From a55c9d584271c39b6e6d3f4fb2de007370b70e7c Mon Sep 17 00:00:00 2001 From: Cristina Amico Date: Fri, 22 May 2026 11:14:56 +0200 Subject: [PATCH 1/7] [Fleet] Add meta:{id} to fleet schemas
---
 .../types/models/package_policy_schema.ts | 558 +++---- .../fleet/server/types/models/agent_policy.ts | 653 ++++---- .../server/types/models/enrollment_api_key.ts | 57 +- .../fleet/server/types/rest_spec/agent.ts | 18 +- .../server/types/rest_spec/agent_policy.ts | 123 +- .../types/rest_spec/enrollment_api_key.ts | 43 +- .../fleet/server/types/rest_spec/epm.ts | 1332 +++++++++-------- .../server/types/rest_spec/package_policy.ts | 50 +- 8 files changed, 1539 insertions(+), 1295 deletions(-)
diff --git a/x-pack/platform/plugins/shared/fleet/common/types/models/package_policy_schema.ts b/x-pack/platform/plugins/shared/fleet/common/types/models/package_policy_schema.ts
index 3cd5e292438a2..3dd3561cf0fe4 100644
--- a/x-pack/platform/plugins/shared/fleet/common/types/models/package_policy_schema.ts
+++ b/x-pack/platform/plugins/shared/fleet/common/types/models/package_policy_schema.ts
@@ -46,22 +46,25 @@ export const VarGroupSelectionsSchema = schema.maybe( }) ); -export const DeprecationInfoSchema = schema.object({ - description: schema.string(), - since: schema.maybe(schema.string()), - replaced_by: schema.maybe( - schema.recordOf( - schema.oneOf([ - schema.literal('package'), - schema.literal('policyTemplate'), - schema.literal('input'), - schema.literal('dataStream'), - schema.literal('variable'), - ]), - schema.string() - ) - ), -}); +export const DeprecationInfoSchema = schema.object( + { + description: schema.string(), + since: schema.maybe(schema.string()), + replaced_by: schema.maybe( + schema.recordOf( + schema.oneOf([ + schema.literal('package'), + schema.literal('policyTemplate'), + schema.literal('input'), + schema.literal('dataStream'), + schema.literal('variable'), + ]), + schema.string() + ) + ), + }, + { meta: { id: 'deprecation_info' } } +); const PackagePolicyStreamsSchema = { id: schema.maybe(schema.string()), // BWC < 7.11 
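Review bot: The new id `deprecation_info` — like the other bare ids this patch adds (`package_policy`, `agent_policy`, `enrollment_api_key`) — carries no plugin qualifier, and if, as the patch title suggests, these ids become OpenAPI component names in a spec shared by every Kibana plugin's routes, another plugin registering a schema with the same id would collide with it in the generated document. Prefixing now, e.g. `{ meta: { id: 'fleet_deprecation_info' } }`, costs nothing, whereas renaming later changes every published `$ref`. How the generator behaves on duplicate ids (throw, overwrite, or last-wins) is not visible from this hunk, so confirm that before deciding whether the prefix is optional.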
@@ -137,22 +140,25 @@ export const ExperimentalDataStreamFeaturesSchema = schema.arrayOf( { maxSize: 100 } ); -export const PackagePolicyPackageSchema = schema.object({ - name: schema.string({ - meta: { - description: 'Package name', - }, - }), - title: schema.maybe(schema.string()), - version: schema.string({ - meta: { - description: 'Package version', - }, - }), - experimental_data_stream_features: schema.maybe(ExperimentalDataStreamFeaturesSchema), - requires_root: schema.maybe(schema.boolean()), - fips_compatible: schema.maybe(schema.boolean()), -}); +export const PackagePolicyPackageSchema = schema.object( + { + name: schema.string({ + meta: { + description: 'Package name', + }, + }), + title: schema.maybe(schema.string()), + version: schema.string({ + meta: { + description: 'Package version', + }, + }), + experimental_data_stream_features: schema.maybe(ExperimentalDataStreamFeaturesSchema), + requires_root: schema.maybe(schema.boolean()), + fips_compatible: schema.maybe(schema.boolean()), + }, + { meta: { id: 'package_policy_package' } } +); export const PackagePolicyBaseSchema = { name: schema.string({ @@ -309,11 +315,14 @@ export const PackagePolicyBaseSchema = { ), }; -export const NewPackagePolicySchema = schema.object({ - ...PackagePolicyBaseSchema, - id: schema.maybe(schema.string()), - force: schema.maybe(schema.boolean()), -}); +export const NewPackagePolicySchema = schema.object( + { + ...PackagePolicyBaseSchema, + id: schema.maybe(schema.string()), + force: schema.maybe(schema.boolean()), + }, + { meta: { id: 'new_package_policy' } } +); /** * Snapshot of the package policy SO schema as of model version 10.22.0. @@ -329,7 +338,7 @@ export const PackagePolicySchemaV22 = NewPackagePolicySchema.extends( global_data_tags: undefined, condition: undefined, }, - { unknowns: 'ignore' } + { unknowns: 'ignore', meta: { id: 'package_policy_v22' } } ); /** 
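Review bot: In the `@@ -309` hunk, `force: schema.maybe(schema.boolean())` in the new `new_package_policy` component has no description, although the same flag in `create_package_policy_request` later in this file is documented as 'Force package policy creation even if the package is not verified, or if the agent policy is managed.'; because this flag bypasses package verification it should be documented wherever it is exposed in a named component: `force: schema.maybe(schema.boolean({ meta: { description: 'Force package policy creation even if the package is not verified, or if the agent policy is managed.' } })),`. In the `@@ -137` hunk, `requires_root` and `fips_compatible` are the only fields of `package_policy_package` without a description next to the documented `name`/`version`; a one-line `meta.description` on each would keep the component self-explanatory in the generated spec. `PackagePolicyBaseSchema` at the bottom of the first hunk continues past the hunk.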
@@ -342,7 +351,7 @@ export const PackagePolicySchemaV23 = PackagePolicySchemaV22.extends( { global_data_tags: NewPackagePolicySchema.getPropSchemas().global_data_tags, }, - { unknowns: 'ignore' } + { unknowns: 'ignore', meta: { id: 'package_policy_v23' } } ); /** @@ -354,7 +363,7 @@ export const PackagePolicySchemaV24 = PackagePolicySchemaV23.extends( { condition: NewPackagePolicySchema.getPropSchemas().condition, }, - { unknowns: 'ignore' } + { unknowns: 'ignore', meta: { id: 'package_policy_v24' } } ); const CreatePackagePolicyProps = { 
@@ -373,37 +382,40 @@ const CreatePackagePolicyProps = { spaceIds: schema.maybe(schema.arrayOf(schema.string(), { maxSize: 100 })), }; -export const CreatePackagePolicyRequestBodySchema = schema.object({ - ...CreatePackagePolicyProps, - id: schema.maybe( - schema.string({ - meta: { - description: 'Package policy unique identifier', - }, - }) - ), - force: schema.maybe( - schema.boolean({ - meta: { - description: - 'Force package policy creation even if the package is not verified, or if the agent policy is managed.', - }, - }) - ), - // supports_agentless is deprecated for package policy creation in favor of agentless policies API - supports_agentless: schema.maybe( - schema.nullable( +export const CreatePackagePolicyRequestBodySchema = schema.object( + { + ...CreatePackagePolicyProps, + id: schema.maybe( + schema.string({ + meta: { + description: 'Package policy unique identifier', + }, + }) + ), + force: schema.maybe( schema.boolean({ - defaultValue: false, meta: { description: - 'Indicates whether the package policy belongs to an agentless agent policy. Deprecated in favor of the Fleet agentless policies API.', - deprecated: true, + 'Force package policy creation even if the package is not verified, or if the agent policy is managed.', }, }) - ) - ), -}); + ), + // supports_agentless is deprecated for package policy creation in favor of agentless policies API + supports_agentless: schema.maybe( + schema.nullable( + schema.boolean({ + defaultValue: false, + meta: { + description: + 'Indicates whether the package policy belongs to an agentless agent policy. Deprecated in favor of the Fleet agentless policies API.', + deprecated: true, + }, + }) + ) + ), + }, + { meta: { id: 'create_package_policy_request' } } +); export const SimplifiedVarsSchema = schema.recordOf( schema.string(), 
@@ -502,230 +514,254 @@ function validateAdditionalDatastreamsPermissions(values: string[]) { } } -export const SimplifiedPackagePolicyBaseSchema = schema.object({ - id: schema.maybe( - schema.string({ - meta: { - description: 'Policy unique identifier.', - }, - }) - ), - name: schema.string({ - meta: { - description: 'Unique name for the policy.', - }, - }), - description: schema.maybe( - schema.string({ - meta: { - description: 'Policy description.', - }, - }) - ), - namespace: schema.maybe( - schema.string({ - meta: { - description: - 'Policy namespace. When not specified, it inherits the agent policy namespace.', - }, - }) - ), - output_id: schema.maybe(schema.oneOf([schema.literal(null), schema.string()])), - vars: schema.maybe(SimplifiedVarsSchema), - var_group_selections: VarGroupSelectionsSchema, - inputs: SimplifiedPackagePolicyInputsSchema, - supports_agentless: schema.maybe( - schema.nullable( - schema.boolean({ - defaultValue: false, +export const SimplifiedPackagePolicyBaseSchema = schema.object( + { + id: schema.maybe( + schema.string({ meta: { - description: 'Indicates whether the package policy belongs to an agentless agent policy.', + description: 'Policy unique identifier.', }, }) - ) - ), - additional_datastreams_permissions: schema.maybe( - schema.oneOf([ - schema.literal(null), - schema.arrayOf(schema.string(), { - validate: validateAdditionalDatastreamsPermissions, - meta: { - description: 'Additional datastream permissions, that will be added to the agent policy.', - }, - maxSize: 100, - }), - ]) - ), - condition: schema.maybe( - schema.string({ + ), + name: schema.string({ meta: { - description: - '**Experimental.** Agent condition expression to evaluate whether to apply this integration to its inputs.', + description: 'Unique name for the policy.', }, - }) - ), -}); - -export const SimplifiedPackagePolicyPreconfiguredSchema = SimplifiedPackagePolicyBaseSchema.extends( - { - id: schema.string(), - package: schema.object({ - name: 
schema.string(), }), - } -); - -export const SimplifiedCreatePackagePolicyRequestBodySchema = - SimplifiedPackagePolicyBaseSchema.extends({ - policy_id: schema.maybe( - schema.oneOf([schema.literal(null), schema.string()], { - meta: { - description: 'Deprecated. Use policy_ids instead.', - deprecated: true, - }, - }) - ), - policy_ids: schema.maybe( - schema.arrayOf(schema.string(), { + description: schema.maybe( + schema.string({ meta: { - description: 'IDs of the agent policies which that package policy will be added to.', + description: 'Policy description.', }, - maxSize: MAX_REUSABLE_AGENT_POLICIES_PER_PACKAGE_POLICY, }) ), - force: schema.maybe( - schema.boolean({ + namespace: schema.maybe( + schema.string({ meta: { description: - 'Force package policy creation even if the package is not verified, or if the agent policy is managed.', + 'Policy namespace. When not specified, it inherits the agent policy namespace.', }, }) ), - package: PackagePolicyPackageSchema, - // supports_agentless is deprecated for package policy creation in favor of agentless policies API + output_id: schema.maybe(schema.oneOf([schema.literal(null), schema.string()])), + vars: schema.maybe(SimplifiedVarsSchema), + var_group_selections: VarGroupSelectionsSchema, + inputs: SimplifiedPackagePolicyInputsSchema, supports_agentless: schema.maybe( schema.nullable( schema.boolean({ defaultValue: false, meta: { description: - 'Indicates whether the package policy belongs to an agentless agent policy. 
Deprecated in favor of the Fleet agentless policies API.', - deprecated: true, + 'Indicates whether the package policy belongs to an agentless agent policy.', }, }) ) ), - }); - -export const UpdatePackagePolicyRequestBodySchema = schema.object({ - ...CreatePackagePolicyProps, - name: schema.maybe(schema.string()), - inputs: schema.maybe( - schema.arrayOf( - schema.object({ - ...PackagePolicyInputsSchema, - streams: schema.maybe( - schema.arrayOf(schema.object(PackagePolicyStreamsSchema), { maxSize: 1000 }) - ), - }), - { maxSize: 1000 } - ) - ), - version: schema.maybe(schema.string()), - force: schema.maybe(schema.boolean()), -}); + additional_datastreams_permissions: schema.maybe( + schema.oneOf([ + schema.literal(null), + schema.arrayOf(schema.string(), { + validate: validateAdditionalDatastreamsPermissions, + meta: { + description: + 'Additional datastream permissions, that will be added to the agent policy.', + }, + maxSize: 100, + }), + ]) + ), + condition: schema.maybe( + schema.string({ + meta: { + description: + '**Experimental.** Agent condition expression to evaluate whether to apply this integration to its inputs.', + }, + }) + ), + }, + { meta: { id: 'simplified_package_policy_base' } } +); -export const UpdatePackagePolicySchema = schema.object({ - ...PackagePolicyBaseSchema, - version: schema.maybe(schema.string()), -}); +export const SimplifiedPackagePolicyPreconfiguredSchema = SimplifiedPackagePolicyBaseSchema.extends( + { + id: schema.string(), + package: schema.object({ + name: schema.string(), + }), + }, + { meta: { id: 'simplified_package_policy_preconfigured' } } +); -export const PackagePolicySchema = schema.object({ - ...PackagePolicyBaseSchema, - id: schema.string({ - meta: { - description: 'Package policy unique identifier.', +export const SimplifiedCreatePackagePolicyRequestBodySchema = + SimplifiedPackagePolicyBaseSchema.extends( + { + policy_id: schema.maybe( + schema.oneOf([schema.literal(null), schema.string()], { + meta: { + 
description: 'Deprecated. Use policy_ids instead.', + deprecated: true, + }, + }) + ), + policy_ids: schema.maybe( + schema.arrayOf(schema.string(), { + meta: { + description: 'IDs of the agent policies which that package policy will be added to.', + }, + maxSize: MAX_REUSABLE_AGENT_POLICIES_PER_PACKAGE_POLICY, + }) + ), + force: schema.maybe( + schema.boolean({ + meta: { + description: + 'Force package policy creation even if the package is not verified, or if the agent policy is managed.', + }, + }) + ), + package: PackagePolicyPackageSchema, + // supports_agentless is deprecated for package policy creation in favor of agentless policies API + supports_agentless: schema.maybe( + schema.nullable( + schema.boolean({ + defaultValue: false, + meta: { + description: + 'Indicates whether the package policy belongs to an agentless agent policy. Deprecated in favor of the Fleet agentless policies API.', + deprecated: true, + }, + }) + ) + ), }, - }), - version: schema.maybe( - schema.string({ + { meta: { id: 'simplified_create_package_policy_request' } } + ); + +export const UpdatePackagePolicyRequestBodySchema = schema.object( + { + ...CreatePackagePolicyProps, + name: schema.maybe(schema.string()), + inputs: schema.maybe( + schema.arrayOf( + schema.object({ + ...PackagePolicyInputsSchema, + streams: schema.maybe( + schema.arrayOf(schema.object(PackagePolicyStreamsSchema), { maxSize: 1000 }) + ), + }), + { maxSize: 1000 } + ) + ), + version: schema.maybe(schema.string()), + force: schema.maybe(schema.boolean()), + }, + { meta: { id: 'update_package_policy_request' } } +); + +export const UpdatePackagePolicySchema = schema.object( + { + ...PackagePolicyBaseSchema, + version: schema.maybe(schema.string()), + }, + { meta: { id: 'update_package_policy' } } +); + +export const PackagePolicySchema = schema.object( + { + ...PackagePolicyBaseSchema, + id: schema.string({ meta: { - description: 'Package policy ES version.', + description: 'Package policy unique identifier.', }, 
- }) - ), - revision: schema.number({ - meta: { - description: 'Package policy revision.', - }, - }), - updated_at: schema.string(), - updated_by: schema.string(), - created_at: schema.string(), - created_by: schema.string(), - elasticsearch: schema - .maybe( - schema.object({ - privileges: schema.maybe( - schema.object({ - cluster: schema.maybe(schema.arrayOf(schema.string(), { maxSize: 100 })), - }) - ), - }) - ) - .extendsDeep({ - unknowns: 'allow', }), - inputs: schema.arrayOf( - schema.object({ - ...PackagePolicyInputsSchema, - compiled_input: schema.maybe(schema.any()), + version: schema.maybe( + schema.string({ + meta: { + description: 'Package policy ES version.', + }, + }) + ), + revision: schema.number({ + meta: { + description: 'Package policy revision.', + }, }), - { maxSize: 100 } - ), - secret_references: schema.maybe( - schema.arrayOf( + updated_at: schema.string(), + updated_by: schema.string(), + created_at: schema.string(), + created_by: schema.string(), + elasticsearch: schema + .maybe( + schema.object({ + privileges: schema.maybe( + schema.object({ + cluster: schema.maybe(schema.arrayOf(schema.string(), { maxSize: 100 })), + }) + ), + }) + ) + .extendsDeep({ + unknowns: 'allow', + }), + inputs: schema.arrayOf( schema.object({ - id: schema.string(), + ...PackagePolicyInputsSchema, + compiled_input: schema.maybe(schema.any()), }), - { maxSize: 1000 } - ) - ), -}); - -export const PackagePolicyResponseSchema = PackagePolicySchema.extends({ - vars: schema.maybe( - schema.oneOf([ConfigRecordSchema, schema.maybe(SimplifiedVarsSchema)], { - meta: { - description: 'Package level variable.', - }, - }) - ), - inputs: schema.oneOf( - [ + { maxSize: 100 } + ), + secret_references: schema.maybe( schema.arrayOf( schema.object({ - ...PackagePolicyInputsSchema, - compiled_input: schema.maybe(schema.any()), + id: schema.string(), }), - { maxSize: 100 } - ), - SimplifiedPackagePolicyInputsSchema, - ], - { - meta: { - description: 'Package policy inputs.', - }, - 
} - ), - spaceIds: schema.maybe(schema.arrayOf(schema.string(), { maxSize: 100 })), - agents: schema.maybe(schema.number()), -}); + { maxSize: 1000 } + ) + ), + }, + { meta: { id: 'package_policy' } } +); -export const OrphanedPackagePoliciesResponseSchema = schema.object({ - items: schema.arrayOf(PackagePolicyResponseSchema, { maxSize: 10000 }), - total: schema.number(), -}); +export const PackagePolicyResponseSchema = PackagePolicySchema.extends( + { + vars: schema.maybe( + schema.oneOf([ConfigRecordSchema, schema.maybe(SimplifiedVarsSchema)], { + meta: { + description: 'Package level variable.', + }, + }) + ), + inputs: schema.oneOf( + [ + schema.arrayOf( + schema.object({ + ...PackagePolicyInputsSchema, + compiled_input: schema.maybe(schema.any()), + }), + { maxSize: 100 } + ), + SimplifiedPackagePolicyInputsSchema, + ], + { + meta: { + description: 'Package policy inputs.', + }, + } + ), + spaceIds: schema.maybe(schema.arrayOf(schema.string(), { maxSize: 100 })), + agents: schema.maybe(schema.number()), + }, + { meta: { id: 'package_policy_response' } } +); + +export const OrphanedPackagePoliciesResponseSchema = schema.object( + { + items: schema.arrayOf(PackagePolicyResponseSchema, { maxSize: 10000 }), + total: schema.number(), + }, + { meta: { id: 'orphaned_package_policies_response' } } +); export const DryRunPackagePolicySchema = PackagePolicySchema.extends( { 
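Review bot: The descriptions in the new `simplified_package_policy_base` component say 'Policy unique identifier.', 'Unique name for the policy.' and 'Policy description.' for `id`, `name` and `description`, but in the `simplified_create_package_policy_request` extension of the same object `policy_id`/`policy_ids` refer to *agent* policies, so a reader of the generated spec cannot tell which policy each field means. Align them with `create_package_policy_request`, which already says 'Package policy unique identifier': `description: 'Package policy unique identifier.'`, `description: 'Unique name for the package policy.'`, `description: 'Package policy description.'`. Unrelated to this patch but on the same new side, `vars: schema.maybe(schema.oneOf([ConfigRecordSchema, schema.maybe(SimplifiedVarsSchema)], …))` nests a `maybe` inside a `maybe`d `oneOf`; the inner one is redundant and can be dropped without changing what validates. `DryRunPackagePolicySchema` at the end of the hunk continues past it.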
@@ -749,13 +785,17 @@ export const DryRunPackagePolicySchema = PackagePolicySchema.extends( }, { unknowns: 'allow', + meta: { id: 'dry_run_package_policy' }, } ); -export const PackagePolicyStatusResponseSchema = schema.object({ - id: schema.string(), - success: schema.boolean(), - name: schema.maybe(schema.string()), - statusCode: schema.maybe(schema.number()), - body: schema.maybe(schema.object({ message: schema.string() })), -}); +export const PackagePolicyStatusResponseSchema = schema.object( + { + id: schema.string(), + success: schema.boolean(), + name: schema.maybe(schema.string()), + statusCode: schema.maybe(schema.number()), + body: schema.maybe(schema.object({ message: schema.string() })), + }, + { meta: { id: 'package_policy_status_response' } } +); diff --git a/x-pack/platform/plugins/shared/fleet/server/types/models/agent_policy.ts b/x-pack/platform/plugins/shared/fleet/server/types/models/agent_policy.ts index a6207da8c3542..ba03a7a78f37d 100644 --- a/x-pack/platform/plugins/shared/fleet/server/types/models/agent_policy.ts +++ b/x-pack/platform/plugins/shared/fleet/server/types/models/agent_policy.ts 
@@ -297,144 +297,166 @@ export const AgentPolicySchemaV3 = schema .object({ ...AgentPolicyBaseSchema, }) - .extends({ - has_agent_version_conditions: schema.maybe(schema.boolean()), - }); - -export const AgentPolicySchemaV4 = AgentPolicySchemaV3.extends({ - min_agent_version: schema.maybe(schema.nullable(schema.string())), - package_agent_version_conditions: schema.maybe( - schema.nullable( - schema.arrayOf( - schema.object({ - name: schema.string(), - title: schema.string(), - version_condition: schema.string(), - }), - { maxSize: 1000 } + .extends( + { + has_agent_version_conditions: schema.maybe(schema.boolean()), + }, + { meta: { id: 'agent_policy_v3' } } + ); + +export const AgentPolicySchemaV4 = AgentPolicySchemaV3.extends( + { + min_agent_version: schema.maybe(schema.nullable(schema.string())), + package_agent_version_conditions: schema.maybe( + schema.nullable( + schema.arrayOf( + schema.object({ + name: schema.string(), + title: schema.string(), + version_condition: schema.string(), + }), + { maxSize: 1000 } + ) ) - ) - ), -}); + ), + }, + { meta: { id: 'agent_policy_v4' } } +); -export const AgentPolicySchemaV5 = AgentPolicySchemaV4.extends({ - is_verifier: schema.maybe(schema.boolean()), -}); +export const AgentPolicySchemaV5 = AgentPolicySchemaV4.extends( + { + is_verifier: schema.maybe(schema.boolean()), + }, + { meta: { id: 'agent_policy_v5' } } +); -export const AgentPolicySchemaV6 = AgentPolicySchemaV5.extends({ - agentless: schema.maybe( - schema.object({ - cloud_connectors: schema.maybe( - schema.object({ - target_csp: schema.maybe( - schema.oneOf([schema.literal('aws'), schema.literal('azure'), schema.literal('gcp')]) - ), - enabled: schema.boolean(), - }) - ), - resources: schema.maybe( - schema.object({ - requests: schema.maybe( - schema.object({ - memory: schema.maybe(schema.string({ validate: validateMemory })), - cpu: schema.maybe(schema.string({ validate: validateCPU })), - }) - ), - }) - ), - cluster_id: schema.maybe(schema.string()), - }) 
- ), -}); +export const AgentPolicySchemaV6 = AgentPolicySchemaV5.extends( + { + agentless: schema.maybe( + schema.object({ + cloud_connectors: schema.maybe( + schema.object({ + target_csp: schema.maybe( + schema.oneOf([schema.literal('aws'), schema.literal('azure'), schema.literal('gcp')]) + ), + enabled: schema.boolean(), + }) + ), + resources: schema.maybe( + schema.object({ + requests: schema.maybe( + schema.object({ + memory: schema.maybe(schema.string({ validate: validateMemory })), + cpu: schema.maybe(schema.string({ validate: validateCPU })), + }) + ), + }) + ), + cluster_id: schema.maybe(schema.string()), + }) + ), + }, + { meta: { id: 'agent_policy_v6' } } +); -export const NewAgentPolicySchema = AgentPolicySchemaV6.extends({ - supports_agentless: schema.maybe( - schema.oneOf([ - schema.literal(null), - schema.boolean({ - defaultValue: false, - meta: { - description: - 'Indicates whether the agent policy supports agentless integrations. Deprecated in favor of the Fleet agentless policies API.', - deprecated: true, - }, - }), - ]) - ), - force: schema.maybe(schema.boolean()), -}); +export const NewAgentPolicySchema = AgentPolicySchemaV6.extends( + { + supports_agentless: schema.maybe( + schema.oneOf([ + schema.literal(null), + schema.boolean({ + defaultValue: false, + meta: { + description: + 'Indicates whether the agent policy supports agentless integrations. 
Deprecated in favor of the Fleet agentless policies API.', + deprecated: true, + }, + }), + ]) + ), + force: schema.maybe(schema.boolean()), + }, + { meta: { id: 'new_agent_policy' } } +); -export const AgentPolicySchema = AgentPolicySchemaV6.extends({ - id: schema.string(), - is_managed: schema.maybe(schema.boolean()), - status: schema.oneOf([ - schema.literal(agentPolicyStatuses.Active), - schema.literal(agentPolicyStatuses.Inactive), - ]), - package_policies: schema.maybe( - schema.oneOf([ - schema.arrayOf(schema.string(), { maxSize: 1000 }), - schema.arrayOf(PackagePolicySchema, { maxSize: 1000 }), - ]) - ), - updated_at: schema.string(), - updated_by: schema.string(), -}); +export const AgentPolicySchema = AgentPolicySchemaV6.extends( + { + id: schema.string(), + is_managed: schema.maybe(schema.boolean()), + status: schema.oneOf([ + schema.literal(agentPolicyStatuses.Active), + schema.literal(agentPolicyStatuses.Inactive), + ]), + package_policies: schema.maybe( + schema.oneOf([ + schema.arrayOf(schema.string(), { maxSize: 1000 }), + schema.arrayOf(PackagePolicySchema, { maxSize: 1000 }), + ]) + ), + updated_at: schema.string(), + updated_by: schema.string(), + }, + { meta: { id: 'agent_policy' } } +); -export const AgentPolicyResponseSchema = AgentPolicySchema.extends({ - revision: schema.number(), - agents: schema.maybe(schema.number()), - unprivileged_agents: schema.maybe(schema.number()), - fips_agents: schema.maybe(schema.number()), - agents_per_version: schema.maybe( - schema.arrayOf( - schema.object({ - version: schema.string(), - count: schema.number(), - }), - { maxSize: 1000 } - ) - ), - is_protected: schema.boolean({ - meta: { - description: - 'Indicates whether the agent policy has tamper protection enabled. 
Default false.', - }, - }), - version: schema.maybe(schema.string()), - is_preconfigured: schema.maybe(schema.boolean()), - schema_version: schema.maybe(schema.string()), - min_agent_version: schema.maybe(schema.nullable(schema.string())), - package_agent_version_conditions: schema.maybe( - schema.nullable( +export const AgentPolicyResponseSchema = AgentPolicySchema.extends( + { + revision: schema.number(), + agents: schema.maybe(schema.number()), + unprivileged_agents: schema.maybe(schema.number()), + fips_agents: schema.maybe(schema.number()), + agents_per_version: schema.maybe( schema.arrayOf( schema.object({ - name: schema.string(), - title: schema.string(), - version_condition: schema.string(), + version: schema.string(), + count: schema.number(), }), { maxSize: 1000 } ) - ) - ), - created_at: schema.maybe(schema.string()), - package_policies: schema.maybe( - schema.oneOf([ - schema.arrayOf(schema.string(), { maxSize: 10000 }), - schema.arrayOf(PackagePolicyResponseSchema, { - meta: { - description: - 'This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter', - }, - maxSize: 10000, - }), - ]) - ), -}); + ), + is_protected: schema.boolean({ + meta: { + description: + 'Indicates whether the agent policy has tamper protection enabled. 
Default false.', + }, + }), + version: schema.maybe(schema.string()), + is_preconfigured: schema.maybe(schema.boolean()), + schema_version: schema.maybe(schema.string()), + min_agent_version: schema.maybe(schema.nullable(schema.string())), + package_agent_version_conditions: schema.maybe( + schema.nullable( + schema.arrayOf( + schema.object({ + name: schema.string(), + title: schema.string(), + version_condition: schema.string(), + }), + { maxSize: 1000 } + ) + ) + ), + created_at: schema.maybe(schema.string()), + package_policies: schema.maybe( + schema.oneOf([ + schema.arrayOf(schema.string(), { maxSize: 10000 }), + schema.arrayOf(PackagePolicyResponseSchema, { + meta: { + description: + 'This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter', + }, + maxSize: 10000, + }), + ]) + ), + }, + { meta: { id: 'agent_policy_response' } } +); -export const GetAgentPolicyResponseSchema = schema.object({ - item: AgentPolicyResponseSchema, -}); +export const GetAgentPolicyResponseSchema = schema.object( + { item: AgentPolicyResponseSchema }, + { meta: { id: 'get_agent_policy_response' } } +); export const OTelCollectorPipelineIDSchema = schema.oneOf([ schema.literal('logs'), 
@@ -466,224 +488,227 @@ export const OtelCollectorConfigSchema = { ), }; -export const FullAgentPolicyResponseSchema = schema.object({ - id: schema.string(), - namespaces: schema.maybe(schema.arrayOf(schema.string(), { maxSize: 100 })), - outputs: schema - .recordOf( - schema.string(), - schema.object({ - type: schema.string(), - hosts: schema.maybe(schema.arrayOf(schema.string(), { maxSize: 100 })), - ca_sha256: schema.maybe(schema.oneOf([schema.literal(null), schema.string()])), - proxy_url: schema.maybe(schema.string()), - proxy_headers: schema.maybe(ProxyHeadersSchema), - }) - ) - .extendsDeep({ - unknowns: 'allow', - }), - output_permissions: schema.maybe( - schema.recordOf(schema.string(), schema.recordOf(schema.string(), schema.any())) - ), - fleet: schema.maybe( - schema.oneOf([ - schema.object({ - hosts: schema.arrayOf(schema.string(), { maxSize: 100 }), - proxy_url: schema.maybe(schema.string()), - proxy_headers: schema.maybe(ProxyHeadersSchema), - ssl: schema.maybe(BaseSSLSchema), - secrets: schema.maybe(BaseSecretsSchema), +export const FullAgentPolicyResponseSchema = schema.object( + { + id: schema.string(), + namespaces: schema.maybe(schema.arrayOf(schema.string(), { maxSize: 100 })), + outputs: schema + .recordOf( + schema.string(), + schema.object({ + type: schema.string(), + hosts: schema.maybe(schema.arrayOf(schema.string(), { maxSize: 100 })), + ca_sha256: schema.maybe(schema.oneOf([schema.literal(null), schema.string()])), + proxy_url: schema.maybe(schema.string()), + proxy_headers: schema.maybe(ProxyHeadersSchema), + }) + ) + .extendsDeep({ + unknowns: 'allow', }), - schema.object({ - kibana: schema.object({ + output_permissions: schema.maybe( + schema.recordOf(schema.string(), schema.recordOf(schema.string(), schema.any())) + ), + fleet: schema.maybe( + schema.oneOf([ + schema.object({ hosts: schema.arrayOf(schema.string(), { maxSize: 100 }), - protocol: schema.string(), - path: schema.maybe(schema.string()), + proxy_url: 
schema.maybe(schema.string()), + proxy_headers: schema.maybe(ProxyHeadersSchema), + ssl: schema.maybe(BaseSSLSchema), + secrets: schema.maybe(BaseSecretsSchema), }), - }), - ]) - ), - inputs: schema.arrayOf( - schema - .object({ - id: schema.string(), - name: schema.string(), - revision: schema.number(), - type: schema.string(), - data_stream: schema.object({ - namespace: schema.string(), + schema.object({ + kibana: schema.object({ + hosts: schema.arrayOf(schema.string(), { maxSize: 100 }), + protocol: schema.string(), + path: schema.maybe(schema.string()), + }), }), - use_output: schema.string(), - package_policy_id: schema.string(), - meta: schema.maybe( - schema.object({ - package: schema - .maybe( + ]) + ), + inputs: schema.arrayOf( + schema + .object({ + id: schema.string(), + name: schema.string(), + revision: schema.number(), + type: schema.string(), + data_stream: schema.object({ + namespace: schema.string(), + }), + use_output: schema.string(), + package_policy_id: schema.string(), + meta: schema.maybe( + schema.object({ + package: schema + .maybe( + schema.object({ + name: schema.string(), + version: schema.string(), + }) + ) + .extendsDeep({ + unknowns: 'allow', + }), + }) + ), + streams: schema.maybe( + schema + .arrayOf( schema.object({ - name: schema.string(), - version: schema.string(), - }) + id: schema.string(), + data_stream: schema.object({ + dataset: schema.string(), + type: schema.maybe(schema.string()), + }), + }), + { maxSize: 10000 } ) .extendsDeep({ unknowns: 'allow', - }), - }) - ), - streams: schema.maybe( - schema - .arrayOf( + }) + ), + processors: schema.maybe( + schema.arrayOf( schema.object({ - id: schema.string(), - data_stream: schema.object({ - dataset: schema.string(), - type: schema.maybe(schema.string()), + add_fields: schema.object({ + target: schema.string(), + fields: schema.recordOf( + schema.string(), + schema.oneOf([schema.string(), schema.number()]) + ), }), }), { maxSize: 10000 } ) - .extendsDeep({ - unknowns: 'allow', 
+ ), + }) + .extendsDeep({ + unknowns: 'allow', + }), + { maxSize: 10000 } + ), + revision: schema.maybe(schema.number()), + agent: schema.maybe( + schema.object({ + monitoring: schema.object({ + namespace: schema.maybe(schema.string()), + use_output: schema.maybe(schema.string()), + enabled: schema.boolean(), + metrics: schema.boolean(), + logs: schema.boolean(), + traces: schema.boolean(), + apm: schema.maybe(schema.any()), + _runtime_experimental: schema.maybe(schema.string()), + pprof: schema.maybe( + schema.object({ + enabled: schema.boolean(), }) - ), - processors: schema.maybe( - schema.arrayOf( + ), + http: schema.maybe( schema.object({ - add_fields: schema.object({ - target: schema.string(), - fields: schema.recordOf( - schema.string(), - schema.oneOf([schema.string(), schema.number()]) - ), - }), - }), - { maxSize: 10000 } - ) - ), - }) - .extendsDeep({ - unknowns: 'allow', - }), - { maxSize: 10000 } - ), - revision: schema.maybe(schema.number()), - agent: schema.maybe( - schema.object({ - monitoring: schema.object({ - namespace: schema.maybe(schema.string()), - use_output: schema.maybe(schema.string()), - enabled: schema.boolean(), - metrics: schema.boolean(), - logs: schema.boolean(), - traces: schema.boolean(), - apm: schema.maybe(schema.any()), - _runtime_experimental: schema.maybe(schema.string()), - pprof: schema.maybe( + enabled: schema.maybe(schema.boolean()), + host: schema.maybe(schema.string()), + port: schema.maybe(schema.number()), + }) + ), + diagnostics: schema.maybe( + schema.object({ + limit: schema.maybe( + schema.object({ + interval: schema.maybe(schema.string()), + burst: schema.maybe(schema.number()), + }) + ), + uploader: schema.maybe( + schema.object({ + max_retries: schema.maybe(schema.number()), + init_dur: schema.maybe(schema.string()), + max_dur: schema.maybe(schema.string()), + }) + ), + }) + ), + }), + download: schema.object({ + sourceURI: schema.string(), + ssl: schema.maybe(BaseSSLSchema), + auth: schema.maybe( + 
schema.object({ + username: schema.maybe(schema.string()), + password: schema.maybe(schema.string()), + api_key: schema.maybe(schema.string()), + headers: schema.maybe( + schema.arrayOf(schema.object({ key: schema.string(), value: schema.string() }), { + maxSize: 100, + }) + ), + }) + ), + secrets: schema.maybe(BaseSecretsSchema), + timeout: schema.maybe(schema.string()), + target_directory: schema.maybe(schema.string()), + proxy_url: schema.maybe(schema.string()), + proxy_headers: schema.maybe(ProxyHeadersSchema), + }), + features: schema.recordOf( + schema.string(), schema.object({ enabled: schema.boolean(), }) ), - http: schema.maybe( + protection: schema.maybe( schema.object({ - enabled: schema.maybe(schema.boolean()), - host: schema.maybe(schema.string()), - port: schema.maybe(schema.number()), + enabled: schema.boolean(), + uninstall_token_hash: schema.string(), + signing_key: schema.string(), }) ), - diagnostics: schema.maybe( + logging: schema.maybe( schema.object({ - limit: schema.maybe( + level: schema.maybe(schema.string()), + to_files: schema.maybe(schema.boolean()), + files: schema.maybe( schema.object({ + rotateeverybytes: schema.maybe(schema.number()), + keepfiles: schema.maybe(schema.number()), interval: schema.maybe(schema.string()), - burst: schema.maybe(schema.number()), }) ), - uploader: schema.maybe( + metrics: schema.maybe( schema.object({ - max_retries: schema.maybe(schema.number()), - init_dur: schema.maybe(schema.string()), - max_dur: schema.maybe(schema.string()), + period: schema.maybe(schema.string()), }) ), }) ), - }), - download: schema.object({ - sourceURI: schema.string(), - ssl: schema.maybe(BaseSSLSchema), - auth: schema.maybe( + limits: schema.maybe( schema.object({ - username: schema.maybe(schema.string()), - password: schema.maybe(schema.string()), - api_key: schema.maybe(schema.string()), - headers: schema.maybe( - schema.arrayOf(schema.object({ key: schema.string(), value: schema.string() }), { - maxSize: 100, - }) - ), + 
go_max_procs: schema.maybe(schema.number()), }) ), - secrets: schema.maybe(BaseSecretsSchema), - timeout: schema.maybe(schema.string()), - target_directory: schema.maybe(schema.string()), - proxy_url: schema.maybe(schema.string()), - proxy_headers: schema.maybe(ProxyHeadersSchema), - }), - features: schema.recordOf( - schema.string(), - schema.object({ - enabled: schema.boolean(), - }) - ), - protection: schema.maybe( - schema.object({ - enabled: schema.boolean(), - uninstall_token_hash: schema.string(), - signing_key: schema.string(), - }) - ), - logging: schema.maybe( - schema.object({ - level: schema.maybe(schema.string()), - to_files: schema.maybe(schema.boolean()), - files: schema.maybe( - schema.object({ - rotateeverybytes: schema.maybe(schema.number()), - keepfiles: schema.maybe(schema.number()), - interval: schema.maybe(schema.string()), - }) - ), - metrics: schema.maybe( - schema.object({ - period: schema.maybe(schema.string()), - }) - ), - }) - ), - limits: schema.maybe( + internal: schema.maybe(schema.any()), + }) + ), + secret_references: schema.maybe( + schema.arrayOf( schema.object({ - go_max_procs: schema.maybe(schema.number()), - }) - ), - internal: schema.maybe(schema.any()), - }) - ), - secret_references: schema.maybe( - schema.arrayOf( + id: schema.string(), + }), + { maxSize: 10000 } + ) + ), + signed: schema.maybe( schema.object({ - id: schema.string(), - }), - { maxSize: 10000 } - ) - ), - signed: schema.maybe( - schema.object({ - data: schema.string(), - signature: schema.string(), - }) - ), - ...OtelCollectorConfigSchema, -}); + data: schema.string(), + signature: schema.string(), + }) + ), + ...OtelCollectorConfigSchema, + }, + { meta: { id: 'full_agent_policy' } } +); const MinimalOutputSchema = schema.object({ id: schema.string(), name: schema.string(), 
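Review bot: `agent.download.auth.password` and `agent.download.auth.api_key` in the new `full_agent_policy` component are bare `schema.maybe(schema.string())` with no description, yet by name they presumably carry the credentials an agent presents to its artifact download source; now that the schema is a named, reusable spec component they should say so, e.g. `password: schema.maybe(schema.string({ meta: { description: 'Password for the artifact download source. Sensitive; may be a secret reference.' } })),` and the same for `api_key`. Whether these values are plaintext or already replaced by `secret_references` when the policy is served is not visible in this hunk, so word the description according to what the route actually returns. Separately, the id `full_agent_policy` drops the `_response` suffix used by `agent_policy_response` and `get_agent_policy_response` in the same file; `full_agent_policy_response` would keep the convention. `MinimalOutputSchema` at the end of the hunk continues past it.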
@@ -710,10 +735,12 @@ const OutputsForAgentPolicySchema = schema.object({ }), }); -export const GetAgentPolicyOutputsResponseSchema = schema.object({ - item: OutputsForAgentPolicySchema, -}); +export const GetAgentPolicyOutputsResponseSchema = schema.object( + { item: OutputsForAgentPolicySchema }, + { meta: { id: 'get_agent_policy_outputs_response' } } +); -export const GetListAgentPolicyOutputsResponseSchema = schema.object({ - items: schema.arrayOf(OutputsForAgentPolicySchema, { maxSize: 10000 }), -}); +export const GetListAgentPolicyOutputsResponseSchema = schema.object( + { items: schema.arrayOf(OutputsForAgentPolicySchema, { maxSize: 10000 }) }, + { meta: { id: 'get_list_agent_policy_outputs_response' } } +); diff --git a/x-pack/platform/plugins/shared/fleet/server/types/models/enrollment_api_key.ts b/x-pack/platform/plugins/shared/fleet/server/types/models/enrollment_api_key.ts index 7de525b9ad61c..15880e0403738 100644 --- a/x-pack/platform/plugins/shared/fleet/server/types/models/enrollment_api_key.ts +++ b/x-pack/platform/plugins/shared/fleet/server/types/models/enrollment_api_key.ts 
@@ -7,30 +7,33 @@ import { schema } from '@kbn/config-schema'; -export const EnrollmentAPIKeySchema = schema.object({ - id: schema.string(), - api_key_id: schema.string({ - meta: { description: 'The ID of the API key in the Security API.' }, - }), - api_key: schema.string({ - meta: { description: 'The enrollment API key (token) used for enrolling Elastic Agents.' }, - }), - name: schema.maybe( - schema.string({ - meta: { description: 'The name of the enrollment API key.' }, - }) - ), - active: schema.boolean({ - meta: { - description: - 'When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents.', - }, - }), - policy_id: schema.maybe( - schema.string({ - meta: { description: 'The ID of the agent policy the Elastic Agent will be enrolled in.' }, - }) - ), - created_at: schema.string(), - hidden: schema.maybe(schema.boolean()), -}); +export const EnrollmentAPIKeySchema = schema.object( + { + id: schema.string(), + api_key_id: schema.string({ + meta: { description: 'The ID of the API key in the Security API.' }, + }), + api_key: schema.string({ + meta: { description: 'The enrollment API key (token) used for enrolling Elastic Agents.' }, + }), + name: schema.maybe( + schema.string({ + meta: { description: 'The name of the enrollment API key.' }, + }) + ), + active: schema.boolean({ + meta: { + description: + 'When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents.', + }, + }), + policy_id: schema.maybe( + schema.string({ + meta: { description: 'The ID of the agent policy the Elastic Agent will be enrolled in.' }, + }) + ), + created_at: schema.string(), + hidden: schema.maybe(schema.boolean()), + }, + { meta: { id: 'enrollment_api_key' } } +); diff --git a/x-pack/platform/plugins/shared/fleet/server/types/rest_spec/agent.ts b/x-pack/platform/plugins/shared/fleet/server/types/rest_spec/agent.ts index 205123a963716..ba19e7355f623 100644 
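Review bot: The new `meta.id` `'enrollment_api_key'` on `EnrollmentAPIKeySchema` has to be unique among every schema that reaches the OpenAPI generator; an id is presumably emitted as a shared component name, so a second schema registered with the same id would collide with or silently replace this one, and nothing in the hunk shows where that uniqueness is enforced. A short comment above the declaration would help the next person who copies the pattern, e.g. `// meta.id is the shared OpenAPI component name for this schema; keep it unique across Fleet`. The same consideration applies to every id added elsewhere in this series, but it is worth stating once here since this schema carries the `api_key` token field and is referenced from several responses.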
--- a/x-pack/platform/plugins/shared/fleet/server/types/rest_spec/agent.ts +++ b/x-pack/platform/plugins/shared/fleet/server/types/rest_spec/agent.ts @@ -23,12 +23,18 @@ const ActionIdSchema = schema.object({ }); const ActionIdOrMessageSchema = schema.oneOf([ - schema.object({ - actionId: schema.string(), - }), - schema.object({ - message: schema.string(), - }), + schema.object( + { + actionId: schema.string(), + }, + { meta: { id: 'action_id_response' } } + ), + schema.object( + { + message: schema.string(), + }, + { meta: { id: 'action_message_response' } } + ), ]); export const GetAgentsRequestSchema = { diff --git a/x-pack/platform/plugins/shared/fleet/server/types/rest_spec/agent_policy.ts b/x-pack/platform/plugins/shared/fleet/server/types/rest_spec/agent_policy.ts index b2bbdd892c39f..1f98e8c472269 100644 --- a/x-pack/platform/plugins/shared/fleet/server/types/rest_spec/agent_policy.ts +++ b/x-pack/platform/plugins/shared/fleet/server/types/rest_spec/agent_policy.ts @@ -109,9 +109,10 @@ export const BulkGetAgentPoliciesRequestSchema = { }), }; -export const BulkGetAgentPoliciesResponseSchema = schema.object({ - items: schema.arrayOf(AgentPolicyResponseSchema, { maxSize: 10000 }), -}); +export const BulkGetAgentPoliciesResponseSchema = schema.object( + { items: schema.arrayOf(AgentPolicyResponseSchema, { maxSize: 10000 }) }, + { meta: { id: 'bulk_get_agent_policies_response' } } +); export const GetOneAgentPolicyRequestSchema = { params: schema.object({ 
@@ -163,27 +164,36 @@ export const UpdateAgentPolicyRequestSchema = { export const CopyAgentPolicyRequestSchema = { ...GetOneAgentPolicyRequestSchema, - body: schema.object({ - name: schema.string({ minLength: 1 }), - description: schema.maybe(schema.string()), - }), + body: schema.object( + { + name: schema.string({ minLength: 1 }), + description: schema.maybe(schema.string()), + }, + { meta: { id: 'copy_agent_policy_request' } } + ), }; export const DeleteAgentPolicyRequestSchema = { - body: schema.object({ - agentPolicyId: schema.string({ meta: { description: 'The ID of the agent policy' } }), - force: schema.maybe( - schema.boolean({ - meta: { description: 'bypass validation checks that can prevent agent policy deletion' }, - }) - ), - }), + body: schema.object( + { + agentPolicyId: schema.string({ meta: { description: 'The ID of the agent policy' } }), + force: schema.maybe( + schema.boolean({ + meta: { description: 'bypass validation checks that can prevent agent policy deletion' }, + }) + ), + }, + { meta: { id: 'delete_agent_policy_request' } } + ), }; -export const DeleteAgentPolicyResponseSchema = schema.object({ - id: schema.string(), - name: schema.string(), -}); +export const DeleteAgentPolicyResponseSchema = schema.object( + { + id: schema.string(), + name: schema.string(), + }, + { meta: { id: 'delete_agent_policy_response' } } +); export const GetFullAgentPolicyRequestSchema = { params: schema.object({ @@ -216,9 +226,10 @@ export const GetFullAgentPolicyRequestSchema = { }), }; -export const GetFullAgentPolicyResponseSchema = schema.object({ - item: schema.oneOf([schema.string(), FullAgentPolicyResponseSchema]), -}); +export const GetFullAgentPolicyResponseSchema = schema.object( + { item: schema.oneOf([schema.string(), FullAgentPolicyResponseSchema]) }, + { meta: { id: 'get_full_agent_policy_response' } } +); export const DownloadFullAgentPolicyResponseSchema = schema.string(); 
@@ -242,9 +253,10 @@ export const GetK8sManifestRequestSchema = { }), }; -export const GetK8sManifestResponseScheme = schema.object({ - item: schema.string(), -}); +export const GetK8sManifestResponseScheme = schema.object( + { item: schema.string() }, + { meta: { id: 'get_k8s_manifest_response' } } +); export const GetAgentPolicyOutputsRequestSchema = { params: schema.object({ 
@@ -253,34 +265,43 @@ export const GetAgentPolicyOutputsRequestSchema = { }; export const GetListAgentPolicyOutputsRequestSchema = { - body: schema.object({ - ids: schema.arrayOf(schema.string(), { - meta: { description: 'list of package policy ids' }, - maxSize: 1000, - }), - }), + body: schema.object( + { + ids: schema.arrayOf(schema.string(), { + meta: { description: 'list of package policy ids' }, + maxSize: 1000, + }), + }, + { meta: { id: 'get_list_agent_policy_outputs_request' } } + ), }; export const RunAgentPolicyRevisionsCleanupTaskRequestSchema = { - body: schema.object({ - maxRevisions: schema.maybe( - schema.number({ - min: 1, - meta: { description: 'maximum revisions to keep per policy' }, - }) - ), - maxPolicies: schema.maybe( - schema.number({ - min: 1, - meta: { description: 'maximum number of policies to process for this task' }, - }) - ), - }), + body: schema.object( + { + maxRevisions: schema.maybe( + schema.number({ + min: 1, + meta: { description: 'maximum revisions to keep per policy' }, + }) + ), + maxPolicies: schema.maybe( + schema.number({ + min: 1, + meta: { description: 'maximum number of policies to process for this task' }, + }) + ), + }, + { meta: { id: 'run_agent_policy_revisions_cleanup_task_request' } } + ), }; -export const RunAgentPolicyRevisionsCleanupTaskResponseSchema = schema.object({ - success: schema.boolean({ meta: { description: 'whether the cleanup task ran successfully' } }), - totalDeletedRevisions: schema.number({ - meta: { description: 'total number of deleted policy revisions' }, - }), -}); +export const RunAgentPolicyRevisionsCleanupTaskResponseSchema = schema.object( + { + success: schema.boolean({ meta: { description: 'whether the cleanup task ran successfully' } }), + totalDeletedRevisions: schema.number({ + meta: { description: 'total number of deleted policy revisions' }, + }), + }, + { meta: { id: 'run_agent_policy_revisions_cleanup_task_response' } } +); 
diff --git a/x-pack/platform/plugins/shared/fleet/server/types/rest_spec/enrollment_api_key.ts b/x-pack/platform/plugins/shared/fleet/server/types/rest_spec/enrollment_api_key.ts index f89f754349f43..eb3e1628194a4 100644 --- a/x-pack/platform/plugins/shared/fleet/server/types/rest_spec/enrollment_api_key.ts +++ b/x-pack/platform/plugins/shared/fleet/server/types/rest_spec/enrollment_api_key.ts @@ -46,9 +46,10 @@ export const GetOneEnrollmentAPIKeyRequestSchema = { }), }; -export const EnrollmentAPIKeyResponseSchema = schema.object({ - item: EnrollmentAPIKeySchema, -}); +export const EnrollmentAPIKeyResponseSchema = schema.object( + { item: EnrollmentAPIKeySchema }, + { meta: { id: 'enrollment_api_key_response' } } +); export const DeleteEnrollmentAPIKeyRequestSchema = { params: schema.object({ @@ -72,16 +73,20 @@ export const DeleteEnrollmentAPIKeyRequestSchema = { }), }; -export const DeleteEnrollmentAPIKeyResponseSchema = schema.object({ - action: schema.literal('deleted'), -}); +export const DeleteEnrollmentAPIKeyResponseSchema = schema.object( + { action: schema.literal('deleted') }, + { meta: { id: 'delete_enrollment_api_key_response' } } +); export const PostEnrollmentAPIKeyRequestSchema = { - body: schema.object({ - name: schema.maybe(schema.string()), - policy_id: schema.string(), - expiration: schema.maybe(schema.string()), - }), + body: schema.object( + { + name: schema.maybe(schema.string()), + policy_id: schema.string(), + expiration: schema.maybe(schema.string()), + }, + { meta: { id: 'new_enrollment_api_key' } } + ), }; export const BulkDeleteEnrollmentAPIKeysRequestSchema = { @@ -125,6 +130,7 @@ export const BulkDeleteEnrollmentAPIKeysRequestSchema = { }), }, { + meta: { id: 'bulk_delete_enrollment_api_keys_request' }, validate: (value) => { const hasTokenIds = value.tokenIds && value.tokenIds.length > 0; const hasKuery = value.kuery && value.kuery.trim() !== ''; 
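Review bot: The id `'new_enrollment_api_key'` given to the `PostEnrollmentAPIKeyRequestSchema` body breaks the `<verb>_<resource>_<request|response>` convention the rest of this hunk follows (`'enrollment_api_key_response'`, `'delete_enrollment_api_key_response'`, `'bulk_delete_enrollment_api_keys_request'`). If the deviation is deliberate, for instance to match an existing OpenAPI component name, a one-line comment such as `// id kept as 'new_enrollment_api_key' to match the published OAS component` would keep it from being "fixed" later; otherwise `{ meta: { id: 'post_enrollment_api_key_request' } }` keeps the file consistent. The `BulkDeleteEnrollmentAPIKeysRequestSchema` object whose options gain the `meta` entry at the end of this hunk starts and ends outside the hunk.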
@@ -136,9 +142,12 @@ export const BulkDeleteEnrollmentAPIKeysRequestSchema = { ), }; -export const BulkDeleteEnrollmentAPIKeysResponseSchema = schema.object({ - action: schema.string(), - count: schema.number(), - successCount: schema.number(), - errorCount: schema.number(), -}); +export const BulkDeleteEnrollmentAPIKeysResponseSchema = schema.object( + { + action: schema.string(), + count: schema.number(), + successCount: schema.number(), + errorCount: schema.number(), + }, + { meta: { id: 'bulk_delete_enrollment_api_keys_response' } } +); diff --git a/x-pack/platform/plugins/shared/fleet/server/types/rest_spec/epm.ts b/x-pack/platform/plugins/shared/fleet/server/types/rest_spec/epm.ts index 5e1c721d2f688..b9f4ff3281cc7 100644 --- a/x-pack/platform/plugins/shared/fleet/server/types/rest_spec/epm.ts +++ b/x-pack/platform/plugins/shared/fleet/server/types/rest_spec/epm.ts @@ -28,17 +28,21 @@ export const GetCategoriesRequestSchema = { }), }; -const CategorySummaryItemSchema = schema.object({ - id: schema.string(), - title: schema.string(), - count: schema.number(), - parent_id: schema.maybe(schema.string()), - parent_title: schema.maybe(schema.string()), -}); +const CategorySummaryItemSchema = schema.object( + { + id: schema.string(), + title: schema.string(), + count: schema.number(), + parent_id: schema.maybe(schema.string()), + parent_title: schema.maybe(schema.string()), + }, + { meta: { id: 'category_summary_item' } } +); -export const GetCategoriesResponseSchema = schema.object({ - items: schema.arrayOf(CategorySummaryItemSchema, { maxSize: 10000 }), -}); +export const GetCategoriesResponseSchema = schema.object( + { items: schema.arrayOf(CategorySummaryItemSchema, { maxSize: 10000 }) }, + { meta: { id: 'get_categories_response' } } +); export const GetPackagesRequestSchema = { query: schema.object({ 
@@ -63,465 +67,537 @@ export const GetPackagesRequestSchema = { }), }; -export const KibanaAssetReferenceSchema = schema.object({ - id: schema.string(), - originId: schema.maybe(schema.string()), - deferred: schema.maybe(schema.boolean()), - type: schema.oneOf([ - schema.oneOf([ - schema.literal('dashboard'), - schema.literal('lens'), - schema.literal('visualization'), - schema.literal('search'), - schema.literal('index-pattern'), - schema.literal('map'), - schema.literal('ml-module'), - schema.literal('security-rule'), - schema.literal('csp-rule-template'), - schema.literal('osquery-pack-asset'), - schema.literal('osquery-saved-query'), - schema.literal('tag'), +export const KibanaAssetReferenceSchema = schema.object( + { + id: schema.string(), + originId: schema.maybe(schema.string()), + deferred: schema.maybe(schema.boolean()), + type: schema.oneOf([ + schema.oneOf([ + schema.literal('dashboard'), + schema.literal('lens'), + schema.literal('visualization'), + schema.literal('search'), + schema.literal('index-pattern'), + schema.literal('map'), + schema.literal('ml-module'), + schema.literal('security-rule'), + schema.literal('csp-rule-template'), + schema.literal('osquery-pack-asset'), + schema.literal('osquery-saved-query'), + schema.literal('tag'), + ]), + schema.string(), ]), - schema.string(), - ]), -}); - -export const EsAssetReferenceSchema = schema.object({ - id: schema.string(), - type: schema.oneOf([ - schema.literal('index'), - schema.literal('index_template'), - schema.literal('component_template'), - schema.literal('ingest_pipeline'), - schema.literal('ilm_policy'), - schema.literal('data_stream_ilm_policy'), - schema.literal('transform'), - schema.literal('ml_model'), - schema.literal('knowledge_base'), - schema.literal('esql_view'), - ]), - deferred: schema.maybe(schema.boolean()), - version: schema.maybe(schema.string()), -}); - -export const InstallationInfoSchema = schema.object({ - type: schema.string(), - created_at: 
schema.maybe(schema.string()), - updated_at: schema.maybe(schema.string()), - namespaces: schema.maybe(schema.arrayOf(schema.string(), { maxSize: 100 })), - installed_kibana: schema.arrayOf(KibanaAssetReferenceSchema, { maxSize: 10000 }), - additional_spaces_installed_kibana: schema.maybe( - schema.recordOf(schema.string(), schema.arrayOf(KibanaAssetReferenceSchema, { maxSize: 100 })) - ), - installed_es: schema.arrayOf(EsAssetReferenceSchema, { maxSize: 10000 }), - name: schema.string(), - version: schema.string(), - install_status: schema.oneOf([ - schema.literal('installed'), - schema.literal('installing'), - schema.literal('install_failed'), - ]), - install_source: schema.oneOf([ - schema.literal('registry'), - schema.literal('upload'), - schema.literal('bundled'), - schema.literal('custom'), - ]), - installed_kibana_space_id: schema.maybe(schema.string()), - install_format_schema_version: schema.maybe(schema.string()), - verification_status: schema.oneOf([ - schema.literal('unverified'), - schema.literal('verified'), - schema.literal('unknown'), - ]), - verification_key_id: schema.maybe(schema.oneOf([schema.string(), schema.literal(null)])), - experimental_data_stream_features: schema.maybe(ExperimentalDataStreamFeaturesSchema), - latest_install_failed_attempts: schema.maybe( - schema.arrayOf( - schema.object({ - created_at: schema.string(), - target_version: schema.string(), - error: schema.object({ - name: schema.string(), - message: schema.string(), - stack: schema.maybe(schema.string()), - }), - }), - { maxSize: 10 } - ) - ), - latest_executed_state: schema.maybe( - schema.object({ - name: schema.maybe(schema.string()), - started_at: schema.maybe(schema.string()), - error: schema.maybe(schema.string()), - }) - ), - previous_version: schema.maybe(schema.oneOf([schema.string(), schema.literal(null)])), - rolled_back: schema.maybe(schema.boolean()), - is_rollback_ttl_expired: schema.maybe(schema.boolean()), -}); + }, + { meta: { id: 'kibana_asset_reference' } 
} +); -const PackageIconSchema = schema.object({ - path: schema.maybe(schema.string()), - src: schema.string(), - title: schema.maybe(schema.string()), - type: schema.maybe(schema.string()), - size: schema.maybe(schema.string()), - dark_mode: schema.maybe(schema.boolean()), -}); +export const EsAssetReferenceSchema = schema.object( + { + id: schema.string(), + type: schema.oneOf([ + schema.literal('index'), + schema.literal('index_template'), + schema.literal('component_template'), + schema.literal('ingest_pipeline'), + schema.literal('ilm_policy'), + schema.literal('data_stream_ilm_policy'), + schema.literal('transform'), + schema.literal('ml_model'), + schema.literal('knowledge_base'), + schema.literal('esql_view'), + ]), + deferred: schema.maybe(schema.boolean()), + version: schema.maybe(schema.string()), + }, + { meta: { id: 'es_asset_reference' } } +); -export const PackageInfoSchema = schema - .object({ - status: schema.maybe(schema.string()), - installationInfo: schema.maybe(InstallationInfoSchema), +export const InstallationInfoSchema = schema.object( + { + type: schema.string(), + created_at: schema.maybe(schema.string()), + updated_at: schema.maybe(schema.string()), + namespaces: schema.maybe(schema.arrayOf(schema.string(), { maxSize: 100 })), + installed_kibana: schema.arrayOf(KibanaAssetReferenceSchema, { maxSize: 10000 }), + additional_spaces_installed_kibana: schema.maybe( + schema.recordOf(schema.string(), schema.arrayOf(KibanaAssetReferenceSchema, { maxSize: 100 })) + ), + installed_es: schema.arrayOf(EsAssetReferenceSchema, { maxSize: 10000 }), name: schema.string(), version: schema.string(), - description: schema.maybe(schema.string()), - title: schema.string(), - icons: schema.maybe(schema.arrayOf(PackageIconSchema, { maxSize: 100 })), - deprecated: schema.maybe(DeprecationInfoSchema), - conditions: schema.maybe( - schema.object({ - kibana: schema.maybe(schema.object({ version: schema.maybe(schema.string()) })), - elastic: schema.maybe( - 
schema.object({ - subscription: schema.maybe(schema.string()), - capabilities: schema.maybe(schema.arrayOf(schema.string(), { maxSize: 10 })), - }) - ), - deprecated: schema.maybe(DeprecationInfoSchema), - }) - ), - release: schema.maybe( - schema.oneOf([schema.literal('ga'), schema.literal('beta'), schema.literal('experimental')]) - ), - type: schema.maybe( - schema.oneOf([ - schema.literal('integration'), - schema.literal('input'), - schema.literal('content'), - schema.string(), - ]) - ), - path: schema.maybe(schema.string()), - download: schema.maybe(schema.string()), - internal: schema.maybe(schema.boolean()), - data_streams: schema.maybe( - schema.arrayOf(schema.recordOf(schema.string(), schema.any()), { maxSize: 1000 }) - ), - policy_templates: schema.maybe( - schema.arrayOf(schema.recordOf(schema.string(), schema.any()), { maxSize: 1000 }) - ), - categories: schema.maybe(schema.arrayOf(schema.string(), { maxSize: 100 })), - owner: schema.maybe( - schema.object({ - github: schema.maybe(schema.string()), - type: schema.maybe( - schema.oneOf([ - schema.literal('elastic'), - schema.literal('partner'), - schema.literal('community'), - ]) - ), - }) - ), - readme: schema.maybe(schema.string()), - signature_path: schema.maybe(schema.string()), - source: schema.maybe( - schema.object({ - license: schema.string(), - }) - ), - format_version: schema.maybe(schema.string()), - vars: schema.maybe( - schema.arrayOf(schema.recordOf(schema.string(), schema.any()), { maxSize: 1000 }) - ), - var_groups: schema.maybe( + install_status: schema.oneOf([ + schema.literal('installed'), + schema.literal('installing'), + schema.literal('install_failed'), + ]), + install_source: schema.oneOf([ + schema.literal('registry'), + schema.literal('upload'), + schema.literal('bundled'), + schema.literal('custom'), + ]), + installed_kibana_space_id: schema.maybe(schema.string()), + install_format_schema_version: schema.maybe(schema.string()), + verification_status: schema.oneOf([ + 
schema.literal('unverified'), + schema.literal('verified'), + schema.literal('unknown'), + ]), + verification_key_id: schema.maybe(schema.oneOf([schema.string(), schema.literal(null)])), + experimental_data_stream_features: schema.maybe(ExperimentalDataStreamFeaturesSchema), + latest_install_failed_attempts: schema.maybe( schema.arrayOf( schema.object({ - name: schema.string(), - title: schema.string(), - selector_title: schema.string(), - description: schema.maybe(schema.string()), - options: schema.arrayOf( - schema - .object({ - name: schema.string(), - title: schema.string(), - description: schema.maybe(schema.string()), - vars: schema.arrayOf(schema.string(), { maxSize: 100 }), - hide_in_deployment_modes: schema.maybe( - schema.arrayOf( - schema.oneOf([schema.literal('default'), schema.literal('agentless')]), - { maxSize: 2 } - ) - ), - }) - .extendsDeep({ unknowns: 'allow' }), - { maxSize: 100 } - ), + created_at: schema.string(), + target_version: schema.string(), + error: schema.object({ + name: schema.string(), + message: schema.string(), + stack: schema.maybe(schema.string()), + }), }), - { maxSize: 100 } + { maxSize: 10 } ) ), - latestVersion: schema.maybe(schema.string()), - discovery: schema.maybe( + latest_executed_state: schema.maybe( schema.object({ - fields: schema.maybe( - schema.arrayOf(schema.object({ name: schema.string() }), { maxSize: 100 }) - ), - datasets: schema.maybe( - schema.arrayOf(schema.object({ name: schema.string() }), { maxSize: 100 }) - ), + name: schema.maybe(schema.string()), + started_at: schema.maybe(schema.string()), + error: schema.maybe(schema.string()), }) ), - }) + previous_version: schema.maybe(schema.oneOf([schema.string(), schema.literal(null)])), + rolled_back: schema.maybe(schema.boolean()), + is_rollback_ttl_expired: schema.maybe(schema.boolean()), + }, + { meta: { id: 'installation_info' } } +); + +const PackageIconSchema = schema.object( + { + path: schema.maybe(schema.string()), + src: schema.string(), + title: 
schema.maybe(schema.string()), + type: schema.maybe(schema.string()), + size: schema.maybe(schema.string()), + dark_mode: schema.maybe(schema.boolean()), + }, + { meta: { id: 'package_icon' } } +); + +export const PackageInfoSchema = schema + .object( + { + status: schema.maybe(schema.string()), + installationInfo: schema.maybe(InstallationInfoSchema), + name: schema.string(), + version: schema.string(), + description: schema.maybe(schema.string()), + title: schema.string(), + icons: schema.maybe(schema.arrayOf(PackageIconSchema, { maxSize: 100 })), + deprecated: schema.maybe(DeprecationInfoSchema), + conditions: schema.maybe( + schema.object({ + kibana: schema.maybe(schema.object({ version: schema.maybe(schema.string()) })), + elastic: schema.maybe( + schema.object({ + subscription: schema.maybe(schema.string()), + capabilities: schema.maybe(schema.arrayOf(schema.string(), { maxSize: 10 })), + }) + ), + deprecated: schema.maybe(DeprecationInfoSchema), + }) + ), + release: schema.maybe( + schema.oneOf([schema.literal('ga'), schema.literal('beta'), schema.literal('experimental')]) + ), + type: schema.maybe( + schema.oneOf([ + schema.literal('integration'), + schema.literal('input'), + schema.literal('content'), + schema.string(), + ]) + ), + path: schema.maybe(schema.string()), + download: schema.maybe(schema.string()), + internal: schema.maybe(schema.boolean()), + data_streams: schema.maybe( + schema.arrayOf(schema.recordOf(schema.string(), schema.any()), { maxSize: 1000 }) + ), + policy_templates: schema.maybe( + schema.arrayOf(schema.recordOf(schema.string(), schema.any()), { maxSize: 1000 }) + ), + categories: schema.maybe(schema.arrayOf(schema.string(), { maxSize: 100 })), + owner: schema.maybe( + schema.object({ + github: schema.maybe(schema.string()), + type: schema.maybe( + schema.oneOf([ + schema.literal('elastic'), + schema.literal('partner'), + schema.literal('community'), + ]) + ), + }) + ), + readme: schema.maybe(schema.string()), + signature_path: 
schema.maybe(schema.string()), + source: schema.maybe( + schema.object({ + license: schema.string(), + }) + ), + format_version: schema.maybe(schema.string()), + vars: schema.maybe( + schema.arrayOf(schema.recordOf(schema.string(), schema.any()), { maxSize: 1000 }) + ), + var_groups: schema.maybe( + schema.arrayOf( + schema.object({ + name: schema.string(), + title: schema.string(), + selector_title: schema.string(), + description: schema.maybe(schema.string()), + options: schema.arrayOf( + schema + .object({ + name: schema.string(), + title: schema.string(), + description: schema.maybe(schema.string()), + vars: schema.arrayOf(schema.string(), { maxSize: 100 }), + hide_in_deployment_modes: schema.maybe( + schema.arrayOf( + schema.oneOf([schema.literal('default'), schema.literal('agentless')]), + { maxSize: 2 } + ) + ), + }) + .extendsDeep({ unknowns: 'allow' }), + { maxSize: 100 } + ), + }), + { maxSize: 100 } + ) + ), + latestVersion: schema.maybe(schema.string()), + discovery: schema.maybe( + schema.object({ + fields: schema.maybe( + schema.arrayOf(schema.object({ name: schema.string() }), { maxSize: 100 }) + ), + datasets: schema.maybe( + schema.arrayOf(schema.object({ name: schema.string() }), { maxSize: 100 }) + ), + }) + ), + }, + { meta: { id: 'package_info' } } + ) // sometimes package list response contains extra properties, e.g. 
installed_kibana .extendsDeep({ unknowns: 'allow', }); -export const PackageListItemSchema = PackageInfoSchema.extends({ - id: schema.string(), - integration: schema.maybe(schema.string()), -}); +export const PackageListItemSchema = PackageInfoSchema.extends( + { + id: schema.string(), + integration: schema.maybe(schema.string()), + }, + { meta: { id: 'package_list_item' } } +); -export const GetPackagesResponseSchema = schema.object({ - items: schema.arrayOf(PackageListItemSchema, { maxSize: 10000 }), -}); +export const GetPackagesResponseSchema = schema.object( + { items: schema.arrayOf(PackageListItemSchema, { maxSize: 10000 }) }, + { meta: { id: 'get_packages_response' } } +); -export const InstalledPackageSchema = schema.object({ - name: schema.string(), - version: schema.string(), - status: schema.string(), - title: schema.maybe(schema.string()), - description: schema.maybe(schema.string()), - icons: schema.maybe(schema.arrayOf(PackageIconSchema, { maxSize: 100 })), - dataStreams: schema.arrayOf( - schema.object({ - name: schema.string(), - title: schema.string(), - }), - { maxSize: 10000 } - ), -}); +export const InstalledPackageSchema = schema.object( + { + name: schema.string(), + version: schema.string(), + status: schema.string(), + title: schema.maybe(schema.string()), + description: schema.maybe(schema.string()), + icons: schema.maybe(schema.arrayOf(PackageIconSchema, { maxSize: 100 })), + dataStreams: schema.arrayOf( + schema.object({ + name: schema.string(), + title: schema.string(), + }), + { maxSize: 10000 } + ), + }, + { meta: { id: 'installed_package' } } +); -export const GetInstalledPackagesResponseSchema = schema.object({ - items: schema.arrayOf(InstalledPackageSchema, { maxSize: 10000 }), - total: schema.number(), - searchAfter: schema.maybe( - schema.arrayOf( - schema.oneOf([ - schema.string(), - schema.number(), - schema.boolean(), - schema.literal(null), - schema.any(), - ]), - { maxSize: 2 } - ) - ), -}); +export const 
GetInstalledPackagesResponseSchema = schema.object( + { + items: schema.arrayOf(InstalledPackageSchema, { maxSize: 10000 }), + total: schema.number(), + searchAfter: schema.maybe( + schema.arrayOf( + schema.oneOf([ + schema.string(), + schema.number(), + schema.boolean(), + schema.literal(null), + schema.any(), + ]), + { maxSize: 2 } + ) + ), + }, + { meta: { id: 'get_installed_packages_response' } } +); -export const GetLimitedPackagesResponseSchema = schema.object({ - items: schema.arrayOf(schema.string(), { maxSize: 10000 }), -}); +export const GetLimitedPackagesResponseSchema = schema.object( + { items: schema.arrayOf(schema.string(), { maxSize: 10000 }) }, + { meta: { id: 'get_limited_packages_response' } } +); -export const GetStatsResponseSchema = schema.object({ - response: schema.object({ - agent_policy_count: schema.number(), - package_policy_count: schema.number(), - }), -}); +export const GetStatsResponseSchema = schema.object( + { + response: schema.object({ + agent_policy_count: schema.number(), + package_policy_count: schema.number(), + }), + }, + { meta: { id: 'get_stats_response' } } +); export const GetInputsResponseSchema = schema.oneOf([ schema.string(), - schema.object({ - inputs: schema.arrayOf( - schema.object({ - id: schema.string(), - type: schema.string(), - streams: schema.maybe( - schema.arrayOf( - schema - .object({ - id: schema.string(), - data_stream: schema.object({ - dataset: schema.string(), - type: schema.maybe(schema.string()), + schema.object( + { + inputs: schema.arrayOf( + schema.object({ + id: schema.string(), + type: schema.string(), + streams: schema.maybe( + schema.arrayOf( + schema + .object({ + id: schema.string(), + data_stream: schema.object({ + dataset: schema.string(), + type: schema.maybe(schema.string()), + }), + }) + .extendsDeep({ + unknowns: 'allow', }), - }) - .extendsDeep({ - unknowns: 'allow', - }), - { maxSize: 10000 } - ) - ), - }), - { maxSize: 10000 } - ), - ...OtelCollectorConfigSchema, - }), + { 
maxSize: 10000 } + ) + ), + }), + { maxSize: 10000 } + ), + ...OtelCollectorConfigSchema, + }, + { meta: { id: 'get_inputs_response' } } + ), ]); export const GetFileResponseSchema = schema.any(); -export const PackageMetadataSchema = schema.object({ - has_policies: schema.boolean(), -}); +export const PackageMetadataSchema = schema.object( + { has_policies: schema.boolean() }, + { meta: { id: 'package_metadata' } } +); -export const GetPackageInfoSchema = PackageInfoSchema.extends({ - assets: schema.recordOf(schema.string(), schema.maybe(schema.any())), - notice: schema.maybe(schema.string()), - licensePath: schema.maybe(schema.string()), - keepPoliciesUpToDate: schema.maybe(schema.boolean()), - license: schema.maybe(schema.string()), - screenshots: schema.maybe(schema.arrayOf(PackageIconSchema, { maxSize: 100 })), - elasticsearch: schema.maybe(schema.recordOf(schema.string(), schema.any())), - agent: schema.maybe( - schema.object({ - privileges: schema.maybe( - schema.object({ - root: schema.maybe(schema.boolean()), - }) - ), - }) - ), - asset_tags: schema.maybe( - schema.arrayOf( +export const GetPackageInfoSchema = PackageInfoSchema.extends( + { + assets: schema.recordOf(schema.string(), schema.maybe(schema.any())), + notice: schema.maybe(schema.string()), + licensePath: schema.maybe(schema.string()), + keepPoliciesUpToDate: schema.maybe(schema.boolean()), + license: schema.maybe(schema.string()), + screenshots: schema.maybe(schema.arrayOf(PackageIconSchema, { maxSize: 100 })), + elasticsearch: schema.maybe(schema.recordOf(schema.string(), schema.any())), + agent: schema.maybe( schema.object({ - text: schema.string(), - asset_types: schema.maybe(schema.arrayOf(schema.string(), { maxSize: 100 })), - asset_ids: schema.maybe(schema.arrayOf(schema.string(), { maxSize: 1000 })), - }), - { maxSize: 1000 } - ) - ), -}); + privileges: schema.maybe( + schema.object({ + root: schema.maybe(schema.boolean()), + }) + ), + }) + ), + asset_tags: schema.maybe( + 
schema.arrayOf( + schema.object({ + text: schema.string(), + asset_types: schema.maybe(schema.arrayOf(schema.string(), { maxSize: 100 })), + asset_ids: schema.maybe(schema.arrayOf(schema.string(), { maxSize: 1000 })), + }), + { maxSize: 1000 } + ) + ), + }, + { meta: { id: 'get_package_info' } } +); -export const GetInfoResponseSchema = schema.object({ - item: GetPackageInfoSchema, - metadata: schema.maybe(PackageMetadataSchema), -}); -export const GetKnowledgeBaseResponseSchema = schema.object({ - package: schema.object({ - name: schema.string(), - }), - items: schema.arrayOf( - schema.object({ - fileName: schema.string(), - content: schema.string(), - path: schema.string(), - installed_at: schema.string(), - version: schema.string(), +export const GetInfoResponseSchema = schema.object( + { + item: GetPackageInfoSchema, + metadata: schema.maybe(PackageMetadataSchema), + }, + { meta: { id: 'get_info_response' } } +); +export const GetKnowledgeBaseResponseSchema = schema.object( + { + package: schema.object({ + name: schema.string(), }), - { maxSize: 10000 } - ), -}); + items: schema.arrayOf( + schema.object({ + fileName: schema.string(), + content: schema.string(), + path: schema.string(), + installed_at: schema.string(), + version: schema.string(), + }), + { maxSize: 10000 } + ), + }, + { meta: { id: 'get_knowledge_base_response' } } +); -export const UpdatePackageResponseSchema = schema.object({ - item: GetPackageInfoSchema, -}); +export const UpdatePackageResponseSchema = schema.object( + { item: GetPackageInfoSchema }, + { meta: { id: 'update_package_response' } } +); export const AssetReferenceSchema = schema.oneOf([ KibanaAssetReferenceSchema, EsAssetReferenceSchema, ]); -export const InstallPackageResponseSchema = schema.object({ - items: schema.arrayOf(AssetReferenceSchema, { maxSize: 10000 }), - _meta: schema.object({ - install_source: schema.string(), - name: schema.string(), - }), -}); +export const InstallPackageResponseSchema = schema.object( + { + 
items: schema.arrayOf(AssetReferenceSchema, { maxSize: 10000 }), + _meta: schema.object({ + install_source: schema.string(), + name: schema.string(), + }), + }, + { meta: { id: 'install_package_response' } } +); -export const InstallKibanaAssetsResponseSchema = schema.object({ - success: schema.boolean(), -}); +export const InstallKibanaAssetsResponseSchema = schema.object( + { success: schema.boolean() }, + { meta: { id: 'install_kibana_assets_response' } } +); -export const DeletePackageDatastreamAssetsResponseSchema = schema.object({ - success: schema.boolean(), -}); +export const DeletePackageDatastreamAssetsResponseSchema = schema.object( + { success: schema.boolean() }, + { meta: { id: 'delete_package_datastream_assets_response' } } +); export const BulkInstallPackagesResponseItemSchema = schema.oneOf([ - schema.object({ - name: schema.string(), - version: schema.string(), - result: schema.object({ - assets: schema.maybe(schema.arrayOf(AssetReferenceSchema, { maxSize: 10000 })), - status: schema.maybe( - schema.oneOf([schema.literal('installed'), schema.literal('already_installed')]) - ), - error: schema.maybe(schema.any()), - installType: schema.string(), - installSource: schema.maybe(schema.string()), - }), - }), - schema.object({ - name: schema.string(), - statusCode: schema.number(), - error: schema.oneOf([schema.string(), schema.any()]), - }), + schema.object( + { + name: schema.string(), + version: schema.string(), + result: schema.object({ + assets: schema.maybe(schema.arrayOf(AssetReferenceSchema, { maxSize: 10000 })), + status: schema.maybe( + schema.oneOf([schema.literal('installed'), schema.literal('already_installed')]) + ), + error: schema.maybe(schema.any()), + installType: schema.string(), + installSource: schema.maybe(schema.string()), + }), + }, + { meta: { id: 'bulk_install_packages_response_item_success' } } + ), + schema.object( + { + name: schema.string(), + statusCode: schema.number(), + error: schema.oneOf([schema.string(), 
schema.any()]), + }, + { meta: { id: 'bulk_install_packages_response_item_error' } } + ), ]); -export const BulkInstallPackagesFromRegistryResponseSchema = schema.object({ - items: schema.arrayOf(BulkInstallPackagesResponseItemSchema, { maxSize: 10000 }), -}); +export const BulkInstallPackagesFromRegistryResponseSchema = schema.object( + { items: schema.arrayOf(BulkInstallPackagesResponseItemSchema, { maxSize: 10000 }) }, + { meta: { id: 'bulk_install_packages_from_registry_response' } } +); + +export const BulkUpgradePackagesResponseSchema = schema.object( + { taskId: schema.string() }, + { meta: { id: 'bulk_upgrade_packages_response' } } +); -export const BulkUpgradePackagesResponseSchema = schema.object({ taskId: schema.string() }); +export const BulkRollbackPackagesResponseSchema = schema.object( + { taskId: schema.string() }, + { meta: { id: 'bulk_rollback_packages_response' } } +); + +export const GetOneBulkOperationPackagesResponseSchema = schema.object( + { + status: schema.string(), + error: schema.maybe(schema.object({ message: schema.string() })), + results: schema.maybe( + schema.arrayOf( + schema.object({ + name: schema.string(), + success: schema.boolean(), + error: schema.maybe(schema.object({ message: schema.string() })), + }), + { maxSize: 10000 } + ) + ), + }, + { meta: { id: 'get_one_bulk_operation_packages_response' } } +); -export const BulkRollbackPackagesResponseSchema = schema.object({ taskId: schema.string() }); +export const DeletePackageResponseSchema = schema.object( + { items: schema.arrayOf(AssetReferenceSchema, { maxSize: 10000 }) }, + { meta: { id: 'delete_package_response' } } +); -export const GetOneBulkOperationPackagesResponseSchema = schema.object({ - status: schema.string(), - error: schema.maybe(schema.object({ message: schema.string() })), - results: schema.maybe( - schema.arrayOf( +export const GetVerificationKeyIdResponseSchema = schema.object( + { id: schema.oneOf([schema.string(), schema.literal(null)]) }, + { meta: { id: 
'get_verification_key_id_response' } } +); + +export const GetDataStreamsResponseSchema = schema.object( + { + items: schema.arrayOf( schema.object({ name: schema.string(), - success: schema.boolean(), - error: schema.maybe(schema.object({ message: schema.string() })), }), { maxSize: 10000 } - ) - ), -}); - -export const DeletePackageResponseSchema = schema.object({ - items: schema.arrayOf(AssetReferenceSchema, { maxSize: 10000 }), -}); - -export const GetVerificationKeyIdResponseSchema = schema.object({ - id: schema.oneOf([schema.string(), schema.literal(null)]), -}); - -export const GetDataStreamsResponseSchema = schema.object({ - items: schema.arrayOf( - schema.object({ - name: schema.string(), - }), - { maxSize: 10000 } - ), -}); + ), + }, + { meta: { id: 'get_data_streams_response' } } +); -export const GetBulkAssetsResponseSchema = schema.object({ - items: schema.arrayOf( - schema.object({ - appLink: schema.maybe(schema.string()), - id: schema.string(), - type: schema.string(), - updatedAt: schema.maybe(schema.string()), - attributes: schema.object({ - service: schema.maybe(schema.string()), - title: schema.maybe(schema.string()), - description: schema.maybe(schema.string()), +export const GetBulkAssetsResponseSchema = schema.object( + { + items: schema.arrayOf( + schema.object({ + appLink: schema.maybe(schema.string()), + id: schema.string(), + type: schema.string(), + updatedAt: schema.maybe(schema.string()), + attributes: schema.object({ + service: schema.maybe(schema.string()), + title: schema.maybe(schema.string()), + description: schema.maybe(schema.string()), + }), }), - }), - { maxSize: 10000 } - ), -}); + { maxSize: 10000 } + ), + }, + { meta: { id: 'get_bulk_assets_response' } } +); export const ReauthorizeTransformResponseSchema = schema.arrayOf( schema.object({ 
@@ -532,10 +608,13 @@ export const ReauthorizeTransformResponseSchema = schema.arrayOf( { maxSize: 10000 } ); -export const RollbackPackageResponseSchema = schema.object({ - version: schema.string(), - success: schema.boolean(), -}); +export const RollbackPackageResponseSchema = schema.object( + { + version: schema.string(), + success: schema.boolean(), + }, + { meta: { id: 'rollback_package_response' } } +); export const GetInstalledPackagesRequestSchema = { query: schema.object({ 
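Review bot: Nothing visible enforces that the `meta.id` literal added here (`'rollback_package_response'`), or any of the ids added in the other hunks of this patch, is unique across the Fleet schemas; the generated OpenAPI presumably keys a shared component by this id, so two schemas choosing the same string would collide in the emitted spec instead of failing at build time. Because every id is a hand-typed string per schema, a small test that walks the exported request/response schemas and asserts no duplicate `meta.id` (or an equivalent lint rule) would catch a collision before the api-docs step regenerates the yaml. This is inferred from how the ids are used, not from anything shown in the hunk.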
@@ -671,39 +750,45 @@ export const GetKnowledgeBaseRequestSchema = { }; export const GetBulkAssetsRequestSchema = { - body: schema.object({ - assetIds: schema.arrayOf(schema.object({ id: schema.string(), type: schema.string() }), { - maxSize: 10000, - }), - }), + body: schema.object( + { + assetIds: schema.arrayOf(schema.object({ id: schema.string(), type: schema.string() }), { + maxSize: 10000, + }), + }, + { meta: { id: 'get_bulk_assets_request' } } + ), }; export const UpdatePackageRequestSchema = { params: PackageVersionRequestParamsSchema, - body: schema.object({ - keepPoliciesUpToDate: schema.maybe(schema.boolean()), - namespace_customization_enabled_for: schema.maybe( - schema.arrayOf( - schema.string({ - validate: (v) => { - if (!v.length) { - return 'Must not be empty'; - } - if (!/^[a-z0-9_]+$/.test(v)) { - return 'Must only contain lowercase letters, numbers, and underscores'; - } - }, - }), - { - maxSize: 100, - meta: { - description: - 'Namespaces for which namespace-level customization is enabled on this package.', - }, - } - ) - ), - }), + body: schema.object( + { + keepPoliciesUpToDate: schema.maybe(schema.boolean()), + namespace_customization_enabled_for: schema.maybe( + schema.arrayOf( + schema.string({ + validate: (v) => { + if (!v.length) { + return 'Must not be empty'; + } + if (!/^[a-z0-9_]+$/.test(v)) { + return 'Must only contain lowercase letters, numbers, and underscores'; + } + }, + }), + { + maxSize: 100, + meta: { + description: + 'Namespaces for which namespace-level customization is enabled on this package.', + }, + } + ) + ), + }, + { meta: { id: 'update_package_request' } } + ), }; export const UpdatePackageWithoutVersionRequestSchema = { 
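Review bot: The namespace validator in `UpdatePackageRequestSchema.body` (`validate: (v) => { if (!v.length) { return 'Must not be empty'; } if (!/^[a-z0-9_]+$/.test(v)) { … } }`) is duplicated verbatim in the `@@ -712` hunk for `BulkNamespaceCustomizationRequestSchema.enable`, so the two rules can silently drift the next time one of them is edited. Extracting one `NamespaceNameSchema` and reusing it in both places keeps the rule in a single spot; the `!v.length` branch is also redundant because the anchored `+` regex already rejects the empty string, although the distinct message may be deliberate. The regex is anchored with no nested quantifiers, so it is not a ReDoS concern and can stay as is.
```typescript
// Single source of truth for user-supplied namespace names; both the
// update-package and bulk-customization request bodies reuse it.
const NamespaceNameSchema = schema.string({
  validate: (v) => {
    if (!v.length) {
      return 'Must not be empty';
    }
    if (!/^[a-z0-9_]+$/.test(v)) {
      return 'Must only contain lowercase letters, numbers, and underscores';
    }
  },
});

      namespace_customization_enabled_for: schema.maybe(
        schema.arrayOf(NamespaceNameSchema, {
          // … unchanged: maxSize / meta.description …
        })
      ),
```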
@@ -712,64 +797,71 @@ export const UpdatePackageWithoutVersionRequestSchema = { }; export const BulkNamespaceCustomizationRequestSchema = { - body: schema.object({ - packages: schema.arrayOf(schema.string(), { - minSize: 1, - maxSize: 1000, - meta: { - description: 'Package names to apply the customization changes to.', - }, - }), - enable: schema.maybe( - schema.arrayOf( - schema.string({ - validate: (v) => { - if (!v.length) { - return 'Must not be empty'; - } - if (!/^[a-z0-9_]+$/.test(v)) { - return 'Must only contain lowercase letters, numbers, and underscores'; - } - }, - }), - { - maxSize: 100, - meta: { - description: 'Namespaces to enable namespace-level customization for on each package.', - }, - } - ) - ), - disable: schema.maybe( - schema.arrayOf(schema.string(), { - maxSize: 100, + body: schema.object( + { + packages: schema.arrayOf(schema.string(), { + minSize: 1, + maxSize: 1000, meta: { - description: 'Namespaces to disable namespace-level customization for on each package.', + description: 'Package names to apply the customization changes to.', }, - }) - ), - }), -}; - -export const BulkNamespaceCustomizationResponseSchema = schema.object({ - items: schema.arrayOf( - schema.object({ - name: schema.string(), - success: schema.boolean(), - namespace_customization_enabled_for: schema.maybe( + }), + enable: schema.maybe( + schema.arrayOf( + schema.string({ + validate: (v) => { + if (!v.length) { + return 'Must not be empty'; + } + if (!/^[a-z0-9_]+$/.test(v)) { + return 'Must only contain lowercase letters, numbers, and underscores'; + } + }, + }), + { + maxSize: 100, + meta: { + description: + 'Namespaces to enable namespace-level customization for on each package.', + }, + } + ) + ), + disable: schema.maybe( schema.arrayOf(schema.string(), { maxSize: 100, meta: { - description: - 'The opt-in list on the package. 
Returned whenever the package is installed: the new list on success, or the unchanged list when the request is rejected (for example, because of a namespace-prefix restriction).', + description: 'Namespaces to disable namespace-level customization for on each package.', }, }) ), - error: schema.maybe(schema.string()), - }), - { maxSize: 1000 } + }, + { meta: { id: 'bulk_namespace_customization_request' } } ), -}); +}; + +export const BulkNamespaceCustomizationResponseSchema = schema.object( + { + items: schema.arrayOf( + schema.object({ + name: schema.string(), + success: schema.boolean(), + namespace_customization_enabled_for: schema.maybe( + schema.arrayOf(schema.string(), { + maxSize: 100, + meta: { + description: + 'The opt-in list on the package. Returned whenever the package is installed: the new list on success, or the unchanged list when the request is rejected (for example, because of a namespace-prefix restriction).', + }, + }) + ), + error: schema.maybe(schema.string()), + }), + { maxSize: 1000 } + ), + }, + { meta: { id: 'bulk_namespace_customization_response' } } +); export const ReviewUpgradeRequestSchema = { params: schema.object({ 
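Review bot: In `BulkNamespaceCustomizationRequestSchema.body`, the `disable` list is `schema.arrayOf(schema.string(), { maxSize: 100, … })` while `enable` runs every entry through the non-empty `/^[a-z0-9_]+$/` validator, so a value that could never have been enabled (empty, upper-case, containing spaces or wildcards) is accepted on the disable path. Whether that matters depends on how the route handler uses the list, which is not visible here, but validating both lists with the same rule at the boundary is cheaper than reasoning about it downstream: hoist the `validate` callback used by `enable` into a local (say `validateNamespaceName`) and write `disable: schema.maybe(schema.arrayOf(schema.string({ validate: validateNamespaceName }), { maxSize: 100, meta: { description: 'Namespaces to disable namespace-level customization for on each package.' } }))`. The rest of the hunk only re-indents `BulkNamespaceCustomizationResponseSchema` and needs no change.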
@@ -777,19 +869,23 @@ export const ReviewUpgradeRequestSchema = { meta: { description: 'Package name to review upgrade for' }, }), }), - body: schema.object({ - action: schema.oneOf([ - schema.literal('accept'), - schema.literal('decline'), - schema.literal('pending'), - ]), - target_version: schema.string(), - }), + body: schema.object( + { + action: schema.oneOf([ + schema.literal('accept'), + schema.literal('decline'), + schema.literal('pending'), + ]), + target_version: schema.string(), + }, + { meta: { id: 'review_upgrade_request' } } + ), }; -export const ReviewUpgradeResponseSchema = schema.object({ - success: schema.boolean(), -}); +export const ReviewUpgradeResponseSchema = schema.object( + { success: schema.boolean() }, + { meta: { id: 'review_upgrade_response' } } +); export const GetStatsRequestSchema = { params: schema.object({ @@ -804,16 +900,19 @@ export const GetDependenciesRequestSchema = { }), }; -export const GetDependenciesResponseSchema = schema.object({ - items: schema.arrayOf( - schema.object({ - name: schema.string(), - version: schema.string(), - title: schema.string(), - }), - { maxSize: 1000 } - ), -}); +export const GetDependenciesResponseSchema = schema.object( + { + items: schema.arrayOf( + schema.object({ + name: schema.string(), + version: schema.string(), + title: schema.string(), + }), + { maxSize: 1000 } + ), + }, + { meta: { id: 'get_dependencies_response' } } +); export const InstallPackageFromRegistryRequestSchema = { params: PackageVersionRequestParamsSchema, @@ -837,10 +936,13 @@ export const InstallPackageFromRegistryRequestSchema = { }), }), body: schema.nullable( - schema.object({ - force: schema.boolean({ defaultValue: false }), - ignore_constraints: schema.boolean({ defaultValue: false }), - }) + schema.object( + { + force: schema.boolean({ defaultValue: false }), + ignore_constraints: schema.boolean({ defaultValue: false }), + }, + { meta: { id: 'install_package_from_registry_request' } } + ) ), }; 
@@ -860,9 +962,14 @@ export const ReauthorizeTransformRequestSchema = { schema.boolean({ meta: { description: 'When true, allow prerelease versions' } }) ), }), - body: schema.object({ - transforms: schema.arrayOf(schema.object({ transformId: schema.string() }), { maxSize: 1000 }), - }), + body: schema.object( + { + transforms: schema.arrayOf(schema.object({ transformId: schema.string() }), { + maxSize: 1000, + }), + }, + { meta: { id: 'reauthorize_transform_request' } } + ), }; export const BulkInstallPackagesFromRegistryRequestSchema = { @@ -871,20 +978,23 @@ export const BulkInstallPackagesFromRegistryRequestSchema = { schema.boolean({ meta: { description: 'When true, allow installing prerelease versions' } }) ), }), - body: schema.object({ - packages: schema.arrayOf( - schema.oneOf([ - schema.string(), - schema.object({ - name: schema.string(), - version: schema.string(), - prerelease: schema.maybe(schema.boolean()), - }), - ]), - { minSize: 1, maxSize: 1000 } - ), - force: schema.boolean({ defaultValue: false }), - }), + body: schema.object( + { + packages: schema.arrayOf( + schema.oneOf([ + schema.string(), + schema.object({ + name: schema.string(), + version: schema.string(), + prerelease: schema.maybe(schema.boolean()), + }), + ]), + { minSize: 1, maxSize: 1000 } + ), + force: schema.boolean({ defaultValue: false }), + }, + { meta: { id: 'bulk_install_packages_from_registry_request' } } + ), }; export const GetOneBulkOperationPackagesRequestSchema = { 
@@ -898,46 +1008,55 @@ export const GetOneBulkOperationPackagesRequestSchema = { }; export const BulkUpgradePackagesRequestSchema = { - body: schema.object({ - packages: schema.arrayOf( - schema.object({ - name: schema.string(), - version: schema.maybe(schema.string()), - }), - { minSize: 1, maxSize: 1000 } - ), - prerelease: schema.maybe(schema.boolean()), - force: schema.boolean({ defaultValue: false }), - upgrade_package_policies: schema.boolean({ defaultValue: false }), - }), + body: schema.object( + { + packages: schema.arrayOf( + schema.object({ + name: schema.string(), + version: schema.maybe(schema.string()), + }), + { minSize: 1, maxSize: 1000 } + ), + prerelease: schema.maybe(schema.boolean()), + force: schema.boolean({ defaultValue: false }), + upgrade_package_policies: schema.boolean({ defaultValue: false }), + }, + { meta: { id: 'bulk_upgrade_packages_request' } } + ), }; export const BulkUninstallPackagesRequestSchema = { - body: schema.object({ - packages: schema.arrayOf( - schema.object({ - name: schema.string(), - version: schema.string(), - }), - { minSize: 1, maxSize: 1000 } - ), - force: schema.boolean({ defaultValue: false }), - }), + body: schema.object( + { + packages: schema.arrayOf( + schema.object({ + name: schema.string(), + version: schema.string(), + }), + { minSize: 1, maxSize: 1000 } + ), + force: schema.boolean({ defaultValue: false }), + }, + { meta: { id: 'bulk_uninstall_packages_request' } } + ), }; export const BulkRollbackPackagesRequestSchema = { - body: schema.object({ - packages: schema.arrayOf( - schema.object({ - name: schema.string({ - meta: { - description: 'Package name to rollback', - }, + body: schema.object( + { + packages: schema.arrayOf( + schema.object({ + name: schema.string({ + meta: { + description: 'Package name to rollback', + }, + }), }), - }), - { minSize: 1, maxSize: 1000 } - ), - }), + { minSize: 1, maxSize: 1000 } + ), + }, + { meta: { id: 'bulk_rollback_packages_request' } } + ), }; export const 
InstallPackageByUploadRequestSchema = { @@ -955,23 +1074,26 @@ export const InstallPackageByUploadRequestSchema = { }; export const CreateCustomIntegrationRequestSchema = { - body: schema.object({ - integrationName: schema.string(), - datasets: schema.arrayOf( - schema.object({ - name: schema.string(), - type: schema.oneOf([ - schema.literal('logs'), - schema.literal('metrics'), - schema.literal('traces'), - schema.literal('synthetics'), - schema.literal('profiling'), - ]), - }), - { maxSize: 10 } - ), - force: schema.maybe(schema.boolean()), - }), + body: schema.object( + { + integrationName: schema.string(), + datasets: schema.arrayOf( + schema.object({ + name: schema.string(), + type: schema.oneOf([ + schema.literal('logs'), + schema.literal('metrics'), + schema.literal('traces'), + schema.literal('synthetics'), + schema.literal('profiling'), + ]), + }), + { maxSize: 10 } + ), + force: schema.maybe(schema.boolean()), + }, + { meta: { id: 'create_custom_integration_request' } } + ), }; export const DeletePackageRequestSchema = { @@ -998,19 +1120,22 @@ export const InstallKibanaAssetsRequestSchema = { pkgVersion: schema.string({ meta: { description: 'Package version' } }), }), body: schema.nullable( - schema.object({ - force: schema.maybe(schema.boolean()), - space_ids: schema.maybe( - schema.arrayOf(schema.string(), { - minSize: 1, - maxSize: 100, - meta: { - description: - 'When provided install assets in the specified spaces instead of the current space.', - }, - }) - ), - }) + schema.object( + { + force: schema.maybe(schema.boolean()), + space_ids: schema.maybe( + schema.arrayOf(schema.string(), { + minSize: 1, + maxSize: 100, + meta: { + description: + 'When provided install assets in the specified spaces instead of the current space.', + }, + }) + ), + }, + { meta: { id: 'install_kibana_assets_request' } } + ) ), }; 
@@ -1020,9 +1145,12 @@ export const InstallRuleAssetsRequestSchema = { pkgVersion: schema.string({ meta: { description: 'Package version' } }), }), body: schema.nullable( - schema.object({ - force: schema.maybe(schema.boolean()), - }) + schema.object( + { + force: schema.maybe(schema.boolean()), + }, + { meta: { id: 'install_rule_assets_request' } } + ) ), }; diff --git a/x-pack/platform/plugins/shared/fleet/server/types/rest_spec/package_policy.ts b/x-pack/platform/plugins/shared/fleet/server/types/rest_spec/package_policy.ts index 0cce483f75ce8..8d3e28990b425 100644 --- a/x-pack/platform/plugins/shared/fleet/server/types/rest_spec/package_policy.ts +++ b/x-pack/platform/plugins/shared/fleet/server/types/rest_spec/package_policy.ts @@ -86,9 +86,10 @@ export const BulkGetPackagePoliciesRequestSchema = { }), }; -export const BulkGetPackagePoliciesResponseBodySchema = schema.object({ - items: schema.arrayOf(PackagePolicyResponseSchema, { maxSize: 10000 }), -}); +export const BulkGetPackagePoliciesResponseBodySchema = schema.object( + { items: schema.arrayOf(PackagePolicyResponseSchema, { maxSize: 10000 }) }, + { meta: { id: 'bulk_get_package_policies_response' } } +); export const GetOnePackagePolicyRequestSchema = { params: schema.object({ @@ -121,9 +122,10 @@ export const CreatePackagePolicyRequestSchema = { }), }; -export const CreatePackagePolicyResponseSchema = schema.object({ - item: PackagePolicyResponseSchema, -}); +export const CreatePackagePolicyResponseSchema = schema.object( + { item: PackagePolicyResponseSchema }, + { meta: { id: 'create_package_policy_response' } } +); export const UpdatePackagePolicyRequestSchema = { ...GetOnePackagePolicyRequestSchema, 
@@ -141,10 +143,13 @@ export const UpdatePackagePolicyRequestSchema = { }; export const DeletePackagePoliciesRequestSchema = { - body: schema.object({ - packagePolicyIds: schema.arrayOf(schema.string(), { maxSize: 1000 }), - force: schema.maybe(schema.boolean()), - }), + body: schema.object( + { + packagePolicyIds: schema.arrayOf(schema.string(), { maxSize: 1000 }), + force: schema.maybe(schema.boolean()), + }, + { meta: { id: 'delete_package_policies_request' } } + ), }; export const DeletePackagePoliciesResponseBodySchema = schema.arrayOf( @@ -180,14 +185,16 @@ export const DeleteOnePackagePolicyRequestSchema = { }), }; -export const DeleteOnePackagePolicyResponseSchema = schema.object({ - id: schema.string(), -}); +export const DeleteOnePackagePolicyResponseSchema = schema.object( + { id: schema.string() }, + { meta: { id: 'delete_one_package_policy_response' } } +); export const UpgradePackagePoliciesRequestSchema = { - body: schema.object({ - packagePolicyIds: schema.arrayOf(schema.string(), { maxSize: 1000 }), - }), + body: schema.object( + { packagePolicyIds: schema.arrayOf(schema.string(), { maxSize: 1000 }) }, + { meta: { id: 'upgrade_package_policies_request' } } + ), }; export const UpgradePackagePoliciesResponseBodySchema = schema.arrayOf( @@ -196,10 +203,13 @@ export const UpgradePackagePoliciesResponseBodySchema = schema.arrayOf( ); export const DryRunPackagePoliciesRequestSchema = { - body: schema.object({ - packagePolicyIds: schema.arrayOf(schema.string(), { maxSize: 1000 }), - packageVersion: schema.maybe(schema.string()), - }), + body: schema.object( + { + packagePolicyIds: schema.arrayOf(schema.string(), { maxSize: 1000 }), + packageVersion: schema.maybe(schema.string()), + }, + { meta: { id: 'dry_run_package_policies_request' } } + ), }; export const DryRunPackagePoliciesResponseBodySchema = schema.arrayOf( From a6e7af90b13015579fda26609b36a27a98f49442 Mon Sep 17 00:00:00 2001 
From: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Date: Fri, 22 May 2026 09:40:48 +0000 Subject: [PATCH 2/7] Changes from node scripts/jest_integration -u src/core/server/integration_tests/ci_checks --- .../check_registered_types.test.ts | 32 +++++++++---------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/src/core/server/integration_tests/ci_checks/saved_objects/check_registered_types.test.ts b/src/core/server/integration_tests/ci_checks/saved_objects/check_registered_types.test.ts index e3cf2c0f61061..f54d8e7463cd4 100644 --- a/src/core/server/integration_tests/ci_checks/saved_objects/check_registered_types.test.ts +++ b/src/core/server/integration_tests/ci_checks/saved_objects/check_registered_types.test.ts 
@@ -105,11 +105,11 @@ describe('checking migration metadata changes on all registered SO types', () =>
 "file": "5d2da4f1b03f551745b938f4e71b3d328bb65d3ff5ed89ae42a66240fa358346",
 "file-upload-usage-collection-telemetry": "d6d7e6f366e33ec93a4996229e44d32aea97e04f696259b9915c0d21001ff698",
 "fileShare": "5f3b4cb0a3aa1d3b03f31b2f0741baa548068f2ec478b8632ef4f02cb65f2b75",
- "fleet-agent-policies": "0afcc3826e53382b6b0cf9c1ae6013666508d85647a997ffb0fc561bcf5d8087",
+ "fleet-agent-policies": "ecb6e5990c46caf46dc7e8323e3f4a5a772cf4d0a3e4e0f148d40e44a7054114",
 "fleet-cloud-connector": "d7ca8a3de46fc3bc440514943649cb14af6d111b7f490b18f8e34e444b4ed3fa",
 "fleet-fleet-server-host": "edbc06c4a73586e7820549ab481244989af89ba9191b002cce97d0843a01008e",
 "fleet-message-signing-keys": "67aecd34e081183b2a99cc1451583977e4ad918074dc5b1579cc4b23750d3829",
- "fleet-package-policies": "04d5e251e1b1e0453a1ab91f7776527512d55af5609c612f3fbef3e832cb27ed",
+ "fleet-package-policies": "5e3e325e40e9470326338bb9aaffd65bf64620d515fcc93ea12abfb6d64862cc",
 "fleet-preconfiguration-deletion-record": "1154f80d0ef53014ea52c7642131e31365f86909e93b265e7f38c2c317c645cf",
 "fleet-proxy": "b38a96aa9da6664ff35cd67c4470e0280dbd4b07e8d063a71d6e97dc077d9be4",
 "fleet-setup-lock": "df3c142ba8907c8ccf004d2240c79d476a70946db092ab4c485d3eb1a3f5bb82",
@@ -122,10 +122,10 @@ describe('checking migration metadata changes on all registered SO types', () =>
 "infra-custom-dashboards": "1287737d9b23b8559bf442dafe4275039c5a44969421c5d25b3f1ee60b030d5b",
 "infrastructure-monitoring-log-view": "a15ae1d2c400f2ea175cd407705dccd85178f9db82def8137b24c4ee4a489ae9",
 "infrastructure-ui-source": "498c2ba7abd4329a0d8b40efd98b4b16991107512d38141707f9f2e10521b367",
- "ingest-agent-policies": "cab3f6654c1f88ce32182a99d996ef2902ea1157cb6a029bf82b9f227cf547a1",
+ "ingest-agent-policies": "1966acba3d49b5057979b1c8518e359be28e7f21450f75a6ad9246dc334f5f95",
 "ingest-download-sources": "c87e062ef293585e85fccec0c865d7cef48e0ff9a919d7781d5f7627d275484b",
 "ingest-outputs": "b377c664edc65976f10f339f4b26271b2d238df90f7c5dd126b0c825926486b9",
- "ingest-package-policies": "cb0d8ad6bdfe0c5dec513250f604a74d79d06232d4b1ab873cd26cca1a57197e",
+ "ingest-package-policies": "3ed764ce00afcaf68baa3054484bb73ebf82124bd25edaa88f72b131545b6be2",
 "ingest_manager_settings": "d7f88bef81425b890d9d277acd01423556e804269c9e405aeced2629b55695b4",
 "integration-config": "8fecaf29e55097075e6d8927bf8353ca3cfa8bc9e352389411da05b31ae704e0",
 "intercept_interaction_record": "d7cb1aad5a2e5f459aa1fea81337ab206987845814dc14f151645d3be13cb293",
@@ -733,10 +733,10 @@ describe('checking migration metadata changes on all registered SO types', () =>
 "fleet-agent-policies|global: 21f06d2abf533c0fb63934a6229bd7b0ce7ed97b",
 "fleet-agent-policies|mappings: 7a6aef21c517facd41e5df4c7fa7f66d1ef68829",
 "fleet-agent-policies|schemas: da39a3ee5e6b4b0d3255bfef95601890afd80709",
- "fleet-agent-policies|10.6.0: 153249e09dcbaed854657aeecffe317f2f0b1661d38054454707c7454c830b50",
- "fleet-agent-policies|10.5.0: 2f09dc81c8398b0e02589491da420a0a5f159001cc5427ec754ce9f0d788cb4b",
- "fleet-agent-policies|10.4.0: 4d8f31802678cc675f596f4ac3f9f50e6691dbce1c5b7c7a9d84c436775d57ed",
- "fleet-agent-policies|10.3.0: f45d663cb22d804a33eb71c380faf44efbbfa0ca92cd8aa0c62fcae92919080c",
+ "fleet-agent-policies|10.6.0: 5fa3667a0a1e89df4d1c7580d12df95436a3fc66b452d1a023c8d0556c6c51b7",
+ "fleet-agent-policies|10.5.0: 3499a78b02a6673e934b0384511550e61fd215ed71613dc194936424b4395682",
+ "fleet-agent-policies|10.4.0: 81bcc7106027cc8a1ad698984e2600504983662db6fe948664f5c39bc76ae8a9",
+ "fleet-agent-policies|10.3.0: a4b4f6078a638dffd52c7cf7499508da1222d2e4ce9717b52f6248ce07dee499",
 "fleet-agent-policies|10.2.0: b0042f8a6c0373d27acc94bb2ddc913c1d2f8847961d8b75b0c99b2b4ce71b2c",
 "fleet-agent-policies|10.1.0: 7fce3be244f92bb99b17c8757c39a49aec078ff90cae70971e42e202a574348c",
 "=============================================================================================",
@@ -761,8 +761,8 @@ describe('checking migration metadata changes on all registered SO types', () =>
 "fleet-package-policies|global: b8c5158782fe91d5a5636274dee693a6fef2e457",
 "fleet-package-policies|mappings: fb3acda96f9119aa483b39736c9a07da565b8489",
 "fleet-package-policies|schemas: da39a3ee5e6b4b0d3255bfef95601890afd80709",
- "fleet-package-policies|10.9.0: 89356f02be60fa90201796fb74afd808b4b60d5b20ef15568988a91e5304555b",
- "fleet-package-policies|10.8.0: 63afabdb9ed904ad1240d75a808166a98bc23ca9c36851e2262b4507bfa5513e",
+ "fleet-package-policies|10.9.0: 01adf547740d19d4134ead49770dad5f35ce016dd458ebae9c71495a7ef91085",
+ "fleet-package-policies|10.8.0: 90b33361501dedad67f46df03095e48c18673a7c4fffaf19e88512e700b4709c",
 "fleet-package-policies|10.7.0: 175fe637899f2c70d1c5e2b2dbe459962d4b7048367b9930d393f280222093cf",
 "fleet-package-policies|10.6.0: ef0c3e9699868aa625f197708fda2114eac175a8d3c0f2984634102adf61cb15",
 "fleet-package-policies|10.5.0: d60de40b75a31ee199487f5a53329033afbfc78767c42d16d987e95173df9516",
@@ -839,10 +839,10 @@ describe('checking migration metadata changes on all registered SO types', () =>
 "ingest-agent-policies|global: c3b43ce09de4bc7883a7ef73aec64d7d679b28d2",
 "ingest-agent-policies|mappings: ebeefa360c807146ea4645800fedad0869063ac1",
 "ingest-agent-policies|schemas: da39a3ee5e6b4b0d3255bfef95601890afd80709",
- "ingest-agent-policies|10.11.0: 153249e09dcbaed854657aeecffe317f2f0b1661d38054454707c7454c830b50",
- "ingest-agent-policies|10.10.0: 2f09dc81c8398b0e02589491da420a0a5f159001cc5427ec754ce9f0d788cb4b",
- "ingest-agent-policies|10.9.0: 4d8f31802678cc675f596f4ac3f9f50e6691dbce1c5b7c7a9d84c436775d57ed",
- "ingest-agent-policies|10.8.0: f45d663cb22d804a33eb71c380faf44efbbfa0ca92cd8aa0c62fcae92919080c",
+ "ingest-agent-policies|10.11.0: 5fa3667a0a1e89df4d1c7580d12df95436a3fc66b452d1a023c8d0556c6c51b7",
+ "ingest-agent-policies|10.10.0: 3499a78b02a6673e934b0384511550e61fd215ed71613dc194936424b4395682",
+ "ingest-agent-policies|10.9.0: 81bcc7106027cc8a1ad698984e2600504983662db6fe948664f5c39bc76ae8a9",
+ "ingest-agent-policies|10.8.0: a4b4f6078a638dffd52c7cf7499508da1222d2e4ce9717b52f6248ce07dee499",
 "ingest-agent-policies|10.7.0: b0042f8a6c0373d27acc94bb2ddc913c1d2f8847961d8b75b0c99b2b4ce71b2c",
 "ingest-agent-policies|10.6.0: 5cb51278f489660ab671e971b91569729d498aae1feaceeca2c2f57c93246b65",
 "ingest-agent-policies|10.5.0: 7fce3be244f92bb99b17c8757c39a49aec078ff90cae70971e42e202a574348c",
@@ -880,8 +880,8 @@ describe('checking migration metadata changes on all registered SO types', () =>
 "ingest-package-policies|global: a89e06415e12609fa3575379d06ab1b542da6f04",
 "ingest-package-policies|mappings: fb3acda96f9119aa483b39736c9a07da565b8489",
 "ingest-package-policies|schemas: da39a3ee5e6b4b0d3255bfef95601890afd80709",
- "ingest-package-policies|10.23.0: 35593d9ec9def3cd57253e632160ac7f5b2390ad4bb1f0687b1a8a5d526b5205",
- "ingest-package-policies|10.22.0: 63afabdb9ed904ad1240d75a808166a98bc23ca9c36851e2262b4507bfa5513e",
+ "ingest-package-policies|10.23.0: a3906cfe2257a6c7175fae55c7b4189c57458a4480647dd8fd5972b9f5ee45c3",
+ "ingest-package-policies|10.22.0: 90b33361501dedad67f46df03095e48c18673a7c4fffaf19e88512e700b4709c",
 "ingest-package-policies|10.21.0: 175fe637899f2c70d1c5e2b2dbe459962d4b7048367b9930d393f280222093cf",
 "ingest-package-policies|10.20.0: 522700650b5a10db91d2337e8b82582841a3884049e40c20525aed0a1e1f475e",
 "ingest-package-policies|10.19.0: d60de40b75a31ee199487f5a53329033afbfc78767c42d16d987e95173df9516",
From 4c74cf297a22b08423f85ec1ae98f34d2146c456 Mon Sep 17 00:00:00 2001
From: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Date: Fri, 22 May 2026 10:02:17 +0000
Subject: [PATCH 3/7] Changes from make api-docs
---
 oas_docs/output/kibana.serverless.yaml | 38798 ++++++++--------------
 oas_docs/output/kibana.yaml | 39130 ++++++++---------------
 2 files changed, 27940 insertions(+), 49988 deletions(-)
diff --git a/oas_docs/output/kibana.serverless.yaml b/oas_docs/output/kibana.serverless.yaml
index f2766644ee1aa..d5337eccdc994 100644
--- a/oas_docs/output/kibana.serverless.yaml
+++ b/oas_docs/output/kibana.serverless.yaml
@@ -28019,857 +28019,7 @@ paths: properties: items: items: - additionalProperties: false - type: object - properties: - advanced_settings: - additionalProperties: false - type: object - properties: - agent_download_target_directory: - nullable: true - agent_download_timeout: - nullable: true - agent_features_disable_policy_change_acks_enabled: - nullable: true - agent_internal: - nullable: true - agent_limits_go_max_procs: - nullable: true - agent_logging_files_interval: - nullable: true - agent_logging_files_keepfiles: - nullable: true - agent_logging_files_rotateeverybytes: - nullable: true - agent_logging_level: - nullable: true - agent_logging_metrics_period: - nullable: true - agent_logging_to_files: - nullable: true - agent_monitoring_runtime_experimental: - nullable: true - agent_features: - items: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - name: - type: string - required: - - name - - enabled - maxItems: 100 - type: array - agentless: - additionalProperties: false - type: object - properties: - cloud_connectors: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - target_csp: - enum: - - aws - - azure - - gcp - type: string - required: - - enabled - cluster_id: - type: string - resources: - additionalProperties: false - type: object - properties: - requests: - additionalProperties: false - type: object - properties: - cpu: - type: string - memory: - type: string - agents: - type: number - agents_per_version: - items: - additionalProperties: false - type: object - properties: - count: - type: number - version: - type: string - required: - - version - - count - maxItems: 1000 - type: array - created_at: - type: string - data_output_id: - nullable: true - type: string - description: - type: string - download_source_id: - nullable: true - type: string - fips_agents: - type: number - fleet_server_host_id: - nullable: true - type: string - global_data_tags: - description: User defined 
data tags that are added to all of the inputs. The values can be strings or numbers. - items: - additionalProperties: false - type: object - properties: - name: - type: string - value: - anyOf: - - type: string - - type: number - required: - - name - - value - maxItems: 100 - type: array - has_agent_version_conditions: - type: boolean - has_fleet_server: - type: boolean - id: - type: string - inactivity_timeout: - default: 1209600 - minimum: 0 - type: number - is_default: - type: boolean - is_default_fleet_server: - type: boolean - is_managed: - type: boolean - is_preconfigured: - type: boolean - is_protected: - description: Indicates whether the agent policy has tamper protection enabled. Default false. - type: boolean - is_verifier: - type: boolean - keep_monitoring_alive: - default: false - description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled - nullable: true - type: boolean - min_agent_version: - nullable: true - type: string - monitoring_diagnostics: - additionalProperties: false - type: object - properties: - limit: - additionalProperties: false - type: object - properties: - burst: - type: number - interval: - type: string - uploader: - additionalProperties: false - type: object - properties: - init_dur: - type: string - max_dur: - type: string - max_retries: - type: number - monitoring_enabled: - items: - enum: - - logs - - metrics - - traces - type: string - maxItems: 3 - type: array - monitoring_http: - additionalProperties: false - type: object - properties: - buffer: - additionalProperties: false - type: object - properties: - enabled: - default: false - type: boolean - enabled: - type: boolean - host: - type: string - port: - maximum: 65353 - minimum: 0 - type: number - monitoring_output_id: - nullable: true - type: string - monitoring_pprof_enabled: - type: boolean - name: - minLength: 1 - type: string - namespace: - minLength: 1 - type: string - overrides: - additionalProperties: - nullable: true - 
description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure. - nullable: true - type: object - package_agent_version_conditions: - items: - additionalProperties: false - type: object - properties: - name: - type: string - title: - type: string - version_condition: - type: string - required: - - name - - title - - version_condition - maxItems: 1000 - nullable: true - type: array - package_policies: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - description: This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter - items: - additionalProperties: false - type: object - properties: - additional_datastreams_permissions: - description: Additional datastream permissions, that will be added to the agent policy. - items: - type: string - maxItems: 1000 - nullable: true - type: array - agents: - type: number - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. - nullable: true - type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. - maxLength: 255 - minLength: 1 - nullable: true - type: string - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this integration to its inputs.' 
- type: string - created_at: - type: string - created_by: - type: string - description: - description: Package policy description - type: string - elasticsearch: - additionalProperties: true - type: object - properties: - privileges: - additionalProperties: true - type: object - properties: - cluster: - items: - type: string - maxItems: 100 - type: array - enabled: - type: boolean - global_data_tags: - items: - additionalProperties: false - type: object - properties: - name: - description: The name of the custom field. Cannot contain spaces. - type: string - value: - anyOf: - - type: string - - type: number - description: The value of the custom field. - required: - - name - - value - maxItems: 100 - nullable: true - type: array - id: - description: Package policy unique identifier. - type: string - inputs: - anyOf: - - items: - additionalProperties: false - type: object - properties: - compiled_input: - nullable: true - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' - type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' 
- type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - enabled - - data_stream - - compiled_stream - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. 
- type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - type - - enabled - - streams - - compiled_input - maxItems: 100 - type: array - - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' - type: string - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that input. Defaults to `true` (enabled). - type: boolean - streams: - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' - type: string - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that stream. Defaults to `true` (enabled). - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. 
- type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Input streams. Refer to the integration documentation to know which streams are available. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Package policy inputs. Refer to the integration documentation to know which inputs are available. - type: object - x-oas-optional: true - description: Package policy inputs. - is_managed: - type: boolean - name: - description: Unique name for the package policy. - type: string - namespace: - description: The package policy namespace. Leave blank to inherit the agent policy's namespace. - type: string - output_id: - nullable: true - type: string - overrides: - additionalProperties: false - description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. 
- nullable: true - type: object - properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - - version - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. - nullable: true - type: string - policy_ids: - items: - description: IDs of the agent policies which that package policy will be added to. - type: string - maxItems: 1000 - type: array - revision: - description: Package policy revision. - type: number - secret_references: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 1000 - type: array - spaceIds: - items: - type: string - maxItems: 100 - type: array - supports_agentless: - default: false - description: Indicates whether the package policy belongs to an agentless agent policy. - nullable: true - type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. - nullable: true - type: boolean - updated_at: - type: string - updated_by: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. 
Maps var_group name to the selected option name within that group. - type: object - vars: - anyOf: - - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - x-oas-optional: true - description: Package level variable. - version: - description: Package policy ES version. - type: string - required: - - name - - enabled - - inputs - - id - - revision - - updated_at - - updated_by - - created_at - - created_by - maxItems: 10000 - type: array - required_versions: - items: - additionalProperties: false - type: object - properties: - percentage: - description: Target percentage of agents to auto upgrade - maximum: 100 - minimum: 0 - type: number - version: - description: Target version for automatic agent upgrade - type: string - required: - - version - - percentage - maxItems: 100 - nullable: true - type: array - revision: - type: number - schema_version: - type: string - space_ids: - items: - type: string - maxItems: 100 - type: array - status: - enum: - - active - - inactive - type: string - supports_agentless: - default: false - description: Indicates whether the agent policy supports agentless integrations. 
- nullable: true - type: boolean - unenroll_timeout: - minimum: 0 - type: number - unprivileged_agents: - type: number - updated_at: - type: string - updated_by: - type: string - version: - type: string - required: - - id - - name - - namespace - - is_protected - - status - - updated_at - - updated_by - - revision + $ref: '#/components/schemas/Kibana_HTTP_APIs_agent_policy_response' maxItems: 10000 type: array page: 
@@ -28957,273 +28107,224 @@ paths: name: My agent policy namespace: default schema: - additionalProperties: false - type: object - properties: - advanced_settings: - additionalProperties: false - type: object - properties: - agent_download_target_directory: - nullable: true - agent_download_timeout: - nullable: true - agent_features_disable_policy_change_acks_enabled: - nullable: true - agent_internal: - nullable: true - agent_limits_go_max_procs: - nullable: true - agent_logging_files_interval: - nullable: true - agent_logging_files_keepfiles: - nullable: true - agent_logging_files_rotateeverybytes: - nullable: true - agent_logging_level: - nullable: true - agent_logging_metrics_period: - nullable: true - agent_logging_to_files: - nullable: true - agent_monitoring_runtime_experimental: - nullable: true - agent_features: - items: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - name: - type: string - required: - - name - - enabled - maxItems: 100 - type: array - agentless: - additionalProperties: false - type: object - properties: - cloud_connectors: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - target_csp: - enum: - - aws - - azure - - gcp - type: string - required: - - enabled - cluster_id: - type: string - resources: - additionalProperties: false - type: object - properties: - requests: - additionalProperties: false - type: object - properties: - cpu: - type: string - memory: - type: string - data_output_id: - nullable: true - type: string - description: - type: string - download_source_id: - nullable: true - type: string - fleet_server_host_id: - nullable: true - type: string - force: - type: boolean - global_data_tags: - description: User defined data tags that are added to all of the inputs. The values can be strings or numbers. 
- items: - additionalProperties: false - type: object - properties: - name: - type: string - value: - anyOf: - - type: string - - type: number - required: - - name - - value - maxItems: 100 - type: array - has_agent_version_conditions: - type: boolean - has_fleet_server: - type: boolean - id: - type: string - inactivity_timeout: - default: 1209600 - minimum: 0 - type: number - is_default: - type: boolean - is_default_fleet_server: - type: boolean - is_managed: - type: boolean - is_protected: - type: boolean - is_verifier: - type: boolean - keep_monitoring_alive: - default: false - description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled - nullable: true - type: boolean - min_agent_version: - nullable: true - type: string - monitoring_diagnostics: - additionalProperties: false - type: object - properties: - limit: - additionalProperties: false - type: object - properties: - burst: - type: number - interval: - type: string - uploader: - additionalProperties: false - type: object - properties: - init_dur: - type: string - max_dur: - type: string - max_retries: - type: number - monitoring_enabled: - items: - enum: - - logs - - metrics - - traces + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_agent_policy' + responses: + '200': + content: + application/json: + examples: + postAgentPolicyExample: + description: The created agent policy + value: + item: + description: A sample agent policy + id: agent-policy-id-2 + is_managed: false + is_protected: false + name: My agent policy + namespace: default + revision: 1 + status: active + updated_at: '2024-01-15T10:00:00.000Z' + updated_by: user1 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_agent_policy_response' + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + 
statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: type: string - maxItems: 3 - type: array - monitoring_http: - additionalProperties: false - type: object - properties: - buffer: - additionalProperties: false - type: object - properties: - enabled: - default: false - type: boolean - enabled: - type: boolean - host: - type: string - port: - maximum: 65353 - minimum: 0 - type: number - monitoring_output_id: - nullable: true - type: string - monitoring_pprof_enabled: + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Create an agent policy + tags: + - Elastic Agent policies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agent_policies/_bulk_get: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agent_policies/_bulk_get
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get multiple agent policies by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-agents-read OR fleet-setup. + operationId: post-fleet-agent-policies-bulk-get + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: 'Format for the response: simplified or legacy' + in: query + name: format + required: false + schema: + enum: + - simplified + - legacy + type: string + requestBody: + content: + application/json: + examples: + postBulkGetAgentPoliciesRequestExample: + description: Retrieve multiple agent policies by ID + value: + ids: + - agent-policy-id-1 + - agent-policy-id-2 + schema: + additionalProperties: false + type: object + properties: + full: + description: get full policies with package policies populated type: boolean - name: - minLength: 1 - type: string - namespace: - minLength: 1 - type: string - overrides: - additionalProperties: - nullable: true - description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure. 
- nullable: true - type: object - package_agent_version_conditions: - items: - additionalProperties: false - type: object - properties: - name: - type: string - title: - type: string - version_condition: - type: string - required: - - name - - title - - version_condition - maxItems: 1000 - nullable: true - type: array - required_versions: - items: - additionalProperties: false - type: object - properties: - percentage: - description: Target percentage of agents to auto upgrade - maximum: 100 - minimum: 0 - type: number - version: - description: Target version for automatic agent upgrade - type: string - required: - - version - - percentage - maxItems: 100 - nullable: true - type: array - space_ids: + ids: + description: list of package policy ids items: type: string - maxItems: 100 + maxItems: 1000 type: array - supports_agentless: - default: false - deprecated: true - description: Indicates whether the agent policy supports agentless integrations. Deprecated in favor of the Fleet agentless policies API. 
- nullable: true + ignoreMissing: type: boolean - unenroll_timeout: - minimum: 0 - type: number required: - - name - - namespace + - ids responses: '200': content: application/json: examples: - postAgentPolicyExample: - description: The created agent policy + postBulkGetAgentPoliciesExample: + description: The requested agent policies + value: + items: + - id: agent-policy-id-1 + is_managed: false + is_protected: false + name: My agent policy + namespace: default + revision: 1 + status: active + updated_at: '2024-01-15T10:00:00.000Z' + updated_by: user1 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_get_agent_policies_response' + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: One or more agent policies were not found + value: + error: Not Found + message: An error message describing what went wrong + statusCode: 404 + description: Not Found + summary: Bulk get agent policies + tags: + - Elastic Agent policies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agent_policies/{agentPolicyId}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-agents-read OR fleet-setup. + operationId: get-fleet-agent-policies-agentpolicyid + parameters: + - description: The ID of the agent policy + in: path + name: agentPolicyId + required: true + schema: + type: string + - description: 'Format for the response: simplified or legacy' + in: query + name: format + required: false + schema: + enum: + - simplified + - legacy + type: string + responses: + '200': + content: + application/json: + examples: + getAgentPolicyExample: + description: An agent policy value: item: description: A sample agent policy - id: agent-policy-id-2 + id: agent-policy-id-1 is_managed: false is_protected: false name: My agent policy 
@@ -29232,878 +28333,22 @@ paths: status: active updated_at: '2024-01-15T10:00:00.000Z' updated_by: user1 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_agent_policy_response' + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - advanced_settings: - additionalProperties: false - type: object - properties: - agent_download_target_directory: - nullable: true - agent_download_timeout: - nullable: true - agent_features_disable_policy_change_acks_enabled: - nullable: true - agent_internal: - nullable: true - agent_limits_go_max_procs: - nullable: true - agent_logging_files_interval: - nullable: true - agent_logging_files_keepfiles: - nullable: true - agent_logging_files_rotateeverybytes: - nullable: true - agent_logging_level: - nullable: true - agent_logging_metrics_period: - nullable: true - agent_logging_to_files: - nullable: true - agent_monitoring_runtime_experimental: - nullable: true - agent_features: - items: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - name: - type: string - required: - - name - - enabled - maxItems: 100 - type: array - agentless: - additionalProperties: false - type: object - properties: - cloud_connectors: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - target_csp: - enum: - - aws - - azure - - gcp - type: string - required: - - enabled - cluster_id: - type: string - resources: - additionalProperties: false - type: object - properties: - requests: - additionalProperties: false - type: object - properties: - cpu: - type: string - memory: - type: string - agents: - type: number - agents_per_version: - 
items: - additionalProperties: false - type: object - properties: - count: - type: number - version: - type: string - required: - - version - - count - maxItems: 1000 - type: array - created_at: - type: string - data_output_id: - nullable: true - type: string - description: - type: string - download_source_id: - nullable: true - type: string - fips_agents: - type: number - fleet_server_host_id: - nullable: true - type: string - global_data_tags: - description: User defined data tags that are added to all of the inputs. The values can be strings or numbers. - items: - additionalProperties: false - type: object - properties: - name: - type: string - value: - anyOf: - - type: string - - type: number - required: - - name - - value - maxItems: 100 - type: array - has_agent_version_conditions: - type: boolean - has_fleet_server: - type: boolean - id: - type: string - inactivity_timeout: - default: 1209600 - minimum: 0 - type: number - is_default: - type: boolean - is_default_fleet_server: - type: boolean - is_managed: - type: boolean - is_preconfigured: - type: boolean - is_protected: - description: Indicates whether the agent policy has tamper protection enabled. Default false. 
- type: boolean - is_verifier: - type: boolean - keep_monitoring_alive: - default: false - description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled - nullable: true - type: boolean - min_agent_version: - nullable: true - type: string - monitoring_diagnostics: - additionalProperties: false - type: object - properties: - limit: - additionalProperties: false - type: object - properties: - burst: - type: number - interval: - type: string - uploader: - additionalProperties: false - type: object - properties: - init_dur: - type: string - max_dur: - type: string - max_retries: - type: number - monitoring_enabled: - items: - enum: - - logs - - metrics - - traces - type: string - maxItems: 3 - type: array - monitoring_http: - additionalProperties: false - type: object - properties: - buffer: - additionalProperties: false - type: object - properties: - enabled: - default: false - type: boolean - enabled: - type: boolean - host: - type: string - port: - maximum: 65353 - minimum: 0 - type: number - monitoring_output_id: - nullable: true - type: string - monitoring_pprof_enabled: - type: boolean - name: - minLength: 1 - type: string - namespace: - minLength: 1 - type: string - overrides: - additionalProperties: - nullable: true - description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure. 
- nullable: true - type: object - package_agent_version_conditions: - items: - additionalProperties: false - type: object - properties: - name: - type: string - title: - type: string - version_condition: - type: string - required: - - name - - title - - version_condition - maxItems: 1000 - nullable: true - type: array - package_policies: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - description: This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter - items: - additionalProperties: false - type: object - properties: - additional_datastreams_permissions: - description: Additional datastream permissions, that will be added to the agent policy. - items: - type: string - maxItems: 1000 - nullable: true - type: array - agents: - type: number - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. - nullable: true - type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. - maxLength: 255 - minLength: 1 - nullable: true - type: string - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this integration to its inputs.' - type: string - created_at: - type: string - created_by: - type: string - description: - description: Package policy description - type: string - elasticsearch: - additionalProperties: true - type: object - properties: - privileges: - additionalProperties: true - type: object - properties: - cluster: - items: - type: string - maxItems: 100 - type: array - enabled: - type: boolean - global_data_tags: - items: - additionalProperties: false - type: object - properties: - name: - description: The name of the custom field. Cannot contain spaces. - type: string - value: - anyOf: - - type: string - - type: number - description: The value of the custom field. 
- required: - - name - - value - maxItems: 100 - nullable: true - type: array - id: - description: Package policy unique identifier. - type: string - inputs: - anyOf: - - items: - additionalProperties: false - type: object - properties: - compiled_input: - nullable: true - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' - type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' 
- type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - enabled - - data_stream - - compiled_stream - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. 
- type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - type - - enabled - - streams - - compiled_input - maxItems: 100 - type: array - - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' - type: string - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that input. Defaults to `true` (enabled). - type: boolean - streams: - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' - type: string - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that stream. Defaults to `true` (enabled). - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. 
- type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Input streams. Refer to the integration documentation to know which streams are available. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Package policy inputs. Refer to the integration documentation to know which inputs are available. - type: object - x-oas-optional: true - description: Package policy inputs. - is_managed: - type: boolean - name: - description: Unique name for the package policy. - type: string - namespace: - description: The package policy namespace. Leave blank to inherit the agent policy's namespace. - type: string - output_id: - nullable: true - type: string - overrides: - additionalProperties: false - description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. 
- nullable: true - type: object - properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - - version - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. - nullable: true - type: string - policy_ids: - items: - description: IDs of the agent policies which that package policy will be added to. - type: string - maxItems: 1000 - type: array - revision: - description: Package policy revision. - type: number - secret_references: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 1000 - type: array - spaceIds: - items: - type: string - maxItems: 100 - type: array - supports_agentless: - default: false - description: Indicates whether the package policy belongs to an agentless agent policy. - nullable: true - type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. - nullable: true - type: boolean - updated_at: - type: string - updated_by: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. 
Maps var_group name to the selected option name within that group. - type: object - vars: - anyOf: - - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - x-oas-optional: true - description: Package level variable. - version: - description: Package policy ES version. - type: string - required: - - name - - enabled - - inputs - - id - - revision - - updated_at - - updated_by - - created_at - - created_by - maxItems: 10000 - type: array - required_versions: - items: - additionalProperties: false - type: object - properties: - percentage: - description: Target percentage of agents to auto upgrade - maximum: 100 - minimum: 0 - type: number - version: - description: Target version for automatic agent upgrade - type: string - required: - - version - - percentage - maxItems: 100 - nullable: true - type: array - revision: - type: number - schema_version: - type: string - space_ids: - items: - type: string - maxItems: 100 - type: array - status: - enum: - - active - - inactive - type: string - supports_agentless: - default: false - description: Indicates whether the agent policy supports agentless integrations. 
- nullable: true - type: boolean - unenroll_timeout: - minimum: 0 - type: number - unprivileged_agents: - type: number - updated_at: - type: string - updated_by: - type: string - version: - type: string - required: - - id - - name - - namespace - - is_protected - - status - - updated_at - - updated_by - - revision - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error + description: Generic Error type: object properties: attributes: @@ -30120,23 +28365,33 @@ paths: - message - attributes description: Bad Request - summary: Create an agent policy + '404': + content: + application/json: + examples: + notFoundExample: + description: No agent policy was found with the given ID + value: + error: Not Found + message: Agent policy not found + statusCode: 404 + description: Not Found + summary: Get an agent policy tags: - Elastic Agent policies x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/agent_policies/_bulk_get: - post: + put: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/agent_policies/_bulk_get
+
put /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Get multiple agent policies by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-agents-read OR fleet-setup. - operationId: post-fleet-agent-policies-bulk-get + Update an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all. + operationId: put-fleet-agent-policies-agentpolicyid parameters: - description: A required header to protect against CSRF attacks in: header @@ -30145,6 +28400,12 @@ paths: schema: example: 'true' type: string + - description: The ID of the agent policy + in: path + name: agentPolicyId + required: true + schema: + type: string - description: 'Format for the response: simplified or legacy' in: query name: format 
@@ -30158,908 +28419,149 @@ paths: content: application/json: examples: - postBulkGetAgentPoliciesRequestExample: - description: Retrieve multiple agent policies by ID + putAgentPolicyRequestExample: + description: Update an agent policy value: - ids: - - agent-policy-id-1 - - agent-policy-id-2 + description: An updated agent policy description + monitoring_enabled: + - logs + name: Updated agent policy + namespace: default schema: - additionalProperties: false - type: object - properties: - full: - description: get full policies with package policies populated - type: boolean - ids: - description: list of package policy ids - items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_agent_policy' + responses: + '200': + content: + application/json: + examples: + putAgentPolicyExample: + description: The updated agent policy + value: + item: + description: An updated agent policy description + id: agent-policy-id-1 + is_managed: false + is_protected: false + name: Updated agent policy + namespace: default + revision: 2 + status: active + updated_at: '2024-01-15T11:00:00.000Z' + updated_by: user1 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_agent_policy_response' + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: type: string - maxItems: 1000 - type: array - ignoreMissing: - type: boolean - required: - - ids + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Update an agent policy + tags: + - Elastic Agent policies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: 
product_name + /api/fleet/agent_policies/{agentPolicyId}/auto_upgrade_agents_status: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/auto_upgrade_agents_status
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the auto-upgrade status for agents assigned to an agent policy.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agent-policies-agentpolicyid-auto-upgrade-agents-status + parameters: + - description: The ID of the agent policy + in: path + name: agentPolicyId + required: true + schema: + type: string responses: '200': content: application/json: examples: - postBulkGetAgentPoliciesExample: - description: The requested agent policies + getAutoUpgradeAgentsStatusExample: + description: Auto-upgrade status for agents in the policy value: - items: - - id: agent-policy-id-1 - is_managed: false - is_protected: false - name: My agent policy - namespace: default - revision: 1 - status: active - updated_at: '2024-01-15T10:00:00.000Z' - updated_by: user1 + agentsCount: 5 + currentVersion: 8.16.0 + failedAgentsCount: 0 + upgradedAgentsCount: 3 + upgradingAgentsCount: 1 schema: additionalProperties: false type: object properties: - items: + currentVersions: items: additionalProperties: false type: object properties: - advanced_settings: - additionalProperties: false - type: object - properties: - agent_download_target_directory: - nullable: true - agent_download_timeout: - nullable: true - agent_features_disable_policy_change_acks_enabled: - nullable: true - agent_internal: - nullable: true - agent_limits_go_max_procs: - nullable: true - agent_logging_files_interval: - nullable: true - agent_logging_files_keepfiles: - nullable: true - agent_logging_files_rotateeverybytes: - nullable: true - agent_logging_level: - nullable: true - agent_logging_metrics_period: - nullable: true - agent_logging_to_files: - nullable: true - agent_monitoring_runtime_experimental: - nullable: true - agent_features: + agents: + description: Number of agents that upgraded to this version + type: number + failedUpgradeActionIds: + description: List of action IDs related to failed upgrades items: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - name: - type: string - required: - - 
name - - enabled - maxItems: 100 + type: string + maxItems: 1000 type: array - agentless: - additionalProperties: false - type: object - properties: - cloud_connectors: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - target_csp: - enum: - - aws - - azure - - gcp - type: string - required: - - enabled - cluster_id: - type: string - resources: - additionalProperties: false - type: object - properties: - requests: - additionalProperties: false - type: object - properties: - cpu: - type: string - memory: - type: string - agents: + failedUpgradeAgents: + description: Number of agents that failed to upgrade to this version type: number - agents_per_version: + inProgressUpgradeActionIds: + description: List of action IDs related to in-progress upgrades items: - additionalProperties: false - type: object - properties: - count: - type: number - version: - type: string - required: - - version - - count + type: string maxItems: 1000 type: array - created_at: - type: string - data_output_id: - nullable: true - type: string - description: - type: string - download_source_id: - nullable: true - type: string - fips_agents: + inProgressUpgradeAgents: + description: Number of agents that are upgrading to this version type: number - fleet_server_host_id: - nullable: true - type: string - global_data_tags: - description: User defined data tags that are added to all of the inputs. The values can be strings or numbers. 
- items: - additionalProperties: false - type: object - properties: - name: - type: string - value: - anyOf: - - type: string - - type: number - required: - - name - - value - maxItems: 100 - type: array - has_agent_version_conditions: - type: boolean - has_fleet_server: - type: boolean - id: - type: string - inactivity_timeout: - default: 1209600 - minimum: 0 - type: number - is_default: - type: boolean - is_default_fleet_server: - type: boolean - is_managed: - type: boolean - is_preconfigured: - type: boolean - is_protected: - description: Indicates whether the agent policy has tamper protection enabled. Default false. - type: boolean - is_verifier: - type: boolean - keep_monitoring_alive: - default: false - description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled - nullable: true - type: boolean - min_agent_version: - nullable: true - type: string - monitoring_diagnostics: - additionalProperties: false - type: object - properties: - limit: - additionalProperties: false - type: object - properties: - burst: - type: number - interval: - type: string - uploader: - additionalProperties: false - type: object - properties: - init_dur: - type: string - max_dur: - type: string - max_retries: - type: number - monitoring_enabled: - items: - enum: - - logs - - metrics - - traces - type: string - maxItems: 3 - type: array - monitoring_http: - additionalProperties: false - type: object - properties: - buffer: - additionalProperties: false - type: object - properties: - enabled: - default: false - type: boolean - enabled: - type: boolean - host: - type: string - port: - maximum: 65353 - minimum: 0 - type: number - monitoring_output_id: - nullable: true - type: string - monitoring_pprof_enabled: - type: boolean - name: - minLength: 1 - type: string - namespace: - minLength: 1 - type: string - overrides: - additionalProperties: - nullable: true - description: Override settings that are defined in the agent policy. 
Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure. - nullable: true - type: object - package_agent_version_conditions: - items: - additionalProperties: false - type: object - properties: - name: - type: string - title: - type: string - version_condition: - type: string - required: - - name - - title - - version_condition - maxItems: 1000 - nullable: true - type: array - package_policies: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - description: This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter - items: - additionalProperties: false - type: object - properties: - additional_datastreams_permissions: - description: Additional datastream permissions, that will be added to the agent policy. - items: - type: string - maxItems: 1000 - nullable: true - type: array - agents: - type: number - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. - nullable: true - type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. - maxLength: 255 - minLength: 1 - nullable: true - type: string - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this integration to its inputs.' - type: string - created_at: - type: string - created_by: - type: string - description: - description: Package policy description - type: string - elasticsearch: - additionalProperties: true - type: object - properties: - privileges: - additionalProperties: true - type: object - properties: - cluster: - items: - type: string - maxItems: 100 - type: array - enabled: - type: boolean - global_data_tags: - items: - additionalProperties: false - type: object - properties: - name: - description: The name of the custom field. Cannot contain spaces. 
- type: string - value: - anyOf: - - type: string - - type: number - description: The value of the custom field. - required: - - name - - value - maxItems: 100 - nullable: true - type: array - id: - description: Package policy unique identifier. - type: string - inputs: - anyOf: - - items: - additionalProperties: false - type: object - properties: - compiled_input: - nullable: true - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' - type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' 
- type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - enabled - - data_stream - - compiled_stream - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. 
- type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - type - - enabled - - streams - - compiled_input - maxItems: 100 - type: array - - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' - type: string - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that input. Defaults to `true` (enabled). - type: boolean - streams: - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' - type: string - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that stream. Defaults to `true` (enabled). - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. 
- type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Input streams. Refer to the integration documentation to know which streams are available. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Package policy inputs. Refer to the integration documentation to know which inputs are available. - type: object - x-oas-optional: true - description: Package policy inputs. - is_managed: - type: boolean - name: - description: Unique name for the package policy. - type: string - namespace: - description: The package policy namespace. Leave blank to inherit the agent policy's namespace. - type: string - output_id: - nullable: true - type: string - overrides: - additionalProperties: false - description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. 
- nullable: true - type: object - properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - - version - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. - nullable: true - type: string - policy_ids: - items: - description: IDs of the agent policies which that package policy will be added to. - type: string - maxItems: 1000 - type: array - revision: - description: Package policy revision. - type: number - secret_references: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 1000 - type: array - spaceIds: - items: - type: string - maxItems: 100 - type: array - supports_agentless: - default: false - description: Indicates whether the package policy belongs to an agentless agent policy. - nullable: true - type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. - nullable: true - type: boolean - updated_at: - type: string - updated_by: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. 
Maps var_group name to the selected option name within that group. - type: object - vars: - anyOf: - - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - x-oas-optional: true - description: Package level variable. - version: - description: Package policy ES version. - type: string - required: - - name - - enabled - - inputs - - id - - revision - - updated_at - - updated_by - - created_at - - created_by - maxItems: 10000 - type: array - required_versions: - items: - additionalProperties: false - type: object - properties: - percentage: - description: Target percentage of agents to auto upgrade - maximum: 100 - minimum: 0 - type: number - version: - description: Target version for automatic agent upgrade - type: string - required: - - version - - percentage - maxItems: 100 - nullable: true - type: array - revision: - type: number - schema_version: - type: string - space_ids: - items: - type: string - maxItems: 100 - type: array - status: - enum: - - active - - inactive - type: string - supports_agentless: - default: false - description: Indicates whether the agent policy supports agentless integrations. 
- nullable: true - type: boolean - unenroll_timeout: - minimum: 0 - type: number - unprivileged_agents: - type: number - updated_at: - type: string - updated_by: - type: string - version: + version: + description: Agent version type: string required: - - id - - name - - namespace - - is_protected - - status - - updated_at - - updated_by - - revision + - version + - agents + - failedUpgradeAgents + - inProgressUpgradeAgents maxItems: 10000 type: array + totalAgents: + type: number required: - - items + - currentVersions + - totalAgents description: Successful response '400': content: @@ -31090,35 +28592,31 @@ paths: - message - attributes description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: One or more agent policies were not found - value: - error: Not Found - message: An error message describing what went wrong - statusCode: 404 - description: Not Found - summary: Bulk get agent policies + summary: Get auto upgrade agent status tags: - Elastic Agent policies x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/agent_policies/{agentPolicyId}: - get: + /api/fleet/agent_policies/{agentPolicyId}/copy: + post: description: |- **Spaces method and path for this operation:** -
get /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}
+
post /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/copy
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Get an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-agents-read OR fleet-setup. - operationId: get-fleet-agent-policies-agentpolicyid + Copy an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all. + operationId: post-fleet-agent-policies-agentpolicyid-copy parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string - description: The ID of the agent policy in: path name: agentPolicyId 
@@ -31134,884 +28632,128 @@ paths: - simplified - legacy type: string + requestBody: + content: + application/json: + examples: + postCopyAgentPolicyRequestExample: + description: Copy an agent policy with a new name + value: + description: A copy of the original agent policy + name: Copy of my agent policy + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_copy_agent_policy_request' responses: '200': content: application/json: examples: - getAgentPolicyExample: - description: An agent policy + postCopyAgentPolicyExample: + description: The copied agent policy value: item: - description: A sample agent policy - id: agent-policy-id-1 + description: A copy of the original agent policy + id: agent-policy-id-copy-1 is_managed: false is_protected: false - name: My agent policy + name: Copy of my agent policy namespace: default revision: 1 status: active - updated_at: '2024-01-15T10:00:00.000Z' + updated_at: '2024-01-15T11:00:00.000Z' updated_by: user1 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_agent_policy_response' + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: additionalProperties: false + description: Generic Error type: object properties: - item: - additionalProperties: false - type: object - properties: - advanced_settings: - additionalProperties: false - type: object - properties: - agent_download_target_directory: - nullable: true - agent_download_timeout: - nullable: true - agent_features_disable_policy_change_acks_enabled: - nullable: true - agent_internal: - nullable: true - agent_limits_go_max_procs: - nullable: true - agent_logging_files_interval: - nullable: true - agent_logging_files_keepfiles: - nullable: true - agent_logging_files_rotateeverybytes: - nullable: true - agent_logging_level: - nullable: 
true - agent_logging_metrics_period: - nullable: true - agent_logging_to_files: - nullable: true - agent_monitoring_runtime_experimental: - nullable: true - agent_features: - items: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - name: - type: string - required: - - name - - enabled - maxItems: 100 - type: array - agentless: - additionalProperties: false - type: object - properties: - cloud_connectors: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - target_csp: - enum: - - aws - - azure - - gcp - type: string - required: - - enabled - cluster_id: - type: string - resources: - additionalProperties: false - type: object - properties: - requests: - additionalProperties: false - type: object - properties: - cpu: - type: string - memory: - type: string - agents: - type: number - agents_per_version: - items: - additionalProperties: false - type: object - properties: - count: - type: number - version: - type: string - required: - - version - - count - maxItems: 1000 - type: array - created_at: - type: string - data_output_id: - nullable: true - type: string - description: - type: string - download_source_id: - nullable: true - type: string - fips_agents: - type: number - fleet_server_host_id: - nullable: true - type: string - global_data_tags: - description: User defined data tags that are added to all of the inputs. The values can be strings or numbers. 
- items: - additionalProperties: false - type: object - properties: - name: - type: string - value: - anyOf: - - type: string - - type: number - required: - - name - - value - maxItems: 100 - type: array - has_agent_version_conditions: - type: boolean - has_fleet_server: - type: boolean - id: - type: string - inactivity_timeout: - default: 1209600 - minimum: 0 - type: number - is_default: - type: boolean - is_default_fleet_server: - type: boolean - is_managed: - type: boolean - is_preconfigured: - type: boolean - is_protected: - description: Indicates whether the agent policy has tamper protection enabled. Default false. - type: boolean - is_verifier: - type: boolean - keep_monitoring_alive: - default: false - description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled - nullable: true - type: boolean - min_agent_version: - nullable: true - type: string - monitoring_diagnostics: - additionalProperties: false - type: object - properties: - limit: - additionalProperties: false - type: object - properties: - burst: - type: number - interval: - type: string - uploader: - additionalProperties: false - type: object - properties: - init_dur: - type: string - max_dur: - type: string - max_retries: - type: number - monitoring_enabled: - items: - enum: - - logs - - metrics - - traces - type: string - maxItems: 3 - type: array - monitoring_http: - additionalProperties: false - type: object - properties: - buffer: - additionalProperties: false - type: object - properties: - enabled: - default: false - type: boolean - enabled: - type: boolean - host: - type: string - port: - maximum: 65353 - minimum: 0 - type: number - monitoring_output_id: - nullable: true - type: string - monitoring_pprof_enabled: - type: boolean - name: - minLength: 1 - type: string - namespace: - minLength: 1 - type: string - overrides: - additionalProperties: - nullable: true - description: Override settings that are defined in the agent policy. 
Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure. - nullable: true - type: object - package_agent_version_conditions: - items: - additionalProperties: false - type: object - properties: - name: - type: string - title: - type: string - version_condition: - type: string - required: - - name - - title - - version_condition - maxItems: 1000 - nullable: true - type: array - package_policies: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - description: This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter - items: - additionalProperties: false - type: object - properties: - additional_datastreams_permissions: - description: Additional datastream permissions, that will be added to the agent policy. - items: - type: string - maxItems: 1000 - nullable: true - type: array - agents: - type: number - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. - nullable: true - type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. - maxLength: 255 - minLength: 1 - nullable: true - type: string - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this integration to its inputs.' - type: string - created_at: - type: string - created_by: - type: string - description: - description: Package policy description - type: string - elasticsearch: - additionalProperties: true - type: object - properties: - privileges: - additionalProperties: true - type: object - properties: - cluster: - items: - type: string - maxItems: 100 - type: array - enabled: - type: boolean - global_data_tags: - items: - additionalProperties: false - type: object - properties: - name: - description: The name of the custom field. Cannot contain spaces. 
- type: string - value: - anyOf: - - type: string - - type: number - description: The value of the custom field. - required: - - name - - value - maxItems: 100 - nullable: true - type: array - id: - description: Package policy unique identifier. - type: string - inputs: - anyOf: - - items: - additionalProperties: false - type: object - properties: - compiled_input: - nullable: true - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' - type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' 
- type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - enabled - - data_stream - - compiled_stream - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. 
- type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - type - - enabled - - streams - - compiled_input - maxItems: 100 - type: array - - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' - type: string - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that input. Defaults to `true` (enabled). - type: boolean - streams: - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' - type: string - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that stream. Defaults to `true` (enabled). - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. 
- type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Input streams. Refer to the integration documentation to know which streams are available. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Package policy inputs. Refer to the integration documentation to know which inputs are available. - type: object - x-oas-optional: true - description: Package policy inputs. - is_managed: - type: boolean - name: - description: Unique name for the package policy. - type: string - namespace: - description: The package policy namespace. Leave blank to inherit the agent policy's namespace. - type: string - output_id: - nullable: true - type: string - overrides: - additionalProperties: false - description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. 
- nullable: true - type: object - properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - - version - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. - nullable: true - type: string - policy_ids: - items: - description: IDs of the agent policies which that package policy will be added to. - type: string - maxItems: 1000 - type: array - revision: - description: Package policy revision. - type: number - secret_references: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 1000 - type: array - spaceIds: - items: - type: string - maxItems: 100 - type: array - supports_agentless: - default: false - description: Indicates whether the package policy belongs to an agentless agent policy. - nullable: true - type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. - nullable: true - type: boolean - updated_at: - type: string - updated_by: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. 
Maps var_group name to the selected option name within that group. - type: object - vars: - anyOf: - - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - x-oas-optional: true - description: Package level variable. - version: - description: Package policy ES version. - type: string - required: - - name - - enabled - - inputs - - id - - revision - - updated_at - - updated_by - - created_at - - created_by - maxItems: 10000 - type: array - required_versions: - items: - additionalProperties: false - type: object - properties: - percentage: - description: Target percentage of agents to auto upgrade - maximum: 100 - minimum: 0 - type: number - version: - description: Target version for automatic agent upgrade - type: string - required: - - version - - percentage - maxItems: 100 - nullable: true - type: array - revision: - type: number - schema_version: - type: string - space_ids: - items: - type: string - maxItems: 100 - type: array - status: - enum: - - active - - inactive - type: string - supports_agentless: - default: false - description: Indicates whether the agent policy supports agentless integrations. 
- nullable: true - type: boolean - unenroll_timeout: - minimum: 0 - type: number - unprivileged_agents: - type: number - updated_at: - type: string - updated_by: - type: string - version: - type: string - required: - - id - - name - - namespace - - is_protected - - status - - updated_at - - updated_by - - revision + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number required: - - item - description: Successful response + - message + - attributes + description: Bad Request + summary: Copy an agent policy + tags: + - Elastic Agent policies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agent_policies/{agentPolicyId}/download: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/download
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Download an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-setup. + operationId: get-fleet-agent-policies-agentpolicyid-download + parameters: + - description: The ID of the agent policy + in: path + name: agentPolicyId + required: true + schema: + type: string + - description: If true, returns the policy as a downloadable file + in: query + name: download + required: false + schema: + type: boolean + - description: If true, returns the policy formatted for standalone agents + in: query + name: standalone + required: false + schema: + type: boolean + - description: If true, returns the policy formatted for Kubernetes deployment + in: query + name: kubernetes + required: false + schema: + type: boolean + - description: If provided, returns the policy at the specified revision. Cannot be used with standalone or kubernetes flags. + in: query + name: revision + required: false + schema: + type: number + responses: + '200': + content: + application/json: + examples: + getDownloadAgentPolicyExample: + description: The agent policy download response + value: + item: 'id: agent-policy-id-1\nrevision: 1\noutputs:\n default:\n type: elasticsearch\n hosts:\n - https://elasticsearch.example.com:9200\n' + schema: + type: string + description: Successful response — returns the agent policy as a YAML file download '400': content: application/json: 
@@ -32051,1194 +28793,268 @@ paths: error: Not Found message: Agent policy not found statusCode: 404 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes description: Not Found - summary: Get an agent policy + summary: Download an agent policy tags: - Elastic Agent policies x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - put: + /api/fleet/agent_policies/{agentPolicyId}/full: + get: description: |- **Spaces method and path for this operation:** -
put /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}
+
get /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/full
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Update an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all. - operationId: put-fleet-agent-policies-agentpolicyid + Get a full agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read. + operationId: get-fleet-agent-policies-agentpolicyid-full parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - description: The ID of the agent policy in: path name: agentPolicyId required: true schema: type: string - - description: 'Format for the response: simplified or legacy' + - description: If true, returns the policy as a downloadable file in: query - name: format + name: download required: false schema: - enum: - - simplified - - legacy - type: string - requestBody: - content: - application/json: - examples: - putAgentPolicyRequestExample: - description: Update an agent policy - value: - description: An updated agent policy description - monitoring_enabled: - - logs - name: Updated agent policy - namespace: default - schema: - additionalProperties: false - type: object - properties: - advanced_settings: - additionalProperties: false - type: object - properties: - agent_download_target_directory: - nullable: true - agent_download_timeout: - nullable: true - agent_features_disable_policy_change_acks_enabled: - nullable: true - agent_internal: - nullable: true - agent_limits_go_max_procs: - nullable: true - agent_logging_files_interval: - nullable: true - agent_logging_files_keepfiles: - nullable: true - agent_logging_files_rotateeverybytes: - nullable: true - agent_logging_level: - nullable: true - agent_logging_metrics_period: - nullable: true - agent_logging_to_files: - nullable: true - agent_monitoring_runtime_experimental: - nullable: true - agent_features: - items: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - name: - type: string - required: - - name - - enabled - maxItems: 100 - type: array - agentless: - additionalProperties: false - type: object - properties: - cloud_connectors: - additionalProperties: false - 
type: object - properties: - enabled: - type: boolean - target_csp: - enum: - - aws - - azure - - gcp - type: string - required: - - enabled - cluster_id: - type: string - resources: - additionalProperties: false - type: object - properties: - requests: - additionalProperties: false - type: object - properties: - cpu: - type: string - memory: - type: string - bumpRevision: - type: boolean - data_output_id: - nullable: true - type: string - description: - type: string - download_source_id: - nullable: true - type: string - fleet_server_host_id: - nullable: true - type: string - force: - type: boolean - global_data_tags: - description: User defined data tags that are added to all of the inputs. The values can be strings or numbers. - items: - additionalProperties: false - type: object - properties: - name: - type: string - value: - anyOf: - - type: string - - type: number - required: - - name - - value - maxItems: 100 - type: array - has_agent_version_conditions: - type: boolean - has_fleet_server: - type: boolean - id: - type: string - inactivity_timeout: - default: 1209600 - minimum: 0 - type: number - is_default: - type: boolean - is_default_fleet_server: - type: boolean - is_managed: - type: boolean - is_protected: - type: boolean - is_verifier: - type: boolean - keep_monitoring_alive: - default: false - description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled - nullable: true - type: boolean - min_agent_version: - nullable: true - type: string - monitoring_diagnostics: - additionalProperties: false - type: object - properties: - limit: - additionalProperties: false - type: object - properties: - burst: - type: number - interval: - type: string - uploader: - additionalProperties: false - type: object - properties: - init_dur: - type: string - max_dur: - type: string - max_retries: - type: number - monitoring_enabled: - items: - enum: - - logs - - metrics - - traces - type: string - maxItems: 3 - type: array - 
monitoring_http: - additionalProperties: false - type: object - properties: - buffer: - additionalProperties: false - type: object - properties: - enabled: - default: false - type: boolean - enabled: - type: boolean - host: - type: string - port: - maximum: 65353 - minimum: 0 - type: number - monitoring_output_id: - nullable: true - type: string - monitoring_pprof_enabled: - type: boolean - name: - minLength: 1 - type: string - namespace: - minLength: 1 - type: string - overrides: - additionalProperties: + type: boolean + - description: If true, returns the policy formatted for standalone agents + in: query + name: standalone + required: false + schema: + type: boolean + - description: If true, returns the policy formatted for Kubernetes deployment + in: query + name: kubernetes + required: false + schema: + type: boolean + - description: If provided, returns the policy at the specified revision. Cannot be used with standalone or kubernetes flags. + in: query + name: revision + required: false + schema: + type: number + responses: + '200': + content: + application/json: + examples: + getFullAgentPolicyExample: + description: The full agent policy configuration + value: + item: + agent: + monitoring: + logs: true + metrics: true + id: agent-policy-id-1 + inputs: [] + outputs: + default: + hosts: + - https://elasticsearch.example.com:9200 + type: elasticsearch + revision: 1 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_full_agent_policy_response' + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: nullable: true - description: Override settings that are defined in the agent policy. Input settings cannot be overridden. 
The override option should be used only in unusual circumstances and not as a routine procedure. - nullable: true - type: object - package_agent_version_conditions: - items: - additionalProperties: false - type: object - properties: - name: - type: string - title: - type: string - version_condition: - type: string - required: - - name - - title - - version_condition - maxItems: 1000 - nullable: true - type: array - required_versions: - items: - additionalProperties: false - type: object - properties: - percentage: - description: Target percentage of agents to auto upgrade - maximum: 100 - minimum: 0 - type: number - version: - description: Target version for automatic agent upgrade - type: string - required: - - version - - percentage - maxItems: 100 - nullable: true - type: array - space_ids: - items: + error: type: string - maxItems: 100 - type: array - supports_agentless: - default: false - deprecated: true - description: Indicates whether the agent policy supports agentless integrations. Deprecated in favor of the Fleet agentless policies API. - nullable: true - type: boolean - unenroll_timeout: - minimum: 0 - type: number - required: - - name - - namespace + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No agent policy was found with the given ID + value: + error: Not Found + message: Agent policy not found + statusCode: 404 + description: Not Found + summary: Get a full agent policy + tags: + - Elastic Agent policies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agent_policies/{agentPolicyId}/outputs: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/outputs
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of outputs associated with agent policy by policy id.

[Required authorization] Route required privileges: fleet-agent-policies-read AND fleet-settings-read. + operationId: get-fleet-agent-policies-agentpolicyid-outputs + parameters: + - description: The ID of the agent policy + in: path + name: agentPolicyId + required: true + schema: + type: string responses: '200': content: application/json: examples: - putAgentPolicyExample: - description: The updated agent policy + getAgentPolicyOutputsExample: + description: Outputs associated with the agent policy value: item: - description: An updated agent policy description - id: agent-policy-id-1 - is_managed: false - is_protected: false - name: Updated agent policy - namespace: default - revision: 2 - status: active - updated_at: '2024-01-15T11:00:00.000Z' - updated_by: user1 + data_output: + id: output-id-1 + name: Default output + type: elasticsearch + monitoring_output: + id: output-id-1 + name: Default output + type: elasticsearch + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_agent_policy_outputs_response' + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: additionalProperties: false + description: Generic Error type: object properties: - item: - additionalProperties: false - type: object - properties: - advanced_settings: - additionalProperties: false - type: object - properties: - agent_download_target_directory: - nullable: true - agent_download_timeout: - nullable: true - agent_features_disable_policy_change_acks_enabled: - nullable: true - agent_internal: - nullable: true - agent_limits_go_max_procs: - nullable: true - agent_logging_files_interval: - nullable: true - agent_logging_files_keepfiles: - nullable: true - agent_logging_files_rotateeverybytes: - nullable: true - agent_logging_level: - nullable: true - 
agent_logging_metrics_period: - nullable: true - agent_logging_to_files: - nullable: true - agent_monitoring_runtime_experimental: - nullable: true - agent_features: - items: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - name: - type: string - required: - - name - - enabled - maxItems: 100 - type: array - agentless: - additionalProperties: false - type: object - properties: - cloud_connectors: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - target_csp: - enum: - - aws - - azure - - gcp - type: string - required: - - enabled - cluster_id: - type: string - resources: - additionalProperties: false - type: object - properties: - requests: - additionalProperties: false - type: object - properties: - cpu: - type: string - memory: - type: string - agents: - type: number - agents_per_version: - items: - additionalProperties: false - type: object - properties: - count: - type: number - version: - type: string - required: - - version - - count - maxItems: 1000 - type: array - created_at: - type: string - data_output_id: - nullable: true - type: string - description: - type: string - download_source_id: - nullable: true - type: string - fips_agents: - type: number - fleet_server_host_id: - nullable: true - type: string - global_data_tags: - description: User defined data tags that are added to all of the inputs. The values can be strings or numbers. 
- items: - additionalProperties: false - type: object - properties: - name: - type: string - value: - anyOf: - - type: string - - type: number - required: - - name - - value - maxItems: 100 - type: array - has_agent_version_conditions: - type: boolean - has_fleet_server: - type: boolean - id: - type: string - inactivity_timeout: - default: 1209600 - minimum: 0 - type: number - is_default: - type: boolean - is_default_fleet_server: - type: boolean - is_managed: - type: boolean - is_preconfigured: - type: boolean - is_protected: - description: Indicates whether the agent policy has tamper protection enabled. Default false. - type: boolean - is_verifier: - type: boolean - keep_monitoring_alive: - default: false - description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled - nullable: true - type: boolean - min_agent_version: - nullable: true - type: string - monitoring_diagnostics: - additionalProperties: false - type: object - properties: - limit: - additionalProperties: false - type: object - properties: - burst: - type: number - interval: - type: string - uploader: - additionalProperties: false - type: object - properties: - init_dur: - type: string - max_dur: - type: string - max_retries: - type: number - monitoring_enabled: - items: - enum: - - logs - - metrics - - traces - type: string - maxItems: 3 - type: array - monitoring_http: - additionalProperties: false - type: object - properties: - buffer: - additionalProperties: false - type: object - properties: - enabled: - default: false - type: boolean - enabled: - type: boolean - host: - type: string - port: - maximum: 65353 - minimum: 0 - type: number - monitoring_output_id: - nullable: true - type: string - monitoring_pprof_enabled: - type: boolean - name: - minLength: 1 - type: string - namespace: - minLength: 1 - type: string - overrides: - additionalProperties: - nullable: true - description: Override settings that are defined in the agent policy. 
Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure. - nullable: true - type: object - package_agent_version_conditions: - items: - additionalProperties: false - type: object - properties: - name: - type: string - title: - type: string - version_condition: - type: string - required: - - name - - title - - version_condition - maxItems: 1000 - nullable: true - type: array - package_policies: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - description: This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter - items: - additionalProperties: false - type: object - properties: - additional_datastreams_permissions: - description: Additional datastream permissions, that will be added to the agent policy. - items: - type: string - maxItems: 1000 - nullable: true - type: array - agents: - type: number - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. - nullable: true - type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. - maxLength: 255 - minLength: 1 - nullable: true - type: string - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this integration to its inputs.' - type: string - created_at: - type: string - created_by: - type: string - description: - description: Package policy description - type: string - elasticsearch: - additionalProperties: true - type: object - properties: - privileges: - additionalProperties: true - type: object - properties: - cluster: - items: - type: string - maxItems: 100 - type: array - enabled: - type: boolean - global_data_tags: - items: - additionalProperties: false - type: object - properties: - name: - description: The name of the custom field. Cannot contain spaces. 
- type: string - value: - anyOf: - - type: string - - type: number - description: The value of the custom field. - required: - - name - - value - maxItems: 100 - nullable: true - type: array - id: - description: Package policy unique identifier. - type: string - inputs: - anyOf: - - items: - additionalProperties: false - type: object - properties: - compiled_input: - nullable: true - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' - type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' 
- type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - enabled - - data_stream - - compiled_stream - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. 
- type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - type - - enabled - - streams - - compiled_input - maxItems: 100 - type: array - - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' - type: string - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that input. Defaults to `true` (enabled). - type: boolean - streams: - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' - type: string - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that stream. Defaults to `true` (enabled). - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. 
- type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Input streams. Refer to the integration documentation to know which streams are available. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Package policy inputs. Refer to the integration documentation to know which inputs are available. - type: object - x-oas-optional: true - description: Package policy inputs. - is_managed: - type: boolean - name: - description: Unique name for the package policy. - type: string - namespace: - description: The package policy namespace. Leave blank to inherit the agent policy's namespace. - type: string - output_id: - nullable: true - type: string - overrides: - additionalProperties: false - description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. 
- nullable: true - type: object - properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - - version - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. - nullable: true - type: string - policy_ids: - items: - description: IDs of the agent policies which that package policy will be added to. - type: string - maxItems: 1000 - type: array - revision: - description: Package policy revision. - type: number - secret_references: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 1000 - type: array - spaceIds: - items: - type: string - maxItems: 100 - type: array - supports_agentless: - default: false - description: Indicates whether the package policy belongs to an agentless agent policy. - nullable: true - type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. - nullable: true - type: boolean - updated_at: - type: string - updated_by: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. 
Maps var_group name to the selected option name within that group. - type: object - vars: - anyOf: - - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - x-oas-optional: true - description: Package level variable. - version: - description: Package policy ES version. - type: string - required: - - name - - enabled - - inputs - - id - - revision - - updated_at - - updated_by - - created_at - - created_by - maxItems: 10000 - type: array - required_versions: - items: - additionalProperties: false - type: object - properties: - percentage: - description: Target percentage of agents to auto upgrade - maximum: 100 - minimum: 0 - type: number - version: - description: Target version for automatic agent upgrade - type: string - required: - - version - - percentage - maxItems: 100 - nullable: true - type: array - revision: - type: number - schema_version: - type: string - space_ids: - items: - type: string - maxItems: 100 - type: array - status: - enum: - - active - - inactive - type: string - supports_agentless: - default: false - description: Indicates whether the agent policy supports agentless integrations. 
- nullable: true - type: boolean - unenroll_timeout: - minimum: 0 - type: number - unprivileged_agents: - type: number - updated_at: - type: string - updated_by: - type: string - version: - type: string - required: - - id - - name - - namespace - - is_protected - - status - - updated_at - - updated_by - - revision + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number required: - - item + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No agent policy was found with the given ID + value: + error: Not Found + message: Agent policy not found + statusCode: 404 + description: Not Found + summary: Get outputs for an agent policy + tags: + - Elastic Agent policies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agent_policies/delete: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agent_policies/delete
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all. + operationId: post-fleet-agent-policies-delete + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + postDeleteAgentPolicyRequestExample: + description: Delete an agent policy by ID + value: + agentPolicyId: agent-policy-id-1 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_delete_agent_policy_request' + responses: + '200': + content: + application/json: + examples: + postDeleteAgentPolicyExample: + description: The agent policy was successfully deleted + value: + id: agent-policy-id-1 + name: My agent policy + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_delete_agent_policy_response' description: Successful response '400': content: @@ -33269,88 +29085,63 @@ paths: - message - attributes description: Bad Request - summary: Update an agent policy + summary: Delete an agent policy tags: - Elastic Agent policies x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/agent_policies/{agentPolicyId}/auto_upgrade_agents_status: - get: + /api/fleet/agent_policies/outputs: + post: description: |- **Spaces method and path for this operation:** -
get /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/auto_upgrade_agents_status
+
post /s/{space_id}/api/fleet/agent_policies/outputs
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Get the auto-upgrade status for agents assigned to an agent policy.

[Required authorization] Route required privileges: fleet-agents-read. - operationId: get-fleet-agent-policies-agentpolicyid-auto-upgrade-agents-status + Get a list of outputs associated with agent policies.

[Required authorization] Route required privileges: fleet-agent-policies-read AND fleet-settings-read. + operationId: post-fleet-agent-policies-outputs parameters: - - description: The ID of the agent policy - in: path - name: agentPolicyId + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: + example: 'true' type: string + requestBody: + content: + application/json: + examples: + postListAgentPolicyOutputsRequestExample: + description: Get outputs for multiple agent policies + value: + ids: + - agent-policy-id-1 + - agent-policy-id-2 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_list_agent_policy_outputs_request' responses: '200': content: application/json: examples: - getAutoUpgradeAgentsStatusExample: - description: Auto-upgrade status for agents in the policy + postListAgentPolicyOutputsExample: + description: Outputs associated with the requested agent policies value: - agentsCount: 5 - currentVersion: 8.16.0 - failedAgentsCount: 0 - upgradedAgentsCount: 3 - upgradingAgentsCount: 1 - schema: - additionalProperties: false - type: object - properties: - currentVersions: items: - additionalProperties: false - type: object - properties: - agents: - description: Number of agents that upgraded to this version - type: number - failedUpgradeActionIds: - description: List of action IDs related to failed upgrades - items: - type: string - maxItems: 1000 - type: array - failedUpgradeAgents: - description: Number of agents that failed to upgrade to this version - type: number - inProgressUpgradeActionIds: - description: List of action IDs related to in-progress upgrades - items: - type: string - maxItems: 1000 - type: array - inProgressUpgradeAgents: - description: Number of agents that are upgrading to this version - type: number - version: - description: Agent version - type: string - required: - - version - - agents - - failedUpgradeAgents - - inProgressUpgradeAgents - maxItems: 10000 - 
type: array - totalAgents: - type: number - required: - - currentVersions - - totalAgents + - agent_policy_id: agent-policy-id-1 + data_output: + id: output-id-1 + name: Default output + type: elasticsearch + monitoring_output: + id: output-id-1 + name: Default output + type: elasticsearch + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_list_agent_policy_outputs_response' description: Successful response '400': content: @@ -33381,943 +29172,105 @@ paths: - message - attributes description: Bad Request - summary: Get auto upgrade agent status + summary: Get outputs for agent policies tags: - Elastic Agent policies x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/agent_policies/{agentPolicyId}/copy: - post: + /api/fleet/agent_status: + get: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/copy
+
get /s/{space_id}/api/fleet/agent_status
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Copy an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all. - operationId: post-fleet-agent-policies-agentpolicyid-copy + Get a summary of agent statuses for a given agent policy. + operationId: get-fleet-agent-status parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true + - description: Filter by agent policy ID + in: query + name: policyId + required: false schema: - example: 'true' type: string - - description: The ID of the agent policy - in: path - name: agentPolicyId - required: true + - description: Filter by one or more agent policy IDs + in: query + name: policyIds + required: false schema: - type: string - - description: 'Format for the response: simplified or legacy' + items: + type: string + maxItems: 1000 + type: array + - description: A KQL query string to filter results in: query - name: format + name: kuery required: false schema: - enum: - - simplified - - legacy type: string - requestBody: - content: - application/json: - examples: - postCopyAgentPolicyRequestExample: - description: Copy an agent policy with a new name - value: - description: A copy of the original agent policy - name: Copy of my agent policy - schema: - additionalProperties: false - type: object - properties: - description: - type: string - name: - minLength: 1 - type: string - required: - - name responses: '200': content: application/json: examples: - postCopyAgentPolicyExample: - description: The copied agent policy + getAgentStatusExample: + description: Agent status summary for an agent policy value: - item: - description: A copy of the original agent policy - id: agent-policy-id-copy-1 - is_managed: false - is_protected: false - name: Copy of my agent policy - namespace: default - revision: 1 - status: active - updated_at: '2024-01-15T11:00:00.000Z' - updated_by: user1 + results: + error: 1 + offline: 2 + online: 5 + other: 0 + updating: 0 + totalInactive: 0 schema: 
additionalProperties: false type: object properties: - item: + results: additionalProperties: false type: object properties: - advanced_settings: - additionalProperties: false - type: object - properties: - agent_download_target_directory: - nullable: true - agent_download_timeout: - nullable: true - agent_features_disable_policy_change_acks_enabled: - nullable: true - agent_internal: - nullable: true - agent_limits_go_max_procs: - nullable: true - agent_logging_files_interval: - nullable: true - agent_logging_files_keepfiles: - nullable: true - agent_logging_files_rotateeverybytes: - nullable: true - agent_logging_level: - nullable: true - agent_logging_metrics_period: - nullable: true - agent_logging_to_files: - nullable: true - agent_monitoring_runtime_experimental: - nullable: true - agent_features: - items: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - name: - type: string - required: - - name - - enabled - maxItems: 100 - type: array - agentless: - additionalProperties: false - type: object - properties: - cloud_connectors: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - target_csp: - enum: - - aws - - azure - - gcp - type: string - required: - - enabled - cluster_id: - type: string - resources: - additionalProperties: false - type: object - properties: - requests: - additionalProperties: false - type: object - properties: - cpu: - type: string - memory: - type: string - agents: + active: type: number - agents_per_version: - items: - additionalProperties: false - type: object - properties: - count: - type: number - version: - type: string - required: - - version - - count - maxItems: 1000 - type: array - created_at: - type: string - data_output_id: - nullable: true - type: string - description: - type: string - download_source_id: - nullable: true - type: string - fips_agents: + all: type: number - fleet_server_host_id: - nullable: true - type: string - global_data_tags: - 
description: User defined data tags that are added to all of the inputs. The values can be strings or numbers. - items: - additionalProperties: false - type: object - properties: - name: - type: string - value: - anyOf: - - type: string - - type: number - required: - - name - - value - maxItems: 100 - type: array - has_agent_version_conditions: - type: boolean - has_fleet_server: - type: boolean - id: - type: string - inactivity_timeout: - default: 1209600 - minimum: 0 + error: type: number - is_default: - type: boolean - is_default_fleet_server: - type: boolean - is_managed: - type: boolean - is_preconfigured: - type: boolean - is_protected: - description: Indicates whether the agent policy has tamper protection enabled. Default false. - type: boolean - is_verifier: - type: boolean - keep_monitoring_alive: - default: false - description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled - nullable: true - type: boolean - min_agent_version: - nullable: true - type: string - monitoring_diagnostics: - additionalProperties: false - type: object - properties: - limit: - additionalProperties: false - type: object - properties: - burst: - type: number - interval: - type: string - uploader: - additionalProperties: false - type: object - properties: - init_dur: - type: string - max_dur: - type: string - max_retries: - type: number - monitoring_enabled: - items: - enum: - - logs - - metrics - - traces - type: string - maxItems: 3 - type: array - monitoring_http: - additionalProperties: false - type: object - properties: - buffer: - additionalProperties: false - type: object - properties: - enabled: - default: false - type: boolean - enabled: - type: boolean - host: - type: string - port: - maximum: 65353 - minimum: 0 - type: number - monitoring_output_id: - nullable: true - type: string - monitoring_pprof_enabled: - type: boolean - name: - minLength: 1 - type: string - namespace: - minLength: 1 - type: string - overrides: - 
additionalProperties: - nullable: true - description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure. - nullable: true - type: object - package_agent_version_conditions: - items: - additionalProperties: false - type: object - properties: - name: - type: string - title: - type: string - version_condition: - type: string - required: - - name - - title - - version_condition - maxItems: 1000 - nullable: true - type: array - package_policies: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - description: This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter - items: - additionalProperties: false - type: object - properties: - additional_datastreams_permissions: - description: Additional datastream permissions, that will be added to the agent policy. - items: - type: string - maxItems: 1000 - nullable: true - type: array - agents: - type: number - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. - nullable: true - type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. - maxLength: 255 - minLength: 1 - nullable: true - type: string - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this integration to its inputs.' 
- type: string - created_at: - type: string - created_by: - type: string - description: - description: Package policy description - type: string - elasticsearch: - additionalProperties: true - type: object - properties: - privileges: - additionalProperties: true - type: object - properties: - cluster: - items: - type: string - maxItems: 100 - type: array - enabled: - type: boolean - global_data_tags: - items: - additionalProperties: false - type: object - properties: - name: - description: The name of the custom field. Cannot contain spaces. - type: string - value: - anyOf: - - type: string - - type: number - description: The value of the custom field. - required: - - name - - value - maxItems: 100 - nullable: true - type: array - id: - description: Package policy unique identifier. - type: string - inputs: - anyOf: - - items: - additionalProperties: false - type: object - properties: - compiled_input: - nullable: true - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' - type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' 
- type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - enabled - - data_stream - - compiled_stream - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. 
- type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - type - - enabled - - streams - - compiled_input - maxItems: 100 - type: array - - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' - type: string - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that input. Defaults to `true` (enabled). - type: boolean - streams: - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' - type: string - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that stream. Defaults to `true` (enabled). - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. 
- type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Input streams. Refer to the integration documentation to know which streams are available. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Package policy inputs. Refer to the integration documentation to know which inputs are available. - type: object - x-oas-optional: true - description: Package policy inputs. - is_managed: - type: boolean - name: - description: Unique name for the package policy. - type: string - namespace: - description: The package policy namespace. Leave blank to inherit the agent policy's namespace. - type: string - output_id: - nullable: true - type: string - overrides: - additionalProperties: false - description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. 
- nullable: true - type: object - properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - - version - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. - nullable: true - type: string - policy_ids: - items: - description: IDs of the agent policies which that package policy will be added to. - type: string - maxItems: 1000 - type: array - revision: - description: Package policy revision. - type: number - secret_references: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 1000 - type: array - spaceIds: - items: - type: string - maxItems: 100 - type: array - supports_agentless: - default: false - description: Indicates whether the package policy belongs to an agentless agent policy. - nullable: true - type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. - nullable: true - type: boolean - updated_at: - type: string - updated_by: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. 
Maps var_group name to the selected option name within that group. - type: object - vars: - anyOf: - - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - x-oas-optional: true - description: Package level variable. - version: - description: Package policy ES version. - type: string - required: - - name - - enabled - - inputs - - id - - revision - - updated_at - - updated_by - - created_at - - created_by - maxItems: 10000 - type: array - required_versions: - items: - additionalProperties: false - type: object - properties: - percentage: - description: Target percentage of agents to auto upgrade - maximum: 100 - minimum: 0 - type: number - version: - description: Target version for automatic agent upgrade - type: string - required: - - version - - percentage - maxItems: 100 - nullable: true - type: array - revision: + events: type: number - schema_version: - type: string - space_ids: - items: - type: string - maxItems: 100 - type: array - status: - enum: - - active - - inactive - type: string - supports_agentless: - default: false - description: Indicates whether the agent policy supports agentless integrations. 
- nullable: true - type: boolean - unenroll_timeout: - minimum: 0 + inactive: type: number - unprivileged_agents: + offline: + type: number + online: + type: number + orphaned: + type: number + other: + type: number + unenrolled: + type: number + uninstalled: + type: number + updating: type: number - updated_at: - type: string - updated_by: - type: string - version: - type: string required: - - id - - name - - namespace - - is_protected - - status - - updated_at - - updated_by - - revision + - events + - online + - error + - offline + - other + - updating + - inactive + - unenrolled + - all + - active required: - - item + - results description: Successful response '400': content: @@ -34348,66 +29301,93 @@ paths: - message - attributes description: Bad Request - summary: Copy an agent policy + summary: Get an agent status summary tags: - - Elastic Agent policies + - Elastic Agent status x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/agent_policies/{agentPolicyId}/download: + /api/fleet/agent_status/data: get: description: |- **Spaces method and path for this operation:** -
get /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/download
+
get /s/{space_id}/api/fleet/agent_status/data
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Download an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-setup. - operationId: get-fleet-agent-policies-agentpolicyid-download + Get the data streams that an agent is actively sending data to.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agent-status-data parameters: - - description: The ID of the agent policy - in: path - name: agentPolicyId + - description: Agent IDs to check data for, as an array or comma-separated string + in: query + name: agentsIds required: true schema: - type: string - - description: If true, returns the policy as a downloadable file - in: query - name: download - required: false - schema: - type: boolean - - description: If true, returns the policy formatted for standalone agents + items: + type: string + maxItems: 10000 + type: array + - description: Filter by integration package name in: query - name: standalone + name: pkgName required: false schema: - type: boolean - - description: If true, returns the policy formatted for Kubernetes deployment + type: string + - description: Filter by integration package version in: query - name: kubernetes + name: pkgVersion required: false schema: - type: boolean - - description: If provided, returns the policy at the specified revision. Cannot be used with standalone or kubernetes flags. 
+ type: string + - description: When true, return a preview of the ingested data in: query - name: revision + name: previewData required: false schema: - type: number + default: false + type: boolean responses: '200': content: application/json: examples: - getDownloadAgentPolicyExample: - description: The agent policy download response + getAgentDataExample: + description: Data streams the agent is actively sending data to value: - item: 'id: agent-policy-id-1\nrevision: 1\noutputs:\n default:\n type: elasticsearch\n hosts:\n - https://elasticsearch.example.com:9200\n' + items: + - data: + logs-nginx.access-default: + - id: agent-id-1 + name: my-host + total: 1 + totalMonitoring: 0 schema: - type: string - description: Successful response — returns the agent policy as a YAML file download + additionalProperties: false + type: object + properties: + dataPreview: + items: + nullable: true + maxItems: 10000 + type: array + items: + items: + additionalProperties: + additionalProperties: false + type: object + properties: + data: + type: boolean + required: + - data + type: object + maxItems: 10000 + type: array + required: + - items + - dataPreview + description: Successful response '400': content: application/json: 
@@ -34437,619 +29417,790 @@ paths: - message - attributes description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No agent policy was found with the given ID - value: - error: Not Found - message: Agent policy not found - statusCode: 404 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Not Found - summary: Download an agent policy + summary: Get incoming agent data tags: - - Elastic Agent policies + - Elastic Agents x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/agent_policies/{agentPolicyId}/full: - get: + /api/fleet/agentless_policies: + post: description: |- **Spaces method and path for this operation:** -
get /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/full
+
post /s/{space_id}/api/fleet/agentless_policies
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Get a full agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read. - operationId: get-fleet-agent-policies-agentpolicyid-full + Create an agentless policy + operationId: post-fleet-agentless-policies parameters: - - description: The ID of the agent policy - in: path - name: agentPolicyId + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: + example: 'true' type: string - - description: If true, returns the policy as a downloadable file - in: query - name: download - required: false - schema: - type: boolean - - description: If true, returns the policy formatted for standalone agents - in: query - name: standalone - required: false - schema: - type: boolean - - description: If true, returns the policy formatted for Kubernetes deployment - in: query - name: kubernetes - required: false - schema: - type: boolean - - description: If provided, returns the policy at the specified revision. Cannot be used with standalone or kubernetes flags. + - description: The format of the response package policy. 
in: query - name: revision + name: format required: false schema: - type: number + default: simplified + enum: + - legacy + - simplified + type: string + requestBody: + content: + application/json: + examples: + createAgentlessPoliciesRequestExample: + description: Example request to create agentless policies + value: + description: test + inputs: + ESS Billing-cel: + enabled: true + streams: + ess_billing.billing: + enabled: true + vars: + hide_sensitive: true + http_client_timeout: 30s + lookbehind: 365 + tags: + - forwarded + - billing + ess_billing.credits: + enabled: false + vars: + api_key: + organization_id: '1234' + name: ess_billing-1 + namespace: default + package: + name: ess_billing + version: 1.6.0 + createAgentlessPoliciesReuseAWSCloudConnectorExample: + description: Example request to create agentless policy reusing an existing AWS cloud connector + value: + cloud_connector: + cloud_connector_id: existing-aws-connector-id + target_csp: aws + description: CSPM integration for AWS reusing existing cloud connector + inputs: + cspm-cloudbeat/cis_aws: + enabled: true + streams: + cloud_security_posture.findings: + enabled: true + vars: + aws.account_type: organization-account + aws.credentials.type: cloud_connector + aws.supports_cloud_connectors: true + external_id: + id: ABCDEFGHIJKLMNOPQRST + isSecretRef: true + role_arn: arn:aws:iam::123456789012:role/TestRole + vars: + cloud_formation_template: https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https://elastic-cspm-cft.s3.eu-central-1.amazonaws.com/cloudformation-cspm-ACCOUNT_TYPE-9.2.0.yml + cspm-cloudbeat/cis_azure: + enabled: false + cspm-cloudbeat/cis_gcp: + enabled: false + name: cspm-aws-reuse-policy + namespace: default + package: + name: cloud_security_posture + version: 3.1.1 + vars: + deployment: aws + posture: cspm + createAgentlessPoliciesWithAWSCloudConnectorExample: + description: Example request to create agentless policy with AWS cloud connector + 
value: + cloud_connector: + target_csp: aws + description: CSPM integration for AWS with cloud connector + inputs: + cspm-cloudbeat/cis_aws: + enabled: true + streams: + cloud_security_posture.findings: + enabled: true + vars: + aws.account_type: organization-account + aws.credentials.type: cloud_connector + aws.supports_cloud_connectors: true + external_id: + id: ABCDEFGHIJKLMNOPQRST + isSecretRef: true + role_arn: arn:aws:iam::123456789012:role/TestRole + vars: + cloud_formation_template: https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https://elastic-cspm-cft.s3.eu-central-1.amazonaws.com/cloudformation-cspm-ACCOUNT_TYPE-9.2.0.yml + cspm-cloudbeat/cis_azure: + enabled: false + cspm-cloudbeat/cis_gcp: + enabled: false + name: cspm-aws-policy + namespace: default + package: + name: cloud_security_posture + version: 3.1.1 + vars: + deployment: aws + posture: cspm + createAgentlessPoliciesWithAzureCloudConnectorExample: + description: Example request to create agentless policy with Azure cloud connector + value: + cloud_connector: + target_csp: azure + description: CSPM integration for Azure with cloud connector + inputs: + cspm-cloudbeat/cis_aws: + enabled: false + cspm-cloudbeat/cis_azure: + enabled: true + streams: + cloud_security_posture.findings: + enabled: true + vars: + azure_credentials_cloud_connector_id: + type: text + value: existing-azure-credentials-connector-id + azure.account_type: organization-account + client_id: + id: client-secret-id + isSecretRef: true + tenant_id: + id: tenant-secret-id + isSecretRef: true + cspm-cloudbeat/cis_gcp: + enabled: false + name: cspm-azure-policy + namespace: default + package: + name: cloud_security_posture + version: 3.1.1 + vars: + deployment: azure + posture: cspm + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_simplified_create_package_policy_request' responses: '200': content: application/json: examples: - getFullAgentPolicyExample: - description: The full agent 
policy configuration + createAgentlessPoliciesResponseExample: + description: Example response showing the successful result of communication initialisation over MCP protocol value: item: - agent: - monitoring: - logs: true - metrics: true - id: agent-policy-id-1 - inputs: [] - outputs: - default: - hosts: - - https://elasticsearch.example.com:9200 - type: elasticsearch + created_at: '2025-11-06T18:27:43.541Z' + created_by: test_user + description: test + enabled: true + id: d52a7812-5736-4fdc-aed8-72152afa1ffa + inputs: + ESS Billing-cel: + enabled: true + streams: + ess_billing.billing: + enabled: true + vars: + hide_sensitive: true + http_client_timeout: 30s + lookbehind: 365 + tags: + - forwarded + - billing + ess_billing.credits: + enabled: false + vars: + api_key: + id: QY1sWpoBbWcMW-edr0Ee + isSecretRef: true + organization_id: '1234' + url: https://billing.elastic-cloud.com + name: ess_billing-1 + namespace: default + package: + name: ess_billing + title: Elasticsearch Service Billing + version: 1.6.0 + revision: 1 + secret_references: + - id: QY1sWpoBbWcMW-edr0Ee + supports_agentless: true + updated_at: '2025-11-06T18:27:43.541Z' + updated_by: test_user + version: WzE0OTgsMV0= + createAgentlessPoliciesWithAWSCloudConnectorResponseExample: + description: Example response for AWS cloud connector integration + value: + item: + cloud_connector_id: aws-connector-67890 + created_at: '2025-11-06T18:27:43.541Z' + created_by: test_user + description: CSPM integration for AWS with cloud connector + enabled: true + id: aws-policy-12345 + inputs: + cspm-cloudbeat/cis_aws: + enabled: true + streams: + cloud_security_posture.findings: + enabled: true + vars: + aws.account_type: organization-account + aws.credentials.type: cloud_connector + external_id: + id: secret-external-id-123 + isSecretRef: true + role_arn: arn:aws:iam::123456789012:role/TestRole + vars: + cloud_formation_template: 
https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https://elastic-cspm-cft.s3.eu-central-1.amazonaws.com/cloudformation-cspm-ACCOUNT_TYPE-9.2.0.yml + cspm-cloudbeat/cis_azure: + enabled: false + cspm-cloudbeat/cis_gcp: + enabled: false + name: cspm-aws-policy + namespace: default + package: + name: cloud_security_posture + title: Cloud Security Posture Management + version: 3.1.1 + revision: 1 + secret_references: + - id: secret-external-id-123 + supports_agentless: true + supports_cloud_connector: true + updated_at: '2025-11-06T18:27:43.541Z' + updated_by: test_user + vars: + deployment: aws + posture: cspm + version: WzE0OTgsMV0= + createAgentlessPoliciesWithAzureCloudConnectorResponseExample: + description: Example response for Azure cloud connector integration + value: + item: + cloud_connector_id: azure-connector-67890 + created_at: '2025-11-06T18:27:43.541Z' + created_by: test_user + description: CSPM integration for Azure with cloud connector + enabled: true + id: azure-policy-12345 + inputs: + cspm-cloudbeat/cis_aws: + enabled: false + cspm-cloudbeat/cis_azure: + enabled: true + streams: + cloud_security_posture.findings: + enabled: true + vars: + azure_credentials_cloud_connector_id: + type: text + value: existing-azure-credentials-connector-id + azure.account_type: organization-account + client_id: + id: client-secret-id-456 + isSecretRef: true + tenant_id: + id: tenant-secret-id-123 + isSecretRef: true + cspm-cloudbeat/cis_gcp: + enabled: false + name: cspm-azure-policy + namespace: default + package: + name: cloud_security_posture + title: Cloud Security Posture Management + version: 3.1.1 revision: 1 + secret_references: + - id: tenant-secret-id-123 + - id: client-secret-id-456 + supports_agentless: true + supports_cloud_connector: true + updated_at: '2025-11-06T18:27:43.541Z' + updated_by: test_user + vars: + deployment: azure + posture: cspm + version: WzE0OTgsMV0= schema: additionalProperties: false type: object 
properties: item: - anyOf: - - type: string - - additionalProperties: false + additionalProperties: false + description: The created agentless package policy. + type: object + properties: + additional_datastreams_permissions: + description: Additional datastream permissions, that will be added to the agent policy. + items: + type: string + maxItems: 1000 + nullable: true + type: array + agents: + type: number + cloud_connector_id: + description: ID of the cloud connector associated with this package policy. + nullable: true + type: string + cloud_connector_name: + description: Transient field for cloud connector name during creation. + maxLength: 255 + minLength: 1 + nullable: true + type: string + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this integration to its inputs.' + type: string + created_at: + type: string + created_by: + type: string + description: + description: Package policy description + type: string + elasticsearch: + additionalProperties: true type: object properties: - agent: - additionalProperties: false + privileges: + additionalProperties: true type: object properties: - download: - additionalProperties: false - type: object - properties: - auth: - additionalProperties: false - type: object - properties: - api_key: - type: string - headers: - items: - additionalProperties: false - type: object - properties: - key: - type: string - value: - type: string - required: - - key - - value - maxItems: 100 - type: array - password: - type: string - username: - type: string - proxy_headers: - additionalProperties: - anyOf: - - type: string - - type: boolean - - type: number - nullable: true - type: object - proxy_url: - type: string - secrets: - additionalProperties: true - type: object - properties: - ssl: - additionalProperties: true - type: object - properties: - key: - additionalProperties: true - type: object - properties: - id: - type: string - required: - - key - sourceURI: - type: string - 
ssl: - additionalProperties: false - type: object - properties: - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - key: - type: string - renegotiation: - type: string - verification_mode: - type: string - target_directory: - type: string - timeout: - type: string - required: - - sourceURI - features: - additionalProperties: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - required: - - enabled - type: object - internal: - nullable: true - limits: - additionalProperties: false - type: object - properties: - go_max_procs: - type: number - logging: - additionalProperties: false - type: object - properties: - files: - additionalProperties: false - type: object - properties: - interval: - type: string - keepfiles: - type: number - rotateeverybytes: - type: number - level: - type: string - metrics: - additionalProperties: false - type: object - properties: - period: - type: string - to_files: - type: boolean - monitoring: - additionalProperties: false - type: object - properties: - _runtime_experimental: - type: string - apm: - nullable: true - diagnostics: - additionalProperties: false - type: object - properties: - limit: - additionalProperties: false - type: object - properties: - burst: - type: number - interval: - type: string - uploader: - additionalProperties: false - type: object - properties: - init_dur: - type: string - max_dur: - type: string - max_retries: - type: number - enabled: - type: boolean - http: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - host: - type: string - port: - type: number - logs: - type: boolean - metrics: - type: boolean - namespace: - type: string - pprof: + cluster: + items: + type: string + maxItems: 100 + type: array + enabled: + type: boolean + global_data_tags: + items: + additionalProperties: false + type: object + properties: + name: + description: The name of the custom field. 
Cannot contain spaces. + type: string + value: + anyOf: + - type: string + - type: number + description: The value of the custom field. + required: + - name + - value + maxItems: 100 + nullable: true + type: array + id: + description: Package policy unique identifier. + type: string + inputs: + anyOf: + - items: + additionalProperties: false + type: object + properties: + compiled_input: + nullable: true + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' + type: string + config: + additionalProperties: additionalProperties: false type: object properties: - enabled: + frozen: type: boolean - required: - - enabled - traces: - type: boolean - use_output: - type: string - required: - - enabled - - metrics - - logs - - traces - - apm - protection: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - signing_key: - type: string - uninstall_token_hash: - type: string - required: - - enabled - - uninstall_token_hash - - signing_key - required: - - monitoring - - download - - features - - internal - connectors: - additionalProperties: - nullable: true - type: object - exporters: - additionalProperties: - nullable: true - type: object - extensions: - additionalProperties: - nullable: true - type: object - fleet: - anyOf: - - additionalProperties: false - type: object - properties: - hosts: - items: - type: string - maxItems: 100 - type: array - proxy_headers: - additionalProperties: - anyOf: - - type: string - - type: boolean - - type: number - nullable: true - type: object - proxy_url: - type: string - secrets: - additionalProperties: true - type: object - properties: - ssl: - additionalProperties: true - type: object - properties: - key: - additionalProperties: true - type: object - properties: - id: - type: string - required: - - key - ssl: - additionalProperties: false - type: object - properties: - certificate: - type: string - certificate_authorities: - items: - type: 
string - maxItems: 10 - type: array - key: - type: string - renegotiation: - type: string - verification_mode: - type: string - required: - - hosts - - additionalProperties: false - type: object - properties: - kibana: - additionalProperties: false - type: object - properties: - hosts: - items: - type: string - maxItems: 100 - type: array - path: - type: string - protocol: + type: type: string + value: + nullable: true required: - - hosts - - protocol - required: - - kibana - id: - type: string - inputs: - items: - additionalProperties: true - type: object - properties: - data_stream: - additionalProperties: true + - value + description: Package variable (see integration documentation for more information) type: object - properties: - namespace: - type: string - required: - - namespace + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + type: boolean id: type: string - meta: - additionalProperties: true - type: object - properties: - package: - additionalProperties: true - type: object - properties: - name: - type: string - version: - type: string - required: - - name - - version + keep_enabled: + type: boolean + migrate_from: + type: string name: type: string - package_policy_id: + policy_template: type: string - processors: - items: - additionalProperties: true - type: object - properties: - add_fields: - additionalProperties: true - type: object - properties: - fields: - additionalProperties: - anyOf: - - type: string - - type: number - type: object - target: - type: string - required: - - target - - fields - required: - - add_fields - maxItems: 10000 - type: array - revision: - type: number streams: items: - additionalProperties: true + additionalProperties: false type: object properties: + compiled_stream: + nullable: true + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' 
+ type: string + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object data_stream: - additionalProperties: true + additionalProperties: false type: object properties: dataset: type: string + elasticsearch: + additionalProperties: false + type: object + properties: + dynamic_dataset: + type: boolean + dynamic_namespace: + type: boolean + privileges: + additionalProperties: false + type: object + properties: + indices: + items: + type: string + maxItems: 100 + type: array type: type: string required: - dataset + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + type: boolean id: type: string + keep_enabled: + type: boolean + migrate_from: + type: string + release: + enum: + - ga + - beta + - experimental + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object required: - - id + - enabled - data_stream - maxItems: 10000 + - compiled_stream + - deprecated + maxItems: 1000 type: array type: type: string - use_output: - type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. 
+ type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object required: - - id - - name - - revision - type - - data_stream - - use_output - - package_policy_id - maxItems: 10000 - type: array - namespaces: - items: - type: string + - enabled + - streams + - deprecated + - compiled_input maxItems: 100 type: array - output_permissions: - additionalProperties: - additionalProperties: - nullable: true - type: object - type: object - outputs: - additionalProperties: - additionalProperties: true + - additionalProperties: + additionalProperties: false type: object properties: - ca_sha256: - nullable: true + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' type: string - hosts: - items: - type: string - maxItems: 100 - type: array - proxy_headers: + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + description: Enable or disable that input. Defaults to `true` (enabled). + type: boolean + streams: + additionalProperties: + additionalProperties: false + type: object + properties: + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' + type: string + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + description: Enable or disable that stream. Defaults to `true` (enabled). + type: boolean + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. 
+ type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + required: + - deprecated + description: Input streams. Refer to the integration documentation to know which streams are available. + type: object + vars: additionalProperties: anyOf: - type: string - - type: boolean - type: number - nullable: true + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. type: object - proxy_url: - type: string - type: - type: string required: - - type - type: object - processors: - additionalProperties: - nullable: true + - deprecated + description: Package policy inputs. Refer to the integration documentation to know which inputs are available. type: object - receivers: + x-oas-optional: true + description: Package policy inputs. + is_managed: + type: boolean + name: + description: Unique name for the package policy. + type: string + namespace: + description: The package policy namespace. Leave blank to inherit the agent policy's namespace. + type: string + output_id: + nullable: true + type: string + overrides: + additionalProperties: false + description: Override settings that are defined in the package policy. 
The override option should be used only in unusual circumstances and not as a routine procedure. + nullable: true + type: object + properties: + inputs: additionalProperties: nullable: true type: object - revision: - type: number - secret_references: - items: + package: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_package' + package_agent_version_condition: + type: string + policy_id: + deprecated: true + description: ID of the agent policy which the package policy will be added to. + nullable: true + type: string + policy_ids: + items: + description: IDs of the agent policies which that package policy will be added to. + type: string + maxItems: 1000 + type: array + revision: + description: Package policy revision. + type: number + secret_references: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 1000 + type: array + spaceIds: + items: + type: string + maxItems: 100 + type: array + supports_agentless: + default: false + description: Indicates whether the package policy belongs to an agentless agent policy. + nullable: true + type: boolean + supports_cloud_connector: + default: false + description: Indicates whether the package policy supports cloud connectors. + nullable: true + type: boolean + updated_at: + type: string + updated_by: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. 
+ type: object + vars: + anyOf: + - additionalProperties: additionalProperties: false type: object properties: - id: + frozen: + type: boolean + type: type: string + value: + nullable: true required: - - id - maxItems: 10000 - type: array - service: - additionalProperties: false + - value + description: Package variable (see integration documentation for more information) type: object - properties: - extensions: - items: - type: string - maxItems: 1000 - type: array - pipelines: - additionalProperties: - additionalProperties: false + - additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false type: object properties: - exporters: - items: - type: string - maxItems: 1000 - type: array - processors: - items: - type: string - maxItems: 1000 - type: array - receivers: - items: - type: string - maxItems: 1000 - type: array - x-oas-optional: true - type: object - signed: - additionalProperties: false + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. type: object - properties: - data: - type: string - signature: - type: string - required: - - data - - signature - required: - - id - - outputs - - inputs + x-oas-optional: true + description: Package level variable. + version: + description: Package policy ES version. + type: string + required: + - name + - enabled + - package + - inputs + - id + - revision + - updated_at + - updated_by + - created_at + - created_by required: - item - description: Successful response + description: Indicates a successful response '400': content: application/json: 
@@ -35079,133 +30230,16 @@ paths: - message - attributes description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No agent policy was found with the given ID - value: - error: Not Found - message: Agent policy not found - statusCode: 404 - description: Not Found - summary: Get a full agent policy - tags: - - Elastic Agent policies - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/agent_policies/{agentPolicyId}/outputs: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/outputs
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a list of outputs associated with agent policy by policy id.

[Required authorization] Route required privileges: fleet-agent-policies-read AND fleet-settings-read. - operationId: get-fleet-agent-policies-agentpolicyid-outputs - parameters: - - description: The ID of the agent policy - in: path - name: agentPolicyId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getAgentPolicyOutputsExample: - description: Outputs associated with the agent policy - value: - item: - data_output: - id: output-id-1 - name: Default output - type: elasticsearch - monitoring_output: - id: output-id-1 - name: Default output - type: elasticsearch - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - agentPolicyId: - type: string - data: - additionalProperties: false - type: object - properties: - integrations: - items: - additionalProperties: false - type: object - properties: - id: - type: string - integrationPolicyName: - type: string - name: - type: string - pkgName: - type: string - maxItems: 1000 - type: array - output: - additionalProperties: false - type: object - properties: - id: - type: string - name: - type: string - required: - - id - - name - required: - - output - monitoring: - additionalProperties: false - type: object - properties: - output: - additionalProperties: false - type: object - properties: - id: - type: string - name: - type: string - required: - - id - - name - required: - - output - required: - - monitoring - - data - required: - - item - description: Successful response - '400': + '409': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + conflictErrorResponseExample: + description: Example of a conflict error response value: - error: Bad Request + error: Conflict message: An error message describing what went wrong - statusCode: 400 + statusCode: 409 schema: additionalProperties: false description: Generic 
Error @@ -35224,35 +30258,25 @@ paths: required: - message - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No agent policy was found with the given ID - value: - error: Not Found - message: Agent policy not found - statusCode: 404 - description: Not Found - summary: Get outputs for an agent policy + description: Conflict + summary: Create an agentless policy tags: - - Elastic Agent policies + - Fleet agentless policies + x-state: Technical Preview x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/agent_policies/delete: - post: + /api/fleet/agentless_policies/{policyId}: + delete: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/agent_policies/delete
+
delete /s/{space_id}/api/fleet/agentless_policies/{policyId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Delete an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all. - operationId: post-fleet-agent-policies-delete + Delete an agentless policy + operationId: delete-fleet-agentless-policies-policyid parameters: - description: A required header to protect against CSRF attacks in: header @@ -35261,48 +30285,39 @@ paths: schema: example: 'true' type: string - requestBody: - content: - application/json: - examples: - postDeleteAgentPolicyRequestExample: - description: Delete an agent policy by ID - value: - agentPolicyId: agent-policy-id-1 - schema: - additionalProperties: false - type: object - properties: - agentPolicyId: - description: The ID of the agent policy - type: string - force: - description: bypass validation checks that can prevent agent policy deletion - type: boolean - required: - - agentPolicyId + - description: The ID of the policy to delete. + in: path + name: policyId + required: true + schema: + type: string + - description: Force delete the policy even if the policy is managed. + in: query + name: force + required: false + schema: + type: boolean responses: '200': content: application/json: examples: - postDeleteAgentPolicyExample: - description: The agent policy was successfully deleted + createAgentlessPoliciesResponseExample: + description: Example response showing the successful result of communication initialisation over MCP protocol value: - id: agent-policy-id-1 - name: My agent policy + item: + id: d52a7812-5736-4fdc-aed8-72152afa1ffa schema: additionalProperties: false + description: Response for deleting an agentless package policy. type: object properties: id: - type: string - name: + description: The ID of the deleted agentless package policy. type: string required: - id - - name - description: Successful response + description: Indicates a successful response '400': content: application/json: 
@@ -35332,149 +30347,16 @@ paths: - message - attributes description: Bad Request - summary: Delete an agent policy - tags: - - Elastic Agent policies - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/agent_policies/outputs: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/agent_policies/outputs
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a list of outputs associated with agent policies.

[Required authorization] Route required privileges: fleet-agent-policies-read AND fleet-settings-read. - operationId: post-fleet-agent-policies-outputs - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postListAgentPolicyOutputsRequestExample: - description: Get outputs for multiple agent policies - value: - ids: - - agent-policy-id-1 - - agent-policy-id-2 - schema: - additionalProperties: false - type: object - properties: - ids: - description: list of package policy ids - items: - type: string - maxItems: 1000 - type: array - required: - - ids - responses: - '200': - content: - application/json: - examples: - postListAgentPolicyOutputsExample: - description: Outputs associated with the requested agent policies - value: - items: - - agent_policy_id: agent-policy-id-1 - data_output: - id: output-id-1 - name: Default output - type: elasticsearch - monitoring_output: - id: output-id-1 - name: Default output - type: elasticsearch - schema: - additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: false - type: object - properties: - agentPolicyId: - type: string - data: - additionalProperties: false - type: object - properties: - integrations: - items: - additionalProperties: false - type: object - properties: - id: - type: string - integrationPolicyName: - type: string - name: - type: string - pkgName: - type: string - maxItems: 1000 - type: array - output: - additionalProperties: false - type: object - properties: - id: - type: string - name: - type: string - required: - - id - - name - required: - - output - monitoring: - additionalProperties: false - type: object - properties: - output: - additionalProperties: false - type: object - properties: - id: - type: string - name: - type: string - required: - - id - - name - required: - - output - 
required: - - monitoring - - data - maxItems: 10000 - type: array - required: - - items - description: Successful response - '400': + '409': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + conflictErrorResponseExample: + description: Example of a conflict error response value: - error: Bad Request + error: Conflict message: An error message describing what went wrong - statusCode: 400 + statusCode: 409 schema: additionalProperties: false description: Generic Error @@ -35493,106 +30375,523 @@ paths: required: - message - attributes - description: Bad Request - summary: Get outputs for agent policies + description: Conflict + summary: Delete an agentless policy tags: - - Elastic Agent policies + - Fleet agentless policies + x-state: Technical Preview x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/agent_status: + /api/fleet/agents: get: description: |- **Spaces method and path for this operation:** -
get /s/{space_id}/api/fleet/agent_status
+
get /s/{space_id}/api/fleet/agents
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Get a summary of agent statuses for a given agent policy. - operationId: get-fleet-agent-status + List agents, with optional filtering and pagination.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agents parameters: - - description: Filter by agent policy ID + - description: Page number in: query - name: policyId + name: page required: false schema: - type: string - - description: Filter by one or more agent policy IDs + type: number + - description: Number of results per page in: query - name: policyIds + name: perPage required: false schema: - items: - type: string - maxItems: 1000 - type: array + default: 20 + type: number - description: A KQL query string to filter results in: query name: kuery required: false schema: type: string + - description: When true, include agentless agents in the results + in: query + name: showAgentless + required: false + schema: + default: true + type: boolean + - description: When true, include inactive agents in the results + in: query + name: showInactive + required: false + schema: + default: false + type: boolean + - description: When true, include CPU and memory metrics in the response + in: query + name: withMetrics + required: false + schema: + default: false + type: boolean + - description: When true, only return agents that are upgradeable + in: query + name: showUpgradeable + required: false + schema: + default: false + type: boolean + - description: When true, return a summary of agent statuses in the response + in: query + name: getStatusSummary + required: false + schema: + default: false + type: boolean + - description: Field to sort results by + in: query + name: sortField + required: false + schema: + type: string + - description: Sort order, ascending or descending + in: query + name: sortOrder + required: false + schema: + enum: + - asc + - desc + type: string + - description: JSON-encoded array of sort values for `search_after` pagination + in: query + name: searchAfter + required: false + schema: + type: string + - description: When true, opens a new point-in-time for pagination + in: query + name: openPit + 
required: false + schema: + type: boolean + - description: Point-in-time ID for pagination + in: query + name: pitId + required: false + schema: + type: string + - description: Duration to keep the point-in-time alive, for example, `1m` + in: query + name: pitKeepAlive + required: false + schema: + type: string responses: '200': content: application/json: examples: - getAgentStatusExample: - description: Agent status summary for an agent policy + getAgentsExample: + description: List of agents value: - results: - error: 1 - offline: 2 - online: 5 - other: 0 - updating: 0 - totalInactive: 0 + items: + - active: true + enrolled_at: '2024-01-01T00:00:00.000Z' + id: agent-id-1 + policy_id: agent-policy-id-1 + policy_revision: 1 + status: online + type: PERMANENT + updated_at: '2024-01-01T00:00:00.000Z' + page: 1 + perPage: 20 + total: 1 schema: additionalProperties: false type: object properties: - results: - additionalProperties: false - type: object - properties: - active: - type: number - all: - type: number - error: - type: number - events: - type: number - inactive: - type: number - offline: - type: number - online: - type: number - orphaned: - type: number - other: - type: number - unenrolled: - type: number - uninstalled: - type: number - updating: - type: number - required: - - events - - online - - error - - offline - - other - - updating - - inactive - - unenrolled - - all - - active + items: + items: + additionalProperties: false + type: object + properties: + access_api_key: + type: string + access_api_key_id: + type: string + active: + type: boolean + agent: + additionalProperties: true + type: object + properties: + id: + type: string + type: + type: string + version: + type: string + required: + - id + - version + audit_unenrolled_reason: + type: string + capabilities: + items: + type: string + maxItems: 100 + type: array + components: + items: + additionalProperties: false + type: object + properties: + id: + type: string + message: + type: string + 
status: + enum: + - STARTING + - CONFIGURING + - HEALTHY + - DEGRADED + - FAILED + - STOPPING + - STOPPED + type: string + type: + type: string + units: + items: + additionalProperties: false + type: object + properties: + id: + type: string + message: + type: string + payload: + additionalProperties: + nullable: true + type: object + status: + enum: + - STARTING + - CONFIGURING + - HEALTHY + - DEGRADED + - FAILED + - STOPPING + - STOPPED + type: string + type: + enum: + - input + - output + - '' + type: string + required: + - id + - type + - status + - message + maxItems: 10000 + type: array + required: + - id + - type + - status + - message + maxItems: 10000 + type: array + default_api_key: + type: string + default_api_key_history: + items: + additionalProperties: false + deprecated: true + type: object + properties: + id: + type: string + retired_at: + type: string + required: + - id + - retired_at + maxItems: 100 + type: array + default_api_key_id: + type: string + effective_config: + nullable: true + enrolled_at: + type: string + health: + additionalProperties: + nullable: true + type: object + id: + type: string + identifying_attributes: + additionalProperties: + type: string + type: object + last_checkin: + type: string + last_checkin_message: + type: string + last_checkin_status: + enum: + - error + - online + - degraded + - updating + - starting + - disconnected + type: string + last_known_status: + enum: + - offline + - error + - online + - inactive + - enrolling + - unenrolling + - unenrolled + - updating + - degraded + - uninstalled + - orphaned + type: string + local_metadata: + additionalProperties: + nullable: true + type: object + metrics: + additionalProperties: false + type: object + properties: + cpu_avg: + type: number + memory_size_byte_avg: + type: number + namespaces: + items: + type: string + maxItems: 100 + type: array + non_identifying_attributes: + additionalProperties: + type: string + type: object + outputs: + additionalProperties: + 
additionalProperties: false + type: object + properties: + api_key_id: + type: string + to_retire_api_key_ids: + items: + additionalProperties: false + type: object + properties: + id: + type: string + retired_at: + type: string + required: + - id + - retired_at + maxItems: 100 + type: array + type: + type: string + type: object + packages: + items: + type: string + maxItems: 10000 + type: array + policy_id: + type: string + policy_revision: + nullable: true + type: number + sequence_num: + type: number + signals: + items: + type: string + maxItems: 50 + type: array + sort: + items: + nullable: true + maxItems: 10 + type: array + status: + enum: + - offline + - error + - online + - inactive + - enrolling + - unenrolling + - unenrolled + - updating + - degraded + - uninstalled + - orphaned + type: string + tags: + items: + type: string + maxItems: 100 + type: array + type: + enum: + - PERMANENT + - EPHEMERAL + - TEMPORARY + - OPAMP + type: string + unenrolled_at: + type: string + unenrollment_started_at: + type: string + unhealthy_reason: + items: + enum: + - input + - output + - other + type: string + maxItems: 3 + nullable: true + type: array + upgrade: + additionalProperties: false + type: object + properties: + rollbacks: + items: + additionalProperties: false + type: object + properties: + valid_until: + type: string + version: + type: string + required: + - valid_until + - version + maxItems: 100 + type: array + upgrade_attempts: + items: + type: string + maxItems: 10000 + nullable: true + type: array + upgrade_details: + additionalProperties: false + nullable: true + type: object + properties: + action_id: + type: string + metadata: + additionalProperties: false + type: object + properties: + download_percent: + type: number + download_rate: + type: number + error_msg: + type: string + failed_state: + enum: + - UPG_REQUESTED + - UPG_SCHEDULED + - UPG_DOWNLOADING + - UPG_EXTRACTING + - UPG_REPLACING + - UPG_RESTARTING + - UPG_FAILED + - UPG_WATCHING + - 
UPG_ROLLBACK + type: string + reason: + type: string + retry_error_msg: + type: string + retry_until: + type: string + scheduled_at: + type: string + state: + enum: + - UPG_REQUESTED + - UPG_SCHEDULED + - UPG_DOWNLOADING + - UPG_EXTRACTING + - UPG_REPLACING + - UPG_RESTARTING + - UPG_FAILED + - UPG_WATCHING + - UPG_ROLLBACK + type: string + target_version: + type: string + required: + - target_version + - action_id + - state + upgrade_started_at: + nullable: true + type: string + upgraded_at: + nullable: true + type: string + user_provided_metadata: + additionalProperties: + nullable: true + type: object + required: + - id + - packages + - type + - active + - enrolled_at + - local_metadata + - effective_config + maxItems: 10000 + type: array + nextSearchAfter: + type: string + page: + type: number + perPage: + type: number + pit: + type: string + statusSummary: + additionalProperties: + type: number + type: object + total: + type: number required: - - results + - items + - total + - page + - perPage description: Successful response '400': content: @@ -35623,92 +30922,76 @@ paths: - message - attributes description: Bad Request - summary: Get an agent status summary + summary: Get agents tags: - - Elastic Agent status + - Elastic Agents x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/agent_status/data: - get: + post: description: |- **Spaces method and path for this operation:** -
get /s/{space_id}/api/fleet/agent_status/data
+
post /s/{space_id}/api/fleet/agents
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Get the data streams that an agent is actively sending data to.

[Required authorization] Route required privileges: fleet-agents-read. - operationId: get-fleet-agent-status-data + Retrieve agents associated with specific action IDs.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: post-fleet-agents parameters: - - description: Agent IDs to check data for, as an array or comma-separated string - in: query - name: agentsIds + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: - items: - type: string - maxItems: 10000 - type: array - - description: Filter by integration package name - in: query - name: pkgName - required: false - schema: - type: string - - description: Filter by integration package version - in: query - name: pkgVersion - required: false - schema: + example: 'true' type: string - - description: When true, return a preview of the ingested data - in: query - name: previewData - required: false - schema: - default: false - type: boolean + requestBody: + content: + application/json: + examples: + postGetAgentsByActionsRequestExample: + description: Retrieve agents associated with specific action IDs + value: + actionIds: + - action-id-1 + - action-id-2 + schema: + additionalProperties: false + type: object + properties: + actionIds: + items: + type: string + maxItems: 1000 + type: array + required: + - actionIds responses: '200': content: application/json: examples: - getAgentDataExample: - description: Data streams the agent is actively sending data to + postGetAgentsByActionsExample: + description: Agents associated with the given actions value: items: - - data: - logs-nginx.access-default: - - id: agent-id-1 - name: my-host + - active: true + id: agent-id-1 + policy_id: agent-policy-id-1 + status: online total: 1 - totalMonitoring: 0 schema: additionalProperties: false type: object properties: - dataPreview: - items: - nullable: true - maxItems: 10000 - type: array items: items: - additionalProperties: - additionalProperties: false - type: object - properties: - data: - type: boolean - required: - - data - type: object + type: string maxItems: 10000 type: array required: - items 
- - dataPreview description: Successful response '400': content: @@ -35739,23 +31022,23 @@ paths: - message - attributes description: Bad Request - summary: Get incoming agent data + summary: Get agents by action ids tags: - Elastic Agents x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/agentless_policies: - post: + /api/fleet/agents/{agentId}: + delete: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/agentless_policies
+
delete /s/{space_id}/api/fleet/agents/{agentId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Create an agentless policy - operationId: post-fleet-agentless-policies + Delete an agent by ID.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: delete-fleet-agents-agentid parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -35764,1109 +31047,972 @@ paths: schema: example: 'true' type: string - - description: The format of the response package policy. - in: query - name: format - required: false + - description: The agent ID + in: path + name: agentId + required: true schema: - default: simplified - enum: - - legacy - - simplified type: string - requestBody: - content: - application/json: - examples: - createAgentlessPoliciesRequestExample: - description: Example request to create agentless policies - value: - description: test - inputs: - ESS Billing-cel: - enabled: true - streams: - ess_billing.billing: - enabled: true - vars: - hide_sensitive: true - http_client_timeout: 30s - lookbehind: 365 - tags: - - forwarded - - billing - ess_billing.credits: - enabled: false - vars: - api_key: - organization_id: '1234' - name: ess_billing-1 - namespace: default - package: - name: ess_billing - version: 1.6.0 - createAgentlessPoliciesReuseAWSCloudConnectorExample: - description: Example request to create agentless policy reusing an existing AWS cloud connector - value: - cloud_connector: - cloud_connector_id: existing-aws-connector-id - target_csp: aws - description: CSPM integration for AWS reusing existing cloud connector - inputs: - cspm-cloudbeat/cis_aws: - enabled: true - streams: - cloud_security_posture.findings: - enabled: true - vars: - aws.account_type: organization-account - aws.credentials.type: cloud_connector - aws.supports_cloud_connectors: true - external_id: - id: ABCDEFGHIJKLMNOPQRST - isSecretRef: true - role_arn: arn:aws:iam::123456789012:role/TestRole - vars: - cloud_formation_template: https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https://elastic-cspm-cft.s3.eu-central-1.amazonaws.com/cloudformation-cspm-ACCOUNT_TYPE-9.2.0.yml - cspm-cloudbeat/cis_azure: - enabled: false - cspm-cloudbeat/cis_gcp: - enabled: false - name: cspm-aws-reuse-policy - namespace: default - package: - name: cloud_security_posture - version: 3.1.1 - vars: - 
deployment: aws - posture: cspm - createAgentlessPoliciesWithAWSCloudConnectorExample: - description: Example request to create agentless policy with AWS cloud connector - value: - cloud_connector: - target_csp: aws - description: CSPM integration for AWS with cloud connector - inputs: - cspm-cloudbeat/cis_aws: - enabled: true - streams: - cloud_security_posture.findings: - enabled: true - vars: - aws.account_type: organization-account - aws.credentials.type: cloud_connector - aws.supports_cloud_connectors: true - external_id: - id: ABCDEFGHIJKLMNOPQRST - isSecretRef: true - role_arn: arn:aws:iam::123456789012:role/TestRole - vars: - cloud_formation_template: https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https://elastic-cspm-cft.s3.eu-central-1.amazonaws.com/cloudformation-cspm-ACCOUNT_TYPE-9.2.0.yml - cspm-cloudbeat/cis_azure: - enabled: false - cspm-cloudbeat/cis_gcp: - enabled: false - name: cspm-aws-policy - namespace: default - package: - name: cloud_security_posture - version: 3.1.1 - vars: - deployment: aws - posture: cspm - createAgentlessPoliciesWithAzureCloudConnectorExample: - description: Example request to create agentless policy with Azure cloud connector - value: - cloud_connector: - target_csp: azure - description: CSPM integration for Azure with cloud connector - inputs: - cspm-cloudbeat/cis_aws: - enabled: false - cspm-cloudbeat/cis_azure: - enabled: true - streams: - cloud_security_posture.findings: - enabled: true - vars: - azure_credentials_cloud_connector_id: - type: text - value: existing-azure-credentials-connector-id - azure.account_type: organization-account - client_id: - id: client-secret-id - isSecretRef: true - tenant_id: - id: tenant-secret-id - isSecretRef: true - cspm-cloudbeat/cis_gcp: - enabled: false - name: cspm-azure-policy - namespace: default - package: - name: cloud_security_posture - version: 3.1.1 - vars: - deployment: azure - posture: cspm - schema: - additionalProperties: false - 
type: object - properties: - additional_datastreams_permissions: - description: Additional datastream permissions, that will be added to the agent policy. - items: + responses: + '200': + content: + application/json: + examples: + deleteAgentExample: + description: Agent successfully deleted + value: + id: agent-id-1 + success: true + schema: + additionalProperties: false + type: object + properties: + action: + enum: + - deleted type: string - maxItems: 100 - nullable: true - type: array - cloud_connector: - additionalProperties: false - type: object - properties: - cloud_connector_id: - description: ID of an existing cloud connector to reuse. If not provided, a new connector will be created. - type: string - enabled: - default: false - description: Whether cloud connectors are enabled for this policy. - type: boolean - name: - description: Optional name for the cloud connector. If not provided, will be auto-generated from credentials. - maxLength: 255 - minLength: 1 - type: string - target_csp: - description: Target cloud service provider. If not provided, will be auto-detected from inputs. - enum: - - aws - - azure - - gcp - type: string - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this integration to its inputs.' - type: string - description: - description: Policy description. - type: string - force: - description: Force package policy creation even if the package is not verified, or if the agent policy is managed. 
- type: boolean - global_data_tags: - items: + required: + - action + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No agent was found with the given ID + value: + error: Not Found + message: Agent agent-id-1 not found + statusCode: 404 + description: Not Found + summary: Delete an agent + tags: + - Elastic Agents + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agents/{agentId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get an agent by ID.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agents-agentid + parameters: + - description: The agent ID + in: path + name: agentId + required: true + schema: + type: string + - description: When true, include CPU and memory metrics in the response + in: query + name: withMetrics + required: false + schema: + default: false + type: boolean + responses: + '200': + content: + application/json: + examples: + getAgentExample: + description: Agent details + value: + item: + active: true + agent_id: agent-id-1 + enrolled_at: '2024-01-01T00:00:00.000Z' + id: agent-id-1 + local_metadata: + elastic: + agent: + version: 8.17.0 + host: + hostname: my-host + os: + name: linux + policy_id: agent-policy-id-1 + policy_revision: 1 + status: online + type: PERMANENT + updated_at: '2024-01-01T00:00:00.000Z' + schema: + additionalProperties: false + type: object + properties: + item: additionalProperties: false type: object properties: - name: - description: The name of the custom field. Cannot contain spaces. + access_api_key: type: string - value: - anyOf: - - type: string - - type: number - description: The value of the custom field. - required: - - name - - value - maxItems: 100 - type: array - id: - description: Policy unique identifier. - type: string - inputs: - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' + access_api_key_id: type: string - deprecated: - additionalProperties: false + active: + type: boolean + agent: + additionalProperties: true type: object properties: - description: + id: type: string - replaced_by: - additionalProperties: - type: string - type: object - since: + type: + type: string + version: type: string required: - - description - enabled: - description: Enable or disable that input. Defaults to `true` (enabled). 
- type: boolean - streams: - additionalProperties: + - id + - version + audit_unenrolled_reason: + type: string + capabilities: + items: + type: string + maxItems: 100 + type: array + components: + items: additionalProperties: false type: object properties: - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' + id: type: string - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: + message: + type: string + status: + enum: + - STARTING + - CONFIGURING + - HEALTHY + - DEGRADED + - FAILED + - STOPPING + - STOPPED + type: string + type: + type: string + units: + items: + additionalProperties: false + type: object + properties: + id: type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that stream. Defaults to `true` (enabled). - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false + message: + type: string + payload: + additionalProperties: + nullable: true type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Input streams. Refer to the integration documentation to know which streams are available. 
- type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 + status: + enum: + - STARTING + - CONFIGURING + - HEALTHY + - DEGRADED + - FAILED + - STOPPING + - STOPPED + type: string + type: + enum: + - input + - output + - '' + type: string + required: + - id + - type + - status + - message + maxItems: 10000 type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef + required: + - id + - type + - status + - message + maxItems: 10000 + type: array + default_api_key: + type: string + default_api_key_history: + items: + additionalProperties: false + deprecated: true + type: object + properties: + id: + type: string + retired_at: + type: string + required: + - id + - retired_at + maxItems: 100 + type: array + default_api_key_id: + type: string + effective_config: + nullable: true + enrolled_at: + type: string + health: + additionalProperties: nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. type: object - description: Package policy inputs. Refer to the integration documentation to know which inputs are available. - type: object - name: - description: Unique name for the policy. - type: string - namespace: - description: Policy namespace. When not specified, it inherits the agent policy namespace. 
- type: string - package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false + id: + type: string + identifying_attributes: + additionalProperties: + type: string type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - - version - policy_template: - description: The policy template to use for the agentless package policy. If not provided, the default policy template will be used. - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. 
- type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: + last_checkin: + type: string + last_checkin_message: + type: string + last_checkin_status: + enum: + - error + - online + - degraded + - updating + - starting + - disconnected + type: string + last_known_status: + enum: + - offline + - error + - online + - inactive + - enrolling + - unenrolling + - unenrolled + - updating + - degraded + - uninstalled + - orphaned + type: string + local_metadata: + additionalProperties: + nullable: true + type: object + metrics: + additionalProperties: false + type: object + properties: + cpu_avg: + type: number + memory_size_byte_avg: + type: number + namespaces: + items: type: string maxItems: 100 type: array - - items: - type: number + non_identifying_attributes: + additionalProperties: + type: string + type: object + outputs: + additionalProperties: + additionalProperties: false + type: object + properties: + api_key_id: + type: string + to_retire_api_key_ids: + items: + additionalProperties: false + type: object + properties: + id: + type: string + retired_at: + type: string + required: + - id + - retired_at + maxItems: 100 + type: array + type: + type: string + type: object + packages: + items: + type: string + maxItems: 10000 + type: array + policy_id: + type: string + policy_revision: + nullable: true + type: number + sequence_num: + type: number + signals: + items: + type: string + maxItems: 50 + type: array + sort: + items: + nullable: true + maxItems: 10 + type: array + status: + enum: + - offline + - error + - online + - inactive + - enrolling + - unenrolling + - unenrolled + - updating + - degraded + - uninstalled + - orphaned + type: string + tags: + items: + type: string maxItems: 100 type: array - - additionalProperties: false + type: + enum: + - PERMANENT + - EPHEMERAL + - TEMPORARY + - OPAMP + type: string + unenrolled_at: + type: string + unenrollment_started_at: + type: string + 
unhealthy_reason: + items: + enum: + - input + - output + - other + type: string + maxItems: 3 + nullable: true + type: array + upgrade: + additionalProperties: false type: object properties: - id: + rollbacks: + items: + additionalProperties: false + type: object + properties: + valid_until: + type: string + version: + type: string + required: + - valid_until + - version + maxItems: 100 + type: array + upgrade_attempts: + items: + type: string + maxItems: 10000 + nullable: true + type: array + upgrade_details: + additionalProperties: false + nullable: true + type: object + properties: + action_id: + type: string + metadata: + additionalProperties: false + type: object + properties: + download_percent: + type: number + download_rate: + type: number + error_msg: + type: string + failed_state: + enum: + - UPG_REQUESTED + - UPG_SCHEDULED + - UPG_DOWNLOADING + - UPG_EXTRACTING + - UPG_REPLACING + - UPG_RESTARTING + - UPG_FAILED + - UPG_WATCHING + - UPG_ROLLBACK + type: string + reason: + type: string + retry_error_msg: + type: string + retry_until: + type: string + scheduled_at: + type: string + state: + enum: + - UPG_REQUESTED + - UPG_SCHEDULED + - UPG_DOWNLOADING + - UPG_EXTRACTING + - UPG_REPLACING + - UPG_RESTARTING + - UPG_FAILED + - UPG_WATCHING + - UPG_ROLLBACK + type: string + target_version: type: string - isSecretRef: - type: boolean required: - - id - - isSecretRef + - target_version + - action_id + - state + upgrade_started_at: + nullable: true + type: string + upgraded_at: + nullable: true + type: string + user_provided_metadata: + additionalProperties: + nullable: true + type: object + required: + - id + - packages + - type + - active + - enrolled_at + - local_metadata + - effective_config + required: + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went 
wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No agent was found with the given ID + value: + error: Not Found + message: Agent agent-id-1 not found + statusCode: 404 + description: Not Found + summary: Get an agent + tags: + - Elastic Agents + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/fleet/agents/{agentId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an agent by ID.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: put-fleet-agents-agentid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The agent ID + in: path + name: agentId + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + putAgentRequestExample: + description: Update agent tags + value: + tags: + - production + - linux + schema: + additionalProperties: false + type: object + properties: + tags: + items: + type: string + maxItems: 10 + type: array + user_provided_metadata: + additionalProperties: nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. type: object - required: - - name - - package responses: '200': content: application/json: examples: - createAgentlessPoliciesResponseExample: - description: Example response showing the successful result of communication initialisation over MCP protocol - value: - item: - created_at: '2025-11-06T18:27:43.541Z' - created_by: test_user - description: test - enabled: true - id: d52a7812-5736-4fdc-aed8-72152afa1ffa - inputs: - ESS Billing-cel: - enabled: true - streams: - ess_billing.billing: - enabled: true - vars: - hide_sensitive: true - http_client_timeout: 30s - lookbehind: 365 - tags: - - forwarded - - billing - ess_billing.credits: - enabled: false - vars: - api_key: - id: QY1sWpoBbWcMW-edr0Ee - isSecretRef: true - organization_id: '1234' - url: https://billing.elastic-cloud.com - name: ess_billing-1 - namespace: default - package: - name: ess_billing - title: Elasticsearch Service Billing - version: 1.6.0 - revision: 1 - secret_references: - - id: QY1sWpoBbWcMW-edr0Ee - supports_agentless: true - updated_at: '2025-11-06T18:27:43.541Z' - updated_by: test_user - version: WzE0OTgsMV0= - 
createAgentlessPoliciesWithAWSCloudConnectorResponseExample: - description: Example response for AWS cloud connector integration - value: - item: - cloud_connector_id: aws-connector-67890 - created_at: '2025-11-06T18:27:43.541Z' - created_by: test_user - description: CSPM integration for AWS with cloud connector - enabled: true - id: aws-policy-12345 - inputs: - cspm-cloudbeat/cis_aws: - enabled: true - streams: - cloud_security_posture.findings: - enabled: true - vars: - aws.account_type: organization-account - aws.credentials.type: cloud_connector - external_id: - id: secret-external-id-123 - isSecretRef: true - role_arn: arn:aws:iam::123456789012:role/TestRole - vars: - cloud_formation_template: https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https://elastic-cspm-cft.s3.eu-central-1.amazonaws.com/cloudformation-cspm-ACCOUNT_TYPE-9.2.0.yml - cspm-cloudbeat/cis_azure: - enabled: false - cspm-cloudbeat/cis_gcp: - enabled: false - name: cspm-aws-policy - namespace: default - package: - name: cloud_security_posture - title: Cloud Security Posture Management - version: 3.1.1 - revision: 1 - secret_references: - - id: secret-external-id-123 - supports_agentless: true - supports_cloud_connector: true - updated_at: '2025-11-06T18:27:43.541Z' - updated_by: test_user - vars: - deployment: aws - posture: cspm - version: WzE0OTgsMV0= - createAgentlessPoliciesWithAzureCloudConnectorResponseExample: - description: Example response for Azure cloud connector integration + putAgentExample: + description: Updated agent details value: item: - cloud_connector_id: azure-connector-67890 - created_at: '2025-11-06T18:27:43.541Z' - created_by: test_user - description: CSPM integration for Azure with cloud connector - enabled: true - id: azure-policy-12345 - inputs: - cspm-cloudbeat/cis_aws: - enabled: false - cspm-cloudbeat/cis_azure: - enabled: true - streams: - cloud_security_posture.findings: - enabled: true - vars: - 
azure_credentials_cloud_connector_id: - type: text - value: existing-azure-credentials-connector-id - azure.account_type: organization-account - client_id: - id: client-secret-id-456 - isSecretRef: true - tenant_id: - id: tenant-secret-id-123 - isSecretRef: true - cspm-cloudbeat/cis_gcp: - enabled: false - name: cspm-azure-policy - namespace: default - package: - name: cloud_security_posture - title: Cloud Security Posture Management - version: 3.1.1 - revision: 1 - secret_references: - - id: tenant-secret-id-123 - - id: client-secret-id-456 - supports_agentless: true - supports_cloud_connector: true - updated_at: '2025-11-06T18:27:43.541Z' - updated_by: test_user - vars: - deployment: azure - posture: cspm - version: WzE0OTgsMV0= + active: true + enrolled_at: '2024-01-01T00:00:00.000Z' + id: agent-id-1 + policy_id: agent-policy-id-1 + policy_revision: 1 + status: online + tags: + - production + - linux + type: PERMANENT + updated_at: '2024-01-01T00:00:00.000Z' schema: additionalProperties: false type: object properties: item: additionalProperties: false - description: The created agentless package policy. type: object properties: - additional_datastreams_permissions: - description: Additional datastream permissions, that will be added to the agent policy. - items: - type: string - maxItems: 1000 - nullable: true - type: array - agents: - type: number - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. - nullable: true - type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. - maxLength: 255 - minLength: 1 - nullable: true - type: string - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this integration to its inputs.' 
- type: string - created_at: + access_api_key: type: string - created_by: + access_api_key_id: type: string - description: - description: Package policy description - type: string - elasticsearch: - additionalProperties: true - type: object - properties: - privileges: - additionalProperties: true - type: object - properties: - cluster: - items: - type: string - maxItems: 100 - type: array - enabled: - type: boolean - global_data_tags: - items: - additionalProperties: false - type: object - properties: - name: - description: The name of the custom field. Cannot contain spaces. - type: string - value: - anyOf: - - type: string - - type: number - description: The value of the custom field. - required: - - name - - value - maxItems: 100 - nullable: true - type: array - id: - description: Package policy unique identifier. - type: string - inputs: - anyOf: - - items: - additionalProperties: false - type: object - properties: - compiled_input: - nullable: true - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' 
- type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' - type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: 
string - release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - enabled - - data_stream - - compiled_stream - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - type - - enabled - - streams - - compiled_input - maxItems: 100 - type: array - - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' - type: string - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that input. Defaults to `true` (enabled). - type: boolean - streams: - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' 
- type: string - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that stream. Defaults to `true` (enabled). - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Input streams. Refer to the integration documentation to know which streams are available. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Package policy inputs. Refer to the integration documentation to know which inputs are available. - type: object - x-oas-optional: true - description: Package policy inputs. - is_managed: + active: type: boolean - name: - description: Unique name for the package policy. - type: string - namespace: - description: The package policy namespace. 
Leave blank to inherit the agent policy's namespace. - type: string - output_id: - nullable: true - type: string - overrides: - additionalProperties: false - description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. - nullable: true - type: object - properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - additionalProperties: false + agent: + additionalProperties: true type: object properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name + id: type: string - requires_root: - type: boolean - title: + type: type: string version: - description: Package version type: string required: - - name + - id - version - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. - nullable: true + audit_unenrolled_reason: type: string - policy_ids: + capabilities: items: - description: IDs of the agent policies which that package policy will be added to. type: string - maxItems: 1000 + maxItems: 100 type: array - revision: - description: Package policy revision. 
- type: number - secret_references: + components: items: additionalProperties: false type: object properties: id: type: string + message: + type: string + status: + enum: + - STARTING + - CONFIGURING + - HEALTHY + - DEGRADED + - FAILED + - STOPPING + - STOPPED + type: string + type: + type: string + units: + items: + additionalProperties: false + type: object + properties: + id: + type: string + message: + type: string + payload: + additionalProperties: + nullable: true + type: object + status: + enum: + - STARTING + - CONFIGURING + - HEALTHY + - DEGRADED + - FAILED + - STOPPING + - STOPPED + type: string + type: + enum: + - input + - output + - '' + type: string + required: + - id + - type + - status + - message + maxItems: 10000 + type: array required: - id - maxItems: 1000 + - type + - status + - message + maxItems: 10000 type: array - spaceIds: + default_api_key: + type: string + default_api_key_history: items: - type: string + additionalProperties: false + deprecated: true + type: object + properties: + id: + type: string + retired_at: + type: string + required: + - id + - retired_at maxItems: 100 type: array - supports_agentless: - default: false - description: Indicates whether the package policy belongs to an agentless agent policy. - nullable: true - type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. + default_api_key_id: + type: string + effective_config: nullable: true - type: boolean - updated_at: + enrolled_at: type: string - updated_by: + health: + additionalProperties: + nullable: true + type: object + id: type: string - var_group_selections: + identifying_attributes: additionalProperties: type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. 
type: object - vars: - anyOf: - - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. + last_checkin: + type: string + last_checkin_message: + type: string + last_checkin_status: + enum: + - error + - online + - degraded + - updating + - starting + - disconnected + type: string + last_known_status: + enum: + - offline + - error + - online + - inactive + - enrolling + - unenrolling + - unenrolled + - updating + - degraded + - uninstalled + - orphaned + type: string + local_metadata: + additionalProperties: + nullable: true + type: object + metrics: + additionalProperties: false + type: object + properties: + cpu_avg: + type: number + memory_size_byte_avg: + type: number + namespaces: + items: + type: string + maxItems: 100 + type: array + non_identifying_attributes: + additionalProperties: + type: string + type: object + outputs: + additionalProperties: + additionalProperties: false + type: object + properties: + api_key_id: + type: string + to_retire_api_key_ids: + items: + additionalProperties: false + type: object + properties: + id: + type: string + retired_at: + type: string + required: + - id + - retired_at + maxItems: 100 + type: array + type: + type: string + type: object + packages: + items: + type: string + maxItems: 10000 + type: array + policy_id: + type: string + 
policy_revision: + nullable: true + type: number + sequence_num: + type: number + signals: + items: + type: string + maxItems: 50 + type: array + sort: + items: + nullable: true + maxItems: 10 + type: array + status: + enum: + - offline + - error + - online + - inactive + - enrolling + - unenrolling + - unenrolled + - updating + - degraded + - uninstalled + - orphaned + type: string + tags: + items: + type: string + maxItems: 100 + type: array + type: + enum: + - PERMANENT + - EPHEMERAL + - TEMPORARY + - OPAMP + type: string + unenrolled_at: + type: string + unenrollment_started_at: + type: string + unhealthy_reason: + items: + enum: + - input + - output + - other + type: string + maxItems: 3 + nullable: true + type: array + upgrade: + additionalProperties: false + type: object + properties: + rollbacks: + items: + additionalProperties: false + type: object + properties: + valid_until: + type: string + version: + type: string + required: + - valid_until + - version + maxItems: 100 + type: array + upgrade_attempts: + items: + type: string + maxItems: 10000 + nullable: true + type: array + upgrade_details: + additionalProperties: false + nullable: true + type: object + properties: + action_id: + type: string + metadata: + additionalProperties: false type: object - x-oas-optional: true - description: Package level variable. - version: - description: Package policy ES version. 
+ properties: + download_percent: + type: number + download_rate: + type: number + error_msg: + type: string + failed_state: + enum: + - UPG_REQUESTED + - UPG_SCHEDULED + - UPG_DOWNLOADING + - UPG_EXTRACTING + - UPG_REPLACING + - UPG_RESTARTING + - UPG_FAILED + - UPG_WATCHING + - UPG_ROLLBACK + type: string + reason: + type: string + retry_error_msg: + type: string + retry_until: + type: string + scheduled_at: + type: string + state: + enum: + - UPG_REQUESTED + - UPG_SCHEDULED + - UPG_DOWNLOADING + - UPG_EXTRACTING + - UPG_REPLACING + - UPG_RESTARTING + - UPG_FAILED + - UPG_WATCHING + - UPG_ROLLBACK + type: string + target_version: + type: string + required: + - target_version + - action_id + - state + upgrade_started_at: + nullable: true type: string + upgraded_at: + nullable: true + type: string + user_provided_metadata: + additionalProperties: + nullable: true + type: object required: - - name - - enabled - - inputs - id - - revision - - updated_at - - updated_by - - created_at - - created_by + - packages + - type + - active + - enrolled_at + - local_metadata + - effective_config required: - item - description: Indicates a successful response + description: Successful response '400': content: application/json: 
@@ -36896,53 +32042,34 @@ paths: - message - attributes description: Bad Request - '409': + '404': content: application/json: examples: - conflictErrorResponseExample: - description: Example of a conflict error response + notFoundExample: + description: No agent was found with the given ID value: - error: Conflict - message: An error message describing what went wrong - statusCode: 409 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Conflict - summary: Create an agentless policy + error: Not Found + message: Agent agent-id-1 not found + statusCode: 404 + description: Not Found + summary: Update an agent by ID tags: - - Fleet agentless policies - x-state: Technical Preview + - Elastic Agents x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/agentless_policies/{policyId}: - delete: + /api/fleet/agents/{agentId}/actions: + post: description: |- **Spaces method and path for this operation:** -
delete /s/{space_id}/api/fleet/agentless_policies/{policyId}
+
post /s/{space_id}/api/fleet/agents/{agentId}/actions
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Delete an agentless policy - operationId: delete-fleet-agentless-policies-policyid + Create a new action for a specific agent.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-agentid-actions parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -36951,39 +32078,135 @@ paths: schema: example: 'true' type: string - - description: The ID of the policy to delete. + - description: The agent ID in: path - name: policyId + name: agentId required: true schema: type: string - - description: Force delete the policy even if the policy is managed. - in: query - name: force - required: false - schema: - type: boolean + requestBody: + content: + application/json: + examples: + postAgentActionRequestExample: + description: Create a UNENROLL action for an agent + value: + action: + type: UNENROLL + schema: + additionalProperties: false + type: object + properties: + action: + anyOf: + - additionalProperties: false + type: object + properties: + ack_data: + nullable: true + data: + nullable: true + type: + enum: + - UNENROLL + - UPGRADE + - POLICY_REASSIGN + type: string + required: + - type + - data + - ack_data + - additionalProperties: false + type: object + properties: + data: + additionalProperties: false + type: object + properties: + log_level: + enum: + - debug + - info + - warning + - error + nullable: true + type: string + required: + - log_level + type: + enum: + - SETTINGS + type: string + required: + - type + - data + required: + - action responses: '200': content: application/json: examples: - createAgentlessPoliciesResponseExample: - description: Example response showing the successful result of communication initialisation over MCP protocol + postAgentActionExample: + description: Created agent action value: item: - id: d52a7812-5736-4fdc-aed8-72152afa1ffa + agents: + - agent-id-1 + created_at: '2024-01-01T00:00:00.000Z' + id: action-id-1 + type: UNENROLL schema: additionalProperties: false - description: Response for deleting an agentless package policy. type: object properties: - id: - description: The ID of the deleted agentless package policy. 
- type: string + item: + additionalProperties: false + type: object + properties: + ack_data: + nullable: true + agents: + items: + type: string + maxItems: 10000 + type: array + created_at: + type: string + data: + nullable: true + expiration: + type: string + id: + type: string + minimum_execution_duration: + type: number + namespaces: + items: + type: string + maxItems: 100 + type: array + rollout_duration_seconds: + type: number + sent_at: + type: string + source_uri: + type: string + start_time: + type: string + total: + type: number + type: + type: string + required: + - id + - type + - data + - created_at + - ack_data required: - - id - description: Indicates a successful response + - item + description: Successful response '400': content: application/json: @@ -37013,16 +32236,54 @@ paths: - message - attributes description: Bad Request - '409': + summary: Create an agent action + tags: + - Elastic Agent actions + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/{agentId}/effective_config: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agents/{agentId}/effective_config
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get an agent's effective config by ID.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agents-agentid-effective-config + parameters: + - description: The agent ID to get effective config of + in: path + name: agentId + required: true + schema: + type: string + responses: + '200': content: application/json: examples: - conflictErrorResponseExample: - description: Example of a conflict error response + successResponse: value: - error: Conflict - message: An error message describing what went wrong - statusCode: 409 + effective_config: {} + schema: + additionalProperties: false + type: object + properties: + effective_config: + nullable: true + required: + - effective_config + description: 'OK: A successful request.' + '400': + content: + application/json: + examples: + badRequestResponse: + value: + message: Bad Request schema: additionalProperties: false description: Generic Error @@ -37041,523 +32302,451 @@ paths: required: - message - attributes - description: Conflict - summary: Delete an agentless policy + description: A bad request. + summary: Get an agent's effective config tags: - - Fleet agentless policies - x-state: Technical Preview + - Elastic Agents x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/agents: - get: + /api/fleet/agents/{agentId}/migrate: + post: description: |- **Spaces method and path for this operation:** -
get /s/{space_id}/api/fleet/agents
+
post /s/{space_id}/api/fleet/agents/{agentId}/migrate
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - List agents, with optional filtering and pagination.

[Required authorization] Route required privileges: fleet-agents-read. - operationId: get-fleet-agents + Migrate a single agent to another cluster.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-agentid-migrate parameters: - - description: Page number - in: query - name: page - required: false - schema: - type: number - - description: Number of results per page - in: query - name: perPage - required: false - schema: - default: 20 - type: number - - description: A KQL query string to filter results - in: query - name: kuery - required: false + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: + example: 'true' type: string - - description: When true, include agentless agents in the results - in: query - name: showAgentless - required: false - schema: - default: true - type: boolean - - description: When true, include inactive agents in the results - in: query - name: showInactive - required: false - schema: - default: false - type: boolean - - description: When true, include CPU and memory metrics in the response - in: query - name: withMetrics - required: false + - description: The agent ID + in: path + name: agentId + required: true schema: - default: false - type: boolean - - description: When true, only return agents that are upgradeable - in: query - name: showUpgradeable - required: false + type: string + requestBody: + content: + application/json: + examples: + postMigrateAgentRequestExample: + description: Migrate a single agent to another cluster + value: + enrollment_token: enrollment-token-value + settings: + retry_max: 5 + uri: https://fleet-server.example.com:8220 + schema: + additionalProperties: false + type: object + properties: + enrollment_token: + type: string + settings: + additionalProperties: false + type: object + properties: + ca_sha256: + type: string + certificate_authorities: + type: string + elastic_agent_cert: + type: string + elastic_agent_cert_key: + type: string + elastic_agent_cert_key_passphrase: + type: string + headers: + additionalProperties: + type: 
string + type: object + insecure: + type: boolean + proxy_disabled: + type: boolean + proxy_headers: + additionalProperties: + type: string + type: object + proxy_url: + type: string + replace_token: + type: string + staging: + type: string + tags: + items: + type: string + maxItems: 10 + type: array + uri: + format: uri + type: string + required: + - uri + - enrollment_token + responses: + '200': + content: + application/json: + examples: + postMigrateAgentExample: + description: Agent migration initiated + value: + actionId: action-id-1 + schema: + additionalProperties: false + type: object + properties: + actionId: + type: string + required: + - actionId + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Migrate a single agent + tags: + - Elastic Agents + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/{agentId}/privilege_level_change: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/{agentId}/privilege_level_change
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Change the privilege level of a single agent to unprivileged.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-agentid-privilege-level-change + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - default: false - type: boolean - - description: When true, return a summary of agent statuses in the response - in: query - name: getStatusSummary - required: false + example: 'true' + type: string + - description: The agent ID to change privilege level for + in: path + name: agentId + required: true schema: - default: false - type: boolean - - description: Field to sort results by - in: query - name: sortField - required: false + type: string + requestBody: + content: + application/json: + examples: + changeAgentPrivilegeLevelRequest: + value: + user_info: + groupname: groupname + password: password + username: username + schema: + additionalProperties: false + nullable: true + type: object + properties: + user_info: + additionalProperties: false + type: object + properties: + groupname: + type: string + password: + type: string + username: + type: string + responses: + '200': + content: + application/json: + examples: + successResponse: + value: + actionId: actionId + schema: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_action_id_response' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_action_message_response' + description: 'OK: A successful request.' + '400': + content: + application/json: + examples: + badRequestResponse: + value: + message: Bad Request + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: A bad request. 
+ summary: Change agent privilege level + tags: + - Elastic Agents + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/{agentId}/reassign: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/{agentId}/reassign
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Reassign an agent to a different agent policy.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-agentid-reassign + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: + example: 'true' type: string - - description: Sort order, ascending or descending - in: query - name: sortOrder - required: false + - description: The agent ID + in: path + name: agentId + required: true schema: - enum: - - asc - - desc type: string - - description: JSON-encoded array of sort values for `search_after` pagination - in: query - name: searchAfter - required: false + requestBody: + content: + application/json: + examples: + postReassignAgentRequestExample: + description: Reassign an agent to a different policy + value: + policy_id: agent-policy-id-2 + schema: + additionalProperties: false + type: object + properties: + policy_id: + type: string + required: + - policy_id + responses: + '200': + content: + application/json: + examples: + postReassignAgentExample: + description: Agent successfully reassigned + value: {} + schema: + additionalProperties: false + type: object + properties: {} + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Reassign an agent + tags: + - Elastic Agent actions + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/{agentId}/remove_collector: + post: + description: |- + **Spaces method and path for this 
operation:** + +
post /s/{space_id}/api/fleet/agents/{agentId}/remove_collector
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Remove a specific OpAMP collector from the Fleet agents list. Marks the collector as unenrolled. This action does not invalidate API keys, so the collector can reconnect on its own.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-agentid-remove-collector + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: + example: 'true' type: string - - description: When true, opens a new point-in-time for pagination - in: query - name: openPit - required: false + - description: The collector agent ID + in: path + name: agentId + required: true schema: - type: boolean - - description: Point-in-time ID for pagination - in: query - name: pitId - required: false + type: string + responses: + '200': + content: + application/json: + examples: + postRemoveCollectorExample: + description: Collector successfully removed + value: {} + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + description: Bad Request + summary: Remove an OpAMP collector + tags: + - Elastic Agent actions + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/{agentId}/request_diagnostics: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/{agentId}/request_diagnostics
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Request a diagnostics bundle from a specific agent.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: post-fleet-agents-agentid-request-diagnostics + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: + example: 'true' type: string - - description: Duration to keep the point-in-time alive, for example, `1m` - in: query - name: pitKeepAlive - required: false + - description: The agent ID + in: path + name: agentId + required: true schema: type: string + requestBody: + content: + application/json: + examples: + postRequestDiagnosticsRequestExample: + description: Request a diagnostics bundle from an agent + value: + additional_metrics: + - CPU + schema: + additionalProperties: false + nullable: true + type: object + properties: + additional_metrics: + items: + enum: + - CPU + type: string + maxItems: 1 + type: array responses: '200': content: application/json: examples: - getAgentsExample: - description: List of agents + postRequestDiagnosticsExample: + description: Diagnostics action result value: - items: - - active: true - enrolled_at: '2024-01-01T00:00:00.000Z' - id: agent-id-1 - policy_id: agent-policy-id-1 - policy_revision: 1 - status: online - type: PERMANENT - updated_at: '2024-01-01T00:00:00.000Z' - page: 1 - perPage: 20 - total: 1 + actionId: action-id-1 schema: additionalProperties: false type: object properties: - items: - items: - additionalProperties: false - type: object - properties: - access_api_key: - type: string - access_api_key_id: - type: string - active: - type: boolean - agent: - additionalProperties: true - type: object - properties: - id: - type: string - type: - type: string - version: - type: string - required: - - id - - version - audit_unenrolled_reason: - type: string - capabilities: - items: - type: string - maxItems: 100 - type: array - components: - items: - additionalProperties: false - type: object - properties: - id: - type: string - message: - type: string - 
status: - enum: - - STARTING - - CONFIGURING - - HEALTHY - - DEGRADED - - FAILED - - STOPPING - - STOPPED - type: string - type: - type: string - units: - items: - additionalProperties: false - type: object - properties: - id: - type: string - message: - type: string - payload: - additionalProperties: - nullable: true - type: object - status: - enum: - - STARTING - - CONFIGURING - - HEALTHY - - DEGRADED - - FAILED - - STOPPING - - STOPPED - type: string - type: - enum: - - input - - output - - '' - type: string - required: - - id - - type - - status - - message - maxItems: 10000 - type: array - required: - - id - - type - - status - - message - maxItems: 10000 - type: array - default_api_key: - type: string - default_api_key_history: - items: - additionalProperties: false - deprecated: true - type: object - properties: - id: - type: string - retired_at: - type: string - required: - - id - - retired_at - maxItems: 100 - type: array - default_api_key_id: - type: string - effective_config: - nullable: true - enrolled_at: - type: string - health: - additionalProperties: - nullable: true - type: object - id: - type: string - identifying_attributes: - additionalProperties: - type: string - type: object - last_checkin: - type: string - last_checkin_message: - type: string - last_checkin_status: - enum: - - error - - online - - degraded - - updating - - starting - - disconnected - type: string - last_known_status: - enum: - - offline - - error - - online - - inactive - - enrolling - - unenrolling - - unenrolled - - updating - - degraded - - uninstalled - - orphaned - type: string - local_metadata: - additionalProperties: - nullable: true - type: object - metrics: - additionalProperties: false - type: object - properties: - cpu_avg: - type: number - memory_size_byte_avg: - type: number - namespaces: - items: - type: string - maxItems: 100 - type: array - non_identifying_attributes: - additionalProperties: - type: string - type: object - outputs: - additionalProperties: - 
additionalProperties: false - type: object - properties: - api_key_id: - type: string - to_retire_api_key_ids: - items: - additionalProperties: false - type: object - properties: - id: - type: string - retired_at: - type: string - required: - - id - - retired_at - maxItems: 100 - type: array - type: - type: string - type: object - packages: - items: - type: string - maxItems: 10000 - type: array - policy_id: - type: string - policy_revision: - nullable: true - type: number - sequence_num: - type: number - signals: - items: - type: string - maxItems: 50 - type: array - sort: - items: - nullable: true - maxItems: 10 - type: array - status: - enum: - - offline - - error - - online - - inactive - - enrolling - - unenrolling - - unenrolled - - updating - - degraded - - uninstalled - - orphaned - type: string - tags: - items: - type: string - maxItems: 100 - type: array - type: - enum: - - PERMANENT - - EPHEMERAL - - TEMPORARY - - OPAMP - type: string - unenrolled_at: - type: string - unenrollment_started_at: - type: string - unhealthy_reason: - items: - enum: - - input - - output - - other - type: string - maxItems: 3 - nullable: true - type: array - upgrade: - additionalProperties: false - type: object - properties: - rollbacks: - items: - additionalProperties: false - type: object - properties: - valid_until: - type: string - version: - type: string - required: - - valid_until - - version - maxItems: 100 - type: array - upgrade_attempts: - items: - type: string - maxItems: 10000 - nullable: true - type: array - upgrade_details: - additionalProperties: false - nullable: true - type: object - properties: - action_id: - type: string - metadata: - additionalProperties: false - type: object - properties: - download_percent: - type: number - download_rate: - type: number - error_msg: - type: string - failed_state: - enum: - - UPG_REQUESTED - - UPG_SCHEDULED - - UPG_DOWNLOADING - - UPG_EXTRACTING - - UPG_REPLACING - - UPG_RESTARTING - - UPG_FAILED - - UPG_WATCHING - - 
UPG_ROLLBACK - type: string - reason: - type: string - retry_error_msg: - type: string - retry_until: - type: string - scheduled_at: - type: string - state: - enum: - - UPG_REQUESTED - - UPG_SCHEDULED - - UPG_DOWNLOADING - - UPG_EXTRACTING - - UPG_REPLACING - - UPG_RESTARTING - - UPG_FAILED - - UPG_WATCHING - - UPG_ROLLBACK - type: string - target_version: - type: string - required: - - target_version - - action_id - - state - upgrade_started_at: - nullable: true - type: string - upgraded_at: - nullable: true - type: string - user_provided_metadata: - additionalProperties: - nullable: true - type: object - required: - - id - - packages - - type - - active - - enrolled_at - - local_metadata - - effective_config - maxItems: 10000 - type: array - nextSearchAfter: - type: string - page: - type: number - perPage: - type: number - pit: + actionId: type: string - statusSummary: - additionalProperties: - type: number - type: object - total: - type: number required: - - items - - total - - page - - perPage + - actionId description: Successful response '400': content: @@ -37567,7 +32756,7 @@ paths: description: Example of a generic error response value: error: Bad Request - message: An error message describing what went wrong + message: Agent agent-id-1 does not support request diagnostics action. statusCode: 400 schema: additionalProperties: false @@ -37588,22 +32777,23 @@ paths: - message - attributes description: Bad Request - summary: Get agents + summary: Request agent diagnostics tags: - - Elastic Agents + - Elastic Agent actions x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name + /api/fleet/agents/{agentId}/rollback: post: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/agents
+
post /s/{space_id}/api/fleet/agents/{agentId}/rollback
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Retrieve agents associated with specific action IDs.

[Required authorization] Route required privileges: fleet-agents-read. - operationId: post-fleet-agents + Rollback an agent to the previous version.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-agentid-rollback parameters: - description: A required header to protect against CSRF attacks in: header @@ -37612,63 +32802,32 @@ paths: schema: example: 'true' type: string - requestBody: - content: - application/json: - examples: - postGetAgentsByActionsRequestExample: - description: Retrieve agents associated with specific action IDs - value: - actionIds: - - action-id-1 - - action-id-2 - schema: - additionalProperties: false - type: object - properties: - actionIds: - items: - type: string - maxItems: 1000 - type: array - required: - - actionIds + - description: The agent ID to rollback + in: path + name: agentId + required: true + schema: + type: string responses: '200': content: application/json: examples: - postGetAgentsByActionsExample: - description: Agents associated with the given actions + successResponse: value: - items: - - active: true - id: agent-id-1 - policy_id: agent-policy-id-1 - status: online - total: 1 + actionId: actionId schema: - additionalProperties: false - type: object - properties: - items: - items: - type: string - maxItems: 10000 - type: array - required: - - items - description: Successful response + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_action_id_response' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_action_message_response' + description: 'OK: A successful request.' '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequestResponse: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + message: Bad Request schema: additionalProperties: false description: Generic Error 
@@ -37687,24 +32846,25 @@ paths: required: - message - attributes - description: Bad Request - summary: Get agents by action ids + description: A bad request. + summary: Rollback an agent tags: - - Elastic Agents + - Elastic Agent actions + x-state: Technical Preview x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/agents/{agentId}: - delete: + /api/fleet/agents/{agentId}/unenroll: + post: description: |- **Spaces method and path for this operation:** -
delete /s/{space_id}/api/fleet/agents/{agentId}
+
post /s/{space_id}/api/fleet/agents/{agentId}/unenroll
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Delete an agent by ID.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: delete-fleet-agents-agentid + Unenroll a specific agent, optionally revoking its enrollment API key.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-agentid-unenroll parameters: - description: A required header to protect against CSRF attacks in: header @@ -37719,26 +32879,31 @@ paths: required: true schema: type: string + requestBody: + content: + application/json: + examples: + postUnenrollAgentRequestExample: + description: Unenroll an agent, optionally revoking the enrollment API key + value: + revoke: false + schema: + additionalProperties: false + nullable: true + type: object + properties: + force: + type: boolean + revoke: + type: boolean responses: '200': content: application/json: examples: - deleteAgentExample: - description: Agent successfully deleted - value: - id: agent-id-1 - success: true - schema: - additionalProperties: false - type: object - properties: - action: - enum: - - deleted - type: string - required: - - action + postUnenrollAgentExample: + description: Agent successfully unenrolled + value: {} description: Successful response '400': content: @@ -37750,456 +32915,72 @@ paths: error: Bad Request message: An error message describing what went wrong statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No agent was found with the given ID - value: - error: Not Found - message: Agent agent-id-1 not found - statusCode: 404 - description: Not Found - summary: Delete an agent + summary: Unenroll an agent tags: - - Elastic Agents + - Elastic Agent actions x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - get: + /api/fleet/agents/{agentId}/upgrade: + post: description: |- **Spaces method and path for this operation:** -
get /s/{space_id}/api/fleet/agents/{agentId}
+
post /s/{space_id}/api/fleet/agents/{agentId}/upgrade
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Get an agent by ID.

[Required authorization] Route required privileges: fleet-agents-read. - operationId: get-fleet-agents-agentid + Upgrade a specific agent to a newer version.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-agentid-upgrade parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string - description: The agent ID in: path name: agentId required: true schema: type: string - - description: When true, include CPU and memory metrics in the response - in: query - name: withMetrics - required: false - schema: - default: false - type: boolean + requestBody: + content: + application/json: + examples: + postUpgradeAgentRequestExample: + description: Upgrade an agent to a specific version + value: + version: 8.17.0 + schema: + additionalProperties: false + type: object + properties: + force: + type: boolean + skipRateLimitCheck: + type: boolean + source_uri: + type: string + version: + type: string + required: + - version responses: '200': content: application/json: examples: - getAgentExample: - description: Agent details - value: - item: - active: true - agent_id: agent-id-1 - enrolled_at: '2024-01-01T00:00:00.000Z' - id: agent-id-1 - local_metadata: - elastic: - agent: - version: 8.17.0 - host: - hostname: my-host - os: - name: linux - policy_id: agent-policy-id-1 - policy_revision: 1 - status: online - type: PERMANENT - updated_at: '2024-01-01T00:00:00.000Z' + postUpgradeAgentExample: + description: Agent upgrade initiated + value: {} schema: additionalProperties: false type: object - properties: - item: - additionalProperties: false - type: object - properties: - access_api_key: - type: string - access_api_key_id: - type: string - active: - type: boolean - agent: - additionalProperties: true - type: object - properties: - id: - type: string - type: - type: string - version: - type: string - required: - - id - - version - audit_unenrolled_reason: - type: string - capabilities: - items: - type: string - maxItems: 100 - type: array - components: - items: - 
additionalProperties: false - type: object - properties: - id: - type: string - message: - type: string - status: - enum: - - STARTING - - CONFIGURING - - HEALTHY - - DEGRADED - - FAILED - - STOPPING - - STOPPED - type: string - type: - type: string - units: - items: - additionalProperties: false - type: object - properties: - id: - type: string - message: - type: string - payload: - additionalProperties: - nullable: true - type: object - status: - enum: - - STARTING - - CONFIGURING - - HEALTHY - - DEGRADED - - FAILED - - STOPPING - - STOPPED - type: string - type: - enum: - - input - - output - - '' - type: string - required: - - id - - type - - status - - message - maxItems: 10000 - type: array - required: - - id - - type - - status - - message - maxItems: 10000 - type: array - default_api_key: - type: string - default_api_key_history: - items: - additionalProperties: false - deprecated: true - type: object - properties: - id: - type: string - retired_at: - type: string - required: - - id - - retired_at - maxItems: 100 - type: array - default_api_key_id: - type: string - effective_config: - nullable: true - enrolled_at: - type: string - health: - additionalProperties: - nullable: true - type: object - id: - type: string - identifying_attributes: - additionalProperties: - type: string - type: object - last_checkin: - type: string - last_checkin_message: - type: string - last_checkin_status: - enum: - - error - - online - - degraded - - updating - - starting - - disconnected - type: string - last_known_status: - enum: - - offline - - error - - online - - inactive - - enrolling - - unenrolling - - unenrolled - - updating - - degraded - - uninstalled - - orphaned - type: string - local_metadata: - additionalProperties: - nullable: true - type: object - metrics: - additionalProperties: false - type: object - properties: - cpu_avg: - type: number - memory_size_byte_avg: - type: number - namespaces: - items: - type: string - maxItems: 100 - type: array - 
non_identifying_attributes: - additionalProperties: - type: string - type: object - outputs: - additionalProperties: - additionalProperties: false - type: object - properties: - api_key_id: - type: string - to_retire_api_key_ids: - items: - additionalProperties: false - type: object - properties: - id: - type: string - retired_at: - type: string - required: - - id - - retired_at - maxItems: 100 - type: array - type: - type: string - type: object - packages: - items: - type: string - maxItems: 10000 - type: array - policy_id: - type: string - policy_revision: - nullable: true - type: number - sequence_num: - type: number - signals: - items: - type: string - maxItems: 50 - type: array - sort: - items: - nullable: true - maxItems: 10 - type: array - status: - enum: - - offline - - error - - online - - inactive - - enrolling - - unenrolling - - unenrolled - - updating - - degraded - - uninstalled - - orphaned - type: string - tags: - items: - type: string - maxItems: 100 - type: array - type: - enum: - - PERMANENT - - EPHEMERAL - - TEMPORARY - - OPAMP - type: string - unenrolled_at: - type: string - unenrollment_started_at: - type: string - unhealthy_reason: - items: - enum: - - input - - output - - other - type: string - maxItems: 3 - nullable: true - type: array - upgrade: - additionalProperties: false - type: object - properties: - rollbacks: - items: - additionalProperties: false - type: object - properties: - valid_until: - type: string - version: - type: string - required: - - valid_until - - version - maxItems: 100 - type: array - upgrade_attempts: - items: - type: string - maxItems: 10000 - nullable: true - type: array - upgrade_details: - additionalProperties: false - nullable: true - type: object - properties: - action_id: - type: string - metadata: - additionalProperties: false - type: object - properties: - download_percent: - type: number - download_rate: - type: number - error_msg: - type: string - failed_state: - enum: - - UPG_REQUESTED - - UPG_SCHEDULED 
- - UPG_DOWNLOADING - - UPG_EXTRACTING - - UPG_REPLACING - - UPG_RESTARTING - - UPG_FAILED - - UPG_WATCHING - - UPG_ROLLBACK - type: string - reason: - type: string - retry_error_msg: - type: string - retry_until: - type: string - scheduled_at: - type: string - state: - enum: - - UPG_REQUESTED - - UPG_SCHEDULED - - UPG_DOWNLOADING - - UPG_EXTRACTING - - UPG_REPLACING - - UPG_RESTARTING - - UPG_FAILED - - UPG_WATCHING - - UPG_ROLLBACK - type: string - target_version: - type: string - required: - - target_version - - action_id - - state - upgrade_started_at: - nullable: true - type: string - upgraded_at: - nullable: true - type: string - user_provided_metadata: - additionalProperties: - nullable: true - type: object - required: - - id - - packages - - type - - active - - enrolled_at - - local_metadata - - effective_config - required: - - item + properties: {} description: Successful response '400': content: @@ -38230,454 +33011,86 @@ paths: - message - attributes description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No agent was found with the given ID - value: - error: Not Found - message: Agent agent-id-1 not found - statusCode: 404 - description: Not Found - summary: Get an agent + summary: Upgrade an agent tags: - - Elastic Agents + - Elastic Agent actions x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - put: + /api/fleet/agents/{agentId}/uploads: + get: description: |- **Spaces method and path for this operation:** -
put /s/{space_id}/api/fleet/agents/{agentId}
+
get /s/{space_id}/api/fleet/agents/{agentId}/uploads
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Update an agent by ID.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: put-fleet-agents-agentid + Get a list of files uploaded by a specific agent.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agents-agentid-uploads parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - description: The agent ID in: path name: agentId required: true schema: type: string - requestBody: - content: - application/json: - examples: - putAgentRequestExample: - description: Update agent tags - value: - tags: - - production - - linux - schema: - additionalProperties: false - type: object - properties: - tags: - items: - type: string - maxItems: 10 - type: array - user_provided_metadata: - additionalProperties: - nullable: true - type: object responses: '200': content: application/json: examples: - putAgentExample: - description: Updated agent details + getAgentUploadsExample: + description: List of files uploaded by the agent value: - item: - active: true - enrolled_at: '2024-01-01T00:00:00.000Z' - id: agent-id-1 - policy_id: agent-policy-id-1 - policy_revision: 1 - status: online - tags: - - production - - linux - type: PERMANENT - updated_at: '2024-01-01T00:00:00.000Z' + items: + - actionId: action-id-1 + createTime: '2024-01-01T00:00:00.000Z' + filePath: /tmp/diagnostics-2024-01-01.zip + id: file-id-1 + name: diagnostics-2024-01-01.zip + status: READY schema: additionalProperties: false type: object properties: - item: - additionalProperties: false - type: object - properties: - access_api_key: - type: string - access_api_key_id: - type: string - active: - type: boolean - agent: - additionalProperties: true - type: object - properties: - id: - type: string - type: - type: string - version: - type: string - required: - - id - - version - audit_unenrolled_reason: - type: string - capabilities: - items: - type: string - maxItems: 100 - type: array - components: - items: - additionalProperties: false - type: object - properties: - id: - type: string - message: - type: 
string - status: - enum: - - STARTING - - CONFIGURING - - HEALTHY - - DEGRADED - - FAILED - - STOPPING - - STOPPED - type: string - type: - type: string - units: - items: - additionalProperties: false - type: object - properties: - id: - type: string - message: - type: string - payload: - additionalProperties: - nullable: true - type: object - status: - enum: - - STARTING - - CONFIGURING - - HEALTHY - - DEGRADED - - FAILED - - STOPPING - - STOPPED - type: string - type: - enum: - - input - - output - - '' - type: string - required: - - id - - type - - status - - message - maxItems: 10000 - type: array - required: - - id - - type - - status - - message - maxItems: 10000 - type: array - default_api_key: - type: string - default_api_key_history: - items: - additionalProperties: false - deprecated: true - type: object - properties: - id: - type: string - retired_at: - type: string - required: - - id - - retired_at - maxItems: 100 - type: array - default_api_key_id: - type: string - effective_config: - nullable: true - enrolled_at: - type: string - health: - additionalProperties: - nullable: true - type: object - id: - type: string - identifying_attributes: - additionalProperties: + items: + items: + additionalProperties: false + type: object + properties: + actionId: type: string - type: object - last_checkin: - type: string - last_checkin_message: - type: string - last_checkin_status: - enum: - - error - - online - - degraded - - updating - - starting - - disconnected - type: string - last_known_status: - enum: - - offline - - error - - online - - inactive - - enrolling - - unenrolling - - unenrolled - - updating - - degraded - - uninstalled - - orphaned - type: string - local_metadata: - additionalProperties: - nullable: true - type: object - metrics: - additionalProperties: false - type: object - properties: - cpu_avg: - type: number - memory_size_byte_avg: - type: number - namespaces: - items: + createTime: type: string - maxItems: 100 - type: array - 
non_identifying_attributes: - additionalProperties: + error: type: string - type: object - outputs: - additionalProperties: - additionalProperties: false - type: object - properties: - api_key_id: - type: string - to_retire_api_key_ids: - items: - additionalProperties: false - type: object - properties: - id: - type: string - retired_at: - type: string - required: - - id - - retired_at - maxItems: 100 - type: array - type: - type: string - type: object - packages: - items: + filePath: type: string - maxItems: 10000 - type: array - policy_id: - type: string - policy_revision: - nullable: true - type: number - sequence_num: - type: number - signals: - items: + id: type: string - maxItems: 50 - type: array - sort: - items: - nullable: true - maxItems: 10 - type: array - status: - enum: - - offline - - error - - online - - inactive - - enrolling - - unenrolling - - unenrolled - - updating - - degraded - - uninstalled - - orphaned - type: string - tags: - items: + name: type: string - maxItems: 100 - type: array - type: - enum: - - PERMANENT - - EPHEMERAL - - TEMPORARY - - OPAMP - type: string - unenrolled_at: - type: string - unenrollment_started_at: - type: string - unhealthy_reason: - items: + status: enum: - - input - - output - - other - type: string - maxItems: 3 - nullable: true - type: array - upgrade: - additionalProperties: false - type: object - properties: - rollbacks: - items: - additionalProperties: false - type: object - properties: - valid_until: - type: string - version: - type: string - required: - - valid_until - - version - maxItems: 100 - type: array - upgrade_attempts: - items: + - READY + - AWAITING_UPLOAD + - DELETED + - EXPIRED + - IN_PROGRESS + - FAILED type: string - maxItems: 10000 - nullable: true - type: array - upgrade_details: - additionalProperties: false - nullable: true - type: object - properties: - action_id: - type: string - metadata: - additionalProperties: false - type: object - properties: - download_percent: - type: number - 
download_rate: - type: number - error_msg: - type: string - failed_state: - enum: - - UPG_REQUESTED - - UPG_SCHEDULED - - UPG_DOWNLOADING - - UPG_EXTRACTING - - UPG_REPLACING - - UPG_RESTARTING - - UPG_FAILED - - UPG_WATCHING - - UPG_ROLLBACK - type: string - reason: - type: string - retry_error_msg: - type: string - retry_until: - type: string - scheduled_at: - type: string - state: - enum: - - UPG_REQUESTED - - UPG_SCHEDULED - - UPG_DOWNLOADING - - UPG_EXTRACTING - - UPG_REPLACING - - UPG_RESTARTING - - UPG_FAILED - - UPG_WATCHING - - UPG_ROLLBACK - type: string - target_version: - type: string - required: - - target_version - - action_id - - state - upgrade_started_at: - nullable: true - type: string - upgraded_at: - nullable: true - type: string - user_provided_metadata: - additionalProperties: - nullable: true - type: object - required: - - id - - packages - - type - - active - - enrolled_at - - local_metadata - - effective_config + required: + - id + - name + - filePath + - createTime + - status + - actionId + maxItems: 10000 + type: array required: - - item + - items description: Successful response '400': content: @@ -38708,137 +33121,282 @@ paths: - message - attributes description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No agent was found with the given ID - value: - error: Not Found - message: Agent agent-id-1 not found - statusCode: 404 - description: Not Found - summary: Update an agent by ID + summary: Get agent uploads tags: - Elastic Agents x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/agents/{agentId}/actions: - post: + /api/fleet/agents/action_status: + get: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/agents/{agentId}/actions
+
get /s/{space_id}/api/fleet/agents/action_status
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Create a new action for a specific agent.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-agentid-actions + Get the current status of recent agent actions.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agents-action-status parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true + - description: Page number + in: query + name: page + required: false schema: - example: 'true' - type: string - - description: The agent ID - in: path - name: agentId - required: true + default: 0 + type: number + - description: Number of results per page + in: query + name: perPage + required: false + schema: + default: 20 + type: number + - description: Return actions created before this date + in: query + name: date + required: false schema: type: string - requestBody: - content: - application/json: - examples: - postAgentActionRequestExample: - description: Create a UNENROLL action for an agent - value: - action: - type: UNENROLL - schema: - additionalProperties: false - type: object - properties: - action: - anyOf: - - additionalProperties: false - type: object - properties: - ack_data: - nullable: true - data: - nullable: true - type: - enum: - - UNENROLL - - UPGRADE - - POLICY_REASSIGN - type: string - required: - - type - - data - - ack_data - - additionalProperties: false - type: object - properties: - data: - additionalProperties: false - type: object - properties: - log_level: - enum: - - debug - - info - - warning - - error - nullable: true - type: string - required: - - log_level - type: - enum: - - SETTINGS - type: string - required: - - type - - data - required: - - action + - description: Return only the latest N actions + in: query + name: latest + required: false + schema: + type: number + - description: Number of error details to include per action + in: query + name: errorSize + required: false + schema: + default: 5 + type: number responses: '200': content: application/json: examples: - postAgentActionExample: - description: Created agent action + getActionStatusExample: + description: Status of recent 
agent actions value: - item: - agents: - - agent-id-1 - created_at: '2024-01-01T00:00:00.000Z' - id: action-id-1 - type: UNENROLL + items: + - actionId: action-id-1 + completionTime: '2024-01-01T00:05:00.000Z' + creationTime: '2024-01-01T00:00:00.000Z' + nbAgentsAck: 2 + nbAgentsActioned: 2 + nbAgentsFailed: 0 + status: COMPLETE + type: UPGRADE schema: additionalProperties: false type: object properties: - item: - additionalProperties: false - type: object - properties: - ack_data: - nullable: true - agents: - items: + items: + items: + additionalProperties: false + type: object + properties: + actionId: type: string - maxItems: 10000 - type: array - created_at: - type: string + cancellationTime: + type: string + completionTime: + type: string + creationTime: + description: creation time of action + type: string + expiration: + type: string + hasRolloutPeriod: + type: boolean + is_automatic: + type: boolean + latestErrors: + items: + additionalProperties: false + description: latest errors that happened when the agents executed the action + type: object + properties: + agentId: + type: string + error: + type: string + hostname: + type: string + timestamp: + type: string + required: + - agentId + - error + - timestamp + maxItems: 10 + type: array + nbAgentsAck: + description: number of agents that acknowledged the action + type: number + nbAgentsActionCreated: + description: number of agents included in action from kibana + type: number + nbAgentsActioned: + description: number of agents actioned + type: number + nbAgentsFailed: + description: number of agents that failed to execute the action + type: number + newPolicyId: + description: new policy id (POLICY_REASSIGN action) + type: string + policyId: + description: policy id (POLICY_CHANGE action) + type: string + revision: + description: new policy revision (POLICY_CHANGE action) + type: number + startTime: + description: start time of action (scheduled actions) + type: string + status: + enum: + - COMPLETE + - 
EXPIRED + - CANCELLED + - FAILED + - IN_PROGRESS + - ROLLOUT_PASSED + type: string + type: + enum: + - UPGRADE + - UNENROLL + - SETTINGS + - POLICY_REASSIGN + - CANCEL + - FORCE_UNENROLL + - REQUEST_DIAGNOSTICS + - UPDATE_TAGS + - POLICY_CHANGE + - INPUT_ACTION + - MIGRATE + - PRIVILEGE_LEVEL_CHANGE + - ROLLBACK + type: string + version: + description: agent version number (UPGRADE action) + type: string + required: + - actionId + - nbAgentsActionCreated + - nbAgentsAck + - nbAgentsFailed + - type + - nbAgentsActioned + - status + - creationTime + maxItems: 10000 + type: array + required: + - items + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get an agent action status + tags: + - Elastic Agent actions + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/actions/{actionId}/cancel: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/actions/{actionId}/cancel
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Cancel a pending action for a specific agent.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-actions-actionid-cancel + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The ID of the action to cancel + in: path + name: actionId + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + postCancelActionRequestExample: + description: Cancel an agent action + value: {} + responses: + '200': + content: + application/json: + examples: + postCancelActionExample: + description: Cancellation action created + value: + item: + agents: + - agent-id-1 + created_at: '2024-01-01T00:00:00.000Z' + id: cancel-action-id-1 + type: CANCEL + schema: + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + ack_data: + nullable: true + agents: + items: + type: string + maxItems: 10000 + type: array + created_at: + type: string data: nullable: true expiration: @@ -38902,54 +33460,58 @@ paths: - message - attributes description: Bad Request - summary: Create an agent action + summary: Cancel an agent action tags: - Elastic Agent actions x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/agents/{agentId}/effective_config: + /api/fleet/agents/available_versions: get: description: |- **Spaces method and path for this operation:** -
get /s/{space_id}/api/fleet/agents/{agentId}/effective_config
+
get /s/{space_id}/api/fleet/agents/available_versions
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Get an agent's effective config by ID.

[Required authorization] Route required privileges: fleet-agents-read. - operationId: get-fleet-agents-agentid-effective-config - parameters: - - description: The agent ID to get effective config of - in: path - name: agentId - required: true - schema: - type: string + Get a list of Elastic Agent versions available for upgrade.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agents-available-versions + parameters: [] responses: '200': content: application/json: examples: - successResponse: + getAvailableVersionsExample: + description: List of available agent versions for upgrade value: - effective_config: {} + items: + - 8.17.0 + - 8.16.3 + - 8.16.2 schema: additionalProperties: false type: object properties: - effective_config: - nullable: true + items: + items: + type: string + maxItems: 10000 + type: array required: - - effective_config - description: 'OK: A successful request.' + - items + description: Successful response '400': content: application/json: examples: - badRequestResponse: + genericErrorResponseExample: + description: Example of a generic error response value: - message: Bad Request + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: additionalProperties: false description: Generic Error @@ -38968,24 +33530,24 @@ paths: required: - message - attributes - description: A bad request. - summary: Get an agent's effective config + description: Bad Request + summary: Get available agent versions tags: - Elastic Agents x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/agents/{agentId}/migrate: + /api/fleet/agents/bulk_migrate: post: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/agents/{agentId}/migrate
+
post /s/{space_id}/api/fleet/agents/bulk_migrate
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Migrate a single agent to another cluster.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-agentid-migrate + Bulk migrate agents to another cluster.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-bulk-migrate parameters: - description: A required header to protect against CSRF attacks in: header @@ -38994,19 +33556,16 @@ paths: schema: example: 'true' type: string - - description: The agent ID - in: path - name: agentId - required: true - schema: - type: string requestBody: content: application/json: examples: - postMigrateAgentRequestExample: - description: Migrate a single agent to another cluster + postBulkMigrateAgentsRequestExample: + description: Migrate multiple agents to another cluster value: + agents: + - agent-id-1 + - agent-id-2 enrollment_token: enrollment-token-value settings: retry_max: 5 @@ -39015,6 +33574,15 @@ paths: additionalProperties: false type: object properties: + agents: + anyOf: + - items: + type: string + maxItems: 10000 + type: array + - type: string + batchSize: + type: number enrollment_token: type: string settings: @@ -39045,8 +33613,6 @@ paths: type: object proxy_url: type: string - replace_token: - type: string staging: type: string tags: @@ -39058,6 +33624,7 @@ paths: format: uri type: string required: + - agents - uri - enrollment_token responses: @@ -39065,8 +33632,8 @@ paths: content: application/json: examples: - postMigrateAgentExample: - description: Agent migration initiated + postBulkMigrateAgentsExample: + description: Bulk agent migration initiated value: actionId: action-id-1 schema: @@ -39107,23 +33674,23 @@ paths: - message - attributes description: Bad Request - summary: Migrate a single agent + summary: Migrate multiple agents tags: - Elastic Agents x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/agents/{agentId}/privilege_level_change: + /api/fleet/agents/bulk_privilege_level_change: post: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/agents/{agentId}/privilege_level_change
+
post /s/{space_id}/api/fleet/agents/bulk_privilege_level_change
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Change the privilege level of a single agent to unprivileged.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-agentid-privilege-level-change + Change multiple agents' privilege level to unprivileged.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-bulk-privilege-level-change parameters: - description: A required header to protect against CSRF attacks in: header @@ -39132,27 +33699,30 @@ paths: schema: example: 'true' type: string - - description: The agent ID to change privilege level for - in: path - name: agentId - required: true - schema: - type: string requestBody: content: application/json: examples: - changeAgentPrivilegeLevelRequest: + bulkChangeAgentPrivilegeLevelRequest: value: + agents: agent user_info: groupname: groupname password: password username: username schema: additionalProperties: false - nullable: true type: object properties: + agents: + anyOf: + - items: + type: string + maxItems: 10000 + type: array + - type: string + batchSize: + type: number user_info: additionalProperties: false type: object @@ -39163,6 +33733,8 @@ paths: type: string username: type: string + required: + - agents responses: '200': content: @@ -39172,21 +33744,13 @@ paths: value: actionId: actionId schema: - anyOf: - - additionalProperties: false - type: object - properties: - actionId: - type: string - required: - - actionId - - additionalProperties: false - type: object - properties: - message: - type: string - required: - - message + additionalProperties: false + type: object + properties: + actionId: + type: string + required: + - actionId description: 'OK: A successful request.' '400': content: @@ -39214,24 +33778,24 @@ paths: - message - attributes description: A bad request. - summary: Change agent privilege level + summary: Bulk change agent privilege level tags: - Elastic Agents x-state: Technical Preview x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/agents/{agentId}/reassign: + /api/fleet/agents/bulk_reassign: post: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/agents/{agentId}/reassign
+
post /s/{space_id}/api/fleet/agents/bulk_reassign
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Reassign an agent to a different agent policy.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-agentid-reassign + Reassign multiple agents to a different agent policy.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-bulk-reassign parameters: - description: A required header to protect against CSRF attacks in: header @@ -39240,40 +33804,55 @@ paths: schema: example: 'true' type: string - - description: The agent ID - in: path - name: agentId - required: true - schema: - type: string requestBody: content: application/json: examples: - postReassignAgentRequestExample: - description: Reassign an agent to a different policy + postBulkReassignAgentsRequestExample: + description: Reassign multiple agents to a different policy value: + agents: + - agent-id-1 + - agent-id-2 policy_id: agent-policy-id-2 schema: additionalProperties: false type: object properties: + agents: + anyOf: + - items: + type: string + maxItems: 10000 + type: array + - type: string + batchSize: + type: number + includeInactive: + default: false + type: boolean policy_id: type: string required: - policy_id + - agents responses: '200': content: application/json: examples: - postReassignAgentExample: - description: Agent successfully reassigned - value: {} + postBulkReassignAgentsExample: + description: Bulk reassign action result + value: + actionId: action-id-1 schema: additionalProperties: false type: object - properties: {} + properties: + actionId: + type: string + required: + - actionId description: Successful response '400': content: @@ -39304,23 +33883,23 @@ paths: - message - attributes description: Bad Request - summary: Reassign an agent + summary: Bulk reassign agents tags: - Elastic Agent actions x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/agents/{agentId}/remove_collector: + /api/fleet/agents/bulk_remove_collectors: post: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/agents/{agentId}/remove_collector
+
post /s/{space_id}/api/fleet/agents/bulk_remove_collectors
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Remove a specific OpAMP collector from the Fleet agents list. Marks the collector as unenrolled. This action does not invalidate API keys, so the collector can reconnect on its own.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-agentid-remove-collector + Remove multiple OpAMP collectors from the Fleet agents list. Marks the collectors as unenrolled. This action does not invalidate API keys, so collectors can reconnect on their own.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-bulk-remove-collectors parameters: - description: A required header to protect against CSRF attacks in: header @@ -39329,20 +33908,51 @@ paths: schema: example: 'true' type: string - - description: The collector agent ID - in: path - name: agentId - required: true - schema: - type: string + requestBody: + content: + application/json: + examples: + postBulkRemoveCollectorsRequestExample: + description: Remove multiple OpAMP collectors + value: + agents: + - collector-id-1 + - collector-id-2 + schema: + additionalProperties: false + type: object + properties: + agents: + anyOf: + - items: + description: List of collector agent IDs + type: string + maxItems: 10000 + type: array + - description: KQL query string. Leave empty to target all collectors + type: string + includeInactive: + description: When passing collectors by KQL query, also removes inactive collectors + type: boolean + required: + - agents responses: '200': content: application/json: examples: - postRemoveCollectorExample: - description: Collector successfully removed - value: {} + postBulkRemoveCollectorsExample: + description: Bulk remove collectors action result + value: + actionId: action-id-1 + schema: + additionalProperties: false + type: object + properties: + actionId: + type: string + required: + - actionId description: Successful response '400': content: 
@@ -39354,25 +33964,43 @@ paths: error: Bad Request message: An error message describing what went wrong statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes description: Bad Request - summary: Remove an OpAMP collector + summary: Bulk remove OpAMP collectors tags: - Elastic Agent actions x-state: Technical Preview x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/agents/{agentId}/request_diagnostics: + /api/fleet/agents/bulk_request_diagnostics: post: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/agents/{agentId}/request_diagnostics
+
post /s/{space_id}/api/fleet/agents/bulk_request_diagnostics
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Request a diagnostics bundle from a specific agent.

[Required authorization] Route required privileges: fleet-agents-read. - operationId: post-fleet-agents-agentid-request-diagnostics + Request diagnostics bundles from multiple agents.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: post-fleet-agents-bulk-request-diagnostics parameters: - description: A required header to protect against CSRF attacks in: header @@ -39381,24 +34009,20 @@ paths: schema: example: 'true' type: string - - description: The agent ID - in: path - name: agentId - required: true - schema: - type: string requestBody: content: application/json: examples: - postRequestDiagnosticsRequestExample: - description: Request a diagnostics bundle from an agent + postBulkRequestDiagnosticsRequestExample: + description: Request diagnostics bundles from multiple agents value: additional_metrics: - CPU + agents: + - agent-id-1 + - agent-id-2 schema: additionalProperties: false - nullable: true type: object properties: additional_metrics: @@ -39408,13 +34032,24 @@ paths: type: string maxItems: 1 type: array + agents: + anyOf: + - items: + type: string + maxItems: 10000 + type: array + - type: string + batchSize: + type: number + required: + - agents responses: '200': content: application/json: examples: - postRequestDiagnosticsExample: - description: Diagnostics action result + postBulkRequestDiagnosticsExample: + description: Bulk diagnostics action result value: actionId: action-id-1 schema: @@ -39434,7 +34069,7 @@ paths: description: Example of a generic error response value: error: Bad Request - message: Agent agent-id-1 does not support request diagnostics action. + message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false @@ -39455,23 +34090,23 @@ paths: - message - attributes description: Bad Request - summary: Request agent diagnostics + summary: Bulk request diagnostics from agents tags: - Elastic Agent actions x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/agents/{agentId}/rollback: + /api/fleet/agents/bulk_rollback: post: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/agents/{agentId}/rollback
+
post /s/{space_id}/api/fleet/agents/bulk_rollback
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Rollback an agent to the previous version.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-agentid-rollback + Rollback multiple agents to the previous version.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-bulk-rollback parameters: - description: A required header to protect against CSRF attacks in: header @@ -39480,12 +34115,35 @@ paths: schema: example: 'true' type: string - - description: The agent ID to rollback - in: path - name: agentId - required: true - schema: - type: string + requestBody: + content: + application/json: + examples: + bulkRollbackAgentsRequest: + value: + agents: + - agent-1 + - agent-2 + batchSize: 100 + includeInactive: false + schema: + additionalProperties: false + type: object + properties: + agents: + anyOf: + - items: + type: string + maxItems: 10000 + type: array + - type: string + batchSize: + type: number + includeInactive: + default: false + type: boolean + required: + - agents responses: '200': content: @@ -39493,23 +34151,20 @@ paths: examples: successResponse: value: - actionId: actionId + actionIds: + - actionId1 + - actionId2 schema: - anyOf: - - additionalProperties: false - type: object - properties: - actionId: - type: string - required: - - actionId - - additionalProperties: false - type: object - properties: - message: - type: string - required: - - message + additionalProperties: false + type: object + properties: + actionIds: + items: + type: string + maxItems: 10000 + type: array + required: + - actionIds description: 'OK: A successful request.' '400': content: @@ -39537,24 +34192,24 @@ paths: - message - attributes description: A bad request. - summary: Rollback an agent + summary: Bulk rollback agents tags: - Elastic Agent actions x-state: Technical Preview x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/agents/{agentId}/unenroll: + /api/fleet/agents/bulk_unenroll: post: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/agents/{agentId}/unenroll
+
post /s/{space_id}/api/fleet/agents/bulk_unenroll
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Unenroll a specific agent, optionally revoking its enrollment API key.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-agentid-unenroll + Unenroll multiple agents, optionally revoking their enrollment API keys.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-bulk-unenroll parameters: - description: A required header to protect against CSRF attacks in: header @@ -39563,37 +34218,60 @@ paths: schema: example: 'true' type: string - - description: The agent ID - in: path - name: agentId - required: true - schema: - type: string requestBody: content: application/json: examples: - postUnenrollAgentRequestExample: - description: Unenroll an agent, optionally revoking the enrollment API key + postBulkUnenrollAgentsRequestExample: + description: Unenroll multiple agents value: + agents: + - agent-id-1 + - agent-id-2 revoke: false schema: additionalProperties: false - nullable: true type: object properties: + agents: + anyOf: + - items: + description: list of agent IDs + type: string + maxItems: 10000 + type: array + - description: KQL query string, leave empty to action all agents + type: string + batchSize: + type: number force: + description: Unenrolls hosted agents too + type: boolean + includeInactive: + description: When passing agents by KQL query, unenrolls inactive agents too type: boolean revoke: + description: Revokes API keys of agents type: boolean + required: + - agents responses: '200': content: application/json: examples: - postUnenrollAgentExample: - description: Agent successfully unenrolled - value: {} + postBulkUnenrollAgentsExample: + description: Bulk unenroll action result + value: + actionId: action-id-1 + schema: + additionalProperties: false + type: object + properties: + actionId: + type: string + required: + - actionId description: Successful response '400': content: 
@@ -39605,24 +34283,42 @@ paths: error: Bad Request message: An error message describing what went wrong statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes description: Bad Request - summary: Unenroll an agent + summary: Bulk unenroll agents tags: - Elastic Agent actions x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/agents/{agentId}/upgrade: + /api/fleet/agents/bulk_update_agent_tags: post: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/agents/{agentId}/upgrade
+
post /s/{space_id}/api/fleet/agents/bulk_update_agent_tags
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Upgrade a specific agent to a newer version.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-agentid-upgrade + Add or remove tags across multiple agents.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-bulk-update-agent-tags parameters: - description: A required header to protect against CSRF attacks in: header @@ -39631,46 +34327,65 @@ paths: schema: example: 'true' type: string - - description: The agent ID - in: path - name: agentId - required: true - schema: - type: string requestBody: content: application/json: examples: - postUpgradeAgentRequestExample: - description: Upgrade an agent to a specific version + postBulkUpdateAgentTagsRequestExample: + description: Add and remove tags across multiple agents value: - version: 8.17.0 + agents: + - agent-id-1 + - agent-id-2 + tagsToAdd: + - production + tagsToRemove: + - staging schema: additionalProperties: false type: object properties: - force: - type: boolean - skipRateLimitCheck: + agents: + anyOf: + - items: + type: string + maxItems: 10000 + type: array + - type: string + batchSize: + type: number + includeInactive: + default: false type: boolean - source_uri: - type: string - version: - type: string + tagsToAdd: + items: + type: string + maxItems: 10 + type: array + tagsToRemove: + items: + type: string + maxItems: 10 + type: array required: - - version + - agents responses: '200': content: application/json: examples: - postUpgradeAgentExample: - description: Agent upgrade initiated - value: {} + postBulkUpdateAgentTagsExample: + description: Bulk action result + value: + actionId: action-id-1 schema: additionalProperties: false type: object - properties: {} + properties: + actionId: + type: string + required: + - actionId description: Successful response '400': content: 
@@ -39701,86 +34416,92 @@ paths: - message - attributes description: Bad Request - summary: Upgrade an agent + summary: Bulk update agent tags tags: - Elastic Agent actions x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/agents/{agentId}/uploads: - get: + /api/fleet/agents/bulk_upgrade: + post: description: |- **Spaces method and path for this operation:** -
get /s/{space_id}/api/fleet/agents/{agentId}/uploads
+
post /s/{space_id}/api/fleet/agents/bulk_upgrade
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Get a list of files uploaded by a specific agent.

[Required authorization] Route required privileges: fleet-agents-read. - operationId: get-fleet-agents-agentid-uploads + Upgrade multiple agents to a newer version, with optional rollout controls.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-bulk-upgrade parameters: - - description: The agent ID - in: path - name: agentId + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: + example: 'true' type: string + requestBody: + content: + application/json: + examples: + postBulkUpgradeAgentsRequestExample: + description: Upgrade multiple agents to a specific version + value: + agents: + - agent-id-1 + - agent-id-2 + rollout_duration_seconds: 3600 + version: 8.17.0 + schema: + additionalProperties: false + type: object + properties: + agents: + anyOf: + - items: + type: string + maxItems: 10000 + type: array + - type: string + batchSize: + type: number + force: + type: boolean + includeInactive: + default: false + type: boolean + rollout_duration_seconds: + minimum: 600 + type: number + skipRateLimitCheck: + type: boolean + source_uri: + type: string + start_time: + type: string + version: + type: string + required: + - agents + - version responses: '200': content: application/json: examples: - getAgentUploadsExample: - description: List of files uploaded by the agent + postBulkUpgradeAgentsExample: + description: Bulk upgrade action result value: - items: - - actionId: action-id-1 - createTime: '2024-01-01T00:00:00.000Z' - filePath: /tmp/diagnostics-2024-01-01.zip - id: file-id-1 - name: diagnostics-2024-01-01.zip - status: READY + actionId: action-id-1 schema: additionalProperties: false type: object properties: - items: - items: - additionalProperties: false - type: object - properties: - actionId: - type: string - createTime: - type: string - error: - type: string - filePath: - type: string - id: - type: string - name: - type: string - status: - enum: - - READY - - AWAITING_UPLOAD - - DELETED - - EXPIRED - - IN_PROGRESS - - FAILED - type: string - required: - - id - - name - - filePath - - createTime - - status - - actionId - maxItems: 
10000 - type: array + actionId: + type: string required: - - items + - actionId description: Successful response '400': content: @@ -39811,183 +34532,58 @@ paths: - message - attributes description: Bad Request - summary: Get agent uploads + summary: Bulk upgrade agents tags: - - Elastic Agents + - Elastic Agent actions x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/agents/action_status: - get: + /api/fleet/agents/files/{fileId}: + delete: description: |- **Spaces method and path for this operation:** -
get /s/{space_id}/api/fleet/agents/action_status
+
delete /s/{space_id}/api/fleet/agents/files/{fileId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Get the current status of recent agent actions.

[Required authorization] Route required privileges: fleet-agents-read. - operationId: get-fleet-agents-action-status + Delete a file uploaded by an agent.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: delete-fleet-agents-files-fileid parameters: - - description: Page number - in: query - name: page - required: false - schema: - default: 0 - type: number - - description: Number of results per page - in: query - name: perPage - required: false - schema: - default: 20 - type: number - - description: Return actions created before this date - in: query - name: date - required: false + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: + example: 'true' type: string - - description: Return only the latest N actions - in: query - name: latest - required: false - schema: - type: number - - description: Number of error details to include per action - in: query - name: errorSize - required: false + - description: The ID of the uploaded file + in: path + name: fileId + required: true schema: - default: 5 - type: number + type: string responses: '200': content: application/json: examples: - getActionStatusExample: - description: Status of recent agent actions + deleteAgentUploadFileExample: + description: Uploaded file successfully deleted value: - items: - - actionId: action-id-1 - completionTime: '2024-01-01T00:05:00.000Z' - creationTime: '2024-01-01T00:00:00.000Z' - nbAgentsAck: 2 - nbAgentsActioned: 2 - nbAgentsFailed: 0 - status: COMPLETE - type: UPGRADE + deleted: true + id: file-id-1 schema: additionalProperties: false type: object properties: - items: - items: - additionalProperties: false - type: object - properties: - actionId: - type: string - cancellationTime: - type: string - completionTime: - type: string - creationTime: - description: creation time of action - type: string - expiration: - type: string - hasRolloutPeriod: - type: boolean - is_automatic: - type: boolean - latestErrors: - items: - additionalProperties: false - description: latest errors that happened when the agents executed the action - type: 
object - properties: - agentId: - type: string - error: - type: string - hostname: - type: string - timestamp: - type: string - required: - - agentId - - error - - timestamp - maxItems: 10 - type: array - nbAgentsAck: - description: number of agents that acknowledged the action - type: number - nbAgentsActionCreated: - description: number of agents included in action from kibana - type: number - nbAgentsActioned: - description: number of agents actioned - type: number - nbAgentsFailed: - description: number of agents that failed to execute the action - type: number - newPolicyId: - description: new policy id (POLICY_REASSIGN action) - type: string - policyId: - description: policy id (POLICY_CHANGE action) - type: string - revision: - description: new policy revision (POLICY_CHANGE action) - type: number - startTime: - description: start time of action (scheduled actions) - type: string - status: - enum: - - COMPLETE - - EXPIRED - - CANCELLED - - FAILED - - IN_PROGRESS - - ROLLOUT_PASSED - type: string - type: - enum: - - UPGRADE - - UNENROLL - - SETTINGS - - POLICY_REASSIGN - - CANCEL - - FORCE_UNENROLL - - REQUEST_DIAGNOSTICS - - UPDATE_TAGS - - POLICY_CHANGE - - INPUT_ACTION - - MIGRATE - - PRIVILEGE_LEVEL_CHANGE - - ROLLBACK - type: string - version: - description: agent version number (UPGRADE action) - type: string - required: - - actionId - - nbAgentsActionCreated - - nbAgentsAck - - nbAgentsFailed - - type - - nbAgentsActioned - - status - - creationTime - maxItems: 10000 - type: array + deleted: + type: boolean + id: + type: string required: - - items + - id + - deleted description: Successful response '400': content: 
@@ -40018,109 +34614,47 @@ paths: - message - attributes description: Bad Request - summary: Get an agent action status + summary: Delete an uploaded file tags: - - Elastic Agent actions + - Elastic Agents x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/agents/actions/{actionId}/cancel: - post: + /api/fleet/agents/files/{fileId}/{fileName}: + get: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/agents/actions/{actionId}/cancel
+
get /s/{space_id}/api/fleet/agents/files/{fileId}/{fileName}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Cancel a pending action for a specific agent.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-actions-actionid-cancel - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf + Get a file uploaded by an agent.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agents-files-fileid-filename + parameters: + - description: The ID of the uploaded file + in: path + name: fileId required: true schema: - example: 'true' type: string - - description: The ID of the action to cancel + - description: The name of the uploaded file in: path - name: actionId + name: fileName required: true schema: type: string - requestBody: - content: - application/json: - examples: - postCancelActionRequestExample: - description: Cancel an agent action - value: {} responses: '200': content: application/json: examples: - postCancelActionExample: - description: Cancellation action created - value: - item: - agents: - - agent-id-1 - created_at: '2024-01-01T00:00:00.000Z' - id: cancel-action-id-1 - type: CANCEL + getAgentUploadFileExample: + description: The uploaded file content as a stream + value: schema: - additionalProperties: false type: object - properties: - item: - additionalProperties: false - type: object - properties: - ack_data: - nullable: true - agents: - items: - type: string - maxItems: 10000 - type: array - created_at: - type: string - data: - nullable: true - expiration: - type: string - id: - type: string - minimum_execution_duration: - type: number - namespaces: - items: - type: string - maxItems: 100 - type: array - rollout_duration_seconds: - type: number - sent_at: - type: string - source_uri: - type: string - start_time: - type: string - total: - type: number - type: - type: string - required: - - id - - type - - data - - created_at - - ack_data - required: - - item - description: Successful response + description: Successful response — returns the uploaded file content '400': content: application/json: 
@@ -40150,48 +34684,93 @@ paths: - message - attributes description: Bad Request - summary: Cancel an agent action + summary: Get an uploaded file tags: - - Elastic Agent actions + - Elastic Agents x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/agents/available_versions: + /api/fleet/agents/setup: get: description: |- **Spaces method and path for this operation:** -
get /s/{space_id}/api/fleet/agents/available_versions
+
get /s/{space_id}/api/fleet/agents/setup
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Get a list of Elastic Agent versions available for upgrade.

[Required authorization] Route required privileges: fleet-agents-read. - operationId: get-fleet-agents-available-versions + Get the current Fleet setup status, including whether Fleet is ready to enroll agents and which requirements or optional features are missing.

[Required authorization] Route required privileges: fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup. + operationId: get-fleet-agents-setup parameters: [] responses: '200': content: application/json: examples: - getAvailableVersionsExample: - description: List of available agent versions for upgrade + agentsSetupNotReadyExample: + description: Fleet is not ready — a Fleet Server and API keys are required value: - items: - - 8.17.0 - - 8.16.3 - - 8.16.2 + is_action_secrets_storage_enabled: false + is_secrets_storage_enabled: false + is_space_awareness_enabled: false + is_ssl_secrets_storage_enabled: false + isReady: false + missing_optional_features: + - encrypted_saved_object_encryption_key_required + missing_requirements: + - fleet_server + - api_keys + agentsSetupReadyExample: + description: Fleet is ready to enroll agents — all requirements are met + value: + is_action_secrets_storage_enabled: true + is_secrets_storage_enabled: true + is_space_awareness_enabled: false + is_ssl_secrets_storage_enabled: false + isReady: true + missing_optional_features: [] + missing_requirements: [] + package_verification_key_id: D88DB4CC schema: additionalProperties: false + description: A summary of the agent setup status. `isReady` indicates whether the setup is ready. If the setup is not ready, `missing_requirements` lists which requirements are missing. 
type: object properties: - items: + is_action_secrets_storage_enabled: + type: boolean + is_secrets_storage_enabled: + type: boolean + is_space_awareness_enabled: + type: boolean + is_ssl_secrets_storage_enabled: + type: boolean + isReady: + type: boolean + missing_optional_features: items: + enum: + - encrypted_saved_object_encryption_key_required type: string - maxItems: 10000 + maxItems: 1 + type: array + missing_requirements: + items: + enum: + - security_required + - tls_required + - api_keys + - fleet_admin_user + - fleet_server + type: string + maxItems: 5 type: array + package_verification_key_id: + type: string required: - - items - description: Successful response + - isReady + - missing_requirements + - missing_optional_features + description: Fleet setup status '400': content: application/json: @@ -40221,23 +34800,22 @@ paths: - message - attributes description: Bad Request - summary: Get available agent versions + summary: Get agent setup info tags: - Elastic Agents x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/agents/bulk_migrate: post: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/agents/bulk_migrate
+
post /s/{space_id}/api/fleet/agents/setup
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Bulk migrate agents to another cluster.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-bulk-migrate + Initialize Fleet. This endpoint is used by Elastic Agents to trigger Fleet setup. Safe to call multiple times; subsequent calls are idempotent.

[Required authorization] Route required privileges: fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup. + operationId: post-fleet-agents-setup parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -40246,95 +34824,41 @@ paths: schema: example: 'true' type: string - requestBody: - content: - application/json: - examples: - postBulkMigrateAgentsRequestExample: - description: Migrate multiple agents to another cluster - value: - agents: - - agent-id-1 - - agent-id-2 - enrollment_token: enrollment-token-value - settings: - retry_max: 5 - uri: https://fleet-server.example.com:8220 - schema: - additionalProperties: false - type: object - properties: - agents: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - type: string - batchSize: - type: number - enrollment_token: - type: string - settings: - additionalProperties: false - type: object - properties: - ca_sha256: - type: string - certificate_authorities: - type: string - elastic_agent_cert: - type: string - elastic_agent_cert_key: - type: string - elastic_agent_cert_key_passphrase: - type: string - headers: - additionalProperties: - type: string - type: object - insecure: - type: boolean - proxy_disabled: - type: boolean - proxy_headers: - additionalProperties: - type: string - type: object - proxy_url: - type: string - staging: - type: string - tags: - items: - type: string - maxItems: 10 - type: array - uri: - format: uri - type: string - required: - - agents - - uri - - enrollment_token responses: '200': content: application/json: examples: - postBulkMigrateAgentsExample: - description: Bulk agent migration initiated + agentsSetupSuccessExample: + description: Fleet setup initialized successfully with no non-fatal errors value: - actionId: action-id-1 + isInitialized: true + nonFatalErrors: [] schema: additionalProperties: false + description: A summary of the result of Fleet's `setup` lifecycle. If `isInitialized` is true, Fleet is ready to accept agent enrollment. `nonFatalErrors` may include useful insight into non-blocking issues with Fleet setup. 
type: object properties: - actionId: - type: string + isInitialized: + type: boolean + nonFatalErrors: + items: + additionalProperties: false + type: object + properties: + message: + type: string + name: + type: string + required: + - name + - message + maxItems: 10000 + type: array required: - - actionId - description: Successful response + - isInitialized + - nonFatalErrors + description: Fleet setup completed '400': content: application/json: @@ -40364,91 +34888,71 @@ paths: - message - attributes description: Bad Request - summary: Migrate multiple agents + summary: Initiate Fleet setup tags: - Elastic Agents x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/agents/bulk_privilege_level_change: - post: + /api/fleet/agents/tags: + get: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/agents/bulk_privilege_level_change
+
get /s/{space_id}/api/fleet/agents/tags
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Change multiple agents' privilege level to unprivileged.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-bulk-privilege-level-change + Get a list of all tags used across enrolled agents.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agents-tags parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true + - description: A KQL query string to filter results + in: query + name: kuery + required: false schema: - example: 'true' type: string - requestBody: - content: - application/json: - examples: - bulkChangeAgentPrivilegeLevelRequest: - value: - agents: agent - user_info: - groupname: groupname - password: password - username: username - schema: - additionalProperties: false - type: object - properties: - agents: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - type: string - batchSize: - type: number - user_info: - additionalProperties: false - type: object - properties: - groupname: - type: string - password: - type: string - username: - type: string - required: - - agents + - description: When true, include tags from inactive agents + in: query + name: showInactive + required: false + schema: + default: false + type: boolean responses: '200': content: application/json: examples: - successResponse: + getAgentTagsExample: + description: List of tags used across agents value: - actionId: actionId + items: + - production + - linux + - datacenter-1 schema: additionalProperties: false type: object properties: - actionId: - type: string + items: + items: + type: string + maxItems: 10000 + type: array required: - - actionId - description: 'OK: A successful request.' + - items + description: Successful response '400': content: application/json: examples: - badRequestResponse: + genericErrorResponseExample: + description: Example of a generic error response value: - message: Bad Request + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: additionalProperties: false description: Generic Error 
@@ -40467,82 +34971,59 @@ paths: required: - message - attributes - description: A bad request. - summary: Bulk change agent privilege level + description: Bad Request + summary: Get agent tags tags: - Elastic Agents - x-state: Technical Preview x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/agents/bulk_reassign: - post: + /api/fleet/check-permissions: + get: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/agents/bulk_reassign
+
get /s/{space_id}/api/fleet/check-permissions
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Reassign multiple agents to a different agent policy.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-bulk-reassign + Check whether the current user has the required permissions to use Fleet. Optionally verifies Fleet Server setup privileges. + operationId: get-fleet-check-permissions parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true + - description: When true, check Fleet Server setup privileges in addition to standard Fleet privileges + in: query + name: fleetServerSetup + required: false schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postBulkReassignAgentsRequestExample: - description: Reassign multiple agents to a different policy - value: - agents: - - agent-id-1 - - agent-id-2 - policy_id: agent-policy-id-2 - schema: - additionalProperties: false - type: object - properties: - agents: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - type: string - batchSize: - type: number - includeInactive: - default: false - type: boolean - policy_id: - type: string - required: - - policy_id - - agents + type: boolean responses: '200': content: application/json: examples: - postBulkReassignAgentsExample: - description: Bulk reassign action result + checkPermissionsMissingPrivilegesExample: + description: The current user is missing Fleet privileges value: - actionId: action-id-1 + error: MISSING_PRIVILEGES + success: false + checkPermissionsSuccessExample: + description: The current user has all required Fleet permissions + value: + success: true schema: additionalProperties: false type: object properties: - actionId: + error: + enum: + - MISSING_SECURITY + - MISSING_PRIVILEGES + - MISSING_FLEET_SERVER_SETUP_PRIVILEGES type: string + success: + type: boolean required: - - actionId + - success description: Successful response '400': content: 
@@ -40573,76 +35054,106 @@ paths: - message - attributes description: Bad Request - summary: Bulk reassign agents + summary: Check permissions tags: - - Elastic Agent actions + - Fleet internals x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/agents/bulk_remove_collectors: - post: + /api/fleet/cloud_connectors: + get: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/agents/bulk_remove_collectors
+
get /s/{space_id}/api/fleet/cloud_connectors
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Remove multiple OpAMP collectors from the Fleet agents list. Marks the collectors as unenrolled. This action does not invalidate API keys, so collectors can reconnect on their own.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-bulk-remove-collectors + List all Fleet cloud connectors.

[Required authorization] Route required privileges: fleet-agent-policies-read OR integrations-read. + operationId: get-fleet-cloud-connectors parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true + - description: The page number for pagination. + in: query + name: page + required: false + schema: + type: string + - description: The number of items per page. + in: query + name: perPage + required: false + schema: + type: string + - description: KQL query to filter cloud connectors. + in: query + name: kuery + required: false schema: - example: 'true' type: string - requestBody: - content: - application/json: - examples: - postBulkRemoveCollectorsRequestExample: - description: Remove multiple OpAMP collectors - value: - agents: - - collector-id-1 - - collector-id-2 - schema: - additionalProperties: false - type: object - properties: - agents: - anyOf: - - items: - description: List of collector agent IDs - type: string - maxItems: 10000 - type: array - - description: KQL query string. 
Leave empty to target all collectors - type: string - includeInactive: - description: When passing collectors by KQL query, also removes inactive collectors - type: boolean - required: - - agents responses: '200': content: application/json: examples: - postBulkRemoveCollectorsExample: - description: Bulk remove collectors action result + getCloudConnectorsExample: + description: List of Fleet cloud connectors value: - actionId: action-id-1 - schema: - additionalProperties: false - type: object - properties: - actionId: - type: string + items: + - accountType: single-account + cloudProvider: aws + created_at: '2024-01-15T10:00:00.000Z' + id: cloud-connector-id-1 + name: My AWS connector + packagePolicyCount: 2 + updated_at: '2024-01-15T10:00:00.000Z' + vars: {} + schema: + additionalProperties: false + type: object + properties: + items: + items: + additionalProperties: false + type: object + properties: + accountType: + type: string + cloudProvider: + type: string + created_at: + type: string + id: + type: string + name: + type: string + namespace: + type: string + packagePolicyCount: + type: number + updated_at: + type: string + vars: + additionalProperties: + nullable: true + type: object + verification_failed_at: + type: string + verification_started_at: + type: string + verification_status: + type: string + required: + - id + - name + - cloudProvider + - vars + - packagePolicyCount + - created_at + - updated_at + maxItems: 10000 + type: array required: - - actionId + - items description: Successful response '400': content: @@ -40673,24 +35184,23 @@ paths: - message - attributes description: Bad Request - summary: Bulk remove OpAMP collectors + summary: Get cloud connectors tags: - - Elastic Agent actions + - Fleet cloud connectors x-state: Technical Preview x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/agents/bulk_request_diagnostics: post: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/agents/bulk_request_diagnostics
+
post /s/{space_id}/api/fleet/cloud_connectors
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Request diagnostics bundles from multiple agents.

[Required authorization] Route required privileges: fleet-agents-read. - operationId: post-fleet-agents-bulk-request-diagnostics + Create a new Fleet cloud connector.

[Required authorization] Route required privileges: fleet-agent-policies-all OR integrations-all. + operationId: post-fleet-cloud-connectors parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -40703,53 +35213,134 @@ paths: content: application/json: examples: - postBulkRequestDiagnosticsRequestExample: - description: Request diagnostics bundles from multiple agents + postCloudConnectorRequestExample: + description: Create a new AWS cloud connector value: - additional_metrics: - - CPU - agents: - - agent-id-1 - - agent-id-2 + accountType: single-account + cloudProvider: aws + name: My AWS connector + vars: {} schema: additionalProperties: false type: object properties: - additional_metrics: - items: - enum: - - CPU - type: string - maxItems: 1 - type: array - agents: - anyOf: - - items: + accountType: + description: 'The account type: single-account (single account/subscription) or organization-account (organization-wide).' + enum: + - single-account + - organization-account + type: string + cloudProvider: + description: 'The cloud provider type: aws, azure, or gcp.' + enum: + - aws + - azure + - gcp + type: string + name: + description: The name of the cloud connector. + maxLength: 255 + minLength: 1 + type: string + vars: + additionalProperties: + anyOf: + - maxLength: 1000 type: string - maxItems: 10000 - type: array - - type: string - batchSize: - type: number + - type: number + - type: boolean + - additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + maxLength: 50 + type: string + value: + anyOf: + - maxLength: 1000 + type: string + - additionalProperties: false + type: object + properties: + id: + maxLength: 255 + type: string + isSecretRef: + type: boolean + required: + - isSecretRef + - id + required: + - type + - value + type: object required: - - agents + - name + - cloudProvider + - vars responses: '200': content: application/json: examples: - postBulkRequestDiagnosticsExample: - description: Bulk diagnostics action result + postCloudConnectorExample: + description: The created Fleet cloud connector value: - actionId: action-id-1 + item: + accountType: single-account + cloudProvider: aws + created_at: 
'2024-01-15T10:00:00.000Z' + id: cloud-connector-id-2 + name: My AWS connector + packagePolicyCount: 0 + updated_at: '2024-01-15T10:00:00.000Z' + vars: {} schema: additionalProperties: false type: object properties: - actionId: - type: string + item: + additionalProperties: false + type: object + properties: + accountType: + type: string + cloudProvider: + type: string + created_at: + type: string + id: + type: string + name: + type: string + namespace: + type: string + packagePolicyCount: + type: number + updated_at: + type: string + vars: + additionalProperties: + nullable: true + type: object + verification_failed_at: + type: string + verification_started_at: + type: string + verification_status: + type: string + required: + - id + - name + - cloudProvider + - vars + - packagePolicyCount + - created_at + - updated_at required: - - actionId + - item description: Successful response '400': content: @@ -40780,23 +35371,24 @@ paths: - message - attributes description: Bad Request - summary: Bulk request diagnostics from agents + summary: Create cloud connector tags: - - Elastic Agent actions + - Fleet cloud connectors + x-state: Technical Preview x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/agents/bulk_rollback: - post: + /api/fleet/cloud_connectors/{cloudConnectorId}: + delete: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/agents/bulk_rollback
+
delete /s/{space_id}/api/fleet/cloud_connectors/{cloudConnectorId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Rollback multiple agents to the previous version.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-bulk-rollback + Delete a cloud connector by ID. Use the `force` query parameter to delete even if package policies are still using it.

[Required authorization] Route required privileges: fleet-agent-policies-all OR integrations-all. + operationId: delete-fleet-cloud-connectors-cloudconnectorid parameters: - description: A required header to protect against CSRF attacks in: header @@ -40805,64 +35397,46 @@ paths: schema: example: 'true' type: string - requestBody: - content: - application/json: - examples: - bulkRollbackAgentsRequest: - value: - agents: - - agent-1 - - agent-2 - batchSize: 100 - includeInactive: false - schema: - additionalProperties: false - type: object - properties: - agents: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - type: string - batchSize: - type: number - includeInactive: - default: false - type: boolean - required: - - agents + - description: The unique identifier of the cloud connector to delete. + in: path + name: cloudConnectorId + required: true + schema: + type: string + - description: If true, forces deletion even if the cloud connector is in use. + in: query + name: force + required: false + schema: + type: boolean responses: '200': content: application/json: examples: - successResponse: + deleteCloudConnectorExample: + description: The cloud connector was successfully deleted value: - actionIds: - - actionId1 - - actionId2 + id: cloud-connector-id-1 schema: additionalProperties: false type: object properties: - actionIds: - items: - type: string - maxItems: 10000 - type: array + id: + type: string required: - - actionIds - description: 'OK: A successful request.' + - id + description: Successful response '400': content: application/json: examples: - badRequestResponse: + genericErrorResponseExample: + description: Example of a generic error response value: - message: Bad Request + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: additionalProperties: false description: Generic Error 
@@ -40881,87 +35455,92 @@ paths: required: - message - attributes - description: A bad request. - summary: Bulk rollback agents + description: Bad Request + summary: Delete cloud connector (supports force deletion) tags: - - Elastic Agent actions + - Fleet cloud connectors x-state: Technical Preview x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/agents/bulk_unenroll: - post: + get: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/agents/bulk_unenroll
+
get /s/{space_id}/api/fleet/cloud_connectors/{cloudConnectorId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Unenroll multiple agents, optionally revoking their enrollment API keys.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-bulk-unenroll + Get a cloud connector by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read OR integrations-read. + operationId: get-fleet-cloud-connectors-cloudconnectorid parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf + - description: The unique identifier of the cloud connector. + in: path + name: cloudConnectorId required: true schema: - example: 'true' type: string - requestBody: - content: - application/json: - examples: - postBulkUnenrollAgentsRequestExample: - description: Unenroll multiple agents - value: - agents: - - agent-id-1 - - agent-id-2 - revoke: false - schema: - additionalProperties: false - type: object - properties: - agents: - anyOf: - - items: - description: list of agent IDs - type: string - maxItems: 10000 - type: array - - description: KQL query string, leave empty to action all agents - type: string - batchSize: - type: number - force: - description: Unenrolls hosted agents too - type: boolean - includeInactive: - description: When passing agents by KQL query, unenrolls inactive agents too - type: boolean - revoke: - description: Revokes API keys of agents - type: boolean - required: - - agents responses: '200': content: application/json: examples: - postBulkUnenrollAgentsExample: - description: Bulk unenroll action result + getCloudConnectorExample: + description: A Fleet cloud connector value: - actionId: action-id-1 + item: + accountType: single-account + cloudProvider: aws + created_at: '2024-01-15T10:00:00.000Z' + id: cloud-connector-id-1 + name: My AWS connector + packagePolicyCount: 2 + updated_at: '2024-01-15T10:00:00.000Z' + vars: {} schema: additionalProperties: false type: object properties: - actionId: - type: string + item: + additionalProperties: false + type: object + properties: + accountType: + type: string + cloudProvider: + type: string + created_at: + type: string + id: + type: string + name: + type: string + namespace: + type: string + packagePolicyCount: + type: number 
+ updated_at: + type: string + vars: + additionalProperties: + nullable: true + type: object + verification_failed_at: + type: string + verification_started_at: + type: string + verification_status: + type: string + required: + - id + - name + - cloudProvider + - vars + - packagePolicyCount + - created_at + - updated_at required: - - actionId + - item description: Successful response '400': content: @@ -40992,23 +35571,23 @@ paths: - message - attributes description: Bad Request - summary: Bulk unenroll agents + summary: Get cloud connector tags: - - Elastic Agent actions + - Fleet cloud connectors + x-state: Technical Preview x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/agents/bulk_update_agent_tags: - post: + put: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/agents/bulk_update_agent_tags
+
put /s/{space_id}/api/fleet/cloud_connectors/{cloudConnectorId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Add or remove tags across multiple agents.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-bulk-update-agent-tags + Update a cloud connector by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all OR integrations-all. + operationId: put-fleet-cloud-connectors-cloudconnectorid parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -41017,65 +35596,131 @@ paths: schema: example: 'true' type: string + - description: The unique identifier of the cloud connector to update. + in: path + name: cloudConnectorId + required: true + schema: + type: string requestBody: content: application/json: examples: - postBulkUpdateAgentTagsRequestExample: - description: Add and remove tags across multiple agents + putCloudConnectorRequestExample: + description: Update a Fleet cloud connector value: - agents: - - agent-id-1 - - agent-id-2 - tagsToAdd: - - production - tagsToRemove: - - staging + name: Updated AWS connector + vars: {} schema: additionalProperties: false type: object properties: - agents: - anyOf: - - items: + accountType: + description: 'The account type: single-account (single account/subscription) or organization-account (organization-wide).' + enum: + - single-account + - organization-account + type: string + name: + description: The name of the cloud connector. + maxLength: 255 + minLength: 1 + type: string + vars: + additionalProperties: + anyOf: + - maxLength: 1000 type: string - maxItems: 10000 - type: array - - type: string - batchSize: - type: number - includeInactive: - default: false - type: boolean - tagsToAdd: - items: - type: string - maxItems: 10 - type: array - tagsToRemove: - items: - type: string - maxItems: 10 - type: array - required: - - agents + - type: number + - type: boolean + - additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + maxLength: 50 + type: string + value: + anyOf: + - maxLength: 1000 + type: string + - additionalProperties: false + type: object + properties: + id: + maxLength: 255 + type: string + isSecretRef: + type: boolean + required: + - isSecretRef + - id + required: + - type + - value + type: object responses: '200': content: application/json: examples: - postBulkUpdateAgentTagsExample: - description: Bulk action result + putCloudConnectorExample: + description: The updated Fleet cloud connector value: - 
actionId: action-id-1 - schema: - additionalProperties: false - type: object + item: + accountType: single-account + cloudProvider: aws + created_at: '2024-01-15T10:00:00.000Z' + id: cloud-connector-id-1 + name: Updated AWS connector + packagePolicyCount: 2 + updated_at: '2024-01-15T11:00:00.000Z' + vars: {} + schema: + additionalProperties: false + type: object properties: - actionId: - type: string + item: + additionalProperties: false + type: object + properties: + accountType: + type: string + cloudProvider: + type: string + created_at: + type: string + id: + type: string + name: + type: string + namespace: + type: string + packagePolicyCount: + type: number + updated_at: + type: string + vars: + additionalProperties: + nullable: true + type: object + verification_failed_at: + type: string + verification_started_at: + type: string + verification_status: + type: string + required: + - id + - name + - cloudProvider + - vars + - packagePolicyCount + - created_at + - updated_at required: - - actionId + - item description: Successful response '400': content: @@ -41106,93 +35751,124 @@ paths: - message - attributes description: Bad Request - summary: Bulk update agent tags + summary: Update cloud connector tags: - - Elastic Agent actions + - Fleet cloud connectors + x-state: Technical Preview x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/agents/bulk_upgrade: - post: + /api/fleet/cloud_connectors/{cloudConnectorId}/usage: + get: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/agents/bulk_upgrade
+
get /s/{space_id}/api/fleet/cloud_connectors/{cloudConnectorId}/usage
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Upgrade multiple agents to a newer version, with optional rollout controls.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-bulk-upgrade + Get a list of package policies that are using a given cloud connector.

[Required authorization] Route required privileges: fleet-agent-policies-read OR integrations-read. + operationId: get-fleet-cloud-connectors-cloudconnectorid-usage parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf + - description: The unique identifier of the cloud connector. + in: path + name: cloudConnectorId required: true schema: - example: 'true' type: string - requestBody: - content: - application/json: - examples: - postBulkUpgradeAgentsRequestExample: - description: Upgrade multiple agents to a specific version - value: - agents: - - agent-id-1 - - agent-id-2 - rollout_duration_seconds: 3600 - version: 8.17.0 - schema: - additionalProperties: false - type: object - properties: - agents: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - type: string - batchSize: - type: number - force: - type: boolean - includeInactive: - default: false - type: boolean - rollout_duration_seconds: - minimum: 600 - type: number - skipRateLimitCheck: - type: boolean - source_uri: - type: string - start_time: - type: string - version: - type: string - required: - - agents - - version + - description: The page number for pagination. + in: query + name: page + required: false + schema: + minimum: 1 + type: number + - description: The number of items per page. 
+ in: query + name: perPage + required: false + schema: + minimum: 1 + type: number responses: '200': content: application/json: examples: - postBulkUpgradeAgentsExample: - description: Bulk upgrade action result + getCloudConnectorUsageResponseExample: + description: Example response showing package policies using the cloud connector value: - actionId: action-id-1 + items: + - created_at: '2025-01-16T09:00:00.000Z' + id: package-policy-1 + name: CSPM AWS Policy + package: + name: cloud_security_posture + title: Cloud Security Posture Management + version: 3.1.1 + policy_ids: + - policy-id-123 + - policy-id-456 + updated_at: '2025-01-16T09:00:00.000Z' + page: 1 + perPage: 20 + total: 2 schema: additionalProperties: false type: object properties: - actionId: - type: string + items: + items: + additionalProperties: false + type: object + properties: + created_at: + type: string + id: + type: string + name: + type: string + package: + additionalProperties: false + type: object + properties: + name: + type: string + title: + type: string + version: + type: string + required: + - name + - title + - version + policy_ids: + items: + type: string + maxItems: 10000 + type: array + updated_at: + type: string + required: + - id + - name + - policy_ids + - created_at + - updated_at + maxItems: 10000 + type: array + page: + type: number + perPage: + type: number + total: + type: number required: - - actionId - description: Successful response + - items + - total + - page + - perPage + description: 'OK: A successful request.' '400': content: application/json: @@ -41201,7 +35877,7 @@ paths: description: Example of a generic error response value: error: Bad Request - message: An error message describing what went wrong + message: Cloud connector not found statusCode: 400 schema: additionalProperties: false 
@@ -41221,59 +35897,130 @@ paths: required: - message - attributes - description: Bad Request - summary: Bulk upgrade agents + description: A bad request. + summary: Get cloud connector usage (package policies using the connector) tags: - - Elastic Agent actions + - Fleet cloud connectors + x-state: Technical Preview x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/agents/files/{fileId}: - delete: + /api/fleet/data_streams: + get: description: |- **Spaces method and path for this operation:** -
delete /s/{space_id}/api/fleet/agents/files/{fileId}
+
get /s/{space_id}/api/fleet/data_streams
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Delete a file uploaded by an agent.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: delete-fleet-agents-files-fileid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The ID of the uploaded file - in: path - name: fileId - required: true - schema: - type: string + List all Fleet-managed data streams with metadata including package, namespace, size, and last activity.

[Required authorization] Route required privileges: fleet-agents-all AND fleet-agent-policies-all AND fleet-settings-all. + operationId: get-fleet-data-streams + parameters: [] responses: '200': content: application/json: examples: - deleteAgentUploadFileExample: - description: Uploaded file successfully deleted + getDataStreamsExample: + description: List of Fleet-managed data streams value: - deleted: true - id: file-id-1 + data_streams: + - dashboards: + - id: nginx-overview + title: Nginx Overview + dataset: nginx.access + index: logs-nginx.access-default + last_activity_ms: 1700000000000 + namespace: default + package: nginx + package_version: 1.20.0 + serviceDetails: null + size_in_bytes: 1048576 + size_in_bytes_formatted: 1mb + type: logs + - dashboards: [] + dataset: system.cpu + index: metrics-system.cpu-default + last_activity_ms: 1699999000000 + namespace: default + package: system + package_version: 1.38.0 + serviceDetails: null + size_in_bytes: 524288 + size_in_bytes_formatted: 512kb + type: metrics schema: additionalProperties: false type: object properties: - deleted: - type: boolean - id: - type: string + data_streams: + items: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + title: + type: string + required: + - id + - title + maxItems: 10000 + type: array + dataset: + type: string + index: + type: string + last_activity_ms: + type: number + namespace: + type: string + package: + type: string + package_version: + type: string + serviceDetails: + additionalProperties: false + nullable: true + type: object + properties: + environment: + type: string + serviceName: + type: string + required: + - environment + - serviceName + size_in_bytes: + type: number + size_in_bytes_formatted: + anyOf: + - type: number + - type: string + type: + type: string + required: + - index + - dataset + - namespace + - type + - package + - package_version + - 
last_activity_ms + - size_in_bytes + - size_in_bytes_formatted + - dashboards + - serviceDetails + maxItems: 10000 + type: array required: - - id - - deleted + - data_streams description: Successful response '400': content: @@ -41304,34 +36051,42 @@ paths: - message - attributes description: Bad Request - summary: Delete an uploaded file + summary: Get data streams tags: - - Elastic Agents + - Data streams x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/agents/files/{fileId}/{fileName}: + /api/fleet/enrollment_api_keys: get: description: |- **Spaces method and path for this operation:** -
get /s/{space_id}/api/fleet/agents/files/{fileId}/{fileName}
+
get /s/{space_id}/api/fleet/enrollment_api_keys
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Get a file uploaded by an agent.

[Required authorization] Route required privileges: fleet-agents-read. - operationId: get-fleet-agents-files-fileid-filename + List all enrollment API keys.

[Required authorization] Route required privileges: fleet-agents-all OR fleet-setup. + operationId: get-fleet-enrollment-api-keys parameters: - - description: The ID of the uploaded file - in: path - name: fileId - required: true + - description: Page number + in: query + name: page + required: false schema: - type: string - - description: The name of the uploaded file - in: path - name: fileName - required: true + default: 1 + type: number + - description: Number of results per page + in: query + name: perPage + required: false + schema: + default: 20 + type: number + - description: A KQL query string to filter results + in: query + name: kuery + required: false schema: type: string responses: @@ -41339,12 +36094,56 @@ paths: content: application/json: examples: - getAgentUploadFileExample: - description: The uploaded file content as a stream - value: + getEnrollmentApiKeysExample: + description: List of enrollment API keys + value: + items: + - active: true + api_key: api-key-value-1 + api_key_id: api-key-id-1 + created_at: '2024-01-01T00:00:00.000Z' + id: key-id-1 + name: Default policy enrollment key + policy_id: policy-id-1 + list: + - active: true + api_key: api-key-value-1 + api_key_id: api-key-id-1 + created_at: '2024-01-01T00:00:00.000Z' + id: key-id-1 + name: Default policy enrollment key + policy_id: policy-id-1 + page: 1 + perPage: 20 + total: 1 schema: + additionalProperties: false type: object - description: Successful response — returns the uploaded file content + properties: + items: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_enrollment_api_key' + maxItems: 10000 + type: array + list: + deprecated: true + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_enrollment_api_key' + maxItems: 10000 + type: array + page: + type: number + perPage: + type: number + total: + type: number + required: + - items + - total + - page + - perPage + - list + description: Successful response '400': content: application/json: 
@@ -41374,93 +36173,149 @@ paths: - message - attributes description: Bad Request - summary: Get an uploaded file + summary: Get enrollment API keys tags: - - Elastic Agents + - Fleet enrollment API keys x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/agents/setup: - get: + post: description: |- **Spaces method and path for this operation:** -
get /s/{space_id}/api/fleet/agents/setup
+
post /s/{space_id}/api/fleet/enrollment_api_keys
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Get the current Fleet setup status, including whether Fleet is ready to enroll agents and which requirements or optional features are missing.

[Required authorization] Route required privileges: fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup. - operationId: get-fleet-agents-setup - parameters: [] + Create an enrollment API key for a given agent policy.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-enrollment-api-keys + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + postEnrollmentApiKeyRequestExample: + description: Create an enrollment API key for an agent policy + value: + expiration: '2025-01-01T00:00:00.000Z' + name: My enrollment key + policy_id: policy-id-1 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_enrollment_api_key' responses: '200': content: application/json: examples: - agentsSetupNotReadyExample: - description: Fleet is not ready — a Fleet Server and API keys are required + postEnrollmentApiKeyExample: + description: The created enrollment API key value: - is_action_secrets_storage_enabled: false - is_secrets_storage_enabled: false - is_space_awareness_enabled: false - is_ssl_secrets_storage_enabled: false - isReady: false - missing_optional_features: - - encrypted_saved_object_encryption_key_required - missing_requirements: - - fleet_server - - api_keys - agentsSetupReadyExample: - description: Fleet is ready to enroll agents — all requirements are met + action: created + item: + active: true + api_key: api-key-value-1 + api_key_id: api-key-id-1 + created_at: '2024-01-01T00:00:00.000Z' + id: key-id-1 + name: My enrollment key + policy_id: policy-id-1 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_enrollment_api_key_response' + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response value: - is_action_secrets_storage_enabled: true - is_secrets_storage_enabled: true - is_space_awareness_enabled: false - is_ssl_secrets_storage_enabled: false - isReady: true - missing_optional_features: [] - missing_requirements: [] - 
package_verification_key_id: D88DB4CC + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: additionalProperties: false - description: A summary of the agent setup status. `isReady` indicates whether the setup is ready. If the setup is not ready, `missing_requirements` lists which requirements are missing. + description: Generic Error type: object properties: - is_action_secrets_storage_enabled: - type: boolean - is_secrets_storage_enabled: - type: boolean - is_space_awareness_enabled: - type: boolean - is_ssl_secrets_storage_enabled: - type: boolean - isReady: - type: boolean - missing_optional_features: - items: - enum: - - encrypted_saved_object_encryption_key_required - type: string - maxItems: 1 - type: array - missing_requirements: - items: - enum: - - security_required - - tls_required - - api_keys - - fleet_admin_user - - fleet_server - type: string - maxItems: 5 - type: array - package_verification_key_id: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: type: string + statusCode: + type: number required: - - isReady - - missing_requirements - - missing_optional_features - description: Fleet setup status + - message + - attributes + description: Bad Request + summary: Create an enrollment API key + tags: + - Fleet enrollment API keys + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/enrollment_api_keys/_bulk_delete: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/enrollment_api_keys/_bulk_delete
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Revoke or delete multiple enrollment API keys.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-enrollment-api-keys-bulk-delete + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + bulkDeleteByIdsExample: + description: Bulk delete enrollment API keys by IDs + value: + forceDelete: true + tokenIds: + - token-id-1 + - token-id-2 + bulkDeleteByKueryExample: + description: Bulk delete enrollment API keys by KQL query + value: + forceDelete: false + kuery: policy_id:"policy-id-1" + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_delete_enrollment_api_keys_request' + responses: + '200': + content: + application/json: + examples: + bulkDeleteEnrollmentApiKeysExample: + description: The enrollment API keys were successfully processed + value: + action: deleted + count: 2 + errorCount: 0 + successCount: 2 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_delete_enrollment_api_keys_response' + description: Successful response '400': content: application/json: @@ -41469,7 +36324,7 @@ paths: description: Example of a generic error response value: error: Bad Request - message: An error message describing what went wrong + message: Either tokenIds or kuery must be provided statusCode: 400 schema: additionalProperties: false @@ -41490,22 +36345,24 @@ paths: - message - attributes description: Bad Request - summary: Get agent setup info + summary: Bulk revoke or delete enrollment API keys tags: - - Elastic Agents + - Fleet enrollment API keys + x-state: Generally available x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - post: + /api/fleet/enrollment_api_keys/{keyId}: + delete: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/agents/setup
+
delete /s/{space_id}/api/fleet/enrollment_api_keys/{keyId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Initialize Fleet. This endpoint is used by Elastic Agents to trigger Fleet setup. Safe to call multiple times; subsequent calls are idempotent.

[Required authorization] Route required privileges: fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup. - operationId: post-fleet-agents-setup + Revoke or delete an enrollment API key by ID. Use `forceDelete=true` to remove the document.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: delete-fleet-enrollment-api-keys-keyid parameters: - description: A required header to protect against CSRF attacks in: header @@ -41514,41 +36371,38 @@ paths: schema: example: 'true' type: string + - description: The ID of the enrollment API key + in: path + name: keyId + required: true + schema: + type: string + - description: When false (default), invalidate the API key and mark the token as inactive. When true, also delete the token document. + in: query + name: forceDelete + required: false + schema: + default: false + type: boolean + - description: When true, allow deletion of hidden enrollment tokens (managed/agentless policies). Defaults to false. + in: query + name: includeHidden + required: false + schema: + default: false + type: boolean responses: '200': content: application/json: examples: - agentsSetupSuccessExample: - description: Fleet setup initialized successfully with no non-fatal errors + deleteEnrollmentApiKeyExample: + description: The enrollment API key was successfully revoked value: - isInitialized: true - nonFatalErrors: [] + action: deleted schema: - additionalProperties: false - description: A summary of the result of Fleet's `setup` lifecycle. If `isInitialized` is true, Fleet is ready to accept agent enrollment. `nonFatalErrors` may include useful insight into non-blocking issues with Fleet setup. - type: object - properties: - isInitialized: - type: boolean - nonFatalErrors: - items: - additionalProperties: false - type: object - properties: - message: - type: string - name: - type: string - required: - - name - - message - maxItems: 10000 - type: array - required: - - isInitialized - - nonFatalErrors - description: Fleet setup completed + $ref: '#/components/schemas/Kibana_HTTP_APIs_delete_enrollment_api_key_response' + description: Successful response '400': content: application/json: 
@@ -41578,60 +36432,58 @@ paths: - message - attributes description: Bad Request - summary: Initiate Fleet setup + '404': + content: + application/json: + examples: + notFoundExample: + description: No enrollment API key was found with the given ID + value: + error: Not Found + message: EnrollmentAPIKey key-id-1 not found + statusCode: 404 + description: Not Found + summary: Revoke or delete an enrollment API key tags: - - Elastic Agents + - Fleet enrollment API keys x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/agents/tags: get: description: |- **Spaces method and path for this operation:** -
get /s/{space_id}/api/fleet/agents/tags
+
get /s/{space_id}/api/fleet/enrollment_api_keys/{keyId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Get a list of all tags used across enrolled agents.

[Required authorization] Route required privileges: fleet-agents-read. - operationId: get-fleet-agents-tags + Get an enrollment API key by ID.

[Required authorization] Route required privileges: fleet-agents-all OR fleet-setup. + operationId: get-fleet-enrollment-api-keys-keyid parameters: - - description: A KQL query string to filter results - in: query - name: kuery - required: false + - description: The ID of the enrollment API key + in: path + name: keyId + required: true schema: type: string - - description: When true, include tags from inactive agents - in: query - name: showInactive - required: false - schema: - default: false - type: boolean responses: '200': content: application/json: examples: - getAgentTagsExample: - description: List of tags used across agents + getEnrollmentApiKeyExample: + description: An enrollment API key value: - items: - - production - - linux - - datacenter-1 + item: + active: true + api_key: api-key-value-1 + api_key_id: api-key-id-1 + created_at: '2024-01-01T00:00:00.000Z' + id: key-id-1 + name: Default policy enrollment key + policy_id: policy-id-1 schema: - additionalProperties: false - type: object - properties: - items: - items: - type: string - maxItems: 10000 - type: array - required: - - items + $ref: '#/components/schemas/Kibana_HTTP_APIs_enrollment_api_key_response' description: Successful response '400': content: @@ -41662,58 +36514,72 @@ paths: - message - attributes description: Bad Request - summary: Get agent tags + '404': + content: + application/json: + examples: + notFoundExample: + description: No enrollment API key was found with the given ID + value: + error: Not Found + message: EnrollmentAPIKey key-id-1 not found + statusCode: 404 + description: Not Found + summary: Get an enrollment API key tags: - - Elastic Agents + - Fleet enrollment API keys x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/check-permissions: - get: + /api/fleet/epm/bulk_assets: + post: description: |- **Spaces method and path for this operation:** -
get /s/{space_id}/api/fleet/check-permissions
+
post /s/{space_id}/api/fleet/epm/bulk_assets
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Check whether the current user has the required permissions to use Fleet. Optionally verifies Fleet Server setup privileges. - operationId: get-fleet-check-permissions + Retrieve multiple Kibana saved object assets by their IDs and types.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: post-fleet-epm-bulk-assets parameters: - - description: When true, check Fleet Server setup privileges in addition to standard Fleet privileges - in: query - name: fleetServerSetup - required: false + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - type: boolean + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + postBulkGetAssetsRequestExample: + description: Retrieve multiple assets by their IDs and types + value: + assetIds: + - id: dashboard-id-1 + type: dashboard + - id: index-pattern-id-1 + type: index_pattern + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_bulk_assets_request' responses: '200': content: application/json: examples: - checkPermissionsMissingPrivilegesExample: - description: The current user is missing Fleet privileges - value: - error: MISSING_PRIVILEGES - success: false - checkPermissionsSuccessExample: - description: The current user has all required Fleet permissions + postBulkGetAssetsExample: + description: Requested assets value: - success: true + items: + - appLink: /app/dashboards#/view/dashboard-id-1 + attributes: + title: My Dashboard + id: dashboard-id-1 + type: dashboard schema: - additionalProperties: false - type: object - properties: - error: - enum: - - MISSING_SECURITY - - MISSING_PRIVILEGES - - MISSING_FLEET_SERVER_SETUP_PRIVILEGES - type: string - success: - type: boolean - required: - - success + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_bulk_assets_response' description: Successful response '400': content: 
@@ -41744,106 +36610,53 @@ paths: - message - attributes description: Bad Request - summary: Check permissions + summary: Bulk get assets tags: - - Fleet internals + - Elastic Package Manager (EPM) x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/cloud_connectors: + /api/fleet/epm/categories: get: description: |- **Spaces method and path for this operation:** -
get /s/{space_id}/api/fleet/cloud_connectors
+
get /s/{space_id}/api/fleet/epm/categories
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - List all Fleet cloud connectors.

[Required authorization] Route required privileges: fleet-agent-policies-read OR integrations-read. - operationId: get-fleet-cloud-connectors + Get a list of integration categories.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-categories parameters: - - description: The page number for pagination. - in: query - name: page - required: false - schema: - type: string - - description: The number of items per page. + - description: When true, include prerelease packages in the results in: query - name: perPage + name: prerelease required: false schema: - type: string - - description: KQL query to filter cloud connectors. + type: boolean + - description: When true, include categories that only contain policy templates in: query - name: kuery + name: include_policy_templates required: false schema: - type: string + type: boolean responses: '200': content: application/json: examples: - getCloudConnectorsExample: - description: List of Fleet cloud connectors + getCategoriesExample: + description: List of integration categories value: items: - - accountType: single-account - cloudProvider: aws - created_at: '2024-01-15T10:00:00.000Z' - id: cloud-connector-id-1 - name: My AWS connector - packagePolicyCount: 2 - updated_at: '2024-01-15T10:00:00.000Z' - vars: {} + - count: 42 + id: security + title: Security + - count: 38 + id: observability + title: Observability schema: - additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: false - type: object - properties: - accountType: - type: string - cloudProvider: - type: string - created_at: - type: string - id: - type: string - name: - type: string - namespace: - type: string - packagePolicyCount: - type: number - updated_at: - type: string - vars: - additionalProperties: - nullable: true - type: object - verification_failed_at: - type: string - verification_started_at: - type: string - verification_status: - type: string - required: - - id - - name - - cloudProvider - - vars - - packagePolicyCount - - created_at - - updated_at - maxItems: 10000 - type: array - required: - - items + 
$ref: '#/components/schemas/Kibana_HTTP_APIs_get_categories_response' description: Successful response '400': content: @@ -41874,23 +36687,23 @@ paths: - message - attributes description: Bad Request - summary: Get cloud connectors + summary: Get package categories tags: - - Fleet cloud connectors - x-state: Technical Preview + - Elastic Package Manager (EPM) x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name + /api/fleet/epm/custom_integrations: post: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/cloud_connectors
+
post /s/{space_id}/api/fleet/epm/custom_integrations
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Create a new Fleet cloud connector.

[Required authorization] Route required privileges: fleet-agent-policies-all OR integrations-all. - operationId: post-fleet-cloud-connectors + Create a new custom integration package with user-defined data streams.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-custom-integrations parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -41903,134 +36716,30 @@ paths: content: application/json: examples: - postCloudConnectorRequestExample: - description: Create a new AWS cloud connector + postCreateCustomIntegrationRequestExample: + description: Create a new custom integration value: - accountType: single-account - cloudProvider: aws - name: My AWS connector - vars: {} + datasets: + - name: my_custom_logs.access + type: logs + integrationName: my_custom_logs schema: - additionalProperties: false - type: object - properties: - accountType: - description: 'The account type: single-account (single account/subscription) or organization-account (organization-wide).' - enum: - - single-account - - organization-account - type: string - cloudProvider: - description: 'The cloud provider type: aws, azure, or gcp.' - enum: - - aws - - azure - - gcp - type: string - name: - description: The name of the cloud connector. - maxLength: 255 - minLength: 1 - type: string - vars: - additionalProperties: - anyOf: - - maxLength: 1000 - type: string - - type: number - - type: boolean - - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - maxLength: 50 - type: string - value: - anyOf: - - maxLength: 1000 - type: string - - additionalProperties: false - type: object - properties: - id: - maxLength: 255 - type: string - isSecretRef: - type: boolean - required: - - isSecretRef - - id - required: - - type - - value - type: object - required: - - name - - cloudProvider - - vars + $ref: '#/components/schemas/Kibana_HTTP_APIs_create_custom_integration_request' responses: '200': content: application/json: examples: - postCloudConnectorExample: - description: The created Fleet cloud connector + postCreateCustomIntegrationExample: + description: Custom integration successfully created value: - item: - accountType: single-account - cloudProvider: aws - created_at: '2024-01-15T10:00:00.000Z' - id: cloud-connector-id-2 - name: My AWS connector - packagePolicyCount: 0 - updated_at: 
'2024-01-15T10:00:00.000Z' - vars: {} + _meta: + install_source: custom + items: + - id: my_custom_logs-logs-my_custom_logs.access + type: index_template schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - accountType: - type: string - cloudProvider: - type: string - created_at: - type: string - id: - type: string - name: - type: string - namespace: - type: string - packagePolicyCount: - type: number - updated_at: - type: string - vars: - additionalProperties: - nullable: true - type: object - verification_failed_at: - type: string - verification_started_at: - type: string - verification_status: - type: string - required: - - id - - name - - cloudProvider - - vars - - packagePolicyCount - - created_at - - updated_at - required: - - item + $ref: '#/components/schemas/Kibana_HTTP_APIs_install_package_response' description: Successful response '400': content: @@ -42061,24 +36770,23 @@ paths: - message - attributes description: Bad Request - summary: Create cloud connector + summary: Create a custom integration tags: - - Fleet cloud connectors - x-state: Technical Preview + - Elastic Package Manager (EPM) x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/cloud_connectors/{cloudConnectorId}: - delete: + /api/fleet/epm/custom_integrations/{pkgName}: + put: description: |- **Spaces method and path for this operation:** -
delete /s/{space_id}/api/fleet/cloud_connectors/{cloudConnectorId}
+
put /s/{space_id}/api/fleet/epm/custom_integrations/{pkgName}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Delete a cloud connector by ID. Use the `force` query parameter to delete even if package policies are still using it.

[Required authorization] Route required privileges: fleet-agent-policies-all OR integrations-all. - operationId: delete-fleet-cloud-connectors-cloudconnectorid + Update the datasets of an existing custom integration package.

[Required authorization] Route required privileges: fleet-settings-all AND integrations-all. + operationId: put-fleet-epm-custom-integrations-pkgname parameters: - description: A required header to protect against CSRF attacks in: header @@ -42087,35 +36795,44 @@ paths: schema: example: 'true' type: string - - description: The unique identifier of the cloud connector to delete. + - description: Package name in: path - name: cloudConnectorId + name: pkgName required: true schema: type: string - - description: If true, forces deletion even if the cloud connector is in use. - in: query - name: force - required: false - schema: - type: boolean + requestBody: + content: + application/json: + examples: + putUpdateCustomIntegrationRequestExample: + description: Update a custom integration + value: + datasets: + - name: my_custom_logs.access + type: logs + integrationName: my_custom_logs + schema: + additionalProperties: false + type: object + properties: + categories: + items: + type: string + maxItems: 10 + type: array + readMeData: + type: string + required: + - readMeData responses: '200': content: application/json: examples: - deleteCloudConnectorExample: - description: The cloud connector was successfully deleted - value: - id: cloud-connector-id-1 - schema: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id + putUpdateCustomIntegrationExample: + description: Custom integration successfully updated + value: {} description: Successful response '400': content: @@ -42146,91 +36863,76 @@ paths: - message - attributes description: Bad Request - summary: Delete cloud connector (supports force deletion) + summary: Update a custom integration tags: - - Fleet cloud connectors - x-state: Technical Preview + - Elastic Package Manager (EPM) x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name + /api/fleet/epm/data_streams: get: description: |- **Spaces method and path for this operation:** -
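Review bot: The request example `putUpdateCustomIntegrationRequestExample` for PUT /api/fleet/epm/custom_integrations/{pkgName} does not validate against the request schema printed right after it: the schema allows only `categories` and `readMeData` (`additionalProperties: false`, `readMeData` required), while the example sends `datasets` and `integrationName`, which are the create-request fields from the POST hunk above. A client that copies the published example will get a 400 rather than an update. The example value should instead be something like `readMeData: '# My custom logs'` with an optional `categories: [custom]` (constructed placeholder values). If this YAML is generated from the route definition, the correction belongs in the route's example rather than in this output file.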
get /s/{space_id}/api/fleet/cloud_connectors/{cloudConnectorId}
+
get /s/{space_id}/api/fleet/epm/data_streams
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Get a cloud connector by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read OR integrations-read. - operationId: get-fleet-cloud-connectors-cloudconnectorid + Get a list of data streams created by installed integration packages.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-data-streams parameters: - - description: The unique identifier of the cloud connector. - in: path - name: cloudConnectorId - required: true + - description: Filter by data stream type + in: query + name: type + required: false + schema: + enum: + - logs + - metrics + - traces + - synthetics + - profiling + type: string + - description: Filter data streams by dataset name + in: query + name: datasetQuery + required: false + schema: + type: string + - description: Sort order, ascending or descending + in: query + name: sortOrder + required: false schema: + default: asc + enum: + - asc + - desc type: string + - description: When true, only return data streams that are not associated with a package + in: query + name: uncategorisedOnly + required: false + schema: + default: false + type: boolean responses: '200': content: application/json: examples: - getCloudConnectorExample: - description: A Fleet cloud connector + getDataStreamsExample: + description: List of data streams from installed packages value: - item: - accountType: single-account - cloudProvider: aws - created_at: '2024-01-15T10:00:00.000Z' - id: cloud-connector-id-1 - name: My AWS connector - packagePolicyCount: 2 - updated_at: '2024-01-15T10:00:00.000Z' - vars: {} + data_streams: + - ilm_policy: logs-default + index_template: logs-system.syslog + name: logs-system.syslog-default + package: system + package_version: 1.55.0 + title: System syslog logs schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - accountType: - type: string - cloudProvider: - type: string - created_at: - type: string - id: - type: string - name: - type: string - namespace: - type: string - packagePolicyCount: - type: number - updated_at: - type: string - vars: - additionalProperties: - nullable: true - type: object - 
verification_failed_at: - type: string - verification_started_at: - type: string - verification_status: - type: string - required: - - id - - name - - cloudProvider - - vars - - packagePolicyCount - - created_at - - updated_at - required: - - item + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_data_streams_response' description: Successful response '400': content: @@ -42261,156 +36963,69 @@ paths: - message - attributes description: Bad Request - summary: Get cloud connector + summary: Get data streams tags: - - Fleet cloud connectors - x-state: Technical Preview + - Data streams x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - put: + /api/fleet/epm/packages: + get: description: |- **Spaces method and path for this operation:** -
put /s/{space_id}/api/fleet/cloud_connectors/{cloudConnectorId}
+
get /s/{space_id}/api/fleet/epm/packages
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Update a cloud connector by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all OR integrations-all. - operationId: put-fleet-cloud-connectors-cloudconnectorid + Get a list of integration packages available in the registry.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-packages parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true + - description: Filter packages by category + in: query + name: category + required: false schema: - example: 'true' type: string - - description: The unique identifier of the cloud connector to update. - in: path - name: cloudConnectorId - required: true + - description: When true, include prerelease packages in the results + in: query + name: prerelease + required: false schema: - type: string - requestBody: - content: - application/json: - examples: - putCloudConnectorRequestExample: - description: Update a Fleet cloud connector - value: - name: Updated AWS connector - vars: {} - schema: - additionalProperties: false - type: object - properties: - accountType: - description: 'The account type: single-account (single account/subscription) or organization-account (organization-wide).' - enum: - - single-account - - organization-account - type: string - name: - description: The name of the cloud connector. 
- maxLength: 255 - minLength: 1 - type: string - vars: - additionalProperties: - anyOf: - - maxLength: 1000 - type: string - - type: number - - type: boolean - - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - maxLength: 50 - type: string - value: - anyOf: - - maxLength: 1000 - type: string - - additionalProperties: false - type: object - properties: - id: - maxLength: 255 - type: string - isSecretRef: - type: boolean - required: - - isSecretRef - - id - required: - - type - - value - type: object + type: boolean + - description: When true, exclude the install status from the response + in: query + name: excludeInstallStatus + required: false + schema: + type: boolean + - description: When true, include the number of package policies per package + in: query + name: withPackagePoliciesCount + required: false + schema: + type: boolean responses: '200': content: application/json: examples: - putCloudConnectorExample: - description: The updated Fleet cloud connector + getPackagesExample: + description: List of available integration packages value: - item: - accountType: single-account - cloudProvider: aws - created_at: '2024-01-15T10:00:00.000Z' - id: cloud-connector-id-1 - name: Updated AWS connector - packagePolicyCount: 2 - updated_at: '2024-01-15T11:00:00.000Z' - vars: {} + items: + - categories: + - cloud + description: Collect logs and metrics from Amazon Web Services + id: aws + name: aws + status: not_installed + title: AWS + version: 2.10.0 + searchExcluded: 0 + total: 1 schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - accountType: - type: string - cloudProvider: - type: string - created_at: - type: string - id: - type: string - name: - type: string - namespace: - type: string - packagePolicyCount: - type: number - updated_at: - type: string - vars: - additionalProperties: - nullable: true - type: object - verification_failed_at: 
- type: string - verification_started_at: - type: string - verification_status: - type: string - required: - - id - - name - - cloudProvider - - vars - - packagePolicyCount - - created_at - - updated_at - required: - - item + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_packages_response' description: Successful response '400': content: @@ -42441,137 +37056,98 @@ paths: - message - attributes description: Bad Request - summary: Update cloud connector + summary: Get packages tags: - - Fleet cloud connectors - x-state: Technical Preview + - Elastic Package Manager (EPM) x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/cloud_connectors/{cloudConnectorId}/usage: - get: + post: description: |- **Spaces method and path for this operation:** -
get /s/{space_id}/api/fleet/cloud_connectors/{cloudConnectorId}/usage
+
post /s/{space_id}/api/fleet/epm/packages
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Get a list of package policies that are using a given cloud connector.

[Required authorization] Route required privileges: fleet-agent-policies-read OR integrations-read. - operationId: get-fleet-cloud-connectors-cloudconnectorid-usage + Install a package by uploading a .zip or .tar.gz archive (max 100MB). Only available to superusers.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages parameters: - - description: The unique identifier of the cloud connector. - in: path - name: cloudConnectorId + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: + example: 'true' type: string - - description: The page number for pagination. + - description: When true, ignore mapping update errors during installation in: query - name: page + name: ignoreMappingUpdateErrors required: false schema: - minimum: 1 - type: number - - description: The number of items per page. + default: false + type: boolean + - description: When true, skip data stream rollover after installation in: query - name: perPage + name: skipDataStreamRollover required: false schema: - minimum: 1 - type: number + default: false + type: boolean + requestBody: + content: + application/gzip: + examples: + postInstallByUploadRequestExample: + description: Upload a .zip or .tar.gz package archive (max 100MB) + value: + application/gzip; application/zip: + examples: + postInstallByUploadRequestExample: + description: Upload a .zip or .tar.gz package archive (max 100MB) + value: + schema: + format: binary + type: string responses: '200': content: + application/gzip; application/zip: + examples: + postInstallByUploadExample: + description: Package successfully installed from upload + value: + _meta: + install_source: upload + items: + - id: my-custom-package-logs-default + type: index_template + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_install_package_response' application/json: examples: - getCloudConnectorUsageResponseExample: - description: Example response showing package policies using the cloud connector + postInstallByUploadExample: + description: Package successfully installed from upload value: + _meta: + install_source: upload items: - - created_at: '2025-01-16T09:00:00.000Z' 
- id: package-policy-1 - name: CSPM AWS Policy - package: - name: cloud_security_posture - title: Cloud Security Posture Management - version: 3.1.1 - policy_ids: - - policy-id-123 - - policy-id-456 - updated_at: '2025-01-16T09:00:00.000Z' - page: 1 - perPage: 20 - total: 2 + - id: my-custom-package-logs-default + type: index_template + description: Successful response + '400': + content: + application/gzip; application/zip: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: false - type: object - properties: - created_at: - type: string - id: - type: string - name: - type: string - package: - additionalProperties: false - type: object - properties: - name: - type: string - title: - type: string - version: - type: string - required: - - name - - title - - version - policy_ids: - items: - type: string - maxItems: 10000 - type: array - updated_at: - type: string - required: - - id - - name - - policy_ids - - created_at - - updated_at - maxItems: 10000 - type: array - page: - type: number - perPage: - type: number - total: - type: number - required: - - items - - total - - page - - perPage - description: 'OK: A successful request.' - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: Cloud connector not found - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error + description: Generic Error type: object properties: attributes: 
@@ -42587,133 +37163,6 @@ paths: required: - message - attributes - description: A bad request. - summary: Get cloud connector usage (package policies using the connector) - tags: - - Fleet cloud connectors - x-state: Technical Preview - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/data_streams: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/data_streams
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - List all Fleet-managed data streams with metadata including package, namespace, size, and last activity.

[Required authorization] Route required privileges: fleet-agents-all AND fleet-agent-policies-all AND fleet-settings-all. - operationId: get-fleet-data-streams - parameters: [] - responses: - '200': - content: - application/json: - examples: - getDataStreamsExample: - description: List of Fleet-managed data streams - value: - data_streams: - - dashboards: - - id: nginx-overview - title: Nginx Overview - dataset: nginx.access - index: logs-nginx.access-default - last_activity_ms: 1700000000000 - namespace: default - package: nginx - package_version: 1.20.0 - serviceDetails: null - size_in_bytes: 1048576 - size_in_bytes_formatted: 1mb - type: logs - - dashboards: [] - dataset: system.cpu - index: metrics-system.cpu-default - last_activity_ms: 1699999000000 - namespace: default - package: system - package_version: 1.38.0 - serviceDetails: null - size_in_bytes: 524288 - size_in_bytes_formatted: 512kb - type: metrics - schema: - additionalProperties: false - type: object - properties: - data_streams: - items: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false - type: object - properties: - id: - type: string - title: - type: string - required: - - id - - title - maxItems: 10000 - type: array - dataset: - type: string - index: - type: string - last_activity_ms: - type: number - namespace: - type: string - package: - type: string - package_version: - type: string - serviceDetails: - additionalProperties: false - nullable: true - type: object - properties: - environment: - type: string - serviceName: - type: string - required: - - environment - - serviceName - size_in_bytes: - type: number - size_in_bytes_formatted: - anyOf: - - type: number - - type: string - type: - type: string - required: - - index - - dataset - - namespace - - type - - package - - package_version - - last_activity_ms - - size_in_bytes - - size_in_bytes_formatted - - dashboards - - serviceDetails - maxItems: 10000 - type: array - required: - 
- data_streams - description: Successful response - '400': - content: application/json: examples: genericErrorResponseExample: @@ -42722,175 +37171,69 @@ paths: error: Bad Request message: An error message describing what went wrong statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes description: Bad Request - summary: Get data streams + summary: Install a package by upload tags: - - Data streams + - Elastic Package Manager (EPM) x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/enrollment_api_keys: - get: + /api/fleet/epm/packages/_bulk: + post: description: |- **Spaces method and path for this operation:** -
get /s/{space_id}/api/fleet/enrollment_api_keys
+
post /s/{space_id}/api/fleet/epm/packages/_bulk
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - List all enrollment API keys.

[Required authorization] Route required privileges: fleet-agents-all OR fleet-setup. - operationId: get-fleet-enrollment-api-keys + Install multiple packages from the Elastic Package Registry in a single request.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-bulk parameters: - - description: Page number - in: query - name: page - required: false - schema: - default: 1 - type: number - - description: Number of results per page - in: query - name: perPage - required: false + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - default: 20 - type: number - - description: A KQL query string to filter results + example: 'true' + type: string + - description: When true, allow installing prerelease versions in: query - name: kuery + name: prerelease required: false schema: - type: string + type: boolean + requestBody: + content: + application/json: + examples: + postBulkInstallPackagesRequestExample: + description: Install multiple packages from the registry + value: + packages: + - system + - aws + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_install_packages_from_registry_request' responses: '200': content: application/json: examples: - getEnrollmentApiKeysExample: - description: List of enrollment API keys + postBulkInstallPackagesExample: + description: Bulk install results value: items: - - active: true - api_key: api-key-value-1 - api_key_id: api-key-id-1 - created_at: '2024-01-01T00:00:00.000Z' - id: key-id-1 - name: Default policy enrollment key - policy_id: policy-id-1 - list: - - active: true - api_key: api-key-value-1 - api_key_id: api-key-id-1 - created_at: '2024-01-01T00:00:00.000Z' - id: key-id-1 - name: Default policy enrollment key - policy_id: policy-id-1 - page: 1 - perPage: 20 - total: 1 + - name: system + result: + assets: [] + status: installed + - name: aws + result: + assets: [] + status: installed schema: - additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: false - type: object - properties: - active: - description: When false, the 
enrollment API key is revoked and cannot be used for enrolling Elastic Agents. - type: boolean - api_key: - description: The enrollment API key (token) used for enrolling Elastic Agents. - type: string - api_key_id: - description: The ID of the API key in the Security API. - type: string - created_at: - type: string - hidden: - type: boolean - id: - type: string - name: - description: The name of the enrollment API key. - type: string - policy_id: - description: The ID of the agent policy the Elastic Agent will be enrolled in. - type: string - required: - - id - - api_key_id - - api_key - - active - - created_at - maxItems: 10000 - type: array - list: - deprecated: true - items: - additionalProperties: false - type: object - properties: - active: - description: When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents. - type: boolean - api_key: - description: The enrollment API key (token) used for enrolling Elastic Agents. - type: string - api_key_id: - description: The ID of the API key in the Security API. - type: string - created_at: - type: string - hidden: - type: boolean - id: - type: string - name: - description: The name of the enrollment API key. - type: string - policy_id: - description: The ID of the agent policy the Elastic Agent will be enrolled in. - type: string - required: - - id - - api_key_id - - api_key - - active - - created_at - maxItems: 10000 - type: array - page: - type: number - perPage: - type: number - total: - type: number - required: - - items - - total - - page - - perPage - - list + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_install_packages_from_registry_response' description: Successful response '400': content: 
@@ -42921,22 +37264,23 @@ paths: - message - attributes description: Bad Request - summary: Get enrollment API keys + summary: Bulk install packages tags: - - Fleet enrollment API keys + - Elastic Package Manager (EPM) x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name + /api/fleet/epm/packages/_bulk_namespace_customization: post: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/enrollment_api_keys
+
post /s/{space_id}/api/fleet/epm/packages/_bulk_namespace_customization
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Create an enrollment API key for a given agent policy.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-enrollment-api-keys + Enable or disable namespace-level index template customization for a list of packages in one call. Use this for IaC-style declarative flows.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-bulk-namespace-customization parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -42949,93 +37293,45 @@ paths: content: application/json: examples: - postEnrollmentApiKeyRequestExample: - description: Create an enrollment API key for an agent policy + bulkNamespaceCustomizationRequest: value: - expiration: '2025-01-01T00:00:00.000Z' - name: My enrollment key - policy_id: policy-id-1 + disable: + - dev + enable: + - production + - staging + packages: + - system + - nginx schema: - additionalProperties: false - type: object - properties: - expiration: - type: string - name: - type: string - policy_id: - type: string - required: - - policy_id + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_namespace_customization_request' responses: '200': content: application/json: examples: - postEnrollmentApiKeyExample: - description: The created enrollment API key + successResponse: value: - action: created - item: - active: true - api_key: api-key-value-1 - api_key_id: api-key-id-1 - created_at: '2024-01-01T00:00:00.000Z' - id: key-id-1 - name: My enrollment key - policy_id: policy-id-1 + items: + - name: system + namespace_customization_enabled_for: + - production + - staging + success: true + - error: Package nginx is not installed + name: nginx + success: false schema: - additionalProperties: false - type: object - properties: - action: - enum: - - created - type: string - item: - additionalProperties: false - type: object - properties: - active: - description: When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents. - type: boolean - api_key: - description: The enrollment API key (token) used for enrolling Elastic Agents. - type: string - api_key_id: - description: The ID of the API key in the Security API. - type: string - created_at: - type: string - hidden: - type: boolean - id: - type: string - name: - description: The name of the enrollment API key. - type: string - policy_id: - description: The ID of the agent policy the Elastic Agent will be enrolled in. 
- type: string - required: - - id - - api_key_id - - api_key - - active - - created_at - required: - - item - - action - description: Successful response + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_namespace_customization_response' + description: 'OK: A successful request.' '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequestResponse: value: error: Bad Request - message: An error message describing what went wrong + message: 'Namespaces must not appear in both enable and disable: production' statusCode: 400 schema: additionalProperties: false @@ -43055,24 +37351,24 @@ paths: required: - message - attributes - description: Bad Request - summary: Create an enrollment API key + description: A bad request. + summary: Bulk enable/disable namespace-level customization for packages tags: - - Fleet enrollment API keys + - Elastic Package Manager (EPM) x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/enrollment_api_keys/_bulk_delete: + /api/fleet/epm/packages/_bulk_rollback: post: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/enrollment_api_keys/_bulk_delete
+
post /s/{space_id}/api/fleet/epm/packages/_bulk_rollback
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Revoke or delete multiple enrollment API keys.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-enrollment-api-keys-bulk-delete + Rollback multiple packages to their previous versions.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-bulk-rollback parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -43085,79 +37381,30 @@ paths: content: application/json: examples: - bulkDeleteByIdsExample: - description: Bulk delete enrollment API keys by IDs - value: - forceDelete: true - tokenIds: - - token-id-1 - - token-id-2 - bulkDeleteByKueryExample: - description: Bulk delete enrollment API keys by KQL query + bulkRollbackRequest: value: - forceDelete: false - kuery: policy_id:"policy-id-1" + packages: + - name: system schema: - additionalProperties: false - type: object - properties: - forceDelete: - default: false - description: When false (default), invalidate the API key and mark the token as inactive. When true, also delete the token document. - type: boolean - includeHidden: - default: false - description: When true, allow deletion of hidden enrollment tokens (managed/agentless policies). Defaults to false. - type: boolean - kuery: - description: KQL query to select enrollment tokens to delete. - type: string - tokenIds: - description: List of enrollment token IDs to delete. - items: - type: string - maxItems: 10000 - type: array + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_rollback_packages_request' responses: '200': content: application/json: examples: - bulkDeleteEnrollmentApiKeysExample: - description: The enrollment API keys were successfully processed + successResponse: value: - action: deleted - count: 2 - errorCount: 0 - successCount: 2 + taskId: taskId schema: - additionalProperties: false - type: object - properties: - action: - type: string - count: - type: number - errorCount: - type: number - successCount: - type: number - required: - - action - - count - - successCount - - errorCount - description: Successful response + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_rollback_packages_response' + description: 'OK: A successful request.' 
'400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequestResponse: value: - error: Bad Request - message: Either tokenIds or kuery must be provided - statusCode: 400 + message: Bad Request schema: additionalProperties: false description: Generic Error @@ -43176,83 +37423,49 @@ paths: required: - message - attributes - description: Bad Request - summary: Bulk revoke or delete enrollment API keys + description: A bad request. + summary: Bulk rollback packages tags: - - Fleet enrollment API keys - x-state: Generally available + - Elastic Package Manager (EPM) x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/enrollment_api_keys/{keyId}: - delete: + /api/fleet/epm/packages/_bulk_rollback/{taskId}: + get: description: |- **Spaces method and path for this operation:** -
delete /s/{space_id}/api/fleet/enrollment_api_keys/{keyId}
+
get /s/{space_id}/api/fleet/epm/packages/_bulk_rollback/{taskId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Revoke or delete an enrollment API key by ID. Use `forceDelete=true` to remove the document.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: delete-fleet-enrollment-api-keys-keyid + Get the status and results of a bulk package rollback operation.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: get-fleet-epm-packages-bulk-rollback-taskid parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The ID of the enrollment API key + - description: Task ID of the bulk operation in: path - name: keyId + name: taskId required: true schema: type: string - - description: When false (default), invalidate the API key and mark the token as inactive. When true, also delete the token document. - in: query - name: forceDelete - required: false - schema: - default: false - type: boolean - - description: When true, allow deletion of hidden enrollment tokens (managed/agentless policies). Defaults to false. - in: query - name: includeHidden - required: false - schema: - default: false - type: boolean responses: '200': content: application/json: examples: - deleteEnrollmentApiKeyExample: - description: The enrollment API key was successfully revoked + successResponse: value: - action: deleted + status: success schema: - additionalProperties: false - type: object - properties: - action: - enum: - - deleted - type: string - required: - - action - description: Successful response + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_one_bulk_operation_packages_response' + description: 'OK: A successful request.' '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequestResponse: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + message: Bad Request schema: additionalProperties: false description: Generic Error 
@@ -43271,94 +37484,55 @@ paths: required: - message - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No enrollment API key was found with the given ID - value: - error: Not Found - message: EnrollmentAPIKey key-id-1 not found - statusCode: 404 - description: Not Found - summary: Revoke or delete an enrollment API key + description: A bad request. + summary: Get Bulk rollback packages details tags: - - Fleet enrollment API keys + - Elastic Package Manager (EPM) x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - get: + /api/fleet/epm/packages/_bulk_uninstall: + post: description: |- **Spaces method and path for this operation:** -
get /s/{space_id}/api/fleet/enrollment_api_keys/{keyId}
+
post /s/{space_id}/api/fleet/epm/packages/_bulk_uninstall
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Get an enrollment API key by ID.

[Required authorization] Route required privileges: fleet-agents-all OR fleet-setup. - operationId: get-fleet-enrollment-api-keys-keyid + Uninstall multiple packages in a single operation.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-bulk-uninstall parameters: - - description: The ID of the enrollment API key - in: path - name: keyId + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: + example: 'true' type: string + requestBody: + content: + application/json: + examples: + postBulkUninstallPackagesRequestExample: + description: Uninstall multiple packages + value: + packages: + - name: aws + - name: gcp + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_uninstall_packages_request' responses: '200': content: application/json: examples: - getEnrollmentApiKeyExample: - description: An enrollment API key + postBulkUninstallPackagesExample: + description: Bulk uninstall task initiated value: - item: - active: true - api_key: api-key-value-1 - api_key_id: api-key-id-1 - created_at: '2024-01-01T00:00:00.000Z' - id: key-id-1 - name: Default policy enrollment key - policy_id: policy-id-1 + taskId: task-id-1 schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - active: - description: When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents. - type: boolean - api_key: - description: The enrollment API key (token) used for enrolling Elastic Agents. - type: string - api_key_id: - description: The ID of the API key in the Security API. - type: string - created_at: - type: string - hidden: - type: boolean - id: - type: string - name: - description: The name of the enrollment API key. - type: string - policy_id: - description: The ID of the agent policy the Elastic Agent will be enrolled in. 
- type: string - required: - - id - - api_key_id - - api_key - - active - - created_at - required: - - item + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_upgrade_packages_response' description: Successful response '400': content: @@ -43389,123 +37563,46 @@ paths: - message - attributes description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No enrollment API key was found with the given ID - value: - error: Not Found - message: EnrollmentAPIKey key-id-1 not found - statusCode: 404 - description: Not Found - summary: Get an enrollment API key + summary: Bulk uninstall packages tags: - - Fleet enrollment API keys + - Elastic Package Manager (EPM) x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/epm/bulk_assets: - post: + /api/fleet/epm/packages/_bulk_uninstall/{taskId}: + get: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/epm/bulk_assets
+
get /s/{space_id}/api/fleet/epm/packages/_bulk_uninstall/{taskId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Retrieve multiple Kibana saved object assets by their IDs and types.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. - operationId: post-fleet-epm-bulk-assets + Get the status and results of a bulk package uninstall operation.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: get-fleet-epm-packages-bulk-uninstall-taskid parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf + - description: Task ID of the bulk operation + in: path + name: taskId required: true schema: - example: 'true' type: string - requestBody: - content: - application/json: - examples: - postBulkGetAssetsRequestExample: - description: Retrieve multiple assets by their IDs and types - value: - assetIds: - - id: dashboard-id-1 - type: dashboard - - id: index-pattern-id-1 - type: index_pattern - schema: - additionalProperties: false - type: object - properties: - assetIds: - items: - additionalProperties: false - type: object - properties: - id: - type: string - type: - type: string - required: - - id - - type - maxItems: 10000 - type: array - required: - - assetIds responses: '200': content: application/json: examples: - postBulkGetAssetsExample: - description: Requested assets + getBulkOperationDetailsExample: + description: Details of the bulk operation task value: - items: - - appLink: /app/dashboards#/view/dashboard-id-1 - attributes: - title: My Dashboard - id: dashboard-id-1 - type: dashboard + packages: + - name: system + result: installed + - name: elastic_agent + result: installed + status: success schema: - additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: false - type: object - properties: - appLink: - type: string - attributes: - additionalProperties: false - type: object - properties: - description: - type: string - service: - type: string - title: - type: string - id: - type: string - type: - type: string - updatedAt: - type: string - required: - - id - - type - - attributes - maxItems: 10000 - type: array - required: - - items + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_one_bulk_operation_packages_response' description: Successful 
response '400': content: @@ -43536,78 +37633,54 @@ paths: - message - attributes description: Bad Request - summary: Bulk get assets + summary: Get Bulk uninstall packages details tags: - Elastic Package Manager (EPM) x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/epm/categories: - get: + /api/fleet/epm/packages/_bulk_upgrade: + post: description: |- **Spaces method and path for this operation:** -
get /s/{space_id}/api/fleet/epm/categories
+
post /s/{space_id}/api/fleet/epm/packages/_bulk_upgrade
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Get a list of integration categories.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. - operationId: get-fleet-epm-categories + Upgrade multiple packages to their latest versions.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-bulk-upgrade parameters: - - description: When true, include prerelease packages in the results - in: query - name: prerelease - required: false - schema: - type: boolean - - description: When true, include categories that only contain policy templates - in: query - name: include_policy_templates - required: false + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - type: boolean + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + postBulkUpgradePackagesRequestExample: + description: Upgrade multiple packages to their latest versions + value: + packages: + - name: system + - name: elastic_agent + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_upgrade_packages_request' responses: '200': content: application/json: examples: - getCategoriesExample: - description: List of integration categories + postBulkUpgradePackagesExample: + description: Bulk upgrade task initiated value: - items: - - count: 42 - id: security - title: Security - - count: 38 - id: observability - title: Observability + taskId: task-id-1 schema: - additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: false - type: object - properties: - count: - type: number - id: - type: string - parent_id: - type: string - parent_title: - type: string - title: - type: string - required: - - id - - title - - count - maxItems: 10000 - type: array - required: - - items + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_upgrade_packages_response' description: Successful response '400': content: 
@@ -43638,163 +37711,46 @@ paths: - message - attributes description: Bad Request - summary: Get package categories + summary: Bulk upgrade packages tags: - Elastic Package Manager (EPM) x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/epm/custom_integrations: - post: + /api/fleet/epm/packages/_bulk_upgrade/{taskId}: + get: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/epm/custom_integrations
+
get /s/{space_id}/api/fleet/epm/packages/_bulk_upgrade/{taskId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Create a new custom integration package with user-defined data streams.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-custom-integrations + Get the status and results of a bulk package upgrade operation.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: get-fleet-epm-packages-bulk-upgrade-taskid parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf + - description: Task ID of the bulk operation + in: path + name: taskId required: true schema: - example: 'true' type: string - requestBody: - content: - application/json: - examples: - postCreateCustomIntegrationRequestExample: - description: Create a new custom integration - value: - datasets: - - name: my_custom_logs.access - type: logs - integrationName: my_custom_logs - schema: - additionalProperties: false - type: object - properties: - datasets: - items: - additionalProperties: false - type: object - properties: - name: - type: string - type: - enum: - - logs - - metrics - - traces - - synthetics - - profiling - type: string - required: - - name - - type - maxItems: 10 - type: array - force: - type: boolean - integrationName: - type: string - required: - - integrationName - - datasets responses: '200': content: application/json: examples: - postCreateCustomIntegrationExample: - description: Custom integration successfully created + getBulkOperationDetailsExample: + description: Details of the bulk operation task value: - _meta: - install_source: custom - items: - - id: my_custom_logs-logs-my_custom_logs.access - type: index_template + packages: + - name: system + result: installed + - name: elastic_agent + result: installed + status: success schema: - additionalProperties: false - type: object - properties: - _meta: - additionalProperties: false - type: object - properties: - install_source: - type: string - name: - type: string - required: - - install_source - - name - items: - items: - anyOf: - - additionalProperties: false - type: object - properties: - deferred: - type: boolean - id: - type: string - originId: - type: string - type: - anyOf: - - enum: - - dashboard - - lens - - visualization 
- - search - - index-pattern - - map - - ml-module - - security-rule - - csp-rule-template - - osquery-pack-asset - - osquery-saved-query - - tag - type: string - - type: string - required: - - id - - type - - additionalProperties: false - type: object - properties: - deferred: - type: boolean - id: - type: string - type: - enum: - - index - - index_template - - component_template - - ingest_pipeline - - ilm_policy - - data_stream_ilm_policy - - transform - - ml_model - - knowledge_base - - esql_view - type: string - version: - type: string - required: - - id - - type - maxItems: 10000 - type: array - required: - - items - - _meta + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_one_bulk_operation_packages_response' description: Successful response '400': content: @@ -43825,23 +37781,23 @@ paths: - message - attributes description: Bad Request - summary: Create a custom integration + summary: Get Bulk upgrade packages details tags: - Elastic Package Manager (EPM) x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/epm/custom_integrations/{pkgName}: - put: + /api/fleet/epm/packages/{pkgName}: + delete: description: |- **Spaces method and path for this operation:** -
put /s/{space_id}/api/fleet/epm/custom_integrations/{pkgName}
+
delete /s/{space_id}/api/fleet/epm/packages/{pkgName}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Update the datasets of an existing custom integration package.

[Required authorization] Route required privileges: fleet-settings-all AND integrations-all. - operationId: put-fleet-epm-custom-integrations-pkgname + Uninstall a package and remove all its assets.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: delete-fleet-epm-packages-pkgname parameters: - description: A required header to protect against CSRF attacks in: header @@ -43856,38 +37812,25 @@ paths: required: true schema: type: string - requestBody: - content: - application/json: - examples: - putUpdateCustomIntegrationRequestExample: - description: Update a custom integration - value: - datasets: - - name: my_custom_logs.access - type: logs - integrationName: my_custom_logs - schema: - additionalProperties: false - type: object - properties: - categories: - items: - type: string - maxItems: 10 - type: array - readMeData: - type: string - required: - - readMeData + - description: When true, delete the package even if it has active package policies + in: query + name: force + required: false + schema: + type: boolean responses: '200': content: application/json: examples: - putUpdateCustomIntegrationExample: - description: Custom integration successfully updated - value: {} + deletePackageExample: + description: Package successfully deleted + value: + items: + - id: aws-logs-aws.cloudwatch_logs-default + type: index_template + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_delete_package_response' description: Successful response '400': content: @@ -43918,55 +37861,50 @@ paths: - message - attributes description: Bad Request - summary: Update a custom integration + summary: Delete a package tags: - Elastic Package Manager (EPM) x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/epm/data_streams: get: description: |- **Spaces method and path for this operation:** -
get /s/{space_id}/api/fleet/epm/data_streams
+
get /s/{space_id}/api/fleet/epm/packages/{pkgName}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Get a list of data streams created by installed integration packages.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. - operationId: get-fleet-epm-data-streams + Get information about a package by name, returning the latest installed or available version. + operationId: get-fleet-epm-packages-pkgname parameters: - - description: Filter by data stream type + - description: Package name + in: path + name: pkgName + required: true + schema: + type: string + - description: When true, returns the package even if the signature cannot be verified in: query - name: type + name: ignoreUnverified required: false schema: - enum: - - logs - - metrics - - traces - - synthetics - - profiling - type: string - - description: Filter data streams by dataset name + type: boolean + - description: When true, include prerelease versions in: query - name: datasetQuery + name: prerelease required: false schema: - type: string - - description: Sort order, ascending or descending + type: boolean + - description: When true, return the full package info including assets in: query - name: sortOrder + name: full required: false schema: - default: asc - enum: - - asc - - desc - type: string - - description: When true, only return data streams that are not associated with a package + type: boolean + - description: When true, include package metadata such as whether it has package policies in: query - name: uncategorisedOnly + name: withMetadata required: false schema: default: false 
@@ -43976,33 +37914,23 @@ paths: content: application/json: examples: - getDataStreamsExample: - description: List of data streams from installed packages + getPackageInfoExample: + description: Package details and installation status value: - data_streams: - - ilm_policy: logs-default - index_template: logs-system.syslog - name: logs-system.syslog-default - package: system - package_version: 1.55.0 - title: System syslog logs + item: + assets: + kibana: + dashboard: [] + index_pattern: [] + categories: + - cloud + description: Collect logs and metrics from Amazon Web Services + name: aws + status: installed + title: AWS + version: 2.10.0 schema: - additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: false - type: object - properties: - name: - type: string - required: - - name - maxItems: 10000 - type: array - required: - - items + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_info_response' description: Successful response '400': content: @@ -44033,543 +37961,90 @@ paths: - message - attributes description: Bad Request - summary: Get data streams + summary: Get a package tags: - - Data streams + - Elastic Package Manager (EPM) x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/epm/packages: - get: + post: description: |- **Spaces method and path for this operation:** -
get /s/{space_id}/api/fleet/epm/packages
+
post /s/{space_id}/api/fleet/epm/packages/{pkgName}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Get a list of integration packages available in the registry.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. - operationId: get-fleet-epm-packages + Install the latest version of a package from the Elastic Package Registry.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-pkgname parameters: - - description: Filter packages by category - in: query - name: category - required: false + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: + example: 'true' type: string - - description: When true, include prerelease packages in the results + - description: Package name + in: path + name: pkgName + required: true + schema: + type: string + - description: When true, allow installing prerelease versions in: query name: prerelease required: false schema: type: boolean - - description: When true, exclude the install status from the response + - description: When true, ignore mapping update errors during installation in: query - name: excludeInstallStatus + name: ignoreMappingUpdateErrors required: false schema: + default: false type: boolean - - description: When true, include the number of package policies per package + - description: When true, skip data stream rollover after installation in: query - name: withPackagePoliciesCount + name: skipDataStreamRollover + required: false + schema: + default: false + type: boolean + - description: Skip dependency validation when installing a package with dependencies + in: query + name: skipDependencyCheck required: false schema: + default: false type: boolean + requestBody: + content: + application/json: + examples: + postInstallPackageRequestExample: + description: Install a package, optionally ignoring constraints + value: + ignore_constraints: false + schema: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_install_package_from_registry_request' + nullable: true responses: '200': content: application/json: examples: - getPackagesExample: - description: List of available integration packages + postInstallPackageExample: + description: Package successfully installed value: + _meta: + 
install_source: registry items: - - categories: - - cloud - description: Collect logs and metrics from Amazon Web Services - id: aws - name: aws - status: not_installed - title: AWS - version: 2.10.0 - searchExcluded: 0 - total: 1 + - id: aws-logs-aws.cloudwatch_logs-default + type: index_template schema: - additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: true - type: object - properties: - categories: - items: - type: string - maxItems: 100 - type: array - conditions: - additionalProperties: true - type: object - properties: - deprecated: - additionalProperties: true - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - elastic: - additionalProperties: true - type: object - properties: - capabilities: - items: - type: string - maxItems: 10 - type: array - subscription: - type: string - kibana: - additionalProperties: true - type: object - properties: - version: - type: string - data_streams: - items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 - type: array - deprecated: - additionalProperties: true - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - description: - type: string - discovery: - additionalProperties: true - type: object - properties: - datasets: - items: - additionalProperties: true - type: object - properties: - name: - type: string - required: - - name - maxItems: 100 - type: array - fields: - items: - additionalProperties: true - type: object - properties: - name: - type: string - required: - - name - maxItems: 100 - type: array - download: - type: string - format_version: - type: string - icons: - items: - additionalProperties: true - type: object - properties: - dark_mode: - type: boolean - path: - type: string - 
size: - type: string - src: - type: string - title: - type: string - type: - type: string - required: - - src - maxItems: 100 - type: array - id: - type: string - installationInfo: - additionalProperties: true - type: object - properties: - additional_spaces_installed_kibana: - additionalProperties: - items: - additionalProperties: true - type: object - properties: - deferred: - type: boolean - id: - type: string - originId: - type: string - type: - anyOf: - - enum: - - dashboard - - lens - - visualization - - search - - index-pattern - - map - - ml-module - - security-rule - - csp-rule-template - - osquery-pack-asset - - osquery-saved-query - - tag - type: string - - type: string - required: - - id - - type - maxItems: 100 - type: array - type: object - created_at: - type: string - experimental_data_stream_features: - items: - additionalProperties: true - type: object - properties: - data_stream: - type: string - features: - additionalProperties: true - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - install_format_schema_version: - type: string - install_source: - enum: - - registry - - upload - - bundled - - custom - type: string - install_status: - enum: - - installed - - installing - - install_failed - type: string - installed_es: - items: - additionalProperties: true - type: object - properties: - deferred: - type: boolean - id: - type: string - type: - enum: - - index - - index_template - - component_template - - ingest_pipeline - - ilm_policy - - data_stream_ilm_policy - - transform - - ml_model - - knowledge_base - - esql_view - type: string - version: - type: string - required: - - id - - type - maxItems: 10000 - type: array - installed_kibana: - items: - additionalProperties: true - type: object - properties: - deferred: - type: boolean - id: - type: string - 
originId: - type: string - type: - anyOf: - - enum: - - dashboard - - lens - - visualization - - search - - index-pattern - - map - - ml-module - - security-rule - - csp-rule-template - - osquery-pack-asset - - osquery-saved-query - - tag - type: string - - type: string - required: - - id - - type - maxItems: 10000 - type: array - installed_kibana_space_id: - type: string - is_rollback_ttl_expired: - type: boolean - latest_executed_state: - additionalProperties: true - type: object - properties: - error: - type: string - name: - type: string - started_at: - type: string - latest_install_failed_attempts: - items: - additionalProperties: true - type: object - properties: - created_at: - type: string - error: - additionalProperties: true - type: object - properties: - message: - type: string - name: - type: string - stack: - type: string - required: - - name - - message - target_version: - type: string - required: - - created_at - - target_version - - error - maxItems: 10 - type: array - name: - type: string - namespaces: - items: - type: string - maxItems: 100 - type: array - previous_version: - nullable: true - type: string - rolled_back: - type: boolean - type: - type: string - updated_at: - type: string - verification_key_id: - nullable: true - type: string - verification_status: - enum: - - unverified - - verified - - unknown - type: string - version: - type: string - required: - - type - - installed_kibana - - installed_es - - name - - version - - install_status - - install_source - - verification_status - integration: - type: string - internal: - type: boolean - latestVersion: - type: string - name: - type: string - owner: - additionalProperties: true - type: object - properties: - github: - type: string - type: - enum: - - elastic - - partner - - community - type: string - path: - type: string - policy_templates: - items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 - type: array - readme: - type: string - release: - enum: - - ga - 
- beta - - experimental - type: string - signature_path: - type: string - source: - additionalProperties: true - type: object - properties: - license: - type: string - required: - - license - status: - type: string - title: - type: string - type: - anyOf: - - enum: - - integration - type: string - - enum: - - input - type: string - - enum: - - content - type: string - - type: string - var_groups: - items: - additionalProperties: true - type: object - properties: - description: - type: string - name: - type: string - options: - items: - additionalProperties: true - type: object - properties: - description: - type: string - hide_in_deployment_modes: - items: - enum: - - default - - agentless - type: string - maxItems: 2 - type: array - name: - type: string - title: - type: string - vars: - items: - type: string - maxItems: 100 - type: array - required: - - name - - title - - vars - maxItems: 100 - type: array - selector_title: - type: string - title: - type: string - required: - - name - - title - - selector_title - - options - maxItems: 100 - type: array - vars: - items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 - type: array - version: - type: string - required: - - name - - version - - title - - id - maxItems: 10000 - type: array - required: - - items + $ref: '#/components/schemas/Kibana_HTTP_APIs_install_package_response' description: Successful response '400': content: @@ -44600,22 +38075,22 @@ paths: - message - attributes description: Bad Request - summary: Get packages + summary: Install a package from the registry tags: - Elastic Package Manager (EPM) x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - post: + put: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/epm/packages
+
put /s/{space_id}/api/fleet/epm/packages/{pkgName}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Install a package by uploading a .zip or .tar.gz archive (max 100MB). Only available to superusers.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages + Update settings for a package, such as whether policies are kept up to date automatically.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: put-fleet-epm-packages-pkgname parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -44624,139 +38099,46 @@ paths: schema: example: 'true' type: string - - description: When true, ignore mapping update errors during installation - in: query - name: ignoreMappingUpdateErrors - required: false - schema: - default: false - type: boolean - - description: When true, skip data stream rollover after installation - in: query - name: skipDataStreamRollover - required: false + - description: Package name + in: path + name: pkgName + required: true schema: - default: false - type: boolean + type: string requestBody: content: - application/gzip: - examples: - postInstallByUploadRequestExample: - description: Upload a .zip or .tar.gz package archive (max 100MB) - value: - application/gzip; application/zip: + application/json: examples: - postInstallByUploadRequestExample: - description: Upload a .zip or .tar.gz package archive (max 100MB) - value: + putUpdatePackageNamespaceCustomizationExample: + description: Enable namespace-level customization for the `production` and `staging` namespaces + value: + namespace_customization_enabled_for: + - production + - staging + putUpdatePackageRequestExample: + description: Update keep_policies_up_to_date setting for a package + value: + keepPoliciesUpToDate: true schema: - format: binary - type: string + $ref: '#/components/schemas/Kibana_HTTP_APIs_update_package_request' responses: '200': content: - application/gzip; application/zip: + application/json: examples: - postInstallByUploadExample: - description: Package successfully installed from upload + putUpdatePackageExample: + description: Updated package settings value: - _meta: - install_source: upload - items: - - id: my-custom-package-logs-default - type: index_template - schema: - additionalProperties: false - type: object - properties: - _meta: - additionalProperties: false - type: object - properties: - install_source: - type: string - name: - type: string - required: - - install_source - - name - items: - items: - anyOf: - - additionalProperties: false - 
type: object - properties: - deferred: - type: boolean - id: - type: string - originId: - type: string - type: - anyOf: - - enum: - - dashboard - - lens - - visualization - - search - - index-pattern - - map - - ml-module - - security-rule - - csp-rule-template - - osquery-pack-asset - - osquery-saved-query - - tag - type: string - - type: string - required: - - id - - type - - additionalProperties: false - type: object - properties: - deferred: - type: boolean - id: - type: string - type: - enum: - - index - - index_template - - component_template - - ingest_pipeline - - ilm_policy - - data_stream_ilm_policy - - transform - - ml_model - - knowledge_base - - esql_view - type: string - version: - type: string - required: - - id - - type - maxItems: 10000 - type: array - required: - - items - - _meta - application/json: - examples: - postInstallByUploadExample: - description: Package successfully installed from upload - value: - _meta: - install_source: upload - items: - - id: my-custom-package-logs-default - type: index_template + item: + keepPoliciesUpToDate: true + name: aws + version: 2.10.0 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_update_package_response' description: Successful response '400': content: - application/gzip; application/zip: + application/json: examples: genericErrorResponseExample: description: Example of a generic error response 
@@ -44782,32 +38164,24 @@ paths: required: - message - attributes - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 description: Bad Request - summary: Install a package by upload + summary: Update package settings tags: - Elastic Package Manager (EPM) x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/epm/packages/_bulk: - post: + /api/fleet/epm/packages/{pkgName}/{pkgVersion}: + delete: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/epm/packages/_bulk
+
delete /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Install multiple packages from the Elastic Package Registry in a single request.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-bulk + Uninstall a specific version of a package and remove all its assets.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: delete-fleet-epm-packages-pkgname-pkgversion parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -44816,180 +38190,37 @@ paths: schema: example: 'true' type: string - - description: When true, allow installing prerelease versions + - description: Package name + in: path + name: pkgName + required: true + schema: + type: string + - description: Package version + in: path + name: pkgVersion + required: true + schema: + type: string + - description: When true, delete the package even if it has active package policies in: query - name: prerelease + name: force required: false schema: type: boolean - requestBody: - content: - application/json: - examples: - postBulkInstallPackagesRequestExample: - description: Install multiple packages from the registry - value: - packages: - - system - - aws - schema: - additionalProperties: false - type: object - properties: - force: - default: false - type: boolean - packages: - items: - anyOf: - - type: string - - additionalProperties: false - type: object - properties: - name: - type: string - prerelease: - type: boolean - version: - type: string - required: - - name - - version - maxItems: 1000 - minItems: 1 - type: array - required: - - packages responses: '200': content: application/json: examples: - postBulkInstallPackagesExample: - description: Bulk install results + deletePackageExample: + description: Package successfully deleted value: items: - - name: system - result: - assets: [] - status: installed - - name: aws - result: - assets: [] - status: installed + - id: aws-logs-aws.cloudwatch_logs-default + type: index_template schema: - additionalProperties: false - type: object - properties: - items: - items: - anyOf: - - additionalProperties: false - type: object - properties: - name: - type: string - result: - additionalProperties: false - type: object - properties: - assets: - items: - anyOf: - - additionalProperties: false - type: object - properties: - deferred: - type: boolean - id: - type: string - originId: - type: string - type: - anyOf: - - enum: - - dashboard - - lens - - visualization - - search - - 
index-pattern - - map - - ml-module - - security-rule - - csp-rule-template - - osquery-pack-asset - - osquery-saved-query - - tag - type: string - - type: string - required: - - id - - type - - additionalProperties: false - type: object - properties: - deferred: - type: boolean - id: - type: string - type: - enum: - - index - - index_template - - component_template - - ingest_pipeline - - ilm_policy - - data_stream_ilm_policy - - transform - - ml_model - - knowledge_base - - esql_view - type: string - version: - type: string - required: - - id - - type - maxItems: 10000 - type: array - error: - nullable: true - installSource: - type: string - installType: - type: string - status: - enum: - - installed - - already_installed - type: string - required: - - error - - installType - version: - type: string - required: - - name - - version - - result - - additionalProperties: false - type: object - properties: - error: - anyOf: - - type: string - - nullable: true - name: - type: string - statusCode: - type: number - required: - - name - - statusCode - maxItems: 10000 - type: array - required: - - items + $ref: '#/components/schemas/Kibana_HTTP_APIs_delete_package_response' description: Successful response '400': content: @@ -45020,123 +38251,92 @@ paths: - message - attributes description: Bad Request - summary: Bulk install packages + summary: Delete a package tags: - Elastic Package Manager (EPM) x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/epm/packages/_bulk_namespace_customization: - post: + get: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/epm/packages/_bulk_namespace_customization
+
get /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Enable or disable namespace-level index template customization for a list of packages in one call. Use this for IaC-style declarative flows.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-bulk-namespace-customization + Get information about a specific version of a package. + operationId: get-fleet-epm-packages-pkgname-pkgversion parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf + - description: Package name + in: path + name: pkgName required: true schema: - example: 'true' type: string - requestBody: - content: - application/json: - examples: - bulkNamespaceCustomizationRequest: - value: - disable: - - dev - enable: - - production - - staging - packages: - - system - - nginx - schema: - additionalProperties: false - type: object - properties: - disable: - description: Namespaces to disable namespace-level customization for on each package. - items: - type: string - maxItems: 100 - type: array - enable: - description: Namespaces to enable namespace-level customization for on each package. - items: - type: string - maxItems: 100 - type: array - packages: - description: Package names to apply the customization changes to. 
- items: - type: string - maxItems: 1000 - minItems: 1 - type: array - required: - - packages + - description: Package version + in: path + name: pkgVersion + required: true + schema: + type: string + - description: When true, returns the package even if the signature cannot be verified + in: query + name: ignoreUnverified + required: false + schema: + type: boolean + - description: When true, include prerelease versions + in: query + name: prerelease + required: false + schema: + type: boolean + - description: When true, return the full package info including assets + in: query + name: full + required: false + schema: + type: boolean + - description: When true, include package metadata such as whether it has package policies + in: query + name: withMetadata + required: false + schema: + default: false + type: boolean responses: '200': content: application/json: examples: - successResponse: + getPackageInfoExample: + description: Package details and installation status value: - items: - - name: system - namespace_customization_enabled_for: - - production - - staging - success: true - - error: Package nginx is not installed - name: nginx - success: false + item: + assets: + kibana: + dashboard: [] + index_pattern: [] + categories: + - cloud + description: Collect logs and metrics from Amazon Web Services + name: aws + status: installed + title: AWS + version: 2.10.0 schema: - additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: false - type: object - properties: - error: - type: string - name: - type: string - namespace_customization_enabled_for: - description: 'The opt-in list on the package. Returned whenever the package is installed: the new list on success, or the unchanged list when the request is rejected (for example, because of a namespace-prefix restriction).' 
- items: - type: string - maxItems: 100 - type: array - success: - type: boolean - required: - - name - - success - maxItems: 1000 - type: array - required: - - items - description: 'OK: A successful request.' + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_info_response' + description: Successful response '400': content: application/json: examples: - badRequestResponse: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: 'Namespaces must not appear in both enable and disable: production' + message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false @@ -45156,24 +38356,23 @@ paths: required: - message - attributes - description: A bad request. - summary: Bulk enable/disable namespace-level customization for packages + description: Bad Request + summary: Get a package tags: - Elastic Package Manager (EPM) x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/epm/packages/_bulk_rollback: post: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/epm/packages/_bulk_rollback
+
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Rollback multiple packages to their previous versions.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-bulk-rollback + Install a specific version of a package from the Elastic Package Registry.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-pkgname-pkgversion parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -45182,57 +38381,83 @@ paths: schema: example: 'true' type: string + - description: Package name + in: path + name: pkgName + required: true + schema: + type: string + - description: Package version + in: path + name: pkgVersion + required: true + schema: + type: string + - description: When true, allow installing prerelease versions + in: query + name: prerelease + required: false + schema: + type: boolean + - description: When true, ignore mapping update errors during installation + in: query + name: ignoreMappingUpdateErrors + required: false + schema: + default: false + type: boolean + - description: When true, skip data stream rollover after installation + in: query + name: skipDataStreamRollover + required: false + schema: + default: false + type: boolean + - description: Skip dependency validation when installing a package with dependencies + in: query + name: skipDependencyCheck + required: false + schema: + default: false + type: boolean requestBody: content: application/json: examples: - bulkRollbackRequest: + postInstallPackageRequestExample: + description: Install a package, optionally ignoring constraints value: - packages: - - name: system + ignore_constraints: false schema: - additionalProperties: false - type: object - properties: - packages: - items: - additionalProperties: false - type: object - properties: - name: - description: Package name to rollback - type: string - required: - - name - maxItems: 1000 - minItems: 1 - type: array - required: - - packages + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_install_package_from_registry_request' + nullable: true responses: '200': content: application/json: examples: - successResponse: + postInstallPackageExample: + description: Package successfully installed value: - taskId: taskId + _meta: + install_source: registry + items: + - id: aws-logs-aws.cloudwatch_logs-default + type: index_template schema: - additionalProperties: false - type: object - properties: - taskId: - type: string - 
required: - - taskId - description: 'OK: A successful request.' + $ref: '#/components/schemas/Kibana_HTTP_APIs_install_package_response' + description: Successful response '400': content: application/json: examples: - badRequestResponse: + genericErrorResponseExample: + description: Example of a generic error response value: - message: Bad Request + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: additionalProperties: false description: Generic Error @@ -45251,85 +38476,159 @@ paths: required: - message - attributes - description: A bad request. - summary: Bulk rollback packages + description: Bad Request + summary: Install a package from the registry tags: - Elastic Package Manager (EPM) x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/epm/packages/_bulk_rollback/{taskId}: - get: + put: description: |- **Spaces method and path for this operation:** -
get /s/{space_id}/api/fleet/epm/packages/_bulk_rollback/{taskId}
+
put /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Get the status and results of a bulk package rollback operation.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: get-fleet-epm-packages-bulk-rollback-taskid + Update settings for a specific version of a package.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: put-fleet-epm-packages-pkgname-pkgversion parameters: - - description: Task ID of the bulk operation + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Package name in: path - name: taskId + name: pkgName + required: true + schema: + type: string + - description: Package version + in: path + name: pkgVersion required: true schema: type: string + requestBody: + content: + application/json: + examples: + putUpdatePackageNamespaceCustomizationExample: + description: Enable namespace-level customization for the `production` and `staging` namespaces + value: + namespace_customization_enabled_for: + - production + - staging + putUpdatePackageRequestExample: + description: Update keep_policies_up_to_date setting for a package + value: + keepPoliciesUpToDate: true + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_update_package_request' responses: '200': content: application/json: examples: - successResponse: + putUpdatePackageExample: + description: Updated package settings value: - status: success + item: + keepPoliciesUpToDate: true + name: aws + version: 2.10.0 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_update_package_response' + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: additionalProperties: false + description: Generic Error type: object properties: + attributes: + nullable: true error: - additionalProperties: false - type: object - properties: - message: - type: string - required: - - message - results: - items: - additionalProperties: false - type: object - properties: - error: - 
additionalProperties: false - type: object - properties: - message: - type: string - required: - - message - name: - type: string - success: - type: boolean - required: - - name - - success - maxItems: 10000 - type: array - status: type: string + errorType: + type: string + message: + type: string + statusCode: + type: number required: - - status - description: 'OK: A successful request.' + - message + - attributes + description: Bad Request + summary: Update package settings + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the contents of a specific file from a package.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-packages-pkgname-pkgversion-filepath + parameters: + - description: Package name + in: path + name: pkgName + required: true + schema: + type: string + - description: Package version + in: path + name: pkgVersion + required: true + schema: + type: string + - description: File path within the package + in: path + name: filePath + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getPackageFileExample: + description: The content of the requested package file + value: + schema: {} + description: Successful response — returns the file content '400': content: application/json: examples: - badRequestResponse: + genericErrorResponseExample: + description: Example of a generic error response value: - message: Bad Request + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: additionalProperties: false description: Generic Error @@ -45348,24 +38647,24 @@ paths: required: - message - attributes - description: A bad request. - summary: Get Bulk rollback packages details + description: Bad Request + summary: Get a package file tags: - Elastic Package Manager (EPM) x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/epm/packages/_bulk_uninstall: - post: + /api/fleet/epm/packages/{pkgName}/{pkgVersion}/datastream_assets: + delete: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/epm/packages/_bulk_uninstall
+
delete /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/datastream_assets
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Uninstall multiple packages in a single operation.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-bulk-uninstall + Delete datastream assets for a specific input package, by data stream name.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: delete-fleet-epm-packages-pkgname-pkgversion-datastream-assets parameters: - description: A required header to protect against CSRF attacks in: header @@ -45374,57 +38673,37 @@ paths: schema: example: 'true' type: string - requestBody: - content: - application/json: - examples: - postBulkUninstallPackagesRequestExample: - description: Uninstall multiple packages - value: - packages: - - name: aws - - name: gcp - schema: - additionalProperties: false - type: object - properties: - force: - default: false - type: boolean - packages: - items: - additionalProperties: false - type: object - properties: - name: - type: string - version: - type: string - required: - - name - - version - maxItems: 1000 - minItems: 1 - type: array - required: - - packages + - description: Package name + in: path + name: pkgName + required: true + schema: + type: string + - description: Package version + in: path + name: pkgVersion + required: true + schema: + type: string + - description: The ID of the package policy + in: query + name: packagePolicyId + required: true + schema: + type: string responses: '200': content: application/json: examples: - postBulkUninstallPackagesExample: - description: Bulk uninstall task initiated + deletePackageDatastreamAssetsExample: + description: Package datastream assets successfully deleted value: - taskId: task-id-1 + items: + - id: logs-my_package.access-default + type: index_template schema: - additionalProperties: false - type: object - properties: - taskId: - type: string - required: - - taskId + $ref: '#/components/schemas/Kibana_HTTP_APIs_delete_package_datastream_assets_response' description: Successful response '400': content: 
@@ -45455,27 +38734,33 @@ paths: - message - attributes description: Bad Request - summary: Bulk uninstall packages + summary: Delete assets for an input package tags: - Elastic Package Manager (EPM) x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/epm/packages/_bulk_uninstall/{taskId}: + /api/fleet/epm/packages/{pkgName}/{pkgVersion}/dependencies: get: description: |- **Spaces method and path for this operation:** -
get /s/{space_id}/api/fleet/epm/packages/_bulk_uninstall/{taskId}
+
get /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/dependencies
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Get the status and results of a bulk package uninstall operation.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: get-fleet-epm-packages-bulk-uninstall-taskid + Get the list of packages that a specific package depends on.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-packages-pkgname-pkgversion-dependencies parameters: - - description: Task ID of the bulk operation + - description: Package name in: path - name: taskId + name: pkgName + required: true + schema: + type: string + - description: Package version + in: path + name: pkgVersion required: true schema: type: string @@ -45484,64 +38769,28 @@ paths: content: application/json: examples: - getBulkOperationDetailsExample: - description: Details of the bulk operation task + dependenciesResponse: value: - packages: + items: + - name: aws + title: AWS + version: ^2.0.0 - name: system - result: installed - - name: elastic_agent - result: installed - status: success + title: System + version: ^1.0.0 + noDependenciesResponse: + value: + items: [] schema: - additionalProperties: false - type: object - properties: - error: - additionalProperties: false - type: object - properties: - message: - type: string - required: - - message - results: - items: - additionalProperties: false - type: object - properties: - error: - additionalProperties: false - type: object - properties: - message: - type: string - required: - - message - name: - type: string - success: - type: boolean - required: - - name - - success - maxItems: 10000 - type: array - status: - type: string - required: - - status - description: Successful response + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_dependencies_response' + description: 'OK: A successful request.' '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + packageNotFoundResponse: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + message: '[my-package-1.0.0] package not found in registry' schema: additionalProperties: false description: Generic Error 
@@ -45560,24 +38809,25 @@ paths: required: - message - attributes - description: Bad Request - summary: Get Bulk uninstall packages details + description: A bad request. + summary: Get package dependencies tags: - Elastic Package Manager (EPM) + x-state: Generally available x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/epm/packages/_bulk_upgrade: - post: + /api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets: + delete: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/epm/packages/_bulk_upgrade
+
delete /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Upgrade multiple packages to their latest versions.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-bulk-upgrade + Delete Kibana assets (dashboards, visualizations, etc.) for a specific package version.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: delete-fleet-epm-packages-pkgname-pkgversion-kibana-assets parameters: - description: A required header to protect against CSRF attacks in: header @@ -45586,61 +38836,31 @@ paths: schema: example: 'true' type: string - requestBody: - content: - application/json: - examples: - postBulkUpgradePackagesRequestExample: - description: Upgrade multiple packages to their latest versions - value: - packages: - - name: system - - name: elastic_agent - schema: - additionalProperties: false - type: object - properties: - force: - default: false - type: boolean - packages: - items: - additionalProperties: false - type: object - properties: - name: - type: string - version: - type: string - required: - - name - maxItems: 1000 - minItems: 1 - type: array - prerelease: - type: boolean - upgrade_package_policies: - default: false - type: boolean - required: - - packages + - description: Package name + in: path + name: pkgName + required: true + schema: + type: string + - description: Package version + in: path + name: pkgVersion + required: true + schema: + type: string responses: '200': content: application/json: examples: - postBulkUpgradePackagesExample: - description: Bulk upgrade task initiated + deleteKibanaAssetsExample: + description: Kibana assets successfully deleted value: - taskId: task-id-1 + items: + - id: dashboard-id-1 + type: dashboard schema: - additionalProperties: false - type: object - properties: - taskId: - type: string - required: - - taskId + $ref: '#/components/schemas/Kibana_HTTP_APIs_install_kibana_assets_response' description: Successful response '400': content: 
@@ -45671,82 +38891,66 @@ paths: - message - attributes description: Bad Request - summary: Bulk upgrade packages + summary: Delete Kibana assets for a package tags: - Elastic Package Manager (EPM) x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/epm/packages/_bulk_upgrade/{taskId}: - get: + post: description: |- **Spaces method and path for this operation:** -
get /s/{space_id}/api/fleet/epm/packages/_bulk_upgrade/{taskId}
+
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Get the status and results of a bulk package upgrade operation.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: get-fleet-epm-packages-bulk-upgrade-taskid + Install Kibana assets (dashboards, visualizations, etc.) for a specific package version.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-pkgname-pkgversion-kibana-assets parameters: - - description: Task ID of the bulk operation + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Package name in: path - name: taskId + name: pkgName required: true schema: type: string + - description: Package version + in: path + name: pkgVersion + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + postInstallKibanaAssetsRequestExample: + description: Install Kibana assets for a specific package version + value: {} + schema: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_install_kibana_assets_request' + nullable: true responses: '200': content: application/json: examples: - getBulkOperationDetailsExample: - description: Details of the bulk operation task + postInstallKibanaAssetsExample: + description: Kibana assets successfully installed value: - packages: - - name: system - result: installed - - name: elastic_agent - result: installed - status: success - schema: - additionalProperties: false - type: object - properties: - error: - additionalProperties: false - type: object - properties: - message: - type: string - required: - - message - results: items: - additionalProperties: false - type: object - properties: - error: - additionalProperties: false - type: object - properties: - message: - type: string - required: - - message - name: - type: string - success: - type: boolean - required: - - name - - success - maxItems: 10000 - type: array - status: - type: string - required: - - status + - id: dashboard-id-1 + type: dashboard + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_install_kibana_assets_response' description: Successful response '400': content: 
@@ -45777,23 +38981,23 @@ paths: - message - attributes description: Bad Request - summary: Get Bulk upgrade packages details + summary: Install Kibana assets for a package tags: - Elastic Package Manager (EPM) x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/epm/packages/{pkgName}: - delete: + /api/fleet/epm/packages/{pkgName}/{pkgVersion}/rule_assets: + post: description: |- **Spaces method and path for this operation:** -
delete /s/{space_id}/api/fleet/epm/packages/{pkgName}
+
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/rule_assets
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Uninstall a package and remove all its assets.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: delete-fleet-epm-packages-pkgname + Install Kibana alert rule assets for a specific package version.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-pkgname-pkgversion-rule-assets parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -45808,88 +39012,36 @@ paths: required: true schema: type: string - - description: When true, delete the package even if it has active package policies - in: query - name: force - required: false + - description: Package version + in: path + name: pkgVersion + required: true schema: - type: boolean + type: string + requestBody: + content: + application/json: + examples: + postInstallRuleAssetsRequestExample: + description: Install alert rule assets for a specific package version + value: {} + schema: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_install_rule_assets_request' + nullable: true responses: '200': content: application/json: examples: - deletePackageExample: - description: Package successfully deleted + postInstallRuleAssetsExample: + description: Rule assets successfully installed value: items: - - id: aws-logs-aws.cloudwatch_logs-default - type: index_template + - id: rule-asset-id-1 + type: security_rule schema: - additionalProperties: false - type: object - properties: - items: - items: - anyOf: - - additionalProperties: false - type: object - properties: - deferred: - type: boolean - id: - type: string - originId: - type: string - type: - anyOf: - - enum: - - dashboard - - lens - - visualization - - search - - index-pattern - - map - - ml-module - - security-rule - - csp-rule-template - - osquery-pack-asset - - osquery-saved-query - - tag - type: string - - type: string - required: - - id - - type - - additionalProperties: false - type: object - properties: - deferred: - type: boolean - id: - type: string - type: - enum: - - index - - index_template - - component_template - - ingest_pipeline - - ilm_policy - - data_stream_ilm_policy - - transform - - ml_model - - knowledge_base - - esql_view - type: string - version: - type: string - required: - - id - - type - maxItems: 10000 - type: array - required: - - items + $ref: '#/components/schemas/Kibana_HTTP_APIs_install_kibana_assets_response' description: Successful response '400': 
content: @@ -45920,619 +39072,89 @@ paths: - message - attributes description: Bad Request - summary: Delete a package + summary: Install Kibana alert rule for a package tags: - Elastic Package Manager (EPM) x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - get: + /api/fleet/epm/packages/{pkgName}/{pkgVersion}/transforms/authorize: + post: description: |- **Spaces method and path for this operation:** -
get /s/{space_id}/api/fleet/epm/packages/{pkgName}
+
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/transforms/authorize
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Get information about a package by name, returning the latest installed or available version. - operationId: get-fleet-epm-packages-pkgname + Reauthorize Elasticsearch transforms installed by a package with secondary authorization headers. + operationId: post-fleet-epm-packages-pkgname-pkgversion-transforms-authorize parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string - description: Package name in: path name: pkgName required: true schema: type: string - - description: When true, returns the package even if the signature cannot be verified - in: query - name: ignoreUnverified - required: false + - description: Package version + in: path + name: pkgVersion + required: true schema: - type: boolean - - description: When true, include prerelease versions + type: string + - description: When true, allow prerelease versions in: query name: prerelease required: false schema: type: boolean - - description: When true, return the full package info including assets - in: query - name: full - required: false - schema: - type: boolean - - description: When true, include package metadata such as whether it has package policies - in: query - name: withMetadata - required: false - schema: - default: false - type: boolean + requestBody: + content: + application/json: + examples: + postReauthorizeTransformsRequestExample: + description: Reauthorize transforms for a package + value: + transforms: + - destinations: + - index: logs-transform-dest + transformId: logs-transform-1 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_reauthorize_transform_request' responses: '200': content: application/json: examples: - getPackageInfoExample: - description: Package details and installation status + postReauthorizeTransformsExample: + description: Transforms successfully 
reauthorized value: - item: - assets: - kibana: - dashboard: [] - index_pattern: [] - categories: - - cloud - description: Collect logs and metrics from Amazon Web Services - name: aws - status: installed - title: AWS - version: 2.10.0 + - success: true + transformId: logs-transform-1 schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: true - type: object - properties: - agent: - additionalProperties: false - type: object - properties: - privileges: - additionalProperties: false - type: object - properties: - root: - type: boolean - asset_tags: - items: - additionalProperties: false - type: object - properties: - asset_ids: - items: - type: string - maxItems: 1000 - type: array - asset_types: - items: - type: string - maxItems: 100 - type: array - text: - type: string - required: - - text - maxItems: 1000 - type: array - assets: - additionalProperties: - nullable: true - type: object - categories: - items: - type: string - maxItems: 100 - type: array - conditions: - additionalProperties: true - type: object - properties: - deprecated: - additionalProperties: true - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - elastic: - additionalProperties: true - type: object - properties: - capabilities: - items: - type: string - maxItems: 10 - type: array - subscription: - type: string - kibana: - additionalProperties: true - type: object - properties: - version: - type: string - data_streams: - items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 - type: array - deprecated: - additionalProperties: true - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - description: - type: string - discovery: - additionalProperties: true - type: object - 
properties: - datasets: - items: - additionalProperties: true - type: object - properties: - name: - type: string - required: - - name - maxItems: 100 - type: array - fields: - items: - additionalProperties: true - type: object - properties: - name: - type: string - required: - - name - maxItems: 100 - type: array - download: - type: string - elasticsearch: - additionalProperties: - nullable: true - type: object - format_version: - type: string - icons: - items: - additionalProperties: true - type: object - properties: - dark_mode: - type: boolean - path: - type: string - size: - type: string - src: - type: string - title: - type: string - type: - type: string - required: - - src - maxItems: 100 - type: array - installationInfo: - additionalProperties: true - type: object - properties: - additional_spaces_installed_kibana: - additionalProperties: - items: - additionalProperties: true - type: object - properties: - deferred: - type: boolean - id: - type: string - originId: - type: string - type: - anyOf: - - enum: - - dashboard - - lens - - visualization - - search - - index-pattern - - map - - ml-module - - security-rule - - csp-rule-template - - osquery-pack-asset - - osquery-saved-query - - tag - type: string - - type: string - required: - - id - - type - maxItems: 100 - type: array - type: object - created_at: - type: string - experimental_data_stream_features: - items: - additionalProperties: true - type: object - properties: - data_stream: - type: string - features: - additionalProperties: true - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - install_format_schema_version: - type: string - install_source: - enum: - - registry - - upload - - bundled - - custom - type: string - install_status: - enum: - - installed - - installing - - install_failed - type: string - 
installed_es: - items: - additionalProperties: true - type: object - properties: - deferred: - type: boolean - id: - type: string - type: - enum: - - index - - index_template - - component_template - - ingest_pipeline - - ilm_policy - - data_stream_ilm_policy - - transform - - ml_model - - knowledge_base - - esql_view - type: string - version: - type: string - required: - - id - - type - maxItems: 10000 - type: array - installed_kibana: - items: - additionalProperties: true - type: object - properties: - deferred: - type: boolean - id: - type: string - originId: - type: string - type: - anyOf: - - enum: - - dashboard - - lens - - visualization - - search - - index-pattern - - map - - ml-module - - security-rule - - csp-rule-template - - osquery-pack-asset - - osquery-saved-query - - tag - type: string - - type: string - required: - - id - - type - maxItems: 10000 - type: array - installed_kibana_space_id: - type: string - is_rollback_ttl_expired: - type: boolean - latest_executed_state: - additionalProperties: true - type: object - properties: - error: - type: string - name: - type: string - started_at: - type: string - latest_install_failed_attempts: - items: - additionalProperties: true - type: object - properties: - created_at: - type: string - error: - additionalProperties: true - type: object - properties: - message: - type: string - name: - type: string - stack: - type: string - required: - - name - - message - target_version: - type: string - required: - - created_at - - target_version - - error - maxItems: 10 - type: array - name: - type: string - namespaces: - items: - type: string - maxItems: 100 - type: array - previous_version: - nullable: true - type: string - rolled_back: - type: boolean - type: - type: string - updated_at: - type: string - verification_key_id: - nullable: true - type: string - verification_status: - enum: - - unverified - - verified - - unknown - type: string - version: - type: string - required: - - type - - installed_kibana - - 
installed_es - - name - - version - - install_status - - install_source - - verification_status - internal: - type: boolean - keepPoliciesUpToDate: - type: boolean - latestVersion: - type: string - license: - type: string - licensePath: - type: string - name: - type: string - notice: - type: string - owner: - additionalProperties: true - type: object - properties: - github: - type: string - type: - enum: - - elastic - - partner - - community - type: string - path: - type: string - policy_templates: - items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 - type: array - readme: - type: string - release: - enum: - - ga - - beta - - experimental - type: string - screenshots: - items: - additionalProperties: false - type: object - properties: - dark_mode: - type: boolean - path: - type: string - size: - type: string - src: - type: string - title: - type: string - type: - type: string - required: - - src - maxItems: 100 - type: array - signature_path: - type: string - source: - additionalProperties: true - type: object - properties: - license: - type: string - required: - - license - status: - type: string - title: - type: string - type: - anyOf: - - enum: - - integration - type: string - - enum: - - input - type: string - - enum: - - content - type: string - - type: string - var_groups: - items: - additionalProperties: true - type: object - properties: - description: - type: string - name: - type: string - options: - items: - additionalProperties: true - type: object - properties: - description: - type: string - hide_in_deployment_modes: - items: - enum: - - default - - agentless - type: string - maxItems: 2 - type: array - name: - type: string - title: - type: string - vars: - items: - type: string - maxItems: 100 - type: array - required: - - name - - title - - vars - maxItems: 100 - type: array - selector_title: - type: string - title: - type: string - required: - - name - - title - - selector_title - - options - maxItems: 100 - type: array 
- vars: - items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 - type: array - version: - type: string - required: - - name - - version - - title - - assets - metadata: - additionalProperties: false - type: object - properties: - has_policies: - type: boolean - required: - - has_policies - required: - - item + items: + additionalProperties: false + type: object + properties: + error: + nullable: true + success: + type: boolean + transformId: + type: string + required: + - transformId + - success + - error + maxItems: 10000 + type: array description: Successful response '400': content: @@ -46563,22 +39185,23 @@ paths: - message - attributes description: Bad Request - summary: Get a package + summary: Authorize transforms tags: - Elastic Package Manager (EPM) x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name + /api/fleet/epm/packages/{pkgName}/review_upgrade: post: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/epm/packages/{pkgName}
+
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/review_upgrade
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Install the latest version of a package from the Elastic Package Registry.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-pkgname + Review and accept or reject a pending policy upgrade for a package that contains deprecations.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-pkgname-review-upgrade parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -46587,162 +39210,43 @@ paths: schema: example: 'true' type: string - - description: Package name + - description: Package name to review upgrade for in: path name: pkgName required: true schema: type: string - - description: When true, allow installing prerelease versions - in: query - name: prerelease - required: false - schema: - type: boolean - - description: When true, ignore mapping update errors during installation - in: query - name: ignoreMappingUpdateErrors - required: false - schema: - default: false - type: boolean - - description: When true, skip data stream rollover after installation - in: query - name: skipDataStreamRollover - required: false - schema: - default: false - type: boolean - - description: Skip dependency validation when installing a package with dependencies - in: query - name: skipDependencyCheck - required: false - schema: - default: false - type: boolean requestBody: content: application/json: examples: - postInstallPackageRequestExample: - description: Install a package, optionally ignoring constraints + acceptUpgrade: value: - ignore_constraints: false + action: accept + target_version: 2.0.0 schema: - additionalProperties: false - nullable: true - type: object - properties: - force: - default: false - type: boolean - ignore_constraints: - default: false - type: boolean + $ref: '#/components/schemas/Kibana_HTTP_APIs_review_upgrade_request' responses: '200': content: application/json: examples: - postInstallPackageExample: - description: Package successfully installed + successResponse: value: - _meta: - install_source: registry - items: - - id: aws-logs-aws.cloudwatch_logs-default - type: index_template + success: true + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_review_upgrade_response' + description: 'OK: A successful request.' 
+ '400': + content: + application/json: + examples: + badRequestResponse: + value: + message: Bad Request schema: additionalProperties: false - type: object - properties: - _meta: - additionalProperties: false - type: object - properties: - install_source: - type: string - name: - type: string - required: - - install_source - - name - items: - items: - anyOf: - - additionalProperties: false - type: object - properties: - deferred: - type: boolean - id: - type: string - originId: - type: string - type: - anyOf: - - enum: - - dashboard - - lens - - visualization - - search - - index-pattern - - map - - ml-module - - security-rule - - csp-rule-template - - osquery-pack-asset - - osquery-saved-query - - tag - type: string - - type: string - required: - - id - - type - - additionalProperties: false - type: object - properties: - deferred: - type: boolean - id: - type: string - type: - enum: - - index - - index_template - - component_template - - ingest_pipeline - - ilm_policy - - data_stream_ilm_policy - - transform - - ml_model - - knowledge_base - - esql_view - type: string - version: - type: string - required: - - id - - type - maxItems: 10000 - type: array - required: - - items - - _meta - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error + description: Generic Error type: object properties: attributes: 
@@ -46758,23 +39262,25 @@ paths: required: - message - attributes - description: Bad Request - summary: Install a package from the registry + description: A bad request. + summary: Review a pending policy upgrade for a package with deprecations tags: - Elastic Package Manager (EPM) + x-state: Generally available x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - put: + /api/fleet/epm/packages/{pkgName}/rollback: + post: description: |- **Spaces method and path for this operation:** -
put /s/{space_id}/api/fleet/epm/packages/{pkgName}
+
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/rollback
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Update settings for a package, such as whether policies are kept up to date automatically.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: put-fleet-epm-packages-pkgname + Rollback a package to its previously installed version.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-pkgname-rollback parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -46783,598 +39289,31 @@ paths: schema: example: 'true' type: string - - description: Package name + - description: Package name to roll back in: path name: pkgName required: true schema: type: string - requestBody: - content: - application/json: - examples: - putUpdatePackageNamespaceCustomizationExample: - description: Enable namespace-level customization for the `production` and `staging` namespaces - value: - namespace_customization_enabled_for: - - production - - staging - putUpdatePackageRequestExample: - description: Update keep_policies_up_to_date setting for a package - value: - keepPoliciesUpToDate: true - schema: - additionalProperties: false - type: object - properties: - keepPoliciesUpToDate: - type: boolean - namespace_customization_enabled_for: - description: Namespaces for which namespace-level customization is enabled on this package. - items: - type: string - maxItems: 100 - type: array responses: '200': content: application/json: examples: - putUpdatePackageExample: - description: Updated package settings + successResponse: value: - item: - keepPoliciesUpToDate: true - name: aws - version: 2.10.0 + success: true + version: 1.0.0 schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: true - type: object - properties: - agent: - additionalProperties: false - type: object - properties: - privileges: - additionalProperties: false - type: object - properties: - root: - type: boolean - asset_tags: - items: - additionalProperties: false - type: object - properties: - asset_ids: - items: - type: string - maxItems: 1000 - type: array - asset_types: - items: - type: string - maxItems: 100 - type: array - text: - type: string - required: - - text - maxItems: 1000 - type: array - assets: - additionalProperties: - nullable: true - type: object - categories: - items: - type: string - maxItems: 100 - type: array - conditions: - additionalProperties: true - type: object - properties: - deprecated: - 
additionalProperties: true - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - elastic: - additionalProperties: true - type: object - properties: - capabilities: - items: - type: string - maxItems: 10 - type: array - subscription: - type: string - kibana: - additionalProperties: true - type: object - properties: - version: - type: string - data_streams: - items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 - type: array - deprecated: - additionalProperties: true - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - description: - type: string - discovery: - additionalProperties: true - type: object - properties: - datasets: - items: - additionalProperties: true - type: object - properties: - name: - type: string - required: - - name - maxItems: 100 - type: array - fields: - items: - additionalProperties: true - type: object - properties: - name: - type: string - required: - - name - maxItems: 100 - type: array - download: - type: string - elasticsearch: - additionalProperties: - nullable: true - type: object - format_version: - type: string - icons: - items: - additionalProperties: true - type: object - properties: - dark_mode: - type: boolean - path: - type: string - size: - type: string - src: - type: string - title: - type: string - type: - type: string - required: - - src - maxItems: 100 - type: array - installationInfo: - additionalProperties: true - type: object - properties: - additional_spaces_installed_kibana: - additionalProperties: - items: - additionalProperties: true - type: object - properties: - deferred: - type: boolean - id: - type: string - originId: - type: string - type: - anyOf: - - enum: - - dashboard - - lens - - visualization - - search - - index-pattern - - 
map - - ml-module - - security-rule - - csp-rule-template - - osquery-pack-asset - - osquery-saved-query - - tag - type: string - - type: string - required: - - id - - type - maxItems: 100 - type: array - type: object - created_at: - type: string - experimental_data_stream_features: - items: - additionalProperties: true - type: object - properties: - data_stream: - type: string - features: - additionalProperties: true - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - install_format_schema_version: - type: string - install_source: - enum: - - registry - - upload - - bundled - - custom - type: string - install_status: - enum: - - installed - - installing - - install_failed - type: string - installed_es: - items: - additionalProperties: true - type: object - properties: - deferred: - type: boolean - id: - type: string - type: - enum: - - index - - index_template - - component_template - - ingest_pipeline - - ilm_policy - - data_stream_ilm_policy - - transform - - ml_model - - knowledge_base - - esql_view - type: string - version: - type: string - required: - - id - - type - maxItems: 10000 - type: array - installed_kibana: - items: - additionalProperties: true - type: object - properties: - deferred: - type: boolean - id: - type: string - originId: - type: string - type: - anyOf: - - enum: - - dashboard - - lens - - visualization - - search - - index-pattern - - map - - ml-module - - security-rule - - csp-rule-template - - osquery-pack-asset - - osquery-saved-query - - tag - type: string - - type: string - required: - - id - - type - maxItems: 10000 - type: array - installed_kibana_space_id: - type: string - is_rollback_ttl_expired: - type: boolean - latest_executed_state: - additionalProperties: true - type: object - properties: - error: - type: string - name: - type: string - 
started_at: - type: string - latest_install_failed_attempts: - items: - additionalProperties: true - type: object - properties: - created_at: - type: string - error: - additionalProperties: true - type: object - properties: - message: - type: string - name: - type: string - stack: - type: string - required: - - name - - message - target_version: - type: string - required: - - created_at - - target_version - - error - maxItems: 10 - type: array - name: - type: string - namespaces: - items: - type: string - maxItems: 100 - type: array - previous_version: - nullable: true - type: string - rolled_back: - type: boolean - type: - type: string - updated_at: - type: string - verification_key_id: - nullable: true - type: string - verification_status: - enum: - - unverified - - verified - - unknown - type: string - version: - type: string - required: - - type - - installed_kibana - - installed_es - - name - - version - - install_status - - install_source - - verification_status - internal: - type: boolean - keepPoliciesUpToDate: - type: boolean - latestVersion: - type: string - license: - type: string - licensePath: - type: string - name: - type: string - notice: - type: string - owner: - additionalProperties: true - type: object - properties: - github: - type: string - type: - enum: - - elastic - - partner - - community - type: string - path: - type: string - policy_templates: - items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 - type: array - readme: - type: string - release: - enum: - - ga - - beta - - experimental - type: string - screenshots: - items: - additionalProperties: false - type: object - properties: - dark_mode: - type: boolean - path: - type: string - size: - type: string - src: - type: string - title: - type: string - type: - type: string - required: - - src - maxItems: 100 - type: array - signature_path: - type: string - source: - additionalProperties: true - type: object - properties: - license: - type: string - required: - - 
license - status: - type: string - title: - type: string - type: - anyOf: - - enum: - - integration - type: string - - enum: - - input - type: string - - enum: - - content - type: string - - type: string - var_groups: - items: - additionalProperties: true - type: object - properties: - description: - type: string - name: - type: string - options: - items: - additionalProperties: true - type: object - properties: - description: - type: string - hide_in_deployment_modes: - items: - enum: - - default - - agentless - type: string - maxItems: 2 - type: array - name: - type: string - title: - type: string - vars: - items: - type: string - maxItems: 100 - type: array - required: - - name - - title - - vars - maxItems: 100 - type: array - selector_title: - type: string - title: - type: string - required: - - name - - title - - selector_title - - options - maxItems: 100 - type: array - vars: - items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 - type: array - version: - type: string - required: - - name - - version - - title - - assets - required: - - item - description: Successful response + $ref: '#/components/schemas/Kibana_HTTP_APIs_rollback_package_response' + description: 'OK: A successful request.' '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequestResponse: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + message: Bad Request schema: additionalProperties: false description: Generic Error 
@@ -47393,126 +39332,44 @@ paths: required: - message - attributes - description: Bad Request - summary: Update package settings + description: A bad request. + summary: Rollback a package to previous version tags: - Elastic Package Manager (EPM) + x-state: Technical Preview x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/epm/packages/{pkgName}/{pkgVersion}: - delete: + /api/fleet/epm/packages/{pkgName}/stats: + get: description: |- **Spaces method and path for this operation:** -
delete /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}
+
get /s/{space_id}/api/fleet/epm/packages/{pkgName}/stats
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Uninstall a specific version of a package and remove all its assets.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: delete-fleet-epm-packages-pkgname-pkgversion + Get usage statistics for a specific package, such as the number of agent policies using it.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-packages-pkgname-stats parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - description: Package name in: path name: pkgName required: true schema: type: string - - description: Package version - in: path - name: pkgVersion - required: true - schema: - type: string - - description: When true, delete the package even if it has active package policies - in: query - name: force - required: false - schema: - type: boolean responses: '200': content: application/json: examples: - deletePackageExample: - description: Package successfully deleted + getPackageStatsExample: + description: Usage stats for a specific package value: - items: - - id: aws-logs-aws.cloudwatch_logs-default - type: index_template + response: + agent_policy_count: 3 schema: - additionalProperties: false - type: object - properties: - items: - items: - anyOf: - - additionalProperties: false - type: object - properties: - deferred: - type: boolean - id: - type: string - originId: - type: string - type: - anyOf: - - enum: - - dashboard - - lens - - visualization - - search - - index-pattern - - map - - ml-module - - security-rule - - csp-rule-template - - osquery-pack-asset - - osquery-saved-query - - tag - type: string - - type: string - required: - - id - - type - - additionalProperties: false - type: object - properties: - deferred: - type: boolean - id: - type: string - type: - enum: - - index - - index_template - - component_template - - ingest_pipeline - - ilm_policy - - data_stream_ilm_policy - - transform - - ml_model - - knowledge_base - - esql_view - type: string - version: - type: string - required: - - id - - type - maxItems: 10000 - type: array - required: - - items + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_stats_response' description: 
Successful response '400': content: @@ -47543,625 +39400,97 @@ paths: - message - attributes description: Bad Request - summary: Delete a package + summary: Get package stats tags: - Elastic Package Manager (EPM) x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name + /api/fleet/epm/packages/installed: get: description: |- **Spaces method and path for this operation:** -
get /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}
+
get /s/{space_id}/api/fleet/epm/packages/installed
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Get information about a specific version of a package. - operationId: get-fleet-epm-packages-pkgname-pkgversion + Get a list of all currently installed integration packages.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-packages-installed parameters: - - description: Package name - in: path - name: pkgName - required: true - schema: - type: string - - description: Package version - in: path - name: pkgVersion - required: true + - description: Filter by data stream type + in: query + name: dataStreamType + required: false schema: + enum: + - logs + - metrics + - traces + - synthetics + - profiling type: string - - description: When true, returns the package even if the signature cannot be verified + - description: When true, only return packages with active data streams in: query - name: ignoreUnverified + name: showOnlyActiveDataStreams required: false schema: type: boolean - - description: When true, include prerelease versions + - description: Filter packages by name in: query - name: prerelease + name: nameQuery required: false schema: - type: boolean - - description: When true, return the full package info including assets + type: string + - description: Sort values from the previous page for `search_after` pagination in: query - name: full + name: searchAfter required: false schema: - type: boolean - - description: When true, include package metadata such as whether it has package policies + items: + anyOf: + - type: string + - type: number + maxItems: 10 + type: array + - description: Number of results per page in: query - name: withMetadata + name: perPage required: false schema: - default: false - type: boolean + default: 15 + type: number + - description: Sort order, ascending or descending + in: query + name: sortOrder + required: false + schema: + default: asc + enum: + - asc + - desc + type: string responses: '200': content: application/json: examples: - getPackageInfoExample: - description: Package details and installation status + getInstalledPackagesExample: + description: List of installed integration packages value: - item: - assets: - 
kibana: - dashboard: [] - index_pattern: [] - categories: - - cloud - description: Collect logs and metrics from Amazon Web Services - name: aws - status: installed - title: AWS - version: 2.10.0 + items: + - name: system + status: installed + title: System + version: 1.55.0 + - name: elastic_agent + status: installed + title: Elastic Agent + version: 1.15.0 + searchExcluded: 0 + total: 2 schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: true - type: object - properties: - agent: - additionalProperties: false - type: object - properties: - privileges: - additionalProperties: false - type: object - properties: - root: - type: boolean - asset_tags: - items: - additionalProperties: false - type: object - properties: - asset_ids: - items: - type: string - maxItems: 1000 - type: array - asset_types: - items: - type: string - maxItems: 100 - type: array - text: - type: string - required: - - text - maxItems: 1000 - type: array - assets: - additionalProperties: - nullable: true - type: object - categories: - items: - type: string - maxItems: 100 - type: array - conditions: - additionalProperties: true - type: object - properties: - deprecated: - additionalProperties: true - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - elastic: - additionalProperties: true - type: object - properties: - capabilities: - items: - type: string - maxItems: 10 - type: array - subscription: - type: string - kibana: - additionalProperties: true - type: object - properties: - version: - type: string - data_streams: - items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 - type: array - deprecated: - additionalProperties: true - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - 
description - description: - type: string - discovery: - additionalProperties: true - type: object - properties: - datasets: - items: - additionalProperties: true - type: object - properties: - name: - type: string - required: - - name - maxItems: 100 - type: array - fields: - items: - additionalProperties: true - type: object - properties: - name: - type: string - required: - - name - maxItems: 100 - type: array - download: - type: string - elasticsearch: - additionalProperties: - nullable: true - type: object - format_version: - type: string - icons: - items: - additionalProperties: true - type: object - properties: - dark_mode: - type: boolean - path: - type: string - size: - type: string - src: - type: string - title: - type: string - type: - type: string - required: - - src - maxItems: 100 - type: array - installationInfo: - additionalProperties: true - type: object - properties: - additional_spaces_installed_kibana: - additionalProperties: - items: - additionalProperties: true - type: object - properties: - deferred: - type: boolean - id: - type: string - originId: - type: string - type: - anyOf: - - enum: - - dashboard - - lens - - visualization - - search - - index-pattern - - map - - ml-module - - security-rule - - csp-rule-template - - osquery-pack-asset - - osquery-saved-query - - tag - type: string - - type: string - required: - - id - - type - maxItems: 100 - type: array - type: object - created_at: - type: string - experimental_data_stream_features: - items: - additionalProperties: true - type: object - properties: - data_stream: - type: string - features: - additionalProperties: true - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - install_format_schema_version: - type: string - install_source: - enum: - - registry - - upload - - bundled - - custom - type: 
string - install_status: - enum: - - installed - - installing - - install_failed - type: string - installed_es: - items: - additionalProperties: true - type: object - properties: - deferred: - type: boolean - id: - type: string - type: - enum: - - index - - index_template - - component_template - - ingest_pipeline - - ilm_policy - - data_stream_ilm_policy - - transform - - ml_model - - knowledge_base - - esql_view - type: string - version: - type: string - required: - - id - - type - maxItems: 10000 - type: array - installed_kibana: - items: - additionalProperties: true - type: object - properties: - deferred: - type: boolean - id: - type: string - originId: - type: string - type: - anyOf: - - enum: - - dashboard - - lens - - visualization - - search - - index-pattern - - map - - ml-module - - security-rule - - csp-rule-template - - osquery-pack-asset - - osquery-saved-query - - tag - type: string - - type: string - required: - - id - - type - maxItems: 10000 - type: array - installed_kibana_space_id: - type: string - is_rollback_ttl_expired: - type: boolean - latest_executed_state: - additionalProperties: true - type: object - properties: - error: - type: string - name: - type: string - started_at: - type: string - latest_install_failed_attempts: - items: - additionalProperties: true - type: object - properties: - created_at: - type: string - error: - additionalProperties: true - type: object - properties: - message: - type: string - name: - type: string - stack: - type: string - required: - - name - - message - target_version: - type: string - required: - - created_at - - target_version - - error - maxItems: 10 - type: array - name: - type: string - namespaces: - items: - type: string - maxItems: 100 - type: array - previous_version: - nullable: true - type: string - rolled_back: - type: boolean - type: - type: string - updated_at: - type: string - verification_key_id: - nullable: true - type: string - verification_status: - enum: - - unverified - - verified - - 
unknown - type: string - version: - type: string - required: - - type - - installed_kibana - - installed_es - - name - - version - - install_status - - install_source - - verification_status - internal: - type: boolean - keepPoliciesUpToDate: - type: boolean - latestVersion: - type: string - license: - type: string - licensePath: - type: string - name: - type: string - notice: - type: string - owner: - additionalProperties: true - type: object - properties: - github: - type: string - type: - enum: - - elastic - - partner - - community - type: string - path: - type: string - policy_templates: - items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 - type: array - readme: - type: string - release: - enum: - - ga - - beta - - experimental - type: string - screenshots: - items: - additionalProperties: false - type: object - properties: - dark_mode: - type: boolean - path: - type: string - size: - type: string - src: - type: string - title: - type: string - type: - type: string - required: - - src - maxItems: 100 - type: array - signature_path: - type: string - source: - additionalProperties: true - type: object - properties: - license: - type: string - required: - - license - status: - type: string - title: - type: string - type: - anyOf: - - enum: - - integration - type: string - - enum: - - input - type: string - - enum: - - content - type: string - - type: string - var_groups: - items: - additionalProperties: true - type: object - properties: - description: - type: string - name: - type: string - options: - items: - additionalProperties: true - type: object - properties: - description: - type: string - hide_in_deployment_modes: - items: - enum: - - default - - agentless - type: string - maxItems: 2 - type: array - name: - type: string - title: - type: string - vars: - items: - type: string - maxItems: 100 - type: array - required: - - name - - title - - vars - maxItems: 100 - type: array - selector_title: - type: string - title: - type: 
string - required: - - name - - title - - selector_title - - options - maxItems: 100 - type: array - vars: - items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 - type: array - version: - type: string - required: - - name - - version - - title - - assets - metadata: - additionalProperties: false - type: object - properties: - has_policies: - type: boolean - required: - - has_policies - required: - - item + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_installed_packages_response' description: Successful response '400': content: @@ -48192,30 +39521,85 @@ paths: - message - attributes description: Bad Request - summary: Get a package + summary: Get installed packages tags: - Elastic Package Manager (EPM) x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - post: + /api/fleet/epm/packages/limited: + get: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}
+
get /s/{space_id}/api/fleet/epm/packages/limited
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Install a specific version of a package from the Elastic Package Registry.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-pkgname-pkgversion - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string + Get the list of packages that cannot be uninstalled (e.g. elastic_agent, fleet_server).

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-packages-limited + parameters: [] + responses: + '200': + content: + application/json: + examples: + getLimitedPackagesExample: + description: List of packages that cannot be uninstalled + value: + items: + - elastic_agent + - fleet_server + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_limited_packages_response' + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get a limited package list + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get an inputs template for a package, used to pre-populate package policy forms.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-templates-pkgname-pkgversion-inputs + parameters: - description: Package name in: path name: pkgName 
@@ -48228,142 +39612,298 @@ paths: required: true schema: type: string - - description: When true, allow installing prerelease versions - in: query - name: prerelease - required: false - schema: - type: boolean - - description: When true, ignore mapping update errors during installation + - description: 'Output format for the inputs template: json, yml, or yaml' in: query - name: ignoreMappingUpdateErrors + name: format required: false schema: - default: false - type: boolean - - description: When true, skip data stream rollover after installation + default: json + enum: + - json + - yml + - yaml + type: string + - description: When true, allow prerelease versions in: query - name: skipDataStreamRollover + name: prerelease required: false schema: - default: false type: boolean - - description: Skip dependency validation when installing a package with dependencies + - description: When true, return inputs even if the package signature cannot be verified in: query - name: skipDependencyCheck + name: ignoreUnverified required: false schema: - default: false type: boolean - requestBody: - content: - application/json: - examples: - postInstallPackageRequestExample: - description: Install a package, optionally ignoring constraints - value: - ignore_constraints: false - schema: - additionalProperties: false - nullable: true - type: object - properties: - force: - default: false - type: boolean - ignore_constraints: - default: false - type: boolean responses: '200': content: application/json: examples: - postInstallPackageExample: - description: Package successfully installed + getInputsTemplateExample: + description: Inputs template for a package + value: + inputs: + - description: Collect logs from log files + title: Collect logs from files + type: logfile + vars: + - name: paths + required: true + title: Paths + type: text + schema: + anyOf: + - type: string + - $ref: '#/components/schemas/Kibana_HTTP_APIs_get_inputs_response' + description: Successful response + '400': 
+ content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get an inputs template + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/verification_key_id: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/verification_key_id
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the GPG key ID used to verify the signatures of packages from the Elastic Package Registry.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-verification-key-id + parameters: [] + responses: + '200': + content: + application/json: + examples: + getVerificationKeyIdExample: + description: The GPG key ID used to verify package signatures + value: + id: D27D666CD88E42B4 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_verification_key_id_response' + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get a package signature verification key ID + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/fleet_server_hosts: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/fleet_server_hosts
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all Fleet Server hosts.

[Required authorization] Route required privileges: fleet-agents-all OR fleet-settings-read. + operationId: get-fleet-fleet-server-hosts + parameters: [] + responses: + '200': + content: + application/json: + examples: + getFleetServerHostsExample: + description: List of Fleet Server hosts value: - _meta: - install_source: registry items: - - id: aws-logs-aws.cloudwatch_logs-default - type: index_template + - host_urls: + - https://fleet-server.example.com:8220 + id: fleet-server-host-id-1 + is_default: true + is_preconfigured: false + name: Default Fleet Server + page: 1 + perPage: 20 + total: 1 schema: additionalProperties: false type: object properties: - _meta: - additionalProperties: false - type: object - properties: - install_source: - type: string - name: - type: string - required: - - install_source - - name items: items: - anyOf: - - additionalProperties: false + additionalProperties: false + type: object + properties: + host_urls: + items: + type: string + maxItems: 10 + minItems: 1 + type: array + id: + type: string + is_default: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + default: false + type: boolean + name: + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: false type: object properties: - deferred: - type: boolean - id: - type: string - originId: - type: string - type: - anyOf: - - enum: - - dashboard - - lens - - visualization - - search - - index-pattern - - map - - ml-module - - security-rule - - csp-rule-template - - osquery-pack-asset - - osquery-saved-query - - tag - type: string - - type: string - required: - - id - - type - - additionalProperties: false + ssl: + additionalProperties: false + type: object + properties: + agent_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + es_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + 
required: + - id + - type: string + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + nullable: true type: object properties: - deferred: - type: boolean - id: + agent_certificate: type: string - type: + agent_certificate_authorities: + items: + type: string + maxItems: 10 + type: array + agent_key: + type: string + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + client_auth: enum: - - index - - index_template - - component_template - - ingest_pipeline - - ilm_policy - - data_stream_ilm_policy - - transform - - ml_model - - knowledge_base - - esql_view + - optional + - required + - none type: string - version: + es_certificate: type: string - required: - - id - - type + es_certificate_authorities: + items: + type: string + maxItems: 10 + type: array + es_key: + type: string + key: + type: string + required: + - name + - host_urls + - id maxItems: 10000 type: array + page: + type: number + perPage: + type: number + total: + type: number required: - items - - _meta + - total + - page + - perPage description: Successful response '400': content: @@ -48394,22 +39934,22 @@ paths: - message - attributes description: Bad Request - summary: Install a package from the registry + summary: Get Fleet Server hosts tags: - - Elastic Package Manager (EPM) + - Fleet Server hosts x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - put: + post: description: |- **Spaces method and path for this operation:** -
put /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}
+
post /s/{space_id}/api/fleet/fleet_server_hosts
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Update settings for a specific version of a package.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: put-fleet-epm-packages-pkgname-pkgversion + Create a new Fleet Server host.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: post-fleet-fleet-server-hosts parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -48418,591 +39958,245 @@ paths: schema: example: 'true' type: string - - description: Package name - in: path - name: pkgName - required: true - schema: - type: string - - description: Package version - in: path - name: pkgVersion - required: true - schema: - type: string requestBody: content: application/json: examples: - putUpdatePackageNamespaceCustomizationExample: - description: Enable namespace-level customization for the `production` and `staging` namespaces - value: - namespace_customization_enabled_for: - - production - - staging - putUpdatePackageRequestExample: - description: Update keep_policies_up_to_date setting for a package + postFleetServerHostRequestExample: + description: Create a new Fleet Server host value: - keepPoliciesUpToDate: true + host_urls: + - https://fleet-server.example.com:8220 + is_default: false + name: My Fleet Server schema: additionalProperties: false type: object properties: - keepPoliciesUpToDate: - type: boolean - namespace_customization_enabled_for: - description: Namespaces for which namespace-level customization is enabled on this package. 
+ host_urls: items: type: string - maxItems: 100 + maxItems: 10 + minItems: 1 type: array - responses: - '200': - content: - application/json: - examples: - putUpdatePackageExample: - description: Updated package settings - value: - item: - keepPoliciesUpToDate: true - name: aws - version: 2.10.0 - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: true - type: object - properties: - agent: - additionalProperties: false - type: object - properties: - privileges: - additionalProperties: false - type: object - properties: - root: - type: boolean - asset_tags: - items: - additionalProperties: false - type: object - properties: - asset_ids: - items: - type: string - maxItems: 1000 - type: array - asset_types: - items: - type: string - maxItems: 100 - type: array - text: - type: string - required: - - text - maxItems: 1000 - type: array - assets: - additionalProperties: - nullable: true - type: object - categories: - items: - type: string - maxItems: 100 - type: array - conditions: - additionalProperties: true - type: object - properties: - deprecated: - additionalProperties: true - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - elastic: - additionalProperties: true - type: object - properties: - capabilities: - items: - type: string - maxItems: 10 - type: array - subscription: - type: string - kibana: - additionalProperties: true - type: object - properties: - version: - type: string - data_streams: - items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 - type: array - deprecated: - additionalProperties: true - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - description: - type: string - discovery: - additionalProperties: true - type: 
object - properties: - datasets: - items: - additionalProperties: true - type: object - properties: - name: - type: string - required: - - name - maxItems: 100 - type: array - fields: - items: - additionalProperties: true - type: object - properties: - name: - type: string - required: - - name - maxItems: 100 - type: array - download: - type: string - elasticsearch: - additionalProperties: - nullable: true - type: object - format_version: - type: string - icons: - items: - additionalProperties: true - type: object - properties: - dark_mode: - type: boolean - path: - type: string - size: - type: string - src: - type: string - title: - type: string - type: - type: string - required: - - src - maxItems: 100 - type: array - installationInfo: - additionalProperties: true - type: object - properties: - additional_spaces_installed_kibana: - additionalProperties: - items: - additionalProperties: true - type: object - properties: - deferred: - type: boolean - id: - type: string - originId: - type: string - type: - anyOf: - - enum: - - dashboard - - lens - - visualization - - search - - index-pattern - - map - - ml-module - - security-rule - - csp-rule-template - - osquery-pack-asset - - osquery-saved-query - - tag - type: string - - type: string - required: - - id - - type - maxItems: 100 - type: array - type: object - created_at: - type: string - experimental_data_stream_features: - items: - additionalProperties: true - type: object - properties: - data_stream: - type: string - features: - additionalProperties: true - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - install_format_schema_version: - type: string - install_source: - enum: - - registry - - upload - - bundled - - custom - type: string - install_status: - enum: - - installed - - installing - - install_failed - type: 
string - installed_es: - items: - additionalProperties: true + id: + type: string + is_default: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + default: false + type: boolean + name: + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + ssl: + additionalProperties: false + type: object + properties: + agent_key: + anyOf: + - additionalProperties: false type: object properties: - deferred: - type: boolean id: type: string - type: - enum: - - index - - index_template - - component_template - - ingest_pipeline - - ilm_policy - - data_stream_ilm_policy - - transform - - ml_model - - knowledge_base - - esql_view - type: string - version: - type: string required: - id - - type - maxItems: 10000 - type: array - installed_kibana: - items: - additionalProperties: true + - type: string + es_key: + anyOf: + - additionalProperties: false type: object properties: - deferred: - type: boolean id: type: string - originId: - type: string - type: - anyOf: - - enum: - - dashboard - - lens - - visualization - - search - - index-pattern - - map - - ml-module - - security-rule - - csp-rule-template - - osquery-pack-asset - - osquery-saved-query - - tag - type: string - - type: string required: - id - - type - maxItems: 10000 - type: array - installed_kibana_space_id: - type: string - is_rollback_ttl_expired: - type: boolean - latest_executed_state: - additionalProperties: true - type: object - properties: - error: - type: string - name: - type: string - started_at: - type: string - latest_install_failed_attempts: - items: - additionalProperties: true + - type: string + key: + anyOf: + - additionalProperties: false type: object properties: - created_at: - type: string - error: - additionalProperties: true - type: object - properties: - message: - type: string - name: - type: string - stack: - type: string - required: - - name - - message - target_version: + id: type: string 
required: - - created_at - - target_version - - error - maxItems: 10 - type: array - name: - type: string - namespaces: - items: - type: string - maxItems: 100 - type: array - previous_version: - nullable: true - type: string - rolled_back: - type: boolean - type: - type: string - updated_at: - type: string - verification_key_id: - nullable: true - type: string - verification_status: - enum: - - unverified - - verified - - unknown - type: string - version: - type: string - required: - - type - - installed_kibana - - installed_es - - name - - version - - install_status - - install_source - - verification_status - internal: - type: boolean - keepPoliciesUpToDate: - type: boolean - latestVersion: - type: string - license: - type: string - licensePath: - type: string - name: + - id + - type: string + ssl: + additionalProperties: false + nullable: true + type: object + properties: + agent_certificate: + type: string + agent_certificate_authorities: + items: type: string - notice: + maxItems: 10 + type: array + agent_key: + type: string + certificate: + type: string + certificate_authorities: + items: type: string - owner: - additionalProperties: true - type: object - properties: - github: - type: string - type: - enum: - - elastic - - partner - - community - type: string - path: + maxItems: 10 + type: array + client_auth: + enum: + - optional + - required + - none + type: string + es_certificate: + type: string + es_certificate_authorities: + items: type: string - policy_templates: + maxItems: 10 + type: array + es_key: + type: string + key: + type: string + required: + - name + - host_urls + responses: + '200': + content: + application/json: + examples: + postFleetServerHostExample: + description: The created Fleet Server host + value: + item: + host_urls: + - https://fleet-server.example.com:8220 + id: fleet-server-host-id-2 + is_default: false + is_preconfigured: false + name: My Fleet Server + schema: + additionalProperties: false + type: object + properties: + 
item: + additionalProperties: false + type: object + properties: + host_urls: items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 + type: string + maxItems: 10 + minItems: 1 type: array - readme: + id: type: string - release: - enum: - - ga - - beta - - experimental + is_default: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + default: false + type: boolean + name: type: string - screenshots: - items: - additionalProperties: false - type: object - properties: - dark_mode: - type: boolean - path: - type: string - size: - type: string - src: - type: string - title: - type: string - type: - type: string - required: - - src - maxItems: 100 - type: array - signature_path: + proxy_id: + nullable: true type: string - source: - additionalProperties: true + secrets: + additionalProperties: false type: object properties: - license: - type: string - required: - - license - status: - type: string - title: - type: string - type: - anyOf: - - enum: - - integration + ssl: + additionalProperties: false + type: object + properties: + agent_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + es_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + nullable: true + type: object + properties: + agent_certificate: type: string - - enum: - - input + agent_certificate_authorities: + items: + type: string + maxItems: 10 + type: array + agent_key: type: string - - enum: - - content + certificate: type: string - - type: string - var_groups: - items: - additionalProperties: true - type: object - properties: - description: - type: string - name: - type: string - options: - items: - 
additionalProperties: true - type: object - properties: - description: - type: string - hide_in_deployment_modes: - items: - enum: - - default - - agentless - type: string - maxItems: 2 - type: array - name: - type: string - title: - type: string - vars: - items: - type: string - maxItems: 100 - type: array - required: - - name - - title - - vars - maxItems: 100 - type: array - selector_title: + certificate_authorities: + items: type: string - title: + maxItems: 10 + type: array + client_auth: + enum: + - optional + - required + - none + type: string + es_certificate: + type: string + es_certificate_authorities: + items: type: string - required: - - name - - title - - selector_title - - options - maxItems: 100 - type: array - vars: - items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 - type: array - version: - type: string + maxItems: 10 + type: array + es_key: + type: string + key: + type: string required: - name - - version - - title - - assets + - host_urls + - id required: - item description: Successful response @@ -49035,39 +40229,34 @@ paths: - message - attributes description: Bad Request - summary: Update package settings + summary: Create a Fleet Server host tags: - - Elastic Package Manager (EPM) + - Fleet Server hosts x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}: - get: + /api/fleet/fleet_server_hosts/{itemId}: + delete: description: |- **Spaces method and path for this operation:** -
get /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}
+
delete /s/{space_id}/api/fleet/fleet_server_hosts/{itemId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Get the contents of a specific file from a package.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. - operationId: get-fleet-epm-packages-pkgname-pkgversion-filepath + Delete a Fleet Server host by ID.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: delete-fleet-fleet-server-hosts-itemid parameters: - - description: Package name - in: path - name: pkgName - required: true - schema: - type: string - - description: Package version - in: path - name: pkgVersion + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: + example: 'true' type: string - - description: File path within the package + - description: The ID of the Fleet Server host in: path - name: filePath + name: itemId required: true schema: type: string @@ -49076,11 +40265,19 @@ paths: content: application/json: examples: - getPackageFileExample: - description: The content of the requested package file - value: - schema: {} - description: Successful response — returns the file content + deleteFleetServerHostExample: + description: The Fleet Server host was successfully deleted + value: + id: fleet-server-host-id-1 + schema: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + description: Successful response '400': content: application/json: @@ -49110,46 +40307,37 @@ paths: - message - attributes description: Bad Request - summary: Get a package file + '404': + content: + application/json: + examples: + notFoundExample: + description: No Fleet Server host was found with the given ID + value: + error: Not Found + message: Fleet server fleet-server-host-id-1 not found + statusCode: 404 + description: Not Found + summary: Delete a Fleet Server host tags: - - Elastic Package Manager (EPM) + - Fleet Server hosts x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/epm/packages/{pkgName}/{pkgVersion}/datastream_assets: - delete: + get: description: |- **Spaces method and path for this operation:** -
delete /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/datastream_assets
+
get /s/{space_id}/api/fleet/fleet_server_hosts/{itemId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Delete datastream assets for a specific input package, by data stream name.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: delete-fleet-epm-packages-pkgname-pkgversion-datastream-assets + Get a Fleet Server host by ID.

[Required authorization] Route required privileges: fleet-settings-read. + operationId: get-fleet-fleet-server-hosts-itemid parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Package name - in: path - name: pkgName - required: true - schema: - type: string - - description: Package version + - description: The ID of the Fleet Server host in: path - name: pkgVersion - required: true - schema: - type: string - - description: The ID of the package policy - in: query - name: packagePolicyId + name: itemId required: true schema: type: string 
@@ -49158,20 +40346,127 @@ paths: content: application/json: examples: - deletePackageDatastreamAssetsExample: - description: Package datastream assets successfully deleted + getFleetServerHostExample: + description: A Fleet Server host value: - items: - - id: logs-my_package.access-default - type: index_template + item: + host_urls: + - https://fleet-server.example.com:8220 + id: fleet-server-host-id-1 + is_default: true + is_preconfigured: false + name: Default Fleet Server schema: additionalProperties: false type: object properties: - success: - type: boolean + item: + additionalProperties: false + type: object + properties: + host_urls: + items: + type: string + maxItems: 10 + minItems: 1 + type: array + id: + type: string + is_default: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + default: false + type: boolean + name: + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + ssl: + additionalProperties: false + type: object + properties: + agent_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + es_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + nullable: true + type: object + properties: + agent_certificate: + type: string + agent_certificate_authorities: + items: + type: string + maxItems: 10 + type: array + agent_key: + type: string + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + client_auth: + enum: + - optional + - required + - none + type: string + es_certificate: + type: string + es_certificate_authorities: + items: + type: string + maxItems: 10 
+ type: array + es_key: + type: string + key: + type: string + required: + - name + - host_urls + - id required: - - success + - item description: Successful response '400': content: @@ -49202,84 +40497,292 @@ paths: - message - attributes description: Bad Request - summary: Delete assets for an input package + '404': + content: + application/json: + examples: + notFoundExample: + description: No Fleet Server host was found with the given ID + value: + error: Not Found + message: Fleet server fleet-server-host-id-1 not found + statusCode: 404 + description: Not Found + summary: Get a Fleet Server host tags: - - Elastic Package Manager (EPM) + - Fleet Server hosts x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/epm/packages/{pkgName}/{pkgVersion}/dependencies: - get: + put: description: |- **Spaces method and path for this operation:** -
get /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/dependencies
+
put /s/{space_id}/api/fleet/fleet_server_hosts/{itemId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Get the list of packages that a specific package depends on.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. - operationId: get-fleet-epm-packages-pkgname-pkgversion-dependencies + Update a Fleet Server host by ID.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: put-fleet-fleet-server-hosts-itemid parameters: - - description: Package name - in: path - name: pkgName + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: + example: 'true' type: string - - description: Package version + - description: The ID of the Fleet Server host in: path - name: pkgVersion + name: itemId required: true schema: type: string + requestBody: + content: + application/json: + examples: + putFleetServerHostRequestExample: + description: Update a Fleet Server host + value: + host_urls: + - https://updated-fleet-server.example.com:8220 + is_default: false + name: Updated Fleet Server + schema: + additionalProperties: false + type: object + properties: + host_urls: + items: + type: string + maxItems: 10 + minItems: 1 + type: array + is_default: + type: boolean + is_internal: + type: boolean + name: + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + ssl: + additionalProperties: false + type: object + properties: + agent_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + es_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + nullable: true + type: object + properties: + agent_certificate: + type: string + agent_certificate_authorities: + items: + type: string + maxItems: 10 + type: array + agent_key: + type: string + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + client_auth: + enum: + - optional + - required + - none + type: 
string + es_certificate: + type: string + es_certificate_authorities: + items: + type: string + maxItems: 10 + type: array + es_key: + type: string + key: + type: string + required: + - proxy_id responses: '200': content: application/json: examples: - dependenciesResponse: - value: - items: - - name: aws - title: AWS - version: ^2.0.0 - - name: system - title: System - version: ^1.0.0 - noDependenciesResponse: + putFleetServerHostExample: + description: The updated Fleet Server host value: - items: [] + item: + host_urls: + - https://updated-fleet-server.example.com:8220 + id: fleet-server-host-id-1 + is_default: false + is_preconfigured: false + name: Updated Fleet Server schema: additionalProperties: false type: object properties: - items: - items: - additionalProperties: false - type: object - properties: - name: - type: string - title: - type: string - version: + item: + additionalProperties: false + type: object + properties: + host_urls: + items: type: string - required: - - name - - version - - title - maxItems: 1000 - type: array + maxItems: 10 + minItems: 1 + type: array + id: + type: string + is_default: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + default: false + type: boolean + name: + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + ssl: + additionalProperties: false + type: object + properties: + agent_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + es_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + nullable: true + type: object + properties: + agent_certificate: + type: string + 
agent_certificate_authorities: + items: + type: string + maxItems: 10 + type: array + agent_key: + type: string + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + client_auth: + enum: + - optional + - required + - none + type: string + es_certificate: + type: string + es_certificate_authorities: + items: + type: string + maxItems: 10 + type: array + es_key: + type: string + key: + type: string + required: + - name + - host_urls + - id required: - - items - description: 'OK: A successful request.' + - item + description: Successful response '400': content: application/json: examples: - packageNotFoundResponse: + genericErrorResponseExample: + description: Example of a generic error response value: - message: '[my-package-1.0.0] package not found in registry' + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: additionalProperties: false description: Generic Error @@ -49298,25 +40801,35 @@ paths: required: - message - attributes - description: A bad request. - summary: Get package dependencies + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No Fleet Server host was found with the given ID + value: + error: Not Found + message: Fleet server fleet-server-host-id-1 not found + statusCode: 404 + description: Not Found + summary: Update a Fleet Server host tags: - - Elastic Package Manager (EPM) - x-state: Generally available + - Fleet Server hosts x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets: - delete: + /api/fleet/health_check: + post: description: |- **Spaces method and path for this operation:** -
delete /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets
+
post /s/{space_id}/api/fleet/health_check
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Delete Kibana assets (dashboards, visualizations, etc.) for a specific package version.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: delete-fleet-epm-packages-pkgname-pkgversion-kibana-assets + Check the health status of a Fleet Server instance by its host ID. Returns the server status and name if available.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: post-fleet-health-check parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -49325,47 +40838,59 @@ paths: schema: example: 'true' type: string - - description: Package name - in: path - name: pkgName - required: true - schema: - type: string - - description: Package version - in: path - name: pkgVersion - required: true - schema: - type: string + requestBody: + content: + application/json: + examples: + postHealthCheckRequestExample: + description: Check the health of a Fleet Server instance by its host ID + value: + id: fleet-server-host-id-1 + schema: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id responses: '200': content: application/json: examples: - deleteKibanaAssetsExample: - description: Kibana assets successfully deleted + postHealthCheckHealthyExample: + description: Fleet Server is online and healthy value: - items: - - id: dashboard-id-1 - type: dashboard + name: fleet-server-1 + status: ONLINE + postHealthCheckUnreachableExample: + description: Fleet Server host is not reachable (request timed out or aborted) + value: + host_id: fleet-server-host-id-1 + status: OFFLINE schema: additionalProperties: false type: object properties: - success: - type: boolean + host_id: + type: string + name: + type: string + status: + type: string required: - - success - description: Successful response + - status + description: Successful health check response '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequestExample: + description: The host ID exists but has no associated host URLs configured value: error: Bad Request - message: An error message describing what went wrong + message: The requested host id fleet-server-host-id-1 does not have associated host urls. statusCode: 400 schema: additionalProperties: false 
@@ -49386,82 +40911,82 @@ paths: - message - attributes description: Bad Request - summary: Delete Kibana assets for a package + '404': + content: + application/json: + examples: + notFoundExample: + description: No Fleet Server host was found with the given ID + value: + error: Not Found + message: The requested host id fleet-server-host-id-1 does not exist. + statusCode: 404 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Not Found + summary: Check Fleet Server health tags: - - Elastic Package Manager (EPM) + - Fleet internals x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - post: + /api/fleet/kubernetes: + get: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets
+
get /s/{space_id}/api/fleet/kubernetes
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Install Kibana assets (dashboards, visualizations, etc.) for a specific package version.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-pkgname-pkgversion-kibana-assets + Get the Kubernetes manifest for deploying Elastic Agent.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-setup. + operationId: get-fleet-kubernetes parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true + - description: If true, returns the manifest as a downloadable file + in: query + name: download + required: false schema: - example: 'true' - type: string - - description: Package name - in: path - name: pkgName - required: true + type: boolean + - description: Fleet Server host URL to include in the manifest + in: query + name: fleetServer + required: false schema: type: string - - description: Package version - in: path - name: pkgVersion - required: true + - description: Enrollment token to include in the manifest + in: query + name: enrolToken + required: false schema: type: string - requestBody: - content: - application/json: - examples: - postInstallKibanaAssetsRequestExample: - description: Install Kibana assets for a specific package version - value: {} - schema: - additionalProperties: false - nullable: true - type: object - properties: - force: - type: boolean - space_ids: - description: When provided install assets in the specified spaces instead of the current space. - items: - type: string - maxItems: 100 - minItems: 1 - type: array responses: '200': content: application/json: examples: - postInstallKibanaAssetsExample: - description: Kibana assets successfully installed + getK8sManifestExample: + description: The Kubernetes manifest for deploying Elastic Agent value: - items: - - id: dashboard-id-1 - type: dashboard + item: 'apiVersion: v1\nkind: ConfigMap\nmetadata:\n name: agent-node-datastreams\n namespace: kube-system\n' schema: - additionalProperties: false - type: object - properties: - success: - type: boolean - required: - - success + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_k8s_manifest_response' description: Successful response '400': content: 
@@ -49492,77 +41017,53 @@ paths: - message - attributes description: Bad Request - summary: Install Kibana assets for a package + summary: Get a full K8s agent manifest tags: - - Elastic Package Manager (EPM) + - Elastic Agent policies x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/epm/packages/{pkgName}/{pkgVersion}/rule_assets: - post: + /api/fleet/kubernetes/download: + get: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/rule_assets
+
get /s/{space_id}/api/fleet/kubernetes/download
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Install Kibana alert rule assets for a specific package version.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-pkgname-pkgversion-rule-assets + Download the Kubernetes manifest for deploying Elastic Agent.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-setup. + operationId: get-fleet-kubernetes-download parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true + - description: If true, returns the manifest as a downloadable file + in: query + name: download + required: false schema: - example: 'true' - type: string - - description: Package name - in: path - name: pkgName - required: true + type: boolean + - description: Fleet Server host URL to include in the manifest + in: query + name: fleetServer + required: false schema: type: string - - description: Package version - in: path - name: pkgVersion - required: true + - description: Enrollment token to include in the manifest + in: query + name: enrolToken + required: false schema: type: string - requestBody: - content: - application/json: - examples: - postInstallRuleAssetsRequestExample: - description: Install alert rule assets for a specific package version - value: {} - schema: - additionalProperties: false - nullable: true - type: object - properties: - force: - type: boolean responses: '200': content: application/json: examples: - postInstallRuleAssetsExample: - description: Rule assets successfully installed - value: - items: - - id: rule-asset-id-1 - type: security_rule + getDownloadK8sManifestExample: + description: The Kubernetes manifest download + value: 'apiVersion: v1\nkind: ConfigMap\nmetadata:\n name: agent-node-datastreams\n namespace: kube-system\n' schema: - additionalProperties: false - type: object - properties: - success: - type: boolean - required: - - success - description: Successful response + type: string + description: Successful response — returns the Kubernetes manifest as a YAML file download '400': content: application/json: 
@@ -49592,23 +41093,52 @@ paths: - message - attributes description: Bad Request - summary: Install Kibana alert rule for a package + '404': + content: + application/json: + examples: + notFoundExample: + description: No manifest was found + value: + error: Not Found + message: Agent manifest not found + statusCode: 404 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Not Found + summary: Download an agent manifest tags: - - Elastic Package Manager (EPM) + - Elastic Agent policies x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/epm/packages/{pkgName}/{pkgVersion}/transforms/authorize: + /api/fleet/logstash_api_keys: post: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/transforms/authorize
+
post /s/{space_id}/api/fleet/logstash_api_keys
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Reauthorize Elasticsearch transforms installed by a package with secondary authorization headers. - operationId: post-fleet-epm-packages-pkgname-pkgversion-transforms-authorize + Generate an API key for Logstash to use with a Fleet output.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: post-fleet-logstash-api-keys parameters: - description: A required header to protect against CSRF attacks in: header @@ -49617,79 +41147,23 @@ paths: schema: example: 'true' type: string - - description: Package name - in: path - name: pkgName - required: true - schema: - type: string - - description: Package version - in: path - name: pkgVersion - required: true - schema: - type: string - - description: When true, allow prerelease versions - in: query - name: prerelease - required: false - schema: - type: boolean - requestBody: - content: - application/json: - examples: - postReauthorizeTransformsRequestExample: - description: Reauthorize transforms for a package - value: - transforms: - - destinations: - - index: logs-transform-dest - transformId: logs-transform-1 - schema: - additionalProperties: false - type: object - properties: - transforms: - items: - additionalProperties: false - type: object - properties: - transformId: - type: string - required: - - transformId - maxItems: 1000 - type: array - required: - - transforms responses: '200': content: application/json: examples: - postReauthorizeTransformsExample: - description: Transforms successfully reauthorized + postLogstashApiKeyExample: + description: The generated Logstash API key value: - - success: true - transformId: logs-transform-1 + api_key: TiNAGG4BaaMdaH1tRfuU:KnR6yE41RrSowb0kQ0HWoA schema: - items: - additionalProperties: false - type: object - properties: - error: - nullable: true - success: - type: boolean - transformId: - type: string - required: - - transformId - - success - - error - maxItems: 10000 - type: array + additionalProperties: false + type: object + properties: + api_key: + type: string + required: + - api_key description: Successful response '400': content: 
@@ -49720,23 +41194,23 @@ paths: - message - attributes description: Bad Request - summary: Authorize transforms + summary: Generate a Logstash API key tags: - - Elastic Package Manager (EPM) + - Fleet outputs x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/epm/packages/{pkgName}/review_upgrade: + /api/fleet/message_signing_service/rotate_key_pair: post: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/review_upgrade
+
post /s/{space_id}/api/fleet/message_signing_service/rotate_key_pair
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Review and accept or reject a pending policy upgrade for a package that contains deprecations.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-pkgname-review-upgrade + Rotate the key pair used by Fleet to sign messages sent to Elastic Agents. This operation is irreversible and requires all agents in the Fleet to be re-enrolled after rotation. You must explicitly acknowledge the risk by passing `acknowledge=true` as a query parameter.

[Required authorization] Route required privileges: fleet-agents-all AND fleet-agent-policies-all AND fleet-settings-all. + operationId: post-fleet-message-signing-service-rotate-key-pair parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -49745,59 +41219,41 @@ paths: schema: example: 'true' type: string - - description: Package name to review upgrade for - in: path - name: pkgName - required: true + - description: Set to true to confirm you understand the risks of rotating the key pair + in: query + name: acknowledge + required: false schema: - type: string - requestBody: - content: - application/json: - examples: - acceptUpgrade: - value: - action: accept - target_version: 2.0.0 - schema: - additionalProperties: false - type: object - properties: - action: - enum: - - accept - - decline - - pending - type: string - target_version: - type: string - required: - - action - - target_version + default: false + type: boolean responses: '200': content: application/json: examples: - successResponse: + rotateKeyPairSuccessExample: + description: The key pair was rotated. All agents must be re-enrolled to receive the new signing key. value: - success: true + message: Key pair rotated successfully. schema: additionalProperties: false type: object properties: - success: - type: boolean + message: + type: string required: - - success - description: 'OK: A successful request.' + - message + description: Key pair rotated successfully '400': content: application/json: examples: - badRequestResponse: + acknowledgeRequiredExample: + description: Request was rejected because the acknowledge query parameter was not set to true value: - message: Bad Request + error: Bad Request + message: 'Warning: this API will cause a key pair to rotate and should not be necessary in normal operation. If you proceed, you may need to reinstall Agents in your network. You must acknowledge the risks of rotating the key pair with acknowledge=true in the request parameters. For more information, reach out to your administrator.' + statusCode: 400 schema: additionalProperties: false description: Generic Error 
@@ -49816,67 +41272,17 @@ paths: required: - message - attributes - description: A bad request. - summary: Review a pending policy upgrade for a package with deprecations - tags: - - Elastic Package Manager (EPM) - x-state: Generally available - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/epm/packages/{pkgName}/rollback: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/rollback
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Rollback a package to its previously installed version.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-pkgname-rollback - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Package name to roll back - in: path - name: pkgName - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - successResponse: - value: - success: true - version: 1.0.0 - schema: - additionalProperties: false - type: object - properties: - success: - type: boolean - version: - type: string - required: - - version - - success - description: 'OK: A successful request.' - '400': + description: Bad Request + '500': content: application/json: examples: - badRequestResponse: + serviceUnavailableExample: + description: The message signing service is not available value: - message: Bad Request + error: Internal Server Error + message: Failed to rotate key pair. Message signing service is unavailable! + statusCode: 500 schema: additionalProperties: false description: Generic Error @@ -49895,59 +41301,68 @@ paths: required: - message - attributes - description: A bad request. - summary: Rollback a package to previous version + description: Internal Server Error + summary: Rotate a Fleet message signing key pair tags: - - Elastic Package Manager (EPM) - x-state: Technical Preview + - Message Signing Service x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/epm/packages/{pkgName}/stats: + /api/fleet/outputs: get: description: |- **Spaces method and path for this operation:** -
get /s/{space_id}/api/fleet/epm/packages/{pkgName}/stats
+
get /s/{space_id}/api/fleet/outputs
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Get usage statistics for a specific package, such as the number of agent policies using it.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. - operationId: get-fleet-epm-packages-pkgname-stats - parameters: - - description: Package name - in: path - name: pkgName - required: true - schema: - type: string + List all Fleet outputs.

[Required authorization] Route required privileges: fleet-settings-read OR fleet-agent-policies-read. + operationId: get-fleet-outputs + parameters: [] responses: '200': content: application/json: examples: - getPackageStatsExample: - description: Usage stats for a specific package + getOutputsExample: + description: List of Fleet outputs value: - response: - agent_policy_count: 3 + items: + - hosts: + - https://elasticsearch.example.com:9200 + id: output-id-1 + is_default: true + is_default_monitoring: true + name: Default output + type: elasticsearch + page: 1 + perPage: 20 + total: 1 schema: additionalProperties: false type: object properties: - response: - additionalProperties: false - type: object - properties: - agent_policy_count: - type: number - package_policy_count: - type: number - required: - - agent_policy_count - - package_policy_count + items: + items: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_remote_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_logstash' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_kafka' + maxItems: 10000 + type: array + page: + type: number + perPage: + type: number + total: + type: number required: - - response + - items + - total + - page + - perPage description: Successful response '400': content: @@ -49978,171 +41393,77 @@ paths: - message - attributes description: Bad Request - summary: Get package stats + summary: Get outputs tags: - - Elastic Package Manager (EPM) + - Fleet outputs x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/epm/packages/installed: - get: + post: description: |- **Spaces method and path for this operation:** -
get /s/{space_id}/api/fleet/epm/packages/installed
+
post /s/{space_id}/api/fleet/outputs
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Get a list of all currently installed integration packages.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. - operationId: get-fleet-epm-packages-installed + Create a new Fleet output.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: post-fleet-outputs parameters: - - description: Filter by data stream type - in: query - name: dataStreamType - required: false - schema: - enum: - - logs - - metrics - - traces - - synthetics - - profiling - type: string - - description: When true, only return packages with active data streams - in: query - name: showOnlyActiveDataStreams - required: false - schema: - type: boolean - - description: Filter packages by name - in: query - name: nameQuery - required: false + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: + example: 'true' type: string - - description: Sort values from the previous page for `search_after` pagination - in: query - name: searchAfter - required: false - schema: - items: + requestBody: + content: + application/json: + examples: + postOutputRequestExample: + description: Create a new Elasticsearch output + value: + hosts: + - https://elasticsearch.example.com:9200 + is_default: false + is_default_monitoring: false + name: My output + type: elasticsearch + schema: anyOf: - - type: string - - type: number - maxItems: 10 - type: array - - description: Number of results per page - in: query - name: perPage - required: false - schema: - default: 15 - type: number - - description: Sort order, ascending or descending - in: query - name: sortOrder - required: false - schema: - default: asc - enum: - - asc - - desc - type: string + - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_output_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_output_remote_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_output_logstash' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_output_kafka' responses: '200': content: application/json: examples: - getInstalledPackagesExample: - description: List of installed integration packages + postOutputExample: + description: 
The created Fleet output value: - items: - - name: system - status: installed - title: System - version: 1.55.0 - - name: elastic_agent - status: installed - title: Elastic Agent - version: 1.15.0 - searchExcluded: 0 - total: 2 + item: + hosts: + - https://elasticsearch.example.com:9200 + id: output-id-2 + is_default: false + is_default_monitoring: false + name: My output + type: elasticsearch schema: additionalProperties: false type: object properties: - items: - items: - additionalProperties: false - type: object - properties: - dataStreams: - items: - additionalProperties: false - type: object - properties: - name: - type: string - title: - type: string - required: - - name - - title - maxItems: 10000 - type: array - description: - type: string - icons: - items: - additionalProperties: false - type: object - properties: - dark_mode: - type: boolean - path: - type: string - size: - type: string - src: - type: string - title: - type: string - type: - type: string - required: - - src - maxItems: 100 - type: array - name: - type: string - status: - type: string - title: - type: string - version: - type: string - required: - - name - - version - - status - - dataStreams - maxItems: 10000 - type: array - searchAfter: - items: - anyOf: - - type: string - - type: number - - type: boolean - - nullable: true - nullable: true - maxItems: 2 - type: array - total: - type: number + item: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_remote_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_logstash' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_kafka' required: - - items - - total + - item description: Successful response '400': content: 
@@ -50173,46 +41494,54 @@ paths: - message - attributes description: Bad Request - summary: Get installed packages + summary: Create output tags: - - Elastic Package Manager (EPM) + - Fleet outputs x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/epm/packages/limited: - get: + /api/fleet/outputs/{outputId}: + delete: description: |- **Spaces method and path for this operation:** -
get /s/{space_id}/api/fleet/epm/packages/limited
+
delete /s/{space_id}/api/fleet/outputs/{outputId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Get the list of packages that cannot be uninstalled (e.g. elastic_agent, fleet_server).

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. - operationId: get-fleet-epm-packages-limited - parameters: [] + Delete output by ID.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: delete-fleet-outputs-outputid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The ID of the output + in: path + name: outputId + required: true + schema: + type: string responses: '200': content: application/json: examples: - getLimitedPackagesExample: - description: List of packages that cannot be uninstalled + deleteOutputExample: + description: The output was successfully deleted value: - items: - - elastic_agent - - fleet_server + id: output-id-1 schema: additionalProperties: false type: object properties: - items: - items: - type: string - maxItems: 10000 - type: array + id: + type: string required: - - items + - id description: Successful response '400': content: @@ -50243,171 +41572,86 @@ paths: - message - attributes description: Bad Request - summary: Get a limited package list + '404': + content: + application/json: + examples: + notFoundExample: + description: No output was found with the given ID + value: + error: Not Found + message: Output output-id-1 not found + statusCode: 404 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Not Found + summary: Delete output tags: - - Elastic Package Manager (EPM) + - Fleet outputs x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs: get: description: |- **Spaces method and path for this operation:** -
get /s/{space_id}/api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs
+
get /s/{space_id}/api/fleet/outputs/{outputId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Get an inputs template for a package, used to pre-populate package policy forms.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. - operationId: get-fleet-epm-templates-pkgname-pkgversion-inputs + Get output by ID.

[Required authorization] Route required privileges: fleet-settings-read OR fleet-agent-policies-read. + operationId: get-fleet-outputs-outputid parameters: - - description: Package name - in: path - name: pkgName - required: true - schema: - type: string - - description: Package version + - description: The ID of the output in: path - name: pkgVersion + name: outputId required: true schema: type: string - - description: 'Output format for the inputs template: json, yml, or yaml' - in: query - name: format - required: false - schema: - default: json - enum: - - json - - yml - - yaml - type: string - - description: When true, allow prerelease versions - in: query - name: prerelease - required: false - schema: - type: boolean - - description: When true, return inputs even if the package signature cannot be verified - in: query - name: ignoreUnverified - required: false - schema: - type: boolean responses: '200': content: application/json: examples: - getInputsTemplateExample: - description: Inputs template for a package + getOutputExample: + description: A Fleet output value: - inputs: - - description: Collect logs from log files - title: Collect logs from files - type: logfile - vars: - - name: paths - required: true - title: Paths - type: text + item: + hosts: + - https://elasticsearch.example.com:9200 + id: output-id-1 + is_default: true + is_default_monitoring: true + name: Default output + type: elasticsearch schema: - anyOf: - - type: string - - additionalProperties: false - type: object - properties: - connectors: - additionalProperties: - nullable: true - type: object - exporters: - additionalProperties: - nullable: true - type: object - extensions: - additionalProperties: - nullable: true - type: object - inputs: - items: - additionalProperties: false - type: object - properties: - id: - type: string - streams: - items: - additionalProperties: true - type: object - properties: - data_stream: - additionalProperties: true - type: object - properties: - dataset: 
- type: string - type: - type: string - required: - - dataset - id: - type: string - required: - - id - - data_stream - maxItems: 10000 - type: array - type: - type: string - required: - - id - - type - maxItems: 10000 - type: array - processors: - additionalProperties: - nullable: true - type: object - receivers: - additionalProperties: - nullable: true - type: object - service: - additionalProperties: false - type: object - properties: - extensions: - items: - type: string - maxItems: 1000 - type: array - pipelines: - additionalProperties: - additionalProperties: false - type: object - properties: - exporters: - items: - type: string - maxItems: 1000 - type: array - processors: - items: - type: string - maxItems: 1000 - type: array - receivers: - items: - type: string - maxItems: 1000 - type: array - x-oas-optional: true - type: object - required: - - inputs + additionalProperties: false + type: object + properties: + item: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_remote_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_logstash' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_kafka' + required: + - item description: Successful response '400': content: @@ -50438,42 +41682,91 @@ paths: - message - attributes description: Bad Request - summary: Get an inputs template + '404': + content: + application/json: + examples: + notFoundExample: + description: No output was found with the given ID + value: + error: Not Found + message: Output output-id-1 not found + statusCode: 404 + description: Not Found + summary: Get output tags: - - Elastic Package Manager (EPM) + - Fleet outputs x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/epm/verification_key_id: - get: + put: description: |- **Spaces method and path for this operation:** -
get /s/{space_id}/api/fleet/epm/verification_key_id
+
put /s/{space_id}/api/fleet/outputs/{outputId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Get the GPG key ID used to verify the signatures of packages from the Elastic Package Registry.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. - operationId: get-fleet-epm-verification-key-id - parameters: [] + Update output by ID.

[Required authorization] Route required privileges: fleet-settings-all OR fleet-agent-policies-all. + operationId: put-fleet-outputs-outputid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The ID of the output + in: path + name: outputId + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + putOutputRequestExample: + description: Update a Fleet output + value: + hosts: + - https://updated-elasticsearch.example.com:9200 + name: Updated output + schema: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_output_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_output_remote_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_output_logstash' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_output_kafka' responses: '200': content: application/json: examples: - getVerificationKeyIdExample: - description: The GPG key ID used to verify package signatures + putOutputExample: + description: The updated Fleet output value: - id: D27D666CD88E42B4 + item: + hosts: + - https://updated-elasticsearch.example.com:9200 + id: output-id-1 + is_default: true + is_default_monitoring: true + name: Updated output + type: elasticsearch schema: additionalProperties: false type: object properties: - id: - nullable: true - type: string + item: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_remote_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_logstash' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_kafka' required: - - id + - item description: Successful response '400': content: 
@@ -50504,165 +41797,69 @@ paths: - message - attributes description: Bad Request - summary: Get a package signature verification key ID + '404': + content: + application/json: + examples: + notFoundExample: + description: No output was found with the given ID + value: + error: Not Found + message: Output output-id-1 not found + statusCode: 404 + description: Not Found + summary: Update output tags: - - Elastic Package Manager (EPM) + - Fleet outputs x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/fleet_server_hosts: + /api/fleet/outputs/{outputId}/health: get: description: |- **Spaces method and path for this operation:** -
get /s/{space_id}/api/fleet/fleet_server_hosts
+
get /s/{space_id}/api/fleet/outputs/{outputId}/health
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - List all Fleet Server hosts.

[Required authorization] Route required privileges: fleet-agents-all OR fleet-settings-read. - operationId: get-fleet-fleet-server-hosts - parameters: [] + Get the latest health status of an output by ID.

[Required authorization] Route required privileges: fleet-settings-read. + operationId: get-fleet-outputs-outputid-health + parameters: + - description: The ID of the output + in: path + name: outputId + required: true + schema: + type: string responses: '200': content: application/json: examples: - getFleetServerHostsExample: - description: List of Fleet Server hosts + getOutputHealthExample: + description: The latest health status of a Fleet output value: - items: - - host_urls: - - https://fleet-server.example.com:8220 - id: fleet-server-host-id-1 - is_default: true - is_preconfigured: false - name: Default Fleet Server - page: 1 - perPage: 20 - total: 1 + message: '' + state: HEALTHY + timestamp: '2024-01-15T10:00:00.000Z' schema: additionalProperties: false type: object properties: - items: - items: - additionalProperties: false - type: object - properties: - host_urls: - items: - type: string - maxItems: 10 - minItems: 1 - type: array - id: - type: string - is_default: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: - default: false - type: boolean - name: - type: string - proxy_id: - nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - ssl: - additionalProperties: false - type: object - properties: - agent_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - es_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - nullable: true - type: object - properties: - agent_certificate: - type: string - agent_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - agent_key: - type: string - certificate: - type: string - 
certificate_authorities: - items: - type: string - maxItems: 10 - type: array - client_auth: - enum: - - optional - - required - - none - type: string - es_certificate: - type: string - es_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - es_key: - type: string - key: - type: string - required: - - name - - host_urls - - id - maxItems: 10000 - type: array - page: - type: number - perPage: - type: number - total: - type: number + message: + description: long message if unhealthy + type: string + state: + description: state of output, HEALTHY or DEGRADED + type: string + timestamp: + description: timestamp of reported state + type: string required: - - items - - total - - page - - perPage + - state + - message + - timestamp description: Successful response '400': content: @@ -50693,271 +41890,123 @@ paths: - message - attributes description: Bad Request - summary: Get Fleet Server hosts + summary: Get the latest output health tags: - - Fleet Server hosts + - Fleet outputs x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - post: + /api/fleet/package_policies: + get: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/fleet_server_hosts
+
get /s/{space_id}/api/fleet/package_policies
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Create a new Fleet Server host.

[Required authorization] Route required privileges: fleet-settings-all. - operationId: post-fleet-fleet-server-hosts + List all package policies. + operationId: get-fleet-package-policies parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true + - description: Page number + in: query + name: page + required: false + schema: + type: number + - description: Number of results per page + in: query + name: perPage + required: false + schema: + type: number + - description: Field to sort results by + in: query + name: sortField + required: false schema: - example: 'true' type: string - requestBody: - content: - application/json: - examples: - postFleetServerHostRequestExample: - description: Create a new Fleet Server host - value: - host_urls: - - https://fleet-server.example.com:8220 - is_default: false - name: My Fleet Server - schema: - additionalProperties: false - type: object - properties: - host_urls: - items: - type: string - maxItems: 10 - minItems: 1 - type: array - id: - type: string - is_default: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: - default: false - type: boolean - name: - type: string - proxy_id: - nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - ssl: - additionalProperties: false - type: object - properties: - agent_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - es_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - nullable: true - type: object - properties: - agent_certificate: - type: string - agent_certificate_authorities: - items: - type: string - 
maxItems: 10 - type: array - agent_key: - type: string - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - client_auth: - enum: - - optional - - required - - none - type: string - es_certificate: - type: string - es_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - es_key: - type: string - key: - type: string - required: - - name - - host_urls + - description: Sort order, ascending or descending + in: query + name: sortOrder + required: false + schema: + enum: + - desc + - asc + type: string + - description: When true, only show policies with available upgrades + in: query + name: showUpgradeable + required: false + schema: + type: boolean + - description: A KQL query string to filter results + in: query + name: kuery + required: false + schema: + type: string + - description: 'Format for the response: simplified or legacy' + in: query + name: format + required: false + schema: + enum: + - simplified + - legacy + type: string + - description: When true, include the agent count per package policy + in: query + name: withAgentCount + required: false + schema: + type: boolean responses: '200': content: application/json: examples: - postFleetServerHostExample: - description: The created Fleet Server host + getPackagePoliciesExample: + description: List of package policies value: - item: - host_urls: - - https://fleet-server.example.com:8220 - id: fleet-server-host-id-2 - is_default: false - is_preconfigured: false - name: My Fleet Server + items: + - created_at: '2024-01-15T10:00:00.000Z' + enabled: true + id: package-policy-id-1 + inputs: [] + name: nginx-1 + namespace: default + package: + name: nginx + title: Nginx + version: 1.20.0 + policy_ids: + - agent-policy-id-1 + updated_at: '2024-01-15T10:00:00.000Z' + page: 1 + perPage: 20 + total: 1 schema: additionalProperties: false type: object properties: - item: - additionalProperties: false - type: object - properties: - 
host_urls: - items: - type: string - maxItems: 10 - minItems: 1 - type: array - id: - type: string - is_default: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: - default: false - type: boolean - name: - type: string - proxy_id: - nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - ssl: - additionalProperties: false - type: object - properties: - agent_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - es_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - nullable: true - type: object - properties: - agent_certificate: - type: string - agent_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - agent_key: - type: string - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - client_auth: - enum: - - optional - - required - - none - type: string - es_certificate: - type: string - es_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - es_key: - type: string - key: - type: string - required: - - name - - host_urls - - id + items: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_response' + maxItems: 10000 + type: array + page: + type: number + perPage: + type: number + total: + type: number required: - - item + - items + - total + - page + - perPage description: Successful response '400': content: 
@@ -50988,23 +42037,22 @@ paths: - message - attributes description: Bad Request - summary: Create a Fleet Server host + summary: Get package policies tags: - - Fleet Server hosts + - Fleet package policies x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/fleet/fleet_server_hosts/{itemId}: - delete: + post: description: |- **Spaces method and path for this operation:** -
delete /s/{space_id}/api/fleet/fleet_server_hosts/{itemId}
+
post /s/{space_id}/api/fleet/package_policies
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Delete a Fleet Server host by ID.

[Required authorization] Route required privileges: fleet-settings-all. - operationId: delete-fleet-fleet-server-hosts-itemid + Create a new package policy and assign it to an agent policy. + operationId: post-fleet-package-policies parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -51013,29 +42061,59 @@ paths: schema: example: 'true' type: string - - description: The ID of the Fleet Server host - in: path - name: itemId - required: true + - description: 'Format for the response: simplified or legacy' + in: query + name: format + required: false schema: + enum: + - simplified + - legacy type: string - responses: - '200': - content: - application/json: - examples: - deleteFleetServerHostExample: - description: The Fleet Server host was successfully deleted - value: - id: fleet-server-host-id-1 + requestBody: + content: + application/json: + examples: + postPackagePolicyRequestExample: + description: Create a new nginx package policy + value: + inputs: {} + name: nginx-1 + namespace: default + package: + name: nginx + version: 1.20.0 + policy_ids: + - agent-policy-id-1 + schema: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_create_package_policy_request' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_simplified_create_package_policy_request' + description: You should use inputs as an object and not use the deprecated inputs array. + responses: + '200': + content: + application/json: + examples: + postPackagePolicyExample: + description: The created package policy + value: + item: + created_at: '2024-01-15T10:00:00.000Z' + enabled: true + id: package-policy-id-2 + inputs: [] + name: nginx-1 + namespace: default + package: + name: nginx + title: Nginx + version: 1.20.0 + policy_ids: + - agent-policy-id-1 + updated_at: '2024-01-15T10:00:00.000Z' schema: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id + $ref: '#/components/schemas/Kibana_HTTP_APIs_create_package_policy_response' description: Successful response '400': content: 
@@ -51066,177 +42144,16 @@ paths: - message - attributes description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No Fleet Server host was found with the given ID - value: - error: Not Found - message: Fleet server fleet-server-host-id-1 not found - statusCode: 404 - description: Not Found - summary: Delete a Fleet Server host - tags: - - Fleet Server hosts - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/fleet_server_hosts/{itemId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a Fleet Server host by ID.

[Required authorization] Route required privileges: fleet-settings-read. - operationId: get-fleet-fleet-server-hosts-itemid - parameters: - - description: The ID of the Fleet Server host - in: path - name: itemId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getFleetServerHostExample: - description: A Fleet Server host - value: - item: - host_urls: - - https://fleet-server.example.com:8220 - id: fleet-server-host-id-1 - is_default: true - is_preconfigured: false - name: Default Fleet Server - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - host_urls: - items: - type: string - maxItems: 10 - minItems: 1 - type: array - id: - type: string - is_default: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: - default: false - type: boolean - name: - type: string - proxy_id: - nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - ssl: - additionalProperties: false - type: object - properties: - agent_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - es_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - nullable: true - type: object - properties: - agent_certificate: - type: string - agent_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - agent_key: - type: string - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - client_auth: - enum: - - optional - - required - - none - type: string - es_certificate: - type: string - 
es_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - es_key: - type: string - key: - type: string - required: - - name - - host_urls - - id - required: - - item - description: Successful response - '400': + '409': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + conflictExample: + description: A package policy with the same name already exists value: - error: Bad Request + error: Conflict message: An error message describing what went wrong - statusCode: 400 + statusCode: 409 schema: additionalProperties: false description: Generic Error @@ -51255,34 +42172,24 @@ paths: required: - message - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No Fleet Server host was found with the given ID - value: - error: Not Found - message: Fleet server fleet-server-host-id-1 not found - statusCode: 404 - description: Not Found - summary: Get a Fleet Server host + description: Conflict + summary: Create a package policy tags: - - Fleet Server hosts + - Fleet package policies x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - put: + /api/fleet/package_policies/_bulk_get: + post: description: |- **Spaces method and path for this operation:** -
put /s/{space_id}/api/fleet/fleet_server_hosts/{itemId}
+
post /s/{space_id}/api/fleet/package_policies/_bulk_get
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Update a Fleet Server host by ID.

[Required authorization] Route required privileges: fleet-settings-all. - operationId: put-fleet-fleet-server-hosts-itemid + Get multiple package policies by ID. + operationId: post-fleet-package-policies-bulk-get parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -51291,246 +42198,63 @@ paths: schema: example: 'true' type: string - - description: The ID of the Fleet Server host - in: path - name: itemId - required: true + - description: 'Format for the response: simplified or legacy' + in: query + name: format + required: false schema: + enum: + - simplified + - legacy type: string requestBody: content: application/json: examples: - putFleetServerHostRequestExample: - description: Update a Fleet Server host + postBulkGetPackagePoliciesRequestExample: + description: Retrieve multiple package policies by ID value: - host_urls: - - https://updated-fleet-server.example.com:8220 - is_default: false - name: Updated Fleet Server + ids: + - package-policy-id-1 + - package-policy-id-2 schema: additionalProperties: false type: object properties: - host_urls: + ids: + description: list of package policy ids items: type: string - maxItems: 10 - minItems: 1 + maxItems: 1000 type: array - is_default: - type: boolean - is_internal: + ignoreMissing: type: boolean - name: - type: string - proxy_id: - nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - ssl: - additionalProperties: false - type: object - properties: - agent_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - es_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - nullable: true - type: object - properties: - agent_certificate: - type: string - agent_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - agent_key: - type: string - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - client_auth: - enum: - - optional 
- - required - - none - type: string - es_certificate: - type: string - es_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - es_key: - type: string - key: - type: string required: - - proxy_id + - ids responses: '200': content: application/json: examples: - putFleetServerHostExample: - description: The updated Fleet Server host + postBulkGetPackagePoliciesExample: + description: The requested package policies value: - item: - host_urls: - - https://updated-fleet-server.example.com:8220 - id: fleet-server-host-id-1 - is_default: false - is_preconfigured: false - name: Updated Fleet Server + items: + - created_at: '2024-01-15T10:00:00.000Z' + enabled: true + id: package-policy-id-1 + inputs: [] + name: nginx-1 + namespace: default + package: + name: nginx + title: Nginx + version: 1.20.0 + policy_ids: + - agent-policy-id-1 + updated_at: '2024-01-15T10:00:00.000Z' schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - host_urls: - items: - type: string - maxItems: 10 - minItems: 1 - type: array - id: - type: string - is_default: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: - default: false - type: boolean - name: - type: string - proxy_id: - nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - ssl: - additionalProperties: false - type: object - properties: - agent_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - es_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - nullable: true - type: object - properties: - agent_certificate: - type: 
string - agent_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - agent_key: - type: string - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - client_auth: - enum: - - optional - - required - - none - type: string - es_certificate: - type: string - es_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - es_key: - type: string - key: - type: string - required: - - name - - host_urls - - id - required: - - item + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_get_package_policies_response' description: Successful response '400': content: @@ -51550,5696 +42274,312 @@ paths: attributes: nullable: true error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No Fleet Server host was found with the given ID - value: - error: Not Found - message: Fleet server fleet-server-host-id-1 not found - statusCode: 404 - description: Not Found - summary: Update a Fleet Server host - tags: - - Fleet Server hosts - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/health_check: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/health_check
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Check the health status of a Fleet Server instance by its host ID. Returns the server status and name if available.

[Required authorization] Route required privileges: fleet-settings-all. - operationId: post-fleet-health-check - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postHealthCheckRequestExample: - description: Check the health of a Fleet Server instance by its host ID - value: - id: fleet-server-host-id-1 - schema: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - responses: - '200': - content: - application/json: - examples: - postHealthCheckHealthyExample: - description: Fleet Server is online and healthy - value: - name: fleet-server-1 - status: ONLINE - postHealthCheckUnreachableExample: - description: Fleet Server host is not reachable (request timed out or aborted) - value: - host_id: fleet-server-host-id-1 - status: OFFLINE - schema: - additionalProperties: false - type: object - properties: - host_id: - type: string - name: - type: string - status: - type: string - required: - - status - description: Successful health check response - '400': - content: - application/json: - examples: - badRequestExample: - description: The host ID exists but has no associated host URLs configured - value: - error: Bad Request - message: The requested host id fleet-server-host-id-1 does not have associated host urls. 
- statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No Fleet Server host was found with the given ID - value: - error: Not Found - message: The requested host id fleet-server-host-id-1 does not exist. - statusCode: 404 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Not Found - summary: Check Fleet Server health - tags: - - Fleet internals - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/kubernetes: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/kubernetes
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the Kubernetes manifest for deploying Elastic Agent.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-setup. - operationId: get-fleet-kubernetes - parameters: - - description: If true, returns the manifest as a downloadable file - in: query - name: download - required: false - schema: - type: boolean - - description: Fleet Server host URL to include in the manifest - in: query - name: fleetServer - required: false - schema: - type: string - - description: Enrollment token to include in the manifest - in: query - name: enrolToken - required: false - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getK8sManifestExample: - description: The Kubernetes manifest for deploying Elastic Agent - value: - item: 'apiVersion: v1\nkind: ConfigMap\nmetadata:\n name: agent-node-datastreams\n namespace: kube-system\n' - schema: - additionalProperties: false - type: object - properties: - item: - type: string - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get a full K8s agent manifest - tags: - - Elastic Agent policies - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/kubernetes/download: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/kubernetes/download
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Download the Kubernetes manifest for deploying Elastic Agent.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-setup. - operationId: get-fleet-kubernetes-download - parameters: - - description: If true, returns the manifest as a downloadable file - in: query - name: download - required: false - schema: - type: boolean - - description: Fleet Server host URL to include in the manifest - in: query - name: fleetServer - required: false - schema: - type: string - - description: Enrollment token to include in the manifest - in: query - name: enrolToken - required: false - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getDownloadK8sManifestExample: - description: The Kubernetes manifest download - value: 'apiVersion: v1\nkind: ConfigMap\nmetadata:\n name: agent-node-datastreams\n namespace: kube-system\n' - schema: - type: string - description: Successful response — returns the Kubernetes manifest as a YAML file download - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No manifest was found - value: - error: Not Found - message: Agent manifest not found - statusCode: 404 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Not Found - summary: Download an 
agent manifest - tags: - - Elastic Agent policies - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/logstash_api_keys: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/logstash_api_keys
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Generate an API key for Logstash to use with a Fleet output.

[Required authorization] Route required privileges: fleet-settings-all. - operationId: post-fleet-logstash-api-keys - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - responses: - '200': - content: - application/json: - examples: - postLogstashApiKeyExample: - description: The generated Logstash API key - value: - api_key: TiNAGG4BaaMdaH1tRfuU:KnR6yE41RrSowb0kQ0HWoA - schema: - additionalProperties: false - type: object - properties: - api_key: - type: string - required: - - api_key - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Generate a Logstash API key - tags: - - Fleet outputs - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/message_signing_service/rotate_key_pair: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/message_signing_service/rotate_key_pair
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Rotate the key pair used by Fleet to sign messages sent to Elastic Agents. This operation is irreversible and requires all agents in the Fleet to be re-enrolled after rotation. You must explicitly acknowledge the risk by passing `acknowledge=true` as a query parameter.

[Required authorization] Route required privileges: fleet-agents-all AND fleet-agent-policies-all AND fleet-settings-all. - operationId: post-fleet-message-signing-service-rotate-key-pair - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Set to true to confirm you understand the risks of rotating the key pair - in: query - name: acknowledge - required: false - schema: - default: false - type: boolean - responses: - '200': - content: - application/json: - examples: - rotateKeyPairSuccessExample: - description: The key pair was rotated. All agents must be re-enrolled to receive the new signing key. - value: - message: Key pair rotated successfully. - schema: - additionalProperties: false - type: object - properties: - message: - type: string - required: - - message - description: Key pair rotated successfully - '400': - content: - application/json: - examples: - acknowledgeRequiredExample: - description: Request was rejected because the acknowledge query parameter was not set to true - value: - error: Bad Request - message: 'Warning: this API will cause a key pair to rotate and should not be necessary in normal operation. If you proceed, you may need to reinstall Agents in your network. You must acknowledge the risks of rotating the key pair with acknowledge=true in the request parameters. For more information, reach out to your administrator.' 
- statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '500': - content: - application/json: - examples: - serviceUnavailableExample: - description: The message signing service is not available - value: - error: Internal Server Error - message: Failed to rotate key pair. Message signing service is unavailable! - statusCode: 500 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Internal Server Error - summary: Rotate a Fleet message signing key pair - tags: - - Message Signing Service - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/outputs: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/outputs
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - List all Fleet outputs.

[Required authorization] Route required privileges: fleet-settings-read OR fleet-agent-policies-read. - operationId: get-fleet-outputs - parameters: [] - responses: - '200': - content: - application/json: - examples: - getOutputsExample: - description: List of Fleet outputs - value: - items: - - hosts: - - https://elasticsearch.example.com:9200 - id: output-id-1 - is_default: true - is_default_monitoring: true - name: Default output - type: elasticsearch - page: 1 - perPage: 20 - total: 1 - schema: - additionalProperties: false - type: object - properties: - items: - items: - anyOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_elasticsearch' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_remote_elasticsearch' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_logstash' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_kafka' - maxItems: 10000 - type: array - page: - type: number - perPage: - type: number - total: - type: number - required: - - items - - total - - page - - perPage - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get outputs - tags: - - Fleet outputs - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/outputs
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create a new Fleet output.

[Required authorization] Route required privileges: fleet-settings-all. - operationId: post-fleet-outputs - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postOutputRequestExample: - description: Create a new Elasticsearch output - value: - hosts: - - https://elasticsearch.example.com:9200 - is_default: false - is_default_monitoring: false - name: My output - type: elasticsearch - schema: - anyOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_output_elasticsearch' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_output_remote_elasticsearch' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_output_logstash' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_output_kafka' - responses: - '200': - content: - application/json: - examples: - postOutputExample: - description: The created Fleet output - value: - item: - hosts: - - https://elasticsearch.example.com:9200 - id: output-id-2 - is_default: false - is_default_monitoring: false - name: My output - type: elasticsearch - schema: - additionalProperties: false - type: object - properties: - item: - anyOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_elasticsearch' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_remote_elasticsearch' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_logstash' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_kafka' - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - 
errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Create output - tags: - - Fleet outputs - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/outputs/{outputId}: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/fleet/outputs/{outputId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete output by ID.

[Required authorization] Route required privileges: fleet-settings-all. - operationId: delete-fleet-outputs-outputid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The ID of the output - in: path - name: outputId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - deleteOutputExample: - description: The output was successfully deleted - value: - id: output-id-1 - schema: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No output was found with the given ID - value: - error: Not Found - message: Output output-id-1 not found - statusCode: 404 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Not Found - summary: Delete output - tags: - - Fleet outputs - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/outputs/{outputId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get output by ID.

[Required authorization] Route required privileges: fleet-settings-read OR fleet-agent-policies-read. - operationId: get-fleet-outputs-outputid - parameters: - - description: The ID of the output - in: path - name: outputId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getOutputExample: - description: A Fleet output - value: - item: - hosts: - - https://elasticsearch.example.com:9200 - id: output-id-1 - is_default: true - is_default_monitoring: true - name: Default output - type: elasticsearch - schema: - additionalProperties: false - type: object - properties: - item: - anyOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_elasticsearch' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_remote_elasticsearch' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_logstash' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_kafka' - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No output was found with the given ID - value: - error: Not Found - message: Output output-id-1 not found - statusCode: 404 - description: Not Found - summary: Get output - tags: - - Fleet outputs - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/fleet/outputs/{outputId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update output by ID.

[Required authorization] Route required privileges: fleet-settings-all OR fleet-agent-policies-all. - operationId: put-fleet-outputs-outputid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The ID of the output - in: path - name: outputId - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - putOutputRequestExample: - description: Update a Fleet output - value: - hosts: - - https://updated-elasticsearch.example.com:9200 - name: Updated output - schema: - anyOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_output_elasticsearch' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_output_remote_elasticsearch' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_output_logstash' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_output_kafka' - responses: - '200': - content: - application/json: - examples: - putOutputExample: - description: The updated Fleet output - value: - item: - hosts: - - https://updated-elasticsearch.example.com:9200 - id: output-id-1 - is_default: true - is_default_monitoring: true - name: Updated output - type: elasticsearch - schema: - additionalProperties: false - type: object - properties: - item: - anyOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_elasticsearch' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_remote_elasticsearch' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_logstash' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_kafka' - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error 
- type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No output was found with the given ID - value: - error: Not Found - message: Output output-id-1 not found - statusCode: 404 - description: Not Found - summary: Update output - tags: - - Fleet outputs - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/outputs/{outputId}/health: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/outputs/{outputId}/health
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the latest health status of an output by ID.

[Required authorization] Route required privileges: fleet-settings-read. - operationId: get-fleet-outputs-outputid-health - parameters: - - description: The ID of the output - in: path - name: outputId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getOutputHealthExample: - description: The latest health status of a Fleet output - value: - message: '' - state: HEALTHY - timestamp: '2024-01-15T10:00:00.000Z' - schema: - additionalProperties: false - type: object - properties: - message: - description: long message if unhealthy - type: string - state: - description: state of output, HEALTHY or DEGRADED - type: string - timestamp: - description: timestamp of reported state - type: string - required: - - state - - message - - timestamp - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get the latest output health - tags: - - Fleet outputs - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/package_policies: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/package_policies
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - List all package policies. - operationId: get-fleet-package-policies - parameters: - - description: Page number - in: query - name: page - required: false - schema: - type: number - - description: Number of results per page - in: query - name: perPage - required: false - schema: - type: number - - description: Field to sort results by - in: query - name: sortField - required: false - schema: - type: string - - description: Sort order, ascending or descending - in: query - name: sortOrder - required: false - schema: - enum: - - desc - - asc - type: string - - description: When true, only show policies with available upgrades - in: query - name: showUpgradeable - required: false - schema: - type: boolean - - description: A KQL query string to filter results - in: query - name: kuery - required: false - schema: - type: string - - description: 'Format for the response: simplified or legacy' - in: query - name: format - required: false - schema: - enum: - - simplified - - legacy - type: string - - description: When true, include the agent count per package policy - in: query - name: withAgentCount - required: false - schema: - type: boolean - responses: - '200': - content: - application/json: - examples: - getPackagePoliciesExample: - description: List of package policies - value: - items: - - created_at: '2024-01-15T10:00:00.000Z' - enabled: true - id: package-policy-id-1 - inputs: [] - name: nginx-1 - namespace: default - package: - name: nginx - title: Nginx - version: 1.20.0 - policy_ids: - - agent-policy-id-1 - updated_at: '2024-01-15T10:00:00.000Z' - page: 1 - perPage: 20 - total: 1 - schema: - additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: false - type: object - properties: - additional_datastreams_permissions: - description: Additional datastream permissions, that will be added to the agent policy. 
- items: - type: string - maxItems: 1000 - nullable: true - type: array - agents: - type: number - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. - nullable: true - type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. - maxLength: 255 - minLength: 1 - nullable: true - type: string - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this integration to its inputs.' - type: string - created_at: - type: string - created_by: - type: string - description: - description: Package policy description - type: string - elasticsearch: - additionalProperties: true - type: object - properties: - privileges: - additionalProperties: true - type: object - properties: - cluster: - items: - type: string - maxItems: 100 - type: array - enabled: - type: boolean - global_data_tags: - items: - additionalProperties: false - type: object - properties: - name: - description: The name of the custom field. Cannot contain spaces. - type: string - value: - anyOf: - - type: string - - type: number - description: The value of the custom field. - required: - - name - - value - maxItems: 100 - nullable: true - type: array - id: - description: Package policy unique identifier. - type: string - inputs: - anyOf: - - items: - additionalProperties: false - type: object - properties: - compiled_input: - nullable: true - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' 
- type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' - type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: 
string - release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - enabled - - data_stream - - compiled_stream - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - type - - enabled - - streams - - compiled_input - maxItems: 100 - type: array - - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' - type: string - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that input. Defaults to `true` (enabled). - type: boolean - streams: - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' 
- type: string - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that stream. Defaults to `true` (enabled). - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Input streams. Refer to the integration documentation to know which streams are available. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Package policy inputs. Refer to the integration documentation to know which inputs are available. - type: object - x-oas-optional: true - description: Package policy inputs. - is_managed: - type: boolean - name: - description: Unique name for the package policy. - type: string - namespace: - description: The package policy namespace. 
Leave blank to inherit the agent policy's namespace. - type: string - output_id: - nullable: true - type: string - overrides: - additionalProperties: false - description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. - nullable: true - type: object - properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - - version - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. - nullable: true - type: string - policy_ids: - items: - description: IDs of the agent policies which that package policy will be added to. - type: string - maxItems: 1000 - type: array - revision: - description: Package policy revision. - type: number - secret_references: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 1000 - type: array - spaceIds: - items: - type: string - maxItems: 100 - type: array - supports_agentless: - default: false - description: Indicates whether the package policy belongs to an agentless agent policy. 
- nullable: true - type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. - nullable: true - type: boolean - updated_at: - type: string - updated_by: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - anyOf: - - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - x-oas-optional: true - description: Package level variable. - version: - description: Package policy ES version. 
- type: string - required: - - name - - enabled - - inputs - - id - - revision - - updated_at - - updated_by - - created_at - - created_by - maxItems: 10000 - type: array - page: - type: number - perPage: - type: number - total: - type: number - required: - - items - - total - - page - - perPage - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get package policies - tags: - - Fleet package policies - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/package_policies
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create a new package policy and assign it to an agent policy. - operationId: post-fleet-package-policies - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: 'Format for the response: simplified or legacy' - in: query - name: format - required: false - schema: - enum: - - simplified - - legacy - type: string - requestBody: - content: - application/json: - examples: - postPackagePolicyRequestExample: - description: Create a new nginx package policy - value: - inputs: {} - name: nginx-1 - namespace: default - package: - name: nginx - version: 1.20.0 - policy_ids: - - agent-policy-id-1 - schema: - anyOf: - - additionalProperties: false - type: object - properties: - additional_datastreams_permissions: - description: Additional datastream permissions, that will be added to the agent policy. - items: - type: string - maxItems: 1000 - nullable: true - type: array - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. - nullable: true - type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. - maxLength: 255 - minLength: 1 - nullable: true - type: string - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this integration to its inputs.' - type: string - description: - description: Package policy description - type: string - enabled: - type: boolean - force: - description: Force package policy creation even if the package is not verified, or if the agent policy is managed. - type: boolean - global_data_tags: - items: - additionalProperties: false - type: object - properties: - name: - description: The name of the custom field. Cannot contain spaces. 
- type: string - value: - anyOf: - - type: string - - type: number - description: The value of the custom field. - required: - - name - - value - maxItems: 100 - nullable: true - type: array - id: - description: Package policy unique identifier - type: string - inputs: - items: - additionalProperties: false - type: object - properties: - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' - type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' 
- type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - enabled - - data_stream - - compiled_stream - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. 
- type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - type - - enabled - maxItems: 1000 - type: array - is_managed: - type: boolean - name: - description: Unique name for the package policy. - type: string - namespace: - description: The package policy namespace. Leave blank to inherit the agent policy's namespace. - type: string - output_id: - nullable: true - type: string - overrides: - additionalProperties: false - description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. - nullable: true - type: object - properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - - version - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. - nullable: true - type: string - policy_ids: - items: - description: IDs of the agent policies which that package policy will be added to. 
- type: string - maxItems: 1000 - type: array - spaceIds: - items: - type: string - maxItems: 100 - type: array - supports_agentless: - default: false - deprecated: true - description: Indicates whether the package policy belongs to an agentless agent policy. Deprecated in favor of the Fleet agentless policies API. - nullable: true - type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. - nullable: true - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - name - - inputs - - additionalProperties: false - type: object - properties: - additional_datastreams_permissions: - description: Additional datastream permissions, that will be added to the agent policy. - items: - type: string - maxItems: 100 - nullable: true - type: array - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this integration to its inputs.' - type: string - description: - description: Policy description. - type: string - force: - description: Force package policy creation even if the package is not verified, or if the agent policy is managed. - type: boolean - id: - description: Policy unique identifier. - type: string - inputs: - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' 
- type: string - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that input. Defaults to `true` (enabled). - type: boolean - streams: - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' - type: string - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that stream. Defaults to `true` (enabled). - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Input streams. Refer to the integration documentation to know which streams are available. 
- type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Package policy inputs. Refer to the integration documentation to know which inputs are available. - type: object - name: - description: Unique name for the policy. - type: string - namespace: - description: Policy namespace. When not specified, it inherits the agent policy namespace. - type: string - output_id: - nullable: true - type: string - package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - - version - policy_id: - deprecated: true - description: Deprecated. Use policy_ids instead. - nullable: true - type: string - policy_ids: - description: IDs of the agent policies which that package policy will be added to. 
- items: - type: string - maxItems: 1000 - type: array - supports_agentless: - default: false - deprecated: true - description: Indicates whether the package policy belongs to an agentless agent policy. Deprecated in favor of the Fleet agentless policies API. - nullable: true - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - required: - - name - - package - description: You should use inputs as an object and not use the deprecated inputs array. - responses: - '200': - content: - application/json: - examples: - postPackagePolicyExample: - description: The created package policy - value: - item: - created_at: '2024-01-15T10:00:00.000Z' - enabled: true - id: package-policy-id-2 - inputs: [] - name: nginx-1 - namespace: default - package: - name: nginx - title: Nginx - version: 1.20.0 - policy_ids: - - agent-policy-id-1 - updated_at: '2024-01-15T10:00:00.000Z' - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - additional_datastreams_permissions: - description: Additional datastream permissions, that will be added to the agent policy. - items: - type: string - maxItems: 1000 - nullable: true - type: array - agents: - type: number - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. 
- nullable: true - type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. - maxLength: 255 - minLength: 1 - nullable: true - type: string - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this integration to its inputs.' - type: string - created_at: - type: string - created_by: - type: string - description: - description: Package policy description - type: string - elasticsearch: - additionalProperties: true - type: object - properties: - privileges: - additionalProperties: true - type: object - properties: - cluster: - items: - type: string - maxItems: 100 - type: array - enabled: - type: boolean - global_data_tags: - items: - additionalProperties: false - type: object - properties: - name: - description: The name of the custom field. Cannot contain spaces. - type: string - value: - anyOf: - - type: string - - type: number - description: The value of the custom field. - required: - - name - - value - maxItems: 100 - nullable: true - type: array - id: - description: Package policy unique identifier. - type: string - inputs: - anyOf: - - items: - additionalProperties: false - type: object - properties: - compiled_input: - nullable: true - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' 
- type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' - type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: 
string - release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - enabled - - data_stream - - compiled_stream - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - type - - enabled - - streams - - compiled_input - maxItems: 100 - type: array - - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' - type: string - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that input. Defaults to `true` (enabled). - type: boolean - streams: - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' 
- type: string - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that stream. Defaults to `true` (enabled). - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Input streams. Refer to the integration documentation to know which streams are available. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Package policy inputs. Refer to the integration documentation to know which inputs are available. - type: object - x-oas-optional: true - description: Package policy inputs. - is_managed: - type: boolean - name: - description: Unique name for the package policy. - type: string - namespace: - description: The package policy namespace. 
Leave blank to inherit the agent policy's namespace. - type: string - output_id: - nullable: true - type: string - overrides: - additionalProperties: false - description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. - nullable: true - type: object - properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - - version - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. - nullable: true - type: string - policy_ids: - items: - description: IDs of the agent policies which that package policy will be added to. - type: string - maxItems: 1000 - type: array - revision: - description: Package policy revision. - type: number - secret_references: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 1000 - type: array - spaceIds: - items: - type: string - maxItems: 100 - type: array - supports_agentless: - default: false - description: Indicates whether the package policy belongs to an agentless agent policy. 
- nullable: true - type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. - nullable: true - type: boolean - updated_at: - type: string - updated_by: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - anyOf: - - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - x-oas-optional: true - description: Package level variable. - version: - description: Package policy ES version. 
- type: string - required: - - name - - enabled - - inputs - - id - - revision - - updated_at - - updated_by - - created_at - - created_by - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '409': - content: - application/json: - examples: - conflictExample: - description: A package policy with the same name already exists - value: - error: Conflict - message: An error message describing what went wrong - statusCode: 409 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Conflict - summary: Create a package policy - tags: - - Fleet package policies - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/package_policies/_bulk_get: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/package_policies/_bulk_get
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get multiple package policies by ID. - operationId: post-fleet-package-policies-bulk-get - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: 'Format for the response: simplified or legacy' - in: query - name: format - required: false - schema: - enum: - - simplified - - legacy - type: string - requestBody: - content: - application/json: - examples: - postBulkGetPackagePoliciesRequestExample: - description: Retrieve multiple package policies by ID - value: - ids: - - package-policy-id-1 - - package-policy-id-2 - schema: - additionalProperties: false - type: object - properties: - ids: - description: list of package policy ids - items: - type: string - maxItems: 1000 - type: array - ignoreMissing: - type: boolean - required: - - ids - responses: - '200': - content: - application/json: - examples: - postBulkGetPackagePoliciesExample: - description: The requested package policies - value: - items: - - created_at: '2024-01-15T10:00:00.000Z' - enabled: true - id: package-policy-id-1 - inputs: [] - name: nginx-1 - namespace: default - package: - name: nginx - title: Nginx - version: 1.20.0 - policy_ids: - - agent-policy-id-1 - updated_at: '2024-01-15T10:00:00.000Z' - schema: - additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: false - type: object - properties: - additional_datastreams_permissions: - description: Additional datastream permissions, that will be added to the agent policy. - items: - type: string - maxItems: 1000 - nullable: true - type: array - agents: - type: number - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. 
- nullable: true - type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. - maxLength: 255 - minLength: 1 - nullable: true - type: string - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this integration to its inputs.' - type: string - created_at: - type: string - created_by: - type: string - description: - description: Package policy description - type: string - elasticsearch: - additionalProperties: true - type: object - properties: - privileges: - additionalProperties: true - type: object - properties: - cluster: - items: - type: string - maxItems: 100 - type: array - enabled: - type: boolean - global_data_tags: - items: - additionalProperties: false - type: object - properties: - name: - description: The name of the custom field. Cannot contain spaces. - type: string - value: - anyOf: - - type: string - - type: number - description: The value of the custom field. - required: - - name - - value - maxItems: 100 - nullable: true - type: array - id: - description: Package policy unique identifier. - type: string - inputs: - anyOf: - - items: - additionalProperties: false - type: object - properties: - compiled_input: - nullable: true - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' 
- type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' - type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: 
string - release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - enabled - - data_stream - - compiled_stream - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - type - - enabled - - streams - - compiled_input - maxItems: 100 - type: array - - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' - type: string - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that input. Defaults to `true` (enabled). - type: boolean - streams: - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' 
- type: string - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that stream. Defaults to `true` (enabled). - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Input streams. Refer to the integration documentation to know which streams are available. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Package policy inputs. Refer to the integration documentation to know which inputs are available. - type: object - x-oas-optional: true - description: Package policy inputs. - is_managed: - type: boolean - name: - description: Unique name for the package policy. - type: string - namespace: - description: The package policy namespace. 
Leave blank to inherit the agent policy's namespace. - type: string - output_id: - nullable: true - type: string - overrides: - additionalProperties: false - description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. - nullable: true - type: object - properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - - version - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. - nullable: true - type: string - policy_ids: - items: - description: IDs of the agent policies which that package policy will be added to. - type: string - maxItems: 1000 - type: array - revision: - description: Package policy revision. - type: number - secret_references: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 1000 - type: array - spaceIds: - items: - type: string - maxItems: 100 - type: array - supports_agentless: - default: false - description: Indicates whether the package policy belongs to an agentless agent policy. 
- nullable: true - type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. - nullable: true - type: boolean - updated_at: - type: string - updated_by: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - anyOf: - - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - x-oas-optional: true - description: Package level variable. - version: - description: Package policy ES version. 
- type: string - required: - - name - - enabled - - inputs - - id - - revision - - updated_at - - updated_by - - created_at - - created_by - maxItems: 10000 - type: array - required: - - items - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: One or more package policies were not found - value: - error: Not Found - message: Package policy package-policy-id-2 not found - statusCode: 404 - schema: - additionalProperties: false - type: object - properties: - message: - type: string - required: - - message - description: Not Found - summary: Bulk get package policies - tags: - - Fleet package policies - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/fleet/package_policies/{packagePolicyId}: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/fleet/package_policies/{packagePolicyId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete a package policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all AND integrations-all. - operationId: delete-fleet-package-policies-packagepolicyid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The ID of the package policy - in: path - name: packagePolicyId - required: true - schema: - type: string - - description: When true, delete the package policy even if it is managed - in: query - name: force - required: false - schema: - type: boolean - responses: - '200': - content: - application/json: - examples: - deletePackagePolicyExample: - description: The package policy was successfully deleted - value: - id: package-policy-id-1 - schema: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Delete a package policy - tags: - - Fleet package policies - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/package_policies/{packagePolicyId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a package policy by ID. - operationId: get-fleet-package-policies-packagepolicyid - parameters: - - description: The ID of the package policy - in: path - name: packagePolicyId - required: true - schema: - type: string - - description: 'Format for the response: simplified or legacy' - in: query - name: format - required: false - schema: - enum: - - simplified - - legacy - type: string - responses: - '200': - content: - application/json: - examples: - getPackagePolicyExample: - description: A package policy - value: - item: - created_at: '2024-01-15T10:00:00.000Z' - enabled: true - id: package-policy-id-1 - inputs: [] - name: nginx-1 - namespace: default - package: - name: nginx - title: Nginx - version: 1.20.0 - policy_ids: - - agent-policy-id-1 - updated_at: '2024-01-15T10:00:00.000Z' - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - additional_datastreams_permissions: - description: Additional datastream permissions, that will be added to the agent policy. - items: - type: string - maxItems: 1000 - nullable: true - type: array - agents: - type: number - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. - nullable: true - type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. - maxLength: 255 - minLength: 1 - nullable: true - type: string - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this integration to its inputs.' 
- type: string - created_at: - type: string - created_by: - type: string - description: - description: Package policy description - type: string - elasticsearch: - additionalProperties: true - type: object - properties: - privileges: - additionalProperties: true - type: object - properties: - cluster: - items: - type: string - maxItems: 100 - type: array - enabled: - type: boolean - global_data_tags: - items: - additionalProperties: false - type: object - properties: - name: - description: The name of the custom field. Cannot contain spaces. - type: string - value: - anyOf: - - type: string - - type: number - description: The value of the custom field. - required: - - name - - value - maxItems: 100 - nullable: true - type: array - id: - description: Package policy unique identifier. - type: string - inputs: - anyOf: - - items: - additionalProperties: false - type: object - properties: - compiled_input: - nullable: true - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' - type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' 
- type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - enabled - - data_stream - - compiled_stream - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. 
- type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - type - - enabled - - streams - - compiled_input - maxItems: 100 - type: array - - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' - type: string - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that input. Defaults to `true` (enabled). - type: boolean - streams: - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' - type: string - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that stream. Defaults to `true` (enabled). - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. 
- type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Input streams. Refer to the integration documentation to know which streams are available. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Package policy inputs. Refer to the integration documentation to know which inputs are available. - type: object - x-oas-optional: true - description: Package policy inputs. - is_managed: - type: boolean - name: - description: Unique name for the package policy. - type: string - namespace: - description: The package policy namespace. Leave blank to inherit the agent policy's namespace. - type: string - output_id: - nullable: true - type: string - overrides: - additionalProperties: false - description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. 
- nullable: true - type: object - properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - - version - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. - nullable: true - type: string - policy_ids: - items: - description: IDs of the agent policies which that package policy will be added to. - type: string - maxItems: 1000 - type: array - revision: - description: Package policy revision. - type: number - secret_references: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 1000 - type: array - spaceIds: - items: - type: string - maxItems: 100 - type: array - supports_agentless: - default: false - description: Indicates whether the package policy belongs to an agentless agent policy. - nullable: true - type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. - nullable: true - type: boolean - updated_at: - type: string - updated_by: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. 
Maps var_group name to the selected option name within that group. - type: object - vars: - anyOf: - - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - x-oas-optional: true - description: Package level variable. - version: - description: Package policy ES version. - type: string - required: - - name - - enabled - - inputs - - id - - revision - - updated_at - - updated_by - - created_at - - created_by - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No package policy was found with the given ID - value: - error: Not Found - message: Package policy package-policy-id-1 not found - statusCode: 404 - schema: - additionalProperties: false - type: 
object - properties: - message: - type: string - required: - - message - description: Not Found - summary: Get a package policy - tags: - - Fleet package policies - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/fleet/package_policies/{packagePolicyId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update a package policy by ID. - operationId: put-fleet-package-policies-packagepolicyid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The ID of the package policy - in: path - name: packagePolicyId - required: true - schema: - type: string - - description: 'Format for the response: simplified or legacy' - in: query - name: format - required: false - schema: - enum: - - simplified - - legacy - type: string - requestBody: - content: - application/json: - examples: - putPackagePolicyRequestExample: - description: Update a package policy - value: - enabled: true - inputs: {} - name: nginx-1-updated - namespace: default - package: - name: nginx - version: 1.20.0 - policy_ids: - - agent-policy-id-1 - schema: - anyOf: - - additionalProperties: false - type: object - properties: - additional_datastreams_permissions: - description: Additional datastream permissions, that will be added to the agent policy. - items: - type: string - maxItems: 1000 - nullable: true - type: array - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. - nullable: true - type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. - maxLength: 255 - minLength: 1 - nullable: true - type: string - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this integration to its inputs.' - type: string - description: - description: Package policy description - type: string - enabled: - type: boolean - force: - type: boolean - global_data_tags: - items: - additionalProperties: false - type: object - properties: - name: - description: The name of the custom field. Cannot contain spaces. 
- type: string - value: - anyOf: - - type: string - - type: number - description: The value of the custom field. - required: - - name - - value - maxItems: 100 - nullable: true - type: array - inputs: - items: - additionalProperties: false - type: object - properties: - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' - type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' 
- type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - enabled - - data_stream - - compiled_stream - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. 
- type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - type - - enabled - maxItems: 1000 - type: array - is_managed: - type: boolean - name: - type: string - namespace: - description: The package policy namespace. Leave blank to inherit the agent policy's namespace. - type: string - output_id: - nullable: true - type: string - overrides: - additionalProperties: false - description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. - nullable: true - type: object - properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - - version - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. - nullable: true - type: string - policy_ids: - items: - description: IDs of the agent policies which that package policy will be added to. 
- type: string - maxItems: 1000 - type: array - spaceIds: - items: - type: string - maxItems: 100 - type: array - supports_agentless: - default: false - description: Indicates whether the package policy belongs to an agentless agent policy. - nullable: true - type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. - nullable: true - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - version: - type: string - - additionalProperties: false - type: object - properties: - additional_datastreams_permissions: - description: Additional datastream permissions, that will be added to the agent policy. - items: - type: string - maxItems: 100 - nullable: true - type: array - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this integration to its inputs.' - type: string - description: - description: Policy description. - type: string - force: - description: Force package policy creation even if the package is not verified, or if the agent policy is managed. - type: boolean - id: - description: Policy unique identifier. - type: string - inputs: - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' 
- type: string - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that input. Defaults to `true` (enabled). - type: boolean - streams: - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' - type: string - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that stream. Defaults to `true` (enabled). - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Input streams. Refer to the integration documentation to know which streams are available. 
- type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Package policy inputs. Refer to the integration documentation to know which inputs are available. - type: object - name: - description: Unique name for the policy. - type: string - namespace: - description: Policy namespace. When not specified, it inherits the agent policy namespace. - type: string - output_id: - nullable: true - type: string - package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - - version - policy_id: - deprecated: true - description: Deprecated. Use policy_ids instead. - nullable: true - type: string - policy_ids: - description: IDs of the agent policies which that package policy will be added to. 
- items: - type: string - maxItems: 1000 - type: array - supports_agentless: - default: false - deprecated: true - description: Indicates whether the package policy belongs to an agentless agent policy. Deprecated in favor of the Fleet agentless policies API. - nullable: true - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - required: - - name - - package - responses: - '200': - content: - application/json: - examples: - putPackagePolicyExample: - description: The updated package policy - value: - item: - created_at: '2024-01-15T10:00:00.000Z' - enabled: true - id: package-policy-id-1 - inputs: [] - name: nginx-1-updated - namespace: default - package: - name: nginx - title: Nginx - version: 1.20.0 - policy_ids: - - agent-policy-id-1 - updated_at: '2024-01-15T11:00:00.000Z' - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - additional_datastreams_permissions: - description: Additional datastream permissions, that will be added to the agent policy. - items: - type: string - maxItems: 1000 - nullable: true - type: array - agents: - type: number - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. 
- nullable: true - type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. - maxLength: 255 - minLength: 1 - nullable: true - type: string - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this integration to its inputs.' - type: string - created_at: - type: string - created_by: - type: string - description: - description: Package policy description - type: string - elasticsearch: - additionalProperties: true - type: object - properties: - privileges: - additionalProperties: true - type: object - properties: - cluster: - items: - type: string - maxItems: 100 - type: array - enabled: - type: boolean - global_data_tags: - items: - additionalProperties: false - type: object - properties: - name: - description: The name of the custom field. Cannot contain spaces. - type: string - value: - anyOf: - - type: string - - type: number - description: The value of the custom field. - required: - - name - - value - maxItems: 100 - nullable: true - type: array - id: - description: Package policy unique identifier. - type: string - inputs: - anyOf: - - items: - additionalProperties: false - type: object - properties: - compiled_input: - nullable: true - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' 
- type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' - type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: 
string - release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - enabled - - data_stream - - compiled_stream - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - type - - enabled - - streams - - compiled_input - maxItems: 100 - type: array - - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' - type: string - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that input. Defaults to `true` (enabled). - type: boolean - streams: - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' 
- type: string - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that stream. Defaults to `true` (enabled). - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Input streams. Refer to the integration documentation to know which streams are available. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Package policy inputs. Refer to the integration documentation to know which inputs are available. - type: object - x-oas-optional: true - description: Package policy inputs. - is_managed: - type: boolean - name: - description: Unique name for the package policy. - type: string - namespace: - description: The package policy namespace. 
Leave blank to inherit the agent policy's namespace. - type: string - output_id: - nullable: true - type: string - overrides: - additionalProperties: false - description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. - nullable: true - type: object - properties: - inputs: - additionalProperties: - nullable: true - type: object + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: One or more package policies were not found + value: + error: Not Found + message: Package policy package-policy-id-2 not found + statusCode: 404 + schema: + additionalProperties: false + type: object + properties: + message: + type: string + required: + - message + description: Not Found + summary: Bulk get package policies + tags: + - Fleet package policies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/package_policies/{packagePolicyId}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/package_policies/{packagePolicyId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a package policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all AND integrations-all. + operationId: delete-fleet-package-policies-packagepolicyid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The ID of the package policy + in: path + name: packagePolicyId + required: true + schema: + type: string + - description: When true, delete the package policy even if it is managed + in: query + name: force + required: false + schema: + type: boolean + responses: + '200': + content: + application/json: + examples: + deletePackagePolicyExample: + description: The package policy was successfully deleted + value: + id: package-policy-id-1 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_delete_one_package_policy_response' + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Delete a package policy + tags: + - Fleet package policies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/package_policies/{packagePolicyId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a package policy by ID. + operationId: get-fleet-package-policies-packagepolicyid + parameters: + - description: The ID of the package policy + in: path + name: packagePolicyId + required: true + schema: + type: string + - description: 'Format for the response: simplified or legacy' + in: query + name: format + required: false + schema: + enum: + - simplified + - legacy + type: string + responses: + '200': + content: + application/json: + examples: + getPackagePolicyExample: + description: A package policy + value: + item: + created_at: '2024-01-15T10:00:00.000Z' + enabled: true + id: package-policy-id-1 + inputs: [] + name: nginx-1 + namespace: default package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - - version - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. - nullable: true - type: string + name: nginx + title: Nginx + version: 1.20.0 policy_ids: - items: - description: IDs of the agent policies which that package policy will be added to. - type: string - maxItems: 1000 - type: array - revision: - description: Package policy revision. 
- type: number - secret_references: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 1000 - type: array - spaceIds: - items: - type: string - maxItems: 100 - type: array - supports_agentless: - default: false - description: Indicates whether the package policy belongs to an agentless agent policy. - nullable: true - type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. - nullable: true - type: boolean - updated_at: - type: string - updated_by: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - anyOf: - - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - x-oas-optional: true - description: Package level variable. - version: - description: Package policy ES version. 
- type: string - required: - - name - - enabled - - inputs - - id - - revision - - updated_at - - updated_by - - created_at - - created_by + - agent-policy-id-1 + updated_at: '2024-01-15T10:00:00.000Z' + schema: + additionalProperties: false + type: object + properties: + item: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_response' + required: + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No package policy was found with the given ID + value: + error: Not Found + message: Package policy package-policy-id-1 not found + statusCode: 404 + schema: + additionalProperties: false + type: object + properties: + message: + type: string + required: + - message + description: Not Found + summary: Get a package policy + tags: + - Fleet package policies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/fleet/package_policies/{packagePolicyId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update a package policy by ID. + operationId: put-fleet-package-policies-packagepolicyid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The ID of the package policy + in: path + name: packagePolicyId + required: true + schema: + type: string + - description: 'Format for the response: simplified or legacy' + in: query + name: format + required: false + schema: + enum: + - simplified + - legacy + type: string + requestBody: + content: + application/json: + examples: + putPackagePolicyRequestExample: + description: Update a package policy + value: + enabled: true + inputs: {} + name: nginx-1-updated + namespace: default + package: + name: nginx + version: 1.20.0 + policy_ids: + - agent-policy-id-1 + schema: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_package_policy_request' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_simplified_create_package_policy_request' + responses: + '200': + content: + application/json: + examples: + putPackagePolicyExample: + description: The updated package policy + value: + item: + created_at: '2024-01-15T10:00:00.000Z' + enabled: true + id: package-policy-id-1 + inputs: [] + name: nginx-1-updated + namespace: default + package: + name: nginx + title: Nginx + version: 1.20.0 + policy_ids: + - agent-policy-id-1 + updated_at: '2024-01-15T11:00:00.000Z' + schema: + additionalProperties: false + type: object + properties: + item: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_response' required: - item description: Successful response 
@@ -57337,112 +42677,22 @@ paths: - package-policy-id-1 - package-policy-id-2 schema: - additionalProperties: false - type: object - properties: - force: - type: boolean - packagePolicyIds: - items: - type: string - maxItems: 1000 - type: array - required: - - packagePolicyIds + $ref: '#/components/schemas/Kibana_HTTP_APIs_delete_package_policies_request' responses: '200': content: application/json: examples: - postDeletePackagePoliciesExample: - description: Results of the bulk delete operation - value: - - id: package-policy-id-1 - success: true - - id: package-policy-id-2 - success: true - schema: - items: - additionalProperties: false - type: object - properties: - body: - additionalProperties: false - type: object - properties: - message: - type: string - required: - - message - id: - type: string - name: - type: string - output_id: - nullable: true - type: string - package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - - version - policy_id: - deprecated: true - description: Use `policy_ids` instead - nullable: true - type: string - policy_ids: - items: - type: string - maxItems: 10000 - type: array - statusCode: - type: number - success: - type: boolean - required: - - id - - success - - policy_ids - - package + postDeletePackagePoliciesExample: + description: Results of the bulk delete operation + value: + - id: 
package-policy-id-1 + success: true + - id: package-policy-id-2 + success: true + schema: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_status_response' maxItems: 10000 type: array description: Successful response @@ -57510,16 +42760,7 @@ paths: packagePolicyIds: - package-policy-id-1 schema: - additionalProperties: false - type: object - properties: - packagePolicyIds: - items: - type: string - maxItems: 1000 - type: array - required: - - packagePolicyIds + $ref: '#/components/schemas/Kibana_HTTP_APIs_upgrade_package_policies_request' responses: '200': content: @@ -57533,28 +42774,7 @@ paths: success: true schema: items: - additionalProperties: false - type: object - properties: - body: - additionalProperties: false - type: object - properties: - message: - type: string - required: - - message - id: - type: string - name: - type: string - statusCode: - type: number - success: - type: boolean - required: - - id - - success + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_status_response' maxItems: 10000 type: array description: Successful response @@ -57622,18 +42842,7 @@ paths: packagePolicyIds: - package-policy-id-1 schema: - additionalProperties: false - type: object - properties: - packagePolicyIds: - items: - type: string - maxItems: 1000 - type: array - packageVersion: - type: string - required: - - packagePolicyIds + $ref: '#/components/schemas/Kibana_HTTP_APIs_dry_run_package_policies_request' responses: '200': content: 
@@ -57770,949 +42979,8 @@ paths: diff: items: anyOf: - - additionalProperties: false - type: object - properties: - additional_datastreams_permissions: - description: Additional datastream permissions, that will be added to the agent policy. - items: - type: string - maxItems: 1000 - nullable: true - type: array - agents: - type: number - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. - nullable: true - type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. - maxLength: 255 - minLength: 1 - nullable: true - type: string - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this integration to its inputs.' - type: string - created_at: - type: string - created_by: - type: string - description: - description: Package policy description - type: string - elasticsearch: - additionalProperties: true - type: object - properties: - privileges: - additionalProperties: true - type: object - properties: - cluster: - items: - type: string - maxItems: 100 - type: array - enabled: - type: boolean - global_data_tags: - items: - additionalProperties: false - type: object - properties: - name: - description: The name of the custom field. Cannot contain spaces. - type: string - value: - anyOf: - - type: string - - type: number - description: The value of the custom field. - required: - - name - - value - maxItems: 100 - nullable: true - type: array - id: - type: string - inputs: - anyOf: - - items: - additionalProperties: false - type: object - properties: - compiled_input: - nullable: true - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' 
- type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' - type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: 
string - release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - enabled - - data_stream - - compiled_stream - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - type - - enabled - - streams - - compiled_input - maxItems: 100 - type: array - - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' - type: string - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that input. Defaults to `true` (enabled). - type: boolean - streams: - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' 
- type: string - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that stream. Defaults to `true` (enabled). - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Input streams. Refer to the integration documentation to know which streams are available. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Package policy inputs. Refer to the integration documentation to know which inputs are available. - type: object - x-oas-optional: true - description: Package policy inputs. - is_managed: - type: boolean - name: - description: Unique name for the package policy. - type: string - namespace: - description: The package policy namespace. 
Leave blank to inherit the agent policy's namespace. - type: string - output_id: - nullable: true - type: string - overrides: - additionalProperties: false - description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. - nullable: true - type: object - properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - - version - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. - nullable: true - type: string - policy_ids: - items: - description: IDs of the agent policies which that package policy will be added to. - type: string - maxItems: 1000 - type: array - revision: - description: Package policy revision. - type: number - secret_references: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 1000 - type: array - spaceIds: - items: - type: string - maxItems: 100 - type: array - supports_agentless: - default: false - description: Indicates whether the package policy belongs to an agentless agent policy. 
- nullable: true - type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. - nullable: true - type: boolean - updated_at: - type: string - updated_by: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - anyOf: - - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - x-oas-optional: true - description: Package level variable. - version: - description: Package policy ES version. - type: string - required: - - name - - enabled - - inputs - - revision - - updated_at - - updated_by - - created_at - - created_by - - additionalProperties: true - type: object - properties: - additional_datastreams_permissions: - description: Additional datastream permissions, that will be added to the agent policy. - items: - type: string - maxItems: 1000 - nullable: true - type: array - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. - nullable: true - type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. 
- maxLength: 255 - minLength: 1 - nullable: true - type: string - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this integration to its inputs.' - type: string - created_at: - type: string - created_by: - type: string - description: - description: Package policy description - type: string - elasticsearch: - additionalProperties: true - type: object - properties: - privileges: - additionalProperties: true - type: object - properties: - cluster: - items: - type: string - maxItems: 100 - type: array - enabled: - type: boolean - errors: - items: - additionalProperties: false - type: object - properties: - key: - type: string - message: - type: string - required: - - message - maxItems: 10 - type: array - force: - type: boolean - global_data_tags: - items: - additionalProperties: false - type: object - properties: - name: - description: The name of the custom field. Cannot contain spaces. - type: string - value: - anyOf: - - type: string - - type: number - description: The value of the custom field. - required: - - name - - value - maxItems: 100 - nullable: true - type: array - id: - type: string - inputs: - items: - additionalProperties: false - type: object - properties: - compiled_input: - nullable: true - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' 
- type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' - type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: 
string - release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - enabled - - data_stream - - compiled_stream - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - type - - enabled - - streams - - compiled_input - maxItems: 100 - type: array - is_managed: - type: boolean - missingVars: - items: - type: string - maxItems: 100 - type: array - name: - description: Unique name for the package policy. - type: string - namespace: - description: The package policy namespace. Leave blank to inherit the agent policy's namespace. - type: string - output_id: - nullable: true - type: string - overrides: - additionalProperties: false - description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. 
- nullable: true - type: object - properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - - version - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. - nullable: true - type: string - policy_ids: - items: - description: IDs of the agent policies which that package policy will be added to. - type: string - maxItems: 1000 - type: array - revision: - type: number - secret_references: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 1000 - type: array - supports_agentless: - default: false - description: Indicates whether the package policy belongs to an agentless agent policy. - nullable: true - type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. - nullable: true - type: boolean - updated_at: - type: string - updated_by: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. 
- type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - version: - description: Package policy ES version. - type: string - required: - - name - - enabled - - inputs + - $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_response' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_dry_run_package_policy' maxItems: 2 type: array hasErrors: 
@@ -88527,6 +72795,336 @@ components: type: boolean required: - data_view + Kibana_HTTP_APIs_action_id_response: + additionalProperties: false + properties: + actionId: + type: string + required: + - actionId + title: action_id_response + type: object + Kibana_HTTP_APIs_action_message_response: + additionalProperties: false + properties: + message: + type: string + required: + - message + title: action_message_response + type: object + Kibana_HTTP_APIs_agent_policy_response: + additionalProperties: false + properties: + advanced_settings: + additionalProperties: false + type: object + properties: + agent_download_target_directory: + nullable: true + agent_download_timeout: + nullable: true + agent_features_disable_policy_change_acks_enabled: + nullable: true + agent_internal: + nullable: true + agent_limits_go_max_procs: + nullable: true + agent_logging_files_interval: + nullable: true + agent_logging_files_keepfiles: + nullable: true + agent_logging_files_rotateeverybytes: + nullable: true + agent_logging_level: + nullable: true + agent_logging_metrics_period: + nullable: true + agent_logging_to_files: + nullable: true + agent_monitoring_runtime_experimental: + nullable: true + agent_features: + items: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + name: + type: string + required: + - name + - enabled + maxItems: 100 + type: array + agentless: + additionalProperties: false + type: object + properties: + cloud_connectors: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + target_csp: + enum: + - aws + - azure + - gcp + type: string + required: + - enabled + cluster_id: + type: string + resources: + additionalProperties: false + type: object + properties: + requests: + additionalProperties: false + type: object + properties: + cpu: + type: string + memory: + type: string + agents: + type: number + agents_per_version: + items: + additionalProperties: false + type: object + properties: + 
count: + type: number + version: + type: string + required: + - version + - count + maxItems: 1000 + type: array + created_at: + type: string + data_output_id: + nullable: true + type: string + description: + type: string + download_source_id: + nullable: true + type: string + fips_agents: + type: number + fleet_server_host_id: + nullable: true + type: string + global_data_tags: + description: User defined data tags that are added to all of the inputs. The values can be strings or numbers. + items: + additionalProperties: false + type: object + properties: + name: + type: string + value: + anyOf: + - type: string + - type: number + required: + - name + - value + maxItems: 100 + type: array + has_agent_version_conditions: + type: boolean + has_fleet_server: + type: boolean + id: + type: string + inactivity_timeout: + default: 1209600 + minimum: 0 + type: number + is_default: + type: boolean + is_default_fleet_server: + type: boolean + is_managed: + type: boolean + is_preconfigured: + type: boolean + is_protected: + description: Indicates whether the agent policy has tamper protection enabled. Default false. 
+ type: boolean + is_verifier: + type: boolean + keep_monitoring_alive: + default: false + description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled + nullable: true + type: boolean + min_agent_version: + nullable: true + type: string + monitoring_diagnostics: + additionalProperties: false + type: object + properties: + limit: + additionalProperties: false + type: object + properties: + burst: + type: number + interval: + type: string + uploader: + additionalProperties: false + type: object + properties: + init_dur: + type: string + max_dur: + type: string + max_retries: + type: number + monitoring_enabled: + items: + enum: + - logs + - metrics + - traces + type: string + maxItems: 3 + type: array + monitoring_http: + additionalProperties: false + type: object + properties: + buffer: + additionalProperties: false + type: object + properties: + enabled: + default: false + type: boolean + enabled: + type: boolean + host: + type: string + port: + maximum: 65353 + minimum: 0 + type: number + monitoring_output_id: + nullable: true + type: string + monitoring_pprof_enabled: + type: boolean + name: + minLength: 1 + type: string + namespace: + minLength: 1 + type: string + overrides: + additionalProperties: + nullable: true + description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure. 
+ nullable: true + type: object + package_agent_version_conditions: + items: + additionalProperties: false + type: object + properties: + name: + type: string + title: + type: string + version_condition: + type: string + required: + - name + - title + - version_condition + maxItems: 1000 + nullable: true + type: array + package_policies: + anyOf: + - items: + type: string + maxItems: 10000 + type: array + - description: This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_response' + maxItems: 10000 + type: array + required_versions: + items: + additionalProperties: false + type: object + properties: + percentage: + description: Target percentage of agents to auto upgrade + maximum: 100 + minimum: 0 + type: number + version: + description: Target version for automatic agent upgrade + type: string + required: + - version + - percentage + maxItems: 100 + nullable: true + type: array + revision: + type: number + schema_version: + type: string + space_ids: + items: + type: string + maxItems: 100 + type: array + status: + enum: + - active + - inactive + type: string + supports_agentless: + default: false + description: Indicates whether the agent policy supports agentless integrations. + nullable: true + type: boolean + unenroll_timeout: + minimum: 0 + type: number + unprivileged_agents: + type: number + updated_at: + type: string + updated_by: + type: string + version: + type: string + required: + - id + - name + - namespace + - is_protected + - status + - updated_at + - updated_by + - revision + title: agent_policy_response + type: object Kibana_HTTP_APIs_apm-anomaly-create-rule-body-alerting: additionalProperties: false properties: 
@@ -89777,6 +74375,314 @@ components: - type title: Auto Color type: object + Kibana_HTTP_APIs_bulk_delete_enrollment_api_keys_request: + additionalProperties: false + properties: + forceDelete: + default: false + description: When false (default), invalidate the API key and mark the token as inactive. When true, also delete the token document. + type: boolean + includeHidden: + default: false + description: When true, allow deletion of hidden enrollment tokens (managed/agentless policies). Defaults to false. + type: boolean + kuery: + description: KQL query to select enrollment tokens to delete. + type: string + tokenIds: + description: List of enrollment token IDs to delete. + items: + type: string + maxItems: 10000 + type: array + title: bulk_delete_enrollment_api_keys_request + type: object + Kibana_HTTP_APIs_bulk_delete_enrollment_api_keys_response: + additionalProperties: false + properties: + action: + type: string + count: + type: number + errorCount: + type: number + successCount: + type: number + required: + - action + - count + - successCount + - errorCount + title: bulk_delete_enrollment_api_keys_response + type: object + Kibana_HTTP_APIs_bulk_get_agent_policies_response: + additionalProperties: false + properties: + items: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_agent_policy_response' + maxItems: 10000 + type: array + required: + - items + title: bulk_get_agent_policies_response + type: object + Kibana_HTTP_APIs_bulk_get_package_policies_response: + additionalProperties: false + properties: + items: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_response' + maxItems: 10000 + type: array + required: + - items + title: bulk_get_package_policies_response + type: object + Kibana_HTTP_APIs_bulk_install_packages_from_registry_request: + additionalProperties: false + properties: + force: + default: false + type: boolean + packages: + items: + anyOf: + - type: string + - additionalProperties: false + type: object + 
properties: + name: + type: string + prerelease: + type: boolean + version: + type: string + required: + - name + - version + maxItems: 1000 + minItems: 1 + type: array + required: + - packages + title: bulk_install_packages_from_registry_request + type: object + Kibana_HTTP_APIs_bulk_install_packages_from_registry_response: + additionalProperties: false + properties: + items: + items: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_install_packages_response_item_success' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_install_packages_response_item_error' + maxItems: 10000 + type: array + required: + - items + title: bulk_install_packages_from_registry_response + type: object + Kibana_HTTP_APIs_bulk_install_packages_response_item_error: + additionalProperties: false + properties: + error: + anyOf: + - type: string + - nullable: true + name: + type: string + statusCode: + type: number + required: + - name + - statusCode + title: bulk_install_packages_response_item_error + type: object + Kibana_HTTP_APIs_bulk_install_packages_response_item_success: + additionalProperties: false + properties: + name: + type: string + result: + additionalProperties: false + type: object + properties: + assets: + items: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kibana_asset_reference' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_es_asset_reference' + maxItems: 10000 + type: array + error: + nullable: true + installSource: + type: string + installType: + type: string + status: + enum: + - installed + - already_installed + type: string + required: + - error + - installType + version: + type: string + required: + - name + - version + - result + title: bulk_install_packages_response_item_success + type: object + Kibana_HTTP_APIs_bulk_namespace_customization_request: + additionalProperties: false + properties: + disable: + description: Namespaces to disable namespace-level customization for on each package. 
+ items: + type: string + maxItems: 100 + type: array + enable: + description: Namespaces to enable namespace-level customization for on each package. + items: + type: string + maxItems: 100 + type: array + packages: + description: Package names to apply the customization changes to. + items: + type: string + maxItems: 1000 + minItems: 1 + type: array + required: + - packages + title: bulk_namespace_customization_request + type: object + Kibana_HTTP_APIs_bulk_namespace_customization_response: + additionalProperties: false + properties: + items: + items: + additionalProperties: false + type: object + properties: + error: + type: string + name: + type: string + namespace_customization_enabled_for: + description: 'The opt-in list on the package. Returned whenever the package is installed: the new list on success, or the unchanged list when the request is rejected (for example, because of a namespace-prefix restriction).' + items: + type: string + maxItems: 100 + type: array + success: + type: boolean + required: + - name + - success + maxItems: 1000 + type: array + required: + - items + title: bulk_namespace_customization_response + type: object + Kibana_HTTP_APIs_bulk_rollback_packages_request: + additionalProperties: false + properties: + packages: + items: + additionalProperties: false + type: object + properties: + name: + description: Package name to rollback + type: string + required: + - name + maxItems: 1000 + minItems: 1 + type: array + required: + - packages + title: bulk_rollback_packages_request + type: object + Kibana_HTTP_APIs_bulk_rollback_packages_response: + additionalProperties: false + properties: + taskId: + type: string + required: + - taskId + title: bulk_rollback_packages_response + type: object + Kibana_HTTP_APIs_bulk_uninstall_packages_request: + additionalProperties: false + properties: + force: + default: false + type: boolean + packages: + items: + additionalProperties: false + type: object + properties: + name: + type: string + version: + 
type: string + required: + - name + - version + maxItems: 1000 + minItems: 1 + type: array + required: + - packages + title: bulk_uninstall_packages_request + type: object + Kibana_HTTP_APIs_bulk_upgrade_packages_request: + additionalProperties: false + properties: + force: + default: false + type: boolean + packages: + items: + additionalProperties: false + type: object + properties: + name: + type: string + version: + type: string + required: + - name + maxItems: 1000 + minItems: 1 + type: array + prerelease: + type: boolean + upgrade_package_policies: + default: false + type: boolean + required: + - packages + title: bulk_upgrade_packages_request + type: object + Kibana_HTTP_APIs_bulk_upgrade_packages_response: + additionalProperties: false + properties: + taskId: + type: string + required: + - taskId + title: bulk_upgrade_packages_response + type: object Kibana_HTTP_APIs_byteFormat: additionalProperties: false description: Data size format in bits or bytes, with optional decimal places and suffix. @@ -89841,6 +74747,25 @@ components: - unassigned title: Categorical Color Mapping type: object + Kibana_HTTP_APIs_category_summary_item: + additionalProperties: false + properties: + count: + type: number + id: + type: string + parent_id: + type: string + parent_title: + type: string + title: + type: string + required: + - id + - title + - count + title: category_summary_item + type: object Kibana_HTTP_APIs_ClassicFieldDefinition: additionalProperties: $ref: '#/components/schemas/Kibana_HTTP_APIs_ClassicFieldDefinitionConfig' 
@@ -90317,6 +75242,18 @@ components: - routing required: - objects + Kibana_HTTP_APIs_copy_agent_policy_request: + additionalProperties: false + properties: + description: + type: string + name: + minLength: 1 + type: string + required: + - name + title: copy_agent_policy_request + type: object Kibana_HTTP_APIs_core_status_redactedResponse: additionalProperties: false description: A minimal representation of Kibana's operational status. Returned when the caller is unauthenticated or lacks the `monitor` cluster privilege. 
@@ -90670,6 +75607,338 @@ components: - operation title: Count Metric Operation type: object + Kibana_HTTP_APIs_create_custom_integration_request: + additionalProperties: false + properties: + datasets: + items: + additionalProperties: false + type: object + properties: + name: + type: string + type: + enum: + - logs + - metrics + - traces + - synthetics + - profiling + type: string + required: + - name + - type + maxItems: 10 + type: array + force: + type: boolean + integrationName: + type: string + required: + - integrationName + - datasets + title: create_custom_integration_request + type: object + Kibana_HTTP_APIs_create_package_policy_request: + additionalProperties: false + properties: + additional_datastreams_permissions: + description: Additional datastream permissions, that will be added to the agent policy. + items: + type: string + maxItems: 1000 + nullable: true + type: array + cloud_connector_id: + description: ID of the cloud connector associated with this package policy. + nullable: true + type: string + cloud_connector_name: + description: Transient field for cloud connector name during creation. + maxLength: 255 + minLength: 1 + nullable: true + type: string + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this integration to its inputs.' + type: string + description: + description: Package policy description + type: string + enabled: + type: boolean + force: + description: Force package policy creation even if the package is not verified, or if the agent policy is managed. + type: boolean + global_data_tags: + items: + additionalProperties: false + type: object + properties: + name: + description: The name of the custom field. Cannot contain spaces. + type: string + value: + anyOf: + - type: string + - type: number + description: The value of the custom field. 
+ required: + - name + - value + maxItems: 100 + nullable: true + type: array + id: + description: Package policy unique identifier + type: string + inputs: + items: + additionalProperties: false + type: object + properties: + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' + type: string + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + name: + type: string + policy_template: + type: string + streams: + items: + additionalProperties: false + type: object + properties: + compiled_stream: + nullable: true + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' 
+ type: string + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + data_stream: + additionalProperties: false + type: object + properties: + dataset: + type: string + elasticsearch: + additionalProperties: false + type: object + properties: + dynamic_dataset: + type: boolean + dynamic_namespace: + type: boolean + privileges: + additionalProperties: false + type: object + properties: + indices: + items: + type: string + maxItems: 100 + type: array + type: + type: string + required: + - dataset + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + release: + enum: + - ga + - beta + - experimental + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - enabled + - data_stream + - compiled_stream + - deprecated + maxItems: 1000 + type: array + type: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. 
+ type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - type + - enabled + - deprecated + maxItems: 1000 + type: array + is_managed: + type: boolean + name: + description: Unique name for the package policy. + type: string + namespace: + description: The package policy namespace. Leave blank to inherit the agent policy's namespace. + type: string + output_id: + nullable: true + type: string + overrides: + additionalProperties: false + description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. + nullable: true + type: object + properties: + inputs: + additionalProperties: + nullable: true + type: object + package: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_package' + package_agent_version_condition: + type: string + policy_id: + deprecated: true + description: ID of the agent policy which the package policy will be added to. + nullable: true + type: string + policy_ids: + items: + description: IDs of the agent policies which that package policy will be added to. + type: string + maxItems: 1000 + type: array + spaceIds: + items: + type: string + maxItems: 100 + type: array + supports_agentless: + default: false + deprecated: true + description: Indicates whether the package policy belongs to an agentless agent policy. Deprecated in favor of the Fleet agentless policies API. + nullable: true + type: boolean + supports_cloud_connector: + default: false + description: Indicates whether the package policy supports cloud connectors. + nullable: true + type: boolean + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. 
Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - name + - package + - inputs + title: create_package_policy_request + type: object + Kibana_HTTP_APIs_create_package_policy_response: + additionalProperties: false + properties: + item: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_response' + required: + - item + title: create_package_policy_response + type: object Kibana_HTTP_APIs_cumulativeSumOperation: additionalProperties: false properties: 
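Review bot: In create_package_policy_request the `required` list for `inputs[].streams[]` names `compiled_stream` and `deprecated`, and `inputs[]` requires `deprecated`, although these look like server-populated fields a caller cannot supply on create, so a generated client or a strict validator would reject otherwise valid requests. `Kibana_HTTP_APIs_deprecation_info` in a later hunk carries `x-oas-optional: true`, which suggests the generator treats that field as optional and the `required` entries are a bundling artifact rather than intended contract. This output appears to be generated, so the fix presumably belongs in the source schema (wrapping those fields in `schema.maybe`) or in the OAS generator rather than in this file; the same pattern appears in dry_run_package_policy further down.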
@@ -93029,6 +78298,104 @@ components: - field title: Date Histogram Operation type: object + Kibana_HTTP_APIs_delete_agent_policy_request: + additionalProperties: false + properties: + agentPolicyId: + description: The ID of the agent policy + type: string + force: + description: bypass validation checks that can prevent agent policy deletion + type: boolean + required: + - agentPolicyId + title: delete_agent_policy_request + type: object + Kibana_HTTP_APIs_delete_agent_policy_response: + additionalProperties: false + properties: + id: + type: string + name: + type: string + required: + - id + - name + title: delete_agent_policy_response + type: object + Kibana_HTTP_APIs_delete_enrollment_api_key_response: + additionalProperties: false + properties: + action: + enum: + - deleted + type: string + required: + - action + title: delete_enrollment_api_key_response + type: object + Kibana_HTTP_APIs_delete_one_package_policy_response: + additionalProperties: false + properties: + id: + type: string + required: + - id + title: delete_one_package_policy_response + type: object + Kibana_HTTP_APIs_delete_package_datastream_assets_response: + additionalProperties: false + properties: + success: + type: boolean + required: + - success + title: delete_package_datastream_assets_response + type: object + Kibana_HTTP_APIs_delete_package_policies_request: + additionalProperties: false + properties: + force: + type: boolean + packagePolicyIds: + items: + type: string + maxItems: 1000 + type: array + required: + - packagePolicyIds + title: delete_package_policies_request + type: object + Kibana_HTTP_APIs_delete_package_response: + additionalProperties: false + properties: + items: + items: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kibana_asset_reference' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_es_asset_reference' + maxItems: 10000 + type: array + required: + - items + title: delete_package_response + type: object + Kibana_HTTP_APIs_deprecation_info: + 
additionalProperties: false + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + title: deprecation_info + type: object + x-oas-optional: true Kibana_HTTP_APIs_differencesOperation: additionalProperties: false properties: 
@@ -93063,6 +78430,363 @@ components: - of title: Differences Operation type: object + Kibana_HTTP_APIs_dry_run_package_policies_request: + additionalProperties: false + properties: + packagePolicyIds: + items: + type: string + maxItems: 1000 + type: array + packageVersion: + type: string + required: + - packagePolicyIds + title: dry_run_package_policies_request + type: object + Kibana_HTTP_APIs_dry_run_package_policy: + additionalProperties: true + properties: + additional_datastreams_permissions: + description: Additional datastream permissions, that will be added to the agent policy. + items: + type: string + maxItems: 1000 + nullable: true + type: array + cloud_connector_id: + description: ID of the cloud connector associated with this package policy. + nullable: true + type: string + cloud_connector_name: + description: Transient field for cloud connector name during creation. + maxLength: 255 + minLength: 1 + nullable: true + type: string + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this integration to its inputs.' + type: string + created_at: + type: string + created_by: + type: string + description: + description: Package policy description + type: string + elasticsearch: + additionalProperties: true + type: object + properties: + privileges: + additionalProperties: true + type: object + properties: + cluster: + items: + type: string + maxItems: 100 + type: array + enabled: + type: boolean + errors: + items: + additionalProperties: false + type: object + properties: + key: + type: string + message: + type: string + required: + - message + maxItems: 10 + type: array + force: + type: boolean + global_data_tags: + items: + additionalProperties: false + type: object + properties: + name: + description: The name of the custom field. Cannot contain spaces. + type: string + value: + anyOf: + - type: string + - type: number + description: The value of the custom field. 
+ required: + - name + - value + maxItems: 100 + nullable: true + type: array + id: + type: string + inputs: + items: + additionalProperties: false + type: object + properties: + compiled_input: + nullable: true + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' + type: string + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + name: + type: string + policy_template: + type: string + streams: + items: + additionalProperties: false + type: object + properties: + compiled_stream: + nullable: true + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' 
+ type: string + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + data_stream: + additionalProperties: false + type: object + properties: + dataset: + type: string + elasticsearch: + additionalProperties: false + type: object + properties: + dynamic_dataset: + type: boolean + dynamic_namespace: + type: boolean + privileges: + additionalProperties: false + type: object + properties: + indices: + items: + type: string + maxItems: 100 + type: array + type: + type: string + required: + - dataset + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + release: + enum: + - ga + - beta + - experimental + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - enabled + - data_stream + - compiled_stream + - deprecated + maxItems: 1000 + type: array + type: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. 
+ type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - type + - enabled + - streams + - deprecated + - compiled_input + maxItems: 100 + type: array + is_managed: + type: boolean + missingVars: + items: + type: string + maxItems: 100 + type: array + name: + description: Unique name for the package policy. + type: string + namespace: + description: The package policy namespace. Leave blank to inherit the agent policy's namespace. + type: string + output_id: + nullable: true + type: string + overrides: + additionalProperties: false + description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. + nullable: true + type: object + properties: + inputs: + additionalProperties: + nullable: true + type: object + package: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_package' + package_agent_version_condition: + type: string + policy_id: + deprecated: true + description: ID of the agent policy which the package policy will be added to. + nullable: true + type: string + policy_ids: + items: + description: IDs of the agent policies which that package policy will be added to. + type: string + maxItems: 1000 + type: array + revision: + type: number + secret_references: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 1000 + type: array + supports_agentless: + default: false + description: Indicates whether the package policy belongs to an agentless agent policy. + nullable: true + type: boolean + supports_cloud_connector: + default: false + description: Indicates whether the package policy supports cloud connectors. 
+ nullable: true + type: boolean + updated_at: + type: string + updated_by: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + version: + description: Package policy ES version. + type: string + required: + - name + - enabled + - package + - inputs + title: dry_run_package_policy + type: object Kibana_HTTP_APIs_durationFormat: additionalProperties: false description: Duration format between time units. 
@@ -93086,6 +78810,79 @@ components: - to title: Duration Format type: object + Kibana_HTTP_APIs_enrollment_api_key: + additionalProperties: false + properties: + active: + description: When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents. + type: boolean + api_key: + description: The enrollment API key (token) used for enrolling Elastic Agents. + type: string + api_key_id: + description: The ID of the API key in the Security API. + type: string + created_at: + type: string + hidden: + type: boolean + id: + type: string + name: + description: The name of the enrollment API key. + type: string + policy_id: + description: The ID of the agent policy the Elastic Agent will be enrolled in. + type: string + required: + - id + - api_key_id + - api_key + - active + - created_at + title: enrollment_api_key + type: object + Kibana_HTTP_APIs_enrollment_api_key_response: + additionalProperties: false + properties: + action: + enum: + - created + type: string + item: + $ref: '#/components/schemas/Kibana_HTTP_APIs_enrollment_api_key' + required: + - item + - action + title: enrollment_api_key_response + type: object + Kibana_HTTP_APIs_es_asset_reference: + additionalProperties: false + properties: + deferred: + type: boolean + id: + type: string + type: + enum: + - index + - index_template + - component_template + - ingest_pipeline + - ilm_policy + - data_stream_ilm_policy + - transform + - ml_model + - knowledge_base + - esql_view + type: string + version: + type: string + required: + - id + - type + title: es_asset_reference + type: object Kibana_HTTP_APIs_es-query-create-rule-body-alerting: additionalProperties: false properties: 
@@ -93866,6 +79663,513 @@ components: - filter title: Formula Operation type: object + Kibana_HTTP_APIs_full_agent_policy: + additionalProperties: false + properties: + agent: + additionalProperties: false + type: object + properties: + download: + additionalProperties: false + type: object + properties: + auth: + additionalProperties: false + type: object + properties: + api_key: + type: string + headers: + items: + additionalProperties: false + type: object + properties: + key: + type: string + value: + type: string + required: + - key + - value + maxItems: 100 + type: array + password: + type: string + username: + type: string + proxy_headers: + additionalProperties: + anyOf: + - type: string + - type: boolean + - type: number + nullable: true + type: object + proxy_url: + type: string + secrets: + additionalProperties: true + type: object + properties: + ssl: + additionalProperties: true + type: object + properties: + key: + additionalProperties: true + type: object + properties: + id: + type: string + required: + - key + sourceURI: + type: string + ssl: + additionalProperties: false + type: object + properties: + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + key: + type: string + renegotiation: + type: string + verification_mode: + type: string + target_directory: + type: string + timeout: + type: string + required: + - sourceURI + features: + additionalProperties: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + required: + - enabled + type: object + internal: + nullable: true + limits: + additionalProperties: false + type: object + properties: + go_max_procs: + type: number + logging: + additionalProperties: false + type: object + properties: + files: + additionalProperties: false + type: object + properties: + interval: + type: string + keepfiles: + type: number + rotateeverybytes: + type: number + level: + type: string + metrics: + additionalProperties: 
false + type: object + properties: + period: + type: string + to_files: + type: boolean + monitoring: + additionalProperties: false + type: object + properties: + _runtime_experimental: + type: string + apm: + nullable: true + diagnostics: + additionalProperties: false + type: object + properties: + limit: + additionalProperties: false + type: object + properties: + burst: + type: number + interval: + type: string + uploader: + additionalProperties: false + type: object + properties: + init_dur: + type: string + max_dur: + type: string + max_retries: + type: number + enabled: + type: boolean + http: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + host: + type: string + port: + type: number + logs: + type: boolean + metrics: + type: boolean + namespace: + type: string + pprof: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + required: + - enabled + traces: + type: boolean + use_output: + type: string + required: + - enabled + - metrics + - logs + - traces + - apm + protection: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + signing_key: + type: string + uninstall_token_hash: + type: string + required: + - enabled + - uninstall_token_hash + - signing_key + required: + - monitoring + - download + - features + - internal + connectors: + additionalProperties: + nullable: true + type: object + exporters: + additionalProperties: + nullable: true + type: object + extensions: + additionalProperties: + nullable: true + type: object + fleet: + anyOf: + - additionalProperties: false + type: object + properties: + hosts: + items: + type: string + maxItems: 100 + type: array + proxy_headers: + additionalProperties: + anyOf: + - type: string + - type: boolean + - type: number + nullable: true + type: object + proxy_url: + type: string + secrets: + additionalProperties: true + type: object + properties: + ssl: + additionalProperties: true + type: object + 
properties: + key: + additionalProperties: true + type: object + properties: + id: + type: string + required: + - key + ssl: + additionalProperties: false + type: object + properties: + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + key: + type: string + renegotiation: + type: string + verification_mode: + type: string + required: + - hosts + - additionalProperties: false + type: object + properties: + kibana: + additionalProperties: false + type: object + properties: + hosts: + items: + type: string + maxItems: 100 + type: array + path: + type: string + protocol: + type: string + required: + - hosts + - protocol + required: + - kibana + id: + type: string + inputs: + items: + additionalProperties: true + type: object + properties: + data_stream: + additionalProperties: true + type: object + properties: + namespace: + type: string + required: + - namespace + id: + type: string + meta: + additionalProperties: true + type: object + properties: + package: + additionalProperties: true + type: object + properties: + name: + type: string + version: + type: string + required: + - name + - version + name: + type: string + package_policy_id: + type: string + processors: + items: + additionalProperties: true + type: object + properties: + add_fields: + additionalProperties: true + type: object + properties: + fields: + additionalProperties: + anyOf: + - type: string + - type: number + type: object + target: + type: string + required: + - target + - fields + required: + - add_fields + maxItems: 10000 + type: array + revision: + type: number + streams: + items: + additionalProperties: true + type: object + properties: + data_stream: + additionalProperties: true + type: object + properties: + dataset: + type: string + type: + type: string + required: + - dataset + id: + type: string + required: + - id + - data_stream + maxItems: 10000 + type: array + type: + type: string + use_output: + type: string + required: + - 
id + - name + - revision + - type + - data_stream + - use_output + - package_policy_id + maxItems: 10000 + type: array + namespaces: + items: + type: string + maxItems: 100 + type: array + output_permissions: + additionalProperties: + additionalProperties: + nullable: true + type: object + type: object + outputs: + additionalProperties: + additionalProperties: true + type: object + properties: + ca_sha256: + nullable: true + type: string + hosts: + items: + type: string + maxItems: 100 + type: array + proxy_headers: + additionalProperties: + anyOf: + - type: string + - type: boolean + - type: number + nullable: true + type: object + proxy_url: + type: string + type: + type: string + required: + - type + type: object + processors: + additionalProperties: + nullable: true + type: object + receivers: + additionalProperties: + nullable: true + type: object + revision: + type: number + secret_references: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10000 + type: array + service: + additionalProperties: false + type: object + properties: + extensions: + items: + type: string + maxItems: 1000 + type: array + pipelines: + additionalProperties: + additionalProperties: false + type: object + properties: + exporters: + items: + type: string + maxItems: 1000 + type: array + processors: + items: + type: string + maxItems: 1000 + type: array + receivers: + items: + type: string + maxItems: 1000 + type: array + x-oas-optional: true + type: object + signed: + additionalProperties: false + type: object + properties: + data: + type: string + signature: + type: string + required: + - data + - signature + required: + - id + - outputs + - inputs + title: full_agent_policy + type: object Kibana_HTTP_APIs_gaugeESQL: additionalProperties: false description: Gauge configuration using an ES|QL query. 
@@ -94469,7 +80773,101 @@ components: - operation title: Percentile Operation type: object - Kibana_HTTP_APIs_gaugeMetricPercentileRanks: + Kibana_HTTP_APIs_gaugeMetricPercentileRanks: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the gauge fill. + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + goal: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + label: + description: Label for the operation + type: string + max: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + min: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. 
+ title: Field Metric, Static Value, or Formula Operation + operation: + enum: + - percentile_rank + type: string + rank: + default: 0 + description: Percentile Rank + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the gauge value. + type: string + ticks: + additionalProperties: false + description: Ticks configuration + type: object + properties: + mode: + description: Tick placement mode. + enum: + - auto + - bands + type: string + visible: + description: When `true`, displays tick marks on the gauge. + type: boolean + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + title: + additionalProperties: false + description: Title configuration + type: object + properties: + text: + description: Title text. + type: string + visible: + description: When `true`, displays the title. + type: boolean + required: + - format + - filter + - time_scale + - field + - operation + title: Percentile Ranks Operation + type: object + Kibana_HTTP_APIs_gaugeMetricStatsMetric: additionalProperties: false properties: color: @@ -94511,12 +80909,12 @@ components: title: Field Metric, Static Value, or Formula Operation operation: enum: - - percentile_rank + - min + - max + - average + - median + - standard_deviation type: string - rank: - default: 0 - description: Percentile Rank - type: number reduced_time_range: description: Reduced time range title: Operation Reduced Time Range Setting @@ -94561,9 +80959,9 @@ components: - time_scale - field - operation - title: Percentile Ranks Operation + title: Stats Metric Operation type: object - Kibana_HTTP_APIs_gaugeMetricStatsMetric: + Kibana_HTTP_APIs_gaugeMetricSumMetric: additionalProperties: false properties: color: 
@@ -94572,6 +80970,10 @@ components: - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' description: Color configuration for the gauge fill. + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. + type: boolean field: description: Field to be used for the metric type: string @@ -94605,11 +81007,7 @@ components: title: Field Metric, Static Value, or Formula Operation operation: enum: - - min - - max - - average - - median - - standard_deviation + - sum type: string reduced_time_range: description: Reduced time range @@ -94655,9 +81053,9 @@ components: - time_scale - field - operation - title: Stats Metric Operation + title: Sum Metric Operation type: object - Kibana_HTTP_APIs_gaugeMetricSumMetric: + Kibana_HTTP_APIs_gaugeMetricUniqueCountMetric: additionalProperties: false properties: color: @@ -94703,7 +81101,7 @@ components: title: Field Metric, Static Value, or Formula Operation operation: enum: - - sum + - unique_count type: string reduced_time_range: description: Reduced time range 
@@ -94732,615 +81130,1291 @@ components: description: Time shift title: Operation Time Shift Setting type: string - title: + title: + additionalProperties: false + description: Title configuration + type: object + properties: + text: + description: Title text. + type: string + visible: + description: When `true`, displays the title. + type: boolean + required: + - format + - filter + - time_scale + - field + - operation + title: Unique Count Metric Operation + type: object + Kibana_HTTP_APIs_gaugeNoESQL: + additionalProperties: false + description: Gauge configuration using a data view. + properties: + data_source: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' + description: + type: string + drilldowns: + items: + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. 
+ type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + hide_border: + type: boolean + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. 
+ type: boolean + metric: + anyOf: + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeMetricCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeMetricUniqueCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeMetricStatsMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeMetricSumMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeMetricLastValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeMetricPercentile' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeMetricPercentileRanks' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeMetricFormula' + query: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). + maximum: 1 + minimum: 0 + type: number + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeStyling' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + type: + enum: + - gauge + type: string + required: + - type + - filters + - query + - data_source + - styling + - metric + - time_range + title: Gauge Chart (DSL) + type: object + Kibana_HTTP_APIs_gaugeShapeBullet: + additionalProperties: false + description: Bullet gauge shape. + properties: + orientation: + $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_simple_orientation' + type: + enum: + - bullet + type: string + required: + - type + - orientation + title: Shape (Bullet) + type: object + Kibana_HTTP_APIs_gaugeShapeCircular: + additionalProperties: false + description: Circular gauge shape. 
+ properties: + type: + enum: + - circle + - semi_circle + - arc + type: string + required: + - type + title: Shape (Circular) + type: object + Kibana_HTTP_APIs_gaugeStyling: + additionalProperties: false + description: Visual chart styling options + properties: + shape: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeShapeBullet' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeShapeCircular' + title: Gauge styling + type: object + x-oas-optional: true + Kibana_HTTP_APIs_geo-containment-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + additionalProperties: false + description: An action that runs under defined conditions. + type: object + properties: + alerts_filter: + additionalProperties: false + description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. + type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. 
+ nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. + type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). + type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. 
+ type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. + maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the geo containment rule. These parameters are appropriate when `rule_type_id` is `.geo-containment`. + properties: + boundaryGeoField: + minLength: 1 + type: string + boundaryIndexId: + minLength: 1 + type: string + boundaryIndexQuery: + nullable: true + boundaryIndexTitle: + minLength: 1 + type: string + boundaryNameField: + minLength: 1 + type: string + boundaryType: + minLength: 1 + type: string + dateField: + minLength: 1 + type: string + entity: + minLength: 1 + type: string + geoField: + minLength: 1 + type: string + index: + minLength: 1 + type: string + indexId: + minLength: 1 + type: string + indexQuery: + nullable: true + required: + - index + - indexId + - geoField + - entity + - dateField + - boundaryType + - boundaryIndexTitle + - boundaryIndexId + - boundaryGeoField + - indexQuery + - boundaryIndexQuery + title: Geo Containment Rule Params + type: object + rule_type_id: + enum: + - .geo-containment + type: string + schedule: additionalProperties: false - description: Title configuration + description: The check interval, which specifies how frequently the rule conditions are checked. type: object properties: - text: - description: Title text. 
+ interval: + description: The interval is specified in seconds, minutes, hours, or days. type: string - visible: - description: When `true`, displays the title. - type: boolean + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string required: - - format - - filter - - time_scale - - field - - operation - title: Sum Metric Operation + - name + - consumer + - schedule + - rule_type_id + - params + title: Geo containment type: object - Kibana_HTTP_APIs_gaugeMetricUniqueCountMetric: + Kibana_HTTP_APIs_get_agent_policy_outputs_response: additionalProperties: false properties: - color: - anyOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' - description: Color configuration for the gauge fill. - empty_as_null: - default: false - description: When `true`, treats empty buckets as null instead of zero. - type: boolean - field: - description: Field to be used for the metric - type: string - filter: - $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' - format: - $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' - goal: - anyOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' - description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. 
- title: Field Metric, Static Value, or Formula Operation - label: - description: Label for the operation - type: string - max: - anyOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' - description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. - title: Field Metric, Static Value, or Formula Operation - min: - anyOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' - description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. - title: Field Metric, Static Value, or Formula Operation - operation: - enum: - - unique_count - type: string - reduced_time_range: - description: Reduced time range - title: Operation Reduced Time Range Setting - type: string - subtitle: - description: Subtitle below the gauge value. - type: string - ticks: - additionalProperties: false - description: Ticks configuration - type: object - properties: - mode: - description: Tick placement mode. - enum: - - auto - - bands - type: string - visible: - description: When `true`, displays tick marks on the gauge. - type: boolean - time_scale: - $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' - time_shift: - description: Time shift - title: Operation Time Shift Setting - type: string - title: + item: additionalProperties: false - description: Title configuration type: object properties: - text: - description: Title text. + agentPolicyId: type: string - visible: - description: When `true`, displays the title. 
- type: boolean + data: + additionalProperties: false + type: object + properties: + integrations: + items: + additionalProperties: false + type: object + properties: + id: + type: string + integrationPolicyName: + type: string + name: + type: string + pkgName: + type: string + maxItems: 1000 + type: array + output: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + required: + - id + - name + required: + - output + monitoring: + additionalProperties: false + type: object + properties: + output: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + required: + - id + - name + required: + - output + required: + - monitoring + - data required: - - format - - filter - - time_scale - - field - - operation - title: Unique Count Metric Operation + - item + title: get_agent_policy_outputs_response type: object - Kibana_HTTP_APIs_gaugeNoESQL: + Kibana_HTTP_APIs_get_agent_policy_response: additionalProperties: false - description: Gauge configuration using a data view. properties: - data_source: - anyOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' - description: - type: string - drilldowns: + item: + $ref: '#/components/schemas/Kibana_HTTP_APIs_agent_policy_response' + required: + - item + title: get_agent_policy_response + type: object + Kibana_HTTP_APIs_get_bulk_assets_request: + additionalProperties: false + properties: + assetIds: items: - anyOf: - - additionalProperties: false - default: - open_in_new_tab: false - use_filters: true - use_time_range: true - properties: - dashboard_id: - type: string - label: - type: string - open_in_new_tab: - default: false - description: When enabled, the dashboard opens in a new browser tab. 
- type: boolean - trigger: - enum: - - on_apply_filter - type: string - type: - enum: - - dashboard_drilldown - type: string - use_filters: - default: true - description: When enabled, filters are passed to the opening dashboard. - type: boolean - use_time_range: - default: true - description: When enabled, time range is passed to the opening dashboard. - type: boolean - required: - - dashboard_id - - label - - trigger - - type - title: dashboard_drilldown - type: object - - additionalProperties: false - properties: - label: - type: string - open_in_new_tab: - default: true - type: boolean - trigger: - enum: - - on_apply_filter - type: string - type: - enum: - - discover_drilldown - type: string - required: - - label - - trigger - - type - title: discover_drilldown + additionalProperties: false + type: object + properties: + id: + type: string + type: + type: string + required: + - id + - type + maxItems: 10000 + type: array + required: + - assetIds + title: get_bulk_assets_request + type: object + Kibana_HTTP_APIs_get_bulk_assets_response: + additionalProperties: false + properties: + items: + items: + additionalProperties: false + type: object + properties: + appLink: + type: string + attributes: + additionalProperties: false type: object - - additionalProperties: false properties: - encode_url: - default: true - description: When true, URL is escaped using percent encoding - type: boolean - label: - type: string - open_in_new_tab: - default: true - type: boolean - trigger: - enum: - - on_click_row - - on_click_value - - on_open_panel_menu - - on_select_range + description: type: string - type: - enum: - - url_drilldown + service: type: string - url: - description: Templated Url. 
Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + title: type: string - required: - - url - - label - - trigger - - type - title: url_drilldown - type: object - maxItems: 100 + id: + type: string + type: + type: string + updatedAt: + type: string + required: + - id + - type + - attributes + maxItems: 10000 type: array - filters: - $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' - hide_border: - type: boolean - hide_title: - type: boolean - ignore_global_filters: - default: false - description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. - type: boolean - metric: + required: + - items + title: get_bulk_assets_response + type: object + Kibana_HTTP_APIs_get_categories_response: + additionalProperties: false + properties: + items: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_category_summary_item' + maxItems: 10000 + type: array + required: + - items + title: get_categories_response + type: object + Kibana_HTTP_APIs_get_data_streams_response: + additionalProperties: false + properties: + items: + items: + additionalProperties: false + type: object + properties: + name: + type: string + required: + - name + maxItems: 10000 + type: array + required: + - items + title: get_data_streams_response + type: object + Kibana_HTTP_APIs_get_dependencies_response: + additionalProperties: false + properties: + items: + items: + additionalProperties: false + type: object + properties: + name: + type: string + title: + type: string + version: + type: string + required: + - name + - version + - title + maxItems: 1000 + type: array + required: + - items + title: get_dependencies_response + type: object + Kibana_HTTP_APIs_get_full_agent_policy_response: + additionalProperties: false + properties: + item: anyOf: - - anyOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeMetricCountMetric' - - $ref: 
'#/components/schemas/Kibana_HTTP_APIs_gaugeMetricUniqueCountMetric' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeMetricStatsMetric' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeMetricSumMetric' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeMetricLastValue' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeMetricPercentile' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeMetricPercentileRanks' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeMetricFormula' - query: - $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' - references: + - type: string + - $ref: '#/components/schemas/Kibana_HTTP_APIs_full_agent_policy' + required: + - item + title: get_full_agent_policy_response + type: object + Kibana_HTTP_APIs_get_info_response: + additionalProperties: false + properties: + item: + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_package_info' + metadata: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_metadata' + required: + - item + - metadata + title: get_info_response + type: object + Kibana_HTTP_APIs_get_inputs_response: + additionalProperties: false + properties: + connectors: + additionalProperties: + nullable: true + type: object + exporters: + additionalProperties: + nullable: true + type: object + extensions: + additionalProperties: + nullable: true + type: object + inputs: items: - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + additionalProperties: false + type: object + properties: + id: + type: string + streams: + items: + additionalProperties: true + type: object + properties: + data_stream: + additionalProperties: true + type: object + properties: + dataset: + type: string + type: + type: string + required: + - dataset + id: + type: string + required: + - id + - data_stream + maxItems: 10000 + type: array + type: + type: string + required: + - id + - type + maxItems: 10000 type: array - sampling: - default: 1 - description: Sampling factor between 0 
(no sampling) and 1 (full sampling). - maximum: 1 - minimum: 0 - type: number - styling: - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeStyling' - time_range: - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' - title: - type: string - type: - enum: - - gauge - type: string + processors: + additionalProperties: + nullable: true + type: object + receivers: + additionalProperties: + nullable: true + type: object + service: + additionalProperties: false + type: object + properties: + extensions: + items: + type: string + maxItems: 1000 + type: array + pipelines: + additionalProperties: + additionalProperties: false + type: object + properties: + exporters: + items: + type: string + maxItems: 1000 + type: array + processors: + items: + type: string + maxItems: 1000 + type: array + receivers: + items: + type: string + maxItems: 1000 + type: array + x-oas-optional: true + type: object required: - - type - - filters - - query - - data_source - - styling - - metric - - time_range - title: Gauge Chart (DSL) + - inputs + title: get_inputs_response type: object - Kibana_HTTP_APIs_gaugeShapeBullet: + Kibana_HTTP_APIs_get_installed_packages_response: additionalProperties: false - description: Bullet gauge shape. properties: - orientation: - $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_simple_orientation' - type: - enum: - - bullet - type: string + items: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_installed_package' + maxItems: 10000 + type: array + searchAfter: + items: + anyOf: + - type: string + - type: number + - type: boolean + - nullable: true + nullable: true + maxItems: 2 + type: array + total: + type: number required: - - type - - orientation - title: Shape (Bullet) + - items + - total + title: get_installed_packages_response type: object - Kibana_HTTP_APIs_gaugeShapeCircular: + Kibana_HTTP_APIs_get_k8s_manifest_response: additionalProperties: false - description: Circular gauge shape. 
properties: - type: - enum: - - circle - - semi_circle - - arc + item: type: string required: - - type - title: Shape (Circular) + - item + title: get_k8s_manifest_response type: object - Kibana_HTTP_APIs_gaugeStyling: + Kibana_HTTP_APIs_get_limited_packages_response: additionalProperties: false - description: Visual chart styling options properties: - shape: - anyOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeShapeBullet' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeShapeCircular' - title: Gauge styling + items: + items: + type: string + maxItems: 10000 + type: array + required: + - items + title: get_limited_packages_response type: object - x-oas-optional: true - Kibana_HTTP_APIs_geo-containment-create-rule-body-alerting: + Kibana_HTTP_APIs_get_list_agent_policy_outputs_request: additionalProperties: false properties: - actions: - default: [] + ids: + description: list of package policy ids + items: + type: string + maxItems: 1000 + type: array + required: + - ids + title: get_list_agent_policy_outputs_request + type: object + Kibana_HTTP_APIs_get_list_agent_policy_outputs_response: + additionalProperties: false + properties: + items: items: additionalProperties: false - description: An action that runs under defined conditions. type: object properties: - alerts_filter: + agentPolicyId: + type: string + data: additionalProperties: false - description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. 
type: object properties: - query: + integrations: + items: + additionalProperties: false + type: object + properties: + id: + type: string + integrationPolicyName: + type: string + name: + type: string + pkgName: + type: string + maxItems: 1000 + type: array + output: additionalProperties: false type: object properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + id: type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. - enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). + name: type: string required: - - kql - - filters - timeframe: + - id + - name + required: + - output + monitoring: + additionalProperties: false + type: object + properties: + output: additionalProperties: false - description: Defines a period that limits whether the action runs. type: object properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. 
- items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. - type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + id: + type: string + name: type: string required: - - days - - hours - - timezone - frequency: + - id + - name + required: + - output + required: + - monitoring + - data + maxItems: 10000 + type: array + required: + - items + title: get_list_agent_policy_outputs_response + type: object + Kibana_HTTP_APIs_get_one_bulk_operation_packages_response: + additionalProperties: false + properties: + error: + additionalProperties: false + type: object + properties: + message: + type: string + required: + - message + results: + items: + additionalProperties: false + type: object + properties: + error: additionalProperties: false type: object properties: - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true + message: type: string required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. + - message + name: type: string - params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. - type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. + success: type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. 
- type: string required: - - id + - name + - success + maxItems: 10000 type: array - alert_delay: + status: + type: string + required: + - status + title: get_one_bulk_operation_packages_response + type: object + Kibana_HTTP_APIs_get_package_info: + additionalProperties: true + properties: + agent: additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. type: object properties: - active: - description: The number of consecutive runs that must meet the rule conditions. - type: number + privileges: + additionalProperties: false + type: object + properties: + root: + type: boolean + asset_tags: + items: + additionalProperties: false + type: object + properties: + asset_ids: + items: + type: string + maxItems: 1000 + type: array + asset_types: + items: + type: string + maxItems: 100 + type: array + text: + type: string + required: + - text + maxItems: 1000 + type: array + assets: + additionalProperties: + nullable: true + type: object + categories: + items: + type: string + maxItems: 100 + type: array + conditions: + additionalProperties: true + type: object + properties: + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + elastic: + additionalProperties: true + type: object + properties: + capabilities: + items: + type: string + maxItems: 10 + type: array + subscription: + type: string + kibana: + additionalProperties: true + type: object + properties: + version: + type: string required: - - active - artifacts: - additionalProperties: false + - deprecated + data_streams: + items: + additionalProperties: + nullable: true + type: object + maxItems: 1000 + type: array + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + description: + type: string + discovery: + additionalProperties: true type: object properties: - dashboards: + datasets: items: - additionalProperties: false + additionalProperties: true type: object 
properties: - id: + name: type: string required: - - id - maxItems: 10 + - name + maxItems: 100 type: array - investigation_guide: - additionalProperties: false - type: object - properties: - blob: - maxLength: 10000 - type: string - required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + fields: + items: + additionalProperties: true + type: object + properties: + name: + type: string + required: + - name + maxItems: 100 + type: array + download: type: string - enabled: - default: true - description: Indicates whether you want to run the rule on an interval basis after it is created. - type: boolean - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. - nullable: true + elasticsearch: + additionalProperties: + nullable: true type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. - type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. - maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. 
- maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold + format_version: + type: string + icons: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_icon' + maxItems: 100 + type: array + installationInfo: + $ref: '#/components/schemas/Kibana_HTTP_APIs_installation_info' + internal: + type: boolean + keepPoliciesUpToDate: + type: boolean + latestVersion: + type: string + license: + type: string + licensePath: + type: string name: - description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. type: string - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true + notice: type: string - params: - additionalProperties: false - description: The parameters for the geo containment rule. These parameters are appropriate when `rule_type_id` is `.geo-containment`. 
+ owner: + additionalProperties: true + type: object properties: - boundaryGeoField: - minLength: 1 + github: type: string - boundaryIndexId: - minLength: 1 + type: + enum: + - elastic + - partner + - community type: string - boundaryIndexQuery: + path: + type: string + policy_templates: + items: + additionalProperties: nullable: true - boundaryIndexTitle: - minLength: 1 - type: string - boundaryNameField: - minLength: 1 - type: string - boundaryType: - minLength: 1 - type: string - dateField: - minLength: 1 - type: string - entity: - minLength: 1 + type: object + maxItems: 1000 + type: array + readme: + type: string + release: + enum: + - ga + - beta + - experimental + type: string + screenshots: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_icon' + maxItems: 100 + type: array + signature_path: + type: string + source: + additionalProperties: true + type: object + properties: + license: type: string - geoField: - minLength: 1 + required: + - license + status: + type: string + title: + type: string + type: + anyOf: + - enum: + - integration type: string - index: - minLength: 1 + - enum: + - input type: string - indexId: - minLength: 1 + - enum: + - content type: string - indexQuery: + - type: string + var_groups: + items: + additionalProperties: true + type: object + properties: + description: + type: string + name: + type: string + options: + items: + additionalProperties: true + type: object + properties: + description: + type: string + hide_in_deployment_modes: + items: + enum: + - default + - agentless + type: string + maxItems: 2 + type: array + name: + type: string + title: + type: string + vars: + items: + type: string + maxItems: 100 + type: array + required: + - name + - title + - vars + maxItems: 100 + type: array + selector_title: + type: string + title: + type: string + required: + - name + - title + - selector_title + - options + maxItems: 100 + type: array + vars: + items: + additionalProperties: nullable: true - required: - - index 
- - indexId - - geoField - - entity - - dateField - - boundaryType - - boundaryIndexTitle - - boundaryIndexId - - boundaryGeoField - - indexQuery - - boundaryIndexQuery - title: Geo Containment Rule Params - type: object - rule_type_id: - enum: - - .geo-containment + type: object + maxItems: 1000 + type: array + version: type: string - schedule: + required: + - installationInfo + - name + - version + - title + - deprecated + - assets + title: get_package_info + type: object + Kibana_HTTP_APIs_get_packages_response: + additionalProperties: false + properties: + items: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_list_item' + maxItems: 10000 + type: array + required: + - items + title: get_packages_response + type: object + Kibana_HTTP_APIs_get_stats_response: + additionalProperties: false + properties: + response: additionalProperties: false - description: The check interval, which specifies how frequently the rule conditions are checked. type: object properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. - type: string + agent_policy_count: + type: number + package_policy_count: + type: number required: - - interval - tags: - default: [] - description: The tags for the rule. - items: - type: string - type: array - throttle: - description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ - agent_policy_count + - package_policy_count + required: + - response + title: get_stats_response + type: object + Kibana_HTTP_APIs_get_verification_key_id_response: + additionalProperties: false + properties: + id: nullable: true type: string required: - - name - - consumer - - schedule - - rule_type_id - - params - title: Geo containment + - id + title: get_verification_key_id_response type: object Kibana_HTTP_APIs_gradientColorMapping: additionalProperties: false 
@@ -96845,6 +83919,254 @@ components: properties: {} required: - inherit + Kibana_HTTP_APIs_install_kibana_assets_request: + additionalProperties: false + properties: + force: + type: boolean + space_ids: + description: When provided install assets in the specified spaces instead of the current space. + items: + type: string + maxItems: 100 + minItems: 1 + type: array + title: install_kibana_assets_request + type: object + Kibana_HTTP_APIs_install_kibana_assets_response: + additionalProperties: false + properties: + success: + type: boolean + required: + - success + title: install_kibana_assets_response + type: object + Kibana_HTTP_APIs_install_package_from_registry_request: + additionalProperties: false + properties: + force: + default: false + type: boolean + ignore_constraints: + default: false + type: boolean + title: install_package_from_registry_request + type: object + Kibana_HTTP_APIs_install_package_response: + additionalProperties: false + properties: + _meta: + additionalProperties: false + type: object + properties: + install_source: + type: string + name: + type: string + required: + - install_source + - name + items: + items: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kibana_asset_reference' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_es_asset_reference' + maxItems: 10000 + type: array + required: + - items + - _meta + title: install_package_response + type: object + Kibana_HTTP_APIs_install_rule_assets_request: + additionalProperties: false + properties: + force: + type: boolean + title: install_rule_assets_request + type: object + Kibana_HTTP_APIs_installation_info: + additionalProperties: true + properties: + additional_spaces_installed_kibana: + additionalProperties: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kibana_asset_reference' + maxItems: 100 + type: array + type: object + created_at: + type: string + experimental_data_stream_features: + items: + additionalProperties: true + type: object + properties: + 
data_stream: + type: string + features: + additionalProperties: true + type: object + properties: + doc_value_only_numeric: + type: boolean + doc_value_only_other: + type: boolean + synthetic_source: + type: boolean + tsdb: + type: boolean + required: + - data_stream + - features + maxItems: 100 + type: array + install_format_schema_version: + type: string + install_source: + enum: + - registry + - upload + - bundled + - custom + type: string + install_status: + enum: + - installed + - installing + - install_failed + type: string + installed_es: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_es_asset_reference' + maxItems: 10000 + type: array + installed_kibana: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kibana_asset_reference' + maxItems: 10000 + type: array + installed_kibana_space_id: + type: string + is_rollback_ttl_expired: + type: boolean + latest_executed_state: + additionalProperties: true + type: object + properties: + error: + type: string + name: + type: string + started_at: + type: string + latest_install_failed_attempts: + items: + additionalProperties: true + type: object + properties: + created_at: + type: string + error: + additionalProperties: true + type: object + properties: + message: + type: string + name: + type: string + stack: + type: string + required: + - name + - message + target_version: + type: string + required: + - created_at + - target_version + - error + maxItems: 10 + type: array + name: + type: string + namespaces: + items: + type: string + maxItems: 100 + type: array + previous_version: + nullable: true + type: string + rolled_back: + type: boolean + type: + type: string + updated_at: + type: string + verification_key_id: + nullable: true + type: string + verification_status: + enum: + - unverified + - verified + - unknown + type: string + version: + type: string + required: + - type + - installed_kibana + - installed_es + - name + - version + - install_status + - install_source + - verification_status + 
title: installation_info + type: object + x-oas-optional: true + Kibana_HTTP_APIs_installed_package: + additionalProperties: false + properties: + dataStreams: + items: + additionalProperties: false + type: object + properties: + name: + type: string + title: + type: string + required: + - name + - title + maxItems: 10000 + type: array + description: + type: string + icons: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_icon' + maxItems: 100 + type: array + name: + type: string + status: + type: string + title: + type: string + version: + type: string + required: + - name + - version + - status + - dataStreams + title: installed_package + type: object Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeConditionFilterSchema: additionalProperties: false description: A filter that evaluates a single field condition such as equality, range, or existence. @@ -99636,6 +86958,37 @@ components: - geo_point title: Type type: string + Kibana_HTTP_APIs_kibana_asset_reference: + additionalProperties: false + properties: + deferred: + type: boolean + id: + type: string + originId: + type: string + type: + anyOf: + - enum: + - dashboard + - lens + - visualization + - search + - index-pattern + - map + - ml-module + - security-rule + - csp-rule-template + - osquery-pack-asset + - osquery-saved-query + - tag + type: string + - type: string + required: + - id + - type + title: kibana_asset_reference + type: object Kibana_HTTP_APIs_lastValueOperation: additionalProperties: false properties: 
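Review bot: `latest_install_failed_attempts[].error.stack` in the new `installation_info` schema documents that a raw stack trace is returned as part of the package installation info response, and nothing in the schema qualifies it. Stack traces in API bodies are an information-disclosure channel (internal file paths, module names), so it is worth confirming that exposing it is intended and, if it is kept, giving the field a `description: Stack trace captured for the failed installation attempt; may contain internal file paths.` so consumers do not log or forward it blindly. The same schema is pulled in by `get_package_info` via the `installation_info` reference in the earlier hunk of this section. This file looks like generated OpenAPI output, so the description would belong in the schema it is produced from rather than here.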
@@ -109255,6 +96608,279 @@ components: - keys title: Multi Field Key type: object + Kibana_HTTP_APIs_new_agent_policy: + additionalProperties: false + properties: + advanced_settings: + additionalProperties: false + type: object + properties: + agent_download_target_directory: + nullable: true + agent_download_timeout: + nullable: true + agent_features_disable_policy_change_acks_enabled: + nullable: true + agent_internal: + nullable: true + agent_limits_go_max_procs: + nullable: true + agent_logging_files_interval: + nullable: true + agent_logging_files_keepfiles: + nullable: true + agent_logging_files_rotateeverybytes: + nullable: true + agent_logging_level: + nullable: true + agent_logging_metrics_period: + nullable: true + agent_logging_to_files: + nullable: true + agent_monitoring_runtime_experimental: + nullable: true + agent_features: + items: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + name: + type: string + required: + - name + - enabled + maxItems: 100 + type: array + agentless: + additionalProperties: false + type: object + properties: + cloud_connectors: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + target_csp: + enum: + - aws + - azure + - gcp + type: string + required: + - enabled + cluster_id: + type: string + resources: + additionalProperties: false + type: object + properties: + requests: + additionalProperties: false + type: object + properties: + cpu: + type: string + memory: + type: string + bumpRevision: + type: boolean + data_output_id: + nullable: true + type: string + description: + type: string + download_source_id: + nullable: true + type: string + fleet_server_host_id: + nullable: true + type: string + force: + type: boolean + global_data_tags: + description: User defined data tags that are added to all of the inputs. The values can be strings or numbers. 
+ items: + additionalProperties: false + type: object + properties: + name: + type: string + value: + anyOf: + - type: string + - type: number + required: + - name + - value + maxItems: 100 + type: array + has_agent_version_conditions: + type: boolean + has_fleet_server: + type: boolean + id: + type: string + inactivity_timeout: + default: 1209600 + minimum: 0 + type: number + is_default: + type: boolean + is_default_fleet_server: + type: boolean + is_managed: + type: boolean + is_protected: + type: boolean + is_verifier: + type: boolean + keep_monitoring_alive: + default: false + description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled + nullable: true + type: boolean + min_agent_version: + nullable: true + type: string + monitoring_diagnostics: + additionalProperties: false + type: object + properties: + limit: + additionalProperties: false + type: object + properties: + burst: + type: number + interval: + type: string + uploader: + additionalProperties: false + type: object + properties: + init_dur: + type: string + max_dur: + type: string + max_retries: + type: number + monitoring_enabled: + items: + enum: + - logs + - metrics + - traces + type: string + maxItems: 3 + type: array + monitoring_http: + additionalProperties: false + type: object + properties: + buffer: + additionalProperties: false + type: object + properties: + enabled: + default: false + type: boolean + enabled: + type: boolean + host: + type: string + port: + maximum: 65353 + minimum: 0 + type: number + monitoring_output_id: + nullable: true + type: string + monitoring_pprof_enabled: + type: boolean + name: + minLength: 1 + type: string + namespace: + minLength: 1 + type: string + overrides: + additionalProperties: + nullable: true + description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure. 
+ nullable: true + type: object + package_agent_version_conditions: + items: + additionalProperties: false + type: object + properties: + name: + type: string + title: + type: string + version_condition: + type: string + required: + - name + - title + - version_condition + maxItems: 1000 + nullable: true + type: array + required_versions: + items: + additionalProperties: false + type: object + properties: + percentage: + description: Target percentage of agents to auto upgrade + maximum: 100 + minimum: 0 + type: number + version: + description: Target version for automatic agent upgrade + type: string + required: + - version + - percentage + maxItems: 100 + nullable: true + type: array + space_ids: + items: + type: string + maxItems: 100 + type: array + supports_agentless: + default: false + deprecated: true + description: Indicates whether the agent policy supports agentless integrations. Deprecated in favor of the Fleet agentless policies API. + nullable: true + type: boolean + unenroll_timeout: + minimum: 0 + type: number + required: + - name + - namespace + title: new_agent_policy + type: object + Kibana_HTTP_APIs_new_enrollment_api_key: + additionalProperties: false + properties: + expiration: + type: string + name: + type: string + policy_id: + type: string + required: + - policy_id + title: new_enrollment_api_key + type: object Kibana_HTTP_APIs_new_output_elasticsearch: additionalProperties: false properties: 
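Review bot: `monitoring_http.port` in the new `new_agent_policy` schema is bounded with `maximum: 65353`, which cuts the valid TCP port range (0–65535) short and would reject ports 65354–65535 while still accepting everything below; `65353` reads like a digit transposition of `65535`. The corrected line is `maximum: 65535`. This file appears to be generated OpenAPI output, so the fix belongs in the `@kbn/config-schema` number limit the agent policy schema declares for `port` (presumably `schema.number({ min: 0, max: 65535 })`) and this line would then regenerate.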
@@ -110881,193 +98507,965 @@ components: - hosts title: output_logstash type: object - Kibana_HTTP_APIs_output_remote_elasticsearch: - additionalProperties: true + Kibana_HTTP_APIs_output_remote_elasticsearch: + additionalProperties: true + properties: + allow_edit: + items: + type: string + maxItems: 1000 + type: array + ca_sha256: + nullable: true + type: string + ca_trusted_fingerprint: + nullable: true + type: string + config_yaml: + nullable: true + type: string + hosts: + items: + format: uri + type: string + maxItems: 10 + minItems: 1 + type: array + id: + type: string + is_default: + default: false + type: boolean + is_default_monitoring: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + type: boolean + kibana_api_key: + nullable: true + type: string + kibana_url: + nullable: true + type: string + name: + type: string + otel_disable_beatsauth: + nullable: true + type: boolean + otel_exporter_config_yaml: + nullable: true + type: string + preset: + enum: + - balanced + - custom + - throughput + - scale + - latency + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: true + type: object + properties: + service_token: + anyOf: + - additionalProperties: true + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: true + type: object + properties: + key: + anyOf: + - additionalProperties: true + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + service_token: + nullable: true + type: string + shipper: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' + nullable: true + ssl: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + nullable: true + sync_integrations: + type: boolean + sync_uninstalled_integrations: + type: boolean + type: + enum: + - remote_elasticsearch + type: string + write_to_logs_streams: 
+ nullable: true + type: boolean + required: + - name + - type + - hosts + title: output_remote_elasticsearch + type: object + Kibana_HTTP_APIs_output_shipper: + additionalProperties: true + properties: + compression_level: + nullable: true + type: number + disk_queue_compression_enabled: + nullable: true + type: boolean + disk_queue_enabled: + default: false + nullable: true + type: boolean + disk_queue_encryption_enabled: + nullable: true + type: boolean + disk_queue_max_size: + nullable: true + type: number + disk_queue_path: + nullable: true + type: string + loadbalance: + nullable: true + type: boolean + max_batch_bytes: + nullable: true + type: number + mem_queue_events: + nullable: true + type: number + queue_flush_timeout: + nullable: true + type: number + required: + - disk_queue_path + - disk_queue_max_size + - disk_queue_encryption_enabled + - disk_queue_compression_enabled + - compression_level + - loadbalance + - mem_queue_events + - queue_flush_timeout + - max_batch_bytes + title: output_shipper + type: object + Kibana_HTTP_APIs_output_ssl: + additionalProperties: true + properties: + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + key: + type: string + verification_mode: + enum: + - full + - none + - certificate + - strict + type: string + title: output_ssl + type: object + Kibana_HTTP_APIs_package_icon: + additionalProperties: false + properties: + dark_mode: + type: boolean + path: + type: string + size: + type: string + src: + type: string + title: + type: string + type: + type: string + required: + - src + title: package_icon + type: object + Kibana_HTTP_APIs_package_list_item: + additionalProperties: true + properties: + categories: + items: + type: string + maxItems: 100 + type: array + conditions: + additionalProperties: true + type: object + properties: + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + elastic: + additionalProperties: true + type: 
object + properties: + capabilities: + items: + type: string + maxItems: 10 + type: array + subscription: + type: string + kibana: + additionalProperties: true + type: object + properties: + version: + type: string + required: + - deprecated + data_streams: + items: + additionalProperties: + nullable: true + type: object + maxItems: 1000 + type: array + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + description: + type: string + discovery: + additionalProperties: true + type: object + properties: + datasets: + items: + additionalProperties: true + type: object + properties: + name: + type: string + required: + - name + maxItems: 100 + type: array + fields: + items: + additionalProperties: true + type: object + properties: + name: + type: string + required: + - name + maxItems: 100 + type: array + download: + type: string + format_version: + type: string + icons: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_icon' + maxItems: 100 + type: array + id: + type: string + installationInfo: + $ref: '#/components/schemas/Kibana_HTTP_APIs_installation_info' + integration: + type: string + internal: + type: boolean + latestVersion: + type: string + name: + type: string + owner: + additionalProperties: true + type: object + properties: + github: + type: string + type: + enum: + - elastic + - partner + - community + type: string + path: + type: string + policy_templates: + items: + additionalProperties: + nullable: true + type: object + maxItems: 1000 + type: array + readme: + type: string + release: + enum: + - ga + - beta + - experimental + type: string + signature_path: + type: string + source: + additionalProperties: true + type: object + properties: + license: + type: string + required: + - license + status: + type: string + title: + type: string + type: + anyOf: + - enum: + - integration + type: string + - enum: + - input + type: string + - enum: + - content + type: string + - type: string + var_groups: + items: + 
additionalProperties: true + type: object + properties: + description: + type: string + name: + type: string + options: + items: + additionalProperties: true + type: object + properties: + description: + type: string + hide_in_deployment_modes: + items: + enum: + - default + - agentless + type: string + maxItems: 2 + type: array + name: + type: string + title: + type: string + vars: + items: + type: string + maxItems: 100 + type: array + required: + - name + - title + - vars + maxItems: 100 + type: array + selector_title: + type: string + title: + type: string + required: + - name + - title + - selector_title + - options + maxItems: 100 + type: array + vars: + items: + additionalProperties: + nullable: true + type: object + maxItems: 1000 + type: array + version: + type: string + required: + - installationInfo + - name + - version + - title + - deprecated + - id + title: package_list_item + type: object + Kibana_HTTP_APIs_package_metadata: + additionalProperties: false + properties: + has_policies: + type: boolean + required: + - has_policies + title: package_metadata + type: object + x-oas-optional: true + Kibana_HTTP_APIs_package_policy_package: + additionalProperties: false + properties: + experimental_data_stream_features: + items: + additionalProperties: false + type: object + properties: + data_stream: + type: string + features: + additionalProperties: false + type: object + properties: + doc_value_only_numeric: + type: boolean + doc_value_only_other: + type: boolean + synthetic_source: + type: boolean + tsdb: + type: boolean + required: + - data_stream + - features + maxItems: 100 + type: array + fips_compatible: + type: boolean + name: + description: Package name + type: string + requires_root: + type: boolean + title: + type: string + version: + description: Package version + type: string + required: + - name + - version + title: package_policy_package + type: object + x-oas-optional: true + Kibana_HTTP_APIs_package_policy_response: + additionalProperties: 
false properties: - allow_edit: + additional_datastreams_permissions: + description: Additional datastream permissions, that will be added to the agent policy. items: type: string maxItems: 1000 - type: array - ca_sha256: - nullable: true - type: string - ca_trusted_fingerprint: - nullable: true - type: string - config_yaml: nullable: true - type: string - hosts: - items: - format: uri - type: string - maxItems: 10 - minItems: 1 type: array - id: - type: string - is_default: - default: false - type: boolean - is_default_monitoring: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: - type: boolean - kibana_api_key: + agents: + type: number + cloud_connector_id: + description: ID of the cloud connector associated with this package policy. nullable: true type: string - kibana_url: + cloud_connector_name: + description: Transient field for cloud connector name during creation. + maxLength: 255 + minLength: 1 nullable: true type: string - name: + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this integration to its inputs.' 
type: string - otel_disable_beatsauth: - nullable: true - type: boolean - otel_exporter_config_yaml: - nullable: true + created_at: type: string - preset: - enum: - - balanced - - custom - - throughput - - scale - - latency + created_by: type: string - proxy_id: - nullable: true + description: + description: Package policy description type: string - secrets: + elasticsearch: additionalProperties: true type: object properties: - service_token: - anyOf: - - additionalProperties: true - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - ssl: + privileges: additionalProperties: true type: object properties: - key: - anyOf: - - additionalProperties: true + cluster: + items: + type: string + maxItems: 100 + type: array + enabled: + type: boolean + global_data_tags: + items: + additionalProperties: false + type: object + properties: + name: + description: The name of the custom field. Cannot contain spaces. + type: string + value: + anyOf: + - type: string + - type: number + description: The value of the custom field. + required: + - name + - value + maxItems: 100 + nullable: true + type: array + id: + type: string + inputs: + anyOf: + - items: + additionalProperties: false + type: object + properties: + compiled_input: + nullable: true + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' 
+ type: string + config: + additionalProperties: + additionalProperties: false type: object properties: - hash: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + name: + type: string + policy_template: + type: string + streams: + items: + additionalProperties: false + type: object + properties: + compiled_stream: + nullable: true + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' type: string + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + data_stream: + additionalProperties: false + type: object + properties: + dataset: + type: string + elasticsearch: + additionalProperties: false + type: object + properties: + dynamic_dataset: + type: boolean + dynamic_namespace: + type: boolean + privileges: + additionalProperties: false + type: object + properties: + indices: + items: + type: string + maxItems: 100 + type: array + type: + type: string + required: + - dataset + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + type: boolean id: type: string + keep_enabled: + type: boolean + migrate_from: + type: string + release: + enum: + - ga + - beta + - experimental + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. 
+ type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - enabled + - data_stream + - compiled_stream + - deprecated + maxItems: 1000 + type: array + type: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true required: - - id - - type: string - service_token: - nullable: true + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - type + - enabled + - streams + - deprecated + - compiled_input + maxItems: 100 + type: array + - additionalProperties: + additionalProperties: false + type: object + properties: + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' + type: string + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + description: Enable or disable that input. Defaults to `true` (enabled). + type: boolean + streams: + additionalProperties: + additionalProperties: false + type: object + properties: + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' + type: string + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + description: Enable or disable that stream. Defaults to `true` (enabled). + type: boolean + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. 
Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + required: + - deprecated + description: Input streams. Refer to the integration documentation to know which streams are available. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + required: + - deprecated + description: Package policy inputs. Refer to the integration documentation to know which inputs are available. + type: object + x-oas-optional: true + description: Package policy inputs. + is_managed: + type: boolean + name: + description: Unique name for the package policy. type: string - shipper: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' - nullable: true - ssl: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + namespace: + description: The package policy namespace. Leave blank to inherit the agent policy's namespace. 
+ type: string + output_id: nullable: true - sync_integrations: - type: boolean - sync_uninstalled_integrations: - type: boolean - type: - enum: - - remote_elasticsearch type: string - write_to_logs_streams: + overrides: + additionalProperties: false + description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. nullable: true - type: boolean - required: - - name - - type - - hosts - title: output_remote_elasticsearch - type: object - Kibana_HTTP_APIs_output_shipper: - additionalProperties: true - properties: - compression_level: + type: object + properties: + inputs: + additionalProperties: + nullable: true + type: object + package: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_package' + package_agent_version_condition: + type: string + policy_id: + deprecated: true + description: ID of the agent policy which the package policy will be added to. nullable: true + type: string + policy_ids: + items: + description: IDs of the agent policies which that package policy will be added to. + type: string + maxItems: 1000 + type: array + revision: + description: Package policy revision. type: number - disk_queue_compression_enabled: - nullable: true - type: boolean - disk_queue_enabled: + secret_references: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 1000 + type: array + spaceIds: + items: + type: string + maxItems: 100 + type: array + supports_agentless: default: false + description: Indicates whether the package policy belongs to an agentless agent policy. nullable: true type: boolean - disk_queue_encryption_enabled: + supports_cloud_connector: + default: false + description: Indicates whether the package policy supports cloud connectors. 
nullable: true type: boolean - disk_queue_max_size: - nullable: true - type: number - disk_queue_path: - nullable: true + updated_at: + type: string + updated_by: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + anyOf: + - additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + - additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + x-oas-optional: true + description: Package level variable. + version: + description: Package policy ES version. 
type: string - loadbalance: - nullable: true - type: boolean - max_batch_bytes: - nullable: true - type: number - mem_queue_events: - nullable: true - type: number - queue_flush_timeout: - nullable: true - type: number required: - - disk_queue_path - - disk_queue_max_size - - disk_queue_encryption_enabled - - disk_queue_compression_enabled - - compression_level - - loadbalance - - mem_queue_events - - queue_flush_timeout - - max_batch_bytes - title: output_shipper + - name + - enabled + - package + - inputs + - revision + - updated_at + - updated_by + - created_at + - created_by + title: package_policy_response type: object - Kibana_HTTP_APIs_output_ssl: - additionalProperties: true + Kibana_HTTP_APIs_package_policy_status_response: + additionalProperties: false properties: - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - key: + body: + additionalProperties: false + type: object + properties: + message: + type: string + required: + - message + id: type: string - verification_mode: - enum: - - full - - none - - certificate - - strict + name: type: string - title: output_ssl + statusCode: + type: number + success: + type: boolean + required: + - id + - success + title: package_policy_status_response type: object Kibana_HTTP_APIs_percentileOperation: additionalProperties: false @@ -112511,6 +100909,24 @@ components: - ranges title: Ranges Operation type: object + Kibana_HTTP_APIs_reauthorize_transform_request: + additionalProperties: false + properties: + transforms: + items: + additionalProperties: false + type: object + properties: + transformId: + type: string + required: + - transformId + maxItems: 1000 + type: array + required: + - transforms + title: reauthorize_transform_request + type: object Kibana_HTTP_APIs_RecursiveRecord: additionalProperties: anyOf: 
@@ -113142,6 +101558,43 @@ components: - fields title: Terms Operation type: object + Kibana_HTTP_APIs_review_upgrade_request: + additionalProperties: false + properties: + action: + enum: + - accept + - decline + - pending + type: string + target_version: + type: string + required: + - action + - target_version + title: review_upgrade_request + type: object + Kibana_HTTP_APIs_review_upgrade_response: + additionalProperties: false + properties: + success: + type: boolean + required: + - success + title: review_upgrade_response + type: object + Kibana_HTTP_APIs_rollback_package_response: + additionalProperties: false + properties: + success: + type: boolean + version: + type: string + required: + - version + - success + title: rollback_package_response + type: object Kibana_HTTP_APIs_security_bulk_create_or_update_roles_response: additionalProperties: false description: The response payload for the bulk create-or-update roles API. 
@@ -113577,6 +102030,210 @@ components: - roles title: security_roles_bulk_create_or_update_payload type: object + Kibana_HTTP_APIs_simplified_create_package_policy_request: + additionalProperties: false + properties: + additional_datastreams_permissions: + description: Additional datastream permissions, that will be added to the agent policy. + items: + type: string + maxItems: 100 + nullable: true + type: array + cloud_connector: + additionalProperties: false + type: object + properties: + cloud_connector_id: + description: ID of an existing cloud connector to reuse. If not provided, a new connector will be created. + type: string + enabled: + default: false + description: Whether cloud connectors are enabled for this policy. + type: boolean + name: + description: Optional name for the cloud connector. If not provided, will be auto-generated from credentials. + maxLength: 255 + minLength: 1 + type: string + target_csp: + description: Target cloud service provider. If not provided, will be auto-detected from inputs. + enum: + - aws + - azure + - gcp + type: string + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this integration to its inputs.' + type: string + description: + description: Policy description. + type: string + force: + description: Force package policy creation even if the package is not verified, or if the agent policy is managed. + type: boolean + global_data_tags: + items: + additionalProperties: false + type: object + properties: + name: + description: The name of the custom field. Cannot contain spaces. + type: string + value: + anyOf: + - type: string + - type: number + description: The value of the custom field. + required: + - name + - value + maxItems: 100 + type: array + id: + description: Policy unique identifier. 
+ type: string + inputs: + additionalProperties: + additionalProperties: false + type: object + properties: + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' + type: string + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + description: Enable or disable that input. Defaults to `true` (enabled). + type: boolean + streams: + additionalProperties: + additionalProperties: false + type: object + properties: + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' + type: string + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + description: Enable or disable that stream. Defaults to `true` (enabled). + type: boolean + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + required: + - deprecated + description: Input streams. Refer to the integration documentation to know which streams are available. 
+ type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + required: + - deprecated + description: Package policy inputs. Refer to the integration documentation to know which inputs are available. + type: object + name: + description: Unique name for the policy. + type: string + namespace: + description: Policy namespace. When not specified, it inherits the agent policy namespace. + type: string + package: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_package' + policy_template: + description: The policy template to use for the agentless package policy. If not provided, the default policy template will be used. + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + required: + - name + - package + title: simplified_create_package_policy_request + type: object Kibana_HTTP_APIs_slo-alerts-embeddable: additionalProperties: false description: SLO Alerts embeddable schema 
@@ -118625,6 +107282,325 @@ components: type: boolean title: update_output_remote_elasticsearch type: object + Kibana_HTTP_APIs_update_package_policy_request: + additionalProperties: false + properties: + additional_datastreams_permissions: + description: Additional datastream permissions, that will be added to the agent policy. + items: + type: string + maxItems: 1000 + nullable: true + type: array + cloud_connector_id: + description: ID of the cloud connector associated with this package policy. + nullable: true + type: string + cloud_connector_name: + description: Transient field for cloud connector name during creation. + maxLength: 255 + minLength: 1 + nullable: true + type: string + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this integration to its inputs.' + type: string + description: + description: Package policy description + type: string + enabled: + type: boolean + force: + type: boolean + global_data_tags: + items: + additionalProperties: false + type: object + properties: + name: + description: The name of the custom field. Cannot contain spaces. + type: string + value: + anyOf: + - type: string + - type: number + description: The value of the custom field. + required: + - name + - value + maxItems: 100 + nullable: true + type: array + inputs: + items: + additionalProperties: false + type: object + properties: + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' 
+ type: string + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + name: + type: string + policy_template: + type: string + streams: + items: + additionalProperties: false + type: object + properties: + compiled_stream: + nullable: true + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' + type: string + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + data_stream: + additionalProperties: false + type: object + properties: + dataset: + type: string + elasticsearch: + additionalProperties: false + type: object + properties: + dynamic_dataset: + type: boolean + dynamic_namespace: + type: boolean + privileges: + additionalProperties: false + type: object + properties: + indices: + items: + type: string + maxItems: 100 + type: array + type: + type: string + required: + - dataset + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + release: + enum: + - ga + - beta + - experimental + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. 
+ type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - enabled + - data_stream + - compiled_stream + - deprecated + maxItems: 1000 + type: array + type: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - type + - enabled + - deprecated + maxItems: 1000 + type: array + is_managed: + type: boolean + name: + type: string + namespace: + description: The package policy namespace. Leave blank to inherit the agent policy's namespace. + type: string + output_id: + nullable: true + type: string + overrides: + additionalProperties: false + description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. + nullable: true + type: object + properties: + inputs: + additionalProperties: + nullable: true + type: object + package: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_package' + package_agent_version_condition: + type: string + policy_id: + deprecated: true + description: ID of the agent policy which the package policy will be added to. + nullable: true + type: string + policy_ids: + items: + description: IDs of the agent policies which that package policy will be added to. 
+ type: string + maxItems: 1000 + type: array + spaceIds: + items: + type: string + maxItems: 100 + type: array + supports_agentless: + default: false + description: Indicates whether the package policy belongs to an agentless agent policy. + nullable: true + type: boolean + supports_cloud_connector: + default: false + description: Indicates whether the package policy supports cloud connectors. + nullable: true + type: boolean + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + version: + type: string + required: + - package + title: update_package_policy_request + type: object + Kibana_HTTP_APIs_update_package_request: + additionalProperties: false + properties: + keepPoliciesUpToDate: + type: boolean + namespace_customization_enabled_for: + description: Namespaces for which namespace-level customization is enabled on this package. 
+ items: + type: string + maxItems: 100 + type: array + title: update_package_request + type: object + Kibana_HTTP_APIs_update_package_response: + additionalProperties: false + properties: + item: + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_package_info' + required: + - item + title: update_package_response + type: object + Kibana_HTTP_APIs_upgrade_package_policies_request: + additionalProperties: false + properties: + packagePolicyIds: + items: + type: string + maxItems: 1000 + type: array + required: + - packagePolicyIds + title: upgrade_package_policies_request + type: object Kibana_HTTP_APIs_valueDisplay: additionalProperties: false description: Configure the visibility and the format of the values rendered on each chart partition section diff --git a/oas_docs/output/kibana.yaml b/oas_docs/output/kibana.yaml index 7347c4ba301b2..72f5b8709adcb 100644 --- a/oas_docs/output/kibana.yaml +++ b/oas_docs/output/kibana.yaml 
@@ -31193,857 +31193,7 @@ paths: properties: items: items: - additionalProperties: false - type: object - properties: - advanced_settings: - additionalProperties: false - type: object - properties: - agent_download_target_directory: - nullable: true - agent_download_timeout: - nullable: true - agent_features_disable_policy_change_acks_enabled: - nullable: true - agent_internal: - nullable: true - agent_limits_go_max_procs: - nullable: true - agent_logging_files_interval: - nullable: true - agent_logging_files_keepfiles: - nullable: true - agent_logging_files_rotateeverybytes: - nullable: true - agent_logging_level: - nullable: true - agent_logging_metrics_period: - nullable: true - agent_logging_to_files: - nullable: true - agent_monitoring_runtime_experimental: - nullable: true - agent_features: - items: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - name: - type: string - required: - - name - - enabled - maxItems: 100 - type: array - agentless: - additionalProperties: false - type: object - properties: - cloud_connectors: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - target_csp: - enum: - - aws - - azure - - gcp - type: string - required: - - enabled - cluster_id: - type: string - resources: - additionalProperties: false - type: object - properties: - requests: - additionalProperties: false - type: object - properties: - cpu: - type: string - memory: - type: string - agents: - type: number - agents_per_version: - items: - additionalProperties: false - type: object - properties: - count: - type: number - version: - type: string - required: - - version - - count - maxItems: 1000 - type: array - created_at: - type: string - data_output_id: - nullable: true - type: string - description: - type: string - download_source_id: - nullable: true - type: string - fips_agents: - type: number - fleet_server_host_id: - nullable: true - type: string - global_data_tags: - description: User defined 
data tags that are added to all of the inputs. The values can be strings or numbers. - items: - additionalProperties: false - type: object - properties: - name: - type: string - value: - anyOf: - - type: string - - type: number - required: - - name - - value - maxItems: 100 - type: array - has_agent_version_conditions: - type: boolean - has_fleet_server: - type: boolean - id: - type: string - inactivity_timeout: - default: 1209600 - minimum: 0 - type: number - is_default: - type: boolean - is_default_fleet_server: - type: boolean - is_managed: - type: boolean - is_preconfigured: - type: boolean - is_protected: - description: Indicates whether the agent policy has tamper protection enabled. Default false. - type: boolean - is_verifier: - type: boolean - keep_monitoring_alive: - default: false - description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled - nullable: true - type: boolean - min_agent_version: - nullable: true - type: string - monitoring_diagnostics: - additionalProperties: false - type: object - properties: - limit: - additionalProperties: false - type: object - properties: - burst: - type: number - interval: - type: string - uploader: - additionalProperties: false - type: object - properties: - init_dur: - type: string - max_dur: - type: string - max_retries: - type: number - monitoring_enabled: - items: - enum: - - logs - - metrics - - traces - type: string - maxItems: 3 - type: array - monitoring_http: - additionalProperties: false - type: object - properties: - buffer: - additionalProperties: false - type: object - properties: - enabled: - default: false - type: boolean - enabled: - type: boolean - host: - type: string - port: - maximum: 65353 - minimum: 0 - type: number - monitoring_output_id: - nullable: true - type: string - monitoring_pprof_enabled: - type: boolean - name: - minLength: 1 - type: string - namespace: - minLength: 1 - type: string - overrides: - additionalProperties: - nullable: true - 
description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure. - nullable: true - type: object - package_agent_version_conditions: - items: - additionalProperties: false - type: object - properties: - name: - type: string - title: - type: string - version_condition: - type: string - required: - - name - - title - - version_condition - maxItems: 1000 - nullable: true - type: array - package_policies: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - description: This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter - items: - additionalProperties: false - type: object - properties: - additional_datastreams_permissions: - description: Additional datastream permissions, that will be added to the agent policy. - items: - type: string - maxItems: 1000 - nullable: true - type: array - agents: - type: number - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. - nullable: true - type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. - maxLength: 255 - minLength: 1 - nullable: true - type: string - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this integration to its inputs.' 
- type: string - created_at: - type: string - created_by: - type: string - description: - description: Package policy description - type: string - elasticsearch: - additionalProperties: true - type: object - properties: - privileges: - additionalProperties: true - type: object - properties: - cluster: - items: - type: string - maxItems: 100 - type: array - enabled: - type: boolean - global_data_tags: - items: - additionalProperties: false - type: object - properties: - name: - description: The name of the custom field. Cannot contain spaces. - type: string - value: - anyOf: - - type: string - - type: number - description: The value of the custom field. - required: - - name - - value - maxItems: 100 - nullable: true - type: array - id: - description: Package policy unique identifier. - type: string - inputs: - anyOf: - - items: - additionalProperties: false - type: object - properties: - compiled_input: - nullable: true - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' - type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' 
- type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - enabled - - data_stream - - compiled_stream - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. 
- type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - type - - enabled - - streams - - compiled_input - maxItems: 100 - type: array - - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' - type: string - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that input. Defaults to `true` (enabled). - type: boolean - streams: - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' - type: string - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that stream. Defaults to `true` (enabled). - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. 
- type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Input streams. Refer to the integration documentation to know which streams are available. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Package policy inputs. Refer to the integration documentation to know which inputs are available. - type: object - x-oas-optional: true - description: Package policy inputs. - is_managed: - type: boolean - name: - description: Unique name for the package policy. - type: string - namespace: - description: The package policy namespace. Leave blank to inherit the agent policy's namespace. - type: string - output_id: - nullable: true - type: string - overrides: - additionalProperties: false - description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. 
- nullable: true - type: object - properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - - version - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. - nullable: true - type: string - policy_ids: - items: - description: IDs of the agent policies which that package policy will be added to. - type: string - maxItems: 1000 - type: array - revision: - description: Package policy revision. - type: number - secret_references: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 1000 - type: array - spaceIds: - items: - type: string - maxItems: 100 - type: array - supports_agentless: - default: false - description: Indicates whether the package policy belongs to an agentless agent policy. - nullable: true - type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. - nullable: true - type: boolean - updated_at: - type: string - updated_by: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. 
Maps var_group name to the selected option name within that group. - type: object - vars: - anyOf: - - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - x-oas-optional: true - description: Package level variable. - version: - description: Package policy ES version. - type: string - required: - - name - - enabled - - inputs - - id - - revision - - updated_at - - updated_by - - created_at - - created_by - maxItems: 10000 - type: array - required_versions: - items: - additionalProperties: false - type: object - properties: - percentage: - description: Target percentage of agents to auto upgrade - maximum: 100 - minimum: 0 - type: number - version: - description: Target version for automatic agent upgrade - type: string - required: - - version - - percentage - maxItems: 100 - nullable: true - type: array - revision: - type: number - schema_version: - type: string - space_ids: - items: - type: string - maxItems: 100 - type: array - status: - enum: - - active - - inactive - type: string - supports_agentless: - default: false - description: Indicates whether the agent policy supports agentless integrations. 
- nullable: true - type: boolean - unenroll_timeout: - minimum: 0 - type: number - unprivileged_agents: - type: number - updated_at: - type: string - updated_by: - type: string - version: - type: string - required: - - id - - name - - namespace - - is_protected - - status - - updated_at - - updated_by - - revision + $ref: '#/components/schemas/Kibana_HTTP_APIs_agent_policy_response' maxItems: 10000 type: array page: 
@@ -32131,273 +31281,224 @@ paths: name: My agent policy namespace: default schema: - additionalProperties: false - type: object - properties: - advanced_settings: - additionalProperties: false - type: object - properties: - agent_download_target_directory: - nullable: true - agent_download_timeout: - nullable: true - agent_features_disable_policy_change_acks_enabled: - nullable: true - agent_internal: - nullable: true - agent_limits_go_max_procs: - nullable: true - agent_logging_files_interval: - nullable: true - agent_logging_files_keepfiles: - nullable: true - agent_logging_files_rotateeverybytes: - nullable: true - agent_logging_level: - nullable: true - agent_logging_metrics_period: - nullable: true - agent_logging_to_files: - nullable: true - agent_monitoring_runtime_experimental: - nullable: true - agent_features: - items: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - name: - type: string - required: - - name - - enabled - maxItems: 100 - type: array - agentless: - additionalProperties: false - type: object - properties: - cloud_connectors: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - target_csp: - enum: - - aws - - azure - - gcp - type: string - required: - - enabled - cluster_id: - type: string - resources: - additionalProperties: false - type: object - properties: - requests: - additionalProperties: false - type: object - properties: - cpu: - type: string - memory: - type: string - data_output_id: - nullable: true - type: string - description: - type: string - download_source_id: - nullable: true - type: string - fleet_server_host_id: - nullable: true - type: string - force: - type: boolean - global_data_tags: - description: User defined data tags that are added to all of the inputs. The values can be strings or numbers. 
- items: - additionalProperties: false - type: object - properties: - name: - type: string - value: - anyOf: - - type: string - - type: number - required: - - name - - value - maxItems: 100 - type: array - has_agent_version_conditions: - type: boolean - has_fleet_server: - type: boolean - id: - type: string - inactivity_timeout: - default: 1209600 - minimum: 0 - type: number - is_default: - type: boolean - is_default_fleet_server: - type: boolean - is_managed: - type: boolean - is_protected: - type: boolean - is_verifier: - type: boolean - keep_monitoring_alive: - default: false - description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled - nullable: true - type: boolean - min_agent_version: - nullable: true - type: string - monitoring_diagnostics: - additionalProperties: false - type: object - properties: - limit: - additionalProperties: false - type: object - properties: - burst: - type: number - interval: - type: string - uploader: - additionalProperties: false - type: object - properties: - init_dur: - type: string - max_dur: - type: string - max_retries: - type: number - monitoring_enabled: - items: - enum: - - logs - - metrics - - traces + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_agent_policy' + responses: + '200': + content: + application/json: + examples: + postAgentPolicyExample: + description: The created agent policy + value: + item: + description: A sample agent policy + id: agent-policy-id-2 + is_managed: false + is_protected: false + name: My agent policy + namespace: default + revision: 1 + status: active + updated_at: '2024-01-15T10:00:00.000Z' + updated_by: user1 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_agent_policy_response' + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + 
statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: type: string - maxItems: 3 - type: array - monitoring_http: - additionalProperties: false - type: object - properties: - buffer: - additionalProperties: false - type: object - properties: - enabled: - default: false - type: boolean - enabled: - type: boolean - host: - type: string - port: - maximum: 65353 - minimum: 0 - type: number - monitoring_output_id: - nullable: true - type: string - monitoring_pprof_enabled: + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Create an agent policy + tags: + - Elastic Agent policies + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agent_policies/_bulk_get: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agent_policies/_bulk_get
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get multiple agent policies by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-agents-read OR fleet-setup. + operationId: post-fleet-agent-policies-bulk-get + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: 'Format for the response: simplified or legacy' + in: query + name: format + required: false + schema: + enum: + - simplified + - legacy + type: string + requestBody: + content: + application/json: + examples: + postBulkGetAgentPoliciesRequestExample: + description: Retrieve multiple agent policies by ID + value: + ids: + - agent-policy-id-1 + - agent-policy-id-2 + schema: + additionalProperties: false + type: object + properties: + full: + description: get full policies with package policies populated type: boolean - name: - minLength: 1 - type: string - namespace: - minLength: 1 - type: string - overrides: - additionalProperties: - nullable: true - description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure. 
- nullable: true - type: object - package_agent_version_conditions: - items: - additionalProperties: false - type: object - properties: - name: - type: string - title: - type: string - version_condition: - type: string - required: - - name - - title - - version_condition - maxItems: 1000 - nullable: true - type: array - required_versions: - items: - additionalProperties: false - type: object - properties: - percentage: - description: Target percentage of agents to auto upgrade - maximum: 100 - minimum: 0 - type: number - version: - description: Target version for automatic agent upgrade - type: string - required: - - version - - percentage - maxItems: 100 - nullable: true - type: array - space_ids: + ids: + description: list of package policy ids items: type: string - maxItems: 100 + maxItems: 1000 type: array - supports_agentless: - default: false - deprecated: true - description: Indicates whether the agent policy supports agentless integrations. Deprecated in favor of the Fleet agentless policies API. 
- nullable: true + ignoreMissing: type: boolean - unenroll_timeout: - minimum: 0 - type: number required: - - name - - namespace + - ids responses: '200': content: application/json: examples: - postAgentPolicyExample: - description: The created agent policy + postBulkGetAgentPoliciesExample: + description: The requested agent policies + value: + items: + - id: agent-policy-id-1 + is_managed: false + is_protected: false + name: My agent policy + namespace: default + revision: 1 + status: active + updated_at: '2024-01-15T10:00:00.000Z' + updated_by: user1 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_get_agent_policies_response' + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: One or more agent policies were not found + value: + error: Not Found + message: An error message describing what went wrong + statusCode: 404 + description: Not Found + summary: Bulk get agent policies + tags: + - Elastic Agent policies + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agent_policies/{agentPolicyId}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-agents-read OR fleet-setup. + operationId: get-fleet-agent-policies-agentpolicyid + parameters: + - description: The ID of the agent policy + in: path + name: agentPolicyId + required: true + schema: + type: string + - description: 'Format for the response: simplified or legacy' + in: query + name: format + required: false + schema: + enum: + - simplified + - legacy + type: string + responses: + '200': + content: + application/json: + examples: + getAgentPolicyExample: + description: An agent policy value: item: description: A sample agent policy - id: agent-policy-id-2 + id: agent-policy-id-1 is_managed: false is_protected: false name: My agent policy 
@@ -32406,878 +31507,22 @@ paths: status: active updated_at: '2024-01-15T10:00:00.000Z' updated_by: user1 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_agent_policy_response' + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - advanced_settings: - additionalProperties: false - type: object - properties: - agent_download_target_directory: - nullable: true - agent_download_timeout: - nullable: true - agent_features_disable_policy_change_acks_enabled: - nullable: true - agent_internal: - nullable: true - agent_limits_go_max_procs: - nullable: true - agent_logging_files_interval: - nullable: true - agent_logging_files_keepfiles: - nullable: true - agent_logging_files_rotateeverybytes: - nullable: true - agent_logging_level: - nullable: true - agent_logging_metrics_period: - nullable: true - agent_logging_to_files: - nullable: true - agent_monitoring_runtime_experimental: - nullable: true - agent_features: - items: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - name: - type: string - required: - - name - - enabled - maxItems: 100 - type: array - agentless: - additionalProperties: false - type: object - properties: - cloud_connectors: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - target_csp: - enum: - - aws - - azure - - gcp - type: string - required: - - enabled - cluster_id: - type: string - resources: - additionalProperties: false - type: object - properties: - requests: - additionalProperties: false - type: object - properties: - cpu: - type: string - memory: - type: string - agents: - type: number - agents_per_version: - 
items: - additionalProperties: false - type: object - properties: - count: - type: number - version: - type: string - required: - - version - - count - maxItems: 1000 - type: array - created_at: - type: string - data_output_id: - nullable: true - type: string - description: - type: string - download_source_id: - nullable: true - type: string - fips_agents: - type: number - fleet_server_host_id: - nullable: true - type: string - global_data_tags: - description: User defined data tags that are added to all of the inputs. The values can be strings or numbers. - items: - additionalProperties: false - type: object - properties: - name: - type: string - value: - anyOf: - - type: string - - type: number - required: - - name - - value - maxItems: 100 - type: array - has_agent_version_conditions: - type: boolean - has_fleet_server: - type: boolean - id: - type: string - inactivity_timeout: - default: 1209600 - minimum: 0 - type: number - is_default: - type: boolean - is_default_fleet_server: - type: boolean - is_managed: - type: boolean - is_preconfigured: - type: boolean - is_protected: - description: Indicates whether the agent policy has tamper protection enabled. Default false. 
- type: boolean - is_verifier: - type: boolean - keep_monitoring_alive: - default: false - description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled - nullable: true - type: boolean - min_agent_version: - nullable: true - type: string - monitoring_diagnostics: - additionalProperties: false - type: object - properties: - limit: - additionalProperties: false - type: object - properties: - burst: - type: number - interval: - type: string - uploader: - additionalProperties: false - type: object - properties: - init_dur: - type: string - max_dur: - type: string - max_retries: - type: number - monitoring_enabled: - items: - enum: - - logs - - metrics - - traces - type: string - maxItems: 3 - type: array - monitoring_http: - additionalProperties: false - type: object - properties: - buffer: - additionalProperties: false - type: object - properties: - enabled: - default: false - type: boolean - enabled: - type: boolean - host: - type: string - port: - maximum: 65353 - minimum: 0 - type: number - monitoring_output_id: - nullable: true - type: string - monitoring_pprof_enabled: - type: boolean - name: - minLength: 1 - type: string - namespace: - minLength: 1 - type: string - overrides: - additionalProperties: - nullable: true - description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure. 
- nullable: true - type: object - package_agent_version_conditions: - items: - additionalProperties: false - type: object - properties: - name: - type: string - title: - type: string - version_condition: - type: string - required: - - name - - title - - version_condition - maxItems: 1000 - nullable: true - type: array - package_policies: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - description: This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter - items: - additionalProperties: false - type: object - properties: - additional_datastreams_permissions: - description: Additional datastream permissions, that will be added to the agent policy. - items: - type: string - maxItems: 1000 - nullable: true - type: array - agents: - type: number - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. - nullable: true - type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. - maxLength: 255 - minLength: 1 - nullable: true - type: string - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this integration to its inputs.' - type: string - created_at: - type: string - created_by: - type: string - description: - description: Package policy description - type: string - elasticsearch: - additionalProperties: true - type: object - properties: - privileges: - additionalProperties: true - type: object - properties: - cluster: - items: - type: string - maxItems: 100 - type: array - enabled: - type: boolean - global_data_tags: - items: - additionalProperties: false - type: object - properties: - name: - description: The name of the custom field. Cannot contain spaces. - type: string - value: - anyOf: - - type: string - - type: number - description: The value of the custom field. 
- required: - - name - - value - maxItems: 100 - nullable: true - type: array - id: - description: Package policy unique identifier. - type: string - inputs: - anyOf: - - items: - additionalProperties: false - type: object - properties: - compiled_input: - nullable: true - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' - type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' 
- type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - enabled - - data_stream - - compiled_stream - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. 
- type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - type - - enabled - - streams - - compiled_input - maxItems: 100 - type: array - - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' - type: string - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that input. Defaults to `true` (enabled). - type: boolean - streams: - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' - type: string - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that stream. Defaults to `true` (enabled). - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. 
- type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Input streams. Refer to the integration documentation to know which streams are available. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Package policy inputs. Refer to the integration documentation to know which inputs are available. - type: object - x-oas-optional: true - description: Package policy inputs. - is_managed: - type: boolean - name: - description: Unique name for the package policy. - type: string - namespace: - description: The package policy namespace. Leave blank to inherit the agent policy's namespace. - type: string - output_id: - nullable: true - type: string - overrides: - additionalProperties: false - description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. 
- nullable: true - type: object - properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - - version - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. - nullable: true - type: string - policy_ids: - items: - description: IDs of the agent policies which that package policy will be added to. - type: string - maxItems: 1000 - type: array - revision: - description: Package policy revision. - type: number - secret_references: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 1000 - type: array - spaceIds: - items: - type: string - maxItems: 100 - type: array - supports_agentless: - default: false - description: Indicates whether the package policy belongs to an agentless agent policy. - nullable: true - type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. - nullable: true - type: boolean - updated_at: - type: string - updated_by: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. 
Maps var_group name to the selected option name within that group. - type: object - vars: - anyOf: - - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - x-oas-optional: true - description: Package level variable. - version: - description: Package policy ES version. - type: string - required: - - name - - enabled - - inputs - - id - - revision - - updated_at - - updated_by - - created_at - - created_by - maxItems: 10000 - type: array - required_versions: - items: - additionalProperties: false - type: object - properties: - percentage: - description: Target percentage of agents to auto upgrade - maximum: 100 - minimum: 0 - type: number - version: - description: Target version for automatic agent upgrade - type: string - required: - - version - - percentage - maxItems: 100 - nullable: true - type: array - revision: - type: number - schema_version: - type: string - space_ids: - items: - type: string - maxItems: 100 - type: array - status: - enum: - - active - - inactive - type: string - supports_agentless: - default: false - description: Indicates whether the agent policy supports agentless integrations. 
- nullable: true - type: boolean - unenroll_timeout: - minimum: 0 - type: number - unprivileged_agents: - type: number - updated_at: - type: string - updated_by: - type: string - version: - type: string - required: - - id - - name - - namespace - - is_protected - - status - - updated_at - - updated_by - - revision - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error + description: Generic Error type: object properties: attributes: @@ -33294,23 +31539,33 @@ paths: - message - attributes description: Bad Request - summary: Create an agent policy + '404': + content: + application/json: + examples: + notFoundExample: + description: No agent policy was found with the given ID + value: + error: Not Found + message: Agent policy not found + statusCode: 404 + description: Not Found + summary: Get an agent policy tags: - Elastic Agent policies x-metaTags: - content: Kibana name: product_name - /api/fleet/agent_policies/_bulk_get: - post: + put: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/agent_policies/_bulk_get
+
put /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Get multiple agent policies by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-agents-read OR fleet-setup. - operationId: post-fleet-agent-policies-bulk-get + Update an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all. + operationId: put-fleet-agent-policies-agentpolicyid parameters: - description: A required header to protect against CSRF attacks in: header @@ -33319,6 +31574,12 @@ paths: schema: example: 'true' type: string + - description: The ID of the agent policy + in: path + name: agentPolicyId + required: true + schema: + type: string - description: 'Format for the response: simplified or legacy' in: query name: format 
@@ -33332,908 +31593,149 @@ paths: content: application/json: examples: - postBulkGetAgentPoliciesRequestExample: - description: Retrieve multiple agent policies by ID + putAgentPolicyRequestExample: + description: Update an agent policy value: - ids: - - agent-policy-id-1 - - agent-policy-id-2 + description: An updated agent policy description + monitoring_enabled: + - logs + name: Updated agent policy + namespace: default schema: - additionalProperties: false - type: object - properties: - full: - description: get full policies with package policies populated - type: boolean - ids: - description: list of package policy ids - items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_agent_policy' + responses: + '200': + content: + application/json: + examples: + putAgentPolicyExample: + description: The updated agent policy + value: + item: + description: An updated agent policy description + id: agent-policy-id-1 + is_managed: false + is_protected: false + name: Updated agent policy + namespace: default + revision: 2 + status: active + updated_at: '2024-01-15T11:00:00.000Z' + updated_by: user1 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_agent_policy_response' + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: type: string - maxItems: 1000 - type: array - ignoreMissing: - type: boolean - required: - - ids + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Update an agent policy + tags: + - Elastic Agent policies + x-metaTags: + - content: Kibana + name: product_name + 
/api/fleet/agent_policies/{agentPolicyId}/auto_upgrade_agents_status: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/auto_upgrade_agents_status
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the auto-upgrade status for agents assigned to an agent policy.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agent-policies-agentpolicyid-auto-upgrade-agents-status + parameters: + - description: The ID of the agent policy + in: path + name: agentPolicyId + required: true + schema: + type: string responses: '200': content: application/json: examples: - postBulkGetAgentPoliciesExample: - description: The requested agent policies + getAutoUpgradeAgentsStatusExample: + description: Auto-upgrade status for agents in the policy value: - items: - - id: agent-policy-id-1 - is_managed: false - is_protected: false - name: My agent policy - namespace: default - revision: 1 - status: active - updated_at: '2024-01-15T10:00:00.000Z' - updated_by: user1 + agentsCount: 5 + currentVersion: 8.16.0 + failedAgentsCount: 0 + upgradedAgentsCount: 3 + upgradingAgentsCount: 1 schema: additionalProperties: false type: object properties: - items: + currentVersions: items: additionalProperties: false type: object properties: - advanced_settings: - additionalProperties: false - type: object - properties: - agent_download_target_directory: - nullable: true - agent_download_timeout: - nullable: true - agent_features_disable_policy_change_acks_enabled: - nullable: true - agent_internal: - nullable: true - agent_limits_go_max_procs: - nullable: true - agent_logging_files_interval: - nullable: true - agent_logging_files_keepfiles: - nullable: true - agent_logging_files_rotateeverybytes: - nullable: true - agent_logging_level: - nullable: true - agent_logging_metrics_period: - nullable: true - agent_logging_to_files: - nullable: true - agent_monitoring_runtime_experimental: - nullable: true - agent_features: - items: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - name: - type: string - required: - - name - - enabled - maxItems: 100 - type: array - agentless: - additionalProperties: false - type: object - properties: - cloud_connectors: - additionalProperties: false - 
type: object - properties: - enabled: - type: boolean - target_csp: - enum: - - aws - - azure - - gcp - type: string - required: - - enabled - cluster_id: - type: string - resources: - additionalProperties: false - type: object - properties: - requests: - additionalProperties: false - type: object - properties: - cpu: - type: string - memory: - type: string agents: + description: Number of agents that upgraded to this version type: number - agents_per_version: + failedUpgradeActionIds: + description: List of action IDs related to failed upgrades items: - additionalProperties: false - type: object - properties: - count: - type: number - version: - type: string - required: - - version - - count + type: string maxItems: 1000 type: array - created_at: - type: string - data_output_id: - nullable: true - type: string - description: - type: string - download_source_id: - nullable: true - type: string - fips_agents: + failedUpgradeAgents: + description: Number of agents that failed to upgrade to this version type: number - fleet_server_host_id: - nullable: true - type: string - global_data_tags: - description: User defined data tags that are added to all of the inputs. The values can be strings or numbers. + inProgressUpgradeActionIds: + description: List of action IDs related to in-progress upgrades items: - additionalProperties: false - type: object - properties: - name: - type: string - value: - anyOf: - - type: string - - type: number - required: - - name - - value - maxItems: 100 - type: array - has_agent_version_conditions: - type: boolean - has_fleet_server: - type: boolean - id: - type: string - inactivity_timeout: - default: 1209600 - minimum: 0 - type: number - is_default: - type: boolean - is_default_fleet_server: - type: boolean - is_managed: - type: boolean - is_preconfigured: - type: boolean - is_protected: - description: Indicates whether the agent policy has tamper protection enabled. Default false. 
- type: boolean - is_verifier: - type: boolean - keep_monitoring_alive: - default: false - description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled - nullable: true - type: boolean - min_agent_version: - nullable: true - type: string - monitoring_diagnostics: - additionalProperties: false - type: object - properties: - limit: - additionalProperties: false - type: object - properties: - burst: - type: number - interval: - type: string - uploader: - additionalProperties: false - type: object - properties: - init_dur: - type: string - max_dur: - type: string - max_retries: - type: number - monitoring_enabled: - items: - enum: - - logs - - metrics - - traces type: string - maxItems: 3 - type: array - monitoring_http: - additionalProperties: false - type: object - properties: - buffer: - additionalProperties: false - type: object - properties: - enabled: - default: false - type: boolean - enabled: - type: boolean - host: - type: string - port: - maximum: 65353 - minimum: 0 - type: number - monitoring_output_id: - nullable: true - type: string - monitoring_pprof_enabled: - type: boolean - name: - minLength: 1 - type: string - namespace: - minLength: 1 - type: string - overrides: - additionalProperties: - nullable: true - description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure. 
- nullable: true - type: object - package_agent_version_conditions: - items: - additionalProperties: false - type: object - properties: - name: - type: string - title: - type: string - version_condition: - type: string - required: - - name - - title - - version_condition maxItems: 1000 - nullable: true - type: array - package_policies: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - description: This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter - items: - additionalProperties: false - type: object - properties: - additional_datastreams_permissions: - description: Additional datastream permissions, that will be added to the agent policy. - items: - type: string - maxItems: 1000 - nullable: true - type: array - agents: - type: number - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. - nullable: true - type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. - maxLength: 255 - minLength: 1 - nullable: true - type: string - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this integration to its inputs.' - type: string - created_at: - type: string - created_by: - type: string - description: - description: Package policy description - type: string - elasticsearch: - additionalProperties: true - type: object - properties: - privileges: - additionalProperties: true - type: object - properties: - cluster: - items: - type: string - maxItems: 100 - type: array - enabled: - type: boolean - global_data_tags: - items: - additionalProperties: false - type: object - properties: - name: - description: The name of the custom field. Cannot contain spaces. - type: string - value: - anyOf: - - type: string - - type: number - description: The value of the custom field. 
- required: - - name - - value - maxItems: 100 - nullable: true - type: array - id: - description: Package policy unique identifier. - type: string - inputs: - anyOf: - - items: - additionalProperties: false - type: object - properties: - compiled_input: - nullable: true - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' - type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' 
- type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - enabled - - data_stream - - compiled_stream - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. 
- type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - type - - enabled - - streams - - compiled_input - maxItems: 100 - type: array - - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' - type: string - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that input. Defaults to `true` (enabled). - type: boolean - streams: - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' - type: string - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that stream. Defaults to `true` (enabled). - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. 
- type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Input streams. Refer to the integration documentation to know which streams are available. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Package policy inputs. Refer to the integration documentation to know which inputs are available. - type: object - x-oas-optional: true - description: Package policy inputs. - is_managed: - type: boolean - name: - description: Unique name for the package policy. - type: string - namespace: - description: The package policy namespace. Leave blank to inherit the agent policy's namespace. - type: string - output_id: - nullable: true - type: string - overrides: - additionalProperties: false - description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. 
- nullable: true - type: object - properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - - version - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. - nullable: true - type: string - policy_ids: - items: - description: IDs of the agent policies which that package policy will be added to. - type: string - maxItems: 1000 - type: array - revision: - description: Package policy revision. - type: number - secret_references: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 1000 - type: array - spaceIds: - items: - type: string - maxItems: 100 - type: array - supports_agentless: - default: false - description: Indicates whether the package policy belongs to an agentless agent policy. - nullable: true - type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. - nullable: true - type: boolean - updated_at: - type: string - updated_by: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. 
Maps var_group name to the selected option name within that group. - type: object - vars: - anyOf: - - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - x-oas-optional: true - description: Package level variable. - version: - description: Package policy ES version. - type: string - required: - - name - - enabled - - inputs - - id - - revision - - updated_at - - updated_by - - created_at - - created_by - maxItems: 10000 - type: array - required_versions: - items: - additionalProperties: false - type: object - properties: - percentage: - description: Target percentage of agents to auto upgrade - maximum: 100 - minimum: 0 - type: number - version: - description: Target version for automatic agent upgrade - type: string - required: - - version - - percentage - maxItems: 100 - nullable: true type: array - revision: - type: number - schema_version: - type: string - space_ids: - items: - type: string - maxItems: 100 - type: array - status: - enum: - - active - - inactive - type: string - supports_agentless: - default: false - description: Indicates whether the agent policy supports agentless integrations. 
- nullable: true - type: boolean - unenroll_timeout: - minimum: 0 - type: number - unprivileged_agents: + inProgressUpgradeAgents: + description: Number of agents that are upgrading to this version type: number - updated_at: - type: string - updated_by: - type: string version: + description: Agent version type: string required: - - id - - name - - namespace - - is_protected - - status - - updated_at - - updated_by - - revision + - version + - agents + - failedUpgradeAgents + - inProgressUpgradeAgents maxItems: 10000 type: array + totalAgents: + type: number required: - - items + - currentVersions + - totalAgents description: Successful response '400': content: @@ -34264,35 +31766,31 @@ paths: - message - attributes description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: One or more agent policies were not found - value: - error: Not Found - message: An error message describing what went wrong - statusCode: 404 - description: Not Found - summary: Bulk get agent policies + summary: Get auto upgrade agent status tags: - Elastic Agent policies x-metaTags: - content: Kibana name: product_name - /api/fleet/agent_policies/{agentPolicyId}: - get: + /api/fleet/agent_policies/{agentPolicyId}/copy: + post: description: |- **Spaces method and path for this operation:** -
get /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}
+
post /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/copy
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Get an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-agents-read OR fleet-setup. - operationId: get-fleet-agent-policies-agentpolicyid + Copy an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all. + operationId: post-fleet-agent-policies-agentpolicyid-copy parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string - description: The ID of the agent policy in: path name: agentPolicyId 
@@ -34308,884 +31806,128 @@ paths: - simplified - legacy type: string + requestBody: + content: + application/json: + examples: + postCopyAgentPolicyRequestExample: + description: Copy an agent policy with a new name + value: + description: A copy of the original agent policy + name: Copy of my agent policy + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_copy_agent_policy_request' responses: '200': content: application/json: examples: - getAgentPolicyExample: - description: An agent policy + postCopyAgentPolicyExample: + description: The copied agent policy value: item: - description: A sample agent policy - id: agent-policy-id-1 + description: A copy of the original agent policy + id: agent-policy-id-copy-1 is_managed: false is_protected: false - name: My agent policy + name: Copy of my agent policy namespace: default revision: 1 status: active - updated_at: '2024-01-15T10:00:00.000Z' + updated_at: '2024-01-15T11:00:00.000Z' updated_by: user1 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_agent_policy_response' + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: additionalProperties: false + description: Generic Error type: object properties: - item: - additionalProperties: false - type: object - properties: - advanced_settings: - additionalProperties: false - type: object - properties: - agent_download_target_directory: - nullable: true - agent_download_timeout: - nullable: true - agent_features_disable_policy_change_acks_enabled: - nullable: true - agent_internal: - nullable: true - agent_limits_go_max_procs: - nullable: true - agent_logging_files_interval: - nullable: true - agent_logging_files_keepfiles: - nullable: true - agent_logging_files_rotateeverybytes: - nullable: true - agent_logging_level: - nullable: 
true - agent_logging_metrics_period: - nullable: true - agent_logging_to_files: - nullable: true - agent_monitoring_runtime_experimental: - nullable: true - agent_features: - items: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - name: - type: string - required: - - name - - enabled - maxItems: 100 - type: array - agentless: - additionalProperties: false - type: object - properties: - cloud_connectors: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - target_csp: - enum: - - aws - - azure - - gcp - type: string - required: - - enabled - cluster_id: - type: string - resources: - additionalProperties: false - type: object - properties: - requests: - additionalProperties: false - type: object - properties: - cpu: - type: string - memory: - type: string - agents: - type: number - agents_per_version: - items: - additionalProperties: false - type: object - properties: - count: - type: number - version: - type: string - required: - - version - - count - maxItems: 1000 - type: array - created_at: - type: string - data_output_id: - nullable: true - type: string - description: - type: string - download_source_id: - nullable: true - type: string - fips_agents: - type: number - fleet_server_host_id: - nullable: true - type: string - global_data_tags: - description: User defined data tags that are added to all of the inputs. The values can be strings or numbers. 
- items: - additionalProperties: false - type: object - properties: - name: - type: string - value: - anyOf: - - type: string - - type: number - required: - - name - - value - maxItems: 100 - type: array - has_agent_version_conditions: - type: boolean - has_fleet_server: - type: boolean - id: - type: string - inactivity_timeout: - default: 1209600 - minimum: 0 - type: number - is_default: - type: boolean - is_default_fleet_server: - type: boolean - is_managed: - type: boolean - is_preconfigured: - type: boolean - is_protected: - description: Indicates whether the agent policy has tamper protection enabled. Default false. - type: boolean - is_verifier: - type: boolean - keep_monitoring_alive: - default: false - description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled - nullable: true - type: boolean - min_agent_version: - nullable: true - type: string - monitoring_diagnostics: - additionalProperties: false - type: object - properties: - limit: - additionalProperties: false - type: object - properties: - burst: - type: number - interval: - type: string - uploader: - additionalProperties: false - type: object - properties: - init_dur: - type: string - max_dur: - type: string - max_retries: - type: number - monitoring_enabled: - items: - enum: - - logs - - metrics - - traces - type: string - maxItems: 3 - type: array - monitoring_http: - additionalProperties: false - type: object - properties: - buffer: - additionalProperties: false - type: object - properties: - enabled: - default: false - type: boolean - enabled: - type: boolean - host: - type: string - port: - maximum: 65353 - minimum: 0 - type: number - monitoring_output_id: - nullable: true - type: string - monitoring_pprof_enabled: - type: boolean - name: - minLength: 1 - type: string - namespace: - minLength: 1 - type: string - overrides: - additionalProperties: - nullable: true - description: Override settings that are defined in the agent policy. 
Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure. - nullable: true - type: object - package_agent_version_conditions: - items: - additionalProperties: false - type: object - properties: - name: - type: string - title: - type: string - version_condition: - type: string - required: - - name - - title - - version_condition - maxItems: 1000 - nullable: true - type: array - package_policies: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - description: This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter - items: - additionalProperties: false - type: object - properties: - additional_datastreams_permissions: - description: Additional datastream permissions, that will be added to the agent policy. - items: - type: string - maxItems: 1000 - nullable: true - type: array - agents: - type: number - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. - nullable: true - type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. - maxLength: 255 - minLength: 1 - nullable: true - type: string - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this integration to its inputs.' - type: string - created_at: - type: string - created_by: - type: string - description: - description: Package policy description - type: string - elasticsearch: - additionalProperties: true - type: object - properties: - privileges: - additionalProperties: true - type: object - properties: - cluster: - items: - type: string - maxItems: 100 - type: array - enabled: - type: boolean - global_data_tags: - items: - additionalProperties: false - type: object - properties: - name: - description: The name of the custom field. Cannot contain spaces. 
- type: string - value: - anyOf: - - type: string - - type: number - description: The value of the custom field. - required: - - name - - value - maxItems: 100 - nullable: true - type: array - id: - description: Package policy unique identifier. - type: string - inputs: - anyOf: - - items: - additionalProperties: false - type: object - properties: - compiled_input: - nullable: true - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' - type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' 
- type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - enabled - - data_stream - - compiled_stream - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. 
- type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - type - - enabled - - streams - - compiled_input - maxItems: 100 - type: array - - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' - type: string - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that input. Defaults to `true` (enabled). - type: boolean - streams: - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' - type: string - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that stream. Defaults to `true` (enabled). - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. 
- type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Input streams. Refer to the integration documentation to know which streams are available. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Package policy inputs. Refer to the integration documentation to know which inputs are available. - type: object - x-oas-optional: true - description: Package policy inputs. - is_managed: - type: boolean - name: - description: Unique name for the package policy. - type: string - namespace: - description: The package policy namespace. Leave blank to inherit the agent policy's namespace. - type: string - output_id: - nullable: true - type: string - overrides: - additionalProperties: false - description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. 
- nullable: true - type: object - properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - - version - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. - nullable: true - type: string - policy_ids: - items: - description: IDs of the agent policies which that package policy will be added to. - type: string - maxItems: 1000 - type: array - revision: - description: Package policy revision. - type: number - secret_references: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 1000 - type: array - spaceIds: - items: - type: string - maxItems: 100 - type: array - supports_agentless: - default: false - description: Indicates whether the package policy belongs to an agentless agent policy. - nullable: true - type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. - nullable: true - type: boolean - updated_at: - type: string - updated_by: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. 
Maps var_group name to the selected option name within that group. - type: object - vars: - anyOf: - - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - x-oas-optional: true - description: Package level variable. - version: - description: Package policy ES version. - type: string - required: - - name - - enabled - - inputs - - id - - revision - - updated_at - - updated_by - - created_at - - created_by - maxItems: 10000 - type: array - required_versions: - items: - additionalProperties: false - type: object - properties: - percentage: - description: Target percentage of agents to auto upgrade - maximum: 100 - minimum: 0 - type: number - version: - description: Target version for automatic agent upgrade - type: string - required: - - version - - percentage - maxItems: 100 - nullable: true - type: array - revision: - type: number - schema_version: - type: string - space_ids: - items: - type: string - maxItems: 100 - type: array - status: - enum: - - active - - inactive - type: string - supports_agentless: - default: false - description: Indicates whether the agent policy supports agentless integrations. 
- nullable: true - type: boolean - unenroll_timeout: - minimum: 0 - type: number - unprivileged_agents: - type: number - updated_at: - type: string - updated_by: - type: string - version: - type: string - required: - - id - - name - - namespace - - is_protected - - status - - updated_at - - updated_by - - revision + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number required: - - item - description: Successful response + - message + - attributes + description: Bad Request + summary: Copy an agent policy + tags: + - Elastic Agent policies + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agent_policies/{agentPolicyId}/download: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/download
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Download an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-setup. + operationId: get-fleet-agent-policies-agentpolicyid-download + parameters: + - description: The ID of the agent policy + in: path + name: agentPolicyId + required: true + schema: + type: string + - description: If true, returns the policy as a downloadable file + in: query + name: download + required: false + schema: + type: boolean + - description: If true, returns the policy formatted for standalone agents + in: query + name: standalone + required: false + schema: + type: boolean + - description: If true, returns the policy formatted for Kubernetes deployment + in: query + name: kubernetes + required: false + schema: + type: boolean + - description: If provided, returns the policy at the specified revision. Cannot be used with standalone or kubernetes flags. + in: query + name: revision + required: false + schema: + type: number + responses: + '200': + content: + application/json: + examples: + getDownloadAgentPolicyExample: + description: The agent policy download response + value: + item: 'id: agent-policy-id-1\nrevision: 1\noutputs:\n default:\n type: elasticsearch\n hosts:\n - https://elasticsearch.example.com:9200\n' + schema: + type: string + description: Successful response — returns the agent policy as a YAML file download '400': content: application/json: 
@@ -35225,1194 +31967,268 @@ paths: error: Not Found message: Agent policy not found statusCode: 404 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes description: Not Found - summary: Get an agent policy + summary: Download an agent policy tags: - Elastic Agent policies x-metaTags: - content: Kibana name: product_name - put: + /api/fleet/agent_policies/{agentPolicyId}/full: + get: description: |- **Spaces method and path for this operation:** -
put /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}
+
get /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/full
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Update an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all. - operationId: put-fleet-agent-policies-agentpolicyid + Get a full agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read. + operationId: get-fleet-agent-policies-agentpolicyid-full parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - description: The ID of the agent policy in: path name: agentPolicyId required: true schema: type: string - - description: 'Format for the response: simplified or legacy' + - description: If true, returns the policy as a downloadable file in: query - name: format + name: download required: false schema: - enum: - - simplified - - legacy - type: string - requestBody: - content: - application/json: - examples: - putAgentPolicyRequestExample: - description: Update an agent policy - value: - description: An updated agent policy description - monitoring_enabled: - - logs - name: Updated agent policy - namespace: default - schema: - additionalProperties: false - type: object - properties: - advanced_settings: - additionalProperties: false - type: object - properties: - agent_download_target_directory: - nullable: true - agent_download_timeout: - nullable: true - agent_features_disable_policy_change_acks_enabled: - nullable: true - agent_internal: - nullable: true - agent_limits_go_max_procs: - nullable: true - agent_logging_files_interval: - nullable: true - agent_logging_files_keepfiles: - nullable: true - agent_logging_files_rotateeverybytes: - nullable: true - agent_logging_level: - nullable: true - agent_logging_metrics_period: - nullable: true - agent_logging_to_files: - nullable: true - agent_monitoring_runtime_experimental: - nullable: true - agent_features: - items: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - name: - type: string - required: - - name - - enabled - maxItems: 100 - type: array - agentless: - additionalProperties: false - type: object - properties: - cloud_connectors: - additionalProperties: false - 
type: object - properties: - enabled: - type: boolean - target_csp: - enum: - - aws - - azure - - gcp - type: string - required: - - enabled - cluster_id: - type: string - resources: - additionalProperties: false - type: object - properties: - requests: - additionalProperties: false - type: object - properties: - cpu: - type: string - memory: - type: string - bumpRevision: - type: boolean - data_output_id: - nullable: true - type: string - description: - type: string - download_source_id: - nullable: true - type: string - fleet_server_host_id: - nullable: true - type: string - force: - type: boolean - global_data_tags: - description: User defined data tags that are added to all of the inputs. The values can be strings or numbers. - items: - additionalProperties: false - type: object - properties: - name: - type: string - value: - anyOf: - - type: string - - type: number - required: - - name - - value - maxItems: 100 - type: array - has_agent_version_conditions: - type: boolean - has_fleet_server: - type: boolean - id: - type: string - inactivity_timeout: - default: 1209600 - minimum: 0 - type: number - is_default: - type: boolean - is_default_fleet_server: - type: boolean - is_managed: - type: boolean - is_protected: - type: boolean - is_verifier: - type: boolean - keep_monitoring_alive: - default: false - description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled - nullable: true - type: boolean - min_agent_version: - nullable: true - type: string - monitoring_diagnostics: - additionalProperties: false - type: object - properties: - limit: - additionalProperties: false - type: object - properties: - burst: - type: number - interval: - type: string - uploader: - additionalProperties: false - type: object - properties: - init_dur: - type: string - max_dur: - type: string - max_retries: - type: number - monitoring_enabled: - items: - enum: - - logs - - metrics - - traces - type: string - maxItems: 3 - type: array - 
monitoring_http: - additionalProperties: false - type: object - properties: - buffer: - additionalProperties: false - type: object - properties: - enabled: - default: false - type: boolean - enabled: - type: boolean - host: - type: string - port: - maximum: 65353 - minimum: 0 - type: number - monitoring_output_id: - nullable: true - type: string - monitoring_pprof_enabled: - type: boolean - name: - minLength: 1 - type: string - namespace: - minLength: 1 - type: string - overrides: - additionalProperties: + type: boolean + - description: If true, returns the policy formatted for standalone agents + in: query + name: standalone + required: false + schema: + type: boolean + - description: If true, returns the policy formatted for Kubernetes deployment + in: query + name: kubernetes + required: false + schema: + type: boolean + - description: If provided, returns the policy at the specified revision. Cannot be used with standalone or kubernetes flags. + in: query + name: revision + required: false + schema: + type: number + responses: + '200': + content: + application/json: + examples: + getFullAgentPolicyExample: + description: The full agent policy configuration + value: + item: + agent: + monitoring: + logs: true + metrics: true + id: agent-policy-id-1 + inputs: [] + outputs: + default: + hosts: + - https://elasticsearch.example.com:9200 + type: elasticsearch + revision: 1 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_full_agent_policy_response' + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: nullable: true - description: Override settings that are defined in the agent policy. Input settings cannot be overridden. 
The override option should be used only in unusual circumstances and not as a routine procedure. - nullable: true - type: object - package_agent_version_conditions: - items: - additionalProperties: false - type: object - properties: - name: - type: string - title: - type: string - version_condition: - type: string - required: - - name - - title - - version_condition - maxItems: 1000 - nullable: true - type: array - required_versions: - items: - additionalProperties: false - type: object - properties: - percentage: - description: Target percentage of agents to auto upgrade - maximum: 100 - minimum: 0 - type: number - version: - description: Target version for automatic agent upgrade - type: string - required: - - version - - percentage - maxItems: 100 - nullable: true - type: array - space_ids: - items: + error: type: string - maxItems: 100 - type: array - supports_agentless: - default: false - deprecated: true - description: Indicates whether the agent policy supports agentless integrations. Deprecated in favor of the Fleet agentless policies API. - nullable: true - type: boolean - unenroll_timeout: - minimum: 0 - type: number - required: - - name - - namespace + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No agent policy was found with the given ID + value: + error: Not Found + message: Agent policy not found + statusCode: 404 + description: Not Found + summary: Get a full agent policy + tags: + - Elastic Agent policies + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agent_policies/{agentPolicyId}/outputs: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/outputs
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of outputs associated with agent policy by policy id.

[Required authorization] Route required privileges: fleet-agent-policies-read AND fleet-settings-read. + operationId: get-fleet-agent-policies-agentpolicyid-outputs + parameters: + - description: The ID of the agent policy + in: path + name: agentPolicyId + required: true + schema: + type: string responses: '200': content: application/json: examples: - putAgentPolicyExample: - description: The updated agent policy + getAgentPolicyOutputsExample: + description: Outputs associated with the agent policy value: item: - description: An updated agent policy description - id: agent-policy-id-1 - is_managed: false - is_protected: false - name: Updated agent policy - namespace: default - revision: 2 - status: active - updated_at: '2024-01-15T11:00:00.000Z' - updated_by: user1 + data_output: + id: output-id-1 + name: Default output + type: elasticsearch + monitoring_output: + id: output-id-1 + name: Default output + type: elasticsearch + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_agent_policy_outputs_response' + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: additionalProperties: false + description: Generic Error type: object properties: - item: - additionalProperties: false - type: object - properties: - advanced_settings: - additionalProperties: false - type: object - properties: - agent_download_target_directory: - nullable: true - agent_download_timeout: - nullable: true - agent_features_disable_policy_change_acks_enabled: - nullable: true - agent_internal: - nullable: true - agent_limits_go_max_procs: - nullable: true - agent_logging_files_interval: - nullable: true - agent_logging_files_keepfiles: - nullable: true - agent_logging_files_rotateeverybytes: - nullable: true - agent_logging_level: - nullable: true - 
agent_logging_metrics_period: - nullable: true - agent_logging_to_files: - nullable: true - agent_monitoring_runtime_experimental: - nullable: true - agent_features: - items: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - name: - type: string - required: - - name - - enabled - maxItems: 100 - type: array - agentless: - additionalProperties: false - type: object - properties: - cloud_connectors: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - target_csp: - enum: - - aws - - azure - - gcp - type: string - required: - - enabled - cluster_id: - type: string - resources: - additionalProperties: false - type: object - properties: - requests: - additionalProperties: false - type: object - properties: - cpu: - type: string - memory: - type: string - agents: - type: number - agents_per_version: - items: - additionalProperties: false - type: object - properties: - count: - type: number - version: - type: string - required: - - version - - count - maxItems: 1000 - type: array - created_at: - type: string - data_output_id: - nullable: true - type: string - description: - type: string - download_source_id: - nullable: true - type: string - fips_agents: - type: number - fleet_server_host_id: - nullable: true - type: string - global_data_tags: - description: User defined data tags that are added to all of the inputs. The values can be strings or numbers. 
- items: - additionalProperties: false - type: object - properties: - name: - type: string - value: - anyOf: - - type: string - - type: number - required: - - name - - value - maxItems: 100 - type: array - has_agent_version_conditions: - type: boolean - has_fleet_server: - type: boolean - id: - type: string - inactivity_timeout: - default: 1209600 - minimum: 0 - type: number - is_default: - type: boolean - is_default_fleet_server: - type: boolean - is_managed: - type: boolean - is_preconfigured: - type: boolean - is_protected: - description: Indicates whether the agent policy has tamper protection enabled. Default false. - type: boolean - is_verifier: - type: boolean - keep_monitoring_alive: - default: false - description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled - nullable: true - type: boolean - min_agent_version: - nullable: true - type: string - monitoring_diagnostics: - additionalProperties: false - type: object - properties: - limit: - additionalProperties: false - type: object - properties: - burst: - type: number - interval: - type: string - uploader: - additionalProperties: false - type: object - properties: - init_dur: - type: string - max_dur: - type: string - max_retries: - type: number - monitoring_enabled: - items: - enum: - - logs - - metrics - - traces - type: string - maxItems: 3 - type: array - monitoring_http: - additionalProperties: false - type: object - properties: - buffer: - additionalProperties: false - type: object - properties: - enabled: - default: false - type: boolean - enabled: - type: boolean - host: - type: string - port: - maximum: 65353 - minimum: 0 - type: number - monitoring_output_id: - nullable: true - type: string - monitoring_pprof_enabled: - type: boolean - name: - minLength: 1 - type: string - namespace: - minLength: 1 - type: string - overrides: - additionalProperties: - nullable: true - description: Override settings that are defined in the agent policy. 
Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure. - nullable: true - type: object - package_agent_version_conditions: - items: - additionalProperties: false - type: object - properties: - name: - type: string - title: - type: string - version_condition: - type: string - required: - - name - - title - - version_condition - maxItems: 1000 - nullable: true - type: array - package_policies: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - description: This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter - items: - additionalProperties: false - type: object - properties: - additional_datastreams_permissions: - description: Additional datastream permissions, that will be added to the agent policy. - items: - type: string - maxItems: 1000 - nullable: true - type: array - agents: - type: number - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. - nullable: true - type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. - maxLength: 255 - minLength: 1 - nullable: true - type: string - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this integration to its inputs.' - type: string - created_at: - type: string - created_by: - type: string - description: - description: Package policy description - type: string - elasticsearch: - additionalProperties: true - type: object - properties: - privileges: - additionalProperties: true - type: object - properties: - cluster: - items: - type: string - maxItems: 100 - type: array - enabled: - type: boolean - global_data_tags: - items: - additionalProperties: false - type: object - properties: - name: - description: The name of the custom field. Cannot contain spaces. 
- type: string - value: - anyOf: - - type: string - - type: number - description: The value of the custom field. - required: - - name - - value - maxItems: 100 - nullable: true - type: array - id: - description: Package policy unique identifier. - type: string - inputs: - anyOf: - - items: - additionalProperties: false - type: object - properties: - compiled_input: - nullable: true - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' - type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' 
- type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - enabled - - data_stream - - compiled_stream - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. 
- type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - type - - enabled - - streams - - compiled_input - maxItems: 100 - type: array - - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' - type: string - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that input. Defaults to `true` (enabled). - type: boolean - streams: - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' - type: string - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that stream. Defaults to `true` (enabled). - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. 
- type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Input streams. Refer to the integration documentation to know which streams are available. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Package policy inputs. Refer to the integration documentation to know which inputs are available. - type: object - x-oas-optional: true - description: Package policy inputs. - is_managed: - type: boolean - name: - description: Unique name for the package policy. - type: string - namespace: - description: The package policy namespace. Leave blank to inherit the agent policy's namespace. - type: string - output_id: - nullable: true - type: string - overrides: - additionalProperties: false - description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. 
- nullable: true - type: object - properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - - version - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. - nullable: true - type: string - policy_ids: - items: - description: IDs of the agent policies which that package policy will be added to. - type: string - maxItems: 1000 - type: array - revision: - description: Package policy revision. - type: number - secret_references: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 1000 - type: array - spaceIds: - items: - type: string - maxItems: 100 - type: array - supports_agentless: - default: false - description: Indicates whether the package policy belongs to an agentless agent policy. - nullable: true - type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. - nullable: true - type: boolean - updated_at: - type: string - updated_by: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. 
Maps var_group name to the selected option name within that group. - type: object - vars: - anyOf: - - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - x-oas-optional: true - description: Package level variable. - version: - description: Package policy ES version. - type: string - required: - - name - - enabled - - inputs - - id - - revision - - updated_at - - updated_by - - created_at - - created_by - maxItems: 10000 - type: array - required_versions: - items: - additionalProperties: false - type: object - properties: - percentage: - description: Target percentage of agents to auto upgrade - maximum: 100 - minimum: 0 - type: number - version: - description: Target version for automatic agent upgrade - type: string - required: - - version - - percentage - maxItems: 100 - nullable: true - type: array - revision: - type: number - schema_version: - type: string - space_ids: - items: - type: string - maxItems: 100 - type: array - status: - enum: - - active - - inactive - type: string - supports_agentless: - default: false - description: Indicates whether the agent policy supports agentless integrations. 
- nullable: true - type: boolean - unenroll_timeout: - minimum: 0 - type: number - unprivileged_agents: - type: number - updated_at: - type: string - updated_by: - type: string - version: - type: string - required: - - id - - name - - namespace - - is_protected - - status - - updated_at - - updated_by - - revision + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number required: - - item + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No agent policy was found with the given ID + value: + error: Not Found + message: Agent policy not found + statusCode: 404 + description: Not Found + summary: Get outputs for an agent policy + tags: + - Elastic Agent policies + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agent_policies/delete: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agent_policies/delete
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all. + operationId: post-fleet-agent-policies-delete + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + postDeleteAgentPolicyRequestExample: + description: Delete an agent policy by ID + value: + agentPolicyId: agent-policy-id-1 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_delete_agent_policy_request' + responses: + '200': + content: + application/json: + examples: + postDeleteAgentPolicyExample: + description: The agent policy was successfully deleted + value: + id: agent-policy-id-1 + name: My agent policy + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_delete_agent_policy_response' description: Successful response '400': content: @@ -36443,88 +32259,63 @@ paths: - message - attributes description: Bad Request - summary: Update an agent policy + summary: Delete an agent policy tags: - Elastic Agent policies x-metaTags: - content: Kibana name: product_name - /api/fleet/agent_policies/{agentPolicyId}/auto_upgrade_agents_status: - get: + /api/fleet/agent_policies/outputs: + post: description: |- **Spaces method and path for this operation:** -
get /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/auto_upgrade_agents_status
+
post /s/{space_id}/api/fleet/agent_policies/outputs
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Get the auto-upgrade status for agents assigned to an agent policy.

[Required authorization] Route required privileges: fleet-agents-read. - operationId: get-fleet-agent-policies-agentpolicyid-auto-upgrade-agents-status + Get a list of outputs associated with agent policies.

[Required authorization] Route required privileges: fleet-agent-policies-read AND fleet-settings-read. + operationId: post-fleet-agent-policies-outputs parameters: - - description: The ID of the agent policy - in: path - name: agentPolicyId + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: + example: 'true' type: string + requestBody: + content: + application/json: + examples: + postListAgentPolicyOutputsRequestExample: + description: Get outputs for multiple agent policies + value: + ids: + - agent-policy-id-1 + - agent-policy-id-2 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_list_agent_policy_outputs_request' responses: '200': content: application/json: examples: - getAutoUpgradeAgentsStatusExample: - description: Auto-upgrade status for agents in the policy + postListAgentPolicyOutputsExample: + description: Outputs associated with the requested agent policies value: - agentsCount: 5 - currentVersion: 8.16.0 - failedAgentsCount: 0 - upgradedAgentsCount: 3 - upgradingAgentsCount: 1 - schema: - additionalProperties: false - type: object - properties: - currentVersions: items: - additionalProperties: false - type: object - properties: - agents: - description: Number of agents that upgraded to this version - type: number - failedUpgradeActionIds: - description: List of action IDs related to failed upgrades - items: - type: string - maxItems: 1000 - type: array - failedUpgradeAgents: - description: Number of agents that failed to upgrade to this version - type: number - inProgressUpgradeActionIds: - description: List of action IDs related to in-progress upgrades - items: - type: string - maxItems: 1000 - type: array - inProgressUpgradeAgents: - description: Number of agents that are upgrading to this version - type: number - version: - description: Agent version - type: string - required: - - version - - agents - - failedUpgradeAgents - - inProgressUpgradeAgents - maxItems: 10000 - 
type: array - totalAgents: - type: number - required: - - currentVersions - - totalAgents + - agent_policy_id: agent-policy-id-1 + data_output: + id: output-id-1 + name: Default output + type: elasticsearch + monitoring_output: + id: output-id-1 + name: Default output + type: elasticsearch + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_list_agent_policy_outputs_response' description: Successful response '400': content: @@ -36555,943 +32346,105 @@ paths: - message - attributes description: Bad Request - summary: Get auto upgrade agent status + summary: Get outputs for agent policies tags: - Elastic Agent policies x-metaTags: - content: Kibana name: product_name - /api/fleet/agent_policies/{agentPolicyId}/copy: - post: + /api/fleet/agent_status: + get: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/copy
+
get /s/{space_id}/api/fleet/agent_status
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Copy an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all. - operationId: post-fleet-agent-policies-agentpolicyid-copy + Get a summary of agent statuses for a given agent policy. + operationId: get-fleet-agent-status parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true + - description: Filter by agent policy ID + in: query + name: policyId + required: false schema: - example: 'true' type: string - - description: The ID of the agent policy - in: path - name: agentPolicyId - required: true + - description: Filter by one or more agent policy IDs + in: query + name: policyIds + required: false schema: - type: string - - description: 'Format for the response: simplified or legacy' + items: + type: string + maxItems: 1000 + type: array + - description: A KQL query string to filter results in: query - name: format + name: kuery required: false schema: - enum: - - simplified - - legacy type: string - requestBody: - content: - application/json: - examples: - postCopyAgentPolicyRequestExample: - description: Copy an agent policy with a new name - value: - description: A copy of the original agent policy - name: Copy of my agent policy - schema: - additionalProperties: false - type: object - properties: - description: - type: string - name: - minLength: 1 - type: string - required: - - name responses: '200': content: application/json: examples: - postCopyAgentPolicyExample: - description: The copied agent policy + getAgentStatusExample: + description: Agent status summary for an agent policy value: - item: - description: A copy of the original agent policy - id: agent-policy-id-copy-1 - is_managed: false - is_protected: false - name: Copy of my agent policy - namespace: default - revision: 1 - status: active - updated_at: '2024-01-15T11:00:00.000Z' - updated_by: user1 - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false + results: + 
error: 1 + offline: 2 + online: 5 + other: 0 + updating: 0 + totalInactive: 0 + schema: + additionalProperties: false + type: object + properties: + results: + additionalProperties: false type: object properties: - advanced_settings: - additionalProperties: false - type: object - properties: - agent_download_target_directory: - nullable: true - agent_download_timeout: - nullable: true - agent_features_disable_policy_change_acks_enabled: - nullable: true - agent_internal: - nullable: true - agent_limits_go_max_procs: - nullable: true - agent_logging_files_interval: - nullable: true - agent_logging_files_keepfiles: - nullable: true - agent_logging_files_rotateeverybytes: - nullable: true - agent_logging_level: - nullable: true - agent_logging_metrics_period: - nullable: true - agent_logging_to_files: - nullable: true - agent_monitoring_runtime_experimental: - nullable: true - agent_features: - items: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - name: - type: string - required: - - name - - enabled - maxItems: 100 - type: array - agentless: - additionalProperties: false - type: object - properties: - cloud_connectors: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - target_csp: - enum: - - aws - - azure - - gcp - type: string - required: - - enabled - cluster_id: - type: string - resources: - additionalProperties: false - type: object - properties: - requests: - additionalProperties: false - type: object - properties: - cpu: - type: string - memory: - type: string - agents: + active: type: number - agents_per_version: - items: - additionalProperties: false - type: object - properties: - count: - type: number - version: - type: string - required: - - version - - count - maxItems: 1000 - type: array - created_at: - type: string - data_output_id: - nullable: true - type: string - description: - type: string - download_source_id: - nullable: true - type: string - fips_agents: + all: type: 
number - fleet_server_host_id: - nullable: true - type: string - global_data_tags: - description: User defined data tags that are added to all of the inputs. The values can be strings or numbers. - items: - additionalProperties: false - type: object - properties: - name: - type: string - value: - anyOf: - - type: string - - type: number - required: - - name - - value - maxItems: 100 - type: array - has_agent_version_conditions: - type: boolean - has_fleet_server: - type: boolean - id: - type: string - inactivity_timeout: - default: 1209600 - minimum: 0 + error: type: number - is_default: - type: boolean - is_default_fleet_server: - type: boolean - is_managed: - type: boolean - is_preconfigured: - type: boolean - is_protected: - description: Indicates whether the agent policy has tamper protection enabled. Default false. - type: boolean - is_verifier: - type: boolean - keep_monitoring_alive: - default: false - description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled - nullable: true - type: boolean - min_agent_version: - nullable: true - type: string - monitoring_diagnostics: - additionalProperties: false - type: object - properties: - limit: - additionalProperties: false - type: object - properties: - burst: - type: number - interval: - type: string - uploader: - additionalProperties: false - type: object - properties: - init_dur: - type: string - max_dur: - type: string - max_retries: - type: number - monitoring_enabled: - items: - enum: - - logs - - metrics - - traces - type: string - maxItems: 3 - type: array - monitoring_http: - additionalProperties: false - type: object - properties: - buffer: - additionalProperties: false - type: object - properties: - enabled: - default: false - type: boolean - enabled: - type: boolean - host: - type: string - port: - maximum: 65353 - minimum: 0 - type: number - monitoring_output_id: - nullable: true - type: string - monitoring_pprof_enabled: - type: boolean - name: - minLength: 
1 - type: string - namespace: - minLength: 1 - type: string - overrides: - additionalProperties: - nullable: true - description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure. - nullable: true - type: object - package_agent_version_conditions: - items: - additionalProperties: false - type: object - properties: - name: - type: string - title: - type: string - version_condition: - type: string - required: - - name - - title - - version_condition - maxItems: 1000 - nullable: true - type: array - package_policies: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - description: This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter - items: - additionalProperties: false - type: object - properties: - additional_datastreams_permissions: - description: Additional datastream permissions, that will be added to the agent policy. - items: - type: string - maxItems: 1000 - nullable: true - type: array - agents: - type: number - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. - nullable: true - type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. - maxLength: 255 - minLength: 1 - nullable: true - type: string - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this integration to its inputs.' 
- type: string - created_at: - type: string - created_by: - type: string - description: - description: Package policy description - type: string - elasticsearch: - additionalProperties: true - type: object - properties: - privileges: - additionalProperties: true - type: object - properties: - cluster: - items: - type: string - maxItems: 100 - type: array - enabled: - type: boolean - global_data_tags: - items: - additionalProperties: false - type: object - properties: - name: - description: The name of the custom field. Cannot contain spaces. - type: string - value: - anyOf: - - type: string - - type: number - description: The value of the custom field. - required: - - name - - value - maxItems: 100 - nullable: true - type: array - id: - description: Package policy unique identifier. - type: string - inputs: - anyOf: - - items: - additionalProperties: false - type: object - properties: - compiled_input: - nullable: true - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' - type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' 
- type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - enabled - - data_stream - - compiled_stream - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. 
- type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - type - - enabled - - streams - - compiled_input - maxItems: 100 - type: array - - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' - type: string - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that input. Defaults to `true` (enabled). - type: boolean - streams: - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' - type: string - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that stream. Defaults to `true` (enabled). - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. 
- type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Input streams. Refer to the integration documentation to know which streams are available. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Package policy inputs. Refer to the integration documentation to know which inputs are available. - type: object - x-oas-optional: true - description: Package policy inputs. - is_managed: - type: boolean - name: - description: Unique name for the package policy. - type: string - namespace: - description: The package policy namespace. Leave blank to inherit the agent policy's namespace. - type: string - output_id: - nullable: true - type: string - overrides: - additionalProperties: false - description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. 
- nullable: true - type: object - properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - - version - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. - nullable: true - type: string - policy_ids: - items: - description: IDs of the agent policies which that package policy will be added to. - type: string - maxItems: 1000 - type: array - revision: - description: Package policy revision. - type: number - secret_references: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 1000 - type: array - spaceIds: - items: - type: string - maxItems: 100 - type: array - supports_agentless: - default: false - description: Indicates whether the package policy belongs to an agentless agent policy. - nullable: true - type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. - nullable: true - type: boolean - updated_at: - type: string - updated_by: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. 
Maps var_group name to the selected option name within that group. - type: object - vars: - anyOf: - - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - x-oas-optional: true - description: Package level variable. - version: - description: Package policy ES version. - type: string - required: - - name - - enabled - - inputs - - id - - revision - - updated_at - - updated_by - - created_at - - created_by - maxItems: 10000 - type: array - required_versions: - items: - additionalProperties: false - type: object - properties: - percentage: - description: Target percentage of agents to auto upgrade - maximum: 100 - minimum: 0 - type: number - version: - description: Target version for automatic agent upgrade - type: string - required: - - version - - percentage - maxItems: 100 - nullable: true - type: array - revision: + events: type: number - schema_version: - type: string - space_ids: - items: - type: string - maxItems: 100 - type: array - status: - enum: - - active - - inactive - type: string - supports_agentless: - default: false - description: Indicates whether the agent policy supports agentless integrations. 
- nullable: true - type: boolean - unenroll_timeout: - minimum: 0 + inactive: type: number - unprivileged_agents: + offline: + type: number + online: + type: number + orphaned: + type: number + other: + type: number + unenrolled: + type: number + uninstalled: + type: number + updating: type: number - updated_at: - type: string - updated_by: - type: string - version: - type: string required: - - id - - name - - namespace - - is_protected - - status - - updated_at - - updated_by - - revision + - events + - online + - error + - offline + - other + - updating + - inactive + - unenrolled + - all + - active required: - - item + - results description: Successful response '400': content: @@ -37522,66 +32475,93 @@ paths: - message - attributes description: Bad Request - summary: Copy an agent policy + summary: Get an agent status summary tags: - - Elastic Agent policies + - Elastic Agent status x-metaTags: - content: Kibana name: product_name - /api/fleet/agent_policies/{agentPolicyId}/download: + /api/fleet/agent_status/data: get: description: |- **Spaces method and path for this operation:** -
get /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/download
+
get /s/{space_id}/api/fleet/agent_status/data
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Download an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-setup. - operationId: get-fleet-agent-policies-agentpolicyid-download + Get the data streams that an agent is actively sending data to.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agent-status-data parameters: - - description: The ID of the agent policy - in: path - name: agentPolicyId + - description: Agent IDs to check data for, as an array or comma-separated string + in: query + name: agentsIds required: true schema: - type: string - - description: If true, returns the policy as a downloadable file + items: + type: string + maxItems: 10000 + type: array + - description: Filter by integration package name in: query - name: download + name: pkgName required: false schema: - type: boolean - - description: If true, returns the policy formatted for standalone agents + type: string + - description: Filter by integration package version in: query - name: standalone + name: pkgVersion required: false schema: - type: boolean - - description: If true, returns the policy formatted for Kubernetes deployment + type: string + - description: When true, return a preview of the ingested data in: query - name: kubernetes + name: previewData required: false schema: + default: false type: boolean - - description: If provided, returns the policy at the specified revision. Cannot be used with standalone or kubernetes flags. 
- in: query - name: revision - required: false - schema: - type: number responses: '200': content: application/json: examples: - getDownloadAgentPolicyExample: - description: The agent policy download response + getAgentDataExample: + description: Data streams the agent is actively sending data to value: - item: 'id: agent-policy-id-1\nrevision: 1\noutputs:\n default:\n type: elasticsearch\n hosts:\n - https://elasticsearch.example.com:9200\n' + items: + - data: + logs-nginx.access-default: + - id: agent-id-1 + name: my-host + total: 1 + totalMonitoring: 0 schema: - type: string - description: Successful response — returns the agent policy as a YAML file download + additionalProperties: false + type: object + properties: + dataPreview: + items: + nullable: true + maxItems: 10000 + type: array + items: + items: + additionalProperties: + additionalProperties: false + type: object + properties: + data: + type: boolean + required: + - data + type: object + maxItems: 10000 + type: array + required: + - items + - dataPreview + description: Successful response '400': content: application/json: 
@@ -37611,619 +32591,790 @@ paths: - message - attributes description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No agent policy was found with the given ID - value: - error: Not Found - message: Agent policy not found - statusCode: 404 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Not Found - summary: Download an agent policy + summary: Get incoming agent data tags: - - Elastic Agent policies + - Elastic Agents x-metaTags: - content: Kibana name: product_name - /api/fleet/agent_policies/{agentPolicyId}/full: - get: + /api/fleet/agentless_policies: + post: description: |- **Spaces method and path for this operation:** -
get /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/full
+
post /s/{space_id}/api/fleet/agentless_policies
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Get a full agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read. - operationId: get-fleet-agent-policies-agentpolicyid-full + Create an agentless policy + operationId: post-fleet-agentless-policies parameters: - - description: The ID of the agent policy - in: path - name: agentPolicyId + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: + example: 'true' type: string - - description: If true, returns the policy as a downloadable file - in: query - name: download - required: false - schema: - type: boolean - - description: If true, returns the policy formatted for standalone agents - in: query - name: standalone - required: false - schema: - type: boolean - - description: If true, returns the policy formatted for Kubernetes deployment - in: query - name: kubernetes - required: false - schema: - type: boolean - - description: If provided, returns the policy at the specified revision. Cannot be used with standalone or kubernetes flags. + - description: The format of the response package policy. 
in: query - name: revision + name: format required: false schema: - type: number + default: simplified + enum: + - legacy + - simplified + type: string + requestBody: + content: + application/json: + examples: + createAgentlessPoliciesRequestExample: + description: Example request to create agentless policies + value: + description: test + inputs: + ESS Billing-cel: + enabled: true + streams: + ess_billing.billing: + enabled: true + vars: + hide_sensitive: true + http_client_timeout: 30s + lookbehind: 365 + tags: + - forwarded + - billing + ess_billing.credits: + enabled: false + vars: + api_key: + organization_id: '1234' + name: ess_billing-1 + namespace: default + package: + name: ess_billing + version: 1.6.0 + createAgentlessPoliciesReuseAWSCloudConnectorExample: + description: Example request to create agentless policy reusing an existing AWS cloud connector + value: + cloud_connector: + cloud_connector_id: existing-aws-connector-id + target_csp: aws + description: CSPM integration for AWS reusing existing cloud connector + inputs: + cspm-cloudbeat/cis_aws: + enabled: true + streams: + cloud_security_posture.findings: + enabled: true + vars: + aws.account_type: organization-account + aws.credentials.type: cloud_connector + aws.supports_cloud_connectors: true + external_id: + id: ABCDEFGHIJKLMNOPQRST + isSecretRef: true + role_arn: arn:aws:iam::123456789012:role/TestRole + vars: + cloud_formation_template: https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https://elastic-cspm-cft.s3.eu-central-1.amazonaws.com/cloudformation-cspm-ACCOUNT_TYPE-9.2.0.yml + cspm-cloudbeat/cis_azure: + enabled: false + cspm-cloudbeat/cis_gcp: + enabled: false + name: cspm-aws-reuse-policy + namespace: default + package: + name: cloud_security_posture + version: 3.1.1 + vars: + deployment: aws + posture: cspm + createAgentlessPoliciesWithAWSCloudConnectorExample: + description: Example request to create agentless policy with AWS cloud connector + 
value: + cloud_connector: + target_csp: aws + description: CSPM integration for AWS with cloud connector + inputs: + cspm-cloudbeat/cis_aws: + enabled: true + streams: + cloud_security_posture.findings: + enabled: true + vars: + aws.account_type: organization-account + aws.credentials.type: cloud_connector + aws.supports_cloud_connectors: true + external_id: + id: ABCDEFGHIJKLMNOPQRST + isSecretRef: true + role_arn: arn:aws:iam::123456789012:role/TestRole + vars: + cloud_formation_template: https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https://elastic-cspm-cft.s3.eu-central-1.amazonaws.com/cloudformation-cspm-ACCOUNT_TYPE-9.2.0.yml + cspm-cloudbeat/cis_azure: + enabled: false + cspm-cloudbeat/cis_gcp: + enabled: false + name: cspm-aws-policy + namespace: default + package: + name: cloud_security_posture + version: 3.1.1 + vars: + deployment: aws + posture: cspm + createAgentlessPoliciesWithAzureCloudConnectorExample: + description: Example request to create agentless policy with Azure cloud connector + value: + cloud_connector: + target_csp: azure + description: CSPM integration for Azure with cloud connector + inputs: + cspm-cloudbeat/cis_aws: + enabled: false + cspm-cloudbeat/cis_azure: + enabled: true + streams: + cloud_security_posture.findings: + enabled: true + vars: + azure_credentials_cloud_connector_id: + type: text + value: existing-azure-credentials-connector-id + azure.account_type: organization-account + client_id: + id: client-secret-id + isSecretRef: true + tenant_id: + id: tenant-secret-id + isSecretRef: true + cspm-cloudbeat/cis_gcp: + enabled: false + name: cspm-azure-policy + namespace: default + package: + name: cloud_security_posture + version: 3.1.1 + vars: + deployment: azure + posture: cspm + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_simplified_create_package_policy_request' responses: '200': content: application/json: examples: - getFullAgentPolicyExample: - description: The full agent 
policy configuration + createAgentlessPoliciesResponseExample: + description: Example response showing the successful result of communication initialisation over MCP protocol value: item: - agent: - monitoring: - logs: true - metrics: true - id: agent-policy-id-1 - inputs: [] - outputs: - default: - hosts: - - https://elasticsearch.example.com:9200 - type: elasticsearch + created_at: '2025-11-06T18:27:43.541Z' + created_by: test_user + description: test + enabled: true + id: d52a7812-5736-4fdc-aed8-72152afa1ffa + inputs: + ESS Billing-cel: + enabled: true + streams: + ess_billing.billing: + enabled: true + vars: + hide_sensitive: true + http_client_timeout: 30s + lookbehind: 365 + tags: + - forwarded + - billing + ess_billing.credits: + enabled: false + vars: + api_key: + id: QY1sWpoBbWcMW-edr0Ee + isSecretRef: true + organization_id: '1234' + url: https://billing.elastic-cloud.com + name: ess_billing-1 + namespace: default + package: + name: ess_billing + title: Elasticsearch Service Billing + version: 1.6.0 + revision: 1 + secret_references: + - id: QY1sWpoBbWcMW-edr0Ee + supports_agentless: true + updated_at: '2025-11-06T18:27:43.541Z' + updated_by: test_user + version: WzE0OTgsMV0= + createAgentlessPoliciesWithAWSCloudConnectorResponseExample: + description: Example response for AWS cloud connector integration + value: + item: + cloud_connector_id: aws-connector-67890 + created_at: '2025-11-06T18:27:43.541Z' + created_by: test_user + description: CSPM integration for AWS with cloud connector + enabled: true + id: aws-policy-12345 + inputs: + cspm-cloudbeat/cis_aws: + enabled: true + streams: + cloud_security_posture.findings: + enabled: true + vars: + aws.account_type: organization-account + aws.credentials.type: cloud_connector + external_id: + id: secret-external-id-123 + isSecretRef: true + role_arn: arn:aws:iam::123456789012:role/TestRole + vars: + cloud_formation_template: 
https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https://elastic-cspm-cft.s3.eu-central-1.amazonaws.com/cloudformation-cspm-ACCOUNT_TYPE-9.2.0.yml + cspm-cloudbeat/cis_azure: + enabled: false + cspm-cloudbeat/cis_gcp: + enabled: false + name: cspm-aws-policy + namespace: default + package: + name: cloud_security_posture + title: Cloud Security Posture Management + version: 3.1.1 + revision: 1 + secret_references: + - id: secret-external-id-123 + supports_agentless: true + supports_cloud_connector: true + updated_at: '2025-11-06T18:27:43.541Z' + updated_by: test_user + vars: + deployment: aws + posture: cspm + version: WzE0OTgsMV0= + createAgentlessPoliciesWithAzureCloudConnectorResponseExample: + description: Example response for Azure cloud connector integration + value: + item: + cloud_connector_id: azure-connector-67890 + created_at: '2025-11-06T18:27:43.541Z' + created_by: test_user + description: CSPM integration for Azure with cloud connector + enabled: true + id: azure-policy-12345 + inputs: + cspm-cloudbeat/cis_aws: + enabled: false + cspm-cloudbeat/cis_azure: + enabled: true + streams: + cloud_security_posture.findings: + enabled: true + vars: + azure_credentials_cloud_connector_id: + type: text + value: existing-azure-credentials-connector-id + azure.account_type: organization-account + client_id: + id: client-secret-id-456 + isSecretRef: true + tenant_id: + id: tenant-secret-id-123 + isSecretRef: true + cspm-cloudbeat/cis_gcp: + enabled: false + name: cspm-azure-policy + namespace: default + package: + name: cloud_security_posture + title: Cloud Security Posture Management + version: 3.1.1 revision: 1 + secret_references: + - id: tenant-secret-id-123 + - id: client-secret-id-456 + supports_agentless: true + supports_cloud_connector: true + updated_at: '2025-11-06T18:27:43.541Z' + updated_by: test_user + vars: + deployment: azure + posture: cspm + version: WzE0OTgsMV0= schema: additionalProperties: false type: object 
properties: item: - anyOf: - - type: string - - additionalProperties: false + additionalProperties: false + description: The created agentless package policy. + type: object + properties: + additional_datastreams_permissions: + description: Additional datastream permissions, that will be added to the agent policy. + items: + type: string + maxItems: 1000 + nullable: true + type: array + agents: + type: number + cloud_connector_id: + description: ID of the cloud connector associated with this package policy. + nullable: true + type: string + cloud_connector_name: + description: Transient field for cloud connector name during creation. + maxLength: 255 + minLength: 1 + nullable: true + type: string + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this integration to its inputs.' + type: string + created_at: + type: string + created_by: + type: string + description: + description: Package policy description + type: string + elasticsearch: + additionalProperties: true type: object properties: - agent: - additionalProperties: false + privileges: + additionalProperties: true type: object properties: - download: - additionalProperties: false - type: object - properties: - auth: - additionalProperties: false - type: object - properties: - api_key: - type: string - headers: - items: - additionalProperties: false - type: object - properties: - key: - type: string - value: - type: string - required: - - key - - value - maxItems: 100 - type: array - password: - type: string - username: - type: string - proxy_headers: - additionalProperties: - anyOf: - - type: string - - type: boolean - - type: number - nullable: true - type: object - proxy_url: - type: string - secrets: - additionalProperties: true - type: object - properties: - ssl: - additionalProperties: true - type: object - properties: - key: - additionalProperties: true - type: object - properties: - id: - type: string - required: - - key - sourceURI: - type: string - 
ssl: - additionalProperties: false - type: object - properties: - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - key: - type: string - renegotiation: - type: string - verification_mode: - type: string - target_directory: - type: string - timeout: - type: string - required: - - sourceURI - features: - additionalProperties: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - required: - - enabled - type: object - internal: - nullable: true - limits: - additionalProperties: false - type: object - properties: - go_max_procs: - type: number - logging: - additionalProperties: false - type: object - properties: - files: - additionalProperties: false - type: object - properties: - interval: - type: string - keepfiles: - type: number - rotateeverybytes: - type: number - level: - type: string - metrics: - additionalProperties: false - type: object - properties: - period: - type: string - to_files: - type: boolean - monitoring: - additionalProperties: false - type: object - properties: - _runtime_experimental: - type: string - apm: - nullable: true - diagnostics: - additionalProperties: false - type: object - properties: - limit: - additionalProperties: false - type: object - properties: - burst: - type: number - interval: - type: string - uploader: - additionalProperties: false - type: object - properties: - init_dur: - type: string - max_dur: - type: string - max_retries: - type: number - enabled: - type: boolean - http: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - host: - type: string - port: - type: number - logs: - type: boolean - metrics: - type: boolean - namespace: - type: string - pprof: + cluster: + items: + type: string + maxItems: 100 + type: array + enabled: + type: boolean + global_data_tags: + items: + additionalProperties: false + type: object + properties: + name: + description: The name of the custom field. 
Cannot contain spaces. + type: string + value: + anyOf: + - type: string + - type: number + description: The value of the custom field. + required: + - name + - value + maxItems: 100 + nullable: true + type: array + id: + description: Package policy unique identifier. + type: string + inputs: + anyOf: + - items: + additionalProperties: false + type: object + properties: + compiled_input: + nullable: true + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' + type: string + config: + additionalProperties: additionalProperties: false type: object properties: - enabled: + frozen: type: boolean - required: - - enabled - traces: - type: boolean - use_output: - type: string - required: - - enabled - - metrics - - logs - - traces - - apm - protection: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - signing_key: - type: string - uninstall_token_hash: - type: string - required: - - enabled - - uninstall_token_hash - - signing_key - required: - - monitoring - - download - - features - - internal - connectors: - additionalProperties: - nullable: true - type: object - exporters: - additionalProperties: - nullable: true - type: object - extensions: - additionalProperties: - nullable: true - type: object - fleet: - anyOf: - - additionalProperties: false - type: object - properties: - hosts: - items: - type: string - maxItems: 100 - type: array - proxy_headers: - additionalProperties: - anyOf: - - type: string - - type: boolean - - type: number - nullable: true - type: object - proxy_url: - type: string - secrets: - additionalProperties: true - type: object - properties: - ssl: - additionalProperties: true - type: object - properties: - key: - additionalProperties: true - type: object - properties: - id: - type: string - required: - - key - ssl: - additionalProperties: false - type: object - properties: - certificate: - type: string - certificate_authorities: - items: - type: 
string - maxItems: 10 - type: array - key: - type: string - renegotiation: - type: string - verification_mode: - type: string - required: - - hosts - - additionalProperties: false - type: object - properties: - kibana: - additionalProperties: false - type: object - properties: - hosts: - items: - type: string - maxItems: 100 - type: array - path: - type: string - protocol: + type: type: string + value: + nullable: true required: - - hosts - - protocol - required: - - kibana - id: - type: string - inputs: - items: - additionalProperties: true - type: object - properties: - data_stream: - additionalProperties: true + - value + description: Package variable (see integration documentation for more information) type: object - properties: - namespace: - type: string - required: - - namespace + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + type: boolean id: type: string - meta: - additionalProperties: true - type: object - properties: - package: - additionalProperties: true - type: object - properties: - name: - type: string - version: - type: string - required: - - name - - version + keep_enabled: + type: boolean + migrate_from: + type: string name: type: string - package_policy_id: + policy_template: type: string - processors: - items: - additionalProperties: true - type: object - properties: - add_fields: - additionalProperties: true - type: object - properties: - fields: - additionalProperties: - anyOf: - - type: string - - type: number - type: object - target: - type: string - required: - - target - - fields - required: - - add_fields - maxItems: 10000 - type: array - revision: - type: number streams: items: - additionalProperties: true + additionalProperties: false type: object properties: + compiled_stream: + nullable: true + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' 
+ type: string + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object data_stream: - additionalProperties: true + additionalProperties: false type: object properties: dataset: type: string + elasticsearch: + additionalProperties: false + type: object + properties: + dynamic_dataset: + type: boolean + dynamic_namespace: + type: boolean + privileges: + additionalProperties: false + type: object + properties: + indices: + items: + type: string + maxItems: 100 + type: array type: type: string required: - dataset + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + type: boolean id: type: string + keep_enabled: + type: boolean + migrate_from: + type: string + release: + enum: + - ga + - beta + - experimental + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object required: - - id + - enabled - data_stream - maxItems: 10000 + - compiled_stream + - deprecated + maxItems: 1000 type: array type: type: string - use_output: - type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. 
+ type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object required: - - id - - name - - revision - type - - data_stream - - use_output - - package_policy_id - maxItems: 10000 - type: array - namespaces: - items: - type: string + - enabled + - streams + - deprecated + - compiled_input maxItems: 100 type: array - output_permissions: - additionalProperties: - additionalProperties: - nullable: true - type: object - type: object - outputs: - additionalProperties: - additionalProperties: true + - additionalProperties: + additionalProperties: false type: object properties: - ca_sha256: - nullable: true + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' type: string - hosts: - items: - type: string - maxItems: 100 - type: array - proxy_headers: + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + description: Enable or disable that input. Defaults to `true` (enabled). + type: boolean + streams: + additionalProperties: + additionalProperties: false + type: object + properties: + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' + type: string + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + description: Enable or disable that stream. Defaults to `true` (enabled). + type: boolean + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. 
+ type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + required: + - deprecated + description: Input streams. Refer to the integration documentation to know which streams are available. + type: object + vars: additionalProperties: anyOf: - type: string - - type: boolean - type: number - nullable: true + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. type: object - proxy_url: - type: string - type: - type: string required: - - type - type: object - processors: - additionalProperties: - nullable: true + - deprecated + description: Package policy inputs. Refer to the integration documentation to know which inputs are available. type: object - receivers: + x-oas-optional: true + description: Package policy inputs. + is_managed: + type: boolean + name: + description: Unique name for the package policy. + type: string + namespace: + description: The package policy namespace. Leave blank to inherit the agent policy's namespace. + type: string + output_id: + nullable: true + type: string + overrides: + additionalProperties: false + description: Override settings that are defined in the package policy. 
The override option should be used only in unusual circumstances and not as a routine procedure. + nullable: true + type: object + properties: + inputs: additionalProperties: nullable: true type: object - revision: - type: number - secret_references: - items: + package: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_package' + package_agent_version_condition: + type: string + policy_id: + deprecated: true + description: ID of the agent policy which the package policy will be added to. + nullable: true + type: string + policy_ids: + items: + description: IDs of the agent policies which that package policy will be added to. + type: string + maxItems: 1000 + type: array + revision: + description: Package policy revision. + type: number + secret_references: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 1000 + type: array + spaceIds: + items: + type: string + maxItems: 100 + type: array + supports_agentless: + default: false + description: Indicates whether the package policy belongs to an agentless agent policy. + nullable: true + type: boolean + supports_cloud_connector: + default: false + description: Indicates whether the package policy supports cloud connectors. + nullable: true + type: boolean + updated_at: + type: string + updated_by: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. 
+ type: object + vars: + anyOf: + - additionalProperties: additionalProperties: false type: object properties: - id: + frozen: + type: boolean + type: type: string + value: + nullable: true required: - - id - maxItems: 10000 - type: array - service: - additionalProperties: false + - value + description: Package variable (see integration documentation for more information) type: object - properties: - extensions: - items: - type: string - maxItems: 1000 - type: array - pipelines: - additionalProperties: - additionalProperties: false + - additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false type: object properties: - exporters: - items: - type: string - maxItems: 1000 - type: array - processors: - items: - type: string - maxItems: 1000 - type: array - receivers: - items: - type: string - maxItems: 1000 - type: array - x-oas-optional: true - type: object - signed: - additionalProperties: false + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. type: object - properties: - data: - type: string - signature: - type: string - required: - - data - - signature - required: - - id - - outputs - - inputs + x-oas-optional: true + description: Package level variable. + version: + description: Package policy ES version. + type: string + required: + - name + - enabled + - package + - inputs + - id + - revision + - updated_at + - updated_by + - created_at + - created_by required: - item - description: Successful response + description: Indicates a successful response '400': content: application/json: 
@@ -38253,133 +33404,16 @@ paths: - message - attributes description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No agent policy was found with the given ID - value: - error: Not Found - message: Agent policy not found - statusCode: 404 - description: Not Found - summary: Get a full agent policy - tags: - - Elastic Agent policies - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/agent_policies/{agentPolicyId}/outputs: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/outputs
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a list of outputs associated with agent policy by policy id.

[Required authorization] Route required privileges: fleet-agent-policies-read AND fleet-settings-read. - operationId: get-fleet-agent-policies-agentpolicyid-outputs - parameters: - - description: The ID of the agent policy - in: path - name: agentPolicyId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getAgentPolicyOutputsExample: - description: Outputs associated with the agent policy - value: - item: - data_output: - id: output-id-1 - name: Default output - type: elasticsearch - monitoring_output: - id: output-id-1 - name: Default output - type: elasticsearch - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - agentPolicyId: - type: string - data: - additionalProperties: false - type: object - properties: - integrations: - items: - additionalProperties: false - type: object - properties: - id: - type: string - integrationPolicyName: - type: string - name: - type: string - pkgName: - type: string - maxItems: 1000 - type: array - output: - additionalProperties: false - type: object - properties: - id: - type: string - name: - type: string - required: - - id - - name - required: - - output - monitoring: - additionalProperties: false - type: object - properties: - output: - additionalProperties: false - type: object - properties: - id: - type: string - name: - type: string - required: - - id - - name - required: - - output - required: - - monitoring - - data - required: - - item - description: Successful response - '400': + '409': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + conflictErrorResponseExample: + description: Example of a conflict error response value: - error: Bad Request + error: Conflict message: An error message describing what went wrong - statusCode: 400 + statusCode: 409 schema: additionalProperties: false description: Generic 
Error @@ -38398,35 +33432,25 @@ paths: required: - message - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No agent policy was found with the given ID - value: - error: Not Found - message: Agent policy not found - statusCode: 404 - description: Not Found - summary: Get outputs for an agent policy + description: Conflict + summary: Create an agentless policy tags: - - Elastic Agent policies + - Fleet agentless policies + x-state: Technical Preview; added in 9.3.0 x-metaTags: - content: Kibana name: product_name - /api/fleet/agent_policies/delete: - post: + /api/fleet/agentless_policies/{policyId}: + delete: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/agent_policies/delete
+
delete /s/{space_id}/api/fleet/agentless_policies/{policyId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Delete an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all. - operationId: post-fleet-agent-policies-delete + Delete an agentless policy + operationId: delete-fleet-agentless-policies-policyid parameters: - description: A required header to protect against CSRF attacks in: header @@ -38435,48 +33459,39 @@ paths: schema: example: 'true' type: string - requestBody: - content: - application/json: - examples: - postDeleteAgentPolicyRequestExample: - description: Delete an agent policy by ID - value: - agentPolicyId: agent-policy-id-1 - schema: - additionalProperties: false - type: object - properties: - agentPolicyId: - description: The ID of the agent policy - type: string - force: - description: bypass validation checks that can prevent agent policy deletion - type: boolean - required: - - agentPolicyId + - description: The ID of the policy to delete. + in: path + name: policyId + required: true + schema: + type: string + - description: Force delete the policy even if the policy is managed. + in: query + name: force + required: false + schema: + type: boolean responses: '200': content: application/json: examples: - postDeleteAgentPolicyExample: - description: The agent policy was successfully deleted + createAgentlessPoliciesResponseExample: + description: Example response showing the successful result of communication initialisation over MCP protocol value: - id: agent-policy-id-1 - name: My agent policy + item: + id: d52a7812-5736-4fdc-aed8-72152afa1ffa schema: additionalProperties: false + description: Response for deleting an agentless package policy. type: object properties: id: - type: string - name: + description: The ID of the deleted agentless package policy. type: string required: - id - - name - description: Successful response + description: Indicates a successful response '400': content: application/json: 
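Review bot: The new `delete /api/fleet/agentless_policies/{policyId}` operation's description ends at "Delete an agentless policy" with no "[Required authorization] Route required privileges: …" line, while the agent-policy operations being removed in the same hunk each document theirs (for example `fleet-agent-policies-all` for the delete route). If this bundle is generated from the route definitions, the missing line suggests the agentless route either lacks `security.authz.requiredPrivileges` or has it disabled — worth confirming at the route, since a delete of a managed policy with a `force` bypass should not be weaker than the equivalent agent-policy delete. Whatever the route enforces, the description should state it in the same form as the others, e.g. `[Required authorization] Route required privileges: <privileges the route enforces>.` The same gap likely applies to the sibling create operation, whose description begins outside this hunk.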
@@ -38506,149 +33521,16 @@ paths: - message - attributes description: Bad Request - summary: Delete an agent policy - tags: - - Elastic Agent policies - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/agent_policies/outputs: - post: - description: |- - **Spaces method and path for this operation:** - -
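Review bot: The 200 response example for the delete operation is keyed `createAgentlessPoliciesResponseExample` and described as "Example response showing the successful result of communication initialisation over MCP protocol", which is copy-paste text unrelated to Fleet and contradicts the schema's own description "Response for deleting an agentless package policy." Rename the example and fix its description, e.g. `deleteAgentlessPolicyResponseExample:` / `description: The agentless policy was successfully deleted`. The `force` query parameter would also benefit from stating which safety check it bypasses beyond "even if the policy is managed", since callers deciding whether to pass it need to know what protection they are turning off; if the bundle is generated, both fixes belong in the route's example and parameter schema.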
post /s/{space_id}/api/fleet/agent_policies/outputs
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a list of outputs associated with agent policies.

[Required authorization] Route required privileges: fleet-agent-policies-read AND fleet-settings-read. - operationId: post-fleet-agent-policies-outputs - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postListAgentPolicyOutputsRequestExample: - description: Get outputs for multiple agent policies - value: - ids: - - agent-policy-id-1 - - agent-policy-id-2 - schema: - additionalProperties: false - type: object - properties: - ids: - description: list of package policy ids - items: - type: string - maxItems: 1000 - type: array - required: - - ids - responses: - '200': - content: - application/json: - examples: - postListAgentPolicyOutputsExample: - description: Outputs associated with the requested agent policies - value: - items: - - agent_policy_id: agent-policy-id-1 - data_output: - id: output-id-1 - name: Default output - type: elasticsearch - monitoring_output: - id: output-id-1 - name: Default output - type: elasticsearch - schema: - additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: false - type: object - properties: - agentPolicyId: - type: string - data: - additionalProperties: false - type: object - properties: - integrations: - items: - additionalProperties: false - type: object - properties: - id: - type: string - integrationPolicyName: - type: string - name: - type: string - pkgName: - type: string - maxItems: 1000 - type: array - output: - additionalProperties: false - type: object - properties: - id: - type: string - name: - type: string - required: - - id - - name - required: - - output - monitoring: - additionalProperties: false - type: object - properties: - output: - additionalProperties: false - type: object - properties: - id: - type: string - name: - type: string - required: - - id - - name - required: - - output - 
required: - - monitoring - - data - maxItems: 10000 - type: array - required: - - items - description: Successful response - '400': + '409': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + conflictErrorResponseExample: + description: Example of a conflict error response value: - error: Bad Request + error: Conflict message: An error message describing what went wrong - statusCode: 400 + statusCode: 409 schema: additionalProperties: false description: Generic Error @@ -38667,106 +33549,523 @@ paths: required: - message - attributes - description: Bad Request - summary: Get outputs for agent policies + description: Conflict + summary: Delete an agentless policy tags: - - Elastic Agent policies + - Fleet agentless policies + x-state: Technical Preview; added in 9.3.0 x-metaTags: - content: Kibana name: product_name - /api/fleet/agent_status: + /api/fleet/agents: get: description: |- **Spaces method and path for this operation:** -
get /s/{space_id}/api/fleet/agent_status
+
get /s/{space_id}/api/fleet/agents
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Get a summary of agent statuses for a given agent policy. - operationId: get-fleet-agent-status + List agents, with optional filtering and pagination.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agents parameters: - - description: Filter by agent policy ID + - description: Page number in: query - name: policyId + name: page required: false schema: - type: string - - description: Filter by one or more agent policy IDs + type: number + - description: Number of results per page in: query - name: policyIds + name: perPage required: false schema: - items: - type: string - maxItems: 1000 - type: array + default: 20 + type: number - description: A KQL query string to filter results in: query name: kuery required: false schema: type: string + - description: When true, include agentless agents in the results + in: query + name: showAgentless + required: false + schema: + default: true + type: boolean + - description: When true, include inactive agents in the results + in: query + name: showInactive + required: false + schema: + default: false + type: boolean + - description: When true, include CPU and memory metrics in the response + in: query + name: withMetrics + required: false + schema: + default: false + type: boolean + - description: When true, only return agents that are upgradeable + in: query + name: showUpgradeable + required: false + schema: + default: false + type: boolean + - description: When true, return a summary of agent statuses in the response + in: query + name: getStatusSummary + required: false + schema: + default: false + type: boolean + - description: Field to sort results by + in: query + name: sortField + required: false + schema: + type: string + - description: Sort order, ascending or descending + in: query + name: sortOrder + required: false + schema: + enum: + - asc + - desc + type: string + - description: JSON-encoded array of sort values for `search_after` pagination + in: query + name: searchAfter + required: false + schema: + type: string + - description: When true, opens a new point-in-time for pagination + in: query + name: openPit + 
required: false + schema: + type: boolean + - description: Point-in-time ID for pagination + in: query + name: pitId + required: false + schema: + type: string + - description: Duration to keep the point-in-time alive, for example, `1m` + in: query + name: pitKeepAlive + required: false + schema: + type: string responses: '200': content: application/json: examples: - getAgentStatusExample: - description: Agent status summary for an agent policy + getAgentsExample: + description: List of agents value: - results: - error: 1 - offline: 2 - online: 5 - other: 0 - updating: 0 - totalInactive: 0 + items: + - active: true + enrolled_at: '2024-01-01T00:00:00.000Z' + id: agent-id-1 + policy_id: agent-policy-id-1 + policy_revision: 1 + status: online + type: PERMANENT + updated_at: '2024-01-01T00:00:00.000Z' + page: 1 + perPage: 20 + total: 1 schema: additionalProperties: false type: object properties: - results: - additionalProperties: false + items: + items: + additionalProperties: false + type: object + properties: + access_api_key: + type: string + access_api_key_id: + type: string + active: + type: boolean + agent: + additionalProperties: true + type: object + properties: + id: + type: string + type: + type: string + version: + type: string + required: + - id + - version + audit_unenrolled_reason: + type: string + capabilities: + items: + type: string + maxItems: 100 + type: array + components: + items: + additionalProperties: false + type: object + properties: + id: + type: string + message: + type: string + status: + enum: + - STARTING + - CONFIGURING + - HEALTHY + - DEGRADED + - FAILED + - STOPPING + - STOPPED + type: string + type: + type: string + units: + items: + additionalProperties: false + type: object + properties: + id: + type: string + message: + type: string + payload: + additionalProperties: + nullable: true + type: object + status: + enum: + - STARTING + - CONFIGURING + - HEALTHY + - DEGRADED + - FAILED + - STOPPING + - STOPPED + type: string + type: + 
enum: + - input + - output + - '' + type: string + required: + - id + - type + - status + - message + maxItems: 10000 + type: array + required: + - id + - type + - status + - message + maxItems: 10000 + type: array + default_api_key: + type: string + default_api_key_history: + items: + additionalProperties: false + deprecated: true + type: object + properties: + id: + type: string + retired_at: + type: string + required: + - id + - retired_at + maxItems: 100 + type: array + default_api_key_id: + type: string + effective_config: + nullable: true + enrolled_at: + type: string + health: + additionalProperties: + nullable: true + type: object + id: + type: string + identifying_attributes: + additionalProperties: + type: string + type: object + last_checkin: + type: string + last_checkin_message: + type: string + last_checkin_status: + enum: + - error + - online + - degraded + - updating + - starting + - disconnected + type: string + last_known_status: + enum: + - offline + - error + - online + - inactive + - enrolling + - unenrolling + - unenrolled + - updating + - degraded + - uninstalled + - orphaned + type: string + local_metadata: + additionalProperties: + nullable: true + type: object + metrics: + additionalProperties: false + type: object + properties: + cpu_avg: + type: number + memory_size_byte_avg: + type: number + namespaces: + items: + type: string + maxItems: 100 + type: array + non_identifying_attributes: + additionalProperties: + type: string + type: object + outputs: + additionalProperties: + additionalProperties: false + type: object + properties: + api_key_id: + type: string + to_retire_api_key_ids: + items: + additionalProperties: false + type: object + properties: + id: + type: string + retired_at: + type: string + required: + - id + - retired_at + maxItems: 100 + type: array + type: + type: string + type: object + packages: + items: + type: string + maxItems: 10000 + type: array + policy_id: + type: string + policy_revision: + nullable: true + type: 
number + sequence_num: + type: number + signals: + items: + type: string + maxItems: 50 + type: array + sort: + items: + nullable: true + maxItems: 10 + type: array + status: + enum: + - offline + - error + - online + - inactive + - enrolling + - unenrolling + - unenrolled + - updating + - degraded + - uninstalled + - orphaned + type: string + tags: + items: + type: string + maxItems: 100 + type: array + type: + enum: + - PERMANENT + - EPHEMERAL + - TEMPORARY + - OPAMP + type: string + unenrolled_at: + type: string + unenrollment_started_at: + type: string + unhealthy_reason: + items: + enum: + - input + - output + - other + type: string + maxItems: 3 + nullable: true + type: array + upgrade: + additionalProperties: false + type: object + properties: + rollbacks: + items: + additionalProperties: false + type: object + properties: + valid_until: + type: string + version: + type: string + required: + - valid_until + - version + maxItems: 100 + type: array + upgrade_attempts: + items: + type: string + maxItems: 10000 + nullable: true + type: array + upgrade_details: + additionalProperties: false + nullable: true + type: object + properties: + action_id: + type: string + metadata: + additionalProperties: false + type: object + properties: + download_percent: + type: number + download_rate: + type: number + error_msg: + type: string + failed_state: + enum: + - UPG_REQUESTED + - UPG_SCHEDULED + - UPG_DOWNLOADING + - UPG_EXTRACTING + - UPG_REPLACING + - UPG_RESTARTING + - UPG_FAILED + - UPG_WATCHING + - UPG_ROLLBACK + type: string + reason: + type: string + retry_error_msg: + type: string + retry_until: + type: string + scheduled_at: + type: string + state: + enum: + - UPG_REQUESTED + - UPG_SCHEDULED + - UPG_DOWNLOADING + - UPG_EXTRACTING + - UPG_REPLACING + - UPG_RESTARTING + - UPG_FAILED + - UPG_WATCHING + - UPG_ROLLBACK + type: string + target_version: + type: string + required: + - target_version + - action_id + - state + upgrade_started_at: + nullable: true + type: 
string + upgraded_at: + nullable: true + type: string + user_provided_metadata: + additionalProperties: + nullable: true + type: object + required: + - id + - packages + - type + - active + - enrolled_at + - local_metadata + - effective_config + maxItems: 10000 + type: array + nextSearchAfter: + type: string + page: + type: number + perPage: + type: number + pit: + type: string + statusSummary: + additionalProperties: + type: number type: object - properties: - active: - type: number - all: - type: number - error: - type: number - events: - type: number - inactive: - type: number - offline: - type: number - online: - type: number - orphaned: - type: number - other: - type: number - unenrolled: - type: number - uninstalled: - type: number - updating: - type: number - required: - - events - - online - - error - - offline - - other - - updating - - inactive - - unenrolled - - all - - active + total: + type: number required: - - results + - items + - total + - page + - perPage description: Successful response '400': content: @@ -38797,92 +34096,76 @@ paths: - message - attributes description: Bad Request - summary: Get an agent status summary + summary: Get agents tags: - - Elastic Agent status + - Elastic Agents x-metaTags: - content: Kibana name: product_name - /api/fleet/agent_status/data: - get: + post: description: |- **Spaces method and path for this operation:** -
get /s/{space_id}/api/fleet/agent_status/data
+
post /s/{space_id}/api/fleet/agents
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Get the data streams that an agent is actively sending data to.

[Required authorization] Route required privileges: fleet-agents-read. - operationId: get-fleet-agent-status-data + Retrieve agents associated with specific action IDs.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: post-fleet-agents parameters: - - description: Agent IDs to check data for, as an array or comma-separated string - in: query - name: agentsIds + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: - items: - type: string - maxItems: 10000 - type: array - - description: Filter by integration package name - in: query - name: pkgName - required: false - schema: - type: string - - description: Filter by integration package version - in: query - name: pkgVersion - required: false - schema: + example: 'true' type: string - - description: When true, return a preview of the ingested data - in: query - name: previewData - required: false - schema: - default: false - type: boolean + requestBody: + content: + application/json: + examples: + postGetAgentsByActionsRequestExample: + description: Retrieve agents associated with specific action IDs + value: + actionIds: + - action-id-1 + - action-id-2 + schema: + additionalProperties: false + type: object + properties: + actionIds: + items: + type: string + maxItems: 1000 + type: array + required: + - actionIds responses: '200': content: application/json: examples: - getAgentDataExample: - description: Data streams the agent is actively sending data to + postGetAgentsByActionsExample: + description: Agents associated with the given actions value: items: - - data: - logs-nginx.access-default: - - id: agent-id-1 - name: my-host + - active: true + id: agent-id-1 + policy_id: agent-policy-id-1 + status: online total: 1 - totalMonitoring: 0 schema: additionalProperties: false type: object properties: - dataPreview: - items: - nullable: true - maxItems: 10000 - type: array items: items: - additionalProperties: - additionalProperties: false - type: object - properties: - data: - type: boolean - required: - - data - type: object + type: string maxItems: 10000 type: array required: - items 
- - dataPreview description: Successful response '400': content: @@ -38913,23 +34196,23 @@ paths: - message - attributes description: Bad Request - summary: Get incoming agent data + summary: Get agents by action ids tags: - Elastic Agents x-metaTags: - content: Kibana name: product_name - /api/fleet/agentless_policies: - post: + /api/fleet/agents/{agentId}: + delete: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/agentless_policies
+
delete /s/{space_id}/api/fleet/agents/{agentId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Create an agentless policy - operationId: post-fleet-agentless-policies + Delete an agent by ID.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: delete-fleet-agents-agentid parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -38938,1109 +34221,972 @@ paths: schema: example: 'true' type: string - - description: The format of the response package policy. - in: query - name: format - required: false + - description: The agent ID + in: path + name: agentId + required: true schema: - default: simplified - enum: - - legacy - - simplified type: string - requestBody: - content: - application/json: - examples: - createAgentlessPoliciesRequestExample: - description: Example request to create agentless policies - value: - description: test - inputs: - ESS Billing-cel: - enabled: true - streams: - ess_billing.billing: - enabled: true - vars: - hide_sensitive: true - http_client_timeout: 30s - lookbehind: 365 - tags: - - forwarded - - billing - ess_billing.credits: - enabled: false - vars: - api_key: - organization_id: '1234' - name: ess_billing-1 - namespace: default - package: - name: ess_billing - version: 1.6.0 - createAgentlessPoliciesReuseAWSCloudConnectorExample: - description: Example request to create agentless policy reusing an existing AWS cloud connector - value: - cloud_connector: - cloud_connector_id: existing-aws-connector-id - target_csp: aws - description: CSPM integration for AWS reusing existing cloud connector - inputs: - cspm-cloudbeat/cis_aws: - enabled: true - streams: - cloud_security_posture.findings: - enabled: true - vars: - aws.account_type: organization-account - aws.credentials.type: cloud_connector - aws.supports_cloud_connectors: true - external_id: - id: ABCDEFGHIJKLMNOPQRST - isSecretRef: true - role_arn: arn:aws:iam::123456789012:role/TestRole - vars: - cloud_formation_template: https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https://elastic-cspm-cft.s3.eu-central-1.amazonaws.com/cloudformation-cspm-ACCOUNT_TYPE-9.2.0.yml - cspm-cloudbeat/cis_azure: - enabled: false - cspm-cloudbeat/cis_gcp: - enabled: false - name: cspm-aws-reuse-policy - namespace: default - package: - name: cloud_security_posture - version: 3.1.1 - vars: - 
deployment: aws - posture: cspm - createAgentlessPoliciesWithAWSCloudConnectorExample: - description: Example request to create agentless policy with AWS cloud connector - value: - cloud_connector: - target_csp: aws - description: CSPM integration for AWS with cloud connector - inputs: - cspm-cloudbeat/cis_aws: - enabled: true - streams: - cloud_security_posture.findings: - enabled: true - vars: - aws.account_type: organization-account - aws.credentials.type: cloud_connector - aws.supports_cloud_connectors: true - external_id: - id: ABCDEFGHIJKLMNOPQRST - isSecretRef: true - role_arn: arn:aws:iam::123456789012:role/TestRole - vars: - cloud_formation_template: https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https://elastic-cspm-cft.s3.eu-central-1.amazonaws.com/cloudformation-cspm-ACCOUNT_TYPE-9.2.0.yml - cspm-cloudbeat/cis_azure: - enabled: false - cspm-cloudbeat/cis_gcp: - enabled: false - name: cspm-aws-policy - namespace: default - package: - name: cloud_security_posture - version: 3.1.1 - vars: - deployment: aws - posture: cspm - createAgentlessPoliciesWithAzureCloudConnectorExample: - description: Example request to create agentless policy with Azure cloud connector - value: - cloud_connector: - target_csp: azure - description: CSPM integration for Azure with cloud connector - inputs: - cspm-cloudbeat/cis_aws: - enabled: false - cspm-cloudbeat/cis_azure: - enabled: true - streams: - cloud_security_posture.findings: - enabled: true - vars: - azure_credentials_cloud_connector_id: - type: text - value: existing-azure-credentials-connector-id - azure.account_type: organization-account - client_id: - id: client-secret-id - isSecretRef: true - tenant_id: - id: tenant-secret-id - isSecretRef: true - cspm-cloudbeat/cis_gcp: - enabled: false - name: cspm-azure-policy - namespace: default - package: - name: cloud_security_posture - version: 3.1.1 - vars: - deployment: azure - posture: cspm - schema: - additionalProperties: false - 
type: object - properties: - additional_datastreams_permissions: - description: Additional datastream permissions, that will be added to the agent policy. - items: + responses: + '200': + content: + application/json: + examples: + deleteAgentExample: + description: Agent successfully deleted + value: + id: agent-id-1 + success: true + schema: + additionalProperties: false + type: object + properties: + action: + enum: + - deleted type: string - maxItems: 100 - nullable: true - type: array - cloud_connector: - additionalProperties: false - type: object - properties: - cloud_connector_id: - description: ID of an existing cloud connector to reuse. If not provided, a new connector will be created. - type: string - enabled: - default: false - description: Whether cloud connectors are enabled for this policy. - type: boolean - name: - description: Optional name for the cloud connector. If not provided, will be auto-generated from credentials. - maxLength: 255 - minLength: 1 - type: string - target_csp: - description: Target cloud service provider. If not provided, will be auto-detected from inputs. - enum: - - aws - - azure - - gcp - type: string - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this integration to its inputs.' - type: string - description: - description: Policy description. - type: string - force: - description: Force package policy creation even if the package is not verified, or if the agent policy is managed. 
- type: boolean - global_data_tags: - items: + required: + - action + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No agent was found with the given ID + value: + error: Not Found + message: Agent agent-id-1 not found + statusCode: 404 + description: Not Found + summary: Delete an agent + tags: + - Elastic Agents + x-metaTags: + - content: Kibana + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agents/{agentId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get an agent by ID.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agents-agentid + parameters: + - description: The agent ID + in: path + name: agentId + required: true + schema: + type: string + - description: When true, include CPU and memory metrics in the response + in: query + name: withMetrics + required: false + schema: + default: false + type: boolean + responses: + '200': + content: + application/json: + examples: + getAgentExample: + description: Agent details + value: + item: + active: true + agent_id: agent-id-1 + enrolled_at: '2024-01-01T00:00:00.000Z' + id: agent-id-1 + local_metadata: + elastic: + agent: + version: 8.17.0 + host: + hostname: my-host + os: + name: linux + policy_id: agent-policy-id-1 + policy_revision: 1 + status: online + type: PERMANENT + updated_at: '2024-01-01T00:00:00.000Z' + schema: + additionalProperties: false + type: object + properties: + item: additionalProperties: false type: object properties: - name: - description: The name of the custom field. Cannot contain spaces. + access_api_key: type: string - value: - anyOf: - - type: string - - type: number - description: The value of the custom field. - required: - - name - - value - maxItems: 100 - type: array - id: - description: Policy unique identifier. - type: string - inputs: - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' + access_api_key_id: type: string - deprecated: - additionalProperties: false + active: + type: boolean + agent: + additionalProperties: true type: object properties: - description: + id: type: string - replaced_by: - additionalProperties: - type: string - type: object - since: + type: + type: string + version: type: string required: - - description - enabled: - description: Enable or disable that input. Defaults to `true` (enabled). 
- type: boolean - streams: - additionalProperties: + - id + - version + audit_unenrolled_reason: + type: string + capabilities: + items: + type: string + maxItems: 100 + type: array + components: + items: additionalProperties: false type: object properties: - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' + id: type: string - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: + message: + type: string + status: + enum: + - STARTING + - CONFIGURING + - HEALTHY + - DEGRADED + - FAILED + - STOPPING + - STOPPED + type: string + type: + type: string + units: + items: + additionalProperties: false + type: object + properties: + id: type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that stream. Defaults to `true` (enabled). - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false + message: + type: string + payload: + additionalProperties: + nullable: true type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Input streams. Refer to the integration documentation to know which streams are available. 
- type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 + status: + enum: + - STARTING + - CONFIGURING + - HEALTHY + - DEGRADED + - FAILED + - STOPPING + - STOPPED + type: string + type: + enum: + - input + - output + - '' + type: string + required: + - id + - type + - status + - message + maxItems: 10000 type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef + required: + - id + - type + - status + - message + maxItems: 10000 + type: array + default_api_key: + type: string + default_api_key_history: + items: + additionalProperties: false + deprecated: true + type: object + properties: + id: + type: string + retired_at: + type: string + required: + - id + - retired_at + maxItems: 100 + type: array + default_api_key_id: + type: string + effective_config: + nullable: true + enrolled_at: + type: string + health: + additionalProperties: nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. type: object - description: Package policy inputs. Refer to the integration documentation to know which inputs are available. - type: object - name: - description: Unique name for the policy. - type: string - namespace: - description: Policy namespace. When not specified, it inherits the agent policy namespace. 
- type: string - package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false + id: + type: string + identifying_attributes: + additionalProperties: + type: string type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - - version - policy_template: - description: The policy template to use for the agentless package policy. If not provided, the default policy template will be used. - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. 
- type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: + last_checkin: + type: string + last_checkin_message: + type: string + last_checkin_status: + enum: + - error + - online + - degraded + - updating + - starting + - disconnected + type: string + last_known_status: + enum: + - offline + - error + - online + - inactive + - enrolling + - unenrolling + - unenrolled + - updating + - degraded + - uninstalled + - orphaned + type: string + local_metadata: + additionalProperties: + nullable: true + type: object + metrics: + additionalProperties: false + type: object + properties: + cpu_avg: + type: number + memory_size_byte_avg: + type: number + namespaces: + items: type: string maxItems: 100 type: array - - items: - type: number + non_identifying_attributes: + additionalProperties: + type: string + type: object + outputs: + additionalProperties: + additionalProperties: false + type: object + properties: + api_key_id: + type: string + to_retire_api_key_ids: + items: + additionalProperties: false + type: object + properties: + id: + type: string + retired_at: + type: string + required: + - id + - retired_at + maxItems: 100 + type: array + type: + type: string + type: object + packages: + items: + type: string + maxItems: 10000 + type: array + policy_id: + type: string + policy_revision: + nullable: true + type: number + sequence_num: + type: number + signals: + items: + type: string + maxItems: 50 + type: array + sort: + items: + nullable: true + maxItems: 10 + type: array + status: + enum: + - offline + - error + - online + - inactive + - enrolling + - unenrolling + - unenrolled + - updating + - degraded + - uninstalled + - orphaned + type: string + tags: + items: + type: string maxItems: 100 type: array - - additionalProperties: false + type: + enum: + - PERMANENT + - EPHEMERAL + - TEMPORARY + - OPAMP + type: string + unenrolled_at: + type: string + unenrollment_started_at: + type: string + 
unhealthy_reason: + items: + enum: + - input + - output + - other + type: string + maxItems: 3 + nullable: true + type: array + upgrade: + additionalProperties: false type: object properties: - id: + rollbacks: + items: + additionalProperties: false + type: object + properties: + valid_until: + type: string + version: + type: string + required: + - valid_until + - version + maxItems: 100 + type: array + upgrade_attempts: + items: + type: string + maxItems: 10000 + nullable: true + type: array + upgrade_details: + additionalProperties: false + nullable: true + type: object + properties: + action_id: + type: string + metadata: + additionalProperties: false + type: object + properties: + download_percent: + type: number + download_rate: + type: number + error_msg: + type: string + failed_state: + enum: + - UPG_REQUESTED + - UPG_SCHEDULED + - UPG_DOWNLOADING + - UPG_EXTRACTING + - UPG_REPLACING + - UPG_RESTARTING + - UPG_FAILED + - UPG_WATCHING + - UPG_ROLLBACK + type: string + reason: + type: string + retry_error_msg: + type: string + retry_until: + type: string + scheduled_at: + type: string + state: + enum: + - UPG_REQUESTED + - UPG_SCHEDULED + - UPG_DOWNLOADING + - UPG_EXTRACTING + - UPG_REPLACING + - UPG_RESTARTING + - UPG_FAILED + - UPG_WATCHING + - UPG_ROLLBACK + type: string + target_version: type: string - isSecretRef: - type: boolean required: - - id - - isSecretRef + - target_version + - action_id + - state + upgrade_started_at: + nullable: true + type: string + upgraded_at: + nullable: true + type: string + user_provided_metadata: + additionalProperties: + nullable: true + type: object + required: + - id + - packages + - type + - active + - enrolled_at + - local_metadata + - effective_config + required: + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went 
wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No agent was found with the given ID + value: + error: Not Found + message: Agent agent-id-1 not found + statusCode: 404 + description: Not Found + summary: Get an agent + tags: + - Elastic Agents + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/fleet/agents/{agentId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an agent by ID.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: put-fleet-agents-agentid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The agent ID + in: path + name: agentId + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + putAgentRequestExample: + description: Update agent tags + value: + tags: + - production + - linux + schema: + additionalProperties: false + type: object + properties: + tags: + items: + type: string + maxItems: 10 + type: array + user_provided_metadata: + additionalProperties: nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. type: object - required: - - name - - package responses: '200': content: application/json: examples: - createAgentlessPoliciesResponseExample: - description: Example response showing the successful result of communication initialisation over MCP protocol - value: - item: - created_at: '2025-11-06T18:27:43.541Z' - created_by: test_user - description: test - enabled: true - id: d52a7812-5736-4fdc-aed8-72152afa1ffa - inputs: - ESS Billing-cel: - enabled: true - streams: - ess_billing.billing: - enabled: true - vars: - hide_sensitive: true - http_client_timeout: 30s - lookbehind: 365 - tags: - - forwarded - - billing - ess_billing.credits: - enabled: false - vars: - api_key: - id: QY1sWpoBbWcMW-edr0Ee - isSecretRef: true - organization_id: '1234' - url: https://billing.elastic-cloud.com - name: ess_billing-1 - namespace: default - package: - name: ess_billing - title: Elasticsearch Service Billing - version: 1.6.0 - revision: 1 - secret_references: - - id: QY1sWpoBbWcMW-edr0Ee - supports_agentless: true - updated_at: '2025-11-06T18:27:43.541Z' - updated_by: test_user - version: WzE0OTgsMV0= - 
createAgentlessPoliciesWithAWSCloudConnectorResponseExample: - description: Example response for AWS cloud connector integration - value: - item: - cloud_connector_id: aws-connector-67890 - created_at: '2025-11-06T18:27:43.541Z' - created_by: test_user - description: CSPM integration for AWS with cloud connector - enabled: true - id: aws-policy-12345 - inputs: - cspm-cloudbeat/cis_aws: - enabled: true - streams: - cloud_security_posture.findings: - enabled: true - vars: - aws.account_type: organization-account - aws.credentials.type: cloud_connector - external_id: - id: secret-external-id-123 - isSecretRef: true - role_arn: arn:aws:iam::123456789012:role/TestRole - vars: - cloud_formation_template: https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https://elastic-cspm-cft.s3.eu-central-1.amazonaws.com/cloudformation-cspm-ACCOUNT_TYPE-9.2.0.yml - cspm-cloudbeat/cis_azure: - enabled: false - cspm-cloudbeat/cis_gcp: - enabled: false - name: cspm-aws-policy - namespace: default - package: - name: cloud_security_posture - title: Cloud Security Posture Management - version: 3.1.1 - revision: 1 - secret_references: - - id: secret-external-id-123 - supports_agentless: true - supports_cloud_connector: true - updated_at: '2025-11-06T18:27:43.541Z' - updated_by: test_user - vars: - deployment: aws - posture: cspm - version: WzE0OTgsMV0= - createAgentlessPoliciesWithAzureCloudConnectorResponseExample: - description: Example response for Azure cloud connector integration + putAgentExample: + description: Updated agent details value: item: - cloud_connector_id: azure-connector-67890 - created_at: '2025-11-06T18:27:43.541Z' - created_by: test_user - description: CSPM integration for Azure with cloud connector - enabled: true - id: azure-policy-12345 - inputs: - cspm-cloudbeat/cis_aws: - enabled: false - cspm-cloudbeat/cis_azure: - enabled: true - streams: - cloud_security_posture.findings: - enabled: true - vars: - 
azure_credentials_cloud_connector_id: - type: text - value: existing-azure-credentials-connector-id - azure.account_type: organization-account - client_id: - id: client-secret-id-456 - isSecretRef: true - tenant_id: - id: tenant-secret-id-123 - isSecretRef: true - cspm-cloudbeat/cis_gcp: - enabled: false - name: cspm-azure-policy - namespace: default - package: - name: cloud_security_posture - title: Cloud Security Posture Management - version: 3.1.1 - revision: 1 - secret_references: - - id: tenant-secret-id-123 - - id: client-secret-id-456 - supports_agentless: true - supports_cloud_connector: true - updated_at: '2025-11-06T18:27:43.541Z' - updated_by: test_user - vars: - deployment: azure - posture: cspm - version: WzE0OTgsMV0= + active: true + enrolled_at: '2024-01-01T00:00:00.000Z' + id: agent-id-1 + policy_id: agent-policy-id-1 + policy_revision: 1 + status: online + tags: + - production + - linux + type: PERMANENT + updated_at: '2024-01-01T00:00:00.000Z' schema: additionalProperties: false type: object properties: item: additionalProperties: false - description: The created agentless package policy. type: object properties: - additional_datastreams_permissions: - description: Additional datastream permissions, that will be added to the agent policy. - items: - type: string - maxItems: 1000 - nullable: true - type: array - agents: - type: number - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. - nullable: true - type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. - maxLength: 255 - minLength: 1 - nullable: true + access_api_key: type: string - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this integration to its inputs.' 
+ access_api_key_id: type: string - created_at: - type: string - created_by: - type: string - description: - description: Package policy description - type: string - elasticsearch: - additionalProperties: true - type: object - properties: - privileges: - additionalProperties: true - type: object - properties: - cluster: - items: - type: string - maxItems: 100 - type: array - enabled: - type: boolean - global_data_tags: - items: - additionalProperties: false - type: object - properties: - name: - description: The name of the custom field. Cannot contain spaces. - type: string - value: - anyOf: - - type: string - - type: number - description: The value of the custom field. - required: - - name - - value - maxItems: 100 - nullable: true - type: array - id: - description: Package policy unique identifier. - type: string - inputs: - anyOf: - - items: - additionalProperties: false - type: object - properties: - compiled_input: - nullable: true - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' - type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' 
- type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - enabled - - data_stream - - compiled_stream - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. 
- type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - type - - enabled - - streams - - compiled_input - maxItems: 100 - type: array - - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' - type: string - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that input. Defaults to `true` (enabled). - type: boolean - streams: - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' - type: string - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that stream. Defaults to `true` (enabled). - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. 
- type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Input streams. Refer to the integration documentation to know which streams are available. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Package policy inputs. Refer to the integration documentation to know which inputs are available. - type: object - x-oas-optional: true - description: Package policy inputs. - is_managed: + active: type: boolean - name: - description: Unique name for the package policy. - type: string - namespace: - description: The package policy namespace. Leave blank to inherit the agent policy's namespace. - type: string - output_id: - nullable: true - type: string - overrides: - additionalProperties: false - description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. 
- nullable: true - type: object - properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - additionalProperties: false + agent: + additionalProperties: true type: object properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name + id: type: string - requires_root: - type: boolean - title: + type: type: string version: - description: Package version type: string required: - - name + - id - version - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. - nullable: true + audit_unenrolled_reason: type: string - policy_ids: + capabilities: items: - description: IDs of the agent policies which that package policy will be added to. type: string - maxItems: 1000 + maxItems: 100 type: array - revision: - description: Package policy revision. 
- type: number - secret_references: + components: items: additionalProperties: false type: object properties: id: type: string + message: + type: string + status: + enum: + - STARTING + - CONFIGURING + - HEALTHY + - DEGRADED + - FAILED + - STOPPING + - STOPPED + type: string + type: + type: string + units: + items: + additionalProperties: false + type: object + properties: + id: + type: string + message: + type: string + payload: + additionalProperties: + nullable: true + type: object + status: + enum: + - STARTING + - CONFIGURING + - HEALTHY + - DEGRADED + - FAILED + - STOPPING + - STOPPED + type: string + type: + enum: + - input + - output + - '' + type: string + required: + - id + - type + - status + - message + maxItems: 10000 + type: array required: - id - maxItems: 1000 + - type + - status + - message + maxItems: 10000 type: array - spaceIds: + default_api_key: + type: string + default_api_key_history: items: - type: string + additionalProperties: false + deprecated: true + type: object + properties: + id: + type: string + retired_at: + type: string + required: + - id + - retired_at maxItems: 100 type: array - supports_agentless: - default: false - description: Indicates whether the package policy belongs to an agentless agent policy. - nullable: true - type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. + default_api_key_id: + type: string + effective_config: nullable: true - type: boolean - updated_at: + enrolled_at: type: string - updated_by: + health: + additionalProperties: + nullable: true + type: object + id: type: string - var_group_selections: + identifying_attributes: additionalProperties: type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. 
type: object - vars: - anyOf: - - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. + last_checkin: + type: string + last_checkin_message: + type: string + last_checkin_status: + enum: + - error + - online + - degraded + - updating + - starting + - disconnected + type: string + last_known_status: + enum: + - offline + - error + - online + - inactive + - enrolling + - unenrolling + - unenrolled + - updating + - degraded + - uninstalled + - orphaned + type: string + local_metadata: + additionalProperties: + nullable: true + type: object + metrics: + additionalProperties: false + type: object + properties: + cpu_avg: + type: number + memory_size_byte_avg: + type: number + namespaces: + items: + type: string + maxItems: 100 + type: array + non_identifying_attributes: + additionalProperties: + type: string + type: object + outputs: + additionalProperties: + additionalProperties: false + type: object + properties: + api_key_id: + type: string + to_retire_api_key_ids: + items: + additionalProperties: false + type: object + properties: + id: + type: string + retired_at: + type: string + required: + - id + - retired_at + maxItems: 100 + type: array + type: + type: string + type: object + packages: + items: + type: string + maxItems: 10000 + type: array + policy_id: + type: string + 
policy_revision: + nullable: true + type: number + sequence_num: + type: number + signals: + items: + type: string + maxItems: 50 + type: array + sort: + items: + nullable: true + maxItems: 10 + type: array + status: + enum: + - offline + - error + - online + - inactive + - enrolling + - unenrolling + - unenrolled + - updating + - degraded + - uninstalled + - orphaned + type: string + tags: + items: + type: string + maxItems: 100 + type: array + type: + enum: + - PERMANENT + - EPHEMERAL + - TEMPORARY + - OPAMP + type: string + unenrolled_at: + type: string + unenrollment_started_at: + type: string + unhealthy_reason: + items: + enum: + - input + - output + - other + type: string + maxItems: 3 + nullable: true + type: array + upgrade: + additionalProperties: false + type: object + properties: + rollbacks: + items: + additionalProperties: false + type: object + properties: + valid_until: + type: string + version: + type: string + required: + - valid_until + - version + maxItems: 100 + type: array + upgrade_attempts: + items: + type: string + maxItems: 10000 + nullable: true + type: array + upgrade_details: + additionalProperties: false + nullable: true + type: object + properties: + action_id: + type: string + metadata: + additionalProperties: false type: object - x-oas-optional: true - description: Package level variable. - version: - description: Package policy ES version. 
+ properties: + download_percent: + type: number + download_rate: + type: number + error_msg: + type: string + failed_state: + enum: + - UPG_REQUESTED + - UPG_SCHEDULED + - UPG_DOWNLOADING + - UPG_EXTRACTING + - UPG_REPLACING + - UPG_RESTARTING + - UPG_FAILED + - UPG_WATCHING + - UPG_ROLLBACK + type: string + reason: + type: string + retry_error_msg: + type: string + retry_until: + type: string + scheduled_at: + type: string + state: + enum: + - UPG_REQUESTED + - UPG_SCHEDULED + - UPG_DOWNLOADING + - UPG_EXTRACTING + - UPG_REPLACING + - UPG_RESTARTING + - UPG_FAILED + - UPG_WATCHING + - UPG_ROLLBACK + type: string + target_version: + type: string + required: + - target_version + - action_id + - state + upgrade_started_at: + nullable: true + type: string + upgraded_at: + nullable: true type: string + user_provided_metadata: + additionalProperties: + nullable: true + type: object required: - - name - - enabled - - inputs - id - - revision - - updated_at - - updated_by - - created_at - - created_by + - packages + - type + - active + - enrolled_at + - local_metadata + - effective_config required: - item - description: Indicates a successful response + description: Successful response '400': content: application/json: 
@@ -40070,53 +35216,34 @@ paths: - message - attributes description: Bad Request - '409': + '404': content: application/json: examples: - conflictErrorResponseExample: - description: Example of a conflict error response + notFoundExample: + description: No agent was found with the given ID value: - error: Conflict - message: An error message describing what went wrong - statusCode: 409 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Conflict - summary: Create an agentless policy + error: Not Found + message: Agent agent-id-1 not found + statusCode: 404 + description: Not Found + summary: Update an agent by ID tags: - - Fleet agentless policies - x-state: Technical Preview; added in 9.3.0 + - Elastic Agents x-metaTags: - content: Kibana name: product_name - /api/fleet/agentless_policies/{policyId}: - delete: + /api/fleet/agents/{agentId}/actions: + post: description: |- **Spaces method and path for this operation:** -
delete /s/{space_id}/api/fleet/agentless_policies/{policyId}
+
post /s/{space_id}/api/fleet/agents/{agentId}/actions
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Delete an agentless policy - operationId: delete-fleet-agentless-policies-policyid + Create a new action for a specific agent.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-agentid-actions parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -40125,39 +35252,135 @@ paths: schema: example: 'true' type: string - - description: The ID of the policy to delete. + - description: The agent ID in: path - name: policyId + name: agentId required: true schema: type: string - - description: Force delete the policy even if the policy is managed. - in: query - name: force - required: false - schema: - type: boolean + requestBody: + content: + application/json: + examples: + postAgentActionRequestExample: + description: Create a UNENROLL action for an agent + value: + action: + type: UNENROLL + schema: + additionalProperties: false + type: object + properties: + action: + anyOf: + - additionalProperties: false + type: object + properties: + ack_data: + nullable: true + data: + nullable: true + type: + enum: + - UNENROLL + - UPGRADE + - POLICY_REASSIGN + type: string + required: + - type + - data + - ack_data + - additionalProperties: false + type: object + properties: + data: + additionalProperties: false + type: object + properties: + log_level: + enum: + - debug + - info + - warning + - error + nullable: true + type: string + required: + - log_level + type: + enum: + - SETTINGS + type: string + required: + - type + - data + required: + - action responses: '200': content: application/json: examples: - createAgentlessPoliciesResponseExample: - description: Example response showing the successful result of communication initialisation over MCP protocol + postAgentActionExample: + description: Created agent action value: item: - id: d52a7812-5736-4fdc-aed8-72152afa1ffa + agents: + - agent-id-1 + created_at: '2024-01-01T00:00:00.000Z' + id: action-id-1 + type: UNENROLL schema: additionalProperties: false - description: Response for deleting an agentless package policy. type: object properties: - id: - description: The ID of the deleted agentless package policy. 
- type: string + item: + additionalProperties: false + type: object + properties: + ack_data: + nullable: true + agents: + items: + type: string + maxItems: 10000 + type: array + created_at: + type: string + data: + nullable: true + expiration: + type: string + id: + type: string + minimum_execution_duration: + type: number + namespaces: + items: + type: string + maxItems: 100 + type: array + rollout_duration_seconds: + type: number + sent_at: + type: string + source_uri: + type: string + start_time: + type: string + total: + type: number + type: + type: string + required: + - id + - type + - data + - created_at + - ack_data required: - - id - description: Indicates a successful response + - item + description: Successful response '400': content: application/json: @@ -40187,16 +35410,54 @@ paths: - message - attributes description: Bad Request - '409': + summary: Create an agent action + tags: + - Elastic Agent actions + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/{agentId}/effective_config: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agents/{agentId}/effective_config
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get an agent's effective config by ID.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agents-agentid-effective-config + parameters: + - description: The agent ID to get effective config of + in: path + name: agentId + required: true + schema: + type: string + responses: + '200': content: application/json: examples: - conflictErrorResponseExample: - description: Example of a conflict error response + successResponse: value: - error: Conflict - message: An error message describing what went wrong - statusCode: 409 + effective_config: {} + schema: + additionalProperties: false + type: object + properties: + effective_config: + nullable: true + required: + - effective_config + description: 'OK: A successful request.' + '400': + content: + application/json: + examples: + badRequestResponse: + value: + message: Bad Request schema: additionalProperties: false description: Generic Error @@ -40215,523 +35476,451 @@ paths: required: - message - attributes - description: Conflict - summary: Delete an agentless policy + description: A bad request. + summary: Get an agent's effective config tags: - - Fleet agentless policies - x-state: Technical Preview; added in 9.3.0 + - Elastic Agents x-metaTags: - content: Kibana name: product_name - /api/fleet/agents: - get: + /api/fleet/agents/{agentId}/migrate: + post: description: |- **Spaces method and path for this operation:** -
get /s/{space_id}/api/fleet/agents
+
post /s/{space_id}/api/fleet/agents/{agentId}/migrate
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - List agents, with optional filtering and pagination.

[Required authorization] Route required privileges: fleet-agents-read. - operationId: get-fleet-agents + Migrate a single agent to another cluster.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-agentid-migrate parameters: - - description: Page number - in: query - name: page - required: false - schema: - type: number - - description: Number of results per page - in: query - name: perPage - required: false - schema: - default: 20 - type: number - - description: A KQL query string to filter results - in: query - name: kuery - required: false + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: + example: 'true' type: string - - description: When true, include agentless agents in the results - in: query - name: showAgentless - required: false - schema: - default: true - type: boolean - - description: When true, include inactive agents in the results - in: query - name: showInactive - required: false - schema: - default: false - type: boolean - - description: When true, include CPU and memory metrics in the response - in: query - name: withMetrics - required: false + - description: The agent ID + in: path + name: agentId + required: true schema: - default: false - type: boolean - - description: When true, only return agents that are upgradeable - in: query - name: showUpgradeable - required: false + type: string + requestBody: + content: + application/json: + examples: + postMigrateAgentRequestExample: + description: Migrate a single agent to another cluster + value: + enrollment_token: enrollment-token-value + settings: + retry_max: 5 + uri: https://fleet-server.example.com:8220 + schema: + additionalProperties: false + type: object + properties: + enrollment_token: + type: string + settings: + additionalProperties: false + type: object + properties: + ca_sha256: + type: string + certificate_authorities: + type: string + elastic_agent_cert: + type: string + elastic_agent_cert_key: + type: string + elastic_agent_cert_key_passphrase: + type: string + headers: + additionalProperties: + type: 
string + type: object + insecure: + type: boolean + proxy_disabled: + type: boolean + proxy_headers: + additionalProperties: + type: string + type: object + proxy_url: + type: string + replace_token: + type: string + staging: + type: string + tags: + items: + type: string + maxItems: 10 + type: array + uri: + format: uri + type: string + required: + - uri + - enrollment_token + responses: + '200': + content: + application/json: + examples: + postMigrateAgentExample: + description: Agent migration initiated + value: + actionId: action-id-1 + schema: + additionalProperties: false + type: object + properties: + actionId: + type: string + required: + - actionId + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Migrate a single agent + tags: + - Elastic Agents + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/{agentId}/privilege_level_change: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/{agentId}/privilege_level_change
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Change the privilege level of a single agent to unprivileged.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-agentid-privilege-level-change + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - default: false - type: boolean - - description: When true, return a summary of agent statuses in the response - in: query - name: getStatusSummary - required: false + example: 'true' + type: string + - description: The agent ID to change privilege level for + in: path + name: agentId + required: true schema: - default: false - type: boolean - - description: Field to sort results by - in: query - name: sortField - required: false + type: string + requestBody: + content: + application/json: + examples: + changeAgentPrivilegeLevelRequest: + value: + user_info: + groupname: groupname + password: password + username: username + schema: + additionalProperties: false + nullable: true + type: object + properties: + user_info: + additionalProperties: false + type: object + properties: + groupname: + type: string + password: + type: string + username: + type: string + responses: + '200': + content: + application/json: + examples: + successResponse: + value: + actionId: actionId + schema: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_action_id_response' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_action_message_response' + description: 'OK: A successful request.' + '400': + content: + application/json: + examples: + badRequestResponse: + value: + message: Bad Request + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: A bad request. 
+ summary: Change agent privilege level + tags: + - Elastic Agents + x-state: Technical Preview; added in 9.3.0 + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/{agentId}/reassign: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/{agentId}/reassign
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Reassign an agent to a different agent policy.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-agentid-reassign + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: + example: 'true' type: string - - description: Sort order, ascending or descending - in: query - name: sortOrder - required: false + - description: The agent ID + in: path + name: agentId + required: true schema: - enum: - - asc - - desc type: string - - description: JSON-encoded array of sort values for `search_after` pagination - in: query - name: searchAfter - required: false + requestBody: + content: + application/json: + examples: + postReassignAgentRequestExample: + description: Reassign an agent to a different policy + value: + policy_id: agent-policy-id-2 + schema: + additionalProperties: false + type: object + properties: + policy_id: + type: string + required: + - policy_id + responses: + '200': + content: + application/json: + examples: + postReassignAgentExample: + description: Agent successfully reassigned + value: {} + schema: + additionalProperties: false + type: object + properties: {} + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Reassign an agent + tags: + - Elastic Agent actions + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/{agentId}/remove_collector: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/{agentId}/remove_collector
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Remove a specific OpAMP collector from the Fleet agents list. Marks the collector as unenrolled. This action does not invalidate API keys, so the collector can reconnect on its own.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-agentid-remove-collector + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: + example: 'true' type: string - - description: When true, opens a new point-in-time for pagination - in: query - name: openPit - required: false + - description: The collector agent ID + in: path + name: agentId + required: true schema: - type: boolean - - description: Point-in-time ID for pagination - in: query - name: pitId - required: false + type: string + responses: + '200': + content: + application/json: + examples: + postRemoveCollectorExample: + description: Collector successfully removed + value: {} + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + description: Bad Request + summary: Remove an OpAMP collector + tags: + - Elastic Agent actions + x-state: Technical Preview; added in 9.5.0 + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/{agentId}/request_diagnostics: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/{agentId}/request_diagnostics
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Request a diagnostics bundle from a specific agent.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: post-fleet-agents-agentid-request-diagnostics + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: + example: 'true' type: string - - description: Duration to keep the point-in-time alive, for example, `1m` - in: query - name: pitKeepAlive - required: false + - description: The agent ID + in: path + name: agentId + required: true schema: type: string + requestBody: + content: + application/json: + examples: + postRequestDiagnosticsRequestExample: + description: Request a diagnostics bundle from an agent + value: + additional_metrics: + - CPU + schema: + additionalProperties: false + nullable: true + type: object + properties: + additional_metrics: + items: + enum: + - CPU + type: string + maxItems: 1 + type: array responses: '200': content: application/json: examples: - getAgentsExample: - description: List of agents + postRequestDiagnosticsExample: + description: Diagnostics action result value: - items: - - active: true - enrolled_at: '2024-01-01T00:00:00.000Z' - id: agent-id-1 - policy_id: agent-policy-id-1 - policy_revision: 1 - status: online - type: PERMANENT - updated_at: '2024-01-01T00:00:00.000Z' - page: 1 - perPage: 20 - total: 1 + actionId: action-id-1 schema: additionalProperties: false type: object properties: - items: - items: - additionalProperties: false - type: object - properties: - access_api_key: - type: string - access_api_key_id: - type: string - active: - type: boolean - agent: - additionalProperties: true - type: object - properties: - id: - type: string - type: - type: string - version: - type: string - required: - - id - - version - audit_unenrolled_reason: - type: string - capabilities: - items: - type: string - maxItems: 100 - type: array - components: - items: - additionalProperties: false - type: object - properties: - id: - type: string - message: - type: string - 
status: - enum: - - STARTING - - CONFIGURING - - HEALTHY - - DEGRADED - - FAILED - - STOPPING - - STOPPED - type: string - type: - type: string - units: - items: - additionalProperties: false - type: object - properties: - id: - type: string - message: - type: string - payload: - additionalProperties: - nullable: true - type: object - status: - enum: - - STARTING - - CONFIGURING - - HEALTHY - - DEGRADED - - FAILED - - STOPPING - - STOPPED - type: string - type: - enum: - - input - - output - - '' - type: string - required: - - id - - type - - status - - message - maxItems: 10000 - type: array - required: - - id - - type - - status - - message - maxItems: 10000 - type: array - default_api_key: - type: string - default_api_key_history: - items: - additionalProperties: false - deprecated: true - type: object - properties: - id: - type: string - retired_at: - type: string - required: - - id - - retired_at - maxItems: 100 - type: array - default_api_key_id: - type: string - effective_config: - nullable: true - enrolled_at: - type: string - health: - additionalProperties: - nullable: true - type: object - id: - type: string - identifying_attributes: - additionalProperties: - type: string - type: object - last_checkin: - type: string - last_checkin_message: - type: string - last_checkin_status: - enum: - - error - - online - - degraded - - updating - - starting - - disconnected - type: string - last_known_status: - enum: - - offline - - error - - online - - inactive - - enrolling - - unenrolling - - unenrolled - - updating - - degraded - - uninstalled - - orphaned - type: string - local_metadata: - additionalProperties: - nullable: true - type: object - metrics: - additionalProperties: false - type: object - properties: - cpu_avg: - type: number - memory_size_byte_avg: - type: number - namespaces: - items: - type: string - maxItems: 100 - type: array - non_identifying_attributes: - additionalProperties: - type: string - type: object - outputs: - additionalProperties: - 
additionalProperties: false - type: object - properties: - api_key_id: - type: string - to_retire_api_key_ids: - items: - additionalProperties: false - type: object - properties: - id: - type: string - retired_at: - type: string - required: - - id - - retired_at - maxItems: 100 - type: array - type: - type: string - type: object - packages: - items: - type: string - maxItems: 10000 - type: array - policy_id: - type: string - policy_revision: - nullable: true - type: number - sequence_num: - type: number - signals: - items: - type: string - maxItems: 50 - type: array - sort: - items: - nullable: true - maxItems: 10 - type: array - status: - enum: - - offline - - error - - online - - inactive - - enrolling - - unenrolling - - unenrolled - - updating - - degraded - - uninstalled - - orphaned - type: string - tags: - items: - type: string - maxItems: 100 - type: array - type: - enum: - - PERMANENT - - EPHEMERAL - - TEMPORARY - - OPAMP - type: string - unenrolled_at: - type: string - unenrollment_started_at: - type: string - unhealthy_reason: - items: - enum: - - input - - output - - other - type: string - maxItems: 3 - nullable: true - type: array - upgrade: - additionalProperties: false - type: object - properties: - rollbacks: - items: - additionalProperties: false - type: object - properties: - valid_until: - type: string - version: - type: string - required: - - valid_until - - version - maxItems: 100 - type: array - upgrade_attempts: - items: - type: string - maxItems: 10000 - nullable: true - type: array - upgrade_details: - additionalProperties: false - nullable: true - type: object - properties: - action_id: - type: string - metadata: - additionalProperties: false - type: object - properties: - download_percent: - type: number - download_rate: - type: number - error_msg: - type: string - failed_state: - enum: - - UPG_REQUESTED - - UPG_SCHEDULED - - UPG_DOWNLOADING - - UPG_EXTRACTING - - UPG_REPLACING - - UPG_RESTARTING - - UPG_FAILED - - UPG_WATCHING - - 
UPG_ROLLBACK - type: string - reason: - type: string - retry_error_msg: - type: string - retry_until: - type: string - scheduled_at: - type: string - state: - enum: - - UPG_REQUESTED - - UPG_SCHEDULED - - UPG_DOWNLOADING - - UPG_EXTRACTING - - UPG_REPLACING - - UPG_RESTARTING - - UPG_FAILED - - UPG_WATCHING - - UPG_ROLLBACK - type: string - target_version: - type: string - required: - - target_version - - action_id - - state - upgrade_started_at: - nullable: true - type: string - upgraded_at: - nullable: true - type: string - user_provided_metadata: - additionalProperties: - nullable: true - type: object - required: - - id - - packages - - type - - active - - enrolled_at - - local_metadata - - effective_config - maxItems: 10000 - type: array - nextSearchAfter: - type: string - page: - type: number - perPage: - type: number - pit: + actionId: type: string - statusSummary: - additionalProperties: - type: number - type: object - total: - type: number required: - - items - - total - - page - - perPage + - actionId description: Successful response '400': content: @@ -40741,7 +35930,7 @@ paths: description: Example of a generic error response value: error: Bad Request - message: An error message describing what went wrong + message: Agent agent-id-1 does not support request diagnostics action. statusCode: 400 schema: additionalProperties: false @@ -40762,22 +35951,23 @@ paths: - message - attributes description: Bad Request - summary: Get agents + summary: Request agent diagnostics tags: - - Elastic Agents + - Elastic Agent actions x-metaTags: - content: Kibana name: product_name + /api/fleet/agents/{agentId}/rollback: post: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/agents
+
post /s/{space_id}/api/fleet/agents/{agentId}/rollback
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Retrieve agents associated with specific action IDs.

[Required authorization] Route required privileges: fleet-agents-read. - operationId: post-fleet-agents + Rollback an agent to the previous version.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-agentid-rollback parameters: - description: A required header to protect against CSRF attacks in: header @@ -40786,63 +35976,32 @@ paths: schema: example: 'true' type: string - requestBody: - content: - application/json: - examples: - postGetAgentsByActionsRequestExample: - description: Retrieve agents associated with specific action IDs - value: - actionIds: - - action-id-1 - - action-id-2 - schema: - additionalProperties: false - type: object - properties: - actionIds: - items: - type: string - maxItems: 1000 - type: array - required: - - actionIds + - description: The agent ID to rollback + in: path + name: agentId + required: true + schema: + type: string responses: '200': content: application/json: examples: - postGetAgentsByActionsExample: - description: Agents associated with the given actions + successResponse: value: - items: - - active: true - id: agent-id-1 - policy_id: agent-policy-id-1 - status: online - total: 1 + actionId: actionId schema: - additionalProperties: false - type: object - properties: - items: - items: - type: string - maxItems: 10000 - type: array - required: - - items - description: Successful response + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_action_id_response' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_action_message_response' + description: 'OK: A successful request.' '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequestResponse: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + message: Bad Request schema: additionalProperties: false description: Generic Error 
@@ -40861,24 +36020,25 @@ paths: required: - message - attributes - description: Bad Request - summary: Get agents by action ids + description: A bad request. + summary: Rollback an agent tags: - - Elastic Agents + - Elastic Agent actions + x-state: Technical Preview; added in 9.4.0 x-metaTags: - content: Kibana name: product_name - /api/fleet/agents/{agentId}: - delete: + /api/fleet/agents/{agentId}/unenroll: + post: description: |- **Spaces method and path for this operation:** -
delete /s/{space_id}/api/fleet/agents/{agentId}
+
post /s/{space_id}/api/fleet/agents/{agentId}/unenroll
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Delete an agent by ID.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: delete-fleet-agents-agentid + Unenroll a specific agent, optionally revoking its enrollment API key.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-agentid-unenroll parameters: - description: A required header to protect against CSRF attacks in: header @@ -40893,26 +36053,31 @@ paths: required: true schema: type: string + requestBody: + content: + application/json: + examples: + postUnenrollAgentRequestExample: + description: Unenroll an agent, optionally revoking the enrollment API key + value: + revoke: false + schema: + additionalProperties: false + nullable: true + type: object + properties: + force: + type: boolean + revoke: + type: boolean responses: '200': content: application/json: examples: - deleteAgentExample: - description: Agent successfully deleted - value: - id: agent-id-1 - success: true - schema: - additionalProperties: false - type: object - properties: - action: - enum: - - deleted - type: string - required: - - action + postUnenrollAgentExample: + description: Agent successfully unenrolled + value: {} description: Successful response '400': content: @@ -40924,456 +36089,72 @@ paths: error: Bad Request message: An error message describing what went wrong statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No agent was found with the given ID - value: - error: Not Found - message: Agent agent-id-1 not found - statusCode: 404 - description: Not Found - summary: Delete an agent + summary: Unenroll an agent tags: - - Elastic Agents + - Elastic Agent actions x-metaTags: - content: Kibana name: product_name - get: + /api/fleet/agents/{agentId}/upgrade: + post: description: |- **Spaces method and path for this operation:** -
get /s/{space_id}/api/fleet/agents/{agentId}
+
post /s/{space_id}/api/fleet/agents/{agentId}/upgrade
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Get an agent by ID.

[Required authorization] Route required privileges: fleet-agents-read. - operationId: get-fleet-agents-agentid + Upgrade a specific agent to a newer version.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-agentid-upgrade parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string - description: The agent ID in: path name: agentId required: true schema: type: string - - description: When true, include CPU and memory metrics in the response - in: query - name: withMetrics - required: false - schema: - default: false - type: boolean + requestBody: + content: + application/json: + examples: + postUpgradeAgentRequestExample: + description: Upgrade an agent to a specific version + value: + version: 8.17.0 + schema: + additionalProperties: false + type: object + properties: + force: + type: boolean + skipRateLimitCheck: + type: boolean + source_uri: + type: string + version: + type: string + required: + - version responses: '200': content: application/json: examples: - getAgentExample: - description: Agent details - value: - item: - active: true - agent_id: agent-id-1 - enrolled_at: '2024-01-01T00:00:00.000Z' - id: agent-id-1 - local_metadata: - elastic: - agent: - version: 8.17.0 - host: - hostname: my-host - os: - name: linux - policy_id: agent-policy-id-1 - policy_revision: 1 - status: online - type: PERMANENT - updated_at: '2024-01-01T00:00:00.000Z' + postUpgradeAgentExample: + description: Agent upgrade initiated + value: {} schema: additionalProperties: false type: object - properties: - item: - additionalProperties: false - type: object - properties: - access_api_key: - type: string - access_api_key_id: - type: string - active: - type: boolean - agent: - additionalProperties: true - type: object - properties: - id: - type: string - type: - type: string - version: - type: string - required: - - id - - version - audit_unenrolled_reason: - type: string - capabilities: - items: - type: string - maxItems: 100 - type: array - components: - items: - 
additionalProperties: false - type: object - properties: - id: - type: string - message: - type: string - status: - enum: - - STARTING - - CONFIGURING - - HEALTHY - - DEGRADED - - FAILED - - STOPPING - - STOPPED - type: string - type: - type: string - units: - items: - additionalProperties: false - type: object - properties: - id: - type: string - message: - type: string - payload: - additionalProperties: - nullable: true - type: object - status: - enum: - - STARTING - - CONFIGURING - - HEALTHY - - DEGRADED - - FAILED - - STOPPING - - STOPPED - type: string - type: - enum: - - input - - output - - '' - type: string - required: - - id - - type - - status - - message - maxItems: 10000 - type: array - required: - - id - - type - - status - - message - maxItems: 10000 - type: array - default_api_key: - type: string - default_api_key_history: - items: - additionalProperties: false - deprecated: true - type: object - properties: - id: - type: string - retired_at: - type: string - required: - - id - - retired_at - maxItems: 100 - type: array - default_api_key_id: - type: string - effective_config: - nullable: true - enrolled_at: - type: string - health: - additionalProperties: - nullable: true - type: object - id: - type: string - identifying_attributes: - additionalProperties: - type: string - type: object - last_checkin: - type: string - last_checkin_message: - type: string - last_checkin_status: - enum: - - error - - online - - degraded - - updating - - starting - - disconnected - type: string - last_known_status: - enum: - - offline - - error - - online - - inactive - - enrolling - - unenrolling - - unenrolled - - updating - - degraded - - uninstalled - - orphaned - type: string - local_metadata: - additionalProperties: - nullable: true - type: object - metrics: - additionalProperties: false - type: object - properties: - cpu_avg: - type: number - memory_size_byte_avg: - type: number - namespaces: - items: - type: string - maxItems: 100 - type: array - 
non_identifying_attributes: - additionalProperties: - type: string - type: object - outputs: - additionalProperties: - additionalProperties: false - type: object - properties: - api_key_id: - type: string - to_retire_api_key_ids: - items: - additionalProperties: false - type: object - properties: - id: - type: string - retired_at: - type: string - required: - - id - - retired_at - maxItems: 100 - type: array - type: - type: string - type: object - packages: - items: - type: string - maxItems: 10000 - type: array - policy_id: - type: string - policy_revision: - nullable: true - type: number - sequence_num: - type: number - signals: - items: - type: string - maxItems: 50 - type: array - sort: - items: - nullable: true - maxItems: 10 - type: array - status: - enum: - - offline - - error - - online - - inactive - - enrolling - - unenrolling - - unenrolled - - updating - - degraded - - uninstalled - - orphaned - type: string - tags: - items: - type: string - maxItems: 100 - type: array - type: - enum: - - PERMANENT - - EPHEMERAL - - TEMPORARY - - OPAMP - type: string - unenrolled_at: - type: string - unenrollment_started_at: - type: string - unhealthy_reason: - items: - enum: - - input - - output - - other - type: string - maxItems: 3 - nullable: true - type: array - upgrade: - additionalProperties: false - type: object - properties: - rollbacks: - items: - additionalProperties: false - type: object - properties: - valid_until: - type: string - version: - type: string - required: - - valid_until - - version - maxItems: 100 - type: array - upgrade_attempts: - items: - type: string - maxItems: 10000 - nullable: true - type: array - upgrade_details: - additionalProperties: false - nullable: true - type: object - properties: - action_id: - type: string - metadata: - additionalProperties: false - type: object - properties: - download_percent: - type: number - download_rate: - type: number - error_msg: - type: string - failed_state: - enum: - - UPG_REQUESTED - - UPG_SCHEDULED 
- - UPG_DOWNLOADING - - UPG_EXTRACTING - - UPG_REPLACING - - UPG_RESTARTING - - UPG_FAILED - - UPG_WATCHING - - UPG_ROLLBACK - type: string - reason: - type: string - retry_error_msg: - type: string - retry_until: - type: string - scheduled_at: - type: string - state: - enum: - - UPG_REQUESTED - - UPG_SCHEDULED - - UPG_DOWNLOADING - - UPG_EXTRACTING - - UPG_REPLACING - - UPG_RESTARTING - - UPG_FAILED - - UPG_WATCHING - - UPG_ROLLBACK - type: string - target_version: - type: string - required: - - target_version - - action_id - - state - upgrade_started_at: - nullable: true - type: string - upgraded_at: - nullable: true - type: string - user_provided_metadata: - additionalProperties: - nullable: true - type: object - required: - - id - - packages - - type - - active - - enrolled_at - - local_metadata - - effective_config - required: - - item + properties: {} description: Successful response '400': content: @@ -41404,454 +36185,86 @@ paths: - message - attributes description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No agent was found with the given ID - value: - error: Not Found - message: Agent agent-id-1 not found - statusCode: 404 - description: Not Found - summary: Get an agent + summary: Upgrade an agent tags: - - Elastic Agents + - Elastic Agent actions x-metaTags: - content: Kibana name: product_name - put: + /api/fleet/agents/{agentId}/uploads: + get: description: |- **Spaces method and path for this operation:** -
put /s/{space_id}/api/fleet/agents/{agentId}
+
get /s/{space_id}/api/fleet/agents/{agentId}/uploads
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Update an agent by ID.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: put-fleet-agents-agentid + Get a list of files uploaded by a specific agent.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agents-agentid-uploads parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - description: The agent ID in: path name: agentId required: true schema: type: string - requestBody: - content: - application/json: - examples: - putAgentRequestExample: - description: Update agent tags - value: - tags: - - production - - linux - schema: - additionalProperties: false - type: object - properties: - tags: - items: - type: string - maxItems: 10 - type: array - user_provided_metadata: - additionalProperties: - nullable: true - type: object responses: '200': content: application/json: examples: - putAgentExample: - description: Updated agent details + getAgentUploadsExample: + description: List of files uploaded by the agent value: - item: - active: true - enrolled_at: '2024-01-01T00:00:00.000Z' - id: agent-id-1 - policy_id: agent-policy-id-1 - policy_revision: 1 - status: online - tags: - - production - - linux - type: PERMANENT - updated_at: '2024-01-01T00:00:00.000Z' + items: + - actionId: action-id-1 + createTime: '2024-01-01T00:00:00.000Z' + filePath: /tmp/diagnostics-2024-01-01.zip + id: file-id-1 + name: diagnostics-2024-01-01.zip + status: READY schema: additionalProperties: false type: object properties: - item: - additionalProperties: false - type: object - properties: - access_api_key: - type: string - access_api_key_id: - type: string - active: - type: boolean - agent: - additionalProperties: true - type: object - properties: - id: - type: string - type: - type: string - version: - type: string - required: - - id - - version - audit_unenrolled_reason: - type: string - capabilities: - items: - type: string - maxItems: 100 - type: array - components: - items: - additionalProperties: false - type: object - properties: - id: - type: string - message: - type: 
string - status: - enum: - - STARTING - - CONFIGURING - - HEALTHY - - DEGRADED - - FAILED - - STOPPING - - STOPPED - type: string - type: - type: string - units: - items: - additionalProperties: false - type: object - properties: - id: - type: string - message: - type: string - payload: - additionalProperties: - nullable: true - type: object - status: - enum: - - STARTING - - CONFIGURING - - HEALTHY - - DEGRADED - - FAILED - - STOPPING - - STOPPED - type: string - type: - enum: - - input - - output - - '' - type: string - required: - - id - - type - - status - - message - maxItems: 10000 - type: array - required: - - id - - type - - status - - message - maxItems: 10000 - type: array - default_api_key: - type: string - default_api_key_history: - items: - additionalProperties: false - deprecated: true - type: object - properties: - id: - type: string - retired_at: - type: string - required: - - id - - retired_at - maxItems: 100 - type: array - default_api_key_id: - type: string - effective_config: - nullable: true - enrolled_at: - type: string - health: - additionalProperties: - nullable: true - type: object - id: - type: string - identifying_attributes: - additionalProperties: + items: + items: + additionalProperties: false + type: object + properties: + actionId: type: string - type: object - last_checkin: - type: string - last_checkin_message: - type: string - last_checkin_status: - enum: - - error - - online - - degraded - - updating - - starting - - disconnected - type: string - last_known_status: - enum: - - offline - - error - - online - - inactive - - enrolling - - unenrolling - - unenrolled - - updating - - degraded - - uninstalled - - orphaned - type: string - local_metadata: - additionalProperties: - nullable: true - type: object - metrics: - additionalProperties: false - type: object - properties: - cpu_avg: - type: number - memory_size_byte_avg: - type: number - namespaces: - items: + createTime: type: string - maxItems: 100 - type: array - 
non_identifying_attributes: - additionalProperties: + error: type: string - type: object - outputs: - additionalProperties: - additionalProperties: false - type: object - properties: - api_key_id: - type: string - to_retire_api_key_ids: - items: - additionalProperties: false - type: object - properties: - id: - type: string - retired_at: - type: string - required: - - id - - retired_at - maxItems: 100 - type: array - type: - type: string - type: object - packages: - items: + filePath: type: string - maxItems: 10000 - type: array - policy_id: - type: string - policy_revision: - nullable: true - type: number - sequence_num: - type: number - signals: - items: + id: type: string - maxItems: 50 - type: array - sort: - items: - nullable: true - maxItems: 10 - type: array - status: - enum: - - offline - - error - - online - - inactive - - enrolling - - unenrolling - - unenrolled - - updating - - degraded - - uninstalled - - orphaned - type: string - tags: - items: + name: type: string - maxItems: 100 - type: array - type: - enum: - - PERMANENT - - EPHEMERAL - - TEMPORARY - - OPAMP - type: string - unenrolled_at: - type: string - unenrollment_started_at: - type: string - unhealthy_reason: - items: + status: enum: - - input - - output - - other - type: string - maxItems: 3 - nullable: true - type: array - upgrade: - additionalProperties: false - type: object - properties: - rollbacks: - items: - additionalProperties: false - type: object - properties: - valid_until: - type: string - version: - type: string - required: - - valid_until - - version - maxItems: 100 - type: array - upgrade_attempts: - items: + - READY + - AWAITING_UPLOAD + - DELETED + - EXPIRED + - IN_PROGRESS + - FAILED type: string - maxItems: 10000 - nullable: true - type: array - upgrade_details: - additionalProperties: false - nullable: true - type: object - properties: - action_id: - type: string - metadata: - additionalProperties: false - type: object - properties: - download_percent: - type: number - 
download_rate: - type: number - error_msg: - type: string - failed_state: - enum: - - UPG_REQUESTED - - UPG_SCHEDULED - - UPG_DOWNLOADING - - UPG_EXTRACTING - - UPG_REPLACING - - UPG_RESTARTING - - UPG_FAILED - - UPG_WATCHING - - UPG_ROLLBACK - type: string - reason: - type: string - retry_error_msg: - type: string - retry_until: - type: string - scheduled_at: - type: string - state: - enum: - - UPG_REQUESTED - - UPG_SCHEDULED - - UPG_DOWNLOADING - - UPG_EXTRACTING - - UPG_REPLACING - - UPG_RESTARTING - - UPG_FAILED - - UPG_WATCHING - - UPG_ROLLBACK - type: string - target_version: - type: string - required: - - target_version - - action_id - - state - upgrade_started_at: - nullable: true - type: string - upgraded_at: - nullable: true - type: string - user_provided_metadata: - additionalProperties: - nullable: true - type: object - required: - - id - - packages - - type - - active - - enrolled_at - - local_metadata - - effective_config + required: + - id + - name + - filePath + - createTime + - status + - actionId + maxItems: 10000 + type: array required: - - item + - items description: Successful response '400': content: @@ -41882,134 +36295,279 @@ paths: - message - attributes description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No agent was found with the given ID - value: - error: Not Found - message: Agent agent-id-1 not found - statusCode: 404 - description: Not Found - summary: Update an agent by ID + summary: Get agent uploads tags: - Elastic Agents x-metaTags: - content: Kibana name: product_name - /api/fleet/agents/{agentId}/actions: - post: + /api/fleet/agents/action_status: + get: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/agents/{agentId}/actions
+
get /s/{space_id}/api/fleet/agents/action_status
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Create a new action for a specific agent.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-agentid-actions + Get the current status of recent agent actions.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agents-action-status parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true + - description: Page number + in: query + name: page + required: false schema: - example: 'true' - type: string - - description: The agent ID - in: path - name: agentId - required: true + default: 0 + type: number + - description: Number of results per page + in: query + name: perPage + required: false + schema: + default: 20 + type: number + - description: Return actions created before this date + in: query + name: date + required: false schema: type: string - requestBody: - content: - application/json: - examples: - postAgentActionRequestExample: - description: Create a UNENROLL action for an agent - value: - action: - type: UNENROLL - schema: - additionalProperties: false - type: object - properties: - action: - anyOf: - - additionalProperties: false - type: object - properties: - ack_data: - nullable: true - data: - nullable: true - type: - enum: - - UNENROLL - - UPGRADE - - POLICY_REASSIGN - type: string - required: - - type - - data - - ack_data - - additionalProperties: false - type: object - properties: - data: - additionalProperties: false - type: object - properties: - log_level: - enum: - - debug - - info - - warning - - error - nullable: true - type: string - required: - - log_level - type: - enum: - - SETTINGS - type: string - required: - - type - - data - required: - - action + - description: Return only the latest N actions + in: query + name: latest + required: false + schema: + type: number + - description: Number of error details to include per action + in: query + name: errorSize + required: false + schema: + default: 5 + type: number responses: '200': content: application/json: examples: - postAgentActionExample: - description: Created agent action + getActionStatusExample: + description: Status of recent 
agent actions value: - item: - agents: - - agent-id-1 - created_at: '2024-01-01T00:00:00.000Z' - id: action-id-1 - type: UNENROLL + items: + - actionId: action-id-1 + completionTime: '2024-01-01T00:05:00.000Z' + creationTime: '2024-01-01T00:00:00.000Z' + nbAgentsAck: 2 + nbAgentsActioned: 2 + nbAgentsFailed: 0 + status: COMPLETE + type: UPGRADE schema: additionalProperties: false type: object properties: - item: - additionalProperties: false - type: object - properties: - ack_data: - nullable: true - agents: - items: + items: + items: + additionalProperties: false + type: object + properties: + actionId: type: string - maxItems: 10000 + cancellationTime: + type: string + completionTime: + type: string + creationTime: + description: creation time of action + type: string + expiration: + type: string + hasRolloutPeriod: + type: boolean + is_automatic: + type: boolean + latestErrors: + items: + additionalProperties: false + description: latest errors that happened when the agents executed the action + type: object + properties: + agentId: + type: string + error: + type: string + hostname: + type: string + timestamp: + type: string + required: + - agentId + - error + - timestamp + maxItems: 10 + type: array + nbAgentsAck: + description: number of agents that acknowledged the action + type: number + nbAgentsActionCreated: + description: number of agents included in action from kibana + type: number + nbAgentsActioned: + description: number of agents actioned + type: number + nbAgentsFailed: + description: number of agents that failed to execute the action + type: number + newPolicyId: + description: new policy id (POLICY_REASSIGN action) + type: string + policyId: + description: policy id (POLICY_CHANGE action) + type: string + revision: + description: new policy revision (POLICY_CHANGE action) + type: number + startTime: + description: start time of action (scheduled actions) + type: string + status: + enum: + - COMPLETE + - EXPIRED + - CANCELLED + - FAILED + - 
IN_PROGRESS + - ROLLOUT_PASSED + type: string + type: + enum: + - UPGRADE + - UNENROLL + - SETTINGS + - POLICY_REASSIGN + - CANCEL + - FORCE_UNENROLL + - REQUEST_DIAGNOSTICS + - UPDATE_TAGS + - POLICY_CHANGE + - INPUT_ACTION + - MIGRATE + - PRIVILEGE_LEVEL_CHANGE + - ROLLBACK + type: string + version: + description: agent version number (UPGRADE action) + type: string + required: + - actionId + - nbAgentsActionCreated + - nbAgentsAck + - nbAgentsFailed + - type + - nbAgentsActioned + - status + - creationTime + maxItems: 10000 + type: array + required: + - items + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get an agent action status + tags: + - Elastic Agent actions + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/actions/{actionId}/cancel: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/actions/{actionId}/cancel
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Cancel a pending action for a specific agent.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-actions-actionid-cancel + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The ID of the action to cancel + in: path + name: actionId + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + postCancelActionRequestExample: + description: Cancel an agent action + value: {} + responses: + '200': + content: + application/json: + examples: + postCancelActionExample: + description: Cancellation action created + value: + item: + agents: + - agent-id-1 + created_at: '2024-01-01T00:00:00.000Z' + id: cancel-action-id-1 + type: CANCEL + schema: + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + ack_data: + nullable: true + agents: + items: + type: string + maxItems: 10000 type: array created_at: type: string @@ -42076,54 +36634,58 @@ paths: - message - attributes description: Bad Request - summary: Create an agent action + summary: Cancel an agent action tags: - Elastic Agent actions x-metaTags: - content: Kibana name: product_name - /api/fleet/agents/{agentId}/effective_config: + /api/fleet/agents/available_versions: get: description: |- **Spaces method and path for this operation:** -
get /s/{space_id}/api/fleet/agents/{agentId}/effective_config
+
get /s/{space_id}/api/fleet/agents/available_versions
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Get an agent's effective config by ID.

[Required authorization] Route required privileges: fleet-agents-read. - operationId: get-fleet-agents-agentid-effective-config - parameters: - - description: The agent ID to get effective config of - in: path - name: agentId - required: true - schema: - type: string + Get a list of Elastic Agent versions available for upgrade.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agents-available-versions + parameters: [] responses: '200': content: application/json: examples: - successResponse: + getAvailableVersionsExample: + description: List of available agent versions for upgrade value: - effective_config: {} + items: + - 8.17.0 + - 8.16.3 + - 8.16.2 schema: additionalProperties: false type: object properties: - effective_config: - nullable: true + items: + items: + type: string + maxItems: 10000 + type: array required: - - effective_config - description: 'OK: A successful request.' + - items + description: Successful response '400': content: application/json: examples: - badRequestResponse: + genericErrorResponseExample: + description: Example of a generic error response value: - message: Bad Request + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: additionalProperties: false description: Generic Error @@ -42142,24 +36704,24 @@ paths: required: - message - attributes - description: A bad request. - summary: Get an agent's effective config + description: Bad Request + summary: Get available agent versions tags: - Elastic Agents x-metaTags: - content: Kibana name: product_name - /api/fleet/agents/{agentId}/migrate: + /api/fleet/agents/bulk_migrate: post: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/agents/{agentId}/migrate
+
post /s/{space_id}/api/fleet/agents/bulk_migrate
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Migrate a single agent to another cluster.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-agentid-migrate + Bulk migrate agents to another cluster.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-bulk-migrate parameters: - description: A required header to protect against CSRF attacks in: header @@ -42168,19 +36730,16 @@ paths: schema: example: 'true' type: string - - description: The agent ID - in: path - name: agentId - required: true - schema: - type: string requestBody: content: application/json: examples: - postMigrateAgentRequestExample: - description: Migrate a single agent to another cluster + postBulkMigrateAgentsRequestExample: + description: Migrate multiple agents to another cluster value: + agents: + - agent-id-1 + - agent-id-2 enrollment_token: enrollment-token-value settings: retry_max: 5 @@ -42189,6 +36748,15 @@ paths: additionalProperties: false type: object properties: + agents: + anyOf: + - items: + type: string + maxItems: 10000 + type: array + - type: string + batchSize: + type: number enrollment_token: type: string settings: @@ -42219,8 +36787,6 @@ paths: type: object proxy_url: type: string - replace_token: - type: string staging: type: string tags: @@ -42232,6 +36798,7 @@ paths: format: uri type: string required: + - agents - uri - enrollment_token responses: @@ -42239,8 +36806,8 @@ paths: content: application/json: examples: - postMigrateAgentExample: - description: Agent migration initiated + postBulkMigrateAgentsExample: + description: Bulk agent migration initiated value: actionId: action-id-1 schema: @@ -42281,23 +36848,23 @@ paths: - message - attributes description: Bad Request - summary: Migrate a single agent + summary: Migrate multiple agents tags: - Elastic Agents x-metaTags: - content: Kibana name: product_name - /api/fleet/agents/{agentId}/privilege_level_change: + /api/fleet/agents/bulk_privilege_level_change: post: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/agents/{agentId}/privilege_level_change
+
post /s/{space_id}/api/fleet/agents/bulk_privilege_level_change
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Change the privilege level of a single agent to unprivileged.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-agentid-privilege-level-change + Change multiple agents' privilege level to unprivileged.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-bulk-privilege-level-change parameters: - description: A required header to protect against CSRF attacks in: header @@ -42306,27 +36873,30 @@ paths: schema: example: 'true' type: string - - description: The agent ID to change privilege level for - in: path - name: agentId - required: true - schema: - type: string requestBody: content: application/json: examples: - changeAgentPrivilegeLevelRequest: + bulkChangeAgentPrivilegeLevelRequest: value: + agents: agent user_info: groupname: groupname password: password username: username schema: additionalProperties: false - nullable: true type: object properties: + agents: + anyOf: + - items: + type: string + maxItems: 10000 + type: array + - type: string + batchSize: + type: number user_info: additionalProperties: false type: object @@ -42337,6 +36907,8 @@ paths: type: string username: type: string + required: + - agents responses: '200': content: @@ -42346,21 +36918,13 @@ paths: value: actionId: actionId schema: - anyOf: - - additionalProperties: false - type: object - properties: - actionId: - type: string - required: - - actionId - - additionalProperties: false - type: object - properties: - message: - type: string - required: - - message + additionalProperties: false + type: object + properties: + actionId: + type: string + required: + - actionId description: 'OK: A successful request.' '400': content: @@ -42388,24 +36952,24 @@ paths: - message - attributes description: A bad request. - summary: Change agent privilege level + summary: Bulk change agent privilege level tags: - Elastic Agents x-state: Technical Preview; added in 9.3.0 x-metaTags: - content: Kibana name: product_name - /api/fleet/agents/{agentId}/reassign: + /api/fleet/agents/bulk_reassign: post: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/agents/{agentId}/reassign
+
post /s/{space_id}/api/fleet/agents/bulk_reassign
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Reassign an agent to a different agent policy.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-agentid-reassign + Reassign multiple agents to a different agent policy.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-bulk-reassign parameters: - description: A required header to protect against CSRF attacks in: header @@ -42414,40 +36978,55 @@ paths: schema: example: 'true' type: string - - description: The agent ID - in: path - name: agentId - required: true - schema: - type: string requestBody: content: application/json: examples: - postReassignAgentRequestExample: - description: Reassign an agent to a different policy + postBulkReassignAgentsRequestExample: + description: Reassign multiple agents to a different policy value: + agents: + - agent-id-1 + - agent-id-2 policy_id: agent-policy-id-2 schema: additionalProperties: false type: object properties: + agents: + anyOf: + - items: + type: string + maxItems: 10000 + type: array + - type: string + batchSize: + type: number + includeInactive: + default: false + type: boolean policy_id: type: string required: - policy_id + - agents responses: '200': content: application/json: examples: - postReassignAgentExample: - description: Agent successfully reassigned - value: {} + postBulkReassignAgentsExample: + description: Bulk reassign action result + value: + actionId: action-id-1 schema: additionalProperties: false type: object - properties: {} + properties: + actionId: + type: string + required: + - actionId description: Successful response '400': content: @@ -42478,23 +37057,23 @@ paths: - message - attributes description: Bad Request - summary: Reassign an agent + summary: Bulk reassign agents tags: - Elastic Agent actions x-metaTags: - content: Kibana name: product_name - /api/fleet/agents/{agentId}/remove_collector: + /api/fleet/agents/bulk_remove_collectors: post: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/agents/{agentId}/remove_collector
+
post /s/{space_id}/api/fleet/agents/bulk_remove_collectors
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Remove a specific OpAMP collector from the Fleet agents list. Marks the collector as unenrolled. This action does not invalidate API keys, so the collector can reconnect on its own.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-agentid-remove-collector + Remove multiple OpAMP collectors from the Fleet agents list. Marks the collectors as unenrolled. This action does not invalidate API keys, so collectors can reconnect on their own.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-bulk-remove-collectors parameters: - description: A required header to protect against CSRF attacks in: header @@ -42503,20 +37082,51 @@ paths: schema: example: 'true' type: string - - description: The collector agent ID - in: path - name: agentId - required: true - schema: - type: string + requestBody: + content: + application/json: + examples: + postBulkRemoveCollectorsRequestExample: + description: Remove multiple OpAMP collectors + value: + agents: + - collector-id-1 + - collector-id-2 + schema: + additionalProperties: false + type: object + properties: + agents: + anyOf: + - items: + description: List of collector agent IDs + type: string + maxItems: 10000 + type: array + - description: KQL query string. Leave empty to target all collectors + type: string + includeInactive: + description: When passing collectors by KQL query, also removes inactive collectors + type: boolean + required: + - agents responses: '200': content: application/json: examples: - postRemoveCollectorExample: - description: Collector successfully removed - value: {} + postBulkRemoveCollectorsExample: + description: Bulk remove collectors action result + value: + actionId: action-id-1 + schema: + additionalProperties: false + type: object + properties: + actionId: + type: string + required: + - actionId description: Successful response '400': content: 
@@ -42528,25 +37138,43 @@ paths: error: Bad Request message: An error message describing what went wrong statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes description: Bad Request - summary: Remove an OpAMP collector + summary: Bulk remove OpAMP collectors tags: - Elastic Agent actions x-state: Technical Preview; added in 9.5.0 x-metaTags: - content: Kibana name: product_name - /api/fleet/agents/{agentId}/request_diagnostics: + /api/fleet/agents/bulk_request_diagnostics: post: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/agents/{agentId}/request_diagnostics
+
post /s/{space_id}/api/fleet/agents/bulk_request_diagnostics
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Request a diagnostics bundle from a specific agent.

[Required authorization] Route required privileges: fleet-agents-read. - operationId: post-fleet-agents-agentid-request-diagnostics + Request diagnostics bundles from multiple agents.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: post-fleet-agents-bulk-request-diagnostics parameters: - description: A required header to protect against CSRF attacks in: header @@ -42555,24 +37183,20 @@ paths: schema: example: 'true' type: string - - description: The agent ID - in: path - name: agentId - required: true - schema: - type: string requestBody: content: application/json: examples: - postRequestDiagnosticsRequestExample: - description: Request a diagnostics bundle from an agent + postBulkRequestDiagnosticsRequestExample: + description: Request diagnostics bundles from multiple agents value: additional_metrics: - CPU + agents: + - agent-id-1 + - agent-id-2 schema: additionalProperties: false - nullable: true type: object properties: additional_metrics: @@ -42582,13 +37206,24 @@ paths: type: string maxItems: 1 type: array + agents: + anyOf: + - items: + type: string + maxItems: 10000 + type: array + - type: string + batchSize: + type: number + required: + - agents responses: '200': content: application/json: examples: - postRequestDiagnosticsExample: - description: Diagnostics action result + postBulkRequestDiagnosticsExample: + description: Bulk diagnostics action result value: actionId: action-id-1 schema: @@ -42608,7 +37243,7 @@ paths: description: Example of a generic error response value: error: Bad Request - message: Agent agent-id-1 does not support request diagnostics action. + message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false @@ -42629,23 +37264,23 @@ paths: - message - attributes description: Bad Request - summary: Request agent diagnostics + summary: Bulk request diagnostics from agents tags: - Elastic Agent actions x-metaTags: - content: Kibana name: product_name - /api/fleet/agents/{agentId}/rollback: + /api/fleet/agents/bulk_rollback: post: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/agents/{agentId}/rollback
+
post /s/{space_id}/api/fleet/agents/bulk_rollback
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Rollback an agent to the previous version.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-agentid-rollback + Rollback multiple agents to the previous version.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-bulk-rollback parameters: - description: A required header to protect against CSRF attacks in: header @@ -42654,12 +37289,35 @@ paths: schema: example: 'true' type: string - - description: The agent ID to rollback - in: path - name: agentId - required: true - schema: - type: string + requestBody: + content: + application/json: + examples: + bulkRollbackAgentsRequest: + value: + agents: + - agent-1 + - agent-2 + batchSize: 100 + includeInactive: false + schema: + additionalProperties: false + type: object + properties: + agents: + anyOf: + - items: + type: string + maxItems: 10000 + type: array + - type: string + batchSize: + type: number + includeInactive: + default: false + type: boolean + required: + - agents responses: '200': content: @@ -42667,23 +37325,20 @@ paths: examples: successResponse: value: - actionId: actionId + actionIds: + - actionId1 + - actionId2 schema: - anyOf: - - additionalProperties: false - type: object - properties: - actionId: - type: string - required: - - actionId - - additionalProperties: false - type: object - properties: - message: - type: string - required: - - message + additionalProperties: false + type: object + properties: + actionIds: + items: + type: string + maxItems: 10000 + type: array + required: + - actionIds description: 'OK: A successful request.' '400': content: @@ -42711,24 +37366,24 @@ paths: - message - attributes description: A bad request. - summary: Rollback an agent + summary: Bulk rollback agents tags: - Elastic Agent actions x-state: Technical Preview; added in 9.4.0 x-metaTags: - content: Kibana name: product_name - /api/fleet/agents/{agentId}/unenroll: + /api/fleet/agents/bulk_unenroll: post: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/agents/{agentId}/unenroll
+
post /s/{space_id}/api/fleet/agents/bulk_unenroll
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Unenroll a specific agent, optionally revoking its enrollment API key.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-agentid-unenroll + Unenroll multiple agents, optionally revoking their enrollment API keys.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-bulk-unenroll parameters: - description: A required header to protect against CSRF attacks in: header @@ -42737,37 +37392,60 @@ paths: schema: example: 'true' type: string - - description: The agent ID - in: path - name: agentId - required: true - schema: - type: string requestBody: content: application/json: examples: - postUnenrollAgentRequestExample: - description: Unenroll an agent, optionally revoking the enrollment API key + postBulkUnenrollAgentsRequestExample: + description: Unenroll multiple agents value: + agents: + - agent-id-1 + - agent-id-2 revoke: false schema: additionalProperties: false - nullable: true type: object properties: + agents: + anyOf: + - items: + description: list of agent IDs + type: string + maxItems: 10000 + type: array + - description: KQL query string, leave empty to action all agents + type: string + batchSize: + type: number force: + description: Unenrolls hosted agents too + type: boolean + includeInactive: + description: When passing agents by KQL query, unenrolls inactive agents too type: boolean revoke: + description: Revokes API keys of agents type: boolean + required: + - agents responses: '200': content: application/json: examples: - postUnenrollAgentExample: - description: Agent successfully unenrolled - value: {} + postBulkUnenrollAgentsExample: + description: Bulk unenroll action result + value: + actionId: action-id-1 + schema: + additionalProperties: false + type: object + properties: + actionId: + type: string + required: + - actionId description: Successful response '400': content: 
@@ -42779,24 +37457,42 @@ paths: error: Bad Request message: An error message describing what went wrong statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes description: Bad Request - summary: Unenroll an agent + summary: Bulk unenroll agents tags: - Elastic Agent actions x-metaTags: - content: Kibana name: product_name - /api/fleet/agents/{agentId}/upgrade: + /api/fleet/agents/bulk_update_agent_tags: post: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/agents/{agentId}/upgrade
+
post /s/{space_id}/api/fleet/agents/bulk_update_agent_tags
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Upgrade a specific agent to a newer version.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-agentid-upgrade + Add or remove tags across multiple agents.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-bulk-update-agent-tags parameters: - description: A required header to protect against CSRF attacks in: header @@ -42805,46 +37501,65 @@ paths: schema: example: 'true' type: string - - description: The agent ID - in: path - name: agentId - required: true - schema: - type: string requestBody: content: application/json: examples: - postUpgradeAgentRequestExample: - description: Upgrade an agent to a specific version + postBulkUpdateAgentTagsRequestExample: + description: Add and remove tags across multiple agents value: - version: 8.17.0 + agents: + - agent-id-1 + - agent-id-2 + tagsToAdd: + - production + tagsToRemove: + - staging schema: additionalProperties: false type: object properties: - force: - type: boolean - skipRateLimitCheck: + agents: + anyOf: + - items: + type: string + maxItems: 10000 + type: array + - type: string + batchSize: + type: number + includeInactive: + default: false type: boolean - source_uri: - type: string - version: - type: string + tagsToAdd: + items: + type: string + maxItems: 10 + type: array + tagsToRemove: + items: + type: string + maxItems: 10 + type: array required: - - version + - agents responses: '200': content: application/json: examples: - postUpgradeAgentExample: - description: Agent upgrade initiated - value: {} + postBulkUpdateAgentTagsExample: + description: Bulk action result + value: + actionId: action-id-1 schema: additionalProperties: false type: object - properties: {} + properties: + actionId: + type: string + required: + - actionId description: Successful response '400': content: 
@@ -42875,86 +37590,92 @@ paths: - message - attributes description: Bad Request - summary: Upgrade an agent + summary: Bulk update agent tags tags: - Elastic Agent actions x-metaTags: - content: Kibana name: product_name - /api/fleet/agents/{agentId}/uploads: - get: + /api/fleet/agents/bulk_upgrade: + post: description: |- **Spaces method and path for this operation:** -
get /s/{space_id}/api/fleet/agents/{agentId}/uploads
+
post /s/{space_id}/api/fleet/agents/bulk_upgrade
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Get a list of files uploaded by a specific agent.

[Required authorization] Route required privileges: fleet-agents-read. - operationId: get-fleet-agents-agentid-uploads + Upgrade multiple agents to a newer version, with optional rollout controls.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-bulk-upgrade parameters: - - description: The agent ID - in: path - name: agentId + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: + example: 'true' type: string + requestBody: + content: + application/json: + examples: + postBulkUpgradeAgentsRequestExample: + description: Upgrade multiple agents to a specific version + value: + agents: + - agent-id-1 + - agent-id-2 + rollout_duration_seconds: 3600 + version: 8.17.0 + schema: + additionalProperties: false + type: object + properties: + agents: + anyOf: + - items: + type: string + maxItems: 10000 + type: array + - type: string + batchSize: + type: number + force: + type: boolean + includeInactive: + default: false + type: boolean + rollout_duration_seconds: + minimum: 600 + type: number + skipRateLimitCheck: + type: boolean + source_uri: + type: string + start_time: + type: string + version: + type: string + required: + - agents + - version responses: '200': content: application/json: examples: - getAgentUploadsExample: - description: List of files uploaded by the agent + postBulkUpgradeAgentsExample: + description: Bulk upgrade action result value: - items: - - actionId: action-id-1 - createTime: '2024-01-01T00:00:00.000Z' - filePath: /tmp/diagnostics-2024-01-01.zip - id: file-id-1 - name: diagnostics-2024-01-01.zip - status: READY + actionId: action-id-1 schema: additionalProperties: false type: object properties: - items: - items: - additionalProperties: false - type: object - properties: - actionId: - type: string - createTime: - type: string - error: - type: string - filePath: - type: string - id: - type: string - name: - type: string - status: - enum: - - READY - - AWAITING_UPLOAD - - DELETED - - EXPIRED - - IN_PROGRESS - - FAILED - type: string - required: - - id - - name - - filePath - - createTime - - status - - actionId - maxItems: 
10000 - type: array + actionId: + type: string required: - - items + - actionId description: Successful response '400': content: @@ -42985,183 +37706,58 @@ paths: - message - attributes description: Bad Request - summary: Get agent uploads + summary: Bulk upgrade agents tags: - - Elastic Agents + - Elastic Agent actions x-metaTags: - content: Kibana name: product_name - /api/fleet/agents/action_status: - get: + /api/fleet/agents/files/{fileId}: + delete: description: |- **Spaces method and path for this operation:** -
get /s/{space_id}/api/fleet/agents/action_status
+
delete /s/{space_id}/api/fleet/agents/files/{fileId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Get the current status of recent agent actions.

[Required authorization] Route required privileges: fleet-agents-read. - operationId: get-fleet-agents-action-status + Delete a file uploaded by an agent.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: delete-fleet-agents-files-fileid parameters: - - description: Page number - in: query - name: page - required: false - schema: - default: 0 - type: number - - description: Number of results per page - in: query - name: perPage - required: false - schema: - default: 20 - type: number - - description: Return actions created before this date - in: query - name: date - required: false + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: + example: 'true' type: string - - description: Return only the latest N actions - in: query - name: latest - required: false - schema: - type: number - - description: Number of error details to include per action - in: query - name: errorSize - required: false + - description: The ID of the uploaded file + in: path + name: fileId + required: true schema: - default: 5 - type: number + type: string responses: '200': content: application/json: examples: - getActionStatusExample: - description: Status of recent agent actions + deleteAgentUploadFileExample: + description: Uploaded file successfully deleted value: - items: - - actionId: action-id-1 - completionTime: '2024-01-01T00:05:00.000Z' - creationTime: '2024-01-01T00:00:00.000Z' - nbAgentsAck: 2 - nbAgentsActioned: 2 - nbAgentsFailed: 0 - status: COMPLETE - type: UPGRADE + deleted: true + id: file-id-1 schema: additionalProperties: false type: object properties: - items: - items: - additionalProperties: false - type: object - properties: - actionId: - type: string - cancellationTime: - type: string - completionTime: - type: string - creationTime: - description: creation time of action - type: string - expiration: - type: string - hasRolloutPeriod: - type: boolean - is_automatic: - type: boolean - latestErrors: - items: - additionalProperties: false - description: latest errors that happened when the agents executed the action - type: 
object - properties: - agentId: - type: string - error: - type: string - hostname: - type: string - timestamp: - type: string - required: - - agentId - - error - - timestamp - maxItems: 10 - type: array - nbAgentsAck: - description: number of agents that acknowledged the action - type: number - nbAgentsActionCreated: - description: number of agents included in action from kibana - type: number - nbAgentsActioned: - description: number of agents actioned - type: number - nbAgentsFailed: - description: number of agents that failed to execute the action - type: number - newPolicyId: - description: new policy id (POLICY_REASSIGN action) - type: string - policyId: - description: policy id (POLICY_CHANGE action) - type: string - revision: - description: new policy revision (POLICY_CHANGE action) - type: number - startTime: - description: start time of action (scheduled actions) - type: string - status: - enum: - - COMPLETE - - EXPIRED - - CANCELLED - - FAILED - - IN_PROGRESS - - ROLLOUT_PASSED - type: string - type: - enum: - - UPGRADE - - UNENROLL - - SETTINGS - - POLICY_REASSIGN - - CANCEL - - FORCE_UNENROLL - - REQUEST_DIAGNOSTICS - - UPDATE_TAGS - - POLICY_CHANGE - - INPUT_ACTION - - MIGRATE - - PRIVILEGE_LEVEL_CHANGE - - ROLLBACK - type: string - version: - description: agent version number (UPGRADE action) - type: string - required: - - actionId - - nbAgentsActionCreated - - nbAgentsAck - - nbAgentsFailed - - type - - nbAgentsActioned - - status - - creationTime - maxItems: 10000 - type: array + deleted: + type: boolean + id: + type: string required: - - items + - id + - deleted description: Successful response '400': content: 
@@ -43192,109 +37788,47 @@ paths: - message - attributes description: Bad Request - summary: Get an agent action status + summary: Delete an uploaded file tags: - - Elastic Agent actions + - Elastic Agents x-metaTags: - content: Kibana name: product_name - /api/fleet/agents/actions/{actionId}/cancel: - post: + /api/fleet/agents/files/{fileId}/{fileName}: + get: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/agents/actions/{actionId}/cancel
+
get /s/{space_id}/api/fleet/agents/files/{fileId}/{fileName}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Cancel a pending action for a specific agent.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-actions-actionid-cancel + Get a file uploaded by an agent.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agents-files-fileid-filename parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf + - description: The ID of the uploaded file + in: path + name: fileId required: true schema: - example: 'true' type: string - - description: The ID of the action to cancel + - description: The name of the uploaded file in: path - name: actionId + name: fileName required: true schema: type: string - requestBody: - content: - application/json: - examples: - postCancelActionRequestExample: - description: Cancel an agent action - value: {} responses: '200': content: application/json: examples: - postCancelActionExample: - description: Cancellation action created - value: - item: - agents: - - agent-id-1 - created_at: '2024-01-01T00:00:00.000Z' - id: cancel-action-id-1 - type: CANCEL + getAgentUploadFileExample: + description: The uploaded file content as a stream + value: schema: - additionalProperties: false type: object - properties: - item: - additionalProperties: false - type: object - properties: - ack_data: - nullable: true - agents: - items: - type: string - maxItems: 10000 - type: array - created_at: - type: string - data: - nullable: true - expiration: - type: string - id: - type: string - minimum_execution_duration: - type: number - namespaces: - items: - type: string - maxItems: 100 - type: array - rollout_duration_seconds: - type: number - sent_at: - type: string - source_uri: - type: string - start_time: - type: string - total: - type: number - type: - type: string - required: - - id - - type - - data - - created_at - - ack_data - required: - - item - description: Successful response + description: Successful response — returns the uploaded file content '400': content: application/json: 
@@ -43324,48 +37858,93 @@ paths: - message - attributes description: Bad Request - summary: Cancel an agent action + summary: Get an uploaded file tags: - - Elastic Agent actions + - Elastic Agents x-metaTags: - content: Kibana name: product_name - /api/fleet/agents/available_versions: + /api/fleet/agents/setup: get: description: |- **Spaces method and path for this operation:** -
get /s/{space_id}/api/fleet/agents/available_versions
+
get /s/{space_id}/api/fleet/agents/setup
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Get a list of Elastic Agent versions available for upgrade.

[Required authorization] Route required privileges: fleet-agents-read. - operationId: get-fleet-agents-available-versions + Get the current Fleet setup status, including whether Fleet is ready to enroll agents and which requirements or optional features are missing.

[Required authorization] Route required privileges: fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup. + operationId: get-fleet-agents-setup parameters: [] responses: '200': content: application/json: examples: - getAvailableVersionsExample: - description: List of available agent versions for upgrade + agentsSetupNotReadyExample: + description: Fleet is not ready — a Fleet Server and API keys are required value: - items: - - 8.17.0 - - 8.16.3 - - 8.16.2 + is_action_secrets_storage_enabled: false + is_secrets_storage_enabled: false + is_space_awareness_enabled: false + is_ssl_secrets_storage_enabled: false + isReady: false + missing_optional_features: + - encrypted_saved_object_encryption_key_required + missing_requirements: + - fleet_server + - api_keys + agentsSetupReadyExample: + description: Fleet is ready to enroll agents — all requirements are met + value: + is_action_secrets_storage_enabled: true + is_secrets_storage_enabled: true + is_space_awareness_enabled: false + is_ssl_secrets_storage_enabled: false + isReady: true + missing_optional_features: [] + missing_requirements: [] + package_verification_key_id: D88DB4CC schema: additionalProperties: false + description: A summary of the agent setup status. `isReady` indicates whether the setup is ready. If the setup is not ready, `missing_requirements` lists which requirements are missing. 
type: object properties: - items: + is_action_secrets_storage_enabled: + type: boolean + is_secrets_storage_enabled: + type: boolean + is_space_awareness_enabled: + type: boolean + is_ssl_secrets_storage_enabled: + type: boolean + isReady: + type: boolean + missing_optional_features: items: + enum: + - encrypted_saved_object_encryption_key_required type: string - maxItems: 10000 + maxItems: 1 + type: array + missing_requirements: + items: + enum: + - security_required + - tls_required + - api_keys + - fleet_admin_user + - fleet_server + type: string + maxItems: 5 type: array + package_verification_key_id: + type: string required: - - items - description: Successful response + - isReady + - missing_requirements + - missing_optional_features + description: Fleet setup status '400': content: application/json: @@ -43395,23 +37974,22 @@ paths: - message - attributes description: Bad Request - summary: Get available agent versions + summary: Get agent setup info tags: - Elastic Agents x-metaTags: - content: Kibana name: product_name - /api/fleet/agents/bulk_migrate: post: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/agents/bulk_migrate
+
post /s/{space_id}/api/fleet/agents/setup
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Bulk migrate agents to another cluster.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-bulk-migrate + Initialize Fleet. This endpoint is used by Elastic Agents to trigger Fleet setup. Safe to call multiple times; subsequent calls are idempotent.

[Required authorization] Route required privileges: fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup. + operationId: post-fleet-agents-setup parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -43420,95 +37998,41 @@ paths: schema: example: 'true' type: string - requestBody: - content: - application/json: - examples: - postBulkMigrateAgentsRequestExample: - description: Migrate multiple agents to another cluster - value: - agents: - - agent-id-1 - - agent-id-2 - enrollment_token: enrollment-token-value - settings: - retry_max: 5 - uri: https://fleet-server.example.com:8220 - schema: - additionalProperties: false - type: object - properties: - agents: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - type: string - batchSize: - type: number - enrollment_token: - type: string - settings: - additionalProperties: false - type: object - properties: - ca_sha256: - type: string - certificate_authorities: - type: string - elastic_agent_cert: - type: string - elastic_agent_cert_key: - type: string - elastic_agent_cert_key_passphrase: - type: string - headers: - additionalProperties: - type: string - type: object - insecure: - type: boolean - proxy_disabled: - type: boolean - proxy_headers: - additionalProperties: - type: string - type: object - proxy_url: - type: string - staging: - type: string - tags: - items: - type: string - maxItems: 10 - type: array - uri: - format: uri - type: string - required: - - agents - - uri - - enrollment_token responses: '200': content: application/json: examples: - postBulkMigrateAgentsExample: - description: Bulk agent migration initiated + agentsSetupSuccessExample: + description: Fleet setup initialized successfully with no non-fatal errors value: - actionId: action-id-1 + isInitialized: true + nonFatalErrors: [] schema: additionalProperties: false + description: A summary of the result of Fleet's `setup` lifecycle. If `isInitialized` is true, Fleet is ready to accept agent enrollment. `nonFatalErrors` may include useful insight into non-blocking issues with Fleet setup. 
type: object properties: - actionId: - type: string + isInitialized: + type: boolean + nonFatalErrors: + items: + additionalProperties: false + type: object + properties: + message: + type: string + name: + type: string + required: + - name + - message + maxItems: 10000 + type: array required: - - actionId - description: Successful response + - isInitialized + - nonFatalErrors + description: Fleet setup completed '400': content: application/json: @@ -43538,91 +38062,71 @@ paths: - message - attributes description: Bad Request - summary: Migrate multiple agents + summary: Initiate Fleet setup tags: - Elastic Agents x-metaTags: - content: Kibana name: product_name - /api/fleet/agents/bulk_privilege_level_change: - post: + /api/fleet/agents/tags: + get: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/agents/bulk_privilege_level_change
+
get /s/{space_id}/api/fleet/agents/tags
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Change multiple agents' privilege level to unprivileged.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-bulk-privilege-level-change + Get a list of all tags used across enrolled agents.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agents-tags parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true + - description: A KQL query string to filter results + in: query + name: kuery + required: false schema: - example: 'true' type: string - requestBody: - content: - application/json: - examples: - bulkChangeAgentPrivilegeLevelRequest: - value: - agents: agent - user_info: - groupname: groupname - password: password - username: username - schema: - additionalProperties: false - type: object - properties: - agents: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - type: string - batchSize: - type: number - user_info: - additionalProperties: false - type: object - properties: - groupname: - type: string - password: - type: string - username: - type: string - required: - - agents + - description: When true, include tags from inactive agents + in: query + name: showInactive + required: false + schema: + default: false + type: boolean responses: '200': content: application/json: examples: - successResponse: + getAgentTagsExample: + description: List of tags used across agents value: - actionId: actionId + items: + - production + - linux + - datacenter-1 schema: additionalProperties: false type: object properties: - actionId: - type: string + items: + items: + type: string + maxItems: 10000 + type: array required: - - actionId - description: 'OK: A successful request.' + - items + description: Successful response '400': content: application/json: examples: - badRequestResponse: + genericErrorResponseExample: + description: Example of a generic error response value: - message: Bad Request + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: additionalProperties: false description: Generic Error 
@@ -43641,82 +38145,59 @@ paths: required: - message - attributes - description: A bad request. - summary: Bulk change agent privilege level + description: Bad Request + summary: Get agent tags tags: - Elastic Agents - x-state: Technical Preview; added in 9.3.0 x-metaTags: - content: Kibana name: product_name - /api/fleet/agents/bulk_reassign: - post: + /api/fleet/check-permissions: + get: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/agents/bulk_reassign
+
get /s/{space_id}/api/fleet/check-permissions
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Reassign multiple agents to a different agent policy.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-bulk-reassign + Check whether the current user has the required permissions to use Fleet. Optionally verifies Fleet Server setup privileges. + operationId: get-fleet-check-permissions parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true + - description: When true, check Fleet Server setup privileges in addition to standard Fleet privileges + in: query + name: fleetServerSetup + required: false schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postBulkReassignAgentsRequestExample: - description: Reassign multiple agents to a different policy - value: - agents: - - agent-id-1 - - agent-id-2 - policy_id: agent-policy-id-2 - schema: - additionalProperties: false - type: object - properties: - agents: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - type: string - batchSize: - type: number - includeInactive: - default: false - type: boolean - policy_id: - type: string - required: - - policy_id - - agents + type: boolean responses: '200': content: application/json: examples: - postBulkReassignAgentsExample: - description: Bulk reassign action result + checkPermissionsMissingPrivilegesExample: + description: The current user is missing Fleet privileges value: - actionId: action-id-1 + error: MISSING_PRIVILEGES + success: false + checkPermissionsSuccessExample: + description: The current user has all required Fleet permissions + value: + success: true schema: additionalProperties: false type: object properties: - actionId: + error: + enum: + - MISSING_SECURITY + - MISSING_PRIVILEGES + - MISSING_FLEET_SERVER_SETUP_PRIVILEGES type: string + success: + type: boolean required: - - actionId + - success description: Successful response '400': content: 
@@ -43747,76 +38228,106 @@ paths: - message - attributes description: Bad Request - summary: Bulk reassign agents + summary: Check permissions tags: - - Elastic Agent actions + - Fleet internals x-metaTags: - content: Kibana name: product_name - /api/fleet/agents/bulk_remove_collectors: - post: + /api/fleet/cloud_connectors: + get: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/agents/bulk_remove_collectors
+
get /s/{space_id}/api/fleet/cloud_connectors
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Remove multiple OpAMP collectors from the Fleet agents list. Marks the collectors as unenrolled. This action does not invalidate API keys, so collectors can reconnect on their own.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-bulk-remove-collectors + List all Fleet cloud connectors.

[Required authorization] Route required privileges: fleet-agent-policies-read OR integrations-read. + operationId: get-fleet-cloud-connectors parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true + - description: The page number for pagination. + in: query + name: page + required: false + schema: + type: string + - description: The number of items per page. + in: query + name: perPage + required: false + schema: + type: string + - description: KQL query to filter cloud connectors. + in: query + name: kuery + required: false schema: - example: 'true' type: string - requestBody: - content: - application/json: - examples: - postBulkRemoveCollectorsRequestExample: - description: Remove multiple OpAMP collectors - value: - agents: - - collector-id-1 - - collector-id-2 - schema: - additionalProperties: false - type: object - properties: - agents: - anyOf: - - items: - description: List of collector agent IDs - type: string - maxItems: 10000 - type: array - - description: KQL query string. 
Leave empty to target all collectors - type: string - includeInactive: - description: When passing collectors by KQL query, also removes inactive collectors - type: boolean - required: - - agents responses: '200': content: application/json: examples: - postBulkRemoveCollectorsExample: - description: Bulk remove collectors action result + getCloudConnectorsExample: + description: List of Fleet cloud connectors value: - actionId: action-id-1 + items: + - accountType: single-account + cloudProvider: aws + created_at: '2024-01-15T10:00:00.000Z' + id: cloud-connector-id-1 + name: My AWS connector + packagePolicyCount: 2 + updated_at: '2024-01-15T10:00:00.000Z' + vars: {} schema: additionalProperties: false type: object properties: - actionId: - type: string + items: + items: + additionalProperties: false + type: object + properties: + accountType: + type: string + cloudProvider: + type: string + created_at: + type: string + id: + type: string + name: + type: string + namespace: + type: string + packagePolicyCount: + type: number + updated_at: + type: string + vars: + additionalProperties: + nullable: true + type: object + verification_failed_at: + type: string + verification_started_at: + type: string + verification_status: + type: string + required: + - id + - name + - cloudProvider + - vars + - packagePolicyCount + - created_at + - updated_at + maxItems: 10000 + type: array required: - - actionId + - items description: Successful response '400': content: @@ -43847,24 +38358,23 @@ paths: - message - attributes description: Bad Request - summary: Bulk remove OpAMP collectors + summary: Get cloud connectors tags: - - Elastic Agent actions - x-state: Technical Preview; added in 9.5.0 + - Fleet cloud connectors + x-state: Technical Preview; added in 9.2.0 x-metaTags: - content: Kibana name: product_name - /api/fleet/agents/bulk_request_diagnostics: post: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/agents/bulk_request_diagnostics
+
post /s/{space_id}/api/fleet/cloud_connectors
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Request diagnostics bundles from multiple agents.

[Required authorization] Route required privileges: fleet-agents-read. - operationId: post-fleet-agents-bulk-request-diagnostics + Create a new Fleet cloud connector.

[Required authorization] Route required privileges: fleet-agent-policies-all OR integrations-all. + operationId: post-fleet-cloud-connectors parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -43877,53 +38387,134 @@ paths: content: application/json: examples: - postBulkRequestDiagnosticsRequestExample: - description: Request diagnostics bundles from multiple agents + postCloudConnectorRequestExample: + description: Create a new AWS cloud connector value: - additional_metrics: - - CPU - agents: - - agent-id-1 - - agent-id-2 + accountType: single-account + cloudProvider: aws + name: My AWS connector + vars: {} schema: additionalProperties: false type: object properties: - additional_metrics: - items: - enum: - - CPU - type: string - maxItems: 1 - type: array - agents: - anyOf: - - items: + accountType: + description: 'The account type: single-account (single account/subscription) or organization-account (organization-wide).' + enum: + - single-account + - organization-account + type: string + cloudProvider: + description: 'The cloud provider type: aws, azure, or gcp.' + enum: + - aws + - azure + - gcp + type: string + name: + description: The name of the cloud connector. + maxLength: 255 + minLength: 1 + type: string + vars: + additionalProperties: + anyOf: + - maxLength: 1000 type: string - maxItems: 10000 - type: array - - type: string - batchSize: - type: number + - type: number + - type: boolean + - additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + maxLength: 50 + type: string + value: + anyOf: + - maxLength: 1000 + type: string + - additionalProperties: false + type: object + properties: + id: + maxLength: 255 + type: string + isSecretRef: + type: boolean + required: + - isSecretRef + - id + required: + - type + - value + type: object required: - - agents + - name + - cloudProvider + - vars responses: '200': content: application/json: examples: - postBulkRequestDiagnosticsExample: - description: Bulk diagnostics action result + postCloudConnectorExample: + description: The created Fleet cloud connector value: - actionId: action-id-1 + item: + accountType: single-account + cloudProvider: aws + created_at: 
'2024-01-15T10:00:00.000Z' + id: cloud-connector-id-2 + name: My AWS connector + packagePolicyCount: 0 + updated_at: '2024-01-15T10:00:00.000Z' + vars: {} schema: additionalProperties: false type: object properties: - actionId: - type: string + item: + additionalProperties: false + type: object + properties: + accountType: + type: string + cloudProvider: + type: string + created_at: + type: string + id: + type: string + name: + type: string + namespace: + type: string + packagePolicyCount: + type: number + updated_at: + type: string + vars: + additionalProperties: + nullable: true + type: object + verification_failed_at: + type: string + verification_started_at: + type: string + verification_status: + type: string + required: + - id + - name + - cloudProvider + - vars + - packagePolicyCount + - created_at + - updated_at required: - - actionId + - item description: Successful response '400': content: @@ -43954,23 +38545,24 @@ paths: - message - attributes description: Bad Request - summary: Bulk request diagnostics from agents + summary: Create cloud connector tags: - - Elastic Agent actions + - Fleet cloud connectors + x-state: Technical Preview; added in 9.2.0 x-metaTags: - content: Kibana name: product_name - /api/fleet/agents/bulk_rollback: - post: + /api/fleet/cloud_connectors/{cloudConnectorId}: + delete: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/agents/bulk_rollback
+
delete /s/{space_id}/api/fleet/cloud_connectors/{cloudConnectorId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Rollback multiple agents to the previous version.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-bulk-rollback + Delete a cloud connector by ID. Use the `force` query parameter to delete even if package policies are still using it.

[Required authorization] Route required privileges: fleet-agent-policies-all OR integrations-all. + operationId: delete-fleet-cloud-connectors-cloudconnectorid parameters: - description: A required header to protect against CSRF attacks in: header @@ -43979,64 +38571,46 @@ paths: schema: example: 'true' type: string - requestBody: - content: - application/json: - examples: - bulkRollbackAgentsRequest: - value: - agents: - - agent-1 - - agent-2 - batchSize: 100 - includeInactive: false - schema: - additionalProperties: false - type: object - properties: - agents: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - type: string - batchSize: - type: number - includeInactive: - default: false - type: boolean - required: - - agents + - description: The unique identifier of the cloud connector to delete. + in: path + name: cloudConnectorId + required: true + schema: + type: string + - description: If true, forces deletion even if the cloud connector is in use. + in: query + name: force + required: false + schema: + type: boolean responses: '200': content: application/json: examples: - successResponse: + deleteCloudConnectorExample: + description: The cloud connector was successfully deleted value: - actionIds: - - actionId1 - - actionId2 + id: cloud-connector-id-1 schema: additionalProperties: false type: object properties: - actionIds: - items: - type: string - maxItems: 10000 - type: array + id: + type: string required: - - actionIds - description: 'OK: A successful request.' + - id + description: Successful response '400': content: application/json: examples: - badRequestResponse: + genericErrorResponseExample: + description: Example of a generic error response value: - message: Bad Request + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: additionalProperties: false description: Generic Error 
@@ -44055,87 +38629,92 @@ paths: required: - message - attributes - description: A bad request. - summary: Bulk rollback agents + description: Bad Request + summary: Delete cloud connector (supports force deletion) tags: - - Elastic Agent actions - x-state: Technical Preview; added in 9.4.0 + - Fleet cloud connectors + x-state: Technical Preview; added in 9.2.0 x-metaTags: - content: Kibana name: product_name - /api/fleet/agents/bulk_unenroll: - post: + get: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/agents/bulk_unenroll
+
get /s/{space_id}/api/fleet/cloud_connectors/{cloudConnectorId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Unenroll multiple agents, optionally revoking their enrollment API keys.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-bulk-unenroll + Get a cloud connector by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read OR integrations-read. + operationId: get-fleet-cloud-connectors-cloudconnectorid parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf + - description: The unique identifier of the cloud connector. + in: path + name: cloudConnectorId required: true schema: - example: 'true' type: string - requestBody: - content: - application/json: - examples: - postBulkUnenrollAgentsRequestExample: - description: Unenroll multiple agents - value: - agents: - - agent-id-1 - - agent-id-2 - revoke: false - schema: - additionalProperties: false - type: object - properties: - agents: - anyOf: - - items: - description: list of agent IDs - type: string - maxItems: 10000 - type: array - - description: KQL query string, leave empty to action all agents - type: string - batchSize: - type: number - force: - description: Unenrolls hosted agents too - type: boolean - includeInactive: - description: When passing agents by KQL query, unenrolls inactive agents too - type: boolean - revoke: - description: Revokes API keys of agents - type: boolean - required: - - agents responses: '200': content: application/json: examples: - postBulkUnenrollAgentsExample: - description: Bulk unenroll action result + getCloudConnectorExample: + description: A Fleet cloud connector value: - actionId: action-id-1 + item: + accountType: single-account + cloudProvider: aws + created_at: '2024-01-15T10:00:00.000Z' + id: cloud-connector-id-1 + name: My AWS connector + packagePolicyCount: 2 + updated_at: '2024-01-15T10:00:00.000Z' + vars: {} schema: additionalProperties: false type: object properties: - actionId: - type: string + item: + additionalProperties: false + type: object + properties: + accountType: + type: string + cloudProvider: + type: string + created_at: + type: string + id: + type: string + name: + type: string + namespace: + type: string + packagePolicyCount: + type: number 
+ updated_at: + type: string + vars: + additionalProperties: + nullable: true + type: object + verification_failed_at: + type: string + verification_started_at: + type: string + verification_status: + type: string + required: + - id + - name + - cloudProvider + - vars + - packagePolicyCount + - created_at + - updated_at required: - - actionId + - item description: Successful response '400': content: @@ -44166,23 +38745,23 @@ paths: - message - attributes description: Bad Request - summary: Bulk unenroll agents + summary: Get cloud connector tags: - - Elastic Agent actions + - Fleet cloud connectors + x-state: Technical Preview; added in 9.2.0 x-metaTags: - content: Kibana name: product_name - /api/fleet/agents/bulk_update_agent_tags: - post: + put: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/agents/bulk_update_agent_tags
+
put /s/{space_id}/api/fleet/cloud_connectors/{cloudConnectorId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Add or remove tags across multiple agents.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-bulk-update-agent-tags + Update a cloud connector by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all OR integrations-all. + operationId: put-fleet-cloud-connectors-cloudconnectorid parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -44191,65 +38770,131 @@ paths: schema: example: 'true' type: string + - description: The unique identifier of the cloud connector to update. + in: path + name: cloudConnectorId + required: true + schema: + type: string requestBody: content: application/json: examples: - postBulkUpdateAgentTagsRequestExample: - description: Add and remove tags across multiple agents + putCloudConnectorRequestExample: + description: Update a Fleet cloud connector value: - agents: - - agent-id-1 - - agent-id-2 - tagsToAdd: - - production - tagsToRemove: - - staging + name: Updated AWS connector + vars: {} schema: additionalProperties: false type: object properties: - agents: - anyOf: - - items: + accountType: + description: 'The account type: single-account (single account/subscription) or organization-account (organization-wide).' + enum: + - single-account + - organization-account + type: string + name: + description: The name of the cloud connector. + maxLength: 255 + minLength: 1 + type: string + vars: + additionalProperties: + anyOf: + - maxLength: 1000 type: string - maxItems: 10000 - type: array - - type: string - batchSize: - type: number - includeInactive: - default: false - type: boolean - tagsToAdd: - items: - type: string - maxItems: 10 - type: array - tagsToRemove: - items: - type: string - maxItems: 10 - type: array - required: - - agents + - type: number + - type: boolean + - additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + maxLength: 50 + type: string + value: + anyOf: + - maxLength: 1000 + type: string + - additionalProperties: false + type: object + properties: + id: + maxLength: 255 + type: string + isSecretRef: + type: boolean + required: + - isSecretRef + - id + required: + - type + - value + type: object responses: '200': content: application/json: examples: - postBulkUpdateAgentTagsExample: - description: Bulk action result + putCloudConnectorExample: + description: The updated Fleet cloud connector value: - 
actionId: action-id-1 + item: + accountType: single-account + cloudProvider: aws + created_at: '2024-01-15T10:00:00.000Z' + id: cloud-connector-id-1 + name: Updated AWS connector + packagePolicyCount: 2 + updated_at: '2024-01-15T11:00:00.000Z' + vars: {} schema: additionalProperties: false type: object properties: - actionId: - type: string - required: - - actionId + item: + additionalProperties: false + type: object + properties: + accountType: + type: string + cloudProvider: + type: string + created_at: + type: string + id: + type: string + name: + type: string + namespace: + type: string + packagePolicyCount: + type: number + updated_at: + type: string + vars: + additionalProperties: + nullable: true + type: object + verification_failed_at: + type: string + verification_started_at: + type: string + verification_status: + type: string + required: + - id + - name + - cloudProvider + - vars + - packagePolicyCount + - created_at + - updated_at + required: + - item description: Successful response '400': content: @@ -44280,93 +38925,124 @@ paths: - message - attributes description: Bad Request - summary: Bulk update agent tags + summary: Update cloud connector tags: - - Elastic Agent actions + - Fleet cloud connectors + x-state: Technical Preview; added in 9.2.0 x-metaTags: - content: Kibana name: product_name - /api/fleet/agents/bulk_upgrade: - post: + /api/fleet/cloud_connectors/{cloudConnectorId}/usage: + get: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/agents/bulk_upgrade
+
get /s/{space_id}/api/fleet/cloud_connectors/{cloudConnectorId}/usage
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Upgrade multiple agents to a newer version, with optional rollout controls.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-bulk-upgrade + Get a list of package policies that are using a given cloud connector.

[Required authorization] Route required privileges: fleet-agent-policies-read OR integrations-read. + operationId: get-fleet-cloud-connectors-cloudconnectorid-usage parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf + - description: The unique identifier of the cloud connector. + in: path + name: cloudConnectorId required: true schema: - example: 'true' type: string - requestBody: - content: - application/json: - examples: - postBulkUpgradeAgentsRequestExample: - description: Upgrade multiple agents to a specific version - value: - agents: - - agent-id-1 - - agent-id-2 - rollout_duration_seconds: 3600 - version: 8.17.0 - schema: - additionalProperties: false - type: object - properties: - agents: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - type: string - batchSize: - type: number - force: - type: boolean - includeInactive: - default: false - type: boolean - rollout_duration_seconds: - minimum: 600 - type: number - skipRateLimitCheck: - type: boolean - source_uri: - type: string - start_time: - type: string - version: - type: string - required: - - agents - - version + - description: The page number for pagination. + in: query + name: page + required: false + schema: + minimum: 1 + type: number + - description: The number of items per page. 
+ in: query + name: perPage + required: false + schema: + minimum: 1 + type: number responses: '200': content: application/json: examples: - postBulkUpgradeAgentsExample: - description: Bulk upgrade action result + getCloudConnectorUsageResponseExample: + description: Example response showing package policies using the cloud connector value: - actionId: action-id-1 + items: + - created_at: '2025-01-16T09:00:00.000Z' + id: package-policy-1 + name: CSPM AWS Policy + package: + name: cloud_security_posture + title: Cloud Security Posture Management + version: 3.1.1 + policy_ids: + - policy-id-123 + - policy-id-456 + updated_at: '2025-01-16T09:00:00.000Z' + page: 1 + perPage: 20 + total: 2 schema: additionalProperties: false type: object properties: - actionId: - type: string + items: + items: + additionalProperties: false + type: object + properties: + created_at: + type: string + id: + type: string + name: + type: string + package: + additionalProperties: false + type: object + properties: + name: + type: string + title: + type: string + version: + type: string + required: + - name + - title + - version + policy_ids: + items: + type: string + maxItems: 10000 + type: array + updated_at: + type: string + required: + - id + - name + - policy_ids + - created_at + - updated_at + maxItems: 10000 + type: array + page: + type: number + perPage: + type: number + total: + type: number required: - - actionId - description: Successful response + - items + - total + - page + - perPage + description: 'OK: A successful request.' '400': content: application/json: @@ -44375,7 +39051,7 @@ paths: description: Example of a generic error response value: error: Bad Request - message: An error message describing what went wrong + message: Cloud connector not found statusCode: 400 schema: additionalProperties: false 
@@ -44395,59 +39071,130 @@ paths: required: - message - attributes - description: Bad Request - summary: Bulk upgrade agents + description: A bad request. + summary: Get cloud connector usage (package policies using the connector) tags: - - Elastic Agent actions + - Fleet cloud connectors + x-state: Technical Preview; added in 9.2.0 x-metaTags: - content: Kibana name: product_name - /api/fleet/agents/files/{fileId}: - delete: + /api/fleet/data_streams: + get: description: |- **Spaces method and path for this operation:** -
delete /s/{space_id}/api/fleet/agents/files/{fileId}
+
get /s/{space_id}/api/fleet/data_streams
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Delete a file uploaded by an agent.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: delete-fleet-agents-files-fileid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The ID of the uploaded file - in: path - name: fileId - required: true - schema: - type: string + List all Fleet-managed data streams with metadata including package, namespace, size, and last activity.

[Required authorization] Route required privileges: fleet-agents-all AND fleet-agent-policies-all AND fleet-settings-all. + operationId: get-fleet-data-streams + parameters: [] responses: '200': content: application/json: examples: - deleteAgentUploadFileExample: - description: Uploaded file successfully deleted + getDataStreamsExample: + description: List of Fleet-managed data streams value: - deleted: true - id: file-id-1 + data_streams: + - dashboards: + - id: nginx-overview + title: Nginx Overview + dataset: nginx.access + index: logs-nginx.access-default + last_activity_ms: 1700000000000 + namespace: default + package: nginx + package_version: 1.20.0 + serviceDetails: null + size_in_bytes: 1048576 + size_in_bytes_formatted: 1mb + type: logs + - dashboards: [] + dataset: system.cpu + index: metrics-system.cpu-default + last_activity_ms: 1699999000000 + namespace: default + package: system + package_version: 1.38.0 + serviceDetails: null + size_in_bytes: 524288 + size_in_bytes_formatted: 512kb + type: metrics schema: additionalProperties: false type: object properties: - deleted: - type: boolean - id: - type: string + data_streams: + items: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + title: + type: string + required: + - id + - title + maxItems: 10000 + type: array + dataset: + type: string + index: + type: string + last_activity_ms: + type: number + namespace: + type: string + package: + type: string + package_version: + type: string + serviceDetails: + additionalProperties: false + nullable: true + type: object + properties: + environment: + type: string + serviceName: + type: string + required: + - environment + - serviceName + size_in_bytes: + type: number + size_in_bytes_formatted: + anyOf: + - type: number + - type: string + type: + type: string + required: + - index + - dataset + - namespace + - type + - package + - package_version + - 
last_activity_ms + - size_in_bytes + - size_in_bytes_formatted + - dashboards + - serviceDetails + maxItems: 10000 + type: array required: - - id - - deleted + - data_streams description: Successful response '400': content: @@ -44478,34 +39225,42 @@ paths: - message - attributes description: Bad Request - summary: Delete an uploaded file + summary: Get data streams tags: - - Elastic Agents + - Data streams x-metaTags: - content: Kibana name: product_name - /api/fleet/agents/files/{fileId}/{fileName}: + /api/fleet/enrollment_api_keys: get: description: |- **Spaces method and path for this operation:** -
get /s/{space_id}/api/fleet/agents/files/{fileId}/{fileName}
+
get /s/{space_id}/api/fleet/enrollment_api_keys
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Get a file uploaded by an agent.

[Required authorization] Route required privileges: fleet-agents-read. - operationId: get-fleet-agents-files-fileid-filename + List all enrollment API keys.

[Required authorization] Route required privileges: fleet-agents-all OR fleet-setup. + operationId: get-fleet-enrollment-api-keys parameters: - - description: The ID of the uploaded file - in: path - name: fileId - required: true + - description: Page number + in: query + name: page + required: false schema: - type: string - - description: The name of the uploaded file - in: path - name: fileName - required: true + default: 1 + type: number + - description: Number of results per page + in: query + name: perPage + required: false + schema: + default: 20 + type: number + - description: A KQL query string to filter results + in: query + name: kuery + required: false schema: type: string responses: @@ -44513,12 +39268,56 @@ paths: content: application/json: examples: - getAgentUploadFileExample: - description: The uploaded file content as a stream - value: + getEnrollmentApiKeysExample: + description: List of enrollment API keys + value: + items: + - active: true + api_key: api-key-value-1 + api_key_id: api-key-id-1 + created_at: '2024-01-01T00:00:00.000Z' + id: key-id-1 + name: Default policy enrollment key + policy_id: policy-id-1 + list: + - active: true + api_key: api-key-value-1 + api_key_id: api-key-id-1 + created_at: '2024-01-01T00:00:00.000Z' + id: key-id-1 + name: Default policy enrollment key + policy_id: policy-id-1 + page: 1 + perPage: 20 + total: 1 schema: + additionalProperties: false type: object - description: Successful response — returns the uploaded file content + properties: + items: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_enrollment_api_key' + maxItems: 10000 + type: array + list: + deprecated: true + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_enrollment_api_key' + maxItems: 10000 + type: array + page: + type: number + perPage: + type: number + total: + type: number + required: + - items + - total + - page + - perPage + - list + description: Successful response '400': content: application/json: 
@@ -44548,93 +39347,149 @@ paths: - message - attributes description: Bad Request - summary: Get an uploaded file + summary: Get enrollment API keys tags: - - Elastic Agents + - Fleet enrollment API keys x-metaTags: - content: Kibana name: product_name - /api/fleet/agents/setup: - get: + post: description: |- **Spaces method and path for this operation:** -
get /s/{space_id}/api/fleet/agents/setup
+
post /s/{space_id}/api/fleet/enrollment_api_keys
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Get the current Fleet setup status, including whether Fleet is ready to enroll agents and which requirements or optional features are missing.

[Required authorization] Route required privileges: fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup. - operationId: get-fleet-agents-setup - parameters: [] + Create an enrollment API key for a given agent policy.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-enrollment-api-keys + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + postEnrollmentApiKeyRequestExample: + description: Create an enrollment API key for an agent policy + value: + expiration: '2025-01-01T00:00:00.000Z' + name: My enrollment key + policy_id: policy-id-1 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_enrollment_api_key' responses: '200': content: application/json: examples: - agentsSetupNotReadyExample: - description: Fleet is not ready — a Fleet Server and API keys are required + postEnrollmentApiKeyExample: + description: The created enrollment API key value: - is_action_secrets_storage_enabled: false - is_secrets_storage_enabled: false - is_space_awareness_enabled: false - is_ssl_secrets_storage_enabled: false - isReady: false - missing_optional_features: - - encrypted_saved_object_encryption_key_required - missing_requirements: - - fleet_server - - api_keys - agentsSetupReadyExample: - description: Fleet is ready to enroll agents — all requirements are met + action: created + item: + active: true + api_key: api-key-value-1 + api_key_id: api-key-id-1 + created_at: '2024-01-01T00:00:00.000Z' + id: key-id-1 + name: My enrollment key + policy_id: policy-id-1 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_enrollment_api_key_response' + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response value: - is_action_secrets_storage_enabled: true - is_secrets_storage_enabled: true - is_space_awareness_enabled: false - is_ssl_secrets_storage_enabled: false - isReady: true - missing_optional_features: [] - missing_requirements: [] - 
package_verification_key_id: D88DB4CC + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: additionalProperties: false - description: A summary of the agent setup status. `isReady` indicates whether the setup is ready. If the setup is not ready, `missing_requirements` lists which requirements are missing. + description: Generic Error type: object properties: - is_action_secrets_storage_enabled: - type: boolean - is_secrets_storage_enabled: - type: boolean - is_space_awareness_enabled: - type: boolean - is_ssl_secrets_storage_enabled: - type: boolean - isReady: - type: boolean - missing_optional_features: - items: - enum: - - encrypted_saved_object_encryption_key_required - type: string - maxItems: 1 - type: array - missing_requirements: - items: - enum: - - security_required - - tls_required - - api_keys - - fleet_admin_user - - fleet_server - type: string - maxItems: 5 - type: array - package_verification_key_id: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: type: string + statusCode: + type: number required: - - isReady - - missing_requirements - - missing_optional_features - description: Fleet setup status + - message + - attributes + description: Bad Request + summary: Create an enrollment API key + tags: + - Fleet enrollment API keys + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/enrollment_api_keys/_bulk_delete: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/enrollment_api_keys/_bulk_delete
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Revoke or delete multiple enrollment API keys.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-enrollment-api-keys-bulk-delete + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + bulkDeleteByIdsExample: + description: Bulk delete enrollment API keys by IDs + value: + forceDelete: true + tokenIds: + - token-id-1 + - token-id-2 + bulkDeleteByKueryExample: + description: Bulk delete enrollment API keys by KQL query + value: + forceDelete: false + kuery: policy_id:"policy-id-1" + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_delete_enrollment_api_keys_request' + responses: + '200': + content: + application/json: + examples: + bulkDeleteEnrollmentApiKeysExample: + description: The enrollment API keys were successfully processed + value: + action: deleted + count: 2 + errorCount: 0 + successCount: 2 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_delete_enrollment_api_keys_response' + description: Successful response '400': content: application/json: @@ -44643,7 +39498,7 @@ paths: description: Example of a generic error response value: error: Bad Request - message: An error message describing what went wrong + message: Either tokenIds or kuery must be provided statusCode: 400 schema: additionalProperties: false @@ -44664,22 +39519,24 @@ paths: - message - attributes description: Bad Request - summary: Get agent setup info + summary: Bulk revoke or delete enrollment API keys tags: - - Elastic Agents + - Fleet enrollment API keys + x-state: Generally available; added in 9.5.0 x-metaTags: - content: Kibana name: product_name - post: + /api/fleet/enrollment_api_keys/{keyId}: + delete: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/agents/setup
+
delete /s/{space_id}/api/fleet/enrollment_api_keys/{keyId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Initialize Fleet. This endpoint is used by Elastic Agents to trigger Fleet setup. Safe to call multiple times; subsequent calls are idempotent.

[Required authorization] Route required privileges: fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup. - operationId: post-fleet-agents-setup + Revoke or delete an enrollment API key by ID. Use `forceDelete=true` to remove the document.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: delete-fleet-enrollment-api-keys-keyid parameters: - description: A required header to protect against CSRF attacks in: header @@ -44688,41 +39545,38 @@ paths: schema: example: 'true' type: string + - description: The ID of the enrollment API key + in: path + name: keyId + required: true + schema: + type: string + - description: When false (default), invalidate the API key and mark the token as inactive. When true, also delete the token document. + in: query + name: forceDelete + required: false + schema: + default: false + type: boolean + - description: When true, allow deletion of hidden enrollment tokens (managed/agentless policies). Defaults to false. + in: query + name: includeHidden + required: false + schema: + default: false + type: boolean responses: '200': content: application/json: examples: - agentsSetupSuccessExample: - description: Fleet setup initialized successfully with no non-fatal errors + deleteEnrollmentApiKeyExample: + description: The enrollment API key was successfully revoked value: - isInitialized: true - nonFatalErrors: [] + action: deleted schema: - additionalProperties: false - description: A summary of the result of Fleet's `setup` lifecycle. If `isInitialized` is true, Fleet is ready to accept agent enrollment. `nonFatalErrors` may include useful insight into non-blocking issues with Fleet setup. - type: object - properties: - isInitialized: - type: boolean - nonFatalErrors: - items: - additionalProperties: false - type: object - properties: - message: - type: string - name: - type: string - required: - - name - - message - maxItems: 10000 - type: array - required: - - isInitialized - - nonFatalErrors - description: Fleet setup completed + $ref: '#/components/schemas/Kibana_HTTP_APIs_delete_enrollment_api_key_response' + description: Successful response '400': content: application/json: 
@@ -44752,60 +39606,58 @@ paths: - message - attributes description: Bad Request - summary: Initiate Fleet setup + '404': + content: + application/json: + examples: + notFoundExample: + description: No enrollment API key was found with the given ID + value: + error: Not Found + message: EnrollmentAPIKey key-id-1 not found + statusCode: 404 + description: Not Found + summary: Revoke or delete an enrollment API key tags: - - Elastic Agents + - Fleet enrollment API keys x-metaTags: - content: Kibana name: product_name - /api/fleet/agents/tags: get: description: |- **Spaces method and path for this operation:** -
get /s/{space_id}/api/fleet/agents/tags
+
get /s/{space_id}/api/fleet/enrollment_api_keys/{keyId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Get a list of all tags used across enrolled agents.

[Required authorization] Route required privileges: fleet-agents-read. - operationId: get-fleet-agents-tags + Get an enrollment API key by ID.

[Required authorization] Route required privileges: fleet-agents-all OR fleet-setup. + operationId: get-fleet-enrollment-api-keys-keyid parameters: - - description: A KQL query string to filter results - in: query - name: kuery - required: false + - description: The ID of the enrollment API key + in: path + name: keyId + required: true schema: type: string - - description: When true, include tags from inactive agents - in: query - name: showInactive - required: false - schema: - default: false - type: boolean responses: '200': content: application/json: examples: - getAgentTagsExample: - description: List of tags used across agents + getEnrollmentApiKeyExample: + description: An enrollment API key value: - items: - - production - - linux - - datacenter-1 + item: + active: true + api_key: api-key-value-1 + api_key_id: api-key-id-1 + created_at: '2024-01-01T00:00:00.000Z' + id: key-id-1 + name: Default policy enrollment key + policy_id: policy-id-1 schema: - additionalProperties: false - type: object - properties: - items: - items: - type: string - maxItems: 10000 - type: array - required: - - items + $ref: '#/components/schemas/Kibana_HTTP_APIs_enrollment_api_key_response' description: Successful response '400': content: @@ -44836,58 +39688,72 @@ paths: - message - attributes description: Bad Request - summary: Get agent tags + '404': + content: + application/json: + examples: + notFoundExample: + description: No enrollment API key was found with the given ID + value: + error: Not Found + message: EnrollmentAPIKey key-id-1 not found + statusCode: 404 + description: Not Found + summary: Get an enrollment API key tags: - - Elastic Agents + - Fleet enrollment API keys x-metaTags: - content: Kibana name: product_name - /api/fleet/check-permissions: - get: + /api/fleet/epm/bulk_assets: + post: description: |- **Spaces method and path for this operation:** -
get /s/{space_id}/api/fleet/check-permissions
+
post /s/{space_id}/api/fleet/epm/bulk_assets
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Check whether the current user has the required permissions to use Fleet. Optionally verifies Fleet Server setup privileges. - operationId: get-fleet-check-permissions + Retrieve multiple Kibana saved object assets by their IDs and types.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: post-fleet-epm-bulk-assets parameters: - - description: When true, check Fleet Server setup privileges in addition to standard Fleet privileges - in: query - name: fleetServerSetup - required: false + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - type: boolean + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + postBulkGetAssetsRequestExample: + description: Retrieve multiple assets by their IDs and types + value: + assetIds: + - id: dashboard-id-1 + type: dashboard + - id: index-pattern-id-1 + type: index_pattern + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_bulk_assets_request' responses: '200': content: application/json: examples: - checkPermissionsMissingPrivilegesExample: - description: The current user is missing Fleet privileges - value: - error: MISSING_PRIVILEGES - success: false - checkPermissionsSuccessExample: - description: The current user has all required Fleet permissions + postBulkGetAssetsExample: + description: Requested assets value: - success: true + items: + - appLink: /app/dashboards#/view/dashboard-id-1 + attributes: + title: My Dashboard + id: dashboard-id-1 + type: dashboard schema: - additionalProperties: false - type: object - properties: - error: - enum: - - MISSING_SECURITY - - MISSING_PRIVILEGES - - MISSING_FLEET_SERVER_SETUP_PRIVILEGES - type: string - success: - type: boolean - required: - - success + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_bulk_assets_response' description: Successful response '400': content: 
@@ -44918,106 +39784,53 @@ paths: - message - attributes description: Bad Request - summary: Check permissions + summary: Bulk get assets tags: - - Fleet internals + - Elastic Package Manager (EPM) x-metaTags: - content: Kibana name: product_name - /api/fleet/cloud_connectors: + /api/fleet/epm/categories: get: description: |- **Spaces method and path for this operation:** -
get /s/{space_id}/api/fleet/cloud_connectors
+
get /s/{space_id}/api/fleet/epm/categories
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - List all Fleet cloud connectors.

[Required authorization] Route required privileges: fleet-agent-policies-read OR integrations-read. - operationId: get-fleet-cloud-connectors + Get a list of integration categories.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-categories parameters: - - description: The page number for pagination. - in: query - name: page - required: false - schema: - type: string - - description: The number of items per page. + - description: When true, include prerelease packages in the results in: query - name: perPage + name: prerelease required: false schema: - type: string - - description: KQL query to filter cloud connectors. + type: boolean + - description: When true, include categories that only contain policy templates in: query - name: kuery + name: include_policy_templates required: false schema: - type: string + type: boolean responses: '200': content: application/json: examples: - getCloudConnectorsExample: - description: List of Fleet cloud connectors + getCategoriesExample: + description: List of integration categories value: items: - - accountType: single-account - cloudProvider: aws - created_at: '2024-01-15T10:00:00.000Z' - id: cloud-connector-id-1 - name: My AWS connector - packagePolicyCount: 2 - updated_at: '2024-01-15T10:00:00.000Z' - vars: {} + - count: 42 + id: security + title: Security + - count: 38 + id: observability + title: Observability schema: - additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: false - type: object - properties: - accountType: - type: string - cloudProvider: - type: string - created_at: - type: string - id: - type: string - name: - type: string - namespace: - type: string - packagePolicyCount: - type: number - updated_at: - type: string - vars: - additionalProperties: - nullable: true - type: object - verification_failed_at: - type: string - verification_started_at: - type: string - verification_status: - type: string - required: - - id - - name - - cloudProvider - - vars - - packagePolicyCount - - created_at - - updated_at - maxItems: 10000 - type: array - required: - - items + 
$ref: '#/components/schemas/Kibana_HTTP_APIs_get_categories_response' description: Successful response '400': content: @@ -45048,23 +39861,23 @@ paths: - message - attributes description: Bad Request - summary: Get cloud connectors + summary: Get package categories tags: - - Fleet cloud connectors - x-state: Technical Preview; added in 9.2.0 + - Elastic Package Manager (EPM) x-metaTags: - content: Kibana name: product_name + /api/fleet/epm/custom_integrations: post: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/cloud_connectors
+
post /s/{space_id}/api/fleet/epm/custom_integrations
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Create a new Fleet cloud connector.

[Required authorization] Route required privileges: fleet-agent-policies-all OR integrations-all. - operationId: post-fleet-cloud-connectors + Create a new custom integration package with user-defined data streams.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-custom-integrations parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -45077,134 +39890,123 @@ paths: content: application/json: examples: - postCloudConnectorRequestExample: - description: Create a new AWS cloud connector + postCreateCustomIntegrationRequestExample: + description: Create a new custom integration value: - accountType: single-account - cloudProvider: aws - name: My AWS connector - vars: {} + datasets: + - name: my_custom_logs.access + type: logs + integrationName: my_custom_logs schema: - additionalProperties: false - type: object - properties: - accountType: - description: 'The account type: single-account (single account/subscription) or organization-account (organization-wide).' - enum: - - single-account - - organization-account - type: string - cloudProvider: - description: 'The cloud provider type: aws, azure, or gcp.' - enum: - - aws - - azure - - gcp - type: string - name: - description: The name of the cloud connector. - maxLength: 255 - minLength: 1 - type: string - vars: - additionalProperties: - anyOf: - - maxLength: 1000 - type: string - - type: number - - type: boolean - - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - maxLength: 50 - type: string - value: - anyOf: - - maxLength: 1000 - type: string - - additionalProperties: false - type: object - properties: - id: - maxLength: 255 - type: string - isSecretRef: - type: boolean - required: - - isSecretRef - - id - required: - - type - - value - type: object - required: - - name - - cloudProvider - - vars + $ref: '#/components/schemas/Kibana_HTTP_APIs_create_custom_integration_request' responses: '200': content: application/json: examples: - postCloudConnectorExample: - description: The created Fleet cloud connector + postCreateCustomIntegrationExample: + description: Custom integration successfully created value: - item: - accountType: single-account - cloudProvider: aws - created_at: '2024-01-15T10:00:00.000Z' - id: cloud-connector-id-2 - name: My AWS connector - packagePolicyCount: 0 - updated_at: 
'2024-01-15T10:00:00.000Z' - vars: {} + _meta: + install_source: custom + items: + - id: my_custom_logs-logs-my_custom_logs.access + type: index_template + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_install_package_response' + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: additionalProperties: false + description: Generic Error type: object properties: - item: - additionalProperties: false - type: object - properties: - accountType: - type: string - cloudProvider: - type: string - created_at: - type: string - id: - type: string - name: - type: string - namespace: - type: string - packagePolicyCount: - type: number - updated_at: - type: string - vars: - additionalProperties: - nullable: true - type: object - verification_failed_at: - type: string - verification_started_at: - type: string - verification_status: - type: string - required: - - id - - name - - cloudProvider - - vars - - packagePolicyCount - - created_at - - updated_at + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number required: - - item + - message + - attributes + description: Bad Request + summary: Create a custom integration + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/custom_integrations/{pkgName}: + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/fleet/epm/custom_integrations/{pkgName}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update the datasets of an existing custom integration package.

[Required authorization] Route required privileges: fleet-settings-all AND integrations-all. + operationId: put-fleet-epm-custom-integrations-pkgname + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Package name + in: path + name: pkgName + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + putUpdateCustomIntegrationRequestExample: + description: Update a custom integration + value: + datasets: + - name: my_custom_logs.access + type: logs + integrationName: my_custom_logs + schema: + additionalProperties: false + type: object + properties: + categories: + items: + type: string + maxItems: 10 + type: array + readMeData: + type: string + required: + - readMeData + responses: + '200': + content: + application/json: + examples: + putUpdateCustomIntegrationExample: + description: Custom integration successfully updated + value: {} description: Successful response '400': content: @@ -45235,61 +40037,76 @@ paths: - message - attributes description: Bad Request - summary: Create cloud connector + summary: Update a custom integration tags: - - Fleet cloud connectors - x-state: Technical Preview; added in 9.2.0 + - Elastic Package Manager (EPM) x-metaTags: - content: Kibana name: product_name - /api/fleet/cloud_connectors/{cloudConnectorId}: - delete: + /api/fleet/epm/data_streams: + get: description: |- **Spaces method and path for this operation:** -
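Review bot: The request example `putUpdateCustomIntegrationRequestExample` under the new `put /api/fleet/epm/custom_integrations/{pkgName}` operation does not validate against the request schema printed right after it: the example body carries `datasets` and `integrationName`, while the schema sets `additionalProperties: false`, allows only `categories` and `readMeData`, and requires `readMeData`, so a client copying the example gets a 400. The example appears to be a copy of the `post /api/fleet/epm/custom_integrations` create-request example earlier in this hunk. It should be replaced with a body the schema accepts, e.g. (constructed sample) `value:` / `  categories: [custom]` / `  readMeData: '# My custom logs'`. This bundle looks generated, so the fix presumably belongs in the route definition it is produced from rather than in this file; the operation's 400 response and summary continue in the next hunk.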
delete /s/{space_id}/api/fleet/cloud_connectors/{cloudConnectorId}
+
get /s/{space_id}/api/fleet/epm/data_streams
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Delete a cloud connector by ID. Use the `force` query parameter to delete even if package policies are still using it.

[Required authorization] Route required privileges: fleet-agent-policies-all OR integrations-all. - operationId: delete-fleet-cloud-connectors-cloudconnectorid + Get a list of data streams created by installed integration packages.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-data-streams parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true + - description: Filter by data stream type + in: query + name: type + required: false schema: - example: 'true' + enum: + - logs + - metrics + - traces + - synthetics + - profiling type: string - - description: The unique identifier of the cloud connector to delete. - in: path - name: cloudConnectorId - required: true + - description: Filter data streams by dataset name + in: query + name: datasetQuery + required: false schema: type: string - - description: If true, forces deletion even if the cloud connector is in use. + - description: Sort order, ascending or descending in: query - name: force + name: sortOrder + required: false + schema: + default: asc + enum: + - asc + - desc + type: string + - description: When true, only return data streams that are not associated with a package + in: query + name: uncategorisedOnly required: false schema: + default: false type: boolean responses: '200': content: application/json: examples: - deleteCloudConnectorExample: - description: The cloud connector was successfully deleted + getDataStreamsExample: + description: List of data streams from installed packages value: - id: cloud-connector-id-1 + data_streams: + - ilm_policy: logs-default + index_template: logs-system.syslog + name: logs-system.syslog-default + package: system + package_version: 1.55.0 + title: System syslog logs schema: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_data_streams_response' description: Successful response '400': content: 
@@ -45320,91 +40137,69 @@ paths: - message - attributes description: Bad Request - summary: Delete cloud connector (supports force deletion) + summary: Get data streams tags: - - Fleet cloud connectors - x-state: Technical Preview; added in 9.2.0 + - Data streams x-metaTags: - content: Kibana name: product_name + /api/fleet/epm/packages: get: description: |- **Spaces method and path for this operation:** -
get /s/{space_id}/api/fleet/cloud_connectors/{cloudConnectorId}
+
get /s/{space_id}/api/fleet/epm/packages
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Get a cloud connector by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read OR integrations-read. - operationId: get-fleet-cloud-connectors-cloudconnectorid + Get a list of integration packages available in the registry.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-packages parameters: - - description: The unique identifier of the cloud connector. - in: path - name: cloudConnectorId - required: true + - description: Filter packages by category + in: query + name: category + required: false schema: type: string + - description: When true, include prerelease packages in the results + in: query + name: prerelease + required: false + schema: + type: boolean + - description: When true, exclude the install status from the response + in: query + name: excludeInstallStatus + required: false + schema: + type: boolean + - description: When true, include the number of package policies per package + in: query + name: withPackagePoliciesCount + required: false + schema: + type: boolean responses: '200': content: application/json: examples: - getCloudConnectorExample: - description: A Fleet cloud connector + getPackagesExample: + description: List of available integration packages value: - item: - accountType: single-account - cloudProvider: aws - created_at: '2024-01-15T10:00:00.000Z' - id: cloud-connector-id-1 - name: My AWS connector - packagePolicyCount: 2 - updated_at: '2024-01-15T10:00:00.000Z' - vars: {} + items: + - categories: + - cloud + description: Collect logs and metrics from Amazon Web Services + id: aws + name: aws + status: not_installed + title: AWS + version: 2.10.0 + searchExcluded: 0 + total: 1 schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - accountType: - type: string - cloudProvider: - type: string - created_at: - type: string - id: - type: string - name: - type: string - namespace: - type: string - packagePolicyCount: - type: number - updated_at: - type: string - vars: - additionalProperties: - nullable: true - type: object - verification_failed_at: - type: string - verification_started_at: - type: 
string - verification_status: - type: string - required: - - id - - name - - cloudProvider - - vars - - packagePolicyCount - - created_at - - updated_at - required: - - item + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_packages_response' description: Successful response '400': content: @@ -45435,23 +40230,22 @@ paths: - message - attributes description: Bad Request - summary: Get cloud connector + summary: Get packages tags: - - Fleet cloud connectors - x-state: Technical Preview; added in 9.2.0 + - Elastic Package Manager (EPM) x-metaTags: - content: Kibana name: product_name - put: + post: description: |- **Spaces method and path for this operation:** -
put /s/{space_id}/api/fleet/cloud_connectors/{cloudConnectorId}
+
post /s/{space_id}/api/fleet/epm/packages
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Update a cloud connector by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all OR integrations-all. - operationId: put-fleet-cloud-connectors-cloudconnectorid + Install a package by uploading a .zip or .tar.gz archive (max 100MB). Only available to superusers.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages parameters: - description: A required header to protect against CSRF attacks in: header 
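Review bot: The new description for `post-fleet-epm-packages` says the upload install is "Only available to superusers", but the `[Required authorization]` line emitted right under it lists `integrations-all AND fleet-agent-policies-all`, so a reader cannot tell which gate actually applies to an endpoint that accepts arbitrary 100MB archives. If the superuser check is enforced in the handler in addition to the route privileges, the description should say so, e.g. `Install a package by uploading a .zip or .tar.gz archive (max 100MB). In addition to the privileges listed below, the caller must be a superuser.`; if it is not enforced, the superuser clause should be dropped. This bundle appears to be generated, so the wording presumably lives in the route definition and should be corrected there.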
@@ -45460,135 +40254,64 @@ paths: schema: example: 'true' type: string - - description: The unique identifier of the cloud connector to update. - in: path - name: cloudConnectorId - required: true + - description: When true, ignore mapping update errors during installation + in: query + name: ignoreMappingUpdateErrors + required: false schema: - type: string + default: false + type: boolean + - description: When true, skip data stream rollover after installation + in: query + name: skipDataStreamRollover + required: false + schema: + default: false + type: boolean requestBody: content: - application/json: + application/gzip: examples: - putCloudConnectorRequestExample: - description: Update a Fleet cloud connector - value: - name: Updated AWS connector - vars: {} + postInstallByUploadRequestExample: + description: Upload a .zip or .tar.gz package archive (max 100MB) + value: + application/gzip; application/zip: + examples: + postInstallByUploadRequestExample: + description: Upload a .zip or .tar.gz package archive (max 100MB) + value: schema: - additionalProperties: false - type: object - properties: - accountType: - description: 'The account type: single-account (single account/subscription) or organization-account (organization-wide).' - enum: - - single-account - - organization-account - type: string - name: - description: The name of the cloud connector. 
- maxLength: 255 - minLength: 1 - type: string - vars: - additionalProperties: - anyOf: - - maxLength: 1000 - type: string - - type: number - - type: boolean - - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - maxLength: 50 - type: string - value: - anyOf: - - maxLength: 1000 - type: string - - additionalProperties: false - type: object - properties: - id: - maxLength: 255 - type: string - isSecretRef: - type: boolean - required: - - isSecretRef - - id - required: - - type - - value - type: object + format: binary + type: string responses: '200': content: - application/json: + application/gzip; application/zip: examples: - putCloudConnectorExample: - description: The updated Fleet cloud connector + postInstallByUploadExample: + description: Package successfully installed from upload value: - item: - accountType: single-account - cloudProvider: aws - created_at: '2024-01-15T10:00:00.000Z' - id: cloud-connector-id-1 - name: Updated AWS connector - packagePolicyCount: 2 - updated_at: '2024-01-15T11:00:00.000Z' - vars: {} + _meta: + install_source: upload + items: + - id: my-custom-package-logs-default + type: index_template schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - accountType: - type: string - cloudProvider: - type: string - created_at: - type: string - id: - type: string - name: - type: string - namespace: - type: string - packagePolicyCount: - type: number - updated_at: - type: string - vars: - additionalProperties: - nullable: true - type: object - verification_failed_at: - type: string - verification_started_at: - type: string - verification_status: - type: string - required: - - id - - name - - cloudProvider - - vars - - packagePolicyCount - - created_at - - updated_at - required: - - item + $ref: '#/components/schemas/Kibana_HTTP_APIs_install_package_response' + application/json: + examples: + postInstallByUploadExample: + 
description: Package successfully installed from upload + value: + _meta: + install_source: upload + items: + - id: my-custom-package-logs-default + type: index_template description: Successful response '400': content: - application/json: + application/gzip; application/zip: examples: genericErrorResponseExample: description: Example of a generic error response @@ -45614,125 +40337,78 @@ paths: required: - message - attributes + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 description: Bad Request - summary: Update cloud connector + summary: Install a package by upload tags: - - Fleet cloud connectors - x-state: Technical Preview; added in 9.2.0 + - Elastic Package Manager (EPM) x-metaTags: - content: Kibana name: product_name - /api/fleet/cloud_connectors/{cloudConnectorId}/usage: - get: + /api/fleet/epm/packages/_bulk: + post: description: |- **Spaces method and path for this operation:** -
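Review bot: In the install-by-upload operation the `'200'` and `'400'` response content is keyed `application/gzip; application/zip`, which is not a valid media type for a JSON response body, and the request example shows the same string as a key nested under `value:`, so it looks like a combined content-type string was emitted once as a media-type key and once as example data. The JSON responses should appear only under `application/json`, and the request body should list `application/gzip` and `application/zip` as two separate content entries sharing the `format: binary` schema. Indentation is lost in this view, so the exact nesting is inferred; since the bundle appears generated, the fix probably belongs in the route's request/response body definition.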
get /s/{space_id}/api/fleet/cloud_connectors/{cloudConnectorId}/usage
+
post /s/{space_id}/api/fleet/epm/packages/_bulk
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Get a list of package policies that are using a given cloud connector.

[Required authorization] Route required privileges: fleet-agent-policies-read OR integrations-read. - operationId: get-fleet-cloud-connectors-cloudconnectorid-usage + Install multiple packages from the Elastic Package Registry in a single request.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-bulk parameters: - - description: The unique identifier of the cloud connector. - in: path - name: cloudConnectorId + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: + example: 'true' type: string - - description: The page number for pagination. - in: query - name: page - required: false - schema: - minimum: 1 - type: number - - description: The number of items per page. + - description: When true, allow installing prerelease versions in: query - name: perPage + name: prerelease required: false schema: - minimum: 1 - type: number + type: boolean + requestBody: + content: + application/json: + examples: + postBulkInstallPackagesRequestExample: + description: Install multiple packages from the registry + value: + packages: + - system + - aws + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_install_packages_from_registry_request' responses: '200': content: application/json: examples: - getCloudConnectorUsageResponseExample: - description: Example response showing package policies using the cloud connector + postBulkInstallPackagesExample: + description: Bulk install results value: items: - - created_at: '2025-01-16T09:00:00.000Z' - id: package-policy-1 - name: CSPM AWS Policy - package: - name: cloud_security_posture - title: Cloud Security Posture Management - version: 3.1.1 - policy_ids: - - policy-id-123 - - policy-id-456 - updated_at: '2025-01-16T09:00:00.000Z' - page: 1 - perPage: 20 - total: 2 + - name: system + result: + assets: [] + status: installed + - name: aws + result: + assets: [] + status: installed schema: - additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: false - type: object - properties: - created_at: - type: string - id: - type: string - name: - type: string - package: - 
additionalProperties: false - type: object - properties: - name: - type: string - title: - type: string - version: - type: string - required: - - name - - title - - version - policy_ids: - items: - type: string - maxItems: 10000 - type: array - updated_at: - type: string - required: - - id - - name - - policy_ids - - created_at - - updated_at - maxItems: 10000 - type: array - page: - type: number - perPage: - type: number - total: - type: number - required: - - items - - total - - page - - perPage - description: 'OK: A successful request.' + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_install_packages_from_registry_response' + description: Successful response '400': content: application/json: @@ -45741,7 +40417,7 @@ paths: description: Example of a generic error response value: error: Bad Request - message: Cloud connector not found + message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false @@ -45761,140 +40437,75 @@ paths: required: - message - attributes - description: A bad request. - summary: Get cloud connector usage (package policies using the connector) + description: Bad Request + summary: Bulk install packages tags: - - Fleet cloud connectors - x-state: Technical Preview; added in 9.2.0 + - Elastic Package Manager (EPM) x-metaTags: - content: Kibana name: product_name - /api/fleet/data_streams: - get: + /api/fleet/epm/packages/_bulk_namespace_customization: + post: description: |- **Spaces method and path for this operation:** -
get /s/{space_id}/api/fleet/data_streams
+
post /s/{space_id}/api/fleet/epm/packages/_bulk_namespace_customization
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - List all Fleet-managed data streams with metadata including package, namespace, size, and last activity.

[Required authorization] Route required privileges: fleet-agents-all AND fleet-agent-policies-all AND fleet-settings-all. - operationId: get-fleet-data-streams - parameters: [] + Enable or disable namespace-level index template customization for a list of packages in one call. Use this for IaC-style declarative flows.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-bulk-namespace-customization + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + bulkNamespaceCustomizationRequest: + value: + disable: + - dev + enable: + - production + - staging + packages: + - system + - nginx + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_namespace_customization_request' responses: '200': content: application/json: examples: - getDataStreamsExample: - description: List of Fleet-managed data streams + successResponse: value: - data_streams: - - dashboards: - - id: nginx-overview - title: Nginx Overview - dataset: nginx.access - index: logs-nginx.access-default - last_activity_ms: 1700000000000 - namespace: default - package: nginx - package_version: 1.20.0 - serviceDetails: null - size_in_bytes: 1048576 - size_in_bytes_formatted: 1mb - type: logs - - dashboards: [] - dataset: system.cpu - index: metrics-system.cpu-default - last_activity_ms: 1699999000000 - namespace: default - package: system - package_version: 1.38.0 - serviceDetails: null - size_in_bytes: 524288 - size_in_bytes_formatted: 512kb - type: metrics - schema: - additionalProperties: false - type: object - properties: - data_streams: items: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false - type: object - properties: - id: - type: string - title: - type: string - required: - - id - - title - maxItems: 10000 - type: array - dataset: - type: string - index: - type: string - last_activity_ms: - type: number - namespace: - type: string - package: - type: string - package_version: - type: string - serviceDetails: - additionalProperties: false - nullable: true - type: object - properties: - 
environment: - type: string - serviceName: - type: string - required: - - environment - - serviceName - size_in_bytes: - type: number - size_in_bytes_formatted: - anyOf: - - type: number - - type: string - type: - type: string - required: - - index - - dataset - - namespace - - type - - package - - package_version - - last_activity_ms - - size_in_bytes - - size_in_bytes_formatted - - dashboards - - serviceDetails - maxItems: 10000 - type: array - required: - - data_streams - description: Successful response + - name: system + namespace_customization_enabled_for: + - production + - staging + success: true + - error: Package nginx is not installed + name: nginx + success: false + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_namespace_customization_response' + description: 'OK: A successful request.' '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequestResponse: value: error: Bad Request - message: An error message describing what went wrong + message: 'Namespaces must not appear in both enable and disable: production' statusCode: 400 schema: additionalProperties: false @@ -45914,168 +40525,60 @@ paths: required: - message - attributes - description: Bad Request - summary: Get data streams + description: A bad request. + summary: Bulk enable/disable namespace-level customization for packages tags: - - Data streams + - Elastic Package Manager (EPM) x-metaTags: - content: Kibana name: product_name - /api/fleet/enrollment_api_keys: - get: + /api/fleet/epm/packages/_bulk_rollback: + post: description: |- **Spaces method and path for this operation:** -
get /s/{space_id}/api/fleet/enrollment_api_keys
+
post /s/{space_id}/api/fleet/epm/packages/_bulk_rollback
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - List all enrollment API keys.

[Required authorization] Route required privileges: fleet-agents-all OR fleet-setup. - operationId: get-fleet-enrollment-api-keys + Rollback multiple packages to their previous versions.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-bulk-rollback parameters: - - description: Page number - in: query - name: page - required: false - schema: - default: 1 - type: number - - description: Number of results per page - in: query - name: perPage - required: false - schema: - default: 20 - type: number - - description: A KQL query string to filter results - in: query - name: kuery - required: false + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: + example: 'true' type: string + requestBody: + content: + application/json: + examples: + bulkRollbackRequest: + value: + packages: + - name: system + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_rollback_packages_request' responses: '200': content: application/json: examples: - getEnrollmentApiKeysExample: - description: List of enrollment API keys + successResponse: value: - items: - - active: true - api_key: api-key-value-1 - api_key_id: api-key-id-1 - created_at: '2024-01-01T00:00:00.000Z' - id: key-id-1 - name: Default policy enrollment key - policy_id: policy-id-1 - list: - - active: true - api_key: api-key-value-1 - api_key_id: api-key-id-1 - created_at: '2024-01-01T00:00:00.000Z' - id: key-id-1 - name: Default policy enrollment key - policy_id: policy-id-1 - page: 1 - perPage: 20 - total: 1 + taskId: taskId schema: - additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: false - type: object - properties: - active: - description: When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents. - type: boolean - api_key: - description: The enrollment API key (token) used for enrolling Elastic Agents. - type: string - api_key_id: - description: The ID of the API key in the Security API. 
- type: string - created_at: - type: string - hidden: - type: boolean - id: - type: string - name: - description: The name of the enrollment API key. - type: string - policy_id: - description: The ID of the agent policy the Elastic Agent will be enrolled in. - type: string - required: - - id - - api_key_id - - api_key - - active - - created_at - maxItems: 10000 - type: array - list: - deprecated: true - items: - additionalProperties: false - type: object - properties: - active: - description: When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents. - type: boolean - api_key: - description: The enrollment API key (token) used for enrolling Elastic Agents. - type: string - api_key_id: - description: The ID of the API key in the Security API. - type: string - created_at: - type: string - hidden: - type: boolean - id: - type: string - name: - description: The name of the enrollment API key. - type: string - policy_id: - description: The ID of the agent policy the Elastic Agent will be enrolled in. - type: string - required: - - id - - api_key_id - - api_key - - active - - created_at - maxItems: 10000 - type: array - page: - type: number - perPage: - type: number - total: - type: number - required: - - items - - total - - page - - perPage - - list - description: Successful response + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_rollback_packages_response' + description: 'OK: A successful request.' '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequestResponse: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + message: Bad Request schema: additionalProperties: false description: Generic Error 
@@ -46094,123 +40597,49 @@ paths: required: - message - attributes - description: Bad Request - summary: Get enrollment API keys + description: A bad request. + summary: Bulk rollback packages tags: - - Fleet enrollment API keys + - Elastic Package Manager (EPM) x-metaTags: - content: Kibana name: product_name - post: + /api/fleet/epm/packages/_bulk_rollback/{taskId}: + get: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/enrollment_api_keys
+
get /s/{space_id}/api/fleet/epm/packages/_bulk_rollback/{taskId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Create an enrollment API key for a given agent policy.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-enrollment-api-keys + Get the status and results of a bulk package rollback operation.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: get-fleet-epm-packages-bulk-rollback-taskid parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf + - description: Task ID of the bulk operation + in: path + name: taskId required: true schema: - example: 'true' type: string - requestBody: - content: - application/json: - examples: - postEnrollmentApiKeyRequestExample: - description: Create an enrollment API key for an agent policy - value: - expiration: '2025-01-01T00:00:00.000Z' - name: My enrollment key - policy_id: policy-id-1 - schema: - additionalProperties: false - type: object - properties: - expiration: - type: string - name: - type: string - policy_id: - type: string - required: - - policy_id responses: '200': content: application/json: examples: - postEnrollmentApiKeyExample: - description: The created enrollment API key + successResponse: value: - action: created - item: - active: true - api_key: api-key-value-1 - api_key_id: api-key-id-1 - created_at: '2024-01-01T00:00:00.000Z' - id: key-id-1 - name: My enrollment key - policy_id: policy-id-1 + status: success schema: - additionalProperties: false - type: object - properties: - action: - enum: - - created - type: string - item: - additionalProperties: false - type: object - properties: - active: - description: When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents. - type: boolean - api_key: - description: The enrollment API key (token) used for enrolling Elastic Agents. - type: string - api_key_id: - description: The ID of the API key in the Security API. - type: string - created_at: - type: string - hidden: - type: boolean - id: - type: string - name: - description: The name of the enrollment API key. - type: string - policy_id: - description: The ID of the agent policy the Elastic Agent will be enrolled in. 
- type: string - required: - - id - - api_key_id - - api_key - - active - - created_at - required: - - item - - action - description: Successful response + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_one_bulk_operation_packages_response' + description: 'OK: A successful request.' '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequestResponse: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + message: Bad Request schema: additionalProperties: false description: Generic Error @@ -46229,24 +40658,24 @@ paths: required: - message - attributes - description: Bad Request - summary: Create an enrollment API key + description: A bad request. + summary: Get Bulk rollback packages details tags: - - Fleet enrollment API keys + - Elastic Package Manager (EPM) x-metaTags: - content: Kibana name: product_name - /api/fleet/enrollment_api_keys/_bulk_delete: + /api/fleet/epm/packages/_bulk_uninstall: post: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/enrollment_api_keys/_bulk_delete
+
post /s/{space_id}/api/fleet/epm/packages/_bulk_uninstall
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Revoke or delete multiple enrollment API keys.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-enrollment-api-keys-bulk-delete + Uninstall multiple packages in a single operation.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-bulk-uninstall parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -46259,68 +40688,25 @@ paths: content: application/json: examples: - bulkDeleteByIdsExample: - description: Bulk delete enrollment API keys by IDs - value: - forceDelete: true - tokenIds: - - token-id-1 - - token-id-2 - bulkDeleteByKueryExample: - description: Bulk delete enrollment API keys by KQL query + postBulkUninstallPackagesRequestExample: + description: Uninstall multiple packages value: - forceDelete: false - kuery: policy_id:"policy-id-1" + packages: + - name: aws + - name: gcp schema: - additionalProperties: false - type: object - properties: - forceDelete: - default: false - description: When false (default), invalidate the API key and mark the token as inactive. When true, also delete the token document. - type: boolean - includeHidden: - default: false - description: When true, allow deletion of hidden enrollment tokens (managed/agentless policies). Defaults to false. - type: boolean - kuery: - description: KQL query to select enrollment tokens to delete. - type: string - tokenIds: - description: List of enrollment token IDs to delete. - items: - type: string - maxItems: 10000 - type: array + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_uninstall_packages_request' responses: '200': content: application/json: examples: - bulkDeleteEnrollmentApiKeysExample: - description: The enrollment API keys were successfully processed + postBulkUninstallPackagesExample: + description: Bulk uninstall task initiated value: - action: deleted - count: 2 - errorCount: 0 - successCount: 2 + taskId: task-id-1 schema: - additionalProperties: false - type: object - properties: - action: - type: string - count: - type: number - errorCount: - type: number - successCount: - type: number - required: - - action - - count - - successCount - - errorCount + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_upgrade_packages_response' description: Successful response '400': content: 
@@ -46330,7 +40716,7 @@ paths: description: Example of a generic error response value: error: Bad Request - message: Either tokenIds or kuery must be provided + message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false @@ -46351,71 +40737,46 @@ paths: - message - attributes description: Bad Request - summary: Bulk revoke or delete enrollment API keys + summary: Bulk uninstall packages tags: - - Fleet enrollment API keys - x-state: Generally available; added in 9.5.0 + - Elastic Package Manager (EPM) x-metaTags: - content: Kibana name: product_name - /api/fleet/enrollment_api_keys/{keyId}: - delete: + /api/fleet/epm/packages/_bulk_uninstall/{taskId}: + get: description: |- **Spaces method and path for this operation:** -
delete /s/{space_id}/api/fleet/enrollment_api_keys/{keyId}
+
get /s/{space_id}/api/fleet/epm/packages/_bulk_uninstall/{taskId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Revoke or delete an enrollment API key by ID. Use `forceDelete=true` to remove the document.

[Required authorization] Route required privileges: fleet-agents-all. - operationId: delete-fleet-enrollment-api-keys-keyid + Get the status and results of a bulk package uninstall operation.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: get-fleet-epm-packages-bulk-uninstall-taskid parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The ID of the enrollment API key + - description: Task ID of the bulk operation in: path - name: keyId + name: taskId required: true schema: type: string - - description: When false (default), invalidate the API key and mark the token as inactive. When true, also delete the token document. - in: query - name: forceDelete - required: false - schema: - default: false - type: boolean - - description: When true, allow deletion of hidden enrollment tokens (managed/agentless policies). Defaults to false. - in: query - name: includeHidden - required: false - schema: - default: false - type: boolean responses: '200': content: application/json: examples: - deleteEnrollmentApiKeyExample: - description: The enrollment API key was successfully revoked + getBulkOperationDetailsExample: + description: Details of the bulk operation task value: - action: deleted + packages: + - name: system + result: installed + - name: elastic_agent + result: installed + status: success schema: - additionalProperties: false - type: object - properties: - action: - enum: - - deleted - type: string - required: - - action + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_one_bulk_operation_packages_response' description: Successful response '400': content: 
@@ -46446,93 +40807,54 @@ paths: - message - attributes description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No enrollment API key was found with the given ID - value: - error: Not Found - message: EnrollmentAPIKey key-id-1 not found - statusCode: 404 - description: Not Found - summary: Revoke or delete an enrollment API key + summary: Get Bulk uninstall packages details tags: - - Fleet enrollment API keys + - Elastic Package Manager (EPM) x-metaTags: - content: Kibana name: product_name - get: + /api/fleet/epm/packages/_bulk_upgrade: + post: description: |- **Spaces method and path for this operation:** -
get /s/{space_id}/api/fleet/enrollment_api_keys/{keyId}
+
post /s/{space_id}/api/fleet/epm/packages/_bulk_upgrade
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Get an enrollment API key by ID.

[Required authorization] Route required privileges: fleet-agents-all OR fleet-setup. - operationId: get-fleet-enrollment-api-keys-keyid + Upgrade multiple packages to their latest versions.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-bulk-upgrade parameters: - - description: The ID of the enrollment API key - in: path - name: keyId + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: + example: 'true' type: string + requestBody: + content: + application/json: + examples: + postBulkUpgradePackagesRequestExample: + description: Upgrade multiple packages to their latest versions + value: + packages: + - name: system + - name: elastic_agent + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_upgrade_packages_request' responses: '200': content: application/json: examples: - getEnrollmentApiKeyExample: - description: An enrollment API key + postBulkUpgradePackagesExample: + description: Bulk upgrade task initiated value: - item: - active: true - api_key: api-key-value-1 - api_key_id: api-key-id-1 - created_at: '2024-01-01T00:00:00.000Z' - id: key-id-1 - name: Default policy enrollment key - policy_id: policy-id-1 + taskId: task-id-1 schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - active: - description: When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents. - type: boolean - api_key: - description: The enrollment API key (token) used for enrolling Elastic Agents. - type: string - api_key_id: - description: The ID of the API key in the Security API. - type: string - created_at: - type: string - hidden: - type: boolean - id: - type: string - name: - description: The name of the enrollment API key. - type: string - policy_id: - description: The ID of the agent policy the Elastic Agent will be enrolled in. 
- type: string - required: - - id - - api_key_id - - api_key - - active - - created_at - required: - - item + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_upgrade_packages_response' description: Successful response '400': content: @@ -46563,123 +40885,46 @@ paths: - message - attributes description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No enrollment API key was found with the given ID - value: - error: Not Found - message: EnrollmentAPIKey key-id-1 not found - statusCode: 404 - description: Not Found - summary: Get an enrollment API key + summary: Bulk upgrade packages tags: - - Fleet enrollment API keys + - Elastic Package Manager (EPM) x-metaTags: - content: Kibana name: product_name - /api/fleet/epm/bulk_assets: - post: + /api/fleet/epm/packages/_bulk_upgrade/{taskId}: + get: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/epm/bulk_assets
+
get /s/{space_id}/api/fleet/epm/packages/_bulk_upgrade/{taskId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Retrieve multiple Kibana saved object assets by their IDs and types.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. - operationId: post-fleet-epm-bulk-assets + Get the status and results of a bulk package upgrade operation.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: get-fleet-epm-packages-bulk-upgrade-taskid parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf + - description: Task ID of the bulk operation + in: path + name: taskId required: true schema: - example: 'true' type: string - requestBody: - content: - application/json: - examples: - postBulkGetAssetsRequestExample: - description: Retrieve multiple assets by their IDs and types - value: - assetIds: - - id: dashboard-id-1 - type: dashboard - - id: index-pattern-id-1 - type: index_pattern - schema: - additionalProperties: false - type: object - properties: - assetIds: - items: - additionalProperties: false - type: object - properties: - id: - type: string - type: - type: string - required: - - id - - type - maxItems: 10000 - type: array - required: - - assetIds responses: '200': content: application/json: examples: - postBulkGetAssetsExample: - description: Requested assets + getBulkOperationDetailsExample: + description: Details of the bulk operation task value: - items: - - appLink: /app/dashboards#/view/dashboard-id-1 - attributes: - title: My Dashboard - id: dashboard-id-1 - type: dashboard + packages: + - name: system + result: installed + - name: elastic_agent + result: installed + status: success schema: - additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: false - type: object - properties: - appLink: - type: string - attributes: - additionalProperties: false - type: object - properties: - description: - type: string - service: - type: string - title: - type: string - id: - type: string - type: - type: string - updatedAt: - type: string - required: - - id - - type - - attributes - maxItems: 10000 - type: array - required: - - items + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_one_bulk_operation_packages_response' description: Successful 
response '400': content: @@ -46710,33 +40955,40 @@ paths: - message - attributes description: Bad Request - summary: Bulk get assets + summary: Get Bulk upgrade packages details tags: - Elastic Package Manager (EPM) x-metaTags: - content: Kibana name: product_name - /api/fleet/epm/categories: - get: + /api/fleet/epm/packages/{pkgName}: + delete: description: |- **Spaces method and path for this operation:** -
get /s/{space_id}/api/fleet/epm/categories
+
delete /s/{space_id}/api/fleet/epm/packages/{pkgName}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Get a list of integration categories.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. - operationId: get-fleet-epm-categories + Uninstall a package and remove all its assets.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: delete-fleet-epm-packages-pkgname parameters: - - description: When true, include prerelease packages in the results - in: query - name: prerelease - required: false + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - type: boolean - - description: When true, include categories that only contain policy templates + example: 'true' + type: string + - description: Package name + in: path + name: pkgName + required: true + schema: + type: string + - description: When true, delete the package even if it has active package policies in: query - name: include_policy_templates + name: force required: false schema: type: boolean @@ -46745,43 +40997,14 @@ paths: content: application/json: examples: - getCategoriesExample: - description: List of integration categories + deletePackageExample: + description: Package successfully deleted value: items: - - count: 42 - id: security - title: Security - - count: 38 - id: observability - title: Observability + - id: aws-logs-aws.cloudwatch_logs-default + type: index_template schema: - additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: false - type: object - properties: - count: - type: number - id: - type: string - parent_id: - type: string - parent_title: - type: string - title: - type: string - required: - - id - - title - - count - maxItems: 10000 - type: array - required: - - items + $ref: '#/components/schemas/Kibana_HTTP_APIs_delete_package_response' description: Successful response '400': content: 
@@ -46812,163 +41035,76 @@ paths: - message - attributes description: Bad Request - summary: Get package categories + summary: Delete a package tags: - Elastic Package Manager (EPM) x-metaTags: - content: Kibana name: product_name - /api/fleet/epm/custom_integrations: - post: + get: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/epm/custom_integrations
+
get /s/{space_id}/api/fleet/epm/packages/{pkgName}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Create a new custom integration package with user-defined data streams.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-custom-integrations + Get information about a package by name, returning the latest installed or available version. + operationId: get-fleet-epm-packages-pkgname parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf + - description: Package name + in: path + name: pkgName required: true schema: - example: 'true' type: string - requestBody: - content: - application/json: - examples: - postCreateCustomIntegrationRequestExample: - description: Create a new custom integration - value: - datasets: - - name: my_custom_logs.access - type: logs - integrationName: my_custom_logs - schema: - additionalProperties: false - type: object - properties: - datasets: - items: - additionalProperties: false - type: object - properties: - name: - type: string - type: - enum: - - logs - - metrics - - traces - - synthetics - - profiling - type: string - required: - - name - - type - maxItems: 10 - type: array - force: - type: boolean - integrationName: - type: string - required: - - integrationName - - datasets + - description: When true, returns the package even if the signature cannot be verified + in: query + name: ignoreUnverified + required: false + schema: + type: boolean + - description: When true, include prerelease versions + in: query + name: prerelease + required: false + schema: + type: boolean + - description: When true, return the full package info including assets + in: query + name: full + required: false + schema: + type: boolean + - description: When true, include package metadata such as whether it has package policies + in: query + name: withMetadata + required: false + schema: + default: false + type: boolean responses: '200': content: application/json: examples: - postCreateCustomIntegrationExample: - description: Custom integration successfully created + getPackageInfoExample: + 
description: Package details and installation status value: - _meta: - install_source: custom - items: - - id: my_custom_logs-logs-my_custom_logs.access - type: index_template + item: + assets: + kibana: + dashboard: [] + index_pattern: [] + categories: + - cloud + description: Collect logs and metrics from Amazon Web Services + name: aws + status: installed + title: AWS + version: 2.10.0 schema: - additionalProperties: false - type: object - properties: - _meta: - additionalProperties: false - type: object - properties: - install_source: - type: string - name: - type: string - required: - - install_source - - name - items: - items: - anyOf: - - additionalProperties: false - type: object - properties: - deferred: - type: boolean - id: - type: string - originId: - type: string - type: - anyOf: - - enum: - - dashboard - - lens - - visualization - - search - - index-pattern - - map - - ml-module - - security-rule - - csp-rule-template - - osquery-pack-asset - - osquery-saved-query - - tag - type: string - - type: string - required: - - id - - type - - additionalProperties: false - type: object - properties: - deferred: - type: boolean - id: - type: string - type: - enum: - - index - - index_template - - component_template - - ingest_pipeline - - ilm_policy - - data_stream_ilm_policy - - transform - - ml_model - - knowledge_base - - esql_view - type: string - version: - type: string - required: - - id - - type - maxItems: 10000 - type: array - required: - - items - - _meta + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_info_response' description: Successful response '400': content: @@ -46999,23 +41135,22 @@ paths: - message - attributes description: Bad Request - summary: Create a custom integration + summary: Get a package tags: - Elastic Package Manager (EPM) x-metaTags: - content: Kibana name: product_name - /api/fleet/epm/custom_integrations/{pkgName}: - put: + post: description: |- **Spaces method and path for this operation:** -
put /s/{space_id}/api/fleet/epm/custom_integrations/{pkgName}
+
post /s/{space_id}/api/fleet/epm/packages/{pkgName}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Update the datasets of an existing custom integration package.

[Required authorization] Route required privileges: fleet-settings-all AND integrations-all. - operationId: put-fleet-epm-custom-integrations-pkgname + Install the latest version of a package from the Elastic Package Registry.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-pkgname parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -47030,38 +41165,150 @@ paths: required: true schema: type: string - requestBody: - content: - application/json: - examples: - putUpdateCustomIntegrationRequestExample: - description: Update a custom integration - value: - datasets: - - name: my_custom_logs.access - type: logs - integrationName: my_custom_logs + - description: When true, allow installing prerelease versions + in: query + name: prerelease + required: false + schema: + type: boolean + - description: When true, ignore mapping update errors during installation + in: query + name: ignoreMappingUpdateErrors + required: false + schema: + default: false + type: boolean + - description: When true, skip data stream rollover after installation + in: query + name: skipDataStreamRollover + required: false + schema: + default: false + type: boolean + - description: Skip dependency validation when installing a package with dependencies + in: query + name: skipDependencyCheck + required: false + schema: + default: false + type: boolean + requestBody: + content: + application/json: + examples: + postInstallPackageRequestExample: + description: Install a package, optionally ignoring constraints + value: + ignore_constraints: false schema: - additionalProperties: false - type: object - properties: - categories: - items: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_install_package_from_registry_request' + nullable: true + responses: + '200': + content: + application/json: + examples: + postInstallPackageExample: + description: Package successfully installed + value: + _meta: + install_source: registry + items: + - id: aws-logs-aws.cloudwatch_logs-default + type: index_template + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_install_package_response' + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went 
wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: type: string - maxItems: 10 - type: array - readMeData: - type: string - required: - - readMeData + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Install a package from the registry + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/fleet/epm/packages/{pkgName}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update settings for a package, such as whether policies are kept up to date automatically.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: put-fleet-epm-packages-pkgname + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Package name + in: path + name: pkgName + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + putUpdatePackageNamespaceCustomizationExample: + description: Enable namespace-level customization for the `production` and `staging` namespaces + value: + namespace_customization_enabled_for: + - production + - staging + putUpdatePackageRequestExample: + description: Update keep_policies_up_to_date setting for a package + value: + keepPoliciesUpToDate: true + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_update_package_request' responses: '200': content: application/json: examples: - putUpdateCustomIntegrationExample: - description: Custom integration successfully updated - value: {} + putUpdatePackageExample: + description: Updated package settings + value: + item: + keepPoliciesUpToDate: true + name: aws + version: 2.10.0 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_update_package_response' description: Successful response '400': content: @@ -47092,55 +41339,142 @@ paths: - message - attributes description: Bad Request - summary: Update a custom integration + summary: Update package settings tags: - Elastic Package Manager (EPM) x-metaTags: - content: Kibana name: product_name - /api/fleet/epm/data_streams: - get: + /api/fleet/epm/packages/{pkgName}/{pkgVersion}: + delete: description: |- **Spaces method and path for this operation:** -
get /s/{space_id}/api/fleet/epm/data_streams
+
delete /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Get a list of data streams created by installed integration packages.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. - operationId: get-fleet-epm-data-streams + Uninstall a specific version of a package and remove all its assets.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: delete-fleet-epm-packages-pkgname-pkgversion parameters: - - description: Filter by data stream type + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Package name + in: path + name: pkgName + required: true + schema: + type: string + - description: Package version + in: path + name: pkgVersion + required: true + schema: + type: string + - description: When true, delete the package even if it has active package policies in: query - name: type + name: force required: false schema: - enum: - - logs - - metrics - - traces - - synthetics - - profiling + type: boolean + responses: + '200': + content: + application/json: + examples: + deletePackageExample: + description: Package successfully deleted + value: + items: + - id: aws-logs-aws.cloudwatch_logs-default + type: index_template + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_delete_package_response' + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Delete a package + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get information about a specific version of a package. + operationId: get-fleet-epm-packages-pkgname-pkgversion + parameters: + - description: Package name + in: path + name: pkgName + required: true + schema: type: string - - description: Filter data streams by dataset name + - description: Package version + in: path + name: pkgVersion + required: true + schema: + type: string + - description: When true, returns the package even if the signature cannot be verified in: query - name: datasetQuery + name: ignoreUnverified required: false schema: - type: string - - description: Sort order, ascending or descending + type: boolean + - description: When true, include prerelease versions in: query - name: sortOrder + name: prerelease required: false schema: - default: asc - enum: - - asc - - desc - type: string - - description: When true, only return data streams that are not associated with a package + type: boolean + - description: When true, return the full package info including assets in: query - name: uncategorisedOnly + name: full + required: false + schema: + type: boolean + - description: When true, include package metadata such as whether it has package policies + in: query + name: withMetadata required: false schema: default: false 
@@ -47150,33 +41484,23 @@ paths: content: application/json: examples: - getDataStreamsExample: - description: List of data streams from installed packages + getPackageInfoExample: + description: Package details and installation status value: - data_streams: - - ilm_policy: logs-default - index_template: logs-system.syslog - name: logs-system.syslog-default - package: system - package_version: 1.55.0 - title: System syslog logs + item: + assets: + kibana: + dashboard: [] + index_pattern: [] + categories: + - cloud + description: Collect logs and metrics from Amazon Web Services + name: aws + status: installed + title: AWS + version: 2.10.0 schema: - additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: false - type: object - properties: - name: - type: string - required: - - name - maxItems: 10000 - type: array - required: - - items + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_info_response' description: Successful response '400': content: @@ -47207,557 +41531,110 @@ paths: - message - attributes description: Bad Request - summary: Get data streams + summary: Get a package tags: - - Data streams + - Elastic Package Manager (EPM) x-metaTags: - content: Kibana name: product_name - /api/fleet/epm/packages: - get: + post: description: |- **Spaces method and path for this operation:** -
get /s/{space_id}/api/fleet/epm/packages
+
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Get a list of integration packages available in the registry.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. - operationId: get-fleet-epm-packages + Install a specific version of a package from the Elastic Package Registry.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-pkgname-pkgversion parameters: - - description: Filter packages by category - in: query - name: category - required: false + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: + example: 'true' type: string - - description: When true, include prerelease packages in the results + - description: Package name + in: path + name: pkgName + required: true + schema: + type: string + - description: Package version + in: path + name: pkgVersion + required: true + schema: + type: string + - description: When true, allow installing prerelease versions in: query name: prerelease required: false schema: type: boolean - - description: When true, exclude the install status from the response + - description: When true, ignore mapping update errors during installation in: query - name: excludeInstallStatus + name: ignoreMappingUpdateErrors required: false schema: + default: false type: boolean - - description: When true, include the number of package policies per package + - description: When true, skip data stream rollover after installation in: query - name: withPackagePoliciesCount + name: skipDataStreamRollover + required: false + schema: + default: false + type: boolean + - description: Skip dependency validation when installing a package with dependencies + in: query + name: skipDependencyCheck required: false schema: + default: false type: boolean + requestBody: + content: + application/json: + examples: + postInstallPackageRequestExample: + description: Install a package, optionally ignoring constraints + value: + ignore_constraints: false + schema: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_install_package_from_registry_request' + nullable: true responses: '200': content: application/json: examples: - getPackagesExample: - description: List of available 
integration packages + postInstallPackageExample: + description: Package successfully installed value: + _meta: + install_source: registry items: - - categories: - - cloud - description: Collect logs and metrics from Amazon Web Services - id: aws - name: aws - status: not_installed - title: AWS - version: 2.10.0 - searchExcluded: 0 - total: 1 + - id: aws-logs-aws.cloudwatch_logs-default + type: index_template + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_install_package_response' + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: true - type: object - properties: - categories: - items: - type: string - maxItems: 100 - type: array - conditions: - additionalProperties: true - type: object - properties: - deprecated: - additionalProperties: true - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - elastic: - additionalProperties: true - type: object - properties: - capabilities: - items: - type: string - maxItems: 10 - type: array - subscription: - type: string - kibana: - additionalProperties: true - type: object - properties: - version: - type: string - data_streams: - items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 - type: array - deprecated: - additionalProperties: true - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - description: - type: string - discovery: - additionalProperties: true - type: object - properties: - datasets: - items: - 
additionalProperties: true - type: object - properties: - name: - type: string - required: - - name - maxItems: 100 - type: array - fields: - items: - additionalProperties: true - type: object - properties: - name: - type: string - required: - - name - maxItems: 100 - type: array - download: - type: string - format_version: - type: string - icons: - items: - additionalProperties: true - type: object - properties: - dark_mode: - type: boolean - path: - type: string - size: - type: string - src: - type: string - title: - type: string - type: - type: string - required: - - src - maxItems: 100 - type: array - id: - type: string - installationInfo: - additionalProperties: true - type: object - properties: - additional_spaces_installed_kibana: - additionalProperties: - items: - additionalProperties: true - type: object - properties: - deferred: - type: boolean - id: - type: string - originId: - type: string - type: - anyOf: - - enum: - - dashboard - - lens - - visualization - - search - - index-pattern - - map - - ml-module - - security-rule - - csp-rule-template - - osquery-pack-asset - - osquery-saved-query - - tag - type: string - - type: string - required: - - id - - type - maxItems: 100 - type: array - type: object - created_at: - type: string - experimental_data_stream_features: - items: - additionalProperties: true - type: object - properties: - data_stream: - type: string - features: - additionalProperties: true - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - install_format_schema_version: - type: string - install_source: - enum: - - registry - - upload - - bundled - - custom - type: string - install_status: - enum: - - installed - - installing - - install_failed - type: string - installed_es: - items: - additionalProperties: true - type: object - properties: - deferred: 
- type: boolean - id: - type: string - type: - enum: - - index - - index_template - - component_template - - ingest_pipeline - - ilm_policy - - data_stream_ilm_policy - - transform - - ml_model - - knowledge_base - - esql_view - type: string - version: - type: string - required: - - id - - type - maxItems: 10000 - type: array - installed_kibana: - items: - additionalProperties: true - type: object - properties: - deferred: - type: boolean - id: - type: string - originId: - type: string - type: - anyOf: - - enum: - - dashboard - - lens - - visualization - - search - - index-pattern - - map - - ml-module - - security-rule - - csp-rule-template - - osquery-pack-asset - - osquery-saved-query - - tag - type: string - - type: string - required: - - id - - type - maxItems: 10000 - type: array - installed_kibana_space_id: - type: string - is_rollback_ttl_expired: - type: boolean - latest_executed_state: - additionalProperties: true - type: object - properties: - error: - type: string - name: - type: string - started_at: - type: string - latest_install_failed_attempts: - items: - additionalProperties: true - type: object - properties: - created_at: - type: string - error: - additionalProperties: true - type: object - properties: - message: - type: string - name: - type: string - stack: - type: string - required: - - name - - message - target_version: - type: string - required: - - created_at - - target_version - - error - maxItems: 10 - type: array - name: - type: string - namespaces: - items: - type: string - maxItems: 100 - type: array - previous_version: - nullable: true - type: string - rolled_back: - type: boolean - type: - type: string - updated_at: - type: string - verification_key_id: - nullable: true - type: string - verification_status: - enum: - - unverified - - verified - - unknown - type: string - version: - type: string - required: - - type - - installed_kibana - - installed_es - - name - - version - - install_status - - install_source - - verification_status 
- integration: - type: string - internal: - type: boolean - latestVersion: - type: string - name: - type: string - owner: - additionalProperties: true - type: object - properties: - github: - type: string - type: - enum: - - elastic - - partner - - community - type: string - path: - type: string - policy_templates: - items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 - type: array - readme: - type: string - release: - enum: - - ga - - beta - - experimental - type: string - signature_path: - type: string - source: - additionalProperties: true - type: object - properties: - license: - type: string - required: - - license - status: - type: string - title: - type: string - type: - anyOf: - - enum: - - integration - type: string - - enum: - - input - type: string - - enum: - - content - type: string - - type: string - var_groups: - items: - additionalProperties: true - type: object - properties: - description: - type: string - name: - type: string - options: - items: - additionalProperties: true - type: object - properties: - description: - type: string - hide_in_deployment_modes: - items: - enum: - - default - - agentless - type: string - maxItems: 2 - type: array - name: - type: string - title: - type: string - vars: - items: - type: string - maxItems: 100 - type: array - required: - - name - - title - - vars - maxItems: 100 - type: array - selector_title: - type: string - title: - type: string - required: - - name - - title - - selector_title - - options - maxItems: 100 - type: array - vars: - items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 - type: array - version: - type: string - required: - - name - - version - - title - - id - maxItems: 10000 - type: array - required: - - items - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message 
describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error + description: Generic Error type: object properties: attributes: @@ -47774,22 +41651,22 @@ paths: - message - attributes description: Bad Request - summary: Get packages + summary: Install a package from the registry tags: - Elastic Package Manager (EPM) x-metaTags: - content: Kibana name: product_name - post: + put: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/epm/packages
+
put /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Install a package by uploading a .zip or .tar.gz archive (max 100MB). Only available to superusers.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages + Update settings for a specific version of a package.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: put-fleet-epm-packages-pkgname-pkgversion parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -47798,139 +41675,52 @@ paths: schema: example: 'true' type: string - - description: When true, ignore mapping update errors during installation - in: query - name: ignoreMappingUpdateErrors - required: false + - description: Package name + in: path + name: pkgName + required: true schema: - default: false - type: boolean - - description: When true, skip data stream rollover after installation - in: query - name: skipDataStreamRollover - required: false + type: string + - description: Package version + in: path + name: pkgVersion + required: true schema: - default: false - type: boolean + type: string requestBody: content: - application/gzip: - examples: - postInstallByUploadRequestExample: - description: Upload a .zip or .tar.gz package archive (max 100MB) - value: - application/gzip; application/zip: + application/json: examples: - postInstallByUploadRequestExample: - description: Upload a .zip or .tar.gz package archive (max 100MB) - value: + putUpdatePackageNamespaceCustomizationExample: + description: Enable namespace-level customization for the `production` and `staging` namespaces + value: + namespace_customization_enabled_for: + - production + - staging + putUpdatePackageRequestExample: + description: Update keep_policies_up_to_date setting for a package + value: + keepPoliciesUpToDate: true schema: - format: binary - type: string + $ref: '#/components/schemas/Kibana_HTTP_APIs_update_package_request' responses: '200': content: - application/gzip; application/zip: - examples: - postInstallByUploadExample: - description: Package successfully installed from upload - value: - _meta: - install_source: upload - items: - - id: my-custom-package-logs-default - type: index_template - schema: - additionalProperties: false - type: object - properties: - _meta: - additionalProperties: false - type: object - properties: - install_source: - type: string - name: - type: string - required: - - install_source - - name - items: - items: - anyOf: - - additionalProperties: 
false - type: object - properties: - deferred: - type: boolean - id: - type: string - originId: - type: string - type: - anyOf: - - enum: - - dashboard - - lens - - visualization - - search - - index-pattern - - map - - ml-module - - security-rule - - csp-rule-template - - osquery-pack-asset - - osquery-saved-query - - tag - type: string - - type: string - required: - - id - - type - - additionalProperties: false - type: object - properties: - deferred: - type: boolean - id: - type: string - type: - enum: - - index - - index_template - - component_template - - ingest_pipeline - - ilm_policy - - data_stream_ilm_policy - - transform - - ml_model - - knowledge_base - - esql_view - type: string - version: - type: string - required: - - id - - type - maxItems: 10000 - type: array - required: - - items - - _meta application/json: examples: - postInstallByUploadExample: - description: Package successfully installed from upload + putUpdatePackageExample: + description: Updated package settings value: - _meta: - install_source: upload - items: - - id: my-custom-package-logs-default - type: index_template + item: + keepPoliciesUpToDate: true + name: aws + version: 2.10.0 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_update_package_response' description: Successful response '400': content: - application/gzip; application/zip: + application/json: examples: genericErrorResponseExample: description: Example of a generic error response @@ -47956,6 +41746,55 @@ paths: required: - message - attributes + description: Bad Request + summary: Update package settings + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the contents of a specific file from a package.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-packages-pkgname-pkgversion-filepath + parameters: + - description: Package name + in: path + name: pkgName + required: true + schema: + type: string + - description: Package version + in: path + name: pkgVersion + required: true + schema: + type: string + - description: File path within the package + in: path + name: filePath + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getPackageFileExample: + description: The content of the requested package file + value: + schema: {} + description: Successful response — returns the file content + '400': + content: application/json: examples: genericErrorResponseExample: @@ -47964,24 +41803,42 @@ paths: error: Bad Request message: An error message describing what went wrong statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes description: Bad Request - summary: Install a package by upload + summary: Get a package file tags: - Elastic Package Manager (EPM) x-metaTags: - content: Kibana name: product_name - /api/fleet/epm/packages/_bulk: - post: + /api/fleet/epm/packages/{pkgName}/{pkgVersion}/datastream_assets: + delete: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/epm/packages/_bulk
+
delete /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/datastream_assets
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Install multiple packages from the Elastic Package Registry in a single request.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-bulk + Delete datastream assets for a specific input package, by data stream name.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: delete-fleet-epm-packages-pkgname-pkgversion-datastream-assets parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -47990,180 +41847,37 @@ paths: schema: example: 'true' type: string - - description: When true, allow installing prerelease versions + - description: Package name + in: path + name: pkgName + required: true + schema: + type: string + - description: Package version + in: path + name: pkgVersion + required: true + schema: + type: string + - description: The ID of the package policy in: query - name: prerelease - required: false + name: packagePolicyId + required: true schema: - type: boolean - requestBody: - content: - application/json: - examples: - postBulkInstallPackagesRequestExample: - description: Install multiple packages from the registry - value: - packages: - - system - - aws - schema: - additionalProperties: false - type: object - properties: - force: - default: false - type: boolean - packages: - items: - anyOf: - - type: string - - additionalProperties: false - type: object - properties: - name: - type: string - prerelease: - type: boolean - version: - type: string - required: - - name - - version - maxItems: 1000 - minItems: 1 - type: array - required: - - packages + type: string responses: '200': content: application/json: examples: - postBulkInstallPackagesExample: - description: Bulk install results + deletePackageDatastreamAssetsExample: + description: Package datastream assets successfully deleted value: items: - - name: system - result: - assets: [] - status: installed - - name: aws - result: - assets: [] - status: installed + - id: logs-my_package.access-default + type: index_template schema: - additionalProperties: false - type: object - properties: - items: - items: - anyOf: - - additionalProperties: false - type: object - properties: - name: - type: string - result: - additionalProperties: false - type: object - properties: - assets: - items: - anyOf: - - additionalProperties: false - type: object - properties: - deferred: - type: boolean - id: - type: string - originId: - type: string - type: - anyOf: - - enum: - - dashboard - - lens - - 
visualization - - search - - index-pattern - - map - - ml-module - - security-rule - - csp-rule-template - - osquery-pack-asset - - osquery-saved-query - - tag - type: string - - type: string - required: - - id - - type - - additionalProperties: false - type: object - properties: - deferred: - type: boolean - id: - type: string - type: - enum: - - index - - index_template - - component_template - - ingest_pipeline - - ilm_policy - - data_stream_ilm_policy - - transform - - ml_model - - knowledge_base - - esql_view - type: string - version: - type: string - required: - - id - - type - maxItems: 10000 - type: array - error: - nullable: true - installSource: - type: string - installType: - type: string - status: - enum: - - installed - - already_installed - type: string - required: - - error - - installType - version: - type: string - required: - - name - - version - - result - - additionalProperties: false - type: object - properties: - error: - anyOf: - - type: string - - nullable: true - name: - type: string - statusCode: - type: number - required: - - name - - statusCode - maxItems: 10000 - type: array - required: - - items + $ref: '#/components/schemas/Kibana_HTTP_APIs_delete_package_datastream_assets_response' description: Successful response '400': content: @@ -48194,124 +41908,63 @@ paths: - message - attributes description: Bad Request - summary: Bulk install packages + summary: Delete assets for an input package tags: - Elastic Package Manager (EPM) x-metaTags: - content: Kibana name: product_name - /api/fleet/epm/packages/_bulk_namespace_customization: - post: + /api/fleet/epm/packages/{pkgName}/{pkgVersion}/dependencies: + get: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/epm/packages/_bulk_namespace_customization
+
get /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/dependencies
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Enable or disable namespace-level index template customization for a list of packages in one call. Use this for IaC-style declarative flows.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-bulk-namespace-customization + Get the list of packages that a specific package depends on.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-packages-pkgname-pkgversion-dependencies parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf + - description: Package name + in: path + name: pkgName + required: true + schema: + type: string + - description: Package version + in: path + name: pkgVersion required: true schema: - example: 'true' type: string - requestBody: - content: - application/json: - examples: - bulkNamespaceCustomizationRequest: - value: - disable: - - dev - enable: - - production - - staging - packages: - - system - - nginx - schema: - additionalProperties: false - type: object - properties: - disable: - description: Namespaces to disable namespace-level customization for on each package. - items: - type: string - maxItems: 100 - type: array - enable: - description: Namespaces to enable namespace-level customization for on each package. - items: - type: string - maxItems: 100 - type: array - packages: - description: Package names to apply the customization changes to. - items: - type: string - maxItems: 1000 - minItems: 1 - type: array - required: - - packages responses: '200': content: application/json: examples: - successResponse: + dependenciesResponse: value: items: + - name: aws + title: AWS + version: ^2.0.0 - name: system - namespace_customization_enabled_for: - - production - - staging - success: true - - error: Package nginx is not installed - name: nginx - success: false + title: System + version: ^1.0.0 + noDependenciesResponse: + value: + items: [] schema: - additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: false - type: object - properties: - error: - type: string - name: - type: string - namespace_customization_enabled_for: - description: 'The opt-in list on the package. 
Returned whenever the package is installed: the new list on success, or the unchanged list when the request is rejected (for example, because of a namespace-prefix restriction).' - items: - type: string - maxItems: 100 - type: array - success: - type: boolean - required: - - name - - success - maxItems: 1000 - type: array - required: - - items + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_dependencies_response' description: 'OK: A successful request.' '400': content: application/json: examples: - badRequestResponse: + packageNotFoundResponse: value: - error: Bad Request - message: 'Namespaces must not appear in both enable and disable: production' - statusCode: 400 + message: '[my-package-1.0.0] package not found in registry' schema: additionalProperties: false description: Generic Error @@ -48331,23 +41984,24 @@ paths: - message - attributes description: A bad request. - summary: Bulk enable/disable namespace-level customization for packages + summary: Get package dependencies tags: - Elastic Package Manager (EPM) + x-state: Generally available; added in 9.4.0 x-metaTags: - content: Kibana name: product_name - /api/fleet/epm/packages/_bulk_rollback: - post: + /api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets: + delete: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/epm/packages/_bulk_rollback
+
delete /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Rollback multiple packages to their previous versions.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-bulk-rollback + Delete Kibana assets (dashboards, visualizations, etc.) for a specific package version.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: delete-fleet-epm-packages-pkgname-pkgversion-kibana-assets parameters: - description: A required header to protect against CSRF attacks in: header @@ -48356,97 +42010,15 @@ paths: schema: example: 'true' type: string - requestBody: - content: - application/json: - examples: - bulkRollbackRequest: - value: - packages: - - name: system - schema: - additionalProperties: false - type: object - properties: - packages: - items: - additionalProperties: false - type: object - properties: - name: - description: Package name to rollback - type: string - required: - - name - maxItems: 1000 - minItems: 1 - type: array - required: - - packages - responses: - '200': - content: - application/json: - examples: - successResponse: - value: - taskId: taskId - schema: - additionalProperties: false - type: object - properties: - taskId: - type: string - required: - - taskId - description: 'OK: A successful request.' - '400': - content: - application/json: - examples: - badRequestResponse: - value: - message: Bad Request - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: A bad request. - summary: Bulk rollback packages - tags: - - Elastic Package Manager (EPM) - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/epm/packages/_bulk_rollback/{taskId}: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/epm/packages/_bulk_rollback/{taskId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the status and results of a bulk package rollback operation.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: get-fleet-epm-packages-bulk-rollback-taskid - parameters: - - description: Task ID of the bulk operation + - description: Package name in: path - name: taskId + name: pkgName + required: true + schema: + type: string + - description: Package version + in: path + name: pkgVersion required: true schema: type: string @@ -48455,55 +42027,25 @@ paths: content: application/json: examples: - successResponse: + deleteKibanaAssetsExample: + description: Kibana assets successfully deleted value: - status: success - schema: - additionalProperties: false - type: object - properties: - error: - additionalProperties: false - type: object - properties: - message: - type: string - required: - - message - results: items: - additionalProperties: false - type: object - properties: - error: - additionalProperties: false - type: object - properties: - message: - type: string - required: - - message - name: - type: string - success: - type: boolean - required: - - name - - success - maxItems: 10000 - type: array - status: - type: string - required: - - status - description: 'OK: A successful request.' + - id: dashboard-id-1 + type: dashboard + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_install_kibana_assets_response' + description: Successful response '400': content: application/json: examples: - badRequestResponse: + genericErrorResponseExample: + description: Example of a generic error response value: - message: Bad Request + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: additionalProperties: false description: Generic Error 
@@ -48522,24 +42064,23 @@ paths: required: - message - attributes - description: A bad request. - summary: Get Bulk rollback packages details + description: Bad Request + summary: Delete Kibana assets for a package tags: - Elastic Package Manager (EPM) x-metaTags: - content: Kibana name: product_name - /api/fleet/epm/packages/_bulk_uninstall: post: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/epm/packages/_bulk_uninstall
+
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Uninstall multiple packages in a single operation.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-bulk-uninstall + Install Kibana assets (dashboards, visualizations, etc.) for a specific package version.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-pkgname-pkgversion-kibana-assets parameters: - description: A required header to protect against CSRF attacks in: header @@ -48548,57 +42089,42 @@ paths: schema: example: 'true' type: string + - description: Package name + in: path + name: pkgName + required: true + schema: + type: string + - description: Package version + in: path + name: pkgVersion + required: true + schema: + type: string requestBody: content: application/json: examples: - postBulkUninstallPackagesRequestExample: - description: Uninstall multiple packages - value: - packages: - - name: aws - - name: gcp + postInstallKibanaAssetsRequestExample: + description: Install Kibana assets for a specific package version + value: {} schema: - additionalProperties: false - type: object - properties: - force: - default: false - type: boolean - packages: - items: - additionalProperties: false - type: object - properties: - name: - type: string - version: - type: string - required: - - name - - version - maxItems: 1000 - minItems: 1 - type: array - required: - - packages + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_install_kibana_assets_request' + nullable: true responses: '200': content: application/json: examples: - postBulkUninstallPackagesExample: - description: Bulk uninstall task initiated + postInstallKibanaAssetsExample: + description: Kibana assets successfully installed value: - taskId: task-id-1 + items: + - id: dashboard-id-1 + type: dashboard schema: - additionalProperties: false - type: object - properties: - taskId: - type: string - required: - - taskId + $ref: '#/components/schemas/Kibana_HTTP_APIs_install_kibana_assets_response' description: Successful response '400': content: 
@@ -48629,82 +42155,67 @@ paths: - message - attributes description: Bad Request - summary: Bulk uninstall packages + summary: Install Kibana assets for a package tags: - Elastic Package Manager (EPM) x-metaTags: - content: Kibana name: product_name - /api/fleet/epm/packages/_bulk_uninstall/{taskId}: - get: + /api/fleet/epm/packages/{pkgName}/{pkgVersion}/rule_assets: + post: description: |- **Spaces method and path for this operation:** -
get /s/{space_id}/api/fleet/epm/packages/_bulk_uninstall/{taskId}
+
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/rule_assets
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Get the status and results of a bulk package uninstall operation.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: get-fleet-epm-packages-bulk-uninstall-taskid + Install Kibana alert rule assets for a specific package version.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-pkgname-pkgversion-rule-assets parameters: - - description: Task ID of the bulk operation + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Package name in: path - name: taskId + name: pkgName + required: true + schema: + type: string + - description: Package version + in: path + name: pkgVersion required: true schema: type: string + requestBody: + content: + application/json: + examples: + postInstallRuleAssetsRequestExample: + description: Install alert rule assets for a specific package version + value: {} + schema: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_install_rule_assets_request' + nullable: true responses: '200': content: application/json: examples: - getBulkOperationDetailsExample: - description: Details of the bulk operation task + postInstallRuleAssetsExample: + description: Rule assets successfully installed value: - packages: - - name: system - result: installed - - name: elastic_agent - result: installed - status: success - schema: - additionalProperties: false - type: object - properties: - error: - additionalProperties: false - type: object - properties: - message: - type: string - required: - - message - results: items: - additionalProperties: false - type: object - properties: - error: - additionalProperties: false - type: object - properties: - message: - type: string - required: - - message - name: - type: string - success: - type: boolean - required: - - name - - success - maxItems: 10000 - type: array - status: - type: string - required: - - status + - id: rule-asset-id-1 + type: security_rule + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_install_kibana_assets_response' description: Successful response '400': content: 
@@ -48735,23 +42246,23 @@ paths: - message - attributes description: Bad Request - summary: Get Bulk uninstall packages details + summary: Install Kibana alert rule for a package tags: - Elastic Package Manager (EPM) x-metaTags: - content: Kibana name: product_name - /api/fleet/epm/packages/_bulk_upgrade: + /api/fleet/epm/packages/{pkgName}/{pkgVersion}/transforms/authorize: post: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/epm/packages/_bulk_upgrade
+
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/transforms/authorize
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Upgrade multiple packages to their latest versions.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-bulk-upgrade + Reauthorize Elasticsearch transforms installed by a package with secondary authorization headers. + operationId: post-fleet-epm-packages-pkgname-pkgversion-transforms-authorize parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -48760,61 +42271,64 @@ paths: schema: example: 'true' type: string - requestBody: - content: - application/json: - examples: - postBulkUpgradePackagesRequestExample: - description: Upgrade multiple packages to their latest versions - value: - packages: - - name: system - - name: elastic_agent + - description: Package name + in: path + name: pkgName + required: true + schema: + type: string + - description: Package version + in: path + name: pkgVersion + required: true + schema: + type: string + - description: When true, allow prerelease versions + in: query + name: prerelease + required: false + schema: + type: boolean + requestBody: + content: + application/json: + examples: + postReauthorizeTransformsRequestExample: + description: Reauthorize transforms for a package + value: + transforms: + - destinations: + - index: logs-transform-dest + transformId: logs-transform-1 schema: - additionalProperties: false - type: object - properties: - force: - default: false - type: boolean - packages: - items: - additionalProperties: false - type: object - properties: - name: - type: string - version: - type: string - required: - - name - maxItems: 1000 - minItems: 1 - type: array - prerelease: - type: boolean - upgrade_package_policies: - default: false - type: boolean - required: - - packages + $ref: '#/components/schemas/Kibana_HTTP_APIs_reauthorize_transform_request' responses: '200': content: application/json: examples: - postBulkUpgradePackagesExample: - description: Bulk upgrade task initiated + postReauthorizeTransformsExample: + description: Transforms successfully reauthorized value: - taskId: task-id-1 + - success: true + transformId: logs-transform-1 schema: - additionalProperties: false - type: object - properties: - taskId: - type: string - required: - - taskId + items: + additionalProperties: false + type: object + properties: + error: + nullable: true + success: + type: boolean + transformId: + type: string + required: + - transformId + - success + - error + 
maxItems: 10000 + type: array description: Successful response '400': content: @@ -48845,82 +42359,191 @@ paths: - message - attributes description: Bad Request - summary: Bulk upgrade packages + summary: Authorize transforms tags: - Elastic Package Manager (EPM) x-metaTags: - content: Kibana name: product_name - /api/fleet/epm/packages/_bulk_upgrade/{taskId}: - get: + /api/fleet/epm/packages/{pkgName}/review_upgrade: + post: description: |- **Spaces method and path for this operation:** -
get /s/{space_id}/api/fleet/epm/packages/_bulk_upgrade/{taskId}
+
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/review_upgrade
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Get the status and results of a bulk package upgrade operation.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: get-fleet-epm-packages-bulk-upgrade-taskid + Review and accept or reject a pending policy upgrade for a package that contains deprecations.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-pkgname-review-upgrade parameters: - - description: Task ID of the bulk operation + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Package name to review upgrade for in: path - name: taskId + name: pkgName required: true schema: type: string + requestBody: + content: + application/json: + examples: + acceptUpgrade: + value: + action: accept + target_version: 2.0.0 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_review_upgrade_request' responses: '200': content: application/json: examples: - getBulkOperationDetailsExample: - description: Details of the bulk operation task + successResponse: value: - packages: - - name: system - result: installed - - name: elastic_agent - result: installed - status: success + success: true + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_review_upgrade_response' + description: 'OK: A successful request.' + '400': + content: + application/json: + examples: + badRequestResponse: + value: + message: Bad Request schema: additionalProperties: false + description: Generic Error type: object properties: + attributes: + nullable: true error: - additionalProperties: false - type: object - properties: - message: - type: string - required: - - message - results: - items: - additionalProperties: false - type: object - properties: - error: - additionalProperties: false - type: object - properties: - message: - type: string - required: - - message - name: - type: string - success: - type: boolean - required: - - name - - success - maxItems: 10000 - type: array - status: type: string + errorType: + type: string + message: + type: string + statusCode: + type: number required: - - status + - message + - attributes + description: A bad request. 
+ summary: Review a pending policy upgrade for a package with deprecations + tags: + - Elastic Package Manager (EPM) + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/packages/{pkgName}/rollback: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/rollback
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Rollback a package to its previously installed version.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-pkgname-rollback + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Package name to roll back + in: path + name: pkgName + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + successResponse: + value: + success: true + version: 1.0.0 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rollback_package_response' + description: 'OK: A successful request.' + '400': + content: + application/json: + examples: + badRequestResponse: + value: + message: Bad Request + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: A bad request. + summary: Rollback a package to previous version + tags: + - Elastic Package Manager (EPM) + x-state: Technical Preview; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/packages/{pkgName}/stats: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/packages/{pkgName}/stats
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get usage statistics for a specific package, such as the number of agent policies using it.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-packages-pkgname-stats + parameters: + - description: Package name + in: path + name: pkgName + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getPackageStatsExample: + description: Usage stats for a specific package + value: + response: + agent_policy_count: 3 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_stats_response' description: Successful response '400': content: @@ -48951,119 +42574,158 @@ paths: - message - attributes description: Bad Request - summary: Get Bulk upgrade packages details + summary: Get package stats tags: - Elastic Package Manager (EPM) x-metaTags: - content: Kibana name: product_name - /api/fleet/epm/packages/{pkgName}: - delete: + /api/fleet/epm/packages/installed: + get: description: |- **Spaces method and path for this operation:** -
delete /s/{space_id}/api/fleet/epm/packages/{pkgName}
+
get /s/{space_id}/api/fleet/epm/packages/installed
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Uninstall a package and remove all its assets.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: delete-fleet-epm-packages-pkgname + Get a list of all currently installed integration packages.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-packages-installed parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true + - description: Filter by data stream type + in: query + name: dataStreamType + required: false schema: - example: 'true' + enum: + - logs + - metrics + - traces + - synthetics + - profiling type: string - - description: Package name - in: path - name: pkgName - required: true + - description: When true, only return packages with active data streams + in: query + name: showOnlyActiveDataStreams + required: false + schema: + type: boolean + - description: Filter packages by name + in: query + name: nameQuery + required: false schema: type: string - - description: When true, delete the package even if it has active package policies + - description: Sort values from the previous page for `search_after` pagination in: query - name: force + name: searchAfter required: false schema: - type: boolean + items: + anyOf: + - type: string + - type: number + maxItems: 10 + type: array + - description: Number of results per page + in: query + name: perPage + required: false + schema: + default: 15 + type: number + - description: Sort order, ascending or descending + in: query + name: sortOrder + required: false + schema: + default: asc + enum: + - asc + - desc + type: string responses: '200': content: application/json: examples: - deletePackageExample: - description: Package successfully deleted + getInstalledPackagesExample: + description: List of installed integration packages value: items: - - id: aws-logs-aws.cloudwatch_logs-default - type: index_template + - name: system + status: installed + title: System + version: 1.55.0 + - name: elastic_agent + status: installed + title: Elastic Agent + version: 1.15.0 + searchExcluded: 0 + total: 2 + schema: + $ref: 
'#/components/schemas/Kibana_HTTP_APIs_get_installed_packages_response' + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: additionalProperties: false + description: Generic Error type: object properties: - items: - items: - anyOf: - - additionalProperties: false - type: object - properties: - deferred: - type: boolean - id: - type: string - originId: - type: string - type: - anyOf: - - enum: - - dashboard - - lens - - visualization - - search - - index-pattern - - map - - ml-module - - security-rule - - csp-rule-template - - osquery-pack-asset - - osquery-saved-query - - tag - type: string - - type: string - required: - - id - - type - - additionalProperties: false - type: object - properties: - deferred: - type: boolean - id: - type: string - type: - enum: - - index - - index_template - - component_template - - ingest_pipeline - - ilm_policy - - data_stream_ilm_policy - - transform - - ml_model - - knowledge_base - - esql_view - type: string - version: - type: string - required: - - id - - type - maxItems: 10000 - type: array + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number required: - - items + - message + - attributes + description: Bad Request + summary: Get installed packages + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/packages/limited: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/packages/limited
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the list of packages that cannot be uninstalled (e.g. elastic_agent, fleet_server).

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-packages-limited + parameters: [] + responses: + '200': + content: + application/json: + examples: + getLimitedPackagesExample: + description: List of packages that cannot be uninstalled + value: + items: + - elastic_agent + - fleet_server + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_limited_packages_response' description: Successful response '400': content: @@ -49094,22 +42756,23 @@ paths: - message - attributes description: Bad Request - summary: Delete a package + summary: Get a limited package list tags: - Elastic Package Manager (EPM) x-metaTags: - content: Kibana name: product_name + /api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs: get: description: |- **Spaces method and path for this operation:** -
get /s/{space_id}/api/fleet/epm/packages/{pkgName}
+
get /s/{space_id}/api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Get information about a package by name, returning the latest installed or available version. - operationId: get-fleet-epm-packages-pkgname + Get an inputs template for a package, used to pre-populate package policy forms.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-templates-pkgname-pkgversion-inputs parameters: - description: Package name in: path 
@@ -49117,596 +42780,56 @@ paths: required: true schema: type: string - - description: When true, returns the package even if the signature cannot be verified - in: query - name: ignoreUnverified - required: false + - description: Package version + in: path + name: pkgVersion + required: true schema: - type: boolean - - description: When true, include prerelease versions + type: string + - description: 'Output format for the inputs template: json, yml, or yaml' in: query - name: prerelease + name: format required: false schema: - type: boolean - - description: When true, return the full package info including assets + default: json + enum: + - json + - yml + - yaml + type: string + - description: When true, allow prerelease versions in: query - name: full + name: prerelease required: false schema: type: boolean - - description: When true, include package metadata such as whether it has package policies + - description: When true, return inputs even if the package signature cannot be verified in: query - name: withMetadata + name: ignoreUnverified required: false schema: - default: false type: boolean responses: '200': content: application/json: examples: - getPackageInfoExample: - description: Package details and installation status + getInputsTemplateExample: + description: Inputs template for a package value: - item: - assets: - kibana: - dashboard: [] - index_pattern: [] - categories: - - cloud - description: Collect logs and metrics from Amazon Web Services - name: aws - status: installed - title: AWS - version: 2.10.0 - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: true - type: object - properties: - agent: - additionalProperties: false - type: object - properties: - privileges: - additionalProperties: false - type: object - properties: - root: - type: boolean - asset_tags: - items: - additionalProperties: false - type: object - properties: - asset_ids: - items: - type: string - maxItems: 1000 - type: array 
- asset_types: - items: - type: string - maxItems: 100 - type: array - text: - type: string - required: - - text - maxItems: 1000 - type: array - assets: - additionalProperties: - nullable: true - type: object - categories: - items: - type: string - maxItems: 100 - type: array - conditions: - additionalProperties: true - type: object - properties: - deprecated: - additionalProperties: true - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - elastic: - additionalProperties: true - type: object - properties: - capabilities: - items: - type: string - maxItems: 10 - type: array - subscription: - type: string - kibana: - additionalProperties: true - type: object - properties: - version: - type: string - data_streams: - items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 - type: array - deprecated: - additionalProperties: true - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - description: - type: string - discovery: - additionalProperties: true - type: object - properties: - datasets: - items: - additionalProperties: true - type: object - properties: - name: - type: string - required: - - name - maxItems: 100 - type: array - fields: - items: - additionalProperties: true - type: object - properties: - name: - type: string - required: - - name - maxItems: 100 - type: array - download: - type: string - elasticsearch: - additionalProperties: - nullable: true - type: object - format_version: - type: string - icons: - items: - additionalProperties: true - type: object - properties: - dark_mode: - type: boolean - path: - type: string - size: - type: string - src: - type: string - title: - type: string - type: - type: string - required: - - src - maxItems: 100 - type: array - installationInfo: 
- additionalProperties: true - type: object - properties: - additional_spaces_installed_kibana: - additionalProperties: - items: - additionalProperties: true - type: object - properties: - deferred: - type: boolean - id: - type: string - originId: - type: string - type: - anyOf: - - enum: - - dashboard - - lens - - visualization - - search - - index-pattern - - map - - ml-module - - security-rule - - csp-rule-template - - osquery-pack-asset - - osquery-saved-query - - tag - type: string - - type: string - required: - - id - - type - maxItems: 100 - type: array - type: object - created_at: - type: string - experimental_data_stream_features: - items: - additionalProperties: true - type: object - properties: - data_stream: - type: string - features: - additionalProperties: true - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - install_format_schema_version: - type: string - install_source: - enum: - - registry - - upload - - bundled - - custom - type: string - install_status: - enum: - - installed - - installing - - install_failed - type: string - installed_es: - items: - additionalProperties: true - type: object - properties: - deferred: - type: boolean - id: - type: string - type: - enum: - - index - - index_template - - component_template - - ingest_pipeline - - ilm_policy - - data_stream_ilm_policy - - transform - - ml_model - - knowledge_base - - esql_view - type: string - version: - type: string - required: - - id - - type - maxItems: 10000 - type: array - installed_kibana: - items: - additionalProperties: true - type: object - properties: - deferred: - type: boolean - id: - type: string - originId: - type: string - type: - anyOf: - - enum: - - dashboard - - lens - - visualization - - search - - index-pattern - - map - - ml-module - - security-rule - - csp-rule-template - 
- osquery-pack-asset - - osquery-saved-query - - tag - type: string - - type: string - required: - - id - - type - maxItems: 10000 - type: array - installed_kibana_space_id: - type: string - is_rollback_ttl_expired: - type: boolean - latest_executed_state: - additionalProperties: true - type: object - properties: - error: - type: string - name: - type: string - started_at: - type: string - latest_install_failed_attempts: - items: - additionalProperties: true - type: object - properties: - created_at: - type: string - error: - additionalProperties: true - type: object - properties: - message: - type: string - name: - type: string - stack: - type: string - required: - - name - - message - target_version: - type: string - required: - - created_at - - target_version - - error - maxItems: 10 - type: array - name: - type: string - namespaces: - items: - type: string - maxItems: 100 - type: array - previous_version: - nullable: true - type: string - rolled_back: - type: boolean - type: - type: string - updated_at: - type: string - verification_key_id: - nullable: true - type: string - verification_status: - enum: - - unverified - - verified - - unknown - type: string - version: - type: string - required: - - type - - installed_kibana - - installed_es - - name - - version - - install_status - - install_source - - verification_status - internal: - type: boolean - keepPoliciesUpToDate: - type: boolean - latestVersion: - type: string - license: - type: string - licensePath: - type: string - name: - type: string - notice: - type: string - owner: - additionalProperties: true - type: object - properties: - github: - type: string - type: - enum: - - elastic - - partner - - community - type: string - path: - type: string - policy_templates: - items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 - type: array - readme: - type: string - release: - enum: - - ga - - beta - - experimental - type: string - screenshots: - items: - additionalProperties: false - 
type: object - properties: - dark_mode: - type: boolean - path: - type: string - size: - type: string - src: - type: string - title: - type: string - type: - type: string - required: - - src - maxItems: 100 - type: array - signature_path: - type: string - source: - additionalProperties: true - type: object - properties: - license: - type: string - required: - - license - status: - type: string - title: - type: string - type: - anyOf: - - enum: - - integration - type: string - - enum: - - input - type: string - - enum: - - content - type: string - - type: string - var_groups: - items: - additionalProperties: true - type: object - properties: - description: - type: string - name: - type: string - options: - items: - additionalProperties: true - type: object - properties: - description: - type: string - hide_in_deployment_modes: - items: - enum: - - default - - agentless - type: string - maxItems: 2 - type: array - name: - type: string - title: - type: string - vars: - items: - type: string - maxItems: 100 - type: array - required: - - name - - title - - vars - maxItems: 100 - type: array - selector_title: - type: string - title: - type: string - required: - - name - - title - - selector_title - - options - maxItems: 100 - type: array - vars: - items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 - type: array - version: - type: string - required: - - name - - version - - title - - assets - metadata: - additionalProperties: false - type: object - properties: - has_policies: - type: boolean - required: - - has_policies - required: - - item + inputs: + - description: Collect logs from log files + title: Collect logs from files + type: logfile + vars: + - name: paths + required: true + title: Paths + type: text + schema: + anyOf: + - type: string + - $ref: '#/components/schemas/Kibana_HTTP_APIs_get_inputs_response' description: Successful response '400': content: 
@@ -49737,172 +42860,35 @@ paths: - message - attributes description: Bad Request - summary: Get a package + summary: Get an inputs template tags: - Elastic Package Manager (EPM) x-metaTags: - content: Kibana name: product_name - post: + /api/fleet/epm/verification_key_id: + get: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/epm/packages/{pkgName}
+
get /s/{space_id}/api/fleet/epm/verification_key_id
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Install the latest version of a package from the Elastic Package Registry.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-pkgname - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Package name - in: path - name: pkgName - required: true - schema: - type: string - - description: When true, allow installing prerelease versions - in: query - name: prerelease - required: false - schema: - type: boolean - - description: When true, ignore mapping update errors during installation - in: query - name: ignoreMappingUpdateErrors - required: false - schema: - default: false - type: boolean - - description: When true, skip data stream rollover after installation - in: query - name: skipDataStreamRollover - required: false - schema: - default: false - type: boolean - - description: Skip dependency validation when installing a package with dependencies - in: query - name: skipDependencyCheck - required: false - schema: - default: false - type: boolean - requestBody: - content: - application/json: - examples: - postInstallPackageRequestExample: - description: Install a package, optionally ignoring constraints - value: - ignore_constraints: false - schema: - additionalProperties: false - nullable: true - type: object - properties: - force: - default: false - type: boolean - ignore_constraints: - default: false - type: boolean + Get the GPG key ID used to verify the signatures of packages from the Elastic Package Registry.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-verification-key-id + parameters: [] responses: '200': content: application/json: examples: - postInstallPackageExample: - description: Package successfully installed + getVerificationKeyIdExample: + description: The GPG key ID used to verify package signatures value: - _meta: - install_source: registry - items: - - id: aws-logs-aws.cloudwatch_logs-default - type: index_template + id: D27D666CD88E42B4 schema: - additionalProperties: false - type: object - properties: - _meta: - additionalProperties: false - type: object - properties: - install_source: - type: string - name: - type: string - required: - - install_source - - name - items: - items: - anyOf: - - additionalProperties: false - type: object - properties: - deferred: - type: boolean - id: - type: string - originId: - type: string - type: - anyOf: - - enum: - - dashboard - - lens - - visualization - - search - - index-pattern - - map - - ml-module - - security-rule - - csp-rule-template - - osquery-pack-asset - - osquery-saved-query - - tag - type: string - - type: string - required: - - id - - type - - additionalProperties: false - type: object - properties: - deferred: - type: boolean - id: - type: string - type: - enum: - - index - - index_template - - component_template - - ingest_pipeline - - ilm_policy - - data_stream_ilm_policy - - transform - - ml_model - - knowledge_base - - esql_view - type: string - version: - type: string - required: - - id - - type - maxItems: 10000 - type: array - required: - - items - - _meta + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_verification_key_id_response' description: Successful response '400': content: 
@@ -49933,611 +42919,165 @@ paths: - message - attributes description: Bad Request - summary: Install a package from the registry + summary: Get a package signature verification key ID tags: - Elastic Package Manager (EPM) x-metaTags: - content: Kibana name: product_name - put: + /api/fleet/fleet_server_hosts: + get: description: |- **Spaces method and path for this operation:** -
put /s/{space_id}/api/fleet/epm/packages/{pkgName}
+
get /s/{space_id}/api/fleet/fleet_server_hosts
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Update settings for a package, such as whether policies are kept up to date automatically.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: put-fleet-epm-packages-pkgname - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Package name - in: path - name: pkgName - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - putUpdatePackageNamespaceCustomizationExample: - description: Enable namespace-level customization for the `production` and `staging` namespaces - value: - namespace_customization_enabled_for: - - production - - staging - putUpdatePackageRequestExample: - description: Update keep_policies_up_to_date setting for a package - value: - keepPoliciesUpToDate: true - schema: - additionalProperties: false - type: object - properties: - keepPoliciesUpToDate: - type: boolean - namespace_customization_enabled_for: - description: Namespaces for which namespace-level customization is enabled on this package. - items: - type: string - maxItems: 100 - type: array + List all Fleet Server hosts.

[Required authorization] Route required privileges: fleet-agents-all OR fleet-settings-read. + operationId: get-fleet-fleet-server-hosts + parameters: [] responses: '200': content: application/json: examples: - putUpdatePackageExample: - description: Updated package settings + getFleetServerHostsExample: + description: List of Fleet Server hosts value: - item: - keepPoliciesUpToDate: true - name: aws - version: 2.10.0 + items: + - host_urls: + - https://fleet-server.example.com:8220 + id: fleet-server-host-id-1 + is_default: true + is_preconfigured: false + name: Default Fleet Server + page: 1 + perPage: 20 + total: 1 schema: additionalProperties: false type: object properties: - item: - additionalProperties: true - type: object - properties: - agent: - additionalProperties: false - type: object - properties: - privileges: - additionalProperties: false - type: object - properties: - root: - type: boolean - asset_tags: - items: - additionalProperties: false - type: object - properties: - asset_ids: - items: - type: string - maxItems: 1000 - type: array - asset_types: - items: - type: string - maxItems: 100 - type: array - text: - type: string - required: - - text - maxItems: 1000 - type: array - assets: - additionalProperties: - nullable: true - type: object - categories: - items: - type: string - maxItems: 100 - type: array - conditions: - additionalProperties: true - type: object - properties: - deprecated: - additionalProperties: true - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - elastic: - additionalProperties: true - type: object - properties: - capabilities: - items: - type: string - maxItems: 10 - type: array - subscription: - type: string - kibana: - additionalProperties: true - type: object - properties: - version: - type: string - data_streams: - items: - additionalProperties: - nullable: true - type: object - maxItems: 
1000 - type: array - deprecated: - additionalProperties: true - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: + items: + items: + additionalProperties: false + type: object + properties: + host_urls: + items: type: string - required: - - description - description: - type: string - discovery: - additionalProperties: true - type: object - properties: - datasets: - items: - additionalProperties: true - type: object - properties: - name: - type: string - required: - - name - maxItems: 100 - type: array - fields: - items: - additionalProperties: true - type: object - properties: - name: - type: string - required: - - name - maxItems: 100 - type: array - download: - type: string - elasticsearch: - additionalProperties: + maxItems: 10 + minItems: 1 + type: array + id: + type: string + is_default: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + default: false + type: boolean + name: + type: string + proxy_id: nullable: true - type: object - format_version: - type: string - icons: - items: - additionalProperties: true + type: string + secrets: + additionalProperties: false type: object properties: - dark_mode: - type: boolean - path: - type: string - size: - type: string - src: - type: string - title: - type: string - type: - type: string - required: - - src - maxItems: 100 - type: array - installationInfo: - additionalProperties: true - type: object - properties: - additional_spaces_installed_kibana: - additionalProperties: - items: - additionalProperties: true - type: object - properties: - deferred: - type: boolean - id: - type: string - originId: - type: string - type: - anyOf: - - enum: - - dashboard - - lens - - visualization - - search - - index-pattern - - map - - ml-module - - security-rule - - csp-rule-template - - osquery-pack-asset - - osquery-saved-query - - tag - type: string - - type: string - required: - - id - - type - maxItems: 100 
- type: array - type: object - created_at: - type: string - experimental_data_stream_features: - items: - additionalProperties: true - type: object - properties: - data_stream: - type: string - features: - additionalProperties: true - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - install_format_schema_version: - type: string - install_source: - enum: - - registry - - upload - - bundled - - custom - type: string - install_status: - enum: - - installed - - installing - - install_failed - type: string - installed_es: - items: - additionalProperties: true - type: object - properties: - deferred: - type: boolean - id: - type: string - type: - enum: - - index - - index_template - - component_template - - ingest_pipeline - - ilm_policy - - data_stream_ilm_policy - - transform - - ml_model - - knowledge_base - - esql_view - type: string - version: - type: string - required: - - id - - type - maxItems: 10000 - type: array - installed_kibana: - items: - additionalProperties: true + ssl: + additionalProperties: false type: object properties: - deferred: - type: boolean - id: - type: string - originId: - type: string - type: + agent_key: anyOf: - - enum: - - dashboard - - lens - - visualization - - search - - index-pattern - - map - - ml-module - - security-rule - - csp-rule-template - - osquery-pack-asset - - osquery-saved-query - - tag - type: string + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id - type: string - required: - - id - - type - maxItems: 10000 - type: array - installed_kibana_space_id: - type: string - is_rollback_ttl_expired: - type: boolean - latest_executed_state: - additionalProperties: true - type: object - properties: - error: - type: string - name: - type: string - started_at: - type: string - 
latest_install_failed_attempts: - items: - additionalProperties: true - type: object - properties: - created_at: - type: string - error: - additionalProperties: true - type: object - properties: - message: - type: string - name: - type: string - stack: - type: string - required: - - name - - message - target_version: - type: string - required: - - created_at - - target_version - - error - maxItems: 10 - type: array - name: - type: string - namespaces: - items: - type: string - maxItems: 100 - type: array - previous_version: - nullable: true - type: string - rolled_back: - type: boolean - type: - type: string - updated_at: - type: string - verification_key_id: - nullable: true - type: string - verification_status: - enum: - - unverified - - verified - - unknown - type: string - version: - type: string - required: - - type - - installed_kibana - - installed_es - - name - - version - - install_status - - install_source - - verification_status - internal: - type: boolean - keepPoliciesUpToDate: - type: boolean - latestVersion: - type: string - license: - type: string - licensePath: - type: string - name: - type: string - notice: - type: string - owner: - additionalProperties: true - type: object - properties: - github: - type: string - type: - enum: - - elastic - - partner - - community - type: string - path: - type: string - policy_templates: - items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 - type: array - readme: - type: string - release: - enum: - - ga - - beta - - experimental - type: string - screenshots: - items: + es_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: additionalProperties: false + nullable: true type: object properties: - dark_mode: - type: boolean - path: - type: string - size: - type: string - 
src: + agent_certificate: type: string - title: + agent_certificate_authorities: + items: + type: string + maxItems: 10 + type: array + agent_key: type: string - type: + certificate: type: string - required: - - src - maxItems: 100 - type: array - signature_path: - type: string - source: - additionalProperties: true - type: object - properties: - license: - type: string - required: - - license - status: - type: string - title: - type: string - type: - anyOf: - - enum: - - integration - type: string - - enum: - - input - type: string - - enum: - - content - type: string - - type: string - var_groups: - items: - additionalProperties: true - type: object - properties: - description: + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + client_auth: + enum: + - optional + - required + - none type: string - name: + es_certificate: type: string - options: + es_certificate_authorities: items: - additionalProperties: true - type: object - properties: - description: - type: string - hide_in_deployment_modes: - items: - enum: - - default - - agentless - type: string - maxItems: 2 - type: array - name: - type: string - title: - type: string - vars: - items: - type: string - maxItems: 100 - type: array - required: - - name - - title - - vars - maxItems: 100 + type: string + maxItems: 10 type: array - selector_title: + es_key: type: string - title: + key: type: string - required: - - name - - title - - selector_title - - options - maxItems: 100 - type: array - vars: - items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 - type: array - version: - type: string - required: - - name - - version - - title - - assets + required: + - name + - host_urls + - id + maxItems: 10000 + type: array + page: + type: number + perPage: + type: number + total: + type: number required: - - item + - items + - total + - page + - perPage description: Successful response '400': content: 
@@ -50568,23 +43108,22 @@ paths: - message - attributes description: Bad Request - summary: Update package settings + summary: Get Fleet Server hosts tags: - - Elastic Package Manager (EPM) + - Fleet Server hosts x-metaTags: - content: Kibana name: product_name - /api/fleet/epm/packages/{pkgName}/{pkgVersion}: - delete: + post: description: |- **Spaces method and path for this operation:** -
delete /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}
+
post /s/{space_id}/api/fleet/fleet_server_hosts
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Uninstall a specific version of a package and remove all its assets.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: delete-fleet-epm-packages-pkgname-pkgversion + Create a new Fleet Server host.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: post-fleet-fleet-server-hosts parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -50593,100 +43132,325 @@ paths: schema: example: 'true' type: string - - description: Package name - in: path - name: pkgName + requestBody: + content: + application/json: + examples: + postFleetServerHostRequestExample: + description: Create a new Fleet Server host + value: + host_urls: + - https://fleet-server.example.com:8220 + is_default: false + name: My Fleet Server + schema: + additionalProperties: false + type: object + properties: + host_urls: + items: + type: string + maxItems: 10 + minItems: 1 + type: array + id: + type: string + is_default: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + default: false + type: boolean + name: + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + ssl: + additionalProperties: false + type: object + properties: + agent_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + es_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + nullable: true + type: object + properties: + agent_certificate: + type: string + agent_certificate_authorities: + items: + type: string + maxItems: 10 + type: array + agent_key: + type: string + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + client_auth: + enum: + - optional + - required + - none + type: string + es_certificate: + type: string + es_certificate_authorities: + items: + type: string + maxItems: 10 + type: array + es_key: + type: string + key: + type: string + required: + - name + - host_urls + responses: + '200': + content: + application/json: + examples: + 
postFleetServerHostExample: + description: The created Fleet Server host + value: + item: + host_urls: + - https://fleet-server.example.com:8220 + id: fleet-server-host-id-2 + is_default: false + is_preconfigured: false + name: My Fleet Server + schema: + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + host_urls: + items: + type: string + maxItems: 10 + minItems: 1 + type: array + id: + type: string + is_default: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + default: false + type: boolean + name: + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + ssl: + additionalProperties: false + type: object + properties: + agent_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + es_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + nullable: true + type: object + properties: + agent_certificate: + type: string + agent_certificate_authorities: + items: + type: string + maxItems: 10 + type: array + agent_key: + type: string + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + client_auth: + enum: + - optional + - required + - none + type: string + es_certificate: + type: string + es_certificate_authorities: + items: + type: string + maxItems: 10 + type: array + es_key: + type: string + key: + type: string + required: + - name + - host_urls + - id + required: + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + 
description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Create a Fleet Server host + tags: + - Fleet Server hosts + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/fleet_server_hosts/{itemId}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/fleet_server_hosts/{itemId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a Fleet Server host by ID.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: delete-fleet-fleet-server-hosts-itemid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: + example: 'true' type: string - - description: Package version + - description: The ID of the Fleet Server host in: path - name: pkgVersion + name: itemId required: true schema: type: string - - description: When true, delete the package even if it has active package policies - in: query - name: force - required: false - schema: - type: boolean responses: '200': content: application/json: examples: - deletePackageExample: - description: Package successfully deleted + deleteFleetServerHostExample: + description: The Fleet Server host was successfully deleted value: - items: - - id: aws-logs-aws.cloudwatch_logs-default - type: index_template + id: fleet-server-host-id-1 schema: additionalProperties: false type: object properties: - items: - items: - anyOf: - - additionalProperties: false - type: object - properties: - deferred: - type: boolean - id: - type: string - originId: - type: string - type: - anyOf: - - enum: - - dashboard - - lens - - visualization - - search - - index-pattern - - map - - ml-module - - security-rule - - csp-rule-template - - osquery-pack-asset - - osquery-saved-query - - tag - type: string - - type: string - required: - - id - - type - - additionalProperties: false - type: object - properties: - deferred: - type: boolean - id: - type: string - type: - enum: - - index - - index_template - - component_template - - ingest_pipeline - - ilm_policy - - data_stream_ilm_policy - - transform - - ml_model - - knowledge_base - - esql_view - type: string - version: - type: string - required: - - id - - type - maxItems: 10000 - type: array + id: + type: string required: - - items + - id description: Successful response '400': content: 
@@ -50717,9 +43481,20 @@ paths: - message - attributes description: Bad Request - summary: Delete a package + '404': + content: + application/json: + examples: + notFoundExample: + description: No Fleet Server host was found with the given ID + value: + error: Not Found + message: Fleet server fleet-server-host-id-1 not found + statusCode: 404 + description: Not Found + summary: Delete a Fleet Server host tags: - - Elastic Package Manager (EPM) + - Fleet Server hosts x-metaTags: - content: Kibana name: product_name @@ -50727,613 +43502,143 @@ paths: description: |- **Spaces method and path for this operation:** -
get /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}
+
get /s/{space_id}/api/fleet/fleet_server_hosts/{itemId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Get information about a specific version of a package. - operationId: get-fleet-epm-packages-pkgname-pkgversion + Get a Fleet Server host by ID.

[Required authorization] Route required privileges: fleet-settings-read. + operationId: get-fleet-fleet-server-hosts-itemid parameters: - - description: Package name - in: path - name: pkgName - required: true - schema: - type: string - - description: Package version + - description: The ID of the Fleet Server host in: path - name: pkgVersion + name: itemId required: true schema: type: string - - description: When true, returns the package even if the signature cannot be verified - in: query - name: ignoreUnverified - required: false - schema: - type: boolean - - description: When true, include prerelease versions - in: query - name: prerelease - required: false - schema: - type: boolean - - description: When true, return the full package info including assets - in: query - name: full - required: false - schema: - type: boolean - - description: When true, include package metadata such as whether it has package policies - in: query - name: withMetadata - required: false - schema: - default: false - type: boolean responses: '200': content: application/json: examples: - getPackageInfoExample: - description: Package details and installation status + getFleetServerHostExample: + description: A Fleet Server host value: item: - assets: - kibana: - dashboard: [] - index_pattern: [] - categories: - - cloud - description: Collect logs and metrics from Amazon Web Services - name: aws - status: installed - title: AWS - version: 2.10.0 + host_urls: + - https://fleet-server.example.com:8220 + id: fleet-server-host-id-1 + is_default: true + is_preconfigured: false + name: Default Fleet Server schema: additionalProperties: false type: object properties: item: - additionalProperties: true + additionalProperties: false type: object properties: - agent: - additionalProperties: false - type: object - properties: - privileges: - additionalProperties: false - type: object - properties: - root: - type: boolean - asset_tags: - items: - additionalProperties: false - type: object - 
properties: - asset_ids: - items: - type: string - maxItems: 1000 - type: array - asset_types: - items: - type: string - maxItems: 100 - type: array - text: - type: string - required: - - text - maxItems: 1000 - type: array - assets: - additionalProperties: - nullable: true - type: object - categories: + host_urls: items: type: string - maxItems: 100 + maxItems: 10 + minItems: 1 type: array - conditions: - additionalProperties: true + id: + type: string + is_default: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + default: false + type: boolean + name: + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: false type: object properties: - deprecated: - additionalProperties: true - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - elastic: - additionalProperties: true - type: object - properties: - capabilities: - items: - type: string - maxItems: 10 - type: array - subscription: - type: string - kibana: - additionalProperties: true + ssl: + additionalProperties: false type: object properties: - version: - type: string - data_streams: - items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 - type: array - deprecated: - additionalProperties: true + agent_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + es_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + nullable: true type: object properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: + 
agent_certificate: type: string - required: - - description - description: - type: string - discovery: - additionalProperties: true - type: object - properties: - datasets: - items: - additionalProperties: true - type: object - properties: - name: - type: string - required: - - name - maxItems: 100 - type: array - fields: + agent_certificate_authorities: items: - additionalProperties: true - type: object - properties: - name: - type: string - required: - - name - maxItems: 100 - type: array - download: - type: string - elasticsearch: - additionalProperties: - nullable: true - type: object - format_version: - type: string - icons: - items: - additionalProperties: true - type: object - properties: - dark_mode: - type: boolean - path: - type: string - size: - type: string - src: - type: string - title: - type: string - type: type: string - required: - - src - maxItems: 100 - type: array - installationInfo: - additionalProperties: true - type: object - properties: - additional_spaces_installed_kibana: - additionalProperties: - items: - additionalProperties: true - type: object - properties: - deferred: - type: boolean - id: - type: string - originId: - type: string - type: - anyOf: - - enum: - - dashboard - - lens - - visualization - - search - - index-pattern - - map - - ml-module - - security-rule - - csp-rule-template - - osquery-pack-asset - - osquery-saved-query - - tag - type: string - - type: string - required: - - id - - type - maxItems: 100 - type: array - type: object - created_at: - type: string - experimental_data_stream_features: - items: - additionalProperties: true - type: object - properties: - data_stream: - type: string - features: - additionalProperties: true - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - install_format_schema_version: - type: string - 
install_source: - enum: - - registry - - upload - - bundled - - custom - type: string - install_status: - enum: - - installed - - installing - - install_failed - type: string - installed_es: - items: - additionalProperties: true - type: object - properties: - deferred: - type: boolean - id: - type: string - type: - enum: - - index - - index_template - - component_template - - ingest_pipeline - - ilm_policy - - data_stream_ilm_policy - - transform - - ml_model - - knowledge_base - - esql_view - type: string - version: - type: string - required: - - id - - type - maxItems: 10000 - type: array - installed_kibana: - items: - additionalProperties: true - type: object - properties: - deferred: - type: boolean - id: - type: string - originId: - type: string - type: - anyOf: - - enum: - - dashboard - - lens - - visualization - - search - - index-pattern - - map - - ml-module - - security-rule - - csp-rule-template - - osquery-pack-asset - - osquery-saved-query - - tag - type: string - - type: string - required: - - id - - type - maxItems: 10000 - type: array - installed_kibana_space_id: - type: string - is_rollback_ttl_expired: - type: boolean - latest_executed_state: - additionalProperties: true - type: object - properties: - error: - type: string - name: - type: string - started_at: - type: string - latest_install_failed_attempts: - items: - additionalProperties: true - type: object - properties: - created_at: - type: string - error: - additionalProperties: true - type: object - properties: - message: - type: string - name: - type: string - stack: - type: string - required: - - name - - message - target_version: - type: string - required: - - created_at - - target_version - - error maxItems: 10 type: array - name: + agent_key: type: string - namespaces: + certificate: + type: string + certificate_authorities: items: type: string - maxItems: 100 + maxItems: 10 type: array - previous_version: - nullable: true - type: string - rolled_back: - type: boolean - type: - type: 
string - updated_at: - type: string - verification_key_id: - nullable: true - type: string - verification_status: + client_auth: enum: - - unverified - - verified - - unknown - type: string - version: - type: string - required: - - type - - installed_kibana - - installed_es - - name - - version - - install_status - - install_source - - verification_status - internal: - type: boolean - keepPoliciesUpToDate: - type: boolean - latestVersion: - type: string - license: - type: string - licensePath: - type: string - name: - type: string - notice: - type: string - owner: - additionalProperties: true - type: object - properties: - github: + - optional + - required + - none type: string - type: - enum: - - elastic - - partner - - community + es_certificate: type: string - path: - type: string - policy_templates: - items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 - type: array - readme: - type: string - release: - enum: - - ga - - beta - - experimental - type: string - screenshots: - items: - additionalProperties: false - type: object - properties: - dark_mode: - type: boolean - path: - type: string - size: - type: string - src: - type: string - title: - type: string - type: + es_certificate_authorities: + items: type: string - required: - - src - maxItems: 100 - type: array - signature_path: - type: string - source: - additionalProperties: true - type: object - properties: - license: - type: string - required: - - license - status: - type: string - title: - type: string - type: - anyOf: - - enum: - - integration - type: string - - enum: - - input + maxItems: 10 + type: array + es_key: type: string - - enum: - - content + key: type: string - - type: string - var_groups: - items: - additionalProperties: true - type: object - properties: - description: - type: string - name: - type: string - options: - items: - additionalProperties: true - type: object - properties: - description: - type: string - hide_in_deployment_modes: - items: - enum: - - 
default - - agentless - type: string - maxItems: 2 - type: array - name: - type: string - title: - type: string - vars: - items: - type: string - maxItems: 100 - type: array - required: - - name - - title - - vars - maxItems: 100 - type: array - selector_title: - type: string - title: - type: string - required: - - name - - title - - selector_title - - options - maxItems: 100 - type: array - vars: - items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 - type: array - version: - type: string required: - name - - version - - title - - assets - metadata: - additionalProperties: false - type: object - properties: - has_policies: - type: boolean - required: - - has_policies + - host_urls + - id required: - item description: Successful response @@ -51366,22 +43671,33 @@ paths: - message - attributes description: Bad Request - summary: Get a package + '404': + content: + application/json: + examples: + notFoundExample: + description: No Fleet Server host was found with the given ID + value: + error: Not Found + message: Fleet server fleet-server-host-id-1 not found + statusCode: 404 + description: Not Found + summary: Get a Fleet Server host tags: - - Elastic Package Manager (EPM) + - Fleet Server hosts x-metaTags: - content: Kibana name: product_name - post: + put: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}
+
put /s/{space_id}/api/fleet/fleet_server_hosts/{itemId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Install a specific version of a package from the Elastic Package Registry.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-pkgname-pkgversion + Update a Fleet Server host by ID.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: put-fleet-fleet-server-hosts-itemid parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -51390,154 +43706,246 @@ paths: schema: example: 'true' type: string - - description: Package name - in: path - name: pkgName - required: true - schema: - type: string - - description: Package version + - description: The ID of the Fleet Server host in: path - name: pkgVersion + name: itemId required: true schema: type: string - - description: When true, allow installing prerelease versions - in: query - name: prerelease - required: false - schema: - type: boolean - - description: When true, ignore mapping update errors during installation - in: query - name: ignoreMappingUpdateErrors - required: false - schema: - default: false - type: boolean - - description: When true, skip data stream rollover after installation - in: query - name: skipDataStreamRollover - required: false - schema: - default: false - type: boolean - - description: Skip dependency validation when installing a package with dependencies - in: query - name: skipDependencyCheck - required: false - schema: - default: false - type: boolean requestBody: content: application/json: examples: - postInstallPackageRequestExample: - description: Install a package, optionally ignoring constraints + putFleetServerHostRequestExample: + description: Update a Fleet Server host value: - ignore_constraints: false + host_urls: + - https://updated-fleet-server.example.com:8220 + is_default: false + name: Updated Fleet Server schema: additionalProperties: false - nullable: true type: object properties: - force: - default: false + host_urls: + items: + type: string + maxItems: 10 + minItems: 1 + type: array + is_default: type: boolean - ignore_constraints: - default: false + is_internal: type: boolean + name: + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + ssl: + additionalProperties: false + type: object + properties: + agent_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + 
- id + - type: string + es_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + nullable: true + type: object + properties: + agent_certificate: + type: string + agent_certificate_authorities: + items: + type: string + maxItems: 10 + type: array + agent_key: + type: string + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + client_auth: + enum: + - optional + - required + - none + type: string + es_certificate: + type: string + es_certificate_authorities: + items: + type: string + maxItems: 10 + type: array + es_key: + type: string + key: + type: string + required: + - proxy_id responses: '200': content: application/json: examples: - postInstallPackageExample: - description: Package successfully installed + putFleetServerHostExample: + description: The updated Fleet Server host value: - _meta: - install_source: registry - items: - - id: aws-logs-aws.cloudwatch_logs-default - type: index_template - schema: - additionalProperties: false - type: object - properties: - _meta: - additionalProperties: false - type: object + item: + host_urls: + - https://updated-fleet-server.example.com:8220 + id: fleet-server-host-id-1 + is_default: false + is_preconfigured: false + name: Updated Fleet Server + schema: + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object properties: - install_source: + host_urls: + items: + type: string + maxItems: 10 + minItems: 1 + type: array + id: type: string + is_default: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + default: false + type: boolean name: type: string - required: - - install_source - - name - items: - items: - anyOf: - - 
additionalProperties: false - type: object - properties: - deferred: - type: boolean - id: - type: string - originId: - type: string - type: - anyOf: - - enum: - - dashboard - - lens - - visualization - - search - - index-pattern - - map - - ml-module - - security-rule - - csp-rule-template - - osquery-pack-asset - - osquery-saved-query - - tag - type: string - - type: string - required: - - id - - type - - additionalProperties: false - type: object - properties: - deferred: - type: boolean - id: + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + ssl: + additionalProperties: false + type: object + properties: + agent_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + es_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + nullable: true + type: object + properties: + agent_certificate: + type: string + agent_certificate_authorities: + items: type: string - type: - enum: - - index - - index_template - - component_template - - ingest_pipeline - - ilm_policy - - data_stream_ilm_policy - - transform - - ml_model - - knowledge_base - - esql_view + maxItems: 10 + type: array + agent_key: + type: string + certificate: + type: string + certificate_authorities: + items: type: string - version: + maxItems: 10 + type: array + client_auth: + enum: + - optional + - required + - none + type: string + es_certificate: + type: string + es_certificate_authorities: + items: type: string - required: - - id - - type - maxItems: 10000 - type: array + maxItems: 10 + type: array + es_key: + type: string + key: + type: string + required: + - name + - host_urls + - id required: - - items - - _meta 
+ - item description: Successful response '400': content: @@ -51568,22 +43976,34 @@ paths: - message - attributes description: Bad Request - summary: Install a package from the registry + '404': + content: + application/json: + examples: + notFoundExample: + description: No Fleet Server host was found with the given ID + value: + error: Not Found + message: Fleet server fleet-server-host-id-1 not found + statusCode: 404 + description: Not Found + summary: Update a Fleet Server host tags: - - Elastic Package Manager (EPM) + - Fleet Server hosts x-metaTags: - content: Kibana name: product_name - put: + /api/fleet/health_check: + post: description: |- **Spaces method and path for this operation:** -
put /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}
+
post /s/{space_id}/api/fleet/health_check
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Update settings for a specific version of a package.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: put-fleet-epm-packages-pkgname-pkgversion + Check the health status of a Fleet Server instance by its host ID. Returns the server status and name if available.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: post-fleet-health-check parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -51592,607 +44012,169 @@ paths: schema: example: 'true' type: string - - description: Package name - in: path - name: pkgName - required: true - schema: - type: string - - description: Package version - in: path - name: pkgVersion - required: true - schema: - type: string requestBody: content: application/json: examples: - putUpdatePackageNamespaceCustomizationExample: - description: Enable namespace-level customization for the `production` and `staging` namespaces - value: - namespace_customization_enabled_for: - - production - - staging - putUpdatePackageRequestExample: - description: Update keep_policies_up_to_date setting for a package + postHealthCheckRequestExample: + description: Check the health of a Fleet Server instance by its host ID value: - keepPoliciesUpToDate: true + id: fleet-server-host-id-1 schema: additionalProperties: false type: object properties: - keepPoliciesUpToDate: - type: boolean - namespace_customization_enabled_for: - description: Namespaces for which namespace-level customization is enabled on this package. - items: + id: + type: string + required: + - id + responses: + '200': + content: + application/json: + examples: + postHealthCheckHealthyExample: + description: Fleet Server is online and healthy + value: + name: fleet-server-1 + status: ONLINE + postHealthCheckUnreachableExample: + description: Fleet Server host is not reachable (request timed out or aborted) + value: + host_id: fleet-server-host-id-1 + status: OFFLINE + schema: + additionalProperties: false + type: object + properties: + host_id: type: string - maxItems: 100 - type: array + name: + type: string + status: + type: string + required: + - status + description: Successful health check response + '400': + content: + application/json: + examples: + badRequestExample: + description: The host ID exists but has no associated host URLs configured + value: + error: Bad Request + message: The requested host id fleet-server-host-id-1 does not have associated host urls. 
+ statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No Fleet Server host was found with the given ID + value: + error: Not Found + message: The requested host id fleet-server-host-id-1 does not exist. + statusCode: 404 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Not Found + summary: Check Fleet Server health + tags: + - Fleet internals + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/kubernetes: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/kubernetes
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the Kubernetes manifest for deploying Elastic Agent.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-setup. + operationId: get-fleet-kubernetes + parameters: + - description: If true, returns the manifest as a downloadable file + in: query + name: download + required: false + schema: + type: boolean + - description: Fleet Server host URL to include in the manifest + in: query + name: fleetServer + required: false + schema: + type: string + - description: Enrollment token to include in the manifest + in: query + name: enrolToken + required: false + schema: + type: string responses: '200': content: application/json: examples: - putUpdatePackageExample: - description: Updated package settings + getK8sManifestExample: + description: The Kubernetes manifest for deploying Elastic Agent value: - item: - keepPoliciesUpToDate: true - name: aws - version: 2.10.0 + item: 'apiVersion: v1\nkind: ConfigMap\nmetadata:\n name: agent-node-datastreams\n namespace: kube-system\n' + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_k8s_manifest_response' + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: additionalProperties: false - type: object - properties: - item: - additionalProperties: true - type: object - properties: - agent: - additionalProperties: false - type: object - properties: - privileges: - additionalProperties: false - type: object - properties: - root: - type: boolean - asset_tags: - items: - additionalProperties: false - type: object - properties: - asset_ids: - items: - type: string - maxItems: 1000 - type: array - asset_types: - items: - type: string - maxItems: 100 - type: array - text: - type: string - required: - - text - maxItems: 1000 - type: array - assets: - additionalProperties: - nullable: true - type: object - categories: - items: - 
type: string - maxItems: 100 - type: array - conditions: - additionalProperties: true - type: object - properties: - deprecated: - additionalProperties: true - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - elastic: - additionalProperties: true - type: object - properties: - capabilities: - items: - type: string - maxItems: 10 - type: array - subscription: - type: string - kibana: - additionalProperties: true - type: object - properties: - version: - type: string - data_streams: - items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 - type: array - deprecated: - additionalProperties: true - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - description: - type: string - discovery: - additionalProperties: true - type: object - properties: - datasets: - items: - additionalProperties: true - type: object - properties: - name: - type: string - required: - - name - maxItems: 100 - type: array - fields: - items: - additionalProperties: true - type: object - properties: - name: - type: string - required: - - name - maxItems: 100 - type: array - download: - type: string - elasticsearch: - additionalProperties: - nullable: true - type: object - format_version: - type: string - icons: - items: - additionalProperties: true - type: object - properties: - dark_mode: - type: boolean - path: - type: string - size: - type: string - src: - type: string - title: - type: string - type: - type: string - required: - - src - maxItems: 100 - type: array - installationInfo: - additionalProperties: true - type: object - properties: - additional_spaces_installed_kibana: - additionalProperties: - items: - additionalProperties: true - type: object - properties: - deferred: - type: boolean - id: - type: string 
- originId: - type: string - type: - anyOf: - - enum: - - dashboard - - lens - - visualization - - search - - index-pattern - - map - - ml-module - - security-rule - - csp-rule-template - - osquery-pack-asset - - osquery-saved-query - - tag - type: string - - type: string - required: - - id - - type - maxItems: 100 - type: array - type: object - created_at: - type: string - experimental_data_stream_features: - items: - additionalProperties: true - type: object - properties: - data_stream: - type: string - features: - additionalProperties: true - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - install_format_schema_version: - type: string - install_source: - enum: - - registry - - upload - - bundled - - custom - type: string - install_status: - enum: - - installed - - installing - - install_failed - type: string - installed_es: - items: - additionalProperties: true - type: object - properties: - deferred: - type: boolean - id: - type: string - type: - enum: - - index - - index_template - - component_template - - ingest_pipeline - - ilm_policy - - data_stream_ilm_policy - - transform - - ml_model - - knowledge_base - - esql_view - type: string - version: - type: string - required: - - id - - type - maxItems: 10000 - type: array - installed_kibana: - items: - additionalProperties: true - type: object - properties: - deferred: - type: boolean - id: - type: string - originId: - type: string - type: - anyOf: - - enum: - - dashboard - - lens - - visualization - - search - - index-pattern - - map - - ml-module - - security-rule - - csp-rule-template - - osquery-pack-asset - - osquery-saved-query - - tag - type: string - - type: string - required: - - id - - type - maxItems: 10000 - type: array - installed_kibana_space_id: - type: string - is_rollback_ttl_expired: - type: boolean - 
latest_executed_state: - additionalProperties: true - type: object - properties: - error: - type: string - name: - type: string - started_at: - type: string - latest_install_failed_attempts: - items: - additionalProperties: true - type: object - properties: - created_at: - type: string - error: - additionalProperties: true - type: object - properties: - message: - type: string - name: - type: string - stack: - type: string - required: - - name - - message - target_version: - type: string - required: - - created_at - - target_version - - error - maxItems: 10 - type: array - name: - type: string - namespaces: - items: - type: string - maxItems: 100 - type: array - previous_version: - nullable: true - type: string - rolled_back: - type: boolean - type: - type: string - updated_at: - type: string - verification_key_id: - nullable: true - type: string - verification_status: - enum: - - unverified - - verified - - unknown - type: string - version: - type: string - required: - - type - - installed_kibana - - installed_es - - name - - version - - install_status - - install_source - - verification_status - internal: - type: boolean - keepPoliciesUpToDate: - type: boolean - latestVersion: - type: string - license: - type: string - licensePath: - type: string - name: - type: string - notice: - type: string - owner: - additionalProperties: true - type: object - properties: - github: - type: string - type: - enum: - - elastic - - partner - - community - type: string - path: - type: string - policy_templates: - items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 - type: array - readme: - type: string - release: - enum: - - ga - - beta - - experimental - type: string - screenshots: - items: - additionalProperties: false - type: object - properties: - dark_mode: - type: boolean - path: - type: string - size: - type: string - src: - type: string - title: - type: string - type: - type: string - required: - - src - maxItems: 100 - type: array - 
signature_path: - type: string - source: - additionalProperties: true - type: object - properties: - license: - type: string - required: - - license - status: - type: string - title: - type: string - type: - anyOf: - - enum: - - integration - type: string - - enum: - - input - type: string - - enum: - - content - type: string - - type: string - var_groups: - items: - additionalProperties: true - type: object - properties: - description: - type: string - name: - type: string - options: - items: - additionalProperties: true - type: object - properties: - description: - type: string - hide_in_deployment_modes: - items: - enum: - - default - - agentless - type: string - maxItems: 2 - type: array - name: - type: string - title: - type: string - vars: - items: - type: string - maxItems: 100 - type: array - required: - - name - - title - - vars - maxItems: 100 - type: array - selector_title: - type: string - title: - type: string - required: - - name - - title - - selector_title - - options - maxItems: 100 - type: array - vars: - items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 - type: array - version: - type: string - required: - - name - - version - - title - - assets - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error + description: Generic Error type: object properties: attributes: 
@@ -52209,40 +44191,40 @@ paths: - message - attributes description: Bad Request - summary: Update package settings + summary: Get a full K8s agent manifest tags: - - Elastic Package Manager (EPM) + - Elastic Agent policies x-metaTags: - content: Kibana name: product_name - /api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}: + /api/fleet/kubernetes/download: get: description: |- **Spaces method and path for this operation:** -
get /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}
+
get /s/{space_id}/api/fleet/kubernetes/download
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Get the contents of a specific file from a package.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. - operationId: get-fleet-epm-packages-pkgname-pkgversion-filepath + Download the Kubernetes manifest for deploying Elastic Agent.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-setup. + operationId: get-fleet-kubernetes-download parameters: - - description: Package name - in: path - name: pkgName - required: true + - description: If true, returns the manifest as a downloadable file + in: query + name: download + required: false schema: - type: string - - description: Package version - in: path - name: pkgVersion - required: true + type: boolean + - description: Fleet Server host URL to include in the manifest + in: query + name: fleetServer + required: false schema: type: string - - description: File path within the package - in: path - name: filePath - required: true + - description: Enrollment token to include in the manifest + in: query + name: enrolToken + required: false schema: type: string responses: @@ -52250,11 +44232,12 @@ paths: content: application/json: examples: - getPackageFileExample: - description: The content of the requested package file - value: - schema: {} - description: Successful response — returns the file content + getDownloadK8sManifestExample: + description: The Kubernetes manifest download + value: 'apiVersion: v1\nkind: ConfigMap\nmetadata:\n name: agent-node-datastreams\n namespace: kube-system\n' + schema: + type: string + description: Successful response — returns the Kubernetes manifest as a YAML file download '400': content: application/json: 
@@ -52284,23 +44267,52 @@ paths: - message - attributes description: Bad Request - summary: Get a package file + '404': + content: + application/json: + examples: + notFoundExample: + description: No manifest was found + value: + error: Not Found + message: Agent manifest not found + statusCode: 404 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Not Found + summary: Download an agent manifest tags: - - Elastic Package Manager (EPM) + - Elastic Agent policies x-metaTags: - content: Kibana name: product_name - /api/fleet/epm/packages/{pkgName}/{pkgVersion}/datastream_assets: - delete: + /api/fleet/logstash_api_keys: + post: description: |- **Spaces method and path for this operation:** -
delete /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/datastream_assets
+
post /s/{space_id}/api/fleet/logstash_api_keys
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Delete datastream assets for a specific input package, by data stream name.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: delete-fleet-epm-packages-pkgname-pkgversion-datastream-assets + Generate an API key for Logstash to use with a Fleet output.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: post-fleet-logstash-api-keys parameters: - description: A required header to protect against CSRF attacks in: header @@ -52309,43 +44321,23 @@ paths: schema: example: 'true' type: string - - description: Package name - in: path - name: pkgName - required: true - schema: - type: string - - description: Package version - in: path - name: pkgVersion - required: true - schema: - type: string - - description: The ID of the package policy - in: query - name: packagePolicyId - required: true - schema: - type: string responses: '200': content: application/json: examples: - deletePackageDatastreamAssetsExample: - description: Package datastream assets successfully deleted + postLogstashApiKeyExample: + description: The generated Logstash API key value: - items: - - id: logs-my_package.access-default - type: index_template + api_key: TiNAGG4BaaMdaH1tRfuU:KnR6yE41RrSowb0kQ0HWoA schema: additionalProperties: false type: object properties: - success: - type: boolean + api_key: + type: string required: - - success + - api_key description: Successful response '400': content: @@ -52376,84 +44368,66 @@ paths: - message - attributes description: Bad Request - summary: Delete assets for an input package + summary: Generate a Logstash API key tags: - - Elastic Package Manager (EPM) + - Fleet outputs x-metaTags: - content: Kibana name: product_name - /api/fleet/epm/packages/{pkgName}/{pkgVersion}/dependencies: - get: + /api/fleet/message_signing_service/rotate_key_pair: + post: description: |- **Spaces method and path for this operation:** -
get /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/dependencies
+
post /s/{space_id}/api/fleet/message_signing_service/rotate_key_pair
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Get the list of packages that a specific package depends on.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. - operationId: get-fleet-epm-packages-pkgname-pkgversion-dependencies + Rotate the key pair used by Fleet to sign messages sent to Elastic Agents. This operation is irreversible and requires all agents in the Fleet to be re-enrolled after rotation. You must explicitly acknowledge the risk by passing `acknowledge=true` as a query parameter.

[Required authorization] Route required privileges: fleet-agents-all AND fleet-agent-policies-all AND fleet-settings-all. + operationId: post-fleet-message-signing-service-rotate-key-pair parameters: - - description: Package name - in: path - name: pkgName + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: + example: 'true' type: string - - description: Package version - in: path - name: pkgVersion - required: true + - description: Set to true to confirm you understand the risks of rotating the key pair + in: query + name: acknowledge + required: false schema: - type: string + default: false + type: boolean responses: '200': content: application/json: examples: - dependenciesResponse: - value: - items: - - name: aws - title: AWS - version: ^2.0.0 - - name: system - title: System - version: ^1.0.0 - noDependenciesResponse: + rotateKeyPairSuccessExample: + description: The key pair was rotated. All agents must be re-enrolled to receive the new signing key. value: - items: [] + message: Key pair rotated successfully. schema: additionalProperties: false type: object properties: - items: - items: - additionalProperties: false - type: object - properties: - name: - type: string - title: - type: string - version: - type: string - required: - - name - - version - - title - maxItems: 1000 - type: array + message: + type: string required: - - items - description: 'OK: A successful request.' + - message + description: Key pair rotated successfully '400': content: application/json: examples: - packageNotFoundResponse: + acknowledgeRequiredExample: + description: Request was rejected because the acknowledge query parameter was not set to true value: - message: '[my-package-1.0.0] package not found in registry' + error: Bad Request + message: 'Warning: this API will cause a key pair to rotate and should not be necessary in normal operation. If you proceed, you may need to reinstall Agents in your network. 
You must acknowledge the risks of rotating the key pair with acknowledge=true in the request parameters. For more information, reach out to your administrator.' + statusCode: 400 schema: additionalProperties: false description: Generic Error @@ -52472,75 +44446,17 @@ paths: required: - message - attributes - description: A bad request. - summary: Get package dependencies - tags: - - Elastic Package Manager (EPM) - x-state: Generally available; added in 9.4.0 - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete Kibana assets (dashboards, visualizations, etc.) for a specific package version.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: delete-fleet-epm-packages-pkgname-pkgversion-kibana-assets - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Package name - in: path - name: pkgName - required: true - schema: - type: string - - description: Package version - in: path - name: pkgVersion - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - deleteKibanaAssetsExample: - description: Kibana assets successfully deleted - value: - items: - - id: dashboard-id-1 - type: dashboard - schema: - additionalProperties: false - type: object - properties: - success: - type: boolean - required: - - success - description: Successful response - '400': + description: Bad Request + '500': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + serviceUnavailableExample: + description: The message signing service is not available value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + error: Internal Server Error + message: Failed to rotate key pair. Message signing service is unavailable! + statusCode: 500 schema: additionalProperties: false description: Generic Error @@ -52559,83 +44475,68 @@ paths: required: - message - attributes - description: Bad Request - summary: Delete Kibana assets for a package + description: Internal Server Error + summary: Rotate a Fleet message signing key pair tags: - - Elastic Package Manager (EPM) + - Message Signing Service x-metaTags: - content: Kibana name: product_name - post: + /api/fleet/outputs: + get: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets
+
get /s/{space_id}/api/fleet/outputs
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Install Kibana assets (dashboards, visualizations, etc.) for a specific package version.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-pkgname-pkgversion-kibana-assets - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Package name - in: path - name: pkgName - required: true - schema: - type: string - - description: Package version - in: path - name: pkgVersion - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - postInstallKibanaAssetsRequestExample: - description: Install Kibana assets for a specific package version - value: {} - schema: - additionalProperties: false - nullable: true - type: object - properties: - force: - type: boolean - space_ids: - description: When provided install assets in the specified spaces instead of the current space. - items: - type: string - maxItems: 100 - minItems: 1 - type: array + List all Fleet outputs.

[Required authorization] Route required privileges: fleet-settings-read OR fleet-agent-policies-read. + operationId: get-fleet-outputs + parameters: [] responses: '200': content: application/json: examples: - postInstallKibanaAssetsExample: - description: Kibana assets successfully installed + getOutputsExample: + description: List of Fleet outputs value: items: - - id: dashboard-id-1 - type: dashboard + - hosts: + - https://elasticsearch.example.com:9200 + id: output-id-1 + is_default: true + is_default_monitoring: true + name: Default output + type: elasticsearch + page: 1 + perPage: 20 + total: 1 schema: additionalProperties: false type: object properties: - success: - type: boolean + items: + items: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_remote_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_logstash' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_kafka' + maxItems: 10000 + type: array + page: + type: number + perPage: + type: number + total: + type: number required: - - success + - items + - total + - page + - perPage description: Successful response '400': content: @@ -52666,23 +44567,22 @@ paths: - message - attributes description: Bad Request - summary: Install Kibana assets for a package + summary: Get outputs tags: - - Elastic Package Manager (EPM) + - Fleet outputs x-metaTags: - content: Kibana name: product_name - /api/fleet/epm/packages/{pkgName}/{pkgVersion}/rule_assets: post: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/rule_assets
+
post /s/{space_id}/api/fleet/outputs
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Install Kibana alert rule assets for a specific package version.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-pkgname-pkgversion-rule-assets + Create a new Fleet output.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: post-fleet-outputs parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -52691,51 +44591,53 @@ paths: schema: example: 'true' type: string - - description: Package name - in: path - name: pkgName - required: true - schema: - type: string - - description: Package version - in: path - name: pkgVersion - required: true - schema: - type: string requestBody: content: application/json: examples: - postInstallRuleAssetsRequestExample: - description: Install alert rule assets for a specific package version - value: {} + postOutputRequestExample: + description: Create a new Elasticsearch output + value: + hosts: + - https://elasticsearch.example.com:9200 + is_default: false + is_default_monitoring: false + name: My output + type: elasticsearch schema: - additionalProperties: false - nullable: true - type: object - properties: - force: - type: boolean + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_output_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_output_remote_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_output_logstash' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_output_kafka' responses: '200': content: application/json: examples: - postInstallRuleAssetsExample: - description: Rule assets successfully installed + postOutputExample: + description: The created Fleet output value: - items: - - id: rule-asset-id-1 - type: security_rule + item: + hosts: + - https://elasticsearch.example.com:9200 + id: output-id-2 + is_default: false + is_default_monitoring: false + name: My output + type: elasticsearch schema: additionalProperties: false type: object properties: - success: - type: boolean + item: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_remote_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_logstash' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_kafka' required: - - success + - item description: Successful response '400': content: 
@@ -52766,23 +44668,23 @@ paths: - message - attributes description: Bad Request - summary: Install Kibana alert rule for a package + summary: Create output tags: - - Elastic Package Manager (EPM) + - Fleet outputs x-metaTags: - content: Kibana name: product_name - /api/fleet/epm/packages/{pkgName}/{pkgVersion}/transforms/authorize: - post: + /api/fleet/outputs/{outputId}: + delete: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/transforms/authorize
+
delete /s/{space_id}/api/fleet/outputs/{outputId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Reauthorize Elasticsearch transforms installed by a package with secondary authorization headers. - operationId: post-fleet-epm-packages-pkgname-pkgversion-transforms-authorize + Delete output by ID.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: delete-fleet-outputs-outputid parameters: - description: A required header to protect against CSRF attacks in: header @@ -52791,79 +44693,29 @@ paths: schema: example: 'true' type: string - - description: Package name - in: path - name: pkgName - required: true - schema: - type: string - - description: Package version + - description: The ID of the output in: path - name: pkgVersion + name: outputId required: true schema: type: string - - description: When true, allow prerelease versions - in: query - name: prerelease - required: false - schema: - type: boolean - requestBody: - content: - application/json: - examples: - postReauthorizeTransformsRequestExample: - description: Reauthorize transforms for a package - value: - transforms: - - destinations: - - index: logs-transform-dest - transformId: logs-transform-1 - schema: - additionalProperties: false - type: object - properties: - transforms: - items: - additionalProperties: false - type: object - properties: - transformId: - type: string - required: - - transformId - maxItems: 1000 - type: array - required: - - transforms responses: '200': content: application/json: examples: - postReauthorizeTransformsExample: - description: Transforms successfully reauthorized + deleteOutputExample: + description: The output was successfully deleted value: - - success: true - transformId: logs-transform-1 + id: output-id-1 schema: - items: - additionalProperties: false - type: object - properties: - error: - nullable: true - success: - type: boolean - transformId: - type: string - required: - - transformId - - success - - error - maxItems: 10000 - type: array + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id description: Successful response '400': content: 
@@ -52894,84 +44746,97 @@ paths: - message - attributes description: Bad Request - summary: Authorize transforms + '404': + content: + application/json: + examples: + notFoundExample: + description: No output was found with the given ID + value: + error: Not Found + message: Output output-id-1 not found + statusCode: 404 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Not Found + summary: Delete output tags: - - Elastic Package Manager (EPM) + - Fleet outputs x-metaTags: - content: Kibana name: product_name - /api/fleet/epm/packages/{pkgName}/review_upgrade: - post: + get: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/review_upgrade
+
get /s/{space_id}/api/fleet/outputs/{outputId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Review and accept or reject a pending policy upgrade for a package that contains deprecations.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-pkgname-review-upgrade + Get output by ID.

[Required authorization] Route required privileges: fleet-settings-read OR fleet-agent-policies-read. + operationId: get-fleet-outputs-outputid parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Package name to review upgrade for + - description: The ID of the output in: path - name: pkgName + name: outputId required: true schema: type: string - requestBody: - content: - application/json: - examples: - acceptUpgrade: - value: - action: accept - target_version: 2.0.0 - schema: - additionalProperties: false - type: object - properties: - action: - enum: - - accept - - decline - - pending - type: string - target_version: - type: string - required: - - action - - target_version responses: '200': content: application/json: examples: - successResponse: + getOutputExample: + description: A Fleet output value: - success: true + item: + hosts: + - https://elasticsearch.example.com:9200 + id: output-id-1 + is_default: true + is_default_monitoring: true + name: Default output + type: elasticsearch schema: additionalProperties: false type: object properties: - success: - type: boolean + item: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_remote_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_logstash' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_kafka' required: - - success - description: 'OK: A successful request.' + - item + description: Successful response '400': content: application/json: examples: - badRequestResponse: + genericErrorResponseExample: + description: Example of a generic error response value: - message: Bad Request + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: additionalProperties: false description: Generic Error 
@@ -52990,25 +44855,34 @@ paths: required: - message - attributes - description: A bad request. - summary: Review a pending policy upgrade for a package with deprecations + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No output was found with the given ID + value: + error: Not Found + message: Output output-id-1 not found + statusCode: 404 + description: Not Found + summary: Get output tags: - - Elastic Package Manager (EPM) - x-state: Generally available; added in 9.4.0 + - Fleet outputs x-metaTags: - content: Kibana name: product_name - /api/fleet/epm/packages/{pkgName}/rollback: - post: + put: description: |- **Spaces method and path for this operation:** -
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/rollback
+
put /s/{space_id}/api/fleet/outputs/{outputId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Rollback a package to its previously installed version.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-pkgname-rollback + Update output by ID.

[Required authorization] Route required privileges: fleet-settings-all OR fleet-agent-policies-all. + operationId: put-fleet-outputs-outputid parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -53017,40 +44891,67 @@ paths: schema: example: 'true' type: string - - description: Package name to roll back + - description: The ID of the output in: path - name: pkgName + name: outputId required: true schema: type: string + requestBody: + content: + application/json: + examples: + putOutputRequestExample: + description: Update a Fleet output + value: + hosts: + - https://updated-elasticsearch.example.com:9200 + name: Updated output + schema: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_output_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_output_remote_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_output_logstash' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_output_kafka' responses: '200': content: application/json: examples: - successResponse: + putOutputExample: + description: The updated Fleet output value: - success: true - version: 1.0.0 + item: + hosts: + - https://updated-elasticsearch.example.com:9200 + id: output-id-1 + is_default: true + is_default_monitoring: true + name: Updated output + type: elasticsearch schema: additionalProperties: false type: object properties: - success: - type: boolean - version: - type: string + item: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_remote_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_logstash' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_kafka' required: - - version - - success - description: 'OK: A successful request.' + - item + description: Successful response '400': content: application/json: examples: - badRequestResponse: + genericErrorResponseExample: + description: Example of a generic error response value: - message: Bad Request + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: additionalProperties: false description: Generic Error 
@@ -53069,29 +44970,39 @@ paths: required: - message - attributes - description: A bad request. - summary: Rollback a package to previous version + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No output was found with the given ID + value: + error: Not Found + message: Output output-id-1 not found + statusCode: 404 + description: Not Found + summary: Update output tags: - - Elastic Package Manager (EPM) - x-state: Technical Preview; added in 9.1.0 + - Fleet outputs x-metaTags: - content: Kibana name: product_name - /api/fleet/epm/packages/{pkgName}/stats: + /api/fleet/outputs/{outputId}/health: get: description: |- **Spaces method and path for this operation:** -
get /s/{space_id}/api/fleet/epm/packages/{pkgName}/stats
+
get /s/{space_id}/api/fleet/outputs/{outputId}/health
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Get usage statistics for a specific package, such as the number of agent policies using it.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. - operationId: get-fleet-epm-packages-pkgname-stats + Get the latest health status of an output by ID.

[Required authorization] Route required privileges: fleet-settings-read. + operationId: get-fleet-outputs-outputid-health parameters: - - description: Package name + - description: The ID of the output in: path - name: pkgName + name: outputId required: true schema: type: string @@ -53100,28 +45011,29 @@ paths: content: application/json: examples: - getPackageStatsExample: - description: Usage stats for a specific package + getOutputHealthExample: + description: The latest health status of a Fleet output value: - response: - agent_policy_count: 3 + message: '' + state: HEALTHY + timestamp: '2024-01-15T10:00:00.000Z' schema: additionalProperties: false type: object properties: - response: - additionalProperties: false - type: object - properties: - agent_policy_count: - type: number - package_policy_count: - type: number - required: - - agent_policy_count - - package_policy_count + message: + description: long message if unhealthy + type: string + state: + description: state of output, HEALTHY or DEGRADED + type: string + timestamp: + description: timestamp of reported state + type: string required: - - response + - state + - message + - timestamp description: Successful response '400': content: @@ -53152,171 +45064,123 @@ paths: - message - attributes description: Bad Request - summary: Get package stats + summary: Get the latest output health tags: - - Elastic Package Manager (EPM) + - Fleet outputs x-metaTags: - content: Kibana name: product_name - /api/fleet/epm/packages/installed: + /api/fleet/package_policies: get: description: |- **Spaces method and path for this operation:** -
get /s/{space_id}/api/fleet/epm/packages/installed
+
get /s/{space_id}/api/fleet/package_policies
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Get a list of all currently installed integration packages.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. - operationId: get-fleet-epm-packages-installed + List all package policies. + operationId: get-fleet-package-policies parameters: - - description: Filter by data stream type + - description: Page number in: query - name: dataStreamType + name: page required: false schema: - enum: - - logs - - metrics - - traces - - synthetics - - profiling - type: string - - description: When true, only return packages with active data streams + type: number + - description: Number of results per page in: query - name: showOnlyActiveDataStreams + name: perPage required: false schema: - type: boolean - - description: Filter packages by name + type: number + - description: Field to sort results by in: query - name: nameQuery + name: sortField required: false schema: type: string - - description: Sort values from the previous page for `search_after` pagination - in: query - name: searchAfter - required: false - schema: - items: - anyOf: - - type: string - - type: number - maxItems: 10 - type: array - - description: Number of results per page - in: query - name: perPage - required: false - schema: - default: 15 - type: number - description: Sort order, ascending or descending in: query name: sortOrder required: false schema: - default: asc enum: - - asc - desc + - asc + type: string + - description: When true, only show policies with available upgrades + in: query + name: showUpgradeable + required: false + schema: + type: boolean + - description: A KQL query string to filter results + in: query + name: kuery + required: false + schema: + type: string + - description: 'Format for the response: simplified or legacy' + in: query + name: format + required: false + schema: + enum: + - simplified + - legacy type: string + - description: When true, include the agent count per package policy + in: query + name: withAgentCount + required: false + schema: + type: boolean responses: '200': 
content: application/json: examples: - getInstalledPackagesExample: - description: List of installed integration packages + getPackagePoliciesExample: + description: List of package policies value: items: - - name: system - status: installed - title: System - version: 1.55.0 - - name: elastic_agent - status: installed - title: Elastic Agent - version: 1.15.0 - searchExcluded: 0 - total: 2 + - created_at: '2024-01-15T10:00:00.000Z' + enabled: true + id: package-policy-id-1 + inputs: [] + name: nginx-1 + namespace: default + package: + name: nginx + title: Nginx + version: 1.20.0 + policy_ids: + - agent-policy-id-1 + updated_at: '2024-01-15T10:00:00.000Z' + page: 1 + perPage: 20 + total: 1 schema: additionalProperties: false type: object properties: items: items: - additionalProperties: false - type: object - properties: - dataStreams: - items: - additionalProperties: false - type: object - properties: - name: - type: string - title: - type: string - required: - - name - - title - maxItems: 10000 - type: array - description: - type: string - icons: - items: - additionalProperties: false - type: object - properties: - dark_mode: - type: boolean - path: - type: string - size: - type: string - src: - type: string - title: - type: string - type: - type: string - required: - - src - maxItems: 100 - type: array - name: - type: string - status: - type: string - title: - type: string - version: - type: string - required: - - name - - version - - status - - dataStreams + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_response' maxItems: 10000 type: array - searchAfter: - items: - anyOf: - - type: string - - type: number - - type: boolean - - nullable: true - nullable: true - maxItems: 2 - type: array + page: + type: number + perPage: + type: number total: type: number required: - items - total + - page + - perPage description: Successful response '400': content: 
@@ -53347,46 +45211,83 @@ paths: - message - attributes description: Bad Request - summary: Get installed packages + summary: Get package policies tags: - - Elastic Package Manager (EPM) + - Fleet package policies x-metaTags: - content: Kibana name: product_name - /api/fleet/epm/packages/limited: - get: + post: description: |- **Spaces method and path for this operation:** -
get /s/{space_id}/api/fleet/epm/packages/limited
+
post /s/{space_id}/api/fleet/package_policies
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Get the list of packages that cannot be uninstalled (e.g. elastic_agent, fleet_server).

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. - operationId: get-fleet-epm-packages-limited - parameters: [] + Create a new package policy and assign it to an agent policy. + operationId: post-fleet-package-policies + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: 'Format for the response: simplified or legacy' + in: query + name: format + required: false + schema: + enum: + - simplified + - legacy + type: string + requestBody: + content: + application/json: + examples: + postPackagePolicyRequestExample: + description: Create a new nginx package policy + value: + inputs: {} + name: nginx-1 + namespace: default + package: + name: nginx + version: 1.20.0 + policy_ids: + - agent-policy-id-1 + schema: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_create_package_policy_request' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_simplified_create_package_policy_request' + description: You should use inputs as an object and not use the deprecated inputs array. responses: '200': content: application/json: examples: - getLimitedPackagesExample: - description: List of packages that cannot be uninstalled + postPackagePolicyExample: + description: The created package policy value: - items: - - elastic_agent - - fleet_server + item: + created_at: '2024-01-15T10:00:00.000Z' + enabled: true + id: package-policy-id-2 + inputs: [] + name: nginx-1 + namespace: default + package: + name: nginx + title: Nginx + version: 1.20.0 + policy_ids: + - agent-policy-id-1 + updated_at: '2024-01-15T10:00:00.000Z' schema: - additionalProperties: false - type: object - properties: - items: - items: - type: string - maxItems: 10000 - type: array - required: - - items + $ref: '#/components/schemas/Kibana_HTTP_APIs_create_package_policy_response' description: Successful response '400': content: 
@@ -53417,182 +45318,16 @@ paths: - message - attributes description: Bad Request - summary: Get a limited package list - tags: - - Elastic Package Manager (EPM) - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get an inputs template for a package, used to pre-populate package policy forms.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. - operationId: get-fleet-epm-templates-pkgname-pkgversion-inputs - parameters: - - description: Package name - in: path - name: pkgName - required: true - schema: - type: string - - description: Package version - in: path - name: pkgVersion - required: true - schema: - type: string - - description: 'Output format for the inputs template: json, yml, or yaml' - in: query - name: format - required: false - schema: - default: json - enum: - - json - - yml - - yaml - type: string - - description: When true, allow prerelease versions - in: query - name: prerelease - required: false - schema: - type: boolean - - description: When true, return inputs even if the package signature cannot be verified - in: query - name: ignoreUnverified - required: false - schema: - type: boolean - responses: - '200': - content: - application/json: - examples: - getInputsTemplateExample: - description: Inputs template for a package - value: - inputs: - - description: Collect logs from log files - title: Collect logs from files - type: logfile - vars: - - name: paths - required: true - title: Paths - type: text - schema: - anyOf: - - type: string - - additionalProperties: false - type: object - properties: - connectors: - additionalProperties: - nullable: true - type: object - exporters: - additionalProperties: - nullable: true - type: object - extensions: - additionalProperties: - nullable: true - type: object - inputs: - items: - additionalProperties: false - type: object - properties: - id: - type: string - streams: - items: - additionalProperties: true - type: object - properties: - data_stream: - additionalProperties: true - type: object - properties: - dataset: - type: string - type: - type: string - required: - - dataset - id: - type: string - required: - - id - - data_stream - maxItems: 10000 - type: array - type: - type: string - required: - - id - - type - maxItems: 10000 - type: array 
- processors: - additionalProperties: - nullable: true - type: object - receivers: - additionalProperties: - nullable: true - type: object - service: - additionalProperties: false - type: object - properties: - extensions: - items: - type: string - maxItems: 1000 - type: array - pipelines: - additionalProperties: - additionalProperties: false - type: object - properties: - exporters: - items: - type: string - maxItems: 1000 - type: array - processors: - items: - type: string - maxItems: 1000 - type: array - receivers: - items: - type: string - maxItems: 1000 - type: array - x-oas-optional: true - type: object - required: - - inputs - description: Successful response - '400': + '409': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + conflictExample: + description: A package policy with the same name already exists value: - error: Bad Request + error: Conflict message: An error message describing what went wrong - statusCode: 400 + statusCode: 409 schema: additionalProperties: false description: Generic Error @@ -53611,43 +45346,89 @@ paths: required: - message - attributes - description: Bad Request - summary: Get an inputs template + description: Conflict + summary: Create a package policy tags: - - Elastic Package Manager (EPM) + - Fleet package policies x-metaTags: - content: Kibana name: product_name - /api/fleet/epm/verification_key_id: - get: + /api/fleet/package_policies/_bulk_get: + post: description: |- **Spaces method and path for this operation:** -
get /s/{space_id}/api/fleet/epm/verification_key_id
+
post /s/{space_id}/api/fleet/package_policies/_bulk_get
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Get the GPG key ID used to verify the signatures of packages from the Elastic Package Registry.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. - operationId: get-fleet-epm-verification-key-id - parameters: [] + Get multiple package policies by ID. + operationId: post-fleet-package-policies-bulk-get + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: 'Format for the response: simplified or legacy' + in: query + name: format + required: false + schema: + enum: + - simplified + - legacy + type: string + requestBody: + content: + application/json: + examples: + postBulkGetPackagePoliciesRequestExample: + description: Retrieve multiple package policies by ID + value: + ids: + - package-policy-id-1 + - package-policy-id-2 + schema: + additionalProperties: false + type: object + properties: + ids: + description: list of package policy ids + items: + type: string + maxItems: 1000 + type: array + ignoreMissing: + type: boolean + required: + - ids responses: '200': content: application/json: examples: - getVerificationKeyIdExample: - description: The GPG key ID used to verify package signatures + postBulkGetPackagePoliciesExample: + description: The requested package policies value: - id: D27D666CD88E42B4 + items: + - created_at: '2024-01-15T10:00:00.000Z' + enabled: true + id: package-policy-id-1 + inputs: [] + name: nginx-1 + namespace: default + package: + name: nginx + title: Nginx + version: 1.20.0 + policy_ids: + - agent-policy-id-1 + updated_at: '2024-01-15T10:00:00.000Z' schema: - additionalProperties: false - type: object - properties: - id: - nullable: true - type: string - required: - - id + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_get_package_policies_response' description: Successful response '400': content: 
@@ -53667,6753 +45448,312 @@ paths: attributes: nullable: true error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get a package signature verification key ID - tags: - - Elastic Package Manager (EPM) - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/fleet_server_hosts: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/fleet_server_hosts
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - List all Fleet Server hosts.

[Required authorization] Route required privileges: fleet-agents-all OR fleet-settings-read. - operationId: get-fleet-fleet-server-hosts - parameters: [] - responses: - '200': - content: - application/json: - examples: - getFleetServerHostsExample: - description: List of Fleet Server hosts - value: - items: - - host_urls: - - https://fleet-server.example.com:8220 - id: fleet-server-host-id-1 - is_default: true - is_preconfigured: false - name: Default Fleet Server - page: 1 - perPage: 20 - total: 1 - schema: - additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: false - type: object - properties: - host_urls: - items: - type: string - maxItems: 10 - minItems: 1 - type: array - id: - type: string - is_default: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: - default: false - type: boolean - name: - type: string - proxy_id: - nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - ssl: - additionalProperties: false - type: object - properties: - agent_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - es_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - nullable: true - type: object - properties: - agent_certificate: - type: string - agent_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - agent_key: - type: string - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - client_auth: - enum: - - optional - - required - - none - type: string - es_certificate: - type: string - es_certificate_authorities: - items: - type: string 
- maxItems: 10 - type: array - es_key: - type: string - key: - type: string - required: - - name - - host_urls - - id - maxItems: 10000 - type: array - page: - type: number - perPage: - type: number - total: - type: number - required: - - items - - total - - page - - perPage - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get Fleet Server hosts - tags: - - Fleet Server hosts - x-metaTags: - - content: Kibana - name: product_name - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/fleet_server_hosts
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create a new Fleet Server host.

[Required authorization] Route required privileges: fleet-settings-all. - operationId: post-fleet-fleet-server-hosts - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postFleetServerHostRequestExample: - description: Create a new Fleet Server host - value: - host_urls: - - https://fleet-server.example.com:8220 - is_default: false - name: My Fleet Server - schema: - additionalProperties: false - type: object - properties: - host_urls: - items: - type: string - maxItems: 10 - minItems: 1 - type: array - id: - type: string - is_default: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: - default: false - type: boolean - name: - type: string - proxy_id: - nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - ssl: - additionalProperties: false - type: object - properties: - agent_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - es_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - nullable: true - type: object - properties: - agent_certificate: - type: string - agent_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - agent_key: - type: string - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - client_auth: - enum: - - optional - - required - - none - type: string - es_certificate: - type: string - es_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - es_key: - 
type: string - key: - type: string - required: - - name - - host_urls - responses: - '200': - content: - application/json: - examples: - postFleetServerHostExample: - description: The created Fleet Server host - value: - item: - host_urls: - - https://fleet-server.example.com:8220 - id: fleet-server-host-id-2 - is_default: false - is_preconfigured: false - name: My Fleet Server - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - host_urls: - items: - type: string - maxItems: 10 - minItems: 1 - type: array - id: - type: string - is_default: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: - default: false - type: boolean - name: - type: string - proxy_id: - nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - ssl: - additionalProperties: false - type: object - properties: - agent_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - es_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - nullable: true - type: object - properties: - agent_certificate: - type: string - agent_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - agent_key: - type: string - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - client_auth: - enum: - - optional - - required - - none - type: string - es_certificate: - type: string - es_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - es_key: - type: string - key: - type: string - required: - - name - - host_urls - - id - required: - - 
item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Create a Fleet Server host - tags: - - Fleet Server hosts - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/fleet_server_hosts/{itemId}: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/fleet/fleet_server_hosts/{itemId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete a Fleet Server host by ID.

[Required authorization] Route required privileges: fleet-settings-all. - operationId: delete-fleet-fleet-server-hosts-itemid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The ID of the Fleet Server host - in: path - name: itemId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - deleteFleetServerHostExample: - description: The Fleet Server host was successfully deleted - value: - id: fleet-server-host-id-1 - schema: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No Fleet Server host was found with the given ID - value: - error: Not Found - message: Fleet server fleet-server-host-id-1 not found - statusCode: 404 - description: Not Found - summary: Delete a Fleet Server host - tags: - - Fleet Server hosts - x-metaTags: - - content: Kibana - name: product_name - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/fleet_server_hosts/{itemId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a Fleet Server host by ID.

[Required authorization] Route required privileges: fleet-settings-read. - operationId: get-fleet-fleet-server-hosts-itemid - parameters: - - description: The ID of the Fleet Server host - in: path - name: itemId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getFleetServerHostExample: - description: A Fleet Server host - value: - item: - host_urls: - - https://fleet-server.example.com:8220 - id: fleet-server-host-id-1 - is_default: true - is_preconfigured: false - name: Default Fleet Server - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - host_urls: - items: - type: string - maxItems: 10 - minItems: 1 - type: array - id: - type: string - is_default: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: - default: false - type: boolean - name: - type: string - proxy_id: - nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - ssl: - additionalProperties: false - type: object - properties: - agent_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - es_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - nullable: true - type: object - properties: - agent_certificate: - type: string - agent_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - agent_key: - type: string - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - client_auth: - enum: - - optional - - required - - none - type: string - es_certificate: - type: string - 
es_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - es_key: - type: string - key: - type: string - required: - - name - - host_urls - - id - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No Fleet Server host was found with the given ID - value: - error: Not Found - message: Fleet server fleet-server-host-id-1 not found - statusCode: 404 - description: Not Found - summary: Get a Fleet Server host - tags: - - Fleet Server hosts - x-metaTags: - - content: Kibana - name: product_name - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/fleet/fleet_server_hosts/{itemId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update a Fleet Server host by ID.

[Required authorization] Route required privileges: fleet-settings-all. - operationId: put-fleet-fleet-server-hosts-itemid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The ID of the Fleet Server host - in: path - name: itemId - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - putFleetServerHostRequestExample: - description: Update a Fleet Server host - value: - host_urls: - - https://updated-fleet-server.example.com:8220 - is_default: false - name: Updated Fleet Server - schema: - additionalProperties: false - type: object - properties: - host_urls: - items: - type: string - maxItems: 10 - minItems: 1 - type: array - is_default: - type: boolean - is_internal: - type: boolean - name: - type: string - proxy_id: - nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - ssl: - additionalProperties: false - type: object - properties: - agent_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - es_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - nullable: true - type: object - properties: - agent_certificate: - type: string - agent_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - agent_key: - type: string - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - client_auth: - enum: - - optional - - required - - none - type: string - es_certificate: - type: string - es_certificate_authorities: - items: - type: string - 
maxItems: 10 - type: array - es_key: - type: string - key: - type: string - required: - - proxy_id - responses: - '200': - content: - application/json: - examples: - putFleetServerHostExample: - description: The updated Fleet Server host - value: - item: - host_urls: - - https://updated-fleet-server.example.com:8220 - id: fleet-server-host-id-1 - is_default: false - is_preconfigured: false - name: Updated Fleet Server - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - host_urls: - items: - type: string - maxItems: 10 - minItems: 1 - type: array - id: - type: string - is_default: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: - default: false - type: boolean - name: - type: string - proxy_id: - nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - ssl: - additionalProperties: false - type: object - properties: - agent_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - es_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - nullable: true - type: object - properties: - agent_certificate: - type: string - agent_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - agent_key: - type: string - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - client_auth: - enum: - - optional - - required - - none - type: string - es_certificate: - type: string - es_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - es_key: - type: string - key: - type: string - required: - - 
name - - host_urls - - id - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No Fleet Server host was found with the given ID - value: - error: Not Found - message: Fleet server fleet-server-host-id-1 not found - statusCode: 404 - description: Not Found - summary: Update a Fleet Server host - tags: - - Fleet Server hosts - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/health_check: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/health_check
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Check the health status of a Fleet Server instance by its host ID. Returns the server status and name if available.

[Required authorization] Route required privileges: fleet-settings-all. - operationId: post-fleet-health-check - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postHealthCheckRequestExample: - description: Check the health of a Fleet Server instance by its host ID - value: - id: fleet-server-host-id-1 - schema: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - responses: - '200': - content: - application/json: - examples: - postHealthCheckHealthyExample: - description: Fleet Server is online and healthy - value: - name: fleet-server-1 - status: ONLINE - postHealthCheckUnreachableExample: - description: Fleet Server host is not reachable (request timed out or aborted) - value: - host_id: fleet-server-host-id-1 - status: OFFLINE - schema: - additionalProperties: false - type: object - properties: - host_id: - type: string - name: - type: string - status: - type: string - required: - - status - description: Successful health check response - '400': - content: - application/json: - examples: - badRequestExample: - description: The host ID exists but has no associated host URLs configured - value: - error: Bad Request - message: The requested host id fleet-server-host-id-1 does not have associated host urls. 
- statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No Fleet Server host was found with the given ID - value: - error: Not Found - message: The requested host id fleet-server-host-id-1 does not exist. - statusCode: 404 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Not Found - summary: Check Fleet Server health - tags: - - Fleet internals - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/kubernetes: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/kubernetes
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the Kubernetes manifest for deploying Elastic Agent.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-setup. - operationId: get-fleet-kubernetes - parameters: - - description: If true, returns the manifest as a downloadable file - in: query - name: download - required: false - schema: - type: boolean - - description: Fleet Server host URL to include in the manifest - in: query - name: fleetServer - required: false - schema: - type: string - - description: Enrollment token to include in the manifest - in: query - name: enrolToken - required: false - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getK8sManifestExample: - description: The Kubernetes manifest for deploying Elastic Agent - value: - item: 'apiVersion: v1\nkind: ConfigMap\nmetadata:\n name: agent-node-datastreams\n namespace: kube-system\n' - schema: - additionalProperties: false - type: object - properties: - item: - type: string - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get a full K8s agent manifest - tags: - - Elastic Agent policies - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/kubernetes/download: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/kubernetes/download
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Download the Kubernetes manifest for deploying Elastic Agent.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-setup. - operationId: get-fleet-kubernetes-download - parameters: - - description: If true, returns the manifest as a downloadable file - in: query - name: download - required: false - schema: - type: boolean - - description: Fleet Server host URL to include in the manifest - in: query - name: fleetServer - required: false - schema: - type: string - - description: Enrollment token to include in the manifest - in: query - name: enrolToken - required: false - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getDownloadK8sManifestExample: - description: The Kubernetes manifest download - value: 'apiVersion: v1\nkind: ConfigMap\nmetadata:\n name: agent-node-datastreams\n namespace: kube-system\n' - schema: - type: string - description: Successful response — returns the Kubernetes manifest as a YAML file download - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No manifest was found - value: - error: Not Found - message: Agent manifest not found - statusCode: 404 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Not Found - summary: Download an 
agent manifest - tags: - - Elastic Agent policies - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/logstash_api_keys: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/logstash_api_keys
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Generate an API key for Logstash to use with a Fleet output.

[Required authorization] Route required privileges: fleet-settings-all. - operationId: post-fleet-logstash-api-keys - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - responses: - '200': - content: - application/json: - examples: - postLogstashApiKeyExample: - description: The generated Logstash API key - value: - api_key: TiNAGG4BaaMdaH1tRfuU:KnR6yE41RrSowb0kQ0HWoA - schema: - additionalProperties: false - type: object - properties: - api_key: - type: string - required: - - api_key - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Generate a Logstash API key - tags: - - Fleet outputs - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/message_signing_service/rotate_key_pair: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/message_signing_service/rotate_key_pair
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Rotate the key pair used by Fleet to sign messages sent to Elastic Agents. This operation is irreversible and requires all agents in the Fleet to be re-enrolled after rotation. You must explicitly acknowledge the risk by passing `acknowledge=true` as a query parameter.

[Required authorization] Route required privileges: fleet-agents-all AND fleet-agent-policies-all AND fleet-settings-all. - operationId: post-fleet-message-signing-service-rotate-key-pair - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Set to true to confirm you understand the risks of rotating the key pair - in: query - name: acknowledge - required: false - schema: - default: false - type: boolean - responses: - '200': - content: - application/json: - examples: - rotateKeyPairSuccessExample: - description: The key pair was rotated. All agents must be re-enrolled to receive the new signing key. - value: - message: Key pair rotated successfully. - schema: - additionalProperties: false - type: object - properties: - message: - type: string - required: - - message - description: Key pair rotated successfully - '400': - content: - application/json: - examples: - acknowledgeRequiredExample: - description: Request was rejected because the acknowledge query parameter was not set to true - value: - error: Bad Request - message: 'Warning: this API will cause a key pair to rotate and should not be necessary in normal operation. If you proceed, you may need to reinstall Agents in your network. You must acknowledge the risks of rotating the key pair with acknowledge=true in the request parameters. For more information, reach out to your administrator.' 
- statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '500': - content: - application/json: - examples: - serviceUnavailableExample: - description: The message signing service is not available - value: - error: Internal Server Error - message: Failed to rotate key pair. Message signing service is unavailable! - statusCode: 500 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Internal Server Error - summary: Rotate a Fleet message signing key pair - tags: - - Message Signing Service - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/outputs: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/outputs
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - List all Fleet outputs.

[Required authorization] Route required privileges: fleet-settings-read OR fleet-agent-policies-read. - operationId: get-fleet-outputs - parameters: [] - responses: - '200': - content: - application/json: - examples: - getOutputsExample: - description: List of Fleet outputs - value: - items: - - hosts: - - https://elasticsearch.example.com:9200 - id: output-id-1 - is_default: true - is_default_monitoring: true - name: Default output - type: elasticsearch - page: 1 - perPage: 20 - total: 1 - schema: - additionalProperties: false - type: object - properties: - items: - items: - anyOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_elasticsearch' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_remote_elasticsearch' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_logstash' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_kafka' - maxItems: 10000 - type: array - page: - type: number - perPage: - type: number - total: - type: number - required: - - items - - total - - page - - perPage - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get outputs - tags: - - Fleet outputs - x-metaTags: - - content: Kibana - name: product_name - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/outputs
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create a new Fleet output.

[Required authorization] Route required privileges: fleet-settings-all. - operationId: post-fleet-outputs - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postOutputRequestExample: - description: Create a new Elasticsearch output - value: - hosts: - - https://elasticsearch.example.com:9200 - is_default: false - is_default_monitoring: false - name: My output - type: elasticsearch - schema: - anyOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_output_elasticsearch' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_output_remote_elasticsearch' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_output_logstash' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_output_kafka' - responses: - '200': - content: - application/json: - examples: - postOutputExample: - description: The created Fleet output - value: - item: - hosts: - - https://elasticsearch.example.com:9200 - id: output-id-2 - is_default: false - is_default_monitoring: false - name: My output - type: elasticsearch - schema: - additionalProperties: false - type: object - properties: - item: - anyOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_elasticsearch' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_remote_elasticsearch' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_logstash' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_kafka' - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - 
errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Create output - tags: - - Fleet outputs - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/outputs/{outputId}: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/fleet/outputs/{outputId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete output by ID.

[Required authorization] Route required privileges: fleet-settings-all. - operationId: delete-fleet-outputs-outputid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The ID of the output - in: path - name: outputId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - deleteOutputExample: - description: The output was successfully deleted - value: - id: output-id-1 - schema: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No output was found with the given ID - value: - error: Not Found - message: Output output-id-1 not found - statusCode: 404 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Not Found - summary: Delete output - tags: - - Fleet outputs - x-metaTags: - - content: Kibana - name: product_name - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/outputs/{outputId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get output by ID.

[Required authorization] Route required privileges: fleet-settings-read OR fleet-agent-policies-read. - operationId: get-fleet-outputs-outputid - parameters: - - description: The ID of the output - in: path - name: outputId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getOutputExample: - description: A Fleet output - value: - item: - hosts: - - https://elasticsearch.example.com:9200 - id: output-id-1 - is_default: true - is_default_monitoring: true - name: Default output - type: elasticsearch - schema: - additionalProperties: false - type: object - properties: - item: - anyOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_elasticsearch' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_remote_elasticsearch' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_logstash' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_kafka' - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No output was found with the given ID - value: - error: Not Found - message: Output output-id-1 not found - statusCode: 404 - description: Not Found - summary: Get output - tags: - - Fleet outputs - x-metaTags: - - content: Kibana - name: product_name - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/fleet/outputs/{outputId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update output by ID.

[Required authorization] Route required privileges: fleet-settings-all OR fleet-agent-policies-all. - operationId: put-fleet-outputs-outputid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The ID of the output - in: path - name: outputId - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - putOutputRequestExample: - description: Update a Fleet output - value: - hosts: - - https://updated-elasticsearch.example.com:9200 - name: Updated output - schema: - anyOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_output_elasticsearch' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_output_remote_elasticsearch' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_output_logstash' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_output_kafka' - responses: - '200': - content: - application/json: - examples: - putOutputExample: - description: The updated Fleet output - value: - item: - hosts: - - https://updated-elasticsearch.example.com:9200 - id: output-id-1 - is_default: true - is_default_monitoring: true - name: Updated output - type: elasticsearch - schema: - additionalProperties: false - type: object - properties: - item: - anyOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_elasticsearch' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_remote_elasticsearch' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_logstash' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_kafka' - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error 
- type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No output was found with the given ID - value: - error: Not Found - message: Output output-id-1 not found - statusCode: 404 - description: Not Found - summary: Update output - tags: - - Fleet outputs - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/outputs/{outputId}/health: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/outputs/{outputId}/health
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get the latest health status of an output by ID.

[Required authorization] Route required privileges: fleet-settings-read. - operationId: get-fleet-outputs-outputid-health - parameters: - - description: The ID of the output - in: path - name: outputId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getOutputHealthExample: - description: The latest health status of a Fleet output - value: - message: '' - state: HEALTHY - timestamp: '2024-01-15T10:00:00.000Z' - schema: - additionalProperties: false - type: object - properties: - message: - description: long message if unhealthy - type: string - state: - description: state of output, HEALTHY or DEGRADED - type: string - timestamp: - description: timestamp of reported state - type: string - required: - - state - - message - - timestamp - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get the latest output health - tags: - - Fleet outputs - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/package_policies: - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/package_policies
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - List all package policies. - operationId: get-fleet-package-policies - parameters: - - description: Page number - in: query - name: page - required: false - schema: - type: number - - description: Number of results per page - in: query - name: perPage - required: false - schema: - type: number - - description: Field to sort results by - in: query - name: sortField - required: false - schema: - type: string - - description: Sort order, ascending or descending - in: query - name: sortOrder - required: false - schema: - enum: - - desc - - asc - type: string - - description: When true, only show policies with available upgrades - in: query - name: showUpgradeable - required: false - schema: - type: boolean - - description: A KQL query string to filter results - in: query - name: kuery - required: false - schema: - type: string - - description: 'Format for the response: simplified or legacy' - in: query - name: format - required: false - schema: - enum: - - simplified - - legacy - type: string - - description: When true, include the agent count per package policy - in: query - name: withAgentCount - required: false - schema: - type: boolean - responses: - '200': - content: - application/json: - examples: - getPackagePoliciesExample: - description: List of package policies - value: - items: - - created_at: '2024-01-15T10:00:00.000Z' - enabled: true - id: package-policy-id-1 - inputs: [] - name: nginx-1 - namespace: default - package: - name: nginx - title: Nginx - version: 1.20.0 - policy_ids: - - agent-policy-id-1 - updated_at: '2024-01-15T10:00:00.000Z' - page: 1 - perPage: 20 - total: 1 - schema: - additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: false - type: object - properties: - additional_datastreams_permissions: - description: Additional datastream permissions, that will be added to the agent policy. 
- items: - type: string - maxItems: 1000 - nullable: true - type: array - agents: - type: number - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. - nullable: true - type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. - maxLength: 255 - minLength: 1 - nullable: true - type: string - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this integration to its inputs.' - type: string - created_at: - type: string - created_by: - type: string - description: - description: Package policy description - type: string - elasticsearch: - additionalProperties: true - type: object - properties: - privileges: - additionalProperties: true - type: object - properties: - cluster: - items: - type: string - maxItems: 100 - type: array - enabled: - type: boolean - global_data_tags: - items: - additionalProperties: false - type: object - properties: - name: - description: The name of the custom field. Cannot contain spaces. - type: string - value: - anyOf: - - type: string - - type: number - description: The value of the custom field. - required: - - name - - value - maxItems: 100 - nullable: true - type: array - id: - description: Package policy unique identifier. - type: string - inputs: - anyOf: - - items: - additionalProperties: false - type: object - properties: - compiled_input: - nullable: true - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' 
- type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' - type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: 
string - release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - enabled - - data_stream - - compiled_stream - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - type - - enabled - - streams - - compiled_input - maxItems: 100 - type: array - - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' - type: string - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that input. Defaults to `true` (enabled). - type: boolean - streams: - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' 
- type: string - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that stream. Defaults to `true` (enabled). - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Input streams. Refer to the integration documentation to know which streams are available. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Package policy inputs. Refer to the integration documentation to know which inputs are available. - type: object - x-oas-optional: true - description: Package policy inputs. - is_managed: - type: boolean - name: - description: Unique name for the package policy. - type: string - namespace: - description: The package policy namespace. 
Leave blank to inherit the agent policy's namespace. - type: string - output_id: - nullable: true - type: string - overrides: - additionalProperties: false - description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. - nullable: true - type: object - properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - - version - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. - nullable: true - type: string - policy_ids: - items: - description: IDs of the agent policies which that package policy will be added to. - type: string - maxItems: 1000 - type: array - revision: - description: Package policy revision. - type: number - secret_references: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 1000 - type: array - spaceIds: - items: - type: string - maxItems: 100 - type: array - supports_agentless: - default: false - description: Indicates whether the package policy belongs to an agentless agent policy. 
- nullable: true - type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. - nullable: true - type: boolean - updated_at: - type: string - updated_by: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - anyOf: - - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - x-oas-optional: true - description: Package level variable. - version: - description: Package policy ES version. 
- type: string - required: - - name - - enabled - - inputs - - id - - revision - - updated_at - - updated_by - - created_at - - created_by - maxItems: 10000 - type: array - page: - type: number - perPage: - type: number - total: - type: number - required: - - items - - total - - page - - perPage - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get package policies - tags: - - Fleet package policies - x-metaTags: - - content: Kibana - name: product_name - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/package_policies
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create a new package policy and assign it to an agent policy. - operationId: post-fleet-package-policies - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: 'Format for the response: simplified or legacy' - in: query - name: format - required: false - schema: - enum: - - simplified - - legacy - type: string - requestBody: - content: - application/json: - examples: - postPackagePolicyRequestExample: - description: Create a new nginx package policy - value: - inputs: {} - name: nginx-1 - namespace: default - package: - name: nginx - version: 1.20.0 - policy_ids: - - agent-policy-id-1 - schema: - anyOf: - - additionalProperties: false - type: object - properties: - additional_datastreams_permissions: - description: Additional datastream permissions, that will be added to the agent policy. - items: - type: string - maxItems: 1000 - nullable: true - type: array - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. - nullable: true - type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. - maxLength: 255 - minLength: 1 - nullable: true - type: string - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this integration to its inputs.' - type: string - description: - description: Package policy description - type: string - enabled: - type: boolean - force: - description: Force package policy creation even if the package is not verified, or if the agent policy is managed. - type: boolean - global_data_tags: - items: - additionalProperties: false - type: object - properties: - name: - description: The name of the custom field. Cannot contain spaces. 
- type: string - value: - anyOf: - - type: string - - type: number - description: The value of the custom field. - required: - - name - - value - maxItems: 100 - nullable: true - type: array - id: - description: Package policy unique identifier - type: string - inputs: - items: - additionalProperties: false - type: object - properties: - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' - type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' 
- type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - enabled - - data_stream - - compiled_stream - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. 
- type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - type - - enabled - maxItems: 1000 - type: array - is_managed: - type: boolean - name: - description: Unique name for the package policy. - type: string - namespace: - description: The package policy namespace. Leave blank to inherit the agent policy's namespace. - type: string - output_id: - nullable: true - type: string - overrides: - additionalProperties: false - description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. - nullable: true - type: object - properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - - version - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. - nullable: true - type: string - policy_ids: - items: - description: IDs of the agent policies which that package policy will be added to. 
- type: string - maxItems: 1000 - type: array - spaceIds: - items: - type: string - maxItems: 100 - type: array - supports_agentless: - default: false - deprecated: true - description: Indicates whether the package policy belongs to an agentless agent policy. Deprecated in favor of the Fleet agentless policies API. - nullable: true - type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. - nullable: true - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - name - - inputs - - additionalProperties: false - type: object - properties: - additional_datastreams_permissions: - description: Additional datastream permissions, that will be added to the agent policy. - items: - type: string - maxItems: 100 - nullable: true - type: array - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this integration to its inputs.' - type: string - description: - description: Policy description. - type: string - force: - description: Force package policy creation even if the package is not verified, or if the agent policy is managed. - type: boolean - id: - description: Policy unique identifier. - type: string - inputs: - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' 
- type: string - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that input. Defaults to `true` (enabled). - type: boolean - streams: - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' - type: string - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that stream. Defaults to `true` (enabled). - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Input streams. Refer to the integration documentation to know which streams are available. 
- type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Package policy inputs. Refer to the integration documentation to know which inputs are available. - type: object - name: - description: Unique name for the policy. - type: string - namespace: - description: Policy namespace. When not specified, it inherits the agent policy namespace. - type: string - output_id: - nullable: true - type: string - package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - - version - policy_id: - deprecated: true - description: Deprecated. Use policy_ids instead. - nullable: true - type: string - policy_ids: - description: IDs of the agent policies which that package policy will be added to. 
- items: - type: string - maxItems: 1000 - type: array - supports_agentless: - default: false - deprecated: true - description: Indicates whether the package policy belongs to an agentless agent policy. Deprecated in favor of the Fleet agentless policies API. - nullable: true - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - required: - - name - - package - description: You should use inputs as an object and not use the deprecated inputs array. - responses: - '200': - content: - application/json: - examples: - postPackagePolicyExample: - description: The created package policy - value: - item: - created_at: '2024-01-15T10:00:00.000Z' - enabled: true - id: package-policy-id-2 - inputs: [] - name: nginx-1 - namespace: default - package: - name: nginx - title: Nginx - version: 1.20.0 - policy_ids: - - agent-policy-id-1 - updated_at: '2024-01-15T10:00:00.000Z' - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - additional_datastreams_permissions: - description: Additional datastream permissions, that will be added to the agent policy. - items: - type: string - maxItems: 1000 - nullable: true - type: array - agents: - type: number - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. 
- nullable: true - type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. - maxLength: 255 - minLength: 1 - nullable: true - type: string - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this integration to its inputs.' - type: string - created_at: - type: string - created_by: - type: string - description: - description: Package policy description - type: string - elasticsearch: - additionalProperties: true - type: object - properties: - privileges: - additionalProperties: true - type: object - properties: - cluster: - items: - type: string - maxItems: 100 - type: array - enabled: - type: boolean - global_data_tags: - items: - additionalProperties: false - type: object - properties: - name: - description: The name of the custom field. Cannot contain spaces. - type: string - value: - anyOf: - - type: string - - type: number - description: The value of the custom field. - required: - - name - - value - maxItems: 100 - nullable: true - type: array - id: - description: Package policy unique identifier. - type: string - inputs: - anyOf: - - items: - additionalProperties: false - type: object - properties: - compiled_input: - nullable: true - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' 
- type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' - type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: 
string - release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - enabled - - data_stream - - compiled_stream - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - type - - enabled - - streams - - compiled_input - maxItems: 100 - type: array - - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' - type: string - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that input. Defaults to `true` (enabled). - type: boolean - streams: - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' 
- type: string - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that stream. Defaults to `true` (enabled). - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Input streams. Refer to the integration documentation to know which streams are available. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Package policy inputs. Refer to the integration documentation to know which inputs are available. - type: object - x-oas-optional: true - description: Package policy inputs. - is_managed: - type: boolean - name: - description: Unique name for the package policy. - type: string - namespace: - description: The package policy namespace. 
Leave blank to inherit the agent policy's namespace. - type: string - output_id: - nullable: true - type: string - overrides: - additionalProperties: false - description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. - nullable: true - type: object - properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - - version - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. - nullable: true - type: string - policy_ids: - items: - description: IDs of the agent policies which that package policy will be added to. - type: string - maxItems: 1000 - type: array - revision: - description: Package policy revision. - type: number - secret_references: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 1000 - type: array - spaceIds: - items: - type: string - maxItems: 100 - type: array - supports_agentless: - default: false - description: Indicates whether the package policy belongs to an agentless agent policy. 
- nullable: true - type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. - nullable: true - type: boolean - updated_at: - type: string - updated_by: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - anyOf: - - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - x-oas-optional: true - description: Package level variable. - version: - description: Package policy ES version. 
- type: string - required: - - name - - enabled - - inputs - - id - - revision - - updated_at - - updated_by - - created_at - - created_by - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '409': - content: - application/json: - examples: - conflictExample: - description: A package policy with the same name already exists - value: - error: Conflict - message: An error message describing what went wrong - statusCode: 409 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Conflict - summary: Create a package policy - tags: - - Fleet package policies - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/package_policies/_bulk_get: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/fleet/package_policies/_bulk_get
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get multiple package policies by ID. - operationId: post-fleet-package-policies-bulk-get - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: 'Format for the response: simplified or legacy' - in: query - name: format - required: false - schema: - enum: - - simplified - - legacy - type: string - requestBody: - content: - application/json: - examples: - postBulkGetPackagePoliciesRequestExample: - description: Retrieve multiple package policies by ID - value: - ids: - - package-policy-id-1 - - package-policy-id-2 - schema: - additionalProperties: false - type: object - properties: - ids: - description: list of package policy ids - items: - type: string - maxItems: 1000 - type: array - ignoreMissing: - type: boolean - required: - - ids - responses: - '200': - content: - application/json: - examples: - postBulkGetPackagePoliciesExample: - description: The requested package policies - value: - items: - - created_at: '2024-01-15T10:00:00.000Z' - enabled: true - id: package-policy-id-1 - inputs: [] - name: nginx-1 - namespace: default - package: - name: nginx - title: Nginx - version: 1.20.0 - policy_ids: - - agent-policy-id-1 - updated_at: '2024-01-15T10:00:00.000Z' - schema: - additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: false - type: object - properties: - additional_datastreams_permissions: - description: Additional datastream permissions, that will be added to the agent policy. - items: - type: string - maxItems: 1000 - nullable: true - type: array - agents: - type: number - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. 
- nullable: true - type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. - maxLength: 255 - minLength: 1 - nullable: true - type: string - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this integration to its inputs.' - type: string - created_at: - type: string - created_by: - type: string - description: - description: Package policy description - type: string - elasticsearch: - additionalProperties: true - type: object - properties: - privileges: - additionalProperties: true - type: object - properties: - cluster: - items: - type: string - maxItems: 100 - type: array - enabled: - type: boolean - global_data_tags: - items: - additionalProperties: false - type: object - properties: - name: - description: The name of the custom field. Cannot contain spaces. - type: string - value: - anyOf: - - type: string - - type: number - description: The value of the custom field. - required: - - name - - value - maxItems: 100 - nullable: true - type: array - id: - description: Package policy unique identifier. - type: string - inputs: - anyOf: - - items: - additionalProperties: false - type: object - properties: - compiled_input: - nullable: true - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' 
- type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' - type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: 
string - release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - enabled - - data_stream - - compiled_stream - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - type - - enabled - - streams - - compiled_input - maxItems: 100 - type: array - - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' - type: string - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that input. Defaults to `true` (enabled). - type: boolean - streams: - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' 
- type: string - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that stream. Defaults to `true` (enabled). - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Input streams. Refer to the integration documentation to know which streams are available. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Package policy inputs. Refer to the integration documentation to know which inputs are available. - type: object - x-oas-optional: true - description: Package policy inputs. - is_managed: - type: boolean - name: - description: Unique name for the package policy. - type: string - namespace: - description: The package policy namespace. 
Leave blank to inherit the agent policy's namespace. - type: string - output_id: - nullable: true - type: string - overrides: - additionalProperties: false - description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. - nullable: true - type: object - properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - - version - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. - nullable: true - type: string - policy_ids: - items: - description: IDs of the agent policies which that package policy will be added to. - type: string - maxItems: 1000 - type: array - revision: - description: Package policy revision. - type: number - secret_references: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 1000 - type: array - spaceIds: - items: - type: string - maxItems: 100 - type: array - supports_agentless: - default: false - description: Indicates whether the package policy belongs to an agentless agent policy. 
- nullable: true - type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. - nullable: true - type: boolean - updated_at: - type: string - updated_by: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - anyOf: - - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - x-oas-optional: true - description: Package level variable. - version: - description: Package policy ES version. 
- type: string - required: - - name - - enabled - - inputs - - id - - revision - - updated_at - - updated_by - - created_at - - created_by - maxItems: 10000 - type: array - required: - - items - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: One or more package policies were not found - value: - error: Not Found - message: Package policy package-policy-id-2 not found - statusCode: 404 - schema: - additionalProperties: false - type: object - properties: - message: - type: string - required: - - message - description: Not Found - summary: Bulk get package policies - tags: - - Fleet package policies - x-metaTags: - - content: Kibana - name: product_name - /api/fleet/package_policies/{packagePolicyId}: - delete: - description: |- - **Spaces method and path for this operation:** - -
delete /s/{space_id}/api/fleet/package_policies/{packagePolicyId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Delete a package policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all AND integrations-all. - operationId: delete-fleet-package-policies-packagepolicyid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The ID of the package policy - in: path - name: packagePolicyId - required: true - schema: - type: string - - description: When true, delete the package policy even if it is managed - in: query - name: force - required: false - schema: - type: boolean - responses: - '200': - content: - application/json: - examples: - deletePackagePolicyExample: - description: The package policy was successfully deleted - value: - id: package-policy-id-1 - schema: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Delete a package policy - tags: - - Fleet package policies - x-metaTags: - - content: Kibana - name: product_name - get: - description: |- - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/fleet/package_policies/{packagePolicyId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a package policy by ID. - operationId: get-fleet-package-policies-packagepolicyid - parameters: - - description: The ID of the package policy - in: path - name: packagePolicyId - required: true - schema: - type: string - - description: 'Format for the response: simplified or legacy' - in: query - name: format - required: false - schema: - enum: - - simplified - - legacy - type: string - responses: - '200': - content: - application/json: - examples: - getPackagePolicyExample: - description: A package policy - value: - item: - created_at: '2024-01-15T10:00:00.000Z' - enabled: true - id: package-policy-id-1 - inputs: [] - name: nginx-1 - namespace: default - package: - name: nginx - title: Nginx - version: 1.20.0 - policy_ids: - - agent-policy-id-1 - updated_at: '2024-01-15T10:00:00.000Z' - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - additional_datastreams_permissions: - description: Additional datastream permissions, that will be added to the agent policy. - items: - type: string - maxItems: 1000 - nullable: true - type: array - agents: - type: number - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. - nullable: true - type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. - maxLength: 255 - minLength: 1 - nullable: true - type: string - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this integration to its inputs.' 
- type: string - created_at: - type: string - created_by: - type: string - description: - description: Package policy description - type: string - elasticsearch: - additionalProperties: true - type: object - properties: - privileges: - additionalProperties: true - type: object - properties: - cluster: - items: - type: string - maxItems: 100 - type: array - enabled: - type: boolean - global_data_tags: - items: - additionalProperties: false - type: object - properties: - name: - description: The name of the custom field. Cannot contain spaces. - type: string - value: - anyOf: - - type: string - - type: number - description: The value of the custom field. - required: - - name - - value - maxItems: 100 - nullable: true - type: array - id: - description: Package policy unique identifier. - type: string - inputs: - anyOf: - - items: - additionalProperties: false - type: object - properties: - compiled_input: - nullable: true - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' - type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' 
- type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - enabled - - data_stream - - compiled_stream - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. 
- type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - type - - enabled - - streams - - compiled_input - maxItems: 100 - type: array - - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' - type: string - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that input. Defaults to `true` (enabled). - type: boolean - streams: - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' - type: string - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that stream. Defaults to `true` (enabled). - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. 
- type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Input streams. Refer to the integration documentation to know which streams are available. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Package policy inputs. Refer to the integration documentation to know which inputs are available. - type: object - x-oas-optional: true - description: Package policy inputs. - is_managed: - type: boolean - name: - description: Unique name for the package policy. - type: string - namespace: - description: The package policy namespace. Leave blank to inherit the agent policy's namespace. - type: string - output_id: - nullable: true - type: string - overrides: - additionalProperties: false - description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. 
- nullable: true - type: object - properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - - version - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. - nullable: true - type: string - policy_ids: - items: - description: IDs of the agent policies which that package policy will be added to. - type: string - maxItems: 1000 - type: array - revision: - description: Package policy revision. - type: number - secret_references: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 1000 - type: array - spaceIds: - items: - type: string - maxItems: 100 - type: array - supports_agentless: - default: false - description: Indicates whether the package policy belongs to an agentless agent policy. - nullable: true - type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. - nullable: true - type: boolean - updated_at: - type: string - updated_by: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. 
Maps var_group name to the selected option name within that group. - type: object - vars: - anyOf: - - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - x-oas-optional: true - description: Package level variable. - version: - description: Package policy ES version. - type: string - required: - - name - - enabled - - inputs - - id - - revision - - updated_at - - updated_by - - created_at - - created_by - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No package policy was found with the given ID - value: - error: Not Found - message: Package policy package-policy-id-1 not found - statusCode: 404 - schema: - additionalProperties: false - type: 
object - properties: - message: - type: string - required: - - message - description: Not Found - summary: Get a package policy - tags: - - Fleet package policies - x-metaTags: - - content: Kibana - name: product_name - put: - description: |- - **Spaces method and path for this operation:** - -
put /s/{space_id}/api/fleet/package_policies/{packagePolicyId}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Update a package policy by ID. - operationId: put-fleet-package-policies-packagepolicyid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The ID of the package policy - in: path - name: packagePolicyId - required: true - schema: - type: string - - description: 'Format for the response: simplified or legacy' - in: query - name: format - required: false - schema: - enum: - - simplified - - legacy - type: string - requestBody: - content: - application/json: - examples: - putPackagePolicyRequestExample: - description: Update a package policy - value: - enabled: true - inputs: {} - name: nginx-1-updated - namespace: default - package: - name: nginx - version: 1.20.0 - policy_ids: - - agent-policy-id-1 - schema: - anyOf: - - additionalProperties: false - type: object - properties: - additional_datastreams_permissions: - description: Additional datastream permissions, that will be added to the agent policy. - items: - type: string - maxItems: 1000 - nullable: true - type: array - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. - nullable: true - type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. - maxLength: 255 - minLength: 1 - nullable: true - type: string - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this integration to its inputs.' - type: string - description: - description: Package policy description - type: string - enabled: - type: boolean - force: - type: boolean - global_data_tags: - items: - additionalProperties: false - type: object - properties: - name: - description: The name of the custom field. Cannot contain spaces. 
- type: string - value: - anyOf: - - type: string - - type: number - description: The value of the custom field. - required: - - name - - value - maxItems: 100 - nullable: true - type: array - inputs: - items: - additionalProperties: false - type: object - properties: - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' - type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' 
- type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - enabled - - data_stream - - compiled_stream - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. 
- type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - type - - enabled - maxItems: 1000 - type: array - is_managed: - type: boolean - name: - type: string - namespace: - description: The package policy namespace. Leave blank to inherit the agent policy's namespace. - type: string - output_id: - nullable: true - type: string - overrides: - additionalProperties: false - description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. - nullable: true - type: object - properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - - version - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. - nullable: true - type: string - policy_ids: - items: - description: IDs of the agent policies which that package policy will be added to. 
- type: string - maxItems: 1000 - type: array - spaceIds: - items: - type: string - maxItems: 100 - type: array - supports_agentless: - default: false - description: Indicates whether the package policy belongs to an agentless agent policy. - nullable: true - type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. - nullable: true - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - version: - type: string - - additionalProperties: false - type: object - properties: - additional_datastreams_permissions: - description: Additional datastream permissions, that will be added to the agent policy. - items: - type: string - maxItems: 100 - nullable: true - type: array - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this integration to its inputs.' - type: string - description: - description: Policy description. - type: string - force: - description: Force package policy creation even if the package is not verified, or if the agent policy is managed. - type: boolean - id: - description: Policy unique identifier. - type: string - inputs: - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' 
- type: string - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that input. Defaults to `true` (enabled). - type: boolean - streams: - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' - type: string - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that stream. Defaults to `true` (enabled). - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Input streams. Refer to the integration documentation to know which streams are available. 
- type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Package policy inputs. Refer to the integration documentation to know which inputs are available. - type: object - name: - description: Unique name for the policy. - type: string - namespace: - description: Policy namespace. When not specified, it inherits the agent policy namespace. - type: string - output_id: - nullable: true - type: string - package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - - version - policy_id: - deprecated: true - description: Deprecated. Use policy_ids instead. - nullable: true - type: string - policy_ids: - description: IDs of the agent policies which that package policy will be added to. 
- items: - type: string - maxItems: 1000 - type: array - supports_agentless: - default: false - deprecated: true - description: Indicates whether the package policy belongs to an agentless agent policy. Deprecated in favor of the Fleet agentless policies API. - nullable: true - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - required: - - name - - package - responses: - '200': - content: - application/json: - examples: - putPackagePolicyExample: - description: The updated package policy - value: - item: - created_at: '2024-01-15T10:00:00.000Z' - enabled: true - id: package-policy-id-1 - inputs: [] - name: nginx-1-updated - namespace: default - package: - name: nginx - title: Nginx - version: 1.20.0 - policy_ids: - - agent-policy-id-1 - updated_at: '2024-01-15T11:00:00.000Z' - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - additional_datastreams_permissions: - description: Additional datastream permissions, that will be added to the agent policy. - items: - type: string - maxItems: 1000 - nullable: true - type: array - agents: - type: number - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. 
- nullable: true - type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. - maxLength: 255 - minLength: 1 - nullable: true - type: string - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this integration to its inputs.' - type: string - created_at: - type: string - created_by: - type: string - description: - description: Package policy description - type: string - elasticsearch: - additionalProperties: true - type: object - properties: - privileges: - additionalProperties: true - type: object - properties: - cluster: - items: - type: string - maxItems: 100 - type: array - enabled: - type: boolean - global_data_tags: - items: - additionalProperties: false - type: object - properties: - name: - description: The name of the custom field. Cannot contain spaces. - type: string - value: - anyOf: - - type: string - - type: number - description: The value of the custom field. - required: - - name - - value - maxItems: 100 - nullable: true - type: array - id: - description: Package policy unique identifier. - type: string - inputs: - anyOf: - - items: - additionalProperties: false - type: object - properties: - compiled_input: - nullable: true - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' 
- type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' - type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: 
string - release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - enabled - - data_stream - - compiled_stream - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - type - - enabled - - streams - - compiled_input - maxItems: 100 - type: array - - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' - type: string - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that input. Defaults to `true` (enabled). - type: boolean - streams: - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' 
- type: string - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that stream. Defaults to `true` (enabled). - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Input streams. Refer to the integration documentation to know which streams are available. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Package policy inputs. Refer to the integration documentation to know which inputs are available. - type: object - x-oas-optional: true - description: Package policy inputs. - is_managed: - type: boolean - name: - description: Unique name for the package policy. - type: string - namespace: - description: The package policy namespace. 
Leave blank to inherit the agent policy's namespace. - type: string - output_id: - nullable: true - type: string - overrides: - additionalProperties: false - description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. - nullable: true - type: object - properties: - inputs: - additionalProperties: - nullable: true - type: object + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: One or more package policies were not found + value: + error: Not Found + message: Package policy package-policy-id-2 not found + statusCode: 404 + schema: + additionalProperties: false + type: object + properties: + message: + type: string + required: + - message + description: Not Found + summary: Bulk get package policies + tags: + - Fleet package policies + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/package_policies/{packagePolicyId}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/package_policies/{packagePolicyId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a package policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all AND integrations-all. + operationId: delete-fleet-package-policies-packagepolicyid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The ID of the package policy + in: path + name: packagePolicyId + required: true + schema: + type: string + - description: When true, delete the package policy even if it is managed + in: query + name: force + required: false + schema: + type: boolean + responses: + '200': + content: + application/json: + examples: + deletePackagePolicyExample: + description: The package policy was successfully deleted + value: + id: package-policy-id-1 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_delete_one_package_policy_response' + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Delete a package policy + tags: + - Fleet package policies + x-metaTags: + - content: Kibana + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/package_policies/{packagePolicyId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a package policy by ID. + operationId: get-fleet-package-policies-packagepolicyid + parameters: + - description: The ID of the package policy + in: path + name: packagePolicyId + required: true + schema: + type: string + - description: 'Format for the response: simplified or legacy' + in: query + name: format + required: false + schema: + enum: + - simplified + - legacy + type: string + responses: + '200': + content: + application/json: + examples: + getPackagePolicyExample: + description: A package policy + value: + item: + created_at: '2024-01-15T10:00:00.000Z' + enabled: true + id: package-policy-id-1 + inputs: [] + name: nginx-1 + namespace: default package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - - version - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. - nullable: true - type: string + name: nginx + title: Nginx + version: 1.20.0 policy_ids: - items: - description: IDs of the agent policies which that package policy will be added to. - type: string - maxItems: 1000 - type: array - revision: - description: Package policy revision. 
- type: number - secret_references: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 1000 - type: array - spaceIds: - items: - type: string - maxItems: 100 - type: array - supports_agentless: - default: false - description: Indicates whether the package policy belongs to an agentless agent policy. - nullable: true - type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. - nullable: true - type: boolean - updated_at: - type: string - updated_by: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - anyOf: - - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - x-oas-optional: true - description: Package level variable. - version: - description: Package policy ES version. 
- type: string - required: - - name - - enabled - - inputs - - id - - revision - - updated_at - - updated_by - - created_at - - created_by + - agent-policy-id-1 + updated_at: '2024-01-15T10:00:00.000Z' + schema: + additionalProperties: false + type: object + properties: + item: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_response' + required: + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No package policy was found with the given ID + value: + error: Not Found + message: Package policy package-policy-id-1 not found + statusCode: 404 + schema: + additionalProperties: false + type: object + properties: + message: + type: string + required: + - message + description: Not Found + summary: Get a package policy + tags: + - Fleet package policies + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/fleet/package_policies/{packagePolicyId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update a package policy by ID. + operationId: put-fleet-package-policies-packagepolicyid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The ID of the package policy + in: path + name: packagePolicyId + required: true + schema: + type: string + - description: 'Format for the response: simplified or legacy' + in: query + name: format + required: false + schema: + enum: + - simplified + - legacy + type: string + requestBody: + content: + application/json: + examples: + putPackagePolicyRequestExample: + description: Update a package policy + value: + enabled: true + inputs: {} + name: nginx-1-updated + namespace: default + package: + name: nginx + version: 1.20.0 + policy_ids: + - agent-policy-id-1 + schema: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_package_policy_request' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_simplified_create_package_policy_request' + responses: + '200': + content: + application/json: + examples: + putPackagePolicyExample: + description: The updated package policy + value: + item: + created_at: '2024-01-15T10:00:00.000Z' + enabled: true + id: package-policy-id-1 + inputs: [] + name: nginx-1-updated + namespace: default + package: + name: nginx + title: Nginx + version: 1.20.0 + policy_ids: + - agent-policy-id-1 + updated_at: '2024-01-15T11:00:00.000Z' + schema: + additionalProperties: false + type: object + properties: + item: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_response' required: - item description: Successful response 
@@ -60511,112 +45851,22 @@ paths: - package-policy-id-1 - package-policy-id-2 schema: - additionalProperties: false - type: object - properties: - force: - type: boolean - packagePolicyIds: - items: - type: string - maxItems: 1000 - type: array - required: - - packagePolicyIds + $ref: '#/components/schemas/Kibana_HTTP_APIs_delete_package_policies_request' responses: '200': content: application/json: examples: - postDeletePackagePoliciesExample: - description: Results of the bulk delete operation - value: - - id: package-policy-id-1 - success: true - - id: package-policy-id-2 - success: true - schema: - items: - additionalProperties: false - type: object - properties: - body: - additionalProperties: false - type: object - properties: - message: - type: string - required: - - message - id: - type: string - name: - type: string - output_id: - nullable: true - type: string - package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - - version - policy_id: - deprecated: true - description: Use `policy_ids` instead - nullable: true - type: string - policy_ids: - items: - type: string - maxItems: 10000 - type: array - statusCode: - type: number - success: - type: boolean - required: - - id - - success - - policy_ids - - package + postDeletePackagePoliciesExample: + description: Results of the bulk delete operation + value: + - id: 
package-policy-id-1 + success: true + - id: package-policy-id-2 + success: true + schema: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_status_response' maxItems: 10000 type: array description: Successful response @@ -60684,16 +45934,7 @@ paths: packagePolicyIds: - package-policy-id-1 schema: - additionalProperties: false - type: object - properties: - packagePolicyIds: - items: - type: string - maxItems: 1000 - type: array - required: - - packagePolicyIds + $ref: '#/components/schemas/Kibana_HTTP_APIs_upgrade_package_policies_request' responses: '200': content: @@ -60707,28 +45948,7 @@ paths: success: true schema: items: - additionalProperties: false - type: object - properties: - body: - additionalProperties: false - type: object - properties: - message: - type: string - required: - - message - id: - type: string - name: - type: string - statusCode: - type: number - success: - type: boolean - required: - - id - - success + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_status_response' maxItems: 10000 type: array description: Successful response @@ -60796,18 +46016,7 @@ paths: packagePolicyIds: - package-policy-id-1 schema: - additionalProperties: false - type: object - properties: - packagePolicyIds: - items: - type: string - maxItems: 1000 - type: array - packageVersion: - type: string - required: - - packagePolicyIds + $ref: '#/components/schemas/Kibana_HTTP_APIs_dry_run_package_policies_request' responses: '200': content: 
@@ -60944,949 +46153,8 @@ paths: diff: items: anyOf: - - additionalProperties: false - type: object - properties: - additional_datastreams_permissions: - description: Additional datastream permissions, that will be added to the agent policy. - items: - type: string - maxItems: 1000 - nullable: true - type: array - agents: - type: number - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. - nullable: true - type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. - maxLength: 255 - minLength: 1 - nullable: true - type: string - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this integration to its inputs.' - type: string - created_at: - type: string - created_by: - type: string - description: - description: Package policy description - type: string - elasticsearch: - additionalProperties: true - type: object - properties: - privileges: - additionalProperties: true - type: object - properties: - cluster: - items: - type: string - maxItems: 100 - type: array - enabled: - type: boolean - global_data_tags: - items: - additionalProperties: false - type: object - properties: - name: - description: The name of the custom field. Cannot contain spaces. - type: string - value: - anyOf: - - type: string - - type: number - description: The value of the custom field. - required: - - name - - value - maxItems: 100 - nullable: true - type: array - id: - type: string - inputs: - anyOf: - - items: - additionalProperties: false - type: object - properties: - compiled_input: - nullable: true - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' 
- type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' - type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: 
string - release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - enabled - - data_stream - - compiled_stream - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - type - - enabled - - streams - - compiled_input - maxItems: 100 - type: array - - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' - type: string - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that input. Defaults to `true` (enabled). - type: boolean - streams: - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' 
- type: string - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - description: Enable or disable that stream. Defaults to `true` (enabled). - type: boolean - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Input streams. Refer to the integration documentation to know which streams are available. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - description: Package policy inputs. Refer to the integration documentation to know which inputs are available. - type: object - x-oas-optional: true - description: Package policy inputs. - is_managed: - type: boolean - name: - description: Unique name for the package policy. - type: string - namespace: - description: The package policy namespace. 
Leave blank to inherit the agent policy's namespace. - type: string - output_id: - nullable: true - type: string - overrides: - additionalProperties: false - description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. - nullable: true - type: object - properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - - version - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. - nullable: true - type: string - policy_ids: - items: - description: IDs of the agent policies which that package policy will be added to. - type: string - maxItems: 1000 - type: array - revision: - description: Package policy revision. - type: number - secret_references: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 1000 - type: array - spaceIds: - items: - type: string - maxItems: 100 - type: array - supports_agentless: - default: false - description: Indicates whether the package policy belongs to an agentless agent policy. 
- nullable: true - type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. - nullable: true - type: boolean - updated_at: - type: string - updated_by: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - anyOf: - - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: Input/stream level variable. Refer to the integration documentation for more information. - type: object - x-oas-optional: true - description: Package level variable. - version: - description: Package policy ES version. - type: string - required: - - name - - enabled - - inputs - - revision - - updated_at - - updated_by - - created_at - - created_by - - additionalProperties: true - type: object - properties: - additional_datastreams_permissions: - description: Additional datastream permissions, that will be added to the agent policy. - items: - type: string - maxItems: 1000 - nullable: true - type: array - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. - nullable: true - type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. 
- maxLength: 255 - minLength: 1 - nullable: true - type: string - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this integration to its inputs.' - type: string - created_at: - type: string - created_by: - type: string - description: - description: Package policy description - type: string - elasticsearch: - additionalProperties: true - type: object - properties: - privileges: - additionalProperties: true - type: object - properties: - cluster: - items: - type: string - maxItems: 100 - type: array - enabled: - type: boolean - errors: - items: - additionalProperties: false - type: object - properties: - key: - type: string - message: - type: string - required: - - message - maxItems: 10 - type: array - force: - type: boolean - global_data_tags: - items: - additionalProperties: false - type: object - properties: - name: - description: The name of the custom field. Cannot contain spaces. - type: string - value: - anyOf: - - type: string - - type: number - description: The value of the custom field. - required: - - name - - value - maxItems: 100 - nullable: true - type: array - id: - type: string - inputs: - items: - additionalProperties: false - type: object - properties: - compiled_input: - nullable: true - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' 
- type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - condition: - description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' - type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - additionalProperties: false - type: object - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: 
string - release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - enabled - - data_stream - - compiled_stream - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - required: - - type - - enabled - - streams - - compiled_input - maxItems: 100 - type: array - is_managed: - type: boolean - missingVars: - items: - type: string - maxItems: 100 - type: array - name: - description: Unique name for the package policy. - type: string - namespace: - description: The package policy namespace. Leave blank to inherit the agent policy's namespace. - type: string - output_id: - nullable: true - type: string - overrides: - additionalProperties: false - description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. 
- nullable: true - type: object - properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - additionalProperties: false - type: object - properties: - experimental_data_stream_features: - items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version - type: string - required: - - name - - version - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. - nullable: true - type: string - policy_ids: - items: - description: IDs of the agent policies which that package policy will be added to. - type: string - maxItems: 1000 - type: array - revision: - type: number - secret_references: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 1000 - type: array - supports_agentless: - default: false - description: Indicates whether the package policy belongs to an agentless agent policy. - nullable: true - type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. - nullable: true - type: boolean - updated_at: - type: string - updated_by: - type: string - var_group_selections: - additionalProperties: - type: string - description: Variable group selections. Maps var_group name to the selected option name within that group. 
- type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: Package variable (see integration documentation for more information) - type: object - version: - description: Package policy ES version. - type: string - required: - - name - - enabled - - inputs + - $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_response' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_dry_run_package_policy' maxItems: 2 type: array hasErrors: 
@@ -100994,6 +85262,336 @@ components: type: boolean required: - data_view + Kibana_HTTP_APIs_action_id_response: + additionalProperties: false + properties: + actionId: + type: string + required: + - actionId + title: action_id_response + type: object + Kibana_HTTP_APIs_action_message_response: + additionalProperties: false + properties: + message: + type: string + required: + - message + title: action_message_response + type: object + Kibana_HTTP_APIs_agent_policy_response: + additionalProperties: false + properties: + advanced_settings: + additionalProperties: false + type: object + properties: + agent_download_target_directory: + nullable: true + agent_download_timeout: + nullable: true + agent_features_disable_policy_change_acks_enabled: + nullable: true + agent_internal: + nullable: true + agent_limits_go_max_procs: + nullable: true + agent_logging_files_interval: + nullable: true + agent_logging_files_keepfiles: + nullable: true + agent_logging_files_rotateeverybytes: + nullable: true + agent_logging_level: + nullable: true + agent_logging_metrics_period: + nullable: true + agent_logging_to_files: + nullable: true + agent_monitoring_runtime_experimental: + nullable: true + agent_features: + items: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + name: + type: string + required: + - name + - enabled + maxItems: 100 + type: array + agentless: + additionalProperties: false + type: object + properties: + cloud_connectors: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + target_csp: + enum: + - aws + - azure + - gcp + type: string + required: + - enabled + cluster_id: + type: string + resources: + additionalProperties: false + type: object + properties: + requests: + additionalProperties: false + type: object + properties: + cpu: + type: string + memory: + type: string + agents: + type: number + agents_per_version: + items: + additionalProperties: false + type: object + properties: + 
count: + type: number + version: + type: string + required: + - version + - count + maxItems: 1000 + type: array + created_at: + type: string + data_output_id: + nullable: true + type: string + description: + type: string + download_source_id: + nullable: true + type: string + fips_agents: + type: number + fleet_server_host_id: + nullable: true + type: string + global_data_tags: + description: User defined data tags that are added to all of the inputs. The values can be strings or numbers. + items: + additionalProperties: false + type: object + properties: + name: + type: string + value: + anyOf: + - type: string + - type: number + required: + - name + - value + maxItems: 100 + type: array + has_agent_version_conditions: + type: boolean + has_fleet_server: + type: boolean + id: + type: string + inactivity_timeout: + default: 1209600 + minimum: 0 + type: number + is_default: + type: boolean + is_default_fleet_server: + type: boolean + is_managed: + type: boolean + is_preconfigured: + type: boolean + is_protected: + description: Indicates whether the agent policy has tamper protection enabled. Default false. 
+ type: boolean + is_verifier: + type: boolean + keep_monitoring_alive: + default: false + description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled + nullable: true + type: boolean + min_agent_version: + nullable: true + type: string + monitoring_diagnostics: + additionalProperties: false + type: object + properties: + limit: + additionalProperties: false + type: object + properties: + burst: + type: number + interval: + type: string + uploader: + additionalProperties: false + type: object + properties: + init_dur: + type: string + max_dur: + type: string + max_retries: + type: number + monitoring_enabled: + items: + enum: + - logs + - metrics + - traces + type: string + maxItems: 3 + type: array + monitoring_http: + additionalProperties: false + type: object + properties: + buffer: + additionalProperties: false + type: object + properties: + enabled: + default: false + type: boolean + enabled: + type: boolean + host: + type: string + port: + maximum: 65353 + minimum: 0 + type: number + monitoring_output_id: + nullable: true + type: string + monitoring_pprof_enabled: + type: boolean + name: + minLength: 1 + type: string + namespace: + minLength: 1 + type: string + overrides: + additionalProperties: + nullable: true + description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure. 
+ nullable: true + type: object + package_agent_version_conditions: + items: + additionalProperties: false + type: object + properties: + name: + type: string + title: + type: string + version_condition: + type: string + required: + - name + - title + - version_condition + maxItems: 1000 + nullable: true + type: array + package_policies: + anyOf: + - items: + type: string + maxItems: 10000 + type: array + - description: This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_response' + maxItems: 10000 + type: array + required_versions: + items: + additionalProperties: false + type: object + properties: + percentage: + description: Target percentage of agents to auto upgrade + maximum: 100 + minimum: 0 + type: number + version: + description: Target version for automatic agent upgrade + type: string + required: + - version + - percentage + maxItems: 100 + nullable: true + type: array + revision: + type: number + schema_version: + type: string + space_ids: + items: + type: string + maxItems: 100 + type: array + status: + enum: + - active + - inactive + type: string + supports_agentless: + default: false + description: Indicates whether the agent policy supports agentless integrations. + nullable: true + type: boolean + unenroll_timeout: + minimum: 0 + type: number + unprivileged_agents: + type: number + updated_at: + type: string + updated_by: + type: string + version: + type: string + required: + - id + - name + - namespace + - is_protected + - status + - updated_at + - updated_by + - revision + title: agent_policy_response + type: object Kibana_HTTP_APIs_apm-anomaly-create-rule-body-alerting: additionalProperties: false properties: 
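Review bot: The `monitoring_http.port` bound in the new `Kibana_HTTP_APIs_agent_policy_response` component is `maximum: 65353`, which looks like a digit transposition of the real upper TCP port limit, `maximum: 65535`; as written the schema documents (and, if the same constant is used for request validation, rejects) ports 65354–65535 that are perfectly valid. This bundle appears to be generated from the TypeScript schemas the commit touches, so the correction belongs in the source `monitoring_http` port definition rather than in this YAML, with the bundle regenerated afterwards; I could not confirm the source value from this hunk. It is worth checking whether the same constant is repeated in the request-side agent policy schema, since a response-only fix would leave the two out of step.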
@@ -102244,6 +86842,314 @@ components: - type title: Auto Color type: object + Kibana_HTTP_APIs_bulk_delete_enrollment_api_keys_request: + additionalProperties: false + properties: + forceDelete: + default: false + description: When false (default), invalidate the API key and mark the token as inactive. When true, also delete the token document. + type: boolean + includeHidden: + default: false + description: When true, allow deletion of hidden enrollment tokens (managed/agentless policies). Defaults to false. + type: boolean + kuery: + description: KQL query to select enrollment tokens to delete. + type: string + tokenIds: + description: List of enrollment token IDs to delete. + items: + type: string + maxItems: 10000 + type: array + title: bulk_delete_enrollment_api_keys_request + type: object + Kibana_HTTP_APIs_bulk_delete_enrollment_api_keys_response: + additionalProperties: false + properties: + action: + type: string + count: + type: number + errorCount: + type: number + successCount: + type: number + required: + - action + - count + - successCount + - errorCount + title: bulk_delete_enrollment_api_keys_response + type: object + Kibana_HTTP_APIs_bulk_get_agent_policies_response: + additionalProperties: false + properties: + items: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_agent_policy_response' + maxItems: 10000 + type: array + required: + - items + title: bulk_get_agent_policies_response + type: object + Kibana_HTTP_APIs_bulk_get_package_policies_response: + additionalProperties: false + properties: + items: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_response' + maxItems: 10000 + type: array + required: + - items + title: bulk_get_package_policies_response + type: object + Kibana_HTTP_APIs_bulk_install_packages_from_registry_request: + additionalProperties: false + properties: + force: + default: false + type: boolean + packages: + items: + anyOf: + - type: string + - additionalProperties: false + type: object + 
properties: + name: + type: string + prerelease: + type: boolean + version: + type: string + required: + - name + - version + maxItems: 1000 + minItems: 1 + type: array + required: + - packages + title: bulk_install_packages_from_registry_request + type: object + Kibana_HTTP_APIs_bulk_install_packages_from_registry_response: + additionalProperties: false + properties: + items: + items: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_install_packages_response_item_success' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_install_packages_response_item_error' + maxItems: 10000 + type: array + required: + - items + title: bulk_install_packages_from_registry_response + type: object + Kibana_HTTP_APIs_bulk_install_packages_response_item_error: + additionalProperties: false + properties: + error: + anyOf: + - type: string + - nullable: true + name: + type: string + statusCode: + type: number + required: + - name + - statusCode + title: bulk_install_packages_response_item_error + type: object + Kibana_HTTP_APIs_bulk_install_packages_response_item_success: + additionalProperties: false + properties: + name: + type: string + result: + additionalProperties: false + type: object + properties: + assets: + items: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kibana_asset_reference' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_es_asset_reference' + maxItems: 10000 + type: array + error: + nullable: true + installSource: + type: string + installType: + type: string + status: + enum: + - installed + - already_installed + type: string + required: + - error + - installType + version: + type: string + required: + - name + - version + - result + title: bulk_install_packages_response_item_success + type: object + Kibana_HTTP_APIs_bulk_namespace_customization_request: + additionalProperties: false + properties: + disable: + description: Namespaces to disable namespace-level customization for on each package. 
+ items: + type: string + maxItems: 100 + type: array + enable: + description: Namespaces to enable namespace-level customization for on each package. + items: + type: string + maxItems: 100 + type: array + packages: + description: Package names to apply the customization changes to. + items: + type: string + maxItems: 1000 + minItems: 1 + type: array + required: + - packages + title: bulk_namespace_customization_request + type: object + Kibana_HTTP_APIs_bulk_namespace_customization_response: + additionalProperties: false + properties: + items: + items: + additionalProperties: false + type: object + properties: + error: + type: string + name: + type: string + namespace_customization_enabled_for: + description: 'The opt-in list on the package. Returned whenever the package is installed: the new list on success, or the unchanged list when the request is rejected (for example, because of a namespace-prefix restriction).' + items: + type: string + maxItems: 100 + type: array + success: + type: boolean + required: + - name + - success + maxItems: 1000 + type: array + required: + - items + title: bulk_namespace_customization_response + type: object + Kibana_HTTP_APIs_bulk_rollback_packages_request: + additionalProperties: false + properties: + packages: + items: + additionalProperties: false + type: object + properties: + name: + description: Package name to rollback + type: string + required: + - name + maxItems: 1000 + minItems: 1 + type: array + required: + - packages + title: bulk_rollback_packages_request + type: object + Kibana_HTTP_APIs_bulk_rollback_packages_response: + additionalProperties: false + properties: + taskId: + type: string + required: + - taskId + title: bulk_rollback_packages_response + type: object + Kibana_HTTP_APIs_bulk_uninstall_packages_request: + additionalProperties: false + properties: + force: + default: false + type: boolean + packages: + items: + additionalProperties: false + type: object + properties: + name: + type: string + version: + 
type: string + required: + - name + - version + maxItems: 1000 + minItems: 1 + type: array + required: + - packages + title: bulk_uninstall_packages_request + type: object + Kibana_HTTP_APIs_bulk_upgrade_packages_request: + additionalProperties: false + properties: + force: + default: false + type: boolean + packages: + items: + additionalProperties: false + type: object + properties: + name: + type: string + version: + type: string + required: + - name + maxItems: 1000 + minItems: 1 + type: array + prerelease: + type: boolean + upgrade_package_policies: + default: false + type: boolean + required: + - packages + title: bulk_upgrade_packages_request + type: object + Kibana_HTTP_APIs_bulk_upgrade_packages_response: + additionalProperties: false + properties: + taskId: + type: string + required: + - taskId + title: bulk_upgrade_packages_response + type: object Kibana_HTTP_APIs_byteFormat: additionalProperties: false description: Data size format in bits or bytes, with optional decimal places and suffix. @@ -102308,6 +87214,25 @@ components: - unassigned title: Categorical Color Mapping type: object + Kibana_HTTP_APIs_category_summary_item: + additionalProperties: false + properties: + count: + type: number + id: + type: string + parent_id: + type: string + parent_title: + type: string + title: + type: string + required: + - id + - title + - count + title: category_summary_item + type: object Kibana_HTTP_APIs_ClassicFieldDefinition: additionalProperties: $ref: '#/components/schemas/Kibana_HTTP_APIs_ClassicFieldDefinitionConfig' 
@@ -102784,6 +87709,18 @@ components: - routing required: - objects + Kibana_HTTP_APIs_copy_agent_policy_request: + additionalProperties: false + properties: + description: + type: string + name: + minLength: 1 + type: string + required: + - name + title: copy_agent_policy_request + type: object Kibana_HTTP_APIs_core_status_redactedResponse: additionalProperties: false description: A minimal representation of Kibana's operational status. Returned when the caller is unauthenticated or lacks the `monitor` cluster privilege. 
@@ -103137,6 +88074,338 @@ components: - operation title: Count Metric Operation type: object + Kibana_HTTP_APIs_create_custom_integration_request: + additionalProperties: false + properties: + datasets: + items: + additionalProperties: false + type: object + properties: + name: + type: string + type: + enum: + - logs + - metrics + - traces + - synthetics + - profiling + type: string + required: + - name + - type + maxItems: 10 + type: array + force: + type: boolean + integrationName: + type: string + required: + - integrationName + - datasets + title: create_custom_integration_request + type: object + Kibana_HTTP_APIs_create_package_policy_request: + additionalProperties: false + properties: + additional_datastreams_permissions: + description: Additional datastream permissions, that will be added to the agent policy. + items: + type: string + maxItems: 1000 + nullable: true + type: array + cloud_connector_id: + description: ID of the cloud connector associated with this package policy. + nullable: true + type: string + cloud_connector_name: + description: Transient field for cloud connector name during creation. + maxLength: 255 + minLength: 1 + nullable: true + type: string + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this integration to its inputs.' + type: string + description: + description: Package policy description + type: string + enabled: + type: boolean + force: + description: Force package policy creation even if the package is not verified, or if the agent policy is managed. + type: boolean + global_data_tags: + items: + additionalProperties: false + type: object + properties: + name: + description: The name of the custom field. Cannot contain spaces. + type: string + value: + anyOf: + - type: string + - type: number + description: The value of the custom field. 
+ required: + - name + - value + maxItems: 100 + nullable: true + type: array + id: + description: Package policy unique identifier + type: string + inputs: + items: + additionalProperties: false + type: object + properties: + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' + type: string + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + name: + type: string + policy_template: + type: string + streams: + items: + additionalProperties: false + type: object + properties: + compiled_stream: + nullable: true + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' 
+ type: string + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + data_stream: + additionalProperties: false + type: object + properties: + dataset: + type: string + elasticsearch: + additionalProperties: false + type: object + properties: + dynamic_dataset: + type: boolean + dynamic_namespace: + type: boolean + privileges: + additionalProperties: false + type: object + properties: + indices: + items: + type: string + maxItems: 100 + type: array + type: + type: string + required: + - dataset + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + release: + enum: + - ga + - beta + - experimental + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - enabled + - data_stream + - compiled_stream + - deprecated + maxItems: 1000 + type: array + type: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. 
+ type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - type + - enabled + - deprecated + maxItems: 1000 + type: array + is_managed: + type: boolean + name: + description: Unique name for the package policy. + type: string + namespace: + description: The package policy namespace. Leave blank to inherit the agent policy's namespace. + type: string + output_id: + nullable: true + type: string + overrides: + additionalProperties: false + description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. + nullable: true + type: object + properties: + inputs: + additionalProperties: + nullable: true + type: object + package: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_package' + package_agent_version_condition: + type: string + policy_id: + deprecated: true + description: ID of the agent policy which the package policy will be added to. + nullable: true + type: string + policy_ids: + items: + description: IDs of the agent policies which that package policy will be added to. + type: string + maxItems: 1000 + type: array + spaceIds: + items: + type: string + maxItems: 100 + type: array + supports_agentless: + default: false + deprecated: true + description: Indicates whether the package policy belongs to an agentless agent policy. Deprecated in favor of the Fleet agentless policies API. + nullable: true + type: boolean + supports_cloud_connector: + default: false + description: Indicates whether the package policy supports cloud connectors. + nullable: true + type: boolean + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. 
Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - name + - package + - inputs + title: create_package_policy_request + type: object + Kibana_HTTP_APIs_create_package_policy_response: + additionalProperties: false + properties: + item: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_response' + required: + - item + title: create_package_policy_response + type: object Kibana_HTTP_APIs_cumulativeSumOperation: additionalProperties: false properties: 
@@ -105496,6 +90765,104 @@ components: - field title: Date Histogram Operation type: object + Kibana_HTTP_APIs_delete_agent_policy_request: + additionalProperties: false + properties: + agentPolicyId: + description: The ID of the agent policy + type: string + force: + description: bypass validation checks that can prevent agent policy deletion + type: boolean + required: + - agentPolicyId + title: delete_agent_policy_request + type: object + Kibana_HTTP_APIs_delete_agent_policy_response: + additionalProperties: false + properties: + id: + type: string + name: + type: string + required: + - id + - name + title: delete_agent_policy_response + type: object + Kibana_HTTP_APIs_delete_enrollment_api_key_response: + additionalProperties: false + properties: + action: + enum: + - deleted + type: string + required: + - action + title: delete_enrollment_api_key_response + type: object + Kibana_HTTP_APIs_delete_one_package_policy_response: + additionalProperties: false + properties: + id: + type: string + required: + - id + title: delete_one_package_policy_response + type: object + Kibana_HTTP_APIs_delete_package_datastream_assets_response: + additionalProperties: false + properties: + success: + type: boolean + required: + - success + title: delete_package_datastream_assets_response + type: object + Kibana_HTTP_APIs_delete_package_policies_request: + additionalProperties: false + properties: + force: + type: boolean + packagePolicyIds: + items: + type: string + maxItems: 1000 + type: array + required: + - packagePolicyIds + title: delete_package_policies_request + type: object + Kibana_HTTP_APIs_delete_package_response: + additionalProperties: false + properties: + items: + items: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kibana_asset_reference' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_es_asset_reference' + maxItems: 10000 + type: array + required: + - items + title: delete_package_response + type: object + Kibana_HTTP_APIs_deprecation_info: + 
additionalProperties: false + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + title: deprecation_info + type: object + x-oas-optional: true Kibana_HTTP_APIs_differencesOperation: additionalProperties: false properties: 
@@ -105512,23 +90879,380 @@ components: enum: - differences type: string - reduced_time_range: - description: Reduced time range - title: Operation Reduced Time Range Setting + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - format + - filter + - time_scale + - operation + - of + title: Differences Operation + type: object + Kibana_HTTP_APIs_dry_run_package_policies_request: + additionalProperties: false + properties: + packagePolicyIds: + items: + type: string + maxItems: 1000 + type: array + packageVersion: + type: string + required: + - packagePolicyIds + title: dry_run_package_policies_request + type: object + Kibana_HTTP_APIs_dry_run_package_policy: + additionalProperties: true + properties: + additional_datastreams_permissions: + description: Additional datastream permissions, that will be added to the agent policy. + items: + type: string + maxItems: 1000 + nullable: true + type: array + cloud_connector_id: + description: ID of the cloud connector associated with this package policy. + nullable: true + type: string + cloud_connector_name: + description: Transient field for cloud connector name during creation. + maxLength: 255 + minLength: 1 + nullable: true + type: string + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this integration to its inputs.' 
+ type: string + created_at: + type: string + created_by: + type: string + description: + description: Package policy description + type: string + elasticsearch: + additionalProperties: true + type: object + properties: + privileges: + additionalProperties: true + type: object + properties: + cluster: + items: + type: string + maxItems: 100 + type: array + enabled: + type: boolean + errors: + items: + additionalProperties: false + type: object + properties: + key: + type: string + message: + type: string + required: + - message + maxItems: 10 + type: array + force: + type: boolean + global_data_tags: + items: + additionalProperties: false + type: object + properties: + name: + description: The name of the custom field. Cannot contain spaces. + type: string + value: + anyOf: + - type: string + - type: number + description: The value of the custom field. + required: + - name + - value + maxItems: 100 + nullable: true + type: array + id: + type: string + inputs: + items: + additionalProperties: false + type: object + properties: + compiled_input: + nullable: true + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' + type: string + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + name: + type: string + policy_template: + type: string + streams: + items: + additionalProperties: false + type: object + properties: + compiled_stream: + nullable: true + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' 
+ type: string + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + data_stream: + additionalProperties: false + type: object + properties: + dataset: + type: string + elasticsearch: + additionalProperties: false + type: object + properties: + dynamic_dataset: + type: boolean + dynamic_namespace: + type: boolean + privileges: + additionalProperties: false + type: object + properties: + indices: + items: + type: string + maxItems: 100 + type: array + type: + type: string + required: + - dataset + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + release: + enum: + - ga + - beta + - experimental + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - enabled + - data_stream + - compiled_stream + - deprecated + maxItems: 1000 + type: array + type: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. 
+ type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - type + - enabled + - streams + - deprecated + - compiled_input + maxItems: 100 + type: array + is_managed: + type: boolean + missingVars: + items: + type: string + maxItems: 100 + type: array + name: + description: Unique name for the package policy. + type: string + namespace: + description: The package policy namespace. Leave blank to inherit the agent policy's namespace. + type: string + output_id: + nullable: true + type: string + overrides: + additionalProperties: false + description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. + nullable: true + type: object + properties: + inputs: + additionalProperties: + nullable: true + type: object + package: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_package' + package_agent_version_condition: + type: string + policy_id: + deprecated: true + description: ID of the agent policy which the package policy will be added to. + nullable: true + type: string + policy_ids: + items: + description: IDs of the agent policies which that package policy will be added to. + type: string + maxItems: 1000 + type: array + revision: + type: number + secret_references: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 1000 + type: array + supports_agentless: + default: false + description: Indicates whether the package policy belongs to an agentless agent policy. + nullable: true + type: boolean + supports_cloud_connector: + default: false + description: Indicates whether the package policy supports cloud connectors. 
+ nullable: true + type: boolean + updated_at: + type: string + updated_by: type: string - time_scale: - $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' - time_shift: - description: Time shift - title: Operation Time Shift Setting + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + version: + description: Package policy ES version. type: string required: - - format - - filter - - time_scale - - operation - - of - title: Differences Operation + - name + - enabled + - package + - inputs + title: dry_run_package_policy type: object Kibana_HTTP_APIs_durationFormat: additionalProperties: false 
@@ -105553,6 +91277,79 @@ components: - to title: Duration Format type: object + Kibana_HTTP_APIs_enrollment_api_key: + additionalProperties: false + properties: + active: + description: When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents. + type: boolean + api_key: + description: The enrollment API key (token) used for enrolling Elastic Agents. + type: string + api_key_id: + description: The ID of the API key in the Security API. + type: string + created_at: + type: string + hidden: + type: boolean + id: + type: string + name: + description: The name of the enrollment API key. + type: string + policy_id: + description: The ID of the agent policy the Elastic Agent will be enrolled in. + type: string + required: + - id + - api_key_id + - api_key + - active + - created_at + title: enrollment_api_key + type: object + Kibana_HTTP_APIs_enrollment_api_key_response: + additionalProperties: false + properties: + action: + enum: + - created + type: string + item: + $ref: '#/components/schemas/Kibana_HTTP_APIs_enrollment_api_key' + required: + - item + - action + title: enrollment_api_key_response + type: object + Kibana_HTTP_APIs_es_asset_reference: + additionalProperties: false + properties: + deferred: + type: boolean + id: + type: string + type: + enum: + - index + - index_template + - component_template + - ingest_pipeline + - ilm_policy + - data_stream_ilm_policy + - transform + - ml_model + - knowledge_base + - esql_view + type: string + version: + type: string + required: + - id + - type + title: es_asset_reference + type: object Kibana_HTTP_APIs_es-query-create-rule-body-alerting: additionalProperties: false properties: 
@@ -106333,6 +92130,513 @@ components: - filter title: Formula Operation type: object + Kibana_HTTP_APIs_full_agent_policy: + additionalProperties: false + properties: + agent: + additionalProperties: false + type: object + properties: + download: + additionalProperties: false + type: object + properties: + auth: + additionalProperties: false + type: object + properties: + api_key: + type: string + headers: + items: + additionalProperties: false + type: object + properties: + key: + type: string + value: + type: string + required: + - key + - value + maxItems: 100 + type: array + password: + type: string + username: + type: string + proxy_headers: + additionalProperties: + anyOf: + - type: string + - type: boolean + - type: number + nullable: true + type: object + proxy_url: + type: string + secrets: + additionalProperties: true + type: object + properties: + ssl: + additionalProperties: true + type: object + properties: + key: + additionalProperties: true + type: object + properties: + id: + type: string + required: + - key + sourceURI: + type: string + ssl: + additionalProperties: false + type: object + properties: + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + key: + type: string + renegotiation: + type: string + verification_mode: + type: string + target_directory: + type: string + timeout: + type: string + required: + - sourceURI + features: + additionalProperties: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + required: + - enabled + type: object + internal: + nullable: true + limits: + additionalProperties: false + type: object + properties: + go_max_procs: + type: number + logging: + additionalProperties: false + type: object + properties: + files: + additionalProperties: false + type: object + properties: + interval: + type: string + keepfiles: + type: number + rotateeverybytes: + type: number + level: + type: string + metrics: + additionalProperties: 
false + type: object + properties: + period: + type: string + to_files: + type: boolean + monitoring: + additionalProperties: false + type: object + properties: + _runtime_experimental: + type: string + apm: + nullable: true + diagnostics: + additionalProperties: false + type: object + properties: + limit: + additionalProperties: false + type: object + properties: + burst: + type: number + interval: + type: string + uploader: + additionalProperties: false + type: object + properties: + init_dur: + type: string + max_dur: + type: string + max_retries: + type: number + enabled: + type: boolean + http: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + host: + type: string + port: + type: number + logs: + type: boolean + metrics: + type: boolean + namespace: + type: string + pprof: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + required: + - enabled + traces: + type: boolean + use_output: + type: string + required: + - enabled + - metrics + - logs + - traces + - apm + protection: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + signing_key: + type: string + uninstall_token_hash: + type: string + required: + - enabled + - uninstall_token_hash + - signing_key + required: + - monitoring + - download + - features + - internal + connectors: + additionalProperties: + nullable: true + type: object + exporters: + additionalProperties: + nullable: true + type: object + extensions: + additionalProperties: + nullable: true + type: object + fleet: + anyOf: + - additionalProperties: false + type: object + properties: + hosts: + items: + type: string + maxItems: 100 + type: array + proxy_headers: + additionalProperties: + anyOf: + - type: string + - type: boolean + - type: number + nullable: true + type: object + proxy_url: + type: string + secrets: + additionalProperties: true + type: object + properties: + ssl: + additionalProperties: true + type: object + 
properties: + key: + additionalProperties: true + type: object + properties: + id: + type: string + required: + - key + ssl: + additionalProperties: false + type: object + properties: + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + key: + type: string + renegotiation: + type: string + verification_mode: + type: string + required: + - hosts + - additionalProperties: false + type: object + properties: + kibana: + additionalProperties: false + type: object + properties: + hosts: + items: + type: string + maxItems: 100 + type: array + path: + type: string + protocol: + type: string + required: + - hosts + - protocol + required: + - kibana + id: + type: string + inputs: + items: + additionalProperties: true + type: object + properties: + data_stream: + additionalProperties: true + type: object + properties: + namespace: + type: string + required: + - namespace + id: + type: string + meta: + additionalProperties: true + type: object + properties: + package: + additionalProperties: true + type: object + properties: + name: + type: string + version: + type: string + required: + - name + - version + name: + type: string + package_policy_id: + type: string + processors: + items: + additionalProperties: true + type: object + properties: + add_fields: + additionalProperties: true + type: object + properties: + fields: + additionalProperties: + anyOf: + - type: string + - type: number + type: object + target: + type: string + required: + - target + - fields + required: + - add_fields + maxItems: 10000 + type: array + revision: + type: number + streams: + items: + additionalProperties: true + type: object + properties: + data_stream: + additionalProperties: true + type: object + properties: + dataset: + type: string + type: + type: string + required: + - dataset + id: + type: string + required: + - id + - data_stream + maxItems: 10000 + type: array + type: + type: string + use_output: + type: string + required: + - 
id + - name + - revision + - type + - data_stream + - use_output + - package_policy_id + maxItems: 10000 + type: array + namespaces: + items: + type: string + maxItems: 100 + type: array + output_permissions: + additionalProperties: + additionalProperties: + nullable: true + type: object + type: object + outputs: + additionalProperties: + additionalProperties: true + type: object + properties: + ca_sha256: + nullable: true + type: string + hosts: + items: + type: string + maxItems: 100 + type: array + proxy_headers: + additionalProperties: + anyOf: + - type: string + - type: boolean + - type: number + nullable: true + type: object + proxy_url: + type: string + type: + type: string + required: + - type + type: object + processors: + additionalProperties: + nullable: true + type: object + receivers: + additionalProperties: + nullable: true + type: object + revision: + type: number + secret_references: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10000 + type: array + service: + additionalProperties: false + type: object + properties: + extensions: + items: + type: string + maxItems: 1000 + type: array + pipelines: + additionalProperties: + additionalProperties: false + type: object + properties: + exporters: + items: + type: string + maxItems: 1000 + type: array + processors: + items: + type: string + maxItems: 1000 + type: array + receivers: + items: + type: string + maxItems: 1000 + type: array + x-oas-optional: true + type: object + signed: + additionalProperties: false + type: object + properties: + data: + type: string + signature: + type: string + required: + - data + - signature + required: + - id + - outputs + - inputs + title: full_agent_policy + type: object Kibana_HTTP_APIs_gaugeESQL: additionalProperties: false description: Gauge configuration using an ES|QL query. 
@@ -107266,548 +93570,1318 @@ components: enum: - unique_count type: string - reduced_time_range: - description: Reduced time range - title: Operation Reduced Time Range Setting + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the gauge value. + type: string + ticks: + additionalProperties: false + description: Ticks configuration + type: object + properties: + mode: + description: Tick placement mode. + enum: + - auto + - bands + type: string + visible: + description: When `true`, displays tick marks on the gauge. + type: boolean + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + title: + additionalProperties: false + description: Title configuration + type: object + properties: + text: + description: Title text. + type: string + visible: + description: When `true`, displays the title. + type: boolean + required: + - format + - filter + - time_scale + - field + - operation + title: Unique Count Metric Operation + type: object + Kibana_HTTP_APIs_gaugeNoESQL: + additionalProperties: false + description: Gauge configuration using a data view. + properties: + data_source: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' + description: + type: string + drilldowns: + items: + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. 
+ type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. + type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + hide_border: + type: boolean + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. 
+ type: boolean + metric: + anyOf: + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeMetricCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeMetricUniqueCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeMetricStatsMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeMetricSumMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeMetricLastValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeMetricPercentile' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeMetricPercentileRanks' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeMetricFormula' + query: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). + maximum: 1 + minimum: 0 + type: number + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeStyling' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + type: + enum: + - gauge + type: string + required: + - type + - filters + - query + - data_source + - styling + - metric + - time_range + title: Gauge Chart (DSL) + type: object + Kibana_HTTP_APIs_gaugeShapeBullet: + additionalProperties: false + description: Bullet gauge shape. + properties: + orientation: + $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_simple_orientation' + type: + enum: + - bullet + type: string + required: + - type + - orientation + title: Shape (Bullet) + type: object + Kibana_HTTP_APIs_gaugeShapeCircular: + additionalProperties: false + description: Circular gauge shape. 
+ properties: + type: + enum: + - circle + - semi_circle + - arc + type: string + required: + - type + title: Shape (Circular) + type: object + Kibana_HTTP_APIs_gaugeStyling: + additionalProperties: false + description: Visual chart styling options + properties: + shape: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeShapeBullet' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeShapeCircular' + title: Gauge styling + type: object + x-oas-optional: true + Kibana_HTTP_APIs_geo-containment-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + additionalProperties: false + description: An action that runs under defined conditions. + type: object + properties: + alerts_filter: + additionalProperties: false + description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. + type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. 
+ nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. + type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). + type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. 
+ type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + nullable: true + type: object + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. + maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true type: string - subtitle: - description: Subtitle below the gauge value. + params: + additionalProperties: false + description: The parameters for the geo containment rule. These parameters are appropriate when `rule_type_id` is `.geo-containment`. + properties: + boundaryGeoField: + minLength: 1 + type: string + boundaryIndexId: + minLength: 1 + type: string + boundaryIndexQuery: + nullable: true + boundaryIndexTitle: + minLength: 1 + type: string + boundaryNameField: + minLength: 1 + type: string + boundaryType: + minLength: 1 + type: string + dateField: + minLength: 1 + type: string + entity: + minLength: 1 + type: string + geoField: + minLength: 1 + type: string + index: + minLength: 1 + type: string + indexId: + minLength: 1 + type: string + indexQuery: + nullable: true + required: + - index + - indexId + - geoField + - entity + - dateField + - boundaryType + - boundaryIndexTitle + - boundaryIndexId + - boundaryGeoField + - indexQuery + - boundaryIndexQuery + title: Geo Containment Rule Params + type: object + rule_type_id: + enum: + - .geo-containment type: string - ticks: + schedule: additionalProperties: false - description: Ticks configuration + description: The check interval, which specifies how frequently the rule conditions are checked. 
type: object properties: - mode: - description: Tick placement mode. - enum: - - auto - - bands + interval: + description: The interval is specified in seconds, minutes, hours, or days. type: string - visible: - description: When `true`, displays tick marks on the gauge. - type: boolean - time_scale: - $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' - time_shift: - description: Time shift - title: Operation Time Shift Setting + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true type: string - title: + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Geo containment + type: object + Kibana_HTTP_APIs_get_agent_policy_outputs_response: + additionalProperties: false + properties: + item: additionalProperties: false - description: Title configuration type: object properties: - text: - description: Title text. + agentPolicyId: type: string - visible: - description: When `true`, displays the title. 
- type: boolean + data: + additionalProperties: false + type: object + properties: + integrations: + items: + additionalProperties: false + type: object + properties: + id: + type: string + integrationPolicyName: + type: string + name: + type: string + pkgName: + type: string + maxItems: 1000 + type: array + output: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + required: + - id + - name + required: + - output + monitoring: + additionalProperties: false + type: object + properties: + output: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + required: + - id + - name + required: + - output + required: + - monitoring + - data required: - - format - - filter - - time_scale - - field - - operation - title: Unique Count Metric Operation + - item + title: get_agent_policy_outputs_response type: object - Kibana_HTTP_APIs_gaugeNoESQL: + Kibana_HTTP_APIs_get_agent_policy_response: additionalProperties: false - description: Gauge configuration using a data view. properties: - data_source: - anyOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' - description: - type: string - drilldowns: + item: + $ref: '#/components/schemas/Kibana_HTTP_APIs_agent_policy_response' + required: + - item + title: get_agent_policy_response + type: object + Kibana_HTTP_APIs_get_bulk_assets_request: + additionalProperties: false + properties: + assetIds: items: - anyOf: - - additionalProperties: false - default: - open_in_new_tab: false - use_filters: true - use_time_range: true - properties: - dashboard_id: - type: string - label: - type: string - open_in_new_tab: - default: false - description: When enabled, the dashboard opens in a new browser tab. 
- type: boolean - trigger: - enum: - - on_apply_filter - type: string - type: - enum: - - dashboard_drilldown - type: string - use_filters: - default: true - description: When enabled, filters are passed to the opening dashboard. - type: boolean - use_time_range: - default: true - description: When enabled, time range is passed to the opening dashboard. - type: boolean - required: - - dashboard_id - - label - - trigger - - type - title: dashboard_drilldown + additionalProperties: false + type: object + properties: + id: + type: string + type: + type: string + required: + - id + - type + maxItems: 10000 + type: array + required: + - assetIds + title: get_bulk_assets_request + type: object + Kibana_HTTP_APIs_get_bulk_assets_response: + additionalProperties: false + properties: + items: + items: + additionalProperties: false + type: object + properties: + appLink: + type: string + attributes: + additionalProperties: false type: object - - additionalProperties: false properties: - label: + description: type: string - open_in_new_tab: - default: true - type: boolean - trigger: - enum: - - on_apply_filter + service: type: string - type: - enum: - - discover_drilldown + title: type: string - required: - - label - - trigger - - type - title: discover_drilldown + id: + type: string + type: + type: string + updatedAt: + type: string + required: + - id + - type + - attributes + maxItems: 10000 + type: array + required: + - items + title: get_bulk_assets_response + type: object + Kibana_HTTP_APIs_get_categories_response: + additionalProperties: false + properties: + items: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_category_summary_item' + maxItems: 10000 + type: array + required: + - items + title: get_categories_response + type: object + Kibana_HTTP_APIs_get_data_streams_response: + additionalProperties: false + properties: + items: + items: + additionalProperties: false + type: object + properties: + name: + type: string + required: + - name + maxItems: 10000 + 
type: array + required: + - items + title: get_data_streams_response + type: object + Kibana_HTTP_APIs_get_dependencies_response: + additionalProperties: false + properties: + items: + items: + additionalProperties: false + type: object + properties: + name: + type: string + title: + type: string + version: + type: string + required: + - name + - version + - title + maxItems: 1000 + type: array + required: + - items + title: get_dependencies_response + type: object + Kibana_HTTP_APIs_get_full_agent_policy_response: + additionalProperties: false + properties: + item: + anyOf: + - type: string + - $ref: '#/components/schemas/Kibana_HTTP_APIs_full_agent_policy' + required: + - item + title: get_full_agent_policy_response + type: object + Kibana_HTTP_APIs_get_info_response: + additionalProperties: false + properties: + item: + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_package_info' + metadata: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_metadata' + required: + - item + - metadata + title: get_info_response + type: object + Kibana_HTTP_APIs_get_inputs_response: + additionalProperties: false + properties: + connectors: + additionalProperties: + nullable: true + type: object + exporters: + additionalProperties: + nullable: true + type: object + extensions: + additionalProperties: + nullable: true + type: object + inputs: + items: + additionalProperties: false + type: object + properties: + id: + type: string + streams: + items: + additionalProperties: true + type: object + properties: + data_stream: + additionalProperties: true + type: object + properties: + dataset: + type: string + type: + type: string + required: + - dataset + id: + type: string + required: + - id + - data_stream + maxItems: 10000 + type: array + type: + type: string + required: + - id + - type + maxItems: 10000 + type: array + processors: + additionalProperties: + nullable: true + type: object + receivers: + additionalProperties: + nullable: true + type: object + service: + 
additionalProperties: false + type: object + properties: + extensions: + items: + type: string + maxItems: 1000 + type: array + pipelines: + additionalProperties: + additionalProperties: false type: object - - additionalProperties: false properties: - encode_url: - default: true - description: When true, URL is escaped using percent encoding - type: boolean - label: - type: string - open_in_new_tab: - default: true - type: boolean - trigger: - enum: - - on_click_row - - on_click_value - - on_open_panel_menu - - on_select_range - type: string - type: - enum: - - url_drilldown - type: string - url: - description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable - type: string - required: - - url - - label - - trigger - - type - title: url_drilldown - type: object - maxItems: 100 + exporters: + items: + type: string + maxItems: 1000 + type: array + processors: + items: + type: string + maxItems: 1000 + type: array + receivers: + items: + type: string + maxItems: 1000 + type: array + x-oas-optional: true + type: object + required: + - inputs + title: get_inputs_response + type: object + Kibana_HTTP_APIs_get_installed_packages_response: + additionalProperties: false + properties: + items: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_installed_package' + maxItems: 10000 type: array - filters: - $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' - hide_border: - type: boolean - hide_title: - type: boolean - ignore_global_filters: - default: false - description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. 
- type: boolean - metric: - anyOf: - - anyOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeMetricCountMetric' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeMetricUniqueCountMetric' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeMetricStatsMetric' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeMetricSumMetric' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeMetricLastValue' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeMetricPercentile' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeMetricPercentileRanks' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeMetricFormula' - query: - $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' - references: + searchAfter: items: - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + anyOf: + - type: string + - type: number + - type: boolean + - nullable: true + nullable: true + maxItems: 2 type: array - sampling: - default: 1 - description: Sampling factor between 0 (no sampling) and 1 (full sampling). - maximum: 1 - minimum: 0 + total: type: number - styling: - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeStyling' - time_range: - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' - title: - type: string - type: - enum: - - gauge - type: string required: - - type - - filters - - query - - data_source - - styling - - metric - - time_range - title: Gauge Chart (DSL) + - items + - total + title: get_installed_packages_response type: object - Kibana_HTTP_APIs_gaugeShapeBullet: + Kibana_HTTP_APIs_get_k8s_manifest_response: additionalProperties: false - description: Bullet gauge shape. 
properties: - orientation: - $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_simple_orientation' - type: - enum: - - bullet + item: type: string required: - - type - - orientation - title: Shape (Bullet) + - item + title: get_k8s_manifest_response type: object - Kibana_HTTP_APIs_gaugeShapeCircular: + Kibana_HTTP_APIs_get_limited_packages_response: additionalProperties: false - description: Circular gauge shape. properties: - type: - enum: - - circle - - semi_circle - - arc - type: string + items: + items: + type: string + maxItems: 10000 + type: array required: - - type - title: Shape (Circular) + - items + title: get_limited_packages_response type: object - Kibana_HTTP_APIs_gaugeStyling: + Kibana_HTTP_APIs_get_list_agent_policy_outputs_request: additionalProperties: false - description: Visual chart styling options properties: - shape: - anyOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeShapeBullet' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeShapeCircular' - title: Gauge styling + ids: + description: list of package policy ids + items: + type: string + maxItems: 1000 + type: array + required: + - ids + title: get_list_agent_policy_outputs_request type: object - x-oas-optional: true - Kibana_HTTP_APIs_geo-containment-create-rule-body-alerting: + Kibana_HTTP_APIs_get_list_agent_policy_outputs_response: additionalProperties: false properties: - actions: - default: [] + items: items: additionalProperties: false - description: An action that runs under defined conditions. type: object properties: - alerts_filter: + agentPolicyId: + type: string + data: additionalProperties: false - description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. 
type: object properties: - query: + integrations: + items: + additionalProperties: false + type: object + properties: + id: + type: string + integrationPolicyName: + type: string + name: + type: string + pkgName: + type: string + maxItems: 1000 + type: array + output: additionalProperties: false type: object properties: - dsl: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + id: type: string - filters: - description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: A filter can be either specific to an application context or applied globally. - enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: - description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" - nullable: true - type: object - query: - additionalProperties: - description: A query for the filter. - nullable: true - type: object - required: - - meta - type: array - kql: - description: A filter written in Kibana Query Language (KQL). + name: type: string required: - - kql - - filters - timeframe: + - id + - name + required: + - output + monitoring: + additionalProperties: false + type: object + properties: + output: additionalProperties: false - description: Defines a period that limits whether the action runs. type: object properties: - days: - description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. 
- items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. - type: object - properties: - end: - description: The end of the time frame in 24-hour notation (`hh:mm`). - type: string - start: - description: The start of the time frame in 24-hour notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + id: + type: string + name: type: string required: - - days - - hours - - timezone - frequency: + - id + - name + required: + - output + required: + - monitoring + - data + maxItems: 10000 + type: array + required: + - items + title: get_list_agent_policy_outputs_response + type: object + Kibana_HTTP_APIs_get_one_bulk_operation_packages_response: + additionalProperties: false + properties: + error: + additionalProperties: false + type: object + properties: + message: + type: string + required: + - message + results: + items: + additionalProperties: false + type: object + properties: + error: additionalProperties: false type: object properties: - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - nullable: true + message: type: string required: - - summary - - notify_when - - throttle - group: - description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. + - message + name: type: string - params: - additionalProperties: - nullable: true - default: {} - description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. - type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. + success: type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. 
- type: string required: - - id + - name + - success + maxItems: 10000 type: array - alert_delay: + status: + type: string + required: + - status + title: get_one_bulk_operation_packages_response + type: object + Kibana_HTTP_APIs_get_package_info: + additionalProperties: true + properties: + agent: additionalProperties: false - description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. type: object properties: - active: - description: The number of consecutive runs that must meet the rule conditions. - type: number + privileges: + additionalProperties: false + type: object + properties: + root: + type: boolean + asset_tags: + items: + additionalProperties: false + type: object + properties: + asset_ids: + items: + type: string + maxItems: 1000 + type: array + asset_types: + items: + type: string + maxItems: 100 + type: array + text: + type: string + required: + - text + maxItems: 1000 + type: array + assets: + additionalProperties: + nullable: true + type: object + categories: + items: + type: string + maxItems: 100 + type: array + conditions: + additionalProperties: true + type: object + properties: + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + elastic: + additionalProperties: true + type: object + properties: + capabilities: + items: + type: string + maxItems: 10 + type: array + subscription: + type: string + kibana: + additionalProperties: true + type: object + properties: + version: + type: string required: - - active - artifacts: - additionalProperties: false + - deprecated + data_streams: + items: + additionalProperties: + nullable: true + type: object + maxItems: 1000 + type: array + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + description: + type: string + discovery: + additionalProperties: true type: object properties: - dashboards: + datasets: items: - additionalProperties: false + additionalProperties: true type: object 
properties: - id: + name: type: string required: - - id - maxItems: 10 + - name + maxItems: 100 type: array - investigation_guide: - additionalProperties: false - type: object - properties: - blob: - maxLength: 10000 - type: string - required: - - blob - consumer: - description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + fields: + items: + additionalProperties: true + type: object + properties: + name: + type: string + required: + - name + maxItems: 100 + type: array + download: type: string - enabled: - default: true - description: Indicates whether you want to run the rule on an interval basis after it is created. - type: boolean - flapping: - additionalProperties: false - description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. - nullable: true + elasticsearch: + additionalProperties: + nullable: true type: object - properties: - enabled: - description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. - type: boolean - look_back_window: - description: The minimum number of runs in which the threshold must be met. - maximum: 20 - minimum: 2 - type: number - status_change_threshold: - description: The minimum number of times an alert must switch states in the look back window. 
- maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold + format_version: + type: string + icons: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_icon' + maxItems: 100 + type: array + installationInfo: + $ref: '#/components/schemas/Kibana_HTTP_APIs_installation_info' + internal: + type: boolean + keepPoliciesUpToDate: + type: boolean + latestVersion: + type: string + license: + type: string + licensePath: + type: string name: - description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. type: string - notify_when: - description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true + notice: type: string - params: - additionalProperties: false - description: The parameters for the geo containment rule. These parameters are appropriate when `rule_type_id` is `.geo-containment`. 
+ owner: + additionalProperties: true + type: object properties: - boundaryGeoField: - minLength: 1 + github: type: string - boundaryIndexId: - minLength: 1 + type: + enum: + - elastic + - partner + - community type: string - boundaryIndexQuery: + path: + type: string + policy_templates: + items: + additionalProperties: nullable: true - boundaryIndexTitle: - minLength: 1 - type: string - boundaryNameField: - minLength: 1 - type: string - boundaryType: - minLength: 1 - type: string - dateField: - minLength: 1 - type: string - entity: - minLength: 1 + type: object + maxItems: 1000 + type: array + readme: + type: string + release: + enum: + - ga + - beta + - experimental + type: string + screenshots: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_icon' + maxItems: 100 + type: array + signature_path: + type: string + source: + additionalProperties: true + type: object + properties: + license: type: string - geoField: - minLength: 1 + required: + - license + status: + type: string + title: + type: string + type: + anyOf: + - enum: + - integration type: string - index: - minLength: 1 + - enum: + - input type: string - indexId: - minLength: 1 + - enum: + - content type: string - indexQuery: + - type: string + var_groups: + items: + additionalProperties: true + type: object + properties: + description: + type: string + name: + type: string + options: + items: + additionalProperties: true + type: object + properties: + description: + type: string + hide_in_deployment_modes: + items: + enum: + - default + - agentless + type: string + maxItems: 2 + type: array + name: + type: string + title: + type: string + vars: + items: + type: string + maxItems: 100 + type: array + required: + - name + - title + - vars + maxItems: 100 + type: array + selector_title: + type: string + title: + type: string + required: + - name + - title + - selector_title + - options + maxItems: 100 + type: array + vars: + items: + additionalProperties: nullable: true - required: - - index 
- - indexId - - geoField - - entity - - dateField - - boundaryType - - boundaryIndexTitle - - boundaryIndexId - - boundaryGeoField - - indexQuery - - boundaryIndexQuery - title: Geo Containment Rule Params - type: object - rule_type_id: - enum: - - .geo-containment + type: object + maxItems: 1000 + type: array + version: type: string - schedule: + required: + - installationInfo + - name + - version + - title + - deprecated + - assets + title: get_package_info + type: object + Kibana_HTTP_APIs_get_packages_response: + additionalProperties: false + properties: + items: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_list_item' + maxItems: 10000 + type: array + required: + - items + title: get_packages_response + type: object + Kibana_HTTP_APIs_get_stats_response: + additionalProperties: false + properties: + response: additionalProperties: false - description: The check interval, which specifies how frequently the rule conditions are checked. type: object properties: - interval: - description: The interval is specified in seconds, minutes, hours, or days. - type: string + agent_policy_count: + type: number + package_policy_count: + type: number required: - - interval - tags: - default: [] - description: The tags for the rule. - items: - type: string - type: array - throttle: - description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ - agent_policy_count + - package_policy_count + required: + - response + title: get_stats_response + type: object + Kibana_HTTP_APIs_get_verification_key_id_response: + additionalProperties: false + properties: + id: nullable: true type: string required: - - name - - consumer - - schedule - - rule_type_id - - params - title: Geo containment + - id + title: get_verification_key_id_response type: object Kibana_HTTP_APIs_gradientColorMapping: additionalProperties: false 
@@ -109312,6 +96386,254 @@ components: properties: {} required: - inherit + Kibana_HTTP_APIs_install_kibana_assets_request: + additionalProperties: false + properties: + force: + type: boolean + space_ids: + description: When provided install assets in the specified spaces instead of the current space. + items: + type: string + maxItems: 100 + minItems: 1 + type: array + title: install_kibana_assets_request + type: object + Kibana_HTTP_APIs_install_kibana_assets_response: + additionalProperties: false + properties: + success: + type: boolean + required: + - success + title: install_kibana_assets_response + type: object + Kibana_HTTP_APIs_install_package_from_registry_request: + additionalProperties: false + properties: + force: + default: false + type: boolean + ignore_constraints: + default: false + type: boolean + title: install_package_from_registry_request + type: object + Kibana_HTTP_APIs_install_package_response: + additionalProperties: false + properties: + _meta: + additionalProperties: false + type: object + properties: + install_source: + type: string + name: + type: string + required: + - install_source + - name + items: + items: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kibana_asset_reference' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_es_asset_reference' + maxItems: 10000 + type: array + required: + - items + - _meta + title: install_package_response + type: object + Kibana_HTTP_APIs_install_rule_assets_request: + additionalProperties: false + properties: + force: + type: boolean + title: install_rule_assets_request + type: object + Kibana_HTTP_APIs_installation_info: + additionalProperties: true + properties: + additional_spaces_installed_kibana: + additionalProperties: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kibana_asset_reference' + maxItems: 100 + type: array + type: object + created_at: + type: string + experimental_data_stream_features: + items: + additionalProperties: true + type: object + properties: + 
data_stream: + type: string + features: + additionalProperties: true + type: object + properties: + doc_value_only_numeric: + type: boolean + doc_value_only_other: + type: boolean + synthetic_source: + type: boolean + tsdb: + type: boolean + required: + - data_stream + - features + maxItems: 100 + type: array + install_format_schema_version: + type: string + install_source: + enum: + - registry + - upload + - bundled + - custom + type: string + install_status: + enum: + - installed + - installing + - install_failed + type: string + installed_es: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_es_asset_reference' + maxItems: 10000 + type: array + installed_kibana: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kibana_asset_reference' + maxItems: 10000 + type: array + installed_kibana_space_id: + type: string + is_rollback_ttl_expired: + type: boolean + latest_executed_state: + additionalProperties: true + type: object + properties: + error: + type: string + name: + type: string + started_at: + type: string + latest_install_failed_attempts: + items: + additionalProperties: true + type: object + properties: + created_at: + type: string + error: + additionalProperties: true + type: object + properties: + message: + type: string + name: + type: string + stack: + type: string + required: + - name + - message + target_version: + type: string + required: + - created_at + - target_version + - error + maxItems: 10 + type: array + name: + type: string + namespaces: + items: + type: string + maxItems: 100 + type: array + previous_version: + nullable: true + type: string + rolled_back: + type: boolean + type: + type: string + updated_at: + type: string + verification_key_id: + nullable: true + type: string + verification_status: + enum: + - unverified + - verified + - unknown + type: string + version: + type: string + required: + - type + - installed_kibana + - installed_es + - name + - version + - install_status + - install_source + - verification_status + 
title: installation_info + type: object + x-oas-optional: true + Kibana_HTTP_APIs_installed_package: + additionalProperties: false + properties: + dataStreams: + items: + additionalProperties: false + type: object + properties: + name: + type: string + title: + type: string + required: + - name + - title + maxItems: 10000 + type: array + description: + type: string + icons: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_icon' + maxItems: 100 + type: array + name: + type: string + status: + type: string + title: + type: string + version: + type: string + required: + - name + - version + - status + - dataStreams + title: installed_package + type: object Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeConditionFilterSchema: additionalProperties: false description: A filter that evaluates a single field condition such as equality, range, or existence. @@ -112103,6 +99425,37 @@ components: - geo_point title: Type type: string + Kibana_HTTP_APIs_kibana_asset_reference: + additionalProperties: false + properties: + deferred: + type: boolean + id: + type: string + originId: + type: string + type: + anyOf: + - enum: + - dashboard + - lens + - visualization + - search + - index-pattern + - map + - ml-module + - security-rule + - csp-rule-template + - osquery-pack-asset + - osquery-saved-query + - tag + type: string + - type: string + required: + - id + - type + title: kibana_asset_reference + type: object Kibana_HTTP_APIs_lastValueOperation: additionalProperties: false properties: 
@@ -121722,6 +109075,279 @@ components: - keys title: Multi Field Key type: object + Kibana_HTTP_APIs_new_agent_policy: + additionalProperties: false + properties: + advanced_settings: + additionalProperties: false + type: object + properties: + agent_download_target_directory: + nullable: true + agent_download_timeout: + nullable: true + agent_features_disable_policy_change_acks_enabled: + nullable: true + agent_internal: + nullable: true + agent_limits_go_max_procs: + nullable: true + agent_logging_files_interval: + nullable: true + agent_logging_files_keepfiles: + nullable: true + agent_logging_files_rotateeverybytes: + nullable: true + agent_logging_level: + nullable: true + agent_logging_metrics_period: + nullable: true + agent_logging_to_files: + nullable: true + agent_monitoring_runtime_experimental: + nullable: true + agent_features: + items: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + name: + type: string + required: + - name + - enabled + maxItems: 100 + type: array + agentless: + additionalProperties: false + type: object + properties: + cloud_connectors: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + target_csp: + enum: + - aws + - azure + - gcp + type: string + required: + - enabled + cluster_id: + type: string + resources: + additionalProperties: false + type: object + properties: + requests: + additionalProperties: false + type: object + properties: + cpu: + type: string + memory: + type: string + bumpRevision: + type: boolean + data_output_id: + nullable: true + type: string + description: + type: string + download_source_id: + nullable: true + type: string + fleet_server_host_id: + nullable: true + type: string + force: + type: boolean + global_data_tags: + description: User defined data tags that are added to all of the inputs. The values can be strings or numbers. 
+ items: + additionalProperties: false + type: object + properties: + name: + type: string + value: + anyOf: + - type: string + - type: number + required: + - name + - value + maxItems: 100 + type: array + has_agent_version_conditions: + type: boolean + has_fleet_server: + type: boolean + id: + type: string + inactivity_timeout: + default: 1209600 + minimum: 0 + type: number + is_default: + type: boolean + is_default_fleet_server: + type: boolean + is_managed: + type: boolean + is_protected: + type: boolean + is_verifier: + type: boolean + keep_monitoring_alive: + default: false + description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled + nullable: true + type: boolean + min_agent_version: + nullable: true + type: string + monitoring_diagnostics: + additionalProperties: false + type: object + properties: + limit: + additionalProperties: false + type: object + properties: + burst: + type: number + interval: + type: string + uploader: + additionalProperties: false + type: object + properties: + init_dur: + type: string + max_dur: + type: string + max_retries: + type: number + monitoring_enabled: + items: + enum: + - logs + - metrics + - traces + type: string + maxItems: 3 + type: array + monitoring_http: + additionalProperties: false + type: object + properties: + buffer: + additionalProperties: false + type: object + properties: + enabled: + default: false + type: boolean + enabled: + type: boolean + host: + type: string + port: + maximum: 65353 + minimum: 0 + type: number + monitoring_output_id: + nullable: true + type: string + monitoring_pprof_enabled: + type: boolean + name: + minLength: 1 + type: string + namespace: + minLength: 1 + type: string + overrides: + additionalProperties: + nullable: true + description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure. 
+ nullable: true + type: object + package_agent_version_conditions: + items: + additionalProperties: false + type: object + properties: + name: + type: string + title: + type: string + version_condition: + type: string + required: + - name + - title + - version_condition + maxItems: 1000 + nullable: true + type: array + required_versions: + items: + additionalProperties: false + type: object + properties: + percentage: + description: Target percentage of agents to auto upgrade + maximum: 100 + minimum: 0 + type: number + version: + description: Target version for automatic agent upgrade + type: string + required: + - version + - percentage + maxItems: 100 + nullable: true + type: array + space_ids: + items: + type: string + maxItems: 100 + type: array + supports_agentless: + default: false + deprecated: true + description: Indicates whether the agent policy supports agentless integrations. Deprecated in favor of the Fleet agentless policies API. + nullable: true + type: boolean + unenroll_timeout: + minimum: 0 + type: number + required: + - name + - namespace + title: new_agent_policy + type: object + Kibana_HTTP_APIs_new_enrollment_api_key: + additionalProperties: false + properties: + expiration: + type: string + name: + type: string + policy_id: + type: string + required: + - policy_id + title: new_enrollment_api_key + type: object Kibana_HTTP_APIs_new_output_elasticsearch: additionalProperties: false properties: 
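Review bot: In `Kibana_HTTP_APIs_new_agent_policy` the `monitoring_http.port` property is declared with `maximum: 65353`, which reads like a transposition of 65535 and would reject the valid port range 65354–65535 while not tightening anything else. The new-side line should read `maximum: 65535`. This bundle appears to be generated from the Fleet config-schema definitions, so the correction belongs in the source schema the YAML is produced from, then regenerated, rather than hand-edited here; it is worth checking whether the same `monitoring_http` block is repeated in the other agent-policy schemas added by this series.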
@@ -123348,193 +110974,965 @@ components: - hosts title: output_logstash type: object - Kibana_HTTP_APIs_output_remote_elasticsearch: - additionalProperties: true + Kibana_HTTP_APIs_output_remote_elasticsearch: + additionalProperties: true + properties: + allow_edit: + items: + type: string + maxItems: 1000 + type: array + ca_sha256: + nullable: true + type: string + ca_trusted_fingerprint: + nullable: true + type: string + config_yaml: + nullable: true + type: string + hosts: + items: + format: uri + type: string + maxItems: 10 + minItems: 1 + type: array + id: + type: string + is_default: + default: false + type: boolean + is_default_monitoring: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + type: boolean + kibana_api_key: + nullable: true + type: string + kibana_url: + nullable: true + type: string + name: + type: string + otel_disable_beatsauth: + nullable: true + type: boolean + otel_exporter_config_yaml: + nullable: true + type: string + preset: + enum: + - balanced + - custom + - throughput + - scale + - latency + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: true + type: object + properties: + service_token: + anyOf: + - additionalProperties: true + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: true + type: object + properties: + key: + anyOf: + - additionalProperties: true + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + service_token: + nullable: true + type: string + shipper: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' + nullable: true + ssl: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + nullable: true + sync_integrations: + type: boolean + sync_uninstalled_integrations: + type: boolean + type: + enum: + - remote_elasticsearch + type: string + 
write_to_logs_streams: + nullable: true + type: boolean + required: + - name + - type + - hosts + title: output_remote_elasticsearch + type: object + Kibana_HTTP_APIs_output_shipper: + additionalProperties: true + properties: + compression_level: + nullable: true + type: number + disk_queue_compression_enabled: + nullable: true + type: boolean + disk_queue_enabled: + default: false + nullable: true + type: boolean + disk_queue_encryption_enabled: + nullable: true + type: boolean + disk_queue_max_size: + nullable: true + type: number + disk_queue_path: + nullable: true + type: string + loadbalance: + nullable: true + type: boolean + max_batch_bytes: + nullable: true + type: number + mem_queue_events: + nullable: true + type: number + queue_flush_timeout: + nullable: true + type: number + required: + - disk_queue_path + - disk_queue_max_size + - disk_queue_encryption_enabled + - disk_queue_compression_enabled + - compression_level + - loadbalance + - mem_queue_events + - queue_flush_timeout + - max_batch_bytes + title: output_shipper + type: object + Kibana_HTTP_APIs_output_ssl: + additionalProperties: true + properties: + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + key: + type: string + verification_mode: + enum: + - full + - none + - certificate + - strict + type: string + title: output_ssl + type: object + Kibana_HTTP_APIs_package_icon: + additionalProperties: false + properties: + dark_mode: + type: boolean + path: + type: string + size: + type: string + src: + type: string + title: + type: string + type: + type: string + required: + - src + title: package_icon + type: object + Kibana_HTTP_APIs_package_list_item: + additionalProperties: true + properties: + categories: + items: + type: string + maxItems: 100 + type: array + conditions: + additionalProperties: true + type: object + properties: + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + elastic: + 
additionalProperties: true + type: object + properties: + capabilities: + items: + type: string + maxItems: 10 + type: array + subscription: + type: string + kibana: + additionalProperties: true + type: object + properties: + version: + type: string + required: + - deprecated + data_streams: + items: + additionalProperties: + nullable: true + type: object + maxItems: 1000 + type: array + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + description: + type: string + discovery: + additionalProperties: true + type: object + properties: + datasets: + items: + additionalProperties: true + type: object + properties: + name: + type: string + required: + - name + maxItems: 100 + type: array + fields: + items: + additionalProperties: true + type: object + properties: + name: + type: string + required: + - name + maxItems: 100 + type: array + download: + type: string + format_version: + type: string + icons: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_icon' + maxItems: 100 + type: array + id: + type: string + installationInfo: + $ref: '#/components/schemas/Kibana_HTTP_APIs_installation_info' + integration: + type: string + internal: + type: boolean + latestVersion: + type: string + name: + type: string + owner: + additionalProperties: true + type: object + properties: + github: + type: string + type: + enum: + - elastic + - partner + - community + type: string + path: + type: string + policy_templates: + items: + additionalProperties: + nullable: true + type: object + maxItems: 1000 + type: array + readme: + type: string + release: + enum: + - ga + - beta + - experimental + type: string + signature_path: + type: string + source: + additionalProperties: true + type: object + properties: + license: + type: string + required: + - license + status: + type: string + title: + type: string + type: + anyOf: + - enum: + - integration + type: string + - enum: + - input + type: string + - enum: + - content + type: string + - type: 
string + var_groups: + items: + additionalProperties: true + type: object + properties: + description: + type: string + name: + type: string + options: + items: + additionalProperties: true + type: object + properties: + description: + type: string + hide_in_deployment_modes: + items: + enum: + - default + - agentless + type: string + maxItems: 2 + type: array + name: + type: string + title: + type: string + vars: + items: + type: string + maxItems: 100 + type: array + required: + - name + - title + - vars + maxItems: 100 + type: array + selector_title: + type: string + title: + type: string + required: + - name + - title + - selector_title + - options + maxItems: 100 + type: array + vars: + items: + additionalProperties: + nullable: true + type: object + maxItems: 1000 + type: array + version: + type: string + required: + - installationInfo + - name + - version + - title + - deprecated + - id + title: package_list_item + type: object + Kibana_HTTP_APIs_package_metadata: + additionalProperties: false + properties: + has_policies: + type: boolean + required: + - has_policies + title: package_metadata + type: object + x-oas-optional: true + Kibana_HTTP_APIs_package_policy_package: + additionalProperties: false + properties: + experimental_data_stream_features: + items: + additionalProperties: false + type: object + properties: + data_stream: + type: string + features: + additionalProperties: false + type: object + properties: + doc_value_only_numeric: + type: boolean + doc_value_only_other: + type: boolean + synthetic_source: + type: boolean + tsdb: + type: boolean + required: + - data_stream + - features + maxItems: 100 + type: array + fips_compatible: + type: boolean + name: + description: Package name + type: string + requires_root: + type: boolean + title: + type: string + version: + description: Package version + type: string + required: + - name + - version + title: package_policy_package + type: object + x-oas-optional: true + 
Kibana_HTTP_APIs_package_policy_response: + additionalProperties: false properties: - allow_edit: + additional_datastreams_permissions: + description: Additional datastream permissions, that will be added to the agent policy. items: type: string maxItems: 1000 - type: array - ca_sha256: nullable: true - type: string - ca_trusted_fingerprint: - nullable: true - type: string - config_yaml: - nullable: true - type: string - hosts: - items: - format: uri - type: string - maxItems: 10 - minItems: 1 type: array - id: - type: string - is_default: - default: false - type: boolean - is_default_monitoring: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: - type: boolean - kibana_api_key: + agents: + type: number + cloud_connector_id: + description: ID of the cloud connector associated with this package policy. nullable: true type: string - kibana_url: + cloud_connector_name: + description: Transient field for cloud connector name during creation. + maxLength: 255 + minLength: 1 nullable: true type: string - name: + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this integration to its inputs.' 
type: string - otel_disable_beatsauth: - nullable: true - type: boolean - otel_exporter_config_yaml: - nullable: true + created_at: type: string - preset: - enum: - - balanced - - custom - - throughput - - scale - - latency + created_by: type: string - proxy_id: - nullable: true + description: + description: Package policy description type: string - secrets: + elasticsearch: additionalProperties: true type: object properties: - service_token: - anyOf: - - additionalProperties: true - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - ssl: + privileges: additionalProperties: true type: object properties: - key: - anyOf: - - additionalProperties: true + cluster: + items: + type: string + maxItems: 100 + type: array + enabled: + type: boolean + global_data_tags: + items: + additionalProperties: false + type: object + properties: + name: + description: The name of the custom field. Cannot contain spaces. + type: string + value: + anyOf: + - type: string + - type: number + description: The value of the custom field. + required: + - name + - value + maxItems: 100 + nullable: true + type: array + id: + type: string + inputs: + anyOf: + - items: + additionalProperties: false + type: object + properties: + compiled_input: + nullable: true + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' 
+ type: string + config: + additionalProperties: + additionalProperties: false type: object properties: - hash: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + name: + type: string + policy_template: + type: string + streams: + items: + additionalProperties: false + type: object + properties: + compiled_stream: + nullable: true + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' type: string + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + data_stream: + additionalProperties: false + type: object + properties: + dataset: + type: string + elasticsearch: + additionalProperties: false + type: object + properties: + dynamic_dataset: + type: boolean + dynamic_namespace: + type: boolean + privileges: + additionalProperties: false + type: object + properties: + indices: + items: + type: string + maxItems: 100 + type: array + type: + type: string + required: + - dataset + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + type: boolean id: type: string + keep_enabled: + type: boolean + migrate_from: + type: string + release: + enum: + - ga + - beta + - experimental + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. 
+ type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - enabled + - data_stream + - compiled_stream + - deprecated + maxItems: 1000 + type: array + type: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true required: - - id - - type: string - service_token: - nullable: true + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - type + - enabled + - streams + - deprecated + - compiled_input + maxItems: 100 + type: array + - additionalProperties: + additionalProperties: false + type: object + properties: + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' + type: string + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + description: Enable or disable that input. Defaults to `true` (enabled). + type: boolean + streams: + additionalProperties: + additionalProperties: false + type: object + properties: + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' + type: string + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + description: Enable or disable that stream. Defaults to `true` (enabled). + type: boolean + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. 
Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + required: + - deprecated + description: Input streams. Refer to the integration documentation to know which streams are available. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + required: + - deprecated + description: Package policy inputs. Refer to the integration documentation to know which inputs are available. + type: object + x-oas-optional: true + description: Package policy inputs. + is_managed: + type: boolean + name: + description: Unique name for the package policy. type: string - shipper: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' - nullable: true - ssl: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + namespace: + description: The package policy namespace. Leave blank to inherit the agent policy's namespace. 
+ type: string + output_id: nullable: true - sync_integrations: - type: boolean - sync_uninstalled_integrations: - type: boolean - type: - enum: - - remote_elasticsearch type: string - write_to_logs_streams: + overrides: + additionalProperties: false + description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. nullable: true - type: boolean - required: - - name - - type - - hosts - title: output_remote_elasticsearch - type: object - Kibana_HTTP_APIs_output_shipper: - additionalProperties: true - properties: - compression_level: + type: object + properties: + inputs: + additionalProperties: + nullable: true + type: object + package: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_package' + package_agent_version_condition: + type: string + policy_id: + deprecated: true + description: ID of the agent policy which the package policy will be added to. nullable: true + type: string + policy_ids: + items: + description: IDs of the agent policies which that package policy will be added to. + type: string + maxItems: 1000 + type: array + revision: + description: Package policy revision. type: number - disk_queue_compression_enabled: - nullable: true - type: boolean - disk_queue_enabled: + secret_references: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 1000 + type: array + spaceIds: + items: + type: string + maxItems: 100 + type: array + supports_agentless: default: false + description: Indicates whether the package policy belongs to an agentless agent policy. nullable: true type: boolean - disk_queue_encryption_enabled: + supports_cloud_connector: + default: false + description: Indicates whether the package policy supports cloud connectors. 
nullable: true type: boolean - disk_queue_max_size: - nullable: true - type: number - disk_queue_path: - nullable: true + updated_at: + type: string + updated_by: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + anyOf: + - additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + - additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + x-oas-optional: true + description: Package level variable. + version: + description: Package policy ES version. 
type: string - loadbalance: - nullable: true - type: boolean - max_batch_bytes: - nullable: true - type: number - mem_queue_events: - nullable: true - type: number - queue_flush_timeout: - nullable: true - type: number required: - - disk_queue_path - - disk_queue_max_size - - disk_queue_encryption_enabled - - disk_queue_compression_enabled - - compression_level - - loadbalance - - mem_queue_events - - queue_flush_timeout - - max_batch_bytes - title: output_shipper + - name + - enabled + - package + - inputs + - revision + - updated_at + - updated_by + - created_at + - created_by + title: package_policy_response type: object - Kibana_HTTP_APIs_output_ssl: - additionalProperties: true + Kibana_HTTP_APIs_package_policy_status_response: + additionalProperties: false properties: - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - key: + body: + additionalProperties: false + type: object + properties: + message: + type: string + required: + - message + id: type: string - verification_mode: - enum: - - full - - none - - certificate - - strict + name: type: string - title: output_ssl + statusCode: + type: number + success: + type: boolean + required: + - id + - success + title: package_policy_status_response type: object Kibana_HTTP_APIs_percentileOperation: additionalProperties: false @@ -124978,6 +113376,24 @@ components: - ranges title: Ranges Operation type: object + Kibana_HTTP_APIs_reauthorize_transform_request: + additionalProperties: false + properties: + transforms: + items: + additionalProperties: false + type: object + properties: + transformId: + type: string + required: + - transformId + maxItems: 1000 + type: array + required: + - transforms + title: reauthorize_transform_request + type: object Kibana_HTTP_APIs_RecursiveRecord: additionalProperties: anyOf: 
@@ -125609,6 +114025,43 @@ components: - fields title: Terms Operation type: object + Kibana_HTTP_APIs_review_upgrade_request: + additionalProperties: false + properties: + action: + enum: + - accept + - decline + - pending + type: string + target_version: + type: string + required: + - action + - target_version + title: review_upgrade_request + type: object + Kibana_HTTP_APIs_review_upgrade_response: + additionalProperties: false + properties: + success: + type: boolean + required: + - success + title: review_upgrade_response + type: object + Kibana_HTTP_APIs_rollback_package_response: + additionalProperties: false + properties: + success: + type: boolean + version: + type: string + required: + - version + - success + title: rollback_package_response + type: object Kibana_HTTP_APIs_security_bulk_create_or_update_roles_response: additionalProperties: false description: The response payload for the bulk create-or-update roles API. 
@@ -126044,6 +114497,210 @@ components: - roles title: security_roles_bulk_create_or_update_payload type: object + Kibana_HTTP_APIs_simplified_create_package_policy_request: + additionalProperties: false + properties: + additional_datastreams_permissions: + description: Additional datastream permissions, that will be added to the agent policy. + items: + type: string + maxItems: 100 + nullable: true + type: array + cloud_connector: + additionalProperties: false + type: object + properties: + cloud_connector_id: + description: ID of an existing cloud connector to reuse. If not provided, a new connector will be created. + type: string + enabled: + default: false + description: Whether cloud connectors are enabled for this policy. + type: boolean + name: + description: Optional name for the cloud connector. If not provided, will be auto-generated from credentials. + maxLength: 255 + minLength: 1 + type: string + target_csp: + description: Target cloud service provider. If not provided, will be auto-detected from inputs. + enum: + - aws + - azure + - gcp + type: string + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this integration to its inputs.' + type: string + description: + description: Policy description. + type: string + force: + description: Force package policy creation even if the package is not verified, or if the agent policy is managed. + type: boolean + global_data_tags: + items: + additionalProperties: false + type: object + properties: + name: + description: The name of the custom field. Cannot contain spaces. + type: string + value: + anyOf: + - type: string + - type: number + description: The value of the custom field. + required: + - name + - value + maxItems: 100 + type: array + id: + description: Policy unique identifier. 
+ type: string + inputs: + additionalProperties: + additionalProperties: false + type: object + properties: + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' + type: string + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + description: Enable or disable that input. Defaults to `true` (enabled). + type: boolean + streams: + additionalProperties: + additionalProperties: false + type: object + properties: + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' + type: string + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + description: Enable or disable that stream. Defaults to `true` (enabled). + type: boolean + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + required: + - deprecated + description: Input streams. Refer to the integration documentation to know which streams are available. 
+ type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + required: + - deprecated + description: Package policy inputs. Refer to the integration documentation to know which inputs are available. + type: object + name: + description: Unique name for the policy. + type: string + namespace: + description: Policy namespace. When not specified, it inherits the agent policy namespace. + type: string + package: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_package' + policy_template: + description: The policy template to use for the agentless package policy. If not provided, the default policy template will be used. + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + required: + - name + - package + title: simplified_create_package_policy_request + type: object Kibana_HTTP_APIs_slo-alerts-embeddable: additionalProperties: false description: SLO Alerts embeddable schema 
@@ -131092,6 +119749,325 @@ components: type: boolean title: update_output_remote_elasticsearch type: object + Kibana_HTTP_APIs_update_package_policy_request: + additionalProperties: false + properties: + additional_datastreams_permissions: + description: Additional datastream permissions, that will be added to the agent policy. + items: + type: string + maxItems: 1000 + nullable: true + type: array + cloud_connector_id: + description: ID of the cloud connector associated with this package policy. + nullable: true + type: string + cloud_connector_name: + description: Transient field for cloud connector name during creation. + maxLength: 255 + minLength: 1 + nullable: true + type: string + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this integration to its inputs.' + type: string + description: + description: Package policy description + type: string + enabled: + type: boolean + force: + type: boolean + global_data_tags: + items: + additionalProperties: false + type: object + properties: + name: + description: The name of the custom field. Cannot contain spaces. + type: string + value: + anyOf: + - type: string + - type: number + description: The value of the custom field. + required: + - name + - value + maxItems: 100 + nullable: true + type: array + inputs: + items: + additionalProperties: false + type: object + properties: + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' 
+ type: string + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + name: + type: string + policy_template: + type: string + streams: + items: + additionalProperties: false + type: object + properties: + compiled_stream: + nullable: true + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' + type: string + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + data_stream: + additionalProperties: false + type: object + properties: + dataset: + type: string + elasticsearch: + additionalProperties: false + type: object + properties: + dynamic_dataset: + type: boolean + dynamic_namespace: + type: boolean + privileges: + additionalProperties: false + type: object + properties: + indices: + items: + type: string + maxItems: 100 + type: array + type: + type: string + required: + - dataset + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + release: + enum: + - ga + - beta + - experimental + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. 
+ type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - enabled + - data_stream + - compiled_stream + - deprecated + maxItems: 1000 + type: array + type: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - type + - enabled + - deprecated + maxItems: 1000 + type: array + is_managed: + type: boolean + name: + type: string + namespace: + description: The package policy namespace. Leave blank to inherit the agent policy's namespace. + type: string + output_id: + nullable: true + type: string + overrides: + additionalProperties: false + description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. + nullable: true + type: object + properties: + inputs: + additionalProperties: + nullable: true + type: object + package: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_package' + package_agent_version_condition: + type: string + policy_id: + deprecated: true + description: ID of the agent policy which the package policy will be added to. + nullable: true + type: string + policy_ids: + items: + description: IDs of the agent policies which that package policy will be added to. 
+ type: string + maxItems: 1000 + type: array + spaceIds: + items: + type: string + maxItems: 100 + type: array + supports_agentless: + default: false + description: Indicates whether the package policy belongs to an agentless agent policy. + nullable: true + type: boolean + supports_cloud_connector: + default: false + description: Indicates whether the package policy supports cloud connectors. + nullable: true + type: boolean + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + version: + type: string + required: + - package + title: update_package_policy_request + type: object + Kibana_HTTP_APIs_update_package_request: + additionalProperties: false + properties: + keepPoliciesUpToDate: + type: boolean + namespace_customization_enabled_for: + description: Namespaces for which namespace-level customization is enabled on this package. 
+ items: + type: string + maxItems: 100 + type: array + title: update_package_request + type: object + Kibana_HTTP_APIs_update_package_response: + additionalProperties: false + properties: + item: + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_package_info' + required: + - item + title: update_package_response + type: object + Kibana_HTTP_APIs_upgrade_package_policies_request: + additionalProperties: false + properties: + packagePolicyIds: + items: + type: string + maxItems: 1000 + type: array + required: + - packagePolicyIds + title: upgrade_package_policies_request + type: object Kibana_HTTP_APIs_valueDisplay: additionalProperties: false description: Configure the visibility and the format of the values rendered on each chart partition section
From ff67914d343a389b71e3e19f96320a3c28f50abd Mon Sep 17 00:00:00 2001
From: Cristina Amico
Date: Fri, 22 May 2026 16:46:58 +0200
Subject: [PATCH 4/7] Apply code review suggestions
---
 .../fleet/common/types/models/package_policy_schema.ts | 8 ++++----
 .../shared/fleet/server/types/models/agent_policy.ts | 4 ++--
 .../plugins/shared/fleet/server/types/rest_spec/epm.ts | 2 +-
 3 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/x-pack/platform/plugins/shared/fleet/common/types/models/package_policy_schema.ts b/x-pack/platform/plugins/shared/fleet/common/types/models/package_policy_schema.ts
index 3dd3561cf0fe4..d2be09b7aa12d 100644
--- a/x-pack/platform/plugins/shared/fleet/common/types/models/package_policy_schema.ts
+++ b/x-pack/platform/plugins/shared/fleet/common/types/models/package_policy_schema.ts
@@ -189,7 +189,7 @@ export const PackagePolicyBaseSchema = {
 schema.arrayOf(
 schema.string({
 meta: {
- description: 'IDs of the agent policies which that package policy will be added to.',
+ description: 'IDs of the agent policies that the package policy will be added to.',
 },
 }),
 {
@@ -280,7 +280,7 @@ export const PackagePolicyBaseSchema = {
 schema.arrayOf(schema.string(), {
 validate: validateAdditionalDatastreamsPermissions,
 meta: {
- description: 'Additional datastream permissions, that will be added to the agent policy.',
+ description: 'Additional data stream permissions that will be added to the agent policy.',
 },
 maxSize: 1000,
 }),
@@ -565,7 +565,7 @@ export const SimplifiedPackagePolicyBaseSchema = schema.object(
 validate: validateAdditionalDatastreamsPermissions,
 meta: {
 description:
- 'Additional datastream permissions, that will be added to the agent policy.',
+ 'Additional data stream permissions that will be added to the agent policy.',
 },
 maxSize: 100,
 }),
@@ -607,7 +607,7 @@ export const SimplifiedCreatePackagePolicyRequestBodySchema =
 policy_ids: schema.maybe(
 schema.arrayOf(schema.string(), {
 meta: {
- description: 'IDs of the agent policies which that package policy will be added to.',
+ description: 'IDs of the agent policies that the package policy will be added to.',
 },
 maxSize: MAX_REUSABLE_AGENT_POLICIES_PER_PACKAGE_POLICY,
 })
diff --git a/x-pack/platform/plugins/shared/fleet/server/types/models/agent_policy.ts b/x-pack/platform/plugins/shared/fleet/server/types/models/agent_policy.ts
index ba03a7a78f37d..f6537bd5439b5 100644
--- a/x-pack/platform/plugins/shared/fleet/server/types/models/agent_policy.ts
+++ b/x-pack/platform/plugins/shared/fleet/server/types/models/agent_policy.ts
@@ -417,7 +417,7 @@ export const AgentPolicyResponseSchema = AgentPolicySchema.extends(
 is_protected: schema.boolean({
 meta: {
 description:
- 'Indicates whether the agent policy has tamper protection enabled. Default false.',
+ 'Indicates whether the agent policy has tamper protection enabled. Defaults to `false`.',
 },
 }),
 version: schema.maybe(schema.string()),
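Review bot: The reworded description for `additional_datastreams_permissions` is now identical in `PackagePolicyBaseSchema` (`@@ -280`) and `SimplifiedPackagePolicyBaseSchema` (`@@ -565`), while the context lines show the two schemas accept different array sizes, `maxSize: 1000` versus `maxSize: 100`, so the generated API docs will describe the same field identically but the simplified request will reject inputs the full request accepts. If the gap is intentional, the description is the place to say so, e.g. `description: 'Additional data stream permissions that will be added to the agent policy. At most 100 entries are accepted.'` in the simplified schema; otherwise the two limits should be aligned. Both hunks also apply `validate: validateAdditionalDatastreamsPermissions` to these entries, which extend the agent policy's permissions, and a short mention that the values are validated against a permitted pattern would help API consumers understand rejections. Both enclosing schema objects start outside the hunks.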
@@ -443,7 +443,7 @@ export const AgentPolicyResponseSchema = AgentPolicySchema.extends(
 schema.arrayOf(PackagePolicyResponseSchema, {
 meta: {
 description:
- 'This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter',
+ 'This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the `?full=true` parameter',
 },
 maxSize: 10000,
 }),
diff --git a/x-pack/platform/plugins/shared/fleet/server/types/rest_spec/epm.ts b/x-pack/platform/plugins/shared/fleet/server/types/rest_spec/epm.ts
index b9f4ff3281cc7..ac1bf2e7161cd 100644
--- a/x-pack/platform/plugins/shared/fleet/server/types/rest_spec/epm.ts
+++ b/x-pack/platform/plugins/shared/fleet/server/types/rest_spec/epm.ts
@@ -1129,7 +1129,7 @@ export const InstallKibanaAssetsRequestSchema = {
 maxSize: 100,
 meta: {
 description:
- 'When provided install assets in the specified spaces instead of the current space.',
+ 'When provided, assets are installed in the specified spaces instead of the current space.',
 },
 })
 ),
From 64ee584147163e36dd018dd6e26a05f199e065a7 Mon Sep 17 00:00:00 2001
From: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Date: Fri, 22 May 2026 15:16:35 +0000
Subject: [PATCH 5/7] Changes from node scripts/jest_integration -u src/core/server/integration_tests/ci_checks
---
 .../saved_objects/check_registered_types.test.ts | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/src/core/server/integration_tests/ci_checks/saved_objects/check_registered_types.test.ts b/src/core/server/integration_tests/ci_checks/saved_objects/check_registered_types.test.ts
index 08b689d71196b..a840cafe695c0 100644
--- a/src/core/server/integration_tests/ci_checks/saved_objects/check_registered_types.test.ts
+++ b/src/core/server/integration_tests/ci_checks/saved_objects/check_registered_types.test.ts
@@ -110,7 +110,7 @@ describe('checking migration metadata changes on all registered SO types', () =>
 "fleet-cloud-onboarding-deployment": "bad508764b7eaada2556e13153679953736c68e190110e281b9a7d52c7d10bc2",
 "fleet-fleet-server-host": "edbc06c4a73586e7820549ab481244989af89ba9191b002cce97d0843a01008e",
 "fleet-message-signing-keys": "67aecd34e081183b2a99cc1451583977e4ad918074dc5b1579cc4b23750d3829",
- "fleet-package-policies": "5e3e325e40e9470326338bb9aaffd65bf64620d515fcc93ea12abfb6d64862cc",
+ "fleet-package-policies": "5c5d0debdefd5322af7015fd582b5141742e36f6b2a00be58155e25c8f8241b6",
 "fleet-preconfiguration-deletion-record": "1154f80d0ef53014ea52c7642131e31365f86909e93b265e7f38c2c317c645cf",
 "fleet-proxy": "b38a96aa9da6664ff35cd67c4470e0280dbd4b07e8d063a71d6e97dc077d9be4",
 "fleet-setup-lock": "df3c142ba8907c8ccf004d2240c79d476a70946db092ab4c485d3eb1a3f5bb82",
@@ -126,7 +126,7 @@ describe('checking migration metadata changes on all registered SO types', () =>
 "ingest-agent-policies": "1966acba3d49b5057979b1c8518e359be28e7f21450f75a6ad9246dc334f5f95",
 "ingest-download-sources": "c87e062ef293585e85fccec0c865d7cef48e0ff9a919d7781d5f7627d275484b",
 "ingest-outputs": "b377c664edc65976f10f339f4b26271b2d238df90f7c5dd126b0c825926486b9",
- "ingest-package-policies": "3ed764ce00afcaf68baa3054484bb73ebf82124bd25edaa88f72b131545b6be2",
+ "ingest-package-policies": "958b60978741bf0f2755dbacd44b4aa9a31d3e5b483872fa1f500722b79b30d5",
 "ingest_manager_settings": "d7f88bef81425b890d9d277acd01423556e804269c9e405aeced2629b55695b4",
 "integration-config": "8fecaf29e55097075e6d8927bf8353ca3cfa8bc9e352389411da05b31ae704e0",
 "intercept_interaction_record": "d7cb1aad5a2e5f459aa1fea81337ab206987845814dc14f151645d3be13cb293",
@@ -768,8 +768,8 @@ describe('checking migration metadata changes on all registered SO types', () =>
 "fleet-package-policies|global: b8c5158782fe91d5a5636274dee693a6fef2e457",
 "fleet-package-policies|mappings: fb3acda96f9119aa483b39736c9a07da565b8489",
 "fleet-package-policies|schemas: da39a3ee5e6b4b0d3255bfef95601890afd80709",
- "fleet-package-policies|10.9.0: 01adf547740d19d4134ead49770dad5f35ce016dd458ebae9c71495a7ef91085",
- "fleet-package-policies|10.8.0: 90b33361501dedad67f46df03095e48c18673a7c4fffaf19e88512e700b4709c",
+ "fleet-package-policies|10.9.0: 00464256f3d400ef3382cc3696c29a16f5df01bdc41c01f0440f6a1ad8f5097b",
+ "fleet-package-policies|10.8.0: 5f4fbabdb466e88079735c9284de829636999e37e125f808d43eb4807a9cefa1",
 "fleet-package-policies|10.7.0: 175fe637899f2c70d1c5e2b2dbe459962d4b7048367b9930d393f280222093cf",
 "fleet-package-policies|10.6.0: ef0c3e9699868aa625f197708fda2114eac175a8d3c0f2984634102adf61cb15",
 "fleet-package-policies|10.5.0: d60de40b75a31ee199487f5a53329033afbfc78767c42d16d987e95173df9516",
@@ -887,8 +887,8 @@ describe('checking migration metadata changes on all registered SO types', () =>
 "ingest-package-policies|global: a89e06415e12609fa3575379d06ab1b542da6f04",
 "ingest-package-policies|mappings: fb3acda96f9119aa483b39736c9a07da565b8489",
 "ingest-package-policies|schemas: da39a3ee5e6b4b0d3255bfef95601890afd80709",
- "ingest-package-policies|10.23.0: a3906cfe2257a6c7175fae55c7b4189c57458a4480647dd8fd5972b9f5ee45c3",
- "ingest-package-policies|10.22.0: 90b33361501dedad67f46df03095e48c18673a7c4fffaf19e88512e700b4709c",
+ "ingest-package-policies|10.23.0: 2566b4db65ac68fd79020b74783d69695448b680de2d22546ae04ad6aba16b94",
+ "ingest-package-policies|10.22.0: 5f4fbabdb466e88079735c9284de829636999e37e125f808d43eb4807a9cefa1",
 "ingest-package-policies|10.21.0: 175fe637899f2c70d1c5e2b2dbe459962d4b7048367b9930d393f280222093cf",
 "ingest-package-policies|10.20.0: 522700650b5a10db91d2337e8b82582841a3884049e40c20525aed0a1e1f475e",
 "ingest-package-policies|10.19.0: d60de40b75a31ee199487f5a53329033afbfc78767c42d16d987e95173df9516",
From 19b095c38a831bb4d63a4c7df3e7ef4258d6f6da Mon Sep 17 00:00:00 2001
From: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Date: Fri, 22 May 2026 15:43:09 +0000
Subject: [PATCH 6/7] Changes from make api-docs
---
 oas_docs/output/kibana.serverless.yaml | 149681 +++++++++++++-------
 oas_docs/output/kibana.yaml | 164726 +++++++++++++++-------
 2 files changed, 211344 insertions(+), 103063 deletions(-)
diff --git a/oas_docs/output/kibana.serverless.yaml b/oas_docs/output/kibana.serverless.yaml
index b7881e232734a..a1ab9bac8ff36 100644
--- a/oas_docs/output/kibana.serverless.yaml
+++ b/oas_docs/output/kibana.serverless.yaml
@@ -2,52 +2,32 @@ openapi: 3.0.3 info: contact: name: Kibana Team - description: > + description: | The Kibana REST APIs for Elastic serverless enable you to manage resources - such as connectors, data views, and saved objects. The API calls are - stateless. Each request that you make happens in isolation from other calls - and must include all of the necessary information for Kibana to fulfill the - request. API requests return JSON output, which is a format that is - machine-readable and works well for automation. - To interact with Kibana APIs, use the following operations: - - GET: Fetches the information. - - POST: Adds new information. - - PUT: Updates the existing information. - - DELETE: Removes the information. - You can prepend any Kibana API endpoint with `kbn:` and run the request in - **Dev Tools → Console**. For example: - ``` - GET kbn:/api/data_views - ``` - ## Documentation source and versions - - This documentation is derived from the `main` branch of the - [kibana](https://github.com/elastic/kibana) repository. - - It is provided under license [Attribution-NonCommercial-NoDerivatives 4.0 - International](https://creativecommons.org/licenses/by-nc-nd/4.0/). + This documentation is derived from the `main` branch of the [kibana](https://github.com/elastic/kibana) repository. + It is provided under license [Attribution-NonCommercial-NoDerivatives 4.0 International](https://creativecommons.org/licenses/by-nc-nd/4.0/). title: Kibana Serverless APIs version: '' x-doc-license: 
@@ -55,554 +35,1228 @@ info: url: https://creativecommons.org/licenses/by-nc-nd/4.0/ x-feedbackLink: label: Feedback - url: >- - https://github.com/elastic/docs-content/issues/new?assignees=&labels=feedback%2Ccommunity&projects=&template=api-feedback.yaml&title=%5BFeedback%5D%3A+ + url: https://github.com/elastic/docs-content/issues/new?assignees=&labels=feedback%2Ccommunity&projects=&template=api-feedback.yaml&title=%5BFeedback%5D%3A+ servers: - - url: http://{kibana_host}:{port} - variables: - kibana_host: - default: localhost - port: - default: '5601' - - url: http://localhost:5622 - url: https://{kibana_url} variables: kibana_url: - default: localhost:5601 - - url: / + default: +security: + - apiKeyAuth: [] +tags: + - name: agent builder + description: | + Agent Builder is a set of AI-powered capabilities for developing and interacting with agents that work with your Elasticsearch data. + Most users will probably want to integrate with Agent Builder using MCP or A2A, but you can also work programmatically with tools, agents, and conversations using these Kibana APIs. + externalDocs: + description: Agent Builder docs + url: https://www.elastic.co/docs/solutions/search/agent-builder/programmatic-access + x-displayName: Agent Builder + - name: alerting + description: | + Alerting enables you to define rules, which detect complex conditions within your data. When a condition is met, the rule tracks it as an alert and runs the actions that are defined in the rule. Actions typically involve the use of connectors to interact with Kibana services or third party integrations. + externalDocs: + description: Alerting documentation + url: https://www.elastic.co/docs/explore-analyze/alerts-cases/alerts + x-displayName: Alerting + - description: | + Adjust APM agent configuration without need to redeploy your application. + name: APM agent configuration + - description: | + Configure APM agent keys to authorize requests from APM agents to the APM Server. 
+ name: APM agent keys + - description: | + Annotate visualizations in the APM app with significant events. Annotations enable you to easily see how events are impacting the performance of your applications. + name: APM annotations + - description: Create APM fleet server schema. + name: APM server schema + - name: connectors + description: | + Connectors provide a central place to store connection information for services and integrations with Elastic or third party systems. Alerting rules can use connectors to run actions when rule conditions are met. + externalDocs: + description: Connector documentation + url: https://www.elastic.co/docs/reference/kibana/connectors-kibana + x-displayName: Connectors + - name: Dashboards + description: | + > **Technical preview** — The Dashboards API is currently in technical preview and its reference documentation is temporarily hosted at a separate location. + > + > **[View the full Dashboards API reference →](https://elastic.github.io/dashboards-api-spec/dashboards#tag/Dashboards)** + externalDocs: + description: Dashboards documentation + url: https://www.elastic.co/docs/explore-analyze/dashboards + x-displayName: Dashboards + - name: Data streams + description: | + Data stream APIs enable you to manage data streams, which are collections of indices that share the same index template and are managed as a single unit for time-series data. + x-displayName: Data streams + - description: Data view APIs enable you to manage data views, formerly known as Kibana index patterns. + name: data views + x-displayName: Data views + - name: Elastic Agent actions + description: | + Elastic Agent actions APIs enable you to manage actions performed on Elastic Agents, including agent reassignment, diagnostics collection, enrollment management, upgrades, and bulk operations for agent lifecycle management. 
+ x-displayName: Elastic Agent actions + - name: Elastic Agent binary download sources + description: | + Elastic Agent binary download sources APIs enable you to manage download sources for Elastic Agent binaries, including creating, updating, and deleting custom download sources for agent binaries. + x-displayName: Elastic Agent binary download sources + - name: Elastic Agent policies + description: | + Elastic Agent policies APIs enable you to manage agent policies, including creating, updating, and deleting policies, as well as to retrieve agent policy outputs, manifests, and auto-upgrade status information. + x-displayName: Elastic Agent policies + - name: Elastic Agent status + description: | + Enables you to retrieve status information about Elastic Agents, including health summaries and operational status. + x-displayName: Elastic Agent status + - name: Elastic Agents + description: | + Elastic Agents APIs enable you to manage Elastic Agents, including retrieving agent information, managing agent lifecycle, handling file uploads, and initiating agent setup. + x-displayName: Elastic Agents + - name: Elastic Package Manager (EPM) + description: | + Elastic Package Manager (EPM) APIs enable you to manage packages and integrations, including installing, updating, and uninstalling packages, managing custom integrations, and handling package assets. + x-displayName: Elastic Package Manager (EPM) + - name: Fleet agentless policies + - name: Fleet cloud connectors + description: | + Fleet cloud connectors APIs enable you to manage Fleet cloud connectors, including creating, updating, and deleting cloud connector configurations for Fleet integrations. + x-displayName: Fleet cloud connectors + - name: Fleet enrollment API keys + description: | + Fleet enrollment API keys APIs enable you to manage enrollment API keys for Fleet, including creating, retrieving, and revoking API keys used for agent enrollment. 
+ x-displayName: Fleet enrollment API keys + - name: Fleet internals + description: | + Fleet internals APIs enable you to manage Fleet internal operations, including checking permissions, monitoring Fleet Server health, managing settings, and initiating Fleet setup. + x-displayName: Fleet internals + - name: Fleet outputs + description: | + Fleet outputs APIs enable you to manage Fleet outputs, including creating, updating, and deleting output configurations, generating Logstash API keys, and monitoring output health. + x-displayName: Fleet outputs + - name: Fleet package policies + description: | + Fleet package policies APIs enable you to manage Fleet package policies, including creating, updating, and deleting policies, performing bulk operations, and managing policy upgrades. + x-displayName: Fleet package policies + - name: Fleet proxies + description: | + Fleet proxies APIs enable you to manage Fleet proxies, including creating, updating, and deleting proxy configurations for Fleet agent communication. + x-displayName: Fleet proxies + - name: Fleet Server hosts + description: | + Fleet Server hosts APIs enable you to manage Fleet Server hosts, including creating, updating, and deleting Fleet Server host configurations. + x-displayName: Fleet Server hosts + - name: Fleet service tokens + - name: Fleet uninstall tokens + description: | + Fleet uninstall tokens APIs enable you to manage Fleet uninstall tokens, including retrieving metadata and decrypted tokens for agent uninstallation. + x-displayName: Fleet uninstall tokens + - name: maintenance-window + description: | + You can schedule single or recurring maintenance windows to temporarily reduce rule notifications. For example, a maintenance window prevents false alarms during planned outages. 
+ externalDocs: + description: Maintenance window documentation + url: https://www.elastic.co/docs/explore-analyze/alerts-cases/alerts/maintenance-windows + x-displayName: Maintenance windows + - name: Message Signing Service + description: | + Enables you to rotate message signing key pairs for secure Fleet communication. + x-displayName: Fleet Message Signing Service + - description: | + Enables you to synchronize machine learning saved objects. + name: ml + x-displayName: Machine learning + - description: Interact with the Observability AI Assistant resources. + externalDocs: + description: Observability AI Assistant + url: https://www.elastic.co/docs/solutions/observability/observability-ai-assistant + name: observability_ai_assistant + x-displayName: Observability AI Assistant + - name: roles + x-displayName: Roles + description: Manage the roles that grant Elasticsearch and Kibana privileges. + externalDocs: + description: Kibana role management + url: https://www.elastic.co/docs/deploy-manage/users-roles/serverless-custom-roles + - name: saved objects + x-displayName: Saved objects + description: | + Export or import sets of saved objects. + + To manage a specific type of saved object, use the corresponding APIs. + For example, use: + + [Data views](../group/endpoint-data-views). + - description: Manage and interact with Security Assistant resources. + name: Security AI Assistant API + x-displayName: Security AI assistant + - description: Use the Attack discovery APIs to generate and manage Attack discoveries. Attack Discovery leverages large language models (LLMs) to analyze alerts in your environment and identify threats. Each "discovery" represents a potential attack and describes relationships among multiple alerts to tell you which users and hosts are involved, how alerts correspond to the MITRE ATT&CK matrix, and which threat actor might be responsible. 
+ name: Security Attack discovery API + x-displayName: Security Attack discovery + - description: | + Use the detections APIs to create and manage detection rules. Detection rules search events and external alerts sent to Elastic Security and generate detection alerts from any hits. Alerts are displayed on the **Alerts** page and can be assigned and triaged, using the alert status to mark them as open, closed, or acknowledged. + + This API supports both key-based authentication and basic authentication. + + To use key-based authentication, create an API key, then specify the key in the header of your API calls. + + To use basic authentication, provide a username and password; this automatically creates an API key that matches the current user’s privileges. + + In both cases, the API key is subsequently used for authorization when the rule runs. + > warn + > If the API key used for authorization has different privileges than the key that created or most recently updated a rule, the rule behavior might change. + + > If the API key that created a rule is deleted, or the user that created the rule becomes inactive, the rule will stop running. + + To create and run rules, the user must meet specific requirements for the Kibana space. Refer to the [Detections requirements](https://www.elastic.co/guide/en/security/current/detections-permissions-section.html) for a complete list of requirements. + name: Security Detections API + x-displayName: Security detections + - description: Endpoint Exceptions API allows you to manage detection rule endpoint exceptions to prevent a rule from generating an alert from incoming events even when the rule's other criteria are met. + name: Security Endpoint Exceptions API + x-displayName: Security Elastic Endpoint exceptions + - description: Interact with and manage endpoints running the Elastic Defend integration. 
+ name: Security Endpoint Management API + x-displayName: Security endpoint management + - description: | + Use the Security entity analytics APIs to manage entity analytics and risk scoring, including asset criticality, privileged user monitoring, and entity engines. + name: Security Entity Analytics API + x-displayName: Security entity analytics + - name: Security entity store + - description: | + Exceptions are associated with detection and endpoint rules, and are used to prevent a rule from generating an alert from incoming events, even when the rule's other criteria are met. They can help reduce the number of false positives and prevent trusted processes and network activity from generating unnecessary alerts. + + Exceptions are made up of: + + * **Exception containers**: A container for related exceptions. Generally, a single exception container contains all the exception items relevant for a subset of rules. For example, a container can be used to group together network-related exceptions that are relevant for a large number of network rules. The container can then be associated with all the relevant rules. + * **Exception items**: The query (fields, values, and logic) used to prevent rules from generating alerts. When an exception item's query evaluates to `true`, the rule does not generate an alert. + + For detection rules, you can also use lists to define rule exceptions. A list holds multiple values of the same Elasticsearch data type, such as IP addresses. These values are used to determine when an exception prevents an alert from being generated. + > info + > You cannot use lists with endpoint rule exceptions. + + > info + > Only exception containers can be associated with rules. You cannot directly associate an exception item or a list container with a rule. To use list exceptions, create an exception item that references the relevant list container. 
+ + ## Exceptions requirements + + Before you can start working with exceptions that use value lists, you must create the `.lists` and `.items` data streams for the relevant Kibana space. To do this, use the [Create list data streams](../operation/operation-createlistindex) endpoint. Once these data streams are created, your role needs privileges to manage rules. For a complete list of requirements, refer to [Enable and access detections](https://www.elastic.co/guide/en/serverless/current/security-detections-requirements.html#enable-detections-ui). + name: Security Exceptions API + x-displayName: Security exceptions + - description: | + Lists can be used with detection rule exceptions to define values that prevent a rule from generating alerts. + + Lists are made up of: + + * **List containers**: A container for values of the same Elasticsearch data type. The following data types can be used: + * `boolean` + * `byte` + * `date` + * `date_nanos` + * `date_range` + * `double` + * `double_range` + * `float` + * `float_range` + * `half_float` + * `integer` + * `integer_range` + * `ip` + * `ip_range` + * `keyword` + * `long` + * `long_range` + * `short` + * `text` + * **List items**: The values used to determine whether the exception prevents an alert from being generated. + + All list items in the same list container must be of the same data type, and each item defines a single value. For example, an IP list container named `internal-ip-addresses-southport` contains five items, where each item defines one internal IP address: + 1. `192.168.1.1` + 2. `192.168.1.3` + 3. `192.168.1.18` + 4. `192.168.1.12` + 5. `192.168.1.7` + + To use these IP addresses as values for defining rule exceptions, use the Security exceptions API to [create an exception list item](../operation/operation-createexceptionlistitem) that references the `internal-ip-addresses-southport` list. 
+ > info + > Lists cannot be added directly to rules, nor do they define the operators used to determine when exceptions are applied (`is in list`, `is not in list`). Use an exception item to define the operator and associate it with an [exception container](../operation/operation-createexceptionlist). You can then add the exception container to a rule's `exceptions_list` object. + + ## Lists requirements + + Before you can start using lists, you must create the `.lists` and `.items` data streams for the relevant Kibana space. To do this, use the [Create list data streams](../operation/operation-createlistindex) endpoint. Once these data streams are created, your role needs privileges to manage rules. Refer to [Enable and access detections](https://www.elastic.co/guide/en/serverless/current/security-detections-requirements.html#enable-detections-ui) for a complete list of requirements. + name: Security Lists API + x-displayName: Security lists + - description: Run live queries, manage packs and saved queries. + name: Security Osquery API + x-displayName: Security Osquery + - description: You can create Timelines and Timeline templates via the API, as well as import new Timelines from an ndjson file. + name: Security Timeline API + x-displayName: Security timeline + - description: SLO APIs enable you to define, manage and track service-level objectives + name: slo + x-displayName: Service level objectives + - name: spaces + x-displayName: Spaces + description: Manage your Kibana spaces. + externalDocs: + url: https://www.elastic.co/docs/deploy-manage/manage-spaces + description: Space overview + - name: streams + description: | + Streams provide a unified data management layer for ingestion, routing, and processing. There are three stream types: + * **Wired** streams are managed by Kibana. They route documents to child streams based on + field conditions and support custom field mappings and processing steps. 
+ + * **Classic** streams map to existing Elasticsearch data streams. You can add processing + steps to classic streams without changing their underlying index template. + + * **Query** streams are virtual aggregations backed by an ES|QL expression. They aggregate + data from multiple streams into a single logical view without duplicating documents. + x-displayName: Streams + externalDocs: + description: Streams documentation + url: https://www.elastic.co/docs/solutions/observability/streams + - name: system + x-displayName: System + description: | + Get information about the system status, resource usage, features, and installed plugins. + - description: Task manager APIs enable you to check the health of the Kibana task manager, which is used by features such as alerting, actions, and reporting to run mission critical work as persistent background tasks. + externalDocs: + description: Task manager + url: https://www.elastic.co/docs/deploy-manage/distributed-architecture/kibana-tasks-management + name: task manager + x-displayName: Task manager + - name: Visualizations + description: | + > **Technical preview** — The Visualizations API is currently in technical preview and its reference documentation is temporarily hosted at a separate location. + > + > **[View the full Visualizations API reference →](https://elastic.github.io/dashboards-api-spec/visualizations#tag/Visualizations)** + externalDocs: + description: Visualizations documentation + url: https://www.elastic.co/docs/explore-analyze/visualize/lens + x-displayName: Visualizations + - name: workflows + description: | + Workflows enable you to automate multi-step processes directly in Kibana. Define sequences of steps in YAML to transform data insights into automated actions and outcomes, without needing external automation tools. + + Use the workflows APIs to create, manage, and run workflows programmatically. You can also search, export, import, and monitor workflow executions. 
+ externalDocs: + description: Workflows documentation + url: https://www.elastic.co/docs/explore-analyze/workflows + x-displayName: Workflows paths: - /api/apm/agent_keys: - post: - description: > - Create a new agent key for APM. + /api/actions/connector_types: + get: + description: |- + **Spaces method and path for this operation:** - The user creating an APM agent API key must have at least the - `manage_own_api_key` cluster privilege and the APM application-level - privileges that it wishes to grant. +
get /s/{space_id}/api/actions/connector_types
- After it is created, you can copy the API key (Base64 encoded) and use - it to to authorize requests from APM agents to the APM Server. - operationId: createAgentKey + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + You do not need any Kibana feature privileges to run this API. + operationId: get-actions-connector-types parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - $ref: '#/components/parameters/APM_UI_kbn_xsrf' - requestBody: - content: - application/json: - examples: - createAgentKeyRequest1: - $ref: '#/components/examples/APM_UI_agent_keys_object_post_request1' - schema: - $ref: '#/components/schemas/APM_UI_agent_keys_object' - required: true + - description: A filter to limit the retrieved connector types to those that support a specific feature (such as alerting or cases). + in: query + name: feature_id + required: false + schema: + type: string responses: '200': content: application/json: - examples: - createAgentKeyResponse1: - $ref: >- - #/components/examples/APM_UI_agent_keys_object_post_200_response1 schema: - $ref: '#/components/schemas/APM_UI_agent_keys_response' - description: Agent key created successfully - '400': - content: - application/json: + items: + additionalProperties: false + type: object + properties: + allow_multiple_system_actions: + description: Indicates whether multiple instances of the same system action connector can be used in a single rule. + type: boolean + description: + description: Description of the connector type. + type: string + enabled: + description: Indicates whether the connector is enabled. + type: boolean + enabled_in_config: + description: Indicates whether the connector is enabled in the Kibana configuration. + type: boolean + enabled_in_license: + description: Indicates whether the connector is enabled through the license. + type: boolean + id: + description: The identifier for the connector. 
+ type: string + is_deprecated: + description: Indicates whether the connector type is deprecated. + type: boolean + is_experimental: + description: Indicates whether the connector type is in technical preview. + type: boolean + is_system_action_type: + description: Indicates whether the action is a system action. + type: boolean + minimum_license_required: + description: The minimum license required to enable the connector. + enum: + - basic + - standard + - gold + - platinum + - enterprise + - trial + type: string + name: + description: The name of the connector type. + type: string + source: + description: The source of the connector type definition. + enum: + - yml + - spec + - stack + type: string + sub_feature: + description: Indicates the sub-feature type the connector is grouped under. + enum: + - endpointSecurity + type: string + supported_feature_ids: + description: The list of supported features + items: + type: string + type: array + required: + - id + - name + - enabled + - enabled_in_config + - enabled_in_license + - minimum_license_required + - supported_feature_ids + - is_system_action_type + - is_deprecated + - source + type: array examples: - badRequestResponse: - $ref: '#/components/examples/APM_UI_error_400_response' - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response + getConnectorTypesServerlessResponse: + $ref: '#/components/examples/get_connector_types_generativeai_response' + description: Indicates a successful call. + '403': + description: Indicates that this call is forbidden. + summary: Get connector types + tags: + - connectors + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/actions/connector/_oauth_callback: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/actions/connector/_oauth_callback
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Handles the OAuth 2.0 authorization code callback from external providers. Exchanges the authorization code for access and refresh tokens.

[Required authorization] Route required privileges: actions:oauth. + operationId: get-actions-connector-oauth-callback + parameters: + - description: The authorization code returned by the OAuth provider. + in: query + name: code + required: false + schema: + type: string + - description: The state parameter for CSRF protection. + in: query + name: state + required: false + schema: + type: string + - description: Error code if the authorization failed. + in: query + name: error + required: false + schema: + type: string + - description: Human-readable error description. + in: query + name: error_description + required: false + schema: + type: string + - description: Session state from the OAuth provider (e.g., Microsoft). + in: query + name: session_state + required: false + schema: + type: string + responses: + '200': + description: Returns an HTML callback page. + '302': + description: Redirects to the return URL with authorization result query parameters. '401': - content: - application/json: - examples: - unauthorizedResponse: - $ref: '#/components/examples/APM_UI_error_401_response' - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response + description: User is not authenticated. + summary: Handle OAuth callback + tags: + - connectors + x-state: '' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/actions/connector/_oauth_callback_script: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/actions/connector/_oauth_callback_script
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Returns the OAuth callback script + operationId: get-actions-connector-oauth-callback-script + parameters: [] + responses: + '200': + description: Returns the OAuth callback script + summary: '' + tags: [] + x-state: '' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/actions/connector/{id}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/actions/connector/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + WARNING: When you delete a connector, it cannot be recovered. + operationId: delete-actions-connector-id + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: An identifier for the connector. + in: path + name: id + required: true + schema: + type: string + responses: + '204': + description: Indicates a successful call. '403': + description: Indicates that this call is forbidden. + summary: Delete a connector + tags: + - connectors + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + operationId: get-actions-connector-id + parameters: + - description: An identifier for the connector. + in: path + name: id + required: true + schema: + type: string + responses: + '200': content: application/json: - examples: - forbiddenResponse: - $ref: '#/components/examples/APM_UI_error_403_response' - schema: - $ref: '#/components/schemas/APM_UI_403_response' - description: Forbidden response - '500': - content: - application/json: - examples: - internalServerErrorResponse: - $ref: '#/components/examples/APM_UI_error_500_response' schema: - $ref: '#/components/schemas/APM_UI_500_response' - description: Internal Server Error response - summary: Create an APM agent key + additionalProperties: false + type: object + properties: + auth_mode: + description: The authentication mode used for the connector. + enum: + - shared + - per-user + type: string + config: + additionalProperties: + nullable: true + type: object + connector_type_id: + description: The connector type identifier. + type: string + id: + description: The identifier for the connector. + type: string + is_connector_type_deprecated: + description: Indicates whether the connector type is deprecated. 
+ type: boolean + is_deprecated: + description: Indicates whether the connector is deprecated. + type: boolean + is_missing_secrets: + description: Indicates whether the connector is missing secrets. + type: boolean + is_preconfigured: + description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. ' + type: boolean + is_system_action: + description: Indicates whether the connector is used for system actions. + type: boolean + name: + description: ' The name of the connector.' + type: string + required: + - id + - name + - connector_type_id + - is_preconfigured + - is_deprecated + - is_system_action + - is_connector_type_deprecated + examples: + getConnectorResponse: + $ref: '#/components/examples/get_connector_response' + description: Indicates a successful call. + '403': + description: Indicates that this call is forbidden. + summary: Get connector information tags: - - APM agent keys - /api/apm/fleet/apm_server_schema: + - connectors + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/actions/connector/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. post: - deprecated: true - description: > - DEPRECATED: This endpoint is intended for internal use by Fleet - integrations to push the APM Server configuration schema. Do not use for - new integrations. It stores the provided schema object as a Kibana saved - object. If Fleet migration is not available on the current deployment, - the API returns a 404. - operationId: saveApmServerSchema + operationId: post-actions-connector-id parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - $ref: '#/components/parameters/APM_UI_kbn_xsrf' + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: An identifier for the connector. + in: path + name: id + required: true + schema: + maxLength: 36 + minLength: 1 + type: string requestBody: content: application/json: - examples: - saveApmServerSchemaRequest: - description: >- - An example request payload for `POST - /api/apm/fleet/apm_server_schema`. - value: - schema: - foo: bar schema: + additionalProperties: false type: object properties: - schema: - additionalProperties: true - description: Schema object - example: - foo: bar - type: object - required: true + connector_type_id: + description: The type of connector. + type: string + name: + description: The display name for the connector. + type: string + config: + additionalProperties: {} + default: {} + description: The connector configuration details. 
+ oneOf: + - $ref: '#/components/schemas/bedrock_config' + - $ref: '#/components/schemas/crowdstrike_config' + - $ref: '#/components/schemas/d3security_config' + - $ref: '#/components/schemas/email_config' + - $ref: '#/components/schemas/gemini_config' + - $ref: '#/components/schemas/resilient_config' + - $ref: '#/components/schemas/index_config' + - $ref: '#/components/schemas/jira_config' + - $ref: '#/components/schemas/genai_azure_config' + - $ref: '#/components/schemas/genai_openai_config' + - $ref: '#/components/schemas/genai_openai_other_config' + - $ref: '#/components/schemas/opsgenie_config' + - $ref: '#/components/schemas/pagerduty_config' + - $ref: '#/components/schemas/sentinelone_config' + - $ref: '#/components/schemas/servicenow_config' + - $ref: '#/components/schemas/servicenow_itom_config' + - $ref: '#/components/schemas/slack_api_config' + - $ref: '#/components/schemas/swimlane_config' + - $ref: '#/components/schemas/thehive_config' + - $ref: '#/components/schemas/tines_config' + - $ref: '#/components/schemas/torq_config' + - $ref: '#/components/schemas/webhook_config' + - $ref: '#/components/schemas/cases_webhook_config' + - $ref: '#/components/schemas/xmatters_config' + secrets: + additionalProperties: {} + default: {} + oneOf: + - $ref: '#/components/schemas/bedrock_secrets' + - $ref: '#/components/schemas/crowdstrike_secrets' + - $ref: '#/components/schemas/d3security_secrets' + - $ref: '#/components/schemas/email_secrets' + - $ref: '#/components/schemas/gemini_secrets' + - $ref: '#/components/schemas/resilient_secrets' + - $ref: '#/components/schemas/jira_secrets' + - $ref: '#/components/schemas/defender_secrets' + - $ref: '#/components/schemas/teams_secrets' + - $ref: '#/components/schemas/genai_secrets' + - $ref: '#/components/schemas/opsgenie_secrets' + - $ref: '#/components/schemas/pagerduty_secrets' + - $ref: '#/components/schemas/sentinelone_secrets' + - $ref: '#/components/schemas/servicenow_secrets' + - $ref: 
'#/components/schemas/slack_api_secrets' + - $ref: '#/components/schemas/swimlane_secrets' + - $ref: '#/components/schemas/thehive_secrets' + - $ref: '#/components/schemas/tines_secrets' + - $ref: '#/components/schemas/torq_secrets' + - $ref: '#/components/schemas/webhook_secrets' + - $ref: '#/components/schemas/cases_webhook_secrets' + - $ref: '#/components/schemas/xmatters_secrets' + required: + - name + - connector_type_id + examples: + createEmailConnectorRequest: + $ref: '#/components/examples/create_email_connector_request' + createIndexConnectorRequest: + $ref: '#/components/examples/create_index_connector_request' + createWebhookConnectorRequest: + $ref: '#/components/examples/create_webhook_connector_request' + createXmattersConnectorRequest: + $ref: '#/components/examples/create_xmatters_connector_request' responses: '200': content: application/json: - examples: - saveApmServerSchemaResponseExample1: - $ref: >- - #/components/examples/APM_UI_fleet_apm_server_schema_200_response1 schema: additionalProperties: false - description: The response body is intentionally empty for this endpoint. type: object - description: Successful response - '400': - content: - application/json: - examples: - badRequestResponse: - $ref: '#/components/examples/APM_UI_error_400_response' - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - examples: - unauthorizedResponse: - $ref: '#/components/examples/APM_UI_error_401_response' - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response + properties: + auth_mode: + description: The authentication mode used for the connector. + enum: + - shared + - per-user + type: string + config: + additionalProperties: + nullable: true + type: object + connector_type_id: + description: The connector type identifier. + type: string + id: + description: The identifier for the connector. 
+ type: string + is_connector_type_deprecated: + description: Indicates whether the connector type is deprecated. + type: boolean + is_deprecated: + description: Indicates whether the connector is deprecated. + type: boolean + is_missing_secrets: + description: Indicates whether the connector is missing secrets. + type: boolean + is_preconfigured: + description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. ' + type: boolean + is_system_action: + description: Indicates whether the connector is used for system actions. + type: boolean + name: + description: ' The name of the connector.' + type: string + required: + - id + - name + - connector_type_id + - is_preconfigured + - is_deprecated + - is_system_action + - is_connector_type_deprecated + examples: + createEmailConnectorResponse: + $ref: '#/components/examples/create_email_connector_response' + createIndexConnectorResponse: + $ref: '#/components/examples/create_index_connector_response' + createWebhookConnectorResponse: + $ref: '#/components/examples/create_webhook_connector_response' + createXmattersConnectorResponse: + $ref: '#/components/examples/get_connector_response' + description: Indicates a successful call. '403': - content: - application/json: - examples: - forbiddenResponse: - $ref: '#/components/examples/APM_UI_error_403_response' - schema: - $ref: '#/components/schemas/APM_UI_403_response' - description: Forbidden response - '404': - content: - application/json: - examples: - notFoundResponse: - $ref: '#/components/examples/APM_UI_error_404_response' - schema: - $ref: '#/components/schemas/APM_UI_404_response' - description: Not found response - summary: Save APM server schema + description: Indicates that this call is forbidden. + summary: Create a connector tags: - - APM server schema - /api/apm/services/{serviceName}/annotation: - post: - description: Create a new annotation for a specific service. 
- operationId: createAnnotation + - connectors + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/actions/connector/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + put: + operationId: put-actions-connector-id parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - $ref: '#/components/parameters/APM_UI_kbn_xsrf' - - description: The name of the service + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: An identifier for the connector. in: path - name: serviceName + name: id required: true schema: type: string requestBody: content: application/json: - examples: - createAnnotationRequest1: - $ref: '#/components/examples/APM_UI_annotation_object_post_request1' schema: - $ref: '#/components/schemas/APM_UI_create_annotation_object' - required: true + additionalProperties: false + type: object + properties: + name: + description: The display name for the connector. + type: string + config: + additionalProperties: {} + default: {} + description: The connector configuration details. 
+ oneOf: + - $ref: '#/components/schemas/bedrock_config' + - $ref: '#/components/schemas/crowdstrike_config' + - $ref: '#/components/schemas/d3security_config' + - $ref: '#/components/schemas/email_config' + - $ref: '#/components/schemas/gemini_config' + - $ref: '#/components/schemas/resilient_config' + - $ref: '#/components/schemas/index_config' + - $ref: '#/components/schemas/jira_config' + - $ref: '#/components/schemas/defender_config' + - $ref: '#/components/schemas/genai_azure_config' + - $ref: '#/components/schemas/genai_openai_config' + - $ref: '#/components/schemas/opsgenie_config' + - $ref: '#/components/schemas/pagerduty_config' + - $ref: '#/components/schemas/sentinelone_config' + - $ref: '#/components/schemas/servicenow_config' + - $ref: '#/components/schemas/servicenow_itom_config' + - $ref: '#/components/schemas/slack_api_config' + - $ref: '#/components/schemas/swimlane_config' + - $ref: '#/components/schemas/thehive_config' + - $ref: '#/components/schemas/tines_config' + - $ref: '#/components/schemas/torq_config' + - $ref: '#/components/schemas/webhook_config' + - $ref: '#/components/schemas/cases_webhook_config' + - $ref: '#/components/schemas/xmatters_config' + secrets: + additionalProperties: {} + default: {} + oneOf: + - $ref: '#/components/schemas/bedrock_secrets' + - $ref: '#/components/schemas/crowdstrike_secrets' + - $ref: '#/components/schemas/d3security_secrets' + - $ref: '#/components/schemas/email_secrets' + - $ref: '#/components/schemas/gemini_secrets' + - $ref: '#/components/schemas/resilient_secrets' + - $ref: '#/components/schemas/jira_secrets' + - $ref: '#/components/schemas/teams_secrets' + - $ref: '#/components/schemas/genai_secrets' + - $ref: '#/components/schemas/opsgenie_secrets' + - $ref: '#/components/schemas/pagerduty_secrets' + - $ref: '#/components/schemas/sentinelone_secrets' + - $ref: '#/components/schemas/servicenow_secrets' + - $ref: '#/components/schemas/slack_api_secrets' + - $ref: 
'#/components/schemas/swimlane_secrets' + - $ref: '#/components/schemas/thehive_secrets' + - $ref: '#/components/schemas/tines_secrets' + - $ref: '#/components/schemas/torq_secrets' + - $ref: '#/components/schemas/webhook_secrets' + - $ref: '#/components/schemas/cases_webhook_secrets' + - $ref: '#/components/schemas/xmatters_secrets' + required: + - name + examples: + updateIndexConnectorRequest: + $ref: '#/components/examples/update_index_connector_request' responses: '200': content: application/json: - examples: - createAnnotationResponse1: - $ref: >- - #/components/examples/APM_UI_annotation_object_post_200_response1 - schema: - $ref: '#/components/schemas/APM_UI_create_annotation_response' - description: Annotation created successfully - '400': - content: - application/json: - examples: - badRequestResponse: - $ref: '#/components/examples/APM_UI_error_400_response' - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - examples: - unauthorizedResponse: - $ref: '#/components/examples/APM_UI_error_401_response' - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '403': - content: - application/json: - examples: - forbiddenResponse: - $ref: '#/components/examples/APM_UI_error_403_response' - schema: - $ref: '#/components/schemas/APM_UI_403_response' - description: Forbidden response - '404': - content: - application/json: - examples: - notFoundResponse: - $ref: '#/components/examples/APM_UI_error_404_response' schema: - $ref: '#/components/schemas/APM_UI_404_response' - description: Not found response - summary: Create a service annotation + additionalProperties: false + type: object + properties: + auth_mode: + description: The authentication mode used for the connector. 
+ enum: + - shared + - per-user + type: string + config: + additionalProperties: + nullable: true + type: object + connector_type_id: + description: The connector type identifier. + type: string + id: + description: The identifier for the connector. + type: string + is_connector_type_deprecated: + description: Indicates whether the connector type is deprecated. + type: boolean + is_deprecated: + description: Indicates whether the connector is deprecated. + type: boolean + is_missing_secrets: + description: Indicates whether the connector is missing secrets. + type: boolean + is_preconfigured: + description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. ' + type: boolean + is_system_action: + description: Indicates whether the connector is used for system actions. + type: boolean + name: + description: ' The name of the connector.' + type: string + required: + - id + - name + - connector_type_id + - is_preconfigured + - is_deprecated + - is_system_action + - is_connector_type_deprecated + description: Indicates a successful call. + '403': + description: Indicates that this call is forbidden. + summary: Update a connector tags: - - APM annotations - x-codeSamples: - - lang: Curl - source: | - curl -X POST \ - http://localhost:5601/api/apm/services/opbeans-java/annotation \ - -H 'Content-Type: application/json' \ - -H 'kbn-xsrf: true' \ - -H 'Authorization: Basic YhUlubWZhM0FDbnlQeE6WRtaW49FQmSGZ4RUWXdX' \ - -d '{ - "@timestamp": "2020-05-08T10:31:30.452Z", - "service": { - "version": "1.2" - }, - "message": "Deployment 1.2" - }' - /api/apm/services/{serviceName}/annotation/search: - get: - description: Search for annotations related to a specific service. - operationId: getAnnotation + - connectors + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/actions/connector/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/actions/connector/{id}/_execute: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/actions/connector/{id}/_execute
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + You can use this API to test an action that involves interaction with Kibana services or integrations with third-party systems. + operationId: post-actions-connector-id-execute parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - description: The name of the service - in: path - name: serviceName + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: + example: 'true' type: string - - description: The environment to filter annotations by - in: query - name: environment - required: false - schema: - type: string - - description: The start date for the search - example: '2024-01-01T00:00:00.000Z' - in: query - name: start - required: false - schema: - format: date-time - type: string - - description: The end date for the search - example: '2024-01-31T23:59:59.999Z' - in: query - name: end - required: false + - description: An identifier for the connector. 
+ in: path + name: id + required: true schema: - format: date-time type: string - responses: - '200': - content: - application/json: - examples: - getAnnotationResponse1: - $ref: >- - #/components/examples/APM_UI_annotation_search_get_200_response1 - schema: - $ref: '#/components/schemas/APM_UI_annotation_search_response' - description: Successful response - '400': - content: - application/json: - examples: - badRequestResponse: - $ref: '#/components/examples/APM_UI_error_400_response' - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - examples: - unauthorizedResponse: - $ref: '#/components/examples/APM_UI_error_401_response' - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '500': - content: - application/json: - examples: - internalServerErrorResponse: - $ref: '#/components/examples/APM_UI_error_500_response' - schema: - $ref: '#/components/schemas/APM_UI_500_response' - description: Internal Server Error response - summary: Search for annotations - tags: - - APM annotations - /api/apm/settings/agent-configuration: - delete: - description: > - Delete an existing agent configuration. You must have `all` privileges - for the APM and User Experience feature in Kibana. When successful, the - configuration is removed and, if Fleet is enabled, APM package policies - are synchronized accordingly. 
- operationId: deleteAgentConfiguration - parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - $ref: '#/components/parameters/APM_UI_kbn_xsrf' requestBody: content: application/json: - examples: - deleteAgentConfigurationRequest1: - $ref: >- - #/components/examples/APM_UI_agent_configuration_intake_object_delete_request1 schema: - $ref: '#/components/schemas/APM_UI_delete_service_object' - required: true + additionalProperties: false + type: object + properties: + params: + additionalProperties: {} + oneOf: + - $ref: '#/components/schemas/run_acknowledge_resolve_pagerduty' + - $ref: '#/components/schemas/run_documents' + - $ref: '#/components/schemas/run_message_email' + - $ref: '#/components/schemas/run_message_serverlog' + - $ref: '#/components/schemas/run_message_slack' + - $ref: '#/components/schemas/run_trigger_pagerduty' + - $ref: '#/components/schemas/run_addevent' + - $ref: '#/components/schemas/run_closealert' + - $ref: '#/components/schemas/run_closeincident' + - $ref: '#/components/schemas/run_createalert' + - $ref: '#/components/schemas/run_fieldsbyissuetype' + - $ref: '#/components/schemas/run_getagentdetails' + - $ref: '#/components/schemas/run_getagents' + - $ref: '#/components/schemas/run_getchoices' + - $ref: '#/components/schemas/run_getfields' + - $ref: '#/components/schemas/run_getincident' + - $ref: '#/components/schemas/run_issue' + - $ref: '#/components/schemas/run_issues' + - $ref: '#/components/schemas/run_issuetypes' + - $ref: '#/components/schemas/run_postmessage' + - $ref: '#/components/schemas/run_pushtoservice' + - $ref: '#/components/schemas/run_validchannelid' + required: + - params + examples: + runIndexConnectorRequest: + $ref: '#/components/examples/run_index_connector_request' + runJiraConnectorRequest: + $ref: '#/components/examples/run_jira_connector_request' + runServerLogConnectorRequest: + $ref: '#/components/examples/run_servicenow_itom_connector_request' + runSlackConnectorRequest: + $ref: 
'#/components/examples/run_slack_api_connector_request' + runSwimlaneConnectorRequest: + $ref: '#/components/examples/run_swimlane_connector_request' responses: '200': content: application/json: - examples: - deleteAgentConfigurationResponseExample1: - $ref: >- - #/components/examples/APM_UI_agent_configuration_intake_object_delete_200_response1 - schema: - $ref: >- - #/components/schemas/APM_UI_delete_agent_configurations_response - description: Successful response - '400': - content: - application/json: - examples: - badRequestResponse: - $ref: '#/components/examples/APM_UI_error_400_response' - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - examples: - unauthorizedResponse: - $ref: '#/components/examples/APM_UI_error_401_response' schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response + additionalProperties: false + type: object + properties: + auth_mode: + description: The authentication mode used for the connector. + enum: + - shared + - per-user + type: string + config: + additionalProperties: + nullable: true + type: object + connector_type_id: + description: The connector type identifier. + type: string + id: + description: The identifier for the connector. + type: string + is_connector_type_deprecated: + description: Indicates whether the connector type is deprecated. + type: boolean + is_deprecated: + description: Indicates whether the connector is deprecated. + type: boolean + is_missing_secrets: + description: Indicates whether the connector is missing secrets. + type: boolean + is_preconfigured: + description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. ' + type: boolean + is_system_action: + description: Indicates whether the connector is used for system actions. 
+ type: boolean + name: + description: ' The name of the connector.' + type: string + required: + - id + - name + - connector_type_id + - is_preconfigured + - is_deprecated + - is_system_action + - is_connector_type_deprecated + examples: + runIndexConnectorResponse: + $ref: '#/components/examples/run_index_connector_response' + runJiraConnectorResponse: + $ref: '#/components/examples/run_jira_connector_response' + runServerLogConnectorResponse: + $ref: '#/components/examples/run_server_log_connector_response' + runServiceNowITOMConnectorResponse: + $ref: '#/components/examples/run_servicenow_itom_connector_response' + runSlackConnectorResponse: + $ref: '#/components/examples/run_slack_api_connector_response' + runSwimlaneConnectorResponse: + $ref: '#/components/examples/run_swimlane_connector_response' + description: Indicates a successful call. '403': - content: - application/json: - examples: - forbiddenResponse: - $ref: '#/components/examples/APM_UI_error_403_response' - schema: - $ref: '#/components/schemas/APM_UI_403_response' - description: Forbidden response - '404': - content: - application/json: - examples: - notFoundResponse: - $ref: '#/components/examples/APM_UI_error_404_response' - schema: - $ref: '#/components/schemas/APM_UI_404_response' - description: Not found response - summary: Delete agent configuration + description: Indicates that this call is forbidden. + summary: Run a connector tags: - - APM agent configuration + - connectors + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/actions/connectors: get: - description: > - Retrieve all agent configurations. You must have `read` privileges for - the APM and User Experience feature in Kibana. If agent configuration is - not available on the current deployment, the API returns a 404. 
- operationId: getAgentConfigurations - parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' + operationId: get-actions-connectors + parameters: [] responses: '200': content: application/json: - examples: - getAgentConfigurationsResponseExample1: - $ref: >- - #/components/examples/APM_UI_agent_configuration_intake_object_get_200_response1 - schema: - $ref: '#/components/schemas/APM_UI_agent_configurations_response' - description: Successful response - '400': - content: - application/json: - examples: - badRequestResponse: - $ref: '#/components/examples/APM_UI_error_400_response' - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - examples: - unauthorizedResponse: - $ref: '#/components/examples/APM_UI_error_401_response' schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '404': - content: - application/json: + items: + additionalProperties: false + type: object + properties: + auth_mode: + description: The authentication mode used for the connector. + enum: + - shared + - per-user + type: string + config: + additionalProperties: + nullable: true + type: object + connector_type_id: + description: The connector type identifier. + type: string + id: + description: The identifier for the connector. + type: string + is_connector_type_deprecated: + description: Indicates whether the connector type is deprecated. + type: boolean + is_deprecated: + description: Indicates whether the connector is deprecated. + type: boolean + is_missing_secrets: + description: Indicates whether the connector is missing secrets. + type: boolean + is_preconfigured: + description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. ' + type: boolean + is_system_action: + description: Indicates whether the connector is used for system actions. 
+ type: boolean + name: + description: ' The name of the connector.' + type: string + referenced_by_count: + description: The number of saved objects that reference the connector. If is_preconfigured is true, this value is not calculated. + type: number + required: + - id + - name + - connector_type_id + - is_preconfigured + - is_deprecated + - is_system_action + - is_connector_type_deprecated + - referenced_by_count + type: array examples: - notFoundResponse: - $ref: '#/components/examples/APM_UI_error_404_response' - schema: - $ref: '#/components/schemas/APM_UI_404_response' - description: Not found response - summary: Get a list of agent configurations + getConnectorsResponse: + $ref: '#/components/examples/get_connectors_response' + description: Indicates a successful call. + '403': + description: Indicates that this call is forbidden. + summary: Get all connectors tags: - - APM agent configuration - put: - description: > - Create or update an agent configuration. You must have `all` privileges - for the APM and User Experience feature in Kibana. When updating an - existing configuration, the `?overwrite=true` query parameter is - required. If the configuration already exists and `overwrite` is not set - to `true`, the API returns a 400 error. When successful and Fleet is - enabled, APM package policies are synchronized accordingly. - operationId: createUpdateAgentConfiguration + - connectors + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/actions/connectors
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/agent_builder/a2a/{agentId}: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/agent_builder/a2a/{agentId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + > warn + > This endpoint is designed for A2A protocol clients and should not be used directly via REST APIs. Use an A2A SDK or A2A Inspector instead. + To learn more about the Agent Builder A2A server, refer to the [A2A server documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/a2a-server).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: post-agent-builder-a2a-agentid parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - $ref: '#/components/parameters/APM_UI_kbn_xsrf' - - description: If the config exists ?overwrite=true is required - in: query - name: overwrite + - description: The unique identifier of the agent to send the A2A task to. + in: path + name: agentId + required: true schema: - type: boolean + type: string requestBody: content: application/json: examples: - createUpdateAgentConfigurationRequestExample1: - $ref: >- - #/components/examples/APM_UI_agent_configuration_intake_object_put_request1 - schema: - $ref: '#/components/schemas/APM_UI_agent_configuration_intake_object' - required: true + a2aTaskRequestExample: + description: 'WARNING: DO NOT USE THIS ENDPOINT VIA REST API. These examples are auto-generated and should not be run. Integrate with A2A using an A2A SDK or A2A Inspector instead.' + value: + id: task-123 + jsonrpc: '2.0' + method: complete + params: + messages: + - content: Hello from A2A protocol + role: user + schema: {} responses: '200': content: application/json: examples: - createUpdateAgentConfigurationResponseExample1: - $ref: >- - #/components/examples/APM_UI_agent_configuration_intake_object_put_200_response1 - schema: - additionalProperties: false - description: The response body is intentionally empty for this endpoint. 
- type: object - description: Successful response - '400': - content: - application/json: - examples: - badRequestResponse: - $ref: '#/components/examples/APM_UI_error_400_response' - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - examples: - unauthorizedResponse: - $ref: '#/components/examples/APM_UI_error_401_response' - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '403': - content: - application/json: - examples: - forbiddenResponse: - $ref: '#/components/examples/APM_UI_error_403_response' - schema: - $ref: '#/components/schemas/APM_UI_403_response' - description: Forbidden response - '404': - content: - application/json: - examples: - notFoundResponse: - $ref: '#/components/examples/APM_UI_error_404_response' - schema: - $ref: '#/components/schemas/APM_UI_404_response' - description: Not found response - summary: Create or update agent configuration + a2aTaskResponseExample: + description: Example response from A2A Task Endpoint with results of task execution + value: + id: task-123 + jsonrpc: '2.0' + result: + conversation_id: conv-456 + response: + message: Hello! How can I help you today? + type: response + description: Indicates a successful response + summary: Send A2A task tags: - - APM agent configuration - /api/apm/settings/agent-configuration/agent_name: + - agent builder + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/agent_builder/a2a/{agentId}.json: get: - description: Retrieve `agentName` for a service. - operationId: getAgentNameForService + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/agent_builder/a2a/{agentId}.json
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get agent discovery metadata in JSON format. Use this endpoint to provide agent information for A2A protocol integration and discovery. To learn more about the Agent Builder A2A server, refer to the [A2A server documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/a2a-server).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-a2a-agentid.json parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - description: The name of the service - example: node - in: query - name: serviceName + - description: The unique identifier of the agent to get A2A metadata for. + in: path + name: agentId required: true schema: type: string 
@@ -611,415 +1265,569 @@ paths: content: application/json: examples: - getAgentNameForServiceResponse1: - $ref: >- - #/components/examples/APM_UI_service_agent_name_get_200_response1 - schema: - $ref: '#/components/schemas/APM_UI_service_agent_name_response' - description: Successful response - '400': - content: - application/json: - examples: - badRequestResponse: - $ref: '#/components/examples/APM_UI_error_400_response' - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - examples: - unauthorizedResponse: - $ref: '#/components/examples/APM_UI_error_401_response' - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '404': - content: - application/json: - examples: - notFoundResponse: - $ref: '#/components/examples/APM_UI_error_404_response' - schema: - $ref: '#/components/schemas/APM_UI_404_response' - description: Not found response - summary: Get agent name for service + a2aAgentCardResponseExample: + description: Example response card of Elastic AI Agent + value: + capabilities: + pushNotifications: false + stateTransitionHistory: false + streaming: false + defaultInputModes: + - text/plain + defaultOutputModes: + - text/plain + description: Elastic AI Agent + name: Elastic AI Agent + protocolVersion: 0.3.0 + provider: + organization: Elastic + url: https://elastic.co + securitySchemes: + authorization: + description: Authentication token + in: header + name: Authorization + type: apiKey + skills: + - description: A powerful tool for searching and analyzing data within your Elasticsearch cluster. 
+ examples: [] + id: platform.core.search + inputModes: + - text/plain + - application/json + name: platform.core.search + outputModes: + - text/plain + - application/json + tags: + - tool + supportsAuthenticatedExtendedCard: false + url: http://localhost:5601/api/agent_builder/a2a/elastic-ai-agent + version: 0.1.0 + description: Indicates a successful response + summary: Get A2A agent card tags: - - APM agent configuration - /api/apm/settings/agent-configuration/environments: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/agent_builder/a2a/{agentId}.json" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/agent_builder/a2a/{agentId}.json + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/agent_builder/agents: get: - description: > - Retrieve the available environments for a given service, to be used in - agent configuration. You must have `read` privileges for the APM and - User Experience feature in Kibana. If `serviceName` is omitted, - environments across all services are returned. - operationId: getEnvironmentsForService - parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - description: >- - The name of the service. If omitted, environments across all - services are returned. - example: opbeans-node - in: query - name: serviceName - schema: - type: string + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/agent_builder/agents
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all available agents. Use this endpoint to retrieve complete agent information including their current configuration and assigned tools. To learn more about agents, refer to the [agents documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/agent-builder-agents).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-agents + parameters: [] responses: '200': content: application/json: examples: - getEnvironmentsForServiceResponseExample1: - $ref: >- - #/components/examples/APM_UI_agent_configuration_environments_200_response1 - schema: - $ref: '#/components/schemas/APM_UI_service_environments_response' - description: Successful response - '400': - content: - application/json: - examples: - badRequestResponse: - $ref: '#/components/examples/APM_UI_error_400_response' - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - examples: - unauthorizedResponse: - $ref: '#/components/examples/APM_UI_error_401_response' - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '404': - content: - application/json: - examples: - notFoundResponse: - $ref: '#/components/examples/APM_UI_error_404_response' - schema: - $ref: '#/components/schemas/APM_UI_404_response' - description: Not found response - summary: Get environments for service + listAgentsResponseExample: + description: Example response that returns one built-in Elastic agent and one created by the user + value: + results: + - configuration: + tools: + - tool_ids: + - platform.core.search + - platform.core.list_indices + - platform.core.get_index_mapping + - platform.core.get_document_by_id + description: Elastic AI Agent + id: elastic-ai-agent + name: Elastic AI Agent + type: chat + - avatar_color: '#BFDBFF' + avatar_symbol: SI + configuration: + instructions: You are a custom agent that wants to help searching data using all indices starting with prefix "content-". + tools: + - tool_ids: + - platform.core.search + - platform.core.list_indices + - platform.core.get_index_mapping + - platform.core.get_document_by_id + description: Hi! 
I can help you search the data within the indices starting with "content-" prefix. + id: created-agent-id + labels: + - custom-indices + - department-search + name: Search Index Helper + type: chat + description: Indicates a successful response + summary: List agents tags: - - APM agent configuration - /api/apm/settings/agent-configuration/search: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/agent_builder/agents" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/agent_builder/agents + x-state: '' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name post: - deprecated: true - description: > - DEPRECATED: This endpoint is intended for internal use by APM agents to - fetch their configuration and mark it as applied. Do not use for new - integrations. It searches for a single agent configuration matching the - given service, and optionally updates the `applied_by_agent` field when - the provided `etag` matches the current configuration. - operationId: searchSingleConfiguration + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/agent_builder/agents
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new agent. Use this endpoint to define the agent's behavior, appearance, and capabilities through comprehensive configuration options. To learn more about agents, refer to the [agents documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/agent-builder-agents).

[Required authorization] Route required privileges: agentBuilder:manageAgents. + operationId: post-agent-builder-agents parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - $ref: '#/components/parameters/APM_UI_kbn_xsrf' + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: examples: - searchSingleConfigurationRequest1: - $ref: >- - #/components/examples/APM_UI_agent_configuration_intake_object_search_request1 + createAgentRequestExample: + description: Example request for creating a custom agent with special prompt and tools + value: + avatar_color: '#BFDBFF' + avatar_symbol: SI + configuration: + instructions: You are a custom agent that wants to help searching data using all indices starting with prefix "content-". + tools: + - tool_ids: + - platform.core.search + - platform.core.list_indices + - platform.core.get_index_mapping + - platform.core.get_document_by_id + description: Hi! I can help you search the data within the indices starting with "content-" prefix. 
+ id: created-agent-id + labels: + - custom-indices + - department-search + name: Search Index Helper schema: - $ref: '#/components/schemas/APM_UI_search_agent_configuration_object' - required: true - responses: - '200': - content: - application/json: - examples: - searchSingleConfigurationResponse1: - $ref: >- - #/components/examples/APM_UI_agent_configuration_intake_object_search_200_response1 - schema: - $ref: >- - #/components/schemas/APM_UI_search_agent_configuration_response - description: Successful response - '400': - content: - application/json: - examples: - badRequestResponse: - $ref: '#/components/examples/APM_UI_error_400_response' - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - examples: - unauthorizedResponse: - $ref: '#/components/examples/APM_UI_error_401_response' - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '404': - content: - application/json: - examples: - notFoundResponse: - $ref: '#/components/examples/APM_UI_error_404_response' - schema: - $ref: '#/components/schemas/APM_UI_404_response' - description: Not found response - summary: Lookup single agent configuration - tags: - - APM agent configuration - /api/apm/settings/agent-configuration/view: - get: - description: > - Retrieve a single agent configuration matching the given service name - and environment. You must have `read` privileges for the APM and User - Experience feature in Kibana. If no matching configuration is found, the - API returns a 404. 
- operationId: getSingleAgentConfiguration - parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - description: Service name - example: node - in: query - name: name - schema: - type: string - - description: Service environment - example: prod - in: query - name: environment - schema: - type: string + additionalProperties: false + type: object + properties: + avatar_color: + description: Optional hex color code for the agent avatar. + type: string + avatar_symbol: + description: Optional symbol/initials for the agent avatar. + type: string + configuration: + additionalProperties: false + description: Configuration settings for the agent. + type: object + properties: + connector_ids: + description: Array of connector IDs to associate with the agent. + items: + description: Connector ID to associate with the agent. + type: string + maxItems: 100 + type: array + enable_elastic_capabilities: + description: When true, enables built-in Elastic capabilities for the agent. + type: boolean + instructions: + description: Optional system instructions that define the agent behavior. + type: string + plugin_ids: + description: Array of plugin IDs to assign to the agent. + items: + description: Plugin ID to assign to the agent. + type: string + maxItems: 100 + type: array + skill_ids: + description: Array of skill IDs to be available to the agent. + items: + description: Skill ID to be available to the agent. + type: string + maxItems: 100 + type: array + tools: + items: + additionalProperties: false + description: Tool selection configuration for the agent. + type: object + properties: + tool_ids: + description: Array of tool IDs that the agent can use. + items: + description: Tool ID to be available to the agent. + type: string + type: array + required: + - tool_ids + type: array + workflow_ids: + items: + description: Optional list of workflow IDs. When set, these workflows run before every agent execution, in order. 
+ type: string + maxItems: 100 + type: array + required: + - tools + description: + description: Description of what the agent does. + type: string + id: + description: Unique identifier for the agent. + type: string + labels: + description: Optional labels for categorizing and organizing agents. + items: + description: Label for categorizing the agent. + type: string + type: array + name: + description: Display name for the agent. + type: string + visibility: + description: '**Technical Preview; added in 9.4.0.** Optional visibility setting: `public` (any privileged user can read/write), `shared` (any privileged user can read, only owner can write), `private` (only owner can read/write).' + enum: + - public + - shared + - private + type: string + required: + - id + - name + - description + - configuration responses: '200': content: application/json: examples: - getSingleAgentConfigurationResponseExample1: - $ref: >- - #/components/examples/APM_UI_agent_configuration_intake_object_view_200_response1 - schema: - $ref: >- - #/components/schemas/APM_UI_single_agent_configuration_response - description: Successful response - '400': - content: - application/json: - examples: - badRequestResponse: - $ref: '#/components/examples/APM_UI_error_400_response' - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - examples: - unauthorizedResponse: - $ref: '#/components/examples/APM_UI_error_401_response' - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '404': - content: - application/json: - examples: - notFoundResponse: - $ref: '#/components/examples/APM_UI_error_404_response' - schema: - $ref: '#/components/schemas/APM_UI_404_response' - description: Not found response - summary: Get single agent configuration + createAgentResponseExample: + description: Example response returning the definition of an agent created as a result of the request 
+ value: + avatar_color: '#BFDBFF' + avatar_symbol: SI + configuration: + instructions: You are a custom agent that wants to help searching data using all indices starting with prefix "content-". + tools: + - tool_ids: + - platform.core.search + - platform.core.list_indices + - platform.core.get_index_mapping + - platform.core.get_document_by_id + description: Hi! I can help you search the data within the indices starting with "content-" prefix. + id: created-agent-id + labels: + - custom-indices + - department-search + name: Search Index Helper + type: chat + description: Indicates a successful response + summary: Create an agent tags: - - APM agent configuration - /api/apm/sourcemaps: - get: - description: > - Get an array of Fleet artifacts, including source map uploads. You must - have `read` or `all` Kibana privileges for the APM and User Experience - feature. - operationId: getSourceMaps + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/agent_builder/agents" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "id": "new-agent-id", + "name": "Search Index Helper", + "description": "Hi! I can help you search the data within the indices starting with \"content-\" prefix.", + "labels": ["custom-indices", "department-search"], + "avatar_color": "#BFDBFF", + "avatar_symbol": "SI", + "configuration": { + "instructions": "You are a custom agent that wants to help searching data using all indices starting with prefix \"content-\".", + "tools": [ + { + "tool_ids": [ + "platform.core.search", + "platform.core.list_indices", + "platform.core.get_index_mapping", + "platform.core.get_document_by_id" + ] + } + ] + } + }' + - lang: Console + source: | + POST kbn://api/agent_builder/agents + { + "id": "new-agent-id", + "name": "Search Index Helper", + "description": "Hi! 
I can help you search the data within the indices starting with \"content-\" prefix.", + "labels": ["custom-indices", "department-search"], + "avatar_color": "#BFDBFF", + "avatar_symbol": "SI", + "configuration": { + "instructions": "You are a custom agent that wants to help searching data using all indices starting with prefix \"content-\".", + "tools": [ + { + "tool_ids": [ + "platform.core.search", + "platform.core.list_indices", + "platform.core.get_index_mapping", + "platform.core.get_document_by_id" + ] + } + ] + } + } + x-state: '' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/agent_builder/agents/{agent_id}/consumption: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/agent_builder/agents/{agent_id}/consumption
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Returns paginated, per-conversation token consumption data for a given agent. Includes input/output token counts, round counts, LLM call counts, and warnings for conversations with high token usage. Requires the manageAgents privilege. To learn more about monitoring agent token usage, refer to the [monitor usage documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/monitor-usage).

[Required authorization] Route required privileges: agentBuilder:manageAgents. + operationId: post-agent-builder-agents-agent-id-consumption parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - description: Page number - in: query - name: page + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - type: number - - description: Number of records per page - in: query - name: perPage + example: 'true' + type: string + - description: The unique identifier of the agent. + in: path + name: agent_id + required: true schema: - type: number + type: string + requestBody: + content: + application/json: + examples: + consumptionDefaultExample: + description: Get consumption data for an agent with default pagination + value: + size: 25 + sort_field: updated_at + sort_order: desc + consumptionFilteredExample: + description: Get consumption data filtered by username with warnings + value: + has_warnings: true + size: 10 + sort_field: total_tokens + sort_order: desc + usernames: + - elastic + - admin + schema: + additionalProperties: false + type: object + properties: + has_warnings: + description: Filter to conversations with or without high-token warnings. + type: boolean + search: + description: Free-text search filter on conversation title. + type: string + search_after: + description: Cursor for pagination. Pass the search_after value from the previous response. + items: + nullable: true + maxItems: 10000 + type: array + size: + default: 25 + description: Number of results per page. + maximum: 100 + minimum: 1 + type: number + sort_field: + default: updated_at + description: Field to sort results by. + enum: + - updated_at + - total_tokens + - round_count + type: string + sort_order: + default: desc + description: Sort direction. + enum: + - asc + - desc + type: string + usernames: + description: Filter results to conversations by these usernames. 
+ items: + type: string + maxItems: 10000 + type: array responses: '200': content: application/json: examples: - getSourceMapsResponse1: - $ref: '#/components/examples/APM_UI_source_maps_get_200_response1' - schema: - $ref: '#/components/schemas/APM_UI_source_maps_response' - description: Successful response - '400': - content: - application/json: - examples: - badRequestResponse: - $ref: '#/components/examples/APM_UI_error_400_response' - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - examples: - unauthorizedResponse: - $ref: '#/components/examples/APM_UI_error_401_response' - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '500': - content: - application/json: - examples: - internalServerErrorResponse: - $ref: '#/components/examples/APM_UI_error_500_response' - schema: - $ref: '#/components/schemas/APM_UI_500_response' - description: Internal Server Error response - '501': - content: - application/json: - examples: - notImplementedResponse: - $ref: '#/components/examples/APM_UI_error_501_response' - schema: - $ref: '#/components/schemas/APM_UI_501_response' - description: Not Implemented response - summary: Get source maps + consumptionResponseExample: + description: Example response with per-conversation token usage data + value: + aggregations: + total_with_warnings: 0 + usernames: + - elastic + - admin + results: + - conversation_id: conv-abc123 + created_at: '2025-03-01T10:00:00Z' + llm_calls: 8 + round_count: 5 + title: Help me search my data + token_usage: + input_tokens: 15000 + output_tokens: 3000 + total_tokens: 18000 + updated_at: '2025-03-01T10:15:00Z' + user: + id: uid-1 + username: elastic + warnings: [] + - conversation_id: conv-def456 + created_at: '2025-03-02T14:00:00Z' + llm_calls: 20 + round_count: 12 + title: Analyze server logs + token_usage: + input_tokens: 250000 + output_tokens: 8000 + total_tokens: 
258000 + updated_at: '2025-03-02T14:30:00Z' + user: + id: uid-2 + username: admin + warnings: + - input_tokens: 250000 + round_id: round-7 + type: high_input_tokens + search_after: + - 1709391000000 + - '2025-03-02T14:30:00Z' + total: 2 + description: Indicates a successful response + summary: Get agent consumption data tags: - - APM sourcemaps + - agent builder x-codeSamples: - - lang: Curl + - lang: curl source: | - curl -X GET "http://localhost:5601/api/apm/sourcemaps" \ - -H 'Content-Type: application/json' \ - -H 'kbn-xsrf: true' \ - -H 'Authorization: ApiKey ${YOUR_API_KEY}' - post: - description: > - Upload a source map for a specific service and version. You must have - `all` Kibana privileges for the APM and User Experience feature. - - The maximum payload size is `1mb`. If you attempt to upload a source map - that exceeds the maximum payload size, you will get a 413 error. Before - uploading source maps that exceed this default, change the maximum - payload size allowed by Kibana with the `server.maxPayload` variable. - operationId: uploadSourceMap + curl \ + -X POST "${KIBANA_URL}/api/agent_builder/agents/elastic-ai-agent/consumption" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "Content-Type: application/json" \ + -H "elastic-api-version: 2023-10-31" \ + -d '{"size": 25, "sort_field": "updated_at", "sort_order": "desc"}' + - lang: Console + source: | + POST kbn://api/agent_builder/agents/elastic-ai-agent/consumption + {"size": 25, "sort_field": "updated_at", "sort_order": "desc"} + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/agent_builder/agents/{id}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/agent_builder/agents/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete an agent by ID. This action cannot be undone. To learn more about agents, refer to the [agents documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/agent-builder-agents).

[Required authorization] Route required privileges: agentBuilder:manageAgents. + operationId: delete-agent-builder-agents-id parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - $ref: '#/components/parameters/APM_UI_kbn_xsrf' - requestBody: - content: - multipart/form-data: - examples: - uploadSourceMapRequest: - $ref: '#/components/examples/APM_UI_source_maps_upload_request1' - schema: - $ref: '#/components/schemas/APM_UI_upload_source_map_object' - required: true + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The unique identifier of the agent to delete. + in: path + name: id + required: true + schema: + type: string responses: '200': content: application/json: examples: - uploadSourceMapResponse1: - $ref: >- - #/components/examples/APM_UI_source_maps_upload_200_response1 - schema: - $ref: '#/components/schemas/APM_UI_upload_source_maps_response' - description: Successful response - '400': - content: - application/json: - examples: - badRequestResponse: - $ref: '#/components/examples/APM_UI_error_400_response' - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - examples: - unauthorizedResponse: - $ref: '#/components/examples/APM_UI_error_401_response' - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '403': - content: - application/json: - examples: - forbiddenResponse: - $ref: '#/components/examples/APM_UI_error_403_response' - schema: - $ref: '#/components/schemas/APM_UI_403_response' - description: Forbidden response - '500': - content: - application/json: - examples: - internalServerErrorResponse: - $ref: '#/components/examples/APM_UI_error_500_response' - schema: - $ref: '#/components/schemas/APM_UI_500_response' - description: Internal Server Error response - '501': - 
content: - application/json: - examples: - notImplementedResponse: - $ref: '#/components/examples/APM_UI_error_501_response' - schema: - $ref: '#/components/schemas/APM_UI_501_response' - description: Not Implemented response - summary: Upload a source map + deleteAgentResponseExample: + description: Example response showing that deletion of the agent has been successful + value: + success: true + description: Indicates a successful response + summary: Delete an agent tags: - - APM sourcemaps + - agent builder x-codeSamples: - - lang: Curl - source: > - curl -X POST "http://localhost:5601/api/apm/sourcemaps" \ - - -H 'Content-Type: multipart/form-data' \ - - -H 'kbn-xsrf: true' \ - - -H 'Authorization: ApiKey ${YOUR_API_KEY}' \ - - -F 'service_name="foo"' \ + - lang: curl + source: | + curl \ + -X DELETE "${KIBANA_URL}/api/agent_builder/agents/{id}" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" + - lang: Console + source: | + DELETE kbn://api/agent_builder/agents/{id} + x-state: '' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: |- + **Spaces method and path for this operation:** - -F 'service_version="1.0.0"' \ +
get /s/{space_id}/api/agent_builder/agents/{id}
- -F 'bundle_filepath="/test/e2e/general-usecase/bundle.js"' \ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - -F - 'sourcemap="{\"version\":3,\"file\":\"static/js/main.chunk.js\",\"sources\":[\"fleet-source-map-client/src/index.css\",\"fleet-source-map-client/src/App.js\",\"webpack:///./src/index.css?bb0a\",\"fleet-source-map-client/src/index.js\",\"fleet-source-map-client/src/reportWebVitals.js\"],\"sourcesContent\":[\"content\"],\"mappings\":\"mapping\",\"sourceRoot\":\"\"}"' - /api/apm/sourcemaps/{id}: - delete: - description: > - Delete a previously uploaded source map. You must have `all` Kibana - privileges for the APM and User Experience feature. - operationId: deleteSourceMap + Get a specific agent by ID. Use this endpoint to retrieve the complete agent definition including all configuration details and tool assignments. To learn more about agents, refer to the [agents documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/agent-builder-agents).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-agents-id parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - $ref: '#/components/parameters/APM_UI_kbn_xsrf' - - description: Source map identifier + - description: The unique identifier of the agent to retrieve. in: path name: id required: true 
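Review bot: The curl sample for `post /api/agent_builder/agents/{agent_id}/consumption` omits the `kbn-xsrf` header that the operation's own parameters list declares with `required: true`, while the create-agent and delete-agent samples in this same hunk do send it; add `-H "kbn-xsrf: true" \` to that sample so a copied command is not rejected. The same sample sends `elastic-api-version: 2023-10-31`, which no parameter entry of this operation declares and which none of the neighbouring agent-builder samples use, so it is presumably either a leftover or a missing parameter declaration and should be aligned one way or the other. Separately, in the create-agent request schema `tools[].tool_ids` and `labels` carry no `maxItems`, whereas `connector_ids`, `plugin_ids`, `skill_ids` and `workflow_ids` are each bounded at 100; if the unbounded arrays are intentional a short description note would help, otherwise the bound should be applied consistently. The `get` operation for `/api/agent_builder/agents/{id}` is cut off here and continues in the next hunk.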
@@ -1030,1130 +1838,7313 @@ paths: content: application/json: examples: - deleteSourceMapResponseExample1: - $ref: >- - #/components/examples/APM_UI_source_maps_delete_200_response1 - schema: - additionalProperties: false - description: The response body is intentionally empty for this endpoint. - type: object - description: Successful response - '400': - content: - application/json: - examples: - badRequestResponse: - $ref: '#/components/examples/APM_UI_error_400_response' - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - examples: - unauthorizedResponse: - $ref: '#/components/examples/APM_UI_error_401_response' - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '403': - content: - application/json: - examples: - forbiddenResponse: - $ref: '#/components/examples/APM_UI_error_403_response' - schema: - $ref: '#/components/schemas/APM_UI_403_response' - description: Forbidden response - '500': - content: - application/json: - examples: - internalServerErrorResponse: - $ref: '#/components/examples/APM_UI_error_500_response' - schema: - $ref: '#/components/schemas/APM_UI_500_response' - description: Internal Server Error response - '501': - content: - application/json: - examples: - notImplementedResponse: - $ref: '#/components/examples/APM_UI_error_501_response' - schema: - $ref: '#/components/schemas/APM_UI_501_response' - description: Not Implemented response - summary: Delete source map + getAgentByIdResponseExample: + description: Example response that an agent created by the user that will query elasticsearch indices starting with 'content-' prefix to answer the questions. + value: + avatar_color: '#BFDBFF' + avatar_symbol: SI + configuration: + instructions: You are a custom agent that wants to help searching data using all indices starting with prefix "content-". 
+ tools: + - tool_ids: + - platform.core.search + - platform.core.list_indices + - platform.core.get_index_mapping + - platform.core.get_document_by_id + description: Hi! I can help you search the data within the indices starting with "content-" prefix. + id: created-agent-id + labels: + - custom-indices + - department-search + name: Search Index Helper + type: chat + description: Indicates a successful response + summary: Get an agent by ID tags: - - APM sourcemaps + - agent builder x-codeSamples: - - lang: Curl - source: > - curl -X DELETE - "http://localhost:5601/api/apm/sourcemaps/apm:foo-1.0.0-644fd5a9" \ + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/agent_builder/agents/{id}" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/agent_builder/agents/{id} + x-state: '' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** - -H 'Content-Type: application/json' \ +
put /s/{space_id}/api/agent_builder/agents/{id}
- -H 'kbn-xsrf: true' \ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - -H 'Authorization: ApiKey ${YOUR_API_KEY}' - /api/asset_criticality: - delete: - description: Delete the asset criticality record for a specific entity. - operationId: DeleteAssetCriticalityRecord + Update an existing agent configuration. Use this endpoint to modify any aspect of the agent's behavior, appearance, or capabilities. To learn more about agents, refer to the [agents documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/agent-builder-agents).

[Required authorization] Route required privileges: agentBuilder:manageAgents. + operationId: put-agent-builder-agents-id parameters: - - description: The ID value of the asset. - example: my_host - in: query - name: id_value + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: + example: 'true' type: string - - description: The field representing the ID. - example: host.name - in: query - name: id_field + - description: The unique identifier of the agent to update. + in: path + name: id required: true schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_IdField' - - description: If 'wait_for' the request will wait for the index refresh. + type: string + requestBody: + content: + application/json: + examples: + createAgentRequestExample: + description: Example request for updating custom agent + value: + avatar_color: '#BFDBFF' + avatar_symbol: SI + configuration: + instructions: You are a custom agent that wants to help searching data using all indices starting with prefix "content-". + tools: + - tool_ids: + - platform.core.search + - platform.core.list_indices + - platform.core.get_index_mapping + - platform.core.get_document_by_id + description: Updated description - Search for anything in "content-*" indices! + id: created-agent-id + labels: + - custom-indices + - department-search + - elastic-employees + name: Search Index Helper + schema: + additionalProperties: false + type: object + properties: + avatar_color: + description: Updated hex color code for the agent avatar. + type: string + avatar_symbol: + description: Updated symbol/initials for the agent avatar. + type: string + configuration: + additionalProperties: false + description: Updated configuration settings for the agent. + type: object + properties: + connector_ids: + description: Array of connector IDs to associate with the agent. + items: + description: Connector ID to associate with the agent. 
+ type: string + maxItems: 100 + type: array + enable_elastic_capabilities: + description: When true, enables built-in Elastic capabilities for the agent. + type: boolean + instructions: + description: Updated system instructions that define the agent behavior. + type: string + plugin_ids: + description: Array of plugin IDs to assign to the agent. + items: + description: Plugin ID to assign to the agent. + type: string + maxItems: 100 + type: array + skill_ids: + description: Array of skill IDs to be available to the agent. + items: + description: Skill ID to be available to the agent. + type: string + maxItems: 100 + type: array + tools: + items: + additionalProperties: false + description: Tool selection configuration for the agent. + type: object + properties: + tool_ids: + description: Array of tool IDs that the agent can use. + items: + description: Tool ID to be available to the agent. + type: string + type: array + required: + - tool_ids + type: array + workflow_ids: + items: + description: Updated list of workflow IDs. When set, these workflows run every agent execution, in order. + type: string + maxItems: 100 + type: array + description: + description: Updated description of what the agent does. + type: string + labels: + description: Updated labels for categorizing and organizing agents. + items: + description: Updated label for categorizing the agent. + type: string + type: array + name: + description: Updated display name for the agent. + type: string + visibility: + description: '**Technical Preview; added in 9.4.0.** Updated visibility setting: `public` (any privileged user can read/write), `shared` (any privileged user can read, only owner can write), `private` (only owner can read/write).' 
+ enum: + - public + - shared + - private + type: string + responses: + '200': + content: + application/json: + examples: + updateAgentResponseExample: + description: Example response returning the agent definition with the changes applied from the request + value: + avatar_color: '#BFDBFF' + avatar_symbol: SI + configuration: + instructions: You are a custom agent that wants to help searching data using all indices starting with prefix "content-". + tools: + - tool_ids: + - platform.core.search + - platform.core.list_indices + - platform.core.get_index_mapping + - platform.core.get_document_by_id + description: Updated description - Search for anything in "content-*" indices! + id: created-agent-id + labels: + - custom-indices + - department-search + - elastic-employees + name: Search Index Helper + type: chat + description: Indicates a successful response + summary: Update an agent + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X PUT "${KIBANA_URL}/api/agent_builder/agents/{id}" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "name": "Search Index Helper", + "description": "Updated description - Search for anything in \"content-*\" indices!", + "labels": ["custom-indices", "department-search", "elastic-employees"], + "avatar_color": "#BFDBFF", + "avatar_symbol": "SI", + "configuration": { + "instructions": "You are a custom agent that wants to help searching data using all indices starting with prefix \"content-\".", + "tools": [{ + "tool_ids": [ + "platform.core.search", + "platform.core.list_indices", + "platform.core.get_index_mapping", + "platform.core.get_document_by_id" + ] + }] + } + }' + - lang: Console + source: | + PUT kbn://api/agent_builder/agents/{id} + { + "name": "Search Index Helper", + "description": "Updated description - Search for anything in \"content-*\" indices!", + "labels": ["custom-indices", "department-search", "elastic-employees"], 
+ "avatar_color": "#BFDBFF", + "avatar_symbol": "SI", + "configuration": { + "instructions": "You are a custom agent that wants to help searching data using all indices starting with prefix \"content-\".", + "tools": [{ + "tool_ids": [ + "platform.core.search", + "platform.core.list_indices", + "platform.core.get_index_mapping", + "platform.core.get_document_by_id" + ] + }] + } + } + x-state: '' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/agent_builder/conversations: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/agent_builder/conversations
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all conversations for a user. Use the optional agent ID to filter conversations by a specific agent. To learn more about agent conversations, refer to the [agent chat documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/chat).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-conversations + parameters: + - description: Optional agent ID to filter conversations by a specific agent. in: query - name: refresh + name: agent_id required: false schema: - enum: - - wait_for type: string responses: '200': content: application/json: - schema: - type: object - properties: - deleted: - description: >- - True if the record was deleted or false if the record did - not exist. - type: boolean - record: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord - description: The deleted record if it existed. - required: - - deleted - description: Successful response - '400': - description: Invalid request - summary: Delete an asset criticality record + examples: + listConversationsResponseExample: + description: Example response containing the list of conversations with all agents + value: + results: + - agent_id: elastic-ai-agent + created_at: '2025-09-19T17:45:39.554Z' + id: bcc176c5-38f6-40be-be0c-898e34fa1480 + title: General Greeting + updated_at: '2025-09-19T17:45:39.554Z' + user: + username: elastic + description: Indicates a successful response + summary: List conversations tags: - - Security Entity Analytics API - get: - description: Get the asset criticality record for a specific entity. - operationId: GetAssetCriticalityRecord + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/agent_builder/conversations" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/agent_builder/conversations + x-state: '' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/agent_builder/conversations/{conversation_id}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/agent_builder/conversations/{conversation_id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a conversation by ID. This action cannot be undone. To learn more about agent conversations, refer to the [agent chat documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/chat).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: delete-agent-builder-conversations-conversation-id parameters: - - description: The ID value of the asset. - example: my_host - in: query - name: id_value + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: + example: 'true' type: string - - description: The field representing the ID. - example: host.name - in: query - name: id_field + - description: The unique identifier of the conversation to delete. + in: path + name: conversation_id required: true schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_IdField' + type: string responses: '200': content: application/json: - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord - description: Successful response - '400': - description: Invalid request - '404': - description: Criticality record not found - summary: Get an asset criticality record + examples: + deleteConversationResponseExample: + description: Example response showing that deletion of conversation has been successful + value: + success: true + description: Indicates a successful response + summary: Delete conversation by ID tags: - - Security Entity Analytics API - post: - description: > - Create or update an asset criticality record for a specific entity. + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X DELETE "${KIBANA_URL}/api/agent_builder/conversations/{conversation_id}" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" + - lang: Console + source: | + DELETE kbn://api/agent_builder/conversations/{conversation_id} + x-state: '' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: |- + **Spaces method and path for this operation:** +
get /s/{space_id}/api/agent_builder/conversations/{conversation_id}
- If a record already exists for the specified entity, that record is - overwritten with the specified value. If a record doesn't exist for the - specified entity, a new record is created. - operationId: CreateAssetCriticalityRecord - requestBody: - content: - application/json: - schema: - allOf: - - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_CreateAssetCriticalityRecord - - type: object - properties: - refresh: - description: >- - If 'wait_for' the request will wait for the index - refresh. - enum: - - wait_for - type: string - example: - criticality_level: high_impact - id_field: host.name - id_value: my_host - required: true + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a specific conversation by ID. Use this endpoint to retrieve the complete conversation history including all messages and metadata. To learn more about agent conversations, refer to the [agent chat documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/chat).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-conversations-conversation-id + parameters: + - description: The unique identifier of the conversation to retrieve. + in: path + name: conversation_id + required: true + schema: + type: string responses: '200': content: application/json: - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord - description: Successful response - '400': - description: Invalid request - summary: Upsert an asset criticality record + examples: + getConversationByIdResponseExample: + description: Example response containing the contents of a convesation with the chat agent + value: + agent_id: elastic-ai-agent + created_at: '2025-09-19T17:45:39.554Z' + id: bcc176c5-38f6-40be-be0c-898e34fa1480 + rounds: + - id: 170ec3b2-0f5a-4538-8b60-549572386d2a + input: + message: Hello, how are you? + response: + message: |- + Since this is a general greeting that doesn't require any organizational or product-specific information, I can respond without using tools. + + Hello! I'm doing well, thank you for asking. I'm here to help you with any questions you may have. How can I assist you today? + steps: [] + title: General Greeting + updated_at: '2025-09-19T17:45:39.554Z' + user: + username: elastic + description: Indicates a successful response + summary: Get conversation by ID tags: - - Security Entity Analytics API - /api/asset_criticality/bulk: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/agent_builder/conversations/{conversation_id}" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/agent_builder/conversations/{conversation_id} + x-state: '' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/agent_builder/conversations/{conversation_id}/attachments: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all attachments for a conversation. Use the optional include_deleted query parameter to include soft-deleted attachments.

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-conversations-conversation-id-attachments + parameters: + - description: The unique identifier of the conversation. + in: path + name: conversation_id + required: true + schema: + type: string + - description: Whether to include deleted attachments in the list. + in: query + name: include_deleted + required: false + schema: + type: boolean + responses: + '200': + content: + application/json: + examples: + listAttachmentsResponseExample: + description: Example response containing active attachments for a conversation + value: + results: + - active: true + current_version: 2 + description: My text file + id: attachment-1 + type: text + versions: + - content_hash: abc123 + created_at: '2025-01-01T10:00:00.000Z' + data: Initial content + estimated_tokens: 3 + version: 1 + - content_hash: def456 + created_at: '2025-01-01T11:00:00.000Z' + data: Updated content + estimated_tokens: 3 + version: 2 + - active: true + current_version: 1 + description: Configuration data + id: attachment-2 + type: json + versions: + - content_hash: ghi789 + created_at: '2025-01-01T12:00:00.000Z' + data: + key: value + nested: + field: 123 + estimated_tokens: 15 + version: 1 + total_token_estimate: 21 + description: Indicates a successful response + summary: List conversation attachments + tags: + - agent builder + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name post: - description: > - Bulk upsert up to 1000 asset criticality records. + description: |- + **Spaces method and path for this operation:** +
post /s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments
- If asset criticality records already exist for the specified entities, - those records are overwritten with the specified values. If asset - criticality records don't exist for the specified entities, new records - are created. - operationId: BulkUpsertAssetCriticalityRecords + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new attachment for a conversation with version tracking.

[Required authorization] Route required privileges: agentBuilder:read. + operationId: post-agent-builder-conversations-conversation-id-attachments + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The unique identifier of the conversation. + in: path + name: conversation_id + required: true + schema: + type: string requestBody: content: application/json: + examples: + createHiddenAttachmentExample: + description: Example request for creating a hidden attachment + value: + data: Internal system data + description: System context + hidden: true + type: text + createJsonAttachmentExample: + description: Example request for creating a JSON attachment with custom ID + value: + data: + configuration: + enabled: true + threshold: 50 + metadata: + source: user_input + description: Application settings + id: custom-attachment-id + type: json + createTextAttachmentExample: + description: Example request for creating a text attachment + value: + data: This is the content of my text attachment + description: Meeting notes + type: text schema: - example: - records: - - criticality_level: low_impact - id_field: host.name - id_value: host-1 - - criticality_level: medium_impact - id_field: host.name - id_value: host-2 + additionalProperties: false type: object properties: - records: - items: - allOf: - - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordIdParts - - type: object - properties: - criticality_level: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevelsForBulkUpload - required: - - criticality_level - maxItems: 1000 - minItems: 1 - type: array + data: + description: The attachment data/content. Required unless origin is provided. + nullable: true + description: + description: Human-readable description of the attachment. 
+ type: string + hidden: + description: Whether the attachment should be hidden from the user. + type: boolean + id: + description: Optional custom ID for the attachment. + type: string + origin: + description: Origin string (for example, saved object ID) for by-reference attachments. When provided without data, the content is resolved once at creation time. + type: string + type: + description: The type of the attachment (e.g., text, esql, visualization). + type: string required: - - records + - type + - data responses: '200': content: application/json: - schema: - example: - errors: - - index: 0 - message: Invalid ID field - stats: - failed: 1 - successful: 1 - total: 2 - type: object - properties: - errors: - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityBulkUploadErrorItem - type: array - stats: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityBulkUploadStats - required: - - errors - - stats - description: Bulk upload successful - '413': - description: File too large - summary: Bulk upsert asset criticality records + examples: + createAttachmentResponseExample: + description: Example response returning the created attachment + value: + attachment: + active: true + current_version: 1 + description: Meeting notes + id: att-abc123 + type: text + versions: + - content_hash: sha256-xyz + created_at: '2025-01-06T10:00:00.000Z' + data: This is the content of my text attachment + estimated_tokens: 12 + version: 1 + description: Indicates a successful response + summary: Create conversation attachment tags: - - Security Entity Analytics API - /api/asset_criticality/list: - get: - description: List asset criticality records, paging, sorting and filtering as needed. 
- operationId: FindAssetCriticalityRecords + - agent builder + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete an attachment. By default performs a soft delete (can be restored). Use permanent=true to permanently remove unreferenced attachments.

[Required authorization] Route required privileges: agentBuilder:read. + operationId: delete-agent-builder-conversations-conversation-id-attachments-attachment-id parameters: - - description: The field to sort by. - in: query - name: sort_field - required: false + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - enum: - - id_value - - id_field - - criticality_level - - '@timestamp' + example: 'true' type: string - - description: The order to sort by. - in: query - name: sort_direction - required: false + - description: The unique identifier of the conversation. + in: path + name: conversation_id + required: true schema: - enum: - - asc - - desc type: string - - description: The page number to return. - in: query - name: page - required: false - schema: - minimum: 1 - type: integer - - description: The number of records to return per page. - in: query - name: per_page - required: false + - description: The unique identifier of the attachment to delete. + in: path + name: attachment_id + required: true schema: - maximum: 1000 - minimum: 1 - type: integer - - description: The kuery to filter by. + type: string + - description: If true, permanently removes the attachment (only for unreferenced attachments). 
in: query - name: kuery + name: permanent required: false schema: - type: string + type: boolean responses: '200': content: application/json: - schema: - example: - page: 1 - per_page: 10 - records: - - '@timestamp': '2024-08-02T14:40:35.705Z' - asset: - criticality: medium_impact - criticality_level: medium_impact - host: - asset: - criticality: medium_impact - name: my_other_host - id_field: host.name - id_value: my_other_host - - '@timestamp': '2024-08-02T11:15:34.290Z' - asset: - criticality: high_impact - criticality_level: high_impact - host: - asset: - criticality: high_impact - name: my_host - id_field: host.name - id_value: my_host - total: 2 - type: object - properties: - page: - minimum: 1 - type: integer - per_page: - maximum: 1000 - minimum: 1 - type: integer - records: - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord - type: array - total: - minimum: 0 - type: integer - required: - - records - - page - - per_page - - total - description: Successfully retrieved asset criticality records - summary: List asset criticality records + examples: + permanentDeleteAttachmentResponseExample: + description: Example response for permanent delete (cannot be restored) + value: + permanent: true + success: true + softDeleteAttachmentResponseExample: + description: Example response for soft delete (can be restored) + value: + permanent: false + success: true + description: Indicates a successful response + summary: Delete conversation attachment tags: - - Security Entity Analytics API - /api/attack_discovery/_bulk: - post: - description: >- - Performs bulk updates on multiple Attack discoveries, including workflow - status changes and visibility settings. This endpoint allows efficient - batch processing of alert modifications without requiring individual API - calls for each alert. 
- operationId: PostAttackDiscoveryBulk + - agent builder + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + patch: + description: |- + **Spaces method and path for this operation:** + +
patch /s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Rename an attachment without creating a new version.

[Required authorization] Route required privileges: agentBuilder:read. + operationId: patch-agent-builder-conversations-conversation-id-attachments-attachment-id + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The unique identifier of the conversation. + in: path + name: conversation_id + required: true + schema: + type: string + - description: The unique identifier of the attachment to rename. + in: path + name: attachment_id + required: true + schema: + type: string requestBody: content: application/json: examples: - PostAttackDiscoveryBulkRequestBodyExample: - summary: Acknowledge two Attack discoveries in bulk. + renameAttachmentExample: + description: Example request for renaming an attachment value: - update: - enable_field_rendering: false - ids: - - >- - c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f - - >- - 5aa8f2900c0b03854b3b1a52a19558c5ea9893865c78235d4ad3dcc46196f4c7 - kibana_alert_workflow_status: acknowledged - with_replacements: true + description: Updated attachment name schema: + additionalProperties: false type: object properties: - update: - description: >- - Configuration object containing all parameters for the bulk - update operation - type: object - properties: - enable_field_rendering: - default: false - description: >- - Enables a markdown syntax used to render pivot fields, - for example `{{ user.name james }}`. When disabled, the - same example would be rendered as `james`. This is - primarily used for Attack Discovery views within Kibana. - Defaults to `false`. 
- example: false - type: boolean - ids: - description: Array of Attack Discovery IDs to update - example: - - >- - c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f - - >- - 5aa8f2900c0b03854b3b1a52a19558c5ea9893865c78235d4ad3dcc46196f4c7 - items: - type: string - type: array - kibana_alert_workflow_status: - description: >- - When provided, update the kibana.alert.workflow_status - of the attack discovery alerts - enum: - - open - - acknowledged - - closed - example: acknowledged - type: string - visibility: - description: >- - When provided, update the visibility of the alert, as - determined by the kibana.alert.attack_discovery.users - field - enum: - - not_shared - - shared - example: shared - type: string - with_replacements: - default: true - description: >- - When true, returns the updated Attack discoveries with - text replacements applied to the detailsMarkdown, - entitySummaryMarkdown, summaryMarkdown, and title - fields. This substitutes anonymized values with - human-readable equivalents. Defaults to `true`. - example: true - type: boolean - required: - - ids + description: + description: The new description/name for the attachment. + type: string required: - - update - description: Bulk update parameters for Attack discoveries - required: true + - description responses: '200': content: application/json: examples: - PostAttackDiscoveryBulkResponse200Example: - summary: >- - A successful bulk update response containing the modified - Attack discoveries. + renameAttachmentResponseExample: + description: Example response returning the renamed attachment (version unchanged) value: - data: - - alert_ids: - - alert-abc-1 - alert_workflow_status: acknowledged - connector_id: gen-ai-connector - connector_name: OpenAI GPT-4 - details_markdown: >- - - **Host** `workstation-01` showed credential access - patterns consistent with mimikatz. 
- generation_uuid: 550e8400-e29b-41d4-a716-446655440000 - id: >- - c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f - summary_markdown: >- - A user account was compromised using mimikatz to dump - credentials. - timestamp: '2024-01-15T10:00:00.000Z' - title: Credential theft via mimikatz - schema: - type: object - properties: - data: - description: >- - Array of updated Attack Discovery alert objects. Each item - includes the applied modifications from the bulk update - request. - items: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiAlert - type: array - required: - - data - description: Indicates a successful call. - '400': + attachment: + active: true + current_version: 1 + description: Updated attachment name + id: att-abc123 + type: text + versions: + - content_hash: sha256-xyz + created_at: '2025-01-06T10:00:00.000Z' + data: Content remains the same + estimated_tokens: 10 + version: 1 + success: true + description: Indicates a successful response + summary: Rename attachment + tags: + - agent builder + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an attachment content. Creates a new version if content changed.

[Required authorization] Route required privileges: agentBuilder:read. + operationId: put-agent-builder-conversations-conversation-id-attachments-attachment-id + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The unique identifier of the conversation. + in: path + name: conversation_id + required: true + schema: + type: string + - description: The unique identifier of the attachment to update. + in: path + name: attachment_id + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + updateAttachmentContentExample: + description: Example request for updating attachment content + value: + data: This is the updated content + updateAttachmentWithDescriptionExample: + description: Example request for updating both content and description + value: + data: New content version + description: Updated meeting notes - v2 + schema: + additionalProperties: false + type: object + properties: + data: + description: The new attachment data/content. + nullable: true + description: + description: Optional new description for the attachment. + type: string + required: + - data + responses: + '200': content: application/json: examples: - PostAttackDiscoveryBulkResponse400Example: - summary: >- - Bad Request error returned when the bulk update payload is - invalid. + updateAttachmentResponseExample: + description: Example response returning the updated attachment with new version value: - error: Bad Request - message: Invalid request parameters. - status_code: 400 - schema: - type: object - properties: - error: - description: Error type - example: Bad Request - type: string - message: - description: >- - Human-readable error message describing what went wrong - with the bulk update request - example: Invalid request parameters. 
- type: string - status_code: - description: HTTP status code - example: 400 - type: number - required: - - status_code - - error - - message - description: Bad Request response. - summary: Bulk update Attack discoveries + attachment: + active: true + current_version: 2 + description: Meeting notes + id: att-abc123 + type: text + versions: + - content_hash: sha256-abc + created_at: '2025-01-06T10:00:00.000Z' + data: Original content + estimated_tokens: 10 + version: 1 + - content_hash: sha256-def + created_at: '2025-01-06T11:00:00.000Z' + data: This is the updated content + estimated_tokens: 12 + version: 2 + new_version: 2 + description: Indicates a successful response + summary: Update conversation attachment tags: - - Security Attack discovery API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request POST 'http://localhost:5601/api/attack_discovery/_bulk' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" \ - --data-raw '{ - "update": { - "ids": [ - "c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f", - "5aa8f2900c0b03854b3b1a52a19558c5ea9893865c78235d4ad3dcc46196f4c7" - ], - "kibana_alert_workflow_status": "acknowledged" - } - }' - /api/attack_discovery/_find: - get: - description: >- - Find Attack discoveries that match the search criteria. Supports free - text search, filtering, pagination, and sorting. - operationId: AttackDiscoveryFind + - agent builder + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}/_restore: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}/_restore
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Restore a soft-deleted attachment.

[Required authorization] Route required privileges: agentBuilder:read. + operationId: post-agent-builder-conversations-conversation-id-attachments-attachment-id-restore parameters: - - description: >- - Filter results to Attack discoveries that include any of the - provided alert IDs - in: query - name: alert_ids - required: false + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - items: - type: string - type: array - - description: >- - Filter results to Attack discoveries created by any of the provided - human readable connector names. Note that values must match the - human readable `connector_name` property of an Attack discovery, - e.g. "GPT-5 Chat", which are distinct from `connector_id` values - used to generate Attack discoveries. - in: query - name: connector_names - required: false + example: 'true' + type: string + - description: The unique identifier of the conversation. + in: path + name: conversation_id + required: true schema: - items: - type: string - type: array - - description: >- - Enables a markdown syntax used to render pivot fields, for example - `{{ user.name james }}`. When disabled, the same example would be - rendered as `james`. This is primarily used for Attack Discovery - views within Kibana. Defaults to `false`. - example: false - in: query - name: enable_field_rendering - required: false + type: string + - description: The unique identifier of the attachment to restore. + in: path + name: attachment_id + required: true schema: - default: false - type: boolean - - description: >- - End of the time range for the search. Accepts absolute timestamps - (ISO 8601) or relative date math (e.g. "now", "now-24h"). 
- example: now - in: query - name: end - required: false + type: string + responses: + '200': + content: + application/json: + examples: + restoreAttachmentResponseExample: + description: Example response returning the restored attachment + value: + attachment: + active: true + current_version: 1 + description: Restored attachment + id: att-abc123 + type: text + versions: + - content_hash: sha256-xyz + created_at: '2025-01-06T10:00:00.000Z' + data: Restored content + estimated_tokens: 10 + version: 1 + success: true + description: Indicates a successful response + summary: Restore deleted attachment + tags: + - agent builder + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}/origin: + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}/origin
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update the origin reference for an attachment. Use this after saving a by-value attachment to link it to its persistent store.

[Required authorization] Route required privileges: agentBuilder:read. + operationId: put-agent-builder-conversations-conversation-id-attachments-attachment-id-origin + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: + example: 'true' type: string - - description: Filter results to the Attack discoveries with the specified IDs - in: query - name: ids - required: false - schema: - items: - type: string - type: array - - description: >- - If `true`, the response will include `unique_alert_ids` and - `unique_alert_ids_count` aggregated across the matched Attack - discoveries - example: false - in: query - name: include_unique_alert_ids - required: false - schema: - type: boolean - - description: Page number to return (used for pagination). Defaults to 1. - example: 1 - in: query - name: page - required: false - schema: - default: 1 - minimum: 1 - type: integer - - description: >- - Number of Attack discoveries to return per page (used for - pagination). Defaults to 10. - example: 10 - in: query - name: per_page - required: false - schema: - default: 10 - minimum: 1 - type: integer - - description: >- - Free-text search query applied to relevant text fields of Attack - discoveries (title, description, tags, etc.) - example: '' - in: query - name: search - required: false + - description: The unique identifier of the conversation. + in: path + name: conversation_id + required: true schema: type: string - - description: >- - Whether to filter by shared visibility. If omitted, both shared and - privately visible Attack discoveries are returned. Use `true` to - return only shared discoveries, `false` to return only those visible - to the current user. - in: query - name: shared - required: false - schema: - type: boolean - - description: >- - Whether to filter by scheduled or ad-hoc attack discoveries. If - omitted, both types of attack discoveries are returned. 
Use `true` - to return only scheduled discoveries or `false` to return only - ad-hoc discoveries. - in: query - name: scheduled - required: false - schema: - type: boolean - - description: >- - Field used to sort results. See `AttackDiscoveryFindSortField` for - allowed values. - example: '@timestamp' - in: query - name: sort_field - required: false - schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryFindSortField - default: '@timestamp' - - description: >- - Sort order direction `asc` for ascending or `desc` for descending. - Defaults to `desc`. - example: desc - in: query - name: sort_order - required: false - schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_SortOrder' - default: desc - - description: >- - Start of the time range for the search. Accepts absolute timestamps - (ISO 8601) or relative date math (e.g. "now-7d"). - example: now-24h - in: query - name: start - required: false + - description: The unique identifier of the attachment to update. + in: path + name: attachment_id + required: true schema: type: string - - description: >- - Filter by alert workflow status. Provide one or more of the allowed - workflow states. - example: - - open - - acknowledged - in: query - name: status - required: false - schema: - items: - enum: - - acknowledged - - closed - - open - type: string - type: array - - description: >- - When true, return the created Attack discoveries with text - replacements applied to the detailsMarkdown, entitySummaryMarkdown, - summaryMarkdown, and title fields. Defaults to `true`. 
- example: true - in: query - name: with_replacements - required: false - schema: - default: true - type: boolean + requestBody: + content: + application/json: + examples: + updateOriginExample: + description: Example request for linking an attachment to a saved visualization + value: + origin: abc123 + schema: + additionalProperties: false + type: object + properties: + origin: + description: The origin string (e.g., saved object ID for visualizations and dashboards). + type: string + required: + - origin responses: '200': content: application/json: examples: - AttackDiscoveryFindResponse200Example: - summary: >- - Paginated list of Attack discoveries matching the search - criteria. + updateOriginResponseExample: + description: Example response returning the attachment with updated origin value: - connector_names: - - GPT-5 Chat - data: - - connector_name: GPT-5 Chat - id: >- - c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f - title: Suspicious process execution on host-01 - page: 1 - per_page: 10 - total: 1 - unique_alert_ids_count: 0 - schema: - type: object - properties: - connector_names: - description: >- - List of human readable connector names that are present in - the matched Attack discoveries. Useful for building client - filters or summaries. - items: - type: string - type: array - data: - description: >- - Array of matched Attack discovery objects. Each item - follows the `AttackDiscoveryApiAlert` schema. - items: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiAlert - type: array - page: - description: Current page number of the paginated result set. - type: integer - per_page: - description: Number of items requested per page. - type: integer - total: - description: >- - Total number of Attack discoveries matching the query - (across all pages). - type: integer - unique_alert_ids: - description: >- - List of unique alert IDs aggregated from the matched - Attack discoveries. 
Only present if - `include_unique_alert_ids=true` in the request. - items: - type: string - type: array - unique_alert_ids_count: - description: >- - Number of unique alert IDs across all matched Attack - discoveries. Only present if - `include_unique_alert_ids=true` in the request. - type: integer - required: - - connector_names - - data - - page - - per_page - - total - - unique_alert_ids_count - description: Indicates a successful call. - '400': + attachment: + active: true + current_version: 1 + description: Sales chart + id: att-123 + origin: abc123 + type: visualization + versions: + - content_hash: sha256-xyz + created_at: '2025-01-06T10:00:00.000Z' + data: + chart_type: bar + esql: FROM sales | STATS count=COUNT(*) BY month + query: Show monthly sales + visualization: {} + estimated_tokens: 50 + version: 1 + success: true + description: Indicates a successful response + summary: Update attachment origin + tags: + - agent builder + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/agent_builder/conversations/{conversation_id}/attachments/stale: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments/stale
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Checks staleness for the latest version of all conversation attachments against their origin snapshot.

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-conversations-conversation-id-attachments-stale + parameters: + - description: The unique identifier of the conversation. + in: path + name: conversation_id + required: true + schema: + type: string + responses: + '200': content: application/json: examples: - AttackDiscoveryFindResponse400Example: - summary: >- - Bad Request error returned when find query parameters are - invalid. - value: - error: Bad Request - message: Invalid request payload. - status_code: 400 - schema: - type: object - properties: - error: - description: Error type - example: Bad Request - type: string - message: - description: Human-readable error message - example: Invalid request payload. - type: string - status_code: - description: HTTP status code - example: 400 - type: number - description: Bad Request response. - summary: Find Attack discoveries that match the search criteria + checkStaleAttachmentsResponseExample: + description: 'Mixed conversation: attachments without a stale source return only id and is_stale. When a staleness check fails for one attachment, is_stale is false and an error explains why. When an origin-backed attachment is out of date, the response includes type, origin, and resolved data (here a simple text body) for resync.' 
+ value: + attachments: + - id: att-text-meeting-notes + is_stale: false + - id: att-lens-active-users + is_stale: false + - error: Origin could not be resolved + id: att-query-attachment + is_stale: false + - data: This is the content of my text attachment + hidden: false + id: att-text-runbook + is_stale: true + origin: document:hr-onboarding-v2 + type: text + description: Indicates a successful response + summary: Check attachment staleness tags: - - Security Attack discovery API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request GET 'http://localhost:5601/api/attack_discovery/_find?end=now&include_unique_alert_ids=false&page=1&per_page=10&search=&sort_field=%40timestamp&sort_order=desc&start=now-24h&status=open&status=acknowledged' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" - /api/attack_discovery/_generate: + - agent builder + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/agent_builder/converse: post: - description: >- - Initiates the generation of attack discoveries by analyzing security - alerts using AI. Returns an execution UUID that can be used to track the - generation progress and retrieve results. Results may also be retrieved - via the find endpoint. - operationId: PostAttackDiscoveryGenerate + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/agent_builder/converse
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Send a message to an agent and receive a complete response. This synchronous endpoint waits for the agent to fully process your request before returning the final result. Use this for simple chat interactions where you need the complete response. To learn more about agent chat, refer to the [agent chat documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/chat).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: post-agent-builder-converse + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: examples: - PostAttackDiscoveryGenerateRequestBodyExample: - summary: Generate Attack discoveries from alerts in the last 24 hours. + converseRequestExample: + description: Example request to send a message to the agent as a part of the conversation value: - alertsIndexPattern: .alerts-security.alerts-default - anonymizationFields: - - allowed: true - anonymized: true - field: host.name - - allowed: true - anonymized: true - field: user.name - - allowed: true - anonymized: false - field: process.name - apiConfig: - actionTypeId: .gen-ai - connectorId: 12345678-1234-1234-1234-123456789012 - connectorName: GPT-5 Chat - end: now - replacements: {} - size: 100 - start: now-24h - subAction: invokeAI + agent_id: elastic-ai-agent + connector_id: my-connector-id + input: What is Elasticsearch? + converseRequestInferenceExample: + description: Example using inference_id (mutually exclusive with connector_id) + value: + agent_id: elastic-ai-agent + inference_id: my-inference-endpoint-id + input: What is Elasticsearch? schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenerationConfig - required: true + additionalProperties: false + type: object + properties: + _execution_mode: + description: '**Experimental; added in 9.4.0.** define how to execute the agent (local execution or via task_manager)' + enum: + - local + - task_manager + type: string + action: + description: The action to perform. "regenerate" re-executes the last round with the original input. Requires conversation_id. + enum: + - regenerate + type: string + agent_id: + default: elastic-ai-agent + description: The ID of the agent to chat with. 
Defaults to the default Elastic AI agent. + type: string + attachments: + description: '**Technical Preview; added in 9.3.0.** Optional attachments to send with the message.' + items: + additionalProperties: false + type: object + properties: + data: + additionalProperties: + nullable: true + description: Payload of the attachment. Required unless `origin` is provided (content is resolved once at send time). + type: object + hidden: + description: When true, the attachment will not be displayed in the UI. + type: boolean + id: + description: Optional id for the attachment. + type: string + origin: + description: Origin string (for example, saved object ID) for by-reference attachments. When provided without `data`, the content is resolved once using the attachment type’s `resolve` hook. + type: string + type: + description: Type of the attachment. + type: string + required: + - type + type: array + browser_api_tools: + description: Optional browser API tools to be registered as LLM tools with browser.* namespace. These tools execute on the client side. + items: + additionalProperties: false + type: object + properties: + description: + description: Description of what the browser API tool does. + type: string + id: + description: Unique identifier for the browser API tool. + type: string + schema: + description: JSON Schema defining the tool parameters (JsonSchema7Type). + nullable: true + required: + - id + - description + - schema + type: array + capabilities: + additionalProperties: false + description: Controls agent capabilities during conversation. Currently supports visualization rendering for tabular tool results. + type: object + properties: + visualizations: + description: When true, allows the agent to render tabular data from tool results as interactive visualizations using custom XML elements in responses. + type: boolean + configuration_overrides: + additionalProperties: false + description: Runtime configuration overrides. 
These override the stored agent configuration for this execution only. + type: object + properties: + instructions: + description: Custom instructions for the agent. + type: string + tools: + description: Tool selection to enable for this execution. + items: + additionalProperties: false + type: object + properties: + tool_ids: + items: + type: string + type: array + required: + - tool_ids + type: array + connector_id: + description: Optional connector ID for the agent to use for model routing. Mutually exclusive with `inference_id`; omit or use only one. + nullable: true + type: string + conversation_id: + description: Optional existing conversation ID to continue a previous conversation. + type: string + inference_id: + description: Optional inference endpoint ID for model routing (public alias for the same internal identifier as `connector_id`). Mutually exclusive with `connector_id`. + nullable: true + type: string + input: + description: The user input message to send to the agent. + type: string + prompts: + additionalProperties: + additionalProperties: false + type: object + properties: + allow: + type: boolean + required: + - allow + description: Can be used to respond to a confirmation prompt. + type: object responses: '200': content: application/json: examples: - PostAttackDiscoveryGenerateResponse200Example: - summary: >- - Generation started; use the returned execution UUID to track - progress. - value: - execution_uuid: edd26039-0990-4d9f-9829-2a1fcacb77b5 - schema: - type: object - properties: - execution_uuid: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_NonEmptyString - description: >- - The unique identifier for the attack discovery generation - process. Use this UUID to track the generation progress - and retrieve results via the find endpoint. - example: edd26039-0990-4d9f-9829-2a1fcacb77b5 - required: - - execution_uuid - description: Indicates a successful call. 
- '400': - content: - application/json: - examples: - PostAttackDiscoveryGenerateResponse400Example: - summary: >- - Bad Request error returned when the generate payload is - invalid. + converseResponseExample: + description: Example response containing the chain of events representing a conversation with the agent value: - error: Bad Request - message: Invalid request parameters. - status_code: 400 - schema: - type: object - properties: - error: - description: Error type - example: Bad Request - type: string - message: - description: Human-readable error message describing what went wrong - example: Invalid request parameters. - type: string - status_code: - description: HTTP status code - example: 400 - type: number - required: - - status_code - - error - - message - description: Bad Request response. - summary: Generate attack discoveries from alerts + conversation_id: 696ccd6d-4bff-4b26-a62e-522ccf2dcd16 + response: + message: Elasticsearch is a distributed, RESTful search and analytics engine capable of addressing a growing number of use cases. As the heart of the Elastic Stack, it centrally stores your data for lightning fast search, fine‑tuned relevancy, and powerful analytics that scale with ease. 
+ steps: + - reasoning: Searching for official documentation or content that explains what Elasticsearch is + type: reasoning + - params: + query: what is elasticsearch definition overview introduction + progression: + - message: Selecting the best target for this query + results: + - data: + message: Could not figure out which index to use + type: error + tool_call_id: tooluse_shOdUwKIRwC9YhqGzeg0cQ + tool_id: platform.core.search + type: tool_call + description: Indicates a successful response + summary: Send chat message tags: - - Security Attack discovery API + - agent builder x-codeSamples: - - label: Example request - lang: curl + - lang: curl source: | curl \ - --request POST 'http://localhost:5601/api/attack_discovery/_generate' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" \ - --data '{ - "alertsIndexPattern": ".alerts-security.alerts-default", - "anonymizationFields": [ - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "@timestamp", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "aKiJW5gB4U27o8XO8oLf" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "Ransomware.feature", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "saiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "Ransomware.files.data", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "sqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "Ransomware.files.entropy", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "s6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "Ransomware.files.extension", - "allowed": true, - 
"anonymized": false, - "namespace": "default", - "id": "tKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "Ransomware.files.metrics", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "taiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "Ransomware.files.operation", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "tqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "Ransomware.files.path", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "t6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "Ransomware.files.score", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "uKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "Ransomware.version", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "uaiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "_id", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "Z6iJW5gB4U27o8XO8oLf" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "agent.id", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "aaiJW5gB4U27o8XO8oLf" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "cloud.availability_zone", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "aqiJW5gB4U27o8XO8oLf" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - 
"field": "cloud.provider", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "a6iJW5gB4U27o8XO8oLf" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "cloud.region", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "bKiJW5gB4U27o8XO8oLf" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "destination.ip", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "baiJW5gB4U27o8XO8oLf" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "dns.question.name", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "bqiJW5gB4U27o8XO8oLf" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "dns.question.type", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "b6iJW5gB4U27o8XO8oLf" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "event.category", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "cKiJW5gB4U27o8XO8oLf" - }, + -X POST "${KIBANA_URL}/api/agent_builder/converse" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "input": "What is Elasticsearch?", + "agent_id": "elastic-ai-agent"}' + - lang: Console + source: | + POST kbn://api/agent_builder/converse + { + "input": "What is Elasticsearch?", + "agent_id": "elastic-ai-agent" + } + x-state: '' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/agent_builder/converse/async: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/agent_builder/converse/async
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Send a message to an agent and receive real-time streaming events. This asynchronous endpoint provides live updates as the agent processes your request, allowing you to see intermediate steps and progress. Use this for interactive experiences where you want to monitor the agent's thinking process. + + ## Event types + + The endpoint emits Server-Sent Events (SSE) with the following custom event types: + + `conversation_id_set` + + Sets the conversation ID. + + Schema: + ```json + { + "conversation_id": "uuid" + } + ``` + + --- + + `conversation_created` + + Fires when a new conversation is persisted and assigned an ID. + + Schema: + ```json + { + "conversation_id": "uuid", + "title": "conversation title" + } + ``` + + --- + + `conversation_updated` + + Fires when a conversation is updated. + + Schema: + ```json + { + "conversation_id": "uuid", + "title": "updated conversation title" + } + ``` + + --- + + `reasoning` + + Handles reasoning-related data. + + Schema: + ```json + { + "reasoning": "plain text reasoning content", + "transient": false + } + ``` + + --- + + `tool_call` + + Triggers when a tool is invoked. + + Schema: + ```json + { + "tool_call_id": "uuid", + "tool_id": "tool_name", + "params": {} + } + ``` + + --- + + `tool_progress` + + Reports progress of a running tool. + + Schema: + ```json + { + "tool_call_id": "uuid", + "message": "progress message" + } + ``` + + --- + + `tool_result` + + Returns results from a completed tool call. + + Schema: + ```json + { + "tool_call_id": "uuid", + "tool_id": "tool_name", + "results": [] + } + ``` + + **Note:** `results` is an array of `ToolResult` objects. + + --- + + `message_chunk` + + Streams partial text chunks. + + Schema: + ```json + { + "message_id": "uuid", + "text_chunk": "partial text" + } + ``` + + --- + + `message_complete` + + Indicates message stream is finished. 
+ + Schema: + ```json + { + "message_id": "uuid", + "message_content": "full text content of the message" + } + ``` + + --- + + `thinking_complete` + + Marks the end of the thinking/reasoning phase. + + Schema: + ```json + { + "time_to_first_token": 0 + } + ``` + + **Note:** `time_to_first_token` is in milliseconds. + + --- + + `round_complete` + + Marks end of one conversation round. + + Schema: + ```json + { + "round": {} + } + ``` + + **Note:** `round` contains the full round json object. + + --- + + ## Event flow + + A typical conversation round emits events in this sequence: + + 1. `reasoning` (potentially multiple, some transient) + 2. `tool_call` (if tools are used) + 3. `tool_progress` (zero or more progress updates) + 4. `tool_result` (when tool completes) + 5. `thinking_complete` + 6. `message_chunk` (multiple, as text streams) + 7. `message_complete` + 8. `round_complete` + +

[Required authorization] Route required privileges: agentBuilder:read. + operationId: post-agent-builder-converse-async + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + converseAsyncRequestExample: + description: Example request to send a message to the agent as a part of the conversation + value: + agent_id: elastic-ai-agent + conversation_id: c250305b-1929-4248-b568-b9e3f065fda5 + input: Hello + converseAsyncRequestInferenceExample: + description: Example using inference_id (mutually exclusive with connector_id) + value: + agent_id: elastic-ai-agent + inference_id: my-inference-endpoint-id + input: Hello + schema: + additionalProperties: false + type: object + properties: + _execution_mode: + description: '**Experimental; added in 9.4.0.** define how to execute the agent (local execution or via task_manager)' + enum: + - local + - task_manager + type: string + action: + description: The action to perform. "regenerate" re-executes the last round with the original input. Requires conversation_id. + enum: + - regenerate + type: string + agent_id: + default: elastic-ai-agent + description: The ID of the agent to chat with. Defaults to the default Elastic AI agent. + type: string + attachments: + description: '**Technical Preview; added in 9.3.0.** Optional attachments to send with the message.' + items: + additionalProperties: false + type: object + properties: + data: + additionalProperties: + nullable: true + description: Payload of the attachment. Required unless `origin` is provided (content is resolved once at send time). + type: object + hidden: + description: When true, the attachment will not be displayed in the UI. + type: boolean + id: + description: Optional id for the attachment. 
+ type: string + origin: + description: Origin string (for example, saved object ID) for by-reference attachments. When provided without `data`, the content is resolved once using the attachment type’s `resolve` hook. + type: string + type: + description: Type of the attachment. + type: string + required: + - type + type: array + browser_api_tools: + description: Optional browser API tools to be registered as LLM tools with browser.* namespace. These tools execute on the client side. + items: + additionalProperties: false + type: object + properties: + description: + description: Description of what the browser API tool does. + type: string + id: + description: Unique identifier for the browser API tool. + type: string + schema: + description: JSON Schema defining the tool parameters (JsonSchema7Type). + nullable: true + required: + - id + - description + - schema + type: array + capabilities: + additionalProperties: false + description: Controls agent capabilities during conversation. Currently supports visualization rendering for tabular tool results. + type: object + properties: + visualizations: + description: When true, allows the agent to render tabular data from tool results as interactive visualizations using custom XML elements in responses. + type: boolean + configuration_overrides: + additionalProperties: false + description: Runtime configuration overrides. These override the stored agent configuration for this execution only. + type: object + properties: + instructions: + description: Custom instructions for the agent. + type: string + tools: + description: Tool selection to enable for this execution. + items: + additionalProperties: false + type: object + properties: + tool_ids: + items: + type: string + type: array + required: + - tool_ids + type: array + connector_id: + description: Optional connector ID for the agent to use for model routing. Mutually exclusive with `inference_id`; omit or use only one. 
+ nullable: true + type: string + conversation_id: + description: Optional existing conversation ID to continue a previous conversation. + type: string + inference_id: + description: Optional inference endpoint ID for model routing (public alias for the same internal identifier as `connector_id`). Mutually exclusive with `connector_id`. + nullable: true + type: string + input: + description: The user input message to send to the agent. + type: string + prompts: + additionalProperties: + additionalProperties: false + type: object + properties: + allow: + type: boolean + required: + - allow + description: Can be used to respond to a confirmation prompt. + type: object + responses: + '200': + content: + text/event-stream: + examples: + converseAsyncResponseExample: + description: Example stream containing the chain of events representing a conversation with the agent + value: + - data: + data: + conversation_id: c250305b-1929-4248-b568-b9e3f065fda5 + event: conversation_id_set + - data: + data: + reasoning: Starting with a general search to understand what content is available. + event: reasoning + - data: + data: + params: + query: latest documents + tool_call_id: tooluse__2aJELgyRYqD8SDOKSiwtg + tool_id: platform.core.search + event: tool_call + - data: + data: + results: + - data: + message: Could not figure out which index to use + type: error + tool_call_id: tooluse__2aJELgyRYqD8SDOKSiwtg + event: tool_result + - data: + data: + round: + id: a5692d54-bc06-4a6e-aea1-412779c73f66 + input: + message: Hello + response: + message: Hello! How can I help you today? 
+ event: round_complete + description: Indicates a successful response + summary: Send chat message (streaming) + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/agent_builder/converse/async" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "input": "Hello again let us have an async chat", + "agent_id": "elastic-ai-agent", + "conversation_id": "" + }' + - lang: Console + source: | + POST kbn://api/agent_builder/converse/async + { + "input": "Hello again let's have an async chat", + "agent_id": "elastic-ai-agent", + "conversation_id": "" + } + x-state: '' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/agent_builder/mcp: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/agent_builder/mcp
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + > warn + > This endpoint is designed for MCP clients (Claude Desktop, Cursor, VS Code, etc.) and should not be used directly via REST APIs. Use MCP Inspector or native MCP clients instead. + To learn more about the Agent Builder MCP server, refer to the [MCP documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/mcp-server).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: post-agent-builder-mcp + parameters: + - description: Comma-separated list of namespaces to filter tools. Only tools matching the specified namespaces will be returned. + in: query + name: namespace + required: false + schema: + type: string + requestBody: + content: + application/json: + examples: + mcpInitializeRequestExample: + description: 'WARNING: DO NOT USE THIS ENDPOINT VIA REST API. These examples are auto-generated and should not be run. Integrate with MCP using MCP Inspector or native MCP clients (Claude Desktop, Cursor, VS Code) instead.' + value: + id: 1 + jsonrpc: '2.0' + method: initialize + params: + capabilities: {} + clientInfo: + name: test-client + version: 1.0.0 + protocolVersion: '2024-11-05' + schema: {} + responses: + '200': + content: + application/json: + examples: + mcpInitializeResponseExample: + description: Example response showing the successful result of communication initialisation over MCP protocol + value: + id: 1 + jsonrpc: '2.0' + result: + capabilities: + tools: + listChanged: true + protocolVersion: '2024-11-05' + serverInfo: + name: elastic-mcp-server + version: 0.0.1 + description: Indicates a successful response + summary: MCP server + tags: + - agent builder + x-state: '' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/agent_builder/plugins: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/agent_builder/plugins
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all installed plugins and their managed assets. Plugins are installable packages that bundle agent capabilities such as skills, following the [Claude agent plugin specification](https://code.claude.com/docs/en/plugins). To learn more about Agent Builder plugins, refer to the [plugins documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/plugins).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-plugins + parameters: [] + responses: + '200': + content: + application/json: + examples: + listPluginsResponseExample: + description: Example response that returns one installed plugin + value: + results: + - created_at: '2025-01-01T00:00:00.000Z' + description: Financial analysis tools and skills for Claude + id: financial-analysis + manifest: + author: + name: Anthropic + url: https://www.anthropic.com + keywords: + - finance + - analysis + repository: https://github.com/anthropics/financial-services-plugins + name: financial-analysis + skill_ids: + - financial-analysis-analyze-portfolio + source_url: https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis + unmanaged_assets: + agents: [] + hooks: [] + lsp_servers: [] + mcp_servers: [] + output_styles: [] + updated_at: '2025-01-01T00:00:00.000Z' + version: 1.0.0 + description: Indicates a successful response + summary: List plugins + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/agent_builder/plugins" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/agent_builder/plugins + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/agent_builder/plugins/{pluginId}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/agent_builder/plugins/{pluginId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete an installed plugin by ID. This action cannot be undone. To learn more about Agent Builder plugins, refer to the [plugins documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/plugins).

[Required authorization] Route required privileges: agentBuilder:write. + operationId: delete-agent-builder-plugins-pluginid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The unique identifier of the plugin. + in: path + name: pluginId + required: true + schema: + type: string + - description: If true, removes the plugin skills from agents that use them and then deletes the plugin. If false and any agent uses the plugin skills, the request returns 409 Conflict with the list of agents. + in: query + name: force + required: false + schema: + default: false + type: boolean + responses: + '200': + content: + application/json: + examples: + deletePluginResponseExample: + description: Example response showing that deletion of the plugin has been successful + value: + success: true + description: Indicates a successful response + summary: Delete a plugin + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X DELETE "${KIBANA_URL}/api/agent_builder/plugins/{id}" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" + - lang: Console + source: | + DELETE kbn://api/agent_builder/plugins/{id} + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/agent_builder/plugins/{pluginId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a specific plugin by ID. To learn more about Agent Builder plugins, refer to the [plugins documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/plugins).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-plugins-pluginid + parameters: + - description: The unique identifier of the plugin. + in: path + name: pluginId + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getPluginByIdResponseExample: + description: Example response returning a single installed plugin + value: + created_at: '2025-01-01T00:00:00.000Z' + description: Financial analysis tools and skills for Claude + id: financial-analysis + manifest: + author: + name: Anthropic + url: https://www.anthropic.com + keywords: + - finance + - analysis + repository: https://github.com/anthropics/financial-services-plugins + name: financial-analysis + skill_ids: + - financial-analysis-analyze-portfolio + source_url: https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis + unmanaged_assets: + agents: [] + hooks: [] + lsp_servers: [] + mcp_servers: [] + output_styles: [] + updated_at: '2025-01-01T00:00:00.000Z' + version: 1.0.0 + description: Indicates a successful response + summary: Get a plugin by id + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/agent_builder/plugins/{id}" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/agent_builder/plugins/{id} + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/agent_builder/plugins/install: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/agent_builder/plugins/install
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Install a plugin from a [GitHub Claude plugin URL](https://code.claude.com/docs/en/plugins) or a direct ZIP URL. Plugins bundle agent capabilities such as skills. To learn more about Agent Builder plugins, refer to the [plugins documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/plugins).

[Required authorization] Route required privileges: agentBuilder:write. + operationId: post-agent-builder-plugins-install + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + installPluginFromGithubExample: + description: Example request for installing a plugin from a GitHub URL + value: + url: https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis + installPluginFromZipExample: + description: Example request for installing a plugin from a direct zip URL + value: + url: https://my-server.example.com/my-plugin.zip + installPluginWithNameOverrideExample: + description: Example request for installing a plugin with a custom name + value: + plugin_name: my-custom-plugin-name + url: https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis + schema: + additionalProperties: false + type: object + properties: + plugin_name: + description: Optional name override for the plugin. Defaults to the manifest name. + type: string + url: + description: URL to install the plugin from (GitHub URL or direct zip URL). 
+ type: string + required: + - url + responses: + '200': + content: + application/json: + examples: + installPluginResponseExample: + description: Example response returning the definition of the installed plugin + value: + created_at: '2025-01-01T00:00:00.000Z' + description: Financial analysis tools and skills for Claude + id: financial-analysis + manifest: + author: + name: Anthropic + url: https://www.anthropic.com + keywords: + - finance + - analysis + repository: https://github.com/anthropics/financial-services-plugins + name: financial-analysis + skill_ids: + - financial-analysis-analyze-portfolio + source_url: https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis + unmanaged_assets: + agents: [] + hooks: [] + lsp_servers: [] + mcp_servers: [] + output_styles: [] + updated_at: '2025-01-01T00:00:00.000Z' + version: 1.0.0 + description: Indicates a successful response + summary: Install a plugin + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/agent_builder/plugins/install" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "url": "https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis" + }' + - lang: Console + source: | + POST kbn://api/agent_builder/plugins/install + { + "url": "https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis" + } + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/agent_builder/skills: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/agent_builder/skills
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all available skills (built-in and user-created). To learn more about Agent Builder skills, refer to the [skills documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/skills).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-skills + parameters: + - description: Set to true to include skills from plugins. + in: query + name: include_plugins + required: false + schema: + default: false + type: boolean + responses: + '200': + content: + application/json: + examples: + listSkillsResponseExample: + description: Example response returning a list of skills + value: + results: + - description: A built-in skill provided by the platform. + experimental: false + id: built-in-skill-id + name: Built-in Skill + readonly: true + referenced_content_count: 0 + - description: A user-created skill for data analysis. + experimental: false + id: custom-skill-id + name: Custom Skill + readonly: false + referenced_content_count: 1 + tool_ids: + - platform.core.search + description: Indicates a successful response + summary: List skills + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "https://${KIBANA_URL}/api/agent_builder/skills" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn:/api/agent_builder/skills + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/agent_builder/skills
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new user-defined skill. To learn more about Agent Builder skills, refer to the [skills documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/skills).

[Required authorization] Route required privileges: agentBuilder:manageSkills. + operationId: post-agent-builder-skills + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + createSkillRequestExample: + description: Example request to create a user-defined skill + value: + content: You are an expert data analyst. Use the available tools to query and analyze data. + description: A skill for performing custom data analysis. + id: my-custom-skill + name: Custom Analysis Skill + tool_ids: + - platform.core.search + schema: + additionalProperties: false + type: object + properties: + content: + description: Skill instructions content (markdown). + type: string + description: + description: Description of what the skill does. + type: string + id: + description: Unique identifier for the skill. + type: string + name: + description: Human-readable name for the skill. + type: string + referenced_content: + items: + additionalProperties: false + type: object + properties: + content: + description: Content of the reference. + type: string + name: + description: Name of the referenced content. + type: string + relativePath: + description: Relative path of the referenced content. + type: string + required: + - name + - relativePath + - content + maxItems: 100 + type: array + tool_ids: + default: [] + description: Tool IDs from the tool registry that this skill references. + items: + description: Tool ID from the tool registry. + type: string + maxItems: 100 + type: array + required: + - id + - name + - description + - content + responses: + '200': + content: + application/json: + examples: + createSkillResponseExample: + description: Example response returning the created skill + value: + content: You are an expert data analyst. Use the available tools to query and analyze data. 
+ description: A skill for performing custom data analysis. + experimental: false + id: my-custom-skill + name: Custom Analysis Skill + readonly: false + tool_ids: + - platform.core.search + description: Indicates a successful response + summary: Create a skill + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "https://${KIBANA_URL}/api/agent_builder/skills" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "id": "my-custom-skill", + "name": "Custom Analysis Skill", + "description": "A skill for performing custom data analysis.", + "content": "You are an expert data analyst.", + "tool_ids": ["platform.core.search"] + }' + - lang: Console + source: | + POST kbn:/api/agent_builder/skills + { + "id": "my-custom-skill", + "name": "Custom Analysis Skill", + "description": "A skill for performing custom data analysis.", + "content": "You are an expert data analyst.", + "tool_ids": ["platform.core.search"] + } + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/agent_builder/skills/{skillId}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/agent_builder/skills/{skillId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a user-created skill by ID. If agents still reference the skill, the request returns 409 unless force=true, which removes the skill from agents first. Built-in skills cannot be deleted. To learn more about Agent Builder skills, refer to the [skills documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/skills).

[Required authorization] Route required privileges: agentBuilder:manageSkills. + operationId: delete-agent-builder-skills-skillid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The unique identifier of the skill. + in: path + name: skillId + required: true + schema: + maxLength: 512 + minLength: 1 + type: string + - description: If true, removes the skill from agents that use it and then deletes it. If false and any agent uses the skill, the request returns 409 Conflict with the list of agents. + in: query + name: force + required: false + schema: + default: false + type: boolean + responses: + '200': + content: + application/json: + examples: + deleteSkillResponseExample: + description: Example response showing that the deletion operation was successful + value: + success: true + description: Indicates a successful response + summary: Delete a skill + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X DELETE "https://${KIBANA_URL}/api/agent_builder/skills/{skillId}?force=false" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" + - lang: Console + source: | + DELETE kbn:/api/agent_builder/skills/{skillId} + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/agent_builder/skills/{skillId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a specific skill by ID. To learn more about Agent Builder skills, refer to the [skills documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/skills).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-skills-skillid + parameters: + - description: The unique identifier of the skill. + in: path + name: skillId + required: true + schema: + maxLength: 512 + minLength: 1 + type: string + responses: + '200': + content: + application/json: + examples: + getSkillResponseExample: + description: Example response returning a skill by ID + value: + content: You are an expert data analyst. Use the available tools to query and analyze data. + description: A skill for performing custom data analysis. + experimental: false + id: my-custom-skill + name: Custom Analysis Skill + readonly: false + tool_ids: + - platform.core.search + description: Indicates a successful response + summary: Get a skill by id + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "https://${KIBANA_URL}/api/agent_builder/skills/{skillId}" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn:/api/agent_builder/skills/{skillId} + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/agent_builder/skills/{skillId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an existing user-created skill. To learn more about Agent Builder skills, refer to the [skills documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/skills).

[Required authorization] Route required privileges: agentBuilder:manageSkills. + operationId: put-agent-builder-skills-skillid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The unique identifier of the skill. + in: path + name: skillId + required: true + schema: + maxLength: 512 + minLength: 1 + type: string + requestBody: + content: + application/json: + examples: + updateSkillRequestExample: + description: Example request to update a user-defined skill + value: + content: Updated skill instructions content. + description: Updated description for the skill. + name: Updated Skill Name + tool_ids: + - platform.core.search + - platform.core.execute_esql + schema: + additionalProperties: false + type: object + properties: + content: + description: Updated skill instructions content. + type: string + description: + description: Updated description. + type: string + name: + description: Updated name for the skill. + type: string + referenced_content: + items: + additionalProperties: false + type: object + properties: + content: + description: Content of the reference. + type: string + name: + description: Name of the referenced content. + type: string + relativePath: + description: Relative path of the referenced content. + type: string + required: + - name + - relativePath + - content + maxItems: 100 + type: array + tool_ids: + description: Updated tool IDs from the tool registry. + items: + description: Updated tool ID. + type: string + maxItems: 100 + type: array + responses: + '200': + content: + application/json: + examples: + updateSkillResponseExample: + description: Example response returning the updated skill + value: + content: Updated skill instructions content. + description: Updated description for the skill. 
+ experimental: false + id: my-custom-skill + name: Updated Skill Name + readonly: false + tool_ids: + - platform.core.search + - platform.core.execute_esql + description: Indicates a successful response + summary: Update a skill + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X PUT "https://${KIBANA_URL}/api/agent_builder/skills/{skillId}" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "name": "Updated Skill Name", + "description": "Updated description for the skill." + }' + - lang: Console + source: | + PUT kbn:/api/agent_builder/skills/{skillId} + { + "name": "Updated Skill Name", + "description": "Updated description for the skill." + } + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/agent_builder/tools: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/agent_builder/tools
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all available tools. Use this endpoint to retrieve complete tool definitions including their schemas and configuration requirements. To learn more about Agent Builder tools, refer to the [tools documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/tools).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-tools + parameters: [] + responses: + '200': + content: + application/json: + examples: + listToolsResponseExample: + description: Example response returning a list of existing tools + value: + results: + - configuration: {} + description: |- + A powerful tool for searching and analyzing data within your Elasticsearch cluster. + It supports both full-text relevance searches and structured analytical queries. + + Use this tool for any query that involves finding documents, counting, aggregating, or summarizing data from a known index. + + Examples of queries: + - "find articles about serverless architecture" + - "search for support tickets mentioning 'billing issue' or 'refund request'" + - "what is our policy on parental leave?" + - "list all products where the category is 'electronics'" + - "show me the last 5 documents from that index" + - "show me the sales over the last year break down by month" + + Note: + - The 'index' parameter can be used to specify which index to search against. + If not provided, the tool will decide itself which is the best index to use. + - It is perfectly fine not to specify the 'index' parameter. It should only be specified when you already + know about the index and fields you want to search on, e.g. if the user explicitly specified it. + id: platform.core.search + readonly: true + schema: + $schema: http://json-schema.org/draft-07/schema# + additionalProperties: false + type: object + properties: + index: + description: (optional) Index to search against. If not provided, will automatically select the best index to use based on the query. + type: string + query: + description: A natural language query expressing the search request + type: string + required: + - query + tags: [] + type: builtin + - configuration: {} + description: Retrieve the full content (source) of an Elasticsearch document based on its ID and index name. 
+ id: platform.core.get_document_by_id + readonly: true + schema: + $schema: http://json-schema.org/draft-07/schema# + additionalProperties: false + type: object + properties: + id: + description: ID of the document to retrieve + type: string + index: + description: Name of the index to retrieve the document from + type: string + required: + - id + - index + tags: [] + type: builtin + - configuration: {} + description: |- + Execute an ES|QL query and return the results in a tabular format. + + **IMPORTANT**: This tool only **runs** queries; it does not write them. + Think of this as the final step after a query has been prepared. + + You **must** get the query from one of two sources before calling this tool: + 1. The output of the `platform.core.generate_esql` tool (if the tool is available). + 2. A verbatim query provided directly by the user. + + Under no circumstances should you invent, guess, or modify a query yourself for this tool. + If you need a query, use the `platform.core.generate_esql` tool first. 
+ id: platform.core.execute_esql + readonly: true + schema: + $schema: http://json-schema.org/draft-07/schema# + additionalProperties: false + type: object + properties: + query: + description: The ES|QL query to execute + type: string + required: + - query + tags: [] + type: builtin + - configuration: + params: + limit: + description: Maximum number of results to return + type: integer + startTime: + description: Start time for the analysis in ISO format + type: date + query: FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit + description: Example ES|QL query tool for analyzing financial trades with time filtering + id: example-esql-tool + readonly: false + schema: + $schema: http://json-schema.org/draft-07/schema# + additionalProperties: false + description: Parameters needed to execute the query + type: object + properties: + limit: + description: Maximum number of results to return + type: integer + startTime: + description: Start time for the analysis in ISO format + format: date-time + type: string + required: + - startTime + - limit + tags: + - analytics + - finance + type: esql + - configuration: + pattern: financial_* + description: Search tool specifically for financial data analysis and reporting + id: example-index-search-tool + readonly: false + schema: + $schema: http://json-schema.org/draft-07/schema# + additionalProperties: false + type: object + properties: + nlQuery: + description: A natural language query expressing the search request + type: string + required: + - nlQuery + tags: + - search + - finance + type: index_search + description: Indicates a successful response + summary: List tools + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "https://${KIBANA_URL}/api/agent_builder/tools" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET 
kbn:/api/agent_builder/tools + x-state: '' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/agent_builder/tools
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new tool. Use this endpoint to define a custom tool with specific functionality and configuration for use by agents. To learn more about Agent Builder tools, refer to the [tools documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/tools).

[Required authorization] Route required privileges: agentBuilder:manageTools. + operationId: post-agent-builder-tools + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + createEsqlToolRequest: + description: Example request to create an ESQL query tool with a pre-defined query + value: + configuration: + params: + limit: + description: Maximum number of results to return + type: integer + startTime: + description: Start time for the analysis in ISO format + type: date + query: FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit + description: Example ES|QL query tool for analyzing financial trades with time filtering + id: example-esql-tool + tags: + - analytics + - finance + type: esql + createIndexSearchToolRequest: + description: Example request to create an index_search tool with a pre-defined index pattern + value: + configuration: + pattern: financial_* + description: Search tool specifically for financial data analysis and reporting + id: example-index-search-tool + tags: + - search + - finance + type: index_search + schema: + additionalProperties: false + type: object + properties: + configuration: + additionalProperties: + nullable: true + description: Tool-specific configuration parameters. See examples for details. + type: object + description: + default: '' + description: Description of what the tool does. + type: string + id: + description: Unique identifier for the tool. + type: string + tags: + default: [] + description: Optional tags for categorizing and organizing tools. + items: + description: Tag for categorizing the tool. + type: string + type: array + type: + description: The type of tool to create (e.g., esql, index_search). 
+ enum: + - esql + - index_search + - workflow + - mcp + type: string + required: + - id + - type + - configuration + responses: + '200': + content: + application/json: + examples: + createEsqlToolExample: + description: Example response returning a definition of ESQL tool created + value: + configuration: + params: + limit: + description: Maximum number of results to return + type: integer + startTime: + description: Start time for the analysis in ISO format + type: date + query: FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit + description: Example ES|QL query tool for analyzing financial trades with time filtering + id: example-esql-tool + readonly: false + schema: + $schema: http://json-schema.org/draft-07/schema# + additionalProperties: false + description: Parameters needed to execute the query + type: object + properties: + limit: + description: Maximum number of results to return + type: integer + startTime: + description: Start time for the analysis in ISO format + format: date-time + type: string + required: + - startTime + - limit + tags: + - analytics + - finance + type: esql + createIndexSearchToolExample: + description: Example response returning a definition of search tool tool created + value: + configuration: + pattern: financial_* + description: Search tool specifically for financial data analysis and reporting + id: example-index-search-tool + readonly: false + schema: + $schema: http://json-schema.org/draft-07/schema# + additionalProperties: false + type: object + properties: + nlQuery: + description: A natural language query expressing the search request + type: string + required: + - nlQuery + tags: + - search + - finance + type: index_search + description: Indicates a successful response + summary: Create a tool + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST 
"https://${KIBANA_URL}/api/agent_builder/tools" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "id": "example-esql-tool", + "type": "esql", + "description": "Example ES|QL query tool for analyzing financial trades with time filtering", + "tags": ["analytics", "finance"], + "configuration": { + "query": "FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit", + "params": { + "startTime": { + "type": "date", + "description": "Start time for the analysis in ISO format" + }, + "limit": { + "type": "integer", + "description": "Maximum number of results to return" + } + } + } + }' + - lang: Console + source: | + POST kbn:/api/agent_builder/tools + { + "id": "example-esql-tool", + "type": "esql", + "description": "An ES|QL query tool for analyzing financial trades with time filtering", + "tags": ["analytics", "finance", "updated"], + "configuration": { + "query": "FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit", + "params": { + "startTime": { + "type": "date", + "description": "Start time for the analysis in ISO format" + }, + "limit": { + "type": "integer", + "description": "Maximum number of results to return" + } + } + } + } + x-state: '' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/agent_builder/tools/_execute: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/agent_builder/tools/_execute
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Run a tool with parameters. Use this endpoint to run a tool directly with specified inputs and optional external connector integration. To learn more about Agent Builder tools, refer to the [tools documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/tools).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: post-agent-builder-tools-execute + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + executeBuiltinEsqlToolRequest: + description: Example request executing platform.core.execute_esql tool + value: + tool_id: platform.core.execute_esql + tool_params: + query: FROM financial_trades | LIMIT 3 + executeBuiltinToolRequest: + description: Example request executing platform.core.get_document_by_id tool + value: + tool_id: platform.core.get_document_by_id + tool_params: + id: TRD-20250805-0820a89f + index: financial_trades + executeCustomEsqlToolRequest: + description: Example request executing custom example-esql-tool tool + value: + tool_id: example-esql-tool + tool_params: + limit: 3 + startTime: '2024-01-01T00:00:00Z' + executeIndexSearchToolRequest: + description: Example request executing custom example-index-search-tool tool + value: + tool_id: example-index-search-tool + tool_params: + nlQuery: find trades with high execution prices above 100 + schema: + additionalProperties: false + type: object + properties: + connector_id: + description: Optional connector ID for tools that require external integrations. + type: string + tool_id: + description: The ID of the tool to execute. + type: string + tool_params: + additionalProperties: + nullable: true + description: Parameters to pass to the tool execution. 
See examples for details + type: object + required: + - tool_id + - tool_params + responses: + '200': + content: + application/json: + examples: + executeBuiltinEsqlToolExample: + description: Example response calling built-in platform.core.execute_esql tool + value: + results: + - data: + esql: FROM financial_trades | LIMIT 3 + type: query + - data: + columns: + - name: account_id + type: keyword + - name: execution_price + type: double + - name: symbol + type: keyword + - name: trade_type + type: keyword + query: FROM financial_trades | LIMIT 3 + source: esql + values: + - - ACC00179-1f91 + - 43.77000045776367 + - CVX + - sell + - - ACC00407-0bbb + - 660.4199829101562 + - V + - buy + - - ACC00179-1f91 + - 440.3599853515625 + - KO + - buy + tool_result_id: xTpT + type: esql_results + executeBuiltinToolExample: + description: Example response calling built-in platform.core.get_document_by_id tool + value: + results: + - data: + content: + account_id: ACC00271-fb5c + execution_price: 488.54 + execution_timestamp: '2025-08-05T08:04:11.649855' + last_updated: '2025-09-15T13:23:36' + order_status: executed + order_type: market + quantity: 131 + status_reason: fully_filled + symbol: EWL + trade_cost: 63998.74 + trade_id: TRD-20250805-0820a89f + trade_type: sell + partial: false + reference: + id: TRD-20250805-0820a89f + index: financial_trades + type: resource + executeCustomEsqlToolExample: + description: Example response calling custom example-esql-tool tool + value: + results: + - data: + columns: + - name: trade_count + type: long + - name: avg_price + type: double + - name: symbol + type: keyword + query: FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit + source: esql + values: + - - 2115 + - 89.33911587329621 + - US_T_BOND_20YR + - - 2112 + - 104.20854155945055 + - INTL_CORP_ASIA_D + - - 2105 + - 89.93244177666526 + - INTL_CORP_EU_B + 
tool_result_id: Voy8 + type: esql_results + executeIndexSearchToolExample: + description: Example response calling custom example-index-search-tool tool + value: + results: + - data: + esql: |- + FROM financial_trades + | WHERE execution_price > 100 + | LIMIT 100 + type: query + - data: + columns: + - name: account_id + type: keyword + - name: execution_price + type: double + - name: execution_timestamp + type: date + - name: symbol + type: keyword + - name: trade_type + type: keyword + query: |- + FROM financial_trades + | WHERE execution_price > 100 + | LIMIT 100 + source: esql + values: + - - ACC00407-0bbb + - 660.4199829101562 + - '2020-09-25T11:06:08.687Z' + - V + - buy + - - ACC00179-1f91 + - 440.3599853515625 + - '2025-08-07T21:56:45.377Z' + - KO + - buy + - - ACC00407-0bbb + - 132.8800048828125 + - '2020-11-19T04:39:13.655Z' + - JAP_JGB_10YR + - sell + tool_result_id: uE8y + type: esql_results + description: Indicates a successful response + summary: Run a tool + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "https://${KIBANA_URL}/api/agent_builder/tools/_execute" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "tool_id": "platform.core.search", + "tool_params": { + "query": "can you find john doe's email from the employee index?"} + } + }' + - lang: Console + source: | + POST kbn:/api/agent_builder/tools/_execute + { + "tool_id": "platform.core.search", + "tool_params": { + "query": "can you find john doe's email from the employee index?" + } + } + x-state: '' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/agent_builder/tools/{toolId}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/agent_builder/tools/{toolId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a tool by ID. This action cannot be undone. To learn more about Agent Builder tools, refer to the [tools documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/tools).

[Required authorization] Route required privileges: agentBuilder:manageTools. + operationId: delete-agent-builder-tools-toolid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The unique identifier of the tool to delete. + in: path + name: toolId + required: true + schema: + type: string + - description: If true, removes the tool from agents that use it and then deletes it. If false and any agent uses the tool, the request returns 409 Conflict with the list of agents. + in: query + name: force + required: false + schema: + default: false + type: boolean + responses: + '200': + content: + application/json: + examples: + deleteAgentResponseExample: + description: Example response showing that the deletion operation was successful + value: + success: true + description: Indicates a successful response + summary: Delete a tool + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X DELETE "https://${KIBANA_URL}/api/agent_builder/tools/{toolId}" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" + - lang: Console + source: | + DELETE kbn:/api/agent_builder/tools/{toolId} + x-state: '' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/agent_builder/tools/{toolId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a specific tool by ID. Use this endpoint to retrieve the complete tool definition including its schema and configuration requirements. To learn more about Agent Builder tools, refer to the [tools documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/tools).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-tools-toolid + parameters: + - description: The unique identifier of the tool to retrieve. + in: path + name: toolId + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getBuiltinToolExample: + description: Example response returning built-in platform.core.search tool + value: + configuration: {} + description: |- + A powerful tool for searching and analyzing data within your Elasticsearch cluster. + It supports both full-text relevance searches and structured analytical queries. + + Use this tool for any query that involves finding documents, counting, aggregating, or summarizing data from a known index. + + Examples of queries: + - "find articles about serverless architecture" + - "search for support tickets mentioning 'billing issue' or 'refund request'" + - "what is our policy on parental leave?" + - "list all products where the category is 'electronics'" + - "show me the last 5 documents from that index" + - "show me the sales over the last year break down by month" + + Note: + - The 'index' parameter can be used to specify which index to search against. + If not provided, the tool will decide itself which is the best index to use. + - It is perfectly fine not to specify the 'index' parameter. It should only be specified when you already + know about the index and fields you want to search on, e.g. if the user explicitly specified it. + id: platform.core.search + readonly: true + schema: + $schema: http://json-schema.org/draft-07/schema# + additionalProperties: false + type: object + properties: + index: + description: (optional) Index to search against. If not provided, will automatically select the best index to use based on the query. 
+ type: string + query: + description: A natural language query expressing the search request + type: string + required: + - query + tags: [] + type: builtin + getEsqlToolExample: + description: Example response returning custom example-esql-tool tool + value: + configuration: + params: + limit: + description: Maximum number of results to return + type: integer + startTime: + description: Start time for the analysis in ISO format + type: date + query: FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit + description: Example ES|QL query tool for analyzing financial trades with time filtering + id: example-esql-tool + readonly: false + schema: + $schema: http://json-schema.org/draft-07/schema# + additionalProperties: false + description: Parameters needed to execute the query + type: object + properties: + limit: + description: Maximum number of results to return + type: integer + startTime: + description: Start time for the analysis in ISO format + format: date-time + type: string + required: + - startTime + - limit + tags: + - analytics + - finance + type: esql + getIndexSearchToolExample: + description: Example response returning custom example-index-search-tool tool + value: + configuration: + pattern: financial_* + description: Search tool specifically for financial data analysis and reporting + id: example-index-search-tool + readonly: false + schema: + $schema: http://json-schema.org/draft-07/schema# + additionalProperties: false + type: object + properties: + nlQuery: + description: A natural language query expressing the search request + type: string + required: + - nlQuery + tags: + - search + - finance + type: index_search + description: Indicates a successful response + summary: Get a tool by id + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET 
"https://${KIBANA_URL}/api/agent_builder/tools/{toolId}" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn:/api/agent_builder/tools/{toolId} + x-state: '' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/agent_builder/tools/{toolId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an existing tool. Use this endpoint to modify any aspect of the tool's configuration or metadata. To learn more about Agent Builder tools, refer to the [tools documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/tools).

[Required authorization] Route required privileges: agentBuilder:manageTools. + operationId: put-agent-builder-tools-toolid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The unique identifier of the tool to update. + in: path + name: toolId + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + updateEsqlToolRequest: + description: Example request to update the custom ESQL tool + value: + configuration: + params: + limit: + description: Maximum number of results to return + type: integer + startTime: + description: Start time for the analysis in ISO format + type: date + symbolPattern: + description: Pattern to filter symbols (e.g., 'US_*' for US instruments) + type: keyword + query: FROM financial_trades | WHERE execution_timestamp >= ?startTime AND symbol LIKE ?symbolPattern | STATS trade_count=COUNT(*), avg_price=AVG(execution_price), total_volume=SUM(quantity) BY symbol | SORT trade_count DESC | LIMIT ?limit + description: Updated ES|QL query tool for comprehensive financial analysis with enhanced filtering + tags: + - analytics + - finance + - reporting + updateIndexSearchToolRequest: + description: Example request to update the custom Search tool + value: + description: Updated search tool for comprehensive financial data analysis, reporting, and compliance monitoring + tags: + - search + - finance + - compliance + - reporting + schema: + additionalProperties: false + type: object + properties: + configuration: + additionalProperties: + nullable: true + description: Updated tool-specific configuration parameters. See examples for details. + type: object + description: + description: Updated description of what the tool does. + type: string + tags: + description: Updated tags for categorizing and organizing tools. 
+ items: + description: Updated tag for categorizing the tool. + type: string + type: array + responses: + '200': + content: + application/json: + examples: + updateEsqlToolExample: + description: Example response showing the updated ESQL tool + value: + configuration: + params: + limit: + description: Maximum number of results to return + type: integer + startTime: + description: Start time for the analysis in ISO format + type: date + symbolPattern: + description: Pattern to filter symbols (e.g., 'US_*' for US instruments) + type: keyword + query: FROM financial_trades | WHERE execution_timestamp >= ?startTime AND symbol LIKE ?symbolPattern | STATS trade_count=COUNT(*), avg_price=AVG(execution_price), total_volume=SUM(quantity) BY symbol | SORT trade_count DESC | LIMIT ?limit + description: Updated ES|QL query tool for comprehensive financial analysis with enhanced filtering + id: example-esql-tool + readonly: false + schema: + $schema: http://json-schema.org/draft-07/schema# + additionalProperties: false + description: Parameters needed to execute the enhanced query + type: object + properties: + limit: + description: Maximum number of results to return + type: integer + startTime: + description: Start time for the analysis in ISO format + format: date-time + type: string + symbolPattern: + description: Pattern to filter symbols (e.g., 'US_*' for US instruments) + type: string + required: + - startTime + - symbolPattern + - limit + tags: + - analytics + - finance + - reporting + type: esql + updateIndexSearchToolExample: + description: Example response showing the updated Search tool + value: + configuration: + pattern: financial_* + description: Updated search tool for comprehensive financial data analysis, reporting, and compliance monitoring + id: example-index-search-tool + readonly: false + schema: + $schema: http://json-schema.org/draft-07/schema# + additionalProperties: false + type: object + properties: + nlQuery: + description: A natural language query 
expressing the search request + type: string + required: + - nlQuery + tags: + - search + - finance + - compliance + - reporting + type: index_search + description: Indicates a successful response + summary: Update a tool + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X PUT "https://${KIBANA_URL}/api/agent_builder/tools/{toolId}" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "description": "Updated ES|QL query tool for analyzing financial trades with time filtering", + "tags": ["analytics", "finance", "updated"], + "configuration": { + "query": "FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit", + "params": { + "startTime": { + "type": "date", + "description": "Start time for the analysis in ISO format" + }, + "limit": { + "type": "integer", + "description": "Maximum number of results to return" + } + } + } + }' + - lang: Console + source: | + PUT kbn:/api/agent_builder/tools/{toolId} + { + "description": "Updated ES|QL query tool for analyzing financial trades with time filtering", + "tags": ["analytics", "finance", "updated"], + "configuration": { + "query": "FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit", + "params": { + "startTime": { + "type": "date", + "description": "Start time for the analysis in ISO format" + }, + "limit": { + "type": "integer", + "description": "Maximum number of results to return" + } + } + } + } + x-state: '' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/alerting/rule/{id}: + delete: + operationId: delete-alerting-rule-id + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: 
true + schema: + example: 'true' + type: string + - description: The identifier for the rule. + in: path + name: id + required: true + schema: + type: string + responses: + '204': + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. + summary: Delete a rule + tags: + - alerting + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/alerting/rule/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + get: + operationId: get-alerting-rule-id + parameters: + - description: The identifier for the rule. + in: path + name: id + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getRuleResponse: + description: A response that contains information about an index threshold rule. + summary: Get an index threshold rule + value: + actions: [] + api_key_owner: elastic + consumer: alerts + created_at: '2022-12-05T23:40:33.132Z' + created_by: elastic + enabled: true + id: 3583a470-74f6-11ed-9801-35303b735aef + mute_all: false + muted_alert_ids: [] + name: my alert + notify_when: onActionGroupChange + params: + aggField: sheet.version + aggType: avg + groupBy: top + index: + - test-index + termField: name.keyword + termSize: 6 + threshold: + - 1000 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 5 + timeWindowUnit: m + revision: 0 + rule_type_id: .index-threshold + schedule: + interval: 1m + tags: + - cpu + throttle: null + updated_at: '2022-12-05T23:40:33.132Z' + updated_by: elastic + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_response' + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. + summary: Get rule details + tags: + - alerting + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/alerting/rule/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + post: + operationId: post-alerting-rule-id + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. If it is omitted, an ID is randomly generated. + in: path + name: id + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + createEsQueryEsqlRuleRequest: + description: | + Create an Elasticsearch query rule that uses Elasticsearch Query Language (ES|QL) to define its query and a server log connector to send notifications. + summary: Elasticsearch query rule (ES|QL) + value: + actions: + - frequency: + notify_when: onActiveAlert + summary: false + group: query matched + id: d0db1fe0-78d6-11ee-9177-f7d404c8c945 + params: + level: info + message: |- + Elasticsearch query rule '{{rule.name}}' is active: + - Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}} + consumer: stackAlerts + name: my Elasticsearch query ESQL rule + params: + esqlQuery: + esql: FROM kibana_sample_data_logs | KEEP bytes, clientip, host, geo.dest | where geo.dest != "GB" | STATS sumbytes = sum(bytes) by clientip, host | WHERE sumbytes > 5000 | SORT sumbytes desc | LIMIT 10 + searchType: esqlQuery + size: 0 + threshold: + - 0 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 1 + timeWindowUnit: d + rule_type_id: .es-query + schedule: + interval: 1d + createEsQueryKqlRuleRequest: + description: Create an Elasticsearch query rule that uses Kibana query language (KQL). 
+ summary: Elasticsearch query rule (KQL) + value: + consumer: alerts + name: my Elasticsearch query KQL rule + params: + aggType: count + excludeHitsFromPreviousRun: true + groupBy: all + searchConfiguration: + index: 90943e30-9a47-11e8-b64d-95841ca0b247 + query: + language: kuery + query: '""geo.src : "US" ""' + searchType: searchSource + size: 100 + threshold: + - 1000 + thresholdComparator: '>' + timeWindowSize: 5 + timeWindowUnit: m + rule_type_id: .es-query + schedule: + interval: 1m + createEsQueryRuleRequest: + description: | + Create an Elasticsearch query rule that uses Elasticsearch query domain specific language (DSL) to define its query and a server log connector to send notifications. + summary: Elasticsearch query rule (DSL) + value: + actions: + - frequency: + notify_when: onThrottleInterval + summary: true + throttle: 1d + group: query matched + id: fdbece50-406c-11ee-850e-c71febc4ca7f + params: + level: info + message: The system has detected {{alerts.new.count}} new, {{alerts.ongoing.count}} ongoing, and {{alerts.recovered.count}} recovered alerts. + - frequency: + notify_when: onActionGroupChange + summary: false + group: recovered + id: fdbece50-406c-11ee-850e-c71febc4ca7f + params: + level: info + message: Recovered + consumer: alerts + name: my Elasticsearch query rule + params: + esQuery: '"""{"query":{"match_all" : {}}}"""' + index: + - kibana_sample_data_logs + size: 100 + threshold: + - 100 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 1 + timeWindowUnit: d + rule_type_id: .es-query + schedule: + interval: 1d + createIndexThresholdRuleRequest: + description: | + Create an index threshold rule that uses a server log connector to send notifications when the threshold is met. 
+ summary: Index threshold rule + value: + actions: + - frequency: + notify_when: onActionGroupChange + summary: false + group: threshold met + id: 48de3460-f401-11ed-9f8e-399c75a2deeb + params: + level: info + message: |- + Rule '{{rule.name}}' is active for group '{{context.group}}': + + - Value: {{context.value}} + - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} + - Timestamp: {{context.date}} + alert_delay: + active: 3 + consumer: alerts + name: my rule + params: + aggField: sheet.version + aggType: avg + groupBy: top + index: + - .test-index + termField: name.keyword + termSize: 6 + threshold: + - 1000 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 5 + timeWindowUnit: m + rule_type_id: .index-threshold + schedule: + interval: 1m + tags: + - cpu + createTrackingContainmentRuleRequest: + description: | + Create a tracking containment rule that checks when an entity is contained or no longer contained within a boundary. 
+ summary: Tracking containment rule + value: + consumer: alerts + name: my tracking rule + params: + boundaryGeoField: location + boundaryIndexId: 0cd90abf-abe7-44c7-909a-f621bbbcfefc + boundaryIndexTitle: boundary* + boundaryNameField: name + boundaryType: entireIndex + dateField": '@timestamp' + entity: agent.keyword + geoField: geo.coordinates + index: kibana_sample_data_logs + indexId: 90943e30-9a47-11e8-b64d-95841ca0b247 + rule_type_id: .geo-containment + schedule: + interval: 1h + schema: + anyOf: + - discriminator: + mapping: + .es-query: '#/components/schemas/Kibana_HTTP_APIs_es-query-create-rule-body-alerting' + .geo-containment: '#/components/schemas/Kibana_HTTP_APIs_geo-containment-create-rule-body-alerting' + .index-threshold: '#/components/schemas/Kibana_HTTP_APIs_index-threshold-create-rule-body-alerting' + apm.anomaly: '#/components/schemas/Kibana_HTTP_APIs_apm-anomaly-create-rule-body-alerting' + apm.error_rate: '#/components/schemas/Kibana_HTTP_APIs_apm-error-rate-create-rule-body-alerting' + apm.transaction_duration: '#/components/schemas/Kibana_HTTP_APIs_apm-transaction-duration-create-rule-body-alerting' + apm.transaction_error_rate: '#/components/schemas/Kibana_HTTP_APIs_apm-transaction-error-rate-create-rule-body-alerting' + datasetQuality.degradedDocs: '#/components/schemas/Kibana_HTTP_APIs_datasetquality-degradeddocs-create-rule-body-alerting' + logs.alert.document.count: '#/components/schemas/Kibana_HTTP_APIs_logs-alert-document-count-create-rule-body-alerting' + metrics.alert.inventory.threshold: '#/components/schemas/Kibana_HTTP_APIs_metrics-alert-inventory-threshold-create-rule-body-alerting' + metrics.alert.threshold: '#/components/schemas/Kibana_HTTP_APIs_metrics-alert-threshold-create-rule-body-alerting' + monitoring_alert_cluster_health: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-cluster-health-create-rule-body-alerting' + monitoring_alert_cpu_usage: 
'#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-cpu-usage-create-rule-body-alerting' + monitoring_alert_disk_usage: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-disk-usage-create-rule-body-alerting' + monitoring_alert_elasticsearch_version_mismatch: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-elasticsearch-version-mismatch-create-rule-body-alerting' + monitoring_alert_jvm_memory_usage: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-jvm-memory-usage-create-rule-body-alerting' + monitoring_alert_kibana_version_mismatch: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-kibana-version-mismatch-create-rule-body-alerting' + monitoring_alert_license_expiration: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-license-expiration-create-rule-body-alerting' + monitoring_alert_logstash_version_mismatch: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-logstash-version-mismatch-create-rule-body-alerting' + monitoring_alert_missing_monitoring_data: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-missing-monitoring-data-create-rule-body-alerting' + monitoring_alert_nodes_changed: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-nodes-changed-create-rule-body-alerting' + monitoring_alert_thread_pool_search_rejections: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-thread-pool-search-rejections-create-rule-body-alerting' + monitoring_alert_thread_pool_write_rejections: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-thread-pool-write-rejections-create-rule-body-alerting' + monitoring_ccr_read_exceptions: '#/components/schemas/Kibana_HTTP_APIs_monitoring-ccr-read-exceptions-create-rule-body-alerting' + monitoring_shard_size: '#/components/schemas/Kibana_HTTP_APIs_monitoring-shard-size-create-rule-body-alerting' + observability.rules.custom_threshold: '#/components/schemas/Kibana_HTTP_APIs_observability-rules-custom-threshold-create-rule-body-alerting' + slo.rules.burnRate: 
'#/components/schemas/Kibana_HTTP_APIs_slo-rules-burnrate-create-rule-body-alerting' + transform_health: '#/components/schemas/Kibana_HTTP_APIs_transform-health-create-rule-body-alerting' + xpack.ml.anomaly_detection_alert: '#/components/schemas/Kibana_HTTP_APIs_xpack-ml-anomaly-detection-alert-create-rule-body-alerting' + xpack.ml.anomaly_detection_jobs_health: '#/components/schemas/Kibana_HTTP_APIs_xpack-ml-anomaly-detection-jobs-health-create-rule-body-alerting' + xpack.synthetics.alerts.monitorStatus: '#/components/schemas/Kibana_HTTP_APIs_xpack-synthetics-alerts-monitorstatus-create-rule-body-alerting' + xpack.synthetics.alerts.tls: '#/components/schemas/Kibana_HTTP_APIs_xpack-synthetics-alerts-tls-create-rule-body-alerting' + xpack.uptime.alerts.durationAnomaly: '#/components/schemas/Kibana_HTTP_APIs_xpack-uptime-alerts-durationanomaly-create-rule-body-alerting' + xpack.uptime.alerts.monitorStatus: '#/components/schemas/Kibana_HTTP_APIs_xpack-uptime-alerts-monitorstatus-create-rule-body-alerting' + xpack.uptime.alerts.tlsCertificate: '#/components/schemas/Kibana_HTTP_APIs_xpack-uptime-alerts-tlscertificate-create-rule-body-alerting' + propertyName: rule_type_id + oneOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-ccr-read-exceptions-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-cluster-health-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-cpu-usage-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-disk-usage-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-elasticsearch-version-mismatch-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-kibana-version-mismatch-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-license-expiration-create-rule-body-alerting' + - $ref: 
'#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-logstash-version-mismatch-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-jvm-memory-usage-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-missing-monitoring-data-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-nodes-changed-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-shard-size-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-thread-pool-search-rejections-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-thread-pool-write-rejections-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xpack-ml-anomaly-detection-alert-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xpack-ml-anomaly-detection-jobs-health-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datasetquality-degradeddocs-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_es-query-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_index-threshold-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_geo-containment-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_transform-health-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_apm-anomaly-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_apm-error-rate-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_apm-transaction-error-rate-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_apm-transaction-duration-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xpack-synthetics-alerts-monitorstatus-create-rule-body-alerting' + - $ref: 
'#/components/schemas/Kibana_HTTP_APIs_xpack-synthetics-alerts-tls-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xpack-uptime-alerts-monitorstatus-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xpack-uptime-alerts-tlscertificate-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xpack-uptime-alerts-durationanomaly-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metrics-alert-inventory-threshold-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metrics-alert-threshold-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_observability-rules-custom-threshold-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_logs-alert-document-count-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_slo-rules-burnrate-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule' + responses: + '200': + content: + application/json: + examples: + createEsQueryEsqlRuleResponse: + description: The response for successfully creating an Elasticsearch query rule that uses Elasticsearch Query Language (ES|QL). 
+ summary: Elasticsearch query rule (ES|QL) + value: + actions: + - connector_type_id: .server-log + frequency: + notify_when: onActiveAlert + summary: false + throttle: null + group: query matched + id: d0db1fe0-78d6-11ee-9177-f7d404c8c945 + params: + level: info + message: |- + Elasticsearch query rule '{{rule.name}}' is active: + - Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}} + uuid: bfe370a3-531b-4855-bbe6-ad739f578844 + api_key_created_by_user: false + api_key_owner: elastic + consumer: stackAlerts + created_at: '2023-11-01T19:00:10.453Z' + created_by: elastic + enabled: true + execution_status: + last_execution_date: '2023-11-01T19:00:10.453Z' + status: pending + id: e0d62360-78e8-11ee-9177-f7d404c8c945 + mute_all: false + muted_alert_ids: [] + name: my Elasticsearch query ESQL rule + notify_when: null + params: + aggType: count + esqlQuery: + esql: FROM kibana_sample_data_logs | keep bytes, clientip, host, geo.dest | WHERE geo.dest != "GB" | stats sumbytes = sum(bytes) by clientip, host | WHERE sumbytes > 5000 | sort sumbytes desc | limit 10 + excludeHitsFromPreviousRun": true, + groupBy: all + searchType: esqlQuery + size: 0 + threshold: + - 0 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 1 + timeWindowUnit: d + revision: 0 + rule_type_id: .es-query + running: false + schedule: + interval: 1d + scheduled_task_id: e0d62360-78e8-11ee-9177-f7d404c8c945 + tags: [] + throttle: null + updated_at: '2023-11-01T19:00:10.453Z' + updated_by: elastic", + createEsQueryKqlRuleResponse: + description: The response for successfully creating an Elasticsearch query rule that uses Kibana query language (KQL). 
+ summary: Elasticsearch query rule (KQL) + value: + actions: [] + api_key_created_by_user: false + api_key_owner: elastic + consumer: alerts + created_at: '2023-07-14T20:24:50.729Z' + created_by: elastic + enabled: true + execution_status: + last_execution_date: '2023-07-14T20:24:50.729Z' + status: pending + id: 7bd506d0-2284-11ee-8fad-6101956ced88 + mute_all: false + muted_alert_ids: [] + name: my Elasticsearch query KQL rule" + notify_when: null + params: + aggType: count + excludeHitsFromPreviousRun: true + groupBy: all + searchConfiguration: + index: 90943e30-9a47-11e8-b64d-95841ca0b247 + query: + language: kuery + query: '""geo.src : "US" ""' + searchType: searchSource + size: 100 + threshold: + - 1000 + thresholdComparator: '>' + timeWindowSize: 5 + timeWindowUnit: m + revision: 0 + rule_type_id: .es-query + running: false + schedule: + interval: 1m + scheduled_task_id: 7bd506d0-2284-11ee-8fad-6101956ced88 + tags: [] + throttle: null + updated_at: '2023-07-14T20:24:50.729Z' + updated_by: elastic + createEsQueryRuleResponse: + description: The response for successfully creating an Elasticsearch query rule that uses Elasticsearch query domain specific language (DSL). + summary: Elasticsearch query rule (DSL) + value: + actions: + - connector_type_id: .server-log + frequency: + notify_when: onThrottleInterval + summary: true + throttle: 1d + group: query matched + id: fdbece50-406c-11ee-850e-c71febc4ca7f + params: + level: info + message: The system has detected {{alerts.new.count}} new, {{alerts.ongoing.count}} ongoing, and {{alerts.recovered.count}} recovered alerts. 
+ uuid: 53f3c2a3-e5d0-4cfa-af3b-6f0881385e78 + - connector_type_id: .server-log + frequency: + notify_when: onActionGroupChange + summary: false + throttle: null + group: recovered + id: fdbece50-406c-11ee-850e-c71febc4ca7f + params: + level: info + message: Recovered + uuid: 2324e45b-c0df-45c7-9d70-4993e30be758 + api_key_created_by_user: false + api_key_owner: elastic + consumer: alerts + created_at: '2023-08-22T00:03:38.263Z' + created_by: elastic + enabled: true + execution_status: + last_execution_date: '2023-08-22T00:03:38.263Z' + status: pending + id: 58148c70-407f-11ee-850e-c71febc4ca7f + mute_all: false + muted_alert_ids: [] + name: my Elasticsearch query rule + notify_when: null + params: + aggType: count + esQuery: '"""{"query":{"match_all" : {}}}"""' + excludeHitsFromPreviousRun: true + groupBy: all + index: + - kibana_sample_data_logs + searchType: esQuery + size: 100 + threshold: + - 100 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 1 + timeWindowUnit: d + revision: 0 + rule_type_id: .es-query + running: false + schedule: + interval: 1d + scheduled_task_id: 58148c70-407f-11ee-850e-c71febc4ca7f + tags: [] + throttle: null + updated_at: '2023-08-22T00:03:38.263Z' + updated_by: elastic + createIndexThresholdRuleResponse: + description: The response for successfully creating an index threshold rule. 
+ summary: Index threshold rule + value: + actions: + - connector_type_id: .server-log + frequency: + notify_when: onActionGroupChange + summary: false + throttle: null + group: threshold met + id: dceeb5d0-6b41-11eb-802b-85b0c1bc8ba2 + params: + level: info + message: |- + Rule {{rule.name}} is active for group {{context.group} : + + - Value: {{context.value}} + - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} + - Timestamp: {{context.date}} + uuid: 07aef2a0-9eed-4ef9-94ec-39ba58eb609d + alert_delay: + active: 3 + api_key_created_by_user: false + api_key_owner: elastic + consumer: alerts + created_at: '2022-06-08T17:20:31.632Z' + created_by: elastic + enabled: true + execution_status: + last_execution_date: '2022-06-08T17:20:31.632Z' + status: pending + id: 41893910-6bca-11eb-9e0d-85d233e3ee35 + mute_all: false + muted_alert_ids: [] + name: my rule + notify_when: null + params: + aggField: sheet.version + aggType: avg + groupBy: top + index: + - .test-index + termField: name.keyword + termSize: 6 + threshold: + - 1000 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 5 + timeWindowUnit: m + revision: 0 + rule_type_id: .index-threshold + running: false + schedule: + interval: 1m + scheduled_task_id: 425b0800-6bca-11eb-9e0d-85d233e3ee35 + tags: + - cpu + throttle: null + updated_at: '2022-06-08T17:20:31.632Z' + updated_by: elastic + createTrackingContainmentRuleResponse: + description: The response for successfully creating a tracking containment rule. 
+ summary: Tracking containment rule + value: + actions: [] + api_key_created_by_user: false + api_key_owner: elastic + consumer: alerts + created_at: '2024-02-14T19:52:55.920Z' + created_by: elastic + enabled: true + execution_status: + last_duration: 74 + last_execution_date: '2024-02-15T03:25:38.125Z' + status: ok + id: b6883f9d-5f70-4758-a66e-369d7c26012f + last_run: + alerts_count: + active: 0 + ignored: 0 + new: 0 + recovered: 0 + outcome: succeeded + outcome_msg: null + outcome_order: 0 + warning: null + mute_all: false + muted_alert_ids: [] + name: my tracking rule + next_run: '2024-02-15T03:26:38.033Z' + notify_when: null + params: + boundaryGeoField: location + boundaryIndexId: 0cd90abf-abe7-44c7-909a-f621bbbcfefc + boundaryIndexTitle: boundary* + boundaryNameField: name + boundaryType: entireIndex + dateField: '@timestamp' + entity: agent.keyword + geoField: geo.coordinates + index: kibana_sample_data_logs + indexId: 90943e30-9a47-11e8-b64d-95841ca0b247 + revision: 1 + rule_type_id: .geo-containment + running: false + schedule: + interval: 1h + scheduled_task_id: b6883f9d-5f70-4758-a66e-369d7c26012f + tags: [] + throttle: null + updated_at: '2024-02-15T03:24:32.574Z' + updated_by: elastic + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_response' + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '409': + description: Indicates that the rule id is already in use. + summary: Create a rule + tags: + - alerting + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/alerting/rule/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + put: + operationId: put-alerting-rule-id + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. + in: path + name: id + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + updateRuleRequest: + description: Update an index threshold rule that uses a server log connector to send notifications when the threshold is met. + summary: Index threshold rule + value: + actions: + - frequency: + notify_when: onActionGroupChange + summary: false + group: threshold met + id: 96b668d0-a1b6-11ed-afdf-d39a49596974 + params: + level: info + message: |- + Rule {{rule.name}} is active for group {{context.group}}: + + - Value: {{context.value}} + - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} + - Timestamp: {{context.date}} + name: new name + params: + aggField: sheet.version + aggType: avg + groupBy: top + index: + - .updated-index + termField: name.keyword + termSize: 6 + threshold: + - 1000 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 5 + timeWindowUnit: m + schedule: + interval: 1m + tags: [] + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_update_rule' + responses: + '200': + content: + application/json: + examples: + updateRuleResponse: + description: The response for successfully updating an index threshold rule. 
+ summary: Index threshold rule + value: + actions: + - connector_type_id: .server-log + frequency: + notify_when: onActionGroupChange + summary: false + throttle: null + group: threshold met + id: 96b668d0-a1b6-11ed-afdf-d39a49596974 + params: + level: info + message: |- + Rule {{rule.name}} is active for group {{context.group}}: + + - Value: {{context.value}} + - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} + - Timestamp: {{context.date} + uuid: 07aef2a0-9eed-4ef9-94ec-39ba58eb609d + api_key_created_by_user: false + api_key_owner: elastic + consumer: alerts + created_at: '2024-03-26T23:13:20.985Z' + created_by: elastic + enabled: true + execution_status: + last_duration: 52 + last_execution_date: '2024-03-26T23:22:51.390Z' + status: ok + id: ac4e6b90-6be7-11eb-ba0d-9b1c1f912d74 + last_run: + alerts_count: + active: 0 + ignored: 0 + new: 0 + recovered: 0 + outcome: succeeded + outcome_msg: null + warning: null + mute_all: false + muted_alert_ids: [] + name: new name + next_run: '2024-03-26T23:23:51.316Z' + params: + aggField: sheet.version + aggType: avg + groupBy: top + index: + - .updated-index + termField: name.keyword + termSize: 6 + threshold: + - 1000 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 5 + timeWindowUnit: m + revision: 1 + rule_type_id: .index-threshold + running: false + schedule: + interval: 1m + scheduled_task_id: 4c5eda00-e74f-11ec-b72f-5b18752ff9ea + tags: [] + throttle: null + updated_at: '2024-03-26T23:22:59.949Z' + updated_by: elastic + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_response' + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. + '409': + description: Indicates that the rule has already been updated by another user. 
+ summary: Update a rule + tags: + - alerting + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/alerting/rule/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/alerting/rule/{id}/_disable: + post: + operationId: post-alerting-rule-id-disable + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. + in: path + name: id + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + disableRuleRequest: + description: A request that disables a rule and untracks all alerts that were generated by the rule. + summary: Disable a rule and untrack its alerts + value: + untrack: true + schema: + additionalProperties: false + nullable: true + type: object + properties: + untrack: + description: Defines whether this rule's alerts should be untracked. + type: boolean + responses: + '204': + description: Indicates a successful call. + '400': + description: Indicates an invalid schema. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. + summary: Disable a rule + tags: + - alerting + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/alerting/rule/{id}/_disable
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/alerting/rule/{id}/_enable: + post: + operationId: post-alerting-rule-id-enable + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. + in: path + name: id + required: true + schema: + type: string + responses: + '204': + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. + summary: Enable a rule + tags: + - alerting + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/alerting/rule/{id}/_enable
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/alerting/rule/{id}/_mute_all: + post: + operationId: post-alerting-rule-id-mute-all + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. + in: path + name: id + required: true + schema: + type: string + responses: + '204': + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. + summary: Mute all alerts + tags: + - alerting + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/alerting/rule/{id}/_mute_all
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/alerting/rule/{id}/_unmute_all: + post: + operationId: post-alerting-rule-id-unmute-all + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. + in: path + name: id + required: true + schema: + type: string + responses: + '204': + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. + summary: Unmute all alerts + tags: + - alerting + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/alerting/rule/{id}/_unmute_all
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/alerting/rule/{id}/_update_api_key: + post: + operationId: post-alerting-rule-id-update-api-key + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. + in: path + name: id + required: true + schema: + type: string + responses: + '204': + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. + '409': + description: Indicates that the rule has already been updated by another user. + summary: Update the API key for a rule + tags: + - alerting + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/alerting/rule/{id}/_update_api_key
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/alerting/rule/{id}/query_inspector: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/alerting/rule/{id}/query_inspector
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Returns the Elasticsearch query that a rule executes, and optionally its response. + operationId: get-alerting-rule-id-query-inspector + parameters: + - description: The identifier for the rule. + in: path + name: id + required: true + schema: + type: string + - description: The inspection mode. Use "build" to return only the query, or "execute" to run the query and include the response. + in: query + name: mode + required: false + schema: + default: build + enum: + - build + - execute + type: string + - description: The alert document ID. When provided, the query inspector uses the evaluation time range from the alert instead of the current time. + in: query + name: alert_id + required: false + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getRuleQueryInspectorResponse: + summary: A query inspector response for a custom threshold rule + value: + queries: + - index: metrics-* + request: + aggs: + groupings: + composite: + size: 500 + sources: [] + query: + bool: + filter: + - range: + '@timestamp': + gte: '2026-01-01T00:00:00.000Z' + lte: '2026-01-01T00:05:00.000Z' + size: 0 + schema: + additionalProperties: false + type: object + properties: + queries: + items: + additionalProperties: false + type: object + properties: + index: + type: string + label: + type: string + request: + additionalProperties: + nullable: true + type: object + response: + additionalProperties: + nullable: true + type: object + required: + - index + - request + maxItems: 1000 + type: array + required: + - queries + description: Indicates a successful call. + '400': + description: Indicates the rule type is not supported or the request parameters are invalid. + '404': + description: Indicates a rule with the specified rule ID does not exist. 
+ summary: Get the Elasticsearch query for a rule + tags: + - alerting + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/alerting/rule/{id}/snooze_schedule: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/alerting/rule/{id}/snooze_schedule
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + When you snooze a rule, the rule checks continue to run but alerts will not generate actions. You can snooze for a specified period of time and schedule single or recurring downtimes. + operationId: post-alerting-rule-id-snooze-schedule + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Identifier of the rule. + in: path + name: id + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + snoozeRuleRecurringRequest: + description: A request that snoozes a rule every Monday for 8 hours, for 4 occurrences. + summary: Snooze a rule on a recurring weekly schedule + value: + schedule: + custom: + duration: 8h + recurring: + every: 1w + occurrences: 4 + onWeekDay: + - MO + start: '2025-03-17T09:00:00.000Z' + timezone: UTC + snoozeRuleRequest: + description: A request that snoozes a rule for 24 hours starting now. + summary: Snooze a rule for 24 hours + value: + schedule: + custom: + duration: 24h + start: '2025-03-12T12:00:00.000Z' + timezone: UTC + schema: + additionalProperties: false + type: object + properties: + schedule: + additionalProperties: false + type: object + properties: + custom: + $ref: '#/components/schemas/Kibana_HTTP_APIs_schedule_request' + required: + - schedule + responses: + '200': + content: + application/json: + examples: + snoozeRuleResponse: + description: A response that contains the created snooze schedule. 
+ summary: Snooze schedule response + value: + schedule: + custom: + duration: 24h + start: '2025-03-12T12:00:00.000Z' + timezone: UTC + id: 9ac67950-6737-11ec-8ded-d7f6e1581b26 + schema: + additionalProperties: false + type: object + properties: + body: + additionalProperties: false + type: object + properties: + schedule: + additionalProperties: false + type: object + properties: + custom: + $ref: '#/components/schemas/Kibana_HTTP_APIs_schedule_request' + id: + description: Identifier of the snooze schedule. + type: string + required: + - id + required: + - schedule + required: + - body + description: Indicates a successful call. + '400': + description: Indicates an invalid schema. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given id does not exist. + summary: Schedule a snooze for the rule + tags: + - alerting + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/alerting/rule/{rule_id}/alert/{alert_id}/_mute: + post: + operationId: post-alerting-rule-rule-id-alert-alert-id-mute + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. + in: path + name: rule_id + required: true + schema: + type: string + - description: The identifier for the alert. + in: path + name: alert_id + required: true + schema: + type: string + - description: Whether to validate the existence of the alert. + in: query + name: validate_alerts_existence + required: false + schema: + type: boolean + responses: + '204': + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule or alert with the given ID does not exist. 
+ summary: Mute an alert + tags: + - alerting + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/alerting/rule/{rule_id}/alert/{alert_id}/_mute
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/alerting/rule/{rule_id}/alert/{alert_id}/_unmute: + post: + operationId: post-alerting-rule-rule-id-alert-alert-id-unmute + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. + in: path + name: rule_id + required: true + schema: + type: string + - description: The identifier for the alert. + in: path + name: alert_id + required: true + schema: + type: string + responses: + '204': + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule or alert with the given ID does not exist. + summary: Unmute an alert + tags: + - alerting + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/alerting/rule/{rule_id}/alert/{alert_id}/_unmute
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/alerting/rule/{ruleId}/snooze_schedule/{scheduleId}: + delete: + operationId: delete-alerting-rule-ruleid-snooze-schedule-scheduleid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. + in: path + name: ruleId + required: true + schema: + type: string + - description: The identifier for the snooze schedule. + in: path + name: scheduleId + required: true + schema: + type: string + responses: + '204': + description: Indicates a successful call. + '400': + description: Indicates an invalid schema. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given id does not exist. + summary: Delete a snooze schedule for a rule + tags: + - alerting + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/alerting/rule/{ruleId}/snooze_schedule/{scheduleId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/alerting/rules/_find: + get: + operationId: get-alerting-rules-find + parameters: + - description: The number of rules to return per page. + in: query + name: per_page + required: false + schema: + default: 10 + minimum: 0 + type: number + - description: The page number to return. + in: query + name: page + required: false + schema: + default: 1 + minimum: 1 + type: number + - description: An Elasticsearch simple_query_string query that filters the objects in the response. + in: query + name: search + required: false + schema: + type: string + - description: The default operator to use for the simple_query_string. + in: query + name: default_search_operator + required: false + schema: + default: OR + enum: + - OR + - AND + type: string + - description: The fields to perform the simple_query_string parsed query against. + in: query + name: search_fields + required: false + schema: + items: + type: string + type: array + - description: Determines which field is used to sort the results. The field must exist in the `attributes` key of the response. + in: query + name: sort_field + required: false + schema: + type: string + - description: Determines the sort order. + in: query + name: sort_order + required: false + schema: + enum: + - asc + - desc + type: string + - description: Filters the rules that have a relation with the reference objects with a specific type and identifier. + in: query + name: has_reference + required: false + schema: + additionalProperties: false + nullable: true + type: object + properties: + id: + type: string + type: + type: string + required: + - type + - id + - description: The fields to return in the `attributes` key of the response. + in: query + name: fields + required: false + schema: + items: + type: string + type: array + - description: 'A KQL string that you filter with an attribute from your saved object. 
It should look like `savedObjectType.attributes.title: "myTitle"`. However, if you used a direct attribute of a saved object, such as `updatedAt`, you must define your filter, for example, `savedObjectType.updatedAt > 2018-12-22`.' + in: query + name: filter + required: false + schema: + type: string + - in: query + name: filter_consumers + required: false + schema: + items: + description: List of consumers to filter. + type: string + type: array + responses: + '200': + content: + application/json: + examples: + findConditionalActionRulesResponse: + description: A response that contains information about an index threshold rule. + summary: Index threshold rule + value: + data: + - actions: + - frequency: + notify_when: onActionGroupChange + summary: false + throttle: null + group: threshold met + id: 9dca3e00-74f5-11ed-9801-35303b735aef + params: + connector_type_id: .server-log + level: info + message: |- + Rule {{rule.name}} is active for group {{context.group}}: + + - Value: {{context.value}} + - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} + - Timestamp: {{context.date}} + uuid: 1c7a1280-f28c-4e06-96b2-e4e5f05d1d61 + api_key_created_by_user: false + api_key_owner: elastic + consumer: alerts + created_at: '2022-12-05T23:40:33.132Z' + created_by: elastic + enabled: true + execution_status: + last_duration: 48 + last_execution_date: '2022-12-06T01:44:23.983Z' + status: ok + id: 3583a470-74f6-11ed-9801-35303b735aef + last_run: + alerts_count: + active: 0 + ignored: 0 + new: 0 + recovered: 0 + outcome: succeeded + outcome_msg: null + warning: null + mute_all: false + muted_alert_ids: [] + name: my alert + next_run: '2022-12-06T01:45:23.912Z' + params: + aggField: sheet.version + aggType: avg + groupBy: top + index: + - test-index + termField: name.keyword + termSize: 6 + threshold: + - 1000 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 5 + timeWindowUnit: m + revision: 1 + 
rule_type_id: .index-threshold + schedule: + interval: 1m + scheduled_task_id: 3583a470-74f6-11ed-9801-35303b735aef + tags: + - cpu + throttle: null + updated_at: '2022-12-05T23:40:33.132Z' + updated_by: elastic + page: 1 + per_page: 10 + total: 1 + findRulesResponse: + description: A response that contains information about a security rule that has conditional actions. + summary: Security rule + value: + data: + - actions: + - alerts_filter: + query: + filters: + - $state: + store: appState + meta: + alias: null + disabled: false + field: client.geo.region_iso_code + index: c4bdca79-e69e-4d80-82a1-e5192c621bea + key: client.geo.region_iso_code + negate: false + params: + query: CA-QC + type: phrase + query: + match_phrase: + client.geo.region_iso_code: CA-QC + kql: '' + timeframe: + days: + - 7 + hours: + end: '17:00' + start: '08:00' + timezone: UTC + connector_type_id: .index + frequency: + notify_when: onActiveAlert + summary: true + throttle: null + group: default + id: 49eae970-f401-11ed-9f8e-399c75a2deeb + params: + documents: + - alert_id: + '[object Object]': null + context_message: + '[object Object]': null + rule_id: + '[object Object]': null + rule_name: + '[object Object]': null + uuid: 1c7a1280-f28c-4e06-96b2-e4e5f05d1d61 + api_key_created_by_user: false + api_key_owner: elastic + consumer: siem + created_at: '2023-05-16T15:50:28.358Z' + created_by: elastic + enabled: true + execution_status: + last_duration: 166 + last_execution_date: '2023-05-16T20:26:49.590Z' + status: ok + id: 6107a8f0-f401-11ed-9f8e-399c75a2deeb + last_run: + alerts_count: + active: 0 + ignored: 0 + new: 0 + recovered: 0 + outcome: succeeded + outcome_msg: + - Rule execution completed successfully + outcome_order: 0 + warning: null + mute_all: false + muted_alert_ids: [] + name: security_rule + next_run: '2023-05-16T20:27:49.507Z' + notify_when: null + params: + author: [] + description: A security threshold rule. 
+ exceptionsList: [] + falsePositives: [] + filters: [] + from: now-3660s + immutable: false + index: + - kibana_sample_data_logs + language: kuery + license: '' + maxSignals: 100 + meta: + from: 1h + kibana_siem_app_url: https://localhost:5601/app/security + outputIndex: '' + query: '*' + references: [] + riskScore: 21 + riskScoreMapping: [] + ruleId: an_internal_rule_id + severity: low + severityMapping: [] + threat: [] + threshold: + cardinality: [] + field: + - bytes + value: 1 + to: now + type: threshold + version: 1 + revision: 1 + rule_type_id: siem.thresholdRule + running: false + schedule: + interval: 1m + scheduled_task_id: 6107a8f0-f401-11ed-9f8e-399c75a2deeb + tags: [] + throttle: null + updated_at: '2023-05-16T20:25:42.559Z' + updated_by: elastic + page: 1 + per_page: 10 + total: 1 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_response' + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + summary: Get information about rules + tags: + - alerting + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/alerting/rules/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/alerting/rules/backfill/_find: + post: + operationId: post-alerting-rules-backfill-find + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The end date for filtering backfills. + in: query + name: end + required: false + schema: + type: string + - description: The page number to return. + in: query + name: page + required: false + schema: + default: 1 + minimum: 1 + type: number + - description: The number of backfills to return per page. + in: query + name: per_page + required: false + schema: + default: 10 + minimum: 0 + type: number + - description: A comma-separated list of rule identifiers. + in: query + name: rule_ids + required: false + schema: + type: string + - description: The initiator of the backfill, either `user` for manual backfills or `system` for automatic gap fills. + in: query + name: initiator + required: false + schema: + enum: + - user + - system + type: string + - description: The start date for filtering backfills. + in: query + name: start + required: false + schema: + type: string + - description: The field to sort backfills by. + in: query + name: sort_field + required: false + schema: + enum: + - createdAt + - start + type: string + - description: The sort order. 
+ in: query + name: sort_order + required: false + schema: + enum: + - asc + - desc + type: string + responses: + '200': + content: + application/json: + examples: + findBackfillResponse: + summary: Find backfills response + value: + data: + - created_at: '2024-01-30T00:00:00.000Z' + duration: 12h + enabled: true + id: 85bdf571-f4fb-4666-a8d2-e05e1220ebc6 + initiator: user + rule: + api_key_owner: elastic + consumer: alerts + created_at: '2022-12-05T23:40:33.132Z' + created_by: elastic + enabled: true + id: 3583a470-74f6-11ed-9801-35303b735aef + name: my alert + params: + aggField: sheet.version + aggType: avg + groupBy: top + index: + - test-index + termField: name.keyword + termSize: 6 + threshold: + - 1000 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 5 + timeWindowUnit: m + revision: 0 + rule_type_id: .index-threshold + schedule: + interval: 1m + tags: + - cpu + updated_at: '2022-12-05T23:40:33.132Z' + updated_by: elastic + schedule: + - interval: 12h + run_at: '2024-01-01T12:00:00.000Z' + status: pending + - interval: 12h + run_at: '2024-01-02T00:00:00.000Z' + status: pending + space_id: default + start: '2024-01-01T00:00:00.000Z' + status: pending + page: 1 + per_page: 10 + total: 1 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_find_backfill_response' + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + summary: Find backfills for rules + tags: + - alerting + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/alerting/rules/backfill/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/alerting/rules/backfill/_schedule: + post: + operationId: post-alerting-rules-backfill-schedule + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + scheduleBackfillRequest: + summary: Schedule a backfill for an index threshold rule + value: + - ranges: + - end: '2024-01-02T00:00:00.000Z' + start: '2024-01-01T00:00:00.000Z' + rule_id: 3583a470-74f6-11ed-9801-35303b735aef + schema: + items: + additionalProperties: false + type: object + properties: + ranges: + items: + additionalProperties: false + type: object + properties: + end: + type: string + start: + type: string + required: + - start + - end + type: array + rule_id: + type: string + run_actions: + type: boolean + required: + - rule_id + - ranges + maxItems: 100 + minItems: 1 + type: array + responses: + '200': + content: + application/json: + examples: + scheduleBackfillResponse: + summary: Schedule backfill response + value: + - created_at: '2024-01-30T00:00:00.000Z' + duration: 12h + enabled: true + id: 85bdf571-f4fb-4666-a8d2-e05e1220ebc6 + initiator: user + rule: + api_key_owner: elastic + consumer: alerts + created_at: '2022-12-05T23:40:33.132Z' + created_by: elastic + enabled: true + id: 3583a470-74f6-11ed-9801-35303b735aef + name: my alert + params: + aggField: sheet.version + aggType: avg + groupBy: top + index: + - test-index + termField: name.keyword + termSize: 6 + threshold: + - 1000 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 5 + timeWindowUnit: m + revision: 0 + rule_type_id: .index-threshold + schedule: + interval: 1m + tags: + - cpu + updated_at: '2022-12-05T23:40:33.132Z' + updated_by: elastic + schedule: + - interval: 12h + run_at: '2024-01-01T12:00:00.000Z' + status: pending + - 
interval: 12h + run_at: '2024-01-02T00:00:00.000Z' + status: pending + space_id: default + start: '2024-01-01T00:00:00.000Z' + status: pending + schema: + items: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_backfill_response' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_backfill_error_response' + type: array + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. + summary: Schedule a backfill for rules + tags: + - alerting + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/alerting/rules/backfill/_schedule
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/alerting/rules/backfill/{id}: + delete: + operationId: delete-alerting-rules-backfill-id + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the backfill. + in: path + name: id + required: true + schema: + type: string + responses: + '204': + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a backfill with the given ID does not exist. + summary: Delete a backfill by ID + tags: + - alerting + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/alerting/rules/backfill/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + get: + operationId: get-alerting-rules-backfill-id + parameters: + - description: The identifier for the backfill. + in: path + name: id + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getBackfillResponse: + summary: Get a backfill for an index threshold rule + value: + created_at: '2024-01-30T00:00:00.000Z' + duration: 12h + enabled: true + id: 85bdf571-f4fb-4666-a8d2-e05e1220ebc6 + initiator: user + rule: + api_key_owner: elastic + consumer: alerts + created_at: '2022-12-05T23:40:33.132Z' + created_by: elastic + enabled: true + id: 3583a470-74f6-11ed-9801-35303b735aef + name: my alert + params: + aggField: sheet.version + aggType: avg + groupBy: top + index: + - test-index + termField: name.keyword + termSize: 6 + threshold: + - 1000 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 5 + timeWindowUnit: m + revision: 0 + rule_type_id: .index-threshold + schedule: + interval: 1m + tags: + - cpu + updated_at: '2022-12-05T23:40:33.132Z' + updated_by: elastic + schedule: + - interval: 12h + run_at: '2024-01-01T12:00:00.000Z' + status: pending + - interval: 12h + run_at: '2024-01-02T00:00:00.000Z' + status: pending + space_id: default + start: '2024-01-01T00:00:00.000Z' + status: pending + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_backfill_response' + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a backfill with the given ID does not exist. + summary: Get a backfill by ID + tags: + - alerting + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/alerting/rules/backfill/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/apm/agent_keys: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/apm/agent_keys
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new agent key for APM. + The user creating an APM agent API key must have at least the `manage_own_api_key` cluster privilege and the APM application-level privileges that it wishes to grant. + After it is created, you can copy the API key (Base64 encoded) and use it to to authorize requests from APM agents to the APM Server. + operationId: createAgentKey + parameters: + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - $ref: '#/components/parameters/APM_UI_kbn_xsrf' + requestBody: + content: + application/json: + examples: + createAgentKeyRequest1: + $ref: '#/components/examples/APM_UI_agent_keys_object_post_request1' + schema: + $ref: '#/components/schemas/APM_UI_agent_keys_object' + required: true + responses: + '200': + content: + application/json: + examples: + createAgentKeyResponse1: + $ref: '#/components/examples/APM_UI_agent_keys_object_post_200_response1' + schema: + $ref: '#/components/schemas/APM_UI_agent_keys_response' + description: Agent key created successfully + '400': + content: + application/json: + examples: + badRequestResponse: + $ref: '#/components/examples/APM_UI_error_400_response' + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + examples: + unauthorizedResponse: + $ref: '#/components/examples/APM_UI_error_401_response' + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '403': + content: + application/json: + examples: + forbiddenResponse: + $ref: '#/components/examples/APM_UI_error_403_response' + schema: + $ref: '#/components/schemas/APM_UI_403_response' + description: Forbidden response + '500': + content: + application/json: + examples: + internalServerErrorResponse: + $ref: '#/components/examples/APM_UI_error_500_response' + schema: + $ref: 
'#/components/schemas/APM_UI_500_response' + description: Internal Server Error response + summary: Create an APM agent key + tags: + - APM agent keys + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/apm/fleet/apm_server_schema: + post: + deprecated: true + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/apm/fleet/apm_server_schema
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + DEPRECATED: This endpoint is intended for internal use by Fleet integrations to push the APM Server configuration schema. Do not use for new integrations. It stores the provided schema object as a Kibana saved object. If Fleet migration is not available on the current deployment, the API returns a 404. + operationId: saveApmServerSchema + parameters: + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - $ref: '#/components/parameters/APM_UI_kbn_xsrf' + requestBody: + content: + application/json: + examples: + saveApmServerSchemaRequest: + description: An example request payload for `POST /api/apm/fleet/apm_server_schema`. + value: + schema: + foo: bar + schema: + type: object + properties: + schema: + additionalProperties: true + description: Schema object + example: + foo: bar + type: object + required: true + responses: + '200': + content: + application/json: + examples: + saveApmServerSchemaResponseExample1: + $ref: '#/components/examples/APM_UI_fleet_apm_server_schema_200_response1' + schema: + additionalProperties: false + description: The response body is intentionally empty for this endpoint. 
+ type: object + description: Successful response + '400': + content: + application/json: + examples: + badRequestResponse: + $ref: '#/components/examples/APM_UI_error_400_response' + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + examples: + unauthorizedResponse: + $ref: '#/components/examples/APM_UI_error_401_response' + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '403': + content: + application/json: + examples: + forbiddenResponse: + $ref: '#/components/examples/APM_UI_error_403_response' + schema: + $ref: '#/components/schemas/APM_UI_403_response' + description: Forbidden response + '404': + content: + application/json: + examples: + notFoundResponse: + $ref: '#/components/examples/APM_UI_error_404_response' + schema: + $ref: '#/components/schemas/APM_UI_404_response' + description: Not found response + summary: Save APM server schema + tags: + - APM server schema + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/apm/services/{serviceName}/annotation: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/apm/services/{serviceName}/annotation
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new annotation for a specific service. + operationId: createAnnotation + parameters: + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - $ref: '#/components/parameters/APM_UI_kbn_xsrf' + - description: The name of the service + in: path + name: serviceName + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + createAnnotationRequest1: + $ref: '#/components/examples/APM_UI_annotation_object_post_request1' + schema: + $ref: '#/components/schemas/APM_UI_create_annotation_object' + required: true + responses: + '200': + content: + application/json: + examples: + createAnnotationResponse1: + $ref: '#/components/examples/APM_UI_annotation_object_post_200_response1' + schema: + $ref: '#/components/schemas/APM_UI_create_annotation_response' + description: Annotation created successfully + '400': + content: + application/json: + examples: + badRequestResponse: + $ref: '#/components/examples/APM_UI_error_400_response' + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + examples: + unauthorizedResponse: + $ref: '#/components/examples/APM_UI_error_401_response' + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '403': + content: + application/json: + examples: + forbiddenResponse: + $ref: '#/components/examples/APM_UI_error_403_response' + schema: + $ref: '#/components/schemas/APM_UI_403_response' + description: Forbidden response + '404': + content: + application/json: + examples: + notFoundResponse: + $ref: '#/components/examples/APM_UI_error_404_response' + schema: + $ref: '#/components/schemas/APM_UI_404_response' + description: Not found response + summary: Create a service annotation + tags: + - APM annotations + x-codeSamples: + - lang: Curl + source: | + curl -X 
POST \ + http://localhost:5601/api/apm/services/opbeans-java/annotation \ + -H 'Content-Type: application/json' \ + -H 'kbn-xsrf: true' \ + -H 'Authorization: Basic YhUlubWZhM0FDbnlQeE6WRtaW49FQmSGZ4RUWXdX' \ + -d '{ + "@timestamp": "2020-05-08T10:31:30.452Z", + "service": { + "version": "1.2" + }, + "message": "Deployment 1.2" + }' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/apm/services/{serviceName}/annotation/search: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/apm/services/{serviceName}/annotation/search
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Search for annotations related to a specific service. + operationId: getAnnotation + parameters: + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - description: The name of the service + in: path + name: serviceName + required: true + schema: + type: string + - description: The environment to filter annotations by + in: query + name: environment + required: false + schema: + type: string + - description: The start date for the search + example: '2024-01-01T00:00:00.000Z' + in: query + name: start + required: false + schema: + format: date-time + type: string + - description: The end date for the search + example: '2024-01-31T23:59:59.999Z' + in: query + name: end + required: false + schema: + format: date-time + type: string + responses: + '200': + content: + application/json: + examples: + getAnnotationResponse1: + $ref: '#/components/examples/APM_UI_annotation_search_get_200_response1' + schema: + $ref: '#/components/schemas/APM_UI_annotation_search_response' + description: Successful response + '400': + content: + application/json: + examples: + badRequestResponse: + $ref: '#/components/examples/APM_UI_error_400_response' + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + examples: + unauthorizedResponse: + $ref: '#/components/examples/APM_UI_error_401_response' + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '500': + content: + application/json: + examples: + internalServerErrorResponse: + $ref: '#/components/examples/APM_UI_error_500_response' + schema: + $ref: '#/components/schemas/APM_UI_500_response' + description: Internal Server Error response + summary: Search for annotations + tags: + - APM annotations + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + 
/api/apm/settings/agent-configuration: + delete: + description: | + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/apm/settings/agent-configuration
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete an existing agent configuration. You must have `all` privileges for the APM and User Experience feature in Kibana. When successful, the configuration is removed and, if Fleet is enabled, APM package policies are synchronized accordingly. + operationId: deleteAgentConfiguration + parameters: + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - $ref: '#/components/parameters/APM_UI_kbn_xsrf' + requestBody: + content: + application/json: + examples: + deleteAgentConfigurationRequest1: + $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_delete_request1' + schema: + $ref: '#/components/schemas/APM_UI_delete_service_object' + required: true + responses: + '200': + content: + application/json: + examples: + deleteAgentConfigurationResponseExample1: + $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_delete_200_response1' + schema: + $ref: '#/components/schemas/APM_UI_delete_agent_configurations_response' + description: Successful response + '400': + content: + application/json: + examples: + badRequestResponse: + $ref: '#/components/examples/APM_UI_error_400_response' + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + examples: + unauthorizedResponse: + $ref: '#/components/examples/APM_UI_error_401_response' + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '403': + content: + application/json: + examples: + forbiddenResponse: + $ref: '#/components/examples/APM_UI_error_403_response' + schema: + $ref: '#/components/schemas/APM_UI_403_response' + description: Forbidden response + '404': + content: + application/json: + examples: + notFoundResponse: + $ref: '#/components/examples/APM_UI_error_404_response' + schema: + $ref: '#/components/schemas/APM_UI_404_response' + 
description: Not found response + summary: Delete agent configuration + tags: + - APM agent configuration + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/apm/settings/agent-configuration
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve all agent configurations. You must have `read` privileges for the APM and User Experience feature in Kibana. If agent configuration is not available on the current deployment, the API returns a 404. + operationId: getAgentConfigurations + parameters: + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + responses: + '200': + content: + application/json: + examples: + getAgentConfigurationsResponseExample1: + $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_get_200_response1' + schema: + $ref: '#/components/schemas/APM_UI_agent_configurations_response' + description: Successful response + '400': + content: + application/json: + examples: + badRequestResponse: + $ref: '#/components/examples/APM_UI_error_400_response' + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + examples: + unauthorizedResponse: + $ref: '#/components/examples/APM_UI_error_401_response' + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '404': + content: + application/json: + examples: + notFoundResponse: + $ref: '#/components/examples/APM_UI_error_404_response' + schema: + $ref: '#/components/schemas/APM_UI_404_response' + description: Not found response + summary: Get a list of agent configurations + tags: + - APM agent configuration + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: | + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/apm/settings/agent-configuration
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create or update an agent configuration. You must have `all` privileges for the APM and User Experience feature in Kibana. When updating an existing configuration, the `?overwrite=true` query parameter is required. If the configuration already exists and `overwrite` is not set to `true`, the API returns a 400 error. When successful and Fleet is enabled, APM package policies are synchronized accordingly. + operationId: createUpdateAgentConfiguration + parameters: + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - $ref: '#/components/parameters/APM_UI_kbn_xsrf' + - description: If the config exists ?overwrite=true is required + in: query + name: overwrite + schema: + type: boolean + requestBody: + content: + application/json: + examples: + createUpdateAgentConfigurationRequestExample1: + $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_put_request1' + schema: + $ref: '#/components/schemas/APM_UI_agent_configuration_intake_object' + required: true + responses: + '200': + content: + application/json: + examples: + createUpdateAgentConfigurationResponseExample1: + $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_put_200_response1' + schema: + additionalProperties: false + description: The response body is intentionally empty for this endpoint. 
+ type: object + description: Successful response + '400': + content: + application/json: + examples: + badRequestResponse: + $ref: '#/components/examples/APM_UI_error_400_response' + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + examples: + unauthorizedResponse: + $ref: '#/components/examples/APM_UI_error_401_response' + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '403': + content: + application/json: + examples: + forbiddenResponse: + $ref: '#/components/examples/APM_UI_error_403_response' + schema: + $ref: '#/components/schemas/APM_UI_403_response' + description: Forbidden response + '404': + content: + application/json: + examples: + notFoundResponse: + $ref: '#/components/examples/APM_UI_error_404_response' + schema: + $ref: '#/components/schemas/APM_UI_404_response' + description: Not found response + summary: Create or update agent configuration + tags: + - APM agent configuration + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/apm/settings/agent-configuration/agent_name: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/apm/settings/agent-configuration/agent_name
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve `agentName` for a service. + operationId: getAgentNameForService + parameters: + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - description: The name of the service + example: node + in: query + name: serviceName + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getAgentNameForServiceResponse1: + $ref: '#/components/examples/APM_UI_service_agent_name_get_200_response1' + schema: + $ref: '#/components/schemas/APM_UI_service_agent_name_response' + description: Successful response + '400': + content: + application/json: + examples: + badRequestResponse: + $ref: '#/components/examples/APM_UI_error_400_response' + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + examples: + unauthorizedResponse: + $ref: '#/components/examples/APM_UI_error_401_response' + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '404': + content: + application/json: + examples: + notFoundResponse: + $ref: '#/components/examples/APM_UI_error_404_response' + schema: + $ref: '#/components/schemas/APM_UI_404_response' + description: Not found response + summary: Get agent name for service + tags: + - APM agent configuration + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/apm/settings/agent-configuration/environments: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/apm/settings/agent-configuration/environments
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve the available environments for a given service, to be used in agent configuration. You must have `read` privileges for the APM and User Experience feature in Kibana. If `serviceName` is omitted, environments across all services are returned. + operationId: getEnvironmentsForService + parameters: + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - description: The name of the service. If omitted, environments across all services are returned. + example: opbeans-node + in: query + name: serviceName + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getEnvironmentsForServiceResponseExample1: + $ref: '#/components/examples/APM_UI_agent_configuration_environments_200_response1' + schema: + $ref: '#/components/schemas/APM_UI_service_environments_response' + description: Successful response + '400': + content: + application/json: + examples: + badRequestResponse: + $ref: '#/components/examples/APM_UI_error_400_response' + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + examples: + unauthorizedResponse: + $ref: '#/components/examples/APM_UI_error_401_response' + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '404': + content: + application/json: + examples: + notFoundResponse: + $ref: '#/components/examples/APM_UI_error_404_response' + schema: + $ref: '#/components/schemas/APM_UI_404_response' + description: Not found response + summary: Get environments for service + tags: + - APM agent configuration + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/apm/settings/agent-configuration/search: + post: + deprecated: true + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/apm/settings/agent-configuration/search
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + DEPRECATED: This endpoint is intended for internal use by APM agents to fetch their configuration and mark it as applied. Do not use for new integrations. It searches for a single agent configuration matching the given service, and optionally updates the `applied_by_agent` field when the provided `etag` matches the current configuration. + operationId: searchSingleConfiguration + parameters: + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - $ref: '#/components/parameters/APM_UI_kbn_xsrf' + requestBody: + content: + application/json: + examples: + searchSingleConfigurationRequest1: + $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_search_request1' + schema: + $ref: '#/components/schemas/APM_UI_search_agent_configuration_object' + required: true + responses: + '200': + content: + application/json: + examples: + searchSingleConfigurationResponse1: + $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_search_200_response1' + schema: + $ref: '#/components/schemas/APM_UI_search_agent_configuration_response' + description: Successful response + '400': + content: + application/json: + examples: + badRequestResponse: + $ref: '#/components/examples/APM_UI_error_400_response' + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + examples: + unauthorizedResponse: + $ref: '#/components/examples/APM_UI_error_401_response' + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '404': + content: + application/json: + examples: + notFoundResponse: + $ref: '#/components/examples/APM_UI_error_404_response' + schema: + $ref: '#/components/schemas/APM_UI_404_response' + description: Not found response + summary: Lookup single agent configuration + tags: + - APM agent configuration + x-metaTags: + - 
content: Kibana, Elastic Cloud Serverless + name: product_name + /api/apm/settings/agent-configuration/view: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/apm/settings/agent-configuration/view
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve a single agent configuration matching the given service name and environment. You must have `read` privileges for the APM and User Experience feature in Kibana. If no matching configuration is found, the API returns a 404. + operationId: getSingleAgentConfiguration + parameters: + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - description: Service name + example: node + in: query + name: name + schema: + type: string + - description: Service environment + example: prod + in: query + name: environment + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getSingleAgentConfigurationResponseExample1: + $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_view_200_response1' + schema: + $ref: '#/components/schemas/APM_UI_single_agent_configuration_response' + description: Successful response + '400': + content: + application/json: + examples: + badRequestResponse: + $ref: '#/components/examples/APM_UI_error_400_response' + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + examples: + unauthorizedResponse: + $ref: '#/components/examples/APM_UI_error_401_response' + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '404': + content: + application/json: + examples: + notFoundResponse: + $ref: '#/components/examples/APM_UI_error_404_response' + schema: + $ref: '#/components/schemas/APM_UI_404_response' + description: Not found response + summary: Get single agent configuration + tags: + - APM agent configuration + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/asset_criticality: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/asset_criticality
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete the asset criticality record for a specific entity. + operationId: DeleteAssetCriticalityRecord + parameters: + - description: The ID value of the asset. + example: my_host + in: query + name: id_value + required: true + schema: + type: string + - description: The field representing the ID. + example: host.name + in: query + name: id_field + required: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_IdField' + - description: If 'wait_for' the request will wait for the index refresh. + in: query + name: refresh + required: false + schema: + enum: + - wait_for + type: string + responses: + '200': + content: + application/json: + schema: + type: object + properties: + deleted: + description: True if the record was deleted or false if the record did not exist. + type: boolean + record: + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord' + description: The deleted record if it existed. + required: + - deleted + description: Successful response + '400': + description: Invalid request + summary: Delete an asset criticality record + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/asset_criticality
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the asset criticality record for a specific entity. + operationId: GetAssetCriticalityRecord + parameters: + - description: The ID value of the asset. + example: my_host + in: query + name: id_value + required: true + schema: + type: string + - description: The field representing the ID. + example: host.name + in: query + name: id_field + required: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_IdField' + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord' + description: Successful response + '400': + description: Invalid request + '404': + description: Criticality record not found + summary: Get an asset criticality record + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/asset_criticality
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create or update an asset criticality record for a specific entity. + + If a record already exists for the specified entity, that record is overwritten with the specified value. If a record doesn't exist for the specified entity, a new record is created. + operationId: CreateAssetCriticalityRecord + requestBody: + content: + application/json: + schema: + allOf: + - $ref: '#/components/schemas/Security_Entity_Analytics_API_CreateAssetCriticalityRecord' + - type: object + properties: + refresh: + description: If 'wait_for' the request will wait for the index refresh. + enum: + - wait_for + type: string + example: + criticality_level: high_impact + id_field: host.name + id_value: my_host + required: true + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord' + description: Successful response + '400': + description: Invalid request + summary: Upsert an asset criticality record + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/asset_criticality/bulk: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/asset_criticality/bulk
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Bulk upsert up to 1000 asset criticality records. + + If asset criticality records already exist for the specified entities, those records are overwritten with the specified values. If asset criticality records don't exist for the specified entities, new records are created. + operationId: BulkUpsertAssetCriticalityRecords + requestBody: + content: + application/json: + schema: + example: + records: + - criticality_level: low_impact + id_field: host.name + id_value: host-1 + - criticality_level: medium_impact + id_field: host.name + id_value: host-2 + type: object + properties: + records: + items: + allOf: + - $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordIdParts' + - type: object + properties: + criticality_level: + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevelsForBulkUpload' + required: + - criticality_level + maxItems: 1000 + minItems: 1 + type: array + required: + - records + responses: + '200': + content: + application/json: + schema: + example: + errors: + - index: 0 + message: Invalid ID field + stats: + failed: 1 + successful: 1 + total: 2 + type: object + properties: + errors: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityBulkUploadErrorItem' + type: array + stats: + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityBulkUploadStats' + required: + - errors + - stats + description: Bulk upload successful + '413': + description: File too large + summary: Bulk upsert asset criticality records + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/asset_criticality/list: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/asset_criticality/list
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List asset criticality records, paging, sorting and filtering as needed. + operationId: FindAssetCriticalityRecords + parameters: + - description: The field to sort by. + in: query + name: sort_field + required: false + schema: + enum: + - id_value + - id_field + - criticality_level + - '@timestamp' + type: string + - description: The order to sort by. + in: query + name: sort_direction + required: false + schema: + enum: + - asc + - desc + type: string + - description: The page number to return. + in: query + name: page + required: false + schema: + minimum: 1 + type: integer + - description: The number of records to return per page. + in: query + name: per_page + required: false + schema: + maximum: 1000 + minimum: 1 + type: integer + - description: The kuery to filter by. + in: query + name: kuery + required: false + schema: + type: string + responses: + '200': + content: + application/json: + schema: + example: + page: 1 + per_page: 10 + records: + - '@timestamp': '2024-08-02T14:40:35.705Z' + asset: + criticality: medium_impact + criticality_level: medium_impact + host: + asset: + criticality: medium_impact + name: my_other_host + id_field: host.name + id_value: my_other_host + - '@timestamp': '2024-08-02T11:15:34.290Z' + asset: + criticality: high_impact + criticality_level: high_impact + host: + asset: + criticality: high_impact + name: my_host + id_field: host.name + id_value: my_host + total: 2 + type: object + properties: + page: + minimum: 1 + type: integer + per_page: + maximum: 1000 + minimum: 1 + type: integer + records: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord' + type: array + total: + minimum: 0 + type: integer + required: + - records + - page + - per_page + - total + description: Successfully retrieved asset criticality records + summary: List asset criticality records + tags: + - Security Entity 
Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/attack_discovery/_bulk: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/attack_discovery/_bulk
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Performs bulk updates on multiple Attack discoveries, including workflow status changes and visibility settings. This endpoint allows efficient batch processing of alert modifications without requiring individual API calls for each alert. + operationId: PostAttackDiscoveryBulk + requestBody: + content: + application/json: + examples: + PostAttackDiscoveryBulkRequestBodyExample: + summary: Acknowledge two Attack discoveries in bulk. + value: + update: + enable_field_rendering: false + ids: + - c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f + - 5aa8f2900c0b03854b3b1a52a19558c5ea9893865c78235d4ad3dcc46196f4c7 + kibana_alert_workflow_status: acknowledged + with_replacements: true + schema: + type: object + properties: + update: + description: Configuration object containing all parameters for the bulk update operation + type: object + properties: + enable_field_rendering: + default: false + description: Enables a markdown syntax used to render pivot fields, for example `{{ user.name james }}`. When disabled, the same example would be rendered as `james`. This is primarily used for Attack Discovery views within Kibana. Defaults to `false`. 
+ example: false + type: boolean + ids: + description: Array of Attack Discovery IDs to update + example: + - c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f + - 5aa8f2900c0b03854b3b1a52a19558c5ea9893865c78235d4ad3dcc46196f4c7 + items: + type: string + type: array + kibana_alert_workflow_status: + description: When provided, update the kibana.alert.workflow_status of the attack discovery alerts + enum: + - open + - acknowledged + - closed + example: acknowledged + type: string + visibility: + description: When provided, update the visibility of the alert, as determined by the kibana.alert.attack_discovery.users field + enum: + - not_shared + - shared + example: shared + type: string + with_replacements: + default: true + description: When true, returns the updated Attack discoveries with text replacements applied to the detailsMarkdown, entitySummaryMarkdown, summaryMarkdown, and title fields. This substitutes anonymized values with human-readable equivalents. Defaults to `true`. + example: true + type: boolean + required: + - ids + required: + - update + description: Bulk update parameters for Attack discoveries + required: true + responses: + '200': + content: + application/json: + examples: + PostAttackDiscoveryBulkResponse200Example: + summary: A successful bulk update response containing the modified Attack discoveries. + value: + data: + - alert_ids: + - alert-abc-1 + alert_workflow_status: acknowledged + connector_id: gen-ai-connector + connector_name: OpenAI GPT-4 + details_markdown: '- **Host** `workstation-01` showed credential access patterns consistent with mimikatz.' + generation_uuid: 550e8400-e29b-41d4-a716-446655440000 + id: c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f + summary_markdown: A user account was compromised using mimikatz to dump credentials. 
+ timestamp: '2024-01-15T10:00:00.000Z' + title: Credential theft via mimikatz + schema: + type: object + properties: + data: + description: Array of updated Attack Discovery alert objects. Each item includes the applied modifications from the bulk update request. + items: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiAlert' + type: array + required: + - data + description: Indicates a successful call. + '400': + content: + application/json: + examples: + PostAttackDiscoveryBulkResponse400Example: + summary: Bad Request error returned when the bulk update payload is invalid. + value: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + type: object + properties: + error: + description: Error type + example: Bad Request + type: string + message: + description: Human-readable error message describing what went wrong with the bulk update request + example: Invalid request parameters. + type: string + status_code: + description: HTTP status code + example: 400 + type: number + required: + - status_code + - error + - message + description: Bad Request response. + summary: Bulk update Attack discoveries + tags: + - Security Attack discovery API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request POST 'http://localhost:5601/api/attack_discovery/_bulk' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" \ + --data-raw '{ + "update": { + "ids": [ + "c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f", + "5aa8f2900c0b03854b3b1a52a19558c5ea9893865c78235d4ad3dcc46196f4c7" + ], + "kibana_alert_workflow_status": "acknowledged" + } + }' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/attack_discovery/_find: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/attack_discovery/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Find Attack discoveries that match the search criteria. Supports free text search, filtering, pagination, and sorting. + operationId: AttackDiscoveryFind + parameters: + - description: Filter results to Attack discoveries that include any of the provided alert IDs + in: query + name: alert_ids + required: false + schema: + items: + type: string + type: array + - description: Filter results to Attack discoveries created by any of the provided human readable connector names. Note that values must match the human readable `connector_name` property of an Attack discovery, e.g. "GPT-5 Chat", which are distinct from `connector_id` values used to generate Attack discoveries. + in: query + name: connector_names + required: false + schema: + items: + type: string + type: array + - description: Enables a markdown syntax used to render pivot fields, for example `{{ user.name james }}`. When disabled, the same example would be rendered as `james`. This is primarily used for Attack Discovery views within Kibana. Defaults to `false`. + example: false + in: query + name: enable_field_rendering + required: false + schema: + default: false + type: boolean + - description: End of the time range for the search. Accepts absolute timestamps (ISO 8601) or relative date math (e.g. "now", "now-24h"). + example: now + in: query + name: end + required: false + schema: + type: string + - description: Filter results to the Attack discoveries with the specified IDs + in: query + name: ids + required: false + schema: + items: + type: string + type: array + - description: If `true`, the response will include `unique_alert_ids` and `unique_alert_ids_count` aggregated across the matched Attack discoveries + example: false + in: query + name: include_unique_alert_ids + required: false + schema: + type: boolean + - description: Page number to return (used for pagination). Defaults to 1. 
+ example: 1 + in: query + name: page + required: false + schema: + default: 1 + minimum: 1 + type: integer + - description: Number of Attack discoveries to return per page (used for pagination). Defaults to 10. + example: 10 + in: query + name: per_page + required: false + schema: + default: 10 + minimum: 1 + type: integer + - description: Free-text search query applied to relevant text fields of Attack discoveries (title, description, tags, etc.) + example: '' + in: query + name: search + required: false + schema: + type: string + - description: Whether to filter by shared visibility. If omitted, both shared and privately visible Attack discoveries are returned. Use `true` to return only shared discoveries, `false` to return only those visible to the current user. + in: query + name: shared + required: false + schema: + type: boolean + - description: Whether to filter by scheduled or ad-hoc attack discoveries. If omitted, both types of attack discoveries are returned. Use `true` to return only scheduled discoveries or `false` to return only ad-hoc discoveries. + in: query + name: scheduled + required: false + schema: + type: boolean + - description: Field used to sort results. See `AttackDiscoveryFindSortField` for allowed values. + example: '@timestamp' + in: query + name: sort_field + required: false + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryFindSortField' + default: '@timestamp' + - description: Sort order direction `asc` for ascending or `desc` for descending. Defaults to `desc`. + example: desc + in: query + name: sort_order + required: false + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_SortOrder' + default: desc + - description: Start of the time range for the search. Accepts absolute timestamps (ISO 8601) or relative date math (e.g. "now-7d"). + example: now-24h + in: query + name: start + required: false + schema: + type: string + - description: Filter by alert workflow status. 
Provide one or more of the allowed workflow states. + example: + - open + - acknowledged + in: query + name: status + required: false + schema: + items: + enum: + - acknowledged + - closed + - open + type: string + type: array + - description: When true, return the created Attack discoveries with text replacements applied to the detailsMarkdown, entitySummaryMarkdown, summaryMarkdown, and title fields. Defaults to `true`. + example: true + in: query + name: with_replacements + required: false + schema: + default: true + type: boolean + responses: + '200': + content: + application/json: + examples: + AttackDiscoveryFindResponse200Example: + summary: Paginated list of Attack discoveries matching the search criteria. + value: + connector_names: + - GPT-5 Chat + data: + - connector_name: GPT-5 Chat + id: c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f + title: Suspicious process execution on host-01 + page: 1 + per_page: 10 + total: 1 + unique_alert_ids_count: 0 + schema: + type: object + properties: + connector_names: + description: List of human readable connector names that are present in the matched Attack discoveries. Useful for building client filters or summaries. + items: + type: string + type: array + data: + description: Array of matched Attack discovery objects. Each item follows the `AttackDiscoveryApiAlert` schema. + items: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiAlert' + type: array + page: + description: Current page number of the paginated result set. + type: integer + per_page: + description: Number of items requested per page. + type: integer + total: + description: Total number of Attack discoveries matching the query (across all pages). + type: integer + unique_alert_ids: + description: List of unique alert IDs aggregated from the matched Attack discoveries. Only present if `include_unique_alert_ids=true` in the request. 
+ items: + type: string + type: array + unique_alert_ids_count: + description: Number of unique alert IDs across all matched Attack discoveries. Only present if `include_unique_alert_ids=true` in the request. + type: integer + required: + - connector_names + - data + - page + - per_page + - total + - unique_alert_ids_count + description: Indicates a successful call. + '400': + content: + application/json: + examples: + AttackDiscoveryFindResponse400Example: + summary: Bad Request error returned when find query parameters are invalid. + value: + error: Bad Request + message: Invalid request payload. + status_code: 400 + schema: + type: object + properties: + error: + description: Error type + example: Bad Request + type: string + message: + description: Human-readable error message + example: Invalid request payload. + type: string + status_code: + description: HTTP status code + example: 400 + type: number + description: Bad Request response. + summary: Find Attack discoveries that match the search criteria + tags: + - Security Attack discovery API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request GET 'http://localhost:5601/api/attack_discovery/_find?end=now&include_unique_alert_ids=false&page=1&per_page=10&search=&sort_field=%40timestamp&sort_order=desc&start=now-24h&status=open&status=acknowledged' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/attack_discovery/_generate: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/attack_discovery/_generate
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Initiates the generation of attack discoveries by analyzing security alerts using AI. Returns an execution UUID that can be used to track the generation progress and retrieve results. Results may also be retrieved via the find endpoint. + operationId: PostAttackDiscoveryGenerate + requestBody: + content: + application/json: + examples: + PostAttackDiscoveryGenerateRequestBodyExample: + summary: Generate Attack discoveries from alerts in the last 24 hours. + value: + alertsIndexPattern: .alerts-security.alerts-default + anonymizationFields: + - allowed: true + anonymized: true + field: host.name + - allowed: true + anonymized: true + field: user.name + - allowed: true + anonymized: false + field: process.name + apiConfig: + actionTypeId: .gen-ai + connectorId: 12345678-1234-1234-1234-123456789012 + connectorName: GPT-5 Chat + end: now + replacements: {} + size: 100 + start: now-24h + subAction: invokeAI + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenerationConfig' + required: true + responses: + '200': + content: + application/json: + examples: + PostAttackDiscoveryGenerateResponse200Example: + summary: Generation started; use the returned execution UUID to track progress. + value: + execution_uuid: edd26039-0990-4d9f-9829-2a1fcacb77b5 + schema: + type: object + properties: + execution_uuid: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + description: The unique identifier for the attack discovery generation process. Use this UUID to track the generation progress and retrieve results via the find endpoint. + example: edd26039-0990-4d9f-9829-2a1fcacb77b5 + required: + - execution_uuid + description: Indicates a successful call. 
+ '400': + content: + application/json: + examples: + PostAttackDiscoveryGenerateResponse400Example: + summary: Bad Request error returned when the generate payload is invalid. + value: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + type: object + properties: + error: + description: Error type + example: Bad Request + type: string + message: + description: Human-readable error message describing what went wrong + example: Invalid request parameters. + type: string + status_code: + description: HTTP status code + example: 400 + type: number + required: + - status_code + - error + - message + description: Bad Request response. + summary: Generate attack discoveries from alerts + tags: + - Security Attack discovery API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request POST 'http://localhost:5601/api/attack_discovery/_generate' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" \ + --data '{ + "alertsIndexPattern": ".alerts-security.alerts-default", + "anonymizationFields": [ + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "@timestamp", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "aKiJW5gB4U27o8XO8oLf" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "Ransomware.feature", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "saiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "Ransomware.files.data", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "sqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "Ransomware.files.entropy", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": 
"s6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "Ransomware.files.extension", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "tKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "Ransomware.files.metrics", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "taiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "Ransomware.files.operation", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "tqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "Ransomware.files.path", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "t6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "Ransomware.files.score", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "uKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "Ransomware.version", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "uaiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "_id", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "Z6iJW5gB4U27o8XO8oLf" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "agent.id", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "aaiJW5gB4U27o8XO8oLf" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "cloud.availability_zone", + "allowed": true, + 
"anonymized": false, + "namespace": "default", + "id": "aqiJW5gB4U27o8XO8oLf" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "cloud.provider", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "a6iJW5gB4U27o8XO8oLf" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "cloud.region", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "bKiJW5gB4U27o8XO8oLf" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "destination.ip", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "baiJW5gB4U27o8XO8oLf" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "dns.question.name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "bqiJW5gB4U27o8XO8oLf" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "dns.question.type", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "b6iJW5gB4U27o8XO8oLf" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "event.category", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "cKiJW5gB4U27o8XO8oLf" + }, { "timestamp": "2025-07-30T13:33:44.029Z", "createdAt": "2025-07-30T13:33:44.029Z", 
@@ -2893,2180 +9884,12030 @@ paths: "id": "y6iJW5gB4U27o8XO8oLg" }, { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "user.target.name", - "allowed": true, - "anonymized": true, - "namespace": "default", - "id": "zKiJW5gB4U27o8XO8oLg" - } - ], - "replacements": {}, - "size": 100, - "subAction": "invokeAI", - "apiConfig": { - "connectorId": "12345678-1234-1234-1234-123456789012", - "actionTypeId": ".gen-ai" + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "user.target.name", + "allowed": true, + "anonymized": true, + "namespace": "default", + "id": "zKiJW5gB4U27o8XO8oLg" + } + ], + "replacements": {}, + "size": 100, + "subAction": "invokeAI", + "apiConfig": { + "connectorId": "12345678-1234-1234-1234-123456789012", + "actionTypeId": ".gen-ai" + }, + "connectorName": "GPT-5 Chat", + "end": "now", + "start": "now-24h" + }' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/attack_discovery/generations: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/attack_discovery/generations
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the latest Attack Discovery generations metadata (that are not dismissed) for the current user. This endpoint retrieves generation metadata including execution status and statistics for Attack Discovery generations. + operationId: GetAttackDiscoveryGenerations + parameters: + - description: End of the time range for filtering generations. Accepts absolute timestamps (ISO 8601) or relative date math (e.g. "now", "now-24h"). + example: now + in: query + name: end + required: false + schema: + type: string + - description: The maximum number of generations to retrieve + example: 50 + in: query + name: size + required: false + schema: + default: 50 + minimum: 1 + type: number + - description: Start of the time range for filtering generations. Accepts absolute timestamps (ISO 8601) or relative date math (e.g. "now-7d"). + example: now-24h + in: query + name: start + required: false + schema: + type: string + responses: + '200': + content: + application/json: + examples: + GetAttackDiscoveryGenerationsResponse200Example: + summary: Latest Attack Discovery generation metadata for the current user. + value: + generations: + - alerts_context_count: 75 + connector_id: chatGpt5_0ChatAzure + discoveries: 3 + end: '2025-09-29T06:42:44.810Z' + execution_uuid: 46b218d5-535d-4329-be56-d0f6af6986b7 + loading_message: AI is analyzing up to 100 alerts in the last 24 hours to generate discoveries. + start: '2025-09-29T06:42:08.962Z' + status: succeeded + schema: + type: object + properties: + generations: + description: List of Attack Discovery generations + items: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGeneration' + type: array + required: + - generations + description: Indicates a successful call. 
+ '400': + content: + application/json: + examples: + GetAttackDiscoveryGenerationsResponse400Example: + summary: Bad Request error returned when the size parameter is invalid. + value: + error: Bad Request + message: Invalid size parameter. Must be a positive number. + status_code: 400 + schema: + type: object + properties: + error: + description: Error type + example: Bad Request + type: string + message: + description: Human-readable error message + example: Invalid size parameter. Must be a positive number. + type: string + status_code: + description: HTTP status code + example: 400 + type: number + description: Bad Request response. + summary: Get the latest Attack Discovery generations metadata for the current user + tags: + - Security Attack discovery API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request GET 'http://localhost:5601/api/attack_discovery/generations?size=50&start=now-24h&end=now' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/attack_discovery/generations/{execution_uuid}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/attack_discovery/generations/{execution_uuid}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Returns a specific Attack Discovery generation, including all generated Attack discoveries and associated metadata, including execution status and statistics. + operationId: GetAttackDiscoveryGeneration + parameters: + - description: The unique identifier for the Attack Discovery generation execution. This UUID is returned at the start of an Attack Discovery generation. + example: 2e13f386-46cf-4d65-9e2b-68609e132ba5 + in: path + name: execution_uuid + required: true + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + - description: Enables a markdown syntax used to render pivot fields, for example `{{ user.name james }}`. When disabled, the same example would be rendered as `james`. This is primarily used for Attack Discovery views within Kibana. Defaults to `false`. + example: false + in: query + name: enable_field_rendering + required: false + schema: + default: false + type: boolean + - description: When true, return the created Attack discoveries with text replacements applied to the detailsMarkdown, entitySummaryMarkdown, summaryMarkdown, and title fields. Defaults to `true`. + example: true + in: query + name: with_replacements + required: false + schema: + default: true + type: boolean + responses: + '200': + content: + application/json: + examples: + GetAttackDiscoveryGenerationResponse200Example: + summary: Single Attack Discovery generation with its discoveries and metadata. 
+ value: + data: + - id: c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f + title: Suspicious process execution on host-01 + generation: + alerts_context_count: 50 + discoveries: 1 + end: '2025-09-29T06:42:44.810Z' + execution_uuid: 2e13f386-46cf-4d65-9e2b-68609e132ba5 + start: '2025-09-29T06:42:08.962Z' + status: succeeded + schema: + type: object + properties: + data: + description: Array of Attack discoveries generated during this execution. + items: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiAlert' + type: array + generation: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGeneration' + description: Optional metadata about the attack discovery generation process, metadata including execution status and statistics. This metadata may not be available for all generations. + required: + - data + description: Indicates a successful call. + '400': + content: + application/json: + examples: + GetAttackDiscoveryGenerationResponse400Example: + summary: Bad Request error returned when the get-generation request is invalid. + value: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + type: object + properties: + error: + description: Error type + example: Bad Request + type: string + message: + description: Human-readable error message describing what went wrong with the request + example: Invalid request parameters. + type: string + status_code: + description: HTTP status code + example: 400 + type: number + required: + - status_code + - error + - message + description: Bad Request response. 
+ summary: Get a single Attack Discovery generation, including its discoveries and (optional) generation metadata + tags: + - Security Attack discovery API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request GET 'http://localhost:5601/api/attack_discovery/generations/2e13f386-46cf-4d65-9e2b-68609e132ba5' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/attack_discovery/generations/{execution_uuid}/_dismiss: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/attack_discovery/generations/{execution_uuid}/_dismiss
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Dismisses an Attack Discovery generation for the current user, indicating that its status should not be reported in the UI. This sets the generation's status to "dismissed" and affects how the generation appears in subsequent queries. + operationId: PostAttackDiscoveryGenerationsDismiss + parameters: + - description: The unique identifier for the Attack Discovery generation execution. This UUID is returned when an Attack Discovery generation is created and can be found in generation responses. + example: 46b218d5-535d-4329-be56-d0f6af6986b7 + in: path + name: execution_uuid + required: true + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + responses: + '200': + content: + application/json: + examples: + PostAttackDiscoveryGenerationsDismissResponse200Example: + summary: Successfully dismissed an Attack Discovery generation. + value: + alerts_context_count: 75 + connector_id: chatGpt5_0ChatAzure + discoveries: 3 + end: '2025-09-29T06:42:44.810Z' + execution_uuid: 46b218d5-535d-4329-be56-d0f6af6986b7 + loading_message: AI is analyzing up to 100 alerts in the last 24 hours to generate discoveries. + start: '2025-09-29T06:42:08.962Z' + status: dismissed + schema: + type: object + properties: + alerts_context_count: + description: The number of alerts that were sent as context to the LLM for this generation. + example: 75 + type: number + connector_id: + description: The unique identifier of the connector used to generate the attack discoveries. + example: chatGpt5_0ChatAzure + type: string + connector_stats: + description: Statistical information about the connector's performance for this user, providing insights into usage patterns and success rates. 
+ type: object + properties: + average_successful_duration_nanoseconds: + description: The average duration in nanoseconds for successful generations using this connector by the current user. + example: 47958500000 + type: number + successful_generations: + description: The total number of Attack discoveries successfully created for this generation + example: 2 + type: number + discoveries: + description: The number of attack discoveries that were generated during this execution. + example: 3 + type: number + end: + description: The timestamp when the generation process completed, in ISO 8601 format. This field may be absent for generations that haven't finished. + example: '2025-09-29T06:42:44.810Z' + type: string + execution_uuid: + description: The unique identifier for this attack discovery generation execution. This UUID can be used to reference this specific generation in other API calls. + example: 46b218d5-535d-4329-be56-d0f6af6986b7 + type: string + loading_message: + description: A human-readable message describing the current state or progress of the generation process. Provides context about what the AI is analyzing. + example: AI is analyzing up to 100 alerts in the last 24 hours to generate discoveries. + type: string + reason: + description: Additional context or reasoning provided when a generation fails or encounters issues. This field helps diagnose problems with the generation process. + example: Connection timeout to AI service + type: string + start: + description: The timestamp when the generation process began, in ISO 8601 format. This marks the beginning of the AI analysis. + example: '2025-09-29T06:42:08.962Z' + type: string + status: + description: The current status of the attack discovery generation. After dismissing, this will be set to "dismissed". 
+ enum: + - canceled + - dismissed + - failed + - started + - succeeded + example: dismissed + type: string + required: + - connector_id + - discoveries + - execution_uuid + - loading_message + - start + - status + description: Indicates a successful call. + '400': + content: + application/json: + examples: + PostAttackDiscoveryGenerationsDismissResponse400Example: + summary: Bad Request error returned when the dismiss request is invalid. + value: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + type: object + properties: + error: + description: Error type or category + example: Bad Request + type: string + message: + description: Human-readable error message describing what went wrong with the request. + example: Invalid request parameters. + type: string + status_code: + description: HTTP status code indicating the type of client error + example: 400 + type: number + required: + - status_code + - error + - message + description: Bad Request response. + summary: Dismiss an Attack Discovery generation + tags: + - Security Attack discovery API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request POST 'http://localhost:5601/api/attack_discovery/generations/46b218d5-535d-4329-be56-d0f6af6986b7/_dismiss' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/attack_discovery/schedules: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/attack_discovery/schedules
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Creates a new Attack Discovery schedule that analyzes security alerts at specified intervals. The schedule defines when and how Attack Discovery analysis should run, including which alerts to analyze, which AI connector to use, and what actions to take when discoveries are found. + operationId: CreateAttackDiscoverySchedules + requestBody: + content: + application/json: + examples: + CreateAttackDiscoverySchedulesRequestBodyExample: + summary: Create a daily Attack Discovery schedule that runs every 24 hours. + value: + actions: [] + enabled: true + name: Daily Security Analysis + params: + alerts_index_pattern: .alerts-security.alerts-default + api_config: + actionTypeId: bedrock + connectorId: my-bedrock-connector + name: Claude 3.5 Sonnet + end: now + size: 100 + start: now-24h + schedule: + interval: 24h + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleCreateProps' + description: Attack Discovery schedule configuration including name, parameters, schedule interval, and actions + required: true + responses: + '200': + content: + application/json: + examples: + CreateAttackDiscoverySchedulesResponse200Example: + summary: A newly created Attack Discovery schedule. + value: + actions: [] + created_at: '2023-10-31T10:00:00.000Z' + created_by: elastic + enabled: true + id: 12345678-1234-1234-1234-123456789012 + name: Daily Security Analysis + params: + alerts_index_pattern: .alerts-security.alerts-default + api_config: + actionTypeId: bedrock + connectorId: my-bedrock-connector + name: Claude 3.5 Sonnet + end: now + size: 100 + start: now-24h + schedule: + interval: 24h + updated_at: '2023-10-31T10:00:00.000Z' + updated_by: elastic + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule' + description: The Attack Discovery schedule was successfully created. 
+ '400': + content: + application/json: + examples: + CreateAttackDiscoverySchedulesResponse400Example: + summary: Bad Request error returned when the create schedule payload is invalid. + value: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError' + description: Bad Request response. + summary: Create Attack Discovery schedule + tags: + - Security Attack discovery API + x-codeSamples: + - label: Create an Attack Discovery schedule + lang: curl + source: | + curl \ + --request POST 'http://localhost:5601/api/attack_discovery/schedules' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" \ + --data '{ + "name": "Daily Security Analysis", + "enabled": true, + "params": { + "alerts_index_pattern": ".alerts-security.alerts-default", + "api_config": { + "actionTypeId": "bedrock", + "connectorId": "my-bedrock-connector", + "name": "Claude 3.5 Sonnet" + }, + "size": 100, + "start": "now-24h", + "end": "now" + }, + "schedule": { + "interval": "24h" + }, + "actions": [ + { + "action_type_id": ".cases", + "id": "system-connector-.cases", + "params": { + "subAction": "run", + "subActionParams": { + "timeWindow": "7d", + "reopenClosedCases": false, + "groupingBy": [], + "templateId": null + } + }, + "uuid": "12345678-1234-1234-1234-123456789012" + } + ] + }' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/attack_discovery/schedules/_bulk_delete: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/attack_discovery/schedules/_bulk_delete
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Deletes multiple Attack Discovery schedules by ID. + operationId: BulkDeleteAttackDiscoverySchedules + requestBody: + content: + application/json: + examples: + BulkDeleteAttackDiscoverySchedulesRequestBodyExample: + summary: Delete two Attack Discovery schedules. + value: + ids: + - 12345678-1234-1234-1234-123456789012 + - 98765432-1234-1234-1234-123456789012 + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_BulkActionAttackDiscoverySchedulesRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + BulkDeleteAttackDiscoverySchedulesResponse200Example: + summary: Bulk delete response for two successfully deleted schedules. + value: + errors: [] + ids: + - 12345678-1234-1234-1234-123456789012 + - 98765432-1234-1234-1234-123456789012 + total: 2 + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_BulkActionAttackDiscoverySchedulesResponse' + description: Successfully processed the bulk delete request. + '400': + content: + application/json: + examples: + BulkDeleteAttackDiscoverySchedulesResponse400Example: + summary: Bad Request error returned when the bulk delete payload is invalid. + value: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError' + description: Bad Request response. + summary: Bulk delete Attack Discovery schedules + tags: + - Security Attack discovery API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/attack_discovery/schedules/_bulk_disable: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/attack_discovery/schedules/_bulk_disable
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Disables multiple Attack Discovery schedules by ID. + operationId: BulkDisableAttackDiscoverySchedules + requestBody: + content: + application/json: + examples: + BulkDisableAttackDiscoverySchedulesRequestBodyExample: + summary: Disable two Attack Discovery schedules. + value: + ids: + - 12345678-1234-1234-1234-123456789012 + - 98765432-1234-1234-1234-123456789012 + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_BulkActionAttackDiscoverySchedulesRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + BulkDisableAttackDiscoverySchedulesResponse200Example: + summary: Bulk disable response for two successfully disabled schedules. + value: + errors: [] + ids: + - 12345678-1234-1234-1234-123456789012 + - 98765432-1234-1234-1234-123456789012 + total: 2 + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_BulkActionAttackDiscoverySchedulesResponse' + description: Successfully processed the bulk disable request. + '400': + content: + application/json: + examples: + BulkDisableAttackDiscoverySchedulesResponse400Example: + summary: Bad Request error returned when the bulk disable payload is invalid. + value: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError' + description: Bad Request response. + summary: Bulk disable Attack Discovery schedules + tags: + - Security Attack discovery API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/attack_discovery/schedules/_bulk_enable: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/attack_discovery/schedules/_bulk_enable
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Enables multiple Attack Discovery schedules by ID. + operationId: BulkEnableAttackDiscoverySchedules + requestBody: + content: + application/json: + examples: + BulkEnableAttackDiscoverySchedulesRequestBodyExample: + summary: Enable two Attack Discovery schedules. + value: + ids: + - 12345678-1234-1234-1234-123456789012 + - 98765432-1234-1234-1234-123456789012 + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_BulkActionAttackDiscoverySchedulesRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + BulkEnableAttackDiscoverySchedulesResponse200Example: + summary: Bulk enable response for two successfully enabled schedules. + value: + errors: [] + ids: + - 12345678-1234-1234-1234-123456789012 + - 98765432-1234-1234-1234-123456789012 + total: 2 + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_BulkActionAttackDiscoverySchedulesResponse' + description: Successfully processed the bulk enable request. + '400': + content: + application/json: + examples: + BulkEnableAttackDiscoverySchedulesResponse400Example: + summary: Bad Request error returned when the bulk enable payload is invalid. + value: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError' + description: Bad Request response. + summary: Bulk enable Attack Discovery schedules + tags: + - Security Attack discovery API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/attack_discovery/schedules/_find: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/attack_discovery/schedules/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Find Attack Discovery schedules that match the search criteria. Supports pagination and sorting by various fields. + operationId: FindAttackDiscoverySchedules + parameters: + - description: Page number to return (used for pagination). Defaults to 1. + example: 1 + in: query + name: page + required: false + schema: + type: number + - description: Number of Attack Discovery schedules to return per page (used for pagination). Defaults to 10. + example: 10 + in: query + name: per_page + required: false + schema: + type: number + - description: Field used to sort results. Common fields include 'name', 'created_at', 'updated_at', and 'enabled'. + example: name + in: query + name: sort_field + required: false + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + - description: Sort order direction. Use 'asc' for ascending or 'desc' for descending. Defaults to 'asc'. + example: asc + in: query + name: sort_direction + required: false + schema: + enum: + - asc + - desc + type: string + responses: + '200': + content: + application/json: + examples: + FindAttackDiscoverySchedulesResponse200Example: + summary: Paginated list of Attack Discovery schedules matching the search criteria. + value: + data: + - actions: [] + created_at: '2023-10-31T10:00:00.000Z' + created_by: elastic + enabled: true + id: 12345678-1234-1234-1234-123456789012 + name: Daily Security Analysis + params: + alerts_index_pattern: .alerts-security.alerts-default + api_config: + actionTypeId: bedrock + connectorId: my-bedrock-connector + name: Claude 3.5 Sonnet + end: now + size: 100 + start: now-24h + schedule: + interval: 24h + updated_at: '2023-10-31T10:00:00.000Z' + updated_by: elastic + page: 1 + per_page: 10 + total: 1 + schema: + type: object + properties: + data: + description: Array of matched Attack Discovery schedule objects. 
+ items: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule' + type: array + page: + description: Current page number of the paginated result set. + type: number + per_page: + description: Number of items requested per page. + type: number + total: + description: Total number of Attack Discovery schedules matching the query (across all pages). + type: number + required: + - page + - per_page + - total + - data + description: Indicates a successful call. + '400': + content: + application/json: + examples: + FindAttackDiscoverySchedulesResponse400Example: + summary: Bad Request error returned when find-schedules query parameters are invalid. + value: + error: Bad Request + message: Invalid request payload. + status_code: 400 + schema: + type: object + properties: + error: + description: Error type + example: Bad Request + type: string + message: + description: Human-readable error message + example: Invalid request payload. + type: string + status_code: + description: HTTP status code + example: 400 + type: number + description: Bad Request response. + summary: Find Attack Discovery schedules that match the search criteria + tags: + - Security Attack discovery API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request GET 'http://localhost:5601/api/attack_discovery/schedules/_find' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/attack_discovery/schedules/{id}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/attack_discovery/schedules/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Permanently deletes an Attack Discovery schedule and all associated configuration. + operationId: DeleteAttackDiscoverySchedules + parameters: + - description: The unique identifier (UUID) of the Attack Discovery schedule to delete. This ID is returned when creating a schedule and can be found in schedule listings. + example: 12345678-1234-1234-1234-123456789012 + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + responses: + '200': + content: + application/json: + examples: + DeleteAttackDiscoverySchedulesResponse200Example: + summary: Confirmation returned after deleting an Attack Discovery schedule. + value: + id: 12345678-1234-1234-1234-123456789012 + schema: + type: object + properties: + id: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + description: The unique identifier of the deleted Attack Discovery schedule + required: + - id + description: Successfully deleted Attack Discovery schedule, returning the ID of the deleted schedule for confirmation + '400': + content: + application/json: + examples: + DeleteAttackDiscoverySchedulesResponse400Example: + summary: Bad Request error returned when the delete schedule request is invalid. + value: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError' + description: Bad Request response. 
+ summary: Delete Attack Discovery schedule + tags: + - Security Attack discovery API + x-codeSamples: + - label: Delete an Attack Discovery schedule + lang: curl + source: | + curl \ + --request DELETE 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/attack_discovery/schedules/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieves a specific Attack Discovery schedule by its unique identifier. Returns complete schedule configuration including parameters, interval settings, associated actions, and execution history. + operationId: GetAttackDiscoverySchedules + parameters: + - description: The unique identifier (UUID) of the Attack Discovery schedule to retrieve. This ID is returned when creating a schedule and can be found in schedule listings. + example: 12345678-1234-1234-1234-123456789012 + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + responses: + '200': + content: + application/json: + examples: + GetAttackDiscoverySchedulesResponse200Example: + summary: An Attack Discovery schedule retrieved by ID, including last execution metadata. + value: + actions: [] + created_at: '2023-10-31T10:00:00.000Z' + created_by: elastic + enabled: true + id: 12345678-1234-1234-1234-123456789012 + last_execution: + date: '2023-10-31T10:00:00.000Z' + last_duration: 45.2 + status: ok + name: Daily Security Analysis + params: + alerts_index_pattern: .alerts-security.alerts-default + api_config: + actionTypeId: bedrock + connectorId: my-bedrock-connector + name: Claude 3.5 Sonnet + end: now + size: 100 + start: now-24h + schedule: + interval: 24h + updated_at: '2023-10-31T10:00:00.000Z' + updated_by: elastic + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule' + description: Successfully retrieved Attack Discovery schedule with complete configuration and metadata + '400': + content: + application/json: + examples: + GetAttackDiscoverySchedulesResponse400Example: + summary: Bad Request error returned when the get-schedule request is invalid. + value: + error: Bad Request + message: Invalid request parameters. 
+ status_code: 400 + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError' + description: Bad Request response. + summary: Get Attack Discovery schedule by ID + tags: + - Security Attack discovery API + x-codeSamples: + - label: Get an Attack Discovery schedule by ID + lang: curl + source: | + curl \ + --request GET 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/attack_discovery/schedules/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Updates an existing Attack Discovery schedule with new configuration. All schedule properties can be modified including name, parameters, interval, and actions. The update operation replaces the entire schedule configuration with the provided values. + operationId: UpdateAttackDiscoverySchedules + parameters: + - description: The unique identifier (UUID) of the Attack Discovery schedule to update. This ID is returned when creating a schedule and can be found in schedule listings. + example: 12345678-1234-1234-1234-123456789012 + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + requestBody: + content: + application/json: + examples: + UpdateAttackDiscoverySchedulesRequestBodyExample: + summary: Update an Attack Discovery schedule to run every 12 hours over a 48-hour window. + value: + actions: [] + name: Updated Daily Security Analysis + params: + alerts_index_pattern: .alerts-security.alerts-default + api_config: + actionTypeId: bedrock + connectorId: my-bedrock-connector + name: Claude 3.5 Sonnet + end: now + size: 200 + start: now-48h + schedule: + interval: 12h + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleUpdateProps' + description: Updated Attack Discovery schedule configuration. All fields are required as this replaces the entire schedule configuration. + required: true + responses: + '200': + content: + application/json: + examples: + UpdateAttackDiscoverySchedulesResponse200Example: + summary: An Attack Discovery schedule after being updated. 
+ value: + actions: [] + created_at: '2023-10-31T10:00:00.000Z' + created_by: elastic + enabled: true + id: 12345678-1234-1234-1234-123456789012 + name: Updated Daily Security Analysis + params: + alerts_index_pattern: .alerts-security.alerts-default + api_config: + actionTypeId: bedrock + connectorId: my-bedrock-connector + name: Claude 3.5 Sonnet + end: now + size: 200 + start: now-48h + schedule: + interval: 12h + updated_at: '2023-10-31T12:00:00.000Z' + updated_by: elastic + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule' + description: Successfully updated Attack Discovery schedule with the new configuration and metadata + '400': + content: + application/json: + examples: + UpdateAttackDiscoverySchedulesResponse400Example: + summary: Bad Request error returned when the update schedule payload is invalid. + value: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError' + description: Bad Request response. 
+ summary: Update Attack Discovery schedule + tags: + - Security Attack discovery API + x-codeSamples: + - label: Update an Attack Discovery schedule + lang: curl + source: | + curl \ + --request PUT 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" \ + --data '{ + "name": "Updated Daily Security Analysis", + "params": { + "alerts_index_pattern": ".alerts-security.alerts-default", + "api_config": { + "actionTypeId": "bedrock", + "connectorId": "my-bedrock-connector", + "name": "Claude 3.5 Sonnet" + }, + "size": 200, + "start": "now-48h", + "end": "now" + }, + "schedule": { + "interval": "12h" + }, + "actions": [] + }' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/attack_discovery/schedules/{id}/_disable: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/attack_discovery/schedules/{id}/_disable
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Disables an Attack Discovery schedule, preventing it from running according to its configured interval. The schedule configuration is preserved and can be re-enabled later. Any currently running executions will complete, but no new executions will be started. + operationId: DisableAttackDiscoverySchedules + parameters: + - description: The unique identifier (UUID) of the Attack Discovery schedule to disable. This ID is returned when creating a schedule and can be found in schedule listings. + example: 12345678-1234-1234-1234-123456789012 + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + responses: + '200': + content: + application/json: + examples: + DisableAttackDiscoverySchedulesResponse200Example: + summary: Confirmation returned after disabling an Attack Discovery schedule. + value: + id: 12345678-1234-1234-1234-123456789012 + schema: + type: object + properties: + id: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + description: The unique identifier of the disabled Attack Discovery schedule + required: + - id + description: Successfully disabled Attack Discovery schedule, returning the schedule ID for confirmation + '400': + content: + application/json: + examples: + DisableAttackDiscoverySchedulesResponse400Example: + summary: Bad Request error returned when the disable schedule request is invalid. + value: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError' + description: Bad Request response. 
+ summary: Disable Attack Discovery schedule + tags: + - Security Attack discovery API + x-codeSamples: + - label: Disable an Attack Discovery schedule + lang: curl + source: | + curl \ + --request POST 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012/_disable' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/attack_discovery/schedules/{id}/_enable: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/attack_discovery/schedules/{id}/_enable
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Enables a previously disabled Attack Discovery schedule, allowing it to run according to its configured interval. Once enabled, the schedule will begin executing at the next scheduled time based on its interval configuration. + operationId: EnableAttackDiscoverySchedules + parameters: + - description: The unique identifier (UUID) of the Attack Discovery schedule to enable. This ID is returned when creating a schedule and can be found in schedule listings. + example: 12345678-1234-1234-1234-123456789012 + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + responses: + '200': + content: + application/json: + examples: + EnableAttackDiscoverySchedulesResponse200Example: + summary: Confirmation returned after enabling an Attack Discovery schedule. + value: + id: 12345678-1234-1234-1234-123456789012 + schema: + type: object + properties: + id: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + description: The unique identifier of the enabled Attack Discovery schedule + required: + - id + description: Successfully enabled Attack Discovery schedule, returning the schedule ID for confirmation + '400': + content: + application/json: + examples: + EnableAttackDiscoverySchedulesResponse400Example: + summary: Bad Request error returned when the enable schedule request is invalid. + value: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError' + description: Bad Request response. 
+ summary: Enable Attack Discovery schedule + tags: + - Security Attack discovery API + x-codeSamples: + - label: Enable an Attack Discovery schedule + lang: curl + source: | + curl \ + --request POST 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012/_enable' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/dashboards: + get: + tags: + - Dashboards + summary: Get dashboards + operationId: get-dashboards-redirect + description: | + > **Technical preview** — The Dashboards API is currently in technical preview and its full reference documentation is temporarily hosted at a separate location. + > + > **[View the full Dashboards API reference →](https://elastic.github.io/dashboards-api-spec/dashboards#tag/Dashboards)** + responses: + '200': + description: See the full Dashboards API reference for detailed response schemas. + post: + tags: + - Dashboards + summary: Create a dashboard + operationId: create-dashboard-redirect + description: | + > **Technical preview** — The Dashboards API is currently in technical preview and its full reference documentation is temporarily hosted at a separate location. + > + > **[View the full Dashboards API reference →](https://elastic.github.io/dashboards-api-spec/dashboards#tag/Dashboards)** + responses: + '200': + description: See the full Dashboards API reference for detailed response schemas. + /api/dashboards/{id}: + get: + tags: + - Dashboards + summary: Get a dashboard + operationId: get-dashboard-redirect + description: | + > **Technical preview** — The Dashboards API is currently in technical preview and its full reference documentation is temporarily hosted at a separate location. 
+ > + > **[View the full Dashboards API reference →](https://elastic.github.io/dashboards-api-spec/dashboards#tag/Dashboards)** + responses: + '200': + description: See the full Dashboards API reference for detailed response schemas. + put: + tags: + - Dashboards + summary: Update a dashboard + operationId: update-dashboard-redirect + description: | + > **Technical preview** — The Dashboards API is currently in technical preview and its full reference documentation is temporarily hosted at a separate location. + > + > **[View the full Dashboards API reference →](https://elastic.github.io/dashboards-api-spec/dashboards#tag/Dashboards)** + responses: + '200': + description: See the full Dashboards API reference for detailed response schemas. + delete: + tags: + - Dashboards + summary: Delete a dashboard + operationId: delete-dashboard-redirect + description: | + > **Technical preview** — The Dashboards API is currently in technical preview and its full reference documentation is temporarily hosted at a separate location. + > + > **[View the full Dashboards API reference →](https://elastic.github.io/dashboards-api-spec/dashboards#tag/Dashboards)** + responses: + '200': + description: See the full Dashboards API reference for detailed response schemas. + /api/data_views: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/data_views
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve a list of all data views. Use this endpoint to identify available data views in the current Kibana space. + operationId: getAllDataViewsDefault + responses: + '200': + content: + application/json: + examples: + getAllDataViewsResponse: + $ref: '#/components/examples/Data_views_get_data_views_response' + schema: + type: object + properties: + data_view: + items: + type: object + properties: + id: + type: string + name: + type: string + namespaces: + items: + type: string + type: array + title: + type: string + typeMeta: + type: object + type: array + description: Indicates a successful call. + '400': + content: + application/json: + examples: + getAllDataViewsBadRequest: + $ref: '#/components/examples/Data_views_error_400_response' + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Get all data views + tags: + - data views + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/data_views" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/data_views + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/data_views/data_view: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/data_views/data_view
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a data view. Data views identify the Elasticsearch data you want to explore and visualize. They can point to one or more data streams, indices, or index aliases, and use optional runtime fields to compute values at query time. Note that data views are not required for ES|QL-based visualizations. To learn more, refer to the [data views documentation](https://www.elastic.co/docs/explore-analyze/find-and-organize/data-views). + operationId: createDataViewDefaultw + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + requestBody: + content: + application/json: + examples: + createDataViewRequest: + $ref: '#/components/examples/Data_views_create_data_view_request' + schema: + $ref: '#/components/schemas/Data_views_create_data_view_request_object' + required: true + responses: + '200': + content: + application/json: + examples: + createDataViewResponse: + $ref: '#/components/examples/Data_views_create_data_view_response' + schema: + $ref: '#/components/schemas/Data_views_data_view_response_object' + description: Indicates a successful call. 
+ '400': + content: + application/json: + examples: + createDataViewBadRequest: + $ref: '#/components/examples/Data_views_error_400_response' + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Create a data view + tags: + - data views + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/data_views/data_view" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{"data_view":{"title":"logstash-*","name":"My Logstash data view"}}' + - lang: Console + source: | + POST kbn://api/data_views/data_view + {"data_view":{"title":"logstash-*","name":"My Logstash data view"}} + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/data_views/data_view/{viewId}: + delete: + description: | + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/data_views/data_view/{viewId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a data view by its identifier. WARNING: When you delete a data view, it cannot be recovered. + operationId: deleteDataViewDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + - $ref: '#/components/parameters/Data_views_view_id' + responses: + '204': + description: Indicates a successful call. + '404': + content: + application/json: + examples: + deleteDataViewNotFound: + $ref: '#/components/examples/Data_views_error_404_response' + schema: + $ref: '#/components/schemas/Data_views_404_response' + description: Object is not found. + summary: Delete a data view + tags: + - data views + x-codeSamples: + - lang: curl + source: | + curl \ + -X DELETE "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" + - lang: Console + source: | + DELETE kbn://api/data_views/data_view/{viewId} + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/data_views/data_view/{viewId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve a single data view by its identifier. Data views identify the Elasticsearch data you want to explore and visualize. They can point to one or more data streams, indices, or index aliases, and use optional runtime fields to compute values at query time. Note that data views are not required for ES|QL-based visualizations. To learn more, refer to the [data views documentation](https://www.elastic.co/docs/explore-analyze/find-and-organize/data-views). + operationId: getDataViewDefault + parameters: + - $ref: '#/components/parameters/Data_views_view_id' + responses: + '200': + content: + application/json: + examples: + getDataViewResponse: + $ref: '#/components/examples/Data_views_get_data_view_response' + schema: + $ref: '#/components/schemas/Data_views_data_view_response_object' + description: Indicates a successful call. + '404': + content: + application/json: + examples: + getDataViewNotFound: + $ref: '#/components/examples/Data_views_error_404_response' + schema: + $ref: '#/components/schemas/Data_views_404_response' + description: Object is not found. + summary: Get a data view + tags: + - data views + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/data_views/data_view/{viewId} + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/data_views/data_view/{viewId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an existing data view. Only the fields provided in the request body are updated. + operationId: updateDataViewDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + - $ref: '#/components/parameters/Data_views_view_id' + requestBody: + content: + application/json: + examples: + updateDataViewRequest: + $ref: '#/components/examples/Data_views_update_data_view_request' + schema: + $ref: '#/components/schemas/Data_views_update_data_view_request_object' + required: true + responses: + '200': + content: + application/json: + examples: + updateDataViewResponse: + $ref: '#/components/examples/Data_views_get_data_view_response' + schema: + $ref: '#/components/schemas/Data_views_data_view_response_object' + description: Indicates a successful call. + '400': + content: + application/json: + examples: + updateDataViewBadRequest: + $ref: '#/components/examples/Data_views_error_400_response' + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Update a data view + tags: + - data views + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{"data_view":{"name":"Updated data view name"}}' + - lang: Console + source: | + POST kbn://api/data_views/data_view/{viewId} + {"data_view":{"name":"Updated data view name"}} + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/data_views/data_view/{viewId}/fields: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/data_views/data_view/{viewId}/fields
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update field metadata for a data view. Use this endpoint to set custom labels, custom descriptions, and format overrides for individual fields. + operationId: updateFieldsMetadataDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + - $ref: '#/components/parameters/Data_views_view_id' + requestBody: + content: + application/json: + examples: + updateFieldsMetadataRequest: + $ref: '#/components/examples/Data_views_update_field_metadata_request' + schema: + type: object + properties: + fields: + description: The field object. + type: object + required: + - fields + required: true + responses: + '200': + content: + application/json: + examples: + updateFieldsMetadataResponse: + $ref: '#/components/examples/Data_views_update_field_metadata_response' + schema: + type: object + properties: + acknowledged: + type: boolean + description: Indicates a successful call. + '400': + content: + application/json: + examples: + updateFieldsMetadataBadRequest: + $ref: '#/components/examples/Data_views_error_400_response' + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Update field metadata + tags: + - data views + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}/fields" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{"fields":{"field_name":{"customLabel":"My custom label"}}}' + - lang: Console + source: | + POST kbn://api/data_views/data_view/{viewId}/fields + {"fields":{"field_name":{"customLabel":"My custom label"}}} + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/data_views/data_view/{viewId}/runtime_field: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/data_views/data_view/{viewId}/runtime_field
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a runtime field for a data view. Runtime fields are computed at query time using a [Painless script](https://www.elastic.co/docs/explore-analyze/scripting/modules-scripting-painless) and do not require reindexing. If no `script` is provided, the runtime field returns the corresponding value from the document `_source`. + operationId: createRuntimeFieldDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + - $ref: '#/components/parameters/Data_views_view_id' + requestBody: + content: + application/json: + examples: + createRuntimeFieldRequest: + $ref: '#/components/examples/Data_views_create_runtime_field_request' + schema: + type: object + properties: + name: + description: | + The name for a runtime field. + type: string + runtimeField: + description: | + The runtime field definition object. + type: object + required: + - name + - runtimeField + required: true + responses: + '200': + content: + application/json: + examples: + createRuntimeFieldResponse: + $ref: '#/components/examples/Data_views_create_runtime_field_response' + schema: + type: object + description: Indicates a successful call. 
+ summary: Create a runtime field + tags: + - data views + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}/runtime_field" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{"name":"hour_of_day","runtimeField":{"type":"long","script":{"source":"emit(doc['"'"'timestamp'"'"'].value.getHour())"}}}' + - lang: Console + source: | + POST kbn://api/data_views/data_view/{viewId}/runtime_field + {"name":"hour_of_day","runtimeField":{"type":"long","script":{"source":"emit(doc['timestamp'].value.getHour())"}}} + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: | + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/data_views/data_view/{viewId}/runtime_field
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create or update a runtime field for a data view. If the runtime field already exists, it is replaced with the new definition. + operationId: createUpdateRuntimeFieldDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + - description: | + The ID of the data view fields you want to update. + in: path + name: viewId + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + updateRuntimeFieldRequest: + $ref: '#/components/examples/Data_views_create_runtime_field_request' + schema: + type: object + properties: + name: + description: | + The name for a runtime field. + type: string + runtimeField: + description: | + The runtime field definition object. + type: object + required: + - name + - runtimeField + required: true + responses: + '200': + content: + application/json: + examples: + createUpdateRuntimeFieldResponse: + $ref: '#/components/examples/Data_views_create_runtime_field_response' + schema: + type: object + properties: + data_view: + type: object + fields: + items: + type: object + type: array + description: Indicates a successful call. 
+ '400': + content: + application/json: + examples: + createUpdateRuntimeFieldBadRequest: + $ref: '#/components/examples/Data_views_error_400_response' + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Create or update a runtime field + tags: + - data views + x-codeSamples: + - lang: curl + source: | + curl \ + -X PUT "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}/runtime_field" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{"name":"hour_of_day","runtimeField":{"type":"long","script":{"source":"emit(doc['"'"'timestamp'"'"'].value.getHour())"}}}' + - lang: Console + source: | + PUT kbn://api/data_views/data_view/{viewId}/runtime_field + {"name":"hour_of_day","runtimeField":{"type":"long","script":{"source":"emit(doc['timestamp'].value.getHour())"}}} + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/data_views/data_view/{viewId}/runtime_field/{fieldName}: + delete: + description: | + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/data_views/data_view/{viewId}/runtime_field/{fieldName}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a runtime field from a data view. + operationId: deleteRuntimeFieldDefault + parameters: + - $ref: '#/components/parameters/Data_views_field_name' + - $ref: '#/components/parameters/Data_views_view_id' + responses: + '200': + description: Indicates a successful call. + '404': + content: + application/json: + examples: + deleteRuntimeFieldNotFound: + $ref: '#/components/examples/Data_views_error_404_response' + schema: + $ref: '#/components/schemas/Data_views_404_response' + description: Object is not found. + summary: Delete a runtime field + tags: + - data views + x-codeSamples: + - lang: curl + source: | + curl \ + -X DELETE "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}/runtime_field/${FIELD_NAME}" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" + - lang: Console + source: | + DELETE kbn://api/data_views/data_view/{viewId}/runtime_field/{fieldName} + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/data_views/data_view/{viewId}/runtime_field/{fieldName}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve a single runtime field by name from a data view. + operationId: getRuntimeFieldDefault + parameters: + - $ref: '#/components/parameters/Data_views_field_name' + - $ref: '#/components/parameters/Data_views_view_id' + responses: + '200': + content: + application/json: + examples: + getRuntimeFieldResponse: + $ref: '#/components/examples/Data_views_get_runtime_field_response' + schema: + type: object + properties: + data_view: + type: object + fields: + items: + type: object + type: array + description: Indicates a successful call. + '404': + content: + application/json: + examples: + getRuntimeFieldNotFound: + $ref: '#/components/examples/Data_views_error_404_response' + schema: + $ref: '#/components/schemas/Data_views_404_response' + description: Object is not found. + summary: Get a runtime field + tags: + - data views + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}/runtime_field/${FIELD_NAME}" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/data_views/data_view/{viewId}/runtime_field/{fieldName} + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/data_views/data_view/{viewId}/runtime_field/{fieldName}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an existing runtime field in a data view. Only the fields provided in the request body are updated. + operationId: updateRuntimeFieldDefault + parameters: + - $ref: '#/components/parameters/Data_views_field_name' + - $ref: '#/components/parameters/Data_views_view_id' + requestBody: + content: + application/json: + examples: + updateRuntimeFieldRequest: + $ref: '#/components/examples/Data_views_update_runtime_field_request' + schema: + type: object + properties: + runtimeField: + description: | + The runtime field definition object. + + You can update following fields: + + - `type` + - `script` + type: object + required: + - runtimeField + required: true + responses: + '200': + description: Indicates a successful call. + '400': + content: + application/json: + examples: + updateRuntimeFieldBadRequest: + $ref: '#/components/examples/Data_views_error_400_response' + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Update a runtime field + tags: + - data views + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}/runtime_field/${FIELD_NAME}" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{"runtimeField":{"type":"long","script":{"source":"emit(doc['"'"'timestamp'"'"'].value.getHour())"}}}' + - lang: Console + source: | + POST kbn://api/data_views/data_view/{viewId}/runtime_field/{fieldName} + {"runtimeField":{"type":"long","script":{"source":"emit(doc['timestamp'].value.getHour())"}}} + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/data_views/default: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/data_views/default
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve the identifier of the default data view for the current Kibana space. + operationId: getDefaultDataViewDefault + responses: + '200': + content: + application/json: + examples: + getDefaultDataViewResponse: + $ref: '#/components/examples/Data_views_get_default_data_view_response' + schema: + type: object + properties: + data_view_id: + type: string + description: Indicates a successful call. + '400': + content: + application/json: + examples: + getDefaultDataViewBadRequest: + $ref: '#/components/examples/Data_views_error_400_response' + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Get the default data view + tags: + - data views + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/data_views/default" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/data_views/default + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/data_views/default
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Set the default data view for the current Kibana space. The default data view is used as a fallback when no specific data view is selected. + operationId: setDefaultDatailViewDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + requestBody: + content: + application/json: + examples: + setDefaultDataViewRequest: + $ref: '#/components/examples/Data_views_set_default_data_view_request' + schema: + type: object + properties: + data_view_id: + description: | + The data view identifier. NOTE: The API does not validate whether it is a valid identifier. Use `null` to unset the default data view. + nullable: true + type: string + force: + default: false + description: Update an existing default data view identifier. + type: boolean + required: + - data_view_id + required: true + responses: + '200': + content: + application/json: + examples: + setDefaultDataViewResponse: + $ref: '#/components/examples/Data_views_set_default_data_view_response' + schema: + type: object + properties: + acknowledged: + type: boolean + description: Indicates a successful call. 
+ '400': + content: + application/json: + examples: + setDefaultDataViewBadRequest: + $ref: '#/components/examples/Data_views_error_400_response' + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Set the default data view + tags: + - data views + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/data_views/default" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{"data_view_id":"ff959d40-b880-11e8-a6d9-e546fe2bba5f","force":true}' + - lang: Console + source: | + POST kbn://api/data_views/default + {"data_view_id":"ff959d40-b880-11e8-a6d9-e546fe2bba5f","force":true} + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/data_views/swap_references: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/data_views/swap_references
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Swap saved object references from one data view to another. Use this endpoint to update dashboards, visualizations, and other saved objects that reference a data view. WARNING: Misuse can break large numbers of saved objects! Use the [`_preview`](https://www.elastic.co/docs/api/doc/kibana/operation/operation-previewswapdataviewsdefault) endpoint to see which saved objects would be affected before making changes. + operationId: swapDataViewsDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + requestBody: + content: + application/json: + examples: + swapDataViewRequest: + $ref: '#/components/examples/Data_views_swap_data_view_request' + schema: + $ref: '#/components/schemas/Data_views_swap_data_view_request_object' + required: true + responses: + '200': + content: + application/json: + examples: + swapDataViewResponse: + $ref: '#/components/examples/Data_views_swap_data_view_response' + schema: + type: object + properties: + deleteStatus: + type: object + properties: + deletePerformed: + type: boolean + remainingRefs: + type: integer + result: + items: + type: object + properties: + id: + description: A saved object identifier. + type: string + type: + description: The saved object type. + type: string + type: array + description: Indicates a successful call. 
+ summary: Swap saved object references + tags: + - data views + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/data_views/swap_references" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{"fromId":"abcd-efg","toId":"xyz-123","delete":true}' + - lang: Console + source: | + POST kbn://api/data_views/swap_references + {"fromId":"abcd-efg","toId":"xyz-123","delete":true} + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/data_views/swap_references/_preview: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/data_views/swap_references/_preview
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Preview the effect of swapping saved object references from one data view to another. Returns the list of affected saved objects without making any changes. + operationId: previewSwapDataViewsDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + requestBody: + content: + application/json: + examples: + previewSwapDataViewRequest: + $ref: '#/components/examples/Data_views_preview_swap_data_view_request' + schema: + $ref: '#/components/schemas/Data_views_swap_data_view_request_object' + required: true + responses: + '200': + content: + application/json: + examples: + previewSwapDataViewResponse: + $ref: '#/components/examples/Data_views_preview_swap_data_view_response' + schema: + type: object + properties: + result: + items: + type: object + properties: + id: + description: A saved object identifier. + type: string + type: + description: The saved object type. + type: string + type: array + description: Indicates a successful call. + summary: Preview swap references + tags: + - data views + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/data_views/swap_references/_preview" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{"fromId":"abcd-efg","toId":"xyz-123"}' + - lang: Console + source: | + POST kbn://api/data_views/swap_references/_preview + {"fromId":"abcd-efg","toId":"xyz-123"} + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/detection_engine/privileges: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/detection_engine/privileges
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieves whether or not the user is authenticated, and the user's Kibana + space and index privileges, which determine if the user can create an + index for the Elastic Security alerts generated by + detection engine rules. + operationId: ReadPrivileges + responses: + '200': + content: + application/json: + examples: + success: + value: + application: {} + cluster: + all: true + manage: true + manage_api_key: true + manage_index_templates: true + manage_ml: true + manage_own_api_key: true + manage_pipeline: true + manage_security: true + manage_transform: true + monitor: true + monitor_ml: true + monitor_transform: true + has_all_requested: true + has_encryption_key: true + index: + .alerts-security.alerts-default: + all: true + create: true + create_doc: true + create_index: true + delete: true + delete_index: true + index: true + maintenance: true + manage: true + monitor: true + read: true + view_index_metadata: true + write: true + is_authenticated: true + username: elastic + schema: + type: object + properties: + has_encryption_key: + type: boolean + is_authenticated: + type: boolean + required: + - is_authenticated + - has_encryption_key + description: Successful response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: 
'#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Returns user privileges for the Kibana space + tags: + - Security Detections API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/detection_engine/rules: + delete: + description: | + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/detection_engine/rules
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a detection rule using the `rule_id` or `id` field. + + The URL query must include one of the following: + + * `id` - `DELETE /api/detection_engine/rules?id=` + * `rule_id`- `DELETE /api/detection_engine/rules?rule_id=` + + The difference between the `id` and `rule_id` is that the `id` is a unique rule identifier that is randomly generated when a rule is created and cannot be set, whereas `rule_id` is a stable rule identifier that can be assigned during rule creation. + operationId: DeleteRule + parameters: + - description: The rule's `id` value. + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Detections_API_UUID' + - description: The rule's `rule_id` value. + in: query + name: rule_id + required: false + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + responses: + '200': + content: + application/json: + examples: + deletedRule: + summary: Response shape after a rule is deleted + value: + actions: [] + created_at: '2020-02-03T11:19:04.259Z' + created_by: elastic + description: Process started by MS Office program in user folder + enabled: false + false_positives: [] + from: now-4200s + id: c41d170b-8ba6-4de6-b8ec-76440a35ace3 + immutable: false + interval: 1h + language: kuery + max_signals: 100 + name: MS Office child process + query: event.action:Process* + references: [] + risk_score: 50 + rule_id: process_started_by_ms_office_user_folder + severity: low + tags: + - tag + throttle: null + to: now + type: query + updated_at: '2020-02-03T11:19:04.462Z' + updated_by: elastic + version: 3 + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleResponse' + description: Indicates a successful call. 
+ summary: Delete a detection rule + tags: + - Security Detections API + x-codeSamples: + - lang: cURL + source: | + curl \ + --request DELETE https://localhost:5601/api/detection_engine/rules?rule_id=bfeaf89b-a2a7-48a3-817f-e41829dc61ee \ + --header "Content-Type: application/json; Elastic-Api-Version=2023-10-31" + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/detection_engine/rules
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve a detection rule using the `rule_id` or `id` field. + + The URL query must include one of the following: + + * `id` - `GET /api/detection_engine/rules?id=` + * `rule_id` - `GET /api/detection_engine/rules?rule_id=` + + The difference between the `id` and `rule_id` is that the `id` is a unique rule identifier that is randomly generated when a rule is created and cannot be set, whereas `rule_id` is a stable rule identifier that can be assigned during rule creation. + operationId: ReadRule + parameters: + - description: The rule's `id` value. + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Detections_API_UUID' + - description: The rule's `rule_id` value. + in: query + name: rule_id + required: false + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + responses: + '200': + content: + application/json: + examples: + example1: + summary: Example response for a retrieved rule + value: + created_at: '2020-02-03T11:19:04.259Z' + created_by: elastic + description: Process started by MS Office program in user folder + enabled: false + execution_summary: + last_execution: + date: '2022-03-23T16:06:12.787Z' + message: This rule attempted to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, but no matching index was found. 
+ metrics: + execution_gap_duration_s: 0 + total_indexing_duration_ms: 15 + total_search_duration_ms: 135 + status: partial failure + status_order: 20 + false_positives: [] + filters: + - query: + match: + event.action: + query: 'Process Create (rule: ProcessCreate)' + type: phrase + from: now-4200s + id: c41d170b-8ba6-4de6-b8ec-76440a35ace3 + immutable: false + interval: 1h + language: kuery + max_signals: 100 + name: MS Office child process + query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE + references: [] + related_integrations: + - package: o365 + version: ^2.3.2 + required_fields: + - ecs: true + name: process.name + type: keyword + - ecs: true + name: process.parent.name + type: keyword + risk_score: 21 + rule_id: process_started_by_ms_office_user_folder + setup: '' + severity: low + tags: + - child process + - ms office + threat: + - framework: MITRE ATT&CK + tactic: + id: TA0001 + name: Initial Access + reference: https://attack.mitre.org/tactics/TA0001 + technique: + - id: T1193 + name: Spearphishing Attachment + reference: https://attack.mitre.org/techniques/T1193 + to: now-300s + type: query + updated_at: '2020-02-03T11:19:04.462Z' + updated_by: elastic + version: 1 + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleResponse' + description: | + Indicates a successful call. + > info + > These fields are under development and their usage or schema may change: execution_summary. 
+ summary: Retrieve a detection rule + tags: + - Security Detections API + x-codeSamples: + - lang: cURL + source: | + curl \ + --request GET https://localhost:5601/api/detection_engine/rules?rule_id=bfeaf89b-a2a7-48a3-817f-e41829dc61ee \ + --header "Content-Type: application/json; Elastic-Api-Version=2023-10-31" + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + patch: + description: | + **Spaces method and path for this operation:** + +
patch /s/{space_id}/api/detection_engine/rules
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update specific fields of an existing detection rule using the `rule_id` or `id` field. + + The difference between the `id` and `rule_id` is that the `id` is a unique rule identifier that is randomly generated when a rule is created and cannot be set, whereas `rule_id` is a stable rule identifier that can be assigned during rule creation. + > warn + > When used with [API key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running. + + > If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change. + operationId: PatchRule + requestBody: + content: + application/json: + examples: + example1: + summary: Patch query rule + value: + id: 14b7b513-3d8d-4b22-b7da-a7ae632f7e76 + name: New name + example2: + summary: Patch EQL rule + value: + rule_id: process_started_by_ms_office_program_possible_payload + threat: + - framework: MITRE ATT&CK + tactic: + id: TA0001 + name: Initial Access + reference: https://attack.mitre.org/tactics/TA0001 + technique: + - id: T1193 + name: Spearphishing Attachment + reference: https://attack.mitre.org/techniques/T1193 + example3: + summary: Patch threshold rule + value: + id: 005d2c4f-51ca-493d-a2bd-20ef076339b1 + query: 'agent.version : * and agent.id : "243d9b4f-ca01-4311-8e5c-9abbee91afd8"' + threshold: + cardinality: [] + field: [] + value: 600 + example4: + summary: Patch new terms rule + value: + history_window_start: now-3d + id: 569aac91-40dc-4807-a8ae-a2c8698089c4 + new_terms_fields: + - Endpoint.policy.applied.artifacts.global.identifiers.name + example5: + summary: Patch esql rule + value: + id: 0b15e8a2-49b6-47e0-a8e6-d63a6cc335bd + query: | + FROM logs-abc* + | STATS count 
= COUNT(*), min_timestamp = MIN(@timestamp) + | EVAL event_rate = count / DATE_DIFF("seconds", min_timestamp, NOW()) + | KEEP event_rate + example6: + summary: Patch indicator match rule + value: + id: 462f1986-10fe-40a3-a22c-2b1c9c4c48fd + threat_query: '@timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and threat.indicator.ip:* and not labels.is_ioc_transform_source:"false"' + example7: + summary: Patch machine learning rule + value: + anomaly_threshold: 50 + id: 60b13926-289b-41b1-a537-197ef1fa5059 + machine_learning_job_id: + - auth_high_count_logon_events_ea + schema: + $ref: '#/components/schemas/Security_Detections_API_RulePatchProps' + description: | + > info + > You cannot modify the `id` or `rule_id` values. + required: true + responses: + '200': + content: + application/json: + examples: + example1: + summary: Example response for an updated rule + value: + actions: [] + created_at: '2020-04-07T14:51:09.755Z' + created_by: elastic + description: Updated description for the rule. + enabled: false + false_positives: [] + filters: + - query: null + from: now-70m + id: 6541b99a-dee9-4f6d-a86d-dbd1869d73b1 + immutable: false + interval: 1h + language: kuery + max_signals: 100 + name: Updated Rule Name + query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE + references: [] + related_integrations: + - package: o365 + required_fields: + - name: process.parent.name + risk_score: 50 + rule_id: process_started_by_ms_office_program + setup: '' + severity: low + tags: + - child process + - ms office + threat: [] + to: now + type: query + updated_at: '2020-04-07T14:51:09.970Z' + updated_by: elastic + version: 2 + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleResponse' + description: Indicates a successful call. 
+ summary: Patch a detection rule + tags: + - Security Detections API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/detection_engine/rules
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new detection rule. + > warn + > When used with [API key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running. + + > If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change. + + You can create the following types of rules: + + * **Custom query**: Searches the defined indices and creates an alert when a document matches the rule's KQL query. + * **Event correlation**: Searches the defined indices and creates an alert when results match an [Event Query Language (EQL)](https://www.elastic.co/guide/en/elasticsearch/reference/current/eql.html) query. + * **Threshold**: Searches the defined indices and creates an alert when the number of times the specified field's value meets the threshold during a single execution. When there are multiple values that meet the threshold, an alert is generated for each value. + For example, if the threshold `field` is `source.ip` and its `value` is `10`, an alert is generated for every source IP address that appears in at least 10 of the rule's search results. If you're interested, see [Terms Aggregation](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-bucket-terms-aggregation.html) for more information. + * **Indicator match**: Creates an alert when fields match values defined in the specified [Elasticsearch index](https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-create-index.html). For example, you can create an index for IP addresses and use this index to create an alert whenever an event's `destination.ip` equals a value in the index. 
The index's field mappings should be [ECS-compliant](https://www.elastic.co/guide/en/ecs/current/ecs-reference.html). + * **New terms**: Generates an alert for each new term detected in source documents within a specified time range. + * **ES|QL**: Uses [Elasticsearch Query Language (ES|QL)](https://www.elastic.co/guide/en/elasticsearch/reference/current/esql.html) to find events and aggregate search results. + * **Machine learning rules**: Creates an alert when a machine learning job discovers an anomaly above the defined threshold. + > info + > To create machine learning rules, you must have the [appropriate license](https://www.elastic.co/subscriptions) or use a [cloud deployment](https://cloud.elastic.co/registration). Additionally, for the machine learning rule to function correctly, the associated machine learning job must be running. + + To retrieve machine learning job IDs, which are required to create machine learning jobs, call the [Elasticsearch Get jobs API](https://www.elastic.co/guide/en/elasticsearch/reference/current/ml-get-job.html). Machine learning jobs that contain `siem` in the `groups` field can be used to create rules: + + ```json + ... + "job_id": "linux_anomalous_network_activity_ecs", + "job_type": "anomaly_detector", + "job_version": "7.7.0", + "groups": [ + "auditbeat", + "process", + "siem" + ], + ... + ``` + + Additionally, you can set up notifications for when rules create alerts. The notifications use the [Alerting and Actions framework](https://www.elastic.co/docs/explore-analyze/alerting). Each action type requires a connector. Connectors store the information required to send notifications via external systems. 
The following connector types are supported for rule notifications: + + * Slack + * Email + * PagerDuty + * Webhook + * Microsoft Teams + * IBM Resilient + * Jira + * ServiceNow ITSM + > info + > For more information on PagerDuty fields, see [Send a v2 Event](https://developer.pagerduty.com/docs/events-api-v2/trigger-events/). + + To retrieve connector IDs, which are required to configure rule notifications, call the [Find objects API](https://www.elastic.co/docs/api/doc/kibana/operation/operation-findsavedobjects) with `"type": "action"` in the request payload. + + For detailed information on Kibana actions and alerting, and additional API calls, see: + + * [Alerting API](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-alerting) + * [Alerting and Actions framework](https://www.elastic.co/docs/explore-analyze/alerting) + * [Connectors API](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-connectors) + operationId: CreateRule + requestBody: + content: + application/json: + examples: + example1: + description: Query rule that searches for processes started by MS Office + summary: Query rule + value: + description: Process started by MS Office program - possible payload + enabled: false + filters: + - query: + match: + event.action: + query: 'Process Create (rule: ProcessCreate)' + type: phrase + from: now-70m + interval: 1h + language: kuery + name: MS Office child process + query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE + related_integrations: + - package: o365 + version: ^2.3.2 + required_fields: + - name: process.parent.name + type: keyword + risk_score: 50 + rule_id: process_started_by_ms_office_program + severity: low + tags: + - child process + - ms office + type: query + example2: + description: Threshold rule that detects multiple failed login attempts to a Windows host from the 
same external source IP address + summary: Threshold rule + value: + description: Detects when there are 20 or more failed login attempts from the same IP address with a 2 minute time frame. + enabled: true + exceptions_list: + - id: int-ips + namespace_type: single + type: detection + from: now-180s + index: + - winlogbeat-* + interval: 2m + name: Windows server prml-19 + query: host.name:prml-19 and event.category:authentication and event.outcome:failure + required_fields: + - name: source.ip + type: ip + risk_score: 30 + rule_id: liv-win-ser-logins + severity: low + severity_mapping: + - field: source.geo.city_name + operator: equals + severity: low + value: Manchester + - field: source.geo.city_name + operator: equals + severity: medium + value: London + - field: source.geo.city_name + operator: equals + severity: high + value: Birmingham + - field: source.geo.city_name + operator: equals + severity: critical + value: Wallingford + tags: + - Brute force + threshold: + field: source.ip + value: 20 + type: threshold + example3: + description: Machine learning rule that creates alerts, and sends Slack notifications, when the linux_anomalous_network_activity_ecs machine learning job discovers anomalies with a threshold of 70 or above. + summary: Machine learning rule + value: + actions: + - action_type_id: .slack + group: default + id: 5ad22cd5-5e6e-4c6c-a81a-54b626a4cec5 + params: + message: 'Urgent: {{context.rule.description}}' + anomaly_threshold: 70 + description: Generates alerts when the job discovers anomalies over 70 + enabled: true + from: now-6m + interval: 5m + machine_learning_job_id: linux_anomalous_network_activity_ecs + name: Anomalous Linux network activity + note: Shut down the internet. + risk_score: 70 + rule_id: ml_linux_network_high_threshold + setup: This rule requires data coming in from Elastic Defend. 
+ severity: high + tags: + - machine learning + - Linux + type: machine_learning + example4: + description: Event correlation rule that creates alerts when the Windows rundll32.exe process makes unusual network connections + summary: EQL rule + value: + description: Unusual rundll32.exe network connection + language: eql + name: rundll32.exe network connection + query: sequence by process.entity_id with maxspan=2h [process where event.type in ("start", "process_started") and (process.name == "rundll32.exe" or process.pe.original_file_name == "rundll32.exe") and ((process.args == "rundll32.exe" and process.args_count == 1) or (process.args != "rundll32.exe" and process.args_count == 0))] [network where event.type == "connection" and (process.name == "rundll32.exe" or process.pe.original_file_name == "rundll32.exe")] + required_fields: + - name: event.type + type: keyword + - name: process.args + type: keyword + - name: process.args_count + type: long + - name: process.entity_id + type: keyword + - name: process.name + type: keyword + - name: process.pe.original_file_name + type: keyword + risk_score: 21 + rule_id: eql-outbound-rundll32-connections + severity: low + tags: + - EQL + - Windows + - rundll32.exe + type: eql + example5: + description: | + Indicator match rule that creates an alert when one of the following is true: The event's destination IP address and port number matches destination IP and port values in the threat_index index; The event's source IP address matches a host IP address value in the threat_index index. 
+ summary: Indicator match rule + value: + actions: [] + description: Checks for bad IP addresses listed in the ip-threat-list index + index: + - packetbeat-* + name: Bad IP threat match + query: destination.ip:* or host.ip:* + required_fields: + - name: destination.ip + type: ip + - name: destination.port + type: long + - name: host.ip + type: ip + risk_score: 50 + severity: medium + threat_index: + - ip-threat-list + threat_mapping: + - entries: + - field: destination.ip + type: mapping + value: destination.ip + - field: destination.port + type: mapping + value: destination.port + - entries: + - field: source.ip + type: mapping + value: host.ip + threat_query: '*:*' + type: threat_match + example6: + description: New terms rule that creates alerts a new IP address is detected for a user + summary: New terms rule + value: + description: Detects a user associated with a new IP address + history_window_start: now-30d + index: + - auditbeat* + language: kuery + name: New User IP Detected + new_terms_fields: + - user.id + - source.ip + query: '*' + required_fields: + - name: user.id + type: keyword + - name: source.ip + type: ip + risk_score: 21 + severity: medium + type: new_terms + example7: + description: esql rule that creates alerts from events that match an Excel parent process + summary: Esql rule + value: + description: Find Excel events + enabled: false + from: now-360s + interval: 5m + language: esql + name: Find Excel events + query: from auditbeat-8.10.2 METADATA _id, _version, _index | where process.parent.name == "EXCEL.EXE" + required_fields: + - name: process.parent.name + type: keyword + risk_score: 21 + severity: low + tags: [] + to: now + type: esql + example8: + description: Query rule that searches for processes started by MS Office and suppresses alerts by the process.parent.name field within a 5-hour time period + summary: Query rule 2 + value: + alert_suppression: + duration: + unit: h + value: 5 + group_by: + - process.parent.name + 
missing_fields_strategy: suppress + description: Process started by MS Office program - possible payload + enabled: false + filters: + - query: + match: + event.action: + query: 'Process Create (rule: ProcessCreate)' + type: phrase + from: now-70m + interval: 1h + language: kuery + name: MS Office child process + query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE + risk_score: 50 + rule_id: process_started_by_ms_office_program + severity: low + tags: + - child process + - ms office + type: query + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleCreateProps' + required: true + responses: + '200': + content: + application/json: + examples: + example1: + description: Example response for a query rule + summary: Query rule response + value: + actions: [] + created_at: '2020-04-07T14:51:09.755Z' + created_by: elastic + description: Process started by MS Office program - possible payload + enabled: false + false_positives: [] + filters: + - query: + match: + event.action: + query: 'Process Create (rule: ProcessCreate)' + type: phrase + from: now-70m + id: 6541b99a-dee9-4f6d-a86d-dbd1869d73b1 + immutable: false + interval: 1h + language: kuery + max_signals: 100 + name: MS Office child process + query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE + references: [] + related_integrations: + - package: o365 + version: ^2.3.2 + - integration: graphactivitylogs + package: azure + version: ^1.11.4 + required_fields: + - ecs: true + name: process.parent.name + type: keyword + risk_score: 50 + rule_id: process_started_by_ms_office_program + setup: '' + severity: low + tags: + - child process + - ms office + threat: [] + to: now + type: query + 
updated_at: '2020-04-07T14:51:09.970Z' + updated_by: elastic + version: 1 + example2: + description: Example response for a machine learning job rule + summary: Machine learning response + value: + actions: + - action_type_id: .slack + frequency: + notifyWhen: onActiveAlert + summary: true + throttle: null + group: default + id: 5ad22cd5-5e6e-4c6c-a81a-54b626a4cec5 + params: + message: 'Urgent: {{context.rule.description}}' + anomaly_threshold: 70 + created_at: '2020-04-07T14:45:15.679Z' + created_by: elastic + description: Generates alerts when the job discovers anomalies over 70 + enabled: true + false_positives: [] + from: now-6m + id: 83876f66-3a57-4a99-bf37-416494c80f3b + immutable: false + interval: 5m + machine_learning_job_id: linux_anomalous_network_activity_ecs + max_signals: 100 + name: Anomalous Linux network activity + note: Shut down the internet. + references: [] + related_integrations: [] + required_fields: [] + risk_score: 70 + rule_id: ml_linux_network_high_threshold + setup: '' + severity: high + status: going to run + status_date: '2020-04-07T14:45:21.685Z' + tags: + - machine learning + - Linux + threat: [] + to: now + type: machine_learning + updated_at: '2020-04-07T14:45:15.892Z' + updated_by: elastic + version: 1 + example3: + description: Example response for a threshold rule + summary: Threshold rule response + value: + actions: [] + author: [] + created_at: '2020-07-22T10:27:23.486Z' + created_by: elastic + description: Detects when there are 20 or more failed login attempts from the same IP address with a 2 minute time frame. 
+ enabled: true + exceptions_list: + - id: int-ips + namespace_type: single + type: detection + false_positives: [] + from: now-180s + id: 15dbde26-b627-4d74-bb1f-a5e0ed9e4993 + immutable: false + index: + - winlogbeat-* + interval: 2m + language: kuery + max_signals: 100 + name: Windows server prml-19 + query: host.name:prml-19 and event.category:authentication and event.outcome:failure + references: [] + related_integrations: + - package: o365 + version: ^2.3.2 + required_fields: + - ecs: true + name: source.ip + type: ip + risk_score: 30 + risk_score_mapping: [] + rule_id: liv-win-ser-logins + setup: '' + severity: low + severity_mapping: + - field: source.geo.city_name + operator: equals + severity: low + value: Manchester + - field: source.geo.city_name + operator: equals + severity: medium + value: London + - field: source.geo.city_name + operator: equals + severity: high + value: Birmingham + - field: source.geo.city_name + operator: equals + severity: critical + value: Wallingford + tags: + - Brute force + threat: [] + threshold: + field: source.ip + value: 20 + to: now + type: threshold + updated_at: '2020-07-22T10:27:23.673Z' + updated_by: elastic + version: 1 + example4: + description: Example response for an EQL rule + summary: EQL rule response + value: + author: [] + created_at: '2020-10-05T09:06:16.392Z' + created_by: elastic + description: Unusual rundll32.exe network connection + enabled: true + exceptions_list: [] + false_positives: [] + from: now-6m + id: 93808cae-b05b-4dc9-8479-73574b50f8b1 + immutable: false + interval: 5m + language: eql + max_signals: 100 + name: rundll32.exe network connection + query: sequence by process.entity_id with maxspan=2h [process where event.type in ("start", "process_started") and (process.name == "rundll32.exe" or process.pe.original_file_name == "rundll32.exe") and ((process.args == "rundll32.exe" and process.args_count == 1) or (process.args != "rundll32.exe" and process.args_count == 0))] [network where 
event.type == "connection" and (process.name == "rundll32.exe" or process.pe.original_file_name == "rundll32.exe")] + references: [] + related_integrations: + - package: o365 + version: ^2.3.2 + required_fields: + - ecs: true + name: event.type + type: keyword + - ecs: true + name: process.args + type: keyword + - ecs: true + name: process.args_count + type: long + - ecs: true + name: process.entity_id + type: keyword + - ecs: true + name: process.name + type: keyword + - ecs: true + name: process.pe.original_file_name + type: keyword + risk_score: 21 + risk_score_mapping: [] + rule_id: eql-outbound-rundll32-connections + setup: '' + severity: low + severity_mapping: [] + tags: + - EQL + - Windows + - rundll32.exe + threat: [] + throttle: no_actions + to: now + type: eql + updated_at: '2020-10-05T09:06:16.403Z' + updated_by: elastic + version: 1 + example5: + description: Example response for an indicator match rule + summary: Indicator match rule response + value: + author: [] + created_at: '2020-10-06T07:07:58.227Z' + created_by: elastic + description: Checks for bad IP addresses listed in the ip-threat-list index + enabled: true + exceptions_list: [] + false_positives: [] + from: now-6m + id: d5daa13f-81fb-4b13-be2f-31011e1d9ae1 + immutable: false + index: + - packetbeat-* + interval: 5m + language: kuery + max_signals: 100 + name: Bad IP threat match + query: destination.ip:* or host.ip:* + references: [] + related_integrations: + - package: o365 + version: ^2.3.2 + required_fields: + - ecs: true + name: destination.ip + type: ip + - ecs: true + name: destination.port + type: long + - ecs: true + name: host.ip + type: ip + risk_score: 50 + risk_score_mapping: [] + rule_id: 608501e4-c768-4f64-9326-cec55b5d439b + setup: '' + severity: medium + severity_mapping: [] + tags: [] + threat: [] + threat_index: + - ip-threat-list + threat_mapping: + - entries: + - field: destination.ip + type: mapping + value: destination.ip + - field: destination.port + type: mapping + 
value: destination.port + - entries: + - field: source.ip + type: mapping + value: host.ip + threat_query: '*:*' + to: now + type: threat_match + updated_at: '2020-10-06T07:07:58.237Z' + updated_by: elastic + version: 1 + example6: + description: Example response for a new terms rule + summary: New terms rule response + value: + author: [] + created_at: '2020-10-06T07:07:58.227Z' + created_by: elastic + description: Detects a user associated with a new IP address + enabled: true + exceptions_list: [] + false_positives: [] + from: now-6m + history_window_start: now-30d + id: eb7225c0-566b-11ee-8b4f-bbf3afdeb9f4 + immutable: false + index: + - auditbeat* + interval: 5m + language: kuery + max_signals: 100 + name: New User IP Detected + new_terms_fields: + - user.id + - source.ip + query: '*' + references: [] + related_integrations: + - package: o365 + version: ^2.3.2 + required_fields: + - ecs: true + name: user.id + type: keyword + - ecs: true + name: source.ip + type: ip + risk_score: 21 + risk_score_mapping: [] + rule_id: c6f5d0bc-7be9-47d4-b2f3-073d22641e30 + setup: '' + severity: medium + severity_mapping: [] + tags: [] + threat: [] + to: now + type: new_terms + updated_at: '2020-10-06T07:07:58.237Z' + updated_by: elastic + version: 1 + example7: + description: Example response for an Esql rule + summary: Esql rule response + value: + actions: [] + author: [] + created_at: '2023-10-18T10:55:14.269Z' + created_by: elastic + description: Find Excel events + enabled: false + exceptions_list: [] + false_positives: [] + from: now-360s + id: d0f20490-6da4-11ee-b85e-09e9b661f2e2 + immutable: false + interval: 5m + language: esql + max_signals: 100 + name: Find Excel events + output_index: '' + query: from auditbeat-8.10.2 METADATA _id | where process.parent.name == "EXCEL.EXE" + references: [] + related_integrations: + - package: o365 + version: ^2.3.2 + required_fields: + - ecs: true + name: process.parent.name + type: keyword + revision: 0 + risk_score: 21 + 
risk_score_mapping: [] + rule_id: e4b53a89-debd-4a0d-a3e3-20606952e589 + setup: '' + severity: low + severity_mapping: [] + tags: [] + threat: [] + to: now + type: esql + updated_at: '2023-10-18T10:55:14.269Z' + updated_by: elastic + version: 1 + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleResponse' + description: Indicates a successful call. + summary: Create a detection rule + tags: + - Security Detections API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: | + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/detection_engine/rules
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update a detection rule using the `rule_id` or `id` field. The original rule is replaced, and all unspecified fields are deleted. + + The difference between the `id` and `rule_id` is that the `id` is a unique rule identifier that is randomly generated when a rule is created and cannot be set, whereas `rule_id` is a stable rule identifier that can be assigned during rule creation. + > warn + > When used with [API key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running. + + > If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change. + operationId: UpdateRule + requestBody: + content: + application/json: + examples: + example1: + summary: Update query rule + value: + description: A new description + id: 14b7b513-3d8d-4b22-b7da-a7ae632f7e76 + name: A new name for the rule + risk_score: 22 + severity: medium + type: query + example2: + summary: Update EQL rule + value: + description: eql rule test + id: 9b684efb-acf9-4323-9bff-8335b3867d14 + index: + - apm-*-transaction* + language: eql + name: New name for EQL rule + query: process where process.name == "regsvr32.exe" + risk_score: 21 + severity: low + type: eql + example3: + summary: Update threshold rule + value: + description: Description of threat rule test + id: 005d2c4f-51ca-493d-a2bd-20ef076339b1 + language: kuery + name: New name for threat rule + query: 'agent.version : * and agent.id : "243d9b4f-ca01-4311-8e5c-9abbee91afd8"' + risk_score: 21 + severity: low + tags: + - new_tag + threshold: + cardinality: [] + field: [] + value: 400 + type: threshold + example4: + summary: Update new terms rule + value: + description: New description + 
history_window_start: now-7d + id: 569aac91-40dc-4807-a8ae-a2c8698089c4 + interval: 5m + name: New terms rule name + new_terms_fields: + - Endpoint.policy.applied.artifacts.global.identifiers.name + query: 'agent.version : "9.1.0"' + risk_score: 21 + severity: low + type: new_terms + example5: + summary: Update esql rule + value: + description: New description for esql rule + id: 0b15e8a2-49b6-47e0-a8e6-d63a6cc335bd + language: esql + name: New name for esql rule + query: | + FROM logs* + | STATS count = COUNT(*), min_timestamp = MIN(@timestamp) /* MIN(dateField) finds the earliest timestamp in the dataset. */ + | EVAL event_rate = count / DATE_DIFF("seconds", min_timestamp, NOW()) /* Calculates the event rate by dividing the total count of events by the time difference (in seconds) between the earliest event and the current time. */ + | KEEP event_rate + risk_score: 21 + severity: low + type: esql + example6: + summary: Update indicator match rule + value: + description: New description + id: 462f1986-10fe-40a3-a22c-2b1c9c4c48fd + name: New name for Indicator Match rule + query: source.ip:* or destination.ip:*\n + risk_score: 99 + severity: critical + threat_index: + - filebeat-* + - logs-ti_* + threat_mapping: + - entries: + - field: source.ip + type: mapping + value: threat.indicator.ip + - entries: + - field: destination.ip + type: mapping + value: threat.indicator.ip + threat_query: '@timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and threat.indicator.ip:* and not labels.is_ioc_transform_source:"true"' + type: threat_match + example7: + summary: Update machine learning rule + value: + anomaly_threshold: 50 + description: New description of ml rule + id: 60b13926-289b-41b1-a537-197ef1fa5059 + machine_learning_job_id: + - auth_high_count_logon_events_ea + name: New name of ml rule + risk_score: 21 + severity: low + type: machine_learning + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleUpdateProps' + description: | + > info + 
> All unspecified fields are deleted. You cannot modify the `id` or `rule_id` values. + required: true + responses: + '200': + content: + application/json: + examples: + example1: + summary: Example response for an updated rule + value: + actions: [] + created_at: '2020-04-07T14:51:09.755Z' + created_by: elastic + description: Updated description for the rule. + enabled: false + false_positives: [] + filters: + - query: null + from: now-70m + id: 6541b99a-dee9-4f6d-a86d-dbd1869d73b1 + immutable: false + interval: 1h + language: kuery + max_signals: 100 + name: Updated Rule Name + query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE + references: [] + related_integrations: + - package: o365 + required_fields: + - name: process.parent.name + risk_score: 50 + rule_id: process_started_by_ms_office_program + setup: '' + severity: low + tags: + - child process + - ms office + threat: [] + to: now + type: query + updated_at: '2020-04-07T14:51:09.970Z' + updated_by: elastic + version: 2 + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleResponse' + description: Indicates a successful call. + summary: Update a detection rule + tags: + - Security Detections API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/detection_engine/rules/_bulk_action: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/detection_engine/rules/_bulk_action
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Apply a bulk action, such as bulk edit, duplicate, or delete, to multiple detection rules. The bulk action is applied to all rules that match the query or to the rules listed by their IDs. + + The edit action allows you to add, delete, or set tags, index patterns, investigation fields, rule actions and schedules for multiple rules at once. + The edit action is idempotent, meaning that if you add a tag to a rule that already has that tag, no changes are made. The same is true for other edit actions, for example removing an index pattern that is not specified in a rule will not result in any changes. The only exception is the `add_rule_actions` and `set_rule_actions` action, which is non-idempotent. This means that if you add or set a rule action to a rule that already has that action, a new action is created with a new unique ID. + > warn + > When used with [API key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running. + + > If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change. + operationId: PerformRulesBulkAction + parameters: + - description: | + Enables dry run mode for the request call. + + Enable dry run mode to verify that bulk actions can be applied to specified rules. Certain rules, such as prebuilt Elastic rules on a Basic subscription, can’t be edited and will return errors in the request response. Error details will contain an explanation, the rule name and/or ID, and additional troubleshooting information. + + To enable dry run mode on a request, add the query parameter `dry_run=true` to the end of the request URL. Rules specified in the request will be temporarily updated. 
These updates won’t be written to Elasticsearch. + > info + > Dry run mode is not supported for the `export` bulk action. A 400 error will be returned in the request response. + in: query + name: dry_run + required: false + schema: + type: boolean + requestBody: + content: + application/json: + examples: + example01: + description: The following request activates all rules with the test tag. + summary: Enable - Enable all rules with the test tag + value: + action: enable + query: 'alert.attributes.tags: "test"' + example02: + description: The following request enables the rule with the specified ID. + summary: Enable - Enable a specific rule by ID. + value: + action: enable + ids: + - 748694f0-6977-4ea5-8384-cd2e39730779 + example03: + description: The following request disables the rule with the specified ID. + summary: Disable - Disable a specific rule by ID + value: + action: disable + ids: + - 748694f0-6977-4ea5-8384-cd2e39730779 + example04: + description: The following request duplicates rules with the specified IDs, including exceptions but not expired exceptions. + summary: Duplicate - Duplicate rules with specific IDs + value: + action: duplicate + duplicate: + include_exceptions: true + include_expired_exceptions: false + ids: + - 748694f0-6977-4ea5-8384-cd2e39730779 + - 461a4c22-416e-4009-a9a7-cf79656454bf + example05: + description: The following request deletes the rule with the specified ID. + summary: Delete - Delete a specific rule by ID + value: + action: delete + ids: + - cf4abfd1-7c37-4519-ab0f-5ea5c75fac60 + example06: + description: The following request runs the rule with the specified ID within the given date range. + summary: Run - Run a specific rule by ID + value: + action: run + ids: + - 748694f0-6977-4ea5-8384-cd2e39730779 + run: + end_date: '2025-03-10T23:59:59.999Z' + start_date: '2025-03-01T00:00:00.000Z' + example07: + description: The following request exports the rules with the specified IDs. 
+ summary: Export - Export specific rules by ID + value: + action: export + ids: + - 748694f0-6977-4ea5-8384-cd2e39730779 + example08: + description: The following request will validate that the add_index_patterns bulk action can be successfully applied to three rules. The dry_run parameter is specified in query parameters, e.g. POST api/detection_engine/rules/_bulk_action?dry_run=true + summary: Edit - dry run - Validate add_index_patterns bulk action + value: + action: edit + edit: + - type: add_index_patterns + value: + - test-* + ids: + - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 + - dc015d10-0831-11ed-ac8b-05a222bd8d4a + - de8f5af0-0831-11ed-ac8b-05a222bd8d4a + example09: + description: The following request adds the tag "tag-1" to the rules with the specified IDs. If the tag already exists for a rule, no changes are made. + summary: Edit - Add a tag to rules (idempotent) + value: + action: edit + edit: + - type: add_tags + value: + - tag-1 + ids: + - 8bc7dad0-9320-11ec-9265-8b772383a08d + - 8e5c1a40-9320-11ec-9265-8b772383a08d + example10: + description: The following request adds two tags at the same time, tag-1 and tag-2, to the rules that have the IDs sent in the payload. If the tags already exist for a rule, no changes are made. + summary: Edit - Add two tags to rules (idempotent) + value: + action: edit + edit: + - type: add_tags + value: + - tag-1 + - tag-2 + ids: + - 8bc7dad0-9320-11ec-9265-8b772383a08d + - 8e5c1a40-9320-11ec-9265-8b772383a08d + example11: + description: The following request removes the tag "tag-1" from the rules with the specified IDs. If the tag does not exist for a rule, no changes are made. 
+ summary: Edit - Delete a tag from rules (idempotent) + value: + action: edit + edit: + - type: delete_tags + value: + - tag-1 + ids: + - 8bc7dad0-9320-11ec-9265-8b772383a08d + - 8e5c1a40-9320-11ec-9265-8b772383a08d + example12: + description: The following request sets the tags "tag-1" and "tag-2" for the rules with the specified IDs, overwriting any existing tags. If the set of tags is the same as the existing tags, no changes are made. + summary: Edit - Set (overwrite existing) tags for rules (idempotent) + value: + action: edit + edit: + - type: set_tags + value: + - tag-1 + - tag-2 + ids: + - 8bc7dad0-9320-11ec-9265-8b772383a08d + - 8e5c1a40-9320-11ec-9265-8b772383a08d + example13: + description: The following request adds the index pattern "test-*" to the rules with the specified IDs. If the index pattern already exists for a rule, no changes are made. + summary: Edit - Add index patterns to rules (idempotent) + value: + action: edit + edit: + - type: add_index_patterns + value: + - test-* + ids: + - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 + - dc015d10-0831-11ed-ac8b-05a222bd8d4a + example14: + description: The following request removes the index pattern "test-*" from the rules with the specified IDs. If the index pattern does not exist for a rule, no changes are made. + summary: Edit - Remove index patterns from rules (idempotent) + value: + action: edit + edit: + - type: delete_index_patterns + value: + - test-* + ids: + - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 + - dc015d10-0831-11ed-ac8b-05a222bd8d4a + example15: + description: The following request sets the index patterns "test-*" and "prod-*" for the rules with the specified IDs, overwriting any existing index patterns. If the set of index patterns is the same as the existing index patterns, no changes are made. 
+ summary: Edit - Set (overwrite existing) index patterns for rules patterns (idempotent) + value: + action: edit + edit: + - type: set_index_patterns + value: + - test-* + ids: + - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 + - dc015d10-0831-11ed-ac8b-05a222bd8d4a + example16: + description: The following request adds investigation field to the rules with the specified IDs. + summary: Edit - Add investigation field to rules + value: + action: edit + edit: + - type: add_investigation_fields + value: + field_names: + - alert.status + ids: + - 12345678-1234-1234-1234-1234567890ab + - 87654321-4321-4321-4321-0987654321ba + example17: + description: The following request deletes investigation fields from the rules with the specified IDs. If the field does not exist for a rule, no changes are made. + summary: Edit - Delete investigation fields from rules (idempotent) + value: + action: edit + edit: + - type: delete_investigation_fields + ids: + - 12345678-1234-1234-1234-1234567890ab + - 87654321-4321-4321-4321-0987654321ba + value: + - field1 + - field2 + example18: + description: The following request sets investigation fields for the rules with the specified IDs, overwriting any existing investigation fields. If the set of investigation fields is the same as the existing investigation fields, no changes are made. + summary: Edit - Set (overwrite existing) investigation fields for rules (idempotent) + value: + action: edit + edit: + - type: set_investigation_fields + value: + - field1 + - field2 + ids: + - 12345678-1234-1234-1234-1234567890ab + - 87654321-4321-4321-4321-0987654321ba + example19: + description: The following request sets a timeline template for the rules with the specified IDs. If the same timeline template is already set for a rule, no changes are made. 
+ summary: Edit - Set (overwrite existing) timeline template for rules (idempotent) + value: + action: edit + edit: + - type: set_timeline + value: + timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd + timeline_title: Alerts Involving a Single User Timeline + ids: + - eacdfc95-e007-41c9-986e-4b2cbdfdc71b + example20: + description: The following request sets a schedule for the rules with the specified IDs. If the same schedule is already set for a rule, no changes are made. + summary: Edit - Set (overwrite existing) schedule for rules (idempotent) + value: + action: edit + edit: + - type: set_schedule + value: + interval: 1h + lookback: 30m + ids: + - 99887766-5544-3322-1100-aabbccddeeff + example21: + description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. + summary: Edit - Add rule actions to rules (non-idempotent) + value: + action: edit + edit: + - type: add_rule_actions + value: + actions: + - group: default + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: The message body + ids: + - 9e946bfc-3118-4c77-bb25-67d781191928 + example22: + description: The following request sets rule actions for the rules with the specified IDs. Each action receives its own unique ID. + summary: Edit - Set (overwrite existing) rule actions for rules (non-idempotent) + value: + action: edit + edit: + - type: set_rule_actions + value: + actions: + - group: default + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: The message body + ids: + - 9e946bfc-3118-4c77-bb25-67d781191928 + example23: + description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. 
+ summary: Edit - Add rule actions to rules for a webhook connector + value: + action: edit + edit: + - type: add_rule_actions + value: + actions: + - group: default3 + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: The message body + ids: + - 9e946bfc-3118-4c77-bb25-67d781191921 + example24: + description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. + summary: Edit - Add rule actions to rules for an email connector + value: + action: edit + edit: + - type: add_rule_actions + value: + actions: + - group: default3 + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + message: The message body + subject: Subject + to: address@domain.com + ids: + - 9e946bfc-3118-4c77-bb25-67d781191921 + example25: + description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. + summary: Edit - Add rule actions to rules for a slack connector + value: + action: edit + edit: + - type: add_rule_actions + value: + actions: + - group: default3 + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + message: The content of the message + ids: + - 9e946bfc-3118-4c77-bb25-67d781191921 + example26: + description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. + summary: Edit - Add rule actions to rules for a PagerDuty connector + value: + action: edit + edit: + - type: add_rule_actions + value: + actions: + - group: default3 + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + eventAction: trigger + severity: critical + summary: The message body + timestamp: '2023-10-31T00:00:00.000Z' + ids: + - 9e946bfc-3118-4c77-bb25-67d781191921 + example27: + description: The following request set alert suppression to the rules with the specified IDs. 
+ summary: Edit - Set alert suppression to rules (idempotent) + value: + action: edit + edit: + - type: set_alert_suppression + value: + duration: + unit: h + value: 1 + group_by: + - source.ip + missing_fields_strategy: suppress + ids: + - 12345678-1234-1234-1234-1234567890ab + - 87654321-4321-4321-4321-0987654321ba + example28: + description: The following request set alert suppression to threshold rules with the specified IDs. + summary: Edit - Set alert suppression to threshold rules (idempotent) + value: + action: edit + edit: + - type: set_alert_suppression_for_threshold + value: + duration: + unit: h + value: 1 + ids: + - 12345678-1234-1234-1234-1234567890ab + - 87654321-4321-4321-4321-0987654321ba + example29: + description: The following request removes alert suppression from the rules with the specified IDs. If the rules do not have alert suppression, no changes are made. + summary: Edit - Removes alert suppression from rules (idempotent) + value: + action: edit + edit: + - type: delete_alert_suppression + ids: + - 12345678-1234-1234-1234-1234567890ab + - 87654321-4321-4321-4321-0987654321ba + example30: + description: The following request triggers the filling of gaps for the specified rule ids and time range + summary: Fill Gaps - Manually trigger the filling of gaps for specified rules + value: + action: fill_gaps + ids: + - 748694f0-6977-4ea5-8384-cd2e39730779 + - 164d0918-f720-4c9f-9f5c-c5122587cf19 + run: + end_date: '2025-03-10T23:59:59.999Z' + start_date: '2025-03-01T00:00:00.000Z' + schema: + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_BulkDeleteRules' + - $ref: '#/components/schemas/Security_Detections_API_BulkDisableRules' + - $ref: '#/components/schemas/Security_Detections_API_BulkEnableRules' + - $ref: '#/components/schemas/Security_Detections_API_BulkExportRules' + - $ref: '#/components/schemas/Security_Detections_API_BulkDuplicateRules' + - $ref: '#/components/schemas/Security_Detections_API_BulkManualRuleRun' + - $ref: 
'#/components/schemas/Security_Detections_API_BulkManualRuleFillGaps' + - $ref: '#/components/schemas/Security_Detections_API_BulkEditRules' + responses: + '200': + content: + application/json: + examples: + example01: + description: In this response one rule was updated and one was skipped. Objects returned in attributes.results.skipped will only include rules' id, name, and skip_reason. + summary: Successful response + value: + attributes: + results: + created: [] + deleted: [] + skipped: + - id: 51658332-a15e-4c9e-912a-67214e2e2359 + name: Skipped rule + skip_reason: RULE_NOT_MODIFIED + updated: + - anomaly_threshold: 50 + author: + - Elastic + created_at: '2022-02-21T14:14:13.801Z' + created_by: elastic + description: A machine learning job detected unusually large numbers of DNS queries for a single top-level DNS domain, which is often used for DNS tunneling. DNS tunneling can be used for command-and-control, persistence, or data exfiltration activity. For example, dnscat tends to generate many DNS questions for a top-level domain as it uses the DNS protocol to tunnel data. + enabled: true + exceptions_list: [] + execution_summary: + last_execution: + date: '2022-03-23T16:06:12.787Z' + message: This rule attempted to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, but no matching index was found. + metrics: + execution_gap_duration_s: 0 + total_indexing_duration_ms: 15 + total_search_duration_ms: 135 + status: partial failure + status_order: 20 + false_positives: + - DNS domains that use large numbers of child domains, such as software or content distribution networks, can trigger this alert and such parent domains can be excluded. 
+ from: now-45m + id: 8bc7dad0-9320-11ec-9265-8b772383a08d + immutable: false + interval: 15m + license: Elastic License v2 + machine_learning_job_id: + - packetbeat_dns_tunneling_ea + max_signals: 100 + name: DNS Tunneling [Duplicate] + references: + - https://www.elastic.co/docs/reference/machine-learning/ootb-ml-jobs-siem + related_integrations: [] + required_fields: [] + risk_score: 21 + risk_score_mapping: [] + rule_id: 7289bf08-4e91-4c70-bf01-e04c4c5d7756 + setup: '' + severity: low + severity_mapping: [] + tags: + - Elastic + - Network + - Threat Detection + - ML + threat: [] + to: now + type: machine_learning + updated_at: '2022-02-21T17:05:50.883Z' + updated_by: elastic + version: 6 + summary: + failed: 0 + skipped: 1 + succeeded: 1 + total: 2 + rules_count: 1 + success: true + example02: + description: If processing of any rule fails, a partial error outputs the ID and/or name of the affected rule and the corresponding error, as well as successfully processed rules (in the same format as a successful 200 request). + summary: Partial failure + value: + value: + attributes: + errors: + - message: Index patterns can't be added. Machine learning rule doesn't have index patterns property + rules: + - id: 8bc7dad0-9320-11ec-9265-8b772383a08d + name: DNS Tunneling [Duplicate] + status_code: 500 + results: + created: [] + deleted: [] + skipped: [] + updated: + - actions: [] + author: + - Elastic + created_at: '2022-02-21T14:14:17.883Z' + created_by: elastic + description: Generates a detection alert for each external alert written to the configured indices. Enabling this rule allows you to immediately begin investigating external alerts in the app. + enabled: true + exceptions_list: [] + execution_summary: + last_execution: + date: '2022-03-23T16:06:12.787Z' + message: This rule attempted to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, but no matching index was found. 
+ metrics: + execution_gap_duration_s: 0 + total_indexing_duration_ms: 15 + total_search_duration_ms: 135 + status: partial failure + status_order: 20 + false_positives: [] + from: now-6m + id: 8e5c1a40-9320-11ec-9265-8b772383a08d + immutable: false + index: + - apm-*-transaction* + - traces-apm* + - auditbeat-* + - filebeat-* + - logs-* + - packetbeat-* + - winlogbeat-* + - added-by-id-* + interval: 5m + language: kuery + license: Elastic License v2 + max_signals: 10000 + name: External Alerts [Duplicate] + query: | + event.kind:alert and not event.module:(endgame or endpoint) + references: [] + related_integrations: [] + required_fields: [] + risk_score: 47 + risk_score_mapping: + - field: event.risk_score + operator: equals + value: '' + rule_id: 941faf98-0cdc-4569-b16d-4af962914d61 + rule_name_override: message + setup: '' + severity: medium + severity_mapping: + - field: event.severity + operator: equals + severity: low + value: '21' + - field: event.severity + operator: equals + severity: medium + value: '47' + - field: event.severity + operator: equals + severity: high + value: '73' + - field: event.severity + operator: equals + severity: critical + value: '99' + tags: + - Elastic + - Network + - Windows + - APM + - macOS + - Linux + threat: [] + timestamp_override: event.ingested + to: now + type: query + updated_at: '2022-02-21T16:56:22.818Z' + updated_by: elastic + version: 5 + summary: + failed: 1 + skipped: 0 + succeeded: 1 + total: 2 + message: Bulk edit partially failed + rules_count: 2 + status_code: 500 + success: false + example03: + description: The attributes.errors section of the response shows that two rules failed to update and one succeeded. The same results would be returned if you ran the request without dry run mode enabled. Notice that there are no arrays in attributes.results. 
In dry run mode, rule updates are not applied and saved to Elasticsearch, so the endpoint wouldn’t return results for rules that have been updated, created, or deleted. + summary: Dry run + value: + attributes: + errors: + - err_code: IMMUTABLE + message: Elastic rule can't be edited + rules: + - id: 81aa0480-06af-11ed-94fb-dd1a0597d8d2 + name: Unusual AWS Command for a User + status_code: 500 + - err_code: MACHINE_LEARNING_INDEX_PATTERN + message: Machine learning rule doesn't have index patterns + rules: + - id: dc015d10-0831-11ed-ac8b-05a222bd8d4a + name: Suspicious Powershell Script [Duplicate] + status_code: 500 + results: + created: [] + deleted: [] + skipped: [] + updated: [] + summary: + failed: 2 + skipped: 0 + succeeded: 1 + total: 3 + message: Bulk edit partially failed + status_code: 500 + example04: + description: This example presents the successful setting of tags for 2 rules. There was a difference between the set of tags that were being added and the tags that were already set in the rules, that's why the rules were updated. 
+ summary: Set tags successsully for 2 rules + value: + attributes: + results: + created: [] + deleted: [] + skipped: [] + updated: + - actions: [] + author: [] + created_at: '2025-03-25T11:46:41.899Z' + created_by: elastic + description: test + enabled: false + exceptions_list: [] + false_positives: [] + filters: [] + from: now-6m + id: 738112cd-6cfa-414a-8457-2a658845d6ba + immutable: false + index: + - apm-*-transaction* + - auditbeat-* + - endgame-* + - filebeat-* + - logs-* + - packetbeat-* + - traces-apm* + - winlogbeat-* + - '-*elastic-cloud-logs-*' + interval: 5m + language: kuery + license: '' + max_signals: 100 + meta: + kibana_siem_app_url: http://localhost:5601/kbn/app/security + name: Rule 1 + output_index: '' + query: '*' + references: [] + related_integrations: [] + required_fields: [] + revision: 1 + risk_score: 21 + risk_score_mapping: [] + rule_id: 6fb746a0-dfe5-40fa-b03f-5cbb84f3e32e + rule_source: + type: internal + setup: '' + severity: low + severity_mapping: [] + tags: + - tag-1 + - tag-2 + threat: [] + to: now + type: query + updated_at: '2025-03-25T11:47:11.350Z' + updated_by: elastic + version: 2 + - actions: + - action_type_id: .webhook + frequency: + notifyWhen: onActiveAlert + summary: true + throttle: null + group: default + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: Hello + uuid: 580e2e16-5e91-411c-999b-7b75a11ed441 + author: [] + created_at: '2025-03-25T09:49:08.343Z' + created_by: elastic + description: test + enabled: false + exceptions_list: [] + false_positives: [] + filters: [] + from: now-360s + id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b + immutable: false + index: + - apm-*-transaction* + - auditbeat-* + - endgame-* + - filebeat-* + - logs-* + - packetbeat-* + - traces-apm* + - winlogbeat-* + - '-*elastic-cloud-logs-*' + interval: 3m + investigation_fields: + field_names: + - alert.status + - Endpoint.policy.applied.artifacts.global.channel + language: kuery + license: '' + max_signals: 100 + meta: + from: 3m + 
kibana_siem_app_url: http://localhost:5601/kbn/app/security + name: Rule 2 + output_index: '' + query: '*' + references: [] + related_integrations: [] + required_fields: [] + revision: 33 + risk_score: 21 + risk_score_mapping: [] + rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180 + rule_source: + type: internal + setup: '' + severity: low + severity_mapping: [] + tags: + - tag-1 + - tag-2 + threat: [] + timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd + timeline_title: Alerts Involving a Single User Timeline + to: now + type: query + updated_at: '2025-03-25T11:47:11.357Z' + updated_by: elastic + version: 24 + summary: + failed: 0 + skipped: 0 + succeeded: 2 + total: 2 + rules_count: 2 + success: true + example05: + description: This example presents the idempotent behavior of the edit action with set_tags request. Both rules already had exactly the same tags that were being added, so no changes were made in any of them. + summary: Idempotent behavior of set_tags + value: + attributes: + results: + created: [] + deleted: [] + skipped: + - id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b + name: Rule 1 + skip_reason: RULE_NOT_MODIFIED + - id: 738112cd-6cfa-414a-8457-2a658845d6ba + name: Rule 2 + skip_reason: RULE_NOT_MODIFIED + updated: [] + summary: + failed: 0 + skipped: 2 + succeeded: 0 + total: 2 + rules_count: 2 + success: true + example06: + description: This example presents the idempotent behavior of the edit action with add_tags request. One rule was updated and one was skipped. The rule that was skipped already had all the tags that were being added. 
+ summary: Idempotent behavior of add_tags + value: + attributes: + results: + created: [] + deleted: [] + skipped: + - id: 738112cd-6cfa-414a-8457-2a658845d6ba + name: Test Rule 2 + skip_reason: RULE_NOT_MODIFIED + updated: + - actions: + - action_type_id: .webhook + frequency: + notifyWhen: onActiveAlert + summary: true + throttle: null + group: default + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: Hello + uuid: 580e2e16-5e91-411c-999b-7b75a11ed441 + author: [] + created_at: '2025-03-25T09:49:08.343Z' + created_by: elastic + description: test + enabled: false + exceptions_list: [] + false_positives: [] + filters: [] + from: now-360s + id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b + immutable: false + index: + - apm-*-transaction* + - auditbeat-* + - endgame-* + - filebeat-* + - logs-* + - packetbeat-* + - traces-apm* + - winlogbeat-* + - '-*elastic-cloud-logs-*' + interval: 3m + investigation_fields: + field_names: + - alert.status + - Endpoint.policy.applied.artifacts.global.channel + language: kuery + license: '' + max_signals: 100 + meta: + from: 3m + kibana_siem_app_url: http://localhost:5601/kbn/app/security + name: Test rule + output_index: '' + query: '*' + references: [] + related_integrations: [] + required_fields: [] + revision: 34 + risk_score: 21 + risk_score_mapping: [] + rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180 + rule_source: + type: internal + setup: '' + severity: low + severity_mapping: [] + tags: + - tag-1 + - tag-2 + - tag-4 + threat: [] + timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd + timeline_title: Alerts Involving a Single User Timeline + to: now + type: query + updated_at: '2025-03-25T11:55:12.752Z' + updated_by: elastic + version: 25 + summary: + failed: 0 + skipped: 1 + succeeded: 1 + total: 2 + rules_count: 2 + success: true + example07: + description: This example shows a non-idempotent nature of the set_rule_actions requests. 
Regardless if the actions are the same as the existing actions for a rule, the actions are always set in the rule and receive a new unique ID. + summary: Non-idempotent behavior for set_rule_actions + value: + attributes: + results: + created: [] + deleted: [] + skipped: [] + updated: + - actions: + - action_type_id: .webhook + frequency: + notifyWhen: onActiveAlert + summary: true + throttle: null + group: default + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: Hello + uuid: e48428e5-efac-4856-b8ad-b271c14eaa91 + author: [] + created_at: '2025-03-25T09:49:08.343Z' + created_by: elastic + description: test + enabled: false + exceptions_list: [] + false_positives: [] + filters: [] + from: now-360s + id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b + immutable: false + index: + - apm-*-transaction* + - auditbeat-* + - endgame-* + - filebeat-* + - logs-* + - packetbeat-* + - traces-apm* + - winlogbeat-* + - '-*elastic-cloud-logs-*' + interval: 3m + investigation_fields: + field_names: + - alert.status + - Endpoint.policy.applied.artifacts.global.channel + language: kuery + license: '' + max_signals: 100 + meta: + from: 3m + kibana_siem_app_url: http://localhost:5601/kbn/app/security + name: Test rule + output_index: '' + query: '*' + references: [] + related_integrations: [] + required_fields: [] + revision: 39 + risk_score: 21 + risk_score_mapping: [] + rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180 + rule_source: + type: internal + setup: '' + severity: low + severity_mapping: [] + tags: + - tag-1 + - tag-2 + - tag-4 + threat: [] + timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd + timeline_title: Alerts Involving a Single User Timeline + to: now + type: query + updated_at: '2025-03-25T12:17:40.528Z' + updated_by: elastic + version: 30 + summary: + failed: 0 + skipped: 0 + succeeded: 1 + total: 1 + rules_count: 1 + success: true + example08: + description: This example shows a non-idempotent nature of the add_rule_actions requests. 
Regardless if the added action is the same as another existing action for a rule, the new action is added to the rule and receives a new unique ID. + summary: Non-idempotent behavior for add_rule_actions + value: + attributes: + results: + created: [] + deleted: [] + skipped: [] + updated: + - actions: + - action_type_id: .webhook + frequency: + notifyWhen: onActiveAlert + summary: true + throttle: null + group: default + id: 76af173d-38d8-4a9a-b2cc-a3c695b845b4 + params: + body: Message body + uuid: 0309347e-3954-429c-9168-5da2663389af + - action_type_id: .webhook + frequency: + notifyWhen: onActiveAlert + summary: true + throttle: null + group: default + id: 76af173d-38d8-4a9a-b2cc-a3c695b845b4 + params: + body: Message body + uuid: 49ddaa94-d63d-410e-90dc-8c1bad9552bd + author: [] + created_at: '2025-04-02T12:42:03.400Z' + created_by: elastic + description: test + enabled: false + exceptions_list: [] + false_positives: [] + filters: [] + from: now-6m + id: 0d3eb0cd-88c4-4651-ac87-6d9f0cb87217 + immutable: false + index: + - apm-*-transaction* + - auditbeat-* + - endgame-* + - filebeat-* + - logs-* + - packetbeat-* + - traces-apm* + - winlogbeat-* + - '-*elastic-cloud-logs-*' + interval: 5m + language: kuery + license: '' + max_signals: 100 + meta: + kibana_siem_app_url: http://localhost:5601/kbn/app/security + name: Jacek test rule + output_index: '' + query: '*' + references: [] + related_integrations: [] + required_fields: [] + revision: 2 + risk_score: 21 + risk_score_mapping: [] + rule_id: 2684c020-1370-4719-ac27-eafe6428fe10 + rule_source: + type: internal + setup: '' + severity: low + severity_mapping: [] + tags: [] + threat: [] + to: now + type: query + updated_at: '2025-04-02T12:51:40.215Z' + updated_by: elastic + version: 2 + summary: + failed: 0 + skipped: 0 + succeeded: 1 + total: 1 + rules_count: 1 + success: true + schema: + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_BulkEditActionResponse' + - $ref: 
'#/components/schemas/Security_Detections_API_BulkExportActionResponse' + description: OK + summary: Apply a bulk action to detection rules + tags: + - Security Detections API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/detection_engine/rules/_export: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/detection_engine/rules/_export
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Export detection rules to an `.ndjson` file. The following configuration items are also included in the `.ndjson` file: + - Actions + - Exception lists + > info + > Rule actions and connectors are included in the exported file, but sensitive information about the connector (such as authentication credentials) is not included. You must re-add missing connector details after importing detection rules. + + > You can use Kibana’s [Saved Objects](https://www.elastic.co/docs/explore-analyze/find-and-organize/saved-objects) UI (Stack Management → Kibana → Saved Objects) or the Saved Objects APIs (experimental) to [export](https://www.elastic.co/docs/api/doc/kibana/operation/operation-exportsavedobjectsdefault) and [import](https://www.elastic.co/docs/api/doc/kibana/operation/operation-importsavedobjectsdefault) any necessary connectors before importing detection rules. + + > Similarly, any value lists used for rule exceptions are not included in rule exports or imports. Use the [Manage value lists](https://www.elastic.co/docs/solutions/security/detect-and-alert/create-manage-value-lists) UI (Rules → Detection rules (SIEM) → Manage value lists) to export and import value lists separately. + operationId: ExportRules + parameters: + - description: Determines whether a summary of the exported rules is returned. + in: query + name: exclude_export_details + required: false + schema: + default: false + type: boolean + - description: | + File name for saving the exported rules. + > info + > When using cURL to export rules to a file, use the -O and -J options to save the rules to the file name specified in the URL. 
+ in: query + name: file_name + required: false + schema: + default: export.ndjson + type: string + requestBody: + content: + application/json: + examples: + exportByRuleIds: + summary: Request body to export a subset of rules + value: + objects: + - rule_id: 343580b5-c811-447c-8d2d-2ccf052c6900 + - rule_id: 2938c9fa-53eb-4c04-b79c-33cbf041b18d + schema: + nullable: true + type: object + properties: + objects: + description: Array of objects with a rule's `rule_id` field. Do not use rule's `id` here. Exports all rules when unspecified. + items: + type: object + properties: + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + required: + - rule_id + type: array + required: + - objects + required: false + responses: + '200': + content: + application/ndjson: + examples: + sampleNdjson: + value: | + {"rule_id":"343580b5-c811-447c-8d2d-2ccf052c6900","name":"Example rule","type":"query","enabled":true} + {"exception_list":true} + {"export_summary":{"total_rules":1,"exceptions_count":0}} + schema: + description: | + An `.ndjson` file containing the returned rules. + + Each line in the file represents an object (a rule, exception list parent container, or exception list item), and the last line includes a summary of what was exported. + format: binary + type: string + description: Indicates a successful call. 
+ summary: Export detection rules + tags: + - Security Detections API + x-codeSamples: + - lang: cURL + source: | + curl -X POST "localhost:5601/api/detection_engine/rules/_export?exclude_export_details=true&file_name=exported_rules.ndjson" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' + { + "objects": [ + { + "rule_id":"343580b5-c811-447c-8d2d-2ccf052c6900" }, - "connectorName": "GPT-5 Chat", - "end": "now", - "start": "now-24h" - }' - /api/attack_discovery/generations: + { + "rule_id":"2938c9fa-53eb-4c04-b79c-33cbf041b18d" + } + ] + } + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/detection_engine/rules/_find: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/detection_engine/rules/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve a paginated list of detection rules. By default, the first page is returned, with 20 results per page. + operationId: FindRules + parameters: + - description: | + List of `alert.attributes` field names to return for each rule (for example `name`, `enabled`). + If omitted, the default field set is returned. Repeat the parameter to pass multiple field names, or + use comma-separated values when supported by your client. + in: query + name: fields + required: false + schema: + items: + type: string + type: array + - description: | + Search query + + Filters the returned results according to the value of the specified field, using the alert.attributes.: syntax, where can be: + - name + - enabled + - tags + - createdBy + - interval + - updatedBy + > info + > Even though the JSON rule object uses created_by and updated_by fields, you must use createdBy and updatedBy fields in the filter. 
+ in: query + name: filter + required: false + schema: + type: string + - description: Field to sort by + in: query + name: sort_field + required: false + schema: + $ref: '#/components/schemas/Security_Detections_API_FindRulesSortField' + - description: Sort order + in: query + name: sort_order + required: false + schema: + $ref: '#/components/schemas/Security_Detections_API_SortOrder' + - description: Page number + in: query + name: page + required: false + schema: + default: 1 + minimum: 1 + type: integer + - description: Rules per page + in: query + name: per_page + required: false + schema: + default: 20 + minimum: 0 + type: integer + - description: Gaps range start + in: query + name: gaps_range_start + required: false + schema: + type: string + - description: Gaps range end + in: query + name: gaps_range_end + required: false + schema: + type: string + - description: Gap fill statuses + in: query + name: gap_fill_statuses + required: false + schema: + items: + $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' + type: array + - description: Gap auto fill scheduler ID used to determine gap fill status for rules + in: query + name: gap_auto_fill_scheduler_id + required: false + schema: + type: string + responses: + '200': + content: + application/json: + examples: + example1: + value: + data: + - created_at: '2020-02-02T10:05:19.613Z' + created_by: elastic + description: Identifies a PowerShell process launched by either cscript.exe or wscript.exe. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity. + enabled: false + execution_summary: + last_execution: + date: '2022-03-23T16:06:12.787Z' + message: This rule attempted to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, but no matching index was found. 
+ metrics: + execution_gap_duration_s: 0 + total_indexing_duration_ms: 15 + total_search_duration_ms: 135 + status: partial failure + status_order: 20 + false_positives: [] + from: now-6m + id: 89761517-fdb0-4223-b67b-7621acc48f9e + immutable: true + index: + - winlogbeat-* + interval: 5m + language: kuery + max_signals: 33 + name: Windows Script Executing PowerShell + query: 'event.action:"Process Create (rule: ProcessCreate)" and process.parent.name:("wscript.exe" or "cscript.exe") and process.name:"powershell.exe"' + references: [] + related_integrations: + - package: o365 + version: ^2.3.2 + required_fields: + - ecs: true + name: event.action + type: keyword + - ecs: true + name: process.name + type: keyword + - ecs: true + name: process.parent.name + type: keyword + risk_score: 21 + rule_id: f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc + setup: '' + severity: low + tags: + - Elastic + - Windows + threat: + - framework: MITRE ATT&CK + tactic: + id: TA0002 + name: Execution + reference: https://attack.mitre.org/tactics/TA0002/ + technique: + - id: T1193 + name: Spearphishing Attachment + reference: https://attack.mitre.org/techniques/T1193/ + to: now + type: query + updated_at: '2020-02-02T10:05:19.830Z' + updated_by: elastic + page: 1 + perPage: 5 + total: 4 + schema: + type: object + properties: + data: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleResponse' + type: array + page: + type: integer + perPage: + type: integer + total: + type: integer + warnings: + items: + $ref: '#/components/schemas/Security_Detections_API_WarningSchema' + type: array + required: + - page + - perPage + - total + - data + description: | + Successful response + > info + > These fields are under development and their usage or schema may change: execution_summary. 
+ summary: List all detection rules + tags: + - Security Detections API + x-codeSamples: + - lang: cURL + source: | + curl -X GET "localhost:5601/api/detection_engine/rules/_find?page=1&per_page=5&sort_field=enabled&sort_order=asc&filter=alert.attributes.name:windows" -H 'kbn-xsrf: true' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/detection_engine/rules/_import: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/detection_engine/rules/_import
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Import detection rules from an `.ndjson` file, including actions and exception lists. The request must include: + - The `Content-Type: multipart/form-data` HTTP header. + - A link to the `.ndjson` file containing the rules. + > warn + > When used with [API key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running. + + > If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change. + > info + > To import rules with actions, you need at least Read privileges for the Action and Connectors feature. To overwrite or add new connectors, you need All privileges for the Actions and Connectors feature. To import rules without actions, you don’t need Actions and Connectors privileges. Refer to [Enable and access detections](https://www.elastic.co/docs/solutions/security/detect-and-alert/detections-privileges) for more information. + + > info + > Rule actions and connectors are included in the exported file, but sensitive information about the connector (such as authentication credentials) is not included. You must re-add missing connector details after importing detection rules. + + > You can use Kibana’s [Saved Objects](https://www.elastic.co/docs/explore-analyze/find-and-organize/saved-objects) UI (Stack Management → Kibana → Saved Objects) or the Saved Objects APIs (experimental) to [export](https://www.elastic.co/docs/api/doc/kibana/operation/operation-exportsavedobjectsdefault) and [import](https://www.elastic.co/docs/api/doc/kibana/operation/operation-importsavedobjectsdefault) any necessary connectors before importing detection rules. 
+ + > Similarly, any value lists used for rule exceptions are not included in rule exports or imports. Use the [Manage value lists](https://www.elastic.co/docs/solutions/security/detect-and-alert/create-manage-value-lists) UI (Rules → Detection rules (SIEM) → Manage value lists) to export and import value lists separately. + operationId: ImportRules + parameters: + - description: Determines whether existing rules with the same `rule_id` are overwritten. + in: query + name: overwrite + required: false + schema: + default: false + type: boolean + - description: Determines whether existing exception lists with the same `list_id` are overwritten. Both the exception list container and its items are overwritten. + in: query + name: overwrite_exceptions + required: false + schema: + default: false + type: boolean + - description: Determines whether existing actions with the same `kibana.alert.rule.actions.id` are overwritten. + in: query + name: overwrite_action_connectors + required: false + schema: + default: false + type: boolean + - description: Generates a new list ID for each imported exception list. + in: query + name: as_new_list + required: false + schema: + default: false + type: boolean + requestBody: + content: + multipart/form-data: + examples: + rulesFile: + summary: Multipart part containing a rule export + value: + file: rules_import.ndjson + schema: + type: object + properties: + file: + description: The `.ndjson` file containing the rules. 
+ format: binary + type: string + required: true + responses: + '200': + content: + application/json: + examples: + example1: + summary: Import rules with success + value: + errors: [] + exceptions_errors: [] + exceptions_success: true + exceptions_success_count: 0 + rules_count: 1 + success: true + success_count: 1 + schema: + additionalProperties: false + type: object + properties: + action_connectors_errors: + items: + $ref: '#/components/schemas/Security_Detections_API_ErrorSchema' + type: array + action_connectors_success: + type: boolean + action_connectors_success_count: + minimum: 0 + type: integer + action_connectors_warnings: + items: + $ref: '#/components/schemas/Security_Detections_API_WarningSchema' + type: array + errors: + items: + $ref: '#/components/schemas/Security_Detections_API_ErrorSchema' + type: array + exceptions_errors: + items: + $ref: '#/components/schemas/Security_Detections_API_ErrorSchema' + type: array + exceptions_success: + type: boolean + exceptions_success_count: + minimum: 0 + type: integer + rules_count: + minimum: 0 + type: integer + success: + type: boolean + success_count: + minimum: 0 + type: integer + required: + - exceptions_success + - exceptions_success_count + - exceptions_errors + - rules_count + - success + - success_count + - errors + - action_connectors_errors + - action_connectors_warnings + - action_connectors_success + - action_connectors_success_count + description: Indicates a successful call. + summary: Import detection rules + tags: + - Security Detections API + x-codeSamples: + - lang: cURL + source: | + curl -X POST "/api/detection_engine/rules/_import" + -u : -H 'kbn-xsrf: true' + -H 'Content-Type: multipart/form-data' + --form "file=@" + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/detection_engine/rules/{id}/exceptions: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/detection_engine/rules/{id}/exceptions
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create exception items that apply to a single detection rule. + operationId: CreateRuleExceptionListItems + parameters: + - description: Detection rule's identifier + examples: + id: + value: 330bdd28-eedf-40e1-bed0-f10176c7f9e0 + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Exceptions_API_UUID' + requestBody: + content: + application/json: + examples: + addItems: + value: + items: + - description: This is a sample detection type exception item. + entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + - field: host.name + operator: included + type: match_any + value: + - saturn + - jupiter + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + type: simple + schema: + example: + items: + - description: This is a sample detection type exception item. + entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + - field: host.name + operator: included + type: match_any + value: + - saturn + - jupiter + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + type: simple + type: object + properties: + items: + items: + $ref: '#/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemProps' + type: array + required: + - items + description: Rule exception items. + required: true + responses: + '200': + content: + application/json: + examples: + ruleExceptionItems: + value: + - _version: WzQsMV0= + comments: [] + created_at: '2025-01-07T20:07:33.119Z' + created_by: elastic + description: This is a sample detection type exception item. 
+ entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + - field: host.name + operator: included + type: match_any + value: + - saturn + - jupiter + id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c + type: simple + updated_at: '2025-01-07T20:07:33.119Z' + updated_by: elastic + schema: + items: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' + type: array + description: Successful response + '400': + content: + application/json: + examples: + badPayload: + value: + error: Bad Request + message: Invalid request payload JSON format + statusCode: 400 + badRequest: + value: + error: Bad Request + message: '[request params]: id: Invalid uuid' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + message: Unable to create exception-list + status_code: 403 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal 
Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Create rule exception items + tags: + - Security Exceptions API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/detection_engine/rules/preview: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/detection_engine/rules/preview
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Simulates a detection rule using the same rule type and query logic as a persisted rule, over a short + time window, without persisting a rule or writing alerts. Use the response to validate queries, see sample + matching documents, and inspect execution logs. Pair `invocationCount` and `timeframeEnd` to cap run time. + operationId: RulePreview + parameters: + - description: Enables logging and returning in response ES queries, performed during rule execution + in: query + name: enable_logged_requests + required: false + schema: + type: boolean + requestBody: + content: + application/json: + examples: + queryRule: + value: + description: Find matching events + from: now-24h + index: + - logs-* + invocationCount: 1 + language: kuery + max_signals: 20 + name: Rule preview + query: 'process.name : *' + risk_score: 25 + severity: low + timeframeEnd: '2025-01-20T12:00:00.000Z' + to: now + type: query + schema: + anyOf: + - allOf: + - $ref: '#/components/schemas/Security_Detections_API_EqlRuleCreateProps' + - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' + - allOf: + - $ref: '#/components/schemas/Security_Detections_API_QueryRuleCreateProps' + - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' + - allOf: + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleCreateProps' + - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' + - allOf: + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleCreateProps' + - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' + - allOf: + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleCreateProps' + - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' + - allOf: + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleCreateProps' + - $ref: 
'#/components/schemas/Security_Detections_API_RulePreviewParams' + - allOf: + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateProps' + - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' + - allOf: + - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleCreateProps' + - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' + discriminator: + propertyName: type + description: | + Rule create payload (same shape as `POST /api/detection_engine/rules` for a given `type`) plus + `invocationCount` and `timeframeEnd` to control how the preview is executed. Optional + `enable_logged_requests` surfaces Elasticsearch request logging for debugging. + required: true + responses: + '200': + content: + application/json: + examples: + success: + value: + isAborted: false + logs: + - duration: 45 + errors: [] + requests: [] + startedAt: '2025-01-20T10:00:00.000Z' + warnings: [] + previewId: 7f1c9d1e-4c8a-4a3e-9a5d-0d4f6e1b2a90 + schema: + type: object + properties: + isAborted: + type: boolean + logs: + items: + $ref: '#/components/schemas/Security_Detections_API_RulePreviewLogs' + type: array + previewId: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + required: + - logs + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request body].timeframeEnd: expected string, received null' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user 
[elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Preview rule alerts generated on specified time range + tags: + - Security Detections API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/detection_engine/signals/assignees: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/detection_engine/signals/assignees
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Assign users to detection alerts, and unassign them from alerts. + > info + > You cannot add and remove the same assignee in the same request. + operationId: SetAlertAssignees + requestBody: + content: + application/json: + examples: + add: + $ref: '#/components/examples/Security_Detections_API_SetAlertAssigneesBodyAdd' + remove: + $ref: '#/components/examples/Security_Detections_API_SetAlertAssigneesBodyRemove' + schema: + $ref: '#/components/schemas/Security_Detections_API_SetAlertAssigneesBody' + description: User profile IDs to add or remove on each listed alert document ID. + required: true + responses: + '200': + content: + application/json: + examples: + add: + value: + batches: 1 + deleted: 0 + failures: [] + noops: 0 + requests_per_second: -1 + retries: + bulk: 0 + search: 0 + throttled_millis: 0 + throttled_until_millis: 0 + timed_out: false + took: 76 + total: 1 + updated: 1 + version_conflicts: 0 + schema: + additionalProperties: true + description: Elasticsearch update by query response + type: object + description: | + Indicates a successful call. The body matches an Elasticsearch update-by-query response + (for example `took`, `updated`, `failures`). 
+ '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request body].ids: at least one alert id is required to update assignees' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [POST /api/detection_engine/signals/assignees] is unauthorized for the current user, this action is granted by the Kibana Security Solution privileges for cases and detections + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + description: Not enough privileges response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Assign and unassign users from detection alerts + tags: + - Security Detections API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/detection_engine/signals/search: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/detection_engine/signals/search
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Find and/or aggregate detection alerts that match the given query. + operationId: SearchAlerts + requestBody: + content: + application/json: + examples: + query: + value: + aggs: + alertsByGrouping: + terms: + field: host.name + size: 10 + missingFields: + missing: + field: host.name + query: + bool: + filter: + - bool: + filter: + - match_phrase: + kibana.alert.workflow_status: open + must: [] + must_not: + - exists: + field: kibana.alert.building_block_type + should: [] + - range: + '@timestamp': + gte: '2025-01-17T08:00:00.000Z' + lte: '2025-01-18T07:59:59.999Z' + runtime_mappings: {} + size: 0 + schema: + $ref: '#/components/schemas/Security_Detections_API_QueryAlertsBodyParams' + description: Elasticsearch query and aggregation request + description: Search and/or aggregation query + required: true + responses: + '200': + content: + application/json: + examples: + success: + value: + _shards: + failed: 0 + skipped: 0 + successful: 1 + total: 1 + aggregations: + alertsByGrouping: + buckets: + - doc_count: 5 + key: Host-f43kkddfyc + doc_count_error_upper_bound: 0 + sum_other_doc_count: 0 + missingFields: + doc_count: 0 + hits: + hits: [] + max_score: null + total: + relation: eq + value: 5 + timed_out: false + took: 0 + schema: + additionalProperties: true + description: Elasticsearch search response + type: object + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: 'Failed to parse search request: unknown query clause in bool filter' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + 
message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Find and/or aggregate detection alerts + tags: + - Security Detections API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/detection_engine/signals/status: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/detection_engine/signals/status
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Set the status of one or more detection alerts. + operationId: SetAlertsStatus + requestBody: + content: + application/json: + examples: + byId: + value: + signal_ids: + - 80e1383f856e67c1b7f7a1634744fa6d66b6e2ef7aa26d226e57afb5a7b2b4a1 + status: closed + byQuery: + value: + conflicts: proceed + query: + bool: + filter: + - '@timestamp': + format: strict_date_optional_time + gte: '2024-10-23T07:00:00.000Z' + lte: '2025-01-21T20:12:11.704Z' + range: null + - bool: + filter: + bool: + filter: + - match_phrase: + kibana.alert.workflow_status: open + - '@timestamp': + format: strict_date_optional_time + gte: '2024-10-23T07:00:00.000Z' + lte: '2025-01-21T20:12:11.704Z' + range: null + must: [] + must_not: + - exists: + field: kibana.alert.building_block_type + should: [] + must: [] + must_not: [] + should: [] + status: closed + schema: + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_SetAlertsStatusByIds' + - $ref: '#/components/schemas/Security_Detections_API_SetAlertsStatusByQuery' + description: An object containing desired status and explicit alert ids or a query to select alerts + required: true + responses: + '200': + content: + application/json: + examples: + byId: + value: + batches: 1 + deleted: 0 + failures: [] + noops: 0 + requests_per_second: -1 + retries: + bulk: 0 + search: 0 + throttled_millis: 0 + throttled_until_millis: 0 + timed_out: false + took: 81 + total: 1 + updated: 1 + version_conflicts: 0 + byQuery: + value: + batches: 1 + deleted: 0 + failures: [] + noops: 0 + requests_per_second: -1 + retries: + bulk: 0 + search: 0 + throttled_millis: 0 + throttled_until_millis: 0 + timed_out: false + took: 100 + total: 17 + updated: 17 + version_conflicts: 0 + schema: + additionalProperties: true + description: Elasticsearch update by query response + type: object + description: Successful response + '400': + content: + application/json: + 
examples: + badRequest: + value: + error: Bad Request + message: '[request body].signal_ids: at least one alert id is required to update status' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Set a detection alert status + tags: + - Security Detections API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/detection_engine/signals/tags: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/detection_engine/signals/tags
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Add tags to detection alerts, and remove them from alerts, by alert IDs or a query, in a single request. + > info + > You cannot add and remove the same alert tag in the same request. + operationId: SetAlertTags + requestBody: + content: + application/json: + examples: + add: + $ref: '#/components/examples/Security_Detections_API_SetAlertTagsBodyAdd' + remove: + $ref: '#/components/examples/Security_Detections_API_SetAlertTagsBodyRemove' + schema: + $ref: '#/components/schemas/Security_Detections_API_SetAlertTagsBody' + description: An object containing tags to add or remove and alert ids the changes will be applied + required: true + responses: + '200': + content: + application/json: + examples: + success: + value: + batches: 1, + deleted: 0, + failures: [] + noops: 0, + requests_per_second: '-1,' + retries: + bulk: 0, + search: 0 + throttled_millis: 0, + throttled_until_millis: 0, + timed_out: false, + took: 68, + total: 1, + updated: 1, + version_conflicts: 0, + schema: + additionalProperties: true + description: Elasticsearch update by query response + type: object + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request body].tags: cannot add and remove the same tag in a single request' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 
401 + schema: + $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Add and remove detection alert tags + tags: + - Security Detections API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/detection_engine/tags: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/detection_engine/tags
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all unique tags from all detection rules. + operationId: ReadTags + responses: + '200': + content: + application/json: + examples: + example1: + value: + - zeek + - suricata + - windows + - linux + - network + - initial access + - remote access + - phishing + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + description: Indicates a successful call + summary: List all detection rule tags + tags: + - Security Detections API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint_list: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint_list
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create the exception list for Elastic Endpoint rule exceptions. When you create the exception list, it will have a `list_id` of `endpoint_list`. If the Elastic Endpoint exception list already exists, your request will return an empty response. + operationId: CreateEndpointList + responses: + '200': + content: + application/json: + examples: + alreadyExists: + summary: Endpoint exception list already exists (empty response) + value: {} + newList: + summary: Endpoint exception list created + value: + created_at: '2025-01-01T00:00:00.000Z' + created_by: elastic + description: Endpoint Security Exception List + id: 2e23a8c4-ef7e-4c10-adfa-3eae4e4b4b8b + immutable: false + list_id: endpoint_list + name: Endpoint Security Exception List + namespace_type: agnostic + os_types: [] + tags: [] + tie_breaker_id: e3c5a8e0-5b6a-4b4b-8b3a-2e23a8c4ef7e + type: endpoint + updated_at: '2025-01-01T00:00:00.000Z' + updated_by: elastic + version: 1 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_EndpointList' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request body]: expected value of type [object] but got [undefined]' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Invalid input data + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: 
'#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [POST /api/endpoint_list] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + description: Insufficient privileges + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Internal server error + summary: Create an Elastic Endpoint rule exception list + tags: + - Security Endpoint Exceptions API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint_list/items: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/endpoint_list/items
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete an Elastic Endpoint exception list item, specified by the `id` or `item_id` field. + operationId: DeleteEndpointListItem + parameters: + - description: Either `id` or `item_id` must be specified + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId' + - description: Either `id` or `item_id` must be specified + in: query + name: item_id + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId' + responses: + '200': + content: + application/json: + examples: + deleted: + summary: Deleted endpoint exception list item + value: + comments: [] + created_at: '2025-01-01T12:00:00.000Z' + created_by: elastic + description: Blocks a known malicious file by its hash + entries: + - field: file.hash.sha256 + operator: included + type: match + value: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e + item_id: block-malicious-file + list_id: endpoint_list + name: Block malicious file + namespace_type: agnostic + os_types: + - windows + tags: [] + tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 + type: simple + updated_at: '2025-01-01T12:00:00.000Z' + updated_by: elastic + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItem' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: Either "item_id" or "id" needs to be defined in the request + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Invalid input data + '401': + content: + application/json: + examples: + unauthorized: + 
value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [DELETE /api/endpoint_list/items?item_id=block-malicious-file] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + description: Insufficient privileges + '404': + content: + application/json: + examples: + notFound: + value: + message: 'exception list item item_id: "block-malicious-file" does not exist' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Endpoint list item not found + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Internal server error + summary: Delete an Elastic Endpoint exception list item + tags: + - Security Endpoint Exceptions API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint_list/items
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the details of an Elastic Endpoint exception list item, specified by the `id` or `item_id` field. + operationId: ReadEndpointListItem + parameters: + - description: Either `id` or `item_id` must be specified + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId' + - description: Either `id` or `item_id` must be specified + in: query + name: item_id + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId' + responses: + '200': + content: + application/json: + examples: + item: + summary: Endpoint exception list item + value: + comments: [] + created_at: '2025-01-01T12:00:00.000Z' + created_by: elastic + description: Blocks a known malicious file by its hash + entries: + - field: file.hash.sha256 + operator: included + type: match + value: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e + item_id: block-malicious-file + list_id: endpoint_list + name: Block malicious file + namespace_type: agnostic + os_types: + - windows + tags: + - policy:all + tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 + type: simple + updated_at: '2025-01-01T12:00:00.000Z' + updated_by: elastic + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItem' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: id or item_id required + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Invalid input data + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + 
message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [GET /api/endpoint_list/items?item_id=block-malicious-file] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + description: Insufficient privileges + '404': + content: + application/json: + examples: + notFound: + value: + message: 'exception list item item_id: "block-malicious-file" does not exist' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Endpoint list item not found + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Internal server error + summary: Get an Elastic Endpoint rule exception list item + tags: + - Security Endpoint Exceptions API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint_list/items
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create an Elastic Endpoint exception list item, and associate it with the Elastic Endpoint exception list. + operationId: CreateEndpointListItem + requestBody: + content: + application/json: + examples: + matchAny: + summary: Exclude multiple process names + value: + description: Exclude common security tools from endpoint protection + entries: + - field: process.name + operator: included + type: match_any + value: + - scanner.exe + - updater.exe + name: Trusted security tools + os_types: + - windows + type: simple + simpleMatch: + summary: Block a specific file hash + value: + description: Blocks a known malicious file by its hash + entries: + - field: file.hash.sha256 + operator: included + type: match + value: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + name: Block malicious file + os_types: + - windows + tags: + - policy:all + type: simple + schema: + type: object + properties: + comments: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray' + default: [] + description: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription' + entries: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray' + item_id: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId' + meta: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta' + name: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName' + os_types: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray' + default: [] + tags: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags' + default: [] + type: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType' + required: + - type + - name + - 
description + - entries + description: Exception list item's properties + required: true + responses: + '200': + content: + application/json: + examples: + created: + summary: Endpoint exception list item created + value: + comments: [] + created_at: '2025-01-01T12:00:00.000Z' + created_by: elastic + description: Blocks a known malicious file by its hash + entries: + - field: file.hash.sha256 + operator: included + type: match + value: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e + item_id: block-malicious-file + list_id: endpoint_list + name: Block malicious file + namespace_type: agnostic + os_types: + - windows + tags: + - policy:all + tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 + type: simple + updated_at: '2025-01-01T12:00:00.000Z' + updated_by: elastic + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItem' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request body]: name: Required' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Invalid input data + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [POST /api/endpoint_list/items] is 
unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + description: Insufficient privileges + '409': + content: + application/json: + examples: + alreadyExists: + value: + message: 'exception list item id: "block-malicious-file" already exists' + status_code: 409 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Endpoint list item already exists + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Internal server error + summary: Create an Elastic Endpoint rule exception list item + tags: + - Security Endpoint Exceptions API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/endpoint_list/items
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an Elastic Endpoint exception list item, specified by the `id` or `item_id` field. + operationId: UpdateEndpointListItem + requestBody: + content: + application/json: + examples: + updateName: + summary: Update an endpoint exception list item + value: + description: Updated description for the exception + entries: + - field: file.hash.sha256 + operator: included + type: match + value: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + item_id: block-malicious-file + name: Block malicious file (updated) + os_types: + - windows + - linux + type: simple + schema: + type: object + properties: + _version: + description: The version id, normally returned by the API when the item is retrieved. Use it ensure updates are made against the latest version. + type: string + comments: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray' + default: [] + description: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription' + entries: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray' + id: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId' + description: Either `id` or `item_id` must be specified + item_id: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId' + description: Either `id` or `item_id` must be specified + meta: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta' + name: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName' + os_types: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray' + default: [] + tags: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags' + type: + $ref: 
'#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType' + required: + - type + - name + - description + - entries + description: Exception list item's properties + required: true + responses: + '200': + content: + application/json: + examples: + updated: + summary: Endpoint exception list item updated + value: + comments: [] + created_at: '2025-01-01T12:00:00.000Z' + created_by: elastic + description: Updated description for the exception + entries: + - field: file.hash.sha256 + operator: included + type: match + value: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e + item_id: block-malicious-file + list_id: endpoint_list + name: Block malicious file (updated) + namespace_type: agnostic + os_types: + - windows + - linux + tags: + - policy:all + tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 + type: simple + updated_at: '2025-01-15T09:30:00.000Z' + updated_by: elastic + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItem' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request body]: name: Required' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Invalid input data + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication + '403': + content: + 
application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [PUT /api/endpoint_list/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + description: Insufficient privileges + '404': + content: + application/json: + examples: + notFound: + value: + message: 'list item item_id: "block-malicious-file" not found' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Endpoint list item not found + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Internal server error + summary: Update an Elastic Endpoint rule exception list item + tags: + - Security Endpoint Exceptions API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint_list/items/_find: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint_list/items/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all Elastic Endpoint exception list items. + operationId: FindEndpointListItems + parameters: + - description: | + Filters the returned results according to the value of the specified field, + using the `:` syntax. + in: query + name: filter + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' + - description: The page number to return + in: query + name: page + required: false + schema: + minimum: 0 + type: integer + - description: The number of exception list items to return per page + in: query + name: per_page + required: false + schema: + minimum: 0 + type: integer + - description: Determines which field is used to sort the results + in: query + name: sort_field + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' + - description: Determines the sort order, which can be `desc` or `asc` + in: query + name: sort_order + required: false + schema: + enum: + - desc + - asc + type: string + responses: + '200': + content: + application/json: + examples: + foundItems: + summary: Found endpoint exception list items + value: + data: + - comments: [] + created_at: '2025-01-01T12:00:00.000Z' + created_by: elastic + description: Blocks a known malicious file by its hash + entries: + - field: file.hash.sha256 + operator: included + type: match + value: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e + item_id: block-malicious-file + list_id: endpoint_list + name: Block malicious file + namespace_type: agnostic + os_types: + - windows + tags: + - policy:all + tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 + type: simple + updated_at: '2025-01-01T12:00:00.000Z' + updated_by: elastic + page: 1 + per_page: 20 + total: 1 + schema: + type: object + properties: + data: + description: The list 
of endpoint exception list items. + items: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItem' + type: array + page: + description: The current page number. + minimum: 0 + type: integer + per_page: + description: The number of items per page. + minimum: 0 + type: integer + pit: + description: The point-in-time ID for pagination. + type: string + total: + description: The total number of endpoint exception list items. + minimum: 0 + type: integer + required: + - data + - page + - per_page + - total + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request query]: page: Expected number, received string' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Invalid input data + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [GET /api/endpoint_list/items/_find] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + description: Insufficient privileges + '404': + content: + application/json: + examples: + notFound: + value: + message: 'list id: "endpoint_list" does not exist' + status_code: 
404 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Endpoint list not found + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Internal server error + summary: Get Elastic Endpoint exception list items + tags: + - Security Endpoint Exceptions API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint/action: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint/action
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all response actions. + operationId: EndpointGetActionsList + parameters: + - description: The page number to return. + in: query + name: page + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Page' + - description: The number of response actions to return per page. + in: query + name: pageSize + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_PageSize' + - description: A list of response action command names to filter by. + in: query + name: commands + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Commands' + - description: A list of Elastic Agent IDs to filter the response actions by. + in: query + name: agentIds + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentIds' + - description: A list of user IDs that submitted the response actions. + in: query + name: userIds + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_UserIds' + - description: A start date in ISO 8601 format or Date Math format (for example, `now-24h`). + in: query + name: startDate + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_StartDate' + - description: An end date in ISO 8601 format or Date Math format (for example, `now`). + in: query + name: endDate + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndDate' + - description: The agent type to filter response actions by. Defaults to `endpoint`. + in: query + name: agentTypes + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' + - description: A list of response action IDs whose outputs should be included in the response. 
+ in: query + name: withOutputs + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_WithOutputs' + - description: A list of response action types to filter by (`automated`, `manual`). + in: query + name: types + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Types' + responses: + '200': + content: + application/json: + examples: + actionsList: + summary: A list of response actions + value: + data: + - agents: + - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 + agentType: endpoint + command: running-processes + completedAt: '2022-08-08T09:50:47.672Z' + createdBy: elastic + id: b3d6de74-36b0-4fa8-be46-c375bf1771bf + isCompleted: true + isExpired: false + startedAt: '2022-08-08T15:24:57.402Z' + wasSuccessful: true + - agents: + - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 + agentType: endpoint + command: isolate + completedAt: '2022-08-08T10:41:57.352Z' + createdBy: elastic + id: 43b4098b-8752-4fbb-a7a7-6df7c74d0ee3 + isCompleted: true + isExpired: false + startedAt: '2022-08-08T15:23:37.359Z' + wasSuccessful: true + elasticAgentIds: + - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 + endDate: now + page: 1 + pageSize: 10 + startDate: now-24h/h + total: 2 + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_GetEndpointActionListResponse' + description: Indicates a successful call. + summary: Get response actions + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint/action_status: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint/action_status
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the status of response actions for the specified agent IDs. + operationId: EndpointGetActionsStatus + parameters: + - description: A list of agent IDs to get the action status for. + in: query + name: agent_ids + required: true + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentIds' + responses: + '200': + content: + application/json: + examples: + actionStatus: + summary: Pending response actions per agent + value: + data: + - agent_id: afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 + pending_actions: + execute: 0 + get-file: 0 + isolate: 0 + kill-process: 1 + running-processes: 0 + scan: 0 + unisolate: 0 + upload: 0 + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ActionStatusSuccessResponse' + description: Indicates a successful call. + summary: Get response actions status + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint/action/{action_id}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint/action/{action_id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the details of a response action using the action ID. + operationId: EndpointGetActionsDetails + parameters: + - description: The ID of the response action to retrieve. + in: path + name: action_id + required: true + schema: + example: fr518850-681a-4y60-aa98-e22640cae2b8 + type: string + responses: + '200': + content: + application/json: + examples: + actionDetails: + summary: Details of an isolate response action + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentType: endpoint + command: isolate + completedAt: '2022-08-08T10:41:57.352Z' + createdBy: elastic + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: true + isExpired: false + startedAt: '2022-08-08T15:23:37.359Z' + wasSuccessful: true + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ActionDetailsResponse' + description: OK + summary: Get action details + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint/action/{action_id}/file/{file_id}: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint/action/{action_id}/file/{file_id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get information for the specified response action file download. + operationId: EndpointFileInfo + parameters: + - description: The ID of the response action that generated the file. + in: path + name: action_id + required: true + schema: + type: string + - description: | + The file identifier is constructed in one of two ways: + - For Elastic Defend agents (`agentType` of `endpoint`): combine the `action_id` and `agent_id` values using a dot (`.`) separator: + `{file_id}` = `{action_id}.{agent_id}` + - For all other agent types: the `file_id` is the `agent_id` for which the response action was sent to. + in: path + name: file_id + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + fileInfo: + summary: File information for a response action upload + value: + data: + actionId: 233db9ea-6733-4849-9226-5a7039c7161d + agentId: ed518850-681a-4d60-bb98-e22640cae2a8 + agentType: endpoint + created: '2025-02-26T13:37:30.452Z' + id: 233db9ea-6733-4849-9226-5a7039c7161d.ed518850-681a-4d60-bb98-e22640cae2a8 + mimeType: application/zip + name: memory_dump.zip + size: 1048576 + status: READY + schema: + properties: + data: + type: object + properties: + actionId: + description: The response action ID. + type: string + agentId: + description: The agent ID that generated the file. + type: string + agentType: + description: The type of agent that generated the file. + type: string + created: + description: The date and time the file was created. + format: date-time + type: string + id: + description: The unique file identifier. + type: string + mimeType: + description: The MIME type of the file. + type: string + name: + description: The file name. + type: string + size: + description: The file size in bytes. + type: number + status: + description: The file upload status. 
+ enum: + - AWAITING_UPLOAD + - UPLOADING + - READY + - UPLOAD_ERROR + - DELETED + type: string + description: Indicates a successful call. + summary: Get file information + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint/action/{action_id}/file/{file_id}/download: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint/action/{action_id}/file/{file_id}/download
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Download a file associated with a response action. Files are downloaded in a password-protected `.zip` archive to prevent the file from running. Use password `elastic` to open the `.zip` in a safe environment. + > info + > Files retrieved from third-party-protected hosts require a different password. Refer to [Third-party response actions](https://www.elastic.co/docs/solutions/security/endpoint-response-actions/third-party-response-actions) for your system's password. + operationId: EndpointFileDownload + parameters: + - description: The ID of the response action that generated the file. + in: path + name: action_id + required: true + schema: + type: string + - description: | + The file identifier is constructed in one of two ways: + - For Elastic Defend agents (`agentType` of `endpoint`): combine the `action_id` and `agent_id` values using a dot (`.`) separator: + `{file_id}` = `{action_id}.{agent_id}` + - For all other agent types: the `file_id` is the `agent_id` for which the response action was sent to. + in: path + name: file_id + required: true + schema: + type: string + responses: + '200': + content: + application/octet-stream: + examples: + fileDownload: + summary: Password-protected ZIP archive containing the response action file + value: binary file content (password-protected .zip) + schema: + format: binary + type: string + description: Indicates a successful call. + summary: Download a file + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint/action/cancel: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/action/cancel
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Cancel a running or pending response action (Applies only to some agent types). + operationId: CancelAction + requestBody: + content: + application/json: + examples: + MicrosoftDefenderEndpoint: + summary: Cancel a response action on a Microsoft Defender for Endpoint host + value: + agent_type: microsoft_defender_endpoint + comment: Cancelling action due to change in requirements + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + id: 7f8c9b2a-4d3e-4f5a-8b1c-2e3f4a5b6c7d + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_CancelRouteRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + CancelSuccess: + summary: Cancel action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: microsoft_defender_endpoint + command: cancel + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: false + isExpired: false + outputs: {} + parameters: + id: 7f8c9b2a-4d3e-4f5a-8b1c-2e3f4a5b6c7d + startedAt: '2022-07-29T19:08:49.126Z' + status: pending + wasSuccessful: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' + description: Indicates a successful call. + summary: Cancel a response action + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint/action/execute: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/action/execute
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Run a shell command on an endpoint. + operationId: EndpointExecuteAction + requestBody: + content: + application/json: + examples: + executeCommand: + summary: Execute a shell command on an endpoint + value: + comment: Get list of all files + endpoint_ids: + - b3d6de74-36b0-4fa8-be46-c375bf1771bf + parameters: + command: ls -al + timeout: 600 + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ExecuteRouteRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + ExecuteSuccess: + summary: Execute action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: execute + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 9f934028-2300-4927-b531-b26376793dc4 + isCompleted: false + isExpired: false + outputs: {} + parameters: + command: ls -al + timeout: 600 + startedAt: '2023-07-28T18:43:27.362Z' + status: pending + wasSuccessful: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' + description: Indicates a successful call. + summary: Run a command + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint/action/get_file: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/action/get_file
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a file from an endpoint. + operationId: EndpointGetFileAction + requestBody: + content: + application/json: + examples: + getFile: + summary: Get a specific file from an endpoint + value: + comment: Get my file + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + path: /usr/my-file.txt + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_GetFileRouteRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + GetFileSuccess: + summary: Get file action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: get-file + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 27ba1b42-7cc6-4e53-86ce-675c876092b2 + isCompleted: false + isExpired: false + outputs: {} + parameters: + path: /usr/my-file.txt + startedAt: '2023-07-28T19:00:03.911Z' + status: pending + wasSuccessful: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' + description: Indicates a successful call. + summary: Get a file + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint/action/isolate: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/action/isolate
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Isolate an endpoint from the network. The endpoint remains isolated until it's released. + operationId: EndpointIsolateAction + requestBody: + content: + application/json: + examples: + multiple_endpoints: + summary: Isolates several hosts; includes a comment + value: + comment: Locked down, pending further investigation + endpoint_ids: + - 9972d10e-4b9e-41aa-a534-a85e2a28ea42 + - bc0e4f0c-3bca-4633-9fee-156c0b505d16 + - fa89271b-b9d4-43f2-a684-307cffddeb5a + single_endpoint: + summary: Isolates a single host with an endpoint_id value of ed518850-681a-4d60-bb98-e22640cae2a8 + value: + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + with_case_id: + summary: Isolates a single host with a case_id value of 1234 + value: + case_ids: + - 4976be38-c134-4554-bd5e-0fd89ce63667 + comment: Isolating as initial response + endpoint_ids: + - 1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0 + - b30a11bf-1395-4707-b508-fbb45ef9793e + schema: + type: object + properties: + agent_type: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' + alert_ids: + description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. + example: + - alert-id-1 + - alert-id-2 + items: + minLength: 1 + type: string + maxItems: 50 + minItems: 1 + type: array + case_ids: + description: The IDs of cases where the action taken will be logged. Max of 50. 
+ example: + - case-id-1 + - case-id-2 + items: + minLength: 1 + type: string + maxItems: 50 + minItems: 1 + type: array + comment: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' + endpoint_ids: + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' + parameters: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' + required: + - endpoint_ids + required: true + responses: + '200': + content: + application/json: + examples: + IsolateSuccess: + summary: Isolate action successfully created + value: + action: 233db9ea-6733-4849-9226-5a7039c7161d + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: isolate + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: false + isExpired: false + outputs: {} + startedAt: '2022-07-29T19:08:49.126Z' + status: pending + wasSuccessful: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_IsolateRouteResponse' + description: Indicates a successful call. + summary: Isolate an endpoint + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint/action/kill_process: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/action/kill_process
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Terminate a running process on an endpoint. + operationId: EndpointKillProcessAction + requestBody: + content: + application/json: + examples: + byEntityId: + summary: Terminate a process by entity ID + value: + comment: Terminating malicious process + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + entity_id: abc123 + byPid: + summary: Terminate a process by PID + value: + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + pid: 1234 + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_KillProcessRouteRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + KillProcessSuccess: + summary: Kill process action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: kill-process + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: false + isExpired: false + outputs: {} + parameters: + entity_id: abc123 + startedAt: '2022-07-29T19:08:49.126Z' + status: pending + wasSuccessful: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' + description: Indicates a successful call. + summary: Terminate a process + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint/action/memory_dump: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/action/memory_dump
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Generates memory dumps on the targeted host. + operationId: EndpointGenerateMemoryDump + requestBody: + content: + application/json: + examples: + ProcessMemoryDump: + summary: Generate a memory dump from the host machine + value: + agent_type: endpoint + comment: Generating memory dump for investigation + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + entity_id: abc123 + type: process + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_MemoryDumpRouteRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + MemoryDumpSuccessResponse: + summary: Memory dump action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: memory-dump + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: false + isExpired: false + outputs: {} + parameters: + entity_id: abc123 + type: process + startedAt: '2022-07-29T19:08:49.126Z' + status: pending + wasSuccessful: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' + description: Indicates a successful call. + summary: Generate a memory dump from the host machine + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint/action/running_procs: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/action/running_procs
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all processes running on an endpoint. + operationId: EndpointGetProcessesAction + requestBody: + content: + application/json: + examples: + singleEndpoint: + summary: Get running processes on a single endpoint + value: + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_GetProcessesRouteRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + RunningProcsSuccess: + summary: Running processes action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: running-processes + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: false + isExpired: false + outputs: {} + startedAt: '2022-07-29T19:08:49.126Z' + status: pending + wasSuccessful: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' + description: Indicates a successful call. + summary: Get running processes + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint/action/runscript: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/action/runscript
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Run a script on a host. Currently supported only for some agent types. + operationId: RunScriptAction + requestBody: + content: + application/json: + examples: + Elastic Defend: + description: Endpoint runscript to collect logs + summary: Run a script against an Elastic Defend agent + value: + agent_type: endpoint + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + scriptId: 1111-2222-3333-4444-5555-6666-7777-8888 + scriptInput: '--path= /usr/log/exec.log' + MDE: + description: Microsoft Defender Endpoint runscript + summary: Run a script against a Microsoft Defender Endpoint agent + value: + agent_type: microsoft_defender_endpoint + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + args: '-param1 value1 -param2 value2' + scriptName: my-script.ps1 + SentinelOne: + description: SentinelOne runscript + summary: Run a script against a SentinelOne agent + value: + agent_type: sentinel_one + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + scriptId: 1111-2222-3333-4444-5555-6666-7777-8888 + scriptInput: '--delete --paths-to-delete /tmp/temp_file.txt,/tmp/random_file.txt' + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_RunScriptRouteRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + RunScriptSuccess: + summary: Run script action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: sentinel_one + command: runscript + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: false + isExpired: false + outputs: {} + parameters: + scriptId: 1111-2222-3333-4444-5555-6666-7777-8888 + startedAt: 
'2022-07-29T19:08:49.126Z' + status: pending + wasSuccessful: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' + description: Indicates a successful call. + summary: Run a script + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint/action/scan: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/action/scan
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Scan a specific file or directory on an endpoint for malware. + operationId: EndpointScanAction + requestBody: + content: + application/json: + examples: + scanFile: + summary: Scan a file on an endpoint + value: + comment: Scan the file for malware + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + path: /usr/my-file.txt + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ScanRouteRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + ScanSuccess: + summary: Scan action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: scan + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 27ba1b42-7cc6-4e53-86ce-675c876092b2 + isCompleted: false + isExpired: false + outputs: {} + parameters: + path: /usr/my-file.txt + startedAt: '2023-07-28T19:00:03.911Z' + status: pending + wasSuccessful: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' + description: Indicates a successful call. + summary: Scan a file or directory + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint/action/state: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint/action/state
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a response actions state, which reports whether encryption is enabled. + operationId: EndpointGetActionsState + responses: + '200': + content: + application/json: + examples: + actionsState: + summary: Response actions state with encryption enabled + value: + data: + canEncrypt: true + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ActionStateSuccessResponse' + description: OK + summary: Get actions state + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint/action/suspend_process: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/action/suspend_process
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Suspend a running process on an endpoint. + operationId: EndpointSuspendProcessAction + requestBody: + content: + application/json: + examples: + byEntityId: + summary: Suspend a process by entity ID + value: + comment: Suspending suspicious process + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + entity_id: abc123 + byPid: + summary: Suspend a process by PID + value: + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + pid: 1234 + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_SuspendProcessRouteRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + SuspendProcessSuccess: + summary: Suspend process action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: suspend-process + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: false + isExpired: false + outputs: {} + parameters: + entity_id: abc123 + startedAt: '2022-07-29T19:08:49.126Z' + status: pending + wasSuccessful: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' + description: Indicates a successful call. + summary: Suspend a process + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint/action/unisolate: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/action/unisolate
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Release an isolated endpoint, allowing it to rejoin a network. + operationId: EndpointUnisolateAction + requestBody: + content: + application/json: + examples: + multipleHosts: + summary: 'Releases several hosts; includes a comment:' + value: + comment: Benign process identified, releasing group + endpoint_ids: + - 9972d10e-4b9e-41aa-a534-a85e2a28ea42 + - bc0e4f0c-3bca-4633-9fee-156c0b505d16 + - fa89271b-b9d4-43f2-a684-307cffddeb5a + singleHost: + summary: Releases a single host with an endpoint_id value of ed518850-681a-4d60-bb98-e22640cae2a8 + value: + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + withCaseId: + summary: Releases hosts with an associated case; includes a comment. + value: + case_ids: + - 4976be38-c134-4554-bd5e-0fd89ce63667 + comment: Remediation complete, restoring network + endpoint_ids: + - 1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0 + - b30a11bf-1395-4707-b508-fbb45ef9793e + schema: + type: object + properties: + agent_type: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' + alert_ids: + description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. + example: + - alert-id-1 + - alert-id-2 + items: + minLength: 1 + type: string + maxItems: 50 + minItems: 1 + type: array + case_ids: + description: The IDs of cases where the action taken will be logged. Max of 50. 
+ example: + - case-id-1 + - case-id-2 + items: + minLength: 1 + type: string + maxItems: 50 + minItems: 1 + type: array + comment: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' + endpoint_ids: + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' + parameters: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' + required: + - endpoint_ids + required: true + responses: + '200': + content: + application/json: + examples: + UnisolateSuccess: + summary: Unisolate action successfully created + value: + action: 233db9ea-6733-4849-9226-5a7039c7161d + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: unisolate + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: false + isExpired: false + outputs: {} + startedAt: '2022-07-29T19:08:49.126Z' + status: pending + wasSuccessful: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_UnisolateRouteResponse' + description: Indicates a successful call. + summary: Release an isolated endpoint + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint/action/upload: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/action/upload
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Upload a file to an endpoint. + operationId: EndpointUploadAction + requestBody: + content: + multipart/form-data: + examples: + uploadFile: + summary: Upload a script file to a specific endpoint + value: + comment: Pushing remediation script to host + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + file: RWxhc3RpYw== + parameters: + overwrite: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_UploadRouteRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + UploadSuccess: + summary: Upload action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: upload + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: Host-5i6cuc8kdv + id: 9ff6aebc-2cb6-481e-8869-9b30036c9731 + isCompleted: false + isExpired: false + outputs: {} + parameters: + file_id: 10e4ce3d-4abb-4f93-a0cd-eaf63a489280 + file_name: fix-malware.sh + file_sha256: a0bed94220193ba4895c0aa5b4e7e293381d15765cb164ddf7be5cdd010ae42a + file_size: 69 + startedAt: '2023-07-03T15:07:22.837Z' + status: pending + wasSuccessful: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' + description: Indicates a successful call. + summary: Upload a file + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint/metadata: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint/metadata
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all endpoint host metadata. + operationId: GetEndpointMetadataList + parameters: + - description: The page number to return. + in: query + name: page + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Page' + - description: The number of endpoints to return per page. + in: query + name: pageSize + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_PageSize' + - description: A KQL string to filter the endpoint metadata results. + in: query + name: kuery + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Kuery' + - description: A set of host statuses to filter the results by (for example, `healthy`, `updating`). + in: query + name: hostStatuses + required: true + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_HostStatuses' + - description: The field used to sort the results. + in: query + name: sortField + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_SortField' + - description: The sort order, either `asc` or `desc`. 
+ in: query + name: sortDirection + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_SortDirection' + responses: + '200': + content: + application/json: + examples: + metadataList: + summary: A list of endpoint host metadata + value: + data: + - host_status: healthy + last_checkin: '2023-07-04T15:47:57.432Z' + metadata: + agent: + id: 285297c6-3bff-4b83-9a07-f3e749801123 + type: endpoint + version: 8.10.0 + Endpoint: + policy: + applied: + id: d5371dcd-93b7-4627-af88-4084f7d6aa3e + name: test + status: success + status: enrolled + host: + hostname: WinDev2104Eval + os: + name: Windows + platform: windows + version: 20H2 + page: 0 + pageSize: 10 + sortDirection: desc + sortField: enrolled_at + total: 1 + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_MetadataListResponse' + description: Indicates a successful call. + summary: Get a metadata list + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint/metadata/{id}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint/metadata/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get host metadata for a specific endpoint. + operationId: GetEndpointMetadata + parameters: + - description: The agent ID of the endpoint. + in: path + name: id + required: true + schema: + example: ed518850-681a-4d60-bb98-e22640cae2a8 + type: string + responses: + '200': + content: + application/json: + examples: + endpointMetadata: + summary: Host metadata for a specific endpoint + value: + host_status: healthy + last_checkin: '2023-07-04T15:48:57.360Z' + metadata: + agent: + id: abb8a826-6812-448c-a571-6d8269b51449 + type: endpoint + version: 8.10.0 + Endpoint: + policy: + applied: + id: d5371dcd-93b7-4627-af88-4084f7d6aa3e + name: test + status: success + status: enrolled + host: + hostname: WinDev2104Eval + os: + name: Windows + platform: windows + version: 20H2 + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointMetadataResponse' + description: Indicates a successful call. + summary: Get metadata + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint/policy_response: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint/policy_response
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the most recent policy response for an endpoint. + operationId: GetPolicyResponse + parameters: + - description: The agent ID to retrieve the policy response for. + in: query + name: agentId + required: true + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentId' + responses: + '200': + content: + application/json: + examples: + policyResponse: + summary: The most recent policy response for an endpoint + value: + policy_response: + '@timestamp': '2023-07-04T15:48:57.360Z' + agent: + id: ed518850-681a-4d60-bb98-e22640cae2a8 + version: 7.16.0 + Endpoint: + policy: + applied: + endpoint_policy_version: '2' + id: d5371dcd-93b7-4627-af88-4084f7d6aa3e + name: My endpoint policy + status: success + version: '3' + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse' + description: Indicates a successful call. + summary: Get a policy response + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint/protection_updates_note/{package_policy_id}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint/protection_updates_note/{package_policy_id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the protection updates note for a package policy. + operationId: GetProtectionUpdatesNote + parameters: + - description: The package policy ID to retrieve the protection updates note for. + in: path + name: package_policy_id + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + protectionUpdatesNote: + summary: The protection updates note for a package policy + value: + note: Pinned protection updates to 2025-01-01 while validating new signatures. + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse' + description: Indicates a successful call. + summary: Get a protection updates note + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/protection_updates_note/{package_policy_id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create or update the protection updates note for a package policy. + operationId: CreateUpdateProtectionUpdatesNote + parameters: + - description: The package policy ID to create or update the protection updates note for. + in: path + name: package_policy_id + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + setNote: + summary: Set a new protection updates note + value: + note: Pinned protection updates to 2025-01-01 while validating new signatures. + schema: + type: object + properties: + note: + description: The note content. + type: string + required: true + responses: + '200': + content: + application/json: + examples: + noteSaved: + summary: Protection updates note saved + value: + note: Pinned protection updates to 2025-01-01 while validating new signatures. + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse' + description: Indicates a successful call. + summary: Create or update a protection updates note + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint/scripts_library: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint/scripts_library
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve a list of scripts + operationId: EndpointScriptLibraryListScripts + parameters: + - description: Page number of the results to return. Defaults to 1. + in: query + name: page + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Page' + - description: Number of results to return per page. Defaults to 10. Max value is 1000. + in: query + name: pageSize + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ApiPageSize' + - description: The field to sort the results by. Defaults to name. + in: query + name: sortField + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ApiSortField' + - description: The direction to sort the results by. Defaults to asc (ascending). + in: query + name: sortDirection + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_SortDirection' + - description: | + A KQL query string to filter the list of scripts. Nearly all fields in the script object are searchable. 
+ in: query + name: kuery + required: false + schema: + allOf: + - $ref: '#/components/schemas/Security_Endpoint_Management_API_Kuery' + - example: platform:windows + responses: + '200': + content: + application/json: + examples: + response: + summary: List of scripts response example + value: + data: [] + page: 1 + pageSize: 10 + sortDirection: asc + sortField: name + total: 100 + schema: + type: object + properties: + data: + items: + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointScript' + type: array + page: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Page' + pageSize: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ApiPageSize' + sortDirection: + $ref: '#/components/schemas/Security_Endpoint_Management_API_SortDirection' + sortField: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ApiSortField' + total: + description: The total number of scripts matching the query + type: integer + description: List of scripts response + summary: Get a list of scripts + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/scripts_library
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new script entry by uploading a script file + operationId: EndpointScriptLibraryCreateScript + requestBody: + content: + multipart/form-data: + examples: + CreateArchiveScriptEntry: + summary: Create an archive script entry + value: + description: Collects host data for investigation + example: ./collect_host_data.sh --help + file: ./collect_host_data.zip + fileType: archive + instructions: Collects host data for investigation + name: Collect host data + pathToExecutable: ./bin/collect_host_data.sh + platform: + - linux + - macos + requiresInput: false + CreateScriptEntry: + summary: Create a script entry + value: + description: Collects host data for investigation + example: ./collect_host_data.sh --help + file: ./collect_host_data.sh + fileType: script + instructions: Collects host data for investigation + name: Collect host data + platform: + - linux + - macos + requiresInput: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_CreateScriptRouteRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + CreateScriptEntrySuccess: + summary: Create a script entry + value: + data: + description: Collects host data for investigation + file: ./collect_host_data.sh + fileType: script + id: 1234567890 + instructions: No arguments required + name: Collect host data + platform: + - linux + - macos + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ScriptsApiResponse' + description: Action request was successfully created + summary: Create script + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint/scripts_library/{script_id}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/endpoint/scripts_library/{script_id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a script + operationId: EndpointScriptLibraryDeleteScript + parameters: + - description: The ID of the script entry to be deleted. + example: fr518850-681a-4y60-aa98-e22640cae2b8 + in: path + name: script_id + required: true + schema: + description: The ID of the script entry to be deleted. + example: fr518850-681a-4y60-aa98-e22640cae2b8 + type: string + responses: + '200': + content: + application/json: + examples: + response: + summary: Delete script response example. + value: {} + schema: + type: object + description: Delete script response. + summary: Delete a script + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint/scripts_library/{script_id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a script + operationId: EndpointScriptLibraryGetOneScript + parameters: + - description: The ID of the script entry. + example: fr518850-681a-4y60-aa98-e22640cae2b8 + in: path + name: script_id + required: true + schema: + description: The ID of the script entry. + example: fr518850-681a-4y60-aa98-e22640cae2b8 + type: string + responses: + '200': + content: + application/json: + examples: + UpdateScriptEntrySuccess: + summary: Get one script entry success + value: + data: + description: Collects host data for investigation + file: ./collect_host_data.sh + fileType: script + id: 1234567890 + instructions: No arguments required + name: Collect host data + platform: + - linux + - macos + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ScriptsApiResponse' + description: Get script response + summary: Get script + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + patch: + description: |- + **Spaces method and path for this operation:** + +
patch /s/{space_id}/api/endpoint/scripts_library/{script_id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update (full or partial) a script entry + operationId: EndpointScriptLibraryPatchUpdateScript + parameters: + - description: The ID of the script entry to be updated. + example: fr518850-681a-4y60-aa98-e22640cae2b8 + in: path + name: script_id + required: true + schema: + description: The ID of the script entry to be updated. + example: fr518850-681a-4y60-aa98-e22640cae2b8 + type: string + requestBody: + content: + multipart/form-data: + examples: + PatchUpdateScriptEntry: + summary: Update script entry instructions + value: + instructions: ./collect_host_data.sh --help + PatchUpdateScriptEntryFromArchiveToScript: + summary: Update script entry from an archive to a script + value: + fileType: script + PatchUpdateScriptEntryToArchive: + summary: Update script entry to be an archive + value: + fileType: archive + pathToExecutable: ./bin/collect_host_data.sh + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_PatchUpdateScriptRouteRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + UpdateScriptEntrySuccess: + summary: Update script entry success + value: + data: + description: Collects host data for investigation + file: ./collect_host_data.sh + fileType: script + id: 1234567890 + instructions: No arguments required + name: Collect host data + platform: + - linux + - macos + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ScriptsApiResponse' + description: Action request was successfully updated + summary: Update script + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint/scripts_library/{script_id}/download: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint/scripts_library/{script_id}/download
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Download a script file + operationId: EndpointScriptLibraryDownloadScript + parameters: + - description: The ID of the script entry. + example: fr518850-681a-4y60-aa98-e22640cae2b8 + in: path + name: script_id + required: true + schema: + description: The ID of the script entry. + example: fr518850-681a-4y60-aa98-e22640cae2b8 + type: string + responses: + '200': + content: + application/octet-stream: + examples: + response: + summary: Download script file response example. + value: null + schema: + description: A download stream is returned. + format: binary + type: string + description: Download script file response. + summary: Download a script file + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_analytics/monitoring/engine/delete: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/entity_analytics/monitoring/engine/delete
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Deletes the Privilege Monitoring Engine and optionally removes all associated privileged user data. + operationId: DeleteMonitoringEngine + parameters: + - description: Whether to delete all the privileged user data + in: query + name: data + required: false + schema: + default: false + type: boolean + responses: + '200': + content: + application/json: + examples: + DeleteMonitoringEngineResponse: + summary: Engine deleted successfully + value: + deleted: true + schema: + type: object + properties: + deleted: + type: boolean + required: + - deleted + description: Successful response + summary: Delete the Privilege Monitoring Engine + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_analytics/monitoring/engine/disable: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_analytics/monitoring/engine/disable
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Disables the Privilege Monitoring Engine, stopping all monitoring activity without removing data. + operationId: DisableMonitoringEngine + responses: + '200': + content: + application/json: + examples: + DisableMonitoringEngineResponse: + summary: Engine disabled successfully + value: + status: disabled + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoringEngineDescriptor' + description: Successful response + summary: Disable the Privilege Monitoring Engine + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_analytics/monitoring/engine/init: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_analytics/monitoring/engine/init
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Initializes the Privilege Monitoring Engine, setting up the required resources and starting the engine. + operationId: InitMonitoringEngine + responses: + '200': + content: + application/json: + examples: + InitMonitoringEngineResponse: + summary: Engine initialized successfully + value: + status: started + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoringEngineDescriptor' + description: Successful response + '500': + content: + application/json: + examples: + InitMonitoringEngineError: + summary: Internal server error during engine initialization + value: + error: + message: Failed to initialize monitoring engine + status: error + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoringEngineDescriptor' + description: Internal Server Error + summary: Initialize the Privilege Monitoring Engine + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_analytics/monitoring/engine/schedule_now: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_analytics/monitoring/engine/schedule_now
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Schedules the Privilege Monitoring Engine to run as soon as possible, triggering an immediate monitoring cycle. + operationId: ScheduleMonitoringEngine + responses: + '200': + content: + application/json: + examples: + ScheduleMonitoringEngineResponse: + summary: Engine scheduled successfully + value: + success: true + schema: + type: object + properties: + success: + description: Indicates the scheduling was successful + type: boolean + description: Successful response + '409': + content: + application/json: + examples: + ScheduleMonitoringEngineConflict: + summary: Engine is already running + value: + message: Monitoring engine is already running + schema: + type: object + properties: + message: + description: Error message indicating the engine is already running + type: string + description: Conflict - Monitoring engine is already running + summary: Schedule the Privilege Monitoring Engine + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_analytics/monitoring/privileges/health: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/entity_analytics/monitoring/privileges/health
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Returns the current health status of the Privilege Monitoring Engine, including engine status, error details, and user count statistics. + operationId: PrivMonHealth + responses: + '200': + content: + application/json: + examples: + PrivMonHealthResponse: + summary: Healthy privilege monitoring engine + value: + status: started + users: + current_count: 42 + max_allowed: 1000 + schema: + type: object + properties: + error: + type: object + properties: + message: + type: string + required: + - status + status: + $ref: '#/components/schemas/Security_Entity_Analytics_API_PrivilegeMonitoringEngineStatus' + users: + description: User statistics for privilege monitoring + type: object + properties: + current_count: + description: Current number of privileged users being monitored + type: integer + max_allowed: + description: Maximum number of privileged users allowed to be monitored + type: integer + required: + - current_count + - max_allowed + required: + - status + description: Successful response + summary: Health check on Privilege Monitoring + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_analytics/monitoring/privileges/privileges: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/entity_analytics/monitoring/privileges/privileges
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Check if the current user has all required permissions for Privilege Monitoring + operationId: PrivMonPrivileges + responses: + '200': + content: + application/json: + examples: + PrivMonPrivilegesResponse: + summary: Privileges check response + value: + has_all_required: true + privileges: + elasticsearch: + index: + .entity_analytics.monitoring.user-default: + read: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityAnalyticsPrivileges' + description: Successful response + summary: Run a privileges check on Privilege Monitoring + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_analytics/monitoring/users: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_analytics/monitoring/users
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Creates a new privileged user to be monitored by the Privilege Monitoring Engine. + operationId: CreatePrivMonUser + requestBody: + content: + application/json: + examples: + CreatePrivMonUserRequest: + summary: Create a monitored user + value: + entity_analytics_monitoring: + labels: + - field: department + source: api + value: IT + user: + name: john.doe + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_UserName' + required: true + responses: + '200': + content: + application/json: + examples: + CreatePrivMonUserResponse: + summary: Created monitored user + value: + '@timestamp': '2026-01-28T12:00:00.000Z' + entity_analytics_monitoring: + labels: + - field: department + source: api + value: IT + event: + ingested: '2026-01-28T12:00:00.000Z' + id: user-abc-123 + user: + is_privileged: true + name: john.doe + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoredUserDoc' + description: User created successfully + summary: Create a new monitored user + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_analytics/monitoring/users/_csv: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_analytics/monitoring/users/_csv
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Bulk upserts privileged users by uploading a CSV file. Returns per-row errors and aggregate upload statistics. + operationId: PrivmonBulkUploadUsersCSV + requestBody: + content: + multipart/form-data: + examples: + PrivmonBulkUploadUsersCSVRequest: + summary: CSV file with privileged users + value: + file: | + username,is_privileged + john.doe,true + jane.smith,true + schema: + type: object + properties: + file: + description: The CSV file to upload. + format: binary + type: string + required: + - file + responses: + '200': + content: + application/json: + examples: + PrivmonBulkUploadUsersCSVResponse: + summary: Bulk upload response with mixed results + value: + errors: + - index: 1 + message: Invalid monitored field + username: john.doe + stats: + failedOperations: 1 + successfulOperations: 1 + totalOperations: 2 + uploaded: 2 + schema: + type: object + properties: + errors: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_PrivmonUserCsvUploadErrorItem' + type: array + stats: + $ref: '#/components/schemas/Security_Entity_Analytics_API_PrivmonUserCsvUploadStats' + required: + - errors + - stats + description: Bulk upload successful + '413': + description: File too large + summary: Upsert multiple monitored users via CSV upload + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_analytics/monitoring/users/{id}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/entity_analytics/monitoring/users/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Removes a privileged user from monitoring by their document ID. + operationId: DeletePrivMonUser + parameters: + - description: The document ID of the monitored user to delete + in: path + name: id + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + DeletePrivMonUserResponse: + summary: User deleted successfully + value: + acknowledged: true + message: User deleted successfully + schema: + type: object + properties: + acknowledged: + description: Indicates if the deletion was successful + type: boolean + message: + description: A message providing additional information about the deletion status + type: string + required: + - success + description: User deleted successfully + summary: Delete a monitored user + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/entity_analytics/monitoring/users/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Updates the details of an existing monitored privileged user by their document ID. + operationId: UpdatePrivMonUser + parameters: + - description: The document ID of the monitored user to update + in: path + name: id + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + UpdatePrivMonUserRequest: + summary: Update a monitored user + value: + entity_analytics_monitoring: + labels: + - field: department + source: api + value: Security + user: + is_privileged: true + name: john.doe + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoredUserUpdateDoc' + required: true + responses: + '200': + content: + application/json: + examples: + UpdatePrivMonUserResponse: + summary: Updated monitored user + value: + '@timestamp': '2026-01-28T12:00:00.000Z' + entity_analytics_monitoring: + labels: + - field: department + source: api + value: Security + event: + ingested: '2026-01-28T12:00:00.000Z' + id: user-abc-123 + user: + is_privileged: true + name: john.doe + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoredUserDoc' + description: User updated successfully + summary: Update a monitored user + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_analytics/monitoring/users/list: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/entity_analytics/monitoring/users/list
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Returns a list of all privileged users currently being monitored. Supports optional KQL filtering. + operationId: ListPrivMonUsers + parameters: + - description: KQL query to filter the list of monitored users + in: query + name: kql + required: false + schema: + type: string + responses: + '200': + content: + application/json: + examples: + ListPrivMonUsersResponse: + summary: List of monitored users + value: + - '@timestamp': '2026-01-28T12:00:00.000Z' + entity_analytics_monitoring: + labels: + - field: department + source: api + value: IT + event: + ingested: '2026-01-28T12:00:00.000Z' + id: user-abc-123 + user: + is_privileged: true + name: john.doe + - '@timestamp': '2026-01-15T09:00:00.000Z' + entity_analytics_monitoring: + labels: + - field: department + source: csv + value: Security + event: + ingested: '2026-01-15T09:00:00.000Z' + id: user-def-456 + user: + is_privileged: true + name: jane.smith + schema: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoredUserDoc' + type: array + description: List of monitored users + summary: List all monitored users + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_analytics/privileged_user_monitoring/pad/install: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_analytics/privileged_user_monitoring/pad/install
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Installs the privileged access detection integration package and sets up the associated ML modules required for the Entity Analytics privileged user monitoring experience. + operationId: InstallPrivilegedAccessDetectionPackage + responses: + '200': + content: + application/json: + examples: + InstallPrivilegedAccessDetectionPackageResponse: + summary: Package installed successfully + value: + message: Privileged access detection package installed successfully + schema: + type: object + properties: + message: + type: string + required: + - message + description: Successful response + summary: Installs the privileged access detection package for the Entity Analytics privileged user monitoring experience + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_analytics/privileged_user_monitoring/pad/status: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/entity_analytics/privileged_user_monitoring/pad/status
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Returns the installation and ML module setup status of the privileged access detection package, along with the state of each associated ML job. + operationId: GetPrivilegedAccessDetectionPackageStatus + responses: + '200': + content: + application/json: + examples: + GetPrivilegedAccessDetectionPackageStatusResponse: + summary: Package fully installed and running + value: + jobs: + - description: Detects high-risk login patterns + job_id: pad-high-risk-login + state: opened + - description: Detects privilege escalation events + job_id: pad-privilege-escalation + state: opened + ml_module_setup_status: complete + package_installation_status: complete + schema: + type: object + properties: + jobs: + items: + type: object + properties: + description: + type: string + job_id: + type: string + state: + enum: + - closing + - closed + - opened + - failed + - opening + type: string + required: + - job_id + - state + type: array + ml_module_setup_status: + enum: + - complete + - incomplete + type: string + package_installation_status: + enum: + - complete + - incomplete + type: string + required: + - package_installation_status + - ml_module_setup_status + - jobs + description: Privileged access detection status retrieved + summary: Gets the status of the privileged access detection package for the Entity Analytics privileged user monitoring experience + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_analytics/watchlists: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_analytics/watchlists
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Creates a new entity analytics watchlist with an optional set of entity sources. Watchlists apply a risk score modifier to matched entities. + operationId: CreateWatchlist + requestBody: + content: + application/json: + examples: + CreateWatchlistRequest: + summary: Create watchlist request + value: + description: High risk vendor watchlist + managed: false + name: High Risk Vendors + riskModifier: 1.5 + CreateWatchlistWithSourcesRequest: + summary: Create watchlist with entity sources + value: + description: High risk vendor watchlist + entitySources: + - enabled: true + identifierField: user.name + indexPattern: my-sync-index + name: My User Index Source + type: index + managed: false + name: High Risk Vendors + riskModifier: 1.5 + schema: + type: object + properties: + description: + description: Description of the watchlist + type: string + entitySources: + description: Optional entity sources to create and link to the watchlist + items: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + filter: + $ref: '#/components/schemas/Security_Entity_Analytics_API_Filter' + identifierField: + description: Field used to query the entity store for index-type sources + type: string + indexPattern: + type: string + integrationName: + description: Required when type is entity_analytics_integration. One of entityanalytics_okta, entityanalytics_ad. 
+ type: string + matchers: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_Matcher' + type: array + name: + type: string + queryRule: + description: KQL query used to filter data from the provided index patterns + type: string + range: + $ref: '#/components/schemas/Security_Entity_Analytics_API_DateRange' + type: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntitySourceType' + required: + - type + - name + type: array + managed: + description: Indicates if the watchlist is managed by the system + type: boolean + name: + description: Unique name for the watchlist + type: string + riskModifier: + description: Risk score modifier associated with the watchlist + maximum: 2 + minimum: 0 + type: number + required: + - name + - riskModifier + required: true + responses: + '200': + content: + application/json: + examples: + CreateWatchlistResponse: + summary: Created watchlist + value: + createdAt: '2026-01-28T12:00:00.000Z' + description: High risk vendor watchlist + id: watchlist-123 + managed: false + name: High Risk Vendors + riskModifier: 1.5 + updatedAt: '2026-01-28T12:00:00.000Z' + schema: + allOf: + - $ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistObject' + - type: object + properties: + entitySources: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoringEntitySource' + type: array + description: Watchlist created successfully + summary: Create a new watchlist + tags: + - Security Entity Analytics API + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_analytics/watchlists/{id}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/entity_analytics/watchlists/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieves the details of an entity analytics watchlist by its unique identifier. + operationId: GetWatchlist + parameters: + - description: Unique ID of the watchlist + in: path + name: id + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + GetWatchlistResponse: + summary: Watchlist details + value: + createdAt: '2026-01-28T12:00:00.000Z' + description: High risk vendor watchlist + id: watchlist-123 + managed: false + name: High Risk Vendors + riskModifier: 1.5 + updatedAt: '2026-02-18T12:00:00.000Z' + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistObject' + description: Watchlist details + summary: Get a watchlist by ID + tags: + - Security Entity Analytics API + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/entity_analytics/watchlists/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Updates the name, description, risk modifier, or managed status of an existing entity analytics watchlist. + operationId: UpdateWatchlist + parameters: + - description: The ID of the watchlist to update + in: path + name: id + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + UpdateWatchlistRequest: + summary: Update watchlist request + value: + description: High risk vendor watchlist + managed: false + name: High Risk Vendors + riskModifier: 1.5 + schema: + type: object + properties: + description: + description: Description of the watchlist + type: string + managed: + description: Indicates if the watchlist is managed by the system + type: boolean + name: + description: Unique name of the watchlist + type: string + riskModifier: + description: Risk score modifier associated with the watchlist + maximum: 2 + minimum: 0 + type: number + required: + - name + - riskModifier + required: true + responses: + '200': + content: + application/json: + examples: + UpdateWatchlistResponse: + summary: Updated watchlist + value: + createdAt: '2026-01-28T12:00:00.000Z' + description: High risk vendor watchlist + id: watchlist-123 + managed: false + name: High Risk Vendors + riskModifier: 1.5 + updatedAt: '2026-02-18T12:00:00.000Z' + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistObject' + description: Watchlist updated successfully + summary: Update an existing watchlist + tags: + - Security Entity Analytics API + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_analytics/watchlists/{watchlist_id}/csv_upload: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_analytics/watchlists/{watchlist_id}/csv_upload
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Uploads a CSV file to add entities to a watchlist. The CSV must contain a header row + with a "type" column (user, host, service, or generic) and one or more ECS identity + fields (e.g. "user.name", "host.hostname") used to match entities in the entity store. + + Matched entities are added to the watchlist and their `entity.attributes.watchlists` + field is updated in the entity store. + + Each row will match up to 10,000 entities. + operationId: UploadWatchlistCsv + parameters: + - description: The ID of the watchlist to add entities to + example: high-risk-vendors + in: path + name: watchlist_id + required: true + schema: + type: string + requestBody: + content: + multipart/form-data: + examples: + csvUpload: + summary: CSV file with user entities + value: + file: | + type,user.name + user,john.doe + user,jane.smith + schema: + type: object + properties: + file: + description: The CSV file to upload. 
+ format: binary + type: string + required: + - file + required: true + responses: + '200': + content: + application/json: + examples: + CsvUploadResponse: + summary: CSV upload response with mixed results + value: + failed: 1 + items: + - matchedEntities: 1 + status: success + - error: Invalid entity type + matchedEntities: 0 + status: failure + - matchedEntities: 0 + status: unmatched + successful: 1 + total: 3 + unmatched: 1 + schema: + type: object + properties: + failed: + description: Number of rows that failed to process + example: 1 + type: integer + items: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistCsvUploadResponseItem' + type: array + successful: + description: Number of rows that matched at least one entity + example: 1 + type: integer + total: + description: Total number of rows processed + example: 3 + type: integer + unmatched: + description: Number of rows that matched no entities + example: 1 + type: integer + required: + - successful + - failed + - total + - unmatched + - items + description: Upload successful + '413': + description: File too large + summary: Upload a CSV file to add entities to a watchlist + tags: + - Security Entity Analytics API + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_analytics/watchlists/{watchlist_id}/entities/assign: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_analytics/watchlists/{watchlist_id}/entities/assign
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Assigns the provided entities to the specified watchlist using a "manual" source label. + The entities must already exist in the entity store. + + If an entity is already on the watchlist, no new document is created — the "manual" label + is added to its existing source labels instead. + operationId: AssignWatchlistEntities + parameters: + - description: The ID of the watchlist to add entities to + example: high-risk-vendors + in: path + name: watchlist_id + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + assignEntities: + summary: Assign two entities to a watchlist + value: + euids: + - user:john.doe + - host:web-01 + schema: + type: object + properties: + euids: + description: The EUIDs of the entities to assign + example: + - user:john.doe + - host:web-01 + items: + type: string + type: array + required: + - euids + required: true + responses: + '200': + content: + application/json: + examples: + assignEntitiesResponse: + summary: Successful assignment of two entities + value: + failed: 0 + items: + - euid: user:john.doe + status: success + - euid: host:web-01 + status: not_found + not_found: 1 + successful: 1 + total: 2 + schema: + type: object + properties: + failed: + description: Number of entities that failed to process + example: 0 + type: integer + items: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistEntityAssignResponseItem' + type: array + not_found: + description: Number of entities not found in the entity store + example: 1 + type: integer + successful: + description: Number of entities successfully assigned + example: 1 + type: integer + total: + description: Total number of entities processed + example: 2 + type: integer + required: + - successful + - failed + - not_found + - total + - items + description: Assignment successful + summary: Manually assign entities 
to a watchlist + tags: + - Security Entity Analytics API + x-state: Technical Preview; added in 9.4.0 + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_analytics/watchlists/{watchlist_id}/entities/unassign: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_analytics/watchlists/{watchlist_id}/entities/unassign
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Unassigns the provided entities from the specified watchlist. + This only removes the "manual" assignment. If the entity is also + assigned via other sources (for example, index or integration), it will + remain on the watchlist. + operationId: UnassignWatchlistEntities + parameters: + - description: The ID of the watchlist to remove entities from + example: high-risk-vendors + in: path + name: watchlist_id + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + unassignEntities: + summary: Unassign two entities from a watchlist + value: + euids: + - user:john.doe + - host:web-01 + schema: + type: object + properties: + euids: + description: The EUIDs of the entities to unassign + example: + - user:john.doe + - host:web-01 + items: + type: string + type: array + required: + - euids + required: true + responses: + '200': + content: + application/json: + examples: + unassignEntitiesResponse: + summary: Successful unassignment of two entities + value: + failed: 0 + items: + - euid: user:john.doe + status: success + - euid: host:web-01 + status: not_found + not_found: 1 + successful: 1 + total: 2 + schema: + type: object + properties: + failed: + description: Number of entities that failed to process + example: 0 + type: integer + items: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistEntityUnassignResponseItem' + type: array + not_found: + description: Number of entities not found in the manual watchlist assignment + example: 1 + type: integer + successful: + description: Number of entities successfully unassigned + example: 1 + type: integer + total: + description: Total number of entities processed + example: 2 + type: integer + required: + - successful + - failed + - not_found + - total + - items + description: Unassignment successful + summary: Manually unassign entities from a 
watchlist + tags: + - Security Entity Analytics API + x-state: Technical Preview; added in 9.4.0 + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_analytics/watchlists/list: get: - description: >- - Get the latest Attack Discovery generations metadata (that are not - dismissed) for the current user. This endpoint retrieves generation - metadata including execution status and statistics for Attack Discovery - generations. - operationId: GetAttackDiscoveryGenerations + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/entity_analytics/watchlists/list
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Returns a list of all entity analytics watchlists. + operationId: ListWatchlists + responses: + '200': + content: + application/json: + examples: + ListWatchlistsResponse: + summary: List of watchlists + value: + - createdAt: '2026-01-28T12:00:00.000Z' + description: High risk vendor watchlist + id: watchlist-123 + managed: false + name: High Risk Vendors + riskModifier: 1.5 + updatedAt: '2026-02-18T12:00:00.000Z' + - createdAt: '2026-01-10T09:30:00.000Z' + description: Privileged user monitoring watchlist + id: watchlist-456 + managed: true + name: Privileged Accounts + riskModifier: 2 + updatedAt: '2026-02-01T15:45:00.000Z' + schema: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistObject' + type: array + description: List of watchlists + summary: List all watchlists + tags: + - Security Entity Analytics API + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_store/enable: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_store/enable
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Initialize the entire Entity Store, creating engines for all or specified entity types. + operationId: InitEntityStore + requestBody: + content: + application/json: + schema: + type: object + properties: + delay: + default: 1m + description: The delay before the transform will run. + pattern: '[smdh]$' + type: string + docsPerSecond: + default: -1 + description: The number of documents per second to process. + type: integer + enrichPolicyExecutionInterval: + $ref: '#/components/schemas/Security_Entity_Analytics_API_Interval' + entityTypes: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + type: array + fieldHistoryLength: + default: 10 + description: The number of historical values to keep for each field. + type: integer + filter: + type: string + frequency: + default: 1m + description: The frequency at which the transform will run. + pattern: '[smdh]$' + type: string + indexPattern: + $ref: '#/components/schemas/Security_Entity_Analytics_API_IndexPattern' + lookbackPeriod: + default: 3h + description: The amount of time the transform looks back to calculate the aggregations. + pattern: '[smdh]$' + type: string + maxPageSearchSize: + default: 500 + description: The initial page size to use for the composite aggregation of each checkpoint. + type: integer + timeout: + default: 180s + description: The timeout for initializing the aggregating transform. + pattern: '[smdh]$' + type: string + timestampField: + default: '@timestamp' + description: The field to use as the timestamp. + type: string + description: Configuration for the entity store initialization. + required: true + responses: + '200': + content: + application/json: + examples: + initEntityStoreExample: + description: The Entity Store was successfully initialized, creating host and user engines in the installing state. 
+ summary: Entity Store initialized with host and user engines + value: + engines: + - delay: 1m + fieldHistoryLength: 10 + frequency: 1m + indexPattern: '' + lookbackPeriod: 24h + status: installing + timeout: 180s + timestampField: '@timestamp' + type: host + - delay: 1m + fieldHistoryLength: 10 + frequency: 1m + indexPattern: '' + lookbackPeriod: 24h + status: installing + timeout: 180s + timestampField: '@timestamp' + type: user + succeeded: true + schema: + type: object + properties: + engines: + description: The engine descriptors created during initialization. + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor' + type: array + succeeded: + description: Whether the Entity Store was initialized successfully. + type: boolean + description: Successful response + '400': + description: Invalid request + summary: Initialize the Entity Store + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_store/engines: + delete: + operationId: DeleteEntityEngines + parameters: + - description: The entity type of the engine ('user', 'host', 'service', 'generic'). + examples: + hostAndService: + value: host,service + in: query + name: entityTypes + required: false + schema: + description: Array of engine types to delete. Empty by default, which results in all the engines being deleted. + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + type: array + - description: Control flag to also delete the entity data. + in: query + name: delete_data + required: false + schema: + type: boolean + responses: + '200': + content: + application/json: + examples: + deleteEntityEnginesExample: + description: Example response after deleting 'host' engine + value: + deleted: + - host + still_running: + - generic + - user + - service + schema: + type: object + properties: + deleted: + description: Entity types whose engines were successfully deleted. 
+ items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + type: array + still_running: + description: Entity types whose engines are still running. + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + type: array + description: Successful response + summary: Delete Entity Engines + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/entity_store/engines
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/entity_store/engines
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all installed entity engines and their current status. + operationId: ListEntityEngines + responses: + '200': + content: + application/json: + examples: + listEntityEnginesExample: + description: Returns a list with one running host engine and one stopped user engine. + summary: Two engines installed + value: + count: 2 + engines: + - delay: 1m + fieldHistoryLength: 10 + frequency: 1m + indexPattern: '' + lookbackPeriod: 24h + status: started + timeout: 180s + timestampField: '@timestamp' + type: host + - delay: 1m + fieldHistoryLength: 10 + frequency: 1m + indexPattern: '' + lookbackPeriod: 24h + status: stopped + timeout: 180s + timestampField: '@timestamp' + type: user + schema: + type: object + properties: + count: + description: The total number of entity engines. + type: integer + engines: + description: An array of engine descriptors. + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor' + type: array + description: Successful response + summary: List the Entity Engines + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_store/engines/{entityType}: + delete: + operationId: DeleteEntityEngine + parameters: + - description: The entity type of the engine (either 'user' or 'host'). + examples: + host: + value: host + in: path + name: entityType + required: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + - description: Control flag to also delete the entity data. + in: query + name: delete_data + required: false + schema: + type: boolean + - deprecated: true + description: Control flag to also delete the entity data. 
+ in: query + name: data + required: false + schema: + type: boolean + responses: + '200': + content: + application/json: + examples: + deleteEntityEngineExample: + description: Example response after deleting 'host' engine + value: + deleted: true + schema: + type: object + properties: + deleted: + description: Whether the engine was successfully deleted. + type: boolean + description: Successful response + summary: Delete the Entity Engine + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/entity_store/engines/{entityType}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/entity_store/engines/{entityType}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the engine descriptor for a specific entity type, including its configuration and current status. + operationId: GetEntityEngine parameters: - - description: >- - End of the time range for filtering generations. Accepts absolute - timestamps (ISO 8601) or relative date math (e.g. "now", "now-24h"). - example: now - in: query - name: end - required: false - schema: - type: string - - description: The maximum number of generations to retrieve - example: 50 - in: query - name: size - required: false + - description: The entity type of the engine. + example: host + in: path + name: entityType + required: true schema: - default: 50 - minimum: 1 - type: number - - description: >- - Start of the time range for filtering generations. Accepts absolute - timestamps (ISO 8601) or relative date math (e.g. "now-7d"). - example: now-24h - in: query - name: start - required: false + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + responses: + '200': + content: + application/json: + examples: + getEntityEngineExample: + description: Returns the engine descriptor for a host engine that is currently running with default settings. + summary: A running host engine + value: + delay: 1m + fieldHistoryLength: 10 + frequency: 1m + indexPattern: '' + lookbackPeriod: 24h + status: started + timeout: 180s + timestampField: '@timestamp' + type: host + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor' + description: Successful response + summary: Get an Entity Engine + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_store/engines/{entityType}/init: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_store/engines/{entityType}/init
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Initialize a single entity engine for the specified entity type. + operationId: InitEntityEngine + parameters: + - description: The entity type of the engine. + in: path + name: entityType + required: true schema: - type: string + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + requestBody: + content: + application/json: + schema: + type: object + properties: + delay: + default: 1m + description: The delay before the transform will run. + pattern: '[smdh]$' + type: string + docsPerSecond: + default: -1 + description: The number of documents per second to process. + type: integer + enrichPolicyExecutionInterval: + $ref: '#/components/schemas/Security_Entity_Analytics_API_Interval' + fieldHistoryLength: + default: 10 + description: The number of historical values to keep for each field. + type: integer + filter: + type: string + frequency: + default: 1m + description: The frequency at which the transform will run. + pattern: '[smdh]$' + type: string + indexPattern: + $ref: '#/components/schemas/Security_Entity_Analytics_API_IndexPattern' + lookbackPeriod: + default: 3h + description: The amount of time the transform looks back to calculate the aggregations. + pattern: '[smdh]$' + type: string + maxPageSearchSize: + default: 500 + description: The initial page size to use for the composite aggregation of each checkpoint. + type: integer + timeout: + default: 180s + description: The timeout for initializing the aggregating transform. + pattern: '[smdh]$' + type: string + timestampField: + default: '@timestamp' + description: The field to use as the timestamp for the entity type. 
+ type: string + description: Schema for the engine initialization + required: true responses: '200': content: application/json: examples: - GetAttackDiscoveryGenerationsResponse200Example: - summary: >- - Latest Attack Discovery generation metadata for the current - user. + initEntityEngineExample: + description: A host engine was successfully initialized and is now in the installing state. + summary: Host engine initialized value: - generations: - - alerts_context_count: 75 - connector_id: chatGpt5_0ChatAzure - discoveries: 3 - end: '2025-09-29T06:42:44.810Z' - execution_uuid: 46b218d5-535d-4329-be56-d0f6af6986b7 - loading_message: >- - AI is analyzing up to 100 alerts in the last 24 hours - to generate discoveries. - start: '2025-09-29T06:42:08.962Z' - status: succeeded + delay: 1m + fieldHistoryLength: 10 + frequency: 1m + indexPattern: '' + lookbackPeriod: 3h + status: installing + timeout: 180s + timestampField: '@timestamp' + type: host schema: - type: object - properties: - generations: - description: List of Attack Discovery generations - items: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGeneration - type: array - required: - - generations - description: Indicates a successful call. + $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor' + description: Successful response '400': + description: Invalid request + summary: Initialize an Entity Engine + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_store/engines/{entityType}/start: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_store/engines/{entityType}/start
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Start a previously stopped entity engine, resuming transform processing for the given entity type. + operationId: StartEntityEngine + parameters: + - description: The entity type of the engine to start. + example: host + in: path + name: entityType + required: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + responses: + '200': content: application/json: examples: - GetAttackDiscoveryGenerationsResponse400Example: - summary: >- - Bad Request error returned when the size parameter is - invalid. + startEntityEngineExample: + description: The engine was successfully started and is now processing data. + summary: Engine started successfully value: - error: Bad Request - message: Invalid size parameter. Must be a positive number. - status_code: 400 + started: true schema: type: object properties: - error: - description: Error type - example: Bad Request - type: string - message: - description: Human-readable error message - example: Invalid size parameter. Must be a positive number. - type: string - status_code: - description: HTTP status code - example: 400 - type: number - description: Bad Request response. - summary: >- - Get the latest Attack Discovery generations metadata for the current - user + started: + description: Whether the engine was successfully started. 
+ type: boolean + description: Successful response + summary: Start an Entity Engine tags: - - Security Attack discovery API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request GET 'http://localhost:5601/api/attack_discovery/generations?size=50&start=now-24h&end=now' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" - /api/attack_discovery/generations/{execution_uuid}: - get: - description: >- - Returns a specific Attack Discovery generation, including all generated - Attack discoveries and associated metadata, including execution status - and statistics. - operationId: GetAttackDiscoveryGeneration + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_store/engines/{entityType}/stop: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_store/engines/{entityType}/stop
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Stop a running entity engine, pausing transform processing for the given entity type. + operationId: StopEntityEngine parameters: - - description: >- - The unique identifier for the Attack Discovery generation execution. - This UUID is returned at the start of an Attack Discovery - generation. - example: 2e13f386-46cf-4d65-9e2b-68609e132ba5 + - description: The entity type of the engine to stop. + example: host in: path - name: execution_uuid + name: entityType required: true schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' - - description: >- - Enables a markdown syntax used to render pivot fields, for example - `{{ user.name james }}`. When disabled, the same example would be - rendered as `james`. This is primarily used for Attack Discovery - views within Kibana. Defaults to `false`. - example: false - in: query - name: enable_field_rendering - required: false - schema: - default: false - type: boolean - - description: >- - When true, return the created Attack discoveries with text - replacements applied to the detailsMarkdown, entitySummaryMarkdown, - summaryMarkdown, and title fields. Defaults to `true`. - example: true - in: query - name: with_replacements - required: false - schema: - default: true - type: boolean + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' responses: '200': content: application/json: examples: - GetAttackDiscoveryGenerationResponse200Example: - summary: >- - Single Attack Discovery generation with its discoveries and - metadata. + stopEntityEngineExample: + description: The engine was successfully stopped and is no longer processing data. 
+ summary: Engine stopped successfully value: - data: - - id: >- - c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f - title: Suspicious process execution on host-01 - generation: - alerts_context_count: 50 - discoveries: 1 - end: '2025-09-29T06:42:44.810Z' - execution_uuid: 2e13f386-46cf-4d65-9e2b-68609e132ba5 - start: '2025-09-29T06:42:08.962Z' - status: succeeded + stopped: true schema: type: object properties: - data: - description: >- - Array of Attack discoveries generated during this - execution. + stopped: + description: Whether the engine was successfully stopped. + type: boolean + description: Successful response + summary: Stop an Entity Engine + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_store/engines/apply_dataview_indices: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_store/engines/apply_dataview_indices
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Synchronize data view index patterns to all running entity engines so that newly added indices are picked up by the transforms. + operationId: ApplyEntityEngineDataviewIndices + responses: + '200': + content: + application/json: + examples: + applyDataviewIndicesExample: + description: All running engines were successfully updated with the current data view index patterns. + summary: All engines updated + value: + result: + - changes: + indexPatterns: + - logs-* + - filebeat-* + - auditbeat-* + type: host + - changes: + indexPatterns: + - logs-* + - filebeat-* + - auditbeat-* + type: user + success: true + schema: + type: object + properties: + result: + description: Per-engine update results. items: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiAlert + $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDataviewUpdateResult' type: array - generation: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGeneration - description: >- - Optional metadata about the attack discovery generation - process, metadata including execution status and - statistics. This metadata may not be available for all - generations. - required: - - data - description: Indicates a successful call. - '400': + success: + description: Whether all engines updated successfully. + type: boolean + description: Successful response + '207': content: application/json: examples: - GetAttackDiscoveryGenerationResponse400Example: - summary: >- - Bad Request error returned when the get-generation request - is invalid. + partialSuccessExample: + description: The host engine was updated but the user engine failed due to insufficient privileges. + summary: One engine failed value: - error: Bad Request - message: Invalid request parameters. 
- status_code: 400 + errors: + - 'Failed to update user engine: insufficient privileges' + result: + - changes: + indexPatterns: + - logs-* + - filebeat-* + type: host + success: false schema: type: object properties: - error: - description: Error type - example: Bad Request - type: string - message: - description: >- - Human-readable error message describing what went wrong - with the request - example: Invalid request parameters. + errors: + description: Error messages for engines that failed to update. + items: + type: string + type: array + result: + description: Per-engine update results for engines that succeeded. + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDataviewUpdateResult' + type: array + success: + description: Always `false` for a partial success. + type: boolean + description: Partial successful response + '500': + content: + application/json: + examples: + serverErrorExample: + description: An unexpected error occurred while applying data view indices. + summary: Internal server error + value: + body: An internal error occurred while updating engine indices + statusCode: 500 + schema: + type: object + properties: + body: + description: Error message. type: string - status_code: - description: HTTP status code - example: 400 + statusCode: + description: HTTP status code. type: number - required: - - status_code - - error - - message - description: Bad Request response. 
- summary: >- - Get a single Attack Discovery generation, including its discoveries and - (optional) generation metadata + description: Error response + summary: Apply DataView indices to all installed engines tags: - - Security Attack discovery API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request GET 'http://localhost:5601/api/attack_discovery/generations/2e13f386-46cf-4d65-9e2b-68609e132ba5' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" - /api/attack_discovery/generations/{execution_uuid}/_dismiss: - post: - description: >- - Dismisses an Attack Discovery generation for the current user, - indicating that its status should not be reported in the UI. This sets - the generation's status to "dismissed" and affects how the generation - appears in subsequent queries. - operationId: PostAttackDiscoveryGenerationsDismiss + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_store/entities/{entityType}: + delete: + description: | + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/entity_store/entities/{entityType}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a single entity in Entity Store. + The entity will be immediately deleted from the latest index. It will remain available in historical snapshots if it has been snapshotted. The delete operation does not prevent the entity from being recreated if it is observed again in the future. + operationId: DeleteSingleEntity parameters: - - description: >- - The unique identifier for the Attack Discovery generation execution. - This UUID is returned when an Attack Discovery generation is created - and can be found in generation responses. - example: 46b218d5-535d-4329-be56-d0f6af6986b7 + - example: user in: path - name: execution_uuid + name: entityType + required: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + requestBody: + content: + application/json: + schema: + type: object + properties: + id: + description: Identifier of the entity to be deleted, commonly entity.id value. + example: arn:aws:iam::123456789012:user/jane.doe + type: string + required: + - id + description: Schema for the deleting entity + required: true + responses: + '200': + content: + application/json: + examples: + deleteEntityExample: + description: The entity was found and successfully removed from the latest index. + summary: Entity deleted + value: + deleted: true + schema: + type: object + properties: + deleted: + description: Whether the entity was successfully deleted. + type: boolean + description: Successful response. Entity deleted. + '404': + description: Entity Not Found. No entity with this ID and Type exists. 
+ '503': + description: Operation on an uninitialized Engine or in a cluster without CRUD API Enabled + summary: Delete an entity in Entity Store + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: | + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/entity_store/entities/{entityType}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update or create an entity in Entity Store. + If the specified entity already exists, it is updated with the provided values. If the entity does not exist, a new one is created. By default, only the following fields can be updated: * `entity.attributes.*` * `entity.lifecycle.*` * `entity.behavior.*` To update other fields, set the `force` query parameter to `true`. > info > Some fields always retain the first observed value. Updates to these fields will not appear in the final index. + > Due to technical limitations, not all updates are guaranteed to appear in the final list of observed values. + > Due to technical limitations, create is an async operation. The time for a document to be present in the > final index depends on the entity store transform and usually takes more than 1 minute. + operationId: UpsertEntity + parameters: + - example: user + in: path + name: entityType + required: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + - description: When true, allows updating protected fields. + in: query + name: force + required: false + schema: + default: false + type: boolean + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_Entity' + description: Schema for the updating a single entity + required: true + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_Entity' + description: Entity updated or created + '403': + description: Operation on a restricted field + '409': + description: Conflict. 
The entity was updated while another update was happening in ElasticSearch + '503': + description: Operation on an uninitialized Engine or in a cluster without CRUD API Enabled + summary: Upsert an entity in Entity Store + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_store/entities/bulk: + put: + description: | + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/entity_store/entities/bulk
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update or create many entities in Entity Store. + If the specified entity already exists, it is updated with the provided values. If the entity does not exist, a new one is created. + The creation is asynchronous. The time for a document to be present in the final index depends on the entity store transform and usually takes more than 1 minute. + operationId: UpsertEntitiesBulk + parameters: + - description: When true, allows updating protected fields. + in: query + name: force + required: false + schema: + default: false + type: boolean + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntitiesContainer' + description: Schema for the updating many entities + required: true + responses: + '200': + description: Entities updated or created + '403': + description: Operation on a restricted field + '503': + description: Operation on an uninitialized Engine or in a cluster without CRUD API Enabled + summary: Upsert many entities in Entity Store + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_store/entities/list: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/entity_store/entities/list
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List entities records, paging, sorting and filtering as needed. + operationId: ListEntities + parameters: + - description: Field to sort results by. + example: entity.name + in: query + name: sort_field + required: false + schema: + type: string + - description: Sort order. + in: query + name: sort_order + required: false + schema: + enum: + - asc + - desc + type: string + - description: Page number to return (1-indexed). + example: 1 + in: query + name: page + required: false + schema: + minimum: 1 + type: integer + - description: Number of entities per page. + example: 10 + in: query + name: per_page + required: false + schema: + maximum: 10000 + minimum: 1 + type: integer + - description: An ES query to filter by. + in: query + name: filterQuery + required: false + schema: + type: string + - description: Entity types to include in the results. + in: query + name: entity_types required: true schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + type: array responses: '200': content: application/json: - examples: - PostAttackDiscoveryGenerationsDismissResponse200Example: - summary: Successfully dismissed an Attack Discovery generation. - value: - alerts_context_count: 75 - connector_id: chatGpt5_0ChatAzure - discoveries: 3 - end: '2025-09-29T06:42:44.810Z' - execution_uuid: 46b218d5-535d-4329-be56-d0f6af6986b7 - loading_message: >- - AI is analyzing up to 100 alerts in the last 24 hours to - generate discoveries. - start: '2025-09-29T06:42:08.962Z' - status: dismissed schema: type: object properties: - alerts_context_count: - description: >- - The number of alerts that were sent as context to the LLM - for this generation. 
- example: 75 - type: number - connector_id: - description: >- - The unique identifier of the connector used to generate - the attack discoveries. - example: chatGpt5_0ChatAzure - type: string - connector_stats: - description: >- - Statistical information about the connector's performance - for this user, providing insights into usage patterns and - success rates. - type: object - properties: - average_successful_duration_nanoseconds: - description: >- - The average duration in nanoseconds for successful - generations using this connector by the current user. - example: 47958500000 - type: number - successful_generations: - description: >- - The total number of Attack discoveries successfully - created for this generation - example: 2 - type: number - discoveries: - description: >- - The number of attack discoveries that were generated - during this execution. - example: 3 - type: number - end: - description: >- - The timestamp when the generation process completed, in - ISO 8601 format. This field may be absent for generations - that haven't finished. - example: '2025-09-29T06:42:44.810Z' - type: string - execution_uuid: - description: >- - The unique identifier for this attack discovery generation - execution. This UUID can be used to reference this - specific generation in other API calls. - example: 46b218d5-535d-4329-be56-d0f6af6986b7 - type: string - loading_message: - description: >- - A human-readable message describing the current state or - progress of the generation process. Provides context about - what the AI is analyzing. - example: >- - AI is analyzing up to 100 alerts in the last 24 hours to - generate discoveries. - type: string - reason: - description: >- - Additional context or reasoning provided when a generation - fails or encounters issues. This field helps diagnose - problems with the generation process. 
- example: Connection timeout to AI service - type: string - start: - description: >- - The timestamp when the generation process began, in ISO - 8601 format. This marks the beginning of the AI analysis. - example: '2025-09-29T06:42:08.962Z' - type: string - status: - description: >- - The current status of the attack discovery generation. - After dismissing, this will be set to "dismissed". - enum: - - canceled - - dismissed - - failed - - started - - succeeded - example: dismissed - type: string + inspect: + $ref: '#/components/schemas/Security_Entity_Analytics_API_InspectQuery' + page: + description: Current page number. + minimum: 1 + type: integer + per_page: + description: Number of entities per page. + maximum: 1000 + minimum: 1 + type: integer + records: + description: The entity records for this page. + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_Entity' + type: array + total: + description: Total number of entities matching the query. + minimum: 0 + type: integer required: - - connector_id - - discoveries - - execution_uuid - - loading_message - - start - - status - description: Indicates a successful call. - '400': + - records + - page + - per_page + - total + description: Entities returned successfully + summary: List Entity Store Entities + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_store/status: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/entity_store/status
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the overall Entity Store status and per-engine statuses, optionally including component-level health details. + operationId: GetEntityStoreStatus + parameters: + - description: If true, returns a detailed status of each engine including all its components. + example: true + in: query + name: include_components + schema: + type: boolean + responses: + '200': content: application/json: examples: - PostAttackDiscoveryGenerationsDismissResponse400Example: - summary: >- - Bad Request error returned when the dismiss request is - invalid. + entityStoreRunning: + description: The Entity Store is running with both host and user engines started and using default settings. + summary: Entity Store running with two engines value: - error: Bad Request - message: Invalid request parameters. - status_code: 400 + engines: + - delay: 1m + fieldHistoryLength: 10 + frequency: 1m + indexPattern: '' + lookbackPeriod: 24h + status: started + timeout: 180s + timestampField: '@timestamp' + type: host + - delay: 1m + fieldHistoryLength: 10 + frequency: 1m + indexPattern: '' + lookbackPeriod: 24h + status: started + timeout: 180s + timestampField: '@timestamp' + type: user + status: running schema: type: object properties: - error: - description: Error type or category - example: Bad Request - type: string - message: - description: >- - Human-readable error message describing what went wrong - with the request. - example: Invalid request parameters. - type: string - status_code: - description: HTTP status code indicating the type of client error - example: 400 - type: number + engines: + description: Per-engine status information. + items: + allOf: + - $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor' + - type: object + properties: + components: + description: Detailed component-level status. Only included when include_components is true. 
+ items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineComponentStatus' + type: array + type: array + status: + $ref: '#/components/schemas/Security_Entity_Analytics_API_StoreStatus' + description: The overall status of the Entity Store. required: - - status_code - - error - - message - description: Bad Request response. - summary: Dismiss an Attack Discovery generation + - status + - engines + description: Successful response + summary: Get the status of the Entity Store tags: - - Security Attack discovery API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request POST 'http://localhost:5601/api/attack_discovery/generations/46b218d5-535d-4329-be56-d0f6af6986b7/_dismiss' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" - /api/attack_discovery/schedules: - post: - description: >- - Creates a new Attack Discovery schedule that analyzes security alerts at - specified intervals. The schedule defines when and how Attack Discovery - analysis should run, including which alerts to analyze, which AI - connector to use, and what actions to take when discoveries are found. - operationId: CreateAttackDiscoverySchedules - requestBody: - content: - application/json: - examples: - CreateAttackDiscoverySchedulesRequestBodyExample: - summary: >- - Create a daily Attack Discovery schedule that runs every 24 - hours. 
- value: - actions: [] - enabled: true - name: Daily Security Analysis - params: - alerts_index_pattern: .alerts-security.alerts-default - api_config: - actionTypeId: bedrock - connectorId: my-bedrock-connector - name: Claude 3.5 Sonnet - end: now - size: 100 - start: now-24h - schedule: - interval: 24h - schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleCreateProps - description: >- - Attack Discovery schedule configuration including name, parameters, - schedule interval, and actions - required: true + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/exception_lists: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/exception_lists
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete an exception list using the `id` or `list_id` field. + operationId: DeleteExceptionList + parameters: + - description: Exception list's identifier. Either `id` or `list_id` must be specified. + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' + - description: Human readable exception list string identifier, e.g. `trusted-linux-processes`. Either `id` or `list_id` must be specified. + examples: + autogeneratedId: + value: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + list_id: + value: simple_list + in: query + name: list_id + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + - description: | + `single` deletes the list in the current Kibana space; `agnostic` deletes a global list. Must match the + list you are removing when using `list_id` or `id`. + examples: + agnostic: + value: agnostic + single: + value: single + in: query + name: namespace_type + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + default: single responses: '200': content: application/json: examples: - CreateAttackDiscoverySchedulesResponse200Example: - summary: A newly created Attack Discovery schedule. + detectionExceptionList: value: - actions: [] - created_at: '2023-10-31T10:00:00.000Z' + _version: WzIsMV0= + created_at: '2025-01-07T19:34:27.942Z' created_by: elastic - enabled: true - id: 12345678-1234-1234-1234-123456789012 - name: Daily Security Analysis - params: - alerts_index_pattern: .alerts-security.alerts-default - api_config: - actionTypeId: bedrock - connectorId: my-bedrock-connector - name: Claude 3.5 Sonnet - end: now - size: 100 - start: now-24h - schedule: - interval: 24h - updated_at: '2023-10-31T10:00:00.000Z' + description: This is a sample detection type exception list. 
+ id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 + immutable: false + list_id: simple_list + name: Sample Detection Exception List + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 + type: detection + updated_at: '2025-01-07T19:34:27.942Z' updated_by: elastic + version: 1 schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule - description: The Attack Discovery schedule was successfully created. - '400': - content: - application/json: - examples: - CreateAttackDiscoverySchedulesResponse400Example: - summary: >- - Bad Request error returned when the create schedule payload - is invalid. - value: - error: Bad Request - message: Invalid request parameters. - status_code: 400 - schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError - description: Bad Request response. - summary: Create Attack Discovery schedule - tags: - - Security Attack discovery API - x-codeSamples: - - label: Create an Attack Discovery schedule - lang: curl - source: | - curl \ - --request POST 'http://localhost:5601/api/attack_discovery/schedules' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" \ - --data '{ - "name": "Daily Security Analysis", - "enabled": true, - "params": { - "alerts_index_pattern": ".alerts-security.alerts-default", - "api_config": { - "actionTypeId": "bedrock", - "connectorId": "my-bedrock-connector", - "name": "Claude 3.5 Sonnet" - }, - "size": 100, - "start": "now-24h", - "end": "now" - }, - "schedule": { - "interval": "24h" - }, - "actions": [ - { - "action_type_id": ".cases", - "id": "system-connector-.cases", - "params": { - "subAction": "run", - "subActionParams": { - "timeWindow": "7d", - "reopenClosedCases": false, - "groupingBy": [], - "templateId": null - } - }, - "uuid": "12345678-1234-1234-1234-123456789012" - } - ] - }' - /api/attack_discovery/schedules/_bulk_delete: - post: 
- description: Deletes multiple Attack Discovery schedules by ID. - operationId: BulkDeleteAttackDiscoverySchedules - requestBody: - content: - application/json: - examples: - BulkDeleteAttackDiscoverySchedulesRequestBodyExample: - summary: Delete two Attack Discovery schedules. - value: - ids: - - 12345678-1234-1234-1234-123456789012 - - 98765432-1234-1234-1234-123456789012 - schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_BulkActionAttackDiscoverySchedulesRequestBody - required: true - responses: - '200': - content: - application/json: - examples: - BulkDeleteAttackDiscoverySchedulesResponse200Example: - summary: Bulk delete response for two successfully deleted schedules. - value: - errors: [] - ids: - - 12345678-1234-1234-1234-123456789012 - - 98765432-1234-1234-1234-123456789012 - total: 2 - schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_BulkActionAttackDiscoverySchedulesResponse - description: Successfully processed the bulk delete request. + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + description: Successful response '400': content: application/json: examples: - BulkDeleteAttackDiscoverySchedulesResponse400Example: - summary: >- - Bad Request error returned when the bulk delete payload is - invalid. + badRequest: value: error: Bad Request - message: Invalid request parameters. - status_code: 400 + message: '[request query]: namespace_type.0: Invalid enum value. Expected ''agnostic'' | ''single'', received ''blob''' + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError - description: Bad Request response. - summary: Bulk delete Attack Discovery schedules - tags: - - Security Attack discovery API - /api/attack_discovery/schedules/_bulk_disable: - post: - description: Disables multiple Attack Discovery schedules by ID. 
- operationId: BulkDisableAttackDiscoverySchedules - requestBody: - content: - application/json: - examples: - BulkDisableAttackDiscoverySchedulesRequestBodyExample: - summary: Disable two Attack Discovery schedules. - value: - ids: - - 12345678-1234-1234-1234-123456789012 - - 98765432-1234-1234-1234-123456789012 - schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_BulkActionAttackDiscoverySchedulesRequestBody - required: true - responses: - '200': + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response + '401': content: application/json: examples: - BulkDisableAttackDiscoverySchedulesResponse200Example: - summary: >- - Bulk disable response for two successfully disabled - schedules. + unauthorized: value: - errors: [] - ids: - - 12345678-1234-1234-1234-123456789012 - - 98765432-1234-1234-1234-123456789012 - total: 2 + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_BulkActionAttackDiscoverySchedulesResponse - description: Successfully processed the bulk disable request. - '400': + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': content: application/json: examples: - BulkDisableAttackDiscoverySchedulesResponse400Example: - summary: >- - Bad Request error returned when the bulk disable payload is - invalid. + forbidden: value: - error: Bad Request - message: Invalid request parameters. 
- status_code: 400 + error: Forbidden + message: API [DELETE /api/exception_lists?list_id=simple_list&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError - description: Bad Request response. - summary: Bulk disable Attack Discovery schedules - tags: - - Security Attack discovery API - /api/attack_discovery/schedules/_bulk_enable: - post: - description: Enables multiple Attack Discovery schedules by ID. - operationId: BulkEnableAttackDiscoverySchedules - requestBody: - content: - application/json: - examples: - BulkEnableAttackDiscoverySchedulesRequestBodyExample: - summary: Enable two Attack Discovery schedules. - value: - ids: - - 12345678-1234-1234-1234-123456789012 - - 98765432-1234-1234-1234-123456789012 - schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_BulkActionAttackDiscoverySchedulesRequestBody - required: true - responses: - '200': + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '404': content: application/json: examples: - BulkEnableAttackDiscoverySchedulesResponse200Example: - summary: Bulk enable response for two successfully enabled schedules. + notFound: value: - errors: [] - ids: - - 12345678-1234-1234-1234-123456789012 - - 98765432-1234-1234-1234-123456789012 - total: 2 + message: 'exception list list_id: "foo" does not exist' + status_code: 404 schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_BulkActionAttackDiscoverySchedulesResponse - description: Successfully processed the bulk enable request. 
- '400': + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list not found response + '500': content: application/json: examples: - BulkEnableAttackDiscoverySchedulesResponse400Example: - summary: >- - Bad Request error returned when the bulk enable payload is - invalid. + serverError: value: - error: Bad Request - message: Invalid request parameters. - status_code: 400 + message: Internal Server Error + status_code: 500 schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError - description: Bad Request response. - summary: Bulk enable Attack Discovery schedules + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Delete an exception list tags: - - Security Attack discovery API - /api/attack_discovery/schedules/_find: + - Security Exceptions API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name get: - description: >- - Find Attack Discovery schedules that match the search criteria. Supports - pagination and sorting by various fields. - operationId: FindAttackDiscoverySchedules + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/exception_lists
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the details of an exception list using the `id` or `list_id` field. + operationId: ReadExceptionList parameters: - - description: Page number to return (used for pagination). Defaults to 1. - example: 1 - in: query - name: page - required: false - schema: - type: number - - description: >- - Number of Attack Discovery schedules to return per page (used for - pagination). Defaults to 10. - example: 10 + - description: Exception list's identifier. Either `id` or `list_id` must be specified. in: query - name: per_page + name: id required: false schema: - type: number - - description: >- - Field used to sort results. Common fields include 'name', - 'created_at', 'updated_at', and 'enabled'. - example: name + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' + - description: Human readable exception list string identifier, e.g. `trusted-linux-processes`. Either `id` or `list_id` must be specified. in: query - name: sort_field + name: list_id required: false schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' - - description: >- - Sort order direction. Use 'asc' for ascending or 'desc' for - descending. Defaults to 'asc'. - example: asc + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + - description: | + When `single`, the list is resolved in the current Kibana space. When `agnostic`, the list is a global + (space-agnostic) container. Required for looking up the correct list when `list_id` is not unique. 
+ examples: + agnostic: + value: agnostic + single: + value: single in: query - name: sort_direction + name: namespace_type required: false schema: - enum: - - asc - - desc - type: string + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + default: single responses: '200': content: application/json: examples: - FindAttackDiscoverySchedulesResponse200Example: - summary: >- - Paginated list of Attack Discovery schedules matching the - search criteria. + detectionType: value: - data: - - actions: [] - created_at: '2023-10-31T10:00:00.000Z' - created_by: elastic - enabled: true - id: 12345678-1234-1234-1234-123456789012 - name: Daily Security Analysis - params: - alerts_index_pattern: .alerts-security.alerts-default - api_config: - actionTypeId: bedrock - connectorId: my-bedrock-connector - name: Claude 3.5 Sonnet - end: now - size: 100 - start: now-24h - schedule: - interval: 24h - updated_at: '2023-10-31T10:00:00.000Z' - updated_by: elastic - page: 1 - per_page: 10 - total: 1 + _version: WzIsMV0= + created_at: '2025-01-07T19:34:27.942Z' + created_by: elastic + description: This is a sample detection type exception list. + id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 + immutable: false + list_id: simple_list + name: Sample Detection Exception List + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 + type: detection + updated_at: '2025-01-07T19:34:27.942Z' + updated_by: elastic + version: 1 schema: - type: object - properties: - data: - description: Array of matched Attack Discovery schedule objects. - items: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule - type: array - page: - description: Current page number of the paginated result set. - type: number - per_page: - description: Number of items requested per page. 
- type: number - total: - description: >- - Total number of Attack Discovery schedules matching the - query (across all pages). - type: number - required: - - page - - per_page - - total - - data - description: Indicates a successful call. + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + description: Successful response '400': content: application/json: examples: - FindAttackDiscoverySchedulesResponse400Example: - summary: >- - Bad Request error returned when find-schedules query - parameters are invalid. + badRequest: value: error: Bad Request - message: Invalid request payload. - status_code: 400 + message: '[request query]: namespace_type.0: Invalid enum value. Expected ''agnostic'' | ''single'', received ''blob''' + statusCode: 400 schema: - type: object - properties: - error: - description: Error type - example: Bad Request - type: string - message: - description: Human-readable error message - example: Invalid request payload. - type: string - status_code: - description: HTTP status code - example: 400 - type: number - description: Bad Request response. - summary: Find Attack Discovery schedules that match the search criteria - tags: - - Security Attack discovery API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request GET 'http://localhost:5601/api/attack_discovery/schedules/_find' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" - /api/attack_discovery/schedules/{id}: - delete: - description: >- - Permanently deletes an Attack Discovery schedule and all associated - configuration. - operationId: DeleteAttackDiscoverySchedules - parameters: - - description: >- - The unique identifier (UUID) of the Attack Discovery schedule to - delete. This ID is returned when creating a schedule and can be - found in schedule listings. 
- example: 12345678-1234-1234-1234-123456789012 - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' - responses: - '200': + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response + '401': content: application/json: examples: - DeleteAttackDiscoverySchedulesResponse200Example: - summary: >- - Confirmation returned after deleting an Attack Discovery - schedule. + unauthorized: value: - id: 12345678-1234-1234-1234-123456789012 + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 schema: - type: object - properties: - id: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_NonEmptyString - description: >- - The unique identifier of the deleted Attack Discovery - schedule - required: - - id - description: >- - Successfully deleted Attack Discovery schedule, returning the ID of - the deleted schedule for confirmation - '400': + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': content: application/json: examples: - DeleteAttackDiscoverySchedulesResponse400Example: - summary: >- - Bad Request error returned when the delete schedule request - is invalid. + forbidden: value: - error: Bad Request - message: Invalid request parameters. 
- status_code: 400 + error: Forbidden + message: API [GET /api/exception_lists?list_id=simple_list&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] + statusCode: 403 schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError - description: Bad Request response. - summary: Delete Attack Discovery schedule - tags: - - Security Attack discovery API - x-codeSamples: - - label: Delete an Attack Discovery schedule - lang: curl - source: | - curl \ - --request DELETE 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" - get: - description: >- - Retrieves a specific Attack Discovery schedule by its unique identifier. - Returns complete schedule configuration including parameters, interval - settings, associated actions, and execution history. - operationId: GetAttackDiscoverySchedules - parameters: - - description: >- - The unique identifier (UUID) of the Attack Discovery schedule to - retrieve. This ID is returned when creating a schedule and can be - found in schedule listings. - example: 12345678-1234-1234-1234-123456789012 - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' - responses: - '200': + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '404': content: application/json: examples: - GetAttackDiscoverySchedulesResponse200Example: - summary: >- - An Attack Discovery schedule retrieved by ID, including last - execution metadata. 
+ notFound: value: - actions: [] - created_at: '2023-10-31T10:00:00.000Z' - created_by: elastic - enabled: true - id: 12345678-1234-1234-1234-123456789012 - last_execution: - date: '2023-10-31T10:00:00.000Z' - last_duration: 45.2 - status: ok - name: Daily Security Analysis - params: - alerts_index_pattern: .alerts-security.alerts-default - api_config: - actionTypeId: bedrock - connectorId: my-bedrock-connector - name: Claude 3.5 Sonnet - end: now - size: 100 - start: now-24h - schedule: - interval: 24h - updated_at: '2023-10-31T10:00:00.000Z' - updated_by: elastic + message": 'exception list id: "foo" does not exist' + status_code": 404 schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule - description: >- - Successfully retrieved Attack Discovery schedule with complete - configuration and metadata - '400': + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list item not found response + '500': content: application/json: examples: - GetAttackDiscoverySchedulesResponse400Example: - summary: >- - Bad Request error returned when the get-schedule request is - invalid. + serverError: value: - error: Bad Request - message: Invalid request parameters. - status_code: 400 + message: Internal Server Error + status_code: 500 schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError - description: Bad Request response. 
- summary: Get Attack Discovery schedule by ID + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Get exception list details tags: - - Security Attack discovery API - x-codeSamples: - - label: Get an Attack Discovery schedule by ID - lang: curl - source: | - curl \ - --request GET 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" - put: - description: >- - Updates an existing Attack Discovery schedule with new configuration. - All schedule properties can be modified including name, parameters, - interval, and actions. The update operation replaces the entire schedule - configuration with the provided values. - operationId: UpdateAttackDiscoverySchedules - parameters: - - description: >- - The unique identifier (UUID) of the Attack Discovery schedule to - update. This ID is returned when creating a schedule and can be - found in schedule listings. - example: 12345678-1234-1234-1234-123456789012 - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + - Security Exceptions API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/exception_lists
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + An exception list groups exception items and can be associated with detection rules. You can assign exception lists to multiple detection rules. + > info + > All exception items added to the same list are evaluated using `OR` logic. That is, if any of the items in a list evaluate to `true`, the exception prevents the rule from generating an alert. Likewise, `OR` logic is used for evaluating exceptions when more than one exception list is assigned to a rule. To use the `AND` operator, you can define multiple clauses (`entries`) in a single exception item. + operationId: CreateExceptionList requestBody: content: application/json: examples: - UpdateAttackDiscoverySchedulesRequestBodyExample: - summary: >- - Update an Attack Discovery schedule to run every 12 hours over - a 48-hour window. + createDetection: value: - actions: [] - name: Updated Daily Security Analysis - params: - alerts_index_pattern: .alerts-security.alerts-default - api_config: - actionTypeId: bedrock - connectorId: my-bedrock-connector - name: Claude 3.5 Sonnet - end: now - size: 200 - start: now-48h - schedule: - interval: 12h + description: This is a sample detection type exception list. + list_id: simple_list + name: Sample Detection Exception List + namespace_type: single + os_types: + - linux + tags: + - malware + type: detection schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleUpdateProps - description: >- - Updated Attack Discovery schedule configuration. All fields are - required as this replaces the entire schedule configuration. + example: + description: This is a sample detection type exception list. 
+ list_id: simple_list + name: Sample Detection Exception List + namespace_type: single + os_types: + - linux + tags: + - malware + type: detection + type: object + properties: + description: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListDescription' + list_id: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + meta: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListMeta' + name: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListName' + namespace_type: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + default: single + os_types: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray' + tags: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListTags' + default: [] + type: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListType' + version: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListVersion' + default: 1 + required: + - name + - description + - type + description: Exception list's properties required: true responses: '200': content: application/json: examples: - UpdateAttackDiscoverySchedulesResponse200Example: - summary: An Attack Discovery schedule after being updated. + autogeneratedListId: value: - actions: [] - created_at: '2023-10-31T10:00:00.000Z' + _version: WzMsMV0= + created_at: '2025-01-09T01:05:23.019Z' created_by: elastic - enabled: true - id: 12345678-1234-1234-1234-123456789012 - name: Updated Daily Security Analysis - params: - alerts_index_pattern: .alerts-security.alerts-default - api_config: - actionTypeId: bedrock - connectorId: my-bedrock-connector - name: Claude 3.5 Sonnet - end: now - size: 200 - start: now-48h - schedule: - interval: 12h - updated_at: '2023-10-31T12:00:00.000Z' + description: This is a sample detection type exception with an autogenerated list_id. 
+ id: 28243c2f-624a-4443-823d-c0b894880931 + immutable: false + list_id: 8c1aae4c-1ef5-4bce-a2e3-16584b501783 + name: Sample Detection Exception List + namespace_type: single + os_types: [] + tags: + - malware + tie_breaker_id: ad94de31-39f7-4ad7-b8e4-988bfa95f338 + type: detection + updated_at: '2025-01-09T01:05:23.020Z' + updated_by: elastic + version: 1 + namespaceAgnostic: + value: + _version: WzUsMV0= + created_at: '2025-01-09T01:10:36.369Z' + created_by: elastic + description: This is a sample agnostic endpoint type exception. + id: 1a744e77-22ca-4b6b-9085-54f55275ebe5 + immutable: false + list_id: b935eb55-7b21-4c1c-b235-faa1df23b3d6 + name: Sample Agnostic Endpoint Exception List + namespace_type: agnostic + os_types: + - linux + tags: + - malware + tie_breaker_id: 49ea0adc-a2b8-4d83-a8f3-2fb98301dea3 + type: endpoint + updated_at: '2025-01-09T01:10:36.369Z' + updated_by: elastic + version: 1 + typeDetection: + value: + _version: WzIsMV0= + created_at: '2025-01-07T19:34:27.942Z' + created_by: elastic + description: This is a sample detection type exception list. + id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 + immutable: false + list_id: simple_list + name: Sample Detection Exception List + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 + type: detection + updated_at: '2025-01-07T19:34:27.942Z' + updated_by: elastic + version: 1 + typeEndpoint: + value: + _version: WzQsMV0= + created_at: '2025-01-09T01:07:49.658Z' + created_by: elastic + description: This is a sample endpoint type exception list. 
+ id: a79f4730-6e32-4278-abfc-349c0add7d54 + immutable: false + list_id: endpoint_list + name: Sample Endpoint Exception List + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 94a028af-8f47-427a-aca5-ffaf829e64ee + type: endpoint + updated_at: '2025-01-09T01:07:49.658Z' updated_by: elastic + version: 1 schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule - description: >- - Successfully updated Attack Discovery schedule with the new - configuration and metadata + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + description: Successful response '400': content: application/json: examples: - UpdateAttackDiscoverySchedulesResponse400Example: - summary: >- - Bad Request error returned when the update schedule payload - is invalid. + badRequest: value: error: Bad Request - message: Invalid request parameters. - status_code: 400 + message: '[request body]: list_id: Expected string, received number' + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError - description: Bad Request response. 
- summary: Update Attack Discovery schedule - tags: - - Security Attack discovery API - x-codeSamples: - - label: Update an Attack Discovery schedule - lang: curl - source: | - curl \ - --request PUT 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" \ - --data '{ - "name": "Updated Daily Security Analysis", - "params": { - "alerts_index_pattern": ".alerts-security.alerts-default", - "api_config": { - "actionTypeId": "bedrock", - "connectorId": "my-bedrock-connector", - "name": "Claude 3.5 Sonnet" - }, - "size": 200, - "start": "now-48h", - "end": "now" - }, - "schedule": { - "interval": "12h" - }, - "actions": [] - }' - /api/attack_discovery/schedules/{id}/_disable: - post: - description: >- - Disables an Attack Discovery schedule, preventing it from running - according to its configured interval. The schedule configuration is - preserved and can be re-enabled later. Any currently running executions - will complete, but no new executions will be started. - operationId: DisableAttackDiscoverySchedules - parameters: - - description: >- - The unique identifier (UUID) of the Attack Discovery schedule to - disable. This ID is returned when creating a schedule and can be - found in schedule listings. - example: 12345678-1234-1234-1234-123456789012 - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' - responses: - '200': + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response + '401': content: application/json: examples: - DisableAttackDiscoverySchedulesResponse200Example: - summary: >- - Confirmation returned after disabling an Attack Discovery - schedule. 
+ unauthorized: value: - id: 12345678-1234-1234-1234-123456789012 + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 schema: - type: object - properties: - id: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_NonEmptyString - description: >- - The unique identifier of the disabled Attack Discovery - schedule - required: - - id - description: >- - Successfully disabled Attack Discovery schedule, returning the - schedule ID for confirmation - '400': + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': content: application/json: examples: - DisableAttackDiscoverySchedulesResponse400Example: - summary: >- - Bad Request error returned when the disable schedule request - is invalid. + forbidden: value: - error: Bad Request - message: Invalid request parameters. - status_code: 400 + error: Forbidden + message: API [POST /api/exception_lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError - description: Bad Request response. 
- summary: Disable Attack Discovery schedule + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '409': + content: + application/json: + examples: + alreadyExists: + value: + message: 'exception list id: "simple_list" already exists' + status_code: 409 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list already exists response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Create an exception list tags: - - Security Attack discovery API - x-codeSamples: - - label: Disable an Attack Discovery schedule - lang: curl - source: | - curl \ - --request POST 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012/_disable' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" - /api/attack_discovery/schedules/{id}/_enable: - post: - description: >- - Enables a previously disabled Attack Discovery schedule, allowing it to - run according to its configured interval. Once enabled, the schedule - will begin executing at the next scheduled time based on its interval - configuration. - operationId: EnableAttackDiscoverySchedules - parameters: - - description: >- - The unique identifier (UUID) of the Attack Discovery schedule to - enable. This ID is returned when creating a schedule and can be - found in schedule listings. 
- example: 12345678-1234-1234-1234-123456789012 - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + - Security Exceptions API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/exception_lists
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an exception list using the `id` or `list_id` field. + operationId: UpdateExceptionList + requestBody: + content: + application/json: + examples: + fullReplace: + value: + description: Different description + list_id: simple_list + name: Updated exception list name + os_types: + - linux + tags: + - draft + - malware + type: detection + schema: + example: + description: Different description + list_id: simple_list + name: Updated exception list name + os_types: + - linux + tags: + - draft malware + type: detection + type: object + properties: + _version: + description: The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version. + type: string + description: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListDescription' + id: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' + list_id: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + meta: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListMeta' + name: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListName' + namespace_type: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + default: single + os_types: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray' + default: [] + tags: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListTags' + type: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListType' + version: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListVersion' + required: + - name + - description + - type + description: Exception list's properties + required: true responses: '200': content: application/json: examples: - EnableAttackDiscoverySchedulesResponse200Example: - summary: >- - Confirmation returned after enabling an 
Attack Discovery - schedule. + simpleList: value: - id: 12345678-1234-1234-1234-123456789012 + _version: WzExLDFd + created_at: '2025-01-07T20:43:55.264Z' + created_by: elastic + description: Different description + id: fa7f545f-191b-4d32-b1f0-c7cd62a79e55 + immutable: false + list_id: simple_list + name: Updated exception list name + namespace_type: single + os_types: [] + tags: + - draft malware + tie_breaker_id: 319fe983-acdd-4806-b6c4-3098eae9392f + type: detection + updated_at: '2025-01-07T21:32:03.726Z' + updated_by: elastic + version: 2 schema: - type: object - properties: - id: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_NonEmptyString - description: >- - The unique identifier of the enabled Attack Discovery - schedule - required: - - id - description: >- - Successfully enabled Attack Discovery schedule, returning the - schedule ID for confirmation + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + description: Successful response '400': content: application/json: examples: - EnableAttackDiscoverySchedulesResponse400Example: - summary: >- - Bad Request error returned when the enable schedule request - is invalid. + badRequest: value: error: Bad Request - message: Invalid request parameters. - status_code: 400 - schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError - description: Bad Request response. - summary: Enable Attack Discovery schedule - tags: - - Security Attack discovery API - x-codeSamples: - - label: Enable an Attack Discovery schedule - lang: curl - source: | - curl \ - --request POST 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012/_enable' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" - /api/data_views: - get: - description: > - Retrieve a list of all data views. Use this endpoint to identify - available data views in the current Kibana space. 
- operationId: getAllDataViewsDefault - responses: - '200': - content: - application/json: - examples: - getAllDataViewsResponse: - $ref: '#/components/examples/Data_views_get_data_views_response' + message: '[request body]: list_id: Expected string, received number' + statusCode: 400 schema: - type: object - properties: - data_view: - items: - type: object - properties: - id: - type: string - name: - type: string - namespaces: - items: - type: string - type: array - title: - type: string - typeMeta: - type: object - type: array - description: Indicates a successful call. - '400': + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response + '401': content: application/json: examples: - getAllDataViewsBadRequest: - $ref: '#/components/examples/Data_views_error_400_response' + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Get all data views - tags: - - data views - x-codeSamples: - - lang: curl - source: | - curl \ - -X GET "${KIBANA_URL}/api/data_views" \ - -H "Authorization: ApiKey ${API_KEY}" - - lang: Console - source: | - GET kbn://api/data_views - /api/data_views/data_view: - post: - description: > - Create a data view. Data views identify the Elasticsearch data you want - to explore and visualize. They can point to one or more data streams, - indices, or index aliases, and use optional runtime fields to compute - values at query time. Note that data views are not required for - ES|QL-based visualizations. 
To learn more, refer to the [data views - documentation](https://www.elastic.co/docs/explore-analyze/find-and-organize/data-views). - operationId: createDataViewDefaultw - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - requestBody: - content: - application/json: - examples: - createDataViewRequest: - $ref: '#/components/examples/Data_views_create_data_view_request' - schema: - $ref: '#/components/schemas/Data_views_create_data_view_request_object' - required: true - responses: - '200': + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': content: application/json: examples: - createDataViewResponse: - $ref: '#/components/examples/Data_views_create_data_view_response' + forbidden: + value: + error: Forbidden + message: API [PUT /api/exception_lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 schema: - $ref: '#/components/schemas/Data_views_data_view_response_object' - description: Indicates a successful call. 
- '400': + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '404': content: application/json: examples: - createDataViewBadRequest: - $ref: '#/components/examples/Data_views_error_400_response' + notFound: + value: + message": 'exception list id: "foo" does not exist' + status_code": 404 schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Create a data view - tags: - - data views - x-codeSamples: - - lang: curl - source: | - curl \ - -X POST "${KIBANA_URL}/api/data_views/data_view" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" \ - -H "Content-Type: application/json" \ - -d '{"data_view":{"title":"logstash-*","name":"My Logstash data view"}}' - - lang: Console - source: | - POST kbn://api/data_views/data_view - {"data_view":{"title":"logstash-*","name":"My Logstash data view"}} - /api/data_views/data_view/{viewId}: - delete: - description: > - Delete a data view by its identifier. WARNING: When you delete a data - view, it cannot be recovered. - operationId: deleteDataViewDefault - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - - $ref: '#/components/parameters/Data_views_view_id' - responses: - '204': - description: Indicates a successful call. - '404': + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list not found response + '500': content: application/json: examples: - deleteDataViewNotFound: - $ref: '#/components/examples/Data_views_error_404_response' + serverError: + value: + message: Internal Server Error + status_code: 500 schema: - $ref: '#/components/schemas/Data_views_404_response' - description: Object is not found. 
- summary: Delete a data view + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Update an exception list tags: - - data views - x-codeSamples: - - lang: curl - source: | - curl \ - -X DELETE "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" - - lang: Console - source: | - DELETE kbn://api/data_views/data_view/{viewId} - get: - description: > - Retrieve a single data view by its identifier. Data views identify the - Elasticsearch data you want to explore and visualize. They can point to - one or more data streams, indices, or index aliases, and use optional - runtime fields to compute values at query time. Note that data views are - not required for ES|QL-based visualizations. To learn more, refer to the - [data views - documentation](https://www.elastic.co/docs/explore-analyze/find-and-organize/data-views). - operationId: getDataViewDefault + - Security Exceptions API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/exception_lists/_duplicate: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/exception_lists/_duplicate
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Duplicate an existing exception list. + operationId: DuplicateExceptionList parameters: - - $ref: '#/components/parameters/Data_views_view_id' + - description: The `list_id` of the existing exception list to copy (source list). + in: query + name: list_id + required: true + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + - description: Scope in which the source list is defined (`single` = current space, `agnostic` = all spaces). + examples: + agnostic: + value: agnostic + single: + value: single + in: query + name: namespace_type + required: true + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + - description: Determines whether to include expired exceptions in the duplicated list. Expiration date defined by `expire_time`. + in: query + name: include_expired_exceptions + required: true + schema: + default: 'true' + enum: + - 'true' + - 'false' + example: true + type: string responses: '200': content: application/json: examples: - getDataViewResponse: - $ref: '#/components/examples/Data_views_get_data_view_response' + detectionExceptionList: + value: + _version: WzExNDY1LDFd + created_at: '2025-01-09T16:19:50.280Z' + created_by: elastic + description: This is a sample detection type exception + id: b2f4a715-6ab1-444c-8b1e-3fa1b1049429 + immutable: false + list_id: d6390d60-bce3-4a48-9002-52db600f329c + name: Sample Detection Exception List [Duplicate] + namespace_type: single + os_types: [] + tags: + - malware + tie_breaker_id: 6fa670bd-666d-4c9c-9f1e-d1dbc516e985 + type: detection + updated_at: '2025-01-09T16:19:50.280Z' + updated_by: elastic + version: 1 schema: - $ref: '#/components/schemas/Data_views_data_view_response_object' - description: Indicates a successful call. 
- '404': + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + description: Successful response + '400': content: application/json: examples: - getDataViewNotFound: - $ref: '#/components/examples/Data_views_error_404_response' + badRequest: + value: + error: Bad Request + message: '[request query]: namespace_type: Invalid enum value. Expected ''agnostic'' | ''single'', received ''foo''' + statusCode: 400 schema: - $ref: '#/components/schemas/Data_views_404_response' - description: Object is not found. - summary: Get a data view - tags: - - data views - x-codeSamples: - - lang: curl - source: | - curl \ - -X GET "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}" \ - -H "Authorization: ApiKey ${API_KEY}" - - lang: Console - source: | - GET kbn://api/data_views/data_view/{viewId} - post: - description: > - Update an existing data view. Only the fields provided in the request - body are updated. - operationId: updateDataViewDefault - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - - $ref: '#/components/parameters/Data_views_view_id' - requestBody: - content: - application/json: - examples: - updateDataViewRequest: - $ref: '#/components/examples/Data_views_update_data_view_request' - schema: - $ref: '#/components/schemas/Data_views_update_data_view_request_object' - required: true - responses: - '200': + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response + '401': content: application/json: examples: - updateDataViewResponse: - $ref: '#/components/examples/Data_views_get_data_view_response' + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + 
statusCode: 401 schema: - $ref: '#/components/schemas/Data_views_data_view_response_object' - description: Indicates a successful call. - '400': + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': content: application/json: examples: - updateDataViewBadRequest: - $ref: '#/components/examples/Data_views_error_400_response' + forbidden: + value: + error: Forbidden + message: API [POST /api/exception_lists/_duplicate] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Update a data view - tags: - - data views - x-codeSamples: - - lang: curl - source: | - curl \ - -X POST "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" \ - -H "Content-Type: application/json" \ - -d '{"data_view":{"name":"Updated data view name"}}' - - lang: Console - source: | - POST kbn://api/data_views/data_view/{viewId} - {"data_view":{"name":"Updated data view name"}} - /api/data_views/data_view/{viewId}/fields: - post: - description: > - Update field metadata for a data view. Use this endpoint to set custom - labels, custom descriptions, and format overrides for individual fields. - operationId: updateFieldsMetadataDefault - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - - $ref: '#/components/parameters/Data_views_view_id' - requestBody: - content: - application/json: - examples: - updateFieldsMetadataRequest: - $ref: '#/components/examples/Data_views_update_field_metadata_request' - schema: - type: object - properties: - fields: - description: The field object. 
- type: object - required: - - fields - required: true - responses: - '200': + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '404': content: application/json: examples: - updateFieldsMetadataResponse: - $ref: >- - #/components/examples/Data_views_update_field_metadata_response + notFound: + value: + message: 'exception list id: "foo" does not exist' + status_code: 404 schema: - type: object - properties: - acknowledged: - type: boolean - description: Indicates a successful call. - '400': + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Exception list not found + '405': content: application/json: examples: - updateFieldsMetadataBadRequest: - $ref: '#/components/examples/Data_views_error_400_response' + notAllowed: + value: + message: 'Cannot duplicate: list is immutable or the operation is not allowed in this state' + status_code: 405 schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Update field metadata - tags: - - data views - x-codeSamples: - - lang: curl - source: | - curl \ - -X POST "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}/fields" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" \ - -H "Content-Type: application/json" \ - -d '{"fields":{"field_name":{"customLabel":"My custom label"}}}' - - lang: Console - source: | - POST kbn://api/data_views/data_view/{viewId}/fields - {"fields":{"field_name":{"customLabel":"My custom label"}}} - /api/data_views/data_view/{viewId}/runtime_field: - post: - description: > - Create a runtime field for a data view. Runtime fields are computed at - query time using a [Painless - script](https://www.elastic.co/docs/explore-analyze/scripting/modules-scripting-painless) - and do not require reindexing. If no `script` is provided, the runtime - field returns the corresponding value from the document `_source`. 
- operationId: createRuntimeFieldDefault - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - - $ref: '#/components/parameters/Data_views_view_id' - requestBody: - content: - application/json: - examples: - createRuntimeFieldRequest: - $ref: '#/components/examples/Data_views_create_runtime_field_request' - schema: - type: object - properties: - name: - description: | - The name for a runtime field. - type: string - runtimeField: - description: | - The runtime field definition object. - type: object - required: - - name - - runtimeField - required: true - responses: - '200': + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list to duplicate not found response + '500': content: application/json: examples: - createRuntimeFieldResponse: - $ref: >- - #/components/examples/Data_views_create_runtime_field_response + serverError: + value: + message: Internal Server Error + status_code: 500 schema: - type: object - description: Indicates a successful call. 
- summary: Create a runtime field + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Duplicate an exception list tags: - - data views - x-codeSamples: - - lang: curl - source: | - curl \ - -X POST "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}/runtime_field" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" \ - -H "Content-Type: application/json" \ - -d '{"name":"hour_of_day","runtimeField":{"type":"long","script":{"source":"emit(doc['"'"'timestamp'"'"'].value.getHour())"}}}' - - lang: Console - source: > - POST kbn://api/data_views/data_view/{viewId}/runtime_field + - Security Exceptions API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/exception_lists/_export: + post: + description: |- + **Spaces method and path for this operation:** - {"name":"hour_of_day","runtimeField":{"type":"long","script":{"source":"emit(doc['timestamp'].value.getHour())"}}} - put: - description: > - Create or update a runtime field for a data view. If the runtime field - already exists, it is replaced with the new definition. - operationId: createUpdateRuntimeFieldDefault +
post /s/{space_id}/api/exception_lists/_export
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Export an exception list and its associated items to an NDJSON file. + operationId: ExportExceptionList parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - - description: | - The ID of the data view fields you want to update. - in: path - name: viewId + - description: Exception list's internal `id` (UUID) returned on create; use with `list_id` and `namespace_type` for an unambiguous target. + in: query + name: id required: true schema: - type: string - requestBody: - content: - application/json: - examples: - updateRuntimeFieldRequest: - $ref: '#/components/examples/Data_views_create_runtime_field_request' - schema: - type: object - properties: - name: - description: | - The name for a runtime field. - type: string - runtimeField: - description: | - The runtime field definition object. - type: object - required: - - name - - runtimeField - required: true + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' + - description: Human-readable `list_id` of the exception list to export, as shown in the UI and API responses. + in: query + name: list_id + required: true + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + - description: | + `single` exports a list in the current Kibana space; `agnostic` exports a global (space-agnostic) list. + examples: + agnostic: + value: agnostic + single: + value: single + in: query + name: namespace_type + required: true + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + - description: Determines whether to include expired exceptions in the exported list. Expiration date defined by `expire_time`. 
+ example: true + in: query + name: include_expired_exceptions + required: true + schema: + default: 'true' + enum: + - 'true' + - 'false' + type: string responses: '200': content: - application/json: + application/ndjson: examples: - createUpdateRuntimeFieldResponse: - $ref: >- - #/components/examples/Data_views_create_runtime_field_response + exportSavedObjectsResponse: + value: | + {"_version":"WzExNDU5LDFd","created_at":"2025-01-09T16:18:17.757Z","created_by":"elastic","description":"This is a sample detection type exception","id":"c86c2da0-2ab6-4343-b81c-216ef27e8d75","immutable":false,"list_id":"simple_list","name":"Sample Detection Exception List","namespace_type":"single","os_types":[],"tags":["user added string for a tag","malware"],"tie_breaker_id":"cf4a7b92-732d-47f0-a0d5-49a35a1736bf","type":"detection","updated_at":"2025-01-09T16:18:17.757Z","updated_by":"elastic","version":1} + {"_version":"WzExNDYxLDFd","comments":[],"created_at":"2025-01-09T16:18:42.308Z","created_by":"elastic","description":"This is a sample endpoint type exception","entries":[{"type":"exists","field":"actingProcess.file.signer","operator":"excluded"},{"type":"match_any","field":"host.name","value":["some host","another host"],"operator":"included"}],"id":"f37597ce-eaa7-4b64-9100-4301118f6806","item_id":"simple_list_item","list_id":"simple_list","name":"Sample Endpoint Exception List","namespace_type":"single","os_types":["linux"],"tags":["user added string for a tag","malware"],"tie_breaker_id":"4ca3ef3e-9721-42c0-8107-cf47e094d40f","type":"simple","updated_at":"2025-01-09T16:18:42.308Z","updated_by":"elastic"} + {"exported_exception_list_count":1,"exported_exception_list_item_count":1,"missing_exception_list_item_count":0,"missing_exception_list_items":[],"missing_exception_lists":[],"missing_exception_lists_count":0} schema: - type: object - properties: - data_view: - type: object - fields: - items: - type: object - type: array - description: Indicates a successful call. 
+ description: A `.ndjson` file containing specified exception list and its items + format: binary + type: string + description: Successful response '400': content: application/json: examples: - createUpdateRuntimeFieldBadRequest: - $ref: '#/components/examples/Data_views_error_400_response' + badRequest: + value: + error: Bad Request + message: '[request query]: list_id: Required, namespace_type: Required' + statusCode: 400 schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Create or update a runtime field - tags: - - data views - x-codeSamples: - - lang: curl - source: | - curl \ - -X PUT "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}/runtime_field" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" \ - -H "Content-Type: application/json" \ - -d '{"name":"hour_of_day","runtimeField":{"type":"long","script":{"source":"emit(doc['"'"'timestamp'"'"'].value.getHour())"}}}' - - lang: Console - source: > - PUT kbn://api/data_views/data_view/{viewId}/runtime_field - - {"name":"hour_of_day","runtimeField":{"type":"long","script":{"source":"emit(doc['timestamp'].value.getHour())"}}} - /api/data_views/data_view/{viewId}/runtime_field/{fieldName}: - delete: - description: | - Delete a runtime field from a data view. - operationId: deleteRuntimeFieldDefault - parameters: - - $ref: '#/components/parameters/Data_views_field_name' - - $ref: '#/components/parameters/Data_views_view_id' - responses: - '200': - description: Indicates a successful call. 
- '404': + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response + '401': content: application/json: examples: - deleteRuntimeFieldNotFound: - $ref: '#/components/examples/Data_views_error_404_response' + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 schema: - $ref: '#/components/schemas/Data_views_404_response' - description: Object is not found. - summary: Delete a runtime field - tags: - - data views - x-codeSamples: - - lang: curl - source: | - curl \ - -X DELETE "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}/runtime_field/${FIELD_NAME}" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" - - lang: Console - source: > - DELETE - kbn://api/data_views/data_view/{viewId}/runtime_field/{fieldName} - get: - description: | - Retrieve a single runtime field by name from a data view. 
- operationId: getRuntimeFieldDefault - parameters: - - $ref: '#/components/parameters/Data_views_field_name' - - $ref: '#/components/parameters/Data_views_view_id' - responses: - '200': + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': content: application/json: examples: - getRuntimeFieldResponse: - $ref: '#/components/examples/Data_views_get_runtime_field_response' + forbidden: + value: + error: Forbidden + message: API [POST /api/exception_lists/_export] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 schema: - type: object - properties: - data_view: - type: object - fields: - items: - type: object - type: array - description: Indicates a successful call. + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response '404': content: application/json: examples: - getRuntimeFieldNotFound: - $ref: '#/components/examples/Data_views_error_404_response' + notFound: + value: + message": 'exception list id: "foo" does not exist' + status_code": 404 schema: - $ref: '#/components/schemas/Data_views_404_response' - description: Object is not found. - summary: Get a runtime field - tags: - - data views - x-codeSamples: - - lang: curl - source: | - curl \ - -X GET "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}/runtime_field/${FIELD_NAME}" \ - -H "Authorization: ApiKey ${API_KEY}" - - lang: Console - source: > - GET - kbn://api/data_views/data_view/{viewId}/runtime_field/{fieldName} - post: - description: > - Update an existing runtime field in a data view. Only the fields - provided in the request body are updated. 
- operationId: updateRuntimeFieldDefault - parameters: - - $ref: '#/components/parameters/Data_views_field_name' - - $ref: '#/components/parameters/Data_views_view_id' - requestBody: - content: - application/json: - examples: - updateRuntimeFieldRequest: - $ref: '#/components/examples/Data_views_update_runtime_field_request' - schema: - type: object - properties: - runtimeField: - description: | - The runtime field definition object. - - You can update following fields: - - - `type` - - `script` - type: object - required: - - runtimeField - required: true - responses: - '200': - description: Indicates a successful call. - '400': + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list not found response + '500': content: application/json: examples: - updateRuntimeFieldBadRequest: - $ref: '#/components/examples/Data_views_error_400_response' + serverError: + value: + message: Internal Server Error + status_code: 500 schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Update a runtime field + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Export an exception list tags: - - data views - x-codeSamples: - - lang: curl - source: | - curl \ - -X POST "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}/runtime_field/${FIELD_NAME}" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" \ - -H "Content-Type: application/json" \ - -d '{"runtimeField":{"type":"long","script":{"source":"emit(doc['"'"'timestamp'"'"'].value.getHour())"}}}' - - lang: Console - source: > - POST - kbn://api/data_views/data_view/{viewId}/runtime_field/{fieldName} - - {"runtimeField":{"type":"long","script":{"source":"emit(doc['timestamp'].value.getHour())"}}} - /api/data_views/default: + - Security Exceptions API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + 
/api/exception_lists/_find: get: - description: > - Retrieve the identifier of the default data view for the current Kibana - space. - operationId: getDefaultDataViewDefault + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/exception_lists/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all exception list containers. + operationId: FindExceptionLists + parameters: + - description: | + Filters the returned results according to the value of the specified field. + + Uses the `so type.field name:field` value syntax, where `so type` can be: + + - `exception-list`: Specify a space-aware exception list. + - `exception-list-agnostic`: Specify an exception list that is shared across spaces. + in: query + name: filter + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_FindExceptionListsFilter' + - description: | + Determines whether the returned containers are Kibana associated with a Kibana space + or available in all spaces (`agnostic` or `single`) + examples: + agnostic: + value: agnostic + single: + value: single + in: query + name: namespace_type + required: false + schema: + default: + - single + items: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + type: array + - description: The page number to return + in: query + name: page + required: false + schema: + example: 1 + minimum: 1 + type: integer + - description: The number of exception lists to return per page + in: query + name: per_page + required: false + schema: + example: 20 + minimum: 1 + type: integer + - description: Determines which field is used to sort the results. + in: query + name: sort_field + required: false + schema: + example: name + type: string + - description: Determines the sort order, which can be `desc` or `asc`. 
+ in: query + name: sort_order + required: false + schema: + enum: + - desc + - asc + example: desc + type: string responses: '200': content: application/json: examples: - getDefaultDataViewResponse: - $ref: >- - #/components/examples/Data_views_get_default_data_view_response + simpleLists: + value: + data: + - _version: WzIsMV0= + created_at: '2025-01-07T19:34:27.942Z' + created_by: elastic + description: This is a sample detection type exception list. + id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 + immutable: false + list_id: simple_list + name: Detection Exception List + namespace_type: single + os_types: [] + tags: + - malware + tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 + type: detection + updated_at: '2025-01-07T19:34:27.942Z' + updated_by: elastic + version: 1 + page: 1 + per_page: 20 + total: 1 schema: type: object properties: - data_view_id: - type: string - description: Indicates a successful call. + data: + items: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + type: array + page: + minimum: 1 + type: integer + per_page: + minimum: 1 + type: integer + total: + minimum: 0 + type: integer + required: + - data + - page + - per_page + - total + description: Successful response '400': content: application/json: examples: - getDefaultDataViewBadRequest: - $ref: '#/components/examples/Data_views_error_400_response' + badRequest: + value: + error: Bad Request + message: '[request query]: namespace_type.0: Invalid enum value. Expected ''agnostic'' | ''single'', received ''blob''' + statusCode: 400 schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Get the default data view - tags: - - data views - x-codeSamples: - - lang: curl - source: | - curl \ - -X GET "${KIBANA_URL}/api/data_views/default" \ - -H "Authorization: ApiKey ${API_KEY}" - - lang: Console - source: | - GET kbn://api/data_views/default - post: - description: > - Set the default data view for the current Kibana space. 
The default data - view is used as a fallback when no specific data view is selected. - operationId: setDefaultDatailViewDefault - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - requestBody: - content: - application/json: - examples: - setDefaultDataViewRequest: - $ref: '#/components/examples/Data_views_set_default_data_view_request' - schema: - type: object - properties: - data_view_id: - description: > - The data view identifier. NOTE: The API does not validate - whether it is a valid identifier. Use `null` to unset the - default data view. - nullable: true - type: string - force: - default: false - description: Update an existing default data view identifier. - type: boolean - required: - - data_view_id - required: true - responses: - '200': + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response + '401': content: application/json: examples: - setDefaultDataViewResponse: - $ref: >- - #/components/examples/Data_views_set_default_data_view_response + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 schema: - type: object - properties: - acknowledged: - type: boolean - description: Indicates a successful call. 
- '400': + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': content: application/json: examples: - setDefaultDataViewBadRequest: - $ref: '#/components/examples/Data_views_error_400_response' + forbidden: + value: + error: Forbidden + message: API [GET /api/exception_lists/_find?namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] + statusCode: 403 schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Set the default data view - tags: - - data views - x-codeSamples: - - lang: curl - source: | - curl \ - -X POST "${KIBANA_URL}/api/data_views/default" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" \ - -H "Content-Type: application/json" \ - -d '{"data_view_id":"ff959d40-b880-11e8-a6d9-e546fe2bba5f","force":true}' - - lang: Console - source: | - POST kbn://api/data_views/default - {"data_view_id":"ff959d40-b880-11e8-a6d9-e546fe2bba5f","force":true} - /api/data_views/swap_references: - post: - description: > - Swap saved object references from one data view to another. Use this - endpoint to update dashboards, visualizations, and other saved objects - that reference a data view. WARNING: Misuse can break large numbers of - saved objects! Use the - [`_preview`](https://www.elastic.co/docs/api/doc/kibana/operation/operation-previewswapdataviewsdefault) - endpoint to see which saved objects would be affected before making - changes. 
- operationId: swapDataViewsDefault - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - requestBody: - content: - application/json: - examples: - swapDataViewRequest: - $ref: '#/components/examples/Data_views_swap_data_view_request' - schema: - $ref: '#/components/schemas/Data_views_swap_data_view_request_object' - required: true - responses: - '200': + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '500': content: application/json: examples: - swapDataViewResponse: - $ref: '#/components/examples/Data_views_swap_data_view_response' + serverError: + value: + message: Internal Server Error + status_code: 500 schema: - type: object - properties: - deleteStatus: - type: object - properties: - deletePerformed: - type: boolean - remainingRefs: - type: integer - result: - items: - type: object - properties: - id: - description: A saved object identifier. - type: string - type: - description: The saved object type. - type: string - type: array - description: Indicates a successful call. 
- summary: Swap saved object references + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Get exception lists tags: - - data views - x-codeSamples: - - lang: curl - source: | - curl \ - -X POST "${KIBANA_URL}/api/data_views/swap_references" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" \ - -H "Content-Type: application/json" \ - -d '{"fromId":"abcd-efg","toId":"xyz-123","delete":true}' - - lang: Console - source: | - POST kbn://api/data_views/swap_references - {"fromId":"abcd-efg","toId":"xyz-123","delete":true} - /api/data_views/swap_references/_preview: + - Security Exceptions API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/exception_lists/_import: post: - description: > - Preview the effect of swapping saved object references from one data - view to another. Returns the list of affected saved objects without - making any changes. - operationId: previewSwapDataViewsDefault - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - requestBody: - content: - application/json: - examples: - previewSwapDataViewRequest: - $ref: >- - #/components/examples/Data_views_preview_swap_data_view_request - schema: - $ref: '#/components/schemas/Data_views_swap_data_view_request_object' - required: true - responses: - '200': - content: - application/json: - examples: - previewSwapDataViewResponse: - $ref: >- - #/components/examples/Data_views_preview_swap_data_view_response - schema: - type: object - properties: - result: - items: - type: object - properties: - id: - description: A saved object identifier. - type: string - type: - description: The saved object type. - type: string - type: array - description: Indicates a successful call. 
- summary: Preview swap references - tags: - - data views - x-codeSamples: - - lang: curl - source: | - curl \ - -X POST "${KIBANA_URL}/api/data_views/swap_references/_preview" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" \ - -H "Content-Type: application/json" \ - -d '{"fromId":"abcd-efg","toId":"xyz-123"}' - - lang: Console - source: | - POST kbn://api/data_views/swap_references/_preview - {"fromId":"abcd-efg","toId":"xyz-123"} - /api/detection_engine/privileges: - get: - description: > - Retrieves whether or not the user is authenticated, and the user's - Kibana + description: |- + **Spaces method and path for this operation:** - space and index privileges, which determine if the user can create an +
post /s/{space_id}/api/exception_lists/_import
- index for the Elastic Security alerts generated by + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - detection engine rules. - operationId: ReadPrivileges + Import an exception list and its associated items from an NDJSON file. + operationId: ImportExceptionList + parameters: + - description: | + Determines whether existing exception lists with the same `list_id` are overwritten. + If any exception items have the same `item_id`, those are also overwritten. + in: query + name: overwrite + required: false + schema: + default: false + example: false + type: boolean + - description: | + Determines whether the list being imported will have a new `list_id` generated. + Additional `item_id`'s are generated for each exception item. Both the exception + list and its items are overwritten. + in: query + name: as_new_list + required: false + schema: + default: false + example: false + type: boolean + requestBody: + content: + multipart/form-data: + examples: + ndjsonUpload: + value: + file: exception_lists.ndjson + schema: + type: object + properties: + file: + description: A `.ndjson` file containing the exception list + example: | + {"_version":"WzExNDU5LDFd","created_at":"2025-01-09T16:18:17.757Z","created_by":"elastic","description":"This is a sample detection type exception","id":"c86c2da0-2ab6-4343-b81c-216ef27e8d75","immutable":false,"list_id":"simple_list","name":"Sample Detection Exception List","namespace_type":"single","os_types":[],"tags":["user added string for a tag","malware"],"tie_breaker_id":"cf4a7b92-732d-47f0-a0d5-49a35a1736bf","type":"detection","updated_at":"2025-01-09T16:18:17.757Z","updated_by":"elastic","version":1} + {"_version":"WzExNDYxLDFd","comments":[],"created_at":"2025-01-09T16:18:42.308Z","created_by":"elastic","description":"This is a sample endpoint type 
exception","entries":[{"type":"exists","field":"actingProcess.file.signer","operator":"excluded"},{"type":"match_any","field":"host.name","value":["some host","another host"],"operator":"included"}],"id":"f37597ce-eaa7-4b64-9100-4301118f6806","item_id":"simple_list_item","list_id":"simple_list","name":"Sample Endpoint Exception List","namespace_type":"single","os_types":["linux"],"tags":["user added string for a tag","malware"],"tie_breaker_id":"4ca3ef3e-9721-42c0-8107-cf47e094d40f","type":"simple","updated_at":"2025-01-09T16:18:42.308Z","updated_by":"elastic"} + format: binary + type: string + required: true responses: '200': content: application/json: examples: - success: + withErrors: value: - application: {} - cluster: - all: true - manage: true - manage_api_key: true - manage_index_templates: true - manage_ml: true - manage_own_api_key: true - manage_pipeline: true - manage_security: true - manage_transform: true - monitor: true - monitor_ml: true - monitor_transform: true - has_all_requested: true - has_encryption_key: true - index: - .alerts-security.alerts-default: - all: true - create: true - create_doc: true - create_index: true - delete: true - delete_index: true - index: true - maintenance: true - manage: true - monitor: true - read: true - view_index_metadata: true - write: true - is_authenticated: true - username: elastic + errors: + - error: + message: 'Error found importing exception list: Invalid value \"4\" supplied to \"list_id\"' + status_code: 400 + list_id: (unknown list_id) + - error: + message: 'Found that item_id: \"f7fd00bb-dba8-4c93-9d59-6cbd427b6330\" already exists. Import of item_id: \"f7fd00bb-dba8-4c93-9d59-6cbd427b6330\" skipped.' 
+ status_code: 409 + item_id: f7fd00bb-dba8-4c93-9d59-6cbd427b6330 + list_id: 7d7cccb8-db72-4667-b1f3-648efad7c1ee + success: false, + success_count: 0, + success_count_exception_list_items: 0 + success_count_exception_lists: 0, + success_exception_list_items: false, + success_exception_lists: false, + withoutErrors: + value: + errors: [] + success: true + success_count: 2 + success_count_exception_list_items: 1 + success_count_exception_lists: 1 + success_exception_list_items: true + success_exception_lists: true, schema: type: object properties: - has_encryption_key: + errors: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListsImportBulkErrorArray' + success: type: boolean - is_authenticated: + success_count: + minimum: 0 + type: integer + success_count_exception_list_items: + minimum: 0 + type: integer + success_count_exception_lists: + minimum: 0 + type: integer + success_exception_list_items: + type: boolean + success_exception_lists: type: boolean required: - - is_authenticated - - has_encryption_key + - errors + - success + - success_count + - success_exception_lists + - success_count_exception_lists + - success_exception_list_items + - success_count_exception_list_items description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: Multipart part `file` is required and must contain a valid .ndjson exception list export + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response '401': content: application/json: 
@@ -5074,12 +21915,23 @@ paths:
 unauthorized:
 value:
 error: Unauthorized
- message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]"
+ message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]'
 statusCode: 401
 schema:
- $ref: >-
- #/components/schemas/Security_Detections_API_PlatformErrorResponse
+ $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
 description: Unsuccessful authentication response
+ '403':
+ content:
+ application/json:
+ examples:
+ forbidden:
+ value:
+ error: Forbidden
+ message: API [POST /api/exception_lists/_import] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]
+ statusCode: 403
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ description: Not enough privileges response
 '500':
 content:
 application/json:
@@ -5089,3400 +21941,2450 @@ paths: message: Internal Server Error status_code: 500 schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Internal server error response - summary: Returns user privileges for the Kibana space + summary: Import an exception list tags: - - Security Detections API - - Privileges API - /api/detection_engine/rules: + - Security Exceptions API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/exception_lists/items: delete: - description: > - Delete a detection rule using the `rule_id` or `id` field. - - - The URL query must include one of the following: + description: |- + **Spaces method and path for this operation:** +
delete /s/{space_id}/api/exception_lists/items
- * `id` - `DELETE /api/detection_engine/rules?id=` - - * `rule_id`- `DELETE /api/detection_engine/rules?rule_id=` - + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - The difference between the `id` and `rule_id` is that the `id` is a - unique rule identifier that is randomly generated when a rule is created - and cannot be set, whereas `rule_id` is a stable rule identifier that - can be assigned during rule creation. - operationId: DeleteRule + Delete an exception list item using the `id` or `item_id` field. + operationId: DeleteExceptionListItem parameters: - - description: The rule's `id` value. + - description: Exception item's identifier. Either `id` or `item_id` must be specified in: query name: id required: false schema: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' - - description: The rule's `rule_id` value. + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' + - description: Human readable exception item string identifier, e.g. `trusted-linux-processes`. Either `id` or `item_id` must be specified in: query - name: rule_id + name: item_id required: false schema: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId' + - description: | + `single` deletes the item in the current Kibana space; `agnostic` deletes an item in a space-agnostic list. Must match the list that owns the item. 
+ examples: + agnostic: + value: agnostic + single: + value: single + in: query + name: namespace_type + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + default: single responses: '200': content: application/json: examples: - deletedRule: - summary: Response shape after a rule is deleted + simpleExceptionItem: value: - actions: [] - created_at: '2020-02-03T11:19:04.259Z' + _version: WzQsMV0= + comments: [] + created_at: '2025-01-07T20:07:33.119Z' created_by: elastic - description: Process started by MS Office program in user folder - enabled: false - false_positives: [] - from: now-4200s - id: c41d170b-8ba6-4de6-b8ec-76440a35ace3 - immutable: false - interval: 1h - language: kuery - max_signals: 100 - name: MS Office child process - query: event.action:Process* - references: [] - risk_score: 50 - rule_id: process_started_by_ms_office_user_folder - severity: low + description: This is a sample detection type exception item. + entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + - field: host.name + operator: included + type: match_any + value: + - saturn + - jupiter + id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux tags: - - tag - throttle: null - to: now - type: query - updated_at: '2020-02-03T11:19:04.462Z' + - malware + tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c + type: simple + updated_at: '2025-01-07T20:07:33.119Z' updated_by: elastic - version: 3 schema: - $ref: '#/components/schemas/Security_Detections_API_RuleResponse' - description: Indicates a successful call. 
- summary: Delete a detection rule + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request query]: namespace_type.0: Invalid enum value. Expected ''agnostic'' | ''single'', received ''blob''' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [DELETE /api/exception_lists/items?item_id=simple_list&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'exception list item item_id: \"foo\" does not exist' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list item not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: 
'#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Delete an exception list item tags: - - Security Detections API - - Rules API - x-codeSamples: - - lang: cURL - source: | - curl \ - --request DELETE https://localhost:5601/api/detection_engine/rules?rule_id=bfeaf89b-a2a7-48a3-817f-e41829dc61ee \ - --header "Content-Type: application/json; Elastic-Api-Version=2023-10-31" + - Security Exceptions API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name get: - description: > - Retrieve a detection rule using the `rule_id` or `id` field. - - - The URL query must include one of the following: - + description: |- + **Spaces method and path for this operation:** - * `id` - `GET /api/detection_engine/rules?id=` - - * `rule_id` - `GET /api/detection_engine/rules?rule_id=` +
get /s/{space_id}/api/exception_lists/items
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - The difference between the `id` and `rule_id` is that the `id` is a - unique rule identifier that is randomly generated when a rule is created - and cannot be set, whereas `rule_id` is a stable rule identifier that - can be assigned during rule creation. - operationId: ReadRule + Get the details of an exception list item using the `id` or `item_id` field. + operationId: ReadExceptionListItem parameters: - - description: The rule's `id` value. + - description: Exception list item's identifier. Either `id` or `item_id` must be specified. in: query name: id required: false schema: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' - - description: The rule's `rule_id` value. + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' + - description: Human readable exception item string identifier, e.g. `trusted-linux-processes`. Either `id` or `item_id` must be specified. in: query - name: rule_id + name: item_id required: false schema: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId' + - description: | + `single` fetches the item in the current space; `agnostic` fetches a global (space-agnostic) item. Must + match how the list was created. 
+ examples: + agnostic: + value: agnostic + single: + value: single + in: query + name: namespace_type + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + default: single responses: '200': content: application/json: examples: - example1: - summary: Example response for a retrieved rule + simpleListItem: value: - created_at: '2020-02-03T11:19:04.259Z' + _version: WzQsMV0= + comments: [] + created_at: '2025-01-07T20:07:33.119Z' created_by: elastic - description: Process started by MS Office program in user folder - enabled: false - execution_summary: - last_execution: - date: '2022-03-23T16:06:12.787Z' - message: >- - This rule attempted to query data from Elasticsearch - indices listed in the "Index pattern" section of the - rule definition, but no matching index was found. - metrics: - execution_gap_duration_s: 0 - total_indexing_duration_ms: 15 - total_search_duration_ms: 135 - status: partial failure - status_order: 20 - false_positives: [] - filters: - - query: - match: - event.action: - query: 'Process Create (rule: ProcessCreate)' - type: phrase - from: now-4200s - id: c41d170b-8ba6-4de6-b8ec-76440a35ace3 - immutable: false - interval: 1h - language: kuery - max_signals: 100 - name: MS Office child process - query: >- - process.parent.name:EXCEL.EXE or - process.parent.name:MSPUB.EXE or - process.parent.name:OUTLOOK.EXE or - process.parent.name:POWERPNT.EXE or - process.parent.name:VISIO.EXE or - process.parent.name:WINWORD.EXE - references: [] - related_integrations: - - package: o365 - version: ^2.3.2 - required_fields: - - ecs: true - name: process.name - type: keyword - - ecs: true - name: process.parent.name - type: keyword - risk_score: 21 - rule_id: process_started_by_ms_office_user_folder - setup: '' - severity: low + description: This is a sample detection type exception item. 
+ entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + - field: host.name + operator: included + type: match_any + value: + - saturn + - jupiter + id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux tags: - - child process - - ms office - threat: - - framework: MITRE ATT&CK - tactic: - id: TA0001 - name: Initial Access - reference: https://attack.mitre.org/tactics/TA0001 - technique: - - id: T1193 - name: Spearphishing Attachment - reference: https://attack.mitre.org/techniques/T1193 - to: now-300s - type: query - updated_at: '2020-02-03T11:19:04.462Z' + - malware + tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c + type: simple + updated_at: '2025-01-07T20:07:33.119Z' updated_by: elastic - version: 1 schema: - $ref: '#/components/schemas/Security_Detections_API_RuleResponse' - description: > - Indicates a successful call. - - > info - - > These fields are under development and their usage or schema may - change: execution_summary. - summary: Retrieve a detection rule - tags: - - Security Detections API - - Rules API - x-codeSamples: - - lang: cURL - source: | - curl \ - --request GET https://localhost:5601/api/detection_engine/rules?rule_id=bfeaf89b-a2a7-48a3-817f-e41829dc61ee \ - --header "Content-Type: application/json; Elastic-Api-Version=2023-10-31" - patch: - description: > - Update specific fields of an existing detection rule using the `rule_id` - or `id` field. - - - The difference between the `id` and `rule_id` is that the `id` is a - unique rule identifier that is randomly generated when a rule is created - and cannot be set, whereas `rule_id` is a stable rule identifier that - can be assigned during rule creation. - - > warn - - > When used with [API - key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, - the user's key gets assigned to the affected rules. 
If the user's key - gets deleted or the user becomes inactive, the rules will stop running. - - - > If the API key that is used for authorization has different privileges - than the key that created or most recently updated the rule, the rule - behavior might change. - operationId: PatchRule - requestBody: - content: - application/json: - examples: - example1: - summary: Patch query rule - value: - id: 14b7b513-3d8d-4b22-b7da-a7ae632f7e76 - name: New name - example2: - summary: Patch EQL rule - value: - rule_id: process_started_by_ms_office_program_possible_payload - threat: - - framework: MITRE ATT&CK - tactic: - id: TA0001 - name: Initial Access - reference: https://attack.mitre.org/tactics/TA0001 - technique: - - id: T1193 - name: Spearphishing Attachment - reference: https://attack.mitre.org/techniques/T1193 - example3: - summary: Patch threshold rule - value: - id: 005d2c4f-51ca-493d-a2bd-20ef076339b1 - query: >- - agent.version : * and agent.id : - "243d9b4f-ca01-4311-8e5c-9abbee91afd8" - threshold: - cardinality: [] - field: [] - value: 600 - example4: - summary: Patch new terms rule - value: - history_window_start: now-3d - id: 569aac91-40dc-4807-a8ae-a2c8698089c4 - new_terms_fields: - - Endpoint.policy.applied.artifacts.global.identifiers.name - example5: - summary: Patch esql rule - value: - id: 0b15e8a2-49b6-47e0-a8e6-d63a6cc335bd - query: > - FROM logs-abc* - - | STATS count = COUNT(*), min_timestamp = MIN(@timestamp) - - | EVAL event_rate = count / DATE_DIFF("seconds", - min_timestamp, NOW()) - - | KEEP event_rate - example6: - summary: Patch indicator match rule - value: - id: 462f1986-10fe-40a3-a22c-2b1c9c4c48fd - threat_query: >- - @timestamp >= "now-30d/d" and event.module:(threatintel or - ti_*) and threat.indicator.ip:* and not - labels.is_ioc_transform_source:"false" - example7: - summary: Patch machine learning rule - value: - anomaly_threshold: 50 - id: 60b13926-289b-41b1-a537-197ef1fa5059 - machine_learning_job_id: - - 
auth_high_count_logon_events_ea - schema: - $ref: '#/components/schemas/Security_Detections_API_RulePatchProps' - description: | - > info - > You cannot modify the `id` or `rule_id` values. - required: true - responses: - '200': + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request query]: namespace_type.0: Invalid enum value. Expected ''agnostic'' | ''single'', received ''blob''' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [GET /api/exception_lists/items?item_id=&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '404': content: application/json: examples: - example1: - summary: Example response for an updated rule + notFound: value: - actions: [] - created_at: '2020-04-07T14:51:09.755Z' - created_by: elastic - description: Updated description for the rule. 
- enabled: false - false_positives: [] - filters: - - query: null - from: now-70m - id: 6541b99a-dee9-4f6d-a86d-dbd1869d73b1 - immutable: false - interval: 1h - language: kuery - max_signals: 100 - name: Updated Rule Name - query: >- - process.parent.name:EXCEL.EXE or - process.parent.name:MSPUB.EXE or - process.parent.name:OUTLOOK.EXE or - process.parent.name:POWERPNT.EXE or - process.parent.name:VISIO.EXE or - process.parent.name:WINWORD.EXE - references: [] - related_integrations: - - package: o365 - required_fields: - - name: process.parent.name - risk_score: 50 - rule_id: process_started_by_ms_office_program - setup: '' - severity: low - tags: - - child process - - ms office - threat: [] - to: now - type: query - updated_at: '2020-04-07T14:51:09.970Z' - updated_by: elastic - version: 2 + message: 'exception list item item_id: \"foo\" does not exist' + status_code: 404 schema: - $ref: '#/components/schemas/Security_Detections_API_RuleResponse' - description: Indicates a successful call. - summary: Patch a detection rule + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list item not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Get an exception list item tags: - - Security Detections API - - Rules API + - Security Exceptions API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name post: - description: > - Create a new detection rule. - - > warn - - > When used with [API - key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, - the user's key gets assigned to the affected rules. If the user's key - gets deleted or the user becomes inactive, the rules will stop running. 
- - - > If the API key that is used for authorization has different privileges - than the key that created or most recently updated the rule, the rule - behavior might change. - - - You can create the following types of rules: - - - * **Custom query**: Searches the defined indices and creates an alert - when a document matches the rule's KQL query. - - * **Event correlation**: Searches the defined indices and creates an - alert when results match an [Event Query Language - (EQL)](https://www.elastic.co/guide/en/elasticsearch/reference/current/eql.html) - query. - - * **Threshold**: Searches the defined indices and creates an alert when - the number of times the specified field's value meets the threshold - during a single execution. When there are multiple values that meet the - threshold, an alert is generated for each value. - For example, if the threshold `field` is `source.ip` and its `value` is `10`, an alert is generated for every source IP address that appears in at least 10 of the rule's search results. If you're interested, see [Terms Aggregation](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-bucket-terms-aggregation.html) for more information. - * **Indicator match**: Creates an alert when fields match values defined - in the specified [Elasticsearch - index](https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-create-index.html). - For example, you can create an index for IP addresses and use this index - to create an alert whenever an event's `destination.ip` equals a value - in the index. The index's field mappings should be - [ECS-compliant](https://www.elastic.co/guide/en/ecs/current/ecs-reference.html). - - * **New terms**: Generates an alert for each new term detected in source - documents within a specified time range. 
- - * **ES|QL**: Uses [Elasticsearch Query Language - (ES|QL)](https://www.elastic.co/guide/en/elasticsearch/reference/current/esql.html) - to find events and aggregate search results. - - * **Machine learning rules**: Creates an alert when a machine learning - job discovers an anomaly above the defined threshold. - - > info - - > To create machine learning rules, you must have the [appropriate - license](https://www.elastic.co/subscriptions) or use a [cloud - deployment](https://cloud.elastic.co/registration). Additionally, for - the machine learning rule to function correctly, the associated machine - learning job must be running. - - - To retrieve machine learning job IDs, which are required to create - machine learning jobs, call the [Elasticsearch Get jobs - API](https://www.elastic.co/guide/en/elasticsearch/reference/current/ml-get-job.html). - Machine learning jobs that contain `siem` in the `groups` field can be - used to create rules: - - - ```json - - ... - - "job_id": "linux_anomalous_network_activity_ecs", - - "job_type": "anomaly_detector", - - "job_version": "7.7.0", - - "groups": [ - "auditbeat", - "process", - "siem" - ], - - ... - - ``` - - - Additionally, you can set up notifications for when rules create alerts. - The notifications use the [Alerting and Actions - framework](https://www.elastic.co/docs/explore-analyze/alerting). Each - action type requires a connector. Connectors store the information - required to send notifications via external systems. The following - connector types are supported for rule notifications: - - - * Slack - - * Email - - * PagerDuty - - * Webhook - - * Microsoft Teams - - * IBM Resilient + description: | + **Spaces method and path for this operation:** - * Jira +
post /s/{space_id}/api/exception_lists/items
- * ServiceNow ITSM + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + Create an exception item and associate it with the specified exception list. > info - - > For more information on PagerDuty fields, see [Send a v2 - Event](https://developer.pagerduty.com/docs/events-api-v2/trigger-events/). - - - To retrieve connector IDs, which are required to configure rule - notifications, call the [Find objects - API](https://www.elastic.co/docs/api/doc/kibana/operation/operation-findsavedobjects) - with `"type": "action"` in the request payload. - - - For detailed information on Kibana actions and alerting, and additional - API calls, see: - - - * [Alerting - API](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-alerting) - - * [Alerting and Actions - framework](https://www.elastic.co/docs/explore-analyze/alerting) - - * [Connectors - API](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-connectors) - operationId: CreateRule + > Before creating exception items, you must create an exception list. 
+ operationId: CreateExceptionListItem requestBody: content: application/json: examples: - example1: - description: Query rule that searches for processes started by MS Office - summary: Query rule - value: - description: Process started by MS Office program - possible payload - enabled: false - filters: - - query: - match: - event.action: - query: 'Process Create (rule: ProcessCreate)' - type: phrase - from: now-70m - interval: 1h - language: kuery - name: MS Office child process - query: >- - process.parent.name:EXCEL.EXE or - process.parent.name:MSPUB.EXE or - process.parent.name:OUTLOOK.EXE or - process.parent.name:POWERPNT.EXE or - process.parent.name:VISIO.EXE or - process.parent.name:WINWORD.EXE - related_integrations: - - package: o365 - version: ^2.3.2 - required_fields: - - name: process.parent.name - type: keyword - risk_score: 50 - rule_id: process_started_by_ms_office_program - severity: low - tags: - - child process - - ms office - type: query - example2: - description: >- - Threshold rule that detects multiple failed login attempts to - a Windows host from the same external source IP address - summary: Threshold rule - value: - description: >- - Detects when there are 20 or more failed login attempts from - the same IP address with a 2 minute time frame. 
- enabled: true - exceptions_list: - - id: int-ips - namespace_type: single - type: detection - from: now-180s - index: - - winlogbeat-* - interval: 2m - name: Windows server prml-19 - query: >- - host.name:prml-19 and event.category:authentication and - event.outcome:failure - required_fields: - - name: source.ip - type: ip - risk_score: 30 - rule_id: liv-win-ser-logins - severity: low - severity_mapping: - - field: source.geo.city_name - operator: equals - severity: low - value: Manchester - - field: source.geo.city_name - operator: equals - severity: medium - value: London - - field: source.geo.city_name - operator: equals - severity: high - value: Birmingham - - field: source.geo.city_name - operator: equals - severity: critical - value: Wallingford - tags: - - Brute force - threshold: - field: source.ip - value: 20 - type: threshold - example3: - description: >- - Machine learning rule that creates alerts, and sends Slack - notifications, when the linux_anomalous_network_activity_ecs - machine learning job discovers anomalies with a threshold of - 70 or above. - summary: Machine learning rule - value: - actions: - - action_type_id: .slack - group: default - id: 5ad22cd5-5e6e-4c6c-a81a-54b626a4cec5 - params: - message: 'Urgent: {{context.rule.description}}' - anomaly_threshold: 70 - description: Generates alerts when the job discovers anomalies over 70 - enabled: true - from: now-6m - interval: 5m - machine_learning_job_id: linux_anomalous_network_activity_ecs - name: Anomalous Linux network activity - note: Shut down the internet. - risk_score: 70 - rule_id: ml_linux_network_high_threshold - setup: This rule requires data coming in from Elastic Defend. 
- severity: high - tags: - - machine learning - - Linux - type: machine_learning - example4: - description: >- - Event correlation rule that creates alerts when the Windows - rundll32.exe process makes unusual network connections - summary: EQL rule + simpleItem: value: - description: Unusual rundll32.exe network connection - language: eql - name: rundll32.exe network connection - query: >- - sequence by process.entity_id with maxspan=2h [process where - event.type in ("start", "process_started") and (process.name - == "rundll32.exe" or process.pe.original_file_name == - "rundll32.exe") and ((process.args == "rundll32.exe" and - process.args_count == 1) or (process.args != "rundll32.exe" - and process.args_count == 0))] [network where event.type == - "connection" and (process.name == "rundll32.exe" or - process.pe.original_file_name == "rundll32.exe")] - required_fields: - - name: event.type - type: keyword - - name: process.args - type: keyword - - name: process.args_count - type: long - - name: process.entity_id - type: keyword - - name: process.name - type: keyword - - name: process.pe.original_file_name - type: keyword - risk_score: 21 - rule_id: eql-outbound-rundll32-connections - severity: low + description: This is a sample detection type exception item. + entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux tags: - - EQL - - Windows - - rundll32.exe - type: eql - example5: - description: > - Indicator match rule that creates an alert when one of the - following is true: The event's destination IP address and port - number matches destination IP and port values in the - threat_index index; The event's source IP address matches a - host IP address value in the threat_index index. 
- summary: Indicator match rule - value: - actions: [] - description: >- - Checks for bad IP addresses listed in the ip-threat-list - index - index: - - packetbeat-* - name: Bad IP threat match - query: destination.ip:* or host.ip:* - required_fields: - - name: destination.ip - type: ip - - name: destination.port - type: long - - name: host.ip - type: ip - risk_score: 50 - severity: medium - threat_index: - - ip-threat-list - threat_mapping: - - entries: - - field: destination.ip - type: mapping - value: destination.ip - - field: destination.port - type: mapping - value: destination.port - - entries: - - field: source.ip - type: mapping - value: host.ip - threat_query: '*:*' - type: threat_match - example6: - description: >- - New terms rule that creates alerts a new IP address is - detected for a user - summary: New terms rule - value: - description: Detects a user associated with a new IP address - history_window_start: now-30d - index: - - auditbeat* - language: kuery - name: New User IP Detected - new_terms_fields: - - user.id - - source.ip - query: '*' - required_fields: - - name: user.id - type: keyword - - name: source.ip - type: ip - risk_score: 21 - severity: medium - type: new_terms - example7: - description: >- - esql rule that creates alerts from events that match an Excel - parent process - summary: Esql rule - value: - description: Find Excel events - enabled: false - from: now-360s - interval: 5m - language: esql - name: Find Excel events - query: >- - from auditbeat-8.10.2 METADATA _id, _version, _index | where - process.parent.name == "EXCEL.EXE" - required_fields: - - name: process.parent.name - type: keyword - risk_score: 21 - severity: low - tags: [] - to: now - type: esql - example8: - description: >- - Query rule that searches for processes started by MS Office - and suppresses alerts by the process.parent.name field within - a 5-hour time period - summary: Query rule 2 + - malware + type: simple + schema: + oneOf: + - $ref: 
'#/components/schemas/Security_Exceptions_API_CreateExceptionListItemGeneric' + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemEndpointList' + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedAppsWindows' + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedAppsMac' + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedAppsLinux' + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedDevicesWindows' + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedDevicesMac' + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedDevicesWindowsMac' + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemEventFilters' + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemHostIsolation' + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBlocklistWindows' + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBlocklistLinux' + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBlocklistMac' + description: Exception list item's properties + required: true + responses: + '200': + content: + application/json: + examples: + autogeneratedItemId: + value: + _version: WzYsMV0= + comments: [] + created_at: '2025-01-09T01:16:23.322Z' + created_by: elastic + description: This is a sample exception that has no item_id so it is autogenerated. 
+ entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + id: 323faa75-c657-4fa0-9084-8827612c207b + item_id: 80e6edf7-4b13-4414-858f-2fa74aa52b37 + list_id: 8c1aae4c-1ef5-4bce-a2e3-16584b501783 + name: Sample Autogenerated Exception List Item ID + namespace_type: single + os_types: [] + tags: + - malware + tie_breaker_id: d6799986-3a23-4213-bc6d-ed9463a32f23 + type: simple + updated_at: '2025-01-09T01:16:23.322Z' + updated_by: elastic + detectionExceptionListItem: + value: + _version: WzQsMV0= + comments: [] + created_at: '2025-01-07T20:07:33.119Z' + created_by: elastic + description: This is a sample detection type exception item. + entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c + type: simple + updated_at: '2025-01-07T20:07:33.119Z' + updated_by: elastic + withExistEntry: + value: + _version: WzQsMV0= + comments: [] + created_at: '2025-01-07T20:07:33.119Z' + created_by: elastic + description: This is a sample detection type exception item. + entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c + type: simple + updated_at: '2025-01-07T20:07:33.119Z' + updated_by: elastic + withMatchAnyEntry: + value: + _version: WzQsMV0= + comments: [] + created_at: '2025-01-07T20:07:33.119Z' + created_by: elastic + description: This is a sample detection type exception item. 
+ entries: + - field: host.name + operator: included + type: match_any + value: + - saturn + - jupiter + id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c + type: simple + updated_at: '2025-01-07T20:07:33.119Z' + updated_by: elastic + withMatchEntry: + value: + _version: WzQsMV0= + comments: [] + created_at: '2025-01-07T20:07:33.119Z' + created_by: elastic + description: This is a sample detection type exception item. + entries: + - field: actingProcess.file.signer + operator: included + type: match + value: Elastic N.V. + id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c + type: simple + updated_at: '2025-01-07T20:07:33.119Z' + updated_by: elastic + withNestedEntry: + value: + _version: WzQsMV0= + comments: [] + created_at: '2025-01-07T20:07:33.119Z' + created_by: elastic + description: This is a sample detection type exception item. 
+ entries: + - entries: + - field: signer + operator: included + type: match + value: Evil + - field: trusted + operator: included + type: match + value: true + field: file.signature + type: nested + id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c + type: simple + updated_at: '2025-01-07T20:07:33.119Z' + updated_by: elastic + withValueListEntry: + value: + _version: WzcsMV0= + comments: [] + created_at: '2025-01-09T01:31:12.614Z' + created_by: elastic + description: Don't signal when agent.name is rock01 and source.ip is in the goodguys.txt list + entries: + - field: source.ip + list: + id: goodguys.txt + type: ip + operator: excluded + type: list + id: deb26876-297d-4677-8a1f-35467d2f1c4f + item_id: 686b129e-9b8d-4c59-8d8d-c93a9ea82c71 + list_id: 8c1aae4c-1ef5-4bce-a2e3-16584b501783 + name: Filter out good guys ip and agent.name rock01 + namespace_type: single + os_types: [] + tags: + - malware + tie_breaker_id: 5e0288ce-6657-4c18-9dcc-00ec9e8cc6c8 + type: simple + updated_at: '2025-01-09T01:31:12.614Z' + updated_by: elastic + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request, + message: '[request body]: list_id: Expected string, received number' + statusCode: 400, + schema: + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request 
[/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [POST /api/exception_lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '409': + content: + application/json: + examples: + alreadyExists: + value: + message: 'exception list item id: \"simple_list_item\" already exists' + status_code: 409 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list item already exists response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Create an exception list item + tags: + - Security Exceptions API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/exception_lists/items
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an exception list item using the `id` or `item_id` field. + operationId: UpdateExceptionListItem + requestBody: + content: + application/json: + examples: + updateItem: value: - alert_suppression: - duration: - unit: h - value: 5 - group_by: - - process.parent.name - missing_fields_strategy: suppress - description: Process started by MS Office program - possible payload - enabled: false - filters: - - query: - match: - event.action: - query: 'Process Create (rule: ProcessCreate)' - type: phrase - from: now-70m - interval: 1h - language: kuery - name: MS Office child process - query: >- - process.parent.name:EXCEL.EXE or - process.parent.name:MSPUB.EXE or - process.parent.name:OUTLOOK.EXE or - process.parent.name:POWERPNT.EXE or - process.parent.name:VISIO.EXE or - process.parent.name:WINWORD.EXE - risk_score: 50 - rule_id: process_started_by_ms_office_program - severity: low - tags: - - child process - - ms office - type: query + description: Updated description + id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + name: Updated name + namespace_type: single + type: simple schema: - $ref: '#/components/schemas/Security_Detections_API_RuleCreateProps' + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemGeneric' + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemEndpointList' + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedAppsWindows' + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedAppsMac' + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedAppsLinux' + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesWindows' + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesMac' + - $ref: 
'#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesWindowsMac' + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemEventFilters' + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemHostIsolation' + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBlocklistWindows' + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBlocklistLinux' + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBlocklistMac' + description: Exception list item's properties required: true responses: '200': content: application/json: examples: - example1: - description: Example response for a query rule - summary: Query rule response + simpleListItem: value: - actions: [] - created_at: '2020-04-07T14:51:09.755Z' + _version: WzEyLDFd + comments: [] + created_at: '2025-01-07T21:12:25.512Z' created_by: elastic - description: Process started by MS Office program - possible payload - enabled: false - false_positives: [] - filters: - - query: - match: - event.action: - query: 'Process Create (rule: ProcessCreate)' - type: phrase - from: now-70m - id: 6541b99a-dee9-4f6d-a86d-dbd1869d73b1 - immutable: false - interval: 1h - language: kuery - max_signals: 100 - name: MS Office child process - query: >- - process.parent.name:EXCEL.EXE or - process.parent.name:MSPUB.EXE or - process.parent.name:OUTLOOK.EXE or - process.parent.name:POWERPNT.EXE or - process.parent.name:VISIO.EXE or - process.parent.name:WINWORD.EXE - references: [] - related_integrations: - - package: o365 - version: ^2.3.2 - - integration: graphactivitylogs - package: azure - version: ^1.11.4 - required_fields: - - ecs: true - name: process.parent.name - type: keyword - risk_score: 50 - rule_id: process_started_by_ms_office_program - setup: '' - severity: low - tags: - - child process - - ms office - threat: [] - to: now - type: query - updated_at: '2020-04-07T14:51:09.970Z' + 
description: Updated description + entries: + - field: host.name + operator: included + type: match + value: rock01 + id: 459c5e7e-f8b2-4f0b-b136-c1fc702f72da + item_id: simple_list_item + list_id: simple_list + name: Updated name + namespace_type: single + os_types: [] + tags: [] + tie_breaker_id: ad0754ff-7b19-49ca-b73e-e6aff6bfa2d0 + type: simple + updated_at: '2025-01-07T21:34:50.233Z' updated_by: elastic - version: 1 - example2: - description: Example response for a machine learning job rule - summary: Machine learning response + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: value: - actions: - - action_type_id: .slack - frequency: - notifyWhen: onActiveAlert - summary: true - throttle: null - group: default - id: 5ad22cd5-5e6e-4c6c-a81a-54b626a4cec5 - params: - message: 'Urgent: {{context.rule.description}}' - anomaly_threshold: 70 - created_at: '2020-04-07T14:45:15.679Z' - created_by: elastic - description: Generates alerts when the job discovers anomalies over 70 - enabled: true - false_positives: [] - from: now-6m - id: 83876f66-3a57-4a99-bf37-416494c80f3b - immutable: false - interval: 5m - machine_learning_job_id: linux_anomalous_network_activity_ecs - max_signals: 100 - name: Anomalous Linux network activity - note: Shut down the internet. 
- references: [] - related_integrations: [] - required_fields: [] - risk_score: 70 - rule_id: ml_linux_network_high_threshold - setup: '' - severity: high - status: going to run - status_date: '2020-04-07T14:45:21.685Z' - tags: - - machine learning - - Linux - threat: [] - to: now - type: machine_learning - updated_at: '2020-04-07T14:45:15.892Z' - updated_by: elastic - version: 1 - example3: - description: Example response for a threshold rule - summary: Threshold rule response + error: Bad Request + message: '[request body]: item_id: Expected string, received number' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: value: - actions: [] - author: [] - created_at: '2020-07-22T10:27:23.486Z' - created_by: elastic - description: >- - Detects when there are 20 or more failed login attempts - from the same IP address with a 2 minute time frame. 
- enabled: true - exceptions_list: - - id: int-ips - namespace_type: single - type: detection - false_positives: [] - from: now-180s - id: 15dbde26-b627-4d74-bb1f-a5e0ed9e4993 - immutable: false - index: - - winlogbeat-* - interval: 2m - language: kuery - max_signals: 100 - name: Windows server prml-19 - query: >- - host.name:prml-19 and event.category:authentication and - event.outcome:failure - references: [] - related_integrations: - - package: o365 - version: ^2.3.2 - required_fields: - - ecs: true - name: source.ip - type: ip - risk_score: 30 - risk_score_mapping: [] - rule_id: liv-win-ser-logins - setup: '' - severity: low - severity_mapping: - - field: source.geo.city_name - operator: equals - severity: low - value: Manchester - - field: source.geo.city_name - operator: equals - severity: medium - value: London - - field: source.geo.city_name - operator: equals - severity: high - value: Birmingham - - field: source.geo.city_name - operator: equals - severity: critical - value: Wallingford - tags: - - Brute force - threat: [] - threshold: - field: source.ip - value: 20 - to: now - type: threshold - updated_at: '2020-07-22T10:27:23.673Z' - updated_by: elastic - version: 1 - example4: - description: Example response for an EQL rule - summary: EQL rule response + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: value: - author: [] - created_at: '2020-10-05T09:06:16.392Z' - created_by: elastic - description: Unusual rundll32.exe network connection - enabled: true - exceptions_list: [] - false_positives: [] - from: now-6m - id: 
93808cae-b05b-4dc9-8479-73574b50f8b1 - immutable: false - interval: 5m - language: eql - max_signals: 100 - name: rundll32.exe network connection - query: >- - sequence by process.entity_id with maxspan=2h [process - where event.type in ("start", "process_started") and - (process.name == "rundll32.exe" or - process.pe.original_file_name == "rundll32.exe") and - ((process.args == "rundll32.exe" and process.args_count == - 1) or (process.args != "rundll32.exe" and - process.args_count == 0))] [network where event.type == - "connection" and (process.name == "rundll32.exe" or - process.pe.original_file_name == "rundll32.exe")] - references: [] - related_integrations: - - package: o365 - version: ^2.3.2 - required_fields: - - ecs: true - name: event.type - type: keyword - - ecs: true - name: process.args - type: keyword - - ecs: true - name: process.args_count - type: long - - ecs: true - name: process.entity_id - type: keyword - - ecs: true - name: process.name - type: keyword - - ecs: true - name: process.pe.original_file_name - type: keyword - risk_score: 21 - risk_score_mapping: [] - rule_id: eql-outbound-rundll32-connections - setup: '' - severity: low - severity_mapping: [] - tags: - - EQL - - Windows - - rundll32.exe - threat: [] - throttle: no_actions - to: now - type: eql - updated_at: '2020-10-05T09:06:16.403Z' - updated_by: elastic - version: 1 - example5: - description: Example response for an indicator match rule - summary: Indicator match rule response + error: Forbidden + message: API [PUT /api/exception_lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'exception list item item_id: \"foo\" does not exist' + status_code: 404 + schema: + $ref: 
'#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list item not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Update an exception list item + tags: + - Security Exceptions API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/exception_lists/items/_find: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/exception_lists/items/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all exception list items in the specified list. + operationId: FindExceptionListItems + parameters: + - description: The `list_id`s of the items to fetch. + in: query + name: list_id + required: true + schema: + items: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + type: array + - description: | + Filters the returned results according to the value of the specified field, + using the `:` syntax. + examples: + singleFilter: + value: + - exception-list.attributes.name:%My%20item + in: query + name: filter + required: false + schema: + default: [] + items: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + type: array + - description: | + Determines whether the returned containers are Kibana associated with a Kibana space + or available in all spaces (`agnostic` or `single`) + examples: + single: + value: + - single + in: query + name: namespace_type + required: false + schema: + default: + - single + items: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + type: array + - description: | + Free-text search term applied to exception list item fields (for example a hostname or file path fragment). + in: query + name: search + required: false + schema: + example: host.name + type: string + - description: The page number to return + in: query + name: page + required: false + schema: + example: 1 + minimum: 0 + type: integer + - description: The number of exception list items to return per page + in: query + name: per_page + required: false + schema: + example: 20 + minimum: 0 + type: integer + - description: Determines which field is used to sort the results. + example: name + in: query + name: sort_field + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + - description: Determines the sort order, which can be `desc` or `asc`. 
+ in: query + name: sort_order + required: false + schema: + enum: + - desc + - asc + example: desc + type: string + responses: + '200': + content: + application/json: + examples: + simpleListItems: + value: + data: + - _version: WzgsMV0= + comments: [] + created_at: '2025-01-07T21:12:25.512Z' + created_by: elastic + description: This is a sample exception item. + entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + - field: host.name + operator: included + type: match_any + value: + - jupiter + - saturn + id: 459c5e7e-f8b2-4f0b-b136-c1fc702f72da + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: ad0754ff-7b19-49ca-b73e-e6aff6bfa2d0 + type: simple + updated_at: '2025-01-07T21:12:25.512Z' + updated_by: elastic + page: 1 + per_page: 20 + total: 1 + schema: + type: object + properties: + data: + items: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' + type: array + page: + minimum: 1 + type: integer + per_page: + minimum: 1 + type: integer + pit: + type: string + total: + minimum: 0 + type: integer + required: + - data + - page + - per_page + - total + description: Successful response + '400': + content: + application/json: + examples: + badRequest: value: - author: [] - created_at: '2020-10-06T07:07:58.227Z' - created_by: elastic - description: >- - Checks for bad IP addresses listed in the ip-threat-list - index - enabled: true - exceptions_list: [] - false_positives: [] - from: now-6m - id: d5daa13f-81fb-4b13-be2f-31011e1d9ae1 - immutable: false - index: - - packetbeat-* - interval: 5m - language: kuery - max_signals: 100 - name: Bad IP threat match - query: destination.ip:* or host.ip:* - references: [] - related_integrations: - - package: o365 - version: ^2.3.2 - required_fields: - - ecs: true - name: destination.ip - type: ip - - ecs: true - name: destination.port - type: long - - ecs: 
true - name: host.ip - type: ip - risk_score: 50 - risk_score_mapping: [] - rule_id: 608501e4-c768-4f64-9326-cec55b5d439b - setup: '' - severity: medium - severity_mapping: [] - tags: [] - threat: [] - threat_index: - - ip-threat-list - threat_mapping: - - entries: - - field: destination.ip - type: mapping - value: destination.ip - - field: destination.port - type: mapping - value: destination.port - - entries: - - field: source.ip - type: mapping - value: host.ip - threat_query: '*:*' - to: now - type: threat_match - updated_at: '2020-10-06T07:07:58.237Z' - updated_by: elastic - version: 1 - example6: - description: Example response for a new terms rule - summary: New terms rule response + error: Bad Request + message: '[request query]: namespace_type.0: Invalid enum value. Expected ''agnostic'' | ''single'', received ''blob''' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: value: - author: [] - created_at: '2020-10-06T07:07:58.227Z' - created_by: elastic - description: Detects a user associated with a new IP address - enabled: true - exceptions_list: [] - false_positives: [] - from: now-6m - history_window_start: now-30d - id: eb7225c0-566b-11ee-8b4f-bbf3afdeb9f4 - immutable: false - index: - - auditbeat* - interval: 5m - language: kuery - max_signals: 100 - name: New User IP Detected - new_terms_fields: - - user.id - - source.ip - query: '*' - references: [] - related_integrations: - - package: o365 - version: ^2.3.2 - required_fields: - - ecs: true - name: user.id - type: keyword - - ecs: true - name: source.ip - type: ip - risk_score: 21 - risk_score_mapping: [] - rule_id: c6f5d0bc-7be9-47d4-b2f3-073d22641e30 - setup: '' - severity: medium - severity_mapping: [] - tags: [] - threat: [] - to: now - type: 
new_terms - updated_at: '2020-10-06T07:07:58.237Z' - updated_by: elastic - version: 1 - example7: - description: Example response for an Esql rule - summary: Esql rule response + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: value: - actions: [] - author: [] - created_at: '2023-10-18T10:55:14.269Z' - created_by: elastic - description: Find Excel events - enabled: false - exceptions_list: [] - false_positives: [] - from: now-360s - id: d0f20490-6da4-11ee-b85e-09e9b661f2e2 - immutable: false - interval: 5m - language: esql - max_signals: 100 - name: Find Excel events - output_index: '' - query: >- - from auditbeat-8.10.2 METADATA _id | where - process.parent.name == "EXCEL.EXE" - references: [] - related_integrations: - - package: o365 - version: ^2.3.2 - required_fields: - - ecs: true - name: process.parent.name - type: keyword - revision: 0 - risk_score: 21 - risk_score_mapping: [] - rule_id: e4b53a89-debd-4a0d-a3e3-20606952e589 - setup: '' - severity: low - severity_mapping: [] - tags: [] - threat: [] - to: now - type: esql - updated_at: '2023-10-18T10:55:14.269Z' - updated_by: elastic - version: 1 + error: Forbidden + message: API [GET /api/exception_lists/items/_find?list_id=simple_list&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] + statusCode: 403 schema: - $ref: '#/components/schemas/Security_Detections_API_RuleResponse' - description: Indicates a successful call. 
- summary: Create a detection rule + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'exception list list_id: "foo" does not exist' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Get exception list items tags: - - Security Detections API - put: - description: > - Update a detection rule using the `rule_id` or `id` field. The original - rule is replaced, and all unspecified fields are deleted. + - Security Exceptions API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/exception_lists/summary: + get: + description: |- + **Spaces method and path for this operation:** +
get /s/{space_id}/api/exception_lists/summary
- The difference between the `id` and `rule_id` is that the `id` is a - unique rule identifier that is randomly generated when a rule is created - and cannot be set, whereas `rule_id` is a stable rule identifier that - can be assigned during rule creation. + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - > warn + Get a summary of the specified exception list. + operationId: ReadExceptionListSummary + parameters: + - description: Exception list's identifier generated upon creation. + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' + - description: Exception list's human readable identifier. + in: query + name: list_id + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + - description: | + `single` returns summary for a list in the current space; `agnostic` for a space-agnostic list. Must + line up with `id` / `list_id` used to look up the list. 
+ examples: + agnostic: + value: agnostic + single: + value: single + in: query + name: namespace_type + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + default: single + - description: Search filter clause + in: query + name: filter + required: false + schema: + example: exception-list-agnostic.attributes.tags:"policy:policy-1" OR exception-list-agnostic.attributes.tags:"policy:all" + type: string + responses: + '200': + content: + application/json: + examples: + summary: + value: + linux: 0 + macos: 0 + total: 0 + windows: 0 + schema: + type: object + properties: + linux: + minimum: 0 + type: integer + macos: + minimum: 0 + type: integer + total: + minimum: 0 + type: integer + windows: + minimum: 0 + type: integer + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request query]: namespace_type.0: Invalid enum value. Expected ''agnostic'' | ''single'', received ''blob''' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [GET /api/exception_lists/summary?list_id=simple_list&namespace_type=agnostic] is unauthorized for user, this action is 
granted by the Kibana privileges [lists-summary] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message": 'exception list id: "foo" does not exist' + status_code": 404 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Get an exception list summary + tags: + - Security Exceptions API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/exceptions/shared: + post: + description: | + **Spaces method and path for this operation:** - > When used with [API - key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, - the user's key gets assigned to the affected rules. If the user's key - gets deleted or the user becomes inactive, the rules will stop running. +
post /s/{space_id}/api/exceptions/shared
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - > If the API key that is used for authorization has different privileges - than the key that created or most recently updated the rule, the rule - behavior might change. - operationId: UpdateRule + An exception list groups exception items and can be associated with detection rules. A shared exception list can apply to multiple detection rules. + > info + > All exception items added to the same list are evaluated using `OR` logic. That is, if any of the items in a list evaluate to `true`, the exception prevents the rule from generating an alert. Likewise, `OR` logic is used for evaluating exceptions when more than one exception list is assigned to a rule. To use the `AND` operator, you can define multiple clauses (`entries`) in a single exception item. + operationId: CreateSharedExceptionList requestBody: content: application/json: examples: - example1: - summary: Update query rule - value: - description: A new description - id: 14b7b513-3d8d-4b22-b7da-a7ae632f7e76 - name: A new name for the rule - risk_score: 22 - severity: medium - type: query - example2: - summary: Update EQL rule - value: - description: eql rule test - id: 9b684efb-acf9-4323-9bff-8335b3867d14 - index: - - apm-*-transaction* - language: eql - name: New name for EQL rule - query: process where process.name == "regsvr32.exe" - risk_score: 21 - severity: low - type: eql - example3: - summary: Update threshold rule + createSharedExceptionList: value: - description: Description of threat rule test - id: 005d2c4f-51ca-493d-a2bd-20ef076339b1 - language: kuery - name: New name for threat rule - query: >- - agent.version : * and agent.id : - "243d9b4f-ca01-4311-8e5c-9abbee91afd8" - risk_score: 21 - severity: low + description: This is a sample detection type exception list. 
+ list_id: simple_list + name: Sample Detection Exception List + namespace_type: single + os_types: + - linux tags: - - new_tag - threshold: - cardinality: [] - field: [] - value: 400 - type: threshold - example4: - summary: Update new terms rule - value: - description: New description - history_window_start: now-7d - id: 569aac91-40dc-4807-a8ae-a2c8698089c4 - interval: 5m - name: New terms rule name - new_terms_fields: - - Endpoint.policy.applied.artifacts.global.identifiers.name - query: 'agent.version : "9.1.0"' - risk_score: 21 - severity: low - type: new_terms - example5: - summary: Update esql rule - value: - description: New description for esql rule - id: 0b15e8a2-49b6-47e0-a8e6-d63a6cc335bd - language: esql - name: New name for esql rule - query: > - FROM logs* - - | STATS count = COUNT(*), min_timestamp = MIN(@timestamp) /* - MIN(dateField) finds the earliest timestamp in the dataset. - */ - - | EVAL event_rate = count / DATE_DIFF("seconds", - min_timestamp, NOW()) /* Calculates the event rate by - dividing the total count of events by the time difference - (in seconds) between the earliest event and the current - time. 
*/ - - | KEEP event_rate - risk_score: 21 - severity: low - type: esql - example6: - summary: Update indicator match rule - value: - description: New description - id: 462f1986-10fe-40a3-a22c-2b1c9c4c48fd - name: New name for Indicator Match rule - query: source.ip:* or destination.ip:*\n - risk_score: 99 - severity: critical - threat_index: - - filebeat-* - - logs-ti_* - threat_mapping: - - entries: - - field: source.ip - type: mapping - value: threat.indicator.ip - - entries: - - field: destination.ip - type: mapping - value: threat.indicator.ip - threat_query: >- - @timestamp >= "now-30d/d" and event.module:(threatintel or - ti_*) and threat.indicator.ip:* and not - labels.is_ioc_transform_source:"true" - type: threat_match - example7: - summary: Update machine learning rule - value: - anomaly_threshold: 50 - description: New description of ml rule - id: 60b13926-289b-41b1-a537-197ef1fa5059 - machine_learning_job_id: - - auth_high_count_logon_events_ea - name: New name of ml rule - risk_score: 21 - severity: low - type: machine_learning + - malware schema: - $ref: '#/components/schemas/Security_Detections_API_RuleUpdateProps' - description: > - > info - - > All unspecified fields are deleted. You cannot modify the `id` or - `rule_id` values. + type: object + properties: + description: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListDescription' + name: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListName' + required: + - name + - description required: true responses: '200': content: application/json: examples: - example1: - summary: Example response for an updated rule + sharedList: + value: + _version: WzIsMV0= + created_at: '2025-01-07T19:34:27.942Z' + created_by: elastic + description: This is a sample detection type exception list. 
+ id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 + immutable: false + list_id: simple_list + name: Sample Detection Exception List + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 + type: detection + updated_at: '2025-01-07T19:34:27.942Z' + updated_by: elastic + version: 1 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request body]: list_id: Expected string, received number' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: value: - actions: [] - created_at: '2020-04-07T14:51:09.755Z' - created_by: elastic - description: Updated description for the rule. 
- enabled: false - false_positives: [] - filters: - - query: null - from: now-70m - id: 6541b99a-dee9-4f6d-a86d-dbd1869d73b1 - immutable: false - interval: 1h - language: kuery - max_signals: 100 - name: Updated Rule Name - query: >- - process.parent.name:EXCEL.EXE or - process.parent.name:MSPUB.EXE or - process.parent.name:OUTLOOK.EXE or - process.parent.name:POWERPNT.EXE or - process.parent.name:VISIO.EXE or - process.parent.name:WINWORD.EXE - references: [] - related_integrations: - - package: o365 - required_fields: - - name: process.parent.name - risk_score: 50 - rule_id: process_started_by_ms_office_program - setup: '' - severity: low - tags: - - child process - - ms office - threat: [] - to: now - type: query - updated_at: '2020-04-07T14:51:09.970Z' - updated_by: elastic - version: 2 + message: Unable to create exception-list + status_code: 403 schema: - $ref: '#/components/schemas/Security_Detections_API_RuleResponse' - description: Indicates a successful call. - summary: Update a detection rule + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '409': + content: + application/json: + examples: + alreadyExists: + value: + message: 'exception list id: "simple_list" already exists' + status_code: 409 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list already exists response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Create a shared exception list tags: - - Security Detections API - - Rules API - /api/detection_engine/rules/_bulk_action: - post: - description: > - Apply a bulk action, such as bulk edit, duplicate, or delete, to - multiple detection rules. 
The bulk action is applied to all rules that - match the query or to the rules listed by their IDs. - - - The edit action allows you to add, delete, or set tags, index patterns, - investigation fields, rule actions and schedules for multiple rules at - once. - - The edit action is idempotent, meaning that if you add a tag to a rule - that already has that tag, no changes are made. The same is true for - other edit actions, for example removing an index pattern that is not - specified in a rule will not result in any changes. The only exception - is the `add_rule_actions` and `set_rule_actions` action, which is - non-idempotent. This means that if you add or set a rule action to a - rule that already has that action, a new action is created with a new - unique ID. - - > warn - - > When used with [API - key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, - the user's key gets assigned to the affected rules. If the user's key - gets deleted or the user becomes inactive, the rules will stop running. - - - > If the API key that is used for authorization has different privileges - than the key that created or most recently updated the rule, the rule - behavior might change. - operationId: PerformRulesBulkAction - parameters: - - description: > - Enables dry run mode for the request call. - - - Enable dry run mode to verify that bulk actions can be applied to - specified rules. Certain rules, such as prebuilt Elastic rules on a - Basic subscription, can’t be edited and will return errors in the - request response. Error details will contain an explanation, the - rule name and/or ID, and additional troubleshooting information. 
- + - Security Exceptions API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agent_download_sources: + get: + description: |- + **Spaces method and path for this operation:** - To enable dry run mode on a request, add the query parameter - `dry_run=true` to the end of the request URL. Rules specified in the - request will be temporarily updated. These updates won’t be written - to Elasticsearch. +
get /s/{space_id}/api/fleet/agent_download_sources
- > info + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - > Dry run mode is not supported for the `export` bulk action. A 400 - error will be returned in the request response. - in: query - name: dry_run - required: false - schema: - type: boolean - requestBody: - content: - application/json: - examples: - example01: - description: The following request activates all rules with the test tag. - summary: Enable - Enable all rules with the test tag - value: - action: enable - query: 'alert.attributes.tags: "test"' - example02: - description: The following request enables the rule with the specified ID. - summary: Enable - Enable a specific rule by ID. - value: - action: enable - ids: - - 748694f0-6977-4ea5-8384-cd2e39730779 - example03: - description: The following request disables the rule with the specified ID. - summary: Disable - Disable a specific rule by ID - value: - action: disable - ids: - - 748694f0-6977-4ea5-8384-cd2e39730779 - example04: - description: >- - The following request duplicates rules with the specified IDs, - including exceptions but not expired exceptions. - summary: Duplicate - Duplicate rules with specific IDs - value: - action: duplicate - duplicate: - include_exceptions: true - include_expired_exceptions: false - ids: - - 748694f0-6977-4ea5-8384-cd2e39730779 - - 461a4c22-416e-4009-a9a7-cf79656454bf - example05: - description: The following request deletes the rule with the specified ID. - summary: Delete - Delete a specific rule by ID - value: - action: delete - ids: - - cf4abfd1-7c37-4519-ab0f-5ea5c75fac60 - example06: - description: >- - The following request runs the rule with the specified ID - within the given date range. 
- summary: Run - Run a specific rule by ID - value: - action: run - ids: - - 748694f0-6977-4ea5-8384-cd2e39730779 - run: - end_date: '2025-03-10T23:59:59.999Z' - start_date: '2025-03-01T00:00:00.000Z' - example07: - description: >- - The following request exports the rules with the specified - IDs. - summary: Export - Export specific rules by ID - value: - action: export - ids: - - 748694f0-6977-4ea5-8384-cd2e39730779 - example08: - description: >- - The following request will validate that the - add_index_patterns bulk action can be successfully applied to - three rules. The dry_run parameter is specified in query - parameters, e.g. POST - api/detection_engine/rules/_bulk_action?dry_run=true - summary: Edit - dry run - Validate add_index_patterns bulk action - value: - action: edit - edit: - - type: add_index_patterns - value: - - test-* - ids: - - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 - - dc015d10-0831-11ed-ac8b-05a222bd8d4a - - de8f5af0-0831-11ed-ac8b-05a222bd8d4a - example09: - description: >- - The following request adds the tag "tag-1" to the rules with - the specified IDs. If the tag already exists for a rule, no - changes are made. - summary: Edit - Add a tag to rules (idempotent) - value: - action: edit - edit: - - type: add_tags - value: - - tag-1 - ids: - - 8bc7dad0-9320-11ec-9265-8b772383a08d - - 8e5c1a40-9320-11ec-9265-8b772383a08d - example10: - description: >- - The following request adds two tags at the same time, tag-1 - and tag-2, to the rules that have the IDs sent in the payload. - If the tags already exist for a rule, no changes are made. - summary: Edit - Add two tags to rules (idempotent) - value: - action: edit - edit: - - type: add_tags - value: - - tag-1 - - tag-2 - ids: - - 8bc7dad0-9320-11ec-9265-8b772383a08d - - 8e5c1a40-9320-11ec-9265-8b772383a08d - example11: - description: >- - The following request removes the tag "tag-1" from the rules - with the specified IDs. If the tag does not exist for a rule, - no changes are made. 
- summary: Edit - Delete a tag from rules (idempotent) - value: - action: edit - edit: - - type: delete_tags - value: - - tag-1 - ids: - - 8bc7dad0-9320-11ec-9265-8b772383a08d - - 8e5c1a40-9320-11ec-9265-8b772383a08d - example12: - description: >- - The following request sets the tags "tag-1" and "tag-2" for - the rules with the specified IDs, overwriting any existing - tags. If the set of tags is the same as the existing tags, no - changes are made. - summary: Edit - Set (overwrite existing) tags for rules (idempotent) - value: - action: edit - edit: - - type: set_tags - value: - - tag-1 - - tag-2 - ids: - - 8bc7dad0-9320-11ec-9265-8b772383a08d - - 8e5c1a40-9320-11ec-9265-8b772383a08d - example13: - description: >- - The following request adds the index pattern "test-*" to the - rules with the specified IDs. If the index pattern already - exists for a rule, no changes are made. - summary: Edit - Add index patterns to rules (idempotent) - value: - action: edit - edit: - - type: add_index_patterns - value: - - test-* - ids: - - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 - - dc015d10-0831-11ed-ac8b-05a222bd8d4a - example14: - description: >- - The following request removes the index pattern "test-*" from - the rules with the specified IDs. If the index pattern does - not exist for a rule, no changes are made. - summary: Edit - Remove index patterns from rules (idempotent) - value: - action: edit - edit: - - type: delete_index_patterns - value: - - test-* - ids: - - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 - - dc015d10-0831-11ed-ac8b-05a222bd8d4a - example15: - description: >- - The following request sets the index patterns "test-*" and - "prod-*" for the rules with the specified IDs, overwriting any - existing index patterns. If the set of index patterns is the - same as the existing index patterns, no changes are made. 
- summary: >- - Edit - Set (overwrite existing) index patterns for rules - patterns (idempotent) - value: - action: edit - edit: - - type: set_index_patterns - value: - - test-* - ids: - - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 - - dc015d10-0831-11ed-ac8b-05a222bd8d4a - example16: - description: >- - The following request adds investigation field to the rules - with the specified IDs. - summary: Edit - Add investigation field to rules - value: - action: edit - edit: - - type: add_investigation_fields - value: - field_names: - - alert.status - ids: - - 12345678-1234-1234-1234-1234567890ab - - 87654321-4321-4321-4321-0987654321ba - example17: - description: >- - The following request deletes investigation fields from the - rules with the specified IDs. If the field does not exist for - a rule, no changes are made. - summary: Edit - Delete investigation fields from rules (idempotent) - value: - action: edit - edit: - - type: delete_investigation_fields - ids: - - 12345678-1234-1234-1234-1234567890ab - - 87654321-4321-4321-4321-0987654321ba - value: - - field1 - - field2 - example18: - description: >- - The following request sets investigation fields for the rules - with the specified IDs, overwriting any existing investigation - fields. If the set of investigation fields is the same as the - existing investigation fields, no changes are made. - summary: >- - Edit - Set (overwrite existing) investigation fields for rules - (idempotent) - value: - action: edit - edit: - - type: set_investigation_fields - value: - - field1 - - field2 - ids: - - 12345678-1234-1234-1234-1234567890ab - - 87654321-4321-4321-4321-0987654321ba - example19: - description: >- - The following request sets a timeline template for the rules - with the specified IDs. If the same timeline template is - already set for a rule, no changes are made. 
- summary: >- - Edit - Set (overwrite existing) timeline template for rules - (idempotent) - value: - action: edit - edit: - - type: set_timeline - value: - timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd - timeline_title: Alerts Involving a Single User Timeline - ids: - - eacdfc95-e007-41c9-986e-4b2cbdfdc71b - example20: - description: >- - The following request sets a schedule for the rules with the - specified IDs. If the same schedule is already set for a rule, - no changes are made. - summary: >- - Edit - Set (overwrite existing) schedule for rules - (idempotent) - value: - action: edit - edit: - - type: set_schedule - value: - interval: 1h - lookback: 30m - ids: - - 99887766-5544-3322-1100-aabbccddeeff - example21: - description: >- - The following request adds rule actions to the rules with the - specified IDs. Each new action receives its own unique ID. - summary: Edit - Add rule actions to rules (non-idempotent) - value: - action: edit - edit: - - type: add_rule_actions - value: - actions: - - group: default - id: 20fbf986-a270-460e-80f3-7b83c08b430f - params: - body: The message body - ids: - - 9e946bfc-3118-4c77-bb25-67d781191928 - example22: - description: >- - The following request sets rule actions for the rules with the - specified IDs. Each action receives its own unique ID. - summary: >- - Edit - Set (overwrite existing) rule actions for rules - (non-idempotent) - value: - action: edit - edit: - - type: set_rule_actions - value: - actions: - - group: default - id: 20fbf986-a270-460e-80f3-7b83c08b430f - params: - body: The message body - ids: - - 9e946bfc-3118-4c77-bb25-67d781191928 - example23: - description: >- - The following request adds rule actions to the rules with the - specified IDs. Each new action receives its own unique ID. 
- summary: Edit - Add rule actions to rules for a webhook connector - value: - action: edit - edit: - - type: add_rule_actions - value: - actions: - - group: default3 - id: 20fbf986-a270-460e-80f3-7b83c08b430f - params: - body: The message body - ids: - - 9e946bfc-3118-4c77-bb25-67d781191921 - example24: - description: >- - The following request adds rule actions to the rules with the - specified IDs. Each new action receives its own unique ID. - summary: Edit - Add rule actions to rules for an email connector - value: - action: edit - edit: - - type: add_rule_actions - value: - actions: - - group: default3 - id: 20fbf986-a270-460e-80f3-7b83c08b430f - params: - message: The message body - subject: Subject - to: address@domain.com - ids: - - 9e946bfc-3118-4c77-bb25-67d781191921 - example25: - description: >- - The following request adds rule actions to the rules with the - specified IDs. Each new action receives its own unique ID. - summary: Edit - Add rule actions to rules for a slack connector - value: - action: edit - edit: - - type: add_rule_actions - value: - actions: - - group: default3 - id: 20fbf986-a270-460e-80f3-7b83c08b430f - params: - message: The content of the message - ids: - - 9e946bfc-3118-4c77-bb25-67d781191921 - example26: - description: >- - The following request adds rule actions to the rules with the - specified IDs. Each new action receives its own unique ID. - summary: Edit - Add rule actions to rules for a PagerDuty connector - value: - action: edit - edit: - - type: add_rule_actions - value: - actions: - - group: default3 - id: 20fbf986-a270-460e-80f3-7b83c08b430f - params: - eventAction: trigger - severity: critical - summary: The message body - timestamp: 2023-10-31T00:00:00.000Z - ids: - - 9e946bfc-3118-4c77-bb25-67d781191921 - example27: - description: >- - The following request set alert suppression to the rules with - the specified IDs. 
- summary: Edit - Set alert suppression to rules (idempotent) - value: - action: edit - edit: - - type: set_alert_suppression - value: - duration: - unit: h - value: 1 - group_by: - - source.ip - missing_fields_strategy: suppress - ids: - - 12345678-1234-1234-1234-1234567890ab - - 87654321-4321-4321-4321-0987654321ba - example28: - description: >- - The following request set alert suppression to threshold rules - with the specified IDs. - summary: Edit - Set alert suppression to threshold rules (idempotent) - value: - action: edit - edit: - - type: set_alert_suppression_for_threshold - value: - duration: - unit: h - value: 1 - ids: - - 12345678-1234-1234-1234-1234567890ab - - 87654321-4321-4321-4321-0987654321ba - example29: - description: >- - The following request removes alert suppression from the rules - with the specified IDs. If the rules do not have alert - suppression, no changes are made. - summary: Edit - Removes alert suppression from rules (idempotent) - value: - action: edit - edit: - - type: delete_alert_suppression - ids: - - 12345678-1234-1234-1234-1234567890ab - - 87654321-4321-4321-4321-0987654321ba - example30: - description: >- - The following request triggers the filling of gaps for the - specified rule ids and time range - summary: >- - Fill Gaps - Manually trigger the filling of gaps for specified - rules - value: - action: fill_gaps - ids: - - 748694f0-6977-4ea5-8384-cd2e39730779 - - 164d0918-f720-4c9f-9f5c-c5122587cf19 - run: - end_date: '2025-03-10T23:59:59.999Z' - start_date: '2025-03-01T00:00:00.000Z' - schema: - oneOf: - - $ref: '#/components/schemas/Security_Detections_API_BulkDeleteRules' - - $ref: >- - #/components/schemas/Security_Detections_API_BulkDisableRules - - $ref: '#/components/schemas/Security_Detections_API_BulkEnableRules' - - $ref: '#/components/schemas/Security_Detections_API_BulkExportRules' - - $ref: >- - #/components/schemas/Security_Detections_API_BulkDuplicateRules - - $ref: >- - 
#/components/schemas/Security_Detections_API_BulkManualRuleRun - - $ref: >- - #/components/schemas/Security_Detections_API_BulkManualRuleFillGaps - - $ref: '#/components/schemas/Security_Detections_API_BulkEditRules' + List all agent binary download sources.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-settings-read. + operationId: get-fleet-agent-download-sources + parameters: [] responses: '200': content: application/json: examples: - example01: - description: >- - In this response one rule was updated and one was skipped. - Objects returned in attributes.results.skipped will only - include rules' id, name, and skip_reason. - summary: Successful response - value: - attributes: - results: - created: [] - deleted: [] - skipped: - - id: 51658332-a15e-4c9e-912a-67214e2e2359 - name: Skipped rule - skip_reason: RULE_NOT_MODIFIED - updated: - - anomaly_threshold: 50 - author: - - Elastic - created_at: '2022-02-21T14:14:13.801Z' - created_by: elastic - description: >- - A machine learning job detected unusually large - numbers of DNS queries for a single top-level DNS - domain, which is often used for DNS tunneling. DNS - tunneling can be used for command-and-control, - persistence, or data exfiltration activity. For - example, dnscat tends to generate many DNS - questions for a top-level domain as it uses the - DNS protocol to tunnel data. - enabled: true - exceptions_list: [] - execution_summary: - last_execution: - date: '2022-03-23T16:06:12.787Z' - message: >- - This rule attempted to query data from - Elasticsearch indices listed in the "Index - pattern" section of the rule definition, but - no matching index was found. - metrics: - execution_gap_duration_s: 0 - total_indexing_duration_ms: 15 - total_search_duration_ms: 135 - status: partial failure - status_order: 20 - false_positives: - - >- - DNS domains that use large numbers of child - domains, such as software or content - distribution networks, can trigger this alert - and such parent domains can be excluded. 
- from: now-45m - id: 8bc7dad0-9320-11ec-9265-8b772383a08d - immutable: false - interval: 15m - license: Elastic License v2 - machine_learning_job_id: - - packetbeat_dns_tunneling_ea - max_signals: 100 - name: DNS Tunneling [Duplicate] - references: - - >- - https://www.elastic.co/docs/reference/machine-learning/ootb-ml-jobs-siem - related_integrations: [] - required_fields: [] - risk_score: 21 - risk_score_mapping: [] - rule_id: 7289bf08-4e91-4c70-bf01-e04c4c5d7756 - setup: '' - severity: low - severity_mapping: [] - tags: - - Elastic - - Network - - Threat Detection - - ML - threat: [] - to: now - type: machine_learning - updated_at: '2022-02-21T17:05:50.883Z' - updated_by: elastic - version: 6 - summary: - failed: 0 - skipped: 1 - succeeded: 1 - total: 2 - rules_count: 1 - success: true - example02: - description: >- - If processing of any rule fails, a partial error outputs the - ID and/or name of the affected rule and the corresponding - error, as well as successfully processed rules (in the same - format as a successful 200 request). - summary: Partial failure - value: - value: - attributes: - errors: - - message: >- - Index patterns can't be added. Machine learning - rule doesn't have index patterns property - rules: - - id: 8bc7dad0-9320-11ec-9265-8b772383a08d - name: DNS Tunneling [Duplicate] - status_code: 500 - results: - created: [] - deleted: [] - skipped: [] - updated: - - actions: [] - author: - - Elastic - created_at: '2022-02-21T14:14:17.883Z' - created_by: elastic - description: >- - Generates a detection alert for each external - alert written to the configured indices. - Enabling this rule allows you to immediately - begin investigating external alerts in the app. 
- enabled: true - exceptions_list: [] - execution_summary: - last_execution: - date: '2022-03-23T16:06:12.787Z' - message: >- - This rule attempted to query data from - Elasticsearch indices listed in the "Index - pattern" section of the rule definition, but - no matching index was found. - metrics: - execution_gap_duration_s: 0 - total_indexing_duration_ms: 15 - total_search_duration_ms: 135 - status: partial failure - status_order: 20 - false_positives: [] - from: now-6m - id: 8e5c1a40-9320-11ec-9265-8b772383a08d - immutable: false - index: - - apm-*-transaction* - - traces-apm* - - auditbeat-* - - filebeat-* - - logs-* - - packetbeat-* - - winlogbeat-* - - added-by-id-* - interval: 5m - language: kuery - license: Elastic License v2 - max_signals: 10000 - name: External Alerts [Duplicate] - query: > - event.kind:alert and not event.module:(endgame - or endpoint) - references: [] - related_integrations: [] - required_fields: [] - risk_score: 47 - risk_score_mapping: - - field: event.risk_score - operator: equals - value: '' - rule_id: 941faf98-0cdc-4569-b16d-4af962914d61 - rule_name_override: message - setup: '' - severity: medium - severity_mapping: - - field: event.severity - operator: equals - severity: low - value: '21' - - field: event.severity - operator: equals - severity: medium - value: '47' - - field: event.severity - operator: equals - severity: high - value: '73' - - field: event.severity - operator: equals - severity: critical - value: '99' - tags: - - Elastic - - Network - - Windows - - APM - - macOS - - Linux - threat: [] - timestamp_override: event.ingested - to: now - type: query - updated_at: '2022-02-21T16:56:22.818Z' - updated_by: elastic - version: 5 - summary: - failed: 1 - skipped: 0 - succeeded: 1 - total: 2 - message: Bulk edit partially failed - rules_count: 2 - status_code: 500 - success: false - example03: - description: >- - The attributes.errors section of the response shows that two - rules failed to update and one succeeded. 
The same results - would be returned if you ran the request without dry run - mode enabled. Notice that there are no arrays in - attributes.results. In dry run mode, rule updates are not - applied and saved to Elasticsearch, so the endpoint wouldn’t - return results for rules that have been updated, created, or - deleted. - summary: Dry run - value: - attributes: - errors: - - err_code: IMMUTABLE - message: Elastic rule can't be edited - rules: - - id: 81aa0480-06af-11ed-94fb-dd1a0597d8d2 - name: Unusual AWS Command for a User - status_code: 500 - - err_code: MACHINE_LEARNING_INDEX_PATTERN - message: Machine learning rule doesn't have index patterns - rules: - - id: dc015d10-0831-11ed-ac8b-05a222bd8d4a - name: Suspicious Powershell Script [Duplicate] - status_code: 500 - results: - created: [] - deleted: [] - skipped: [] - updated: [] - summary: - failed: 2 - skipped: 0 - succeeded: 1 - total: 3 - message: Bulk edit partially failed - status_code: 500 - example04: - description: >- - This example presents the successful setting of tags for 2 - rules. There was a difference between the set of tags that - were being added and the tags that were already set in the - rules, that's why the rules were updated. 
- summary: Set tags successsully for 2 rules + getDownloadSourcesExample: + description: List of agent binary download sources + value: + items: + - host: https://artifacts.elastic.co/downloads/ + id: download-source-id-1 + is_default: true + name: Elastic Artifacts + page: 1 + perPage: 20 + total: 1 + schema: + additionalProperties: false + type: object + properties: + items: + items: + additionalProperties: false + type: object + properties: + auth: + additionalProperties: false + nullable: true + type: object + properties: + api_key: + type: string + headers: + items: + additionalProperties: false + type: object + properties: + key: + type: string + value: + type: string + required: + - key + - value + maxItems: 100 + type: array + password: + type: string + username: + type: string + host: + format: uri + type: string + id: + type: string + is_default: + default: false + type: boolean + name: + type: string + proxy_id: + description: The ID of the proxy to use for this download source. See the proxies API for more information. 
+ nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + auth: + additionalProperties: false + type: object + properties: + api_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + password: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + key: + type: string + required: + - id + - name + - host + maxItems: 10000 + type: array + page: + type: number + perPage: + type: number + total: + type: number + required: + - items + - total + - page + - perPage + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response value: - attributes: - results: - created: [] - deleted: [] - skipped: [] - updated: - - actions: [] - author: [] - created_at: '2025-03-25T11:46:41.899Z' - created_by: elastic - description: test - enabled: false - exceptions_list: [] - false_positives: [] - filters: [] - from: now-6m - id: 738112cd-6cfa-414a-8457-2a658845d6ba - immutable: false - index: - - apm-*-transaction* - - auditbeat-* - - endgame-* - - filebeat-* - - logs-* - - packetbeat-* - - traces-apm* - - winlogbeat-* - - '-*elastic-cloud-logs-*' - interval: 5m - language: kuery - license: '' - max_signals: 100 - meta: - kibana_siem_app_url: http://localhost:5601/kbn/app/security - name: Rule 1 - output_index: '' - query: '*' - references: [] - related_integrations: [] - required_fields: [] - revision: 1 - 
risk_score: 21 - risk_score_mapping: [] - rule_id: 6fb746a0-dfe5-40fa-b03f-5cbb84f3e32e - rule_source: - type: internal - setup: '' - severity: low - severity_mapping: [] - tags: - - tag-1 - - tag-2 - threat: [] - to: now - type: query - updated_at: '2025-03-25T11:47:11.350Z' - updated_by: elastic - version: 2 - - actions: - - action_type_id: .webhook - frequency: - notifyWhen: onActiveAlert - summary: true - throttle: null - group: default - id: 20fbf986-a270-460e-80f3-7b83c08b430f - params: - body: Hello - uuid: 580e2e16-5e91-411c-999b-7b75a11ed441 - author: [] - created_at: '2025-03-25T09:49:08.343Z' - created_by: elastic - description: test - enabled: false - exceptions_list: [] - false_positives: [] - filters: [] - from: now-360s - id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b - immutable: false - index: - - apm-*-transaction* - - auditbeat-* - - endgame-* - - filebeat-* - - logs-* - - packetbeat-* - - traces-apm* - - winlogbeat-* - - '-*elastic-cloud-logs-*' - interval: 3m - investigation_fields: - field_names: - - alert.status - - >- - Endpoint.policy.applied.artifacts.global.channel - language: kuery - license: '' - max_signals: 100 - meta: - from: 3m - kibana_siem_app_url: http://localhost:5601/kbn/app/security - name: Rule 2 - output_index: '' - query: '*' - references: [] - related_integrations: [] - required_fields: [] - revision: 33 - risk_score: 21 - risk_score_mapping: [] - rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180 - rule_source: - type: internal - setup: '' - severity: low - severity_mapping: [] - tags: - - tag-1 - - tag-2 - threat: [] - timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd - timeline_title: Alerts Involving a Single User Timeline - to: now - type: query - updated_at: '2025-03-25T11:47:11.357Z' - updated_by: elastic - version: 24 - summary: - failed: 0 - skipped: 0 - succeeded: 2 - total: 2 - rules_count: 2 - success: true - example05: - description: >- - This example presents the idempotent behavior of the edit - action with set_tags 
request. Both rules already had exactly - the same tags that were being added, so no changes were made - in any of them. - summary: Idempotent behavior of set_tags + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get agent binary download sources + tags: + - Elastic Agent binary download sources + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agent_download_sources
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new agent binary download source.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: post-fleet-agent-download-sources + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + postDownloadSourceRequestExample: + description: Create a new agent binary download source + value: + host: https://my-custom-host.example.com/downloads/ + is_default: false + name: My custom download source + schema: + additionalProperties: false + type: object + properties: + auth: + additionalProperties: false + nullable: true + type: object + properties: + api_key: + type: string + headers: + items: + additionalProperties: false + type: object + properties: + key: + type: string + value: + type: string + required: + - key + - value + maxItems: 100 + type: array + password: + type: string + username: + type: string + host: + format: uri + type: string + id: + type: string + is_default: + default: false + type: boolean + name: + type: string + proxy_id: + description: The ID of the proxy to use for this download source. See the proxies API for more information. 
+ nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + auth: + additionalProperties: false + type: object + properties: + api_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + password: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + key: + type: string + required: + - name + - host + responses: + '200': + content: + application/json: + examples: + postDownloadSourceExample: + description: The created agent binary download source value: - attributes: - results: - created: [] - deleted: [] - skipped: - - id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b - name: Rule 1 - skip_reason: RULE_NOT_MODIFIED - - id: 738112cd-6cfa-414a-8457-2a658845d6ba - name: Rule 2 - skip_reason: RULE_NOT_MODIFIED - updated: [] - summary: - failed: 0 - skipped: 2 - succeeded: 0 - total: 2 - rules_count: 2 - success: true - example06: - description: >- - This example presents the idempotent behavior of the edit - action with add_tags request. One rule was updated and one - was skipped. The rule that was skipped already had all the - tags that were being added. 
- summary: Idempotent behavior of add_tags + item: + host: https://my-custom-host.example.com/downloads/ + id: download-source-id-2 + is_default: false + name: My custom download source + schema: + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + auth: + additionalProperties: false + nullable: true + type: object + properties: + api_key: + type: string + headers: + items: + additionalProperties: false + type: object + properties: + key: + type: string + value: + type: string + required: + - key + - value + maxItems: 100 + type: array + password: + type: string + username: + type: string + host: + format: uri + type: string + id: + type: string + is_default: + default: false + type: boolean + name: + type: string + proxy_id: + description: The ID of the proxy to use for this download source. See the proxies API for more information. + nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + auth: + additionalProperties: false + type: object + properties: + api_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + password: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + key: + type: string + required: + - id + - name + - host + required: + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response value: 
- attributes: - results: - created: [] - deleted: [] - skipped: - - id: 738112cd-6cfa-414a-8457-2a658845d6ba - name: Test Rule 2 - skip_reason: RULE_NOT_MODIFIED - updated: - - actions: - - action_type_id: .webhook - frequency: - notifyWhen: onActiveAlert - summary: true - throttle: null - group: default - id: 20fbf986-a270-460e-80f3-7b83c08b430f - params: - body: Hello - uuid: 580e2e16-5e91-411c-999b-7b75a11ed441 - author: [] - created_at: '2025-03-25T09:49:08.343Z' - created_by: elastic - description: test - enabled: false - exceptions_list: [] - false_positives: [] - filters: [] - from: now-360s - id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b - immutable: false - index: - - apm-*-transaction* - - auditbeat-* - - endgame-* - - filebeat-* - - logs-* - - packetbeat-* - - traces-apm* - - winlogbeat-* - - '-*elastic-cloud-logs-*' - interval: 3m - investigation_fields: - field_names: - - alert.status - - >- - Endpoint.policy.applied.artifacts.global.channel - language: kuery - license: '' - max_signals: 100 - meta: - from: 3m - kibana_siem_app_url: http://localhost:5601/kbn/app/security - name: Test rule - output_index: '' - query: '*' - references: [] - related_integrations: [] - required_fields: [] - revision: 34 - risk_score: 21 - risk_score_mapping: [] - rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180 - rule_source: - type: internal - setup: '' - severity: low - severity_mapping: [] - tags: - - tag-1 - - tag-2 - - tag-4 - threat: [] - timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd - timeline_title: Alerts Involving a Single User Timeline - to: now - type: query - updated_at: '2025-03-25T11:55:12.752Z' - updated_by: elastic - version: 25 - summary: - failed: 0 - skipped: 1 - succeeded: 1 - total: 2 - rules_count: 2 - success: true - example07: - description: >- - This example shows a non-idempotent nature of the - set_rule_actions requests. 
Regardless if the actions are the - same as the existing actions for a rule, the actions are - always set in the rule and receive a new unique ID. - summary: Non-idempotent behavior for set_rule_actions + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Create an agent binary download source + tags: + - Elastic Agent binary download sources + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agent_download_sources/{sourceId}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/agent_download_sources/{sourceId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete an agent binary download source by ID.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: delete-fleet-agent-download-sources-sourceid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The ID of the download source + in: path + name: sourceId + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + deleteDownloadSourceExample: + description: The download source was successfully deleted value: - attributes: - results: - created: [] - deleted: [] - skipped: [] - updated: - - actions: - - action_type_id: .webhook - frequency: - notifyWhen: onActiveAlert - summary: true - throttle: null - group: default - id: 20fbf986-a270-460e-80f3-7b83c08b430f - params: - body: Hello - uuid: e48428e5-efac-4856-b8ad-b271c14eaa91 - author: [] - created_at: '2025-03-25T09:49:08.343Z' - created_by: elastic - description: test - enabled: false - exceptions_list: [] - false_positives: [] - filters: [] - from: now-360s - id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b - immutable: false - index: - - apm-*-transaction* - - auditbeat-* - - endgame-* - - filebeat-* - - logs-* - - packetbeat-* - - traces-apm* - - winlogbeat-* - - '-*elastic-cloud-logs-*' - interval: 3m - investigation_fields: - field_names: - - alert.status - - >- - Endpoint.policy.applied.artifacts.global.channel - language: kuery - license: '' - max_signals: 100 - meta: - from: 3m - kibana_siem_app_url: http://localhost:5601/kbn/app/security - name: Test rule - output_index: '' - query: '*' - references: [] - related_integrations: [] - required_fields: [] - revision: 39 - risk_score: 21 - risk_score_mapping: [] - rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180 - rule_source: - type: internal - setup: '' - severity: low - severity_mapping: [] - tags: - - tag-1 - - tag-2 - - tag-4 - threat: [] - timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd - 
timeline_title: Alerts Involving a Single User Timeline - to: now - type: query - updated_at: '2025-03-25T12:17:40.528Z' - updated_by: elastic - version: 30 - summary: - failed: 0 - skipped: 0 - succeeded: 1 - total: 1 - rules_count: 1 - success: true - example08: - description: >- - This example shows a non-idempotent nature of the - add_rule_actions requests. Regardless if the added action is - the same as another existing action for a rule, the new - action is added to the rule and receives a new unique ID. - summary: Non-idempotent behavior for add_rule_actions + id: download-source-id-1 + schema: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response value: - attributes: - results: - created: [] - deleted: [] - skipped: [] - updated: - - actions: - - action_type_id: .webhook - frequency: - notifyWhen: onActiveAlert - summary: true - throttle: null - group: default - id: 76af173d-38d8-4a9a-b2cc-a3c695b845b4 - params: - body: Message body - uuid: 0309347e-3954-429c-9168-5da2663389af - - action_type_id: .webhook - frequency: - notifyWhen: onActiveAlert - summary: true - throttle: null - group: default - id: 76af173d-38d8-4a9a-b2cc-a3c695b845b4 - params: - body: Message body - uuid: 49ddaa94-d63d-410e-90dc-8c1bad9552bd - author: [] - created_at: '2025-04-02T12:42:03.400Z' - created_by: elastic - description: test - enabled: false - exceptions_list: [] - false_positives: [] - filters: [] - from: now-6m - id: 0d3eb0cd-88c4-4651-ac87-6d9f0cb87217 - immutable: false - index: - - apm-*-transaction* - - auditbeat-* - - endgame-* - - filebeat-* - - logs-* - - packetbeat-* - - traces-apm* - - winlogbeat-* - - '-*elastic-cloud-logs-*' - interval: 5m - language: kuery - license: '' - max_signals: 100 - meta: - kibana_siem_app_url: 
http://localhost:5601/kbn/app/security - name: Jacek test rule - output_index: '' - query: '*' - references: [] - related_integrations: [] - required_fields: [] - revision: 2 - risk_score: 21 - risk_score_mapping: [] - rule_id: 2684c020-1370-4719-ac27-eafe6428fe10 - rule_source: - type: internal - setup: '' - severity: low - severity_mapping: [] - tags: [] - threat: [] - to: now - type: query - updated_at: '2025-04-02T12:51:40.215Z' - updated_by: elastic - version: 2 - summary: - failed: 0 - skipped: 0 - succeeded: 1 - total: 1 - rules_count: 1 - success: true + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Detections_API_BulkEditActionResponse - - $ref: >- - #/components/schemas/Security_Detections_API_BulkExportActionResponse - description: OK - summary: Apply a bulk action to detection rules + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No download source was found with the given ID + value: + error: Not Found + message: Agent binary source download-source-id-1 not found + statusCode: 404 + description: Not Found + summary: Delete an agent binary download source tags: - - Security Detections API - - Bulk API - /api/detection_engine/rules/_export: - post: - description: > - Export detection rules to an `.ndjson` file. The following configuration - items are also included in the `.ndjson` file: - - - Actions - - - Exception lists + - Elastic Agent binary download sources + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: |- + **Spaces method and path for this operation:** - > info +
get /s/{space_id}/api/fleet/agent_download_sources/{sourceId}
- > Rule actions and connectors are included in the exported file, but - sensitive information about the connector (such as authentication - credentials) is not included. You must re-add missing connector details - after importing detection rules. + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + Get an agent binary download source by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-settings-read. + operationId: get-fleet-agent-download-sources-sourceid + parameters: + - description: The ID of the download source + in: path + name: sourceId + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getDownloadSourceExample: + description: An agent binary download source + value: + item: + host: https://artifacts.elastic.co/downloads/ + id: download-source-id-1 + is_default: true + name: Elastic Artifacts + schema: + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + auth: + additionalProperties: false + nullable: true + type: object + properties: + api_key: + type: string + headers: + items: + additionalProperties: false + type: object + properties: + key: + type: string + value: + type: string + required: + - key + - value + maxItems: 100 + type: array + password: + type: string + username: + type: string + host: + format: uri + type: string + id: + type: string + is_default: + default: false + type: boolean + name: + type: string + proxy_id: + description: The ID of the proxy to use for this download source. See the proxies API for more information. 
+ nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + auth: + additionalProperties: false + type: object + properties: + api_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + password: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + key: + type: string + required: + - id + - name + - host + required: + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No download source was found with the given ID + value: + error: Not Found + message: Agent binary source download-source-id-1 not found + statusCode: 404 + description: Not Found + summary: Get an agent binary download source + tags: + - Elastic Agent binary download sources + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** - > 
You can use Kibana’s [Saved - Objects](https://www.elastic.co/docs/explore-analyze/find-and-organize/saved-objects) - UI (Stack Management → Kibana → Saved Objects) or the Saved Objects APIs - (experimental) to - [export](https://www.elastic.co/docs/api/doc/kibana/operation/operation-exportsavedobjectsdefault) - and - [import](https://www.elastic.co/docs/api/doc/kibana/operation/operation-importsavedobjectsdefault) - any necessary connectors before importing detection rules. +
put /s/{space_id}/api/fleet/agent_download_sources/{sourceId}
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - > Similarly, any value lists used for rule exceptions are not included - in rule exports or imports. Use the [Manage value - lists](https://www.elastic.co/docs/solutions/security/detect-and-alert/create-manage-value-lists) - UI (Rules → Detection rules (SIEM) → Manage value lists) to export and - import value lists separately. - operationId: ExportRules + Update an agent binary download source by ID.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: put-fleet-agent-download-sources-sourceid parameters: - - description: Determines whether a summary of the exported rules is returned. - in: query - name: exclude_export_details - required: false + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - default: false - type: boolean - - description: > - File name for saving the exported rules. - - > info - - > When using cURL to export rules to a file, use the -O and -J - options to save the rules to the file name specified in the URL. - in: query - name: file_name - required: false + example: 'true' + type: string + - description: The ID of the download source + in: path + name: sourceId + required: true schema: - default: export.ndjson type: string requestBody: content: application/json: examples: - exportByRuleIds: - summary: Request body to export a subset of rules + putDownloadSourceRequestExample: + description: Update an agent binary download source value: - objects: - - rule_id: 343580b5-c811-447c-8d2d-2ccf052c6900 - - rule_id: 2938c9fa-53eb-4c04-b79c-33cbf041b18d + host: https://updated-host.example.com/downloads/ + is_default: false + name: Updated download source schema: - nullable: true + additionalProperties: false type: object properties: - objects: - description: >- - Array of objects with a rule's `rule_id` field. Do not use - rule's `id` here. Exports all rules when unspecified. 
- items: - type: object - properties: - rule_id: - $ref: >- - #/components/schemas/Security_Detections_API_RuleSignatureId - required: - - rule_id - type: array + auth: + additionalProperties: false + nullable: true + type: object + properties: + api_key: + type: string + headers: + items: + additionalProperties: false + type: object + properties: + key: + type: string + value: + type: string + required: + - key + - value + maxItems: 100 + type: array + password: + type: string + username: + type: string + host: + format: uri + type: string + id: + type: string + is_default: + default: false + type: boolean + name: + type: string + proxy_id: + description: The ID of the proxy to use for this download source. See the proxies API for more information. + nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + auth: + additionalProperties: false + type: object + properties: + api_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + password: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + key: + type: string required: - - objects - required: false + - name + - host responses: '200': content: - application/ndjson: + application/json: examples: - sampleNdjson: - value: > - {"rule_id":"343580b5-c811-447c-8d2d-2ccf052c6900","name":"Example - rule","type":"query","enabled":true} - - {"exception_list":true} - - {"export_summary":{"total_rules":1,"exceptions_count":0}} + putDownloadSourceExample: + 
description: The updated agent binary download source + value: + item: + host: https://updated-host.example.com/downloads/ + id: download-source-id-1 + is_default: false + name: Updated download source schema: - description: > - An `.ndjson` file containing the returned rules. - - - Each line in the file represents an object (a rule, exception - list parent container, or exception list item), and the last - line includes a summary of what was exported. - format: binary - type: string - description: Indicates a successful call. - summary: Export detection rules + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + auth: + additionalProperties: false + nullable: true + type: object + properties: + api_key: + type: string + headers: + items: + additionalProperties: false + type: object + properties: + key: + type: string + value: + type: string + required: + - key + - value + maxItems: 100 + type: array + password: + type: string + username: + type: string + host: + format: uri + type: string + id: + type: string + is_default: + default: false + type: boolean + name: + type: string + proxy_id: + description: The ID of the proxy to use for this download source. See the proxies API for more information. 
+ nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + auth: + additionalProperties: false + type: object + properties: + api_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + password: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + key: + type: string + required: + - id + - name + - host + required: + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No download source was found with the given ID + value: + error: Not Found + message: Download source download-source-id-1 not found + statusCode: 404 + description: Not Found + summary: Update an agent binary download source tags: - - Security Detections API - - Import/Export API - x-codeSamples: - - lang: cURL - source: > - curl -X POST - 
"localhost:5601/api/detection_engine/rules/_export?exclude_export_details=true&file_name=exported_rules.ndjson" - -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' - - { - "objects": [ - { - "rule_id":"343580b5-c811-447c-8d2d-2ccf052c6900" - }, - { - "rule_id":"2938c9fa-53eb-4c04-b79c-33cbf041b18d" - } - ] - } - /api/detection_engine/rules/_find: + - Elastic Agent binary download sources + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agent_policies: get: - description: >- - Retrieve a paginated list of detection rules. By default, the first page - is returned, with 20 results per page. - operationId: FindRules - parameters: - - description: > - List of `alert.attributes` field names to return for each rule (for - example `name`, `enabled`). - - If omitted, the default field set is returned. Repeat the parameter - to pass multiple field names, or - - use comma-separated values when supported by your client. - in: query - name: fields - required: false - schema: - items: - type: string - type: array - - description: > - Search query - - - Filters the returned results according to the value of the specified - field, using the alert.attributes.: syntax, - where can be: - - - name - - - enabled - - - tags - - - createdBy - - - interval + description: |- + **Spaces method and path for this operation:** - - updatedBy +
get /s/{space_id}/api/fleet/agent_policies
- > info + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - > Even though the JSON rule object uses created_by and updated_by - fields, you must use createdBy and updatedBy fields in the filter. - in: query - name: filter - required: false - schema: - type: string - - description: Field to sort by - in: query - name: sort_field - required: false - schema: - $ref: '#/components/schemas/Security_Detections_API_FindRulesSortField' - - description: Sort order - in: query - name: sort_order - required: false - schema: - $ref: '#/components/schemas/Security_Detections_API_SortOrder' + List all agent policies.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-agents-read OR fleet-setup. + operationId: get-fleet-agent-policies + parameters: - description: Page number in: query name: page required: false schema: - default: 1 - minimum: 1 - type: integer - - description: Rules per page + type: number + - description: Number of results per page in: query - name: per_page + name: perPage required: false schema: - default: 20 - minimum: 0 - type: integer - - description: Gaps range start + type: number + - description: Field to sort results by in: query - name: gaps_range_start + name: sortField required: false schema: type: string - - description: Gaps range end + - description: Sort order, ascending or descending in: query - name: gaps_range_end + name: sortOrder required: false schema: + enum: + - desc + - asc type: string - - description: Gap fill statuses + - description: When true, only show policies with upgradeable agents in: query - name: gap_fill_statuses + name: showUpgradeable required: false schema: - items: - $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' - type: array - - description: >- - Gap auto fill scheduler ID used to determine gap fill status for - rules + type: boolean + - description: A KQL query string to filter results in: query - name: gap_auto_fill_scheduler_id + name: kuery required: false schema: type: string - responses: - '200': - content: - application/json: - examples: - example1: - value: - data: - - created_at: '2020-02-02T10:05:19.613Z' - created_by: elastic - description: >- - Identifies a PowerShell process launched by either - cscript.exe or wscript.exe. Observing Windows - scripting processes executing a PowerShell script, may - be indicative of malicious activity. 
- enabled: false - execution_summary: - last_execution: - date: '2022-03-23T16:06:12.787Z' - message: >- - This rule attempted to query data from - Elasticsearch indices listed in the "Index - pattern" section of the rule definition, but no - matching index was found. - metrics: - execution_gap_duration_s: 0 - total_indexing_duration_ms: 15 - total_search_duration_ms: 135 - status: partial failure - status_order: 20 - false_positives: [] - from: now-6m - id: 89761517-fdb0-4223-b67b-7621acc48f9e - immutable: true - index: - - winlogbeat-* - interval: 5m - language: kuery - max_signals: 33 - name: Windows Script Executing PowerShell - query: >- - event.action:"Process Create (rule: ProcessCreate)" - and process.parent.name:("wscript.exe" or - "cscript.exe") and process.name:"powershell.exe" - references: [] - related_integrations: - - package: o365 - version: ^2.3.2 - required_fields: - - ecs: true - name: event.action - type: keyword - - ecs: true - name: process.name - type: keyword - - ecs: true - name: process.parent.name - type: keyword - risk_score: 21 - rule_id: f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc - setup: '' - severity: low - tags: - - Elastic - - Windows - threat: - - framework: MITRE ATT&CK - tactic: - id: TA0002 - name: Execution - reference: https://attack.mitre.org/tactics/TA0002/ - technique: - - id: T1193 - name: Spearphishing Attachment - reference: https://attack.mitre.org/techniques/T1193/ - to: now - type: query - updated_at: '2020-02-02T10:05:19.830Z' - updated_by: elastic - page: 1 - perPage: 5 - total: 4 - schema: - type: object - properties: - data: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RuleResponse - type: array - page: - type: integer - perPage: - type: integer - total: - type: integer - warnings: - items: - $ref: >- - #/components/schemas/Security_Detections_API_WarningSchema - type: array - required: - - page - - perPage - - total - - data - description: > - Successful response - - > info - - > These fields are 
under development and their usage or schema may - change: execution_summary. - summary: List all detection rules - tags: - - Security Detections API - - Rules API - x-codeSamples: - - lang: cURL - source: > - curl -X GET - "localhost:5601/api/detection_engine/rules/_find?page=1&per_page=5&sort_field=enabled&sort_order=asc&filter=alert.attributes.name:windows" - -H 'kbn-xsrf: true' - /api/detection_engine/rules/_import: - post: - description: > - Import detection rules from an `.ndjson` file, including actions and - exception lists. The request must include: - - - The `Content-Type: multipart/form-data` HTTP header. - - - A link to the `.ndjson` file containing the rules. - - > warn - - > When used with [API - key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, - the user's key gets assigned to the affected rules. If the user's key - gets deleted or the user becomes inactive, the rules will stop running. - - - > If the API key that is used for authorization has different privileges - than the key that created or most recently updated the rule, the rule - behavior might change. - - > info - - > To import rules with actions, you need at least Read privileges for - the Action and Connectors feature. To overwrite or add new connectors, - you need All privileges for the Actions and Connectors feature. To - import rules without actions, you don’t need Actions and Connectors - privileges. Refer to [Enable and access - detections](https://www.elastic.co/docs/solutions/security/detect-and-alert/detections-privileges) - for more information. - - - > info - - > Rule actions and connectors are included in the exported file, but - sensitive information about the connector (such as authentication - credentials) is not included. You must re-add missing connector details - after importing detection rules. 
- - - > You can use Kibana’s [Saved - Objects](https://www.elastic.co/docs/explore-analyze/find-and-organize/saved-objects) - UI (Stack Management → Kibana → Saved Objects) or the Saved Objects APIs - (experimental) to - [export](https://www.elastic.co/docs/api/doc/kibana/operation/operation-exportsavedobjectsdefault) - and - [import](https://www.elastic.co/docs/api/doc/kibana/operation/operation-importsavedobjectsdefault) - any necessary connectors before importing detection rules. - - - > Similarly, any value lists used for rule exceptions are not included - in rule exports or imports. Use the [Manage value - lists](https://www.elastic.co/docs/solutions/security/detect-and-alert/create-manage-value-lists) - UI (Rules → Detection rules (SIEM) → Manage value lists) to export and - import value lists separately. - operationId: ImportRules - parameters: - - description: >- - Determines whether existing rules with the same `rule_id` are - overwritten. + - description: use withAgentCount instead in: query - name: overwrite + name: noAgentCount required: false schema: - default: false + deprecated: true type: boolean - - description: >- - Determines whether existing exception lists with the same `list_id` - are overwritten. Both the exception list container and its items are - overwritten. + - description: get policies with agent count in: query - name: overwrite_exceptions + name: withAgentCount required: false schema: - default: false type: boolean - - description: >- - Determines whether existing actions with the same - `kibana.alert.rule.actions.id` are overwritten. + - description: get full policies with package policies populated in: query - name: overwrite_action_connectors + name: full required: false schema: - default: false type: boolean - - description: Generates a new list ID for each imported exception list. 
+ - description: 'Format for the response: simplified or legacy' in: query - name: as_new_list + name: format required: false schema: - default: false - type: boolean - requestBody: - content: - multipart/form-data: - examples: - rulesFile: - summary: Multipart part containing a rule export - value: - file: rules_import.ndjson - schema: - type: object - properties: - file: - description: The `.ndjson` file containing the rules. - format: binary - type: string - required: true + enum: + - simplified + - legacy + type: string responses: '200': content: application/json: examples: - example1: - summary: Import rules with success + getAgentPoliciesExample: + description: List of agent policies value: - errors: [] - exceptions_errors: [] - exceptions_success: true - exceptions_success_count: 0 - rules_count: 1 - success: true - success_count: 1 + items: + - description: A sample agent policy + id: agent-policy-id-1 + is_managed: false + is_protected: false + name: My agent policy + namespace: default + revision: 1 + status: active + updated_at: '2024-01-15T10:00:00.000Z' + updated_by: user1 + page: 1 + perPage: 20 + total: 1 schema: additionalProperties: false type: object properties: - action_connectors_errors: - items: - $ref: '#/components/schemas/Security_Detections_API_ErrorSchema' - type: array - action_connectors_success: - type: boolean - action_connectors_success_count: - minimum: 0 - type: integer - action_connectors_warnings: - items: - $ref: >- - #/components/schemas/Security_Detections_API_WarningSchema - type: array - errors: - items: - $ref: '#/components/schemas/Security_Detections_API_ErrorSchema' - type: array - exceptions_errors: + items: items: - $ref: '#/components/schemas/Security_Detections_API_ErrorSchema' + $ref: '#/components/schemas/Kibana_HTTP_APIs_agent_policy_response' + maxItems: 10000 type: array - exceptions_success: - type: boolean - exceptions_success_count: - minimum: 0 - type: integer - rules_count: - minimum: 0 - type: integer - 
success: - type: boolean - success_count: - minimum: 0 - type: integer + page: + type: number + perPage: + type: number + total: + type: number required: - - exceptions_success - - exceptions_success_count - - exceptions_errors - - rules_count - - success - - success_count - - errors - - action_connectors_errors - - action_connectors_warnings - - action_connectors_success - - action_connectors_success_count - description: Indicates a successful call. - summary: Import detection rules - tags: - - Security Detections API - - Import/Export API - x-codeSamples: - - lang: cURL - source: | - curl -X POST "/api/detection_engine/rules/_import" - -u : -H 'kbn-xsrf: true' - -H 'Content-Type: multipart/form-data' - --form "file=@" - /api/detection_engine/rules/{id}/exceptions: - post: - description: Create exception items that apply to a single detection rule. - operationId: CreateRuleExceptionListItems - parameters: - - description: Detection rule's identifier - examples: - id: - value: 330bdd28-eedf-40e1-bed0-f10176c7f9e0 - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Exceptions_API_RuleId' - requestBody: - content: - application/json: - examples: - addItems: - value: - items: - - description: This is a sample detection type exception item. - entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - - field: host.name - operator: included - type: match_any - value: - - saturn - - jupiter - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - type: simple - schema: - example: - items: - - description: This is a sample detection type exception item. 
- entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - - field: host.name - operator: included - type: match_any - value: - - saturn - - jupiter - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - type: simple - type: object - properties: - items: - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemProps - type: array - required: - - items - description: Rule exception items. - required: true - responses: - '200': - content: - application/json: - examples: - ruleExceptionItems: - value: - - _version: WzQsMV0= - comments: [] - created_at: 2025-01-07T20:07:33.119Z - created_by: elastic - description: This is a sample detection type exception item. - entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - - field: host.name - operator: included - type: match_any - value: - - saturn - - jupiter - id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c - type: simple - updated_at: 2025-01-07T20:07:33.119Z - updated_by: elastic - schema: - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItem - type: array + - items + - total + - page + - perPage description: Successful response '400': content: application/json: examples: - badPayload: - value: - error: Bad Request - message: Invalid request payload JSON format - statusCode: 400 - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: '[request params]: id: Invalid uuid' + message: An error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - 
#/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - message: Unable to create exception-list - status_code: 403 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Create rule exception items + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get agent policies tags: - - Security Exceptions API - /api/detection_engine/rules/preview: + - Elastic Agent policies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name post: - description: > - Simulates a detection rule using the same rule type and query logic as a - persisted rule, over a short + description: |- + **Spaces method and path for this operation:** - time window, without persisting 
a rule or writing alerts. Use the - response to validate queries, see sample +
post /s/{space_id}/api/fleet/agent_policies
- matching documents, and inspect execution logs. Pair `invocationCount` - and `timeframeEnd` to cap run time. - operationId: RulePreview + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new agent policy.

[Required authorization] Route required privileges: fleet-agent-policies-all. + operationId: post-fleet-agent-policies parameters: - - description: >- - Enables logging and returning in response ES queries, performed - during rule execution + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Whether to add the system integration to the new agent policy in: query - name: enable_logged_requests + name: sys_monitoring required: false schema: type: boolean 
@@ -8490,2994 +24392,4369 @@ paths: content: application/json: examples: - queryRule: + postAgentPolicyRequestExample: + description: Create a new agent policy value: - description: Find matching events - from: now-24h - index: - - logs-* - invocationCount: 1 - language: kuery - max_signals: 20 - name: Rule preview - query: 'process.name : *' - risk_score: 25 - severity: low - timeframeEnd: '2025-01-20T12:00:00.000Z' - to: now - type: query + description: A sample agent policy + monitoring_enabled: + - logs + - metrics + name: My agent policy + namespace: default schema: - anyOf: - - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_EqlRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewParams - - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_QueryRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewParams - - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewParams - - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewParams - - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewParams - - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewParams - - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewParams - - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_EsqlRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewParams - discriminator: - 
propertyName: type - description: > - Rule create payload (same shape as `POST /api/detection_engine/rules` - for a given `type`) plus - - `invocationCount` and `timeframeEnd` to control how the preview is - executed. Optional - - `enable_logged_requests` surfaces Elasticsearch request logging for - debugging. - required: true + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_agent_policy' responses: '200': content: application/json: examples: - success: + postAgentPolicyExample: + description: The created agent policy value: - isAborted: false - logs: - - duration: 45 - errors: [] - requests: [] - startedAt: 2025-01-20T10:00:00.000Z - warnings: [] - previewId: 7f1c9d1e-4c8a-4a3e-9a5d-0d4f6e1b2a90 + item: + description: A sample agent policy + id: agent-policy-id-2 + is_managed: false + is_protected: false + name: My agent policy + namespace: default + revision: 1 + status: active + updated_at: '2024-01-15T10:00:00.000Z' + updated_by: user1 schema: - type: object - properties: - isAborted: - type: boolean - logs: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewLogs - type: array - previewId: - $ref: >- - #/components/schemas/Security_Detections_API_NonEmptyString - required: - - logs + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_agent_policy_response' description: Successful response '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: >- - [request body].timeframeEnd: expected string, received - null + message: An error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Detections_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: 
"[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - description: Unsuccessful authentication response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Internal server error response - summary: Preview rule alerts generated on specified time range + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Create an agent policy tags: - - Security Detections API - - Rule preview API - /api/detection_engine/signals/assignees: + - Elastic Agent policies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agent_policies/_bulk_get: post: - description: | - Assign users to detection alerts, and unassign them from alerts. - > info - > You cannot add and remove the same assignee in the same request. - operationId: SetAlertAssignees + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agent_policies/_bulk_get
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get multiple agent policies by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-agents-read OR fleet-setup. + operationId: post-fleet-agent-policies-bulk-get + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: 'Format for the response: simplified or legacy' + in: query + name: format + required: false + schema: + enum: + - simplified + - legacy + type: string requestBody: content: application/json: examples: - add: - $ref: >- - #/components/examples/Security_Detections_API_SetAlertAssigneesBodyAdd - remove: - $ref: >- - #/components/examples/Security_Detections_API_SetAlertAssigneesBodyRemove + postBulkGetAgentPoliciesRequestExample: + description: Retrieve multiple agent policies by ID + value: + ids: + - agent-policy-id-1 + - agent-policy-id-2 schema: - $ref: >- - #/components/schemas/Security_Detections_API_SetAlertAssigneesBody - description: User profile IDs to add or remove on each listed alert document ID. 
- required: true + additionalProperties: false + type: object + properties: + full: + description: get full policies with package policies populated + type: boolean + ids: + description: list of package policy ids + items: + type: string + maxItems: 1000 + type: array + ignoreMissing: + type: boolean + required: + - ids responses: '200': content: application/json: examples: - add: + postBulkGetAgentPoliciesExample: + description: The requested agent policies value: - batches: 1 - deleted: 0 - failures: [] - noops: 0 - requests_per_second: -1 - retries: - bulk: 0 - search: 0 - throttled_millis: 0 - throttled_until_millis: 0 - timed_out: false - took: 76 - total: 1 - updated: 1 - version_conflicts: 0 + items: + - id: agent-policy-id-1 + is_managed: false + is_protected: false + name: My agent policy + namespace: default + revision: 1 + status: active + updated_at: '2024-01-15T10:00:00.000Z' + updated_by: user1 schema: - additionalProperties: true - description: Elasticsearch update by query response - type: object - description: > - Indicates a successful call. The body matches an Elasticsearch - update-by-query response - - (for example `took`, `updated`, `failures`). 
+ $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_get_agent_policies_response' + description: Successful response '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: >- - [request body].ids: at least one alert id is required to - update assignees + message: An error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Detections_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [POST /api/detection_engine/signals/assignees] is - unauthorized for the current user, this action is granted - by the Kibana Security Solution privileges for cases and - detections - statusCode: 403 - schema: - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - description: Not enough privileges response - '500': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': content: application/json: examples: - serverError: + notFoundExample: + 
description: One or more agent policies were not found value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Internal server error response - summary: Assign and unassign users from detection alerts + error: Not Found + message: An error message describing what went wrong + statusCode: 404 + description: Not Found + summary: Bulk get agent policies tags: - - Security Detections API - - Alerts API - /api/detection_engine/signals/search: - post: - description: Find and/or aggregate detection alerts that match the given query. - operationId: SearchAlerts - requestBody: - content: - application/json: - examples: - query: - value: - aggs: - alertsByGrouping: - terms: - field: host.name - size: 10 - missingFields: - missing: - field: host.name - query: - bool: - filter: - - bool: - filter: - - match_phrase: - kibana.alert.workflow_status: open - must: [] - must_not: - - exists: - field: kibana.alert.building_block_type - should: [] - - range: - '@timestamp': - gte: 2025-01-17T08:00:00.000Z - lte: 2025-01-18T07:59:59.999Z - runtime_mappings: {} - size: 0 - schema: - $ref: >- - #/components/schemas/Security_Detections_API_QueryAlertsBodyParams - description: Elasticsearch query and aggregation request - description: Search and/or aggregation query - required: true + - Elastic Agent policies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agent_policies/{agentPolicyId}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-agents-read OR fleet-setup. + operationId: get-fleet-agent-policies-agentpolicyid + parameters: + - description: The ID of the agent policy + in: path + name: agentPolicyId + required: true + schema: + type: string + - description: 'Format for the response: simplified or legacy' + in: query + name: format + required: false + schema: + enum: + - simplified + - legacy + type: string responses: '200': content: application/json: examples: - success: + getAgentPolicyExample: + description: An agent policy value: - _shards: - failed: 0 - skipped: 0 - successful: 1 - total: 1 - aggregations: - alertsByGrouping: - buckets: - - doc_count: 5 - key: Host-f43kkddfyc - doc_count_error_upper_bound: 0 - sum_other_doc_count: 0 - missingFields: - doc_count: 0 - hits: - hits: [] - max_score: null - total: - relation: eq - value: 5 - timed_out: false - took: 0 + item: + description: A sample agent policy + id: agent-policy-id-1 + is_managed: false + is_protected: false + name: My agent policy + namespace: default + revision: 1 + status: active + updated_at: '2024-01-15T10:00:00.000Z' + updated_by: user1 schema: - additionalProperties: true - description: Elasticsearch search response - type: object + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_agent_policy_response' description: Successful response '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: >- - Failed to parse search request: unknown query clause in - bool filter + message: An error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Detections_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - 
unauthorized: - value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - description: Unsuccessful authentication response - '500': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': content: application/json: examples: - serverError: + notFoundExample: + description: No agent policy was found with the given ID value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Internal server error response - summary: Find and/or aggregate detection alerts + error: Not Found + message: Agent policy not found + statusCode: 404 + description: Not Found + summary: Get an agent policy tags: - - Security Detections API - - Alerts API - /api/detection_engine/signals/status: - post: - description: Set the status of one or more detection alerts. 
- operationId: SetAlertsStatus - requestBody: - content: - application/json: - examples: - byId: - value: - signal_ids: - - >- - 80e1383f856e67c1b7f7a1634744fa6d66b6e2ef7aa26d226e57afb5a7b2b4a1 - status: closed - byQuery: - value: - conflicts: proceed - query: - bool: - filter: - - '@timestamp': - format: strict_date_optional_time - gte: 2024-10-23T07:00:00.000Z - lte: 2025-01-21T20:12:11.704Z - range: null - - bool: - filter: - bool: - filter: - - match_phrase: - kibana.alert.workflow_status: open - - '@timestamp': - format: strict_date_optional_time - gte: 2024-10-23T07:00:00.000Z - lte: 2025-01-21T20:12:11.704Z - range: null - must: [] - must_not: - - exists: - field: kibana.alert.building_block_type - should: [] - must: [] - must_not: [] - should: [] - status: closed + - Elastic Agent policies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all. + operationId: put-fleet-agent-policies-agentpolicyid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The ID of the agent policy + in: path + name: agentPolicyId + required: true + schema: + type: string + - description: 'Format for the response: simplified or legacy' + in: query + name: format + required: false + schema: + enum: + - simplified + - legacy + type: string + requestBody: + content: + application/json: + examples: + putAgentPolicyRequestExample: + description: Update an agent policy + value: + description: An updated agent policy description + monitoring_enabled: + - logs + name: Updated agent policy + namespace: default schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Detections_API_SetAlertsStatusByIds - - $ref: >- - #/components/schemas/Security_Detections_API_SetAlertsStatusByQuery - description: >- - An object containing desired status and explicit alert ids or a query - to select alerts - required: true + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_agent_policy' responses: '200': content: application/json: examples: - byId: - value: - batches: 1 - deleted: 0 - failures: [] - noops: 0 - requests_per_second: -1 - retries: - bulk: 0 - search: 0 - throttled_millis: 0 - throttled_until_millis: 0 - timed_out: false - took: 81 - total: 1 - updated: 1 - version_conflicts: 0 - byQuery: + putAgentPolicyExample: + description: The updated agent policy value: - batches: 1 - deleted: 0 - failures: [] - noops: 0 - requests_per_second: -1 - retries: - bulk: 0 - search: 0 - throttled_millis: 0 - throttled_until_millis: 0 - timed_out: false - took: 100 - total: 17 - updated: 17 - version_conflicts: 0 + item: + description: An updated agent policy description + id: agent-policy-id-1 + is_managed: false + is_protected: false + name: 
Updated agent policy + namespace: default + revision: 2 + status: active + updated_at: '2024-01-15T11:00:00.000Z' + updated_by: user1 schema: - additionalProperties: true - description: Elasticsearch update by query response - type: object + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_agent_policy_response' description: Successful response '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: >- - [request body].signal_ids: at least one alert id is - required to update status + message: An error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Detections_API_SiemErrorResponse - description: Invalid input data response - '401': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Update an agent policy + tags: + - Elastic Agent policies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agent_policies/{agentPolicyId}/auto_upgrade_agents_status: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/auto_upgrade_agents_status
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the auto-upgrade status for agents assigned to an agent policy.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agent-policies-agentpolicyid-auto-upgrade-agents-status + parameters: + - description: The ID of the agent policy + in: path + name: agentPolicyId + required: true + schema: + type: string + responses: + '200': content: application/json: examples: - unauthorized: + getAutoUpgradeAgentsStatusExample: + description: Auto-upgrade status for agents in the policy value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 + agentsCount: 5 + currentVersion: 8.16.0 + failedAgentsCount: 0 + upgradedAgentsCount: 3 + upgradingAgentsCount: 1 schema: - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - description: Unsuccessful authentication response - '500': + additionalProperties: false + type: object + properties: + currentVersions: + items: + additionalProperties: false + type: object + properties: + agents: + description: Number of agents that upgraded to this version + type: number + failedUpgradeActionIds: + description: List of action IDs related to failed upgrades + items: + type: string + maxItems: 1000 + type: array + failedUpgradeAgents: + description: Number of agents that failed to upgrade to this version + type: number + inProgressUpgradeActionIds: + description: List of action IDs related to in-progress upgrades + items: + type: string + maxItems: 1000 + type: array + inProgressUpgradeAgents: + description: Number of agents that are upgrading to this version + type: number + version: + description: Agent version + type: string + required: + - version + - agents + - failedUpgradeAgents + - inProgressUpgradeAgents + maxItems: 10000 + type: array + totalAgents: + type: number + required: + - currentVersions + - 
totalAgents + description: Successful response + '400': content: application/json: examples: - serverError: + genericErrorResponseExample: + description: Example of a generic error response value: - message: Internal Server Error - status_code: 500 + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Internal server error response - summary: Set a detection alert status + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get auto upgrade agent status tags: - - Security Detections API - - Alerts API - /api/detection_engine/signals/tags: + - Elastic Agent policies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agent_policies/{agentPolicyId}/copy: post: - description: > - Add tags to detection alerts, and remove them from alerts, by alert IDs - or a query, in a single request. + description: |- + **Spaces method and path for this operation:** - > info +
post /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/copy
- > You cannot add and remove the same alert tag in the same request. - operationId: SetAlertTags + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Copy an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all. + operationId: post-fleet-agent-policies-agentpolicyid-copy + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The ID of the agent policy + in: path + name: agentPolicyId + required: true + schema: + type: string + - description: 'Format for the response: simplified or legacy' + in: query + name: format + required: false + schema: + enum: + - simplified + - legacy + type: string requestBody: content: application/json: examples: - add: - $ref: >- - #/components/examples/Security_Detections_API_SetAlertTagsBodyAdd - remove: - $ref: >- - #/components/examples/Security_Detections_API_SetAlertTagsBodyRemove + postCopyAgentPolicyRequestExample: + description: Copy an agent policy with a new name + value: + description: A copy of the original agent policy + name: Copy of my agent policy schema: - $ref: '#/components/schemas/Security_Detections_API_SetAlertTagsBody' - description: >- - An object containing tags to add or remove and alert ids the changes - will be applied - required: true + $ref: '#/components/schemas/Kibana_HTTP_APIs_copy_agent_policy_request' responses: '200': content: application/json: examples: - success: + postCopyAgentPolicyExample: + description: The copied agent policy value: - batches: 1, - deleted: 0, - failures: [] - noops: 0, - requests_per_second: '-1,' - retries: - bulk: 0, - search: 0 - throttled_millis: 0, - throttled_until_millis: 0, - timed_out: false, - took: 68, - total: 1, - updated: 1, - version_conflicts: 0, + item: + description: A copy of the original agent policy + id: agent-policy-id-copy-1 + is_managed: false + is_protected: false + name: Copy of my agent policy + namespace: default + revision: 1 + status: active + updated_at: '2024-01-15T11:00:00.000Z' + updated_by: user1 schema: - additionalProperties: true - 
description: Elasticsearch update by query response - type: object + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_agent_policy_response' description: Successful response '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: >- - [request body].tags: cannot add and remove the same tag in - a single request + message: An error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Detections_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - description: Unsuccessful authentication response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Internal server error response - summary: Add and remove detection alert tags + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Copy an agent policy tags: - - Security Detections API - - Alerts API - /api/detection_engine/tags: + - Elastic Agent policies + x-metaTags: + - content: Kibana, 
Elastic Cloud Serverless + name: product_name + /api/fleet/agent_policies/{agentPolicyId}/download: get: - description: List all unique tags from all detection rules. - operationId: ReadTags - responses: - '200': - content: - application/json: - examples: - example1: - value: - - zeek - - suricata - - windows - - linux - - network - - initial access - - remote access - - phishing - schema: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - description: Indicates a successful call - summary: List all detection rule tags - tags: - - Security Detections API - - Tags API - /api/endpoint_list: - post: - description: >- - Create the exception list for Elastic Endpoint rule exceptions. When you - create the exception list, it will have a `list_id` of `endpoint_list`. - If the Elastic Endpoint exception list already exists, your request will - return an empty response. - operationId: CreateEndpointList + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/download
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Download an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-setup. + operationId: get-fleet-agent-policies-agentpolicyid-download + parameters: + - description: The ID of the agent policy + in: path + name: agentPolicyId + required: true + schema: + type: string + - description: If true, returns the policy as a downloadable file + in: query + name: download + required: false + schema: + type: boolean + - description: If true, returns the policy formatted for standalone agents + in: query + name: standalone + required: false + schema: + type: boolean + - description: If true, returns the policy formatted for Kubernetes deployment + in: query + name: kubernetes + required: false + schema: + type: boolean + - description: If provided, returns the policy at the specified revision. Cannot be used with standalone or kubernetes flags. + in: query + name: revision + required: false + schema: + type: number responses: '200': content: application/json: examples: - alreadyExists: - summary: Endpoint exception list already exists (empty response) - value: {} - newList: - summary: Endpoint exception list created + getDownloadAgentPolicyExample: + description: The agent policy download response value: - created_at: '2025-01-01T00:00:00.000Z' - created_by: elastic - description: Endpoint Security Exception List - id: 2e23a8c4-ef7e-4c10-adfa-3eae4e4b4b8b - immutable: false - list_id: endpoint_list - name: Endpoint Security Exception List - namespace_type: agnostic - os_types: [] - tags: [] - tie_breaker_id: e3c5a8e0-5b6a-4b4b-8b3a-2e23a8c4ef7e - type: endpoint - updated_at: '2025-01-01T00:00:00.000Z' - updated_by: elastic - version: 1 + item: 'id: agent-policy-id-1\nrevision: 1\noutputs:\n default:\n type: elasticsearch\n hosts:\n - https://elasticsearch.example.com:9200\n' schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_EndpointList - description: Successful response + type: string + description: Successful response — returns 
the agent policy as a YAML file download '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: >- - [request body]: expected value of type [object] but got - [undefined] + message: An error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Invalid input data - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [POST /api/endpoint_list] is unauthorized for user, - this action is granted by the Kibana privileges - [lists-all] - statusCode: 403 - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Insufficient privileges - '500': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': content: application/json: examples: - serverError: + notFoundExample: + description: No agent policy was found with the given ID value: - message: Internal Server Error - status_code: 500 + error: Not Found + 
message: Agent policy not found + statusCode: 404 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Internal server error - summary: Create an Elastic Endpoint rule exception list + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Not Found + summary: Download an agent policy tags: - - Security Endpoint Exceptions API - /api/endpoint_list/items: - delete: - description: >- - Delete an Elastic Endpoint exception list item, specified by the `id` or - `item_id` field. - operationId: DeleteEndpointListItem + - Elastic Agent policies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agent_policies/{agentPolicyId}/full: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/full
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a full agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read. + operationId: get-fleet-agent-policies-agentpolicyid-full parameters: - - description: Either `id` or `item_id` must be specified + - description: The ID of the agent policy + in: path + name: agentPolicyId + required: true + schema: + type: string + - description: If true, returns the policy as a downloadable file + in: query + name: download + required: false + schema: + type: boolean + - description: If true, returns the policy formatted for standalone agents + in: query + name: standalone + required: false + schema: + type: boolean + - description: If true, returns the policy formatted for Kubernetes deployment in: query - name: id + name: kubernetes required: false schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId - - description: Either `id` or `item_id` must be specified + type: boolean + - description: If provided, returns the policy at the specified revision. Cannot be used with standalone or kubernetes flags. 
in: query - name: item_id + name: revision required: false schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId + type: number responses: '200': content: application/json: examples: - deleted: - summary: Deleted endpoint exception list item + getFullAgentPolicyExample: + description: The full agent policy configuration value: - comments: [] - created_at: '2025-01-01T12:00:00.000Z' - created_by: elastic - description: Blocks a known malicious file by its hash - entries: - - field: file.hash.sha256 - operator: included - type: match - value: >- - e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e - item_id: block-malicious-file - list_id: endpoint_list - name: Block malicious file - namespace_type: agnostic - os_types: - - windows - tags: [] - tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 - type: simple - updated_at: '2025-01-01T12:00:00.000Z' - updated_by: elastic + item: + agent: + monitoring: + logs: true + metrics: true + id: agent-policy-id-1 + inputs: [] + outputs: + default: + hosts: + - https://elasticsearch.example.com:9200 + type: elasticsearch + revision: 1 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_full_agent_policy_response' description: Successful response '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: >- - Either "item_id" or "id" needs to be defined in the - request + message: An error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Invalid input data - '401': - content: - application/json: - examples: - 
unauthorized: - value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [DELETE - /api/endpoint_list/items?item_id=block-malicious-file] is - unauthorized for user, this action is granted by the - Kibana privileges [lists-all] - statusCode: 403 - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Insufficient privileges + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request '404': content: application/json: examples: - notFound: - value: - message: >- - exception list item item_id: "block-malicious-file" does - not exist - status_code: 404 - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Endpoint list item not found - '500': - content: - application/json: - examples: - serverError: + notFoundExample: + description: No agent policy was found with the given ID value: - message: Internal Server Error - status_code: 500 - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Internal server error - summary: Delete an Elastic Endpoint exception list item + error: Not Found + message: Agent policy not found + statusCode: 404 + description: Not Found + summary: Get a full agent policy tags: 
- - Security Endpoint Exceptions API + - Elastic Agent policies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agent_policies/{agentPolicyId}/outputs: get: - description: >- - Get the details of an Elastic Endpoint exception list item, specified by - the `id` or `item_id` field. - operationId: ReadEndpointListItem + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/outputs
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of outputs associated with agent policy by policy id.

[Required authorization] Route required privileges: fleet-agent-policies-read AND fleet-settings-read. + operationId: get-fleet-agent-policies-agentpolicyid-outputs parameters: - - description: Either `id` or `item_id` must be specified - in: query - name: id - required: false - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId - - description: Either `id` or `item_id` must be specified - in: query - name: item_id - required: false + - description: The ID of the agent policy + in: path + name: agentPolicyId + required: true schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId + type: string responses: '200': content: application/json: examples: - item: - summary: Endpoint exception list item + getAgentPolicyOutputsExample: + description: Outputs associated with the agent policy value: - comments: [] - created_at: '2025-01-01T12:00:00.000Z' - created_by: elastic - description: Blocks a known malicious file by its hash - entries: - - field: file.hash.sha256 - operator: included - type: match - value: >- - e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e - item_id: block-malicious-file - list_id: endpoint_list - name: Block malicious file - namespace_type: agnostic - os_types: - - windows - tags: - - policy:all - tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 - type: simple - updated_at: '2025-01-01T12:00:00.000Z' - updated_by: elastic + item: + data_output: + id: output-id-1 + name: Default output + type: elasticsearch + monitoring_output: + id: output-id-1 + name: Default output + type: elasticsearch schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_agent_policy_outputs_response' description: Successful response '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: 
Example of a generic error response value: error: Bad Request - message: id or item_id required + message: An error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Invalid input data - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [GET - /api/endpoint_list/items?item_id=block-malicious-file] is - unauthorized for user, this action is granted by the - Kibana privileges [lists-read] - statusCode: 403 - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Insufficient privileges + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request '404': content: application/json: examples: - notFound: - value: - message: >- - exception list item item_id: "block-malicious-file" does - not exist - status_code: 404 - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Endpoint list item not found - '500': - content: - application/json: - examples: - serverError: + 
notFoundExample: + description: No agent policy was found with the given ID value: - message: Internal Server Error - status_code: 500 - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Internal server error - summary: Get an Elastic Endpoint rule exception list item + error: Not Found + message: Agent policy not found + statusCode: 404 + description: Not Found + summary: Get outputs for an agent policy tags: - - Security Endpoint Exceptions API + - Elastic Agent policies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agent_policies/delete: post: - description: >- - Create an Elastic Endpoint exception list item, and associate it with - the Elastic Endpoint exception list. - operationId: CreateEndpointListItem + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agent_policies/delete
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all. + operationId: post-fleet-agent-policies-delete + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: examples: - matchAny: - summary: Exclude multiple process names - value: - description: Exclude common security tools from endpoint protection - entries: - - field: process.name - operator: included - type: match_any - value: - - scanner.exe - - updater.exe - name: Trusted security tools - os_types: - - windows - type: simple - simpleMatch: - summary: Block a specific file hash + postDeleteAgentPolicyRequestExample: + description: Delete an agent policy by ID value: - description: Blocks a known malicious file by its hash - entries: - - field: file.hash.sha256 - operator: included - type: match - value: >- - e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - name: Block malicious file - os_types: - - windows - tags: - - policy:all - type: simple + agentPolicyId: agent-policy-id-1 schema: - type: object - properties: - comments: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray - default: [] - description: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription - entries: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray - item_id: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId - meta: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta - name: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName - os_types: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray - default: [] - tags: - $ref: >- - 
#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags - default: [] - type: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType - required: - - type - - name - - description - - entries - description: Exception list item's properties - required: true + $ref: '#/components/schemas/Kibana_HTTP_APIs_delete_agent_policy_request' responses: '200': content: application/json: examples: - created: - summary: Endpoint exception list item created + postDeleteAgentPolicyExample: + description: The agent policy was successfully deleted value: - comments: [] - created_at: '2025-01-01T12:00:00.000Z' - created_by: elastic - description: Blocks a known malicious file by its hash - entries: - - field: file.hash.sha256 - operator: included - type: match - value: >- - e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e - item_id: block-malicious-file - list_id: endpoint_list - name: Block malicious file - namespace_type: agnostic - os_types: - - windows - tags: - - policy:all - tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 - type: simple - updated_at: '2025-01-01T12:00:00.000Z' - updated_by: elastic + id: agent-policy-id-1 + name: My agent policy schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem + $ref: '#/components/schemas/Kibana_HTTP_APIs_delete_agent_policy_response' description: Successful response '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: '[request body]: name: Required' + message: An error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Invalid input data - '401': - content: 
- application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [POST /api/endpoint_list/items] is unauthorized for - user, this action is granted by the Kibana privileges - [lists-all] - statusCode: 403 - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Insufficient privileges - '409': - content: - application/json: - examples: - alreadyExists: - value: - message: >- - exception list item id: "block-malicious-file" already - exists - status_code: 409 - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Endpoint list item already exists - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Internal server error - summary: Create an Elastic Endpoint rule exception list item + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Delete an agent policy tags: - - Security Endpoint Exceptions API - put: - description: >- - Update an Elastic Endpoint exception list item, specified by the `id` or - `item_id` 
field. - operationId: UpdateEndpointListItem + - Elastic Agent policies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agent_policies/outputs: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agent_policies/outputs
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of outputs associated with agent policies.

[Required authorization] Route required privileges: fleet-agent-policies-read AND fleet-settings-read. + operationId: post-fleet-agent-policies-outputs + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: examples: - updateName: - summary: Update an endpoint exception list item + postListAgentPolicyOutputsRequestExample: + description: Get outputs for multiple agent policies value: - description: Updated description for the exception - entries: - - field: file.hash.sha256 - operator: included - type: match - value: >- - e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - item_id: block-malicious-file - name: Block malicious file (updated) - os_types: - - windows - - linux - type: simple + ids: + - agent-policy-id-1 + - agent-policy-id-2 schema: - type: object - properties: - _version: - description: >- - The version id, normally returned by the API when the item - is retrieved. Use it ensure updates are made against the - latest version. 
- type: string - comments: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray - default: [] - description: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription - entries: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray - id: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId - description: Either `id` or `item_id` must be specified - item_id: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId - description: Either `id` or `item_id` must be specified - meta: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta - name: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName - os_types: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray - default: [] - tags: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags - type: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType - required: - - type - - name - - description - - entries - description: Exception list item's properties - required: true + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_list_agent_policy_outputs_request' responses: '200': content: application/json: examples: - updated: - summary: Endpoint exception list item updated - value: - comments: [] - created_at: '2025-01-01T12:00:00.000Z' - created_by: elastic - description: Updated description for the exception - entries: - - field: file.hash.sha256 - operator: included - type: match - value: >- - e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e - item_id: block-malicious-file - list_id: endpoint_list - name: Block malicious file (updated) - namespace_type: agnostic - os_types: - - windows - - linux - 
tags: - - policy:all - tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 - type: simple - updated_at: '2025-01-15T09:30:00.000Z' - updated_by: elastic - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: '[request body]: name: Required' - statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Invalid input data - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 + postListAgentPolicyOutputsExample: + description: Outputs associated with the requested agent policies + value: + items: + - agent_policy_id: agent-policy-id-1 + data_output: + id: output-id-1 + name: Default output + type: elasticsearch + monitoring_output: + id: output-id-1 + name: Default output + type: elasticsearch schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication - '403': + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_list_agent_policy_outputs_response' + description: Successful response + '400': content: application/json: examples: - forbidden: + genericErrorResponseExample: + description: Example of a generic error response value: - error: Forbidden - message: >- - API [PUT /api/endpoint_list/items] is unauthorized for - user, this action is granted by the Kibana privileges - [lists-all] - statusCode: 403 + error: Bad Request + message: An error message 
describing what went wrong + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Insufficient privileges - '404': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get outputs for agent policies + tags: + - Elastic Agent policies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agent_status: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agent_status
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a summary of agent statuses for a given agent policy. + operationId: get-fleet-agent-status + parameters: + - description: Filter by agent policy ID + in: query + name: policyId + required: false + schema: + type: string + - description: Filter by one or more agent policy IDs + in: query + name: policyIds + required: false + schema: + items: + type: string + maxItems: 1000 + type: array + - description: A KQL query string to filter results + in: query + name: kuery + required: false + schema: + type: string + responses: + '200': content: application/json: examples: - notFound: + getAgentStatusExample: + description: Agent status summary for an agent policy value: - message: 'list item item_id: "block-malicious-file" not found' - status_code: 404 + results: + error: 1 + offline: 2 + online: 5 + other: 0 + updating: 0 + totalInactive: 0 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Endpoint list item not found - '500': + additionalProperties: false + type: object + properties: + results: + additionalProperties: false + type: object + properties: + active: + type: number + all: + type: number + error: + type: number + events: + type: number + inactive: + type: number + offline: + type: number + online: + type: number + orphaned: + type: number + other: + type: number + unenrolled: + type: number + uninstalled: + type: number + updating: + type: number + required: + - events + - online + - error + - offline + - other + - updating + - inactive + - unenrolled + - all + - active + required: + - results + description: Successful response + '400': content: application/json: examples: - serverError: + genericErrorResponseExample: + description: Example of a generic error response value: - message: Internal Server Error - status_code: 500 + error: Bad Request + message: An error message describing what went 
wrong + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Internal server error - summary: Update an Elastic Endpoint rule exception list item + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get an agent status summary tags: - - Security Endpoint Exceptions API - /api/endpoint_list/items/_find: + - Elastic Agent status + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agent_status/data: get: - description: Get a list of all Elastic Endpoint exception list items. - operationId: FindEndpointListItems - parameters: - - description: > - Filters the returned results according to the value of the specified - field, + description: |- + **Spaces method and path for this operation:** - using the `:` syntax. - in: query - name: filter - required: false - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_FindEndpointListItemsFilter - - description: The page number to return +
get /s/{space_id}/api/fleet/agent_status/data
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the data streams that an agent is actively sending data to.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agent-status-data + parameters: + - description: Agent IDs to check data for, as an array or comma-separated string in: query - name: page - required: false + name: agentsIds + required: true schema: - minimum: 0 - type: integer - - description: The number of exception list items to return per page + items: + type: string + maxItems: 10000 + type: array + - description: Filter by integration package name in: query - name: per_page + name: pkgName required: false schema: - minimum: 0 - type: integer - - description: Determines which field is used to sort the results + type: string + - description: Filter by integration package version in: query - name: sort_field + name: pkgVersion required: false schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString - - description: Determines the sort order, which can be `desc` or `asc` + type: string + - description: When true, return a preview of the ingested data in: query - name: sort_order + name: previewData required: false schema: - enum: - - desc - - asc - type: string + default: false + type: boolean responses: '200': content: application/json: examples: - foundItems: - summary: Found endpoint exception list items + getAgentDataExample: + description: Data streams the agent is actively sending data to value: - data: - - comments: [] - created_at: '2025-01-01T12:00:00.000Z' - created_by: elastic - description: Blocks a known malicious file by its hash - entries: - - field: file.hash.sha256 - operator: included - type: match - value: >- - e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e - item_id: block-malicious-file - list_id: endpoint_list - name: Block malicious file - namespace_type: agnostic - os_types: - - windows - tags: - - policy:all - tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 - type: simple - updated_at: 
'2025-01-01T12:00:00.000Z' - updated_by: elastic - page: 1 - per_page: 20 + items: + - data: + logs-nginx.access-default: + - id: agent-id-1 + name: my-host total: 1 + totalMonitoring: 0 schema: + additionalProperties: false type: object properties: - data: - description: The list of endpoint exception list items. + dataPreview: items: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem + nullable: true + maxItems: 10000 + type: array + items: + items: + additionalProperties: + additionalProperties: false + type: object + properties: + data: + type: boolean + required: + - data + type: object + maxItems: 10000 type: array - page: - description: The current page number. - minimum: 0 - type: integer - per_page: - description: The number of items per page. - minimum: 0 - type: integer - pit: - description: The point-in-time ID for pagination. - type: string - total: - description: The total number of endpoint exception list items. - minimum: 0 - type: integer required: - - data - - page - - per_page - - total + - items + - dataPreview description: Successful response '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: '[request query]: page: Expected number, received string' + message: An error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Invalid input data - '401': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get incoming agent data + tags: + - 
Elastic Agents + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agentless_policies: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agentless_policies
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create an agentless policy + operationId: post-fleet-agentless-policies + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The format of the response package policy. + in: query + name: format + required: false + schema: + default: simplified + enum: + - legacy + - simplified + type: string + requestBody: + content: + application/json: + examples: + createAgentlessPoliciesRequestExample: + description: Example request to create agentless policies + value: + description: test + inputs: + ESS Billing-cel: + enabled: true + streams: + ess_billing.billing: + enabled: true + vars: + hide_sensitive: true + http_client_timeout: 30s + lookbehind: 365 + tags: + - forwarded + - billing + ess_billing.credits: + enabled: false + vars: + api_key: + organization_id: '1234' + name: ess_billing-1 + namespace: default + package: + name: ess_billing + version: 1.6.0 + createAgentlessPoliciesReuseAWSCloudConnectorExample: + description: Example request to create agentless policy reusing an existing AWS cloud connector + value: + cloud_connector: + cloud_connector_id: existing-aws-connector-id + target_csp: aws + description: CSPM integration for AWS reusing existing cloud connector + inputs: + cspm-cloudbeat/cis_aws: + enabled: true + streams: + cloud_security_posture.findings: + enabled: true + vars: + aws.account_type: organization-account + aws.credentials.type: cloud_connector + aws.supports_cloud_connectors: true + external_id: + id: ABCDEFGHIJKLMNOPQRST + isSecretRef: true + role_arn: arn:aws:iam::123456789012:role/TestRole + vars: + cloud_formation_template: https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https://elastic-cspm-cft.s3.eu-central-1.amazonaws.com/cloudformation-cspm-ACCOUNT_TYPE-9.2.0.yml + 
cspm-cloudbeat/cis_azure: + enabled: false + cspm-cloudbeat/cis_gcp: + enabled: false + name: cspm-aws-reuse-policy + namespace: default + package: + name: cloud_security_posture + version: 3.1.1 + vars: + deployment: aws + posture: cspm + createAgentlessPoliciesWithAWSCloudConnectorExample: + description: Example request to create agentless policy with AWS cloud connector + value: + cloud_connector: + target_csp: aws + description: CSPM integration for AWS with cloud connector + inputs: + cspm-cloudbeat/cis_aws: + enabled: true + streams: + cloud_security_posture.findings: + enabled: true + vars: + aws.account_type: organization-account + aws.credentials.type: cloud_connector + aws.supports_cloud_connectors: true + external_id: + id: ABCDEFGHIJKLMNOPQRST + isSecretRef: true + role_arn: arn:aws:iam::123456789012:role/TestRole + vars: + cloud_formation_template: https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https://elastic-cspm-cft.s3.eu-central-1.amazonaws.com/cloudformation-cspm-ACCOUNT_TYPE-9.2.0.yml + cspm-cloudbeat/cis_azure: + enabled: false + cspm-cloudbeat/cis_gcp: + enabled: false + name: cspm-aws-policy + namespace: default + package: + name: cloud_security_posture + version: 3.1.1 + vars: + deployment: aws + posture: cspm + createAgentlessPoliciesWithAzureCloudConnectorExample: + description: Example request to create agentless policy with Azure cloud connector + value: + cloud_connector: + target_csp: azure + description: CSPM integration for Azure with cloud connector + inputs: + cspm-cloudbeat/cis_aws: + enabled: false + cspm-cloudbeat/cis_azure: + enabled: true + streams: + cloud_security_posture.findings: + enabled: true + vars: + azure_credentials_cloud_connector_id: + type: text + value: existing-azure-credentials-connector-id + azure.account_type: organization-account + client_id: + id: client-secret-id + isSecretRef: true + tenant_id: + id: tenant-secret-id + isSecretRef: true + cspm-cloudbeat/cis_gcp: + 
enabled: false + name: cspm-azure-policy + namespace: default + package: + name: cloud_security_posture + version: 3.1.1 + vars: + deployment: azure + posture: cspm + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_simplified_create_package_policy_request' + responses: + '200': content: application/json: examples: - unauthorized: + createAgentlessPoliciesResponseExample: + description: Example response showing the successful result of communication initialisation over MCP protocol + value: + item: + created_at: '2025-11-06T18:27:43.541Z' + created_by: test_user + description: test + enabled: true + id: d52a7812-5736-4fdc-aed8-72152afa1ffa + inputs: + ESS Billing-cel: + enabled: true + streams: + ess_billing.billing: + enabled: true + vars: + hide_sensitive: true + http_client_timeout: 30s + lookbehind: 365 + tags: + - forwarded + - billing + ess_billing.credits: + enabled: false + vars: + api_key: + id: QY1sWpoBbWcMW-edr0Ee + isSecretRef: true + organization_id: '1234' + url: https://billing.elastic-cloud.com + name: ess_billing-1 + namespace: default + package: + name: ess_billing + title: Elasticsearch Service Billing + version: 1.6.0 + revision: 1 + secret_references: + - id: QY1sWpoBbWcMW-edr0Ee + supports_agentless: true + updated_at: '2025-11-06T18:27:43.541Z' + updated_by: test_user + version: WzE0OTgsMV0= + createAgentlessPoliciesWithAWSCloudConnectorResponseExample: + description: Example response for AWS cloud connector integration value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication - '403': - content: - application/json: - examples: - forbidden: + item: + cloud_connector_id: 
aws-connector-67890 + created_at: '2025-11-06T18:27:43.541Z' + created_by: test_user + description: CSPM integration for AWS with cloud connector + enabled: true + id: aws-policy-12345 + inputs: + cspm-cloudbeat/cis_aws: + enabled: true + streams: + cloud_security_posture.findings: + enabled: true + vars: + aws.account_type: organization-account + aws.credentials.type: cloud_connector + external_id: + id: secret-external-id-123 + isSecretRef: true + role_arn: arn:aws:iam::123456789012:role/TestRole + vars: + cloud_formation_template: https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https://elastic-cspm-cft.s3.eu-central-1.amazonaws.com/cloudformation-cspm-ACCOUNT_TYPE-9.2.0.yml + cspm-cloudbeat/cis_azure: + enabled: false + cspm-cloudbeat/cis_gcp: + enabled: false + name: cspm-aws-policy + namespace: default + package: + name: cloud_security_posture + title: Cloud Security Posture Management + version: 3.1.1 + revision: 1 + secret_references: + - id: secret-external-id-123 + supports_agentless: true + supports_cloud_connector: true + updated_at: '2025-11-06T18:27:43.541Z' + updated_by: test_user + vars: + deployment: aws + posture: cspm + version: WzE0OTgsMV0= + createAgentlessPoliciesWithAzureCloudConnectorResponseExample: + description: Example response for Azure cloud connector integration value: - error: Forbidden - message: >- - API [GET /api/endpoint_list/items/_find] is unauthorized - for user, this action is granted by the Kibana privileges - [lists-read] - statusCode: 403 + item: + cloud_connector_id: azure-connector-67890 + created_at: '2025-11-06T18:27:43.541Z' + created_by: test_user + description: CSPM integration for Azure with cloud connector + enabled: true + id: azure-policy-12345 + inputs: + cspm-cloudbeat/cis_aws: + enabled: false + cspm-cloudbeat/cis_azure: + enabled: true + streams: + cloud_security_posture.findings: + enabled: true + vars: + azure_credentials_cloud_connector_id: + type: text + value: 
existing-azure-credentials-connector-id + azure.account_type: organization-account + client_id: + id: client-secret-id-456 + isSecretRef: true + tenant_id: + id: tenant-secret-id-123 + isSecretRef: true + cspm-cloudbeat/cis_gcp: + enabled: false + name: cspm-azure-policy + namespace: default + package: + name: cloud_security_posture + title: Cloud Security Posture Management + version: 3.1.1 + revision: 1 + secret_references: + - id: tenant-secret-id-123 + - id: client-secret-id-456 + supports_agentless: true + supports_cloud_connector: true + updated_at: '2025-11-06T18:27:43.541Z' + updated_by: test_user + vars: + deployment: azure + posture: cspm + version: WzE0OTgsMV0= schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Insufficient privileges - '404': + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + description: The created agentless package policy. + type: object + properties: + additional_datastreams_permissions: + description: Additional data stream permissions that will be added to the agent policy. + items: + type: string + maxItems: 1000 + nullable: true + type: array + agents: + type: number + cloud_connector_id: + description: ID of the cloud connector associated with this package policy. + nullable: true + type: string + cloud_connector_name: + description: Transient field for cloud connector name during creation. + maxLength: 255 + minLength: 1 + nullable: true + type: string + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this integration to its inputs.' 
+ type: string + created_at: + type: string + created_by: + type: string + description: + description: Package policy description + type: string + elasticsearch: + additionalProperties: true + type: object + properties: + privileges: + additionalProperties: true + type: object + properties: + cluster: + items: + type: string + maxItems: 100 + type: array + enabled: + type: boolean + global_data_tags: + items: + additionalProperties: false + type: object + properties: + name: + description: The name of the custom field. Cannot contain spaces. + type: string + value: + anyOf: + - type: string + - type: number + description: The value of the custom field. + required: + - name + - value + maxItems: 100 + nullable: true + type: array + id: + description: Package policy unique identifier. + type: string + inputs: + anyOf: + - items: + additionalProperties: false + type: object + properties: + compiled_input: + nullable: true + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' + type: string + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + name: + type: string + policy_template: + type: string + streams: + items: + additionalProperties: false + type: object + properties: + compiled_stream: + nullable: true + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' 
+ type: string + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + data_stream: + additionalProperties: false + type: object + properties: + dataset: + type: string + elasticsearch: + additionalProperties: false + type: object + properties: + dynamic_dataset: + type: boolean + dynamic_namespace: + type: boolean + privileges: + additionalProperties: false + type: object + properties: + indices: + items: + type: string + maxItems: 100 + type: array + type: + type: string + required: + - dataset + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + release: + enum: + - ga + - beta + - experimental + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - enabled + - data_stream + - compiled_stream + maxItems: 1000 + type: array + type: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. 
+ type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - type + - enabled + - streams + - compiled_input + maxItems: 100 + type: array + - additionalProperties: + additionalProperties: false + type: object + properties: + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' + type: string + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + description: Enable or disable that input. Defaults to `true` (enabled). + type: boolean + streams: + additionalProperties: + additionalProperties: false + type: object + properties: + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' + type: string + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + description: Enable or disable that stream. Defaults to `true` (enabled). + type: boolean + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Input streams. Refer to the integration documentation to know which streams are available. 
+ type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Package policy inputs. Refer to the integration documentation to know which inputs are available. + type: object + description: Package policy inputs. + is_managed: + type: boolean + name: + description: Unique name for the package policy. + type: string + namespace: + description: The package policy namespace. Leave blank to inherit the agent policy's namespace. + type: string + output_id: + nullable: true + type: string + overrides: + additionalProperties: false + description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. + nullable: true + type: object + properties: + inputs: + additionalProperties: + nullable: true + type: object + package: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_package' + package_agent_version_condition: + type: string + policy_id: + deprecated: true + description: ID of the agent policy which the package policy will be added to. + nullable: true + type: string + policy_ids: + items: + description: IDs of the agent policies that the package policy will be added to. + type: string + maxItems: 1000 + type: array + revision: + description: Package policy revision. 
+ type: number + secret_references: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 1000 + type: array + spaceIds: + items: + type: string + maxItems: 100 + type: array + supports_agentless: + default: false + description: Indicates whether the package policy belongs to an agentless agent policy. + nullable: true + type: boolean + supports_cloud_connector: + default: false + description: Indicates whether the package policy supports cloud connectors. + nullable: true + type: boolean + updated_at: + type: string + updated_by: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + anyOf: + - additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + - additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Package level variable. + version: + description: Package policy ES version. 
+ type: string + required: + - name + - enabled + - inputs + - id + - revision + - updated_at + - updated_by + - created_at + - created_by + required: + - item + description: Indicates a successful response + '400': content: application/json: examples: - notFound: + genericErrorResponseExample: + description: Example of a generic error response value: - message: 'list id: "endpoint_list" does not exist' - status_code: 404 + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Endpoint list not found - '500': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '409': content: application/json: examples: - serverError: + conflictErrorResponseExample: + description: Example of a conflict error response value: - message: Internal Server Error - status_code: 500 + error: Conflict + message: An error message describing what went wrong + statusCode: 409 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Internal server error - summary: Get Elastic Endpoint exception list items + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Conflict + summary: Create an agentless policy tags: - - Security Endpoint Exceptions API - /api/endpoint/action: - get: - description: Get a list of all response actions. 
- operationId: EndpointGetActionsList + - Fleet agentless policies + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agentless_policies/{policyId}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/agentless_policies/{policyId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete an agentless policy + operationId: delete-fleet-agentless-policies-policyid parameters: - - description: The page number to return. - in: query - name: page - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Page' - - description: The number of response actions to return per page. - in: query - name: pageSize - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_PageSize' - - description: A list of response action command names to filter by. - in: query - name: commands - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Commands' - - description: A list of Elastic Agent IDs to filter the response actions by. - in: query - name: agentIds - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentIds' - - description: A list of user IDs that submitted the response actions. - in: query - name: userIds - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_UserIds' - - description: >- - A start date in ISO 8601 format or Date Math format (for example, - `now-24h`). - in: query - name: startDate - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_StartDate' - - description: >- - An end date in ISO 8601 format or Date Math format (for example, - `now`). - in: query - name: endDate - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_EndDate' - - description: >- - The agent type to filter response actions by. Defaults to - `endpoint`. 
- in: query - name: agentTypes - required: false + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' - - description: >- - A list of response action IDs whose outputs should be included in - the response. - in: query - name: withOutputs - required: false + example: 'true' + type: string + - description: The ID of the policy to delete. + in: path + name: policyId + required: true schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_WithOutputs' - - description: >- - A list of response action types to filter by (`automated`, - `manual`). + type: string + - description: Force delete the policy even if the policy is managed. in: query - name: types + name: force required: false schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Types' - responses: - '200': - content: - application/json: - examples: - actionsList: - summary: A list of response actions - value: - data: - - agents: - - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 - agentType: endpoint - command: running-processes - completedAt: '2022-08-08T09:50:47.672Z' - createdBy: elastic - id: b3d6de74-36b0-4fa8-be46-c375bf1771bf - isCompleted: true - isExpired: false - startedAt: '2022-08-08T15:24:57.402Z' - wasSuccessful: true - - agents: - - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 - agentType: endpoint - command: isolate - completedAt: '2022-08-08T10:41:57.352Z' - createdBy: elastic - id: 43b4098b-8752-4fbb-a7a7-6df7c74d0ee3 - isCompleted: true - isExpired: false - startedAt: '2022-08-08T15:23:37.359Z' - wasSuccessful: true - elasticAgentIds: - - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 - endDate: now - page: 1 - pageSize: 10 - startDate: now-24h/h - total: 2 - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_GetEndpointActionListResponse - description: Indicates a successful call. 
- summary: Get response actions - tags: - - Security Endpoint Management API - /api/endpoint/action_status: - get: - description: Get the status of response actions for the specified agent IDs. - operationId: EndpointGetActionsStatus - parameters: - - description: A list of agent IDs to get the action status for. - in: query - name: agent_ids - required: true - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentIds' + type: boolean responses: '200': content: application/json: examples: - actionStatus: - summary: Pending response actions per agent + createAgentlessPoliciesResponseExample: + description: Example response showing the successful result of communication initialisation over MCP protocol value: - data: - - agent_id: afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 - pending_actions: - execute: 0 - get-file: 0 - isolate: 0 - kill-process: 1 - running-processes: 0 - scan: 0 - unisolate: 0 - upload: 0 + item: + id: d52a7812-5736-4fdc-aed8-72152afa1ffa schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ActionStatusSuccessResponse - description: Indicates a successful call. - summary: Get response actions status - tags: - - Security Endpoint Management API - /api/endpoint/action/{action_id}: - get: - description: Get the details of a response action using the action ID. - operationId: EndpointGetActionsDetails - parameters: - - description: The ID of the response action to retrieve. - in: path - name: action_id - required: true - schema: - example: fr518850-681a-4y60-aa98-e22640cae2b8 - type: string - responses: - '200': + additionalProperties: false + description: Response for deleting an agentless package policy. + type: object + properties: + id: + description: The ID of the deleted agentless package policy. 
+ type: string + required: + - id + description: Indicates a successful response + '400': content: application/json: examples: - actionDetails: - summary: Details of an isolate response action + genericErrorResponseExample: + description: Example of a generic error response value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentType: endpoint - command: isolate - completedAt: '2022-08-08T10:41:57.352Z' - createdBy: elastic - id: 233db9ea-6733-4849-9226-5a7039c7161d - isCompleted: true - isExpired: false - startedAt: '2022-08-08T15:23:37.359Z' - wasSuccessful: true + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ActionDetailsResponse - description: OK - summary: Get action details - tags: - - Security Endpoint Management API - /api/endpoint/action/{action_id}/file/{file_id}: - get: - description: | - Get information for the specified response action file download. - operationId: EndpointFileInfo - parameters: - - description: The ID of the response action that generated the file. - in: path - name: action_id - required: true - schema: - type: string - - description: > - The file identifier is constructed in one of two ways: - - - For Elastic Defend agents (`agentType` of `endpoint`): combine the - `action_id` and `agent_id` values using a dot (`.`) separator: - - `{file_id}` = `{action_id}.{agent_id}` - - - For all other agent types: the `file_id` is the `agent_id` for - which the response action was sent to. 
- in: path - name: file_id - required: true - schema: - type: string - responses: - '200': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '409': content: application/json: examples: - fileInfo: - summary: File information for a response action upload + conflictErrorResponseExample: + description: Example of a conflict error response value: - data: - actionId: 233db9ea-6733-4849-9226-5a7039c7161d - agentId: ed518850-681a-4d60-bb98-e22640cae2a8 - agentType: endpoint - created: '2025-02-26T13:37:30.452Z' - id: >- - 233db9ea-6733-4849-9226-5a7039c7161d.ed518850-681a-4d60-bb98-e22640cae2a8 - mimeType: application/zip - name: memory_dump.zip - size: 1048576 - status: READY + error: Conflict + message: An error message describing what went wrong + statusCode: 409 schema: + additionalProperties: false + description: Generic Error + type: object properties: - data: - type: object - properties: - actionId: - description: The response action ID. - type: string - agentId: - description: The agent ID that generated the file. - type: string - agentType: - description: The type of agent that generated the file. - type: string - created: - description: The date and time the file was created. - format: date-time - type: string - id: - description: The unique file identifier. - type: string - mimeType: - description: The MIME type of the file. - type: string - name: - description: The file name. - type: string - size: - description: The file size in bytes. - type: number - status: - description: The file upload status. - enum: - - AWAITING_UPLOAD - - UPLOADING - - READY - - UPLOAD_ERROR - - DELETED - type: string - description: Indicates a successful call. 
- summary: Get file information + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Conflict + summary: Delete an agentless policy tags: - - Security Endpoint Management API - /api/endpoint/action/{action_id}/file/{file_id}/download: + - Fleet agentless policies + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents: get: - description: > - Download a file associated with a response action. Files are downloaded - in a password-protected `.zip` archive to prevent the file from running. - Use password `elastic` to open the `.zip` in a safe environment. + description: |- + **Spaces method and path for this operation:** - > info +
get /s/{space_id}/api/fleet/agents
- > Files retrieved from third-party-protected hosts require a different - password. Refer to [Third-party response - actions](https://www.elastic.co/docs/solutions/security/endpoint-response-actions/third-party-response-actions) - for your system's password. - operationId: EndpointFileDownload + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List agents, with optional filtering and pagination.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agents parameters: - - description: The ID of the response action that generated the file. - in: path - name: action_id - required: true + - description: Page number + in: query + name: page + required: false schema: - type: string - - description: > - The file identifier is constructed in one of two ways: - - - For Elastic Defend agents (`agentType` of `endpoint`): combine the - `action_id` and `agent_id` values using a dot (`.`) separator: - - `{file_id}` = `{action_id}.{agent_id}` - - - For all other agent types: the `file_id` is the `agent_id` for - which the response action was sent to. - in: path - name: file_id - required: true + type: number + - description: Number of results per page + in: query + name: perPage + required: false schema: - type: string - responses: - '200': - content: - application/octet-stream: - examples: - fileDownload: - summary: >- - Password-protected ZIP archive containing the response - action file - value: binary file content (password-protected .zip) - schema: - format: binary - type: string - description: Indicates a successful call. - summary: Download a file - tags: - - Security Endpoint Management API - /api/endpoint/action/cancel: - post: - description: >- - Cancel a running or pending response action (Applies only to some agent - types). 
- operationId: CancelAction - requestBody: - content: - application/json: - examples: - MicrosoftDefenderEndpoint: - summary: >- - Cancel a response action on a Microsoft Defender for Endpoint - host - value: - agent_type: microsoft_defender_endpoint - comment: Cancelling action due to change in requirements - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - id: 7f8c9b2a-4d3e-4f5a-8b1c-2e3f4a5b6c7d - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_CancelRouteRequestBody - required: true - responses: - '200': - content: - application/json: - examples: - CancelSuccess: - summary: Cancel action successfully created - value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: microsoft_defender_endpoint - command: cancel - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 233db9ea-6733-4849-9226-5a7039c7161d - isCompleted: false - isExpired: false - outputs: {} - parameters: - id: 7f8c9b2a-4d3e-4f5a-8b1c-2e3f4a5b6c7d - startedAt: '2022-07-29T19:08:49.126Z' - status: pending - wasSuccessful: false - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse - description: Indicates a successful call. - summary: Cancel a response action - tags: - - Security Endpoint Management API - /api/endpoint/action/execute: - post: - description: Run a shell command on an endpoint. 
- operationId: EndpointExecuteAction - requestBody: - content: - application/json: - examples: - executeCommand: - summary: Execute a shell command on an endpoint - value: - comment: Get list of all files - endpoint_ids: - - b3d6de74-36b0-4fa8-be46-c375bf1771bf - parameters: - command: ls -al - timeout: 600 - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ExecuteRouteRequestBody - required: true + default: 20 + type: number + - description: A KQL query string to filter results + in: query + name: kuery + required: false + schema: + type: string + - description: When true, include agentless agents in the results + in: query + name: showAgentless + required: false + schema: + default: true + type: boolean + - description: When true, include inactive agents in the results + in: query + name: showInactive + required: false + schema: + default: false + type: boolean + - description: When true, include CPU and memory metrics in the response + in: query + name: withMetrics + required: false + schema: + default: false + type: boolean + - description: When true, only return agents that are upgradeable + in: query + name: showUpgradeable + required: false + schema: + default: false + type: boolean + - description: When true, return a summary of agent statuses in the response + in: query + name: getStatusSummary + required: false + schema: + default: false + type: boolean + - description: Field to sort results by + in: query + name: sortField + required: false + schema: + type: string + - description: Sort order, ascending or descending + in: query + name: sortOrder + required: false + schema: + enum: + - asc + - desc + type: string + - description: JSON-encoded array of sort values for `search_after` pagination + in: query + name: searchAfter + required: false + schema: + type: string + - description: When true, opens a new point-in-time for pagination + in: query + name: openPit + required: false + schema: + type: boolean + - description: 
Point-in-time ID for pagination + in: query + name: pitId + required: false + schema: + type: string + - description: Duration to keep the point-in-time alive, for example, `1m` + in: query + name: pitKeepAlive + required: false + schema: + type: string responses: '200': content: application/json: examples: - ExecuteSuccess: - summary: Execute action successfully created + getAgentsExample: + description: List of agents value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: execute - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 9f934028-2300-4927-b531-b26376793dc4 - isCompleted: false - isExpired: false - outputs: {} - parameters: - command: ls -al - timeout: 600 - startedAt: '2023-07-28T18:43:27.362Z' - status: pending - wasSuccessful: false + items: + - active: true + enrolled_at: '2024-01-01T00:00:00.000Z' + id: agent-id-1 + policy_id: agent-policy-id-1 + policy_revision: 1 + status: online + type: PERMANENT + updated_at: '2024-01-01T00:00:00.000Z' + page: 1 + perPage: 20 + total: 1 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse - description: Indicates a successful call. - summary: Run a command - tags: - - Security Endpoint Management API - /api/endpoint/action/get_file: - post: - description: Get a file from an endpoint. 
- operationId: EndpointGetFileAction - requestBody: - content: - application/json: - examples: - getFile: - summary: Get a specific file from an endpoint - value: - comment: Get my file - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - path: /usr/my-file.txt - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_GetFileRouteRequestBody - required: true - responses: - '200': + additionalProperties: false + type: object + properties: + items: + items: + additionalProperties: false + type: object + properties: + access_api_key: + type: string + access_api_key_id: + type: string + active: + type: boolean + agent: + additionalProperties: true + type: object + properties: + id: + type: string + type: + type: string + version: + type: string + required: + - id + - version + audit_unenrolled_reason: + type: string + capabilities: + items: + type: string + maxItems: 100 + type: array + components: + items: + additionalProperties: false + type: object + properties: + id: + type: string + message: + type: string + status: + enum: + - STARTING + - CONFIGURING + - HEALTHY + - DEGRADED + - FAILED + - STOPPING + - STOPPED + type: string + type: + type: string + units: + items: + additionalProperties: false + type: object + properties: + id: + type: string + message: + type: string + payload: + additionalProperties: + nullable: true + type: object + status: + enum: + - STARTING + - CONFIGURING + - HEALTHY + - DEGRADED + - FAILED + - STOPPING + - STOPPED + type: string + type: + enum: + - input + - output + - '' + type: string + required: + - id + - type + - status + - message + maxItems: 10000 + type: array + required: + - id + - type + - status + - message + maxItems: 10000 + type: array + default_api_key: + type: string + default_api_key_history: + items: + additionalProperties: false + deprecated: true + type: object + properties: + id: + type: string + retired_at: + type: string + required: + - id + - retired_at + maxItems: 100 + 
type: array + default_api_key_id: + type: string + effective_config: + nullable: true + enrolled_at: + type: string + health: + additionalProperties: + nullable: true + type: object + id: + type: string + identifying_attributes: + additionalProperties: + type: string + type: object + last_checkin: + type: string + last_checkin_message: + type: string + last_checkin_status: + enum: + - error + - online + - degraded + - updating + - starting + - disconnected + type: string + last_known_status: + enum: + - offline + - error + - online + - inactive + - enrolling + - unenrolling + - unenrolled + - updating + - degraded + - uninstalled + - orphaned + type: string + local_metadata: + additionalProperties: + nullable: true + type: object + metrics: + additionalProperties: false + type: object + properties: + cpu_avg: + type: number + memory_size_byte_avg: + type: number + namespaces: + items: + type: string + maxItems: 100 + type: array + non_identifying_attributes: + additionalProperties: + type: string + type: object + outputs: + additionalProperties: + additionalProperties: false + type: object + properties: + api_key_id: + type: string + to_retire_api_key_ids: + items: + additionalProperties: false + type: object + properties: + id: + type: string + retired_at: + type: string + required: + - id + - retired_at + maxItems: 100 + type: array + type: + type: string + type: object + packages: + items: + type: string + maxItems: 10000 + type: array + policy_id: + type: string + policy_revision: + nullable: true + type: number + sequence_num: + type: number + signals: + items: + type: string + maxItems: 50 + type: array + sort: + items: + nullable: true + maxItems: 10 + type: array + status: + enum: + - offline + - error + - online + - inactive + - enrolling + - unenrolling + - unenrolled + - updating + - degraded + - uninstalled + - orphaned + type: string + tags: + items: + type: string + maxItems: 100 + type: array + type: + enum: + - PERMANENT + - EPHEMERAL + - TEMPORARY 
+ - OPAMP + type: string + unenrolled_at: + type: string + unenrollment_started_at: + type: string + unhealthy_reason: + items: + enum: + - input + - output + - other + type: string + maxItems: 3 + nullable: true + type: array + upgrade: + additionalProperties: false + type: object + properties: + rollbacks: + items: + additionalProperties: false + type: object + properties: + valid_until: + type: string + version: + type: string + required: + - valid_until + - version + maxItems: 100 + type: array + upgrade_attempts: + items: + type: string + maxItems: 10000 + nullable: true + type: array + upgrade_details: + additionalProperties: false + nullable: true + type: object + properties: + action_id: + type: string + metadata: + additionalProperties: false + type: object + properties: + download_percent: + type: number + download_rate: + type: number + error_msg: + type: string + failed_state: + enum: + - UPG_REQUESTED + - UPG_SCHEDULED + - UPG_DOWNLOADING + - UPG_EXTRACTING + - UPG_REPLACING + - UPG_RESTARTING + - UPG_FAILED + - UPG_WATCHING + - UPG_ROLLBACK + type: string + reason: + type: string + retry_error_msg: + type: string + retry_until: + type: string + scheduled_at: + type: string + state: + enum: + - UPG_REQUESTED + - UPG_SCHEDULED + - UPG_DOWNLOADING + - UPG_EXTRACTING + - UPG_REPLACING + - UPG_RESTARTING + - UPG_FAILED + - UPG_WATCHING + - UPG_ROLLBACK + type: string + target_version: + type: string + required: + - target_version + - action_id + - state + upgrade_started_at: + nullable: true + type: string + upgraded_at: + nullable: true + type: string + user_provided_metadata: + additionalProperties: + nullable: true + type: object + required: + - id + - packages + - type + - active + - enrolled_at + - local_metadata + - effective_config + maxItems: 10000 + type: array + nextSearchAfter: + type: string + page: + type: number + perPage: + type: number + pit: + type: string + statusSummary: + additionalProperties: + type: number + type: object + total: + 
type: number + required: + - items + - total + - page + - perPage + description: Successful response + '400': content: application/json: examples: - GetFileSuccess: - summary: Get file action successfully created + genericErrorResponseExample: + description: Example of a generic error response value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: get-file - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 27ba1b42-7cc6-4e53-86ce-675c876092b2 - isCompleted: false - isExpired: false - outputs: {} - parameters: - path: /usr/my-file.txt - startedAt: '2023-07-28T19:00:03.911Z' - status: pending - wasSuccessful: false + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse - description: Indicates a successful call. - summary: Get a file + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get agents tags: - - Security Endpoint Management API - /api/endpoint/action/isolate: + - Elastic Agents + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name post: - description: >- - Isolate an endpoint from the network. The endpoint remains isolated - until it's released. - operationId: EndpointIsolateAction + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve agents associated with specific action IDs.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: post-fleet-agents + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: examples: - multiple_endpoints: - summary: Isolates several hosts; includes a comment - value: - comment: Locked down, pending further investigation - endpoint_ids: - - 9972d10e-4b9e-41aa-a534-a85e2a28ea42 - - bc0e4f0c-3bca-4633-9fee-156c0b505d16 - - fa89271b-b9d4-43f2-a684-307cffddeb5a - single_endpoint: - summary: >- - Isolates a single host with an endpoint_id value of - ed518850-681a-4d60-bb98-e22640cae2a8 - value: - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - with_case_id: - summary: Isolates a single host with a case_id value of 1234 + postGetAgentsByActionsRequestExample: + description: Retrieve agents associated with specific action IDs value: - case_ids: - - 4976be38-c134-4554-bd5e-0fd89ce63667 - comment: Isolating as initial response - endpoint_ids: - - 1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0 - - b30a11bf-1395-4707-b508-fbb45ef9793e + actionIds: + - action-id-1 + - action-id-2 schema: + additionalProperties: false type: object properties: - agent_type: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_AgentTypes - alert_ids: - description: >- - If this action is associated with any alerts, they can be - specified here. The action will be logged in any cases - associated with the specified alerts. Max of 50. - example: - - alert-id-1 - - alert-id-2 - items: - minLength: 1 - type: string - maxItems: 50 - minItems: 1 - type: array - case_ids: - description: >- - The IDs of cases where the action taken will be logged. Max - of 50. 
- example: - - case-id-1 - - case-id-2 + actionIds: items: - minLength: 1 type: string - maxItems: 50 - minItems: 1 + maxItems: 1000 type: array - comment: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_Comment - endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds - parameters: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_Parameters required: - - endpoint_ids - required: true - responses: - '200': - content: - application/json: - examples: - IsolateSuccess: - summary: Isolate action successfully created - value: - action: 233db9ea-6733-4849-9226-5a7039c7161d - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: isolate - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 233db9ea-6733-4849-9226-5a7039c7161d - isCompleted: false - isExpired: false - outputs: {} - startedAt: '2022-07-29T19:08:49.126Z' - status: pending - wasSuccessful: false - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_IsolateRouteResponse - description: Indicates a successful call. - summary: Isolate an endpoint - tags: - - Security Endpoint Management API - /api/endpoint/action/kill_process: - post: - description: Terminate a running process on an endpoint. 
- operationId: EndpointKillProcessAction - requestBody: - content: - application/json: - examples: - byEntityId: - summary: Terminate a process by entity ID - value: - comment: Terminating malicious process - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - entity_id: abc123 - byPid: - summary: Terminate a process by PID - value: - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - pid: 1234 - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_KillProcessRouteRequestBody - required: true - responses: - '200': - content: - application/json: - examples: - KillProcessSuccess: - summary: Kill process action successfully created - value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: kill-process - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 233db9ea-6733-4849-9226-5a7039c7161d - isCompleted: false - isExpired: false - outputs: {} - parameters: - entity_id: abc123 - startedAt: '2022-07-29T19:08:49.126Z' - status: pending - wasSuccessful: false - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse - description: Indicates a successful call. - summary: Terminate a process - tags: - - Security Endpoint Management API - /api/endpoint/action/memory_dump: - post: - description: Generates memory dumps on the targeted host. 
- operationId: EndpointGenerateMemoryDump - requestBody: - content: - application/json: - examples: - ProcessMemoryDump: - summary: Generate a memory dump from the host machine - value: - agent_type: endpoint - comment: Generating memory dump for investigation - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - entity_id: abc123 - type: process - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_MemoryDumpRouteRequestBody - required: true + - actionIds responses: '200': content: application/json: examples: - MemoryDumpSuccessResponse: - summary: Memory dump action successfully created + postGetAgentsByActionsExample: + description: Agents associated with the given actions value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: memory-dump - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 233db9ea-6733-4849-9226-5a7039c7161d - isCompleted: false - isExpired: false - outputs: {} - parameters: - entity_id: abc123 - type: process - startedAt: '2022-07-29T19:08:49.126Z' - status: pending - wasSuccessful: false + items: + - active: true + id: agent-id-1 + policy_id: agent-policy-id-1 + status: online + total: 1 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse - description: Indicates a successful call. - summary: Generate a memory dump from the host machine - tags: - - Security Endpoint Management API - /api/endpoint/action/running_procs: - post: - description: Get a list of all processes running on an endpoint. 
- operationId: EndpointGetProcessesAction - requestBody: - content: - application/json: - examples: - singleEndpoint: - summary: Get running processes on a single endpoint - value: - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_GetProcessesRouteRequestBody - required: true - responses: - '200': + additionalProperties: false + type: object + properties: + items: + items: + type: string + maxItems: 10000 + type: array + required: + - items + description: Successful response + '400': content: application/json: examples: - RunningProcsSuccess: - summary: Running processes action successfully created + genericErrorResponseExample: + description: Example of a generic error response value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: running-processes - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 233db9ea-6733-4849-9226-5a7039c7161d - isCompleted: false - isExpired: false - outputs: {} - startedAt: '2022-07-29T19:08:49.126Z' - status: pending - wasSuccessful: false + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse - description: Indicates a successful call. - summary: Get running processes + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get agents by action ids tags: - - Security Endpoint Management API - /api/endpoint/action/runscript: - post: - description: Run a script on a host. 
Currently supported only for some agent types. - operationId: RunScriptAction - requestBody: - content: - application/json: - examples: - Elastic Defend: - description: Endpoint runscript to collect logs - summary: Run a script against an Elastic Defend agent - value: - agent_type: endpoint - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - scriptId: 1111-2222-3333-4444-5555-6666-7777-8888 - scriptInput: '--path= /usr/log/exec.log' - MDE: - description: Microsoft Defender Endpoint runscript - summary: Run a script against a Microsoft Defender Endpoint agent - value: - agent_type: microsoft_defender_endpoint - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - args: '-param1 value1 -param2 value2' - scriptName: my-script.ps1 - SentinelOne: - description: SentinelOne runscript - summary: Run a script against a SentinelOne agent - value: - agent_type: sentinel_one - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - scriptId: 1111-2222-3333-4444-5555-6666-7777-8888 - scriptInput: >- - --delete --paths-to-delete - /tmp/temp_file.txt,/tmp/random_file.txt - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_RunScriptRouteRequestBody - required: true + - Elastic Agents + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/{agentId}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/agents/{agentId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete an agent by ID.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: delete-fleet-agents-agentid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The agent ID + in: path + name: agentId + required: true + schema: + type: string responses: '200': content: application/json: examples: - RunScriptSuccess: - summary: Run script action successfully created + deleteAgentExample: + description: Agent successfully deleted value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: sentinel_one - command: runscript - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 233db9ea-6733-4849-9226-5a7039c7161d - isCompleted: false - isExpired: false - outputs: {} - parameters: - scriptId: 1111-2222-3333-4444-5555-6666-7777-8888 - startedAt: '2022-07-29T19:08:49.126Z' - status: pending - wasSuccessful: false + id: agent-id-1 + success: true schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse - description: Indicates a successful call. - summary: Run a script - tags: - - Security Endpoint Management API - /api/endpoint/action/scan: - post: - description: Scan a specific file or directory on an endpoint for malware. 
- operationId: EndpointScanAction - requestBody: - content: - application/json: - examples: - scanFile: - summary: Scan a file on an endpoint - value: - comment: Scan the file for malware - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - path: /usr/my-file.txt - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ScanRouteRequestBody - required: true - responses: - '200': + additionalProperties: false + type: object + properties: + action: + enum: + - deleted + type: string + required: + - action + description: Successful response + '400': content: application/json: examples: - ScanSuccess: - summary: Scan action successfully created + genericErrorResponseExample: + description: Example of a generic error response value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: scan - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 27ba1b42-7cc6-4e53-86ce-675c876092b2 - isCompleted: false - isExpired: false - outputs: {} - parameters: - path: /usr/my-file.txt - startedAt: '2023-07-28T19:00:03.911Z' - status: pending - wasSuccessful: false + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse - description: Indicates a successful call. 
- summary: Scan a file or directory + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No agent was found with the given ID + value: + error: Not Found + message: Agent agent-id-1 not found + statusCode: 404 + description: Not Found + summary: Delete an agent tags: - - Security Endpoint Management API - /api/endpoint/action/state: + - Elastic Agents + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name get: - description: >- - Get a response actions state, which reports whether encryption is - enabled. - operationId: EndpointGetActionsState + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agents/{agentId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get an agent by ID.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agents-agentid + parameters: + - description: The agent ID + in: path + name: agentId + required: true + schema: + type: string + - description: When true, include CPU and memory metrics in the response + in: query + name: withMetrics + required: false + schema: + default: false + type: boolean responses: '200': content: application/json: examples: - actionsState: - summary: Response actions state with encryption enabled + getAgentExample: + description: Agent details value: - data: - canEncrypt: true + item: + active: true + agent_id: agent-id-1 + enrolled_at: '2024-01-01T00:00:00.000Z' + id: agent-id-1 + local_metadata: + elastic: + agent: + version: 8.17.0 + host: + hostname: my-host + os: + name: linux + policy_id: agent-policy-id-1 + policy_revision: 1 + status: online + type: PERMANENT + updated_at: '2024-01-01T00:00:00.000Z' schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ActionStateSuccessResponse - description: OK - summary: Get actions state - tags: - - Security Endpoint Management API - /api/endpoint/action/suspend_process: - post: - description: Suspend a running process on an endpoint. 
- operationId: EndpointSuspendProcessAction - requestBody: - content: - application/json: - examples: - byEntityId: - summary: Suspend a process by entity ID - value: - comment: Suspending suspicious process - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - entity_id: abc123 - byPid: - summary: Suspend a process by PID - value: - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - pid: 1234 - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_SuspendProcessRouteRequestBody - required: true - responses: - '200': + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + access_api_key: + type: string + access_api_key_id: + type: string + active: + type: boolean + agent: + additionalProperties: true + type: object + properties: + id: + type: string + type: + type: string + version: + type: string + required: + - id + - version + audit_unenrolled_reason: + type: string + capabilities: + items: + type: string + maxItems: 100 + type: array + components: + items: + additionalProperties: false + type: object + properties: + id: + type: string + message: + type: string + status: + enum: + - STARTING + - CONFIGURING + - HEALTHY + - DEGRADED + - FAILED + - STOPPING + - STOPPED + type: string + type: + type: string + units: + items: + additionalProperties: false + type: object + properties: + id: + type: string + message: + type: string + payload: + additionalProperties: + nullable: true + type: object + status: + enum: + - STARTING + - CONFIGURING + - HEALTHY + - DEGRADED + - FAILED + - STOPPING + - STOPPED + type: string + type: + enum: + - input + - output + - '' + type: string + required: + - id + - type + - status + - message + maxItems: 10000 + type: array + required: + - id + - type + - status + - message + maxItems: 10000 + type: array + default_api_key: + type: string + default_api_key_history: + items: + additionalProperties: false + 
deprecated: true + type: object + properties: + id: + type: string + retired_at: + type: string + required: + - id + - retired_at + maxItems: 100 + type: array + default_api_key_id: + type: string + effective_config: + nullable: true + enrolled_at: + type: string + health: + additionalProperties: + nullable: true + type: object + id: + type: string + identifying_attributes: + additionalProperties: + type: string + type: object + last_checkin: + type: string + last_checkin_message: + type: string + last_checkin_status: + enum: + - error + - online + - degraded + - updating + - starting + - disconnected + type: string + last_known_status: + enum: + - offline + - error + - online + - inactive + - enrolling + - unenrolling + - unenrolled + - updating + - degraded + - uninstalled + - orphaned + type: string + local_metadata: + additionalProperties: + nullable: true + type: object + metrics: + additionalProperties: false + type: object + properties: + cpu_avg: + type: number + memory_size_byte_avg: + type: number + namespaces: + items: + type: string + maxItems: 100 + type: array + non_identifying_attributes: + additionalProperties: + type: string + type: object + outputs: + additionalProperties: + additionalProperties: false + type: object + properties: + api_key_id: + type: string + to_retire_api_key_ids: + items: + additionalProperties: false + type: object + properties: + id: + type: string + retired_at: + type: string + required: + - id + - retired_at + maxItems: 100 + type: array + type: + type: string + type: object + packages: + items: + type: string + maxItems: 10000 + type: array + policy_id: + type: string + policy_revision: + nullable: true + type: number + sequence_num: + type: number + signals: + items: + type: string + maxItems: 50 + type: array + sort: + items: + nullable: true + maxItems: 10 + type: array + status: + enum: + - offline + - error + - online + - inactive + - enrolling + - unenrolling + - unenrolled + - updating + - degraded + - uninstalled 
+ - orphaned + type: string + tags: + items: + type: string + maxItems: 100 + type: array + type: + enum: + - PERMANENT + - EPHEMERAL + - TEMPORARY + - OPAMP + type: string + unenrolled_at: + type: string + unenrollment_started_at: + type: string + unhealthy_reason: + items: + enum: + - input + - output + - other + type: string + maxItems: 3 + nullable: true + type: array + upgrade: + additionalProperties: false + type: object + properties: + rollbacks: + items: + additionalProperties: false + type: object + properties: + valid_until: + type: string + version: + type: string + required: + - valid_until + - version + maxItems: 100 + type: array + upgrade_attempts: + items: + type: string + maxItems: 10000 + nullable: true + type: array + upgrade_details: + additionalProperties: false + nullable: true + type: object + properties: + action_id: + type: string + metadata: + additionalProperties: false + type: object + properties: + download_percent: + type: number + download_rate: + type: number + error_msg: + type: string + failed_state: + enum: + - UPG_REQUESTED + - UPG_SCHEDULED + - UPG_DOWNLOADING + - UPG_EXTRACTING + - UPG_REPLACING + - UPG_RESTARTING + - UPG_FAILED + - UPG_WATCHING + - UPG_ROLLBACK + type: string + reason: + type: string + retry_error_msg: + type: string + retry_until: + type: string + scheduled_at: + type: string + state: + enum: + - UPG_REQUESTED + - UPG_SCHEDULED + - UPG_DOWNLOADING + - UPG_EXTRACTING + - UPG_REPLACING + - UPG_RESTARTING + - UPG_FAILED + - UPG_WATCHING + - UPG_ROLLBACK + type: string + target_version: + type: string + required: + - target_version + - action_id + - state + upgrade_started_at: + nullable: true + type: string + upgraded_at: + nullable: true + type: string + user_provided_metadata: + additionalProperties: + nullable: true + type: object + required: + - id + - packages + - type + - active + - enrolled_at + - local_metadata + - effective_config + required: + - item + description: Successful response + '400': content: 
application/json: examples: - SuspendProcessSuccess: - summary: Suspend process action successfully created + genericErrorResponseExample: + description: Example of a generic error response value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: suspend-process - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 233db9ea-6733-4849-9226-5a7039c7161d - isCompleted: false - isExpired: false - outputs: {} - parameters: - entity_id: abc123 - startedAt: '2022-07-29T19:08:49.126Z' - status: pending - wasSuccessful: false + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse - description: Indicates a successful call. - summary: Suspend a process + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No agent was found with the given ID + value: + error: Not Found + message: Agent agent-id-1 not found + statusCode: 404 + description: Not Found + summary: Get an agent tags: - - Security Endpoint Management API - /api/endpoint/action/unisolate: - post: - description: Release an isolated endpoint, allowing it to rejoin a network. - operationId: EndpointUnisolateAction + - Elastic Agents + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/fleet/agents/{agentId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an agent by ID.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: put-fleet-agents-agentid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The agent ID + in: path + name: agentId + required: true + schema: + type: string requestBody: content: application/json: examples: - multipleHosts: - summary: 'Releases several hosts; includes a comment:' - value: - comment: Benign process identified, releasing group - endpoint_ids: - - 9972d10e-4b9e-41aa-a534-a85e2a28ea42 - - bc0e4f0c-3bca-4633-9fee-156c0b505d16 - - fa89271b-b9d4-43f2-a684-307cffddeb5a - singleHost: - summary: >- - Releases a single host with an endpoint_id value of - ed518850-681a-4d60-bb98-e22640cae2a8 - value: - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - withCaseId: - summary: Releases hosts with an associated case; includes a comment. + putAgentRequestExample: + description: Update agent tags value: - case_ids: - - 4976be38-c134-4554-bd5e-0fd89ce63667 - comment: Remediation complete, restoring network - endpoint_ids: - - 1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0 - - b30a11bf-1395-4707-b508-fbb45ef9793e + tags: + - production + - linux schema: + additionalProperties: false type: object properties: - agent_type: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_AgentTypes - alert_ids: - description: >- - If this action is associated with any alerts, they can be - specified here. The action will be logged in any cases - associated with the specified alerts. Max of 50. - example: - - alert-id-1 - - alert-id-2 - items: - minLength: 1 - type: string - maxItems: 50 - minItems: 1 - type: array - case_ids: - description: >- - The IDs of cases where the action taken will be logged. Max - of 50. 
- example: - - case-id-1 - - case-id-2 + tags: items: - minLength: 1 type: string - maxItems: 50 - minItems: 1 + maxItems: 10 type: array - comment: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_Comment - endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds - parameters: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_Parameters - required: - - endpoint_ids - required: true + user_provided_metadata: + additionalProperties: + nullable: true + type: object responses: '200': content: application/json: examples: - UnisolateSuccess: - summary: Unisolate action successfully created + putAgentExample: + description: Updated agent details value: - action: 233db9ea-6733-4849-9226-5a7039c7161d - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: unisolate - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 233db9ea-6733-4849-9226-5a7039c7161d - isCompleted: false - isExpired: false - outputs: {} - startedAt: '2022-07-29T19:08:49.126Z' - status: pending - wasSuccessful: false + item: + active: true + enrolled_at: '2024-01-01T00:00:00.000Z' + id: agent-id-1 + policy_id: agent-policy-id-1 + policy_revision: 1 + status: online + tags: + - production + - linux + type: PERMANENT + updated_at: '2024-01-01T00:00:00.000Z' schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_UnisolateRouteResponse - description: Indicates a successful call. 
- summary: Release an isolated endpoint + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + access_api_key: + type: string + access_api_key_id: + type: string + active: + type: boolean + agent: + additionalProperties: true + type: object + properties: + id: + type: string + type: + type: string + version: + type: string + required: + - id + - version + audit_unenrolled_reason: + type: string + capabilities: + items: + type: string + maxItems: 100 + type: array + components: + items: + additionalProperties: false + type: object + properties: + id: + type: string + message: + type: string + status: + enum: + - STARTING + - CONFIGURING + - HEALTHY + - DEGRADED + - FAILED + - STOPPING + - STOPPED + type: string + type: + type: string + units: + items: + additionalProperties: false + type: object + properties: + id: + type: string + message: + type: string + payload: + additionalProperties: + nullable: true + type: object + status: + enum: + - STARTING + - CONFIGURING + - HEALTHY + - DEGRADED + - FAILED + - STOPPING + - STOPPED + type: string + type: + enum: + - input + - output + - '' + type: string + required: + - id + - type + - status + - message + maxItems: 10000 + type: array + required: + - id + - type + - status + - message + maxItems: 10000 + type: array + default_api_key: + type: string + default_api_key_history: + items: + additionalProperties: false + deprecated: true + type: object + properties: + id: + type: string + retired_at: + type: string + required: + - id + - retired_at + maxItems: 100 + type: array + default_api_key_id: + type: string + effective_config: + nullable: true + enrolled_at: + type: string + health: + additionalProperties: + nullable: true + type: object + id: + type: string + identifying_attributes: + additionalProperties: + type: string + type: object + last_checkin: + type: string + last_checkin_message: + type: string + last_checkin_status: + enum: + - error 
+ - online + - degraded + - updating + - starting + - disconnected + type: string + last_known_status: + enum: + - offline + - error + - online + - inactive + - enrolling + - unenrolling + - unenrolled + - updating + - degraded + - uninstalled + - orphaned + type: string + local_metadata: + additionalProperties: + nullable: true + type: object + metrics: + additionalProperties: false + type: object + properties: + cpu_avg: + type: number + memory_size_byte_avg: + type: number + namespaces: + items: + type: string + maxItems: 100 + type: array + non_identifying_attributes: + additionalProperties: + type: string + type: object + outputs: + additionalProperties: + additionalProperties: false + type: object + properties: + api_key_id: + type: string + to_retire_api_key_ids: + items: + additionalProperties: false + type: object + properties: + id: + type: string + retired_at: + type: string + required: + - id + - retired_at + maxItems: 100 + type: array + type: + type: string + type: object + packages: + items: + type: string + maxItems: 10000 + type: array + policy_id: + type: string + policy_revision: + nullable: true + type: number + sequence_num: + type: number + signals: + items: + type: string + maxItems: 50 + type: array + sort: + items: + nullable: true + maxItems: 10 + type: array + status: + enum: + - offline + - error + - online + - inactive + - enrolling + - unenrolling + - unenrolled + - updating + - degraded + - uninstalled + - orphaned + type: string + tags: + items: + type: string + maxItems: 100 + type: array + type: + enum: + - PERMANENT + - EPHEMERAL + - TEMPORARY + - OPAMP + type: string + unenrolled_at: + type: string + unenrollment_started_at: + type: string + unhealthy_reason: + items: + enum: + - input + - output + - other + type: string + maxItems: 3 + nullable: true + type: array + upgrade: + additionalProperties: false + type: object + properties: + rollbacks: + items: + additionalProperties: false + type: object + properties: + valid_until: + 
type: string + version: + type: string + required: + - valid_until + - version + maxItems: 100 + type: array + upgrade_attempts: + items: + type: string + maxItems: 10000 + nullable: true + type: array + upgrade_details: + additionalProperties: false + nullable: true + type: object + properties: + action_id: + type: string + metadata: + additionalProperties: false + type: object + properties: + download_percent: + type: number + download_rate: + type: number + error_msg: + type: string + failed_state: + enum: + - UPG_REQUESTED + - UPG_SCHEDULED + - UPG_DOWNLOADING + - UPG_EXTRACTING + - UPG_REPLACING + - UPG_RESTARTING + - UPG_FAILED + - UPG_WATCHING + - UPG_ROLLBACK + type: string + reason: + type: string + retry_error_msg: + type: string + retry_until: + type: string + scheduled_at: + type: string + state: + enum: + - UPG_REQUESTED + - UPG_SCHEDULED + - UPG_DOWNLOADING + - UPG_EXTRACTING + - UPG_REPLACING + - UPG_RESTARTING + - UPG_FAILED + - UPG_WATCHING + - UPG_ROLLBACK + type: string + target_version: + type: string + required: + - target_version + - action_id + - state + upgrade_started_at: + nullable: true + type: string + upgraded_at: + nullable: true + type: string + user_provided_metadata: + additionalProperties: + nullable: true + type: object + required: + - id + - packages + - type + - active + - enrolled_at + - local_metadata + - effective_config + required: + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + 
application/json: + examples: + notFoundExample: + description: No agent was found with the given ID + value: + error: Not Found + message: Agent agent-id-1 not found + statusCode: 404 + description: Not Found + summary: Update an agent by ID tags: - - Security Endpoint Management API - /api/endpoint/action/upload: + - Elastic Agents + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/{agentId}/actions: post: - description: Upload a file to an endpoint. - operationId: EndpointUploadAction + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/{agentId}/actions
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new action for a specific agent.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-agentid-actions + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The agent ID + in: path + name: agentId + required: true + schema: + type: string requestBody: content: - multipart/form-data: + application/json: examples: - uploadFile: - summary: Upload a script file to a specific endpoint + postAgentActionRequestExample: + description: Create a UNENROLL action for an agent value: - comment: Pushing remediation script to host - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - file: RWxhc3RpYw== - parameters: - overwrite: false + action: + type: UNENROLL schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_UploadRouteRequestBody - required: true + additionalProperties: false + type: object + properties: + action: + anyOf: + - additionalProperties: false + type: object + properties: + ack_data: + nullable: true + data: + nullable: true + type: + enum: + - UNENROLL + - UPGRADE + - POLICY_REASSIGN + type: string + required: + - type + - data + - ack_data + - additionalProperties: false + type: object + properties: + data: + additionalProperties: false + type: object + properties: + log_level: + enum: + - debug + - info + - warning + - error + nullable: true + type: string + required: + - log_level + type: + enum: + - SETTINGS + type: string + required: + - type + - data + required: + - action responses: '200': content: application/json: examples: - UploadSuccess: - summary: Upload action successfully created + postAgentActionExample: + description: Created agent action value: - data: + item: agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: upload - createdBy: elastic - 
hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: Host-5i6cuc8kdv - id: 9ff6aebc-2cb6-481e-8869-9b30036c9731 - isCompleted: false - isExpired: false - outputs: {} - parameters: - file_id: 10e4ce3d-4abb-4f93-a0cd-eaf63a489280 - file_name: fix-malware.sh - file_sha256: >- - a0bed94220193ba4895c0aa5b4e7e293381d15765cb164ddf7be5cdd010ae42a - file_size: 69 - startedAt: '2023-07-03T15:07:22.837Z' - status: pending - wasSuccessful: false + - agent-id-1 + created_at: '2024-01-01T00:00:00.000Z' + id: action-id-1 + type: UNENROLL schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse - description: Indicates a successful call. - summary: Upload a file - tags: - - Security Endpoint Management API - /api/endpoint/metadata: - get: - description: Get a list of all endpoint host metadata. - operationId: GetEndpointMetadataList - parameters: - - description: The page number to return. - in: query - name: page - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Page' - - description: The number of endpoints to return per page. - in: query - name: pageSize - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_PageSize' - - description: A KQL string to filter the endpoint metadata results. - in: query - name: kuery - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Kuery' - - description: >- - A set of host statuses to filter the results by (for example, - `healthy`, `updating`). - in: query - name: hostStatuses - required: true - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_HostStatuses' - - description: The field used to sort the results. - in: query - name: sortField - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_SortField' - - description: The sort order, either `asc` or `desc`. 
- in: query - name: sortDirection - required: false - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_SortDirection - responses: - '200': + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + ack_data: + nullable: true + agents: + items: + type: string + maxItems: 10000 + type: array + created_at: + type: string + data: + nullable: true + expiration: + type: string + id: + type: string + minimum_execution_duration: + type: number + namespaces: + items: + type: string + maxItems: 100 + type: array + rollout_duration_seconds: + type: number + sent_at: + type: string + source_uri: + type: string + start_time: + type: string + total: + type: number + type: + type: string + required: + - id + - type + - data + - created_at + - ack_data + required: + - item + description: Successful response + '400': content: application/json: examples: - metadataList: - summary: A list of endpoint host metadata + genericErrorResponseExample: + description: Example of a generic error response value: - data: - - host_status: healthy - last_checkin: '2023-07-04T15:47:57.432Z' - metadata: - agent: - id: 285297c6-3bff-4b83-9a07-f3e749801123 - type: endpoint - version: 8.10.0 - Endpoint: - policy: - applied: - id: d5371dcd-93b7-4627-af88-4084f7d6aa3e - name: test - status: success - status: enrolled - host: - hostname: WinDev2104Eval - os: - name: Windows - platform: windows - version: 20H2 - page: 0 - pageSize: 10 - sortDirection: desc - sortField: enrolled_at - total: 1 + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_MetadataListResponse - description: Indicates a successful call. 
- summary: Get a metadata list + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Create an agent action tags: - - Security Endpoint Management API - /api/endpoint/metadata/{id}: + - Elastic Agent actions + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/{agentId}/effective_config: get: - description: Get host metadata for a specific endpoint. - operationId: GetEndpointMetadata + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agents/{agentId}/effective_config
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get an agent's effective config by ID.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agents-agentid-effective-config parameters: - - description: The agent ID of the endpoint. + - description: The agent ID to get effective config of in: path - name: id + name: agentId required: true schema: - example: ed518850-681a-4d60-bb98-e22640cae2a8 type: string responses: '200': content: application/json: examples: - endpointMetadata: - summary: Host metadata for a specific endpoint + successResponse: value: - host_status: healthy - last_checkin: '2023-07-04T15:48:57.360Z' - metadata: - agent: - id: abb8a826-6812-448c-a571-6d8269b51449 - type: endpoint - version: 8.10.0 - Endpoint: - policy: - applied: - id: d5371dcd-93b7-4627-af88-4084f7d6aa3e - name: test - status: success - status: enrolled - host: - hostname: WinDev2104Eval - os: - name: Windows - platform: windows - version: 20H2 + effective_config: {} schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointMetadataResponse - description: Indicates a successful call. - summary: Get metadata + additionalProperties: false + type: object + properties: + effective_config: + nullable: true + required: + - effective_config + description: 'OK: A successful request.' + '400': + content: + application/json: + examples: + badRequestResponse: + value: + message: Bad Request + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: A bad request. + summary: Get an agent's effective config tags: - - Security Endpoint Management API - /api/endpoint/policy_response: - get: - description: Get the most recent policy response for an endpoint. 
- operationId: GetPolicyResponse + - Elastic Agents + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/{agentId}/migrate: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/{agentId}/migrate
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Migrate a single agent to another cluster.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-agentid-migrate parameters: - - description: The agent ID to retrieve the policy response for. - in: query + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The agent ID + in: path name: agentId required: true schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentId' + type: string + requestBody: + content: + application/json: + examples: + postMigrateAgentRequestExample: + description: Migrate a single agent to another cluster + value: + enrollment_token: enrollment-token-value + settings: + retry_max: 5 + uri: https://fleet-server.example.com:8220 + schema: + additionalProperties: false + type: object + properties: + enrollment_token: + type: string + settings: + additionalProperties: false + type: object + properties: + ca_sha256: + type: string + certificate_authorities: + type: string + elastic_agent_cert: + type: string + elastic_agent_cert_key: + type: string + elastic_agent_cert_key_passphrase: + type: string + headers: + additionalProperties: + type: string + type: object + insecure: + type: boolean + proxy_disabled: + type: boolean + proxy_headers: + additionalProperties: + type: string + type: object + proxy_url: + type: string + replace_token: + type: string + staging: + type: string + tags: + items: + type: string + maxItems: 10 + type: array + uri: + format: uri + type: string + required: + - uri + - enrollment_token responses: '200': content: application/json: examples: - policyResponse: - summary: The most recent policy response for an endpoint + postMigrateAgentExample: + description: Agent migration initiated value: - policy_response: - '@timestamp': '2023-07-04T15:48:57.360Z' - agent: - id: ed518850-681a-4d60-bb98-e22640cae2a8 - version: 7.16.0 - Endpoint: - policy: - applied: - 
endpoint_policy_version: '2' - id: d5371dcd-93b7-4627-af88-4084f7d6aa3e - name: My endpoint policy - status: success - version: '3' + actionId: action-id-1 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_SuccessResponse - description: Indicates a successful call. - summary: Get a policy response + additionalProperties: false + type: object + properties: + actionId: + type: string + required: + - actionId + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Migrate a single agent tags: - - Security Endpoint Management API - /api/endpoint/protection_updates_note/{package_policy_id}: - get: - description: Get the protection updates note for a package policy. - operationId: GetProtectionUpdatesNote + - Elastic Agents + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/{agentId}/privilege_level_change: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/{agentId}/privilege_level_change
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Change the privilege level of a single agent to unprivileged.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-agentid-privilege-level-change parameters: - - description: The package policy ID to retrieve the protection updates note for. - in: path - name: package_policy_id + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: + example: 'true' type: string - responses: - '200': - content: - application/json: - examples: - protectionUpdatesNote: - summary: The protection updates note for a package policy - value: - note: >- - Pinned protection updates to 2025-01-01 while validating - new signatures. - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse - description: Indicates a successful call. - summary: Get a protection updates note - tags: - - Security Endpoint Management API - post: - description: Create or update the protection updates note for a package policy. - operationId: CreateUpdateProtectionUpdatesNote - parameters: - - description: >- - The package policy ID to create or update the protection updates - note for. + - description: The agent ID to change privilege level for in: path - name: package_policy_id + name: agentId required: true schema: type: string 
@@ -11485,5255 +28762,5575 @@ paths: content: application/json: examples: - setNote: - summary: Set a new protection updates note + changeAgentPrivilegeLevelRequest: value: - note: >- - Pinned protection updates to 2025-01-01 while validating new - signatures. + user_info: + groupname: groupname + password: password + username: username schema: + additionalProperties: false + nullable: true type: object properties: - note: - description: The note content. - type: string - required: true + user_info: + additionalProperties: false + type: object + properties: + groupname: + type: string + password: + type: string + username: + type: string responses: '200': content: application/json: examples: - noteSaved: - summary: Protection updates note saved + successResponse: value: - note: >- - Pinned protection updates to 2025-01-01 while validating - new signatures. + actionId: actionId schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse - description: Indicates a successful call. - summary: Create or update a protection updates note - tags: - - Security Endpoint Management API - /api/endpoint/scripts_library: - get: - description: Retrieve a list of scripts - operationId: EndpointScriptLibraryListScripts - parameters: - - description: Page number of the results to return. Defaults to 1. - in: query - name: page - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Page' - - description: >- - Number of results to return per page. Defaults to 10. Max value is - 1000. - in: query - name: pageSize - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_ApiPageSize' - - description: The field to sort the results by. Defaults to name. - in: query - name: sortField - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_ApiSortField' - - description: The direction to sort the results by. Defaults to asc (ascending). 
- in: query - name: sortDirection - required: false - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_SortDirection - - description: > - A KQL query string to filter the list of scripts. Nearly all fields - in the script object are searchable. - in: query - name: kuery - required: false - schema: - allOf: - - $ref: '#/components/schemas/Security_Endpoint_Management_API_Kuery' - - example: platform:windows - responses: - '200': + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_action_id_response' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_action_message_response' + description: 'OK: A successful request.' + '400': content: application/json: examples: - response: - summary: List of scripts response example + badRequestResponse: value: - data: [] - page: 1 - pageSize: 10 - sortDirection: asc - sortField: name - total: 100 + message: Bad Request schema: + additionalProperties: false + description: Generic Error type: object properties: - data: - items: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointScript - type: array - page: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Page' - pageSize: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ApiPageSize - sortDirection: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_SortDirection - sortField: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ApiSortField - total: - description: The total number of scripts matching the query - type: integer - description: List of scripts response - summary: Get a list of scripts + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: A bad request. 
+ summary: Change agent privilege level tags: - - Security Endpoint Management API + - Elastic Agents + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/{agentId}/reassign: post: - description: Create a new script entry by uploading a script file - operationId: EndpointScriptLibraryCreateScript + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/{agentId}/reassign
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Reassign an agent to a different agent policy.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-agentid-reassign + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The agent ID + in: path + name: agentId + required: true + schema: + type: string requestBody: content: - multipart/form-data: + application/json: examples: - CreateArchiveScriptEntry: - summary: Create an archive script entry - value: - description: Collects host data for investigation - example: ./collect_host_data.sh --help - file: ./collect_host_data.zip - fileType: archive - instructions: Collects host data for investigation - name: Collect host data - pathToExecutable: ./bin/collect_host_data.sh - platform: - - linux - - macos - requiresInput: false - CreateScriptEntry: - summary: Create a script entry + postReassignAgentRequestExample: + description: Reassign an agent to a different policy value: - description: Collects host data for investigation - example: ./collect_host_data.sh --help - file: ./collect_host_data.sh - fileType: script - instructions: Collects host data for investigation - name: Collect host data - platform: - - linux - - macos - requiresInput: false + policy_id: agent-policy-id-2 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_CreateScriptRouteRequestBody - required: true + additionalProperties: false + type: object + properties: + policy_id: + type: string + required: + - policy_id responses: '200': content: application/json: examples: - CreateScriptEntrySuccess: - summary: Create a script entry - value: - data: - description: Collects host data for investigation - file: ./collect_host_data.sh - fileType: script - id: 1234567890 - instructions: No arguments required - name: Collect host data - platform: - - linux - - macos + postReassignAgentExample: + description: Agent successfully reassigned + value: {} 
schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ScriptsApiResponse - description: Action request was successfully created - summary: Create script - tags: - - Security Endpoint Management API - /api/endpoint/scripts_library/{script_id}: - delete: - description: Delete a script - operationId: EndpointScriptLibraryDeleteScript - parameters: - - description: The ID of the script entry to be deleted. - example: fr518850-681a-4y60-aa98-e22640cae2b8 - in: path - name: script_id - required: true - schema: - description: The ID of the script entry to be deleted. - example: fr518850-681a-4y60-aa98-e22640cae2b8 - type: string - responses: - '200': + additionalProperties: false + type: object + properties: {} + description: Successful response + '400': content: application/json: examples: - response: - summary: Delete script response example. - value: {} + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: + additionalProperties: false + description: Generic Error type: object - description: Delete script response. - summary: Delete a script + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Reassign an agent tags: - - Security Endpoint Management API - get: - description: Get a script - operationId: EndpointScriptLibraryGetOneScript + - Elastic Agent actions + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/{agentId}/remove_collector: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/{agentId}/remove_collector
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Remove a specific OpAMP collector from the Fleet agents list. Marks the collector as unenrolled. This action does not invalidate API keys, so the collector can reconnect on its own.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-agentid-remove-collector parameters: - - description: The ID of the script entry. - example: fr518850-681a-4y60-aa98-e22640cae2b8 + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The collector agent ID in: path - name: script_id + name: agentId required: true schema: - description: The ID of the script entry. - example: fr518850-681a-4y60-aa98-e22640cae2b8 type: string responses: '200': content: application/json: examples: - UpdateScriptEntrySuccess: - summary: Get one script entry success + postRemoveCollectorExample: + description: Collector successfully removed + value: {} + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response value: - data: - description: Collects host data for investigation - file: ./collect_host_data.sh - fileType: script - id: 1234567890 - instructions: No arguments required - name: Collect host data - platform: - - linux - - macos - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ScriptsApiResponse - description: Get script response - summary: Get script + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + description: Bad Request + summary: Remove an OpAMP collector tags: - - Security Endpoint Management API - patch: - description: Update (full or partial) a script entry - operationId: EndpointScriptLibraryPatchUpdateScript + - Elastic Agent actions + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/{agentId}/request_diagnostics: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/{agentId}/request_diagnostics
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Request a diagnostics bundle from a specific agent.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: post-fleet-agents-agentid-request-diagnostics parameters: - - description: The ID of the script entry to be updated. - example: fr518850-681a-4y60-aa98-e22640cae2b8 + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The agent ID in: path - name: script_id + name: agentId required: true schema: - description: The ID of the script entry to be updated. - example: fr518850-681a-4y60-aa98-e22640cae2b8 type: string requestBody: content: - multipart/form-data: + application/json: examples: - PatchUpdateScriptEntry: - summary: Update script entry instructions - value: - instructions: ./collect_host_data.sh --help - PatchUpdateScriptEntryFromArchiveToScript: - summary: Update script entry from an archive to a script - value: - fileType: script - PatchUpdateScriptEntryToArchive: - summary: Update script entry to be an archive + postRequestDiagnosticsRequestExample: + description: Request a diagnostics bundle from an agent value: - fileType: archive - pathToExecutable: ./bin/collect_host_data.sh + additional_metrics: + - CPU schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PatchUpdateScriptRouteRequestBody - required: true + additionalProperties: false + nullable: true + type: object + properties: + additional_metrics: + items: + enum: + - CPU + type: string + maxItems: 1 + type: array responses: '200': content: application/json: examples: - UpdateScriptEntrySuccess: - summary: Update script entry success + postRequestDiagnosticsExample: + description: Diagnostics action result value: - data: - description: Collects host data for investigation - file: ./collect_host_data.sh - fileType: script - id: 1234567890 - instructions: No arguments required - name: Collect host data - platform: - - linux - - macos + actionId: action-id-1 schema: - $ref: >- 
- #/components/schemas/Security_Endpoint_Management_API_ScriptsApiResponse - description: Action request was successfully updated - summary: Update script + additionalProperties: false + type: object + properties: + actionId: + type: string + required: + - actionId + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: Agent agent-id-1 does not support request diagnostics action. + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Request agent diagnostics tags: - - Security Endpoint Management API - /api/endpoint/scripts_library/{script_id}/download: - get: - description: Download a script file - operationId: EndpointScriptLibraryDownloadScript + - Elastic Agent actions + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/{agentId}/rollback: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/{agentId}/rollback
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Rollback an agent to the previous version.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-agentid-rollback parameters: - - description: The ID of the script entry. - example: fr518850-681a-4y60-aa98-e22640cae2b8 + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The agent ID to rollback in: path - name: script_id + name: agentId required: true schema: - description: The ID of the script entry. - example: fr518850-681a-4y60-aa98-e22640cae2b8 type: string responses: '200': content: - application/octet-stream: + application/json: examples: - response: - summary: Download script file response example. - value: null + successResponse: + value: + actionId: actionId schema: - description: A download stream is returned. - format: binary - type: string - description: Download script file response. - summary: Download a script file - tags: - - Security Endpoint Management API - /api/entity_analytics/monitoring/engine/delete: - delete: - description: >- - Deletes the Privilege Monitoring Engine and optionally removes all - associated privileged user data. - operationId: DeleteMonitoringEngine + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_action_id_response' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_action_message_response' + description: 'OK: A successful request.' + '400': + content: + application/json: + examples: + badRequestResponse: + value: + message: Bad Request + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: A bad request. 
+ summary: Rollback an agent + tags: + - Elastic Agent actions + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/{agentId}/unenroll: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/{agentId}/unenroll
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Unenroll a specific agent, optionally revoking its enrollment API key.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-agentid-unenroll parameters: - - description: Whether to delete all the privileged user data - in: query - name: data - required: false + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - default: false - type: boolean + example: 'true' + type: string + - description: The agent ID + in: path + name: agentId + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + postUnenrollAgentRequestExample: + description: Unenroll an agent, optionally revoking the enrollment API key + value: + revoke: false + schema: + additionalProperties: false + nullable: true + type: object + properties: + force: + type: boolean + revoke: + type: boolean responses: '200': content: application/json: examples: - DeleteMonitoringEngineResponse: - summary: Engine deleted successfully - value: - deleted: true - schema: - type: object - properties: - deleted: - type: boolean - required: - - deleted + postUnenrollAgentExample: + description: Agent successfully unenrolled + value: {} description: Successful response - summary: Delete the Privilege Monitoring Engine - tags: - - Security Entity Analytics API - /api/entity_analytics/monitoring/engine/disable: - post: - description: >- - Disables the Privilege Monitoring Engine, stopping all monitoring - activity without removing data. 
- operationId: DisableMonitoringEngine - responses: - '200': + '400': content: application/json: examples: - DisableMonitoringEngineResponse: - summary: Engine disabled successfully + genericErrorResponseExample: + description: Example of a generic error response value: - status: disabled - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_MonitoringEngineDescriptor - description: Successful response - summary: Disable the Privilege Monitoring Engine + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + description: Bad Request + summary: Unenroll an agent tags: - - Security Entity Analytics API - /api/entity_analytics/monitoring/engine/init: + - Elastic Agent actions + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/{agentId}/upgrade: post: - description: >- - Initializes the Privilege Monitoring Engine, setting up the required - resources and starting the engine. - operationId: InitMonitoringEngine + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/{agentId}/upgrade
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Upgrade a specific agent to a newer version.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-agentid-upgrade + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The agent ID + in: path + name: agentId + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + postUpgradeAgentRequestExample: + description: Upgrade an agent to a specific version + value: + version: 8.17.0 + schema: + additionalProperties: false + type: object + properties: + force: + type: boolean + skipRateLimitCheck: + type: boolean + source_uri: + type: string + version: + type: string + required: + - version responses: '200': content: application/json: examples: - InitMonitoringEngineResponse: - summary: Engine initialized successfully - value: - status: started + postUpgradeAgentExample: + description: Agent upgrade initiated + value: {} schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_MonitoringEngineDescriptor + additionalProperties: false + type: object + properties: {} description: Successful response - '500': + '400': content: application/json: examples: - InitMonitoringEngineError: - summary: Internal server error during engine initialization + genericErrorResponseExample: + description: Example of a generic error response value: - error: - message: Failed to initialize monitoring engine - status: error + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_MonitoringEngineDescriptor - description: Internal Server Error - summary: Initialize the Privilege Monitoring Engine + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + 
statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Upgrade an agent tags: - - Security Entity Analytics API - /api/entity_analytics/monitoring/engine/schedule_now: - post: - description: >- - Schedules the Privilege Monitoring Engine to run as soon as possible, - triggering an immediate monitoring cycle. - operationId: ScheduleMonitoringEngine + - Elastic Agent actions + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/{agentId}/uploads: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agents/{agentId}/uploads
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of files uploaded by a specific agent.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agents-agentid-uploads + parameters: + - description: The agent ID + in: path + name: agentId + required: true + schema: + type: string responses: '200': content: application/json: examples: - ScheduleMonitoringEngineResponse: - summary: Engine scheduled successfully + getAgentUploadsExample: + description: List of files uploaded by the agent value: - success: true + items: + - actionId: action-id-1 + createTime: '2024-01-01T00:00:00.000Z' + filePath: /tmp/diagnostics-2024-01-01.zip + id: file-id-1 + name: diagnostics-2024-01-01.zip + status: READY schema: + additionalProperties: false type: object properties: - success: - description: Indicates the scheduling was successful - type: boolean + items: + items: + additionalProperties: false + type: object + properties: + actionId: + type: string + createTime: + type: string + error: + type: string + filePath: + type: string + id: + type: string + name: + type: string + status: + enum: + - READY + - AWAITING_UPLOAD + - DELETED + - EXPIRED + - IN_PROGRESS + - FAILED + type: string + required: + - id + - name + - filePath + - createTime + - status + - actionId + maxItems: 10000 + type: array + required: + - items description: Successful response - '409': + '400': content: application/json: examples: - ScheduleMonitoringEngineConflict: - summary: Engine is already running + genericErrorResponseExample: + description: Example of a generic error response value: - message: Monitoring engine is already running + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: + additionalProperties: false + description: Generic Error type: object properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string message: - description: Error message indicating the engine is already running type: string - description: Conflict - Monitoring engine is already running - 
summary: Schedule the Privilege Monitoring Engine + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get agent uploads tags: - - Security Entity Analytics API - /api/entity_analytics/monitoring/privileges/health: + - Elastic Agents + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/action_status: get: - description: >- - Returns the current health status of the Privilege Monitoring Engine, - including engine status, error details, and user count statistics. - operationId: PrivMonHealth + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agents/action_status
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the current status of recent agent actions.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agents-action-status + parameters: + - description: Page number + in: query + name: page + required: false + schema: + default: 0 + type: number + - description: Number of results per page + in: query + name: perPage + required: false + schema: + default: 20 + type: number + - description: Return actions created before this date + in: query + name: date + required: false + schema: + type: string + - description: Return only the latest N actions + in: query + name: latest + required: false + schema: + type: number + - description: Number of error details to include per action + in: query + name: errorSize + required: false + schema: + default: 5 + type: number responses: '200': content: application/json: examples: - PrivMonHealthResponse: - summary: Healthy privilege monitoring engine + getActionStatusExample: + description: Status of recent agent actions value: - status: started - users: - current_count: 42 - max_allowed: 1000 + items: + - actionId: action-id-1 + completionTime: '2024-01-01T00:05:00.000Z' + creationTime: '2024-01-01T00:00:00.000Z' + nbAgentsAck: 2 + nbAgentsActioned: 2 + nbAgentsFailed: 0 + status: COMPLETE + type: UPGRADE schema: + additionalProperties: false type: object properties: - error: - type: object - properties: - message: - type: string - required: - - status - status: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_PrivilegeMonitoringEngineStatus - users: - description: User statistics for privilege monitoring - type: object - properties: - current_count: - description: Current number of privileged users being monitored - type: integer - max_allowed: - description: >- - Maximum number of privileged users allowed to be - monitored - type: integer - required: - - current_count - - max_allowed + items: + items: + additionalProperties: false + type: object + properties: + actionId: + type: string + cancellationTime: + type: string 
+ completionTime: + type: string + creationTime: + description: creation time of action + type: string + expiration: + type: string + hasRolloutPeriod: + type: boolean + is_automatic: + type: boolean + latestErrors: + items: + additionalProperties: false + description: latest errors that happened when the agents executed the action + type: object + properties: + agentId: + type: string + error: + type: string + hostname: + type: string + timestamp: + type: string + required: + - agentId + - error + - timestamp + maxItems: 10 + type: array + nbAgentsAck: + description: number of agents that acknowledged the action + type: number + nbAgentsActionCreated: + description: number of agents included in action from kibana + type: number + nbAgentsActioned: + description: number of agents actioned + type: number + nbAgentsFailed: + description: number of agents that failed to execute the action + type: number + newPolicyId: + description: new policy id (POLICY_REASSIGN action) + type: string + policyId: + description: policy id (POLICY_CHANGE action) + type: string + revision: + description: new policy revision (POLICY_CHANGE action) + type: number + startTime: + description: start time of action (scheduled actions) + type: string + status: + enum: + - COMPLETE + - EXPIRED + - CANCELLED + - FAILED + - IN_PROGRESS + - ROLLOUT_PASSED + type: string + type: + enum: + - UPGRADE + - UNENROLL + - SETTINGS + - POLICY_REASSIGN + - CANCEL + - FORCE_UNENROLL + - REQUEST_DIAGNOSTICS + - UPDATE_TAGS + - POLICY_CHANGE + - INPUT_ACTION + - MIGRATE + - PRIVILEGE_LEVEL_CHANGE + - ROLLBACK + type: string + version: + description: agent version number (UPGRADE action) + type: string + required: + - actionId + - nbAgentsActionCreated + - nbAgentsAck + - nbAgentsFailed + - type + - nbAgentsActioned + - status + - creationTime + maxItems: 10000 + type: array required: - - status + - items description: Successful response - summary: Health check on Privilege Monitoring - tags: - - Security 
Entity Analytics API - /api/entity_analytics/monitoring/privileges/privileges: - get: - description: >- - Check if the current user has all required permissions for Privilege - Monitoring - operationId: PrivMonPrivileges - responses: - '200': + '400': content: application/json: examples: - PrivMonPrivilegesResponse: - summary: Privileges check response + genericErrorResponseExample: + description: Example of a generic error response value: - has_all_required: true - privileges: - elasticsearch: - index: - .entity_analytics.monitoring.user-default: - read: true + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EntityAnalyticsPrivileges - description: Successful response - summary: Run a privileges check on Privilege Monitoring + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get an agent action status tags: - - Security Entity Analytics API - /api/entity_analytics/monitoring/users: + - Elastic Agent actions + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/actions/{actionId}/cancel: post: - description: >- - Creates a new privileged user to be monitored by the Privilege - Monitoring Engine. - operationId: CreatePrivMonUser + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/actions/{actionId}/cancel
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Cancel a pending action for a specific agent.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-actions-actionid-cancel + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The ID of the action to cancel + in: path + name: actionId + required: true + schema: + type: string requestBody: content: application/json: examples: - CreatePrivMonUserRequest: - summary: Create a monitored user - value: - entity_analytics_monitoring: - labels: - - field: department - source: api - value: IT - user: - name: john.doe - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_UserName' - required: true + postCancelActionRequestExample: + description: Cancel an agent action + value: {} responses: '200': content: application/json: examples: - CreatePrivMonUserResponse: - summary: Created monitored user + postCancelActionExample: + description: Cancellation action created value: - '@timestamp': '2026-01-28T12:00:00.000Z' - entity_analytics_monitoring: - labels: - - field: department - source: api - value: IT - event: - ingested: '2026-01-28T12:00:00.000Z' - id: user-abc-123 - user: - is_privileged: true - name: john.doe + item: + agents: + - agent-id-1 + created_at: '2024-01-01T00:00:00.000Z' + id: cancel-action-id-1 + type: CANCEL schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_MonitoredUserDoc - description: User created successfully - summary: Create a new monitored user + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + ack_data: + nullable: true + agents: + items: + type: string + maxItems: 10000 + type: array + created_at: + type: string + data: + nullable: true + expiration: + type: string + id: + type: string + minimum_execution_duration: + type: number + namespaces: + items: + type: string + maxItems: 100 + type: array + 
rollout_duration_seconds: + type: number + sent_at: + type: string + source_uri: + type: string + start_time: + type: string + total: + type: number + type: + type: string + required: + - id + - type + - data + - created_at + - ack_data + required: + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Cancel an agent action tags: - - Security Entity Analytics API - /api/entity_analytics/monitoring/users/_csv: - post: - description: >- - Bulk upserts privileged users by uploading a CSV file. Returns per-row - errors and aggregate upload statistics. - operationId: PrivmonBulkUploadUsersCSV - requestBody: - content: - multipart/form-data: - examples: - PrivmonBulkUploadUsersCSVRequest: - summary: CSV file with privileged users - value: - file: | - username,is_privileged - john.doe,true - jane.smith,true - schema: - type: object - properties: - file: - description: The CSV file to upload. - format: binary - type: string - required: - - file + - Elastic Agent actions + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/available_versions: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agents/available_versions
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of Elastic Agent versions available for upgrade.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agents-available-versions + parameters: [] responses: '200': content: application/json: examples: - PrivmonBulkUploadUsersCSVResponse: - summary: Bulk upload response with mixed results + getAvailableVersionsExample: + description: List of available agent versions for upgrade value: - errors: - - index: 1 - message: Invalid monitored field - username: john.doe - stats: - failedOperations: 1 - successfulOperations: 1 - totalOperations: 2 - uploaded: 2 + items: + - 8.17.0 + - 8.16.3 + - 8.16.2 schema: + additionalProperties: false type: object properties: - errors: + items: items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_PrivmonUserCsvUploadErrorItem + type: string + maxItems: 10000 type: array - stats: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_PrivmonUserCsvUploadStats required: - - errors - - stats - description: Bulk upload successful - '413': - description: File too large - summary: Upsert multiple monitored users via CSV upload - tags: - - Security Entity Analytics API - /api/entity_analytics/monitoring/users/{id}: - delete: - description: Removes a privileged user from monitoring by their document ID. 
- operationId: DeletePrivMonUser - parameters: - - description: The document ID of the monitored user to delete - in: path - name: id - required: true - schema: - type: string - responses: - '200': + - items + description: Successful response + '400': content: application/json: examples: - DeletePrivMonUserResponse: - summary: User deleted successfully + genericErrorResponseExample: + description: Example of a generic error response value: - acknowledged: true - message: User deleted successfully + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: + additionalProperties: false + description: Generic Error type: object properties: - acknowledged: - description: Indicates if the deletion was successful - type: boolean + attributes: + nullable: true + error: + type: string + errorType: + type: string message: - description: >- - A message providing additional information about the - deletion status type: string + statusCode: + type: number required: - - success - description: User deleted successfully - summary: Delete a monitored user + - message + - attributes + description: Bad Request + summary: Get available agent versions tags: - - Security Entity Analytics API - put: - description: >- - Updates the details of an existing monitored privileged user by their - document ID. - operationId: UpdatePrivMonUser + - Elastic Agents + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/bulk_migrate: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/bulk_migrate
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Bulk migrate agents to another cluster.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-bulk-migrate parameters: - - description: The document ID of the monitored user to update - in: path - name: id + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: + example: 'true' type: string requestBody: content: application/json: examples: - UpdatePrivMonUserRequest: - summary: Update a monitored user + postBulkMigrateAgentsRequestExample: + description: Migrate multiple agents to another cluster value: - entity_analytics_monitoring: - labels: - - field: department - source: api - value: Security - user: - is_privileged: true - name: john.doe + agents: + - agent-id-1 + - agent-id-2 + enrollment_token: enrollment-token-value + settings: + retry_max: 5 + uri: https://fleet-server.example.com:8220 schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_MonitoredUserUpdateDoc - required: true - responses: - '200': - content: - application/json: - examples: - UpdatePrivMonUserResponse: - summary: Updated monitored user - value: - '@timestamp': '2026-01-28T12:00:00.000Z' - entity_analytics_monitoring: - labels: - - field: department - source: api - value: Security - event: - ingested: '2026-01-28T12:00:00.000Z' - id: user-abc-123 - user: - is_privileged: true - name: john.doe - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_MonitoredUserDoc - description: User updated successfully - summary: Update a monitored user - tags: - - Security Entity Analytics API - /api/entity_analytics/monitoring/users/list: - get: - description: >- - Returns a list of all privileged users currently being monitored. - Supports optional KQL filtering. 
- operationId: ListPrivMonUsers - parameters: - - description: KQL query to filter the list of monitored users - in: query - name: kql - required: false - schema: - type: string - responses: - '200': - content: - application/json: - examples: - ListPrivMonUsersResponse: - summary: List of monitored users - value: - - '@timestamp': '2026-01-28T12:00:00.000Z' - entity_analytics_monitoring: - labels: - - field: department - source: api - value: IT - event: - ingested: '2026-01-28T12:00:00.000Z' - id: user-abc-123 - user: - is_privileged: true - name: john.doe - - '@timestamp': '2026-01-15T09:00:00.000Z' - entity_analytics_monitoring: - labels: - - field: department - source: csv - value: Security - event: - ingested: '2026-01-15T09:00:00.000Z' - id: user-def-456 - user: - is_privileged: true - name: jane.smith - schema: - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_MonitoredUserDoc - type: array - description: List of monitored users - summary: List all monitored users - tags: - - Security Entity Analytics API - /api/entity_analytics/privileged_user_monitoring/pad/install: - post: - description: >- - Installs the privileged access detection integration package and sets up - the associated ML modules required for the Entity Analytics privileged - user monitoring experience. 
- operationId: InstallPrivilegedAccessDetectionPackage + additionalProperties: false + type: object + properties: + agents: + anyOf: + - items: + type: string + maxItems: 10000 + type: array + - type: string + batchSize: + type: number + enrollment_token: + type: string + settings: + additionalProperties: false + type: object + properties: + ca_sha256: + type: string + certificate_authorities: + type: string + elastic_agent_cert: + type: string + elastic_agent_cert_key: + type: string + elastic_agent_cert_key_passphrase: + type: string + headers: + additionalProperties: + type: string + type: object + insecure: + type: boolean + proxy_disabled: + type: boolean + proxy_headers: + additionalProperties: + type: string + type: object + proxy_url: + type: string + staging: + type: string + tags: + items: + type: string + maxItems: 10 + type: array + uri: + format: uri + type: string + required: + - agents + - uri + - enrollment_token responses: '200': content: application/json: examples: - InstallPrivilegedAccessDetectionPackageResponse: - summary: Package installed successfully + postBulkMigrateAgentsExample: + description: Bulk agent migration initiated value: - message: Privileged access detection package installed successfully + actionId: action-id-1 schema: + additionalProperties: false type: object properties: - message: + actionId: type: string required: - - message + - actionId description: Successful response - summary: >- - Installs the privileged access detection package for the Entity - Analytics privileged user monitoring experience - tags: - - Security Entity Analytics API - /api/entity_analytics/privileged_user_monitoring/pad/status: - get: - description: >- - Returns the installation and ML module setup status of the privileged - access detection package, along with the state of each associated ML - job. 
- operationId: GetPrivilegedAccessDetectionPackageStatus - responses: - '200': + '400': content: application/json: examples: - GetPrivilegedAccessDetectionPackageStatusResponse: - summary: Package fully installed and running + genericErrorResponseExample: + description: Example of a generic error response value: - jobs: - - description: Detects high-risk login patterns - job_id: pad-high-risk-login - state: opened - - description: Detects privilege escalation events - job_id: pad-privilege-escalation - state: opened - ml_module_setup_status: complete - package_installation_status: complete + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: + additionalProperties: false + description: Generic Error type: object properties: - jobs: - items: - type: object - properties: - description: - type: string - job_id: - type: string - state: - enum: - - closing - - closed - - opened - - failed - - opening - type: string - required: - - job_id - - state - type: array - ml_module_setup_status: - enum: - - complete - - incomplete + attributes: + nullable: true + error: type: string - package_installation_status: - enum: - - complete - - incomplete + errorType: + type: string + message: type: string + statusCode: + type: number required: - - package_installation_status - - ml_module_setup_status - - jobs - description: Privileged access detection status retrieved - summary: >- - Gets the status of the privileged access detection package for the - Entity Analytics privileged user monitoring experience + - message + - attributes + description: Bad Request + summary: Migrate multiple agents tags: - - Security Entity Analytics API - /api/entity_analytics/watchlists: + - Elastic Agents + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/bulk_privilege_level_change: post: - description: >- - Creates a new entity analytics watchlist with an optional set of entity - sources. 
Watchlists apply a risk score modifier to matched entities. - operationId: CreateWatchlist + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/bulk_privilege_level_change
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Change multiple agents' privilege level to unprivileged.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-bulk-privilege-level-change + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: - content: - application/json: - examples: - CreateWatchlistRequest: - summary: Create watchlist request - value: - description: High risk vendor watchlist - managed: false - name: High Risk Vendors - riskModifier: 1.5 - CreateWatchlistWithSourcesRequest: - summary: Create watchlist with entity sources + content: + application/json: + examples: + bulkChangeAgentPrivilegeLevelRequest: value: - description: High risk vendor watchlist - entitySources: - - enabled: true - identifierField: user.name - indexPattern: my-sync-index - name: My User Index Source - type: index - managed: false - name: High Risk Vendors - riskModifier: 1.5 + agents: agent + user_info: + groupname: groupname + password: password + username: username schema: + additionalProperties: false type: object properties: - description: - description: Description of the watchlist - type: string - entitySources: - description: Optional entity sources to create and link to the watchlist - items: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - filter: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_Filter - identifierField: - description: >- - Field used to query the entity store for index-type - sources - type: string - indexPattern: - type: string - integrationName: - description: >- - Required when type is entity_analytics_integration. - One of entityanalytics_okta, entityanalytics_ad. 
- type: string - matchers: - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_Matcher - type: array - name: - type: string - queryRule: - description: >- - KQL query used to filter data from the provided index - patterns + agents: + anyOf: + - items: type: string - range: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_DateRange - type: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EntitySourceType - required: - - type - - name - type: array - managed: - description: Indicates if the watchlist is managed by the system - type: boolean - name: - description: Unique name for the watchlist - type: string - riskModifier: - description: Risk score modifier associated with the watchlist - maximum: 2 - minimum: 0 + maxItems: 10000 + type: array + - type: string + batchSize: type: number + user_info: + additionalProperties: false + type: object + properties: + groupname: + type: string + password: + type: string + username: + type: string required: - - name - - riskModifier - required: true + - agents responses: '200': content: application/json: examples: - CreateWatchlistResponse: - summary: Created watchlist + successResponse: value: - createdAt: '2026-01-28T12:00:00.000Z' - description: High risk vendor watchlist - id: watchlist-123 - managed: false - name: High Risk Vendors - riskModifier: 1.5 - updatedAt: '2026-01-28T12:00:00.000Z' + actionId: actionId schema: - allOf: - - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_WatchlistObject - - type: object - properties: - entitySources: - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_MonitoringEntitySource - type: array - description: Watchlist created successfully - summary: Create a new watchlist - tags: - - Security Entity Analytics API - x-state: Technical Preview - /api/entity_analytics/watchlists/{id}: - get: - description: >- - Retrieves the details of an entity analytics watchlist by its unique - identifier. 
- operationId: GetWatchlist - parameters: - - description: Unique ID of the watchlist - in: path - name: id - required: true - schema: - type: string - responses: - '200': + additionalProperties: false + type: object + properties: + actionId: + type: string + required: + - actionId + description: 'OK: A successful request.' + '400': content: application/json: examples: - GetWatchlistResponse: - summary: Watchlist details + badRequestResponse: value: - createdAt: '2026-01-28T12:00:00.000Z' - description: High risk vendor watchlist - id: watchlist-123 - managed: false - name: High Risk Vendors - riskModifier: 1.5 - updatedAt: '2026-02-18T12:00:00.000Z' + message: Bad Request schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_WatchlistObject - description: Watchlist details - summary: Get a watchlist by ID + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: A bad request. + summary: Bulk change agent privilege level tags: - - Security Entity Analytics API - x-state: Technical Preview - put: - description: >- - Updates the name, description, risk modifier, or managed status of an - existing entity analytics watchlist. - operationId: UpdateWatchlist + - Elastic Agents + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/bulk_reassign: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/bulk_reassign
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Reassign multiple agents to a different agent policy.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-bulk-reassign parameters: - - description: The ID of the watchlist to update - in: path - name: id + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: + example: 'true' type: string requestBody: content: application/json: examples: - UpdateWatchlistRequest: - summary: Update watchlist request + postBulkReassignAgentsRequestExample: + description: Reassign multiple agents to a different policy value: - description: High risk vendor watchlist - managed: false - name: High Risk Vendors - riskModifier: 1.5 + agents: + - agent-id-1 + - agent-id-2 + policy_id: agent-policy-id-2 schema: + additionalProperties: false type: object properties: - description: - description: Description of the watchlist - type: string - managed: - description: Indicates if the watchlist is managed by the system + agents: + anyOf: + - items: + type: string + maxItems: 10000 + type: array + - type: string + batchSize: + type: number + includeInactive: + default: false type: boolean - name: - description: Unique name of the watchlist + policy_id: type: string - riskModifier: - description: Risk score modifier associated with the watchlist - maximum: 2 - minimum: 0 - type: number required: - - name - - riskModifier - required: true + - policy_id + - agents responses: '200': content: application/json: examples: - UpdateWatchlistResponse: - summary: Updated watchlist + postBulkReassignAgentsExample: + description: Bulk reassign action result value: - createdAt: '2026-01-28T12:00:00.000Z' - description: High risk vendor watchlist - id: watchlist-123 - managed: false - name: High Risk Vendors - riskModifier: 1.5 - updatedAt: '2026-02-18T12:00:00.000Z' + actionId: action-id-1 schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_WatchlistObject - description: Watchlist updated successfully - summary: Update an 
existing watchlist + additionalProperties: false + type: object + properties: + actionId: + type: string + required: + - actionId + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Bulk reassign agents tags: - - Security Entity Analytics API - x-state: Technical Preview - /api/entity_analytics/watchlists/{watchlist_id}/csv_upload: + - Elastic Agent actions + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/bulk_remove_collectors: post: - description: > - Uploads a CSV file to add entities to a watchlist. The CSV must contain - a header row - - with a "type" column (user, host, service, or generic) and one or more - ECS identity - - fields (e.g. "user.name", "host.hostname") used to match entities in the - entity store. - + description: |- + **Spaces method and path for this operation:** - Matched entities are added to the watchlist and their - `entity.attributes.watchlists` - - field is updated in the entity store. +
post /s/{space_id}/api/fleet/agents/bulk_remove_collectors
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Each row will match up to 10,000 entities. - operationId: UploadWatchlistCsv + Remove multiple OpAMP collectors from the Fleet agents list. Marks the collectors as unenrolled. This action does not invalidate API keys, so collectors can reconnect on their own.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-bulk-remove-collectors parameters: - - description: The ID of the watchlist to add entities to - example: high-risk-vendors - in: path - name: watchlist_id + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: + example: 'true' type: string requestBody: content: - multipart/form-data: + application/json: examples: - csvUpload: - summary: CSV file with user entities + postBulkRemoveCollectorsRequestExample: + description: Remove multiple OpAMP collectors value: - file: | - type,user.name - user,john.doe - user,jane.smith + agents: + - collector-id-1 + - collector-id-2 schema: + additionalProperties: false type: object properties: - file: - description: The CSV file to upload. - format: binary - type: string + agents: + anyOf: + - items: + description: List of collector agent IDs + type: string + maxItems: 10000 + type: array + - description: KQL query string. 
Leave empty to target all collectors + type: string + includeInactive: + description: When passing collectors by KQL query, also removes inactive collectors + type: boolean required: - - file - required: true + - agents responses: '200': content: application/json: examples: - CsvUploadResponse: - summary: CSV upload response with mixed results + postBulkRemoveCollectorsExample: + description: Bulk remove collectors action result value: - failed: 1 - items: - - matchedEntities: 1 - status: success - - error: Invalid entity type - matchedEntities: 0 - status: failure - - matchedEntities: 0 - status: unmatched - successful: 1 - total: 3 - unmatched: 1 + actionId: action-id-1 schema: + additionalProperties: false type: object properties: - failed: - description: Number of rows that failed to process - example: 1 - type: integer - items: - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_WatchlistCsvUploadResponseItem - type: array - successful: - description: Number of rows that matched at least one entity - example: 1 - type: integer - total: - description: Total number of rows processed - example: 3 - type: integer - unmatched: - description: Number of rows that matched no entities - example: 1 - type: integer + actionId: + type: string required: - - successful - - failed - - total - - unmatched - - items - description: Upload successful - '413': - description: File too large - summary: Upload a CSV file to add entities to a watchlist + - actionId + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number 
+ required: + - message + - attributes + description: Bad Request + summary: Bulk remove OpAMP collectors tags: - - Security Entity Analytics API - x-state: Technical Preview - /api/entity_analytics/watchlists/{watchlist_id}/entities/assign: + - Elastic Agent actions + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/bulk_request_diagnostics: post: - description: > - Assigns the provided entities to the specified watchlist using a - "manual" source label. - - The entities must already exist in the entity store. + description: |- + **Spaces method and path for this operation:** +
post /s/{space_id}/api/fleet/agents/bulk_request_diagnostics
- If an entity is already on the watchlist, no new document is created — - the "manual" label + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - is added to its existing source labels instead. - operationId: AssignWatchlistEntities + Request diagnostics bundles from multiple agents.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: post-fleet-agents-bulk-request-diagnostics parameters: - - description: The ID of the watchlist to add entities to - example: high-risk-vendors - in: path - name: watchlist_id + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: + example: 'true' type: string requestBody: content: application/json: examples: - assignEntities: - summary: Assign two entities to a watchlist + postBulkRequestDiagnosticsRequestExample: + description: Request diagnostics bundles from multiple agents value: - euids: - - user:john.doe - - host:web-01 + additional_metrics: + - CPU + agents: + - agent-id-1 + - agent-id-2 schema: + additionalProperties: false type: object properties: - euids: - description: The EUIDs of the entities to assign - example: - - user:john.doe - - host:web-01 + additional_metrics: items: + enum: + - CPU type: string + maxItems: 1 type: array + agents: + anyOf: + - items: + type: string + maxItems: 10000 + type: array + - type: string + batchSize: + type: number required: - - euids - required: true + - agents responses: '200': content: application/json: examples: - assignEntitiesResponse: - summary: Successful assignment of two entities + postBulkRequestDiagnosticsExample: + description: Bulk diagnostics action result value: - failed: 0 - items: - - euid: user:john.doe - status: success - - euid: host:web-01 - status: not_found - not_found: 1 - successful: 1 - total: 2 + actionId: action-id-1 schema: + additionalProperties: false type: object properties: - failed: - description: Number of entities that failed to process - example: 0 - type: integer - items: - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_WatchlistEntityAssignResponseItem - type: array - not_found: - description: Number of entities not found in the entity store - example: 1 - type: integer - successful: - description: Number 
of entities successfully assigned - example: 1 - type: integer - total: - description: Total number of entities processed - example: 2 - type: integer + actionId: + type: string + required: + - actionId + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number required: - - successful - - failed - - not_found - - total - - items - description: Assignment successful - summary: Manually assign entities to a watchlist + - message + - attributes + description: Bad Request + summary: Bulk request diagnostics from agents tags: - - Security Entity Analytics API - x-state: Technical Preview; added in 9.4.0 - /api/entity_analytics/watchlists/{watchlist_id}/entities/unassign: + - Elastic Agent actions + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/bulk_rollback: post: - description: | - Unassigns the provided entities from the specified watchlist. - This only removes the "manual" assignment. If the entity is also - assigned via other sources (for example, index or integration), it will - remain on the watchlist. - operationId: UnassignWatchlistEntities + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/bulk_rollback
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Rollback multiple agents to the previous version.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-bulk-rollback parameters: - - description: The ID of the watchlist to remove entities from - example: high-risk-vendors - in: path - name: watchlist_id + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: + example: 'true' type: string requestBody: content: application/json: examples: - unassignEntities: - summary: Unassign two entities from a watchlist + bulkRollbackAgentsRequest: value: - euids: - - user:john.doe - - host:web-01 + agents: + - agent-1 + - agent-2 + batchSize: 100 + includeInactive: false schema: + additionalProperties: false type: object properties: - euids: - description: The EUIDs of the entities to unassign - example: - - user:john.doe - - host:web-01 - items: - type: string - type: array + agents: + anyOf: + - items: + type: string + maxItems: 10000 + type: array + - type: string + batchSize: + type: number + includeInactive: + default: false + type: boolean required: - - euids - required: true + - agents responses: '200': content: application/json: examples: - unassignEntitiesResponse: - summary: Successful unassignment of two entities + successResponse: value: - failed: 0 - items: - - euid: user:john.doe - status: success - - euid: host:web-01 - status: not_found - not_found: 1 - successful: 1 - total: 2 + actionIds: + - actionId1 + - actionId2 schema: + additionalProperties: false type: object properties: - failed: - description: Number of entities that failed to process - example: 0 - type: integer - items: + actionIds: items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_WatchlistEntityUnassignResponseItem + type: string + maxItems: 10000 type: array - not_found: - description: >- - Number of entities not found in the manual watchlist - assignment - example: 1 - type: integer - successful: - description: Number of entities successfully unassigned - 
example: 1 - type: integer - total: - description: Total number of entities processed - example: 2 - type: integer required: - - successful - - failed - - not_found - - total - - items - description: Unassignment successful - summary: Manually unassign entities from a watchlist - tags: - - Security Entity Analytics API - x-state: Technical Preview; added in 9.4.0 - /api/entity_analytics/watchlists/list: - get: - description: Returns a list of all entity analytics watchlists. - operationId: ListWatchlists - responses: - '200': + - actionIds + description: 'OK: A successful request.' + '400': content: application/json: examples: - ListWatchlistsResponse: - summary: List of watchlists + badRequestResponse: value: - - createdAt: '2026-01-28T12:00:00.000Z' - description: High risk vendor watchlist - id: watchlist-123 - managed: false - name: High Risk Vendors - riskModifier: 1.5 - updatedAt: '2026-02-18T12:00:00.000Z' - - createdAt: '2026-01-10T09:30:00.000Z' - description: Privileged user monitoring watchlist - id: watchlist-456 - managed: true - name: Privileged Accounts - riskModifier: 2 - updatedAt: '2026-02-01T15:45:00.000Z' + message: Bad Request schema: - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_WatchlistObject - type: array - description: List of watchlists - summary: List all watchlists + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: A bad request. 
+ summary: Bulk rollback agents tags: - - Security Entity Analytics API - x-state: Technical Preview - /api/entity_store/enable: + - Elastic Agent actions + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/bulk_unenroll: post: - description: >- - Initialize the entire Entity Store, creating engines for all or - specified entity types. - operationId: InitEntityStore + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/bulk_unenroll
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Unenroll multiple agents, optionally revoking their enrollment API keys.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-bulk-unenroll + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: + examples: + postBulkUnenrollAgentsRequestExample: + description: Unenroll multiple agents + value: + agents: + - agent-id-1 + - agent-id-2 + revoke: false schema: + additionalProperties: false type: object properties: - delay: - default: 1m - description: The delay before the transform will run. - pattern: '[smdh]$' - type: string - docsPerSecond: - default: -1 - description: The number of documents per second to process. - type: integer - enrichPolicyExecutionInterval: - $ref: '#/components/schemas/Security_Entity_Analytics_API_Interval' - entityTypes: - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EntityType - type: array - fieldHistoryLength: - default: 10 - description: The number of historical values to keep for each field. - type: integer - filter: - type: string - frequency: - default: 1m - description: The frequency at which the transform will run. - pattern: '[smdh]$' - type: string - indexPattern: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_IndexPattern - lookbackPeriod: - default: 3h - description: >- - The amount of time the transform looks back to calculate the - aggregations. - pattern: '[smdh]$' - type: string - maxPageSearchSize: - default: 500 - description: >- - The initial page size to use for the composite aggregation - of each checkpoint. - type: integer - timeout: - default: 180s - description: The timeout for initializing the aggregating transform. - pattern: '[smdh]$' - type: string - timestampField: - default: '@timestamp' - description: The field to use as the timestamp. - type: string - description: Configuration for the entity store initialization. 
- required: true + agents: + anyOf: + - items: + description: list of agent IDs + type: string + maxItems: 10000 + type: array + - description: KQL query string, leave empty to action all agents + type: string + batchSize: + type: number + force: + description: Unenrolls hosted agents too + type: boolean + includeInactive: + description: When passing agents by KQL query, unenrolls inactive agents too + type: boolean + revoke: + description: Revokes API keys of agents + type: boolean + required: + - agents responses: '200': content: application/json: examples: - initEntityStoreExample: - description: >- - The Entity Store was successfully initialized, creating host - and user engines in the installing state. - summary: Entity Store initialized with host and user engines + postBulkUnenrollAgentsExample: + description: Bulk unenroll action result value: - engines: - - delay: 1m - fieldHistoryLength: 10 - frequency: 1m - indexPattern: '' - lookbackPeriod: 24h - status: installing - timeout: 180s - timestampField: '@timestamp' - type: host - - delay: 1m - fieldHistoryLength: 10 - frequency: 1m - indexPattern: '' - lookbackPeriod: 24h - status: installing - timeout: 180s - timestampField: '@timestamp' - type: user - succeeded: true + actionId: action-id-1 schema: + additionalProperties: false type: object properties: - engines: - description: The engine descriptors created during initialization. - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EngineDescriptor - type: array - succeeded: - description: Whether the Entity Store was initialized successfully. 
- type: boolean + actionId: + type: string + required: + - actionId description: Successful response '400': - description: Invalid request - summary: Initialize the Entity Store - tags: - - Security Entity Analytics API - /api/entity_store/engines: - delete: - operationId: DeleteEntityEngines - parameters: - - description: >- - The entity type of the engine ('user', 'host', 'service', - 'generic'). - examples: - hostAndService: - value: host,service - in: query - name: entityTypes - required: false - schema: - description: >- - Array of engine types to delete. Empty by default, which results - in all the engines being deleted. - items: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - type: array - - description: Control flag to also delete the entity data. - in: query - name: delete_data - required: false - schema: - type: boolean - responses: - '200': - content: - application/json: - examples: - deleteEntityEnginesExample: - description: Example response after deleting 'host' engine - value: - deleted: - - host - still_running: - - generic - - user - - service - schema: - type: object - properties: - deleted: - description: Entity types whose engines were successfully deleted. - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EntityType - type: array - still_running: - description: Entity types whose engines are still running. - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EntityType - type: array - description: Successful response - summary: Delete Entity Engines - tags: - - Security Entity Analytics API - get: - description: Get a list of all installed entity engines and their current status. - operationId: ListEntityEngines - responses: - '200': content: application/json: examples: - listEntityEnginesExample: - description: >- - Returns a list with one running host engine and one stopped - user engine. 
- summary: Two engines installed + genericErrorResponseExample: + description: Example of a generic error response value: - count: 2 - engines: - - delay: 1m - fieldHistoryLength: 10 - frequency: 1m - indexPattern: '' - lookbackPeriod: 24h - status: started - timeout: 180s - timestampField: '@timestamp' - type: host - - delay: 1m - fieldHistoryLength: 10 - frequency: 1m - indexPattern: '' - lookbackPeriod: 24h - status: stopped - timeout: 180s - timestampField: '@timestamp' - type: user + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: + additionalProperties: false + description: Generic Error type: object properties: - count: - description: The total number of entity engines. - type: integer - engines: - description: An array of engine descriptors. - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EngineDescriptor - type: array - description: Successful response - summary: List the Entity Engines + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Bulk unenroll agents tags: - - Security Entity Analytics API - /api/entity_store/engines/{entityType}: - delete: - operationId: DeleteEntityEngine + - Elastic Agent actions + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/bulk_update_agent_tags: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/bulk_update_agent_tags
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Add or remove tags across multiple agents.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-bulk-update-agent-tags parameters: - - description: The entity type of the engine (either 'user' or 'host'). - examples: - host: - value: host - in: path - name: entityType + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - - description: Control flag to also delete the entity data. - in: query - name: delete_data - required: false - schema: - type: boolean - - deprecated: true - description: Control flag to also delete the entity data. - in: query - name: data - required: false - schema: - type: boolean + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + postBulkUpdateAgentTagsRequestExample: + description: Add and remove tags across multiple agents + value: + agents: + - agent-id-1 + - agent-id-2 + tagsToAdd: + - production + tagsToRemove: + - staging + schema: + additionalProperties: false + type: object + properties: + agents: + anyOf: + - items: + type: string + maxItems: 10000 + type: array + - type: string + batchSize: + type: number + includeInactive: + default: false + type: boolean + tagsToAdd: + items: + type: string + maxItems: 10 + type: array + tagsToRemove: + items: + type: string + maxItems: 10 + type: array + required: + - agents responses: '200': content: application/json: examples: - deleteEntityEngineExample: - description: Example response after deleting 'host' engine + postBulkUpdateAgentTagsExample: + description: Bulk action result value: - deleted: true - schema: - type: object - properties: - deleted: - description: Whether the engine was successfully deleted. 
- type: boolean - description: Successful response - summary: Delete the Entity Engine - tags: - - Security Entity Analytics API - get: - description: >- - Get the engine descriptor for a specific entity type, including its - configuration and current status. - operationId: GetEntityEngine - parameters: - - description: The entity type of the engine. - example: host - in: path - name: entityType - required: true - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - responses: - '200': + actionId: action-id-1 + schema: + additionalProperties: false + type: object + properties: + actionId: + type: string + required: + - actionId + description: Successful response + '400': content: application/json: examples: - getEntityEngineExample: - description: >- - Returns the engine descriptor for a host engine that is - currently running with default settings. - summary: A running host engine + genericErrorResponseExample: + description: Example of a generic error response value: - delay: 1m - fieldHistoryLength: 10 - frequency: 1m - indexPattern: '' - lookbackPeriod: 24h - status: started - timeout: 180s - timestampField: '@timestamp' - type: host + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EngineDescriptor - description: Successful response - summary: Get an Entity Engine + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Bulk update agent tags tags: - - Security Entity Analytics API - /api/entity_store/engines/{entityType}/init: + - Elastic Agent actions + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/bulk_upgrade: post: - 
description: Initialize a single entity engine for the specified entity type. - operationId: InitEntityEngine + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/bulk_upgrade
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Upgrade multiple agents to a newer version, with optional rollout controls.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-bulk-upgrade parameters: - - description: The entity type of the engine. - in: path - name: entityType + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + example: 'true' + type: string requestBody: content: application/json: + examples: + postBulkUpgradeAgentsRequestExample: + description: Upgrade multiple agents to a specific version + value: + agents: + - agent-id-1 + - agent-id-2 + rollout_duration_seconds: 3600 + version: 8.17.0 schema: + additionalProperties: false type: object properties: - delay: - default: 1m - description: The delay before the transform will run. - pattern: '[smdh]$' - type: string - docsPerSecond: - default: -1 - description: The number of documents per second to process. - type: integer - enrichPolicyExecutionInterval: - $ref: '#/components/schemas/Security_Entity_Analytics_API_Interval' - fieldHistoryLength: - default: 10 - description: The number of historical values to keep for each field. - type: integer - filter: - type: string - frequency: - default: 1m - description: The frequency at which the transform will run. - pattern: '[smdh]$' - type: string - indexPattern: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_IndexPattern - lookbackPeriod: - default: 3h - description: >- - The amount of time the transform looks back to calculate the - aggregations. 
- pattern: '[smdh]$' + agents: + anyOf: + - items: + type: string + maxItems: 10000 + type: array + - type: string + batchSize: + type: number + force: + type: boolean + includeInactive: + default: false + type: boolean + rollout_duration_seconds: + minimum: 600 + type: number + skipRateLimitCheck: + type: boolean + source_uri: type: string - maxPageSearchSize: - default: 500 - description: >- - The initial page size to use for the composite aggregation - of each checkpoint. - type: integer - timeout: - default: 180s - description: The timeout for initializing the aggregating transform. - pattern: '[smdh]$' + start_time: type: string - timestampField: - default: '@timestamp' - description: The field to use as the timestamp for the entity type. + version: type: string - description: Schema for the engine initialization - required: true + required: + - agents + - version responses: '200': content: application/json: examples: - initEntityEngineExample: - description: >- - A host engine was successfully initialized and is now in the - installing state. - summary: Host engine initialized + postBulkUpgradeAgentsExample: + description: Bulk upgrade action result value: - delay: 1m - fieldHistoryLength: 10 - frequency: 1m - indexPattern: '' - lookbackPeriod: 3h - status: installing - timeout: 180s - timestampField: '@timestamp' - type: host + actionId: action-id-1 schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EngineDescriptor + additionalProperties: false + type: object + properties: + actionId: + type: string + required: + - actionId description: Successful response '400': - description: Invalid request - summary: Initialize an Entity Engine - tags: - - Security Entity Analytics API - /api/entity_store/engines/{entityType}/start: - post: - description: >- - Start a previously stopped entity engine, resuming transform processing - for the given entity type. 
- operationId: StartEntityEngine - parameters: - - description: The entity type of the engine to start. - example: host - in: path - name: entityType - required: true - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - responses: - '200': content: application/json: examples: - startEntityEngineExample: - description: >- - The engine was successfully started and is now processing - data. - summary: Engine started successfully + genericErrorResponseExample: + description: Example of a generic error response value: - started: true + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: + additionalProperties: false + description: Generic Error type: object properties: - started: - description: Whether the engine was successfully started. - type: boolean - description: Successful response - summary: Start an Entity Engine + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Bulk upgrade agents tags: - - Security Entity Analytics API - /api/entity_store/engines/{entityType}/stop: - post: - description: >- - Stop a running entity engine, pausing transform processing for the given - entity type. - operationId: StopEntityEngine + - Elastic Agent actions + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/files/{fileId}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/agents/files/{fileId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a file uploaded by an agent.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: delete-fleet-agents-files-fileid parameters: - - description: The entity type of the engine to stop. - example: host + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The ID of the uploaded file in: path - name: entityType + name: fileId required: true schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + type: string responses: '200': content: application/json: examples: - stopEntityEngineExample: - description: >- - The engine was successfully stopped and is no longer - processing data. - summary: Engine stopped successfully + deleteAgentUploadFileExample: + description: Uploaded file successfully deleted value: - stopped: true + deleted: true + id: file-id-1 schema: + additionalProperties: false type: object properties: - stopped: - description: Whether the engine was successfully stopped. + deleted: type: boolean + id: + type: string + required: + - id + - deleted description: Successful response - summary: Stop an Entity Engine - tags: - - Security Entity Analytics API - /api/entity_store/engines/apply_dataview_indices: - post: - description: >- - Synchronize data view index patterns to all running entity engines so - that newly added indices are picked up by the transforms. - operationId: ApplyEntityEngineDataviewIndices - responses: - '200': + '400': content: application/json: examples: - applyDataviewIndicesExample: - description: >- - All running engines were successfully updated with the - current data view index patterns. 
- summary: All engines updated + genericErrorResponseExample: + description: Example of a generic error response value: - result: - - changes: - indexPatterns: - - logs-* - - filebeat-* - - auditbeat-* - type: host - - changes: - indexPatterns: - - logs-* - - filebeat-* - - auditbeat-* - type: user - success: true + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: + additionalProperties: false + description: Generic Error type: object properties: - result: - description: Per-engine update results. - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EngineDataviewUpdateResult - type: array - success: - description: Whether all engines updated successfully. - type: boolean - description: Successful response - '207': + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Delete an uploaded file + tags: + - Elastic Agents + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/files/{fileId}/{fileName}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agents/files/{fileId}/{fileName}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a file uploaded by an agent.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agents-files-fileid-filename + parameters: + - description: The ID of the uploaded file + in: path + name: fileId + required: true + schema: + type: string + - description: The name of the uploaded file + in: path + name: fileName + required: true + schema: + type: string + responses: + '200': content: application/json: examples: - partialSuccessExample: - description: >- - The host engine was updated but the user engine failed due - to insufficient privileges. - summary: One engine failed - value: - errors: - - 'Failed to update user engine: insufficient privileges' - result: - - changes: - indexPatterns: - - logs-* - - filebeat-* - type: host - success: false + getAgentUploadFileExample: + description: The uploaded file content as a stream + value: schema: type: object - properties: - errors: - description: Error messages for engines that failed to update. - items: - type: string - type: array - result: - description: Per-engine update results for engines that succeeded. - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EngineDataviewUpdateResult - type: array - success: - description: Always `false` for a partial success. - type: boolean - description: Partial successful response - '500': + description: Successful response — returns the uploaded file content + '400': content: application/json: examples: - serverErrorExample: - description: >- - An unexpected error occurred while applying data view - indices. - summary: Internal server error + genericErrorResponseExample: + description: Example of a generic error response value: - body: An internal error occurred while updating engine indices - statusCode: 500 + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: + additionalProperties: false + description: Generic Error type: object properties: - body: - description: Error message. 
+ attributes: + nullable: true + error: + type: string + errorType: + type: string + message: type: string statusCode: - description: HTTP status code. type: number - description: Error response - summary: Apply DataView indices to all installed engines + required: + - message + - attributes + description: Bad Request + summary: Get an uploaded file tags: - - Security Entity Analytics API - /api/entity_store/entities/{entityType}: - delete: - description: > - Delete a single entity in Entity Store. + - Elastic Agents + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/setup: + get: + description: |- + **Spaces method and path for this operation:** - The entity will be immediately deleted from the latest index. It will - remain available in historical snapshots if it has been snapshotted. - The delete operation does not prevent the entity from being recreated if - it is observed again in the future. - operationId: DeleteSingleEntity - parameters: - - example: user - in: path - name: entityType - required: true - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - requestBody: - content: - application/json: - schema: - type: object - properties: - id: - description: >- - Identifier of the entity to be deleted, commonly entity.id - value. - example: arn:aws:iam::123456789012:user/jane.doe - type: string - required: - - id - description: Schema for the deleting entity - required: true +
get /s/{space_id}/api/fleet/agents/setup
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the current Fleet setup status, including whether Fleet is ready to enroll agents and which requirements or optional features are missing.

[Required authorization] Route required privileges: fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup. + operationId: get-fleet-agents-setup + parameters: [] responses: '200': content: application/json: examples: - deleteEntityExample: - description: >- - The entity was found and successfully removed from the - latest index. - summary: Entity deleted + agentsSetupNotReadyExample: + description: Fleet is not ready — a Fleet Server and API keys are required value: - deleted: true + is_action_secrets_storage_enabled: false + is_secrets_storage_enabled: false + is_space_awareness_enabled: false + is_ssl_secrets_storage_enabled: false + isReady: false + missing_optional_features: + - encrypted_saved_object_encryption_key_required + missing_requirements: + - fleet_server + - api_keys + agentsSetupReadyExample: + description: Fleet is ready to enroll agents — all requirements are met + value: + is_action_secrets_storage_enabled: true + is_secrets_storage_enabled: true + is_space_awareness_enabled: false + is_ssl_secrets_storage_enabled: false + isReady: true + missing_optional_features: [] + missing_requirements: [] + package_verification_key_id: D88DB4CC schema: + additionalProperties: false + description: A summary of the agent setup status. `isReady` indicates whether the setup is ready. If the setup is not ready, `missing_requirements` lists which requirements are missing. type: object properties: - deleted: - description: Whether the entity was successfully deleted. + is_action_secrets_storage_enabled: type: boolean - description: Successful response. Entity deleted. - '404': - description: Entity Not Found. No entity with this ID and Type exists. - '503': - description: >- - Operation on an uninitialized Engine or in a cluster without CRUD - API Enabled - summary: Delete an entity in Entity Store - tags: - - Security Entity Analytics API - put: - description: > - Update or create an entity in Entity Store. 
- - If the specified entity already exists, it is updated with the provided - values. If the entity does not exist, a new one is created. By default, - only the following fields can be updated: * `entity.attributes.*` * - `entity.lifecycle.*` * `entity.behavior.*` To update other fields, set - the `force` query parameter to `true`. > info > Some fields always - retain the first observed value. Updates to these fields will not appear - in the final index. - - > Due to technical limitations, not all updates are guaranteed to appear - in the final list of observed values. - - > Due to technical limitations, create is an async operation. The time - for a document to be present in the > final index depends on the entity - store transform and usually takes more than 1 minute. - operationId: UpsertEntity - parameters: - - example: user - in: path - name: entityType - required: true - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - - description: When true, allows updating protected fields. 
- in: query - name: force - required: false - schema: - default: false - type: boolean - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_Entity' - description: Schema for the updating a single entity - required: true - responses: - '200': + is_secrets_storage_enabled: + type: boolean + is_space_awareness_enabled: + type: boolean + is_ssl_secrets_storage_enabled: + type: boolean + isReady: + type: boolean + missing_optional_features: + items: + enum: + - encrypted_saved_object_encryption_key_required + type: string + maxItems: 1 + type: array + missing_requirements: + items: + enum: + - security_required + - tls_required + - api_keys + - fleet_admin_user + - fleet_server + type: string + maxItems: 5 + type: array + package_verification_key_id: + type: string + required: + - isReady + - missing_requirements + - missing_optional_features + description: Fleet setup status + '400': content: application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_Entity' - description: Entity updated or created - '403': - description: Operation on a restricted field - '409': - description: >- - Conflict. 
The entity was updated while another update was happening - in ElasticSearch - '503': - description: >- - Operation on an uninitialized Engine or in a cluster without CRUD - API Enabled - summary: Upsert an entity in Entity Store + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get agent setup info tags: - - Security Entity Analytics API - /api/entity_store/entities/bulk: - put: - description: > - Update or create many entities in Entity Store. + - Elastic Agents + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: |- + **Spaces method and path for this operation:** - If the specified entity already exists, it is updated with the provided - values. If the entity does not exist, a new one is created. +
post /s/{space_id}/api/fleet/agents/setup
- The creation is asynchronous. The time for a document to be present in - the final index depends on the entity store transform and usually takes - more than 1 minute. - operationId: UpsertEntitiesBulk - parameters: - - description: When true, allows updating protected fields. - in: query - name: force - required: false - schema: - default: false - type: boolean - requestBody: - content: - application/json: - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EntitiesContainer - description: Schema for the updating many entities - required: true - responses: - '200': - description: Entities updated or created - '403': - description: Operation on a restricted field - '503': - description: >- - Operation on an uninitialized Engine or in a cluster without CRUD - API Enabled - summary: Upsert many entities in Entity Store - tags: - - Security Entity Analytics API - /api/entity_store/entities/list: - get: - description: List entities records, paging, sorting and filtering as needed. - operationId: ListEntities + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Initialize Fleet. This endpoint is used by Elastic Agents to trigger Fleet setup. Safe to call multiple times; subsequent calls are idempotent.

[Required authorization] Route required privileges: fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup. + operationId: post-fleet-agents-setup parameters: - - description: Field to sort results by. - example: entity.name - in: query - name: sort_field - required: false - schema: - type: string - - description: Sort order. - in: query - name: sort_order - required: false - schema: - enum: - - asc - - desc - type: string - - description: Page number to return (1-indexed). - example: 1 - in: query - name: page - required: false - schema: - minimum: 1 - type: integer - - description: Number of entities per page. - example: 10 - in: query - name: per_page - required: false - schema: - maximum: 10000 - minimum: 1 - type: integer - - description: An ES query to filter by. - in: query - name: filterQuery - required: false - schema: - type: string - - description: Entity types to include in the results. - in: query - name: entity_types + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: - items: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - type: array + example: 'true' + type: string responses: '200': content: application/json: + examples: + agentsSetupSuccessExample: + description: Fleet setup initialized successfully with no non-fatal errors + value: + isInitialized: true + nonFatalErrors: [] schema: + additionalProperties: false + description: A summary of the result of Fleet's `setup` lifecycle. If `isInitialized` is true, Fleet is ready to accept agent enrollment. `nonFatalErrors` may include useful insight into non-blocking issues with Fleet setup. type: object properties: - inspect: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_InspectQuery - page: - description: Current page number. - minimum: 1 - type: integer - per_page: - description: Number of entities per page. 
- maximum: 1000 - minimum: 1 - type: integer - records: - description: The entity records for this page. + isInitialized: + type: boolean + nonFatalErrors: items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_Entity + additionalProperties: false + type: object + properties: + message: + type: string + name: + type: string + required: + - name + - message + maxItems: 10000 type: array - total: - description: Total number of entities matching the query. - minimum: 0 - type: integer required: - - records - - page - - per_page - - total - description: Entities returned successfully - summary: List Entity Store Entities - tags: - - Security Entity Analytics API - /api/entity_store/status: - get: - description: >- - Get the overall Entity Store status and per-engine statuses, optionally - including component-level health details. - operationId: GetEntityStoreStatus - parameters: - - description: >- - If true, returns a detailed status of each engine including all its - components. - example: true - in: query - name: include_components - schema: - type: boolean - responses: - '200': + - isInitialized + - nonFatalErrors + description: Fleet setup completed + '400': content: application/json: examples: - entityStoreRunning: - description: >- - The Entity Store is running with both host and user engines - started and using default settings. 
- summary: Entity Store running with two engines + genericErrorResponseExample: + description: Example of a generic error response value: - engines: - - delay: 1m - fieldHistoryLength: 10 - frequency: 1m - indexPattern: '' - lookbackPeriod: 24h - status: started - timeout: 180s - timestampField: '@timestamp' - type: host - - delay: 1m - fieldHistoryLength: 10 - frequency: 1m - indexPattern: '' - lookbackPeriod: 24h - status: started - timeout: 180s - timestampField: '@timestamp' - type: user - status: running + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: + additionalProperties: false + description: Generic Error type: object properties: - engines: - description: Per-engine status information. - items: - allOf: - - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EngineDescriptor - - type: object - properties: - components: - description: >- - Detailed component-level status. Only included - when include_components is true. - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EngineComponentStatus - type: array - type: array - status: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_StoreStatus - description: The overall status of the Entity Store. + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number required: - - status - - engines - description: Successful response - summary: Get the status of the Entity Store + - message + - attributes + description: Bad Request + summary: Initiate Fleet setup tags: - - Security Entity Analytics API - /api/exception_lists: - delete: - description: Delete an exception list using the `id` or `list_id` field. - operationId: DeleteExceptionList + - Elastic Agents + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/tags: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agents/tags
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all tags used across enrolled agents.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agents-tags parameters: - - description: >- - Exception list's identifier. Either `id` or `list_id` must be - specified. - in: query - name: id - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' - - description: >- - Human readable exception list string identifier, e.g. - `trusted-linux-processes`. Either `id` or `list_id` must be - specified. - examples: - autogeneratedId: - value: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - list_id: - value: simple_list + - description: A KQL query string to filter results in: query - name: list_id + name: kuery required: false schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - - description: > - `single` deletes the list in the current Kibana space; `agnostic` - deletes a global list. Must match the - - list you are removing when using `list_id` or `id`. - examples: - agnostic: - value: agnostic - single: - value: single + type: string + - description: When true, include tags from inactive agents in: query - name: namespace_type + name: showInactive required: false schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - default: single + default: false + type: boolean responses: '200': content: application/json: examples: - detectionExceptionList: + getAgentTagsExample: + description: List of tags used across agents value: - _version: WzIsMV0= - created_at: 2025-01-07T19:34:27.942Z - created_by: elastic - description: This is a sample detection type exception list. 
- id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 - immutable: false - list_id: simple_list - name: Sample Detection Exception List - namespace_type: single - os_types: + items: + - production - linux - tags: - - malware - tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 - type: detection - updated_at: 2025-01-07T19:34:27.942Z - updated_by: elastic - version: 1 + - datacenter-1 schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + additionalProperties: false + type: object + properties: + items: + items: + type: string + maxItems: 10000 + type: array + required: + - items description: Successful response '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: >- - [request query]: namespace_type.0: Invalid enum value. - Expected 'agnostic' | 'single', received 'blob' + message: An error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + 
description: Bad Request + summary: Get agent tags + tags: + - Elastic Agents + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/check-permissions: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/check-permissions
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Check whether the current user has the required permissions to use Fleet. Optionally verifies Fleet Server setup privileges. + operationId: get-fleet-check-permissions + parameters: + - description: When true, check Fleet Server setup privileges in addition to standard Fleet privileges + in: query + name: fleetServerSetup + required: false + schema: + type: boolean + responses: + '200': content: application/json: examples: - forbidden: + checkPermissionsMissingPrivilegesExample: + description: The current user is missing Fleet privileges value: - error: Forbidden - message: >- - API [DELETE - /api/exception_lists?list_id=simple_list&namespace_type=single] - is unauthorized for user, this action is granted by the - Kibana privileges [lists-all] - statusCode: 403 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: + error: MISSING_PRIVILEGES + success: false + checkPermissionsSuccessExample: + description: The current user has all required Fleet permissions value: - message: 'exception list list_id: "foo" does not exist' - status_code: 404 + success: true schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list not found response - '500': + additionalProperties: false + type: object + properties: + error: + enum: + - MISSING_SECURITY + - MISSING_PRIVILEGES + - MISSING_FLEET_SERVER_SETUP_PRIVILEGES + type: string + success: + type: boolean + required: + - success + description: Successful response + '400': content: application/json: examples: - serverError: + genericErrorResponseExample: + description: Example of a generic error response value: - message: Internal Server Error - status_code: 500 + error: Bad Request + message: An error message describing what went 
wrong + statusCode: 400 schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Delete an exception list + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Check permissions tags: - - Security Exceptions API + - Fleet internals + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/cloud_connectors: get: - description: Get the details of an exception list using the `id` or `list_id` field. - operationId: ReadExceptionList + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/cloud_connectors
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all Fleet cloud connectors.

[Required authorization] Route required privileges: fleet-agent-policies-read OR integrations-read. + operationId: get-fleet-cloud-connectors parameters: - - description: >- - Exception list's identifier. Either `id` or `list_id` must be - specified. + - description: The page number for pagination. in: query - name: id + name: page required: false schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' - - description: >- - Human readable exception list string identifier, e.g. - `trusted-linux-processes`. Either `id` or `list_id` must be - specified. + type: string + - description: The number of items per page. in: query - name: list_id + name: perPage required: false schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - - description: > - When `single`, the list is resolved in the current Kibana space. - When `agnostic`, the list is a global - - (space-agnostic) container. Required for looking up the correct list - when `list_id` is not unique. - examples: - agnostic: - value: agnostic - single: - value: single + type: string + - description: KQL query to filter cloud connectors. in: query - name: namespace_type + name: kuery required: false schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - default: single + type: string responses: '200': content: application/json: examples: - detectionType: + getCloudConnectorsExample: + description: List of Fleet cloud connectors value: - _version: WzIsMV0= - created_at: 2025-01-07T19:34:27.942Z - created_by: elastic - description: This is a sample detection type exception list. 
- id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 - immutable: false - list_id: simple_list - name: Sample Detection Exception List - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 - type: detection - updated_at: 2025-01-07T19:34:27.942Z - updated_by: elastic - version: 1 + items: + - accountType: single-account + cloudProvider: aws + created_at: '2024-01-15T10:00:00.000Z' + id: cloud-connector-id-1 + name: My AWS connector + packagePolicyCount: 2 + updated_at: '2024-01-15T10:00:00.000Z' + vars: {} schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + additionalProperties: false + type: object + properties: + items: + items: + additionalProperties: false + type: object + properties: + accountType: + type: string + cloudProvider: + type: string + created_at: + type: string + id: + type: string + name: + type: string + namespace: + type: string + packagePolicyCount: + type: number + updated_at: + type: string + vars: + additionalProperties: + nullable: true + type: object + verification_failed_at: + type: string + verification_started_at: + type: string + verification_status: + type: string + required: + - id + - name + - cloudProvider + - vars + - packagePolicyCount + - created_at + - updated_at + maxItems: 10000 + type: array + required: + - items description: Successful response '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: >- - [request query]: namespace_type.0: Invalid enum value. 
- Expected 'agnostic' | 'single', received 'blob' + message: An error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [GET - /api/exception_lists?list_id=simple_list&namespace_type=single] - is unauthorized for user, this action is granted by the - Kibana privileges [lists-read] - statusCode: 403 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message": 'exception list id: "foo" does not exist' - status_code": 404 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list item not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Get exception list details + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: 
string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get cloud connectors tags: - - Security Exceptions API + - Fleet cloud connectors + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name post: - description: > - An exception list groups exception items and can be associated with - detection rules. You can assign exception lists to multiple detection - rules. + description: |- + **Spaces method and path for this operation:** - > info +
post /s/{space_id}/api/fleet/cloud_connectors
- > All exception items added to the same list are evaluated using `OR` - logic. That is, if any of the items in a list evaluate to `true`, the - exception prevents the rule from generating an alert. Likewise, `OR` - logic is used for evaluating exceptions when more than one exception - list is assigned to a rule. To use the `AND` operator, you can define - multiple clauses (`entries`) in a single exception item. - operationId: CreateExceptionList + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new Fleet cloud connector.

[Required authorization] Route required privileges: fleet-agent-policies-all OR integrations-all. + operationId: post-fleet-cloud-connectors + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: examples: - createDetection: + postCloudConnectorRequestExample: + description: Create a new AWS cloud connector value: - description: This is a sample detection type exception list. - list_id: simple_list - name: Sample Detection Exception List - namespace_type: single - os_types: - - linux - tags: - - malware - type: detection + accountType: single-account + cloudProvider: aws + name: My AWS connector + vars: {} schema: - example: - description: This is a sample detection type exception list. - list_id: simple_list - name: Sample Detection Exception List - namespace_type: single - os_types: - - linux - tags: - - malware - type: detection + additionalProperties: false type: object properties: - description: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListDescription - list_id: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListHumanId - meta: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListMeta + accountType: + description: 'The account type: single-account (single account/subscription) or organization-account (organization-wide).' + enum: + - single-account + - organization-account + type: string + cloudProvider: + description: 'The cloud provider type: aws, azure, or gcp.' 
+ enum: + - aws + - azure + - gcp + type: string name: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListName - namespace_type: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - default: single - os_types: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray - tags: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListTags - default: [] - type: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListType - version: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListVersion - default: 1 + description: The name of the cloud connector. + maxLength: 255 + minLength: 1 + type: string + vars: + additionalProperties: + anyOf: + - maxLength: 1000 + type: string + - type: number + - type: boolean + - additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + maxLength: 50 + type: string + value: + anyOf: + - maxLength: 1000 + type: string + - additionalProperties: false + type: object + properties: + id: + maxLength: 255 + type: string + isSecretRef: + type: boolean + required: + - isSecretRef + - id + required: + - type + - value + type: object required: - name - - description - - type - description: Exception list's properties - required: true + - cloudProvider + - vars responses: '200': content: application/json: examples: - autogeneratedListId: - value: - _version: WzMsMV0= - created_at: 2025-01-09T01:05:23.019Z - created_by: elastic - description: >- - This is a sample detection type exception with an - autogenerated list_id. 
- id: 28243c2f-624a-4443-823d-c0b894880931 - immutable: false - list_id: 8c1aae4c-1ef5-4bce-a2e3-16584b501783 - name: Sample Detection Exception List - namespace_type: single - os_types: [] - tags: - - malware - tie_breaker_id: ad94de31-39f7-4ad7-b8e4-988bfa95f338 - type: detection - updated_at: 2025-01-09T01:05:23.020Z - updated_by: elastic - version: 1 - namespaceAgnostic: - value: - _version: WzUsMV0= - created_at: 2025-01-09T01:10:36.369Z - created_by: elastic - description: This is a sample agnostic endpoint type exception. - id: 1a744e77-22ca-4b6b-9085-54f55275ebe5 - immutable: false - list_id: b935eb55-7b21-4c1c-b235-faa1df23b3d6 - name: Sample Agnostic Endpoint Exception List - namespace_type: agnostic - os_types: - - linux - tags: - - malware - tie_breaker_id: 49ea0adc-a2b8-4d83-a8f3-2fb98301dea3 - type: endpoint - updated_at: 2025-01-09T01:10:36.369Z - updated_by: elastic - version: 1 - typeDetection: - value: - _version: WzIsMV0= - created_at: 2025-01-07T19:34:27.942Z - created_by: elastic - description: This is a sample detection type exception list. - id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 - immutable: false - list_id: simple_list - name: Sample Detection Exception List - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 - type: detection - updated_at: 2025-01-07T19:34:27.942Z - updated_by: elastic - version: 1 - typeEndpoint: + postCloudConnectorExample: + description: The created Fleet cloud connector value: - _version: WzQsMV0= - created_at: 2025-01-09T01:07:49.658Z - created_by: elastic - description: This is a sample endpoint type exception list. 
- id: a79f4730-6e32-4278-abfc-349c0add7d54 - immutable: false - list_id: endpoint_list - name: Sample Endpoint Exception List - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 94a028af-8f47-427a-aca5-ffaf829e64ee - type: endpoint - updated_at: 2025-01-09T01:07:49.658Z - updated_by: elastic - version: 1 + item: + accountType: single-account + cloudProvider: aws + created_at: '2024-01-15T10:00:00.000Z' + id: cloud-connector-id-2 + name: My AWS connector + packagePolicyCount: 0 + updated_at: '2024-01-15T10:00:00.000Z' + vars: {} schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + accountType: + type: string + cloudProvider: + type: string + created_at: + type: string + id: + type: string + name: + type: string + namespace: + type: string + packagePolicyCount: + type: number + updated_at: + type: string + vars: + additionalProperties: + nullable: true + type: object + verification_failed_at: + type: string + verification_started_at: + type: string + verification_status: + type: string + required: + - id + - name + - cloudProvider + - vars + - packagePolicyCount + - created_at + - updated_at + required: + - item description: Successful response '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: '[request body]: list_id: Expected string, received number' + message: An error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: 
true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Create cloud connector + tags: + - Fleet cloud connectors + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/cloud_connectors/{cloudConnectorId}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/cloud_connectors/{cloudConnectorId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a cloud connector by ID. Use the `force` query parameter to delete even if package policies are still using it.

[Required authorization] Route required privileges: fleet-agent-policies-all OR integrations-all. + operationId: delete-fleet-cloud-connectors-cloudconnectorid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The unique identifier of the cloud connector to delete. + in: path + name: cloudConnectorId + required: true + schema: + type: string + - description: If true, forces deletion even if the cloud connector is in use. + in: query + name: force + required: false + schema: + type: boolean + responses: + '200': content: application/json: examples: - unauthorized: + deleteCloudConnectorExample: + description: The cloud connector was successfully deleted value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 + id: cloud-connector-id-1 schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + description: Successful response + '400': content: application/json: examples: - forbidden: + genericErrorResponseExample: + description: Example of a generic error response value: - error: Forbidden - message: >- - API [POST /api/exception_lists] is unauthorized for user, - this action is granted by the Kibana privileges - [lists-all] - statusCode: 403 + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '409': + additionalProperties: false + 
description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Delete cloud connector (supports force deletion) + tags: + - Fleet cloud connectors + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/cloud_connectors/{cloudConnectorId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a cloud connector by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read OR integrations-read. + operationId: get-fleet-cloud-connectors-cloudconnectorid + parameters: + - description: The unique identifier of the cloud connector. + in: path + name: cloudConnectorId + required: true + schema: + type: string + responses: + '200': content: application/json: examples: - alreadyExists: + getCloudConnectorExample: + description: A Fleet cloud connector value: - message: 'exception list id: "simple_list" already exists' - status_code: 409 + item: + accountType: single-account + cloudProvider: aws + created_at: '2024-01-15T10:00:00.000Z' + id: cloud-connector-id-1 + name: My AWS connector + packagePolicyCount: 2 + updated_at: '2024-01-15T10:00:00.000Z' + vars: {} schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list already exists response - '500': + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + accountType: + type: string + cloudProvider: + type: string + created_at: + type: string + id: + type: string + name: + type: string + namespace: + type: string + packagePolicyCount: + type: number + updated_at: + type: string + vars: + additionalProperties: + nullable: true + type: object + verification_failed_at: + type: string + verification_started_at: + type: string + verification_status: + type: string + required: + - id + - name + - cloudProvider + - vars + - packagePolicyCount + - created_at + - updated_at + required: + - item + description: Successful response + '400': content: application/json: examples: - serverError: - value: - message: Internal Server Error - status_code: 500 + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: 
'#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Create an exception list + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get cloud connector tags: - - Security Exceptions API + - Fleet cloud connectors + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name put: - description: Update an exception list using the `id` or `list_id` field. - operationId: UpdateExceptionList + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/fleet/cloud_connectors/{cloudConnectorId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update a cloud connector by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all OR integrations-all. + operationId: put-fleet-cloud-connectors-cloudconnectorid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The unique identifier of the cloud connector to update. + in: path + name: cloudConnectorId + required: true + schema: + type: string requestBody: content: application/json: examples: - fullReplace: + putCloudConnectorRequestExample: + description: Update a Fleet cloud connector value: - description: Different description - list_id: simple_list - name: Updated exception list name - os_types: - - linux - tags: - - draft - - malware - type: detection + name: Updated AWS connector + vars: {} schema: - example: - description: Different description - list_id: simple_list - name: Updated exception list name - os_types: - - linux - tags: - - draft malware - type: detection + additionalProperties: false type: object properties: - _version: - description: >- - The version id, normally returned by the API when the item - was retrieved. Use it ensure updates are done against the - latest version. + accountType: + description: 'The account type: single-account (single account/subscription) or organization-account (organization-wide).' 
+ enum: + - single-account + - organization-account type: string - description: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListDescription - id: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' - list_id: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListHumanId - meta: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListMeta name: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListName - namespace_type: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - default: single - os_types: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray - default: [] - tags: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListTags - type: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListType - version: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListVersion - required: - - name - - description - - type - description: Exception list's properties - required: true + description: The name of the cloud connector. 
+ maxLength: 255 + minLength: 1 + type: string + vars: + additionalProperties: + anyOf: + - maxLength: 1000 + type: string + - type: number + - type: boolean + - additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + maxLength: 50 + type: string + value: + anyOf: + - maxLength: 1000 + type: string + - additionalProperties: false + type: object + properties: + id: + maxLength: 255 + type: string + isSecretRef: + type: boolean + required: + - isSecretRef + - id + required: + - type + - value + type: object responses: '200': content: application/json: examples: - simpleList: + putCloudConnectorExample: + description: The updated Fleet cloud connector value: - _version: WzExLDFd - created_at: 2025-01-07T20:43:55.264Z - created_by: elastic - description: Different description - id: fa7f545f-191b-4d32-b1f0-c7cd62a79e55 - immutable: false - list_id: simple_list - name: Updated exception list name - namespace_type: single - os_types: [] - tags: - - draft malware - tie_breaker_id: 319fe983-acdd-4806-b6c4-3098eae9392f - type: detection - updated_at: 2025-01-07T21:32:03.726Z - updated_by: elastic - version: 2 + item: + accountType: single-account + cloudProvider: aws + created_at: '2024-01-15T10:00:00.000Z' + id: cloud-connector-id-1 + name: Updated AWS connector + packagePolicyCount: 2 + updated_at: '2024-01-15T11:00:00.000Z' + vars: {} schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + accountType: + type: string + cloudProvider: + type: string + created_at: + type: string + id: + type: string + name: + type: string + namespace: + type: string + packagePolicyCount: + type: number + updated_at: + type: string + vars: + additionalProperties: + nullable: true + type: object + verification_failed_at: + type: string + verification_started_at: + type: string + verification_status: + type: 
string + required: + - id + - name + - cloudProvider + - vars + - packagePolicyCount + - created_at + - updated_at + required: + - item description: Successful response '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: '[request body]: list_id: Expected string, received number' + message: An error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Update cloud connector + tags: + - Fleet cloud connectors + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/cloud_connectors/{cloudConnectorId}/usage: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/cloud_connectors/{cloudConnectorId}/usage
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of package policies that are using a given cloud connector.

[Required authorization] Route required privileges: fleet-agent-policies-read OR integrations-read. + operationId: get-fleet-cloud-connectors-cloudconnectorid-usage + parameters: + - description: The unique identifier of the cloud connector. + in: path + name: cloudConnectorId + required: true + schema: + type: string + - description: The page number for pagination. + in: query + name: page + required: false + schema: + minimum: 1 + type: number + - description: The number of items per page. + in: query + name: perPage + required: false + schema: + minimum: 1 + type: number + responses: + '200': content: application/json: examples: - unauthorized: + getCloudConnectorUsageResponseExample: + description: Example response showing package policies using the cloud connector value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 + items: + - created_at: '2025-01-16T09:00:00.000Z' + id: package-policy-1 + name: CSPM AWS Policy + package: + name: cloud_security_posture + title: Cloud Security Posture Management + version: 3.1.1 + policy_ids: + - policy-id-123 + - policy-id-456 + updated_at: '2025-01-16T09:00:00.000Z' + page: 1 + perPage: 20 + total: 2 schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': + additionalProperties: false + type: object + properties: + items: + items: + additionalProperties: false + type: object + properties: + created_at: + type: string + id: + type: string + name: + type: string + package: + additionalProperties: false + type: object + properties: + name: + type: string + title: + type: string + version: + type: string + required: + - name + - title + - version + policy_ids: + items: + type: string + maxItems: 
10000 + type: array + updated_at: + type: string + required: + - id + - name + - policy_ids + - created_at + - updated_at + maxItems: 10000 + type: array + page: + type: number + perPage: + type: number + total: + type: number + required: + - items + - total + - page + - perPage + description: 'OK: A successful request.' + '400': content: application/json: examples: - forbidden: + genericErrorResponseExample: + description: Example of a generic error response value: - error: Forbidden - message: >- - API [PUT /api/exception_lists] is unauthorized for user, - this action is granted by the Kibana privileges - [lists-all] - statusCode: 403 + error: Bad Request + message: Cloud connector not found + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '404': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: A bad request. + summary: Get cloud connector usage (package policies using the connector) + tags: + - Fleet cloud connectors + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/data_streams: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/data_streams
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all Fleet-managed data streams with metadata including package, namespace, size, and last activity.

[Required authorization] Route required privileges: fleet-agents-all AND fleet-agent-policies-all AND fleet-settings-all. + operationId: get-fleet-data-streams + parameters: [] + responses: + '200': content: application/json: examples: - notFound: + getDataStreamsExample: + description: List of Fleet-managed data streams value: - message": 'exception list id: "foo" does not exist' - status_code": 404 + data_streams: + - dashboards: + - id: nginx-overview + title: Nginx Overview + dataset: nginx.access + index: logs-nginx.access-default + last_activity_ms: 1700000000000 + namespace: default + package: nginx + package_version: 1.20.0 + serviceDetails: null + size_in_bytes: 1048576 + size_in_bytes_formatted: 1mb + type: logs + - dashboards: [] + dataset: system.cpu + index: metrics-system.cpu-default + last_activity_ms: 1699999000000 + namespace: default + package: system + package_version: 1.38.0 + serviceDetails: null + size_in_bytes: 524288 + size_in_bytes_formatted: 512kb + type: metrics schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list not found response - '500': + additionalProperties: false + type: object + properties: + data_streams: + items: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + title: + type: string + required: + - id + - title + maxItems: 10000 + type: array + dataset: + type: string + index: + type: string + last_activity_ms: + type: number + namespace: + type: string + package: + type: string + package_version: + type: string + serviceDetails: + additionalProperties: false + nullable: true + type: object + properties: + environment: + type: string + serviceName: + type: string + required: + - environment + - serviceName + size_in_bytes: + type: number + size_in_bytes_formatted: + anyOf: + - type: number + - type: string + type: + type: string + required: + - index + - 
dataset + - namespace + - type + - package + - package_version + - last_activity_ms + - size_in_bytes + - size_in_bytes_formatted + - dashboards + - serviceDetails + maxItems: 10000 + type: array + required: + - data_streams + description: Successful response + '400': content: application/json: examples: - serverError: + genericErrorResponseExample: + description: Example of a generic error response value: - message: Internal Server Error - status_code: 500 + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Update an exception list + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get data streams tags: - - Security Exceptions API - /api/exception_lists/_duplicate: - post: - description: Duplicate an existing exception list. - operationId: DuplicateExceptionList + - Data streams + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/enrollment_api_keys: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/enrollment_api_keys
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all enrollment API keys.

[Required authorization] Route required privileges: fleet-agents-all OR fleet-setup. + operationId: get-fleet-enrollment-api-keys parameters: - - description: The `list_id` of the existing exception list to copy (source list). + - description: Page number in: query - name: list_id - required: true + name: page + required: false schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - - description: >- - Scope in which the source list is defined (`single` = current space, - `agnostic` = all spaces). - examples: - agnostic: - value: agnostic - single: - value: single + default: 1 + type: number + - description: Number of results per page in: query - name: namespace_type - required: true + name: perPage + required: false schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - - description: >- - Determines whether to include expired exceptions in the duplicated - list. Expiration date defined by `expire_time`. + default: 20 + type: number + - description: A KQL query string to filter results in: query - name: include_expired_exceptions - required: true + name: kuery + required: false schema: - default: 'true' - enum: - - 'true' - - 'false' - example: true type: string responses: '200': content: application/json: examples: - detectionExceptionList: + getEnrollmentApiKeysExample: + description: List of enrollment API keys value: - _version: WzExNDY1LDFd - created_at: 2025-01-09T16:19:50.280Z - created_by: elastic - description: This is a sample detection type exception - id: b2f4a715-6ab1-444c-8b1e-3fa1b1049429 - immutable: false - list_id: d6390d60-bce3-4a48-9002-52db600f329c - name: Sample Detection Exception List [Duplicate] - namespace_type: single - os_types: [] - tags: - - malware - tie_breaker_id: 6fa670bd-666d-4c9c-9f1e-d1dbc516e985 - type: detection - updated_at: 2025-01-09T16:19:50.280Z - updated_by: elastic - version: 1 + items: + - active: true + api_key: api-key-value-1 + api_key_id: 
api-key-id-1 + created_at: '2024-01-01T00:00:00.000Z' + id: key-id-1 + name: Default policy enrollment key + policy_id: policy-id-1 + list: + - active: true + api_key: api-key-value-1 + api_key_id: api-key-id-1 + created_at: '2024-01-01T00:00:00.000Z' + id: key-id-1 + name: Default policy enrollment key + policy_id: policy-id-1 + page: 1 + perPage: 20 + total: 1 schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + additionalProperties: false + type: object + properties: + items: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_enrollment_api_key' + maxItems: 10000 + type: array + list: + deprecated: true + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_enrollment_api_key' + maxItems: 10000 + type: array + page: + type: number + perPage: + type: number + total: + type: number + required: + - items + - total + - page + - perPage + - list description: Successful response '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: >- - [request query]: namespace_type: Invalid enum value. 
- Expected 'agnostic' | 'single', received 'foo' + message: An error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [POST /api/exception_lists/_duplicate] is unauthorized - for user, this action is granted by the Kibana privileges - [lists-all] - statusCode: 403 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message: 'exception list id: "foo" does not exist' - status_code: 404 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Exception list not found - '405': - content: - application/json: - examples: - notAllowed: - value: - message: >- - Cannot duplicate: list is immutable or the operation is - not allowed in this state - status_code: 405 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list to duplicate not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - 
$ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Duplicate an exception list + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get enrollment API keys tags: - - Security Exceptions API - /api/exception_lists/_export: + - Fleet enrollment API keys + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name post: - description: Export an exception list and its associated items to an NDJSON file. - operationId: ExportExceptionList + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/enrollment_api_keys
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create an enrollment API key for a given agent policy.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-enrollment-api-keys parameters: - - description: >- - Exception list's internal `id` (UUID) returned on create; use with - `list_id` and `namespace_type` for an unambiguous target. - in: query - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' - - description: >- - Human-readable `list_id` of the exception list to export, as shown - in the UI and API responses. - in: query - name: list_id - required: true - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - - description: > - `single` exports a list in the current Kibana space; `agnostic` - exports a global (space-agnostic) list. - examples: - agnostic: - value: agnostic - single: - value: single - in: query - name: namespace_type - required: true - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - - description: >- - Determines whether to include expired exceptions in the exported - list. Expiration date defined by `expire_time`. 
- example: true - in: query - name: include_expired_exceptions + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: - default: 'true' - enum: - - 'true' - - 'false' + example: 'true' type: string + requestBody: + content: + application/json: + examples: + postEnrollmentApiKeyRequestExample: + description: Create an enrollment API key for an agent policy + value: + expiration: '2025-01-01T00:00:00.000Z' + name: My enrollment key + policy_id: policy-id-1 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_enrollment_api_key' responses: '200': content: - application/ndjson: + application/json: examples: - exportSavedObjectsResponse: - value: > - {"_version":"WzExNDU5LDFd","created_at":"2025-01-09T16:18:17.757Z","created_by":"elastic","description":"This - is a sample detection type - exception","id":"c86c2da0-2ab6-4343-b81c-216ef27e8d75","immutable":false,"list_id":"simple_list","name":"Sample - Detection Exception - List","namespace_type":"single","os_types":[],"tags":["user - added string for a - tag","malware"],"tie_breaker_id":"cf4a7b92-732d-47f0-a0d5-49a35a1736bf","type":"detection","updated_at":"2025-01-09T16:18:17.757Z","updated_by":"elastic","version":1} - - {"_version":"WzExNDYxLDFd","comments":[],"created_at":"2025-01-09T16:18:42.308Z","created_by":"elastic","description":"This - is a sample endpoint type - exception","entries":[{"type":"exists","field":"actingProcess.file.signer","operator":"excluded"},{"type":"match_any","field":"host.name","value":["some - host","another - host"],"operator":"included"}],"id":"f37597ce-eaa7-4b64-9100-4301118f6806","item_id":"simple_list_item","list_id":"simple_list","name":"Sample - Endpoint Exception - List","namespace_type":"single","os_types":["linux"],"tags":["user - added string for a - tag","malware"],"tie_breaker_id":"4ca3ef3e-9721-42c0-8107-cf47e094d40f","type":"simple","updated_at":"2025-01-09T16:18:42.308Z","updated_by":"elastic"} - - 
{"exported_exception_list_count":1,"exported_exception_list_item_count":1,"missing_exception_list_item_count":0,"missing_exception_list_items":[],"missing_exception_lists":[],"missing_exception_lists_count":0} + postEnrollmentApiKeyExample: + description: The created enrollment API key + value: + action: created + item: + active: true + api_key: api-key-value-1 + api_key_id: api-key-id-1 + created_at: '2024-01-01T00:00:00.000Z' + id: key-id-1 + name: My enrollment key + policy_id: policy-id-1 schema: - description: >- - A `.ndjson` file containing specified exception list and its - items - format: binary - type: string + $ref: '#/components/schemas/Kibana_HTTP_APIs_enrollment_api_key_response' description: Successful response '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: >- - [request query]: list_id: Required, namespace_type: - Required + message: An error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [POST /api/exception_lists/_export] is unauthorized - for user, this action is granted by the Kibana 
privileges - [lists-all] - statusCode: 403 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '404': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Create an enrollment API key + tags: + - Fleet enrollment API keys + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/enrollment_api_keys/_bulk_delete: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/enrollment_api_keys/_bulk_delete
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Revoke or delete multiple enrollment API keys.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-enrollment-api-keys-bulk-delete + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + bulkDeleteByIdsExample: + description: Bulk delete enrollment API keys by IDs + value: + forceDelete: true + tokenIds: + - token-id-1 + - token-id-2 + bulkDeleteByKueryExample: + description: Bulk delete enrollment API keys by KQL query + value: + forceDelete: false + kuery: policy_id:"policy-id-1" + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_delete_enrollment_api_keys_request' + responses: + '200': content: application/json: examples: - notFound: + bulkDeleteEnrollmentApiKeysExample: + description: The enrollment API keys were successfully processed value: - message": 'exception list id: "foo" does not exist' - status_code": 404 + action: deleted + count: 2 + errorCount: 0 + successCount: 2 schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list not found response - '500': + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_delete_enrollment_api_keys_response' + description: Successful response + '400': content: application/json: examples: - serverError: + genericErrorResponseExample: + description: Example of a generic error response value: - message: Internal Server Error - status_code: 500 + error: Bad Request + message: Either tokenIds or kuery must be provided + statusCode: 400 schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Export an exception list + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + 
statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Bulk revoke or delete enrollment API keys tags: - - Security Exceptions API - /api/exception_lists/_find: - get: - description: Get a list of all exception list containers. - operationId: FindExceptionLists - parameters: - - description: > - Filters the returned results according to the value of the specified - field. - - - Uses the `so type.field name:field` value syntax, where `so type` - can be: - + - Fleet enrollment API keys + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/enrollment_api_keys/{keyId}: + delete: + description: |- + **Spaces method and path for this operation:** - - `exception-list`: Specify a space-aware exception list. +
delete /s/{space_id}/api/fleet/enrollment_api_keys/{keyId}
- - `exception-list-agnostic`: Specify an exception list that is - shared across spaces. - in: query - name: filter - required: false - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_FindExceptionListsFilter - - description: > - Determines whether the returned containers are Kibana associated - with a Kibana space + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - or available in all spaces (`agnostic` or `single`) - examples: - agnostic: - value: agnostic - single: - value: single - in: query - name: namespace_type - required: false - schema: - default: - - single - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - type: array - - description: The page number to return - in: query - name: page - required: false + Revoke or delete an enrollment API key by ID. Use `forceDelete=true` to remove the document.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: delete-fleet-enrollment-api-keys-keyid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - example: 1 - minimum: 1 - type: integer - - description: The number of exception lists to return per page - in: query - name: per_page - required: false + example: 'true' + type: string + - description: The ID of the enrollment API key + in: path + name: keyId + required: true schema: - example: 20 - minimum: 1 - type: integer - - description: Determines which field is used to sort the results. + type: string + - description: When false (default), invalidate the API key and mark the token as inactive. When true, also delete the token document. in: query - name: sort_field + name: forceDelete required: false schema: - example: name - type: string - - description: Determines the sort order, which can be `desc` or `asc`. + default: false + type: boolean + - description: When true, allow deletion of hidden enrollment tokens (managed/agentless policies). Defaults to false. in: query - name: sort_order + name: includeHidden required: false schema: - enum: - - desc - - asc - example: desc - type: string + default: false + type: boolean responses: '200': content: application/json: examples: - simpleLists: - value: - data: - - _version: WzIsMV0= - created_at: 2025-01-07T19:34:27.942Z - created_by: elastic - description: This is a sample detection type exception list. 
- id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 - immutable: false - list_id: simple_list - name: Detection Exception List - namespace_type: single - os_types: [] - tags: - - malware - tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 - type: detection - updated_at: 2025-01-07T19:34:27.942Z - updated_by: elastic - version: 1 - page: 1 - per_page: 20 - total: 1 - schema: - type: object - properties: - data: - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionList - type: array - page: - minimum: 1 - type: integer - per_page: - minimum: 1 - type: integer - total: - minimum: 0 - type: integer - required: - - data - - page - - per_page - - total - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: >- - [request query]: namespace_type.0: Invalid enum value. - Expected 'agnostic' | 'single', received 'blob' - statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: + deleteEnrollmentApiKeyExample: + description: The enrollment API key was successfully revoked value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 + action: deleted schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': + $ref: '#/components/schemas/Kibana_HTTP_APIs_delete_enrollment_api_key_response' + description: Successful response + '400': content: application/json: examples: - forbidden: + 
genericErrorResponseExample: + description: Example of a generic error response value: - error: Forbidden - message: >- - API [GET /api/exception_lists/_find?namespace_type=single] - is unauthorized for user, this action is granted by the - Kibana privileges [lists-read] - statusCode: 403 + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '500': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': content: application/json: examples: - serverError: + notFoundExample: + description: No enrollment API key was found with the given ID value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Get exception lists + error: Not Found + message: EnrollmentAPIKey key-id-1 not found + statusCode: 404 + description: Not Found + summary: Revoke or delete an enrollment API key tags: - - Security Exceptions API - /api/exception_lists/_import: - post: - description: Import an exception list and its associated items from an NDJSON file. - operationId: ImportExceptionList - parameters: - - description: > - Determines whether existing exception lists with the same `list_id` - are overwritten. + - Fleet enrollment API keys + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: |- + **Spaces method and path for this operation:** - If any exception items have the same `item_id`, those are also - overwritten. 
- in: query - name: overwrite - required: false - schema: - default: false - example: false - type: boolean - - description: > - Determines whether the list being imported will have a new `list_id` - generated. +
get /s/{space_id}/api/fleet/enrollment_api_keys/{keyId}
- Additional `item_id`'s are generated for each exception item. Both - the exception + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - list and its items are overwritten. - in: query - name: as_new_list - required: false + Get an enrollment API key by ID.

[Required authorization] Route required privileges: fleet-agents-all OR fleet-setup. + operationId: get-fleet-enrollment-api-keys-keyid + parameters: + - description: The ID of the enrollment API key + in: path + name: keyId + required: true schema: - default: false - example: false - type: boolean - requestBody: - content: - multipart/form-data: - examples: - ndjsonUpload: - value: - file: exception_lists.ndjson - schema: - type: object - properties: - file: - description: A `.ndjson` file containing the exception list - example: > - {"_version":"WzExNDU5LDFd","created_at":"2025-01-09T16:18:17.757Z","created_by":"elastic","description":"This - is a sample detection type - exception","id":"c86c2da0-2ab6-4343-b81c-216ef27e8d75","immutable":false,"list_id":"simple_list","name":"Sample - Detection Exception - List","namespace_type":"single","os_types":[],"tags":["user - added string for a - tag","malware"],"tie_breaker_id":"cf4a7b92-732d-47f0-a0d5-49a35a1736bf","type":"detection","updated_at":"2025-01-09T16:18:17.757Z","updated_by":"elastic","version":1} - - {"_version":"WzExNDYxLDFd","comments":[],"created_at":"2025-01-09T16:18:42.308Z","created_by":"elastic","description":"This - is a sample endpoint type - exception","entries":[{"type":"exists","field":"actingProcess.file.signer","operator":"excluded"},{"type":"match_any","field":"host.name","value":["some - host","another - host"],"operator":"included"}],"id":"f37597ce-eaa7-4b64-9100-4301118f6806","item_id":"simple_list_item","list_id":"simple_list","name":"Sample - Endpoint Exception - List","namespace_type":"single","os_types":["linux"],"tags":["user - added string for a - tag","malware"],"tie_breaker_id":"4ca3ef3e-9721-42c0-8107-cf47e094d40f","type":"simple","updated_at":"2025-01-09T16:18:42.308Z","updated_by":"elastic"} - format: binary - type: string - required: true + type: string responses: '200': content: application/json: examples: - withErrors: - value: - errors: - - error: - message: >- - Error found 
importing exception list: Invalid value - \"4\" supplied to \"list_id\" - status_code: 400 - list_id: (unknown list_id) - - error: - message: >- - Found that item_id: - \"f7fd00bb-dba8-4c93-9d59-6cbd427b6330\" already - exists. Import of item_id: - \"f7fd00bb-dba8-4c93-9d59-6cbd427b6330\" skipped. - status_code: 409 - item_id: f7fd00bb-dba8-4c93-9d59-6cbd427b6330 - list_id: 7d7cccb8-db72-4667-b1f3-648efad7c1ee - success: false, - success_count: 0, - success_count_exception_list_items: 0 - success_count_exception_lists: 0, - success_exception_list_items: false, - success_exception_lists: false, - withoutErrors: + getEnrollmentApiKeyExample: + description: An enrollment API key value: - errors: [] - success: true - success_count: 2 - success_count_exception_list_items: 1 - success_count_exception_lists: 1 - success_exception_list_items: true - success_exception_lists: true, + item: + active: true + api_key: api-key-value-1 + api_key_id: api-key-id-1 + created_at: '2024-01-01T00:00:00.000Z' + id: key-id-1 + name: Default policy enrollment key + policy_id: policy-id-1 schema: - type: object - properties: - errors: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListsImportBulkErrorArray - success: - type: boolean - success_count: - minimum: 0 - type: integer - success_count_exception_list_items: - minimum: 0 - type: integer - success_count_exception_lists: - minimum: 0 - type: integer - success_exception_list_items: - type: boolean - success_exception_lists: - type: boolean - required: - - errors - - success - - success_count - - success_exception_lists - - success_count_exception_lists - - success_exception_list_items - - success_count_exception_list_items + $ref: '#/components/schemas/Kibana_HTTP_APIs_enrollment_api_key_response' description: Successful response '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: >- - 
Multipart part `file` is required and must contain a valid - .ndjson exception list export + message: An error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': content: application/json: examples: - unauthorized: + notFoundExample: + description: No enrollment API key was found with the given ID value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': + error: Not Found + message: EnrollmentAPIKey key-id-1 not found + statusCode: 404 + description: Not Found + summary: Get an enrollment API key + tags: + - Fleet enrollment API keys + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/bulk_assets: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/bulk_assets
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve multiple Kibana saved object assets by their IDs and types.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: post-fleet-epm-bulk-assets + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + postBulkGetAssetsRequestExample: + description: Retrieve multiple assets by their IDs and types + value: + assetIds: + - id: dashboard-id-1 + type: dashboard + - id: index-pattern-id-1 + type: index_pattern + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_bulk_assets_request' + responses: + '200': content: application/json: examples: - forbidden: + postBulkGetAssetsExample: + description: Requested assets value: - error: Forbidden - message: >- - API [POST /api/exception_lists/_import] is unauthorized - for user, this action is granted by the Kibana privileges - [lists-all] - statusCode: 403 + items: + - appLink: /app/dashboards#/view/dashboard-id-1 + attributes: + title: My Dashboard + id: dashboard-id-1 + type: dashboard schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '500': + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_bulk_assets_response' + description: Successful response + '400': content: application/json: examples: - serverError: + genericErrorResponseExample: + description: Example of a generic error response value: - message: Internal Server Error - status_code: 500 + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Import an exception list + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + 
message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Bulk get assets tags: - - Security Exceptions API - /api/exception_lists/items: - delete: - description: Delete an exception list item using the `id` or `item_id` field. - operationId: DeleteExceptionListItem + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/categories: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/categories
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of integration categories.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-categories parameters: - - description: >- - Exception item's identifier. Either `id` or `item_id` must be - specified - in: query - name: id - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' - - description: >- - Human readable exception item string identifier, e.g. - `trusted-linux-processes`. Either `id` or `item_id` must be - specified + - description: When true, include prerelease packages in the results in: query - name: item_id + name: prerelease required: false schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId - - description: > - `single` deletes the item in the current Kibana space; `agnostic` - deletes an item in a space-agnostic list. Must match the list that - owns the item. - examples: - agnostic: - value: agnostic - single: - value: single + type: boolean + - description: When true, include categories that only contain policy templates in: query - name: namespace_type + name: include_policy_templates required: false schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - default: single + type: boolean responses: '200': content: application/json: examples: - simpleExceptionItem: + getCategoriesExample: + description: List of integration categories value: - _version: WzQsMV0= - comments: [] - created_at: 2025-01-07T20:07:33.119Z - created_by: elastic - description: This is a sample detection type exception item. 
- entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - - field: host.name - operator: included - type: match_any - value: - - saturn - - jupiter - id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c - type: simple - updated_at: 2025-01-07T20:07:33.119Z - updated_by: elastic + items: + - count: 42 + id: security + title: Security + - count: 38 + id: observability + title: Observability schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_categories_response' description: Successful response '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: >- - [request query]: namespace_type.0: Invalid enum value. - Expected 'agnostic' | 'single', received 'blob' + message: An error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get package categories + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/custom_integrations: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/custom_integrations
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new custom integration package with user-defined data streams.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-custom-integrations + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + postCreateCustomIntegrationRequestExample: + description: Create a new custom integration + value: + datasets: + - name: my_custom_logs.access + type: logs + integrationName: my_custom_logs + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_create_custom_integration_request' + responses: + '200': content: application/json: examples: - unauthorized: + postCreateCustomIntegrationExample: + description: Custom integration successfully created value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 + _meta: + install_source: custom + items: + - id: my_custom_logs-logs-my_custom_logs.access + type: index_template schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': + $ref: '#/components/schemas/Kibana_HTTP_APIs_install_package_response' + description: Successful response + '400': content: application/json: examples: - forbidden: + genericErrorResponseExample: + description: Example of a generic error response value: - error: Forbidden - message: >- - API [DELETE - /api/exception_lists/items?item_id=simple_list&namespace_type=single] - is unauthorized for user, this action is granted by the - Kibana privileges [lists-all] - statusCode: 403 + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: >- - 
#/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '404': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Create a custom integration + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/custom_integrations/{pkgName}: + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/fleet/epm/custom_integrations/{pkgName}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update the datasets of an existing custom integration package.

[Required authorization] Route required privileges: fleet-settings-all AND integrations-all. + operationId: put-fleet-epm-custom-integrations-pkgname + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Package name + in: path + name: pkgName + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + putUpdateCustomIntegrationRequestExample: + description: Update a custom integration + value: + datasets: + - name: my_custom_logs.access + type: logs + integrationName: my_custom_logs + schema: + additionalProperties: false + type: object + properties: + categories: + items: + type: string + maxItems: 10 + type: array + readMeData: + type: string + required: + - readMeData + responses: + '200': content: application/json: examples: - notFound: - value: - message: 'exception list item item_id: \"foo\" does not exist' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list item not found response - '500': + putUpdateCustomIntegrationExample: + description: Custom integration successfully updated + value: {} + description: Successful response + '400': content: application/json: examples: - serverError: + genericErrorResponseExample: + description: Example of a generic error response value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Delete an exception list item + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + 
type: number + required: + - message + - attributes + description: Bad Request + summary: Update a custom integration tags: - - Security Exceptions API + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/data_streams: get: - description: >- - Get the details of an exception list item using the `id` or `item_id` - field. - operationId: ReadExceptionListItem + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/data_streams
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of data streams created by installed integration packages.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-data-streams parameters: - - description: >- - Exception list item's identifier. Either `id` or `item_id` must be - specified. + - description: Filter by data stream type in: query - name: id + name: type required: false schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' - - description: >- - Human readable exception item string identifier, e.g. - `trusted-linux-processes`. Either `id` or `item_id` must be - specified. + enum: + - logs + - metrics + - traces + - synthetics + - profiling + type: string + - description: Filter data streams by dataset name in: query - name: item_id + name: datasetQuery required: false schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId - - description: > - `single` fetches the item in the current space; `agnostic` fetches a - global (space-agnostic) item. Must - - match how the list was created. - examples: - agnostic: - value: agnostic - single: - value: single + type: string + - description: Sort order, ascending or descending in: query - name: namespace_type + name: sortOrder required: false schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - default: single + default: asc + enum: + - asc + - desc + type: string + - description: When true, only return data streams that are not associated with a package + in: query + name: uncategorisedOnly + required: false + schema: + default: false + type: boolean responses: '200': content: application/json: examples: - simpleListItem: + getDataStreamsExample: + description: List of data streams from installed packages value: - _version: WzQsMV0= - comments: [] - created_at: 2025-01-07T20:07:33.119Z - created_by: elastic - description: This is a sample detection type exception item. 
- entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - - field: host.name - operator: included - type: match_any - value: - - saturn - - jupiter - id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c - type: simple - updated_at: 2025-01-07T20:07:33.119Z - updated_by: elastic + data_streams: + - ilm_policy: logs-default + index_template: logs-system.syslog + name: logs-system.syslog-default + package: system + package_version: 1.55.0 + title: System syslog logs schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_data_streams_response' description: Successful response '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: >- - [request query]: namespace_type.0: Invalid enum value. 
- Expected 'agnostic' | 'single', received 'blob' + message: An error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [GET - /api/exception_lists/items?item_id=&namespace_type=single] - is unauthorized for user, this action is granted by the - Kibana privileges [lists-read] - statusCode: 403 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '404': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get data streams + tags: + - Data streams + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/packages: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/packages
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of integration packages available in the registry.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-packages + parameters: + - description: Filter packages by category + in: query + name: category + required: false + schema: + type: string + - description: When true, include prerelease packages in the results + in: query + name: prerelease + required: false + schema: + type: boolean + - description: When true, exclude the install status from the response + in: query + name: excludeInstallStatus + required: false + schema: + type: boolean + - description: When true, include the number of package policies per package + in: query + name: withPackagePoliciesCount + required: false + schema: + type: boolean + responses: + '200': content: application/json: examples: - notFound: + getPackagesExample: + description: List of available integration packages value: - message: 'exception list item item_id: \"foo\" does not exist' - status_code: 404 + items: + - categories: + - cloud + description: Collect logs and metrics from Amazon Web Services + id: aws + name: aws + status: not_installed + title: AWS + version: 2.10.0 + searchExcluded: 0 + total: 1 schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list item not found response - '500': + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_packages_response' + description: Successful response + '400': content: application/json: examples: - serverError: + genericErrorResponseExample: + description: Example of a generic error response value: - message: Internal Server Error - status_code: 500 + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Get an exception list item + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + 
nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get packages tags: - - Security Exceptions API + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name post: - description: > - Create an exception item and associate it with the specified exception - list. + description: |- + **Spaces method and path for this operation:** - > info +
post /s/{space_id}/api/fleet/epm/packages
- > Before creating exception items, you must create an exception list. - operationId: CreateExceptionListItem + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Install a package by uploading a .zip or .tar.gz archive (max 100MB). Only available to superusers.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: When true, ignore mapping update errors during installation + in: query + name: ignoreMappingUpdateErrors + required: false + schema: + default: false + type: boolean + - description: When true, skip data stream rollover after installation + in: query + name: skipDataStreamRollover + required: false + schema: + default: false + type: boolean requestBody: content: - application/json: + application/gzip: examples: - simpleItem: - value: - description: This is a sample detection type exception item. - entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - type: simple + postInstallByUploadRequestExample: + description: Upload a .zip or .tar.gz package archive (max 100MB) + value: + application/gzip; application/zip: + examples: + postInstallByUploadRequestExample: + description: Upload a .zip or .tar.gz package archive (max 100MB) + value: schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemGeneric - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemEndpointList - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedAppsWindows - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedAppsMac - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedAppsLinux - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedDevicesWindows - - $ref: >- - 
#/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedDevicesMac - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedDevicesWindowsMac - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemEventFilters - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemHostIsolation - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBlocklistWindows - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBlocklistLinux - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBlocklistMac - description: Exception list item's properties - required: true + format: binary + type: string responses: '200': content: - application/json: - examples: - autogeneratedItemId: - value: - _version: WzYsMV0= - comments: [] - created_at: 2025-01-09T01:16:23.322Z - created_by: elastic - description: >- - This is a sample exception that has no item_id so it is - autogenerated. - entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - id: 323faa75-c657-4fa0-9084-8827612c207b - item_id: 80e6edf7-4b13-4414-858f-2fa74aa52b37 - list_id: 8c1aae4c-1ef5-4bce-a2e3-16584b501783 - name: Sample Autogenerated Exception List Item ID - namespace_type: single - os_types: [] - tags: - - malware - tie_breaker_id: d6799986-3a23-4213-bc6d-ed9463a32f23 - type: simple - updated_at: 2025-01-09T01:16:23.322Z - updated_by: elastic - detectionExceptionListItem: - value: - _version: WzQsMV0= - comments: [] - created_at: 2025-01-07T20:07:33.119Z - created_by: elastic - description: This is a sample detection type exception item. 
- entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c - type: simple - updated_at: 2025-01-07T20:07:33.119Z - updated_by: elastic - withExistEntry: - value: - _version: WzQsMV0= - comments: [] - created_at: 2025-01-07T20:07:33.119Z - created_by: elastic - description: This is a sample detection type exception item. - entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c - type: simple - updated_at: 2025-01-07T20:07:33.119Z - updated_by: elastic - withMatchAnyEntry: - value: - _version: WzQsMV0= - comments: [] - created_at: 2025-01-07T20:07:33.119Z - created_by: elastic - description: This is a sample detection type exception item. - entries: - - field: host.name - operator: included - type: match_any - value: - - saturn - - jupiter - id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c - type: simple - updated_at: 2025-01-07T20:07:33.119Z - updated_by: elastic - withMatchEntry: - value: - _version: WzQsMV0= - comments: [] - created_at: 2025-01-07T20:07:33.119Z - created_by: elastic - description: This is a sample detection type exception item. - entries: - - field: actingProcess.file.signer - operator: included - type: match - value: Elastic N.V. 
- id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c - type: simple - updated_at: 2025-01-07T20:07:33.119Z - updated_by: elastic - withNestedEntry: - value: - _version: WzQsMV0= - comments: [] - created_at: 2025-01-07T20:07:33.119Z - created_by: elastic - description: This is a sample detection type exception item. - entries: - - entries: - - field: signer - operator: included - type: match - value: Evil - - field: trusted - operator: included - type: match - value: true - field: file.signature - type: nested - id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c - type: simple - updated_at: 2025-01-07T20:07:33.119Z - updated_by: elastic - withValueListEntry: - value: - _version: WzcsMV0= - comments: [] - created_at: 2025-01-09T01:31:12.614Z - created_by: elastic - description: >- - Don't signal when agent.name is rock01 and source.ip is in - the goodguys.txt list - entries: - - field: source.ip - list: - id: goodguys.txt - type: ip - operator: excluded - type: list - id: deb26876-297d-4677-8a1f-35467d2f1c4f - item_id: 686b129e-9b8d-4c59-8d8d-c93a9ea82c71 - list_id: 8c1aae4c-1ef5-4bce-a2e3-16584b501783 - name: Filter out good guys ip and agent.name rock01 - namespace_type: single - os_types: [] - tags: - - malware - tie_breaker_id: 5e0288ce-6657-4c18-9dcc-00ec9e8cc6c8 - type: simple - updated_at: 2025-01-09T01:31:12.614Z - updated_by: elastic - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request, - message: '[request 
body]: list_id: Expected string, received number' - statusCode: 400, - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: + application/gzip; application/zip: examples: - unauthorized: + postInstallByUploadExample: + description: Package successfully installed from upload value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 + _meta: + install_source: upload + items: + - id: my-custom-package-logs-default + type: index_template schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: + $ref: '#/components/schemas/Kibana_HTTP_APIs_install_package_response' application/json: examples: - forbidden: + postInstallByUploadExample: + description: Package successfully installed from upload value: - error: Forbidden - message: >- - API [POST /api/exception_lists/items] is unauthorized for - user, this action is granted by the Kibana privileges - [lists-all] - statusCode: 403 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '409': + _meta: + install_source: upload + items: + - id: my-custom-package-logs-default + type: index_template + description: Successful response + '400': content: - application/json: + application/gzip; application/zip: examples: - alreadyExists: + genericErrorResponseExample: + description: Example of a generic error response value: - message: >- - exception list item id: \"simple_list_item\" already - exists - 
status_code: 409 + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list item already exists response - '500': - content: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes application/json: examples: - serverError: + genericErrorResponseExample: + description: Example of a generic error response value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Create an exception list item + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + description: Bad Request + summary: Install a package by upload tags: - - Security Exceptions API - put: - description: Update an exception list item using the `id` or `item_id` field. - operationId: UpdateExceptionListItem + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/packages/_bulk: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/packages/_bulk
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Install multiple packages from the Elastic Package Registry in a single request.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-bulk + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: When true, allow installing prerelease versions + in: query + name: prerelease + required: false + schema: + type: boolean requestBody: content: application/json: examples: - updateItem: + postBulkInstallPackagesRequestExample: + description: Install multiple packages from the registry value: - description: Updated description - id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - name: Updated name - namespace_type: single - type: simple + packages: + - system + - aws schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemGeneric - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemEndpointList - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedAppsWindows - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedAppsMac - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedAppsLinux - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesWindows - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesMac - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesWindowsMac - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemEventFilters - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemHostIsolation - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBlocklistWindows - - $ref: >- - 
#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBlocklistLinux - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBlocklistMac - description: Exception list item's properties - required: true + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_install_packages_from_registry_request' responses: '200': content: application/json: examples: - simpleListItem: + postBulkInstallPackagesExample: + description: Bulk install results value: - _version: WzEyLDFd - comments: [] - created_at: 2025-01-07T21:12:25.512Z - created_by: elastic - description: Updated description - entries: - - field: host.name - operator: included - type: match - value: rock01 - id: 459c5e7e-f8b2-4f0b-b136-c1fc702f72da - item_id: simple_list_item - list_id: simple_list - name: Updated name - namespace_type: single - os_types: [] - tags: [] - tie_breaker_id: ad0754ff-7b19-49ca-b73e-e6aff6bfa2d0 - type: simple - updated_at: 2025-01-07T21:34:50.233Z - updated_by: elastic + items: + - name: system + result: + assets: [] + status: installed + - name: aws + result: + assets: [] + status: installed schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_install_packages_from_registry_response' description: Successful response '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: '[request body]: item_id: Expected string, received number' + message: An error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - 
[security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [PUT /api/exception_lists/items] is unauthorized for - user, this action is granted by the Kibana privileges - [lists-all] - statusCode: 403 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message: 'exception list item item_id: \"foo\" does not exist' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list item not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Update an exception list item + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Bulk install packages tags: - - Security Exceptions API - /api/exception_lists/items/_find: - get: - description: Get a list of all exception list items in the specified list. - operationId: FindExceptionListItems - parameters: - - description: The `list_id`s of the items to fetch. 
- in: query - name: list_id - required: true - schema: - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListHumanId - type: array - - description: > - Filters the returned results according to the value of the specified - field, + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/packages/_bulk_namespace_customization: + post: + description: |- + **Spaces method and path for this operation:** - using the `:` syntax. - examples: - singleFilter: - value: - - exception-list.attributes.name:%My%20item - in: query - name: filter - required: false - schema: - default: [] - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_FindExceptionListItemsFilter - type: array - - description: > - Determines whether the returned containers are Kibana associated - with a Kibana space +
post /s/{space_id}/api/fleet/epm/packages/_bulk_namespace_customization
- or available in all spaces (`agnostic` or `single`) - examples: - single: - value: - - single - in: query - name: namespace_type - required: false - schema: - default: - - single - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - type: array - - description: > - Free-text search term applied to exception list item fields (for - example a hostname or file path fragment). - in: query - name: search - required: false - schema: - example: host.name - type: string - - description: The page number to return - in: query - name: page - required: false - schema: - example: 1 - minimum: 0 - type: integer - - description: The number of exception list items to return per page - in: query - name: per_page - required: false - schema: - example: 20 - minimum: 0 - type: integer - - description: Determines which field is used to sort the results. - example: name - in: query - name: sort_field - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - - description: Determines the sort order, which can be `desc` or `asc`. - in: query - name: sort_order - required: false + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Enable or disable namespace-level index template customization for a list of packages in one call. Use this for IaC-style declarative flows.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-bulk-namespace-customization + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - enum: - - desc - - asc - example: desc + example: 'true' type: string + requestBody: + content: + application/json: + examples: + bulkNamespaceCustomizationRequest: + value: + disable: + - dev + enable: + - production + - staging + packages: + - system + - nginx + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_namespace_customization_request' responses: '200': content: application/json: examples: - simpleListItems: + successResponse: value: - data: - - _version: WzgsMV0= - comments: [] - created_at: 2025-01-07T21:12:25.512Z - created_by: elastic - description: This is a sample exception item. - entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - - field: host.name - operator: included - type: match_any - value: - - jupiter - - saturn - id: 459c5e7e-f8b2-4f0b-b136-c1fc702f72da - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: ad0754ff-7b19-49ca-b73e-e6aff6bfa2d0 - type: simple - updated_at: 2025-01-07T21:12:25.512Z - updated_by: elastic - page: 1 - per_page: 20 - total: 1 - schema: - type: object - properties: - data: items: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItem - type: array - page: - minimum: 1 - type: integer - per_page: - minimum: 1 - type: integer - pit: - type: string - total: - minimum: 0 - type: integer - required: - - data - - page - - per_page - - total - description: Successful response + - name: system + namespace_customization_enabled_for: + - production + - staging + success: true + - error: Package nginx is not installed + name: nginx + success: false 
+ schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_namespace_customization_response' + description: 'OK: A successful request.' '400': content: application/json: examples: - badRequest: + badRequestResponse: value: error: Bad Request - message: >- - [request query]: namespace_type.0: Invalid enum value. - Expected 'agnostic' | 'single', received 'blob' + message: 'Namespaces must not appear in both enable and disable: production' statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: A bad request. + summary: Bulk enable/disable namespace-level customization for packages + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/packages/_bulk_rollback: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/packages/_bulk_rollback
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Rollback multiple packages to their previous versions.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-bulk-rollback + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + bulkRollbackRequest: + value: + packages: + - name: system + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_rollback_packages_request' + responses: + '200': content: application/json: examples: - unauthorized: + successResponse: value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 + taskId: taskId schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_rollback_packages_response' + description: 'OK: A successful request.' + '400': content: application/json: examples: - forbidden: + badRequestResponse: value: - error: Forbidden - message: >- - API [GET - /api/exception_lists/items/_find?list_id=simple_list&namespace_type=single] - is unauthorized for user, this action is granted by the - Kibana privileges [lists-read] - statusCode: 403 + message: Bad Request schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '404': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: A bad request. 
+ summary: Bulk rollback packages + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/packages/_bulk_rollback/{taskId}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/packages/_bulk_rollback/{taskId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the status and results of a bulk package rollback operation.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: get-fleet-epm-packages-bulk-rollback-taskid + parameters: + - description: Task ID of the bulk operation + in: path + name: taskId + required: true + schema: + type: string + responses: + '200': content: application/json: examples: - notFound: + successResponse: value: - message: 'exception list list_id: "foo" does not exist' - status_code: 404 + status: success schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list not found response - '500': + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_one_bulk_operation_packages_response' + description: 'OK: A successful request.' + '400': content: application/json: examples: - serverError: + badRequestResponse: value: - message: Internal Server Error - status_code: 500 + message: Bad Request schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Get exception list items - tags: - - Security Exceptions API - /api/exception_lists/summary: - get: - description: Get a summary of the specified exception list. - operationId: ReadExceptionListSummary - parameters: - - description: Exception list's identifier generated upon creation. - in: query - name: id - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' - - description: Exception list's human readable identifier. - in: query - name: list_id - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - - description: > - `single` returns summary for a list in the current space; `agnostic` - for a space-agnostic list. Must - - line up with `id` / `list_id` used to look up the list. 
- examples: - agnostic: - value: agnostic - single: - value: single - in: query - name: namespace_type - required: false - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - default: single - - description: Search filter clause - in: query - name: filter - required: false + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: A bad request. + summary: Get Bulk rollback packages details + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/packages/_bulk_uninstall: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/packages/_bulk_uninstall
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Uninstall multiple packages in a single operation.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-bulk-uninstall + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - example: >- - exception-list-agnostic.attributes.tags:"policy:policy-1" OR - exception-list-agnostic.attributes.tags:"policy:all" + example: 'true' type: string + requestBody: + content: + application/json: + examples: + postBulkUninstallPackagesRequestExample: + description: Uninstall multiple packages + value: + packages: + - name: aws + - name: gcp + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_uninstall_packages_request' responses: '200': content: application/json: examples: - summary: + postBulkUninstallPackagesExample: + description: Bulk uninstall task initiated value: - linux: 0 - macos: 0 - total: 0 - windows: 0 + taskId: task-id-1 schema: - type: object - properties: - linux: - minimum: 0 - type: integer - macos: - minimum: 0 - type: integer - total: - minimum: 0 - type: integer - windows: - minimum: 0 - type: integer + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_upgrade_packages_response' description: Successful response '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: >- - [request query]: namespace_type.0: Invalid enum value. 
- Expected 'agnostic' | 'single', received 'blob' + message: An error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Bulk uninstall packages + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/packages/_bulk_uninstall/{taskId}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/packages/_bulk_uninstall/{taskId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the status and results of a bulk package uninstall operation.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: get-fleet-epm-packages-bulk-uninstall-taskid + parameters: + - description: Task ID of the bulk operation + in: path + name: taskId + required: true + schema: + type: string + responses: + '200': content: application/json: examples: - unauthorized: + getBulkOperationDetailsExample: + description: Details of the bulk operation task value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 + packages: + - name: system + result: installed + - name: elastic_agent + result: installed + status: success schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_one_bulk_operation_packages_response' + description: Successful response + '400': content: application/json: examples: - forbidden: + genericErrorResponseExample: + description: Example of a generic error response value: - error: Forbidden - message: >- - API [GET - /api/exception_lists/summary?list_id=simple_list&namespace_type=agnostic] - is unauthorized for user, this action is granted by the - Kibana privileges [lists-summary] - statusCode: 403 + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '404': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - 
attributes + description: Bad Request + summary: Get Bulk uninstall packages details + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/packages/_bulk_upgrade: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/packages/_bulk_upgrade
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Upgrade multiple packages to their latest versions.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-bulk-upgrade + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + postBulkUpgradePackagesRequestExample: + description: Upgrade multiple packages to their latest versions + value: + packages: + - name: system + - name: elastic_agent + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_upgrade_packages_request' + responses: + '200': content: application/json: examples: - notFound: + postBulkUpgradePackagesExample: + description: Bulk upgrade task initiated value: - message": 'exception list id: "foo" does not exist' - status_code": 404 + taskId: task-id-1 schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list not found response - '500': + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_upgrade_packages_response' + description: Successful response + '400': content: application/json: examples: - serverError: + genericErrorResponseExample: + description: Example of a generic error response value: - message: Internal Server Error - status_code: 500 + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Get an exception list summary + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Bulk upgrade packages tags: - - Security Exceptions API - /api/exceptions/shared: - post: - 
description: > - An exception list groups exception items and can be associated with - detection rules. A shared exception list can apply to multiple detection - rules. + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/packages/_bulk_upgrade/{taskId}: + get: + description: |- + **Spaces method and path for this operation:** - > info +
get /s/{space_id}/api/fleet/epm/packages/_bulk_upgrade/{taskId}
- > All exception items added to the same list are evaluated using `OR` - logic. That is, if any of the items in a list evaluate to `true`, the - exception prevents the rule from generating an alert. Likewise, `OR` - logic is used for evaluating exceptions when more than one exception - list is assigned to a rule. To use the `AND` operator, you can define - multiple clauses (`entries`) in a single exception item. - operationId: CreateSharedExceptionList - requestBody: - content: - application/json: - examples: - createSharedExceptionList: - value: - description: This is a sample detection type exception list. - list_id: simple_list - name: Sample Detection Exception List - namespace_type: single - os_types: - - linux - tags: - - malware - schema: - type: object - properties: - description: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListDescription - name: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListName - required: - - name - - description - required: true + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the status and results of a bulk package upgrade operation.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: get-fleet-epm-packages-bulk-upgrade-taskid + parameters: + - description: Task ID of the bulk operation + in: path + name: taskId + required: true + schema: + type: string responses: '200': content: application/json: examples: - sharedList: + getBulkOperationDetailsExample: + description: Details of the bulk operation task value: - _version: WzIsMV0= - created_at: 2025-01-07T19:34:27.942Z - created_by: elastic - description: This is a sample detection type exception list. - id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 - immutable: false - list_id: simple_list - name: Sample Detection Exception List - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 - type: detection - updated_at: 2025-01-07T19:34:27.942Z - updated_by: elastic - version: 1 + packages: + - name: system + result: installed + - name: elastic_agent + result: installed + status: success schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_one_bulk_operation_packages_response' description: Successful response '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: '[request body]: list_id: Expected string, received number' + message: An error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: 
number + required: + - message + - attributes + description: Bad Request + summary: Get Bulk upgrade packages details + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/packages/{pkgName}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/epm/packages/{pkgName}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Uninstall a package and remove all its assets.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: delete-fleet-epm-packages-pkgname + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Package name + in: path + name: pkgName + required: true + schema: + type: string + - description: When true, delete the package even if it has active package policies + in: query + name: force + required: false + schema: + type: boolean + responses: + '200': content: application/json: examples: - unauthorized: + deletePackageExample: + description: Package successfully deleted value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 + items: + - id: aws-logs-aws.cloudwatch_logs-default + type: index_template schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': + $ref: '#/components/schemas/Kibana_HTTP_APIs_delete_package_response' + description: Successful response + '400': content: application/json: examples: - forbidden: + genericErrorResponseExample: + description: Example of a generic error response value: - message: Unable to create exception-list - status_code: 403 + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '409': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + 
type: number + required: + - message + - attributes + description: Bad Request + summary: Delete a package + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/packages/{pkgName}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get information about a package by name, returning the latest installed or available version. + operationId: get-fleet-epm-packages-pkgname + parameters: + - description: Package name + in: path + name: pkgName + required: true + schema: + type: string + - description: When true, returns the package even if the signature cannot be verified + in: query + name: ignoreUnverified + required: false + schema: + type: boolean + - description: When true, include prerelease versions + in: query + name: prerelease + required: false + schema: + type: boolean + - description: When true, return the full package info including assets + in: query + name: full + required: false + schema: + type: boolean + - description: When true, include package metadata such as whether it has package policies + in: query + name: withMetadata + required: false + schema: + default: false + type: boolean + responses: + '200': content: application/json: examples: - alreadyExists: + getPackageInfoExample: + description: Package details and installation status value: - message: 'exception list id: "simple_list" already exists' - status_code: 409 + item: + assets: + kibana: + dashboard: [] + index_pattern: [] + categories: + - cloud + description: Collect logs and metrics from Amazon Web Services + name: aws + status: installed + title: AWS + version: 2.10.0 schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list already exists response - '500': + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_info_response' + description: Successful response + '400': content: application/json: examples: - serverError: + genericErrorResponseExample: + description: Example of a generic error response value: - message: Internal Server Error - status_code: 500 + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - 
$ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Create a shared exception list + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get a package tags: - - Security Exceptions API - /api/fleet/agent_download_sources: - get: - description: >- - List all agent binary download sources.

[Required - authorization] Route required privileges: fleet-agent-policies-read OR - fleet-settings-read. - operationId: get-fleet-agent-download-sources - parameters: [] + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/packages/{pkgName}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Install the latest version of a package from the Elastic Package Registry.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-pkgname + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Package name + in: path + name: pkgName + required: true + schema: + type: string + - description: When true, allow installing prerelease versions + in: query + name: prerelease + required: false + schema: + type: boolean + - description: When true, ignore mapping update errors during installation + in: query + name: ignoreMappingUpdateErrors + required: false + schema: + default: false + type: boolean + - description: When true, skip data stream rollover after installation + in: query + name: skipDataStreamRollover + required: false + schema: + default: false + type: boolean + - description: Skip dependency validation when installing a package with dependencies + in: query + name: skipDependencyCheck + required: false + schema: + default: false + type: boolean + requestBody: + content: + application/json: + examples: + postInstallPackageRequestExample: + description: Install a package, optionally ignoring constraints + value: + ignore_constraints: false + schema: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_install_package_from_registry_request' + nullable: true responses: '200': content: application/json: examples: - getDownloadSourcesExample: - description: List of agent binary download sources + postInstallPackageExample: + description: Package successfully installed value: + _meta: + install_source: registry items: - - host: https://artifacts.elastic.co/downloads/ - id: download-source-id-1 - is_default: true - name: Elastic Artifacts - page: 1 - perPage: 20 - total: 1 + - id: aws-logs-aws.cloudwatch_logs-default + type: index_template schema: - additionalProperties: false - type: object - properties: - items: - items: 
- additionalProperties: false - type: object - properties: - auth: - additionalProperties: false - nullable: true - type: object - properties: - api_key: - type: string - headers: - items: - additionalProperties: false - type: object - properties: - key: - type: string - value: - type: string - required: - - key - - value - maxItems: 100 - type: array - password: - type: string - username: - type: string - host: - format: uri - type: string - id: - type: string - is_default: - default: false - type: boolean - name: - type: string - proxy_id: - description: >- - The ID of the proxy to use for this download source. - See the proxies API for more information. - nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - auth: - additionalProperties: false - type: object - properties: - api_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - password: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - key: - type: string - required: - - id - - name - - host - maxItems: 10000 - type: array - page: - type: number - perPage: - type: number - total: - type: number - required: - - items - - total - - page - - perPage + $ref: '#/components/schemas/Kibana_HTTP_APIs_install_package_response' description: Successful response '400': content: 
@@ -16764,14 +34361,22 @@ paths: - message - attributes description: Bad Request - summary: Get agent binary download sources + summary: Install a package from the registry tags: - - Elastic Agent binary download sources - post: - description: >- - Create a new agent binary download source.

[Required - authorization] Route required privileges: fleet-settings-all. - operationId: post-fleet-agent-download-sources + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/fleet/epm/packages/{pkgName}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update settings for a package, such as whether policies are kept up to date automatically.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: put-fleet-epm-packages-pkgname parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -16780,242 +34385,42 @@ paths: schema: example: 'true' type: string + - description: Package name + in: path + name: pkgName + required: true + schema: + type: string requestBody: content: application/json: examples: - postDownloadSourceRequestExample: - description: Create a new agent binary download source + putUpdatePackageNamespaceCustomizationExample: + description: Enable namespace-level customization for the `production` and `staging` namespaces value: - host: https://my-custom-host.example.com/downloads/ - is_default: false - name: My custom download source + namespace_customization_enabled_for: + - production + - staging + putUpdatePackageRequestExample: + description: Update keep_policies_up_to_date setting for a package + value: + keepPoliciesUpToDate: true schema: - additionalProperties: false - type: object - properties: - auth: - additionalProperties: false - nullable: true - type: object - properties: - api_key: - type: string - headers: - items: - additionalProperties: false - type: object - properties: - key: - type: string - value: - type: string - required: - - key - - value - maxItems: 100 - type: array - password: - type: string - username: - type: string - host: - format: uri - type: string - id: - type: string - is_default: - default: false - type: boolean - name: - type: string - proxy_id: - description: >- - The ID of the proxy to use for this download source. See the - proxies API for more information. 
- nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - auth: - additionalProperties: false - type: object - properties: - api_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - password: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - key: - type: string - required: - - name - - host + $ref: '#/components/schemas/Kibana_HTTP_APIs_update_package_request' responses: '200': content: application/json: examples: - postDownloadSourceExample: - description: The created agent binary download source + putUpdatePackageExample: + description: Updated package settings value: item: - host: https://my-custom-host.example.com/downloads/ - id: download-source-id-2 - is_default: false - name: My custom download source + keepPoliciesUpToDate: true + name: aws + version: 2.10.0 schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - auth: - additionalProperties: false - nullable: true - type: object - properties: - api_key: - type: string - headers: - items: - additionalProperties: false - type: object - properties: - key: - type: string - value: - type: string - required: - - key - - value - maxItems: 100 - type: array - password: - type: string - username: - type: string - host: - format: uri - type: string - id: - type: string - is_default: - default: false - type: boolean - name: - type: string - proxy_id: - description: >- 
- The ID of the proxy to use for this download source. - See the proxies API for more information. - nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - auth: - additionalProperties: false - type: object - properties: - api_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - password: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - key: - type: string - required: - - id - - name - - host - required: - - item + $ref: '#/components/schemas/Kibana_HTTP_APIs_update_package_response' description: Successful response '400': content: @@ -17046,46 +34451,168 @@ paths: - message - attributes description: Bad Request - summary: Create an agent binary download source + summary: Update package settings tags: - - Elastic Agent binary download sources - /api/fleet/agent_download_sources/{sourceId}: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/packages/{pkgName}/{pkgVersion}: delete: - description: >- - Delete an agent binary download source by ID.

[Required - authorization] Route required privileges: fleet-settings-all. - operationId: delete-fleet-agent-download-sources-sourceid + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Uninstall a specific version of a package and remove all its assets.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: delete-fleet-epm-packages-pkgname-pkgversion parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: - example: 'true' - type: string - - description: The ID of the download source - in: path - name: sourceId - required: true + example: 'true' + type: string + - description: Package name + in: path + name: pkgName + required: true + schema: + type: string + - description: Package version + in: path + name: pkgVersion + required: true + schema: + type: string + - description: When true, delete the package even if it has active package policies + in: query + name: force + required: false + schema: + type: boolean + responses: + '200': + content: + application/json: + examples: + deletePackageExample: + description: Package successfully deleted + value: + items: + - id: aws-logs-aws.cloudwatch_logs-default + type: index_template + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_delete_package_response' + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Delete a package + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get information about a specific version of a package. + operationId: get-fleet-epm-packages-pkgname-pkgversion + parameters: + - description: Package name + in: path + name: pkgName + required: true + schema: + type: string + - description: Package version + in: path + name: pkgVersion + required: true + schema: + type: string + - description: When true, returns the package even if the signature cannot be verified + in: query + name: ignoreUnverified + required: false + schema: + type: boolean + - description: When true, include prerelease versions + in: query + name: prerelease + required: false + schema: + type: boolean + - description: When true, return the full package info including assets + in: query + name: full + required: false + schema: + type: boolean + - description: When true, include package metadata such as whether it has package policies + in: query + name: withMetadata + required: false schema: - type: string + default: false + type: boolean responses: '200': content: application/json: examples: - deleteDownloadSourceExample: - description: The download source was successfully deleted + getPackageInfoExample: + description: Package details and installation status value: - id: download-source-id-1 + item: + assets: + kibana: + dashboard: [] + index_pattern: [] + categories: + - cloud + description: Collect logs and metrics from Amazon Web Services + name: aws + status: installed + title: AWS + version: 2.10.0 schema: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_info_response' description: Successful response '400': content: 
@@ -17116,156 +34643,96 @@ paths: - message - attributes description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No download source was found with the given ID - value: - error: Not Found - message: Agent binary source download-source-id-1 not found - statusCode: 404 - description: Not Found - summary: Delete an agent binary download source + summary: Get a package tags: - - Elastic Agent binary download sources - get: - description: >- - Get an agent binary download source by ID.

[Required - authorization] Route required privileges: fleet-agent-policies-read OR - fleet-settings-read. - operationId: get-fleet-agent-download-sources-sourceid + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Install a specific version of a package from the Elastic Package Registry.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-pkgname-pkgversion parameters: - - description: The ID of the download source + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Package name in: path - name: sourceId + name: pkgName + required: true + schema: + type: string + - description: Package version + in: path + name: pkgVersion required: true schema: type: string + - description: When true, allow installing prerelease versions + in: query + name: prerelease + required: false + schema: + type: boolean + - description: When true, ignore mapping update errors during installation + in: query + name: ignoreMappingUpdateErrors + required: false + schema: + default: false + type: boolean + - description: When true, skip data stream rollover after installation + in: query + name: skipDataStreamRollover + required: false + schema: + default: false + type: boolean + - description: Skip dependency validation when installing a package with dependencies + in: query + name: skipDependencyCheck + required: false + schema: + default: false + type: boolean + requestBody: + content: + application/json: + examples: + postInstallPackageRequestExample: + description: Install a package, optionally ignoring constraints + value: + ignore_constraints: false + schema: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_install_package_from_registry_request' + nullable: true responses: '200': content: application/json: examples: - getDownloadSourceExample: - description: An agent binary download source + postInstallPackageExample: + description: Package successfully installed value: - item: - host: https://artifacts.elastic.co/downloads/ - id: download-source-id-1 - is_default: true - name: Elastic Artifacts + _meta: + install_source: registry + items: + - id: 
aws-logs-aws.cloudwatch_logs-default + type: index_template schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - auth: - additionalProperties: false - nullable: true - type: object - properties: - api_key: - type: string - headers: - items: - additionalProperties: false - type: object - properties: - key: - type: string - value: - type: string - required: - - key - - value - maxItems: 100 - type: array - password: - type: string - username: - type: string - host: - format: uri - type: string - id: - type: string - is_default: - default: false - type: boolean - name: - type: string - proxy_id: - description: >- - The ID of the proxy to use for this download source. - See the proxies API for more information. - nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - auth: - additionalProperties: false - type: object - properties: - api_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - password: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - key: - type: string - required: - - id - - name - - host - required: - - item + $ref: '#/components/schemas/Kibana_HTTP_APIs_install_package_response' description: Successful response '400': content: 
@@ -17296,25 +34763,22 @@ paths: - message - attributes description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No download source was found with the given ID - value: - error: Not Found - message: Agent binary source download-source-id-1 not found - statusCode: 404 - description: Not Found - summary: Get an agent binary download source + summary: Install a package from the registry tags: - - Elastic Agent binary download sources + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name put: - description: >- - Update an agent binary download source by ID.

[Required - authorization] Route required privileges: fleet-settings-all. - operationId: put-fleet-agent-download-sources-sourceid + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update settings for a specific version of a package.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: put-fleet-epm-packages-pkgname-pkgversion parameters: - description: A required header to protect against CSRF attacks in: header @@ -17323,9 +34787,15 @@ paths: schema: example: 'true' type: string - - description: The ID of the download source + - description: Package name in: path - name: sourceId + name: pkgName + required: true + schema: + type: string + - description: Package version + in: path + name: pkgVersion required: true schema: type: string 
@@ -17333,239 +34803,108 @@ paths: content: application/json: examples: - putDownloadSourceRequestExample: - description: Update an agent binary download source + putUpdatePackageNamespaceCustomizationExample: + description: Enable namespace-level customization for the `production` and `staging` namespaces value: - host: https://updated-host.example.com/downloads/ - is_default: false - name: Updated download source + namespace_customization_enabled_for: + - production + - staging + putUpdatePackageRequestExample: + description: Update keep_policies_up_to_date setting for a package + value: + keepPoliciesUpToDate: true schema: - additionalProperties: false - type: object - properties: - auth: - additionalProperties: false - nullable: true - type: object - properties: - api_key: - type: string - headers: - items: - additionalProperties: false - type: object - properties: - key: - type: string - value: - type: string - required: - - key - - value - maxItems: 100 - type: array - password: - type: string - username: - type: string - host: - format: uri - type: string - id: - type: string - is_default: - default: false - type: boolean - name: - type: string - proxy_id: - description: >- - The ID of the proxy to use for this download source. See the - proxies API for more information. 
- nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - auth: - additionalProperties: false - type: object - properties: - api_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - password: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - key: - type: string - required: - - name - - host + $ref: '#/components/schemas/Kibana_HTTP_APIs_update_package_request' responses: '200': content: application/json: examples: - putDownloadSourceExample: - description: The updated agent binary download source + putUpdatePackageExample: + description: Updated package settings value: item: - host: https://updated-host.example.com/downloads/ - id: download-source-id-1 - is_default: false - name: Updated download source + keepPoliciesUpToDate: true + name: aws + version: 2.10.0 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_update_package_response' + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: additionalProperties: false + description: Generic Error type: object properties: - item: - additionalProperties: false - type: object - properties: - auth: - additionalProperties: false - nullable: true - type: object - properties: - api_key: - type: string - headers: - items: - 
additionalProperties: false - type: object - properties: - key: - type: string - value: - type: string - required: - - key - - value - maxItems: 100 - type: array - password: - type: string - username: - type: string - host: - format: uri - type: string - id: - type: string - is_default: - default: false - type: boolean - name: - type: string - proxy_id: - description: >- - The ID of the proxy to use for this download source. - See the proxies API for more information. - nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - auth: - additionalProperties: false - type: object - properties: - api_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - password: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - key: - type: string - required: - - id - - name - - host + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number required: - - item - description: Successful response + - message + - attributes + description: Bad Request + summary: Update package settings + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the contents of a specific file from a package.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-packages-pkgname-pkgversion-filepath + parameters: + - description: Package name + in: path + name: pkgName + required: true + schema: + type: string + - description: Package version + in: path + name: pkgVersion + required: true + schema: + type: string + - description: File path within the package + in: path + name: filePath + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getPackageFileExample: + description: The content of the requested package file + value: + schema: {} + description: Successful response — returns the file content '400': content: application/json: @@ -17595,138 +34934,219 @@ paths: - message - attributes description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No download source was found with the given ID - value: - error: Not Found - message: Download source download-source-id-1 not found - statusCode: 404 - description: Not Found - summary: Update an agent binary download source + summary: Get a package file tags: - - Elastic Agent binary download sources - /api/fleet/agent_policies: - get: - description: >- - List all agent policies.
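Review bot: The 200 response of `get /api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}` is declared under `application/json` with an empty `schema: {}` and an example whose `value:` is empty, while its description says it returns the file content; package files are not generally JSON, so the spec should either list the media types the route actually serves or say in the description that the content type follows the requested file. The `filePath` parameter description `File path within the package` would also be clearer if it stated that the path is resolved inside the package only, so API consumers do not expect parent-directory segments to be honoured — that is handler behaviour the bundle cannot show, so confirm it against the route implementation before wording it. This file is a generated OAS bundle, so both changes belong in the route definition it is produced from.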

[Required authorization] Route - required privileges: fleet-agent-policies-read OR fleet-agents-read OR - fleet-setup. - operationId: get-fleet-agent-policies + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/packages/{pkgName}/{pkgVersion}/datastream_assets: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/datastream_assets
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete datastream assets for a specific input package, by data stream name.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: delete-fleet-epm-packages-pkgname-pkgversion-datastream-assets parameters: - - description: Page number - in: query - name: page - required: false - schema: - type: number - - description: Number of results per page - in: query - name: perPage - required: false - schema: - type: number - - description: Field to sort results by - in: query - name: sortField - required: false + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: + example: 'true' type: string - - description: Sort order, ascending or descending - in: query - name: sortOrder - required: false + - description: Package name + in: path + name: pkgName + required: true schema: - enum: - - desc - - asc type: string - - description: When true, only show policies with upgradeable agents - in: query - name: showUpgradeable - required: false - schema: - type: boolean - - description: A KQL query string to filter results - in: query - name: kuery - required: false + - description: Package version + in: path + name: pkgVersion + required: true schema: type: string - - description: use withAgentCount instead - in: query - name: noAgentCount - required: false - schema: - deprecated: true - type: boolean - - description: get policies with agent count + - description: The ID of the package policy in: query - name: withAgentCount - required: false + name: packagePolicyId + required: true schema: - type: boolean - - description: get full policies with package policies populated - in: query - name: full - required: false + type: string + responses: + '200': + content: + application/json: + examples: + deletePackageDatastreamAssetsExample: + description: Package datastream assets successfully deleted + value: + items: + - id: logs-my_package.access-default + type: index_template + schema: + $ref: 
'#/components/schemas/Kibana_HTTP_APIs_delete_package_datastream_assets_response' + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Delete assets for an input package + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/packages/{pkgName}/{pkgVersion}/dependencies: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/dependencies
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the list of packages that a specific package depends on.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-packages-pkgname-pkgversion-dependencies + parameters: + - description: Package name + in: path + name: pkgName + required: true schema: - type: boolean - - description: 'Format for the response: simplified or legacy' - in: query - name: format - required: false + type: string + - description: Package version + in: path + name: pkgVersion + required: true schema: - enum: - - simplified - - legacy type: string responses: '200': content: application/json: examples: - getAgentPoliciesExample: - description: List of agent policies + dependenciesResponse: value: items: - - description: A sample agent policy - id: agent-policy-id-1 - is_managed: false - is_protected: false - name: My agent policy - namespace: default - revision: 1 - status: active - updated_at: '2024-01-15T10:00:00.000Z' - updated_by: user1 - page: 1 - perPage: 20 - total: 1 + - name: aws + title: AWS + version: ^2.0.0 + - name: system + title: System + version: ^1.0.0 + noDependenciesResponse: + value: + items: [] + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_dependencies_response' + description: 'OK: A successful request.' + '400': + content: + application/json: + examples: + packageNotFoundResponse: + value: + message: '[my-package-1.0.0] package not found in registry' schema: additionalProperties: false + description: Generic Error type: object properties: - items: - items: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_agent_policy_response - maxItems: 10000 - type: array - page: - type: number - perPage: - type: number - total: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: type: number required: - - items - - total - - page - - perPage + - message + - attributes + description: A bad request. 
+ summary: Get package dependencies + tags: + - Elastic Package Manager (EPM) + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete Kibana assets (dashboards, visualizations, etc.) for a specific package version.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: delete-fleet-epm-packages-pkgname-pkgversion-kibana-assets + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Package name + in: path + name: pkgName + required: true + schema: + type: string + - description: Package version + in: path + name: pkgVersion + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + deleteKibanaAssetsExample: + description: Kibana assets successfully deleted + value: + items: + - id: dashboard-id-1 + type: dashboard + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_install_kibana_assets_response' description: Successful response '400': content: @@ -17757,14 +35177,22 @@ paths: - message - attributes description: Bad Request - summary: Get agent policies + summary: Delete Kibana assets for a package tags: - - Elastic Agent policies + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name post: - description: >- - Create a new agent policy.
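Review bot: In the 400 response of `get /api/fleet/epm/packages/{pkgName}/{pkgVersion}/dependencies`, the `packageNotFoundResponse` example is `message: '[my-package-1.0.0] package not found in registry'` alone, whereas the schema directly below it lists `error`, `errorType`, `statusCode` and marks `attributes` as required alongside `message`; the example therefore carries less than the `genericErrorResponseExample` (`error`, `message`, `statusCode`) used by the neighbouring operations and, like them, omits the required `attributes` key. The same shortened example (`badRequestResponse: value: message: Bad Request`) appears in the `review_upgrade` and `rollback` hunks further down. Either extend these examples to match the generic error shape or reuse the generic example so readers see one consistent error contract. As this is a generated bundle, the change belongs in the route definitions it is built from.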

[Required authorization] Route - required privileges: fleet-agent-policies-all. - operationId: post-fleet-agent-policies + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Install Kibana assets (dashboards, visualizations, etc.) for a specific package version.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-pkgname-pkgversion-kibana-assets parameters: - description: A required header to protect against CSRF attacks in: header @@ -17773,49 +35201,42 @@ paths: schema: example: 'true' type: string - - description: Whether to add the system integration to the new agent policy - in: query - name: sys_monitoring - required: false + - description: Package name + in: path + name: pkgName + required: true schema: - type: boolean + type: string + - description: Package version + in: path + name: pkgVersion + required: true + schema: + type: string requestBody: content: application/json: examples: - postAgentPolicyRequestExample: - description: Create a new agent policy - value: - description: A sample agent policy - monitoring_enabled: - - logs - - metrics - name: My agent policy - namespace: default + postInstallKibanaAssetsRequestExample: + description: Install Kibana assets for a specific package version + value: {} schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_agent_policy' + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_install_kibana_assets_request' + nullable: true responses: '200': content: application/json: examples: - postAgentPolicyExample: - description: The created agent policy + postInstallKibanaAssetsExample: + description: Kibana assets successfully installed value: - item: - description: A sample agent policy - id: agent-policy-id-2 - is_managed: false - is_protected: false - name: My agent policy - namespace: default - revision: 1 - status: active - updated_at: '2024-01-15T10:00:00.000Z' - updated_by: user1 + items: + - id: dashboard-id-1 + type: dashboard schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_get_agent_policy_response + $ref: '#/components/schemas/Kibana_HTTP_APIs_install_kibana_assets_response' description: Successful response '400': content: 
@@ -17846,16 +35267,23 @@ paths: - message - attributes description: Bad Request - summary: Create an agent policy + summary: Install Kibana assets for a package tags: - - Elastic Agent policies - /api/fleet/agent_policies/_bulk_get: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/packages/{pkgName}/{pkgVersion}/rule_assets: post: - description: >- - Get multiple agent policies by ID.

[Required authorization] - Route required privileges: fleet-agent-policies-read OR - fleet-agents-read OR fleet-setup. - operationId: post-fleet-agent-policies-bulk-get + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/rule_assets
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Install Kibana alert rule assets for a specific package version.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-pkgname-pkgversion-rule-assets parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -17864,63 +35292,42 @@ paths: schema: example: 'true' type: string - - description: 'Format for the response: simplified or legacy' - in: query - name: format - required: false + - description: Package name + in: path + name: pkgName + required: true + schema: + type: string + - description: Package version + in: path + name: pkgVersion + required: true schema: - enum: - - simplified - - legacy type: string requestBody: content: application/json: examples: - postBulkGetAgentPoliciesRequestExample: - description: Retrieve multiple agent policies by ID - value: - ids: - - agent-policy-id-1 - - agent-policy-id-2 + postInstallRuleAssetsRequestExample: + description: Install alert rule assets for a specific package version + value: {} schema: - additionalProperties: false - type: object - properties: - full: - description: get full policies with package policies populated - type: boolean - ids: - description: list of package policy ids - items: - type: string - maxItems: 1000 - type: array - ignoreMissing: - type: boolean - required: - - ids + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_install_rule_assets_request' + nullable: true responses: '200': content: application/json: examples: - postBulkGetAgentPoliciesExample: - description: The requested agent policies + postInstallRuleAssetsExample: + description: Rule assets successfully installed value: items: - - id: agent-policy-id-1 - is_managed: false - is_protected: false - name: My agent policy - namespace: default - revision: 1 - status: active - updated_at: '2024-01-15T10:00:00.000Z' - updated_by: user1 + - id: rule-asset-id-1 + type: security_rule schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_bulk_get_agent_policies_response + $ref: '#/components/schemas/Kibana_HTTP_APIs_install_kibana_assets_response' description: Successful response '400': content: 
@@ -17951,65 +35358,89 @@ paths: - message - attributes description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: One or more agent policies were not found - value: - error: Not Found - message: An error message describing what went wrong - statusCode: 404 - description: Not Found - summary: Bulk get agent policies + summary: Install Kibana alert rule for a package tags: - - Elastic Agent policies - /api/fleet/agent_policies/{agentPolicyId}: - get: - description: >- - Get an agent policy by ID.

[Required authorization] Route - required privileges: fleet-agent-policies-read OR fleet-agents-read OR - fleet-setup. - operationId: get-fleet-agent-policies-agentpolicyid + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/packages/{pkgName}/{pkgVersion}/transforms/authorize: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/transforms/authorize
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Reauthorize Elasticsearch transforms installed by a package with secondary authorization headers. + operationId: post-fleet-epm-packages-pkgname-pkgversion-transforms-authorize parameters: - - description: The ID of the agent policy + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Package name in: path - name: agentPolicyId + name: pkgName required: true schema: type: string - - description: 'Format for the response: simplified or legacy' + - description: Package version + in: path + name: pkgVersion + required: true + schema: + type: string + - description: When true, allow prerelease versions in: query - name: format + name: prerelease required: false schema: - enum: - - simplified - - legacy - type: string + type: boolean + requestBody: + content: + application/json: + examples: + postReauthorizeTransformsRequestExample: + description: Reauthorize transforms for a package + value: + transforms: + - destinations: + - index: logs-transform-dest + transformId: logs-transform-1 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_reauthorize_transform_request' responses: '200': content: application/json: examples: - getAgentPolicyExample: - description: An agent policy + postReauthorizeTransformsExample: + description: Transforms successfully reauthorized value: - item: - description: A sample agent policy - id: agent-policy-id-1 - is_managed: false - is_protected: false - name: My agent policy - namespace: default - revision: 1 - status: active - updated_at: '2024-01-15T10:00:00.000Z' - updated_by: user1 + - success: true + transformId: logs-transform-1 schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_get_agent_policy_response + items: + additionalProperties: false + type: object + properties: + error: + nullable: true + 
success: + type: boolean + transformId: + type: string + required: + - transformId + - success + - error + maxItems: 10000 + type: array description: Successful response '400': content: @@ -18040,25 +35471,23 @@ paths: - message - attributes description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No agent policy was found with the given ID - value: - error: Not Found - message: Agent policy not found - statusCode: 404 - description: Not Found - summary: Get an agent policy + summary: Authorize transforms tags: - - Elastic Agent policies - put: - description: >- - Update an agent policy by ID.
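Review bot: The description of `post /api/fleet/epm/packages/{pkgName}/{pkgVersion}/transforms/authorize` stops after `Reauthorize Elasticsearch transforms installed by a package with secondary authorization headers.` and lacks the `[Required authorization] Route required privileges: …` sentence that every other operation in these hunks carries; for a mutating route that forwards secondary authorization this is the line a reader most needs, so it should be added with the privileges the route actually declares (not visible here). Its 200 schema is also written out inline, unlike the sibling operations that use a `$ref` to a named response schema; if a named schema exists for this response, referencing it would keep the bundle consistent. Both changes belong in the route definition this generated bundle is produced from.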

[Required authorization] Route - required privileges: fleet-agent-policies-all. - operationId: put-fleet-agent-policies-agentpolicyid + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/packages/{pkgName}/review_upgrade: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/review_upgrade
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Review and accept or reject a pending policy upgrade for a package that contains deprecations.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-pkgname-review-upgrade parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -18067,68 +35496,40 @@ paths: schema: example: 'true' type: string - - description: The ID of the agent policy + - description: Package name to review upgrade for in: path - name: agentPolicyId + name: pkgName required: true schema: type: string - - description: 'Format for the response: simplified or legacy' - in: query - name: format - required: false - schema: - enum: - - simplified - - legacy - type: string requestBody: content: application/json: examples: - putAgentPolicyRequestExample: - description: Update an agent policy + acceptUpgrade: value: - description: An updated agent policy description - monitoring_enabled: - - logs - name: Updated agent policy - namespace: default + action: accept + target_version: 2.0.0 schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_agent_policy' + $ref: '#/components/schemas/Kibana_HTTP_APIs_review_upgrade_request' responses: '200': content: application/json: examples: - putAgentPolicyExample: - description: The updated agent policy + successResponse: value: - item: - description: An updated agent policy description - id: agent-policy-id-1 - is_managed: false - is_protected: false - name: Updated agent policy - namespace: default - revision: 2 - status: active - updated_at: '2024-01-15T11:00:00.000Z' - updated_by: user1 + success: true schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_get_agent_policy_response - description: Successful response + $ref: '#/components/schemas/Kibana_HTTP_APIs_review_upgrade_response' + description: 'OK: A successful request.' '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequestResponse: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + message: Bad Request schema: additionalProperties: false description: Generic Error 
@@ -18147,21 +35548,36 @@ paths: required: - message - attributes - description: Bad Request - summary: Update an agent policy + description: A bad request. + summary: Review a pending policy upgrade for a package with deprecations tags: - - Elastic Agent policies - /api/fleet/agent_policies/{agentPolicyId}/auto_upgrade_agents_status: - get: - description: >- - Get the auto-upgrade status for agents assigned to an agent - policy.

[Required authorization] Route required privileges: - fleet-agents-read. - operationId: get-fleet-agent-policies-agentpolicyid-auto-upgrade-agents-status + - Elastic Package Manager (EPM) + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/packages/{pkgName}/rollback: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/rollback
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Rollback a package to its previously installed version.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-pkgname-rollback parameters: - - description: The ID of the agent policy + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Package name to roll back in: path - name: agentPolicyId + name: pkgName required: true schema: type: string 
@@ -18170,72 +35586,20 @@ paths: content: application/json: examples: - getAutoUpgradeAgentsStatusExample: - description: Auto-upgrade status for agents in the policy + successResponse: value: - agentsCount: 5 - currentVersion: 8.16.0 - failedAgentsCount: 0 - upgradedAgentsCount: 3 - upgradingAgentsCount: 1 + success: true + version: 1.0.0 schema: - additionalProperties: false - type: object - properties: - currentVersions: - items: - additionalProperties: false - type: object - properties: - agents: - description: Number of agents that upgraded to this version - type: number - failedUpgradeActionIds: - description: List of action IDs related to failed upgrades - items: - type: string - maxItems: 1000 - type: array - failedUpgradeAgents: - description: >- - Number of agents that failed to upgrade to this - version - type: number - inProgressUpgradeActionIds: - description: List of action IDs related to in-progress upgrades - items: - type: string - maxItems: 1000 - type: array - inProgressUpgradeAgents: - description: Number of agents that are upgrading to this version - type: number - version: - description: Agent version - type: string - required: - - version - - agents - - failedUpgradeAgents - - inProgressUpgradeAgents - maxItems: 10000 - type: array - totalAgents: - type: number - required: - - currentVersions - - totalAgents - description: Successful response + $ref: '#/components/schemas/Kibana_HTTP_APIs_rollback_package_response' + description: 'OK: A successful request.' '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequestResponse: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + message: Bad Request schema: additionalProperties: false description: Generic Error 
@@ -18254,72 +35618,44 @@ paths: required: - message - attributes - description: Bad Request - summary: Get auto upgrade agent status + description: A bad request. + summary: Rollback a package to previous version tags: - - Elastic Agent policies - /api/fleet/agent_policies/{agentPolicyId}/copy: - post: - description: >- - Copy an agent policy by ID.

[Required authorization] Route - required privileges: fleet-agent-policies-all. - operationId: post-fleet-agent-policies-agentpolicyid-copy + - Elastic Package Manager (EPM) + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/packages/{pkgName}/stats: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/packages/{pkgName}/stats
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get usage statistics for a specific package, such as the number of agent policies using it.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-packages-pkgname-stats parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The ID of the agent policy + - description: Package name in: path - name: agentPolicyId + name: pkgName required: true schema: type: string - - description: 'Format for the response: simplified or legacy' - in: query - name: format - required: false - schema: - enum: - - simplified - - legacy - type: string - requestBody: - content: - application/json: - examples: - postCopyAgentPolicyRequestExample: - description: Copy an agent policy with a new name - value: - description: A copy of the original agent policy - name: Copy of my agent policy - schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_copy_agent_policy_request' responses: '200': content: application/json: examples: - postCopyAgentPolicyExample: - description: The copied agent policy + getPackageStatsExample: + description: Usage stats for a specific package value: - item: - description: A copy of the original agent policy - id: agent-policy-id-copy-1 - is_managed: false - is_protected: false - name: Copy of my agent policy - namespace: default - revision: 1 - status: active - updated_at: '2024-01-15T11:00:00.000Z' - updated_by: user1 + response: + agent_policy_count: 3 schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_get_agent_policy_response + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_stats_response' description: Successful response '400': content: 
@@ -18350,65 +35686,98 @@ paths: - message - attributes description: Bad Request - summary: Copy an agent policy + summary: Get package stats tags: - - Elastic Agent policies - /api/fleet/agent_policies/{agentPolicyId}/download: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/packages/installed: get: - description: >- - Download an agent policy by ID.

[Required authorization] Route - required privileges: fleet-agent-policies-read OR fleet-setup. - operationId: get-fleet-agent-policies-agentpolicyid-download + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/packages/installed
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all currently installed integration packages.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-packages-installed parameters: - - description: The ID of the agent policy - in: path - name: agentPolicyId - required: true + - description: Filter by data stream type + in: query + name: dataStreamType + required: false schema: + enum: + - logs + - metrics + - traces + - synthetics + - profiling type: string - - description: If true, returns the policy as a downloadable file + - description: When true, only return packages with active data streams in: query - name: download + name: showOnlyActiveDataStreams required: false schema: type: boolean - - description: If true, returns the policy formatted for standalone agents + - description: Filter packages by name in: query - name: standalone + name: nameQuery required: false schema: - type: boolean - - description: If true, returns the policy formatted for Kubernetes deployment + type: string + - description: Sort values from the previous page for `search_after` pagination in: query - name: kubernetes + name: searchAfter required: false schema: - type: boolean - - description: >- - If provided, returns the policy at the specified revision. Cannot be - used with standalone or kubernetes flags. 
+ items: + anyOf: + - type: string + - type: number + maxItems: 10 + type: array + - description: Number of results per page in: query - name: revision + name: perPage required: false schema: + default: 15 type: number + - description: Sort order, ascending or descending + in: query + name: sortOrder + required: false + schema: + default: asc + enum: + - asc + - desc + type: string responses: '200': content: application/json: examples: - getDownloadAgentPolicyExample: - description: The agent policy download response + getInstalledPackagesExample: + description: List of installed integration packages value: - item: >- - id: agent-policy-id-1\nrevision: 1\noutputs:\n - default:\n type: elasticsearch\n hosts:\n - - https://elasticsearch.example.com:9200\n + items: + - name: system + status: installed + title: System + version: 1.55.0 + - name: elastic_agent + status: installed + title: Elastic Agent + version: 1.15.0 + searchExcluded: 0 + total: 2 schema: - type: string - description: >- - Successful response — returns the agent policy as a YAML file - download + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_installed_packages_response' + description: Successful response '400': content: application/json: @@ -18438,16 +35807,48 @@ paths: - message - attributes description: Bad Request - '404': + summary: Get installed packages + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/packages/limited: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/packages/limited
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the list of packages that cannot be uninstalled (e.g. elastic_agent, fleet_server).

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-packages-limited + parameters: [] + responses: + '200': content: application/json: examples: - notFoundExample: - description: No agent policy was found with the given ID + getLimitedPackagesExample: + description: List of packages that cannot be uninstalled value: - error: Not Found - message: Agent policy not found - statusCode: 404 + items: + - elastic_agent + - fleet_server + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_limited_packages_response' + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: additionalProperties: false description: Generic Error @@ -18466,73 +35867,81 @@ paths: required: - message - attributes - description: Not Found - summary: Download an agent policy + description: Bad Request + summary: Get a limited package list tags: - - Elastic Agent policies - /api/fleet/agent_policies/{agentPolicyId}/full: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs: get: - description: >- - Get a full agent policy by ID.

[Required authorization] Route - required privileges: fleet-agent-policies-read. - operationId: get-fleet-agent-policies-agentpolicyid-full + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get an inputs template for a package, used to pre-populate package policy forms.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-templates-pkgname-pkgversion-inputs parameters: - - description: The ID of the agent policy + - description: Package name in: path - name: agentPolicyId + name: pkgName required: true schema: type: string - - description: If true, returns the policy as a downloadable file - in: query - name: download - required: false + - description: Package version + in: path + name: pkgVersion + required: true schema: - type: boolean - - description: If true, returns the policy formatted for standalone agents + type: string + - description: 'Output format for the inputs template: json, yml, or yaml' in: query - name: standalone + name: format required: false schema: - type: boolean - - description: If true, returns the policy formatted for Kubernetes deployment + default: json + enum: + - json + - yml + - yaml + type: string + - description: When true, allow prerelease versions in: query - name: kubernetes + name: prerelease required: false schema: type: boolean - - description: >- - If provided, returns the policy at the specified revision. Cannot be - used with standalone or kubernetes flags. 
+ - description: When true, return inputs even if the package signature cannot be verified in: query - name: revision + name: ignoreUnverified required: false schema: - type: number + type: boolean responses: '200': content: application/json: examples: - getFullAgentPolicyExample: - description: The full agent policy configuration + getInputsTemplateExample: + description: Inputs template for a package value: - item: - agent: - monitoring: - logs: true - metrics: true - id: agent-policy-id-1 - inputs: [] - outputs: - default: - hosts: - - https://elasticsearch.example.com:9200 - type: elasticsearch - revision: 1 + inputs: + - description: Collect logs from log files + title: Collect logs from files + type: logfile + vars: + - name: paths + required: true + title: Paths + type: text schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_get_full_agent_policy_response + anyOf: + - type: string + - $ref: '#/components/schemas/Kibana_HTTP_APIs_get_inputs_response' description: Successful response '400': content: @@ -18563,54 +35972,35 @@ paths: - message - attributes description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No agent policy was found with the given ID - value: - error: Not Found - message: Agent policy not found - statusCode: 404 - description: Not Found - summary: Get a full agent policy + summary: Get an inputs template tags: - - Elastic Agent policies - /api/fleet/agent_policies/{agentPolicyId}/outputs: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/verification_key_id: get: - description: >- - Get a list of outputs associated with agent policy by policy - id.

[Required authorization] Route required privileges: - fleet-agent-policies-read AND fleet-settings-read. - operationId: get-fleet-agent-policies-agentpolicyid-outputs - parameters: - - description: The ID of the agent policy - in: path - name: agentPolicyId - required: true - schema: - type: string + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/verification_key_id
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the GPG key ID used to verify the signatures of packages from the Elastic Package Registry.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-verification-key-id + parameters: [] responses: '200': content: application/json: examples: - getAgentPolicyOutputsExample: - description: Outputs associated with the agent policy + getVerificationKeyIdExample: + description: The GPG key ID used to verify package signatures value: - item: - data_output: - id: output-id-1 - name: Default output - type: elasticsearch - monitoring_output: - id: output-id-1 - name: Default output - type: elasticsearch + id: D27D666CD88E42B4 schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_get_agent_policy_outputs_response + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_verification_key_id_response' description: Successful response '400': content: @@ -18636,63 +36026,170 @@ paths: message: type: string statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No agent policy was found with the given ID - value: - error: Not Found - message: Agent policy not found - statusCode: 404 - description: Not Found - summary: Get outputs for an agent policy - tags: - - Elastic Agent policies - /api/fleet/agent_policies/delete: - post: - description: >- - Delete an agent policy by ID.

[Required authorization] Route - required privileges: fleet-agent-policies-all. - operationId: post-fleet-agent-policies-delete - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postDeleteAgentPolicyRequestExample: - description: Delete an agent policy by ID - value: - agentPolicyId: agent-policy-id-1 - schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_delete_agent_policy_request + type: number + required: + - message + - attributes + description: Bad Request + summary: Get a package signature verification key ID + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/fleet_server_hosts: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/fleet_server_hosts
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all Fleet Server hosts.

[Required authorization] Route required privileges: fleet-agents-all OR fleet-settings-read. + operationId: get-fleet-fleet-server-hosts + parameters: [] responses: '200': content: application/json: examples: - postDeleteAgentPolicyExample: - description: The agent policy was successfully deleted + getFleetServerHostsExample: + description: List of Fleet Server hosts value: - id: agent-policy-id-1 - name: My agent policy + items: + - host_urls: + - https://fleet-server.example.com:8220 + id: fleet-server-host-id-1 + is_default: true + is_preconfigured: false + name: Default Fleet Server + page: 1 + perPage: 20 + total: 1 schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_delete_agent_policy_response + additionalProperties: false + type: object + properties: + items: + items: + additionalProperties: false + type: object + properties: + host_urls: + items: + type: string + maxItems: 10 + minItems: 1 + type: array + id: + type: string + is_default: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + default: false + type: boolean + name: + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + ssl: + additionalProperties: false + type: object + properties: + agent_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + es_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + nullable: true + type: object + properties: + agent_certificate: + type: string + agent_certificate_authorities: + items: + type: string + maxItems: 10 + type: array + agent_key: + type: string + certificate: + type: string + certificate_authorities: + items: + 
type: string + maxItems: 10 + type: array + client_auth: + enum: + - optional + - required + - none + type: string + es_certificate: + type: string + es_certificate_authorities: + items: + type: string + maxItems: 10 + type: array + es_key: + type: string + key: + type: string + required: + - name + - host_urls + - id + maxItems: 10000 + type: array + page: + type: number + perPage: + type: number + total: + type: number + required: + - items + - total + - page + - perPage description: Successful response '400': content: @@ -18723,16 +36220,22 @@ paths: - message - attributes description: Bad Request - summary: Delete an agent policy + summary: Get Fleet Server hosts tags: - - Elastic Agent policies - /api/fleet/agent_policies/outputs: + - Fleet Server hosts + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name post: - description: >- - Get a list of outputs associated with agent policies.

[Required - authorization] Route required privileges: fleet-agent-policies-read AND - fleet-settings-read. - operationId: post-fleet-agent-policies-outputs + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/fleet_server_hosts
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new Fleet Server host.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: post-fleet-fleet-server-hosts parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -18745,36 +36248,243 @@ paths: content: application/json: examples: - postListAgentPolicyOutputsRequestExample: - description: Get outputs for multiple agent policies + postFleetServerHostRequestExample: + description: Create a new Fleet Server host value: - ids: - - agent-policy-id-1 - - agent-policy-id-2 + host_urls: + - https://fleet-server.example.com:8220 + is_default: false + name: My Fleet Server schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_get_list_agent_policy_outputs_request + additionalProperties: false + type: object + properties: + host_urls: + items: + type: string + maxItems: 10 + minItems: 1 + type: array + id: + type: string + is_default: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + default: false + type: boolean + name: + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + ssl: + additionalProperties: false + type: object + properties: + agent_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + es_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + nullable: true + type: object + properties: + agent_certificate: + type: string + agent_certificate_authorities: + items: + type: string + maxItems: 10 + type: array + agent_key: + type: string + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + client_auth: + enum: + - optional + - required + - none + type: string + es_certificate: + type: string + es_certificate_authorities: + items: + type: string + maxItems: 10 + type: array + es_key: + type: string + key: + type: string + 
required: + - name + - host_urls responses: '200': content: application/json: examples: - postListAgentPolicyOutputsExample: - description: Outputs associated with the requested agent policies + postFleetServerHostExample: + description: The created Fleet Server host value: - items: - - agent_policy_id: agent-policy-id-1 - data_output: - id: output-id-1 - name: Default output - type: elasticsearch - monitoring_output: - id: output-id-1 - name: Default output - type: elasticsearch + item: + host_urls: + - https://fleet-server.example.com:8220 + id: fleet-server-host-id-2 + is_default: false + is_preconfigured: false + name: My Fleet Server schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_get_list_agent_policy_outputs_response + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + host_urls: + items: + type: string + maxItems: 10 + minItems: 1 + type: array + id: + type: string + is_default: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + default: false + type: boolean + name: + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + ssl: + additionalProperties: false + type: object + properties: + agent_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + es_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + nullable: true + type: object + properties: + agent_certificate: + type: string + agent_certificate_authorities: + items: + type: string + maxItems: 10 + type: array + agent_key: + type: string + certificate: + type: string + 
certificate_authorities: + items: + type: string + maxItems: 10 + type: array + client_auth: + enum: + - optional + - required + - none + type: string + es_certificate: + type: string + es_certificate_authorities: + items: + type: string + maxItems: 10 + type: array + es_key: + type: string + key: + type: string + required: + - name + - host_urls + - id + required: + - item description: Successful response '400': content: @@ -18805,33 +36515,35 @@ paths: - message - attributes description: Bad Request - summary: Get outputs for agent policies + summary: Create a Fleet Server host tags: - - Elastic Agent policies - /api/fleet/agent_status: - get: - description: Get a summary of agent statuses for a given agent policy. - operationId: get-fleet-agent-status + - Fleet Server hosts + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/fleet_server_hosts/{itemId}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/fleet_server_hosts/{itemId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a Fleet Server host by ID.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: delete-fleet-fleet-server-hosts-itemid parameters: - - description: Filter by agent policy ID - in: query - name: policyId - required: false + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: + example: 'true' type: string - - description: Filter by one or more agent policy IDs - in: query - name: policyIds - required: false - schema: - items: - type: string - maxItems: 1000 - type: array - - description: A KQL query string to filter results - in: query - name: kuery - required: false + - description: The ID of the Fleet Server host + in: path + name: itemId + required: true schema: type: string responses: @@ -18839,61 +36551,18 @@ paths: content: application/json: examples: - getAgentStatusExample: - description: Agent status summary for an agent policy + deleteFleetServerHostExample: + description: The Fleet Server host was successfully deleted value: - results: - error: 1 - offline: 2 - online: 5 - other: 0 - updating: 0 - totalInactive: 0 + id: fleet-server-host-id-1 schema: additionalProperties: false type: object properties: - results: - additionalProperties: false - type: object - properties: - active: - type: number - all: - type: number - error: - type: number - events: - type: number - inactive: - type: number - offline: - type: number - online: - type: number - orphaned: - type: number - other: - type: number - unenrolled: - type: number - uninstalled: - type: number - updating: - type: number - required: - - events - - online - - error - - offline - - other - - updating - - inactive - - unenrolled - - all - - active + id: + type: string required: - - results + - id description: Successful response '400': content: 
@@ -18924,85 +36593,166 @@ paths: - message - attributes description: Bad Request - summary: Get an agent status summary + '404': + content: + application/json: + examples: + notFoundExample: + description: No Fleet Server host was found with the given ID + value: + error: Not Found + message: Fleet server fleet-server-host-id-1 not found + statusCode: 404 + description: Not Found + summary: Delete a Fleet Server host tags: - - Elastic Agent status - /api/fleet/agent_status/data: + - Fleet Server hosts + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name get: - description: >- - Get the data streams that an agent is actively sending data - to.

[Required authorization] Route required privileges: - fleet-agents-read. - operationId: get-fleet-agent-status-data + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/fleet_server_hosts/{itemId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a Fleet Server host by ID.

[Required authorization] Route required privileges: fleet-settings-read. + operationId: get-fleet-fleet-server-hosts-itemid parameters: - - description: Agent IDs to check data for, as an array or comma-separated string - in: query - name: agentsIds + - description: The ID of the Fleet Server host + in: path + name: itemId required: true - schema: - items: - type: string - maxItems: 10000 - type: array - - description: Filter by integration package name - in: query - name: pkgName - required: false - schema: - type: string - - description: Filter by integration package version - in: query - name: pkgVersion - required: false schema: type: string - - description: When true, return a preview of the ingested data - in: query - name: previewData - required: false - schema: - default: false - type: boolean responses: '200': content: application/json: examples: - getAgentDataExample: - description: Data streams the agent is actively sending data to + getFleetServerHostExample: + description: A Fleet Server host value: - items: - - data: - logs-nginx.access-default: - - id: agent-id-1 - name: my-host - total: 1 - totalMonitoring: 0 + item: + host_urls: + - https://fleet-server.example.com:8220 + id: fleet-server-host-id-1 + is_default: true + is_preconfigured: false + name: Default Fleet Server schema: additionalProperties: false type: object properties: - dataPreview: - items: - nullable: true - maxItems: 10000 - type: array - items: - items: - additionalProperties: + item: + additionalProperties: false + type: object + properties: + host_urls: + items: + type: string + maxItems: 10 + minItems: 1 + type: array + id: + type: string + is_default: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + default: false + type: boolean + name: + type: string + proxy_id: + nullable: true + type: string + secrets: additionalProperties: false type: object properties: - data: - type: boolean - required: - - data - type: object - maxItems: 10000 - 
type: array + ssl: + additionalProperties: false + type: object + properties: + agent_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + es_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + nullable: true + type: object + properties: + agent_certificate: + type: string + agent_certificate_authorities: + items: + type: string + maxItems: 10 + type: array + agent_key: + type: string + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + client_auth: + enum: + - optional + - required + - none + type: string + es_certificate: + type: string + es_certificate_authorities: + items: + type: string + maxItems: 10 + type: array + es_key: + type: string + key: + type: string + required: + - name + - host_urls + - id required: - - items - - dataPreview + - item description: Successful response '400': content: @@ -19033,13 +36783,33 @@ paths: - message - attributes description: Bad Request - summary: Get incoming agent data + '404': + content: + application/json: + examples: + notFoundExample: + description: No Fleet Server host was found with the given ID + value: + error: Not Found + message: Fleet server fleet-server-host-id-1 not found + statusCode: 404 + description: Not Found + summary: Get a Fleet Server host tags: - - Elastic Agents - /api/fleet/agentless_policies: - post: - description: Create an agentless policy - operationId: post-fleet-agentless-policies + - Fleet Server hosts + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/fleet/fleet_server_hosts/{itemId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update a Fleet Server host by ID.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: put-fleet-fleet-server-hosts-itemid parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -19048,854 +36818,247 @@ paths: schema: example: 'true' type: string - - description: The format of the response package policy. - in: query - name: format - required: false + - description: The ID of the Fleet Server host + in: path + name: itemId + required: true schema: - default: simplified - enum: - - legacy - - simplified type: string requestBody: content: application/json: examples: - createAgentlessPoliciesRequestExample: - description: Example request to create agentless policies - value: - description: test - inputs: - ESS Billing-cel: - enabled: true - streams: - ess_billing.billing: - enabled: true - vars: - hide_sensitive: true - http_client_timeout: 30s - lookbehind: 365 - tags: - - forwarded - - billing - ess_billing.credits: - enabled: false - vars: - api_key: - organization_id: '1234' - name: ess_billing-1 - namespace: default - package: - name: ess_billing - version: 1.6.0 - createAgentlessPoliciesReuseAWSCloudConnectorExample: - description: >- - Example request to create agentless policy reusing an existing - AWS cloud connector - value: - cloud_connector: - cloud_connector_id: existing-aws-connector-id - target_csp: aws - description: CSPM integration for AWS reusing existing cloud connector - inputs: - cspm-cloudbeat/cis_aws: - enabled: true - streams: - cloud_security_posture.findings: - enabled: true - vars: - aws.account_type: organization-account - aws.credentials.type: cloud_connector - aws.supports_cloud_connectors: true - external_id: - id: ABCDEFGHIJKLMNOPQRST - isSecretRef: true - role_arn: arn:aws:iam::123456789012:role/TestRole - vars: - cloud_formation_template: >- - https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https://elastic-cspm-cft.s3.eu-central-1.amazonaws.com/cloudformation-cspm-ACCOUNT_TYPE-9.2.0.yml - cspm-cloudbeat/cis_azure: - enabled: false - cspm-cloudbeat/cis_gcp: - enabled: false - name: cspm-aws-reuse-policy - namespace: default - package: - name: cloud_security_posture - 
version: 3.1.1 - vars: - deployment: aws - posture: cspm - createAgentlessPoliciesWithAWSCloudConnectorExample: - description: >- - Example request to create agentless policy with AWS cloud - connector - value: - cloud_connector: - target_csp: aws - description: CSPM integration for AWS with cloud connector - inputs: - cspm-cloudbeat/cis_aws: - enabled: true - streams: - cloud_security_posture.findings: - enabled: true - vars: - aws.account_type: organization-account - aws.credentials.type: cloud_connector - aws.supports_cloud_connectors: true - external_id: - id: ABCDEFGHIJKLMNOPQRST - isSecretRef: true - role_arn: arn:aws:iam::123456789012:role/TestRole - vars: - cloud_formation_template: >- - https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https://elastic-cspm-cft.s3.eu-central-1.amazonaws.com/cloudformation-cspm-ACCOUNT_TYPE-9.2.0.yml - cspm-cloudbeat/cis_azure: - enabled: false - cspm-cloudbeat/cis_gcp: - enabled: false - name: cspm-aws-policy - namespace: default - package: - name: cloud_security_posture - version: 3.1.1 - vars: - deployment: aws - posture: cspm - createAgentlessPoliciesWithAzureCloudConnectorExample: - description: >- - Example request to create agentless policy with Azure cloud - connector + putFleetServerHostRequestExample: + description: Update a Fleet Server host value: - cloud_connector: - target_csp: azure - description: CSPM integration for Azure with cloud connector - inputs: - cspm-cloudbeat/cis_aws: - enabled: false - cspm-cloudbeat/cis_azure: - enabled: true - streams: - cloud_security_posture.findings: - enabled: true - vars: - azure_credentials_cloud_connector_id: - type: text - value: existing-azure-credentials-connector-id - azure.account_type: organization-account - client_id: - id: client-secret-id - isSecretRef: true - tenant_id: - id: tenant-secret-id - isSecretRef: true - cspm-cloudbeat/cis_gcp: - enabled: false - name: cspm-azure-policy - namespace: default - package: - name: 
cloud_security_posture - version: 3.1.1 - vars: - deployment: azure - posture: cspm + host_urls: + - https://updated-fleet-server.example.com:8220 + is_default: false + name: Updated Fleet Server schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_simplified_create_package_policy_request - responses: - '200': - content: - application/json: - examples: - createAgentlessPoliciesResponseExample: - description: >- - Example response showing the successful result of - communication initialisation over MCP protocol - value: - item: - created_at: '2025-11-06T18:27:43.541Z' - created_by: test_user - description: test - enabled: true - id: d52a7812-5736-4fdc-aed8-72152afa1ffa - inputs: - ESS Billing-cel: - enabled: true - streams: - ess_billing.billing: - enabled: true - vars: - hide_sensitive: true - http_client_timeout: 30s - lookbehind: 365 - tags: - - forwarded - - billing - ess_billing.credits: - enabled: false - vars: - api_key: - id: QY1sWpoBbWcMW-edr0Ee - isSecretRef: true - organization_id: '1234' - url: https://billing.elastic-cloud.com - name: ess_billing-1 - namespace: default - package: - name: ess_billing - title: Elasticsearch Service Billing - version: 1.6.0 - revision: 1 - secret_references: - - id: QY1sWpoBbWcMW-edr0Ee - supports_agentless: true - updated_at: '2025-11-06T18:27:43.541Z' - updated_by: test_user - version: WzE0OTgsMV0= - createAgentlessPoliciesWithAWSCloudConnectorResponseExample: - description: Example response for AWS cloud connector integration - value: - item: - cloud_connector_id: aws-connector-67890 - created_at: '2025-11-06T18:27:43.541Z' - created_by: test_user - description: CSPM integration for AWS with cloud connector - enabled: true - id: aws-policy-12345 - inputs: - cspm-cloudbeat/cis_aws: - enabled: true - streams: - cloud_security_posture.findings: - enabled: true - vars: - aws.account_type: organization-account - aws.credentials.type: cloud_connector - external_id: - id: secret-external-id-123 - isSecretRef: true - 
role_arn: arn:aws:iam::123456789012:role/TestRole - vars: - cloud_formation_template: >- - https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https://elastic-cspm-cft.s3.eu-central-1.amazonaws.com/cloudformation-cspm-ACCOUNT_TYPE-9.2.0.yml - cspm-cloudbeat/cis_azure: - enabled: false - cspm-cloudbeat/cis_gcp: - enabled: false - name: cspm-aws-policy - namespace: default - package: - name: cloud_security_posture - title: Cloud Security Posture Management - version: 3.1.1 - revision: 1 - secret_references: - - id: secret-external-id-123 - supports_agentless: true - supports_cloud_connector: true - updated_at: '2025-11-06T18:27:43.541Z' - updated_by: test_user - vars: - deployment: aws - posture: cspm - version: WzE0OTgsMV0= - createAgentlessPoliciesWithAzureCloudConnectorResponseExample: - description: Example response for Azure cloud connector integration + additionalProperties: false + type: object + properties: + host_urls: + items: + type: string + maxItems: 10 + minItems: 1 + type: array + is_default: + type: boolean + is_internal: + type: boolean + name: + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + ssl: + additionalProperties: false + type: object + properties: + agent_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + es_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + nullable: true + type: object + properties: + agent_certificate: + type: string + agent_certificate_authorities: + items: + type: string + maxItems: 10 + type: array + agent_key: + type: string + certificate: + type: string + 
certificate_authorities: + items: + type: string + maxItems: 10 + type: array + client_auth: + enum: + - optional + - required + - none + type: string + es_certificate: + type: string + es_certificate_authorities: + items: + type: string + maxItems: 10 + type: array + es_key: + type: string + key: + type: string + required: + - proxy_id + responses: + '200': + content: + application/json: + examples: + putFleetServerHostExample: + description: The updated Fleet Server host value: item: - cloud_connector_id: azure-connector-67890 - created_at: '2025-11-06T18:27:43.541Z' - created_by: test_user - description: CSPM integration for Azure with cloud connector - enabled: true - id: azure-policy-12345 - inputs: - cspm-cloudbeat/cis_aws: - enabled: false - cspm-cloudbeat/cis_azure: - enabled: true - streams: - cloud_security_posture.findings: - enabled: true - vars: - azure_credentials_cloud_connector_id: - type: text - value: existing-azure-credentials-connector-id - azure.account_type: organization-account - client_id: - id: client-secret-id-456 - isSecretRef: true - tenant_id: - id: tenant-secret-id-123 - isSecretRef: true - cspm-cloudbeat/cis_gcp: - enabled: false - name: cspm-azure-policy - namespace: default - package: - name: cloud_security_posture - title: Cloud Security Posture Management - version: 3.1.1 - revision: 1 - secret_references: - - id: tenant-secret-id-123 - - id: client-secret-id-456 - supports_agentless: true - supports_cloud_connector: true - updated_at: '2025-11-06T18:27:43.541Z' - updated_by: test_user - vars: - deployment: azure - posture: cspm - version: WzE0OTgsMV0= + host_urls: + - https://updated-fleet-server.example.com:8220 + id: fleet-server-host-id-1 + is_default: false + is_preconfigured: false + name: Updated Fleet Server schema: additionalProperties: false type: object properties: item: additionalProperties: false - description: The created agentless package policy. 
type: object properties: - additional_datastreams_permissions: - description: >- - Additional datastream permissions, that will be added - to the agent policy. + host_urls: items: type: string - maxItems: 1000 - nullable: true + maxItems: 10 + minItems: 1 type: array - agents: - type: number - cloud_connector_id: - description: >- - ID of the cloud connector associated with this package - policy. - nullable: true - type: string - cloud_connector_name: - description: >- - Transient field for cloud connector name during - creation. - maxLength: 255 - minLength: 1 - nullable: true - type: string - condition: - description: >- - **Experimental.** Agent condition expression to - evaluate whether to apply this integration to its - inputs. - type: string - created_at: + id: type: string - created_by: + is_default: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + default: false + type: boolean + name: type: string - description: - description: Package policy description + proxy_id: + nullable: true type: string - elasticsearch: - additionalProperties: true + secrets: + additionalProperties: false type: object properties: - privileges: - additionalProperties: true + ssl: + additionalProperties: false type: object properties: - cluster: - items: - type: string - maxItems: 100 - type: array - enabled: - type: boolean - global_data_tags: - items: - additionalProperties: false - type: object - properties: - name: - description: >- - The name of the custom field. Cannot contain - spaces. - type: string - value: - anyOf: - - type: string - - type: number - description: The value of the custom field. - required: - - name - - value - maxItems: 100 - nullable: true - type: array - id: - description: Package policy unique identifier. 
- type: string - inputs: - anyOf: - - items: - additionalProperties: false - type: object - properties: - compiled_input: - nullable: true - condition: - description: >- - **Experimental.** Agent condition expression - to evaluate whether to apply this input. - type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration - documentation for more information) - type: object - deprecated: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_deprecation_info - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false + agent_key: + anyOf: + - additionalProperties: false type: object properties: - compiled_stream: - nullable: true - condition: - description: >- - **Experimental.** Agent condition - expression to evaluate whether to apply - this stream. 
- type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration - documentation for more information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_deprecation_info - enabled: - type: boolean id: type: string - keep_enabled: - type: boolean - migrate_from: - type: string - release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: >- - Variable group selections. Maps - var_group name to the selected option - name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration - documentation for more information) - type: object required: - - enabled - - data_stream - - compiled_stream - - deprecated - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: >- - Variable group selections. Maps var_group - name to the selected option name within that - group. 
- type: object - vars: - additionalProperties: - additionalProperties: false + - id + - type: string + es_key: + anyOf: + - additionalProperties: false type: object properties: - frozen: - type: boolean - type: + id: type: string - value: - nullable: true required: - - value - description: >- - Package variable (see integration - documentation for more information) - type: object - required: - - type - - enabled - - streams - - deprecated - - compiled_input - maxItems: 100 - type: array - - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: >- - **Experimental.** Agent condition expression - to evaluate whether to apply this input. - type: string - deprecated: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_deprecation_info - enabled: - description: >- - Enable or disable that input. Defaults to - `true` (enabled). - type: boolean - streams: - additionalProperties: - additionalProperties: false + - id + - type: string + key: + anyOf: + - additionalProperties: false type: object properties: - condition: - description: >- - **Experimental.** Agent condition - expression to evaluate whether to apply - this stream. + id: type: string - deprecated: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_deprecation_info - enabled: - description: >- - Enable or disable that stream. Defaults - to `true` (enabled). - type: boolean - var_group_selections: - additionalProperties: - type: string - description: >- - Variable group selections. Maps - var_group name to the selected option - name within that group. 
- type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: >- - Input/stream level variable. Refer to - the integration documentation for more - information. - type: object required: - - deprecated - description: >- - Input streams. Refer to the integration - documentation to know which streams are - available. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: >- - Input/stream level variable. Refer to the - integration documentation for more - information. - type: object - required: - - deprecated - description: >- - Package policy inputs. Refer to the integration - documentation to know which inputs are available. - type: object - x-oas-optional: true - description: Package policy inputs. - is_managed: - type: boolean - name: - description: Unique name for the package policy. - type: string - namespace: - description: >- - The package policy namespace. Leave blank to inherit - the agent policy's namespace. - type: string - output_id: - nullable: true - type: string - overrides: + - id + - type: string + ssl: additionalProperties: false - description: >- - Override settings that are defined in the package - policy. The override option should be used only in - unusual circumstances and not as a routine procedure. 
nullable: true type: object properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_package_policy_package - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: >- - ID of the agent policy which the package policy will - be added to. - nullable: true - type: string - policy_ids: - items: - description: >- - IDs of the agent policies which that package policy - will be added to. - type: string - maxItems: 1000 - type: array - revision: - description: Package policy revision. - type: number - secret_references: - items: - additionalProperties: false - type: object - properties: - id: + agent_certificate: + type: string + agent_certificate_authorities: + items: type: string - required: - - id - maxItems: 1000 - type: array - spaceIds: - items: - type: string - maxItems: 100 - type: array - supports_agentless: - default: false - description: >- - Indicates whether the package policy belongs to an - agentless agent policy. - nullable: true - type: boolean - supports_cloud_connector: - default: false - description: >- - Indicates whether the package policy supports cloud - connectors. - nullable: true - type: boolean - updated_at: - type: string - updated_by: - type: string - var_group_selections: - additionalProperties: - type: string - description: >- - Variable group selections. Maps var_group name to the - selected option name within that group. 
- type: object - vars: - anyOf: - - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation - for more information) - type: object - - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: >- - Input/stream level variable. Refer to the - integration documentation for more information. - type: object - x-oas-optional: true - description: Package level variable. - version: - description: Package policy ES version. - type: string + maxItems: 10 + type: array + agent_key: + type: string + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + client_auth: + enum: + - optional + - required + - none + type: string + es_certificate: + type: string + es_certificate_authorities: + items: + type: string + maxItems: 10 + type: array + es_key: + type: string + key: + type: string required: - name - - enabled - - package - - inputs + - host_urls - id - - revision - - updated_at - - updated_by - - created_at - - created_by required: - item - description: Indicates a successful response + description: Successful response '400': content: application/json: 
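Review bot: The `putFleetServerHostRequestExample` for `put /api/fleet/fleet_server_hosts/{itemId}` omits `proxy_id`, yet the request body schema in the same hunk ends with `required: - proxy_id`, so the example does not validate against its own schema. Either add `proxy_id: null` to the example (the property is declared `nullable: true`) or, if `proxy_id` is meant to be optional on update, relax it in the source route schema so the regenerated bundle drops it from `required`. If this YAML is a generated bundle, the correction belongs in the route definition rather than in this file; the `paths:` block this hunk sits in continues outside the hunk.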
@@ -19925,43 +37088,34 @@ paths: - message - attributes description: Bad Request - '409': + '404': content: application/json: examples: - conflictErrorResponseExample: - description: Example of a conflict error response + notFoundExample: + description: No Fleet Server host was found with the given ID value: - error: Conflict - message: An error message describing what went wrong - statusCode: 409 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Conflict - summary: Create an agentless policy + error: Not Found + message: Fleet server fleet-server-host-id-1 not found + statusCode: 404 + description: Not Found + summary: Update a Fleet Server host tags: - - Fleet agentless policies - x-state: Technical Preview - /api/fleet/agentless_policies/{policyId}: - delete: - description: Delete an agentless policy - operationId: delete-fleet-agentless-policies-policyid + - Fleet Server hosts + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/health_check: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/health_check
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Check the health status of a Fleet Server instance by its host ID. Returns the server status and name if available.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: post-fleet-health-check parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -19970,50 +37124,59 @@ paths: schema: example: 'true' type: string - - description: The ID of the policy to delete. - in: path - name: policyId - required: true - schema: - type: string - - description: Force delete the policy even if the policy is managed. - in: query - name: force - required: false - schema: - type: boolean + requestBody: + content: + application/json: + examples: + postHealthCheckRequestExample: + description: Check the health of a Fleet Server instance by its host ID + value: + id: fleet-server-host-id-1 + schema: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id responses: '200': content: application/json: examples: - createAgentlessPoliciesResponseExample: - description: >- - Example response showing the successful result of - communication initialisation over MCP protocol + postHealthCheckHealthyExample: + description: Fleet Server is online and healthy value: - item: - id: d52a7812-5736-4fdc-aed8-72152afa1ffa + name: fleet-server-1 + status: ONLINE + postHealthCheckUnreachableExample: + description: Fleet Server host is not reachable (request timed out or aborted) + value: + host_id: fleet-server-host-id-1 + status: OFFLINE schema: additionalProperties: false - description: Response for deleting an agentless package policy. type: object properties: - id: - description: The ID of the deleted agentless package policy. 
+ host_id: + type: string + name: + type: string + status: type: string required: - - id - description: Indicates a successful response + - status + description: Successful health check response '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequestExample: + description: The host ID exists but has no associated host URLs configured value: error: Bad Request - message: An error message describing what went wrong + message: The requested host id fleet-server-host-id-1 does not have associated host urls. statusCode: 400 schema: additionalProperties: false @@ -20034,16 +37197,16 @@ paths: - message - attributes description: Bad Request - '409': + '404': content: application/json: examples: - conflictErrorResponseExample: - description: Example of a conflict error response + notFoundExample: + description: No Fleet Server host was found with the given ID value: - error: Conflict - message: An error message describing what went wrong - statusCode: 409 + error: Not Found + message: The requested host id fleet-server-host-id-1 does not exist. + statusCode: 404 schema: additionalProperties: false description: Generic Error @@ -20062,128 +37225,403 @@ paths: required: - message - attributes - description: Conflict - summary: Delete an agentless policy + description: Not Found + summary: Check Fleet Server health tags: - - Fleet agentless policies - x-state: Technical Preview - /api/fleet/agents: + - Fleet internals + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/kubernetes: get: - description: >- - List agents, with optional filtering and pagination.

[Required - authorization] Route required privileges: fleet-agents-read. - operationId: get-fleet-agents + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/kubernetes
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the Kubernetes manifest for deploying Elastic Agent.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-setup. + operationId: get-fleet-kubernetes parameters: - - description: Page number - in: query - name: page - required: false - schema: - type: number - - description: Number of results per page - in: query - name: perPage - required: false - schema: - default: 20 - type: number - - description: A KQL query string to filter results - in: query - name: kuery - required: false - schema: - type: string - - description: When true, include agentless agents in the results - in: query - name: showAgentless - required: false - schema: - default: true - type: boolean - - description: When true, include inactive agents in the results + - description: If true, returns the manifest as a downloadable file in: query - name: showInactive + name: download required: false schema: - default: false type: boolean - - description: When true, include CPU and memory metrics in the response + - description: Fleet Server host URL to include in the manifest in: query - name: withMetrics + name: fleetServer required: false schema: - default: false - type: boolean - - description: When true, only return agents that are upgradeable + type: string + - description: Enrollment token to include in the manifest in: query - name: showUpgradeable + name: enrolToken required: false schema: - default: false - type: boolean - - description: When true, return a summary of agent statuses in the response + type: string + responses: + '200': + content: + application/json: + examples: + getK8sManifestExample: + description: The Kubernetes manifest for deploying Elastic Agent + value: + item: 'apiVersion: v1\nkind: ConfigMap\nmetadata:\n name: agent-node-datastreams\n namespace: kube-system\n' + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_k8s_manifest_response' + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a 
generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get a full K8s agent manifest + tags: + - Elastic Agent policies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/kubernetes/download: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/kubernetes/download
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Download the Kubernetes manifest for deploying Elastic Agent.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-setup. + operationId: get-fleet-kubernetes-download + parameters: + - description: If true, returns the manifest as a downloadable file in: query - name: getStatusSummary + name: download required: false schema: - default: false type: boolean - - description: Field to sort results by + - description: Fleet Server host URL to include in the manifest in: query - name: sortField + name: fleetServer required: false schema: type: string - - description: Sort order, ascending or descending + - description: Enrollment token to include in the manifest in: query - name: sortOrder + name: enrolToken required: false schema: - enum: - - asc - - desc type: string - - description: JSON-encoded array of sort values for `search_after` pagination - in: query - name: searchAfter - required: false + responses: + '200': + content: + application/json: + examples: + getDownloadK8sManifestExample: + description: The Kubernetes manifest download + value: 'apiVersion: v1\nkind: ConfigMap\nmetadata:\n name: agent-node-datastreams\n namespace: kube-system\n' + schema: + type: string + description: Successful response — returns the Kubernetes manifest as a YAML file download + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No manifest was found + value: + error: Not Found + message: Agent manifest not found + statusCode: 404 + schema: + 
additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Not Found + summary: Download an agent manifest + tags: + - Elastic Agent policies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/logstash_api_keys: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/logstash_api_keys
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Generate an API key for Logstash to use with a Fleet output.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: post-fleet-logstash-api-keys + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: + example: 'true' type: string - - description: When true, opens a new point-in-time for pagination - in: query - name: openPit - required: false - schema: - type: boolean - - description: Point-in-time ID for pagination - in: query - name: pitId - required: false + responses: + '200': + content: + application/json: + examples: + postLogstashApiKeyExample: + description: The generated Logstash API key + value: + api_key: TiNAGG4BaaMdaH1tRfuU:KnR6yE41RrSowb0kQ0HWoA + schema: + additionalProperties: false + type: object + properties: + api_key: + type: string + required: + - api_key + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Generate a Logstash API key + tags: + - Fleet outputs + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/message_signing_service/rotate_key_pair: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/message_signing_service/rotate_key_pair
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Rotate the key pair used by Fleet to sign messages sent to Elastic Agents. This operation is irreversible and requires all agents in the Fleet to be re-enrolled after rotation. You must explicitly acknowledge the risk by passing `acknowledge=true` as a query parameter.

[Required authorization] Route required privileges: fleet-agents-all AND fleet-agent-policies-all AND fleet-settings-all. + operationId: post-fleet-message-signing-service-rotate-key-pair + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: + example: 'true' type: string - - description: Duration to keep the point-in-time alive, for example, `1m` + - description: Set to true to confirm you understand the risks of rotating the key pair in: query - name: pitKeepAlive + name: acknowledge required: false schema: - type: string + default: false + type: boolean responses: '200': content: application/json: examples: - getAgentsExample: - description: List of agents + rotateKeyPairSuccessExample: + description: The key pair was rotated. All agents must be re-enrolled to receive the new signing key. value: - items: - - active: true - enrolled_at: '2024-01-01T00:00:00.000Z' - id: agent-id-1 - policy_id: agent-policy-id-1 - policy_revision: 1 - status: online - type: PERMANENT - updated_at: '2024-01-01T00:00:00.000Z' + message: Key pair rotated successfully. + schema: + additionalProperties: false + type: object + properties: + message: + type: string + required: + - message + description: Key pair rotated successfully + '400': + content: + application/json: + examples: + acknowledgeRequiredExample: + description: Request was rejected because the acknowledge query parameter was not set to true + value: + error: Bad Request + message: 'Warning: this API will cause a key pair to rotate and should not be necessary in normal operation. If you proceed, you may need to reinstall Agents in your network. You must acknowledge the risks of rotating the key pair with acknowledge=true in the request parameters. For more information, reach out to your administrator.' 
+ statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '500': + content: + application/json: + examples: + serviceUnavailableExample: + description: The message signing service is not available + value: + error: Internal Server Error + message: Failed to rotate key pair. Message signing service is unavailable! + statusCode: 500 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Internal Server Error + summary: Rotate a Fleet message signing key pair + tags: + - Message Signing Service + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/outputs: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/outputs
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all Fleet outputs.

[Required authorization] Route required privileges: fleet-settings-read OR fleet-agent-policies-read. + operationId: get-fleet-outputs + parameters: [] + responses: + '200': + content: + application/json: + examples: + getOutputsExample: + description: List of Fleet outputs + value: + items: + - hosts: + - https://elasticsearch.example.com:9200 + id: output-id-1 + is_default: true + is_default_monitoring: true + name: Default output + type: elasticsearch page: 1 perPage: 20 total: 1 
@@ -20193,377 +37631,17 @@ paths: properties: items: items: - additionalProperties: false - type: object - properties: - access_api_key: - type: string - access_api_key_id: - type: string - active: - type: boolean - agent: - additionalProperties: true - type: object - properties: - id: - type: string - type: - type: string - version: - type: string - required: - - id - - version - audit_unenrolled_reason: - type: string - capabilities: - items: - type: string - maxItems: 100 - type: array - components: - items: - additionalProperties: false - type: object - properties: - id: - type: string - message: - type: string - status: - enum: - - STARTING - - CONFIGURING - - HEALTHY - - DEGRADED - - FAILED - - STOPPING - - STOPPED - type: string - type: - type: string - units: - items: - additionalProperties: false - type: object - properties: - id: - type: string - message: - type: string - payload: - additionalProperties: - nullable: true - type: object - status: - enum: - - STARTING - - CONFIGURING - - HEALTHY - - DEGRADED - - FAILED - - STOPPING - - STOPPED - type: string - type: - enum: - - input - - output - - '' - type: string - required: - - id - - type - - status - - message - maxItems: 10000 - type: array - required: - - id - - type - - status - - message - maxItems: 10000 - type: array - default_api_key: - type: string - default_api_key_history: - items: - additionalProperties: false - deprecated: true - type: object - properties: - id: - type: string - retired_at: - type: string - required: - - id - - retired_at - maxItems: 100 - type: array - default_api_key_id: - type: string - effective_config: - nullable: true - enrolled_at: - type: string - health: - additionalProperties: - nullable: true - type: object - id: - type: string - identifying_attributes: - additionalProperties: - type: string - type: object - last_checkin: - type: string - last_checkin_message: - type: string - last_checkin_status: - enum: - - error - - online - - degraded - - updating - - 
starting - - disconnected - type: string - last_known_status: - enum: - - offline - - error - - online - - inactive - - enrolling - - unenrolling - - unenrolled - - updating - - degraded - - uninstalled - - orphaned - type: string - local_metadata: - additionalProperties: - nullable: true - type: object - metrics: - additionalProperties: false - type: object - properties: - cpu_avg: - type: number - memory_size_byte_avg: - type: number - namespaces: - items: - type: string - maxItems: 100 - type: array - non_identifying_attributes: - additionalProperties: - type: string - type: object - outputs: - additionalProperties: - additionalProperties: false - type: object - properties: - api_key_id: - type: string - to_retire_api_key_ids: - items: - additionalProperties: false - type: object - properties: - id: - type: string - retired_at: - type: string - required: - - id - - retired_at - maxItems: 100 - type: array - type: - type: string - type: object - packages: - items: - type: string - maxItems: 10000 - type: array - policy_id: - type: string - policy_revision: - nullable: true - type: number - sequence_num: - type: number - signals: - items: - type: string - maxItems: 50 - type: array - sort: - items: - nullable: true - maxItems: 10 - type: array - status: - enum: - - offline - - error - - online - - inactive - - enrolling - - unenrolling - - unenrolled - - updating - - degraded - - uninstalled - - orphaned - type: string - tags: - items: - type: string - maxItems: 100 - type: array - type: - enum: - - PERMANENT - - EPHEMERAL - - TEMPORARY - - OPAMP - type: string - unenrolled_at: - type: string - unenrollment_started_at: - type: string - unhealthy_reason: - items: - enum: - - input - - output - - other - type: string - maxItems: 3 - nullable: true - type: array - upgrade: - additionalProperties: false - type: object - properties: - rollbacks: - items: - additionalProperties: false - type: object - properties: - valid_until: - type: string - version: - type: string - 
required: - - valid_until - - version - maxItems: 100 - type: array - upgrade_attempts: - items: - type: string - maxItems: 10000 - nullable: true - type: array - upgrade_details: - additionalProperties: false - nullable: true - type: object - properties: - action_id: - type: string - metadata: - additionalProperties: false - type: object - properties: - download_percent: - type: number - download_rate: - type: number - error_msg: - type: string - failed_state: - enum: - - UPG_REQUESTED - - UPG_SCHEDULED - - UPG_DOWNLOADING - - UPG_EXTRACTING - - UPG_REPLACING - - UPG_RESTARTING - - UPG_FAILED - - UPG_WATCHING - - UPG_ROLLBACK - type: string - reason: - type: string - retry_error_msg: - type: string - retry_until: - type: string - scheduled_at: - type: string - state: - enum: - - UPG_REQUESTED - - UPG_SCHEDULED - - UPG_DOWNLOADING - - UPG_EXTRACTING - - UPG_REPLACING - - UPG_RESTARTING - - UPG_FAILED - - UPG_WATCHING - - UPG_ROLLBACK - type: string - target_version: - type: string - required: - - target_version - - action_id - - state - upgrade_started_at: - nullable: true - type: string - upgraded_at: - nullable: true - type: string - user_provided_metadata: - additionalProperties: - nullable: true - type: object - required: - - id - - packages - - type - - active - - enrolled_at - - local_metadata - - effective_config + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_remote_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_logstash' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_kafka' maxItems: 10000 type: array - nextSearchAfter: - type: string page: type: number perPage: type: number - pit: - type: string - statusSummary: - additionalProperties: - type: number - type: object total: type: number required: 
@@ -20601,14 +37679,22 @@ paths: - message - attributes description: Bad Request - summary: Get agents + summary: Get outputs tags: - - Elastic Agents + - Fleet outputs + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name post: - description: >- - Retrieve agents associated with specific action IDs.

[Required - authorization] Route required privileges: fleet-agents-read. - operationId: post-fleet-agents + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/outputs
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new Fleet output.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: post-fleet-outputs parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -20621,48 +37707,127 @@ paths: content: application/json: examples: - postGetAgentsByActionsRequestExample: - description: Retrieve agents associated with specific action IDs + postOutputRequestExample: + description: Create a new Elasticsearch output value: - actionIds: - - action-id-1 - - action-id-2 + hosts: + - https://elasticsearch.example.com:9200 + is_default: false + is_default_monitoring: false + name: My output + type: elasticsearch schema: - additionalProperties: false - type: object - properties: - actionIds: - items: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_output_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_output_remote_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_output_logstash' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_output_kafka' + responses: + '200': + content: + application/json: + examples: + postOutputExample: + description: The created Fleet output + value: + item: + hosts: + - https://elasticsearch.example.com:9200 + id: output-id-2 + is_default: false + is_default_monitoring: false + name: My output + type: elasticsearch + schema: + additionalProperties: false + type: object + properties: + item: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_remote_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_logstash' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_kafka' + required: + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: type: string - maxItems: 1000 - type: array - required: - 
- actionIds + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Create output + tags: + - Fleet outputs + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/outputs/{outputId}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/outputs/{outputId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete output by ID.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: delete-fleet-outputs-outputid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The ID of the output + in: path + name: outputId + required: true + schema: + type: string responses: '200': content: application/json: examples: - postGetAgentsByActionsExample: - description: Agents associated with the given actions + deleteOutputExample: + description: The output was successfully deleted value: - items: - - active: true - id: agent-id-1 - policy_id: agent-policy-id-1 - status: online - total: 1 + id: output-id-1 schema: additionalProperties: false type: object properties: - items: - items: - type: string - maxItems: 10000 - type: array + id: + type: string required: - - items + - id description: Successful response '400': content: @@ -20693,26 +37858,55 @@ paths: - message - attributes description: Bad Request - summary: Get agents by action ids + '404': + content: + application/json: + examples: + notFoundExample: + description: No output was found with the given ID + value: + error: Not Found + message: Output output-id-1 not found + statusCode: 404 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Not Found + summary: Delete output tags: - - Elastic Agents - /api/fleet/agents/{agentId}: - delete: - description: >- - Delete an agent by ID.

[Required authorization] Route required - privileges: fleet-agents-all. - operationId: delete-fleet-agents-agentid + - Fleet outputs + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/outputs/{outputId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get output by ID.

[Required authorization] Route required privileges: fleet-settings-read OR fleet-agent-policies-read. + operationId: get-fleet-outputs-outputid parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The agent ID + - description: The ID of the output in: path - name: agentId + name: outputId required: true schema: type: string @@ -20721,21 +37915,29 @@ paths: content: application/json: examples: - deleteAgentExample: - description: Agent successfully deleted + getOutputExample: + description: A Fleet output value: - id: agent-id-1 - success: true + item: + hosts: + - https://elasticsearch.example.com:9200 + id: output-id-1 + is_default: true + is_default_monitoring: true + name: Default output + type: elasticsearch schema: additionalProperties: false type: object properties: - action: - enum: - - deleted - type: string + item: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_remote_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_logstash' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_kafka' required: - - action + - item description: Successful response '400': content: @@ -20771,422 +37973,84 @@ paths: application/json: examples: notFoundExample: - description: No agent was found with the given ID + description: No output was found with the given ID value: error: Not Found - message: Agent agent-id-1 not found + message: Output output-id-1 not found statusCode: 404 description: Not Found - summary: Delete an agent + summary: Get output tags: - - Elastic Agents - get: - description: >- - Get an agent by ID.

[Required authorization] Route required - privileges: fleet-agents-read. - operationId: get-fleet-agents-agentid + - Fleet outputs + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/fleet/outputs/{outputId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update output by ID.

[Required authorization] Route required privileges: fleet-settings-all OR fleet-agent-policies-all. + operationId: put-fleet-outputs-outputid parameters: - - description: The agent ID - in: path - name: agentId + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: + example: 'true' type: string - - description: When true, include CPU and memory metrics in the response - in: query - name: withMetrics - required: false + - description: The ID of the output + in: path + name: outputId + required: true schema: - default: false - type: boolean + type: string + requestBody: + content: + application/json: + examples: + putOutputRequestExample: + description: Update a Fleet output + value: + hosts: + - https://updated-elasticsearch.example.com:9200 + name: Updated output + schema: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_output_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_output_remote_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_output_logstash' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_output_kafka' responses: '200': content: application/json: examples: - getAgentExample: - description: Agent details + putOutputExample: + description: The updated Fleet output value: item: - active: true - agent_id: agent-id-1 - enrolled_at: '2024-01-01T00:00:00.000Z' - id: agent-id-1 - local_metadata: - elastic: - agent: - version: 8.17.0 - host: - hostname: my-host - os: - name: linux - policy_id: agent-policy-id-1 - policy_revision: 1 - status: online - type: PERMANENT - updated_at: '2024-01-01T00:00:00.000Z' + hosts: + - https://updated-elasticsearch.example.com:9200 + id: output-id-1 + is_default: true + is_default_monitoring: true + name: Updated output + type: elasticsearch schema: additionalProperties: false type: object properties: item: - additionalProperties: false - type: object - properties: - access_api_key: - type: 
string - access_api_key_id: - type: string - active: - type: boolean - agent: - additionalProperties: true - type: object - properties: - id: - type: string - type: - type: string - version: - type: string - required: - - id - - version - audit_unenrolled_reason: - type: string - capabilities: - items: - type: string - maxItems: 100 - type: array - components: - items: - additionalProperties: false - type: object - properties: - id: - type: string - message: - type: string - status: - enum: - - STARTING - - CONFIGURING - - HEALTHY - - DEGRADED - - FAILED - - STOPPING - - STOPPED - type: string - type: - type: string - units: - items: - additionalProperties: false - type: object - properties: - id: - type: string - message: - type: string - payload: - additionalProperties: - nullable: true - type: object - status: - enum: - - STARTING - - CONFIGURING - - HEALTHY - - DEGRADED - - FAILED - - STOPPING - - STOPPED - type: string - type: - enum: - - input - - output - - '' - type: string - required: - - id - - type - - status - - message - maxItems: 10000 - type: array - required: - - id - - type - - status - - message - maxItems: 10000 - type: array - default_api_key: - type: string - default_api_key_history: - items: - additionalProperties: false - deprecated: true - type: object - properties: - id: - type: string - retired_at: - type: string - required: - - id - - retired_at - maxItems: 100 - type: array - default_api_key_id: - type: string - effective_config: - nullable: true - enrolled_at: - type: string - health: - additionalProperties: - nullable: true - type: object - id: - type: string - identifying_attributes: - additionalProperties: - type: string - type: object - last_checkin: - type: string - last_checkin_message: - type: string - last_checkin_status: - enum: - - error - - online - - degraded - - updating - - starting - - disconnected - type: string - last_known_status: - enum: - - offline - - error - - online - - inactive - - enrolling - - unenrolling - - 
unenrolled - - updating - - degraded - - uninstalled - - orphaned - type: string - local_metadata: - additionalProperties: - nullable: true - type: object - metrics: - additionalProperties: false - type: object - properties: - cpu_avg: - type: number - memory_size_byte_avg: - type: number - namespaces: - items: - type: string - maxItems: 100 - type: array - non_identifying_attributes: - additionalProperties: - type: string - type: object - outputs: - additionalProperties: - additionalProperties: false - type: object - properties: - api_key_id: - type: string - to_retire_api_key_ids: - items: - additionalProperties: false - type: object - properties: - id: - type: string - retired_at: - type: string - required: - - id - - retired_at - maxItems: 100 - type: array - type: - type: string - type: object - packages: - items: - type: string - maxItems: 10000 - type: array - policy_id: - type: string - policy_revision: - nullable: true - type: number - sequence_num: - type: number - signals: - items: - type: string - maxItems: 50 - type: array - sort: - items: - nullable: true - maxItems: 10 - type: array - status: - enum: - - offline - - error - - online - - inactive - - enrolling - - unenrolling - - unenrolled - - updating - - degraded - - uninstalled - - orphaned - type: string - tags: - items: - type: string - maxItems: 100 - type: array - type: - enum: - - PERMANENT - - EPHEMERAL - - TEMPORARY - - OPAMP - type: string - unenrolled_at: - type: string - unenrollment_started_at: - type: string - unhealthy_reason: - items: - enum: - - input - - output - - other - type: string - maxItems: 3 - nullable: true - type: array - upgrade: - additionalProperties: false - type: object - properties: - rollbacks: - items: - additionalProperties: false - type: object - properties: - valid_until: - type: string - version: - type: string - required: - - valid_until - - version - maxItems: 100 - type: array - upgrade_attempts: - items: - type: string - maxItems: 10000 - nullable: true - 
type: array - upgrade_details: - additionalProperties: false - nullable: true - type: object - properties: - action_id: - type: string - metadata: - additionalProperties: false - type: object - properties: - download_percent: - type: number - download_rate: - type: number - error_msg: - type: string - failed_state: - enum: - - UPG_REQUESTED - - UPG_SCHEDULED - - UPG_DOWNLOADING - - UPG_EXTRACTING - - UPG_REPLACING - - UPG_RESTARTING - - UPG_FAILED - - UPG_WATCHING - - UPG_ROLLBACK - type: string - reason: - type: string - retry_error_msg: - type: string - retry_until: - type: string - scheduled_at: - type: string - state: - enum: - - UPG_REQUESTED - - UPG_SCHEDULED - - UPG_DOWNLOADING - - UPG_EXTRACTING - - UPG_REPLACING - - UPG_RESTARTING - - UPG_FAILED - - UPG_WATCHING - - UPG_ROLLBACK - type: string - target_version: - type: string - required: - - target_version - - action_id - - state - upgrade_started_at: - nullable: true - type: string - upgraded_at: - nullable: true - type: string - user_provided_metadata: - additionalProperties: - nullable: true - type: object - required: - - id - - packages - - type - - active - - enrolled_at - - local_metadata - - effective_config + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_remote_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_logstash' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_kafka' required: - item description: Successful response @@ -21224,441 +38088,211 @@ paths: application/json: examples: notFoundExample: - description: No agent was found with the given ID + description: No output was found with the given ID value: error: Not Found - message: Agent agent-id-1 not found + message: Output output-id-1 not found statusCode: 404 description: Not Found - summary: Get an agent + summary: Update output tags: - - Elastic Agents - put: - description: >- - Update an agent by ID.

[Required authorization] Route required - privileges: fleet-agents-all. - operationId: put-fleet-agents-agentid + - Fleet outputs + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/outputs/{outputId}/health: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/outputs/{outputId}/health
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the latest health status of an output by ID.

[Required authorization] Route required privileges: fleet-settings-read. + operationId: get-fleet-outputs-outputid-health parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The agent ID + - description: The ID of the output in: path - name: agentId + name: outputId required: true schema: type: string - requestBody: - content: - application/json: - examples: - putAgentRequestExample: - description: Update agent tags - value: - tags: - - production - - linux - schema: - additionalProperties: false - type: object - properties: - tags: - items: - type: string - maxItems: 10 - type: array - user_provided_metadata: - additionalProperties: - nullable: true - type: object responses: '200': content: application/json: examples: - putAgentExample: - description: Updated agent details + getOutputHealthExample: + description: The latest health status of a Fleet output value: - item: - active: true - enrolled_at: '2024-01-01T00:00:00.000Z' - id: agent-id-1 - policy_id: agent-policy-id-1 - policy_revision: 1 - status: online - tags: - - production - - linux - type: PERMANENT - updated_at: '2024-01-01T00:00:00.000Z' + message: '' + state: HEALTHY + timestamp: '2024-01-15T10:00:00.000Z' schema: additionalProperties: false type: object properties: - item: - additionalProperties: false - type: object - properties: - access_api_key: - type: string - access_api_key_id: - type: string - active: - type: boolean - agent: - additionalProperties: true - type: object - properties: - id: - type: string - type: - type: string - version: - type: string - required: - - id - - version - audit_unenrolled_reason: - type: string - capabilities: - items: - type: string - maxItems: 100 - type: array - components: - items: - additionalProperties: false - type: object - properties: - id: - type: string - message: - type: string - status: - enum: - - STARTING - - 
CONFIGURING - - HEALTHY - - DEGRADED - - FAILED - - STOPPING - - STOPPED - type: string - type: - type: string - units: - items: - additionalProperties: false - type: object - properties: - id: - type: string - message: - type: string - payload: - additionalProperties: - nullable: true - type: object - status: - enum: - - STARTING - - CONFIGURING - - HEALTHY - - DEGRADED - - FAILED - - STOPPING - - STOPPED - type: string - type: - enum: - - input - - output - - '' - type: string - required: - - id - - type - - status - - message - maxItems: 10000 - type: array - required: - - id - - type - - status - - message - maxItems: 10000 - type: array - default_api_key: - type: string - default_api_key_history: - items: - additionalProperties: false - deprecated: true - type: object - properties: - id: - type: string - retired_at: - type: string - required: - - id - - retired_at - maxItems: 100 - type: array - default_api_key_id: - type: string - effective_config: - nullable: true - enrolled_at: - type: string - health: - additionalProperties: - nullable: true - type: object - id: - type: string - identifying_attributes: - additionalProperties: - type: string - type: object - last_checkin: - type: string - last_checkin_message: - type: string - last_checkin_status: - enum: - - error - - online - - degraded - - updating - - starting - - disconnected - type: string - last_known_status: - enum: - - offline - - error - - online - - inactive - - enrolling - - unenrolling - - unenrolled - - updating - - degraded - - uninstalled - - orphaned - type: string - local_metadata: - additionalProperties: - nullable: true - type: object - metrics: - additionalProperties: false - type: object - properties: - cpu_avg: - type: number - memory_size_byte_avg: - type: number - namespaces: - items: - type: string - maxItems: 100 - type: array - non_identifying_attributes: - additionalProperties: - type: string - type: object - outputs: - additionalProperties: - additionalProperties: false - type: 
object - properties: - api_key_id: - type: string - to_retire_api_key_ids: - items: - additionalProperties: false - type: object - properties: - id: - type: string - retired_at: - type: string - required: - - id - - retired_at - maxItems: 100 - type: array - type: - type: string - type: object - packages: - items: - type: string - maxItems: 10000 - type: array - policy_id: - type: string - policy_revision: - nullable: true - type: number - sequence_num: - type: number - signals: - items: - type: string - maxItems: 50 - type: array - sort: - items: - nullable: true - maxItems: 10 - type: array - status: - enum: - - offline - - error - - online - - inactive - - enrolling - - unenrolling - - unenrolled - - updating - - degraded - - uninstalled - - orphaned - type: string - tags: - items: - type: string - maxItems: 100 - type: array - type: - enum: - - PERMANENT - - EPHEMERAL - - TEMPORARY - - OPAMP - type: string - unenrolled_at: - type: string - unenrollment_started_at: - type: string - unhealthy_reason: - items: - enum: - - input - - output - - other - type: string - maxItems: 3 - nullable: true - type: array - upgrade: - additionalProperties: false - type: object - properties: - rollbacks: - items: - additionalProperties: false - type: object - properties: - valid_until: - type: string - version: - type: string - required: - - valid_until - - version - maxItems: 100 - type: array - upgrade_attempts: - items: - type: string - maxItems: 10000 - nullable: true - type: array - upgrade_details: - additionalProperties: false - nullable: true - type: object - properties: - action_id: - type: string - metadata: - additionalProperties: false - type: object - properties: - download_percent: - type: number - download_rate: - type: number - error_msg: - type: string - failed_state: - enum: - - UPG_REQUESTED - - UPG_SCHEDULED - - UPG_DOWNLOADING - - UPG_EXTRACTING - - UPG_REPLACING - - UPG_RESTARTING - - UPG_FAILED - - UPG_WATCHING - - UPG_ROLLBACK - type: string - reason: - 
type: string - retry_error_msg: - type: string - retry_until: - type: string - scheduled_at: - type: string - state: - enum: - - UPG_REQUESTED - - UPG_SCHEDULED - - UPG_DOWNLOADING - - UPG_EXTRACTING - - UPG_REPLACING - - UPG_RESTARTING - - UPG_FAILED - - UPG_WATCHING - - UPG_ROLLBACK - type: string - target_version: - type: string - required: - - target_version - - action_id - - state - upgrade_started_at: - nullable: true - type: string - upgraded_at: - nullable: true - type: string - user_provided_metadata: - additionalProperties: - nullable: true - type: object - required: - - id - - packages - - type - - active - - enrolled_at - - local_metadata - - effective_config + message: + description: long message if unhealthy + type: string + state: + description: state of output, HEALTHY or DEGRADED + type: string + timestamp: + description: timestamp of reported state + type: string + required: + - state + - message + - timestamp + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get the latest output health + tags: + - Fleet outputs + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/package_policies: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/package_policies
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all package policies. + operationId: get-fleet-package-policies + parameters: + - description: Page number + in: query + name: page + required: false + schema: + type: number + - description: Number of results per page + in: query + name: perPage + required: false + schema: + type: number + - description: Field to sort results by + in: query + name: sortField + required: false + schema: + type: string + - description: Sort order, ascending or descending + in: query + name: sortOrder + required: false + schema: + enum: + - desc + - asc + type: string + - description: When true, only show policies with available upgrades + in: query + name: showUpgradeable + required: false + schema: + type: boolean + - description: A KQL query string to filter results + in: query + name: kuery + required: false + schema: + type: string + - description: 'Format for the response: simplified or legacy' + in: query + name: format + required: false + schema: + enum: + - simplified + - legacy + type: string + - description: When true, include the agent count per package policy + in: query + name: withAgentCount + required: false + schema: + type: boolean + responses: + '200': + content: + application/json: + examples: + getPackagePoliciesExample: + description: List of package policies + value: + items: + - created_at: '2024-01-15T10:00:00.000Z' + enabled: true + id: package-policy-id-1 + inputs: [] + name: nginx-1 + namespace: default + package: + name: nginx + title: Nginx + version: 1.20.0 + policy_ids: + - agent-policy-id-1 + updated_at: '2024-01-15T10:00:00.000Z' + page: 1 + perPage: 20 + total: 1 + schema: + additionalProperties: false + type: object + properties: + items: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_response' + maxItems: 10000 + type: array + page: + type: number + perPage: + type: number + total: + type: number required: - - item 
+ - items + - total + - page + - perPage description: Successful response '400': content: @@ -21689,26 +38323,22 @@ paths: - message - attributes description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No agent was found with the given ID - value: - error: Not Found - message: Agent agent-id-1 not found - statusCode: 404 - description: Not Found - summary: Update an agent by ID + summary: Get package policies tags: - - Elastic Agents - /api/fleet/agents/{agentId}/actions: + - Fleet package policies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name post: - description: >- - Create a new action for a specific agent.

[Required - authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-agentid-actions + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/package_policies
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new package policy and assign it to an agent policy. + operationId: post-fleet-package-policies parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -21717,134 +38347,59 @@ paths: schema: example: 'true' type: string - - description: The agent ID - in: path - name: agentId - required: true + - description: 'Format for the response: simplified or legacy' + in: query + name: format + required: false schema: + enum: + - simplified + - legacy type: string requestBody: content: application/json: examples: - postAgentActionRequestExample: - description: Create a UNENROLL action for an agent + postPackagePolicyRequestExample: + description: Create a new nginx package policy value: - action: - type: UNENROLL + inputs: {} + name: nginx-1 + namespace: default + package: + name: nginx + version: 1.20.0 + policy_ids: + - agent-policy-id-1 schema: - additionalProperties: false - type: object - properties: - action: - anyOf: - - additionalProperties: false - type: object - properties: - ack_data: - nullable: true - data: - nullable: true - type: - enum: - - UNENROLL - - UPGRADE - - POLICY_REASSIGN - type: string - required: - - type - - data - - ack_data - - additionalProperties: false - type: object - properties: - data: - additionalProperties: false - type: object - properties: - log_level: - enum: - - debug - - info - - warning - - error - nullable: true - type: string - required: - - log_level - type: - enum: - - SETTINGS - type: string - required: - - type - - data - required: - - action + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_create_package_policy_request' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_simplified_create_package_policy_request' + description: You should use inputs as an object and not use the deprecated inputs array. 
responses: '200': content: application/json: examples: - postAgentActionExample: - description: Created agent action + postPackagePolicyExample: + description: The created package policy value: item: - agents: - - agent-id-1 - created_at: '2024-01-01T00:00:00.000Z' - id: action-id-1 - type: UNENROLL + created_at: '2024-01-15T10:00:00.000Z' + enabled: true + id: package-policy-id-2 + inputs: [] + name: nginx-1 + namespace: default + package: + name: nginx + title: Nginx + version: 1.20.0 + policy_ids: + - agent-policy-id-1 + updated_at: '2024-01-15T10:00:00.000Z' schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - ack_data: - nullable: true - agents: - items: - type: string - maxItems: 10000 - type: array - created_at: - type: string - data: - nullable: true - expiration: - type: string - id: - type: string - minimum_execution_duration: - type: number - namespaces: - items: - type: string - maxItems: 100 - type: array - rollout_duration_seconds: - type: number - sent_at: - type: string - source_uri: - type: string - start_time: - type: string - total: - type: number - type: - type: string - required: - - id - - type - - data - - created_at - - ack_data - required: - - item + $ref: '#/components/schemas/Kibana_HTTP_APIs_create_package_policy_response' description: Successful response '400': content: @@ -21875,46 +38430,16 @@ paths: - message - attributes description: Bad Request - summary: Create an agent action - tags: - - Elastic Agent actions - /api/fleet/agents/{agentId}/effective_config: - get: - description: >- - Get an agent's effective config by ID.

[Required authorization] - Route required privileges: fleet-agents-read. - operationId: get-fleet-agents-agentid-effective-config - parameters: - - description: The agent ID to get effective config of - in: path - name: agentId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - successResponse: - value: - effective_config: {} - schema: - additionalProperties: false - type: object - properties: - effective_config: - nullable: true - required: - - effective_config - description: 'OK: A successful request.' - '400': + '409': content: application/json: examples: - badRequestResponse: + conflictExample: + description: A package policy with the same name already exists value: - message: Bad Request + error: Conflict + message: An error message describing what went wrong + statusCode: 409 schema: additionalProperties: false description: Generic Error @@ -21933,16 +38458,24 @@ paths: required: - message - attributes - description: A bad request. - summary: Get an agent's effective config + description: Conflict + summary: Create a package policy tags: - - Elastic Agents - /api/fleet/agents/{agentId}/migrate: + - Fleet package policies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/package_policies/_bulk_get: post: - description: >- - Migrate a single agent to another cluster.

[Required - authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-agentid-migrate + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/package_policies/_bulk_get
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get multiple package policies by ID. + operationId: post-fleet-package-policies-bulk-get parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -21951,89 +38484,63 @@ paths: schema: example: 'true' type: string - - description: The agent ID - in: path - name: agentId - required: true + - description: 'Format for the response: simplified or legacy' + in: query + name: format + required: false schema: + enum: + - simplified + - legacy type: string requestBody: content: application/json: examples: - postMigrateAgentRequestExample: - description: Migrate a single agent to another cluster + postBulkGetPackagePoliciesRequestExample: + description: Retrieve multiple package policies by ID value: - enrollment_token: enrollment-token-value - settings: - retry_max: 5 - uri: https://fleet-server.example.com:8220 + ids: + - package-policy-id-1 + - package-policy-id-2 schema: additionalProperties: false type: object properties: - enrollment_token: - type: string - settings: - additionalProperties: false - type: object - properties: - ca_sha256: - type: string - certificate_authorities: - type: string - elastic_agent_cert: - type: string - elastic_agent_cert_key: - type: string - elastic_agent_cert_key_passphrase: - type: string - headers: - additionalProperties: - type: string - type: object - insecure: - type: boolean - proxy_disabled: - type: boolean - proxy_headers: - additionalProperties: - type: string - type: object - proxy_url: - type: string - replace_token: - type: string - staging: - type: string - tags: - items: - type: string - maxItems: 10 - type: array - uri: - format: uri - type: string + ids: + description: list of package policy ids + items: + type: string + maxItems: 1000 + type: array + ignoreMissing: + type: boolean required: - - uri - - enrollment_token + - ids responses: '200': content: application/json: examples: - postMigrateAgentExample: - description: Agent migration initiated + postBulkGetPackagePoliciesExample: + description: The requested package policies value: - actionId: action-id-1 + items: + - created_at: '2024-01-15T10:00:00.000Z' + enabled: true + id: package-policy-id-1 + inputs: 
[] + name: nginx-1 + namespace: default + package: + name: nginx + title: Nginx + version: 1.20.0 + policy_ids: + - agent-policy-id-1 + updated_at: '2024-01-15T10:00:00.000Z' schema: - additionalProperties: false - type: object - properties: - actionId: - type: string - required: - - actionId + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_get_package_policies_response' description: Successful response '400': content: @@ -22064,16 +38571,42 @@ paths: - message - attributes description: Bad Request - summary: Migrate a single agent + '404': + content: + application/json: + examples: + notFoundExample: + description: One or more package policies were not found + value: + error: Not Found + message: Package policy package-policy-id-2 not found + statusCode: 404 + schema: + additionalProperties: false + type: object + properties: + message: + type: string + required: + - message + description: Not Found + summary: Bulk get package policies tags: - - Elastic Agents - /api/fleet/agents/{agentId}/privilege_level_change: - post: - description: >- - Change the privilege level of a single agent to - unprivileged.

[Required authorization] Route required - privileges: fleet-agents-all. - operationId: post-fleet-agents-agentid-privilege-level-change + - Fleet package policies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/package_policies/{packagePolicyId}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/package_policies/{packagePolicyId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a package policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all AND integrations-all. + operationId: delete-fleet-package-policies-packagepolicyid parameters: - description: A required header to protect against CSRF attacks in: header @@ -22082,58 +38615,40 @@ paths: schema: example: 'true' type: string - - description: The agent ID to change privilege level for + - description: The ID of the package policy in: path - name: agentId + name: packagePolicyId required: true schema: type: string - requestBody: - content: - application/json: - examples: - changeAgentPrivilegeLevelRequest: - value: - user_info: - groupname: groupname - password: password - username: username - schema: - additionalProperties: false - nullable: true - type: object - properties: - user_info: - additionalProperties: false - type: object - properties: - groupname: - type: string - password: - type: string - username: - type: string + - description: When true, delete the package policy even if it is managed + in: query + name: force + required: false + schema: + type: boolean responses: '200': content: application/json: examples: - successResponse: + deletePackagePolicyExample: + description: The package policy was successfully deleted value: - actionId: actionId + id: package-policy-id-1 schema: - anyOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_action_id_response' - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_action_message_response - description: 'OK: A successful request.' + $ref: '#/components/schemas/Kibana_HTTP_APIs_delete_one_package_policy_response' + description: Successful response '400': content: application/json: examples: - badRequestResponse: + genericErrorResponseExample: + description: Example of a generic error response value: - message: Bad Request + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: additionalProperties: false description: Generic Error 
@@ -22152,59 +38667,69 @@ paths: required: - message - attributes - description: A bad request. - summary: Change agent privilege level + description: Bad Request + summary: Delete a package policy tags: - - Elastic Agents - x-state: Technical Preview - /api/fleet/agents/{agentId}/reassign: - post: - description: >- - Reassign an agent to a different agent policy.

[Required - authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-agentid-reassign + - Fleet package policies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/package_policies/{packagePolicyId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a package policy by ID. + operationId: get-fleet-package-policies-packagepolicyid parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The agent ID + - description: The ID of the package policy in: path - name: agentId - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - postReassignAgentRequestExample: - description: Reassign an agent to a different policy - value: - policy_id: agent-policy-id-2 - schema: - additionalProperties: false - type: object - properties: - policy_id: - type: string - required: - - policy_id + name: packagePolicyId + required: true + schema: + type: string + - description: 'Format for the response: simplified or legacy' + in: query + name: format + required: false + schema: + enum: + - simplified + - legacy + type: string responses: '200': content: application/json: examples: - postReassignAgentExample: - description: Agent successfully reassigned - value: {} + getPackagePolicyExample: + description: A package policy + value: + item: + created_at: '2024-01-15T10:00:00.000Z' + enabled: true + id: package-policy-id-1 + inputs: [] + name: nginx-1 + namespace: default + package: + name: nginx + title: Nginx + version: 1.20.0 + policy_ids: + - agent-policy-id-1 + updated_at: '2024-01-15T10:00:00.000Z' schema: additionalProperties: false type: object - properties: {} + properties: + item: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_response' + required: + - item description: Successful response '400': content: 
@@ -22235,61 +38760,41 @@ paths: - message - attributes description: Bad Request - summary: Reassign an agent - tags: - - Elastic Agent actions - /api/fleet/agents/{agentId}/remove_collector: - post: - description: >- - Remove a specific OpAMP collector from the Fleet agents list. Marks the - collector as unenrolled. This action does not invalidate API keys, so - the collector can reconnect on its own.

[Required - authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-agentid-remove-collector - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The collector agent ID - in: path - name: agentId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - postRemoveCollectorExample: - description: Collector successfully removed - value: {} - description: Successful response - '400': + '404': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + notFoundExample: + description: No package policy was found with the given ID value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - description: Bad Request - summary: Remove an OpAMP collector + error: Not Found + message: Package policy package-policy-id-1 not found + statusCode: 404 + schema: + additionalProperties: false + type: object + properties: + message: + type: string + required: + - message + description: Not Found + summary: Get a package policy tags: - - Elastic Agent actions - x-state: Technical Preview - /api/fleet/agents/{agentId}/request_diagnostics: - post: - description: >- - Request a diagnostics bundle from a specific agent.

[Required - authorization] Route required privileges: fleet-agents-read. - operationId: post-fleet-agents-agentid-request-diagnostics + - Fleet package policies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/fleet/package_policies/{packagePolicyId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update a package policy by ID. + operationId: put-fleet-package-policies-packagepolicyid parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -22298,50 +38803,71 @@ paths: schema: example: 'true' type: string - - description: The agent ID + - description: The ID of the package policy in: path - name: agentId + name: packagePolicyId required: true schema: type: string + - description: 'Format for the response: simplified or legacy' + in: query + name: format + required: false + schema: + enum: + - simplified + - legacy + type: string requestBody: content: application/json: examples: - postRequestDiagnosticsRequestExample: - description: Request a diagnostics bundle from an agent + putPackagePolicyRequestExample: + description: Update a package policy value: - additional_metrics: - - CPU + enabled: true + inputs: {} + name: nginx-1-updated + namespace: default + package: + name: nginx + version: 1.20.0 + policy_ids: + - agent-policy-id-1 schema: - additionalProperties: false - nullable: true - type: object - properties: - additional_metrics: - items: - enum: - - CPU - type: string - maxItems: 1 - type: array + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_package_policy_request' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_simplified_create_package_policy_request' responses: '200': content: application/json: examples: - postRequestDiagnosticsExample: - description: Diagnostics action result + putPackagePolicyExample: + description: The updated package policy value: - actionId: action-id-1 + item: + created_at: '2024-01-15T10:00:00.000Z' + enabled: true + id: package-policy-id-1 + inputs: [] + name: nginx-1-updated + namespace: default + package: + name: nginx + title: Nginx + version: 1.20.0 + policy_ids: + - agent-policy-id-1 + updated_at: '2024-01-15T11:00:00.000Z' schema: additionalProperties: false type: object properties: - actionId: - type: string + item: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_response' required: - - actionId + - item description: Successful response '400': content: 
@@ -22351,9 +38877,7 @@ paths: description: Example of a generic error response value: error: Bad Request - message: >- - Agent agent-id-1 does not support request diagnostics - action. + message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false @@ -22374,50 +38898,16 @@ paths: - message - attributes description: Bad Request - summary: Request agent diagnostics - tags: - - Elastic Agent actions - /api/fleet/agents/{agentId}/rollback: - post: - description: >- - Rollback an agent to the previous version.

[Required - authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-agentid-rollback - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The agent ID to rollback - in: path - name: agentId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - successResponse: - value: - actionId: actionId - schema: - anyOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_action_id_response' - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_action_message_response - description: 'OK: A successful request.' - '400': + '403': content: application/json: examples: - badRequestResponse: + forbiddenExample: + description: The update is not authorized for this package value: - message: Bad Request + error: Forbidden + message: An error message describing what went wrong + statusCode: 403 schema: additionalProperties: false description: Generic Error @@ -22436,18 +38926,24 @@ paths: required: - message - attributes - description: A bad request. - summary: Rollback an agent + description: Forbidden + summary: Update a package policy tags: - - Elastic Agent actions - x-state: Technical Preview - /api/fleet/agents/{agentId}/unenroll: + - Fleet package policies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/package_policies/delete: post: - description: >- - Unenroll a specific agent, optionally revoking its enrollment API - key.

[Required authorization] Route required privileges: - fleet-agents-all. - operationId: post-fleet-agents-agentid-unenroll + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/package_policies/delete
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete multiple package policies by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all AND integrations-all. + operationId: post-fleet-package-policies-delete parameters: - description: A required header to protect against CSRF attacks in: header @@ -22456,37 +38952,35 @@ paths: schema: example: 'true' type: string - - description: The agent ID - in: path - name: agentId - required: true - schema: - type: string requestBody: content: application/json: examples: - postUnenrollAgentRequestExample: - description: Unenroll an agent, optionally revoking the enrollment API key + postDeletePackagePoliciesRequestExample: + description: Delete multiple package policies by ID value: - revoke: false + packagePolicyIds: + - package-policy-id-1 + - package-policy-id-2 schema: - additionalProperties: false - nullable: true - type: object - properties: - force: - type: boolean - revoke: - type: boolean + $ref: '#/components/schemas/Kibana_HTTP_APIs_delete_package_policies_request' responses: '200': content: application/json: examples: - postUnenrollAgentExample: - description: Agent successfully unenrolled - value: {} + postDeletePackagePoliciesExample: + description: Results of the bulk delete operation + value: + - id: package-policy-id-1 + success: true + - id: package-policy-id-2 + success: true + schema: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_status_response' + maxItems: 10000 + type: array description: Successful response '400': content: 
@@ -22498,16 +38992,42 @@ paths: error: Bad Request message: An error message describing what went wrong statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes description: Bad Request - summary: Unenroll an agent + summary: Bulk delete package policies tags: - - Elastic Agent actions - /api/fleet/agents/{agentId}/upgrade: + - Fleet package policies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/package_policies/upgrade: post: - description: >- - Upgrade a specific agent to a newer version.

[Required - authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-agentid-upgrade + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/package_policies/upgrade
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Upgrade a package policy to a newer package version.

[Required authorization] Route required privileges: fleet-agent-policies-all AND integrations-all. + operationId: post-fleet-package-policies-upgrade parameters: - description: A required header to protect against CSRF attacks in: header @@ -22516,46 +39036,33 @@ paths: schema: example: 'true' type: string - - description: The agent ID - in: path - name: agentId - required: true - schema: - type: string requestBody: content: application/json: examples: - postUpgradeAgentRequestExample: - description: Upgrade an agent to a specific version + postUpgradePackagePoliciesRequestExample: + description: Upgrade package policies to the latest version value: - version: 8.17.0 + packagePolicyIds: + - package-policy-id-1 schema: - additionalProperties: false - type: object - properties: - force: - type: boolean - skipRateLimitCheck: - type: boolean - source_uri: - type: string - version: - type: string - required: - - version + $ref: '#/components/schemas/Kibana_HTTP_APIs_upgrade_package_policies_request' responses: '200': content: application/json: examples: - postUpgradeAgentExample: - description: Agent upgrade initiated - value: {} + postUpgradePackagePoliciesExample: + description: Results of the upgrade operation + value: + - id: package-policy-id-1 + name: nginx-1 + success: true schema: - additionalProperties: false - type: object - properties: {} + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_status_response' + maxItems: 10000 + type: array description: Successful response '400': content: @@ -22586,78 +39093,192 @@ paths: - message - attributes description: Bad Request - summary: Upgrade an agent + summary: Upgrade a package policy tags: - - Elastic Agent actions - /api/fleet/agents/{agentId}/uploads: - get: - description: >- - Get a list of files uploaded by a specific agent.

[Required - authorization] Route required privileges: fleet-agents-read. - operationId: get-fleet-agents-agentid-uploads + - Fleet package policies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/package_policies/upgrade/dryrun: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/package_policies/upgrade/dryrun
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Preview the changes that would be applied by upgrading a package policy to a newer package version.

[Required authorization] Route required privileges: fleet-agent-policies-read AND integrations-read. + operationId: post-fleet-package-policies-upgrade-dryrun parameters: - - description: The agent ID - in: path - name: agentId + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: + example: 'true' type: string + requestBody: + content: + application/json: + examples: + postDryRunPackagePoliciesRequestExample: + description: Dry run an upgrade of a package policy + value: + packagePolicyIds: + - package-policy-id-1 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_dry_run_package_policies_request' responses: '200': content: application/json: examples: - getAgentUploadsExample: - description: List of files uploaded by the agent + postDryRunPackagePoliciesExample: + description: Preview of the package policy upgrade diff value: - items: - - actionId: action-id-1 - createTime: '2024-01-01T00:00:00.000Z' - filePath: /tmp/diagnostics-2024-01-01.zip - id: file-id-1 - name: diagnostics-2024-01-01.zip - status: READY + - diff: + - id: package-policy-id-1 + name: nginx-1 + package: + name: nginx + version: 1.20.0 + - name: nginx-1 + package: + name: nginx + version: 1.21.0 + hasErrors: false + name: nginx-1 schema: - additionalProperties: false - type: object - properties: - items: - items: + items: + additionalProperties: false + type: object + properties: + agent_diff: + items: + items: + additionalProperties: true + type: object + properties: + data_stream: + additionalProperties: true + type: object + properties: + namespace: + type: string + required: + - namespace + id: + type: string + meta: + additionalProperties: true + type: object + properties: + package: + additionalProperties: true + type: object + properties: + name: + type: string + version: + type: string + required: + - name + - version + required: + - package + name: + type: string + package_policy_id: + type: string + processors: + 
items: + additionalProperties: true + type: object + properties: + add_fields: + additionalProperties: true + type: object + properties: + fields: + additionalProperties: + anyOf: + - type: string + - type: number + type: object + target: + type: string + required: + - target + - fields + required: + - add_fields + maxItems: 10000 + type: array + revision: + type: number + streams: + items: + additionalProperties: true + type: object + properties: + data_stream: + additionalProperties: true + type: object + properties: + dataset: + type: string + type: + type: string + required: + - dataset + id: + type: string + required: + - data_stream + maxItems: 10000 + type: array + type: + type: string + use_output: + type: string + required: + - id + - name + - revision + - type + - data_stream + - use_output + - package_policy_id + maxItems: 10000 + type: array + maxItems: 1 + type: array + body: additionalProperties: false type: object - properties: - actionId: - type: string - createTime: - type: string - error: - type: string - filePath: - type: string - id: - type: string - name: - type: string - status: - enum: - - READY - - AWAITING_UPLOAD - - DELETED - - EXPIRED - - IN_PROGRESS - - FAILED + properties: + message: type: string required: - - id - - name - - filePath - - createTime - - status - - actionId - maxItems: 10000 - type: array - required: - - items + - message + diff: + items: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_response' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_dry_run_package_policy' + maxItems: 2 + type: array + hasErrors: + type: boolean + name: + type: string + statusCode: + type: number + required: + - hasErrors + maxItems: 10000 + type: array description: Successful response '400': content: 
@@ -22688,66 +39309,40 @@ paths: - message - attributes description: Bad Request - summary: Get agent uploads + summary: Dry run a package policy upgrade tags: - - Elastic Agents - /api/fleet/agents/action_status: + - Fleet package policies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/proxies: get: - description: >- - Get the current status of recent agent actions.

[Required - authorization] Route required privileges: fleet-agents-read. - operationId: get-fleet-agents-action-status - parameters: - - description: Page number - in: query - name: page - required: false - schema: - default: 0 - type: number - - description: Number of results per page - in: query - name: perPage - required: false - schema: - default: 20 - type: number - - description: Return actions created before this date - in: query - name: date - required: false - schema: - type: string - - description: Return only the latest N actions - in: query - name: latest - required: false - schema: - type: number - - description: Number of error details to include per action - in: query - name: errorSize - required: false - schema: - default: 5 - type: number + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/proxies
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all Fleet proxies.

[Required authorization] Route required privileges: fleet-settings-read. + operationId: get-fleet-proxies + parameters: [] responses: '200': content: application/json: examples: - getActionStatusExample: - description: Status of recent agent actions + getFleetProxiesExample: + description: List of Fleet proxies value: items: - - actionId: action-id-1 - completionTime: '2024-01-01T00:05:00.000Z' - creationTime: '2024-01-01T00:00:00.000Z' - nbAgentsAck: 2 - nbAgentsActioned: 2 - nbAgentsFailed: 0 - status: COMPLETE - type: UPGRADE + - id: proxy-id-1 + is_preconfigured: false + name: My proxy + url: http://proxy.example.com:3128 + page: 1 + perPage: 20 + total: 1 schema: additionalProperties: false type: object 
@@ -22757,108 +39352,49 @@ paths: additionalProperties: false type: object properties: - actionId: - type: string - cancellationTime: + certificate: + nullable: true type: string - completionTime: + certificate_authorities: + nullable: true type: string - creationTime: - description: creation time of action + certificate_key: + nullable: true type: string - expiration: + id: type: string - hasRolloutPeriod: - type: boolean - is_automatic: + is_preconfigured: + default: false type: boolean - latestErrors: - items: - additionalProperties: false - description: >- - latest errors that happened when the agents - executed the action - type: object - properties: - agentId: - type: string - error: - type: string - hostname: - type: string - timestamp: - type: string - required: - - agentId - - error - - timestamp - maxItems: 10 - type: array - nbAgentsAck: - description: number of agents that acknowledged the action - type: number - nbAgentsActionCreated: - description: number of agents included in action from kibana - type: number - nbAgentsActioned: - description: number of agents actioned - type: number - nbAgentsFailed: - description: number of agents that failed to execute the action - type: number - newPolicyId: - description: new policy id (POLICY_REASSIGN action) - type: string - policyId: - description: policy id (POLICY_CHANGE action) - type: string - revision: - description: new policy revision (POLICY_CHANGE action) - type: number - startTime: - description: start time of action (scheduled actions) - type: string - status: - enum: - - COMPLETE - - EXPIRED - - CANCELLED - - FAILED - - IN_PROGRESS - - ROLLOUT_PASSED - type: string - type: - enum: - - UPGRADE - - UNENROLL - - SETTINGS - - POLICY_REASSIGN - - CANCEL - - FORCE_UNENROLL - - REQUEST_DIAGNOSTICS - - UPDATE_TAGS - - POLICY_CHANGE - - INPUT_ACTION - - MIGRATE - - PRIVILEGE_LEVEL_CHANGE - - ROLLBACK + name: type: string - version: - description: agent version number (UPGRADE action) + proxy_headers: + 
additionalProperties: + anyOf: + - type: string + - type: boolean + - type: number + nullable: true + type: object + url: type: string required: - - actionId - - nbAgentsActionCreated - - nbAgentsAck - - nbAgentsFailed - - type - - nbAgentsActioned - - status - - creationTime + - id + - url + - name maxItems: 10000 type: array + page: + type: number + perPage: + type: number + total: + type: number required: - items + - total + - page + - perPage description: Successful response '400': content: @@ -22889,15 +39425,22 @@ paths: - message - attributes description: Bad Request - summary: Get an agent action status + summary: Get proxies tags: - - Elastic Agent actions - /api/fleet/agents/actions/{actionId}/cancel: + - Fleet proxies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name post: - description: >- - Cancel a pending action for a specific agent.

[Required - authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-actions-actionid-cancel + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/proxies
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new Fleet proxy.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: post-fleet-proxies parameters: - description: A required header to protect against CSRF attacks in: header @@ -22906,33 +39449,61 @@ paths: schema: example: 'true' type: string - - description: The ID of the action to cancel - in: path - name: actionId - required: true - schema: - type: string requestBody: content: application/json: examples: - postCancelActionRequestExample: - description: Cancel an agent action - value: {} + postFleetProxyRequestExample: + description: Create a new Fleet proxy + value: + name: My proxy + url: http://proxy.example.com:3128 + schema: + additionalProperties: false + type: object + properties: + certificate: + nullable: true + type: string + certificate_authorities: + nullable: true + type: string + certificate_key: + nullable: true + type: string + id: + type: string + is_preconfigured: + default: false + type: boolean + name: + type: string + proxy_headers: + additionalProperties: + anyOf: + - type: string + - type: boolean + - type: number + nullable: true + type: object + url: + type: string + required: + - url + - name responses: '200': content: application/json: examples: - postCancelActionExample: - description: Cancellation action created + postFleetProxyExample: + description: The created Fleet proxy value: item: - agents: - - agent-id-1 - created_at: '2024-01-01T00:00:00.000Z' - id: cancel-action-id-1 - type: CANCEL + id: proxy-id-2 + is_preconfigured: false + name: My proxy + url: http://proxy.example.com:3128 schema: additionalProperties: false type: object 
@@ -22941,46 +39512,36 @@ paths: additionalProperties: false type: object properties: - ack_data: + certificate: nullable: true - agents: - items: - type: string - maxItems: 10000 - type: array - created_at: type: string - data: + certificate_authorities: nullable: true - expiration: type: string - id: - type: string - minimum_execution_duration: - type: number - namespaces: - items: - type: string - maxItems: 100 - type: array - rollout_duration_seconds: - type: number - sent_at: + certificate_key: + nullable: true type: string - source_uri: + id: type: string - start_time: + is_preconfigured: + default: false + type: boolean + name: type: string - total: - type: number - type: + proxy_headers: + additionalProperties: + anyOf: + - type: string + - type: boolean + - type: number + nullable: true + type: object + url: type: string required: - id - - type - - data - - created_at - - ack_data + - url + - name required: - item description: Successful response @@ -23013,40 +39574,54 @@ paths: - message - attributes description: Bad Request - summary: Cancel an agent action + summary: Create a proxy tags: - - Elastic Agent actions - /api/fleet/agents/available_versions: - get: - description: >- - Get a list of Elastic Agent versions available for - upgrade.

[Required authorization] Route required privileges: - fleet-agents-read. - operationId: get-fleet-agents-available-versions - parameters: [] + - Fleet proxies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/proxies/{itemId}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/proxies/{itemId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a proxy by ID

[Required authorization] Route required privileges: fleet-settings-all. + operationId: delete-fleet-proxies-itemid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The ID of the proxy + in: path + name: itemId + required: true + schema: + type: string responses: '200': content: application/json: examples: - getAvailableVersionsExample: - description: List of available agent versions for upgrade + deleteFleetProxyExample: + description: The Fleet proxy was successfully deleted value: - items: - - 8.17.0 - - 8.16.3 - - 8.16.2 + id: proxy-id-1 schema: additionalProperties: false type: object properties: - items: - items: - type: string - maxItems: 10000 - type: array + id: + type: string required: - - items + - id description: Successful response '400': content: @@ -23077,111 +39652,93 @@ paths: - message - attributes description: Bad Request - summary: Get available agent versions + '404': + content: + application/json: + examples: + notFoundExample: + description: No proxy was found with the given ID + value: + error: Not Found + message: Fleet proxy proxy-id-1 not found + statusCode: 404 + description: Not Found + summary: Delete a proxy tags: - - Elastic Agents - /api/fleet/agents/bulk_migrate: - post: - description: >- - Bulk migrate agents to another cluster.

[Required - authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-bulk-migrate + - Fleet proxies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/proxies/{itemId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a proxy by ID.

[Required authorization] Route required privileges: fleet-settings-read. + operationId: get-fleet-proxies-itemid parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf + - description: The ID of the proxy + in: path + name: itemId required: true schema: - example: 'true' type: string - requestBody: - content: - application/json: - examples: - postBulkMigrateAgentsRequestExample: - description: Migrate multiple agents to another cluster - value: - agents: - - agent-id-1 - - agent-id-2 - enrollment_token: enrollment-token-value - settings: - retry_max: 5 - uri: https://fleet-server.example.com:8220 - schema: - additionalProperties: false - type: object - properties: - agents: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - type: string - batchSize: - type: number - enrollment_token: - type: string - settings: - additionalProperties: false - type: object - properties: - ca_sha256: - type: string - certificate_authorities: - type: string - elastic_agent_cert: - type: string - elastic_agent_cert_key: - type: string - elastic_agent_cert_key_passphrase: - type: string - headers: - additionalProperties: - type: string - type: object - insecure: - type: boolean - proxy_disabled: - type: boolean - proxy_headers: - additionalProperties: - type: string - type: object - proxy_url: - type: string - staging: - type: string - tags: - items: - type: string - maxItems: 10 - type: array - uri: - format: uri - type: string - required: - - agents - - uri - - enrollment_token responses: '200': content: application/json: examples: - postBulkMigrateAgentsExample: - description: Bulk agent migration initiated + getFleetProxyExample: + description: A Fleet proxy value: - actionId: action-id-1 + item: + id: proxy-id-1 + is_preconfigured: false + name: My proxy + url: http://proxy.example.com:3128 schema: additionalProperties: false type: object properties: - actionId: - type: string + item: + additionalProperties: 
false + type: object + properties: + certificate: + nullable: true + type: string + certificate_authorities: + nullable: true + type: string + certificate_key: + nullable: true + type: string + id: + type: string + is_preconfigured: + default: false + type: boolean + name: + type: string + proxy_headers: + additionalProperties: + anyOf: + - type: string + - type: boolean + - type: number + nullable: true + type: object + url: + type: string + required: + - id + - url + - name required: - - actionId + - item description: Successful response '400': content: @@ -23212,16 +39769,33 @@ paths: - message - attributes description: Bad Request - summary: Migrate multiple agents + '404': + content: + application/json: + examples: + notFoundExample: + description: No proxy was found with the given ID + value: + error: Not Found + message: Fleet proxy proxy-id-1 not found + statusCode: 404 + description: Not Found + summary: Get a proxy tags: - - Elastic Agents - /api/fleet/agents/bulk_privilege_level_change: - post: - description: >- - Change multiple agents' privilege level to - unprivileged.

[Required authorization] Route required - privileges: fleet-agents-all. - operationId: post-fleet-agents-bulk-privilege-level-change + - Fleet proxies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/fleet/proxies/{itemId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update a proxy by ID.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: put-fleet-proxies-itemid parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -23230,66 +39804,114 @@ paths: schema: example: 'true' type: string + - description: The ID of the proxy + in: path + name: itemId + required: true + schema: + type: string requestBody: content: application/json: examples: - bulkChangeAgentPrivilegeLevelRequest: + putFleetProxyRequestExample: + description: Update a Fleet proxy value: - agents: agent - user_info: - groupname: groupname - password: password - username: username + name: Updated proxy + url: http://updated-proxy.example.com:3128 schema: additionalProperties: false type: object properties: - agents: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - type: string - batchSize: - type: number - user_info: - additionalProperties: false + certificate: + nullable: true + type: string + certificate_authorities: + nullable: true + type: string + certificate_key: + nullable: true + type: string + name: + type: string + proxy_headers: + additionalProperties: + anyOf: + - type: string + - type: boolean + - type: number + nullable: true type: object - properties: - groupname: - type: string - password: - type: string - username: - type: string + url: + type: string required: - - agents + - certificate_authorities + - certificate + - certificate_key responses: '200': content: application/json: examples: - successResponse: + putFleetProxyExample: + description: The updated Fleet proxy value: - actionId: actionId + item: + id: proxy-id-1 + is_preconfigured: false + name: Updated proxy + url: http://updated-proxy.example.com:3128 schema: additionalProperties: false type: object properties: - actionId: - type: string + item: + additionalProperties: false + type: object + properties: + certificate: + nullable: true + type: string + certificate_authorities: + nullable: true + type: string + certificate_key: + nullable: true + type: string + id: + type: string + is_preconfigured: + default: false + type: boolean + name: + type: string + proxy_headers: + additionalProperties: + anyOf: + - type: 
string + - type: boolean + - type: number + nullable: true + type: object + url: + type: string + required: + - id + - url + - name required: - - actionId - description: 'OK: A successful request.' + - item + description: Successful response '400': content: application/json: examples: - badRequestResponse: + genericErrorResponseExample: + description: Example of a generic error response value: - message: Bad Request + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: additionalProperties: false description: Generic Error @@ -23308,17 +39930,35 @@ paths: required: - message - attributes - description: A bad request. - summary: Bulk change agent privilege level + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No proxy was found with the given ID + value: + error: Not Found + message: Proxy proxy-id-1 not found + statusCode: 404 + description: Not Found + summary: Update a proxy tags: - - Elastic Agents - x-state: Technical Preview - /api/fleet/agents/bulk_reassign: + - Fleet proxies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/service_tokens: post: - description: >- - Reassign multiple agents to a different agent policy.

[Required - authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-bulk-reassign + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/service_tokens
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a Fleet Server service token. The token is used to enroll Fleet Server instances with Kibana.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-service-tokens parameters: - description: A required header to protect against CSRF attacks in: header @@ -23331,51 +39971,39 @@ paths: content: application/json: examples: - postBulkReassignAgentsRequestExample: - description: Reassign multiple agents to a different policy + postGenerateServiceTokenRequestExample: + description: Generate a service token for a remote Fleet Server value: - agents: - - agent-id-1 - - agent-id-2 - policy_id: agent-policy-id-2 + remote: true schema: additionalProperties: false + nullable: true type: object properties: - agents: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - type: string - batchSize: - type: number - includeInactive: + remote: default: false type: boolean - policy_id: - type: string - required: - - policy_id - - agents responses: '200': content: application/json: examples: - postBulkReassignAgentsExample: - description: Bulk reassign action result + postGenerateServiceTokenExample: + description: The generated Fleet Server service token value: - actionId: action-id-1 + name: elastic/fleet-server/token-1234567890 + value: AAEAAWVsYXN0aWMvZmxlZXQtc2VydmVyL3Rva2VuLTEyMzQ1Njc4OTA6QUJDREVGR0hJSktMTU5P schema: additionalProperties: false type: object properties: - actionId: + name: + type: string + value: type: string required: - - actionId + - name + - value description: Successful response '400': content: @@ -23406,72 +40034,118 @@ paths: - message - attributes description: Bad Request - summary: Bulk reassign agents + summary: Create a service token tags: - - Elastic Agent actions - /api/fleet/agents/bulk_remove_collectors: - post: - description: >- - Remove multiple OpAMP collectors from the Fleet agents list. Marks the - collectors as unenrolled. This action does not invalidate API keys, so - collectors can reconnect on their own.

[Required authorization] - Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-bulk-remove-collectors - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postBulkRemoveCollectorsRequestExample: - description: Remove multiple OpAMP collectors - value: - agents: - - collector-id-1 - - collector-id-2 - schema: - additionalProperties: false - type: object - properties: - agents: - anyOf: - - items: - description: List of collector agent IDs - type: string - maxItems: 10000 - type: array - - description: KQL query string. Leave empty to target all collectors - type: string - includeInactive: - description: >- - When passing collectors by KQL query, also removes inactive - collectors - type: boolean - required: - - agents + - Fleet service tokens + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/settings: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/settings
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the global Fleet settings.

[Required authorization] Route required privileges: fleet-settings-read. + operationId: get-fleet-settings + parameters: [] responses: '200': content: application/json: examples: - postBulkRemoveCollectorsExample: - description: Bulk remove collectors action result + getSettingsExample: + description: The current Fleet settings value: - actionId: action-id-1 + item: + delete_unenrolled_agents: + enabled: false + is_preconfigured: false + has_seen_add_data_notice: true + id: fleet-default-settings + output_secret_storage_requirements_met: true + prerelease_integrations_enabled: false + secret_storage_requirements_met: true + version: WzEsMV0= schema: additionalProperties: false type: object properties: - actionId: - type: string + item: + additionalProperties: false + type: object + properties: + action_secret_storage_requirements_met: + type: boolean + delete_unenrolled_agents: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + is_preconfigured: + type: boolean + required: + - enabled + - is_preconfigured + download_source_auth_secret_storage_requirements_met: + type: boolean + has_seen_add_data_notice: + type: boolean + id: + type: string + ilm_migration_status: + additionalProperties: false + type: object + properties: + logs: + enum: + - success + nullable: true + type: string + metrics: + enum: + - success + nullable: true + type: string + synthetics: + enum: + - success + nullable: true + type: string + integration_knowledge_enabled: + type: boolean + output_secret_storage_requirements_met: + type: boolean + preconfigured_fields: + items: + enum: + - fleet_server_hosts + type: string + maxItems: 1 + type: array + prerelease_integrations_enabled: + type: boolean + secret_storage_requirements_met: + type: boolean + ssl_secret_storage_requirements_met: + type: boolean + use_space_awareness_migration_started_at: + nullable: true + type: string + use_space_awareness_migration_status: + enum: + - pending + - success + - error + 
type: string + version: + type: string required: - - actionId + - item description: Successful response '400': content: @@ -23502,16 +40176,41 @@ paths: - message - attributes description: Bad Request - summary: Bulk remove OpAMP collectors + '404': + content: + application/json: + examples: + notFoundExample: + description: Fleet settings have not been initialized + value: + error: Not Found + message: Settings not found + statusCode: 404 + schema: + additionalProperties: false + type: object + properties: + message: + type: string + required: + - message + description: Not Found + summary: Get settings tags: - - Elastic Agent actions - x-state: Technical Preview - /api/fleet/agents/bulk_request_diagnostics: - post: - description: >- - Request diagnostics bundles from multiple agents.

[Required - authorization] Route required privileges: fleet-agents-read. - operationId: post-fleet-agents-bulk-request-diagnostics + - Fleet internals + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/fleet/settings
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update the global Fleet settings.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: put-fleet-settings parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -23524,53 +40223,139 @@ paths: content: application/json: examples: - postBulkRequestDiagnosticsRequestExample: - description: Request diagnostics bundles from multiple agents + putSettingsRequestExample: + description: Update Fleet settings to enable pre-release integrations value: - additional_metrics: - - CPU - agents: - - agent-id-1 - - agent-id-2 + prerelease_integrations_enabled: true schema: additionalProperties: false type: object properties: - additional_metrics: + additional_yaml_config: + deprecated: true + type: string + delete_unenrolled_agents: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + is_preconfigured: + type: boolean + required: + - enabled + - is_preconfigured + has_seen_add_data_notice: + deprecated: true + type: boolean + integration_knowledge_enabled: + type: boolean + kibana_ca_sha256: + deprecated: true + type: string + kibana_urls: + deprecated: true items: - enum: - - CPU + format: uri type: string - maxItems: 1 + maxItems: 10 type: array - agents: - anyOf: - - items: + prerelease_integrations_enabled: + type: boolean + responses: + '200': + content: + application/json: + examples: + putSettingsExample: + description: The updated Fleet settings + value: + item: + delete_unenrolled_agents: + enabled: false + is_preconfigured: false + has_seen_add_data_notice: true + id: fleet-default-settings + output_secret_storage_requirements_met: true + prerelease_integrations_enabled: true + secret_storage_requirements_met: true + version: WzIsMV0= + schema: + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + action_secret_storage_requirements_met: + type: boolean + delete_unenrolled_agents: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + is_preconfigured: + type: boolean + required: + - enabled + - is_preconfigured + download_source_auth_secret_storage_requirements_met: + type: boolean + 
has_seen_add_data_notice: + type: boolean + id: + type: string + ilm_migration_status: + additionalProperties: false + type: object + properties: + logs: + enum: + - success + nullable: true + type: string + metrics: + enum: + - success + nullable: true + type: string + synthetics: + enum: + - success + nullable: true + type: string + integration_knowledge_enabled: + type: boolean + output_secret_storage_requirements_met: + type: boolean + preconfigured_fields: + items: + enum: + - fleet_server_hosts + type: string + maxItems: 1 + type: array + prerelease_integrations_enabled: + type: boolean + secret_storage_requirements_met: + type: boolean + ssl_secret_storage_requirements_met: + type: boolean + use_space_awareness_migration_started_at: + nullable: true + type: string + use_space_awareness_migration_status: + enum: + - pending + - success + - error + type: string + version: type: string - maxItems: 10000 - type: array - - type: string - batchSize: - type: number - required: - - agents - responses: - '200': - content: - application/json: - examples: - postBulkRequestDiagnosticsExample: - description: Bulk diagnostics action result - value: - actionId: action-id-1 - schema: - additionalProperties: false - type: object - properties: - actionId: - type: string required: - - actionId + - item description: Successful response '400': content: 
@@ -23601,15 +40386,42 @@ paths: - message - attributes description: Bad Request - summary: Bulk request diagnostics from agents + '404': + content: + application/json: + examples: + notFoundExample: + description: Fleet settings have not been initialized + value: + error: Not Found + message: Settings not found + statusCode: 404 + schema: + additionalProperties: false + type: object + properties: + message: + type: string + required: + - message + description: Not Found + summary: Update settings tags: - - Elastic Agent actions - /api/fleet/agents/bulk_rollback: + - Fleet internals + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/setup: post: - description: >- - Rollback multiple agents to the previous version.

[Required - authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-bulk-rollback + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/setup
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Initialize Fleet and create the necessary Elasticsearch resources for Fleet to operate. Safe to call multiple times (idempotent). Returns the initialization status and any non-fatal errors encountered during setup.

[Required authorization] Route required privileges: fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup. + operationId: post-fleet-setup parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -23618,64 +40430,58 @@ paths: schema: example: 'true' type: string - requestBody: - content: - application/json: - examples: - bulkRollbackAgentsRequest: - value: - agents: - - agent-1 - - agent-2 - batchSize: 100 - includeInactive: false - schema: - additionalProperties: false - type: object - properties: - agents: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - type: string - batchSize: - type: number - includeInactive: - default: false - type: boolean - required: - - agents responses: '200': content: application/json: examples: - successResponse: + fleetSetupSuccessExample: + description: Fleet initialized successfully with no non-fatal errors value: - actionIds: - - actionId1 - - actionId2 + isInitialized: true + nonFatalErrors: [] + fleetSetupWithNonFatalErrorsExample: + description: Fleet initialized but encountered non-fatal errors during setup + value: + isInitialized: true + nonFatalErrors: + - message: Package fleet_server not found in registry + name: PackageNotFoundError schema: additionalProperties: false + description: A summary of the result of Fleet's `setup` lifecycle. If `isInitialized` is true, Fleet is ready to accept agent enrollment. `nonFatalErrors` may include useful insight into non-blocking issues with Fleet setup. type: object properties: - actionIds: + isInitialized: + type: boolean + nonFatalErrors: items: - type: string + additionalProperties: false + type: object + properties: + message: + type: string + name: + type: string + required: + - name + - message maxItems: 10000 type: array required: - - actionIds - description: 'OK: A successful request.' 
+ - isInitialized + - nonFatalErrors + description: Fleet setup completed '400': content: application/json: examples: - badRequestResponse: + genericErrorResponseExample: + description: Example of a generic error response value: - message: Bad Request + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: additionalProperties: false description: Generic Error @@ -23694,121 +40500,93 @@ paths: required: - message - attributes - description: A bad request. - summary: Bulk rollback agents - tags: - - Elastic Agent actions - x-state: Technical Preview - /api/fleet/agents/bulk_unenroll: - post: - description: >- - Unenroll multiple agents, optionally revoking their enrollment API - keys.

[Required authorization] Route required privileges: - fleet-agents-all. - operationId: post-fleet-agents-bulk-unenroll - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postBulkUnenrollAgentsRequestExample: - description: Unenroll multiple agents - value: - agents: - - agent-id-1 - - agent-id-2 - revoke: false - schema: - additionalProperties: false - type: object - properties: - agents: - anyOf: - - items: - description: list of agent IDs - type: string - maxItems: 10000 - type: array - - description: KQL query string, leave empty to action all agents - type: string - batchSize: - type: number - force: - description: Unenrolls hosted agents too - type: boolean - includeInactive: - description: >- - When passing agents by KQL query, unenrolls inactive agents - too - type: boolean - revoke: - description: Revokes API keys of agents - type: boolean - required: - - agents - responses: - '200': + description: Bad Request + '500': content: application/json: examples: - postBulkUnenrollAgentsExample: - description: Bulk unenroll action result + internalErrorResponseExample: + description: Example of an internal server error response value: - actionId: action-id-1 + error: Internal Server Error + message: An error message describing what went wrong + statusCode: 500 schema: additionalProperties: false + description: Internal Server Error type: object properties: - actionId: + message: type: string required: - - actionId - description: Successful response - '400': + - message + description: Internal Server Error + summary: Initiate Fleet setup + tags: + - Fleet internals + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/space_settings: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/space_settings
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the Fleet settings for the current Kibana space. + operationId: get-fleet-space-settings + parameters: [] + responses: + '200': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + getSpaceSettingsExample: + description: The Fleet settings for the current Kibana space value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + item: + allowed_namespace_prefixes: + - team-a + - team-b schema: additionalProperties: false - description: Generic Error type: object properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number + item: + additionalProperties: false + type: object + properties: + allowed_namespace_prefixes: + items: + type: string + maxItems: 100 + type: array + managed_by: + type: string + required: + - allowed_namespace_prefixes required: - - message - - attributes - description: Bad Request - summary: Bulk unenroll agents - tags: - - Elastic Agent actions - /api/fleet/agents/bulk_update_agent_tags: - post: - description: >- - Add or remove tags across multiple agents.

[Required - authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-bulk-update-agent-tags + - item + description: Successful response + summary: Get space settings + tags: [] + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/fleet/space_settings
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create or update Fleet settings for the current Kibana space.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: put-fleet-space-settings parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -23821,180 +40599,173 @@ paths: content: application/json: examples: - postBulkUpdateAgentTagsRequestExample: - description: Add and remove tags across multiple agents + putSpaceSettingsRequestExample: + description: Update allowed namespace prefixes for the current Kibana space value: - agents: - - agent-id-1 - - agent-id-2 - tagsToAdd: - - production - tagsToRemove: - - staging + allowed_namespace_prefixes: + - team-a + - team-b schema: additionalProperties: false type: object properties: - agents: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - type: string - batchSize: - type: number - includeInactive: - default: false - type: boolean - tagsToAdd: - items: - type: string - maxItems: 10 - type: array - tagsToRemove: + allowed_namespace_prefixes: items: type: string maxItems: 10 type: array - required: - - agents responses: '200': content: application/json: examples: - postBulkUpdateAgentTagsExample: - description: Bulk action result + putSpaceSettingsExample: + description: The updated Fleet settings for the current Kibana space value: - actionId: action-id-1 + item: + allowed_namespace_prefixes: + - team-a + - team-b schema: additionalProperties: false type: object properties: - actionId: - type: string + item: + additionalProperties: false + type: object + properties: + allowed_namespace_prefixes: + items: + type: string + maxItems: 100 + type: array + managed_by: + type: string + required: + - allowed_namespace_prefixes required: - - actionId + - item description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: 
- type: number - required: - - message - - attributes - description: Bad Request - summary: Bulk update agent tags - tags: - - Elastic Agent actions - /api/fleet/agents/bulk_upgrade: - post: - description: >- - Upgrade multiple agents to a newer version, with optional rollout - controls.

[Required authorization] Route required privileges: - fleet-agents-all. - operationId: post-fleet-agents-bulk-upgrade + summary: Create space settings + tags: [] + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/uninstall_tokens: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/uninstall_tokens
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List the metadata for the latest uninstall tokens per agent policy.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: get-fleet-uninstall-tokens parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true + - description: Partial match filtering for policy IDs + in: query + name: policyId + required: false schema: - example: 'true' + maxLength: 50 type: string - requestBody: - content: - application/json: - examples: - postBulkUpgradeAgentsRequestExample: - description: Upgrade multiple agents to a specific version - value: - agents: - - agent-id-1 - - agent-id-2 - rollout_duration_seconds: 3600 - version: 8.17.0 - schema: - additionalProperties: false - type: object - properties: - agents: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - type: string - batchSize: - type: number - force: - type: boolean - includeInactive: - default: false - type: boolean - rollout_duration_seconds: - minimum: 600 - type: number - skipRateLimitCheck: - type: boolean - source_uri: - type: string - start_time: - type: string - version: - type: string - required: - - agents - - version + - description: Partial match filtering for uninstall token values + in: query + name: search + required: false + schema: + maxLength: 50 + type: string + - description: The number of items to return + in: query + name: perPage + required: false + schema: + minimum: 5 + type: number + - description: Page number + in: query + name: page + required: false + schema: + minimum: 1 + type: number responses: '200': content: application/json: examples: - postBulkUpgradeAgentsExample: - description: Bulk upgrade action result + getUninstallTokensExample: + description: List of uninstall token metadata for agent policies value: - actionId: action-id-1 + items: + - created_at: '2024-01-01T00:00:00.000Z' + id: token-id-1 + namespaces: + - default + policy_id: policy-id-1 + policy_name: Default policy + - created_at: '2024-01-02T00:00:00.000Z' + id: token-id-2 + 
namespaces: + - production + policy_id: policy-id-2 + policy_name: Production policy + page: 1 + perPage: 20 + total: 2 schema: additionalProperties: false type: object properties: - actionId: - type: string + items: + items: + additionalProperties: false + type: object + properties: + created_at: + type: string + id: + type: string + namespaces: + items: + type: string + maxItems: 100 + type: array + policy_id: + type: string + policy_name: + nullable: true + type: string + required: + - id + - policy_id + - created_at + maxItems: 10000 + type: array + page: + type: number + perPage: + type: number + total: + type: number required: - - actionId + - items + - total + - page + - perPage description: Successful response '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + conflictingQueryParamsExample: + description: Both policyId and search query parameters were provided value: error: Bad Request - message: An error message describing what went wrong + message: Query parameters `policyId` and `search` cannot be used at the same time. statusCode: 400 schema: additionalProperties: false @@ -24015,26 +40786,27 @@ paths: - message - attributes description: Bad Request - summary: Bulk upgrade agents + summary: Get metadata for latest uninstall tokens tags: - - Elastic Agent actions - /api/fleet/agents/files/{fileId}: - delete: - description: >- - Delete a file uploaded by an agent.

[Required authorization] - Route required privileges: fleet-agents-all. - operationId: delete-fleet-agents-files-fileid + - Fleet uninstall tokens + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/uninstall_tokens/{uninstallTokenId}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/uninstall_tokens/{uninstallTokenId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get one decrypted uninstall token by its ID.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: get-fleet-uninstall-tokens-uninstalltokenid parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The ID of the uploaded file + - description: The ID of the uninstall token in: path - name: fileId + name: uninstallTokenId required: true schema: type: string @@ -24043,22 +40815,48 @@ paths: content: application/json: examples: - deleteAgentUploadFileExample: - description: Uploaded file successfully deleted + getUninstallTokenExample: + description: Decrypted uninstall token for an agent policy value: - deleted: true - id: file-id-1 + item: + created_at: '2024-01-01T00:00:00.000Z' + id: token-id-1 + namespaces: + - default + policy_id: policy-id-1 + policy_name: Default policy + token: CKHJsJcBqNwIRcRBNDaE schema: additionalProperties: false type: object properties: - deleted: - type: boolean - id: - type: string + item: + additionalProperties: false + type: object + properties: + created_at: + type: string + id: + type: string + namespaces: + items: + type: string + maxItems: 100 + type: array + policy_id: + type: string + policy_name: + nullable: true + type: string + token: + type: string + required: + - id + - policy_id + - created_at + - token required: - - id - - deleted + - item description: Successful response '400': content: 
@@ -24089,2436 +40887,3012 @@ paths: - message - attributes description: Bad Request - summary: Delete an uploaded file + '404': + content: + application/json: + examples: + notFoundExample: + description: No uninstall token was found with the given ID + value: + error: Not Found + message: Uninstall Token not found with ID token-id-1 + statusCode: 404 + description: Not Found + summary: Get a decrypted uninstall token tags: - - Elastic Agents - /api/fleet/agents/files/{fileId}/{fileName}: - get: - description: >- - Get a file uploaded by an agent.

[Required authorization] Route - required privileges: fleet-agents-read. - operationId: get-fleet-agents-files-fileid-filename + - Fleet uninstall tokens + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/lists: + delete: + description: | + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/lists
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a value list using the list ID. + > info + > When you delete a list, all of its list items are also deleted. + operationId: DeleteList parameters: - - description: The ID of the uploaded file - in: path - name: fileId + - description: Value list identifier to delete, including all of its list items. + in: query + name: id required: true schema: - type: string - - description: The name of the uploaded file - in: path - name: fileName - required: true + $ref: '#/components/schemas/Security_Lists_API_ListId' + - description: Determines whether exception items referencing this value list should be deleted. + in: query + name: deleteReferences + required: false schema: - type: string + default: false + example: false + type: boolean + - description: Determines whether to delete value list without performing any additional checks of where this list may be utilized. + in: query + name: ignoreReferences + required: false + schema: + default: false + example: false + type: boolean responses: '200': content: application/json: examples: - getAgentUploadFileExample: - description: The uploaded file content as a stream - value: + ipList: + value: + _version: WzIsMV0= + '@timestamp': '2025-01-08T04:47:34.273Z' + created_at: '2025-01-08T04:47:34.273Z' + created_by: elastic + description: List of bad internet ips. 
+ id: 21b01cfb-058d-44b9-838c-282be16c91cd + immutable: false + name: Bad ips + tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 + type: ip + updated_at: '2025-01-08T05:39:39.292Z' + updated_by: elastic + version: 3 schema: - type: object - description: Successful response — returns the uploaded file content + $ref: '#/components/schemas/Security_Lists_API_List' + description: Successful response '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequest: value: error: Bad Request - message: An error message describing what went wrong + message: '[request query]: id: Required' statusCode: 400 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get an uploaded file + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [DELETE /api/lists?id=ip_list] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: 
'#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'list id: \"ip_list\" was not found' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Delete a value list tags: - - Elastic Agents - /api/fleet/agents/setup: + - Security Lists API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name get: - description: >- - Get the current Fleet setup status, including whether Fleet is ready to - enroll agents and which requirements or optional features are - missing.

[Required authorization] Route required privileges: - fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR - fleet-setup. - operationId: get-fleet-agents-setup - parameters: [] + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/lists
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the details of a value list using the list ID. + operationId: ReadList + parameters: + - description: Value list identifier (`id`) returned when the list was created. + in: query + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Lists_API_ListId' responses: '200': content: application/json: examples: - agentsSetupNotReadyExample: - description: >- - Fleet is not ready — a Fleet Server and API keys are - required - value: - is_action_secrets_storage_enabled: false - is_secrets_storage_enabled: false - is_space_awareness_enabled: false - is_ssl_secrets_storage_enabled: false - isReady: false - missing_optional_features: - - encrypted_saved_object_encryption_key_required - missing_requirements: - - fleet_server - - api_keys - agentsSetupReadyExample: - description: Fleet is ready to enroll agents — all requirements are met + ip: value: - is_action_secrets_storage_enabled: true - is_secrets_storage_enabled: true - is_space_awareness_enabled: false - is_ssl_secrets_storage_enabled: false - isReady: true - missing_optional_features: [] - missing_requirements: [] - package_verification_key_id: D88DB4CC + _version: WzEsMV0= + '@timestamp': '2025-01-08T04:47:34.273Z' + created_at: '2025-01-08T04:47:34.273Z' + created_by: elastic + description: This list describes bad internet ip + id: ip_list + immutable: false + name: My bad ips + tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 + type: ip + updated_at: '2025-01-08T05:21:53.843Z' + updated_by: elastic + version: 1 schema: - additionalProperties: false - description: >- - A summary of the agent setup status. `isReady` indicates - whether the setup is ready. If the setup is not ready, - `missing_requirements` lists which requirements are missing. 
- type: object - properties: - is_action_secrets_storage_enabled: - type: boolean - is_secrets_storage_enabled: - type: boolean - is_space_awareness_enabled: - type: boolean - is_ssl_secrets_storage_enabled: - type: boolean - isReady: - type: boolean - missing_optional_features: - items: - enum: - - encrypted_saved_object_encryption_key_required - type: string - maxItems: 1 - type: array - missing_requirements: - items: - enum: - - security_required - - tls_required - - api_keys - - fleet_admin_user - - fleet_server - type: string - maxItems: 5 - type: array - package_verification_key_id: - type: string - required: - - isReady - - missing_requirements - - missing_optional_features - description: Fleet setup status + $ref: '#/components/schemas/Security_Lists_API_List' + description: Successful response '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequest: value: error: Bad Request - message: An error message describing what went wrong + message: '[request query]: id: Required' statusCode: 400 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get agent setup info + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: 
'#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [GET /api/lists?id=ip_list] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'list id: \"foo\" not found' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Get value list details tags: - - Elastic Agents - post: - description: >- - Initialize Fleet. This endpoint is used by Elastic Agents to trigger - Fleet setup. Safe to call multiple times; subsequent calls are - idempotent.

[Required authorization] Route required privileges: - fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR - fleet-setup. - operationId: post-fleet-agents-setup - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string + - Security Lists API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + patch: + description: |- + **Spaces method and path for this operation:** + +
patch /s/{space_id}/api/lists
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update specific fields of an existing list using the list `id`. + operationId: PatchList + requestBody: + content: + application/json: + examples: + patchName: + value: + id: ip_list + name: Bad ips list - UPDATED + schema: + example: + id: ip_list + name: Bad ips list - UPDATED + type: object + properties: + _version: + $ref: '#/components/schemas/Security_Lists_API_ListVersionId' + description: + $ref: '#/components/schemas/Security_Lists_API_ListDescription' + id: + $ref: '#/components/schemas/Security_Lists_API_ListId' + meta: + $ref: '#/components/schemas/Security_Lists_API_ListMetadata' + name: + $ref: '#/components/schemas/Security_Lists_API_ListName' + version: + $ref: '#/components/schemas/Security_Lists_API_ListVersion' + required: + - id + description: Value list's properties + required: true responses: '200': content: application/json: examples: - agentsSetupSuccessExample: - description: >- - Fleet setup initialized successfully with no non-fatal - errors + ip: value: - isInitialized: true - nonFatalErrors: [] + _version: WzEsMV0= + '@timestamp': '2025-01-08T04:47:34.273Z' + created_at: '2025-01-08T04:47:34.273Z' + created_by: elastic + description: This list describes bad internet ips + id: ip_list + immutable: false + name: Bad ips list - UPDATED + tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 + type: ip + updated_at: '2025-01-08T05:21:53.843Z' + updated_by: elastic + version: 2 schema: - additionalProperties: false - description: >- - A summary of the result of Fleet's `setup` lifecycle. If - `isInitialized` is true, Fleet is ready to accept agent - enrollment. `nonFatalErrors` may include useful insight into - non-blocking issues with Fleet setup. 
- type: object - properties: - isInitialized: - type: boolean - nonFatalErrors: - items: - additionalProperties: false - type: object - properties: - message: - type: string - name: - type: string - required: - - name - - message - maxItems: 10000 - type: array - required: - - isInitialized - - nonFatalErrors - description: Fleet setup completed + $ref: '#/components/schemas/Security_Lists_API_List' + description: Successful response '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequest: + value: + error: Bad Request + message: '[request body]: name: Expected string, received number' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [PATCH /api/lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'list id: \"foo\" not found' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List not found response 
+ '500': + content: + application/json: + examples: + serverError: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + message: Internal Server Error + status_code: 500 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Initiate Fleet setup + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Patch a value list tags: - - Elastic Agents - /api/fleet/agents/tags: - get: - description: >- - Get a list of all tags used across enrolled agents.

[Required - authorization] Route required privileges: fleet-agents-read. - operationId: get-fleet-agents-tags - parameters: - - description: A KQL query string to filter results - in: query - name: kuery - required: false - schema: - type: string - - description: When true, include tags from inactive agents - in: query - name: showInactive - required: false - schema: - default: false - type: boolean + - Security Lists API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/lists
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new value list. + operationId: CreateList + requestBody: + content: + application/json: + examples: + ip: + value: + description: This list describes bad internet ips + id: ip_list + name: Simple list with ips + type: ip + ip_range: + value: + description: This list has ip ranges + id: ip_range_list + name: Simple list with ip ranges + type: ip_range + keyword: + value: + description: This list describes bad host names + id: keyword_list + name: Simple list with a keyword + type: keyword + keyword_custom_format: + value: + description: This parses the first found ipv4 only + id: keyword_custom_format_list + name: Simple list with a keyword using a custom format + type: keyword + schema: + type: object + properties: + description: + $ref: '#/components/schemas/Security_Lists_API_ListDescription' + id: + $ref: '#/components/schemas/Security_Lists_API_ListId' + meta: + $ref: '#/components/schemas/Security_Lists_API_ListMetadata' + name: + $ref: '#/components/schemas/Security_Lists_API_ListName' + type: + $ref: '#/components/schemas/Security_Lists_API_ListType' + version: + default: 1 + minimum: 1 + type: integer + required: + - name + - description + - type + description: Value list's properties + required: true responses: '200': content: application/json: examples: - getAgentTagsExample: - description: List of tags used across agents + ip: value: - items: - - production - - linux - - datacenter-1 + _version: WzAsMV0= + '@timestamp': '2025-01-08T04:47:34.273Z' + created_at: '2025-01-08T04:47:34.273Z' + created_by: elastic + description: This list describes bad internet ips + id: ip_list + immutable: false + name: Simple list with ips + tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 + type: ip + updated_at: '2025-01-08T04:47:34.273Z' + updated_by: elastic + version: 1 + ip_range: + value: + _version: WzAsMV0= + '@timestamp': '2025-01-09T18:23:52.241Z' 
+ created_at: '2025-01-09T18:23:52.241Z' + created_by: elastic + description: This list has ip ranges + id: ip_range_list + immutable: false + name: Simple list with ip ranges + tie_breaker_id: 74aebdaf-601f-4940-b351-155728ff7003 + type: ip_range + updated_at: '2025-01-09T18:23:52.241Z' + updated_by: elastic + version: 1 + keyword: + value: + _version: WzEsMV0= + '@timestamp': '2025-01-09T18:24:55.786Z' + created_at: '2025-01-09T18:24:55.786Z' + created_by: elastic + description: This list describes bad host names + id: keyword_list + immutable: false + name: Simple list with a keyword + tie_breaker_id: f7e7dbaa-daf7-4c9a-a3dc-56643923ef68 + type: keyword + updated_at: '2025-01-09T18:24:55.786Z' + updated_by: elastic + version: 1 + keyword_custom_format: + value: + _version: WzIsMV0= + '@timestamp': '2025-01-09T18:25:39.604Z' + created_at: '2025-01-09T18:25:39.604Z' + created_by: elastic + description: This parses the first found ipv4 only + id: keyword_custom_format_list + immutable: false + name: Simple list with a keyword using a custom format + tie_breaker_id: 8247ae63-b780-47b8-9a89-948b643e9ec2 + type: keyword + updated_at: '2025-01-09T18:25:39.604Z' + updated_by: elastic + version: 1 schema: - additionalProperties: false - type: object - properties: - items: - items: - type: string - maxItems: 10000 - type: array - required: - - items + $ref: '#/components/schemas/Security_Lists_API_List' description: Successful response '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + notFound: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + message: To create a list, the data stream must exist first. 
Data stream \".lists-default\" does not exist + status_code: 400 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get agent tags - tags: - - Elastic Agents - /api/fleet/check-permissions: - get: - description: >- - Check whether the current user has the required permissions to use - Fleet. Optionally verifies Fleet Server setup privileges. - operationId: get-fleet-check-permissions - parameters: - - description: >- - When true, check Fleet Server setup privileges in addition to - standard Fleet privileges - in: query - name: fleetServerSetup - required: false - schema: - type: boolean - responses: - '200': + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': content: application/json: examples: - checkPermissionsMissingPrivilegesExample: - description: The current user is missing Fleet privileges - value: - error: MISSING_PRIVILEGES - success: false - checkPermissionsSuccessExample: - description: The current user has all required Fleet permissions + unauthorized: value: - success: true + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 schema: - additionalProperties: false - type: object - properties: - error: - enum: - - MISSING_SECURITY - - MISSING_PRIVILEGES - - MISSING_FLEET_SERVER_SETUP_PRIVILEGES - type: string - success: - type: boolean - required: - - success - description: Successful response - '400': + $ref: 
'#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + forbidden: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + error: Forbidden + message: API [POST /api/lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Check permissions - tags: - - Fleet internals - /api/fleet/cloud_connectors: - get: - description: >- - List all Fleet cloud connectors.

[Required authorization] Route - required privileges: fleet-agent-policies-read OR integrations-read. - operationId: get-fleet-cloud-connectors - parameters: - - description: The page number for pagination. - in: query - name: page - required: false - schema: - type: string - - description: The number of items per page. - in: query - name: perPage - required: false - schema: - type: string - - description: KQL query to filter cloud connectors. - in: query - name: kuery - required: false - schema: - type: string - responses: - '200': + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '409': content: application/json: examples: - getCloudConnectorsExample: - description: List of Fleet cloud connectors + alreadyExists: value: - items: - - accountType: single-account - cloudProvider: aws - created_at: '2024-01-15T10:00:00.000Z' - id: cloud-connector-id-1 - name: My AWS connector - packagePolicyCount: 2 - updated_at: '2024-01-15T10:00:00.000Z' - vars: {} + message: 'list id: "keyword_custom_format_list" already exists' + status_code: 409 schema: - additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: false - type: object - properties: - accountType: - type: string - cloudProvider: - type: string - created_at: - type: string - id: - type: string - name: - type: string - namespace: - type: string - packagePolicyCount: - type: number - updated_at: - type: string - vars: - additionalProperties: - nullable: true - type: object - verification_failed_at: - type: string - verification_started_at: - type: string - verification_status: - type: string - required: - - id - - name - - cloudProvider - - vars - - packagePolicyCount - - created_at - - updated_at - maxItems: 10000 - type: array - required: - - items - description: Successful response - '400': + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List already exists response + 
'500': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + serverError: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + message: Internal Server Error + status_code: 500 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get cloud connectors + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Create a value list tags: - - Fleet cloud connectors - x-state: Technical Preview - post: - description: >- - Create a new Fleet cloud connector.

[Required authorization] - Route required privileges: fleet-agent-policies-all OR integrations-all. - operationId: post-fleet-cloud-connectors - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string + - Security Lists API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: | + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/lists
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update a value list using the list `id`. The original list is replaced, and all unspecified fields are deleted. + > info + > You cannot modify the `id` value. + operationId: UpdateList requestBody: content: application/json: examples: - postCloudConnectorRequestExample: - description: Create a new AWS cloud connector + replaceList: value: - accountType: single-account - cloudProvider: aws - name: My AWS connector - vars: {} + description: Latest list of bad ips + id: ip_list + name: Bad ips - updated schema: - additionalProperties: false + example: + description: Latest list of bad ips + id: ip_list + name: Bad ips - updated type: object properties: - accountType: - description: >- - The account type: single-account (single - account/subscription) or organization-account - (organization-wide). - enum: - - single-account - - organization-account - type: string - cloudProvider: - description: 'The cloud provider type: aws, azure, or gcp.' - enum: - - aws - - azure - - gcp - type: string + _version: + $ref: '#/components/schemas/Security_Lists_API_ListVersionId' + description: + $ref: '#/components/schemas/Security_Lists_API_ListDescription' + id: + $ref: '#/components/schemas/Security_Lists_API_ListId' + meta: + $ref: '#/components/schemas/Security_Lists_API_ListMetadata' name: - description: The name of the cloud connector. 
- maxLength: 255 - minLength: 1 - type: string - vars: - additionalProperties: - anyOf: - - maxLength: 1000 - type: string - - type: number - - type: boolean - - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - maxLength: 50 - type: string - value: - anyOf: - - maxLength: 1000 - type: string - - additionalProperties: false - type: object - properties: - id: - maxLength: 255 - type: string - isSecretRef: - type: boolean - required: - - isSecretRef - - id - required: - - type - - value - type: object + $ref: '#/components/schemas/Security_Lists_API_ListName' + version: + $ref: '#/components/schemas/Security_Lists_API_ListVersion' required: + - id - name - - cloudProvider - - vars + - description + description: Value list's properties + required: true responses: '200': content: application/json: examples: - postCloudConnectorExample: - description: The created Fleet cloud connector + ip: value: - item: - accountType: single-account - cloudProvider: aws - created_at: '2024-01-15T10:00:00.000Z' - id: cloud-connector-id-2 - name: My AWS connector - packagePolicyCount: 0 - updated_at: '2024-01-15T10:00:00.000Z' - vars: {} + _version: WzIsMV0= + '@timestamp': '2025-01-08T04:47:34.273Z' + created_at: '2025-01-08T04:47:34.273Z' + created_by: elastic + description: Latest list of bad ips + id: ip_list + immutable: false + name: Bad ips - updated + tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 + type: ip + updated_at: '2025-01-08T05:39:39.292Z' + updated_by: elastic + version: 3 schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - accountType: - type: string - cloudProvider: - type: string - created_at: - type: string - id: - type: string - name: - type: string - namespace: - type: string - packagePolicyCount: - type: number - updated_at: - type: string - vars: - additionalProperties: - nullable: true - type: object - verification_failed_at: - 
type: string - verification_started_at: - type: string - verification_status: - type: string - required: - - id - - name - - cloudProvider - - vars - - packagePolicyCount - - created_at - - updated_at - required: - - item + $ref: '#/components/schemas/Security_Lists_API_List' description: Successful response '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequest: value: error: Bad Request - message: An error message describing what went wrong + message: '[request body]: id: Expected string, received number' statusCode: 400 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Create cloud connector + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [PUT /api/lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': 
+ content: + application/json: + examples: + notFound: + value: + message: 'list id: \"foo\" not found' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Update a value list tags: - - Fleet cloud connectors - x-state: Technical Preview - /api/fleet/cloud_connectors/{cloudConnectorId}: - delete: - description: >- - Delete a cloud connector by ID. Use the `force` query parameter to - delete even if package policies are still using it.

[Required - authorization] Route required privileges: fleet-agent-policies-all OR - integrations-all. - operationId: delete-fleet-cloud-connectors-cloudconnectorid + - Security Lists API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/lists/_find: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/lists/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a paginated subset of value lists. By default, the first page is returned, with 20 results per page. + operationId: FindLists parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true + - description: The page number to return. + in: query + name: page + required: false schema: - example: 'true' + example: 1 + type: integer + - description: The number of value lists to return per page. + in: query + name: per_page + required: false + schema: + example: 20 + type: integer + - description: Determines which field is used to sort the results. + in: query + name: sort_field + required: false + schema: + example: name + format: nonempty + minLength: 1 type: string - - description: The unique identifier of the cloud connector to delete. - in: path - name: cloudConnectorId - required: true + - description: Determines the sort order, which can be `desc` or `asc` + in: query + name: sort_order + required: false schema: + enum: + - desc + - asc + example: asc type: string - - description: If true, forces deletion even if the cloud connector is in use. + - description: Returns the lists that come after the last lists returned in the previous call (use the `cursor` value returned in the previous call). This parameter uses the `tie_breaker_id` field to ensure all lists are sorted and returned correctly. in: query - name: force + name: cursor required: false schema: - type: boolean + $ref: '#/components/schemas/Security_Lists_API_FindListsCursor' + - description: | + Filters the returned results according to the value of the specified field, + using the : syntax. 
+ in: query + name: filter + required: false + schema: + $ref: '#/components/schemas/Security_Lists_API_FindListsFilter' responses: '200': content: application/json: examples: - deleteCloudConnectorExample: - description: The cloud connector was successfully deleted + ipList: value: - id: cloud-connector-id-1 + cursor: WzIwLFsiZjU1MDgxODgtYjFlOS00ZTZlLTk2NjItZDAzOWE3ZDg5ODk5Il1d + data: + - _version: WzAsMV0= + '@timestamp': | + 2025-01-08T04:47:34.273Z + created_at: | + 2025-01-08T04:47:34.273Z + created_by: elastic + description: This list describes bad internet ip + id: ip_list + immutable: false + name: Simple list with an ip + tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 + type: ip + updated_at: | + 2025-01-08T04:47:34.273Z + updated_by: elastic + version: 1 + page: 1 + per_page: 20 + total: 1 schema: - additionalProperties: false type: object properties: - id: - type: string + cursor: + $ref: '#/components/schemas/Security_Lists_API_FindListsCursor' + data: + items: + $ref: '#/components/schemas/Security_Lists_API_List' + type: array + page: + minimum: 0 + type: integer + per_page: + minimum: 0 + type: integer + total: + minimum: 0 + type: integer required: - - id + - data + - page + - per_page + - total + - cursor description: Successful response '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequest: value: error: Bad Request - message: An error message describing what went wrong + message: '[request query]: page: Expected number, received nan' statusCode: 400 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Delete cloud connector (supports force deletion) + oneOf: + - $ref: 
'#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [GET /api/lists/_find?page=1&per_page=20] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Get value lists tags: - - Fleet cloud connectors - x-state: Technical Preview - get: - description: >- - Get a cloud connector by ID.

[Required authorization] Route - required privileges: fleet-agent-policies-read OR integrations-read. - operationId: get-fleet-cloud-connectors-cloudconnectorid - parameters: - - description: The unique identifier of the cloud connector. - in: path - name: cloudConnectorId - required: true - schema: - type: string + - Security Lists API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/lists/index: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/lists/index
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete the `.lists` and `.items` data streams. + operationId: DeleteListIndex responses: '200': content: application/json: examples: - getCloudConnectorExample: - description: A Fleet cloud connector + acknowledged: value: - item: - accountType: single-account - cloudProvider: aws - created_at: '2024-01-15T10:00:00.000Z' - id: cloud-connector-id-1 - name: My AWS connector - packagePolicyCount: 2 - updated_at: '2024-01-15T10:00:00.000Z' - vars: {} + acknowledged: true schema: - additionalProperties: false type: object properties: - item: - additionalProperties: false - type: object - properties: - accountType: - type: string - cloudProvider: - type: string - created_at: - type: string - id: - type: string - name: - type: string - namespace: - type: string - packagePolicyCount: - type: number - updated_at: - type: string - vars: - additionalProperties: - nullable: true - type: object - verification_failed_at: - type: string - verification_started_at: - type: string - verification_status: - type: string - required: - - id - - name - - cloudProvider - - vars - - packagePolicyCount - - created_at - - updated_at + acknowledged: + type: boolean required: - - item + - acknowledged description: Successful response '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequest: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + message: 'Unable to delete value list data streams: invalid or missing index metadata' + status_code: 400 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get cloud 
connector - tags: - - Fleet cloud connectors - x-state: Technical Preview - put: - description: >- - Update a cloud connector by ID.

[Required authorization] Route - required privileges: fleet-agent-policies-all OR integrations-all. - operationId: put-fleet-cloud-connectors-cloudconnectorid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The unique identifier of the cloud connector to update. - in: path - name: cloudConnectorId - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - putCloudConnectorRequestExample: - description: Update a Fleet cloud connector - value: - name: Updated AWS connector - vars: {} - schema: - additionalProperties: false - type: object - properties: - accountType: - description: >- - The account type: single-account (single - account/subscription) or organization-account - (organization-wide). - enum: - - single-account - - organization-account - type: string - name: - description: The name of the cloud connector. 
- maxLength: 255 - minLength: 1 - type: string - vars: - additionalProperties: - anyOf: - - maxLength: 1000 - type: string - - type: number - - type: boolean - - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - maxLength: 50 - type: string - value: - anyOf: - - maxLength: 1000 - type: string - - additionalProperties: false - type: object - properties: - id: - maxLength: 255 - type: string - isSecretRef: - type: boolean - required: - - isSecretRef - - id - required: - - type - - value - type: object + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [DELETE /api/lists/index] is not authorized; lists-all (or equivalent) is required to delete data streams + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: The value list data stream was not found in this space + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List data stream not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + 
status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Delete value list data streams + tags: + - Security Lists API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/lists/index
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Verify that `.lists` and `.items` data streams exist. + operationId: ReadListIndex responses: '200': content: application/json: examples: - putCloudConnectorExample: - description: The updated Fleet cloud connector + bothExist: value: - item: - accountType: single-account - cloudProvider: aws - created_at: '2024-01-15T10:00:00.000Z' - id: cloud-connector-id-1 - name: Updated AWS connector - packagePolicyCount: 2 - updated_at: '2024-01-15T11:00:00.000Z' - vars: {} + list_index: true + list_item_index: true schema: - additionalProperties: false type: object properties: - item: - additionalProperties: false - type: object - properties: - accountType: - type: string - cloudProvider: - type: string - created_at: - type: string - id: - type: string - name: - type: string - namespace: - type: string - packagePolicyCount: - type: number - updated_at: - type: string - vars: - additionalProperties: - nullable: true - type: object - verification_failed_at: - type: string - verification_started_at: - type: string - verification_status: - type: string - required: - - id - - name - - cloudProvider - - vars - - packagePolicyCount - - created_at - - updated_at + list_index: + type: boolean + list_item_index: + type: boolean required: - - item + - list_index + - list_item_index description: Successful response '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequest: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + message: Unable to read value list data stream status for this space + status_code: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + 
examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [GET /api/lists/index] is not authorized; list read permissions are required + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: Value list backing indices were not found for this space + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List data stream(s) not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Get status of value list data streams + tags: + - Security Lists API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + deprecated: true + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/lists/index
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + **DEPRECATED.** `deprecated: true` is set on this operation. Value list backing data streams for the space + are now created as part of supported workflows; calling this explicitly is rarely required. + **WARNING:** Do not use for new integrations. Prefer the UI or the list and list-item APIs after confirming + indices exist with `GET /api/lists/index`. + + Creates the `.lists` and `.items` data streams in the current Kibana space. + operationId: CreateListIndex + responses: + '200': + content: + application/json: + examples: + acknowledged: + value: + acknowledged: true schema: - additionalProperties: false - description: Generic Error type: object properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number + acknowledged: + type: boolean required: - - message - - attributes - description: Bad Request - summary: Update cloud connector + - acknowledged + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + message: Indices exist but the request could not be completed for the current space. Check that Elasticsearch and Kibana privileges allow index creation for lists. 
+ status_code: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: | + [security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate] + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [POST /api/lists/index] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '409': + content: + application/json: + examples: + alreadyExists: + value: + message: 'data stream: \".lists-default\" and \".items-default\" already exists' + status_code: 409 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List data stream exists response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Create list data streams tags: - - Fleet cloud connectors - x-state: Technical Preview - /api/fleet/cloud_connectors/{cloudConnectorId}/usage: - get: - description: >- - Get a list of package policies that are using a given cloud - connector.

[Required authorization] Route required privileges: - fleet-agent-policies-read OR integrations-read. - operationId: get-fleet-cloud-connectors-cloudconnectorid-usage + - Security Lists API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/lists/items: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/lists/items
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a value list item using its `id`, or its `list_id` and `value` fields. + operationId: DeleteListItem parameters: - - description: The unique identifier of the cloud connector. - in: path - name: cloudConnectorId - required: true + - description: Value list item's identifier. Required if `list_id` and `value` are not specified. + in: query + name: id + required: false schema: - type: string - - description: The page number for pagination. + $ref: '#/components/schemas/Security_Lists_API_ListItemId' + - description: Value list's identifier. Required if `id` is not specified. in: query - name: page + name: list_id required: false schema: - minimum: 1 - type: number - - description: The number of items per page. + $ref: '#/components/schemas/Security_Lists_API_ListId' + - description: The value used to evaluate exceptions. Required if `id` is not specified. in: query - name: perPage + name: value required: false schema: - minimum: 1 - type: number + example: 255.255.255.255 + type: string + - description: Determines when changes made by the request are made visible to search. 
+ in: query + name: refresh + required: false + schema: + default: 'false' + enum: + - 'true' + - 'false' + - wait_for + example: false + type: string responses: '200': content: application/json: examples: - getCloudConnectorUsageResponseExample: - description: >- - Example response showing package policies using the cloud - connector + ip: value: - items: - - created_at: '2025-01-16T09:00:00.000Z' - id: package-policy-1 - name: CSPM AWS Policy - package: - name: cloud_security_posture - title: Cloud Security Posture Management - version: 3.1.1 - policy_ids: - - policy-id-123 - - policy-id-456 - updated_at: '2025-01-16T09:00:00.000Z' - page: 1 - perPage: 20 - total: 2 + _version: WzIwLDFd + '@timestamp': '2025-01-08T05:15:05.159Z' + created_at: '2025-01-08T05:15:05.159Z' + created_by: elastic + id: pd1WRJQBs4HAK3VQeHFI + list_id: ip_list + tie_breaker_id: eee41dc7-1666-4876-982f-8b0f7b59eca3 + type: ip + updated_at: '2025-01-08T05:44:14.009Z' + updated_by: elastic + value: 255.255.255.255 schema: - additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: false - type: object - properties: - created_at: - type: string - id: - type: string - name: - type: string - package: - additionalProperties: false - type: object - properties: - name: - type: string - title: - type: string - version: - type: string - required: - - name - - title - - version - policy_ids: - items: - type: string - maxItems: 10000 - type: array - updated_at: - type: string - required: - - id - - name - - policy_ids - - created_at - - updated_at - maxItems: 10000 + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_ListItem' + - items: + $ref: '#/components/schemas/Security_Lists_API_ListItem' type: array - page: - type: number - perPage: - type: number - total: - type: number - required: - - items - - total - - page - - perPage - description: 'OK: A successful request.' 
+ description: Successful response '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequest: value: - error: Bad Request - message: Cloud connector not found - statusCode: 400 + message: Either \"list_id\" or \"id\" needs to be defined in the request + status_code: 400 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: A bad request. - summary: Get cloud connector usage (package policies using the connector) - tags: - - Fleet cloud connectors - x-state: Technical Preview - /api/fleet/data_streams: - get: - description: >- - List all Fleet-managed data streams with metadata including package, - namespace, size, and last activity.

[Required authorization] - Route required privileges: fleet-agents-all AND fleet-agent-policies-all - AND fleet-settings-all. - operationId: get-fleet-data-streams - parameters: [] - responses: - '200': + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': content: application/json: examples: - getDataStreamsExample: - description: List of Fleet-managed data streams + unauthorized: value: - data_streams: - - dashboards: - - id: nginx-overview - title: Nginx Overview - dataset: nginx.access - index: logs-nginx.access-default - last_activity_ms: 1700000000000 - namespace: default - package: nginx - package_version: 1.20.0 - serviceDetails: null - size_in_bytes: 1048576 - size_in_bytes_formatted: 1mb - type: logs - - dashboards: [] - dataset: system.cpu - index: metrics-system.cpu-default - last_activity_ms: 1699999000000 - namespace: default - package: system - package_version: 1.38.0 - serviceDetails: null - size_in_bytes: 524288 - size_in_bytes_formatted: 512kb - type: metrics + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 schema: - additionalProperties: false - type: object - properties: - data_streams: - items: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false - type: object - properties: - id: - type: string - title: - type: string - required: - - id - - title - maxItems: 10000 - type: array - dataset: - type: string - index: - type: string - last_activity_ms: - type: number - namespace: - type: string - package: - type: string - package_version: - type: string - serviceDetails: - additionalProperties: false - nullable: true 
- type: object - properties: - environment: - type: string - serviceName: - type: string - required: - - environment - - serviceName - size_in_bytes: - type: number - size_in_bytes_formatted: - anyOf: - - type: number - - type: string - type: - type: string - required: - - index - - dataset - - namespace - - type - - package - - package_version - - last_activity_ms - - size_in_bytes - - size_in_bytes_formatted - - dashboards - - serviceDetails - maxItems: 10000 - type: array - required: - - data_streams - description: Successful response - '400': + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [DELETE /api/lists/items?id=pd1WRJQBs4HAK3VQeHFI] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'list item with id: \"pd1WRJQBs4HAK3VQeHFI\" not found' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List item not found response + '500': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + serverError: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + message: Internal Server Error + status_code: 500 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get data streams + $ref: 
'#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Delete a value list item tags: - - Data streams - /api/fleet/enrollment_api_keys: + - Security Lists API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name get: - description: >- - List all enrollment API keys.

[Required authorization] Route - required privileges: fleet-agents-all OR fleet-setup. - operationId: get-fleet-enrollment-api-keys + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/lists/items
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the details of a value list item. + operationId: ReadListItem parameters: - - description: Page number + - description: Value list item identifier. Required if `list_id` and `value` are not specified. in: query - name: page + name: id required: false schema: - default: 1 - type: number - - description: Number of results per page + $ref: '#/components/schemas/Security_Lists_API_ListId' + - description: Value list item list's `id` identfier. Required if `id` is not specified. in: query - name: perPage + name: list_id required: false schema: - default: 20 - type: number - - description: A KQL query string to filter results + $ref: '#/components/schemas/Security_Lists_API_ListId' + - description: The value used to evaluate exceptions. Required if `id` is not specified. in: query - name: kuery + name: value required: false schema: + example: 127.0.0.2 type: string responses: '200': content: application/json: examples: - getEnrollmentApiKeysExample: - description: List of enrollment API keys + ip: value: - items: - - active: true - api_key: api-key-value-1 - api_key_id: api-key-id-1 - created_at: '2024-01-01T00:00:00.000Z' - id: key-id-1 - name: Default policy enrollment key - policy_id: policy-id-1 - list: - - active: true - api_key: api-key-value-1 - api_key_id: api-key-id-1 - created_at: '2024-01-01T00:00:00.000Z' - id: key-id-1 - name: Default policy enrollment key - policy_id: policy-id-1 - page: 1 - perPage: 20 - total: 1 + _version: WzExLDFd + '@timestamp': '2025-01-08T05:16:25.882Z' + created_at: '2025-01-08T05:16:25.882Z' + created_by: elastic + id: qN1XRJQBs4HAK3VQs3Gc + list_id: ip_list + tie_breaker_id: a9a34c02-a385-436e-86a0-02a3942f3537 + type: ip + updated_at: '2025-01-08T05:16:25.882Z' + updated_by: elastic + value: 127.0.0.2 schema: - additionalProperties: false - type: object - properties: - items: - items: - $ref: 
'#/components/schemas/Kibana_HTTP_APIs_enrollment_api_key' - maxItems: 10000 - type: array - list: - deprecated: true - items: - $ref: '#/components/schemas/Kibana_HTTP_APIs_enrollment_api_key' - maxItems: 10000 + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_ListItem' + - items: + $ref: '#/components/schemas/Security_Lists_API_ListItem' type: array - page: - type: number - perPage: - type: number - total: - type: number - required: - - items - - total - - page - - perPage - - list description: Successful response '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequest: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + message: Either \"list_id\" or \"id\" needs to be defined in the request + status_code: 400 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get enrollment API keys + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API 
[GET /api/lists/items?id=qN1XRJQBs4HAK3VQs3Gc] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'list item id: \"foo\" not found' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List item not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Get a value list item tags: - - Fleet enrollment API keys - post: - description: >- - Create an enrollment API key for a given agent - policy.

[Required authorization] Route required privileges: - fleet-agents-all. - operationId: post-fleet-enrollment-api-keys - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string + - Security Lists API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + patch: + description: |- + **Spaces method and path for this operation:** + +
patch /s/{space_id}/api/lists/items
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update specific fields of an existing value list item using the item `id`. + operationId: PatchListItem requestBody: content: application/json: examples: - postEnrollmentApiKeyRequestExample: - description: Create an enrollment API key for an agent policy + changeValue: value: - expiration: '2025-01-01T00:00:00.000Z' - name: My enrollment key - policy_id: policy-id-1 + id: pd1WRJQBs4HAK3VQeHFI + value: 255.255.255.255 schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_enrollment_api_key' + type: object + properties: + _version: + $ref: '#/components/schemas/Security_Lists_API_ListVersionId' + id: + $ref: '#/components/schemas/Security_Lists_API_ListItemId' + meta: + $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' + refresh: + description: Determines when changes made by the request are made visible to search. + enum: + - 'true' + - 'false' + - wait_for + type: string + value: + $ref: '#/components/schemas/Security_Lists_API_ListItemValue' + required: + - id + description: Value list item's properties + required: true responses: '200': content: application/json: examples: - postEnrollmentApiKeyExample: - description: The created enrollment API key + ipItem: value: - action: created - item: - active: true - api_key: api-key-value-1 - api_key_id: api-key-id-1 - created_at: '2024-01-01T00:00:00.000Z' - id: key-id-1 - name: My enrollment key - policy_id: policy-id-1 + _version: WzE5LDFd + '@timestamp': '2025-01-08T05:15:05.159Z' + created_at: '2025-01-08T05:15:05.159Z' + created_by: elastic + id: pd1WRJQBs4HAK3VQeHFI + list_id: ip_list + tie_breaker_id: eee41dc7-1666-4876-982f-8b0f7b59eca3 + type: ip + updated_at: '2025-01-08T05:23:37.602Z' + updated_by: elastic + value: 255.255.255.255 schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_enrollment_api_key_response + $ref: '#/components/schemas/Security_Lists_API_ListItem' description: 
Successful response '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequest: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + message: '{"took":15,"timed_out":false,"total":1,"updated":0,"deleted":0,"batches":1,"version_conflicts":0,"noops":0,"retries":{"bulk":0,"search":0},"throttled_millis":0,"requests_per_second":-1,"throttled_until_millis":0,"failures":[{"index":".ds-.items-default-2025.01.09-000001","id":"ip_item","cause":{"type":"document_parsing_exception","reason":"[1:107] failed to parse field [ip] of type [ip] in document with id ip_item. Preview of fields value: 2","caused_by":{"type":"illegal_argument_exception","reason":"2 is not an IP string literal."}},"status":400}]}' + status_code: 400 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Create an enrollment API key + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [PATCH 
/api/lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'list item id: \"foo\" not found' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List item not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Patch a value list item tags: - - Fleet enrollment API keys - /api/fleet/enrollment_api_keys/_bulk_delete: + - Security Lists API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name post: - description: >- - Revoke or delete multiple enrollment API keys.

[Required - authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-enrollment-api-keys-bulk-delete - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/lists/items
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a value list item and associate it with the specified value list. + + All value list items in the same list must be the same type. For example, each list item in an `ip` list must define a specific IP address. + > info + > Before creating a list item, you must create a list. + operationId: CreateListItem requestBody: content: application/json: examples: - bulkDeleteByIdsExample: - description: Bulk delete enrollment API keys by IDs + ip: value: - forceDelete: true - tokenIds: - - token-id-1 - - token-id-2 - bulkDeleteByKueryExample: - description: Bulk delete enrollment API keys by KQL query + list_id: ip_list + value: 127.0.0.1 + ip_range: + value: + list_id: ip_range_list + value: 192.168.0.0/16 + keyword: + value: + list_id: keyword_list + value: zeek + schema: + type: object + properties: + id: + $ref: '#/components/schemas/Security_Lists_API_ListItemId' + list_id: + $ref: '#/components/schemas/Security_Lists_API_ListId' + meta: + $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' + refresh: + description: Determines when changes made by the request are made visible to search. 
+ enum: + - 'true' + - 'false' + - wait_for + example: wait_for + type: string + value: + $ref: '#/components/schemas/Security_Lists_API_ListItemValue' + required: + - list_id + - value + description: Value list item's properties + required: true + responses: + '200': + content: + application/json: + examples: + ip: + value: + _version: WzAsMV0= + '@timestamp': '2025-01-08T04:59:06.154Z' + created_at: '2025-01-08T04:59:06.154Z' + created_by: elastic + id: 21b01cfb-058d-44b9-838c-282be16c91cc + list_id: ip_list + tie_breaker_id: b57c762c-3036-465c-9bfb-7bfb5e6e515a + type: ip + updated_at: '2025-01-08T04:59:06.154Z' + updated_by: elastic + value: 127.0.0.1 + ip_range: + value: + _version: WzEsMV0= + '@timestamp': '2025-01-09T18:33:08.202Z' + created_at: '2025-01-09T18:33:08.202Z' + created_by: elastic + id: ip_range_item + list_id: ip_range_list + tie_breaker_id: ea1b4189-efda-4637-b8f9-74655a5ebb61 + type: ip_range + updated_at: '2025-01-09T18:33:08.202Z' + updated_by: elastic + value: 192.168.0.0/16 + keyword: + value: + _version: WzIsMV0= + '@timestamp': '2025-01-09T18:34:29.422Z' + created_at: '2025-01-09T18:34:29.422Z' + created_by: elastic + id: 7f24737d-1da8-4626-a568-33070591bb4e + list_id: keyword_list + tie_breaker_id: 2108ced2-5e5d-401e-a88e-4dd69fc5fa27 + type: keyword + updated_at: '2025-01-09T18:34:29.422Z' + updated_by: elastic + value: zeek + schema: + $ref: '#/components/schemas/Security_Lists_API_ListItem' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: uri [/api/lists/items] with method [post] exists but is not available with the current configuration + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: 
Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [POST /api/lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + listNotFound: + value: + message: 'list id: \"ip_list\" does not exist' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '409': + content: + application/json: + examples: + alreadyExists: + value: + message: 'list item id: \"ip_item\" already exists' + status_code: 409 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List item already exists response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Create a value list item + tags: + - Security Lists API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: | + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/lists/items
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update a value list item using the list item ID. The original list item is replaced, and all unspecified fields are deleted. + > info + > You cannot modify the `id` value. + operationId: UpdateListItem + requestBody: + content: + application/json: + examples: + fullReplace: value: - forceDelete: false - kuery: policy_id:"policy-id-1" + id: ip_item + value: 255.255.255.255 schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_bulk_delete_enrollment_api_keys_request + example: + id: ip_item + value: 255.255.255.255 + type: object + properties: + _version: + $ref: '#/components/schemas/Security_Lists_API_ListVersionId' + id: + $ref: '#/components/schemas/Security_Lists_API_ListItemId' + meta: + $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' + value: + $ref: '#/components/schemas/Security_Lists_API_ListItemValue' + required: + - id + - value + description: Value list item's properties + required: true responses: '200': content: application/json: examples: - bulkDeleteEnrollmentApiKeysExample: - description: The enrollment API keys were successfully processed + ip: value: - action: deleted - count: 2 - errorCount: 0 - successCount: 2 + _version: WzIwLDFd + '@timestamp': '2025-01-08T05:15:05.159Z' + created_at: '2025-01-08T05:15:05.159Z' + created_by: elastic + id: pd1WRJQBs4HAK3VQeHFI + list_id: ip_list + tie_breaker_id: eee41dc7-1666-4876-982f-8b0f7b59eca3 + type: ip + updated_at: '2025-01-08T05:44:14.009Z' + updated_by: elastic + value: 255.255.255.255 schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_bulk_delete_enrollment_api_keys_response + $ref: '#/components/schemas/Security_Lists_API_ListItem' description: Successful response '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequest: value: error: Bad Request - message: Either tokenIds or kuery 
must be provided + message: '[request body]: id: Expected string, received number' statusCode: 400 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Bulk revoke or delete enrollment API keys - tags: - - Fleet enrollment API keys - x-state: Generally available - /api/fleet/enrollment_api_keys/{keyId}: - delete: - description: >- - Revoke or delete an enrollment API key by ID. Use `forceDelete=true` to - remove the document.

[Required authorization] Route required - privileges: fleet-agents-all. - operationId: delete-fleet-enrollment-api-keys-keyid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The ID of the enrollment API key - in: path - name: keyId - required: true - schema: - type: string - - description: >- - When false (default), invalidate the API key and mark the token as - inactive. When true, also delete the token document. - in: query - name: forceDelete - required: false - schema: - default: false - type: boolean - - description: >- - When true, allow deletion of hidden enrollment tokens - (managed/agentless policies). Defaults to false. - in: query - name: includeHidden - required: false - schema: - default: false - type: boolean - responses: - '200': + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': content: application/json: examples: - deleteEnrollmentApiKeyExample: - description: The enrollment API key was successfully revoked + unauthorized: value: - action: deleted + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_delete_enrollment_api_key_response - description: Successful response - '400': + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + forbidden: value: - error: Bad Request - message: An 
error message describing what went wrong - statusCode: 400 + error: Forbidden + message: API [PATCH /api/lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response '404': content: application/json: examples: - notFoundExample: - description: No enrollment API key was found with the given ID + notFound: value: - error: Not Found - message: EnrollmentAPIKey key-id-1 not found - statusCode: 404 - description: Not Found - summary: Revoke or delete an enrollment API key + message: 'list item id: \"foo\" not found' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List item not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Update a value list item tags: - - Fleet enrollment API keys - get: - description: >- - Get an enrollment API key by ID.

[Required authorization] Route - required privileges: fleet-agents-all OR fleet-setup. - operationId: get-fleet-enrollment-api-keys-keyid + - Security Lists API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/lists/items/_export: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/lists/items/_export
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Export list item values from the specified value list. + operationId: ExportListItems parameters: - - description: The ID of the enrollment API key - in: path - name: keyId + - description: Value list's `id` to export. + in: query + name: list_id required: true schema: - type: string + $ref: '#/components/schemas/Security_Lists_API_ListId' responses: '200': content: - application/json: + application/ndjson: examples: - getEnrollmentApiKeyExample: - description: An enrollment API key - value: - item: - active: true - api_key: api-key-value-1 - api_key_id: api-key-id-1 - created_at: '2024-01-01T00:00:00.000Z' - id: key-id-1 - name: Default policy enrollment key - policy_id: policy-id-1 + ipLines: + value: | + 127.0.0.1 + 127.0.0.2 + 127.0.0.3 schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_enrollment_api_key_response + description: A `.txt` file containing list items from the specified list + example: | + 127.0.0.1 + 127.0.0.2 + 127.0.0.3 + 127.0.0.4 + 127.0.0.5 + 127.0.0.6 + 127.0.0.7 + 127.0.0.8 + 127.0.0.9 + format: binary + type: string description: Successful response '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequest: value: - error: Bad Request - message: An error message describing what went wrong + error: 'Bad Request","message":"[request query]: list_id: Required' statusCode: 400 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid 
input data response + '401': content: application/json: examples: - notFoundExample: - description: No enrollment API key was found with the given ID + unauthorized: value: - error: Not Found - message: EnrollmentAPIKey key-id-1 not found - statusCode: 404 - description: Not Found - summary: Get an enrollment API key - tags: - - Fleet enrollment API keys - /api/fleet/epm/bulk_assets: - post: - description: >- - Retrieve multiple Kibana saved object assets by their IDs and - types.

[Required authorization] Route required privileges: - integrations-read OR fleet-setup OR fleet-all. - operationId: post-fleet-epm-bulk-assets - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postBulkGetAssetsRequestExample: - description: Retrieve multiple assets by their IDs and types - value: - assetIds: - - id: dashboard-id-1 - type: dashboard - - id: index-pattern-id-1 - type: index_pattern - schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_get_bulk_assets_request' - responses: - '200': + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': content: application/json: examples: - postBulkGetAssetsExample: - description: Requested assets + forbidden: value: - items: - - appLink: /app/dashboards#/view/dashboard-id-1 - attributes: - title: My Dashboard - id: dashboard-id-1 - type: dashboard + error: Forbidden + message: API [POST /api/lists/items/_export?list_id=ips.txt] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] + statusCode: 403 schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_get_bulk_assets_response' - description: Successful response - '400': + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + notFound: value: - error: Bad Request - message: An error message describing 
what went wrong - statusCode: 400 + message: 'list id: "unknown_list" not found' + status_code: 404 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Bulk get assets + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Export value list items tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/categories: + - Security Lists API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/lists/items/_find: get: - description: >- - Get a list of integration categories.

[Required authorization] - Route required privileges: integrations-read OR fleet-setup OR - fleet-all. - operationId: get-fleet-epm-categories + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/lists/items/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get all value list items in the specified list. + operationId: FindListItems parameters: - - description: When true, include prerelease packages in the results + - description: Parent value list's `id` to page through items for. in: query - name: prerelease + name: list_id + required: true + schema: + $ref: '#/components/schemas/Security_Lists_API_ListId' + - description: The page number to return. + in: query + name: page required: false schema: - type: boolean - - description: When true, include categories that only contain policy templates + example: 1 + type: integer + - description: The number of list items to return per page. in: query - name: include_policy_templates + name: per_page required: false schema: - type: boolean + example: 20 + type: integer + - description: Determines which field is used to sort the results. + in: query + name: sort_field + required: false + schema: + example: value + format: nonempty + minLength: 1 + type: string + - description: Determines the sort order, which can be `desc` or `asc` + in: query + name: sort_order + required: false + schema: + enum: + - desc + - asc + example: asc + type: string + - description: | + Opaque cursor returned in a previous response; pass it to continue listing from the next page. Omit on the first request. + in: query + name: cursor + required: false + schema: + $ref: '#/components/schemas/Security_Lists_API_FindListItemsCursor' + - description: | + Filters the returned results according to the value of the specified field, + using the : syntax. 
+ in: query + name: filter + required: false + schema: + $ref: '#/components/schemas/Security_Lists_API_FindListItemsFilter' responses: '200': content: application/json: examples: - getCategoriesExample: - description: List of integration categories + ip: value: - items: - - count: 42 - id: security - title: Security - - count: 38 - id: observability - title: Observability + cursor: WzIwLFsiYjU3Yzc2MmMtMzAzNi00NjVjLTliZmItN2JmYjVlNmU1MTVhIl1d + data: + - _version: WzAsMV0= + '@timestamp': '2025-01-08T04:59:06.154Z' + created_at: '2025-01-08T04:59:06.154Z' + created_by: elastic + id: 21b01cfb-058d-44b9-838c-282be16c91cc + list_id: ip_list + tie_breaker_id: b57c762c-3036-465c-9bfb-7bfb5e6e515a + type: ip + updated_at: '2025-01-08T04:59:06.154Z' + updated_by: elastic + value: 127.0.0.1 + page: 1 + per_page: 20 + total: 1 schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_get_categories_response' + type: object + properties: + cursor: + $ref: '#/components/schemas/Security_Lists_API_FindListItemsCursor' + data: + items: + $ref: '#/components/schemas/Security_Lists_API_ListItem' + type: array + page: + minimum: 0 + type: integer + per_page: + minimum: 0 + type: integer + total: + minimum: 0 + type: integer + required: + - data + - page + - per_page + - total + - cursor description: Successful response '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequest: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + error: Bad Request, + message: '[request query]: list_id: Required' + statusCode: 400, schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get package categories - tags: - - 
Elastic Package Manager (EPM) - /api/fleet/epm/custom_integrations: - post: - description: >- - Create a new custom integration package with user-defined data - streams.

[Required authorization] Route required privileges: - integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-custom-integrations - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postCreateCustomIntegrationRequestExample: - description: Create a new custom integration - value: - datasets: - - name: my_custom_logs.access - type: logs - integrationName: my_custom_logs - schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_create_custom_integration_request - responses: - '200': + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': content: application/json: examples: - postCreateCustomIntegrationExample: - description: Custom integration successfully created + unauthorized: value: - _meta: - install_source: custom - items: - - id: my_custom_logs-logs-my_custom_logs.access - type: index_template + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_install_package_response' - description: Successful response - '400': + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + forbidden: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + error: Forbidden + message: API [GET 
/api/lists/items/_find?list_id=ip_list&page=1&per_page=20] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] + statusCode: 403 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Create a custom integration + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Get value list items tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/custom_integrations/{pkgName}: - put: - description: >- - Update the datasets of an existing custom integration - package.

[Required authorization] Route required privileges: - fleet-settings-all AND integrations-all. - operationId: put-fleet-epm-custom-integrations-pkgname + - Security Lists API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/lists/items/_import: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/lists/items/_import
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Import value list items from a TXT or CSV file. The maximum file size is 9 million bytes. + + You can import items to a new or existing list. + operationId: ImportListItems parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true + - description: | + List's id. + + Required when importing to an existing list. + in: query + name: list_id + required: false schema: - example: 'true' - type: string - - description: Package name - in: path - name: pkgName - required: true + $ref: '#/components/schemas/Security_Lists_API_ListId' + - description: | + Type of the importing list. + + Required when importing a new list whose list `id` is not specified. + examples: + ip: + value: ip + in: query + name: type + required: false + schema: + $ref: '#/components/schemas/Security_Lists_API_ListType' + - description: Determines when changes made by the request are made visible to search. + in: query + name: refresh + required: false schema: + enum: + - 'true' + - 'false' + - wait_for + example: true type: string requestBody: content: - application/json: + multipart/form-data: examples: - putUpdateCustomIntegrationRequestExample: - description: Update a custom integration + ipLinesFile: value: - datasets: - - name: my_custom_logs.access - type: logs - integrationName: my_custom_logs + file: list_values.txt schema: - additionalProperties: false type: object properties: - categories: - items: - type: string - maxItems: 10 - type: array - readMeData: + file: + description: A `.txt` or `.csv` file containing newline separated list items. 
+ example: | + 127.0.0.1 + 127.0.0.2 + 127.0.0.3 + 127.0.0.4 + 127.0.0.5 + 127.0.0.6 + 127.0.0.7 + 127.0.0.8 + 127.0.0.9 + format: binary type: string - required: - - readMeData + required: true responses: '200': content: application/json: examples: - putUpdateCustomIntegrationExample: - description: Custom integration successfully updated - value: {} + ip: + value: + _version: WzAsMV0= + '@timestamp': '2025-01-08T04:47:34.273Z' + created_at: '2025-01-08T04:47:34.273Z' + created_by: elastic + description: This list describes bad internet ip + id: ip_list + immutable: false + name: Simple list with an ip + tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 + type: ip + updated_at: '2025-01-08T04:47:34.273Z' + updated_by: elastic + version: 1 + schema: + $ref: '#/components/schemas/Security_Lists_API_List' description: Successful response '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequest: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + message: Either type or list_id need to be defined in the query + status_code: 400 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Update a custom integration + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user 
[elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [POST /api/lists/items/_import?list_id=ip_list] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '409': + content: + application/json: + examples: + conflict: + value: + message: List with the specified list_id does not exist, create the list or fix list_id to import to an existing one + status_code: 409 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List with specified list_id does not exist response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Import value list items tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/data_streams: + - Security Lists API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/lists/privileges: get: - description: >- - Get a list of data streams created by installed integration - packages.

[Required authorization] Route required privileges: - integrations-read OR fleet-setup OR fleet-all. - operationId: get-fleet-epm-data-streams - parameters: - - description: Filter by data stream type - in: query - name: type - required: false - schema: - enum: - - logs - - metrics - - traces - - synthetics - - profiling - type: string - - description: Filter data streams by dataset name - in: query - name: datasetQuery - required: false - schema: - type: string - - description: Sort order, ascending or descending - in: query - name: sortOrder - required: false - schema: - default: asc - enum: - - asc - - desc - type: string - - description: >- - When true, only return data streams that are not associated with a - package - in: query - name: uncategorisedOnly - required: false - schema: - default: false - type: boolean + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/lists/privileges
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Returns the caller's authentication state and the Elasticsearch `cluster`, `index`, and `application` + privileges for `.lists` and `.items` data streams in the current Kibana space. Use this to decide which list + APIs (`read` vs `all` operations) are available before you create or import lists. + operationId: ReadListPrivileges responses: '200': content: application/json: examples: - getDataStreamsExample: - description: List of data streams from installed packages + privileges: value: - data_streams: - - ilm_policy: logs-default - index_template: logs-system.syslog - name: logs-system.syslog-default - package: system - package_version: 1.55.0 - title: System syslog logs + is_authenticated: true + listItems: + application: {} + cluster: + all: true + manage: true + manage_api_key: true + manage_index_templates: true + manage_ml: true + manage_own_api_key: true + manage_pipeline: true + manage_security: true + manage_transform: true + monitor: true + monitor_ml: true + monitor_transform: true + has_all_requested: true + index: + .items-default: + all: true + create: true + create_doc: true + create_index: true + delete: true + delete_index: true + index: true + maintenance: true + manage: true + monitor: true + read: true + view_index_metadata: true + write: true + username: elastic + lists: + application: {} + cluster: + all: true + manage: true + manage_api_key: true + manage_index_templates: true + manage_ml: true + manage_own_api_key: true + manage_pipeline: true + manage_security: true + manage_transform: true + monitor: true + monitor_ml: true + monitor_transform: true + has_all_requested: true + index: + .lists-default: + all: true + create: true + create_doc: true + create_index: true + delete: true + delete_index: true + index: true + maintenance: true + manage: true + monitor: true + read: true + view_index_metadata: true + write: true + username: 
elastic schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_get_data_streams_response + type: object + properties: + is_authenticated: + type: boolean + listItems: + $ref: '#/components/schemas/Security_Lists_API_ListItemPrivileges' + lists: + $ref: '#/components/schemas/Security_Lists_API_ListPrivileges' + required: + - lists + - listItems + - is_authenticated description: Successful response '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequest: value: error: Bad Request - message: An error message describing what went wrong + message: 'Unable to resolve list privileges: invalid or missing space context for this request' statusCode: 400 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get data streams + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [GET /api/lists/privileges] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] + statusCode: 403 + 
schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Get value list privileges tags: - - Data streams - /api/fleet/epm/packages: - get: - description: >- - Get a list of integration packages available in the - registry.

[Required authorization] Route required privileges: - integrations-read OR fleet-setup OR fleet-all. - operationId: get-fleet-epm-packages + - Security Lists API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/maintenance_window: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/maintenance_window
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + [Required authorization] Route required privileges: write-maintenance-window. + operationId: post-maintenance-window parameters: - - description: Filter packages by category - in: query - name: category - required: false + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: + example: 'true' type: string - - description: When true, include prerelease packages in the results - in: query - name: prerelease - required: false - schema: - type: boolean - - description: When true, exclude the install status from the response - in: query - name: excludeInstallStatus - required: false - schema: - type: boolean - - description: When true, include the number of package policies per package - in: query - name: withPackagePoliciesCount - required: false - schema: - type: boolean + requestBody: + content: + application/json: + examples: + createMaintenanceWindowRequest: + description: | + Create a maintenance window that recurs every week on Monday and Wednesday for two hours, with a scope that filters specific alerts using a KQL query. + summary: Create a maintenance window + value: + enabled: true + schedule: + custom: + duration: 2h + recurring: + every: 1w + occurrences: 10 + onWeekDay: + - MO + - WE + start: '2025-03-01T08:00:00.000Z' + timezone: Europe/Amsterdam + scope: + alerting: + query: + kql: 'kibana.alert.tags: "infra"' + title: Weekly Maintenance Window + schema: + additionalProperties: false + type: object + properties: + enabled: + description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications. + type: boolean + schedule: + additionalProperties: false + type: object + properties: + custom: + additionalProperties: false + type: object + properties: + duration: + description: 'The duration of the schedule. 
It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' + type: string + recurring: + additionalProperties: false + type: object + properties: + end: + description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' + type: string + every: + description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' + type: string + occurrences: + description: The total number of recurrences of the schedule. + minimum: 1 + type: number + onMonth: + description: The specific months for a recurring schedule. Valid values are 1-12. + items: + maximum: 12 + minimum: 1 + type: number + minItems: 1 + type: array + onMonthDay: + description: The specific days of the month for a recurring schedule. Valid values are 1-31. + items: + maximum: 31 + minimum: 1 + type: number + minItems: 1 + type: array + onWeekDay: + description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. + items: + type: string + minItems: 1 + type: array + start: + description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' + type: string + timezone: + description: The timezone of the schedule. The default timezone is UTC. + type: string + required: + - start + - duration + required: + - custom + scope: + additionalProperties: false + type: object + properties: + alerting: + additionalProperties: false + type: object + properties: + query: + additionalProperties: false + type: object + properties: + kql: + description: A filter written in Kibana Query Language (KQL). 
Only alerts matching this query will be supressed by the maintenance window. + type: string + required: + - kql + required: + - query + required: + - alerting + title: + description: The name of the maintenance window. While this name does not have to be unique, a distinctive name can help you identify a specific maintenance window. + type: string + required: + - title + - schedule responses: '200': content: application/json: examples: - getPackagesExample: - description: List of available integration packages - value: - items: - - categories: - - cloud - description: Collect logs and metrics from Amazon Web Services - id: aws - name: aws - status: not_installed - title: AWS - version: 2.10.0 - searchExcluded: 0 - total: 1 - schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_get_packages_response' - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response + createMaintenanceWindowResponse: + description: | + The response returned when a maintenance window is successfully created. + summary: Create a maintenance window response value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + created_at: '2025-02-25T10:00:00.000Z' + created_by: elastic + enabled: true + id: f0cb1780-537a-4e34-8adf-3b4336862858 + schedule: + custom: + duration: 2h + recurring: + every: 1w + occurrences: 10 + onWeekDay: + - MO + - WE + start: '2025-03-01T08:00:00.000Z' + timezone: Europe/Amsterdam + scope: + alerting: + query: + kql: 'kibana.alert.tags: "infra"' + status: upcoming + title: Weekly Maintenance Window + updated_at: '2025-02-25T10:00:00.000Z' + updated_by: elastic schema: additionalProperties: false - description: Generic Error type: object properties: - attributes: + created_at: + description: The date and time when the maintenance window was created. 
+ type: string + created_by: + description: The identifier for the user that created the maintenance window. nullable: true - error: type: string - errorType: + enabled: + description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications. + type: boolean + id: + description: The identifier for the maintenance window. type: string - message: + schedule: + additionalProperties: false + type: object + properties: + custom: + additionalProperties: false + type: object + properties: + duration: + description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' + type: string + recurring: + additionalProperties: false + type: object + properties: + end: + description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' + type: string + every: + description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' + type: string + occurrences: + description: The total number of recurrences of the schedule. + type: number + onMonth: + description: The specific months for a recurring schedule. Valid values are 1-12. + items: + type: number + type: array + onMonthDay: + description: The specific days of the month for a recurring schedule. Valid values are 1-31. + items: + type: number + type: array + onWeekDay: + description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. + items: + type: string + type: array + start: + description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' 
+ type: string + timezone: + description: The timezone of the schedule. The default timezone is UTC. + type: string + required: + - start + - duration + required: + - custom + scope: + additionalProperties: false + type: object + properties: + alerting: + additionalProperties: false + type: object + properties: + query: + additionalProperties: false + type: object + properties: + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + required: + - query + required: + - alerting + status: + description: The current status of the maintenance window. + enum: + - running + - upcoming + - finished + - archived + - disabled + type: string + title: + description: The name of the maintenance window. + type: string + updated_at: + description: The date and time when the maintenance window was last updated. + type: string + updated_by: + description: The identifier for the user that last updated this maintenance window. + nullable: true type: string - statusCode: - type: number required: - - message - - attributes - description: Bad Request - summary: Get packages + - id + - title + - enabled + - created_by + - updated_by + - created_at + - updated_at + - status + - schedule + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + summary: Create a maintenance window. tags: - - Elastic Package Manager (EPM) - post: - description: >- - Install a package by uploading a .zip or .tar.gz archive (max 100MB). - Only available to superusers.

[Required authorization] Route - required privileges: integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages + - maintenance-window + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/maintenance_window/_find: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/maintenance_window/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + [Required authorization] Route required privileges: read-maintenance-window. + operationId: get-maintenance-window-find parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true + - description: The title of the maintenance window. + in: query + name: title + required: false schema: - example: 'true' type: string - - description: When true, ignore mapping update errors during installation + - description: The user who created the maintenance window. in: query - name: ignoreMappingUpdateErrors + name: created_by required: false schema: - default: false - type: boolean - - description: When true, skip data stream rollover after installation + type: string + - description: The status of the maintenance window. It can be "running", "upcoming", "finished", "archived", or "disabled". in: query - name: skipDataStreamRollover + name: status required: false schema: - default: false - type: boolean - requestBody: - content: - application/gzip: - examples: - postInstallByUploadRequestExample: - description: Upload a .zip or .tar.gz package archive (max 100MB) - value: - application/gzip; application/zip: - examples: - postInstallByUploadRequestExample: - description: Upload a .zip or .tar.gz package archive (max 100MB) - value: - schema: - format: binary + items: + enum: + - running + - finished + - upcoming + - archived + - disabled type: string + type: array + - description: The page number to return. + in: query + name: page + required: false + schema: + default: 1 + maximum: 100 + minimum: 1 + type: number + - description: The number of maintenance windows to return per page. 
+ in: query + name: per_page + required: false + schema: + default: 10 + maximum: 100 + minimum: 1 + type: number responses: '200': content: - application/gzip; application/zip: - examples: - postInstallByUploadExample: - description: Package successfully installed from upload - value: - _meta: - install_source: upload - items: - - id: my-custom-package-logs-default - type: index_template - schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_install_package_response' application/json: examples: - postInstallByUploadExample: - description: Package successfully installed from upload - value: - _meta: - install_source: upload - items: - - id: my-custom-package-logs-default - type: index_template - description: Successful response - '400': - content: - application/gzip; application/zip: - examples: - genericErrorResponseExample: - description: Example of a generic error response + findMaintenanceWindowsResponse: + description: | + The response returned when maintenance windows are successfully found. 
+ summary: Find maintenance windows response value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + maintenanceWindows: + - created_at: '2025-02-25T10:00:00.000Z' + created_by: elastic + enabled: true + id: f0cb1780-537a-4e34-8adf-3b4336862858 + schedule: + custom: + duration: 2h + recurring: + every: 1w + occurrences: 10 + onWeekDay: + - MO + - WE + start: '2025-03-01T08:00:00.000Z' + timezone: Europe/Amsterdam + scope: + alerting: + query: + kql: 'kibana.alert.tags: "infra"' + status: upcoming + title: Weekly Maintenance Window + updated_at: '2025-02-25T10:00:00.000Z' + updated_by: elastic + - created_at: '2025-03-10T09:00:00.000Z' + created_by: elastic + enabled: true + id: a1c94560-6e3b-4ea1-9065-8e3f1b8c5f29 + schedule: + custom: + duration: 1h + recurring: + end: '2025-12-31T00:00:00.000Z' + every: 2w + onWeekDay: + - FR + start: '2025-04-01T10:00:00.000Z' + timezone: US/Eastern + scope: + alerting: + query: + kql: 'kibana.alert.tags: "database"' + status: upcoming + title: Database Upgrade Window + updated_at: '2025-03-15T14:30:00.000Z' + updated_by: elastic + page: 1 + per_page: 10 + total: 2 schema: additionalProperties: false - description: Generic Error type: object properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: + maintenanceWindows: + description: The list of maintenance windows. + items: + additionalProperties: false + type: object + properties: + created_at: + description: The date and time when the maintenance window was created. + type: string + created_by: + description: The identifier for the user that created the maintenance window. + nullable: true + type: string + enabled: + description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications. + type: boolean + id: + description: The identifier for the maintenance window. 
+ type: string + schedule: + additionalProperties: false + type: object + properties: + custom: + additionalProperties: false + type: object + properties: + duration: + description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' + type: string + recurring: + additionalProperties: false + type: object + properties: + end: + description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' + type: string + every: + description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' + type: string + occurrences: + description: The total number of recurrences of the schedule. + type: number + onMonth: + description: The specific months for a recurring schedule. Valid values are 1-12. + items: + type: number + type: array + onMonthDay: + description: The specific days of the month for a recurring schedule. Valid values are 1-31. + items: + type: number + type: array + onWeekDay: + description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. + items: + type: string + type: array + start: + description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' + type: string + timezone: + description: The timezone of the schedule. The default timezone is UTC. 
+ type: string + required: + - start + - duration + required: + - custom + scope: + additionalProperties: false + type: object + properties: + alerting: + additionalProperties: false + type: object + properties: + query: + additionalProperties: false + type: object + properties: + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + required: + - query + required: + - alerting + status: + description: The current status of the maintenance window. + enum: + - running + - upcoming + - finished + - archived + - disabled + type: string + title: + description: The name of the maintenance window. + type: string + updated_at: + description: The date and time when the maintenance window was last updated. + type: string + updated_by: + description: The identifier for the user that last updated this maintenance window. + nullable: true + type: string + required: + - id + - title + - enabled + - created_by + - updated_by + - created_at + - updated_at + - status + - schedule + type: array + page: + description: The current page number. + type: number + per_page: + description: The number of maintenance windows returned per page. + type: number + total: + description: The total number of maintenance windows that match the query. type: number required: - - message - - attributes - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - description: Bad Request - summary: Install a package by upload + - page + - per_page + - total + - maintenanceWindows + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + summary: Search for a maintenance window. 
tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/_bulk: - post: - description: >- - Install multiple packages from the Elastic Package Registry in a single - request.

[Required authorization] Route required privileges: - integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-bulk + - maintenance-window + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/maintenance_window/{id}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/maintenance_window/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + [Required authorization] Route required privileges: write-maintenance-window. + operationId: delete-maintenance-window-id parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -26527,171 +43901,219 @@ paths: schema: example: 'true' type: string - - description: When true, allow installing prerelease versions - in: query - name: prerelease - required: false + - description: The identifier for the maintenance window to be deleted. + in: path + name: id + required: true schema: - type: boolean - requestBody: - content: - application/json: - examples: - postBulkInstallPackagesRequestExample: - description: Install multiple packages from the registry - value: - packages: - - system - - aws - schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_bulk_install_packages_from_registry_request + type: string responses: - '200': - content: - application/json: - examples: - postBulkInstallPackagesExample: - description: Bulk install results - value: - items: - - name: system - result: - assets: [] - status: installed - - name: aws - result: - assets: [] - status: installed - schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_bulk_install_packages_from_registry_response - description: Successful response + '204': + description: Indicates a successful call. '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Bulk install packages + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a maintenance window with the given ID does not exist. + summary: Delete a maintenance window. 
tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/_bulk_namespace_customization: - post: - description: >- - Enable or disable namespace-level index template customization for a - list of packages in one call. Use this for IaC-style declarative - flows.

[Required authorization] Route required privileges: - integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-bulk-namespace-customization + - maintenance-window + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/maintenance_window/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + [Required authorization] Route required privileges: read-maintenance-window. + operationId: get-maintenance-window-id parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf + - description: The identifier for the maintenance window. + in: path + name: id required: true schema: - example: 'true' type: string - requestBody: - content: - application/json: - examples: - bulkNamespaceCustomizationRequest: - value: - disable: - - dev - enable: - - production - - staging - packages: - - system - - nginx - schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_bulk_namespace_customization_request responses: '200': content: application/json: examples: - successResponse: - value: - items: - - name: system - namespace_customization_enabled_for: - - production - - staging - success: true - - error: Package nginx is not installed - name: nginx - success: false - schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_bulk_namespace_customization_response - description: 'OK: A successful request.' - '400': - content: - application/json: - examples: - badRequestResponse: + getMaintenanceWindowResponse: + description: | + The response returned when a maintenance window is successfully retrieved. 
+ summary: Get a maintenance window response value: - error: Bad Request - message: >- - Namespaces must not appear in both enable and disable: - production - statusCode: 400 + created_at: '2025-02-25T10:00:00.000Z' + created_by: elastic + enabled: true + id: f0cb1780-537a-4e34-8adf-3b4336862858 + schedule: + custom: + duration: 2h + recurring: + every: 1w + occurrences: 10 + onWeekDay: + - MO + - WE + start: '2025-03-01T08:00:00.000Z' + timezone: Europe/Amsterdam + scope: + alerting: + query: + kql: 'kibana.alert.tags: "infra"' + status: upcoming + title: Weekly Maintenance Window + updated_at: '2025-02-25T10:00:00.000Z' + updated_by: elastic schema: additionalProperties: false - description: Generic Error type: object properties: - attributes: + created_at: + description: The date and time when the maintenance window was created. + type: string + created_by: + description: The identifier for the user that created the maintenance window. nullable: true - error: type: string - errorType: + enabled: + description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications. + type: boolean + id: + description: The identifier for the maintenance window. type: string - message: + schedule: + additionalProperties: false + type: object + properties: + custom: + additionalProperties: false + type: object + properties: + duration: + description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' + type: string + recurring: + additionalProperties: false + type: object + properties: + end: + description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' + type: string + every: + description: 'The interval and frequency of a recurring schedule. It allows values in `` format. 
`` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' + type: string + occurrences: + description: The total number of recurrences of the schedule. + type: number + onMonth: + description: The specific months for a recurring schedule. Valid values are 1-12. + items: + type: number + type: array + onMonthDay: + description: The specific days of the month for a recurring schedule. Valid values are 1-31. + items: + type: number + type: array + onWeekDay: + description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. + items: + type: string + type: array + start: + description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' + type: string + timezone: + description: The timezone of the schedule. The default timezone is UTC. + type: string + required: + - start + - duration + required: + - custom + scope: + additionalProperties: false + type: object + properties: + alerting: + additionalProperties: false + type: object + properties: + query: + additionalProperties: false + type: object + properties: + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + required: + - query + required: + - alerting + status: + description: The current status of the maintenance window. + enum: + - running + - upcoming + - finished + - archived + - disabled + type: string + title: + description: The name of the maintenance window. + type: string + updated_at: + description: The date and time when the maintenance window was last updated. + type: string + updated_by: + description: The identifier for the user that last updated this maintenance window. + nullable: true type: string - statusCode: - type: number required: - - message - - attributes - description: A bad request. 
- summary: Bulk enable/disable namespace-level customization for packages + - id + - title + - enabled + - created_by + - updated_by + - created_at + - updated_at + - status + - schedule + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a maintenance window with the given ID does not exist. + summary: Get maintenance window details. tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/_bulk_rollback: - post: - description: >- - Rollback multiple packages to their previous - versions.

[Required authorization] Route required privileges: - integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-bulk-rollback + - maintenance-window + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + patch: + description: |- + **Spaces method and path for this operation:** + +
patch /s/{space_id}/api/maintenance_window/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + [Required authorization] Route required privileges: write-maintenance-window. + operationId: patch-maintenance-window-id parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -26700,69 +44122,313 @@ paths: schema: example: 'true' type: string + - description: The identifier for the maintenance window. + in: path + name: id + required: true + schema: + type: string requestBody: content: application/json: examples: - bulkRollbackRequest: + updateMaintenanceWindowRequest: + description: | + Update a maintenance window to change its title, schedule, and scope. + summary: Update a maintenance window value: - packages: - - name: system + enabled: true + schedule: + custom: + duration: 1h + recurring: + end: '2025-12-31T00:00:00.000Z' + every: 2w + onWeekDay: + - FR + start: '2025-04-01T10:00:00.000Z' + timezone: US/Eastern + scope: + alerting: + query: + kql: 'kibana.alert.tags: "database"' + title: Updated maintenance window schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_bulk_rollback_packages_request + additionalProperties: false + type: object + properties: + enabled: + description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications. + type: boolean + schedule: + additionalProperties: false + type: object + properties: + custom: + additionalProperties: false + type: object + properties: + duration: + description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' + type: string + recurring: + additionalProperties: false + type: object + properties: + end: + description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' + type: string + every: + description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' + type: string + occurrences: + description: The total number of recurrences of the schedule. 
+ minimum: 1 + type: number + onMonth: + description: The specific months for a recurring schedule. Valid values are 1-12. + items: + maximum: 12 + minimum: 1 + type: number + minItems: 1 + type: array + onMonthDay: + description: The specific days of the month for a recurring schedule. Valid values are 1-31. + items: + maximum: 31 + minimum: 1 + type: number + minItems: 1 + type: array + onWeekDay: + description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. + items: + type: string + minItems: 1 + type: array + start: + description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' + type: string + timezone: + description: The timezone of the schedule. The default timezone is UTC. + type: string + required: + - start + - duration + required: + - custom + scope: + additionalProperties: false + type: object + properties: + alerting: + additionalProperties: false + type: object + properties: + query: + additionalProperties: false + type: object + properties: + kql: + description: A filter written in Kibana Query Language (KQL). Only alerts matching this query will be supressed by the maintenance window. + type: string + required: + - kql + required: + - query + required: + - alerting + title: + description: The name of the maintenance window. While this name does not have to be unique, a distinctive name can help you identify a specific maintenance window. + type: string responses: '200': content: application/json: examples: - successResponse: - value: - taskId: taskId - schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_bulk_rollback_packages_response - description: 'OK: A successful request.' 
- '400': - content: - application/json: - examples: - badRequestResponse: + updateMaintenanceWindowResponse: + description: | + The response returned when a maintenance window is successfully updated. + summary: Update a maintenance window response value: - message: Bad Request + created_at: '2025-02-25T10:00:00.000Z' + created_by: elastic + enabled: true + id: f0cb1780-537a-4e34-8adf-3b4336862858 + schedule: + custom: + duration: 1h + recurring: + end: '2025-12-31T00:00:00.000Z' + every: 2w + onWeekDay: + - FR + start: '2025-04-01T10:00:00.000Z' + timezone: US/Eastern + scope: + alerting: + query: + kql: 'kibana.alert.tags: "database"' + status: upcoming + title: Updated maintenance window + updated_at: '2025-03-15T14:30:00.000Z' + updated_by: elastic schema: additionalProperties: false - description: Generic Error type: object properties: - attributes: + created_at: + description: The date and time when the maintenance window was created. + type: string + created_by: + description: The identifier for the user that created the maintenance window. nullable: true - error: type: string - errorType: + enabled: + description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications. + type: boolean + id: + description: The identifier for the maintenance window. type: string - message: + schedule: + additionalProperties: false + type: object + properties: + custom: + additionalProperties: false + type: object + properties: + duration: + description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' + type: string + recurring: + additionalProperties: false + type: object + properties: + end: + description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' 
+ type: string + every: + description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' + type: string + occurrences: + description: The total number of recurrences of the schedule. + type: number + onMonth: + description: The specific months for a recurring schedule. Valid values are 1-12. + items: + type: number + type: array + onMonthDay: + description: The specific days of the month for a recurring schedule. Valid values are 1-31. + items: + type: number + type: array + onWeekDay: + description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. + items: + type: string + type: array + start: + description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' + type: string + timezone: + description: The timezone of the schedule. The default timezone is UTC. + type: string + required: + - start + - duration + required: + - custom + scope: + additionalProperties: false + type: object + properties: + alerting: + additionalProperties: false + type: object + properties: + query: + additionalProperties: false + type: object + properties: + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + required: + - query + required: + - alerting + status: + description: The current status of the maintenance window. + enum: + - running + - upcoming + - finished + - archived + - disabled + type: string + title: + description: The name of the maintenance window. + type: string + updated_at: + description: The date and time when the maintenance window was last updated. + type: string + updated_by: + description: The identifier for the user that last updated this maintenance window. 
+ nullable: true type: string - statusCode: - type: number required: - - message - - attributes - description: A bad request. - summary: Bulk rollback packages + - id + - title + - enabled + - created_by + - updated_by + - created_at + - updated_at + - status + - schedule + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a maintenance window with the given ID does not exist. + '409': + description: Indicates that the maintenance window has already been updated by another user. + summary: Update a maintenance window. tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/_bulk_rollback/{taskId}: - get: - description: >- - Get the status and results of a bulk package rollback - operation.

[Required authorization] Route required privileges: - integrations-all AND fleet-agent-policies-all. - operationId: get-fleet-epm-packages-bulk-rollback-taskid + - maintenance-window + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/maintenance_window/{id}/_archive: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/maintenance_window/{id}/_archive
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + [Required authorization] Route required privileges: write-maintenance-window. + operationId: post-maintenance-window-id-archive parameters: - - description: Task ID of the bulk operation + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the maintenance window to be archived. in: path - name: taskId + name: id required: true schema: type: string 
@@ -26771,49 +44437,176 @@ paths: content: application/json: examples: - successResponse: - value: - status: success - schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_get_one_bulk_operation_packages_response - description: 'OK: A successful request.' - '400': - content: - application/json: - examples: - badRequestResponse: + archiveMaintenanceWindowResponse: + description: | + The response returned when a maintenance window is successfully archived. + summary: Archive a maintenance window response value: - message: Bad Request + created_at: '2025-02-25T10:00:00.000Z' + created_by: elastic + enabled: true + id: f0cb1780-537a-4e34-8adf-3b4336862858 + schedule: + custom: + duration: 2h + recurring: + every: 1w + occurrences: 10 + onWeekDay: + - MO + - WE + start: '2025-03-01T08:00:00.000Z' + timezone: Europe/Amsterdam + scope: + alerting: + query: + kql: 'kibana.alert.tags: "infra"' + status: archived + title: Weekly Maintenance Window + updated_at: '2025-02-25T10:00:00.000Z' + updated_by: elastic schema: additionalProperties: false - description: Generic Error type: object properties: - attributes: + created_at: + description: The date and time when the maintenance window was created. + type: string + created_by: + description: The identifier for the user that created the maintenance window. nullable: true - error: type: string - errorType: + enabled: + description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications. + type: boolean + id: + description: The identifier for the maintenance window. type: string - message: + schedule: + additionalProperties: false + type: object + properties: + custom: + additionalProperties: false + type: object + properties: + duration: + description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' 
+ type: string + recurring: + additionalProperties: false + type: object + properties: + end: + description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' + type: string + every: + description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' + type: string + occurrences: + description: The total number of recurrences of the schedule. + type: number + onMonth: + description: The specific months for a recurring schedule. Valid values are 1-12. + items: + type: number + type: array + onMonthDay: + description: The specific days of the month for a recurring schedule. Valid values are 1-31. + items: + type: number + type: array + onWeekDay: + description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. + items: + type: string + type: array + start: + description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' + type: string + timezone: + description: The timezone of the schedule. The default timezone is UTC. + type: string + required: + - start + - duration + required: + - custom + scope: + additionalProperties: false + type: object + properties: + alerting: + additionalProperties: false + type: object + properties: + query: + additionalProperties: false + type: object + properties: + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + required: + - query + required: + - alerting + status: + description: The current status of the maintenance window. + enum: + - running + - upcoming + - finished + - archived + - disabled + type: string + title: + description: The name of the maintenance window. 
+ type: string + updated_at: + description: The date and time when the maintenance window was last updated. + type: string + updated_by: + description: The identifier for the user that last updated this maintenance window. + nullable: true type: string - statusCode: - type: number required: - - message - - attributes - description: A bad request. - summary: Get Bulk rollback packages details + - id + - title + - enabled + - created_by + - updated_by + - created_at + - updated_at + - status + - schedule + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a maintenance window with the given ID does not exist. + summary: Archive a maintenance window. tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/_bulk_uninstall: + - maintenance-window + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/maintenance_window/{id}/_unarchive: post: - description: >- - Uninstall multiple packages in a single operation.

[Required - authorization] Route required privileges: integrations-all AND - fleet-agent-policies-all. - operationId: post-fleet-epm-packages-bulk-uninstall + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/maintenance_window/{id}/_unarchive
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + [Required authorization] Route required privileges: write-maintenance-window. + operationId: post-maintenance-window-id-unarchive parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -26822,3989 +44615,4974 @@ paths: schema: example: 'true' type: string - requestBody: - content: - application/json: - examples: - postBulkUninstallPackagesRequestExample: - description: Uninstall multiple packages - value: - packages: - - name: aws - - name: gcp - schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_bulk_uninstall_packages_request + - description: The identifier for the maintenance window to be unarchived. + in: path + name: id + required: true + schema: + type: string responses: '200': content: application/json: examples: - postBulkUninstallPackagesExample: - description: Bulk uninstall task initiated - value: - taskId: task-id-1 - schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_bulk_upgrade_packages_response - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response + unarchiveMaintenanceWindowResponse: + description: | + The response returned when a maintenance window is successfully unarchived. + summary: Unarchive a maintenance window response value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + created_at: '2025-02-25T10:00:00.000Z' + created_by: elastic + enabled: true + id: f0cb1780-537a-4e34-8adf-3b4336862858 + schedule: + custom: + duration: 2h + recurring: + every: 1w + occurrences: 10 + onWeekDay: + - MO + - WE + start: '2025-03-01T08:00:00.000Z' + timezone: Europe/Amsterdam + scope: + alerting: + query: + kql: 'kibana.alert.tags: "infra"' + status: upcoming + title: Weekly Maintenance Window + updated_at: '2025-02-25T10:00:00.000Z' + updated_by: elastic schema: additionalProperties: false - description: Generic Error type: object properties: - attributes: + created_at: + description: The date and time when the maintenance window was created. + type: string + created_by: + description: The identifier for the user that created the maintenance window. 
nullable: true - error: type: string - errorType: + enabled: + description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications. + type: boolean + id: + description: The identifier for the maintenance window. type: string - message: + schedule: + additionalProperties: false + type: object + properties: + custom: + additionalProperties: false + type: object + properties: + duration: + description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' + type: string + recurring: + additionalProperties: false + type: object + properties: + end: + description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' + type: string + every: + description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' + type: string + occurrences: + description: The total number of recurrences of the schedule. + type: number + onMonth: + description: The specific months for a recurring schedule. Valid values are 1-12. + items: + type: number + type: array + onMonthDay: + description: The specific days of the month for a recurring schedule. Valid values are 1-31. + items: + type: number + type: array + onWeekDay: + description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. + items: + type: string + type: array + start: + description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' + type: string + timezone: + description: The timezone of the schedule. The default timezone is UTC. 
+ type: string + required: + - start + - duration + required: + - custom + scope: + additionalProperties: false + type: object + properties: + alerting: + additionalProperties: false + type: object + properties: + query: + additionalProperties: false + type: object + properties: + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + required: + - query + required: + - alerting + status: + description: The current status of the maintenance window. + enum: + - running + - upcoming + - finished + - archived + - disabled + type: string + title: + description: The name of the maintenance window. + type: string + updated_at: + description: The date and time when the maintenance window was last updated. + type: string + updated_by: + description: The identifier for the user that last updated this maintenance window. + nullable: true type: string - statusCode: - type: number required: - - message - - attributes - description: Bad Request - summary: Bulk uninstall packages + - id + - title + - enabled + - created_by + - updated_by + - created_at + - updated_at + - status + - schedule + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a maintenance window with the given ID does not exist. + summary: Unarchive a maintenance window. tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/_bulk_uninstall/{taskId}: + - maintenance-window + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/ml/saved_objects/sync: get: - description: >- - Get the status and results of a bulk package uninstall - operation.

[Required authorization] Route required privileges: - integrations-all AND fleet-agent-policies-all. - operationId: get-fleet-epm-packages-bulk-uninstall-taskid + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/ml/saved_objects/sync
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Synchronizes Kibana saved objects for machine learning jobs and trained models in the default space. You must have `all` privileges for the **Machine Learning** feature in the **Analytics** section of the Kibana feature privileges. This API runs automatically when you start Kibana and periodically thereafter. + operationId: mlSync parameters: - - description: Task ID of the bulk operation - in: path - name: taskId - required: true - schema: - type: string + - $ref: '#/components/parameters/Machine_learning_APIs_simulateParam' responses: '200': content: application/json: examples: - getBulkOperationDetailsExample: - description: Details of the bulk operation task - value: - packages: - - name: system - result: installed - - name: elastic_agent - result: installed - status: success + syncExample: + $ref: '#/components/examples/Machine_learning_APIs_mlSyncExample' schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_get_one_bulk_operation_packages_response - description: Successful response - '400': + $ref: '#/components/schemas/Machine_learning_APIs_mlSync200Response' + description: Indicates a successful call + '401': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + syncExample: + $ref: '#/components/examples/Machine_learning_APIs_mlSync401Example' schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get Bulk uninstall packages details + $ref: '#/components/schemas/Machine_learning_APIs_mlSync4xxResponse' + description: 
Authorization information is missing or invalid. + summary: Sync saved objects in the default space tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/_bulk_upgrade: + - ml + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/ml/saved_objects/update_jobs_spaces: post: - description: >- - Upgrade multiple packages to their latest versions.

[Required - authorization] Route required privileges: integrations-all AND - fleet-agent-policies-all. - operationId: post-fleet-epm-packages-bulk-upgrade - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/ml/saved_objects/update_jobs_spaces
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update a list of jobs to add and/or remove them from given spaces. + operationId: mlUpdateJobsSpaces requestBody: content: application/json: examples: - postBulkUpgradePackagesRequestExample: - description: Upgrade multiple packages to their latest versions + updateADJobSpacesRequest: value: - packages: - - name: system - - name: elastic_agent - schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_bulk_upgrade_packages_request - responses: - '200': - content: - application/json: - examples: - postBulkUpgradePackagesExample: - description: Bulk upgrade task initiated - value: - taskId: task-id-1 - schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_bulk_upgrade_packages_response - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Bulk upgrade packages - tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/_bulk_upgrade/{taskId}: - get: - description: >- - Get the status and results of a bulk package upgrade - operation.

[Required authorization] Route required privileges: - integrations-all AND fleet-agent-policies-all. - operationId: get-fleet-epm-packages-bulk-upgrade-taskid - parameters: - - description: Task ID of the bulk operation - in: path - name: taskId - required: true - schema: - type: string + jobIds: + - test-job + jobType: anomaly-detector + spacesToAdd: + - default + spacesToRemove: + - '*' + updateDFAJobSpacesRequest: + value: + jobIds: + - test-job + jobType: data-frame-analytics + spacesToAdd: + - default + spacesToRemove: + - '*' responses: '200': content: application/json: examples: - getBulkOperationDetailsExample: - description: Details of the bulk operation task + successADResponse: value: - packages: - - name: system - result: installed - - name: elastic_agent - result: installed - status: success - schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_get_one_bulk_operation_packages_response - description: Successful response - '400': + test-job: + success: true + type: anomaly-detector + successDFAResponse: + value: + test-job: + success: true + type: data-frame-analytics + description: Indicates a successful call + summary: Update jobs spaces + tags: + - ml + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/ml/saved_objects/update_trained_models_spaces: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/ml/saved_objects/update_trained_models_spaces
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update a list of trained models to add and/or remove them from given spaces. + operationId: mlUpdateTrainedModelsSpaces + requestBody: + content: + application/json: + examples: + updateTrainedModelsSpacesRequest: + value: + modelIds: + - test-model + spacesToAdd: + - default + spacesToRemove: + - '*' + responses: + '200': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + successTMResponse: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get Bulk upgrade packages details + test-model: + success: true + type: trained-model" + description: Indicates a successful call + summary: Update trained models spaces tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/{pkgName}: + - ml + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/note: delete: - description: >- - Uninstall a package and remove all its assets.

[Required - authorization] Route required privileges: integrations-all AND - fleet-agent-policies-all. - operationId: delete-fleet-epm-packages-pkgname + description: | + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/note
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Deletes notes by saved object ID. Send either `noteId` (single ID) or `noteIds` (array of IDs) in the JSON body. + + The response has HTTP 200 with an empty body on success. + + Requires the **Timeline and Notes** write privilege (`notes_write`). + operationId: DeleteNote + requestBody: + content: + application/json: + examples: + deleteOne: + summary: Delete a single note by id + value: + noteId: 709f99c6-89b6-4953-9160-35945c8e174e + schema: + oneOf: + - nullable: true + type: object + properties: + noteId: + description: Saved object ID of the note to delete. + type: string + required: + - noteId + - nullable: true + type: object + properties: + noteIds: + description: Saved object IDs of the notes to delete. + items: + type: string + nullable: true + type: array + required: + - noteIds + description: | + Exactly one shape: `{ "noteId": "" }` for a single delete, or `{ "noteIds": ["", ...] }` for bulk delete. + `noteIds` may be null in some clients; prefer an empty array or omit unused fields when possible. + required: true + responses: + '200': + description: The notes were deleted successfully. Response body is empty. + summary: Delete one or more notes + tags: + - Security Timeline API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/note
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Returns Security Timeline notes as saved objects. + + **Query modes (mutually exclusive branches on the server):** + + 1. **`documentIds` is set** — Returns notes whose `eventId` matches the given Elasticsearch document `_id` (single string or array). Pagination query parameters (`page`, `perPage`, etc.) are **not** applied; the server uses a fixed page size (up to 10000 notes). + + 2. **`savedObjectIds` is set** — Returns notes linked to the given Timeline saved object id(s). Same fixed cap as above; list-mode query parameters are **not** applied. + + 3. **Neither `documentIds` nor `savedObjectIds`** — Lists notes using saved-objects find semantics: `page` (default 1), `perPage` (default 10), optional `search`, `sortField`, `sortOrder`, `filter`, `createdByFilter`, and `associatedFilter`. + + Requires the **Timeline and Notes** read privilege (`notes_read`). + operationId: GetNotes parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true + - description: | + Event document `_id` values to match against each note's `eventId`. When this parameter is present, the response is all matching notes (up to the server's hard limit), not a paged list using `page`/`perPage`. + examples: + multiple: + summary: Multiple document ids (array) + value: + - id-one + - id-two + single: + summary: Single document id + value: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b + in: query + name: documentIds schema: - example: 'true' + $ref: '#/components/schemas/Security_Timeline_API_DocumentIds' + - description: | + Timeline `savedObjectId` value(s). Returns notes that reference those timelines. When present, list-mode pagination parameters are not used; up to the server's hard limit of notes may be returned. 
+ examples: + singleTimeline: + summary: Single timeline id + value: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + in: query + name: savedObjectIds + schema: + $ref: '#/components/schemas/Security_Timeline_API_SavedObjectIds' + - description: | + Page number for list mode (when `documentIds` and `savedObjectIds` are omitted). Passed as a string; default 1. + example: '1' + in: query + name: page + schema: + nullable: true type: string - - description: Package name - in: path - name: pkgName - required: true + - description: | + Page size for list mode (when `documentIds` and `savedObjectIds` are omitted). Passed as a string; default 10. + example: '20' + in: query + name: perPage schema: + nullable: true type: string - - description: When true, delete the package even if it has active package policies + - description: Search string for saved-objects find (list mode only). in: query - name: force - required: false + name: search schema: - type: boolean - responses: - '200': - content: - application/json: - examples: - deletePackageExample: - description: Package successfully deleted - value: - items: - - id: aws-logs-aws.cloudwatch_logs-default - type: index_template - schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_delete_package_response' - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Delete a package - tags: - - Elastic Package Manager (EPM) - get: - description: >- - Get information about a package by name, returning the latest 
installed - or available version. - operationId: get-fleet-epm-packages-pkgname - parameters: - - description: Package name - in: path - name: pkgName - required: true + nullable: true + type: string + - description: Field to sort by for saved-objects find (list mode only). + in: query + name: sortField schema: + nullable: true type: string - - description: >- - When true, returns the package even if the signature cannot be - verified + - description: Sort order (`asc` or `desc`) for saved-objects find (list mode only). + example: desc in: query - name: ignoreUnverified - required: false + name: sortOrder schema: - type: boolean - - description: When true, include prerelease versions + nullable: true + type: string + - description: | + Kuery filter string combined with other list-mode filters (for example `createdByFilter` or `associatedFilter`). Typed as a string for API compatibility; interpreted by the saved-objects layer (list mode only). in: query - name: prerelease - required: false + name: filter schema: - type: boolean - - description: When true, return the full package info including assets + nullable: true + type: string + - description: | + Kibana user profile **UID** (UUID). The server resolves the user's display identifiers and returns notes whose `createdBy` matches any of them (list mode only). + example: f1c2d3e4-5b6a-7890-abcd-ef1234567890 in: query - name: full - required: false + name: createdByFilter schema: - type: boolean - - description: >- - When true, include package metadata such as whether it has package - policies + nullable: true + type: string + - description: | + Restricts notes by how they relate to a Timeline and/or an event document (list mode only). Some values apply extra filtering after the query. Ignored when `documentIds` or `savedObjectIds` is used. 
in: query - name: withMetadata - required: false + name: associatedFilter schema: - default: false - type: boolean + $ref: '#/components/schemas/Security_Timeline_API_AssociatedFilterType' responses: '200': content: application/json: examples: - getPackageInfoExample: - description: Package details and installation status + notesPage: + summary: Paged notes for a timeline value: - item: - assets: - kibana: - dashboard: [] - index_pattern: [] - categories: - - cloud - description: Collect logs and metrics from Amazon Web Services - name: aws - status: installed - title: AWS - version: 2.10.0 + notes: + - eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc + note: Escalated to tier-2 analyst + noteId: 709f99c6-89b6-4953-9160-35945c8e174e + timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + version: WzQ2LDFd + totalCount: 1 schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_get_info_response' - description: Successful response - '400': + $ref: '#/components/schemas/Security_Timeline_API_GetNotesResult' + description: Notes and total count for the requested mode. + summary: Get notes + tags: + - Security Timeline API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + patch: + description: | + **Spaces method and path for this operation:** + +
patch /s/{space_id}/api/note
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Creates a new note or updates an existing one. + + **Create:** Send `note` and omit `noteId` to create a new saved object. + + **Update:** Send `note` with the changed fields and set `noteId` to the note's saved object ID. Optionally include `version` for optimistic concurrency when the client has it from a prior read. + + Requires the **Timeline and Notes** write privilege (`notes_write`). + externalDocs: + description: Add or update a note on a Timeline + url: https://www.elastic.co/guide/en/security/current/timeline-api-update.html + operationId: PersistNoteRoute + requestBody: + content: + application/json: + examples: + addNote: + summary: Add a note on an event + value: + note: + eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc + note: Escalated to tier-2 analyst + timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + schema: + type: object + properties: + note: + $ref: '#/components/schemas/Security_Timeline_API_BareNote' + description: Note payload (timeline, text, optional event linkage, metadata). + noteId: + description: The `savedObjectId` of the note to update. Omit when creating a new note. + example: 709f99c6-89b6-4953-9160-35945c8e174e + nullable: true + type: string + version: + description: Saved object version string from a previous read; optional on update. + example: WzQ2LDFd + nullable: true + type: string + required: + - note + description: | + Body must include the `note` object. For updates, include `noteId` (and optionally `version`). + To attach a note to a specific event, set `note.eventId` to that event's document `_id`; for a timeline-wide note, omit or clear `eventId` per product rules. 
+ required: true + responses: + '200': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + persisted: + summary: Persisted note wrapper value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + note: + eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc + note: Escalated to tier-2 analyst + noteId: 709f99c6-89b6-4953-9160-35945c8e174e + timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + version: WzQ2LDFd schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get a package + $ref: '#/components/schemas/Security_Timeline_API_ResponseNote' + description: The persisted note, including `noteId` and `version`. + summary: Add or update a note tags: - - Elastic Package Manager (EPM) + - Security Timeline API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/observability_ai_assistant/chat/complete: post: - description: >- - Install the latest version of a package from the Elastic Package - Registry.

[Required authorization] Route required privileges: - integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-pkgname + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/observability_ai_assistant/chat/complete
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new chat completion by using the Observability AI Assistant. + + The API returns the model's response based on the current conversation context. + + It also handles any tool requests within the conversation, which may trigger multiple calls to the underlying large language model (LLM). + + This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. + operationId: observability-ai-assistant-chat-complete + requestBody: + content: + application/json: + examples: + chatCompleteRequestExample: + $ref: '#/components/examples/Observability_AI_Assistant_API_ChatCompleteRequestExample' + schema: + type: object + properties: + actions: + items: + $ref: '#/components/schemas/Observability_AI_Assistant_API_Function' + type: array + connectorId: + description: A unique identifier for the connector. + type: string + conversationId: + description: A unique identifier for the conversation if you are continuing an existing conversation. + type: string + disableFunctions: + description: Flag indicating whether all function calls should be disabled for the conversation. If true, no calls to functions will be made. + type: boolean + instructions: + description: An array of instruction objects, which can be either simple strings or detailed objects. + items: + $ref: '#/components/schemas/Observability_AI_Assistant_API_Instruction' + type: array + messages: + description: An array of message objects containing the conversation history. + items: + $ref: '#/components/schemas/Observability_AI_Assistant_API_Message' + type: array + persist: + description: Indicates whether the conversation should be saved to storage. If true, the conversation will be saved and will be available in Kibana. 
+ type: boolean + title: + description: A title for the conversation. + type: string + required: + - messages + - connectorId + - persist + responses: + '200': + content: + application/json: + examples: + chatCompleteResponseExample: + $ref: '#/components/examples/Observability_AI_Assistant_API_ChatCompleteResponseExample' + schema: + type: object + description: Successful response + summary: Generate a chat completion + tags: + - observability_ai_assistant + x-codeSamples: + - lang: cURL + source: | + curl --request POST 'localhost:5601/api/observability_ai_assistant/chat/complete' -u : -H 'kbn-xsrf: true' -H "Content-Type: application/json" --data ' + { + "connectorId": "", + "disableFunctions": false, + "messages": [ + { + "@timestamp": "2025-06-25T23:45:00.000Z", + "message": { + "role": "user", + "content": "Is my Elasticsearch cluster healthy right now?" + } + } + ], + "persist": false, + "actions": [ + { + "name": "get_cluster_health", + "description": "Fetch the current Elasticsearch cluster-health status and key metrics.", + "parameters": { + "type": "object", + "properties": { + "includeShardStats": { + "type": "boolean", + "default": false + } + } + } + } + ], + "instructions": ["When the user asks about Elasticsearch cluster health, use the get_cluster_health tool to retrieve cluster health, then summarize the response in plain English."] + }' + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/osquery/history: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/osquery/history
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a unified, time-sorted history of live, rule-triggered, and scheduled osquery executions. The response uses cursor-based pagination. + operationId: OsqueryGetUnifiedHistory parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true + - description: The number of results to return per page. + in: query + name: pageSize + required: false + schema: + default: 20 + description: The number of results to return per page. + maximum: 100 + minimum: 1 + type: integer + - description: A base64-encoded cursor for pagination. Use the value from the previous response to fetch the next page. + in: query + name: nextPage + required: false schema: - example: 'true' + description: A base64-encoded cursor for pagination. Use the value from the previous response to fetch the next page. type: string - - description: Package name - in: path - name: pkgName - required: true + - description: A search string to filter history entries by pack name, query text, or query ID. + in: query + name: kuery + required: false schema: + description: A search string to filter history entries by pack name, query text, or query ID. type: string - - description: When true, allow installing prerelease versions + - description: Comma-separated list of user IDs to filter live query history. in: query - name: prerelease + name: userIds required: false schema: - type: boolean - - description: When true, ignore mapping update errors during installation + description: Comma-separated list of user IDs to filter live query history. + example: elastic,admin + type: string + - description: Comma-separated list of source types to include. Valid values are `live`, `rule`, and `scheduled`. 
in: query - name: ignoreMappingUpdateErrors + name: sourceFilters required: false schema: - default: false - type: boolean - - description: When true, skip data stream rollover after installation + description: Comma-separated list of source types to include. Valid values are `live`, `rule`, and `scheduled`. + example: live,scheduled + type: string + - description: The start of the time range filter (ISO 8601). in: query - name: skipDataStreamRollover + name: startDate required: false schema: - default: false - type: boolean - - description: >- - Skip dependency validation when installing a package with - dependencies + description: The start of the time range filter (ISO 8601). + example: '2024-01-01T00:00:00Z' + type: string + - description: The end of the time range filter (ISO 8601). in: query - name: skipDependencyCheck + name: endDate required: false schema: - default: false - type: boolean - requestBody: - content: - application/json: - examples: - postInstallPackageRequestExample: - description: Install a package, optionally ignoring constraints - value: - ignore_constraints: false - schema: - allOf: - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_install_package_from_registry_request - nullable: true + description: The end of the time range filter (ISO 8601). 
+ example: '2024-12-31T23:59:59Z' + type: string responses: '200': content: application/json: examples: - postInstallPackageExample: - description: Package successfully installed + unifiedHistoryExample: + summary: Example unified history response value: - _meta: - install_source: registry - items: - - id: aws-logs-aws.cloudwatch_logs-default - type: index_template + data: + - actionId: 609c4c66-ba3d-43fa-afdd-53e244577aa0 + agentCount: 5 + errorCount: 0 + id: 3c42c847-eb30-4452-80e0-728584042334 + queryName: uptime_query + queryText: select * from uptime; + source: Live + sourceType: live + successCount: 5 + timestamp: '2024-07-26T09:59:32.220Z' + totalRows: 42 + userId: elastic + - agentCount: 10 + errorCount: 1 + executionCount: 3 + id: pack_my_pack_uptime_3 + packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d + packName: My Pack + plannedTime: '2024-07-26T09:00:00.000Z' + queryName: uptime + queryText: select * from uptime; + scheduleId: pack_my_pack_uptime + source: Scheduled + sourceType: scheduled + successCount: 9 + timestamp: '2024-07-26T09:00:00.000Z' + totalRows: 100 + hasMore: true + nextPage: eyJhY3Rpb25TZWFyY2hBZnRlciI6WzE3... schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_install_package_response' - description: Successful response - '400': + $ref: '#/components/schemas/Security_Osquery_API_GetUnifiedHistoryResponse' + description: Indicates a successful call. + summary: Get unified query history + tags: + - Security Osquery API + x-state: Generally available; Added in 9.4.0 + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/osquery/live_queries: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/osquery/live_queries
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all live queries. + operationId: OsqueryFindLiveQueries + parameters: + - description: A KQL search string to filter live queries. + in: query + name: kuery + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' + - description: The page number to return. + in: query + name: page + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' + - description: The number of results to return per page. + in: query + name: pageSize + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' + - description: The field to sort results by. + in: query + name: sort + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' + - description: The sort order. + in: query + name: sortOrder + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' + responses: + '200': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + liveQueriesList: + summary: A list of recent live queries value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + data: + items: + - _source: + '@timestamp': '2023-10-31T00:00:00Z' + action_id: 3c42c847-eb30-4452-80e0-728584042334 + agents: + - 16d7caf5-efd2-4212-9b62-73dafc91fa13 + expiration: '2023-10-31T00:00:00Z' + queries: + - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 + agents: + - 16d7caf5-efd2-4212-9b62-73dafc91fa13 + ecs_mapping: + host.uptime: + field: total_seconds + id: 6724a474-cbba-41ef-a1aa-66aebf0879e2 + query: select * from uptime; + saved_query_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d + user_id: elastic + total: 1 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - 
attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Install a package from the registry + $ref: '#/components/schemas/Security_Osquery_API_FindLiveQueryResponse' + description: Indicates a successful call. + summary: Get live queries tags: - - Elastic Package Manager (EPM) - put: - description: >- - Update settings for a package, such as whether policies are kept up to - date automatically.

[Required authorization] Route required - privileges: integrations-all AND fleet-agent-policies-all. - operationId: put-fleet-epm-packages-pkgname - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Package name - in: path - name: pkgName - required: true - schema: - type: string + - Security Osquery API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/osquery/live_queries
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create and run a live query. + operationId: OsqueryCreateLiveQuery requestBody: content: application/json: examples: - putUpdatePackageNamespaceCustomizationExample: - description: >- - Enable namespace-level customization for the `production` and - `staging` namespaces + singleQueryAllAgents: + summary: Run a single query on all agents value: - namespace_customization_enabled_for: - - production - - staging - putUpdatePackageRequestExample: - description: Update keep_policies_up_to_date setting for a package + agent_all: true + ecs_mapping: + host.uptime: + field: total_seconds + query: select * from uptime; + targetedQuery: + summary: Run a query against specific agents value: - keepPoliciesUpToDate: true + agent_ids: + - 16d7caf5-efd2-4212-9b62-73dafc91fa13 + query: select * from processes; schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_package_request' + $ref: '#/components/schemas/Security_Osquery_API_CreateLiveQueryRequestBody' + required: true responses: '200': content: application/json: examples: - putUpdatePackageExample: - description: Updated package settings - value: - item: - keepPoliciesUpToDate: true - name: aws - version: 2.10.0 - schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_package_response' - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response + liveQueryCreated: + summary: Live query created value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + data: + '@timestamp': '2022-07-26T09:59:32.220Z' + action_id: 3c42c847-eb30-4452-80e0-728584042334 + agent_all: true + agents: + - 16d7caf5-efd2-4212-9b62-73dafc91fa13 + expiration: '2022-07-26T10:04:32.220Z' + input_type: osquery + queries: + - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 + agents: + - 
16d7caf5-efd2-4212-9b62-73dafc91fa13 + id: 6724a474-cbba-41ef-a1aa-66aebf0879e2 + query: select * from uptime; + timeout: 120 + type: INPUT_ACTION + user_id: elastic schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Update package settings + $ref: '#/components/schemas/Security_Osquery_API_CreateLiveQueryResponse' + description: Indicates a successful call. + summary: Create a live query tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/{pkgName}/{pkgVersion}: - delete: - description: >- - Uninstall a specific version of a package and remove all its - assets.

[Required authorization] Route required privileges: - integrations-all AND fleet-agent-policies-all. - operationId: delete-fleet-epm-packages-pkgname-pkgversion + - Security Osquery API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/osquery/live_queries/{id}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/osquery/live_queries/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the details of a live query using the query ID. + operationId: OsqueryGetLiveQueryDetails parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Package name - in: path - name: pkgName - required: true - schema: - type: string - - description: Package version + - description: The ID of the live query. in: path - name: pkgVersion + name: id required: true schema: + description: The ID of the live query result you want to retrieve. + example: 3c42c847-eb30-4452-80e0-728584042334 type: string - - description: When true, delete the package even if it has active package policies - in: query - name: force - required: false - schema: - type: boolean responses: '200': content: application/json: examples: - deletePackageExample: - description: Package successfully deleted - value: - items: - - id: aws-logs-aws.cloudwatch_logs-default - type: index_template - schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_delete_package_response' - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response + liveQueryDetails: + summary: Live query details with execution status value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + data: + '@timestamp': '2022-07-26T09:59:32.220Z' + action_id: 3c42c847-eb30-4452-80e0-728584042334 + agents: + - 16d7caf5-efd2-4212-9b62-73dafc91fa13 + expiration: '2022-07-26T10:04:32.220Z' + queries: + - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 + agents: + - 16d7caf5-efd2-4212-9b62-73dafc91fa13 + docs: 1 + failed: 0 + id: 6724a474-cbba-41ef-a1aa-66aebf0879e2 + pending: 0 + query: select * from uptime; + responded: 1 + status: completed + successful: 1 + 
status: completed + user_id: elastic schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Delete a package + $ref: '#/components/schemas/Security_Osquery_API_FindLiveQueryDetailsResponse' + description: Indicates a successful call. + summary: Get live query details tags: - - Elastic Package Manager (EPM) + - Security Osquery API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/osquery/live_queries/{id}/results/{actionId}: get: - description: Get information about a specific version of a package. - operationId: get-fleet-epm-packages-pkgname-pkgversion + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/osquery/live_queries/{id}/results/{actionId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the results of a live query using the query action ID. + operationId: OsqueryGetLiveQueryResults parameters: - - description: Package name + - description: The ID of the live query. in: path - name: pkgName + name: id required: true schema: + description: The ID of the live query result you want to retrieve. + example: 3c42c847-eb30-4452-80e0-728584042334 type: string - - description: Package version + - description: The ID of the query action. in: path - name: pkgVersion + name: actionId required: true schema: + description: The ID of the query action that generated the live query results. + example: 609c4c66-ba3d-43fa-afdd-53e244577aa0 type: string - - description: >- - When true, returns the package even if the signature cannot be - verified + - description: A KQL search string to filter results. in: query - name: ignoreUnverified + name: kuery required: false schema: - type: boolean - - description: When true, include prerelease versions + $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' + - description: The page number to return. in: query - name: prerelease + name: page required: false schema: - type: boolean - - description: When true, return the full package info including assets + $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' + - description: The number of results to return per page. in: query - name: full + name: pageSize required: false schema: - type: boolean - - description: >- - When true, include package metadata such as whether it has package - policies + $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' + - description: The field to sort results by. in: query - name: withMetadata + name: sort required: false schema: - default: false - type: boolean + $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' + - description: The sort order. 
+ in: query + name: sortOrder + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' responses: '200': content: application/json: examples: - getPackageInfoExample: - description: Package details and installation status - value: - item: - assets: - kibana: - dashboard: [] - index_pattern: [] - categories: - - cloud - description: Collect logs and metrics from Amazon Web Services - name: aws - status: installed - title: AWS - version: 2.10.0 - schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_get_info_response' - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response + liveQueryResults: + summary: Result rows from a live query execution value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + data: + edges: + - _id: doc1 + _source: + action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 + agent: + id: 16d7caf5-efd2-4212-9b62-73dafc91fa13 + osquery: + total_seconds: '12345' + - _id: doc2 + _source: + action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 + agent: + id: 16d7caf5-efd2-4212-9b62-73dafc91fa13 + osquery: + total_seconds: '67890' + total: 2 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get a package - tags: - - Elastic Package Manager (EPM) - post: - description: >- - Install a specific version of a package from the Elastic Package - Registry.

[Required authorization] Route required privileges: - integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-pkgname-pkgversion + $ref: '#/components/schemas/Security_Osquery_API_GetLiveQueryResultsResponse' + description: Indicates a successful call. + summary: Get live query results + tags: + - Security Osquery API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/osquery/packs: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/osquery/packs
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all query packs. + operationId: OsqueryFindPacks parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Package name - in: path - name: pkgName - required: true - schema: - type: string - - description: Package version - in: path - name: pkgVersion - required: true - schema: - type: string - - description: When true, allow installing prerelease versions + - description: The page number to return. in: query - name: prerelease + name: page required: false schema: - type: boolean - - description: When true, ignore mapping update errors during installation + $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' + - description: The number of results to return per page. in: query - name: ignoreMappingUpdateErrors + name: pageSize required: false schema: - default: false - type: boolean - - description: When true, skip data stream rollover after installation + $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' + - description: The field to sort results by. in: query - name: skipDataStreamRollover + name: sort required: false schema: - default: false - type: boolean - - description: >- - Skip dependency validation when installing a package with - dependencies + $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' + - description: The sort order. 
in: query - name: skipDependencyCheck + name: sortOrder required: false schema: - default: false - type: boolean - requestBody: - content: - application/json: - examples: - postInstallPackageRequestExample: - description: Install a package, optionally ignoring constraints - value: - ignore_constraints: false - schema: - allOf: - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_install_package_from_registry_request - nullable: true + $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' responses: '200': content: application/json: examples: - postInstallPackageExample: - description: Package successfully installed - value: - _meta: - install_source: registry - items: - - id: aws-logs-aws.cloudwatch_logs-default - type: index_template - schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_install_package_response' - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response + packsList: + summary: A list of query packs value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + data: + - created_at: '2025-02-26T13:37:30.452Z' + created_by: elastic + description: My pack + enabled: true + name: my_pack + queries: + - id: ports + interval: 60 + query: SELECT * FROM listening_ports; + removed: false + snapshot: true + timeout: 120 + saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 + updated_at: '2025-02-26T13:37:30.452Z' + updated_by: elastic + version: 1 + page: 1 + per_page: 20 + total: 1 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Install a package from the registry + $ref: 
'#/components/schemas/Security_Osquery_API_FindPacksResponse' + description: Indicates a successful call. + summary: Get packs tags: - - Elastic Package Manager (EPM) - put: - description: >- - Update settings for a specific version of a package.

[Required - authorization] Route required privileges: integrations-all AND - fleet-agent-policies-all. - operationId: put-fleet-epm-packages-pkgname-pkgversion - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Package name - in: path - name: pkgName - required: true - schema: - type: string - - description: Package version - in: path - name: pkgVersion - required: true - schema: - type: string + - Security Osquery API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/osquery/packs
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a query pack. + operationId: OsqueryCreatePacks requestBody: content: application/json: examples: - putUpdatePackageNamespaceCustomizationExample: - description: >- - Enable namespace-level customization for the `production` and - `staging` namespaces - value: - namespace_customization_enabled_for: - - production - - staging - putUpdatePackageRequestExample: - description: Update keep_policies_up_to_date setting for a package + createPack: + summary: Create a pack with a single query value: - keepPoliciesUpToDate: true + description: My pack + enabled: true + name: my_pack + policy_ids: + - my_policy_id + queries: + ports: + ecs_mapping: + client.port: + field: port + interval: 60 + query: SELECT * FROM listening_ports; + timeout: 120 schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_package_request' + $ref: '#/components/schemas/Security_Osquery_API_CreatePacksRequestBody' + required: true responses: '200': content: application/json: examples: - putUpdatePackageExample: - description: Updated package settings + packCreated: + summary: Pack created value: - item: - keepPoliciesUpToDate: true - name: aws - version: 2.10.0 + data: + created_at: '2025-02-26T13:37:30.452Z' + created_by: elastic + description: My pack + enabled: true + name: my_pack + policy_ids: + - my_policy_id + queries: + ports: + interval: 60 + query: SELECT * FROM listening_ports; + removed: false + snapshot: true + timeout: 120 + saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 + shards: [] + updated_at: '2025-02-26T13:37:30.452Z' + updated_by: elastic + version: 1 schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_package_response' - description: Successful response - '400': + $ref: '#/components/schemas/Security_Osquery_API_CreatePacksResponse' + description: Indicates a successful call. 
+ summary: Create a pack + tags: + - Security Osquery API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/osquery/packs/{id}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/osquery/packs/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a query pack using the pack ID. + operationId: OsqueryDeletePacks + parameters: + - description: The pack ID. + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Osquery_API_PackId' + responses: + '200': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + packDeleted: + summary: Pack deleted (empty response body) + value: {} schema: - additionalProperties: false - description: Generic Error type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Update package settings + properties: {} + description: Indicates a successful call. + summary: Delete a pack tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}: + - Security Osquery API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name get: - description: >- - Get the contents of a specific file from a package.

[Required - authorization] Route required privileges: integrations-read OR - fleet-setup OR fleet-all. - operationId: get-fleet-epm-packages-pkgname-pkgversion-filepath + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/osquery/packs/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the details of a query pack using the pack ID. + operationId: OsqueryGetPacksDetails parameters: - - description: Package name - in: path - name: pkgName - required: true - schema: - type: string - - description: Package version - in: path - name: pkgVersion - required: true - schema: - type: string - - description: File path within the package + - description: The pack ID. in: path - name: filePath + name: id required: true schema: - type: string + $ref: '#/components/schemas/Security_Osquery_API_PackId' responses: '200': content: application/json: examples: - getPackageFileExample: - description: The content of the requested package file - value: - schema: {} - description: Successful response — returns the file content - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response + packDetails: + summary: Pack details value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + data: + created_at: '2025-02-26T13:37:30.452Z' + created_by: elastic + description: My pack + enabled: true + name: my_pack + policy_ids: + - my_policy_id + queries: + ports: + interval: 60 + query: SELECT * FROM listening_ports; + removed: false + snapshot: true + timeout: 120 + saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 + shards: {} + updated_at: '2025-02-26T13:37:30.452Z' + updated_by: elastic + version: 1 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get a package file + $ref: '#/components/schemas/Security_Osquery_API_FindPackResponse' + description: Indicates a successful call. 
+ summary: Get pack details tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/{pkgName}/{pkgVersion}/datastream_assets: - delete: - description: >- - Delete datastream assets for a specific input package, by data stream - name.

[Required authorization] Route required privileges: - integrations-all AND fleet-agent-policies-all. - operationId: delete-fleet-epm-packages-pkgname-pkgversion-datastream-assets + - Security Osquery API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: | + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/osquery/packs/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update a query pack using the pack ID. + > info + > You cannot update a prebuilt pack. + operationId: OsqueryUpdatePacks parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Package name - in: path - name: pkgName - required: true - schema: - type: string - - description: Package version + - description: The pack ID. in: path - name: pkgVersion - required: true - schema: - type: string - - description: The ID of the package policy - in: query - name: packagePolicyId + name: id required: true schema: - type: string + $ref: '#/components/schemas/Security_Osquery_API_PackId' + requestBody: + content: + application/json: + examples: + renamePack: + summary: Rename a pack and update its description + value: + description: Updated pack description + enabled: true + name: my_pack_renamed + schema: + $ref: '#/components/schemas/Security_Osquery_API_UpdatePacksRequestBody' + required: true responses: '200': content: application/json: examples: - deletePackageDatastreamAssetsExample: - description: Package datastream assets successfully deleted + packUpdated: + summary: Pack updated value: - items: - - id: logs-my_package.access-default - type: index_template + data: + description: Updated pack description + enabled: true + name: my_pack_renamed + policy_ids: + - my_policy_id + queries: + ports: + interval: 60 + query: SELECT * FROM listening_ports; + removed: false + snapshot: true + timeout: 120 + saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 + shards: [] + updated_at: '2025-02-27T10:00:00.000Z' + updated_by: elastic + version: 2 schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_delete_package_datastream_assets_response - description: Successful response - '400': + $ref: 
'#/components/schemas/Security_Osquery_API_UpdatePacksResponse' + description: Indicates a successful call. + summary: Update a pack + tags: + - Security Osquery API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/osquery/packs/{id}/copy: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/osquery/packs/{id}/copy
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a copy of a query pack with a unique name by appending a `_copy` suffix. If the name already exists, a numeric suffix is added (e.g., `_copy_2`). The copied pack is always created with `enabled` set to `false`. + operationId: OsqueryCopyPacks + parameters: + - description: The ID of the pack to copy. + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Osquery_API_PackId' + responses: + '200': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + copyPackExample: + summary: Example response for copying a pack value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + data: + created_at: '2025-02-26T13:37:30.452Z' + created_by: elastic + description: My pack + enabled: false + name: my_pack_copy + policy_ids: [] + queries: + - ecs_mapping: + - key: client.port + value: + field: port + id: ports + interval: 60 + query: SELECT * FROM listening_ports; + removed: false + snapshot: true + timeout: 120 + saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 + shards: [] + updated_at: '2025-02-26T13:37:30.452Z' + updated_by: elastic schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Delete assets for an input package + $ref: '#/components/schemas/Security_Osquery_API_CopyPacksResponse' + description: Indicates a successful call. 
+ summary: Copy a pack tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/{pkgName}/{pkgVersion}/dependencies: + - Security Osquery API + x-state: Generally available; Added in 9.4.0 + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/osquery/saved_queries: get: - description: >- - Get the list of packages that a specific package depends - on.

[Required authorization] Route required privileges: - integrations-read OR fleet-setup OR fleet-all. - operationId: get-fleet-epm-packages-pkgname-pkgversion-dependencies - parameters: - - description: Package name - in: path - name: pkgName - required: true + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/osquery/saved_queries
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all saved queries. + operationId: OsqueryFindSavedQueries + parameters: + - description: The page number to return. + in: query + name: page + required: false schema: - type: string - - description: Package version - in: path - name: pkgVersion - required: true + $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' + - description: The number of results to return per page. + in: query + name: pageSize + required: false schema: - type: string + $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' + - description: The field to sort results by. + in: query + name: sort + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' + - description: The sort order. + in: query + name: sortOrder + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' responses: '200': content: application/json: examples: - dependenciesResponse: - value: - items: - - name: aws - title: AWS - version: ^2.0.0 - - name: system - title: System - version: ^1.0.0 - noDependenciesResponse: + savedQueriesList: + summary: A list of saved queries value: - items: [] + data: + - created_at: '2025-02-26T13:37:30.452Z' + created_by: elastic + description: Saved query description + ecs_mapping: + host.uptime: + field: total_seconds + id: my_saved_query + interval: '60' + platform: linux,darwin + query: select * from uptime; + saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c + timeout: 120 + updated_at: '2025-02-26T13:37:30.452Z' + updated_by: elastic + page: 1 + per_page: 20 + total: 1 schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_get_dependencies_response - description: 'OK: A successful request.' - '400': + $ref: '#/components/schemas/Security_Osquery_API_FindSavedQueryResponse' + description: Indicates a successful call. 
+ summary: Get saved queries + tags: + - Security Osquery API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/osquery/saved_queries
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create and save a query for later use. + operationId: OsqueryCreateSavedQuery + requestBody: + content: + application/json: + examples: + createSavedQuery: + summary: Create a saved query + value: + description: Saved query description + ecs_mapping: + host.uptime: + field: total_seconds + id: my_saved_query + interval: '60' + platform: linux,darwin + query: select * from uptime; + timeout: 120 + schema: + $ref: '#/components/schemas/Security_Osquery_API_CreateSavedQueryRequestBody' + required: true + responses: + '200': content: application/json: examples: - packageNotFoundResponse: + savedQueryCreated: + summary: Saved query created value: - message: '[my-package-1.0.0] package not found in registry' + data: + created_at: '2025-02-26T13:37:30.452Z' + created_by: elastic + description: Saved query description + ecs_mapping: + host.uptime: + field: total_seconds + id: my_saved_query + interval: '60' + platform: linux,darwin + query: select * from uptime; + saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c + timeout: 120 + updated_at: '2025-02-26T13:37:30.452Z' + updated_by: elastic schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: A bad request. - summary: Get package dependencies + $ref: '#/components/schemas/Security_Osquery_API_CreateSavedQueryResponse' + description: Indicates a successful call. 
+ summary: Create a saved query tags: - - Elastic Package Manager (EPM) - x-state: Generally available - /api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets: + - Security Osquery API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/osquery/saved_queries/{id}: delete: - description: >- - Delete Kibana assets (dashboards, visualizations, etc.) for a specific - package version.

[Required authorization] Route required - privileges: integrations-all AND fleet-agent-policies-all. - operationId: delete-fleet-epm-packages-pkgname-pkgversion-kibana-assets + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/osquery/saved_queries/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a saved query using the query ID. + operationId: OsqueryDeleteSavedQuery parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Package name - in: path - name: pkgName - required: true - schema: - type: string - - description: Package version + - description: The saved query ID. in: path - name: pkgVersion + name: id required: true schema: - type: string + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' responses: '200': content: application/json: examples: - deleteKibanaAssetsExample: - description: Kibana assets successfully deleted - value: - items: - - id: dashboard-id-1 - type: dashboard + savedQueryDeleted: + summary: Saved query deleted (empty response body) + value: {} schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_install_kibana_assets_response - description: Successful response - '400': + $ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse' + description: Indicates a successful call. + summary: Delete a saved query + tags: + - Security Osquery API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/osquery/saved_queries/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the details of a saved query using the query ID. + operationId: OsqueryGetSavedQueryDetails + parameters: + - description: The saved query ID. + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + responses: + '200': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + savedQueryDetails: + summary: Saved query details value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + data: + created_at: '2025-02-26T13:37:30.452Z' + created_by: elastic + description: Saved query description + ecs_mapping: + host.uptime: + field: total_seconds + id: my_saved_query + interval: '60' + platform: linux,darwin + query: select * from uptime; + saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c + timeout: 120 + updated_at: '2025-02-26T13:37:30.452Z' + updated_by: elastic schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Delete Kibana assets for a package + $ref: '#/components/schemas/Security_Osquery_API_FindSavedQueryDetailResponse' + description: Indicates a successful call. + summary: Get saved query details tags: - - Elastic Package Manager (EPM) - post: - description: >- - Install Kibana assets (dashboards, visualizations, etc.) for a specific - package version.

[Required authorization] Route required - privileges: integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-pkgname-pkgversion-kibana-assets + - Security Osquery API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: | + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/osquery/saved_queries/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update a saved query using the query ID. + > info + > You cannot update a prebuilt saved query. + operationId: OsqueryUpdateSavedQuery parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Package name - in: path - name: pkgName - required: true - schema: - type: string - - description: Package version + - description: The saved query ID. in: path - name: pkgVersion + name: id required: true schema: - type: string + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' requestBody: content: application/json: examples: - postInstallKibanaAssetsRequestExample: - description: Install Kibana assets for a specific package version - value: {} + updateSavedQuery: + summary: Update a saved query + value: + description: Updated saved query description + id: my_saved_query + interval: '120' + platform: linux,darwin + query: select * from osquery_info; + timeout: 60 schema: - allOf: - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_install_kibana_assets_request - nullable: true + $ref: '#/components/schemas/Security_Osquery_API_UpdateSavedQueryRequestBody' + required: true responses: '200': content: application/json: examples: - postInstallKibanaAssetsExample: - description: Kibana assets successfully installed + savedQueryUpdated: + summary: Saved query updated value: - items: - - id: dashboard-id-1 - type: dashboard + data: + description: Updated saved query description + id: my_saved_query + interval: '120' + platform: linux,darwin + query: select * from osquery_info; + saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c + timeout: 60 + updated_at: '2025-02-27T10:00:00.000Z' + updated_by: elastic schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_install_kibana_assets_response - description: Successful response - 
'400': + $ref: '#/components/schemas/Security_Osquery_API_UpdateSavedQueryResponse' + description: Indicates a successful call. + summary: Update a saved query + tags: + - Security Osquery API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/osquery/saved_queries/{id}/copy: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/osquery/saved_queries/{id}/copy
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a copy of a saved query with a unique name by appending a `_copy` suffix. If the name already exists, a numeric suffix is added (e.g., `_copy_2`). + operationId: OsqueryCopySavedQuery + parameters: + - description: The ID of the saved query to copy. + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + responses: + '200': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + copySavedQueryExample: + summary: Example response for copying a saved query value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + data: + created_at: '2025-02-26T13:37:30.452Z' + created_by: elastic + description: Saved query description + ecs_mapping: + host.uptime: + field: total_seconds + id: my_saved_query_copy + interval: '60' + platform: linux,darwin + query: select * from uptime; + removed: false + saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c + snapshot: true + timeout: 120 + updated_at: '2025-02-26T13:37:30.452Z' + updated_by: elastic schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Install Kibana assets for a package + $ref: '#/components/schemas/Security_Osquery_API_CopySavedQueryResponse' + description: Indicates a successful call. + summary: Copy a saved query tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/{pkgName}/{pkgVersion}/rule_assets: - post: - description: >- - Install Kibana alert rule assets for a specific package - version.

[Required authorization] Route required privileges: - integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-pkgname-pkgversion-rule-assets + - Security Osquery API + x-state: Generally available; Added in 9.4.0 + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/osquery/scheduled_results/{scheduleId}/{executionCount}: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/osquery/scheduled_results/{scheduleId}/{executionCount}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get paginated per-agent action results for a specific scheduled query execution, with success/failure aggregation and execution metadata (pack name, query name/text, timestamp). + operationId: OsqueryGetScheduledActionResults parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Package name + - description: The schedule ID of the scheduled query. in: path - name: pkgName + name: scheduleId required: true schema: + description: The schedule ID of the scheduled query. + example: pack_my_pack_uptime type: string - - description: Package version + - description: The execution count for this scheduled query run. in: path - name: pkgVersion + name: executionCount required: true schema: - type: string - requestBody: - content: - application/json: - examples: - postInstallRuleAssetsRequestExample: - description: Install alert rule assets for a specific package version - value: {} - schema: - allOf: - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_install_rule_assets_request - nullable: true + description: The execution count for this scheduled query run. + example: 3 + type: integer + - description: The kuery to filter the results by. + in: query + name: kuery + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' + - description: The page number to return. The default is 1. + in: query + name: page + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' + - description: The number of results to return per page. The default is 20. + in: query + name: pageSize + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' + - description: The field that is used to sort the results. 
+ in: query + name: sort + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' + - description: Specifies the sort order. + in: query + name: sortOrder + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' responses: '200': content: application/json: examples: - postInstallRuleAssetsExample: - description: Rule assets successfully installed - value: - items: - - id: rule-asset-id-1 - type: security_rule - schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_install_kibana_assets_response - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response + scheduledActionResultsExample: + summary: Example scheduled action results response value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + aggregations: + failed: 1 + pending: 0 + successful: 9 + totalResponded: 10 + totalRowCount: 42 + currentPage: 0 + edges: + - _id: result-001 + fields: + agent_id: 16d7caf5-efd2-4212-9b62-73dafc91fa13 + rows_count: 5 + status: success + metadata: + executionCount: 3 + packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d + packName: My Pack + queryName: uptime + queryText: select * from uptime; + scheduleId: pack_my_pack_uptime + timestamp: '2024-07-26T09:00:00.000Z' + pageSize: 20 + total: 10 + totalPages: 1 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Install Kibana alert rule for a package + $ref: '#/components/schemas/Security_Osquery_API_GetScheduledActionResultsResponse' + description: Indicates a successful call. 
+ summary: Get scheduled action results tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/{pkgName}/{pkgVersion}/transforms/authorize: - post: - description: >- - Reauthorize Elasticsearch transforms installed by a package with - secondary authorization headers. - operationId: post-fleet-epm-packages-pkgname-pkgversion-transforms-authorize + - Security Osquery API + x-state: Generally available; Added in 9.4.0 + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/osquery/scheduled_results/{scheduleId}/{executionCount}/results: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/osquery/scheduled_results/{scheduleId}/{executionCount}/results
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get paginated query result rows (the actual osquery output data) for a specific scheduled query execution. + operationId: OsqueryGetScheduledQueryResults parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Package name + - description: The schedule ID of the scheduled query. in: path - name: pkgName + name: scheduleId required: true schema: + description: The schedule ID of the scheduled query. + example: pack_my_pack_uptime type: string - - description: Package version + - description: The execution count for this scheduled query run. in: path - name: pkgVersion + name: executionCount required: true schema: - type: string - - description: When true, allow prerelease versions + description: The execution count for this scheduled query run. + example: 3 + type: integer + - description: The kuery to filter the results by. in: query - name: prerelease + name: kuery required: false schema: - type: boolean + $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' + - description: The page number to return. The default is 1. + in: query + name: page + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' + - description: The number of results to return per page. The default is 20. + in: query + name: pageSize + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' + - description: The field that is used to sort the results. + in: query + name: sort + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' + - description: Specifies the sort order. 
+ in: query + name: sortOrder + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' + - description: The start date filter (ISO 8601) to narrow down results. + in: query + name: startDate + required: false + schema: + description: The start date filter (ISO 8601) to narrow down results. + example: '2024-01-01T00:00:00Z' + type: string + responses: + '200': + content: + application/json: + examples: + scheduledQueryResultsExample: + summary: Example scheduled query results response + value: + data: + edges: + - _id: row-001 + fields: + host.uptime: + - '12345' + - _id: row-002 + fields: + host.uptime: + - '67890' + total: 2 + schema: + $ref: '#/components/schemas/Security_Osquery_API_GetScheduledQueryResultsResponse' + description: Indicates a successful call. + summary: Get scheduled query results + tags: + - Security Osquery API + x-state: Generally available; Added in 9.4.0 + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/pinned_event: + patch: + description: |- + **Spaces method and path for this operation:** + +
patch /s/{space_id}/api/pinned_event
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Pin/unpin an event to/from an existing Timeline. + operationId: PersistPinnedEventRoute requestBody: content: application/json: examples: - postReauthorizeTransformsRequestExample: - description: Reauthorize transforms for a package + pinEvent: + summary: Pin an event value: - transforms: - - destinations: - - index: logs-transform-dest - transformId: logs-transform-1 + eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc + timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_reauthorize_transform_request + type: object + properties: + eventId: + description: The `_id` of the associated event for this pinned event. + example: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc + type: string + pinnedEventId: + description: The `savedObjectId` of the pinned event you want to unpin. + example: 10r1929b-0af7-42bd-85a8-56e234f98h2f3 + nullable: true + type: string + timelineId: + description: The `savedObjectId` of the timeline that you want this pinned event unpinned from. + example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + type: string + required: + - eventId + - timelineId + description: The pinned event to add or unpin, along with additional metadata. 
+ required: true responses: '200': content: application/json: examples: - postReauthorizeTransformsExample: - description: Transforms successfully reauthorized + pinnedSaved: + summary: Pinned event saved object value: - - success: true - transformId: logs-transform-1 + eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc + pinnedEventId: 10r1929b-0af7-42bd-85a8-56e234f98h2f3 + timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + version: WzQ2LDFe + unpinned: + summary: Unpin response + value: + unpinned: true schema: - items: - additionalProperties: false - type: object - properties: - error: - nullable: true - success: - type: boolean - transformId: - type: string - required: - - transformId - - success - - error - maxItems: 10000 - type: array - description: Successful response - '400': + $ref: '#/components/schemas/Security_Timeline_API_PersistPinnedEventResponse' + description: Indicates a successful call. + summary: Pin/unpin an event + tags: + - Security Timeline API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/risk_score/engine/dangerously_delete_data: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/risk_score/engine/dangerously_delete_data
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Cleaning up the the Risk Engine by removing the indices, mapping and transforms + operationId: CleanUpRiskEngine + responses: + '200': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + CleanUpRiskEngineResponse: + summary: Successful cleanup response value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + cleanup_successful: true schema: - additionalProperties: false - description: Generic Error type: object properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Authorize transforms + cleanup_successful: + type: boolean + description: Successful response + '400': + content: + application/json: + examples: + taskManagerUnavailable: + summary: Task manager is unavailable + value: + message: Task Manager is unavailable, but is required by the risk engine. Please enable the taskManager plugin and try again. + status_code: 400 + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse' + description: Task manager is unavailable + default: + content: + application/json: + examples: + cleanupFailed: + summary: Cleanup failed + value: + cleanup_successful: false + errors: + - error: Risk engine is disabled or deleted already. + seq: 1 + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_CleanUpRiskEngineErrorResponse' + description: Unexpected error + summary: Cleanup the Risk Engine tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/{pkgName}/review_upgrade: - post: - description: >- - Review and accept or reject a pending policy upgrade for a package that - contains deprecations.

[Required authorization] Route required - privileges: integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-pkgname-review-upgrade - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Package name to review upgrade for - in: path - name: pkgName - required: true - schema: - type: string + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/risk_score/engine/saved_object/configure: + patch: + description: |- + **Spaces method and path for this operation:** + +
patch /s/{space_id}/api/risk_score/engine/saved_object/configure
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Configuring the Risk Engine Saved Object + operationId: ConfigureRiskEngineSavedObject requestBody: content: application/json: examples: - acceptUpgrade: + ConfigureRiskEngineSavedObjectRequest: + summary: Configure the risk engine saved object value: - action: accept - target_version: 2.0.0 + enable_reset_to_zero: false + exclude_alert_statuses: + - closed + exclude_alert_tags: + - low-priority + filters: + - entity_types: + - host + - user + filter: 'host.name: *' + range: + end: now + start: now-30d schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_review_upgrade_request' + type: object + properties: + enable_reset_to_zero: + type: boolean + exclude_alert_statuses: + items: + type: string + type: array + exclude_alert_tags: + items: + type: string + type: array + filters: + items: + type: object + properties: + entity_types: + items: + enum: + - host + - user + - service + type: string + type: array + filter: + description: KQL filter string + type: string + required: + - entity_types + - filter + type: array + page_size: + description: | + Number of entities to score per page. Higher values reduce total scoring time by reducing the number of alert-index scans, but cannot exceed the ES|QL result limit (10,000 by default). + maximum: 10000 + minimum: 100 + type: integer + range: + type: object + properties: + end: + type: string + start: + type: string + required: true responses: '200': content: application/json: examples: - successResponse: + ConfigureRiskEngineSavedObjectResponse: + summary: Successful configuration response value: - success: true + risk_engine_saved_object_configured: true schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_review_upgrade_response' - description: 'OK: A successful request.' 
+ type: object + properties: + risk_engine_saved_object_configured: + type: boolean + description: Successful response '400': content: application/json: examples: - badRequestResponse: + taskManagerUnavailable: + summary: Task manager is unavailable value: - message: Bad Request + message: Task Manager is unavailable, but is required by the risk engine. Please enable the taskManager plugin and try again. + status_code: 400 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: A bad request. - summary: Review a pending policy upgrade for a package with deprecations + $ref: '#/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse' + description: Task manager is unavailable + default: + content: + application/json: + examples: + configureError: + summary: Configure saved object failed + value: + errors: + - error: Internal server error + seq: 1 + risk_engine_saved_object_configured: false + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_ConfigureRiskEngineSavedObjectErrorResponse' + description: Unexpected error + summary: Configure the Risk Engine Saved Object tags: - - Elastic Package Manager (EPM) - x-state: Generally available - /api/fleet/epm/packages/{pkgName}/rollback: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/risk_score/engine/schedule_now: post: - description: >- - Rollback a package to its previously installed - version.

[Required authorization] Route required privileges: - integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-pkgname-rollback - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Package name to roll back - in: path - name: pkgName - required: true - schema: - type: string + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/risk_score/engine/schedule_now
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Schedule the risk scoring engine to run as soon as possible. You can use this to recalculate entity risk scores after updating their asset criticality. + operationId: ScheduleRiskEngineNow + requestBody: + content: + application/json: + examples: + emptyRequest: + summary: No request body + value: {} + schema: + type: object responses: '200': content: application/json: examples: - successResponse: + ScheduleRiskEngineNowResponse: + summary: Successful schedule response value: success: true - version: 1.0.0 schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_rollback_package_response - description: 'OK: A successful request.' + $ref: '#/components/schemas/Security_Entity_Analytics_API_RiskEngineScheduleNowResponse' + description: Successful response '400': content: application/json: examples: - badRequestResponse: + taskManagerUnavailable: + summary: Task manager is unavailable value: - message: Bad Request + message: Task Manager is unavailable, but is required by the risk engine. Please enable the taskManager plugin and try again. + status_code: 400 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: A bad request. 
- summary: Rollback a package to previous version + $ref: '#/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse' + description: Task manager is unavailable + default: + content: + application/json: + examples: + scheduleNowError: + summary: Schedule now failed + value: + full_error: '{}' + message: Internal server error + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_RiskEngineScheduleNowErrorResponse' + description: Unexpected error + summary: Run the risk scoring engine tags: - - Elastic Package Manager (EPM) - x-state: Technical Preview - /api/fleet/epm/packages/{pkgName}/stats: - get: - description: >- - Get usage statistics for a specific package, such as the number of agent - policies using it.

[Required authorization] Route required - privileges: integrations-read OR fleet-setup OR fleet-all. - operationId: get-fleet-epm-packages-pkgname-stats + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/saved_objects/_export: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/saved_objects/_export
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve sets of saved objects that you want to import into Kibana. You must include `type` or `objects` in the request body. The output of exporting saved objects must be treated as opaque. Tampering with exported data risks introducing unspecified errors and data loss. + + Exported saved objects are not backwards compatible and cannot be imported into an older version of Kibana. + + NOTE: The exported saved objects include `coreMigrationVersion` and `typeMigrationVersion` metadata. If you store exported saved objects outside of Kibana (for example in NDJSON files) or generate them yourself, you must preserve or include these fields to retain forward compatibility across Kibana versions. + + NOTE: The `savedObjects.maxImportExportSize` configuration setting limits the number of saved objects which may be exported. + operationId: post-saved-objects-export parameters: - - description: Package name - in: path - name: pkgName + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: + example: 'true' type: string + requestBody: + content: + application/json: + examples: + exportSavedObjectsRequest: + summary: Export a specific saved object + value: + excludeExportDetails: true + includeReferencesDeep: false + objects: + - id: example-dashboard-1 + type: dashboard + schema: + additionalProperties: false + type: object + properties: + excludeExportDetails: + default: false + description: Do not add export details entry at the end of the stream. 
+ type: boolean + hasReference: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + type: + type: string + required: + - type + - id + - items: + additionalProperties: false + type: object + properties: + id: + type: string + type: + type: string + required: + - type + - id + maxItems: 100 + type: array + includeReferencesDeep: + default: false + description: Includes all of the referenced objects in the exported objects. + type: boolean + objects: + description: 'A list of objects to export. NOTE: this optional parameter cannot be combined with the `types` option' + items: + additionalProperties: false + type: object + properties: + id: + type: string + type: + type: string + required: + - type + - id + maxItems: 10000 + type: array + search: + description: Search for documents to export using the Elasticsearch Simple Query String syntax. + type: string + type: + anyOf: + - type: string + - items: + type: string + maxItems: 100 + type: array + description: The saved object types to include in the export. Use `*` to export all the types. Valid options depend on enabled plugins, but may include `visualization`, `dashboard`, `search`, `index-pattern`, `tag`, `config`, `config-global`, `lens`, `map`, `event-annotation-group`, `query`, `url`, `action`, `alert`, `alerting_rule_template`, `apm-indices`, `cases-user-actions`, `cases`, `cases-comments`, `infrastructure-monitoring-log-view`, `ml-trained-model`, `osquery-saved-query`, `osquery-pack`, `osquery-pack-asset`. 
responses: '200': content: - application/json: + application/x-ndjson: examples: - getPackageStatsExample: - description: Usage stats for a specific package - value: - response: - agent_policy_count: 3 - schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_get_stats_response' - description: Successful response + exportSavedObjectsResponse: + summary: The export response contains an NDJSON record for each exported object + value: | + {"id":"example-dashboard-1","type":"dashboard","attributes":{"title":"Example dashboard 1"},"references":[],"managed":false} + {"exportedCount":1,"missingRefCount":0,"missingReferences":[]} + schema: {} + description: Indicates a successfull call. '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequestResponse: + summary: A bad request error value: error: Bad Request - message: An error message describing what went wrong + message: 'Either `type` or `objects` are required.: Bad Request' statusCode: 400 schema: additionalProperties: false - description: Generic Error + description: Indicates an unsuccessful response. type: object properties: - attributes: - nullable: true error: type: string - errorType: - type: string message: type: string statusCode: - type: number + enum: + - 400 + type: integer required: + - error - message - - attributes - description: Bad Request - summary: Get package stats + - statusCode + description: Bad request. + summary: Export saved objects tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/installed: - get: - description: >- - Get a list of all currently installed integration - packages.

[Required authorization] Route required privileges: - integrations-read OR fleet-setup OR fleet-all. - operationId: get-fleet-epm-packages-installed + - saved objects + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/saved_objects/_export" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{"objects":[{"type":"dashboard","id":"example-dashboard-1"}],"includeReferencesDeep":false,"excludeExportDetails":true}' + - lang: Console + source: | + POST kbn://api/saved_objects/_export + {"objects":[{"type":"dashboard","id":"example-dashboard-1"}],"includeReferencesDeep":false,"excludeExportDetails":true} + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/saved_objects/_import: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/saved_objects/_import
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create sets of Kibana saved objects from a file created by the export API. Saved objects can only be imported into the same version, a newer minor on the same major, or the next major. Tampering with exported data risks introducing unspecified errors and data loss. + + Exported saved objects are not backwards compatible and cannot be imported into an older version of Kibana. + + NOTE: The exported saved objects include `coreMigrationVersion` and `typeMigrationVersion` metadata. If you store exported saved objects outside of Kibana (for example in NDJSON files) or generate them yourself, you must preserve or include these fields to retain forwards compatibility across Kibana versions. + operationId: post-saved-objects-import parameters: - - description: Filter by data stream type - in: query - name: dataStreamType - required: false + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - enum: - - logs - - metrics - - traces - - synthetics - - profiling + example: 'true' type: string - - description: When true, only return packages with active data streams + - description: 'Overwrites saved objects when they already exist. When used, potential conflict errors are automatically resolved by overwriting the destination object. NOTE: This option cannot be used with the `createNewCopies` option.' 
in: query - name: showOnlyActiveDataStreams + name: overwrite required: false schema: + default: false type: boolean - - description: Filter packages by name - in: query - name: nameQuery - required: false - schema: - type: string - - description: Sort values from the previous page for `search_after` pagination - in: query - name: searchAfter - required: false - schema: - items: - anyOf: - - type: string - - type: number - maxItems: 10 - type: array - - description: Number of results per page + - description: 'Creates copies of saved objects, regenerates each object ID, and resets the origin. When used, potential conflict errors are avoided. NOTE: This option cannot be used with the `overwrite` and `compatibilityMode` options.' in: query - name: perPage + name: createNewCopies required: false schema: - default: 15 - type: number - - description: Sort order, ascending or descending + default: false + type: boolean + - description: 'Applies various adjustments to the saved objects that are being imported to maintain compatibility between different Kibana versions. Use this option only if you encounter issues with imported saved objects. NOTE: This option cannot be used with the `createNewCopies` option.' in: query - name: sortOrder + name: compatibilityMode required: false schema: - default: asc - enum: - - asc - - desc - type: string + default: false + type: boolean + requestBody: + content: + multipart/form-data: + examples: + importObjectsRequest: + summary: Import saved objects from an NDJSON file + value: + file: file.ndjson + schema: + additionalProperties: false + type: object + properties: + file: + description: 'A file exported using the export API. Changing the contents of the exported file in any way before importing it can cause errors, crashes or data loss. NOTE: The `savedObjects.maxImportExportSize` configuration setting limits the number of saved objects which may be included in this file. 
Similarly, the `savedObjects.maxImportPayloadBytes` setting limits the overall size of the file that can be imported.' + type: object + required: + - file responses: '200': content: application/json: examples: - getInstalledPackagesExample: - description: List of installed integration packages + importObjectsResponse: + summary: A successful import response value: - items: - - name: system - status: installed - title: System - version: 1.55.0 - - name: elastic_agent - status: installed - title: Elastic Agent - version: 1.15.0 - searchExcluded: 0 - total: 2 + errors: [] + success: true + successCount: 1 + successResults: + - destinationId: example-dashboard-1-copy + id: example-dashboard-1 + managed: false + type: dashboard schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_get_installed_packages_response - description: Successful response + additionalProperties: false + type: object + properties: + errors: + description: |- + Indicates the import was unsuccessful and specifies the objects that failed to import. + + NOTE: One object may result in multiple errors, which requires separate steps to resolve. For instance, a `missing_references` error and conflict error. + items: + additionalProperties: true + type: object + properties: {} + type: array + success: + description: Indicates when the import was successfully completed. When set to false, some objects may not have been created. For additional information, refer to the `errors` and `successResults` properties. + type: boolean + successCount: + description: Indicates the number of successfully imported records. + type: number + successResults: + description: |- + Indicates the objects that are successfully imported, with any metadata if applicable. + + NOTE: Objects are created only when all resolvable errors are addressed, including conflicts and missing references. If objects are created as new copies, each entry in the `successResults` array includes a `destinationId` attribute. 
+ items: + additionalProperties: true + type: object + properties: {} + type: array + required: + - success + - successCount + - errors + - successResults + description: Indicates a successful call. '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequestResponse: + summary: A bad request error value: error: Bad Request - message: An error message describing what went wrong + message: Invalid file extension .txt statusCode: 400 schema: additionalProperties: false - description: Generic Error + description: Indicates an unsuccessful response. type: object properties: - attributes: - nullable: true error: type: string - errorType: - type: string message: type: string statusCode: - type: number + enum: + - 400 + type: integer required: + - error - message - - attributes - description: Bad Request - summary: Get installed packages + - statusCode + description: Bad request. + summary: Import saved objects tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/limited: - get: - description: >- - Get the list of packages that cannot be uninstalled (e.g. elastic_agent, - fleet_server).

[Required authorization] Route required - privileges: integrations-read OR fleet-setup OR fleet-all. - operationId: get-fleet-epm-packages-limited - parameters: [] + - saved objects + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/saved_objects/_import?createNewCopies=true" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + --form file=@file.ndjson + - lang: Console + source: | + POST kbn://api/saved_objects/_import?createNewCopies=true + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/saved_objects/_resolve_import_errors: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/saved_objects/_resolve_import_errors
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + To resolve errors from the import objects API, you can retry certain saved objects, overwrite specific saved objects, and change references to different saved objects + operationId: post-saved-objects-resolve-import-errors + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Creates copies of saved objects, regenerates each object ID, and resets the origin. + in: query + name: createNewCopies + required: false + schema: + default: false + type: boolean + - description: Applies adjustments to maintain compatibility between different Kibana versions. + in: query + name: compatibilityMode + required: false + schema: + default: false + type: boolean + requestBody: + content: + multipart/form-data: + examples: + resolveImportErrorsRequest: + summary: Resolve import errors by retrying objects + value: + file: file.ndjson + retries: + - id: example-dashboard-1 + overwrite: true + replaceReferences: [] + type: dashboard + schema: + additionalProperties: false + type: object + properties: + file: + type: object + retries: + items: + additionalProperties: false + type: object + properties: + createNewCopy: + type: boolean + destinationId: + type: string + id: + type: string + ignoreMissingReferences: + type: boolean + overwrite: + default: false + type: boolean + replaceReferences: + default: [] + items: + additionalProperties: false + type: object + properties: + from: + type: string + to: + type: string + type: + type: string + required: + - type + - from + - to + maxItems: 100 + type: array + type: + type: string + required: + - type + - id + maxItems: 10000 + type: array + required: + - file + - retries responses: '200': content: application/json: examples: - getLimitedPackagesExample: - description: List of packages that cannot be 
uninstalled + resolveImportErrorsResponse: + summary: A successful resolve import errors response value: - items: - - elastic_agent - - fleet_server + errors: [] + success: true + successCount: 1 + successResults: + - id: example-dashboard-1 + managed: false + type: dashboard + description: A successful resolve import errors response. + '400': + content: + application/json: + examples: + badRequestResponse: + summary: A bad request error + value: + error: Bad Request + message: Invalid file extension .txt + statusCode: 400 + description: A bad request. + summary: Resolve import errors + tags: + - saved objects + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/saved_objects/_resolve_import_errors" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + --form file=@file.ndjson \ + --form retries='[{"type":"dashboard","id":"example-dashboard-1","overwrite":true,"replaceReferences":[]}]' + - lang: Console + source: | + POST kbn://api/saved_objects/_resolve_import_errors + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security_ai_assistant/anonymization_fields/_bulk_action: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/security_ai_assistant/anonymization_fields/_bulk_action
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Apply a bulk action to multiple anonymization fields. The bulk action is applied to all anonymization fields that match the filter or to the list of anonymization fields by their IDs. + operationId: PerformAnonymizationFieldsBulkAction + requestBody: + content: + application/json: + examples: + PerformAnonymizationFieldsBulkActionRequest: + value: + create: + - allowed: true + anonymized: false + field: host.name + - allowed: false + anonymized: true + field: user.name + delete: + ids: + - field5 + - field6 + query: 'field: host.name' + update: + - allowed: true + anonymized: false + id: field8 + - allowed: false + anonymized: true + id: field9 + schema: + example: + create: + - allowed: true + anonymized: false + field: host.name + - allowed: false + anonymized: true + field: user.name + delete: + ids: + - field5 + - field6 + query: 'field: host.name' + update: + - allowed: true + anonymized: false + id: field8 + - allowed: false + anonymized: true + id: field9 + type: object + properties: + create: + description: Array of anonymization fields to create. + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldCreateProps' + type: array + delete: + description: Object containing the query to filter anonymization fields and/or an array of anonymization field IDs to delete. + type: object + properties: + ids: + description: Array of IDs to apply the action to. + example: + - '1234' + - '5678' + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter the bulk action. + example: 'status: ''inactive''' + type: string + update: + description: Array of anonymization fields to update. 
+ items: + $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldUpdateProps' + type: array + responses: + '200': + content: + application/json: + examples: + PerformAnonymizationFieldsBulkActionResponse200Example: + value: + anonymization_fields_count: 4 + attributes: + results: + created: + - allowed: false + anonymized: true + createdAt: '2023-10-31T12:00:00Z' + createdBy: user1 + field: host.name + id: field2 + namespace: default + timestamp: '2023-10-31T12:00:00Z' + updatedAt: '2023-10-31T12:00:00Z' + updatedBy: user1 + deleted: + - field3 + skipped: + - id: field4 + name: user.name + skip_reason: ANONYMIZATION_FIELD_NOT_MODIFIED + updated: + - allowed: true + anonymized: false + createdAt: '2023-10-31T12:00:00Z' + createdBy: user1 + field: url.domain + id: field8 + namespace: default + timestamp: '2023-10-31T12:00:00Z' + updatedAt: '2023-10-31T12:00:00Z' + updatedBy: user1 + summary: + failed: 0 + skipped: 1 + succeeded: 3 + total: 4 + message: Bulk action completed successfully + status_code: 200 + success: true schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_get_limited_packages_response - description: Successful response + $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResponse' + description: Indicates a successful call. '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + PerformAnonymizationFieldsBulkActionResponse400Example: value: error: Bad Request - message: An error message describing what went wrong + message: Invalid request body statusCode: 400 schema: - additionalProperties: false - description: Generic Error type: object properties: - attributes: - nullable: true error: - type: string - errorType: + description: Error type or name. type: string message: + description: Detailed error message. type: string statusCode: + description: Status code of the response. 
type: number - required: - - message - - attributes - description: Bad Request - summary: Get a limited package list + description: Bad Request response. + summary: Apply a bulk action to anonymization fields tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs: + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request POST 'http://localhost:5601/api/security_ai_assistant/anonymization_fields/_bulk_action' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" \ + --data '{"create":[{"field":"host.name","allowed":true,"anonymized":false}]}' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security_ai_assistant/anonymization_fields/_find: get: - description: >- - Get an inputs template for a package, used to pre-populate package - policy forms.

[Required authorization] Route required - privileges: integrations-read OR fleet-setup OR fleet-all. - operationId: get-fleet-epm-templates-pkgname-pkgversion-inputs + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/security_ai_assistant/anonymization_fields/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all anonymization fields. + operationId: FindAnonymizationFields parameters: - - description: Package name - in: path - name: pkgName - required: true + - description: Fields to return + example: + - id + - field + - anonymized + - allowed + in: query + name: fields + required: false schema: - type: string - - description: Package version - in: path - name: pkgVersion - required: true + items: + type: string + type: array + - description: Search query + example: 'field: "user.name"' + in: query + name: filter + required: false schema: type: string - - description: 'Output format for the inputs template: json, yml, or yaml' + - description: Field to sort by + example: created_at in: query - name: format + name: sort_field required: false schema: - default: json - enum: - - json - - yml - - yaml - type: string - - description: When true, allow prerelease versions + $ref: '#/components/schemas/Security_AI_Assistant_API_FindAnonymizationFieldsSortField' + - description: Sort order + example: asc in: query - name: prerelease + name: sort_order required: false schema: - type: boolean - - description: >- - When true, return inputs even if the package signature cannot be - verified + $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' + - description: Page number + example: 1 in: query - name: ignoreUnverified + name: page required: false schema: - type: boolean - responses: - '200': - content: - application/json: - examples: - getInputsTemplateExample: - description: Inputs template for a package - value: - inputs: - - description: Collect logs from log files - title: Collect logs from files - type: logfile - vars: - - name: paths - required: true - title: Paths - type: text - schema: - anyOf: - - type: string - - $ref: '#/components/schemas/Kibana_HTTP_APIs_get_inputs_response' - description: Successful response - '400': + default: 1 + 
minimum: 1 + type: integer + - description: AnonymizationFields per page + example: 20 + in: query + name: per_page + required: false + schema: + default: 20 + minimum: 0 + type: integer + - description: If true, additionally fetch all anonymization fields, otherwise fetch only the provided page + in: query + name: all_data + required: false + schema: + type: boolean + responses: + '200': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + FindAnonymizationFieldsResponse200Example: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + aggregations: + field_status: + buckets: + allowed: + doc_count: 1 + anonymized: + doc_count: 1 + denied: + doc_count: 1 + all: + - allowed: true + anonymized: true + createdAt: '2023-10-31T12:00:00Z' + createdBy: user1 + field: user.name + id: '1' + namespace: default + timestamp: '2023-10-31T12:00:00Z' + updatedAt: '2023-10-31T12:00:00Z' + updatedBy: user1 + data: + - allowed: true + anonymized: true + createdAt: '2023-10-31T12:00:00Z' + createdBy: user1 + field: user.name + id: '1' + namespace: default + timestamp: '2023-10-31T12:00:00Z' + updatedAt: '2023-10-31T12:00:00Z' + updatedBy: user1 + page: 1 + perPage: 20 + total: 100 schema: - additionalProperties: false - description: Generic Error type: object properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number + aggregations: + type: object + properties: + field_status: + type: object + properties: + buckets: + type: object + properties: + allowed: + type: object + properties: + doc_count: + default: 0 + type: integer + anonymized: + type: object + properties: + doc_count: + default: 0 + type: integer + denied: + type: object + properties: + doc_count: + default: 0 + type: integer + all: + items: + $ref: 
'#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse' + type: array + data: + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse' + type: array + page: + type: integer + perPage: + type: integer + total: + type: integer required: - - message - - attributes - description: Bad Request - summary: Get an inputs template - tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/verification_key_id: - get: - description: >- - Get the GPG key ID used to verify the signatures of packages from the - Elastic Package Registry.

[Required authorization] Route - required privileges: integrations-read OR fleet-setup OR fleet-all. - operationId: get-fleet-epm-verification-key-id - parameters: [] - responses: - '200': - content: - application/json: - examples: - getVerificationKeyIdExample: - description: The GPG key ID used to verify package signatures - value: - id: D27D666CD88E42B4 - schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_get_verification_key_id_response - description: Successful response + - page + - perPage + - total + - data + description: Indicates a successful call. '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + FindAnonymizationFieldsResponse400Example: value: error: Bad Request - message: An error message describing what went wrong + message: Invalid request parameters statusCode: 400 schema: - additionalProperties: false - description: Generic Error type: object properties: - attributes: - nullable: true error: type: string - errorType: - type: string message: type: string statusCode: type: number - required: - - message - - attributes - description: Bad Request - summary: Get a package signature verification key ID + description: Bad Request response. + summary: Get anonymization fields tags: - - Elastic Package Manager (EPM) - /api/fleet/fleet_server_hosts: - get: - description: >- - List all Fleet Server hosts.

[Required authorization] Route - required privileges: fleet-agents-all OR fleet-settings-read. - operationId: get-fleet-fleet-server-hosts - parameters: [] + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request GET 'http://localhost:5601/api/security_ai_assistant/anonymization_fields/_find?page=1&per_page=20' \ + --header "Authorization: $API_KEY" + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security_ai_assistant/chat/complete: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/security_ai_assistant/chat/complete
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a model response for the given chat conversation. + operationId: ChatComplete + parameters: + - description: If true, the response will not include content references. + example: false + in: query + name: content_references_disabled + required: false + schema: + default: false + type: boolean + requestBody: + content: + application/json: + examples: + ChatCompleteRequest: + value: + connectorId: conn-001 + conversationId: abc123 + isStream: true + langSmithApiKey: + langSmithProject: security_ai_project + messages: + - content: What are some common phishing techniques? + data: + user_id: user_789 + fields_to_anonymize: + - user.name + - source.ip + role: user + model: gpt-4 + persist: true + promptId: prompt_456 + responseLanguage: en + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_ChatCompleteProps' + required: true responses: '200': content: - application/json: + application/octet-stream: examples: - getFleetServerHostsExample: - description: List of Fleet Server hosts - value: - items: - - host_urls: - - https://fleet-server.example.com:8220 - id: fleet-server-host-id-1 - is_default: true - is_preconfigured: false - name: Default Fleet Server - page: 1 - perPage: 20 - total: 1 + ChatCompleteResponse200Example: + value: (streaming binary response) schema: - additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: false - type: object - properties: - host_urls: - items: - type: string - maxItems: 10 - minItems: 1 - type: array - id: - type: string - is_default: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: - default: false - type: boolean - name: - type: string - proxy_id: - nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - ssl: - additionalProperties: false - type: object - properties: - agent_key: - 
anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - es_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - nullable: true - type: object - properties: - agent_certificate: - type: string - agent_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - agent_key: - type: string - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - client_auth: - enum: - - optional - - required - - none - type: string - es_certificate: - type: string - es_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - es_key: - type: string - key: - type: string - required: - - name - - host_urls - - id - maxItems: 10000 - type: array - page: - type: number - perPage: - type: number - total: - type: number - required: - - items - - total - - page - - perPage - description: Successful response + format: binary + type: string + description: Indicates a successful model response call. '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + ChatCompleteResponse400Example: value: error: Bad Request - message: An error message describing what went wrong + message: Invalid request payload. statusCode: 400 schema: - additionalProperties: false - description: Generic Error type: object properties: - attributes: - nullable: true error: - type: string - errorType: + description: Error type. + example: Bad Request type: string message: + description: Human-readable error message. + example: Invalid request payload. type: string statusCode: + description: HTTP status code. 
+ example: 400 type: number - required: - - message - - attributes - description: Bad Request - summary: Get Fleet Server hosts + description: Bad Request response. + summary: Create a model response tags: - - Fleet Server hosts - post: - description: >- - Create a new Fleet Server host.

[Required authorization] Route - required privileges: fleet-settings-all. - operationId: post-fleet-fleet-server-hosts - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request POST 'http://localhost:5601/api/security_ai_assistant/chat/complete' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" \ + --data '{"connectorId":"conn-001","persist":true,"messages":[{"role":"user","content":"What are common phishing techniques?"}]}' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security_ai_assistant/current_user/conversations: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/security_ai_assistant/current_user/conversations
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + This endpoint allows users to permanently delete all conversations. + operationId: DeleteAllConversations requestBody: content: application/json: examples: - postFleetServerHostRequestExample: - description: Create a new Fleet Server host + DeleteAllConversationsRequest: value: - host_urls: - - https://fleet-server.example.com:8220 - is_default: false - name: My Fleet Server + excludedIds: + - abc123 + - def456 schema: - additionalProperties: false type: object properties: - host_urls: - items: - type: string - maxItems: 10 - minItems: 1 - type: array - id: - type: string - is_default: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: - default: false - type: boolean - name: - type: string - proxy_id: - nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - ssl: - additionalProperties: false - type: object - properties: - agent_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - es_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - nullable: true - type: object - properties: - agent_certificate: - type: string - agent_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - agent_key: - type: string - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - client_auth: - enum: - - optional - - required - - none - type: string - es_certificate: - type: string - es_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - es_key: - type: string - key: - 
type: string - required: - - name - - host_urls + excludedIds: + description: Optional list of conversation IDs to delete. + example: + - abc123 + - def456 + items: + type: string + type: array + required: false responses: '200': content: application/json: examples: - postFleetServerHostExample: - description: The created Fleet Server host + DeleteAllConversationsResponse200Example: value: - item: - host_urls: - - https://fleet-server.example.com:8220 - id: fleet-server-host-id-2 - is_default: false - is_preconfigured: false - name: My Fleet Server + failures: [] + success: true + totalDeleted: 10 schema: - additionalProperties: false type: object properties: - item: - additionalProperties: false - type: object - properties: - host_urls: - items: - type: string - maxItems: 10 - minItems: 1 - type: array - id: - type: string - is_default: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: - default: false - type: boolean - name: - type: string - proxy_id: - nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - ssl: - additionalProperties: false - type: object - properties: - agent_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - es_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - nullable: true - type: object - properties: - agent_certificate: - type: string - agent_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - agent_key: - type: string - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - client_auth: - enum: - - optional - - required - - none - type: string - 
es_certificate: - type: string - es_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - es_key: - type: string - key: - type: string - required: - - name - - host_urls - - id - required: - - item - description: Successful response + failures: + items: + type: string + type: array + success: + example: true + type: boolean + totalDeleted: + example: 10 + type: number + description: Indicates a successful call. The conversations were deleted successfully. '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + DeleteAllConversationsResponse400Example: value: error: Bad Request - message: An error message describing what went wrong + message: Invalid conversation ID statusCode: 400 schema: - additionalProperties: false - description: Generic Error type: object properties: - attributes: - nullable: true error: - type: string - errorType: + example: Bad Request type: string message: + example: Invalid conversation ID type: string statusCode: + example: 400 type: number - required: - - message - - attributes - description: Bad Request - summary: Create a Fleet Server host + description: Bad Request response. + summary: Delete conversations tags: - - Fleet Server hosts - /api/fleet/fleet_server_hosts/{itemId}: - delete: - description: >- - Delete a Fleet Server host by ID.

[Required authorization] - Route required privileges: fleet-settings-all. - operationId: delete-fleet-fleet-server-hosts-itemid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The ID of the Fleet Server host - in: path - name: itemId - required: true - schema: - type: string + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request DELETE 'http://localhost:5601/api/security_ai_assistant/current_user/conversations' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" \ + --data '{"excludedIds":["abc123"]}' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/security_ai_assistant/current_user/conversations
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new Security AI Assistant conversation. This endpoint allows the user to initiate a conversation with the Security AI Assistant by providing the required parameters. + operationId: CreateConversation + requestBody: + content: + application/json: + examples: + CreateConversationRequest: + value: + apiConfig: + actionTypeId: '67890' + connectorId: '12345' + category: assistant + excludeFromLastConversationStorage: false + messages: + - content: Hello, how can I assist you today? + role: system + timestamp: '2023-10-31T12:00:00Z' + replacements: {} + title: Security Discussion + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationCreateProps' + required: true responses: '200': content: application/json: examples: - deleteFleetServerHostExample: - description: The Fleet Server host was successfully deleted + CreateConversationResponse200Example: value: - id: fleet-server-host-id-1 + apiConfig: + actionTypeId: '67890' + connectorId: '12345' + category: assistant + createdAt: '2023-10-31T12:01:00Z' + createdBy: + id: user1 + name: John Doe + excludeFromLastConversationStorage: false + id: abc123 + messages: + - content: Hello, how can I assist you today? + role: system + timestamp: '2023-10-31T12:00:00Z' + namespace: default + replacements: {} + title: Security Discussion + updatedAt: '2023-10-31T12:01:00Z' + users: + - id: user1 + name: John Doe schema: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - description: Successful response + $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse' + description: Indicates a successful call. The conversation was created successfully. 
'400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + CreateConversationResponse400Example: value: error: Bad Request - message: An error message describing what went wrong + message: 'Missing required parameter: title' statusCode: 400 schema: - additionalProperties: false - description: Generic Error type: object properties: - attributes: - nullable: true error: - type: string - errorType: + example: Bad Request type: string message: + example: 'Missing required parameter: title' type: string statusCode: + example: 400 type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No Fleet Server host was found with the given ID - value: - error: Not Found - message: Fleet server fleet-server-host-id-1 not found - statusCode: 404 - description: Not Found - summary: Delete a Fleet Server host + description: Bad Request response. + summary: Create a conversation tags: - - Fleet Server hosts + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request POST 'http://localhost:5601/api/security_ai_assistant/current_user/conversations' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" \ + --data '{"title":"Security Discussion","category":"assistant","messages":[{"content":"Hello","role":"system","timestamp":"2023-10-31T12:00:00Z"}],"apiConfig":{"connectorId":"12345","actionTypeId":"67890"},"replacements":{},"excludeFromLastConversationStorage":false}' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security_ai_assistant/current_user/conversations/_find: get: - description: >- - Get a Fleet Server host by ID.

[Required authorization] Route - required privileges: fleet-settings-read. - operationId: get-fleet-fleet-server-hosts-itemid + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/security_ai_assistant/current_user/conversations/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all conversations for the current user. This endpoint allows users to search, filter, sort, and paginate through their conversations. + operationId: FindConversations parameters: - - description: The ID of the Fleet Server host - in: path - name: itemId - required: true + - description: A list of fields to include in the response. If omitted, all fields are returned. + in: query + name: fields + required: false + schema: + example: + - id + - title + - createdAt + items: + type: string + type: array + - description: A search query to filter the conversations. Can match against titles, messages, or other conversation attributes. + in: query + name: filter + required: false schema: + example: Security Issue type: string + - description: The field by which to sort the results. Valid fields are `created_at`, `title`, and `updated_at`. + in: query + name: sort_field + required: false + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_FindConversationsSortField' + example: created_at + - description: The order in which to sort the results. Can be either `asc` for ascending or `desc` for descending. + in: query + name: sort_order + required: false + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' + example: desc + - description: The page number of the results to retrieve. Default is 1. + in: query + name: page + required: false + schema: + default: 1 + example: 1 + minimum: 1 + type: integer + - description: The number of conversations to return per page. Default is 20. + in: query + name: per_page + required: false + schema: + default: 20 + example: 20 + minimum: 0 + type: integer + - description: Whether to return conversations that the current user owns. If true, only conversations owned by the user are returned. 
+ in: query + name: is_owner + required: false + schema: + default: false + example: true + type: boolean responses: '200': content: application/json: examples: - getFleetServerHostExample: - description: A Fleet Server host + FindConversationsResponse200Example: value: - item: - host_urls: - - https://fleet-server.example.com:8220 - id: fleet-server-host-id-1 - is_default: true - is_preconfigured: false - name: Default Fleet Server + data: + - category: assistant + createdAt: '2023-10-31T12:00:00Z' + createdBy: + id: user1 + name: John Doe + excludeFromLastConversationStorage: false + id: conv-abc123 + messages: [] + namespace: default + replacements: {} + title: Security Discussion + updatedAt: '2023-10-31T12:05:00Z' + users: + - id: user1 + name: John Doe + page: 1 + perPage: 20 + total: 5 schema: - additionalProperties: false type: object properties: - item: - additionalProperties: false - type: object - properties: - host_urls: - items: - type: string - maxItems: 10 - minItems: 1 - type: array - id: - type: string - is_default: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: - default: false - type: boolean - name: - type: string - proxy_id: - nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - ssl: - additionalProperties: false - type: object - properties: - agent_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - es_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - nullable: true - type: object - properties: - agent_certificate: - type: string - agent_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - agent_key: - 
type: string - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - client_auth: - enum: - - optional - - required - - none - type: string - es_certificate: - type: string - es_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - es_key: - type: string - key: - type: string - required: - - name - - host_urls - - id + data: + description: A list of conversations. + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse' + type: array + page: + description: The current page of the results. + example: 1 + type: integer + perPage: + description: The number of results returned per page. + example: 20 + type: integer + total: + description: The total number of conversations matching the filter criteria. + example: 100 + type: integer required: - - item - description: Successful response + - page + - perPage + - total + - data + description: Successful response, returns a paginated list of conversations matching the specified criteria. + '400': + content: + application/json: + examples: + FindConversationsResponse400Example: + value: + error: Bad Request + message: Invalid filter parameter. + statusCode: 400 + schema: + type: object + properties: + error: + example: Bad Request + type: string + message: + example: Invalid filter query parameter + type: string + statusCode: + example: 400 + type: number + description: Bad Request response. + summary: Get conversations + tags: + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request GET 'http://localhost:5601/api/security_ai_assistant/current_user/conversations/_find?page=1&per_page=20' \ + --header "Authorization: $API_KEY" + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security_ai_assistant/current_user/conversations/{id}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/security_ai_assistant/current_user/conversations/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete an existing conversation using the conversation ID. This endpoint allows users to permanently delete a conversation. + operationId: DeleteConversation + parameters: + - description: The conversation's `id` value. + example: abc123 + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + responses: + '200': + content: + application/json: + examples: + DeleteConversationResponse200Example: + value: + apiConfig: + actionTypeId: '67890' + connectorId: '12345' + category: assistant + createdAt: '2023-10-31T12:01:00Z' + createdBy: + id: user1 + name: John Doe + excludeFromLastConversationStorage: false + id: abc123 + messages: + - content: The conversation has been deleted. + role: system + timestamp: '2023-10-31T12:35:00Z' + namespace: default + replacements: {} + title: Deleted Security Discussion + updatedAt: '2023-10-31T12:01:00Z' + users: + - id: user1 + name: John Doe + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse' + description: Indicates a successful call. The conversation was deleted successfully. '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + DeleteConversationResponse400Example: value: error: Bad Request - message: An error message describing what went wrong + message: Invalid conversation ID statusCode: 400 schema: - additionalProperties: false - description: Generic Error type: object properties: - attributes: - nullable: true error: - type: string - errorType: + example: Bad Request type: string message: + example: Invalid conversation ID type: string statusCode: + example: 400 type: number - required: - - message - - attributes - description: Bad Request - '404': + description: Bad Request response. 
+ summary: Delete a conversation + tags: + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request DELETE 'http://localhost:5601/api/security_ai_assistant/current_user/conversations/abc123' \ + --header "Authorization: $API_KEY" + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/security_ai_assistant/current_user/conversations/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the details of an existing conversation using the conversation ID. This allows users to fetch the specific conversation data by its unique ID. + operationId: ReadConversation + parameters: + - description: The conversation's `id` value, a unique identifier for the conversation. + example: abc123 + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + responses: + '200': content: application/json: examples: - notFoundExample: - description: No Fleet Server host was found with the given ID + ReadConversationResponse200Example: value: - error: Not Found - message: Fleet server fleet-server-host-id-1 not found - statusCode: 404 - description: Not Found - summary: Get a Fleet Server host + apiConfig: + actionTypeId: '67890' + connectorId: '12345' + category: assistant + createdAt: '2023-10-31T12:01:00Z' + createdBy: + id: user1 + name: John Doe + excludeFromLastConversationStorage: false + id: abc123 + messages: + - content: Hello, how can I assist you today? + role: system + timestamp: '2023-10-31T12:00:00Z' + namespace: default + replacements: {} + title: Security Discussion + updatedAt: '2023-10-31T12:01:00Z' + users: + - id: user1 + name: John Doe + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse' + description: Indicates a successful call. The conversation details are returned. + '400': + content: + application/json: + examples: + ReadConversationResponse400Example: + value: + error: Bad Request + message: Invalid conversation ID + statusCode: 400 + schema: + type: object + properties: + error: + example: Bad Request + type: string + message: + example: Invalid conversation ID + type: string + statusCode: + example: 400 + type: number + description: Bad Request response. 
+ summary: Get a conversation tags: - - Fleet Server hosts + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request GET 'http://localhost:5601/api/security_ai_assistant/current_user/conversations/abc123' \ + --header "Authorization: $API_KEY" + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name put: - description: >- - Update a Fleet Server host by ID.

[Required authorization] - Route required privileges: fleet-settings-all. - operationId: put-fleet-fleet-server-hosts-itemid + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/security_ai_assistant/current_user/conversations/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an existing conversation using the conversation ID. This endpoint allows users to modify the details of an existing conversation. + operationId: UpdateConversation parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The ID of the Fleet Server host + - description: The conversation's `id` value. + example: abc123 in: path - name: itemId + name: id required: true schema: - type: string + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' requestBody: content: application/json: examples: - putFleetServerHostRequestExample: - description: Update a Fleet Server host + UpdateConversationRequest: value: - host_urls: - - https://updated-fleet-server.example.com:8220 - is_default: false - name: Updated Fleet Server + apiConfig: + actionTypeId: '09876' + connectorId: '54321' + category: insights + excludeFromLastConversationStorage: true + messages: + - content: The issue was resolved. 
+ role: assistant + timestamp: '2023-10-31T12:30:00Z' + replacements: {} + title: Updated Security Discussion schema: - additionalProperties: false - type: object - properties: - host_urls: - items: - type: string - maxItems: 10 - minItems: 1 - type: array - is_default: - type: boolean - is_internal: - type: boolean - name: - type: string - proxy_id: - nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - ssl: - additionalProperties: false - type: object - properties: - agent_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - es_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - nullable: true - type: object - properties: - agent_certificate: - type: string - agent_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - agent_key: - type: string - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - client_auth: - enum: - - optional - - required - - none - type: string - es_certificate: - type: string - es_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - es_key: - type: string - key: - type: string - required: - - proxy_id + $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationUpdateProps' + required: true responses: '200': content: application/json: examples: - putFleetServerHostExample: - description: The updated Fleet Server host + UpdateConversationResponse200Example: value: - item: - host_urls: - - https://updated-fleet-server.example.com:8220 - id: fleet-server-host-id-1 - is_default: false - is_preconfigured: false - name: Updated Fleet Server + apiConfig: + 
actionTypeId: '09876' + connectorId: '54321' + category: insights + createdAt: '2023-10-31T12:01:00Z' + createdBy: + id: user1 + name: John Doe + excludeFromLastConversationStorage: true + id: abc123 + messages: + - content: The issue was resolved. + role: assistant + timestamp: '2023-10-31T12:30:00Z' + namespace: default + replacements: {} + title: Updated Security Discussion + updatedAt: '2023-10-31T12:31:00Z' + users: + - id: user1 + name: John Doe + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse' + description: Indicates a successful call. The conversation was updated successfully. + '400': + content: + application/json: + examples: + UpdateConversationResponse400Example: + value: + error: Bad Request + message: 'Missing required field: title' + statusCode: 400 schema: - additionalProperties: false type: object properties: - item: - additionalProperties: false - type: object - properties: - host_urls: - items: - type: string - maxItems: 10 - minItems: 1 - type: array - id: - type: string - is_default: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: - default: false - type: boolean - name: - type: string - proxy_id: - nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - ssl: - additionalProperties: false - type: object - properties: - agent_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - es_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - nullable: true - type: object - properties: - agent_certificate: - type: string - agent_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - 
agent_key: - type: string - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - client_auth: - enum: - - optional - - required - - none - type: string - es_certificate: - type: string - es_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - es_key: - type: string - key: - type: string - required: - - name - - host_urls - - id - required: - - item - description: Successful response + error: + example: Bad Request + type: string + message: + example: 'Missing required field: title' + type: string + statusCode: + example: 400 + type: number + description: Bad Request response. + summary: Update a conversation + tags: + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request PUT 'http://localhost:5601/api/security_ai_assistant/current_user/conversations/abc123' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" \ + --data '{"title":"Updated Security Discussion","category":"insights","messages":[{"content":"Resolved.","role":"assistant","timestamp":"2023-10-31T12:30:00Z"}],"apiConfig":{"connectorId":"54321","actionTypeId":"09876"},"replacements":{},"excludeFromLastConversationStorage":true}' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security_ai_assistant/knowledge_base: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/security_ai_assistant/knowledge_base
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Read a single KB + operationId: GetKnowledgeBase + responses: + '200': + content: + application/json: + examples: + KnowledgeBaseReadResponse200Example2: + summary: A response that returns information about the knowledge base. + value: + defend_insights_exists: true + elser_exists: false + is_setup_available: true + is_setup_in_progress: true + product_documentation_status: installed + security_labs_exists: false + user_data_exists: true + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseReadResponse200' + description: Indicates a successful call. '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + GetKnowledgeBaseResponse400Example: + value: + error: Bad Request + message: Invalid resource ID provided. + statusCode: 400 + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400' + description: Bad Request response. + summary: Read a KnowledgeBase + tags: + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request GET 'http://localhost:5601/api/security_ai_assistant/knowledge_base' \ + --header "Authorization: $API_KEY" + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/security_ai_assistant/knowledge_base
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a knowledge base. Use this endpoint when no specific resource identifier is needed. + operationId: PostKnowledgeBase + parameters: + - description: ELSER modelId to use when setting up the Knowledge Base. If not provided, a default model will be used. + example: elser-model-001 + in: query + name: modelId + required: false + schema: + type: string + - description: Indicates whether we should or should not install Security Labs docs when setting up the Knowledge Base. Defaults to `false`. + example: true + in: query + name: ignoreSecurityLabs + required: false + schema: + default: false + type: boolean + responses: + '200': + content: + application/json: + examples: + KnowledgeBaseResponse200Example2: + summary: A response that indicates that the request was successful. value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + success: true schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse' + description: Indicates a successful call. + '400': content: application/json: examples: - notFoundExample: - description: No Fleet Server host was found with the given ID - value: - error: Not Found - message: Fleet server fleet-server-host-id-1 not found - statusCode: 404 - description: Not Found - summary: Update a Fleet Server host + KnowledgeBaseResponse400Example2: + summary: A response for a request that failed due to an invalid query parameter value. + value: | + statusCode: 400 error: Bad Request message: "[request query]: ignoreSecurityLabs: Invalid enum value. 
Expected 'true' | 'false', received 'yes', ignoreSecurityLabs: Expected boolean, received string" + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400' + description: Bad Request response. + summary: Create a KnowledgeBase tags: - - Fleet Server hosts - /api/fleet/health_check: - post: - description: >- - Check the health status of a Fleet Server instance by its host ID. - Returns the server status and name if available.

[Required - authorization] Route required privileges: fleet-settings-all. - operationId: post-fleet-health-check + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request POST 'http://localhost:5601/api/security_ai_assistant/knowledge_base?ignoreSecurityLabs=false' \ + --header "Authorization: $API_KEY" + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security_ai_assistant/knowledge_base/{resource}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/security_ai_assistant/knowledge_base/{resource}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Read a knowledge base with a specific resource identifier. + operationId: ReadKnowledgeBase parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf + - description: The KnowledgeBase `resource` value. + example: kb12345 + in: path + name: resource required: true schema: - example: 'true' type: string - requestBody: - content: - application/json: - examples: - postHealthCheckRequestExample: - description: Check the health of a Fleet Server instance by its host ID - value: - id: fleet-server-host-id-1 - schema: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id responses: '200': content: application/json: examples: - postHealthCheckHealthyExample: - description: Fleet Server is online and healthy - value: - name: fleet-server-1 - status: ONLINE - postHealthCheckUnreachableExample: - description: >- - Fleet Server host is not reachable (request timed out or - aborted) + KnowledgeBaseReadResponse200Example1: + summary: A response that returns information about the knowledge base. value: - host_id: fleet-server-host-id-1 - status: OFFLINE + defend_insights_exists: true + elser_exists: false + is_setup_available: true + is_setup_in_progress: true + product_documentation_status: installed + security_labs_exists: false + user_data_exists: true schema: - additionalProperties: false - type: object - properties: - host_id: - type: string - name: - type: string - status: - type: string - required: - - status - description: Successful health check response + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseReadResponse200' + description: Indicates a successful call. 
'400': content: application/json: examples: - badRequestExample: - description: >- - The host ID exists but has no associated host URLs - configured + ReadKnowledgeBaseResponse400Example: value: error: Bad Request - message: >- - The requested host id fleet-server-host-id-1 does not have - associated host urls. + message: Invalid resource ID provided. statusCode: 400 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No Fleet Server host was found with the given ID - value: - error: Not Found - message: >- - The requested host id fleet-server-host-id-1 does not - exist. - statusCode: 404 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Not Found - summary: Check Fleet Server health + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400' + description: Bad Request response. + summary: Read a KnowledgeBase for a resource tags: - - Fleet internals - /api/fleet/kubernetes: - get: - description: >- - Get the Kubernetes manifest for deploying Elastic - Agent.

[Required authorization] Route required privileges: - fleet-agent-policies-read OR fleet-setup. - operationId: get-fleet-kubernetes + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request GET 'http://localhost:5601/api/security_ai_assistant/knowledge_base/kb12345' \ + --header "Authorization: $API_KEY" + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/security_ai_assistant/knowledge_base/{resource}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a knowledge base with a specific resource identifier. + operationId: CreateKnowledgeBase parameters: - - description: If true, returns the manifest as a downloadable file - in: query - name: download - required: false + - description: The KnowledgeBase `resource` value. + example: kb12345 + in: path + name: resource + required: true schema: - type: boolean - - description: Fleet Server host URL to include in the manifest + type: string + - description: ELSER modelId to use when setting up the Knowledge Base. If not provided, a default model will be used. + example: elser-model-001 in: query - name: fleetServer + name: modelId required: false schema: type: string - - description: Enrollment token to include in the manifest + - description: Indicates whether we should or should not install Security Labs docs when setting up the Knowledge Base. Defaults to `false`. + example: true in: query - name: enrolToken + name: ignoreSecurityLabs required: false schema: - type: string + default: false + type: boolean responses: '200': content: application/json: examples: - getK8sManifestExample: - description: The Kubernetes manifest for deploying Elastic Agent + KnowledgeBaseResponse200Example1: + summary: A response that indicates that the request was successful. value: - item: >- - apiVersion: v1\nkind: ConfigMap\nmetadata:\n name: - agent-node-datastreams\n namespace: kube-system\n + success: true schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_get_k8s_manifest_response - description: Successful response + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse' + description: Indicates a successful call. 
'400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + KnowledgeBaseResponse400Example1: + summary: A response for a request that failed due to an invalid query parameter value. + value: | + statusCode: 400 error: Bad Request message: "[request query]: ignoreSecurityLabs: Invalid enum value. Expected 'true' | 'false', received 'yes', ignoreSecurityLabs: Expected boolean, received string" + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400' + description: Bad Request response. + summary: Create a KnowledgeBase for a resource + tags: + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request POST 'http://localhost:5601/api/security_ai_assistant/knowledge_base/kb12345?ignoreSecurityLabs=false' \ + --header "Authorization: $API_KEY" + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security_ai_assistant/knowledge_base/entries: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/security_ai_assistant/knowledge_base/entries
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a Knowledge Base Entry + operationId: CreateKnowledgeBaseEntry + requestBody: + content: + application/json: + examples: + CreateKnowledgeBaseEntryRequest: + value: + kbResource: user + name: How to reset a password + source: manual + text: To reset your password, go to the settings page and click 'Reset Password'. + type: document + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryCreateProps' + required: true + responses: + '200': + content: + application/json: + examples: + CreateKnowledgeBaseEntryResponse200Example: + value: + createdAt: '2024-01-15T10:00:00.000Z' + createdBy: user@example.com + global: false + id: '12345' + kbResource: user + name: How to reset a password + namespace: default + source: manual + text: To reset your password, go to the settings page and click 'Reset Password'. + type: document + updatedAt: '2024-01-15T10:00:00.000Z' + updatedBy: user@example.com + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse' + description: Successful request returning Knowledge Base Entries + '400': + content: + application/json: + examples: + CreateKnowledgeBaseEntryResponse400Example: + value: + error: Invalid input + message: The 'name' field is required. + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema' + description: Bad Request response. 
+ summary: Create a Knowledge Base Entry + tags: + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request POST 'http://localhost:5601/api/security_ai_assistant/knowledge_base/entries' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" \ + --data '{"name":"How to reset a password","type":"document","kbResource":"user","source":"manual","text":"To reset your password, go to the settings page and click Reset Password."}' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security_ai_assistant/knowledge_base/entries/_bulk_action: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/security_ai_assistant/knowledge_base/entries/_bulk_action
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + The bulk action is applied to all Knowledge Base Entries that match the filter or to the list of Knowledge Base Entries by their IDs. + operationId: PerformKnowledgeBaseEntryBulkAction + requestBody: + content: + application/json: + examples: + PerformKnowledgeBaseEntryBulkActionRequest: + value: + create: + - kbResource: user + name: New Entry + source: manual + text: This is the content of the new entry. + type: document + delete: + ids: + - '789' + update: + - id: '123' + kbResource: user + name: Updated Entry + source: manual + text: Updated content. + type: document + schema: + type: object + properties: + create: + description: List of Knowledge Base Entries to create. + example: + - kbResource: user + name: New Entry + source: manual + text: This is the content of the new entry. + type: document + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryCreateProps' + type: array + delete: + type: object + properties: + ids: + description: Array of Knowledge Base Entry IDs. + example: + - '123' + - '456' + - '789' + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter Knowledge Base Entries. + example: status:active AND category:technology + type: string + update: + description: List of Knowledge Base Entries to update. + example: + - id: '123' + kbResource: user + name: Updated Entry + source: manual + text: Updated content. 
+ type: document + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryUpdateProps' + type: array + responses: + '200': + content: + application/json: + examples: + PerformKnowledgeBaseEntryBulkActionResponse200Example: + value: + attributes: + results: + created: + - createdAt: '2024-01-15T10:00:00.000Z' + createdBy: user@example.com + global: false + id: '456' + kbResource: user + name: New Entry + namespace: default + source: manual + text: This is the content of the new entry. + type: document + updatedAt: '2024-01-15T10:00:00.000Z' + updatedBy: user@example.com + deleted: + - '789' + skipped: [] + updated: + - createdAt: '2024-01-14T09:00:00.000Z' + createdBy: user@example.com + global: false + id: '123' + kbResource: user + name: Updated Entry + namespace: default + source: manual + text: Updated content. + type: document + updatedAt: '2024-01-15T10:00:00.000Z' + updatedBy: user@example.com + summary: + failed: 0 + skipped: 0 + succeeded: 3 + total: 3 + knowledgeBaseEntriesCount: 3 + message: Bulk action completed successfully. + statusCode: 200 + success: true + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionResponse' + description: Successful bulk operation request + '400': + content: + application/json: + examples: + PerformKnowledgeBaseEntryBulkActionResponse400Example: value: error: Bad Request - message: An error message describing what went wrong + message: Invalid request body. statusCode: 400 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get a full K8s agent manifest + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema' + description: Bad Request response. 
+ summary: Applies a bulk action to multiple Knowledge Base Entries tags: - - Elastic Agent policies - /api/fleet/kubernetes/download: + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request POST 'http://localhost:5601/api/security_ai_assistant/knowledge_base/entries/_bulk_action' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" \ + --data '{"create":[{"name":"Runbook","type":"document","kbResource":"user","source":"manual","text":"Steps to triage an alert."}]}' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security_ai_assistant/knowledge_base/entries/_find: get: - description: >- - Download the Kubernetes manifest for deploying Elastic - Agent.

[Required authorization] Route required privileges: - fleet-agent-policies-read OR fleet-setup. - operationId: get-fleet-kubernetes-download + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/security_ai_assistant/knowledge_base/entries/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Finds Knowledge Base Entries that match the given query. + operationId: FindKnowledgeBaseEntries parameters: - - description: If true, returns the manifest as a downloadable file + - description: A list of fields to include in the response. If not provided, all fields will be included. in: query - name: download + name: fields required: false schema: - type: boolean - - description: Fleet Server host URL to include in the manifest + example: + - name + - created_at + items: + type: string + type: array + - description: Search query to filter Knowledge Base Entries by specific criteria. + in: query + name: filter + required: false + schema: + example: error handling + type: string + - description: Field to sort the Knowledge Base Entries by. + in: query + name: sort_field + required: false + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_FindKnowledgeBaseEntriesSortField' + example: created_at + - description: Sort order for the results, either asc or desc. + in: query + name: sort_order + required: false + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' + example: asc + - description: Page number for paginated results. Defaults to 1. in: query - name: fleetServer + name: page required: false schema: - type: string - - description: Enrollment token to include in the manifest + default: 1 + example: 2 + minimum: 1 + type: integer + - description: Number of Knowledge Base Entries to return per page. Defaults to 20. 
in: query - name: enrolToken + name: per_page required: false schema: - type: string - responses: - '200': - content: - application/json: - examples: - getDownloadK8sManifestExample: - description: The Kubernetes manifest download - value: >- - apiVersion: v1\nkind: ConfigMap\nmetadata:\n name: - agent-node-datastreams\n namespace: kube-system\n - schema: - type: string - description: >- - Successful response — returns the Kubernetes manifest as a YAML file - download - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No manifest was found - value: - error: Not Found - message: Agent manifest not found - statusCode: 404 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Not Found - summary: Download an agent manifest - tags: - - Elastic Agent policies - /api/fleet/logstash_api_keys: - post: - description: >- - Generate an API key for Logstash to use with a Fleet - output.

[Required authorization] Route required privileges: - fleet-settings-all. - operationId: post-fleet-logstash-api-keys - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string + default: 20 + example: 10 + minimum: 0 + type: integer responses: '200': content: application/json: examples: - postLogstashApiKeyExample: - description: The generated Logstash API key + FindKnowledgeBaseEntriesResponse200Example: value: - api_key: TiNAGG4BaaMdaH1tRfuU:KnR6yE41RrSowb0kQ0HWoA + data: + - createdAt: '2024-01-15T10:00:00.000Z' + createdBy: user@example.com + global: false + id: '12345' + kbResource: user + name: How to reset a password + namespace: default + source: manual + text: To reset your password, go to the settings page and click 'Reset Password'. + type: document + updatedAt: '2024-01-15T10:00:00.000Z' + updatedBy: user@example.com + page: 1 + perPage: 20 + total: 100 schema: - additionalProperties: false type: object properties: - api_key: - type: string + data: + description: The list of Knowledge Base Entries for the current page. + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse' + type: array + page: + description: The current page number. + example: 1 + type: integer + perPage: + description: The number of Knowledge Base Entries returned per page. + example: 20 + type: integer + total: + description: The total number of Knowledge Base Entries available. + example: 100 + type: integer required: - - api_key - description: Successful response + - page + - perPage + - total + - data + description: Successful response containing the paginated Knowledge Base Entries. 
'400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + FindKnowledgeBaseEntriesResponse400Example: value: error: Bad Request - message: An error message describing what went wrong + message: 'Invalid query parameter: sort_order' statusCode: 400 schema: - additionalProperties: false - description: Generic Error type: object properties: - attributes: - nullable: true error: - type: string - errorType: + description: A short description of the error. + example: Bad Request type: string message: + description: A detailed message explaining the error. + example: 'Invalid query parameter: sort_order' type: string statusCode: + description: The HTTP status code of the error. + example: 400 type: number - required: - - message - - attributes - description: Bad Request - summary: Generate a Logstash API key + description: Bad Request response. + summary: Finds Knowledge Base Entries that match the given query. tags: - - Fleet outputs - /api/fleet/message_signing_service/rotate_key_pair: - post: - description: >- - Rotate the key pair used by Fleet to sign messages sent to Elastic - Agents. This operation is irreversible and requires all agents in the - Fleet to be re-enrolled after rotation. You must explicitly acknowledge - the risk by passing `acknowledge=true` as a query - parameter.

[Required authorization] Route required privileges: - fleet-agents-all AND fleet-agent-policies-all AND fleet-settings-all. - operationId: post-fleet-message-signing-service-rotate-key-pair + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request GET 'http://localhost:5601/api/security_ai_assistant/knowledge_base/entries/_find?page=1&per_page=20' \ + --header "Authorization: $API_KEY" + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security_ai_assistant/knowledge_base/entries/{id}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/security_ai_assistant/knowledge_base/entries/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a Knowledge Base Entry by its unique `id`. + operationId: DeleteKnowledgeBaseEntry parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf + - description: The unique identifier (`id`) of the Knowledge Base Entry to delete. + example: '12345' + in: path + name: id required: true schema: - example: 'true' - type: string - - description: >- - Set to true to confirm you understand the risks of rotating the key - pair - in: query - name: acknowledge - required: false - schema: - default: false - type: boolean + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' responses: '200': content: application/json: examples: - rotateKeyPairSuccessExample: - description: >- - The key pair was rotated. All agents must be re-enrolled to - receive the new signing key. + DeleteKnowledgeBaseEntryResponse200Example: value: - message: Key pair rotated successfully. + id: '12345' + message: Knowledge Base Entry successfully deleted. schema: - additionalProperties: false - type: object - properties: - message: - type: string - required: - - message - description: Key pair rotated successfully + $ref: '#/components/schemas/Security_AI_Assistant_API_DeleteResponseFields' + description: Successful request returning the `id` of the deleted Knowledge Base Entry. '400': content: application/json: examples: - acknowledgeRequiredExample: - description: >- - Request was rejected because the acknowledge query parameter - was not set to true - value: - error: Bad Request - message: >- - Warning: this API will cause a key pair to rotate and - should not be necessary in normal operation. If you - proceed, you may need to reinstall Agents in your network. - You must acknowledge the risks of rotating the key pair - with acknowledge=true in the request parameters. For more - information, reach out to your administrator. 
- statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '500': - content: - application/json: - examples: - serviceUnavailableExample: - description: The message signing service is not available + DeleteKnowledgeBaseEntryResponse400Example: value: - error: Internal Server Error - message: >- - Failed to rotate key pair. Message signing service is - unavailable! - statusCode: 500 + error: Not Found + message: No Knowledge Base Entry found with the provided `id`. schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Internal Server Error - summary: Rotate a Fleet message signing key pair + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema' + description: Bad Request response. + summary: Deletes a single Knowledge Base Entry using the `id` field tags: - - Message Signing Service - /api/fleet/outputs: + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request DELETE 'http://localhost:5601/api/security_ai_assistant/knowledge_base/entries/12345' \ + --header "Authorization: $API_KEY" + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name get: - description: >- - List all Fleet outputs.

[Required authorization] Route required - privileges: fleet-settings-read OR fleet-agent-policies-read. - operationId: get-fleet-outputs - parameters: [] + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/security_ai_assistant/knowledge_base/entries/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve a Knowledge Base Entry by its unique `id`. + operationId: ReadKnowledgeBaseEntry + parameters: + - description: The unique identifier (`id`) of the Knowledge Base Entry to retrieve. + example: '12345' + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' responses: '200': content: application/json: examples: - getOutputsExample: - description: List of Fleet outputs + ReadKnowledgeBaseEntryResponse200Example: value: - items: - - hosts: - - https://elasticsearch.example.com:9200 - id: output-id-1 - is_default: true - is_default_monitoring: true - name: Default output - type: elasticsearch - page: 1 - perPage: 20 - total: 1 + createdAt: '2024-01-15T10:00:00.000Z' + createdBy: user@example.com + global: false + id: '12345' + kbResource: user + name: How to reset a password + namespace: default + source: manual + text: To reset your password, go to the settings page and click 'Reset Password'. + type: document + updatedAt: '2024-01-15T10:00:00.000Z' + updatedBy: user@example.com schema: - additionalProperties: false - type: object - properties: - items: - items: - anyOf: - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_output_elasticsearch - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_output_remote_elasticsearch - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_output_logstash - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_kafka' - maxItems: 10000 - type: array - page: - type: number - perPage: - type: number - total: - type: number - required: - - items - - total - - page - - perPage - description: Successful response + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse' + description: Successful request returning the requested Knowledge Base Entry. 
'400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + ReadKnowledgeBaseEntryResponse400Example: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + error: Not Found + message: No Knowledge Base Entry found with the provided `id`. schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get outputs + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema' + description: Bad Request response. + summary: Read a Knowledge Base Entry tags: - - Fleet outputs - post: - description: >- - Create a new Fleet output.

[Required authorization] Route - required privileges: fleet-settings-all. - operationId: post-fleet-outputs + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request GET 'http://localhost:5601/api/security_ai_assistant/knowledge_base/entries/12345' \ + --header "Authorization: $API_KEY" + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/security_ai_assistant/knowledge_base/entries/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an existing Knowledge Base Entry by its unique `id`. + operationId: UpdateKnowledgeBaseEntry parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf + - description: The unique identifier (`id`) of the Knowledge Base Entry to update. + example: '12345' + in: path + name: id required: true schema: - example: 'true' - type: string + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' requestBody: content: application/json: examples: - postOutputRequestExample: - description: Create a new Elasticsearch output + UpdateKnowledgeBaseEntryRequest: value: - hosts: - - https://elasticsearch.example.com:9200 - is_default: false - is_default_monitoring: false - name: My output - type: elasticsearch + kbResource: user + name: How to reset a password (updated) + source: manual + text: 'Updated: go to settings and click Reset Password, then follow the on-screen instructions.' 
+ type: document schema: - anyOf: - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_new_output_elasticsearch - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_new_output_remote_elasticsearch - - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_output_logstash' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_output_kafka' + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryUpdateRouteProps' + required: true responses: '200': content: application/json: examples: - postOutputExample: - description: The created Fleet output + UpdateKnowledgeBaseEntryResponse200Example: value: - item: - hosts: - - https://elasticsearch.example.com:9200 - id: output-id-2 - is_default: false - is_default_monitoring: false - name: My output - type: elasticsearch + createdAt: '2024-01-15T10:00:00.000Z' + createdBy: user@example.com + global: false + id: '12345' + kbResource: user + name: How to reset a password (updated) + namespace: default + source: manual + text: 'Updated: go to settings and click Reset Password, then follow the on-screen instructions.' + type: document + updatedAt: '2024-01-15T10:05:00.000Z' + updatedBy: user@example.com schema: - additionalProperties: false - type: object - properties: - item: - anyOf: - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_output_elasticsearch - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_output_remote_elasticsearch - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_logstash' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_kafka' - required: - - item - description: Successful response + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse' + description: Successful request returning the updated Knowledge Base Entry. 
'400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + UpdateKnowledgeBaseEntryResponse400Example: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + error: Invalid input + message: The 'text' field cannot be empty. schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Create output + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema' + description: Bad Request response. + summary: Update a Knowledge Base Entry tags: - - Fleet outputs - /api/fleet/outputs/{outputId}: - delete: - description: >- - Delete output by ID.

[Required authorization] Route required - privileges: fleet-settings-all. - operationId: delete-fleet-outputs-outputid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The ID of the output - in: path - name: outputId - required: true - schema: - type: string + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request PUT 'http://localhost:5601/api/security_ai_assistant/knowledge_base/entries/12345' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" \ + --data '{"name":"How to reset a password (updated)","type":"document","kbResource":"user","source":"manual","text":"Updated: go to settings and click Reset Password, then follow the on-screen instructions."}' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security_ai_assistant/prompts/_bulk_action: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/security_ai_assistant/prompts/_bulk_action
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Apply a bulk action to multiple prompts. The bulk action is applied to all prompts that match the filter or to the list of prompts by their IDs. This action allows for bulk create, update, or delete operations. + operationId: PerformPromptsBulkAction + requestBody: + content: + application/json: + examples: + PerformPromptsBulkActionRequest: + value: + create: + - content: Please verify the security settings. + name: New Security Prompt + promptType: system + delete: + ids: + - prompt1 + - prompt2 + update: + - content: Updated content for security prompt. + id: prompt123 + schema: + type: object + properties: + create: + description: List of prompts to be created. + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_PromptCreateProps' + type: array + delete: + description: Criteria for deleting prompts in bulk. + type: object + properties: + ids: + description: Array of IDs to apply the action to. + example: + - '1234' + - '5678' + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter the bulk action. + example: 'status: ''inactive''' + type: string + update: + description: List of prompts to be updated. + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_PromptUpdateProps' + type: array responses: '200': content: application/json: examples: - deleteOutputExample: - description: The output was successfully deleted + success: value: - id: output-id-1 + attributes: + errors: [] + results: + created: + - content: Please verify the security settings. 
+ id: prompt6 + name: New Security Prompt + promptType: system + deleted: + - prompt2 + - prompt3 + skipped: + - id: prompt4 + name: Security Prompt + skip_reason: PROMPT_FIELD_NOT_MODIFIED + updated: + - content: Updated security settings prompt + id: prompt1 + name: Security Prompt + promptType: system + summary: + failed: 0 + skipped: 1 + succeeded: 4 + total: 5 + message: Bulk action completed successfully. + prompts_count: 5 + status_code: 200 + success: true schema: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - description: Successful response + $ref: '#/components/schemas/Security_AI_Assistant_API_PromptsBulkCrudActionResponse' + description: Indicates a successful call with the results of the bulk action. '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + PerformPromptsBulkActionResponse400Example: value: error: Bad Request - message: An error message describing what went wrong + message: Invalid prompt ID or missing required fields. statusCode: 400 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No output was found with the given ID - value: - error: Not Found - message: Output output-id-1 not found - statusCode: 404 - schema: - additionalProperties: false - description: Generic Error type: object properties: - attributes: - nullable: true error: - type: string - errorType: + description: A short error message. + example: Bad Request type: string message: + description: A detailed error message. + example: Invalid prompt ID or missing required fields. 
type: string statusCode: + description: The HTTP status code for the error. + example: 400 type: number - required: - - message - - attributes - description: Not Found - summary: Delete output + description: Bad Request response. + summary: Apply a bulk action to prompts tags: - - Fleet outputs + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request POST 'http://localhost:5601/api/security_ai_assistant/prompts/_bulk_action' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" \ + --data '{"delete":{"query":"name: test","ids":[]}}' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security_ai_assistant/prompts/_find: get: - description: >- - Get output by ID.

[Required authorization] Route required - privileges: fleet-settings-read OR fleet-agent-policies-read. - operationId: get-fleet-outputs-outputid + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/security_ai_assistant/prompts/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all prompts based on optional filters, sorting, and pagination. + operationId: FindPrompts parameters: - - description: The ID of the output - in: path - name: outputId - required: true + - description: List of specific fields to include in each returned prompt. + in: query + name: fields + required: false + schema: + example: + - id + - name + - content + items: + type: string + type: array + - description: Search query string to filter prompts by matching fields. + in: query + name: filter + required: false schema: + example: error handling type: string + - description: Field to sort prompts by. + in: query + name: sort_field + required: false + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_FindPromptsSortField' + - description: Sort order, either asc or desc. + in: query + name: sort_order + required: false + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' + - description: Page number for pagination. + in: query + name: page + required: false + schema: + default: 1 + example: 1 + minimum: 1 + type: integer + - description: Number of prompts per page. + in: query + name: per_page + required: false + schema: + default: 20 + example: 20 + minimum: 0 + type: integer responses: '200': content: application/json: examples: - getOutputExample: - description: A Fleet output + FindPromptsResponse200Example: value: - item: - hosts: - - https://elasticsearch.example.com:9200 - id: output-id-1 - is_default: true - is_default_monitoring: true - name: Default output - type: elasticsearch + data: + - categories: + - troubleshooting + - logging + color: '#FF5733' + consumer: security + content: If you encounter an error, check the logs and retry. 
+ createdAt: '2025-04-20T21:00:00Z' + createdBy: jdoe + id: prompt-123 + isDefault: true + isNewConversationDefault: false + name: Error Troubleshooting Prompt + namespace: default + promptType: standard + timestamp: '2025-04-30T22:30:00Z' + updatedAt: '2025-04-30T22:45:00Z' + updatedBy: jdoe + users: + - full_name: John Doe + username: jdoe + page: 1 + perPage: 20 + total: 142 schema: - additionalProperties: false + example: + data: + - categories: + - troubleshooting + - logging + color: '#FF5733' + consumer: security + content: If you encounter an error, check the logs and retry. + createdAt: '2025-04-20T21:00:00Z' + createdBy: jdoe + id: prompt-123 + isDefault: true + isNewConversationDefault: false + name: Error Troubleshooting Prompt + namespace: default + promptType: standard + timestamp: '2025-04-30T22:30:00Z' + updatedAt: '2025-04-30T22:45:00Z' + updatedBy: jdoe + users: + - full_name: John Doe + username: jdoe + page: 1 + perPage: 20 + total: 142 type: object properties: - item: - anyOf: - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_output_elasticsearch - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_output_remote_elasticsearch - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_logstash' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_kafka' + data: + description: The list of prompts returned based on the search query, sorting, and pagination. + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_PromptResponse' + type: array + page: + description: Current page number. + example: 1 + type: integer + perPage: + description: Number of prompts per page. + example: 20 + type: integer + total: + description: Total number of prompts matching the query. + example: 142 + type: integer required: - - item - description: Successful response + - page + - perPage + - total + - data + description: Successful response containing a list of prompts. 
'400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + FindPromptsResponse400Example: value: error: Bad Request - message: An error message describing what went wrong + message: Invalid sort order value provided. statusCode: 400 schema: - additionalProperties: false - description: Generic Error type: object properties: - attributes: - nullable: true error: - type: string - errorType: + description: Short error message. + example: Bad Request type: string message: + description: Detailed description of the error. + example: Invalid sort order value provided. type: string statusCode: + description: HTTP status code for the error. + example: 400 type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No output was found with the given ID - value: - error: Not Found - message: Output output-id-1 not found - statusCode: 404 - description: Not Found - summary: Get output + description: Bad request due to invalid parameters or malformed query. + summary: Get prompts tags: - - Fleet outputs + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request GET 'http://localhost:5601/api/security_ai_assistant/prompts/_find?page=1&per_page=20' \ + --header "Authorization: $API_KEY" + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security/entity_store: put: - description: >- - Update output by ID.

[Required authorization] Route required - privileges: fleet-settings-all OR fleet-agent-policies-all. - operationId: put-fleet-outputs-outputid + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/security/entity_store
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update the Entity Store log extraction configuration.

[Required authorization] Route required privileges: securitySolution. + operationId: put-security-entity-store parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -30813,319 +49591,424 @@ paths: schema: example: 'true' type: string - - description: The ID of the output - in: path - name: outputId - required: true - schema: - type: string requestBody: content: application/json: examples: - putOutputRequestExample: - description: Update a Fleet output + updateLogExtractionExample: + description: Update the log extraction configuration with a new lookback period and frequency. + summary: Update log extraction settings value: - hosts: - - https://updated-elasticsearch.example.com:9200 - name: Updated output + logExtraction: + fieldHistoryLength: 15 + frequency: 10m + lookbackPeriod: 6h schema: - anyOf: - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_update_output_elasticsearch - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_update_output_remote_elasticsearch - - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_output_logstash' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_output_kafka' + additionalProperties: false + type: object + properties: + logExtraction: + additionalProperties: false + type: object + properties: + additionalIndexPatterns: + items: + type: string + type: array + delay: + pattern: '[smdh]$' + type: string + docsLimit: + maximum: 9007199254740991 + minimum: 1 + type: integer + excludedIndexPatterns: + items: + type: string + type: array + fieldHistoryLength: + maximum: 9007199254740991 + minimum: -9007199254740991 + type: integer + frequency: + pattern: '[smdh]$' + type: string + lookbackPeriod: + pattern: '[smdh]$' + type: string + maxLogsPerPage: + maximum: 9007199254740991 + minimum: 1 + type: integer + maxLogsPerWindow: + maximum: 9007199254740991 + minimum: 0 + type: integer + maxLogsPerWindowCapBehavior: + enum: + - defer + - drop + type: string + maxTimeWindowSize: + pattern: '[smdh]$' + type: string + required: + - logExtraction responses: '200': content: application/json: examples: - putOutputExample: - description: The updated Fleet output + updateSuccessExample: + 
description: The Entity Store configuration was successfully updated. + summary: Entity Store updated value: - item: - hosts: - - https://updated-elasticsearch.example.com:9200 - id: output-id-1 - is_default: true - is_default_monitoring: true - name: Updated output - type: elasticsearch - schema: - additionalProperties: false - type: object - properties: - item: - anyOf: - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_output_elasticsearch - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_output_remote_elasticsearch - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_logstash' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_kafka' - required: - - item - description: Successful response + ok: true + description: Indicates a successful response. '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + invalidDurationExample: + description: A log extraction parameter has an invalid duration format. + summary: Invalid duration parameter value: error: Bad Request - message: An error message describing what went wrong + message: '[request body]: logExtraction.frequency: must be a valid duration of at least 30 seconds (e.g. 1m, 30s)' statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request + description: Bad request. '404': content: application/json: examples: notFoundExample: - description: No output was found with the given ID + description: The Entity Store has not been installed yet. 
+ summary: Entity Store not installed value: error: Not Found - message: Output output-id-1 not found + message: Entity store is not installed statusCode: 404 - description: Not Found - summary: Update output - tags: - - Fleet outputs - /api/fleet/outputs/{outputId}/health: - get: - description: >- - Get the latest health status of an output by ID.

[Required - authorization] Route required privileges: fleet-settings-read. - operationId: get-fleet-outputs-outputid-health - parameters: - - description: The ID of the output - in: path - name: outputId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getOutputHealthExample: - description: The latest health status of a Fleet output - value: - message: '' - state: HEALTHY - timestamp: '2024-01-15T10:00:00.000Z' - schema: - additionalProperties: false - type: object - properties: - message: - description: long message if unhealthy - type: string - state: - description: state of output, HEALTHY or DEGRADED - type: string - timestamp: - description: timestamp of reported state - type: string - required: - - state - - message - - timestamp - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get the latest output health + description: Entity Store not found. 
+ summary: Update the Entity Store tags: - - Fleet outputs - /api/fleet/package_policies: + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X PUT -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ + -H "Content-Type: application/json" \ + -d '{"logExtraction":{"lookbackPeriod":"6h","frequency":"10m","fieldHistoryLength":15}}' \ + "${KIBANA_URL}/api/security/entity_store" + - lang: Console + source: | + PUT kbn://api/security/entity_store + { + "logExtraction": { + "lookbackPeriod": "6h", + "frequency": "10m", + "fieldHistoryLength": 15 + } + } + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security/entity_store/entities: get: - description: List all package policies. - operationId: get-fleet-package-policies + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/security/entity_store/entities
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List entity records from the Entity Store with paging, sorting, and filtering. Supports two modes: page-based pagination (page/per_page) and cursor-based pagination (searchAfter). The two modes cannot be combined.

[Required authorization] Route required privileges: securitySolution. + operationId: get-security-entity-store-entities parameters: - - description: Page number + - description: A Kibana Query Language (KQL) filter for the search-after mode. + in: query + name: filter + required: false + schema: + type: string + - description: Number of entities to return in search-after mode. in: query - name: page + name: size required: false schema: - type: number - - description: Number of results per page + maximum: 9007199254740991 + minimum: 1 + type: integer + - description: JSON-encoded search_after value for cursor-based pagination. in: query - name: perPage + name: searchAfter required: false schema: - type: number - - description: Field to sort results by + type: string + - description: Fields to include in the response source. in: query - name: sortField + name: source + required: false + schema: + items: + type: string + type: array + - description: Fields to include in the response. + in: query + name: fields + required: false + schema: + items: + type: string + type: array + - description: Field to sort results by in page mode. + in: query + name: sort_field required: false schema: type: string - - description: Sort order, ascending or descending + - description: Sort order in page mode. in: query - name: sortOrder + name: sort_order required: false schema: enum: - - desc - asc + - desc type: string - - description: When true, only show policies with available upgrades + - description: Page number to return (1-indexed) in page mode. in: query - name: showUpgradeable + name: page required: false schema: - type: boolean - - description: A KQL query string to filter results + maximum: 9007199254740991 + minimum: 1 + type: integer + - description: Number of entities per page in page mode. 
in: query - name: kuery + name: per_page required: false schema: - type: string - - description: 'Format for the response: simplified or legacy' + maximum: 10000 + minimum: 1 + type: integer + - description: An Elasticsearch query string to filter entities in page mode. in: query - name: format + name: filterQuery required: false schema: - enum: - - simplified - - legacy type: string - - description: When true, include the agent count per package policy + - description: Entity types to include in the results. in: query - name: withAgentCount + name: entity_types required: false schema: - type: boolean + items: + enum: + - user + - host + - service + - generic + type: string + type: array responses: '200': content: application/json: examples: - getPackagePoliciesExample: - description: List of package policies + emptyResultExample: + description: No entities matched the query. + summary: Empty result value: - items: - - created_at: '2024-01-15T10:00:00.000Z' - enabled: true - id: package-policy-id-1 - inputs: [] - name: nginx-1 - namespace: default - package: - name: nginx - title: Nginx - version: 1.20.0 - policy_ids: - - agent-policy-id-1 - updated_at: '2024-01-15T10:00:00.000Z' page: 1 - perPage: 20 + per_page: 10 + records: [] + total: 0 + pageModeExample: + description: A paginated list of host entities sorted by timestamp in descending order, including query inspection data. 
+ summary: Page mode response with host entities + value: + inspect: + dsl: + - '{"index":["entities-latest-default"],"body":{"terms":{"entity.EngineMetadata.Type":["host"]}}}' + response: + - '{"took":1,"timed_out":false,"hits":{"total":{"value":1,"relation":"eq"}}}' + page: 1 + per_page: 10 + records: + - '@timestamp': '2026-04-10T08:30:00.000Z' + asset: + criticality: high_impact + environment: production + entity: + attributes: + asset: true + managed: true + id: host:web-server-prod-01 + lifecycle: + first_seen: '2026-01-15T10:00:00.000Z' + last_activity: '2026-04-10T08:30:00.000Z' + name: web-server-prod-01 + risk: + calculated_level: Moderate + calculated_score: 47.5 + calculated_score_norm: 47.5 + source: + - logs + type: host + host: + hostname: + - web-server-prod-01.example.com + ip: + - 10.0.1.42 + name: web-server-prod-01 + os: + name: Ubuntu + type: linux total: 1 - schema: - additionalProperties: false - type: object - properties: - items: - items: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_package_policy_response - maxItems: 10000 - type: array - page: - type: number - perPage: - type: number - total: - type: number - required: - - items - - total - - page - - perPage - description: Successful response + searchAfterModeExample: + description: A cursor-based response with entities and a search_after token for the next page. + summary: Search-after mode response + value: + entities: + - '@timestamp': '2026-04-10T08:30:00.000Z' + entity: + id: user:jane.doe@example.com + name: jane.doe + type: user + user: + email: + - jane.doe@example.com + name: jane.doe + nextSearchAfter: + - 1712736600000 + - 1 + description: Indicates a successful response. '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + invalidFilterExample: + description: The provided Kibana Query Language filter could not be parsed. 
+ summary: Invalid filter value: error: Bad Request - message: An error message describing what went wrong + message: |- + Invalid filter: Expected "(", "{", value, whitespace but ":" found. + invalid :: query + ---------^ statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get package policies + mixedModesExample: + description: Cannot combine page-based pagination with cursor-based pagination in the same request. + summary: Mixed pagination modes + value: + error: Bad Request + message: '[request query]: Cannot combine page/per_page with searchAfter' + statusCode: 400 + description: Bad request. + summary: List entities tags: - - Fleet package policies + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X GET -H "Authorization: ApiKey ${API_KEY}" \ + "${KIBANA_URL}/api/security/entity_store/entities?entity_types=host&page=1&per_page=10&sort_field=%40timestamp&sort_order=desc" + - lang: Console + source: | + GET kbn://api/security/entity_store/entities?entity_types=host&page=1&per_page=10&sort_field=@timestamp&sort_order=desc + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security/entity_store/entities/: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/security/entity_store/entities/
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a single entity record from the Entity Store. The entity is immediately removed from the latest index.

[Required authorization] Route required privileges: securitySolution. + operationId: delete-security-entity-store-entities + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + deleteEntityExample: + description: Delete a single entity from the Entity Store using its entity identifier. + summary: Delete an entity by identifier + value: + entityId: host:web-server-prod-01 + schema: + additionalProperties: false + type: object + properties: + entityId: + description: The identifier of the entity to delete. + type: string + required: + - entityId + responses: + '200': + content: + application/json: + examples: + deleteSuccessExample: + description: The entity was found and successfully removed from the latest index. + summary: Entity deleted + value: + deleted: true + description: Indicates the entity was successfully deleted. + '404': + content: + application/json: + examples: + notFoundExample: + description: No entity with the specified identifier exists in the Entity Store. + summary: Entity not found + value: + error: Not Found + message: Entity ID 'host:web-server-prod-01' not found + statusCode: 404 + description: Entity not found. 
+ summary: Delete an entity + tags: + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X DELETE -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ + -H "Content-Type: application/json" \ + -d '{"entityId":"host:web-server-prod-01"}' \ + "${KIBANA_URL}/api/security/entity_store/entities/" + - lang: Console + source: | + DELETE kbn://api/security/entity_store/entities/ + { + "entityId": "host:web-server-prod-01" + } + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security/entity_store/entities/{entityType}: post: - description: Create a new package policy and assign it to an agent policy. - operationId: post-fleet-package-policies + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/security/entity_store/entities/{entityType}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new entity record in the Entity Store for the specified entity type.

[Required authorization] Route required privileges: securitySolution. + operationId: post-security-entity-store-entities-entitytype parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -31134,254 +50017,2380 @@ paths: schema: example: 'true' type: string - - description: 'Format for the response: simplified or legacy' - in: query - name: format - required: false + - description: The entity type to create. + in: path + name: entityType + required: true schema: enum: - - simplified - - legacy + - user + - host + - service + - generic type: string requestBody: content: application/json: examples: - postPackagePolicyRequestExample: - description: Create a new nginx package policy + createHostEntityExample: + description: Create a new host entity record with basic host and entity fields. The entity identifier must match the auto-generated format for the entity type. + summary: Create a host entity value: - inputs: {} - name: nginx-1 - namespace: default - package: - name: nginx - version: 1.20.0 - policy_ids: - - agent-policy-id-1 + asset: + business_unit: Engineering + criticality: high_impact + environment: production + entity: + attributes: + asset: true + managed: true + id: host:web-server-prod-01 + name: web-server-prod-01 + source: + - manual + type: host + host: + hostname: + - web-server-prod-01.example.com + ip: + - 10.0.1.42 + name: web-server-prod-01 schema: anyOf: - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_create_package_policy_request - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_simplified_create_package_policy_request - description: >- - You should use inputs as an object and not use the deprecated - inputs array. 
+ - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + 
pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false 
+ type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + 
user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: 
object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + labels: + additionalProperties: {} + type: object + properties: {} + tags: + items: + type: string + type: array + user: + additionalProperties: false + type: object + properties: + domain: + items: + type: string + type: array + email: + items: + type: string + type: array + full_name: + items: + type: string + type: array + hash: + items: + type: string + type: array + id: + items: + type: string + type: array + name: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + roles: + items: + type: string + type: array + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + 
additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + 
type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + 
type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + 
calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + host: + additionalProperties: false + type: object + properties: + architecture: + items: + type: string + type: array + domain: + items: + type: string + type: array + hostname: + items: + type: string + type: array + id: + items: + type: string + type: array + ip: + items: + type: string + type: array + mac: + items: + type: string + type: array + name: + type: string + os: + additionalProperties: false + type: object + properties: + family: + type: string + full: + type: string + kernel: + type: string + name: + anyOf: + - 
type: string + - items: + type: string + type: array + platform: + type: string + type: + anyOf: + - type: string + - items: + type: string + type: array + version: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + type: + items: + type: string + type: array + labels: + additionalProperties: {} + type: object + properties: {} + tags: + items: + type: string + type: array + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: 
array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + 
type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string 
+ type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + 
user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + labels: + additionalProperties: {} + type: object + properties: {} + service: + additionalProperties: false + type: object + properties: + address: + type: string + environment: + type: string + ephemeral_id: + type: string + id: + type: string + name: + type: string + node: + additionalProperties: false + type: object + properties: + name: + type: string + role: + type: string + roles: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + state: + type: string + type: + type: string + version: + type: string + tags: + items: + type: string + type: array + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: 
^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + cloud: + additionalProperties: false + type: object + properties: + account: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + availability_zone: + type: string + instance: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + machine: + additionalProperties: false + type: object + properties: + type: + type: string + project: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + provider: + type: string + region: + type: string + service: + additionalProperties: false + type: object + properties: + name: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: 
string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + 
additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + 
items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string 
+ type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + labels: + additionalProperties: {} + type: object + properties: {} + orchestrator: + additionalProperties: false + type: object + properties: + api_version: + type: string + cluster: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + url: + type: string + version: + type: string + namespace: + type: string + organization: + type: string + resource: + additionalProperties: false + type: object + properties: + annotation: + type: string + id: + type: string + ip: + type: string + label: + type: string + name: + type: string + parent: + additionalProperties: false + type: object + properties: + type: + type: string + type: + type: string + type: + type: string + tags: + items: + type: string + type: array responses: '200': content: application/json: examples: - postPackagePolicyExample: - description: The created package policy + createSuccessExample: + description: The entity record was successfully created in the Entity Store. 
+ summary: Entity created value: - item: - created_at: '2024-01-15T10:00:00.000Z' - enabled: true - id: package-policy-id-2 - inputs: [] - name: nginx-1 - namespace: default - package: - name: nginx - title: Nginx - version: 1.20.0 - policy_ids: - - agent-policy-id-1 - updated_at: '2024-01-15T10:00:00.000Z' - schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_create_package_policy_response - description: Successful response + ok: true + description: Indicates the entity was successfully created. '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + euidMismatchExample: + description: The supplied entity identifier does not match the auto-generated identifier derived from the entity fields. + summary: Entity identifier mismatch value: error: Bad Request - message: An error message describing what went wrong + message: 'Bad request: Supplied ID my-custom-id does not match generated EUID host:web-server-prod-01' statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request + description: Bad request. '409': content: application/json: examples: conflictExample: - description: A package policy with the same name already exists + description: An entity with the specified identifier already exists. 
+ summary: Entity already exists value: error: Conflict - message: An error message describing what went wrong + message: Entity ID 'host:web-server-prod-01' already exists statusCode: 409 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Conflict - summary: Create a package policy - tags: - - Fleet package policies - /api/fleet/package_policies/_bulk_get: - post: - description: Get multiple package policies by ID. - operationId: post-fleet-package-policies-bulk-get - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: 'Format for the response: simplified or legacy' - in: query - name: format - required: false - schema: - enum: - - simplified - - legacy - type: string - requestBody: - content: - application/json: - examples: - postBulkGetPackagePoliciesRequestExample: - description: Retrieve multiple package policies by ID - value: - ids: - - package-policy-id-1 - - package-policy-id-2 - schema: - additionalProperties: false - type: object - properties: - ids: - description: list of package policy ids - items: - type: string - maxItems: 1000 - type: array - ignoreMissing: - type: boolean - required: - - ids - responses: - '200': - content: - application/json: - examples: - postBulkGetPackagePoliciesExample: - description: The requested package policies - value: - items: - - created_at: '2024-01-15T10:00:00.000Z' - enabled: true - id: package-policy-id-1 - inputs: [] - name: nginx-1 - namespace: default - package: - name: nginx - title: Nginx - version: 1.20.0 - policy_ids: - - agent-policy-id-1 - updated_at: '2024-01-15T10:00:00.000Z' - schema: - $ref: >- - 
#/components/schemas/Kibana_HTTP_APIs_bulk_get_package_policies_response - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: One or more package policies were not found - value: - error: Not Found - message: Package policy package-policy-id-2 not found - statusCode: 404 - schema: - additionalProperties: false - type: object - properties: - message: - type: string - required: - - message - description: Not Found - summary: Bulk get package policies + description: Conflict. + summary: Create an entity tags: - - Fleet package policies - /api/fleet/package_policies/{packagePolicyId}: - delete: - description: >- - Delete a package policy by ID.

[Required authorization] Route - required privileges: fleet-agent-policies-all AND integrations-all. - operationId: delete-fleet-package-policies-packagepolicyid + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X POST -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ + -H "Content-Type: application/json" \ + -d '{"entity":{"id":"host:web-server-prod-01","name":"web-server-prod-01","type":"host","source":["manual"],"attributes":{"asset":true}},"host":{"name":"web-server-prod-01","ip":["10.0.1.42"]}}' \ + "${KIBANA_URL}/api/security/entity_store/entities/host" + - lang: Console + source: | + POST kbn://api/security/entity_store/entities/host + { + "entity": { + "id": "host:web-server-prod-01", + "name": "web-server-prod-01", + "type": "host", + "source": ["manual"], + "attributes": { "asset": true } + }, + "host": { + "name": "web-server-prod-01", + "ip": ["10.0.1.42"] + } + } + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/security/entity_store/entities/{entityType}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an existing entity record in the Entity Store. By default only certain fields can be updated. Set the `force` query parameter to `true` to update protected fields.

[Required authorization] Route required privileges: securitySolution. + operationId: put-security-entity-store-entities-entitytype parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -31390,168 +52399,2386 @@ paths: schema: example: 'true' type: string - - description: The ID of the package policy - in: path - name: packagePolicyId - required: true - schema: - type: string - - description: When true, delete the package policy even if it is managed - in: query - name: force - required: false - schema: - type: boolean - responses: - '200': - content: - application/json: - examples: - deletePackagePolicyExample: - description: The package policy was successfully deleted - value: - id: package-policy-id-1 - schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_delete_one_package_policy_response - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Delete a package policy - tags: - - Fleet package policies - get: - description: Get a package policy by ID. - operationId: get-fleet-package-policies-packagepolicyid - parameters: - - description: The ID of the package policy + - description: The entity type to update. in: path - name: packagePolicyId + name: entityType required: true - schema: - type: string - - description: 'Format for the response: simplified or legacy' - in: query - name: format - required: false schema: enum: - - simplified - - legacy + - user + - host + - service + - generic type: string + - description: When true, allows updating protected fields. 
+ in: query + name: force + required: false + schema: + anyOf: + - enum: + - 'true' + - 'false' + type: string + - type: boolean + default: false + requestBody: + content: + application/json: + examples: + updateEntityAttributesExample: + description: Update the attributes of an existing user entity. Fields like entity.name and entity.type are protected and require the force query parameter. + summary: Update entity attributes + value: + entity: + attributes: + managed: true + mfa_enabled: true + id: user:jane.doe@example.com + lifecycle: + last_activity: '2026-04-10T14:30:00.000Z' + name: jane.doe + type: user + user: + email: + - jane.doe@example.com + name: jane.doe + roles: + - admin + - analyst + schema: + anyOf: + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + 
behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: 
array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + 
items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + 
type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + labels: + additionalProperties: {} + type: object + properties: {} + tags: + items: + type: string + type: array + user: + additionalProperties: false + type: object + properties: + domain: + items: + type: string + type: array + email: + items: + type: string + type: array + full_name: + items: + type: string + type: array + hash: + items: + type: string + type: array + id: + items: + type: string + type: array + name: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + roles: + items: + type: string + type: array + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: 
^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: 
^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: 
object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: 
+ items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + 
properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + host: + additionalProperties: false + type: object + properties: + architecture: + items: + type: string + type: array + domain: + items: + type: string + type: array + hostname: + items: + type: string + type: array + id: + items: + type: string + type: array + ip: + items: + type: string + type: array + mac: + items: + type: string + type: array + name: + type: string + os: + additionalProperties: false + type: object + properties: + family: + type: string + full: + type: string + kernel: + type: string + name: + anyOf: + - type: string + - items: + type: string + type: array + platform: + type: string + type: + anyOf: + - type: string + - items: + type: string + type: array + version: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + type: + items: + type: string + type: array + labels: + additionalProperties: {} + type: object + properties: {} + tags: + items: + type: string + type: array + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - 
low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: 
^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: 
array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: 
string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + 
type: string + labels: + additionalProperties: {} + type: object + properties: {} + service: + additionalProperties: false + type: object + properties: + address: + type: string + environment: + type: string + ephemeral_id: + type: string + id: + type: string + name: + type: string + node: + additionalProperties: false + type: object + properties: + name: + type: string + role: + type: string + roles: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + state: + type: string + type: + type: string + version: + type: string + tags: + items: + type: string + type: array + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + cloud: + additionalProperties: false + type: object + properties: + account: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + availability_zone: + type: string + instance: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + machine: + additionalProperties: 
false + type: object + properties: + type: + type: string + project: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + provider: + type: string + region: + type: string + service: + additionalProperties: false + type: object + properties: + name: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: 
^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: 
array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: 
string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + 
type: string + labels: + additionalProperties: {} + type: object + properties: {} + orchestrator: + additionalProperties: false + type: object + properties: + api_version: + type: string + cluster: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + url: + type: string + version: + type: string + namespace: + type: string + organization: + type: string + resource: + additionalProperties: false + type: object + properties: + annotation: + type: string + id: + type: string + ip: + type: string + label: + type: string + name: + type: string + parent: + additionalProperties: false + type: object + properties: + type: + type: string + type: + type: string + type: + type: string + tags: + items: + type: string + type: array responses: '200': content: application/json: examples: - getPackagePolicyExample: - description: A package policy + updateSuccessExample: + description: The entity record was successfully updated. + summary: Entity updated value: - item: - created_at: '2024-01-15T10:00:00.000Z' - enabled: true - id: package-policy-id-1 - inputs: [] - name: nginx-1 - namespace: default - package: - name: nginx - title: Nginx - version: 1.20.0 - policy_ids: - - agent-policy-id-1 - updated_at: '2024-01-15T10:00:00.000Z' - schema: - additionalProperties: false - type: object - properties: - item: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_package_policy_response - required: - - item - description: Successful response + ok: true + description: Indicates the entity was successfully updated. '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + protectedFieldsExample: + description: The request attempts to update protected fields without the force query parameter. 
+ summary: Protected fields without force value: error: Bad Request - message: An error message describing what went wrong + message: 'Bad request: The following attributes are not allowed to be updated without forcing it (?force=true): entity.name, entity.type' statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request + description: Bad request. '404': content: application/json: examples: notFoundExample: - description: No package policy was found with the given ID + description: No entity with the specified identifier exists. + summary: Entity not found value: error: Not Found - message: Package policy package-policy-id-1 not found + message: Entity ID 'user:jane.doe@example.com' not found statusCode: 404 - schema: - additionalProperties: false - type: object - properties: - message: - type: string - required: - - message - description: Not Found - summary: Get a package policy + description: Entity not found. 
+ summary: Update an entity tags: - - Fleet package policies + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X PUT -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ + -H "Content-Type: application/json" \ + -d '{"entity":{"id":"user:jane.doe@example.com","name":"jane.doe","type":"user","attributes":{"managed":true,"mfa_enabled":true}},"user":{"name":"jane.doe"}}' \ + "${KIBANA_URL}/api/security/entity_store/entities/user?force=true" + - lang: Console + source: | + PUT kbn://api/security/entity_store/entities/user?force=true + { + "entity": { + "id": "user:jane.doe@example.com", + "name": "jane.doe", + "type": "user", + "attributes": { "managed": true, "mfa_enabled": true } + }, + "user": { "name": "jane.doe" } + } + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security/entity_store/entities/bulk: put: - description: Update a package policy by ID. - operationId: put-fleet-package-policies-packagepolicyid + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/security/entity_store/entities/bulk
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update multiple entity records in the Entity Store in a single request.

[Required authorization] Route required privileges: securitySolution. + operationId: put-security-entity-store-entities-bulk parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -31560,617 +54787,2408 @@ paths: schema: example: 'true' type: string - - description: The ID of the package policy - in: path - name: packagePolicyId - required: true - schema: - type: string - - description: 'Format for the response: simplified or legacy' + - description: When true, allows updating protected fields. in: query - name: format + name: force required: false schema: - enum: - - simplified - - legacy - type: string - requestBody: - content: - application/json: - examples: - putPackagePolicyRequestExample: - description: Update a package policy - value: - enabled: true - inputs: {} - name: nginx-1-updated - namespace: default - package: - name: nginx - version: 1.20.0 - policy_ids: - - agent-policy-id-1 - schema: - anyOf: - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_update_package_policy_request - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_simplified_create_package_policy_request - responses: - '200': - content: - application/json: - examples: - putPackagePolicyExample: - description: The updated package policy - value: - item: - created_at: '2024-01-15T10:00:00.000Z' - enabled: true - id: package-policy-id-1 - inputs: [] - name: nginx-1-updated - namespace: default - package: - name: nginx - title: Nginx - version: 1.20.0 - policy_ids: - - agent-policy-id-1 - updated_at: '2024-01-15T11:00:00.000Z' - schema: - additionalProperties: false - type: object - properties: - item: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_package_policy_response - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: 
string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '403': - content: - application/json: - examples: - forbiddenExample: - description: The update is not authorized for this package - value: - error: Forbidden - message: An error message describing what went wrong - statusCode: 403 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Forbidden - summary: Update a package policy - tags: - - Fleet package policies - /api/fleet/package_policies/delete: - post: - description: >- - Delete multiple package policies by ID.

[Required - authorization] Route required privileges: fleet-agent-policies-all AND - integrations-all. - operationId: post-fleet-package-policies-delete - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postDeletePackagePoliciesRequestExample: - description: Delete multiple package policies by ID - value: - packagePolicyIds: - - package-policy-id-1 - - package-policy-id-2 - schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_delete_package_policies_request - responses: - '200': - content: - application/json: - examples: - postDeletePackagePoliciesExample: - description: Results of the bulk delete operation - value: - - id: package-policy-id-1 - success: true - - id: package-policy-id-2 - success: true - schema: - items: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_package_policy_status_response - maxItems: 10000 - type: array - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Bulk delete package policies - tags: - - Fleet package policies - /api/fleet/package_policies/upgrade: - post: - description: >- - Upgrade a package policy to a newer package version.

[Required - authorization] Route required privileges: fleet-agent-policies-all AND - integrations-all. - operationId: post-fleet-package-policies-upgrade - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postUpgradePackagePoliciesRequestExample: - description: Upgrade package policies to the latest version - value: - packagePolicyIds: - - package-policy-id-1 - schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_upgrade_package_policies_request - responses: - '200': - content: - application/json: - examples: - postUpgradePackagePoliciesExample: - description: Results of the upgrade operation - value: - - id: package-policy-id-1 - name: nginx-1 - success: true - schema: - items: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_package_policy_status_response - maxItems: 10000 - type: array - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Upgrade a package policy - tags: - - Fleet package policies - /api/fleet/package_policies/upgrade/dryrun: - post: - description: >- - Preview the changes that would be applied by upgrading a package policy - to a newer package version.

[Required authorization] Route - required privileges: fleet-agent-policies-read AND integrations-read. - operationId: post-fleet-package-policies-upgrade-dryrun - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string + anyOf: + - enum: + - 'true' + - 'false' + type: string + - type: boolean + default: false requestBody: content: application/json: examples: - postDryRunPackagePoliciesRequestExample: - description: Dry run an upgrade of a package policy + bulkUpdateExample: + description: Update a host entity and a user entity in a single request. + summary: Bulk update multiple entities value: - packagePolicyIds: - - package-policy-id-1 + entities: + - doc: + entity: + attributes: + asset: true + id: host:web-server-prod-01 + name: web-server-prod-01 + type: host + host: + name: web-server-prod-01 + type: host + - doc: + entity: + attributes: + managed: true + id: user:jane.doe@example.com + name: jane.doe + type: user + user: + name: jane.doe + type: user schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_dry_run_package_policies_request - responses: - '200': - content: - application/json: - examples: - postDryRunPackagePoliciesExample: - description: Preview of the package policy upgrade diff - value: - - diff: - - id: package-policy-id-1 - name: nginx-1 - package: - name: nginx - version: 1.20.0 - - name: nginx-1 - package: - name: nginx - version: 1.21.0 - hasErrors: false - name: nginx-1 - schema: - items: - additionalProperties: false - type: object - properties: - agent_diff: - items: - items: - additionalProperties: true - type: object - properties: - data_stream: - additionalProperties: true - type: object - properties: - namespace: + additionalProperties: false + type: object + properties: + entities: + description: The entities to update. 
+ items: + type: object + properties: + doc: + anyOf: + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + 
type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: 
array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: 
array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: 
string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + labels: + additionalProperties: {} + type: object + properties: {} + tags: + items: type: string - required: - - namespace - id: - type: string - meta: - additionalProperties: true - type: object - properties: - package: - additionalProperties: true - type: object - properties: - name: + type: array + user: + additionalProperties: false + type: object + properties: + domain: + items: type: string - version: + type: array + email: + items: + type: string + type: array + full_name: + items: + type: string + type: array + hash: + items: + type: string + type: array + id: + items: + type: string + type: array + name: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + roles: + items: + type: string + type: array + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string 
+ id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + 
additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + 
host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: 
false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + host: + additionalProperties: false + type: object + properties: + architecture: + items: + type: string + type: array + domain: + items: + type: string + type: array + hostname: + items: + type: string + type: array + id: + items: + type: string + type: array + ip: + items: + type: string + type: 
array + mac: + items: + type: string + type: array + name: + type: string + os: + additionalProperties: false + type: object + properties: + family: + type: string + full: + type: string + kernel: + type: string + name: + anyOf: + - type: string + - items: + type: string + type: array + platform: + type: string + type: + anyOf: + - type: string + - items: + type: string + type: array + version: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + type: + items: + type: string + type: array + labels: + additionalProperties: {} + type: object + properties: {} + tags: + items: + type: string + type: array + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: 
string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + 
type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: 
+ items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object 
+ properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: type: string - required: - - name - - version - required: - - package - name: - type: string - package_policy_id: - type: string - processors: - items: - additionalProperties: true + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false type: object properties: - add_fields: - additionalProperties: true + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + labels: + additionalProperties: {} + type: object + properties: {} + service: + additionalProperties: false + type: object + properties: + address: + type: string + environment: + type: string + ephemeral_id: + type: string + id: + type: string + name: + type: string + node: + additionalProperties: false type: object properties: - fields: - additionalProperties: - anyOf: - - type: string - - type: number - type: object - target: + name: type: string - required: - - target - - fields - required: - - add_fields - maxItems: 10000 - type: array - revision: - type: number - streams: - items: - 
additionalProperties: true + role: + type: string + roles: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + state: + type: string + type: + type: string + version: + type: string + tags: + items: + type: string + type: array + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false type: object properties: - data_stream: - additionalProperties: true + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + cloud: + additionalProperties: false + type: object + properties: + account: + additionalProperties: false type: object properties: - dataset: + id: + type: string + name: + type: string + availability_zone: + type: string + instance: + additionalProperties: false + type: object + properties: + id: type: string + name: + type: string + machine: + additionalProperties: false + type: object + properties: type: type: string - required: - - dataset + project: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + provider: + type: string + region: + type: string + service: + additionalProperties: false + type: object + 
properties: + name: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string id: type: string - required: - - data_stream - maxItems: 10000 - type: array - type: - type: string - use_output: - type: string - required: - - id - - name - - revision - - type - - data_stream - - use_output - - package_policy_id - maxItems: 10000 - type: array - maxItems: 1 - type: array - body: - additionalProperties: false - type: object - properties: - message: - type: string - required: - - message - diff: - items: - anyOf: - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_package_policy_response - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_dry_run_package_policy - maxItems: 2 - type: array - hasErrors: - type: boolean - name: - type: string - statusCode: - type: number - required: - - hasErrors - maxItems: 10000 - type: array - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - 
type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Dry run a package policy upgrade - tags: - - Fleet package policies - /api/fleet/proxies: - get: - description: >- - List all Fleet proxies.

[Required authorization] Route required - privileges: fleet-settings-read. - operationId: get-fleet-proxies - parameters: [] - responses: - '200': - content: - application/json: - examples: - getFleetProxiesExample: - description: List of Fleet proxies - value: - items: - - id: proxy-id-1 - is_preconfigured: false - name: My proxy - url: http://proxy.example.com:3128 - page: 1 - perPage: 20 - total: 1 - schema: - additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: false - type: object - properties: - certificate: - nullable: true - type: string - certificate_authorities: - nullable: true - type: string - certificate_key: - nullable: true - type: string - id: - type: string - is_preconfigured: - default: false - type: boolean - name: - type: string - proxy_headers: - additionalProperties: - anyOf: - - type: string - - type: boolean - - type: number - nullable: true - type: object - url: - type: string - required: - - id - - url - - name - maxItems: 10000 - type: array - page: - type: number - perPage: - type: number - total: - type: number - required: - - items - - total - - page - - perPage - description: Successful response + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: 
^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: 
array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: 
string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + 
type: string + labels: + additionalProperties: {} + type: object + properties: {} + orchestrator: + additionalProperties: false + type: object + properties: + api_version: + type: string + cluster: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + url: + type: string + version: + type: string + namespace: + type: string + organization: + type: string + resource: + additionalProperties: false + type: object + properties: + annotation: + type: string + id: + type: string + ip: + type: string + label: + type: string + name: + type: string + parent: + additionalProperties: false + type: object + properties: + type: + type: string + type: + type: string + type: + type: string + tags: + items: + type: string + type: array + type: + description: The entity type of this record. + enum: + - user + - host + - service + - generic + type: string + required: + - type + type: array + required: + - entities + responses: + '200': + content: + application/json: + examples: + bulkUpdatePartialExample: + description: Some entities were updated but others encountered Elasticsearch-level errors. + summary: Partial success with errors + value: + errors: + - _id: 5de9f93a68a72532e736bf5a6184b06300b9cabf + reason: '[5de9f93a68a72532e736bf5a6184b06300b9cabf]: document missing' + status: 404 + type: document_missing_exception + ok: true + bulkUpdateSuccessExample: + description: All entities were successfully updated with no errors. + summary: All entities updated + value: + errors: [] + ok: true + description: Indicates a successful response. '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + protectedFieldsExample: + description: The request attempts to update protected fields without the force query parameter. 
+ summary: Protected fields without force value: error: Bad Request - message: An error message describing what went wrong + message: 'Bad request: The following attributes are not allowed to be updated without forcing it (?force=true): entity.name, entity.type' statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get proxies + description: Bad request. + summary: Bulk update entities tags: - - Fleet proxies + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X PUT -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ + -H "Content-Type: application/json" \ + -d '{"entities":[{"type":"host","doc":{"entity":{"id":"host:web-server-prod-01","name":"web-server-prod-01","type":"host","attributes":{"asset":true}},"host":{"name":"web-server-prod-01"}}}]}' \ + "${KIBANA_URL}/api/security/entity_store/entities/bulk?force=true" + - lang: Console + source: | + PUT kbn://api/security/entity_store/entities/bulk?force=true + { + "entities": [ + { + "type": "host", + "doc": { + "entity": { + "id": "host:web-server-prod-01", + "name": "web-server-prod-01", + "type": "host", + "attributes": { "asset": true } + }, + "host": { "name": "web-server-prod-01" } + } + } + ] + } + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security/entity_store/install: post: - description: >- - Create a new Fleet proxy.

[Required authorization] Route - required privileges: fleet-settings-all. - operationId: post-fleet-proxies + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/security/entity_store/install
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Install the Entity Store and create engines for the specified entity types. A single `logExtraction` configuration is shared across all entity types. Supply it once at install to customize settings; omit it (or send an empty object) to use defaults on first install or preserve the existing configuration on re-install. To change settings after install, use the update endpoint.

[Required authorization] Route required privileges: securitySolution. + operationId: post-security-entity-store-install parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -32183,220 +57201,177 @@ paths: content: application/json: examples: - postFleetProxyRequestExample: - description: Create a new Fleet proxy + installDefaultExample: + description: Install the Entity Store for all entity types with default log extraction settings. + summary: Install with default entity types value: - name: My proxy - url: http://proxy.example.com:3128 + entityTypes: + - user + - host + - service + - generic + logExtraction: {} + installWithCustomSettingsExample: + description: Install the Entity Store for host entities only with a custom lookback period and field history length. + summary: Install with custom log extraction + value: + entityTypes: + - host + logExtraction: + delay: 2m + fieldHistoryLength: 20 + frequency: 5m + lookbackPeriod: 12h schema: additionalProperties: false type: object properties: - certificate: - nullable: true - type: string - certificate_authorities: - nullable: true - type: string - certificate_key: - nullable: true - type: string - id: - type: string - is_preconfigured: - default: false - type: boolean - name: - type: string - proxy_headers: - additionalProperties: - anyOf: - - type: string - - type: boolean - - type: number - nullable: true + entityTypes: + default: + - user + - host + - service + - generic + items: + enum: + - user + - host + - service + - generic + type: string + type: array + historySnapshot: + additionalProperties: false type: object - url: - type: string - required: - - url - - name - responses: - '200': - content: - application/json: - examples: - postFleetProxyExample: - description: The created Fleet proxy - value: - item: - id: proxy-id-2 - is_preconfigured: false - name: My proxy - url: http://proxy.example.com:3128 - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - certificate: - nullable: true - type: string - certificate_authorities: - nullable: true - type: string - certificate_key: - nullable: 
true - type: string - id: - type: string - is_preconfigured: - default: false - type: boolean - name: + properties: + frequency: + default: 24h + pattern: '[smdh]$' + type: string + logExtraction: + additionalProperties: false + type: object + properties: + additionalIndexPatterns: + default: [] + items: type: string - proxy_headers: - additionalProperties: - anyOf: - - type: string - - type: boolean - - type: number - nullable: true - type: object - url: + type: array + delay: + default: 1m + pattern: '[smdh]$' + type: string + docsLimit: + default: 10000 + maximum: 9007199254740991 + minimum: 1 + type: integer + excludedIndexPatterns: + default: [] + items: type: string - required: - - id - - url - - name - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Create a proxy - tags: - - Fleet proxies - /api/fleet/proxies/{itemId}: - delete: - description: >- - Delete a proxy by ID

[Required authorization] Route required - privileges: fleet-settings-all. - operationId: delete-fleet-proxies-itemid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The ID of the proxy - in: path - name: itemId - required: true - schema: - type: string + type: array + fieldHistoryLength: + default: 10 + maximum: 9007199254740991 + minimum: -9007199254740991 + type: integer + frequency: + default: 1m + pattern: '[smdh]$' + type: string + lookbackPeriod: + default: 3h + pattern: '[smdh]$' + type: string + maxLogsPerPage: + default: 40000 + maximum: 9007199254740991 + minimum: 1 + type: integer + maxLogsPerWindow: + default: 500000 + maximum: 9007199254740991 + minimum: 0 + type: integer + maxLogsPerWindowCapBehavior: + default: drop + enum: + - defer + - drop + type: string + maxTimeWindowSize: + default: 15m + pattern: '[smdh]$' + type: string responses: '200': content: application/json: examples: - deleteFleetProxyExample: - description: The Fleet proxy was successfully deleted + alreadyInstalledExample: + description: All requested entity types were already installed. + summary: Already installed value: - id: proxy-id-1 - schema: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - description: Successful response - '400': + ok: true + description: Indicates all requested entity types are already installed. + '201': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + installSuccessExample: + description: The Entity Store was installed and engines are being created. 
+ summary: Entity Store installed value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': + ok: true + description: Indicates the Entity Store was successfully installed. + '403': content: application/json: examples: - notFoundExample: - description: No proxy was found with the given ID + forbiddenExample: + description: The user does not have the required Elasticsearch privileges. + summary: Insufficient privileges value: - error: Not Found - message: Fleet proxy proxy-id-1 not found - statusCode: 404 - description: Not Found - summary: Delete a proxy + error: Forbidden + message: User 'analyst' has insufficient privileges + statusCode: 403 + description: Insufficient privileges. + summary: Install the Entity Store tags: - - Fleet proxies + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X POST -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ + -H "Content-Type: application/json" \ + -d '{"entityTypes":["user","host","service","generic"],"logExtraction":{}}' \ + "${KIBANA_URL}/api/security/entity_store/install" + - lang: Console + source: | + POST kbn://api/security/entity_store/install + { + "entityTypes": ["user", "host", "service", "generic"], + "logExtraction": {} + } + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security/entity_store/resolution/group: get: - description: >- - Get a proxy by ID.

[Required authorization] Route required - privileges: fleet-settings-read. - operationId: get-fleet-proxies-itemid + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/security/entity_store/resolution/group
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the resolution group for a given entity, returning all linked entities. Requires an enterprise license.

[Required authorization] Route required privileges: securitySolution AND securitySolution-entity-analytics. + operationId: get-security-entity-store-resolution-group parameters: - - description: The ID of the proxy - in: path - name: itemId + - description: The entity identifier to look up the resolution group for. + in: query + name: entity_id required: true schema: type: string 
@@ -32405,103 +57380,82 @@ paths: content: application/json: examples: - getFleetProxyExample: - description: A Fleet proxy - value: - item: - id: proxy-id-1 - is_preconfigured: false - name: My proxy - url: http://proxy.example.com:3128 - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - certificate: - nullable: true - type: string - certificate_authorities: - nullable: true - type: string - certificate_key: - nullable: true - type: string - id: - type: string - is_preconfigured: - default: false - type: boolean - name: - type: string - proxy_headers: - additionalProperties: - anyOf: - - type: string - - type: boolean - - type: number - nullable: true - type: object - url: - type: string - required: - - id - - url - - name - required: - - item - description: Successful response + resolutionGroupExample: + description: Returns the resolution group for an entity, including the target entity, all aliases, and the group size. + summary: Resolution group with linked entities + value: + aliases: + - '@timestamp': '2026-04-10T08:25:00.000Z' + entity: + id: user:jdoe@example.com + name: jdoe + relationships: + resolution: + resolved_to: user:jane.doe@example.com + type: user + user: + name: jdoe + group_size: 2 + target: + '@timestamp': '2026-04-10T08:30:00.000Z' + entity: + id: user:jane.doe@example.com + name: jane.doe + type: user + user: + email: + - jane.doe@example.com + name: jane.doe + description: Indicates a successful response. '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + truncatedSearchExample: + description: The resolution search returned too many results and was truncated. 
+ summary: Search results truncated value: error: Bad Request - message: An error message describing what went wrong + message: Resolution search truncated statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request + description: Bad request. '404': content: application/json: examples: notFoundExample: - description: No proxy was found with the given ID + description: The specified entity does not exist or has no resolution group. + summary: Entity not found value: error: Not Found - message: Fleet proxy proxy-id-1 not found + message: 'Entities not found: [user:nonexistent@example.com]' statusCode: 404 - description: Not Found - summary: Get a proxy + description: Entity not found. + summary: Get resolution group tags: - - Fleet proxies - put: - description: >- - Update a proxy by ID.

[Required authorization] Route required - privileges: fleet-settings-all. - operationId: put-fleet-proxies-itemid + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X GET -H "Authorization: ApiKey ${API_KEY}" \ + "${KIBANA_URL}/api/security/entity_store/resolution/group?entity_id=user%3Ajane.doe%40example.com" + - lang: Console + source: | + GET kbn://api/security/entity_store/resolution/group?entity_id=user:jane.doe@example.com + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security/entity_store/resolution/link: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/security/entity_store/resolution/link
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Link one or more entities to a target entity, creating a resolution group. Changes become visible on subsequent reads after the next index refresh (typically <1s). Requires an enterprise license.

[Required authorization] Route required privileges: securitySolution AND securitySolution-entity-analytics. + operationId: post-security-entity-store-resolution-link parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -32510,154 +57464,112 @@ paths: schema: example: 'true' type: string - - description: The ID of the proxy - in: path - name: itemId - required: true - schema: - type: string requestBody: content: application/json: examples: - putFleetProxyRequestExample: - description: Update a Fleet proxy + linkEntitiesExample: + description: Link two user entities to a target entity, creating a resolution group. + summary: Link entities to a target value: - name: Updated proxy - url: http://updated-proxy.example.com:3128 + entity_ids: + - user:jdoe@example.com + - user:j.doe@example.com + target_id: user:jane.doe@example.com schema: additionalProperties: false type: object properties: - certificate: - nullable: true - type: string - certificate_authorities: - nullable: true - type: string - certificate_key: - nullable: true - type: string - name: - type: string - proxy_headers: - additionalProperties: - anyOf: - - type: string - - type: boolean - - type: number - nullable: true - type: object - url: + entity_ids: + description: Entity identifiers to link to the target entity. Minimum 1, maximum 1000. + items: + type: string + maxItems: 1000 + minItems: 1 + type: array + target_id: + description: The entity identifier to resolve the linked entities to. type: string required: - - certificate_authorities - - certificate - - certificate_key + - target_id + - entity_ids responses: '200': content: application/json: examples: - putFleetProxyExample: - description: The updated Fleet proxy + linkSuccessExample: + description: The entities were successfully linked to the target entity. 
+ summary: Entities linked value: - item: - id: proxy-id-1 - is_preconfigured: false - name: Updated proxy - url: http://updated-proxy.example.com:3128 - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - certificate: - nullable: true - type: string - certificate_authorities: - nullable: true - type: string - certificate_key: - nullable: true - type: string - id: - type: string - is_preconfigured: - default: false - type: boolean - name: - type: string - proxy_headers: - additionalProperties: - anyOf: - - type: string - - type: boolean - - type: number - nullable: true - type: object - url: - type: string - required: - - id - - url - - name - required: - - item - description: Successful response + linked: + - user:jdoe@example.com + - user:j.doe@example.com + skipped: [] + target_id: user:jane.doe@example.com + description: Indicates a successful response. '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + mixedTypesExample: + description: All entities in a resolution group must be of the same type. + summary: Mixed entity types value: error: Bad Request - message: An error message describing what went wrong + message: Cannot link entities of different types statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request + selfLinkExample: + description: Cannot link an entity to itself. + summary: Self-link error + value: + error: Bad Request + message: Cannot link entity 'user:jane.doe@example.com' to itself. + statusCode: 400 + description: Bad request. 
'404': content: application/json: examples: notFoundExample: - description: No proxy was found with the given ID + description: One or more of the specified entity identifiers were not found. + summary: Entities not found value: error: Not Found - message: Proxy proxy-id-1 not found + message: 'Entities not found: [user:nonexistent@example.com, user:also-nonexistent@example.com]' statusCode: 404 - description: Not Found - summary: Update a proxy + description: Entities not found. + summary: Link entities tags: - - Fleet proxies - /api/fleet/service_tokens: + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X POST -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ + -H "Content-Type: application/json" \ + -d '{"target_id":"user:jane.doe@example.com","entity_ids":["user:jdoe@example.com"]}' \ + "${KIBANA_URL}/api/security/entity_store/resolution/link" + - lang: Console + source: | + POST kbn://api/security/entity_store/resolution/link + { + "target_id": "user:jane.doe@example.com", + "entity_ids": ["user:jdoe@example.com"] + } + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security/entity_store/resolution/unlink: post: - description: >- - Create a Fleet Server service token. The token is used to enroll Fleet - Server instances with Kibana.

[Required authorization] Route - required privileges: fleet-agents-all. - operationId: post-fleet-service-tokens + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/security/entity_store/resolution/unlink
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Remove one or more entities from their resolution group. Changes become visible on subsequent reads after the next index refresh (typically <1s). Requires an enterprise license.

[Required authorization] Route required privileges: securitySolution AND securitySolution-entity-analytics. + operationId: post-security-entity-store-resolution-unlink parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -32670,231 +57582,261 @@ paths: content: application/json: examples: - postGenerateServiceTokenRequestExample: - description: Generate a service token for a remote Fleet Server + unlinkEntitiesExample: + description: Remove entities from their resolution group, restoring them as standalone entities. + summary: Unlink entities from their resolution group value: - remote: true + entity_ids: + - user:jdoe@example.com + - user:j.doe@example.com schema: additionalProperties: false - nullable: true type: object properties: - remote: - default: false - type: boolean + entity_ids: + description: Entity identifiers to unlink from their resolution group. Minimum 1, maximum 1000. + items: + type: string + maxItems: 1000 + minItems: 1 + type: array + required: + - entity_ids responses: '200': content: application/json: examples: - postGenerateServiceTokenExample: - description: The generated Fleet Server service token - value: - name: elastic/fleet-server/token-1234567890 - value: >- - AAEAAWVsYXN0aWMvZmxlZXQtc2VydmVyL3Rva2VuLTEyMzQ1Njc4OTA6QUJDREVGR0hJSktMTU5P - schema: - additionalProperties: false - type: object - properties: - name: - type: string + unlinkSuccessExample: + description: The entities were successfully removed from their resolution group. + summary: Entities unlinked value: - type: string - required: - - name - - value - description: Successful response - '400': + skipped: [] + unlinked: + - user:jdoe@example.com + - user:j.doe@example.com + description: Indicates a successful response. + '404': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + notFoundExample: + description: One or more of the specified entity identifiers were not found. 
+ summary: Entities not found value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Create a service token + error: Not Found + message: 'Entities not found: [user:nonexistent@example.com]' + statusCode: 404 + description: Entities not found. + summary: Unlink entities tags: - - Fleet service tokens - /api/fleet/settings: - get: - description: >- - Get the global Fleet settings.

[Required authorization] Route - required privileges: fleet-settings-read. - operationId: get-fleet-settings - parameters: [] + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X POST -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ + -H "Content-Type: application/json" \ + -d '{"entity_ids":["user:jdoe@example.com"]}' \ + "${KIBANA_URL}/api/security/entity_store/resolution/unlink" + - lang: Console + source: | + POST kbn://api/security/entity_store/resolution/unlink + { + "entity_ids": ["user:jdoe@example.com"] + } + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security/entity_store/start: + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/security/entity_store/start
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Start previously stopped entity engines, resuming data processing for the specified entity types.

[Required authorization] Route required privileges: securitySolution. + operationId: put-security-entity-store-start + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + startAllExample: + description: Start all stopped entity engines. + summary: Start all entity engines + value: + entityTypes: + - user + - host + - service + - generic + startSingleExample: + description: Start only the host entity engine. + summary: Start a single entity engine + value: + entityTypes: + - host + schema: + additionalProperties: false + type: object + properties: + entityTypes: + default: + - user + - host + - service + - generic + description: Entity types to start. Defaults to all installed types. + items: + enum: + - user + - host + - service + - generic + type: string + type: array responses: '200': content: application/json: examples: - getSettingsExample: - description: The current Fleet settings + startSuccessExample: + description: The specified entity engines were successfully started. 
+ summary: Engines started value: - item: - delete_unenrolled_agents: - enabled: false - is_preconfigured: false - has_seen_add_data_notice: true - id: fleet-default-settings - output_secret_storage_requirements_met: true - prerelease_integrations_enabled: false - secret_storage_requirements_met: true - version: WzEsMV0= - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - action_secret_storage_requirements_met: - type: boolean - delete_unenrolled_agents: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - is_preconfigured: - type: boolean - required: - - enabled - - is_preconfigured - download_source_auth_secret_storage_requirements_met: - type: boolean - has_seen_add_data_notice: - type: boolean - id: - type: string - ilm_migration_status: - additionalProperties: false - type: object - properties: - logs: - enum: - - success - nullable: true - type: string - metrics: - enum: - - success - nullable: true - type: string - synthetics: - enum: - - success - nullable: true - type: string - integration_knowledge_enabled: - type: boolean - output_secret_storage_requirements_met: - type: boolean - preconfigured_fields: - items: - enum: - - fleet_server_hosts - type: string - maxItems: 1 - type: array - prerelease_integrations_enabled: - type: boolean - secret_storage_requirements_met: - type: boolean - ssl_secret_storage_requirements_met: - type: boolean - use_space_awareness_migration_started_at: - nullable: true - type: string - use_space_awareness_migration_status: - enum: - - pending - - success - - error - type: string - version: - type: string - required: - - item - description: Successful response - '400': + ok: true + description: Indicates a successful response. 
+ summary: Start Entity Store engines + tags: + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X PUT -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ + -H "Content-Type: application/json" \ + -d '{"entityTypes":["user","host","service","generic"]}' \ + "${KIBANA_URL}/api/security/entity_store/start" + - lang: Console + source: | + PUT kbn://api/security/entity_store/start + { + "entityTypes": ["user", "host", "service", "generic"] + } + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security/entity_store/status: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/security/entity_store/status
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the overall Entity Store status and per-engine statuses, optionally including component-level health details.

[Required authorization] Route required privileges: securitySolution. + operationId: get-security-entity-store-status + parameters: + - description: If true, returns a detailed status of each engine including all its components. + in: query + name: include_components + required: false + schema: + anyOf: + - enum: + - 'true' + - 'false' + type: string + - type: boolean + default: false + responses: + '200': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + notInstalledExample: + description: The Entity Store has not been installed. + summary: Entity Store not installed value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: Fleet settings have not been initialized + engines: [] + status: not_installed + runningStatusExample: + description: The Entity Store is running with two started engines using default settings. 
+ summary: Entity Store running value: - error: Not Found - message: Settings not found - statusCode: 404 - schema: - additionalProperties: false - type: object - properties: - message: - type: string - required: - - message - description: Not Found - summary: Get settings + engines: + - delay: 1m + docsPerSecond: -1 + enrichPolicyExecutionInterval: null + fieldHistoryLength: 10 + filter: '' + frequency: 30s + indexPattern: '' + lastExecutionTimestamp: '2026-04-10T08:30:00.000Z' + lookbackPeriod: 3h + maxLogsPerPage: 40000 + maxLogsPerWindow: 500000 + maxLogsPerWindowCapBehavior: defer + maxPageSearchSize: 10000 + maxTimeWindowSize: 15m + status: started + timeout: 25s + timestampField: '@timestamp' + type: host + - delay: 1m + docsPerSecond: -1 + enrichPolicyExecutionInterval: null + fieldHistoryLength: 10 + filter: '' + frequency: 30s + indexPattern: '' + lastExecutionTimestamp: '2026-04-10T08:30:00.000Z' + lookbackPeriod: 3h + maxLogsPerPage: 40000 + maxLogsPerWindow: 500000 + maxLogsPerWindowCapBehavior: defer + maxPageSearchSize: 10000 + maxTimeWindowSize: 15m + status: started + timeout: 25s + timestampField: '@timestamp' + type: user + status: running + description: Indicates a successful response. + summary: Get Entity Store status tags: - - Fleet internals + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X GET -H "Authorization: ApiKey ${API_KEY}" \ + "${KIBANA_URL}/api/security/entity_store/status?include_components=false" + - lang: Console + source: | + GET kbn://api/security/entity_store/status?include_components=false + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security/entity_store/stop: put: - description: >- - Update the global Fleet settings.

[Required authorization] - Route required privileges: fleet-settings-all. - operationId: put-fleet-settings + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/security/entity_store/stop
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Stop running entity engines, pausing data processing for the specified entity types.

[Required authorization] Route required privileges: securitySolution. + operationId: put-security-entity-store-stop parameters: - description: A required header to protect against CSRF attacks in: header 
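Review bot: The new entity-store responses in this hunk carry only `examples:` and no `schema:` — the `'200'` response of the unlink operation (`skipped`/`unlinked`), its `'404'`, and the `'200'` of the start operation (`ok: true`) — whereas the Fleet operations they replace had an `additionalProperties: false` object schema alongside the example, which this hunk removes. Without a schema the example is the only contract a client generator or validator can use, and nothing pins `skipped` and `unlinked` to arrays of strings. The same applies to the stop and uninstall `'200'` responses in the next hunk. If this YAML is a bundled output, the schema has to be supplied where the route's response validation is declared rather than edited here.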
@@ -32907,201 +57849,205 @@ paths: content: application/json: examples: - putSettingsRequestExample: - description: Update Fleet settings to enable pre-release integrations + stopAllExample: + description: Stop all running entity engines. + summary: Stop all entity engines value: - prerelease_integrations_enabled: true + entityTypes: + - user + - host + - service + - generic schema: additionalProperties: false type: object properties: - additional_yaml_config: - deprecated: true - type: string - delete_unenrolled_agents: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - is_preconfigured: - type: boolean - required: - - enabled - - is_preconfigured - has_seen_add_data_notice: - deprecated: true - type: boolean - integration_knowledge_enabled: - type: boolean - kibana_ca_sha256: - deprecated: true - type: string - kibana_urls: - deprecated: true + entityTypes: + default: + - user + - host + - service + - generic + description: Entity types to stop. Defaults to all running types. items: - format: uri + enum: + - user + - host + - service + - generic type: string - maxItems: 10 type: array - prerelease_integrations_enabled: - type: boolean responses: '200': content: application/json: examples: - putSettingsExample: - description: The updated Fleet settings + stopSuccessExample: + description: The specified entity engines were successfully stopped. 
+ summary: Engines stopped value: - item: - delete_unenrolled_agents: - enabled: false - is_preconfigured: false - has_seen_add_data_notice: true - id: fleet-default-settings - output_secret_storage_requirements_met: true - prerelease_integrations_enabled: true - secret_storage_requirements_met: true - version: WzIsMV0= - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - action_secret_storage_requirements_met: - type: boolean - delete_unenrolled_agents: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - is_preconfigured: - type: boolean - required: - - enabled - - is_preconfigured - download_source_auth_secret_storage_requirements_met: - type: boolean - has_seen_add_data_notice: - type: boolean - id: - type: string - ilm_migration_status: - additionalProperties: false - type: object - properties: - logs: - enum: - - success - nullable: true - type: string - metrics: - enum: - - success - nullable: true - type: string - synthetics: - enum: - - success - nullable: true - type: string - integration_knowledge_enabled: - type: boolean - output_secret_storage_requirements_met: - type: boolean - preconfigured_fields: - items: - enum: - - fleet_server_hosts - type: string - maxItems: 1 - type: array - prerelease_integrations_enabled: - type: boolean - secret_storage_requirements_met: - type: boolean - ssl_secret_storage_requirements_met: - type: boolean - use_space_awareness_migration_started_at: - nullable: true - type: string - use_space_awareness_migration_status: - enum: - - pending - - success - - error - type: string - version: - type: string - required: - - item - description: Successful response - '400': + ok: true + description: Indicates a successful response. 
+ summary: Stop Entity Store engines + tags: + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X PUT -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ + -H "Content-Type: application/json" \ + -d '{"entityTypes":["user","host","service","generic"]}' \ + "${KIBANA_URL}/api/security/entity_store/stop" + - lang: Console + source: | + PUT kbn://api/security/entity_store/stop + { + "entityTypes": ["user", "host", "service", "generic"] + } + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security/entity_store/uninstall: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/security/entity_store/uninstall
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Uninstall the Entity Store, removing engines and associated resources for the specified entity types.

[Required authorization] Route required privileges: securitySolution. + operationId: post-security-entity-store-uninstall + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + uninstallAllExample: + description: Uninstall all entity engines from the Entity Store. + summary: Uninstall all entity types + value: + entityTypes: + - user + - host + - service + - generic + uninstallSingleExample: + description: Uninstall only the host engine from the Entity Store. + summary: Uninstall a single entity type + value: + entityTypes: + - host + schema: + additionalProperties: false + type: object + properties: + entityTypes: + default: + - user + - host + - service + - generic + description: Entity types to uninstall. Defaults to all installed types. + items: + enum: + - user + - host + - service + - generic + type: string + type: array + responses: + '200': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + uninstallSuccessExample: + description: The specified entity engines were successfully uninstalled. + summary: Entity Store uninstalled value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': + ok: true + description: Indicates a successful response. 
+ summary: Uninstall the Entity Store + tags: + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X POST -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ + -H "Content-Type: application/json" \ + -d '{"entityTypes":["user","host","service","generic"]}' \ + "${KIBANA_URL}/api/security/entity_store/uninstall" + - lang: Console + source: | + POST kbn://api/security/entity_store/uninstall + { + "entityTypes": ["user", "host", "service", "generic"] + } + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security/role: + get: + description: Retrieve all Kibana roles. + operationId: get-security-role + parameters: + - description: If `true` and the response contains any privileges that are associated with deprecated features, they are omitted in favor of details about the appropriate replacement feature privileges. + in: query + name: replaceDeprecatedPrivileges + required: false + schema: + type: boolean + responses: + '200': content: application/json: examples: - notFoundExample: - description: Fleet settings have not been initialized + getAllRolesResponse: value: - error: Not Found - message: Settings not found - statusCode: 404 + - _unrecognized_applications: [] + description: My custom Kibana role. + elasticsearch: + cluster: + - monitor + indices: + - names: + - logs-* + privileges: + - read + run_as: [] + kibana: + - base: + - read + feature: {} + spaces: + - default + metadata: {} + name: my_kibana_role + transient_metadata: + enabled: true schema: - additionalProperties: false - type: object - properties: - message: - type: string - required: - - message - description: Not Found - summary: Update settings + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_response' + type: array + description: Indicates a successful call. 
+ summary: Get all roles tags: - - Fleet internals - /api/fleet/setup: + - roles + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security/role/_query: post: - description: >- - Initialize Fleet and create the necessary Elasticsearch resources for - Fleet to operate. Safe to call multiple times (idempotent). Returns the - initialization status and any non-fatal errors encountered during - setup.

[Required authorization] Route required privileges: - fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR - fleet-setup. - operationId: post-fleet-setup + description: Query Kibana roles with optional filters, paging, and sorting. + operationId: post-security-role-query parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -33110,152 +58056,144 @@ paths: schema: example: 'true' type: string + requestBody: + content: + application/json: + examples: + queryRolesRequest: + value: + from: 0 + query: kibana + size: 25 + sort: + direction: asc + field: name + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_security_query_roles_body' responses: '200': content: application/json: examples: - fleetSetupSuccessExample: - description: Fleet initialized successfully with no non-fatal errors - value: - isInitialized: true - nonFatalErrors: [] - fleetSetupWithNonFatalErrorsExample: - description: >- - Fleet initialized but encountered non-fatal errors during - setup - value: - isInitialized: true - nonFatalErrors: - - message: Package fleet_server not found in registry - name: PackageNotFoundError - schema: - additionalProperties: false - description: >- - A summary of the result of Fleet's `setup` lifecycle. If - `isInitialized` is true, Fleet is ready to accept agent - enrollment. `nonFatalErrors` may include useful insight into - non-blocking issues with Fleet setup. 
- type: object - properties: - isInitialized: - type: boolean - nonFatalErrors: - items: - additionalProperties: false - type: object - properties: - message: - type: string - name: - type: string - required: - - name - - message - maxItems: 10000 - type: array - required: - - isInitialized - - nonFatalErrors - description: Fleet setup completed - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '500': - content: - application/json: - examples: - internalErrorResponseExample: - description: Example of an internal server error response + queryRolesResponse: value: - error: Internal Server Error - message: An error message describing what went wrong - statusCode: 500 + count: 1 + roles: + - _unrecognized_applications: [] + description: My custom Kibana role. + elasticsearch: + cluster: + - monitor + indices: + - names: + - logs-* + privileges: + - read + run_as: [] + kibana: + - base: + - read + feature: {} + spaces: + - default + metadata: {} + name: my_kibana_role + transient_metadata: + enabled: true + total: 1 schema: - additionalProperties: false - description: Internal Server Error - type: object - properties: - message: - type: string - required: - - message - description: Internal Server Error - summary: Initiate Fleet setup + $ref: '#/components/schemas/Kibana_HTTP_APIs_security_query_roles_response' + description: Indicates a successful call. 
+ summary: Query roles + tags: [] + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security/role/{name}: + delete: + description: Delete a Kibana role by its name. + operationId: delete-security-role-name + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The role name. + in: path + name: name + required: true + schema: + minLength: 1 + type: string + responses: + '204': + description: Indicates a successful call. + summary: Delete a role tags: - - Fleet internals - /api/fleet/space_settings: + - roles + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name get: - description: Get the Fleet settings for the current Kibana space. - operationId: get-fleet-space-settings - parameters: [] + description: Retrieve a Kibana role by its name. + operationId: get-security-role-name + parameters: + - description: The role name. + in: path + name: name + required: true + schema: + minLength: 1 + type: string + - description: If `true` and the response contains any privileges that are associated with deprecated features, they are omitted in favor of details about the appropriate replacement feature privileges. + in: query + name: replaceDeprecatedPrivileges + required: false + schema: + type: boolean responses: '200': content: application/json: examples: - getSpaceSettingsExample: - description: The Fleet settings for the current Kibana space + getRoleResponse: value: - item: - allowed_namespace_prefixes: - - team-a - - team-b + _unrecognized_applications: [] + description: My custom Kibana role. 
+ elasticsearch: + cluster: + - monitor + indices: + - names: + - logs-* + privileges: + - read + run_as: [] + kibana: + - base: + - read + feature: {} + spaces: + - default + metadata: {} + name: my_kibana_role + transient_metadata: + enabled: true schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - allowed_namespace_prefixes: - items: - type: string - maxItems: 100 - type: array - managed_by: - type: string - required: - - allowed_namespace_prefixes - required: - - item - description: Successful response - summary: Get space settings - tags: [] - x-state: Generally available + $ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_response' + description: Indicates a successful call. + summary: Get a role + tags: + - roles + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name put: - description: >- - Create or update Fleet settings for the current Kibana - space.

[Required authorization] Route required privileges: - fleet-settings-all. - operationId: put-fleet-space-settings + description: Create a new Kibana role or update the attributes of an existing role. Kibana roles are stored in the Elasticsearch native realm. + operationId: put-security-role-name parameters: - description: A required header to protect against CSRF attacks in: header 
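Review bot: `tags: []` on the `/api/security/role/_query` operation (`operationId: post-security-role-query`) leaves it outside the `roles` group that the delete and get operations for `/api/security/role/{name}` in this same hunk declare with `tags:` / `- roles`, so it will be rendered under no section in the published reference. Change the two lines to `tags:` / `- roles`. If this file is bundled from route definitions, the tag belongs on the route's options rather than in this output.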
@@ -33264,205 +58202,291 @@ paths: schema: example: 'true' type: string + - description: The role name. + in: path + name: name + required: true + schema: + maxLength: 1024 + minLength: 1 + type: string + - description: When true, a role is not overwritten if it already exists. + in: query + name: createOnly + required: false + schema: + default: false + type: boolean requestBody: content: application/json: examples: - putSpaceSettingsRequestExample: - description: Update allowed namespace prefixes for the current Kibana space + createOrUpdateRoleRequest: value: - allowed_namespace_prefixes: - - team-a - - team-b + description: My custom Kibana role. + elasticsearch: + cluster: + - monitor + indices: + - names: + - logs-* + privileges: + - read + kibana: + - base: + - read + feature: {} + spaces: + - default schema: - additionalProperties: false - type: object - properties: - allowed_namespace_prefixes: - items: - type: string - maxItems: 10 - type: array + $ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_put_payload' + responses: + '204': + description: Indicates a successful call. + summary: Create or update a role + tags: + - roles + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security/roles: + post: + description: Create or update multiple Kibana roles in a single request. 
+ operationId: post-security-roles + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + bulkCreateOrUpdateRoles: + value: + roles: + my_kibana_role: + elasticsearch: + cluster: + - monitor + indices: + - names: + - logs-* + privileges: + - read + kibana: + - base: + - read + feature: {} + spaces: + - default + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_security_roles_bulk_create_or_update_payload' responses: '200': content: application/json: examples: - putSpaceSettingsExample: - description: The updated Fleet settings for the current Kibana space + bulkCreateOrUpdateRolesResponse: value: - item: - allowed_namespace_prefixes: - - team-a - - team-b + created: + - my_kibana_role + noop: [] + updated: [] schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - allowed_namespace_prefixes: - items: - type: string - maxItems: 100 - type: array - managed_by: - type: string - required: - - allowed_namespace_prefixes - required: - - item - description: Successful response - summary: Create space settings - tags: [] - x-state: Generally available - /api/fleet/uninstall_tokens: + $ref: '#/components/schemas/Kibana_HTTP_APIs_security_bulk_create_or_update_roles_response' + description: Indicates a successful call. + summary: Create or update roles + tags: + - roles + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/spaces/space: get: - description: >- - List the metadata for the latest uninstall tokens per agent - policy.

[Required authorization] Route required privileges: - fleet-agents-all. - operationId: get-fleet-uninstall-tokens + description: Retrieve all available Kibana spaces. The list includes only the spaces that the user is authorized to access. + operationId: get-spaces-space parameters: - - description: Partial match filtering for policy IDs - in: query - name: policyId - required: false - schema: - maxLength: 50 - type: string - - description: Partial match filtering for uninstall token values + - description: Specifies which authorization checks are applied to the API call. The default value is `any`. in: query - name: search + name: purpose required: false schema: - maxLength: 50 + enum: + - any + - copySavedObjectsIntoSpace + - shareSavedObjectsIntoSpace type: string - - description: The number of items to return - in: query - name: perPage - required: false - schema: - minimum: 5 - type: number - - description: Page number + - description: When enabled, the API returns any spaces the user is authorized to access in any capacity, each including the purposes for which the user is authorized. This is useful for identifying spaces the user can read but is not authorized for a given purpose. Without the security plugin, this parameter has no effect, because no authorization checks are performed. This parameter cannot be used together with the `purpose` parameter. in: query - name: page + name: include_authorized_purposes required: false schema: - minimum: 1 - type: number + type: boolean responses: '200': + description: Indicates a successful call. 
content: application/json: examples: - getUninstallTokensExample: - description: List of uninstall token metadata for agent policies - value: - items: - - created_at: '2024-01-01T00:00:00.000Z' - id: token-id-1 - namespaces: - - default - policy_id: policy-id-1 - policy_name: Default policy - - created_at: '2024-01-02T00:00:00.000Z' - id: token-id-2 - namespaces: - - production - policy_id: policy-id-2 - policy_name: Production policy - page: 1 - perPage: 20 - total: 2 - schema: - additionalProperties: false - type: object - properties: + getSpacesResponseExample1: + $ref: '#/components/examples/get_spaces_response1' + getSpacesResponseExample2: + $ref: '#/components/examples/get_spaces_response2' + summary: Get all spaces + tags: + - spaces + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: Create a new Kibana space. + operationId: post-spaces-space + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + schema: + additionalProperties: false + type: object + properties: + _reserved: + type: boolean + color: + description: The hexadecimal color code used in the space avatar. By default, the color is automatically generated from the space name. + type: string + description: + description: A description for the space. 
+ type: string + disabledFeatures: + default: [] items: - items: - additionalProperties: false - type: object - properties: - created_at: - type: string - id: - type: string - namespaces: - items: - type: string - maxItems: 100 - type: array - policy_id: - type: string - policy_name: - nullable: true - type: string - required: - - id - - policy_id - - created_at - maxItems: 10000 - type: array - page: - type: number - perPage: - type: number - total: - type: number - required: - - items - - total - - page - - perPage - description: Successful response - '400': + description: The list of features that are turned off in the space. + type: string + maxItems: 100 + type: array + id: + description: The space ID that is part of the Kibana URL when inside the space. Space IDs are limited to lowercase alphanumeric, underscore, and hyphen characters (a-z, 0-9, _, and -). You are cannot change the ID with the update operation. + type: string + imageUrl: + description: The data-URL encoded image to display in the space avatar. If specified, initials will not be displayed and the color will be visible as the background color for transparent images. For best results, your image should be 64x64. Images will not be optimized by this API call, so care should be taken when using custom images. + type: string + initials: + description: One or two characters that are shown in the space avatar. By default, the initials are automatically generated from the space name. + maxLength: 2 + type: string + name: + description: 'The display name for the space. ' + minLength: 1 + type: string + projectRouting: + description: Cross-project search default routing configuration for this space. Controls whether searches are scoped to a single project or span multiple projects in serverless environments. 
+ type: string + required: + - id + - name + examples: + createSpaceRequest: + $ref: '#/components/examples/create_space_request' + responses: + '200': content: application/json: - examples: - conflictingQueryParamsExample: - description: Both policyId and search query parameters were provided - value: - error: Bad Request - message: >- - Query parameters `policyId` and `search` cannot be used at - the same time. - statusCode: 400 schema: additionalProperties: false - description: Generic Error type: object properties: - attributes: - nullable: true - error: + _reserved: + type: boolean + color: + description: The hexadecimal color code used in the space avatar. By default, the color is automatically generated from the space name. type: string - errorType: + description: + description: A description for the space. type: string - message: + disabledFeatures: + default: [] + items: + description: The list of features that are turned off in the space. + type: string + maxItems: 100 + type: array + id: + description: The space ID that is part of the Kibana URL when inside the space. Space IDs are limited to lowercase alphanumeric, underscore, and hyphen characters (a-z, 0-9, _, and -). You are cannot change the ID with the update operation. + type: string + imageUrl: + description: The data-URL encoded image to display in the space avatar. If specified, initials will not be displayed and the color will be visible as the background color for transparent images. For best results, your image should be 64x64. Images will not be optimized by this API call, so care should be taken when using custom images. + type: string + initials: + description: One or two characters that are shown in the space avatar. By default, the initials are automatically generated from the space name. + maxLength: 2 + type: string + name: + description: 'The display name for the space. 
' + minLength: 1 + type: string + projectRouting: + description: Cross-project search default routing configuration for this space. Controls whether searches are scoped to a single project or span multiple projects in serverless environments. type: string - statusCode: - type: number required: - - message - - attributes - description: Bad Request - summary: Get metadata for latest uninstall tokens + - id + - name + examples: + createSpaceResponseExample: + $ref: '#/components/examples/get_space_response' + description: Indicates a successful call. + summary: Create a space tags: - - Fleet uninstall tokens - /api/fleet/uninstall_tokens/{uninstallTokenId}: + - spaces + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/spaces/space/{id}: + delete: + description: When you delete a space, all saved objects that belong to the space are automatically deleted, which is permanent and cannot be undone. + operationId: delete-spaces-space-id + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The space identifier. + in: path + name: id + required: true + schema: + type: string + responses: + '204': + description: Indicates a successful call. + '404': + description: Indicates that the request failed. + summary: Delete a space + tags: + - spaces + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name get: - description: >- - Get one decrypted uninstall token by its ID.

[Required - authorization] Route required privileges: fleet-agents-all. - operationId: get-fleet-uninstall-tokens-uninstalltokenid + description: Retrieve a single Kibana space by its identifier. + operationId: get-spaces-space-id parameters: - - description: The ID of the uninstall token + - description: The space identifier. in: path - name: uninstallTokenId + name: id required: true schema: type: string 
@@ -33471,18839 +58495,47275 @@ paths: content: application/json: examples: - getUninstallTokenExample: - description: Decrypted uninstall token for an agent policy + getSpaceResponse: + description: A response that contains the full configuration for a single Kibana space. + summary: Get details about a marketing space value: - item: - created_at: '2024-01-01T00:00:00.000Z' - id: token-id-1 - namespaces: - - default - policy_id: policy-id-1 - policy_name: Default policy - token: CKHJsJcBqNwIRcRBNDaE + color: '#aabbcc' + description: This is the Marketing Space + disabledFeatures: [] + id: marketing + imageUrl: '' + initials: MK + name: Marketing + solution: es schema: additionalProperties: false type: object properties: - item: - additionalProperties: false - type: object - properties: - created_at: - type: string - id: - type: string - namespaces: - items: - type: string - maxItems: 100 - type: array - policy_id: - type: string - policy_name: - nullable: true - type: string - token: - type: string - required: - - id - - policy_id - - created_at - - token + _reserved: + type: boolean + color: + description: The hexadecimal color code used in the space avatar. By default, the color is automatically generated from the space name. + type: string + description: + description: A description for the space. + type: string + disabledFeatures: + default: [] + items: + description: The list of features that are turned off in the space. + type: string + maxItems: 100 + type: array + id: + description: The space ID that is part of the Kibana URL when inside the space. Space IDs are limited to lowercase alphanumeric, underscore, and hyphen characters (a-z, 0-9, _, and -). You are cannot change the ID with the update operation. + type: string + imageUrl: + description: The data-URL encoded image to display in the space avatar. If specified, initials will not be displayed and the color will be visible as the background color for transparent images. 
For best results, your image should be 64x64. Images will not be optimized by this API call, so care should be taken when using custom images. + type: string + initials: + description: One or two characters that are shown in the space avatar. By default, the initials are automatically generated from the space name. + maxLength: 2 + type: string + name: + description: 'The display name for the space. ' + minLength: 1 + type: string + projectRouting: + description: Cross-project search default routing configuration for this space. Controls whether searches are scoped to a single project or span multiple projects in serverless environments. + type: string required: - - item - description: Successful response - '400': + - id + - name + description: Indicates a successful call. + summary: Get a space + tags: + - spaces + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: Update an existing Kibana space. + operationId: put-spaces-space-id + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The space identifier. You are unable to change the ID with the update operation. + in: path + name: id + required: true + schema: + type: string + requestBody: + content: + application/json: + schema: + additionalProperties: false + type: object + properties: + _reserved: + type: boolean + color: + description: The hexadecimal color code used in the space avatar. By default, the color is automatically generated from the space name. + type: string + description: + description: A description for the space. + type: string + disabledFeatures: + default: [] + items: + description: The list of features that are turned off in the space. + type: string + maxItems: 100 + type: array + id: + description: The space ID that is part of the Kibana URL when inside the space. 
Space IDs are limited to lowercase alphanumeric, underscore, and hyphen characters (a-z, 0-9, _, and -). You are cannot change the ID with the update operation. + type: string + imageUrl: + description: The data-URL encoded image to display in the space avatar. If specified, initials will not be displayed and the color will be visible as the background color for transparent images. For best results, your image should be 64x64. Images will not be optimized by this API call, so care should be taken when using custom images. + type: string + initials: + description: One or two characters that are shown in the space avatar. By default, the initials are automatically generated from the space name. + maxLength: 2 + type: string + name: + description: 'The display name for the space. ' + minLength: 1 + type: string + projectRouting: + description: Cross-project search default routing configuration for this space. Controls whether searches are scoped to a single project or span multiple projects in serverless environments. + type: string + required: + - id + - name + examples: + updateSpaceRequest: + $ref: '#/components/examples/update_space_request' + responses: + '200': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + updateSpaceResponse: + description: A response that contains the updated configuration of the Kibana space. + summary: Update the marketing space value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + color: '#aabbcc' + description: An updated description for the Marketing Space + disabledFeatures: [] + id: marketing + imageUrl: '' + initials: MK + name: Marketing + solution: es schema: additionalProperties: false - description: Generic Error type: object properties: - attributes: - nullable: true - error: + _reserved: + type: boolean + color: + description: The hexadecimal color code used in the space avatar. 
By default, the color is automatically generated from the space name. type: string - errorType: + description: + description: A description for the space. type: string - message: + disabledFeatures: + default: [] + items: + description: The list of features that are turned off in the space. + type: string + maxItems: 100 + type: array + id: + description: The space ID that is part of the Kibana URL when inside the space. Space IDs are limited to lowercase alphanumeric, underscore, and hyphen characters (a-z, 0-9, _, and -). You are cannot change the ID with the update operation. + type: string + imageUrl: + description: The data-URL encoded image to display in the space avatar. If specified, initials will not be displayed and the color will be visible as the background color for transparent images. For best results, your image should be 64x64. Images will not be optimized by this API call, so care should be taken when using custom images. + type: string + initials: + description: One or two characters that are shown in the space avatar. By default, the initials are automatically generated from the space name. + maxLength: 2 + type: string + name: + description: 'The display name for the space. ' + minLength: 1 + type: string + projectRouting: + description: Cross-project search default routing configuration for this space. Controls whether searches are scoped to a single project or span multiple projects in serverless environments. type: string - statusCode: - type: number required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No uninstall token was found with the given ID - value: - error: Not Found - message: Uninstall Token not found with ID token-id-1 - statusCode: 404 - description: Not Found - summary: Get a decrypted uninstall token + - id + - name + description: Indicates a successful call. 
+ summary: Update a space tags: - - Fleet uninstall tokens - /api/lists: - delete: - description: | - Delete a value list using the list ID. - > info - > When you delete a list, all of its list items are also deleted. - operationId: DeleteList + - spaces + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/status: + get: + description: Returns Kibana's overall operational status and a per-service breakdown for Elasticsearch, Saved Objects, and registered plugins. The endpoint is intended for liveness and readiness checks (for example, by Kubernetes probes) and for operators monitoring a Kibana deployment. Unauthenticated callers receive a redacted response that exposes only the overall status level. + operationId: get-status parameters: - - description: Value list identifier to delete, including all of its list items. - in: query - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' - - description: >- - Determines whether exception items referencing this value list - should be deleted. + - description: Set to "true" to get the response in v7 format. in: query - name: deleteReferences + name: v7format required: false schema: - default: false - example: false type: boolean - - description: >- - Determines whether to delete value list without performing any - additional checks of where this list may be utilized. + - description: Set to "true" to get the response in v8 format. in: query - name: ignoreReferences + name: v8format required: false schema: - default: false - example: false type: boolean responses: '200': content: application/json: examples: - ipList: - value: - _version: WzIsMV0= - '@timestamp': 2025-01-08T04:47:34.273Z - created_at: 2025-01-08T04:47:34.273Z - created_by: elastic - description: List of bad internet ips. 
- id: 21b01cfb-058d-44b9-838c-282be16c91cd - immutable: false - name: Bad ips - tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 - type: ip - updated_at: 2025-01-08T05:39:39.292Z - updated_by: elastic - version: 3 - schema: - $ref: '#/components/schemas/Security_Lists_API_List' - description: Successful response - '400': - content: - application/json: - examples: - badRequest: + statusAvailableResponse: + description: A successful response when Kibana and its core services are operating normally. + summary: Kibana is available value: - error: Bad Request - message: '[request query]: id: Required' - statusCode: 400 + metrics: + collection_interval_in_millis: 5000 + elasticsearch_client: + totalActiveSockets: 4 + totalIdleSockets: 2 + totalQueuedRequests: 0 + last_updated: '2026-04-30T12:00:05.000Z' + name: kibana + status: + core: + elasticsearch: + level: available + summary: Elasticsearch is available + savedObjects: + level: available + summary: SavedObjects service has completed migrations and is available + overall: + level: available + summary: All services are available + plugins: {} + uuid: 5b2de169-2785-441b-ae8c-186a1936b17d + version: + build_date: '2026-04-30T12:00:00.000Z' + build_flavor: traditional + build_hash: ad8f0fa4d5022f56bbe2c4d51e9d0fcfa1ee67fc + build_number: 100200 + build_snapshot: false + number: 9.3.0 + statusRedactedResponse: + description: A redacted response returned when the caller is unauthenticated or lacks the `monitor` cluster privilege. 
+ summary: Kibana is available (redacted) + value: + status: + overall: + level: available schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_response' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_redactedResponse' + description: Kibana's operational status. A minimal response is sent for unauthorized users. + description: Overall status is OK and Kibana should be functioning normally. + '503': content: application/json: examples: - unauthorized: + statusUnavailableResponse: + description: A response when one or more core services are unavailable. + summary: Kibana is unavailable value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 + metrics: + collection_interval_in_millis: 5000 + elasticsearch_client: + totalActiveSockets: 0 + totalIdleSockets: 0 + totalQueuedRequests: 0 + last_updated: '2026-04-30T12:00:05.000Z' + name: kibana + status: + core: + elasticsearch: + level: unavailable + summary: Unable to connect to Elasticsearch + savedObjects: + level: unavailable + summary: SavedObjects service depends on Elasticsearch + overall: + level: unavailable + summary: Some services are unavailable + plugins: {} + uuid: 5b2de169-2785-441b-ae8c-186a1936b17d + version: + build_date: '2026-04-30T12:00:00.000Z' + build_flavor: traditional + build_hash: ad8f0fa4d5022f56bbe2c4d51e9d0fcfa1ee67fc + build_number: 100200 + build_snapshot: false + number: 9.3.0 schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - 
'403': + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_response' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_redactedResponse' + description: Kibana's operational status. A minimal response is sent for unauthorized users. + description: Kibana or some of its essential services are unavailable. Kibana may be degraded or unavailable. + summary: Get Kibana's current status + tags: + - system + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/streams: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/streams
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Fetches list of all streams

[Required authorization] Route required privileges: read_stream. + operationId: get-streams + parameters: [] + requestBody: + content: + application/json: + examples: {} + schema: + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} + responses: + '200': content: application/json: examples: - forbidden: - value: - error: Forbidden - message: >- - API [DELETE /api/lists?id=ip_list] is unauthorized for - user, this action is granted by the Kibana privileges - [lists-all] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': + listStreams: + value: + streams: + - description: Root logs stream + ingest: + failure_store: + inherit: {} + lifecycle: + inherit: {} + processing: + steps: [] + updated_at: '2025-01-10T08:00:00.000Z' + settings: {} + wired: + fields: + '@timestamp': + type: date + log.level: + type: keyword + message: + type: match_only_text + routing: + - destination: logs.nginx + status: enabled + where: + eq: nginx + field: host.name + name: logs + type: wired + updated_at: '2025-01-10T08:00:00.000Z' + - description: Web server access logs, routed by severity + ingest: + failure_store: + inherit: {} + lifecycle: + inherit: {} + processing: + steps: [] + updated_at: '2025-01-15T10:30:00.000Z' + settings: {} + wired: + fields: + host.name: + type: keyword + http.response.status_code: + type: long + message: + type: match_only_text + routing: + - destination: logs.nginx.errors + status: enabled + where: + field: http.response.status_code + gte: 500 + name: logs.nginx + type: wired + updated_at: '2025-01-15T10:30:00.000Z' + - description: Legacy application logs + ingest: + classic: {} + failure_store: + disabled: {} + lifecycle: + dsl: + data_retention: 30d + processing: + steps: + - action: grok + from: message + ignore_missing: true + patterns: + - '%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:log.level} 
%{GREEDYDATA:message}' + updated_at: '2024-12-01T09:00:00.000Z' + settings: {} + name: logs-myapp-default + type: classic + updated_at: '2024-12-01T09:00:00.000Z' + - description: All error-level logs across every stream + name: logs.errors + query: + esql: FROM logs* | WHERE log.level == "error" + view: logs.errors-view + type: query + updated_at: '2025-01-20T14:00:00.000Z' + description: A list of all streams. + summary: Get stream list + tags: + - streams + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/streams/_disable: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/streams/_disable
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Disables wired streams and deletes all existing stream definitions. The data of wired streams is deleted, but the data of classic streams is preserved.

[Required authorization] Route required privileges: manage_stream. + operationId: post-streams-disable + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: {} + schema: + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} + responses: + '200': + description: Streams were disabled successfully. + summary: Disable streams + tags: + - streams + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/streams/_enable: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/streams/_enable
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Enables wired streams

[Required authorization] Route required privileges: manage_stream. + operationId: post-streams-enable + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: {} + schema: + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} + responses: + '200': + description: Streams were enabled successfully. + summary: Enable streams + tags: + - streams + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/streams/_resync: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/streams/_resync
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Resyncs all streams, making sure that Elasticsearch assets are up to date

[Required authorization] Route required privileges: manage_stream. + operationId: post-streams-resync + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: {} + schema: + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} + responses: + '200': + description: Streams were resynced successfully. + summary: Resync streams + tags: + - streams + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/streams/{name}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/streams/{name}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Deletes a stream definition and the underlying data stream

[Required authorization] Route required privileges: manage_stream. + operationId: delete-streams-name + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The name of the stream. + in: path + name: name + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: {} + schema: + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} + responses: + '200': + description: The stream was deleted successfully. + summary: Delete a stream + tags: + - streams + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/streams/{name}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Fetches a stream definition and associated dashboards

[Required authorization] Route required privileges: read_stream. + operationId: get-streams-name + parameters: + - description: The name of the stream. + in: path + name: name + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: {} + schema: + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} + responses: + '200': content: application/json: examples: - notFound: + getWiredStream: value: - message: 'list id: \"ip_list\" was not found' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List not found response - '500': + dashboards: [] + data_stream_exists: true + effective_failure_store: + disabled: {} + from: logs + effective_lifecycle: + dsl: + data_retention: 7d + from: logs + effective_settings: {} + inherited_fields: + '@timestamp': + from: logs + type: date + log.level: + from: logs + type: keyword + privileges: + create_snapshot_repository: false + lifecycle: true + manage: true + manage_failure_store: true + monitor: true + read_failure_store: true + simulate: true + text_structure: true + view_index_metadata: true + queries: [] + rules: [] + stream: + description: Web server access logs, routed by severity + ingest: + failure_store: + inherit: {} + lifecycle: + inherit: {} + processing: + steps: [] + updated_at: '2025-01-15T10:30:00.000Z' + settings: {} + wired: + fields: + host.name: + type: keyword + http.response.status_code: + type: long + message: + type: match_only_text + routing: + - destination: logs.nginx.errors + status: enabled + where: + field: http.response.status_code + gte: 500 + name: logs.nginx + type: wired + updated_at: '2025-01-15T10:30:00.000Z' + description: Stream definition and associated metadata. 
+ summary: Get a stream + tags: + - streams + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/streams/{name}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Creates or updates a stream definition. Classic streams can not be created through this API, only updated

[Required authorization] Route required privileges: manage_stream. + operationId: put-streams-name + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The name of the stream. + in: path + name: name + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + createQueryStream: + value: + dashboards: [] + queries: [] + rules: [] + stream: + description: All error-level logs across every stream + query: + esql: FROM logs* | WHERE log.level == "error" + view: logs.errors-view + type: query + createWiredStream: + value: + dashboards: [] + queries: [] + rules: [] + stream: + description: Web server access logs, routed by severity + ingest: + failure_store: + inherit: {} + lifecycle: + inherit: {} + processing: + steps: [] + settings: {} + wired: + fields: + host.name: + type: keyword + http.response.status_code: + type: long + message: + type: match_only_text + routing: + - destination: logs.nginx.errors + status: enabled + where: + field: http.response.status_code + gte: 500 + type: wired + updateClassicStream: + value: + dashboards: [] + queries: [] + rules: [] + stream: + description: Legacy application logs managed as a classic data stream + ingest: + classic: {} + failure_store: + disabled: {} + lifecycle: + dsl: + data_retention: 30d + processing: + steps: + - action: grok + from: message + ignore_missing: true + patterns: + - '%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:log.level} %{GREEDYDATA:message}' + settings: {} + type: classic + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamUpsertRequest' + responses: + '200': + description: The stream was created or updated successfully. 
+ summary: Create or update a stream + tags: + - streams + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/streams/{name}/_fork: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/streams/{name}/_fork
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Forks a wired stream and creates a child stream

[Required authorization] Route required privileges: manage_stream. + operationId: post-streams-name-fork + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The name of the parent stream to fork from. + in: path + name: name + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + forkStream: + value: + status: enabled + stream: + name: logs.nginx.errors + where: + eq: '500' + field: http.response.status_code + schema: + additionalProperties: false + type: object + properties: + draft: + type: boolean + status: + enum: + - enabled + - disabled + type: string + stream: + additionalProperties: false + type: object + properties: + name: + type: string + required: + - name + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + required: + - stream + - where + responses: + '200': + description: The stream was forked successfully. + summary: Fork a stream + tags: + - streams + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/streams/{name}/_ingest: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/streams/{name}/_ingest
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Fetches the ingest settings of an ingest stream definition

[Required authorization] Route required privileges: read_stream. + operationId: get-streams-name-ingest + parameters: + - description: The name of the stream. + in: path + name: name + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: {} + schema: + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} + responses: + '200': content: application/json: examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Delete a value list + getWiredIngest: + value: + ingest: + failure_store: + inherit: {} + lifecycle: + inherit: {} + processing: + steps: + - action: grok + from: message + ignore_missing: false + patterns: + - '%{IPORHOST:client.ip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:@timestamp}\] "%{WORD:http.method} %{DATA:url.original} HTTP/%{NUMBER:http.version}" %{NUMBER:http.response.status_code:int} (?:%{NUMBER:http.response.body.bytes:int}|-)' + updated_at: '2025-01-15T10:30:00.000Z' + settings: {} + wired: + fields: + client.ip: + type: ip + http.method: + type: keyword + http.response.body.bytes: + type: long + http.response.status_code: + type: long + url.original: + type: wildcard + routing: + - destination: logs.nginx.errors + status: enabled + where: + field: http.response.status_code + gte: 500 + description: Ingest settings for the stream. + summary: Get ingest stream settings + tags: + - streams + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/streams/{name}/_ingest
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Upserts the ingest settings of an ingest stream definition

[Required authorization] Route required privileges: manage_stream. + operationId: put-streams-name-ingest + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The name of the stream. + in: path + name: name + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + upsertWiredIngest: + value: + ingest: + failure_store: + inherit: {} + lifecycle: + inherit: {} + processing: + steps: + - action: grok + from: message + ignore_missing: false + patterns: + - '%{IPORHOST:client.ip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:@timestamp}\] "%{WORD:http.method} %{DATA:url.original} HTTP/%{NUMBER:http.version}" %{NUMBER:http.response.status_code:int} (?:%{NUMBER:http.response.body.bytes:int}|-)' + settings: {} + wired: + fields: + client.ip: + type: ip + http.method: + type: keyword + http.response.body.bytes: + type: long + http.response.status_code: + type: long + url.original: + type: wildcard + routing: + - destination: logs.nginx.errors + status: enabled + where: + eq: '500' + field: http.response.status_code + schema: + additionalProperties: false + type: object + properties: + ingest: + anyOf: + - additionalProperties: false + type: object + properties: + failure_store: + $ref: '#/components/schemas/Kibana_HTTP_APIs_FailureStore' + lifecycle: + $ref: '#/components/schemas/Kibana_HTTP_APIs_IngestStreamLifecycle' + processing: + additionalProperties: false + type: object + properties: + steps: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamlangStep' + type: array + updated_at: {} + required: + - steps + settings: + additionalProperties: false + type: object + properties: + index.number_of_replicas: + additionalProperties: false + type: object + properties: + value: + type: number + required: + - value + index.number_of_shards: + additionalProperties: false + type: object + 
properties: + value: + type: number + required: + - value + index.refresh_interval: + additionalProperties: false + type: object + properties: + value: + anyOf: + - type: string + - enum: + - -1 + type: number + required: + - value + wired: + additionalProperties: false + type: object + properties: + draft: + type: boolean + fields: + $ref: '#/components/schemas/Kibana_HTTP_APIs_FieldDefinition' + routing: + items: + type: object + properties: + destination: + description: A non-empty string. + minLength: 1 + type: string + draft: + type: boolean + status: + enum: + - enabled + - disabled + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + required: + - destination + - where + type: array + required: + - fields + - routing + required: + - lifecycle + - processing + - settings + - failure_store + - wired + - additionalProperties: false + type: object + properties: + classic: + additionalProperties: false + type: object + properties: + field_overrides: + $ref: '#/components/schemas/Kibana_HTTP_APIs_ClassicFieldDefinition' + failure_store: + $ref: '#/components/schemas/Kibana_HTTP_APIs_FailureStore' + lifecycle: + $ref: '#/components/schemas/Kibana_HTTP_APIs_IngestStreamLifecycle' + processing: + additionalProperties: false + type: object + properties: + steps: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamlangStep' + type: array + updated_at: {} + required: + - steps + settings: + additionalProperties: false + type: object + properties: + index.number_of_replicas: + additionalProperties: false + type: object + properties: + value: + type: number + required: + - value + index.number_of_shards: + additionalProperties: false + type: object + properties: + value: + type: number + required: + - value + index.refresh_interval: + additionalProperties: false + type: object + properties: + value: + anyOf: + - type: string + - enum: + - -1 + type: number + required: + - value + required: + - lifecycle + - processing + - settings 
+ - failure_store + - classic + required: + - ingest + responses: + '200': + description: The ingest settings were updated successfully. + summary: Update ingest stream settings tags: - - Security Lists API + - streams + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/streams/{name}/_query: get: - description: Get the details of a value list using the list ID. - operationId: ReadList + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/streams/{name}/_query
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Fetches the query settings of a query stream definition

[Required authorization] Route required privileges: read_stream. + operationId: get-streams-name-query parameters: - - description: Value list identifier (`id`) returned when the list was created. - in: query - name: id + - description: The name of the query stream. + in: path + name: name required: true schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' + type: string + requestBody: + content: + application/json: + examples: {} + schema: + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} responses: '200': - content: - application/json: - examples: - ip: - value: - _version: WzEsMV0= - '@timestamp': 2025-01-08T04:47:34.273Z - created_at: 2025-01-08T04:47:34.273Z - created_by: elastic - description: This list describes bad internet ip - id: ip_list - immutable: false - name: My bad ips - tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 - type: ip - updated_at: 2025-01-08T05:21:53.843Z - updated_by: elastic - version: 1 - schema: - $ref: '#/components/schemas/Security_Lists_API_List' - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: '[request query]: id: Required' - statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - 
examples: - forbidden: - value: - error: Forbidden - message: >- - API [GET /api/lists?id=ip_list] is unauthorized for user, - this action is granted by the Kibana privileges - [lists-read] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message: 'list id: \"foo\" not found' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Get value list details + description: Query settings for the stream. + summary: Get query stream settings tags: - - Security Lists API - patch: - description: Update specific fields of an existing list using the list `id`. - operationId: PatchList + - streams + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/streams/{name}/_query
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Upserts the query settings of a query stream definition

[Required authorization] Route required privileges: manage_stream. + operationId: put-streams-name-query + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The name of the query stream. + in: path + name: name + required: true + schema: + type: string requestBody: content: application/json: examples: - patchName: + upsertQueryStream: value: - id: ip_list - name: Bad ips list - UPDATED + query: + esql: FROM logs* | WHERE log.level == "error" | KEEP @timestamp, message, host.name, log.level schema: - example: - id: ip_list - name: Bad ips list - UPDATED + additionalProperties: false type: object properties: - _version: - $ref: '#/components/schemas/Security_Lists_API_ListVersionId' - description: - $ref: '#/components/schemas/Security_Lists_API_ListDescription' - id: - $ref: '#/components/schemas/Security_Lists_API_ListId' - meta: - $ref: '#/components/schemas/Security_Lists_API_ListMetadata' - name: - $ref: '#/components/schemas/Security_Lists_API_ListName' - version: - $ref: '#/components/schemas/Security_Lists_API_ListVersion' + field_descriptions: + additionalProperties: + type: string + type: object + query: + additionalProperties: false + type: object + properties: + esql: + type: string + required: + - esql required: - - id - description: Value list's properties - required: true + - query responses: '200': - content: - application/json: - examples: - ip: - value: - _version: WzEsMV0= - '@timestamp': 2025-01-08T04:47:34.273Z - created_at: 2025-01-08T04:47:34.273Z - created_by: elastic - description: This list describes bad internet ips - id: ip_list - immutable: false - name: Bad ips list - UPDATED - tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 - type: ip - updated_at: 2025-01-08T05:21:53.843Z - updated_by: elastic - version: 2 - schema: - $ref: '#/components/schemas/Security_Lists_API_List' - description: Successful 
response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: '[request body]: name: Expected string, received number' - statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [PATCH /api/lists] is unauthorized for user, this - action is granted by the Kibana privileges [lists-all] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message: 'list id: \"foo\" not found' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Patch a value list + description: The query stream settings were updated successfully. 
+ summary: Upsert query stream settings tags: - - Security Lists API + - streams + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/streams/{name}/content/export: post: - description: Create a new value list. - operationId: CreateList + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/streams/{name}/content/export
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Exports the content associated to a stream.

[Required authorization] Route required privileges: manage_stream. + operationId: post-streams-name-content-export + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The name of the stream to export content from. + in: path + name: name + required: true + schema: + type: string requestBody: content: application/json: examples: - ip: - value: - description: This list describes bad internet ips - id: ip_list - name: Simple list with ips - type: ip - ip_range: - value: - description: This list has ip ranges - id: ip_range_list - name: Simple list with ip ranges - type: ip_range - keyword: - value: - description: This list describes bad host names - id: keyword_list - name: Simple list with a keyword - type: keyword - keyword_custom_format: + exportContent: value: - description: This parses the first found ipv4 only - id: keyword_custom_format_list - name: Simple list with a keyword using a custom format - type: keyword + description: Nginx stream content pack + include: + objects: + all: {} + name: nginx-pack + version: 1.0.0 schema: + additionalProperties: false type: object properties: description: - $ref: '#/components/schemas/Security_Lists_API_ListDescription' - id: - $ref: '#/components/schemas/Security_Lists_API_ListId' - meta: - $ref: '#/components/schemas/Security_Lists_API_ListMetadata' + type: string + include: + $ref: '#/components/schemas/Kibana_HTTP_APIs_ContentPackIncludedObjects' name: - $ref: '#/components/schemas/Security_Lists_API_ListName' - type: - $ref: '#/components/schemas/Security_Lists_API_ListType' + type: string version: - default: 1 - minimum: 1 - type: integer + type: string required: - name - description - - type - description: Value list's properties - required: true + - version + - include + responses: + '200': + description: Content pack archive for the stream. 
+ summary: Export stream content + tags: + - streams + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/streams/{name}/content/import: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/streams/{name}/content/import
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Links content objects to a stream.

[Required authorization] Route required privileges: manage_stream. + operationId: post-streams-name-content-import + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The name of the stream to import content into. + in: path + name: name + required: true + schema: + type: string + requestBody: + content: + multipart/form-data: + examples: + importContent: + value: + content: + include: '{"objects":{"all":{}}}' + schema: + additionalProperties: false + type: object + properties: + content: {} + include: + type: string + required: + - include + - content + responses: + '200': + description: Content was imported into the stream successfully. + summary: Import content into a stream + tags: + - streams + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/streams/{name}/queries: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/streams/{name}/queries
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Fetches all queries linked to a stream that are visible to the current user in the current space.

[Required authorization] Route required privileges: read_stream. + operationId: get-streams-name-queries + parameters: + - description: The name of the stream. + in: path + name: name + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: {} + schema: + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} responses: '200': content: application/json: examples: - ip: - value: - _version: WzAsMV0= - '@timestamp': 2025-01-08T04:47:34.273Z - created_at: 2025-01-08T04:47:34.273Z - created_by: elastic - description: This list describes bad internet ips - id: ip_list - immutable: false - name: Simple list with ips - tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 - type: ip - updated_at: 2025-01-08T04:47:34.273Z - updated_by: elastic - version: 1 - ip_range: - value: - _version: WzAsMV0= - '@timestamp': 2025-01-09T18:23:52.241Z - created_at: 2025-01-09T18:23:52.241Z - created_by: elastic - description: This list has ip ranges - id: ip_range_list - immutable: false - name: Simple list with ip ranges - tie_breaker_id: 74aebdaf-601f-4940-b351-155728ff7003 - type: ip_range - updated_at: 2025-01-09T18:23:52.241Z - updated_by: elastic - version: 1 - keyword: - value: - _version: WzEsMV0= - '@timestamp': 2025-01-09T18:24:55.786Z - created_at: 2025-01-09T18:24:55.786Z - created_by: elastic - description: This list describes bad host names - id: keyword_list - immutable: false - name: Simple list with a keyword - tie_breaker_id: f7e7dbaa-daf7-4c9a-a3dc-56643923ef68 - type: keyword - updated_at: 2025-01-09T18:24:55.786Z - updated_by: elastic - version: 1 - keyword_custom_format: - value: - _version: WzIsMV0= - '@timestamp': 2025-01-09T18:25:39.604Z - created_at: 2025-01-09T18:25:39.604Z - created_by: elastic - description: This parses the first found ipv4 only - id: keyword_custom_format_list - immutable: false - name: Simple list with a keyword using a custom format - tie_breaker_id: 
8247ae63-b780-47b8-9a89-948b643e9ec2 - type: keyword - updated_at: 2025-01-09T18:25:39.604Z - updated_by: elastic - version: 1 - schema: - $ref: '#/components/schemas/Security_Lists_API_List' - description: Successful response - '400': - content: - application/json: - examples: - notFound: - value: - message: >- - To create a list, the data stream must exist first. Data - stream \".lists-default\" does not exist - status_code: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [POST /api/lists] is unauthorized for user, this - action is granted by the Kibana privileges [lists-all] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '409': - content: - application/json: - examples: - alreadyExists: - value: - message: 'list id: "keyword_custom_format_list" already exists' - status_code: 409 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List already exists response - '500': - content: - application/json: - examples: - serverError: + listQueries: value: - message: Internal Server Error - status_code: 500 - schema: - $ref: 
'#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Create a value list + queries: + - description: Count error-level log events grouped by host name + esql: + query: FROM logs.nginx | WHERE log.level == "error" | STATS count = COUNT(*) BY host.name + id: error-count-by-host + severity_score: 75 + title: Error count by host + type: match + - description: Requests with response time above 2 seconds + esql: + query: FROM logs.nginx | WHERE http.response_time > 2000 + id: high-latency-requests + severity_score: 50 + title: High latency requests + type: match + description: List of queries linked to the stream. + summary: Get stream queries + tags: + - streams + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/streams/{name}/queries/_bulk: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/streams/{name}/queries/_bulk
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Bulk update queries of a stream. Can add new queries and delete existing ones.

[Required authorization] Route required privileges: manage_stream. + operationId: post-streams-name-queries-bulk + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The name of the stream. + in: path + name: name + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + bulkQueries: + value: + operations: + - index: + description: Count error-level log events grouped by host name + esql: + query: FROM logs* | WHERE log.level == "error" | STATS count = COUNT(*) BY host.name + id: error-count-by-host + title: Error count by host + - delete: + id: old-query-id + schema: + additionalProperties: false + type: object + properties: + operations: + items: + anyOf: + - type: object + properties: + index: + type: object + properties: + description: + default: '' + type: string + esql: + type: object + properties: + query: + type: string + required: + - query + evidence: + items: + type: string + type: array + id: + description: A non-empty string. + minLength: 1 + type: string + severity_score: + type: number + title: + description: A non-empty string. + minLength: 1 + type: string + required: + - title + - esql + - id + required: + - index + - type: object + properties: + delete: + type: object + properties: + id: + type: string + required: + - id + required: + - delete + type: array + required: + - operations + responses: + '200': + description: Bulk operation completed successfully. + summary: Bulk update queries tags: - - Security Lists API + - streams + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/streams/{name}/queries/{queryId}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/streams/{name}/queries/{queryId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Remove a query from a stream. Noop if the query is not found on the stream.

[Required authorization] Route required privileges: manage_stream. + operationId: delete-streams-name-queries-queryid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The name of the stream. + in: path + name: name + required: true + schema: + type: string + - description: The identifier of the query to remove. + in: path + name: queryId + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: {} + schema: + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} + responses: + '200': + description: The query was removed successfully. + summary: Remove a query from a stream + tags: + - streams + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name put: - description: > - Update a value list using the list `id`. The original list is replaced, - and all unspecified fields are deleted. + description: |- + **Spaces method and path for this operation:** - > info +
put /s/{space_id}/api/streams/{name}/queries/{queryId}
- > You cannot modify the `id` value. - operationId: UpdateList + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Adds a query to a stream. Noop if the query is already present on the stream.

[Required authorization] Route required privileges: manage_stream. + operationId: put-streams-name-queries-queryid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The name of the stream. + in: path + name: name + required: true + schema: + type: string + - description: The identifier of the query. + in: path + name: queryId + required: true + schema: + type: string requestBody: content: application/json: examples: - replaceList: + upsertQuery: value: - description: Latest list of bad ips - id: ip_list - name: Bad ips - updated + description: Count error-level log events grouped by host name + esql: + query: FROM logs* | WHERE log.level == "error" | STATS count = COUNT(*) BY host.name + title: Error count by host schema: - example: - description: Latest list of bad ips - id: ip_list - name: Bad ips - updated + additionalProperties: false type: object properties: - _version: - $ref: '#/components/schemas/Security_Lists_API_ListVersionId' description: - $ref: '#/components/schemas/Security_Lists_API_ListDescription' - id: - $ref: '#/components/schemas/Security_Lists_API_ListId' - meta: - $ref: '#/components/schemas/Security_Lists_API_ListMetadata' - name: - $ref: '#/components/schemas/Security_Lists_API_ListName' - version: - $ref: '#/components/schemas/Security_Lists_API_ListVersion' + default: '' + type: string + esql: + additionalProperties: false + type: object + properties: + query: + type: string + required: + - query + evidence: + items: + type: string + type: array + severity_score: + type: number + title: + description: A non-empty string. + minLength: 1 + type: string required: - - id - - name - - description - description: Value list's properties - required: true + - title + - esql + responses: + '200': + description: The query was added or updated successfully. 
+ summary: Upsert a query to a stream + tags: + - streams + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/streams/{name}/significant_events: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/streams/{name}/significant_events
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Read the significant events

[Required authorization] Route required privileges: read_stream. + operationId: get-streams-name-significant-events + parameters: + - description: The name of the stream. + in: path + name: name + required: true + schema: + type: string + - description: Start of the time range as an ISO 8601 date string. + in: query + name: from + required: true + schema: + type: string + - description: End of the time range as an ISO 8601 date string. + in: query + name: to + required: true + schema: + type: string + - description: The bucket size for aggregating events (e.g. "1m", "1h"). + in: query + name: bucketSize + required: true + schema: + type: string + - description: Query string to filter significant events on metadata fields + in: query + name: query + required: false + schema: + type: string + - description: 'Search mode: keyword (BM25), semantic (vector), or hybrid (RRF). When omitted, defaults to hybrid with a silent keyword fallback on failure. When set explicitly, failures propagate as errors.' 
+ in: query + name: searchMode + required: false + schema: + enum: + - keyword + - semantic + - hybrid + type: string + requestBody: + content: + application/json: + examples: {} + schema: + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} responses: '200': content: application/json: examples: - ip: - value: - _version: WzIsMV0= - '@timestamp': 2025-01-08T04:47:34.273Z - created_at: 2025-01-08T04:47:34.273Z - created_by: elastic - description: Latest list of bad ips - id: ip_list - immutable: false - name: Bad ips - updated - tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 - type: ip - updated_at: 2025-01-08T05:39:39.292Z - updated_by: elastic - version: 3 - schema: - $ref: '#/components/schemas/Security_Lists_API_List' - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: '[request body]: id: Expected string, received number' - statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [PUT /api/lists] is unauthorized for user, this action - is granted by the Kibana privileges [lists-all] - statusCode: 403 - schema: - $ref: 
'#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message: 'list id: \"foo\" not found' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List not found response - '500': - content: - application/json: - examples: - serverError: + significantEvents: value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Update a value list + aggregated_occurrences: + - count: 42 + date: '2025-01-15T10:00:00.000Z' + - count: 18 + date: '2025-01-15T11:00:00.000Z' + - count: 7 + date: '2025-01-15T12:00:00.000Z' + significant_events: + - change_points: + type: + spike: + change_point: 1 + p_value: 0.002 + description: Count error-level log events grouped by host name + esql: + query: FROM logs.nginx | WHERE log.level == "error" | STATS count = COUNT(*) BY host.name + id: error-count-by-host + occurrences: + - count: 42 + date: '2025-01-15T10:00:00.000Z' + - count: 18 + date: '2025-01-15T11:00:00.000Z' + - count: 7 + date: '2025-01-15T12:00:00.000Z' + rule_backed: false + severity_score: 75 + stream_name: logs.nginx + title: Error count by host + type: match + description: Significant events for the stream. + summary: Read the significant events tags: - - Security Lists API - /api/lists/_find: - get: - description: >- - Get a paginated subset of value lists. By default, the first page is - returned, with 20 results per page. - operationId: FindLists + - streams + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/streams/{name}/significant_events/_generate: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/streams/{name}/significant_events/_generate
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Generate significant events queries based on the stream data

[Required authorization] Route required privileges: read_stream. + operationId: post-streams-name-significant-events-generate parameters: - - description: The page number to return. + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The name of the stream. + in: path + name: name + required: true + schema: + type: string + - description: Optional connector ID. If not provided, the default AI connector from settings will be used. in: query - name: page + name: connectorId required: false schema: - example: 1 - type: integer - - description: The number of value lists to return per page. + type: string + - description: Start of the time range as an ISO 8601 date string. in: query - name: per_page - required: false + name: from + required: true schema: - example: 20 - type: integer - - description: Determines which field is used to sort the results. + type: string + - description: End of the time range as an ISO 8601 date string. in: query - name: sort_field + name: to + required: true + schema: + type: string + - description: Number of sample documents to use for generation from the current data of stream + in: query + name: sampleDocsSize required: false schema: - example: name - format: nonempty - minLength: 1 + type: number + requestBody: + content: + application/json: + examples: {} + schema: + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} + responses: + '200': + description: Generated significant event query definitions. + summary: Generate significant events + tags: + - streams + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/streams/{name}/significant_events/_preview: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/streams/{name}/significant_events/_preview
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Preview significant event results based on a given query

[Required authorization] Route required privileges: read_stream. + operationId: post-streams-name-significant-events-preview + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' type: string - - description: Determines the sort order, which can be `desc` or `asc` + - description: The name of the stream. + in: path + name: name + required: true + schema: + type: string + - description: Start of the time range as an ISO 8601 date string. in: query - name: sort_order + name: from + required: true + schema: + type: string + - description: End of the time range as an ISO 8601 date string. + in: query + name: to + required: true + schema: + type: string + - description: The bucket size for aggregating events (e.g. "1m", "1h"). + in: query + name: bucketSize + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + previewSignificantEvents: + value: + query: + esql: + query: FROM logs.nginx | WHERE log.level == "error" | STATS count = COUNT(*) BY host.name + schema: + additionalProperties: false + type: object + properties: + query: + additionalProperties: false + type: object + properties: + esql: + additionalProperties: false + type: object + properties: + query: + type: string + required: + - query + required: + - esql + required: + - query + responses: + '200': + description: Significant event preview results. + summary: Preview significant events + tags: + - streams + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/streams/{streamName}/attachments: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/streams/{streamName}/attachments
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Fetches all attachments linked to a stream that are visible to the current user in the current space. Optionally filter by attachment types, search query, and tags.

[Required authorization] Route required privileges: read_stream. + operationId: get-streams-streamname-attachments + parameters: + - description: The name of the stream + in: path + name: streamName + required: true + schema: + type: string + - description: Search query to filter attachments by title + in: query + name: query required: false schema: - enum: - - desc - - asc - example: asc type: string - - description: >- - Returns the lists that come after the last lists returned in the - previous call (use the `cursor` value returned in the previous - call). This parameter uses the `tie_breaker_id` field to ensure all - lists are sorted and returned correctly. + - description: Filter by attachment types (single value or array) in: query - name: cursor + name: attachmentTypes required: false schema: - $ref: '#/components/schemas/Security_Lists_API_FindListsCursor' - - description: > - Filters the returned results according to the value of the specified - field, - - using the : syntax. + items: + enum: + - dashboard + - rule + - slo + type: string + type: array + - description: Filter by tags (single value or array) in: query - name: filter + name: tags required: false schema: - $ref: '#/components/schemas/Security_Lists_API_FindListsFilter' + items: + type: string + type: array + requestBody: + content: + application/json: + examples: + listAttachmentsExample: + value: {} + schema: + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} responses: '200': content: application/json: examples: - ipList: - value: - cursor: >- - WzIwLFsiZjU1MDgxODgtYjFlOS00ZTZlLTk2NjItZDAzOWE3ZDg5ODk5Il1d - data: - - _version: WzAsMV0= - '@timestamp': | - 2025-01-08T04:47:34.273Z - created_at: | - 2025-01-08T04:47:34.273Z - created_by: elastic - description: This list describes bad internet ip - id: ip_list - immutable: false - name: Simple list with an ip - tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 - type: ip - updated_at: | - 
2025-01-08T04:47:34.273Z - updated_by: elastic - version: 1 - page: 1 - per_page: 20 - total: 1 - schema: - type: object - properties: - cursor: - $ref: '#/components/schemas/Security_Lists_API_FindListsCursor' - data: - items: - $ref: '#/components/schemas/Security_Lists_API_List' - type: array - page: - minimum: 0 - type: integer - per_page: - minimum: 0 - type: integer - total: - minimum: 0 - type: integer - required: - - data - - page - - per_page - - total - - cursor - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: '[request query]: page: Expected number, received nan' - statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: + listAttachmentsResponse: value: - error: Forbidden - message: >- - API [GET /api/lists/_find?page=1&per_page=20] is - unauthorized for user, this action is granted by the - Kibana privileges [lists-read] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '500': + attachments: + - createdAt: '2023-02-23T16:15:47.275Z' + description: Dashboard for monitoring production services + id: dashboard-123 + streamNames: + - 
logs.awsfirehose + - logs.nginx + tags: + - monitoring + - production + title: My Dashboard + type: dashboard + updatedAt: '2023-03-24T14:39:17.636Z' + description: Successfully retrieved attachments + summary: Get stream attachments + tags: + - streams + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/streams/{streamName}/attachments/_bulk: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/streams/{streamName}/attachments/_bulk
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Bulk update attachments linked to a stream. Can link new attachments and delete existing ones. Supports mixed attachment types in a single request.

[Required authorization] Route required privileges: manage_stream. + operationId: post-streams-streamname-attachments-bulk + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The name of the stream + in: path + name: streamName + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + bulkAttachmentsExample: + value: + operations: + - index: + id: dashboard-123 + type: dashboard + - delete: + id: rule-456 + type: rule + schema: + additionalProperties: false + type: object + properties: + operations: + items: + anyOf: + - type: object + properties: + index: + type: object + properties: + id: + type: string + type: + enum: + - dashboard + - rule + - slo + type: string + required: + - id + - type + required: + - index + - type: object + properties: + delete: + type: object + properties: + id: + type: string + type: + enum: + - dashboard + - rule + - slo + type: string + required: + - id + - type + required: + - delete + type: array + required: + - operations + responses: + '200': content: application/json: examples: - serverError: + bulkAttachmentsResponse: value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Get value lists + acknowledged: true + description: Successfully performed bulk operations + summary: Bulk update attachments tags: - - Security Lists API - /api/lists/index: + - streams + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/streams/{streamName}/attachments/{attachmentType}/{attachmentId}: delete: - description: Delete the `.lists` and `.items` data streams. - operationId: DeleteListIndex + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/streams/{streamName}/attachments/{attachmentType}/{attachmentId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Unlinks an attachment from a stream. Noop if the attachment is not linked to the stream.

[Required authorization] Route required privileges: manage_stream. + operationId: delete-streams-streamname-attachments-attachmenttype-attachmentid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The name of the stream + in: path + name: streamName + required: true + schema: + type: string + - description: The type of the attachment + in: path + name: attachmentType + required: true + schema: + enum: + - dashboard + - rule + - slo + type: string + - description: The ID of the attachment + in: path + name: attachmentId + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + unlinkAttachmentExample: + value: {} + schema: + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} responses: '200': content: application/json: examples: - acknowledged: + unlinkAttachmentResponse: value: acknowledged: true - schema: - type: object - properties: - acknowledged: - type: boolean - required: - - acknowledged - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - message: >- - Unable to delete value list data streams: invalid or - missing index metadata - status_code: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: 
'#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [DELETE /api/lists/index] is not authorized; lists-all - (or equivalent) is required to delete data streams - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message: The value list data stream was not found in this space - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List data stream not found response - '500': + description: Successfully unlinked attachment + summary: Unlink an attachment from a stream + tags: + - streams + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/streams/{streamName}/attachments/{attachmentType}/{attachmentId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Links an attachment to a stream. Noop if the attachment is already linked to the stream.

[Required authorization] Route required privileges: manage_stream. + operationId: put-streams-streamname-attachments-attachmenttype-attachmentid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The name of the stream + in: path + name: streamName + required: true + schema: + type: string + - description: The type of the attachment + in: path + name: attachmentType + required: true + schema: + enum: + - dashboard + - rule + - slo + type: string + - description: The ID of the attachment + in: path + name: attachmentId + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + linkAttachmentExample: + value: {} + schema: + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} + responses: + '200': content: application/json: examples: - serverError: + linkAttachmentResponse: value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Delete value list data streams + acknowledged: true + description: Successfully linked attachment + summary: Link an attachment to a stream tags: - - Security Lists API + - streams + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/task_manager/_health: get: - description: Verify that `.lists` and `.items` data streams exist. - operationId: ReadListIndex + description: | + Get the health status of the Kibana task manager. 
+ operationId: task-manager-health responses: '200': content: application/json: examples: - bothExist: - value: - list_index: true - list_item_index: true - schema: - type: object - properties: - list_index: - type: boolean - list_item_index: - type: boolean - required: - - list_index - - list_item_index - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - message: >- - Unable to read value list data stream status for this - space - status_code: 400 + taskManagerHealthResponse1: + $ref: '#/components/examples/Task_manager_health_Serverless_APIs_health_200response_serverless' schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': + $ref: '#/components/schemas/Task_manager_health_Serverless_APIs_health_response_serverless' + description: Indicates a successful call + summary: Get the task manager health + tags: + - task manager + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/timeline: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/timeline
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete one or more Timelines or Timeline templates. + operationId: DeleteTimelines + requestBody: + content: + application/json: + examples: + deleteByIds: + summary: Delete timelines by saved object id + value: + savedObjectIds: + - 15c1929b-0af7-42bd-85a8-56e234cc7c4e + deleteWithSearches: + summary: Delete Timelines and their linked saved searches + value: + savedObjectIds: + - 15c1929b-0af7-42bd-85a8-56e234cc7c4e + - 6ce1b592-84e3-4b4a-9552-f189d4b82075 + searchIds: + - 2c1b8f02-9ad6-4e33-8f6a-2c6b7d0a1f11 + schema: + type: object + properties: + savedObjectIds: + description: The list of IDs of the Timelines or Timeline templates to delete + items: + type: string + maxItems: 100 + type: array + searchIds: + description: Saved search IDs that should be deleted alongside the timelines + items: + type: string + maxItems: 100 + type: array + required: + - savedObjectIds + description: The IDs of the Timelines or Timeline templates to delete. + required: true + responses: + '200': content: application/json: examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 + success: + summary: Success + value: {} schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': + additionalProperties: true + type: object + description: Indicates a successful call. + summary: Delete Timelines or Timeline templates + tags: + - Security Timeline API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/timeline
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the details of an existing saved Timeline or Timeline template. + operationId: GetTimeline + parameters: + - description: The `savedObjectId` of the Timeline template to retrieve. + in: query + name: template_timeline_id + schema: + type: string + - description: The `savedObjectId` of the Timeline to retrieve. + in: query + name: id + schema: + type: string + responses: + '200': content: application/json: examples: - forbidden: + timelineDetail: + summary: Timeline detail value: - error: Forbidden - message: >- - API [GET /api/lists/index] is not authorized; list read - permissions are required - statusCode: 403 + description: User-reported suspicious email + noteIds: [] + pinnedEventIds: [] + savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + status: active + timelineType: default + title: Phishing investigation + version: WzE0LDFd schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': + $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' + description: Indicates a successful call. + summary: Get Timeline or Timeline template details + tags: + - Security Timeline API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + patch: + description: |- + **Spaces method and path for this operation:** + +
patch /s/{space_id}/api/timeline
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an existing Timeline. You can update the title, description, date range, pinned events, pinned queries, and/or pinned saved queries of an existing Timeline. + operationId: PatchTimeline + requestBody: + content: + application/json: + examples: + patchTitle: + summary: Update title + value: + timeline: + title: Escalated case review + timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + version: WzE0LDFd + schema: + type: object + properties: + timeline: + $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' + description: The timeline object of the Timeline or Timeline template that you’re updating. + timelineId: + description: The `savedObjectId` of the Timeline or Timeline template that you’re updating. + example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + nullable: true + type: string + version: + description: The version of the Timeline or Timeline template that you’re updating. + example: WzE0LDFd + nullable: true + type: string + required: + - timelineId + - version + - timeline + description: The Timeline updates, along with the Timeline ID and version. + required: true + responses: + '200': content: application/json: examples: - notFound: + patched: + summary: Updated timeline value: - message: Value list backing indices were not found for this space - status_code: 404 + savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + status: active + timelineType: default + title: Escalated case review + version: WzE1LDFd schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List data stream(s) not found response - '500': + $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' + description: Indicates a successful call. 
+ '405': content: application/json: examples: - serverError: + error: + summary: Error body value: - message: Internal Server Error - status_code: 500 + body: update timeline error + statusCode: 405 schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Get status of value list data streams + type: object + properties: + body: + description: The error message. + example: update timeline error + type: string + statusCode: + example: 405 + type: number + description: Indicates that the user does not have the required access to create a Timeline. + summary: Update a Timeline tags: - - Security Lists API + - Security Timeline API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name post: - deprecated: true - description: > - **DEPRECATED.** `deprecated: true` is set on this operation. Value list - backing data streams for the space - - are now created as part of supported workflows; calling this explicitly - is rarely required. - - **WARNING:** Do not use for new integrations. Prefer the UI or the list - and list-item APIs after confirming + description: |- + **Spaces method and path for this operation:** - indices exist with `GET /api/lists/index`. +
post /s/{space_id}/api/timeline
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Creates the `.lists` and `.items` data streams in the current Kibana - space. - operationId: CreateListIndex + Create a new Timeline or Timeline template. + operationId: CreateTimelines + requestBody: + content: + application/json: + examples: + createDefault: + summary: Create a default timeline + value: + timeline: + status: active + timelineType: default + title: Malware containment + schema: + type: object + properties: + status: + $ref: '#/components/schemas/Security_Timeline_API_TimelineStatus' + nullable: true + templateTimelineId: + description: A unique identifier for the Timeline template. + example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 + nullable: true + type: string + templateTimelineVersion: + description: Timeline template version number. + example: 12 + nullable: true + type: number + timeline: + $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' + timelineId: + description: A unique identifier for the Timeline. + example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 + nullable: true + type: string + timelineType: + $ref: '#/components/schemas/Security_Timeline_API_TimelineType' + nullable: true + version: + nullable: true + type: string + required: + - timeline + description: The required Timeline fields used to create a new Timeline, along with optional fields that will be created if not provided. + required: true responses: '200': content: application/json: examples: - acknowledged: - value: - acknowledged: true - schema: - type: object - properties: - acknowledged: - type: boolean - required: - - acknowledged - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - message: >- - Indices exist but the request could not be completed for - the current space. Check that Elasticsearch and Kibana - privileges allow index creation for lists. 
- status_code: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: > - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: + created: + summary: Created timeline value: - error: Forbidden - message: >- - API [POST /api/lists/index] is unauthorized for user, this - action is granted by the Kibana privileges [lists-all] - statusCode: 403 + savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + status: active + timelineType: default + title: Malware containment + version: WzE0LDFd schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '409': + $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' + description: Indicates a successful call. 
+ '405': content: application/json: examples: - alreadyExists: + error: + summary: Error body value: - message: >- - data stream: \".lists-default\" and \".items-default\" - already exists - status_code: 409 + body: update timeline error + statusCode: 405 schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List data stream exists response - '500': + type: object + properties: + body: + description: The error message + example: update timeline error + type: string + statusCode: + example: 405 + type: number + description: Indicates that there was an error in the Timeline creation. + summary: Create a Timeline or Timeline template + tags: + - Security Timeline API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/timeline/_copy: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/timeline/_copy
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Copies and returns a timeline or timeline template. + operationId: CopyTimeline + requestBody: + content: + application/json: + examples: + copyWithTitle: + summary: Copy with a new title + value: + timeline: + timelineType: default + title: Copy of investigation + timelineIdToCopy: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + schema: + type: object + properties: + timeline: + $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' + timelineIdToCopy: + description: The `savedObjectId` of the timeline or template to duplicate. + type: string + required: + - timeline + - timelineIdToCopy + description: Source timeline id to copy plus timeline fields for the new saved object. + required: true + responses: + '200': content: application/json: examples: - serverError: + copied: + summary: Newly saved timeline value: - message: Internal Server Error - status_code: 500 + savedObjectId: 6ce1b592-84e3-4b4a-9552-f189d4b82075 + status: active + timelineType: default + title: Copy of investigation + version: WzE1LDFd schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Create list data streams + $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' + description: Indicates a successful call. + summary: Copies timeline or timeline template tags: - - Security Lists API - /api/lists/items: - delete: - description: >- - Delete a value list item using its `id`, or its `list_id` and `value` - fields. - operationId: DeleteListItem + - Security Timeline API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/timeline/_draft: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/timeline/_draft
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the details of the draft Timeline or Timeline template for the current user. If the user doesn't have a draft Timeline, an empty Timeline is returned. + operationId: GetDraftTimelines parameters: - - description: >- - Value list item's identifier. Required if `list_id` and `value` are - not specified. - in: query - name: id - required: false - schema: - $ref: '#/components/schemas/Security_Lists_API_ListItemId' - - description: Value list's identifier. Required if `id` is not specified. - in: query - name: list_id - required: false - schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' - - description: >- - The value used to evaluate exceptions. Required if `id` is not - specified. - in: query - name: value - required: false - schema: - example: 255.255.255.255 - type: string - - description: >- - Determines when changes made by the request are made visible to - search. + - description: Which draft to load (`default` investigation timeline or `template` timeline template). 
in: query - name: refresh - required: false + name: timelineType + required: true schema: - default: 'false' - enum: - - 'true' - - 'false' - - wait_for - example: false - type: string + $ref: '#/components/schemas/Security_Timeline_API_TimelineType' responses: '200': content: application/json: examples: - ip: + draftPayload: + summary: Draft timeline payload value: - _version: WzIwLDFd - '@timestamp': 2025-01-08T05:15:05.159Z - created_at: 2025-01-08T05:15:05.159Z - created_by: elastic - id: pd1WRJQBs4HAK3VQeHFI - list_id: ip_list - tie_breaker_id: eee41dc7-1666-4876-982f-8b0f7b59eca3 - type: ip - updated_at: 2025-01-08T05:44:14.009Z - updated_by: elastic - value: 255.255.255.255 + savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + status: draft + timelineType: default + title: '' + version: WzE0LDFd schema: - oneOf: - - $ref: '#/components/schemas/Security_Lists_API_ListItem' - - items: - $ref: '#/components/schemas/Security_Lists_API_ListItem' - type: array - description: Successful response - '400': + $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' + description: Indicates a successful call. + '403': content: application/json: examples: - badRequest: + forbidden: + summary: Permission denied value: - message: >- - Either \"list_id\" or \"id\" needs to be defined in the - request - status_code: 400 + message: Forbidden + status_code: 403 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': + type: object + properties: + message: + type: string + status_code: + type: number + description: If a draft Timeline was not found and we attempted to create one, it indicates that the user does not have the required permissions to create a draft Timeline. 
+ '409': content: application/json: examples: - unauthorized: + conflict: + summary: Draft conflict value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 + message: Conflict + status_code: 409 schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': + type: object + properties: + message: + type: string + status_code: + type: number + description: This should never happen, but if a draft Timeline was not found and we attempted to create one, it indicates that there is already a draft Timeline with the given `timelineId`. + summary: Get draft Timeline or Timeline template details + tags: + - Security Timeline API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/timeline/_draft
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a clean draft Timeline or Timeline template for the current user. + > info + > If the user already has a draft Timeline, the existing draft Timeline is cleared and returned. + operationId: CleanDraftTimelines + requestBody: + content: + application/json: + examples: + defaultDraft: + summary: Create a default draft timeline + value: + timelineType: default + schema: + type: object + properties: + timelineType: + $ref: '#/components/schemas/Security_Timeline_API_TimelineType' + required: + - timelineType + description: The type of Timeline to create. Valid values are `default` and `template`. + required: true + responses: + '200': content: application/json: examples: - forbidden: + draftResponse: + summary: Draft after reset or creation value: - error: Forbidden - message: >- - API [DELETE /api/lists/items?id=pd1WRJQBs4HAK3VQeHFI] is - unauthorized for user, this action is granted by the - Kibana privileges [lists-all] - statusCode: 403 + savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + status: draft + templateTimelineId: null + templateTimelineVersion: null + timelineType: default + title: '' + version: WzE0LDFd schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': + $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' + description: Indicates a successful call. 
+ '403': content: application/json: examples: - notFound: + forbidden: + summary: Permission denied value: - message: 'list item with id: \"pd1WRJQBs4HAK3VQeHFI\" not found' - status_code: 404 + message: Forbidden + status_code: 403 schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List item not found response - '500': + type: object + properties: + message: + type: string + status_code: + type: number + description: Indicates that the user does not have the required permissions to create a draft Timeline. + '409': content: application/json: examples: - serverError: + conflict: + summary: Draft conflict value: - message: Internal Server Error - status_code: 500 + message: Conflict + status_code: 409 schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Delete a value list item + type: object + properties: + message: + type: string + status_code: + type: number + description: Indicates that there is already a draft Timeline with the given `timelineId`. + summary: Create a clean draft Timeline or Timeline template tags: - - Security Lists API - get: - description: Get the details of a value list item. - operationId: ReadListItem + - Security Timeline API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/timeline/_export: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/timeline/_export
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Export Timelines as an NDJSON file. + operationId: ExportTimelines parameters: - - description: >- - Value list item identifier. Required if `list_id` and `value` are - not specified. - in: query - name: id - required: false - schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' - - description: >- - Value list item list's `id` identfier. Required if `id` is not - specified. - in: query - name: list_id - required: false - schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' - - description: >- - The value used to evaluate exceptions. Required if `id` is not - specified. + - description: The name of the file to export in: query - name: value - required: false + name: file_name + required: true schema: - example: 127.0.0.2 type: string + requestBody: + content: + application/json: + examples: + exportIds: + summary: Export by timeline ids + value: + ids: + - 15c1929b-0af7-42bd-85a8-56e234cc7c4e + schema: + type: object + properties: + ids: + items: + type: string + maxItems: 1000 + minItems: 1 + nullable: true + type: array + description: The IDs of the Timelines to export. 
+ required: true responses: '200': content: - application/json: + application/ndjson: examples: - ip: - value: - _version: WzExLDFd - '@timestamp': 2025-01-08T05:16:25.882Z - created_at: 2025-01-08T05:16:25.882Z - created_by: elastic - id: qN1XRJQBs4HAK3VQs3Gc - list_id: ip_list - tie_breaker_id: a9a34c02-a385-436e-86a0-02a3942f3537 - type: ip - updated_at: 2025-01-08T05:16:25.882Z - updated_by: elastic - value: 127.0.0.2 + ndjsonLine: + summary: Single NDJSON line + value: '{"savedObjectId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e","version":"WzE0LDFd","title":"Investigation","timelineType":"default"}' schema: - oneOf: - - $ref: '#/components/schemas/Security_Lists_API_ListItem' - - items: - $ref: '#/components/schemas/Security_Lists_API_ListItem' - type: array - description: Successful response + description: NDJSON of the exported Timelines + type: string + description: Indicates a successful call. '400': content: - application/json: + application/ndjson: examples: badRequest: + summary: Export error value: - message: >- - Either \"list_id\" or \"id\" needs to be defined in the - request - status_code: 400 + body: Export limit exceeded + statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': + type: object + properties: + body: + type: string + statusCode: + type: number + description: Bad Request response. + summary: Export Timelines + tags: + - Security Timeline API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/timeline/_favorite: + patch: + description: |- + **Spaces method and path for this operation:** + +
patch /s/{space_id}/api/timeline/_favorite
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Favorite a Timeline or Timeline template for the current user. + operationId: PersistFavoriteRoute + requestBody: + content: + application/json: + examples: + favoriteDefault: + summary: Favorite a default timeline + value: + templateTimelineId: null + templateTimelineVersion: null + timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + timelineType: default + schema: + type: object + properties: + templateTimelineId: + nullable: true + type: string + templateTimelineVersion: + nullable: true + type: number + timelineId: + nullable: true + type: string + timelineType: + $ref: '#/components/schemas/Security_Timeline_API_TimelineType' + nullable: true + required: + - timelineId + - templateTimelineId + - templateTimelineVersion + - timelineType + description: The required fields used to favorite a (template) Timeline. + required: true + responses: + '200': content: application/json: examples: - unauthorized: + favoriteResponse: + summary: Favorite metadata updated value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 + favorite: + - favoriteDate: 1741337636741 + userName: elastic + savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + timelineType: default + version: WzE2LDFd schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response + $ref: '#/components/schemas/Security_Timeline_API_FavoriteTimelineResponse' + description: Indicates a successful call. 
'403': content: application/json: examples: forbidden: + summary: Forbidden value: - error: Forbidden - message: >- - API [GET /api/lists/items?id=qN1XRJQBs4HAK3VQs3Gc] is - unauthorized for user, this action is granted by the - Kibana privileges [lists-read] + body: Forbidden statusCode: 403 schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message: 'list item id: \"foo\" not found' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List item not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Get a value list item + type: object + properties: + body: + type: string + statusCode: + type: number + description: Indicates the user does not have the required permissions to persist the favorite status. + summary: Favorite a Timeline or Timeline template tags: - - Security Lists API - patch: - description: >- - Update specific fields of an existing value list item using the item - `id`. - operationId: PatchListItem + - Security Timeline API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/timeline/_import: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/timeline/_import
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Import Timelines. + operationId: ImportTimelines requestBody: content: application/json: examples: - changeValue: + multipartPlaceholder: + summary: Request shape (file is a stream of NDJSON lines at runtime) value: - id: pd1WRJQBs4HAK3VQeHFI - value: 255.255.255.255 + file: '{"savedObjectId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e","version":"WzE0LDFd"}\n' + isImmutable: 'false' schema: type: object properties: - _version: - $ref: '#/components/schemas/Security_Lists_API_ListVersionId' - id: - $ref: '#/components/schemas/Security_Lists_API_ListItemId' - meta: - $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' - refresh: - description: >- - Determines when changes made by the request are made visible - to search. + file: {} + isImmutable: + description: Whether the Timeline should be immutable enum: - 'true' - 'false' - - wait_for type: string - value: - $ref: '#/components/schemas/Security_Lists_API_ListItemValue' required: - - id - description: Value list item's properties + - file + description: The Timelines to import as a readable stream. required: true responses: '200': content: application/json: examples: - ipItem: + importSummary: + summary: Import summary value: - _version: WzE5LDFd - '@timestamp': 2025-01-08T05:15:05.159Z - created_at: 2025-01-08T05:15:05.159Z - created_by: elastic - id: pd1WRJQBs4HAK3VQeHFI - list_id: ip_list - tie_breaker_id: eee41dc7-1666-4876-982f-8b0f7b59eca3 - type: ip - updated_at: 2025-01-08T05:23:37.602Z - updated_by: elastic - value: 255.255.255.255 + errors: [] + success: true + success_count: 5 + timelines_installed: 3 + timelines_updated: 2 schema: - $ref: '#/components/schemas/Security_Lists_API_ListItem' - description: Successful response + $ref: '#/components/schemas/Security_Timeline_API_ImportTimelineResult' + description: Indicates a successful call. 
'400': content: application/json: examples: badRequest: + summary: Invalid import value: - message: >- - {"took":15,"timed_out":false,"total":1,"updated":0,"deleted":0,"batches":1,"version_conflicts":0,"noops":0,"retries":{"bulk":0,"search":0},"throttled_millis":0,"requests_per_second":-1,"throttled_until_millis":0,"failures":[{"index":".ds-.items-default-2025.01.09-000001","id":"ip_item","cause":{"type":"document_parsing_exception","reason":"[1:107] - failed to parse field [ip] of type [ip] in document with - id ip_item. Preview of fields value: - 2","caused_by":{"type":"illegal_argument_exception","reason":"2 - is not an IP string literal."}},"status":400}]} - status_code: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [PATCH /api/lists/items] is unauthorized for user, - this action is granted by the Kibana privileges - [lists-all] - statusCode: 403 + body: Invalid file extension + statusCode: 400 schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response + type: object + properties: + body: + description: The error message + example: Invalid file extension + type: string + statusCode: + example: 400 + type: number + description: 
Bad Request response. '404': content: application/json: examples: notFound: + summary: Saved objects client missing value: - message: 'list item id: \"foo\" not found' - status_code: 404 + body: Unable to find saved object client + statusCode: 404 schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List item not found response - '500': + type: object + properties: + body: + description: The error message + example: Unable to find saved object client + type: string + statusCode: + example: 404 + type: number + description: Not found response. + '409': content: application/json: examples: - serverError: + conflict: + summary: Import conflict value: - message: Internal Server Error - status_code: 500 + body: Could not import timelines + statusCode: 409 schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Patch a value list item + type: object + properties: + body: + description: The error message + example: Could not import timelines + type: string + statusCode: + example: 409 + type: number + description: Indicates the import of Timelines was unsuccessful. + summary: Import Timelines tags: - - Security Lists API + - Security Timeline API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/timeline/_prepackaged: post: - description: > - Create a value list item and associate it with the specified value list. + description: |- + **Spaces method and path for this operation:** +
post /s/{space_id}/api/timeline/_prepackaged
- All value list items in the same list must be the same type. For - example, each list item in an `ip` list must define a specific IP - address. + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - > info - - > Before creating a list item, you must create a list. - operationId: CreateListItem + Install or update prepackaged Timelines. + operationId: InstallPrepackedTimelines requestBody: content: application/json: examples: - ip: - value: - list_id: ip_list - value: 127.0.0.1 - ip_range: - value: - list_id: ip_range_list - value: 192.168.0.0/16 - keyword: + emptyArrays: + summary: Installer payload shape value: - list_id: keyword_list - value: zeek + prepackagedTimelines: [] + timelinesToInstall: [] + timelinesToUpdate: [] schema: type: object properties: - id: - $ref: '#/components/schemas/Security_Lists_API_ListItemId' - list_id: - $ref: '#/components/schemas/Security_Lists_API_ListId' - meta: - $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' - refresh: - description: >- - Determines when changes made by the request are made visible - to search. - enum: - - 'true' - - 'false' - - wait_for - example: wait_for - type: string - value: - $ref: '#/components/schemas/Security_Lists_API_ListItemValue' + prepackagedTimelines: + items: + $ref: '#/components/schemas/Security_Timeline_API_TimelineSavedToReturnObject' + nullable: true + type: array + timelinesToInstall: + items: + $ref: '#/components/schemas/Security_Timeline_API_ImportTimelines' + nullable: true + type: array + timelinesToUpdate: + items: + $ref: '#/components/schemas/Security_Timeline_API_ImportTimelines' + nullable: true + type: array required: - - list_id - - value - description: Value list item's properties + - timelinesToInstall + - timelinesToUpdate + - prepackagedTimelines + description: The Timelines to install or update. 
required: true responses: '200': content: application/json: examples: - ip: - value: - _version: WzAsMV0= - '@timestamp': 2025-01-08T04:59:06.154Z - created_at: 2025-01-08T04:59:06.154Z - created_by: elastic - id: 21b01cfb-058d-44b9-838c-282be16c91cc - list_id: ip_list - tie_breaker_id: b57c762c-3036-465c-9bfb-7bfb5e6e515a - type: ip - updated_at: 2025-01-08T04:59:06.154Z - updated_by: elastic - value: 127.0.0.1 - ip_range: - value: - _version: WzEsMV0= - '@timestamp': 2025-01-09T18:33:08.202Z - created_at: 2025-01-09T18:33:08.202Z - created_by: elastic - id: ip_range_item - list_id: ip_range_list - tie_breaker_id: ea1b4189-efda-4637-b8f9-74655a5ebb61 - type: ip_range - updated_at: 2025-01-09T18:33:08.202Z - updated_by: elastic - value: 192.168.0.0/16 - keyword: + installResult: + summary: Install result counts value: - _version: WzIsMV0= - '@timestamp': 2025-01-09T18:34:29.422Z - created_at: 2025-01-09T18:34:29.422Z - created_by: elastic - id: 7f24737d-1da8-4626-a568-33070591bb4e - list_id: keyword_list - tie_breaker_id: 2108ced2-5e5d-401e-a88e-4dd69fc5fa27 - type: keyword - updated_at: 2025-01-09T18:34:29.422Z - updated_by: elastic - value: zeek + errors: [] + success: true + success_count: 10 + timelines_installed: 8 + timelines_updated: 2 schema: - $ref: '#/components/schemas/Security_Lists_API_ListItem' - description: Successful response - '400': + $ref: '#/components/schemas/Security_Timeline_API_ImportTimelineResult' + description: Indicates a successful call. 
+ '500': content: application/json: examples: - badRequest: + serverError: + summary: Server error value: - error: Bad Request - message: >- - uri [/api/lists/items] with method [post] exists but is - not available with the current configuration - statusCode: 400 + body: Internal error + statusCode: 500 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': + type: object + properties: + body: + type: string + statusCode: + type: number + description: Indicates the installation of prepackaged Timelines was unsuccessful. + summary: Install prepackaged Timelines + tags: + - Security Timeline API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/timeline/resolve: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/timeline/resolve
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Resolve a Timeline or Timeline template, surfacing outcomes such as `exactMatch`, `aliasMatch`, or `conflict` when object IDs have been remapped during upgrades or imports. Provide **either** `id` for default Timelines or `template_timeline_id` for templates. + operationId: ResolveTimeline + parameters: + - description: The ID of the template timeline to resolve + in: query + name: template_timeline_id + schema: + type: string + - description: The ID of the timeline to resolve + in: query + name: id + schema: + type: string + responses: + '200': content: application/json: examples: - unauthorized: + exactMatch: + description: Timeline resolved without alias or conflict + summary: Exact match outcome value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 + outcome: exactMatch + timeline: + savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + timelineType: default + title: Investigation schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': + $ref: '#/components/schemas/Security_Timeline_API_ResolvedTimeline' + description: Indicates a successful call. + '400': content: application/json: examples: - forbidden: - value: - error: Forbidden - message: >- - API [POST /api/lists/items] is unauthorized for user, this - action is granted by the Kibana privileges [lists-all] - statusCode: 403 + badRequest: + summary: Bad request + value: {} schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response + additionalProperties: true + type: object + description: Bad Request response. 
'404': content: application/json: examples: - listNotFound: - value: - message: 'list id: \"ip_list\" does not exist' - status_code: 404 + notFound: + summary: Not found + value: {} schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '409': + additionalProperties: true + type: object + description: The (template) Timeline was not found + summary: Resolve a Timeline or Timeline template + tags: + - Security Timeline API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/timelines: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/timelines
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all saved Timelines or Timeline templates. + operationId: GetTimelines + parameters: + - description: If `true`, only Timelines that the current user has marked as favorite are returned. + in: query + name: only_user_favorite + schema: + enum: + - 'true' + - 'false' + nullable: true + type: string + - description: Restrict results to `default` investigation timelines or `template` timeline templates. + in: query + name: timeline_type + schema: + $ref: '#/components/schemas/Security_Timeline_API_TimelineType' + nullable: true + - description: Field used to sort the list (`title`, `description`, `updated`, or `created`). + in: query + name: sort_field + schema: + $ref: '#/components/schemas/Security_Timeline_API_SortFieldTimeline' + - description: Whether to sort the results `ascending` or `descending` + in: query + name: sort_order + schema: + enum: + - asc + - desc + type: string + - description: How many results should returned at once + in: query + name: page_size + schema: + nullable: true + type: string + - description: How many pages should be skipped + in: query + name: page_index + schema: + nullable: true + type: string + - description: Allows to search for timelines by their title + in: query + name: search + schema: + nullable: true + type: string + - description: Filter by timeline lifecycle state (`active`, `draft`, or `immutable`). 
+ in: query + name: status + schema: + $ref: '#/components/schemas/Security_Timeline_API_TimelineStatus' + nullable: true + responses: + '200': content: application/json: examples: - alreadyExists: + timelineList: + summary: Example list response value: - message: 'list item id: \"ip_item\" already exists' - status_code: 409 + customTemplateTimelineCount: 0 + defaultTimelineCount: 1 + elasticTemplateTimelineCount: 0 + favoriteCount: 0 + templateTimelineCount: 0 + timeline: + - savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + status: active + timelineType: default + title: Phishing investigation + updated: 1741344876825 + version: WzE0LDFd + totalCount: 1 schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List item already exists response - '500': + type: object + properties: + customTemplateTimelineCount: + description: The amount of custom Timeline templates in the results + example: 2 + type: number + defaultTimelineCount: + description: The amount of `default` type Timelines in the results + example: 90 + type: number + elasticTemplateTimelineCount: + description: The amount of Elastic's Timeline templates in the results + example: 8 + type: number + favoriteCount: + description: The amount of favorited Timelines + example: 5 + type: number + templateTimelineCount: + description: The amount of Timeline templates in the results + example: 10 + type: number + timeline: + items: + $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' + type: array + totalCount: + description: The total amount of results + example: 100 + type: number + required: + - timeline + - totalCount + description: Indicates a successful call. 
+ '400': content: application/json: examples: - serverError: + badRequest: + summary: Error response body value: - message: Internal Server Error - status_code: 500 + body: get timeline error + statusCode: 400 schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Create a value list item + type: object + properties: + body: + description: The error message. + example: get timeline error + type: string + statusCode: + example: 400 + type: number + description: Bad Request response. + summary: Get Timelines or Timeline templates tags: - - Security Lists API + - Security Timeline API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/visualizations: + get: + tags: + - Visualizations + summary: Get visualizations + operationId: get-visualizations-redirect + description: | + > **Technical preview** — The Visualizations API is currently in technical preview and its full reference documentation is temporarily hosted at a separate location. + > + > **[View the full Visualizations API reference →](https://elastic.github.io/dashboards-api-spec/visualizations#tag/Visualizations)** + responses: + '200': + description: See the full Visualizations API reference for detailed response schemas. + post: + tags: + - Visualizations + summary: Create a visualization + operationId: create-visualization-redirect + description: | + > **Technical preview** — The Visualizations API is currently in technical preview and its full reference documentation is temporarily hosted at a separate location. + > + > **[View the full Visualizations API reference →](https://elastic.github.io/dashboards-api-spec/visualizations#tag/Visualizations)** + responses: + '200': + description: See the full Visualizations API reference for detailed response schemas. 
+ /api/visualizations/{id}: + get: + tags: + - Visualizations + summary: Get a visualization + operationId: get-visualization-redirect + description: | + > **Technical preview** — The Visualizations API is currently in technical preview and its full reference documentation is temporarily hosted at a separate location. + > + > **[View the full Visualizations API reference →](https://elastic.github.io/dashboards-api-spec/visualizations#tag/Visualizations)** + responses: + '200': + description: See the full Visualizations API reference for detailed response schemas. put: - description: > - Update a value list item using the list item ID. The original list item - is replaced, and all unspecified fields are deleted. + tags: + - Visualizations + summary: Update a visualization + operationId: update-visualization-redirect + description: | + > **Technical preview** — The Visualizations API is currently in technical preview and its full reference documentation is temporarily hosted at a separate location. + > + > **[View the full Visualizations API reference →](https://elastic.github.io/dashboards-api-spec/visualizations#tag/Visualizations)** + responses: + '200': + description: See the full Visualizations API reference for detailed response schemas. + delete: + tags: + - Visualizations + summary: Delete a visualization + operationId: delete-visualization-redirect + description: | + > **Technical preview** — The Visualizations API is currently in technical preview and its full reference documentation is temporarily hosted at a separate location. + > + > **[View the full Visualizations API reference →](https://elastic.github.io/dashboards-api-spec/visualizations#tag/Visualizations)** + responses: + '200': + description: See the full Visualizations API reference for detailed response schemas. + /api/workflows: + delete: + description: |- + **Spaces method and path for this operation:** - > info +
delete /s/{space_id}/api/workflows
- > You cannot modify the `id` value. - operationId: UpdateListItem + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete multiple workflows by their IDs.

[Required authorization] Route required privileges: workflowsManagement:delete. + operationId: delete-workflows + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: When true, permanently deletes the workflows (hard delete) instead of soft-deleting them. The workflow IDs become available for reuse. + in: query + name: force + required: false + schema: + default: false + type: boolean requestBody: content: application/json: examples: - fullReplace: + bulkDeleteWorkflowsRequestExample: + description: Example request for deleting multiple workflows value: - id: ip_item - value: 255.255.255.255 + ids: + - workflow-c3d4e5f6-a7b8-9012-cdef-234567890123 + - workflow-d4e5f6a7-b8c9-0123-defa-345678901234 schema: - example: - id: ip_item - value: 255.255.255.255 + additionalProperties: false type: object properties: - _version: - $ref: '#/components/schemas/Security_Lists_API_ListVersionId' - id: - $ref: '#/components/schemas/Security_Lists_API_ListItemId' - meta: - $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' - value: - $ref: '#/components/schemas/Security_Lists_API_ListItemValue' + ids: + description: Array of workflow IDs to delete. + items: + description: Workflow ID to delete. 
+ type: string + maxItems: 1000 + type: array required: - - id - - value - description: Value list item's properties - required: true + - ids responses: '200': content: application/json: examples: - ip: - value: - _version: WzIwLDFd - '@timestamp': 2025-01-08T05:15:05.159Z - created_at: 2025-01-08T05:15:05.159Z - created_by: elastic - id: pd1WRJQBs4HAK3VQeHFI - list_id: ip_list - tie_breaker_id: eee41dc7-1666-4876-982f-8b0f7b59eca3 - type: ip - updated_at: 2025-01-08T05:44:14.009Z - updated_by: elastic - value: 255.255.255.255 - schema: - $ref: '#/components/schemas/Security_Lists_API_ListItem' - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: '[request body]: id: Expected string, received number' - statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [PATCH /api/lists/items] is unauthorized for user, - this action is granted by the Kibana privileges - [lists-all] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: + 
bulkDeleteWorkflowsResponseExample: + description: Example response after deleting multiple workflows value: - message: 'list item id: \"foo\" not found' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List item not found response - '500': + deleted: 2 + failures: [] + total: 2 + description: Indicates a successful response + summary: Bulk delete workflows + tags: + - workflows + x-codeSamples: + - label: Soft delete (default) + lang: curl + source: | + curl \ + -X DELETE "${KIBANA_URL}/api/workflows" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "ids": ["workflow-c3d4e5f6-a7b8-9012-cdef-234567890123", "workflow-d4e5f6a7-b8c9-0123-defa-345678901234"] + }' + - label: Hard delete (permanent) + lang: curl + source: | + curl \ + -X DELETE "${KIBANA_URL}/api/workflows?force=true" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "ids": ["workflow-c3d4e5f6-a7b8-9012-cdef-234567890123", "workflow-d4e5f6a7-b8c9-0123-defa-345678901234"] + }' + - lang: Console + source: | + DELETE kbn://api/workflows + { + "ids": ["workflow-c3d4e5f6-a7b8-9012-cdef-234567890123", "workflow-d4e5f6a7-b8c9-0123-defa-345678901234"] + } + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/workflows
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve a paginated list of workflows with optional filtering.

[Required authorization] Route required privileges: workflowsManagement:read OR workflowsManagement:readExecution. + operationId: get-workflows + parameters: + - description: Free-text search query. + in: query + name: query + required: false + schema: + type: string + - description: Number of results per page. + in: query + name: size + required: false + schema: + minimum: 1 + type: number + - description: Page number. + in: query + name: page + required: false + schema: + minimum: 1 + type: number + - description: Filter by enabled state. + in: query + name: enabled + required: false + schema: + items: + type: boolean + maxItems: 2 + type: array + - description: Filter by creator. + in: query + name: createdBy + required: false + schema: + items: + type: string + maxItems: 1000 + type: array + - description: Filter by tags. + in: query + name: tags + required: false + schema: + items: + type: string + maxItems: 1000 + type: array + - description: Filter by managed status. Defaults to "unmanaged". 
+ in: query + name: managed + required: false + schema: + enum: + - all + - managed + - unmanaged + type: string + responses: + '200': content: application/json: examples: - serverError: + getWorkflowsResponseExample: + description: Example response returning a paginated list of workflows value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Update a value list item + page: 1 + results: + - createdAt: '2025-11-20T10:30:00.000Z' + definition: + description: This is a workflow example + enabled: true + inputs: + - default: hello world + name: message + type: string + name: Example definition + steps: + - name: hello_world_step + type: console + with: + message: '{{ inputs.message }}' + triggers: + - type: manual + description: This is a workflow example + enabled: true + history: + - duration: 5000 + finishedAt: '2025-11-20T12:00:05.000Z' + id: exec-001 + startedAt: '2025-11-20T12:00:00.000Z' + status: completed + workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + workflowName: Example definition + id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + name: Example definition + tags: + - example + valid: true + size: 20 + total: 1 + description: Indicates a successful response + summary: Get workflows tags: - - Security Lists API - /api/lists/items/_export: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/workflows?size=20&page=1" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/workflows?size=20&page=1 + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name post: - description: Export list item values from the specified value list. - operationId: ExportListItems + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/workflows
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create multiple workflows in a single request. Optionally overwrite existing workflows.

[Required authorization] Route required privileges: workflowsManagement:create AND workflowsManagement:update. + operationId: post-workflows parameters: - - description: Value list's `id` to export. - in: query - name: list_id + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' + example: 'true' + type: string + - description: Whether to overwrite existing workflows. + in: query + name: overwrite + required: false + schema: + default: false + type: boolean + requestBody: + content: + application/json: + examples: + bulkCreateWorkflowsRequestExample: + description: Example request for creating multiple workflows at once + value: + workflows: + - yaml: | + name: Example definition + enabled: true + description: This is a workflow example + triggers: + - type: manual + inputs: + - name: message + type: string + default: "hello world" + steps: + - name: hello_world_step + type: console + with: + message: "{{ inputs.message }}" + - id: workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901 + yaml: | + name: Second workflow + enabled: false + description: Another workflow + triggers: + - type: manual + steps: + - name: log_step + type: console + with: + message: "Hello from second workflow" + schema: + additionalProperties: false + type: object + properties: + workflows: + items: + type: object + properties: + id: + maxLength: 255 + minLength: 3 + pattern: ^[a-z0-9]([a-z0-9-]*[a-z0-9])?$ + type: string + yaml: + maxLength: 1048576 + type: string + required: + - yaml + maxItems: 500 + type: array + required: + - workflows responses: '200': - content: - application/ndjson: - examples: - ipLines: - value: | - 127.0.0.1 - 127.0.0.2 - 127.0.0.3 - schema: - description: A `.txt` file containing list items from the specified list - example: | - 127.0.0.1 - 127.0.0.2 - 127.0.0.3 - 127.0.0.4 - 127.0.0.5 - 127.0.0.6 - 127.0.0.7 - 127.0.0.8 - 127.0.0.9 - format: 
binary - type: string - description: Successful response - '400': content: application/json: examples: - badRequest: + bulkCreateWorkflowsResponseExample: + description: Example response after creating multiple workflows value: - error: 'Bad Request","message":"[request query]: list_id: Required' - statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': + created: + - id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + name: Example definition + - id: workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901 + name: Second workflow + failures: [] + total: 2 + description: Indicates a successful response + summary: Bulk create workflows + tags: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/workflows?overwrite=false" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "workflows": [ + { "yaml": "name: Example definition\nenabled: true\ndescription: This is a workflow example\ntriggers:\n - type: manual\ninputs:\n - name: message\n type: string\n default: \"hello world\"\nsteps:\n - name: hello_world_step\n type: console\n with:\n message: \"{{ inputs.message }}\"\n" }, + { "id": "workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901", "yaml": "name: Second workflow\nenabled: false\ndescription: Another workflow\ntriggers:\n - type: manual\nsteps:\n - name: log_step\n type: console\n with:\n message: \"Hello from second workflow\"\n" } + ] + }' + - lang: Console + source: | + POST kbn://api/workflows?overwrite=false + { + "workflows": [ + { "yaml": "name: Example definition\nenabled: true\ndescription: This is a workflow example\ntriggers:\n - type: manual\ninputs:\n - name: message\n type: string\n default: \"hello world\"\nsteps:\n - name: hello_world_step\n type: console\n with:\n message: \"{{ 
inputs.message }}\"\n" }, + { "id": "workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901", "yaml": "name: Second workflow\nenabled: false\ndescription: Another workflow\ntriggers:\n - type: manual\nsteps:\n - name: log_step\n type: console\n with:\n message: \"Hello from second workflow\"\n" } + ] + } + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/workflows/aggs: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/workflows/aggs
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve distinct values and their counts for the specified workflow fields. Useful for building filters such as lists of tags or creators.

[Required authorization] Route required privileges: workflowsManagement:read. + operationId: get-workflows-aggs + parameters: + - description: Field or fields to aggregate on. + in: query + name: fields + required: true + schema: + description: Fields to aggregate on. + items: + description: Field name to aggregate. + type: string + maxItems: 25 + minItems: 1 + type: array + responses: + '200': content: application/json: examples: - unauthorized: + getAggsResponseExample: + description: Example response with tag and createdBy aggregations value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': + createdBy: + - doc_count: 2 + key: elastic + tags: + - doc_count: 1 + key: reporting + - doc_count: 1 + key: security + - doc_count: 1 + key: triage + description: Indicates a successful response + summary: Get workflow aggregations + tags: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/workflows/aggs?fields=tags&fields=createdBy" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/workflows/aggs?fields=tags&fields=createdBy + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/workflows/connectors: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/workflows/connectors
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve the Kibana action connectors that can be used in workflow steps, grouped by connector type. Each type includes its configured instances and availability status.

[Required authorization] Route required privileges: workflowsManagement:read. + operationId: get-workflows-connectors + parameters: [] + responses: + '200': content: application/json: examples: - forbidden: + getConnectorsResponseExample: + description: Example response with available connector types and their instances value: - error: Forbidden - message: >- - API [POST /api/lists/items/_export?list_id=ips.txt] is - unauthorized for user, this action is granted by the - Kibana privileges [lists-read] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': + connectorTypes: + .email: + actionTypeId: .email + displayName: Email + enabled: true + enabledInConfig: true + enabledInLicense: true + instances: [] + minimumLicenseRequired: gold + subActions: + - displayName: Send + name: send + .slack_api: + actionTypeId: .slack_api + displayName: Slack + enabled: true + enabledInConfig: true + enabledInLicense: true + instances: + - id: slack-connector-1 + isDeprecated: false + isPreconfigured: false + name: Team Notifications + minimumLicenseRequired: gold + subActions: + - displayName: Post Message + name: postMessage + totalConnectors: 1 + description: Indicates a successful response + summary: Get available connectors + tags: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/workflows/connectors" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/workflows/connectors + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/workflows/executions/{executionId}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/workflows/executions/{executionId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve details of a single workflow execution by its ID.

[Required authorization] Route required privileges: workflowsManagement:readExecution. + operationId: get-workflows-executions-executionid + parameters: + - description: Workflow execution ID + in: path + name: executionId + required: true + schema: + type: string + - description: Include execution input data. + in: query + name: includeInput + required: false + schema: + default: false + type: boolean + - description: Include execution output data. + in: query + name: includeOutput + required: false + schema: + default: false + type: boolean + responses: + '200': content: application/json: examples: - notFound: - value: - message: 'list id: "unknown_list" not found' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List not found response - '500': + getExecutionResponseExample: + description: Example response returning a workflow execution with step details + value: + duration: 3000 + executedBy: elastic + finishedAt: '2025-11-20T12:00:03.000Z' + id: exec-a1b2c3d4-e5f6-7890 + input: + message: hello world + isTestRun: false + output: hello world + spaceId: default + startedAt: '2025-11-20T12:00:00.000Z' + status: completed + stepExecutions: + - executionTimeMs: 1000 + finishedAt: '2025-11-20T12:00:02.000Z' + globalExecutionIndex: 0 + id: step-exec-001 + isTestRun: false + scopeStack: [] + spaceId: default + startedAt: '2025-11-20T12:00:01.000Z' + status: completed + stepExecutionIndex: 0 + stepId: hello_world_step + stepType: console + topologicalIndex: 0 + workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + workflowRunId: exec-a1b2c3d4-e5f6-7890 + triggeredBy: manual + workflowDefinition: + description: This is a workflow example + enabled: true + inputs: + - default: hello world + name: message + type: string + name: Example definition + steps: + - name: hello_world_step + type: console + with: + message: '{{ inputs.message }}' + triggers: + - type: manual + workflowId: 
workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + yaml: | + name: Example definition + enabled: true + description: This is a workflow example + triggers: + - type: manual + inputs: + - name: message + type: string + default: "hello world" + steps: + - name: hello_world_step + type: console + with: + message: "{{ inputs.message }}" + description: Indicates a successful response + summary: Get a workflow execution + tags: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/workflows/executions/{executionId}?includeInput=true&includeOutput=true" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/workflows/executions/{executionId}?includeInput=true&includeOutput=true + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/workflows/executions/{executionId}/cancel: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/workflows/executions/{executionId}/cancel
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Cancel a running workflow execution by its ID.

[Required authorization] Route required privileges: workflowsManagement:cancelExecution. + operationId: post-workflows-executions-executionid-cancel + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Workflow execution ID + in: path + name: executionId + required: true + schema: + type: string + responses: + '200': + description: Indicates a successful response + summary: Cancel a workflow execution + tags: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/workflows/executions/{executionId}/cancel" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" + - lang: Console + source: | + POST kbn://api/workflows/executions/{executionId}/cancel + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/workflows/executions/{executionId}/children: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/workflows/executions/{executionId}/children
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve child workflow executions spawned by sub-workflow steps within a parent execution.

[Required authorization] Route required privileges: workflowsManagement:readExecution. + operationId: get-workflows-executions-executionid-children + parameters: + - description: Workflow execution ID + in: path + name: executionId + required: true + schema: + type: string + responses: + '200': content: application/json: examples: - serverError: + getChildrenExecutionsResponseExample: + description: Example response returning child workflow executions spawned by sub-workflow steps value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Export value list items + - executionId: child-exec-001 + parentStepExecutionId: step-exec-003 + status: completed + stepExecutions: + - executionTimeMs: 1000 + finishedAt: '2025-11-20T12:00:07.000Z' + globalExecutionIndex: 0 + id: child-step-001 + isTestRun: false + scopeStack: [] + startedAt: '2025-11-20T12:00:06.000Z' + status: completed + stepExecutionIndex: 0 + stepId: hello_world_step + stepType: console + topologicalIndex: 0 + workflowId: workflow-e5f6a7b8-c9d0-1234-efab-456789012345 + workflowRunId: child-exec-001 + workflowId: workflow-e5f6a7b8-c9d0-1234-efab-456789012345 + workflowName: Child Workflow + description: Indicates a successful response + summary: Get child executions tags: - - Security Lists API - /api/lists/items/_find: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/workflows/executions/{executionId}/children" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/workflows/executions/{executionId}/children + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/workflows/executions/{executionId}/logs: get: - description: Get all value list items in the specified list. 
- operationId: FindListItems + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/workflows/executions/{executionId}/logs
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve paginated logs for a workflow execution. Optionally filter by a specific step execution.

[Required authorization] Route required privileges: workflowsManagement:readExecution. + operationId: get-workflows-executions-executionid-logs parameters: - - description: Parent value list's `id` to page through items for. - in: query - name: list_id + - description: Workflow execution ID + in: path + name: executionId required: true schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' - - description: The page number to return. + type: string + - description: Filter logs by a specific step execution ID. in: query - name: page + name: stepExecutionId required: false schema: - example: 1 - type: integer - - description: The number of list items to return per page. + type: string + - description: Number of log entries per page. in: query - name: per_page + name: size required: false schema: - example: 20 - type: integer - - description: Determines which field is used to sort the results. + default: 100 + maximum: 100 + minimum: 1 + type: number + - description: Page number. in: query - name: sort_field + name: page required: false schema: - example: value - format: nonempty - minLength: 1 - type: string - - description: Determines the sort order, which can be `desc` or `asc` + default: 1 + minimum: 1 + type: number + - description: Field to sort by. in: query - name: sort_order + name: sortField required: false schema: - enum: - - desc - - asc - example: asc type: string - - description: > - Opaque cursor returned in a previous response; pass it to continue - listing from the next page. Omit on the first request. - in: query - name: cursor - required: false - schema: - $ref: '#/components/schemas/Security_Lists_API_FindListItemsCursor' - - description: > - Filters the returned results according to the value of the specified - field, - - using the : syntax. + - description: Sort order. 
in: query - name: filter + name: sortOrder required: false schema: - $ref: '#/components/schemas/Security_Lists_API_FindListItemsFilter' + enum: + - asc + - desc + type: string responses: '200': content: application/json: examples: - ip: + getExecutionLogsResponseExample: + description: Example response returning paginated execution logs value: - cursor: >- - WzIwLFsiYjU3Yzc2MmMtMzAzNi00NjVjLTliZmItN2JmYjVlNmU1MTVhIl1d - data: - - _version: WzAsMV0= - '@timestamp': 2025-01-08T04:59:06.154Z - created_at: 2025-01-08T04:59:06.154Z - created_by: elastic - id: 21b01cfb-058d-44b9-838c-282be16c91cc - list_id: ip_list - tie_breaker_id: b57c762c-3036-465c-9bfb-7bfb5e6e515a - type: ip - updated_at: 2025-01-08T04:59:06.154Z - updated_by: elastic - value: 127.0.0.1 + logs: + - additionalData: + executionId: exec-a1b2c3d4-e5f6-7890 + workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + connectorType: console + duration: 150 + id: log-001 + level: info + message: Workflow execution started + stepId: hello_world_step + stepName: Hello World + timestamp: '2025-11-20T12:00:01.000Z' + - additionalData: + executionId: exec-a1b2c3d4-e5f6-7890 + workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + connectorType: console + duration: 200 + id: log-002 + level: info + message: Step completed successfully + stepId: hello_world_step + stepName: Hello World + timestamp: '2025-11-20T12:00:02.000Z' page: 1 - per_page: 20 - total: 1 - schema: - type: object - properties: - cursor: - $ref: >- - #/components/schemas/Security_Lists_API_FindListItemsCursor - data: - items: - $ref: '#/components/schemas/Security_Lists_API_ListItem' - type: array - page: - minimum: 0 - type: integer - per_page: - minimum: 0 - type: integer - total: - minimum: 0 - type: integer - required: - - data - - page - - per_page - - total - - cursor - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request, - message: '[request query]: 
list_id: Required' - statusCode: 400, - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': + size: 100 + total: 2 + description: Indicates a successful response + summary: Get execution logs + tags: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/workflows/executions/{executionId}/logs?size=100&page=1" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/workflows/executions/{executionId}/logs?size=100&page=1 + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/workflows/executions/{executionId}/resume: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/workflows/executions/{executionId}/resume
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Resume a paused workflow execution with the provided input.

[Required authorization] Route required privileges: workflowsManagement:execute. + operationId: post-workflows-executions-executionid-resume + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Workflow execution ID + in: path + name: executionId + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + resumeExecutionRequestExample: + description: Example request to resume a paused workflow execution + value: + input: + approved: true + comment: Approved by analyst + schema: + additionalProperties: false + type: object + properties: + input: + additionalProperties: + nullable: true + description: Input data to resume the execution with. + type: object + required: + - input + responses: + '200': content: application/json: examples: - unauthorized: + resumeExecutionResponseExample: + description: Example response confirming the resume was scheduled value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': + executionId: exec-a1b2c3d4-e5f6-7890 + message: Workflow resume scheduled + success: true + description: Indicates a successful response + summary: Resume a workflow execution + tags: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/workflows/executions/{executionId}/resume" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "input": { + "approved": true, + "comment": "Approved by analyst" + } + }' + 
- lang: Console + source: | + POST kbn://api/workflows/executions/{executionId}/resume + { + "input": { + "approved": true, + "comment": "Approved by analyst" + } + } + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/workflows/executions/{executionId}/step/{stepExecutionId}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/workflows/executions/{executionId}/step/{stepExecutionId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve details of a single step execution within a workflow execution.

[Required authorization] Route required privileges: workflowsManagement:readExecution. + operationId: get-workflows-executions-executionid-step-stepexecutionid + parameters: + - description: Workflow execution ID. + in: path + name: executionId + required: true + schema: + type: string + - description: Step execution ID. + in: path + name: stepExecutionId + required: true + schema: + type: string + responses: + '200': content: application/json: examples: - forbidden: - value: - error: Forbidden - message: >- - API [GET - /api/lists/items/_find?list_id=ip_list&page=1&per_page=20] - is unauthorized for user, this action is granted by the - Kibana privileges [lists-read] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '500': + getStepExecutionResponseExample: + description: Example response returning a single step execution + value: + error: null + executionTimeMs: 1000 + finishedAt: '2025-11-20T12:00:02.000Z' + globalExecutionIndex: 0 + id: step-exec-001 + input: + message: hello world + isTestRun: false + output: hello world + scopeStack: [] + spaceId: default + startedAt: '2025-11-20T12:00:01.000Z' + state: null + status: completed + stepExecutionIndex: 0 + stepId: hello_world_step + stepType: console + topologicalIndex: 0 + workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + workflowRunId: exec-a1b2c3d4-e5f6-7890 + description: Indicates a successful response + summary: Get a step execution + tags: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/workflows/executions/{executionId}/step/{stepExecutionId}" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/workflows/executions/{executionId}/step/{stepExecutionId} + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/workflows/export: + post: + description: |- + 
**Spaces method and path for this operation:** + +
post /s/{space_id}/api/workflows/export
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Export one or more workflows as JSON with YAML content and metadata.

[Required authorization] Route required privileges: workflowsManagement:read. + operationId: post-workflows-export + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + exportWorkflowsRequestExample: + description: Example request to export workflows + value: + ids: + - workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + - workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901 + schema: + additionalProperties: false + type: object + properties: + ids: + description: Array of workflow IDs to export. + items: + description: Workflow ID to export. + maxLength: 255 + type: string + maxItems: 500 + minItems: 1 + type: array + required: + - ids + responses: + '200': content: application/json: examples: - serverError: + exportWorkflowsResponseExample: + description: Workflow entries with YAML content and export manifest value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Get value list items + entries: + - id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + yaml: |- + name: My Workflow + steps: + - type: http.request + with: + url: https://example.com + - id: workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901 + yaml: |- + name: Another Workflow + steps: + - type: http.request + with: + url: https://example.com + manifest: + exportedAt: '2026-03-26T12:00:00.000Z' + exportedCount: 2 + version: '1' + description: JSON containing exported workflow YAML entries and manifest metadata + summary: Export workflows tags: - - Security Lists API - /api/lists/items/_import: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/workflows/export" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" 
\ + -d '{ + "ids": ["workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", "workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901"] + }' + - lang: Console + source: | + POST kbn://api/workflows/export + { + "ids": ["workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", "workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901"] + } + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/workflows/mget: post: - description: > - Import value list items from a TXT or CSV file. The maximum file size is - 9 million bytes. + description: |- + **Spaces method and path for this operation:** +
post /s/{space_id}/api/workflows/mget
- You can import items to a new or existing list. - operationId: ImportListItems - parameters: - - description: | - List's id. - - Required when importing to an existing list. - in: query - name: list_id - required: false - schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' - - description: | - Type of the importing list. + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Required when importing a new list whose list `id` is not specified. - examples: - ip: - value: ip - in: query - name: type - required: false - schema: - $ref: '#/components/schemas/Security_Lists_API_ListType' - - description: >- - Determines when changes made by the request are made visible to - search. - in: query - name: refresh - required: false + Retrieve multiple workflows by their IDs in a single request. Optionally use the `source` parameter to return only specific fields from each workflow document.

[Required authorization] Route required privileges: workflowsManagement:read. + operationId: post-workflows-mget + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - enum: - - 'true' - - 'false' - - wait_for - example: true + example: 'true' type: string requestBody: content: - multipart/form-data: + application/json: examples: - ipLinesFile: + mgetWorkflowsRequestExample: + description: Example request to retrieve multiple workflows by their IDs value: - file: list_values.txt + ids: + - workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + - workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901 + source: + - name + - enabled schema: + additionalProperties: false type: object properties: - file: - description: >- - A `.txt` or `.csv` file containing newline separated list - items. - example: | - 127.0.0.1 - 127.0.0.2 - 127.0.0.3 - 127.0.0.4 - 127.0.0.5 - 127.0.0.6 - 127.0.0.7 - 127.0.0.8 - 127.0.0.9 - format: binary - type: string - required: true + ids: + description: Array of workflow IDs to look up. + items: + description: Workflow ID. + maxLength: 255 + type: string + maxItems: 500 + minItems: 1 + type: array + source: + description: Array of source fields to include. + items: + description: Source field. 
+ maxLength: 255 + type: string + maxItems: 10 + minItems: 1 + type: array + required: + - ids responses: '200': content: application/json: examples: - ip: - value: - _version: WzAsMV0= - '@timestamp': 2025-01-08T04:47:34.273Z - created_at: 2025-01-08T04:47:34.273Z - created_by: elastic - description: This list describes bad internet ip - id: ip_list - immutable: false - name: Simple list with an ip - tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 - type: ip - updated_at: 2025-01-08T04:47:34.273Z - updated_by: elastic - version: 1 - schema: - $ref: '#/components/schemas/Security_Lists_API_List' - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - message: Either type or list_id need to be defined in the query - status_code: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [POST /api/lists/items/_import?list_id=ip_list] is - unauthorized for user, this action is granted by the - Kibana privileges [lists-all] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '409': - content: - application/json: - examples: - conflict: - value: - message: >- - 
List with the specified list_id does not exist, create the - list or fix list_id to import to an existing one - status_code: 409 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List with specified list_id does not exist response - '500': - content: - application/json: - examples: - serverError: + mgetWorkflowsResponseExample: + description: Example response returning the requested workflows with projected fields value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Import value list items + - enabled: true + id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + name: Example definition + - enabled: false + id: workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901 + name: Second workflow + description: Indicates a successful response + summary: Get workflows by IDs tags: - - Security Lists API - /api/lists/privileges: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/workflows/mget" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "ids": ["workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", "workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901"], + "source": ["name", "enabled"] + }' + - lang: Console + source: | + POST kbn://api/workflows/mget + { + "ids": ["workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", "workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901"], + "source": ["name", "enabled"] + } + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/workflows/schema: get: - description: > - Returns the caller's authentication state and the Elasticsearch - `cluster`, `index`, and `application` + description: |- + **Spaces method and path for this operation:** - privileges for `.lists` and `.items` data streams in the current Kibana - 
space. Use this to decide which list +
get /s/{space_id}/api/workflows/schema
- APIs (`read` vs `all` operations) are available before you create or - import lists. - operationId: ReadListPrivileges + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve the JSON schema used to validate workflow YAML definitions. The schema includes available step types based on the configured connectors in the current space.

[Required authorization] Route required privileges: workflowsManagement:read. + operationId: get-workflows-schema + parameters: + - description: When true, returns a permissive schema that allows additional properties. When false, returns a strict schema for full validation. + in: query + name: loose + required: true + schema: + type: boolean responses: '200': content: application/json: examples: - privileges: + getSchemaResponseExample: + description: Example response returning the workflow JSON schema (truncated) value: - is_authenticated: true - listItems: - application: {} - cluster: - all: true - manage: true - manage_api_key: true - manage_index_templates: true - manage_ml: true - manage_own_api_key: true - manage_pipeline: true - manage_security: true - manage_transform: true - monitor: true - monitor_ml: true - monitor_transform: true - has_all_requested: true - index: - .items-default: - all: true - create: true - create_doc: true - create_index: true - delete: true - delete_index: true - index: true - maintenance: true - manage: true - monitor: true - read: true - view_index_metadata: true - write: true - username: elastic - lists: - application: {} - cluster: - all: true - manage: true - manage_api_key: true - manage_index_templates: true - manage_ml: true - manage_own_api_key: true - manage_pipeline: true - manage_security: true - manage_transform: true - monitor: true - monitor_ml: true - monitor_transform: true - has_all_requested: true - index: - .lists-default: - all: true - create: true - create_doc: true - create_index: true - delete: true - delete_index: true - index: true - maintenance: true - manage: true - monitor: true - read: true - view_index_metadata: true - write: true - username: elastic - schema: - type: object - properties: - is_authenticated: - type: boolean - listItems: - $ref: '#/components/schemas/Security_Lists_API_ListItemPrivileges' - lists: - $ref: '#/components/schemas/Security_Lists_API_ListPrivileges' - required: - - lists - 
- listItems - - is_authenticated - description: Successful response - '400': + $schema: http://json-schema.org/draft-07/schema# + type: object + properties: + description: + type: string + enabled: + default: true + type: boolean + name: + minLength: 1 + type: string + tags: + items: + type: string + type: array + version: + const: '1' + default: '1' + description: The version of the workflow schema + type: string + required: + - name + - triggers + - steps + description: Indicates a successful response + summary: Get workflow JSON schema + tags: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/workflows/schema?loose=false" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/workflows/schema?loose=false + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/workflows/stats: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/workflows/stats
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve summary statistics about workflows, including total, enabled, and disabled counts; execution history metrics for the last 30 days are included only when the caller has execution read privilege.

[Required authorization] Route required privileges: workflowsManagement:read OR workflowsManagement:readExecution. + operationId: get-workflows-stats + parameters: [] + responses: + '200': content: application/json: examples: - badRequest: + getStatsResponseExample: + description: Example response with workflow counts and 30-day execution history value: - error: Bad Request - message: >- - Unable to resolve list privileges: invalid or missing - space context for this request - statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': + executions: + - cancelled: 1 + completed: 45 + date: '2025-11-20' + failed: 2 + timestamp: '2025-11-20T00:00:00.000Z' + - cancelled: 0 + completed: 50 + date: '2025-11-21' + failed: 0 + timestamp: '2025-11-21T00:00:00.000Z' + workflows: + disabled: 3 + enabled: 12 + description: Indicates a successful response + summary: Get workflow statistics + tags: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/workflows/stats" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/workflows/stats + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/workflows/step/test: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/workflows/step/test
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Execute a single step from a workflow definition in test mode.

[Required authorization] Route required privileges: workflowsManagement:execute AND workflowsManagement:read. + operationId: post-workflows-step-test + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + testStepRequestExample: + description: Example request to test a single workflow step + value: + contextOverride: + inputs: + message: override message + stepId: hello_world_step + workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + workflowYaml: | + name: Example definition + enabled: true + description: This is a workflow example + triggers: + - type: manual + inputs: + - name: message + type: string + default: "hello world" + steps: + - name: hello_world_step + type: console + with: + message: "{{ inputs.message }}" + schema: + additionalProperties: false + type: object + properties: + contextOverride: + additionalProperties: + nullable: true + description: Context overrides for the step execution. + type: object + executionContext: + additionalProperties: + nullable: true + description: Execution context for the step execution. + type: object + stepId: + description: ID of the step to test. + type: string + workflowId: + description: ID of the workflow containing the step. + type: string + workflowYaml: + description: YAML definition of the workflow containing the step. 
+ type: string + required: + - stepId + - contextOverride + - workflowYaml + responses: + '200': content: application/json: examples: - unauthorized: + testStepResponseExample: + description: Example response returning the step test execution ID value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': + workflowExecutionId: step-test-exec-a1b2c3d4 + description: Indicates a successful response + summary: Test a workflow step + tags: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/workflows/step/test" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "stepId": "hello_world_step", + "workflowId": "workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", + "workflowYaml": "name: Example definition\nenabled: true\ntriggers:\n - type: manual\ninputs:\n - name: message\n type: string\n default: \"hello world\"\nsteps:\n - name: hello_world_step\n type: console\n with:\n message: \"{{ inputs.message }}\"", + "contextOverride": { "inputs": { "message": "override message" } } + }' + - lang: Console + source: | + POST kbn://api/workflows/step/test + { + "stepId": "hello_world_step", + "workflowId": "workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", + "workflowYaml": "name: Example definition\nenabled: true\ntriggers:\n - type: manual\ninputs:\n - name: message\n type: string\n default: \"hello world\"\nsteps:\n - name: hello_world_step\n type: console\n with:\n message: \"{{ inputs.message }}\"", + "contextOverride": { "inputs": { "message": "override message" } } + } + x-state: Generally 
available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/workflows/test: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/workflows/test
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Execute a workflow in test mode without requiring it to be saved or enabled. Provide either a workflow ID to test a saved workflow, a YAML definition to test an unsaved draft, or both to test a modified version of an existing workflow.

[Required authorization] Route required privileges: workflowsManagement:execute AND workflowsManagement:read. + operationId: post-workflows-test + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + testWorkflowByIdRequestExample: + description: Example request to test a saved workflow by its ID + value: + inputs: + message: test message + workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + testWorkflowByYamlRequestExample: + description: Example request to test an unsaved workflow YAML draft + value: + inputs: + message: test message + workflowYaml: | + name: Example definition + enabled: true + description: This is a workflow example + triggers: + - type: manual + inputs: + - name: message + type: string + default: "hello world" + steps: + - name: hello_world_step + type: console + with: + message: "{{ inputs.message }}" + schema: + additionalProperties: false + type: object + properties: + inputs: + additionalProperties: + nullable: true + description: Key-value inputs for the test execution. + type: object + workflowId: + description: ID of an existing workflow to test. + type: string + workflowYaml: + description: YAML definition to test. 
+ type: string + required: + - inputs + responses: + '200': content: application/json: examples: - forbidden: + testWorkflowResponseExample: + description: Example response returning the test execution ID value: - error: Forbidden - message: >- - API [GET /api/lists/privileges] is unauthorized for user, - this action is granted by the Kibana privileges - [lists-read] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '500': + workflowExecutionId: test-exec-a1b2c3d4-e5f6 + description: Indicates a successful response + summary: Test a workflow + tags: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/workflows/test" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "workflowId": "workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", + "inputs": { "message": "test message" } + }' + - lang: Console + source: | + POST kbn://api/workflows/test + { + "workflowId": "workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", + "inputs": { "message": "test message" } + } + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/workflows/workflow: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/workflows/workflow
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new workflow from a YAML definition. The YAML is validated and parsed before the workflow is saved. An optional custom ID can be provided.

[Required authorization] Route required privileges: workflowsManagement:create. + operationId: post-workflows-workflow + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + createWorkflowRequestExample: + description: Example request for creating a workflow from a YAML definition + value: + yaml: | + name: Example definition + enabled: true + description: This is a workflow example + triggers: + - type: manual + inputs: + - name: message + type: string + default: "hello world" + steps: + - name: hello_world_step + type: console + with: + message: "{{ inputs.message }}" + createWorkflowWithIdRequestExample: + description: Example request for creating a workflow with a custom ID + value: + id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + yaml: | + name: Example definition + enabled: true + description: This is a workflow example + triggers: + - type: manual + inputs: + - name: message + type: string + default: "hello world" + steps: + - name: hello_world_step + type: console + with: + message: "{{ inputs.message }}" + schema: + additionalProperties: false + type: object + properties: + id: + maxLength: 255 + minLength: 3 + pattern: ^[a-z0-9]([a-z0-9-]*[a-z0-9])?$ + type: string + yaml: + maxLength: 1048576 + type: string + required: + - yaml + responses: + '200': content: application/json: examples: - serverError: + createWorkflowResponseExample: + description: Example response returning the created workflow value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Get value list privileges + createdAt: '2025-11-20T10:30:00.000Z' + createdBy: elastic + definition: + description: This is a workflow example + enabled: true + inputs: + - default: hello world + 
name: message + type: string + name: Example definition + steps: + - name: hello_world_step + type: console + with: + message: '{{ inputs.message }}' + triggers: + - type: manual + description: This is a workflow example + enabled: true + id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + lastUpdatedAt: '2025-11-20T10:30:00.000Z' + lastUpdatedBy: elastic + name: Example definition + valid: true + yaml: | + name: Example definition + enabled: true + description: This is a workflow example + triggers: + - type: manual + inputs: + - name: message + type: string + default: "hello world" + steps: + - name: hello_world_step + type: console + with: + message: "{{ inputs.message }}" + description: Indicates a successful response + summary: Create a workflow tags: - - Security Lists API - /api/ml/saved_objects/sync: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/workflows/workflow" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "yaml": "name: Example definition\nenabled: true\ndescription: This is a workflow example\ntriggers:\n - type: manual\ninputs:\n - name: message\n type: string\n default: \"hello world\"\nsteps:\n - name: hello_world_step\n type: console\n with:\n message: \"{{ inputs.message }}\"\n" + }' + - lang: Console + source: | + POST kbn://api/workflows/workflow + { + "yaml": "name: Example definition\nenabled: true\ndescription: This is a workflow example\ntriggers:\n - type: manual\ninputs:\n - name: message\n type: string\n default: \"hello world\"\nsteps:\n - name: hello_world_step\n type: console\n with:\n message: \"{{ inputs.message }}\"\n" + } + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/workflows/workflow/{id}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/workflows/workflow/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a single workflow by its ID.

[Required authorization] Route required privileges: workflowsManagement:delete. + operationId: delete-workflows-workflow-id + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Workflow ID + in: path + name: id + required: true + schema: + type: string + - description: When true, permanently deletes the workflow (hard delete) instead of soft-deleting it. The workflow ID becomes available for reuse. + in: query + name: force + required: false + schema: + default: false + type: boolean + responses: + '200': + description: Indicates a successful response + summary: Delete a workflow + tags: + - workflows + x-codeSamples: + - label: Soft delete (default) + lang: curl + source: | + curl \ + -X DELETE "${KIBANA_URL}/api/workflows/workflow/{id}" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" + - label: Hard delete (permanent) + lang: curl + source: | + curl \ + -X DELETE "${KIBANA_URL}/api/workflows/workflow/{id}?force=true" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" + - lang: Console + source: | + DELETE kbn://api/workflows/workflow/{id} + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name get: - description: > - Synchronizes Kibana saved objects for machine learning jobs and trained - models in the default space. You must have `all` privileges for the - **Machine Learning** feature in the **Analytics** section of the Kibana - feature privileges. This API runs automatically when you start Kibana - and periodically thereafter. - operationId: mlSync + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/workflows/workflow/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve a single workflow by its ID.

[Required authorization] Route required privileges: workflowsManagement:read. + operationId: get-workflows-workflow-id parameters: - - $ref: '#/components/parameters/Machine_learning_APIs_simulateParam' + - description: Workflow ID + in: path + name: id + required: true + schema: + type: string responses: '200': content: application/json: examples: - syncExample: - $ref: '#/components/examples/Machine_learning_APIs_mlSyncExample' - schema: - $ref: '#/components/schemas/Machine_learning_APIs_mlSync200Response' - description: Indicates a successful call - '401': - content: - application/json: - examples: - syncExample: - $ref: '#/components/examples/Machine_learning_APIs_mlSync401Example' - schema: - $ref: '#/components/schemas/Machine_learning_APIs_mlSync4xxResponse' - description: Authorization information is missing or invalid. - summary: Sync saved objects in the default space + getWorkflowResponseExample: + description: Example response returning a single workflow + value: + createdAt: '2025-11-20T10:30:00.000Z' + createdBy: elastic + definition: + description: This is a workflow example + enabled: true + inputs: + - default: hello world + name: message + type: string + name: Example definition + steps: + - name: hello_world_step + type: console + with: + message: '{{ inputs.message }}' + triggers: + - type: manual + description: This is a workflow example + enabled: true + id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + lastUpdatedAt: '2025-11-21T14:00:00.000Z' + lastUpdatedBy: elastic + name: Example definition + valid: true + yaml: | + name: Example definition + enabled: true + description: This is a workflow example + triggers: + - type: manual + inputs: + - name: message + type: string + default: "hello world" + steps: + - name: hello_world_step + type: console + with: + message: "{{ inputs.message }}" + description: Indicates a successful response + summary: Get a workflow tags: - - ml - /api/ml/saved_objects/update_jobs_spaces: - post: - description: 
Update a list of jobs to add and/or remove them from given spaces. - operationId: mlUpdateJobsSpaces + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/workflows/workflow/{id}" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/workflows/workflow/{id} + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/workflows/workflow/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Partially update an existing workflow. You can update individual fields such as name, description, enabled state, tags, or the YAML definition without providing all fields.

[Required authorization] Route required privileges: workflowsManagement:update. + operationId: put-workflows-workflow-id + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Workflow ID + in: path + name: id + required: true + schema: + type: string requestBody: content: application/json: examples: - updateADJobSpacesRequest: + updateWorkflowEnableExample: + description: Example request to enable a workflow and update its tags value: - jobIds: - - test-job - jobType: anomaly-detector - spacesToAdd: - - default - spacesToRemove: - - '*' - updateDFAJobSpacesRequest: + enabled: true + tags: + - production + updateWorkflowFullExample: + description: Example request to update multiple workflow fields value: - jobIds: - - test-job - jobType: data-frame-analytics - spacesToAdd: - - default - spacesToRemove: - - '*' + description: Updated workflow description + enabled: true + name: Updated example + tags: + - example + - updated + yaml: | + name: Updated example + enabled: true + description: Updated workflow description + triggers: + - type: manual + inputs: + - name: message + type: string + default: "hello world" + steps: + - name: hello_world_step + type: console + with: + message: "{{ inputs.message }}" + schema: + additionalProperties: false + type: object + properties: + description: + type: string + enabled: + type: boolean + name: + type: string + tags: + items: + type: string + type: array + yaml: + type: string responses: '200': content: application/json: examples: - successADResponse: - value: - test-job: - success: true - type: anomaly-detector - successDFAResponse: + updateWorkflowResponseExample: + description: Example response returning the updated workflow value: - test-job: - success: true - type: data-frame-analytics - description: Indicates a successful call - summary: Update jobs spaces + enabled: false + id: 
workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + lastUpdatedAt: '2026-03-23T13:38:59.568Z' + lastUpdatedBy: elastic + valid: true + validationErrors: [] + description: Indicates a successful response + summary: Update a workflow tags: - - ml - /api/ml/saved_objects/update_trained_models_spaces: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X PUT "${KIBANA_URL}/api/workflows/workflow/{id}" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "enabled": true, + "tags": ["production"] + }' + - lang: Console + source: | + PUT kbn://api/workflows/workflow/{id} + { + "enabled": true, + "tags": ["production"] + } + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/workflows/workflow/{id}/clone: post: - description: >- - Update a list of trained models to add and/or remove them from given - spaces. - operationId: mlUpdateTrainedModelsSpaces - requestBody: - content: - application/json: - examples: - updateTrainedModelsSpacesRequest: - value: - modelIds: - - test-model - spacesToAdd: - - default - spacesToRemove: - - '*' + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/workflows/workflow/{id}/clone
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a copy of an existing workflow.

[Required authorization] Route required privileges: workflowsManagement:create AND workflowsManagement:read. + operationId: post-workflows-workflow-id-clone + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Workflow ID + in: path + name: id + required: true + schema: + type: string responses: '200': content: application/json: examples: - successTMResponse: + cloneWorkflowResponseExample: + description: Example response returning the cloned workflow with a new ID value: - test-model: - success: true - type: trained-model" - description: Indicates a successful call - summary: Update trained models spaces + createdAt: '2025-11-22T11:00:00.000Z' + createdBy: elastic + definition: + description: This is a workflow example + enabled: false + inputs: + - default: hello world + name: message + type: string + name: Example definition (copy) + steps: + - name: hello_world_step + type: console + with: + message: '{{ inputs.message }}' + triggers: + - type: manual + description: This is a workflow example + enabled: false + id: workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901 + lastUpdatedAt: '2025-11-22T11:00:00.000Z' + lastUpdatedBy: elastic + name: Example definition (copy) + valid: true + yaml: | + name: Example definition (copy) + enabled: false + description: This is a workflow example + triggers: + - type: manual + inputs: + - name: message + type: string + default: "hello world" + steps: + - name: hello_world_step + type: console + with: + message: "{{ inputs.message }}" + description: Indicates a successful response + summary: Clone a workflow tags: - - ml - /api/note: - delete: - description: > - Deletes notes by saved object ID. Send either `noteId` (single ID) or - `noteIds` (array of IDs) in the JSON body. 
-
+ - workflows
+ x-codeSamples:
+ - lang: curl
+ source: |
+ curl \
+ -X POST "${KIBANA_URL}/api/workflows/workflow/{id}/clone" \
+ -H "Authorization: ApiKey ${API_KEY}" \
+ -H "kbn-xsrf: true"
+ - lang: Console
+ source: |
+ POST kbn://api/workflows/workflow/{id}/clone
+ x-state: Generally available
+ x-metaTags:
+ - content: Kibana, Elastic Cloud Serverless
+ name: product_name
+ /api/workflows/workflow/{id}/run:
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
- The response has HTTP 200 with an empty body on success.
+
post /s/{space_id}/api/workflows/workflow/{id}/run
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
- Requires the **Timeline and Notes** write privilege (`notes_write`).
- operationId: DeleteNote
+ Execute a workflow by its ID with the provided inputs. The workflow must be enabled and have a valid definition. Returns an execution ID that can be used to monitor progress.

[Required authorization] Route required privileges: workflowsManagement:execute AND workflowsManagement:read.
+ operationId: post-workflows-workflow-id-run
+ parameters:
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ - description: Workflow ID
+ in: path
+ name: id
+ required: true
+ schema:
+ type: string
 requestBody:
 content:
 application/json:
 examples:
- deleteOne:
- summary: Delete a single note by id
+ runWorkflowRequestExample:
+ description: Example request to execute a workflow with inputs
 value:
- noteId: 709f99c6-89b6-4953-9160-35945c8e174e
+ inputs:
+ message: hello from the API
 schema:
- oneOf:
- - nullable: true
+ additionalProperties: false
+ type: object
+ properties:
+ inputs:
+ additionalProperties:
+ nullable: true
+ description: Key-value inputs for the workflow execution.
 type: object
- properties:
- noteId:
- description: Saved object ID of the note to delete.
- type: string
- required:
- - noteId
- - nullable: true
+ metadata:
+ additionalProperties:
+ nullable: true
+ description: Optional metadata for the execution.
 type: object
- properties:
- noteIds:
- description: Saved object IDs of the notes to delete.
- items:
- type: string
- nullable: true
- type: array
- required:
- - noteIds
- description: >
- Exactly one shape: `{ "noteId": "" }` for a single delete, or `{
- "noteIds": ["", ...] }` for bulk delete.
-
- `noteIds` may be null in some clients; prefer an empty array or omit
- unused fields when possible.
- required: true
+ required:
+ - inputs
 responses:
 '200':
- description: The notes were deleted successfully. Response body is empty.
- summary: Delete one or more notes
+ content:
+ application/json:
+ examples:
+ runWorkflowResponseExample:
+ description: Example response returning the execution ID
+ value:
+ workflowExecutionId: exec-a1b2c3d4-e5f6-7890
+ description: Indicates a successful response
+ summary: Run a workflow
 tags:
- - Security Timeline API
- - access:securitySolution
+ - workflows
+ x-codeSamples:
+ - lang: curl
+ source: |
+ curl \
+ -X POST "${KIBANA_URL}/api/workflows/workflow/{id}/run" \
+ -H "Authorization: ApiKey ${API_KEY}" \
+ -H "kbn-xsrf: true" \
+ -H "Content-Type: application/json" \
+ -d '{
+ "inputs": {
+ "message": "hello from the API"
+ }
+ }'
+ - lang: Console
+ source: |
+ POST kbn://api/workflows/workflow/{id}/run
+ {
+ "inputs": {
+ "message": "hello from the API"
+ }
+ }
+ x-state: Generally available
+ x-metaTags:
+ - content: Kibana, Elastic Cloud Serverless
+ name: product_name
+ /api/workflows/workflow/{workflowId}/executions:
 get:
- description: >
- Returns Security Timeline notes as saved objects.
-
+ description: |-
+ **Spaces method and path for this operation:**
- **Query modes (mutually exclusive branches on the server):**
+
get /s/{space_id}/api/workflows/workflow/{workflowId}/executions
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
- 1. **`documentIds` is set** — Returns notes whose `eventId` matches the
- given Elasticsearch document `_id` (single string or array). Pagination
- query parameters (`page`, `perPage`, etc.) are **not** applied; the
- server uses a fixed page size (up to 10000 notes).
+ Retrieve a paginated list of executions for a specific workflow.

[Required authorization] Route required privileges: workflowsManagement:readExecution.
+ operationId: get-workflows-workflow-workflowid-executions
+ parameters:
+ - description: Workflow ID
+ in: path
+ name: workflowId
+ required: true
+ schema:
+ type: string
+ - description: Filter by execution status.
+ in: query
+ name: statuses
+ required: false
+ schema:
+ items:
+ enum:
+ - pending
+ - waiting
+ - waiting_for_input
+ - waiting_for_child
+ - running
+ - completed
+ - failed
+ - cancelled
+ - timed_out
+ - skipped
+ type: string
+ maxItems: 10
+ type: array
+ - description: Filter by execution type.
+ in: query
+ name: executionTypes
+ required: false
+ schema:
+ items:
+ enum:
+ - test
+ - production
+ type: string
+ maxItems: 2
+ type: array
+ - description: Filter by the user who triggered the execution.
+ in: query
+ name: executedBy
+ required: false
+ schema:
+ items:
+ type: string
+ maxItems: 100
+ type: array
+ - description: Filter by evaluated concurrency group key.
+ in: query
+ name: concurrencyGroupKey
+ required: false
+ schema:
+ type: string
+ - description: Whether to exclude step-level execution data.
+ in: query
+ name: omitStepRuns
+ required: false
+ schema:
+ type: boolean
+ - description: Datemath lower bound for filtering executions by finishedAt (inclusive when parsed).
+ in: query
+ name: finishedAfter
+ required: false
+ schema:
+ type: string
+ - description: Datemath upper bound for filtering executions by finishedAt (inclusive when parsed with roundUp).
+ in: query
+ name: finishedBefore
+ required: false
+ schema:
+ type: string
+ - description: Field to sort executions by.
+ in: query
+ name: sortField
+ required: false
+ schema:
+ enum:
+ - createdAt
+ - finishedAt
+ type: string
+ - description: Sort order.
+ in: query
+ name: sortOrder
+ required: false
+ schema:
+ enum:
+ - asc
+ - desc
+ type: string
+ - description: Page number.
+ in: query + name: page + required: false + schema: + minimum: 1 + type: number + - description: Number of results per page. + in: query + name: size + required: false + schema: + maximum: 100 + minimum: 1 + type: number + - description: Datemath lower bound for filtering executions by startedAt (inclusive when parsed). + in: query + name: startedAfter + required: false + schema: + type: string + - description: Datemath upper bound for filtering executions by startedAt (inclusive when parsed with roundUp). + in: query + name: startedBefore + required: false + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getWorkflowExecutionsResponseExample: + description: Example response returning a paginated list of executions for a workflow + value: + page: 1 + results: + - duration: 3000 + error: null + executedBy: elastic + finishedAt: '2025-11-20T12:00:03.000Z' + id: exec-001 + isTestRun: false + spaceId: default + startedAt: '2025-11-20T12:00:00.000Z' + status: completed + triggeredBy: manual + workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + - duration: 2000 + error: + message: Step 'hello_world_step' failed + executedBy: elastic + finishedAt: '2025-11-20T13:00:02.000Z' + id: exec-002 + isTestRun: false + spaceId: default + startedAt: '2025-11-20T13:00:00.000Z' + status: failed + triggeredBy: manual + workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + size: 20 + total: 2 + description: Indicates a successful response + summary: Get workflow executions + tags: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/workflows/workflow/{workflowId}/executions?page=1&size=20" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/workflows/workflow/{workflowId}/executions?page=1&size=20&startedAfter=now-1d&startedBefore=now + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + 
/api/workflows/workflow/{workflowId}/executions/cancel:
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
post /s/{space_id}/api/workflows/workflow/{workflowId}/executions/cancel
- 2. **`savedObjectIds` is set** — Returns notes linked to the given
- Timeline saved object id(s). Same fixed cap as above; list-mode query
- parameters are **not** applied.
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+ Request cancellation for all non-terminal executions of the given workflow in the current space.

[Required authorization] Route required privileges: workflowsManagement:cancelExecution.
+ operationId: post-workflows-workflow-workflowid-executions-cancel
+ parameters:
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ - description: Workflow ID
+ in: path
+ name: workflowId
+ required: true
+ schema:
+ type: string
+ responses:
+ '200':
+ description: Indicates a successful response
+ summary: Cancel all active workflow executions
+ tags:
+ - workflows
+ x-codeSamples:
+ - lang: curl
+ source: |
+ curl \
+ -X POST "${KIBANA_URL}/api/workflows/workflow/{workflowId}/executions/cancel" \
+ -H "Authorization: ApiKey ${API_KEY}" \
+ -H "kbn-xsrf: true"
+ - lang: Console
+ source: |
+ POST kbn://api/workflows/workflow/{workflowId}/executions/cancel
+ x-state: Generally available
+ x-metaTags:
+ - content: Kibana, Elastic Cloud Serverless
+ name: product_name
+ /api/workflows/workflow/{workflowId}/executions/steps:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
- 3. **Neither `documentIds` nor `savedObjectIds`** — Lists notes using
- saved-objects find semantics: `page` (default 1), `perPage` (default
- 10), optional `search`, `sortField`, `sortOrder`, `filter`,
- `createdByFilter`, and `associatedFilter`.
+
get /s/{space_id}/api/workflows/workflow/{workflowId}/executions/steps
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
- Requires the **Timeline and Notes** read privilege (`notes_read`).
- operationId: GetNotes
+ Retrieve a paginated list of step-level execution records for a specific workflow. Optionally filter by step ID and include input or output data.

[Required authorization] Route required privileges: workflowsManagement:readExecution. + operationId: get-workflows-workflow-workflowid-executions-steps parameters: - - description: > - Event document `_id` values to match against each note's `eventId`. - When this parameter is present, the response is all matching notes - (up to the server's hard limit), not a paged list using - `page`/`perPage`. - examples: - multiple: - summary: Multiple document ids (array) - value: - - id-one - - id-two - single: - summary: Single document id - value: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b + - description: Workflow ID + in: path + name: workflowId + required: true + schema: + type: string + - description: Filter by step ID. in: query - name: documentIds + name: stepId + required: false schema: - $ref: '#/components/schemas/Security_Timeline_API_DocumentIds' - - description: > - Timeline `savedObjectId` value(s). Returns notes that reference - those timelines. When present, list-mode pagination parameters are - not used; up to the server's hard limit of notes may be returned. - examples: - singleTimeline: - summary: Single timeline id - value: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + type: string + - description: Include step input data. in: query - name: savedObjectIds + name: includeInput + required: false schema: - $ref: '#/components/schemas/Security_Timeline_API_SavedObjectIds' - - description: > - Page number for list mode (when `documentIds` and `savedObjectIds` - are omitted). Passed as a string; default 1. - example: '1' + type: boolean + - description: Include step output data. + in: query + name: includeOutput + required: false + schema: + type: boolean + - description: Page number for pagination. + in: query + name: page + required: false + schema: + minimum: 1 + type: number + - description: Number of results per page. 
+ in: query + name: size + required: false + schema: + maximum: 100 + minimum: 1 + type: number + - description: Datemath lower bound for filtering step executions by startedAt (inclusive when parsed). + in: query + name: startedAfter + required: false + schema: + type: string + - description: Datemath upper bound for filtering step executions by startedAt (inclusive when parsed with roundUp). + in: query + name: startedBefore + required: false + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getWorkflowStepExecutionsResponseExample: + description: Example response returning step execution records for a workflow + value: + results: + - executionTimeMs: 1000 + finishedAt: '2025-11-20T12:00:02.000Z' + globalExecutionIndex: 0 + id: step-exec-001 + input: + message: hello world + isTestRun: false + scopeStack: [] + spaceId: default + startedAt: '2025-11-20T12:00:01.000Z' + status: completed + stepExecutionIndex: 0 + stepId: hello_world_step + stepType: console + topologicalIndex: 0 + workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + workflowRunId: exec-001 + total: 1 + description: Indicates a successful response + summary: Get workflow step executions + tags: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/workflows/workflow/{workflowId}/executions/steps?includeInput=true" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/workflows/workflow/{workflowId}/executions/steps?includeInput=true + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /s/{spaceId}/api/observability/slos: + get: + description: | + You must have the `read` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. 
+ operationId: findSlosOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - description: A valid kql query to filter the SLO with + example: 'slo.name:latency* and slo.tags : "prod"' in: query - name: page + name: kqlQuery schema: - nullable: true type: string - - description: > - Page size for list mode (when `documentIds` and `savedObjectIds` are - omitted). Passed as a string; default 10. - example: '20' + - description: The page size to use for cursor-based pagination, must be greater or equal than 1 + example: 1 in: query - name: perPage + name: size schema: - nullable: true - type: string - - description: Search string for saved-objects find (list mode only). + default: 1 + type: integer + - description: The cursor to use for fetching the results from, when using a cursor-base pagination. in: query - name: search + name: searchAfter schema: - nullable: true - type: string - - description: Field to sort by for saved-objects find (list mode only). + items: + type: string + type: array + - description: The page to use for pagination, must be greater or equal than 1 + example: 1 in: query - name: sortField + name: page schema: - nullable: true - type: string - - description: >- - Sort order (`asc` or `desc`) for saved-objects find (list mode - only). - example: desc + default: 1 + type: integer + - description: Number of SLOs returned by page + example: 25 in: query - name: sortOrder + name: perPage schema: - nullable: true - type: string - - description: > - Kuery filter string combined with other list-mode filters (for - example `createdByFilter` or `associatedFilter`). Typed as a string - for API compatibility; interpreted by the saved-objects layer (list - mode only). 
+ default: 25 + maximum: 5000 + type: integer + - description: Sort by field + example: status in: query - name: filter + name: sortBy schema: - nullable: true + default: status + enum: + - sli_value + - status + - error_budget_consumed + - error_budget_remaining type: string - - description: > - Kibana user profile **UID** (UUID). The server resolves the user's - display identifiers and returns notes whose `createdBy` matches any - of them (list mode only). - example: f1c2d3e4-5b6a-7890-abcd-ef1234567890 + - description: Sort order + example: asc in: query - name: createdByFilter + name: sortDirection schema: - nullable: true + default: asc + enum: + - asc + - desc type: string - - description: > - Restricts notes by how they relate to a Timeline and/or an event - document (list mode only). Some values apply extra filtering after - the query. Ignored when `documentIds` or `savedObjectIds` is used. + - description: Hide stale SLOs from the list as defined by stale SLO threshold in SLO settings in: query - name: associatedFilter + name: hideStale schema: - $ref: '#/components/schemas/Security_Timeline_API_AssociatedFilterType' + type: boolean responses: '200': content: application/json: examples: - notesPage: - summary: Paged notes for a timeline + findSloResponse: + summary: A paginated list of SLOs value: - notes: - - eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc - note: Escalated to tier-2 analyst - noteId: 709f99c6-89b6-4953-9160-35945c8e174e - timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - version: WzQ2LDFd - totalCount: 1 + page: 1 + perPage: 25 + results: + - budgetingMethod: occurrences + createdAt: '2025-01-12T10:03:19.000Z' + description: Availability of my web service + enabled: true + groupBy: '*' + id: 8853df00-ae2e-11ed-90af-09bb6422b258 + indicator: + params: + filter: 'field.environment : "production" and service.name : "my-service"' + good: 'request.status_code : "2xx"' + index: logs-* + timestampField: '@timestamp' + total: 
'request.status_code : *' + type: sli.kql.custom + instanceId: '*' + name: My Service Availability + objective: + target: 0.99 + revision: 1 + settings: + frequency: 5m + syncDelay: 5m + summary: + errorBudget: + consumed: 0.17 + initial: 0.01 + isEstimated: false + remaining: 0.83 + sliValue: 0.9983 + status: HEALTHY + tags: + - production + - web-service + timeWindow: + duration: 30d + type: rolling + updatedAt: '2025-01-12T10:03:19.000Z' + version: 2 + total: 42 schema: - $ref: '#/components/schemas/Security_Timeline_API_GetNotesResult' - description: Notes and total count for the requested mode. - summary: Get notes + $ref: '#/components/schemas/SLOs_find_slo_response' + description: Successful request + '400': + content: + application/json: + examples: + badRequestExample: + summary: Bad request + value: + error: Bad Request + message: 'Invalid value ''invalid'' supplied to: sortBy' + statusCode: 400 + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json: + examples: + unauthorizedExample: + summary: Unauthorized + value: + error: Unauthorized + message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' + statusCode: 401 + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json: + examples: + forbiddenExample: + summary: Forbidden + value: + error: Forbidden + message: 'security_exception: action [slo_read] is unauthorized for user' + statusCode: 403 + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Forbidden response + '404': + content: + application/json: + examples: + notFoundExample: + summary: Not found + value: + error: Not Found + message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found + statusCode: 404 + schema: + $ref: '#/components/schemas/SLOs_404_response' + description: Not found response + summary: Get a paginated list of SLOs 
tags: - - Security Timeline API - - access:securitySolution - patch: - description: > - Creates a new note or updates an existing one. - - - **Create:** Send `note` and omit `noteId` to create a new saved object. - - - **Update:** Send `note` with the changed fields and set `noteId` to the - note's saved object ID. Optionally include `version` for optimistic - concurrency when the client has it from a prior read. - - - Requires the **Timeline and Notes** write privilege (`notes_write`). - externalDocs: - description: Add or update a note on a Timeline - url: >- - https://www.elastic.co/guide/en/security/current/timeline-api-update.html - operationId: PersistNoteRoute + - slo + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: | + You must have `all` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. + operationId: createSloOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' requestBody: content: application/json: examples: - addNote: - summary: Add a note on an event + createSloKqlExample: + summary: Create an SLO with a KQL indicator value: - note: - eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc - note: Escalated to tier-2 analyst - timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + budgetingMethod: occurrences + description: Availability of my web service measured by successful HTTP responses + indicator: + params: + filter: 'field.environment : "production" and service.name : "my-service"' + good: 'request.status_code : "2xx"' + index: logs-* + timestampField: '@timestamp' + total: 'request.status_code : *' + type: sli.kql.custom + name: My Service Availability + objective: + target: 0.99 + settings: + frequency: 5m + syncDelay: 5m + tags: + - production + - web-service + timeWindow: + duration: 30d + type: rolling schema: - type: object - properties: - note: - $ref: 
'#/components/schemas/Security_Timeline_API_BareNote' - description: >- - Note payload (timeline, text, optional event linkage, - metadata). - noteId: - description: >- - The `savedObjectId` of the note to update. Omit when - creating a new note. - example: 709f99c6-89b6-4953-9160-35945c8e174e - nullable: true - type: string - version: - description: >- - Saved object version string from a previous read; optional - on update. - example: WzQ2LDFd - nullable: true - type: string - required: - - note - description: > - Body must include the `note` object. For updates, include `noteId` - (and optionally `version`). - - To attach a note to a specific event, set `note.eventId` to that - event's document `_id`; for a timeline-wide note, omit or clear - `eventId` per product rules. + $ref: '#/components/schemas/SLOs_create_slo_request' required: true responses: '200': content: application/json: examples: - persisted: - summary: Persisted note wrapper + createSloResponse: + summary: Create SLO response value: - note: - eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc - note: Escalated to tier-2 analyst - noteId: 709f99c6-89b6-4953-9160-35945c8e174e - timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - version: WzQ2LDFd + id: 8853df00-ae2e-11ed-90af-09bb6422b258 schema: - $ref: '#/components/schemas/Security_Timeline_API_ResponseNote' - description: The persisted note, including `noteId` and `version`. 
- summary: Add or update a note + $ref: '#/components/schemas/SLOs_create_slo_response' + description: Successful request + '400': + content: + application/json: + examples: + badRequestExample: + summary: Bad request + value: + error: Bad Request + message: 'Invalid value ''foo'' supplied to: indicator/type' + statusCode: 400 + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json: + examples: + unauthorizedExample: + summary: Unauthorized + value: + error: Unauthorized + message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' + statusCode: 401 + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json: + examples: + forbiddenExample: + summary: Forbidden + value: + error: Forbidden + message: 'security_exception: action [slo_write] is unauthorized for user' + statusCode: 403 + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Forbidden response + '409': + content: + application/json: + examples: + conflictExample: + summary: Conflict + value: + error: Conflict + message: SLO [d077e940-1515-11ee-9c50-9d096392f520] already exists + statusCode: 409 + schema: + $ref: '#/components/schemas/SLOs_409_response' + description: Conflict - The SLO id already exists + summary: Create an SLO tags: - - Security Timeline API - - access:securitySolution - /api/observability_ai_assistant/chat/complete: + - slo + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /s/{spaceId}/api/observability/slos/_bulk_delete: post: - description: > - Create a new chat completion by using the Observability AI Assistant. - - - The API returns the model's response based on the current conversation - context. - - - It also handles any tool requests within the conversation, which may - trigger multiple calls to the underlying large language model (LLM). 
- - - This functionality is in technical preview and may be changed or removed - in a future release. Elastic will work to fix any issues, but features - in technical preview are not subject to the support SLA of official GA - features. - operationId: observability-ai-assistant-chat-complete + description: | + Bulk delete SLO definitions and their associated summary and rollup data. This endpoint initiates a bulk deletion operation for SLOs, which may take some time to complete. The status of the operation can be checked using the `GET /api/slo/_bulk_delete/{taskId}` endpoint. + operationId: bulkDeleteOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' requestBody: content: application/json: examples: - chatCompleteRequestExample: - $ref: >- - #/components/examples/Observability_AI_Assistant_API_ChatCompleteRequestExample + bulkDeleteRequest: + summary: Bulk delete two SLOs + value: + list: + - 8853df00-ae2e-11ed-90af-09bb6422b258 + - d077e940-1515-11ee-9c50-9d096392f520 schema: - type: object - properties: - actions: - items: - $ref: >- - #/components/schemas/Observability_AI_Assistant_API_Function - type: array - connectorId: - description: A unique identifier for the connector. - type: string - conversationId: - description: >- - A unique identifier for the conversation if you are - continuing an existing conversation. - type: string - disableFunctions: - description: >- - Flag indicating whether all function calls should be - disabled for the conversation. If true, no calls to - functions will be made. - type: boolean - instructions: - description: >- - An array of instruction objects, which can be either simple - strings or detailed objects. - items: - $ref: >- - #/components/schemas/Observability_AI_Assistant_API_Instruction - type: array - messages: - description: >- - An array of message objects containing the conversation - history. 
- items: - $ref: >- - #/components/schemas/Observability_AI_Assistant_API_Message - type: array - persist: - description: >- - Indicates whether the conversation should be saved to - storage. If true, the conversation will be saved and will be - available in Kibana. - type: boolean - title: - description: A title for the conversation. - type: string - required: - - messages - - connectorId - - persist + $ref: '#/components/schemas/SLOs_bulk_delete_request' + required: true responses: '200': content: application/json: examples: - chatCompleteResponseExample: - $ref: >- - #/components/examples/Observability_AI_Assistant_API_ChatCompleteResponseExample + bulkDeleteResponse: + summary: Bulk delete response with task ID + value: + taskId: d08506b7-f0e8-4f8b-a06a-a83940f4db91 schema: - type: object + $ref: '#/components/schemas/SLOs_bulk_delete_response' description: Successful response - summary: Generate a chat completion + '400': + content: + application/json: + examples: + badRequestExample: + summary: Bad request + value: + error: Bad Request + message: 'Invalid value ''foo'' supplied to: list' + statusCode: 400 + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json: + examples: + unauthorizedExample: + summary: Unauthorized + value: + error: Unauthorized + message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' + statusCode: 401 + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json: + examples: + forbiddenExample: + summary: Forbidden + value: + error: Forbidden + message: 'security_exception: action [slo_write] is unauthorized for user' + statusCode: 403 + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Forbidden response + summary: Bulk delete SLO definitions and their associated summary and rollup data. 
tags: - - observability_ai_assistant - x-codeSamples: - - lang: cURL - source: > - curl --request POST - 'localhost:5601/api/observability_ai_assistant/chat/complete' -u - : -H 'kbn-xsrf: true' -H "Content-Type: - application/json" --data ' - - { - - "connectorId": "", - - "disableFunctions": false, - "messages": [ - { - "@timestamp": "2025-06-25T23:45:00.000Z", - "message": { - "role": "user", - "content": "Is my Elasticsearch cluster healthy right now?" - } - } - ], - "persist": false, - - "actions": [ - { - "name": "get_cluster_health", - "description": "Fetch the current Elasticsearch cluster-health status and key metrics.", - "parameters": { - "type": "object", - "properties": { - "includeShardStats": { - "type": "boolean", - "default": false - } - } - } - } - ], - - "instructions": ["When the user asks about Elasticsearch cluster - health, use the get_cluster_health tool to retrieve cluster health, - then summarize the response in plain English."] - - }' - x-state: Technical Preview - /api/osquery/history: + - slo + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /s/{spaceId}/api/observability/slos/_bulk_delete/{taskId}: get: - description: > - Get a unified, time-sorted history of live, rule-triggered, and - scheduled osquery executions. The response uses cursor-based pagination. - operationId: OsqueryGetUnifiedHistory + description: | + Retrieve the status of the bulk deletion operation for SLOs. This endpoint returns the status of the bulk deletion operation, including whether it is completed and the results of the operation. + operationId: bulkDeleteStatusOp parameters: - - description: The number of results to return per page. - in: query - name: pageSize - required: false - schema: - default: 20 - description: The number of results to return per page. - maximum: 100 - minimum: 1 - type: integer - - description: >- - A base64-encoded cursor for pagination. Use the value from the - previous response to fetch the next page. 
- in: query - name: nextPage - required: false - schema: - description: >- - A base64-encoded cursor for pagination. Use the value from the - previous response to fetch the next page. - type: string - - description: >- - A search string to filter history entries by pack name, query text, - or query ID. - in: query - name: kuery - required: false - schema: - description: >- - A search string to filter history entries by pack name, query - text, or query ID. - type: string - - description: Comma-separated list of user IDs to filter live query history. - in: query - name: userIds - required: false - schema: - description: Comma-separated list of user IDs to filter live query history. - example: elastic,admin - type: string - - description: >- - Comma-separated list of source types to include. Valid values are - `live`, `rule`, and `scheduled`. - in: query - name: sourceFilters - required: false - schema: - description: >- - Comma-separated list of source types to include. Valid values are - `live`, `rule`, and `scheduled`. - example: live,scheduled - type: string - - description: The start of the time range filter (ISO 8601). - in: query - name: startDate - required: false - schema: - description: The start of the time range filter (ISO 8601). - example: '2024-01-01T00:00:00Z' - type: string - - description: The end of the time range filter (ISO 8601). - in: query - name: endDate - required: false + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - description: The task id of the bulk delete operation + in: path + name: taskId + required: true schema: - description: The end of the time range filter (ISO 8601). 
- example: '2024-12-31T23:59:59Z' + example: 8853df00-ae2e-11ed-90af-09bb6422b258 type: string responses: '200': content: application/json: examples: - unifiedHistoryExample: - summary: Example unified history response + bulkDeleteStatusComplete: + summary: Completed bulk deletion value: - data: - - actionId: 609c4c66-ba3d-43fa-afdd-53e244577aa0 - agentCount: 5 - errorCount: 0 - id: 3c42c847-eb30-4452-80e0-728584042334 - queryName: uptime_query - queryText: select * from uptime; - source: Live - sourceType: live - successCount: 5 - timestamp: '2024-07-26T09:59:32.220Z' - totalRows: 42 - userId: elastic - - agentCount: 10 - errorCount: 1 - executionCount: 3 - id: pack_my_pack_uptime_3 - packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d - packName: My Pack - plannedTime: '2024-07-26T09:00:00.000Z' - queryName: uptime - queryText: select * from uptime; - scheduleId: pack_my_pack_uptime - source: Scheduled - sourceType: scheduled - successCount: 9 - timestamp: '2024-07-26T09:00:00.000Z' - totalRows: 100 - hasMore: true - nextPage: eyJhY3Rpb25TZWFyY2hBZnRlciI6WzE3... + isDone: true + results: + - id: 8853df00-ae2e-11ed-90af-09bb6422b258 + success: true + - id: d077e940-1515-11ee-9c50-9d096392f520 + success: true + bulkDeleteStatusPartialFailure: + summary: Completed with partial failure + value: + isDone: true + results: + - id: 8853df00-ae2e-11ed-90af-09bb6422b258 + success: true + - error: SLO [d077e940-1515-11ee-9c50-9d096392f520] not found + id: d077e940-1515-11ee-9c50-9d096392f520 + success: false schema: - $ref: >- - #/components/schemas/Security_Osquery_API_GetUnifiedHistoryResponse - description: Indicates a successful call. - summary: Get unified query history - tags: - - Security Osquery API - x-state: Generally available; Added in 9.4.0 - /api/osquery/live_queries: - get: - description: Get a list of all live queries. - operationId: OsqueryFindLiveQueries - parameters: - - description: A KQL search string to filter live queries. 
- in: query - name: kuery - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' - - description: The page number to return. - in: query - name: page - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' - - description: The number of results to return per page. - in: query - name: pageSize - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' - - description: The field to sort results by. - in: query - name: sort - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' - - description: The sort order. - in: query - name: sortOrder - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' - responses: - '200': + $ref: '#/components/schemas/SLOs_bulk_delete_status_response' + description: Successful response + '400': content: application/json: examples: - liveQueriesList: - summary: A list of recent live queries + badRequestExample: + summary: Bad request value: - data: - items: - - _source: - '@timestamp': '2023-10-31T00:00:00Z' - action_id: 3c42c847-eb30-4452-80e0-728584042334 - agents: - - 16d7caf5-efd2-4212-9b62-73dafc91fa13 - expiration: '2023-10-31T00:00:00Z' - queries: - - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 - agents: - - 16d7caf5-efd2-4212-9b62-73dafc91fa13 - ecs_mapping: - host.uptime: - field: total_seconds - id: 6724a474-cbba-41ef-a1aa-66aebf0879e2 - query: select * from uptime; - saved_query_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d - user_id: elastic - total: 1 + error: Bad Request + message: 'Invalid value ''foo'' supplied to: taskId' + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Osquery_API_FindLiveQueryResponse - description: Indicates a successful call. 
- summary: Get live queries + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json: + examples: + unauthorizedExample: + summary: Unauthorized + value: + error: Unauthorized + message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' + statusCode: 401 + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json: + examples: + forbiddenExample: + summary: Forbidden + value: + error: Forbidden + message: 'security_exception: action [slo_write] is unauthorized for user' + statusCode: 403 + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Forbidden response + summary: Retrieve the status of the bulk deletion tags: - - Security Osquery API + - slo + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /s/{spaceId}/api/observability/slos/_bulk_purge_rollup: post: - description: Create and run a live query. - operationId: OsqueryCreateLiveQuery + description: | + The deletion occurs for the specified list of `sloId`. You must have `all` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. 
+ operationId: deleteRollupDataOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' requestBody: content: application/json: examples: - singleQueryAllAgents: - summary: Run a single query on all agents + purgeByAgeExample: + summary: Purge rollup data older than 7 days value: - agent_all: true - ecs_mapping: - host.uptime: - field: total_seconds - query: select * from uptime; - targetedQuery: - summary: Run a query against specific agents + list: + - 8853df00-ae2e-11ed-90af-09bb6422b258 + purgePolicy: + age: 7d + purgeType: fixed-age + purgeByTimestampExample: + summary: Purge rollup data before a specific date value: - agent_ids: - - 16d7caf5-efd2-4212-9b62-73dafc91fa13 - query: select * from processes; + list: + - 8853df00-ae2e-11ed-90af-09bb6422b258 + - d077e940-1515-11ee-9c50-9d096392f520 + purgePolicy: + purgeType: fixed-time + timestamp: '2024-12-31T00:00:00.000Z' schema: - $ref: >- - #/components/schemas/Security_Osquery_API_CreateLiveQueryRequestBody + $ref: '#/components/schemas/SLOs_bulk_purge_rollup_request' required: true responses: '200': content: application/json: examples: - liveQueryCreated: - summary: Live query created + bulkPurgeResponse: + summary: Bulk purge response with task ID value: - data: - '@timestamp': '2022-07-26T09:59:32.220Z' - action_id: 3c42c847-eb30-4452-80e0-728584042334 - agent_all: true - agents: - - 16d7caf5-efd2-4212-9b62-73dafc91fa13 - expiration: '2022-07-26T10:04:32.220Z' - input_type: osquery - queries: - - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 - agents: - - 16d7caf5-efd2-4212-9b62-73dafc91fa13 - id: 6724a474-cbba-41ef-a1aa-66aebf0879e2 - query: select * from uptime; - timeout: 120 - type: INPUT_ACTION - user_id: elastic + taskId: 8853df00-ae2e-11ed-90af-09bb6422b258 schema: - $ref: >- - #/components/schemas/Security_Osquery_API_CreateLiveQueryResponse - description: Indicates a successful call. 
- summary: Create a live query + $ref: '#/components/schemas/SLOs_bulk_purge_rollup_response' + description: Successful request + '400': + content: + application/json: + examples: + badRequestExample: + summary: Bad request + value: + error: Bad Request + message: 'Invalid value ''foo'' supplied to: purgePolicy/purgeType' + statusCode: 400 + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json: + examples: + unauthorizedExample: + summary: Unauthorized + value: + error: Unauthorized + message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' + statusCode: 401 + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json: + examples: + forbiddenExample: + summary: Forbidden + value: + error: Forbidden + message: 'security_exception: action [slo_write] is unauthorized for user' + statusCode: 403 + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Forbidden response + summary: Batch delete rollup and summary data tags: - - Security Osquery API - /api/osquery/live_queries/{id}: - get: - description: Get the details of a live query using the query ID. - operationId: OsqueryGetLiveQueryDetails + - slo + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /s/{spaceId}/api/observability/slos/_delete_instances: + post: + description: | + The deletion occurs for the specified list of `sloId` and `instanceId`. You must have `all` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. + operationId: deleteSloInstancesOp parameters: - - description: The ID of the live query. - in: path - name: id - required: true - schema: - description: The ID of the live query result you want to retrieve. 
- example: 3c42c847-eb30-4452-80e0-728584042334 - type: string + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + requestBody: + content: + application/json: + examples: + deleteInstancesExample: + summary: Delete specific SLO instances + value: + list: + - instanceId: host-abc123 + sloId: 8853df00-ae2e-11ed-90af-09bb6422b258 + - instanceId: host-def456 + sloId: 8853df00-ae2e-11ed-90af-09bb6422b258 + schema: + $ref: '#/components/schemas/SLOs_delete_slo_instances_request' + required: true responses: - '200': + '204': + description: Successful request + '400': content: application/json: examples: - liveQueryDetails: - summary: Live query details with execution status + badRequestExample: + summary: Bad request value: - data: - '@timestamp': '2022-07-26T09:59:32.220Z' - action_id: 3c42c847-eb30-4452-80e0-728584042334 - agents: - - 16d7caf5-efd2-4212-9b62-73dafc91fa13 - expiration: '2022-07-26T10:04:32.220Z' - queries: - - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 - agents: - - 16d7caf5-efd2-4212-9b62-73dafc91fa13 - docs: 1 - failed: 0 - id: 6724a474-cbba-41ef-a1aa-66aebf0879e2 - pending: 0 - query: select * from uptime; - responded: 1 - status: completed - successful: 1 - status: completed - user_id: elastic + error: Bad Request + message: 'Invalid value ''foo'' supplied to: list/0/sloId' + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Osquery_API_FindLiveQueryDetailsResponse - description: Indicates a successful call. 
- summary: Get live query details + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json: + examples: + unauthorizedExample: + summary: Unauthorized + value: + error: Unauthorized + message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' + statusCode: 401 + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json: + examples: + forbiddenExample: + summary: Forbidden + value: + error: Forbidden + message: 'security_exception: action [slo_write] is unauthorized for user' + statusCode: 403 + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Forbidden response + summary: Batch delete rollup and summary data tags: - - Security Osquery API - /api/osquery/live_queries/{id}/results/{actionId}: - get: - description: Get the results of a live query using the query action ID. - operationId: OsqueryGetLiveQueryResults + - slo + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /s/{spaceId}/api/observability/slos/{sloId}: + delete: + description: | + You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. + operationId: deleteSloOp parameters: - - description: The ID of the live query. - in: path - name: id - required: true - schema: - description: The ID of the live query result you want to retrieve. - example: 3c42c847-eb30-4452-80e0-728584042334 - type: string - - description: The ID of the query action. - in: path - name: actionId - required: true - schema: - description: The ID of the query action that generated the live query results. - example: 609c4c66-ba3d-43fa-afdd-53e244577aa0 - type: string - - description: A KQL search string to filter results. 
- in: query - name: kuery - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' - - description: The page number to return. - in: query - name: page - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' - - description: The number of results to return per page. - in: query - name: pageSize - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' - - description: The field to sort results by. - in: query - name: sort - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' - - description: The sort order. - in: query - name: sortOrder - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - $ref: '#/components/parameters/SLOs_slo_id' responses: - '200': + '204': + description: Successful request + '400': content: application/json: examples: - liveQueryResults: - summary: Result rows from a live query execution + badRequestExample: + summary: Bad request value: - data: - edges: - - _id: doc1 - _source: - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 - agent: - id: 16d7caf5-efd2-4212-9b62-73dafc91fa13 - osquery: - total_seconds: '12345' - - _id: doc2 - _source: - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 - agent: - id: 16d7caf5-efd2-4212-9b62-73dafc91fa13 - osquery: - total_seconds: '67890' - total: 2 + error: Bad Request + message: 'Invalid value ''foo'' supplied to: id' + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Osquery_API_GetLiveQueryResultsResponse - description: Indicates a successful call. 
- summary: Get live query results + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json: + examples: + unauthorizedExample: + summary: Unauthorized + value: + error: Unauthorized + message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' + statusCode: 401 + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json: + examples: + forbiddenExample: + summary: Forbidden + value: + error: Forbidden + message: 'security_exception: action [slo_write] is unauthorized for user' + statusCode: 403 + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Forbidden response + '404': + content: + application/json: + examples: + notFoundExample: + summary: Not found + value: + error: Not Found + message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found + statusCode: 404 + schema: + $ref: '#/components/schemas/SLOs_404_response' + description: Not found response + summary: Delete an SLO tags: - - Security Osquery API - /api/osquery/packs: + - slo + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name get: - description: Get a list of all query packs. - operationId: OsqueryFindPacks + description: | + You must have the `read` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. + operationId: getSloOp parameters: - - description: The page number to return. - in: query - name: page - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' - - description: The number of results to return per page. - in: query - name: pageSize - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' - - description: The field to sort results by. 
- in: query - name: sort - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' - - description: The sort order. - in: query - name: sortOrder - required: false + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - $ref: '#/components/parameters/SLOs_slo_id' + - description: the specific instanceId used by the summary calculation + example: host-abcde + in: query + name: instanceId schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' + type: string responses: '200': content: application/json: examples: - packsList: - summary: A list of query packs + getSloResponse: + summary: Get SLO response value: - data: - - created_at: '2025-02-26T13:37:30.452Z' - created_by: elastic - description: My pack - enabled: true - name: my_pack - queries: - - id: ports - interval: 60 - query: SELECT * FROM listening_ports; - removed: false - snapshot: true - timeout: 120 - saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 - updated_at: '2025-02-26T13:37:30.452Z' - updated_by: elastic - version: 1 - page: 1 - per_page: 20 - total: 1 + budgetingMethod: occurrences + createdAt: '2025-01-12T10:03:19.000Z' + description: Availability of my web service + enabled: true + groupBy: '*' + id: 8853df00-ae2e-11ed-90af-09bb6422b258 + indicator: + params: + filter: 'field.environment : "production" and service.name : "my-service"' + good: 'request.status_code : "2xx"' + index: logs-* + timestampField: '@timestamp' + total: 'request.status_code : *' + type: sli.kql.custom + instanceId: '*' + name: My Service Availability + objective: + target: 0.99 + revision: 1 + settings: + frequency: 5m + syncDelay: 5m + summary: + errorBudget: + consumed: 0.17 + initial: 0.01 + isEstimated: false + remaining: 0.83 + sliValue: 0.9983 + status: HEALTHY + tags: + - production + - web-service + timeWindow: + duration: 30d + type: rolling + updatedAt: '2025-01-12T10:03:19.000Z' + version: 2 
schema: - $ref: '#/components/schemas/Security_Osquery_API_FindPacksResponse' - description: Indicates a successful call. - summary: Get packs - tags: - - Security Osquery API - post: - description: Create a query pack. - operationId: OsqueryCreatePacks - requestBody: - content: - application/json: - examples: - createPack: - summary: Create a pack with a single query - value: - description: My pack - enabled: true - name: my_pack - policy_ids: - - my_policy_id - queries: - ports: - ecs_mapping: - client.port: - field: port - interval: 60 - query: SELECT * FROM listening_ports; - timeout: 120 - schema: - $ref: '#/components/schemas/Security_Osquery_API_CreatePacksRequestBody' - required: true - responses: - '200': + $ref: '#/components/schemas/SLOs_slo_with_summary_response' + description: Successful request + '400': content: application/json: examples: - packCreated: - summary: Pack created + badRequestExample: + summary: Bad request value: - data: - created_at: '2025-02-26T13:37:30.452Z' - created_by: elastic - description: My pack - enabled: true - name: my_pack - policy_ids: - - my_policy_id - queries: - ports: - interval: 60 - query: SELECT * FROM listening_ports; - removed: false - snapshot: true - timeout: 120 - saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 - shards: [] - updated_at: '2025-02-26T13:37:30.452Z' - updated_by: elastic - version: 1 + error: Bad Request + message: 'Invalid value ''foo'' supplied to: id' + statusCode: 400 schema: - $ref: '#/components/schemas/Security_Osquery_API_CreatePacksResponse' - description: Indicates a successful call. - summary: Create a pack - tags: - - Security Osquery API - /api/osquery/packs/{id}: - delete: - description: Delete a query pack using the pack ID. - operationId: OsqueryDeletePacks - parameters: - - description: The pack ID. 
- in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Osquery_API_PackId' - responses: - '200': + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': content: application/json: examples: - packDeleted: - summary: Pack deleted (empty response body) - value: {} + unauthorizedExample: + summary: Unauthorized + value: + error: Unauthorized + message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' + statusCode: 401 schema: - type: object - properties: {} - description: Indicates a successful call. - summary: Delete a pack - tags: - - Security Osquery API - get: - description: Get the details of a query pack using the pack ID. - operationId: OsqueryGetPacksDetails - parameters: - - description: The pack ID. - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Osquery_API_PackId' - responses: - '200': + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': content: application/json: examples: - packDetails: - summary: Pack details + forbiddenExample: + summary: Forbidden value: - data: - created_at: '2025-02-26T13:37:30.452Z' - created_by: elastic - description: My pack - enabled: true - name: my_pack - policy_ids: - - my_policy_id - queries: - ports: - interval: 60 - query: SELECT * FROM listening_ports; - removed: false - snapshot: true - timeout: 120 - saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 - shards: {} - updated_at: '2025-02-26T13:37:30.452Z' - updated_by: elastic - version: 1 + error: Forbidden + message: 'security_exception: action [slo_read] is unauthorized for user' + statusCode: 403 schema: - $ref: '#/components/schemas/Security_Osquery_API_FindPackResponse' - description: Indicates a successful call. 
- summary: Get pack details + $ref: '#/components/schemas/SLOs_403_response' + description: Forbidden response + '404': + content: + application/json: + examples: + notFoundExample: + summary: Not found + value: + error: Not Found + message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found + statusCode: 404 + schema: + $ref: '#/components/schemas/SLOs_404_response' + description: Not found response + summary: Get an SLO tags: - - Security Osquery API + - slo + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name put: description: | - Update a query pack using the pack ID. - > info - > You cannot update a prebuilt pack. - operationId: OsqueryUpdatePacks + You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. + operationId: updateSloOp parameters: - - description: The pack ID. - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Osquery_API_PackId' + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - $ref: '#/components/parameters/SLOs_slo_id' requestBody: content: application/json: examples: - renamePack: - summary: Rename a pack and update its description + updateSloNameExample: + summary: Update the SLO name and tags value: - description: Updated pack description - enabled: true - name: my_pack_renamed + name: Updated Service Availability + tags: + - production + - updated + updateSloObjectiveExample: + summary: Update the SLO objective + value: + objective: + target: 0.995 schema: - $ref: '#/components/schemas/Security_Osquery_API_UpdatePacksRequestBody' + $ref: '#/components/schemas/SLOs_update_slo_request' required: true responses: '200': content: application/json: examples: - packUpdated: - summary: Pack updated + updateSloResponse: + summary: Update SLO response value: - data: - description: Updated pack description - enabled: true - name: my_pack_renamed - policy_ids: - 
- my_policy_id - queries: - ports: - interval: 60 - query: SELECT * FROM listening_ports; - removed: false - snapshot: true - timeout: 120 - saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 - shards: [] - updated_at: '2025-02-27T10:00:00.000Z' - updated_by: elastic - version: 2 + budgetingMethod: occurrences + createdAt: '2025-01-12T10:03:19.000Z' + description: Availability of my web service + enabled: true + groupBy: '*' + id: 8853df00-ae2e-11ed-90af-09bb6422b258 + indicator: + params: + filter: 'field.environment : "production" and service.name : "my-service"' + good: 'request.status_code : "2xx"' + index: logs-* + timestampField: '@timestamp' + total: 'request.status_code : *' + type: sli.kql.custom + name: Updated Service Availability + objective: + target: 0.99 + revision: 2 + settings: + frequency: 5m + syncDelay: 5m + tags: + - production + - updated + timeWindow: + duration: 30d + type: rolling + updatedAt: '2025-03-26T14:30:00.000Z' + version: 2 schema: - $ref: '#/components/schemas/Security_Osquery_API_UpdatePacksResponse' - description: Indicates a successful call. 
- summary: Update a pack + $ref: '#/components/schemas/SLOs_slo_definition_response' + description: Successful request + '400': + content: + application/json: + examples: + badRequestExample: + summary: Bad request + value: + error: Bad Request + message: 'Invalid value ''foo'' supplied to: indicator/type' + statusCode: 400 + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json: + examples: + unauthorizedExample: + summary: Unauthorized + value: + error: Unauthorized + message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' + statusCode: 401 + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json: + examples: + forbiddenExample: + summary: Forbidden + value: + error: Forbidden + message: 'security_exception: action [slo_write] is unauthorized for user' + statusCode: 403 + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Forbidden response + '404': + content: + application/json: + examples: + notFoundExample: + summary: Not found + value: + error: Not Found + message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found + statusCode: 404 + schema: + $ref: '#/components/schemas/SLOs_404_response' + description: Not found response + summary: Update an SLO tags: - - Security Osquery API - /api/osquery/packs/{id}/copy: + - slo + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /s/{spaceId}/api/observability/slos/{sloId}/_reset: post: - description: >- - Create a copy of a query pack with a unique name by appending a `_copy` - suffix. If the name already exists, a numeric suffix is added (e.g., - `_copy_2`). The copied pack is always created with `enabled` set to - `false`. 
- operationId: OsqueryCopyPacks + description: | + You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. + operationId: resetSloOp parameters: - - description: The ID of the pack to copy. - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Osquery_API_PackId' + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - $ref: '#/components/parameters/SLOs_slo_id' responses: '200': content: application/json: examples: - copyPackExample: - summary: Example response for copying a pack + resetSloResponse: + summary: Reset SLO response value: - data: - created_at: '2025-02-26T13:37:30.452Z' - created_by: elastic - description: My pack - enabled: false - name: my_pack_copy - policy_ids: [] - queries: - - ecs_mapping: - - key: client.port - value: - field: port - id: ports - interval: 60 - query: SELECT * FROM listening_ports; - removed: false - snapshot: true - timeout: 120 - saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 - shards: [] - updated_at: '2025-02-26T13:37:30.452Z' - updated_by: elastic + budgetingMethod: occurrences + createdAt: '2025-01-12T10:03:19.000Z' + description: Availability of my web service + enabled: true + groupBy: '*' + id: 8853df00-ae2e-11ed-90af-09bb6422b258 + indicator: + params: + filter: 'field.environment : "production" and service.name : "my-service"' + good: 'request.status_code : "2xx"' + index: logs-* + timestampField: '@timestamp' + total: 'request.status_code : *' + type: sli.kql.custom + name: My Service Availability + objective: + target: 0.99 + revision: 2 + settings: + frequency: 5m + syncDelay: 5m + tags: + - production + - web-service + timeWindow: + duration: 30d + type: rolling + updatedAt: '2025-03-26T14:30:00.000Z' + version: 2 schema: - $ref: '#/components/schemas/Security_Osquery_API_CopyPacksResponse' - description: Indicates a successful call. 
- summary: Copy a pack - tags: - - Security Osquery API - x-state: Generally available; Added in 9.4.0 - /api/osquery/saved_queries: - get: - description: Get a list of all saved queries. - operationId: OsqueryFindSavedQueries - parameters: - - description: The page number to return. - in: query - name: page - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' - - description: The number of results to return per page. - in: query - name: pageSize - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' - - description: The field to sort results by. - in: query - name: sort - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' - - description: The sort order. - in: query - name: sortOrder - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' + $ref: '#/components/schemas/SLOs_slo_definition_response' + description: Successful request + '400': + content: + application/json: + examples: + badRequestExample: + summary: Bad request + value: + error: Bad Request + message: 'Invalid value ''foo'' supplied to: id' + statusCode: 400 + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json: + examples: + unauthorizedExample: + summary: Unauthorized + value: + error: Unauthorized + message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' + statusCode: 401 + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json: + examples: + forbiddenExample: + summary: Forbidden + value: + error: Forbidden + message: 'security_exception: action [slo_write] is unauthorized for user' + statusCode: 403 + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Forbidden response + '404': + content: + application/json: + 
examples: + notFoundExample: + summary: Not found + value: + error: Not Found + message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found + statusCode: 404 + schema: + $ref: '#/components/schemas/SLOs_404_response' + description: Not found response + summary: Reset an SLO + tags: + - slo + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /s/{spaceId}/api/observability/slos/{sloId}/disable: + post: + description: | + You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. + operationId: disableSloOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - $ref: '#/components/parameters/SLOs_slo_id' responses: - '200': + '204': + description: Successful request + '400': content: application/json: examples: - savedQueriesList: - summary: A list of saved queries + badRequestExample: + summary: Bad request value: - data: - - created_at: '2025-02-26T13:37:30.452Z' - created_by: elastic - description: Saved query description - ecs_mapping: - host.uptime: - field: total_seconds - id: my_saved_query - interval: '60' - platform: linux,darwin - query: select * from uptime; - saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c - timeout: 120 - updated_at: '2025-02-26T13:37:30.452Z' - updated_by: elastic - page: 1 - per_page: 20 - total: 1 + error: Bad Request + message: 'Invalid value ''foo'' supplied to: id' + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Osquery_API_FindSavedQueryResponse - description: Indicates a successful call. - summary: Get saved queries - tags: - - Security Osquery API - post: - description: Create and save a query for later use. 
- operationId: OsqueryCreateSavedQuery - requestBody: - content: - application/json: - examples: - createSavedQuery: - summary: Create a saved query - value: - description: Saved query description - ecs_mapping: - host.uptime: - field: total_seconds - id: my_saved_query - interval: '60' - platform: linux,darwin - query: select * from uptime; - timeout: 120 - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_CreateSavedQueryRequestBody - required: true - responses: - '200': + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': content: application/json: examples: - savedQueryCreated: - summary: Saved query created + unauthorizedExample: + summary: Unauthorized value: - data: - created_at: '2025-02-26T13:37:30.452Z' - created_by: elastic - description: Saved query description - ecs_mapping: - host.uptime: - field: total_seconds - id: my_saved_query - interval: '60' - platform: linux,darwin - query: select * from uptime; - saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c - timeout: 120 - updated_at: '2025-02-26T13:37:30.452Z' - updated_by: elastic + error: Unauthorized + message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' + statusCode: 401 schema: - $ref: >- - #/components/schemas/Security_Osquery_API_CreateSavedQueryResponse - description: Indicates a successful call. - summary: Create a saved query - tags: - - Security Osquery API - /api/osquery/saved_queries/{id}: - delete: - description: Delete a saved query using the query ID. - operationId: OsqueryDeleteSavedQuery - parameters: - - description: The saved query ID. 
- in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' - responses: - '200': + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': content: application/json: examples: - savedQueryDeleted: - summary: Saved query deleted (empty response body) - value: {} + forbiddenExample: + summary: Forbidden + value: + error: Forbidden + message: 'security_exception: action [slo_write] is unauthorized for user' + statusCode: 403 schema: - $ref: >- - #/components/schemas/Security_Osquery_API_DefaultSuccessResponse - description: Indicates a successful call. - summary: Delete a saved query - tags: - - Security Osquery API - get: - description: Get the details of a saved query using the query ID. - operationId: OsqueryGetSavedQueryDetails - parameters: - - description: The saved query ID. - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' - responses: - '200': + $ref: '#/components/schemas/SLOs_403_response' + description: Forbidden response + '404': content: application/json: examples: - savedQueryDetails: - summary: Saved query details + notFoundExample: + summary: Not found value: - data: - created_at: '2025-02-26T13:37:30.452Z' - created_by: elastic - description: Saved query description - ecs_mapping: - host.uptime: - field: total_seconds - id: my_saved_query - interval: '60' - platform: linux,darwin - query: select * from uptime; - saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c - timeout: 120 - updated_at: '2025-02-26T13:37:30.452Z' - updated_by: elastic + error: Not Found + message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found + statusCode: 404 schema: - $ref: >- - #/components/schemas/Security_Osquery_API_FindSavedQueryDetailResponse - description: Indicates a successful call. 
- summary: Get saved query details + $ref: '#/components/schemas/SLOs_404_response' + description: Not found response + summary: Disable an SLO tags: - - Security Osquery API - put: + - slo + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /s/{spaceId}/api/observability/slos/{sloId}/enable: + post: description: | - Update a saved query using the query ID. - > info - > You cannot update a prebuilt saved query. - operationId: OsqueryUpdateSavedQuery + You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. + operationId: enableSloOp parameters: - - description: The saved query ID. - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' - requestBody: - content: - application/json: - examples: - updateSavedQuery: - summary: Update a saved query - value: - description: Updated saved query description - id: my_saved_query - interval: '120' - platform: linux,darwin - query: select * from osquery_info; - timeout: 60 - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_UpdateSavedQueryRequestBody - required: true + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - $ref: '#/components/parameters/SLOs_slo_id' responses: - '200': + '204': + description: Successful request + '400': content: application/json: examples: - savedQueryUpdated: - summary: Saved query updated + badRequestExample: + summary: Bad request value: - data: - description: Updated saved query description - id: my_saved_query - interval: '120' - platform: linux,darwin - query: select * from osquery_info; - saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c - timeout: 60 - updated_at: '2025-02-27T10:00:00.000Z' - updated_by: elastic + error: Bad Request + message: 'Invalid value ''foo'' supplied to: id' + statusCode: 400 schema: - $ref: >- - 
#/components/schemas/Security_Osquery_API_UpdateSavedQueryResponse - description: Indicates a successful call. - summary: Update a saved query - tags: - - Security Osquery API - /api/osquery/saved_queries/{id}/copy: - post: - description: >- - Create a copy of a saved query with a unique name by appending a `_copy` - suffix. If the name already exists, a numeric suffix is added (e.g., - `_copy_2`). - operationId: OsqueryCopySavedQuery - parameters: - - description: The ID of the saved query to copy. - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' - responses: - '200': + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': content: application/json: examples: - copySavedQueryExample: - summary: Example response for copying a saved query + unauthorizedExample: + summary: Unauthorized value: - data: - created_at: '2025-02-26T13:37:30.452Z' - created_by: elastic - description: Saved query description - ecs_mapping: - host.uptime: - field: total_seconds - id: my_saved_query_copy - interval: '60' - platform: linux,darwin - query: select * from uptime; - removed: false - saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c - snapshot: true - timeout: 120 - updated_at: '2025-02-26T13:37:30.452Z' - updated_by: elastic + error: Unauthorized + message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' + statusCode: 401 schema: - $ref: >- - #/components/schemas/Security_Osquery_API_CopySavedQueryResponse - description: Indicates a successful call. - summary: Copy a saved query - tags: - - Security Osquery API - x-state: Generally available; Added in 9.4.0 - /api/osquery/scheduled_results/{scheduleId}/{executionCount}: - get: - description: > - Get paginated per-agent action results for a specific scheduled query - execution, with success/failure aggregation and execution metadata (pack - name, query name/text, timestamp). 
- operationId: OsqueryGetScheduledActionResults - parameters: - - description: The schedule ID of the scheduled query. - in: path - name: scheduleId - required: true - schema: - description: The schedule ID of the scheduled query. - example: pack_my_pack_uptime - type: string - - description: The execution count for this scheduled query run. - in: path - name: executionCount - required: true - schema: - description: The execution count for this scheduled query run. - example: 3 - type: integer - - description: The kuery to filter the results by. - in: query - name: kuery - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' - - description: The page number to return. The default is 1. - in: query - name: page - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' - - description: The number of results to return per page. The default is 20. - in: query - name: pageSize - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' - - description: The field that is used to sort the results. - in: query - name: sort - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' - - description: Specifies the sort order. 
- in: query - name: sortOrder - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' - responses: - '200': + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': content: application/json: examples: - scheduledActionResultsExample: - summary: Example scheduled action results response + forbiddenExample: + summary: Forbidden value: - aggregations: - failed: 1 - pending: 0 - successful: 9 - totalResponded: 10 - totalRowCount: 42 - currentPage: 0 - edges: - - _id: result-001 - fields: - agent_id: 16d7caf5-efd2-4212-9b62-73dafc91fa13 - rows_count: 5 - status: success - metadata: - executionCount: 3 - packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d - packName: My Pack - queryName: uptime - queryText: select * from uptime; - scheduleId: pack_my_pack_uptime - timestamp: '2024-07-26T09:00:00.000Z' - pageSize: 20 - total: 10 - totalPages: 1 + error: Forbidden + message: 'security_exception: action [slo_write] is unauthorized for user' + statusCode: 403 schema: - $ref: >- - #/components/schemas/Security_Osquery_API_GetScheduledActionResultsResponse - description: Indicates a successful call. 
- summary: Get scheduled action results + $ref: '#/components/schemas/SLOs_403_response' + description: Forbidden response + '404': + content: + application/json: + examples: + notFoundExample: + summary: Not found + value: + error: Not Found + message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found + statusCode: 404 + schema: + $ref: '#/components/schemas/SLOs_404_response' + description: Not found response + summary: Enable an SLO tags: - - Security Osquery API - x-state: Generally available; Added in 9.4.0 - /api/osquery/scheduled_results/{scheduleId}/{executionCount}/results: + - slo + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /s/{spaceId}/internal/observability/slos/_definitions: get: - description: > - Get paginated query result rows (the actual osquery output data) for a - specific scheduled query execution. - operationId: OsqueryGetScheduledQueryResults + description: | + You must have the `read` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. + operationId: getDefinitionsOp parameters: - - description: The schedule ID of the scheduled query. - in: path - name: scheduleId - required: true - schema: - description: The schedule ID of the scheduled query. - example: pack_my_pack_uptime - type: string - - description: The execution count for this scheduled query run. - in: path - name: executionCount - required: true - schema: - description: The execution count for this scheduled query run. - example: 3 - type: integer - - description: The kuery to filter the results by. + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - description: Indicates if the API returns only outdated SLO or all SLO definitions in: query - name: kuery - required: false + name: includeOutdatedOnly schema: - $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' - - description: The page number to return. The default is 1. 
+ type: boolean + - description: Indicates if the API returns SLO health data with definitions + example: true in: query - name: page - required: false + name: includeHealth schema: - $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' - - description: The number of results to return per page. The default is 20. + type: boolean + - description: Filters the SLOs by tag in: query - name: pageSize - required: false + name: tags schema: - $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' - - description: The field that is used to sort the results. + type: string + - description: Filters the SLOs by name + example: my service availability in: query - name: sort - required: false + name: search schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' - - description: Specifies the sort order. + type: string + - description: The page to use for pagination, must be greater or equal than 1 + example: 1 in: query - name: sortOrder - required: false + name: page schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' - - description: The start date filter (ISO 8601) to narrow down results. + type: number + - description: Number of SLOs returned by page + example: 100 in: query - name: startDate - required: false + name: perPage schema: - description: The start date filter (ISO 8601) to narrow down results. 
- example: '2024-01-01T00:00:00Z' + default: 100 + maximum: 1000 + type: integer + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/SLOs_find_slo_definitions_response' + description: Successful request + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json: + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Forbidden response + summary: Get the SLO definitions + tags: + - slo + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name +components: + examples: + APM_UI_agent_configuration_environments_200_response1: + description: An example of a successful response from `GET /api/apm/settings/agent-configuration/environments`. + value: + environments: + - alreadyConfigured: true + name: production + - alreadyConfigured: false + name: development + - alreadyConfigured: false + name: ALL_OPTION_VALUE + APM_UI_agent_configuration_intake_object_delete_200_response1: + description: An example of a successful response from `DELETE /api/apm/settings/agent-configuration`. + value: + result: deleted + APM_UI_agent_configuration_intake_object_delete_request1: + description: Run `DELETE /api/apm/settings/agent-configuration` to delete a configuration. + value: + service: + environment: production + name: frontend + APM_UI_agent_configuration_intake_object_get_200_response1: + description: An example of a successful response from `GET /api/apm/settings/agent-configuration`. 
+ value: + - '@timestamp': 1581934104843 + agent_name: go + applied_by_agent: false + etag: 1e58c178efeebae15c25c539da740d21dee422fc + service: + environment: production + name: opbeans-go + settings: + capture_body: 'off' + transaction_max_spans: '200' + transaction_sample_rate: '1' + - '@timestamp': 1581934111727 + agent_name: go + applied_by_agent: false + etag: 3eed916d3db434d9fb7f039daa681c7a04539a64 + service: + name: opbeans-go + settings: + capture_body: 'off' + transaction_max_spans: '300' + transaction_sample_rate: '1' + - '@timestamp': 1582031336265 + agent_name: nodejs + applied_by_agent: false + etag: 5080ed25785b7b19f32713681e79f46996801a5b + service: + name: frontend + settings: + transaction_sample_rate: '1' + APM_UI_agent_configuration_intake_object_put_200_response1: + description: An example of a successful response from `PUT /api/apm/settings/agent-configuration`. The response body is intentionally empty. + value: {} + APM_UI_agent_configuration_intake_object_put_request1: + description: Run `PUT /api/apm/settings/agent-configuration` to create or update configuration details. + value: + agent_name: nodejs + service: + environment: production + name: frontend + settings: + capture_body: 'off' + transaction_max_spans: '500' + transaction_sample_rate: '0.4' + APM_UI_agent_configuration_intake_object_search_200_response1: + description: An example of a successful response from `POST /api/apm/settings/agent-configuration/search`. + value: + _id: CIaqXXABmQCdPphWj8EJ + _index: .apm-agent-configuration + _score: 2 + _source: + '@timestamp': 1582031336265 + agent_name: nodejs + applied_by_agent: false + etag: 5080ed25785b7b19f32713681e79f46996801a5b + service: + name: frontend + settings: + transaction_sample_rate: '1' + APM_UI_agent_configuration_intake_object_search_request1: + description: Run `POST /api/apm/settings/agent-configuration/search` to search configuration details. 
+ value: + etag: 1e58c178efeebae15c25c539da740d21dee422fc + service: + environment: production + name: frontend + APM_UI_agent_configuration_intake_object_view_200_response1: + description: An example of a successful response from `GET /api/apm/settings/agent-configuration/view`. + value: + '@timestamp': 1582031336265 + agent_name: nodejs + applied_by_agent: true + etag: 5080ed25785b7b19f32713681e79f46996801a5b + id: CIaqXXABmQCdPphWj8EJ + service: + environment: production + name: frontend + settings: + capture_body: 'off' + transaction_max_spans: '500' + transaction_sample_rate: '0.4' + APM_UI_agent_keys_object_post_200_response1: + description: An example of a successful response from `POST /api/apm/agent_keys`, which creates an APM agent API key. + value: + agentKey: + api_key: PjGloCGOTzaZr8ilUPvkjA + encoded: M0RDTG1uMEIzWk1oTFVhN1dCRzk6UGpHbG9DR09UemFacjhpbFVQdmtqQQ== + id: 3DCLmn0B3ZMhLUa7WBG9 + name: apm-key + APM_UI_agent_keys_object_post_request1: + description: Run `POST /api/apm/agent_keys` to create an APM agent API key with the specified privileges. + value: + name: apm-key + privileges: + - event:write + - config_agent:read + APM_UI_annotation_object_post_200_response1: + description: An example of a successful response from `POST /api/apm/services/opbeans-java/annotation`, which creates an annotation for a service named `opbeans-java`. + value: + _id: Lc9I93EBh6DbmkeV7nFX + _index: observability-annotations + _primary_term: 1 + _seq_no: 12 + _source: + '@timestamp': '2020-05-08T10:31:30.452Z' + annotation: + type: deployment + event: + created: '2020-05-09T02:34:43.937Z' + message: Deployment 1.2 + service: + name: opbeans-java + version: '1.2' + tags: + - apm + - elastic.co + - customer + _version: 1 + found: true + APM_UI_annotation_object_post_request1: + description: Run `POST /api/apm/services/{serviceName}/annotation` to create a deployment annotation for a service. 
+ value: + '@timestamp': '2024-01-15T12:00:00.000Z' + message: Deployment 1.2.0 + service: + environment: production + version: 1.2.0 + tags: + - apm + - deployment + APM_UI_annotation_search_get_200_response1: + description: An example of a successful response from `GET /api/apm/services/{serviceName}/annotation/search`, which returns the annotations associated with a service over the given time range. + value: + annotations: + - '@timestamp': 1735689600000 + id: opbeans-node@2.0.0 + text: opbeans-node@2.0.0 + type: version + - '@timestamp': 1736294400000 + id: opbeans-node@2.1.0 + text: opbeans-node@2.1.0 + type: version + APM_UI_error_400_response: + description: An example of a 400 Bad Request response, returned when the request payload or query parameters fail validation. + value: + error: Bad Request + message: '[request body]: expected value of type [string] but got [undefined]' + statusCode: 400 + APM_UI_error_401_response: + description: An example of a 401 Unauthorized response, returned when the request is missing valid authentication credentials. + value: + error: Unauthorized + message: '[security_exception]: missing authentication credentials for REST request' + statusCode: 401 + APM_UI_error_403_response: + description: An example of a 403 Forbidden response, returned when the authenticated user lacks the required APM and User Experience privileges. + value: + error: Forbidden + message: Insufficient privileges to perform this action. The APM and User Experience feature requires `all` privileges. + statusCode: 403 + APM_UI_error_404_response: + description: An example of a 404 Not Found response, returned when the requested resource does not exist or the feature is not available on the current deployment. + value: + error: Not Found + message: Not Found + statusCode: 404 + APM_UI_error_500_response: + description: An example of a 500 Internal Server Error response, returned when an unexpected error occurs while processing the request. 
+ value: + error: Internal Server Error + message: An internal server error occurred. Check the Kibana server logs for details. + statusCode: 500 + APM_UI_error_501_response: + description: An example of a 501 Not Implemented response, returned when the source map feature is not available on the current deployment. + value: + error: Not Implemented + message: Not Implemented + statusCode: 501 + APM_UI_fleet_apm_server_schema_200_response1: + description: An example of a successful response from `POST /api/apm/fleet/apm_server_schema`. The response body is intentionally empty. + value: {} + APM_UI_service_agent_name_get_200_response1: + description: An example of a successful response from `GET /api/apm/settings/agent-configuration/agent_name`, which returns the detected APM agent name for a service. + value: + agentName: nodejs + APM_UI_source_maps_delete_200_response1: + description: An example of a successful response from `DELETE /api/apm/sourcemaps/{id}`. The response body is intentionally empty. + value: {} + APM_UI_source_maps_get_200_response1: + description: A successful response from `GET /api/apm/sourcemaps`. 
+ value: + artifacts: + - body: + bundleFilepath: /test/e2e/general-usecase/bundle.js + serviceName: foo + serviceVersion: 1.0.0 + sourceMap: + file: static/js/main.chunk.js + mappings: mapping + sourceRoot: '' + sources: + - fleet-source-map-client/src/index.css + - fleet-source-map-client/src/App.js + - webpack:///./src/index.css?bb0a + - fleet-source-map-client/src/index.js + - fleet-source-map-client/src/reportWebVitals.js + sourcesContent: + - content + version: 3 + compressionAlgorithm: zlib + created: '2021-07-09T20:47:44.812Z' + decodedSha256: 644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 + decodedSize: 441 + encodedSha256: 024c72749c3e3dd411b103f7040ae62633558608f480bce4b108cf5b2275bd24 + encodedSize: 237 + encryptionAlgorithm: none + id: apm:foo-1.0.0-644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 + identifier: foo-1.0.0 + packageName: apm + relative_url: /api/fleet/artifacts/foo-1.0.0/644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 + type: sourcemap + APM_UI_source_maps_upload_200_response1: + description: A successful response from `POST /api/apm/sourcemaps`. 
+ value: + body: eJyFkL1OwzAUhd/Fc+MbYMuCEBIbHRjKgBgc96R16tiWr1OQqr47NwqJxEK3q/PzWccXxchnZ7E1A1SjuhjVZtF2yOxiEPlO17oWox3D3uPFeSRTjmJQARfCPeiAgGx8NTKsYdAc1T3rwaSJGcds8Sp3c1HnhfywUZ3QhMTFFGepZxqMC9oex3CS9tpk1XyozgOlmoVKuJX1DqEQZ0su7PGtLU+V/3JPKc3cL7TJ2FNDRPov4bFta3MDM4f7W69lpJjLO9qdK8bzVPhcJz3HUCQ4LbO/p5hCSC4cZPByrp/wFqOklbpefwAhzpqI + compressionAlgorithm: zlib + created: '2021-07-09T20:47:44.812Z' + decodedSha256: 644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 + decodedSize: 441 + encodedSha256: 024c72749c3e3dd411b103f7040ae62633558608f480bce4b108cf5b2275bd24 + encodedSize: 237 + encryptionAlgorithm: none + id: apm:foo-1.0.0-644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 + identifier: foo-1.0.0 + packageName: apm + relative_url: /api/fleet/artifacts/foo-1.0.0/644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 + type: sourcemap + APM_UI_source_maps_upload_request1: + description: | + An example of a multipart/form-data request body for `POST /api/apm/sourcemaps`. + Each field is a separate form part; `sourcemap` is the source map file content (typically uploaded as a file). + value: + bundle_filepath: /test/e2e/general-usecase/bundle.js.map + service_name: opbeans-node + service_version: 1.0.0 + sourcemap: '{"version":3,"sources":["bundle.js"],"names":[],"mappings":"AAAA","file":"bundle.js","sourcesContent":["console.log(''hello'');"]}' + Data_views_create_data_view_request: + description: Create a data view for logstash indices that includes a runtime field which extracts the shape name from a source field. + summary: Create a data view with runtime fields. + value: + data_view: + name: My Logstash data view + runtimeFieldMap: + runtime_shape_name: + script: + source: emit(doc['shape_name'].value) + type: keyword + title: logstash-* + Data_views_create_data_view_response: + description: The response includes the full data view specification, including auto-generated fields such as the unique identifier and version. 
+ summary: The create data view API returns a JSON object that contains details about the new data view. + value: + data_view: + allowNoIndex: false + fieldAttrs: {} + fieldFormats: {} + fields: + runtime_shape_name: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + name: runtime_shape_name + readFromDocValues: false + runtimeField: + script: + source: emit(doc['shape_name'].value) + type: keyword + scripted: false + searchable: true + shortDotsEnable: false + type: string + id: b561acfb-0181-455e-84a3-ce8980b2272f + name: My Logstash data view + namespaces: + - default + runtimeFieldMap: + runtime_shape_name: + script: + source: emit(doc['shape_name'].value) + type: keyword + sourceFilters: [] + title: logstash-* + typeMeta: {} + version: WzQ5LDJd + Data_views_create_runtime_field_request: + description: Create a long-type runtime field that emits a value derived from the foo source field. + summary: Create a runtime field. + value: + name: runtimeFoo + runtimeField: + script: + source: emit(doc["foo"].value) + type: long + Data_views_create_runtime_field_response: + description: The response includes the newly created runtime field as an array and the full updated data view object. + summary: The API returns created runtime field object array and updated data view object. + value: + data_view: + ...: null + fields: + - ... + Data_views_error_400_response: + description: The request was rejected because the payload or query parameters are missing required fields or contain invalid values. + summary: A bad request response. + value: + error: Bad Request + message: '[request body.data_view.title]: expected value of type [string] but got [undefined]' + statusCode: 400 + Data_views_error_404_response: + description: The requested data view or runtime field was not found in the current Kibana space. + summary: A not found response. 
+ value: + error: Not Found + message: Saved object [index-pattern/caaad6d0-920c-11ed-b36a-874bd1548a00] not found + statusCode: 404 + Data_views_get_data_view_response: + description: A complete data view object including all fields, runtime fields, and metadata. + summary: The get data view API returns a JSON object that contains information about the data view. + value: + data_view: + allowNoIndex: false + fieldAttrs: + products.manufacturer: + count: 1 + products.price: + count: 1 + products.product_name: + count: 1 + total_quantity: + count: 1 + fieldFormats: + products.base_price: + id: number + params: + pattern: $0,0.00 + products.base_unit_price: + id: number + params: + pattern: $0,0.00 + products.min_price: + id: number + params: + pattern: $0,0.00 + products.price: + id: number + params: + pattern: $0,0.00 + products.taxful_price: + id: number + params: + pattern: $0,0.00 + products.taxless_price: + id: number + params: + pattern: $0,0.00 + taxful_total_price: + id: number + params: + pattern: $0,0.[00] + taxless_total_price: + id: number + params: + pattern: $0,0.00 + fields: + _id: + aggregatable: false + count: 0 + esTypes: + - _id + format: + id: string + isMapped: true + name: _id + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + _index: + aggregatable: true + count: 0 + esTypes: + - _index + format: + id: string + isMapped: true + name: _index + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + _score: + aggregatable: false + count: 0 + format: + id: number + isMapped: true + name: _score + readFromDocValues: false + scripted: false + searchable: false + shortDotsEnable: false + type: number + _source: + aggregatable: false + count: 0 + esTypes: + - _source + format: + id: _source + isMapped: true + name: _source + readFromDocValues: false + scripted: false + searchable: false + shortDotsEnable: false + type: _source + category: + 
aggregatable: false + count: 0 + esTypes: + - text + format: + id: string + isMapped: true + name: category + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + category.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: category.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: category + type: string + currency: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: currency + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + customer_birth_date: + aggregatable: true + count: 0 + esTypes: + - date + format: + id: date + isMapped: true + name: customer_birth_date + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: date + customer_first_name: + aggregatable: false + count: 0 + esTypes: + - text + format: + id: string + isMapped: true + name: customer_first_name + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + customer_first_name.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: customer_first_name.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: customer_first_name + type: string + customer_full_name: + aggregatable: false + count: 0 + esTypes: + - text + format: + id: string + isMapped: true + name: customer_full_name + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + customer_full_name.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: customer_full_name.keyword + readFromDocValues: true + scripted: false + searchable: true + 
shortDotsEnable: false + subType: + multi: + parent: customer_full_name + type: string + customer_gender: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: customer_gender + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + customer_id: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: customer_id + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + customer_last_name: + aggregatable: false + count: 0 + esTypes: + - text + format: + id: string + isMapped: true + name: customer_last_name + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + customer_last_name.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: customer_last_name.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: customer_last_name + type: string + customer_phone: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: customer_phone + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + day_of_week: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: day_of_week + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + day_of_week_i: + aggregatable: true + count: 0 + esTypes: + - integer + format: + id: number + isMapped: true + name: day_of_week_i + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + email: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: email + readFromDocValues: true + scripted: false + 
searchable: true + shortDotsEnable: false + type: string + event.dataset: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: event.dataset + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + geoip.city_name: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: geoip.city_name + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + geoip.continent_name: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: geoip.continent_name + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + geoip.country_iso_code: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: geoip.country_iso_code + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + geoip.location: + aggregatable: true + count: 0 + esTypes: + - geo_point + format: + id: geo_point + params: + transform: wkt + isMapped: true + name: geoip.location + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: geo_point + geoip.region_name: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: geoip.region_name + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + manufacturer: + aggregatable: false + count: 0 + esTypes: + - text + format: + id: string + isMapped: true + name: manufacturer + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + manufacturer.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: manufacturer.keyword + readFromDocValues: true + scripted: false + searchable: 
true + shortDotsEnable: false + subType: + multi: + parent: manufacturer + type: string + order_date: + aggregatable: true + count: 0 + esTypes: + - date + format: + id: date + isMapped: true + name: order_date + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: date + order_id: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: order_id + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + products._id: + aggregatable: false + count: 0 + esTypes: + - text + format: + id: string + isMapped: true + name: products._id + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + products._id.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: products._id.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: products._id + type: string + products.base_price: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + params: + pattern: $0,0.00 + isMapped: true + name: products.base_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.base_unit_price: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + params: + pattern: $0,0.00 + isMapped: true + name: products.base_unit_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.category: + aggregatable: false + count: 0 + esTypes: + - text + format: + id: string + isMapped: true + name: products.category + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + products.category.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + 
isMapped: true + name: products.category.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: products.category + type: string + products.created_on: + aggregatable: true + count: 0 + esTypes: + - date + format: + id: date + isMapped: true + name: products.created_on + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: date + products.discount_amount: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + isMapped: true + name: products.discount_amount + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.discount_percentage: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + isMapped: true + name: products.discount_percentage + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.manufacturer: + aggregatable: false + count: 1 + esTypes: + - text + format: + id: string + isMapped: true + name: products.manufacturer + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + products.manufacturer.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: products.manufacturer.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: products.manufacturer + type: string + products.min_price: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + params: + pattern: $0,0.00 + isMapped: true + name: products.min_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.price: + aggregatable: true + count: 1 + esTypes: + - half_float + format: + id: number + params: + pattern: $0,0.00 + isMapped: true + name: products.price + 
readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.product_id: + aggregatable: true + count: 0 + esTypes: + - long + format: + id: number + isMapped: true + name: products.product_id + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.product_name: + aggregatable: false + count: 1 + esTypes: + - text + format: + id: string + isMapped: true + name: products.product_name + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + products.product_name.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: products.product_name.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: products.product_name + type: string + products.quantity: + aggregatable: true + count: 0 + esTypes: + - integer + format: + id: number + isMapped: true + name: products.quantity + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.sku: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: products.sku + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + products.tax_amount: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + isMapped: true + name: products.tax_amount + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.taxful_price: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + params: + pattern: $0,0.00 + isMapped: true + name: products.taxful_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.taxless_price: + aggregatable: true + count: 0 + 
esTypes: + - half_float + format: + id: number + params: + pattern: $0,0.00 + isMapped: true + name: products.taxless_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.unit_discount_amount: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + isMapped: true + name: products.unit_discount_amount + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + sku: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: sku + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + taxful_total_price: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + params: + pattern: $0,0.[00] + isMapped: true + name: taxful_total_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + taxless_total_price: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + params: + pattern: $0,0.00 + isMapped: true + name: taxless_total_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + total_quantity: + aggregatable: true + count: 1 + esTypes: + - integer + format: + id: number + isMapped: true + name: total_quantity + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + total_unique_products: + aggregatable: true + count: 0 + esTypes: + - integer + format: + id: number + isMapped: true + name: total_unique_products + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + type: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: type + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + user: + 
aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: user + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + id: ff959d40-b880-11e8-a6d9-e546fe2bba5f + name: Kibana Sample Data eCommerce + namespaces: + - default + runtimeFieldMap: {} + sourceFilters: [] + timeFieldName: order_date + title: kibana_sample_data_ecommerce + typeMeta: {} + version: WzUsMV0= + Data_views_get_data_views_response: + description: A list of available data views including their identifiers, names, and index patterns. + summary: The get all data views API returns a list of data views. + value: + data_view: + - id: ff959d40-b880-11e8-a6d9-e546fe2bba5f + name: Kibana Sample Data eCommerce + namespaces: + - default + title: kibana_sample_data_ecommerce + typeMeta: {} + - id: d3d7af60-4c81-11e8-b3d7-01146121b73d + name: Kibana Sample Data Flights + namespaces: + - default + title: kibana_sample_data_flights + - id: 90943e30-9a47-11e8-b64d-95841ca0b247 + name: Kibana Sample Data Logs + namespaces: + - default + title: kibana_sample_data_logs + Data_views_get_default_data_view_response: + description: The identifier of the default data view for the current Kibana space. + summary: The get default data view API returns the default data view identifier. + value: + data_view_id: ff959d40-b880-11e8-a6d9-e546fe2bba5f + Data_views_get_runtime_field_response: + description: The runtime field definition along with the parent data view. + summary: The get runtime field API returns a JSON object that contains information about the runtime field (`hour_of_day`) and the data view (`d3d7af60-4c81-11e8-b3d7-01146121b73d`). 
+ value: + data_view: + allowNoIndex: false + fieldAttrs: {} + fieldFormats: + AvgTicketPrice: + id: number + params: + pattern: $0,0.[00] + hour_of_day: + id: number + params: + pattern: '00' + fields: + _id: + aggregatable: false + count: 0 + esTypes: + - _id + format: + id: string + isMapped: true + name: _id + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + _index: + aggregatable: true + count: 0 + esTypes: + - _index + format: + id: string + isMapped: true + name: _index + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + _score: + aggregatable: false + count: 0 + format: + id: number + isMapped: true + name: _score + readFromDocValues: false + scripted: false + searchable: false + shortDotsEnable: false + type: number + _source: + aggregatable: false + count: 0 + esTypes: + - _source + format: + id: _source + isMapped: true + name: _source + readFromDocValues: false + scripted: false + searchable: false + shortDotsEnable: false + type: _source + AvgTicketPrice: + aggregatable: true + count: 0 + esTypes: + - float + format: + id: number + params: + pattern: $0,0.[00] + isMapped: true + name: AvgTicketPrice + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + Cancelled: + aggregatable: true + count: 0 + esTypes: + - boolean + format: + id: boolean + isMapped: true + name: Cancelled + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: boolean + Carrier: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: Carrier + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + dayOfWeek: + aggregatable: true + count: 0 + esTypes: + - integer + format: + id: number + isMapped: true + name: dayOfWeek + readFromDocValues: true + scripted: false + searchable: true + 
shortDotsEnable: false + type: number + Dest: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: Dest + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + DestAirportID: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: DestAirportID + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + DestCityName: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: DestCityName + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + DestCountry: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: DestCountry + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + DestLocation: + aggregatable: true + count: 0 + esTypes: + - geo_point + format: + id: geo_point + params: + transform: wkt + isMapped: true + name: DestLocation + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: geo_point + DestRegion: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: DestRegion + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + DestWeather: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: DestWeather + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + DistanceKilometers: + aggregatable: true + count: 0 + esTypes: + - float + format: + id: number + isMapped: true + name: DistanceKilometers + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + DistanceMiles: + aggregatable: true + count: 0 + 
esTypes: + - float + format: + id: number + isMapped: true + name: DistanceMiles + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + FlightDelay: + aggregatable: true + count: 0 + esTypes: + - boolean + format: + id: boolean + isMapped: true + name: FlightDelay + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: boolean + FlightDelayMin: + aggregatable: true + count: 0 + esTypes: + - integer + format: + id: number + isMapped: true + name: FlightDelayMin + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + FlightDelayType: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: FlightDelayType + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + FlightNum: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: FlightNum + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + FlightTimeHour: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: FlightTimeHour + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + FlightTimeMin: + aggregatable: true + count: 0 + esTypes: + - float + format: + id: number + isMapped: true + name: FlightTimeMin + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + hour_of_day: + aggregatable: true + count: 0 + esTypes: + - long + format: + id: number + params: + pattern: '00' + name: hour_of_day + readFromDocValues: false + runtimeField: + script: + source: emit(doc['timestamp'].value.getHour()); + type: long + scripted: false + searchable: true + shortDotsEnable: false + type: number + Origin: + aggregatable: true + count: 0 + esTypes: + - keyword + 
format: + id: string + isMapped: true + name: Origin + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + OriginAirportID: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: OriginAirportID + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + OriginCityName: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: OriginCityName + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + OriginCountry: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: OriginCountry + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + OriginLocation: + aggregatable: true + count: 0 + esTypes: + - geo_point + format: + id: geo_point + params: + transform: wkt + isMapped: true + name: OriginLocation + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: geo_point + OriginRegion: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: OriginRegion + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + OriginWeather: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: OriginWeather + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + timestamp: + aggregatable: true + count: 0 + esTypes: + - date + format: + id: date + isMapped: true + name: timestamp + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: date + id: d3d7af60-4c81-11e8-b3d7-01146121b73d + name: Kibana Sample Data Flights + runtimeFieldMap: + hour_of_day: + script: + source: 
emit(doc['timestamp'].value.getHour()); + type: long + sourceFilters: [] + timeFieldName: timestamp + title: kibana_sample_data_flights + version: WzM2LDJd + fields: + - aggregatable: true + count: 0 + esTypes: + - long + name: hour_of_day + readFromDocValues: false + runtimeField: + script: + source: emit(doc['timestamp'].value.getHour()); + type: long + scripted: false + searchable: true + shortDotsEnable: false + type: number + Data_views_preview_swap_data_view_request: + description: Preview the saved objects that would be affected by swapping references from one data view to another. + summary: Preview swapping references from data view ID "abcd-efg" to "xyz-123". + value: + fromId: abcd-efg + toId: xyz-123 + Data_views_preview_swap_data_view_response: + description: The result array lists every saved object that references the source data view. No saved objects are modified by the preview endpoint. + summary: A preview of saved objects that would be affected by a data view swap. + value: + result: + - id: 8963ca30-bca7-11e8-aa00-0123456789ab + type: visualization + - id: edf84fe0-e1a0-11e7-b6d5-4dc382ef7f5b + type: dashboard + Data_views_set_default_data_view_request: + description: Set the default data view, using the force flag to overwrite an existing default. + summary: Set the default data view identifier. + value: + data_view_id: ff959d40-b880-11e8-a6d9-e546fe2bba5f + force: true + Data_views_set_default_data_view_response: + description: The acknowledged flag confirms that the default data view for the current Kibana space was updated. + summary: The default data view was set successfully. + value: + acknowledged: true + Data_views_swap_data_view_request: + description: Swap all saved object references from one data view to another and delete the source data view afterward. + summary: Swap references from data view ID "abcd-efg" to "xyz-123" and remove the data view that is no longer referenced. 
+ value: + delete: true + fromId: abcd-efg + toId: xyz-123 + Data_views_swap_data_view_response: + description: The list of saved objects whose references were updated, along with the delete status of the source. + summary: The swap references API returns a list of the affected saved objects. + value: + deleteStatus: + deletePerformed: true + remainingRefs: 0 + result: + - id: '123' + type: visualization + Data_views_update_data_view_request: + description: Update the title, time field, and other properties of an existing data view. + summary: Update some properties for a data view. + value: + data_view: + allowNoIndex: false + name: Kibana Sample Data eCommerce + timeFieldName: order_date + title: kibana_sample_data_ecommerce + refresh_fields: true + Data_views_update_field_metadata_request: + description: Update the popularity count, custom label, and custom description for specific fields in a data view. + summary: Update metadata for multiple fields. + value: + fields: + field1: + count: 123 + customLabel: Field 1 label + field2: + customDescription: Field 2 description + customLabel: Field 2 label + Data_views_update_field_metadata_response: + description: The acknowledged flag confirms that the field metadata changes were applied to the data view. + summary: Field metadata was updated successfully. + value: + acknowledged: true + Data_views_update_runtime_field_request: + description: Update the script of an existing runtime field. + summary: Update an existing runtime field on a data view. + value: + runtimeField: + script: + source: emit(doc["bar"].value) + Machine_learning_APIs_mlSync401Example: + summary: Two anomaly detection jobs required synchronization in this example. 
+ value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [ml_viewer] for REST request [/_security/_authenticate]]: unable to authenticate user [ml_viewer] for REST request [/_security/_authenticate]" + statusCode: 401 + Machine_learning_APIs_mlSyncExample: + summary: Two anomaly detection jobs required synchronization in this example. + value: + datafeedsAdded: {} + datafeedsRemoved: {} + savedObjectsCreated: + anomaly-detector: + myjob1: + success: true + myjob2: + success: true + savedObjectsDeleted: {} + Observability_AI_Assistant_API_ChatCompleteRequestExample: + summary: Example of completing a chat interaction + value: | + { + "connectorId": "", + "disableFunctions": false, + "messages": [ + { + "@timestamp": "2025-06-25T23:45:00.000Z", + "message": { + "role": "user", + "content": "Is my Elasticsearch cluster healthy right now?" + } + } + ], + "persist": false, + "actions": [ + { + "name": "get_cluster_health", + "description": "Fetch the current Elasticsearch cluster-health status and key metrics.", + "parameters": { + "type": "object", + "properties": { + "includeShardStats": { + "type": "boolean", + "default": false + } + } + } + } + ], + "instructions": ["When the user asks about Elasticsearch cluster health, use the get_cluster_health tool to retrieve cluster health, then summarize the response in plain English."] + } + Observability_AI_Assistant_API_ChatCompleteResponseExample: + summary: Get a chat completion from the Observability AI Assistant + value: | + data: {"model":"unknown","choices":[{"delta":{"content":"","function_call":{"name":"get_cluster_health","arguments":"{\"includeShardStats\":true}"}},"finish_reason":null,"index":0}],"created":1750936626911,"id":"9c8eff9b-4fd4-4203-a4ab-2e364688deff","object":"chat.completion.chunk"} + + data: [DONE] + Security_Detections_API_SetAlertAssigneesBodyAdd: + value: + assignees: + add: + - 
u_MxY0jbrft7EcfC6iNZSUGeI_n6iYrSwZj5mWF5EqmSU_0 + remove: [] + ids: + - 681c2a707335aa7df5f349b70013d87254746191712ecf0ced9b3e2d538503a6 + Security_Detections_API_SetAlertAssigneesBodyRemove: + value: + assignees: + add: [] + remove: + - u_MxY0jbrft7EcfC6iNZSUGeI_n6iYrSwZj5mWF5EqmSU_0 + ids: + - 681c2a707335aa7df5f349b70013d87254746191712ecf0ced9b3e2d538503a6 + Security_Detections_API_SetAlertTagsBodyAdd: + value: + ids: + - 549c7129c76cbd554aba1bd638f8a49dde95088f5832e50218358e7eca1cf16e + tags: + tags_to_add: + - Duplicate + tags_to_remove: [] + Security_Detections_API_SetAlertTagsBodyRemove: + value: + ids: + - 549c7129c76cbd554aba1bd638f8a49dde95088f5832e50218358e7eca1cf16e + tags: + tags_to_add: [] + tags_to_remove: + - Duplicate + Task_manager_health_Serverless_APIs_health_200response_serverless: + description: A successful response from `GET api/task_manager/_health`. + value: |- + { + "id": "b44483e1-3ba2-4f28-93d0-1d96c69c32c1", + "timestamp": "2025-03-21T21:49:50.409Z", + "status": "OK", + "last_update": "2025-03-21T21:48:53.996Z", + "stats": { + "configuration": { + "timestamp": "2025-03-21T21:47:51.663Z", + "value": { + "request_capacity": 1000, + "monitored_aggregated_stats_refresh_rate": 60000, + "monitored_stats_running_average_window": 50, + "monitored_task_execution_thresholds": { + "custom": {}, + "default": { + "error_threshold": 90, + "warn_threshold": 80 + } + }, + "claim_strategy": "mget", + "poll_interval": 500, + "capacity": { + "config": 10, + "as_workers": 10, + "as_cost": 20 + } + }, + "status": "OK" + }, + "workload": { + "timestamp": "2025-03-21T21:48:53.996Z", + "value": { + "count": 21, + "cost": 42, + "task_types": { + "Fleet-Metrics-Task": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "Fleet-Usage-Logger": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "Fleet-Usage-Sender": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "ML:saved-objects-sync": { + "count": 1, + "cost": 2, + 
"status": { + "idle": 1 + } + }, + "actions:connector_usage_reporting": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "actions_telemetry": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "alerting_health_check": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "alerting_telemetry": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "alerts_invalidate_api_keys": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "cases-telemetry-task": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "dashboard_telemetry": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "fleet:automatic-agent-upgrade-task": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "fleet:check-deleted-files-task": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "fleet:delete-unenrolled-agents-task": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "fleet:sync-integrations-task": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "fleet:unenroll-inactive-agents-task": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "fleet:upgrade-agentless-deployments-task": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "session_cleanup": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "task_manager:delete_inactive_background_task_nodes": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "task_manager:mark_removed_tasks_as_unrecognized": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + } + }, + "non_recurring": 1, + "non_recurring_cost": 2, + "schedule": [ + [ + "1m", + 2 + ], + [ + "5m", + 2 + ], + [ + "10m", + 1 + ], + [ + "15m", + 1 + ], + [ + "30m", + 1 + ], + [ + "1h", + 5 + ], + [ + "3600s", + 1 + ], + [ + "60m", + 1 + ], + [ + "720m", + 1 + ], + [ + "1d", + 4 + ], + [ + "1440m", + 1 + ] + ], + "overdue": 0, + "overdue_cost": 0, + 
"overdue_non_recurring": 0, + "estimated_schedule_density": [ + 0, + 0, + 1, + 0, + 0, + 0, + 0, + 1, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0 + ], + "capacity_requirements": { + "per_minute": 2, + "per_hour": 43, + "per_day": 7 + } + }, + "status": "OK" + } + } + } + get_connector_types_generativeai_response: + summary: A list of connector types for the `generativeAI` feature. + value: + - id: .gen-ai + name: OpenAI + enabled: true + enabled_in_config: true + enabled_in_license: true + minimum_license_required: enterprise + supported_feature_ids: + - generativeAIForSecurity + - generativeAIForObservability + - generativeAIForSearchPlayground + is_system_action_type: false + - id: .bedrock + name: AWS Bedrock + enabled: true + enabled_in_config: true + enabled_in_license: true + minimum_license_required: enterprise + supported_feature_ids: + - generativeAIForSecurity + - generativeAIForObservability + - generativeAIForSearchPlayground + is_system_action_type: false + - id: .gemini + name: Google Gemini + enabled: true + enabled_in_config: true + enabled_in_license: true + minimum_license_required: enterprise + supported_feature_ids: + - generativeAIForSecurity + is_system_action_type: false + get_connector_response: + summary: Get connector details. + value: + id: df770e30-8b8b-11ed-a780-3b746c987a81 + name: my_server_log_connector + config: {} + connector_type_id: .server-log + is_preconfigured: false + is_deprecated: false + is_missing_secrets: false + is_system_action: false + update_index_connector_request: + summary: Update an index connector. + value: + name: updated-connector + config: + index: updated-index + create_email_connector_request: + summary: Create an email connector. 
+ value: + name: email-connector-1 + connector_type_id: .email + config: + from: tester@example.com + hasAuth: true + host: https://example.com + port: 1025 + secure: false + service: other + secrets: + user: username + password: password + create_index_connector_request: + summary: Create an index connector. + value: + name: my-connector + connector_type_id: .index + config: + index: test-index + create_webhook_connector_request: + summary: Create a webhook connector with SSL authentication. + value: + name: my-webhook-connector + connector_type_id: .webhook + config: + method: post + url: https://example.com + authType: webhook-authentication-ssl + certType: ssl-crt-key + secrets: + crt: QmFnIEF0dH... + key: LS0tLS1CRUdJ... + password: my-passphrase + create_xmatters_connector_request: + summary: Create an xMatters connector with URL authentication. + value: + name: my-xmatters-connector + connector_type_id: .xmatters + config: + usesBasic: false + secrets: + secretsUrl: https://example.com?apiKey=xxxxx + create_email_connector_response: + summary: A new email connector. + value: + id: 90a82c60-478f-11ee-a343-f98a117c727f + connector_type_id: .email + name: email-connector-1 + config: + from: tester@example.com + service: other + host: https://example.com + port: 1025 + secure: false + hasAuth: true + tenantId: null + clientId: null + oauthTokenUrl: null + is_preconfigured: false + is_deprecated: false + is_missing_secrets: false + is_system_action: false + create_index_connector_response: + summary: A new index connector. + value: + id: c55b6eb0-6bad-11eb-9f3b-611eebc6c3ad + connector_type_id: .index + name: my-connector + config: + index: test-index + refresh: false + executionTimeField: null + is_preconfigured: false + is_deprecated: false + is_missing_secrets: false + is_system_action: false + create_webhook_connector_response: + summary: A new webhook connector. 
+ value: + id: 900eb010-3b9d-11ee-a642-8ffbb94e38bd + name: my-webhook-connector + config: + method: post + url: https://example.com + authType: webhook-authentication-ssl + certType: ssl-crt-key + verificationMode: full + headers: null + hasAuth: true + connector_type_id: .webhook + is_preconfigured: false + is_deprecated: false + is_missing_secrets: false + is_system_action: false + run_index_connector_request: + summary: Run an index connector. + value: + params: + documents: + - id: my_doc_id + name: my_doc_name + message: hello, world + run_jira_connector_request: + summary: Run a Jira connector to retrieve the list of issue types. + value: + params: + subAction: issueTypes + run_servicenow_itom_connector_request: + summary: Run a ServiceNow ITOM connector to retrieve the list of choices. + value: + params: + subAction: getChoices + subActionParams: + fields: + - severity + - urgency + run_slack_api_connector_request: + summary: Run a Slack connector that uses the web API method to post a message on a channel. + value: + params: + subAction: postMessage + subActionParams: + channelIds: + - C123ABC456 + text: A test message. + run_swimlane_connector_request: + summary: Run a Swimlane connector to create an incident. + value: + params: + subAction: pushToService + subActionParams: + comments: + - commentId: 1 + comment: A comment about the incident. + incident: + caseId: '1000' + caseName: Case name + description: Description of the incident. + run_index_connector_response: + summary: Response from running an index connector. + value: + connector_id: fd38c600-96a5-11ed-bb79-353b74189cba + data: + errors: false + items: + - create: + _id: 4JtvwYUBrcyxt2NnfW3y + _index: my-index + _primary_term: 1 + _seq_no: 0 + _shards: + failed: 0 + successful: 1 + total: 2 + _version: 1 + result: created + status: 201 + took: 135 + status: ok + run_jira_connector_response: + summary: Response from retrieving the list of issue types for a Jira connector. 
+ value: + connector_id: b3aad810-edbe-11ec-82d1-11348ecbf4a6 + data: + - id: 10024 + name: Improvement + - id: 10006 + name: Task + - id: 10007 + name: Sub-task + - id: 10025 + name: New Feature + - id: 10023 + name: Bug + - id: 10000 + name: Epic + status: ok + run_server_log_connector_response: + summary: Response from running a server log connector. + value: + connector_id: 7fc7b9a0-ecc9-11ec-8736-e7d63118c907 + status: ok + run_servicenow_itom_connector_response: + summary: Response from retrieving the list of choices for a ServiceNow ITOM connector. + value: + connector_id: 9d9be270-2fd2-11ed-b0e0-87533c532698 + data: + - dependent_value: '' + element: severity + label: Critical + value: 1 + - dependent_value: '' + element: severity + label: Major + value: 2 + - dependent_value: '' + element: severity + label: Minor + value: 3 + - dependent_value: '' + element: severity + label: Warning + value: 4 + - dependent_value: '' + element: severity + label: OK + value: 5 + - dependent_value: '' + element: severity + label: Clear + value: 0 + - dependent_value: '' + element: urgency + label: 1 - High + value: 1 + - dependent_value: '' + element: urgency + label: 2 - Medium + value: 2 + - dependent_value: '' + element: urgency + label: 3 - Low + value: 3 + status: ok + run_slack_api_connector_response: + summary: Response from posting a message with a Slack connector. + value: + status: ok + data: + ok: true + channel: C123ABC456 + ts: '1234567890.123456' + message: + bot_id: B12BCDEFGHI + type: message + text: A test message + user: U12A345BC6D + ts: '1234567890.123456' + app_id: A01BC2D34EF + blocks: + - type: rich_text + block_id: /NXe + elements: + - type: rich_text_section + elements: + - type: text + text: A test message. 
+ team: T01ABCDE2F + bot_profile: + id: B12BCDEFGHI + app_id: A01BC2D34EF + name: test + icons: + image_36: https://a.slack-edge.com/80588/img/plugins/app/bot_36.png + deleted: false + updated: 1672169705 + team_id: T01ABCDE2F + connector_id: .slack_api + run_swimlane_connector_response: + summary: Response from creating a Swimlane incident. + value: + connector_id: a4746470-2f94-11ed-b0e0-87533c532698 + data: + id: aKPmBHWzmdRQtx6Mx + title: TEST-457 + url: https://elastic.swimlane.url.us/record/aNcL2xniGHGpa2AHb/aKPmBHWzmdRQtx6Mx + pushedDate: '2022-09-08T16:52:27.866Z' + comments: + - commentId: 1 + pushedDate: '2022-09-08T16:52:27.865Z' + status: ok + get_connectors_response: + summary: A list of connectors + value: + - id: preconfigured-email-connector + name: my-preconfigured-email-notification + connector_type_id: .email + is_preconfigured: true + is_deprecated: false + referenced_by_count: 0 + is_system_action: false + - id: e07d0c80-8b8b-11ed-a780-3b746c987a81 + name: my-index-connector + config: + index: test-index + refresh: false + executionTimeField: null + connector_type_id: .index + is_preconfigured: false + is_deprecated: false + referenced_by_count: 2 + is_missing_secrets: false + is_system_action: false + get_spaces_response1: + summary: Get all spaces + description: Get all spaces without specifying any options. + value: + - id: default + name: Default + description: This is the Default Space + disabledFeatures: [] + imageUrl: '' + _reserved: true + - id: marketing + name: Marketing + description: This is the Marketing Space + color: null + disabledFeatures: + - apm + initials: MK + imageUrl: data:image/png;base64,iVBORw0KGgoAAAANSU + - id: sales + name: Sales + initials: MK + disabledFeatures: + - discover + imageUr": '' + solution: oblt + get_spaces_response2: + summary: Get all spaces with custom options + description: | + The user has read-only access to the Sales space. 
Get all spaces with the following query parameters: "purpose=shareSavedObjectsIntoSpace&include_authorized_purposes=true" + value: + - id: default + name: Default + description: This is the Default Space + disabledFeatures: [] + imageUrl: '' + _reserved: true + authorizedPurposes: + any: true + copySavedObjectsIntoSpace: true + findSavedObjects: true + shareSavedObjectsIntoSpace: true + - id: marketing + name: Marketing + description: This is the Marketing Space + color: null + disabledFeatures: + - apm + initials: MK + imageUrl: data:image/png;base64,iVBORw0KGgoAAAANSU + authorizedPurposes: + any: true + copySavedObjectsIntoSpace: true + findSavedObjects: true + shareSavedObjectsIntoSpace: true + - id: sales + name: Sales + initials: MK + disabledFeatures: + - discover + imageUrl: '' + authorizedPurposes: + any: true + copySavedObjectsIntoSpace: false + findSavedObjects: true + shareSavedObjectsIntoSpace: false + create_space_request: + summary: Create a marketing space + value: + id: marketing + name: Marketing + description: This is the Marketing Space + color: null + initials: MK + disabledFeatures: [] + imageUrl: data:image/png;base64,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 + get_space_response: + summary: Get details about a marketing space + value: + id: marketing + name: Marketing + description: This is the Marketing Space + color: null + initials: MK + disabledFeatures: [] + imageUrl: '' + solution: es + update_space_request: + summary: Update a marketing space + description: Update the marketing space to remove the imageUrl. 
+ value: + id: marketing + name: Marketing + description: This is the Marketing Space + color: null + initials: MK + disabledFeatures: [] + imageUrl: '' + parameters: + APM_UI_elastic_api_version: + description: The version of the API to use + in: header + name: elastic-api-version + required: true + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + APM_UI_kbn_xsrf: + description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + Data_views_field_name: + description: The name of the runtime field. + in: path + name: fieldName + required: true + schema: + example: hour_of_day + type: string + Data_views_kbn_xsrf: + description: Cross-site request forgery protection + in: header + name: kbn-xsrf + required: true + schema: + type: string + Data_views_view_id: + description: An identifier for the data view. + in: path + name: viewId + required: true + schema: + example: ff959d40-b880-11e8-a6d9-e546fe2bba5f + type: string + Machine_learning_APIs_simulateParam: + description: When true, simulates the synchronization by returning only the list of actions that would be performed. + example: 'true' + in: query + name: simulate + required: false + schema: + type: boolean + SLOs_kbn_xsrf: + description: Cross-site request forgery protection + in: header + name: kbn-xsrf + required: true + schema: + type: string + SLOs_slo_id: + description: An identifier for the slo. + in: path + name: sloId + required: true + schema: + example: 9c235211-6834-11ea-a78c-6feb38a34414 + type: string + SLOs_space_id: + description: An identifier for the space. If `/s/` and the identifier are omitted from the path, the default space is used. 
+ in: path + name: spaceId + required: true + schema: + example: default + type: string + schemas: + APM_UI_400_response: + type: object + properties: + error: + description: Error type + example: Not Found + type: string + message: + description: Error message + example: Not Found + type: string + statusCode: + description: Error status code + example: 400 + type: number + APM_UI_401_response: + type: object + properties: + error: + description: Error type + example: Unauthorized + type: string + message: + description: Error message + type: string + statusCode: + description: Error status code + example: 401 + type: number + APM_UI_403_response: + type: object + properties: + error: + description: Error type + example: Forbidden + type: string + message: + description: Error message + type: string + statusCode: + description: Error status code + example: 403 + type: number + APM_UI_404_response: + type: object + properties: + error: + description: Error type + example: Not Found + type: string + message: + description: Error message + example: Not Found + type: string + statusCode: + description: Error status code + example: 404 + type: number + APM_UI_500_response: + type: object + properties: + error: + description: Error type + example: Internal Server Error + type: string + message: + description: Error message + type: string + statusCode: + description: Error status code + example: 500 + type: number + APM_UI_501_response: + type: object + properties: + error: + description: Error type + example: Not Implemented + type: string + message: + description: Error message + example: Not Implemented + type: string + statusCode: + description: Error status code + example: 501 + type: number + APM_UI_agent_configuration_intake_object: + type: object + properties: + agent_name: + description: The agent name is used by the UI to determine which settings to display. 
+ type: string + service: + $ref: '#/components/schemas/APM_UI_service_object' + settings: + $ref: '#/components/schemas/APM_UI_settings_object' + required: + - service + - settings + APM_UI_agent_configuration_object: + description: Agent configuration + type: object + properties: + '@timestamp': + description: Timestamp + example: 1730194190636 + type: number + agent_name: + description: Agent name + type: string + applied_by_agent: + description: Applied by agent + example: true + type: boolean + etag: + description: | + `etag` is sent by the APM agent to indicate the `etag` of the last successfully applied configuration. If the `etag` matches an existing configuration its `applied_by_agent` property will be set to `true`. Every time a configuration is edited `applied_by_agent` is reset to `false`. + example: 0bc3b5ebf18fba8163fe4c96f491e3767a358f85 + type: string + service: + $ref: '#/components/schemas/APM_UI_service_object' + settings: + $ref: '#/components/schemas/APM_UI_settings_object' + required: + - service + - settings + - '@timestamp' + - etag + APM_UI_agent_configurations_response: + type: object + properties: + configurations: + description: Agent configuration + items: + $ref: '#/components/schemas/APM_UI_agent_configuration_object' + type: array + APM_UI_agent_keys_object: + type: object + properties: + name: + description: The name of the APM agent key. + type: string + privileges: + description: | + The APM agent key privileges. It can take one or more of the following values: + * `event:write`, which is required for ingesting APM agent events. * `config_agent:read`, which is required for APM agents to read agent configuration remotely. 
+ items: + enum: + - event:write + - config_agent:read type: string - responses: - '200': - content: - application/json: - examples: - scheduledQueryResultsExample: - summary: Example scheduled query results response - value: - data: - edges: - - _id: row-001 - fields: - host.uptime: - - '12345' - - _id: row-002 - fields: - host.uptime: - - '67890' - total: 2 - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_GetScheduledQueryResultsResponse - description: Indicates a successful call. - summary: Get scheduled query results - tags: - - Security Osquery API - x-state: Generally available; Added in 9.4.0 - /api/pinned_event: - patch: - description: Pin/unpin an event to/from an existing Timeline. - operationId: PersistPinnedEventRoute - requestBody: - content: - application/json: - examples: - pinEvent: - summary: Pin an event - value: - eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc - timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - schema: + type: array + required: + - name + - privileges + APM_UI_agent_keys_response: + type: object + properties: + agentKey: + description: Agent key + type: object + properties: + api_key: + type: string + encoded: + type: string + expiration: + format: int64 + type: integer + id: + type: string + name: + type: string + required: + - id + - name + - api_key + - encoded + APM_UI_annotation_search_response: + type: object + properties: + annotations: + description: Annotations + items: + type: object + properties: + '@timestamp': + type: number + id: + type: string + text: + type: string + type: + enum: + - version + type: string + type: array + APM_UI_base_source_map_object: + type: object + properties: + compressionAlgorithm: + description: Compression Algorithm + type: string + created: + description: Created date + type: string + decodedSha256: + description: Decoded SHA-256 + type: string + decodedSize: + description: Decoded size + type: number + encodedSha256: + description: Encoded SHA-256 + type: string + 
encodedSize: + description: Encoded size + type: number + encryptionAlgorithm: + description: Encryption Algorithm + type: string + id: + description: Identifier + type: string + identifier: + description: Identifier + type: string + packageName: + description: Package name + type: string + relative_url: + description: Relative URL + type: string + type: + description: Type + type: string + APM_UI_create_annotation_object: + type: object + properties: + '@timestamp': + description: The date and time of the annotation. It must be in ISO 8601 format. + type: string + message: + description: The message displayed in the annotation. It defaults to `service.version`. + type: string + service: + description: The service that identifies the configuration to create or update. + type: object + properties: + environment: + description: The environment of the service. + type: string + version: + description: The version of the service. + type: string + required: + - version + tags: + description: | + Tags are used by the Applications UI to distinguish APM annotations from other annotations. Tags may have additional functionality in future releases. It defaults to `[apm]`. While you can add additional tags, you cannot remove the `apm` tag. + items: + type: string + type: array + required: + - '@timestamp' + - service + APM_UI_create_annotation_response: + type: object + properties: + _id: + description: Identifier + type: string + _index: + description: Index + type: string + _source: + description: Response + type: object + properties: + '@timestamp': + type: string + annotation: type: object properties: - eventId: - description: The `_id` of the associated event for this pinned event. - example: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc - type: string - pinnedEventId: - description: The `savedObjectId` of the pinned event you want to unpin. 
- example: 10r1929b-0af7-42bd-85a8-56e234f98h2f3 - nullable: true + title: type: string - timelineId: - description: >- - The `savedObjectId` of the timeline that you want this - pinned event unpinned from. - example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + type: type: string - required: - - eventId - - timelineId - description: The pinned event to add or unpin, along with additional metadata. - required: true - responses: - '200': - content: - application/json: - examples: - pinnedSaved: - summary: Pinned event saved object - value: - eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc - pinnedEventId: 10r1929b-0af7-42bd-85a8-56e234f98h2f3 - timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - version: WzQ2LDFe - unpinned: - summary: Unpin response - value: - unpinned: true - schema: - $ref: >- - #/components/schemas/Security_Timeline_API_PersistPinnedEventResponse - description: Indicates a successful call. - summary: Pin/unpin an event - tags: - - Security Timeline API - - access:securitySolution - /api/risk_score/engine/dangerously_delete_data: - delete: - description: >- - Cleaning up the the Risk Engine by removing the indices, mapping and - transforms - operationId: CleanUpRiskEngine - responses: - '200': - content: - application/json: - examples: - CleanUpRiskEngineResponse: - summary: Successful cleanup response - value: - cleanup_successful: true - schema: - type: object - properties: - cleanup_successful: - type: boolean - description: Successful response - '400': - content: - application/json: - examples: - taskManagerUnavailable: - summary: Task manager is unavailable - value: - message: >- - Task Manager is unavailable, but is required by the risk - engine. Please enable the taskManager plugin and try - again. 
- status_code: 400 - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse - description: Task manager is unavailable - default: - content: - application/json: - examples: - cleanupFailed: - summary: Cleanup failed - value: - cleanup_successful: false - errors: - - error: Risk engine is disabled or deleted already. - seq: 1 - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_CleanUpRiskEngineErrorResponse - description: Unexpected error - summary: Cleanup the Risk Engine - tags: - - Security Entity Analytics API - /api/risk_score/engine/saved_object/configure: - patch: - description: Configuring the Risk Engine Saved Object - operationId: ConfigureRiskEngineSavedObject - requestBody: - content: - application/json: - examples: - ConfigureRiskEngineSavedObjectRequest: - summary: Configure the risk engine saved object - value: - enable_reset_to_zero: false - exclude_alert_statuses: - - closed - exclude_alert_tags: - - low-priority - filters: - - entity_types: - - host - - user - filter: 'host.name: *' - range: - end: now - start: now-30d - schema: + event: type: object properties: - enable_reset_to_zero: - type: boolean - exclude_alert_statuses: - items: - type: string - type: array - exclude_alert_tags: - items: - type: string - type: array - filters: - items: - type: object - properties: - entity_types: - items: - enum: - - host - - user - - service - type: string - type: array - filter: - description: KQL filter string - type: string - required: - - entity_types - - filter - type: array - page_size: - description: > - Number of entities to score per page. Higher values reduce - total scoring time by reducing the number of alert-index - scans, but cannot exceed the ES|QL result limit (10,000 by - default). 
- maximum: 10000 - minimum: 100 - type: integer - range: - type: object - properties: - end: - type: string - start: - type: string - required: true - responses: - '200': - content: - application/json: - examples: - ConfigureRiskEngineSavedObjectResponse: - summary: Successful configuration response - value: - risk_engine_saved_object_configured: true - schema: - type: object - properties: - risk_engine_saved_object_configured: - type: boolean - description: Successful response - '400': - content: - application/json: - examples: - taskManagerUnavailable: - summary: Task manager is unavailable - value: - message: >- - Task Manager is unavailable, but is required by the risk - engine. Please enable the taskManager plugin and try - again. - status_code: 400 - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse - description: Task manager is unavailable - default: - content: - application/json: - examples: - configureError: - summary: Configure saved object failed - value: - errors: - - error: Internal server error - seq: 1 - risk_engine_saved_object_configured: false - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_ConfigureRiskEngineSavedObjectErrorResponse - description: Unexpected error - summary: Configure the Risk Engine Saved Object - tags: - - Security Entity Analytics API - /api/risk_score/engine/schedule_now: - post: - description: >- - Schedule the risk scoring engine to run as soon as possible. You can use - this to recalculate entity risk scores after updating their asset - criticality. 
- operationId: ScheduleRiskEngineNow - requestBody: - content: - application/json: - examples: - emptyRequest: - summary: No request body - value: {} - schema: - type: object - responses: - '200': - content: - application/json: - examples: - ScheduleRiskEngineNowResponse: - summary: Successful schedule response - value: - success: true - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_RiskEngineScheduleNowResponse - description: Successful response - '400': - content: - application/json: - examples: - taskManagerUnavailable: - summary: Task manager is unavailable - value: - message: >- - Task Manager is unavailable, but is required by the risk - engine. Please enable the taskManager plugin and try - again. - status_code: 400 - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse - description: Task manager is unavailable - default: - content: - application/json: - examples: - scheduleNowError: - summary: Schedule now failed - value: - full_error: '{}' - message: Internal server error - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_RiskEngineScheduleNowErrorResponse - description: Unexpected error - summary: Run the risk scoring engine - tags: - - Security Entity Analytics API - /api/security_ai_assistant/anonymization_fields/_bulk_action: - post: - description: >- - Apply a bulk action to multiple anonymization fields. The bulk action is - applied to all anonymization fields that match the filter or to the list - of anonymization fields by their IDs. 
- operationId: PerformAnonymizationFieldsBulkAction - requestBody: - content: - application/json: - examples: - PerformAnonymizationFieldsBulkActionRequest: - value: - create: - - allowed: true - anonymized: false - field: host.name - - allowed: false - anonymized: true - field: user.name - delete: - ids: - - field5 - - field6 - query: 'field: host.name' - update: - - allowed: true - anonymized: false - id: field8 - - allowed: false - anonymized: true - id: field9 - schema: - example: - create: - - allowed: true - anonymized: false - field: host.name - - allowed: false - anonymized: true - field: user.name - delete: - ids: - - field5 - - field6 - query: 'field: host.name' - update: - - allowed: true - anonymized: false - id: field8 - - allowed: false - anonymized: true - id: field9 + created: + type: string + message: + type: string + service: type: object properties: - create: - description: Array of anonymization fields to create. - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldCreateProps - type: array - delete: - description: >- - Object containing the query to filter anonymization fields - and/or an array of anonymization field IDs to delete. - type: object - properties: - ids: - description: Array of IDs to apply the action to. - example: - - '1234' - - '5678' - items: - type: string - minItems: 1 - type: array - query: - description: Query to filter the bulk action. - example: 'status: ''inactive''' - type: string - update: - description: Array of anonymization fields to update. 
- items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldUpdateProps - type: array - responses: - '200': - content: - application/json: - examples: - PerformAnonymizationFieldsBulkActionResponse200Example: - value: - anonymization_fields_count: 4 - attributes: - results: - created: - - allowed: false - anonymized: true - createdAt: '2023-10-31T12:00:00Z' - createdBy: user1 - field: host.name - id: field2 - namespace: default - timestamp: '2023-10-31T12:00:00Z' - updatedAt: '2023-10-31T12:00:00Z' - updatedBy: user1 - deleted: - - field3 - skipped: - - id: field4 - name: user.name - skip_reason: ANONYMIZATION_FIELD_NOT_MODIFIED - updated: - - allowed: true - anonymized: false - createdAt: '2023-10-31T12:00:00Z' - createdBy: user1 - field: url.domain - id: field8 - namespace: default - timestamp: '2023-10-31T12:00:00Z' - updatedAt: '2023-10-31T12:00:00Z' - updatedBy: user1 - summary: - failed: 0 - skipped: 1 - succeeded: 3 - total: 4 - message: Bulk action completed successfully - status_code: 200 - success: true - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResponse - description: Indicates a successful call. - '400': - content: - application/json: - examples: - PerformAnonymizationFieldsBulkActionResponse400Example: - value: - error: Bad Request - message: Invalid request body - statusCode: 400 - schema: - type: object - properties: - error: - description: Error type or name. - type: string - message: - description: Detailed error message. - type: string - statusCode: - description: Status code of the response. - type: number - description: Bad Request response. 
- summary: Apply a bulk action to anonymization fields - tags: - - Security AI Assistant API - - Bulk API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request POST 'http://localhost:5601/api/security_ai_assistant/anonymization_fields/_bulk_action' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" \ - --data '{"create":[{"field":"host.name","allowed":true,"anonymized":false}]}' - /api/security_ai_assistant/anonymization_fields/_find: - get: - description: Get a list of all anonymization fields. - operationId: FindAnonymizationFields - parameters: - - description: Fields to return - example: - - id - - field - - anonymized - - allowed - in: query - name: fields - required: false - schema: - items: + environment: + type: string + name: + type: string + version: + type: string + tags: + items: + type: string + type: array + APM_UI_delete_agent_configurations_response: + type: object + properties: + result: + description: Result + type: string + APM_UI_delete_service_object: + description: Service + type: object + properties: + service: + $ref: '#/components/schemas/APM_UI_service_object' + required: + - service + APM_UI_search_agent_configuration_object: + type: object + properties: + error: + description: | + If provided, the agent configuration will be marked as error and `applied_by_agent` will be set to `false`. + This is useful for cases where the agent configuration was not applied successfully. + type: string + etag: + description: If etags match then `applied_by_agent` field will be set to `true` + example: 0bc3b5ebf18fba8163fe4c96f491e3767a358f85 + type: string + mark_as_applied_by_agent: + description: | + `markAsAppliedByAgent=true` means "force setting it to true regardless of etag". 
+ This is needed for Jaeger agent that doesn't have etags + type: boolean + service: + $ref: '#/components/schemas/APM_UI_service_object' + required: + - service + APM_UI_search_agent_configuration_response: + type: object + properties: + _id: + description: Identifier + type: string + _index: + description: Index + type: string + _score: + description: Score + type: number + _source: + $ref: '#/components/schemas/APM_UI_agent_configuration_object' + APM_UI_service_agent_name_response: + type: object + properties: + agentName: + description: Agent name + example: nodejs + type: string + APM_UI_service_environment_object: + type: object + properties: + alreadyConfigured: + description: Already configured + type: boolean + name: + description: Service environment name + example: ALL_OPTION_VALUE + type: string + APM_UI_service_environments_response: + type: object + properties: + environments: + description: Service environment list + items: + $ref: '#/components/schemas/APM_UI_service_environment_object' + type: array + APM_UI_service_object: + description: Service + type: object + properties: + environment: + description: The environment of the service. + example: prod + type: string + name: + description: The name of the service. 
+ example: node + type: string + APM_UI_settings_object: + additionalProperties: + type: string + description: Agent configuration settings + type: object + APM_UI_single_agent_configuration_response: + allOf: + - type: object + properties: + id: type: string - type: array - - description: Search query - example: 'field: "user.name"' - in: query - name: filter - required: false - schema: - type: string - - description: Field to sort by - example: created_at - in: query - name: sort_field - required: false - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_FindAnonymizationFieldsSortField - - description: Sort order - example: asc - in: query - name: sort_order - required: false - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' - - description: Page number - example: 1 - in: query - name: page - required: false - schema: - default: 1 - minimum: 1 - type: integer - - description: AnonymizationFields per page - example: 20 - in: query - name: per_page - required: false - schema: - default: 20 - minimum: 0 - type: integer - - description: >- - If true, additionally fetch all anonymization fields, otherwise - fetch only the provided page - in: query - name: all_data - required: false - schema: - type: boolean - responses: - '200': - content: - application/json: - examples: - FindAnonymizationFieldsResponse200Example: - value: - aggregations: - field_status: - buckets: - allowed: - doc_count: 1 - anonymized: - doc_count: 1 - denied: - doc_count: 1 - all: - - allowed: true - anonymized: true - createdAt: '2023-10-31T12:00:00Z' - createdBy: user1 - field: user.name - id: '1' - namespace: default - timestamp: '2023-10-31T12:00:00Z' - updatedAt: '2023-10-31T12:00:00Z' - updatedBy: user1 - data: - - allowed: true - anonymized: true - createdAt: '2023-10-31T12:00:00Z' - createdBy: user1 - field: user.name - id: '1' - namespace: default - timestamp: '2023-10-31T12:00:00Z' - updatedAt: '2023-10-31T12:00:00Z' - updatedBy: user1 - 
page: 1 - perPage: 20 - total: 100 - schema: - type: object + required: + - id + - $ref: '#/components/schemas/APM_UI_agent_configuration_object' + APM_UI_source_maps_response: + type: object + properties: + artifacts: + description: Artifacts + items: + allOf: + - type: object properties: - aggregations: + body: type: object properties: - field_status: + bundleFilepath: + type: string + serviceName: + type: string + serviceVersion: + type: string + sourceMap: type: object properties: - buckets: - type: object - properties: - allowed: - type: object - properties: - doc_count: - default: 0 - type: integer - anonymized: - type: object - properties: - doc_count: - default: 0 - type: integer - denied: - type: object - properties: - doc_count: - default: 0 - type: integer - all: - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse - type: array - data: - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse - type: array - page: - type: integer - perPage: - type: integer - total: - type: integer - required: - - page - - perPage - - total - - data - description: Indicates a successful call. - '400': - content: - application/json: - examples: - FindAnonymizationFieldsResponse400Example: - value: - error: Bad Request - message: Invalid request parameters - statusCode: 400 - schema: - type: object - properties: - error: - type: string - message: - type: string - statusCode: - type: number - description: Bad Request response. - summary: Get anonymization fields - tags: - - Security AI Assistant API - - AnonymizationFields API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request GET 'http://localhost:5601/api/security_ai_assistant/anonymization_fields/_find?page=1&per_page=20' \ - --header "Authorization: $API_KEY" - /api/security_ai_assistant/chat/complete: - post: - description: Create a model response for the given chat conversation. 
- operationId: ChatComplete - parameters: - - description: If true, the response will not include content references. - example: false - in: query - name: content_references_disabled - required: false - schema: - default: false - type: boolean - requestBody: - content: - application/json: - examples: - ChatCompleteRequest: - value: - connectorId: conn-001 - conversationId: abc123 - isStream: true - langSmithApiKey: - langSmithProject: security_ai_project - messages: - - content: What are some common phishing techniques? - data: - user_id: user_789 - fields_to_anonymize: - - user.name - - source.ip - role: user - model: gpt-4 - persist: true - promptId: prompt_456 - responseLanguage: en - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_ChatCompleteProps' - required: true - responses: - '200': - content: - application/octet-stream: - examples: - ChatCompleteResponse200Example: - value: (streaming binary response) - schema: - format: binary + file: + type: string + mappings: + type: string + sourceRoot: + type: string + sources: + items: + type: string + type: array + sourcesContent: + items: + type: string + type: array + version: + type: number + - $ref: '#/components/schemas/APM_UI_base_source_map_object' + type: array + APM_UI_upload_source_map_object: + type: object + properties: + bundle_filepath: + description: The absolute path of the final bundle as used in the web application. + type: string + service_name: + description: The name of the service that the service map should apply to. + type: string + service_version: + description: The version of the service that the service map should apply to. + type: string + sourcemap: + description: | + The source map. It can be a string or file upload. It must follow the + [source map format specification](https://tc39.es/ecma426/). 
+ format: binary + type: string + required: + - service_name + - service_version + - bundle_filepath + - sourcemap + APM_UI_upload_source_maps_response: + allOf: + - type: object + properties: + body: + type: string + - $ref: '#/components/schemas/APM_UI_base_source_map_object' + Data_views_400_response: + title: Bad request + type: object + properties: + error: + example: Bad Request + type: string + message: + type: string + statusCode: + example: 400 + type: number + required: + - statusCode + - error + - message + Data_views_404_response: + type: object + properties: + error: + enum: + - Not Found + example: Not Found + type: string + message: + example: Saved object [index-pattern/caaad6d0-920c-11ed-b36a-874bd1548a00] not found + type: string + statusCode: + enum: + - 404 + example: 404 + type: integer + Data_views_allownoindex: + description: Allows the data view saved object to exist before the data is available. Defaults to `false`. + type: boolean + Data_views_create_data_view_request_object: + title: Create data view request + type: object + properties: + data_view: + description: The data view object. + type: object + properties: + allowNoIndex: + $ref: '#/components/schemas/Data_views_allownoindex' + fieldAttrs: + additionalProperties: + $ref: '#/components/schemas/Data_views_fieldattrs' + type: object + fieldFormats: + $ref: '#/components/schemas/Data_views_fieldformats' + fields: + type: object + id: + type: string + name: + description: The data view name. 
+ type: string + namespaces: + $ref: '#/components/schemas/Data_views_namespaces' + runtimeFieldMap: + additionalProperties: + $ref: '#/components/schemas/Data_views_runtimefieldmap' + type: object + sourceFilters: + $ref: '#/components/schemas/Data_views_sourcefilters' + timeFieldName: + $ref: '#/components/schemas/Data_views_timefieldname' + title: + $ref: '#/components/schemas/Data_views_title' + type: + $ref: '#/components/schemas/Data_views_type' + typeMeta: + $ref: '#/components/schemas/Data_views_typemeta' + version: + type: string + required: + - title + override: + default: false + description: Override an existing data view if a data view with the provided title already exists. + type: boolean + required: + - data_view + Data_views_data_view_response_object: + title: Data view response properties + type: object + properties: + data_view: + type: object + properties: + allowNoIndex: + $ref: '#/components/schemas/Data_views_allownoindex' + fieldAttrs: + additionalProperties: + $ref: '#/components/schemas/Data_views_fieldattrs' + type: object + fieldFormats: + $ref: '#/components/schemas/Data_views_fieldformats' + fields: + type: object + id: + example: ff959d40-b880-11e8-a6d9-e546fe2bba5f + type: string + name: + description: The data view name. + type: string + namespaces: + $ref: '#/components/schemas/Data_views_namespaces' + runtimeFieldMap: + additionalProperties: + $ref: '#/components/schemas/Data_views_runtimefieldmap' + type: object + sourceFilters: + $ref: '#/components/schemas/Data_views_sourcefilters' + timeFieldName: + $ref: '#/components/schemas/Data_views_timefieldname' + title: + $ref: '#/components/schemas/Data_views_title' + typeMeta: + $ref: '#/components/schemas/Data_views_typemeta_response' + version: + example: WzQ2LDJd + type: string + Data_views_fieldattrs: + description: A map of field attributes by field name. + type: object + properties: + count: + description: Popularity count for the field. 
+ type: integer + customDescription: + description: Custom description for the field. + maxLength: 300 + type: string + customLabel: + description: Custom label for the field. + type: string + Data_views_fieldformats: + description: A map of field formats by field name. + type: object + Data_views_namespaces: + description: An array of space identifiers for sharing the data view between multiple spaces. + items: + default: default + type: string + type: array + Data_views_runtimefieldmap: + description: A map of runtime field definitions by field name. + type: object + properties: + script: + type: object + properties: + source: + description: Script for the runtime field. + type: string + type: + description: Mapping type of the runtime field. + type: string + required: + - script + - type + Data_views_sourcefilters: + description: The array of field names you want to filter out in Discover. + items: + type: object + properties: + value: + type: string + required: + - value + type: array + Data_views_swap_data_view_request_object: + title: Data view reference swap request + type: object + properties: + delete: + description: Deletes referenced saved object if all references are removed. + type: boolean + forId: + description: Limit the affected saved objects to one or more by identifier. + oneOf: + - type: string + - items: + type: string + type: array + forType: + description: Limit the affected saved objects by type. + type: string + fromId: + description: The saved object reference to change. + type: string + fromType: + description: | + Specify the type of the saved object reference to alter. The default value is `index-pattern` for data views. + type: string + toId: + description: New saved object reference value to replace the old value. + type: string + required: + - fromId + - toId + Data_views_timefieldname: + description: The timestamp field name, which you use for time-based data views. 
+ type: string + Data_views_title: + description: Comma-separated list of data streams, indices, and aliases that you want to search. Supports wildcards (`*`). + type: string + Data_views_type: + description: When set to `rollup`, identifies the rollup data views. + type: string + Data_views_typemeta: + description: When you use rollup indices, contains the field list for the rollup data view API endpoints. + type: object + properties: + aggs: + description: A map of rollup restrictions by aggregation type and field name. + type: object + params: + description: Properties for retrieving rollup fields. + type: object + required: + - aggs + - params + Data_views_typemeta_response: + description: When you use rollup indices, contains the field list for the rollup data view API endpoints. + nullable: true + type: object + properties: + aggs: + description: A map of rollup restrictions by aggregation type and field name. + type: object + params: + description: Properties for retrieving rollup fields. + type: object + Data_views_update_data_view_request_object: + title: Update data view request + type: object + properties: + data_view: + description: | + The data view properties you want to update. Only the specified properties are updated in the data view. Unspecified fields stay as they are persisted. 
+ type: object + properties: + allowNoIndex: + $ref: '#/components/schemas/Data_views_allownoindex' + fieldFormats: + $ref: '#/components/schemas/Data_views_fieldformats' + fields: + type: object + name: + type: string + runtimeFieldMap: + additionalProperties: + $ref: '#/components/schemas/Data_views_runtimefieldmap' + type: object + sourceFilters: + $ref: '#/components/schemas/Data_views_sourcefilters' + timeFieldName: + $ref: '#/components/schemas/Data_views_timefieldname' + title: + $ref: '#/components/schemas/Data_views_title' + type: + $ref: '#/components/schemas/Data_views_type' + typeMeta: + $ref: '#/components/schemas/Data_views_typemeta' + refresh_fields: + default: false + description: Reloads the data view fields after the data view is updated. + type: boolean + required: + - data_view + Kibana_HTTP_APIs_action_id_response: + additionalProperties: false + properties: + actionId: + type: string + required: + - actionId + title: action_id_response + type: object + Kibana_HTTP_APIs_action_message_response: + additionalProperties: false + properties: + message: + type: string + required: + - message + title: action_message_response + type: object + Kibana_HTTP_APIs_agent_policy_response: + additionalProperties: false + properties: + advanced_settings: + additionalProperties: false + type: object + properties: + agent_download_target_directory: + nullable: true + agent_download_timeout: + nullable: true + agent_features_disable_policy_change_acks_enabled: + nullable: true + agent_internal: + nullable: true + agent_limits_go_max_procs: + nullable: true + agent_logging_files_interval: + nullable: true + agent_logging_files_keepfiles: + nullable: true + agent_logging_files_rotateeverybytes: + nullable: true + agent_logging_level: + nullable: true + agent_logging_metrics_period: + nullable: true + agent_logging_to_files: + nullable: true + agent_monitoring_runtime_experimental: + nullable: true + agent_features: + items: + additionalProperties: false + type: 
object + properties: + enabled: + type: boolean + name: type: string - description: Indicates a successful model response call. - '400': - content: - application/json: - examples: - ChatCompleteResponse400Example: - value: - error: Bad Request - message: Invalid request payload. - statusCode: 400 - schema: - type: object - properties: - error: - description: Error type. - example: Bad Request - type: string - message: - description: Human-readable error message. - example: Invalid request payload. - type: string - statusCode: - description: HTTP status code. - example: 400 - type: number - description: Bad Request response. - summary: Create a model response - tags: - - Security AI Assistant API - - Chat Complete API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request POST 'http://localhost:5601/api/security_ai_assistant/chat/complete' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" \ - --data '{"connectorId":"conn-001","persist":true,"messages":[{"role":"user","content":"What are common phishing techniques?"}]}' - /api/security_ai_assistant/current_user/conversations: - delete: - description: This endpoint allows users to permanently delete all conversations. - operationId: DeleteAllConversations - requestBody: - content: - application/json: - examples: - DeleteAllConversationsRequest: - value: - excludedIds: - - abc123 - - def456 - schema: + required: + - name + - enabled + maxItems: 100 + type: array + agentless: + additionalProperties: false + type: object + properties: + cloud_connectors: + additionalProperties: false type: object properties: - excludedIds: - description: Optional list of conversation IDs to delete. 
- example: - - abc123 - - def456 - items: - type: string - type: array - required: false - responses: - '200': - content: - application/json: - examples: - DeleteAllConversationsResponse200Example: - value: - failures: [] - success: true - totalDeleted: 10 - schema: - type: object - properties: - failures: - items: + enabled: + type: boolean + target_csp: + enum: + - aws + - azure + - gcp + type: string + required: + - enabled + cluster_id: + type: string + resources: + additionalProperties: false + type: object + properties: + requests: + additionalProperties: false + type: object + properties: + cpu: type: string - type: array - success: - example: true - type: boolean - totalDeleted: - example: 10 - type: number - description: >- - Indicates a successful call. The conversations were deleted - successfully. - '400': - content: - application/json: - examples: - DeleteAllConversationsResponse400Example: - value: - error: Bad Request - message: Invalid conversation ID - statusCode: 400 - schema: - type: object - properties: - error: - example: Bad Request - type: string - message: - example: Invalid conversation ID - type: string - statusCode: - example: 400 - type: number - description: Bad Request response. - summary: Delete conversations - tags: - - Security AI Assistant API - - Conversation API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request DELETE 'http://localhost:5601/api/security_ai_assistant/current_user/conversations' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" \ - --data '{"excludedIds":["abc123"]}' - post: - description: >- - Create a new Security AI Assistant conversation. This endpoint allows - the user to initiate a conversation with the Security AI Assistant by - providing the required parameters. 
- operationId: CreateConversation - requestBody: - content: - application/json: - examples: - CreateConversationRequest: - value: - apiConfig: - actionTypeId: '67890' - connectorId: '12345' - category: assistant - excludeFromLastConversationStorage: false - messages: - - content: Hello, how can I assist you today? - role: system - timestamp: '2023-10-31T12:00:00Z' - replacements: {} - title: Security Discussion - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_ConversationCreateProps - required: true - responses: - '200': - content: - application/json: - examples: - CreateConversationResponse200Example: - value: - apiConfig: - actionTypeId: '67890' - connectorId: '12345' - category: assistant - createdAt: '2023-10-31T12:01:00Z' - createdBy: - id: user1 - name: John Doe - excludeFromLastConversationStorage: false - id: abc123 - messages: - - content: Hello, how can I assist you today? - role: system - timestamp: '2023-10-31T12:00:00Z' - namespace: default - replacements: {} - title: Security Discussion - updatedAt: '2023-10-31T12:01:00Z' - users: - - id: user1 - name: John Doe - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_ConversationResponse - description: >- - Indicates a successful call. The conversation was created - successfully. - '400': - content: - application/json: - examples: - CreateConversationResponse400Example: - value: - error: Bad Request - message: 'Missing required parameter: title' - statusCode: 400 - schema: - type: object - properties: - error: - example: Bad Request - type: string - message: - example: 'Missing required parameter: title' - type: string - statusCode: - example: 400 - type: number - description: Bad Request response. 
- summary: Create a conversation - tags: - - Security AI Assistant API - - Conversation API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request POST 'http://localhost:5601/api/security_ai_assistant/current_user/conversations' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" \ - --data '{"title":"Security Discussion","category":"assistant","messages":[{"content":"Hello","role":"system","timestamp":"2023-10-31T12:00:00Z"}],"apiConfig":{"connectorId":"12345","actionTypeId":"67890"},"replacements":{},"excludeFromLastConversationStorage":false}' - /api/security_ai_assistant/current_user/conversations/_find: - get: - description: >- - Get a list of all conversations for the current user. This endpoint - allows users to search, filter, sort, and paginate through their - conversations. - operationId: FindConversations - parameters: - - description: >- - A list of fields to include in the response. If omitted, all fields - are returned. - in: query - name: fields - required: false - schema: - example: - - id + memory: + type: string + agents: + type: number + agents_per_version: + items: + additionalProperties: false + type: object + properties: + count: + type: number + version: + type: string + required: + - version + - count + maxItems: 1000 + type: array + created_at: + type: string + data_output_id: + nullable: true + type: string + description: + type: string + download_source_id: + nullable: true + type: string + fips_agents: + type: number + fleet_server_host_id: + nullable: true + type: string + global_data_tags: + description: User defined data tags that are added to all of the inputs. The values can be strings or numbers. 
+ items: + additionalProperties: false + type: object + properties: + name: + type: string + value: + anyOf: + - type: string + - type: number + required: + - name + - value + maxItems: 100 + type: array + has_agent_version_conditions: + type: boolean + has_fleet_server: + type: boolean + id: + type: string + inactivity_timeout: + default: 1209600 + minimum: 0 + type: number + is_default: + type: boolean + is_default_fleet_server: + type: boolean + is_managed: + type: boolean + is_preconfigured: + type: boolean + is_protected: + description: Indicates whether the agent policy has tamper protection enabled. Defaults to `false`. + type: boolean + is_verifier: + type: boolean + keep_monitoring_alive: + default: false + description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled + nullable: true + type: boolean + min_agent_version: + nullable: true + type: string + monitoring_diagnostics: + additionalProperties: false + type: object + properties: + limit: + additionalProperties: false + type: object + properties: + burst: + type: number + interval: + type: string + uploader: + additionalProperties: false + type: object + properties: + init_dur: + type: string + max_dur: + type: string + max_retries: + type: number + monitoring_enabled: + items: + enum: + - logs + - metrics + - traces + type: string + maxItems: 3 + type: array + monitoring_http: + additionalProperties: false + type: object + properties: + buffer: + additionalProperties: false + type: object + properties: + enabled: + default: false + type: boolean + enabled: + type: boolean + host: + type: string + port: + maximum: 65353 + minimum: 0 + type: number + monitoring_output_id: + nullable: true + type: string + monitoring_pprof_enabled: + type: boolean + name: + minLength: 1 + type: string + namespace: + minLength: 1 + type: string + overrides: + additionalProperties: + nullable: true + description: Override settings that are defined in the agent policy. 
Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure. + nullable: true + type: object + package_agent_version_conditions: + items: + additionalProperties: false + type: object + properties: + name: + type: string + title: + type: string + version_condition: + type: string + required: + - name - title - - createdAt - items: - type: string - type: array - - description: >- - A search query to filter the conversations. Can match against - titles, messages, or other conversation attributes. - in: query - name: filter - required: false - schema: - example: Security Issue + - version_condition + maxItems: 1000 + nullable: true + type: array + package_policies: + anyOf: + - items: + type: string + maxItems: 10000 + type: array + - description: This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the `?full=true` parameter + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_response' + maxItems: 10000 + type: array + required_versions: + items: + additionalProperties: false + type: object + properties: + percentage: + description: Target percentage of agents to auto upgrade + maximum: 100 + minimum: 0 + type: number + version: + description: Target version for automatic agent upgrade + type: string + required: + - version + - percentage + maxItems: 100 + nullable: true + type: array + revision: + type: number + schema_version: + type: string + space_ids: + items: type: string - - description: >- - The field by which to sort the results. Valid fields are - `created_at`, `title`, and `updated_at`. - in: query - name: sort_field - required: false - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_FindConversationsSortField - example: created_at - - description: >- - The order in which to sort the results. Can be either `asc` for - ascending or `desc` for descending. 
- in: query - name: sort_order - required: false - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' - example: desc - - description: The page number of the results to retrieve. Default is 1. - in: query - name: page - required: false - schema: - default: 1 - example: 1 - minimum: 1 - type: integer - - description: The number of conversations to return per page. Default is 20. - in: query - name: per_page - required: false - schema: - default: 20 - example: 20 - minimum: 0 - type: integer - - description: >- - Whether to return conversations that the current user owns. If true, - only conversations owned by the user are returned. - in: query - name: is_owner - required: false - schema: - default: false - example: true - type: boolean - responses: - '200': - content: - application/json: - examples: - FindConversationsResponse200Example: - value: - data: - - category: assistant - createdAt: '2023-10-31T12:00:00Z' - createdBy: - id: user1 - name: John Doe - excludeFromLastConversationStorage: false - id: conv-abc123 - messages: [] - namespace: default - replacements: {} - title: Security Discussion - updatedAt: '2023-10-31T12:05:00Z' - users: - - id: user1 - name: John Doe - page: 1 - perPage: 20 - total: 5 - schema: + maxItems: 100 + type: array + status: + enum: + - active + - inactive + type: string + supports_agentless: + default: false + description: Indicates whether the agent policy supports agentless integrations. 
+ nullable: true + type: boolean + unenroll_timeout: + minimum: 0 + type: number + unprivileged_agents: + type: number + updated_at: + type: string + updated_by: + type: string + version: + type: string + required: + - id + - name + - namespace + - is_protected + - status + - updated_at + - updated_by + - revision + title: agent_policy_response + type: object + Kibana_HTTP_APIs_aiops_change_point_chart: + additionalProperties: false + description: Change point detection chart embeddable schema + properties: + aggregation_function: + default: avg + description: The aggregation function used to calculate the metric values. + enum: + - avg + - sum + - min + - max + type: string + data_view_id: + description: The data view ID used to run change point detection. + minLength: 1 + type: string + description: + type: string + hide_border: + type: boolean + hide_title: + type: boolean + max_series_to_plot: + default: 6 + description: The maximum number of change points to visualize. Defaults to 6. + maximum: 50 + minimum: 1 + type: number + metric_field: + description: The metric field used by the aggregation function. + minLength: 1 + type: string + partitions: + description: Optional split field values to include in the panel. + items: + minLength: 1 + type: string + maxItems: 10000 + type: array + split_field: + description: The optional field used to split change point results. + minLength: 1 + type: string + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + view_type: + default: charts + description: The type of change point detection view to display. + enum: + - charts + - table + type: string + required: + - data_view_id + - metric_field + title: aiops_change_point_chart + type: object + Kibana_HTTP_APIs_alerts_filter_query: + additionalProperties: false + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). 
+ type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false type: object properties: - data: - description: A list of conversations. - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_ConversationResponse - type: array - page: - description: The current page of the results. - example: 1 - type: integer - perPage: - description: The number of results returned per page. - example: 20 - type: integer - total: - description: >- - The total number of conversations matching the filter - criteria. - example: 100 - type: integer + store: + description: A filter can be either specific to an application context or applied globally. + enum: + - appState + - globalState + type: string required: - - page - - perPage - - total - - data - description: >- - Successful response, returns a paginated list of conversations - matching the specified criteria. - '400': - content: - application/json: - examples: - FindConversationsResponse400Example: - value: - error: Bad Request - message: Invalid filter parameter. - statusCode: 400 - schema: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). 
+ type: string + required: + - kql + - filters + title: alerts_filter_query + type: object + Kibana_HTTP_APIs_apm-anomaly-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_alert_delay' + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false type: object properties: - error: - example: Bad Request - type: string - message: - example: Invalid filter query parameter + id: type: string - statusCode: - example: 400 - type: number - description: Bad Request response. - summary: Get conversations - tags: - - Security AI Assistant API - - Conversations API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request GET 'http://localhost:5601/api/security_ai_assistant/current_user/conversations/_find?page=1&per_page=20' \ - --header "Authorization: $API_KEY" - /api/security_ai_assistant/current_user/conversations/{id}: - delete: - description: >- - Delete an existing conversation using the conversation ID. This endpoint - allows users to permanently delete a conversation. - operationId: DeleteConversation - parameters: - - description: The conversation's `id` value. - example: abc123 - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' - responses: - '200': - content: - application/json: - examples: - DeleteConversationResponse200Example: - value: - apiConfig: - actionTypeId: '67890' - connectorId: '12345' - category: assistant - createdAt: '2023-10-31T12:01:00Z' - createdBy: - id: user1 - name: John Doe - excludeFromLastConversationStorage: false - id: abc123 - messages: - - content: The conversation has been deleted. 
- role: system - timestamp: '2023-10-31T12:35:00Z' - namespace: default - replacements: {} - title: Deleted Security Discussion - updatedAt: '2023-10-31T12:01:00Z' - users: - - id: user1 - name: John Doe - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_ConversationResponse - description: >- - Indicates a successful call. The conversation was deleted - successfully. - '400': - content: - application/json: - examples: - DeleteConversationResponse400Example: - value: - error: Bad Request - message: Invalid conversation ID - statusCode: 400 - schema: + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the APM anomaly rule. These parameters are appropriate when `rule_type_id` is `apm.anomaly"`. + properties: + anomalyDetectorTypes: + description: The types of anomalies that are detected. For example, detect abnormal latency, throughput, or failed transaction rates. + items: + enum: + - txLatency + - txThroughput + - txFailureRate + type: string + minItems: 1 + type: array + anomalySeverityType: + description: 'The severity of anomalies that result in an alert: critical, major, minor, or warning.' + enum: + - critical + - major + - minor + - warning + type: string + environment: + description: The environment from APM. + type: string + serviceName: + description: The service name from APM. + type: string + transactionType: + description: The transaction type from APM. + type: string + windowSize: + description: The size of the time window (in `windowUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection. + type: number + windowUnit: + description: 'The type of units for the time window: minutes, hours, or days.' + type: string + required: + - windowSize + - windowUnit + - environment + - anomalySeverityType + title: APM Anomaly Rule Params + type: object + rule_type_id: + enum: + - apm.anomaly + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. 
+ items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: APM anomaly + type: object + Kibana_HTTP_APIs_apm-error-rate-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_alert_delay' + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false type: object properties: - error: - example: Bad Request - type: string - message: - example: Invalid conversation ID + id: type: string - statusCode: - example: 400 - type: number - description: Bad Request response. - summary: Delete a conversation - tags: - - Security AI Assistant API - - Conversation API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request DELETE 'http://localhost:5601/api/security_ai_assistant/current_user/conversations/abc123' \ - --header "Authorization: $API_KEY" - get: - description: >- - Get the details of an existing conversation using the conversation ID. - This allows users to fetch the specific conversation data by its unique - ID. - operationId: ReadConversation - parameters: - - description: >- - The conversation's `id` value, a unique identifier for the - conversation. 
- example: abc123 - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' - responses: - '200': - content: - application/json: - examples: - ReadConversationResponse200Example: - value: - apiConfig: - actionTypeId: '67890' - connectorId: '12345' - category: assistant - createdAt: '2023-10-31T12:01:00Z' - createdBy: - id: user1 - name: John Doe - excludeFromLastConversationStorage: false - id: abc123 - messages: - - content: Hello, how can I assist you today? - role: system - timestamp: '2023-10-31T12:00:00Z' - namespace: default - replacements: {} - title: Security Discussion - updatedAt: '2023-10-31T12:01:00Z' - users: - - id: user1 - name: John Doe - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_ConversationResponse - description: Indicates a successful call. The conversation details are returned. - '400': - content: - application/json: - examples: - ReadConversationResponse400Example: - value: - error: Bad Request - message: Invalid conversation ID - statusCode: 400 - schema: + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. 
+ type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the error count rule. These parameters are appropriate when `rule_type_id` is `apm.error_rate`. + properties: + environment: + description: Filter the errors coming from your application to apply the rule to a specific environment. + type: string + errorGroupingKey: + description: Filter the errors coming from your application to apply the rule to a specific error grouping key, which is a hash of the stack trace and other properties. + type: string + groupBy: + items: + description: Perform a composite aggregation against the selected fields. When any of these groups match the selected rule conditions, an alert is triggered per group. 
+ type: string + type: array + searchConfiguration: + additionalProperties: false + type: object + properties: + query: + additionalProperties: false + type: object + properties: + language: + type: string + query: + anyOf: + - type: string + - additionalProperties: + nullable: true + type: object + required: + - query + - language + required: + - query + serviceName: + description: Filter the errors coming from your application to apply the rule to a specific service. + type: string + threshold: + description: The number of errors, which is the threshold for alerts. + type: number + useKqlFilter: + description: A filter in Kibana Query Language (KQL) that limits the scope of the rule. + type: boolean + windowSize: + description: The time frame in which the errors must occur (in `windowUnit` units). Generally it should be a value higher than the rule check interval to avoid gaps in detection. + type: number + windowUnit: + description: 'The type of units for the time window: minutes, hours, or days.' + type: string + required: + - windowSize + - windowUnit + - threshold + - environment + title: Error Count Rule Params + type: object + rule_type_id: + enum: + - apm.error_rate + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Error rate + type: object + Kibana_HTTP_APIs_apm-service-map-embeddable: + additionalProperties: false + description: APM service map embeddable schema + properties: + description: + type: string + environment: + default: ENVIRONMENT_ALL + type: string + hide_border: + type: boolean + hide_title: + type: boolean + kuery: + type: string + service_group_id: + type: string + service_name: + type: string + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + title: apm-service-map-embeddable + type: object + Kibana_HTTP_APIs_apm-transaction-duration-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_alert_delay' + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false type: object properties: - error: - example: Bad Request + id: type: string - message: - example: Invalid conversation ID + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. 
While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the transaction duration rule. These parameters are appropriate when `rule_type_id` is `apm.transaction_duration`. + properties: + aggregationType: + description: The type of aggregation to perform. + enum: + - avg + - 95th + - 99th + type: string + environment: + description: Filter the rule to apply to a specific environment. + type: string + groupBy: + items: + description: Perform a composite aggregation against the selected fields. When any of these groups match the selected rule conditions, an alert is triggered per group. + type: string + type: array + searchConfiguration: + additionalProperties: false + type: object + properties: + query: + additionalProperties: false + type: object + properties: + language: + type: string + query: + anyOf: + - type: string + - additionalProperties: + nullable: true + type: object + required: + - query + - language + required: + - query + serviceName: + description: Filter the rule to apply to a specific service. 
+ type: string + threshold: + description: The latency threshold value. + type: number + transactionName: + description: Filter the rule to apply to a specific transaction name. + type: string + transactionType: + description: Filter the rule to apply to a specific transaction type. + type: string + useKqlFilter: + description: A Kibana Query Language (KQL) expression thats limits the scope of alerts. + type: boolean + windowSize: + description: The size of the time window (in `windowUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection. + type: number + windowUnit: + description: 'The type of units for the time window. For example: minutes, hours, or days.' + type: string + required: + - windowSize + - windowUnit + - threshold + - aggregationType + - environment + title: Transaction Duration Rule Params + type: object + rule_type_id: + enum: + - apm.transaction_duration + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Transaction duration + type: object + Kibana_HTTP_APIs_apm-transaction-error-rate-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_alert_delay' + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: type: string - statusCode: - example: 400 - type: number - description: Bad Request response. - summary: Get a conversation - tags: - - Security AI Assistant API - - Conversations API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request GET 'http://localhost:5601/api/security_ai_assistant/current_user/conversations/abc123' \ - --header "Authorization: $API_KEY" - put: - description: >- - Update an existing conversation using the conversation ID. This endpoint - allows users to modify the details of an existing conversation. - operationId: UpdateConversation - parameters: - - description: The conversation's `id` value. - example: abc123 - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' - requestBody: - content: - application/json: - examples: - UpdateConversationRequest: - value: - apiConfig: - actionTypeId: '09876' - connectorId: '54321' - category: insights - excludeFromLastConversationStorage: true - messages: - - content: The issue was resolved. 
- role: assistant - timestamp: '2023-10-31T12:30:00Z' - replacements: {} - title: Updated Security Discussion - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_ConversationUpdateProps - required: true - responses: - '200': - content: - application/json: - examples: - UpdateConversationResponse200Example: - value: - apiConfig: - actionTypeId: '09876' - connectorId: '54321' - category: insights - createdAt: '2023-10-31T12:01:00Z' - createdBy: - id: user1 - name: John Doe - excludeFromLastConversationStorage: true - id: abc123 - messages: - - content: The issue was resolved. - role: assistant - timestamp: '2023-10-31T12:30:00Z' - namespace: default - replacements: {} - title: Updated Security Discussion - updatedAt: '2023-10-31T12:31:00Z' - users: - - id: user1 - name: John Doe - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_ConversationResponse - description: >- - Indicates a successful call. The conversation was updated - successfully. - '400': - content: - application/json: - examples: - UpdateConversationResponse400Example: - value: - error: Bad Request - message: 'Missing required field: title' - statusCode: 400 - schema: + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. 
While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the transaction error rate rule. These parameters are appropriate when `rule_type_id` is `apm.transaction_error_rate`. 
+ properties: + environment: + type: string + groupBy: + items: + type: string + type: array + searchConfiguration: + additionalProperties: false + type: object + properties: + query: + additionalProperties: false + type: object + properties: + language: + type: string + query: + anyOf: + - type: string + - additionalProperties: + nullable: true + type: object + required: + - query + - language + required: + - query + serviceName: + type: string + threshold: + type: number + transactionName: + type: string + transactionType: + type: string + useKqlFilter: + type: boolean + windowSize: + type: number + windowUnit: + type: string + required: + - windowSize + - windowUnit + - threshold + - environment + title: Transaction Error Rate Rule Params + type: object + rule_type_id: + enum: + - apm.transaction_error_rate + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Transaction error rate + type: object + Kibana_HTTP_APIs_autoColor: + additionalProperties: false + description: Coloring determined at runtime based on chart defaults + properties: + type: + enum: + - auto + type: string + required: + - type + title: Auto Color + type: object + Kibana_HTTP_APIs_backfill_error_response: + additionalProperties: false + properties: + error: + additionalProperties: false + type: object + properties: + message: + type: string + rule: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + required: + - id + status: + type: number + required: + - message + - rule + required: + - error + title: backfill_error_response + type: object + Kibana_HTTP_APIs_backfill_response: + additionalProperties: false + properties: + created_at: + type: string + duration: + type: string + enabled: + type: boolean + end: + type: string + id: + type: string + initiator: + enum: + - user + - system + type: string + initiator_id: + type: string + rule: + additionalProperties: false + type: object + properties: + api_key_created_by_user: + nullable: true + type: boolean + api_key_owner: + nullable: true + type: string + consumer: + type: string + created_at: + type: string + created_by: + nullable: true + type: string + enabled: + type: boolean + id: + type: string + name: + type: string + params: + additionalProperties: + nullable: true + description: The parameters for the rule. 
+ type: object + revision: + type: number + rule_type_id: + type: string + schedule: + additionalProperties: false + type: object + properties: + interval: + type: string + required: + - interval + tags: + items: + type: string + type: array + updated_at: + type: string + updated_by: + nullable: true + type: string + required: + - id + - name + - tags + - rule_type_id + - params + - api_key_owner + - consumer + - enabled + - schedule + - created_by + - updated_by + - created_at + - updated_at + - revision + schedule: + items: + additionalProperties: false + type: object + properties: + interval: + type: string + run_at: + type: string + status: + enum: + - complete + - pending + - running + - error + - timeout + type: string + required: + - run_at + - status + - interval + type: array + space_id: + type: string + start: + type: string + status: + enum: + - complete + - pending + - running + - error + - timeout + type: string + required: + - id + - created_at + - duration + - enabled + - rule + - space_id + - initiator + - start + - status + - schedule + title: backfill_response + type: object + Kibana_HTTP_APIs_bulk_delete_enrollment_api_keys_request: + additionalProperties: false + properties: + forceDelete: + default: false + description: When false (default), invalidate the API key and mark the token as inactive. When true, also delete the token document. + type: boolean + includeHidden: + default: false + description: When true, allow deletion of hidden enrollment tokens (managed/agentless policies). Defaults to false. + type: boolean + kuery: + description: KQL query to select enrollment tokens to delete. + type: string + tokenIds: + description: List of enrollment token IDs to delete. 
+ items: + type: string + maxItems: 10000 + type: array + title: bulk_delete_enrollment_api_keys_request + type: object + Kibana_HTTP_APIs_bulk_delete_enrollment_api_keys_response: + additionalProperties: false + properties: + action: + type: string + count: + type: number + errorCount: + type: number + successCount: + type: number + required: + - action + - count + - successCount + - errorCount + title: bulk_delete_enrollment_api_keys_response + type: object + Kibana_HTTP_APIs_bulk_get_agent_policies_response: + additionalProperties: false + properties: + items: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_agent_policy_response' + maxItems: 10000 + type: array + required: + - items + title: bulk_get_agent_policies_response + type: object + Kibana_HTTP_APIs_bulk_get_package_policies_response: + additionalProperties: false + properties: + items: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_response' + maxItems: 10000 + type: array + required: + - items + title: bulk_get_package_policies_response + type: object + Kibana_HTTP_APIs_bulk_install_packages_from_registry_request: + additionalProperties: false + properties: + force: + default: false + type: boolean + packages: + items: + anyOf: + - type: string + - additionalProperties: false type: object properties: - error: - example: Bad Request + name: type: string - message: - example: 'Missing required field: title' + prerelease: + type: boolean + version: type: string - statusCode: - example: 400 - type: number - description: Bad Request response. 
- summary: Update a conversation - tags: - - Security AI Assistant API - - Conversation API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request PUT 'http://localhost:5601/api/security_ai_assistant/current_user/conversations/abc123' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" \ - --data '{"title":"Updated Security Discussion","category":"insights","messages":[{"content":"Resolved.","role":"assistant","timestamp":"2023-10-31T12:30:00Z"}],"apiConfig":{"connectorId":"54321","actionTypeId":"09876"},"replacements":{},"excludeFromLastConversationStorage":true}' - /api/security_ai_assistant/knowledge_base: - get: - description: Read a single KB - operationId: GetKnowledgeBase - responses: - '200': - content: - application/json: - examples: - KnowledgeBaseReadResponse200Example2: - summary: >- - A response that returns information about the knowledge - base. - value: - defend_insights_exists: true - elser_exists: false - is_setup_available: true - is_setup_in_progress: true - product_documentation_status: installed - security_labs_exists: false - user_data_exists: true - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseReadResponse200 - description: Indicates a successful call. - '400': - content: - application/json: - examples: - GetKnowledgeBaseResponse400Example: - value: - error: Bad Request - message: Invalid resource ID provided. - statusCode: 400 - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400 - description: Bad Request response. - summary: Read a KnowledgeBase - tags: - - Security AI Assistant API - - KnowledgeBase API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request GET 'http://localhost:5601/api/security_ai_assistant/knowledge_base' \ - --header "Authorization: $API_KEY" - post: - description: >- - Create a knowledge base. 
Use this endpoint when no specific resource - identifier is needed. - operationId: PostKnowledgeBase - parameters: - - description: >- - ELSER modelId to use when setting up the Knowledge Base. If not - provided, a default model will be used. - example: elser-model-001 - in: query - name: modelId - required: false - schema: - type: string - - description: >- - Indicates whether we should or should not install Security Labs docs - when setting up the Knowledge Base. Defaults to `false`. - example: true - in: query - name: ignoreSecurityLabs - required: false - schema: - default: false - type: boolean - responses: - '200': - content: - application/json: - examples: - KnowledgeBaseResponse200Example2: - summary: A response that indicates that the request was successful. - value: - success: true - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse - description: Indicates a successful call. - '400': - content: - application/json: - examples: - KnowledgeBaseResponse400Example2: - summary: >- - A response for a request that failed due to an invalid query - parameter value. - value: > - statusCode: 400 error: Bad Request message: "[request - query]: ignoreSecurityLabs: Invalid enum value. Expected - 'true' | 'false', received 'yes', ignoreSecurityLabs: - Expected boolean, received string" - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400 - description: Bad Request response. - summary: Create a KnowledgeBase - tags: - - Security AI Assistant API - - KnowledgeBase API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request POST 'http://localhost:5601/api/security_ai_assistant/knowledge_base?ignoreSecurityLabs=false' \ - --header "Authorization: $API_KEY" - /api/security_ai_assistant/knowledge_base/{resource}: - get: - description: Read a knowledge base with a specific resource identifier. 
- operationId: ReadKnowledgeBase - parameters: - - description: The KnowledgeBase `resource` value. - example: kb12345 - in: path - name: resource - required: true - schema: + required: + - name + - version + maxItems: 1000 + minItems: 1 + type: array + required: + - packages + title: bulk_install_packages_from_registry_request + type: object + Kibana_HTTP_APIs_bulk_install_packages_from_registry_response: + additionalProperties: false + properties: + items: + items: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_install_packages_response_item_success' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_install_packages_response_item_error' + maxItems: 10000 + type: array + required: + - items + title: bulk_install_packages_from_registry_response + type: object + Kibana_HTTP_APIs_bulk_install_packages_response_item_error: + additionalProperties: false + properties: + error: + anyOf: + - type: string + - nullable: true + name: + type: string + statusCode: + type: number + required: + - name + - statusCode + title: bulk_install_packages_response_item_error + type: object + Kibana_HTTP_APIs_bulk_install_packages_response_item_success: + additionalProperties: false + properties: + name: + type: string + result: + additionalProperties: false + type: object + properties: + assets: + items: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kibana_asset_reference' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_es_asset_reference' + maxItems: 10000 + type: array + error: + nullable: true + installSource: + type: string + installType: + type: string + status: + enum: + - installed + - already_installed + type: string + required: + - error + - installType + version: + type: string + required: + - name + - version + - result + title: bulk_install_packages_response_item_success + type: object + Kibana_HTTP_APIs_bulk_namespace_customization_request: + additionalProperties: false + properties: + disable: + description: Namespaces to disable 
namespace-level customization for on each package. + items: type: string - responses: - '200': - content: - application/json: - examples: - KnowledgeBaseReadResponse200Example1: - summary: >- - A response that returns information about the knowledge - base. - value: - defend_insights_exists: true - elser_exists: false - is_setup_available: true - is_setup_in_progress: true - product_documentation_status: installed - security_labs_exists: false - user_data_exists: true - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseReadResponse200 - description: Indicates a successful call. - '400': - content: - application/json: - examples: - ReadKnowledgeBaseResponse400Example: - value: - error: Bad Request - message: Invalid resource ID provided. - statusCode: 400 - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400 - description: Bad Request response. - summary: Read a KnowledgeBase for a resource - tags: - - Security AI Assistant API - - KnowledgeBase API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request GET 'http://localhost:5601/api/security_ai_assistant/knowledge_base/kb12345' \ - --header "Authorization: $API_KEY" - post: - description: Create a knowledge base with a specific resource identifier. - operationId: CreateKnowledgeBase - parameters: - - description: The KnowledgeBase `resource` value. - example: kb12345 - in: path - name: resource - required: true - schema: + maxItems: 100 + type: array + enable: + description: Namespaces to enable namespace-level customization for on each package. + items: type: string - - description: >- - ELSER modelId to use when setting up the Knowledge Base. If not - provided, a default model will be used. - example: elser-model-001 - in: query - name: modelId - required: false - schema: + maxItems: 100 + type: array + packages: + description: Package names to apply the customization changes to. 
+ items: type: string - - description: >- - Indicates whether we should or should not install Security Labs docs - when setting up the Knowledge Base. Defaults to `false`. - example: true - in: query - name: ignoreSecurityLabs - required: false - schema: - default: false - type: boolean - responses: - '200': - content: - application/json: - examples: - KnowledgeBaseResponse200Example1: - summary: A response that indicates that the request was successful. - value: - success: true - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse - description: Indicates a successful call. - '400': - content: - application/json: - examples: - KnowledgeBaseResponse400Example1: - summary: >- - A response for a request that failed due to an invalid query - parameter value. - value: > - statusCode: 400 error: Bad Request message: "[request - query]: ignoreSecurityLabs: Invalid enum value. Expected - 'true' | 'false', received 'yes', ignoreSecurityLabs: - Expected boolean, received string" - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400 - description: Bad Request response. - summary: Create a KnowledgeBase for a resource - tags: - - Security AI Assistant API - - KnowledgeBase API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request POST 'http://localhost:5601/api/security_ai_assistant/knowledge_base/kb12345?ignoreSecurityLabs=false' \ - --header "Authorization: $API_KEY" - /api/security_ai_assistant/knowledge_base/entries: - post: - description: Create a Knowledge Base Entry - operationId: CreateKnowledgeBaseEntry - requestBody: - content: - application/json: - examples: - CreateKnowledgeBaseEntryRequest: - value: - kbResource: user - name: How to reset a password - source: manual - text: >- - To reset your password, go to the settings page and click - 'Reset Password'. 
- type: document - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryCreateProps - required: true - responses: - '200': - content: - application/json: - examples: - CreateKnowledgeBaseEntryResponse200Example: - value: - createdAt: '2024-01-15T10:00:00.000Z' - createdBy: user@example.com - global: false - id: '12345' - kbResource: user - name: How to reset a password - namespace: default - source: manual - text: >- - To reset your password, go to the settings page and click - 'Reset Password'. - type: document - updatedAt: '2024-01-15T10:00:00.000Z' - updatedBy: user@example.com - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse - description: Successful request returning Knowledge Base Entries - '400': - content: - application/json: - examples: - CreateKnowledgeBaseEntryResponse400Example: - value: - error: Invalid input - message: The 'name' field is required. - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema - description: Bad Request response. - summary: Create a Knowledge Base Entry - tags: - - Security AI Assistant API - - Knowledge Base Entries API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request POST 'http://localhost:5601/api/security_ai_assistant/knowledge_base/entries' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" \ - --data '{"name":"How to reset a password","type":"document","kbResource":"user","source":"manual","text":"To reset your password, go to the settings page and click Reset Password."}' - /api/security_ai_assistant/knowledge_base/entries/_bulk_action: - post: - description: >- - The bulk action is applied to all Knowledge Base Entries that match the - filter or to the list of Knowledge Base Entries by their IDs. 
- operationId: PerformKnowledgeBaseEntryBulkAction - requestBody: - content: - application/json: - examples: - PerformKnowledgeBaseEntryBulkActionRequest: - value: - create: - - kbResource: user - name: New Entry - source: manual - text: This is the content of the new entry. - type: document - delete: - ids: - - '789' - update: - - id: '123' - kbResource: user - name: Updated Entry - source: manual - text: Updated content. - type: document - schema: + maxItems: 1000 + minItems: 1 + type: array + required: + - packages + title: bulk_namespace_customization_request + type: object + Kibana_HTTP_APIs_bulk_namespace_customization_response: + additionalProperties: false + properties: + items: + items: + additionalProperties: false + type: object + properties: + error: + type: string + name: + type: string + namespace_customization_enabled_for: + description: 'The opt-in list on the package. Returned whenever the package is installed: the new list on success, or the unchanged list when the request is rejected (for example, because of a namespace-prefix restriction).' 
+ items: + type: string + maxItems: 100 + type: array + success: + type: boolean + required: + - name + - success + maxItems: 1000 + type: array + required: + - items + title: bulk_namespace_customization_response + type: object + Kibana_HTTP_APIs_bulk_rollback_packages_request: + additionalProperties: false + properties: + packages: + items: + additionalProperties: false + type: object + properties: + name: + description: Package name to rollback + type: string + required: + - name + maxItems: 1000 + minItems: 1 + type: array + required: + - packages + title: bulk_rollback_packages_request + type: object + Kibana_HTTP_APIs_bulk_rollback_packages_response: + additionalProperties: false + properties: + taskId: + type: string + required: + - taskId + title: bulk_rollback_packages_response + type: object + Kibana_HTTP_APIs_bulk_uninstall_packages_request: + additionalProperties: false + properties: + force: + default: false + type: boolean + packages: + items: + additionalProperties: false + type: object + properties: + name: + type: string + version: + type: string + required: + - name + - version + maxItems: 1000 + minItems: 1 + type: array + required: + - packages + title: bulk_uninstall_packages_request + type: object + Kibana_HTTP_APIs_bulk_upgrade_packages_request: + additionalProperties: false + properties: + force: + default: false + type: boolean + packages: + items: + additionalProperties: false + type: object + properties: + name: + type: string + version: + type: string + required: + - name + maxItems: 1000 + minItems: 1 + type: array + prerelease: + type: boolean + upgrade_package_policies: + default: false + type: boolean + required: + - packages + title: bulk_upgrade_packages_request + type: object + Kibana_HTTP_APIs_bulk_upgrade_packages_response: + additionalProperties: false + properties: + taskId: + type: string + required: + - taskId + title: bulk_upgrade_packages_response + type: object + Kibana_HTTP_APIs_byteFormat: + additionalProperties: false 
+ description: Data size format in bits or bytes, with optional decimal places and suffix. + properties: + decimals: + default: 2 + description: Number of decimal places to display. + type: number + suffix: + description: Suffix appended to the formatted value. + type: string + type: + description: 'Data size unit: `bits` or `bytes`.' + enum: + - bits + - bytes + type: string + required: + - type + title: Byte Format + type: object + Kibana_HTTP_APIs_categoricalColorMapping: + additionalProperties: false + description: Palette color assignment for specific categorical values. Unmapped values receive the unassigned color. + properties: + mapping: + items: + additionalProperties: false + type: object + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorFromPalette' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_color_code' + values: + items: + anyOf: + - type: string + - type: number + - $ref: '#/components/schemas/Kibana_HTTP_APIs_range_key' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_multi_field_key' + maxItems: 1000 + type: array + required: + - values + - color + maxItems: 1000 + type: array + mode: + enum: + - categorical + type: string + palette: + description: 'Color palette name. Accepted values: ''default'', ''elastic_line_optimized'', ''severity'', ''eui_amsterdam'', ''kibana_v7_legacy'', ''elastic_brand_2023''. Defaults to `default`.' 
+ type: string + unassigned: + $ref: '#/components/schemas/Kibana_HTTP_APIs_unassignedColorSchema' + required: + - mode + - palette + - mapping + title: Categorical Color Mapping + type: object + Kibana_HTTP_APIs_category_summary_item: + additionalProperties: false + properties: + count: + type: number + id: + type: string + parent_id: + type: string + parent_title: + type: string + title: + type: string + required: + - id + - title + - count + title: category_summary_item + type: object + Kibana_HTTP_APIs_ClassicFieldDefinition: + additionalProperties: + $ref: '#/components/schemas/Kibana_HTTP_APIs_ClassicFieldDefinitionConfig' + type: object + Kibana_HTTP_APIs_ClassicFieldDefinitionConfig: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_RecursiveRecord' + - anyOf: + - additionalProperties: false type: object properties: - create: - description: List of Knowledge Base Entries to create. - example: - - kbResource: user - name: New Entry - source: manual - text: This is the content of the new entry. - type: document - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryCreateProps - type: array - delete: - type: object - properties: - ids: - description: Array of Knowledge Base Entry IDs. - example: - - '123' - - '456' - - '789' - items: - type: string - minItems: 1 - type: array - query: - description: Query to filter Knowledge Base Entries. - example: status:active AND category:technology - type: string - update: - description: List of Knowledge Base Entries to update. - example: - - id: '123' - kbResource: user - name: Updated Entry - source: manual - text: Updated content. 
- type: document - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryUpdateProps - type: array - responses: - '200': - content: - application/json: - examples: - PerformKnowledgeBaseEntryBulkActionResponse200Example: - value: - attributes: - results: - created: - - createdAt: '2024-01-15T10:00:00.000Z' - createdBy: user@example.com - global: false - id: '456' - kbResource: user - name: New Entry - namespace: default - source: manual - text: This is the content of the new entry. - type: document - updatedAt: '2024-01-15T10:00:00.000Z' - updatedBy: user@example.com - deleted: - - '789' - skipped: [] - updated: - - createdAt: '2024-01-14T09:00:00.000Z' - createdBy: user@example.com - global: false - id: '123' - kbResource: user - name: Updated Entry - namespace: default - source: manual - text: Updated content. - type: document - updatedAt: '2024-01-15T10:00:00.000Z' - updatedBy: user@example.com - summary: - failed: 0 - skipped: 0 - succeeded: 3 - total: 3 - knowledgeBaseEntriesCount: 3 - message: Bulk action completed successfully. - statusCode: 200 - success: true - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionResponse - description: Successful bulk operation request - '400': - content: - application/json: - examples: - PerformKnowledgeBaseEntryBulkActionResponse400Example: - value: - error: Bad Request - message: Invalid request body. - statusCode: 400 - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema - description: Bad Request response. 
- summary: Applies a bulk action to multiple Knowledge Base Entries - tags: - - Security AI Assistant API - - Knowledge Base Entries Bulk API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request POST 'http://localhost:5601/api/security_ai_assistant/knowledge_base/entries/_bulk_action' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" \ - --data '{"create":[{"name":"Runbook","type":"document","kbResource":"user","source":"manual","text":"Steps to triage an alert."}]}' - /api/security_ai_assistant/knowledge_base/entries/_find: - get: - description: Finds Knowledge Base Entries that match the given query. - operationId: FindKnowledgeBaseEntries - parameters: - - description: >- - A list of fields to include in the response. If not provided, all - fields will be included. - in: query - name: fields - required: false - schema: - example: - - name - - created_at - items: - type: string - type: array - - description: Search query to filter Knowledge Base Entries by specific criteria. - in: query - name: filter - required: false - schema: - example: error handling + description: + type: string + format: + description: A non-empty string. + minLength: 1 + type: string + type: + enum: + - keyword + - match_only_text + - long + - double + - date + - boolean + - ip + - geo_point + - integer + - short + - byte + - float + - half_float + - text + - wildcard + - version + - unsigned_long + - date_nanos + type: string + required: + - type + - additionalProperties: false + type: object + properties: + description: + type: string + type: + enum: + - system + type: string + required: + - type + Kibana_HTTP_APIs_ClassicStreamUpsertRequest: + additionalProperties: false + type: object + properties: + dashboards: + items: type: string - - description: Field to sort the Knowledge Base Entries by. 
- in: query - name: sort_field - required: false - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_FindKnowledgeBaseEntriesSortField - example: created_at - - description: Sort order for the results, either asc or desc. - in: query - name: sort_order - required: false - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' - example: asc - - description: Page number for paginated results. Defaults to 1. - in: query - name: page - required: false - schema: - default: 1 - example: 2 - minimum: 1 - type: integer - - description: Number of Knowledge Base Entries to return per page. Defaults to 20. - in: query - name: per_page - required: false - schema: - default: 20 - example: 10 - minimum: 0 - type: integer - responses: - '200': - content: - application/json: - examples: - FindKnowledgeBaseEntriesResponse200Example: - value: - data: - - createdAt: '2024-01-15T10:00:00.000Z' - createdBy: user@example.com - global: false - id: '12345' - kbResource: user - name: How to reset a password - namespace: default - source: manual - text: >- - To reset your password, go to the settings page and - click 'Reset Password'. - type: document - updatedAt: '2024-01-15T10:00:00.000Z' - updatedBy: user@example.com - page: 1 - perPage: 20 - total: 100 - schema: - type: object - properties: - data: - description: The list of Knowledge Base Entries for the current page. - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse - type: array - page: - description: The current page number. - example: 1 - type: integer - perPage: - description: The number of Knowledge Base Entries returned per page. - example: 20 - type: integer - total: - description: The total number of Knowledge Base Entries available. - example: 100 - type: integer - required: - - page - - perPage - - total - - data - description: Successful response containing the paginated Knowledge Base Entries. 
- '400': - content: - application/json: - examples: - FindKnowledgeBaseEntriesResponse400Example: - value: - error: Bad Request - message: 'Invalid query parameter: sort_order' - statusCode: 400 - schema: + type: array + queries: + items: + type: object + properties: + description: + type: string + esql: type: object properties: - error: - description: A short description of the error. - example: Bad Request - type: string - message: - description: A detailed message explaining the error. - example: 'Invalid query parameter: sort_order' + query: type: string - statusCode: - description: The HTTP status code of the error. - example: 400 - type: number - description: Bad Request response. - summary: Finds Knowledge Base Entries that match the given query. - tags: - - Security AI Assistant API - - Knowledge Base Entries API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request GET 'http://localhost:5601/api/security_ai_assistant/knowledge_base/entries/_find?page=1&per_page=20' \ - --header "Authorization: $API_KEY" - /api/security_ai_assistant/knowledge_base/entries/{id}: - delete: - description: Delete a Knowledge Base Entry by its unique `id`. - operationId: DeleteKnowledgeBaseEntry - parameters: - - description: The unique identifier (`id`) of the Knowledge Base Entry to delete. - example: '12345' - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' - responses: - '200': - content: - application/json: - examples: - DeleteKnowledgeBaseEntryResponse200Example: - value: - id: '12345' - message: Knowledge Base Entry successfully deleted. - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_DeleteResponseFields - description: >- - Successful request returning the `id` of the deleted Knowledge Base - Entry. 
- '400': - content: - application/json: - examples: - DeleteKnowledgeBaseEntryResponse400Example: - value: - error: Not Found - message: No Knowledge Base Entry found with the provided `id`. - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema - description: Bad Request response. - summary: Deletes a single Knowledge Base Entry using the `id` field - tags: - - Security AI Assistant API - - Knowledge Base Entries API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request DELETE 'http://localhost:5601/api/security_ai_assistant/knowledge_base/entries/12345' \ - --header "Authorization: $API_KEY" - get: - description: Retrieve a Knowledge Base Entry by its unique `id`. - operationId: ReadKnowledgeBaseEntry - parameters: - - description: >- - The unique identifier (`id`) of the Knowledge Base Entry to - retrieve. - example: '12345' - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' - responses: - '200': - content: - application/json: - examples: - ReadKnowledgeBaseEntryResponse200Example: - value: - createdAt: '2024-01-15T10:00:00.000Z' - createdBy: user@example.com - global: false - id: '12345' - kbResource: user - name: How to reset a password - namespace: default - source: manual - text: >- - To reset your password, go to the settings page and click - 'Reset Password'. - type: document - updatedAt: '2024-01-15T10:00:00.000Z' - updatedBy: user@example.com - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse - description: Successful request returning the requested Knowledge Base Entry. - '400': - content: - application/json: - examples: - ReadKnowledgeBaseEntryResponse400Example: - value: - error: Not Found - message: No Knowledge Base Entry found with the provided `id`. 
- schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema - description: Bad Request response. - summary: Read a Knowledge Base Entry - tags: - - Security AI Assistant API - - Knowledge Base Entries API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request GET 'http://localhost:5601/api/security_ai_assistant/knowledge_base/entries/12345' \ - --header "Authorization: $API_KEY" - put: - description: Update an existing Knowledge Base Entry by its unique `id`. - operationId: UpdateKnowledgeBaseEntry - parameters: - - description: The unique identifier (`id`) of the Knowledge Base Entry to update. - example: '12345' - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' - requestBody: - content: - application/json: - examples: - UpdateKnowledgeBaseEntryRequest: - value: - kbResource: user - name: How to reset a password (updated) - source: manual - text: >- - Updated: go to settings and click Reset Password, then - follow the on-screen instructions. - type: document - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryUpdateRouteProps - required: true - responses: - '200': - content: - application/json: - examples: - UpdateKnowledgeBaseEntryResponse200Example: - value: - createdAt: '2024-01-15T10:00:00.000Z' - createdBy: user@example.com - global: false - id: '12345' - kbResource: user - name: How to reset a password (updated) - namespace: default - source: manual - text: >- - Updated: go to settings and click Reset Password, then - follow the on-screen instructions. - type: document - updatedAt: '2024-01-15T10:05:00.000Z' - updatedBy: user@example.com - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse - description: Successful request returning the updated Knowledge Base Entry. 
- '400': - content: - application/json: - examples: - UpdateKnowledgeBaseEntryResponse400Example: - value: - error: Invalid input - message: The 'text' field cannot be empty. - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema - description: Bad Request response. - summary: Update a Knowledge Base Entry - tags: - - Security AI Assistant API - - Knowledge Base Entries API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request PUT 'http://localhost:5601/api/security_ai_assistant/knowledge_base/entries/12345' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" \ - --data '{"name":"How to reset a password (updated)","type":"document","kbResource":"user","source":"manual","text":"Updated: go to settings and click Reset Password, then follow the on-screen instructions."}' - /api/security_ai_assistant/prompts/_bulk_action: - post: - description: >- - Apply a bulk action to multiple prompts. The bulk action is applied to - all prompts that match the filter or to the list of prompts by their - IDs. This action allows for bulk create, update, or delete operations. - operationId: PerformPromptsBulkAction - requestBody: - content: - application/json: - examples: - PerformPromptsBulkActionRequest: - value: - create: - - content: Please verify the security settings. - name: New Security Prompt - promptType: system - delete: - ids: - - prompt1 - - prompt2 - update: - - content: Updated content for security prompt. - id: prompt123 - schema: + required: + - query + evidence: + items: + type: string + type: array + features: + items: + type: object + properties: + id: + type: string + run_id: + type: string + required: + - id + type: array + id: + description: A non-empty string. + minLength: 1 + type: string + severity_score: + type: number + title: + description: A non-empty string. 
+ minLength: 1 + type: string + type: + default: match + enum: + - match + - stats + type: string + required: + - id + - title + - description + - esql + type: array + rules: + items: + type: string + type: array + stream: + additionalProperties: false + type: object + properties: + description: + type: string + ingest: + additionalProperties: false type: object properties: - create: - description: List of prompts to be created. - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_PromptCreateProps - type: array - delete: - description: Criteria for deleting prompts in bulk. + classic: + additionalProperties: false type: object properties: - ids: - description: Array of IDs to apply the action to. - example: - - '1234' - - '5678' + field_overrides: + $ref: '#/components/schemas/Kibana_HTTP_APIs_ClassicFieldDefinition' + failure_store: + $ref: '#/components/schemas/Kibana_HTTP_APIs_FailureStore' + lifecycle: + $ref: '#/components/schemas/Kibana_HTTP_APIs_IngestStreamLifecycle' + processing: + additionalProperties: false + type: object + properties: + steps: items: - type: string - minItems: 1 + $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamlangStep' type: array - query: - description: Query to filter the bulk action. - example: 'status: ''inactive''' - type: string - update: - description: List of prompts to be updated. - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_PromptUpdateProps - type: array - responses: - '200': - content: - application/json: - examples: - success: - value: - attributes: - errors: [] - results: - created: - - content: Please verify the security settings. 
- id: prompt6 - name: New Security Prompt - promptType: system - deleted: - - prompt2 - - prompt3 - skipped: - - id: prompt4 - name: Security Prompt - skip_reason: PROMPT_FIELD_NOT_MODIFIED - updated: - - content: Updated security settings prompt - id: prompt1 - name: Security Prompt - promptType: system - summary: - failed: 0 - skipped: 1 - succeeded: 4 - total: 5 - message: Bulk action completed successfully. - prompts_count: 5 - status_code: 200 - success: true - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_PromptsBulkCrudActionResponse - description: Indicates a successful call with the results of the bulk action. - '400': - content: - application/json: - examples: - PerformPromptsBulkActionResponse400Example: - value: - error: Bad Request - message: Invalid prompt ID or missing required fields. - statusCode: 400 - schema: + updated_at: {} + required: + - steps + settings: + additionalProperties: false + type: object + properties: + index.number_of_replicas: + additionalProperties: false + type: object + properties: + value: + type: number + required: + - value + index.number_of_shards: + additionalProperties: false + type: object + properties: + value: + type: number + required: + - value + index.refresh_interval: + additionalProperties: false + type: object + properties: + value: + anyOf: + - type: string + - enum: + - -1 + type: number + required: + - value + required: + - lifecycle + - processing + - settings + - failure_store + - classic + query_streams: + items: type: object properties: - error: - description: A short error message. - example: Bad Request - type: string - message: - description: A detailed error message. - example: Invalid prompt ID or missing required fields. + name: type: string - statusCode: - description: The HTTP status code for the error. - example: 400 - type: number - description: Bad Request response. 
- summary: Apply a bulk action to prompts - tags: - - Security AI Assistant API - - Bulk API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request POST 'http://localhost:5601/api/security_ai_assistant/prompts/_bulk_action' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" \ - --data '{"delete":{"query":"name: test","ids":[]}}' - /api/security_ai_assistant/prompts/_find: - get: - description: >- - Get a list of all prompts based on optional filters, sorting, and - pagination. - operationId: FindPrompts - parameters: - - description: List of specific fields to include in each returned prompt. - in: query - name: fields - required: false - schema: - example: - - id - - name - - content - items: - type: string - type: array - - description: Search query string to filter prompts by matching fields. - in: query - name: filter - required: false - schema: - example: error handling - type: string - - description: Field to sort prompts by. - in: query - name: sort_field - required: false - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_FindPromptsSortField - - description: Sort order, either asc or desc. - in: query - name: sort_order - required: false - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' - - description: Page number for pagination. - in: query - name: page - required: false - schema: - default: 1 - example: 1 - minimum: 1 - type: integer - - description: Number of prompts per page. - in: query - name: per_page - required: false - schema: - default: 20 - example: 20 - minimum: 0 - type: integer - responses: - '200': - content: - application/json: - examples: - FindPromptsResponse200Example: - value: - data: - - categories: - - troubleshooting - - logging - color: '#FF5733' - consumer: security - content: If you encounter an error, check the logs and retry. 
- createdAt: '2025-04-20T21:00:00Z' - createdBy: jdoe - id: prompt-123 - isDefault: true - isNewConversationDefault: false - name: Error Troubleshooting Prompt - namespace: default - promptType: standard - timestamp: '2025-04-30T22:30:00Z' - updatedAt: '2025-04-30T22:45:00Z' - updatedBy: jdoe - users: - - full_name: John Doe - username: jdoe - page: 1 - perPage: 20 - total: 142 - schema: - example: - data: - - categories: - - troubleshooting - - logging - color: '#FF5733' - consumer: security - content: If you encounter an error, check the logs and retry. - createdAt: '2025-04-20T21:00:00Z' - createdBy: jdoe - id: prompt-123 - isDefault: true - isNewConversationDefault: false - name: Error Troubleshooting Prompt - namespace: default - promptType: standard - timestamp: '2025-04-30T22:30:00Z' - updatedAt: '2025-04-30T22:45:00Z' - updatedBy: jdoe - users: - - full_name: John Doe - username: jdoe - page: 1 - perPage: 20 - total: 142 - type: object - properties: - data: - description: >- - The list of prompts returned based on the search query, - sorting, and pagination. - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_PromptResponse - type: array - page: - description: Current page number. - example: 1 - type: integer - perPage: - description: Number of prompts per page. - example: 20 - type: integer - total: - description: Total number of prompts matching the query. - example: 142 - type: integer required: - - page - - perPage - - total - - data - description: Successful response containing a list of prompts. - '400': - content: - application/json: - examples: - FindPromptsResponse400Example: - value: - error: Bad Request - message: Invalid sort order value provided. - statusCode: 400 - schema: - type: object - properties: - error: - description: Short error message. - example: Bad Request - type: string - message: - description: Detailed description of the error. - example: Invalid sort order value provided. 
- type: string - statusCode: - description: HTTP status code for the error. - example: 400 - type: number - description: Bad request due to invalid parameters or malformed query. - summary: Get prompts - tags: - - Security AI Assistant API - - Prompts API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request GET 'http://localhost:5601/api/security_ai_assistant/prompts/_find?page=1&per_page=20' \ - --header "Authorization: $API_KEY" - /api/task_manager/_health: - get: - description: | - Get the health status of the Kibana task manager. - operationId: task-manager-health - responses: - '200': - content: - application/json: - examples: - taskManagerHealthResponse1: - $ref: >- - #/components/examples/Task_manager_health_Serverless_APIs_health_200response_serverless - schema: - $ref: >- - #/components/schemas/Task_manager_health_Serverless_APIs_health_response_serverless - description: Indicates a successful call - summary: Get the task manager health - tags: - - task manager - /api/timeline: - delete: - description: Delete one or more Timelines or Timeline templates. - operationId: DeleteTimelines - requestBody: - content: - application/json: - examples: - deleteByIds: - summary: Delete timelines by saved object id - value: - savedObjectIds: - - 15c1929b-0af7-42bd-85a8-56e234cc7c4e - deleteWithSearches: - summary: Delete Timelines and their linked saved searches - value: - savedObjectIds: - - 15c1929b-0af7-42bd-85a8-56e234cc7c4e - - 6ce1b592-84e3-4b4a-9552-f189d4b82075 - searchIds: - - 2c1b8f02-9ad6-4e33-8f6a-2c6b7d0a1f11 - schema: + - name + type: array + type: + enum: + - classic + type: string + required: + - description + - ingest + - type + required: + - dashboards + - rules + - queries + - stream + Kibana_HTTP_APIs_collapseBy: + description: Aggregation function used to collapse a breakdown dimension into a single value. 
+ enum: + - avg + - sum + - max + - min + title: collapseBy + type: string + Kibana_HTTP_APIs_color_code: + additionalProperties: false + description: A color specified as a hex or CSS color code string. + properties: + type: + enum: + - color_code + type: string + value: + description: The static color value to use. + type: string + required: + - type + - value + title: Color Code + type: object + Kibana_HTTP_APIs_colorByValue: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValueAbsolute' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValuePercentage' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyColorByValue' + description: Dynamic color mapping by numeric range, with support for absolute and percentage-based ranges. + title: Color By Value + Kibana_HTTP_APIs_colorByValueAbsolute: + additionalProperties: false + description: Color by absolute value configuration + properties: + range: + enum: + - absolute + type: string + steps: + description: Array of ordered color steps defining the range each color is applied. + items: + additionalProperties: false + type: object + properties: + color: + description: The color to use for this step. + type: string + gte: + description: The lower bound of range from which this color applies (inclusive). + nullable: true + type: number + lt: + description: The upper bound of range to which this color applies (exclusive). + nullable: true + type: number + lte: + description: The upper bound of range to which this color applies (inclusive). 
+ nullable: true + type: number + required: + - color + maxItems: 100 + minItems: 1 + type: array + type: + enum: + - dynamic + type: string + required: + - type + - range + - steps + title: Color By Value (Absolute) + type: object + Kibana_HTTP_APIs_colorByValuePercentage: + additionalProperties: false + description: Color by percentage value configuration + properties: + range: + enum: + - percentage + type: string + steps: + description: Array of ordered color steps defining the range each color is applied. + items: + additionalProperties: false + type: object + properties: + color: + description: The color to use for this step. + type: string + gte: + description: The lower bound of range from which this color applies (inclusive). + nullable: true + type: number + lt: + description: The upper bound of range to which this color applies (exclusive). + nullable: true + type: number + lte: + description: The upper bound of range to which this color applies (inclusive). + nullable: true + type: number + required: + - color + maxItems: 100 + minItems: 1 + type: array + type: + enum: + - dynamic + type: string + required: + - type + - range + - steps + title: Color By Value (Percentage) + type: object + Kibana_HTTP_APIs_colorFromPalette: + additionalProperties: false + description: Color at a fixed index position in a named palette. + properties: + index: + description: The index of the color in the palette. + type: number + palette: + description: 'Color palette name. Accepted values: ''default'', ''elastic_line_optimized'', ''severity'', ''eui_amsterdam'', ''kibana_v7_legacy'', ''elastic_brand_2023''. Defaults to `default`.' 
+ type: string + type: + enum: + - from_palette + type: string + required: + - type + - index + title: Color From Palette + type: object + Kibana_HTTP_APIs_colorMapping: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_categoricalColorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_gradientColorMapping' + description: Color mapping for dimension values, either categorical (for specific values) or as a gradient. + title: Color Mapping + Kibana_HTTP_APIs_Condition: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_FilterCondition' + - additionalProperties: false + description: A logical AND that groups multiple conditions. + type: object + properties: + and: + description: An array of conditions. All sub-conditions must be true for this condition to be true. + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + type: array + required: + - and + - additionalProperties: false + description: A logical OR that groups multiple conditions. + type: object + properties: + or: + description: An array of conditions. At least one sub-condition must be true for this condition to be true. + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + type: array + required: + - or + - additionalProperties: false + description: A logical NOT that negates a condition. + type: object + properties: + not: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: A condition that negates another condition. + required: + - not + - additionalProperties: false + description: A condition that always evaluates to false. + type: object + properties: + never: + additionalProperties: false + description: An empty object. This condition never matches. + type: object + properties: {} + required: + - never + - additionalProperties: false + description: A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered. 
+ type: object + properties: + always: + additionalProperties: false + description: An empty object. This condition always matches. + type: object + properties: {} + required: + - always + description: The root condition object. It can be a simple filter or a combination of other conditions. + Kibana_HTTP_APIs_ConditionWithSteps: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + - additionalProperties: false + type: object + properties: + else: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamlangStep' + type: array + steps: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamlangStep' + type: array + required: + - steps + Kibana_HTTP_APIs_ContentPackIncludedObjects: + anyOf: + - additionalProperties: false + type: object + properties: + objects: + additionalProperties: false type: object properties: - savedObjectIds: - description: >- - The list of IDs of the Timelines or Timeline templates to - delete + all: + additionalProperties: false + type: object + properties: {} + required: + - all + required: + - objects + - additionalProperties: false + type: object + properties: + objects: + additionalProperties: false + type: object + properties: + mappings: + type: boolean + queries: items: - type: string - maxItems: 100 + type: object + properties: + id: + type: string + required: + - id type: array - searchIds: - description: >- - Saved search IDs that should be deleted alongside the - timelines + routing: items: - type: string - maxItems: 100 + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_ContentPackIncludedObjects' + - type: object + properties: + destination: + type: string + required: + - destination type: array required: - - savedObjectIds - description: The IDs of the Timelines or Timeline templates to delete. 
- required: true - responses: - '200': - content: - application/json: - examples: - success: - summary: Success - value: {} - schema: - additionalProperties: true - type: object - description: Indicates a successful call. - summary: Delete Timelines or Timeline templates - tags: - - Security Timeline API - - access:securitySolution - get: - description: Get the details of an existing saved Timeline or Timeline template. - operationId: GetTimeline - parameters: - - description: The `savedObjectId` of the Timeline template to retrieve. - in: query - name: template_timeline_id - schema: - type: string - - description: The `savedObjectId` of the Timeline to retrieve. - in: query - name: id - schema: - type: string - responses: - '200': - content: - application/json: - examples: - timelineDetail: - summary: Timeline detail - value: - description: User-reported suspicious email - noteIds: [] - pinnedEventIds: [] - savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - status: active - timelineType: default - title: Phishing investigation - version: WzE0LDFd - schema: - $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' - description: Indicates a successful call. - summary: Get Timeline or Timeline template details - tags: - - Security Timeline API - - access:securitySolution - patch: - description: >- - Update an existing Timeline. You can update the title, description, date - range, pinned events, pinned queries, and/or pinned saved queries of an - existing Timeline. 
- operationId: PatchTimeline - requestBody: - content: - application/json: - examples: - patchTitle: - summary: Update title - value: - timeline: - title: Escalated case review - timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - version: WzE0LDFd - schema: + - mappings + - queries + - routing + required: + - objects + Kibana_HTTP_APIs_copy_agent_policy_request: + additionalProperties: false + properties: + description: + type: string + name: + minLength: 1 + type: string + required: + - name + title: copy_agent_policy_request + type: object + Kibana_HTTP_APIs_core_status_redactedResponse: + additionalProperties: false + description: A minimal representation of Kibana's operational status. Returned when the caller is unauthenticated or lacks the `monitor` cluster privilege. + properties: + status: + additionalProperties: false + type: object + properties: + overall: + additionalProperties: false type: object properties: - timeline: - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' - description: >- - The timeline object of the Timeline or Timeline template - that you’re updating. - timelineId: - description: >- - The `savedObjectId` of the Timeline or Timeline template - that you’re updating. - example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - nullable: true + level: + description: Service status levels as human and machine readable values. + enum: + - available + - degraded + - unavailable + - critical type: string - version: - description: >- - The version of the Timeline or Timeline template that you’re - updating. - example: WzE0LDFd - nullable: true + required: + - level + required: + - overall + required: + - status + title: core_status_redactedResponse + type: object + Kibana_HTTP_APIs_core_status_response: + additionalProperties: false + description: Kibana's operational status as well as a detailed breakdown of plugin statuses indication of various loads (like event loop utilization and network traffic) at time of request. 
+ properties: + metrics: + additionalProperties: false + description: Metric groups collected by Kibana. + type: object + properties: + collection_interval_in_millis: + description: The interval at which metrics should be collected. + type: number + elasticsearch_client: + additionalProperties: false + description: Current network metrics of Kibana's Elasticsearch client. + type: object + properties: + totalActiveSockets: + description: Count of network sockets currently in use. + type: number + totalIdleSockets: + description: Count of network sockets currently idle. + type: number + totalQueuedRequests: + description: Count of requests not yet assigned to sockets. + type: number + required: + - totalActiveSockets + - totalIdleSockets + - totalQueuedRequests + last_updated: + description: The time metrics were collected. + type: string + required: + - elasticsearch_client + - last_updated + - collection_interval_in_millis + name: + description: Kibana instance name. + type: string + status: + additionalProperties: false + type: object + properties: + core: + additionalProperties: false + description: Statuses of core Kibana services. + type: object + properties: + elasticsearch: + additionalProperties: false + type: object + properties: + detail: + description: Human readable detail of the service status. + type: string + documentationUrl: + description: A URL to further documentation regarding this service. + type: string + level: + description: Service status levels as human and machine readable values. + enum: + - available + - degraded + - unavailable + - critical + type: string + meta: + additionalProperties: + nullable: true + description: An unstructured set of extra metadata about this service. + type: object + summary: + description: A human readable summary of the service status. 
+ type: string + required: + - level + - summary + - meta + http: + additionalProperties: false + type: object + properties: + detail: + description: Human readable detail of the service status. + type: string + documentationUrl: + description: A URL to further documentation regarding this service. + type: string + level: + description: Service status levels as human and machine readable values. + enum: + - available + - degraded + - unavailable + - critical + type: string + meta: + additionalProperties: + nullable: true + description: An unstructured set of extra metadata about this service. + type: object + summary: + description: A human readable summary of the service status. + type: string + required: + - level + - summary + - meta + savedObjects: + additionalProperties: false + type: object + properties: + detail: + description: Human readable detail of the service status. + type: string + documentationUrl: + description: A URL to further documentation regarding this service. + type: string + level: + description: Service status levels as human and machine readable values. + enum: + - available + - degraded + - unavailable + - critical + type: string + meta: + additionalProperties: + nullable: true + description: An unstructured set of extra metadata about this service. + type: object + summary: + description: A human readable summary of the service status. + type: string + required: + - level + - summary + - meta + required: + - elasticsearch + - savedObjects + overall: + additionalProperties: false + type: object + properties: + detail: + description: Human readable detail of the service status. + type: string + documentationUrl: + description: A URL to further documentation regarding this service. + type: string + level: + description: Service status levels as human and machine readable values. 
+ enum: + - available + - degraded + - unavailable + - critical + type: string + meta: + additionalProperties: + nullable: true + description: An unstructured set of extra metadata about this service. + type: object + summary: + description: A human readable summary of the service status. type: string required: - - timelineId - - version - - timeline - description: The Timeline updates, along with the Timeline ID and version. - required: true - responses: - '200': - content: - application/json: - examples: - patched: - summary: Updated timeline - value: - savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - status: active - timelineType: default - title: Escalated case review - version: WzE1LDFd - schema: - $ref: >- - #/components/schemas/Security_Timeline_API_PersistTimelineResponse - description: Indicates a successful call. - '405': - content: - application/json: - examples: - error: - summary: Error body - value: - body: update timeline error - statusCode: 405 - schema: + - level + - summary + - meta + plugins: + additionalProperties: + additionalProperties: false + type: object + properties: + detail: + description: Human readable detail of the service status. + type: string + documentationUrl: + description: A URL to further documentation regarding this service. + type: string + level: + description: Service status levels as human and machine readable values. + enum: + - available + - degraded + - unavailable + - critical + type: string + meta: + additionalProperties: + nullable: true + description: An unstructured set of extra metadata about this service. + type: object + summary: + description: A human readable summary of the service status. + type: string + required: + - level + - summary + - meta + description: A dynamic mapping of plugin ID to plugin status. + type: object + required: + - overall + - core + - plugins + uuid: + description: Unique, generated Kibana instance UUID. This UUID should persist even if the Kibana process restarts. 
+ type: string + version: + additionalProperties: false + type: object + properties: + build_date: + description: The date and time of this build. + type: string + build_flavor: + description: The build flavour determines configuration and behavior of Kibana. On premise users will almost always run the "traditional" flavour, while other flavours are reserved for Elastic-specific use cases. + enum: + - serverless + - traditional + type: string + build_hash: + description: A unique hash value representing the git commit of this Kibana build. + type: string + build_number: + description: A monotonically increasing number, each subsequent build will have a higher number. + type: number + build_snapshot: + description: Whether this build is a snapshot build. + type: boolean + number: + description: A semantic version number. + type: string + required: + - number + - build_hash + - build_number + - build_snapshot + - build_flavor + - build_date + required: + - name + - uuid + - version + - status + - metrics + title: core_status_response + type: object + Kibana_HTTP_APIs_counterRateOperation: + additionalProperties: false + properties: + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - counter_rate + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Counter Rate Operation + type: object + Kibana_HTTP_APIs_countMetricOperation: + additionalProperties: false + properties: + empty_as_null: + default: false + description: When 
`true`, treats empty buckets as null instead of zero. + type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - operation + title: Count Metric Operation + type: object + Kibana_HTTP_APIs_create_custom_integration_request: + additionalProperties: false + properties: + datasets: + items: + additionalProperties: false + type: object + properties: + name: + type: string + type: + enum: + - logs + - metrics + - traces + - synthetics + - profiling + type: string + required: + - name + - type + maxItems: 10 + type: array + force: + type: boolean + integrationName: + type: string + required: + - integrationName + - datasets + title: create_custom_integration_request + type: object + Kibana_HTTP_APIs_create_package_policy_request: + additionalProperties: false + properties: + additional_datastreams_permissions: + description: Additional data stream permissions that will be added to the agent policy. + items: + type: string + maxItems: 1000 + nullable: true + type: array + cloud_connector_id: + description: ID of the cloud connector associated with this package policy. + nullable: true + type: string + cloud_connector_name: + description: Transient field for cloud connector name during creation. + maxLength: 255 + minLength: 1 + nullable: true + type: string + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this integration to its inputs.' 
+ type: string + description: + description: Package policy description + type: string + enabled: + type: boolean + force: + description: Force package policy creation even if the package is not verified, or if the agent policy is managed. + type: boolean + global_data_tags: + items: + additionalProperties: false + type: object + properties: + name: + description: The name of the custom field. Cannot contain spaces. + type: string + value: + anyOf: + - type: string + - type: number + description: The value of the custom field. + required: + - name + - value + maxItems: 100 + nullable: true + type: array + id: + description: Package policy unique identifier + type: string + inputs: + items: + additionalProperties: false + type: object + properties: + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' + type: string + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + name: + type: string + policy_template: + type: string + streams: + items: + additionalProperties: false + type: object + properties: + compiled_stream: + nullable: true + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' 
+ type: string + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + data_stream: + additionalProperties: false + type: object + properties: + dataset: + type: string + elasticsearch: + additionalProperties: false + type: object + properties: + dynamic_dataset: + type: boolean + dynamic_namespace: + type: boolean + privileges: + additionalProperties: false + type: object + properties: + indices: + items: + type: string + maxItems: 100 + type: array + type: + type: string + required: + - dataset + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + release: + enum: + - ga + - beta + - experimental + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - enabled + - data_stream + - compiled_stream + maxItems: 1000 + type: array + type: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. 
+ type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - type + - enabled + maxItems: 1000 + type: array + is_managed: + type: boolean + name: + description: Unique name for the package policy. + type: string + namespace: + description: The package policy namespace. Leave blank to inherit the agent policy's namespace. + type: string + output_id: + nullable: true + type: string + overrides: + additionalProperties: false + description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. + nullable: true + type: object + properties: + inputs: + additionalProperties: + nullable: true + type: object + package: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_package' + package_agent_version_condition: + type: string + policy_id: + deprecated: true + description: ID of the agent policy which the package policy will be added to. + nullable: true + type: string + policy_ids: + items: + description: IDs of the agent policies that the package policy will be added to. + type: string + maxItems: 1000 + type: array + spaceIds: + items: + type: string + maxItems: 100 + type: array + supports_agentless: + default: false + deprecated: true + description: Indicates whether the package policy belongs to an agentless agent policy. Deprecated in favor of the Fleet agentless policies API. + nullable: true + type: boolean + supports_cloud_connector: + default: false + description: Indicates whether the package policy supports cloud connectors. + nullable: true + type: boolean + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. 
Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - name + - inputs + title: create_package_policy_request + type: object + Kibana_HTTP_APIs_create_package_policy_response: + additionalProperties: false + properties: + item: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_response' + required: + - item + title: create_package_policy_response + type: object + Kibana_HTTP_APIs_cumulativeSumOperation: + additionalProperties: false + properties: + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - cumulative_sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Cumulative Sum Operation + type: object + Kibana_HTTP_APIs_customFormat: + additionalProperties: false + description: Custom format using a Kibana field format pattern string. + properties: + pattern: + description: Kibana field format pattern string. 
+ type: string + type: + enum: + - custom + type: string + required: + - type + - pattern + title: Custom Format + type: object + Kibana_HTTP_APIs_datasetquality-degradeddocs-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_alert_delay' + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false type: object properties: - body: - description: The error message. - example: update timeline error + id: type: string - statusCode: - example: 405 - type: number - description: >- - Indicates that the user does not have the required access to create - a Timeline. - summary: Update a Timeline - tags: - - Security Timeline API - - access:securitySolution - post: - description: Create a new Timeline or Timeline template. - operationId: CreateTimelines - requestBody: - content: - application/json: - examples: - createDefault: - summary: Create a default timeline - value: - timeline: - status: active - timelineType: default - title: Malware containment - schema: + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false type: object properties: - status: - $ref: '#/components/schemas/Security_Timeline_API_TimelineStatus' - nullable: true - templateTimelineId: - description: A unique identifier for the Timeline template. - example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 - nullable: true - type: string - templateTimelineVersion: - description: Timeline template version number. - example: 12 - nullable: true - type: number - timeline: - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' - timelineId: - description: A unique identifier for the Timeline. 
- example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 - nullable: true - type: string - timelineType: - $ref: '#/components/schemas/Security_Timeline_API_TimelineType' - nullable: true - version: - nullable: true + blob: + maxLength: 10000 type: string required: - - timeline - description: >- - The required Timeline fields used to create a new Timeline, along with - optional fields that will be created if not provided. - required: true - responses: - '200': - content: - application/json: - examples: - created: - summary: Created timeline - value: - savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - status: active - timelineType: default - title: Malware containment - version: WzE0LDFd - schema: - $ref: >- - #/components/schemas/Security_Timeline_API_PersistTimelineResponse - description: Indicates a successful call. - '405': - content: - application/json: - examples: - error: - summary: Error body - value: - body: update timeline error - statusCode: 405 - schema: - type: object - properties: - body: - description: The error message - example: update timeline error - type: string - statusCode: - example: 405 - type: number - description: Indicates that there was an error in the Timeline creation. - summary: Create a Timeline or Timeline template - tags: - - Security Timeline API - - access:securitySolution - /api/timeline/_copy: - post: - description: | - Copies and returns a timeline or timeline template. - operationId: CopyTimeline - requestBody: - content: - application/json: - examples: - copyWithTitle: - summary: Copy with a new title - value: - timeline: - timelineType: default - title: Copy of investigation - timelineIdToCopy: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - schema: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' 
+ type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the degraded docs rule. These parameters are appropriate when `rule_type_id` is `datasetQuality.degradedDocs`. + properties: + comparator: + type: string + groupBy: + items: + type: string + type: array + searchConfiguration: + additionalProperties: false type: object properties: - timeline: - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' - timelineIdToCopy: - description: >- - The `savedObjectId` of the timeline or template to - duplicate. + index: type: string required: - - timeline - - timelineIdToCopy - description: >- - Source timeline id to copy plus timeline fields for the new saved - object. 
- required: true - responses: - '200': - content: - application/json: - examples: - copied: - summary: Newly saved timeline - value: - savedObjectId: 6ce1b592-84e3-4b4a-9552-f189d4b82075 - status: active - timelineType: default - title: Copy of investigation - version: WzE1LDFd - schema: - $ref: >- - #/components/schemas/Security_Timeline_API_PersistTimelineResponse - description: Indicates a successful call. - summary: Copies timeline or timeline template - tags: - - Security Timeline API - - access:securitySolution - /api/timeline/_draft: - get: - description: >- - Get the details of the draft Timeline or Timeline template for the - current user. If the user doesn't have a draft Timeline, an empty - Timeline is returned. - operationId: GetDraftTimelines - parameters: - - description: >- - Which draft to load (`default` investigation timeline or `template` - timeline template). - in: query - name: timelineType - required: true - schema: - $ref: '#/components/schemas/Security_Timeline_API_TimelineType' - responses: - '200': - content: - application/json: - examples: - draftPayload: - summary: Draft timeline payload - value: - savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - status: draft - timelineType: default - title: '' - version: WzE0LDFd - schema: - $ref: >- - #/components/schemas/Security_Timeline_API_PersistTimelineResponse - description: Indicates a successful call. 
- '403': - content: - application/json: - examples: - forbidden: - summary: Permission denied - value: - message: Forbidden - status_code: 403 - schema: - type: object + - index + threshold: + items: + type: number + type: array + timeSize: + type: number + timeUnit: + type: string + required: + - timeUnit + - timeSize + - threshold + - comparator + - searchConfiguration + title: Degraded Docs Rule Params + type: object + rule_type_id: + enum: + - datasetQuality.degradedDocs + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Degraded docs + type: object + Kibana_HTTP_APIs_datatableDensity: + additionalProperties: false + description: Density configuration for the datatable. 
+ properties: + height: + additionalProperties: false + type: object + properties: + header: + anyOf: + - additionalProperties: false + type: object + properties: + type: + enum: + - auto + type: string + required: + - type + - additionalProperties: false + type: object + properties: + max_lines: + default: 3 + maximum: 5 + minimum: 1 + type: number + type: + enum: + - custom + type: string + required: + - type + description: Number of lines before the header is truncated. + value: + anyOf: + - additionalProperties: false + type: object + properties: + type: + enum: + - auto + type: string + required: + - type + - additionalProperties: false + type: object + properties: + lines: + default: 1 + maximum: 20 + minimum: 1 + type: number + type: + enum: + - custom + type: string + required: + - type + description: Number of lines to display per table body cell. + mode: + description: Display density mode. + enum: + - compact + - default + - expanded + type: string + title: datatableDensity + type: object + Kibana_HTTP_APIs_datatableESQL: + additionalProperties: false + description: Datatable state configuration for ES|QL queries + properties: + data_source: + $ref: '#/components/schemas/Kibana_HTTP_APIs_esqlDataSource' + description: + type: string + drilldowns: + items: + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true properties: - message: + dashboard_id: type: string - status_code: - type: number - description: >- - If a draft Timeline was not found and we attempted to create one, it - indicates that the user does not have the required permissions to - create a draft Timeline. - '409': - content: - application/json: - examples: - conflict: - summary: Draft conflict - value: - message: Conflict - status_code: 409 - schema: + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. 
+ type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. + type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown type: object + - additionalProperties: false properties: - message: + label: type: string - status_code: - type: number - description: >- - This should never happen, but if a draft Timeline was not found and - we attempted to create one, it indicates that there is already a - draft Timeline with the given `timelineId`. - summary: Get draft Timeline or Timeline template details - tags: - - Security Timeline API - - access:securitySolution - post: - description: > - Create a clean draft Timeline or Timeline template for the current user. - - > info - - > If the user already has a draft Timeline, the existing draft Timeline - is cleared and returned. - operationId: CleanDraftTimelines - requestBody: - content: - application/json: - examples: - defaultDraft: - summary: Create a default draft timeline - value: - timelineType: default - schema: - type: object - properties: - timelineType: - $ref: '#/components/schemas/Security_Timeline_API_TimelineType' - required: - - timelineType - description: >- - The type of Timeline to create. Valid values are `default` and - `template`. 
- required: true - responses: - '200': - content: - application/json: - examples: - draftResponse: - summary: Draft after reset or creation - value: - savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - status: draft - templateTimelineId: null - templateTimelineVersion: null - timelineType: default - title: '' - version: WzE0LDFd - schema: - $ref: >- - #/components/schemas/Security_Timeline_API_PersistTimelineResponse - description: Indicates a successful call. - '403': - content: - application/json: - examples: - forbidden: - summary: Permission denied - value: - message: Forbidden - status_code: 403 - schema: + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown type: object + - additionalProperties: false properties: - message: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: type: string - status_code: - type: number - description: >- - Indicates that the user does not have the required permissions to - create a draft Timeline. - '409': - content: - application/json: - examples: - conflict: - summary: Draft conflict - value: - message: Conflict - status_code: 409 - schema: + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. 
Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown type: object + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + hide_border: + type: boolean + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. + type: boolean + metrics: + description: Array of metrics to display as columns in the datatable + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableESQLMetric' + maxItems: 1000 + minItems: 1 + type: array + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + rows: + description: Array of operations to split the datatable rows by + items: + additionalProperties: false + type: object + properties: + alignment: + description: Alignment of the rows. + enum: + - left + - center + - right + type: string + apply_color_to: + description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' + enum: + - value + - background + - badge + type: string + click_filter: + description: When `true`, enables one-click filtering on cell values. + type: boolean + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for ESQL datatable rows. Use dynamic coloring for numeric data and categorical/gradient mode for categorical data. 
+ column: + description: Column to use + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + visible: + description: When `false`, hides the column from the datatable. + type: boolean + width: + description: Column width in pixels. + minimum: 0 + type: number + required: + - column + maxItems: 50 + minItems: 1 + type: array + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). + maximum: 1 + minimum: 0 + type: number + split_metrics_by: + description: Array of operations to split the metric columns by + items: + additionalProperties: false + type: object + properties: + column: + description: Column to use + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + required: + - column + maxItems: 20 + minItems: 1 + type: array + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableStyling' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + type: + enum: + - data_table + type: string + required: + - type + - data_source + title: Datatable (ES|QL) + type: object + Kibana_HTTP_APIs_datatableESQLMetric: + additionalProperties: false + properties: + alignment: + description: Alignment of the columns. + enum: + - left + - center + - right + type: string + apply_color_to: + description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' + enum: + - value + - background + - badge + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for datatable metrics. 
Use dynamic coloring for numeric data and categorical/gradient mode for categorical data. + column: + description: Column to use + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + summary: + additionalProperties: false + description: Summary row configuration + type: object + properties: + label: + description: Summary row label. + type: string + type: + description: Type of summary function to apply to the column. + enum: + - sum + - avg + - count + - min + - max + type: string + required: + - type + visible: + description: When `false`, hides the column from the datatable. + type: boolean + width: + description: Column width in pixels. + minimum: 0 + type: number + required: + - column + title: Datatable Metric (ES|QL) + type: object + Kibana_HTTP_APIs_datatableMetricCounterRate: + additionalProperties: false + properties: + alignment: + description: Alignment of the columns. + enum: + - left + - center + - right + type: string + apply_color_to: + description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' + enum: + - value + - background + - badge + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for datatable metrics. Use dynamic coloring for numeric data and categorical/gradient mode for categorical data. 
+ field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - counter_rate + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + summary: + additionalProperties: false + description: Summary row configuration + type: object + properties: + label: + description: Summary row label. + type: string + type: + description: Type of summary function to apply to the column. + enum: + - sum + - avg + - count + - min + - max + type: string + required: + - type + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + visible: + description: When `false`, hides the column from the datatable. + type: boolean + width: + description: Column width in pixels. + minimum: 0 + type: number + required: + - field + - operation + title: Counter Rate Operation + type: object + Kibana_HTTP_APIs_datatableMetricCountMetric: + additionalProperties: false + properties: + alignment: + description: Alignment of the columns. + enum: + - left + - center + - right + type: string + apply_color_to: + description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' + enum: + - value + - background + - badge + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for datatable metrics. Use dynamic coloring for numeric data and categorical/gradient mode for categorical data. 
+ empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. + type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + summary: + additionalProperties: false + description: Summary row configuration + type: object + properties: + label: + description: Summary row label. + type: string + type: + description: Type of summary function to apply to the column. + enum: + - sum + - avg + - count + - min + - max + type: string + required: + - type + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + visible: + description: When `false`, hides the column from the datatable. + type: boolean + width: + description: Column width in pixels. + minimum: 0 + type: number + required: + - operation + title: Count Metric Operation + type: object + Kibana_HTTP_APIs_datatableMetricCumulativeSum: + additionalProperties: false + properties: + alignment: + description: Alignment of the columns. + enum: + - left + - center + - right + type: string + apply_color_to: + description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' + enum: + - value + - background + - badge + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for datatable metrics. 
Use dynamic coloring for numeric data and categorical/gradient mode for categorical data. + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - cumulative_sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + summary: + additionalProperties: false + description: Summary row configuration + type: object + properties: + label: + description: Summary row label. + type: string + type: + description: Type of summary function to apply to the column. + enum: + - sum + - avg + - count + - min + - max + type: string + required: + - type + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + visible: + description: When `false`, hides the column from the datatable. + type: boolean + width: + description: Column width in pixels. + minimum: 0 + type: number + required: + - field + - operation + title: Cumulative Sum Operation + type: object + Kibana_HTTP_APIs_datatableMetricDifferences: + additionalProperties: false + properties: + alignment: + description: Alignment of the columns. + enum: + - left + - center + - right + type: string + apply_color_to: + description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' + enum: + - value + - background + - badge + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for datatable metrics. 
Use dynamic coloring for numeric data and categorical/gradient mode for categorical data. + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - differences + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + summary: + additionalProperties: false + description: Summary row configuration + type: object + properties: + label: + description: Summary row label. + type: string + type: + description: Type of summary function to apply to the column. + enum: + - sum + - avg + - count + - min + - max + type: string + required: + - type + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + visible: + description: When `false`, hides the column from the datatable. + type: boolean + width: + description: Column width in pixels. + minimum: 0 + type: number + required: + - operation + - of + title: Differences Operation + type: object + Kibana_HTTP_APIs_datatableMetricFormula: + additionalProperties: false + properties: + alignment: + description: Alignment of the columns. + enum: + - left + - center + - right + type: string + apply_color_to: + description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' + enum: + - value + - background + - badge + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for datatable metrics. 
Use dynamic coloring for numeric data and categorical/gradient mode for categorical data. + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + formula: + description: Formula + type: string + label: + description: Label for the operation + type: string + operation: + enum: + - formula + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + summary: + additionalProperties: false + description: Summary row configuration + type: object + properties: + label: + description: Summary row label. + type: string + type: + description: Type of summary function to apply to the column. + enum: + - sum + - avg + - count + - min + - max + type: string + required: + - type + time_scale: + description: Time scale + enum: + - s + - m + - h + - d + type: string + visible: + description: When `false`, hides the column from the datatable. + type: boolean + width: + description: Column width in pixels. + minimum: 0 + type: number + required: + - operation + - formula + title: Formula Operation + type: object + Kibana_HTTP_APIs_datatableMetricLastValue: + additionalProperties: false + properties: + alignment: + description: Alignment of the columns. + enum: + - left + - center + - right + type: string + apply_color_to: + description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' + enum: + - value + - background + - badge + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for datatable metrics. Use dynamic coloring for numeric data and categorical/gradient mode for categorical data. 
+ field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + multi_value: + default: false + description: Whether to return all values for multi-value fields. Only affects data table and metric charts; other charts use the last value from the array. + type: boolean + operation: + enum: + - last_value + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + summary: + additionalProperties: false + description: Summary row configuration + type: object + properties: + label: + description: Summary row label. + type: string + type: + description: Type of summary function to apply to the column. + enum: + - sum + - avg + - count + - min + - max + type: string + required: + - type + time_field: + description: Time field used to determine document recency + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + visible: + description: When `false`, hides the column from the datatable. + type: boolean + width: + description: Column width in pixels. + minimum: 0 + type: number + required: + - field + - operation + - time_field + title: Last Value Operation + type: object + Kibana_HTTP_APIs_datatableMetricMovingAverage: + additionalProperties: false + properties: + alignment: + description: Alignment of the columns. + enum: + - left + - center + - right + type: string + apply_color_to: + description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' 
+ enum: + - value + - background + - badge + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for datatable metrics. Use dynamic coloring for numeric data and categorical/gradient mode for categorical data. + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - moving_average + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + summary: + additionalProperties: false + description: Summary row configuration + type: object + properties: + label: + description: Summary row label. + type: string + type: + description: Type of summary function to apply to the column. + enum: + - sum + - avg + - count + - min + - max + type: string + required: + - type + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + visible: + description: When `false`, hides the column from the datatable. + type: boolean + width: + description: Column width in pixels. + minimum: 0 + type: number + window: + default: 5 + description: Window + type: number + required: + - operation + - of + title: Moving Average Operation + type: object + Kibana_HTTP_APIs_datatableMetricPercentile: + additionalProperties: false + properties: + alignment: + description: Alignment of the columns. 
+ enum: + - left + - center + - right + type: string + apply_color_to: + description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' + enum: + - value + - background + - badge + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for datatable metrics. Use dynamic coloring for numeric data and categorical/gradient mode for categorical data. + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - percentile + type: string + percentile: + default: 95 + description: Percentile + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + summary: + additionalProperties: false + description: Summary row configuration + type: object + properties: + label: + description: Summary row label. + type: string + type: + description: Type of summary function to apply to the column. + enum: + - sum + - avg + - count + - min + - max + type: string + required: + - type + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + visible: + description: When `false`, hides the column from the datatable. + type: boolean + width: + description: Column width in pixels. 
+ minimum: 0 + type: number + required: + - field + - operation + title: Percentile Operation + type: object + Kibana_HTTP_APIs_datatableMetricPercentileRanks: + additionalProperties: false + properties: + alignment: + description: Alignment of the columns. + enum: + - left + - center + - right + type: string + apply_color_to: + description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' + enum: + - value + - background + - badge + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for datatable metrics. Use dynamic coloring for numeric data and categorical/gradient mode for categorical data. + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - percentile_rank + type: string + rank: + default: 0 + description: Percentile Rank + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + summary: + additionalProperties: false + description: Summary row configuration + type: object + properties: + label: + description: Summary row label. + type: string + type: + description: Type of summary function to apply to the column. + enum: + - sum + - avg + - count + - min + - max + type: string + required: + - type + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + visible: + description: When `false`, hides the column from the datatable. 
+ type: boolean + width: + description: Column width in pixels. + minimum: 0 + type: number + required: + - field + - operation + title: Percentile Ranks Operation + type: object + Kibana_HTTP_APIs_datatableMetricStatsMetric: + additionalProperties: false + properties: + alignment: + description: Alignment of the columns. + enum: + - left + - center + - right + type: string + apply_color_to: + description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' + enum: + - value + - background + - badge + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for datatable metrics. Use dynamic coloring for numeric data and categorical/gradient mode for categorical data. + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - min + - max + - average + - median + - standard_deviation + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + summary: + additionalProperties: false + description: Summary row configuration + type: object + properties: + label: + description: Summary row label. + type: string + type: + description: Type of summary function to apply to the column. 
+ enum: + - sum + - avg + - count + - min + - max + type: string + required: + - type + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + visible: + description: When `false`, hides the column from the datatable. + type: boolean + width: + description: Column width in pixels. + minimum: 0 + type: number + required: + - field + - operation + title: Stats Metric Operation + type: object + Kibana_HTTP_APIs_datatableMetricSumMetric: + additionalProperties: false + properties: + alignment: + description: Alignment of the columns. + enum: + - left + - center + - right + type: string + apply_color_to: + description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' + enum: + - value + - background + - badge + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for datatable metrics. Use dynamic coloring for numeric data and categorical/gradient mode for categorical data. + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. + type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + summary: + additionalProperties: false + description: Summary row configuration + type: object + properties: + label: + description: Summary row label. 
+ type: string + type: + description: Type of summary function to apply to the column. + enum: + - sum + - avg + - count + - min + - max + type: string + required: + - type + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + visible: + description: When `false`, hides the column from the datatable. + type: boolean + width: + description: Column width in pixels. + minimum: 0 + type: number + required: + - field + - operation + title: Sum Metric Operation + type: object + Kibana_HTTP_APIs_datatableMetricUniqueCountMetric: + additionalProperties: false + properties: + alignment: + description: Alignment of the columns. + enum: + - left + - center + - right + type: string + apply_color_to: + description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' + enum: + - value + - background + - badge + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for datatable metrics. Use dynamic coloring for numeric data and categorical/gradient mode for categorical data. + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - unique_count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + summary: + additionalProperties: false + description: Summary row configuration + type: object + properties: + label: + description: Summary row label. + type: string + type: + description: Type of summary function to apply to the column. + enum: + - sum + - avg + - count + - min + - max + type: string + required: + - type + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + visible: + description: When `false`, hides the column from the datatable. + type: boolean + width: + description: Column width in pixels. + minimum: 0 + type: number + required: + - field + - operation + title: Unique Count Metric Operation + type: object + Kibana_HTTP_APIs_datatableNoESQL: + additionalProperties: false + description: Datatable state configuration for standard queries + properties: + data_source: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' + description: + type: string + drilldowns: + items: + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true properties: - message: + dashboard_id: type: string - status_code: - type: number - description: >- - Indicates that there is already a draft Timeline with the given - `timelineId`. 
- summary: Create a clean draft Timeline or Timeline template - tags: - - Security Timeline API - - access:securitySolution - /api/timeline/_export: - post: - description: Export Timelines as an NDJSON file. - operationId: ExportTimelines - parameters: - - description: The name of the file to export - in: query - name: file_name - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - exportIds: - summary: Export by timeline ids - value: - ids: - - 15c1929b-0af7-42bd-85a8-56e234cc7c4e - schema: - type: object - properties: - ids: - items: + label: type: string - maxItems: 1000 - minItems: 1 - nullable: true - type: array - description: The IDs of the Timelines to export. - required: true - responses: - '200': - content: - application/ndjson: - examples: - ndjsonLine: - summary: Single NDJSON line - value: >- - {"savedObjectId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e","version":"WzE0LDFd","title":"Investigation","timelineType":"default"} - schema: - description: NDJSON of the exported Timelines - type: string - description: Indicates a successful call. - '400': - content: - application/ndjson: - examples: - badRequest: - summary: Export error - value: - body: Export limit exceeded - statusCode: 400 - schema: - type: object - properties: - body: + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter type: string - statusCode: - type: number - description: Bad Request response. - summary: Export Timelines - tags: - - Security Timeline API - - access:securitySolution - /api/timeline/_favorite: - patch: - description: Favorite a Timeline or Timeline template for the current user. 
- operationId: PersistFavoriteRoute - requestBody: - content: - application/json: - examples: - favoriteDefault: - summary: Favorite a default timeline - value: - templateTimelineId: null - templateTimelineVersion: null - timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - timelineType: default - schema: - type: object - properties: - templateTimelineId: - nullable: true - type: string - templateTimelineVersion: - nullable: true - type: number - timelineId: - nullable: true - type: string - timelineType: - $ref: '#/components/schemas/Security_Timeline_API_TimelineType' - nullable: true - required: - - timelineId - - templateTimelineId - - templateTimelineVersion - - timelineType - description: The required fields used to favorite a (template) Timeline. - required: true - responses: - '200': - content: - application/json: - examples: - favoriteResponse: - summary: Favorite metadata updated - value: - favorite: - - favoriteDate: 1741337636741 - userName: elastic - savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - timelineType: default - version: WzE2LDFd - schema: - $ref: >- - #/components/schemas/Security_Timeline_API_FavoriteTimelineResponse - description: Indicates a successful call. - '403': - content: - application/json: - examples: - forbidden: - summary: Forbidden - value: - body: Forbidden - statusCode: 403 - schema: - type: object - properties: - body: + type: + enum: + - dashboard_drilldown type: string - statusCode: - type: number - description: >- - Indicates the user does not have the required permissions to persist - the favorite status. - summary: Favorite a Timeline or Timeline template - tags: - - Security Timeline API - - access:securitySolution - /api/timeline/_import: - post: - description: Import Timelines. 
- operationId: ImportTimelines - requestBody: - content: - application/json: - examples: - multipartPlaceholder: - summary: Request shape (file is a stream of NDJSON lines at runtime) - value: - file: >- - {"savedObjectId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e","version":"WzE0LDFd"}\n - isImmutable: 'false' - schema: - type: object - properties: - file: {} - isImmutable: - description: Whether the Timeline should be immutable - enum: - - 'true' - - 'false' - type: string - required: - - file - description: The Timelines to import as a readable stream. - required: true - responses: - '200': - content: - application/json: - examples: - importSummary: - summary: Import summary - value: - errors: [] - success: true - success_count: 5 - timelines_installed: 3 - timelines_updated: 2 - schema: - $ref: >- - #/components/schemas/Security_Timeline_API_ImportTimelineResult - description: Indicates a successful call. - '400': - content: - application/json: - examples: - badRequest: - summary: Invalid import - value: - body: Invalid file extension - statusCode: 400 - schema: + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. + type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown type: object + - additionalProperties: false properties: - body: - description: The error message - example: Invalid file extension + label: type: string - statusCode: - example: 400 - type: number - description: Bad Request response. 
- '404': - content: - application/json: - examples: - notFound: - summary: Saved objects client missing - value: - body: Unable to find saved object client - statusCode: 404 - schema: - type: object - properties: - body: - description: The error message - example: Unable to find saved object client + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter type: string - statusCode: - example: 404 - type: number - description: Not found response. - '409': - content: - application/json: - examples: - conflict: - summary: Import conflict - value: - body: Could not import timelines - statusCode: 409 - schema: - type: object - properties: - body: - description: The error message - example: Could not import timelines + type: + enum: + - discover_drilldown type: string - statusCode: - example: 409 - type: number - description: Indicates the import of Timelines was unsuccessful. - summary: Import Timelines - tags: - - Security Timeline API - - access:securitySolution - /api/timeline/_prepackaged: - post: - description: Install or update prepackaged Timelines. - operationId: InstallPrepackedTimelines - requestBody: - content: - application/json: - examples: - emptyArrays: - summary: Installer payload shape - value: - prepackagedTimelines: [] - timelinesToInstall: [] - timelinesToUpdate: [] - schema: - type: object - properties: - prepackagedTimelines: - items: - $ref: >- - #/components/schemas/Security_Timeline_API_TimelineSavedToReturnObject - nullable: true - type: array - timelinesToInstall: - items: - $ref: '#/components/schemas/Security_Timeline_API_ImportTimelines' - nullable: true - type: array - timelinesToUpdate: - items: - $ref: '#/components/schemas/Security_Timeline_API_ImportTimelines' - nullable: true - type: array - required: - - timelinesToInstall - - timelinesToUpdate - - prepackagedTimelines - description: The Timelines to install or update. 
- required: true - responses: - '200': - content: - application/json: - examples: - installResult: - summary: Install result counts - value: - errors: [] - success: true - success_count: 10 - timelines_installed: 8 - timelines_updated: 2 - schema: - $ref: >- - #/components/schemas/Security_Timeline_API_ImportTimelineResult - description: Indicates a successful call. - '500': - content: - application/json: - examples: - serverError: - summary: Server error - value: - body: Internal error - statusCode: 500 - schema: + required: + - label + - trigger + - type + title: discover_drilldown type: object + - additionalProperties: false properties: - body: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: type: string - statusCode: - type: number - description: >- - Indicates the installation of prepackaged Timelines was - unsuccessful. - summary: Install prepackaged Timelines - tags: - - Security Timeline API - - access:securitySolution - /api/timeline/resolve: - get: - description: >- - Resolve a Timeline or Timeline template, surfacing outcomes such as - `exactMatch`, `aliasMatch`, or `conflict` when object IDs have been - remapped during upgrades or imports. Provide **either** `id` for default - Timelines or `template_timeline_id` for templates. 
- operationId: ResolveTimeline - parameters: - - description: The ID of the template timeline to resolve - in: query - name: template_timeline_id - schema: - type: string - - description: The ID of the timeline to resolve - in: query - name: id - schema: - type: string - responses: - '200': - content: - application/json: - examples: - exactMatch: - description: Timeline resolved without alias or conflict - summary: Exact match outcome - value: - outcome: exactMatch - timeline: - savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - timelineType: default - title: Investigation - schema: - $ref: '#/components/schemas/Security_Timeline_API_ResolvedTimeline' - description: Indicates a successful call. - '400': - content: - application/json: - examples: - badRequest: - summary: Bad request - value: {} - schema: - additionalProperties: true - type: object - description: Bad Request response. - '404': - content: - application/json: - examples: - notFound: - summary: Not found - value: {} - schema: - additionalProperties: true + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown type: object - description: The (template) Timeline was not found - summary: Resolve a Timeline or Timeline template - tags: - - Security Timeline API - - access:securitySolution - /api/timelines: - get: - description: Get a list of all saved Timelines or Timeline templates. - operationId: GetTimelines - parameters: - - description: >- - If `true`, only Timelines that the current user has marked as - favorite are returned. 
- in: query - name: only_user_favorite - schema: - enum: - - 'true' - - 'false' - nullable: true + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + hide_border: + type: boolean + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. + type: boolean + metrics: + description: Array of metrics to display as columns in the datatable + items: + anyOf: + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableMetricCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableMetricUniqueCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableMetricStatsMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableMetricSumMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableMetricLastValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableMetricPercentile' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableMetricPercentileRanks' + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableMetricDifferences' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableMetricMovingAverage' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableMetricCumulativeSum' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableMetricCounterRate' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableMetricFormula' + maxItems: 1000 + minItems: 1 + type: array + query: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + rows: + description: Array of operations to split the datatable rows by + items: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableRowDateHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableRowTerms' + - $ref: 
'#/components/schemas/Kibana_HTTP_APIs_datatableRowHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableRowRanges' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableRowFilters' + maxItems: 50 + minItems: 1 + type: array + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). + maximum: 1 + minimum: 0 + type: number + split_metrics_by: + description: Array of operations to split the metric columns by + items: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_dateHistogramOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_histogramOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rangesOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_filtersOperation' + description: Breakdown dimension configuration using date histogram, terms, numeric histogram, value ranges, or custom filters. + title: Breakdown Operation + maxItems: 20 + minItems: 1 + type: array + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableStyling' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + type: + enum: + - data_table + type: string + required: + - type + - data_source + - metrics + title: Datatable (DSL) + type: object + Kibana_HTTP_APIs_datatableRowDateHistogram: + additionalProperties: false + properties: + alignment: + description: Alignment of the rows. + enum: + - left + - center + - right + type: string + apply_color_to: + description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' + enum: + - value + - background + - badge + type: string + click_filter: + description: When `true`, enables one-click filtering on cell values. 
+ type: boolean + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + drop_partial_intervals: + description: When `true`, drops partial intervals from the results. + type: boolean + field: + description: Field to be used for the date histogram. + type: string + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. + type: boolean + label: + description: Label for the operation + type: string + operation: + enum: + - date_histogram + type: string + suggested_interval: + default: auto + description: Suggested time interval. + type: string + use_original_time_range: + default: false + description: When `true`, uses the original time range instead of the current query time range. + type: boolean + visible: + description: When `false`, hides the column from the datatable. + type: boolean + width: + description: Column width in pixels. + minimum: 0 + type: number + required: + - operation + - field + title: Date Histogram Operation + type: object + Kibana_HTTP_APIs_datatableRowFilters: + additionalProperties: false + properties: + alignment: + description: Alignment of the rows. + enum: + - left + - center + - right + type: string + apply_color_to: + description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' + enum: + - value + - background + - badge + type: string + click_filter: + description: When `true`, enables one-click filtering on cell values. 
+ type: boolean + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + filters: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterWithLabel' + maxItems: 100 + type: array + label: + description: Label for the operation + type: string + operation: + enum: + - filters + type: string + visible: + description: When `false`, hides the column from the datatable. + type: boolean + width: + description: Column width in pixels. + minimum: 0 + type: number + required: + - operation + - filters + title: Filters Operation + type: object + Kibana_HTTP_APIs_datatableRowHistogram: + additionalProperties: false + properties: + alignment: + description: Alignment of the rows. + enum: + - left + - center + - right + type: string + apply_color_to: + description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' + enum: + - value + - background + - badge + type: string + click_filter: + description: When `true`, enables one-click filtering on cell values. + type: boolean + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the histogram. + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + granularity: + anyOf: + - description: Granularity of the histogram. + maximum: 7 + minimum: 1 + type: number + - enum: + - auto + type: string + default: auto + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. 
+ type: boolean + label: + description: Label for the operation + type: string + operation: + enum: + - histogram + type: string + visible: + description: When `false`, hides the column from the datatable. + type: boolean + width: + description: Column width in pixels. + minimum: 0 + type: number + required: + - operation + - field + title: Histogram Operation + type: object + Kibana_HTTP_APIs_datatableRowRanges: + additionalProperties: false + properties: + alignment: + description: Alignment of the rows. + enum: + - left + - center + - right + type: string + apply_color_to: + description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' + enum: + - value + - background + - badge + type: string + click_filter: + description: When `true`, enables one-click filtering on cell values. + type: boolean + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the range. + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - range + type: string + ranges: + items: + additionalProperties: false + type: object + properties: + gt: + description: Greater than. + type: number + label: + description: Label. + type: string + lte: + description: Less than or equal to. + type: number + maxItems: 100 + type: array + visible: + description: When `false`, hides the column from the datatable. + type: boolean + width: + description: Column width in pixels. + minimum: 0 + type: number + required: + - operation + - field + - ranges + title: Ranges Operation + type: object + Kibana_HTTP_APIs_datatableRowTerms: + additionalProperties: false + properties: + alignment: + description: Alignment of the rows. 
+ enum: + - left + - center + - right + type: string + apply_color_to: + description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' + enum: + - value + - background + - badge + type: string + click_filter: + description: When `true`, enables one-click filtering on cell values. + type: boolean + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + excludes: + additionalProperties: false + type: object + properties: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to exclude. + type: string + maxItems: 100 + type: array + required: + - values + fields: + items: + description: Fields to be used for the terms. type: string - - description: >- - Restrict results to `default` investigation timelines or `template` - timeline templates. - in: query - name: timeline_type - schema: - $ref: '#/components/schemas/Security_Timeline_API_TimelineType' - nullable: true - - description: >- - Field used to sort the list (`title`, `description`, `updated`, or - `created`). - in: query - name: sort_field - schema: - $ref: '#/components/schemas/Security_Timeline_API_SortFieldTimeline' - - description: Whether to sort the results `ascending` or `descending` - in: query - name: sort_order - schema: - enum: - - asc - - desc + maxItems: 4 + minItems: 1 + type: array + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + includes: + additionalProperties: false + type: object + properties: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to include. 
+ type: string + maxItems: 100 + type: array + required: + - values + increase_accuracy: + description: When `true`, increases accuracy at the cost of performance. + type: boolean + label: + description: Label for the operation + type: string + limit: + default: 5 + description: Number of terms to return. + type: number + operation: + enum: + - terms + type: string + other_bucket: + additionalProperties: false + type: object + properties: + include_documents_without_field: + description: When `true`, includes documents that do not have the specified field. + type: boolean + required: + - include_documents_without_field + rank_by: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByAlphabetical' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByRare' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankBySignificant' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomCountOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileRankOperation' + visible: + description: When `false`, hides the column from the datatable. + type: boolean + width: + description: Column width in pixels. + minimum: 0 + type: number + required: + - operation + - fields + title: Terms Operation + type: object + Kibana_HTTP_APIs_datatableStyling: + additionalProperties: false + description: Visual chart styling options + properties: + density: + $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableDensity' + paging: + description: Rows per page. When set, pagination is enabled with the specified number of rows. 
+ enum: + - 10 + - 20 + - 30 + - 50 + - 100 + type: integer + row_numbers: + additionalProperties: false + description: Configuration for row numbers + type: object + properties: + visible: + description: When `true`, displays row numbers. + type: boolean + required: + - visible + sort_by: + anyOf: + - additionalProperties: false + description: Sort by a metric or row column + type: object + properties: + column_type: + description: Type of column to sort by. + enum: + - metric + - row + type: string + direction: + $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_direction' + index: + description: Index of the column or row to sort by (0-based). + minimum: 0 + type: number + required: + - column_type + - index + - direction + - additionalProperties: false + description: Sort by a pivoted metric column (created when metrics are pivoted by split_metrics_by) + type: object + properties: + column_type: + enum: + - pivoted_metric + type: string + direction: + $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_direction' + index: + description: 0-based index into the "metrics" array for the metric to sort; use "values" to identify the pivoted column + minimum: 0 + type: number + values: + description: Array of pivot values, one for each split_metrics_by column in order + items: + type: string + maxItems: 20 + minItems: 1 + type: array + required: + - column_type + - index + - values + - direction + description: Sorting configuration. Only one column can be sorted at a time. Use "column_type" to specify the column type. + title: Datatable styling + type: object + Kibana_HTTP_APIs_dateHistogramOperation: + additionalProperties: false + properties: + drop_partial_intervals: + description: When `true`, drops partial intervals from the results. + type: boolean + field: + description: Field to be used for the date histogram. + type: string + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. 
+ type: boolean + label: + description: Label for the operation + type: string + operation: + enum: + - date_histogram + type: string + suggested_interval: + default: auto + description: Suggested time interval. + type: string + use_original_time_range: + default: false + description: When `true`, uses the original time range instead of the current query time range. + type: boolean + required: + - operation + - field + title: Date Histogram Operation + type: object + Kibana_HTTP_APIs_delete_agent_policy_request: + additionalProperties: false + properties: + agentPolicyId: + description: The ID of the agent policy + type: string + force: + description: bypass validation checks that can prevent agent policy deletion + type: boolean + required: + - agentPolicyId + title: delete_agent_policy_request + type: object + Kibana_HTTP_APIs_delete_agent_policy_response: + additionalProperties: false + properties: + id: + type: string + name: + type: string + required: + - id + - name + title: delete_agent_policy_response + type: object + Kibana_HTTP_APIs_delete_enrollment_api_key_response: + additionalProperties: false + properties: + action: + enum: + - deleted + type: string + required: + - action + title: delete_enrollment_api_key_response + type: object + Kibana_HTTP_APIs_delete_one_package_policy_response: + additionalProperties: false + properties: + id: + type: string + required: + - id + title: delete_one_package_policy_response + type: object + Kibana_HTTP_APIs_delete_package_datastream_assets_response: + additionalProperties: false + properties: + success: + type: boolean + required: + - success + title: delete_package_datastream_assets_response + type: object + Kibana_HTTP_APIs_delete_package_policies_request: + additionalProperties: false + properties: + force: + type: boolean + packagePolicyIds: + items: type: string - - description: How many results should returned at once - in: query - name: page_size - schema: - nullable: true + maxItems: 1000 + type: array + 
required: + - packagePolicyIds + title: delete_package_policies_request + type: object + Kibana_HTTP_APIs_delete_package_response: + additionalProperties: false + properties: + items: + items: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kibana_asset_reference' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_es_asset_reference' + maxItems: 10000 + type: array + required: + - items + title: delete_package_response + type: object + Kibana_HTTP_APIs_deprecation_info: + additionalProperties: false + properties: + description: + type: string + replaced_by: + additionalProperties: type: string - - description: How many pages should be skipped - in: query - name: page_index - schema: - nullable: true + type: object + since: + type: string + required: + - description + title: deprecation_info + type: object + Kibana_HTTP_APIs_differencesOperation: + additionalProperties: false + properties: + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - differences + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - operation + - of + title: Differences Operation + type: object + Kibana_HTTP_APIs_dry_run_package_policies_request: + additionalProperties: false + properties: + packagePolicyIds: + items: type: string - - description: Allows to search for timelines by their title - in: query - name: search - schema: - nullable: true + maxItems: 1000 + type: array + packageVersion: + type: string + required: + - packagePolicyIds + title: 
dry_run_package_policies_request + type: object + Kibana_HTTP_APIs_dry_run_package_policy: + additionalProperties: true + properties: + additional_datastreams_permissions: + description: Additional data stream permissions that will be added to the agent policy. + items: type: string - - description: >- - Filter by timeline lifecycle state (`active`, `draft`, or - `immutable`). - in: query - name: status - schema: - $ref: '#/components/schemas/Security_Timeline_API_TimelineStatus' - nullable: true - responses: - '200': - content: - application/json: - examples: - timelineList: - summary: Example list response - value: - customTemplateTimelineCount: 0 - defaultTimelineCount: 1 - elasticTemplateTimelineCount: 0 - favoriteCount: 0 - templateTimelineCount: 0 - timeline: - - savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - status: active - timelineType: default - title: Phishing investigation - updated: 1741344876825 - version: WzE0LDFd - totalCount: 1 - schema: + maxItems: 1000 + nullable: true + type: array + cloud_connector_id: + description: ID of the cloud connector associated with this package policy. + nullable: true + type: string + cloud_connector_name: + description: Transient field for cloud connector name during creation. + maxLength: 255 + minLength: 1 + nullable: true + type: string + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this integration to its inputs.' 
+ type: string + created_at: + type: string + created_by: + type: string + description: + description: Package policy description + type: string + elasticsearch: + additionalProperties: true + type: object + properties: + privileges: + additionalProperties: true + type: object + properties: + cluster: + items: + type: string + maxItems: 100 + type: array + enabled: + type: boolean + errors: + items: + additionalProperties: false + type: object + properties: + key: + type: string + message: + type: string + required: + - message + maxItems: 10 + type: array + force: + type: boolean + global_data_tags: + items: + additionalProperties: false + type: object + properties: + name: + description: The name of the custom field. Cannot contain spaces. + type: string + value: + anyOf: + - type: string + - type: number + description: The value of the custom field. + required: + - name + - value + maxItems: 100 + nullable: true + type: array + id: + type: string + inputs: + items: + additionalProperties: false + type: object + properties: + compiled_input: + nullable: true + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' 
+ type: string + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) type: object - properties: - customTemplateTimelineCount: - description: The amount of custom Timeline templates in the results - example: 2 - type: number - defaultTimelineCount: - description: The amount of `default` type Timelines in the results - example: 90 - type: number - elasticTemplateTimelineCount: - description: The amount of Elastic's Timeline templates in the results - example: 8 - type: number - favoriteCount: - description: The amount of favorited Timelines - example: 5 - type: number - templateTimelineCount: - description: The amount of Timeline templates in the results - example: 10 - type: number - timeline: - items: - $ref: >- - #/components/schemas/Security_Timeline_API_TimelineResponse - type: array - totalCount: - description: The total amount of results - example: 100 - type: number - required: - - timeline - - totalCount - description: Indicates a successful call. - '400': - content: - application/json: - examples: - badRequest: - summary: Error response body - value: - body: get timeline error - statusCode: 400 - schema: + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + name: + type: string + policy_template: + type: string + streams: + items: + additionalProperties: false + type: object + properties: + compiled_stream: + nullable: true + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' 
+ type: string + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + data_stream: + additionalProperties: false + type: object + properties: + dataset: + type: string + elasticsearch: + additionalProperties: false + type: object + properties: + dynamic_dataset: + type: boolean + dynamic_namespace: + type: boolean + privileges: + additionalProperties: false + type: object + properties: + indices: + items: + type: string + maxItems: 100 + type: array + type: + type: string + required: + - dataset + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + release: + enum: + - ga + - beta + - experimental + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - enabled + - data_stream + - compiled_stream + maxItems: 1000 + type: array + type: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. type: object - properties: - body: - description: The error message. - example: get timeline error - type: string - statusCode: - example: 400 - type: number - description: Bad Request response. 
- summary: Get Timelines or Timeline templates - tags: - - Security Timeline API - - access:securitySolution - /s/{spaceId}/api/observability/slos: - get: - description: > - You must have the `read` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. - operationId: findSlosOp - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - - description: A valid kql query to filter the SLO with - example: 'slo.name:latency* and slo.tags : "prod"' - in: query - name: kqlQuery - schema: + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - type + - enabled + - streams + - compiled_input + maxItems: 100 + type: array + is_managed: + type: boolean + missingVars: + items: type: string - - description: >- - The page size to use for cursor-based pagination, must be greater or - equal than 1 - example: 1 - in: query - name: size - schema: - default: 1 - type: integer - - description: >- - The cursor to use for fetching the results from, when using a - cursor-base pagination. - in: query - name: searchAfter - schema: - items: - type: string - type: array - - description: The page to use for pagination, must be greater or equal than 1 - example: 1 - in: query - name: page - schema: - default: 1 - type: integer - - description: Number of SLOs returned by page - example: 25 - in: query - name: perPage - schema: - default: 25 - maximum: 5000 - type: integer - - description: Sort by field - example: status - in: query - name: sortBy - schema: - default: status - enum: - - sli_value - - status - - error_budget_consumed - - error_budget_remaining + maxItems: 100 + type: array + name: + description: Unique name for the package policy. 
+ type: string + namespace: + description: The package policy namespace. Leave blank to inherit the agent policy's namespace. + type: string + output_id: + nullable: true + type: string + overrides: + additionalProperties: false + description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. + nullable: true + type: object + properties: + inputs: + additionalProperties: + nullable: true + type: object + package: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_package' + package_agent_version_condition: + type: string + policy_id: + deprecated: true + description: ID of the agent policy which the package policy will be added to. + nullable: true + type: string + policy_ids: + items: + description: IDs of the agent policies that the package policy will be added to. type: string - - description: Sort order - example: asc - in: query - name: sortDirection - schema: - default: asc - enum: - - asc - - desc + maxItems: 1000 + type: array + revision: + type: number + secret_references: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 1000 + type: array + supports_agentless: + default: false + description: Indicates whether the package policy belongs to an agentless agent policy. + nullable: true + type: boolean + supports_cloud_connector: + default: false + description: Indicates whether the package policy supports cloud connectors. 
+ nullable: true + type: boolean + updated_at: + type: string + updated_by: + type: string + var_group_selections: + additionalProperties: type: string - - description: >- - Hide stale SLOs from the list as defined by stale SLO threshold in - SLO settings - in: query - name: hideStale - schema: - type: boolean - responses: - '200': - content: - application/json: - examples: - findSloResponse: - summary: A paginated list of SLOs - value: - page: 1 - perPage: 25 - results: - - budgetingMethod: occurrences - createdAt: '2025-01-12T10:03:19.000Z' - description: Availability of my web service - enabled: true - groupBy: '*' - id: 8853df00-ae2e-11ed-90af-09bb6422b258 - indicator: - params: - filter: >- - field.environment : "production" and service.name - : "my-service" - good: 'request.status_code : "2xx"' - index: logs-* - timestampField: '@timestamp' - total: 'request.status_code : *' - type: sli.kql.custom - instanceId: '*' - name: My Service Availability - objective: - target: 0.99 - revision: 1 - settings: - frequency: 5m - syncDelay: 5m - summary: - errorBudget: - consumed: 0.17 - initial: 0.01 - isEstimated: false - remaining: 0.83 - sliValue: 0.9983 - status: HEALTHY - tags: - - production - - web-service - timeWindow: - duration: 30d - type: rolling - updatedAt: '2025-01-12T10:03:19.000Z' - version: 2 - total: 42 - schema: - $ref: '#/components/schemas/SLOs_find_slo_response' - description: Successful request - '400': - content: - application/json: - examples: - badRequestExample: - summary: Bad request - value: - error: Bad Request - message: 'Invalid value ''invalid'' supplied to: sortBy' - statusCode: 400 - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json: - examples: - unauthorizedExample: - summary: Unauthorized - value: - error: Unauthorized - message: >- - security_exception: unable to authenticate user for REST - request [/api/observability/slos] - statusCode: 401 - schema: - $ref: 
'#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json: - examples: - forbiddenExample: - summary: Forbidden - value: - error: Forbidden - message: >- - security_exception: action [slo_read] is unauthorized for - user - statusCode: 403 - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Forbidden response - '404': - content: - application/json: - examples: - notFoundExample: - summary: Not found - value: - error: Not Found - message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found - statusCode: 404 - schema: - $ref: '#/components/schemas/SLOs_404_response' - description: Not found response - summary: Get a paginated list of SLOs - tags: - - slo - post: - description: > - You must have `all` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. - operationId: createSloOp - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - requestBody: - content: - application/json: - examples: - createSloKqlExample: - summary: Create an SLO with a KQL indicator - value: - budgetingMethod: occurrences - description: >- - Availability of my web service measured by successful HTTP - responses - indicator: - params: - filter: >- - field.environment : "production" and service.name : - "my-service" - good: 'request.status_code : "2xx"' - index: logs-* - timestampField: '@timestamp' - total: 'request.status_code : *' - type: sli.kql.custom - name: My Service Availability - objective: - target: 0.99 - settings: - frequency: 5m - syncDelay: 5m - tags: - - production - - web-service - timeWindow: - duration: 30d - type: rolling - schema: - $ref: '#/components/schemas/SLOs_create_slo_request' - required: true - responses: - '200': - content: - application/json: - examples: - createSloResponse: - summary: Create SLO response - value: - id: 8853df00-ae2e-11ed-90af-09bb6422b258 - schema: - $ref: 
'#/components/schemas/SLOs_create_slo_response' - description: Successful request - '400': - content: - application/json: - examples: - badRequestExample: - summary: Bad request - value: - error: Bad Request - message: 'Invalid value ''foo'' supplied to: indicator/type' - statusCode: 400 - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json: - examples: - unauthorizedExample: - summary: Unauthorized - value: - error: Unauthorized - message: >- - security_exception: unable to authenticate user for REST - request [/api/observability/slos] - statusCode: 401 - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json: - examples: - forbiddenExample: - summary: Forbidden - value: - error: Forbidden - message: >- - security_exception: action [slo_write] is unauthorized for - user - statusCode: 403 - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Forbidden response - '409': - content: - application/json: - examples: - conflictExample: - summary: Conflict - value: - error: Conflict - message: SLO [d077e940-1515-11ee-9c50-9d096392f520] already exists - statusCode: 409 - schema: - $ref: '#/components/schemas/SLOs_409_response' - description: Conflict - The SLO id already exists - summary: Create an SLO - tags: - - slo - /s/{spaceId}/api/observability/slos/_bulk_delete: - post: - description: > - Bulk delete SLO definitions and their associated summary and rollup - data. This endpoint initiates a bulk deletion operation for SLOs, which - may take some time to complete. The status of the operation can be - checked using the `GET /api/slo/_bulk_delete/{taskId}` endpoint. 
- operationId: bulkDeleteOp - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - requestBody: - content: - application/json: - examples: - bulkDeleteRequest: - summary: Bulk delete two SLOs - value: - list: - - 8853df00-ae2e-11ed-90af-09bb6422b258 - - d077e940-1515-11ee-9c50-9d096392f520 - schema: - $ref: '#/components/schemas/SLOs_bulk_delete_request' - required: true - responses: - '200': - content: - application/json: - examples: - bulkDeleteResponse: - summary: Bulk delete response with task ID - value: - taskId: d08506b7-f0e8-4f8b-a06a-a83940f4db91 - schema: - $ref: '#/components/schemas/SLOs_bulk_delete_response' - description: Successful response - '400': - content: - application/json: - examples: - badRequestExample: - summary: Bad request - value: - error: Bad Request - message: 'Invalid value ''foo'' supplied to: list' - statusCode: 400 - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json: - examples: - unauthorizedExample: - summary: Unauthorized - value: - error: Unauthorized - message: >- - security_exception: unable to authenticate user for REST - request [/api/observability/slos] - statusCode: 401 - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json: - examples: - forbiddenExample: - summary: Forbidden - value: - error: Forbidden - message: >- - security_exception: action [slo_write] is unauthorized for - user - statusCode: 403 - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Forbidden response - summary: >- - Bulk delete SLO definitions and their associated summary and rollup - data. - tags: - - slo - /s/{spaceId}/api/observability/slos/_bulk_delete/{taskId}: - get: - description: > - Retrieve the status of the bulk deletion operation for SLOs. 
This - endpoint returns the status of the bulk deletion operation, including - whether it is completed and the results of the operation. - operationId: bulkDeleteStatusOp - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - - description: The task id of the bulk delete operation - in: path - name: taskId - required: true - schema: - example: 8853df00-ae2e-11ed-90af-09bb6422b258 + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + version: + description: Package policy ES version. + type: string + required: + - name + - enabled + - inputs + title: dry_run_package_policy + type: object + Kibana_HTTP_APIs_durationFormat: + additionalProperties: false + description: Duration format between time units. + properties: + from: + description: Source time unit for conversion, for example `milliseconds`, `seconds`, `minutes`, `hours`, or `days`. + type: string + suffix: + description: Suffix appended to the formatted value. + type: string + to: + description: Display time unit after conversion, for example `seconds`, `minutes`, `hours`, or `days`. + type: string + type: + enum: + - duration + type: string + required: + - type + - from + - to + title: Duration Format + type: object + Kibana_HTTP_APIs_enrollment_api_key: + additionalProperties: false + properties: + active: + description: When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents. + type: boolean + api_key: + description: The enrollment API key (token) used for enrolling Elastic Agents. 
+ type: string + api_key_id: + description: The ID of the API key in the Security API. + type: string + created_at: + type: string + hidden: + type: boolean + id: + type: string + name: + description: The name of the enrollment API key. + type: string + policy_id: + description: The ID of the agent policy the Elastic Agent will be enrolled in. + type: string + required: + - id + - api_key_id + - api_key + - active + - created_at + title: enrollment_api_key + type: object + Kibana_HTTP_APIs_enrollment_api_key_response: + additionalProperties: false + properties: + action: + enum: + - created + type: string + item: + $ref: '#/components/schemas/Kibana_HTTP_APIs_enrollment_api_key' + required: + - item + - action + title: enrollment_api_key_response + type: object + Kibana_HTTP_APIs_es_asset_reference: + additionalProperties: false + properties: + deferred: + type: boolean + id: + type: string + type: + enum: + - index + - index_template + - component_template + - ingest_pipeline + - ilm_policy + - data_stream_ilm_policy + - transform + - ml_model + - knowledge_base + - esql_view + type: string + version: + type: string + required: + - id + - type + title: es_asset_reference + type: object + Kibana_HTTP_APIs_es-query-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_alert_delay' + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. 
For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the ES query rule. These parameters are appropriate when `rule_type_id` is `.es-query`. + properties: + aggField: + description: The name of the numeric field that is used in the aggregation. This property is required when `aggType` is `avg`, `max`, `min` or `sum`. + minLength: 1 + type: string + aggType: + default: count + description: The type of aggregation to perform. 
+ type: string + esqlQuery: + anyOf: + - items: {} + type: array + - type: boolean + - type: number + - type: object + - type: string + description: The query definition in Elasticsearch Query Language. + nullable: true + oneOf: + - additionalProperties: false + type: object + properties: + esql: + minLength: 1 + type: string + required: + - esql + - not: {} + esQuery: + anyOf: + - items: {} + type: array + - type: boolean + - type: number + - type: object + - type: string + nullable: true + oneOf: + - minLength: 1 + type: string + - not: {} + excludeHitsFromPreviousRun: + default: true + description: Indicates whether to exclude matches from previous runs. If `true`, you can avoid alert duplication by excluding documents that have already been detected by the previous rule run. This option is not available when a grouping field is specified. + type: boolean + groupBy: + default: all + description: Indicates whether the aggregation is applied over all documents (`all`), grouped by row (`row`), or split into groups (`top`) using a grouping field (`termField`) where only the top groups (up to `termSize` number of groups) are checked. If grouping is used, an alert will be created for each group when it exceeds the threshold. + type: string + index: + anyOf: + - items: {} + type: array + - type: boolean + - type: number + - type: object + - type: string + description: The indices to query. + nullable: true + oneOf: + - items: + minLength: 1 + type: string + minItems: 1 + type: array + - not: {} + searchConfiguration: + anyOf: + - items: {} + type: array + - type: boolean + - type: number + - type: object + - type: string + description: The query definition, which uses KQL or Lucene to fetch the documents from Elasticsearch. 
+ nullable: true + oneOf: + - additionalProperties: true + type: object + properties: {} + - not: {} + searchType: + default: esQuery + description: 'The type of query For example: `esQuery` for Elasticsearch Query DSL or `esqlQuery` for Elasticsearch Query Language (ES|QL).' + enum: + - searchSource + - esQuery + - esqlQuery + type: string + size: + description: The number of documents to pass to the configured actions when the threshold condition is met. + maximum: 10000 + minimum: 0 + type: number + sourceFields: + description: The sourceFields param is ignored. + items: + additionalProperties: false + type: object + properties: + label: + type: string + searchPath: + type: string + required: + - label + - searchPath + maxItems: 5 + type: array + termField: + anyOf: + - minLength: 1 + type: string + - items: + type: string + maxItems: 4 + minItems: 2 + type: array + description: The names of up to four fields that are used for grouping the aggregation. This property is required when `groupBy` is `top`. + termSize: + description: This property is required when `groupBy` is `top`. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields. + minimum: 1 + type: number + threshold: + items: + description: The threshold value that is used with the `thresholdComparator`. If the `thresholdComparator` is `between` or `notBetween`, you must specify the boundary values. + type: number + maxItems: 2 + minItems: 1 + type: array + thresholdComparator: + description: 'The comparison function for the threshold. For example: greater than, less than, greater than or equal to, between, or not between.' + enum: + - '>' + - < + - '>=' + - <= + - between + - notBetween + type: string + timeField: + anyOf: + - items: {} + type: array + - type: boolean + - type: number + - type: object + - type: string + description: The field that is used to calculate the time window. 
+ nullable: true + oneOf: + - minLength: 1 + type: string + - minLength: 1 + type: string + timeWindowSize: + description: The size of the time window (in `timeWindowUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection. + minimum: 1 + type: number + timeWindowUnit: + description: 'The type of units for the time window. For example: seconds, minutes, hours, or days.' + type: string + required: + - size + - timeWindowSize + - timeWindowUnit + - threshold + - thresholdComparator + - timeField + - searchConfiguration + - esQuery + - index + - esqlQuery + title: ES Query Rule Params + type: object + rule_type_id: + enum: + - .es-query + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. 
+ items: type: string - responses: - '200': - content: - application/json: - examples: - bulkDeleteStatusComplete: - summary: Completed bulk deletion - value: - isDone: true - results: - - id: 8853df00-ae2e-11ed-90af-09bb6422b258 - success: true - - id: d077e940-1515-11ee-9c50-9d096392f520 - success: true - bulkDeleteStatusPartialFailure: - summary: Completed with partial failure - value: - isDone: true - results: - - id: 8853df00-ae2e-11ed-90af-09bb6422b258 - success: true - - error: SLO [d077e940-1515-11ee-9c50-9d096392f520] not found - id: d077e940-1515-11ee-9c50-9d096392f520 - success: false - schema: - $ref: '#/components/schemas/SLOs_bulk_delete_status_response' - description: Successful response - '400': - content: - application/json: - examples: - badRequestExample: - summary: Bad request - value: - error: Bad Request - message: 'Invalid value ''foo'' supplied to: taskId' - statusCode: 400 - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json: - examples: - unauthorizedExample: - summary: Unauthorized - value: - error: Unauthorized - message: >- - security_exception: unable to authenticate user for REST - request [/api/observability/slos] - statusCode: 401 - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json: - examples: - forbiddenExample: - summary: Forbidden - value: - error: Forbidden - message: >- - security_exception: action [slo_write] is unauthorized for - user - statusCode: 403 - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Forbidden response - summary: Retrieve the status of the bulk deletion - tags: - - slo - /s/{spaceId}/api/observability/slos/_bulk_purge_rollup: - post: - description: > - The deletion occurs for the specified list of `sloId`. You must have - `all` privileges for the **SLOs** feature in the **Observability** - section of the Kibana feature privileges. 
- operationId: deleteRollupDataOp - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - requestBody: - content: - application/json: - examples: - purgeByAgeExample: - summary: Purge rollup data older than 7 days - value: - list: - - 8853df00-ae2e-11ed-90af-09bb6422b258 - purgePolicy: - age: 7d - purgeType: fixed-age - purgeByTimestampExample: - summary: Purge rollup data before a specific date - value: - list: - - 8853df00-ae2e-11ed-90af-09bb6422b258 - - d077e940-1515-11ee-9c50-9d096392f520 - purgePolicy: - purgeType: fixed-time - timestamp: '2024-12-31T00:00:00.000Z' - schema: - $ref: '#/components/schemas/SLOs_bulk_purge_rollup_request' - required: true - responses: - '200': - content: - application/json: - examples: - bulkPurgeResponse: - summary: Bulk purge response with task ID - value: - taskId: 8853df00-ae2e-11ed-90af-09bb6422b258 - schema: - $ref: '#/components/schemas/SLOs_bulk_purge_rollup_response' - description: Successful request - '400': - content: - application/json: - examples: - badRequestExample: - summary: Bad request - value: - error: Bad Request - message: 'Invalid value ''foo'' supplied to: purgePolicy/purgeType' - statusCode: 400 - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json: - examples: - unauthorizedExample: - summary: Unauthorized - value: - error: Unauthorized - message: >- - security_exception: unable to authenticate user for REST - request [/api/observability/slos] - statusCode: 401 - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json: - examples: - forbiddenExample: - summary: Forbidden - value: - error: Forbidden - message: >- - security_exception: action [slo_write] is unauthorized for - user - statusCode: 403 - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Forbidden response - summary: 
Batch delete rollup and summary data - tags: - - slo - /s/{spaceId}/api/observability/slos/_delete_instances: - post: - description: > - The deletion occurs for the specified list of `sloId` and `instanceId`. - You must have `all` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. - operationId: deleteSloInstancesOp - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - requestBody: - content: - application/json: - examples: - deleteInstancesExample: - summary: Delete specific SLO instances - value: - list: - - instanceId: host-abc123 - sloId: 8853df00-ae2e-11ed-90af-09bb6422b258 - - instanceId: host-def456 - sloId: 8853df00-ae2e-11ed-90af-09bb6422b258 - schema: - $ref: '#/components/schemas/SLOs_delete_slo_instances_request' - required: true - responses: - '204': - description: Successful request - '400': - content: - application/json: - examples: - badRequestExample: - summary: Bad request - value: - error: Bad Request - message: 'Invalid value ''foo'' supplied to: list/0/sloId' - statusCode: 400 - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json: - examples: - unauthorizedExample: - summary: Unauthorized - value: - error: Unauthorized - message: >- - security_exception: unable to authenticate user for REST - request [/api/observability/slos] - statusCode: 401 - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json: - examples: - forbiddenExample: - summary: Forbidden - value: - error: Forbidden - message: >- - security_exception: action [slo_write] is unauthorized for - user - statusCode: 403 - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Forbidden response - summary: Batch delete rollup and summary data - tags: - - slo - /s/{spaceId}/api/observability/slos/{sloId}: - 
delete: - description: > - You must have the `write` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. - operationId: deleteSloOp - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - - $ref: '#/components/parameters/SLOs_slo_id' - responses: - '204': - description: Successful request - '400': - content: - application/json: - examples: - badRequestExample: - summary: Bad request - value: - error: Bad Request - message: 'Invalid value ''foo'' supplied to: id' - statusCode: 400 - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json: - examples: - unauthorizedExample: - summary: Unauthorized - value: - error: Unauthorized - message: >- - security_exception: unable to authenticate user for REST - request [/api/observability/slos] - statusCode: 401 - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json: - examples: - forbiddenExample: - summary: Forbidden - value: - error: Forbidden - message: >- - security_exception: action [slo_write] is unauthorized for - user - statusCode: 403 - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Forbidden response - '404': - content: - application/json: - examples: - notFoundExample: - summary: Not found - value: - error: Not Found - message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found - statusCode: 404 - schema: - $ref: '#/components/schemas/SLOs_404_response' - description: Not found response - summary: Delete an SLO - tags: - - slo - get: - description: > - You must have the `read` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. 
- operationId: getSloOp - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - - $ref: '#/components/parameters/SLOs_slo_id' - - description: the specific instanceId used by the summary calculation - example: host-abcde - in: query - name: instanceId - schema: + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: ES query + type: object + Kibana_HTTP_APIs_esqlDataSource: + additionalProperties: false + description: Uses an ES|QL query as the data source. The query is executed at render time; resulting columns are available as fields. + properties: + query: + description: 'An ES|QL query that drives the data source. The query must produce a tabular result set; column names are used as field references. Example: "FROM logs-* | STATS count = COUNT(*) BY host.name".' 
+ type: string + type: + enum: + - esql + type: string + required: + - type + - query + title: ES|QL Data Source + type: object + Kibana_HTTP_APIs_FailureStore: + anyOf: + - additionalProperties: false + type: object + properties: + inherit: + additionalProperties: false + type: object + properties: {} + required: + - inherit + - additionalProperties: false + type: object + properties: + disabled: + additionalProperties: false + type: object + properties: {} + required: + - disabled + - additionalProperties: false + type: object + properties: + lifecycle: + additionalProperties: false + type: object + properties: + enabled: + additionalProperties: false + type: object + properties: + data_retention: + description: A non-empty string. + minLength: 1 + type: string + required: + - enabled + required: + - lifecycle + - additionalProperties: false + type: object + properties: + lifecycle: + additionalProperties: false + type: object + properties: + disabled: + additionalProperties: false + type: object + properties: {} + required: + - disabled + required: + - lifecycle + Kibana_HTTP_APIs_FieldDefinition: + additionalProperties: + $ref: '#/components/schemas/Kibana_HTTP_APIs_FieldDefinitionConfig' + type: object + Kibana_HTTP_APIs_FieldDefinitionConfig: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_RecursiveRecord' + - anyOf: + - additionalProperties: false + type: object + properties: + description: + type: string + format: + description: A non-empty string. 
+ minLength: 1 + type: string + type: + enum: + - keyword + - match_only_text + - long + - double + - date + - boolean + - ip + - geo_point + - integer + - short + - byte + - float + - half_float + - text + - wildcard + - version + - unsigned_long + - date_nanos + type: string + required: + - type + - additionalProperties: false + type: object + properties: + description: + type: string + format: + not: {} + type: + not: {} + required: + - description + - additionalProperties: false + type: object + properties: + description: + type: string + type: + enum: + - system + type: string + required: + - type + Kibana_HTTP_APIs_fieldMetricOperations: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_countMetricOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_uniqueCountMetricOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_minMaxAvgMedianStdDevMetricOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_sumMetricOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_lastValueOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_percentileOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_percentileRanksOperation' + title: Field Metric Operations + Kibana_HTTP_APIs_FilterCondition: + anyOf: + - additionalProperties: false + description: A condition that compares a field to a value or range using an operator as the key. + type: object + properties: + contains: + anyOf: + - type: string + - type: number + - type: boolean + description: Contains comparison value. + endsWith: + anyOf: + - type: string + - type: number + - type: boolean + description: Ends-with comparison value. + eq: + anyOf: + - type: string + - type: number + - type: boolean + description: Equality comparison value. + field: + description: The document field to filter on. + minLength: 1 + type: string + gt: + anyOf: + - type: string + - type: number + - type: boolean + description: Greater-than comparison value. 
+ gte: + anyOf: + - type: string + - type: number + - type: boolean + description: Greater-than-or-equal comparison value. + includes: + anyOf: + - type: string + - type: number + - type: boolean + description: Checks if multivalue field includes the value. + lt: + anyOf: + - type: string + - type: number + - type: boolean + description: Less-than comparison value. + lte: + anyOf: + - type: string + - type: number + - type: boolean + description: Less-than-or-equal comparison value. + neq: + anyOf: + - type: string + - type: number + - type: boolean + description: Inequality comparison value. + range: + additionalProperties: false + description: Range comparison values. + type: object + properties: + gt: + anyOf: + - type: string + - type: number + - type: boolean + description: A value that can be a string, number, or boolean. + gte: + anyOf: + - type: string + - type: number + - type: boolean + description: A value that can be a string, number, or boolean. + lt: + anyOf: + - type: string + - type: number + - type: boolean + description: A value that can be a string, number, or boolean. + lte: + anyOf: + - type: string + - type: number + - type: boolean + description: A value that can be a string, number, or boolean. + startsWith: + anyOf: + - type: string + - type: number + - type: boolean + description: Starts-with comparison value. + required: + - field + - additionalProperties: false + description: A condition that checks for the existence or non-existence of a field. + type: object + properties: + exists: + description: Indicates whether the field exists or not. + type: boolean + field: + description: The document field to check. + minLength: 1 + type: string + required: + - field + description: A basic filter condition, either unary or binary. + Kibana_HTTP_APIs_filterSimple: + additionalProperties: false + description: A KQL or Lucene query that filters panel data. Applied on top of any dashboard-level filters. 
+ properties: + expression: + description: A query expression in KQL or Lucene syntax + type: string + language: + default: kql + description: 'Query language: `kql` (Kibana Query Language) or `lucene`. Defaults to `kql`.' + enum: + - kql + - lucene + type: string + required: + - expression + title: Filter + type: object + Kibana_HTTP_APIs_filtersOperation: + additionalProperties: false + properties: + filters: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterWithLabel' + maxItems: 100 + type: array + label: + description: Label for the operation + type: string + operation: + enum: + - filters + type: string + required: + - operation + - filters + title: Filters Operation + type: object + Kibana_HTTP_APIs_filterWithLabel: + additionalProperties: false + description: A KQL or Lucene filter with an optional display label. + properties: + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + label: + description: Label for the filter + type: string + required: + - filter + title: Filter with Label + type: object + Kibana_HTTP_APIs_find_backfill_response: + additionalProperties: false + properties: + data: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_backfill_response' + type: array + page: + type: number + per_page: + type: number + total: + type: number + required: + - page + - per_page + - total + - data + title: find_backfill_response + type: object + Kibana_HTTP_APIs_formatType: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_numericFormat' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_byteFormat' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_durationFormat' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_customFormat' + description: Number display format for the dimension value. 
+ title: Format Type + Kibana_HTTP_APIs_formulaOperation: + additionalProperties: false + properties: + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + formula: + description: Formula + type: string + label: + description: Label for the operation + type: string + operation: + enum: + - formula + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + description: Time scale + enum: + - s + - m + - h + - d + type: string + required: + - operation + - formula + title: Formula Operation + type: object + Kibana_HTTP_APIs_full_agent_policy: + additionalProperties: false + properties: + agent: + additionalProperties: false + type: object + properties: + download: + additionalProperties: false + type: object + properties: + auth: + additionalProperties: false + type: object + properties: + api_key: + type: string + headers: + items: + additionalProperties: false + type: object + properties: + key: + type: string + value: + type: string + required: + - key + - value + maxItems: 100 + type: array + password: + type: string + username: + type: string + proxy_headers: + additionalProperties: + anyOf: + - type: string + - type: boolean + - type: number + nullable: true + type: object + proxy_url: + type: string + secrets: + additionalProperties: true + type: object + properties: + ssl: + additionalProperties: true + type: object + properties: + key: + additionalProperties: true + type: object + properties: + id: + type: string + required: + - key + sourceURI: + type: string + ssl: + additionalProperties: false + type: object + properties: + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + key: + type: string + renegotiation: + type: string + verification_mode: + type: string + target_directory: + type: string + timeout: + type: string + 
required: + - sourceURI + features: + additionalProperties: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + required: + - enabled + type: object + internal: + nullable: true + limits: + additionalProperties: false + type: object + properties: + go_max_procs: + type: number + logging: + additionalProperties: false + type: object + properties: + files: + additionalProperties: false + type: object + properties: + interval: + type: string + keepfiles: + type: number + rotateeverybytes: + type: number + level: + type: string + metrics: + additionalProperties: false + type: object + properties: + period: + type: string + to_files: + type: boolean + monitoring: + additionalProperties: false + type: object + properties: + _runtime_experimental: + type: string + apm: + nullable: true + diagnostics: + additionalProperties: false + type: object + properties: + limit: + additionalProperties: false + type: object + properties: + burst: + type: number + interval: + type: string + uploader: + additionalProperties: false + type: object + properties: + init_dur: + type: string + max_dur: + type: string + max_retries: + type: number + enabled: + type: boolean + http: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + host: + type: string + port: + type: number + logs: + type: boolean + metrics: + type: boolean + namespace: + type: string + pprof: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + required: + - enabled + traces: + type: boolean + use_output: + type: string + required: + - enabled + - metrics + - logs + - traces + - apm + protection: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + signing_key: + type: string + uninstall_token_hash: + type: string + required: + - enabled + - uninstall_token_hash + - signing_key + required: + - monitoring + - download + - features + - internal + connectors: + additionalProperties: + 
nullable: true + type: object + exporters: + additionalProperties: + nullable: true + type: object + extensions: + additionalProperties: + nullable: true + type: object + fleet: + anyOf: + - additionalProperties: false + type: object + properties: + hosts: + items: + type: string + maxItems: 100 + type: array + proxy_headers: + additionalProperties: + anyOf: + - type: string + - type: boolean + - type: number + nullable: true + type: object + proxy_url: + type: string + secrets: + additionalProperties: true + type: object + properties: + ssl: + additionalProperties: true + type: object + properties: + key: + additionalProperties: true + type: object + properties: + id: + type: string + required: + - key + ssl: + additionalProperties: false + type: object + properties: + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + key: + type: string + renegotiation: + type: string + verification_mode: + type: string + required: + - hosts + - additionalProperties: false + type: object + properties: + kibana: + additionalProperties: false + type: object + properties: + hosts: + items: + type: string + maxItems: 100 + type: array + path: + type: string + protocol: + type: string + required: + - hosts + - protocol + required: + - kibana + id: + type: string + inputs: + items: + additionalProperties: true + type: object + properties: + data_stream: + additionalProperties: true + type: object + properties: + namespace: + type: string + required: + - namespace + id: + type: string + meta: + additionalProperties: true + type: object + properties: + package: + additionalProperties: true + type: object + properties: + name: + type: string + version: + type: string + required: + - name + - version + name: + type: string + package_policy_id: + type: string + processors: + items: + additionalProperties: true + type: object + properties: + add_fields: + additionalProperties: true + type: object + properties: + fields: + 
additionalProperties: + anyOf: + - type: string + - type: number + type: object + target: + type: string + required: + - target + - fields + required: + - add_fields + maxItems: 10000 + type: array + revision: + type: number + streams: + items: + additionalProperties: true + type: object + properties: + data_stream: + additionalProperties: true + type: object + properties: + dataset: + type: string + type: + type: string + required: + - dataset + id: + type: string + required: + - id + - data_stream + maxItems: 10000 + type: array + type: + type: string + use_output: + type: string + required: + - id + - name + - revision + - type + - data_stream + - use_output + - package_policy_id + maxItems: 10000 + type: array + namespaces: + items: + type: string + maxItems: 100 + type: array + output_permissions: + additionalProperties: + additionalProperties: + nullable: true + type: object + type: object + outputs: + additionalProperties: + additionalProperties: true + type: object + properties: + ca_sha256: + nullable: true + type: string + hosts: + items: + type: string + maxItems: 100 + type: array + proxy_headers: + additionalProperties: + anyOf: + - type: string + - type: boolean + - type: number + nullable: true + type: object + proxy_url: + type: string + type: + type: string + required: + - type + type: object + processors: + additionalProperties: + nullable: true + type: object + receivers: + additionalProperties: + nullable: true + type: object + revision: + type: number + secret_references: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10000 + type: array + service: + additionalProperties: false + type: object + properties: + extensions: + items: + type: string + maxItems: 1000 + type: array + pipelines: + additionalProperties: + additionalProperties: false + type: object + properties: + exporters: + items: + type: string + maxItems: 1000 + type: array + processors: + items: + type: string 
+ maxItems: 1000 + type: array + receivers: + items: + type: string + maxItems: 1000 + type: array + type: object + signed: + additionalProperties: false + type: object + properties: + data: + type: string + signature: + type: string + required: + - data + - signature + required: + - id + - outputs + - inputs + title: full_agent_policy + type: object + Kibana_HTTP_APIs_gaugeESQL: + additionalProperties: false + description: Gauge configuration using an ES|QL query. + properties: + data_source: + $ref: '#/components/schemas/Kibana_HTTP_APIs_esqlDataSource' + description: + type: string + drilldowns: + items: + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. 
+ type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + hide_border: + type: boolean + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. + type: boolean + metric: + additionalProperties: false + type: object + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the gauge fill. 
+ column: + description: Column to use + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + goal: + additionalProperties: false + type: object + properties: + column: + description: Column to use + type: string + label: + description: Label for the operation + type: string + required: + - column + label: + description: Label for the operation + type: string + max: + additionalProperties: false + type: object + properties: + column: + description: Column to use + type: string + label: + description: Label for the operation + type: string + required: + - column + min: + additionalProperties: false + type: object + properties: + column: + description: Column to use + type: string + label: + description: Label for the operation + type: string + required: + - column + subtitle: + description: Subtitle below the gauge value. + type: string + ticks: + additionalProperties: false + description: Ticks configuration + type: object + properties: + mode: + description: Tick placement mode. + enum: + - auto + - bands + type: string + visible: + description: When `true`, displays tick marks on the gauge. + type: boolean + title: + additionalProperties: false + description: Title configuration + type: object + properties: + text: + description: Title text. + type: string + visible: + description: When `true`, displays the title. + type: boolean + required: + - column + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). 
+ maximum: 1 + minimum: 0 + type: number + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeStyling' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + type: + enum: + - gauge + type: string + required: + - type + - data_source + - metric + title: Gauge Chart (ES|QL) + type: object + Kibana_HTTP_APIs_gaugeMetricCountMetric: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the gauge fill. + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. + type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + goal: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + label: + description: Label for the operation + type: string + max: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. 
+ title: Field Metric, Static Value, or Formula Operation + min: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + operation: + enum: + - count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the gauge value. + type: string + ticks: + additionalProperties: false + description: Ticks configuration + type: object + properties: + mode: + description: Tick placement mode. + enum: + - auto + - bands + type: string + visible: + description: When `true`, displays tick marks on the gauge. + type: boolean + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + title: + additionalProperties: false + description: Title configuration + type: object + properties: + text: + description: Title text. + type: string + visible: + description: When `true`, displays the title. + type: boolean + required: + - operation + title: Count Metric Operation + type: object + Kibana_HTTP_APIs_gaugeMetricFormula: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the gauge fill. 
+ filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + formula: + description: Formula + type: string + goal: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + label: + description: Label for the operation + type: string + max: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + min: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + operation: + enum: + - formula + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the gauge value. + type: string + ticks: + additionalProperties: false + description: Ticks configuration + type: object + properties: + mode: + description: Tick placement mode. + enum: + - auto + - bands + type: string + visible: + description: When `true`, displays tick marks on the gauge. 
+ type: boolean + time_scale: + description: Time scale + enum: + - s + - m + - h + - d + type: string + title: + additionalProperties: false + description: Title configuration + type: object + properties: + text: + description: Title text. + type: string + visible: + description: When `true`, displays the title. + type: boolean + required: + - operation + - formula + title: Formula Operation + type: object + Kibana_HTTP_APIs_gaugeMetricLastValue: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the gauge fill. + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + goal: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + label: + description: Label for the operation + type: string + max: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. 
+ title: Field Metric, Static Value, or Formula Operation + min: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + multi_value: + default: false + description: Whether to return all values for multi-value fields. Only affects data table and metric charts; other charts use the last value from the array. + type: boolean + operation: + enum: + - last_value + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the gauge value. + type: string + ticks: + additionalProperties: false + description: Ticks configuration + type: object + properties: + mode: + description: Tick placement mode. + enum: + - auto + - bands + type: string + visible: + description: When `true`, displays tick marks on the gauge. + type: boolean + time_field: + description: Time field used to determine document recency + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + title: + additionalProperties: false + description: Title configuration + type: object + properties: + text: + description: Title text. + type: string + visible: + description: When `true`, displays the title. 
+ type: boolean + required: + - field + - operation + - time_field + title: Last Value Operation + type: object + Kibana_HTTP_APIs_gaugeMetricPercentile: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the gauge fill. + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + goal: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + label: + description: Label for the operation + type: string + max: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + min: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. 
+ title: Field Metric, Static Value, or Formula Operation + operation: + enum: + - percentile + type: string + percentile: + default: 95 + description: Percentile + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the gauge value. + type: string + ticks: + additionalProperties: false + description: Ticks configuration + type: object + properties: + mode: + description: Tick placement mode. + enum: + - auto + - bands + type: string + visible: + description: When `true`, displays tick marks on the gauge. + type: boolean + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + title: + additionalProperties: false + description: Title configuration + type: object + properties: + text: + description: Title text. + type: string + visible: + description: When `true`, displays the title. + type: boolean + required: + - field + - operation + title: Percentile Operation + type: object + Kibana_HTTP_APIs_gaugeMetricPercentileRanks: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the gauge fill. 
+ field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + goal: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + label: + description: Label for the operation + type: string + max: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + min: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + operation: + enum: + - percentile_rank + type: string + rank: + default: 0 + description: Percentile Rank + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the gauge value. + type: string + ticks: + additionalProperties: false + description: Ticks configuration + type: object + properties: + mode: + description: Tick placement mode. 
+ enum: + - auto + - bands + type: string + visible: + description: When `true`, displays tick marks on the gauge. + type: boolean + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + title: + additionalProperties: false + description: Title configuration + type: object + properties: + text: + description: Title text. + type: string + visible: + description: When `true`, displays the title. + type: boolean + required: + - field + - operation + title: Percentile Ranks Operation + type: object + Kibana_HTTP_APIs_gaugeMetricStatsMetric: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the gauge fill. + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + goal: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + label: + description: Label for the operation + type: string + max: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. 
+ title: Field Metric, Static Value, or Formula Operation + min: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + operation: + enum: + - min + - max + - average + - median + - standard_deviation + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the gauge value. + type: string + ticks: + additionalProperties: false + description: Ticks configuration + type: object + properties: + mode: + description: Tick placement mode. + enum: + - auto + - bands + type: string + visible: + description: When `true`, displays tick marks on the gauge. + type: boolean + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + title: + additionalProperties: false + description: Title configuration + type: object + properties: + text: + description: Title text. + type: string + visible: + description: When `true`, displays the title. + type: boolean + required: + - field + - operation + title: Stats Metric Operation + type: object + Kibana_HTTP_APIs_gaugeMetricSumMetric: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the gauge fill. + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + goal: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + label: + description: Label for the operation + type: string + max: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + min: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + operation: + enum: + - sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the gauge value. + type: string + ticks: + additionalProperties: false + description: Ticks configuration + type: object + properties: + mode: + description: Tick placement mode. + enum: + - auto + - bands + type: string + visible: + description: When `true`, displays tick marks on the gauge. 
+ type: boolean + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + title: + additionalProperties: false + description: Title configuration + type: object + properties: + text: + description: Title text. + type: string + visible: + description: When `true`, displays the title. + type: boolean + required: + - field + - operation + title: Sum Metric Operation + type: object + Kibana_HTTP_APIs_gaugeMetricUniqueCountMetric: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the gauge fill. + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. + type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + goal: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + label: + description: Label for the operation + type: string + max: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. 
+ title: Field Metric, Static Value, or Formula Operation + min: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + operation: + enum: + - unique_count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the gauge value. + type: string + ticks: + additionalProperties: false + description: Ticks configuration + type: object + properties: + mode: + description: Tick placement mode. + enum: + - auto + - bands + type: string + visible: + description: When `true`, displays tick marks on the gauge. + type: boolean + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + title: + additionalProperties: false + description: Title configuration + type: object + properties: + text: + description: Title text. + type: string + visible: + description: When `true`, displays the title. + type: boolean + required: + - field + - operation + title: Unique Count Metric Operation + type: object + Kibana_HTTP_APIs_gaugeNoESQL: + additionalProperties: false + description: Gauge configuration using a data view. 
+ properties: + data_source: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' + description: + type: string + drilldowns: + items: + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. + type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. 
Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + hide_border: + type: boolean + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. + type: boolean + metric: + anyOf: + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeMetricCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeMetricUniqueCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeMetricStatsMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeMetricSumMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeMetricLastValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeMetricPercentile' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeMetricPercentileRanks' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeMetricFormula' + query: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). + maximum: 1 + minimum: 0 + type: number + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeStyling' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + type: + enum: + - gauge + type: string + required: + - type + - data_source + - metric + title: Gauge Chart (DSL) + type: object + Kibana_HTTP_APIs_gaugeShapeBullet: + additionalProperties: false + description: Bullet gauge shape. 
+ properties: + orientation: + $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_simple_orientation' + type: + enum: + - bullet + type: string + required: + - type + title: Shape (Bullet) + type: object + Kibana_HTTP_APIs_gaugeShapeCircular: + additionalProperties: false + description: Circular gauge shape. + properties: + type: + enum: + - circle + - semi_circle + - arc + type: string + required: + - type + title: Shape (Circular) + type: object + Kibana_HTTP_APIs_gaugeStyling: + additionalProperties: false + description: Visual chart styling options + properties: + shape: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeShapeBullet' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeShapeCircular' + title: Gauge styling + type: object + Kibana_HTTP_APIs_geo-containment-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_alert_delay' + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. 
While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the geo containment rule. These parameters are appropriate when `rule_type_id` is `.geo-containment`. 
+ properties: + boundaryGeoField: + minLength: 1 + type: string + boundaryIndexId: + minLength: 1 + type: string + boundaryIndexQuery: + nullable: true + boundaryIndexTitle: + minLength: 1 + type: string + boundaryNameField: + minLength: 1 + type: string + boundaryType: + minLength: 1 + type: string + dateField: + minLength: 1 + type: string + entity: + minLength: 1 + type: string + geoField: + minLength: 1 + type: string + index: + minLength: 1 + type: string + indexId: + minLength: 1 + type: string + indexQuery: + nullable: true + required: + - index + - indexId + - geoField + - entity + - dateField + - boundaryType + - boundaryIndexTitle + - boundaryIndexId + - boundaryGeoField + - indexQuery + - boundaryIndexQuery + title: Geo Containment Rule Params + type: object + rule_type_id: + enum: + - .geo-containment + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Geo containment + type: object + Kibana_HTTP_APIs_get_agent_policy_outputs_response: + additionalProperties: false + properties: + item: + additionalProperties: false + type: object + properties: + agentPolicyId: + type: string + data: + additionalProperties: false + type: object + properties: + integrations: + items: + additionalProperties: false + type: object + properties: + id: + type: string + integrationPolicyName: + type: string + name: + type: string + pkgName: + type: string + maxItems: 1000 + type: array + output: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + required: + - id + - name + required: + - output + monitoring: + additionalProperties: false + type: object + properties: + output: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + required: + - id + - name + required: + - output + required: + - monitoring + - data + required: + - item + title: get_agent_policy_outputs_response + type: object + Kibana_HTTP_APIs_get_agent_policy_response: + additionalProperties: false + properties: + item: + $ref: '#/components/schemas/Kibana_HTTP_APIs_agent_policy_response' + required: + - item + title: get_agent_policy_response + type: object + Kibana_HTTP_APIs_get_bulk_assets_request: + additionalProperties: false + properties: + assetIds: + items: + additionalProperties: false + type: object + properties: + id: + type: string + type: + type: string + required: + - id + - type + maxItems: 10000 + type: array + required: + - assetIds + title: get_bulk_assets_request + type: object + Kibana_HTTP_APIs_get_bulk_assets_response: + additionalProperties: false + properties: + items: + items: + additionalProperties: false + type: object + properties: + appLink: + type: string + attributes: + additionalProperties: false + type: object + 
properties: + description: + type: string + service: + type: string + title: + type: string + id: + type: string + type: + type: string + updatedAt: + type: string + required: + - id + - type + - attributes + maxItems: 10000 + type: array + required: + - items + title: get_bulk_assets_response + type: object + Kibana_HTTP_APIs_get_categories_response: + additionalProperties: false + properties: + items: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_category_summary_item' + maxItems: 10000 + type: array + required: + - items + title: get_categories_response + type: object + Kibana_HTTP_APIs_get_data_streams_response: + additionalProperties: false + properties: + items: + items: + additionalProperties: false + type: object + properties: + name: + type: string + required: + - name + maxItems: 10000 + type: array + required: + - items + title: get_data_streams_response + type: object + Kibana_HTTP_APIs_get_dependencies_response: + additionalProperties: false + properties: + items: + items: + additionalProperties: false + type: object + properties: + name: + type: string + title: + type: string + version: + type: string + required: + - name + - version + - title + maxItems: 1000 + type: array + required: + - items + title: get_dependencies_response + type: object + Kibana_HTTP_APIs_get_full_agent_policy_response: + additionalProperties: false + properties: + item: + anyOf: + - type: string + - $ref: '#/components/schemas/Kibana_HTTP_APIs_full_agent_policy' + required: + - item + title: get_full_agent_policy_response + type: object + Kibana_HTTP_APIs_get_info_response: + additionalProperties: false + properties: + item: + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_package_info' + metadata: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_metadata' + required: + - item + title: get_info_response + type: object + Kibana_HTTP_APIs_get_inputs_response: + additionalProperties: false + properties: + connectors: + additionalProperties: + nullable: true + 
type: object + exporters: + additionalProperties: + nullable: true + type: object + extensions: + additionalProperties: + nullable: true + type: object + inputs: + items: + additionalProperties: false + type: object + properties: + id: + type: string + streams: + items: + additionalProperties: true + type: object + properties: + data_stream: + additionalProperties: true + type: object + properties: + dataset: + type: string + type: + type: string + required: + - dataset + id: + type: string + required: + - id + - data_stream + maxItems: 10000 + type: array + type: + type: string + required: + - id + - type + maxItems: 10000 + type: array + processors: + additionalProperties: + nullable: true + type: object + receivers: + additionalProperties: + nullable: true + type: object + service: + additionalProperties: false + type: object + properties: + extensions: + items: + type: string + maxItems: 1000 + type: array + pipelines: + additionalProperties: + additionalProperties: false + type: object + properties: + exporters: + items: + type: string + maxItems: 1000 + type: array + processors: + items: + type: string + maxItems: 1000 + type: array + receivers: + items: + type: string + maxItems: 1000 + type: array + type: object + required: + - inputs + title: get_inputs_response + type: object + Kibana_HTTP_APIs_get_installed_packages_response: + additionalProperties: false + properties: + items: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_installed_package' + maxItems: 10000 + type: array + searchAfter: + items: + anyOf: + - type: string + - type: number + - type: boolean + - nullable: true + nullable: true + maxItems: 2 + type: array + total: + type: number + required: + - items + - total + title: get_installed_packages_response + type: object + Kibana_HTTP_APIs_get_k8s_manifest_response: + additionalProperties: false + properties: + item: + type: string + required: + - item + title: get_k8s_manifest_response + type: object + 
Kibana_HTTP_APIs_get_limited_packages_response: + additionalProperties: false + properties: + items: + items: + type: string + maxItems: 10000 + type: array + required: + - items + title: get_limited_packages_response + type: object + Kibana_HTTP_APIs_get_list_agent_policy_outputs_request: + additionalProperties: false + properties: + ids: + description: list of package policy ids + items: + type: string + maxItems: 1000 + type: array + required: + - ids + title: get_list_agent_policy_outputs_request + type: object + Kibana_HTTP_APIs_get_list_agent_policy_outputs_response: + additionalProperties: false + properties: + items: + items: + additionalProperties: false + type: object + properties: + agentPolicyId: + type: string + data: + additionalProperties: false + type: object + properties: + integrations: + items: + additionalProperties: false + type: object + properties: + id: + type: string + integrationPolicyName: + type: string + name: + type: string + pkgName: + type: string + maxItems: 1000 + type: array + output: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + required: + - id + - name + required: + - output + monitoring: + additionalProperties: false + type: object + properties: + output: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + required: + - id + - name + required: + - output + required: + - monitoring + - data + maxItems: 10000 + type: array + required: + - items + title: get_list_agent_policy_outputs_response + type: object + Kibana_HTTP_APIs_get_one_bulk_operation_packages_response: + additionalProperties: false + properties: + error: + additionalProperties: false + type: object + properties: + message: + type: string + required: + - message + results: + items: + additionalProperties: false + type: object + properties: + error: + additionalProperties: false + type: object + properties: + message: + type: string + required: + - message 
+ name: + type: string + success: + type: boolean + required: + - name + - success + maxItems: 10000 + type: array + status: + type: string + required: + - status + title: get_one_bulk_operation_packages_response + type: object + Kibana_HTTP_APIs_get_package_info: + additionalProperties: true + properties: + agent: + additionalProperties: false + type: object + properties: + privileges: + additionalProperties: false + type: object + properties: + root: + type: boolean + asset_tags: + items: + additionalProperties: false + type: object + properties: + asset_ids: + items: + type: string + maxItems: 1000 + type: array + asset_types: + items: + type: string + maxItems: 100 + type: array + text: + type: string + required: + - text + maxItems: 1000 + type: array + assets: + additionalProperties: + nullable: true + type: object + categories: + items: + type: string + maxItems: 100 + type: array + conditions: + additionalProperties: true + type: object + properties: + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + elastic: + additionalProperties: true + type: object + properties: + capabilities: + items: + type: string + maxItems: 10 + type: array + subscription: + type: string + kibana: + additionalProperties: true + type: object + properties: + version: + type: string + data_streams: + items: + additionalProperties: + nullable: true + type: object + maxItems: 1000 + type: array + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + description: + type: string + discovery: + additionalProperties: true + type: object + properties: + datasets: + items: + additionalProperties: true + type: object + properties: + name: + type: string + required: + - name + maxItems: 100 + type: array + fields: + items: + additionalProperties: true + type: object + properties: + name: + type: string + required: + - name + maxItems: 100 + type: array + download: + type: string + elasticsearch: + additionalProperties: + nullable: true + 
type: object + format_version: + type: string + icons: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_icon' + maxItems: 100 + type: array + installationInfo: + $ref: '#/components/schemas/Kibana_HTTP_APIs_installation_info' + internal: + type: boolean + keepPoliciesUpToDate: + type: boolean + latestVersion: + type: string + license: + type: string + licensePath: + type: string + name: + type: string + notice: + type: string + owner: + additionalProperties: true + type: object + properties: + github: + type: string + type: + enum: + - elastic + - partner + - community + type: string + path: + type: string + policy_templates: + items: + additionalProperties: + nullable: true + type: object + maxItems: 1000 + type: array + readme: + type: string + release: + enum: + - ga + - beta + - experimental + type: string + screenshots: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_icon' + maxItems: 100 + type: array + signature_path: + type: string + source: + additionalProperties: true + type: object + properties: + license: + type: string + required: + - license + status: + type: string + title: + type: string + type: + anyOf: + - enum: + - integration + type: string + - enum: + - input + type: string + - enum: + - content + type: string + - type: string + var_groups: + items: + additionalProperties: true + type: object + properties: + description: + type: string + name: + type: string + options: + items: + additionalProperties: true + type: object + properties: + description: + type: string + hide_in_deployment_modes: + items: + enum: + - default + - agentless + type: string + maxItems: 2 + type: array + name: + type: string + title: + type: string + vars: + items: + type: string + maxItems: 100 + type: array + required: + - name + - title + - vars + maxItems: 100 + type: array + selector_title: + type: string + title: + type: string + required: + - name + - title + - selector_title + - options + maxItems: 100 + type: array + vars: + items: 
+ additionalProperties: + nullable: true + type: object + maxItems: 1000 + type: array + version: + type: string + required: + - name + - version + - title + - assets + title: get_package_info + type: object + Kibana_HTTP_APIs_get_packages_response: + additionalProperties: false + properties: + items: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_list_item' + maxItems: 10000 + type: array + required: + - items + title: get_packages_response + type: object + Kibana_HTTP_APIs_get_stats_response: + additionalProperties: false + properties: + response: + additionalProperties: false + type: object + properties: + agent_policy_count: + type: number + package_policy_count: + type: number + required: + - agent_policy_count + - package_policy_count + required: + - response + title: get_stats_response + type: object + Kibana_HTTP_APIs_get_verification_key_id_response: + additionalProperties: false + properties: + id: + nullable: true + type: string + required: + - id + title: get_verification_key_id_response + type: object + Kibana_HTTP_APIs_gradientColorMapping: + additionalProperties: false + description: Gradient color mapping across categorical values. + properties: + gradient: + items: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorFromPalette' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_color_code' + maxItems: 3 + type: array + mapping: + items: + additionalProperties: false + type: object + properties: + values: + items: + anyOf: + - type: string + - type: number + - $ref: '#/components/schemas/Kibana_HTTP_APIs_range_key' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_multi_field_key' + maxItems: 100 + type: array + required: + - values + maxItems: 100 + type: array + mode: + enum: + - gradient + type: string + palette: + description: 'Color palette name. Accepted values: ''default'', ''elastic_line_optimized'', ''severity'', ''eui_amsterdam'', ''kibana_v7_legacy'', ''elastic_brand_2023''. Defaults to `default`.' 
+ type: string + sort: + description: Sort direction + enum: + - asc + - desc + type: string + unassigned: + $ref: '#/components/schemas/Kibana_HTTP_APIs_unassignedColorSchema' + required: + - mode + - palette + title: Gradient Color Mapping + type: object + Kibana_HTTP_APIs_heatmapAxes: + additionalProperties: false + description: Axis configuration for X and Y axes + properties: + x: + $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapXAxis' + 'y': + $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapYAxis' + title: Axes + type: object + Kibana_HTTP_APIs_heatmapCells: + additionalProperties: false + description: Cells configuration + properties: + labels: + additionalProperties: false + type: object + properties: + visible: + description: Show cell labels + type: boolean + title: Cells + type: object + Kibana_HTTP_APIs_heatmapESQL: + additionalProperties: false + description: Heatmap configuration using an ES|QL query. + properties: + axis: + $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapAxes' + data_source: + $ref: '#/components/schemas/Kibana_HTTP_APIs_esqlDataSource' + description: + type: string + drilldowns: + items: + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. 
+ type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + hide_border: + type: boolean + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. + type: boolean + legend: + $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapLegend' + metric: + additionalProperties: false + type: object + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color scale configuration for the heatmap cells. 
+ column: + description: Column to use + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + required: + - column + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). + maximum: 1 + minimum: 0 + type: number + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapStyling' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + type: + enum: + - heatmap + type: string + x: + additionalProperties: false + type: object + properties: + column: + description: Column to use + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + required: + - column + 'y': + additionalProperties: false + type: object + properties: + column: + description: Column to use + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + required: + - column + required: + - type + - x + - data_source + - metric + title: Heatmap Chart (ES|QL) + type: object + Kibana_HTTP_APIs_heatmapLegend: + additionalProperties: false + description: Legend configuration + properties: + position: + enum: + - top + - bottom + - left + - right + type: string + size: + $ref: '#/components/schemas/Kibana_HTTP_APIs_legendSize' + truncate_after_lines: + description: Number of lines before legend items are truncated. + maximum: 10 + minimum: 1 + title: legendTruncateAfterLines + type: number + visibility: + description: Legend visibility. 
+ enum: + - visible + - hidden + type: string + title: Legend + type: object + Kibana_HTTP_APIs_heatmapMetricCounterRate: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color scale configuration for the heatmap cells. + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - counter_rate + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Counter Rate Operation + type: object + Kibana_HTTP_APIs_heatmapMetricCountMetric: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color scale configuration for the heatmap cells. + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - operation + title: Count Metric Operation + type: object + Kibana_HTTP_APIs_heatmapMetricCumulativeSum: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color scale configuration for the heatmap cells. 
+ field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - cumulative_sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Cumulative Sum Operation + type: object + Kibana_HTTP_APIs_heatmapMetricDifferences: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color scale configuration for the heatmap cells. 
+ filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - differences + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - operation + - of + title: Differences Operation + type: object + Kibana_HTTP_APIs_heatmapMetricFormula: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color scale configuration for the heatmap cells. + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + formula: + description: Formula + type: string + label: + description: Label for the operation + type: string + operation: + enum: + - formula + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + description: Time scale + enum: + - s + - m + - h + - d + type: string + required: + - operation + - formula + title: Formula Operation + type: object + Kibana_HTTP_APIs_heatmapMetricLastValue: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color scale configuration for the heatmap cells. 
+ field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + multi_value: + default: false + description: Whether to return all values for multi-value fields. Only affects data table and metric charts; other charts use the last value from the array. + type: boolean + operation: + enum: + - last_value + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_field: + description: Time field used to determine document recency + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + - time_field + title: Last Value Operation + type: object + Kibana_HTTP_APIs_heatmapMetricMovingAverage: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color scale configuration for the heatmap cells. 
+ filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - moving_average + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + window: + default: 5 + description: Window + type: number + required: + - operation + - of + title: Moving Average Operation + type: object + Kibana_HTTP_APIs_heatmapMetricPercentile: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color scale configuration for the heatmap cells. 
+ field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - percentile + type: string + percentile: + default: 95 + description: Percentile + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Percentile Operation + type: object + Kibana_HTTP_APIs_heatmapMetricPercentileRanks: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color scale configuration for the heatmap cells. 
+ field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - percentile_rank + type: string + rank: + default: 0 + description: Percentile Rank + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Percentile Ranks Operation + type: object + Kibana_HTTP_APIs_heatmapMetricStatsMetric: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color scale configuration for the heatmap cells. 
+ field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - min + - max + - average + - median + - standard_deviation + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Stats Metric Operation + type: object + Kibana_HTTP_APIs_heatmapMetricSumMetric: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color scale configuration for the heatmap cells. + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Sum Metric Operation + type: object + Kibana_HTTP_APIs_heatmapMetricUniqueCountMetric: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color scale configuration for the heatmap cells. + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. + type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - unique_count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Unique Count Metric Operation + type: object + Kibana_HTTP_APIs_heatmapNoESQL: + additionalProperties: false + description: Heatmap configuration using a data view. 
+ properties: + axis: + $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapAxes' + data_source: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' + description: + type: string + drilldowns: + items: + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. + type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. 
Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + hide_border: + type: boolean + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. + type: boolean + legend: + $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapLegend' + metric: + anyOf: + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapMetricCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapMetricUniqueCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapMetricStatsMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapMetricSumMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapMetricLastValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapMetricPercentile' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapMetricPercentileRanks' + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapMetricDifferences' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapMetricMovingAverage' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapMetricCumulativeSum' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapMetricCounterRate' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapMetricFormula' + query: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). 
+ maximum: 1 + minimum: 0 + type: number + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapStyling' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + type: + enum: + - heatmap + type: string + x: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_dateHistogramOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_histogramOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rangesOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_filtersOperation' + description: Breakdown dimension configuration using date histogram, terms, numeric histogram, value ranges, or custom filters. + title: Breakdown Operation + 'y': + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_dateHistogramOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_histogramOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rangesOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_filtersOperation' + description: Breakdown dimension configuration using date histogram, terms, numeric histogram, value ranges, or custom filters. 
+ title: Breakdown Operation + required: + - type + - x + - data_source + - metric + title: Heatmap Chart (DSL) + type: object + Kibana_HTTP_APIs_heatmapStyling: + additionalProperties: false + description: Visual chart styling options + properties: + cells: + $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapCells' + title: Heatmap styling + type: object + Kibana_HTTP_APIs_heatmapXAxis: + additionalProperties: false + description: X axis configuration + properties: + labels: + additionalProperties: false + type: object + properties: + orientation: + $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_orientation' + visible: + description: Show axis labels + type: boolean + scale: + description: X-axis scale type. Use 'temporal' for timestamp/date fields (for example, @timestamp or DATE_TRUNC results). Use 'ordinal' for categorical/text fields. Use 'linear' for numeric fields. + enum: + - ordinal + - temporal + - linear + type: string + sort: + description: Axis sort order; omit or use undefined for no sorting + enum: + - asc + - desc + type: string + title: + additionalProperties: false + type: object + properties: + text: + description: Axis title text. + type: string + visible: + description: When `true`, displays the title. + type: boolean + required: + - scale + title: X Axis + type: object + Kibana_HTTP_APIs_heatmapYAxis: + additionalProperties: false + description: Y axis configuration + properties: + labels: + additionalProperties: false + type: object + properties: + visible: + description: Show axis labels + type: boolean + sort: + description: Axis sort order; omit or use undefined for no sorting + enum: + - asc + - desc + type: string + title: + additionalProperties: false + type: object + properties: + text: + description: Axis title text. + type: string + visible: + description: When `true`, displays the title. 
+ type: boolean + title: Y Axis + type: object + Kibana_HTTP_APIs_histogramOperation: + additionalProperties: false + properties: + field: + description: Field to be used for the histogram. + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + granularity: + anyOf: + - description: Granularity of the histogram. + maximum: 7 + minimum: 1 + type: number + - enum: + - auto + type: string + default: auto + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. + type: boolean + label: + description: Label for the operation + type: string + operation: + enum: + - histogram + type: string + required: + - operation + - field + title: Histogram Operation + type: object + Kibana_HTTP_APIs_index-threshold-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_alert_delay' + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. 
While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the index threshold rule. These parameters are appropriate when `rule_type_id` is `.index-threshold`. + properties: + aggField: + description: The name of the numeric field that is used in the aggregation. This property is required when `aggType` is `avg`, `max`, `min` or `sum`. + minLength: 1 + type: string + aggType: + default: count + description: The type of aggregation to perform. + type: string + filterKuery: + description: A Kibana Query Language (KQL) expression thats limits the scope of alerts. + type: string + groupBy: + default: all + description: Indicates whether the aggregation is applied over all documents (`all`) or split into groups (`top`) using a grouping field (`termField`). If grouping is used, an alert will be created for each group when it exceeds the threshold; only the top groups (up to `termSize` number of groups) are checked. 
+ type: string + index: + anyOf: + - minLength: 1 + type: string + - items: + minLength: 1 + type: string + minItems: 1 + type: array + description: The indices to query. + termField: + description: The names of up to four fields that are used for grouping the aggregation. This property is required when `groupBy` is `top`. + minLength: 1 + type: string + termSize: + description: This property is required when `groupBy` is `top`. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields. + minimum: 1 + type: number + threshold: + items: + type: number + maxItems: 2 + minItems: 1 + type: array + thresholdComparator: + description: 'The comparison function for the threshold. For example: greater than, less than, greater than or equal to, between, or not between.' + enum: + - '>' + - < + - '>=' + - <= + - between + - notBetween + type: string + timeField: + description: The field that is used to calculate the time window. + minLength: 1 + type: string + timeWindowSize: + description: The size of the time window (in `timeWindowUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection. + minimum: 1 + type: number + timeWindowUnit: + description: 'The type of units for the time window. For example: seconds, minutes, hours, or days.' + type: string + required: + - index + - timeField + - timeWindowSize + - timeWindowUnit + - thresholdComparator + - threshold + title: Index Threshold Rule Params + type: object + rule_type_id: + enum: + - .index-threshold + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. 
+ type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: type: string - responses: - '200': - content: - application/json: - examples: - getSloResponse: - summary: Get SLO response - value: - budgetingMethod: occurrences - createdAt: '2025-01-12T10:03:19.000Z' - description: Availability of my web service - enabled: true - groupBy: '*' - id: 8853df00-ae2e-11ed-90af-09bb6422b258 - indicator: - params: - filter: >- - field.environment : "production" and service.name : - "my-service" - good: 'request.status_code : "2xx"' - index: logs-* - timestampField: '@timestamp' - total: 'request.status_code : *' - type: sli.kql.custom - instanceId: '*' - name: My Service Availability - objective: - target: 0.99 - revision: 1 - settings: - frequency: 5m - syncDelay: 5m - summary: - errorBudget: - consumed: 0.17 - initial: 0.01 - isEstimated: false - remaining: 0.83 - sliValue: 0.9983 - status: HEALTHY - tags: - - production - - web-service - timeWindow: - duration: 30d - type: rolling - updatedAt: '2025-01-12T10:03:19.000Z' - version: 2 - schema: - $ref: '#/components/schemas/SLOs_slo_with_summary_response' - description: Successful request - '400': - content: - application/json: - examples: - badRequestExample: - summary: Bad request - value: - error: Bad Request - message: 'Invalid value ''foo'' supplied to: id' - statusCode: 400 - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json: - examples: - unauthorizedExample: - summary: Unauthorized - value: - error: Unauthorized - message: >- - security_exception: unable to authenticate user for REST - request [/api/observability/slos] - statusCode: 401 - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json: - examples: - forbiddenExample: - summary: Forbidden - value: - error: Forbidden - message: >- - security_exception: action 
[slo_read] is unauthorized for - user - statusCode: 403 - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Forbidden response - '404': - content: - application/json: - examples: - notFoundExample: - summary: Not found - value: - error: Not Found - message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found - statusCode: 404 - schema: - $ref: '#/components/schemas/SLOs_404_response' - description: Not found response - summary: Get an SLO - tags: - - slo - put: - description: > - You must have the `write` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. - operationId: updateSloOp - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - - $ref: '#/components/parameters/SLOs_slo_id' - requestBody: - content: - application/json: - examples: - updateSloNameExample: - summary: Update the SLO name and tags - value: - name: Updated Service Availability - tags: - - production - - updated - updateSloObjectiveExample: - summary: Update the SLO objective - value: - objective: - target: 0.995 - schema: - $ref: '#/components/schemas/SLOs_update_slo_request' - required: true - responses: - '200': - content: - application/json: - examples: - updateSloResponse: - summary: Update SLO response - value: - budgetingMethod: occurrences - createdAt: '2025-01-12T10:03:19.000Z' - description: Availability of my web service - enabled: true - groupBy: '*' - id: 8853df00-ae2e-11ed-90af-09bb6422b258 - indicator: - params: - filter: >- - field.environment : "production" and service.name : - "my-service" - good: 'request.status_code : "2xx"' - index: logs-* - timestampField: '@timestamp' - total: 'request.status_code : *' - type: sli.kql.custom - name: Updated Service Availability - objective: - target: 0.99 - revision: 2 - settings: - frequency: 5m - syncDelay: 5m - tags: - - production - - updated - timeWindow: - duration: 30d - type: rolling - updatedAt: 
'2025-03-26T14:30:00.000Z' - version: 2 - schema: - $ref: '#/components/schemas/SLOs_slo_definition_response' - description: Successful request - '400': - content: - application/json: - examples: - badRequestExample: - summary: Bad request - value: - error: Bad Request - message: 'Invalid value ''foo'' supplied to: indicator/type' - statusCode: 400 - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json: - examples: - unauthorizedExample: - summary: Unauthorized - value: - error: Unauthorized - message: >- - security_exception: unable to authenticate user for REST - request [/api/observability/slos] - statusCode: 401 - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json: - examples: - forbiddenExample: - summary: Forbidden - value: - error: Forbidden - message: >- - security_exception: action [slo_write] is unauthorized for - user - statusCode: 403 - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Forbidden response - '404': - content: - application/json: - examples: - notFoundExample: - summary: Not found - value: - error: Not Found - message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found - statusCode: 404 - schema: - $ref: '#/components/schemas/SLOs_404_response' - description: Not found response - summary: Update an SLO - tags: - - slo - /s/{spaceId}/api/observability/slos/{sloId}/_reset: - post: - description: > - You must have the `write` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. 
- operationId: resetSloOp - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - - $ref: '#/components/parameters/SLOs_slo_id' - responses: - '200': - content: - application/json: - examples: - resetSloResponse: - summary: Reset SLO response - value: - budgetingMethod: occurrences - createdAt: '2025-01-12T10:03:19.000Z' - description: Availability of my web service - enabled: true - groupBy: '*' - id: 8853df00-ae2e-11ed-90af-09bb6422b258 - indicator: - params: - filter: >- - field.environment : "production" and service.name : - "my-service" - good: 'request.status_code : "2xx"' - index: logs-* - timestampField: '@timestamp' - total: 'request.status_code : *' - type: sli.kql.custom - name: My Service Availability - objective: - target: 0.99 - revision: 2 - settings: - frequency: 5m - syncDelay: 5m - tags: - - production - - web-service - timeWindow: - duration: 30d - type: rolling - updatedAt: '2025-03-26T14:30:00.000Z' - version: 2 - schema: - $ref: '#/components/schemas/SLOs_slo_definition_response' - description: Successful request - '400': - content: - application/json: - examples: - badRequestExample: - summary: Bad request - value: - error: Bad Request - message: 'Invalid value ''foo'' supplied to: id' - statusCode: 400 - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json: - examples: - unauthorizedExample: - summary: Unauthorized - value: - error: Unauthorized - message: >- - security_exception: unable to authenticate user for REST - request [/api/observability/slos] - statusCode: 401 - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json: - examples: - forbiddenExample: - summary: Forbidden - value: - error: Forbidden - message: >- - security_exception: action [slo_write] is unauthorized for - user - statusCode: 403 - schema: - $ref: 
'#/components/schemas/SLOs_403_response' - description: Forbidden response - '404': - content: - application/json: - examples: - notFoundExample: - summary: Not found - value: - error: Not Found - message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found - statusCode: 404 - schema: - $ref: '#/components/schemas/SLOs_404_response' - description: Not found response - summary: Reset an SLO - tags: - - slo - /s/{spaceId}/api/observability/slos/{sloId}/disable: - post: - description: > - You must have the `write` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. - operationId: disableSloOp - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - - $ref: '#/components/parameters/SLOs_slo_id' - responses: - '204': - description: Successful request - '400': - content: - application/json: - examples: - badRequestExample: - summary: Bad request - value: - error: Bad Request - message: 'Invalid value ''foo'' supplied to: id' - statusCode: 400 - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json: - examples: - unauthorizedExample: - summary: Unauthorized - value: - error: Unauthorized - message: >- - security_exception: unable to authenticate user for REST - request [/api/observability/slos] - statusCode: 401 - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json: - examples: - forbiddenExample: - summary: Forbidden - value: - error: Forbidden - message: >- - security_exception: action [slo_write] is unauthorized for - user - statusCode: 403 - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Forbidden response - '404': - content: - application/json: - examples: - notFoundExample: - summary: Not found - value: - error: Not Found - message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not 
found - statusCode: 404 - schema: - $ref: '#/components/schemas/SLOs_404_response' - description: Not found response - summary: Disable an SLO - tags: - - slo - /s/{spaceId}/api/observability/slos/{sloId}/enable: - post: - description: > - You must have the `write` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. - operationId: enableSloOp - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - - $ref: '#/components/parameters/SLOs_slo_id' - responses: - '204': - description: Successful request - '400': - content: - application/json: - examples: - badRequestExample: - summary: Bad request - value: - error: Bad Request - message: 'Invalid value ''foo'' supplied to: id' - statusCode: 400 - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json: - examples: - unauthorizedExample: - summary: Unauthorized - value: - error: Unauthorized - message: >- - security_exception: unable to authenticate user for REST - request [/api/observability/slos] - statusCode: 401 - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json: - examples: - forbiddenExample: - summary: Forbidden - value: - error: Forbidden - message: >- - security_exception: action [slo_write] is unauthorized for - user - statusCode: 403 - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Forbidden response - '404': - content: - application/json: - examples: - notFoundExample: - summary: Not found - value: - error: Not Found - message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found - statusCode: 404 - schema: - $ref: '#/components/schemas/SLOs_404_response' - description: Not found response - summary: Enable an SLO - tags: - - slo - /s/{spaceId}/internal/observability/slos/_definitions: - get: - description: > - You must have 
the `read` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. - operationId: getDefinitionsOp - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - - description: >- - Indicates if the API returns only outdated SLO or all SLO - definitions - in: query - name: includeOutdatedOnly - schema: - type: boolean - - description: Indicates if the API returns SLO health data with definitions - example: true - in: query - name: includeHealth - schema: - type: boolean - - description: Filters the SLOs by tag - in: query - name: tags - schema: + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Index threshold + type: object + Kibana_HTTP_APIs_IngestStreamLifecycle: + anyOf: + - additionalProperties: false + type: object + properties: + dsl: + additionalProperties: false + type: object + properties: + data_retention: + description: A non-empty string. + minLength: 1 + type: string + downsample: + items: + type: object + properties: + after: + description: A non-empty string. + minLength: 1 + type: string + fixed_interval: + description: A non-empty string. + minLength: 1 + type: string + required: + - after + - fixed_interval + type: array + required: + - dsl + - additionalProperties: false + type: object + properties: + ilm: + additionalProperties: false + type: object + properties: + policy: + description: A non-empty string. 
+ minLength: 1 + type: string + required: + - policy + required: + - ilm + - additionalProperties: false + type: object + properties: + inherit: + additionalProperties: false + type: object + properties: {} + required: + - inherit + Kibana_HTTP_APIs_install_kibana_assets_request: + additionalProperties: false + properties: + force: + type: boolean + space_ids: + description: When provided, assets are installed in the specified spaces instead of the current space. + items: + type: string + maxItems: 100 + minItems: 1 + type: array + title: install_kibana_assets_request + type: object + Kibana_HTTP_APIs_install_kibana_assets_response: + additionalProperties: false + properties: + success: + type: boolean + required: + - success + title: install_kibana_assets_response + type: object + Kibana_HTTP_APIs_install_package_from_registry_request: + additionalProperties: false + properties: + force: + default: false + type: boolean + ignore_constraints: + default: false + type: boolean + title: install_package_from_registry_request + type: object + Kibana_HTTP_APIs_install_package_response: + additionalProperties: false + properties: + _meta: + additionalProperties: false + type: object + properties: + install_source: + type: string + name: + type: string + required: + - install_source + - name + items: + items: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kibana_asset_reference' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_es_asset_reference' + maxItems: 10000 + type: array + required: + - items + - _meta + title: install_package_response + type: object + Kibana_HTTP_APIs_install_rule_assets_request: + additionalProperties: false + properties: + force: + type: boolean + title: install_rule_assets_request + type: object + Kibana_HTTP_APIs_installation_info: + additionalProperties: true + properties: + additional_spaces_installed_kibana: + additionalProperties: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kibana_asset_reference' + maxItems: 100 + 
type: array + type: object + created_at: + type: string + experimental_data_stream_features: + items: + additionalProperties: true + type: object + properties: + data_stream: + type: string + features: + additionalProperties: true + type: object + properties: + doc_value_only_numeric: + type: boolean + doc_value_only_other: + type: boolean + synthetic_source: + type: boolean + tsdb: + type: boolean + required: + - data_stream + - features + maxItems: 100 + type: array + install_format_schema_version: + type: string + install_source: + enum: + - registry + - upload + - bundled + - custom + type: string + install_status: + enum: + - installed + - installing + - install_failed + type: string + installed_es: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_es_asset_reference' + maxItems: 10000 + type: array + installed_kibana: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kibana_asset_reference' + maxItems: 10000 + type: array + installed_kibana_space_id: + type: string + is_rollback_ttl_expired: + type: boolean + latest_executed_state: + additionalProperties: true + type: object + properties: + error: + type: string + name: + type: string + started_at: + type: string + latest_install_failed_attempts: + items: + additionalProperties: true + type: object + properties: + created_at: + type: string + error: + additionalProperties: true + type: object + properties: + message: + type: string + name: + type: string + stack: + type: string + required: + - name + - message + target_version: + type: string + required: + - created_at + - target_version + - error + maxItems: 10 + type: array + name: + type: string + namespaces: + items: + type: string + maxItems: 100 + type: array + previous_version: + nullable: true + type: string + rolled_back: + type: boolean + type: + type: string + updated_at: + type: string + verification_key_id: + nullable: true + type: string + verification_status: + enum: + - unverified + - verified + - unknown + type: string + version: 
+ type: string + required: + - type + - installed_kibana + - installed_es + - name + - version + - install_status + - install_source + - verification_status + title: installation_info + type: object + Kibana_HTTP_APIs_installed_package: + additionalProperties: false + properties: + dataStreams: + items: + additionalProperties: false + type: object + properties: + name: + type: string + title: + type: string + required: + - name + - title + maxItems: 10000 + type: array + description: + type: string + icons: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_icon' + maxItems: 100 + type: array + name: + type: string + status: + type: string + title: + type: string + version: + type: string + required: + - name + - version + - status + - dataStreams + title: installed_package + type: object + Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeConditionFilterSchema: + additionalProperties: false + description: A filter that evaluates a single field condition such as equality, range, or existence. + properties: + condition: + description: A filter condition with strict operator/value type matching. 
+ discriminator: + mapping: + exists: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_exists' + is: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_is' + is_one_of: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_is_one_of' + range: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_range' + propertyName: operator + oneOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_is' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_is_one_of' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_range' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_exists' + controlled_by: + description: Identifier of the panel that manages this filter. When set, the filter is treated as owned by that panel. + type: string + data_view_id: + description: Identifier of the data view used as context for this filter. + type: string + disabled: + description: When `true`, the filter is inactive and does not affect query results. Defaults to `false`. + type: boolean + is_multi_index: + description: When `true`, the filter can be applied across multiple indices. Defaults to `false`. + type: boolean + label: + description: Human-readable label for the filter, used for display purposes. + type: string + negate: + description: When `true`, the filter is negated and matches documents that do NOT satisfy the condition. Defaults to `false`. 
+ type: boolean + type: + enum: + - condition + type: string + required: + - type + - condition + title: condition + type: object + Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeDSLFilterSchema: + additionalProperties: false + description: A filter expressed as a raw [Elasticsearch Query DSL](https://www.elastic.co/docs/reference/query-languages/querydsl) object, used for queries that cannot be represented by condition or group filters. + properties: + controlled_by: + description: Identifier of the panel that manages this filter. When set, the filter is treated as owned by that panel. + type: string + data_view_id: + description: Identifier of the data view used as context for this filter. + type: string + disabled: + description: When `true`, the filter is inactive and does not affect query results. Defaults to `false`. + type: boolean + dsl: + additionalProperties: + nullable: true + description: Elasticsearch Query DSL object passed directly to the query. + type: object + field: + description: Field name for scripted filters where the field cannot be extracted from the DSL query. + type: string + is_multi_index: + description: When `true`, the filter can be applied across multiple indices. Defaults to `false`. + type: boolean + label: + description: Human-readable label for the filter, used for display purposes. + type: string + negate: + description: When `true`, the filter is negated and matches documents that do NOT satisfy the condition. Defaults to `false`. + type: boolean + params: + description: Filter parameters metadata. May contain display values, formats, and parameters for scripted filters. + nullable: true + type: + enum: + - dsl + type: string + required: + - type + - dsl + - params + title: dsl + type: object + Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeGroupFilterSchema: + additionalProperties: false + description: A filter that combines multiple conditions or nested groups using a logical `and` or `or` operator. 
+ properties: + controlled_by: + description: Identifier of the panel that manages this filter. When set, the filter is treated as owned by that panel. + type: string + data_view_id: + description: Identifier of the data view used as context for this filter. + type: string + disabled: + description: When `true`, the filter is inactive and does not affect query results. Defaults to `false`. + type: boolean + group: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_groupFilter' + is_multi_index: + description: When `true`, the filter can be applied across multiple indices. Defaults to `false`. + type: boolean + label: + description: Human-readable label for the filter, used for display purposes. + type: string + negate: + description: When `true`, the filter is negated and matches documents that do NOT satisfy the condition. Defaults to `false`. + type: boolean + type: + enum: + - group + type: string + required: + - type + - group + title: group + type: object + Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeSpatialFilterSchema: + additionalProperties: false + description: A filter that applies an Elasticsearch geo query, used for geographic boundary and shape matching. + properties: + controlled_by: + description: Identifier of the panel that manages this filter. When set, the filter is treated as owned by that panel. + type: string + data_view_id: + description: Identifier of the data view used as context for this filter. + type: string + disabled: + description: When `true`, the filter is inactive and does not affect query results. Defaults to `false`. + type: boolean + dsl: + additionalProperties: + nullable: true + description: Elasticsearch geo query DSL object. + type: object + is_multi_index: + description: When `true`, the filter can be applied across multiple indices. Defaults to `false`. + type: boolean + label: + description: Human-readable label for the filter, used for display purposes. 
+ type: string + negate: + description: When `true`, the filter is negated and matches documents that do NOT satisfy the condition. Defaults to `false`. + type: boolean + type: + enum: + - spatial + type: string + required: + - type + - dsl + title: spatial + type: object + Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_exists: + additionalProperties: false + description: Matches documents where `field` exists and contains a non-null value. + properties: + field: + description: Name of the document field the condition evaluates. + type: string + negate: + description: When `true`, the filter is negated and matches documents that do NOT satisfy the condition. Defaults to `false`. + type: boolean + operator: + enum: + - exists + type: string + required: + - field + - operator + title: exists + type: object + Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_is: + additionalProperties: false + description: Matches documents where `field` equals a single specified value. + properties: + field: + description: Name of the document field the condition evaluates. + type: string + negate: + description: When `true`, the filter is negated and matches documents that do NOT satisfy the condition. Defaults to `false`. + type: boolean + operator: + enum: + - is + type: string + value: + anyOf: + - title: value + type: string + - title: value + type: number + - title: value + type: boolean + description: Single value to compare against the field. + required: + - field + - operator + - value + title: is + type: object + Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_is_one_of: + additionalProperties: false + description: Matches documents where `field` equals any value in a provided list. + properties: + field: + description: Name of the document field the condition evaluates. + type: string + negate: + description: When `true`, the filter is negated and matches documents that do NOT satisfy the condition. Defaults to `false`. 
+ type: boolean + operator: + enum: + - is_one_of + type: string + value: + anyOf: + - items: + type: string + maxItems: 10000 + type: array + - items: + type: number + maxItems: 10000 + type: array + - items: + type: boolean + maxItems: 10000 + type: array + description: Homogeneous array of values to match against the field. + required: + - field + - operator + - value + title: is_one_of + type: object + Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_range: + additionalProperties: false + description: Matches documents where `field` falls within a specified numeric or date range. + properties: + field: + description: Name of the document field the condition evaluates. + type: string + negate: + description: When `true`, the filter is negated and matches documents that do NOT satisfy the condition. Defaults to `false`. + type: boolean + operator: + enum: + - range + type: string + value: + additionalProperties: false + description: Boundary values for a range comparison. + type: object + properties: + format: + description: Elasticsearch [date format](https://www.elastic.co/docs/reference/elasticsearch/mapping-reference/mapping-date-format) string applied when parsing date boundary values. For example, `strict_date_optional_time` or `epoch_millis`. + type: string + gt: + anyOf: + - type: number + - type: string + description: Greater than. + gte: + anyOf: + - type: number + - type: string + description: Greater than or equal to. + lt: + anyOf: + - type: number + - type: string + description: Less than. + lte: + anyOf: + - type: number + - type: string + description: Less than or equal to. + required: + - field + - operator + - value + title: range + type: object + Kibana_HTTP_APIs_kbn-as-code-filters-schema_groupFilter: + additionalProperties: false + description: Logical group that combines one or more conditions or nested groups. + properties: + conditions: + description: Ordered list of conditions or nested groups combined by the group `operator`. 
+ items: + anyOf: + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_is' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_is_one_of' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_range' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_exists' + description: A filter condition with strict operator/value type matching. + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_groupFilter' + type: array + operator: + description: Logical operator applied across all entries in `conditions`. Use `and` to require all conditions, or `or` to require at least one. + enum: + - and + - or + type: string + required: + - operator + - conditions + title: kbn-as-code-filters-schema_groupFilter + type: object + Kibana_HTTP_APIs_kbn-as-code-meta: + additionalProperties: false + properties: + created_at: + description: Timestamp when the object was created (ISO 8601). + type: string + created_by: + description: User profile ID of the user who created the object. + type: string + managed: + description: When `true`, the object is managed by Kibana and cannot be edited by users. + type: boolean + owner: + description: Identifier of the plugin or team that owns this object. + type: string + updated_at: + description: Timestamp when the object was last updated (ISO 8601). + type: string + updated_by: + description: User profile ID of the user who last updated the object. + type: string + version: + description: Internal version identifier for optimistic concurrency control. + type: string + title: kbn-as-code-meta + type: object + Kibana_HTTP_APIs_kbn-as-code-query: + additionalProperties: false + description: A search query consisting of an expression and its language. Supports KQL and Lucene syntax. + properties: + expression: + description: A query expression in KQL or Lucene syntax. 
+ type: string + language: + description: Query language. Use `kql` for Kibana Query Language (KQL) or `lucene` for Lucene query syntax. + enum: + - kql + - lucene + type: string + required: + - expression + - language + title: Query + type: object + Kibana_HTTP_APIs_kbn-composite-runtime-field-schema: + additionalProperties: false + properties: + fields: + additionalProperties: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-field-setting' + type: object + script: + description: The script that defines the runtime field. This should be a painless script that computes the field value at query time. Runtime fields without a script retrieve values from _source. If the field doesn't exist in _source, a search request returns no value. + minLength: 1 + title: Script + type: string + type: + enum: + - composite + type: string + required: + - type + - fields + title: Composite runtime field + type: object + Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema: + additionalProperties: false + properties: + id: + type: string + name: + type: string + type: + type: string + required: + - name + - type + - id + title: kbn-content-management-utils-referenceSchema + type: object + Kibana_HTTP_APIs_kbn-controls-schemas-controls-group-schema-esql-control: + additionalProperties: false + description: An ES|QL variable control whose selected value is injected into ES|QL visualizations using the `?variable_name` syntax. Options can come from a fixed list or an ES|QL query. Define the options source in `config`. 
+ properties: + config: + discriminator: + mapping: + STATIC_VALUES: '#/components/schemas/Kibana_HTTP_APIs_kbn-controls-schemas-options-list-esql-control-schema-static-values' + VALUES_FROM_QUERY: '#/components/schemas/Kibana_HTTP_APIs_kbn-controls-schemas-options-list-esql-control-schema-values-from-query' + propertyName: control_type + oneOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-controls-schemas-options-list-esql-control-schema-static-values' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-controls-schemas-options-list-esql-control-schema-values-from-query' + grow: + default: false + description: When `true`, the control expands to fill any available horizontal space. Defaults to `false`. + type: boolean + id: + description: The unique ID of the control + type: string + type: + enum: + - esql_control + type: string + width: + default: medium + description: Minimum width of the control panel. + enum: + - small + - medium + - large + type: string + required: + - type + - config + title: esql_control + type: object + Kibana_HTTP_APIs_kbn-controls-schemas-controls-group-schema-options-list-control: + additionalProperties: false + description: A dropdown control that filters data by selecting field values from a data view. Define the data view, field, and selection settings in `config`. + properties: + config: + additionalProperties: false + type: object + properties: + data_view_id: + description: The ID of the data view that provides field options for this control. + minLength: 1 + type: string + display_settings: + additionalProperties: false + type: object + properties: + hide_action_bar: + description: When `true`, the search bar, sorting options, and select all toggle are hidden from the control. + type: boolean + hide_exclude: + description: When `true`, the exclude mode toggle is hidden from the control. + type: boolean + hide_exists: + description: When `true`, the exists filter option is hidden from the control. 
+ type: boolean + hide_sort: + description: When `true`, the sort selector is hidden from the control. + type: boolean + placeholder: + description: Placeholder text displayed in the control input when no option is selected. + type: string + exclude: + default: false + description: When `true`, the control filters to documents that do NOT match the selected options. Defaults to `false`. + type: boolean + exists_selected: + default: false + description: When `true`, the control filters to documents where the field exists, regardless of the field's value. Defaults to `false`. + type: boolean + field_name: + description: The name of the field in the data view that this control filters on. + minLength: 1 + type: string + ignore_validations: + default: false + description: When `true`, the control skips selection validation and does not report which selections are responsible for returning zero results. Defaults to `false`. + type: boolean + run_past_timeout: + default: false + description: When `true`, the options list query continues running even if it exceeds the configured timeout threshold. Defaults to `false`. + type: boolean + search_technique: + default: wildcard + description: The matching technique used when searching available options. `prefix` matches values starting with the search term, `wildcard` matches values containing the search term, and `exact` requires a complete match. Only applies to string and IP fields. Defaults to `wildcard`. + enum: + - prefix + - wildcard + - exact + type: string + selected_options: + default: [] + description: The list of currently selected option values. + items: + anyOf: + - type: string + - type: number + description: A selected option value. Accepts a string or a number. + maxItems: 10000 + type: array + single_select: + default: false + description: When `true`, only one option can be selected at a time. Selecting a new option deselects any previously selected option. Defaults to `false`. 
+ type: boolean + sort: + additionalProperties: false + default: + by: _count + direction: desc + description: 'Defines how the available options are sorted in the control popover. Defaults to `{ by: "_count", direction: "desc" }`.' + type: object + properties: + by: + description: The field used to sort the available options list. `_count` sorts by document count and `_key` sorts alphabetically by option value. + enum: + - _count + - _key + type: string + direction: + description: The sort direction. `asc` sorts ascending and `desc` sorts descending. + enum: + - asc + - desc + type: string + required: + - by + - direction + title: + description: A human-readable title for the control. + type: string + use_global_filters: + default: true + description: When `true`, the control's available options are narrowed by the page's active filters. Defaults to `true`. + type: boolean + required: + - data_view_id + - field_name + grow: + default: false + description: When `true`, the control expands to fill any available horizontal space. Defaults to `false`. + type: boolean + id: + description: The unique ID of the control + type: string + type: + enum: + - options_list_control + type: string + width: + default: medium + description: Minimum width of the control panel. + enum: + - small + - medium + - large + type: string + required: + - type + - config + title: options_list_control + type: object + Kibana_HTTP_APIs_kbn-controls-schemas-controls-group-schema-range-slider-control: + additionalProperties: false + description: A slider control that filters data by selecting a numeric range for the configured field. Define the data view, field, and selection settings in `config`. + properties: + config: + additionalProperties: false + type: object + properties: + data_view_id: + description: The ID of the data view that provides field options for this control. 
+ minLength: 1 + type: string + field_name: + description: The name of the field in the data view that this control filters on. + minLength: 1 + type: string + ignore_validations: + default: false + description: When `true`, the control skips selection validation and does not report which selections are responsible for returning zero results. Defaults to `false`. + type: boolean + step: + default: 1 + description: The step size between selectable range values. + minimum: 0 + type: number + title: + description: A human-readable title for the control. + type: string + use_global_filters: + default: true + description: When `true`, the control's available options are narrowed by the page's active filters. Defaults to `true`. + type: boolean + value: + description: The selected range as a two-element array of strings representing the lower and upper bound values, for example `["10", "50"]`. + items: + type: string + maxItems: 2 + minItems: 2 + type: array + required: + - data_view_id + - field_name + grow: + default: false + description: When `true`, the control expands to fill any available horizontal space. Defaults to `false`. + type: boolean + id: + description: The unique ID of the control + type: string + type: + enum: + - range_slider_control + type: string + width: + default: medium + description: Minimum width of the control panel. + enum: + - small + - medium + - large + type: string + required: + - type + - config + title: range_slider_control + type: object + Kibana_HTTP_APIs_kbn-controls-schemas-controls-group-schema-time-slider-control: + additionalProperties: false + description: A control panel that filters a time field to a selected sub-range of the global time range. Define the start and end positions in `config` as fractions of the global range (0 to 1). 
+ properties: + config: + additionalProperties: false + type: object + properties: + end_percentage_of_time_range: + default: 1 + description: The end of the selected time window expressed as a fraction of the global time range, where `0` is the beginning and `1` is the end of the range. + maximum: 1 + minimum: 0 + type: number + is_anchored: + default: false + description: When `true`, the start of the time window is fixed at the beginning of the global time range. Only the end of the window can be adjusted. Defaults to `false`. + type: boolean + start_percentage_of_time_range: + default: 0 + description: The start of the selected time window expressed as a fraction of the global time range, where `0` is the beginning and `1` is the end of the range. + maximum: 1 + minimum: 0 + type: number + grow: + default: false + description: When `true`, the control expands to fill any available horizontal space. Defaults to `false`. + type: boolean + id: + description: The unique ID of the control + type: string + type: + enum: + - time_slider_control + type: string + width: + default: medium + description: Minimum width of the control panel. + enum: + - small + - medium + - large + type: string + required: + - type + - config + title: time_slider_control + type: object + Kibana_HTTP_APIs_kbn-controls-schemas-options-list-esql-control-schema-static-values: + additionalProperties: false + description: An ES|QL variable control with a fixed list of selectable options defined directly in `available_options`. + properties: + available_options: + description: A fixed list of option strings displayed in the control. + items: + type: string + maxItems: 1000 + type: array + control_type: + enum: + - STATIC_VALUES + type: string + display_settings: + additionalProperties: false + type: object + properties: + hide_action_bar: + description: When `true`, the search bar, sorting options, and select all toggle are hidden from the control. 
+ type: boolean + hide_exclude: + description: When `true`, the exclude mode toggle is hidden from the control. + type: boolean + hide_exists: + description: When `true`, the exists filter option is hidden from the control. + type: boolean + hide_sort: + description: When `true`, the sort selector is hidden from the control. + type: boolean + placeholder: + description: Placeholder text displayed in the control input when no option is selected. + type: string + selected_options: + description: The list of currently selected option values. + items: + type: string + maxItems: 10000 + type: array + single_select: + default: true + description: When `true`, only one option can be selected at a time. Selecting a new option deselects any previously selected option. Defaults to `true`. + type: boolean + title: + description: A human-readable title for the control. + type: string + variable_name: + description: The name of the ES|QL variable that this control populates. The variable is referenced in ES|QL queries using the `?variable_name` syntax. + type: string + variable_type: + description: The ES|QL variable type that determines how the selected value is substituted into the query. Accepts `fields`, `values`, `functions`, `time_literal`, or `multi_values`. + enum: + - fields + - values + - functions + - time_literal + - multi_values + type: string + required: + - selected_options + - variable_name + - variable_type + - control_type + - available_options + title: STATIC_VALUES + type: object + Kibana_HTTP_APIs_kbn-controls-schemas-options-list-esql-control-schema-values-from-query: + additionalProperties: false + description: An ES|QL variable control whose selectable options are dynamically retrieved by running an ES|QL query. 
+ properties: + control_type: + enum: + - VALUES_FROM_QUERY + type: string + display_settings: + additionalProperties: false + type: object + properties: + hide_action_bar: + description: When `true`, the search bar, sorting options, and select all toggle are hidden from the control. + type: boolean + hide_exclude: + description: When `true`, the exclude mode toggle is hidden from the control. + type: boolean + hide_exists: + description: When `true`, the exists filter option is hidden from the control. + type: boolean + hide_sort: + description: When `true`, the sort selector is hidden from the control. + type: boolean + placeholder: + description: Placeholder text displayed in the control input when no option is selected. + type: string + esql_query: + description: An ES|QL query whose results populate the list of available options in the control popover. + type: string + selected_options: + description: The list of currently selected option values. + items: + type: string + maxItems: 10000 + type: array + single_select: + default: true + description: When `true`, only one option can be selected at a time. Selecting a new option deselects any previously selected option. Defaults to `true`. + type: boolean + title: + description: A human-readable title for the control. + type: string + variable_name: + description: The name of the ES|QL variable that this control populates. The variable is referenced in ES|QL queries using the `?variable_name` syntax. + type: string + variable_type: + description: The ES|QL variable type that determines how the selected value is substituted into the query. Accepts `fields`, `values`, `functions`, `time_literal`, or `multi_values`. 
+ enum: + - fields + - values + - functions + - time_literal + - multi_values + type: string + required: + - selected_options + - variable_name + - variable_type + - control_type + - esql_query + title: VALUES_FROM_QUERY + type: object + Kibana_HTTP_APIs_kbn-dashboard-access-control: + additionalProperties: false + description: Access control settings for the dashboard. + properties: + access_mode: + description: Controls edit access to the dashboard. Set to `write_restricted` to prevent edits by users without explicit write permission. Defaults to `default` (all viewers can edit). + enum: + - write_restricted + - default + type: string + title: Access control + type: object + Kibana_HTTP_APIs_kbn-dashboard-data: + additionalProperties: false + properties: + access_control: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-access-control' + description: + description: A short description of the dashboard. + type: string + filters: + description: Filters applied across all panels, including pinned panels. + items: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeConditionFilterSchema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeGroupFilterSchema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeDSLFilterSchema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeSpatialFilterSchema' + description: A filter applied to query results. Can be a field condition (`condition`), a logical group of conditions (`group`), a raw Elasticsearch DSL query (`dsl`), or a geo spatial query (`spatial`). + maxItems: 500 + type: array + options: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-options' + panels: + default: [] + description: Panels and sections in the dashboard. Each entry is either a panel (with a `type` and `config`) or a collapsible section (with a `title`, `collapsed` state, and nested `panels`). 
+ items: + anyOf: + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-apm_service_map' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-aiops_change_point_chart' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-discover_session' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-esql_control' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-image' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-links' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-markdown' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-options_list_control' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-range_slider_control' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_alerts' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_burn_rate' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_error_budget' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_overview' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-synthetics_monitors' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-synthetics_stats_overview' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-time_slider_control' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-vis' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-section' + maxItems: 100 + type: array + pinned_panels: + default: [] + description: An array of control panels and their state in the control group. 
+ items: + discriminator: + mapping: + esql_control: '#/components/schemas/Kibana_HTTP_APIs_kbn-controls-schemas-controls-group-schema-esql-control' + options_list_control: '#/components/schemas/Kibana_HTTP_APIs_kbn-controls-schemas-controls-group-schema-options-list-control' + range_slider_control: '#/components/schemas/Kibana_HTTP_APIs_kbn-controls-schemas-controls-group-schema-range-slider-control' + time_slider_control: '#/components/schemas/Kibana_HTTP_APIs_kbn-controls-schemas-controls-group-schema-time-slider-control' + propertyName: type + oneOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-controls-schemas-controls-group-schema-esql-control' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-controls-schemas-controls-group-schema-options-list-control' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-controls-schemas-controls-group-schema-range-slider-control' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-controls-schemas-controls-group-schema-time-slider-control' + maxItems: 100 + type: array + project_routing: + description: Controls [cross-project search](https://www.elastic.co/docs/explore-analyze/cross-project-search/cross-project-search-project-routing) behavior for this dashboard (Serverless only). Set to `_alias:_origin` to scope data to the current project, or `_alias:*` to search across all projects. When omitted, the space default applies. + type: string + query: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-query' + refresh_interval: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-service-server-refreshIntervalSchema' + tags: + description: Tag IDs to associate with this dashboard. + items: + type: string + maxItems: 100 + type: array + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + description: A human-readable title for the dashboard. 
+ minLength: 1 + type: string + required: + - title + title: kbn-dashboard-data + type: object + Kibana_HTTP_APIs_kbn-dashboard-dropped-panel-warning: + additionalProperties: false + description: A panel that was excluded from the response because its type is not supported by the API. + properties: + message: + description: Human-readable explanation of why the panel was dropped. + type: string + panel_config: + additionalProperties: true + description: The original configuration of the dropped panel. + type: object + properties: {} + panel_references: + description: Saved object references used by the dropped panel. + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + maxItems: 100 + type: array + panel_type: + description: The type identifier of the dropped panel. + type: string + type: + enum: + - dropped_panel + type: string + required: + - type + - message + - panel_type + - panel_config + title: Dropped panel + type: object + Kibana_HTTP_APIs_kbn-dashboard-options: + additionalProperties: false + default: + auto_apply_filters: true + hide_panel_borders: false + hide_panel_titles: false + sync_colors: false + sync_cursor: true + sync_tooltips: false + use_margins: true + description: Display and behavior settings for the dashboard. + properties: + auto_apply_filters: + default: true + description: When `true`, control filter changes are applied automatically. When `false`, control filter changes are applied manually through the dashboard's search update button. Defaults to `true`. + type: boolean + hide_panel_borders: + default: false + description: When `true`, panel borders are hidden. Defaults to `false`. + type: boolean + hide_panel_titles: + default: false + description: When `true`, panel titles are hidden. Defaults to `false`. + type: boolean + sync_colors: + default: false + description: When `true`, colors are synchronized across panels that share a data source. Defaults to `false`. 
+ type: boolean + sync_cursor: + default: true + description: When `true`, the cursor position is synchronized across panels. Defaults to `true`. + type: boolean + sync_tooltips: + default: false + description: When `true`, tooltips are synchronized across panels. Defaults to `false`. + type: boolean + use_margins: + default: true + description: When `true`, panels are separated by a margin. Defaults to `true`. + type: boolean + title: Options + type: object + Kibana_HTTP_APIs_kbn-dashboard-panel-grid: + additionalProperties: false + description: The position and size of the panel on the dashboard grid. + properties: + h: + default: 15 + description: The height of the panel in grid units. Minimum `1`. Defaults to `15`. + minimum: 1 + type: number + w: + default: 24 + description: The width of the panel in grid units. Minimum `1`, maximum `48`. Defaults to `24`. + maximum: 48 + minimum: 1 + type: number + x: + description: The x coordinate of the panel in grid units. + type: number + 'y': + description: The y coordinate of the panel in grid units. + type: number + required: + - x + - 'y' + title: Panel grid + type: object + Kibana_HTTP_APIs_kbn-dashboard-panel-type-aiops_change_point_chart: + additionalProperties: false + properties: + config: + $ref: '#/components/schemas/Kibana_HTTP_APIs_aiops_change_point_chart' + grid: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' + id: + description: The unique ID of the panel. + type: string + type: + enum: + - aiops_change_point_chart + type: string + required: + - grid + - type + - config + title: Change point detection chart + type: object + Kibana_HTTP_APIs_kbn-dashboard-panel-type-apm_service_map: + additionalProperties: false + properties: + config: + $ref: '#/components/schemas/Kibana_HTTP_APIs_apm-service-map-embeddable' + grid: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' + id: + description: The unique ID of the panel. 
+ type: string + type: + enum: + - apm_service_map + type: string + required: + - grid + - type + - config + title: APM Service map + type: object + Kibana_HTTP_APIs_kbn-dashboard-panel-type-discover_session: + additionalProperties: false + properties: + config: + anyOf: + - additionalProperties: false + description: Panel configuration stored inline + properties: + description: + type: string + drilldowns: + items: + additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_open_panel_menu + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + hide_border: + type: boolean + hide_title: + type: boolean + tabs: + description: Inline tab configuration. Used when no `ref_id` is set. Currently supports one tab. + items: + anyOf: + - additionalProperties: false + type: object + properties: + column_order: + description: Ordered list of field names to display in the data table. If omitted, defaults to the advanced setting "defaultColumns" or the referenced saved object. + items: + description: Field name of a column in display order. + type: string + maxItems: 100 + type: array + column_settings: + additionalProperties: + additionalProperties: false + type: object + properties: + width: + description: Optional width of the column in pixels. + minimum: 0 + type: number + description: Per-column presentation settings keyed by field name (e.g. widths). Keys should correspond to entries in `column_order` when both are set. 
+ type: object + data_source: + discriminator: + mapping: + data_view_reference: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' + data_view_spec: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' + propertyName: type + oneOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' + density: + description: Data grid density. Choose "compact", "expanded", or "normal" for row spacing. If omitted, defaults to Discover or embeddable defaults (e.g. user preference / local storage). + enum: + - compact + - expanded + - normal + type: string + filters: + default: [] + description: List of filters to apply to the data in the tab. + items: + description: A filter applied to query results. Can be a field condition (`condition`), a logical group of conditions (`group`), a raw Elasticsearch DSL query (`dsl`), or a geo spatial query (`spatial`). + discriminator: + mapping: + condition: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeConditionFilterSchema' + dsl: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeDSLFilterSchema' + group: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeGroupFilterSchema' + spatial: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeSpatialFilterSchema' + propertyName: type + oneOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeConditionFilterSchema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeGroupFilterSchema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeDSLFilterSchema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeSpatialFilterSchema' + maxItems: 100 + type: array + header_row_height: + anyOf: + - maximum: 5 + minimum: 1 + type: number + - enum: + - auto + type: string + 
description: Header row height. Use a number (1–5) or "auto" to size based on content. If omitted, defaults to Discover or embeddable defaults (e.g. user preference / local storage). + query: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-query' + row_height: + anyOf: + - maximum: 20 + minimum: 1 + type: number + - enum: + - auto + type: string + description: Data row height. Use a number (1–20) or "auto" to size based on content. If omitted, defaults to the advanced setting "discover:rowHeightOption". + rows_per_page: + description: The number of rows to display per page in the data table. If omitted, defaults to the advanced setting "discover:sampleRowsPerPage". + maximum: 10000 + minimum: 1 + type: number + sample_size: + description: The number of documents to sample for the data table. If omitted, defaults to the advanced setting "discover:sampleSize". + maximum: 10000 + minimum: 10 + type: number + sort: + default: [] + description: Sort configuration for the data table (field and direction). + items: + additionalProperties: false + type: object + properties: + direction: + description: 'The direction to sort the field by: Use "asc" for ascending or "desc" for descending.' + enum: + - asc + - desc + type: string + name: + description: The name of the field to sort by. + type: string + required: + - name + - direction + maxItems: 100 + type: array + view_mode: + default: documents + description: Discover view mode. Choose "documents" (search hits), "patterns" (pattern analysis), or "aggregated" (field statistics). + enum: + - documents + - patterns + - aggregated + type: string + required: + - data_source + - additionalProperties: false + type: object + properties: + column_order: + description: Ordered list of field names to display in the data table. If omitted, defaults to the advanced setting "defaultColumns" or the referenced saved object. + items: + description: Field name of a column in display order. 
+ type: string + maxItems: 100 + type: array + column_settings: + additionalProperties: + additionalProperties: false + type: object + properties: + width: + description: Optional width of the column in pixels. + minimum: 0 + type: number + description: Per-column presentation settings keyed by field name (e.g. widths). Keys should correspond to entries in `column_order` when both are set. + type: object + data_source: + $ref: '#/components/schemas/Kibana_HTTP_APIs_esqlDataSource' + density: + description: Data grid density. Choose "compact", "expanded", or "normal" for row spacing. If omitted, defaults to Discover or embeddable defaults (e.g. user preference / local storage). + enum: + - compact + - expanded + - normal + type: string + header_row_height: + anyOf: + - maximum: 5 + minimum: 1 + type: number + - enum: + - auto + type: string + description: Header row height. Use a number (1–5) or "auto" to size based on content. If omitted, defaults to Discover or embeddable defaults (e.g. user preference / local storage). + row_height: + anyOf: + - maximum: 20 + minimum: 1 + type: number + - enum: + - auto + type: string + description: Data row height. Use a number (1–20) or "auto" to size based on content. If omitted, defaults to the advanced setting "discover:rowHeightOption". + sort: + default: [] + description: Sort configuration for the data table (field and direction). + items: + additionalProperties: false + type: object + properties: + direction: + description: 'The direction to sort the field by: Use "asc" for ascending or "desc" for descending.' + enum: + - asc + - desc + type: string + name: + description: The name of the field to sort by. 
+ type: string + required: + - name + - direction + maxItems: 100 + type: array + required: + - data_source + maxItems: 1 + minItems: 1 + type: array + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + required: + - tabs + title: By value + type: object + - additionalProperties: false + description: Panel configuration stored in a linked library item + properties: + description: + type: string + drilldowns: + items: + additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_open_panel_menu + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + hide_border: + type: boolean + hide_title: + type: boolean + overrides: + additionalProperties: false + default: {} + type: object + properties: + column_order: + description: When set, overrides column order for the data table relative to the referenced saved object (`ref_id`) or the inline tab in `tabs`. If omitted, the source configuration is used. + items: + description: Field name of a column in display order. + type: string + maxItems: 100 + type: array + column_settings: + additionalProperties: + additionalProperties: false + type: object + properties: + width: + description: Optional width of the column in pixels. + minimum: 0 + type: number + description: Per-column presentation overrides (e.g. widths) keyed by field name. When set, merges with the source configuration for the referenced session or inline tab. 
+ type: object + density: + description: 'Data grid row spacing: `compact`, `expanded`, or `normal`. When set, overrides the referenced saved object or the inline tab config in `tabs`. If omitted, the source configuration is used.' + enum: + - compact + - expanded + - normal + type: string + header_row_height: + anyOf: + - maximum: 5 + minimum: 1 + type: number + - enum: + - auto + type: string + description: 'Header row height: number (1–5) or `auto`. When set, overrides the referenced saved object or the inline tab config in `tabs`. If omitted, the source configuration is used.' + row_height: + anyOf: + - maximum: 20 + minimum: 1 + type: number + - enum: + - auto + type: string + description: 'Data row height: number (1–20) or `auto`. When set, overrides the referenced saved object or the inline tab config in `tabs`. If omitted, falls back to the source or to the advanced setting "discover:rowHeightOption".' + rows_per_page: + description: Number of rows per page. When set, overrides the referenced saved object or the inline tab config in `tabs`. If omitted, falls back to the source or to the advanced setting "discover:sampleRowsPerPage". + maximum: 10000 + minimum: 1 + type: number + sample_size: + description: Number of documents to sample. When set, overrides the referenced saved object or the inline tab config in `tabs`. If omitted, falls back to the source or to the advanced setting "discover:sampleSize". + maximum: 10000 + minimum: 10 + type: number + sort: + description: Sort configuration (field and direction) for the data table. When set, overrides the referenced saved object or the inline tab config in `tabs`. If omitted, the source configuration is used. + items: + additionalProperties: false + type: object + properties: + direction: + description: 'The direction to sort the field by: Use "asc" for ascending or "desc" for descending.' + enum: + - asc + - desc + type: string + name: + description: The name of the field to sort by. 
+ type: string + required: + - name + - direction + maxItems: 100 + type: array + ref_id: + type: string + selected_tab_id: + description: Tab to select from the referenced saved object. If omitted, defaults to the first tab. + type: string + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + required: + - ref_id + title: By reference + type: object + grid: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' + id: + description: The unique ID of the panel. + type: string + type: + enum: + - discover_session + type: string + required: + - grid + - type + - config + title: Discover session + type: object + Kibana_HTTP_APIs_kbn-dashboard-panel-type-esql_control: + additionalProperties: false + properties: + config: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-controls-schemas-options-list-esql-control-schema-static-values' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-controls-schemas-options-list-esql-control-schema-values-from-query' + grid: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' + id: + description: The unique ID of the panel. + type: string + type: + enum: + - esql_control + type: string + required: + - grid + - type + - config + title: ES|QL variable control + type: object + Kibana_HTTP_APIs_kbn-dashboard-panel-type-image: + additionalProperties: false + properties: + config: + additionalProperties: false + description: Image embeddable schema + type: object + properties: + description: + type: string + drilldowns: + items: + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. 
+ type: boolean + trigger: + enum: + - on_click_image + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. + type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_image + - on_open_panel_menu + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + hide_border: + type: boolean + hide_title: + type: boolean + image_config: + additionalProperties: false + type: object + properties: + alt_text: + type: string + background_color: + type: string + object_fit: + default: contain + description: How the image should be sized within its container + enum: + - fill + - contain + - cover + - none + type: string + src: + anyOf: + - additionalProperties: false + properties: + file_id: + type: string + type: + enum: + - file + type: string + required: + - type + - file_id + title: file + type: object + - additionalProperties: false + properties: + type: + enum: + - url + type: string + url: + description: URL of the image + type: string + required: + - type + - url + title: url + type: object + description: Image source + required: + - src + title: + type: string + required: + - image_config + grid: + $ref: 
'#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' + id: + description: The unique ID of the panel. + type: string + type: + enum: + - image + type: string + required: + - grid + - type + - config + title: Image + type: object + Kibana_HTTP_APIs_kbn-dashboard-panel-type-links: + additionalProperties: false + properties: + config: + anyOf: + - additionalProperties: false + description: Panel configuration stored inline + properties: + description: + type: string + hide_border: + type: boolean + hide_title: + type: boolean + layout: + description: Denote whether to display the links in a horizontal or vertical layout + enum: + - horizontal + - vertical + type: string + links: + description: The list of links to display + items: + discriminator: + mapping: + dashboardLink: '#/components/schemas/Kibana_HTTP_APIs_kbn-link-panel-type-dashboardLink' + externalLink: '#/components/schemas/Kibana_HTTP_APIs_kbn-link-type-externalLink' + propertyName: type + oneOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-link-panel-type-dashboardLink' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-link-type-externalLink' + maxItems: 100 + type: array + title: + type: string + required: + - links + title: By value + type: object + - additionalProperties: false + description: Panel configuration stored in a linked library item + properties: + description: + type: string + hide_border: + type: boolean + hide_title: + type: boolean + ref_id: + description: The unique identifier of the Links library item + title: Reference ID + type: string + title: + type: string + required: + - ref_id + title: By reference + type: object + description: Links embeddable schema + grid: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' + id: + description: The unique ID of the panel. 
+ type: string + type: + enum: + - links + type: string + required: + - grid + - type + - config + title: Links + type: object + Kibana_HTTP_APIs_kbn-dashboard-panel-type-markdown: + additionalProperties: false + properties: + config: + anyOf: + - additionalProperties: false + description: Panel configuration stored inline + properties: + content: + type: string + description: + type: string + hide_border: + type: boolean + hide_title: + type: boolean + settings: + additionalProperties: false + type: object + properties: + open_links_in_new_tab: + default: true + type: boolean + title: + type: string + required: + - content + - settings + title: By value + type: object + - additionalProperties: false + description: Panel configuration stored in a linked library item + properties: + description: + type: string + hide_border: + type: boolean + hide_title: + type: boolean + ref_id: + description: The unique identifier of the markdown library item. + type: string + title: + type: string + required: + - ref_id + title: By reference + type: object + description: Markdown panel config + grid: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' + id: + description: The unique ID of the panel. + type: string + type: + enum: + - markdown + type: string + required: + - grid + - type + - config + title: Markdown + type: object + Kibana_HTTP_APIs_kbn-dashboard-panel-type-options_list_control: + additionalProperties: false + properties: + config: + additionalProperties: false + type: object + properties: + data_view_id: + description: The ID of the data view that provides field options for this control. + minLength: 1 + type: string + display_settings: + additionalProperties: false + type: object + properties: + hide_action_bar: + description: When `true`, the search bar, sorting options, and select all toggle are hidden from the control. + type: boolean + hide_exclude: + description: When `true`, the exclude mode toggle is hidden from the control. 
+ type: boolean + hide_exists: + description: When `true`, the exists filter option is hidden from the control. + type: boolean + hide_sort: + description: When `true`, the sort selector is hidden from the control. + type: boolean + placeholder: + description: Placeholder text displayed in the control input when no option is selected. + type: string + exclude: + default: false + description: When `true`, the control filters to documents that do NOT match the selected options. Defaults to `false`. + type: boolean + exists_selected: + default: false + description: When `true`, the control filters to documents where the field exists, regardless of the field's value. Defaults to `false`. + type: boolean + field_name: + description: The name of the field in the data view that this control filters on. + minLength: 1 + type: string + ignore_validations: + default: false + description: When `true`, the control skips selection validation and does not report which selections are responsible for returning zero results. Defaults to `false`. + type: boolean + run_past_timeout: + default: false + description: When `true`, the options list query continues running even if it exceeds the configured timeout threshold. Defaults to `false`. + type: boolean + search_technique: + default: wildcard + description: The matching technique used when searching available options. `prefix` matches values starting with the search term, `wildcard` matches values containing the search term, and `exact` requires a complete match. Only applies to string and IP fields. Defaults to `wildcard`. + enum: + - prefix + - wildcard + - exact + type: string + selected_options: + default: [] + description: The list of currently selected option values. + items: + anyOf: + - type: string + - type: number + description: A selected option value. Accepts a string or a number. + maxItems: 10000 + type: array + single_select: + default: false + description: When `true`, only one option can be selected at a time. 
Selecting a new option deselects any previously selected option. Defaults to `false`. + type: boolean + sort: + additionalProperties: false + default: + by: _count + direction: desc + description: 'Defines how the available options are sorted in the control popover. Defaults to `{ by: "_count", direction: "desc" }`.' + type: object + properties: + by: + description: The field used to sort the available options list. `_count` sorts by document count and `_key` sorts alphabetically by option value. + enum: + - _count + - _key + type: string + direction: + description: The sort direction. `asc` sorts ascending and `desc` sorts descending. + enum: + - asc + - desc + type: string + required: + - by + - direction + title: + description: A human-readable title for the control. + type: string + use_global_filters: + default: true + description: When `true`, the control's available options are narrowed by the page's active filters. Defaults to `true`. + type: boolean + required: + - data_view_id + - field_name + grid: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' + id: + description: The unique ID of the panel. + type: string + type: + enum: + - options_list_control + type: string + required: + - grid + - type + - config + title: Options list control + type: object + Kibana_HTTP_APIs_kbn-dashboard-panel-type-range_slider_control: + additionalProperties: false + properties: + config: + additionalProperties: false + type: object + properties: + data_view_id: + description: The ID of the data view that provides field options for this control. + minLength: 1 + type: string + field_name: + description: The name of the field in the data view that this control filters on. + minLength: 1 + type: string + ignore_validations: + default: false + description: When `true`, the control skips selection validation and does not report which selections are responsible for returning zero results. Defaults to `false`. 
+ type: boolean + step: + default: 1 + description: The step size between selectable range values. + minimum: 0 + type: number + title: + description: A human-readable title for the control. + type: string + use_global_filters: + default: true + description: When `true`, the control's available options are narrowed by the page's active filters. Defaults to `true`. + type: boolean + value: + description: The selected range as a two-element array of strings representing the lower and upper bound values, for example `["10", "50"]`. + items: + type: string + maxItems: 2 + minItems: 2 + type: array + required: + - data_view_id + - field_name + grid: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' + id: + description: The unique ID of the panel. + type: string + type: + enum: + - range_slider_control + type: string + required: + - grid + - type + - config + title: Range slider control + type: object + Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_alerts: + additionalProperties: false + properties: + config: + $ref: '#/components/schemas/Kibana_HTTP_APIs_slo-alerts-embeddable' + grid: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' + id: + description: The unique ID of the panel. + type: string + type: + enum: + - slo_alerts + type: string + required: + - grid + - type + - config + title: SLO alerts + type: object + Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_burn_rate: + additionalProperties: false + properties: + config: + $ref: '#/components/schemas/Kibana_HTTP_APIs_slo-burn-rate-embeddable' + grid: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' + id: + description: The unique ID of the panel. 
+ type: string + type: + enum: + - slo_burn_rate + type: string + required: + - grid + - type + - config + title: SLO burn rate + type: object + Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_error_budget: + additionalProperties: false + properties: + config: + $ref: '#/components/schemas/Kibana_HTTP_APIs_slo-error-budget-embeddable' + grid: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' + id: + description: The unique ID of the panel. + type: string + type: + enum: + - slo_error_budget + type: string + required: + - grid + - type + - config + title: SLO error budget + type: object + Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_overview: + additionalProperties: false + properties: + config: + description: SLO Overview embeddable schema + discriminator: + mapping: + groups: '#/components/schemas/Kibana_HTTP_APIs_slo-group-overview-embeddable' + single: '#/components/schemas/Kibana_HTTP_APIs_slo-single-overview-embeddable' + propertyName: overview_mode + oneOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_slo-single-overview-embeddable' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_slo-group-overview-embeddable' + grid: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' + id: + description: The unique ID of the panel. 
+ type: string + type: + enum: + - slo_overview + type: string + required: + - grid + - type + - config + title: SLO overview + type: object + Kibana_HTTP_APIs_kbn-dashboard-panel-type-synthetics_monitors: + additionalProperties: false + properties: + config: + additionalProperties: false + description: Synthetics monitors embeddable schema + type: object + properties: + description: + type: string + filters: + additionalProperties: false + type: object + properties: + locations: + description: Filter by monitor locations + items: + additionalProperties: false + type: object + properties: + label: + description: Display label for the filter option + type: string + value: + description: Value for the filter option + type: string + required: + - label + - value + maxItems: 100 + type: array + monitor_ids: + description: Filter by monitor IDs + items: + additionalProperties: false + type: object + properties: + label: + description: Display label for the filter option + type: string + value: + description: Value for the filter option + type: string + required: + - label + - value + maxItems: 5000 + type: array + monitor_types: + description: Filter by monitor types + items: + additionalProperties: false + type: object + properties: + label: + description: Display label for the filter option + type: string + value: + description: Value for the filter option + type: string + required: + - label + - value + maxItems: 10 + type: array + projects: + description: Filter by project + items: + additionalProperties: false + type: object + properties: + label: + description: Display label for the filter option + type: string + value: + description: Value for the filter option + type: string + required: + - label + - value + maxItems: 100 + type: array + tags: + description: Filter by tags + items: + additionalProperties: false + type: object + properties: + label: + description: Display label for the filter option + type: string + value: + description: Value for the filter 
option + type: string + required: + - label + - value + maxItems: 100 + type: array + hide_border: + type: boolean + hide_title: + type: boolean + title: + type: string + view: + description: View mode for the monitors embeddable (defaults to cardView) + enum: + - cardView + - compactView + type: string + grid: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' + id: + description: The unique ID of the panel. + type: string + type: + enum: + - synthetics_monitors + type: string + required: + - grid + - type + - config + title: Synthetics monitors + type: object + Kibana_HTTP_APIs_kbn-dashboard-panel-type-synthetics_stats_overview: + additionalProperties: false + properties: + config: + additionalProperties: false + description: Synthetics stats overview embeddable schema + type: object + properties: + description: + type: string + drilldowns: + items: + additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_open_panel_menu + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. 
Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + additionalProperties: false + type: object + properties: + locations: + description: Filter by monitor locations + items: + additionalProperties: false + type: object + properties: + label: + description: Display label for the filter option + type: string + value: + description: Value for the filter option + type: string + required: + - label + - value + maxItems: 100 + type: array + monitor_ids: + description: Filter by monitor IDs + items: + additionalProperties: false + type: object + properties: + label: + description: Display label for the filter option + type: string + value: + description: Value for the filter option + type: string + required: + - label + - value + maxItems: 5000 + type: array + monitor_types: + description: Filter by monitor types + items: + additionalProperties: false + type: object + properties: + label: + description: Display label for the filter option + type: string + value: + description: Value for the filter option + type: string + required: + - label + - value + maxItems: 10 + type: array + projects: + description: Filter by project + items: + additionalProperties: false + type: object + properties: + label: + description: Display label for the filter option + type: string + value: + description: Value for the filter option + type: string + required: + - label + - value + maxItems: 100 + type: array + tags: + description: Filter by tags + items: + additionalProperties: false + type: object + properties: + label: + description: Display label for the filter option + type: string + value: + description: Value for the filter option + type: string + required: + - label + - value + maxItems: 100 + type: array + hide_border: + type: boolean + hide_title: + type: boolean + title: + 
type: string + grid: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' + id: + description: The unique ID of the panel. + type: string + type: + enum: + - synthetics_stats_overview + type: string + required: + - grid + - type + - config + title: Synthetics stats overview + type: object + Kibana_HTTP_APIs_kbn-dashboard-panel-type-time_slider_control: + additionalProperties: false + properties: + config: + additionalProperties: false + type: object + properties: + end_percentage_of_time_range: + default: 1 + description: The end of the selected time window expressed as a fraction of the global time range, where `0` is the beginning and `1` is the end of the range. + maximum: 1 + minimum: 0 + type: number + is_anchored: + default: false + description: When `true`, the start of the time window is fixed at the beginning of the global time range. Only the end of the window can be adjusted. Defaults to `false`. + type: boolean + start_percentage_of_time_range: + default: 0 + description: The start of the selected time window expressed as a fraction of the global time range, where `0` is the beginning and `1` is the end of the range. + maximum: 1 + minimum: 0 + type: number + grid: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' + id: + description: The unique ID of the panel. 
+ type: string + type: + enum: + - time_slider_control + type: string + required: + - grid + - type + - config + title: Time slider control + type: object + Kibana_HTTP_APIs_kbn-dashboard-panel-type-vis: + additionalProperties: false + properties: + config: + anyOf: + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyMetricNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyChartNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyChartESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_regionMapNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_regionMapESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleESQL' + description: Panel configuration stored inline + title: By value + - additionalProperties: false + description: Panel configuration stored in a linked library item + properties: + description: + type: string + drilldowns: + items: + anyOf: + - additionalProperties: false 
+ default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. + type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. 
Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + hide_border: + type: boolean + hide_title: + type: boolean + ref_id: + type: string + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + required: + - ref_id + title: By reference + type: object + description: Lens embeddable schema + grid: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' + id: + description: The unique ID of the panel. + type: string + type: + enum: + - vis + type: string + required: + - grid + - type + - config + title: Visualization + type: object + Kibana_HTTP_APIs_kbn-dashboard-section: + additionalProperties: false + description: A collapsible group of panels. + properties: + collapsed: + default: false + description: When `true`, the section is collapsed and its panels are not rendered until expanded. Useful for improving initial load time on large dashboards. Defaults to `false`. + type: boolean + grid: + additionalProperties: false + type: object + properties: + 'y': + description: The y coordinate of the section in grid units. + type: number + required: + - 'y' + id: + description: The unique ID of the section. + type: string + panels: + default: [] + description: The panels that belong to the section. 
+ items: + discriminator: + mapping: + aiops_change_point_chart: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-aiops_change_point_chart' + apm_service_map: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-apm_service_map' + discover_session: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-discover_session' + esql_control: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-esql_control' + image: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-image' + links: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-links' + markdown: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-markdown' + options_list_control: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-options_list_control' + range_slider_control: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-range_slider_control' + slo_alerts: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_alerts' + slo_burn_rate: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_burn_rate' + slo_error_budget: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_error_budget' + slo_overview: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_overview' + synthetics_monitors: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-synthetics_monitors' + synthetics_stats_overview: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-synthetics_stats_overview' + time_slider_control: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-time_slider_control' + vis: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-vis' + propertyName: type + oneOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-apm_service_map' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-aiops_change_point_chart' + - $ref: 
'#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-discover_session' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-esql_control' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-image' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-links' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-markdown' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-options_list_control' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-range_slider_control' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_alerts' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_burn_rate' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_error_budget' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_overview' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-synthetics_monitors' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-synthetics_stats_overview' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-time_slider_control' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-vis' + maxItems: 100 + type: array + title: + description: The title of the section. + type: string + required: + - title + - grid + title: Section + type: object + Kibana_HTTP_APIs_kbn-data-service-server-refreshIntervalSchema: + additionalProperties: false + description: Specifies the auto-refresh interval for the object. + properties: + pause: + description: When `true`, auto-refresh is paused. + type: boolean + value: + description: The refresh interval in milliseconds. 
+ type: number + required: + - pause + - value + title: Refresh interval + type: object + Kibana_HTTP_APIs_kbn-data-view-field-setting: + additionalProperties: false + description: Display overrides for a field. These settings can define a custom label, description, and format. + properties: + custom_description: + description: Add a description to the field. It's displayed next to the field on the Discover, Lens, and Data View Management pages. + minLength: 1 + title: Custom description + type: string + custom_label: + description: Create a label to display in place of the field name in Discover, Maps, Lens, Visualize, and TSVB. Useful for shortening a long field name. Queries and filters use the original field name. + minLength: 1 + title: Custom label + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-field-format' + title: Field settings + type: object + Kibana_HTTP_APIs_kbn-data-view-reference-schema: + additionalProperties: false + properties: + ref_id: + description: 'The id of the Kibana data view to use as the data source. Example: "my-data-view".' + type: string + type: + enum: + - data_view_reference + type: string + required: + - type + - ref_id + title: Data view reference + type: object + Kibana_HTTP_APIs_kbn-data-view-spec-schema: + additionalProperties: false + properties: + field_settings: + additionalProperties: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-field-settings-entry' + type: object + index_pattern: + description: 'The index pattern (Elasticsearch index expression) to use as the data source. Example: "my-index-*".' + title: Index pattern + type: string + time_field: + description: 'The name of the time field in the index. Used for time-based filtering. Example: "@timestamp".' 
+ title: Time field + type: string + type: + enum: + - data_view_spec + type: string + required: + - type + - index_pattern + title: Data view inline spec + type: object + Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema: + additionalProperties: false + description: Specifies the time range for a query. + properties: + from: + description: The start of the time range. Accepts Elasticsearch [date math](https://www.elastic.co/docs/reference/elasticsearch/rest-apis/common-options#date-math) expressions (for example, `now-7d`) or ISO 8601 timestamps. + type: string + mode: + description: The time range mode. Use `absolute` for fixed start and end timestamps. Use `relative` for [date math](https://www.elastic.co/docs/reference/elasticsearch/rest-apis/common-options#date-math) expressions that are re-evaluated at query time (for example, `now-7d`). + enum: + - absolute + - relative + type: string + to: + description: The end of the time range. Accepts Elasticsearch [date math](https://www.elastic.co/docs/reference/elasticsearch/rest-apis/common-options#date-math) expressions (for example, `now`) or ISO 8601 timestamps. + type: string + required: + - from + - to + title: Time range + type: object + Kibana_HTTP_APIs_kbn-field-format: + additionalProperties: false + description: Set your preferred format for displaying the value. Changing the format can affect the value and prevent highlighting in Discover. + properties: + params: + nullable: true + type: + type: string + required: + - type + - params + title: Format + type: object + Kibana_HTTP_APIs_kbn-field-settings-entry: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-composite-runtime-field-schema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-runtime-field-schema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-field-setting' + description: Display overrides for an indexed field, or a runtime field definition when `type` is set to a runtime field kind. 
+ title: Field settings or runtime field + Kibana_HTTP_APIs_kbn-link-panel-type-dashboardLink: + additionalProperties: false + properties: + destination: + description: Linked dashboard saved object id + type: string + label: + description: The label of the link to be displayed in the UI + type: string + options: + additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + type: object + properties: + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. + type: boolean + type: + enum: + - dashboardLink + type: string + required: + - type + - destination + title: kbn-link-panel-type-dashboardLink + type: object + Kibana_HTTP_APIs_kbn-link-type-externalLink: + additionalProperties: false + properties: + destination: + description: The external URL to link to + type: string + label: + description: The label of the link to be displayed in the UI + type: string + options: + additionalProperties: false + default: + encode_url: true + open_in_new_tab: true + type: object + properties: + encode_url: + default: true + description: Whether to escape the URL with percent encoding + type: boolean + open_in_new_tab: + default: true + description: Whether to open this link in a new tab when clicked + type: boolean + type: + enum: + - externalLink + type: string + required: + - type + - destination + title: kbn-link-type-externalLink + type: object + Kibana_HTTP_APIs_kbn-runtime-field-schema: + additionalProperties: false + properties: + custom_description: + description: Add a description to the field. It's displayed next to the field on the Discover, Lens, and Data View Management pages. 
+ minLength: 1 + title: Custom description + type: string + custom_label: + description: Create a label to display in place of the field name in Discover, Maps, Lens, Visualize, and TSVB. Useful for shortening a long field name. Queries and filters use the original field name. + minLength: 1 + title: Custom label + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-field-format' + script: + description: The script that defines the runtime field. This should be a painless script that computes the field value at query time. Runtime fields without a script retrieve values from _source. If the field doesn't exist in _source, a search request returns no value. + minLength: 1 + title: Script + type: string + type: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-runtime-field-type' + required: + - type + title: Runtime field + type: object + Kibana_HTTP_APIs_kbn-runtime-field-type: + description: The type of the runtime field (e.g., "keyword", "long", "date"). + enum: + - keyword + - long + - double + - date + - ip + - boolean + - geo_point + title: Type + type: string + Kibana_HTTP_APIs_kibana_asset_reference: + additionalProperties: false + properties: + deferred: + type: boolean + id: + type: string + originId: + type: string + type: + anyOf: + - enum: + - dashboard + - lens + - visualization + - search + - index-pattern + - map + - ml-module + - security-rule + - csp-rule-template + - osquery-pack-asset + - osquery-saved-query + - tag + type: string + - type: string + required: + - id + - type + title: kibana_asset_reference + type: object + Kibana_HTTP_APIs_lastValueOperation: + additionalProperties: false + properties: + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + multi_value: + default: false + description: 
Whether to return all values for multi-value fields. Only affects data table and metric charts; other charts use the last value from the array. + type: boolean + operation: + enum: + - last_value + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_field: + description: Time field used to determine document recency + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + - time_field + title: Last Value Operation + type: object + Kibana_HTTP_APIs_legacyColorByValue: + additionalProperties: false + deprecated: true + description: Legacy color by value configuration + properties: + palette: + description: The legacy palette name. + type: string + range: + description: Determines whether the range is interpreted as absolute or as a percentage of the data. + enum: + - absolute + - percentage + type: string + shift: + description: When `true`, shifts the palette colors so they start from a different offset. Defaults to `false`. + type: boolean + steps: + description: Array of ordered color steps defining the range each color is applied. + items: + additionalProperties: false + type: object + properties: + color: + description: The color to use for this step. + type: string + gte: + description: The lower bound of range from which this color applies (inclusive). + nullable: true + type: number + lt: + description: The upper bound of range to which this color applies (exclusive). + nullable: true + type: number + lte: + description: The upper bound of range to which this color applies (inclusive). 
+ nullable: true + type: number + required: + - color + maxItems: 100 + minItems: 1 + type: array + type: + enum: + - legacy_dynamic + type: string + required: + - type + - range + - steps + - palette + - shift + title: Legacy color by value + type: object + Kibana_HTTP_APIs_legacyColorByValueAbsolute: + additionalProperties: false + deprecated: true + description: Legacy color by absolute value configuration + properties: + palette: + description: The legacy palette name. + type: string + range: + enum: + - absolute + type: string + shift: + description: When `true`, shifts the palette colors so they start from a different offset. Defaults to `false`. + type: boolean + steps: + description: Array of ordered color steps defining the range each color is applied. + items: + additionalProperties: false + type: object + properties: + color: + description: The color to use for this step. + type: string + gte: + description: The lower bound of range from which this color applies (inclusive). + nullable: true + type: number + lt: + description: The upper bound of range to which this color applies (exclusive). + nullable: true + type: number + lte: + description: The upper bound of range to which this color applies (inclusive). + nullable: true + type: number + required: + - color + maxItems: 100 + minItems: 1 + type: array + type: + enum: + - legacy_dynamic + type: string + required: + - type + - range + - steps + - palette + - shift + title: Legacy color by value (absolute) + type: object + Kibana_HTTP_APIs_legacyMetricCountMetric: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' 
+ enum: + - value + - background + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValueAbsolute' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyColorByValueAbsolute' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration based on the metric value. + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. + type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + labels: + additionalProperties: false + description: Labels configuration + type: object + properties: + alignment: + default: top + description: Label alignment + enum: + - top + - bottom + type: string + operation: + enum: + - count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + size: + description: Font size for the label and value + enum: + - xs + - s + - m + - l + - xl + - xxl + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + values: + additionalProperties: false + description: Values configuration + type: object + properties: + alignment: + default: left + description: Value alignment + enum: + - left + - center + - right + type: string + required: + - operation + title: Count Metric Operation + type: object + Kibana_HTTP_APIs_legacyMetricFormula: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' 
+ enum: + - value + - background + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValueAbsolute' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyColorByValueAbsolute' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration based on the metric value. + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + formula: + description: Formula + type: string + label: + description: Label for the operation + type: string + labels: + additionalProperties: false + description: Labels configuration + type: object + properties: + alignment: + default: top + description: Label alignment + enum: + - top + - bottom + type: string + operation: + enum: + - formula + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + size: + description: Font size for the label and value + enum: + - xs + - s + - m + - l + - xl + - xxl + type: string + time_scale: + description: Time scale + enum: + - s + - m + - h + - d + type: string + values: + additionalProperties: false + description: Values configuration + type: object + properties: + alignment: + default: left + description: Value alignment + enum: + - left + - center + - right + type: string + required: + - operation + - formula + title: Formula Operation + type: object + Kibana_HTTP_APIs_legacyMetricLastValue: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' 
+ enum: + - value + - background + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValueAbsolute' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyColorByValueAbsolute' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration based on the metric value. + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + labels: + additionalProperties: false + description: Labels configuration + type: object + properties: + alignment: + default: top + description: Label alignment + enum: + - top + - bottom + type: string + multi_value: + default: false + description: Whether to return all values for multi-value fields. Only affects data table and metric charts; other charts use the last value from the array. 
+ type: boolean + operation: + enum: + - last_value + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + size: + description: Font size for the label and value + enum: + - xs + - s + - m + - l + - xl + - xxl + type: string + time_field: + description: Time field used to determine document recency + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + values: + additionalProperties: false + description: Values configuration + type: object + properties: + alignment: + default: left + description: Value alignment + enum: + - left + - center + - right + type: string + required: + - field + - operation + - time_field + title: Last Value Operation + type: object + Kibana_HTTP_APIs_legacyMetricNoESQL: + additionalProperties: false + description: Legacy Metric configuration using a data view. Superseded by the Metric chart type. + properties: + data_source: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' + description: + type: string + drilldowns: + items: + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. 
+ type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + hide_border: + type: boolean + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. 
+ type: boolean + metric: + anyOf: + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyMetricCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyMetricUniqueCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyMetricStatsMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyMetricSumMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyMetricLastValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyMetricPercentile' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyMetricPercentileRanks' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyMetricFormula' + query: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). + maximum: 1 + minimum: 0 + type: number + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + type: + enum: + - legacy_metric + type: string + required: + - type + - data_source + - metric + title: Legacy Metric Chart (DSL) + type: object + Kibana_HTTP_APIs_legacyMetricPercentile: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' + enum: + - value + - background + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValueAbsolute' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyColorByValueAbsolute' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration based on the metric value. 
+ field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + labels: + additionalProperties: false + description: Labels configuration + type: object + properties: + alignment: + default: top + description: Label alignment + enum: + - top + - bottom + type: string + operation: + enum: + - percentile + type: string + percentile: + default: 95 + description: Percentile + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + size: + description: Font size for the label and value + enum: + - xs + - s + - m + - l + - xl + - xxl + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + values: + additionalProperties: false + description: Values configuration + type: object + properties: + alignment: + default: left + description: Value alignment + enum: + - left + - center + - right + type: string + required: + - field + - operation + title: Percentile Operation + type: object + Kibana_HTTP_APIs_legacyMetricPercentileRanks: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' + enum: + - value + - background + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValueAbsolute' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyColorByValueAbsolute' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration based on the metric value. 
+ field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + labels: + additionalProperties: false + description: Labels configuration + type: object + properties: + alignment: + default: top + description: Label alignment + enum: + - top + - bottom + type: string + operation: + enum: + - percentile_rank + type: string + rank: + default: 0 + description: Percentile Rank + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + size: + description: Font size for the label and value + enum: + - xs + - s + - m + - l + - xl + - xxl + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + values: + additionalProperties: false + description: Values configuration + type: object + properties: + alignment: + default: left + description: Value alignment + enum: + - left + - center + - right + type: string + required: + - field + - operation + title: Percentile Ranks Operation + type: object + Kibana_HTTP_APIs_legacyMetricStatsMetric: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' + enum: + - value + - background + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValueAbsolute' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyColorByValueAbsolute' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration based on the metric value. 
+ field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + labels: + additionalProperties: false + description: Labels configuration + type: object + properties: + alignment: + default: top + description: Label alignment + enum: + - top + - bottom + type: string + operation: + enum: + - min + - max + - average + - median + - standard_deviation + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + size: + description: Font size for the label and value + enum: + - xs + - s + - m + - l + - xl + - xxl + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + values: + additionalProperties: false + description: Values configuration + type: object + properties: + alignment: + default: left + description: Value alignment + enum: + - left + - center + - right + type: string + required: + - field + - operation + title: Stats Metric Operation + type: object + Kibana_HTTP_APIs_legacyMetricSumMetric: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' + enum: + - value + - background + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValueAbsolute' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyColorByValueAbsolute' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration based on the metric value. + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + labels: + additionalProperties: false + description: Labels configuration + type: object + properties: + alignment: + default: top + description: Label alignment + enum: + - top + - bottom + type: string + operation: + enum: + - sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + size: + description: Font size for the label and value + enum: + - xs + - s + - m + - l + - xl + - xxl + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + values: + additionalProperties: false + description: Values configuration + type: object + properties: + alignment: + default: left + description: Value alignment + enum: + - left + - center + - right + type: string + required: + - field + - operation + title: Sum Metric Operation + type: object + Kibana_HTTP_APIs_legacyMetricUniqueCountMetric: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' + enum: + - value + - background + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValueAbsolute' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyColorByValueAbsolute' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration based on the metric value. + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + labels: + additionalProperties: false + description: Labels configuration + type: object + properties: + alignment: + default: top + description: Label alignment + enum: + - top + - bottom + type: string + operation: + enum: + - unique_count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + size: + description: Font size for the label and value + enum: + - xs + - s + - m + - l + - xl + - xxl + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + values: + additionalProperties: false + description: Values configuration + type: object + properties: + alignment: + default: left + description: Value alignment + enum: + - left + - center + - right + type: string + required: + - field + - operation + title: Unique Count Metric Operation + type: object + Kibana_HTTP_APIs_legendSize: + description: Legend size. 
+ enum: + - auto + - s + - m + - l + - xl + title: Legend Size + type: string + Kibana_HTTP_APIs_lensApiConfigNoESQL: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyMetricNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyChartNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_regionMapNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleNoESQL' + title: Visualizations (DSL) + Kibana_HTTP_APIs_lensPanelFilters: + description: Filters applied to the panel + items: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeConditionFilterSchema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeGroupFilterSchema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeDSLFilterSchema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeSpatialFilterSchema' + description: A filter applied to query results. Can be a field condition (`condition`), a logical group of conditions (`group`), a raw Elasticsearch DSL query (`dsl`), or a geo spatial query (`spatial`). 
+ maxItems: 100 + title: lensPanelFilters + type: array + Kibana_HTTP_APIs_lensResponseItem: + additionalProperties: false + properties: + data: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensApiConfigNoESQL' + id: + type: string + meta: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-meta' + required: + - id + - data + - meta + title: Visualization Response + type: object + Kibana_HTTP_APIs_logs-alert-document-count-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_alert_delay' + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + anyOf: + - additionalProperties: false + type: object + properties: + count: + additionalProperties: false + type: object + properties: + comparator: + enum: + - more than + - more than or equals + - less than + - less than or equals + - equals + - does not equal + - matches + - does not match + - matches phrase + - does not match phrase + type: string + value: + type: number + required: + - comparator + - value + criteria: + items: + additionalProperties: false + type: object + properties: + comparator: + enum: + - more than + - more than or equals + - less than + - less than or equals + - equals + - does not equal + - matches + - does not match + - matches phrase + - does not match phrase + type: string + field: + type: string + value: + anyOf: + - type: string + - type: number + required: + - field + - comparator + - value + type: array + groupBy: + items: + type: string + type: array + logView: + additionalProperties: false + type: object + properties: + logViewId: + type: string + type: + enum: + - log-view-reference + type: string + required: + - logViewId + - type + timeSize: + type: number + timeUnit: + enum: + - s + - m + - h + - d + type: string + required: + - criteria + - count + - timeUnit + - timeSize + - logView + - 
additionalProperties: false + type: object + properties: + count: + additionalProperties: false + type: object + properties: + comparator: + enum: + - more than + - more than or equals + - less than + - less than or equals + - equals + - does not equal + - matches + - does not match + - matches phrase + - does not match phrase + type: string + value: + type: number + required: + - comparator + - value + criteria: + items: + items: + additionalProperties: false + type: object + properties: + comparator: + enum: + - more than + - more than or equals + - less than + - less than or equals + - equals + - does not equal + - matches + - does not match + - matches phrase + - does not match phrase + type: string + field: + type: string + value: + anyOf: + - type: string + - type: number + required: + - field + - comparator + - value + type: array + type: array + groupBy: + items: + type: string + type: array + logView: + additionalProperties: false + type: object + properties: + logViewId: + type: string + type: + enum: + - log-view-reference + type: string + required: + - logViewId + - type + timeSize: + type: number + timeUnit: + enum: + - s + - m + - h + - d + type: string + required: + - criteria + - count + - timeUnit + - timeSize + - logView + description: The parameters for the log threshold rule. These parameters are appropriate when `rule_type_id` is `logs.alert.document.count`. + title: Log Threshold Rule Params + rule_type_id: + enum: + - logs.alert.document.count + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. 
+ items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Log threshold + type: object + Kibana_HTTP_APIs_metricBarBackgroundChart: + additionalProperties: false + description: Bar chart shown as background context behind the primary metric value. + properties: + max_value: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_differencesOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_movingAverageOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_cumulativeSumOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_counterRateOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_countMetricOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_uniqueCountMetricOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_lastValueOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_percentileOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_percentileRanksOperation' + description: Metric dimension configuration, supporting field-based aggregations (count, sum, average, median, standard deviation, unique count, last value), percentile operations, time-series operations (differences, moving average, cumulative sum, counter rate), and mathematical formulas. 
+ title: Metric Operation + orientation: + $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_simple_orientation' + type: + enum: + - bar + type: string + required: + - type + - max_value + title: Bar Background Chart + type: object + Kibana_HTTP_APIs_metricBreakdownDateHistogram: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + columns: + default: 3 + description: Number of columns. + type: number + drop_partial_intervals: + description: When `true`, drops partial intervals from the results. + type: boolean + field: + description: Field to be used for the date histogram. + type: string + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. + type: boolean + label: + description: Label for the operation + type: string + operation: + enum: + - date_histogram + type: string + suggested_interval: + default: auto + description: Suggested time interval. + type: string + use_original_time_range: + default: false + description: When `true`, uses the original time range instead of the current query time range. + type: boolean + required: + - operation + - field + title: Date Histogram Operation + type: object + Kibana_HTTP_APIs_metricBreakdownFilters: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + columns: + default: 3 + description: Number of columns. + type: number + filters: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterWithLabel' + maxItems: 100 + type: array + label: + description: Label for the operation + type: string + operation: + enum: + - filters + type: string + required: + - operation + - filters + title: Filters Operation + type: object + Kibana_HTTP_APIs_metricBreakdownHistogram: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + columns: + default: 3 + description: Number of columns. 
+ type: number + field: + description: Field to be used for the histogram. + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + granularity: + anyOf: + - description: Granularity of the histogram. + maximum: 7 + minimum: 1 + type: number + - enum: + - auto + type: string + default: auto + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. + type: boolean + label: + description: Label for the operation + type: string + operation: + enum: + - histogram + type: string + required: + - operation + - field + title: Histogram Operation + type: object + Kibana_HTTP_APIs_metricBreakdownRanges: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + columns: + default: 3 + description: Number of columns. + type: number + field: + description: Field to be used for the range. + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - range + type: string + ranges: + items: + additionalProperties: false + type: object + properties: + gt: + description: Greater than. + type: number + label: + description: Label. + type: string + lte: + description: Less than or equal to. + type: number + maxItems: 100 + type: array + required: + - operation + - field + - ranges + title: Ranges Operation + type: object + Kibana_HTTP_APIs_metricBreakdownTerms: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + columns: + default: 3 + description: Number of columns. + type: number + excludes: + additionalProperties: false + type: object + properties: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to exclude. 
+ type: string + maxItems: 100 + type: array + required: + - values + fields: + items: + description: Fields to be used for the terms. + type: string + maxItems: 4 + minItems: 1 + type: array + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + includes: + additionalProperties: false + type: object + properties: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to include. + type: string + maxItems: 100 + type: array + required: + - values + increase_accuracy: + description: When `true`, increases accuracy at the cost of performance. + type: boolean + label: + description: Label for the operation + type: string + limit: + default: 5 + description: Number of terms to return. + type: number + operation: + enum: + - terms + type: string + other_bucket: + additionalProperties: false + type: object + properties: + include_documents_without_field: + description: When `true`, includes documents that do not have the specified field. + type: boolean + required: + - include_documents_without_field + rank_by: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByAlphabetical' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByRare' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankBySignificant' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomCountOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileRankOperation' + required: + - operation + - fields + title: Terms Operation + type: object + Kibana_HTTP_APIs_metricCompareToBaseline: + additionalProperties: false + properties: + baseline: + default: 0 + description: Baseline value. 
+ type: number + icon: + description: When `true`, displays the icon for the secondary value. + type: boolean + palette: + description: 'Color palette name. Accepted values: ''default'', ''elastic_line_optimized'', ''severity'', ''eui_amsterdam'', ''kibana_v7_legacy'', ''elastic_brand_2023''. Defaults to `default`.' + type: string + to: + enum: + - baseline + type: string + value: + description: When `true`, displays the secondary value. + type: boolean + required: + - to + title: Compare To Baseline + type: object + Kibana_HTTP_APIs_metricCompareToPrimary: + additionalProperties: false + properties: + icon: + description: When `true`, displays the icon for the secondary value. + type: boolean + palette: + description: 'Color palette name. Accepted values: ''default'', ''elastic_line_optimized'', ''severity'', ''eui_amsterdam'', ''kibana_v7_legacy'', ''elastic_brand_2023''. Defaults to `default`.' + type: string + to: + enum: + - primary + type: string + value: + description: When `true`, displays the secondary value. 
+ type: boolean + required: + - to + title: Compare To Primary + type: object + Kibana_HTTP_APIs_metricComplementaryBar: + additionalProperties: false + properties: + max_value: + additionalProperties: false + type: object + properties: + column: + description: Column to use + type: string + label: + description: Label for the operation + type: string + required: + - column + orientation: + $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_simple_orientation' + type: + enum: + - bar + type: string + required: + - type + - max_value + title: Complementary Bar + type: object + Kibana_HTTP_APIs_metricComplementaryViz: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricBarBackgroundChart' + - additionalProperties: false + type: object + properties: + type: + enum: + - trend + type: string + required: + - type + description: Secondary visualization displayed behind the primary metric value, either a bar chart (with optional max value) or a trend line. + title: Complementary Visualization + Kibana_HTTP_APIs_metricESQL: + additionalProperties: false + description: Metric chart configuration for ES|QL queries + properties: + breakdown_by: + additionalProperties: false + type: object + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + column: + description: Column to use + type: string + columns: + default: 3 + description: Number of columns. 
+ type: number + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + required: + - column + data_source: + $ref: '#/components/schemas/Kibana_HTTP_APIs_esqlDataSource' + description: + type: string + drilldowns: + items: + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. + type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. 
Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + hide_border: + type: boolean + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. + type: boolean + metrics: + description: Metric dimensions to display. The first must be a primary metric; an optional second must be a secondary metric. + items: + anyOf: + - additionalProperties: false + type: object + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' + enum: + - value + - background + type: string + background_chart: + $ref: '#/components/schemas/Kibana_HTTP_APIs_metricComplementaryBar' + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the primary metric value or background. + column: + description: Column to use + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + subtitle: + description: Subtitle below the primary metric value. 
+ type: string + type: + enum: + - primary + type: string + required: + - column + - type + - additionalProperties: false + type: object + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + column: + description: Column to use + type: string + compare: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToBaseline' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToPrimary' + description: Compare the secondary metric to a baseline value or to the primary metric. + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + type: + enum: + - secondary + type: string + required: + - column + - type + maxItems: 2 + minItems: 1 + type: array + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). + maximum: 1 + minimum: 0 + type: number + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_metricStyling' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + type: + enum: + - metric + type: string + required: + - type + - data_source + - metrics + title: Metric Chart (ES|QL) + type: object + Kibana_HTTP_APIs_metricIconConfig: + additionalProperties: false + description: Icon configuration for the metric chart + properties: + alignment: + description: 'Icon alignment. Accepted values: `left`, `right`. Defaults to `right`.' 
+ enum: + - left + - right + type: string + name: + description: Icon name + enum: + - alert + - asterisk + - bell + - bolt + - bug + - compute + - editor_comment + - flag + - globe + - heart + - map_marker + - pin + - sort_down + - sort_up + - star_empty + - tag + - temperature + type: string + required: + - name + title: Icon Configuration + type: object + Kibana_HTTP_APIs_metricNoESQL: + additionalProperties: false + description: Metric chart configuration for standard queries + properties: + breakdown_by: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricBreakdownDateHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricBreakdownTerms' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricBreakdownHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricBreakdownRanges' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricBreakdownFilters' + data_source: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' + description: + type: string + drilldowns: + items: + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. 
+ type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + hide_border: + type: boolean + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. + type: boolean + metrics: + description: Metric dimensions to display. The first must be a primary metric; an optional second must be a secondary metric. 
+ items: + anyOf: + - anyOf: + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricPrimaryCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricPrimaryUniqueCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricPrimaryStatsMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricPrimarySumMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricPrimaryLastValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricPrimaryPercentile' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricPrimaryPercentileRanks' + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricPrimaryDifferences' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricPrimaryMovingAverage' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricPrimaryCumulativeSum' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricPrimaryCounterRate' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricPrimaryFormula' + - anyOf: + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricSecondaryCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricSecondaryUniqueCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricSecondaryStatsMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricSecondarySumMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricSecondaryLastValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricSecondaryPercentile' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricSecondaryPercentileRanks' + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricSecondaryDifferences' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricSecondaryMovingAverage' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricSecondaryCumulativeSum' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricSecondaryCounterRate' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricSecondaryFormula' + maxItems: 2 + minItems: 1 + type: array + query: + $ref: 
'#/components/schemas/Kibana_HTTP_APIs_filterSimple' + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). + maximum: 1 + minimum: 0 + type: number + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_metricStyling' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + type: + enum: + - metric + type: string + required: + - type + - data_source + - metrics + title: Metric Chart (DSL) + type: object + Kibana_HTTP_APIs_metricPrimaryCounterRate: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' + enum: + - value + - background + type: string + background_chart: + $ref: '#/components/schemas/Kibana_HTTP_APIs_metricComplementaryViz' + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the primary metric value or background. + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - counter_rate + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the primary metric value. 
+ type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - primary + type: string + required: + - field + - operation + - type + title: Counter Rate Operation + type: object + Kibana_HTTP_APIs_metricPrimaryCountMetric: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' + enum: + - value + - background + type: string + background_chart: + $ref: '#/components/schemas/Kibana_HTTP_APIs_metricComplementaryViz' + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the primary metric value or background. + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. + type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the primary metric value. 
+ type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - primary + type: string + required: + - operation + - type + title: Count Metric Operation + type: object + Kibana_HTTP_APIs_metricPrimaryCumulativeSum: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' + enum: + - value + - background + type: string + background_chart: + $ref: '#/components/schemas/Kibana_HTTP_APIs_metricComplementaryViz' + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the primary metric value or background. + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - cumulative_sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the primary metric value. 
+ type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - primary + type: string + required: + - field + - operation + - type + title: Cumulative Sum Operation + type: object + Kibana_HTTP_APIs_metricPrimaryDifferences: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' + enum: + - value + - background + type: string + background_chart: + $ref: '#/components/schemas/Kibana_HTTP_APIs_metricComplementaryViz' + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the primary metric value or background. + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - differences + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the primary metric value. 
+ type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - primary + type: string + required: + - operation + - of + - type + title: Differences Operation + type: object + Kibana_HTTP_APIs_metricPrimaryFormula: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' + enum: + - value + - background + type: string + background_chart: + $ref: '#/components/schemas/Kibana_HTTP_APIs_metricComplementaryViz' + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the primary metric value or background. + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + formula: + description: Formula + type: string + label: + description: Label for the operation + type: string + operation: + enum: + - formula + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the primary metric value. + type: string + time_scale: + description: Time scale + enum: + - s + - m + - h + - d + type: string + type: + enum: + - primary + type: string + required: + - operation + - formula + - type + title: Formula Operation + type: object + Kibana_HTTP_APIs_metricPrimaryLastValue: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' 
+ enum: + - value + - background + type: string + background_chart: + $ref: '#/components/schemas/Kibana_HTTP_APIs_metricComplementaryViz' + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the primary metric value or background. + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + multi_value: + default: false + description: Whether to return all values for multi-value fields. Only affects data table and metric charts; other charts use the last value from the array. + type: boolean + operation: + enum: + - last_value + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the primary metric value. + type: string + time_field: + description: Time field used to determine document recency + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - primary + type: string + required: + - field + - operation + - time_field + - type + title: Last Value Operation + type: object + Kibana_HTTP_APIs_metricPrimaryMovingAverage: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' 
+ enum: + - value + - background + type: string + background_chart: + $ref: '#/components/schemas/Kibana_HTTP_APIs_metricComplementaryViz' + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the primary metric value or background. + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - moving_average + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the primary metric value. + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - primary + type: string + window: + default: 5 + description: Window + type: number + required: + - operation + - of + - type + title: Moving Average Operation + type: object + Kibana_HTTP_APIs_metricPrimaryPercentile: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' + enum: + - value + - background + type: string + background_chart: + $ref: '#/components/schemas/Kibana_HTTP_APIs_metricComplementaryViz' + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the primary metric value or background. 
+ field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - percentile + type: string + percentile: + default: 95 + description: Percentile + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the primary metric value. + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - primary + type: string + required: + - field + - operation + - type + title: Percentile Operation + type: object + Kibana_HTTP_APIs_metricPrimaryPercentileRanks: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' + enum: + - value + - background + type: string + background_chart: + $ref: '#/components/schemas/Kibana_HTTP_APIs_metricComplementaryViz' + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the primary metric value or background. 
+ field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - percentile_rank + type: string + rank: + default: 0 + description: Percentile Rank + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the primary metric value. + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - primary + type: string + required: + - field + - operation + - type + title: Percentile Ranks Operation + type: object + Kibana_HTTP_APIs_metricPrimaryStatsMetric: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' + enum: + - value + - background + type: string + background_chart: + $ref: '#/components/schemas/Kibana_HTTP_APIs_metricComplementaryViz' + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the primary metric value or background. 
+ field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - min + - max + - average + - median + - standard_deviation + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the primary metric value. + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - primary + type: string + required: + - field + - operation + - type + title: Stats Metric Operation + type: object + Kibana_HTTP_APIs_metricPrimarySumMetric: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' + enum: + - value + - background + type: string + background_chart: + $ref: '#/components/schemas/Kibana_HTTP_APIs_metricComplementaryViz' + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the primary metric value or background. + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the primary metric value. + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - primary + type: string + required: + - field + - operation + - type + title: Sum Metric Operation + type: object + Kibana_HTTP_APIs_metricPrimaryUniqueCountMetric: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' + enum: + - value + - background + type: string + background_chart: + $ref: '#/components/schemas/Kibana_HTTP_APIs_metricComplementaryViz' + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the primary metric value or background. + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - unique_count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the primary metric value. + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - primary + type: string + required: + - field + - operation + - type + title: Unique Count Metric Operation + type: object + Kibana_HTTP_APIs_metrics-alert-inventory-threshold-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_alert_delay' + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. 
+ type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the metric inventory threshold rule. These parameters are appropriate when `rule_type_id` is `metrics.alert.inventory.threshold`. 
+ properties: + alertOnNoData: + type: boolean + criteria: + items: + additionalProperties: false + type: object + properties: + comparator: + type: string + customMetric: + additionalProperties: false + type: object + properties: + aggregation: + type: string + field: + type: string + id: + type: string + label: + type: string + type: + enum: + - custom + type: string + required: + - type + - id + - field + - aggregation + metric: + type: string + threshold: + items: + type: number + type: array + timeSize: + type: number + timeUnit: + type: string + warningComparator: + type: string + warningThreshold: + items: + type: number + type: array + required: + - threshold + - comparator + - timeUnit + - timeSize + - metric + type: array + filterQuery: + type: string + nodeType: + type: string + schema: + type: string + sourceId: + type: string + required: + - criteria + - nodeType + - sourceId + title: Metric Inventory Threshold Rule Params + type: object + rule_type_id: + enum: + - metrics.alert.inventory.threshold + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Metric inventory threshold + type: object + Kibana_HTTP_APIs_metrics-alert-threshold-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_alert_delay' + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. 
NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the metric threshold rule. These parameters are appropriate when `rule_type_id` is `metrics.alert.threshold`. + properties: + alertOnGroupDisappear: + description: If true, an alert occurs if a group that previously reported metrics does not report them again over the expected time period. This check is not recommended for dynamically scaling infrastructures that might rapidly start and stop nodes automatically. + type: boolean + alertOnNoData: + description: If true, an alert occurs if the metrics do not report any data over the expected period or if the query fails. + type: boolean + criteria: + items: + anyOf: + - additionalProperties: false + type: object + properties: + aggType: + enum: + - count + type: string + comparator: + type: string + threshold: + description: The threshold value that is used with the `comparator`. If the `comparator` is `between`, you must specify the boundary values. + items: + type: number + type: array + timeSize: + description: The size of the time window (in `timeUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection. + type: number + timeUnit: + description: 'The type of units for the time window: seconds, minutes, hours, or days.' + type: string + warningComparator: + type: string + warningThreshold: + items: + description: The threshold value that is used with the `warningComparator`. If the `warningComparator` is `between`, you must specify the boundary values. 
+ type: number + type: array + required: + - threshold + - comparator + - timeUnit + - timeSize + - aggType + - additionalProperties: false + type: object + properties: + aggType: + type: string + comparator: + type: string + metric: + type: string + threshold: + description: The threshold value that is used with the `comparator`. If the `comparator` is `between`, you must specify the boundary values. + items: + type: number + type: array + timeSize: + description: The size of the time window (in `timeUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection. + type: number + timeUnit: + description: 'The type of units for the time window: seconds, minutes, hours, or days.' + type: string + warningComparator: + type: string + warningThreshold: + items: + description: The threshold value that is used with the `warningComparator`. If the `warningComparator` is `between`, you must specify the boundary values. + type: number + type: array + required: + - threshold + - comparator + - timeUnit + - timeSize + - metric + - aggType + - additionalProperties: false + type: object + properties: + aggType: + enum: + - custom + type: string + comparator: + type: string + customMetrics: + items: + anyOf: + - additionalProperties: false + type: object + properties: + aggType: + type: string + field: + type: string + name: + type: string + required: + - name + - aggType + - field + - additionalProperties: false + type: object + properties: + aggType: + enum: + - count + type: string + filter: + type: string + name: + type: string + required: + - name + - aggType + type: array + equation: + type: string + label: + type: string + threshold: + description: The threshold value that is used with the `comparator`. If the `comparator` is `between`, you must specify the boundary values. 
+ items: + type: number + type: array + timeSize: + description: The size of the time window (in `timeUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection. + type: number + timeUnit: + description: 'The type of units for the time window: seconds, minutes, hours, or days.' + type: string + warningComparator: + type: string + warningThreshold: + items: + description: The threshold value that is used with the `warningComparator`. If the `warningComparator` is `between`, you must specify the boundary values. + type: number + type: array + required: + - threshold + - comparator + - timeUnit + - timeSize + - aggType + - customMetrics + type: array + filterQuery: + description: A query that limits the scope of the rule. The rule evaluates only metric data that matches the query. + type: string + groupBy: + anyOf: + - type: string + - items: + type: string + type: array + description: 'Create an alert for every unique value of the specified fields. For example, you can create a rule per host or every mount point of each host. IMPORTANT: If you include the same field in both the `filterQuery` and `groupBy`, you might receive fewer results than you expect. For example, if you filter by `cloud.region: us-east`, grouping by `cloud.region` will have no effect because the filter query can match only one region.' + sourceId: + type: string + required: + - criteria + - sourceId + title: Metric Threshold Rule Params + type: object + rule_type_id: + enum: + - metrics.alert.threshold + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. 
+ items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Metric threshold + type: object + Kibana_HTTP_APIs_metricSecondaryCounterRate: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + compare: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToBaseline' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToPrimary' + description: Compare the secondary metric to a baseline value or to the primary metric. 
+ field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - counter_rate + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - secondary + type: string + required: + - field + - operation + - type + title: Counter Rate Operation + type: object + Kibana_HTTP_APIs_metricSecondaryCountMetric: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + compare: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToBaseline' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToPrimary' + description: Compare the secondary metric to a baseline value or to the primary metric. + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - secondary + type: string + required: + - operation + - type + title: Count Metric Operation + type: object + Kibana_HTTP_APIs_metricSecondaryCumulativeSum: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + compare: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToBaseline' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToPrimary' + description: Compare the secondary metric to a baseline value or to the primary metric. 
+ field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - cumulative_sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - secondary + type: string + required: + - field + - operation + - type + title: Cumulative Sum Operation + type: object + Kibana_HTTP_APIs_metricSecondaryDifferences: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + compare: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToBaseline' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToPrimary' + description: Compare the secondary metric to a baseline value or to the primary metric. 
+ filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - differences + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - secondary + type: string + required: + - operation + - of + - type + title: Differences Operation + type: object + Kibana_HTTP_APIs_metricSecondaryFormula: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + compare: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToBaseline' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToPrimary' + description: Compare the secondary metric to a baseline value or to the primary metric. 
+ filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + formula: + description: Formula + type: string + label: + description: Label for the operation + type: string + operation: + enum: + - formula + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + description: Time scale + enum: + - s + - m + - h + - d + type: string + type: + enum: + - secondary + type: string + required: + - operation + - formula + - type + title: Formula Operation + type: object + Kibana_HTTP_APIs_metricSecondaryLastValue: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + compare: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToBaseline' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToPrimary' + description: Compare the secondary metric to a baseline value or to the primary metric. + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + multi_value: + default: false + description: Whether to return all values for multi-value fields. Only affects data table and metric charts; other charts use the last value from the array. 
+ type: boolean + operation: + enum: + - last_value + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_field: + description: Time field used to determine document recency + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - secondary + type: string + required: + - field + - operation + - time_field + - type + title: Last Value Operation + type: object + Kibana_HTTP_APIs_metricSecondaryMovingAverage: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + compare: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToBaseline' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToPrimary' + description: Compare the secondary metric to a baseline value or to the primary metric. 
+ filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - moving_average + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - secondary + type: string + window: + default: 5 + description: Window + type: number + required: + - operation + - of + - type + title: Moving Average Operation + type: object + Kibana_HTTP_APIs_metricSecondaryPercentile: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + compare: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToBaseline' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToPrimary' + description: Compare the secondary metric to a baseline value or to the primary metric. 
+ field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - percentile + type: string + percentile: + default: 95 + description: Percentile + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - secondary + type: string + required: + - field + - operation + - type + title: Percentile Operation + type: object + Kibana_HTTP_APIs_metricSecondaryPercentileRanks: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + compare: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToBaseline' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToPrimary' + description: Compare the secondary metric to a baseline value or to the primary metric. 
+ field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - percentile_rank + type: string + rank: + default: 0 + description: Percentile Rank + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - secondary + type: string + required: + - field + - operation + - type + title: Percentile Ranks Operation + type: object + Kibana_HTTP_APIs_metricSecondaryStatsMetric: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + compare: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToBaseline' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToPrimary' + description: Compare the secondary metric to a baseline value or to the primary metric. 
+ field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - min + - max + - average + - median + - standard_deviation + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - secondary + type: string + required: + - field + - operation + - type + title: Stats Metric Operation + type: object + Kibana_HTTP_APIs_metricSecondarySumMetric: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + compare: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToBaseline' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToPrimary' + description: Compare the secondary metric to a baseline value or to the primary metric. + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - secondary + type: string + required: + - field + - operation + - type + title: Sum Metric Operation + type: object + Kibana_HTTP_APIs_metricSecondaryUniqueCountMetric: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + compare: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToBaseline' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToPrimary' + description: Compare the secondary metric to a baseline value or to the primary metric. + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - unique_count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - secondary + type: string + required: + - field + - operation + - type + title: Unique Count Metric Operation + type: object + Kibana_HTTP_APIs_metricStyling: + additionalProperties: false + description: Visual chart styling options + properties: + icon: + $ref: '#/components/schemas/Kibana_HTTP_APIs_metricIconConfig' + primary: + additionalProperties: false + type: object + properties: + labels: + additionalProperties: false + description: Labels (title and subtitle) configuration + type: object + properties: + alignment: + description: 'Horizontal alignment for the title and subtitle text. Accepted values: `left`, `center`, `right`. Defaults to `left`.' + enum: + - left + - center + - right + type: string + position: + description: Position of the primary metric value (top, middle, or bottom). + enum: + - top + - middle + - bottom + type: string + value: + additionalProperties: false + description: Primary metric value configuration + type: object + properties: + alignment: + description: 'Alignment for the primary metric value. Accepted values: `left`, `center`, `right`. Defaults to `right`.' + enum: + - left + - center + - right + type: string + sizing: + description: Controls how the primary value text is sized within the panel. 
'auto' selects a font size from predefined breakpoints based on panel height, then shrinks if the text overflows horizontally. 'fill' scales the text to be as large as possible, filling all available space. + enum: + - auto + - fill + type: string + secondary: + additionalProperties: false + type: object + properties: + label: + additionalProperties: false + type: object + properties: + placement: + description: Label placement relative to the secondary metric value (before or after). + enum: + - before + - after + type: string + visible: + description: When `true`, displays the label. + type: boolean + value: + additionalProperties: false + description: Secondary metric value configuration + type: object + properties: + alignment: + description: 'Alignment for secondary values. Accepted values: `left`, `center`, `right`. Defaults to `right`.' + enum: + - left + - center + - right + type: string + title: metricStyling + type: object + Kibana_HTTP_APIs_minMaxAvgMedianStdDevMetricOperation: + additionalProperties: false + properties: + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - min + - max + - average + - median + - standard_deviation + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Stats Metric Operation + type: object + Kibana_HTTP_APIs_monitoring-alert-cluster-health-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: 
'#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_alert_delay' + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the cluster health rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_cluster_health`. + properties: + duration: + type: string + filterQuery: + type: string + filterQueryText: + type: string + limit: + type: string + threshold: + type: number + required: + - duration + title: Cluster Health Rule Params + type: object + rule_type_id: + enum: + - monitoring_alert_cluster_health + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: type: string - - description: Filters the SLOs by name - example: my service availability - in: query - name: search - schema: + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Cluster health + type: object + Kibana_HTTP_APIs_monitoring-alert-cpu-usage-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_alert_delay' + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. 
The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the CPU usage rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_cpu_usage`. + properties: + duration: + type: string + filterQuery: + type: string + filterQueryText: + type: string + limit: + type: string + threshold: + type: number + required: + - duration + title: CPU Usage Rule Params + type: object + rule_type_id: + enum: + - monitoring_alert_cpu_usage + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. 
+ items: type: string - - description: The page to use for pagination, must be greater or equal than 1 - example: 1 - in: query - name: page - schema: - type: number - - description: Number of SLOs returned by page - example: 100 - in: query - name: perPage - schema: - default: 100 - maximum: 1000 - type: integer - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/SLOs_find_slo_definitions_response' - description: Successful request - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json: - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Forbidden response - summary: Get the SLO definitions - tags: - - slo -components: - examples: - APM_UI_agent_configuration_environments_200_response1: - description: >- - An example of a successful response from `GET - /api/apm/settings/agent-configuration/environments`. - value: - environments: - - alreadyConfigured: true - name: production - - alreadyConfigured: false - name: development - - alreadyConfigured: false - name: ALL_OPTION_VALUE - APM_UI_agent_configuration_intake_object_delete_200_response1: - description: >- - An example of a successful response from `DELETE - /api/apm/settings/agent-configuration`. - value: - result: deleted - APM_UI_agent_configuration_intake_object_delete_request1: - description: >- - Run `DELETE /api/apm/settings/agent-configuration` to delete a - configuration. - value: - service: - environment: production - name: frontend - APM_UI_agent_configuration_intake_object_get_200_response1: - description: >- - An example of a successful response from `GET - /api/apm/settings/agent-configuration`. 
- value: - - '@timestamp': 1581934104843 - agent_name: go - applied_by_agent: false - etag: 1e58c178efeebae15c25c539da740d21dee422fc - service: - environment: production - name: opbeans-go - settings: - capture_body: 'off' - transaction_max_spans: '200' - transaction_sample_rate: '1' - - '@timestamp': 1581934111727 - agent_name: go - applied_by_agent: false - etag: 3eed916d3db434d9fb7f039daa681c7a04539a64 - service: - name: opbeans-go - settings: - capture_body: 'off' - transaction_max_spans: '300' - transaction_sample_rate: '1' - - '@timestamp': 1582031336265 - agent_name: nodejs - applied_by_agent: false - etag: 5080ed25785b7b19f32713681e79f46996801a5b - service: - name: frontend - settings: - transaction_sample_rate: '1' - APM_UI_agent_configuration_intake_object_put_200_response1: - description: >- - An example of a successful response from `PUT - /api/apm/settings/agent-configuration`. The response body is - intentionally empty. - value: {} - APM_UI_agent_configuration_intake_object_put_request1: - description: >- - Run `PUT /api/apm/settings/agent-configuration` to create or update - configuration details. - value: - agent_name: nodejs - service: - environment: production - name: frontend - settings: - capture_body: 'off' - transaction_max_spans: '500' - transaction_sample_rate: '0.4' - APM_UI_agent_configuration_intake_object_search_200_response1: - description: >- - An example of a successful response from `POST - /api/apm/settings/agent-configuration/search`. - value: - _id: CIaqXXABmQCdPphWj8EJ - _index: .apm-agent-configuration - _score: 2 - _source: - '@timestamp': 1582031336265 - agent_name: nodejs - applied_by_agent: false - etag: 5080ed25785b7b19f32713681e79f46996801a5b - service: - name: frontend - settings: - transaction_sample_rate: '1' - APM_UI_agent_configuration_intake_object_search_request1: - description: >- - Run `POST /api/apm/settings/agent-configuration/search` to search - configuration details. 
- value: - etag: 1e58c178efeebae15c25c539da740d21dee422fc - service: - environment: production - name: frontend - APM_UI_agent_configuration_intake_object_view_200_response1: - description: >- - An example of a successful response from `GET - /api/apm/settings/agent-configuration/view`. - value: - '@timestamp': 1582031336265 - agent_name: nodejs - applied_by_agent: true - etag: 5080ed25785b7b19f32713681e79f46996801a5b - id: CIaqXXABmQCdPphWj8EJ - service: - environment: production - name: frontend - settings: - capture_body: 'off' - transaction_max_spans: '500' - transaction_sample_rate: '0.4' - APM_UI_agent_keys_object_post_200_response1: - description: >- - An example of a successful response from `POST /api/apm/agent_keys`, - which creates an APM agent API key. - value: - agentKey: - api_key: PjGloCGOTzaZr8ilUPvkjA - encoded: M0RDTG1uMEIzWk1oTFVhN1dCRzk6UGpHbG9DR09UemFacjhpbFVQdmtqQQ== - id: 3DCLmn0B3ZMhLUa7WBG9 - name: apm-key - APM_UI_agent_keys_object_post_request1: - description: >- - Run `POST /api/apm/agent_keys` to create an APM agent API key with the - specified privileges. - value: - name: apm-key - privileges: - - event:write - - config_agent:read - APM_UI_annotation_object_post_200_response1: - description: >- - An example of a successful response from `POST - /api/apm/services/opbeans-java/annotation`, which creates an annotation - for a service named `opbeans-java`. - value: - _id: Lc9I93EBh6DbmkeV7nFX - _index: observability-annotations - _primary_term: 1 - _seq_no: 12 - _source: - '@timestamp': '2020-05-08T10:31:30.452Z' - annotation: - type: deployment - event: - created: '2020-05-09T02:34:43.937Z' - message: Deployment 1.2 - service: - name: opbeans-java - version: '1.2' - tags: - - apm - - elastic.co - - customer - _version: 1 - found: true - APM_UI_annotation_object_post_request1: - description: >- - Run `POST /api/apm/services/{serviceName}/annotation` to create a - deployment annotation for a service. 
- value: - '@timestamp': '2024-01-15T12:00:00.000Z' - message: Deployment 1.2.0 - service: - environment: production - version: 1.2.0 + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: CPU usage + type: object + Kibana_HTTP_APIs_monitoring-alert-disk-usage-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_alert_delay' + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. 
+ type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the disk usage rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_disk_usage`. + properties: + duration: + type: string + filterQuery: + type: string + filterQueryText: + type: string + limit: + type: string + threshold: + type: number + required: + - duration + title: Disk Usage Rule Params + type: object + rule_type_id: + enum: + - monitoring_alert_disk_usage + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval tags: - - apm - - deployment - APM_UI_annotation_search_get_200_response1: - description: >- - An example of a successful response from `GET - /api/apm/services/{serviceName}/annotation/search`, which returns the - annotations associated with a service over the given time range. 
- value: - annotations: - - '@timestamp': 1735689600000 - id: opbeans-node@2.0.0 - text: opbeans-node@2.0.0 - type: version - - '@timestamp': 1736294400000 - id: opbeans-node@2.1.0 - text: opbeans-node@2.1.0 - type: version - APM_UI_error_400_response: - description: >- - An example of a 400 Bad Request response, returned when the request - payload or query parameters fail validation. - value: - error: Bad Request - message: '[request body]: expected value of type [string] but got [undefined]' - statusCode: 400 - APM_UI_error_401_response: - description: >- - An example of a 401 Unauthorized response, returned when the request is - missing valid authentication credentials. - value: - error: Unauthorized - message: >- - [security_exception]: missing authentication credentials for REST - request - statusCode: 401 - APM_UI_error_403_response: - description: >- - An example of a 403 Forbidden response, returned when the authenticated - user lacks the required APM and User Experience privileges. - value: - error: Forbidden - message: >- - Insufficient privileges to perform this action. The APM and User - Experience feature requires `all` privileges. - statusCode: 403 - APM_UI_error_404_response: - description: >- - An example of a 404 Not Found response, returned when the requested - resource does not exist or the feature is not available on the current - deployment. - value: - error: Not Found - message: Not Found - statusCode: 404 - APM_UI_error_500_response: - description: >- - An example of a 500 Internal Server Error response, returned when an - unexpected error occurs while processing the request. - value: - error: Internal Server Error - message: >- - An internal server error occurred. Check the Kibana server logs for - details. - statusCode: 500 - APM_UI_error_501_response: - description: >- - An example of a 501 Not Implemented response, returned when the source - map feature is not available on the current deployment. 
- value: - error: Not Implemented - message: Not Implemented - statusCode: 501 - APM_UI_fleet_apm_server_schema_200_response1: - description: >- - An example of a successful response from `POST - /api/apm/fleet/apm_server_schema`. The response body is intentionally - empty. - value: {} - APM_UI_service_agent_name_get_200_response1: - description: >- - An example of a successful response from `GET - /api/apm/settings/agent-configuration/agent_name`, which returns the - detected APM agent name for a service. - value: - agentName: nodejs - APM_UI_source_maps_delete_200_response1: - description: >- - An example of a successful response from `DELETE - /api/apm/sourcemaps/{id}`. The response body is intentionally empty. - value: {} - APM_UI_source_maps_get_200_response1: - description: A successful response from `GET /api/apm/sourcemaps`. - value: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Disk usage + type: object + Kibana_HTTP_APIs_monitoring-alert-elasticsearch-version-mismatch-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_alert_delay' + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. 
NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the ES version mismatch rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_elasticsearch_version_mismatch`. + properties: + duration: + type: string + filterQuery: + type: string + filterQueryText: + type: string + limit: + type: string + threshold: + type: number + required: + - duration + title: ES Version Mismatch Rule Params + type: object + rule_type_id: + enum: + - monitoring_alert_elasticsearch_version_mismatch + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Elasticsearch version mismatch + type: object + Kibana_HTTP_APIs_monitoring-alert-jvm-memory-usage-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_alert_delay' artifacts: - - body: - bundleFilepath: /test/e2e/general-usecase/bundle.js - serviceName: foo - serviceVersion: 1.0.0 - sourceMap: - file: static/js/main.chunk.js - mappings: mapping - sourceRoot: '' - sources: - - fleet-source-map-client/src/index.css - - fleet-source-map-client/src/App.js - - webpack:///./src/index.css?bb0a - - fleet-source-map-client/src/index.js - - fleet-source-map-client/src/reportWebVitals.js - sourcesContent: - - content - version: 3 - compressionAlgorithm: zlib - created: '2021-07-09T20:47:44.812Z' - decodedSha256: 644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 - decodedSize: 441 - encodedSha256: 024c72749c3e3dd411b103f7040ae62633558608f480bce4b108cf5b2275bd24 - encodedSize: 237 - encryptionAlgorithm: none - id: >- - apm:foo-1.0.0-644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 - identifier: foo-1.0.0 - packageName: apm - relative_url: >- - /api/fleet/artifacts/foo-1.0.0/644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 - type: sourcemap - APM_UI_source_maps_upload_200_response1: - description: A successful response from `POST /api/apm/sourcemaps`. 
- value: - body: >- - eJyFkL1OwzAUhd/Fc+MbYMuCEBIbHRjKgBgc96R16tiWr1OQqr47NwqJxEK3q/PzWccXxchnZ7E1A1SjuhjVZtF2yOxiEPlO17oWox3D3uPFeSRTjmJQARfCPeiAgGx8NTKsYdAc1T3rwaSJGcds8Sp3c1HnhfywUZ3QhMTFFGepZxqMC9oex3CS9tpk1XyozgOlmoVKuJX1DqEQZ0su7PGtLU+V/3JPKc3cL7TJ2FNDRPov4bFta3MDM4f7W69lpJjLO9qdK8bzVPhcJz3HUCQ4LbO/p5hCSC4cZPByrp/wFqOklbpefwAhzpqI - compressionAlgorithm: zlib - created: '2021-07-09T20:47:44.812Z' - decodedSha256: 644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 - decodedSize: 441 - encodedSha256: 024c72749c3e3dd411b103f7040ae62633558608f480bce4b108cf5b2275bd24 - encodedSize: 237 - encryptionAlgorithm: none - id: >- - apm:foo-1.0.0-644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 - identifier: foo-1.0.0 - packageName: apm - relative_url: >- - /api/fleet/artifacts/foo-1.0.0/644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 - type: sourcemap - APM_UI_source_maps_upload_request1: - description: > - An example of a multipart/form-data request body for `POST - /api/apm/sourcemaps`. - - Each field is a separate form part; `sourcemap` is the source map file - content (typically uploaded as a file). - value: - bundle_filepath: /test/e2e/general-usecase/bundle.js.map - service_name: opbeans-node - service_version: 1.0.0 - sourcemap: >- - {"version":3,"sources":["bundle.js"],"names":[],"mappings":"AAAA","file":"bundle.js","sourcesContent":["console.log('hello');"]} - Data_views_create_data_view_request: - description: >- - Create a data view for logstash indices that includes a runtime field - which extracts the shape name from a source field. - summary: Create a data view with runtime fields. 
- value: - data_view: - name: My Logstash data view - runtimeFieldMap: - runtime_shape_name: - script: - source: emit(doc['shape_name'].value) - type: keyword - title: logstash-* - Data_views_create_data_view_response: - description: >- - The response includes the full data view specification, including - auto-generated fields such as the unique identifier and version. - summary: >- - The create data view API returns a JSON object that contains details - about the new data view. - value: - data_view: - allowNoIndex: false - fieldAttrs: {} - fieldFormats: {} - fields: - runtime_shape_name: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - name: runtime_shape_name - readFromDocValues: false - runtimeField: - script: - source: emit(doc['shape_name'].value) - type: keyword - scripted: false - searchable: true - shortDotsEnable: false + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the memory usage rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_jvm_memory_usage`. + properties: + duration: type: string - id: b561acfb-0181-455e-84a3-ce8980b2272f - name: My Logstash data view - namespaces: - - default - runtimeFieldMap: - runtime_shape_name: - script: - source: emit(doc['shape_name'].value) - type: keyword - sourceFilters: [] - title: logstash-* - typeMeta: {} - version: WzQ5LDJd - Data_views_create_runtime_field_request: - description: >- - Create a long-type runtime field that emits a value derived from the foo - source field. - summary: Create a runtime field. - value: - name: runtimeFoo - runtimeField: - script: - source: emit(doc["foo"].value) - type: long - Data_views_create_runtime_field_response: - description: >- - The response includes the newly created runtime field as an array and - the full updated data view object. - summary: >- - The API returns created runtime field object array and updated data view - object. - value: - data_view: - ...: null - fields: - - ... 
- Data_views_error_400_response: - description: >- - The request was rejected because the payload or query parameters are - missing required fields or contain invalid values. - summary: A bad request response. - value: - error: Bad Request - message: >- - [request body.data_view.title]: expected value of type [string] but - got [undefined] - statusCode: 400 - Data_views_error_404_response: - description: >- - The requested data view or runtime field was not found in the current - Kibana space. - summary: A not found response. - value: - error: Not Found - message: >- - Saved object [index-pattern/caaad6d0-920c-11ed-b36a-874bd1548a00] not - found - statusCode: 404 - Data_views_get_data_view_response: - description: >- - A complete data view object including all fields, runtime fields, and - metadata. - summary: >- - The get data view API returns a JSON object that contains information - about the data view. - value: - data_view: - allowNoIndex: false - fieldAttrs: - products.manufacturer: - count: 1 - products.price: - count: 1 - products.product_name: - count: 1 - total_quantity: - count: 1 - fieldFormats: - products.base_price: - id: number - params: - pattern: $0,0.00 - products.base_unit_price: - id: number - params: - pattern: $0,0.00 - products.min_price: - id: number - params: - pattern: $0,0.00 - products.price: - id: number - params: - pattern: $0,0.00 - products.taxful_price: - id: number - params: - pattern: $0,0.00 - products.taxless_price: - id: number - params: - pattern: $0,0.00 - taxful_total_price: - id: number - params: - pattern: $0,0.[00] - taxless_total_price: - id: number - params: - pattern: $0,0.00 - fields: - _id: - aggregatable: false - count: 0 - esTypes: - - _id - format: - id: string - isMapped: true - name: _id - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false + filterQuery: type: string - _index: - aggregatable: true - count: 0 - esTypes: - - _index - format: - id: string - isMapped: true - name: 
_index - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false + filterQueryText: type: string - _score: - aggregatable: false - count: 0 - format: - id: number - isMapped: true - name: _score - readFromDocValues: false - scripted: false - searchable: false - shortDotsEnable: false + limit: + type: string + threshold: type: number - _source: - aggregatable: false - count: 0 - esTypes: - - _source - format: - id: _source - isMapped: true - name: _source - readFromDocValues: false - scripted: false - searchable: false - shortDotsEnable: false - type: _source - category: - aggregatable: false - count: 0 - esTypes: - - text - format: - id: string - isMapped: true - name: category - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false + required: + - duration + title: Memory Usage Rule Params + type: object + rule_type_id: + enum: + - monitoring_alert_jvm_memory_usage + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. type: string - category.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: category.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: category + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: JVM memory usage + type: object + Kibana_HTTP_APIs_monitoring-alert-kibana-version-mismatch-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_alert_delay' + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the Kibana version mismatch rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_kibana_version_mismatch`. + properties: + duration: type: string - currency: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: currency - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + filterQuery: type: string - customer_birth_date: - aggregatable: true - count: 0 - esTypes: - - date - format: - id: date - isMapped: true - name: customer_birth_date - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: date - customer_first_name: - aggregatable: false - count: 0 - esTypes: - - text - format: - id: string - isMapped: true - name: customer_first_name - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false + filterQueryText: type: string - customer_first_name.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: customer_first_name.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: 
customer_first_name + limit: type: string - customer_full_name: - aggregatable: false - count: 0 - esTypes: - - text - format: - id: string - isMapped: true - name: customer_full_name - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false + threshold: + type: number + required: + - duration + title: Kibana Version Mismatch Rule Params + type: object + rule_type_id: + enum: + - monitoring_alert_kibana_version_mismatch + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. type: string - customer_full_name.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: customer_full_name.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: customer_full_name + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Kibana version mismatch + type: object + Kibana_HTTP_APIs_monitoring-alert-license-expiration-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_alert_delay' + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. 
NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the license expiration rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_license_expiration`. + properties: + duration: type: string - customer_gender: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: customer_gender - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + filterQuery: type: string - customer_id: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: customer_id - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + filterQueryText: type: string - customer_last_name: - aggregatable: false - count: 0 - esTypes: - - text - format: - id: string - isMapped: true - name: customer_last_name - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false + limit: type: string - customer_last_name.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: customer_last_name.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: customer_last_name + threshold: + type: number + required: + - duration + title: License Expiration Rule Params + type: object + rule_type_id: + enum: + - monitoring_alert_license_expiration + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. 
+ type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. type: string - customer_phone: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: customer_phone - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: License expiration + type: object + Kibana_HTTP_APIs_monitoring-alert-logstash-version-mismatch-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_alert_delay' + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' 
+ type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the logstash version mismatch rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_logstash_version_mismatch`. 
+ properties: + duration: type: string - day_of_week: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: day_of_week - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + filterQuery: type: string - day_of_week_i: - aggregatable: true - count: 0 - esTypes: - - integer - format: - id: number - isMapped: true - name: day_of_week_i - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + filterQueryText: + type: string + limit: + type: string + threshold: type: number - email: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: email - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + required: + - duration + title: Logstash Version Mismatch Rule Params + type: object + rule_type_id: + enum: + - monitoring_alert_logstash_version_mismatch + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. type: string - event.dataset: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: event.dataset - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Logstash version mismatch + type: object + Kibana_HTTP_APIs_monitoring-alert-missing-monitoring-data-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_alert_delay' + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. 
NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the missing monitoring data rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_missing_monitoring_data`. + properties: + duration: type: string - geoip.city_name: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: geoip.city_name - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + filterQuery: type: string - geoip.continent_name: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: geoip.continent_name - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + filterQueryText: type: string - geoip.country_iso_code: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: geoip.country_iso_code - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + limit: type: string - geoip.location: - aggregatable: true - count: 0 - esTypes: - - geo_point - format: - id: geo_point - params: - transform: wkt - isMapped: true - name: geoip.location - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: geo_point - geoip.region_name: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: geoip.region_name - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + threshold: + type: number + required: + - duration + title: Missing Monitoring Data Rule Params + type: 
object + rule_type_id: + enum: + - monitoring_alert_missing_monitoring_data + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. type: string - manufacturer: - aggregatable: false - count: 0 - esTypes: - - text - format: - id: string - isMapped: true - name: manufacturer - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Missing monitoring data + type: object + Kibana_HTTP_APIs_monitoring-alert-nodes-changed-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_alert_delay' + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. 
NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the nodes changed rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_nodes_changed`. + properties: + duration: type: string - manufacturer.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: manufacturer.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: manufacturer + filterQuery: type: string - order_date: - aggregatable: true - count: 0 - esTypes: - - date - format: - id: date - isMapped: true - name: order_date - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: date - order_id: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: order_id - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + filterQueryText: + type: string + limit: + type: string + threshold: + type: number + required: + - duration + title: Nodes Changed Rule Params + type: object + rule_type_id: + enum: + - monitoring_alert_nodes_changed + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. 
+ items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Nodes changed + type: object + Kibana_HTTP_APIs_monitoring-alert-thread-pool-search-rejections-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_alert_delay' + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the thread pool search rejections rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_thread_pool_search_rejections`. + properties: + duration: type: string - products._id: - aggregatable: false - count: 0 - esTypes: - - text - format: - id: string - isMapped: true - name: products._id - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false + filterQuery: type: string - products._id.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: products._id.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: products._id + filterQueryText: type: string - products.base_price: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - params: - pattern: $0,0.00 - isMapped: true - name: products.base_price - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - products.base_unit_price: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - params: - pattern: $0,0.00 - isMapped: true - name: 
products.base_unit_price - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + threshold: type: number - products.category: - aggregatable: false - count: 0 - esTypes: - - text - format: - id: string - isMapped: true - name: products.category - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false + required: + - duration + title: Thread Pool Search Rejections Rule Params + type: object + rule_type_id: + enum: + - monitoring_alert_thread_pool_search_rejections + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. type: string - products.category.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: products.category.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: products.category + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Thread pool search rejections + type: object + Kibana_HTTP_APIs_monitoring-alert-thread-pool-write-rejections-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_alert_delay' + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. 
NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the thread pool write rejections rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_thread_pool_write_rejections`. + properties: + duration: type: string - products.created_on: - aggregatable: true - count: 0 - esTypes: - - date - format: - id: date - isMapped: true - name: products.created_on - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: date - products.discount_amount: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - isMapped: true - name: products.discount_amount - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - products.discount_percentage: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - isMapped: true - name: products.discount_percentage - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - products.manufacturer: - aggregatable: false - count: 1 - esTypes: - - text - format: - id: string - isMapped: true - name: products.manufacturer - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false + filterQuery: type: string - products.manufacturer.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: products.manufacturer.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: products.manufacturer + filterQueryText: type: string - 
products.min_price: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - params: - pattern: $0,0.00 - isMapped: true - name: products.min_price - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - products.price: - aggregatable: true - count: 1 - esTypes: - - half_float - format: - id: number - params: - pattern: $0,0.00 - isMapped: true - name: products.price - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - products.product_id: - aggregatable: true - count: 0 - esTypes: - - long - format: - id: number - isMapped: true - name: products.product_id - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + threshold: type: number - products.product_name: - aggregatable: false - count: 1 - esTypes: - - text - format: - id: string - isMapped: true - name: products.product_name - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false + required: + - duration + title: Thread Pool Write Rejections Rule Params + type: object + rule_type_id: + enum: + - monitoring_alert_thread_pool_write_rejections + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. type: string - products.product_name.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: products.product_name.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: products.product_name + required: + - interval + tags: + default: [] + description: The tags for the rule. 
+ items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Thread pool write rejections + type: object + Kibana_HTTP_APIs_monitoring-ccr-read-exceptions-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_alert_delay' + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the CCR read exceptions rule. These parameters are appropriate when `rule_type_id` is `monitoring_ccr_read_exceptions`. + properties: + duration: type: string - products.quantity: - aggregatable: true - count: 0 - esTypes: - - integer - format: - id: number - isMapped: true - name: products.quantity - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - products.sku: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: products.sku - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + filterQuery: type: string - products.tax_amount: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - isMapped: true - name: products.tax_amount - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - products.taxful_price: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - params: - pattern: $0,0.00 - isMapped: true - name: products.taxful_price - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - 
products.taxless_price: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - params: - pattern: $0,0.00 - isMapped: true - name: products.taxless_price - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - products.unit_discount_amount: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - isMapped: true - name: products.unit_discount_amount - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + filterQueryText: + type: string + limit: + type: string + threshold: type: number - sku: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: sku - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + required: + - duration + title: CCR Read Exceptions Rule Params + type: object + rule_type_id: + enum: + - monitoring_ccr_read_exceptions + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: CCR read exceptions + type: object + Kibana_HTTP_APIs_monitoring-shard-size-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_alert_delay' + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. 
The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the large shard size rule. These parameters are appropriate when `rule_type_id` is `monitoring_shard_size`. + properties: + duration: type: string - taxful_total_price: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - params: - pattern: $0,0.[00] - isMapped: true - name: taxful_total_price - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - taxless_total_price: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - params: - pattern: $0,0.00 - isMapped: true - name: taxless_total_price - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - total_quantity: - aggregatable: true - count: 1 - esTypes: - - integer - format: - id: number - isMapped: true - name: total_quantity - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + filterQuery: + type: string + filterQueryText: + type: string + indexPattern: + type: string + limit: + type: string + threshold: type: number - total_unique_products: - aggregatable: true - count: 0 - esTypes: - - integer + required: + - duration + - indexPattern + title: Large Shard Size Rule Params + type: object + rule_type_id: + enum: + - monitoring_shard_size + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. 
+ type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Large shard size + type: object + Kibana_HTTP_APIs_mosaicESQL: + additionalProperties: false + description: Mosaic chart configuration schema for ES|QL queries, defining metrics and breakdown dimensions using column-based configuration + properties: + data_source: + $ref: '#/components/schemas/Kibana_HTTP_APIs_esqlDataSource' + description: + type: string + drilldowns: + items: + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. 
+ type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + group_breakdown_by: + description: Array of group breakdown dimensions (minimum 1) + items: + additionalProperties: false + type: object + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + column: + description: Column to use + type: string format: - id: number - isMapped: true - name: total_unique_products - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - type: - aggregatable: true - count: 0 - esTypes: - - keyword + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + required: + - column + maxItems: 100 + minItems: 1 + type: array + group_by: + description: Array of 
breakdown dimensions (minimum 1) + items: + additionalProperties: false + type: object + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + column: + description: Column to use + type: string format: - id: string - isMapped: true - name: type - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + required: + - column + maxItems: 100 + minItems: 1 + type: array + hide_border: + type: boolean + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. + type: boolean + legend: + $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicLegend' + metric: + additionalProperties: false + description: Metric configuration for ES|QL mode, combining generic options, primary metric options, and column selection + type: object + properties: + column: + description: Column to use type: string - user: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: user - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string - id: ff959d40-b880-11e8-a6d9-e546fe2bba5f - name: Kibana Sample Data eCommerce - namespaces: - - default - runtimeFieldMap: {} - sourceFilters: [] - timeFieldName: order_date - title: kibana_sample_data_ecommerce - typeMeta: {} - version: WzUsMV0= - Data_views_get_data_views_response: - description: >- - A list of available data views including their identifiers, names, and - index patterns. - summary: The get all data views API returns a list of data views. 
- value: - data_view: - - id: ff959d40-b880-11e8-a6d9-e546fe2bba5f - name: Kibana Sample Data eCommerce - namespaces: - - default - title: kibana_sample_data_ecommerce - typeMeta: {} - - id: d3d7af60-4c81-11e8-b3d7-01146121b73d - name: Kibana Sample Data Flights - namespaces: - - default - title: kibana_sample_data_flights - - id: 90943e30-9a47-11e8-b64d-95841ca0b247 - name: Kibana Sample Data Logs - namespaces: - - default - title: kibana_sample_data_logs - Data_views_get_default_data_view_response: - description: The identifier of the default data view for the current Kibana space. - summary: The get default data view API returns the default data view identifier. - value: - data_view_id: ff959d40-b880-11e8-a6d9-e546fe2bba5f - Data_views_get_runtime_field_response: - description: The runtime field definition along with the parent data view. - summary: >- - The get runtime field API returns a JSON object that contains - information about the runtime field (`hour_of_day`) and the data view - (`d3d7af60-4c81-11e8-b3d7-01146121b73d`). - value: - data_view: - allowNoIndex: false - fieldAttrs: {} - fieldFormats: - AvgTicketPrice: - id: number - params: - pattern: $0,0.[00] - hour_of_day: - id: number - params: - pattern: '00' - fields: - _id: - aggregatable: false - count: 0 - esTypes: - - _id - format: - id: string - isMapped: true - name: _id - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false + required: + - column + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). 
+ maximum: 1 + minimum: 0 + type: number + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicStyling' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + type: + enum: + - mosaic + type: string + required: + - type + - data_source + - metric + title: Mosaic Chart (ES|QL) + type: object + Kibana_HTTP_APIs_mosaicGroupBreakdownByDateHistogram: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + drop_partial_intervals: + description: When `true`, drops partial intervals from the results. + type: boolean + field: + description: Field to be used for the date histogram. + type: string + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. + type: boolean + label: + description: Label for the operation + type: string + operation: + enum: + - date_histogram + type: string + suggested_interval: + default: auto + description: Suggested time interval. + type: string + use_original_time_range: + default: false + description: When `true`, uses the original time range instead of the current query time range. 
+ type: boolean + required: + - operation + - field + title: Date Histogram Operation + type: object + Kibana_HTTP_APIs_mosaicGroupBreakdownByFilters: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + filters: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterWithLabel' + maxItems: 100 + type: array + label: + description: Label for the operation + type: string + operation: + enum: + - filters + type: string + required: + - operation + - filters + title: Filters Operation + type: object + Kibana_HTTP_APIs_mosaicGroupBreakdownByHistogram: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + field: + description: Field to be used for the histogram. + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + granularity: + anyOf: + - description: Granularity of the histogram. + maximum: 7 + minimum: 1 + type: number + - enum: + - auto type: string - _index: - aggregatable: true - count: 0 - esTypes: - - _index - format: - id: string - isMapped: true - name: _index - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false + default: auto + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. + type: boolean + label: + description: Label for the operation + type: string + operation: + enum: + - histogram + type: string + required: + - operation + - field + title: Histogram Operation + type: object + Kibana_HTTP_APIs_mosaicGroupBreakdownByRanges: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + field: + description: Field to be used for the range. 
+ type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - range + type: string + ranges: + items: + additionalProperties: false + type: object + properties: + gt: + description: Greater than. + type: number + label: + description: Label. + type: string + lte: + description: Less than or equal to. + type: number + maxItems: 100 + type: array + required: + - operation + - field + - ranges + title: Ranges Operation + type: object + Kibana_HTTP_APIs_mosaicGroupBreakdownByTerms: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + excludes: + additionalProperties: false + type: object + properties: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to exclude. + type: string + maxItems: 100 + type: array + required: + - values + fields: + items: + description: Fields to be used for the terms. + type: string + maxItems: 4 + minItems: 1 + type: array + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + includes: + additionalProperties: false + type: object + properties: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to include. + type: string + maxItems: 100 + type: array + required: + - values + increase_accuracy: + description: When `true`, increases accuracy at the cost of performance. + type: boolean + label: + description: Label for the operation + type: string + limit: + default: 5 + description: Number of terms to return. + type: number + operation: + enum: + - terms + type: string + other_bucket: + additionalProperties: false + type: object + properties: + include_documents_without_field: + description: When `true`, includes documents that do not have the specified field. 
+ type: boolean + required: + - include_documents_without_field + rank_by: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByAlphabetical' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByRare' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankBySignificant' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomCountOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileRankOperation' + required: + - operation + - fields + title: Terms Operation + type: object + Kibana_HTTP_APIs_mosaicGroupByDateHistogram: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + drop_partial_intervals: + description: When `true`, drops partial intervals from the results. + type: boolean + field: + description: Field to be used for the date histogram. + type: string + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. + type: boolean + label: + description: Label for the operation + type: string + operation: + enum: + - date_histogram + type: string + suggested_interval: + default: auto + description: Suggested time interval. + type: string + use_original_time_range: + default: false + description: When `true`, uses the original time range instead of the current query time range. 
+ type: boolean + required: + - operation + - field + title: Date Histogram Operation + type: object + Kibana_HTTP_APIs_mosaicGroupByFilters: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + filters: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterWithLabel' + maxItems: 100 + type: array + label: + description: Label for the operation + type: string + operation: + enum: + - filters + type: string + required: + - operation + - filters + title: Filters Operation + type: object + Kibana_HTTP_APIs_mosaicGroupByHistogram: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + field: + description: Field to be used for the histogram. + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + granularity: + anyOf: + - description: Granularity of the histogram. + maximum: 7 + minimum: 1 + type: number + - enum: + - auto + type: string + default: auto + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. + type: boolean + label: + description: Label for the operation + type: string + operation: + enum: + - histogram + type: string + required: + - operation + - field + title: Histogram Operation + type: object + Kibana_HTTP_APIs_mosaicGroupByRanges: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + field: + description: Field to be used for the range. 
+ type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - range + type: string + ranges: + items: + additionalProperties: false + type: object + properties: + gt: + description: Greater than. + type: number + label: + description: Label. + type: string + lte: + description: Less than or equal to. + type: number + maxItems: 100 + type: array + required: + - operation + - field + - ranges + title: Ranges Operation + type: object + Kibana_HTTP_APIs_mosaicGroupByTerms: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + excludes: + additionalProperties: false + type: object + properties: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to exclude. + type: string + maxItems: 100 + type: array + required: + - values + fields: + items: + description: Fields to be used for the terms. + type: string + maxItems: 4 + minItems: 1 + type: array + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + includes: + additionalProperties: false + type: object + properties: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to include. + type: string + maxItems: 100 + type: array + required: + - values + increase_accuracy: + description: When `true`, increases accuracy at the cost of performance. + type: boolean + label: + description: Label for the operation + type: string + limit: + default: 5 + description: Number of terms to return. 
+ type: number + operation: + enum: + - terms + type: string + other_bucket: + additionalProperties: false + type: object + properties: + include_documents_without_field: + description: When `true`, includes documents that do not have the specified field. + type: boolean + required: + - include_documents_without_field + rank_by: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByAlphabetical' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByRare' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankBySignificant' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomCountOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileRankOperation' + required: + - operation + - fields + title: Terms Operation + type: object + Kibana_HTTP_APIs_mosaicLegend: + additionalProperties: false + description: Legend configuration for mosaic chart appearance and behavior + properties: + nested: + description: Show nested legend with hierarchical breakdown levels + type: boolean + size: + $ref: '#/components/schemas/Kibana_HTTP_APIs_legendSize' + truncate_after_lines: + description: Number of lines before legend items are truncated. + maximum: 10 + minimum: 1 + title: legendTruncateAfterLines + type: number + visibility: + description: Legend visibility. 
+ enum: + - auto + - visible + - hidden + type: string + title: Legend + type: object + Kibana_HTTP_APIs_mosaicMetricCounterRate: + additionalProperties: false + properties: + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - counter_rate + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Counter Rate Operation + type: object + Kibana_HTTP_APIs_mosaicMetricCountMetric: + additionalProperties: false + properties: + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - operation + title: Count Metric Operation + type: object + Kibana_HTTP_APIs_mosaicMetricCumulativeSum: + additionalProperties: false + properties: + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - cumulative_sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Cumulative Sum Operation + type: object + Kibana_HTTP_APIs_mosaicMetricDifferences: + additionalProperties: false + properties: + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - differences + type: string + reduced_time_range: + description: Reduced time range + title: 
Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - operation + - of + title: Differences Operation + type: object + Kibana_HTTP_APIs_mosaicMetricFormula: + additionalProperties: false + properties: + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + formula: + description: Formula + type: string + label: + description: Label for the operation + type: string + operation: + enum: + - formula + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + description: Time scale + enum: + - s + - m + - h + - d + type: string + required: + - operation + - formula + title: Formula Operation + type: object + Kibana_HTTP_APIs_mosaicMetricLastValue: + additionalProperties: false + properties: + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + multi_value: + default: false + description: Whether to return all values for multi-value fields. Only affects data table and metric charts; other charts use the last value from the array. 
+ type: boolean + operation: + enum: + - last_value + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_field: + description: Time field used to determine document recency + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + - time_field + title: Last Value Operation + type: object + Kibana_HTTP_APIs_mosaicMetricMovingAverage: + additionalProperties: false + properties: + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - moving_average + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + window: + default: 5 + description: Window + type: number + required: + - operation + - of + title: Moving Average Operation + type: object + Kibana_HTTP_APIs_mosaicMetricPercentile: + additionalProperties: false + properties: + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - percentile + type: string + percentile: + default: 95 + description: Percentile + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + 
type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Percentile Operation + type: object + Kibana_HTTP_APIs_mosaicMetricPercentileRanks: + additionalProperties: false + properties: + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - percentile_rank + type: string + rank: + default: 0 + description: Percentile Rank + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Percentile Ranks Operation + type: object + Kibana_HTTP_APIs_mosaicMetricStatsMetric: + additionalProperties: false + properties: + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - min + - max + - average + - median + - standard_deviation + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Stats Metric Operation + type: object + 
Kibana_HTTP_APIs_mosaicMetricSumMetric: + additionalProperties: false + properties: + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. + type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Sum Metric Operation + type: object + Kibana_HTTP_APIs_mosaicMetricUniqueCountMetric: + additionalProperties: false + properties: + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - unique_count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Unique Count Metric Operation + type: object + Kibana_HTTP_APIs_mosaicNoESQL: + additionalProperties: false + description: Mosaic chart configuration schema for data source queries (non-ES|QL mode), defining metrics and breakdown dimensions + properties: + data_source: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' + description: + type: string + drilldowns: + items: + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. 
+ type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + group_breakdown_by: + description: Array of group breakdown dimensions (minimum 1) + items: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicGroupBreakdownByDateHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicGroupBreakdownByTerms' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicGroupBreakdownByHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicGroupBreakdownByRanges' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicGroupBreakdownByFilters' + maxItems: 100 + minItems: 1 + type: array + group_by: + description: Array of breakdown dimensions (minimum 1) + items: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicGroupByDateHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicGroupByTerms' + - $ref: 
'#/components/schemas/Kibana_HTTP_APIs_mosaicGroupByHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicGroupByRanges' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicGroupByFilters' + maxItems: 100 + minItems: 1 + type: array + hide_border: + type: boolean + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. + type: boolean + legend: + $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicLegend' + metric: + anyOf: + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicMetricCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicMetricUniqueCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicMetricStatsMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicMetricSumMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicMetricLastValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicMetricPercentile' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicMetricPercentileRanks' + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicMetricDifferences' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicMetricMovingAverage' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicMetricCumulativeSum' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicMetricCounterRate' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicMetricFormula' + query: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). 
+ maximum: 1 + minimum: 0 + type: number + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicStyling' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + type: + enum: + - mosaic + type: string + required: + - type + - data_source + - metric + title: Mosaic Chart (DSL) + type: object + Kibana_HTTP_APIs_mosaicStyling: + additionalProperties: false + description: Visual chart styling options + properties: + values: + $ref: '#/components/schemas/Kibana_HTTP_APIs_valueDisplay' + title: Mosaic styling + type: object + Kibana_HTTP_APIs_movingAverageOperation: + additionalProperties: false + properties: + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - moving_average + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + window: + default: 5 + description: Window + type: number + required: + - operation + - of + title: Moving Average Operation + type: object + Kibana_HTTP_APIs_multi_field_key: + additionalProperties: false + properties: + keys: + items: + type: string + maxItems: 100 + type: array + type: + enum: + - multi_field_key + type: string + required: + - type + - keys + title: Multi Field Key + type: object + Kibana_HTTP_APIs_new_agent_policy: + additionalProperties: false + properties: + advanced_settings: + additionalProperties: false + type: object + properties: + agent_download_target_directory: + nullable: true + agent_download_timeout: + nullable: true + 
agent_features_disable_policy_change_acks_enabled: + nullable: true + agent_internal: + nullable: true + agent_limits_go_max_procs: + nullable: true + agent_logging_files_interval: + nullable: true + agent_logging_files_keepfiles: + nullable: true + agent_logging_files_rotateeverybytes: + nullable: true + agent_logging_level: + nullable: true + agent_logging_metrics_period: + nullable: true + agent_logging_to_files: + nullable: true + agent_monitoring_runtime_experimental: + nullable: true + agent_features: + items: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + name: + type: string + required: + - name + - enabled + maxItems: 100 + type: array + agentless: + additionalProperties: false + type: object + properties: + cloud_connectors: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + target_csp: + enum: + - aws + - azure + - gcp + type: string + required: + - enabled + cluster_id: type: string - _score: - aggregatable: false - count: 0 - format: - id: number - isMapped: true - name: _score - readFromDocValues: false - scripted: false - searchable: false - shortDotsEnable: false - type: number - _source: - aggregatable: false - count: 0 - esTypes: - - _source - format: - id: _source - isMapped: true - name: _source - readFromDocValues: false - scripted: false - searchable: false - shortDotsEnable: false - type: _source - AvgTicketPrice: - aggregatable: true - count: 0 - esTypes: - - float - format: - id: number - params: - pattern: $0,0.[00] - isMapped: true - name: AvgTicketPrice - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - Cancelled: - aggregatable: true - count: 0 - esTypes: - - boolean - format: - id: boolean - isMapped: true - name: Cancelled - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + resources: + additionalProperties: false + type: object + properties: + requests: + 
additionalProperties: false + type: object + properties: + cpu: + type: string + memory: + type: string + bumpRevision: + type: boolean + data_output_id: + nullable: true + type: string + description: + type: string + download_source_id: + nullable: true + type: string + fleet_server_host_id: + nullable: true + type: string + force: + type: boolean + global_data_tags: + description: User defined data tags that are added to all of the inputs. The values can be strings or numbers. + items: + additionalProperties: false + type: object + properties: + name: + type: string + value: + anyOf: + - type: string + - type: number + required: + - name + - value + maxItems: 100 + type: array + has_agent_version_conditions: + type: boolean + has_fleet_server: + type: boolean + id: + type: string + inactivity_timeout: + default: 1209600 + minimum: 0 + type: number + is_default: + type: boolean + is_default_fleet_server: + type: boolean + is_managed: + type: boolean + is_protected: + type: boolean + is_verifier: + type: boolean + keep_monitoring_alive: + default: false + description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled + nullable: true + type: boolean + min_agent_version: + nullable: true + type: string + monitoring_diagnostics: + additionalProperties: false + type: object + properties: + limit: + additionalProperties: false + type: object + properties: + burst: + type: number + interval: + type: string + uploader: + additionalProperties: false + type: object + properties: + init_dur: + type: string + max_dur: + type: string + max_retries: + type: number + monitoring_enabled: + items: + enum: + - logs + - metrics + - traces + type: string + maxItems: 3 + type: array + monitoring_http: + additionalProperties: false + type: object + properties: + buffer: + additionalProperties: false + type: object + properties: + enabled: + default: false + type: boolean + enabled: type: boolean - Carrier: - aggregatable: true - count: 0 - 
esTypes: - - keyword - format: - id: string - isMapped: true - name: Carrier - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + host: type: string - dayOfWeek: - aggregatable: true - count: 0 - esTypes: - - integer - format: - id: number - isMapped: true - name: dayOfWeek - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + port: + maximum: 65353 + minimum: 0 type: number - Dest: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: Dest - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - DestAirportID: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: DestAirportID - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - DestCityName: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: DestCityName - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - DestCountry: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: DestCountry - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - DestLocation: - aggregatable: true - count: 0 - esTypes: - - geo_point - format: - id: geo_point - params: - transform: wkt - isMapped: true - name: DestLocation - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: geo_point - DestRegion: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: DestRegion - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - DestWeather: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: 
DestWeather - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + monitoring_output_id: + nullable: true + type: string + monitoring_pprof_enabled: + type: boolean + name: + minLength: 1 + type: string + namespace: + minLength: 1 + type: string + overrides: + additionalProperties: + nullable: true + description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure. + nullable: true + type: object + package_agent_version_conditions: + items: + additionalProperties: false + type: object + properties: + name: + type: string + title: + type: string + version_condition: + type: string + required: + - name + - title + - version_condition + maxItems: 1000 + nullable: true + type: array + required_versions: + items: + additionalProperties: false + type: object + properties: + percentage: + description: Target percentage of agents to auto upgrade + maximum: 100 + minimum: 0 + type: number + version: + description: Target version for automatic agent upgrade + type: string + required: + - version + - percentage + maxItems: 100 + nullable: true + type: array + space_ids: + items: + type: string + maxItems: 100 + type: array + supports_agentless: + default: false + deprecated: true + description: Indicates whether the agent policy supports agentless integrations. Deprecated in favor of the Fleet agentless policies API. 
+ nullable: true + type: boolean + unenroll_timeout: + minimum: 0 + type: number + required: + - name + - namespace + title: new_agent_policy + type: object + Kibana_HTTP_APIs_new_enrollment_api_key: + additionalProperties: false + properties: + expiration: + type: string + name: + type: string + policy_id: + type: string + required: + - policy_id + title: new_enrollment_api_key + type: object + Kibana_HTTP_APIs_new_output_elasticsearch: + additionalProperties: false + properties: + allow_edit: + items: + type: string + maxItems: 1000 + type: array + ca_sha256: + nullable: true + type: string + ca_trusted_fingerprint: + nullable: true + type: string + config_yaml: + nullable: true + type: string + hosts: + items: + format: uri + type: string + maxItems: 10 + minItems: 1 + type: array + id: + type: string + is_default: + default: false + type: boolean + is_default_monitoring: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + type: boolean + name: + type: string + otel_disable_beatsauth: + nullable: true + type: boolean + otel_exporter_config_yaml: + nullable: true + type: string + preset: + enum: + - balanced + - custom + - throughput + - scale + - latency + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + ssl: + additionalProperties: false + type: object + properties: + key: + anyOf: + - additionalProperties: false + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + shipper: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' + nullable: true + ssl: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + nullable: true + type: + enum: + - elasticsearch + type: string + write_to_logs_streams: + nullable: true + type: boolean + required: + - name + - type + - hosts + title: new_output_elasticsearch + type: object + Kibana_HTTP_APIs_new_output_kafka: + 
additionalProperties: false + properties: + allow_edit: + items: + type: string + maxItems: 1000 + type: array + auth_type: + enum: + - none + - user_pass + - ssl + - kerberos + type: string + broker_timeout: + type: number + ca_sha256: + nullable: true + type: string + ca_trusted_fingerprint: + nullable: true + type: string + client_id: + type: string + compression: + enum: + - gzip + - snappy + - lz4 + - none + type: string + compression_level: + nullable: true + type: number + config_yaml: + nullable: true + type: string + connection_type: + enum: + - plaintext + - encryption + type: string + hash: + additionalProperties: false + type: object + properties: + hash: type: string - DistanceKilometers: - aggregatable: true - count: 0 - esTypes: - - float - format: - id: number - isMapped: true - name: DistanceKilometers - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - DistanceMiles: - aggregatable: true - count: 0 - esTypes: - - float - format: - id: number - isMapped: true - name: DistanceMiles - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - FlightDelay: - aggregatable: true - count: 0 - esTypes: - - boolean - format: - id: boolean - isMapped: true - name: FlightDelay - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + random: type: boolean - FlightDelayMin: - aggregatable: true - count: 0 - esTypes: - - integer - format: - id: number - isMapped: true - name: FlightDelayMin - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - FlightDelayType: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: FlightDelayType - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - FlightNum: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true 
- name: FlightNum - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - FlightTimeHour: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: FlightTimeHour - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - FlightTimeMin: - aggregatable: true - count: 0 - esTypes: - - float - format: - id: number - isMapped: true - name: FlightTimeMin - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + headers: + items: + additionalProperties: false + type: object + properties: + key: + type: string + value: + type: string + required: + - key + - value + maxItems: 100 + type: array + hosts: + items: + type: string + maxItems: 10 + minItems: 1 + type: array + id: + type: string + is_default: + default: false + type: boolean + is_default_monitoring: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + type: boolean + key: + type: string + name: + type: string + otel_disable_beatsauth: + nullable: true + type: boolean + otel_exporter_config_yaml: + nullable: true + type: string + partition: + enum: + - random + - round_robin + - hash + type: string + password: + nullable: true + type: string + proxy_id: + nullable: true + type: string + random: + additionalProperties: false + type: object + properties: + group_events: type: number - hour_of_day: - aggregatable: true - count: 0 - esTypes: - - long - format: - id: number - params: - pattern: '00' - name: hour_of_day - readFromDocValues: false - runtimeField: - script: - source: emit(doc['timestamp'].value.getHour()); - type: long - scripted: false - searchable: true - shortDotsEnable: false + required_acks: + enum: + - 1 + - 0 + - -1 + type: integer + round_robin: + additionalProperties: false + type: object + properties: + group_events: type: number - Origin: - aggregatable: true - count: 0 - esTypes: - - keyword 
- format: - id: string - isMapped: true - name: Origin - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - OriginAirportID: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: OriginAirportID - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - OriginCityName: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: OriginCityName - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + sasl: + additionalProperties: false + nullable: true + type: object + properties: + mechanism: + enum: + - PLAIN + - SCRAM-SHA-256 + - SCRAM-SHA-512 type: string - OriginCountry: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: OriginCountry - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + secrets: + additionalProperties: false + type: object + properties: + password: + anyOf: + - additionalProperties: false + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + key: + anyOf: + - additionalProperties: false + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + required: + - key + shipper: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' + nullable: true + ssl: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + nullable: true + timeout: + type: number + topic: + type: string + type: + enum: + - kafka + type: string + username: + nullable: true + type: string + version: + type: string + required: + - name + - type + - hosts + - auth_type + title: new_output_kafka + type: object + Kibana_HTTP_APIs_new_output_logstash: + additionalProperties: 
false + properties: + allow_edit: + items: + type: string + maxItems: 1000 + type: array + ca_sha256: + nullable: true + type: string + ca_trusted_fingerprint: + nullable: true + type: string + config_yaml: + nullable: true + type: string + hosts: + items: + type: string + maxItems: 10 + minItems: 1 + type: array + id: + type: string + is_default: + default: false + type: boolean + is_default_monitoring: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + type: boolean + name: + type: string + otel_disable_beatsauth: + nullable: true + type: boolean + otel_exporter_config_yaml: + nullable: true + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + ssl: + additionalProperties: false + type: object + properties: + key: + anyOf: + - additionalProperties: false + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + shipper: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' + nullable: true + ssl: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + nullable: true + type: + enum: + - logstash + type: string + required: + - name + - type + - hosts + title: new_output_logstash + type: object + Kibana_HTTP_APIs_new_output_remote_elasticsearch: + additionalProperties: false + properties: + allow_edit: + items: + type: string + maxItems: 1000 + type: array + ca_sha256: + nullable: true + type: string + ca_trusted_fingerprint: + nullable: true + type: string + config_yaml: + nullable: true + type: string + hosts: + items: + format: uri + type: string + maxItems: 10 + minItems: 1 + type: array + id: + type: string + is_default: + default: false + type: boolean + is_default_monitoring: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + type: boolean + kibana_api_key: + nullable: true + type: string + kibana_url: + nullable: true + type: 
string + name: + type: string + otel_disable_beatsauth: + nullable: true + type: boolean + otel_exporter_config_yaml: + nullable: true + type: string + preset: + enum: + - balanced + - custom + - throughput + - scale + - latency + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + service_token: + anyOf: + - additionalProperties: false + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + key: + anyOf: + - additionalProperties: false + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + service_token: + nullable: true + type: string + shipper: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' + nullable: true + ssl: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + nullable: true + sync_integrations: + type: boolean + sync_uninstalled_integrations: + type: boolean + type: + enum: + - remote_elasticsearch + type: string + write_to_logs_streams: + nullable: true + type: boolean + required: + - name + - type + - hosts + title: new_output_remote_elasticsearch + type: object + Kibana_HTTP_APIs_new_rule: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_alert_delay' + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns 
the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the rule. + type: object + rule_type_id: + description: The rule type identifier. + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. 
type: string - OriginLocation: - aggregatable: true - count: 0 - esTypes: - - geo_point - format: - id: geo_point - params: - transform: wkt - isMapped: true - name: OriginLocation - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: geo_point - OriginRegion: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: OriginRegion - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + title: new_rule + type: object + Kibana_HTTP_APIs_new_rule_action: + additionalProperties: false + description: An action that runs under defined conditions. + properties: + alerts_filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action_alerts_filter' + frequency: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action_frequency' + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. 
The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + title: new_rule_action + type: object + Kibana_HTTP_APIs_new_rule_action_alerts_filter: + additionalProperties: false + description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. + properties: + query: + $ref: '#/components/schemas/Kibana_HTTP_APIs_alerts_filter_query' + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. + type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). + type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. 
type: string - OriginWeather: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: OriginWeather - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + required: + - days + - hours + - timezone + title: new_rule_action_alerts_filter + type: object + Kibana_HTTP_APIs_new_rule_action_frequency: + additionalProperties: false + properties: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - summary + - notify_when + - throttle + title: new_rule_action_frequency + type: object + Kibana_HTTP_APIs_noColor: + additionalProperties: false + description: Explicitly disables coloring + properties: + type: + enum: + - none + type: string + required: + - type + title: No Color + type: object + Kibana_HTTP_APIs_numericFormat: + additionalProperties: false + description: Number or percentage format with optional decimal places, suffix, and compact notation. + properties: + compact: + default: false + description: When `true`, uses compact notation (for example, 1.2k instead of 1,200). Defaults to `false`. + type: boolean + decimals: + default: 2 + description: Number of decimal places to display. + type: number + suffix: + description: Suffix appended to the formatted value. + type: string + type: + description: 'Value format type: `number` for plain numbers, `percent` for percentages.' + enum: + - number + - percent + type: string + required: + - type + title: Numeric Format + type: object + Kibana_HTTP_APIs_observability-rules-custom-threshold-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_alert_delay' + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' 
+ type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the custom threshold rule. These parameters are appropriate when `rule_type_id` is `observability.rules.custom_threshold`. 
+ properties: + alertOnGroupDisappear: + type: boolean + alertOnNoData: + type: boolean + criteria: + items: + additionalProperties: false + type: object + properties: + aggType: + enum: + - custom + type: string + comparator: + type: string + equation: + type: string + label: + type: string + metrics: + items: + anyOf: + - additionalProperties: false + type: object + properties: + aggType: + type: string + field: + type: string + filter: + type: string + name: + type: string + required: + - name + - aggType + - field + - additionalProperties: false + type: object + properties: + aggType: + enum: + - count + type: string + filter: + type: string + name: + type: string + required: + - name + - aggType + type: array + threshold: + items: + type: number + type: array + timeSize: + type: number + timeUnit: + type: string + required: + - threshold + - comparator + - timeUnit + - timeSize + - metrics + type: array + groupBy: + anyOf: + - type: string + - items: + type: string + type: array + noDataBehavior: + enum: + - recover + - remainActive + - alertOnNoData type: string - timestamp: - aggregatable: true - count: 0 - esTypes: - - date - format: - id: date - isMapped: true - name: timestamp - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: date - id: d3d7af60-4c81-11e8-b3d7-01146121b73d - name: Kibana Sample Data Flights - runtimeFieldMap: - hour_of_day: - script: - source: emit(doc['timestamp'].value.getHour()); - type: long - sourceFilters: [] - timeFieldName: timestamp - title: kibana_sample_data_flights - version: WzM2LDJd - fields: - - aggregatable: true - count: 0 - esTypes: - - long - name: hour_of_day - readFromDocValues: false - runtimeField: - script: - source: emit(doc['timestamp'].value.getHour()); - type: long - scripted: false - searchable: true - shortDotsEnable: false - type: number - Data_views_preview_swap_data_view_request: - description: >- - Preview the saved objects that would be affected by swapping 
references - from one data view to another. - summary: Preview swapping references from data view ID "abcd-efg" to "xyz-123". - value: - fromId: abcd-efg - toId: xyz-123 - Data_views_preview_swap_data_view_response: - description: >- - The result array lists every saved object that references the source - data view. No saved objects are modified by the preview endpoint. - summary: A preview of saved objects that would be affected by a data view swap. - value: - result: - - id: 8963ca30-bca7-11e8-aa00-0123456789ab - type: visualization - - id: edf84fe0-e1a0-11e7-b6d5-4dc382ef7f5b - type: dashboard - Data_views_set_default_data_view_request: - description: >- - Set the default data view, using the force flag to overwrite an existing - default. - summary: Set the default data view identifier. - value: - data_view_id: ff959d40-b880-11e8-a6d9-e546fe2bba5f - force: true - Data_views_set_default_data_view_response: - description: >- - The acknowledged flag confirms that the default data view for the - current Kibana space was updated. - summary: The default data view was set successfully. - value: - acknowledged: true - Data_views_swap_data_view_request: - description: >- - Swap all saved object references from one data view to another and - delete the source data view afterward. - summary: >- - Swap references from data view ID "abcd-efg" to "xyz-123" and remove the - data view that is no longer referenced. - value: - delete: true - fromId: abcd-efg - toId: xyz-123 - Data_views_swap_data_view_response: - description: >- - The list of saved objects whose references were updated, along with the - delete status of the source. - summary: The swap references API returns a list of the affected saved objects. - value: - deleteStatus: - deletePerformed: true - remainingRefs: 0 - result: - - id: '123' - type: visualization - Data_views_update_data_view_request: - description: >- - Update the title, time field, and other properties of an existing data - view. 
- summary: Update some properties for a data view. - value: - data_view: - allowNoIndex: false - name: Kibana Sample Data eCommerce - timeFieldName: order_date - title: kibana_sample_data_ecommerce - refresh_fields: true - Data_views_update_field_metadata_request: - description: >- - Update the popularity count, custom label, and custom description for - specific fields in a data view. - summary: Update metadata for multiple fields. - value: - fields: - field1: - count: 123 - customLabel: Field 1 label - field2: - customDescription: Field 2 description - customLabel: Field 2 label - Data_views_update_field_metadata_response: - description: >- - The acknowledged flag confirms that the field metadata changes were - applied to the data view. - summary: Field metadata was updated successfully. - value: - acknowledged: true - Data_views_update_runtime_field_request: - description: Update the script of an existing runtime field. - summary: Update an existing runtime field on a data view. - value: - runtimeField: - script: - source: emit(doc["bar"].value) - Machine_learning_APIs_mlSync401Example: - summary: Two anomaly detection jobs required synchronization in this example. - value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [ml_viewer] for REST request [/_security/_authenticate]]: unable to authenticate user [ml_viewer] for REST request [/_security/_authenticate]" - statusCode: 401 - Machine_learning_APIs_mlSyncExample: - summary: Two anomaly detection jobs required synchronization in this example. 
- value: - datafeedsAdded: {} - datafeedsRemoved: {} - savedObjectsCreated: - anomaly-detector: - myjob1: - success: true - myjob2: - success: true - savedObjectsDeleted: {} - Observability_AI_Assistant_API_ChatCompleteRequestExample: - summary: Example of completing a chat interaction - value: | - { - "connectorId": "", - "disableFunctions": false, - "messages": [ - { - "@timestamp": "2025-06-25T23:45:00.000Z", - "message": { - "role": "user", - "content": "Is my Elasticsearch cluster healthy right now?" - } - } - ], - "persist": false, - "actions": [ - { - "name": "get_cluster_health", - "description": "Fetch the current Elasticsearch cluster-health status and key metrics.", - "parameters": { - "type": "object", - "properties": { - "includeShardStats": { - "type": "boolean", - "default": false - } - } - } - } - ], - "instructions": ["When the user asks about Elasticsearch cluster health, use the get_cluster_health tool to retrieve cluster health, then summarize the response in plain English."] - } - Observability_AI_Assistant_API_ChatCompleteResponseExample: - summary: Get a chat completion from the Observability AI Assistant - value: > - data: - {"model":"unknown","choices":[{"delta":{"content":"","function_call":{"name":"get_cluster_health","arguments":"{\"includeShardStats\":true}"}},"finish_reason":null,"index":0}],"created":1750936626911,"id":"9c8eff9b-4fd4-4203-a4ab-2e364688deff","object":"chat.completion.chunk"} - - - data: [DONE] - Security_Detections_API_SetAlertAssigneesBodyAdd: - value: - assignees: - add: - - u_MxY0jbrft7EcfC6iNZSUGeI_n6iYrSwZj5mWF5EqmSU_0 - remove: [] - ids: - - 681c2a707335aa7df5f349b70013d87254746191712ecf0ced9b3e2d538503a6 - Security_Detections_API_SetAlertAssigneesBodyRemove: - value: - assignees: - add: [] - remove: - - u_MxY0jbrft7EcfC6iNZSUGeI_n6iYrSwZj5mWF5EqmSU_0 - ids: - - 681c2a707335aa7df5f349b70013d87254746191712ecf0ced9b3e2d538503a6 - Security_Detections_API_SetAlertTagsBodyAdd: - value: - ids: - - 
549c7129c76cbd554aba1bd638f8a49dde95088f5832e50218358e7eca1cf16e - tags: - tags_to_add: - - Duplicate - tags_to_remove: [] - Security_Detections_API_SetAlertTagsBodyRemove: - value: - ids: - - 549c7129c76cbd554aba1bd638f8a49dde95088f5832e50218358e7eca1cf16e + searchConfiguration: + additionalProperties: false + type: object + properties: + filter: + items: + additionalProperties: false + type: object + properties: + meta: + additionalProperties: + nullable: true + type: object + query: + additionalProperties: + nullable: true + type: object + required: + - meta + type: array + index: + anyOf: + - type: string + - additionalProperties: false + type: object + properties: + allowHidden: + type: boolean + allowNoIndex: + type: boolean + fieldAttrs: + additionalProperties: + additionalProperties: false + type: object + properties: + count: + type: number + customDescription: + maxLength: 300 + type: string + customLabel: + type: string + type: object + fieldFormats: + additionalProperties: + additionalProperties: false + type: object + properties: + id: + type: string + params: + nullable: true + required: + - params + type: object + fields: + additionalProperties: + additionalProperties: false + type: object + properties: + aggregatable: + type: boolean + count: + minimum: 0 + type: number + customDescription: + maxLength: 300 + type: string + customLabel: + type: string + esTypes: + items: + type: string + type: array + format: + additionalProperties: false + type: object + properties: + id: + type: string + params: + nullable: true + required: + - params + name: + maxLength: 1000 + type: string + readFromDocValues: + type: boolean + runtimeField: + anyOf: + - additionalProperties: false + type: object + properties: + customDescription: + maxLength: 300 + type: string + customLabel: + type: string + format: + additionalProperties: false + type: object + properties: + id: + type: string + params: + nullable: true + required: + - params + popularity: + minimum: 0 + 
type: number + script: + additionalProperties: false + type: object + properties: + source: + type: string + required: + - source + type: + enum: + - keyword + - long + - double + - date + - ip + - boolean + - geo_point + type: string + required: + - type + - additionalProperties: false + type: object + properties: + fields: + additionalProperties: + additionalProperties: false + type: object + properties: + customDescription: + maxLength: 300 + type: string + customLabel: + type: string + format: + additionalProperties: false + type: object + properties: + id: + type: string + params: + nullable: true + required: + - params + popularity: + minimum: 0 + type: number + type: + enum: + - keyword + - long + - double + - date + - ip + - boolean + - geo_point + type: string + required: + - type + type: object + script: + additionalProperties: false + type: object + properties: + source: + type: string + required: + - source + type: + enum: + - composite + type: string + required: + - type + script: + maxLength: 1000000 + type: string + scripted: + type: boolean + searchable: + type: boolean + shortDotsEnable: + type: boolean + subType: + additionalProperties: false + type: object + properties: + multi: + additionalProperties: false + type: object + properties: + parent: + type: string + required: + - parent + nested: + additionalProperties: false + type: object + properties: + path: + type: string + required: + - path + type: + default: string + maxLength: 1000 + type: string + required: + - name + type: object + id: + type: string + managed: + type: boolean + name: + type: string + namespaces: + items: + type: string + type: array + runtimeFieldMap: + additionalProperties: + anyOf: + - additionalProperties: false + type: object + properties: + customDescription: + maxLength: 300 + type: string + customLabel: + type: string + format: + additionalProperties: false + type: object + properties: + id: + type: string + params: + nullable: true + required: + - params + 
popularity: + minimum: 0 + type: number + script: + additionalProperties: false + type: object + properties: + source: + type: string + required: + - source + type: + enum: + - keyword + - long + - double + - date + - ip + - boolean + - geo_point + type: string + required: + - type + - additionalProperties: false + type: object + properties: + fields: + additionalProperties: + additionalProperties: false + type: object + properties: + customDescription: + maxLength: 300 + type: string + customLabel: + type: string + format: + additionalProperties: false + type: object + properties: + id: + type: string + params: + nullable: true + required: + - params + popularity: + minimum: 0 + type: number + type: + enum: + - keyword + - long + - double + - date + - ip + - boolean + - geo_point + type: string + required: + - type + type: object + script: + additionalProperties: false + type: object + properties: + source: + type: string + required: + - source + type: + enum: + - composite + type: string + required: + - type + type: object + sourceFilters: + items: + additionalProperties: false + type: object + properties: + clientId: + anyOf: + - type: string + - type: number + value: + type: string + required: + - value + type: array + timeFieldName: + type: string + title: + type: string + type: + type: string + typeMeta: + additionalProperties: true + type: object + properties: {} + version: + type: string + required: + - title + query: + additionalProperties: false + type: object + properties: + language: + type: string + query: + type: string + required: + - language + - query + required: + - index + - query + required: + - criteria + - searchConfiguration + title: Custom Threshold Rule Params + type: object + rule_type_id: + enum: + - observability.rules.custom_threshold + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. 
+ type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval tags: - tags_to_add: [] - tags_to_remove: - - Duplicate - Task_manager_health_Serverless_APIs_health_200response_serverless: - description: A successful response from `GET api/task_manager/_health`. - value: |- - { - "id": "b44483e1-3ba2-4f28-93d0-1d96c69c32c1", - "timestamp": "2025-03-21T21:49:50.409Z", - "status": "OK", - "last_update": "2025-03-21T21:48:53.996Z", - "stats": { - "configuration": { - "timestamp": "2025-03-21T21:47:51.663Z", - "value": { - "request_capacity": 1000, - "monitored_aggregated_stats_refresh_rate": 60000, - "monitored_stats_running_average_window": 50, - "monitored_task_execution_thresholds": { - "custom": {}, - "default": { - "error_threshold": 90, - "warn_threshold": 80 - } - }, - "claim_strategy": "mget", - "poll_interval": 500, - "capacity": { - "config": 10, - "as_workers": 10, - "as_cost": 20 - } - }, - "status": "OK" - }, - "workload": { - "timestamp": "2025-03-21T21:48:53.996Z", - "value": { - "count": 21, - "cost": 42, - "task_types": { - "Fleet-Metrics-Task": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } - }, - "Fleet-Usage-Logger": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } - }, - "Fleet-Usage-Sender": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } - }, - "ML:saved-objects-sync": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } - }, - "actions:connector_usage_reporting": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } - }, - "actions_telemetry": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } - }, - "alerting_health_check": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } - }, - "alerting_telemetry": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } - }, - "alerts_invalidate_api_keys": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } - }, - "cases-telemetry-task": { - 
"count": 1, - "cost": 2, - "status": { - "idle": 1 - } - }, - "dashboard_telemetry": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } - }, - "fleet:automatic-agent-upgrade-task": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } - }, - "fleet:check-deleted-files-task": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } - }, - "fleet:delete-unenrolled-agents-task": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } - }, - "fleet:sync-integrations-task": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } - }, - "fleet:unenroll-inactive-agents-task": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } - }, - "fleet:upgrade-agentless-deployments-task": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } - }, - "session_cleanup": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } - }, - "task_manager:delete_inactive_background_task_nodes": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } - }, - "task_manager:mark_removed_tasks_as_unrecognized": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } - } - }, - "non_recurring": 1, - "non_recurring_cost": 2, - "schedule": [ - [ - "1m", - 2 - ], - [ - "5m", - 2 - ], - [ - "10m", - 1 - ], - [ - "15m", - 1 - ], - [ - "30m", - 1 - ], - [ - "1h", - 5 - ], - [ - "3600s", - 1 - ], - [ - "60m", - 1 - ], - [ - "720m", - 1 - ], - [ - "1d", - 4 - ], - [ - "1440m", - 1 - ] - ], - "overdue": 0, - "overdue_cost": 0, - "overdue_non_recurring": 0, - "estimated_schedule_density": [ - 0, - 0, - 1, - 0, - 0, - 0, - 0, - 1, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0 - ], - "capacity_requirements": { - "per_minute": 2, - "per_hour": 43, - "per_day": 7 - } - }, - "status": "OK" - } - } - } - parameters: - APM_UI_elastic_api_version: - description: The version of the API to use - in: header - name: 
elastic-api-version - required: true - schema: - default: '2023-10-31' - enum: - - '2023-10-31' - type: string - APM_UI_kbn_xsrf: - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - Data_views_field_name: - description: The name of the runtime field. - in: path - name: fieldName - required: true - schema: - example: hour_of_day - type: string - Data_views_kbn_xsrf: - description: Cross-site request forgery protection - in: header - name: kbn-xsrf - required: true - schema: - type: string - Data_views_view_id: - description: An identifier for the data view. - in: path - name: viewId - required: true - schema: - example: ff959d40-b880-11e8-a6d9-e546fe2bba5f - type: string - Machine_learning_APIs_simulateParam: - description: >- - When true, simulates the synchronization by returning only the list of - actions that would be performed. - example: 'true' - in: query - name: simulate - required: false - schema: - type: boolean - SLOs_kbn_xsrf: - description: Cross-site request forgery protection - in: header - name: kbn-xsrf - required: true - schema: - type: string - SLOs_slo_id: - description: An identifier for the slo. - in: path - name: sloId - required: true - schema: - example: 9c235211-6834-11ea-a78c-6feb38a34414 - type: string - SLOs_space_id: - description: >- - An identifier for the space. If `/s/` and the identifier are omitted - from the path, the default space is used. - in: path - name: spaceId - required: true - schema: - example: default - type: string - schemas: - APM_UI_400_response: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Custom threshold + type: object + Kibana_HTTP_APIs_operationTimeScaleSetting: + description: Time scale + enum: + - s + - m + - h + - d + title: Operation Time Scale Setting + type: string + Kibana_HTTP_APIs_output_elasticsearch: + additionalProperties: true + properties: + allow_edit: + items: + type: string + maxItems: 1000 + type: array + ca_sha256: + nullable: true + type: string + ca_trusted_fingerprint: + nullable: true + type: string + config_yaml: + nullable: true + type: string + hosts: + items: + format: uri + type: string + maxItems: 10 + minItems: 1 + type: array + id: + type: string + is_default: + default: false + type: boolean + is_default_monitoring: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + type: boolean + name: + type: string + otel_disable_beatsauth: + nullable: true + type: boolean + otel_exporter_config_yaml: + nullable: true + type: string + preset: + enum: + - balanced + - custom + - throughput + - scale + - latency + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: true + type: object + properties: + ssl: + additionalProperties: true + type: object + properties: + key: + anyOf: + - additionalProperties: true + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + shipper: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' + nullable: true + ssl: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + nullable: true + type: + enum: + - elasticsearch + type: string + write_to_logs_streams: + nullable: true + type: boolean + required: + - name + - type + - hosts + title: output_elasticsearch + type: object + 
Kibana_HTTP_APIs_output_kafka: + additionalProperties: true + properties: + allow_edit: + items: + type: string + maxItems: 1000 + type: array + auth_type: + enum: + - none + - user_pass + - ssl + - kerberos + type: string + broker_timeout: + type: number + ca_sha256: + nullable: true + type: string + ca_trusted_fingerprint: + nullable: true + type: string + client_id: + type: string + compression: + enum: + - gzip + - snappy + - lz4 + - none + type: string + compression_level: + nullable: true + type: number + config_yaml: + nullable: true + type: string + connection_type: + enum: + - plaintext + - encryption + type: string + hash: + additionalProperties: true + type: object + properties: + hash: + type: string + random: + type: boolean + headers: + items: + additionalProperties: true + type: object + properties: + key: + type: string + value: + type: string + required: + - key + - value + maxItems: 100 + type: array + hosts: + items: + type: string + maxItems: 10 + minItems: 1 + type: array + id: + type: string + is_default: + default: false + type: boolean + is_default_monitoring: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + type: boolean + key: + type: string + name: + type: string + otel_disable_beatsauth: + nullable: true + type: boolean + otel_exporter_config_yaml: + nullable: true + type: string + partition: + enum: + - random + - round_robin + - hash + type: string + password: + nullable: true + type: string + proxy_id: + nullable: true + type: string + random: + additionalProperties: true + type: object + properties: + group_events: + type: number + required_acks: + enum: + - 1 + - 0 + - -1 + type: integer + round_robin: + additionalProperties: true + type: object + properties: + group_events: + type: number + sasl: + additionalProperties: true + nullable: true + type: object + properties: + mechanism: + enum: + - PLAIN + - SCRAM-SHA-256 + - SCRAM-SHA-512 + type: string + secrets: + additionalProperties: true + 
type: object + properties: + password: + anyOf: + - additionalProperties: true + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: true + type: object + properties: + key: + anyOf: + - additionalProperties: true + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + required: + - key + shipper: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' + nullable: true + ssl: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + nullable: true + timeout: + type: number + topic: + type: string + type: + enum: + - kafka + type: string + username: + nullable: true + type: string + version: + type: string + required: + - name + - type + - hosts + - auth_type + title: output_kafka + type: object + Kibana_HTTP_APIs_output_logstash: + additionalProperties: true + properties: + allow_edit: + items: + type: string + maxItems: 1000 + type: array + ca_sha256: + nullable: true + type: string + ca_trusted_fingerprint: + nullable: true + type: string + config_yaml: + nullable: true + type: string + hosts: + items: + type: string + maxItems: 10 + minItems: 1 + type: array + id: + type: string + is_default: + default: false + type: boolean + is_default_monitoring: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + type: boolean + name: + type: string + otel_disable_beatsauth: + nullable: true + type: boolean + otel_exporter_config_yaml: + nullable: true + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: true + type: object + properties: + ssl: + additionalProperties: true + type: object + properties: + key: + anyOf: + - additionalProperties: true + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + shipper: + allOf: + - $ref: 
'#/components/schemas/Kibana_HTTP_APIs_output_shipper' + nullable: true + ssl: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + nullable: true + type: + enum: + - logstash + type: string + required: + - name + - type + - hosts + title: output_logstash + type: object + Kibana_HTTP_APIs_output_remote_elasticsearch: + additionalProperties: true + properties: + allow_edit: + items: + type: string + maxItems: 1000 + type: array + ca_sha256: + nullable: true + type: string + ca_trusted_fingerprint: + nullable: true + type: string + config_yaml: + nullable: true + type: string + hosts: + items: + format: uri + type: string + maxItems: 10 + minItems: 1 + type: array + id: + type: string + is_default: + default: false + type: boolean + is_default_monitoring: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + type: boolean + kibana_api_key: + nullable: true + type: string + kibana_url: + nullable: true + type: string + name: + type: string + otel_disable_beatsauth: + nullable: true + type: boolean + otel_exporter_config_yaml: + nullable: true + type: string + preset: + enum: + - balanced + - custom + - throughput + - scale + - latency + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: true + type: object + properties: + service_token: + anyOf: + - additionalProperties: true + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: true + type: object + properties: + key: + anyOf: + - additionalProperties: true + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + service_token: + nullable: true + type: string + shipper: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' + nullable: true + ssl: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + nullable: true + sync_integrations: + type: boolean + 
sync_uninstalled_integrations: + type: boolean + type: + enum: + - remote_elasticsearch + type: string + write_to_logs_streams: + nullable: true + type: boolean + required: + - name + - type + - hosts + title: output_remote_elasticsearch + type: object + Kibana_HTTP_APIs_output_shipper: + additionalProperties: true + properties: + compression_level: + nullable: true + type: number + disk_queue_compression_enabled: + nullable: true + type: boolean + disk_queue_enabled: + default: false + nullable: true + type: boolean + disk_queue_encryption_enabled: + nullable: true + type: boolean + disk_queue_max_size: + nullable: true + type: number + disk_queue_path: + nullable: true + type: string + loadbalance: + nullable: true + type: boolean + max_batch_bytes: + nullable: true + type: number + mem_queue_events: + nullable: true + type: number + queue_flush_timeout: + nullable: true + type: number + required: + - disk_queue_path + - disk_queue_max_size + - disk_queue_encryption_enabled + - disk_queue_compression_enabled + - compression_level + - loadbalance + - mem_queue_events + - queue_flush_timeout + - max_batch_bytes + title: output_shipper + type: object + Kibana_HTTP_APIs_output_ssl: + additionalProperties: true + properties: + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + key: + type: string + verification_mode: + enum: + - full + - none + - certificate + - strict + type: string + title: output_ssl + type: object + Kibana_HTTP_APIs_package_icon: + additionalProperties: false + properties: + dark_mode: + type: boolean + path: + type: string + size: + type: string + src: + type: string + title: + type: string + type: + type: string + required: + - src + title: package_icon + type: object + Kibana_HTTP_APIs_package_list_item: + additionalProperties: true + properties: + categories: + items: + type: string + maxItems: 100 + type: array + conditions: + additionalProperties: true + type: object + properties: + 
deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + elastic: + additionalProperties: true + type: object + properties: + capabilities: + items: + type: string + maxItems: 10 + type: array + subscription: + type: string + kibana: + additionalProperties: true + type: object + properties: + version: + type: string + data_streams: + items: + additionalProperties: + nullable: true + type: object + maxItems: 1000 + type: array + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + description: + type: string + discovery: + additionalProperties: true + type: object + properties: + datasets: + items: + additionalProperties: true + type: object + properties: + name: + type: string + required: + - name + maxItems: 100 + type: array + fields: + items: + additionalProperties: true + type: object + properties: + name: + type: string + required: + - name + maxItems: 100 + type: array + download: + type: string + format_version: + type: string + icons: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_icon' + maxItems: 100 + type: array + id: + type: string + installationInfo: + $ref: '#/components/schemas/Kibana_HTTP_APIs_installation_info' + integration: + type: string + internal: + type: boolean + latestVersion: + type: string + name: + type: string + owner: + additionalProperties: true + type: object + properties: + github: + type: string + type: + enum: + - elastic + - partner + - community + type: string + path: + type: string + policy_templates: + items: + additionalProperties: + nullable: true + type: object + maxItems: 1000 + type: array + readme: + type: string + release: + enum: + - ga + - beta + - experimental + type: string + signature_path: + type: string + source: + additionalProperties: true + type: object + properties: + license: + type: string + required: + - license + status: + type: string + title: + type: string + type: + anyOf: + - enum: + - integration + type: string + - enum: + - input + 
type: string + - enum: + - content + type: string + - type: string + var_groups: + items: + additionalProperties: true + type: object + properties: + description: + type: string + name: + type: string + options: + items: + additionalProperties: true + type: object + properties: + description: + type: string + hide_in_deployment_modes: + items: + enum: + - default + - agentless + type: string + maxItems: 2 + type: array + name: + type: string + title: + type: string + vars: + items: + type: string + maxItems: 100 + type: array + required: + - name + - title + - vars + maxItems: 100 + type: array + selector_title: + type: string + title: + type: string + required: + - name + - title + - selector_title + - options + maxItems: 100 + type: array + vars: + items: + additionalProperties: + nullable: true + type: object + maxItems: 1000 + type: array + version: + type: string + required: + - name + - version + - title + - id + title: package_list_item + type: object + Kibana_HTTP_APIs_package_metadata: + additionalProperties: false + properties: + has_policies: + type: boolean + required: + - has_policies + title: package_metadata + type: object + Kibana_HTTP_APIs_package_policy_package: + additionalProperties: false + properties: + experimental_data_stream_features: + items: + additionalProperties: false + type: object + properties: + data_stream: + type: string + features: + additionalProperties: false + type: object + properties: + doc_value_only_numeric: + type: boolean + doc_value_only_other: + type: boolean + synthetic_source: + type: boolean + tsdb: + type: boolean + required: + - data_stream + - features + maxItems: 100 + type: array + fips_compatible: + type: boolean + name: + description: Package name + type: string + requires_root: + type: boolean + title: + type: string + version: + description: Package version + type: string + required: + - name + - version + title: package_policy_package + type: object + Kibana_HTTP_APIs_package_policy_response: + 
additionalProperties: false + properties: + additional_datastreams_permissions: + description: Additional data stream permissions that will be added to the agent policy. + items: + type: string + maxItems: 1000 + nullable: true + type: array + agents: + type: number + cloud_connector_id: + description: ID of the cloud connector associated with this package policy. + nullable: true + type: string + cloud_connector_name: + description: Transient field for cloud connector name during creation. + maxLength: 255 + minLength: 1 + nullable: true + type: string + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this integration to its inputs.' + type: string + created_at: + type: string + created_by: + type: string + description: + description: Package policy description + type: string + elasticsearch: + additionalProperties: true + type: object + properties: + privileges: + additionalProperties: true + type: object + properties: + cluster: + items: + type: string + maxItems: 100 + type: array + enabled: + type: boolean + global_data_tags: + items: + additionalProperties: false + type: object + properties: + name: + description: The name of the custom field. Cannot contain spaces. + type: string + value: + anyOf: + - type: string + - type: number + description: The value of the custom field. + required: + - name + - value + maxItems: 100 + nullable: true + type: array + id: + type: string + inputs: + anyOf: + - items: + additionalProperties: false + type: object + properties: + compiled_input: + nullable: true + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' 
+ type: string + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + name: + type: string + policy_template: + type: string + streams: + items: + additionalProperties: false + type: object + properties: + compiled_stream: + nullable: true + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' + type: string + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + data_stream: + additionalProperties: false + type: object + properties: + dataset: + type: string + elasticsearch: + additionalProperties: false + type: object + properties: + dynamic_dataset: + type: boolean + dynamic_namespace: + type: boolean + privileges: + additionalProperties: false + type: object + properties: + indices: + items: + type: string + maxItems: 100 + type: array + type: + type: string + required: + - dataset + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + release: + enum: + - ga + - beta + - experimental + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. 
+ type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - enabled + - data_stream + - compiled_stream + maxItems: 1000 + type: array + type: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - type + - enabled + - streams + - compiled_input + maxItems: 100 + type: array + - additionalProperties: + additionalProperties: false + type: object + properties: + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' + type: string + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + description: Enable or disable that input. Defaults to `true` (enabled). + type: boolean + streams: + additionalProperties: + additionalProperties: false + type: object + properties: + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' + type: string + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + description: Enable or disable that stream. Defaults to `true` (enabled). + type: boolean + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. 
+ type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Input streams. Refer to the integration documentation to know which streams are available. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Package policy inputs. Refer to the integration documentation to know which inputs are available. + type: object + description: Package policy inputs. + is_managed: + type: boolean + name: + description: Unique name for the package policy. + type: string + namespace: + description: The package policy namespace. Leave blank to inherit the agent policy's namespace. + type: string + output_id: + nullable: true + type: string + overrides: + additionalProperties: false + description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. 
+ nullable: true + type: object + properties: + inputs: + additionalProperties: + nullable: true + type: object + package: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_package' + package_agent_version_condition: + type: string + policy_id: + deprecated: true + description: ID of the agent policy which the package policy will be added to. + nullable: true + type: string + policy_ids: + items: + description: IDs of the agent policies that the package policy will be added to. + type: string + maxItems: 1000 + type: array + revision: + description: Package policy revision. + type: number + secret_references: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 1000 + type: array + spaceIds: + items: + type: string + maxItems: 100 + type: array + supports_agentless: + default: false + description: Indicates whether the package policy belongs to an agentless agent policy. + nullable: true + type: boolean + supports_cloud_connector: + default: false + description: Indicates whether the package policy supports cloud connectors. + nullable: true + type: boolean + updated_at: + type: string + updated_by: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. 
+ type: object + vars: + anyOf: + - additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + - additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Package level variable. + version: + description: Package policy ES version. + type: string + required: + - name + - enabled + - inputs + - revision + - updated_at + - updated_by + - created_at + - created_by + title: package_policy_response + type: object + Kibana_HTTP_APIs_package_policy_status_response: + additionalProperties: false + properties: + body: + additionalProperties: false + type: object + properties: + message: + type: string + required: + - message + id: + type: string + name: + type: string + statusCode: + type: number + success: + type: boolean + required: + - id + - success + title: package_policy_status_response + type: object + Kibana_HTTP_APIs_percentileOperation: + additionalProperties: false + properties: + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - percentile + type: string + percentile: + default: 95 + description: Percentile + type: number + reduced_time_range: + description: Reduced time 
range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Percentile Operation + type: object + Kibana_HTTP_APIs_percentileRanksOperation: + additionalProperties: false + properties: + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - percentile_rank + type: string + rank: + default: 0 + description: Percentile Rank + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Percentile Ranks Operation + type: object + Kibana_HTTP_APIs_pieESQL: + additionalProperties: false + description: Pie chart configuration for ES|QL queries + properties: + data_source: + $ref: '#/components/schemas/Kibana_HTTP_APIs_esqlDataSource' + description: + type: string + drilldowns: + items: + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. 
+ type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. + type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + group_by: + description: Array of breakdown dimensions (minimum 1) + items: + additionalProperties: false + type: object + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + column: + description: Column to use + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + required: + - column + maxItems: 100 + minItems: 1 + type: array + hide_border: + type: boolean + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global 
filters when fetching data for this layer. Defaults to `false`. + type: boolean + legend: + $ref: '#/components/schemas/Kibana_HTTP_APIs_pieLegend' + metrics: + description: Array of metric configurations (minimum 1) + items: + additionalProperties: false + description: ES|QL column reference for primary metric + type: object + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + column: + description: Column to use + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + required: + - column + maxItems: 100 + minItems: 1 + type: array + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). + maximum: 1 + minimum: 0 + type: number + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_pieStyling' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + type: + enum: + - pie + type: string + required: + - type + - data_source + - metrics + title: Pie Chart (ES|QL) + type: object + Kibana_HTTP_APIs_pieGroupByDateHistogram: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + drop_partial_intervals: + description: When `true`, drops partial intervals from the results. + type: boolean + field: + description: Field to be used for the date histogram. + type: string + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. 
+ type: boolean + label: + description: Label for the operation + type: string + operation: + enum: + - date_histogram + type: string + suggested_interval: + default: auto + description: Suggested time interval. + type: string + use_original_time_range: + default: false + description: When `true`, uses the original time range instead of the current query time range. + type: boolean + required: + - operation + - field + title: Date Histogram Operation + type: object + Kibana_HTTP_APIs_pieGroupByFilters: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + filters: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterWithLabel' + maxItems: 100 + type: array + label: + description: Label for the operation + type: string + operation: + enum: + - filters + type: string + required: + - operation + - filters + title: Filters Operation + type: object + Kibana_HTTP_APIs_pieGroupByHistogram: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + field: + description: Field to be used for the histogram. + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + granularity: + anyOf: + - description: Granularity of the histogram. + maximum: 7 + minimum: 1 + type: number + - enum: + - auto + type: string + default: auto + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. 
+ type: boolean + label: + description: Label for the operation + type: string + operation: + enum: + - histogram + type: string + required: + - operation + - field + title: Histogram Operation + type: object + Kibana_HTTP_APIs_pieGroupByRanges: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + field: + description: Field to be used for the range. + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - range + type: string + ranges: + items: + additionalProperties: false + type: object + properties: + gt: + description: Greater than. + type: number + label: + description: Label. + type: string + lte: + description: Less than or equal to. + type: number + maxItems: 100 + type: array + required: + - operation + - field + - ranges + title: Ranges Operation + type: object + Kibana_HTTP_APIs_pieGroupByTerms: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + excludes: + additionalProperties: false + type: object + properties: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to exclude. + type: string + maxItems: 100 + type: array + required: + - values + fields: + items: + description: Fields to be used for the terms. + type: string + maxItems: 4 + minItems: 1 + type: array + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + includes: + additionalProperties: false + type: object + properties: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to include. 
+ type: string + maxItems: 100 + type: array + required: + - values + increase_accuracy: + description: When `true`, increases accuracy at the cost of performance. + type: boolean + label: + description: Label for the operation + type: string + limit: + default: 5 + description: Number of terms to return. + type: number + operation: + enum: + - terms + type: string + other_bucket: + additionalProperties: false + type: object + properties: + include_documents_without_field: + description: When `true`, includes documents that do not have the specified field. + type: boolean + required: + - include_documents_without_field + rank_by: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByAlphabetical' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByRare' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankBySignificant' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomCountOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileRankOperation' + required: + - operation + - fields + title: Terms Operation + type: object + Kibana_HTTP_APIs_pieLegend: + additionalProperties: false + description: Legend configuration for pie chart + properties: + nested: + description: Show nested legend with hierarchical breakdown levels + type: boolean + size: + $ref: '#/components/schemas/Kibana_HTTP_APIs_legendSize' + truncate_after_lines: + description: Number of lines before legend items are truncated. + maximum: 10 + minimum: 1 + title: legendTruncateAfterLines + type: number + visibility: + description: Legend visibility. 
+ enum: + - auto + - visible + - hidden + type: string + title: Legend + type: object + Kibana_HTTP_APIs_pieMetricCounterRate: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - counter_rate + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Counter Rate Operation + type: object + Kibana_HTTP_APIs_pieMetricCountMetric: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - operation + title: Count Metric Operation + type: object + Kibana_HTTP_APIs_pieMetricCumulativeSum: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - cumulative_sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Cumulative Sum Operation + type: object + Kibana_HTTP_APIs_pieMetricDifferences: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: 
'#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - differences + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - operation + - of + title: Differences Operation + type: object + Kibana_HTTP_APIs_pieMetricFormula: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + formula: + description: Formula + type: string + label: + description: Label for the operation + type: string + operation: + enum: + - formula + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + description: Time scale + enum: + - s + - m + - h + - d + type: string + required: + - operation + - formula + title: Formula Operation + type: object + Kibana_HTTP_APIs_pieMetricLastValue: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + multi_value: + default: false + description: Whether to return all values 
for multi-value fields. Only affects data table and metric charts; other charts use the last value from the array. + type: boolean + operation: + enum: + - last_value + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_field: + description: Time field used to determine document recency + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + - time_field + title: Last Value Operation + type: object + Kibana_HTTP_APIs_pieMetricMovingAverage: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - moving_average + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + window: + default: 5 + description: Window + type: number + required: + - operation + - of + title: Moving Average Operation + type: object + Kibana_HTTP_APIs_pieMetricPercentile: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + filter: + $ref: 
'#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - percentile + type: string + percentile: + default: 95 + description: Percentile + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Percentile Operation + type: object + Kibana_HTTP_APIs_pieMetricPercentileRanks: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - percentile_rank + type: string + rank: + default: 0 + description: Percentile Rank + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Percentile Ranks Operation + type: object + Kibana_HTTP_APIs_pieMetricStatsMetric: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + 
filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - min + - max + - average + - median + - standard_deviation + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Stats Metric Operation + type: object + Kibana_HTTP_APIs_pieMetricSumMetric: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Sum Metric Operation + type: object + Kibana_HTTP_APIs_pieMetricUniqueCountMetric: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - unique_count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Unique Count Metric Operation + type: object + Kibana_HTTP_APIs_pieNoESQL: + additionalProperties: false + description: Pie chart configuration for standard queries + properties: + data_source: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' + description: + type: string + drilldowns: + items: + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. 
+ type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + group_by: + description: Array of breakdown dimensions (minimum 1) + items: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieGroupByDateHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieGroupByTerms' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieGroupByHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieGroupByRanges' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieGroupByFilters' + maxItems: 100 + minItems: 1 + type: array + hide_border: + type: boolean + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. 
+ type: boolean + legend: + $ref: '#/components/schemas/Kibana_HTTP_APIs_pieLegend' + metrics: + description: Array of metric configurations (minimum 1) + items: + anyOf: + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieMetricCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieMetricUniqueCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieMetricStatsMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieMetricSumMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieMetricLastValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieMetricPercentile' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieMetricPercentileRanks' + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieMetricDifferences' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieMetricMovingAverage' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieMetricCumulativeSum' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieMetricCounterRate' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieMetricFormula' + maxItems: 100 + minItems: 1 + type: array + query: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). + maximum: 1 + minimum: 0 + type: number + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_pieStyling' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + type: + enum: + - pie + type: string + required: + - type + - data_source + - metrics + title: Pie Chart (DSL) + type: object + Kibana_HTTP_APIs_pieStyling: + additionalProperties: false + description: Visual chart styling options + properties: + donut_hole: + description: 'Donut hole size. Accepted values: `none` (full pie), `s`, `m`, `l`.' 
+ enum: + - none + - s + - m + - l + type: string + labels: + additionalProperties: false + description: Label configuration for pie chart slice labels inside or outside the pie + type: object + properties: + position: + description: 'Slice label position: `inside` or `outside`.' + enum: + - inside + - outside + type: string + visible: + description: When `true`, displays slice labels. + type: boolean + values: + $ref: '#/components/schemas/Kibana_HTTP_APIs_valueDisplay' + title: Pie chart styling + type: object + Kibana_HTTP_APIs_QueryStreamUpsertRequest: + additionalProperties: false + type: object + properties: + dashboards: + items: + type: string + type: array + queries: + items: + type: object + properties: + description: + type: string + esql: + type: object + properties: + query: + type: string + required: + - query + evidence: + items: + type: string + type: array + features: + items: + type: object + properties: + id: + type: string + run_id: + type: string + required: + - id + type: array + id: + description: A non-empty string. + minLength: 1 + type: string + severity_score: + type: number + title: + description: A non-empty string. 
+ minLength: 1 + type: string + type: + default: match + enum: + - match + - stats + type: string + required: + - id + - title + - description + - esql + type: array + rules: + items: + type: string + type: array + stream: + additionalProperties: false + type: object + properties: + description: + type: string + field_descriptions: + additionalProperties: + type: string + type: object + query: + additionalProperties: false + type: object + properties: + esql: + type: string + view: + type: string + required: + - view + - esql + query_streams: + items: + type: object + properties: + name: + type: string + required: + - name + type: array + type: + enum: + - query + type: string + required: + - description + - type + - query + required: + - dashboards + - rules + - queries + - stream + Kibana_HTTP_APIs_r_rule_response: + additionalProperties: false + properties: + byhour: + items: + description: Indicates hours of the day to recur. + type: number + nullable: true + type: array + byminute: + items: + description: Indicates minutes of the hour to recur. + type: number + nullable: true + type: array + bymonth: + items: + description: Indicates months of the year that this rule should recur. + type: number + nullable: true + type: array + bymonthday: + items: + description: Indicates the days of the month to recur. + type: number + nullable: true + type: array + bysecond: + items: + description: Indicates seconds of the day to recur. + type: number + nullable: true + type: array + bysetpos: + items: + description: A positive or negative integer affecting the nth day of the month. For example, -2 combined with `byweekday` of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use `byweekday`. + type: number + nullable: true + type: array + byweekday: + items: + anyOf: + - type: string + - type: number + description: Indicates the days of the week to recur or else nth-day-of-month strings. 
For example, "+2TU" second Tuesday of month, "-1FR" last Friday of the month, which are internally converted to a `byweekday/bysetpos` combination. + nullable: true + type: array + byweekno: + items: + description: Indicates number of the week hours to recur. + type: number + nullable: true + type: array + byyearday: + items: + description: Indicates the days of the year that this rule should recur. + type: number + nullable: true + type: array + count: + description: Number of times the rule should recur until it stops. + type: number + dtstart: + description: Rule start date in Coordinated Universal Time (UTC). + type: string + freq: + description: Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY. + enum: + - 0 + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + type: integer + interval: + description: Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks. + type: number + tzid: + description: Indicates timezone abbreviation. + type: string + until: + description: Recur the rule until this date. + type: string + wkst: + description: Indicates the start of week, defaults to Monday. 
+ enum: + - MO + - TU + - WE + - TH + - FR + - SA + - SU + type: string + required: + - dtstart + - tzid + title: r_rule_response + type: object + Kibana_HTTP_APIs_range_key: + additionalProperties: false + properties: + from: + anyOf: + - type: string + - type: number + ranges: + items: + additionalProperties: false + type: object + properties: + from: + anyOf: + - type: string + - type: number + label: + type: string + to: + anyOf: + - type: string + - type: number + required: + - from + - to + - label + maxItems: 100 + type: array + to: + anyOf: + - type: string + - type: number + type: + enum: + - range_key + type: string + required: + - type + - from + - to + - ranges + title: Range Key + type: object + Kibana_HTTP_APIs_rangesOperation: + additionalProperties: false + properties: + field: + description: Field to be used for the range. + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - range + type: string + ranges: + items: + additionalProperties: false + type: object + properties: + gt: + description: Greater than. + type: number + label: + description: Label. + type: string + lte: + description: Less than or equal to. 
+ type: number + maxItems: 100 + type: array + required: + - operation + - field + - ranges + title: Ranges Operation + type: object + Kibana_HTTP_APIs_reauthorize_transform_request: + additionalProperties: false + properties: + transforms: + items: + additionalProperties: false + type: object + properties: + transformId: + type: string + required: + - transformId + maxItems: 1000 + type: array + required: + - transforms + title: reauthorize_transform_request + type: object + Kibana_HTTP_APIs_RecursiveRecord: + additionalProperties: + anyOf: + - anyOf: + - type: string + - type: number + - type: boolean + - nullable: true + - {} + - items: + anyOf: + - type: string + - type: number + - type: boolean + - nullable: true + - {} + type: array + - items: {} + type: array + - $ref: '#/components/schemas/Kibana_HTTP_APIs_RecursiveRecord' + type: object + Kibana_HTTP_APIs_regionMapESQL: + additionalProperties: false + description: Region Map configuration using an ES|QL query, mapping metric values to geographic regions by color. + properties: + data_source: + $ref: '#/components/schemas/Kibana_HTTP_APIs_esqlDataSource' + description: + type: string + drilldowns: + items: + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. 
+ type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + hide_border: + type: boolean + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. 
+ type: boolean + metric: + additionalProperties: false + type: object + properties: + column: + description: Column to use + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + required: + - column + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + region: + additionalProperties: false + type: object + properties: + column: + description: Column to use + type: string + ems: + additionalProperties: false + type: object + properties: + boundaries: + description: EMS boundaries + type: string + join: + description: EMS join field + type: string + required: + - boundaries + - join + label: + description: Label for the operation + type: string + required: + - column + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). + maximum: 1 + minimum: 0 + type: number + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + type: + enum: + - region_map + type: string + required: + - type + - data_source + - metric + - region + title: Region Map (ES|QL) + type: object + Kibana_HTTP_APIs_regionMapNoESQL: + additionalProperties: false + description: Region Map configuration using a data view, mapping metric values to geographic regions by color. + properties: + data_source: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' + description: + type: string + drilldowns: + items: + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. 
+ type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. + type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + hide_border: + type: boolean + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. 
+ type: boolean + metric: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation or a mathematical formula. + title: Field Metric or Formula Operation + query: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + region: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_regionMapRegionDateHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_regionMapRegionTerms' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_regionMapRegionHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_regionMapRegionRanges' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_regionMapRegionFilters' + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). + maximum: 1 + minimum: 0 + type: number + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + type: + enum: + - region_map + type: string + required: + - type + - data_source + - metric + - region + title: Region Map (DSL) + type: object + Kibana_HTTP_APIs_regionMapRegionDateHistogram: + additionalProperties: false + properties: + drop_partial_intervals: + description: When `true`, drops partial intervals from the results. + type: boolean + ems: + additionalProperties: false + type: object + properties: + boundaries: + description: EMS boundaries + type: string + join: + description: EMS join field + type: string + required: + - boundaries + - join + field: + description: Field to be used for the date histogram. + type: string + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. 
+ type: boolean + label: + description: Label for the operation + type: string + operation: + enum: + - date_histogram + type: string + suggested_interval: + default: auto + description: Suggested time interval. + type: string + use_original_time_range: + default: false + description: When `true`, uses the original time range instead of the current query time range. + type: boolean + required: + - operation + - field + title: Date Histogram Operation + type: object + Kibana_HTTP_APIs_regionMapRegionFilters: + additionalProperties: false + properties: + ems: + additionalProperties: false + type: object + properties: + boundaries: + description: EMS boundaries + type: string + join: + description: EMS join field + type: string + required: + - boundaries + - join + filters: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterWithLabel' + maxItems: 100 + type: array + label: + description: Label for the operation + type: string + operation: + enum: + - filters + type: string + required: + - operation + - filters + title: Filters Operation + type: object + Kibana_HTTP_APIs_regionMapRegionHistogram: + additionalProperties: false + properties: + ems: + additionalProperties: false + type: object + properties: + boundaries: + description: EMS boundaries + type: string + join: + description: EMS join field + type: string + required: + - boundaries + - join + field: + description: Field to be used for the histogram. + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + granularity: + anyOf: + - description: Granularity of the histogram. + maximum: 7 + minimum: 1 + type: number + - enum: + - auto + type: string + default: auto + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. 
+ type: boolean + label: + description: Label for the operation + type: string + operation: + enum: + - histogram + type: string + required: + - operation + - field + title: Histogram Operation + type: object + Kibana_HTTP_APIs_regionMapRegionRanges: + additionalProperties: false + properties: + ems: + additionalProperties: false + type: object + properties: + boundaries: + description: EMS boundaries + type: string + join: + description: EMS join field + type: string + required: + - boundaries + - join + field: + description: Field to be used for the range. + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - range + type: string + ranges: + items: + additionalProperties: false + type: object + properties: + gt: + description: Greater than. + type: number + label: + description: Label. + type: string + lte: + description: Less than or equal to. + type: number + maxItems: 100 + type: array + required: + - operation + - field + - ranges + title: Ranges Operation + type: object + Kibana_HTTP_APIs_regionMapRegionTerms: + additionalProperties: false + properties: + ems: + additionalProperties: false + type: object + properties: + boundaries: + description: EMS boundaries + type: string + join: + description: EMS join field + type: string + required: + - boundaries + - join + excludes: + additionalProperties: false + type: object + properties: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to exclude. + type: string + maxItems: 100 + type: array + required: + - values + fields: + items: + description: Fields to be used for the terms. 
+ type: string + maxItems: 4 + minItems: 1 + type: array + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + includes: + additionalProperties: false + type: object + properties: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to include. + type: string + maxItems: 100 + type: array + required: + - values + increase_accuracy: + description: When `true`, increases accuracy at the cost of performance. + type: boolean + label: + description: Label for the operation + type: string + limit: + default: 5 + description: Number of terms to return. + type: number + operation: + enum: + - terms + type: string + other_bucket: + additionalProperties: false + type: object + properties: + include_documents_without_field: + description: When `true`, includes documents that do not have the specified field. + type: boolean + required: + - include_documents_without_field + rank_by: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByAlphabetical' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByRare' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankBySignificant' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomCountOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileRankOperation' + required: + - operation + - fields + title: Terms Operation + type: object + Kibana_HTTP_APIs_review_upgrade_request: + additionalProperties: false + properties: + action: + enum: + - accept + - decline + - pending + type: string + target_version: + type: string + required: + - action + - target_version + title: review_upgrade_request + type: object + Kibana_HTTP_APIs_review_upgrade_response: 
+ additionalProperties: false + properties: + success: + type: boolean + required: + - success + title: review_upgrade_response + type: object + Kibana_HTTP_APIs_rollback_package_response: + additionalProperties: false + properties: + success: + type: boolean + version: + type: string + required: + - version + - success + title: rollback_package_response + type: object + Kibana_HTTP_APIs_rule_action: + additionalProperties: false + properties: + alerts_filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_action_alerts_filter' + connector_type_id: + description: The type of connector. This property appears in responses but cannot be set in requests. + type: string + frequency: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_action_frequency' + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: + nullable: true + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + - connector_type_id + - params + title: rule_action + type: object + Kibana_HTTP_APIs_rule_action_alerts_filter: + additionalProperties: false + description: Defines a period that limits whether the action runs. 
+ properties: + query: + $ref: '#/components/schemas/Kibana_HTTP_APIs_alerts_filter_query' + timeframe: + additionalProperties: false + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). + type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + title: rule_action_alerts_filter + type: object + Kibana_HTTP_APIs_rule_action_frequency: + additionalProperties: false + properties: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. 
+ type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if ''notify_when'' is set to ''onThrottleInterval''. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - summary + - notify_when + - throttle + title: rule_action_frequency + type: object + Kibana_HTTP_APIs_rule_alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + title: rule_alert_delay + type: object + Kibana_HTTP_APIs_rule_artifacts: + additionalProperties: false + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + description: User-created content that describes alert causes and remdiation. + type: string + required: + - blob + title: rule_artifacts + type: object + Kibana_HTTP_APIs_rule_execution_status: + additionalProperties: false + properties: + error: + additionalProperties: false + type: object + properties: + message: + description: Error message. + type: string + reason: + description: Reason for error. + enum: + - read + - decrypt + - execute + - unknown + - license + - timeout + - disabled + - validate + type: string + required: + - reason + - message + last_duration: + description: Duration of last execution of the rule. 
+ type: number + last_execution_date: + description: The date and time when rule was executed last. + type: string + status: + description: Status of rule execution. + enum: + - ok + - active + - error + - warning + - pending + - unknown + type: string + warning: + additionalProperties: false + type: object + properties: + message: + description: Warning message. + type: string + reason: + description: Reason for warning. + enum: + - maxExecutableActions + - maxAlerts + - maxQueuedActions + - ruleExecution + type: string + required: + - reason + - message + required: + - status + - last_execution_date + title: rule_execution_status + type: object + Kibana_HTTP_APIs_rule_flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. + maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + title: rule_flapping + type: object + Kibana_HTTP_APIs_rule_interval_schedule: + additionalProperties: false + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + title: rule_interval_schedule + type: object + Kibana_HTTP_APIs_rule_last_run: + additionalProperties: false + properties: + alerts_count: + additionalProperties: false + type: object + properties: + active: + description: Number of active alerts during last run. 
+ nullable: true + type: number + ignored: + description: Number of ignored alerts during last run. + nullable: true + type: number + new: + description: Number of new alerts during last run. + nullable: true + type: number + recovered: + description: Number of recovered alerts during last run. + nullable: true + type: number + outcome: + description: Outcome of last run of the rule. Value could be succeeded, warning or failed. + enum: + - succeeded + - warning + - failed + type: string + outcome_msg: + items: + description: Outcome message generated during last rule run. + type: string + nullable: true + type: array + outcome_order: + description: Order of the outcome. + type: number + warning: + description: Warning of last rule execution. + enum: + - read + - decrypt + - execute + - unknown + - license + - timeout + - disabled + - validate + - maxExecutableActions + - maxAlerts + - maxQueuedActions + - ruleExecution + nullable: true + type: string + required: + - outcome + - alerts_count + title: rule_last_run + type: object + Kibana_HTTP_APIs_rule_monitoring: + additionalProperties: false + description: Monitoring details of the rule. + properties: + run: + additionalProperties: false + description: Rule run details. + type: object + properties: + calculated_metrics: + additionalProperties: false + description: Calculation of different percentiles and success ratio. + type: object + properties: + p50: + type: number + p95: + type: number + p99: + type: number + success_ratio: + type: number + required: + - success_ratio + history: + description: History of the rule run. + items: + additionalProperties: false + type: object + properties: + duration: + description: Duration of the rule run. + type: number + outcome: + description: Outcome of last run of the rule. Value could be succeeded, warning or failed. + enum: + - succeeded + - warning + - failed + type: string + success: + description: Indicates whether the rule run was successful. 
+ type: boolean + timestamp: + description: Time of rule run. + type: number + required: + - success + - timestamp + type: array + last_run: + additionalProperties: false + type: object + properties: + metrics: + additionalProperties: false + type: object + properties: + duration: + description: Duration of most recent rule run. + type: number + gap_duration_s: + description: Duration in seconds of rule run gap. + nullable: true + type: number + gap_range: + additionalProperties: false + nullable: true + type: object + properties: + gte: + description: End of the gap range. + type: string + lte: + description: Start of the gap range. + type: string + required: + - lte + - gte + total_alerts_created: + description: Total number of alerts created during last rule run. + nullable: true + type: number + total_alerts_detected: + description: Total number of alerts detected during last rule run. + nullable: true + type: number + total_indexing_duration_ms: + description: Total time spent indexing documents during last rule run in milliseconds. + nullable: true + type: number + total_search_duration_ms: + description: Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response. + nullable: true + type: number + timestamp: + description: Time of the most recent rule run. + type: string + required: + - timestamp + - metrics + required: + - history + - calculated_metrics + - last_run + required: + - run + title: rule_monitoring + type: object + Kibana_HTTP_APIs_rule_response: + additionalProperties: false + properties: + actions: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_action' + type: array + active_snoozes: + items: + description: List of active snoozes for the rule. 
+ type: string + type: array + alert_delay: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_alert_delay' + api_key_created_by_user: + description: Indicates whether the API key that is associated with the rule was created by the user. + nullable: true + type: boolean + api_key_owner: + description: The owner of the API key that is associated with the rule and used to run background tasks. + nullable: true + type: string + artifacts: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_artifacts' + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + created_at: + description: The date and time that the rule was created. + type: string + created_by: + description: The identifier for the user that created the rule. + nullable: true + type: string + enabled: + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + execution_status: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_execution_status' + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + id: + description: The identifier for the rule. + type: string + is_snoozed_until: + description: The date when the rule will no longer be snoozed. + nullable: true + type: string + last_run: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_last_run' + nullable: true + mapped_params: + additionalProperties: + nullable: true + type: object + monitoring: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_monitoring' + mute_all: + description: Indicates whether all alerts are muted. + type: boolean + muted_alert_ids: + items: + description: 'List of identifiers of muted alerts. ' + type: string + type: array + name: + description: ' The name of the rule.' 
+ type: string
+ next_run:
+ description: Date and time of the next run of the rule.
+ nullable: true
+ type: string
+ notify_when:
+ description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
+ enum:
+ - onActionGroupChange
+ - onActiveAlert
+ - onThrottleInterval
+ nullable: true
+ type: string
+ params:
+ additionalProperties:
+ nullable: true
+ description: The parameters for the rule.
+ type: object
+ revision:
+ description: The rule revision number.
+ type: number
+ rule_type_id:
+ description: The rule type identifier.
+ type: string
+ running:
+ description: Indicates whether the rule is running.
+ nullable: true
+ type: boolean
+ schedule:
+ $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_interval_schedule'
+ scheduled_task_id:
+ description: Identifier of the scheduled task.
+ type: string
+ snooze_schedule:
+ items:
+ $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_snooze_schedule'
+ type: array
+ tags:
+ items:
+ description: The tags for the rule.
+ type: string
+ type: array
+ throttle:
+ deprecated: true
+ description: 'Deprecated in 8.13.0. Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level.
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + updated_at: + description: The date and time that the rule was updated most recently. + type: string + updated_by: + description: The identifier for the user that updated this rule most recently. + nullable: true + type: string + view_in_app_relative_url: + description: Relative URL to view rule in the app. + nullable: true + type: string + required: + - id + - enabled + - name + - tags + - rule_type_id + - consumer + - schedule + - actions + - params + - created_by + - updated_by + - created_at + - updated_at + - api_key_owner + - mute_all + - muted_alert_ids + - execution_status + - revision + title: rule_response type: object + Kibana_HTTP_APIs_rule_snooze_schedule: + additionalProperties: false properties: - error: - description: Error type - example: Not Found + duration: + description: Duration of the rule snooze schedule. + type: number + id: + description: Identifier of the rule snooze schedule. type: string - message: - description: Error message - example: Not Found + rRule: + $ref: '#/components/schemas/Kibana_HTTP_APIs_r_rule_response' + skipRecurrences: + items: + description: Skips recurrence of rule on this date. + type: string + type: array + required: + - duration + - rRule + title: rule_snooze_schedule + type: object + Kibana_HTTP_APIs_schedule_request: + additionalProperties: false + properties: + duration: + description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' + type: string + recurring: + additionalProperties: false + type: object + properties: + end: + description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' 
+ type: string
+ every:
+ description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.'
+ type: string
+ occurrences:
+ description: The total number of recurrences of the schedule.
+ minimum: 1
+ type: number
+ onMonth:
+ description: The specific months for a recurring schedule. Valid values are 1-12.
+ items:
+ maximum: 12
+ minimum: 1
+ type: number
+ minItems: 1
+ type: array
+ onMonthDay:
+ description: The specific days of the month for a recurring schedule. Valid values are 1-31.
+ items:
+ maximum: 31
+ minimum: 1
+ type: number
+ minItems: 1
+ type: array
+ onWeekDay:
+ description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule.
+ items:
+ type: string
+ minItems: 1
+ type: array
+ start:
+ description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.'
+ type: string
+ timezone:
+ description: The timezone of the schedule. The default timezone is UTC.
+ type: string
+ required:
+ - start
+ - duration
+ title: schedule_request
+ type: object
+ Kibana_HTTP_APIs_security_bulk_create_or_update_roles_response:
+ additionalProperties: false
+ description: The response payload for the bulk create-or-update roles API.
+ properties:
+ created:
+ items:
+ description: The name of a role that was created.
+ type: string
+ type: array
+ errors:
+ additionalProperties:
+ $ref: '#/components/schemas/Kibana_HTTP_APIs_security_bulk_roles_error_detail'
+ type: object
+ noop:
+ items:
+ description: The name of a role that was unchanged by the request.
+ type: string
+ type: array
+ updated:
+ items:
+ description: The name of a role that was updated.
+ type: string
+ type: array
+ title: security_bulk_create_or_update_roles_response
+ type: object
+ Kibana_HTTP_APIs_security_bulk_roles_error_detail:
+ additionalProperties: false
+ description: Error information for a single role in a bulk create-or-update request.
+ properties:
+ reason:
+ description: A human readable error reason.
+ type: string
+ type:
+ description: The error type.
+ type: string
+ required:
+ - type
+ - reason
+ title: security_bulk_roles_error_detail
+ type: object
+ Kibana_HTTP_APIs_security_query_roles_body:
+ additionalProperties: false
+ description: The request body for querying roles.
+ properties:
+ filters:
+ $ref: '#/components/schemas/Kibana_HTTP_APIs_security_query_roles_filters'
+ from:
+ type: number
+ query:
+ type: string
+ size:
+ type: number
+ sort:
+ $ref: '#/components/schemas/Kibana_HTTP_APIs_security_query_roles_sort'
+ title: security_query_roles_body
+ type: object
+ Kibana_HTTP_APIs_security_query_roles_filters:
+ additionalProperties: false
+ description: The filter criteria for the query.
+ properties:
+ showReservedRoles:
+ type: boolean
+ title: security_query_roles_filters
+ type: object
+ Kibana_HTTP_APIs_security_query_roles_response:
+ additionalProperties: false
+ description: The response payload for a roles query.
+ properties:
+ count:
+ description: The number of roles returned in this response page.
+ type: number
+ roles:
+ items:
+ $ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_response'
+ type: array
+ total:
+ description: The total number of roles that match the query.
+ type: number
+ required:
+ - roles
+ - count
+ - total
+ title: security_query_roles_response
+ type: object
+ Kibana_HTTP_APIs_security_query_roles_sort:
+ additionalProperties: false
+ description: The sort criteria for the query.
+ properties:
+ direction:
+ enum:
+ - asc
+ - desc
+ type: string
+ field:
+ type: string
+ required:
+ - field
+ - direction
+ title: security_query_roles_sort
+ type: object
+ Kibana_HTTP_APIs_security_role_elasticsearch:
+ additionalProperties: false
+ description: The Elasticsearch cluster, index, and remote cluster security privileges for the role.
+ properties:
+ cluster:
+ items:
+ description: Cluster privileges that define the cluster level actions that users can perform.
+ type: string
+ maxItems: 100
+ type: array
+ indices:
+ items:
+ $ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_indices_privileges'
+ maxItems: 1000
+ type: array
+ remote_cluster:
+ items:
+ $ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_remote_cluster_privileges'
+ maxItems: 100
+ type: array
+ remote_indices:
+ items:
+ $ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_remote_indices_privileges'
+ maxItems: 1000
+ type: array
+ run_as:
+ items:
+ description: A username that members of this role can impersonate.
+ type: string
+ maxItems: 100
+ type: array
+ title: security_role_elasticsearch
+ type: object
+ Kibana_HTTP_APIs_security_role_indices_privileges:
+ additionalProperties: false
+ description: The indices privileges entry.
+ properties:
+ allow_restricted_indices:
+ description: Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field covers the restricted indices too.
+ type: boolean
+ field_security:
+ additionalProperties:
+ items:
+ description: The document fields that the role members have read access to.
+ type: string
+ maxItems: 1000
+ type: array
+ type: object
+ names:
+ items:
+ description: The data streams, indices, and aliases to which the permissions in this entry apply. It supports wildcards (*).
+ type: string
+ maxItems: 100
+ minItems: 1
+ type: array
+ privileges:
+ items:
+ description: The index level privileges that the role members have for the data streams and indices.
+ type: string
+ maxItems: 100
+ minItems: 1
+ type: array
+ query:
+ description: A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members.
+ type: string
+ required:
+ - names
+ - privileges
+ title: security_role_indices_privileges
+ type: object
+ Kibana_HTTP_APIs_security_role_kibana_application:
+ additionalProperties: false
+ description: A raw Elasticsearch application privilege entry tied to Kibana.
+ properties:
+ application:
+ type: string
+ privileges:
+ items:
+ type: string
+ type: array
+ resources:
+ items:
+ type: string
+ type: array
+ required:
+ - application
+ - privileges
+ - resources
+ title: security_role_kibana_application
+ type: object
+ Kibana_HTTP_APIs_security_role_kibana_privilege:
+ additionalProperties: false
+ description: The Kibana privilege entry for the role.
+ properties:
+ base:
+ anyOf:
+ - items: {}
+ type: array
+ - type: boolean
+ - type: number
+ - type: object
+ - type: string
+ nullable: true
+ oneOf:
+ - items:
+ description: A base privilege that grants applies to all spaces.
+ type: string
+ maxItems: 50
+ type: array
+ - items:
+ description: A base privilege that applies to specific spaces.
+ type: string
+ maxItems: 50
+ type: array
+ feature:
+ additionalProperties:
+ items:
+ description: The privileges that the role member has for the feature.
+ type: string
+ maxItems: 100
+ type: array
+ type: object
+ spaces:
+ anyOf:
+ - items:
+ enum:
+ - '*'
+ type: string
+ maxItems: 1
+ minItems: 1
+ type: array
+ - items:
+ description: A space that the privilege applies to.
+ type: string
+ maxItems: 1000
+ type: array
+ default:
+ - '*'
+ required:
+ - base
+ title: security_role_kibana_privilege
+ type: object
+ Kibana_HTTP_APIs_security_role_kibana_privilege_response:
+ additionalProperties: false
+ description: A Kibana privilege entry returned for a role.
+ properties:
+ _reserved:
+ items:
+ description: A reserved Kibana privilege granted globally.
+ type: string
+ type: array
+ base:
+ items:
+ description: A base Kibana privilege.
+ type: string
+ type: array
+ feature:
+ additionalProperties:
+ items:
+ description: A privilege the role member has for the feature.
+ type: string
+ type: array
+ type: object
+ spaces:
+ items:
+ description: A space that the privilege applies to. The wildcard `*` indicates all spaces.
+ type: string
+ type: array
+ required:
+ - spaces
+ - base
+ - feature
+ title: security_role_kibana_privilege_response
+ type: object
+ Kibana_HTTP_APIs_security_role_put_payload:
+ additionalProperties: false
+ description: The role definition to create or update.
+ properties:
+ description:
+ description: A description for the role.
+ maxLength: 2048
+ type: string
+ elasticsearch:
+ $ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_elasticsearch'
+ kibana:
+ items:
+ $ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_kibana_privilege'
+ type: array
+ metadata:
+ additionalProperties:
+ nullable: true
+ type: object
+ required:
+ - elasticsearch
+ title: security_role_put_payload
+ type: object
+ Kibana_HTTP_APIs_security_role_remote_cluster_privileges:
+ additionalProperties: false
+ description: The remote cluster privileges entry.
+ properties:
+ clusters:
+ items:
+ description: A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions.
+ type: string
+ maxItems: 100
+ minItems: 1
+ type: array
+ privileges:
+ items:
+ description: The cluster level privileges for the remote cluster. The allowed values are a subset of the cluster privileges.
+ type: string
+ maxItems: 100
+ minItems: 1
+ type: array
+ required:
+ - privileges
+ - clusters
+ title: security_role_remote_cluster_privileges
+ type: object
+ Kibana_HTTP_APIs_security_role_remote_indices_privileges:
+ additionalProperties: false
+ description: The remote indices privileges entry.
+ properties:
+ allow_restricted_indices:
+ description: Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field will cover the restricted indices too.
+ type: boolean
+ clusters:
+ items:
+ description: A list of remote cluster aliases.
It supports literal strings as well as wildcards and regular expressions.
+ type: string
+ maxItems: 100
+ minItems: 1
+ type: array
+ field_security:
+ additionalProperties:
+ items:
+ description: The document fields that the role members have read access to.
+ type: string
+ maxItems: 1000
+ type: array
+ type: object
+ names:
+ items:
+ description: A list of remote aliases, data streams, or indices to which the permissions apply. It supports wildcards (*).
+ type: string
+ maxItems: 100
+ minItems: 1
+ type: array
+ privileges:
+ items:
+ description: The index level privileges that role members have for the specified indices.
+ type: string
+ maxItems: 100
+ minItems: 1
+ type: array
+ query:
+ description: 'A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members. '
+ type: string
+ required:
+ - clusters
+ - names
+ - privileges
+ title: security_role_remote_indices_privileges
+ type: object
+ Kibana_HTTP_APIs_security_role_response:
+ additionalProperties: false
+ description: A Kibana role definition returned by the Roles API.
+ properties:
+ _transform_error:
+ items:
+ $ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_transform_error'
+ type: array
+ _unrecognized_applications:
+ items:
+ description: Application names found on the role that are not recognized by Kibana.
+ type: string
+ type: array
+ description:
+ description: A description for the role.
+ type: string
+ elasticsearch:
+ $ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_elasticsearch'
+ kibana:
+ items:
+ $ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_kibana_privilege_response'
+ type: array
+ metadata:
+ additionalProperties:
+ nullable: true
+ type: object
+ name:
+ description: The role name.
+ type: string
+ transient_metadata:
+ additionalProperties:
+ nullable: true
+ type: object
+ required:
+ - name
+ - elasticsearch
+ - kibana
+ title: security_role_response
+ type: object
+ Kibana_HTTP_APIs_security_role_transform_error:
+ additionalProperties: false
+ description: Diagnostic information about a role whose Kibana privileges could not be transformed.
+ properties:
+ reason:
+ description: The reason the role could not be fully transformed.
+ type: string
+ state:
+ items:
+ $ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_kibana_application'
+ type: array
+ required:
+ - reason
+ title: security_role_transform_error
+ type: object
+ Kibana_HTTP_APIs_security_roles_bulk_create_or_update_payload:
+ additionalProperties: false
+ description: The request body for bulk creating or updating roles.
+ properties:
+ roles:
+ additionalProperties:
+ $ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_put_payload'
+ type: object
+ required:
+ - roles
+ title: security_roles_bulk_create_or_update_payload
+ type: object
+ Kibana_HTTP_APIs_simplified_create_package_policy_request:
+ additionalProperties: false
+ properties:
+ additional_datastreams_permissions:
+ description: Additional data stream permissions that will be added to the agent policy.
+ items:
+ type: string
+ maxItems: 100
+ nullable: true
+ type: array
+ cloud_connector:
+ additionalProperties: false
+ type: object
+ properties:
+ cloud_connector_id:
+ description: ID of an existing cloud connector to reuse. If not provided, a new connector will be created.
+ type: string
+ enabled:
+ default: false
+ description: Whether cloud connectors are enabled for this policy.
+ type: boolean
+ name:
+ description: Optional name for the cloud connector. If not provided, will be auto-generated from credentials.
+ maxLength: 255
+ minLength: 1
+ type: string
+ target_csp:
+ description: Target cloud service provider. If not provided, will be auto-detected from inputs.
+ enum:
+ - aws
+ - azure
+ - gcp
+ type: string
+ condition:
+ description: '**Experimental.** Agent condition expression to evaluate whether to apply this integration to its inputs.'
+ type: string
+ description:
+ description: Policy description.
+ type: string
+ force:
+ description: Force package policy creation even if the package is not verified, or if the agent policy is managed.
+ type: boolean
+ global_data_tags:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ name:
+ description: The name of the custom field. Cannot contain spaces.
+ type: string
+ value:
+ anyOf:
+ - type: string
+ - type: number
+ description: The value of the custom field.
+ required:
+ - name
+ - value
+ maxItems: 100
+ type: array
+ id:
+ description: Policy unique identifier.
+ type: string
+ inputs:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ condition:
+ description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.'
+ type: string
+ deprecated:
+ $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info'
+ enabled:
+ description: Enable or disable that input. Defaults to `true` (enabled).
+ type: boolean
+ streams:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ condition:
+ description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.'
+ type: string
+ deprecated:
+ $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info'
+ enabled:
+ description: Enable or disable that stream. Defaults to `true` (enabled).
+ type: boolean
+ var_group_selections:
+ additionalProperties:
+ type: string
+ description: Variable group selections. Maps var_group name to the selected option name within that group.
+ type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Input streams. Refer to the integration documentation to know which streams are available. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Package policy inputs. Refer to the integration documentation to know which inputs are available. + type: object + name: + description: Unique name for the policy. type: string - statusCode: - description: Error status code - example: 400 - type: number - APM_UI_401_response: - type: object - properties: - error: - description: Error type - example: Unauthorized + namespace: + description: Policy namespace. When not specified, it inherits the agent policy namespace. type: string - message: - description: Error message + package: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_package' + policy_template: + description: The policy template to use for the agentless package policy. If not provided, the default policy template will be used. 
type: string - statusCode: - description: Error status code - example: 401 - type: number - APM_UI_403_response: + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + required: + - name + - package + title: simplified_create_package_policy_request type: object + Kibana_HTTP_APIs_slo-alerts-embeddable: + additionalProperties: false + description: SLO Alerts embeddable schema properties: - error: - description: Error type - example: Forbidden + description: type: string - message: - description: Error message + drilldowns: + items: + additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_open_panel_menu + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. 
Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + hide_border: + type: boolean + hide_title: + type: boolean + slos: + default: [] + description: List of SLOs to display alerts for + items: + additionalProperties: false + type: object + properties: + slo_id: + description: SLO ID + type: string + slo_instance_id: + default: '*' + description: SLO instance ID + type: string + required: + - slo_id + maxItems: 100 + type: array + title: type: string - statusCode: - description: Error status code - example: 403 - type: number - APM_UI_404_response: + title: slo-alerts-embeddable type: object + Kibana_HTTP_APIs_slo-burn-rate-embeddable: + additionalProperties: false + description: SLO Burn Rate embeddable schema properties: - error: - description: Error type - example: Not Found + description: type: string - message: - description: Error message - example: Not Found + drilldowns: + items: + additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_open_panel_menu + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + duration: + description: Duration for the burn rate chart in the format [value][unit], e.g. 
5m, 3h, or 6d type: string - statusCode: - description: Error status code - example: 404 - type: number - APM_UI_500_response: - type: object - properties: - error: - description: Error type - example: Internal Server Error + hide_border: + type: boolean + hide_title: + type: boolean + slo_id: + description: The ID of the SLO to display the burn rate for type: string - message: - description: Error message + slo_instance_id: + default: '*' + description: ID of the SLO instance. Set when the SLO uses group_by; identifies which instance to show. Defaults to * (all instances). type: string - statusCode: - description: Error status code - example: 500 - type: number - APM_UI_501_response: + title: + type: string + required: + - slo_id + - duration + title: slo-burn-rate-embeddable type: object + Kibana_HTTP_APIs_slo-error-budget-embeddable: + additionalProperties: false + description: SLO Error Budget embeddable schema properties: - error: - description: Error type - example: Not Implemented + description: type: string - message: - description: Error message - example: Not Implemented + drilldowns: + items: + additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_open_panel_menu + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. 
Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + hide_border: + type: boolean + hide_title: + type: boolean + slo_id: + description: The ID of the SLO to display the error budget for type: string - statusCode: - description: Error status code - example: 501 - type: number - APM_UI_agent_configuration_intake_object: - type: object - properties: - agent_name: - description: >- - The agent name is used by the UI to determine which settings to - display. + slo_instance_id: + default: '*' + description: ID of the SLO instance. Set when the SLO uses group_by; identifies which instance to show. Defaults to * (all instances). + type: string + title: type: string - service: - $ref: '#/components/schemas/APM_UI_service_object' - settings: - $ref: '#/components/schemas/APM_UI_settings_object' required: - - service - - settings - APM_UI_agent_configuration_object: - description: Agent configuration + - slo_id + title: slo-error-budget-embeddable type: object + Kibana_HTTP_APIs_slo-group-overview-embeddable: + additionalProperties: false + description: SLO Group Overview embeddable schema properties: - '@timestamp': - description: Timestamp - example: 1730194190636 - type: number - agent_name: - description: Agent name + description: type: string - applied_by_agent: - description: Applied by agent - example: true + drilldowns: + items: + additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_open_panel_menu + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. 
Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + group_filters: + additionalProperties: false + default: + group_by: status + type: object + properties: + filters: + items: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeConditionFilterSchema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeGroupFilterSchema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeDSLFilterSchema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeSpatialFilterSchema' + description: A filter applied to query results. Can be a field condition (`condition`), a logical group of conditions (`group`), a raw Elasticsearch DSL query (`dsl`), or a geo spatial query (`spatial`). + maxItems: 500 + type: array + group_by: + default: status + enum: + - slo.tags + - status + - slo.indicator.type + - _index + type: string + groups: + items: + type: string + maxItems: 100 + type: array + kql_query: + type: string + hide_border: type: boolean - etag: - description: > - `etag` is sent by the APM agent to indicate the `etag` of the last - successfully applied configuration. If the `etag` matches an - existing configuration its `applied_by_agent` property will be set - to `true`. Every time a configuration is edited `applied_by_agent` - is reset to `false`. 
- example: 0bc3b5ebf18fba8163fe4c96f491e3767a358f85 + hide_title: + type: boolean + overview_mode: + enum: + - groups + type: string + title: type: string - service: - $ref: '#/components/schemas/APM_UI_service_object' - settings: - $ref: '#/components/schemas/APM_UI_settings_object' required: - - service - - settings - - '@timestamp' - - etag - APM_UI_agent_configurations_response: + - overview_mode + title: slo-group-overview-embeddable type: object + Kibana_HTTP_APIs_slo-rules-burnrate-create-rule-body-alerting: + additionalProperties: false properties: - configurations: - description: Agent configuration + actions: + default: [] items: - $ref: '#/components/schemas/APM_UI_agent_configuration_object' + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' type: array - APM_UI_agent_keys_object: - type: object - properties: + alert_delay: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_alert_delay' + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true name: - description: The name of the APM agent key. + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. 
type: string - privileges: - description: > - The APM agent key privileges. It can take one or more of the - following values: - - * `event:write`, which is required for ingesting APM agent events. * - `config_agent:read`, which is required for APM agents to read agent - configuration remotely. + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the slo burn rate rule. These parameters are appropriate when `rule_type_id` is `slo.rules.burnRate`. 
+ properties: + dependencies: + items: + additionalProperties: false + type: object + properties: + actionGroupsToSuppressOn: + items: + type: string + type: array + ruleId: + type: string + required: + - ruleId + - actionGroupsToSuppressOn + type: array + sloId: + type: string + windows: + items: + additionalProperties: false + type: object + properties: + actionGroup: + type: string + burnRateThreshold: + type: number + id: + type: string + longWindow: + additionalProperties: false + type: object + properties: + unit: + type: string + value: + type: number + required: + - value + - unit + maxBurnRateThreshold: + nullable: true + type: number + shortWindow: + additionalProperties: false + type: object + properties: + unit: + type: string + value: + type: number + required: + - value + - unit + required: + - id + - burnRateThreshold + - maxBurnRateThreshold + - longWindow + - shortWindow + - actionGroup + type: array + required: + - sloId + - windows + title: SLO Burn Rate Rule Params + type: object + rule_type_id: + enum: + - slo.rules.burnRate + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. items: - enum: - - event:write - - config_agent:read type: string type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string required: - name - - privileges - APM_UI_agent_keys_response: - type: object - properties: - agentKey: - description: Agent key - type: object - properties: - api_key: - type: string - encoded: - type: string - expiration: - format: int64 - type: integer - id: - type: string - name: - type: string - required: - - id - - name - - api_key - - encoded - APM_UI_annotation_search_response: + - consumer + - schedule + - rule_type_id + - params + title: SLO burn rate type: object + Kibana_HTTP_APIs_slo-single-overview-embeddable: + additionalProperties: false + description: SLO Single Overview embeddable schema properties: - annotations: - description: Annotations + description: + type: string + drilldowns: items: - type: object + additionalProperties: false properties: - '@timestamp': - type: number - id: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: type: string - text: + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_open_panel_menu type: string type: enum: - - version + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 type: array - APM_UI_base_source_map_object: + hide_border: + type: boolean + hide_title: + type: boolean + overview_mode: + enum: + - single + type: string + remote_name: + description: The name of the remote SLO + type: string + slo_id: + description: The ID of the SLO + type: string + slo_instance_id: + default: '*' + description: ID of the SLO instance. Set when the SLO uses group_by; identifies which instance to show. Defaults to * (all instances). 
+ type: string + title: + type: string + required: + - slo_id + - overview_mode + title: slo-single-overview-embeddable type: object + Kibana_HTTP_APIs_staticColor: + additionalProperties: false + description: Fixed color for all values in the dimension. properties: - compressionAlgorithm: - description: Compression Algorithm + color: + description: The static color to be used for all values. type: string - created: - description: Created date + type: + enum: + - static type: string - decodedSha256: - description: Decoded SHA-256 + required: + - type + - color + title: Static Color + type: object + Kibana_HTTP_APIs_staticOperationDefinition: + additionalProperties: false + properties: + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string - decodedSize: - description: Decoded size - type: number - encodedSha256: - description: Encoded SHA-256 + operation: + enum: + - static_value type: string - encodedSize: - description: Encoded size + value: + default: 100 + description: Static value type: number - encryptionAlgorithm: - description: Encryption Algorithm + required: + - operation + title: Static Operation Definition + type: object + Kibana_HTTP_APIs_StreamlangConditionBlock: + additionalProperties: false + type: object + properties: + condition: + $ref: '#/components/schemas/Kibana_HTTP_APIs_ConditionWithSteps' + customIdentifier: type: string - id: - description: Identifier + required: + - condition + Kibana_HTTP_APIs_StreamlangStep: + anyOf: + - anyOf: + - additionalProperties: false + description: Grok processor - Extract fields from text using grok patterns + type: object + properties: + action: + enum: + - grok + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + description: Source field to parse 
with grok patterns + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + description: Skip processing when source field is missing + type: boolean + pattern_definitions: + additionalProperties: + type: string + type: object + patterns: + description: Grok patterns applied in order to extract fields + items: + description: A non-empty string. + minLength: 1 + type: string + minItems: 1 + type: array + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - patterns + - additionalProperties: false + description: Dissect processor - Extract fields from text using a lightweight, delimiter-based parser + type: object + properties: + action: + enum: + - dissect + type: string + append_separator: + description: Separator inserted when target fields are concatenated + minLength: 1 + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + description: Source field to parse with dissect pattern + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + description: Skip processing when source field is missing + type: boolean + pattern: + description: Dissect pattern describing field boundaries + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - pattern + - additionalProperties: false + description: Date processor - Parse dates from strings using one or more expected formats + type: object + properties: + action: + enum: + - date + 
type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + formats: + description: Accepted input date formats, tried in order + items: + description: A non-empty string. + minLength: 1 + type: string + type: array + from: + description: Source field containing the date/time text + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + locale: + description: Optional locale for date parsing + minLength: 1 + type: string + output_format: + description: Optional output format for storing the parsed date as text + minLength: 1 + type: string + timezone: + description: Optional timezone for date parsing + minLength: 1 + type: string + to: + description: Target field for the parsed date (defaults to source) + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - formats + - additionalProperties: false + type: object + properties: + action: + enum: + - drop_document + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - additionalProperties: false + type: object + properties: + action: + enum: + - math + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + 
type: string + description: + description: Human-readable notes about this processor step + type: string + expression: + description: A non-empty string. + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + type: boolean + to: + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - expression + - to + - additionalProperties: false + description: Rename processor - Change a field name and optionally its location + type: object + properties: + action: + enum: + - rename + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + description: Existing source field to rename or move + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + description: Skip when source field is missing + type: boolean + override: + description: Allow overwriting the target field if it already exists + type: boolean + to: + description: New field name or destination path + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - to + - additionalProperties: false + description: Set processor - Assign a literal or copied value to a field (mutually exclusive inputs) + type: object + properties: + action: + enum: + - set + type: string + copy_from: + description: Copy value from another field instead of providing a literal + minLength: 1 + type: string + customIdentifier: + description: Custom identifier to correlate this 
processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + override: + description: Allow overwriting an existing target field + type: boolean + to: + description: Target field to set or create + minLength: 1 + type: string + value: + description: Literal value to assign to the target field + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - to + - additionalProperties: false + description: Append processor - Append one or more values to an existing or new array field + type: object + properties: + action: + enum: + - append + type: string + allow_duplicates: + description: If true, do not deduplicate appended values + type: boolean + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + to: + description: Array field to append values to + minLength: 1 + type: string + value: + description: Values to append (must be literal, no templates) + items: {} + minItems: 1 + type: array + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - to + - value + - additionalProperties: false + description: Remove by prefix processor - Remove a field and all nested fields matching the prefix + type: object + properties: + action: + enum: + - remove_by_prefix + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + 
description: + description: Human-readable notes about this processor step + type: string + from: + description: Field to remove along with all its nested fields + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + required: + - action + - from + - additionalProperties: false + description: Remove processor - Delete one or more fields from the document + type: object + properties: + action: + enum: + - remove + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + description: Field to remove from the document + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + description: Skip processing when source field is missing + type: boolean + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - additionalProperties: false + type: object + properties: + action: + enum: + - replace + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + type: boolean + pattern: + minLength: 1 + type: string + replacement: + type: string + to: + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - pattern + - replacement + - 
additionalProperties: false + description: Redact processor - Mask sensitive data using Grok patterns + type: object + properties: + action: + enum: + - redact + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + description: Source field to redact sensitive data from + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + description: Skip processing when source field is missing (defaults to true) + type: boolean + pattern_definitions: + additionalProperties: + type: string + description: Custom pattern definitions to use in the patterns + type: object + patterns: + description: Grok patterns to match sensitive data (for example, "%{IP:client}", "%{EMAILADDRESS:email}") + items: + description: A non-empty string. 
+ minLength: 1 + type: string + minItems: 1 + type: array + prefix: + description: Prefix to prepend to the redacted pattern name (defaults to "<") + type: string + suffix: + description: Suffix to append to the redacted pattern name (defaults to ">") + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - patterns + - additionalProperties: false + type: object + properties: + action: + enum: + - uppercase + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + type: boolean + to: + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - additionalProperties: false + type: object + properties: + action: + enum: + - lowercase + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + type: boolean + to: + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - additionalProperties: false + type: object + properties: + action: + enum: + - trim + type: string + 
customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + type: boolean + to: + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - additionalProperties: false + type: object + properties: + action: + enum: + - join + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + delimiter: + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + items: + minLength: 1 + type: string + minItems: 1 + type: array + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + type: boolean + to: + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - delimiter + - to + - additionalProperties: false + description: Split processor - Split a field value into an array using a separator + type: object + properties: + action: + enum: + - split + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + description: Source field to split into an array + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + 
ignore_missing: + description: Skip processing when source field is missing + type: boolean + preserve_trailing: + description: Preserve empty trailing fields in the split result + type: boolean + separator: + description: Regex separator used to split the field value into an array + minLength: 1 + type: string + to: + description: Target field for the split array (defaults to source) + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - separator + - additionalProperties: false + type: object + properties: + action: + enum: + - sort + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + description: Array field to sort + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + description: Skip processing when source field is missing + type: boolean + order: + description: Sort order - "asc" (ascending) or "desc" (descending). 
Defaults to "asc" + enum: + - asc + - desc + type: string + to: + description: Target field for the sorted array (defaults to source) + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - additionalProperties: false + description: Convert processor - Change the data type of a field value (integer, long, double, boolean, or string) + type: object + properties: + action: + enum: + - convert + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + description: Source field to convert to a different data type + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + description: Skip processing when source field is missing + type: boolean + to: + description: Target field for the converted value (defaults to source) + minLength: 1 + type: string + type: + description: 'Target data type: integer, long, double, boolean, or string' + enum: + - integer + - long + - double + - boolean + - string + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - type + - additionalProperties: false + type: object + properties: + action: + enum: + - concat + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + items: + anyOf: + - type: object + properties: + type: + enum: + - field + type: string + value: + minLength: 1 + type: string + 
required: + - type + - value + - type: object + properties: + type: + enum: + - literal + type: string + value: + type: string + required: + - type + - value + minItems: 1 + type: array + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + type: boolean + to: + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - to + - allOf: + - additionalProperties: false + type: object + properties: + action: + enum: + - network_direction + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + destination_ip: + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + type: boolean + source_ip: + minLength: 1 + type: string + target_field: + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - source_ip + - destination_ip + - anyOf: + - additionalProperties: false + type: object + properties: + internal_networks: + items: + type: string + type: array + required: + - internal_networks + - additionalProperties: false + type: object + properties: + internal_networks_field: + minLength: 1 + type: string + required: + - internal_networks_field + - additionalProperties: false + description: JsonExtract processor - Extract values from JSON strings using JSONPath-like selectors + type: object + properties: + action: + enum: + - json_extract + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + 
minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + extractions: + description: List of extraction specifications + items: + description: A single extraction specification + type: object + properties: + selector: + description: JSONPath-like selector to extract value (e.g., "user.id", "$.metadata.client.ip", "items[0].name") + minLength: 1 + type: string + target_field: + description: Target field to store the extracted value + minLength: 1 + type: string + type: + description: Data type for the extracted value. Defaults to "keyword". Ensures consistent types across transpilers. + enum: + - keyword + - integer + - long + - double + - boolean + type: string + required: + - selector + - target_field + minItems: 1 + type: array + field: + description: Source field containing the JSON string to parse + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + description: Skip processing when source field is missing + type: boolean + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - field + - extractions + - additionalProperties: false + type: object + properties: + action: + enum: + - enrich + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + type: boolean + override: + type: boolean + policy_name: + description: A non-empty string. 
+ minLength: 1 + type: string + to: + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - policy_name + - to + - additionalProperties: false + description: Registered domain processor - extracts domain, registered_domain, top_level_domain, subdomain from a FQDN + type: object + properties: + action: + enum: + - registered_domain + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + expression: + description: The string expression containing the FQDN to parse + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + description: Skip processing when expression field is missing + type: boolean + prefix: + description: The prefix for the output columns. 
The extracted parts are available as prefix.part_name + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - expression + - prefix + - additionalProperties: false + description: Manual ingest pipeline wrapper around native Elasticsearch processors + type: object + properties: + action: + description: Manual ingest pipeline - executes raw Elasticsearch ingest processors + enum: + - manual_ingest_pipeline + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + on_failure: + description: Fallback processors to run when a processor fails + items: + additionalProperties: {} + type: object + type: array + processors: + description: List of raw Elasticsearch ingest processors to run + items: + additionalProperties: {} + type: object + type: array + tag: + description: Optional ingest processor tag for Elasticsearch + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - processors + - $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamlangConditionBlock' + Kibana_HTTP_APIs_StreamUpsertRequest: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_WiredStreamUpsertRequest' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_ClassicStreamUpsertRequest' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_QueryStreamUpsertRequest' + Kibana_HTTP_APIs_sumMetricOperation: + additionalProperties: false + properties: + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric type: string - identifier: - description: Identifier + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string - packageName: - description: Package name + operation: + enum: + - sum type: string - relative_url: - description: Relative URL + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting type: string - type: - description: Type + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting type: string - APM_UI_create_annotation_object: + required: + - field + - operation + title: Sum Metric Operation type: object + Kibana_HTTP_APIs_tagcloudESQL: + additionalProperties: false + description: Tag Cloud configuration using an ES|QL query. properties: - '@timestamp': - description: The date and time of the annotation. It must be in ISO 8601 format. - type: string - message: - description: >- - The message displayed in the annotation. It defaults to - `service.version`. + data_source: + $ref: '#/components/schemas/Kibana_HTTP_APIs_esqlDataSource' + description: type: string - service: - description: The service that identifies the configuration to create or update. + drilldowns: + items: + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. 
+ type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. + type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + hide_border: + type: boolean + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. + type: boolean + metric: + additionalProperties: false type: object properties: - environment: - description: The environment of the service. + column: + description: Column to use type: string - version: - description: The version of the service. 
+ format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string required: - - version - tags: - description: > - Tags are used by the Applications UI to distinguish APM annotations - from other annotations. Tags may have additional functionality in - future releases. It defaults to `[apm]`. While you can add - additional tags, you cannot remove the `apm` tag. + - column + references: items: - type: string + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' type: array - required: - - '@timestamp' - - service - APM_UI_create_annotation_response: - type: object - properties: - _id: - description: Identifier - type: string - _index: - description: Index - type: string - _source: - description: Response + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). + maximum: 1 + minimum: 0 + type: number + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudStyling' + tag_by: + additionalProperties: false type: object properties: - '@timestamp': + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + column: + description: Column to use type: string - annotation: - type: object - properties: - title: - type: string - type: - type: string - event: - type: object - properties: - created: - type: string - message: + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string - service: - type: object - properties: - environment: - type: string - name: - type: string - version: - type: string - tags: - items: - type: string - type: array - APM_UI_delete_agent_configurations_response: - type: object - properties: - result: - description: Result + required: + - column + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + type: + enum: + - tag_cloud type: string - 
APM_UI_delete_service_object: - description: Service - type: object - properties: - service: - $ref: '#/components/schemas/APM_UI_service_object' required: - - service - APM_UI_search_agent_configuration_object: + - type + - data_source + - metric + - tag_by + title: Tag Cloud Chart (ES|QL) type: object + Kibana_HTTP_APIs_tagcloudMetricCounterRate: + additionalProperties: false properties: - error: - description: > - If provided, the agent configuration will be marked as error and - `applied_by_agent` will be set to `false`. - - This is useful for cases where the agent configuration was not - applied successfully. + field: + description: Field to be used for the metric type: string - etag: - description: If etags match then `applied_by_agent` field will be set to `true` - example: 0bc3b5ebf18fba8163fe4c96f491e3767a358f85 + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string - mark_as_applied_by_agent: - description: > - `markAsAppliedByAgent=true` means "force setting it to true - regardless of etag". 
- - This is needed for Jaeger agent that doesn't have etags - type: boolean - service: - $ref: '#/components/schemas/APM_UI_service_object' - required: - - service - APM_UI_search_agent_configuration_response: - type: object - properties: - _id: - description: Identifier + operation: + enum: + - counter_rate type: string - _index: - description: Index + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting type: string - _score: - description: Score - type: number - _source: - $ref: '#/components/schemas/APM_UI_agent_configuration_object' - APM_UI_service_agent_name_response: - type: object - properties: - agentName: - description: Agent name - example: nodejs + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting type: string - APM_UI_service_environment_object: + required: + - field + - operation + title: Counter Rate Operation type: object + Kibana_HTTP_APIs_tagcloudMetricCountMetric: + additionalProperties: false properties: - alreadyConfigured: - description: Already configured + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. type: boolean - name: - description: Service environment name - example: ALL_OPTION_VALUE + field: + description: Field to be used for the metric type: string - APM_UI_service_environments_response: - type: object - properties: - environments: - description: Service environment list - items: - $ref: '#/components/schemas/APM_UI_service_environment_object' - type: array - APM_UI_service_object: - description: Service - type: object - properties: - environment: - description: The environment of the service. 
- example: prod + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string - name: - description: The name of the service. - example: node + operation: + enum: + - count type: string - APM_UI_settings_object: - additionalProperties: - type: string - description: Agent configuration settings - type: object - APM_UI_single_agent_configuration_response: - allOf: - - type: object - properties: - id: - type: string - required: - - id - - $ref: '#/components/schemas/APM_UI_agent_configuration_object' - APM_UI_source_maps_response: - type: object - properties: - artifacts: - description: Artifacts - items: - allOf: - - type: object - properties: - body: - type: object - properties: - bundleFilepath: - type: string - serviceName: - type: string - serviceVersion: - type: string - sourceMap: - type: object - properties: - file: - type: string - mappings: - type: string - sourceRoot: - type: string - sources: - items: - type: string - type: array - sourcesContent: - items: - type: string - type: array - version: - type: number - - $ref: '#/components/schemas/APM_UI_base_source_map_object' - type: array - APM_UI_upload_source_map_object: + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - operation + title: Count Metric Operation type: object + Kibana_HTTP_APIs_tagcloudMetricCumulativeSum: + additionalProperties: false properties: - bundle_filepath: - description: >- - The absolute path of the final bundle as used in the web - application. 
+ field: + description: Field to be used for the metric type: string - service_name: - description: The name of the service that the service map should apply to. + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string - service_version: - description: The version of the service that the service map should apply to. + operation: + enum: + - cumulative_sum type: string - sourcemap: - description: > - The source map. It can be a string or file upload. It must follow - the - - [source map format specification](https://tc39.es/ecma426/). - format: binary + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting type: string required: - - service_name - - service_version - - bundle_filepath - - sourcemap - APM_UI_upload_source_maps_response: - allOf: - - type: object - properties: - body: - type: string - - $ref: '#/components/schemas/APM_UI_base_source_map_object' - Data_views_400_response: - title: Bad request + - field + - operation + title: Cumulative Sum Operation type: object + Kibana_HTTP_APIs_tagcloudMetricDifferences: + additionalProperties: false properties: - error: - example: Bad Request + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string - message: + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - differences + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: 
'#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting type: string - statusCode: - example: 400 - type: number required: - - statusCode - - error - - message - Data_views_404_response: + - operation + - of + title: Differences Operation type: object + Kibana_HTTP_APIs_tagcloudMetricFormula: + additionalProperties: false properties: - error: + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + formula: + description: Formula + type: string + label: + description: Label for the operation + type: string + operation: enum: - - Not Found - example: Not Found + - formula type: string - message: - example: >- - Saved object [index-pattern/caaad6d0-920c-11ed-b36a-874bd1548a00] - not found + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting type: string - statusCode: + time_scale: + description: Time scale enum: - - 404 - example: 404 - type: integer - Data_views_allownoindex: - description: >- - Allows the data view saved object to exist before the data is available. - Defaults to `false`. - type: boolean - Data_views_create_data_view_request_object: - title: Create data view request + - s + - m + - h + - d + type: string + required: + - operation + - formula + title: Formula Operation type: object + Kibana_HTTP_APIs_tagcloudMetricLastValue: + additionalProperties: false properties: - data_view: - description: The data view object. - type: object - properties: - allowNoIndex: - $ref: '#/components/schemas/Data_views_allownoindex' - fieldAttrs: - additionalProperties: - $ref: '#/components/schemas/Data_views_fieldattrs' - type: object - fieldFormats: - $ref: '#/components/schemas/Data_views_fieldformats' - fields: - type: object - id: - type: string - name: - description: The data view name. 
- type: string - namespaces: - $ref: '#/components/schemas/Data_views_namespaces' - runtimeFieldMap: - additionalProperties: - $ref: '#/components/schemas/Data_views_runtimefieldmap' - type: object - sourceFilters: - $ref: '#/components/schemas/Data_views_sourcefilters' - timeFieldName: - $ref: '#/components/schemas/Data_views_timefieldname' - title: - $ref: '#/components/schemas/Data_views_title' - type: - $ref: '#/components/schemas/Data_views_type' - typeMeta: - $ref: '#/components/schemas/Data_views_typemeta' - version: - type: string - required: - - title - override: + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + multi_value: default: false - description: >- - Override an existing data view if a data view with the provided - title already exists. + description: Whether to return all values for multi-value fields. Only affects data table and metric charts; other charts use the last value from the array. type: boolean - required: - - data_view - Data_views_data_view_response_object: - title: Data view response properties - type: object - properties: - data_view: - type: object - properties: - allowNoIndex: - $ref: '#/components/schemas/Data_views_allownoindex' - fieldAttrs: - additionalProperties: - $ref: '#/components/schemas/Data_views_fieldattrs' - type: object - fieldFormats: - $ref: '#/components/schemas/Data_views_fieldformats' - fields: - type: object - id: - example: ff959d40-b880-11e8-a6d9-e546fe2bba5f - type: string - name: - description: The data view name. 
- type: string - namespaces: - $ref: '#/components/schemas/Data_views_namespaces' - runtimeFieldMap: - additionalProperties: - $ref: '#/components/schemas/Data_views_runtimefieldmap' - type: object - sourceFilters: - $ref: '#/components/schemas/Data_views_sourcefilters' - timeFieldName: - $ref: '#/components/schemas/Data_views_timefieldname' - title: - $ref: '#/components/schemas/Data_views_title' - typeMeta: - $ref: '#/components/schemas/Data_views_typemeta_response' - version: - example: WzQ2LDJd - type: string - Data_views_fieldattrs: - description: A map of field attributes by field name. - type: object - properties: - count: - description: Popularity count for the field. - type: integer - customDescription: - description: Custom description for the field. - maxLength: 300 + operation: + enum: + - last_value type: string - customLabel: - description: Custom label for the field. + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting type: string - Data_views_fieldformats: - description: A map of field formats by field name. - type: object - Data_views_namespaces: - description: >- - An array of space identifiers for sharing the data view between multiple - spaces. - items: - default: default - type: string - type: array - Data_views_runtimefieldmap: - description: A map of runtime field definitions by field name. - type: object - properties: - script: - type: object - properties: - source: - description: Script for the runtime field. - type: string - type: - description: Mapping type of the runtime field. + time_field: + description: Time field used to determine document recency + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting type: string required: - - script - - type - Data_views_sourcefilters: - description: The array of field names you want to filter out in Discover. 
- items: - type: object - properties: - value: - type: string - required: - - value - type: array - Data_views_swap_data_view_request_object: - title: Data view reference swap request + - field + - operation + - time_field + title: Last Value Operation type: object + Kibana_HTTP_APIs_tagcloudMetricMovingAverage: + additionalProperties: false properties: - delete: - description: Deletes referenced saved object if all references are removed. - type: boolean - forId: - description: Limit the affected saved objects to one or more by identifier. - oneOf: - - type: string - - items: - type: string - type: array - forType: - description: Limit the affected saved objects by type. + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string - fromId: - description: The saved object reference to change. + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - moving_average type: string - fromType: - description: > - Specify the type of the saved object reference to alter. The default - value is `index-pattern` for data views. + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting type: string - toId: - description: New saved object reference value to replace the old value. + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting type: string + window: + default: 5 + description: Window + type: number required: - - fromId - - toId - Data_views_timefieldname: - description: The timestamp field name, which you use for time-based data views. - type: string - Data_views_title: - description: >- - Comma-separated list of data streams, indices, and aliases that you want - to search. Supports wildcards (`*`). 
- type: string - Data_views_type: - description: When set to `rollup`, identifies the rollup data views. - type: string - Data_views_typemeta: - description: >- - When you use rollup indices, contains the field list for the rollup data - view API endpoints. + - operation + - of + title: Moving Average Operation type: object + Kibana_HTTP_APIs_tagcloudMetricPercentile: + additionalProperties: false properties: - aggs: - description: A map of rollup restrictions by aggregation type and field name. - type: object - params: - description: Properties for retrieving rollup fields. - type: object + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - percentile + type: string + percentile: + default: 95 + description: Percentile + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string required: - - aggs - - params - Data_views_typemeta_response: - description: >- - When you use rollup indices, contains the field list for the rollup data - view API endpoints. - nullable: true + - field + - operation + title: Percentile Operation type: object + Kibana_HTTP_APIs_tagcloudMetricPercentileRanks: + additionalProperties: false properties: - aggs: - description: A map of rollup restrictions by aggregation type and field name. - type: object - params: - description: Properties for retrieving rollup fields. 
- type: object - Data_views_update_data_view_request_object: - title: Update data view request + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - percentile_rank + type: string + rank: + default: 0 + description: Percentile Rank + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Percentile Ranks Operation + type: object + Kibana_HTTP_APIs_tagcloudMetricStatsMetric: + additionalProperties: false + properties: + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - min + - max + - average + - median + - standard_deviation + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Stats Metric Operation type: object + Kibana_HTTP_APIs_tagcloudMetricSumMetric: + additionalProperties: false properties: - data_view: - description: > - The data view properties you want to update. Only the specified - properties are updated in the data view. Unspecified fields stay as - they are persisted. 
- type: object - properties: - allowNoIndex: - $ref: '#/components/schemas/Data_views_allownoindex' - fieldFormats: - $ref: '#/components/schemas/Data_views_fieldformats' - fields: - type: object - name: - type: string - runtimeFieldMap: - additionalProperties: - $ref: '#/components/schemas/Data_views_runtimefieldmap' - type: object - sourceFilters: - $ref: '#/components/schemas/Data_views_sourcefilters' - timeFieldName: - $ref: '#/components/schemas/Data_views_timefieldname' - title: - $ref: '#/components/schemas/Data_views_title' - type: - $ref: '#/components/schemas/Data_views_type' - typeMeta: - $ref: '#/components/schemas/Data_views_typemeta' - refresh_fields: + empty_as_null: default: false - description: Reloads the data view fields after the data view is updated. + description: When `true`, treats empty buckets as null instead of zero. type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string required: - - data_view - Kibana_HTTP_APIs_action_id_response: + - field + - operation + title: Sum Metric Operation + type: object + Kibana_HTTP_APIs_tagcloudMetricUniqueCountMetric: additionalProperties: false properties: - actionId: + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - unique_count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting type: string required: - - actionId - title: action_id_response + - field + - operation + title: Unique Count Metric Operation type: object - Kibana_HTTP_APIs_action_message_response: + Kibana_HTTP_APIs_tagcloudNoESQL: additionalProperties: false + description: Tag Cloud configuration using a data view. properties: - message: + data_source: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' + description: + type: string + drilldowns: + items: + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. 
+ type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + hide_border: + type: boolean + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. 
+ type: boolean + metric: + anyOf: + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudMetricCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudMetricUniqueCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudMetricStatsMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudMetricSumMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudMetricLastValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudMetricPercentile' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudMetricPercentileRanks' + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudMetricDifferences' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudMetricMovingAverage' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudMetricCumulativeSum' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudMetricCounterRate' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudMetricFormula' + query: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). 
+ maximum: 1 + minimum: 0 + type: number + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudStyling' + tag_by: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudTagDateHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudTagTerms' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudTagHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudTagRanges' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudTagFilters' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + type: + enum: + - tag_cloud type: string required: - - message - title: action_message_response + - type + - data_source + - metric + - tag_by + title: Tag Cloud Chart (DSL) type: object - Kibana_HTTP_APIs_agent_policy_response: + Kibana_HTTP_APIs_tagcloudStyling: additionalProperties: false + description: Visual chart styling options properties: - advanced_settings: + caption: additionalProperties: false + description: Caption configuration representing the metric and the tag_by operations labels type: object properties: - agent_download_target_directory: - nullable: true - agent_download_timeout: - nullable: true - agent_features_disable_policy_change_acks_enabled: - nullable: true - agent_internal: - nullable: true - agent_limits_go_max_procs: - nullable: true - agent_logging_files_interval: - nullable: true - agent_logging_files_keepfiles: - nullable: true - agent_logging_files_rotateeverybytes: - nullable: true - agent_logging_level: - nullable: true - agent_logging_metrics_period: - nullable: true - agent_logging_to_files: - nullable: true - agent_monitoring_runtime_experimental: - nullable: true - agent_features: - items: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - name: - type: string - required: - - name - - enabled - maxItems: 100 - type: array - agentless: + visible: + default: true + description: When `true`, 
displays the caption. + type: boolean + font_size: additionalProperties: false + description: Font size range for tags. type: object properties: - cloud_connectors: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - target_csp: - enum: - - aws - - azure - - gcp - type: string - required: - - enabled - cluster_id: - type: string - resources: - additionalProperties: false - type: object - properties: - requests: - additionalProperties: false - type: object - properties: - cpu: - type: string - memory: - type: string - agents: - type: number - agents_per_version: + max: + default: 72 + description: Maximum font size. + maximum: 120 + type: number + min: + default: 18 + description: Minimum font size. + minimum: 1 + type: number + orientation: + $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_orientation' + title: Tag cloud styling + type: object + Kibana_HTTP_APIs_tagcloudTagDateHistogram: + additionalProperties: false + properties: + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + drop_partial_intervals: + description: When `true`, drops partial intervals from the results. + type: boolean + field: + description: Field to be used for the date histogram. + type: string + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. + type: boolean + label: + description: Label for the operation + type: string + operation: + enum: + - date_histogram + type: string + suggested_interval: + default: auto + description: Suggested time interval. + type: string + use_original_time_range: + default: false + description: When `true`, uses the original time range instead of the current query time range. 
+ type: boolean + required: + - operation + - field + title: Date Histogram Operation + type: object + Kibana_HTTP_APIs_tagcloudTagFilters: + additionalProperties: false + properties: + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + filters: items: - additionalProperties: false - type: object - properties: - count: - type: number - version: - type: string - required: - - version - - count - maxItems: 1000 + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterWithLabel' + maxItems: 100 type: array - created_at: + label: + description: Label for the operation type: string - data_output_id: - nullable: true + operation: + enum: + - filters type: string - description: + required: + - operation + - filters + title: Filters Operation + type: object + Kibana_HTTP_APIs_tagcloudTagHistogram: + additionalProperties: false + properties: + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + field: + description: Field to be used for the histogram. type: string - download_source_id: - nullable: true + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + granularity: + anyOf: + - description: Granularity of the histogram. + maximum: 7 + minimum: 1 + type: number + - enum: + - auto + type: string + default: auto + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. + type: boolean + label: + description: Label for the operation type: string - fips_agents: - type: number - fleet_server_host_id: - nullable: true + operation: + enum: + - histogram type: string - global_data_tags: - description: >- - User defined data tags that are added to all of the inputs. The - values can be strings or numbers. + required: + - operation + - field + title: Histogram Operation + type: object + Kibana_HTTP_APIs_tagcloudTagRanges: + additionalProperties: false + properties: + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + field: + description: Field to be used for the range. 
+ type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - range + type: string + ranges: items: additionalProperties: false type: object properties: - name: + gt: + description: Greater than. + type: number + label: + description: Label. type: string - value: - anyOf: - - type: string - - type: number - required: - - name - - value + lte: + description: Less than or equal to. + type: number maxItems: 100 type: array - has_agent_version_conditions: - type: boolean - has_fleet_server: - type: boolean - id: - type: string - inactivity_timeout: - default: 1209600 - minimum: 0 - type: number - is_default: - type: boolean - is_default_fleet_server: - type: boolean - is_managed: - type: boolean - is_preconfigured: - type: boolean - is_protected: - description: >- - Indicates whether the agent policy has tamper protection enabled. - Default false. - type: boolean - is_verifier: - type: boolean - keep_monitoring_alive: - default: false - description: >- - When set to true, monitoring will be enabled but logs/metrics - collection will be disabled - nullable: true - type: boolean - min_agent_version: - nullable: true - type: string - monitoring_diagnostics: + required: + - operation + - field + - ranges + title: Ranges Operation + type: object + Kibana_HTTP_APIs_tagcloudTagTerms: + additionalProperties: false + properties: + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + excludes: additionalProperties: false type: object properties: - limit: - additionalProperties: false - type: object - properties: - burst: - type: number - interval: - type: string - uploader: - additionalProperties: false - type: object - properties: - init_dur: - type: string - max_dur: - type: string - max_retries: - type: number - monitoring_enabled: + as_regex: + description: When `true`, treats the values as regular expressions. 
+ type: boolean + values: + items: + description: Values to exclude. + type: string + maxItems: 100 + type: array + required: + - values + fields: items: - enum: - - logs - - metrics - - traces + description: Fields to be used for the terms. type: string - maxItems: 3 + maxItems: 4 + minItems: 1 type: array - monitoring_http: + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + includes: additionalProperties: false type: object properties: - buffer: - additionalProperties: false - type: object - properties: - enabled: - default: false - type: boolean - enabled: + as_regex: + description: When `true`, treats the values as regular expressions. type: boolean - host: - type: string - port: - maximum: 65353 - minimum: 0 - type: number - monitoring_output_id: - nullable: true - type: string - monitoring_pprof_enabled: - type: boolean - name: - minLength: 1 - type: string - namespace: - minLength: 1 - type: string - overrides: - additionalProperties: - nullable: true - description: >- - Override settings that are defined in the agent policy. Input - settings cannot be overridden. The override option should be used - only in unusual circumstances and not as a routine procedure. 
- nullable: true - type: object - package_agent_version_conditions: - items: - additionalProperties: false - type: object - properties: - name: - type: string - title: - type: string - version_condition: - type: string - required: - - name - - title - - version_condition - maxItems: 1000 - nullable: true - type: array - package_policies: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - description: >- - This field is present only when retrieving a single agent - policy, or when retrieving a list of agent policies with the - ?full=true parameter + values: items: - $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_response' - maxItems: 10000 - type: array - required_versions: - items: - additionalProperties: false - type: object - properties: - percentage: - description: Target percentage of agents to auto upgrade - maximum: 100 - minimum: 0 - type: number - version: - description: Target version for automatic agent upgrade + description: Values to include. type: string - required: - - version - - percentage - maxItems: 100 - nullable: true - type: array - revision: + maxItems: 100 + type: array + required: + - values + increase_accuracy: + description: When `true`, increases accuracy at the cost of performance. + type: boolean + label: + description: Label for the operation + type: string + limit: + default: 5 + description: Number of terms to return. type: number - schema_version: + operation: + enum: + - terms type: string - space_ids: + other_bucket: + additionalProperties: false + type: object + properties: + include_documents_without_field: + description: When `true`, includes documents that do not have the specified field. 
+ type: boolean + required: + - include_documents_without_field + rank_by: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByAlphabetical' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByRare' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankBySignificant' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomCountOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileRankOperation' + required: + - operation + - fields + title: Terms Operation + type: object + Kibana_HTTP_APIs_termsOperation: + additionalProperties: false + properties: + excludes: + additionalProperties: false + type: object + properties: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to exclude. + type: string + maxItems: 100 + type: array + required: + - values + fields: items: + description: Fields to be used for the terms. type: string - maxItems: 100 + maxItems: 4 + minItems: 1 type: array - status: - enum: - - active - - inactive - type: string - supports_agentless: - default: false - description: Indicates whether the agent policy supports agentless integrations. - nullable: true + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + includes: + additionalProperties: false + type: object + properties: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to include. + type: string + maxItems: 100 + type: array + required: + - values + increase_accuracy: + description: When `true`, increases accuracy at the cost of performance. 
type: boolean - unenroll_timeout: - minimum: 0 - type: number - unprivileged_agents: - type: number - updated_at: + label: + description: Label for the operation type: string - updated_by: + limit: + default: 5 + description: Number of terms to return. + type: number + operation: + enum: + - terms type: string - version: + other_bucket: + additionalProperties: false + type: object + properties: + include_documents_without_field: + description: When `true`, includes documents that do not have the specified field. + type: boolean + required: + - include_documents_without_field + rank_by: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByAlphabetical' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByRare' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankBySignificant' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomCountOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileRankOperation' + required: + - operation + - fields + title: Terms Operation + type: object + Kibana_HTTP_APIs_termsRankByAlphabetical: + additionalProperties: false + description: Terms ranked alphabetically. + properties: + direction: + $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByAlphabeticalDirection' + type: + enum: + - alphabetical type: string required: - - id - - name - - namespace - - is_protected - - status - - updated_at - - updated_by - - revision - title: agent_policy_response + - type + - direction + title: Terms Rank By Alphabetical type: object - Kibana_HTTP_APIs_bulk_delete_enrollment_api_keys_request: + Kibana_HTTP_APIs_termsRankByAlphabeticalDirection: + description: Sort direction for alphabetical ranking. 
+ enum: + - asc + - desc + title: termsRankByAlphabeticalDirection + type: string + Kibana_HTTP_APIs_termsRankByCustomCountOperation: additionalProperties: false + description: Terms ranked by count, either of all documents or of a specific field. properties: - forceDelete: - default: false - description: >- - When false (default), invalidate the API key and mark the token as - inactive. When true, also delete the token document. - type: boolean - includeHidden: - default: false - description: >- - When true, allow deletion of hidden enrollment tokens - (managed/agentless policies). Defaults to false. - type: boolean - kuery: - description: KQL query to select enrollment tokens to delete. + direction: + $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomDirection' + field: + description: Numeric field to be used for the custom operation. type: string - tokenIds: - description: List of enrollment token IDs to delete. - items: - type: string - maxItems: 10000 - type: array - title: bulk_delete_enrollment_api_keys_request + operation: + enum: + - count + type: string + type: + enum: + - custom + type: string + required: + - type + - direction + - operation + title: Terms Rank By Custom Count Operation type: object - Kibana_HTTP_APIs_bulk_delete_enrollment_api_keys_response: + Kibana_HTTP_APIs_termsRankByCustomDirection: + description: Sort direction for custom ranking. + enum: + - asc + - desc + title: termsRankByCustomDirection + type: string + Kibana_HTTP_APIs_termsRankByCustomOperation: additionalProperties: false + description: Terms ranked by custom operation. properties: - action: + direction: + $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomDirection' + field: + description: Numeric field to be used for the custom operation. 
+ type: string + operation: + enum: + - min + - max + - average + - median + - standard_deviation + - unique_count + - sum + - last_value + type: string + type: + enum: + - custom type: string - count: - type: number - errorCount: - type: number - successCount: - type: number required: - - action - - count - - successCount - - errorCount - title: bulk_delete_enrollment_api_keys_response + - type + - field + - direction + - operation + title: Terms Rank By Custom Operation type: object - Kibana_HTTP_APIs_bulk_get_agent_policies_response: + Kibana_HTTP_APIs_termsRankByMetric: additionalProperties: false + description: Terms ranked by a linked metric. properties: - items: - items: - $ref: '#/components/schemas/Kibana_HTTP_APIs_agent_policy_response' - maxItems: 10000 - type: array + direction: + $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByMetricDirection' + metric_index: + default: 0 + description: Zero-based index into the metrics array identifying which metric to rank by. + minimum: 0 + type: number + type: + enum: + - metric + type: string required: - - items - title: bulk_get_agent_policies_response + - type + - direction + title: Terms Rank By Metric type: object - Kibana_HTTP_APIs_bulk_get_package_policies_response: + Kibana_HTTP_APIs_termsRankByMetricDirection: + description: Sort direction for metric-based ranking. + enum: + - asc + - desc + title: termsRankByMetricDirection + type: string + Kibana_HTTP_APIs_termsRankByPercentileOperation: additionalProperties: false + description: Terms ranked by a percentile of a numeric field, for example the 95th percentile of response time. properties: - items: - items: - $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_response' - maxItems: 10000 - type: array + direction: + $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomDirection' + field: + description: Numeric field to be used for the custom operation. 
+ type: string + operation: + enum: + - percentile + type: string + percentile: + default: 95 + description: The percentile threshold (0–100) at which to compute the field value used for ranking terms. + type: number + type: + enum: + - custom + type: string required: - - items - title: bulk_get_package_policies_response + - type + - field + - direction + - operation + title: Terms Rank By Percentile Operation type: object - Kibana_HTTP_APIs_bulk_install_packages_from_registry_request: + Kibana_HTTP_APIs_termsRankByPercentileRankOperation: additionalProperties: false + description: 'Terms ranked by the percentile rank of a single value: the proportion of field values at or below that value.' properties: - force: - default: false - type: boolean - packages: - items: - anyOf: - - type: string - - additionalProperties: false - type: object - properties: - name: - type: string - prerelease: - type: boolean - version: - type: string - required: - - name - - version - maxItems: 1000 - minItems: 1 - type: array + direction: + $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomDirection' + field: + description: Numeric field to be used for the custom operation. + type: string + operation: + enum: + - percentile_rank + type: string + rank: + default: 0 + description: The numeric value for which to compute the percentile rank (the percentage of field values at or below this value). + type: number + type: + enum: + - custom + type: string required: - - packages - title: bulk_install_packages_from_registry_request + - type + - field + - direction + - operation + title: Terms Rank By Percentile Rank Operation type: object - Kibana_HTTP_APIs_bulk_install_packages_from_registry_response: + Kibana_HTTP_APIs_termsRankByRare: additionalProperties: false + description: Terms ranked by rarity. 
properties: - items: - items: - anyOf: - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_bulk_install_packages_response_item_success - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_bulk_install_packages_response_item_error - maxItems: 10000 - type: array + max: + description: Maximum number of rare terms to include. + type: number + type: + enum: + - rare + type: string required: - - items - title: bulk_install_packages_from_registry_response + - type + - max + title: Terms Rank By Rarity type: object - Kibana_HTTP_APIs_bulk_install_packages_response_item_error: + Kibana_HTTP_APIs_termsRankBySignificant: additionalProperties: false + description: Terms ranked by significance. properties: - error: - anyOf: - - type: string - - nullable: true - name: + type: + enum: + - significant type: string - statusCode: - type: number required: - - name - - statusCode - title: bulk_install_packages_response_item_error + - type + title: Terms Rank By Significance type: object - Kibana_HTTP_APIs_bulk_install_packages_response_item_success: + Kibana_HTTP_APIs_transform-health-create-rule-body-alerting: additionalProperties: false properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_alert_delay' + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' 
+ type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. type: string - result: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: additionalProperties: false - type: object + description: The parameters for the transform health rule. These parameters are appropriate when `rule_type_id` is `transform_health`. 
properties: - assets: + excludeTransforms: + default: [] items: - anyOf: - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_kibana_asset_reference - - $ref: '#/components/schemas/Kibana_HTTP_APIs_es_asset_reference' - maxItems: 10000 + type: string + nullable: true type: array - error: + includeTransforms: + items: + type: string + type: array + testsConfig: + additionalProperties: false nullable: true - installSource: - type: string - installType: - type: string - status: - enum: - - installed - - already_installed + type: object + properties: + errorMessages: + additionalProperties: false + nullable: true + type: object + properties: + enabled: + default: false + type: boolean + healthCheck: + additionalProperties: false + nullable: true + type: object + properties: + enabled: + default: true + type: boolean + notStarted: + additionalProperties: false + nullable: true + type: object + properties: + enabled: + default: true + type: boolean + required: + - notStarted + - errorMessages + - healthCheck + required: + - includeTransforms + - testsConfig + title: Transform Health Rule Params + type: object + rule_type_id: + enum: + - transform_health + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. type: string required: - - error - - installType - version: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true type: string required: - name - - version - - result - title: bulk_install_packages_response_item_success + - consumer + - schedule + - rule_type_id + - params + title: Transform health type: object - Kibana_HTTP_APIs_bulk_namespace_customization_request: + Kibana_HTTP_APIs_treemapESQL: additionalProperties: false + description: Treemap chart configuration schema for ES|QL queries, defining metrics and breakdown dimensions using column-based configuration properties: - disable: - description: >- - Namespaces to disable namespace-level customization for on each - package. - items: - type: string - maxItems: 100 - type: array - enable: - description: >- - Namespaces to enable namespace-level customization for on each - package. + data_source: + $ref: '#/components/schemas/Kibana_HTTP_APIs_esqlDataSource' + description: + type: string + drilldowns: items: - type: string + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. 
+ type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object maxItems: 100 type: array - packages: - description: Package names to apply the customization changes to. - items: - type: string - maxItems: 1000 - minItems: 1 - type: array - required: - - packages - title: bulk_namespace_customization_request - type: object - Kibana_HTTP_APIs_bulk_namespace_customization_response: - additionalProperties: false - properties: - items: + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + group_by: + description: Array of breakdown dimensions (minimum 1) items: additionalProperties: false type: object properties: - error: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + column: + description: Column to use type: string - name: - type: string - namespace_customization_enabled_for: - description: >- - The opt-in list on the package. 
Returned whenever the package - is installed: the new list on success, or the unchanged list - when the request is rejected (for example, because of a - namespace-prefix restriction). - items: - type: string - maxItems: 100 - type: array - success: - type: boolean - required: - - name - - success - maxItems: 1000 - type: array - required: - - items - title: bulk_namespace_customization_response - type: object - Kibana_HTTP_APIs_bulk_rollback_packages_request: - additionalProperties: false - properties: - packages: - items: - additionalProperties: false - type: object - properties: - name: - description: Package name to rollback + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string required: - - name - maxItems: 1000 + - column + maxItems: 100 minItems: 1 type: array - required: - - packages - title: bulk_rollback_packages_request - type: object - Kibana_HTTP_APIs_bulk_rollback_packages_response: - additionalProperties: false - properties: - taskId: - type: string - required: - - taskId - title: bulk_rollback_packages_response - type: object - Kibana_HTTP_APIs_bulk_uninstall_packages_request: - additionalProperties: false - properties: - force: - default: false + hide_border: type: boolean - packages: - items: - additionalProperties: false - type: object - properties: - name: - type: string - version: - type: string - required: - - name - - version - maxItems: 1000 - minItems: 1 - type: array - required: - - packages - title: bulk_uninstall_packages_request - type: object - Kibana_HTTP_APIs_bulk_upgrade_packages_request: - additionalProperties: false - properties: - force: + hide_title: + type: boolean + ignore_global_filters: default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. 
type: boolean - packages: + legend: + $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapLegend' + metrics: + description: Array of metric configurations (minimum 1) items: additionalProperties: false type: object properties: - name: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + column: + description: Column to use type: string - version: + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string required: - - name - maxItems: 1000 + - column + maxItems: 100 minItems: 1 type: array - prerelease: - type: boolean - upgrade_package_policies: - default: false - type: boolean - required: - - packages - title: bulk_upgrade_packages_request - type: object - Kibana_HTTP_APIs_bulk_upgrade_packages_response: - additionalProperties: false - properties: - taskId: + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). + maximum: 1 + minimum: 0 + type: number + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapStyling' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + type: + enum: + - treemap type: string required: - - taskId - title: bulk_upgrade_packages_response + - type + - data_source + - metrics + title: Treemap Chart (ES|QL) type: object - Kibana_HTTP_APIs_category_summary_item: + Kibana_HTTP_APIs_treemapGroupByDateHistogram: additionalProperties: false properties: - count: - type: number - id: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + drop_partial_intervals: + description: When `true`, drops partial intervals from the results. 
+ type: boolean + field: + description: Field to be used for the date histogram. type: string - parent_id: + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. + type: boolean + label: + description: Label for the operation type: string - parent_title: + operation: + enum: + - date_histogram type: string - title: + suggested_interval: + default: auto + description: Suggested time interval. type: string + use_original_time_range: + default: false + description: When `true`, uses the original time range instead of the current query time range. + type: boolean required: - - id - - title - - count - title: category_summary_item + - operation + - field + title: Date Histogram Operation type: object - Kibana_HTTP_APIs_copy_agent_policy_request: + Kibana_HTTP_APIs_treemapGroupByFilters: additionalProperties: false properties: - description: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + filters: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterWithLabel' + maxItems: 100 + type: array + label: + description: Label for the operation type: string - name: - minLength: 1 + operation: + enum: + - filters type: string required: - - name - title: copy_agent_policy_request + - operation + - filters + title: Filters Operation type: object - Kibana_HTTP_APIs_create_custom_integration_request: + Kibana_HTTP_APIs_treemapGroupByHistogram: additionalProperties: false properties: - datasets: - items: - additionalProperties: false - type: object - properties: - name: - type: string - type: - enum: - - logs - - metrics - - traces - - synthetics - - profiling - type: string - required: - - name - - type - maxItems: 10 - type: array - force: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + field: + description: Field to be used for the 
histogram. + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + granularity: + anyOf: + - description: Granularity of the histogram. + maximum: 7 + minimum: 1 + type: number + - enum: + - auto + type: string + default: auto + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. type: boolean - integrationName: + label: + description: Label for the operation + type: string + operation: + enum: + - histogram type: string required: - - integrationName - - datasets - title: create_custom_integration_request + - operation + - field + title: Histogram Operation type: object - Kibana_HTTP_APIs_create_package_policy_request: + Kibana_HTTP_APIs_treemapGroupByRanges: additionalProperties: false properties: - additional_datastreams_permissions: - description: >- - Additional datastream permissions, that will be added to the agent - policy. - items: - type: string - maxItems: 1000 - nullable: true - type: array - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. - nullable: true - type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. - maxLength: 255 - minLength: 1 - nullable: true + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + field: + description: Field to be used for the range. type: string - condition: - description: >- - **Experimental.** Agent condition expression to evaluate whether to - apply this integration to its inputs. 
+ format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string - description: - description: Package policy description + operation: + enum: + - range type: string - enabled: - type: boolean - force: - description: >- - Force package policy creation even if the package is not verified, - or if the agent policy is managed. - type: boolean - global_data_tags: + ranges: items: additionalProperties: false type: object properties: - name: - description: The name of the custom field. Cannot contain spaces. + gt: + description: Greater than. + type: number + label: + description: Label. type: string - value: - anyOf: - - type: string - - type: number - description: The value of the custom field. - required: - - name - - value + lte: + description: Less than or equal to. + type: number maxItems: 100 - nullable: true - type: array - id: - description: Package policy unique identifier - type: string - inputs: - items: - additionalProperties: false - type: object - properties: - condition: - description: >- - **Experimental.** Agent condition expression to evaluate - whether to apply this input. - type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation for more - information) - type: object - deprecated: - $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - condition: - description: >- - **Experimental.** Agent condition expression to evaluate - whether to apply this stream. 
- type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation for more - information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: >- - Variable group selections. Maps var_group name to the - selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation for more - information) - type: object - required: - - enabled - - data_stream - - compiled_stream - - deprecated - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: >- - Variable group selections. Maps var_group name to the selected - option name within that group. 
- type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation for more - information) - type: object - required: - - type - - enabled - - deprecated - maxItems: 1000 type: array - is_managed: - type: boolean - name: - description: Unique name for the package policy. - type: string - namespace: - description: >- - The package policy namespace. Leave blank to inherit the agent - policy's namespace. - type: string - output_id: - nullable: true - type: string - overrides: + required: + - operation + - field + - ranges + title: Ranges Operation + type: object + Kibana_HTTP_APIs_treemapGroupByTerms: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + excludes: additionalProperties: false - description: >- - Override settings that are defined in the package policy. The - override option should be used only in unusual circumstances and not - as a routine procedure. - nullable: true type: object properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_package' - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. - nullable: true - type: string - policy_ids: - items: - description: >- - IDs of the agent policies which that package policy will be added - to. - type: string - maxItems: 1000 - type: array - spaceIds: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to exclude. 
+ type: string + maxItems: 100 + type: array + required: + - values + fields: items: + description: Fields to be used for the terms. type: string - maxItems: 100 + maxItems: 4 + minItems: 1 type: array - supports_agentless: - default: false - deprecated: true - description: >- - Indicates whether the package policy belongs to an agentless agent - policy. Deprecated in favor of the Fleet agentless policies API. - nullable: true - type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. - nullable: true - type: boolean - var_group_selections: - additionalProperties: - type: string - description: >- - Variable group selections. Maps var_group name to the selected - option name within that group. + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + includes: + additionalProperties: false type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: + properties: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to include. type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation for more - information) + maxItems: 100 + type: array + required: + - values + increase_accuracy: + description: When `true`, increases accuracy at the cost of performance. + type: boolean + label: + description: Label for the operation + type: string + limit: + default: 5 + description: Number of terms to return. + type: number + operation: + enum: + - terms + type: string + other_bucket: + additionalProperties: false type: object + properties: + include_documents_without_field: + description: When `true`, includes documents that do not have the specified field. 
+ type: boolean + required: + - include_documents_without_field + rank_by: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByAlphabetical' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByRare' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankBySignificant' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomCountOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileRankOperation' required: - - name - - package - - inputs - title: create_package_policy_request + - operation + - fields + title: Terms Operation type: object - Kibana_HTTP_APIs_create_package_policy_response: + Kibana_HTTP_APIs_treemapLegend: additionalProperties: false + description: Configuration for the treemap chart legend appearance and behavior properties: - item: - $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_response' - required: - - item - title: create_package_policy_response + nested: + description: Show nested legend with hierarchical breakdown levels + type: boolean + size: + $ref: '#/components/schemas/Kibana_HTTP_APIs_legendSize' + truncate_after_lines: + description: Number of lines before legend items are truncated. + maximum: 10 + minimum: 1 + title: legendTruncateAfterLines + type: number + visibility: + description: Legend visibility. 
+ enum: + - auto + - visible + - hidden + type: string + title: Legend type: object - Kibana_HTTP_APIs_delete_agent_policy_request: + Kibana_HTTP_APIs_treemapMetricCounterRate: additionalProperties: false properties: - agentPolicyId: - description: The ID of the agent policy + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric type: string - force: - description: bypass validation checks that can prevent agent policy deletion + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - counter_rate + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Counter Rate Operation + type: object + Kibana_HTTP_APIs_treemapMetricCountMetric: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string required: - - agentPolicyId - title: delete_agent_policy_request + - operation + title: Count Metric Operation type: object - Kibana_HTTP_APIs_delete_agent_policy_response: + Kibana_HTTP_APIs_treemapMetricCumulativeSum: additionalProperties: false properties: - id: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric type: string - name: + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - cumulative_sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting type: string required: - - id - - name - title: delete_agent_policy_response + - field + - operation + title: Cumulative Sum Operation type: object - Kibana_HTTP_APIs_delete_enrollment_api_key_response: + Kibana_HTTP_APIs_treemapMetricDifferences: additionalProperties: false properties: - action: + color: + anyOf: + - $ref: 
'#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: enum: - - deleted + - differences + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting type: string required: - - action - title: delete_enrollment_api_key_response + - operation + - of + title: Differences Operation type: object - Kibana_HTTP_APIs_delete_one_package_policy_response: + Kibana_HTTP_APIs_treemapMetricFormula: additionalProperties: false properties: - id: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + formula: + description: Formula + type: string + label: + description: Label for the operation + type: string + operation: + enum: + - formula + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + description: Time scale + enum: + - s + - m + - h + - d type: string required: - - id - title: delete_one_package_policy_response + - operation + - formula + title: Formula Operation type: object - Kibana_HTTP_APIs_delete_package_datastream_assets_response: + Kibana_HTTP_APIs_treemapMetricLastValue: additionalProperties: false properties: - success: + color: + anyOf: + - $ref: 
'#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + multi_value: + default: false + description: Whether to return all values for multi-value fields. Only affects data table and metric charts; other charts use the last value from the array. type: boolean + operation: + enum: + - last_value + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_field: + description: Time field used to determine document recency + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string required: - - success - title: delete_package_datastream_assets_response + - field + - operation + - time_field + title: Last Value Operation type: object - Kibana_HTTP_APIs_delete_package_policies_request: + Kibana_HTTP_APIs_treemapMetricMovingAverage: additionalProperties: false properties: - force: - type: boolean - packagePolicyIds: - items: - type: string - maxItems: 1000 - type: array + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - moving_average + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting 
+ type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + window: + default: 5 + description: Window + type: number required: - - packagePolicyIds - title: delete_package_policies_request + - operation + - of + title: Moving Average Operation + type: object + Kibana_HTTP_APIs_treemapMetricPercentile: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - percentile + type: string + percentile: + default: 95 + description: Percentile + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Percentile Operation type: object - Kibana_HTTP_APIs_delete_package_response: + Kibana_HTTP_APIs_treemapMetricPercentileRanks: additionalProperties: false properties: - items: - items: - anyOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_kibana_asset_reference' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_es_asset_reference' - maxItems: 10000 - type: array + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + filter: + $ref: 
'#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - percentile_rank + type: string + rank: + default: 0 + description: Percentile Rank + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string required: - - items - title: delete_package_response + - field + - operation + title: Percentile Ranks Operation type: object - Kibana_HTTP_APIs_deprecation_info: + Kibana_HTTP_APIs_treemapMetricStatsMetric: additionalProperties: false properties: - description: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric type: string - replaced_by: - additionalProperties: - type: string - type: object - since: + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - min + - max + - average + - median + - standard_deviation + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting type: string required: - - description - title: deprecation_info + - field + - operation + title: Stats Metric Operation type: object - x-oas-optional: true - Kibana_HTTP_APIs_dry_run_package_policies_request: + Kibana_HTTP_APIs_treemapMetricSumMetric: 
additionalProperties: false properties: - packagePolicyIds: - items: - type: string - maxItems: 1000 - type: array - packageVersion: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. + type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting type: string required: - - packagePolicyIds - title: dry_run_package_policies_request + - field + - operation + title: Sum Metric Operation type: object - Kibana_HTTP_APIs_dry_run_package_policy: - additionalProperties: true + Kibana_HTTP_APIs_treemapMetricUniqueCountMetric: + additionalProperties: false properties: - additional_datastreams_permissions: - description: >- - Additional datastream permissions, that will be added to the agent - policy. - items: - type: string - maxItems: 1000 - nullable: true - type: array - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. - nullable: true + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. - maxLength: 255 - minLength: 1 - nullable: true + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string - condition: - description: >- - **Experimental.** Agent condition expression to evaluate whether to - apply this integration to its inputs. + operation: + enum: + - unique_count type: string - created_at: + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting type: string - created_by: + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting type: string + required: + - field + - operation + title: Unique Count Metric Operation + type: object + Kibana_HTTP_APIs_treemapNoESQL: + additionalProperties: false + description: Treemap chart configuration schema for data source queries (non-ES|QL mode), defining metrics and breakdown dimensions + properties: + data_source: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' description: - description: Package policy description - type: string - elasticsearch: - additionalProperties: true - type: object - properties: - privileges: - additionalProperties: true - type: object - properties: - cluster: - items: - type: string - maxItems: 100 - type: array - enabled: - type: boolean - errors: - items: - additionalProperties: false - type: object - properties: - key: - type: string - message: - type: string - required: - - message - maxItems: 10 - type: array - force: - type: boolean - global_data_tags: - items: - additionalProperties: 
false - type: object - properties: - name: - description: The name of the custom field. Cannot contain spaces. - type: string - value: - anyOf: - - type: string - - type: number - description: The value of the custom field. - required: - - name - - value - maxItems: 100 - nullable: true - type: array - id: type: string - inputs: + drilldowns: items: - additionalProperties: false - type: object - properties: - compiled_input: - nullable: true - condition: - description: >- - **Experimental.** Agent condition expression to evaluate - whether to apply this input. - type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation for more - information) + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. 
+ type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown type: object - deprecated: - $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - condition: - description: >- - **Experimental.** Agent condition expression to evaluate - whether to apply this stream. - type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation for more - information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: >- - Variable group selections. Maps var_group name to the - selected option name within that group. 
- type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation for more - information) - type: object - required: - - enabled - - data_stream - - compiled_stream - - deprecated - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: >- - Variable group selections. Maps var_group name to the selected - option name within that group. + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation for more - information) + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. 
Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown type: object - required: - - type - - enabled - - streams - - deprecated - - compiled_input maxItems: 100 type: array - is_managed: - type: boolean - missingVars: + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + group_by: + description: Array of breakdown dimensions (minimum 1) items: - type: string + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapGroupByDateHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapGroupByTerms' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapGroupByHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapGroupByRanges' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapGroupByFilters' maxItems: 100 + minItems: 1 type: array - name: - description: Unique name for the package policy. - type: string - namespace: - description: >- - The package policy namespace. Leave blank to inherit the agent - policy's namespace. - type: string - output_id: - nullable: true - type: string - overrides: - additionalProperties: false - description: >- - Override settings that are defined in the package policy. The - override option should be used only in unusual circumstances and not - as a routine procedure. - nullable: true - type: object - properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_package' - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. 
- nullable: true - type: string - policy_ids: + hide_border: + type: boolean + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. + type: boolean + legend: + $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapLegend' + metrics: + description: Array of metric configurations (minimum 1) items: - description: >- - IDs of the agent policies which that package policy will be added - to. - type: string - maxItems: 1000 + anyOf: + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapMetricCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapMetricUniqueCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapMetricStatsMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapMetricSumMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapMetricLastValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapMetricPercentile' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapMetricPercentileRanks' + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapMetricDifferences' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapMetricMovingAverage' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapMetricCumulativeSum' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapMetricCounterRate' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapMetricFormula' + maxItems: 100 + minItems: 1 type: array - revision: - type: number - secret_references: + query: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + references: items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 1000 + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' type: array - supports_agentless: - default: false - description: >- - Indicates whether the package policy belongs to an 
agentless agent - policy. - nullable: true - type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. - nullable: true - type: boolean - updated_at: - type: string - updated_by: + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). + maximum: 1 + minimum: 0 + type: number + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapStyling' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: type: string - var_group_selections: - additionalProperties: - type: string - description: >- - Variable group selections. Maps var_group name to the selected - option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation for more - information) - type: object - version: - description: Package policy ES version. + type: + enum: + - treemap type: string required: - - name - - enabled - - package - - inputs - title: dry_run_package_policy + - type + - data_source + - metrics + title: Treemap Chart (DSL) type: object - Kibana_HTTP_APIs_enrollment_api_key: + Kibana_HTTP_APIs_treemapStyling: additionalProperties: false + description: Visual chart styling options properties: - active: - description: >- - When false, the enrollment API key is revoked and cannot be used for - enrolling Elastic Agents. 
+ labels: + additionalProperties: false + description: Labels configuration + type: object + properties: + visible: + description: Show category labels + type: boolean + values: + $ref: '#/components/schemas/Kibana_HTTP_APIs_valueDisplay' + title: Treemap styling + type: object + Kibana_HTTP_APIs_unassignedColorSchema: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorFromPalette' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_color_code' + description: The color to use for unassigned values. + title: unassignedColorSchema + Kibana_HTTP_APIs_uniqueCountMetricOperation: + additionalProperties: false + properties: + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. type: boolean - api_key: - description: The enrollment API key (token) used for enrolling Elastic Agents. - type: string - api_key_id: - description: The ID of the API key in the Security API. + field: + description: Field to be used for the metric type: string - created_at: + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string - hidden: - type: boolean - id: + operation: + enum: + - unique_count type: string - name: - description: The name of the enrollment API key. + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting type: string - policy_id: - description: The ID of the agent policy the Elastic Agent will be enrolled in. 
+ time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting type: string required: - - id - - api_key_id - - api_key - - active - - created_at - title: enrollment_api_key + - field + - operation + title: Unique Count Metric Operation type: object - Kibana_HTTP_APIs_enrollment_api_key_response: + Kibana_HTTP_APIs_update_output_elasticsearch: additionalProperties: false properties: - action: - enum: - - created + allow_edit: + items: + type: string + maxItems: 1000 + type: array + ca_sha256: + nullable: true + type: string + ca_trusted_fingerprint: + nullable: true + type: string + config_yaml: + nullable: true + type: string + hosts: + items: + format: uri + type: string + maxItems: 10 + minItems: 1 + type: array + id: + type: string + is_default: + type: boolean + is_default_monitoring: + type: boolean + is_internal: + type: boolean + is_preconfigured: + type: boolean + name: type: string - item: - $ref: '#/components/schemas/Kibana_HTTP_APIs_enrollment_api_key' - required: - - item - - action - title: enrollment_api_key_response - type: object - Kibana_HTTP_APIs_es_asset_reference: - additionalProperties: false - properties: - deferred: + otel_disable_beatsauth: + nullable: true type: boolean - id: + otel_exporter_config_yaml: + nullable: true type: string - type: + preset: enum: - - index - - index_template - - component_template - - ingest_pipeline - - ilm_policy - - data_stream_ilm_policy - - transform - - ml_model - - knowledge_base - - esql_view + - balanced + - custom + - throughput + - scale + - latency type: string - version: + proxy_id: + nullable: true type: string - required: - - id - - type - title: es_asset_reference - type: object - Kibana_HTTP_APIs_full_agent_policy: - additionalProperties: false - properties: - agent: + secrets: additionalProperties: false type: object properties: - download: - additionalProperties: false - type: object - 
properties: - auth: - additionalProperties: false - type: object - properties: - api_key: - type: string - headers: - items: - additionalProperties: false - type: object - properties: - key: - type: string - value: - type: string - required: - - key - - value - maxItems: 100 - type: array - password: - type: string - username: - type: string - proxy_headers: - additionalProperties: - anyOf: - - type: string - - type: boolean - - type: number - nullable: true - type: object - proxy_url: - type: string - secrets: - additionalProperties: true - type: object - properties: - ssl: - additionalProperties: true - type: object - properties: - key: - additionalProperties: true - type: object - properties: - id: - type: string - required: - - key - sourceURI: - type: string - ssl: - additionalProperties: false - type: object - properties: - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - key: - type: string - renegotiation: - type: string - verification_mode: - type: string - target_directory: - type: string - timeout: - type: string - required: - - sourceURI - features: - additionalProperties: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - required: - - enabled - type: object - internal: - nullable: true - limits: - additionalProperties: false - type: object - properties: - go_max_procs: - type: number - logging: - additionalProperties: false - type: object - properties: - files: - additionalProperties: false - type: object - properties: - interval: - type: string - keepfiles: - type: number - rotateeverybytes: - type: number - level: - type: string - metrics: - additionalProperties: false - type: object - properties: - period: - type: string - to_files: - type: boolean - monitoring: + ssl: additionalProperties: false type: object properties: - _runtime_experimental: - type: string - apm: - nullable: true - diagnostics: - additionalProperties: false - type: object - 
properties: - limit: - additionalProperties: false - type: object - properties: - burst: - type: number - interval: - type: string - uploader: - additionalProperties: false + key: + anyOf: + - additionalProperties: false type: object properties: - init_dur: + hash: type: string - max_dur: + id: type: string - max_retries: - type: number - enabled: - type: boolean - http: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - host: - type: string - port: - type: number - logs: - type: boolean - metrics: - type: boolean - namespace: - type: string - pprof: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - required: - - enabled - traces: - type: boolean - use_output: - type: string - required: - - enabled - - metrics - - logs - - traces - - apm - protection: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - signing_key: - type: string - uninstall_token_hash: - type: string - required: - - enabled - - uninstall_token_hash - - signing_key - required: - - monitoring - - download - - features - - internal - connectors: - additionalProperties: - nullable: true - type: object - exporters: - additionalProperties: - nullable: true - type: object - extensions: - additionalProperties: - nullable: true - type: object - fleet: - anyOf: - - additionalProperties: false - type: object - properties: - hosts: - items: - type: string - maxItems: 100 - type: array - proxy_headers: - additionalProperties: - anyOf: - - type: string - - type: boolean - - type: number - nullable: true - type: object - proxy_url: - type: string - secrets: - additionalProperties: true - type: object - properties: - ssl: - additionalProperties: true - type: object - properties: - key: - additionalProperties: true - type: object - properties: - id: - type: string required: - - key - ssl: - additionalProperties: false - type: object - properties: - certificate: - type: string - certificate_authorities: - 
items: - type: string - maxItems: 10 - type: array - key: - type: string - renegotiation: - type: string - verification_mode: - type: string - required: - - hosts - - additionalProperties: false - type: object - properties: - kibana: - additionalProperties: false - type: object - properties: - hosts: - items: - type: string - maxItems: 100 - type: array - path: - type: string - protocol: - type: string - required: - - hosts - - protocol - required: - - kibana - id: + - id + - type: string + shipper: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' + nullable: true + ssl: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + nullable: true + type: + enum: + - elasticsearch type: string - inputs: - items: - additionalProperties: true - type: object - properties: - data_stream: - additionalProperties: true - type: object - properties: - namespace: - type: string - required: - - namespace - id: - type: string - meta: - additionalProperties: true - type: object - properties: - package: - additionalProperties: true - type: object - properties: - name: - type: string - version: - type: string - required: - - name - - version - name: - type: string - package_policy_id: - type: string - processors: - items: - additionalProperties: true - type: object - properties: - add_fields: - additionalProperties: true - type: object - properties: - fields: - additionalProperties: - anyOf: - - type: string - - type: number - type: object - target: - type: string - required: - - target - - fields - required: - - add_fields - maxItems: 10000 - type: array - revision: - type: number - streams: - items: - additionalProperties: true - type: object - properties: - data_stream: - additionalProperties: true - type: object - properties: - dataset: - type: string - type: - type: string - required: - - dataset - id: - type: string - required: - - id - - data_stream - maxItems: 10000 - type: array - type: - type: string - use_output: - type: string - 
required: - - id - - name - - revision - - type - - data_stream - - use_output - - package_policy_id - maxItems: 10000 - type: array - namespaces: + write_to_logs_streams: + nullable: true + type: boolean + title: update_output_elasticsearch + type: object + Kibana_HTTP_APIs_update_output_kafka: + additionalProperties: false + properties: + allow_edit: items: type: string - maxItems: 100 + maxItems: 1000 type: array - output_permissions: - additionalProperties: - additionalProperties: - nullable: true - type: object - type: object - outputs: - additionalProperties: - additionalProperties: true - type: object - properties: - ca_sha256: - nullable: true - type: string - hosts: - items: - type: string - maxItems: 100 - type: array - proxy_headers: - additionalProperties: - anyOf: - - type: string - - type: boolean - - type: number - nullable: true - type: object - proxy_url: - type: string - type: - type: string - required: - - type - type: object - processors: - additionalProperties: - nullable: true - type: object - receivers: - additionalProperties: - nullable: true - type: object - revision: + auth_type: + enum: + - none + - user_pass + - ssl + - kerberos + type: string + broker_timeout: type: number - secret_references: + ca_sha256: + nullable: true + type: string + ca_trusted_fingerprint: + nullable: true + type: string + client_id: + type: string + compression: + enum: + - gzip + - snappy + - lz4 + - none + type: string + compression_level: + nullable: true + type: number + config_yaml: + nullable: true + type: string + connection_type: + enum: + - plaintext + - encryption + type: string + hash: + additionalProperties: false + type: object + properties: + hash: + type: string + random: + type: boolean + headers: items: additionalProperties: false type: object properties: - id: + key: + type: string + value: type: string required: - - id - maxItems: 10000 + - key + - value + maxItems: 100 type: array - service: + hosts: + items: + type: string + maxItems: 10 + 
minItems: 1 + type: array + id: + type: string + is_default: + default: false + type: boolean + is_default_monitoring: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + type: boolean + key: + type: string + name: + type: string + otel_disable_beatsauth: + nullable: true + type: boolean + otel_exporter_config_yaml: + nullable: true + type: string + partition: + enum: + - random + - round_robin + - hash + type: string + password: + nullable: true + type: string + proxy_id: + nullable: true + type: string + random: additionalProperties: false type: object properties: - extensions: - items: - type: string - maxItems: 1000 - type: array - pipelines: - additionalProperties: - additionalProperties: false - type: object - properties: - exporters: - items: - type: string - maxItems: 1000 - type: array - processors: - items: - type: string - maxItems: 1000 - type: array - receivers: - items: - type: string - maxItems: 1000 - type: array - x-oas-optional: true - type: object - signed: + group_events: + type: number + required_acks: + enum: + - 1 + - 0 + - -1 + type: integer + round_robin: additionalProperties: false type: object properties: - data: - type: string - signature: - type: string - required: - - data - - signature - required: - - id - - outputs - - inputs - title: full_agent_policy - type: object - Kibana_HTTP_APIs_get_agent_policy_outputs_response: - additionalProperties: false - properties: - item: + group_events: + type: number + sasl: additionalProperties: false + nullable: true type: object properties: - agentPolicyId: + mechanism: + enum: + - PLAIN + - SCRAM-SHA-256 + - SCRAM-SHA-512 type: string - data: - additionalProperties: false - type: object - properties: - integrations: - items: - additionalProperties: false - type: object - properties: - id: - type: string - integrationPolicyName: - type: string - name: - type: string - pkgName: - type: string - maxItems: 1000 - type: array - output: - additionalProperties: false + 
secrets: + additionalProperties: false + type: object + properties: + password: + anyOf: + - additionalProperties: false type: object properties: - id: + hash: type: string - name: + id: type: string required: - id - - name - required: - - output - monitoring: + - type: string + ssl: additionalProperties: false type: object properties: - output: - additionalProperties: false - type: object - properties: - id: - type: string - name: - type: string - required: - - id - - name + key: + anyOf: + - additionalProperties: false + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string required: - - output - required: - - monitoring - - data - required: - - item - title: get_agent_policy_outputs_response - type: object - Kibana_HTTP_APIs_get_agent_policy_response: - additionalProperties: false - properties: - item: - $ref: '#/components/schemas/Kibana_HTTP_APIs_agent_policy_response' + - key + shipper: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' + nullable: true + ssl: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + nullable: true + timeout: + type: number + topic: + type: string + type: + enum: + - kafka + type: string + username: + nullable: true + type: string + version: + type: string required: - - item - title: get_agent_policy_response + - name + title: update_output_kafka type: object - Kibana_HTTP_APIs_get_bulk_assets_request: + Kibana_HTTP_APIs_update_output_logstash: additionalProperties: false properties: - assetIds: + allow_edit: items: - additionalProperties: false - type: object - properties: - id: - type: string - type: - type: string - required: - - id - - type - maxItems: 10000 + type: string + maxItems: 1000 type: array - required: - - assetIds - title: get_bulk_assets_request - type: object - Kibana_HTTP_APIs_get_bulk_assets_response: - additionalProperties: false - properties: - items: + ca_sha256: + nullable: true + type: string + 
ca_trusted_fingerprint: + nullable: true + type: string + config_yaml: + nullable: true + type: string + hosts: items: - additionalProperties: false - type: object - properties: - appLink: - type: string - attributes: - additionalProperties: false - type: object - properties: - description: - type: string - service: - type: string - title: - type: string - id: - type: string - type: - type: string - updatedAt: - type: string - required: - - id - - type - - attributes - maxItems: 10000 + type: string + maxItems: 10 + minItems: 1 type: array - required: - - items - title: get_bulk_assets_response + id: + type: string + is_default: + type: boolean + is_default_monitoring: + type: boolean + is_internal: + type: boolean + is_preconfigured: + type: boolean + name: + type: string + otel_disable_beatsauth: + nullable: true + type: boolean + otel_exporter_config_yaml: + nullable: true + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + ssl: + additionalProperties: false + type: object + properties: + key: + anyOf: + - additionalProperties: false + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + shipper: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' + nullable: true + ssl: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + nullable: true + type: + enum: + - logstash + type: string + title: update_output_logstash type: object - Kibana_HTTP_APIs_get_categories_response: + Kibana_HTTP_APIs_update_output_remote_elasticsearch: additionalProperties: false properties: - items: + allow_edit: items: - $ref: '#/components/schemas/Kibana_HTTP_APIs_category_summary_item' - maxItems: 10000 + type: string + maxItems: 1000 type: array - required: - - items - title: get_categories_response + ca_sha256: + nullable: true + type: string + ca_trusted_fingerprint: + nullable: true + type: string + config_yaml: 
+ nullable: true + type: string + hosts: + items: + format: uri + type: string + maxItems: 10 + minItems: 1 + type: array + id: + type: string + is_default: + type: boolean + is_default_monitoring: + type: boolean + is_internal: + type: boolean + is_preconfigured: + type: boolean + kibana_api_key: + nullable: true + type: string + kibana_url: + nullable: true + type: string + name: + type: string + otel_disable_beatsauth: + nullable: true + type: boolean + otel_exporter_config_yaml: + nullable: true + type: string + preset: + enum: + - balanced + - custom + - throughput + - scale + - latency + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + service_token: + anyOf: + - additionalProperties: false + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + key: + anyOf: + - additionalProperties: false + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + service_token: + nullable: true + type: string + shipper: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' + nullable: true + ssl: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + nullable: true + sync_integrations: + type: boolean + sync_uninstalled_integrations: + type: boolean + type: + enum: + - remote_elasticsearch + type: string + write_to_logs_streams: + nullable: true + type: boolean + title: update_output_remote_elasticsearch type: object - Kibana_HTTP_APIs_get_data_streams_response: + Kibana_HTTP_APIs_update_package_policy_request: additionalProperties: false properties: - items: + additional_datastreams_permissions: + description: Additional data stream permissions that will be added to the agent policy. 
+ items: + type: string + maxItems: 1000 + nullable: true + type: array + cloud_connector_id: + description: ID of the cloud connector associated with this package policy. + nullable: true + type: string + cloud_connector_name: + description: Transient field for cloud connector name during creation. + maxLength: 255 + minLength: 1 + nullable: true + type: string + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this integration to its inputs.' + type: string + description: + description: Package policy description + type: string + enabled: + type: boolean + force: + type: boolean + global_data_tags: items: additionalProperties: false type: object properties: name: + description: The name of the custom field. Cannot contain spaces. type: string + value: + anyOf: + - type: string + - type: number + description: The value of the custom field. required: - name - maxItems: 10000 + - value + maxItems: 100 + nullable: true type: array - required: - - items - title: get_data_streams_response - type: object - Kibana_HTTP_APIs_get_dependencies_response: - additionalProperties: false - properties: - items: + inputs: items: additionalProperties: false type: object properties: - name: + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' 
type: string - title: + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + type: boolean + id: type: string - version: + keep_enabled: + type: boolean + migrate_from: type: string - required: - - name - - version - - title - maxItems: 1000 - type: array - required: - - items - title: get_dependencies_response - type: object - Kibana_HTTP_APIs_get_full_agent_policy_response: - additionalProperties: false - properties: - item: - anyOf: - - type: string - - $ref: '#/components/schemas/Kibana_HTTP_APIs_full_agent_policy' - required: - - item - title: get_full_agent_policy_response - type: object - Kibana_HTTP_APIs_get_info_response: - additionalProperties: false - properties: - item: - $ref: '#/components/schemas/Kibana_HTTP_APIs_get_package_info' - metadata: - $ref: '#/components/schemas/Kibana_HTTP_APIs_package_metadata' - required: - - item - - metadata - title: get_info_response - type: object - Kibana_HTTP_APIs_get_inputs_response: - additionalProperties: false - properties: - connectors: - additionalProperties: - nullable: true - type: object - exporters: - additionalProperties: - nullable: true - type: object - extensions: - additionalProperties: - nullable: true - type: object - inputs: - items: - additionalProperties: false - type: object - properties: - id: + name: + type: string + policy_template: type: string streams: items: - additionalProperties: true + additionalProperties: false type: object properties: + compiled_stream: + nullable: true + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' 
+ type: string + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object data_stream: - additionalProperties: true + additionalProperties: false type: object properties: dataset: type: string + elasticsearch: + additionalProperties: false + type: object + properties: + dynamic_dataset: + type: boolean + dynamic_namespace: + type: boolean + privileges: + additionalProperties: false + type: object + properties: + indices: + items: + type: string + maxItems: 100 + type: array type: type: string required: - dataset + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + type: boolean id: type: string + keep_enabled: + type: boolean + migrate_from: + type: string + release: + enum: + - ga + - beta + - experimental + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object required: - - id + - enabled - data_stream - maxItems: 10000 + - compiled_stream + maxItems: 1000 type: array type: type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. 
+ type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object required: - - id - type - maxItems: 10000 + - enabled + maxItems: 1000 type: array - processors: - additionalProperties: - nullable: true - type: object - receivers: - additionalProperties: - nullable: true - type: object - service: + is_managed: + type: boolean + name: + type: string + namespace: + description: The package policy namespace. Leave blank to inherit the agent policy's namespace. + type: string + output_id: + nullable: true + type: string + overrides: additionalProperties: false + description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. + nullable: true type: object properties: - extensions: - items: - type: string - maxItems: 1000 - type: array - pipelines: + inputs: additionalProperties: - additionalProperties: false - type: object - properties: - exporters: - items: - type: string - maxItems: 1000 - type: array - processors: - items: - type: string - maxItems: 1000 - type: array - receivers: - items: - type: string - maxItems: 1000 - type: array - x-oas-optional: true + nullable: true type: object - required: - - inputs - title: get_inputs_response - type: object - Kibana_HTTP_APIs_get_installed_packages_response: - additionalProperties: false - properties: - items: - items: - $ref: '#/components/schemas/Kibana_HTTP_APIs_installed_package' - maxItems: 10000 - type: array - searchAfter: - items: - anyOf: - - type: string - - type: number - - type: boolean - - nullable: true - nullable: true - maxItems: 2 - type: array - total: - type: number - required: - - items - - total - title: get_installed_packages_response - type: object - 
Kibana_HTTP_APIs_get_k8s_manifest_response: - additionalProperties: false - properties: - item: + package: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_package' + package_agent_version_condition: type: string - required: - - item - title: get_k8s_manifest_response - type: object - Kibana_HTTP_APIs_get_limited_packages_response: - additionalProperties: false - properties: - items: - items: - type: string - maxItems: 10000 - type: array - required: - - items - title: get_limited_packages_response - type: object - Kibana_HTTP_APIs_get_list_agent_policy_outputs_request: - additionalProperties: false - properties: - ids: - description: list of package policy ids + policy_id: + deprecated: true + description: ID of the agent policy which the package policy will be added to. + nullable: true + type: string + policy_ids: items: + description: IDs of the agent policies that the package policy will be added to. type: string maxItems: 1000 type: array - required: - - ids - title: get_list_agent_policy_outputs_request - type: object - Kibana_HTTP_APIs_get_list_agent_policy_outputs_response: - additionalProperties: false - properties: - items: + spaceIds: items: - additionalProperties: false - type: object - properties: - agentPolicyId: - type: string - data: - additionalProperties: false - type: object - properties: - integrations: - items: - additionalProperties: false - type: object - properties: - id: - type: string - integrationPolicyName: - type: string - name: - type: string - pkgName: - type: string - maxItems: 1000 - type: array - output: - additionalProperties: false - type: object - properties: - id: - type: string - name: - type: string - required: - - id - - name - required: - - output - monitoring: - additionalProperties: false - type: object - properties: - output: - additionalProperties: false - type: object - properties: - id: - type: string - name: - type: string - required: - - id - - name - required: - - output - required: - - monitoring - - 
data - maxItems: 10000 + type: string + maxItems: 100 type: array - required: - - items - title: get_list_agent_policy_outputs_response - type: object - Kibana_HTTP_APIs_get_one_bulk_operation_packages_response: - additionalProperties: false - properties: - error: - additionalProperties: false + supports_agentless: + default: false + description: Indicates whether the package policy belongs to an agentless agent policy. + nullable: true + type: boolean + supports_cloud_connector: + default: false + description: Indicates whether the package policy supports cloud connectors. + nullable: true + type: boolean + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. type: object - properties: - message: - type: string - required: - - message - results: - items: + vars: + additionalProperties: additionalProperties: false type: object properties: - error: - additionalProperties: false - type: object - properties: - message: - type: string - required: - - message - name: - type: string - success: + frozen: type: boolean + type: + type: string + value: + nullable: true required: - - name - - success - maxItems: 10000 - type: array - status: + - value + description: Package variable (see integration documentation for more information) + type: object + version: type: string - required: - - status - title: get_one_bulk_operation_packages_response + title: update_package_policy_request type: object - Kibana_HTTP_APIs_get_package_info: - additionalProperties: true + Kibana_HTTP_APIs_update_package_request: + additionalProperties: false properties: - agent: - additionalProperties: false - type: object - properties: - privileges: - additionalProperties: false - type: object - properties: - root: - type: boolean - asset_tags: - items: - additionalProperties: false - type: object - properties: - asset_ids: - items: - type: string - maxItems: 1000 - type: array - 
asset_types: - items: - type: string - maxItems: 100 - type: array - text: - type: string - required: - - text - maxItems: 1000 - type: array - assets: - additionalProperties: - nullable: true - type: object - categories: + keepPoliciesUpToDate: + type: boolean + namespace_customization_enabled_for: + description: Namespaces for which namespace-level customization is enabled on this package. items: type: string - maxItems: 100 - type: array - conditions: - additionalProperties: true - type: object - properties: - deprecated: - $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' - elastic: - additionalProperties: true - type: object - properties: - capabilities: - items: - type: string - maxItems: 10 - type: array - subscription: - type: string - kibana: - additionalProperties: true - type: object - properties: - version: - type: string - required: - - deprecated - data_streams: + maxItems: 100 + type: array + title: update_package_request + type: object + Kibana_HTTP_APIs_update_package_response: + additionalProperties: false + properties: + item: + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_package_info' + required: + - item + title: update_package_response + type: object + Kibana_HTTP_APIs_update_rule: + additionalProperties: false + properties: + actions: + default: [] items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 + $ref: '#/components/schemas/Kibana_HTTP_APIs_update_rule_action' type: array - deprecated: - $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' - description: - type: string - discovery: - additionalProperties: true + alert_delay: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_alert_delay' + artifacts: + additionalProperties: false type: object properties: - datasets: - items: - additionalProperties: true - type: object - properties: - name: - type: string - required: - - name - maxItems: 100 - type: array - fields: + dashboards: items: - additionalProperties: true + 
additionalProperties: false type: object properties: - name: + id: type: string required: - - name - maxItems: 100 + - id + maxItems: 10 type: array - download: - type: string - elasticsearch: - additionalProperties: - nullable: true - type: object - format_version: - type: string - icons: - items: - $ref: '#/components/schemas/Kibana_HTTP_APIs_package_icon' - maxItems: 100 - type: array - installationInfo: - $ref: '#/components/schemas/Kibana_HTTP_APIs_installation_info' - internal: - type: boolean - keepPoliciesUpToDate: - type: boolean - latestVersion: - type: string - license: - type: string - licensePath: - type: string + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. type: string - notice: - type: string - owner: - additionalProperties: true - type: object - properties: - github: - type: string - type: - enum: - - elastic - - partner - - community - type: string - path: - type: string - policy_templates: - items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 - type: array - readme: - type: string - release: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - - ga - - beta - - experimental - type: string - screenshots: - items: - $ref: '#/components/schemas/Kibana_HTTP_APIs_package_icon' - maxItems: 100 - type: array - signature_path: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true type: string - source: - additionalProperties: true + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the rule. + type: object + schedule: + additionalProperties: false type: object properties: - license: + interval: + description: The interval is specified in seconds, minutes, hours, or days. type: string required: - - license - status: - type: string - title: - type: string - type: - anyOf: - - enum: - - integration - type: string - - enum: - - input - type: string - - enum: - - content - type: string - - type: string - var_groups: - items: - additionalProperties: true - type: object - properties: - description: - type: string - name: - type: string - options: - items: - additionalProperties: true - type: object - properties: - description: - type: string - hide_in_deployment_modes: - items: - enum: - - default - - agentless - type: string - maxItems: 2 - type: array - name: - type: string - title: - type: string - vars: - items: - type: string - maxItems: 100 - type: array - required: - - name - - title - - vars - maxItems: 100 - type: array - selector_title: - type: string - title: - type: string - required: - - name - - title - - selector_title - - options - maxItems: 100 - type: array - vars: + - interval + tags: + default: [] items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 + description: The tags for the rule. + type: string type: array - version: + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. 
The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true type: string required: - - installationInfo - name - - version - - title - - deprecated - - assets - title: get_package_info + - schedule + title: update_rule type: object - Kibana_HTTP_APIs_get_packages_response: + Kibana_HTTP_APIs_update_rule_action: additionalProperties: false + description: An action that runs under defined conditions. properties: - items: - items: - $ref: '#/components/schemas/Kibana_HTTP_APIs_package_list_item' - maxItems: 10000 - type: array + alerts_filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_update_rule_action_alerts_filter' + frequency: + $ref: '#/components/schemas/Kibana_HTTP_APIs_update_rule_action_frequency' + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. 
+ type: string required: - - items - title: get_packages_response + - id + title: update_rule_action type: object - Kibana_HTTP_APIs_get_stats_response: + Kibana_HTTP_APIs_update_rule_action_alerts_filter: additionalProperties: false properties: - response: + query: + $ref: '#/components/schemas/Kibana_HTTP_APIs_alerts_filter_query' + timeframe: additionalProperties: false + description: Defines a period that limits whether the action runs. type: object properties: - agent_policy_count: - type: number - package_policy_count: - type: number + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. + type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). + type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string required: - - agent_policy_count - - package_policy_count - required: - - response - title: get_stats_response + - days + - hours + - timezone + title: update_rule_action_alerts_filter type: object - Kibana_HTTP_APIs_get_verification_key_id_response: + Kibana_HTTP_APIs_update_rule_action_frequency: additionalProperties: false properties: - id: + notify_when: + description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - - id - title: get_verification_key_id_response + - summary + - notify_when + - throttle + title: update_rule_action_frequency type: object - Kibana_HTTP_APIs_install_kibana_assets_request: + Kibana_HTTP_APIs_upgrade_package_policies_request: additionalProperties: false properties: - force: - type: boolean - space_ids: - description: >- - When provided install assets in the specified spaces instead of the - current space. 
+ packagePolicyIds: items: type: string - maxItems: 100 - minItems: 1 + maxItems: 1000 type: array - title: install_kibana_assets_request + required: + - packagePolicyIds + title: upgrade_package_policies_request type: object - Kibana_HTTP_APIs_install_kibana_assets_response: + Kibana_HTTP_APIs_valueDisplay: additionalProperties: false + description: Configure the visibility and the format of the values rendered on each chart partition section properties: - success: + mode: + description: How to format values when visible. + enum: + - absolute + - percentage + type: string + percent_decimals: + description: Decimal places for percentage display (0-10) + maximum: 10 + minimum: 0 + type: number + visible: + description: Show metric values on the chart + type: boolean + title: valueDisplay + type: object + Kibana_HTTP_APIs_vis_api_direction: + description: Sort direction. + enum: + - asc + - desc + title: vis_api_direction + type: string + Kibana_HTTP_APIs_vis_api_domain_custom: + additionalProperties: false + description: Uses explicitly provided domain bounds (min and max). + properties: + max: + description: Max domain value + type: number + min: + description: Min domain value + type: number + rounding: + description: Whether to round axis domain bounds outward to readable “nice” values (for example 1, 5, 10, 100) instead of exact data min/max. + title: vis_api_domain_rounding type: boolean + type: + enum: + - custom + type: string required: - - success - title: install_kibana_assets_response + - type + - min + - max + title: vis_api_domain_custom type: object - Kibana_HTTP_APIs_install_package_from_registry_request: + Kibana_HTTP_APIs_vis_api_domain_fit: additionalProperties: false + description: Uses tight domain bounds from the observed data minimum to maximum, without baseline expansion. 
properties: - force: - default: false + rounding: + description: Whether to round axis domain bounds outward to readable “nice” values (for example 1, 5, 10, 100) instead of exact data min/max. + title: vis_api_domain_rounding type: boolean - ignore_constraints: - default: false + type: + enum: + - fit + type: string + required: + - type + title: vis_api_domain_fit + type: object + Kibana_HTTP_APIs_vis_api_domain_full: + additionalProperties: false + description: Uses the full chart domain, including baseline expansion when applicable (for example, includes zero for bar-like series). + properties: + rounding: + description: Whether to round axis domain bounds outward to readable “nice” values (for example 1, 5, 10, 100) instead of exact data min/max. + title: vis_api_domain_rounding type: boolean - title: install_package_from_registry_request + type: + enum: + - full + type: string + required: + - type + title: vis_api_domain_full type: object - Kibana_HTTP_APIs_install_package_response: + Kibana_HTTP_APIs_vis_api_orientation: + description: Orientation of the tagcloud. + enum: + - horizontal + - vertical + - angled + title: vis_api_orientation + type: string + Kibana_HTTP_APIs_vis_api_simple_orientation: + default: horizontal + description: Orientation + enum: + - horizontal + - vertical + title: vis_api_simple_orientation + type: string + Kibana_HTTP_APIs_vis_api_xy_axis_config: additionalProperties: false + description: Axis configuration for X, Y, and Y2 axes. The Y axis is on the start (leading) side, the Y2 axis is on the end (trailing) side. 
properties: - _meta: + x: additionalProperties: false + description: X-axis configuration type: object properties: - install_source: + domain: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_domain_fit' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_domain_custom' + description: X-axis domain configuration + grid: + additionalProperties: false + description: Axis grid lines configuration + type: object + properties: + visible: + description: Show grid lines for this axis + type: boolean + required: + - visible + labels: + additionalProperties: false + description: Label configuration + type: object + properties: + orientation: + $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_orientation' + scale: + description: X-axis scale type. Use 'temporal' for timestamp/date fields (for example, @timestamp or DATE_TRUNC results). Use 'ordinal' for categorical/text fields. Use 'linear' for numeric fields. + enum: + - ordinal + - temporal + - linear type: string - name: + ticks: + additionalProperties: false + description: Axis tick marks configuration + type: object + properties: + visible: + description: Show tick marks on the axis + type: boolean + required: + - visible + title: + additionalProperties: false + description: Axis title configuration + type: object + properties: + text: + description: Axis title text. + type: string + visible: + description: When `true`, displays the title. + type: boolean + 'y': + additionalProperties: false + description: 'Y-axis configuration with scale and bounds. The axis position is determined by the key: y renders on the start side (left in vertical charts), y2 on the end side (right in vertical charts).' 
+ type: object + properties: + domain: + description: Y-axis domain configuration + discriminator: + mapping: + custom: '#/components/schemas/Kibana_HTTP_APIs_vis_api_domain_custom' + fit: '#/components/schemas/Kibana_HTTP_APIs_vis_api_domain_fit' + full: '#/components/schemas/Kibana_HTTP_APIs_vis_api_domain_full' + propertyName: type + oneOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_domain_full' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_domain_fit' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_domain_custom' + grid: + additionalProperties: false + description: Axis grid lines configuration + type: object + properties: + visible: + description: Show grid lines for this axis + type: boolean + required: + - visible + labels: + additionalProperties: false + description: Label configuration + type: object + properties: + orientation: + $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_orientation' + scale: + description: Y-axis scale type for data transformation + enum: + - linear + - log + - sqrt + type: string + ticks: + additionalProperties: false + description: Axis tick marks configuration + type: object + properties: + visible: + description: Show tick marks on the axis + type: boolean + required: + - visible + title: + additionalProperties: false + description: Axis title configuration + type: object + properties: + text: + description: Axis title text. + type: string + visible: + description: When `true`, displays the title. + type: boolean + required: + - domain + y2: + additionalProperties: false + description: 'Y-axis configuration with scale and bounds. The axis position is determined by the key: y renders on the start side (left in vertical charts), y2 on the end side (right in vertical charts).' 
+ type: object + properties: + domain: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_domain_full' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_domain_fit' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_domain_custom' + description: Y-axis domain configuration + grid: + additionalProperties: false + description: Axis grid lines configuration + type: object + properties: + visible: + description: Show grid lines for this axis + type: boolean + required: + - visible + labels: + additionalProperties: false + description: Label configuration + type: object + properties: + orientation: + $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_orientation' + scale: + description: Y-axis scale type for data transformation + enum: + - linear + - log + - sqrt type: string + ticks: + additionalProperties: false + description: Axis tick marks configuration + type: object + properties: + visible: + description: Show tick marks on the axis + type: boolean + required: + - visible + title: + additionalProperties: false + description: Axis title configuration + type: object + properties: + text: + description: Axis title text. + type: string + visible: + description: When `true`, displays the title. 
+ type: boolean required: - - install_source - - name - items: - items: - anyOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_kibana_asset_reference' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_es_asset_reference' - maxItems: 10000 - type: array - required: - - items - - _meta - title: install_package_response + - domain + title: Axis type: object - Kibana_HTTP_APIs_install_rule_assets_request: + Kibana_HTTP_APIs_waffleESQL: additionalProperties: false + description: Waffle chart configuration for ES|QL queries properties: - force: - type: boolean - title: install_rule_assets_request - type: object - Kibana_HTTP_APIs_installation_info: - additionalProperties: true - properties: - additional_spaces_installed_kibana: - additionalProperties: - items: - $ref: '#/components/schemas/Kibana_HTTP_APIs_kibana_asset_reference' - maxItems: 100 - type: array - type: object - created_at: + data_source: + $ref: '#/components/schemas/Kibana_HTTP_APIs_esqlDataSource' + description: type: string - experimental_data_stream_features: + drilldowns: items: - additionalProperties: true - type: object - properties: - data_stream: - type: string - features: - additionalProperties: true - type: object + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true properties: - doc_value_only_numeric: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. type: boolean - doc_value_only_other: + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. type: boolean - synthetic_source: + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. 
type: boolean - tsdb: + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - install_format_schema_version: - type: string - install_source: - enum: - - registry - - upload - - bundled - - custom - type: string - install_status: - enum: - - installed - - installing - - install_failed - type: string - installed_es: - items: - $ref: '#/components/schemas/Kibana_HTTP_APIs_es_asset_reference' - maxItems: 10000 + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. 
Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 type: array - installed_kibana: + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + group_by: + description: Array of ES|QL breakdown columns (minimum 1) items: - $ref: '#/components/schemas/Kibana_HTTP_APIs_kibana_asset_reference' - maxItems: 10000 + additionalProperties: false + type: object + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + column: + description: Column to use + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + required: + - column + maxItems: 100 + minItems: 1 type: array - installed_kibana_space_id: - type: string - is_rollback_ttl_expired: + hide_border: type: boolean - latest_executed_state: - additionalProperties: true - type: object - properties: - error: - type: string - name: - type: string - started_at: - type: string - latest_install_failed_attempts: + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. 
+ type: boolean + legend: + $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleLegend' + metrics: + description: Array of metric configurations (minimum 1) items: - additionalProperties: true + additionalProperties: false type: object properties: - created_at: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + column: + description: Column to use type: string - error: - additionalProperties: true - type: object - properties: - message: - type: string - name: - type: string - stack: - type: string - required: - - name - - message - target_version: + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string required: - - created_at - - target_version - - error - maxItems: 10 + - column + maxItems: 100 + minItems: 1 type: array - name: - type: string - namespaces: + references: items: - type: string - maxItems: 100 + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' type: array - previous_version: - nullable: true + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). + maximum: 1 + minimum: 0 + type: number + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleStyling' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: type: string - rolled_back: - type: boolean type: + enum: + - waffle type: string - updated_at: + required: + - type + - data_source + - metrics + title: Waffle Chart (ES|QL) + type: object + Kibana_HTTP_APIs_waffleGroupByDateHistogram: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + drop_partial_intervals: + description: When `true`, drops partial intervals from the results. 
+ type: boolean + field: + description: Field to be used for the date histogram. type: string - verification_key_id: - nullable: true + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. + type: boolean + label: + description: Label for the operation type: string - verification_status: + operation: enum: - - unverified - - verified - - unknown + - date_histogram type: string - version: + suggested_interval: + default: auto + description: Suggested time interval. type: string + use_original_time_range: + default: false + description: When `true`, uses the original time range instead of the current query time range. + type: boolean required: - - type - - installed_kibana - - installed_es - - name - - version - - install_status - - install_source - - verification_status - title: installation_info + - operation + - field + title: Date Histogram Operation type: object - x-oas-optional: true - Kibana_HTTP_APIs_installed_package: + Kibana_HTTP_APIs_waffleGroupByFilters: additionalProperties: false properties: - dataStreams: - items: - additionalProperties: false - type: object - properties: - name: - type: string - title: - type: string - required: - - name - - title - maxItems: 10000 - type: array - description: - type: string - icons: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + filters: items: - $ref: '#/components/schemas/Kibana_HTTP_APIs_package_icon' + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterWithLabel' maxItems: 100 type: array - name: - type: string - status: - type: string - title: + label: + description: Label for the operation type: string - version: + operation: + enum: + - filters type: string required: - - name - - version - - status - - dataStreams - title: installed_package + - operation + - filters + title: Filters Operation type: object - Kibana_HTTP_APIs_kibana_asset_reference: + 
Kibana_HTTP_APIs_waffleGroupByHistogram: additionalProperties: false properties: - deferred: - type: boolean - id: - type: string - originId: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + field: + description: Field to be used for the histogram. type: string - type: + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + granularity: anyOf: + - description: Granularity of the histogram. + maximum: 7 + minimum: 1 + type: number - enum: - - dashboard - - lens - - visualization - - search - - index-pattern - - map - - ml-module - - security-rule - - csp-rule-template - - osquery-pack-asset - - osquery-saved-query - - tag + - auto type: string - - type: string + default: auto + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. + type: boolean + label: + description: Label for the operation + type: string + operation: + enum: + - histogram + type: string required: - - id - - type - title: kibana_asset_reference + - operation + - field + title: Histogram Operation type: object - Kibana_HTTP_APIs_new_agent_policy: + Kibana_HTTP_APIs_waffleGroupByRanges: additionalProperties: false properties: - advanced_settings: - additionalProperties: false - type: object - properties: - agent_download_target_directory: - nullable: true - agent_download_timeout: - nullable: true - agent_features_disable_policy_change_acks_enabled: - nullable: true - agent_internal: - nullable: true - agent_limits_go_max_procs: - nullable: true - agent_logging_files_interval: - nullable: true - agent_logging_files_keepfiles: - nullable: true - agent_logging_files_rotateeverybytes: - nullable: true - agent_logging_level: - nullable: true - agent_logging_metrics_period: - nullable: true - agent_logging_to_files: - nullable: true - agent_monitoring_runtime_experimental: - nullable: true - agent_features: - items: - additionalProperties: false - 
type: object - properties: - enabled: - type: boolean - name: - type: string - required: - - name - - enabled - maxItems: 100 - type: array - agentless: - additionalProperties: false - type: object - properties: - cloud_connectors: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - target_csp: - enum: - - aws - - azure - - gcp - type: string - required: - - enabled - cluster_id: - type: string - resources: - additionalProperties: false - type: object - properties: - requests: - additionalProperties: false - type: object - properties: - cpu: - type: string - memory: - type: string - bumpRevision: - type: boolean - data_output_id: - nullable: true - type: string - description: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + field: + description: Field to be used for the range. type: string - download_source_id: - nullable: true + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string - fleet_server_host_id: - nullable: true + operation: + enum: + - range type: string - force: - type: boolean - global_data_tags: - description: >- - User defined data tags that are added to all of the inputs. The - values can be strings or numbers. + ranges: items: additionalProperties: false type: object properties: - name: + gt: + description: Greater than. + type: number + label: + description: Label. type: string - value: - anyOf: - - type: string - - type: number - required: - - name - - value + lte: + description: Less than or equal to. 
+ type: number maxItems: 100 type: array - has_agent_version_conditions: - type: boolean - has_fleet_server: - type: boolean - id: - type: string - inactivity_timeout: - default: 1209600 - minimum: 0 - type: number - is_default: - type: boolean - is_default_fleet_server: - type: boolean - is_managed: - type: boolean - is_protected: - type: boolean - is_verifier: - type: boolean - keep_monitoring_alive: - default: false - description: >- - When set to true, monitoring will be enabled but logs/metrics - collection will be disabled - nullable: true - type: boolean - min_agent_version: - nullable: true - type: string - monitoring_diagnostics: + required: + - operation + - field + - ranges + title: Ranges Operation + type: object + Kibana_HTTP_APIs_waffleGroupByTerms: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + excludes: additionalProperties: false type: object properties: - limit: - additionalProperties: false - type: object - properties: - burst: - type: number - interval: - type: string - uploader: - additionalProperties: false - type: object - properties: - init_dur: - type: string - max_dur: - type: string - max_retries: - type: number - monitoring_enabled: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to exclude. + type: string + maxItems: 100 + type: array + required: + - values + fields: items: - enum: - - logs - - metrics - - traces + description: Fields to be used for the terms. 
type: string - maxItems: 3 + maxItems: 4 + minItems: 1 type: array - monitoring_http: + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + includes: additionalProperties: false type: object properties: - buffer: - additionalProperties: false - type: object - properties: - enabled: - default: false - type: boolean - enabled: + as_regex: + description: When `true`, treats the values as regular expressions. type: boolean - host: - type: string - port: - maximum: 65353 - minimum: 0 - type: number - monitoring_output_id: - nullable: true - type: string - monitoring_pprof_enabled: + values: + items: + description: Values to include. + type: string + maxItems: 100 + type: array + required: + - values + increase_accuracy: + description: When `true`, increases accuracy at the cost of performance. type: boolean - name: - minLength: 1 + label: + description: Label for the operation type: string - namespace: - minLength: 1 + limit: + default: 5 + description: Number of terms to return. + type: number + operation: + enum: + - terms type: string - overrides: - additionalProperties: - nullable: true - description: >- - Override settings that are defined in the agent policy. Input - settings cannot be overridden. The override option should be used - only in unusual circumstances and not as a routine procedure. 
- nullable: true + other_bucket: + additionalProperties: false type: object - package_agent_version_conditions: - items: - additionalProperties: false - type: object - properties: - name: - type: string - title: - type: string - version_condition: - type: string - required: - - name - - title - - version_condition - maxItems: 1000 - nullable: true - type: array - required_versions: - items: - additionalProperties: false - type: object - properties: - percentage: - description: Target percentage of agents to auto upgrade - maximum: 100 - minimum: 0 - type: number - version: - description: Target version for automatic agent upgrade - type: string - required: - - version - - percentage - maxItems: 100 - nullable: true - type: array - space_ids: + properties: + include_documents_without_field: + description: When `true`, includes documents that do not have the specified field. + type: boolean + required: + - include_documents_without_field + rank_by: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByAlphabetical' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByRare' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankBySignificant' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomCountOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileRankOperation' + required: + - operation + - fields + title: Terms Operation + type: object + Kibana_HTTP_APIs_waffleLegend: + additionalProperties: false + description: Legend configuration for waffle chart + properties: + size: + $ref: '#/components/schemas/Kibana_HTTP_APIs_legendSize' + truncate_after_lines: + description: Number of lines before legend items are truncated. 
+ maximum: 10 + minimum: 1 + title: legendTruncateAfterLines + type: number + values: items: + description: 'Legend value display mode: absolute (show raw metric values in legend)' + enum: + - absolute type: string - maxItems: 100 + maxItems: 1 + minItems: 1 type: array - supports_agentless: + visibility: + description: Legend visibility. + enum: + - auto + - visible + - hidden + type: string + title: Legend + type: object + Kibana_HTTP_APIs_waffleMetricCounterRate: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - counter_rate + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Counter Rate Operation + type: object + Kibana_HTTP_APIs_waffleMetricCountMetric: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - operation + title: Count Metric Operation + type: object + Kibana_HTTP_APIs_waffleMetricCumulativeSum: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - cumulative_sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Cumulative Sum Operation + type: object + Kibana_HTTP_APIs_waffleMetricDifferences: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: 
'#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - differences + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - operation + - of + title: Differences Operation + type: object + Kibana_HTTP_APIs_waffleMetricFormula: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + formula: + description: Formula + type: string + label: + description: Label for the operation + type: string + operation: + enum: + - formula + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + description: Time scale + enum: + - s + - m + - h + - d + type: string + required: + - operation + - formula + title: Formula Operation + type: object + Kibana_HTTP_APIs_waffleMetricLastValue: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + multi_value: default: false - deprecated: true - description: >- - 
Indicates whether the agent policy supports agentless integrations. - Deprecated in favor of the Fleet agentless policies API. - nullable: true + description: Whether to return all values for multi-value fields. Only affects data table and metric charts; other charts use the last value from the array. type: boolean - unenroll_timeout: - minimum: 0 - type: number + operation: + enum: + - last_value + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_field: + description: Time field used to determine document recency + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string required: - - name - - namespace - title: new_agent_policy + - field + - operation + - time_field + title: Last Value Operation type: object - Kibana_HTTP_APIs_new_enrollment_api_key: + Kibana_HTTP_APIs_waffleMetricMovingAverage: additionalProperties: false properties: - expiration: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string - name: + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - moving_average type: string - policy_id: + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + window: + default: 5 + description: Window + type: number required: - - policy_id - title: new_enrollment_api_key + - 
operation + - of + title: Moving Average Operation type: object - Kibana_HTTP_APIs_new_output_elasticsearch: + Kibana_HTTP_APIs_waffleMetricPercentile: additionalProperties: false properties: - allow_edit: - items: - type: string - maxItems: 1000 - type: array - ca_sha256: - nullable: true + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric type: string - ca_trusted_fingerprint: - nullable: true + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string - config_yaml: - nullable: true + operation: + enum: + - percentile type: string - hosts: - items: - format: uri - type: string - maxItems: 10 - minItems: 1 - type: array - id: + percentile: + default: 95 + description: Percentile + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting type: string - is_default: - default: false - type: boolean - is_default_monitoring: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: - type: boolean - name: + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting type: string - otel_disable_beatsauth: - nullable: true - type: boolean - otel_exporter_config_yaml: - nullable: true + required: + - field + - operation + title: Percentile Operation + type: object + Kibana_HTTP_APIs_waffleMetricPercentileRanks: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric type: string - preset: + filter: + $ref: 
'#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: enum: - - balanced - - custom - - throughput - - scale - - latency + - percentile_rank type: string - proxy_id: - nullable: true + rank: + default: 0 + description: Percentile Rank + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting type: string - secrets: - additionalProperties: false - type: object - properties: - ssl: - additionalProperties: false - type: object - properties: - key: - anyOf: - - additionalProperties: false - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - shipper: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' - nullable: true - ssl: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' - nullable: true - type: - enum: - - elasticsearch + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting type: string - write_to_logs_streams: - nullable: true - type: boolean required: - - name - - type - - hosts - title: new_output_elasticsearch + - field + - operation + title: Percentile Ranks Operation type: object - Kibana_HTTP_APIs_new_output_kafka: + Kibana_HTTP_APIs_waffleMetricStatsMetric: additionalProperties: false properties: - allow_edit: - items: - type: string - maxItems: 1000 - type: array - auth_type: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label 
for the operation + type: string + operation: enum: - - none - - user_pass - - ssl - - kerberos + - min + - max + - average + - median + - standard_deviation type: string - broker_timeout: - type: number - ca_sha256: - nullable: true + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting type: string - ca_trusted_fingerprint: - nullable: true + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting type: string - client_id: + required: + - field + - operation + title: Stats Metric Operation + type: object + Kibana_HTTP_APIs_waffleMetricSumMetric: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. + type: boolean + field: + description: Field to be used for the metric type: string - compression: + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: enum: - - gzip - - snappy - - lz4 - - none + - sum type: string - compression_level: - nullable: true - type: number - config_yaml: - nullable: true + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting type: string - connection_type: + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Sum Metric Operation + type: object + Kibana_HTTP_APIs_waffleMetricUniqueCountMetric: + additionalProperties: false + properties: + color: + anyOf: + - $ref: 
'#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. + type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: enum: - - plaintext - - encryption + - unique_count type: string - hash: - additionalProperties: false - type: object - properties: - hash: - type: string - random: - type: boolean - headers: + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Unique Count Metric Operation + type: object + Kibana_HTTP_APIs_waffleNoESQL: + additionalProperties: false + description: Waffle chart configuration for standard queries + properties: + data_source: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' + description: + type: string + drilldowns: items: - additionalProperties: false - type: object - properties: - key: - type: string - value: - type: string - required: - - key - - value + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. 
+ type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. + type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. 
Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object maxItems: 100 type: array - hosts: + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + group_by: + description: Array of breakdown dimensions (minimum 1) items: - type: string - maxItems: 10 + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleGroupByDateHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleGroupByTerms' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleGroupByHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleGroupByRanges' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleGroupByFilters' + maxItems: 100 minItems: 1 type: array - id: - type: string - is_default: - default: false - type: boolean - is_default_monitoring: - default: false - type: boolean - is_internal: + hide_border: type: boolean - is_preconfigured: + hide_title: type: boolean - key: - type: string - name: - type: string - otel_disable_beatsauth: - nullable: true + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. 
type: boolean - otel_exporter_config_yaml: - nullable: true + legend: + $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleLegend' + metrics: + description: Array of metric configurations (minimum 1) + items: + anyOf: + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleMetricCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleMetricUniqueCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleMetricStatsMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleMetricSumMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleMetricLastValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleMetricPercentile' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleMetricPercentileRanks' + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleMetricDifferences' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleMetricMovingAverage' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleMetricCumulativeSum' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleMetricCounterRate' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleMetricFormula' + maxItems: 100 + minItems: 1 + type: array + query: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). 
+ maximum: 1 + minimum: 0 + type: number + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleStyling' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: type: string - partition: + type: enum: - - random - - round_robin - - hash - type: string - password: - nullable: true - type: string - proxy_id: - nullable: true + - waffle type: string - random: - additionalProperties: false - type: object - properties: - group_events: - type: number - required_acks: - enum: - - 1 - - 0 - - -1 - type: integer - round_robin: - additionalProperties: false - type: object - properties: - group_events: - type: number - sasl: - additionalProperties: false - nullable: true - type: object - properties: - mechanism: - enum: - - PLAIN - - SCRAM-SHA-256 - - SCRAM-SHA-512 - type: string - secrets: - additionalProperties: false - type: object - properties: - password: - anyOf: - - additionalProperties: false + required: + - type + - data_source + - metrics + title: Waffle Chart (DSL) + type: object + Kibana_HTTP_APIs_waffleStyling: + additionalProperties: false + description: Visual chart styling options + properties: + values: + $ref: '#/components/schemas/Kibana_HTTP_APIs_valueDisplay' + title: Waffle styling + type: object + Kibana_HTTP_APIs_WiredStreamUpsertRequest: + additionalProperties: false + type: object + properties: + dashboards: + items: + type: string + type: array + queries: + items: + type: object + properties: + description: + type: string + esql: + type: object + properties: + query: + type: string + required: + - query + evidence: + items: + type: string + type: array + features: + items: type: object properties: - hash: - type: string id: type: string + run_id: + type: string required: - id - - type: string - ssl: + type: array + id: + description: A non-empty string. + minLength: 1 + type: string + severity_score: + type: number + title: + description: A non-empty string. 
+ minLength: 1 + type: string + type: + default: match + enum: + - match + - stats + type: string + required: + - id + - title + - description + - esql + type: array + rules: + items: + type: string + type: array + stream: + additionalProperties: false + type: object + properties: + description: + type: string + ingest: additionalProperties: false type: object properties: - key: - anyOf: - - additionalProperties: false + failure_store: + $ref: '#/components/schemas/Kibana_HTTP_APIs_FailureStore' + lifecycle: + $ref: '#/components/schemas/Kibana_HTTP_APIs_IngestStreamLifecycle' + processing: + additionalProperties: false + type: object + properties: + steps: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamlangStep' + type: array + updated_at: {} + required: + - steps + settings: + additionalProperties: false + type: object + properties: + index.number_of_replicas: + additionalProperties: false type: object properties: - hash: - type: string - id: - type: string + value: + type: number required: - - id - - type: string + - value + index.number_of_shards: + additionalProperties: false + type: object + properties: + value: + type: number + required: + - value + index.refresh_interval: + additionalProperties: false + type: object + properties: + value: + anyOf: + - type: string + - enum: + - -1 + type: number + required: + - value + wired: + additionalProperties: false + type: object + properties: + draft: + type: boolean + fields: + $ref: '#/components/schemas/Kibana_HTTP_APIs_FieldDefinition' + routing: + items: + type: object + properties: + destination: + description: A non-empty string. 
+ minLength: 1 + type: string + draft: + type: boolean + status: + enum: + - enabled + - disabled + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + required: + - destination + - where + type: array + required: + - fields + - routing + required: + - lifecycle + - processing + - settings + - failure_store + - wired + query_streams: + items: + type: object + properties: + name: + type: string + required: + - name + type: array + type: + enum: + - wired + type: string + required: + - description + - ingest + - type + required: + - dashboards + - rules + - queries + - stream + Kibana_HTTP_APIs_xpack-ml-anomaly-detection-alert-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_alert_delay' + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string required: - - key - shipper: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' nullable: true - ssl: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + name: + description: The name of the rule. 
While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval nullable: true - timeout: - type: number - topic: type: string - type: + params: + additionalProperties: false + description: The parameters for the anomaly detection rule. These parameters are appropriate when `rule_type_id` is `xpack.ml.anomaly_detection_alert"`. 
+ properties: + includeInterim: + default: true + type: boolean + jobSelection: + additionalProperties: false + type: object + properties: + groupIds: + default: [] + items: + type: string + type: array + jobIds: + default: [] + items: + type: string + type: array + kqlQueryString: + nullable: true + type: string + lookbackInterval: + nullable: true + type: string + resultType: + enum: + - record + - bucket + - influencer + type: string + severity: + maximum: 100 + minimum: 0 + type: number + topNBuckets: + minimum: 1 + nullable: true + type: number + required: + - jobSelection + - severity + - resultType + - lookbackInterval + - topNBuckets + - kqlQueryString + title: Anomaly Detection Rule Params + type: object + rule_type_id: enum: - - kafka + - xpack.ml.anomaly_detection_alert type: string - username: + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
nullable: true type: string - version: - type: string required: - name - - type - - hosts - - auth_type - title: new_output_kafka + - consumer + - schedule + - rule_type_id + - params + title: Anomaly detection type: object - Kibana_HTTP_APIs_new_output_logstash: + Kibana_HTTP_APIs_xpack-ml-anomaly-detection-jobs-health-create-rule-body-alerting: additionalProperties: false properties: - allow_edit: - items: - type: string - maxItems: 1000 - type: array - ca_sha256: - nullable: true - type: string - ca_trusted_fingerprint: - nullable: true - type: string - config_yaml: - nullable: true - type: string - hosts: + actions: + default: [] items: - type: string - maxItems: 10 - minItems: 1 + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' type: array - id: - type: string - is_default: - default: false - type: boolean - is_default_monitoring: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: - type: boolean - name: + alert_delay: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_alert_delay' + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string - otel_disable_beatsauth: - nullable: true + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. 
type: boolean - otel_exporter_config_yaml: + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. type: string - proxy_id: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval nullable: true type: string - secrets: + params: additionalProperties: false - type: object + description: The parameters for the anomaly detection jobs health rule. These parameters are appropriate when `rule_type_id` is `xpack.ml.anomaly_detection_jobs_health"`. 
properties: - ssl: + excludeJobs: additionalProperties: false + nullable: true type: object properties: - key: - anyOf: - - additionalProperties: false - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - shipper: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' - nullable: true - ssl: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' - nullable: true - type: + groupIds: + default: [] + items: + type: string + type: array + jobIds: + default: [] + items: + type: string + type: array + includeJobs: + additionalProperties: false + type: object + properties: + groupIds: + default: [] + items: + type: string + type: array + jobIds: + default: [] + items: + type: string + type: array + testsConfig: + additionalProperties: false + nullable: true + type: object + properties: + behindRealtime: + additionalProperties: false + nullable: true + type: object + properties: + enabled: + default: true + type: boolean + timeInterval: + nullable: true + type: string + required: + - timeInterval + datafeed: + additionalProperties: false + nullable: true + type: object + properties: + enabled: + default: true + type: boolean + delayedData: + additionalProperties: false + nullable: true + type: object + properties: + docsCount: + minimum: 1 + nullable: true + type: number + enabled: + default: true + type: boolean + timeInterval: + nullable: true + type: string + required: + - docsCount + - timeInterval + errorMessages: + additionalProperties: false + nullable: true + type: object + properties: + enabled: + default: true + type: boolean + mml: + additionalProperties: false + nullable: true + type: object + properties: + enabled: + default: true + type: boolean + required: + - datafeed + - mml + - delayedData + - behindRealtime + - errorMessages + required: + - includeJobs + - excludeJobs + - testsConfig + title: Anomaly Detection Jobs Health Rule Params + type: object + rule_type_id: 
enum: - - logstash + - xpack.ml.anomaly_detection_jobs_health type: string - required: - - name - - type - - hosts - title: new_output_logstash - type: object - Kibana_HTTP_APIs_new_output_remote_elasticsearch: - additionalProperties: false - properties: - allow_edit: + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. items: type: string - maxItems: 1000 type: array - ca_sha256: - nullable: true - type: string - ca_trusted_fingerprint: - nullable: true - type: string - config_yaml: + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
nullable: true type: string - hosts: + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Anomaly detection jobs health + type: object + Kibana_HTTP_APIs_xpack-synthetics-alerts-monitorstatus-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] items: - format: uri - type: string - maxItems: 10 - minItems: 1 + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' type: array - id: + alert_delay: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_alert_delay' + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string - is_default: - default: false - type: boolean - is_default_monitoring: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. type: boolean - kibana_api_key: - nullable: true - type: string - kibana_url: + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' nullable: true - type: string name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. 
type: string - otel_disable_beatsauth: - nullable: true - type: boolean - otel_exporter_config_yaml: - nullable: true - type: string - preset: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - - balanced - - custom - - throughput - - scale - - latency - type: string - proxy_id: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval nullable: true type: string - secrets: + params: additionalProperties: false - type: object + description: The parameters for the synthetics monitor status rule. These parameters are appropriate when `rule_type_id` is `xpack.synthetics.alerts.monitorStatus`. 
properties: - service_token: - anyOf: - - additionalProperties: false - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - ssl: + condition: additionalProperties: false type: object properties: - key: + alertOnNoData: + type: boolean + downThreshold: + type: number + groupBy: + type: string + includeRetests: + type: boolean + locationsThreshold: + type: number + recoveryStrategy: + enum: + - firstUp + - conditionNotMet + type: string + window: anyOf: - additionalProperties: false type: object properties: - hash: - type: string - id: - type: string + time: + additionalProperties: false + type: object + properties: + size: + default: 5 + type: number + unit: + default: m + enum: + - s + - m + - h + - d + type: string required: - - id - - type: string - service_token: - nullable: true - type: string - shipper: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' - nullable: true - ssl: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' - nullable: true - sync_integrations: - type: boolean - sync_uninstalled_integrations: - type: boolean - type: + - time + - additionalProperties: false + type: object + properties: + numberOfChecks: + default: 5 + maximum: 100 + minimum: 1 + type: number + required: + - window + kqlQuery: + type: string + locations: + items: + type: string + type: array + monitorIds: + items: + type: string + type: array + monitorTypes: + items: + type: string + type: array + projects: + items: + type: string + type: array + tags: + items: + type: string + type: array + title: Synthetics Monitor Status Rule Params + type: object + rule_type_id: enum: - - remote_elasticsearch + - xpack.synthetics.alerts.monitorStatus type: string - write_to_logs_streams: - nullable: true - type: boolean - required: - - name - - type - - hosts - title: new_output_remote_elasticsearch - type: object - Kibana_HTTP_APIs_output_elasticsearch: - additionalProperties: true - 
properties: - allow_edit: + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. items: type: string - maxItems: 1000 type: array - ca_sha256: - nullable: true - type: string - ca_trusted_fingerprint: - nullable: true - type: string - config_yaml: + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string - hosts: + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Synthetics monitor status + type: object + Kibana_HTTP_APIs_xpack-synthetics-alerts-tls-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] items: - format: uri - type: string - maxItems: 10 - minItems: 1 + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' type: array - id: - type: string - is_default: - default: false - type: boolean - is_default_monitoring: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: - type: boolean - name: - type: string - otel_disable_beatsauth: - nullable: true - type: boolean - otel_exporter_config_yaml: - nullable: true - type: string - preset: - enum: - - balanced - - custom - - throughput - - scale - - latency - type: string - proxy_id: - nullable: true - type: string - secrets: - additionalProperties: true + alert_delay: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_alert_delay' + artifacts: + 
additionalProperties: false type: object properties: - ssl: - additionalProperties: true - type: object - properties: - key: - anyOf: - - additionalProperties: true - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - shipper: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' nullable: true - ssl: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval nullable: true - type: + type: string + params: + additionalProperties: false + description: The parameters for the synthetics tls rule. These parameters are appropriate when `rule_type_id` is `xpack.synthetics.alerts.tls`. + properties: + certAgeThreshold: + type: number + certExpirationThreshold: + type: number + kqlQuery: + type: string + locations: + items: + type: string + type: array + monitorIds: + items: + type: string + type: array + monitorTypes: + items: + type: string + type: array + projects: + items: + type: string + type: array + search: + type: string + tags: + items: + type: string + type: array + title: Synthetics TLS Rule Params + type: object + rule_type_id: enum: - - elasticsearch + - xpack.synthetics.alerts.tls type: string - write_to_logs_streams: + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
nullable: true - type: boolean + type: string required: - name - - type - - hosts - title: output_elasticsearch + - consumer + - schedule + - rule_type_id + - params + title: Synthetics TLS type: object - Kibana_HTTP_APIs_output_kafka: - additionalProperties: true + Kibana_HTTP_APIs_xpack-uptime-alerts-durationanomaly-create-rule-body-alerting: + additionalProperties: false properties: - allow_edit: + actions: + default: [] items: - type: string - maxItems: 1000 + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' type: array - auth_type: - enum: - - none - - user_pass - - ssl - - kerberos - type: string - broker_timeout: - type: number - ca_sha256: - nullable: true + alert_delay: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_alert_delay' + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string - ca_trusted_fingerprint: + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. type: string - client_id: - type: string - compression: + notify_when: + description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - - gzip - - snappy - - lz4 - - none - type: string - compression_level: - nullable: true - type: number - config_yaml: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval nullable: true type: string - connection_type: + params: + additionalProperties: false + description: The parameters for the uptime duration anomaly rule. These parameters are appropriate when `rule_type_id` is `xpack.uptime.alerts.durationAnomaly`. + properties: + monitorId: + type: string + severity: + type: number + stackVersion: + type: string + required: + - monitorId + - severity + title: Uptime Duration Anomaly Rule Params + type: object + rule_type_id: enum: - - plaintext - - encryption + - xpack.uptime.alerts.durationAnomaly type: string - hash: - additionalProperties: true + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. type: object properties: - hash: + interval: + description: The interval is specified in seconds, minutes, hours, or days. type: string - random: - type: boolean - headers: - items: - additionalProperties: true - type: object - properties: - key: - type: string - value: - type: string - required: - - key - - value - maxItems: 100 - type: array - hosts: + required: + - interval + tags: + default: [] + description: The tags for the rule. 
items: type: string - maxItems: 10 - minItems: 1 type: array - id: - type: string - is_default: - default: false - type: boolean - is_default_monitoring: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: - type: boolean - key: + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true type: string - name: + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Uptime duration anomaly + type: object + Kibana_HTTP_APIs_xpack-uptime-alerts-monitorstatus-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_alert_delay' + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string - otel_disable_beatsauth: - nullable: true + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. 
type: boolean - otel_exporter_config_yaml: + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. type: string - partition: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - - random - - round_robin - - hash - type: string - password: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval nullable: true type: string - proxy_id: - nullable: true - type: string - random: - additionalProperties: true - type: object + params: + additionalProperties: false + description: The parameters for the uptime monitor status rule. These parameters are appropriate when `rule_type_id` is `xpack.uptime.alerts.monitorStatus`. 
properties: - group_events: + availability: + additionalProperties: false + type: object + properties: + range: + type: number + rangeUnit: + type: string + threshold: + type: string + required: + - range + - rangeUnit + - threshold + filters: + anyOf: + - additionalProperties: false + type: object + properties: + monitor.type: + items: + type: string + type: array + observer.geo.name: + items: + type: string + type: array + tags: + items: + type: string + type: array + url.port: + items: + type: string + type: array + - type: string + isAutoGenerated: + type: boolean + locations: + items: + type: string + type: array + numTimes: type: number - required_acks: - enum: - - 1 - - 0 - - -1 - type: integer - round_robin: - additionalProperties: true - type: object - properties: - group_events: + search: + type: string + shouldCheckAvailability: + type: boolean + shouldCheckStatus: + type: boolean + stackVersion: + type: string + timerange: + additionalProperties: false + type: object + properties: + from: + type: string + to: + type: string + required: + - from + - to + timerangeCount: type: number - sasl: - additionalProperties: true - nullable: true + timerangeUnit: + type: string + version: + type: number + required: + - numTimes + - shouldCheckStatus + - shouldCheckAvailability + title: Uptime Monitor Status Rule Params + type: object + rule_type_id: + enum: + - xpack.uptime.alerts.monitorStatus + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. type: object properties: - mechanism: - enum: - - PLAIN - - SCRAM-SHA-256 - - SCRAM-SHA-512 + interval: + description: The interval is specified in seconds, minutes, hours, or days. type: string - secrets: - additionalProperties: true + required: + - interval + tags: + default: [] + description: The tags for the rule. 
+ items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Uptime monitor status + type: object + Kibana_HTTP_APIs_xpack-uptime-alerts-tlscertificate-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_alert_delay' + artifacts: + additionalProperties: false type: object properties: - password: - anyOf: - - additionalProperties: true - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: true + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false type: object properties: - key: - anyOf: - - additionalProperties: true - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string + blob: + maxLength: 10000 + type: string required: - - key - shipper: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' - nullable: true - ssl: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' 
+ type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' nullable: true - timeout: - type: number - topic: + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. type: string - type: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - - kafka - type: string - username: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval nullable: true type: string - version: + params: + additionalProperties: false + description: The parameters for the uptime tls rule. These parameters are appropriate when `rule_type_id` is `xpack.uptime.alerts.tlsCertificate`. 
+ properties: + certAgeThreshold: + type: number + certExpirationThreshold: + type: number + search: + type: string + stackVersion: + type: string + title: Uptime TLS Rule Params + type: object + rule_type_id: + enum: + - xpack.uptime.alerts.tlsCertificate type: string - required: - - name - - type - - hosts - - auth_type - title: output_kafka - type: object - Kibana_HTTP_APIs_output_logstash: - additionalProperties: true - properties: - allow_edit: + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. items: type: string - maxItems: 1000 type: array - ca_sha256: + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
nullable: true type: string - ca_trusted_fingerprint: - nullable: true + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Uptime TLS certificate + type: object + Kibana_HTTP_APIs_xyAnnotationByRefLayer: + additionalProperties: false + description: Reference to a library annotation group + properties: + group_id: + description: ID of the linked annotation group from the library type: string - config_yaml: - nullable: true + type: + enum: + - annotation_group type: string - hosts: + required: + - type + - group_id + title: Annotation Layer (By Reference) + type: object + Kibana_HTTP_APIs_xyAnnotationLayerNoESQL: + additionalProperties: false + description: Layer containing annotations (query-based, points, and ranges) + properties: + data_source: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' + events: + description: Array of annotation configurations items: - type: string - maxItems: 10 + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyAnnotationQuery' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyAnnotationManualEvent' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyAnnotationManualRange' + maxItems: 100 minItems: 1 type: array - id: - type: string - is_default: - default: false - type: boolean - is_default_monitoring: + ignore_global_filters: default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. 
type: boolean - is_internal: - type: boolean - is_preconfigured: - type: boolean - name: + type: + enum: + - annotations type: string - otel_disable_beatsauth: - nullable: true - type: boolean - otel_exporter_config_yaml: - nullable: true + required: + - type + - data_source + - events + title: Annotation Layer (DSL) + type: object + Kibana_HTTP_APIs_xyAnnotationManualEvent: + additionalProperties: false + description: Manual point annotation at specific timestamp + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + icon: + description: Icon to display at the annotation point + enum: + - asterisk + - alert + - bell + - bolt + - bug + - circle + - editor_comment + - flag + - heart + - map_marker + - pin_filled + - star_empty + - star_filled + - tag + - triangle type: string - proxy_id: - nullable: true + label: + description: Label text for the annotation type: string - secrets: - additionalProperties: true - type: object - properties: - ssl: - additionalProperties: true - type: object - properties: - key: - anyOf: - - additionalProperties: true - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - shipper: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' - nullable: true - ssl: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' - nullable: true + line: + additionalProperties: false + description: Vertical line configuration for point annotation + type: object + properties: + stroke_dash: + description: Vertical line style + enum: + - solid + - dashed + - dotted + type: string + stroke_width: + description: Vertical line width in pixels + maximum: 10 + minimum: 1 + type: number + required: + - stroke_width + - stroke_dash + text: + additionalProperties: false + description: Annotation text label visibility + type: object + properties: + visible: + description: Show 
text label on the annotation + type: boolean + required: + - visible + timestamp: + anyOf: + - description: Unix timestamp in milliseconds + type: number + - description: ISO date string + type: string type: enum: - - logstash + - point type: string + visible: + description: Show the annotation + type: boolean required: - - name - type - - hosts - title: output_logstash + - timestamp + title: xyAnnotationManualEvent type: object - Kibana_HTTP_APIs_output_remote_elasticsearch: - additionalProperties: true + Kibana_HTTP_APIs_xyAnnotationManualRange: + additionalProperties: false + description: Manual range annotation spanning time interval properties: - allow_edit: - items: - type: string - maxItems: 1000 - type: array - ca_sha256: - nullable: true + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + fill: + description: Fill direction for range + enum: + - inside + - outside type: string - ca_trusted_fingerprint: - nullable: true + interval: + additionalProperties: false + description: Time range for annotation + type: object + properties: + from: + anyOf: + - description: Unix timestamp in milliseconds + type: number + - description: ISO date string + type: string + to: + anyOf: + - description: Unix timestamp in milliseconds + type: number + - description: ISO date string + type: string + required: + - from + - to + label: + description: Label text for the annotation type: string - config_yaml: - nullable: true + type: + enum: + - range type: string - hosts: + visible: + description: Show the annotation + type: boolean + required: + - type + - interval + title: xyAnnotationManualRange + type: object + Kibana_HTTP_APIs_xyAnnotationQuery: + additionalProperties: false + description: Annotation from query results matching a filter + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: 
'#/components/schemas/Kibana_HTTP_APIs_autoColor' + extra_fields: + description: Additional fields for annotation tooltip items: - format: uri + description: Additional field to include in tooltip type: string - maxItems: 10 - minItems: 1 + maxItems: 100 type: array - id: - type: string - is_default: - default: false - type: boolean - is_default_monitoring: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: - type: boolean - kibana_api_key: - nullable: true - type: string - kibana_url: - nullable: true - type: string - name: - type: string - otel_disable_beatsauth: - nullable: true - type: boolean - otel_exporter_config_yaml: - nullable: true - type: string - preset: + icon: + description: Icon to display at the annotation point enum: - - balanced - - custom - - throughput - - scale - - latency + - asterisk + - alert + - bell + - bolt + - bug + - circle + - editor_comment + - flag + - heart + - map_marker + - pin_filled + - star_empty + - star_filled + - tag + - triangle type: string - proxy_id: - nullable: true + label: + description: Label text for the annotation type: string - secrets: - additionalProperties: true + line: + additionalProperties: false + description: Vertical line configuration for point annotation type: object properties: - service_token: - anyOf: - - additionalProperties: true - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: true - type: object - properties: - key: - anyOf: - - additionalProperties: true - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - service_token: - nullable: true + stroke_dash: + description: Vertical line style + enum: + - solid + - dashed + - dotted + type: string + stroke_width: + description: Vertical line width in pixels + maximum: 10 + minimum: 1 + type: number + required: + - stroke_width + - stroke_dash + query: + $ref: 
'#/components/schemas/Kibana_HTTP_APIs_filterSimple' + text: + additionalProperties: false + description: Annotation text label configuration + type: object + properties: + field: + description: Field name for text label source + type: string + visible: + description: Show text label on the annotation + type: boolean + required: + - visible + time_field: + description: Field containing the timestamp type: string - shipper: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' - nullable: true - ssl: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' - nullable: true - sync_integrations: - type: boolean - sync_uninstalled_integrations: - type: boolean type: enum: - - remote_elasticsearch + - query type: string - write_to_logs_streams: - nullable: true + visible: + description: Show the annotation type: boolean required: - - name - type - - hosts - title: output_remote_elasticsearch + - query + - time_field + title: xyAnnotationQuery type: object - Kibana_HTTP_APIs_output_shipper: - additionalProperties: true + Kibana_HTTP_APIs_xyBreakdownDateHistogram: + additionalProperties: false properties: - compression_level: - nullable: true - type: number - disk_queue_compression_enabled: - nullable: true + aggregate_first: + description: When `true`, aggregates data before splitting into series. Defaults to `false`. type: boolean - disk_queue_enabled: - default: false - nullable: true + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + drop_partial_intervals: + description: When `true`, drops partial intervals from the results. type: boolean - disk_queue_encryption_enabled: - nullable: true + field: + description: Field to be used for the date histogram. + type: string + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. 
type: boolean - disk_queue_max_size: - nullable: true - type: number - disk_queue_path: - nullable: true + label: + description: Label for the operation type: string - loadbalance: - nullable: true + operation: + enum: + - date_histogram + type: string + suggested_interval: + default: auto + description: Suggested time interval. + type: string + use_original_time_range: + default: false + description: When `true`, uses the original time range instead of the current query time range. type: boolean - max_batch_bytes: - nullable: true - type: number - mem_queue_events: - nullable: true - type: number - queue_flush_timeout: - nullable: true - type: number required: - - disk_queue_path - - disk_queue_max_size - - disk_queue_encryption_enabled - - disk_queue_compression_enabled - - compression_level - - loadbalance - - mem_queue_events - - queue_flush_timeout - - max_batch_bytes - title: output_shipper + - operation + - field + title: Date Histogram Operation type: object - Kibana_HTTP_APIs_output_ssl: - additionalProperties: true + Kibana_HTTP_APIs_xyBreakdownFilters: + additionalProperties: false properties: - certificate: - type: string - certificate_authorities: + aggregate_first: + description: When `true`, aggregates data before splitting into series. Defaults to `false`. 
+ type: boolean + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + filters: items: - type: string - maxItems: 10 + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterWithLabel' + maxItems: 100 type: array - key: + label: + description: Label for the operation type: string - verification_mode: + operation: enum: - - full - - none - - certificate - - strict + - filters type: string - title: output_ssl + required: + - operation + - filters + title: Filters Operation type: object - Kibana_HTTP_APIs_package_icon: + Kibana_HTTP_APIs_xyBreakdownHistogram: additionalProperties: false properties: - dark_mode: + aggregate_first: + description: When `true`, aggregates data before splitting into series. Defaults to `false`. type: boolean - path: - type: string - size: - type: string - src: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + field: + description: Field to be used for the histogram. type: string - title: + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + granularity: + anyOf: + - description: Granularity of the histogram. + maximum: 7 + minimum: 1 + type: number + - enum: + - auto + type: string + default: auto + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. + type: boolean + label: + description: Label for the operation type: string - type: + operation: + enum: + - histogram type: string required: - - src - title: package_icon + - operation + - field + title: Histogram Operation type: object - Kibana_HTTP_APIs_package_list_item: - additionalProperties: true + Kibana_HTTP_APIs_xyBreakdownRanges: + additionalProperties: false properties: - categories: + aggregate_first: + description: When `true`, aggregates data before splitting into series. Defaults to `false`. 
+ type: boolean + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + field: + description: Field to be used for the range. + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - range + type: string + ranges: items: - type: string + additionalProperties: false + type: object + properties: + gt: + description: Greater than. + type: number + label: + description: Label. + type: string + lte: + description: Less than or equal to. + type: number maxItems: 100 type: array - conditions: - additionalProperties: true + required: + - operation + - field + - ranges + title: Ranges Operation + type: object + Kibana_HTTP_APIs_xyBreakdownTerms: + additionalProperties: false + properties: + aggregate_first: + description: When `true`, aggregates data before splitting into series. Defaults to `false`. + type: boolean + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + excludes: + additionalProperties: false type: object properties: - deprecated: - $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' - elastic: - additionalProperties: true - type: object - properties: - capabilities: - items: - type: string - maxItems: 10 - type: array - subscription: - type: string - kibana: - additionalProperties: true - type: object - properties: - version: - type: string + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to exclude. + type: string + maxItems: 100 + type: array required: - - deprecated - data_streams: + - values + fields: items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 + description: Fields to be used for the terms. 
+ type: string + maxItems: 4 + minItems: 1 type: array - deprecated: - $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' - description: - type: string - discovery: - additionalProperties: true + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + includes: + additionalProperties: false type: object properties: - datasets: - items: - additionalProperties: true - type: object - properties: - name: - type: string - required: - - name - maxItems: 100 - type: array - fields: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: items: - additionalProperties: true - type: object - properties: - name: - type: string - required: - - name + description: Values to include. + type: string maxItems: 100 type: array - download: - type: string - format_version: - type: string - icons: - items: - $ref: '#/components/schemas/Kibana_HTTP_APIs_package_icon' - maxItems: 100 - type: array - id: - type: string - installationInfo: - $ref: '#/components/schemas/Kibana_HTTP_APIs_installation_info' - integration: - type: string - internal: + required: + - values + increase_accuracy: + description: When `true`, increases accuracy at the cost of performance. type: boolean - latestVersion: - type: string - name: - type: string - owner: - additionalProperties: true - type: object - properties: - github: - type: string - type: - enum: - - elastic - - partner - - community - type: string - path: - type: string - policy_templates: - items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 - type: array - readme: + label: + description: Label for the operation type: string - release: + limit: + default: 5 + description: Number of terms to return. 
+ type: number + operation: enum: - - ga - - beta - - experimental - type: string - signature_path: + - terms type: string - source: - additionalProperties: true + other_bucket: + additionalProperties: false type: object properties: - license: - type: string + include_documents_without_field: + description: When `true`, includes documents that do not have the specified field. + type: boolean required: - - license - status: - type: string - title: - type: string - type: + - include_documents_without_field + rank_by: anyOf: - - enum: - - integration - type: string - - enum: - - input - type: string - - enum: - - content - type: string - - type: string - var_groups: - items: - additionalProperties: true - type: object - properties: - description: - type: string - name: - type: string - options: - items: - additionalProperties: true - type: object - properties: - description: - type: string - hide_in_deployment_modes: - items: - enum: - - default - - agentless - type: string - maxItems: 2 - type: array - name: - type: string - title: - type: string - vars: - items: - type: string - maxItems: 100 - type: array - required: - - name - - title - - vars - maxItems: 100 - type: array - selector_title: - type: string - title: - type: string - required: - - name - - title - - selector_title - - options - maxItems: 100 - type: array - vars: - items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 - type: array - version: - type: string - required: - - installationInfo - - name - - version - - title - - deprecated - - id - title: package_list_item - type: object - Kibana_HTTP_APIs_package_metadata: - additionalProperties: false - properties: - has_policies: - type: boolean + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByAlphabetical' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByRare' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankBySignificant' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByMetric' + - 
$ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomCountOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileRankOperation' required: - - has_policies - title: package_metadata + - operation + - fields + title: Terms Operation type: object - x-oas-optional: true - Kibana_HTTP_APIs_package_policy_package: + Kibana_HTTP_APIs_xyChartESQL: additionalProperties: false + description: XY chart configuration for ES|QL queries properties: - experimental_data_stream_features: + axis: + $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_xy_axis_config' + description: + type: string + drilldowns: items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true properties: - doc_value_only_numeric: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. type: boolean - doc_value_only_other: + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. type: boolean - synthetic_source: + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. 
type: boolean - tsdb: + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true type: boolean - required: - - data_stream - - features + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object maxItems: 100 type: array - fips_compatible: + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + hide_border: type: boolean - name: - description: Package name - type: string - requires_root: + hide_title: type: boolean + layers: + description: ES|QL chart layers + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_xyLayerESQL' + maxItems: 100 + minItems: 1 + type: array + legend: + $ref: '#/components/schemas/Kibana_HTTP_APIs_xyLegend' + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_xyStyling' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' title: type: string - version: - description: Package version + type: + enum: + - xy type: string 
required: - - name - - version - title: package_policy_package + - type + - layers + title: XY Chart (ES|QL) type: object - x-oas-optional: true - Kibana_HTTP_APIs_package_policy_response: + Kibana_HTTP_APIs_xyChartNoESQL: additionalProperties: false + description: XY chart configuration for DSL queries properties: - additional_datastreams_permissions: - description: >- - Additional datastream permissions, that will be added to the agent - policy. - items: - type: string - maxItems: 1000 - nullable: true - type: array - agents: - type: number - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. - nullable: true - type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. - maxLength: 255 - minLength: 1 - nullable: true - type: string - condition: - description: >- - **Experimental.** Agent condition expression to evaluate whether to - apply this integration to its inputs. - type: string - created_at: - type: string - created_by: - type: string + axis: + $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_xy_axis_config' description: - description: Package policy description type: string - elasticsearch: - additionalProperties: true - type: object - properties: - privileges: - additionalProperties: true - type: object - properties: - cluster: - items: - type: string - maxItems: 100 - type: array - enabled: - type: boolean - global_data_tags: + drilldowns: items: - additionalProperties: false - type: object - properties: - name: - description: The name of the custom field. Cannot contain spaces. - type: string - value: - anyOf: - - type: string - - type: number - description: The value of the custom field. 
- required: - - name - - value - maxItems: 100 - nullable: true - type: array - id: - type: string - inputs: - anyOf: - - items: - additionalProperties: false - type: object + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true properties: - compiled_input: - nullable: true - condition: - description: >- - **Experimental.** Agent condition expression to evaluate - whether to apply this input. + dashboard_id: type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation for more - information) - type: object - deprecated: - $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' - enabled: - type: boolean - id: + label: type: string - keep_enabled: + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. type: boolean - migrate_from: + trigger: + enum: + - on_apply_filter type: string - name: + type: + enum: + - dashboard_drilldown type: string - policy_template: + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. + type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - condition: - description: >- - **Experimental.** Agent condition expression to - evaluate whether to apply this stream. 
- type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation for - more information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_deprecation_info - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: >- - Variable group selections. Maps var_group name to - the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation for - more information) - type: object - required: - - enabled - - data_stream - - compiled_stream - - deprecated - maxItems: 1000 - type: array type: + enum: + - discover_drilldown type: string - var_group_selections: - additionalProperties: - type: string - description: >- - Variable group selections. Maps var_group name to the - selected option name within that group. 
- type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation for more - information) - type: object required: + - label + - trigger - type - - enabled - - streams - - deprecated - - compiled_input - maxItems: 100 - type: array - - additionalProperties: - additionalProperties: false + title: discover_drilldown type: object + - additionalProperties: false properties: - condition: - description: >- - **Experimental.** Agent condition expression to evaluate - whether to apply this input. + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: type: string - deprecated: - $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' - enabled: - description: >- - Enable or disable that input. Defaults to `true` - (enabled). + open_in_new_tab: + default: true type: boolean - streams: - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: >- - **Experimental.** Agent condition expression to - evaluate whether to apply this stream. - type: string - deprecated: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_deprecation_info - enabled: - description: >- - Enable or disable that stream. Defaults to `true` - (enabled). - type: boolean - var_group_selections: - additionalProperties: - type: string - description: >- - Variable group selections. Maps var_group name to - the selected option name within that group. 
- type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: >- - Input/stream level variable. Refer to the - integration documentation for more information. - type: object - required: - - deprecated - description: >- - Input streams. Refer to the integration documentation to - know which streams are available. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: >- - Input/stream level variable. Refer to the integration - documentation for more information. - type: object + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string required: - - deprecated - description: >- - Package policy inputs. Refer to the integration documentation to - know which inputs are available. - type: object - x-oas-optional: true - description: Package policy inputs. - is_managed: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + hide_border: type: boolean - name: - description: Unique name for the package policy. 
+ hide_title: + type: boolean + layers: + description: Chart layers + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_xyLayersNoESQL' + maxItems: 100 + minItems: 1 + type: array + legend: + $ref: '#/components/schemas/Kibana_HTTP_APIs_xyLegend' + query: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_xyStyling' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: type: string - namespace: - description: >- - The package policy namespace. Leave blank to inherit the agent - policy's namespace. + type: + enum: + - xy type: string - output_id: - nullable: true + required: + - type + - layers + title: XY Chart (DSL) + type: object + Kibana_HTTP_APIs_xyFitting: + additionalProperties: false + description: Missing data interpolation configuration for line and area series + properties: + emphasize: + description: Visually distinguish fitted segments with a dashed line style and reduced area opacity + type: boolean + extend: + description: How to render line and area edges when data does not cover the full X domain + enum: + - none + - zero + - nearest type: string - overrides: + type: + description: Fitting function type for missing data + enum: + - none + - zero + - linear + - carry + - lookahead + - average + - nearest + type: string + required: + - type + title: xyFitting + type: object + Kibana_HTTP_APIs_xyLayerESQL: + additionalProperties: false + description: Data layer for ES|QL queries with column references + properties: + breakdown_by: additionalProperties: false - description: >- - Override settings that are defined in the package policy. The - override option should be used only in unusual circumstances and not - as a routine procedure. 
- nullable: true + description: ES|QL column for breakdown type: object properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_package' - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. - nullable: true - type: string - policy_ids: - items: - description: >- - IDs of the agent policies which that package policy will be added - to. - type: string - maxItems: 1000 - type: array - revision: - description: Package policy revision. + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + column: + description: Column to use + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + required: + - column + data_source: + $ref: '#/components/schemas/Kibana_HTTP_APIs_esqlDataSource' + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. + type: boolean + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). 
+ maximum: 1 + minimum: 0 type: number - secret_references: + type: + description: Chart type for the data layer + enum: + - area + - area_percentage + - area_stacked + - bar + - bar_horizontal + - bar_horizontal_stacked + - bar_horizontal_percentage + - bar_percentage + - bar_stacked + - line + type: string + x: + additionalProperties: false + type: object + properties: + column: + description: Column to use + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + required: + - column + 'y': + description: Array of ES|QL columns for Y-axis metrics items: additionalProperties: false + description: ES|QL column for Y-axis metric type: object properties: - id: + axis: + description: The Y axis this metric is plotted on. Values match the root axis configuration keys (axis.y, axis.y2). If omitted, defaults to the Y axis start (leading) side. + enum: + - 'y' + - y2 + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + column: + description: Column to use + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string required: - - id - maxItems: 1000 - type: array - spaceIds: - items: - type: string + - column maxItems: 100 type: array - supports_agentless: - default: false - description: >- - Indicates whether the package policy belongs to an agentless agent - policy. 
- nullable: true - type: boolean - supports_cloud_connector: + required: + - data_source + - type + - 'y' + title: Layer (ES|QL) + type: object + Kibana_HTTP_APIs_xyLayerNoESQL: + additionalProperties: false + description: Data layer for standard queries with metrics and buckets + properties: + breakdown_by: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyBreakdownDateHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyBreakdownTerms' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyBreakdownHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyBreakdownRanges' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyBreakdownFilters' + data_source: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' + ignore_global_filters: default: false - description: Indicates whether the package policy supports cloud connectors. - nullable: true + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. type: boolean - updated_at: - type: string - updated_by: - type: string - var_group_selections: - additionalProperties: + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). 
+ maximum: 1 + minimum: 0 + type: number + type: + description: Chart type for the data layer + enum: + - area + - area_percentage + - area_stacked + - bar + - bar_horizontal + - bar_horizontal_stacked + - bar_horizontal_percentage + - bar_percentage + - bar_stacked + - line + type: string + x: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyXDateHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyXTerms' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyXHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyXRanges' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyXFilters' + 'y': + description: Array of metrics to display on Y-axis + items: + anyOf: + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyYCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyYUniqueCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyYStatsMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyYSumMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyYLastValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyYPercentile' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyYPercentileRanks' + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyYDifferences' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyYMovingAverage' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyYCumulativeSum' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyYCounterRate' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyYFormula' + maxItems: 100 + type: array + required: + - type + - data_source + - 'y' + title: Layer (DSL) + type: object + Kibana_HTTP_APIs_xyLayersESQL: + $ref: '#/components/schemas/Kibana_HTTP_APIs_xyLayerESQL' + description: XY chart layer types for ES|QL queries + title: xyLayersESQL + Kibana_HTTP_APIs_xyLayersNoESQL: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyLayerNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyReferenceLineLayerNoESQL' + - $ref: 
'#/components/schemas/Kibana_HTTP_APIs_xyAnnotationLayerNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyAnnotationByRefLayer' + description: XY chart layer types for DSL queries + title: xyLayersNoESQL + Kibana_HTTP_APIs_xyLegend: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyLegendOutsideHorizontal' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyLegendOutsideVertical' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyLegendInside' + description: Legend configuration for XY chart + title: Legend + Kibana_HTTP_APIs_xyLegendInside: + additionalProperties: false + description: Inside legend + properties: + columns: + description: Number of legend columns + maximum: 5 + minimum: 1 + type: number + layout: + additionalProperties: false + type: object + properties: + truncate: + additionalProperties: false + type: object + properties: + enabled: + description: Enable truncation of legend items + type: boolean + max_lines: + description: Number of lines before legend items are truncated. + maximum: 10 + minimum: 1 + title: legendTruncateAfterLines + type: number + type: + enum: + - grid + type: string + required: + - type + placement: + enum: + - inside + type: string + position: + description: Legend position inside the chart + enum: + - top_left + - top_right + - bottom_left + - bottom_right + type: string + series_header: + $ref: '#/components/schemas/Kibana_HTTP_APIs_xyLegendSeriesHeader' + statistics: + description: Statistics to display in legend + items: + description: Statistical functions that can be displayed in chart legend for data series + enum: + - min + - max + - avg + - median + - range + - last_value + - last_non_null_value + - first_value + - first_non_null_value + - difference + - difference_percentage + - count + - total + - standard_deviation + - variance + - distinct_count + - current_and_last_value type: string - description: >- - Variable group selections. 
Maps var_group name to the selected - option name within that group. - type: object - vars: + maxItems: 17 + type: array + visibility: + description: Legend visibility. + enum: + - auto + - visible + - hidden + type: string + required: + - placement + title: Inside + type: object + Kibana_HTTP_APIs_xyLegendOutsideHorizontal: + additionalProperties: false + description: Outside legend positioned horizontal (top/bottom) of the chart + properties: + layout: anyOf: - - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation for more - information) + - additionalProperties: false type: object - - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: + properties: + truncate: + additionalProperties: false + type: object + properties: + enabled: + description: Enable truncation of legend items + type: boolean + max_lines: + description: Number of lines before legend items are truncated. + maximum: 10 + minimum: 1 + title: legendTruncateAfterLines type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: >- - Input/stream level variable. Refer to the integration - documentation for more information. + type: + enum: + - grid + type: string + required: + - type + - additionalProperties: false type: object - x-oas-optional: true - description: Package level variable. - version: - description: Package policy ES version. 
+ properties: + type: + enum: + - list + type: string + required: + - type + placement: + enum: + - outside type: string - required: - - name - - enabled - - package - - inputs - - revision - - updated_at - - updated_by - - created_at - - created_by - title: package_policy_response + position: + enum: + - top + - bottom + type: string + series_header: + $ref: '#/components/schemas/Kibana_HTTP_APIs_xyLegendSeriesHeader' + statistics: + description: Statistics to display in legend + items: + description: Statistical functions that can be displayed in chart legend for data series + enum: + - min + - max + - avg + - median + - range + - last_value + - last_non_null_value + - first_value + - first_non_null_value + - difference + - difference_percentage + - count + - total + - standard_deviation + - variance + - distinct_count + - current_and_last_value + type: string + maxItems: 17 + type: array + visibility: + description: Legend visibility. + enum: + - auto + - visible + - hidden + type: string + title: Outside horizontal type: object - Kibana_HTTP_APIs_package_policy_status_response: + Kibana_HTTP_APIs_xyLegendOutsideVertical: additionalProperties: false + description: Outside legend positioned vertical (left/right) of the chart properties: - body: + layout: additionalProperties: false type: object properties: - message: + truncate: + additionalProperties: false + type: object + properties: + enabled: + description: Enable truncation of legend items + type: boolean + max_lines: + description: Number of lines before legend items are truncated. 
+ maximum: 10 + minimum: 1 + title: legendTruncateAfterLines + type: number + type: + enum: + - grid type: string required: - - message - id: + - type + placement: + enum: + - outside type: string - name: + position: + enum: + - left + - right type: string - statusCode: - type: number - success: + series_header: + $ref: '#/components/schemas/Kibana_HTTP_APIs_xyLegendSeriesHeader' + size: + $ref: '#/components/schemas/Kibana_HTTP_APIs_legendSize' + statistics: + description: Statistics to display in legend + items: + description: Statistical functions that can be displayed in chart legend for data series + enum: + - min + - max + - avg + - median + - range + - last_value + - last_non_null_value + - first_value + - first_non_null_value + - difference + - difference_percentage + - count + - total + - standard_deviation + - variance + - distinct_count + - current_and_last_value + type: string + maxItems: 17 + type: array + visibility: + description: Legend visibility. + enum: + - auto + - visible + - hidden + type: string + title: Outside vertical + type: object + Kibana_HTTP_APIs_xyLegendSeriesHeader: + additionalProperties: false + description: Legend table series header configuration. + properties: + text: + description: Legend table series header text. + type: string + visible: + description: When true, shows the legend table series header. 
type: boolean - required: - - id - - success - title: package_policy_status_response + title: xyLegendSeriesHeader type: object - Kibana_HTTP_APIs_reauthorize_transform_request: + Kibana_HTTP_APIs_xyReferenceLineLayerNoESQL: additionalProperties: false + description: Reference line layer for standard queries properties: - transforms: + data_source: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. + type: boolean + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). + maximum: 1 + minimum: 0 + type: number + thresholds: + description: Array of reference line thresholds items: - additionalProperties: false - type: object - properties: - transformId: - type: string - required: - - transformId - maxItems: 1000 + anyOf: + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyRefLineCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyRefLineUniqueCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyRefLineStatsMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyRefLineSumMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyRefLineLastValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyRefLinePercentile' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyRefLinePercentileRanks' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyRefLineStatic' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyRefLineFormula' + maxItems: 100 + minItems: 1 type: array + type: + enum: + - reference_lines + type: string required: - - transforms - title: reauthorize_transform_request + - type + - data_source + - thresholds + title: Reference Line Layer (DSL) type: object - Kibana_HTTP_APIs_review_upgrade_request: + 
Kibana_HTTP_APIs_xyRefLineCountMetric: additionalProperties: false properties: - action: + axis: + description: The axis this reference line is drawn on. Values match the root axis configuration keys. If omitted, defaults to the primary Y axis. enum: - - accept - - decline - - pending + - x + - 'y' + - y2 type: string - target_version: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. + type: boolean + field: + description: Field to be used for the metric + type: string + fill: + description: Fill direction for reference line + enum: + - above + - below + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + icon: + description: Icon to display on the reference line + enum: + - asterisk + - alert + - bell + - bolt + - bug + - circle + - editor_comment + - flag + - heart + - map_marker + - pin_filled + - star_empty + - star_filled + - tag + - triangle + type: string + label: + description: Label for the operation + type: string + operation: + enum: + - count + type: string + position: + description: Position of the icon and label relative to the reference line + enum: + - auto + - left + - right + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + stroke_dash: + description: Line style + enum: + - solid + - dashed + - dotted + type: string + stroke_width: + description: Line width in pixels + maximum: 10 + minimum: 1 + type: number + text: + additionalProperties: false + description: Reference line text label configuration + type: object + properties: + visible: + description: Show text label on the reference line + type: boolean + required: + - visible + time_scale: + $ref: 
'#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting type: string required: - - action - - target_version - title: review_upgrade_request + - operation + title: Count Metric Operation type: object - Kibana_HTTP_APIs_review_upgrade_response: + Kibana_HTTP_APIs_xyRefLineFormula: additionalProperties: false properties: - success: - type: boolean + axis: + description: The axis this reference line is drawn on. Values match the root axis configuration keys. If omitted, defaults to the primary Y axis. + enum: + - x + - 'y' + - y2 + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + fill: + description: Fill direction for reference line + enum: + - above + - below + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + formula: + description: Formula + type: string + icon: + description: Icon to display on the reference line + enum: + - asterisk + - alert + - bell + - bolt + - bug + - circle + - editor_comment + - flag + - heart + - map_marker + - pin_filled + - star_empty + - star_filled + - tag + - triangle + type: string + label: + description: Label for the operation + type: string + operation: + enum: + - formula + type: string + position: + description: Position of the icon and label relative to the reference line + enum: + - auto + - left + - right + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + stroke_dash: + description: Line style + enum: + - solid + - dashed + - dotted + type: string + stroke_width: + description: Line width in pixels + maximum: 10 + minimum: 1 + type: number + text: + additionalProperties: false + description: Reference line text label configuration + type: object + 
properties: + visible: + description: Show text label on the reference line + type: boolean + required: + - visible + time_scale: + description: Time scale + enum: + - s + - m + - h + - d + type: string required: - - success - title: review_upgrade_response + - operation + - formula + title: Formula Operation type: object - Kibana_HTTP_APIs_rollback_package_response: + Kibana_HTTP_APIs_xyRefLineLastValue: additionalProperties: false properties: - success: + axis: + description: The axis this reference line is drawn on. Values match the root axis configuration keys. If omitted, defaults to the primary Y axis. + enum: + - x + - 'y' + - y2 + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + fill: + description: Fill direction for reference line + enum: + - above + - below + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + icon: + description: Icon to display on the reference line + enum: + - asterisk + - alert + - bell + - bolt + - bug + - circle + - editor_comment + - flag + - heart + - map_marker + - pin_filled + - star_empty + - star_filled + - tag + - triangle + type: string + label: + description: Label for the operation + type: string + multi_value: + default: false + description: Whether to return all values for multi-value fields. Only affects data table and metric charts; other charts use the last value from the array. 
type: boolean - version: + operation: + enum: + - last_value + type: string + position: + description: Position of the icon and label relative to the reference line + enum: + - auto + - left + - right + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + stroke_dash: + description: Line style + enum: + - solid + - dashed + - dotted + type: string + stroke_width: + description: Line width in pixels + maximum: 10 + minimum: 1 + type: number + text: + additionalProperties: false + description: Reference line text label configuration + type: object + properties: + visible: + description: Show text label on the reference line + type: boolean + required: + - visible + time_field: + description: Time field used to determine document recency + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting type: string required: - - version - - success - title: rollback_package_response + - field + - operation + - time_field + title: Last Value Operation type: object - Kibana_HTTP_APIs_simplified_create_package_policy_request: + Kibana_HTTP_APIs_xyRefLinePercentile: additionalProperties: false properties: - additional_datastreams_permissions: - description: >- - Additional datastream permissions, that will be added to the agent - policy. - items: - type: string - maxItems: 100 - nullable: true - type: array - cloud_connector: + axis: + description: The axis this reference line is drawn on. Values match the root axis configuration keys. If omitted, defaults to the primary Y axis. 
+ enum: + - x + - 'y' + - y2 + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + fill: + description: Fill direction for reference line + enum: + - above + - below + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + icon: + description: Icon to display on the reference line + enum: + - asterisk + - alert + - bell + - bolt + - bug + - circle + - editor_comment + - flag + - heart + - map_marker + - pin_filled + - star_empty + - star_filled + - tag + - triangle + type: string + label: + description: Label for the operation + type: string + operation: + enum: + - percentile + type: string + percentile: + default: 95 + description: Percentile + type: number + position: + description: Position of the icon and label relative to the reference line + enum: + - auto + - left + - right + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + stroke_dash: + description: Line style + enum: + - solid + - dashed + - dotted + type: string + stroke_width: + description: Line width in pixels + maximum: 10 + minimum: 1 + type: number + text: additionalProperties: false + description: Reference line text label configuration type: object properties: - cloud_connector_id: - description: >- - ID of an existing cloud connector to reuse. If not provided, a - new connector will be created. - type: string - enabled: - default: false - description: Whether cloud connectors are enabled for this policy. + visible: + description: Show text label on the reference line type: boolean - name: - description: >- - Optional name for the cloud connector. If not provided, will be - auto-generated from credentials. 
- maxLength: 255 - minLength: 1 - type: string - target_csp: - description: >- - Target cloud service provider. If not provided, will be - auto-detected from inputs. - enum: - - aws - - azure - - gcp - type: string - condition: - description: >- - **Experimental.** Agent condition expression to evaluate whether to - apply this integration to its inputs. + required: + - visible + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting type: string - description: - description: Policy description. + required: + - field + - operation + title: Percentile Operation + type: object + Kibana_HTTP_APIs_xyRefLinePercentileRanks: + additionalProperties: false + properties: + axis: + description: The axis this reference line is drawn on. Values match the root axis configuration keys. If omitted, defaults to the primary Y axis. + enum: + - x + - 'y' + - y2 type: string - force: - description: >- - Force package policy creation even if the package is not verified, - or if the agent policy is managed. - type: boolean - global_data_tags: - items: - additionalProperties: false - type: object - properties: - name: - description: The name of the custom field. Cannot contain spaces. - type: string - value: - anyOf: - - type: string - - type: number - description: The value of the custom field. - required: - - name - - value - maxItems: 100 - type: array - id: - description: Policy unique identifier. + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric type: string - inputs: - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: >- - **Experimental.** Agent condition expression to evaluate - whether to apply this input. 
- type: string - deprecated: - $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' - enabled: - description: Enable or disable that input. Defaults to `true` (enabled). - type: boolean - streams: - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: >- - **Experimental.** Agent condition expression to evaluate - whether to apply this stream. - type: string - deprecated: - $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' - enabled: - description: >- - Enable or disable that stream. Defaults to `true` - (enabled). - type: boolean - var_group_selections: - additionalProperties: - type: string - description: >- - Variable group selections. Maps var_group name to the - selected option name within that group. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: >- - Input/stream level variable. Refer to the integration - documentation for more information. - type: object - required: - - deprecated - description: >- - Input streams. Refer to the integration documentation to know - which streams are available. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: >- - Input/stream level variable. Refer to the integration - documentation for more information. 
- type: object - required: - - deprecated - description: >- - Package policy inputs. Refer to the integration documentation to - know which inputs are available. - type: object - name: - description: Unique name for the policy. + fill: + description: Fill direction for reference line + enum: + - above + - below type: string - namespace: - description: >- - Policy namespace. When not specified, it inherits the agent policy - namespace. + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + icon: + description: Icon to display on the reference line + enum: + - asterisk + - alert + - bell + - bolt + - bug + - circle + - editor_comment + - flag + - heart + - map_marker + - pin_filled + - star_empty + - star_filled + - tag + - triangle type: string - package: - $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_package' - policy_template: - description: >- - The policy template to use for the agentless package policy. If not - provided, the default policy template will be used. + label: + description: Label for the operation type: string - var_group_selections: - additionalProperties: - type: string - description: >- - Variable group selections. Maps var_group name to the selected - option name within that group. 
+ operation: + enum: + - percentile_rank + type: string + position: + description: Position of the icon and label relative to the reference line + enum: + - auto + - left + - right + type: string + rank: + default: 0 + description: Percentile Rank + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + stroke_dash: + description: Line style + enum: + - solid + - dashed + - dotted + type: string + stroke_width: + description: Line width in pixels + maximum: 10 + minimum: 1 + type: number + text: + additionalProperties: false + description: Reference line text label configuration type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: >- - Input/stream level variable. Refer to the integration documentation - for more information. + properties: + visible: + description: Show text label on the reference line + type: boolean + required: + - visible + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Percentile Ranks Operation + type: object + Kibana_HTTP_APIs_xyRefLineStatic: + additionalProperties: false + properties: + axis: + description: The axis this reference line is drawn on. Values match the root axis configuration keys. If omitted, defaults to the primary Y axis. 
+ enum: + - x + - 'y' + - y2 + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + fill: + description: Fill direction for reference line + enum: + - above + - below + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + icon: + description: Icon to display on the reference line + enum: + - asterisk + - alert + - bell + - bolt + - bug + - circle + - editor_comment + - flag + - heart + - map_marker + - pin_filled + - star_empty + - star_filled + - tag + - triangle + type: string + label: + description: Label for the operation + type: string + operation: + enum: + - static_value + type: string + position: + description: Position of the icon and label relative to the reference line + enum: + - auto + - left + - right + type: string + stroke_dash: + description: Line style + enum: + - solid + - dashed + - dotted + type: string + stroke_width: + description: Line width in pixels + maximum: 10 + minimum: 1 + type: number + text: + additionalProperties: false + description: Reference line text label configuration type: object + properties: + visible: + description: Show text label on the reference line + type: boolean + required: + - visible + value: + default: 100 + description: Static value + type: number required: - - name - - package - title: simplified_create_package_policy_request + - operation + title: Static Operation Definition type: object - Kibana_HTTP_APIs_update_output_elasticsearch: + Kibana_HTTP_APIs_xyRefLineStatsMetric: additionalProperties: false properties: - allow_edit: - items: - type: string - maxItems: 1000 - type: array - ca_sha256: - nullable: true + axis: + description: The axis this reference line is drawn on. Values match the root axis configuration keys. If omitted, defaults to the primary Y axis. 
+ enum: + - x + - 'y' + - y2 type: string - ca_trusted_fingerprint: - nullable: true + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric type: string - config_yaml: - nullable: true + fill: + description: Fill direction for reference line + enum: + - above + - below type: string - hosts: - items: - format: uri - type: string - maxItems: 10 - minItems: 1 - type: array - id: + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + icon: + description: Icon to display on the reference line + enum: + - asterisk + - alert + - bell + - bolt + - bug + - circle + - editor_comment + - flag + - heart + - map_marker + - pin_filled + - star_empty + - star_filled + - tag + - triangle type: string - is_default: - type: boolean - is_default_monitoring: - type: boolean - is_internal: - type: boolean - is_preconfigured: - type: boolean - name: + label: + description: Label for the operation type: string - otel_disable_beatsauth: - nullable: true - type: boolean - otel_exporter_config_yaml: - nullable: true + operation: + enum: + - min + - max + - average + - median + - standard_deviation type: string - preset: + position: + description: Position of the icon and label relative to the reference line enum: - - balanced - - custom - - throughput - - scale - - latency + - auto + - left + - right type: string - proxy_id: - nullable: true + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting type: string - secrets: + stroke_dash: + description: Line style + enum: + - solid + - dashed + - dotted + type: string + stroke_width: + description: Line width in pixels + maximum: 10 + minimum: 1 + type: number + text: additionalProperties: false + description: Reference line text label configuration type: object properties: - 
ssl: - additionalProperties: false - type: object - properties: - key: - anyOf: - - additionalProperties: false - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - shipper: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' - nullable: true - ssl: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' - nullable: true - type: - enum: - - elasticsearch + visible: + description: Show text label on the reference line + type: boolean + required: + - visible + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting type: string - write_to_logs_streams: - nullable: true - type: boolean - title: update_output_elasticsearch + required: + - field + - operation + title: Stats Metric Operation type: object - Kibana_HTTP_APIs_update_output_kafka: + Kibana_HTTP_APIs_xyRefLineSumMetric: additionalProperties: false properties: - allow_edit: - items: - type: string - maxItems: 1000 - type: array - auth_type: + axis: + description: The axis this reference line is drawn on. Values match the root axis configuration keys. If omitted, defaults to the primary Y axis. enum: - - none - - user_pass - - ssl - - kerberos + - x + - 'y' + - y2 type: string - broker_timeout: - type: number - ca_sha256: - nullable: true + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric type: string - ca_trusted_fingerprint: - nullable: true + fill: + description: Fill direction for reference line + enum: + - above + - below type: string - client_id: + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + icon: + description: Icon to display on the reference line + enum: + - asterisk + - alert + - bell + - bolt + - bug + - circle + - editor_comment + - flag + - heart + - map_marker + - pin_filled + - star_empty + - star_filled + - tag + - triangle type: string - compression: + label: + description: Label for the operation + type: string + operation: enum: - - gzip - - snappy - - lz4 - - none + - sum type: string - compression_level: - nullable: true - type: number - config_yaml: - nullable: true + position: + description: Position of the icon and label relative to the reference line + enum: + - auto + - left + - right type: string - connection_type: + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + stroke_dash: + description: Line style enum: - - plaintext - - encryption + - solid + - dashed + - dotted type: string - hash: + stroke_width: + description: Line width in pixels + maximum: 10 + minimum: 1 + type: number + text: additionalProperties: false + description: Reference line text label configuration type: object properties: - hash: - type: string - random: + visible: + description: Show text label on the reference line type: boolean - headers: - items: - additionalProperties: false - type: object - properties: - key: - type: string - value: - type: string - required: - - key - - value - maxItems: 100 - type: array - hosts: - items: - type: string - maxItems: 10 - minItems: 1 - type: array - id: + required: + - visible + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + 
description: Time shift + title: Operation Time Shift Setting type: string - is_default: - default: false - type: boolean - is_default_monitoring: + required: + - field + - operation + title: Sum Metric Operation + type: object + Kibana_HTTP_APIs_xyRefLineUniqueCountMetric: + additionalProperties: false + properties: + axis: + description: The axis this reference line is drawn on. Values match the root axis configuration keys. If omitted, defaults to the primary Y axis. + enum: + - x + - 'y' + - y2 + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + empty_as_null: default: false + description: When `true`, treats empty buckets as null instead of zero. type: boolean - is_internal: - type: boolean - is_preconfigured: - type: boolean - key: + field: + description: Field to be used for the metric type: string - name: + fill: + description: Fill direction for reference line + enum: + - above + - below type: string - otel_disable_beatsauth: - nullable: true - type: boolean - otel_exporter_config_yaml: - nullable: true + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + icon: + description: Icon to display on the reference line + enum: + - asterisk + - alert + - bell + - bolt + - bug + - circle + - editor_comment + - flag + - heart + - map_marker + - pin_filled + - star_empty + - star_filled + - tag + - triangle type: string - partition: + label: + description: Label for the operation + type: string + operation: enum: - - random - - round_robin - - hash + - unique_count type: string - password: - nullable: true + position: + description: Position of the icon and label relative to the reference line + enum: + - auto + - left + - right type: string - proxy_id: - nullable: true + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting type: 
string - random: + stroke_dash: + description: Line style + enum: + - solid + - dashed + - dotted + type: string + stroke_width: + description: Line width in pixels + maximum: 10 + minimum: 1 + type: number + text: additionalProperties: false + description: Reference line text label configuration type: object properties: - group_events: - type: number - required_acks: + visible: + description: Show text label on the reference line + type: boolean + required: + - visible + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Unique Count Metric Operation + type: object + Kibana_HTTP_APIs_xyStyling: + additionalProperties: false + description: Visual styling options for the chart + properties: + areas: + $ref: '#/components/schemas/Kibana_HTTP_APIs_xyStylingAreas' + bars: + $ref: '#/components/schemas/Kibana_HTTP_APIs_xyStylingBars' + fitting: + $ref: '#/components/schemas/Kibana_HTTP_APIs_xyFitting' + interpolation: + description: Curve interpolation method for line and area series enum: - - 1 - - 0 - - -1 - type: integer - round_robin: + - linear + - smooth + - stepped + type: string + overlays: + $ref: '#/components/schemas/Kibana_HTTP_APIs_xyStylingOverlays' + points: + $ref: '#/components/schemas/Kibana_HTTP_APIs_xyStylingPoints' + title: xyStyling + type: object + Kibana_HTTP_APIs_xyStylingAreas: + additionalProperties: false + description: Area-specific rendering settings + properties: + fill_opacity: + description: Area fill opacity (0-1 typical, max 2 for legacy) + maximum: 2 + minimum: 0 + type: number + title: xyStylingAreas + type: object + Kibana_HTTP_APIs_xyStylingBars: + additionalProperties: false + description: Bar-specific rendering settings + properties: + data_labels: additionalProperties: false + description: Data label configuration for bar series type: object properties: - 
group_events: - type: number - sasl: + visible: + default: false + description: Display value labels on bar data points + type: boolean + minimum_height: + description: Minimum bar height in pixels + minimum: 0 + type: number + title: xyStylingBars + type: object + Kibana_HTTP_APIs_xyStylingOverlays: + additionalProperties: false + description: Visual overlays drawn on top of the chart canvas + properties: + current_time_marker: additionalProperties: false - nullable: true + description: Current time marker configuration type: object properties: - mechanism: - enum: - - PLAIN - - SCRAM-SHA-256 - - SCRAM-SHA-512 - type: string - secrets: + visible: + default: false + description: Show current time marker line + type: boolean + partial_buckets: additionalProperties: false + description: Partial (incomplete) bucket indicator configuration type: object properties: - password: - anyOf: - - additionalProperties: false - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - key: - anyOf: - - additionalProperties: false - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - required: - - key - shipper: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' - nullable: true - ssl: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' - nullable: true - timeout: - type: number - topic: - type: string - type: + visible: + default: false + description: Show partial bucket indicators at time range edges + type: boolean + title: xyStylingOverlays + type: object + Kibana_HTTP_APIs_xyStylingPoints: + additionalProperties: false + description: Data point marker settings for line and area series + properties: + visibility: + description: Data point marker visibility on line and area series enum: - - kafka + - auto + - visible + - hidden type: string - username: - nullable: 
true + title: xyStylingPoints + type: object + Kibana_HTTP_APIs_xyXDateHistogram: + additionalProperties: false + properties: + drop_partial_intervals: + description: When `true`, drops partial intervals from the results. + type: boolean + field: + description: Field to be used for the date histogram. type: string - version: + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. + type: boolean + label: + description: Label for the operation + type: string + operation: + enum: + - date_histogram type: string + suggested_interval: + default: auto + description: Suggested time interval. + type: string + use_original_time_range: + default: false + description: When `true`, uses the original time range instead of the current query time range. + type: boolean required: - - name - title: update_output_kafka + - operation + - field + title: Date Histogram Operation type: object - Kibana_HTTP_APIs_update_output_logstash: + Kibana_HTTP_APIs_xyXFilters: additionalProperties: false properties: - allow_edit: + filters: items: - type: string - maxItems: 1000 + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterWithLabel' + maxItems: 100 type: array - ca_sha256: - nullable: true + label: + description: Label for the operation type: string - ca_trusted_fingerprint: - nullable: true + operation: + enum: + - filters type: string - config_yaml: - nullable: true + required: + - operation + - filters + title: Filters Operation + type: object + Kibana_HTTP_APIs_xyXHistogram: + additionalProperties: false + properties: + field: + description: Field to be used for the histogram. type: string - hosts: + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + granularity: + anyOf: + - description: Granularity of the histogram. + maximum: 7 + minimum: 1 + type: number + - enum: + - auto + type: string + default: auto + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. 
+ type: boolean + label: + description: Label for the operation + type: string + operation: + enum: + - histogram + type: string + required: + - operation + - field + title: Histogram Operation + type: object + Kibana_HTTP_APIs_xyXRanges: + additionalProperties: false + properties: + field: + description: Field to be used for the range. + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - range + type: string + ranges: + items: + additionalProperties: false + type: object + properties: + gt: + description: Greater than. + type: number + label: + description: Label. + type: string + lte: + description: Less than or equal to. + type: number + maxItems: 100 + type: array + required: + - operation + - field + - ranges + title: Ranges Operation + type: object + Kibana_HTTP_APIs_xyXTerms: + additionalProperties: false + properties: + excludes: + additionalProperties: false + type: object + properties: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to exclude. + type: string + maxItems: 100 + type: array + required: + - values + fields: items: + description: Fields to be used for the terms. type: string - maxItems: 10 + maxItems: 4 minItems: 1 type: array - id: - type: string - is_default: - type: boolean - is_default_monitoring: - type: boolean - is_internal: - type: boolean - is_preconfigured: - type: boolean - name: - type: string - otel_disable_beatsauth: - nullable: true + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + includes: + additionalProperties: false + type: object + properties: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to include. 
+ type: string + maxItems: 100 + type: array + required: + - values + increase_accuracy: + description: When `true`, increases accuracy at the cost of performance. type: boolean - otel_exporter_config_yaml: - nullable: true + label: + description: Label for the operation type: string - proxy_id: - nullable: true + limit: + default: 5 + description: Number of terms to return. + type: number + operation: + enum: + - terms type: string - secrets: + other_bucket: additionalProperties: false type: object properties: - ssl: - additionalProperties: false - type: object - properties: - key: - anyOf: - - additionalProperties: false - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - shipper: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' - nullable: true - ssl: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' - nullable: true - type: + include_documents_without_field: + description: When `true`, includes documents that do not have the specified field. + type: boolean + required: + - include_documents_without_field + rank_by: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByAlphabetical' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByRare' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankBySignificant' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomCountOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileRankOperation' + required: + - operation + - fields + title: Terms Operation + type: object + Kibana_HTTP_APIs_xyYCounterRate: + additionalProperties: false + properties: + axis: + description: The Y axis this metric is plotted on. 
Values match the root axis configuration keys (axis.y, axis.y2). If omitted, defaults to the Y axis start (leading) side. + enum: + - 'y' + - y2 + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - counter_rate + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Counter Rate Operation + type: object + Kibana_HTTP_APIs_xyYCountMetric: + additionalProperties: false + properties: + axis: + description: The Y axis this metric is plotted on. Values match the root axis configuration keys (axis.y, axis.y2). If omitted, defaults to the Y axis start (leading) side. + enum: + - 'y' + - y2 + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - operation + title: Count Metric Operation + type: object + Kibana_HTTP_APIs_xyYCumulativeSum: + additionalProperties: false + properties: + axis: + description: The Y axis this metric is plotted on. Values match the root axis configuration keys (axis.y, axis.y2). If omitted, defaults to the Y axis start (leading) side. + enum: + - 'y' + - y2 + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: enum: - - logstash + - cumulative_sum type: string - title: update_output_logstash + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Cumulative Sum Operation type: object - Kibana_HTTP_APIs_update_output_remote_elasticsearch: + Kibana_HTTP_APIs_xyYDifferences: 
additionalProperties: false properties: - allow_edit: - items: - type: string - maxItems: 1000 - type: array - ca_sha256: - nullable: true + axis: + description: The Y axis this metric is plotted on. Values match the root axis configuration keys (axis.y, axis.y2). If omitted, defaults to the Y axis start (leading) side. + enum: + - 'y' + - y2 type: string - ca_trusted_fingerprint: - nullable: true + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string - config_yaml: - nullable: true + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - differences type: string - hosts: - items: - format: uri - type: string - maxItems: 10 - minItems: 1 - type: array - id: + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting type: string - is_default: - type: boolean - is_default_monitoring: - type: boolean - is_internal: - type: boolean - is_preconfigured: - type: boolean - kibana_api_key: - nullable: true + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting type: string - kibana_url: - nullable: true + required: + - operation + - of + title: Differences Operation + type: object + Kibana_HTTP_APIs_xyYFormula: + additionalProperties: false + properties: + axis: + description: The Y axis this metric is plotted on. Values match the root axis configuration keys (axis.y, axis.y2). If omitted, defaults to the Y axis start (leading) side. 
+ enum: + - 'y' + - y2 type: string - name: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + formula: + description: Formula type: string - otel_disable_beatsauth: - nullable: true - type: boolean - otel_exporter_config_yaml: - nullable: true + label: + description: Label for the operation type: string - preset: + operation: enum: - - balanced - - custom - - throughput - - scale - - latency + - formula type: string - proxy_id: - nullable: true + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting type: string - secrets: - additionalProperties: false - type: object - properties: - service_token: - anyOf: - - additionalProperties: false - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - key: - anyOf: - - additionalProperties: false - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - service_token: - nullable: true + time_scale: + description: Time scale + enum: + - s + - m + - h + - d type: string - shipper: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' - nullable: true - ssl: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' - nullable: true - sync_integrations: - type: boolean - sync_uninstalled_integrations: - type: boolean - type: + required: + - operation + - formula + title: Formula Operation + type: object + Kibana_HTTP_APIs_xyYLastValue: + additionalProperties: false + properties: + axis: + description: The Y axis this metric is plotted on. Values match the root axis configuration keys (axis.y, axis.y2). 
If omitted, defaults to the Y axis start (leading) side. enum: - - remote_elasticsearch + - 'y' + - y2 type: string - write_to_logs_streams: - nullable: true + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + multi_value: + default: false + description: Whether to return all values for multi-value fields. Only affects data table and metric charts; other charts use the last value from the array. type: boolean - title: update_output_remote_elasticsearch + operation: + enum: + - last_value + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_field: + description: Time field used to determine document recency + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + - time_field + title: Last Value Operation type: object - Kibana_HTTP_APIs_update_package_policy_request: + Kibana_HTTP_APIs_xyYMovingAverage: additionalProperties: false properties: - additional_datastreams_permissions: - description: >- - Additional datastream permissions, that will be added to the agent - policy. - items: - type: string - maxItems: 1000 - nullable: true - type: array - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. - nullable: true + axis: + description: The Y axis this metric is plotted on. Values match the root axis configuration keys (axis.y, axis.y2). If omitted, defaults to the Y axis start (leading) side. 
+ enum: + - 'y' + - y2 type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. - maxLength: 255 - minLength: 1 - nullable: true + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string - condition: - description: >- - **Experimental.** Agent condition expression to evaluate whether to - apply this integration to its inputs. + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - moving_average type: string - description: - description: Package policy description + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting type: string - enabled: - type: boolean - force: - type: boolean - global_data_tags: - items: - additionalProperties: false - type: object - properties: - name: - description: The name of the custom field. Cannot contain spaces. - type: string - value: - anyOf: - - type: string - - type: number - description: The value of the custom field. - required: - - name - - value - maxItems: 100 - nullable: true - type: array - inputs: - items: - additionalProperties: false - type: object - properties: - condition: - description: >- - **Experimental.** Agent condition expression to evaluate - whether to apply this input. 
- type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation for more - information) - type: object - deprecated: - $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - condition: - description: >- - **Experimental.** Agent condition expression to evaluate - whether to apply this stream. - type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation for more - information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: >- - Variable group selections. Maps var_group name to the - selected option name within that group. 
- type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation for more - information) - type: object - required: - - enabled - - data_stream - - compiled_stream - - deprecated - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: >- - Variable group selections. Maps var_group name to the selected - option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation for more - information) - type: object - required: - - type - - enabled - - deprecated - maxItems: 1000 - type: array - is_managed: - type: boolean - name: + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting type: string - namespace: - description: >- - The package policy namespace. Leave blank to inherit the agent - policy's namespace. + window: + default: 5 + description: Window + type: number + required: + - operation + - of + title: Moving Average Operation + type: object + Kibana_HTTP_APIs_xyYPercentile: + additionalProperties: false + properties: + axis: + description: The Y axis this metric is plotted on. Values match the root axis configuration keys (axis.y, axis.y2). If omitted, defaults to the Y axis start (leading) side. 
+ enum: + - 'y' + - y2 type: string - output_id: - nullable: true + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric type: string - overrides: - additionalProperties: false - description: >- - Override settings that are defined in the package policy. The - override option should be used only in unusual circumstances and not - as a routine procedure. - nullable: true - type: object - properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_package' - package_agent_version_condition: + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. - nullable: true + operation: + enum: + - percentile type: string - policy_ids: - items: - description: >- - IDs of the agent policies which that package policy will be added - to. - type: string - maxItems: 1000 - type: array - spaceIds: - items: - type: string - maxItems: 100 - type: array - supports_agentless: - default: false - description: >- - Indicates whether the package policy belongs to an agentless agent - policy. - nullable: true - type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. - nullable: true - type: boolean - var_group_selections: - additionalProperties: - type: string - description: >- - Variable group selections. Maps var_group name to the selected - option name within that group. 
- type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation for more - information) - type: object - version: + percentile: + default: 95 + description: Percentile + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting type: string required: - - package - title: update_package_policy_request + - field + - operation + title: Percentile Operation type: object - Kibana_HTTP_APIs_update_package_request: + Kibana_HTTP_APIs_xyYPercentileRanks: additionalProperties: false properties: - keepPoliciesUpToDate: - type: boolean - namespace_customization_enabled_for: - description: >- - Namespaces for which namespace-level customization is enabled on - this package. - items: - type: string - maxItems: 100 - type: array - title: update_package_request + axis: + description: The Y axis this metric is plotted on. Values match the root axis configuration keys (axis.y, axis.y2). If omitted, defaults to the Y axis start (leading) side. 
+ enum: + - 'y' + - y2 + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - percentile_rank + type: string + rank: + default: 0 + description: Percentile Rank + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Percentile Ranks Operation type: object - Kibana_HTTP_APIs_update_package_response: + Kibana_HTTP_APIs_xyYStatsMetric: additionalProperties: false properties: - item: - $ref: '#/components/schemas/Kibana_HTTP_APIs_get_package_info' + axis: + description: The Y axis this metric is plotted on. Values match the root axis configuration keys (axis.y, axis.y2). If omitted, defaults to the Y axis start (leading) side. 
+ enum: + - 'y' + - y2 + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - min + - max + - average + - median + - standard_deviation + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string required: - - item - title: update_package_response + - field + - operation + title: Stats Metric Operation type: object - Kibana_HTTP_APIs_upgrade_package_policies_request: + Kibana_HTTP_APIs_xyYSumMetric: additionalProperties: false properties: - packagePolicyIds: - items: - type: string - maxItems: 1000 - type: array + axis: + description: The Y axis this metric is plotted on. Values match the root axis configuration keys (axis.y, axis.y2). If omitted, defaults to the Y axis start (leading) side. + enum: + - 'y' + - y2 + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string required: - - packagePolicyIds - title: upgrade_package_policies_request + - field + - operation + title: Sum Metric Operation + type: object + Kibana_HTTP_APIs_xyYUniqueCountMetric: + additionalProperties: false + properties: + axis: + description: The Y axis this metric is plotted on. Values match the root axis configuration keys (axis.y, axis.y2). If omitted, defaults to the Y axis start (leading) side. + enum: + - 'y' + - y2 + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - unique_count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Unique Count Metric Operation type: object Machine_learning_APIs_mlSync200Response: properties: datafeedsAdded: additionalProperties: $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDatafeeds' - description: >- - If a saved object for an anomaly detection job is missing a datafeed - identifier, it is added when you run the sync machine learning saved - objects API. + description: If a saved object for an anomaly detection job is missing a datafeed identifier, it is added when you run the sync machine learning saved objects API. type: object datafeedsRemoved: additionalProperties: $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDatafeeds' - description: >- - If a saved object for an anomaly detection job references a datafeed - that no longer exists, it is deleted when you run the sync machine - learning saved objects API. + description: If a saved object for an anomaly detection job references a datafeed that no longer exists, it is deleted when you run the sync machine learning saved objects API. 
type: object savedObjectsCreated: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseSavedObjectsCreated + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSavedObjectsCreated' savedObjectsDeleted: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseSavedObjectsDeleted + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSavedObjectsDeleted' title: Successful sync API response type: object Machine_learning_APIs_mlSync4xxResponse: 
@@ -52319,97 +105779,63 @@ components: title: Unsuccessful sync API response type: object Machine_learning_APIs_mlSyncResponseAnomalyDetectors: - description: >- - The sync machine learning saved objects API response contains this - object when there are anomaly detection jobs affected by the - synchronization. There is an object for each relevant job, which - contains the synchronization status. + description: The sync machine learning saved objects API response contains this object when there are anomaly detection jobs affected by the synchronization. There is an object for each relevant job, which contains the synchronization status. properties: success: $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' title: Sync API response for anomaly detection jobs type: object Machine_learning_APIs_mlSyncResponseDatafeeds: - description: >- - The sync machine learning saved objects API response contains this - object when there are datafeeds affected by the synchronization. There - is an object for each relevant datafeed, which contains the - synchronization status. + description: The sync machine learning saved objects API response contains this object when there are datafeeds affected by the synchronization. There is an object for each relevant datafeed, which contains the synchronization status. properties: success: $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' title: Sync API response for datafeeds type: object Machine_learning_APIs_mlSyncResponseDataFrameAnalytics: - description: >- - The sync machine learning saved objects API response contains this - object when there are data frame analytics jobs affected by the - synchronization. There is an object for each relevant job, which - contains the synchronization status. + description: The sync machine learning saved objects API response contains this object when there are data frame analytics jobs affected by the synchronization. 
There is an object for each relevant job, which contains the synchronization status. properties: success: $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' title: Sync API response for data frame analytics jobs type: object Machine_learning_APIs_mlSyncResponseSavedObjectsCreated: - description: >- - If saved objects are missing for machine learning jobs or trained - models, they are created when you run the sync machine learning saved - objects API. + description: If saved objects are missing for machine learning jobs or trained models, they are created when you run the sync machine learning saved objects API. properties: anomaly-detector: additionalProperties: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseAnomalyDetectors - description: >- - If saved objects are missing for anomaly detection jobs, they are - created. + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseAnomalyDetectors' + description: If saved objects are missing for anomaly detection jobs, they are created. type: object data-frame-analytics: additionalProperties: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseDataFrameAnalytics - description: >- - If saved objects are missing for data frame analytics jobs, they are - created. + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDataFrameAnalytics' + description: If saved objects are missing for data frame analytics jobs, they are created. type: object trained-model: additionalProperties: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseTrainedModels + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseTrainedModels' description: If saved objects are missing for trained models, they are created. 
type: object title: Sync API response for created saved objects type: object Machine_learning_APIs_mlSyncResponseSavedObjectsDeleted: - description: >- - If saved objects exist for machine learning jobs or trained models that - no longer exist, they are deleted when you run the sync machine learning - saved objects API. + description: If saved objects exist for machine learning jobs or trained models that no longer exist, they are deleted when you run the sync machine learning saved objects API. properties: anomaly-detector: additionalProperties: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseAnomalyDetectors - description: >- - If there are saved objects exist for nonexistent anomaly detection - jobs, they are deleted. + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseAnomalyDetectors' + description: If there are saved objects exist for nonexistent anomaly detection jobs, they are deleted. type: object data-frame-analytics: additionalProperties: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseDataFrameAnalytics - description: >- - If there are saved objects exist for nonexistent data frame - analytics jobs, they are deleted. + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDataFrameAnalytics' + description: If there are saved objects exist for nonexistent data frame analytics jobs, they are deleted. type: object trained-model: additionalProperties: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseTrainedModels - description: >- - If there are saved objects exist for nonexistent trained models, - they are deleted. + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseTrainedModels' + description: If there are saved objects exist for nonexistent trained models, they are deleted. type: object title: Sync API response for deleted saved objects type: object 
@@ -52417,11 +105843,7 @@ components: description: The success or failure of the synchronization. type: boolean Machine_learning_APIs_mlSyncResponseTrainedModels: - description: >- - The sync machine learning saved objects API response contains this - object when there are trained models affected by the synchronization. - There is an object for each relevant trained model, which contains the - synchronization status. + description: The sync machine learning saved objects API response contains this object when there are trained models affected by the synchronization. There is an object for each relevant trained model, which contains the synchronization status. properties: success: $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' @@ -52501,8 +105923,7 @@ components: description: The name associated with the message. type: string role: - $ref: >- - #/components/schemas/Observability_AI_Assistant_API_MessageRoleEnum + $ref: '#/components/schemas/Observability_AI_Assistant_API_MessageRoleEnum' required: - role required: @@ -52608,8 +106029,7 @@ components: example: user.name type: string skip_reason: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipReason + $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipReason' description: Reason why the anonymization field was not modified. required: - id 
@@ -52627,15 +106047,12 @@ components: errors: description: List of errors that occurred during the bulk operation. items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_NormalizedAnonymizationFieldError + $ref: '#/components/schemas/Security_AI_Assistant_API_NormalizedAnonymizationFieldError' type: array results: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResults + $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResults' summary: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_BulkCrudActionSummary + $ref: '#/components/schemas/Security_AI_Assistant_API_BulkCrudActionSummary' required: - results - summary @@ -52659,8 +106076,7 @@ components: created: description: List of anonymization fields successfully created. items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse + $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse' type: array deleted: items: @@ -52671,14 +106087,12 @@ components: skipped: description: List of anonymization fields that were skipped during the operation. items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipResult + $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipResult' type: array updated: description: List of anonymization fields successfully updated. items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse + $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse' type: array required: - updated 
@@ -52874,9 +106288,7 @@ components: $ref: '#/components/schemas/Security_AI_Assistant_API_MessageData' description: Metadata to attach to the context of the message. fields_to_anonymize: - description: >- - List of field names within the data object that should be - anonymized. + description: List of field names within the data object that should be anonymized. example: - user.name - source.ip @@ -52899,18 +106311,12 @@ components: Security_AI_Assistant_API_ContentReferences: additionalProperties: oneOf: - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryContentReference - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_SecurityAlertContentReference - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_SecurityAlertsPageContentReference - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_ProductDocumentationContentReference - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_EsqlContentReference - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_HrefContentReference + - $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryContentReference' + - $ref: '#/components/schemas/Security_AI_Assistant_API_SecurityAlertContentReference' + - $ref: '#/components/schemas/Security_AI_Assistant_API_SecurityAlertsPageContentReference' + - $ref: '#/components/schemas/Security_AI_Assistant_API_ProductDocumentationContentReference' + - $ref: '#/components/schemas/Security_AI_Assistant_API_EsqlContentReference' + - $ref: '#/components/schemas/Security_AI_Assistant_API_HrefContentReference' additionalProperties: false description: A union of all content reference types type: object 
@@ -53062,9 +106468,7 @@ components: example: default type: string users: - description: >- - Users who have access to the Knowledge Base Entry, defaults to - current user. Empty array provides access to all users. + description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users. items: $ref: '#/components/schemas/Security_AI_Assistant_API_User' type: array @@ -53074,8 +106478,7 @@ components: - global - users - $ref: '#/components/schemas/Security_AI_Assistant_API_ResponseFields' - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_DocumentEntryResponseFields + - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryResponseFields' Security_AI_Assistant_API_DocumentEntryCreateFields: allOf: - type: object @@ -53093,18 +106496,14 @@ components: example: default type: string users: - description: >- - Users who have access to the Knowledge Base Entry, defaults to - current user. Empty array provides access to all users. + description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users. items: $ref: '#/components/schemas/Security_AI_Assistant_API_User' type: array required: - name - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_DocumentEntryRequiredFields - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_DocumentEntryOptionalFields + - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryRequiredFields' + - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryOptionalFields' Security_AI_Assistant_API_DocumentEntryOptionalFields: type: object properties: 
@@ -53140,10 +106539,8 @@ components: - text Security_AI_Assistant_API_DocumentEntryResponseFields: allOf: - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_DocumentEntryRequiredFields - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_DocumentEntryOptionalFields + - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryRequiredFields' + - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryOptionalFields' Security_AI_Assistant_API_DocumentEntryUpdateFields: allOf: - type: object @@ -53163,16 +106560,13 @@ components: example: default type: string users: - description: >- - Users who have access to the Knowledge Base Entry, defaults to - current user. Empty array provides access to all users. + description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users. items: $ref: '#/components/schemas/Security_AI_Assistant_API_User' type: array required: - id - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields + - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields' Security_AI_Assistant_API_EsqlContentReference: allOf: - $ref: '#/components/schemas/Security_AI_Assistant_API_BaseContentReference' @@ -53218,9 +106612,7 @@ components: - updated_at type: string Security_AI_Assistant_API_FindConversationsSortField: - description: >- - The field by which to sort the conversations. Possible values are - `created_at`, `title`, and `updated_at`. + description: The field by which to sort the conversations. Possible values are `created_at`, `title`, and `updated_at`. enum: - created_at - title 
@@ -53281,9 +106673,7 @@ components: example: default type: string users: - description: >- - Users who have access to the Knowledge Base Entry, defaults to - current user. Empty array provides access to all users. + description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users. items: $ref: '#/components/schemas/Security_AI_Assistant_API_User' type: array @@ -53293,8 +106683,7 @@ components: - global - users - $ref: '#/components/schemas/Security_AI_Assistant_API_ResponseFields' - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_IndexEntryResponseFields + - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryResponseFields' Security_AI_Assistant_API_IndexEntryCreateFields: allOf: - type: object @@ -53312,27 +106701,21 @@ components: example: default type: string users: - description: >- - Users who have access to the Knowledge Base Entry, defaults to - current user. Empty array provides access to all users. + description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users. items: $ref: '#/components/schemas/Security_AI_Assistant_API_User' type: array required: - name - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_IndexEntryRequiredFields - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_IndexEntryOptionalFields + - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryRequiredFields' + - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryOptionalFields' Security_AI_Assistant_API_IndexEntryOptionalFields: type: object properties: inputSchema: $ref: '#/components/schemas/Security_AI_Assistant_API_InputSchema' outputFields: - description: >- - Fields to extract from the query result, defaults to all fields if - not provided or empty. + description: Fields to extract from the query result, defaults to all fields if not provided or empty. example: - title - author 
@@ -53343,9 +106726,7 @@ components: type: object properties: description: - description: >- - Description for when this index or data stream should be queried for - Knowledge Base content. Passed to the LLM as a tool description. + description: Description for when this index or data stream should be queried for Knowledge Base content. Passed to the LLM as a tool description. example: Query this index for general knowledge base content. type: string field: @@ -53357,9 +106738,7 @@ components: example: knowledge_base_index type: string queryDescription: - description: >- - Description of query field used to fetch Knowledge Base content. - Passed to the LLM as part of the tool input schema. + description: Description of query field used to fetch Knowledge Base content. Passed to the LLM as part of the tool input schema. example: Search for documents containing the specified keywords. type: string type: @@ -53376,10 +106755,8 @@ components: - queryDescription Security_AI_Assistant_API_IndexEntryResponseFields: allOf: - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_IndexEntryRequiredFields - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_IndexEntryOptionalFields + - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryRequiredFields' + - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryOptionalFields' Security_AI_Assistant_API_IndexEntryUpdateFields: allOf: - type: object 
@@ -53399,20 +106776,15 @@ components: example: default type: string users: - description: >- - Users who have access to the Knowledge Base Entry, defaults to - current user. Empty array provides access to all users. + description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users. items: $ref: '#/components/schemas/Security_AI_Assistant_API_User' type: array required: - id - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields + - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields' Security_AI_Assistant_API_InputSchema: - description: >- - Array of objects defining the input schema, allowing the LLM to extract - structured data to be used in retrieval. + description: Array of objects defining the input schema, allowing the LLM to extract structured data to be used in retrieval. items: type: object properties: @@ -53435,8 +106807,7 @@ components: type: array Security_AI_Assistant_API_InputTextInterruptResumeValue: allOf: - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_BaseInterruptResumeValue + - $ref: '#/components/schemas/Security_AI_Assistant_API_BaseInterruptResumeValue' - type: object properties: type: @@ -53476,11 +106847,9 @@ components: Security_AI_Assistant_API_InterruptResumeValue: description: Union of the interrupt resume values oneOf: - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_SelectOptionInterruptResumeValue + - $ref: '#/components/schemas/Security_AI_Assistant_API_SelectOptionInterruptResumeValue' additionalProperties: false - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_InputTextInterruptResumeValue + - $ref: '#/components/schemas/Security_AI_Assistant_API_InputTextInterruptResumeValue' additionalProperties: false Security_AI_Assistant_API_InterruptType: description: The type of interrupt 
@@ -53491,11 +106860,9 @@ components: Security_AI_Assistant_API_InterruptValue: description: Union of the interrupt values oneOf: - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_SelectOptionInterruptValue + - $ref: '#/components/schemas/Security_AI_Assistant_API_SelectOptionInterruptValue' additionalProperties: false - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_InputTextInterruptValue + - $ref: '#/components/schemas/Security_AI_Assistant_API_InputTextInterruptValue' additionalProperties: false Security_AI_Assistant_API_KnowledgeBaseEntryBulkActionSkipReason: description: Reason why a Knowledge Base Entry was skipped during the bulk action. @@ -53514,8 +106881,7 @@ components: example: Skipped Entry type: string skip_reason: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkActionSkipReason + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkActionSkipReason' required: - id - skip_reason @@ -53535,15 +106901,12 @@ components: message: Failed to update entry. statusCode: 400 items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_NormalizedKnowledgeBaseEntryError + $ref: '#/components/schemas/Security_AI_Assistant_API_NormalizedKnowledgeBaseEntryError' type: array results: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionResults + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionResults' summary: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionSummary + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionSummary' required: - results - summary 
@@ -53578,29 +106941,23 @@ components: text: This is the content of the new entry. type: document items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse' type: array deleted: - description: >- - List of IDs of Knowledge Base Entries that were successfully - deleted. + description: List of IDs of Knowledge Base Entries that were successfully deleted. example: - '789' items: type: string type: array skipped: - description: >- - List of Knowledge Base Entries that were skipped during the bulk - action. + description: List of Knowledge Base Entries that were skipped during the bulk action. example: - id: '123' name: Skipped Entry skip_reason: KNOWLEDGE_BASE_ENTRY_NOT_MODIFIED items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkActionSkipResult + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkActionSkipResult' type: array updated: description: List of Knowledge Base Entries that were successfully updated. @@ -53612,8 +106969,7 @@ components: text: Updated content. type: document items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse' type: array required: - updated @@ -53628,15 +106984,11 @@ components: example: 2 type: integer skipped: - description: >- - Number of Knowledge Base Entries that were skipped during the bulk - action. + description: Number of Knowledge Base Entries that were skipped during the bulk action. example: 1 type: integer succeeded: - description: >- - Number of Knowledge Base Entries that were successfully processed - during the bulk action. + description: Number of Knowledge Base Entries that were successfully processed during the bulk action. example: 5 type: integer total: 
@@ -53673,16 +107025,12 @@ components: description: References a knowledge base entry Security_AI_Assistant_API_KnowledgeBaseEntryCreateProps: anyOf: - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields + - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields' + - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields' discriminator: mapping: - document: >- - #/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields - index: >- - #/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields + document: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields' + index: '#/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields' propertyName: type Security_AI_Assistant_API_KnowledgeBaseEntryDetailsInError: type: object 
@@ -53728,37 +107076,27 @@ components: propertyName: type Security_AI_Assistant_API_KnowledgeBaseEntryUpdateProps: anyOf: - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_DocumentEntryUpdateFields - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_IndexEntryUpdateFields + - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryUpdateFields' + - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryUpdateFields' discriminator: mapping: - document: >- - #/components/schemas/Security_AI_Assistant_API_DocumentEntryUpdateFields - index: >- - #/components/schemas/Security_AI_Assistant_API_IndexEntryUpdateFields + document: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryUpdateFields' + index: '#/components/schemas/Security_AI_Assistant_API_IndexEntryUpdateFields' propertyName: type Security_AI_Assistant_API_KnowledgeBaseEntryUpdateRouteProps: anyOf: - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields + - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields' + - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields' discriminator: mapping: - document: >- - #/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields - index: >- - #/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields + document: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields' + index: '#/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields' propertyName: type Security_AI_Assistant_API_KnowledgeBaseReadResponse200: type: object properties: defend_insights_exists: - description: >- - Indicates if Defend Insights documentation exists in the - KnowledgeBase. + description: Indicates if Defend Insights documentation exists in the KnowledgeBase. example: true type: boolean elser_exists: 
@@ -53778,9 +107116,7 @@ components: example: complete type: string security_labs_exists: - description: >- - Indicates if Security Labs documentation exists in the - KnowledgeBase. + description: Indicates if Security Labs documentation exists in the KnowledgeBase. example: true type: boolean user_data_exists: @@ -53788,9 +107124,7 @@ components: example: false type: boolean Security_AI_Assistant_API_KnowledgeBaseResource: - description: >- - Knowledge Base resource name for grouping entries, e.g. 'security_labs', - 'user', etc. + description: Knowledge Base resource name for grouping entries, e.g. 'security_labs', 'user', etc. enum: - security_labs - defend_insights @@ -53878,16 +107212,10 @@ components: description: Data referred to by the message content. interruptResumeValue: $ref: '#/components/schemas/Security_AI_Assistant_API_InterruptResumeValue' - description: >- - When the agent is resumed after an interrupt, this field is - populated with the details of the resume value. + description: When the agent is resumed after an interrupt, this field is populated with the details of the resume value. interruptValue: $ref: '#/components/schemas/Security_AI_Assistant_API_InterruptValue' - description: >- - When the agent is interrupted (for example, when user input is - required), this field is populated with the details of the - interrupt. Messages containing interruptValues in the metadata are - excluded from the LLM context. + description: When the agent is interrupted (for example, when user input is required), this field is populated with the details of the interrupt. Messages containing interruptValues in the metadata are excluded from the LLM context. Security_AI_Assistant_API_MessageRole: description: Message role. enum: 
@@ -53903,9 +107231,7 @@ components: minLength: 1 type: string Security_AI_Assistant_API_NonEmptyTimestamp: - description: >- - A string that represents a timestamp in ISO 8601 format and does not - contain only whitespace characters. + description: A string that represents a timestamp in ISO 8601 format and does not contain only whitespace characters. example: '2023-10-31T12:00:00Z' format: nonempty minLength: 1 @@ -53916,8 +107242,7 @@ components: anonymization_fields: description: Array of anonymization fields that caused the error. items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldDetailsInError + $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldDetailsInError' type: array err_code: description: Error code indicating the type of failure. @@ -53945,8 +107270,7 @@ components: knowledgeBaseEntries: description: List of Knowledge Base Entries that encountered the error. items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryDetailsInError + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryDetailsInError' type: array message: description: Error message describing the issue. @@ -53972,8 +107296,7 @@ components: prompts: description: List of prompts that encountered errors. items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_PromptDetailsInError + $ref: '#/components/schemas/Security_AI_Assistant_API_PromptDetailsInError' type: array status_code: description: The HTTP status code associated with the error. @@ -54132,8 +107455,7 @@ components: description: The name of the prompt that was skipped. type: string skip_reason: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_PromptsBulkActionSkipReason + $ref: '#/components/schemas/Security_AI_Assistant_API_PromptsBulkActionSkipReason' description: The reason for skipping the prompt. required: - id 
@@ -54146,15 +107468,12 @@ components: properties: errors: items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_NormalizedPromptError + $ref: '#/components/schemas/Security_AI_Assistant_API_NormalizedPromptError' type: array results: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_PromptsBulkCrudActionResults + $ref: '#/components/schemas/Security_AI_Assistant_API_PromptsBulkCrudActionResults' summary: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_BulkCrudActionSummary + $ref: '#/components/schemas/Security_AI_Assistant_API_BulkCrudActionSummary' required: - results - summary @@ -54192,8 +107511,7 @@ components: skipped: description: List of prompts that were skipped. items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_PromptsBulkActionSkipResult + $ref: '#/components/schemas/Security_AI_Assistant_API_PromptsBulkActionSkipResult' type: array updated: description: List of prompts that were updated. @@ -54350,8 +107668,7 @@ components: - value Security_AI_Assistant_API_SelectOptionInterruptResumeValue: allOf: - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_BaseInterruptResumeValue + - $ref: '#/components/schemas/Security_AI_Assistant_API_BaseInterruptResumeValue' - type: object properties: type: @@ -54360,9 +107677,7 @@ components: example: SELECT_OPTION type: string value: - description: >- - The value of the selected option to resume the graph execution - with + description: The value of the selected option to resume the graph execution with example: option_1 type: string required: @@ -54384,8 +107699,7 @@ components: - label: Option 1 - label: Option 2 items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_SelectOptionInterruptOption + $ref: '#/components/schemas/Security_AI_Assistant_API_SelectOptionInterruptOption' type: array type: enum: 
@@ -54429,9 +107743,7 @@ components: example: John Doe type: string Security_AI_Assistant_API_Vector: - description: >- - Object containing Knowledge Base Entry text embeddings and modelId used - to create the embeddings. + description: Object containing Knowledge Base Entry text embeddings and modelId used to create the embeddings. type: object properties: modelId: @@ -54529,9 +107841,7 @@ components: type: string type: array alert_rule_uuid: - description: >- - The optional kibana.alert.rule.uuid of the rule that generated this - attack discovery (not applicable to ad hock runs) + description: The optional kibana.alert.rule.uuid of the rule that generated this attack discovery (not applicable to ad hock runs) type: string alert_start: description: The optional time the attack discovery alert was created @@ -54540,22 +107850,16 @@ components: description: The optional time the attack discovery alert was last updated type: string alert_updated_by_user_id: - description: >- - The optional id of the user who last updated the attack discovery - alert + description: The optional id of the user who last updated the attack discovery alert type: string alert_updated_by_user_name: - description: >- - The optional username of the user who updated the attack discovery - alert + description: The optional username of the user who updated the attack discovery alert type: string alert_workflow_status: description: The optional kibana.alert.workflow_status of this attack discovery type: string alert_workflow_status_updated_at: - description: >- - The optional time the attack discovery alert workflow status was - last updated + description: The optional time the attack discovery alert workflow status was last updated type: string assignees: description: The optional array of user-IDs who have been assigned the attack 
@@ -54566,20 +107870,13 @@ components: description: The ID of the connector that generated the attack discovery type: string connector_name: - description: >- - The (human readable) name of the connector that generated the attack - discovery + description: The (human readable) name of the connector that generated the attack discovery type: string details_markdown: - description: >- - Details of the attack with bulleted markdown that always uses - special syntax for field names and values from the source data. + description: Details of the attack with bulleted markdown that always uses special syntax for field names and values from the source data. type: string entity_summary_markdown: - description: >- - An optional, short (no more than a sentence) summary of the attack - discovery featuring only the host.name and user.name fields (when - they are applicable), using the same syntax + description: An optional, short (no more than a sentence) summary of the attack discovery featuring only the host.name and user.name fields (when they are applicable), using the same syntax type: string generation_uuid: description: The generation ID of the run that created the attack discovery @@ -54588,9 +107885,7 @@ components: description: The unique ID of the attack discovery type: string index: - description: >- - The concrete Elasticsearch index where this attack discovery is - stored + description: The concrete Elasticsearch index where this attack discovery is stored type: string mitre_attack_tactics: description: An optional array of MITRE ATT&CK tactic for the attack discovery 
@@ -54599,13 +107894,9 @@ components: type: array replacements: $ref: '#/components/schemas/Security_Attack_discovery_API_Replacements' - description: >- - Key-value pairs that are used to replace placeholders in the - markdown fields + description: Key-value pairs that are used to replace placeholders in the markdown fields risk_score: - description: >- - The optional, (but typically populated after generation) risk score - of the alert + description: The optional, (but typically populated after generation) risk score of the alert type: integer summary_markdown: description: A markdown summary of attack discovery, using the same syntax @@ -54625,14 +107916,10 @@ components: description: The optional id of the user who generated the attack discovery type: string user_name: - description: >- - The optional username of the user who generated the attack - discovery, (not applicable to attack discoveries generated by rules) + description: The optional username of the user who generated the attack discovery, (not applicable to attack discoveries generated by rules) type: string users: - description: >- - The optional array of users who may view the attack discovery. When - empty, (or not present), all users may view the attack discovery. + description: The optional array of users who may view the attack discovery. When empty, (or not present), all users may view the attack discovery. items: $ref: '#/components/schemas/Security_Attack_discovery_API_User' type: array @@ -54653,8 +107940,7 @@ components: actions: description: The Attack Discovery schedule actions items: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction' type: array created_at: description: The date the schedule was created 
@@ -54670,19 +107956,16 @@ components: description: UUID of Attack Discovery schedule type: string last_execution: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleExecution + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleExecution' description: The Attack Discovery schedule last execution summary name: description: The name of the schedule type: string params: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleParams + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleParams' description: The Attack Discovery schedule configuration parameters schedule: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_IntervalApiSchedule + $ref: '#/components/schemas/Security_Attack_discovery_API_IntervalApiSchedule' description: The Attack Discovery schedule interval updated_at: description: The date the schedule was updated 
@@ -54704,30 +107987,22 @@ components: - actions Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction: oneOf: - - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleGeneralAction - - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleSystemAction + - $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleGeneralAction' + - $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleSystemAction' Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionAlertsFilter: additionalProperties: true type: object Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionFrequency: - description: >- - The action frequency defines when the action runs (for example, only on - schedule execution or at specific time intervals). + description: The action frequency defines when the action runs (for example, only on schedule execution or at specific time intervals). type: object properties: notify_when: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionNotifyWhen + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionNotifyWhen' summary: - description: >- - Action summary indicates whether we will send a summary notification - about all the generate alerts or notification per individual alert + description: Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert type: boolean throttle: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionThrottle + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionThrottle' nullable: true required: - summary 
@@ -54740,9 +108015,7 @@ components: description: The connector ID. type: string Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionNotifyWhen: - description: >- - The condition for throttling the notification: `onActionGroupChange`, - `onActiveAlert`, or `onThrottleInterval` + description: 'The condition for throttling the notification: `onActionGroupChange`, `onActiveAlert`, or `onThrottleInterval`' enum: - onActiveAlert - onThrottleInterval @@ -54750,14 +108023,10 @@ components: type: string Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionParams: additionalProperties: true - description: >- - Object containing the allowed connector fields, which varies according - to the connector type. + description: Object containing the allowed connector fields, which varies according to the connector type. type: object Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionThrottle: - description: >- - Defines how often schedule actions are taken. Time interval in seconds, - minutes, hours, or days. + description: Defines how often schedule actions are taken. Time interval in seconds, minutes, hours, or days. example: 1h pattern: ^[1-9]\d*[smhd]$ type: string @@ -54768,8 +108037,7 @@ components: actions: description: The Attack Discovery schedule actions items: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction' type: array enabled: description: Indicates whether the schedule is enabled 
@@ -54778,12 +108046,10 @@ components: description: The name of the schedule type: string params: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleParams + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleParams' description: The Attack Discovery schedule configuration parameters schedule: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_IntervalApiSchedule + $ref: '#/components/schemas/Security_Attack_discovery_API_IntervalApiSchedule' description: The Attack Discovery schedule interval required: - name @@ -54803,8 +108069,7 @@ components: message: type: string status: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleExecutionStatus + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleExecutionStatus' description: Status of the execution required: - date 
@@ -54826,20 +108091,15 @@ components: description: The action type used for sending notifications. type: string alerts_filter: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionAlertsFilter + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionAlertsFilter' frequency: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionFrequency + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionFrequency' group: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionGroup + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionGroup' id: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionId + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionId' params: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionParams + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionParams' uuid: $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' required: @@ -54889,11 +108149,9 @@ components: description: The action type used for sending notifications. type: string id: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionId + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionId' params: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionParams + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionParams' uuid: $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' required: 
@@ -54907,19 +108165,16 @@ components: actions: description: The Attack Discovery schedule actions items: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction' type: array name: description: The name of the schedule type: string params: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleParams + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleParams' description: The Attack Discovery schedule configuration parameters schedule: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_IntervalApiSchedule + $ref: '#/components/schemas/Security_Attack_discovery_API_IntervalApiSchedule' description: The Attack Discovery schedule interval required: - name @@ -54927,9 +108182,7 @@ components: - schedule - actions Security_Attack_discovery_API_AttackDiscoveryFindSortField: - description: >- - Allowed field names to sort Attack Discovery results by. Clients should - only pass one of the listed values. + description: Allowed field names to sort Attack Discovery results by. Clients should only pass one of the listed values. enum: - '@timestamp' type: string @@ -54937,10 +108190,7 @@ components: type: object properties: alerts_context_count: - description: >- - The number of alerts sent as context (max - kibana.alert.rule.execution.metrics.alert_counts.active) to the LLM - for the generation + description: The number of alerts sent as context (max kibana.alert.rule.execution.metrics.alert_counts.active) to the LLM for the generation type: number connector_id: description: The connector id (event.dataset) for this generation 
@@ -54950,29 +108200,19 @@ components: type: object properties: average_successful_duration_nanoseconds: - description: >- - The average duration (avg event.duration) in nanoseconds of - successful generations for the same connector id, for the - current user + description: The average duration (avg event.duration) in nanoseconds of successful generations for the same connector id, for the current user type: number successful_generations: - description: >- - The number of successful generations for the same connector id, - for the current user + description: The number of successful generations for the same connector id, for the current user type: number discoveries: - description: >- - The number of new Attack discovery alerts (max - kibana.alert.rule.execution.metrics.alert_counts.new) for this - generation + description: The number of new Attack discovery alerts (max kibana.alert.rule.execution.metrics.alert_counts.new) for this generation type: number end: description: When generation ended (max event.end) type: string execution_uuid: - description: >- - The unique identifier (kibana.alert.rule.execution.uuid) for the - generation + description: The unique identifier (kibana.alert.rule.execution.uuid) for the generation type: string loading_message: description: Generation loading message (kibana.alert.rule.execution.status) 
@@ -55003,23 +108243,15 @@ components: type: object properties: alertsIndexPattern: - description: > - The (space specific) index pattern that contains the alerts to use - as - + description: | + The (space specific) index pattern that contains the alerts to use as context for the attack discovery. - Example: .alerts-security.alerts-default type: string anonymizationFields: - description: >- - The list of fields, and whether or not they are anonymized, allowed - to be sent to LLMs. Consider using the output of the - `/api/security_ai_assistant/anonymization_fields/_find` API (for a - specific Kibana space) to provide this value. + description: The list of fields, and whether or not they are anonymized, allowed to be sent to LLMs. Consider using the output of the `/api/security_ai_assistant/anonymization_fields/_find` API (for a specific Kibana space) to provide this value. items: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AnonymizationFieldResponse + $ref: '#/components/schemas/Security_Attack_discovery_API_AnonymizationFieldResponse' type: array apiConfig: $ref: '#/components/schemas/Security_Attack_discovery_API_ApiConfig' @@ -55030,10 +108262,8 @@ components: type: string filter: additionalProperties: true - description: >- - An Elasticsearch-style query DSL object used to filter alerts. For - example: - + description: |- + An Elasticsearch-style query DSL object used to filter alerts. For example: ```json { "filter": { "bool": { 
@@ -55078,10 +108308,7 @@ components: - size - subAction Security_Attack_discovery_API_AttackDiscoveryGenericError: - description: >- - Error response for Attack discovery schedule operations when the request - is rejected. Uses `status_code` (snake_case), `error`, and `message` to - match the implementation. + description: Error response for Attack discovery schedule operations when the request is rejected. Uses `status_code` (snake_case), `error`, and `message` to match the implementation. type: object properties: error: @@ -55106,8 +108333,7 @@ components: type: object properties: id: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_NonEmptyString + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' description: The unique identifier of the failed schedule. name: description: The name of the failed schedule. @@ -55137,13 +108363,10 @@ components: properties: errors: items: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_BulkActionAttackDiscoverySchedulesError + $ref: '#/components/schemas/Security_Attack_discovery_API_BulkActionAttackDiscoverySchedulesError' type: array ids: - description: >- - The unique identifiers of the schedules successfully affected by the - bulk action. + description: The unique identifiers of the schedules successfully affected by the bulk action. items: $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' type: array @@ -55155,9 +108378,7 @@ components: - errors - total Security_Attack_discovery_API_Filters: - description: >- - The filter array used to define the conditions for when alerts are - selected as an Attack Discovery context. Defaults to an empty array. + description: The filter array used to define the conditions for when alerts are selected as an Attack Discovery context. Defaults to an empty array. items: {} type: array Security_Attack_discovery_API_IntervalApiSchedule: 
@@ -55175,9 +108396,7 @@ components: minLength: 1 type: string Security_Attack_discovery_API_NonEmptyTimestamp: - description: >- - A string that represents a timestamp in ISO 8601 format and does not - contain only whitespace characters. + description: A string that represents a timestamp in ISO 8601 format and does not contain only whitespace characters. example: '2023-10-31T12:00:00Z' format: nonempty minLength: 1 @@ -55233,18 +108452,14 @@ components: properties: add: items: - description: >- - A list of user profile `uid`s to assign. Users need to activate - their user profile by logging into Kibana at least once. + description: A list of user profile `uid`s to assign. Users need to activate their user profile by logging into Kibana at least once. format: nonempty minLength: 1 type: string type: array remove: items: - description: >- - A list of user profile `uid`s to unassign. Users need to activate - their user profile by logging into Kibana at least once. + description: A list of user profile `uid`s to unassign. Users need to activate their user profile by logging into Kibana at least once. format: nonempty minLength: 1 type: string @@ -55271,8 +108486,7 @@ components: oneOf: - $ref: '#/components/schemas/Security_Detections_API_AlertsSortCombinations' - items: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsSortCombinations + $ref: '#/components/schemas/Security_Detections_API_AlertsSortCombinations' type: array Security_Detections_API_AlertsSortCombinations: anyOf: @@ -55280,9 +108494,7 @@ components: - additionalProperties: true type: object Security_Detections_API_AlertStatusExceptClosed: - description: >- - The status of an alert, which can be `open`, `acknowledged`, - `in-progress`, or `closed`. + description: The status of an alert, which can be `open`, `acknowledged`, `in-progress`, or `closed`. enum: - open - acknowledged 
@@ -55293,21 +108505,18 @@ components: type: object properties: duration: - $ref: >- - #/components/schemas/Security_Detections_API_AlertSuppressionDuration + $ref: '#/components/schemas/Security_Detections_API_AlertSuppressionDuration' group_by: $ref: '#/components/schemas/Security_Detections_API_AlertSuppressionGroupBy' missing_fields_strategy: - $ref: >- - #/components/schemas/Security_Detections_API_AlertSuppressionMissingFieldsStrategy + $ref: '#/components/schemas/Security_Detections_API_AlertSuppressionMissingFieldsStrategy' required: - group_by Security_Detections_API_AlertSuppressionDuration: type: object properties: unit: - $ref: >- - #/components/schemas/Security_Detections_API_AlertSuppressionDurationUnit + $ref: '#/components/schemas/Security_Detections_API_AlertSuppressionDurationUnit' value: minimum: 1 type: integer 
@@ -55328,72 +108537,48 @@ components: minItems: 1 type: array Security_Detections_API_AlertSuppressionMissingFieldsStrategy: - description: >- - Describes how alerts will be generated for documents with missing - suppress by fields: - + description: |- + Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created - suppress - only alert will be created per suppress by bucket enum: - doNotSuppress - suppress type: string Security_Detections_API_AlertTag: - description: >- - Use alert tags to organize related alerts into categories that you can - filter and group. + description: Use alert tags to organize related alerts into categories that you can filter and group. format: nonempty minLength: 1 type: string Security_Detections_API_AlertTags: - description: >- - List of keywords to organize related alerts into categories that you can - filter and group. + description: List of keywords to organize related alerts into categories that you can filter and group. items: $ref: '#/components/schemas/Security_Detections_API_AlertTag' type: array Security_Detections_API_AnomalyThreshold: - description: >- - Anomaly score threshold above which the rule creates an alert. Valid - values are from 0 to 100. + description: Anomaly score threshold above which the rule creates an alert. Valid values are from 0 to 100. minimum: 0 type: integer Security_Detections_API_BuildingBlockType: - description: > - Determines if the rule acts as a building block. If yes, the value must - be `default`. - - By default, building-block alerts are not displayed in the UI. These - rules are used as a foundation for other rules that do generate alerts. - - For more information, refer to [About building block - rules](https://www.elastic.co/docs/solutions/security/detect-and-alert/about-building-block-rules). + description: | + Determines if the rule acts as a building block. If yes, the value must be `default`. 
+ By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. + For more information, refer to [About building block rules](https://www.elastic.co/docs/solutions/security/detect-and-alert/about-building-block-rules). type: string Security_Detections_API_BulkActionEditPayload: anyOf: - - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionEditPayloadTags - - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionEditPayloadIndexPatterns - - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionEditPayloadInvestigationFields - - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionEditPayloadTimeline - - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionEditPayloadRuleActions - - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionEditPayloadSchedule - - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionEditPayloadAlertSuppression + - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadTags' + - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadIndexPatterns' + - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadInvestigationFields' + - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadTimeline' + - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadRuleActions' + - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadSchedule' + - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadAlertSuppression' Security_Detections_API_BulkActionEditPayloadAlertSuppression: anyOf: - - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionEditPayloadSetAlertSuppression - - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionEditPayloadSetAlertSuppressionForThreshold - - $ref: >- - 
#/components/schemas/Security_Detections_API_BulkActionEditPayloadDeleteAlertSuppression + - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadSetAlertSuppression' + - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadSetAlertSuppressionForThreshold' + - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadDeleteAlertSuppression' Security_Detections_API_BulkActionEditPayloadDeleteAlertSuppression: type: object properties: @@ -55404,19 +108589,12 @@ components: required: - type Security_Detections_API_BulkActionEditPayloadIndexPatterns: - description: > + description: | Edits index patterns of rulesClient. - - - `add_index_patterns` adds index patterns to rules. If an index pattern - already exists for a rule, no changes are made. - - - `delete_index_patterns` removes index patterns from rules. If an index - pattern does not exist for a rule, no changes are made. - - - `set_index_patterns` sets index patterns for rules, overwriting any - existing index patterns. If the set of index patterns is the same as the - existing index patterns, no changes are made. + - `add_index_patterns` adds index patterns to rules. If an index pattern already exists for a rule, no changes are made. + - `delete_index_patterns` removes index patterns from rules. If an index pattern does not exist for a rule, no changes are made. + - `set_index_patterns` sets index patterns for rules, overwriting any existing index patterns. If the set of index patterns is the same as the existing index patterns, no changes are made. type: object properties: overwrite_data_views: 
@@ -55434,20 +108612,12 @@ components: - type - value Security_Detections_API_BulkActionEditPayloadInvestigationFields: - description: > + description: | Edits investigation fields of rules. - - - `add_investigation_fields` adds investigation fields to rules. If an - investigation field already exists for a rule, no changes are made. - - - `delete_investigation_fields` removes investigation fields from rules. - If an investigation field does not exist for a rule, no changes are - made. - - - `set_investigation_fields` sets investigation fields for rules. If the - set of investigation fields is the same as the existing investigation - fields, no changes are made. + - `add_investigation_fields` adds investigation fields to rules. If an investigation field already exists for a rule, no changes are made. + - `delete_investigation_fields` removes investigation fields from rules. If an investigation field does not exist for a rule, no changes are made. + - `set_investigation_fields` sets investigation fields for rules. If the set of investigation fields is the same as the existing investigation fields, no changes are made. type: object properties: type: 
@@ -55462,18 +108632,11 @@ components: - type - value Security_Detections_API_BulkActionEditPayloadRuleActions: - description: > + description: | Edits rule actions of rules. - - - `add_rule_actions` adds rule actions to rules. This action is - non-idempotent, meaning that even if the same rule action already exists - for a rule, it will be added again with a new unique ID. - - - `set_rule_actions` sets rule actions for rules. This action is - non-idempotent, meaning that even if the same set of rule actions - already exists for a rule, it will be set again and the actions will - receive new unique IDs. + - `add_rule_actions` adds rule actions to rules. This action is non-idempotent, meaning that even if the same rule action already exists for a rule, it will be added again with a new unique ID. + - `set_rule_actions` sets rule actions for rules. This action is non-idempotent, meaning that even if the same set of rule actions already exists for a rule, it will be set again and the actions will receive new unique IDs. type: object properties: type: 
@@ -55486,30 +108649,22 @@ components: properties: actions: items: - $ref: >- - #/components/schemas/Security_Detections_API_NormalizedRuleAction + $ref: '#/components/schemas/Security_Detections_API_NormalizedRuleAction' type: array throttle: - $ref: >- - #/components/schemas/Security_Detections_API_ThrottleForBulkActions + $ref: '#/components/schemas/Security_Detections_API_ThrottleForBulkActions' required: - actions required: - type - value Security_Detections_API_BulkActionEditPayloadSchedule: - description: > + description: | Overwrites schedule of rules. + - `set_schedule` sets a schedule for rules. If the same schedule already exists for a rule, no changes are made. - - `set_schedule` sets a schedule for rules. If the same schedule already - exists for a rule, no changes are made. - - - Both `interval` and `lookback` have a format of "{integer}{time_unit}", - where accepted time units are `s` for seconds, `m` for minutes, and `h` - for hours. The integer must be positive and larger than 0. Examples: - "45s", "30m", "6h" + Both `interval` and `lookback` have a format of "{integer}{time_unit}", where accepted time units are `s` for seconds, `m` for minutes, and `h` for hours. The integer must be positive and larger than 0. Examples: "45s", "30m", "6h" type: object properties: type: 
@@ -55520,20 +108675,15 @@ components: type: object properties: interval: - description: >- - Interval in which the rule runs. For example, `"1h"` means the - rule runs every hour. + description: Interval in which the rule runs. For example, `"1h"` means the rule runs every hour. example: 1h pattern: ^[1-9]\d*[smh]$ type: string lookback: - description: > + description: | Lookback time for the rules. - - Additional look-back time that the rule analyzes. For example, - "10m" means the rule analyzes the last 10 minutes of data in - addition to the frequency interval. + Additional look-back time that the rule analyzes. For example, "10m" means the rule analyzes the last 10 minutes of data in addition to the frequency interval. example: 1h pattern: ^[1-9]\d*[smh]$ type: string @@ -55563,24 +108713,17 @@ components: - set_alert_suppression_for_threshold type: string value: - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdAlertSuppression + $ref: '#/components/schemas/Security_Detections_API_ThresholdAlertSuppression' required: - type - value Security_Detections_API_BulkActionEditPayloadTags: - description: > + description: | Edits tags of rules. - - - `add_tags` adds tags to rules. If a tag already exists for a rule, no - changes are made. - - - `delete_tags` removes tags from rules. If a tag does not exist for a - rule, no changes are made. - - - `set_tags` sets tags for rules, overwriting any existing tags. If the - set of tags is the same as the existing tags, no changes are made. + - `add_tags` adds tags to rules. If a tag already exists for a rule, no changes are made. + - `delete_tags` removes tags from rules. If a tag does not exist for a rule, no changes are made. + - `set_tags` sets tags for rules, overwriting any existing tags. If the set of tags is the same as the existing tags, no changes are made. type: object properties: type: 
@@ -55595,12 +108738,10 @@ components: - type - value Security_Detections_API_BulkActionEditPayloadTimeline: - description: > + description: | Edits timeline of rules. - - - `set_timeline` sets a timeline for rules. If the same timeline already - exists for a rule, no changes are made. + - `set_timeline` sets a timeline for rules. If the same timeline already exists for a rule, no changes are made. type: object properties: type: @@ -55613,8 +108754,7 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' required: - timeline_id - timeline_title @@ -55645,8 +108785,7 @@ components: skip_reason: oneOf: - $ref: '#/components/schemas/Security_Detections_API_BulkEditSkipReason' - - $ref: >- - #/components/schemas/Security_Detections_API_BulkGapsFillingSkipReason + - $ref: '#/components/schemas/Security_Detections_API_BulkGapsFillingSkipReason' required: - id - skip_reason @@ -55658,14 +108797,10 @@ components: - delete type: string gap_auto_fill_scheduler_id: - description: >- - Gap auto fill scheduler ID used to determine gap fill status for - rules + description: Gap auto fill scheduler ID used to determine gap fill status for rules type: string gap_fill_statuses: - description: >- - Gap fill statuses to filter rules with gaps by status (used together - with gaps_range_*). + description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*). items: $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' type: array 
@@ -55676,10 +108811,8 @@ components: description: Gaps range start, valid only when query is provided type: string ids: - description: > - Array of rule `id`s to which a bulk action will be applied. Do not - use rule's `rule_id` here. - + description: | + Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here. Only valid when query property is undefined. items: type: string @@ -55698,14 +108831,10 @@ components: - disable type: string gap_auto_fill_scheduler_id: - description: >- - Gap auto fill scheduler ID used to determine gap fill status for - rules + description: Gap auto fill scheduler ID used to determine gap fill status for rules type: string gap_fill_statuses: - description: >- - Gap fill statuses to filter rules with gaps by status (used together - with gaps_range_*). + description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*). items: $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' type: array @@ -55716,10 +108845,8 @@ components: description: Gaps range start, valid only when query is provided type: string ids: - description: > - Array of rule `id`s to which a bulk action will be applied. Do not - use rule's `rule_id` here. - + description: | + Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here. Only valid when query property is undefined. items: type: string 
@@ -55751,14 +108878,10 @@ components: - include_exceptions - include_expired_exceptions gap_auto_fill_scheduler_id: - description: >- - Gap auto fill scheduler ID used to determine gap fill status for - rules + description: Gap auto fill scheduler ID used to determine gap fill status for rules type: string gap_fill_statuses: - description: >- - Gap fill statuses to filter rules with gaps by status (used together - with gaps_range_*). + description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*). items: $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' type: array @@ -55769,10 +108892,8 @@ components: description: Gaps range start, valid only when query is provided type: string ids: - description: > - Array of rule `id`s to which a bulk action will be applied. Do not - use rule's `rule_id` here. - + description: | + Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here. Only valid when query property is undefined. items: type: string @@ -55791,15 +108912,12 @@ components: properties: errors: items: - $ref: >- - #/components/schemas/Security_Detections_API_NormalizedRuleError + $ref: '#/components/schemas/Security_Detections_API_NormalizedRuleError' type: array results: - $ref: >- - #/components/schemas/Security_Detections_API_BulkEditActionResults + $ref: '#/components/schemas/Security_Detections_API_BulkEditActionResults' summary: - $ref: >- - #/components/schemas/Security_Detections_API_BulkEditActionSummary + $ref: '#/components/schemas/Security_Detections_API_BulkEditActionSummary' required: - results - summary 
@@ -55838,13 +108956,7 @@ components: - deleted - skipped Security_Detections_API_BulkEditActionSummary: - description: >- - A rule can only be skipped when the bulk action to be performed on it - results in nothing being done. For example, if the `edit` action is used - to add a tag to a rule that already has that tag, or to delete an index - pattern that is not specified in a rule. Objects returned in - `attributes.results.skipped` will only include rules' `id`, `name`, and - `skip_reason`. + description: A rule can only be skipped when the bulk action to be performed on it results in nothing being done. For example, if the `edit` action is used to add a tag to a rule that already has that tag, or to delete an index pattern that is not specified in a rule. Objects returned in `attributes.results.skipped` will only include rules' `id`, `name`, and `skip_reason`. type: object properties: failed: @@ -55874,14 +108986,10 @@ components: minItems: 1 type: array gap_auto_fill_scheduler_id: - description: >- - Gap auto fill scheduler ID used to determine gap fill status for - rules + description: Gap auto fill scheduler ID used to determine gap fill status for rules type: string gap_fill_statuses: - description: >- - Gap fill statuses to filter rules with gaps by status (used together - with gaps_range_*). + description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*). items: $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' type: array @@ -55892,10 +109000,8 @@ components: description: Gaps range start, valid only when query is provided type: string ids: - description: > - Array of rule `id`s to which a bulk action will be applied. Do not - use rule's `rule_id` here. - + description: | + Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here. Only valid when query property is undefined. items: type: string 
@@ -55919,14 +109025,10 @@ components: - enable type: string gap_auto_fill_scheduler_id: - description: >- - Gap auto fill scheduler ID used to determine gap fill status for - rules + description: Gap auto fill scheduler ID used to determine gap fill status for rules type: string gap_fill_statuses: - description: >- - Gap fill statuses to filter rules with gaps by status (used together - with gaps_range_*). + description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*). items: $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' type: array @@ -55937,10 +109039,8 @@ components: description: Gaps range start, valid only when query is provided type: string ids: - description: > - Array of rule `id`s to which a bulk action will be applied. Do not - use rule's `rule_id` here. - + description: | + Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here. Only valid when query property is undefined. items: type: string @@ -55961,14 +109061,10 @@ components: - export type: string gap_auto_fill_scheduler_id: - description: >- - Gap auto fill scheduler ID used to determine gap fill status for - rules + description: Gap auto fill scheduler ID used to determine gap fill status for rules type: string gap_fill_statuses: - description: >- - Gap fill statuses to filter rules with gaps by status (used together - with gaps_range_*). + description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*). items: $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' type: array 
@@ -55979,10 +109075,8 @@ components: description: Gaps range start, valid only when query is provided type: string ids: - description: > - Array of rule `id`s to which a bulk action will be applied. Do not - use rule's `rule_id` here. - + description: | + Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here. Only valid when query property is undefined. items: type: string @@ -56005,9 +109099,7 @@ components: - fill_gaps type: string fill_gaps: - description: >- - Object that describes applying a manual gap fill action for the - specified time range. + description: Object that describes applying a manual gap fill action for the specified time range. type: object properties: end_date: @@ -56020,14 +109112,10 @@ components: - start_date - end_date gap_auto_fill_scheduler_id: - description: >- - Gap auto fill scheduler ID used to determine gap fill status for - rules + description: Gap auto fill scheduler ID used to determine gap fill status for rules type: string gap_fill_statuses: - description: >- - Gap fill statuses to filter rules with gaps by status (used together - with gaps_range_*). + description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*). items: $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' type: array @@ -56038,10 +109126,8 @@ components: description: Gaps range start, valid only when query is provided type: string ids: - description: > - Array of rule `id`s to which a bulk action will be applied. Do not - use rule's `rule_id` here. - + description: | + Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here. Only valid when query property is undefined. items: type: string 
@@ -56061,14 +109147,10 @@ components: - run type: string gap_auto_fill_scheduler_id: - description: >- - Gap auto fill scheduler ID used to determine gap fill status for - rules + description: Gap auto fill scheduler ID used to determine gap fill status for rules type: string gap_fill_statuses: - description: >- - Gap fill statuses to filter rules with gaps by status (used together - with gaps_range_*). + description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*). items: $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' type: array @@ -56079,10 +109161,8 @@ components: description: Gaps range start, valid only when query is provided type: string ids: - description: > - Array of rule `id`s to which a bulk action will be applied. Do not - use rule's `rule_id` here. - + description: | + Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here. Only valid when query property is undefined. items: type: string @@ -56113,9 +109193,7 @@ components: reason: $ref: '#/components/schemas/Security_Detections_API_Reason' signal_ids: - description: >- - List of alert ids. Use field `_id` on alert document or - `kibana.alert.uuid`. Note: signals are a deprecated term for alerts. + description: 'List of alert ids. Use field `_id` on alert document or `kibana.alert.uuid`. Note: signals are a deprecated term for alerts.' items: format: nonempty minLength: 1 @@ -56178,9 +109256,7 @@ components: - items: type: string type: array - description: >- - Map Osquery results columns or static values to Elastic Common Schema - (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}} + description: 'Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}' type: object Security_Detections_API_EndpointResponseAction: type: object 
@@ -56240,18 +109316,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -56265,8 +109337,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -56282,35 +109353,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -56337,13 +109397,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -56382,18 +109440,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -56407,8 +109461,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -56424,35 +109477,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -56481,13 +109523,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -56518,18 +109558,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -56543,12 +109579,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -56562,35 +109597,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -56619,13 +109643,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -56640,18 +109662,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -56665,12 +109683,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -56684,35 +109701,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -56741,13 +109747,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -56794,18 +109798,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -56819,8 +109819,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -56836,35 +109835,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -56891,13 +109879,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -56936,18 +109922,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -56961,8 +109943,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -56978,35 +109959,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -57035,13 +110005,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -57062,18 +110030,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -57087,12 +110051,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: @@ -57108,13 +110071,11 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' query: 
@@ -57122,23 +110083,14 @@ components: references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: @@ -57167,13 +110119,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' type: 
@@ -57209,18 +110159,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -57234,12 +110180,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -57253,35 +110198,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -57310,13 +110244,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -57342,9 +110274,7 @@ components: - endpoint_blocklists type: string Security_Detections_API_ExternalRuleCustomizedFields: - description: >- - An array of customized field names — that is, fields that the user has - modified from their base value. Defaults to an empty array. + description: An array of customized field names — that is, fields that the user has modified from their base value. Defaults to an empty array. items: type: object properties: 
@@ -57355,27 +110285,18 @@ components: - field_name type: array Security_Detections_API_ExternalRuleHasBaseVersion: - description: >- - Determines whether an external/prebuilt rule has its original, - unmodified version present when the calculation of its customization - status is performed (`rule_source.is_customized` and - `rule_source.customized_fields`). + description: Determines whether an external/prebuilt rule has its original, unmodified version present when the calculation of its customization status is performed (`rule_source.is_customized` and `rule_source.customized_fields`). type: boolean Security_Detections_API_ExternalRuleSource: - description: >- - Type of rule source for externally sourced rules, i.e. rules that have - an external source, such as the Elastic Prebuilt rules repo. + description: Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo. type: object properties: customized_fields: - $ref: >- - #/components/schemas/Security_Detections_API_ExternalRuleCustomizedFields + $ref: '#/components/schemas/Security_Detections_API_ExternalRuleCustomizedFields' has_base_version: - $ref: >- - #/components/schemas/Security_Detections_API_ExternalRuleHasBaseVersion + $ref: '#/components/schemas/Security_Detections_API_ExternalRuleHasBaseVersion' is_customized: - $ref: >- - #/components/schemas/Security_Detections_API_IsExternalRuleCustomized + $ref: '#/components/schemas/Security_Detections_API_IsExternalRuleCustomized' type: enum: - external 
@@ -57410,31 +110331,20 @@ components: - error type: string Security_Detections_API_HistoryWindowStart: - description: >- - Start date to use when checking if a term has been seen before. Supports - relative dates – for example, now-30d will search the last 30 days of - data when checking if a term is new. We do not recommend using absolute - dates, which can cause issues with rule performance due to querying - increasing amounts of data over time. + description: Start date to use when checking if a term has been seen before. Supports relative dates – for example, now-30d will search the last 30 days of data when checking if a term is new. We do not recommend using absolute dates, which can cause issues with rule performance due to querying increasing amounts of data over time. format: nonempty minLength: 1 type: string Security_Detections_API_IndexPatternArray: - description: > - Indices on which the rule functions. Defaults to the Security Solution - indices defined on the Kibana Advanced Settings page (Kibana → Stack - Management → Advanced Settings → `securitySolution:defaultIndex`). - + description: | + Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings → `securitySolution:defaultIndex`). > info - > This field is not supported for ES|QL rules. items: type: string type: array Security_Detections_API_InternalRuleSource: - description: >- - Type of rule source for internally sourced rules, i.e. created within - the Kibana apps. + description: Type of rule source for internally sourced rules, i.e. created within the Kibana apps. type: object properties: type: 
@@ -57444,12 +110354,9 @@ components: required: - type Security_Detections_API_InvestigationFields: - description: > - Schema for fields relating to investigation fields. These are user - defined fields we use to highlight - - in various features in the UI such as alert details flyout and - exceptions auto-population from alert. + description: | + Schema for fields relating to investigation fields. These are user defined fields we use to highlight + in various features in the UI such as alert details flyout and exceptions auto-population from alert. type: object properties: field_names: @@ -57463,19 +110370,14 @@ components: description: Notes to help investigate alerts produced by the rule. type: string Security_Detections_API_IsExternalRuleCustomized: - description: >- - Determines whether an external/prebuilt rule has been customized by the - user (i.e. any of its fields have been modified and diverged from the - base value). + description: Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value). type: boolean Security_Detections_API_IsRuleEnabled: description: Determines whether the rule is enabled. Defaults to true. type: boolean Security_Detections_API_IsRuleImmutable: deprecated: true - description: >- - This field determines whether the rule is a prebuilt Elastic rule. It - will be replaced with the `rule_source` field. + description: This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the `rule_source` field. type: boolean Security_Detections_API_ItemsPerSearch: minimum: 1 
@@ -57498,18 +110400,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -57523,8 +110421,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -57540,35 +110437,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -57595,13 +110481,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: 
@@ -57630,31 +110514,24 @@ components: - related_integrations - required_fields - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleResponseFields + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleResponseFields' Security_Detections_API_MachineLearningRuleCreateFields: allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleRequiredFields' + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields' Security_Detections_API_MachineLearningRuleCreateProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -57668,8 +110545,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -57685,35 +110561,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -57742,13 +110607,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -57758,8 +110621,7 @@ components: - description - risk_score - severity - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleCreateFields + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleCreateFields' Security_Detections_API_MachineLearningRuleOptionalFields: type: object properties: 
@@ -57772,32 +110634,26 @@ components: anomaly_threshold: $ref: '#/components/schemas/Security_Detections_API_AnomalyThreshold' machine_learning_job_id: - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningJobId + $ref: '#/components/schemas/Security_Detections_API_MachineLearningJobId' type: description: Rule type enum: - machine_learning type: string - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields' Security_Detections_API_MachineLearningRulePatchProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -57811,12 +110667,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -57830,35 +110685,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -57887,19 +110731,16 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRulePatchFields + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRulePatchFields' Security_Detections_API_MachineLearningRuleRequiredFields: type: object properties: 
@@ -57918,27 +110759,21 @@ components: - anomaly_threshold Security_Detections_API_MachineLearningRuleResponseFields: allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleRequiredFields' + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields' Security_Detections_API_MachineLearningRuleUpdateProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -57952,12 +110787,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -57971,35 +110805,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -58028,13 +110851,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: 
@@ -58044,25 +110865,13 @@ components: - description - risk_score - severity - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleCreateFields + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleCreateFields' Security_Detections_API_MaxSignals: default: 100 - description: > - Maximum number of alerts the rule can create during a single run (the - rule’s Max alerts per run [advanced - setting](https://www.elastic.co/docs/solutions/security/detect-and-alert/create-detection-rule#rule-ui-advanced-params) - value). - + description: | + Maximum number of alerts the rule can create during a single run (the rule’s Max alerts per run [advanced setting](https://www.elastic.co/docs/solutions/security/detect-and-alert/create-detection-rule#rule-ui-advanced-params) value). > info - - > This setting can be superseded by the [Kibana configuration - setting](https://www.elastic.co/docs/reference/kibana/configuration-reference/alerting-settings) - `xpack.alerting.rules.run.alerts.max`, which determines the maximum - alerts generated by any rule in the Kibana alerting framework. For - example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, the - rule can generate no more than 1000 alerts even if `max_signals` is set - higher. + > This setting can be superseded by the [Kibana configuration setting](https://www.elastic.co/docs/reference/kibana/configuration-reference/alerting-settings) `xpack.alerting.rules.run.alerts.max`, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, the rule can generate no more than 1000 alerts even if `max_signals` is set higher. minimum: 1 type: integer Security_Detections_API_NewTermsFields: 
@@ -58077,18 +110886,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -58102,8 +110907,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -58119,35 +110923,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -58174,13 +110967,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: 
@@ -58209,33 +111000,25 @@ components: - related_integrations - required_fields - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleResponseFields + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleResponseFields' Security_Detections_API_NewTermsRuleCreateFields: allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleDefaultableFields + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleRequiredFields' + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields' + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleDefaultableFields' Security_Detections_API_NewTermsRuleCreateProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -58249,8 +111032,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -58266,35 +111048,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -58323,13 +111094,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -58339,8 +111108,7 @@ components: - description - risk_score - severity - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleCreateFields + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateFields' Security_Detections_API_NewTermsRuleDefaultableFields: type: object properties: 
@@ -58372,27 +111140,21 @@ components: enum: - new_terms type: string - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleDefaultableFields + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields' + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleDefaultableFields' Security_Detections_API_NewTermsRulePatchProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -58406,12 +111168,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -58425,35 +111186,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -58482,13 +111232,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -58515,10 +111263,8 @@ components: - history_window_start Security_Detections_API_NewTermsRuleResponseFields: allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleRequiredFields' + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields' - type: object properties: language: 
@@ -58530,18 +111276,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -58555,12 +111297,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -58574,35 +111315,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -58631,13 +111361,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -58647,8 +111375,7 @@ components: - description - risk_score - severity - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleCreateFields + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateFields' Security_Detections_API_NonEmptyString: description: A string that does not contain only whitespace characters format: nonempty @@ -58675,8 +111402,7 @@ components: type: object properties: err_code: - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionsDryRunErrCode + $ref: '#/components/schemas/Security_Detections_API_BulkActionsDryRunErrCode' message: type: string rules: 
@@ -58695,31 +111421,20 @@ components: ecs_mapping: $ref: '#/components/schemas/Security_Detections_API_EcsMapping' pack_id: - description: >- - To specify a query pack, use the packId field. Example: "packId": - "processes_elastic" + description: 'To specify a query pack, use the packId field. Example: "packId": "processes_elastic"' type: string queries: items: $ref: '#/components/schemas/Security_Detections_API_OsqueryQuery' type: array query: - description: >- - To run a single query, use the query field and enter a SQL query. - Example: "query": "SELECT * FROM processes;" + description: 'To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"' type: string saved_query_id: - description: >- - To run a saved query, use the saved_query_id field and specify the - saved query ID. Example: "saved_query_id": "processes_elastic" + description: 'To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"' type: string timeout: - description: >- - A timeout period, in seconds, after which the query will stop - running. Overwriting the default timeout allows you to support - queries that require more time to complete. The default and minimum - supported value is 60. The maximum supported value is 900. Example: - "timeout": 120. + description: 'A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.' type: number Security_Detections_API_OsqueryQuery: type: object 
@@ -58773,18 +111488,13 @@ components: type: object properties: command: - description: >- - To run an endpoint response action, specify a value for the command - field. Example: "command": "isolate" + description: 'To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"' enum: - kill-process - suspend-process type: string comment: - description: >- - Add a note that explains or describes the action. You can find your - comment in the response actions history log. Example: "comment": - "Check processes" + description: 'Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"' type: string config: type: object @@ -58836,18 +111546,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -58861,8 +111567,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -58878,35 +111583,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -58933,13 +111627,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -58973,25 +111665,20 @@ components: allOf: - $ref: '#/components/schemas/Security_Detections_API_QueryRuleRequiredFields' - $ref: '#/components/schemas/Security_Detections_API_QueryRuleOptionalFields' - - $ref: >- - #/components/schemas/Security_Detections_API_QueryRuleDefaultableFields + - $ref: '#/components/schemas/Security_Detections_API_QueryRuleDefaultableFields' Security_Detections_API_QueryRuleCreateProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -59005,8 +111692,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -59022,35 +111708,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -59079,13 +111754,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -59126,25 +111799,20 @@ components: - query type: string - $ref: '#/components/schemas/Security_Detections_API_QueryRuleOptionalFields' - - $ref: >- - #/components/schemas/Security_Detections_API_QueryRuleDefaultableFields + - $ref: '#/components/schemas/Security_Detections_API_QueryRuleDefaultableFields' Security_Detections_API_QueryRulePatchProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -59158,12 +111826,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
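Review bot: The `id` property in this hunk changes its `$ref` from `Security_Detections_API_RuleObjectId` to `Security_Detections_API_UUID`, which is a type-level change to the published rule API surface rather than the quoting-only reformat that every other line in these hunks performs; the same substitution appears in the following hunk (`@@ -59299,12 +111949,11 @@`) and in the RuleResponse hunk (`@@ -59571,7 +112163,7 @@`). This bundle looks generated, so the switch presumably originates in a source schema edit; confirm it is intended and that `Security_Detections_API_UUID` is defined in this document with the same constraints and description that `RuleObjectId` carried, otherwise the rendered docs silently lose the field's documented meaning and validators may accept a different set of ids than before. If `RuleObjectId` is no longer referenced anywhere after this change, its definition should be removed from the bundle rather than left orphaned. The commit message only mentions adding `meta: { id }` to Fleet schemas, so a one-line note in the description explaining the detections-side `id` type change would help reviewers.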
@@ -59177,35 +111844,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -59234,13 +111890,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -59274,18 +111928,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -59299,12 +111949,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -59318,35 +111967,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -59375,13 +112013,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -59393,11 +112029,7 @@ components: - severity - $ref: '#/components/schemas/Security_Detections_API_QueryRuleCreateFields' Security_Detections_API_Reason: - description: >- - The reason for closing the alerts. Can be one of following predefined - reasons: [false_positive, duplicate, true_positive, benign_positive, - automated_closure, other] or a custom reason provided by the user - through the advanced settings. + description: 'The reason for closing the alerts. Can be one of following predefined reasons: [false_positive, duplicate, true_positive, benign_positive, automated_closure, other] or a custom reason provided by the user through the advanced settings.' oneOf: - $ref: '#/components/schemas/Security_Detections_API_ReasonEnum' - type: string 
@@ -59411,45 +112043,23 @@ components: - other type: string Security_Detections_API_RelatedIntegration: - description: > - Related integration is a potential dependency of a rule. It's assumed - that if the user installs - - one of the related integrations of a rule, the rule might start to work - properly because it will - - have source events (generated by this integration) potentially matching - the rule's query. - - - NOTE: Proper work is not guaranteed, because a related integration, if - installed, can be - - configured differently or generate data that is not necessarily relevant - for this rule. - - - Related integration is a combination of a Fleet package and (optionally) - one of the + description: | + Related integration is a potential dependency of a rule. It's assumed that if the user installs + one of the related integrations of a rule, the rule might start to work properly because it will + have source events (generated by this integration) potentially matching the rule's query. - package's "integrations" that this package contains. It is represented - by 3 properties: + NOTE: Proper work is not guaranteed, because a related integration, if installed, can be + configured differently or generate data that is not necessarily relevant for this rule. + Related integration is a combination of a Fleet package and (optionally) one of the + package's "integrations" that this package contains. It is represented by 3 properties: - `package`: name of the package (required, unique id) - - `version`: version of the package (required, semver-compatible) + - `integration`: name of the integration of this package (optional, id within the package) - - `integration`: name of the integration of this package (optional, id - within the package) - - - There are Fleet packages like `windows` that contain only one - integration; in this case, - - `integration` should be unspecified. 
There are also packages like `aws` - and `azure` that contain - + There are Fleet packages like `windows` that contain only one integration; in this case, + `integration` should be unspecified. There are also packages like `aws` and `azure` that contain several integrations; in this case, `integration` should be specified. example: integration: activitylogs @@ -59471,35 +112081,23 @@ components: $ref: '#/components/schemas/Security_Detections_API_RelatedIntegration' type: array Security_Detections_API_RequiredField: - description: > - Describes an Elasticsearch field that is needed for the rule to - function. - - - Almost all types of Security rules check source event documents for a - match to some kind of - - query or filter. If a document has certain field with certain values, - then it's a match and + description: | + Describes an Elasticsearch field that is needed for the rule to function. + Almost all types of Security rules check source event documents for a match to some kind of + query or filter. If a document has certain field with certain values, then it's a match and the rule will generate an alert. - - Required field is an event field that must be present in the source - indices of a given rule. - + Required field is an event field that must be present in the source indices of a given rule. @example - const standardEcsField: RequiredField = { name: 'event.action', type: 'keyword', ecs: true, }; - @example - const nonEcsField: RequiredField = { name: 'winlog.event_data.AttributeLDAPDisplayName', type: 'keyword', 
@@ -59508,10 +112106,7 @@ components: type: object properties: ecs: - description: >- - Indicates whether the field is ECS-compliant. This property is only - present in responses. Its value is computed based on field’s name - and type. + description: Indicates whether the field is ECS-compliant. This property is only present in responses. Its value is computed based on field’s name and type. type: boolean name: description: Name of an Elasticsearch field @@ -59532,10 +112127,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RequiredField' type: array Security_Detections_API_RequiredFieldInput: - description: >- - Input parameters to create a RequiredField. Does not include the `ecs` - field, because `ecs` is calculated on the backend based on the field - name and type. + description: Input parameters to create a RequiredField. Does not include the `ecs` field, because `ecs` is calculated on the backend based on the field name and type. type: object properties: name: @@ -59571,7 +112163,7 @@ components: execution_summary: $ref: '#/components/schemas/Security_Detections_API_RuleExecutionSummary' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' immutable: $ref: '#/components/schemas/Security_Detections_API_IsRuleImmutable' required_fields: @@ -59610,9 +112202,7 @@ components: minimum: 0 type: integer Security_Detections_API_RiskScoreMapping: - description: >- - Overrides generated alerts' risk_score with a value from the source - event + description: Overrides generated alerts' risk_score with a value from the source event items: type: object properties: 
@@ -59675,34 +112265,27 @@ components: - params Security_Detections_API_RuleActionAlertsFilter: additionalProperties: true - description: > + description: | Object containing an action’s conditional filters. - - - `timeframe` (object, optional): Object containing the time frame for - when this action can be run. + - `timeframe` (object, optional): Object containing the time frame for when this action can be run. - `days` (array of integers, required): List of days of the week on which this action will be run. Days of the week are expressed as numbers between `1-7`, where `1` is Monday and `7` is Sunday. To select all days of the week, enter an empty array. - `hours` (object, required): The hours of the day during which this action will run. Hours of the day are expressed as two strings in the format `hh:mm` in `24` hour time. A start of `00:00` and an end of `24:00` means the action can run all day. - start (string, required): Start time in `hh:mm` format. - end (string, required): End time in `hh:mm` format. - `timezone` (string, required): An ISO timezone name, such as `Europe/Madrid` or `America/New_York`. Specific offsets such as `UTC` or `UTC+1` will also work, but lack built-in DST. - - `query` (object, optional): Object containing a query filter which - gets applied to an action and determines whether the action should run. + - `query` (object, optional): Object containing a query filter which gets applied to an action and determines whether the action should run. - `kql` (string, required): A KQL string. - `filters` (array of objects, required): Array of filter objects, as defined in the `kbn-es-query` package. type: object Security_Detections_API_RuleActionFrequency: - description: >- - The action frequency defines when the action runs (for example, only on - rule execution or at specific time intervals). + description: The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals). 
type: object properties: notifyWhen: $ref: '#/components/schemas/Security_Detections_API_RuleActionNotifyWhen' summary: - description: >- - Action summary indicates whether we will send a summary notification - about all the generate alerts or notification per individual alert + description: Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert type: boolean throttle: $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' @@ -59712,9 +112295,7 @@ components: - notifyWhen - throttle Security_Detections_API_RuleActionGroup: - description: >- - Optionally groups actions by use cases. Use `default` for alert - notifications. + description: Optionally groups actions by use cases. Use `default` for alert notifications. type: string Security_Detections_API_RuleActionId: description: The connector ID. @@ -59728,10 +112309,8 @@ components: type: string Security_Detections_API_RuleActionParams: additionalProperties: true - description: > - Object containing the allowed connector fields, which varies according - to the connector type. - + description: | + Object containing the allowed connector fields, which varies according to the connector type. For Slack: 
@@ -59779,30 +112358,22 @@ components: anyOf: - $ref: '#/components/schemas/Security_Detections_API_EqlRuleCreateProps' - $ref: '#/components/schemas/Security_Detections_API_QueryRuleCreateProps' - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleCreateProps + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleCreateProps' + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleCreateProps' + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleCreateProps' + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleCreateProps' - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateProps' - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleCreateProps' discriminator: mapping: eql: '#/components/schemas/Security_Detections_API_EqlRuleCreateProps' esql: '#/components/schemas/Security_Detections_API_EsqlRuleCreateProps' - machine_learning: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleCreateProps + machine_learning: '#/components/schemas/Security_Detections_API_MachineLearningRuleCreateProps' new_terms: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateProps' query: '#/components/schemas/Security_Detections_API_QueryRuleCreateProps' - saved_query: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleCreateProps - threat_match: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleCreateProps - threshold: >- - #/components/schemas/Security_Detections_API_ThresholdRuleCreateProps + saved_query: '#/components/schemas/Security_Detections_API_SavedQueryRuleCreateProps' + threat_match: 
'#/components/schemas/Security_Detections_API_ThreatMatchRuleCreateProps' + threshold: '#/components/schemas/Security_Detections_API_ThresholdRuleCreateProps' propertyName: type Security_Detections_API_RuleDescription: description: The rule’s description. @@ -59819,11 +112390,8 @@ components: required: - id Security_Detections_API_RuleExceptionList: - description: > - Array of [exception - containers](https://www.elastic.co/docs/solutions/security/detect-and-alert/detection-rule-concepts), - which define exceptions that prevent the rule from generating alerts - even when its other criteria are met. + description: | + Array of [exception containers](https://www.elastic.co/docs/solutions/security/detect-and-alert/detection-rule-concepts), which define exceptions that prevent the rule from generating alerts even when its other criteria are met. type: object properties: id: @@ -59857,10 +112425,7 @@ components: minimum: 0 type: integer frozen_indices_queried_count: - description: >- - Count of frozen indices queried during the rule execution. These - indices could not be entirely excluded after applying the time range - filter. + description: Count of frozen indices queried during the rule execution. These indices could not be entirely excluded after applying the time range filter. minimum: 0 type: integer gap_range: @@ -59881,9 +112446,7 @@ components: type: object properties: type: - description: >- - The type of reason for the gap (rule_disabled or - rule_did_not_run) + description: The type of reason for the gap (rule_disabled or rule_did_not_run) enum: - rule_disabled - rule_did_not_run 
@@ -59891,50 +112454,25 @@ components: required: - type total_enrichment_duration_ms: - description: >- - Total time spent enriching documents during current rule execution - cycle + description: Total time spent enriching documents during current rule execution cycle minimum: 0 type: integer total_indexing_duration_ms: - description: >- - Total time spent indexing documents during current rule execution - cycle + description: Total time spent indexing documents during current rule execution cycle minimum: 0 type: integer total_search_duration_ms: - description: >- - Total time spent performing ES searches as measured by Kibana; - includes network latency and time spent serializing/deserializing - request/response + description: Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response minimum: 0 type: integer Security_Detections_API_RuleExecutionStatus: - description: >- - Custom execution status of Security rules that is different from the - status used in the Alerting Framework. We merge our custom status with - the Framework's status to determine the resulting status of a rule. - - - going to run - @deprecated Replaced by the 'running' status but left - for backwards compatibility with rule execution events already written - to Event Log in the prior versions of Kibana. Don't use when writing - rule status changes. - - - running - Rule execution started but not reached any intermediate or - final status. - - - partial failure - Rule can partially fail for various reasons either - in the middle of an execution (in this case we update its status right - away) or in the end of it. So currently this status can be both - intermediate and final at the same time. A typical reason for a partial - failure: not all the indices that the rule searches over actually exist. 
- - - failed - Rule failed to execute due to unhandled exception or a reason - defined in the business logic of its executor function. - - - succeeded - Rule executed successfully without any issues. Note: this - status is just an indication of a rule's "health". The rule might or - might not generate any alerts despite of it. + description: |- + Custom execution status of Security rules that is different from the status used in the Alerting Framework. We merge our custom status with the Framework's status to determine the resulting status of a rule. + - going to run - @deprecated Replaced by the 'running' status but left for backwards compatibility with rule execution events already written to Event Log in the prior versions of Kibana. Don't use when writing rule status changes. + - running - Rule execution started but not reached any intermediate or final status. + - partial failure - Rule can partially fail for various reasons either in the middle of an execution (in this case we update its status right away) or in the end of it. So currently this status can be both intermediate and final at the same time. A typical reason for a partial failure: not all the indices that the rule searches over actually exist. + - failed - Rule failed to execute due to unhandled exception or a reason defined in the business logic of its executor function. + - succeeded - Rule executed successfully without any issues. Note: this status is just an indication of a rule's "health". The rule might or might not generate any alerts despite of it. enum: - going to run - running 
@@ -59961,14 +112499,12 @@ components: message: type: string metrics: - $ref: >- - #/components/schemas/Security_Detections_API_RuleExecutionMetrics + $ref: '#/components/schemas/Security_Detections_API_RuleExecutionMetrics' status: $ref: '#/components/schemas/Security_Detections_API_RuleExecutionStatus' description: Status of the last execution status_order: - $ref: >- - #/components/schemas/Security_Detections_API_RuleExecutionStatusOrder + $ref: '#/components/schemas/Security_Detections_API_RuleExecutionStatusOrder' required: - date - status 
@@ -59978,33 +112514,22 @@ components: required: - last_execution Security_Detections_API_RuleFalsePositiveArray: - description: >- - String array used to describe common reasons why the rule may issue - false-positive alerts. Defaults to an empty array. + description: String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array. items: type: string type: array Security_Detections_API_RuleFilterArray: - description: > - The query and filter context array used to define the conditions for - when alerts are created from events. Defaults to an empty array. - + description: | + The query and filter context array used to define the conditions for when alerts are created from events. Defaults to an empty array. > info - > This field is not supported for ES|QL rules. items: {} type: array Security_Detections_API_RuleInterval: - description: >- - Frequency of rule execution, using a date math range. For example, "1h" - means the rule runs every hour. Defaults to 5m (5 minutes). + description: Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes). type: string Security_Detections_API_RuleIntervalFrom: - description: >- - Time from which data is analyzed each time the rule runs, using a date - math range. For example, now-4200s means the rule analyzes data from 70 - minutes before its start time. Defaults to now-6m (analyzes data from 6 - minutes before the start time). + description: Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time). format: date-math type: string Security_Detections_API_RuleIntervalTo: 
@@ -60014,13 +112539,10 @@ components: type: string Security_Detections_API_RuleMetadata: additionalProperties: true - description: > + description: | Placeholder for metadata about the rule. - > info - - > This field is overwritten when you save changes to the rule’s - settings. + > This field is overwritten when you save changes to the rule’s settings. type: object Security_Detections_API_RuleName: description: A human-readable name for the rule. 
@@ -60028,31 +112550,19 @@ components: minLength: 1 type: string Security_Detections_API_RuleNameOverride: - description: >- - Sets which field in the source event is used to populate the alert's - `signal.rule.name` value (in the UI, this value is displayed on the - Rules page in the Rule column). When unspecified, the rule’s `name` - value is used. The source field must be a string data type. + description: Sets which field in the source event is used to populate the alert's `signal.rule.name` value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s `name` value is used. The source field must be a string data type. type: string Security_Detections_API_RuleObjectId: $ref: '#/components/schemas/Security_Detections_API_UUID' - description: >- - A dynamic unique identifier for the rule object. It is randomly - generated when a rule is created and cannot be changed after that. It is - always a UUID. It is unique within a given Kibana space. The same - prebuilt Elastic rule, when installed in two different Kibana spaces or - two different Elastic environments, will have different object `id`s. + description: A dynamic unique identifier for the rule object. It is randomly generated when a rule is created and cannot be changed after that. It is always a UUID. It is unique within a given Kibana space. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have different object `id`s. 
Security_Detections_API_RulePatchProps: anyOf: - $ref: '#/components/schemas/Security_Detections_API_EqlRulePatchProps' - $ref: '#/components/schemas/Security_Detections_API_QueryRulePatchProps' - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRulePatchProps + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRulePatchProps' - $ref: '#/components/schemas/Security_Detections_API_ThresholdRulePatchProps' - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRulePatchProps - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRulePatchProps + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRulePatchProps' + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRulePatchProps' - $ref: '#/components/schemas/Security_Detections_API_NewTermsRulePatchProps' - $ref: '#/components/schemas/Security_Detections_API_EsqlRulePatchProps' Security_Detections_API_RulePreviewLoggedRequest: @@ -60078,8 +112588,7 @@ components: type: array requests: items: - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewLoggedRequest + $ref: '#/components/schemas/Security_Detections_API_RulePreviewLoggedRequest' type: array startedAt: $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' 
@@ -60103,22 +112612,14 @@ components: - invocationCount - timeframeEnd Security_Detections_API_RuleQuery: - description: > - [Query](https://www.elastic.co/docs/explore-analyze/query-filter) used - by the rule to create alerts. - - - - For indicator match rules, only the query’s results are used to - determine whether an alert is generated. + description: | + [Query](https://www.elastic.co/docs/explore-analyze/query-filter) used by the rule to create alerts. - - ES|QL rules have additional query requirements. Refer to [Create - ES|QL](https://www.elastic.co/docs/solutions/security/detect-and-alert/create-detection-rule#create-esql-rule) - rules for more information. + - For indicator match rules, only the query’s results are used to determine whether an alert is generated. + - ES|QL rules have additional query requirements. Refer to [Create ES|QL](https://www.elastic.co/docs/solutions/security/detect-and-alert/create-detection-rule#create-esql-rule) rules for more information. type: string Security_Detections_API_RuleReferenceArray: - description: >- - Array containing notes about or references to relevant information about - the rule. Defaults to an empty array. + description: Array containing notes about or references to relevant information about the rule. Defaults to an empty array. items: type: string type: array 
@@ -60144,47 +112645,26 @@ components: threshold: '#/components/schemas/Security_Detections_API_ThresholdRule' propertyName: type Security_Detections_API_RuleRevision: - description: > + description: | The rule's revision number. - - It represents the version of rule's object in Kibana. It is set to `0` - when the rule is installed or created and then gets incremented on each - update. - + It represents the version of rule's object in Kibana. It is set to `0` when the rule is installed or created and then gets incremented on each update. > info - - > Not all updates to any rule fields will increment the revision. Only - those fields that are considered static `rule parameters` can trigger - revision increments. For example, an update to a rule's query or index - fields will increment the rule's revision by `1`. However, changes to - dynamic or technical fields like enabled or execution_summary will not - cause revision increments. + > Not all updates to any rule fields will increment the revision. Only those fields that are considered static `rule parameters` can trigger revision increments. For example, an update to a rule's query or index fields will increment the rule's revision by `1`. However, changes to dynamic or technical fields like enabled or execution_summary will not cause revision increments. minimum: 0 type: integer Security_Detections_API_RuleSignatureId: - description: >- - A stable unique identifier for the rule object. It can be assigned - during rule creation. It can be any string, but often is a UUID. It - should be unique not only within a given Kibana space, but also across - spaces and Elastic environments. The same prebuilt Elastic rule, when - installed in two different Kibana spaces or two different Elastic - environments, will have the same `rule_id`s. + description: A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. 
It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same `rule_id`s. type: string Security_Detections_API_RuleSource: - description: >- - Discriminated union that determines whether the rule is internally - sourced (created within the Kibana app) or has an external source, such - as the Elastic Prebuilt rules repo. + description: Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo. discriminator: propertyName: type oneOf: - $ref: '#/components/schemas/Security_Detections_API_ExternalRuleSource' - $ref: '#/components/schemas/Security_Detections_API_InternalRuleSource' Security_Detections_API_RuleTagArray: - description: >- - String array containing words and phrases to help categorize, filter, - and search rules. Defaults to an empty array. + description: String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array. items: type: string type: array 
@@ -60192,47 +112672,31 @@ components: anyOf: - $ref: '#/components/schemas/Security_Detections_API_EqlRuleUpdateProps' - $ref: '#/components/schemas/Security_Detections_API_QueryRuleUpdateProps' - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleUpdateProps - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleUpdateProps - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleUpdateProps - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleUpdateProps + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleUpdateProps' + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleUpdateProps' + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleUpdateProps' + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleUpdateProps' - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleUpdateProps' - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleUpdateProps' discriminator: mapping: eql: '#/components/schemas/Security_Detections_API_EqlRuleUpdateProps' esql: '#/components/schemas/Security_Detections_API_EsqlRuleUpdateProps' - machine_learning: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleUpdateProps + machine_learning: '#/components/schemas/Security_Detections_API_MachineLearningRuleUpdateProps' new_terms: '#/components/schemas/Security_Detections_API_NewTermsRuleUpdateProps' query: '#/components/schemas/Security_Detections_API_QueryRuleUpdateProps' - saved_query: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleUpdateProps - threat_match: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleUpdateProps - threshold: >- - #/components/schemas/Security_Detections_API_ThresholdRuleUpdateProps + saved_query: '#/components/schemas/Security_Detections_API_SavedQueryRuleUpdateProps' + threat_match: 
'#/components/schemas/Security_Detections_API_ThreatMatchRuleUpdateProps' + threshold: '#/components/schemas/Security_Detections_API_ThresholdRuleUpdateProps' propertyName: type Security_Detections_API_RuleVersion: - description: > + description: | The rule's version number. - - - For prebuilt rules it represents the version of the rule's content in - the source [detection-rules](https://github.com/elastic/detection-rules) - repository (and the corresponding `security_detection_engine` Fleet - package that is used for distributing prebuilt rules). - + - For prebuilt rules it represents the version of the rule's content in the source [detection-rules](https://github.com/elastic/detection-rules) repository (and the corresponding `security_detection_engine` Fleet package that is used for distributing prebuilt rules). - For custom rules it is set to `1` when the rule is created. - > info - - > It is not incremented on each update. Compare this to the `revision` - field. + > It is not incremented on each update. Compare this to the `revision` field. minimum: 1 type: integer Security_Detections_API_RunScriptOsConfigValues: 
@@ -60258,22 +112722,17 @@ components: - runscript type: string comment: - description: >- - Add a note that explains or describes the action. You can find your - comment in the response actions history log + description: Add a note that explains or describes the action. You can find your comment in the response actions history log type: string config: type: object properties: linux: - $ref: >- - #/components/schemas/Security_Detections_API_RunScriptOsConfigValues + $ref: '#/components/schemas/Security_Detections_API_RunScriptOsConfigValues' macos: - $ref: >- - #/components/schemas/Security_Detections_API_RunScriptOsConfigValues + $ref: '#/components/schemas/Security_Detections_API_RunScriptOsConfigValues' windows: - $ref: >- - #/components/schemas/Security_Detections_API_RunScriptOsConfigValues + $ref: '#/components/schemas/Security_Detections_API_RunScriptOsConfigValues' required: - command Security_Detections_API_SavedObjectResolveAliasPurpose: 
@@ -60290,28 +112749,21 @@ components: - conflict type: string Security_Detections_API_SavedQueryId: - description: >- - Kibana [saved - search](https://www.elastic.co/docs/explore-analyze/discover/search-sessions) - used by the rule to create alerts. + description: Kibana [saved search](https://www.elastic.co/docs/explore-analyze/discover/search-sessions) used by the rule to create alerts. type: string Security_Detections_API_SavedQueryRule: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -60325,8 +112777,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -60342,35 +112793,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -60397,13 +112837,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: 
@@ -60432,33 +112870,25 @@ components: - related_integrations - required_fields - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleResponseFields + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleResponseFields' Security_Detections_API_SavedQueryRuleCreateFields: allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleDefaultableFields + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleRequiredFields' + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields' + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleDefaultableFields' Security_Detections_API_SavedQueryRuleCreateProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -60472,8 +112902,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -60489,35 +112918,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -60546,13 +112964,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -60562,8 +112978,7 @@ components: - description - risk_score - severity - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleCreateFields + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleCreateFields' Security_Detections_API_SavedQueryRuleDefaultableFields: type: object properties: 
@@ -60593,27 +113008,21 @@ components: enum: - saved_query type: string - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleDefaultableFields + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields' + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleDefaultableFields' Security_Detections_API_SavedQueryRulePatchProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -60627,12 +113036,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
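Review bot: In the second hunk here (`@@ -60627,12 +113036,11 @@`), the `id` property of `Security_Detections_API_SavedQueryRulePatchProps` now points at `Security_Detections_API_UUID` instead of `Security_Detections_API_RuleObjectId`, which drops the description that distinguishes the dynamic object `id` from the stable `rule_id`; the same substitution appears in the `@@ -60771,12 +113159,11 @@` hunk for the following `*Props` schema. The other hunks in this section only re-fold description strings and re-quote `$ref` values, so this is the one semantic change to the rendered schema, and it is not mentioned in the commit message. If the `id`/`rule_id` distinction is meant to survive in the published docs, the entry should keep `$ref: '#/components/schemas/Security_Detections_API_RuleObjectId'`, or the `UUID` ref should gain an inline `description:` stating that this is the saved-object id, not the signature id. The hunk offsets jump from roughly 60k to 113k, which suggests this file is a regenerated bundle, so the fix presumably belongs in the source schema the bundler reads rather than in this output.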
@@ -60646,35 +113054,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -60703,19 +113100,16 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRulePatchFields + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRulePatchFields' Security_Detections_API_SavedQueryRuleRequiredFields: type: object properties: @@ -60731,10 +113125,8 @@ components: - saved_id Security_Detections_API_SavedQueryRuleResponseFields: allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleRequiredFields' + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields' - type: object properties: language: 
@@ -60746,18 +113138,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -60771,12 +113159,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -60790,35 +113177,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -60847,13 +113223,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -60863,8 +113237,7 @@ components: - description - risk_score - severity - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleCreateFields + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleCreateFields' Security_Detections_API_SetAlertAssigneesBody: type: object properties: @@ -60883,15 +113256,12 @@ components: propertyName: status oneOf: - $ref: '#/components/schemas/Security_Detections_API_CloseAlertsByIds' - - $ref: >- - #/components/schemas/Security_Detections_API_SetAlertsStatusByIdsBase + - $ref: '#/components/schemas/Security_Detections_API_SetAlertsStatusByIdsBase' Security_Detections_API_SetAlertsStatusByIdsBase: type: object properties: signal_ids: - description: >- - List of alert ids. Use field `_id` on alert document or - `kibana.alert.uuid`. Note: signals are a deprecated term for alerts. + description: 'List of alert ids. Use field `_id` on alert document or `kibana.alert.uuid`. Note: signals are a deprecated term for alerts.' items: format: nonempty minLength: 1 
@@ -60910,8 +113280,7 @@ components: propertyName: status oneOf: - $ref: '#/components/schemas/Security_Detections_API_CloseAlertsByQuery' - - $ref: >- - #/components/schemas/Security_Detections_API_SetAlertsStatusByQueryBase + - $ref: '#/components/schemas/Security_Detections_API_SetAlertsStatusByQueryBase' Security_Detections_API_SetAlertsStatusByQueryBase: type: object properties: @@ -60951,25 +113320,15 @@ components: - ids - tags Security_Detections_API_SetupGuide: - description: >- - Populates the rule’s setup guide with instructions on rule prerequisites - such as required integrations, configuration steps, and anything else - needed for the rule to work correctly. + description: Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly. type: string Security_Detections_API_Severity: - description: > - Severity level of alerts produced by the rule, which must be one of the - following: - - * `low`: Alerts that are of interest but generally not considered to be - security incidents - + description: | + Severity level of alerts produced by the rule, which must be one of the following: + * `low`: Alerts that are of interest but generally not considered to be security incidents * `medium`: Alerts that require investigation - * `high`: Alerts that require immediate investigation - - * `critical`: Alerts that indicate it is highly likely a security - incident has occurred + * `critical`: Alerts that indicate it is highly likely a security incident has occurred enum: - low - medium @@ -61014,11 +113373,9 @@ components: - desc type: string Security_Detections_API_Threat: - description: > + description: | > info - - > Currently, only threats described using the MITRE ATT&CK™ - framework are supported. + > Currently, only threats described using the MITRE ATT&CK™ framework are supported. type: object properties: framework: 
@@ -61040,9 +113397,7 @@ components: type: array Security_Detections_API_ThreatFilters: items: - description: >- - Query and filter context array used to filter documents from the - Elasticsearch index containing the threat values + description: Query and filter context array used to filter documents from the Elasticsearch index containing the threat values type: array Security_Detections_API_ThreatIndex: description: Elasticsearch indices used to check which field values generate alerts. 
@@ -61050,28 +113405,17 @@ components: type: string type: array Security_Detections_API_ThreatIndicatorPath: - description: >- - Defines the path to the threat indicator in the indicator documents - (optional) + description: Defines the path to the threat indicator in the indicator documents (optional) type: string Security_Detections_API_ThreatMapping: - description: > - Array of entries objects that define mappings between the source event - fields and the values in the Elasticsearch threat index. Each entries - object must contain these fields: - + description: | + Array of entries objects that define mappings between the source event fields and the values in the Elasticsearch threat index. Each entries object must contain these fields: - field: field from the event indices on which the rule runs - - type: must be mapping - - value: field from the Elasticsearch threat index - You can use Boolean and and or logic to define the conditions for when - matching fields and values generate alerts. Sibling entries objects are - evaluated using or logic, whereas multiple entries in a single entries - object use and logic. See Example of Threat Match rule which uses both - `and` and `or` logic. + You can use Boolean and and or logic to define the conditions for when matching fields and values generate alerts. Sibling entries objects are evaluated using or logic, whereas multiple entries in a single entries object use and logic. See Example of Threat Match rule which uses both `and` and `or` logic. items: type: object properties: 
@@ -61105,18 +113449,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -61130,8 +113470,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -61147,35 +113486,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -61202,13 +113530,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: 
@@ -61237,33 +113563,25 @@ components: - related_integrations - required_fields - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleResponseFields + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleResponseFields' Security_Detections_API_ThreatMatchRuleCreateFields: allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleDefaultableFields + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleRequiredFields' + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields' + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleDefaultableFields' Security_Detections_API_ThreatMatchRuleCreateProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -61277,8 +113595,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -61294,35 +113611,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -61351,13 +113657,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -61367,8 +113671,7 @@ components: - description - risk_score - severity - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleCreateFields + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleCreateFields' Security_Detections_API_ThreatMatchRuleDefaultableFields: type: object properties: 
@@ -61414,27 +113717,21 @@ components: enum: - threat_match type: string - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleDefaultableFields + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields' + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleDefaultableFields' Security_Detections_API_ThreatMatchRulePatchProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -61448,12 +113745,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
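Review bot: The `id` property of Security_Detections_API_ThreatMatchRulePatchProps changes from `$ref: '#/components/schemas/Security_Detections_API_RuleObjectId'` to `$ref: '#/components/schemas/Security_Detections_API_UUID'` in the `@@ -61448,12 +113745,11 @@` hunk, and the same replacement appears in the hunks at `@@ -61601,12 +113877,11 @@` and `@@ -62142,12 +114347,11 @@`; unlike the rest of this file section, which only rewrites folded scalars into single-line strings, this is a schema change that alters the validation contract for the patch and update bodies. The commit subject is about adding `meta: { id }` to Fleet schemas and does not mention it, so it presumably comes from regenerating the bundle against a source where that alias had already been switched; it is worth confirming the change is intended and that RuleObjectId and UUID impose the same format constraints, otherwise clients validating against this spec will see a difference the commit does not account for. If it is intended, a one-line mention in the commit description would keep the regenerated bundle reviewable.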
@@ -61467,35 +113763,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -61524,19 +113809,16 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRulePatchFields + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRulePatchFields' Security_Detections_API_ThreatMatchRuleRequiredFields: type: object properties: @@ -61561,10 +113843,8 @@ components: - threat_index Security_Detections_API_ThreatMatchRuleResponseFields: allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleRequiredFields' + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields' - type: object properties: language: 
@@ -61576,18 +113856,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -61601,12 +113877,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -61620,35 +113895,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -61677,13 +113941,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -61693,12 +113955,9 @@ components: - description - risk_score - severity - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleCreateFields + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleCreateFields' Security_Detections_API_ThreatQuery: - description: >- - Query used to determine which fields in the Elasticsearch index are used - for generating alerts. + description: Query used to determine which fields in the Elasticsearch index are used for generating alerts. type: string Security_Detections_API_ThreatSubtechnique: type: object @@ -61773,8 +114032,7 @@ components: type: object properties: duration: - $ref: >- - #/components/schemas/Security_Detections_API_AlertSuppressionDuration + $ref: '#/components/schemas/Security_Detections_API_AlertSuppressionDuration' required: - duration Security_Detections_API_ThresholdCardinality: @@ -61786,9 +114044,7 @@ components: description: The field on which to calculate and compare the cardinality. type: string value: - description: >- - The threshold value from which an alert is generated based on - unique number of values of cardinality.field. + description: The threshold value from which an alert is generated based on unique number of values of cardinality.field. minimum: 0 type: integer required: 
@@ -61796,10 +114052,7 @@ components: - value type: array Security_Detections_API_ThresholdField: - description: >- - The field on which the threshold is applied. If you specify an empty - array ([]), alerts are generated when the query returns at least the - number of results specified in the value field. + description: The field on which the threshold is applied. If you specify an empty array ([]), alerts are generated when the query returns at least the number of results specified in the value field. oneOf: - type: string - items: @@ -61812,18 +114065,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -61837,8 +114086,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -61854,35 +114102,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -61909,13 +114146,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: 
@@ -61944,33 +114179,25 @@ components: - related_integrations - required_fields - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleResponseFields + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleResponseFields' Security_Detections_API_ThresholdRuleCreateFields: allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleDefaultableFields + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleRequiredFields' + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields' + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleDefaultableFields' Security_Detections_API_ThresholdRuleCreateProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -61984,8 +114211,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -62001,35 +114227,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -62058,13 +114273,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -62074,8 +114287,7 @@ components: - description - risk_score - severity - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleCreateFields + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleCreateFields' Security_Detections_API_ThresholdRuleDefaultableFields: type: object properties: @@ -62085,8 +114297,7 @@ components: type: object properties: alert_suppression: - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdAlertSuppression + $ref: '#/components/schemas/Security_Detections_API_ThresholdAlertSuppression' data_view_id: $ref: '#/components/schemas/Security_Detections_API_DataViewId' filters: 
@@ -62108,27 +114319,21 @@ components: enum: - threshold type: string - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleDefaultableFields + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields' + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleDefaultableFields' Security_Detections_API_ThresholdRulePatchProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -62142,12 +114347,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -62161,35 +114365,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -62218,19 +114411,16 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRulePatchFields + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRulePatchFields' Security_Detections_API_ThresholdRuleRequiredFields: type: object properties: @@ -62249,10 +114439,8 @@ components: - threshold Security_Detections_API_ThresholdRuleResponseFields: allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleRequiredFields' + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields' - type: object properties: language: 
@@ -62264,18 +114452,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -62289,12 +114473,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -62308,35 +114491,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -62365,13 +114537,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: 
@@ -62381,26 +114551,17 @@ components: - description - risk_score - severity - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleCreateFields + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleCreateFields' Security_Detections_API_ThresholdValue: description: The threshold value from which an alert is generated. minimum: 1 type: integer Security_Detections_API_ThrottleForBulkActions: - description: > + description: | Defines the maximum interval in which a rule’s actions are executed. - > info - - > The rule level `throttle` field is deprecated in Elastic Security 8.8 - and will remain active for at least the next 12 months. - - > In Elastic Security 8.8 and later, you can use the `frequency` field - to define frequencies for individual actions. Actions without - frequencies will acquire a converted version of the rule’s `throttle` - field. In the response, the converted `throttle` setting appears in the - individual actions' `frequency` field. + > The rule level `throttle` field is deprecated in Elastic Security 8.8 and will remain active for at least the next 12 months. + > In Elastic Security 8.8 and later, you can use the `frequency` field to define frequencies for individual actions. Actions without frequencies will acquire a converted version of the rule’s `throttle` field. In the response, the converted `throttle` setting appears in the individual actions' `frequency` field. enum: - rule - 1h 
@@ -62417,17 +114578,10 @@ components: description: Timeline template title type: string Security_Detections_API_TimestampField: - description: >- - Specifies the name of the event timestamp field used for sorting a - sequence of events. Not to be confused with `timestamp_override`, which - specifies the more general field used for querying events within a - range. Defaults to the @timestamp ECS field. + description: Specifies the name of the event timestamp field used for sorting a sequence of events. Not to be confused with `timestamp_override`, which specifies the more general field used for querying events within a range. Defaults to the @timestamp ECS field. type: string Security_Detections_API_TimestampOverride: - description: >- - Sets the time field used to query indices. When unspecified, rules query - the `@timestamp` field. The source field must be an Elasticsearch date - data type. + description: Sets the time field used to query indices. When unspecified, rules query the `@timestamp` field. The source field must be an Elasticsearch date data type. type: string Security_Detections_API_TimestampOverrideFallbackDisabled: description: Disables the fallback to the event's @timestamp field @@ -62462,10 +114616,7 @@ components: type: object properties: _version: - description: >- - The version id, normally returned by the API when the item was - retrieved. Use it ensure updates are done against the latest - version. + description: The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version. type: string created_at: description: Autogenerated date of object creation. 
@@ -62475,39 +114626,28 @@ components: description: Autogenerated value - user that created object. type: string description: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListDescription + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListDescription' id: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListId + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListId' immutable: type: boolean list_id: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListHumanId + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListHumanId' meta: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListMeta + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListMeta' name: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListName + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListName' namespace_type: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionNamespaceType + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionNamespaceType' os_types: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsTypeArray + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsTypeArray' tags: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListTags + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListTags' tie_breaker_id: - description: >- - Field used in search to ensure all containers are sorted and - returned correctly. + description: Field used in search to ensure all containers are sorted and returned correctly. 
type: string type: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListType + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListType' updated_at: description: Autogenerated date of last object update. format: date-time @@ -62516,8 +114656,7 @@ components: description: Autogenerated value - user that last updated object. type: string version: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListVersion + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListVersion' required: - id - list_id 
@@ -62537,30 +114676,17 @@ components: example: This list tracks allowlisted values. type: string Security_Endpoint_Exceptions_API_ExceptionListHumanId: - description: > + description: | The exception list's human-readable string identifier. - For endpoint artifacts, use one of the following values: - - * `endpoint_list`: [Elastic Endpoint exception - list](https://www.elastic.co/docs/solutions/security/detect-and-alert/add-manage-exceptions) - - * `endpoint_trusted_apps`: [Trusted applications - list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/trusted-applications) - - * `endpoint_trusted_devices`: [Trusted devices - list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/trusted-devices) - - * `endpoint_event_filters`: [Event filters - list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/event-filters) - - * `endpoint_host_isolation_exceptions`: [Host isolation exceptions - list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/host-isolation-exceptions) - - * `endpoint_blocklists`: [Blocklists - list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/blocklist) + * `endpoint_list`: [Elastic Endpoint exception list](https://www.elastic.co/docs/solutions/security/detect-and-alert/add-manage-exceptions) + * `endpoint_trusted_apps`: [Trusted applications list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/trusted-applications) + * `endpoint_trusted_devices`: [Trusted devices list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/trusted-devices) + * `endpoint_event_filters`: [Event filters list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/event-filters) + * `endpoint_host_isolation_exceptions`: [Host isolation exceptions list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/host-isolation-exceptions) + * `endpoint_blocklists`: [Blocklists 
list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/blocklist) example: simple_list format: nonempty minLength: 1 @@ -62575,14 +114701,10 @@ components: type: object properties: _version: - description: >- - The version id, normally returned by the API when the item was - retrieved. Use it ensure updates are done against the latest - version. + description: The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version. type: string comments: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray' created_at: description: Autogenerated date of object creation. format: date-time 
@@ -62591,46 +114713,32 @@ components: description: Autogenerated value - user that created object. type: string description: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription' entries: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray' expire_time: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemExpireTime + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemExpireTime' id: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId' item_id: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId' list_id: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListHumanId + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListHumanId' meta: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta' name: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName' namespace_type: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionNamespaceType + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionNamespaceType' os_types: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray + $ref: 
'#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray' tags: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags' tie_breaker_id: - description: >- - Field used in search to ensure all containers are sorted and - returned correctly. + description: Field used in search to ensure all containers are sorted and returned correctly. type: string type: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType' updated_at: description: Autogenerated date of last object update. format: date-time 
@@ -62683,32 +114791,24 @@ components: - comment (string): Comments about the exception item. items: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemComment + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemComment' type: array Security_Endpoint_Exceptions_API_ExceptionListItemDescription: description: Describes the exception list. type: string Security_Endpoint_Exceptions_API_ExceptionListItemEntry: anyOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryList - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryNested - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchWildcard + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryList' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryNested' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchWildcard' discriminator: propertyName: type Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray: items: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntry + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntry' type: array 
Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists: type: object @@ -62716,8 +114816,7 @@ components: field: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' operator: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator' type: enum: - exists @@ -62742,8 +114841,7 @@ components: - id - type operator: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator' type: enum: - list @@ -62759,8 +114857,7 @@ components: field: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' operator: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator' type: enum: - match @@ -62778,16 +114875,14 @@ components: field: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' operator: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator' type: enum: - match_any type: string value: items: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' minItems: 1 type: array required: @@ -62801,8 +114896,7 @@ components: field: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' operator: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator' type: enum: - wildcard 
@@ -62819,8 +114913,7 @@ components: properties: entries: items: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryNestedEntryItem + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryNestedEntryItem' minItems: 1 type: array field: @@ -62835,21 +114928,16 @@ components: - entries Security_Endpoint_Exceptions_API_ExceptionListItemEntryNestedEntryItem: oneOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists' Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator: enum: - excluded - included type: string Security_Endpoint_Exceptions_API_ExceptionListItemExpireTime: - description: >- - The exception item’s expiration date, in ISO format. This field is only - available for regular exception items, not endpoint exceptions. + description: The exception item’s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions. format: date-time type: string Security_Endpoint_Exceptions_API_ExceptionListItemHumanId: 
@@ -62874,14 +114962,11 @@ components: type: string Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray: items: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsType + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsType' type: array Security_Endpoint_Exceptions_API_ExceptionListItemTags: items: - description: >- - String array containing words and phrases to help categorize exception - items. + description: String array containing words and phrases to help categorize exception items. format: nonempty minLength: 1 type: string @@ -62908,20 +114993,15 @@ components: Security_Endpoint_Exceptions_API_ExceptionListOsTypeArray: description: Use this field to specify the operating system. Only enter one value. items: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsType + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsType' type: array Security_Endpoint_Exceptions_API_ExceptionListTags: - description: >- - String array containing words and phrases to help categorize exception - containers. + description: String array containing words and phrases to help categorize exception containers. items: type: string type: array Security_Endpoint_Exceptions_API_ExceptionListType: - description: >- - The type of exception list to be created. Different list types may - denote where they can be utilized. + description: The type of exception list to be created. Different list types may denote where they can be utilized. enum: - detection - rule_default 
@@ -62937,21 +115017,14 @@ components: minimum: 1 type: integer Security_Endpoint_Exceptions_API_ExceptionNamespaceType: - description: > - Determines whether the exception container is available in all Kibana - spaces or just the space - + description: | + Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where: - - `single`: Only available in the Kibana space in which it is created. - - `agnostic`: Available in all Kibana spaces. - - For endpoint artifacts, the `namespace_type` must always be `agnostic`. - Space awareness for endpoint artifacts is enforced based on Elastic - Defend policy assignments. + For endpoint artifacts, the `namespace_type` must always be `agnostic`. Space awareness for endpoint artifacts is enforced based on Elastic Defend policy assignments. enum: - agnostic - single @@ -62965,17 +115038,12 @@ components: minLength: 1 type: string Security_Endpoint_Exceptions_API_ListType: - description: > - Specifies the Elasticsearch data type of excludes the list container - holds. Some common examples: - + description: | + Specifies the Elasticsearch data type of excludes the list container holds. Some common examples: - `keyword`: Many ECS fields are Elasticsearch keywords - - `ip`: IP addresses - - - `ip_range`: Range of IP addresses (supports IPv4, IPv6, and CIDR - notation) + - `ip_range`: Range of IP addresses (supports IPv4, IPv6, and CIDR notation) enum: - binary - boolean 
@@ -63038,8 +115106,7 @@ components: isolate: '#/components/schemas/Security_Endpoint_Management_API_Isolate' kill-process: '#/components/schemas/Security_Endpoint_Management_API_KillProcess' memory-dump: '#/components/schemas/Security_Endpoint_Management_API_MemoryDump' - running-processes: >- - #/components/schemas/Security_Endpoint_Management_API_RunningProcesses + running-processes: '#/components/schemas/Security_Endpoint_Management_API_RunningProcesses' runscript: '#/components/schemas/Security_Endpoint_Management_API_Runscript' scan: '#/components/schemas/Security_Endpoint_Management_API_Scan' suspend-process: '#/components/schemas/Security_Endpoint_Management_API_SuspendProcess' @@ -63057,8 +115124,7 @@ components: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Isolate' - $ref: '#/components/schemas/Security_Endpoint_Management_API_Unisolate' - $ref: '#/components/schemas/Security_Endpoint_Management_API_SuspendProcess' - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_RunningProcesses + - $ref: '#/components/schemas/Security_Endpoint_Management_API_RunningProcesses' - $ref: '#/components/schemas/Security_Endpoint_Management_API_MemoryDump' Security_Endpoint_Management_API_ActionStateSuccessResponse: type: object @@ -63067,9 +115133,7 @@ components: type: object properties: canEncrypt: - description: >- - Whether the Kibana instance has encryption enabled for response - actions. + description: Whether the Kibana instance has encryption enabled for response actions. type: boolean required: - data @@ -63084,8 +115148,7 @@ components: agent_id: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentId' pending_actions: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionsSchema + $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionsSchema' required: - agent_id - pending_actions 
@@ -63138,17 +115201,12 @@ components: example: updatedAt type: string Security_Endpoint_Management_API_ArchivePathToExecutableSchema: - description: >- - Used only for when the uploaded script is an archive (.zip file for - example). This property defines the relative path to the file included - in the archive that should be executed once its contents are extracted. - The path should be relative to the root of the archive. + description: Used only for when the uploaded script is an archive (.zip file for example). This property defines the relative path to the file included in the archive that should be executed once its contents are extracted. The path should be relative to the root of the archive. example: ./bin/script.sh type: string Security_Endpoint_Management_API_Cancel: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - type: object properties: outputs: @@ -63174,10 +115232,7 @@ components: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: - description: >- - If this action is associated with any alerts, they can be - specified here. The action will be logged in any cases - associated with the specified alerts. Max of 50. + description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. example: - alert-id-1 - alert-id-2 @@ -63188,9 +115243,7 @@ components: minItems: 1 type: array case_ids: - description: >- - The IDs of cases where the action taken will be logged. Max of - 50. + description: The IDs of cases where the action taken will be logged. Max of 50. example: - case-id-1 - case-id-2 
@@ -63203,8 +115256,7 @@ components: comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: @@ -63284,24 +115336,19 @@ components: format: binary type: object fileType: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointScriptFileType + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointScriptFileType' instructions: - description: >- - Instructions for using the script, including details around its - supported input arguments + description: Instructions for using the script, including details around its supported input arguments type: string name: description: Name of the script type: string pathToExecutable: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ArchivePathToExecutableSchema + $ref: '#/components/schemas/Security_Endpoint_Management_API_ArchivePathToExecutableSchema' platform: description: Platforms supported by the the script items: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointScriptPlatform + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointScriptPlatform' type: array requiresInput: description: Whether the script requires input arguments @@ -63309,8 +115356,7 @@ components: tags: description: Tags to categorize the script items: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointScriptTags + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointScriptTags' type: array required: - name 
@@ -63321,10 +115367,8 @@ components: type: object properties: downloadUri: - description: > - The server relative URI to download the file associated with the - output of the response action. - + description: | + The server relative URI to download the file associated with the output of the response action. URI does **not** include the space prefix example: /api/endpoint/action/497f6eca-6276/file/35645-6276-4993/download format: uri-reference @@ -63352,9 +115396,7 @@ components: '@timestamp': '2023-07-04T15:48:57.3609346Z' agent: build: - original: >- - version: 7.16.0, compiled: Tue Nov 16 17:00:00 2021, branch: - 7.16, commit: 73a51033db85e0fb3be1c934697ef6a2b08979ab + original: 'version: 7.16.0, compiled: Tue Nov 16 17:00:00 2021, branch: 7.16, commit: 73a51033db85e0fb3be1c934697ef6a2b08979ab' id: abb8a826-6812-448c-a571-6d8269b51449 type: endpoint version: 7.16.0 @@ -63433,9 +115475,7 @@ components: type: object properties: {} Security_Endpoint_Management_API_EndpointRunScriptParameters: - description: >- - Parameters for Run Script response action against Elastic Defend agent - type. + description: Parameters for Run Script response action against Elastic Defend agent type. example: agent_type: endpoint endpoint_ids: @@ -63449,9 +115489,7 @@ components: minLength: 1 type: string scriptInput: - description: >- - The input parameter arguments (if any) for the script that will be - executed. + description: The input parameter arguments (if any) for the script that will be executed. minLength: 1 type: string required: 
@@ -63472,11 +115510,8 @@ components: example: Collects host data for investigation type: string downloadUri: - description: >- - URI to download the script file. Note that this is the relative path - and does not include the space (if applicable) - example: >- - /api/endpoint/scripts_library/123e4567-e89b-12d3-a456-426655440000/download + description: URI to download the script file. Note that this is the relative path and does not include the space (if applicable) + example: /api/endpoint/scripts_library/123e4567-e89b-12d3-a456-426655440000/download type: string example: type: string @@ -63497,31 +115532,25 @@ components: format: uuid type: string instructions: - description: >- - Instructions for using the script, including details around its - supported input arguments + description: Instructions for using the script, including details around its supported input arguments type: string name: example: Collect host data type: string pathToExecutable: - description: > - The relative path to the file included in the archive that should be - executed once its contents are extracted. Applicable only for - scripts uploaded as an archive (.zip file for example). + description: | + The relative path to the file included in the archive that should be executed once its contents are extracted. Applicable only for scripts uploaded as an archive (.zip file for example). type: string platform: items: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointScriptPlatform + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointScriptPlatform' type: array requiresInput: type: boolean tags: description: Tags that categorize the script items: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointScriptTags + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointScriptTags' type: array updatedAt: format: date-time 
@@ -63532,12 +115561,7 @@ components: version: type: string Security_Endpoint_Management_API_EndpointScriptFileType: - description: >- - The type of the uploaded file, which determines the expected value of - `pathToExecutable`. If `fileType` is "script", then `pathToExecutable` - should not be included. If `fileType` is "archive", then - `pathToExecutable` is required and should specify the path to the - executable file within the archive. + description: The type of the uploaded file, which determines the expected value of `pathToExecutable`. If `fileType` is "script", then `pathToExecutable` should not be included. If `fileType` is "archive", then `pathToExecutable` is required and should specify the path to the executable file within the archive. enum: - script - archive @@ -63564,8 +115588,7 @@ components: type: string Security_Endpoint_Management_API_Execute: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - type: object properties: outputs: @@ -63574,8 +115597,7 @@ components: properties: content: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_DownloadUri + - $ref: '#/components/schemas/Security_Endpoint_Management_API_DownloadUri' - type: object properties: code: @@ -63613,10 +115635,7 @@ components: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: - description: >- - If this action is associated with any alerts, they can be - specified here. The action will be logged in any cases - associated with the specified alerts. Max of 50. + description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. example: - alert-id-1 - alert-id-2 
@@ -63627,9 +115646,7 @@ components: minItems: 1 type: array case_ids: - description: >- - The IDs of cases where the action taken will be logged. Max of - 50. + description: The IDs of cases where the action taken will be logged. Max of 50. example: - case-id-1 - case-id-2 @@ -63642,8 +115659,7 @@ components: comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: @@ -63658,9 +115674,7 @@ components: minLength: 1 type: string timeout: - description: >- - The maximum timeout value in seconds before the command is - terminated. + description: The maximum timeout value in seconds before the command is terminated. minimum: 1 type: integer required: @@ -63738,8 +115752,7 @@ components: data: description: The list of response actions. items: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' type: array elasticAgentIds: description: The list of elastic agent IDs the query was filtered by. @@ -63773,8 +115786,7 @@ components: type: array Security_Endpoint_Management_API_GetFile: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - type: object properties: outputs: @@ -63783,8 +115795,7 @@ components: properties: content: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_DownloadUri + - $ref: '#/components/schemas/Security_Endpoint_Management_API_DownloadUri' - type: object properties: code: 
@@ -63819,10 +115830,7 @@ components: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: - description: >- - If this action is associated with any alerts, they can be - specified here. The action will be logged in any cases - associated with the specified alerts. Max of 50. + description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. example: - alert-id-1 - alert-id-2 @@ -63833,9 +115841,7 @@ components: minItems: 1 type: array case_ids: - description: >- - The IDs of cases where the action taken will be logged. Max of - 50. + description: The IDs of cases where the action taken will be logged. Max of 50. example: - case-id-1 - case-id-2 @@ -63848,8 +115854,7 @@ components: comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: @@ -63872,10 +115877,7 @@ components: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: - description: >- - If this action is associated with any alerts, they can be specified - here. The action will be logged in any cases associated with the - specified alerts. Max of 50. + description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. example: - alert-id-1 - alert-id-2 
@@ -63938,8 +115940,7 @@ components: type: array Security_Endpoint_Management_API_Isolate: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - description: Details of an isolate action response. type: object Security_Endpoint_Management_API_IsolateRouteResponse: @@ -63949,12 +115950,10 @@ components: description: The action ID (legacy field, same as `data.id`). type: string data: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' Security_Endpoint_Management_API_KillProcess: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - type: object properties: outputs: @@ -64005,9 +116004,7 @@ components: - type: object properties: process_name: - description: >- - The name of the process to terminate. Valid for - SentinelOne agent type only. + description: The name of the process to terminate. Valid for SentinelOne agent type only. type: string Security_Endpoint_Management_API_KillProcessRouteRequestBody: allOf: @@ -64016,10 +116013,7 @@ components: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: - description: >- - If this action is associated with any alerts, they can be - specified here. The action will be logged in any cases - associated with the specified alerts. Max of 50. + description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. example: - alert-id-1 - alert-id-2 
@@ -64030,9 +116024,7 @@ components: minItems: 1 type: array case_ids: - description: >- - The IDs of cases where the action taken will be logged. Max of - 50. + description: The IDs of cases where the action taken will be logged. Max of 50. example: - case-id-1 - case-id-2 @@ -64045,8 +116037,7 @@ components: comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: @@ -64072,9 +116063,7 @@ components: - type: object properties: process_name: - description: >- - The name of the process to terminate. Valid for - SentinelOne agent type only. + description: The name of the process to terminate. Valid for SentinelOne agent type only. example: Elastic minLength: 1 type: string @@ -64085,9 +116074,7 @@ components: example: 'united.endpoint.host.os.name : ''Windows''' type: string Security_Endpoint_Management_API_MDERunScriptParameters: - description: >- - Parameters for Run Script response action against Microsoft Defender - Endpoint agent type. + description: Parameters for Run Script response action against Microsoft Defender Endpoint agent type. example: agent_type: microsoft_defender_endpoint endpoint_ids: @@ -64110,8 +116097,7 @@ components: type: object Security_Endpoint_Management_API_MemoryDump: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - type: object properties: outputs: 
@@ -64123,17 +116109,13 @@ components: code: type: string disk_free_space: - description: >- - The free space on the host machine in bytes after the - memory dump is written to disk + description: The free space on the host machine in bytes after the memory dump is written to disk type: number file_size: description: The size of the memory dump compressed file in bytes type: string path: - description: >- - The path to the memory dump compressed file on the - host machine + description: The path to the memory dump compressed file on the host machine type: string title: Memory dump output type: object @@ -64187,10 +116169,7 @@ components: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: - description: >- - If this action is associated with any alerts, they can be - specified here. The action will be logged in any cases - associated with the specified alerts. Max of 50. + description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. example: - alert-id-1 - alert-id-2 @@ -64201,9 +116180,7 @@ components: minItems: 1 type: array case_ids: - description: >- - The IDs of cases where the action taken will be logged. Max of - 50. + description: The IDs of cases where the action taken will be logged. Max of 50. example: - case-id-1 - case-id-2 @@ -64216,8 +116193,7 @@ components: comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: 
@@ -64270,9 +116246,7 @@ components: '@timestamp': '2023-07-04T15:47:57.432173535Z' agent: build: - original: >- - version: 7.16.0, compiled: Tue Nov 16 16:00:00 2021, branch: - 7.16, commit: 73a51033db85e0fb3be1c934697ef6a2b08979ab + original: 'version: 7.16.0, compiled: Tue Nov 16 16:00:00 2021, branch: 7.16, commit: 73a51033db85e0fb3be1c934697ef6a2b08979ab' id: 285297c6-3bff-4b83-9a07-f3e749801123 type: endpoint version: 7.16.0 @@ -64331,9 +116305,7 @@ components: variant: Ubuntu family: ubuntu full: Ubuntu 20.04.2 - kernel: >- - 5.8.0-59-generic #66~20.04.1-Ubuntu SMP Thu Jun 17 11:14:10 - UTC 2021 + kernel: '5.8.0-59-generic #66~20.04.1-Ubuntu SMP Thu Jun 17 11:14:10 UTC 2021' name: Linux platform: ubuntu type: linux @@ -64356,9 +116328,7 @@ components: '@timestamp': '2023-07-04T15:44:31.4917849Z' agent: build: - original: >- - version: 7.16.0, compiled: Tue Nov 16 17:00:00 2021, branch: - 7.16, commit: 73a51033db85e0fb3be1c934697ef6a2b08979ab + original: 'version: 7.16.0, compiled: Tue Nov 16 17:00:00 2021, branch: 7.16, commit: 73a51033db85e0fb3be1c934697ef6a2b08979ab' id: abb8a826-6812-448c-a571-6d8269b51449 type: endpoint version: 7.16.0 @@ -64458,9 +116428,7 @@ components: description: Parameters object type: object Security_Endpoint_Management_API_PatchUpdateScriptRouteRequestBody: - description: >- - The script entry properties to be updated. At least one property must be - provided. + description: The script entry properties to be updated. At least one property must be provided. minProperties: 1 type: object properties: 
@@ -64475,24 +116443,19 @@ components: format: binary type: object fileType: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointScriptFileType + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointScriptFileType' instructions: - description: >- - Instructions for using the script, including details around its - supported input arguments + description: Instructions for using the script, including details around its supported input arguments type: string name: description: Name of the script type: string pathToExecutable: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ArchivePathToExecutableSchema + $ref: '#/components/schemas/Security_Endpoint_Management_API_ArchivePathToExecutableSchema' platform: description: Platforms supported by the the script items: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointScriptPlatform + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointScriptPlatform' type: array requiresInput: description: Whether the script requires input arguments @@ -64500,8 +116463,7 @@ components: tags: description: Tags to categorize the script items: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointScriptTags + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointScriptTags' type: array Security_Endpoint_Management_API_PendingActionDataType: description: Number of pending actions of this type. 
@@ -64511,40 +116473,31 @@ components: - type: object properties: execute: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType + $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' description: Number of pending execute actions. get-file: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType + $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' description: Number of pending get-file actions. isolate: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType + $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' description: Number of pending isolate actions. kill-process: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType + $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' description: Number of pending kill-process actions. running-processes: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType + $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' description: Number of pending running-processes (get processes) actions. scan: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType + $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' description: Number of pending scan actions. suspend-process: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType + $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' description: Number of pending suspend-process actions. unisolate: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType + $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' description: Number of pending unisolate (release) actions. 
upload: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType + $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' description: Number of pending upload actions. - additionalProperties: true type: object @@ -64552,9 +116505,7 @@ components: type: object properties: note: - description: >- - A note associated with the protection updates for the given package - policy. + description: A note associated with the protection updates for the given package policy. type: string Security_Endpoint_Management_API_RawScriptParameters: type: object @@ -64599,8 +116550,7 @@ components: type: object properties: data: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' Security_Endpoint_Management_API_ResponseActionDetails: type: object properties: @@ -64616,9 +116566,7 @@ components: type: object properties: completedAt: - description: >- - The date and time the response action was completed for the - agent ID + description: The date and time the response action was completed for the agent ID type: string isCompleted: description: Whether the response action is completed for the agent ID @@ -64626,9 +116574,7 @@ components: wasSuccessful: description: Whether the response action was successful for the agent ID type: boolean - description: >- - The state of the response action for each agent ID that it was sent - to + description: The state of the response action for each agent ID that it was sent to type: object agentType: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' 
@@ -64649,9 +116595,7 @@ components: name: description: The host name type: string - description: >- - An object containing the host names associated with the agent IDs - the response action was sent to + description: An object containing the host names associated with the agent IDs the response action was sent to type: object id: description: The response action ID @@ -64669,9 +116613,7 @@ components: format: uuid properties: content: - description: >- - The response action output content for the agent ID. Exact - format depends on the response action command. + description: The response action output content for the agent ID. Exact format depends on the response action command. oneOf: - type: object - type: string @@ -64685,17 +116627,12 @@ components: - content title: Agent ID type: object - description: > - The outputs of the response action for each agent ID that it was - sent to. Content different depending on the - - response action command and will only be present for agents that - have responded to the response action + description: | + The outputs of the response action for each agent ID that it was sent to. Content different depending on the + response action command and will only be present for agents that have responded to the response action type: object parameters: - description: >- - The parameters of the response action. Content different depending - on the response action command + description: The parameters of the response action. Content different depending on the response action command type: object startedAt: description: The response action start time @@ -64711,8 +116648,7 @@ components: - command Security_Endpoint_Management_API_RunningProcesses: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - type: object properties: outputs: 
@@ -64721,10 +116657,8 @@ components: properties: content: oneOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_RunningProcessesOutputEndpoint - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_RunningProcessesOutputSentinelOne + - $ref: '#/components/schemas/Security_Endpoint_Management_API_RunningProcessesOutputEndpoint' + - $ref: '#/components/schemas/Security_Endpoint_Management_API_RunningProcessesOutputSentinelOne' type: object Security_Endpoint_Management_API_RunningProcessesOutputEndpoint: description: Processes output for `agentType` of `endpoint` @@ -64755,8 +116689,7 @@ components: type: string Security_Endpoint_Management_API_Runscript: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - type: object properties: outputs: @@ -64765,8 +116698,7 @@ components: properties: content: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_DownloadUri + - $ref: '#/components/schemas/Security_Endpoint_Management_API_DownloadUri' - type: object properties: code: @@ -64778,12 +116710,9 @@ components: type: object parameters: oneOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_RunscriptParamsCrowdStrike - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_RunscriptParamsMicrosoft - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_RunscriptParamsSentinelOne + - $ref: '#/components/schemas/Security_Endpoint_Management_API_RunscriptParamsCrowdStrike' + - $ref: '#/components/schemas/Security_Endpoint_Management_API_RunscriptParamsMicrosoft' + - $ref: '#/components/schemas/Security_Endpoint_Management_API_RunscriptParamsSentinelOne' Security_Endpoint_Management_API_RunscriptParamsCrowdStrike: type: object properties: 
@@ -64818,10 +116747,7 @@ components: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: - description: >- - If this action is associated with any alerts, they can be - specified here. The action will be logged in any cases - associated with the specified alerts. Max of 50. + description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. example: - alert-id-1 - alert-id-2 @@ -64832,9 +116758,7 @@ components: minItems: 1 type: array case_ids: - description: >- - The IDs of cases where the action taken will be logged. Max of - 50. + description: The IDs of cases where the action taken will be logged. Max of 50. example: - case-id-1 - case-id-2 @@ -64847,8 +116771,7 @@ components: comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: 
@@ -64856,28 +116779,20 @@ components: - type: object properties: parameters: - description: > - One of the following set of parameters must be provided for the - `agentType` that is specified. + description: | + One of the following set of parameters must be provided for the `agentType` that is specified. oneOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointRunScriptParameters - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_RawScriptParameters - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_HostPathScriptParameters - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_CloudFileScriptParameters - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_SentinelOneRunScriptParameters - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_MDERunScriptParameters + - $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointRunScriptParameters' + - $ref: '#/components/schemas/Security_Endpoint_Management_API_RawScriptParameters' + - $ref: '#/components/schemas/Security_Endpoint_Management_API_HostPathScriptParameters' + - $ref: '#/components/schemas/Security_Endpoint_Management_API_CloudFileScriptParameters' + - $ref: '#/components/schemas/Security_Endpoint_Management_API_SentinelOneRunScriptParameters' + - $ref: '#/components/schemas/Security_Endpoint_Management_API_MDERunScriptParameters' required: - parameters Security_Endpoint_Management_API_Scan: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - type: object properties: outputs: 
@@ -64902,10 +116817,7 @@ components: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: - description: >- - If this action is associated with any alerts, they can be - specified here. The action will be logged in any cases - associated with the specified alerts. Max of 50. + description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. example: - alert-id-1 - alert-id-2 @@ -64916,9 +116828,7 @@ components: minItems: 1 type: array case_ids: - description: >- - The IDs of cases where the action taken will be logged. Max of - 50. + description: The IDs of cases where the action taken will be logged. Max of 50. example: - case-id-1 - case-id-2 @@ -64931,8 +116841,7 @@ components: comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: @@ -64954,8 +116863,7 @@ components: example: data: description: Collects host data for investigation - downloadUri: >- - /api/endpoint/scripts_library/123e4567-e89b-12d3-a456-426655440000/download + downloadUri: /api/endpoint/scripts_library/123e4567-e89b-12d3-a456-426655440000/download example: ./collect_host_data.sh --help fileHash: abf573681eb54aac5e05e35bf186d4d31abe45ecf242461490523f11d2a8fbb8 fileName: collect_host_data.sh 
@@ -64972,9 +116880,7 @@ components: data: $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointScript' Security_Endpoint_Management_API_SentinelOneRunScriptParameters: - description: >- - Parameters for Run Script response action against SentinelOne agent - type. + description: Parameters for Run Script response action against SentinelOne agent type. example: agent_type: sentinel_one endpoint_ids: @@ -64984,9 +116890,7 @@ components: scriptInput: '--delete --paths-to-delete /tmp/temp_file.txt,/tmp/random_file.txt' properties: scriptId: - description: >- - The script ID from SentinelOne scripts library that will be - executed. + description: The script ID from SentinelOne scripts library that will be executed. minLength: 1 type: string scriptInput: @@ -65027,8 +116931,7 @@ components: type: object Security_Endpoint_Management_API_SuspendProcess: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - type: object properties: outputs: @@ -65075,10 +116978,7 @@ components: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: - description: >- - If this action is associated with any alerts, they can be - specified here. The action will be logged in any cases - associated with the specified alerts. Max of 50. + description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. example: - alert-id-1 - alert-id-2 @@ -65089,9 +116989,7 @@ components: minItems: 1 type: array case_ids: - description: >- - The IDs of cases where the action taken will be logged. Max of - 50. + description: The IDs of cases where the action taken will be logged. Max of 50. example: - case-id-1 - case-id-2 
@@ -65104,8 +117002,7 @@ components: comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: @@ -65148,8 +117045,7 @@ components: type: array Security_Endpoint_Management_API_Unisolate: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - description: Details of an unisolate action response. type: object Security_Endpoint_Management_API_UnisolateRouteResponse: @@ -65159,12 +117055,10 @@ components: description: The action ID (legacy field, same as `data.id`). type: string data: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' Security_Endpoint_Management_API_Upload: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - type: object properties: outputs: @@ -65182,10 +117076,8 @@ components: type: string type: object parameters: - description: > - The parameters for upload returned on the details are derived - via the API from the file that - + description: | + The parameters for upload returned on the details are derived via the API from the file that was uploaded at the time that the response action was submitted type: object properties: 
@@ -65204,10 +117096,7 @@ components: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: - description: >- - If this action is associated with any alerts, they can be - specified here. The action will be logged in any cases - associated with the specified alerts. Max of 50. + description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. example: - alert-id-1 - alert-id-2 @@ -65218,9 +117107,7 @@ components: minItems: 1 type: array case_ids: - description: >- - The IDs of cases where the action taken will be logged. Max of - 50. + description: The IDs of cases where the action taken will be logged. Max of 50. example: - case-id-1 - case-id-2 @@ -65233,8 +117120,7 @@ components: comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: @@ -65272,9 +117158,7 @@ components: - minLength: 1 type: string Security_Endpoint_Management_API_WithOutputs: - description: >- - A list of action IDs that should include the complete output of the - action. Max of 50. + description: A list of action IDs that should include the complete output of the action. Max of 50. example: - action-id-1 - action-id-2 @@ -65296,8 +117180,7 @@ components: description: Business unit the asset belongs to. type: string criticality: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' description: The criticality level assigned to this asset. nullable: true environment: 
@@ -65353,10 +117236,7 @@ components: - extreme_impact type: string Security_Entity_Analytics_API_AssetCriticalityLevelsForBulkUpload: - description: >- - The criticality level of the asset for bulk upload. The value - `unassigned` is used to indicate that the criticality level is not - assigned and is only used for bulk upload. + description: The criticality level of the asset for bulk upload. The value `unassigned` is used to indicate that the criticality level is not assigned and is only used for bulk upload. enum: - low_impact - medium_impact @@ -65366,10 +117246,8 @@ components: type: string Security_Entity_Analytics_API_AssetCriticalityRecord: allOf: - - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_CreateAssetCriticalityRecord - - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordEcsParts + - $ref: '#/components/schemas/Security_Entity_Analytics_API_CreateAssetCriticalityRecord' + - $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordEcsParts' - type: object properties: '@timestamp': @@ -65397,8 +117275,7 @@ components: type: object properties: criticality: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' required: - asset entity: @@ -65408,8 +117285,7 @@ components: type: object properties: criticality: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' required: - criticality id: @@ -65423,8 +117299,7 @@ components: type: object properties: criticality: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' required: - criticality name: 
@@ -65438,8 +117313,7 @@ components: type: object properties: criticality: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' required: - criticality name: @@ -65453,8 +117327,7 @@ components: type: object properties: criticality: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' required: - criticality name: @@ -65520,13 +117393,11 @@ components: - errors Security_Entity_Analytics_API_CreateAssetCriticalityRecord: allOf: - - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordIdParts + - $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordIdParts' - type: object properties: criticality_level: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' required: - criticality_level Security_Entity_Analytics_API_DateRange: @@ -65537,17 +117408,13 @@ components: description: End of the lookback period (date math or ISO string, e.g. "now") type: string start: - description: >- - Start of the lookback period (date math or ISO string, e.g. - "now-10d") + description: Start of the lookback period (date math or ISO string, e.g. "now-10d") type: string required: - start - end Security_Entity_Analytics_API_EngineComponentResource: - description: >- - The type of Elasticsearch or Kibana resource backing an engine - component. + description: The type of Elasticsearch or Kibana resource backing an engine component. enum: - entity_engine - entity_definition 
@@ -65562,9 +117429,7 @@ components: - ilm_policy type: string Security_Entity_Analytics_API_EngineComponentStatus: - description: >- - Status of an individual Elasticsearch or Kibana resource backing an - engine. + description: Status of an individual Elasticsearch or Kibana resource backing an engine. type: object properties: errors: @@ -65595,10 +117460,9 @@ components: description: Whether the component is currently installed. type: boolean metadata: - $ref: '#/components/schemas/Security_Entity_Analytics_API_Metadata' + $ref: '#/components/schemas/Security_Entity_Analytics_API_TransformStatsMetadata' resource: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EngineComponentResource + $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineComponentResource' required: - id - installed @@ -65622,23 +117486,17 @@ components: required: - type Security_Entity_Analytics_API_EngineDescriptor: - description: >- - Describes a single entity engine, including its configuration and - current status. + description: Describes a single entity engine, including its configuration and current status. type: object properties: delay: default: 1m - description: >- - The delay before the transform processes new data, allowing - late-arriving documents to be included. + description: The delay before the transform processes new data, allowing late-arriving documents to be included. example: 1m pattern: '[smdh]$' type: string docsPerSecond: - description: >- - Throttle value for the number of documents processed per second. Use - -1 for no throttle. + description: Throttle value for the number of documents processed per second. Use -1 for no throttle. type: integer error: description: Present when the engine status is `error`. Describes the failure. 
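Review bot: The `metadata` property of Security_Entity_Analytics_API_EngineComponentStatus changes from `$ref: '#/components/schemas/Security_Entity_Analytics_API_Metadata'` to `$ref: '#/components/schemas/Security_Entity_Analytics_API_TransformStatsMetadata'`, which is the only change in this section that is not a scalar re-quoting or folding adjustment. The `Security_Entity_Analytics_API_Metadata` schema is still defined later in the same file as a `$ref` to `Security_Entity_Analytics_API_TransformStatsMetadata`, so both resolve to the same shape and clients should be unaffected, but the alias may now be left unreferenced. Since the commit subject concerns Fleet schema ids and this file appears to be bundled output, this looks like a side effect of regenerating the bundle rather than an intended edit; it would be worth confirming it is expected, or regenerating from a clean checkout so the diff carries only the intended changes.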
@@ -65660,9 +117518,7 @@ components: example: 10 type: integer filter: - description: >- - An optional Kibana Query Language (KQL) filter applied to source - documents before aggregation. + description: An optional Kibana Query Language (KQL) filter applied to source documents before aggregation. example: 'host.name: "my-host"' type: string frequency: @@ -65729,10 +117585,7 @@ components: required: - entities Security_Entity_Analytics_API_Entity: - description: >- - An entity record from the Entity Store. The `entity` namespace is a - root-level field in the latest index, unlike source logs where it is - nested under `host`, `user`, or `service`. + description: An entity record from the Entity Store. The `entity` namespace is a root-level field in the latest index, unlike source logs where it is nested under `host`, `user`, or `service`. oneOf: - $ref: '#/components/schemas/Security_Entity_Analytics_API_UserEntity' - $ref: '#/components/schemas/Security_Entity_Analytics_API_HostEntity' @@ -65787,9 +117640,7 @@ components: - record Security_Entity_Analytics_API_EntityField: additionalProperties: false - description: >- - Core entity fields shared across all entity types. The `entity` - namespace is a root-level field in the Entity Store latest index. + description: Core entity fields shared across all entity types. The `entity` namespace is a root-level field in the Entity Store latest index. type: object properties: attributes: @@ -65801,9 +117652,7 @@ components: description: Whether the entity is classified as an asset. type: boolean managed: - description: >- - Whether the entity is managed (for example, via a directory - service). + description: Whether the entity is managed (for example, via a directory service). type: boolean mfa_enabled: description: Whether multi-factor authentication is enabled for the entity. 
@@ -65913,8 +117762,7 @@ components: type: object properties: calculated_level: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EntityRiskLevels + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityRiskLevels' description: Lexical description of the entity's risk. example: Critical calculated_score: @@ -65922,9 +117770,7 @@ components: format: double type: number calculated_score_norm: - description: >- - The normalized numeric value of the given entity's risk score. - Useful for comparing with other entities. + description: The normalized numeric value of the given entity's risk score. Useful for comparing with other entities. format: double maximum: 100 minimum: 0 @@ -65966,9 +117812,7 @@ components: format: double type: number calculated_score_norm: - description: >- - The normalized numeric value of the given entity's risk score. - Useful for comparing with other entities. + description: The normalized numeric value of the given entity's risk score. Useful for comparing with other entities. format: double maximum: 100 minimum: 0 @@ -65977,14 +117821,10 @@ components: description: Unique identifier for the scoring run that produced this document. type: string category_1_count: - description: >- - The number of risk input documents that contributed to the Category - 1 score (`category_1_score`). + description: The number of risk input documents that contributed to the Category 1 score (`category_1_score`). type: integer category_1_score: - description: >- - The contribution of Category 1 to the overall risk score - (`calculated_score`). Category 1 contains Detection Engine Alerts. + description: The contribution of Category 1 to the overall risk score (`calculated_score`). Category 1 contains Detection Engine Alerts. format: double type: number category_2_count: 
@@ -65993,27 +117833,20 @@ components: format: double type: number criticality_level: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' criticality_modifier: format: double type: number id_field: - description: >- - The identifier field defining this risk score. Coupled with - `id_value`, uniquely identifies the entity being scored. + description: The identifier field defining this risk score. Coupled with `id_value`, uniquely identifies the entity being scored. example: host.name type: string id_value: - description: >- - The identifier value defining this risk score. Coupled with - `id_field`, uniquely identifies the entity being scored. + description: The identifier value defining this risk score. Coupled with `id_field`, uniquely identifies the entity being scored. example: example.host type: string inputs: - description: >- - A list of the highest-risk documents contributing to this risk - score. Useful for investigative purposes. + description: A list of the highest-risk documents contributing to this risk score. Useful for investigative purposes. items: $ref: '#/components/schemas/Security_Entity_Analytics_API_RiskScoreInput' type: array @@ -66093,9 +117926,7 @@ components: - type: object Security_Entity_Analytics_API_GenericEntity: additionalProperties: false - description: >- - A generic entity record. Maps only the `entity` and `asset` namespaces. - Add additional field mappings here as needed. + description: A generic entity record. Maps only the `entity` and `asset` namespaces. Add additional field mappings here as needed. type: object properties: '@timestamp': 
@@ -66111,9 +117942,7 @@ components: - entity Security_Entity_Analytics_API_HostEntity: additionalProperties: false - description: >- - An entity record representing a host, stored in the Entity Store latest - index. + description: An entity record representing a host, stored in the Entity Store latest index. type: object properties: '@timestamp': @@ -66175,9 +118004,7 @@ components: type: string os: additionalProperties: false - description: >- - Elastic Common Schema (ECS) host.os fields collected on the - entity latest index. + description: Elastic Common Schema (ECS) host.os fields collected on the entity latest index. type: object properties: family: @@ -66203,8 +118030,7 @@ components: version: type: string risk: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord' type: description: Observed host types. items: @@ -66222,10 +118048,7 @@ components: - entity.id type: string Security_Entity_Analytics_API_IndexPattern: - description: >- - An additional Elasticsearch index pattern to include as a source for - entity data. Merged with the default data view indices when the engine - runs. + description: An additional Elasticsearch index pattern to include as a source for entity data. Merged with the default data view indices when the engine runs. example: logs-* type: string Security_Entity_Analytics_API_InspectQuery: 
@@ -66264,10 +118087,7 @@ components: description: Index to read latest sync markers from type: string Security_Entity_Analytics_API_Interval: - description: >- - Interval in which enrich policy runs. For example, `"1h"` means the rule - runs every hour. Must be less than or equal to half the duration of the - lookback period, + description: Interval in which enrich policy runs. For example, `"1h"` means the rule runs every hour. Must be less than or equal to half the duration of the lookback period, example: 1h pattern: ^[1-9]\d*[smh]$ type: string @@ -66279,11 +118099,8 @@ components: type: string type: array values: - description: > - Matcher values. Must be either an array of strings (e.g. group or - role names) or an array of booleans (e.g. integration-derived flags - like privileged_group_member). Mixed types are intentionally not - supported for simplicity and predictability. + description: | + Matcher values. Must be either an array of strings (e.g. group or role names) or an array of booleans (e.g. integration-derived flags like privileged_group_member). Mixed types are intentionally not supported for simplicity and predictability. oneOf: - items: type: string @@ -66295,12 +118112,10 @@ components: - fields - values Security_Entity_Analytics_API_Metadata: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_TransformStatsMetadata + $ref: '#/components/schemas/Security_Entity_Analytics_API_TransformStatsMetadata' Security_Entity_Analytics_API_MonitoredUserDoc: allOf: - - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_MonitoredUserUpdateDoc + - $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoredUserUpdateDoc' - type: object properties: '@timestamp': @@ -66340,8 +118155,7 @@ components: properties: labels: items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_MonitoringLabel + $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoringLabel' type: array id: type: string 
@@ -66378,19 +118192,15 @@ components: type: object properties: message: - description: >- - Error message typically only present if the engine is in error - state + description: Error message typically only present if the engine is in error state type: string status: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_PrivilegeMonitoringEngineStatus + $ref: '#/components/schemas/Security_Entity_Analytics_API_PrivilegeMonitoringEngineStatus' required: - status Security_Entity_Analytics_API_MonitoringEntitySource: allOf: - - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_MonitoringEntitySourceProperties + - $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoringEntitySourceProperties' - type: object properties: id: @@ -66402,8 +118212,7 @@ components: - managed Security_Entity_Analytics_API_MonitoringEntitySourceProperties: allOf: - - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_UpdateableMonitoringEntitySourceProperties + - $ref: '#/components/schemas/Security_Entity_Analytics_API_UpdateableMonitoringEntitySourceProperties' - type: object properties: managed: @@ -66518,9 +118327,7 @@ components: - category Security_Entity_Analytics_API_ServiceEntity: additionalProperties: false - description: >- - An entity record representing a service, stored in the Entity Store - latest index. + description: An entity record representing a service, stored in the Entity Store latest index. type: object properties: '@timestamp': @@ -66551,8 +118358,7 @@ components: description: Primary service name. type: string risk: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord' required: - name required: 
@@ -66680,9 +118486,7 @@ components: $ref: '#/components/schemas/Security_Entity_Analytics_API_EntitySourceType' Security_Entity_Analytics_API_UserEntity: additionalProperties: false - description: >- - An entity record representing a user, stored in the Entity Store latest - index. + description: An entity record representing a user, stored in the Entity Store latest index. type: object properties: '@timestamp': @@ -66736,8 +118540,7 @@ components: description: Primary user name. type: string risk: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord' additionalProperties: false roles: description: Observed roles assigned to the user. @@ -66764,9 +118567,7 @@ components: description: The field name for the label type: string source: - description: >- - The source where this label was created (api, csv, or - index_sync) + description: The source where this label was created (api, csv, or index_sync) enum: - api - csv @@ -66943,8 +118744,7 @@ components: * Hash entries: up to 3 (one for each hash type: md5, sha1, sha256) * Path entry: only 1 allowed items: - $ref: >- - #/components/schemas/Security_Exceptions_API_BlocklistHashOrPathEntry + $ref: '#/components/schemas/Security_Exceptions_API_BlocklistHashOrPathEntry' minItems: 1 type: array list_id: @@ -66975,8 +118775,7 @@ components: * Hash entries: up to 3 (one for each hash type: md5, sha1, sha256) * Path entry: only 1 allowed items: - $ref: >- - #/components/schemas/Security_Exceptions_API_BlocklistHashOrPathEntry + $ref: '#/components/schemas/Security_Exceptions_API_BlocklistHashOrPathEntry' minItems: 1 type: array list_id: 
@@ -67063,10 +118862,8 @@ components: * Code signature entry: only 1 allowed items: oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_BlocklistHashOrPathEntry - - $ref: >- - #/components/schemas/Security_Exceptions_API_BlocklistWindowsCodeSignatureEntry + - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistHashOrPathEntry' + - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistWindowsCodeSignatureEntry' minItems: 1 type: array list_id: @@ -67091,18 +118888,14 @@ components: type: object properties: comments: - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemCommentArray + $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemCommentArray' default: [] description: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemDescription + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemDescription' expire_time: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemExpireTime + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemExpireTime' item_id: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId' meta: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta' name: 
@@ -67118,21 +118911,16 @@ components: - description Security_Exceptions_API_CreateExceptionListItemBlocklistLinux: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_BlocklistLinuxProperties + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistLinuxProperties' Security_Exceptions_API_CreateExceptionListItemBlocklistMac: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistMacProperties' Security_Exceptions_API_CreateExceptionListItemBlocklistWindows: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_BlocklistWindowsProperties + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistWindowsProperties' Security_Exceptions_API_CreateExceptionListItemComment: type: object properties: 
@@ -67142,23 +118930,19 @@ components: - comment Security_Exceptions_API_CreateExceptionListItemCommentArray: items: - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemComment + $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemComment' type: array Security_Exceptions_API_CreateExceptionListItemEndpointList: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' - $ref: '#/components/schemas/Security_Exceptions_API_EndpointListProperties' Security_Exceptions_API_CreateExceptionListItemEventFilters: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' - $ref: '#/components/schemas/Security_Exceptions_API_EventFiltersProperties' Security_Exceptions_API_CreateExceptionListItemGeneric: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' - example: description: This is a sample detection type exception item. entries: 
@@ -67183,63 +118967,46 @@ components: type: object properties: entries: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray' list_id: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListHumanId + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' os_types: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray' default: [] tags: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemTags + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemTags' default: [] required: - list_id - entries Security_Exceptions_API_CreateExceptionListItemHostIsolation: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' - $ref: '#/components/schemas/Security_Exceptions_API_HostIsolationProperties' Security_Exceptions_API_CreateExceptionListItemTrustedAppsLinux: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppsLinuxProperties + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppsLinuxProperties' Security_Exceptions_API_CreateExceptionListItemTrustedAppsMac: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppsMacProperties + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppsMacProperties' 
Security_Exceptions_API_CreateExceptionListItemTrustedAppsWindows: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppsWindowsProperties + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppsWindowsProperties' Security_Exceptions_API_CreateExceptionListItemTrustedDevicesMac: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedDevicesMacProperties + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedDevicesMacProperties' Security_Exceptions_API_CreateExceptionListItemTrustedDevicesWindows: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedDevicesWindowsProperties + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedDevicesWindowsProperties' Security_Exceptions_API_CreateExceptionListItemTrustedDevicesWindowsMac: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedDevicesWindowsMacProperties + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedDevicesWindowsMacProperties' Security_Exceptions_API_CreateRuleExceptionListItemComment: type: object properties: 
@@ -67249,28 +119016,23 @@ components: - comment Security_Exceptions_API_CreateRuleExceptionListItemCommentArray: items: - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemComment + $ref: '#/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemComment' type: array Security_Exceptions_API_CreateRuleExceptionListItemProps: type: object properties: comments: - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemCommentArray + $ref: '#/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemCommentArray' default: [] description: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemDescription + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemDescription' entries: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray' expire_time: format: date-time type: string item_id: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId' meta: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta' name: @@ -67279,8 +119041,7 @@ components: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' default: single os_types: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray' default: [] tags: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemTags' 
@@ -67294,15 +119055,10 @@ components: - entries Security_Exceptions_API_EndpointArtifactTags: default: [] - description: > + description: | Tags for categorization. Special tags for scope control: - - * `"policy:all"` - Global artifact (applies to all Elastic Defend - policies) - - * `"policy:"` - Private artifact (applies to specific Elastic - Defend policy only, where `` is the Elastic Defend - integration policy ID) + * `"policy:all"` - Global artifact (applies to all Elastic Defend policies) + * `"policy:"` - Private artifact (applies to specific Elastic Defend policy only, where `` is the Elastic Defend integration policy ID) items: type: string type: array @@ -67311,24 +119067,18 @@ components: type: object properties: entries: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray - description: > - Exception entries for endpoint security exceptions (used to prevent - detection rule alerts). - + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray' + description: | + Exception entries for endpoint security exceptions (used to prevent detection rule alerts). - **Fully flexible:** Supports any field name for maximum - compatibility with detection rules. No field restrictions are - enforced. + **Fully flexible:** Supports any field name for maximum compatibility with detection rules. No field restrictions are enforced. list_id: enum: - endpoint_list example: endpoint_list type: string os_types: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray' default: [] tags: $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' 
@@ -67339,16 +119089,11 @@ components: type: object properties: entries: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray - description: > + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray' + description: | Exception entries for the event filter. - - **Flexible field support:** Any event field name is allowed (e.g., - `process.name`, `file.path`, `event.action`, `dns.question.name`, - etc.) - + **Flexible field support:** Any event field name is allowed (e.g., `process.name`, `file.path`, `event.action`, `dns.question.name`, etc.) **Minimum requirement:** At least 1 entry required list_id: @@ -67357,8 +119102,7 @@ components: example: endpoint_event_filters type: string os_types: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray' default: [] tags: $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' @@ -67368,10 +119112,7 @@ components: type: object properties: _version: - description: >- - The version id, normally returned by the API when the item was - retrieved. Use it ensure updates are done against the latest - version. + description: The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version. type: string created_at: description: Autogenerated date of object creation. @@ -67381,8 +119122,7 @@ components: description: Autogenerated value - user that created object. type: string description: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListDescription + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListDescription' id: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' immutable: 
@@ -67396,14 +119136,11 @@ components: namespace_type: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' os_types: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray' tags: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListTags' tie_breaker_id: - description: >- - Field used in search to ensure all containers are sorted and - returned correctly. + description: Field used in search to ensure all containers are sorted and returned correctly. type: string type: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListType' 
@@ -67435,30 +119172,17 @@ components: example: This list tracks allowlisted values. type: string Security_Exceptions_API_ExceptionListHumanId: - description: > + description: | The exception list's human-readable string identifier. - For endpoint artifacts, use one of the following values: - - * `endpoint_list`: [Elastic Endpoint exception - list](https://www.elastic.co/docs/solutions/security/detect-and-alert/add-manage-exceptions) - - * `endpoint_trusted_apps`: [Trusted applications - list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/trusted-applications) - - * `endpoint_trusted_devices`: [Trusted devices - list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/trusted-devices) - - * `endpoint_event_filters`: [Event filters - list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/event-filters) - - * `endpoint_host_isolation_exceptions`: [Host isolation exceptions - list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/host-isolation-exceptions) - - * `endpoint_blocklists`: [Blocklists - list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/blocklist) + * `endpoint_list`: [Elastic Endpoint exception list](https://www.elastic.co/docs/solutions/security/detect-and-alert/add-manage-exceptions) + * `endpoint_trusted_apps`: [Trusted applications list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/trusted-applications) + * `endpoint_trusted_devices`: [Trusted devices list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/trusted-devices) + * `endpoint_event_filters`: [Event filters list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/event-filters) + * `endpoint_host_isolation_exceptions`: [Host isolation exceptions list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/host-isolation-exceptions) + * `endpoint_blocklists`: [Blocklists 
list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/blocklist) example: simple_list format: nonempty minLength: 1 @@ -67473,14 +119197,10 @@ components: type: object properties: _version: - description: >- - The version id, normally returned by the API when the item was - retrieved. Use it ensure updates are done against the latest - version. + description: The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version. type: string comments: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemCommentArray + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemCommentArray' created_at: description: Autogenerated date of object creation. format: date-time @@ -67489,19 +119209,15 @@ components: description: Autogenerated value - user that created object. type: string description: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemDescription + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemDescription' entries: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray' expire_time: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemExpireTime + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemExpireTime' id: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' item_id: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId' list_id: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' meta: 
@@ -67511,14 +119227,11 @@ components: namespace_type: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' os_types: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray' tags: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemTags' tie_breaker_id: - description: >- - Field used in search to ensure all containers are sorted and - returned correctly. + description: Field used in search to ensure all containers are sorted and returned correctly. type: string type: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemType' @@ -67581,18 +119294,12 @@ components: type: string Security_Exceptions_API_ExceptionListItemEntry: anyOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatch - - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchAny - - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryList - - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryExists - - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryNested - - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchWildcard + - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatch' + - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchAny' + - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryList' + - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryExists' + - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryNested' + - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchWildcard' discriminator: propertyName: type Security_Exceptions_API_ExceptionListItemEntryArray: 
@@ -67605,8 +119312,7 @@ components: field: $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' operator: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator' type: enum: - exists @@ -67631,8 +119337,7 @@ components: - id - type operator: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator' type: enum: - list @@ -67648,8 +119353,7 @@ components: field: $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' operator: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator' type: enum: - match @@ -67667,8 +119371,7 @@ components: field: $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' operator: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator' type: enum: - match_any @@ -67689,8 +119392,7 @@ components: field: $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' operator: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator' type: enum: - wildcard @@ -67707,8 +119409,7 @@ components: properties: entries: items: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryNestedEntryItem + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryNestedEntryItem' minItems: 1 type: array field: 
@@ -67723,21 +119424,16 @@ components: - entries Security_Exceptions_API_ExceptionListItemEntryNestedEntryItem: oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatch - - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchAny - - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryExists + - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatch' + - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchAny' + - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryExists' Security_Exceptions_API_ExceptionListItemEntryOperator: enum: - excluded - included type: string Security_Exceptions_API_ExceptionListItemExpireTime: - description: >- - The exception item’s expiration date, in ISO format. This field is only - available for regular exception items, not endpoint exceptions. + description: The exception item’s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions. format: date-time type: string Security_Exceptions_API_ExceptionListItemHumanId: @@ -67766,9 +119462,7 @@ components: type: array Security_Exceptions_API_ExceptionListItemTags: items: - description: >- - String array containing words and phrases to help categorize exception - items. + description: String array containing words and phrases to help categorize exception items. format: nonempty minLength: 1 type: string 
@@ -67813,28 +119507,22 @@ components: id: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' item_id: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId' list_id: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' required: - error Security_Exceptions_API_ExceptionListsImportBulkErrorArray: items: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListsImportBulkError + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListsImportBulkError' type: array Security_Exceptions_API_ExceptionListTags: - description: >- - String array containing words and phrases to help categorize exception - containers. + description: String array containing words and phrases to help categorize exception containers. items: type: string type: array Security_Exceptions_API_ExceptionListType: - description: >- - The type of exception list to be created. Different list types may - denote where they can be utilized. + description: The type of exception list to be created. Different list types may denote where they can be utilized. enum: - detection - rule_default 
@@ -67850,21 +119538,14 @@ components: minimum: 1 type: integer Security_Exceptions_API_ExceptionNamespaceType: - description: > - Determines whether the exception container is available in all Kibana - spaces or just the space - + description: | + Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where: - - `single`: Only available in the Kibana space in which it is created. - - `agnostic`: Available in all Kibana spaces. - - For endpoint artifacts, the `namespace_type` must always be `agnostic`. - Space awareness for endpoint artifacts is enforced based on Elastic - Defend policy assignments. + For endpoint artifacts, the `namespace_type` must always be `agnostic`. Space awareness for endpoint artifacts is enforced based on Elastic Defend policy assignments. enum: - agnostic - single @@ -67899,9 +119580,7 @@ components: - match type: string value: - description: >- - Valid IPv4 address or CIDR notation (e.g., "192.168.1.1" or - "10.0.0.0/8") + description: Valid IPv4 address or CIDR notation (e.g., "192.168.1.1" or "10.0.0.0/8") type: string required: - field @@ -67938,17 +119617,12 @@ components: minLength: 1 type: string Security_Exceptions_API_ListType: - description: > - Specifies the Elasticsearch data type of excludes the list container - holds. Some common examples: - + description: | + Specifies the Elasticsearch data type of excludes the list container holds. Some common examples: - `keyword`: Many ECS fields are Elasticsearch keywords - - `ip`: IP addresses - - - `ip_range`: Range of IP addresses (supports IPv4, IPv6, and CIDR - notation) + - `ip_range`: Range of IP addresses (supports IPv4, IPv6, and CIDR notation) enum: - binary - boolean 
@@ -68035,9 +119709,7 @@ components: type: object properties: entries: - description: >- - Must include exactly 2 entries - one for subject_name and one for - trusted + description: Must include exactly 2 entries - one for subject_name and one for trusted items: oneOf: - type: object @@ -68133,15 +119805,11 @@ components: type: object properties: entries: - description: >- - Process hash or executable path entries (code signature not - supported on Linux) + description: Process hash or executable path entries (code signature not supported on Linux) items: oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppHashEntry - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppPathEntry + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppHashEntry' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppPathEntry' minItems: 1 type: array list_id: @@ -68170,12 +119838,9 @@ components: description: Process hash, executable path, or code signature entries items: oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppHashEntry - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppPathEntry - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppMacCodeSignatureEntry + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppHashEntry' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppPathEntry' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppMacCodeSignatureEntry' minItems: 1 type: array list_id: 
@@ -68204,12 +119869,9 @@ components: description: Process hash, executable path, or code signature entries items: oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppHashEntry - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppPathEntry - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppWindowsCodeSignatureEntry + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppHashEntry' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppPathEntry' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppWindowsCodeSignatureEntry' minItems: 1 type: array list_id: @@ -68234,9 +119896,7 @@ components: type: object properties: entries: - description: >- - Must include exactly 2 entries - one for subject_name and one for - trusted + description: Must include exactly 2 entries - one for subject_name and one for trusted items: oneOf: - type: object @@ -68302,15 +119962,11 @@ components: - type - entries Security_Exceptions_API_TrustedDevicesMacProperties: - description: >- - Trusted devices list item properties (macOS-only, username not - supported). + description: Trusted devices list item properties (macOS-only, username not supported). type: object properties: entries: - description: >- - Exception entries for the trusted device (duplicate field entries - are not allowed) + description: Exception entries for the trusted device (duplicate field entries are not allowed) items: type: object properties: 
@@ -68372,22 +120028,16 @@ components: required: - list_id Security_Exceptions_API_TrustedDevicesWindowsMacProperties: - description: >- - Trusted devices list item properties (Windows + macOS, username not - supported). + description: Trusted devices list item properties (Windows + macOS, username not supported). type: object properties: entries: - description: >- - Exception entries for the trusted device (duplicate field entries - are not allowed, username not available when targeting both OS) + description: Exception entries for the trusted device (duplicate field entries are not allowed, username not available when targeting both OS) items: type: object properties: field: - description: >- - Device field to match against (username not available for - multi-OS) + description: Device field to match against (username not available for multi-OS) enum: - device.serial_number - device.type @@ -68445,15 +120095,11 @@ components: required: - list_id Security_Exceptions_API_TrustedDevicesWindowsProperties: - description: >- - Trusted devices list item properties (Windows-only, allows username - field). + description: Trusted devices list item properties (Windows-only, allows username field). type: object properties: entries: - description: >- - Exception entries for the trusted device (duplicate field entries - are not allowed) + description: Exception entries for the trusted device (duplicate field entries are not allowed) items: type: object properties: 
@@ -68519,27 +120165,20 @@ components: type: object properties: _version: - description: >- - The version ID, normally returned by the API when the item is - retrieved. Use it to ensure updates are made against the latest - version. + description: The version ID, normally returned by the API when the item is retrieved. Use it to ensure updates are made against the latest version. type: string comments: - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemCommentArray + $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemCommentArray' default: [] description: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemDescription + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemDescription' expire_time: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemExpireTime + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemExpireTime' id: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' description: Either `id` or `item_id` must be specified item_id: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId' description: Either `id` or `item_id` must be specified meta: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta' 
@@ -68556,21 +120195,16 @@ components: - description Security_Exceptions_API_UpdateExceptionListItemBlocklistLinux: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_BlocklistLinuxProperties + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistLinuxProperties' Security_Exceptions_API_UpdateExceptionListItemBlocklistMac: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistMacProperties' Security_Exceptions_API_UpdateExceptionListItemBlocklistWindows: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_BlocklistWindowsProperties + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistWindowsProperties' Security_Exceptions_API_UpdateExceptionListItemComment: type: object properties: 
@@ -68582,23 +120216,19 @@ components: - comment Security_Exceptions_API_UpdateExceptionListItemCommentArray: items: - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemComment + $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemComment' type: array Security_Exceptions_API_UpdateExceptionListItemEndpointList: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' - $ref: '#/components/schemas/Security_Exceptions_API_EndpointListProperties' Security_Exceptions_API_UpdateExceptionListItemEventFilters: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' - $ref: '#/components/schemas/Security_Exceptions_API_EventFiltersProperties' Security_Exceptions_API_UpdateExceptionListItemGeneric: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' - example: comments: [] description: Updated description 
@@ -68615,71 +120245,50 @@ components: type: object properties: entries: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray' list_id: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListHumanId + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' os_types: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray' default: [] tags: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemTags + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemTags' required: - entries Security_Exceptions_API_UpdateExceptionListItemHostIsolation: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' - $ref: '#/components/schemas/Security_Exceptions_API_HostIsolationProperties' Security_Exceptions_API_UpdateExceptionListItemTrustedAppsLinux: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppsLinuxProperties + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppsLinuxProperties' Security_Exceptions_API_UpdateExceptionListItemTrustedAppsMac: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppsMacProperties + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppsMacProperties' Security_Exceptions_API_UpdateExceptionListItemTrustedAppsWindows: 
allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppsWindowsProperties + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppsWindowsProperties' Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesMac: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedDevicesMacProperties + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedDevicesMacProperties' Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesWindows: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedDevicesWindowsProperties + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedDevicesWindowsProperties' Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesWindowsMac: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedDevicesWindowsMacProperties + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedDevicesWindowsMacProperties' Security_Exceptions_API_UUID: description: A universally unique identifier format: uuid type: string Security_Lists_API_FindListItemsCursor: - description: >- - Returns the items that come after the last item returned in the previous - call (use the `cursor` value returned in the previous call). 
This - parameter uses the `tie_breaker_id` field to ensure all items are sorted - and returned correctly. + description: Returns the items that come after the last item returned in the previous call (use the `cursor` value returned in the previous call). This parameter uses the `tie_breaker_id` field to ensure all items are sorted and returned correctly. example: WzIwLFsiYjU3Yzc2MmMtMzAzNi00NjVjLTliZmItN2JmYjVlNmU1MTVhIl1d format: nonempty minLength: 1 @@ -68701,12 +120310,12 @@ components: _version: $ref: '#/components/schemas/Security_Lists_API_ListVersionId' '@timestamp': - example: 2025-01-08T04:47:34.273Z + example: '2025-01-08T04:47:34.273Z' format: date-time type: string created_at: description: Autogenerated date of object creation. - example: 2025-01-08T04:47:34.273Z + example: '2025-01-08T04:47:34.273Z' format: date-time type: string created_by: @@ -68724,16 +120333,14 @@ components: name: $ref: '#/components/schemas/Security_Lists_API_ListName' tie_breaker_id: - description: >- - Field used in search to ensure all containers are sorted and - returned correctly. + description: Field used in search to ensure all containers are sorted and returned correctly. example: f5508188-b1e9-4e6e-9662-d039a7d89899 type: string type: $ref: '#/components/schemas/Security_Lists_API_ListType' updated_at: description: Autogenerated date of last object update. - example: 2025-01-08T04:47:34.273Z + example: '2025-01-08T04:47:34.273Z' format: date-time type: string updated_by: @@ -68771,12 +120378,12 @@ components: _version: $ref: '#/components/schemas/Security_Lists_API_ListVersionId' '@timestamp': - example: 2025-01-08T04:47:34.273Z + example: '2025-01-08T04:47:34.273Z' format: date-time type: string created_at: description: Autogenerated date of object creation. - example: 2025-01-08T04:47:34.273Z + example: '2025-01-08T04:47:34.273Z' format: date-time type: string created_by: 
@@ -68790,16 +120397,14 @@ components: meta: $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' tie_breaker_id: - description: >- - Field used in search to ensure all containers are sorted and - returned correctly. + description: Field used in search to ensure all containers are sorted and returned correctly. example: f5508188-b1e9-4e6e-9662-d039a7d89899 type: string type: $ref: '#/components/schemas/Security_Lists_API_ListType' updated_at: description: Autogenerated date of last object update. - example: 2025-01-08T04:47:34.273Z + example: '2025-01-08T04:47:34.273Z' format: date-time type: string updated_by: @@ -68898,17 +120503,12 @@ components: - index - application Security_Lists_API_ListType: - description: > - Specifies the Elasticsearch data type of excludes the list container - holds. Some common examples: - + description: | + Specifies the Elasticsearch data type of excludes the list container holds. Some common examples: - `keyword`: Many ECS fields are Elasticsearch keywords - - `ip`: IP addresses - - - `ip_range`: Range of IP addresses (supports IPv4, IPv6, and CIDR - notation) + - `ip_range`: Range of IP addresses (supports IPv4, IPv6, and CIDR notation) enum: - binary - boolean @@ -68940,9 +120540,8 @@ components: minimum: 1 type: integer Security_Lists_API_ListVersionId: - description: > - The version id, normally returned by the API when the document is - retrieved. Use it ensure updates are done against the latest version. + description: | + The version id, normally returned by the API when the document is retrieved. Use it ensure updates are done against the latest version. example: WzIsMV0= type: string Security_Lists_API_PlatformErrorResponse: 
@@ -68977,19 +120576,19 @@ components: type: object properties: ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' id: $ref: '#/components/schemas/Security_Osquery_API_QueryId' platform: - $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Platform' query: $ref: '#/components/schemas/Security_Osquery_API_Query' removed: - $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Removed' snapshot: - $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Snapshot' version: - $ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Version' Security_Osquery_API_CopyPacksResponse: description: The response for copying a pack. example: 
@@ -69029,24 +120628,20 @@ components: created_by_profile_uid: type: string description: - $ref: >- - #/components/schemas/Security_Osquery_API_PackDescriptionOrUndefined + $ref: '#/components/schemas/Security_Osquery_API_PackDescription' enabled: - $ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Enabled' name: $ref: '#/components/schemas/Security_Osquery_API_PackName' policy_ids: - $ref: '#/components/schemas/Security_Osquery_API_PolicyIdsOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_PolicyIds' queries: - description: >- - Pack queries in saved-object storage format (array). Note: the - read endpoint returns object format. + description: 'Pack queries in saved-object storage format (array). Note: the read endpoint returns object format.' items: type: object properties: ecs_mapping: - $ref: >- - #/components/schemas/Security_Osquery_API_ECSMappingArrayOrUndefined + $ref: '#/components/schemas/Security_Osquery_API_ECSMappingArray' id: type: string interval: @@ -69127,10 +120722,9 @@ components: created_by_profile_uid: type: string description: - $ref: >- - #/components/schemas/Security_Osquery_API_SavedQueryDescriptionOrUndefined + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription' ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' id: $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' interval: 
@@ -69138,15 +120732,15 @@ components: - type: integer - type: string platform: - $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Platform' query: $ref: '#/components/schemas/Security_Osquery_API_Query' removed: - $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Removed' saved_object_id: type: string snapshot: - $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Snapshot' timeout: type: integer updated_at: @@ -69200,7 +120794,7 @@ components: type: string type: array ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' event_ids: description: A list of event IDs associated with the live query. items: @@ -69211,13 +120805,13 @@ components: nullable: true type: object pack_id: - $ref: '#/components/schemas/Security_Osquery_API_PackIdOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_PackId' queries: $ref: '#/components/schemas/Security_Osquery_API_ArrayQueries' query: - $ref: '#/components/schemas/Security_Osquery_API_QueryOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Query' saved_query_id: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryIdOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' Security_Osquery_API_CreateLiveQueryResponse: description: The response for creating a live query. example: @@ -69308,8 +120902,7 @@ components: type: string type: array ecs_mapping: - $ref: >- - #/components/schemas/Security_Osquery_API_ECSMappingOrUndefined + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' id: type: string platform: 
@@ -69359,13 +120952,13 @@ components: type: object properties: description: - $ref: '#/components/schemas/Security_Osquery_API_PackDescriptionOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_PackDescription' enabled: - $ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Enabled' name: $ref: '#/components/schemas/Security_Osquery_API_PackName' policy_ids: - $ref: '#/components/schemas/Security_Osquery_API_PolicyIdsOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_PolicyIds' queries: $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries' shards: @@ -69415,14 +121008,13 @@ components: description: The profile UID of the user who created the pack. type: string description: - $ref: >- - #/components/schemas/Security_Osquery_API_PackDescriptionOrUndefined + $ref: '#/components/schemas/Security_Osquery_API_PackDescription' enabled: - $ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Enabled' name: $ref: '#/components/schemas/Security_Osquery_API_PackName' policy_ids: - $ref: '#/components/schemas/Security_Osquery_API_PolicyIdsOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_PolicyIds' queries: $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries' saved_object_id: 
@@ -69472,24 +121064,23 @@ components: type: object properties: description: - $ref: >- - #/components/schemas/Security_Osquery_API_SavedQueryDescriptionOrUndefined + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription' ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' id: $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' interval: $ref: '#/components/schemas/Security_Osquery_API_Interval' platform: - $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Platform' query: - $ref: '#/components/schemas/Security_Osquery_API_QueryOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Query' removed: - $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Removed' snapshot: - $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Snapshot' version: - $ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Version' Security_Osquery_API_CreateSavedQueryResponse: description: The response for creating a saved query. example: 
@@ -69524,33 +121115,30 @@ components: created_by_profile_uid: type: string description: - $ref: >- - #/components/schemas/Security_Osquery_API_SavedQueryDescriptionOrUndefined + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription' ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' id: $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' interval: - description: >- - An interval, in seconds, on which to run the query. May be - returned as number or string. + description: An interval, in seconds, on which to run the query. May be returned as number or string. oneOf: - type: integer - type: string platform: - $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Platform' prebuilt: description: Whether the saved query is prebuilt. type: boolean query: $ref: '#/components/schemas/Security_Osquery_API_Query' removed: - $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Removed' saved_object_id: description: The saved object ID of the saved query. type: string snapshot: - $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Snapshot' timeout: description: The query timeout in seconds. type: integer 
@@ -69579,18 +121167,13 @@ components: Security_Osquery_API_ECSMapping: additionalProperties: $ref: '#/components/schemas/Security_Osquery_API_ECSMappingItem' - description: >- - Map osquery results columns or static values to Elastic Common Schema - (ECS) fields + description: Map osquery results columns or static values to Elastic Common Schema (ECS) fields example: host.uptime: field: total_seconds type: object Security_Osquery_API_ECSMappingArray: - description: >- - ECS mapping in saved-object storage format (array of key-value pairs). - The find and copy pack endpoints return this format. The read endpoint - returns object format (ECSMapping). + description: ECS mapping in saved-object storage format (array of key-value pairs). The find and copy pack endpoints return this format. The read endpoint returns object format (ECSMapping). items: $ref: '#/components/schemas/Security_Osquery_API_ECSMappingArrayItem' type: array @@ -69695,8 +121278,7 @@ components: description: Number of result documents. type: integer ecs_mapping: - $ref: >- - #/components/schemas/Security_Osquery_API_ECSMappingOrUndefined + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' failed: description: Number of failed queries. type: integer @@ -69801,8 +121383,7 @@ components: type: string type: array ecs_mapping: - $ref: >- - #/components/schemas/Security_Osquery_API_ECSMappingOrUndefined + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' id: type: string query: @@ -69811,9 +121392,7 @@ components: type: string type: array result_counts: - description: >- - Result count statistics (present when withResultCounts - is true). + description: Result count statistics (present when withResultCounts is true). type: object properties: error_agents: 
@@ -69871,10 +121450,9 @@ components: created_by_profile_uid: type: string description: - $ref: >- - #/components/schemas/Security_Osquery_API_PackDescriptionOrUndefined + $ref: '#/components/schemas/Security_Osquery_API_PackDescription' enabled: - $ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Enabled' name: $ref: '#/components/schemas/Security_Osquery_API_PackName' namespaces: @@ -69883,7 +121461,7 @@ components: type: string type: array policy_ids: - $ref: '#/components/schemas/Security_Osquery_API_PolicyIdsOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_PolicyIds' queries: $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries' read_only: @@ -69956,24 +121534,20 @@ components: created_by_profile_uid: type: string description: - $ref: >- - #/components/schemas/Security_Osquery_API_PackDescriptionOrUndefined + $ref: '#/components/schemas/Security_Osquery_API_PackDescription' enabled: - $ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Enabled' name: $ref: '#/components/schemas/Security_Osquery_API_PackName' policy_ids: - $ref: '#/components/schemas/Security_Osquery_API_PolicyIdsOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_PolicyIds' queries: - description: >- - Pack queries in saved-object storage format (array). Note: the - read endpoint returns object format. + description: 'Pack queries in saved-object storage format (array). Note: the read endpoint returns object format.' items: type: object properties: ecs_mapping: - $ref: >- - #/components/schemas/Security_Osquery_API_ECSMappingArrayOrUndefined + $ref: '#/components/schemas/Security_Osquery_API_ECSMappingArray' id: type: string interval: 
@@ -70059,10 +121633,9 @@ components: created_by_profile_uid: type: string description: - $ref: >- - #/components/schemas/Security_Osquery_API_SavedQueryDescriptionOrUndefined + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription' ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' id: $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' interval: @@ -70070,17 +121643,17 @@ components: - type: integer - type: string platform: - $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Platform' prebuilt: type: boolean query: $ref: '#/components/schemas/Security_Osquery_API_Query' removed: - $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Removed' saved_object_id: type: string snapshot: - $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Snapshot' timeout: type: integer updated_at: @@ -70140,11 +121713,9 @@ components: created_by_profile_uid: type: string description: - $ref: >- - #/components/schemas/Security_Osquery_API_SavedQueryDescriptionOrUndefined + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription' ecs_mapping: - $ref: >- - #/components/schemas/Security_Osquery_API_ECSMappingOrUndefined + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' id: $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' interval: 
@@ -70152,17 +121723,17 @@ components: - type: integer - type: string platform: - $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Platform' prebuilt: type: boolean query: $ref: '#/components/schemas/Security_Osquery_API_Query' removed: - $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Removed' saved_object_id: type: string snapshot: - $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Snapshot' timeout: type: integer updated_at: @@ -70218,9 +121789,7 @@ components: _id: type: string _source: - description: >- - The Elasticsearch document source containing query - results. + description: The Elasticsearch document source containing query results. type: object type: array total: @@ -70255,8 +121824,7 @@ components: type: object properties: aggregations: - $ref: >- - #/components/schemas/Security_Osquery_API_ScheduledActionResultsAggregations + $ref: '#/components/schemas/Security_Osquery_API_ScheduledActionResultsAggregations' currentPage: description: The current page number (zero-based). type: integer @@ -70353,9 +121921,7 @@ components: description: Whether there are more results beyond the current page. type: boolean nextPage: - description: >- - A base64-encoded cursor to fetch the next page. Absent when there - are no more results. + description: A base64-encoded cursor to fetch the next page. Absent when there are no more results. type: string required: - data 
@@ -70409,14 +121975,10 @@ components: description: The number of sub-queries that returned results. type: integer savedQueryId: - description: >- - The saved query ID, if the live query was based on a saved - query. + description: The saved query ID, if the live query was based on a saved query. type: string source: - description: >- - Whether this was a manually run live query or triggered by a - rule. + description: Whether this was a manually run live query or triggered by a rule. enum: - Live - Rule @@ -70447,21 +122009,21 @@ components: type: object properties: ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' id: $ref: '#/components/schemas/Security_Osquery_API_QueryId' platform: - $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Platform' query: $ref: '#/components/schemas/Security_Osquery_API_Query' removed: - $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Removed' saved_query_id: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryIdOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' snapshot: - $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Snapshot' version: - $ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Version' Security_Osquery_API_PackDescription: description: The pack description. example: Pack description 
@@ -70491,10 +122053,7 @@ components: nullable: true type: integer Security_Osquery_API_Platform: - description: >- - Restricts the query to a specified platform. The default is all - platforms. To specify multiple platforms, use commas. For example, - `linux,darwin`. + description: Restricts the query to a specified platform. The default is all platforms. To specify multiple platforms, use commas. For example, `linux,darwin`. example: linux,darwin type: string Security_Osquery_API_PlatformOrUndefined: @@ -70616,10 +122175,7 @@ components: Security_Osquery_API_Shards: additionalProperties: type: number - description: >- - An object with shard configuration for policies included in the pack. - For each policy, set the shard configuration to a percentage (1–100) of - target hosts. + description: An object with shard configuration for policies included in the pack. For each policy, set the shard configuration to a percentage (1–100) of target hosts. example: policy_id: 50 type: object @@ -70702,13 +122258,13 @@ components: type: object properties: description: - $ref: '#/components/schemas/Security_Osquery_API_PackDescriptionOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_PackDescription' enabled: - $ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Enabled' name: $ref: '#/components/schemas/Security_Osquery_API_PackName' policy_ids: - $ref: '#/components/schemas/Security_Osquery_API_PolicyIdsOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_PolicyIds' queries: $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries' shards: 
@@ -70755,14 +122311,13 @@ components: created_by_profile_uid: type: string description: - $ref: >- - #/components/schemas/Security_Osquery_API_PackDescriptionOrUndefined + $ref: '#/components/schemas/Security_Osquery_API_PackDescription' enabled: - $ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Enabled' name: $ref: '#/components/schemas/Security_Osquery_API_PackName' policy_ids: - $ref: '#/components/schemas/Security_Osquery_API_PolicyIdsOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_PolicyIds' queries: $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries' saved_object_id: 
@@ -70787,24 +122342,23 @@ components: type: object properties: description: - $ref: >- - #/components/schemas/Security_Osquery_API_SavedQueryDescriptionOrUndefined + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription' ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' id: $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' interval: - $ref: '#/components/schemas/Security_Osquery_API_IntervalOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Interval' platform: - $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Platform' query: - $ref: '#/components/schemas/Security_Osquery_API_QueryOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Query' removed: - $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Removed' snapshot: - $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Snapshot' version: - $ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Version' Security_Osquery_API_UpdateSavedQueryResponse: description: The response for updating a saved query. example: @@ -70833,10 +122387,9 @@ components: created_by_profile_uid: type: string description: - $ref: >- - #/components/schemas/Security_Osquery_API_SavedQueryDescriptionOrUndefined + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription' ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' id: $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' interval: 
@@ -70844,17 +122397,17 @@ components: - type: integer - type: string platform: - $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Platform' prebuilt: type: boolean query: $ref: '#/components/schemas/Security_Osquery_API_Query' removed: - $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Removed' saved_object_id: type: string snapshot: - $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Snapshot' timeout: type: integer updated_at: 
@@ -70874,26 +122427,15 @@ components: required: - data Security_Osquery_API_Version: - description: >- - Uses the Osquery versions greater than or equal to the specified version - string. + description: Uses the Osquery versions greater than or equal to the specified version string. example: 1.0.0 type: string Security_Osquery_API_VersionOrUndefined: $ref: '#/components/schemas/Security_Osquery_API_Version' nullable: true Security_Timeline_API_AssociatedFilterType: - description: > - How the note is associated with a Timeline saved object and/or an event - (`eventId`). `all`: no association-based restriction from this - parameter. `document_only`: document-linked notes (non-empty `eventId`) - without timeline association in the API's internal sense; post-filtering - drops notes without a usable `eventId`. `saved_object_only`: timeline - notes with no linked event (`eventId` empty or absent); post-filtering - keeps timeline-only notes. `document_and_saved_object`: notes on a - timeline and linked to an event; post-filtering enforces a real - `eventId`. `orphan`: not on a timeline and `eventId` is empty (stricter - than missing `eventId` in some cases). + description: | + How the note is associated with a Timeline saved object and/or an event (`eventId`). `all`: no association-based restriction from this parameter. `document_only`: document-linked notes (non-empty `eventId`) without timeline association in the API's internal sense; post-filtering drops notes without a usable `eventId`. `saved_object_only`: timeline notes with no linked event (`eventId` empty or absent); post-filtering keeps timeline-only notes. `document_and_saved_object`: notes on a timeline and linked to an event; post-filtering enforces a real `eventId`. `orphan`: not on a timeline and `eventId` is empty (stricter than missing `eventId` in some cases). enum: - all - document_only 
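Review bot: Swapping the `*OrUndefined` refs for the base schemas silently drops nullability from the Osquery response contract, because the wrappers were where `nullable: true` lived — `Security_Osquery_API_VersionOrUndefined` is still defined in this hunk as `$ref: Security_Osquery_API_Version` plus `nullable: true`, but nothing references it anymore. If any of these endpoints can actually return JSON `null` for `version`, `platform`, `removed` or `snapshot` (plausible for saved-object backed fields, but not verifiable from this hunk), clients generated with strict validation will now reject valid responses; in that case put `nullable: true` on the base schema itself, e.g. under `Security_Osquery_API_Version: ... type: string` add `nullable: true`, rather than re-introducing the wrappers. Either way the orphaned `*OrUndefined` definitions are now dead weight and should be removed so a spec linter does not flag unused components. If this YAML is a generated bundle, the fix belongs in the source OAS files that feed it, not here.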
@@ -70903,15 +122445,12 @@ components: type: string Security_Timeline_API_BareNote: allOf: - - $ref: >- - #/components/schemas/Security_Timeline_API_NoteCreatedAndUpdatedMetadata + - $ref: '#/components/schemas/Security_Timeline_API_NoteCreatedAndUpdatedMetadata' - type: object properties: eventId: - description: > - Elasticsearch document `_id` for the event or alert this note - refers to. Same value as the `documentIds` query parameter when - fetching notes via GET /api/note. + description: | + Elasticsearch document `_id` for the event or alert this note refers to. Same value as the `documentIds` query parameter when fetching notes via GET /api/note. example: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc nullable: true type: string @@ -70921,17 +122460,14 @@ components: nullable: true type: string timelineId: - description: >- - The `savedObjectId` of the Timeline this note belongs to (not - the note's own ID). + description: The `savedObjectId` of the Timeline this note belongs to (not the note's own ID). example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e type: string required: - timelineId Security_Timeline_API_BarePinnedEvent: allOf: - - $ref: >- - #/components/schemas/Security_Timeline_API_PinnedEventCreatedAndUpdatedMetadata + - $ref: '#/components/schemas/Security_Timeline_API_PinnedEventCreatedAndUpdatedMetadata' - type: object properties: eventId: @@ -70939,9 +122475,7 @@ components: example: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc type: string timelineId: - description: >- - The `savedObjectId` of the timeline that this pinned event is - associated with + description: The `savedObjectId` of the timeline that this pinned event is associated with example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e type: string required: 
@@ -70997,1046 +122531,2116 @@ components: id: nullable: true type: string - kqlQuery: + kqlQuery: + nullable: true + type: string + name: + nullable: true + type: string + queryMatch: + $ref: '#/components/schemas/Security_Timeline_API_QueryMatchResult' + nullable: true + type: + $ref: '#/components/schemas/Security_Timeline_API_DataProviderType' + nullable: true + Security_Timeline_API_DataProviderResult: + type: object + properties: + and: + items: + $ref: '#/components/schemas/Security_Timeline_API_DataProviderQueryMatch' + nullable: true + type: array + enabled: + nullable: true + type: boolean + excluded: + nullable: true + type: boolean + id: + nullable: true + type: string + kqlQuery: + nullable: true + type: string + name: + nullable: true + type: string + queryMatch: + $ref: '#/components/schemas/Security_Timeline_API_QueryMatchResult' + nullable: true + type: + $ref: '#/components/schemas/Security_Timeline_API_DataProviderType' + nullable: true + Security_Timeline_API_DataProviderType: + description: The type of data provider. + enum: + - default + - template + type: string + Security_Timeline_API_DocumentIds: + description: One document ID or an array of IDs (Elasticsearch `_id` of the event). + oneOf: + - items: + type: string + type: array + - type: string + Security_Timeline_API_FavoriteTimelineResponse: + type: object + properties: + favorite: + items: + $ref: '#/components/schemas/Security_Timeline_API_FavoriteTimelineResult' + type: array + savedObjectId: + type: string + templateTimelineId: + nullable: true + type: string + templateTimelineVersion: + nullable: true + type: number + timelineType: + $ref: '#/components/schemas/Security_Timeline_API_TimelineType' + version: + type: string + required: + - savedObjectId + - version + Security_Timeline_API_FavoriteTimelineResult: + description: Indicates when and who marked a Timeline as a favorite. 
+ example: + favoriteDate: 1741337636741 + userName: elastic + type: object + properties: + favoriteDate: + nullable: true + type: number + fullName: + nullable: true + type: string + userName: + nullable: true + type: string + Security_Timeline_API_FilterTimelineResult: + example: + meta: + alias: Custom filter name + disabled: false + index: .alerts-security.alerts-default,logs-* + key: '@timestamp' + negate: false, + type: exists + value: exists + query: '{"exists":{"field":"@timestamp"}}' + type: object + properties: + exists: + nullable: true + type: string + match_all: + nullable: true + type: string + meta: + nullable: true + type: object + properties: + alias: + nullable: true + type: string + controlledBy: + nullable: true + type: string + disabled: + nullable: true + type: boolean + field: + nullable: true + type: string + formattedValue: + nullable: true + type: string + index: + nullable: true + type: string + key: + nullable: true + type: string + negate: + nullable: true + type: boolean + params: + nullable: true + type: string + type: + nullable: true + type: string + value: + nullable: true + type: string + missing: + nullable: true + type: string + query: + nullable: true + type: string + range: + nullable: true + type: string + script: + nullable: true + type: string + Security_Timeline_API_GetNotesResult: + type: object + properties: + notes: + items: + $ref: '#/components/schemas/Security_Timeline_API_Note' + type: array + totalCount: + description: Number of notes returned (may be adjusted after the query when `associatedFilter` applies post-filtering). 
+ type: number + required: + - totalCount + - notes + Security_Timeline_API_ImportTimelineResult: + type: object + properties: + errors: + description: The list of failed Timeline imports + items: + type: object + properties: + error: + description: The error containing the reason why the timeline could not be imported + type: object + properties: + message: + description: The reason why the timeline could not be imported + example: Malformed JSON + type: string + status_code: + description: The HTTP status code of the error + example: 400 + type: number + id: + description: The ID of the timeline that failed to import + example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 + type: string + type: array + success: + description: Indicates whether any of the Timelines were successfully imports + type: boolean + success_count: + description: The amount of successfully imported/updated Timelines + example: 99 + type: number + timelines_installed: + description: The amount of successfully installed Timelines + example: 80 + type: number + timelines_updated: + description: The amount of successfully updated Timelines + example: 19 + type: number + Security_Timeline_API_ImportTimelines: + allOf: + - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' + - type: object + properties: + eventNotes: + items: + $ref: '#/components/schemas/Security_Timeline_API_BareNote' + nullable: true + type: array + globalNotes: + items: + $ref: '#/components/schemas/Security_Timeline_API_BareNote' + nullable: true + type: array + pinnedEventIds: + items: + type: string + nullable: true + type: array + savedObjectId: + nullable: true + type: string + version: + nullable: true + type: string + required: + - savedObjectId + - version + - pinnedEventIds + - eventNotes + - globalNotes + Security_Timeline_API_Note: + allOf: + - $ref: '#/components/schemas/Security_Timeline_API_BareNote' + - type: object + properties: + noteId: + description: The `savedObjectId` of the note + example: 
709f99c6-89b6-4953-9160-35945c8e174e + type: string + version: + description: The version of the note + example: WzQ2LDFd + type: string + required: + - noteId + - version + Security_Timeline_API_NoteCreatedAndUpdatedMetadata: + type: object + properties: + created: + description: The time the note was created, using a 13-digit Epoch timestamp. + example: 1587468588922 + nullable: true + type: number + createdBy: + description: The user who created the note. + example: casetester + nullable: true + type: string + updated: + description: The last time the note was updated, using a 13-digit Epoch timestamp + example: 1741344876825 + nullable: true + type: number + updatedBy: + description: The user who last updated the note + example: casetester + nullable: true + type: string + Security_Timeline_API_PersistPinnedEventResponse: + oneOf: + - $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent' + - type: object + properties: + unpinned: + description: Indicates whether the event was successfully unpinned + type: boolean + required: + - unpinned + Security_Timeline_API_PersistTimelineResponse: + $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' + Security_Timeline_API_PinnedEvent: + allOf: + - $ref: '#/components/schemas/Security_Timeline_API_BarePinnedEvent' + - type: object + properties: + pinnedEventId: + description: The `savedObjectId` of this pinned event + example: 10r1929b-0af7-42bd-85a8-56e234f98h2f3 + type: string + version: + description: The version of this pinned event + example: WzQ2LDFe + type: string + required: + - pinnedEventId + - version + Security_Timeline_API_PinnedEventCreatedAndUpdatedMetadata: + type: object + properties: + created: + description: The time the pinned event was created, using a 13-digit Epoch timestamp. + example: 1587468588922 + nullable: true + type: number + createdBy: + description: The user who created the pinned event. 
+ example: casetester + nullable: true + type: string + updated: + description: The last time the pinned event was updated, using a 13-digit Epoch timestamp + example: 1741344876825 + nullable: true + type: number + updatedBy: + description: The user who last updated the pinned event + example: casetester + nullable: true + type: string + Security_Timeline_API_QueryMatchResult: + type: object + properties: + displayField: + nullable: true + type: string + displayValue: + nullable: true + type: string + field: + nullable: true + type: string + operator: + nullable: true + type: string + value: + oneOf: + - nullable: true + type: string + - items: + type: string + nullable: true + type: array + Security_Timeline_API_ResolvedTimeline: + type: object + properties: + alias_purpose: + $ref: '#/components/schemas/Security_Timeline_API_SavedObjectResolveAliasPurpose' + alias_target_id: + type: string + outcome: + $ref: '#/components/schemas/Security_Timeline_API_SavedObjectResolveOutcome' + timeline: + $ref: '#/components/schemas/Security_Timeline_API_TimelineSavedToReturnObject' + required: + - timeline + - outcome + Security_Timeline_API_ResponseNote: + type: object + properties: + note: + $ref: '#/components/schemas/Security_Timeline_API_Note' + required: + - note + Security_Timeline_API_RowRendererId: + description: Identifies the available row renderers + enum: + - alert + - alerts + - auditd + - auditd_file + - library + - netflow + - plain + - registry + - suricata + - system + - system_dns + - system_endgame_process + - system_file + - system_fim + - system_security_event + - system_socket + - threat_match + - zeek + type: string + Security_Timeline_API_SavedObjectIds: + description: One Timeline saved object ID or an array of IDs. 
+ oneOf: + - items: + type: string + type: array + - type: string + Security_Timeline_API_SavedObjectResolveAliasPurpose: + enum: + - savedObjectConversion + - savedObjectImport + type: string + Security_Timeline_API_SavedObjectResolveOutcome: + enum: + - exactMatch + - aliasMatch + - conflict + type: string + Security_Timeline_API_SavedTimeline: + type: object + properties: + columns: + description: The Timeline's columns + example: + - columnHeaderType: not-filtered + id: '@timestamp' + - columnHeaderType: not-filtered + id: event.category + items: + $ref: '#/components/schemas/Security_Timeline_API_ColumnHeaderResult' + nullable: true + type: array + created: + description: The time the Timeline was created, using a 13-digit Epoch timestamp. + example: 1587468588922 + nullable: true + type: number + createdBy: + description: The user who created the Timeline. + example: casetester + nullable: true + type: string + dataProviders: + description: Object containing query clauses + example: + - enabled: true + excluded: false + id: id-d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b + name: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b + queryMatch: + field: _id, + operator: ':' + value: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b, + items: + $ref: '#/components/schemas/Security_Timeline_API_DataProviderResult' + nullable: true + type: array + dataViewId: + description: ID of the Timeline's Data View + example: security-solution-default + nullable: true + type: string + dateRange: + description: The Timeline's search period. 
+ example: + end: 1587456479201 + start: 1587370079200 + nullable: true + type: object + properties: + end: + oneOf: + - nullable: true + type: string + - nullable: true + type: number + start: + oneOf: + - nullable: true + type: string + - nullable: true + type: number + description: + description: The Timeline's description + example: Investigating exposure of CVE XYZ + nullable: true + type: string + eqlOptions: + description: EQL query that is used in the correlation tab + example: + eventCategoryField: event.category + query: sequence\n[process where process.name == "sudo"]\n[any where true] + size: 100 + timestampField: '@timestamp' nullable: true - type: string - name: + type: object + properties: + eventCategoryField: + nullable: true + type: string + query: + nullable: true + type: string + size: + oneOf: + - nullable: true + type: string + - nullable: true + type: number + tiebreakerField: + nullable: true + type: string + timestampField: + nullable: true + type: string + eventType: + deprecated: true + description: Event types displayed in the Timeline + example: all nullable: true type: string - queryMatch: - $ref: '#/components/schemas/Security_Timeline_API_QueryMatchResult' - nullable: true - type: - $ref: '#/components/schemas/Security_Timeline_API_DataProviderType' + excludedRowRendererIds: + description: A list of row renderers that should not be used when in `Event renderers` mode + items: + $ref: '#/components/schemas/Security_Timeline_API_RowRendererId' nullable: true - Security_Timeline_API_DataProviderResult: - type: object - properties: - and: + type: array + favorite: items: - $ref: '#/components/schemas/Security_Timeline_API_DataProviderQueryMatch' + $ref: '#/components/schemas/Security_Timeline_API_FavoriteTimelineResult' nullable: true type: array - enabled: + filters: + description: A list of filters that should be applied to the query + items: + $ref: '#/components/schemas/Security_Timeline_API_FilterTimelineResult' nullable: true - 
type: boolean - excluded: + type: array + indexNames: + description: A list of index names to use in the query (e.g. when the default data view has been modified) + example: + - .logs* + items: + type: string nullable: true - type: boolean - id: + type: array + kqlMode: + description: |- + Indicates whether the KQL bar filters the query results or searches for additional results, where: + * `filter`: filters query results + * `search`: displays additional search results + example: search nullable: true type: string kqlQuery: + $ref: '#/components/schemas/Security_Timeline_API_SerializedFilterQueryResult' + nullable: true + savedQueryId: + description: The ID of the saved query that might be used in the Query tab + example: c7b16904-02d7-4f32-b8f2-cc20f9625d6e nullable: true type: string - name: + savedSearchId: + description: The ID of the saved search that is used in the ES|QL tab + example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 nullable: true type: string - queryMatch: - $ref: '#/components/schemas/Security_Timeline_API_QueryMatchResult' + sort: + $ref: '#/components/schemas/Security_Timeline_API_Sort' nullable: true - type: - $ref: '#/components/schemas/Security_Timeline_API_DataProviderType' + status: + $ref: '#/components/schemas/Security_Timeline_API_TimelineStatus' nullable: true - Security_Timeline_API_DataProviderType: - description: The type of data provider. - enum: - - default - - template - type: string - Security_Timeline_API_DocumentIds: - description: One document ID or an array of IDs (Elasticsearch `_id` of the event). - oneOf: - - items: - type: string - type: array - - type: string - Security_Timeline_API_FavoriteTimelineResponse: - type: object - properties: - favorite: - items: - $ref: '#/components/schemas/Security_Timeline_API_FavoriteTimelineResult' - type: array - savedObjectId: - type: string templateTimelineId: + description: A unique ID (UUID) for Timeline templates. For Timelines, the value is `null`. 
+ example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 nullable: true type: string templateTimelineVersion: + description: Timeline template version number. For Timelines, the value is `null`. + example: 12 nullable: true type: number timelineType: $ref: '#/components/schemas/Security_Timeline_API_TimelineType' - version: + nullable: true + title: + description: The Timeline's title. + example: CVE XYZ investigation + nullable: true type: string - required: - - savedObjectId - - version - Security_Timeline_API_FavoriteTimelineResult: - description: Indicates when and who marked a Timeline as a favorite. - example: - favoriteDate: 1741337636741 - userName: elastic - type: object - properties: - favoriteDate: + updated: + description: The last time the Timeline was updated, using a 13-digit Epoch timestamp + example: 1741344876825 nullable: true type: number - fullName: + updatedBy: + description: The user who last updated the Timeline + example: casetester nullable: true type: string - userName: + Security_Timeline_API_SavedTimelineWithSavedObjectId: + allOf: + - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' + - type: object + properties: + savedObjectId: + description: The `savedObjectId` of the Timeline or Timeline template + example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + type: string + version: + description: The version of the Timeline or Timeline template + example: WzE0LDFd + type: string + required: + - savedObjectId + - version + Security_Timeline_API_SerializedFilterQueryResult: + description: KQL bar query. 
+ example: + filterQuery: null + kuery: + expression: '_id : *' + kind: kuery + serializedQuery: '{"bool":{"should":[{"exists":{"field":"_id"}}],"minimum_should_match":1}}' + type: object + properties: + filterQuery: nullable: true - type: string - Security_Timeline_API_FilterTimelineResult: + type: object + properties: + kuery: + nullable: true + type: object + properties: + expression: + nullable: true + type: string + kind: + nullable: true + type: string + serializedQuery: + nullable: true + type: string + Security_Timeline_API_Sort: + oneOf: + - $ref: '#/components/schemas/Security_Timeline_API_SortObject' + - items: + $ref: '#/components/schemas/Security_Timeline_API_SortObject' + type: array + Security_Timeline_API_SortFieldTimeline: + description: The field to sort the timelines by. + enum: + - title + - description + - updated + - created + type: string + Security_Timeline_API_SortObject: + description: Object indicating how rows are sorted in the Timeline's grid example: - meta: - alias: Custom filter name - disabled: false - index: .alerts-security.alerts-default,logs-* - key: '@timestamp' - negate: false, - type: exists - value: exists - query: '{"exists":{"field":"@timestamp"}}' + columnId: '@timestamp' + sortDirection: desc type: object properties: - exists: + columnId: nullable: true type: string - match_all: + columnType: nullable: true type: string - meta: + sortDirection: nullable: true - type: object + type: string + Security_Timeline_API_TimelineResponse: + allOf: + - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' + - $ref: '#/components/schemas/Security_Timeline_API_SavedTimelineWithSavedObjectId' + - type: object properties: - alias: + eventIdToNoteIds: + description: A list of all the notes that are associated to this Timeline. 
+ items: + $ref: '#/components/schemas/Security_Timeline_API_Note' nullable: true - type: string - controlledBy: + type: array + noteIds: + description: A list of all the ids of notes that are associated to this Timeline. + example: + - 709f99c6-89b6-4953-9160-35945c8e174e + items: + type: string nullable: true - type: string - disabled: + type: array + notes: + description: A list of all the notes that are associated to this Timeline. + items: + $ref: '#/components/schemas/Security_Timeline_API_Note' nullable: true - type: boolean - field: + type: array + pinnedEventIds: + description: A list of all the ids of pinned events that are associated to this Timeline. + example: + - 983f99c6-89b6-4953-9160-35945c8a194f + items: + type: string nullable: true - type: string - formattedValue: + type: array + pinnedEventsSaveObject: + description: A list of all the pinned events that are associated to this Timeline. + items: + $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent' nullable: true - type: string - index: + type: array + Security_Timeline_API_TimelineSavedToReturnObject: + allOf: + - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' + - type: object + properties: + eventIdToNoteIds: + items: + $ref: '#/components/schemas/Security_Timeline_API_Note' nullable: true - type: string - key: + type: array + noteIds: + items: + type: string nullable: true - type: string - negate: + type: array + notes: + items: + $ref: '#/components/schemas/Security_Timeline_API_Note' nullable: true - type: boolean - params: + type: array + pinnedEventIds: + items: + type: string nullable: true - type: string - type: + type: array + pinnedEventsSaveObject: + items: + $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent' nullable: true + type: array + savedObjectId: type: string - value: - nullable: true + version: type: string - missing: - nullable: true + required: + - savedObjectId + - version + Security_Timeline_API_TimelineStatus: + description: The 
status of the Timeline. + enum: + - active + - draft + - immutable + type: string + Security_Timeline_API_TimelineType: + description: The type of Timeline. + enum: + - default + - template + type: string + SLOs_400_response: + title: Bad request + type: object + properties: + error: + example: Bad Request + type: string + message: + example: 'Invalid value ''foo'' supplied to: [...]' + type: string + statusCode: + example: 400 + type: number + required: + - statusCode + - error + - message + SLOs_401_response: + title: Unauthorized + type: object + properties: + error: + example: Unauthorized + type: string + message: + example: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastics] for REST request [/_security/_authenticate]]: unable to authenticate user [elastics] for REST request [/_security/_authenticate]" + type: string + statusCode: + example: 401 + type: number + required: + - statusCode + - error + - message + SLOs_403_response: + title: Forbidden + type: object + properties: + error: + example: Forbidden + type: string + message: + example: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: action [slo_write] is unauthorized for user [limited_user] for REST request [/api/observability/slos]]: action [slo_write] is unauthorized for user [limited_user]" + type: string + statusCode: + example: 403 + type: number + required: + - statusCode + - error + - message + SLOs_404_response: + title: Not found + type: object + properties: + error: + example: Not Found + type: string + message: + example: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found + type: string + statusCode: + example: 404 + type: number + required: + - statusCode + - error + - message + SLOs_409_response: + title: Conflict + type: object + properties: + error: + example: Conflict + type: string + message: + example: SLO [d077e940-1515-11ee-9c50-9d096392f520] already exists + type: string + statusCode: + example: 409 + type: number + 
required: + - statusCode + - error + - message + SLOs_artifacts: + description: Links to related assets for the SLO + properties: + dashboards: + description: Array of dashboard references + items: + type: object + properties: + id: + description: Dashboard saved-object id + type: string + required: + - id + type: array + title: Artifacts + type: object + SLOs_budgeting_method: + description: The budgeting method to use when computing the rollup data. + enum: + - occurrences + - timeslices + example: occurrences + title: Budgeting method + type: string + SLOs_bulk_delete_request: + description: | + The bulk delete SLO request takes a list of SLOs Definition id to delete. + properties: + list: + description: An array of SLO Definition id + items: + description: The SLO Definition id + example: 8853df00-ae2e-11ed-90af-09bb6422b258 + type: string + type: array + required: + - list + title: Bulk delete SLO request + type: object + SLOs_bulk_delete_response: + description: | + The bulk delete SLO response returns a taskId that can be used to poll for its status + properties: + taskId: + description: The taskId of the bulk delete operation + example: d08506b7-f0e8-4f8b-a06a-a83940f4db91 + type: string + title: Bulk delete SLO response + type: object + SLOs_bulk_delete_status_response: + description: Indicates if the bulk deletion is completed, with the detailed results of the operation. 
+ properties: + error: + description: The error message if the bulk deletion operation failed + example: Task not found + type: string + isDone: + description: Indicates if the bulk deletion operation is completed + example: true + type: boolean + results: + description: The results of the bulk deletion operation, including the success status and any errors for each SLO + items: + type: object + properties: + error: + description: The error message if the deletion operation failed for this SLO + example: SLO [d08506b7-f0e8-4f8b-a06a-a83940f4db91] not found + type: string + id: + description: The ID of the SLO that was deleted + example: d08506b7-f0e8-4f8b-a06a-a83940f4db91 + type: string + success: + description: The result of the deletion operation for this SLO + example: true + type: boolean + type: array + title: The status of the bulk deletion + type: object + SLOs_bulk_purge_rollup_request: + description: | + The bulk purge rollup data request takes a list of SLO ids and a purge policy, then deletes the rollup data according to the purge policy. This API can be used to remove the staled data of an instance SLO that no longer get updated. + properties: + list: + description: An array of slo ids + items: + description: The SLO Definition id + example: 8853df00-ae2e-11ed-90af-09bb6422b258 + type: string + type: array + purgePolicy: + description: Policy that dictates which SLI documents to purge based on age + oneOf: + - type: object + properties: + age: + description: The duration to determine which documents to purge, formatted as {duration}{unit}. This value should be greater than or equal to the time window of every SLO provided. 
+ example: 7d + type: string + purgeType: + description: Specifies whether documents will be purged based on a specific age or on a timestamp + enum: + - fixed-age + type: string + - type: object + properties: + purgeType: + description: Specifies whether documents will be purged based on a specific age or on a timestamp + enum: + - fixed-time + type: string + timestamp: + description: The timestamp to determine which documents to purge, formatted in ISO. This value should be older than the applicable time window of every SLO provided. + example: '2024-12-31T00:00:00.000Z' + type: string + type: object + required: + - list + - purgePolicy + title: Bulk Purge Rollup data request + type: object + SLOs_bulk_purge_rollup_response: + description: | + The bulk purge rollup data response returns a task id from the elasticsearch deleteByQuery response. + properties: + taskId: + description: The task id of the purge operation + example: 8853df00-ae2e-11ed-90af-09bb6422b258 type: string - query: - nullable: true + title: Bulk Purge Rollup data response + type: object + SLOs_create_slo_request: + description: | + The create SLO API request body varies depending on the type of indicator, time window and budgeting method. + properties: + artifacts: + $ref: '#/components/schemas/SLOs_artifacts' + budgetingMethod: + $ref: '#/components/schemas/SLOs_budgeting_method' + description: + description: A description for the SLO. type: string - range: - nullable: true + groupBy: + $ref: '#/components/schemas/SLOs_group_by' + id: + description: A optional and unique identifier for the SLO. 
Must be between 8 and 36 chars + example: my-super-slo-id type: string - script: - nullable: true + indicator: + oneOf: + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' + - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' + - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' + name: + description: A name for the SLO. type: string - Security_Timeline_API_GetNotesResult: - type: object - properties: - notes: + objective: + $ref: '#/components/schemas/SLOs_objective' + settings: + $ref: '#/components/schemas/SLOs_settings' + tags: + description: List of tags items: - $ref: '#/components/schemas/Security_Timeline_API_Note' + type: string type: array - totalCount: - description: >- - Number of notes returned (may be adjusted after the query when - `associatedFilter` applies post-filtering). - type: number + timeWindow: + $ref: '#/components/schemas/SLOs_time_window' required: - - totalCount - - notes - Security_Timeline_API_ImportTimelineResult: + - name + - description + - indicator + - timeWindow + - budgetingMethod + - objective + title: Create SLO request + type: object + SLOs_create_slo_response: + title: Create SLO response type: object properties: - errors: - description: The list of failed Timeline imports + id: + example: 8853df00-ae2e-11ed-90af-09bb6422b258 + type: string + required: + - id + SLOs_delete_slo_instances_request: + description: | + The delete SLO instances request takes a list of SLO id and instance id, then delete the rollup and summary data. This API can be used to remove the staled data of an instance SLO that no longer get updated. 
+ properties: + list: + description: An array of slo id and instance id items: type: object properties: - error: - description: >- - The error containing the reason why the timeline could not be - imported - type: object - properties: - message: - description: The reason why the timeline could not be imported - example: Malformed JSON - type: string - status_code: - description: The HTTP status code of the error - example: 400 - type: number - id: - description: The ID of the timeline that failed to import - example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 + instanceId: + description: The SLO instance identifier + example: 8853df00-ae2e-11ed-90af-09bb6422b258 + type: string + sloId: + description: The SLO unique identifier + example: 8853df00-ae2e-11ed-90af-09bb6422b258 type: string + required: + - sloId + - instanceId type: array - success: - description: Indicates whether any of the Timelines were successfully imports - type: boolean - success_count: - description: The amount of successfully imported/updated Timelines - example: 99 + required: + - list + title: Delete SLO instances request + type: object + SLOs_error_budget: + title: Error budget + type: object + properties: + consumed: + description: The error budget consummed, as a percentage of the initial value. + example: 0.8 type: number - timelines_installed: - description: The amount of successfully installed Timelines - example: 80 + initial: + description: The initial error budget, as 1 - objective + example: 0.02 type: number - timelines_updated: - description: The amount of successfully updated Timelines - example: 19 + isEstimated: + description: Only for SLO defined with occurrences budgeting method and calendar aligned time window. + example: true + type: boolean + remaining: + description: The error budget remaining, as a percentage of the initial value. 
+ example: 0.2 type: number - Security_Timeline_API_ImportTimelines: - allOf: - - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' + required: + - initial + - consumed + - remaining + - isEstimated + SLOs_filter: + description: Defines properties for a filter + properties: + meta: + $ref: '#/components/schemas/SLOs_filter_meta' + query: + type: object + title: Filter + type: object + SLOs_filter_meta: + description: Defines properties for a filter + properties: + alias: + nullable: true + type: string + controlledBy: + type: string + disabled: + type: boolean + field: + type: string + group: + type: string + index: + type: string + isMultiIndex: + type: boolean + key: + type: string + negate: + type: boolean + params: + type: object + type: + type: string + value: + type: string + title: FilterMeta + type: object + SLOs_find_slo_definitions_response: + description: | + A paginated response of SLO definitions matching the query. + oneOf: - type: object properties: - eventNotes: + page: + example: 1 + type: number + perPage: + example: 25 + type: number + results: items: - $ref: '#/components/schemas/Security_Timeline_API_BareNote' - nullable: true + $ref: '#/components/schemas/SLOs_slo_with_summary_response' type: array - globalNotes: + total: + example: 34 + type: number + - type: object + properties: + page: + default: 1 + description: for backward compability + type: number + perPage: + description: for backward compability + example: 25 + type: number + results: items: - $ref: '#/components/schemas/Security_Timeline_API_BareNote' - nullable: true + $ref: '#/components/schemas/SLOs_slo_with_summary_response' type: array - pinnedEventIds: + searchAfter: + description: the cursor to provide to get the next paged results + example: + - some-slo-id + - other-cursor-id items: type: string - nullable: true type: array - savedObjectId: - nullable: true - type: string - version: - nullable: true - type: string - required: - - savedObjectId - - version - - 
pinnedEventIds - - eventNotes - - globalNotes - Security_Timeline_API_Note: - allOf: - - $ref: '#/components/schemas/Security_Timeline_API_BareNote' - - type: object - properties: - noteId: - description: The `savedObjectId` of the note - example: 709f99c6-89b6-4953-9160-35945c8e174e - type: string - version: - description: The version of the note - example: WzQ2LDFd - type: string - required: - - noteId - - version - Security_Timeline_API_NoteCreatedAndUpdatedMetadata: + size: + example: 25 + type: number + total: + example: 34 + type: number + title: Find SLO definitions response type: object + SLOs_find_slo_response: + description: | + A paginated response of SLOs matching the query. properties: - created: - description: The time the note was created, using a 13-digit Epoch timestamp. - example: 1587468588922 - nullable: true + page: + example: 1 type: number - createdBy: - description: The user who created the note. - example: casetester - nullable: true - type: string - updated: - description: The last time the note was updated, using a 13-digit Epoch timestamp - example: 1741344876825 - nullable: true + perPage: + example: 25 type: number - updatedBy: - description: The user who last updated the note - example: casetester - nullable: true + results: + items: + $ref: '#/components/schemas/SLOs_slo_with_summary_response' + type: array + searchAfter: type: string - Security_Timeline_API_PersistPinnedEventResponse: + size: + description: Size provided for cursor based pagination + example: 25 + type: number + total: + example: 34 + type: number + title: Find SLO response + type: object + SLOs_group_by: + description: optional group by field or fields to use to generate an SLO per distinct value + example: + - - service.name + - service.name + - - service.name + - service.environment oneOf: - - $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent' - - type: object - properties: - unpinned: - description: Indicates whether the event was successfully 
unpinned - type: boolean - required: - - unpinned - Security_Timeline_API_PersistTimelineResponse: - $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' - Security_Timeline_API_PinnedEvent: - allOf: - - $ref: '#/components/schemas/Security_Timeline_API_BarePinnedEvent' - - type: object + - type: string + - items: + type: string + type: array + title: Group by + SLOs_indicator_properties_apm_availability: + description: Defines properties for the APM availability indicator type + type: object + properties: + params: + description: An object containing the indicator parameters. + nullable: false + type: object properties: - pinnedEventId: - description: The `savedObjectId` of this pinned event - example: 10r1929b-0af7-42bd-85a8-56e234f98h2f3 + environment: + description: The APM service environment or "*" + example: production type: string - version: - description: The version of this pinned event - example: WzQ2LDFe + filter: + description: KQL query used for filtering the data + example: 'service.foo : "bar"' + type: string + index: + description: The index used by APM metrics + example: metrics-apm*,apm* + type: string + service: + description: The APM service name + example: o11y-app + type: string + transactionName: + description: The APM transaction name or "*" + example: GET /my/api + type: string + transactionType: + description: The APM transaction type or "*" + example: request type: string required: - - pinnedEventId - - version - Security_Timeline_API_PinnedEventCreatedAndUpdatedMetadata: - type: object - properties: - created: - description: >- - The time the pinned event was created, using a 13-digit Epoch - timestamp. - example: 1587468588922 - nullable: true - type: number - createdBy: - description: The user who created the pinned event. 
- example: casetester - nullable: true - type: string - updated: - description: >- - The last time the pinned event was updated, using a 13-digit Epoch - timestamp - example: 1741344876825 - nullable: true - type: number - updatedBy: - description: The user who last updated the pinned event - example: casetester - nullable: true + - service + - environment + - transactionType + - transactionName + - index + type: + description: The type of indicator. + example: sli.apm.transactionDuration type: string - Security_Timeline_API_QueryMatchResult: + required: + - type + - params + title: APM availability + SLOs_indicator_properties_apm_latency: + description: Defines properties for the APM latency indicator type type: object properties: - displayField: - nullable: true - type: string - displayValue: - nullable: true - type: string - field: - nullable: true - type: string - operator: - nullable: true - type: string - value: - oneOf: - - nullable: true + params: + description: An object containing the indicator parameters. 
+ nullable: false + type: object + properties: + environment: + description: The APM service environment or "*" + example: production type: string - - items: - type: string - nullable: true - type: array - Security_Timeline_API_ResolvedTimeline: - type: object - properties: - alias_purpose: - $ref: >- - #/components/schemas/Security_Timeline_API_SavedObjectResolveAliasPurpose - alias_target_id: + filter: + description: KQL query used for filtering the data + example: 'service.foo : "bar"' + type: string + index: + description: The index used by APM metrics + example: metrics-apm*,apm* + type: string + service: + description: The APM service name + example: o11y-app + type: string + threshold: + description: The latency threshold in milliseconds + example: 250 + type: number + transactionName: + description: The APM transaction name or "*" + example: GET /my/api + type: string + transactionType: + description: The APM transaction type or "*" + example: request + type: string + required: + - service + - environment + - transactionType + - transactionName + - index + - threshold + type: + description: The type of indicator. 
+ example: sli.apm.transactionDuration type: string - outcome: - $ref: '#/components/schemas/Security_Timeline_API_SavedObjectResolveOutcome' - timeline: - $ref: >- - #/components/schemas/Security_Timeline_API_TimelineSavedToReturnObject - required: - - timeline - - outcome - Security_Timeline_API_ResponseNote: - type: object - properties: - note: - $ref: '#/components/schemas/Security_Timeline_API_Note' required: - - note - Security_Timeline_API_RowRendererId: - description: Identifies the available row renderers - enum: - - alert - - alerts - - auditd - - auditd_file - - library - - netflow - - plain - - registry - - suricata - - system - - system_dns - - system_endgame_process - - system_file - - system_fim - - system_security_event - - system_socket - - threat_match - - zeek - type: string - Security_Timeline_API_SavedObjectIds: - description: One Timeline saved object ID or an array of IDs. - oneOf: - - items: - type: string - type: array - - type: string - Security_Timeline_API_SavedObjectResolveAliasPurpose: - enum: - - savedObjectConversion - - savedObjectImport - type: string - Security_Timeline_API_SavedObjectResolveOutcome: - enum: - - exactMatch - - aliasMatch - - conflict - type: string - Security_Timeline_API_SavedTimeline: + - type + - params + title: APM latency + SLOs_indicator_properties_custom_kql: + description: Defines properties for a custom query indicator type type: object properties: - columns: - description: The Timeline's columns - example: - - columnHeaderType: not-filtered - id: '@timestamp' - - columnHeaderType: not-filtered - id: event.category - items: - $ref: '#/components/schemas/Security_Timeline_API_ColumnHeaderResult' - nullable: true - type: array - created: - description: The time the Timeline was created, using a 13-digit Epoch timestamp. - example: 1587468588922 - nullable: true - type: number - createdBy: - description: The user who created the Timeline. 
- example: casetester - nullable: true - type: string - dataProviders: - description: Object containing query clauses - example: - - enabled: true - excluded: false - id: >- - id-d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b - name: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b - queryMatch: - field: _id, - operator: ':' - value: >- - d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b, - items: - $ref: '#/components/schemas/Security_Timeline_API_DataProviderResult' - nullable: true - type: array - dataViewId: - description: ID of the Timeline's Data View - example: security-solution-default - nullable: true - type: string - dateRange: - description: The Timeline's search period. - example: - end: 1587456479201 - start: 1587370079200 - nullable: true + params: + description: An object containing the indicator parameters. + nullable: false type: object properties: - end: - oneOf: - - nullable: true - type: string - - nullable: true - type: number - start: - oneOf: - - nullable: true - type: string - - nullable: true - type: number - description: - description: The Timeline's description - example: Investigating exposure of CVE XYZ - nullable: true + dataViewId: + description: The kibana data view id to use, primarily used to include data view runtime mappings. Make sure to save SLO again if you add/update run time fields to the data view and if those fields are being used in slo queries. + example: 03b80ab3-003d-498b-881c-3beedbaf1162 + type: string + filter: + $ref: '#/components/schemas/SLOs_kql_with_filters' + good: + $ref: '#/components/schemas/SLOs_kql_with_filters_good' + index: + description: The index or index pattern to use + example: my-service-* + type: string + timestampField: + description: | + The timestamp field used in the source indice. 
+ example: timestamp + type: string + total: + $ref: '#/components/schemas/SLOs_kql_with_filters_total' + required: + - index + - timestampField + - good + - total + type: + description: The type of indicator. + example: sli.kql.custom type: string - eqlOptions: - description: EQL query that is used in the correlation tab - example: - eventCategoryField: event.category - query: sequence\n[process where process.name == "sudo"]\n[any where true] - size: 100 - timestampField: '@timestamp' - nullable: true + required: + - type + - params + title: Custom Query + SLOs_indicator_properties_custom_metric: + description: Defines properties for a custom metric indicator type + type: object + properties: + params: + description: An object containing the indicator parameters. + nullable: false type: object properties: - eventCategoryField: - nullable: true + dataViewId: + description: The kibana data view id to use, primarily used to include data view runtime mappings. Make sure to save SLO again if you add/update run time fields to the data view and if those fields are being used in slo queries. + example: 03b80ab3-003d-498b-881c-3beedbaf1162 type: string - query: - nullable: true + filter: + description: the KQL query to filter the documents with. + example: 'field.environment : "production" and service.name : "my-service"' type: string - size: - oneOf: - - nullable: true + good: + description: | + An object defining the "good" metrics and equation + type: object + properties: + equation: + description: The equation to calculate the "good" metric. + example: A type: string - - nullable: true - type: number - tiebreakerField: - nullable: true + metrics: + description: List of metrics with their name, aggregation type, and field. + items: + oneOf: + - type: object + properties: + aggregation: + description: The aggregation type of the metric. + enum: + - sum + example: sum + type: string + field: + description: The field of the metric. 
+ example: processor.processed + type: string + filter: + description: The filter to apply to the metric. + example: 'processor.outcome: *' + type: string + name: + description: The name of the metric. Only valid options are A-Z + example: A + pattern: ^[A-Z]$ + type: string + required: + - name + - aggregation + - field + - type: object + properties: + aggregation: + description: The aggregation type of the metric. + enum: + - doc_count + example: doc_count + type: string + filter: + description: The filter to apply to the metric. + example: 'processor.outcome: *' + type: string + name: + description: The name of the metric. Only valid options are A-Z + example: A + pattern: ^[A-Z]$ + type: string + required: + - name + - aggregation + type: array + required: + - metrics + - equation + index: + description: The index or index pattern to use + example: my-service-* type: string timestampField: - nullable: true + description: | + The timestamp field used in the source indice. + example: timestamp type: string - eventType: - deprecated: true - description: Event types displayed in the Timeline - example: all - nullable: true - type: string - excludedRowRendererIds: - description: >- - A list of row renderers that should not be used when in `Event - renderers` mode - items: - $ref: '#/components/schemas/Security_Timeline_API_RowRendererId' - nullable: true - type: array - favorite: - items: - $ref: '#/components/schemas/Security_Timeline_API_FavoriteTimelineResult' - nullable: true - type: array - filters: - description: A list of filters that should be applied to the query - items: - $ref: '#/components/schemas/Security_Timeline_API_FilterTimelineResult' - nullable: true - type: array - indexNames: - description: >- - A list of index names to use in the query (e.g. 
when the default - data view has been modified) - example: - - .logs* - items: - type: string - nullable: true - type: array - kqlMode: - description: >- - Indicates whether the KQL bar filters the query results or searches - for additional results, where: - * `filter`: filters query results - * `search`: displays additional search results - example: search - nullable: true - type: string - kqlQuery: - $ref: >- - #/components/schemas/Security_Timeline_API_SerializedFilterQueryResult - nullable: true - savedQueryId: - description: The ID of the saved query that might be used in the Query tab - example: c7b16904-02d7-4f32-b8f2-cc20f9625d6e - nullable: true - type: string - savedSearchId: - description: The ID of the saved search that is used in the ES|QL tab - example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 - nullable: true - type: string - sort: - $ref: '#/components/schemas/Security_Timeline_API_Sort' - nullable: true - status: - $ref: '#/components/schemas/Security_Timeline_API_TimelineStatus' - nullable: true - templateTimelineId: - description: >- - A unique ID (UUID) for Timeline templates. For Timelines, the value - is `null`. - example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 - nullable: true - type: string - templateTimelineVersion: - description: >- - Timeline template version number. For Timelines, the value is - `null`. - example: 12 - nullable: true - type: number - timelineType: - $ref: '#/components/schemas/Security_Timeline_API_TimelineType' - nullable: true - title: - description: The Timeline's title. 
- example: CVE XYZ investigation - nullable: true - type: string - updated: - description: >- - The last time the Timeline was updated, using a 13-digit Epoch - timestamp - example: 1741344876825 - nullable: true - type: number - updatedBy: - description: The user who last updated the Timeline - example: casetester - nullable: true + total: + description: | + An object defining the "total" metrics and equation + type: object + properties: + equation: + description: The equation to calculate the "total" metric. + example: A + type: string + metrics: + description: List of metrics with their name, aggregation type, and field. + items: + oneOf: + - type: object + properties: + aggregation: + description: The aggregation type of the metric. + enum: + - sum + example: sum + type: string + field: + description: The field of the metric. + example: processor.processed + type: string + filter: + description: The filter to apply to the metric. + example: 'processor.outcome: *' + type: string + name: + description: The name of the metric. Only valid options are A-Z + example: A + pattern: ^[A-Z]$ + type: string + required: + - name + - aggregation + - field + - type: object + properties: + aggregation: + description: The aggregation type of the metric. + enum: + - doc_count + example: doc_count + type: string + filter: + description: The filter to apply to the metric. + example: 'processor.outcome: *' + type: string + name: + description: The name of the metric. Only valid options are A-Z + example: A + pattern: ^[A-Z]$ + type: string + required: + - name + - aggregation + type: array + required: + - metrics + - equation + required: + - index + - timestampField + - good + - total + type: + description: The type of indicator. 
+ example: sli.metric.custom type: string - Security_Timeline_API_SavedTimelineWithSavedObjectId: - allOf: - - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' - - type: object + required: + - type + - params + title: Custom metric + SLOs_indicator_properties_histogram: + description: Defines properties for a histogram indicator type + type: object + properties: + params: + description: An object containing the indicator parameters. + nullable: false + type: object properties: - savedObjectId: - description: The `savedObjectId` of the Timeline or Timeline template - example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + dataViewId: + description: The kibana data view id to use, primarily used to include data view runtime mappings. Make sure to save SLO again if you add/update run time fields to the data view and if those fields are being used in slo queries. + example: 03b80ab3-003d-498b-881c-3beedbaf1162 type: string - version: - description: The version of the Timeline or Timeline template - example: WzE0LDFd + filter: + description: the KQL query to filter the documents with. + example: 'field.environment : "production" and service.name : "my-service"' + type: string + good: + description: | + An object defining the "good" events + type: object + properties: + aggregation: + description: The type of aggregation to use. + enum: + - value_count + - range + example: value_count + type: string + field: + description: The field use to aggregate the good events. + example: processor.latency + type: string + filter: + description: The filter for good events. + example: 'processor.outcome: "success"' + type: string + from: + description: The starting value of the range. Only required for "range" aggregations. + example: 0 + type: number + to: + description: The ending value of the range. Only required for "range" aggregations. 
+ example: 100 + type: number + required: + - aggregation + - field + index: + description: The index or index pattern to use + example: my-service-* + type: string + timestampField: + description: | + The timestamp field used in the source indice. + example: timestamp type: string + total: + description: | + An object defining the "total" events + type: object + properties: + aggregation: + description: The type of aggregation to use. + enum: + - value_count + - range + example: value_count + type: string + field: + description: The field use to aggregate the good events. + example: processor.latency + type: string + filter: + description: The filter for total events. + example: 'processor.outcome : *' + type: string + from: + description: The starting value of the range. Only required for "range" aggregations. + example: 0 + type: number + to: + description: The ending value of the range. Only required for "range" aggregations. + example: 100 + type: number + required: + - aggregation + - field required: - - savedObjectId - - version - Security_Timeline_API_SerializedFilterQueryResult: - description: KQL bar query. - example: - filterQuery: null - kuery: - expression: '_id : *' - kind: kuery - serializedQuery: >- - {"bool":{"should":[{"exists":{"field":"_id"}}],"minimum_should_match":1}} + - index + - timestampField + - good + - total + type: + description: The type of indicator. + example: sli.histogram.custom + type: string + required: + - type + - params + title: Histogram indicator + SLOs_indicator_properties_timeslice_metric: + description: Defines properties for a timeslice metric indicator type type: object properties: - filterQuery: - nullable: true + params: + description: An object containing the indicator parameters. + nullable: false type: object properties: - kuery: - nullable: true + dataViewId: + description: The kibana data view id to use, primarily used to include data view runtime mappings. 
Make sure to save SLO again if you add/update run time fields to the data view and if those fields are being used in slo queries. + example: 03b80ab3-003d-498b-881c-3beedbaf1162 + type: string + filter: + description: the KQL query to filter the documents with. + example: 'field.environment : "production" and service.name : "my-service"' + type: string + index: + description: The index or index pattern to use + example: my-service-* + type: string + metric: + description: | + An object defining the metrics, equation, and threshold to determine if it's a good slice or not type: object properties: - expression: - nullable: true + comparator: + description: The comparator to use to compare the equation to the threshold. + enum: + - GT + - GTE + - LT + - LTE + example: GT type: string - kind: - nullable: true + equation: + description: The equation to calculate the metric. + example: A type: string - serializedQuery: - nullable: true + metrics: + description: List of metrics with their name, aggregation type, and field. 
+ items: + anyOf: + - $ref: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field' + - $ref: '#/components/schemas/SLOs_timeslice_metric_percentile_metric' + - $ref: '#/components/schemas/SLOs_timeslice_metric_doc_count_metric' + discriminator: + mapping: + avg: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field' + cardinality: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field' + doc_count: '#/components/schemas/SLOs_timeslice_metric_doc_count_metric' + last_value: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field' + max: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field' + min: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field' + percentile: '#/components/schemas/SLOs_timeslice_metric_percentile_metric' + std_deviation: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field' + sum: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field' + propertyName: aggregation + type: array + threshold: + description: The threshold used to determine if the metric is a good slice or not. + example: 100 + type: number + required: + - metrics + - equation + - comparator + - threshold + timestampField: + description: | + The timestamp field used in the source indice. + example: timestamp type: string - Security_Timeline_API_Sort: - oneOf: - - $ref: '#/components/schemas/Security_Timeline_API_SortObject' - - items: - $ref: '#/components/schemas/Security_Timeline_API_SortObject' - type: array - Security_Timeline_API_SortFieldTimeline: - description: The field to sort the timelines by. 
- enum: - - title - - description - - updated - - created - type: string - Security_Timeline_API_SortObject: - description: Object indicating how rows are sorted in the Timeline's grid - example: - columnId: '@timestamp' - sortDirection: desc - type: object - properties: - columnId: - nullable: true - type: string - columnType: - nullable: true + required: + - index + - timestampField + - metric + type: + description: The type of indicator. + example: sli.metric.timeslice type: string - sortDirection: - nullable: true + required: + - type + - params + title: Timeslice metric + SLOs_kql_with_filters: + description: Defines properties for a filter + oneOf: + - description: the KQL query to filter the documents with. + example: 'field.environment : "production" and service.name : "my-service"' type: string - Security_Timeline_API_TimelineResponse: - allOf: - - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' - - $ref: >- - #/components/schemas/Security_Timeline_API_SavedTimelineWithSavedObjectId - type: object properties: - eventIdToNoteIds: - description: A list of all the notes that are associated to this Timeline. - items: - $ref: '#/components/schemas/Security_Timeline_API_Note' - nullable: true - type: array - noteIds: - description: >- - A list of all the ids of notes that are associated to this - Timeline. - example: - - 709f99c6-89b6-4953-9160-35945c8e174e - items: - type: string - nullable: true - type: array - notes: - description: A list of all the notes that are associated to this Timeline. - items: - $ref: '#/components/schemas/Security_Timeline_API_Note' - nullable: true - type: array - pinnedEventIds: - description: >- - A list of all the ids of pinned events that are associated to - this Timeline. - example: - - 983f99c6-89b6-4953-9160-35945c8a194f - items: - type: string - nullable: true - type: array - pinnedEventsSaveObject: - description: >- - A list of all the pinned events that are associated to this - Timeline. 
+ filters: items: - $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent' - nullable: true + $ref: '#/components/schemas/SLOs_filter' type: array - Security_Timeline_API_TimelineSavedToReturnObject: - allOf: - - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' + kqlQuery: + type: string + title: KQL with filters + SLOs_kql_with_filters_good: + description: The KQL query used to define the good events. + oneOf: + - description: the KQL query to filter the documents with. + example: 'request.latency <= 150 and request.status_code : "2xx"' + type: string - type: object properties: - eventIdToNoteIds: - items: - $ref: '#/components/schemas/Security_Timeline_API_Note' - nullable: true - type: array - noteIds: - items: - type: string - nullable: true - type: array - notes: - items: - $ref: '#/components/schemas/Security_Timeline_API_Note' - nullable: true - type: array - pinnedEventIds: + filters: items: - type: string - nullable: true + $ref: '#/components/schemas/SLOs_filter' type: array - pinnedEventsSaveObject: + kqlQuery: + type: string + title: KQL query for good events + SLOs_kql_with_filters_total: + description: The KQL query used to define all events. + oneOf: + - description: the KQL query to filter the documents with. + example: 'field.environment : "production" and service.name : "my-service"' + type: string + - type: object + properties: + filters: items: - $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent' - nullable: true + $ref: '#/components/schemas/SLOs_filter' type: array - savedObjectId: - type: string - version: + kqlQuery: type: string - required: - - savedObjectId - - version - Security_Timeline_API_TimelineStatus: - description: The status of the Timeline. - enum: - - active - - draft - - immutable - type: string - Security_Timeline_API_TimelineType: - description: The type of Timeline. 
- enum: - - default - - template - type: string - SLOs_400_response: - title: Bad request + title: KQL query for all events + SLOs_objective: + description: Defines properties for the SLO objective type: object properties: - error: - example: Bad Request - type: string - message: - example: 'Invalid value ''foo'' supplied to: [...]' - type: string - statusCode: - example: 400 + target: + description: the target objective between 0 and 1 excluded + example: 0.99 + exclusiveMaximum: true + exclusiveMinimum: true + maximum: 100 + minimum: 0 + type: number + timesliceTarget: + description: the target objective for each slice when using a timeslices budgeting method + example: 0.995 + maximum: 100 + minimum: 0 type: number + timesliceWindow: + description: the duration of each slice when using a timeslices budgeting method, as {duraton}{unit} + example: 5m + type: string required: - - statusCode - - error - - message - SLOs_401_response: - title: Unauthorized - type: object + - target + title: Objective + SLOs_settings: + description: Defines properties for SLO settings. properties: - error: - example: Unauthorized + frequency: + default: 1m + description: The interval between checks for changes in the source data. The minimum value is 1m and the maximum is 59m. The default value is 1 minute. + example: 5m type: string - message: - example: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastics] for REST request [/_security/_authenticate]]: unable to authenticate user [elastics] for REST request [/_security/_authenticate]" + preventInitialBackfill: + default: false + description: Start aggregating data from the time the SLO is created, instead of backfilling data from the beginning of the time window. + example: true + type: boolean + syncDelay: + default: 1m + description: The time delay in minutes between the current time and the latest source data time. Increasing the value will delay any alerting. 
The default value is 1 minute. The minimum value is 1m and the maximum is 359m. It should always be greater then source index refresh interval. + example: 5m type: string - statusCode: - example: 401 - type: number - required: - - statusCode - - error - - message - SLOs_403_response: - title: Forbidden + syncField: + description: The date field that is used to identify new documents in the source. It is strongly recommended to use a field that contains the ingest timestamp. If you use a different field, you might need to set the delay such that it accounts for data transmission delays. When unspecified, we use the indicator timestamp field. + example: event.ingested + type: string + title: Settings + type: object + SLOs_slo_definition_response: + title: SLO definition response type: object properties: - error: - example: Forbidden + artifacts: + $ref: '#/components/schemas/SLOs_artifacts' + budgetingMethod: + $ref: '#/components/schemas/SLOs_budgeting_method' + createdAt: + description: The creation date + example: '2023-01-12T10:03:19.000Z' type: string - message: - example: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: action [slo_write] is unauthorized for user [limited_user] for REST request [/api/observability/slos]]: action [slo_write] is unauthorized for user [limited_user]" + description: + description: The description of the SLO. + example: My SLO description type: string - statusCode: - example: 403 - type: number - required: - - statusCode - - error - - message - SLOs_404_response: - title: Not found - type: object - properties: - error: - example: Not Found + enabled: + description: Indicate if the SLO is enabled + example: true + type: boolean + groupBy: + $ref: '#/components/schemas/SLOs_group_by' + id: + description: The identifier of the SLO. 
+ example: 8853df00-ae2e-11ed-90af-09bb6422b258 type: string - message: - example: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found + indicator: + discriminator: + mapping: + sli.apm.transactionDuration: '#/components/schemas/SLOs_indicator_properties_apm_latency' + sli.apm.transactionErrorRate: '#/components/schemas/SLOs_indicator_properties_apm_availability' + sli.histogram.custom: '#/components/schemas/SLOs_indicator_properties_histogram' + sli.kql.custom: '#/components/schemas/SLOs_indicator_properties_custom_kql' + sli.metric.custom: '#/components/schemas/SLOs_indicator_properties_custom_metric' + sli.metric.timeslice: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' + propertyName: type + oneOf: + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' + - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' + - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' + name: + description: The name of the SLO. 
+ example: My Service SLO type: string - statusCode: - example: 404 + objective: + $ref: '#/components/schemas/SLOs_objective' + revision: + description: The SLO revision + example: 2 + type: number + settings: + $ref: '#/components/schemas/SLOs_settings' + tags: + description: List of tags + items: + type: string + type: array + timeWindow: + $ref: '#/components/schemas/SLOs_time_window' + updatedAt: + description: The last update date + example: '2023-01-12T10:03:19.000Z' + type: string + version: + description: The internal SLO version + example: 2 type: number required: - - statusCode - - error - - message - SLOs_409_response: - title: Conflict + - id + - name + - description + - indicator + - timeWindow + - budgetingMethod + - objective + - settings + - revision + - enabled + - groupBy + - tags + - createdAt + - updatedAt + - version + SLOs_slo_with_summary_response: + title: SLO response type: object properties: - error: - example: Conflict + budgetingMethod: + $ref: '#/components/schemas/SLOs_budgeting_method' + createdAt: + description: The creation date + example: '2023-01-12T10:03:19.000Z' type: string - message: - example: SLO [d077e940-1515-11ee-9c50-9d096392f520] already exists + description: + description: The description of the SLO. + example: My SLO description type: string - statusCode: - example: 409 + enabled: + description: Indicate if the SLO is enabled + example: true + type: boolean + groupBy: + $ref: '#/components/schemas/SLOs_group_by' + id: + description: The identifier of the SLO. 
+ example: 8853df00-ae2e-11ed-90af-09bb6422b258 + type: string + indicator: + discriminator: + mapping: + sli.apm.transactionDuration: '#/components/schemas/SLOs_indicator_properties_apm_latency' + sli.apm.transactionErrorRate: '#/components/schemas/SLOs_indicator_properties_apm_availability' + sli.histogram.custom: '#/components/schemas/SLOs_indicator_properties_histogram' + sli.kql.custom: '#/components/schemas/SLOs_indicator_properties_custom_kql' + sli.metric.custom: '#/components/schemas/SLOs_indicator_properties_custom_metric' + sli.metric.timeslice: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' + propertyName: type + oneOf: + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' + - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' + - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' + instanceId: + description: the value derived from the groupBy field, if present, otherwise '*' + example: host-abcde + type: string + name: + description: The name of the SLO. 
+ example: My Service SLO + type: string + objective: + $ref: '#/components/schemas/SLOs_objective' + revision: + description: The SLO revision + example: 2 type: number - required: - - statusCode - - error - - message - SLOs_artifacts: - description: Links to related assets for the SLO - properties: - dashboards: - description: Array of dashboard references + settings: + $ref: '#/components/schemas/SLOs_settings' + summary: + $ref: '#/components/schemas/SLOs_summary' + tags: + description: List of tags items: - type: object - properties: - id: - description: Dashboard saved-object id - type: string - required: - - id + type: string type: array - title: Artifacts + timeWindow: + $ref: '#/components/schemas/SLOs_time_window' + updatedAt: + description: The last update date + example: '2023-01-12T10:03:19.000Z' + type: string + version: + description: The internal SLO version + example: 2 + type: number + required: + - id + - name + - description + - indicator + - timeWindow + - budgetingMethod + - objective + - settings + - revision + - summary + - enabled + - groupBy + - instanceId + - tags + - createdAt + - updatedAt + - version + SLOs_summary: + description: The SLO computed data + properties: + errorBudget: + $ref: '#/components/schemas/SLOs_error_budget' + sliValue: + example: 0.9836 + type: number + status: + $ref: '#/components/schemas/SLOs_summary_status' + required: + - status + - sliValue + - errorBudget + title: Summary type: object - SLOs_budgeting_method: - description: The budgeting method to use when computing the rollup data. + SLOs_summary_status: enum: - - occurrences - - timeslices - example: occurrences - title: Budgeting method + - NO_DATA + - HEALTHY + - DEGRADING + - VIOLATED + example: HEALTHY + title: summary status type: string - SLOs_bulk_delete_request: - description: > - The bulk delete SLO request takes a list of SLOs Definition id to - delete. 
+ SLOs_time_window: + description: Defines properties for the SLO time window + type: object properties: - list: - description: An array of SLO Definition id - items: - description: The SLO Definition id - example: 8853df00-ae2e-11ed-90af-09bb6422b258 - type: string - type: array + duration: + description: 'the duration formatted as {duration}{unit}. Accepted values for rolling: 7d, 30d, 90d. Accepted values for calendar aligned: 1w (weekly) or 1M (monthly)' + example: 30d + type: string + type: + description: Indicates weither the time window is a rolling or a calendar aligned time window. + enum: + - rolling + - calendarAligned + example: rolling + type: string required: - - list - title: Bulk delete SLO request + - duration + - type + title: Time window + SLOs_timeslice_metric_basic_metric_with_field: + type: object + properties: + aggregation: + description: The aggregation type of the metric. + enum: + - sum + - avg + - min + - max + - std_deviation + - last_value + - cardinality + example: sum + type: string + field: + description: The field of the metric. + example: processor.processed + type: string + filter: + description: The filter to apply to the metric. + example: 'processor.outcome: "success"' + type: string + name: + description: The name of the metric. Only valid options are A-Z + example: A + pattern: ^[A-Z]$ + type: string + required: + - name + - aggregation + - field + title: Timeslice Metric Basic Metric with Field + SLOs_timeslice_metric_doc_count_metric: type: object - SLOs_bulk_delete_response: - description: > - The bulk delete SLO response returns a taskId that can be used to poll - for its status properties: - taskId: - description: The taskId of the bulk delete operation - example: d08506b7-f0e8-4f8b-a06a-a83940f4db91 + aggregation: + description: The aggregation type of the metric. 
Only valid option is "doc_count" + enum: + - doc_count + example: doc_count type: string - title: Bulk delete SLO response - type: object - SLOs_bulk_delete_status_response: - description: >- - Indicates if the bulk deletion is completed, with the detailed results - of the operation. - properties: - error: - description: The error message if the bulk deletion operation failed - example: Task not found + filter: + description: The filter to apply to the metric. + example: 'processor.outcome: "success"' + type: string + name: + description: The name of the metric. Only valid options are A-Z + example: A + pattern: ^[A-Z]$ type: string - isDone: - description: Indicates if the bulk deletion operation is completed - example: true - type: boolean - results: - description: >- - The results of the bulk deletion operation, including the success - status and any errors for each SLO - items: - type: object - properties: - error: - description: >- - The error message if the deletion operation failed for this - SLO - example: SLO [d08506b7-f0e8-4f8b-a06a-a83940f4db91] not found - type: string - id: - description: The ID of the SLO that was deleted - example: d08506b7-f0e8-4f8b-a06a-a83940f4db91 - type: string - success: - description: The result of the deletion operation for this SLO - example: true - type: boolean - type: array - title: The status of the bulk deletion - type: object - SLOs_bulk_purge_rollup_request: - description: > - The bulk purge rollup data request takes a list of SLO ids and a purge - policy, then deletes the rollup data according to the purge policy. This - API can be used to remove the staled data of an instance SLO that no - longer get updated. 
- properties: - list: - description: An array of slo ids - items: - description: The SLO Definition id - example: 8853df00-ae2e-11ed-90af-09bb6422b258 - type: string - type: array - purgePolicy: - description: Policy that dictates which SLI documents to purge based on age - oneOf: - - type: object - properties: - age: - description: >- - The duration to determine which documents to purge, - formatted as {duration}{unit}. This value should be greater - than or equal to the time window of every SLO provided. - example: 7d - type: string - purgeType: - description: >- - Specifies whether documents will be purged based on a - specific age or on a timestamp - enum: - - fixed-age - type: string - - type: object - properties: - purgeType: - description: >- - Specifies whether documents will be purged based on a - specific age or on a timestamp - enum: - - fixed-time - type: string - timestamp: - description: >- - The timestamp to determine which documents to purge, - formatted in ISO. This value should be older than the - applicable time window of every SLO provided. - example: '2024-12-31T00:00:00.000Z' - type: string - type: object required: - - list - - purgePolicy - title: Bulk Purge Rollup data request + - name + - aggregation + title: Timeslice Metric Doc Count Metric + SLOs_timeslice_metric_percentile_metric: type: object - SLOs_bulk_purge_rollup_response: - description: > - The bulk purge rollup data response returns a task id from the - elasticsearch deleteByQuery response. properties: - taskId: - description: The task id of the purge operation - example: 8853df00-ae2e-11ed-90af-09bb6422b258 + aggregation: + description: The aggregation type of the metric. Only valid option is "percentile" + enum: + - percentile + example: percentile type: string - title: Bulk Purge Rollup data response - type: object - SLOs_create_slo_request: - description: > - The create SLO API request body varies depending on the type of - indicator, time window and budgeting method. 
+ field: + description: The field of the metric. + example: processor.processed + type: string + filter: + description: The filter to apply to the metric. + example: 'processor.outcome: "success"' + type: string + name: + description: The name of the metric. Only valid options are A-Z + example: A + pattern: ^[A-Z]$ + type: string + percentile: + description: The percentile value. + example: 95 + type: number + required: + - name + - aggregation + - field + - percentile + title: Timeslice Metric Percentile Metric + SLOs_update_slo_request: + description: | + The update SLO API request body varies depending on the type of indicator, time window and budgeting method. Partial update is handled. properties: artifacts: $ref: '#/components/schemas/SLOs_artifacts' @@ -72047,12 +124651,6 @@ components: type: string groupBy: $ref: '#/components/schemas/SLOs_group_by' - id: - description: >- - A optional and unique identifier for the SLO. Must be between 8 and - 36 chars - example: my-super-slo-id - type: string indicator: oneOf: - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' 
@@ -72075,1520 +124673,1949 @@ components: type: array timeWindow: $ref: '#/components/schemas/SLOs_time_window' - required: - - name - - description - - indicator - - timeWindow - - budgetingMethod - - objective - title: Create SLO request + title: Update SLO request type: object - SLOs_create_slo_response: - title: Create SLO response + Task_manager_health_Serverless_APIs_configuration: + description: | + This object summarizes the current configuration of Task Manager. This includes dynamic configurations that change over time, such as `poll_interval` and `max_workers`, which can adjust in reaction to changing load on the system. + type: object + Task_manager_health_Serverless_APIs_health_response_serverless: + title: Task health response properties type: object properties: id: - example: 8853df00-ae2e-11ed-90af-09bb6422b258 type: string + last_update: + type: string + stats: + type: object + properties: + configuration: + $ref: '#/components/schemas/Task_manager_health_Serverless_APIs_configuration' + workload: + $ref: '#/components/schemas/Task_manager_health_Serverless_APIs_workload' + status: + type: string + timestamp: + type: string + Task_manager_health_Serverless_APIs_workload: + description: | + This object summarizes the work load across the cluster, including the tasks in the system, their types, and current status. + type: object + bedrock_config: + title: Connector request properties for an Amazon Bedrock connector + description: Defines properties for connectors when type is `.bedrock`. + type: object required: - - id - SLOs_delete_slo_instances_request: - description: > - The delete SLO instances request takes a list of SLO id and instance id, - then delete the rollup and summary data. This API can be used to remove - the staled data of an instance SLO that no longer get updated. 
+ - apiUrl properties: - list: - description: An array of slo id and instance id - items: - type: object - properties: - instanceId: - description: The SLO instance identifier - example: 8853df00-ae2e-11ed-90af-09bb6422b258 - type: string - sloId: - description: The SLO unique identifier - example: 8853df00-ae2e-11ed-90af-09bb6422b258 - type: string - required: - - sloId - - instanceId - type: array + apiUrl: + type: string + description: The Amazon Bedrock request URL. + region: + type: string + description: | + Optional AWS region for request signing. Required when using a custom endpoint URL that does not include the region in the hostname (for example, `us-west-1`). + defaultModel: + type: string + description: | + The generative artificial intelligence model for Amazon Bedrock to use. Current support is for the Anthropic Claude models. + default: us.anthropic.claude-sonnet-4-5-20250929-v1:0 + crowdstrike_config: + title: Connector request config properties for a Crowdstrike connector required: - - list - title: Delete SLO instances request - type: object - SLOs_error_budget: - title: Error budget + - url + description: Defines config properties for connectors when type is `.crowdstrike`. type: object properties: - consumed: - description: The error budget consummed, as a percentage of the initial value. - example: 0.8 - type: number - initial: - description: The initial error budget, as 1 - objective - example: 0.02 - type: number - isEstimated: - description: >- - Only for SLO defined with occurrences budgeting method and calendar - aligned time window. - example: true - type: boolean - remaining: - description: The error budget remaining, as a percentage of the initial value. - example: 0.2 - type: number + url: + description: | + The CrowdStrike tenant URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. 
+ type: string + d3security_config: + title: Connector request properties for a D3 Security connector + description: Defines properties for connectors when type is `.d3security`. + type: object required: - - initial - - consumed - - remaining - - isEstimated - SLOs_filter: - description: Defines properties for a filter + - url properties: - meta: - $ref: '#/components/schemas/SLOs_filter_meta' - query: - type: object - title: Filter + url: + type: string + description: | + The D3 Security API request URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. + email_config: + title: Connector request properties for an email connector + description: Defines properties for connectors when type is `.email`. + required: + - from type: object - SLOs_filter_meta: - description: Defines properties for a filter properties: - alias: + clientId: + description: | + The client identifier, which is a part of OAuth 2.0 client credentials authentication, in GUID format. If `service` is `exchange_server`, this property is required. + type: string nullable: true + from: + description: | + The from address for all emails sent by the connector. It must be specified in `user@host-name` format. type: string - controlledBy: + hasAuth: + description: | + Specifies whether a user and password are required inside the secrets configuration. + default: true + type: boolean + host: + description: | + The host name of the service provider. If the `service` is `elastic_cloud` (for Elastic Cloud notifications) or one of Nodemailer's well-known email service providers, this property is ignored. If `service` is `other`, this property must be defined. type: string - disabled: + oauthTokenUrl: + type: string + nullable: true + port: + description: | + The port to connect to on the service provider. If the `service` is `elastic_cloud` (for Elastic Cloud notifications) or one of Nodemailer's well-known email service providers, this property is ignored. 
If `service` is `other`, this property must be defined. + type: integer + secure: + description: | + Specifies whether the connection to the service provider will use TLS. If the `service` is `elastic_cloud` (for Elastic Cloud notifications) or one of Nodemailer's well-known email service providers, this property is ignored. type: boolean - field: + service: + description: | + The name of the email service. type: string - group: + enum: + - elastic_cloud + - exchange_server + - gmail + - other + - outlook365 + - ses + tenantId: + description: | + The tenant identifier, which is part of OAuth 2.0 client credentials authentication, in GUID format. If `service` is `exchange_server`, this property is required. type: string - index: + nullable: true + gemini_config: + title: Connector request properties for an Google Gemini connector + description: Defines properties for connectors when type is `.gemini`. + type: object + required: + - apiUrl + - gcpRegion + - gcpProjectID + properties: + apiUrl: type: string - isMultiIndex: - type: boolean - key: + description: The Google Gemini request URL. + defaultModel: type: string - negate: + description: The generative artificial intelligence model for Google Gemini to use. + default: gemini-2.5-pro + gcpRegion: + type: string + description: The GCP region where the Vertex AI endpoint enabled. + gcpProjectID: + type: string + description: The Google ProjectID that has Vertex AI endpoint enabled. + resilient_config: + title: Connector request properties for a IBM Resilient connector + required: + - apiUrl + - orgId + description: Defines properties for connectors when type is `.resilient`. + type: object + properties: + apiUrl: + description: The IBM Resilient instance URL. + type: string + orgId: + description: The IBM Resilient organization ID. + type: string + index_config: + title: Connector request properties for an index connector + required: + - index + description: Defines properties for connectors when type is `.index`. 
+ type: object + properties: + executionTimeField: + description: A field that indicates when the document was indexed. + default: null + type: string + nullable: true + index: + description: The Elasticsearch index to be written to. + type: string + refresh: + description: | + The refresh policy for the write request, which affects when changes are made visible to search. Refer to the refresh setting for Elasticsearch document APIs. + default: false type: boolean - params: - type: object - type: + jira_config: + title: Connector request properties for a Jira connector + required: + - apiUrl + - projectKey + description: Defines properties for connectors when type is `.jira`. + type: object + properties: + apiUrl: + description: The Jira instance URL. type: string - value: + projectKey: + description: The Jira project key. type: string - title: FilterMeta + defender_config: + title: Connector request properties for a Microsoft Defender for Endpoint connector + required: + - apiUrl + - projectKey + description: Defines properties for connectors when type is `.microsoft_defender_endpoint`. type: object - SLOs_find_slo_definitions_response: + properties: + apiUrl: + type: string + description: | + The URL of the Microsoft Defender for Endpoint API. If you are using the `xpack.actions.allowedHosts` setting, make sure the hostname is added to the allowed hosts. + clientId: + type: string + description: The application (client) identifier for your app in the Azure portal. + oAuthScope: + type: string + description: The OAuth scopes or permission sets for the Microsoft Defender for Endpoint API. + oAuthServerUrl: + type: string + description: The OAuth server URL where authentication is sent and received for the Microsoft Defender for Endpoint API. + tenantId: + description: The tenant identifier for your app in the Azure portal. 
+ type: string + genai_azure_config: + title: Connector request properties for an OpenAI connector that uses Azure OpenAI description: | - A paginated response of SLO definitions matching the query. - oneOf: - - type: object - properties: - page: - example: 1 - type: number - perPage: - example: 25 - type: number - results: - items: - $ref: '#/components/schemas/SLOs_slo_with_summary_response' - type: array - total: - example: 34 - type: number - - type: object - properties: - page: - default: 1 - description: for backward compability - type: number - perPage: - description: for backward compability - example: 25 - type: number - results: - items: - $ref: '#/components/schemas/SLOs_slo_with_summary_response' - type: array - searchAfter: - description: the cursor to provide to get the next paged results - example: - - some-slo-id - - other-cursor-id - items: - type: string - type: array - size: - example: 25 - type: number - total: - example: 34 - type: number - title: Find SLO definitions response + Defines properties for connectors when type is `.gen-ai` and the API provider is `Azure OpenAI`. type: object - SLOs_find_slo_response: + required: + - apiProvider + - apiUrl + properties: + apiProvider: + type: string + description: The OpenAI API provider. + enum: + - Azure OpenAI + apiUrl: + type: string + description: The OpenAI API endpoint. + genai_openai_config: + title: Connector request properties for an OpenAI connector description: | - A paginated response of SLOs matching the query. + Defines properties for connectors when type is `.gen-ai` and the API provider is `OpenAI`. 
+ type: object + required: + - apiProvider + - apiUrl properties: - page: - example: 1 - type: number - perPage: - example: 25 - type: number - results: - items: - $ref: '#/components/schemas/SLOs_slo_with_summary_response' - type: array - searchAfter: + apiProvider: type: string - size: - description: Size provided for cursor based pagination - example: 25 - type: number - total: - example: 34 - type: number - title: Find SLO response + description: The OpenAI API provider. + enum: + - OpenAI + apiUrl: + type: string + description: The OpenAI API endpoint. + defaultModel: + type: string + description: The default model to use for requests. + opsgenie_config: + title: Connector request properties for an Opsgenie connector + required: + - apiUrl + description: Defines properties for connectors when type is `.opsgenie`. type: object - SLOs_group_by: - description: >- - optional group by field or fields to use to generate an SLO per distinct - value - example: - - - service.name - - service.name - - - service.name - - service.environment - oneOf: - - type: string - - items: - type: string - type: array - title: Group by - SLOs_indicator_properties_apm_availability: - description: Defines properties for the APM availability indicator type + properties: + apiUrl: + description: | + The Opsgenie URL. For example, `https://api.opsgenie.com` or `https://api.eu.opsgenie.com`. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. + type: string + pagerduty_config: + title: Connector request properties for a PagerDuty connector + description: Defines properties for connectors when type is `.pagerduty`. type: object properties: - params: - description: An object containing the indicator parameters. 
- nullable: false - type: object - properties: - environment: - description: The APM service environment or "*" - example: production - type: string - filter: - description: KQL query used for filtering the data - example: 'service.foo : "bar"' - type: string - index: - description: The index used by APM metrics - example: metrics-apm*,apm* - type: string - service: - description: The APM service name - example: o11y-app - type: string - transactionName: - description: The APM transaction name or "*" - example: GET /my/api - type: string - transactionType: - description: The APM transaction type or "*" - example: request - type: string - required: - - service - - environment - - transactionType - - transactionName - - index - type: - description: The type of indicator. - example: sli.apm.transactionDuration + apiUrl: + description: The PagerDuty event URL. type: string + nullable: true + example: https://events.pagerduty.com/v2/enqueue + sentinelone_config: + title: Connector request properties for a SentinelOne connector required: - - type - - params - title: APM availability - SLOs_indicator_properties_apm_latency: - description: Defines properties for the APM latency indicator type + - url + description: Defines properties for connectors when type is `.sentinelone`. type: object properties: - params: - description: An object containing the indicator parameters. 
- nullable: false - type: object - properties: - environment: - description: The APM service environment or "*" - example: production - type: string - filter: - description: KQL query used for filtering the data - example: 'service.foo : "bar"' - type: string - index: - description: The index used by APM metrics - example: metrics-apm*,apm* - type: string - service: - description: The APM service name - example: o11y-app - type: string - threshold: - description: The latency threshold in milliseconds - example: 250 - type: number - transactionName: - description: The APM transaction name or "*" - example: GET /my/api - type: string - transactionType: - description: The APM transaction type or "*" - example: request - type: string - required: - - service - - environment - - transactionType - - transactionName - - index - - threshold - type: - description: The type of indicator. - example: sli.apm.transactionDuration + url: + description: | + The SentinelOne tenant URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. type: string + servicenow_config: + title: Connector request properties for a ServiceNow ITSM connector required: - - type - - params - title: APM latency - SLOs_indicator_properties_custom_kql: - description: Defines properties for a custom query indicator type + - apiUrl + description: Defines properties for connectors when type is `.servicenow`. type: object properties: - params: - description: An object containing the indicator parameters. - nullable: false - type: object - properties: - dataViewId: - description: >- - The kibana data view id to use, primarily used to include data - view runtime mappings. Make sure to save SLO again if you - add/update run time fields to the data view and if those fields - are being used in slo queries. 
- example: 03b80ab3-003d-498b-881c-3beedbaf1162 - type: string - filter: - $ref: '#/components/schemas/SLOs_kql_with_filters' - good: - $ref: '#/components/schemas/SLOs_kql_with_filters_good' - index: - description: The index or index pattern to use - example: my-service-* - type: string - timestampField: - description: | - The timestamp field used in the source indice. - example: timestamp - type: string - total: - $ref: '#/components/schemas/SLOs_kql_with_filters_total' - required: - - index - - timestampField - - good - - total - type: - description: The type of indicator. - example: sli.kql.custom + apiUrl: + type: string + description: The ServiceNow instance URL. + clientId: + description: | + The client ID assigned to your OAuth application. This property is required when `isOAuth` is `true`. + type: string + isOAuth: + description: | + The type of authentication to use. The default value is false, which means basic authentication is used instead of open authorization (OAuth). + default: false + type: boolean + jwtKeyId: + description: | + The key identifier assigned to the JWT verifier map of your OAuth application. This property is required when `isOAuth` is `true`. + type: string + userIdentifierValue: + description: | + The identifier to use for OAuth authentication. This identifier should be the user field you selected when you created an OAuth JWT API endpoint for external clients in your ServiceNow instance. For example, if the selected user field is `Email`, the user identifier should be the user's email address. This property is required when `isOAuth` is `true`. + type: string + usesTableApi: + description: | + Determines whether the connector uses the Table API or the Import Set API. This property is supported only for ServiceNow ITSM and ServiceNow SecOps connectors. NOTE: If this property is set to `false`, the Elastic application should be installed in ServiceNow. 
+ default: true + type: boolean + servicenow_itom_config: + title: Connector request properties for a ServiceNow ITOM connector + required: + - apiUrl + description: Defines properties for connectors when type is `.servicenow-itom`. + type: object + properties: + apiUrl: + type: string + description: The ServiceNow instance URL. + clientId: + description: | + The client ID assigned to your OAuth application. This property is required when `isOAuth` is `true`. + type: string + isOAuth: + description: | + The type of authentication to use. The default value is false, which means basic authentication is used instead of open authorization (OAuth). + default: false + type: boolean + jwtKeyId: + description: | + The key identifier assigned to the JWT verifier map of your OAuth application. This property is required when `isOAuth` is `true`. + type: string + userIdentifierValue: + description: | + The identifier to use for OAuth authentication. This identifier should be the user field you selected when you created an OAuth JWT API endpoint for external clients in your ServiceNow instance. For example, if the selected user field is `Email`, the user identifier should be the user's email address. This property is required when `isOAuth` is `true`. type: string + slack_api_config: + title: Connector request properties for a Slack connector + description: Defines properties for connectors when type is `.slack_api`. + type: object + properties: + allowedChannels: + type: array + description: A list of valid Slack channels. + items: + type: object + required: + - id + - name + maxItems: 25 + properties: + id: + type: string + description: The Slack channel ID. + example: C123ABC456 + minLength: 1 + name: + type: string + description: The Slack channel name. 
+ minLength: 1 + swimlane_config: + title: Connector request properties for a Swimlane connector required: - - type - - params - title: Custom Query - SLOs_indicator_properties_custom_metric: - description: Defines properties for a custom metric indicator type + - apiUrl + - appId + - connectorType + description: Defines properties for connectors when type is `.swimlane`. type: object properties: - params: - description: An object containing the indicator parameters. - nullable: false + apiUrl: + description: The Swimlane instance URL. + type: string + appId: + description: The Swimlane application ID. + type: string + connectorType: + description: The type of connector. Valid values are `all`, `alerts`, and `cases`. + type: string + enum: + - all + - alerts + - cases + mappings: + title: Connector mappings properties for a Swimlane connector + description: The field mapping. type: object properties: - dataViewId: - description: >- - The kibana data view id to use, primarily used to include data - view runtime mappings. Make sure to save SLO again if you - add/update run time fields to the data view and if those fields - are being used in slo queries. - example: 03b80ab3-003d-498b-881c-3beedbaf1162 - type: string - filter: - description: the KQL query to filter the documents with. - example: 'field.environment : "production" and service.name : "my-service"' - type: string - good: - description: | - An object defining the "good" metrics and equation + alertIdConfig: + title: Alert identifier mapping + description: Mapping for the alert ID. type: object + required: + - fieldType + - id + - key + - name properties: - equation: - description: The equation to calculate the "good" metric. - example: A + fieldType: type: string - metrics: - description: >- - List of metrics with their name, aggregation type, and - field. - items: - oneOf: - - type: object - properties: - aggregation: - description: The aggregation type of the metric. 
- enum: - - sum - example: sum - type: string - field: - description: The field of the metric. - example: processor.processed - type: string - filter: - description: The filter to apply to the metric. - example: 'processor.outcome: *' - type: string - name: - description: The name of the metric. Only valid options are A-Z - example: A - pattern: ^[A-Z]$ - type: string - required: - - name - - aggregation - - field - - type: object - properties: - aggregation: - description: The aggregation type of the metric. - enum: - - doc_count - example: doc_count - type: string - filter: - description: The filter to apply to the metric. - example: 'processor.outcome: *' - type: string - name: - description: The name of the metric. Only valid options are A-Z - example: A - pattern: ^[A-Z]$ - type: string - required: - - name - - aggregation - type: array - required: - - metrics - - equation - index: - description: The index or index pattern to use - example: my-service-* - type: string - timestampField: - description: | - The timestamp field used in the source indice. - example: timestamp - type: string - total: - description: | - An object defining the "total" metrics and equation + description: The type of field in Swimlane. + id: + type: string + description: The identifier for the field in Swimlane. + key: + type: string + description: The key for the field in Swimlane. + name: + type: string + description: The name of the field in Swimlane. + caseIdConfig: + title: Case identifier mapping + description: Mapping for the case ID. type: object + required: + - fieldType + - id + - key + - name properties: - equation: - description: The equation to calculate the "total" metric. - example: A + fieldType: type: string - metrics: - description: >- - List of metrics with their name, aggregation type, and - field. - items: - oneOf: - - type: object - properties: - aggregation: - description: The aggregation type of the metric. 
- enum: - - sum - example: sum - type: string - field: - description: The field of the metric. - example: processor.processed - type: string - filter: - description: The filter to apply to the metric. - example: 'processor.outcome: *' - type: string - name: - description: The name of the metric. Only valid options are A-Z - example: A - pattern: ^[A-Z]$ - type: string - required: - - name - - aggregation - - field - - type: object - properties: - aggregation: - description: The aggregation type of the metric. - enum: - - doc_count - example: doc_count - type: string - filter: - description: The filter to apply to the metric. - example: 'processor.outcome: *' - type: string - name: - description: The name of the metric. Only valid options are A-Z - example: A - pattern: ^[A-Z]$ - type: string - required: - - name - - aggregation - type: array + description: The type of field in Swimlane. + id: + type: string + description: The identifier for the field in Swimlane. + key: + type: string + description: The key for the field in Swimlane. + name: + type: string + description: The name of the field in Swimlane. + caseNameConfig: + title: Case name mapping + description: Mapping for the case name. + type: object required: - - metrics - - equation - required: - - index - - timestampField - - good - - total - type: - description: The type of indicator. - example: sli.metric.custom - type: string - required: - - type - - params - title: Custom metric - SLOs_indicator_properties_histogram: - description: Defines properties for a histogram indicator type - type: object - properties: - params: - description: An object containing the indicator parameters. - nullable: false - type: object - properties: - dataViewId: - description: >- - The kibana data view id to use, primarily used to include data - view runtime mappings. Make sure to save SLO again if you - add/update run time fields to the data view and if those fields - are being used in slo queries. 
- example: 03b80ab3-003d-498b-881c-3beedbaf1162 - type: string - filter: - description: the KQL query to filter the documents with. - example: 'field.environment : "production" and service.name : "my-service"' - type: string - good: - description: | - An object defining the "good" events + - fieldType + - id + - key + - name + properties: + fieldType: + type: string + description: The type of field in Swimlane. + id: + type: string + description: The identifier for the field in Swimlane. + key: + type: string + description: The key for the field in Swimlane. + name: + type: string + description: The name of the field in Swimlane. + commentsConfig: + title: Case comment mapping + description: Mapping for the case comments. type: object + required: + - fieldType + - id + - key + - name properties: - aggregation: - description: The type of aggregation to use. - enum: - - value_count - - range - example: value_count + fieldType: type: string - field: - description: The field use to aggregate the good events. - example: processor.latency + description: The type of field in Swimlane. + id: type: string - filter: - description: The filter for good events. - example: 'processor.outcome: "success"' + description: The identifier for the field in Swimlane. + key: type: string - from: - description: >- - The starting value of the range. Only required for "range" - aggregations. - example: 0 - type: number - to: - description: >- - The ending value of the range. Only required for "range" - aggregations. - example: 100 - type: number + description: The key for the field in Swimlane. + name: + type: string + description: The name of the field in Swimlane. + descriptionConfig: + title: Case description mapping + description: Mapping for the case description. 
+ type: object required: - - aggregation - - field - index: - description: The index or index pattern to use - example: my-service-* - type: string - timestampField: - description: | - The timestamp field used in the source indice. - example: timestamp - type: string - total: - description: | - An object defining the "total" events + - fieldType + - id + - key + - name + properties: + fieldType: + type: string + description: The type of field in Swimlane. + id: + type: string + description: The identifier for the field in Swimlane. + key: + type: string + description: The key for the field in Swimlane. + name: + type: string + description: The name of the field in Swimlane. + ruleNameConfig: + title: Rule name mapping + description: Mapping for the name of the alert's rule. type: object + required: + - fieldType + - id + - key + - name properties: - aggregation: - description: The type of aggregation to use. - enum: - - value_count - - range - example: value_count + fieldType: type: string - field: - description: The field use to aggregate the good events. - example: processor.latency + description: The type of field in Swimlane. + id: type: string - filter: - description: The filter for total events. - example: 'processor.outcome : *' + description: The identifier for the field in Swimlane. + key: type: string - from: - description: >- - The starting value of the range. Only required for "range" - aggregations. - example: 0 - type: number - to: - description: >- - The ending value of the range. Only required for "range" - aggregations. - example: 100 - type: number + description: The key for the field in Swimlane. + name: + type: string + description: The name of the field in Swimlane. + severityConfig: + title: Severity mapping + description: Mapping for the severity. + type: object required: - - aggregation - - field - required: - - index - - timestampField - - good - - total - type: - description: The type of indicator. 
- example: sli.histogram.custom + - fieldType + - id + - key + - name + properties: + fieldType: + type: string + description: The type of field in Swimlane. + id: + type: string + description: The identifier for the field in Swimlane. + key: + type: string + description: The key for the field in Swimlane. + name: + type: string + description: The name of the field in Swimlane. + thehive_config: + title: Connector request properties for a TheHive connector + description: Defines configuration properties for connectors when type is `.thehive`. + type: object + required: + - url + properties: + organisation: + type: string + description: | + The organisation in TheHive that will contain the alerts or cases. By default, the connector uses the default organisation of the user account that created the API key. + url: type: string + description: | + The instance URL in TheHive. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. + tines_config: + title: Connector request properties for a Tines connector + description: Defines properties for connectors when type is `.tines`. + type: object required: - - type - - params - title: Histogram indicator - SLOs_indicator_properties_timeslice_metric: - description: Defines properties for a timeslice metric indicator type + - url + properties: + url: + description: | + The Tines tenant URL. If you are using the `xpack.actions.allowedHosts` setting, make sure this hostname is added to the allowed hosts. + type: string + torq_config: + title: Connector request properties for a Torq connector + description: Defines properties for connectors when type is `.torq`. type: object + required: + - webhookIntegrationUrl properties: - params: - description: An object containing the indicator parameters. - nullable: false + webhookIntegrationUrl: + description: The endpoint URL of the Elastic Security integration in Torq. 
+ type: string + auth_type: + title: Authentication type + type: string + nullable: true + enum: + - webhook-authentication-basic + - webhook-authentication-ssl + description: | + The type of authentication to use: basic, SSL, or none. + ca: + title: Certificate authority + type: string + description: | + A base64 encoded version of the certificate authority file that the connector can trust to sign and validate certificates. This option is available for all authentication types. + cert_type: + title: Certificate type + type: string + description: | + If the `authType` is `webhook-authentication-ssl`, specifies whether the certificate authentication data is in a CRT and key file format or a PFX file format. + enum: + - ssl-crt-key + - ssl-pfx + has_auth: + title: Has authentication + type: boolean + description: If true, a username and password for login type authentication must be provided. + default: true + verification_mode: + title: Verification mode + type: string + enum: + - certificate + - full + - none + default: full + description: | + Controls the verification of certificates. Use `full` to validate that the certificate has an issue date within the `not_before` and `not_after` dates, chains to a trusted certificate authority (CA), and has a hostname or IP address that matches the names within the certificate. Use `certificate` to validate the certificate and verify that it is signed by a trusted authority; this option does not check the certificate hostname. Use `none` to skip certificate validation. + webhook_config: + title: Connector request properties for a Webhook connector + description: Defines properties for connectors when type is `.webhook`. 
+ type: object + properties: + authType: + $ref: '#/components/schemas/auth_type' + ca: + $ref: '#/components/schemas/ca' + certType: + $ref: '#/components/schemas/cert_type' + hasAuth: + $ref: '#/components/schemas/has_auth' + headers: type: object - properties: - dataViewId: - description: >- - The kibana data view id to use, primarily used to include data - view runtime mappings. Make sure to save SLO again if you - add/update run time fields to the data view and if those fields - are being used in slo queries. - example: 03b80ab3-003d-498b-881c-3beedbaf1162 - type: string - filter: - description: the KQL query to filter the documents with. - example: 'field.environment : "production" and service.name : "my-service"' - type: string - index: - description: The index or index pattern to use - example: my-service-* - type: string - metric: - description: > - An object defining the metrics, equation, and threshold to - determine if it's a good slice or not - type: object - properties: - comparator: - description: >- - The comparator to use to compare the equation to the - threshold. - enum: - - GT - - GTE - - LT - - LTE - example: GT - type: string - equation: - description: The equation to calculate the metric. - example: A - type: string - metrics: - description: >- - List of metrics with their name, aggregation type, and - field. 
- items: - anyOf: - - $ref: >- - #/components/schemas/SLOs_timeslice_metric_basic_metric_with_field - - $ref: >- - #/components/schemas/SLOs_timeslice_metric_percentile_metric - - $ref: >- - #/components/schemas/SLOs_timeslice_metric_doc_count_metric - discriminator: - mapping: - avg: >- - #/components/schemas/SLOs_timeslice_metric_basic_metric_with_field - cardinality: >- - #/components/schemas/SLOs_timeslice_metric_basic_metric_with_field - doc_count: >- - #/components/schemas/SLOs_timeslice_metric_doc_count_metric - last_value: >- - #/components/schemas/SLOs_timeslice_metric_basic_metric_with_field - max: >- - #/components/schemas/SLOs_timeslice_metric_basic_metric_with_field - min: >- - #/components/schemas/SLOs_timeslice_metric_basic_metric_with_field - percentile: >- - #/components/schemas/SLOs_timeslice_metric_percentile_metric - std_deviation: >- - #/components/schemas/SLOs_timeslice_metric_basic_metric_with_field - sum: >- - #/components/schemas/SLOs_timeslice_metric_basic_metric_with_field - propertyName: aggregation - type: array - threshold: - description: >- - The threshold used to determine if the metric is a good - slice or not. - example: 100 - type: number - required: - - metrics - - equation - - comparator - - threshold - timestampField: - description: | - The timestamp field used in the source indice. - example: timestamp - type: string - required: - - index - - timestampField - - metric - type: - description: The type of indicator. - example: sli.metric.timeslice + nullable: true + description: A set of key-value pairs sent as headers with the request. + method: + type: string + default: post + enum: + - post + - put + description: | + The HTTP request method, either `post` or `put`. + url: + type: string + description: | + The request URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. 
+ verificationMode: + $ref: '#/components/schemas/verification_mode' + cases_webhook_config: + title: Connector request properties for Webhook - Case Management connector + required: + - createIncidentJson + - createIncidentResponseKey + - createIncidentUrl + - getIncidentResponseExternalTitleKey + - getIncidentUrl + - updateIncidentJson + - updateIncidentUrl + - viewIncidentUrl + description: Defines properties for connectors when type is `.cases-webhook`. + type: object + properties: + authType: + $ref: '#/components/schemas/auth_type' + ca: + $ref: '#/components/schemas/ca' + certType: + $ref: '#/components/schemas/cert_type' + createCommentJson: + type: string + description: | + A JSON payload sent to the create comment URL to create a case comment. You can use variables to add Kibana Cases data to the payload. The required variable is `case.comment`. Due to Mustache template variables (the text enclosed in triple braces, for example, `{{{case.title}}}`), the JSON is not validated when you create the connector. The JSON is validated once the Mustache variables have been placed when the REST method runs. Manually ensure that the JSON is valid, disregarding the Mustache variables, so the later validation will pass. + example: '{"body": {{{case.comment}}}}' + createCommentMethod: + type: string + description: | + The REST API HTTP request method to create a case comment in the third-party system. Valid values are `patch`, `post`, and `put`. + default: put + enum: + - patch + - post + - put + createCommentUrl: + type: string + description: | + The REST API URL to create a case comment by ID in the third-party system. You can use a variable to add the external system ID to the URL. If you are using the `xpack.actions.allowedHosts setting`, add the hostname to the allowed hosts. + example: https://example.com/issue/{{{external.system.id}}}/comment + createIncidentJson: + type: string + description: | + A JSON payload sent to the create case URL to create a case. 
You can use variables to add case data to the payload. Required variables are `case.title` and `case.description`. Due to Mustache template variables (which is the text enclosed in triple braces, for example, `{{{case.title}}}`), the JSON is not validated when you create the connector. The JSON is validated after the Mustache variables have been placed when REST method runs. Manually ensure that the JSON is valid to avoid future validation errors; disregard Mustache variables during your review. + example: '{"fields": {"summary": {{{case.title}}},"description": {{{case.description}}},"labels": {{{case.tags}}}}}' + createIncidentMethod: + type: string + description: | + The REST API HTTP request method to create a case in the third-party system. Valid values are `patch`, `post`, and `put`. + enum: + - patch + - post + - put + default: post + createIncidentResponseKey: + type: string + description: The JSON key in the create external case response that contains the case ID. + createIncidentUrl: + type: string + description: | + The REST API URL to create a case in the third-party system. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. + getIncidentResponseExternalTitleKey: + type: string + description: The JSON key in get external case response that contains the case title. + getIncidentUrl: + type: string + description: | + The REST API URL to get the case by ID from the third-party system. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. You can use a variable to add the external system ID to the URL. Due to Mustache template variables (the text enclosed in triple braces, for example, `{{{case.title}}}`), the JSON is not validated when you create the connector. The JSON is validated after the Mustache variables have been placed when REST method runs. Manually ensure that the JSON is valid, disregarding the Mustache variables, so the later validation will pass. 
+ example: https://example.com/issue/{{{external.system.id}}} + hasAuth: + $ref: '#/components/schemas/has_auth' + headers: + type: string + description: | + A set of key-value pairs sent as headers with the request URLs for the create case, update case, get case, and create comment methods. + updateIncidentJson: + type: string + description: | + The JSON payload sent to the update case URL to update the case. You can use variables to add Kibana Cases data to the payload. Required variables are `case.title` and `case.description`. Due to Mustache template variables (which is the text enclosed in triple braces, for example, `{{{case.title}}}`), the JSON is not validated when you create the connector. The JSON is validated after the Mustache variables have been placed when REST method runs. Manually ensure that the JSON is valid to avoid future validation errors; disregard Mustache variables during your review. + example: '{"fields": {"summary": {{{case.title}}},"description": {{{case.description}}},"labels": {{{case.tags}}}}}' + updateIncidentMethod: + type: string + description: | + The REST API HTTP request method to update the case in the third-party system. Valid values are `patch`, `post`, and `put`. + default: put + enum: + - patch + - post + - put + updateIncidentUrl: + type: string + description: | + The REST API URL to update the case by ID in the third-party system. You can use a variable to add the external system ID to the URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. + example: https://example.com/issue/{{{external.system.ID}}} + verificationMode: + $ref: '#/components/schemas/verification_mode' + viewIncidentUrl: + type: string + description: | + The URL to view the case in the external system. You can use variables to add the external system ID or external system title to the URL. 
+ example: https://testing-jira.atlassian.net/browse/{{{external.system.title}}} + xmatters_config: + title: Connector request properties for an xMatters connector + description: Defines properties for connectors when type is `.xmatters`. + type: object + properties: + configUrl: + description: | + The request URL for the Elastic Alerts trigger in xMatters. It is applicable only when `usesBasic` is `true`. + type: string + nullable: true + usesBasic: + description: Specifies whether the connector uses HTTP basic authentication (`true`) or URL authentication (`false`). + type: boolean + default: true + bedrock_secrets: + title: Connector secrets properties for an Amazon Bedrock connector + description: Defines secrets for connectors when type is `.bedrock`. + type: object + required: + - accessKey + - secret + properties: + accessKey: + type: string + description: The AWS access key for authentication. + secret: + type: string + description: The AWS secret for authentication. + crowdstrike_secrets: + title: Connector secrets properties for a Crowdstrike connector + description: Defines secrets for connectors when type is `.crowdstrike`. + type: object + required: + - clientId + - clientSecret + properties: + clientId: + description: The CrowdStrike API client identifier. + type: string + clientSecret: + description: The CrowdStrike API client secret to authenticate the `clientId`. + type: string + d3security_secrets: + title: Connector secrets properties for a D3 Security connector + description: Defines secrets for connectors when type is `.d3security`. + required: + - token + type: object + properties: + token: + type: string + description: The D3 Security token. + email_secrets: + title: Connector secrets properties for an email connector + description: Defines secrets for connectors when type is `.email`. 
+ type: object + properties: + clientSecret: + type: string + description: | + The Microsoft Exchange Client secret for OAuth 2.0 client credentials authentication. It must be URL-encoded. If `service` is `exchange_server`, this property is required. + password: + type: string + description: | + The password for HTTP basic authentication. If `hasAuth` is set to `true`, this property is required. + user: + type: string + description: | + The username for HTTP basic authentication. If `hasAuth` is set to `true`, this property is required. + gemini_secrets: + title: Connector secrets properties for a Google Gemini connector + description: Defines secrets for connectors when type is `.gemini`. + type: object + required: + - credentialsJson + properties: + credentialsJson: + type: string + description: The service account credentials JSON file. The service account should have Vertex AI user IAM role assigned to it. + resilient_secrets: + title: Connector secrets properties for IBM Resilient connector + required: + - apiKeyId + - apiKeySecret + description: Defines secrets for connectors when type is `.resilient`. + type: object + properties: + apiKeyId: + type: string + description: The authentication key ID for HTTP Basic authentication. + apiKeySecret: + type: string + description: The authentication key secret for HTTP Basic authentication. + jira_secrets: + title: Connector secrets properties for a Jira connector + required: + - apiToken + - email + description: Defines secrets for connectors when type is `.jira`. + type: object + properties: + apiToken: + description: The Jira API authentication token for HTTP basic authentication. + type: string + email: + description: The account email for HTTP Basic authentication. + type: string + teams_secrets: + title: Connector secrets properties for a Microsoft Teams connector + description: Defines secrets for connectors when type is `.teams`. 
+ type: object + required: + - webhookUrl + properties: + webhookUrl: + type: string + description: | + The URL of the incoming webhook. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. + genai_secrets: + title: Connector secrets properties for an OpenAI connector + description: | + Defines secrets for connectors when type is `.gen-ai`. Supports both API key authentication (OpenAI, Azure OpenAI, and `Other`) and PKI authentication (`Other` provider only). PKI fields must be base64-encoded PEM content. + type: object + properties: + apiKey: + type: string + description: | + The API key for authentication. For OpenAI and Azure OpenAI providers, it is required. For the `Other` provider, it is required if you do not use PKI authentication. With PKI, you can also optionally include an API key if the OpenAI-compatible service supports or requires one. + certificateData: + type: string + description: | + Base64-encoded PEM certificate content for PKI authentication (Other provider only). Required for PKI. + minLength: 1 + privateKeyData: + type: string + description: | + Base64-encoded PEM private key content for PKI authentication (Other provider only). Required for PKI. + minLength: 1 + caData: type: string + description: | + Base64-encoded PEM CA certificate content for PKI authentication (Other provider only). Optional. + minLength: 1 + opsgenie_secrets: + title: Connector secrets properties for an Opsgenie connector required: - - type - - params - title: Timeslice metric - SLOs_kql_with_filters: - description: Defines properties for a filter - oneOf: - - description: the KQL query to filter the documents with. - example: 'field.environment : "production" and service.name : "my-service"' + - apiKey + description: Defines secrets for connectors when type is `.opsgenie`. + type: object + properties: + apiKey: + description: The Opsgenie API authentication key for HTTP Basic authentication. 
type: string - - type: object - properties: - filters: - items: - $ref: '#/components/schemas/SLOs_filter' - type: array - kqlQuery: - type: string - title: KQL with filters - SLOs_kql_with_filters_good: - description: The KQL query used to define the good events. - oneOf: - - description: the KQL query to filter the documents with. - example: 'request.latency <= 150 and request.status_code : "2xx"' + pagerduty_secrets: + title: Connector secrets properties for a PagerDuty connector + description: Defines secrets for connectors when type is `.pagerduty`. + type: object + required: + - routingKey + properties: + routingKey: + description: | + A 32 character PagerDuty Integration Key for an integration on a service. type: string - - type: object - properties: - filters: - items: - $ref: '#/components/schemas/SLOs_filter' - type: array - kqlQuery: - type: string - title: KQL query for good events - SLOs_kql_with_filters_total: - description: The KQL query used to define all events. - oneOf: - - description: the KQL query to filter the documents with. - example: 'field.environment : "production" and service.name : "my-service"' + sentinelone_secrets: + title: Connector secrets properties for a SentinelOne connector + description: Defines secrets for connectors when type is `.sentinelone`. + type: object + required: + - token + properties: + token: + description: The A SentinelOne API token. type: string - - type: object - properties: - filters: - items: - $ref: '#/components/schemas/SLOs_filter' - type: array - kqlQuery: - type: string - title: KQL query for all events - SLOs_objective: - description: Defines properties for the SLO objective + servicenow_secrets: + title: Connector secrets properties for ServiceNow ITOM, ServiceNow ITSM, and ServiceNow SecOps connectors + description: Defines secrets for connectors when type is `.servicenow`, `.servicenow-sir`, or `.servicenow-itom`. 
type: object properties: - target: - description: the target objective between 0 and 1 excluded - example: 0.99 - exclusiveMaximum: true - exclusiveMinimum: true - maximum: 100 - minimum: 0 - type: number - timesliceTarget: - description: >- - the target objective for each slice when using a timeslices - budgeting method - example: 0.995 - maximum: 100 - minimum: 0 - type: number - timesliceWindow: - description: >- - the duration of each slice when using a timeslices budgeting method, - as {duraton}{unit} - example: 5m + clientSecret: + type: string + description: The client secret assigned to your OAuth application. This property is required when `isOAuth` is `true`. + password: + type: string + description: The password for HTTP basic authentication. This property is required when `isOAuth` is `false`. + privateKey: type: string + description: The RSA private key that you created for use in ServiceNow. This property is required when `isOAuth` is `true`. + privateKeyPassword: + type: string + description: The password for the RSA private key. This property is required when `isOAuth` is `true` and you set a password on your private key. + username: + type: string + description: The username for HTTP basic authentication. This property is required when `isOAuth` is `false`. + slack_api_secrets: + title: Connector secrets properties for a Web API Slack connector + description: Defines secrets for connectors when type is `.slack`. required: - - target - title: Objective - SLOs_settings: - description: Defines properties for SLO settings. + - token + type: object properties: - frequency: - default: 1m - description: >- - The interval between checks for changes in the source data. The - minimum value is 1m and the maximum is 59m. The default value is 1 - minute. 
- example: 5m + token: type: string - preventInitialBackfill: - default: false - description: >- - Start aggregating data from the time the SLO is created, instead of - backfilling data from the beginning of the time window. - example: true - type: boolean - syncDelay: - default: 1m - description: >- - The time delay in minutes between the current time and the latest - source data time. Increasing the value will delay any alerting. The - default value is 1 minute. The minimum value is 1m and the maximum - is 359m. It should always be greater then source index refresh - interval. - example: 5m + description: Slack bot user OAuth token. + swimlane_secrets: + title: Connector secrets properties for a Swimlane connector + description: Defines secrets for connectors when type is `.swimlane`. + type: object + properties: + apiToken: + description: Swimlane API authentication token. type: string - syncField: - description: >- - The date field that is used to identify new documents in the source. - It is strongly recommended to use a field that contains the ingest - timestamp. If you use a different field, you might need to set the - delay such that it accounts for data transmission delays. When - unspecified, we use the indicator timestamp field. - example: event.ingested + thehive_secrets: + title: Connector secrets properties for a TheHive connector + description: Defines secrets for connectors when type is `.thehive`. + required: + - apiKey + type: object + properties: + apiKey: type: string - title: Settings + description: The API key for authentication in TheHive. + tines_secrets: + title: Connector secrets properties for a Tines connector + description: Defines secrets for connectors when type is `.tines`. type: object - SLOs_slo_definition_response: - title: SLO definition response + required: + - email + - token + properties: + email: + description: The email used to sign in to Tines. + type: string + token: + description: The Tines API token. 
+ type: string + torq_secrets: + title: Connector secrets properties for a Torq connector + description: Defines secrets for connectors when type is `.torq`. type: object + required: + - token properties: - artifacts: - $ref: '#/components/schemas/SLOs_artifacts' - budgetingMethod: - $ref: '#/components/schemas/SLOs_budgeting_method' - createdAt: - description: The creation date - example: '2023-01-12T10:03:19.000Z' + token: + description: The secret of the webhook authentication header. type: string - description: - description: The description of the SLO. - example: My SLO description + crt: + title: Certificate + type: string + description: If `authType` is `webhook-authentication-ssl` and `certType` is `ssl-crt-key`, it is a base64 encoded version of the CRT or CERT file. + key: + title: Certificate key + type: string + description: If `authType` is `webhook-authentication-ssl` and `certType` is `ssl-crt-key`, it is a base64 encoded version of the KEY file. + pfx: + title: Personal information exchange + type: string + description: If `authType` is `webhook-authentication-ssl` and `certType` is `ssl-pfx`, it is a base64 encoded version of the PFX or P12 file. + webhook_secrets: + title: Connector secrets properties for a Webhook connector + description: Defines secrets for connectors when type is `.webhook`. + type: object + properties: + crt: + $ref: '#/components/schemas/crt' + key: + $ref: '#/components/schemas/key' + pfx: + $ref: '#/components/schemas/pfx' + password: type: string - enabled: - description: Indicate if the SLO is enabled - example: true - type: boolean - groupBy: - $ref: '#/components/schemas/SLOs_group_by' - id: - description: The identifier of the SLO. - example: 8853df00-ae2e-11ed-90af-09bb6422b258 + description: | + The password for HTTP basic authentication or the passphrase for the SSL certificate files. If `hasAuth` is set to `true` and `authType` is `webhook-authentication-basic`, this property is required. 
+ user: type: string - indicator: - discriminator: - mapping: - sli.apm.transactionDuration: '#/components/schemas/SLOs_indicator_properties_apm_latency' - sli.apm.transactionErrorRate: '#/components/schemas/SLOs_indicator_properties_apm_availability' - sli.histogram.custom: '#/components/schemas/SLOs_indicator_properties_histogram' - sli.kql.custom: '#/components/schemas/SLOs_indicator_properties_custom_kql' - sli.metric.custom: '#/components/schemas/SLOs_indicator_properties_custom_metric' - sli.metric.timeslice: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' - propertyName: type - oneOf: - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' - - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' - - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' - name: - description: The name of the SLO. - example: My Service SLO + description: | + The username for HTTP basic authentication. If `hasAuth` is set to `true` and `authType` is `webhook-authentication-basic`, this property is required. + cases_webhook_secrets: + title: Connector secrets properties for Webhook - Case Management connector + type: object + properties: + crt: + $ref: '#/components/schemas/crt' + key: + $ref: '#/components/schemas/key' + pfx: + $ref: '#/components/schemas/pfx' + password: type: string - objective: - $ref: '#/components/schemas/SLOs_objective' - revision: - description: The SLO revision - example: 2 - type: number - settings: - $ref: '#/components/schemas/SLOs_settings' - tags: - description: List of tags + description: | + The password for HTTP basic authentication. If `hasAuth` is set to `true` and and `authType` is `webhook-authentication-basic`, this property is required. 
+ user: + type: string + description: | + The username for HTTP basic authentication. If `hasAuth` is set to `true` and `authType` is `webhook-authentication-basic`, this property is required. + xmatters_secrets: + title: Connector secrets properties for an xMatters connector + description: Defines secrets for connectors when type is `.xmatters`. + type: object + properties: + password: + description: | + A user name for HTTP basic authentication. It is applicable only when `usesBasic` is `true`. + type: string + secretsUrl: + description: | + The request URL for the Elastic Alerts trigger in xMatters with the API key included in the URL. It is applicable only when `usesBasic` is `false`. + type: string + user: + description: | + A password for HTTP basic authentication. It is applicable only when `usesBasic` is `true`. + type: string + genai_openai_other_config: + title: Connector request properties for an OpenAI connector with Other provider + description: | + Defines properties for connectors when type is `.gen-ai` and the API provider is `Other` (OpenAI-compatible service), including optional PKI authentication. + type: object + required: + - apiProvider + - apiUrl + - defaultModel + properties: + apiProvider: + type: string + description: The OpenAI API provider. + enum: + - Other + apiUrl: + type: string + description: The OpenAI-compatible API endpoint. + defaultModel: + type: string + description: The default model to use for requests. + certificateData: + type: string + description: PEM-encoded certificate content. + minLength: 1 + privateKeyData: + type: string + description: PEM-encoded private key content. + minLength: 1 + caData: + type: string + description: PEM-encoded CA certificate content. + minLength: 1 + verificationMode: + type: string + description: SSL verification mode for PKI authentication. + enum: + - full + - certificate + - none + default: full + headers: + type: object + description: Custom headers to include in requests. 
+ additionalProperties: + type: string + defender_secrets: + title: Connector secrets properties for a Microsoft Defender for Endpoint connector + required: + - clientSecret + description: Defines secrets for connectors when type is `..microsoft_defender_endpoint`. + type: object + properties: + clientSecret: + description: The client secret for your app in the Azure portal. + type: string + run_acknowledge_resolve_pagerduty: + title: PagerDuty connector parameters + description: Test an action that acknowledges or resolves a PagerDuty alert. + type: object + required: + - dedupKey + - eventAction + properties: + dedupKey: + description: The deduplication key for the PagerDuty alert. + type: string + maxLength: 255 + eventAction: + description: The type of event. + type: string + enum: + - acknowledge + - resolve + run_documents: + title: Index connector parameters + description: Test an action that indexes a document into Elasticsearch. + type: object + required: + - documents + properties: + documents: + type: array + description: The documents in JSON format for index connectors. + items: + type: object + additionalProperties: true + run_message_email: + title: Email connector parameters + description: | + Test an action that sends an email message. There must be at least one recipient in `to`, `cc`, or `bcc`. + type: object + required: + - message + - subject + properties: + bcc: + type: array items: type: string + description: | + A list of "blind carbon copy" email addresses. Addresses can be specified in `user@host-name` format or in name `` format + cc: type: array - timeWindow: - $ref: '#/components/schemas/SLOs_time_window' - updatedAt: - description: The last update date - example: '2023-01-12T10:03:19.000Z' + items: + type: string + description: | + A list of "carbon copy" email addresses. 
Addresses can be specified in `user@host-name` format or in name `` format + message: type: string - version: - description: The internal SLO version - example: 2 - type: number + description: The email message text. Markdown format is supported. + subject: + type: string + description: The subject line of the email. + to: + type: array + description: | + A list of email addresses. Addresses can be specified in `user@host-name` format or in name `` format. + items: + type: string + run_message_serverlog: + title: Server log connector parameters + description: Test an action that writes an entry to the Kibana server log. + type: object required: - - id - - name - - description - - indicator - - timeWindow - - budgetingMethod - - objective - - settings - - revision - - enabled - - groupBy - - tags - - createdAt - - updatedAt - - version - SLOs_slo_with_summary_response: - title: SLO response + - message + properties: + level: + type: string + description: The log level of the message for server log connectors. + enum: + - debug + - error + - fatal + - info + - trace + - warn + default: info + message: + type: string + description: The message for server log connectors. + run_message_slack: + title: Slack connector parameters + description: | + Test an action that sends a message to Slack. It is applicable only when the connector type is `.slack`. type: object + required: + - message properties: - budgetingMethod: - $ref: '#/components/schemas/SLOs_budgeting_method' - createdAt: - description: The creation date - example: '2023-01-12T10:03:19.000Z' + message: type: string - description: - description: The description of the SLO. - example: My SLO description + description: The Slack message text, which cannot contain Markdown, images, or other advanced formatting. + run_trigger_pagerduty: + title: PagerDuty connector parameters + description: Test an action that triggers a PagerDuty alert. 
+ type: object + required: + - eventAction + properties: + class: + description: The class or type of the event. type: string - enabled: - description: Indicate if the SLO is enabled - example: true - type: boolean - groupBy: - $ref: '#/components/schemas/SLOs_group_by' - id: - description: The identifier of the SLO. - example: 8853df00-ae2e-11ed-90af-09bb6422b258 + example: cpu load + component: + description: The component of the source machine that is responsible for the event. type: string - indicator: - discriminator: - mapping: - sli.apm.transactionDuration: '#/components/schemas/SLOs_indicator_properties_apm_latency' - sli.apm.transactionErrorRate: '#/components/schemas/SLOs_indicator_properties_apm_availability' - sli.histogram.custom: '#/components/schemas/SLOs_indicator_properties_histogram' - sli.kql.custom: '#/components/schemas/SLOs_indicator_properties_custom_kql' - sli.metric.custom: '#/components/schemas/SLOs_indicator_properties_custom_metric' - sli.metric.timeslice: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' - propertyName: type - oneOf: - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' - - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' - - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' - instanceId: - description: the value derived from the groupBy field, if present, otherwise '*' - example: host-abcde + example: eth0 + customDetails: + description: Additional details to add to the event. + type: object + dedupKey: + description: | + All actions sharing this key will be associated with the same PagerDuty alert. This value is used to correlate trigger and resolution. type: string - name: - description: The name of the SLO. 
- example: My Service SLO + maxLength: 255 + eventAction: + description: The type of event. type: string - objective: - $ref: '#/components/schemas/SLOs_objective' - revision: - description: The SLO revision - example: 2 - type: number - settings: - $ref: '#/components/schemas/SLOs_settings' - summary: - $ref: '#/components/schemas/SLOs_summary' - tags: - description: List of tags - items: - type: string + enum: + - trigger + group: + description: The logical grouping of components of a service. + type: string + example: app-stack + links: + description: A list of links to add to the event. type: array - timeWindow: - $ref: '#/components/schemas/SLOs_time_window' - updatedAt: - description: The last update date - example: '2023-01-12T10:03:19.000Z' + items: + type: object + properties: + href: + description: The URL for the link. + type: string + text: + description: A plain text description of the purpose of the link. + type: string + severity: + description: The severity of the event on the affected system. type: string - version: - description: The internal SLO version - example: 2 - type: number + enum: + - critical + - error + - info + - warning + default: info + source: + description: | + The affected system, such as a hostname or fully qualified domain name. Defaults to the Kibana saved object id of the action. + type: string + summary: + description: A summery of the event. + type: string + maxLength: 1024 + timestamp: + description: An ISO-8601 timestamp that indicates when the event was detected or generated. + type: string + format: date-time + run_addevent: + title: The addEvent subaction + type: object + required: + - subAction + description: The `addEvent` subaction for ServiceNow ITOM connectors. + properties: + subAction: + type: string + description: The action to test. + enum: + - addEvent + subActionParams: + type: object + description: The set of configuration properties for the action. 
+ properties: + additional_info: + type: string + description: Additional information about the event. + description: + type: string + description: The details about the event. + event_class: + type: string + description: A specific instance of the source. + message_key: + type: string + description: All actions sharing this key are associated with the same ServiceNow alert. The default value is `:`. + metric_name: + type: string + description: The name of the metric. + node: + type: string + description: The host that the event was triggered for. + resource: + type: string + description: The name of the resource. + severity: + type: string + description: The severity of the event. + source: + type: string + description: The name of the event source type. + time_of_event: + type: string + description: The time of the event. + type: + type: string + description: The type of event. + run_closealert: + title: The closeAlert subaction + type: object + required: + - subAction + - subActionParams + description: The `closeAlert` subaction for Opsgenie connectors. + properties: + subAction: + type: string + description: The action to test. + enum: + - closeAlert + subActionParams: + type: object + required: + - alias + properties: + alias: + type: string + description: The unique identifier used for alert deduplication in Opsgenie. The alias must match the value used when creating the alert. + note: + type: string + description: Additional information for the alert. + source: + type: string + description: The display name for the source of the alert. + user: + type: string + description: The display name for the owner. + run_closeincident: + title: The closeIncident subaction + type: object + required: + - subAction + - subActionParams + description: The `closeIncident` subaction for ServiceNow ITSM connectors. + properties: + subAction: + type: string + description: The action to test. 
+ enum: + - closeIncident + subActionParams: + type: object + required: + - incident + properties: + incident: + type: object + anyOf: + - required: + - correlation_id + - required: + - externalId + properties: + correlation_id: + type: string + nullable: true + description: | + An identifier that is assigned to the incident when it is created by the connector. NOTE: If you use the default value and the rule generates multiple alerts that use the same alert IDs, the latest open incident for this correlation ID is closed unless you specify the external ID. + maxLength: 100 + default: '{{rule.id}}:{{alert.id}}' + externalId: + type: string + nullable: true + description: The unique identifier (`incidentId`) for the incident in ServiceNow. + run_createalert: + title: The createAlert subaction + type: object + required: + - subAction + - subActionParams + description: The `createAlert` subaction for Opsgenie and TheHive connectors. + properties: + subAction: + type: string + description: The action to test. + enum: + - createAlert + subActionParams: + type: object + properties: + actions: + type: array + description: The custom actions available to the alert in Opsgenie connectors. + items: + type: string + alias: + type: string + description: The unique identifier used for alert deduplication in Opsgenie. + description: + type: string + description: A description that provides detailed information about the alert. + details: + type: object + description: The custom properties of the alert in Opsgenie connectors. + additionalProperties: true + example: + key1: value1 + key2: value2 + entity: + type: string + description: The domain of the alert in Opsgenie connectors. For example, the application or server name. + message: + type: string + description: The alert message in Opsgenie connectors. + note: + type: string + description: Additional information for the alert in Opsgenie connectors. 
+ priority: + type: string + description: The priority level for the alert in Opsgenie connectors. + enum: + - P1 + - P2 + - P3 + - P4 + - P5 + responders: + type: array + description: | + The entities to receive notifications about the alert in Opsgenie connectors. If `type` is `user`, either `id` or `username` is required. If `type` is `team`, either `id` or `name` is required. + items: + type: object + properties: + id: + type: string + description: The identifier for the entity. + name: + type: string + description: The name of the entity. + type: + type: string + description: The type of responders, in this case `escalation`. + enum: + - escalation + - schedule + - team + - user + username: + type: string + description: A valid email address for the user. + severity: + type: integer + minimum: 1 + maximum: 4 + description: | + The severity of the incident for TheHive connectors. The value ranges from 1 (low) to 4 (critical) with a default value of 2 (medium). + source: + type: string + description: The display name for the source of the alert in Opsgenie and TheHive connectors. + sourceRef: + type: string + description: A source reference for the alert in TheHive connectors. + tags: + type: array + description: The tags for the alert in Opsgenie and TheHive connectors. + items: + type: string + title: + type: string + description: | + A title for the incident for TheHive connectors. It is used for searching the contents of the knowledge base. + tlp: + type: integer + minimum: 0 + maximum: 4 + default: 2 + description: | + The traffic light protocol designation for the incident in TheHive connectors. Valid values include: 0 (clear), 1 (green), 2 (amber), 3 (amber and strict), and 4 (red). + type: + type: string + description: The type of alert in TheHive connectors. + user: + type: string + description: The display name for the owner. + visibleTo: + type: array + description: The teams and users that the alert will be visible to without sending a notification. 
Only one of `id`, `name`, or `username` is required. + items: + type: object + required: + - type + properties: + id: + type: string + description: The identifier for the entity. + name: + type: string + description: The name of the entity. + type: + type: string + description: Valid values are `team` and `user`. + enum: + - team + - user + username: + type: string + description: The user name. This property is required only when the `type` is `user`. + run_fieldsbyissuetype: + title: The fieldsByIssueType subaction + type: object required: - - id - - name - - description - - indicator - - timeWindow - - budgetingMethod - - objective - - settings - - revision - - summary - - enabled - - groupBy - - instanceId - - tags - - createdAt - - updatedAt - - version - SLOs_summary: - description: The SLO computed data + - subAction + - subActionParams + description: The `fieldsByIssueType` subaction for Jira connectors. properties: - errorBudget: - $ref: '#/components/schemas/SLOs_error_budget' - sliValue: - example: 0.9836 - type: number - status: - $ref: '#/components/schemas/SLOs_summary_status' - required: - - status - - sliValue - - errorBudget - title: Summary - type: object - SLOs_summary_status: - enum: - - NO_DATA - - HEALTHY - - DEGRADING - - VIOLATED - example: HEALTHY - title: summary status - type: string - SLOs_time_window: - description: Defines properties for the SLO time window + subAction: + type: string + description: The action to test. + enum: + - fieldsByIssueType + subActionParams: + type: object + required: + - id + properties: + id: + type: string + description: The Jira issue type identifier. + example: 10024 + run_getagentdetails: + title: The getAgentDetails subaction type: object + required: + - subAction + - subActionParams + description: The `getAgentDetails` subaction for CrowdStrike connectors. properties: - duration: - description: >- - the duration formatted as {duration}{unit}. Accepted values for - rolling: 7d, 30d, 90d. 
Accepted values for calendar aligned: 1w - (weekly) or 1M (monthly) - example: 30d + subAction: type: string - type: - description: >- - Indicates weither the time window is a rolling or a calendar aligned - time window. + description: The action to test. enum: - - rolling - - calendarAligned - example: rolling - type: string - required: - - duration - - type - title: Time window - SLOs_timeslice_metric_basic_metric_with_field: + - getAgentDetails + subActionParams: + type: object + description: The set of configuration properties for the action. + required: + - ids + properties: + ids: + type: array + description: An array of CrowdStrike agent identifiers. + items: + type: string + run_getagents: + title: The getAgents subaction type: object + required: + - subAction + description: The `getAgents` subaction for SentinelOne connectors. properties: - aggregation: - description: The aggregation type of the metric. - enum: - - sum - - avg - - min - - max - - std_deviation - - last_value - - cardinality - example: sum - type: string - field: - description: The field of the metric. - example: processor.processed - type: string - filter: - description: The filter to apply to the metric. - example: 'processor.outcome: "success"' - type: string - name: - description: The name of the metric. Only valid options are A-Z - example: A - pattern: ^[A-Z]$ + subAction: type: string - required: - - name - - aggregation - - field - title: Timeslice Metric Basic Metric with Field - SLOs_timeslice_metric_doc_count_metric: + description: The action to test. + enum: + - getAgents + run_getchoices: + title: The getChoices subaction type: object + required: + - subAction + - subActionParams + description: The `getChoices` subaction for ServiceNow ITOM, ServiceNow ITSM, and ServiceNow SecOps connectors. properties: - aggregation: - description: The aggregation type of the metric. 
Only valid option is "doc_count" - enum: - - doc_count - example: doc_count - type: string - filter: - description: The filter to apply to the metric. - example: 'processor.outcome: "success"' - type: string - name: - description: The name of the metric. Only valid options are A-Z - example: A - pattern: ^[A-Z]$ + subAction: type: string - required: - - name - - aggregation - title: Timeslice Metric Doc Count Metric - SLOs_timeslice_metric_percentile_metric: + description: The action to test. + enum: + - getChoices + subActionParams: + type: object + description: The set of configuration properties for the action. + required: + - fields + properties: + fields: + type: array + description: An array of fields. + items: + type: string + run_getfields: + title: The getFields subaction type: object + required: + - subAction + description: The `getFields` subaction for Jira, ServiceNow ITSM, and ServiceNow SecOps connectors. properties: - aggregation: - description: >- - The aggregation type of the metric. Only valid option is - "percentile" - enum: - - percentile - example: percentile - type: string - field: - description: The field of the metric. - example: processor.processed - type: string - filter: - description: The filter to apply to the metric. - example: 'processor.outcome: "success"' - type: string - name: - description: The name of the metric. Only valid options are A-Z - example: A - pattern: ^[A-Z]$ + subAction: type: string - percentile: - description: The percentile value. - example: 95 - type: number + description: The action to test. + enum: + - getFields + run_getincident: + title: The getIncident subaction + type: object + description: The `getIncident` subaction for Jira, ServiceNow ITSM, and ServiceNow SecOps connectors. 
required: - - name - - aggregation - - field - - percentile - title: Timeslice Metric Percentile Metric - SLOs_update_slo_request: - description: > - The update SLO API request body varies depending on the type of - indicator, time window and budgeting method. Partial update is handled. + - subAction + - subActionParams properties: - artifacts: - $ref: '#/components/schemas/SLOs_artifacts' - budgetingMethod: - $ref: '#/components/schemas/SLOs_budgeting_method' - description: - description: A description for the SLO. - type: string - groupBy: - $ref: '#/components/schemas/SLOs_group_by' - indicator: - oneOf: - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' - - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' - - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' - name: - description: A name for the SLO. + subAction: type: string - objective: - $ref: '#/components/schemas/SLOs_objective' - settings: - $ref: '#/components/schemas/SLOs_settings' - tags: - description: List of tags - items: - type: string - type: array - timeWindow: - $ref: '#/components/schemas/SLOs_time_window' - title: Update SLO request + description: The action to test. + enum: + - getIncident + subActionParams: + type: object + required: + - externalId + properties: + externalId: + type: string + description: The Jira, ServiceNow ITSM, or ServiceNow SecOps issue identifier. + example: 71778 + run_issue: + title: The issue subaction type: object - Task_manager_health_Serverless_APIs_configuration: - description: > - This object summarizes the current configuration of Task Manager. 
This - includes dynamic configurations that change over time, such as - `poll_interval` and `max_workers`, which can adjust in reaction to - changing load on the system. + required: + - subAction + description: The `issue` subaction for Jira connectors. + properties: + subAction: + type: string + description: The action to test. + enum: + - issue + subActionParams: + type: object + required: + - id + properties: + id: + type: string + description: The Jira issue identifier. + example: 71778 + run_issues: + title: The issues subaction type: object - Task_manager_health_Serverless_APIs_health_response_serverless: - title: Task health response properties + required: + - subAction + - subActionParams + description: The `issues` subaction for Jira connectors. + properties: + subAction: + type: string + description: The action to test. + enum: + - issues + subActionParams: + type: object + required: + - title + properties: + title: + type: string + description: The title of the Jira issue. + run_issuetypes: + title: The issueTypes subaction type: object + required: + - subAction + description: The `issueTypes` subaction for Jira connectors. properties: - id: + subAction: type: string - last_update: + description: The action to test. + enum: + - issueTypes + run_postmessage: + title: The postMessage subaction + type: object + description: | + Test an action that sends a message to Slack. It is applicable only when the connector type is `.slack_api`. + required: + - subAction + - subActionParams + properties: + subAction: type: string - stats: + description: The action to test. + enum: + - postMessage + subActionParams: type: object + description: The set of configuration properties for the action. 
properties: - configuration: - $ref: >- - #/components/schemas/Task_manager_health_Serverless_APIs_configuration - workload: - $ref: >- - #/components/schemas/Task_manager_health_Serverless_APIs_workload - status: - type: string - timestamp: + channelIds: + type: array + maxItems: 1 + description: | + The Slack channel identifier, which must be one of the `allowedChannels` in the connector configuration. + items: + type: string + channels: + type: array + deprecated: true + description: | + The name of a channel that your Slack app has access to. + maxItems: 1 + items: + type: string + text: + type: string + description: | + The Slack message text. If it is a Slack webhook connector, the text cannot contain Markdown, images, or other advanced formatting. If it is a Slack web API connector, it can contain either plain text or block kit messages. + minLength: 1 + run_pushtoservice: + title: The pushToService subaction + type: object + required: + - subAction + - subActionParams + description: The `pushToService` subaction for Jira, ServiceNow ITSM, ServiceNow SecOps, Swimlane, TheHive, and Webhook - Case Management connectors. + properties: + subAction: type: string - Task_manager_health_Serverless_APIs_workload: - description: > - This object summarizes the work load across the cluster, including the - tasks in the system, their types, and current status. + description: The action to test. + enum: + - pushToService + subActionParams: + type: object + description: The set of configuration properties for the action. + properties: + comments: + type: array + description: Additional information that is sent to Jira, ServiceNow ITSM, ServiceNow SecOps, Swimlane, or TheHive. + items: + type: object + properties: + comment: + type: string + description: A comment related to the incident. For example, describe how to troubleshoot the issue. + commentId: + type: integer + description: A unique identifier for the comment. 
+ incident: + type: object + description: Information necessary to create or update a Jira, ServiceNow ITSM, ServiveNow SecOps, Swimlane, or TheHive incident. + properties: + additional_fields: + type: string + nullable: true + maxLength: 20 + description: | + Additional fields for ServiceNow ITSM and ServiveNow SecOps connectors. The fields must exist in the Elastic ServiceNow application and must be specified in JSON format. + alertId: + type: string + description: The alert identifier for Swimlane connectors. + caseId: + type: string + description: The case identifier for the incident for Swimlane connectors. + caseName: + type: string + description: The case name for the incident for Swimlane connectors. + category: + type: string + description: The category of the incident for ServiceNow ITSM and ServiceNow SecOps connectors. + correlation_display: + type: string + description: A descriptive label of the alert for correlation purposes for ServiceNow ITSM and ServiceNow SecOps connectors. + correlation_id: + type: string + description: | + The correlation identifier for the security incident for ServiceNow ITSM and ServiveNow SecOps connectors. Connectors using the same correlation ID are associated with the same ServiceNow incident. This value determines whether a new ServiceNow incident is created or an existing one is updated. Modifying this value is optional; if not modified, the rule ID and alert ID are combined as `{{ruleID}}:{{alert ID}}` to form the correlation ID value in ServiceNow. The maximum character length for this value is 100 characters. NOTE: Using the default configuration of `{{ruleID}}:{{alert ID}}` ensures that ServiceNow creates a separate incident record for every generated alert that uses a unique alert ID. If the rule generates multiple alerts that use the same alert IDs, ServiceNow creates and continually updates a single incident record for the alert. 
+ description: + type: string + description: The description of the incident for Jira, ServiceNow ITSM, ServiceNow SecOps, Swimlane, TheHive, and Webhook - Case Management connectors. + dest_ip: + description: | + A list of destination IP addresses related to the security incident for ServiceNow SecOps connectors. The IPs are added as observables to the security incident. + oneOf: + - type: string + - type: array + items: + type: string + externalId: + type: string + description: | + The Jira, ServiceNow ITSM, or ServiceNow SecOps issue identifier. If present, the incident is updated. Otherwise, a new incident is created. + id: + type: string + description: The external case identifier for Webhook - Case Management connectors. + impact: + type: string + description: The impact of the incident for ServiceNow ITSM connectors. + issueType: + type: integer + description: The type of incident for Jira connectors. For example, 10006. To obtain the list of valid values, set `subAction` to `issueTypes`. + labels: + type: array + items: + type: string + description: | + The labels for the incident for Jira connectors. NOTE: Labels cannot contain spaces. + malware_hash: + description: A list of malware hashes related to the security incident for ServiceNow SecOps connectors. The hashes are added as observables to the security incident. + oneOf: + - type: string + - type: array + items: + type: string + malware_url: + type: string + description: A list of malware URLs related to the security incident for ServiceNow SecOps connectors. The URLs are added as observables to the security incident. + oneOf: + - type: string + - type: array + items: + type: string + otherFields: + type: object + additionalProperties: true + maxProperties: 20 + description: | + Custom field identifiers and their values for Jira connectors. + parent: + type: string + description: The ID or key of the parent issue for Jira connectors. Applies only to `Sub-task` types of issues. 
+ priority: + type: string + description: The priority of the incident in Jira and ServiceNow SecOps connectors. + ruleName: + type: string + description: The rule name for Swimlane connectors. + severity: + type: integer + description: | + The severity of the incident for ServiceNow ITSM, Swimlane, and TheHive connectors. In TheHive connectors, the severity value ranges from 1 (low) to 4 (critical) with a default value of 2 (medium). + short_description: + type: string + description: | + A short description of the incident for ServiceNow ITSM and ServiceNow SecOps connectors. It is used for searching the contents of the knowledge base. + source_ip: + description: A list of source IP addresses related to the security incident for ServiceNow SecOps connectors. The IPs are added as observables to the security incident. + oneOf: + - type: string + - type: array + items: + type: string + status: + type: string + description: The status of the incident for Webhook - Case Management connectors. + subcategory: + type: string + description: The subcategory of the incident for ServiceNow ITSM and ServiceNow SecOps connectors. + summary: + type: string + description: A summary of the incident for Jira connectors. + tags: + type: array + items: + type: string + description: A list of tags for TheHive and Webhook - Case Management connectors. + title: + type: string + description: | + A title for the incident for Jira, TheHive, and Webhook - Case Management connectors. It is used for searching the contents of the knowledge base. + tlp: + type: integer + minimum: 0 + maximum: 4 + default: 2 + description: | + The traffic light protocol designation for the incident in TheHive connectors. Valid values include: 0 (clear), 1 (green), 2 (amber), 3 (amber and strict), and 4 (red). + urgency: + type: string + description: The urgency of the incident for ServiceNow ITSM connectors. 
+ run_validchannelid: + title: The validChannelId subaction type: object + description: | + Retrieves information about a valid Slack channel identifier. It is applicable only when the connector type is `.slack_api`. + required: + - subAction + - subActionParams + properties: + subAction: + type: string + description: The action to test. + enum: + - validChannelId + subActionParams: + type: object + required: + - channelId + properties: + channelId: + type: string + description: The Slack channel identifier. + example: C123ABC456 securitySchemes: apiKeyAuth: - description: >- - You must create an API key and use the encoded value in the request - header. To learn about creating keys, go to [API - keys](https://www.elastic.co/docs/current/serverless/api-keys). + description: You must create an API key and use the encoded value in the request header. To learn about creating keys, go to [API keys](https://www.elastic.co/docs/current/serverless/api-keys). in: header name: Authorization type: apiKey -security: - - apiKeyAuth: [] -tags: - - description: | - Adjust APM agent configuration without need to redeploy your application. - name: APM agent configuration - - description: > - Configure APM agent keys to authorize requests from APM agents to the APM - Server. - name: APM agent keys - - description: > - Annotate visualizations in the APM app with significant events. - Annotations enable you to easily see how events are impacting the - performance of your applications. - name: APM annotations - - description: Create APM fleet server schema. - name: APM server schema - - description: > - Configure APM source maps. A source map allows minified files to be mapped - back to original source code--allowing you to maintain the speed advantage - of minified code, without losing the ability to quickly and easily debug - your application. 
- - For best results, uploading source maps should become a part of your - deployment procedure, and not something you only do when you see unhelpful - errors. That's because uploading source maps after errors happen won't - make old errors magically readable--errors must occur again for source - mapping to occur. - name: APM sourcemaps - - name: Data streams - - description: >- - Data view APIs enable you to manage data views, formerly known as Kibana - index patterns. - name: data views - - name: Elastic Agent actions - - name: Elastic Agent binary download sources - - name: Elastic Agent policies - - name: Elastic Agent status - - name: Elastic Agents - - name: Elastic Package Manager (EPM) - - name: Fleet agentless policies - - name: Fleet cloud connectors - - name: Fleet enrollment API keys - - name: Fleet internals - - name: Fleet outputs - - name: Fleet package policies - - name: Fleet proxies - - name: Fleet Server hosts - - name: Fleet service tokens - - name: Fleet uninstall tokens - - name: Message Signing Service - - description: Machine learning - name: ml - - description: Interact with the Observability AI Assistant resources. - externalDocs: - description: Observability AI Assistant - url: >- - https://www.elastic.co/docs/solutions/observability/observability-ai-assistant - name: observability_ai_assistant - x-displayName: Observability AI Assistant - - description: Manage and interact with Security Assistant resources. - name: Security AI Assistant API - x-displayName: Security AI assistant - - description: >- - Use the Attack discovery APIs to generate and manage Attack discoveries. - Attack Discovery leverages large language models (LLMs) to analyze alerts - in your environment and identify threats. Each "discovery" represents a - potential attack and describes relationships among multiple alerts to tell - you which users and hosts are involved, how alerts correspond to the MITRE - ATT&CK matrix, and which threat actor might be responsible. 
- name: Security Attack discovery API - x-displayName: Security Attack discovery - - description: > - Use the detections APIs to create and manage detection rules. Detection - rules search events and external alerts sent to Elastic Security and - generate detection alerts from any hits. Alerts are displayed on the - **Alerts** page and can be assigned and triaged, using the alert status to - mark them as open, closed, or acknowledged. - - - This API supports both key-based authentication and basic authentication. - - - To use key-based authentication, create an API key, then specify the key - in the header of your API calls. - - - To use basic authentication, provide a username and password; this - automatically creates an API key that matches the current user’s - privileges. - - - In both cases, the API key is subsequently used for authorization when the - rule runs. - - > warn - - > If the API key used for authorization has different privileges than the - key that created or most recently updated a rule, the rule behavior might - change. - - - > If the API key that created a rule is deleted, or the user that created - the rule becomes inactive, the rule will stop running. - - - To create and run rules, the user must meet specific requirements for the - Kibana space. Refer to the [Detections - requirements](https://www.elastic.co/guide/en/security/current/detections-permissions-section.html) - for a complete list of requirements. - name: Security Detections API - x-displayName: Security detections - - description: >- - Endpoint Exceptions API allows you to manage detection rule endpoint - exceptions to prevent a rule from generating an alert from incoming events - even when the rule's other criteria are met. - name: Security Endpoint Exceptions API - x-displayName: Security Elastic Endpoint exceptions - - description: Interact with and manage endpoints running the Elastic Defend integration. 
- name: Security Endpoint Management API - x-displayName: Security endpoint management - - description: '' - name: Security Entity Analytics API - x-displayName: Security entity analytics - - description: > - Exceptions are associated with detection and endpoint rules, and are used - to prevent a rule from generating an alert from incoming events, even when - the rule's other criteria are met. They can help reduce the number of - false positives and prevent trusted processes and network activity from - generating unnecessary alerts. - - - Exceptions are made up of: - - - * **Exception containers**: A container for related exceptions. Generally, - a single exception container contains all the exception items relevant for - a subset of rules. For example, a container can be used to group together - network-related exceptions that are relevant for a large number of network - rules. The container can then be associated with all the relevant rules. - - * **Exception items**: The query (fields, values, and logic) used to - prevent rules from generating alerts. When an exception item's query - evaluates to `true`, the rule does not generate an alert. - - - For detection rules, you can also use lists to define rule exceptions. A - list holds multiple values of the same Elasticsearch data type, such as IP - addresses. These values are used to determine when an exception prevents - an alert from being generated. - - > info - - > You cannot use lists with endpoint rule exceptions. - - - > info - - > Only exception containers can be associated with rules. You cannot - directly associate an exception item or a list container with a rule. To - use list exceptions, create an exception item that references the relevant - list container. - - - ## Exceptions requirements - - - Before you can start working with exceptions that use value lists, you - must create the `.lists` and `.items` data streams for the relevant Kibana - space. 
To do this, use the [Create list data - streams](../operation/operation-createlistindex) endpoint. Once these data - streams are created, your role needs privileges to manage rules. For a - complete list of requirements, refer to [Enable and access - detections](https://www.elastic.co/guide/en/serverless/current/security-detections-requirements.html#enable-detections-ui). - name: Security Exceptions API - x-displayName: Security exceptions - - description: > - Lists can be used with detection rule exceptions to define values that - prevent a rule from generating alerts. - - - Lists are made up of: - - - * **List containers**: A container for values of the same Elasticsearch - data type. The following data types can be used: - * `boolean` - * `byte` - * `date` - * `date_nanos` - * `date_range` - * `double` - * `double_range` - * `float` - * `float_range` - * `half_float` - * `integer` - * `integer_range` - * `ip` - * `ip_range` - * `keyword` - * `long` - * `long_range` - * `short` - * `text` - * **List items**: The values used to determine whether the exception - prevents an alert from being generated. - - - All list items in the same list container must be of the same data type, - and each item defines a single value. For example, an IP list container - named `internal-ip-addresses-southport` contains five items, where each - item defines one internal IP address: - - 1. `192.168.1.1` - - 2. `192.168.1.3` - - 3. `192.168.1.18` - - 4. `192.168.1.12` - - 5. `192.168.1.7` - - - To use these IP addresses as values for defining rule exceptions, use the - Security exceptions API to [create an exception list - item](../operation/operation-createexceptionlistitem) that references the - `internal-ip-addresses-southport` list. - - > info - - > Lists cannot be added directly to rules, nor do they define the - operators used to determine when exceptions are applied (`is in list`, `is - not in list`). 
Use an exception item to define the operator and associate - it with an [exception - container](../operation/operation-createexceptionlist). You can then add - the exception container to a rule's `exceptions_list` object. +x-topics: + - title: Kibana spaces + content: | + Spaces enable you to organize your dashboards and other saved objects into meaningful categories. + You can use the default space or create your own spaces. + To run APIs in non-default spaces, you must add `s/{space_id}/` to the path. + For example: - ## Lists requirements + ```bash + curl -X GET "http://${KIBANA_URL}/s/marketing/api/data_views" \ + -H "Authorization: ApiKey ${API_KEY}" + ``` + If you use the Kibana console to send API requests, it automatically adds the appropriate space identifier. - Before you can start using lists, you must create the `.lists` and - `.items` data streams for the relevant Kibana space. To do this, use the - [Create list data streams](../operation/operation-createlistindex) - endpoint. Once these data streams are created, your role needs privileges - to manage rules. Refer to [Enable and access - detections](https://www.elastic.co/guide/en/serverless/current/security-detections-requirements.html#enable-detections-ui) - for a complete list of requirements. - name: Security Lists API - x-displayName: Security lists - - description: Run live queries, manage packs and saved queries. - name: Security Osquery API - x-displayName: Security Osquery - - description: >- - You can create Timelines and Timeline templates via the API, as well as - import new Timelines from an ndjson file. 
- name: Security Timeline API
- x-displayName: Security timeline
- - description: SLO APIs enable you to define, manage and track service-level objectives
- name: slo
- - description: >-
- Task manager APIs enable you to check the health of the Kibana task
- manager, which is used by features such as alerting, actions, and
- reporting to run mission critical work as persistent background tasks.
- externalDocs:
- description: Task manager
- url: >-
- https://www.elastic.co/docs/deploy-manage/distributed-architecture/kibana-tasks-management
- name: task manager
- x-displayName: Task manager
+ To learn more, check out [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces).
diff --git a/oas_docs/output/kibana.yaml b/oas_docs/output/kibana.yaml
index e100dc14b09fa..a79f97b1c52af 100644
--- a/oas_docs/output/kibana.yaml
+++ b/oas_docs/output/kibana.yaml
@@ -2,68 +2,38 @@ openapi: 3.0.3 info: contact: name: Kibana Team - description: > - The Kibana REST APIs enable you to manage resources such as connectors, data - views, and saved objects. - + description: | + The Kibana REST APIs enable you to manage resources such as connectors, data views, and saved objects. The API calls are stateless. - - Each request that you make happens in isolation from other calls and must - include all of the necessary information for Kibana to fulfill the - + Each request that you make happens in isolation from other calls and must include all of the necessary information for Kibana to fulfill the request. - - API requests return JSON output, which is a format that is machine-readable - and works well for automation. - + API requests return JSON output, which is a format that is machine-readable and works well for automation. To interact with Kibana APIs, use the following operations: - - GET: Fetches the information. - - PATCH: Applies partial modifications to the existing information. - - POST: Adds new information. - - PUT: Updates the existing information. - - DELETE: Removes the information. - - You can prepend any Kibana API endpoint with `kbn:` and run the request in - **Dev Tools → Console**. - + You can prepend any Kibana API endpoint with `kbn:` and run the request in **Dev Tools → Console**. For example: - ``` - GET kbn:/api/data_views - ``` + For more information about the console, refer to [Run API requests](https://www.elastic.co/docs/explore-analyze/query-filter/tools/console). - For more information about the console, refer to [Run API - requests](https://www.elastic.co/docs/explore-analyze/query-filter/tools/console). - - - NOTE: Access to internal Kibana API endpoints will be restricted in Kibana - version 9.0. Please move any integrations to publicly documented APIs. - + NOTE: Access to internal Kibana API endpoints will be restricted in Kibana version 9.0. Please move any integrations to publicly documented APIs. 
## Documentation source and versions
+ This documentation is derived from the `main` branch of the [kibana](https://github.com/elastic/kibana) repository.
+ It is provided under license [Attribution-NonCommercial-NoDerivatives 4.0 International](https://creativecommons.org/licenses/by-nc-nd/4.0/).
- This documentation is derived from the `main` branch of the
- [kibana](https://github.com/elastic/kibana) repository.
-
- It is provided under license [Attribution-NonCommercial-NoDerivatives 4.0
- International](https://creativecommons.org/licenses/by-nc-nd/4.0/).
-
-
- This documentation contains work-in-progress information for future Elastic
- Stack releases.
+ This documentation contains work-in-progress information for future Elastic Stack releases.
title: Kibana APIs version: '' x-doc-license:
@@ -71,948 +41,1821 @@ info: url: https://creativecommons.org/licenses/by-nc-nd/4.0/ x-feedbackLink: label: Feedback
- url: >-
- https://github.com/elastic/docs-content/issues/new?assignees=&labels=feedback%2Ccommunity&projects=&template=api-feedback.yaml&title=%5BFeedback%5D%3A+
+ url: https://github.com/elastic/docs-content/issues/new?assignees=&labels=feedback%2Ccommunity&projects=&template=api-feedback.yaml&title=%5BFeedback%5D%3A+
servers:
- - url: http://{kibana_host}:{port}
- variables:
- kibana_host:
- default: localhost
- port:
- default: '5601'
- - url: http://localhost:5622
- - url: /
- url: https://{kibana_url}
variables: kibana_url: default: localhost:5601
+security:
+ - apiKeyAuth: []
+ - basicAuth: []
+tags:
+ - name: agent builder
+ description: |
+ Agent Builder is a set of AI-powered capabilities for developing and interacting with agents that work with your Elasticsearch data.
+ Most users will probably want to integrate with Agent Builder using MCP or A2A, but you can also work programmatically with tools, agents, and conversations using these Kibana APIs.
+ **Elastic Agent Builder requires an Enterprise subscription.**
+ externalDocs:
+ description: Agent Builder docs
+ url: https://www.elastic.co/docs/solutions/search/agent-builder/programmatic-access
+ x-displayName: Agent Builder
+ - name: alerting
+ description: |
+ Alerting enables you to define rules, which detect complex conditions within your data. When a condition is met, the rule tracks it as an alert and runs the actions that are defined in the rule. Actions typically involve the use of connectors to interact with Kibana services or third party integrations.
+ externalDocs:
+ description: Alerting documentation
+ url: https://www.elastic.co/docs/explore-analyze/alerts-cases/alerts
+ x-displayName: Alerting
+ - description: |
+ Adjust APM agent configuration without need to redeploy your application.
+ name: APM agent configuration
+ - description: |
+ Configure APM agent keys to authorize requests from APM agents to the APM Server.
+ name: APM agent keys
+ - description: |
+ Annotate visualizations in the APM app with significant events. Annotations enable you to easily see how events are impacting the performance of your applications.
+ name: APM annotations
+ - description: Create APM fleet server schema.
+ name: APM server schema
+ - description: |
+ Configure APM source maps. A source map allows minified files to be mapped back to original source code--allowing you to maintain the speed advantage of minified code, without losing the ability to quickly and easily debug your application.
+ For best results, uploading source maps should become a part of your deployment procedure, and not something you only do when you see unhelpful errors. That's because uploading source maps after errors happen won't make old errors magically readable--errors must occur again for source mapping to occur.
+ name: APM sourcemaps
+ - description: |
+ Cases are used to open and track issues. You can add assignees and tags to your cases, set their severity and status, and add alerts, comments, and visualizations. You can also send cases to external incident management systems by configuring connectors.
+ name: cases
+ externalDocs:
+ description: Cases documentation
+ url: https://www.elastic.co/docs/explore-analyze/alerts-cases/cases
+ x-displayName: Cases
+ - name: connectors
+ description: |
+ Connectors provide a central place to store connection information for services and integrations with Elastic or third party systems. Alerting rules can use connectors to run actions when rule conditions are met.
+ externalDocs:
+ description: Connector documentation
+ url: https://www.elastic.co/docs/reference/kibana/connectors-kibana
+ x-displayName: Connectors
+ - name: Dashboards
+ description: |
+ > **Technical preview** — The Dashboards API is currently in technical preview and its reference documentation is temporarily hosted at a separate location.
+ >
+ > **[View the full Dashboards API reference →](https://elastic.github.io/dashboards-api-spec/dashboards#tag/Dashboards)**
+ externalDocs:
+ description: Dashboards documentation
+ url: https://www.elastic.co/docs/explore-analyze/dashboards
+ x-displayName: Dashboards
+ - name: Data streams
+ description: |
+ Data stream APIs enable you to manage data streams, which are collections of indices that share the same index template and are managed as a single unit for time-series data.
+ x-displayName: Data streams
+ - description: Data view APIs enable you to manage data views, formerly known as Kibana index patterns.
+ name: data views
+ x-displayName: Data views
+ - name: Elastic Agent actions
+ description: |
+ Elastic Agent actions APIs enable you to manage actions performed on Elastic Agents, including agent reassignment, diagnostics collection, enrollment management, upgrades, and bulk operations for agent lifecycle management.
+ x-displayName: Elastic Agent actions
+ - name: Elastic Agent binary download sources
+ description: |
+ Elastic Agent binary download sources APIs enable you to manage download sources for Elastic Agent binaries, including creating, updating, and deleting custom download sources for agent binaries.
+ x-displayName: Elastic Agent binary download sources
+ - name: Elastic Agent policies
+ description: |
+ Elastic Agent policies APIs enable you to manage agent policies, including creating, updating, and deleting policies, as well as to retrieve agent policy outputs, manifests, and auto-upgrade status information.
+ x-displayName: Elastic Agent policies
+ - name: Elastic Agent status
+ description: |
+ Enables you to retrieve status information about Elastic Agents, including health summaries and operational status.
+ x-displayName: Elastic Agent status
+ - name: Elastic Agents
+ description: |
+ Elastic Agents APIs enable you to manage Elastic Agents, including retrieving agent information, managing agent lifecycle, handling file uploads, and initiating agent setup.
+ x-displayName: Elastic Agents
+ - name: Elastic Package Manager (EPM)
+ description: |
+ Elastic Package Manager (EPM) APIs enable you to manage packages and integrations, including installing, updating, and uninstalling packages, managing custom integrations, and handling package assets.
+ x-displayName: Elastic Package Manager (EPM)
+ - name: Fleet agentless policies
+ - name: Fleet cloud connectors
+ description: |
+ Fleet cloud connectors APIs enable you to manage Fleet cloud connectors, including creating, updating, and deleting cloud connector configurations for Fleet integrations.
+ x-displayName: Fleet cloud connectors
+ - name: Fleet enrollment API keys
+ description: |
+ Fleet enrollment API keys APIs enable you to manage enrollment API keys for Fleet, including creating, retrieving, and revoking API keys used for agent enrollment.
+ x-displayName: Fleet enrollment API keys
+ - name: Fleet internals
+ description: |
+ Fleet internals APIs enable you to manage Fleet internal operations, including checking permissions, monitoring Fleet Server health, managing settings, and initiating Fleet setup.
+ x-displayName: Fleet internals
+ - name: Fleet outputs
+ description: |
+ Fleet outputs APIs enable you to manage Fleet outputs, including creating, updating, and deleting output configurations, generating Logstash API keys, and monitoring output health.
+ x-displayName: Fleet outputs
+ - name: Fleet package policies
+ description: |
+ Fleet package policies APIs enable you to manage Fleet package policies, including creating, updating, and deleting policies, performing bulk operations, and managing policy upgrades.
+ x-displayName: Fleet package policies
+ - name: Fleet proxies
+ description: |
+ Fleet proxies APIs enable you to manage Fleet proxies, including creating, updating, and deleting proxy configurations for Fleet agent communication.
+ x-displayName: Fleet proxies
+ - name: Fleet remote synced integrations
+ description: |
+ Use the Fleet remote synced integrations API to check the status of the automatic integrations synchronization on a remote cluster:
+ * Use the `/api/fleet/remote_synced_integrations/{outputId}/remote_status` endpoint on the management cluster to query the synchronization status of the integrations installed on the remote cluster by the ID of the configured remote Elasticsearch output.
+ * Use the `/api/fleet/remote_synced_integrations/status` endpoint on the remote cluster to query the synchronization status of the installed integrations.
+ externalDocs:
+ description: Automatic integrations synchronization documentation
+ url: https://www.elastic.co/docs/reference/fleet/automatic-integrations-synchronization
+ - name: Fleet Server hosts
+ description: |
+ Fleet Server hosts APIs enable you to manage Fleet Server hosts, including creating, updating, and deleting Fleet Server host configurations.
+ x-displayName: Fleet Server hosts
+ - name: Fleet service tokens
+ description: |
+ Enables you to create tokens for Fleet service authentication and authorization.
+ x-displayName: Fleet service tokens
+ - name: Fleet uninstall tokens
+ description: |
+ Fleet uninstall tokens APIs enable you to manage Fleet uninstall tokens, including retrieving metadata and decrypted tokens for agent uninstallation.
+ x-displayName: Fleet uninstall tokens
+ - description: |
+ Programmatically integrate with Logstash configuration management.
+ > warn
+ > Do not directly access the `.logstash` index. The structure of the `.logstash` index is subject to change, which could cause your integration to break. Instead, use the Logstash configuration management APIs.
+ externalDocs:
+ description: Centralized pipeline management
+ url: https://www.elastic.co/docs/reference/logstash/logstash-centralized-pipeline-management
+ name: logstash
+ x-displayName: Logstash configuration management
+ - name: maintenance-window
+ description: |
+ You can schedule single or recurring maintenance windows to temporarily reduce rule notifications. For example, a maintenance window prevents false alarms during planned outages.
+ externalDocs:
+ description: Maintenance window documentation
+ url: https://www.elastic.co/docs/explore-analyze/alerts-cases/alerts/maintenance-windows
+ x-displayName: Maintenance windows
+ - name: Message Signing Service
+ description: |
+ Enables you to rotate message signing key pairs for secure Fleet communication.
+ x-displayName: Fleet Message Signing Service
+ - description: |
+ Enables you to synchronize machine learning saved objects.
+ name: ml
+ x-displayName: Machine learning
+ - description: Interact with the Observability AI Assistant resources.
+ externalDocs:
+ description: Observability AI Assistant
+ url: https://www.elastic.co/docs/solutions/observability/observability-ai-assistant
+ name: observability_ai_assistant
+ x-displayName: Observability AI Assistant
+ - name: roles
+ x-displayName: Roles
+ description: Manage the roles that grant Elasticsearch and Kibana privileges.
+ externalDocs:
+ description: Kibana role management
+ url: https://www.elastic.co/docs/deploy-manage/users-roles/cluster-or-deployment-auth/defining-roles
+ - name: saved objects
+ x-displayName: Saved objects
+ description: |
+ Export sets of saved objects that you want to import into Kibana, resolve import errors, and rotate an encryption key for encrypted saved objects with the saved objects APIs.
+
+ To manage a specific type of saved object, use the corresponding APIs.
+ For example, use:
+
+ * [Data views](../group/endpoint-data-views)
+ * [Spaces](../group/endpoint-spaces)
+ * [Short URLs](../group/endpoint-short-url)
+
+ Warning: Do not write documents directly to the `.kibana` index. When you write directly to the `.kibana` index, the data becomes corrupted and permanently breaks future Kibana versions.
+ - description: Manage and interact with Security Assistant resources.
+ name: Security AI Assistant API
+ x-displayName: Security AI assistant
+ - description: Use the Attack discovery APIs to generate and manage Attack discoveries. Attack Discovery leverages large language models (LLMs) to analyze alerts in your environment and identify threats. Each "discovery" represents a potential attack and describes relationships among multiple alerts to tell you which users and hosts are involved, how alerts correspond to the MITRE ATT&CK matrix, and which threat actor might be responsible.
+ name: Security Attack discovery API
+ x-displayName: Security Attack discovery
+ - description: |
+ Use the detections APIs to create and manage detection rules. Detection rules search events and external alerts sent to Elastic Security and generate detection alerts from any hits. Alerts are displayed on the **Alerts** page and can be assigned and triaged, using the alert status to mark them as open, closed, or acknowledged.
+
+ This API supports both key-based authentication and basic authentication.
+
+ To use key-based authentication, create an API key, then specify the key in the header of your API calls.
+
+ To use basic authentication, provide a username and password; this automatically creates an API key that matches the current user’s privileges.
+
+ In both cases, the API key is subsequently used for authorization when the rule runs.
+ > warn
+ > If the API key used for authorization has different privileges than the key that created or most recently updated a rule, the rule behavior might change.
+
+ > If the API key that created a rule is deleted, or the user that created the rule becomes inactive, the rule will stop running.
+
+ To create and run rules, the user must meet specific requirements for the Kibana space. Refer to the [Detections requirements](https://www.elastic.co/guide/en/security/current/detections-permissions-section.html) for a complete list of requirements.
+ name: Security Detections API
+ x-displayName: Security detections
+ - description: Endpoint Exceptions API allows you to manage detection rule endpoint exceptions to prevent a rule from generating an alert from incoming events even when the rule's other criteria are met.
+ name: Security Endpoint Exceptions API
+ x-displayName: Security Elastic Endpoint exceptions
+ - description: Interact with and manage endpoints running the Elastic Defend integration.
+ name: Security Endpoint Management API
+ x-displayName: Security endpoint management
+ - description: |
+ Use the Security entity analytics APIs to manage entity analytics and risk scoring, including asset criticality, privileged user monitoring, and entity engines.
+ name: Security Entity Analytics API
+ x-displayName: Security entity analytics
+ - name: Security entity store
+ - description: |
+ Exceptions are associated with detection and endpoint rules, and are used to prevent a rule from generating an alert from incoming events, even when the rule's other criteria are met.
They can help reduce the number of false positives and prevent trusted processes and network activity from generating unnecessary alerts.
+
+ Exceptions are made up of:
+
+ * **Exception containers**: A container for related exceptions. Generally, a single exception container contains all the exception items relevant for a subset of rules. For example, a container can be used to group together network-related exceptions that are relevant for a large number of network rules. The container can then be associated with all the relevant rules.
+ * **Exception items**: The query (fields, values, and logic) used to prevent rules from generating alerts. When an exception item's query evaluates to `true`, the rule does not generate an alert.
+
+ For detection rules, you can also use lists to define rule exceptions. A list holds multiple values of the same Elasticsearch data type, such as IP addresses. These values are used to determine when an exception prevents an alert from being generated.
+ > info
+ > You cannot use lists with endpoint rule exceptions.
+
+ > info
+ > Only exception containers can be associated with rules. You cannot directly associate an exception item or a list container with a rule. To use list exceptions, create an exception item that references the relevant list container.
+
+ ## Exceptions requirements
+
+ Before you can start working with exceptions that use value lists, you must create the `.lists` and `.items` data streams for the relevant Kibana space. To do this, use the [Create list data streams](../operation/operation-createlistindex) endpoint. Once these data streams are created, your role needs privileges to manage rules. For a complete list of requirements, refer to [Enable and access detections](https://www.elastic.co/guide/en/security/current/detections-permissions-section.html#enable-detections-ui).
+ name: Security Exceptions API + x-displayName: Security exceptions + - description: | + Lists can be used with detection rule exceptions to define values that prevent a rule from generating alerts. + + Lists are made up of: + + * **List containers**: A container for values of the same Elasticsearch data type. The following data types can be used: + * `boolean` + * `byte` + * `date` + * `date_nanos` + * `date_range` + * `double` + * `double_range` + * `float` + * `float_range` + * `half_float` + * `integer` + * `integer_range` + * `ip` + * `ip_range` + * `keyword` + * `long` + * `long_range` + * `short` + * `text` + * **List items**: The values used to determine whether the exception prevents an alert from being generated. + + All list items in the same list container must be of the same data type, and each item defines a single value. For example, an IP list container named `internal-ip-addresses-southport` contains five items, where each item defines one internal IP address: + 1. `192.168.1.1` + 2. `192.168.1.3` + 3. `192.168.1.18` + 4. `192.168.1.12` + 5. `192.168.1.7` + + To use these IP addresses as values for defining rule exceptions, use the Security exceptions API to [create an exception list item](../operation/operation-createexceptionlistitem) that references the `internal-ip-addresses-southport` list. + > info + > Lists cannot be added directly to rules, nor do they define the operators used to determine when exceptions are applied (`is in list`, `is not in list`). Use an exception item to define the operator and associate it with an [exception container](../operation/operation-createexceptionlist). You can then add the exception container to a rule's `exceptions_list` object. + + ## Lists requirements + + Before you can start using lists, you must create the `.lists` and `.items` data streams for the relevant Kibana space. To do this, use the [Create list data streams](../operation/operation-createlistindex) endpoint. 
Once these data streams are created, your role needs privileges to manage rules. Refer to [Enable and access detections](https://www.elastic.co/guide/en/security/current/detections-permissions-section.html#enable-detections-ui) for a complete list of requirements. + name: Security Lists API + x-displayName: Security lists + - description: Run live queries, manage packs and saved queries. + name: Security Osquery API + x-displayName: Security Osquery + - description: You can create Timelines and Timeline templates via the API, as well as import new Timelines from an ndjson file. + name: Security Timeline API + x-displayName: Security timeline + - description: Manage Kibana short URLs. + name: short url + x-displayName: Short URLs + - description: SLO APIs enable you to define, manage and track service-level objectives + name: slo + x-displayName: Service level objectives + - name: spaces + x-displayName: Spaces + description: Manage your Kibana spaces. + externalDocs: + url: https://www.elastic.co/docs/deploy-manage/manage-spaces + description: Space overview + - name: streams + description: | + Streams provide a unified data management layer for ingestion, routing, and processing. There are three stream types: + * **Wired** streams are managed by Kibana. They route documents to child streams based on + field conditions and support custom field mappings and processing steps. + + * **Classic** streams map to existing Elasticsearch data streams. You can add processing + steps to classic streams without changing their underlying index template. + + * **Query** streams are virtual aggregations backed by an ES|QL expression. They aggregate + data from multiple streams into a single logical view without duplicating documents. 
+ x-displayName: Streams + externalDocs: + description: Streams documentation + url: https://www.elastic.co/docs/solutions/observability/streams + - name: synthetics + x-displayName: Synthetics + description: Synthetics APIs enable you to check the status of your services and applications. + externalDocs: + description: Synthetic monitoring + url: https://www.elastic.co/docs/solutions/observability/synthetics + - name: system + x-displayName: System + description: | + Get information about the system status, resource usage, features, and installed plugins. + - description: Task manager APIs enable you to check the health of the Kibana task manager, which is used by features such as alerting, actions, and reporting to run mission critical work as persistent background tasks. + externalDocs: + description: Task manager + url: https://www.elastic.co/docs/deploy-manage/distributed-architecture/kibana-tasks-management + name: task manager + x-displayName: Task manager + - description: | + The Kibana Upgrade Assistant API helps you prepare for the next major Elasticsearch release. + > warn + > This is a Kibana REST API (not an Elasticsearch API) and requests must target your Kibana URL: + > * Self-managed URL pattern: `https://localhost:5601` + > * Elastic Cloud URL pattern: `https://your-deployment.kb.us-east-1.aws.elastic.cloud:9243` + name: upgrade + x-displayName: Upgrade assistant + - description: Uptime APIs enable you to view and update uptime monitoring settings. + externalDocs: + description: Uptime monitoring + url: https://www.elastic.co/docs/solutions/observability/uptime + name: uptime + x-displayName: Uptime + - name: user session + x-displayName: User session management + description: | + Enables you to invalidate user sessions for security and session management purposes. 
+ - name: Visualizations + description: | + > **Technical preview** — The Visualizations API is currently in technical preview and its reference documentation is temporarily hosted at a separate location. + > + > **[View the full Visualizations API reference →](https://elastic.github.io/dashboards-api-spec/visualizations#tag/Visualizations)** + externalDocs: + description: Visualizations documentation + url: https://www.elastic.co/docs/explore-analyze/visualize/lens + x-displayName: Visualizations + - name: workflows + description: | + Workflows enable you to automate multi-step processes directly in Kibana. Define sequences of steps in YAML to transform data insights into automated actions and outcomes, without needing external automation tools. + + Use the workflows APIs to create, manage, and run workflows programmatically. You can also search, export, import, and monitor workflow executions. + externalDocs: + description: Workflows documentation + url: https://www.elastic.co/docs/explore-analyze/workflows + x-displayName: Workflows paths: - /api/alerting/_health: - get: - description: > - You must have `read` privileges for the **Management > Stack Rules** - feature or for at least one of the **Analytics > Discover**, **Analytics - > Machine Learning**, **Observability**, or **Security** features. - operationId: getAlertingHealth - responses: - '200': - content: - application/json: - examples: - getAlertingHealthResponse: - $ref: '#/components/examples/Alerting_get_health_response' - schema: - type: object - properties: - alerting_framework_health: - description: > - Three substates identify the health of the alerting - framework: `decryption_health`, `execution_health`, and - `read_health`. - type: object - properties: - decryption_health: - description: The timestamp and status of the rule decryption. 
- type: object - properties: - status: - enum: - - error - - ok - - warn - example: ok - type: string - timestamp: - example: '2023-01-13T01:28:00.280Z' - format: date-time - type: string - execution_health: - description: The timestamp and status of the rule run. - type: object - properties: - status: - enum: - - error - - ok - - warn - example: ok - type: string - timestamp: - example: '2023-01-13T01:28:00.280Z' - format: date-time - type: string - read_health: - description: The timestamp and status of the rule reading events. - type: object - properties: - status: - enum: - - error - - ok - - warn - example: ok - type: string - timestamp: - example: '2023-01-13T01:28:00.280Z' - format: date-time - type: string - has_permanent_encryption_key: - description: >- - If `false`, the encrypted saved object plugin does not - have a permanent encryption key. - example: true - type: boolean - is_sufficiently_secure: - description: If `false`, security is enabled but TLS is not. - example: true - type: boolean - description: Indicates a successful call. - '401': - content: - application/json: - examples: - healthUnauthorizedResponse: - $ref: '#/components/examples/Alerting_401_health_response' - schema: - $ref: '#/components/schemas/Alerting_401_response' - description: Authorization information is missing or invalid. - summary: Get the alerting framework health - tags: - - alerting - /api/alerting/rule_types: + /api/actions/connector_types: get: - description: > - If you have `read` privileges for one or more Kibana features, the API - response contains information about the appropriate rule types. For - example, there are rule types associated with the **Management > Stack - Rules** feature, **Analytics > Discover** and **Machine Learning** - features, **Observability** features, and **Security** features. To get - rule types associated with the **Stack Monitoring** feature, use the - `monitoring_user` built-in role. 
- operationId: getRuleTypes + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/actions/connector_types
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + You do not need any Kibana feature privileges to run this API. + operationId: get-actions-connector-types + parameters: + - description: A filter to limit the retrieved connector types to those that support a specific feature (such as alerting or cases). + in: query + name: feature_id + required: false + schema: + type: string responses: '200': content: application/json: - examples: - getRuleTypesResponse: - $ref: '#/components/examples/Alerting_get_rule_types_response' schema: items: + additionalProperties: false type: object properties: - action_groups: - description: > - An explicit list of groups for which the rule type can - schedule actions, each with the action group's unique ID - and human readable name. Rule actions validation uses - this configuration to ensure that groups are valid. - items: - type: object - properties: - id: - type: string - name: - type: string - type: array - action_variables: - description: > - A list of action variables that the rule type makes - available via context and state in action parameter - templates, and a short human readable description. When - you create a rule in Kibana, it uses this information to - prompt you for these variables in action parameter - editors. - type: object - properties: - context: - items: - type: object - properties: - description: - type: string - name: - type: string - useWithTripleBracesInTemplates: - type: boolean - type: array - params: - items: - type: object - properties: - description: - type: string - name: - type: string - type: array - state: - items: - type: object - properties: - description: - type: string - name: - type: string - type: array - alerts: - description: > - Details for writing alerts as data documents for this - rule type. - type: object - properties: - context: - description: | - The namespace for this rule type. 
- enum: - - ml.anomaly-detection - - observability.apm - - observability.logs - - observability.metrics - - observability.slo - - observability.threshold - - observability.uptime - - security - - stack - type: string - dynamic: - description: Indicates whether new fields are added dynamically. - enum: - - 'false' - - runtime - - strict - - 'true' - type: string - isSpaceAware: - description: > - Indicates whether the alerts are space-aware. If - true, space-specific alert indices are used. - type: boolean - mappings: - type: object - properties: - fieldMap: - additionalProperties: - $ref: >- - #/components/schemas/Alerting_fieldmap_properties - description: > - Mapping information for each field supported in - alerts as data documents for this rule type. For - more information about mapping parameters, refer - to the Elasticsearch documentation. - type: object - secondaryAlias: - description: > - A secondary alias. It is typically used to support - the signals alias for detection rules. - type: string - shouldWrite: - description: > - Indicates whether the rule should write out alerts - as data. - type: boolean - useEcs: - description: > - Indicates whether to include the ECS component - template for the alerts. - type: boolean - useLegacyAlerts: - default: false - description: > - Indicates whether to include the legacy component - template for the alerts. - type: boolean - authorized_consumers: - description: >- - The list of the plugins IDs that have access to the rule - type. 
- type: object - properties: - alerts: - type: object - properties: - all: - type: boolean - read: - type: boolean - apm: - type: object - properties: - all: - type: boolean - read: - type: boolean - discover: - type: object - properties: - all: - type: boolean - read: - type: boolean - infrastructure: - type: object - properties: - all: - type: boolean - read: - type: boolean - logs: - type: object - properties: - all: - type: boolean - read: - type: boolean - ml: - type: object - properties: - all: - type: boolean - read: - type: boolean - monitoring: - type: object - properties: - all: - type: boolean - read: - type: boolean - siem: - type: object - properties: - all: - type: boolean - read: - type: boolean - slo: - type: object - properties: - all: - type: boolean - read: - type: boolean - stackAlerts: - type: object - properties: - all: - type: boolean - read: - type: boolean - uptime: - type: object - properties: - all: - type: boolean - read: - type: boolean - category: - description: >- - The rule category, which is used by features such as - category-specific maintenance windows. - enum: - - management - - observability - - securitySolution - type: string - default_action_group_id: - description: The default identifier for the rule type group. - type: string - does_set_recovery_context: - description: >- - Indicates whether the rule passes context variables to - its recovery action. + allow_multiple_system_actions: + description: Indicates whether multiple instances of the same system action connector can be used in a single rule. type: boolean - enabled_in_license: - description: >- - Indicates whether the rule type is enabled or disabled - based on the subscription. + description: + description: Description of the connector type. + type: string + enabled: + description: Indicates whether the connector is enabled. type: boolean - has_alerts_mappings: - description: >- - Indicates whether the rule type has custom mappings for - the alert data. 
+ enabled_in_config: + description: Indicates whether the connector is enabled in the Kibana configuration. type: boolean - has_fields_for_a_a_d: + enabled_in_license: + description: Indicates whether the connector is enabled through the license. type: boolean id: - description: The unique identifier for the rule type. + description: The identifier for the connector. type: string - is_exportable: - description: >- - Indicates whether the rule type is exportable in **Stack - Management > Saved Objects**. + is_deprecated: + description: Indicates whether the connector type is deprecated. + type: boolean + is_experimental: + description: Indicates whether the connector type is in technical preview. + type: boolean + is_system_action_type: + description: Indicates whether the action is a system action. type: boolean minimum_license_required: - description: The subscriptions required to use the rule type. - example: basic + description: The minimum license required to enable the connector. + enum: + - basic + - standard + - gold + - platinum + - enterprise + - trial type: string name: - description: The descriptive name of the rule type. + description: The name of the connector type. type: string - producer: - description: >- - An identifier for the application that produces this - rule type. - example: stackAlerts + source: + description: The source of the connector type definition. + enum: + - yml + - spec + - stack type: string - recovery_action_group: - description: >- - An action group to use when an alert goes from an active - state to an inactive one. - type: object - properties: - id: - type: string - name: - type: string - rule_task_timeout: - example: 5m + sub_feature: + description: Indicates the sub-feature type the connector is grouped under. 
+ enum: + - endpointSecurity type: string + supported_feature_ids: + description: The list of supported features + items: + type: string + type: array + required: + - id + - name + - enabled + - enabled_in_config + - enabled_in_license + - minimum_license_required + - supported_feature_ids + - is_system_action_type + - is_deprecated + - source type: array - description: Indicates a successful call. - '401': - content: - application/json: examples: - ruleTypesUnauthorizedResponse: - $ref: '#/components/examples/Alerting_401_rule_types_response' - schema: - $ref: '#/components/schemas/Alerting_401_response' - description: Authorization information is missing or invalid. - summary: Get the rule types + getConnectorTypesServerlessResponse: + $ref: '#/components/examples/get_connector_types_generativeai_response' + description: Indicates a successful call. + '403': + description: Indicates that this call is forbidden. + summary: Get connector types tags: - - alerting - /api/apm/agent_keys: - post: - description: > - Create a new agent key for APM. + - connectors + x-metaTags: + - content: Kibana + name: product_name + /api/actions/connector/_oauth_callback: + get: + description: |- + **Spaces method and path for this operation:** - The user creating an APM agent API key must have at least the - `manage_own_api_key` cluster privilege and the APM application-level - privileges that it wishes to grant. +
get /s/{space_id}/api/actions/connector/_oauth_callback
- After it is created, you can copy the API key (Base64 encoded) and use - it to to authorize requests from APM agents to the APM Server. - operationId: createAgentKey + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Handles the OAuth 2.0 authorization code callback from external providers. Exchanges the authorization code for access and refresh tokens.

[Required authorization] Route required privileges: actions:oauth. + operationId: get-actions-connector-oauth-callback parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - $ref: '#/components/parameters/APM_UI_kbn_xsrf' - requestBody: - content: - application/json: - examples: - createAgentKeyRequest1: - $ref: '#/components/examples/APM_UI_agent_keys_object_post_request1' - schema: - $ref: '#/components/schemas/APM_UI_agent_keys_object' - required: true + - description: The authorization code returned by the OAuth provider. + in: query + name: code + required: false + schema: + type: string + - description: The state parameter for CSRF protection. + in: query + name: state + required: false + schema: + type: string + - description: Error code if the authorization failed. + in: query + name: error + required: false + schema: + type: string + - description: Human-readable error description. + in: query + name: error_description + required: false + schema: + type: string + - description: Session state from the OAuth provider (e.g., Microsoft). + in: query + name: session_state + required: false + schema: + type: string responses: '200': - content: - application/json: - examples: - createAgentKeyResponse1: - $ref: >- - #/components/examples/APM_UI_agent_keys_object_post_200_response1 - schema: - $ref: '#/components/schemas/APM_UI_agent_keys_response' - description: Agent key created successfully - '400': - content: - application/json: - examples: - badRequestResponse: - $ref: '#/components/examples/APM_UI_error_400_response' - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response + description: Returns an HTML callback page. + '302': + description: Redirects to the return URL with authorization result query parameters. 
'401': - content: - application/json: - examples: - unauthorizedResponse: - $ref: '#/components/examples/APM_UI_error_401_response' - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response + description: User is not authenticated. + summary: Handle OAuth callback + tags: + - connectors + x-state: Added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/actions/connector/_oauth_callback_script: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/actions/connector/_oauth_callback_script
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Returns the OAuth callback script + operationId: get-actions-connector-oauth-callback-script + parameters: [] + responses: + '200': + description: Returns the OAuth callback script + summary: '' + tags: [] + x-state: Added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/actions/connector/{id}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/actions/connector/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + WARNING: When you delete a connector, it cannot be recovered. + operationId: delete-actions-connector-id + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: An identifier for the connector. + in: path + name: id + required: true + schema: + type: string + responses: + '204': + description: Indicates a successful call. '403': + description: Indicates that this call is forbidden. + summary: Delete a connector + tags: + - connectors + x-metaTags: + - content: Kibana + name: product_name + get: + operationId: get-actions-connector-id + parameters: + - description: An identifier for the connector. + in: path + name: id + required: true + schema: + type: string + responses: + '200': content: application/json: - examples: - forbiddenResponse: - $ref: '#/components/examples/APM_UI_error_403_response' - schema: - $ref: '#/components/schemas/APM_UI_403_response' - description: Forbidden response - '500': - content: - application/json: - examples: - internalServerErrorResponse: - $ref: '#/components/examples/APM_UI_error_500_response' schema: - $ref: '#/components/schemas/APM_UI_500_response' - description: Internal Server Error response - summary: Create an APM agent key + additionalProperties: false + type: object + properties: + auth_mode: + description: The authentication mode used for the connector. + enum: + - shared + - per-user + type: string + config: + additionalProperties: + nullable: true + type: object + connector_type_id: + description: The connector type identifier. + type: string + id: + description: The identifier for the connector. + type: string + is_connector_type_deprecated: + description: Indicates whether the connector type is deprecated. 
+ type: boolean + is_deprecated: + description: Indicates whether the connector is deprecated. + type: boolean + is_missing_secrets: + description: Indicates whether the connector is missing secrets. + type: boolean + is_preconfigured: + description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. ' + type: boolean + is_system_action: + description: Indicates whether the connector is used for system actions. + type: boolean + name: + description: ' The name of the connector.' + type: string + required: + - id + - name + - connector_type_id + - is_preconfigured + - is_deprecated + - is_system_action + - is_connector_type_deprecated + examples: + getConnectorResponse: + $ref: '#/components/examples/get_connector_response' + description: Indicates a successful call. + '403': + description: Indicates that this call is forbidden. + summary: Get connector information tags: - - APM agent keys - /api/apm/fleet/apm_server_schema: + - connectors + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/actions/connector/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. post: - deprecated: true - description: > - DEPRECATED: This endpoint is intended for internal use by Fleet - integrations to push the APM Server configuration schema. Do not use for - new integrations. It stores the provided schema object as a Kibana saved - object. If Fleet migration is not available on the current deployment, - the API returns a 404. - operationId: saveApmServerSchema + operationId: post-actions-connector-id parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - $ref: '#/components/parameters/APM_UI_kbn_xsrf' + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: An identifier for the connector. + in: path + name: id + required: true + schema: + maxLength: 36 + minLength: 1 + type: string requestBody: content: application/json: - examples: - saveApmServerSchemaRequest: - description: >- - An example request payload for `POST - /api/apm/fleet/apm_server_schema`. - value: - schema: - foo: bar schema: + additionalProperties: false type: object properties: - schema: - additionalProperties: true - description: Schema object - example: - foo: bar - type: object - required: true + connector_type_id: + description: The type of connector. + type: string + name: + description: The display name for the connector. + type: string + config: + additionalProperties: {} + default: {} + description: The connector configuration details. 
+ oneOf: + - $ref: '#/components/schemas/bedrock_config' + - $ref: '#/components/schemas/crowdstrike_config' + - $ref: '#/components/schemas/d3security_config' + - $ref: '#/components/schemas/email_config' + - $ref: '#/components/schemas/gemini_config' + - $ref: '#/components/schemas/resilient_config' + - $ref: '#/components/schemas/index_config' + - $ref: '#/components/schemas/jira_config' + - $ref: '#/components/schemas/genai_azure_config' + - $ref: '#/components/schemas/genai_openai_config' + - $ref: '#/components/schemas/genai_openai_other_config' + - $ref: '#/components/schemas/opsgenie_config' + - $ref: '#/components/schemas/pagerduty_config' + - $ref: '#/components/schemas/sentinelone_config' + - $ref: '#/components/schemas/servicenow_config' + - $ref: '#/components/schemas/servicenow_itom_config' + - $ref: '#/components/schemas/slack_api_config' + - $ref: '#/components/schemas/swimlane_config' + - $ref: '#/components/schemas/thehive_config' + - $ref: '#/components/schemas/tines_config' + - $ref: '#/components/schemas/torq_config' + - $ref: '#/components/schemas/webhook_config' + - $ref: '#/components/schemas/cases_webhook_config' + - $ref: '#/components/schemas/xmatters_config' + secrets: + additionalProperties: {} + default: {} + oneOf: + - $ref: '#/components/schemas/bedrock_secrets' + - $ref: '#/components/schemas/crowdstrike_secrets' + - $ref: '#/components/schemas/d3security_secrets' + - $ref: '#/components/schemas/email_secrets' + - $ref: '#/components/schemas/gemini_secrets' + - $ref: '#/components/schemas/resilient_secrets' + - $ref: '#/components/schemas/jira_secrets' + - $ref: '#/components/schemas/defender_secrets' + - $ref: '#/components/schemas/teams_secrets' + - $ref: '#/components/schemas/genai_secrets' + - $ref: '#/components/schemas/opsgenie_secrets' + - $ref: '#/components/schemas/pagerduty_secrets' + - $ref: '#/components/schemas/sentinelone_secrets' + - $ref: '#/components/schemas/servicenow_secrets' + - $ref: 
'#/components/schemas/slack_api_secrets' + - $ref: '#/components/schemas/swimlane_secrets' + - $ref: '#/components/schemas/thehive_secrets' + - $ref: '#/components/schemas/tines_secrets' + - $ref: '#/components/schemas/torq_secrets' + - $ref: '#/components/schemas/webhook_secrets' + - $ref: '#/components/schemas/cases_webhook_secrets' + - $ref: '#/components/schemas/xmatters_secrets' + required: + - name + - connector_type_id + examples: + createEmailConnectorRequest: + $ref: '#/components/examples/create_email_connector_request' + createIndexConnectorRequest: + $ref: '#/components/examples/create_index_connector_request' + createWebhookConnectorRequest: + $ref: '#/components/examples/create_webhook_connector_request' + createXmattersConnectorRequest: + $ref: '#/components/examples/create_xmatters_connector_request' responses: '200': content: application/json: - examples: - saveApmServerSchemaResponseExample1: - $ref: >- - #/components/examples/APM_UI_fleet_apm_server_schema_200_response1 schema: additionalProperties: false - description: The response body is intentionally empty for this endpoint. type: object - description: Successful response - '400': - content: - application/json: - examples: - badRequestResponse: - $ref: '#/components/examples/APM_UI_error_400_response' - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - examples: - unauthorizedResponse: - $ref: '#/components/examples/APM_UI_error_401_response' - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response + properties: + auth_mode: + description: The authentication mode used for the connector. + enum: + - shared + - per-user + type: string + config: + additionalProperties: + nullable: true + type: object + connector_type_id: + description: The connector type identifier. + type: string + id: + description: The identifier for the connector. 
+ type: string + is_connector_type_deprecated: + description: Indicates whether the connector type is deprecated. + type: boolean + is_deprecated: + description: Indicates whether the connector is deprecated. + type: boolean + is_missing_secrets: + description: Indicates whether the connector is missing secrets. + type: boolean + is_preconfigured: + description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. ' + type: boolean + is_system_action: + description: Indicates whether the connector is used for system actions. + type: boolean + name: + description: ' The name of the connector.' + type: string + required: + - id + - name + - connector_type_id + - is_preconfigured + - is_deprecated + - is_system_action + - is_connector_type_deprecated + examples: + createEmailConnectorResponse: + $ref: '#/components/examples/create_email_connector_response' + createIndexConnectorResponse: + $ref: '#/components/examples/create_index_connector_response' + createWebhookConnectorResponse: + $ref: '#/components/examples/create_webhook_connector_response' + createXmattersConnectorResponse: + $ref: '#/components/examples/get_connector_response' + description: Indicates a successful call. '403': + description: Indicates that this call is forbidden. + summary: Create a connector + tags: + - connectors + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/actions/connector/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + put: + operationId: put-actions-connector-id + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: An identifier for the connector. + in: path + name: id + required: true + schema: + type: string + requestBody: + content: + application/json: + schema: + additionalProperties: false + type: object + properties: + name: + description: The display name for the connector. + type: string + config: + additionalProperties: {} + default: {} + description: The connector configuration details. + oneOf: + - $ref: '#/components/schemas/bedrock_config' + - $ref: '#/components/schemas/crowdstrike_config' + - $ref: '#/components/schemas/d3security_config' + - $ref: '#/components/schemas/email_config' + - $ref: '#/components/schemas/gemini_config' + - $ref: '#/components/schemas/resilient_config' + - $ref: '#/components/schemas/index_config' + - $ref: '#/components/schemas/jira_config' + - $ref: '#/components/schemas/defender_config' + - $ref: '#/components/schemas/genai_azure_config' + - $ref: '#/components/schemas/genai_openai_config' + - $ref: '#/components/schemas/opsgenie_config' + - $ref: '#/components/schemas/pagerduty_config' + - $ref: '#/components/schemas/sentinelone_config' + - $ref: '#/components/schemas/servicenow_config' + - $ref: '#/components/schemas/servicenow_itom_config' + - $ref: '#/components/schemas/slack_api_config' + - $ref: '#/components/schemas/swimlane_config' + - $ref: '#/components/schemas/thehive_config' + - $ref: '#/components/schemas/tines_config' + - $ref: '#/components/schemas/torq_config' + - $ref: '#/components/schemas/webhook_config' + - $ref: '#/components/schemas/cases_webhook_config' + - $ref: '#/components/schemas/xmatters_config' + secrets: + additionalProperties: {} + default: {} + oneOf: + - $ref: 
'#/components/schemas/bedrock_secrets' + - $ref: '#/components/schemas/crowdstrike_secrets' + - $ref: '#/components/schemas/d3security_secrets' + - $ref: '#/components/schemas/email_secrets' + - $ref: '#/components/schemas/gemini_secrets' + - $ref: '#/components/schemas/resilient_secrets' + - $ref: '#/components/schemas/jira_secrets' + - $ref: '#/components/schemas/teams_secrets' + - $ref: '#/components/schemas/genai_secrets' + - $ref: '#/components/schemas/opsgenie_secrets' + - $ref: '#/components/schemas/pagerduty_secrets' + - $ref: '#/components/schemas/sentinelone_secrets' + - $ref: '#/components/schemas/servicenow_secrets' + - $ref: '#/components/schemas/slack_api_secrets' + - $ref: '#/components/schemas/swimlane_secrets' + - $ref: '#/components/schemas/thehive_secrets' + - $ref: '#/components/schemas/tines_secrets' + - $ref: '#/components/schemas/torq_secrets' + - $ref: '#/components/schemas/webhook_secrets' + - $ref: '#/components/schemas/cases_webhook_secrets' + - $ref: '#/components/schemas/xmatters_secrets' + required: + - name + examples: + updateIndexConnectorRequest: + $ref: '#/components/examples/update_index_connector_request' + responses: + '200': content: application/json: - examples: - forbiddenResponse: - $ref: '#/components/examples/APM_UI_error_403_response' - schema: - $ref: '#/components/schemas/APM_UI_403_response' - description: Forbidden response - '404': - content: - application/json: - examples: - notFoundResponse: - $ref: '#/components/examples/APM_UI_error_404_response' schema: - $ref: '#/components/schemas/APM_UI_404_response' - description: Not found response - summary: Save APM server schema + additionalProperties: false + type: object + properties: + auth_mode: + description: The authentication mode used for the connector. + enum: + - shared + - per-user + type: string + config: + additionalProperties: + nullable: true + type: object + connector_type_id: + description: The connector type identifier. 
+ type: string + id: + description: The identifier for the connector. + type: string + is_connector_type_deprecated: + description: Indicates whether the connector type is deprecated. + type: boolean + is_deprecated: + description: Indicates whether the connector is deprecated. + type: boolean + is_missing_secrets: + description: Indicates whether the connector is missing secrets. + type: boolean + is_preconfigured: + description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. ' + type: boolean + is_system_action: + description: Indicates whether the connector is used for system actions. + type: boolean + name: + description: ' The name of the connector.' + type: string + required: + - id + - name + - connector_type_id + - is_preconfigured + - is_deprecated + - is_system_action + - is_connector_type_deprecated + description: Indicates a successful call. + '403': + description: Indicates that this call is forbidden. + summary: Update a connector tags: - - APM server schema - /api/apm/services/{serviceName}/annotation: + - connectors + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/actions/connector/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/actions/connector/{id}/_execute: post: - description: Create a new annotation for a specific service. - operationId: createAnnotation + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/actions/connector/{id}/_execute
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + You can use this API to test an action that involves interaction with Kibana services or integrations with third-party systems. + operationId: post-actions-connector-id-execute parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - $ref: '#/components/parameters/APM_UI_kbn_xsrf' - - description: The name of the service + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: An identifier for the connector. in: path - name: serviceName + name: id required: true schema: type: string requestBody: content: application/json: - examples: - createAnnotationRequest1: - $ref: '#/components/examples/APM_UI_annotation_object_post_request1' schema: - $ref: '#/components/schemas/APM_UI_create_annotation_object' - required: true + additionalProperties: false + type: object + properties: + params: + additionalProperties: {} + oneOf: + - $ref: '#/components/schemas/run_acknowledge_resolve_pagerduty' + - $ref: '#/components/schemas/run_documents' + - $ref: '#/components/schemas/run_message_email' + - $ref: '#/components/schemas/run_message_serverlog' + - $ref: '#/components/schemas/run_message_slack' + - $ref: '#/components/schemas/run_trigger_pagerduty' + - $ref: '#/components/schemas/run_addevent' + - $ref: '#/components/schemas/run_closealert' + - $ref: '#/components/schemas/run_closeincident' + - $ref: '#/components/schemas/run_createalert' + - $ref: '#/components/schemas/run_fieldsbyissuetype' + - $ref: '#/components/schemas/run_getagentdetails' + - $ref: '#/components/schemas/run_getagents' + - $ref: '#/components/schemas/run_getchoices' + - $ref: '#/components/schemas/run_getfields' + - $ref: '#/components/schemas/run_getincident' + - $ref: '#/components/schemas/run_issue' + - $ref: '#/components/schemas/run_issues' + - $ref: 
'#/components/schemas/run_issuetypes' + - $ref: '#/components/schemas/run_postmessage' + - $ref: '#/components/schemas/run_pushtoservice' + - $ref: '#/components/schemas/run_validchannelid' + required: + - params + examples: + runIndexConnectorRequest: + $ref: '#/components/examples/run_index_connector_request' + runJiraConnectorRequest: + $ref: '#/components/examples/run_jira_connector_request' + runServerLogConnectorRequest: + $ref: '#/components/examples/run_servicenow_itom_connector_request' + runSlackConnectorRequest: + $ref: '#/components/examples/run_slack_api_connector_request' + runSwimlaneConnectorRequest: + $ref: '#/components/examples/run_swimlane_connector_request' responses: '200': content: application/json: - examples: - createAnnotationResponse1: - $ref: >- - #/components/examples/APM_UI_annotation_object_post_200_response1 schema: - $ref: '#/components/schemas/APM_UI_create_annotation_response' - description: Annotation created successfully - '400': + additionalProperties: false + type: object + properties: + auth_mode: + description: The authentication mode used for the connector. + enum: + - shared + - per-user + type: string + config: + additionalProperties: + nullable: true + type: object + connector_type_id: + description: The connector type identifier. + type: string + id: + description: The identifier for the connector. + type: string + is_connector_type_deprecated: + description: Indicates whether the connector type is deprecated. + type: boolean + is_deprecated: + description: Indicates whether the connector is deprecated. + type: boolean + is_missing_secrets: + description: Indicates whether the connector is missing secrets. + type: boolean + is_preconfigured: + description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. ' + type: boolean + is_system_action: + description: Indicates whether the connector is used for system actions. 
+ type: boolean + name: + description: ' The name of the connector.' + type: string + required: + - id + - name + - connector_type_id + - is_preconfigured + - is_deprecated + - is_system_action + - is_connector_type_deprecated + examples: + runIndexConnectorResponse: + $ref: '#/components/examples/run_index_connector_response' + runJiraConnectorResponse: + $ref: '#/components/examples/run_jira_connector_response' + runServerLogConnectorResponse: + $ref: '#/components/examples/run_server_log_connector_response' + runServiceNowITOMConnectorResponse: + $ref: '#/components/examples/run_servicenow_itom_connector_response' + runSlackConnectorResponse: + $ref: '#/components/examples/run_slack_api_connector_response' + runSwimlaneConnectorResponse: + $ref: '#/components/examples/run_swimlane_connector_response' + description: Indicates a successful call. + '403': + description: Indicates that this call is forbidden. + summary: Run a connector + tags: + - connectors + x-metaTags: + - content: Kibana + name: product_name + /api/actions/connectors: + get: + operationId: get-actions-connectors + parameters: [] + responses: + '200': content: application/json: - examples: - badRequestResponse: - $ref: '#/components/examples/APM_UI_error_400_response' schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: + items: + additionalProperties: false + type: object + properties: + auth_mode: + description: The authentication mode used for the connector. + enum: + - shared + - per-user + type: string + config: + additionalProperties: + nullable: true + type: object + connector_type_id: + description: The connector type identifier. + type: string + id: + description: The identifier for the connector. + type: string + is_connector_type_deprecated: + description: Indicates whether the connector type is deprecated. + type: boolean + is_deprecated: + description: Indicates whether the connector is deprecated. 
+ type: boolean + is_missing_secrets: + description: Indicates whether the connector is missing secrets. + type: boolean + is_preconfigured: + description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. ' + type: boolean + is_system_action: + description: Indicates whether the connector is used for system actions. + type: boolean + name: + description: ' The name of the connector.' + type: string + referenced_by_count: + description: The number of saved objects that reference the connector. If is_preconfigured is true, this value is not calculated. + type: number + required: + - id + - name + - connector_type_id + - is_preconfigured + - is_deprecated + - is_system_action + - is_connector_type_deprecated + - referenced_by_count + type: array examples: - unauthorizedResponse: - $ref: '#/components/examples/APM_UI_error_401_response' - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response + getConnectorsResponse: + $ref: '#/components/examples/get_connectors_response' + description: Indicates a successful call. '403': + description: Indicates that this call is forbidden. + summary: Get all connectors + tags: + - connectors + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/actions/connectors
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/agent_builder/a2a/{agentId}: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/agent_builder/a2a/{agentId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + > warn + > This endpoint is designed for A2A protocol clients and should not be used directly via REST APIs. Use an A2A SDK or A2A Inspector instead. + To learn more about the Agent Builder A2A server, refer to the [A2A server documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/a2a-server).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: post-agent-builder-a2a-agentid + parameters: + - description: The unique identifier of the agent to send the A2A task to. + in: path + name: agentId + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + a2aTaskRequestExample: + description: 'WARNING: DO NOT USE THIS ENDPOINT VIA REST API. These examples are auto-generated and should not be run. Integrate with A2A using an A2A SDK or A2A Inspector instead.' + value: + id: task-123 + jsonrpc: '2.0' + method: complete + params: + messages: + - content: Hello from A2A protocol + role: user + schema: {} + responses: + '200': content: application/json: examples: - forbiddenResponse: - $ref: '#/components/examples/APM_UI_error_403_response' - schema: - $ref: '#/components/schemas/APM_UI_403_response' - description: Forbidden response - '404': - content: - application/json: - examples: - notFoundResponse: - $ref: '#/components/examples/APM_UI_error_404_response' - schema: - $ref: '#/components/schemas/APM_UI_404_response' - description: Not found response - summary: Create a service annotation + a2aTaskResponseExample: + description: Example response from A2A Task Endpoint with results of task execution + value: + id: task-123 + jsonrpc: '2.0' + result: + conversation_id: conv-456 + response: + message: Hello! How can I help you today? 
+ type: response + description: Indicates a successful response + summary: Send A2A task tags: - - APM annotations - x-codeSamples: - - lang: Curl - source: | - curl -X POST \ - http://localhost:5601/api/apm/services/opbeans-java/annotation \ - -H 'Content-Type: application/json' \ - -H 'kbn-xsrf: true' \ - -H 'Authorization: Basic YhUlubWZhM0FDbnlQeE6WRtaW49FQmSGZ4RUWXdX' \ - -d '{ - "@timestamp": "2020-05-08T10:31:30.452Z", - "service": { - "version": "1.2" - }, - "message": "Deployment 1.2" - }' - /api/apm/services/{serviceName}/annotation/search: + - agent builder + x-state: Experimental; added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + /api/agent_builder/a2a/{agentId}.json: get: - description: Search for annotations related to a specific service. - operationId: getAnnotation + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/agent_builder/a2a/{agentId}.json
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get agent discovery metadata in JSON format. Use this endpoint to provide agent information for A2A protocol integration and discovery. To learn more about the Agent Builder A2A server, refer to the [A2A server documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/a2a-server).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-a2a-agentid.json parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - description: The name of the service + - description: The unique identifier of the agent to get A2A metadata for. in: path - name: serviceName + name: agentId required: true schema: type: string - - description: The environment to filter annotations by - in: query - name: environment - required: false - schema: - type: string - - description: The start date for the search - example: '2024-01-01T00:00:00.000Z' - in: query - name: start - required: false - schema: - format: date-time - type: string - - description: The end date for the search - example: '2024-01-31T23:59:59.999Z' - in: query - name: end - required: false - schema: - format: date-time - type: string responses: '200': content: application/json: examples: - getAnnotationResponse1: - $ref: >- - #/components/examples/APM_UI_annotation_search_get_200_response1 - schema: - $ref: '#/components/schemas/APM_UI_annotation_search_response' - description: Successful response - '400': - content: - application/json: - examples: - badRequestResponse: - $ref: '#/components/examples/APM_UI_error_400_response' - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - examples: - unauthorizedResponse: - $ref: '#/components/examples/APM_UI_error_401_response' - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '500': + a2aAgentCardResponseExample: + description: Example response card of Elastic AI Agent + value: + capabilities: + pushNotifications: false + stateTransitionHistory: false + streaming: false + defaultInputModes: + - text/plain + defaultOutputModes: + - text/plain + description: Elastic AI Agent + name: Elastic AI Agent + protocolVersion: 0.3.0 + provider: + organization: Elastic + url: 
https://elastic.co + securitySchemes: + authorization: + description: Authentication token + in: header + name: Authorization + type: apiKey + skills: + - description: A powerful tool for searching and analyzing data within your Elasticsearch cluster. + examples: [] + id: platform.core.search + inputModes: + - text/plain + - application/json + name: platform.core.search + outputModes: + - text/plain + - application/json + tags: + - tool + supportsAuthenticatedExtendedCard: false + url: http://localhost:5601/api/agent_builder/a2a/elastic-ai-agent + version: 0.1.0 + description: Indicates a successful response + summary: Get A2A agent card + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/agent_builder/a2a/{agentId}.json" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/agent_builder/a2a/{agentId}.json + x-state: Experimental; added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + /api/agent_builder/agents: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/agent_builder/agents
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all available agents. Use this endpoint to retrieve complete agent information including their current configuration and assigned tools. To learn more about agents, refer to the [agents documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/agent-builder-agents).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-agents + parameters: [] + responses: + '200': content: application/json: examples: - internalServerErrorResponse: - $ref: '#/components/examples/APM_UI_error_500_response' - schema: - $ref: '#/components/schemas/APM_UI_500_response' - description: Internal Server Error response - summary: Search for annotations + listAgentsResponseExample: + description: Example response that returns one built-in Elastic agent and one created by the user + value: + results: + - configuration: + tools: + - tool_ids: + - platform.core.search + - platform.core.list_indices + - platform.core.get_index_mapping + - platform.core.get_document_by_id + description: Elastic AI Agent + id: elastic-ai-agent + name: Elastic AI Agent + type: chat + - avatar_color: '#BFDBFF' + avatar_symbol: SI + configuration: + instructions: You are a custom agent that wants to help searching data using all indices starting with prefix "content-". + tools: + - tool_ids: + - platform.core.search + - platform.core.list_indices + - platform.core.get_index_mapping + - platform.core.get_document_by_id + description: Hi! I can help you search the data within the indices starting with "content-" prefix. + id: created-agent-id + labels: + - custom-indices + - department-search + name: Search Index Helper + type: chat + description: Indicates a successful response + summary: List agents tags: - - APM annotations - /api/apm/settings/agent-configuration: - delete: - description: > - Delete an existing agent configuration. You must have `all` privileges - for the APM and User Experience feature in Kibana. When successful, the - configuration is removed and, if Fleet is enabled, APM package policies - are synchronized accordingly. 
- operationId: deleteAgentConfiguration + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/agent_builder/agents" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/agent_builder/agents + x-state: Added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/agent_builder/agents
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new agent. Use this endpoint to define the agent's behavior, appearance, and capabilities through comprehensive configuration options. To learn more about agents, refer to the [agents documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/agent-builder-agents).

[Required authorization] Route required privileges: agentBuilder:manageAgents. + operationId: post-agent-builder-agents parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - $ref: '#/components/parameters/APM_UI_kbn_xsrf' + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: examples: - deleteAgentConfigurationRequest1: - $ref: >- - #/components/examples/APM_UI_agent_configuration_intake_object_delete_request1 + createAgentRequestExample: + description: Example request for creating a custom agent with special prompt and tools + value: + avatar_color: '#BFDBFF' + avatar_symbol: SI + configuration: + instructions: You are a custom agent that wants to help searching data using all indices starting with prefix "content-". + tools: + - tool_ids: + - platform.core.search + - platform.core.list_indices + - platform.core.get_index_mapping + - platform.core.get_document_by_id + description: Hi! I can help you search the data within the indices starting with "content-" prefix. 
+ id: created-agent-id + labels: + - custom-indices + - department-search + name: Search Index Helper schema: - $ref: '#/components/schemas/APM_UI_delete_service_object' - required: true - responses: - '200': - content: - application/json: - examples: - deleteAgentConfigurationResponseExample1: - $ref: >- - #/components/examples/APM_UI_agent_configuration_intake_object_delete_200_response1 - schema: - $ref: >- - #/components/schemas/APM_UI_delete_agent_configurations_response - description: Successful response - '400': - content: - application/json: - examples: - badRequestResponse: - $ref: '#/components/examples/APM_UI_error_400_response' - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - examples: - unauthorizedResponse: - $ref: '#/components/examples/APM_UI_error_401_response' - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '403': - content: - application/json: - examples: - forbiddenResponse: - $ref: '#/components/examples/APM_UI_error_403_response' - schema: - $ref: '#/components/schemas/APM_UI_403_response' - description: Forbidden response - '404': - content: - application/json: - examples: - notFoundResponse: - $ref: '#/components/examples/APM_UI_error_404_response' - schema: - $ref: '#/components/schemas/APM_UI_404_response' - description: Not found response - summary: Delete agent configuration - tags: - - APM agent configuration - get: - description: > - Retrieve all agent configurations. You must have `read` privileges for - the APM and User Experience feature in Kibana. If agent configuration is - not available on the current deployment, the API returns a 404. - operationId: getAgentConfigurations - parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' + additionalProperties: false + type: object + properties: + avatar_color: + description: Optional hex color code for the agent avatar. 
+ type: string + avatar_symbol: + description: Optional symbol/initials for the agent avatar. + type: string + configuration: + additionalProperties: false + description: Configuration settings for the agent. + type: object + properties: + connector_ids: + description: Array of connector IDs to associate with the agent. + items: + description: Connector ID to associate with the agent. + type: string + maxItems: 100 + type: array + enable_elastic_capabilities: + description: When true, enables built-in Elastic capabilities for the agent. + type: boolean + instructions: + description: Optional system instructions that define the agent behavior. + type: string + plugin_ids: + description: Array of plugin IDs to assign to the agent. + items: + description: Plugin ID to assign to the agent. + type: string + maxItems: 100 + type: array + skill_ids: + description: Array of skill IDs to be available to the agent. + items: + description: Skill ID to be available to the agent. + type: string + maxItems: 100 + type: array + tools: + items: + additionalProperties: false + description: Tool selection configuration for the agent. + type: object + properties: + tool_ids: + description: Array of tool IDs that the agent can use. + items: + description: Tool ID to be available to the agent. + type: string + type: array + required: + - tool_ids + type: array + workflow_ids: + items: + description: Optional list of workflow IDs. When set, these workflows run before every agent execution, in order. + type: string + maxItems: 100 + type: array + required: + - tools + description: + description: Description of what the agent does. + type: string + id: + description: Unique identifier for the agent. + type: string + labels: + description: Optional labels for categorizing and organizing agents. + items: + description: Label for categorizing the agent. + type: string + type: array + name: + description: Display name for the agent. 
+ type: string + visibility: + description: '**Technical Preview; added in 9.4.0.** Optional visibility setting: `public` (any privileged user can read/write), `shared` (any privileged user can read, only owner can write), `private` (only owner can read/write).' + enum: + - public + - shared + - private + type: string + required: + - id + - name + - description + - configuration responses: '200': content: application/json: examples: - getAgentConfigurationsResponseExample1: - $ref: >- - #/components/examples/APM_UI_agent_configuration_intake_object_get_200_response1 - schema: - $ref: '#/components/schemas/APM_UI_agent_configurations_response' - description: Successful response - '400': - content: - application/json: - examples: - badRequestResponse: - $ref: '#/components/examples/APM_UI_error_400_response' - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - examples: - unauthorizedResponse: - $ref: '#/components/examples/APM_UI_error_401_response' - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '404': - content: - application/json: - examples: - notFoundResponse: - $ref: '#/components/examples/APM_UI_error_404_response' - schema: - $ref: '#/components/schemas/APM_UI_404_response' - description: Not found response - summary: Get a list of agent configurations + createAgentResponseExample: + description: Example response returning the definition of an agent created as a result of the request + value: + avatar_color: '#BFDBFF' + avatar_symbol: SI + configuration: + instructions: You are a custom agent that wants to help searching data using all indices starting with prefix "content-". + tools: + - tool_ids: + - platform.core.search + - platform.core.list_indices + - platform.core.get_index_mapping + - platform.core.get_document_by_id + description: Hi! 
I can help you search the data within the indices starting with "content-" prefix. + id: created-agent-id + labels: + - custom-indices + - department-search + name: Search Index Helper + type: chat + description: Indicates a successful response + summary: Create an agent tags: - - APM agent configuration - put: - description: > - Create or update an agent configuration. You must have `all` privileges - for the APM and User Experience feature in Kibana. When updating an - existing configuration, the `?overwrite=true` query parameter is - required. If the configuration already exists and `overwrite` is not set - to `true`, the API returns a 400 error. When successful and Fleet is - enabled, APM package policies are synchronized accordingly. - operationId: createUpdateAgentConfiguration + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/agent_builder/agents" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "id": "new-agent-id", + "name": "Search Index Helper", + "description": "Hi! I can help you search the data within the indices starting with \"content-\" prefix.", + "labels": ["custom-indices", "department-search"], + "avatar_color": "#BFDBFF", + "avatar_symbol": "SI", + "configuration": { + "instructions": "You are a custom agent that wants to help searching data using all indices starting with prefix \"content-\".", + "tools": [ + { + "tool_ids": [ + "platform.core.search", + "platform.core.list_indices", + "platform.core.get_index_mapping", + "platform.core.get_document_by_id" + ] + } + ] + } + }' + - lang: Console + source: | + POST kbn://api/agent_builder/agents + { + "id": "new-agent-id", + "name": "Search Index Helper", + "description": "Hi! 
I can help you search the data within the indices starting with \"content-\" prefix.", + "labels": ["custom-indices", "department-search"], + "avatar_color": "#BFDBFF", + "avatar_symbol": "SI", + "configuration": { + "instructions": "You are a custom agent that wants to help searching data using all indices starting with prefix \"content-\".", + "tools": [ + { + "tool_ids": [ + "platform.core.search", + "platform.core.list_indices", + "platform.core.get_index_mapping", + "platform.core.get_document_by_id" + ] + } + ] + } + } + x-state: Added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + /api/agent_builder/agents/{agent_id}/consumption: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/agent_builder/agents/{agent_id}/consumption
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Returns paginated, per-conversation token consumption data for a given agent. Includes input/output token counts, round counts, LLM call counts, and warnings for conversations with high token usage. Requires the manageAgents privilege. To learn more about monitoring agent token usage, refer to the [monitor usage documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/monitor-usage).

[Required authorization] Route required privileges: agentBuilder:manageAgents. + operationId: post-agent-builder-agents-agent-id-consumption parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - $ref: '#/components/parameters/APM_UI_kbn_xsrf' - - description: If the config exists ?overwrite=true is required - in: query - name: overwrite + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - type: boolean + example: 'true' + type: string + - description: The unique identifier of the agent. + in: path + name: agent_id + required: true + schema: + type: string requestBody: content: application/json: examples: - createUpdateAgentConfigurationRequestExample1: - $ref: >- - #/components/examples/APM_UI_agent_configuration_intake_object_put_request1 + consumptionDefaultExample: + description: Get consumption data for an agent with default pagination + value: + size: 25 + sort_field: updated_at + sort_order: desc + consumptionFilteredExample: + description: Get consumption data filtered by username with warnings + value: + has_warnings: true + size: 10 + sort_field: total_tokens + sort_order: desc + usernames: + - elastic + - admin schema: - $ref: '#/components/schemas/APM_UI_agent_configuration_intake_object' - required: true + additionalProperties: false + type: object + properties: + has_warnings: + description: Filter to conversations with or without high-token warnings. + type: boolean + search: + description: Free-text search filter on conversation title. + type: string + search_after: + description: Cursor for pagination. Pass the search_after value from the previous response. + items: + nullable: true + maxItems: 10000 + type: array + size: + default: 25 + description: Number of results per page. + maximum: 100 + minimum: 1 + type: number + sort_field: + default: updated_at + description: Field to sort results by. 
+ enum: + - updated_at + - total_tokens + - round_count + type: string + sort_order: + default: desc + description: Sort direction. + enum: + - asc + - desc + type: string + usernames: + description: Filter results to conversations by these usernames. + items: + type: string + maxItems: 10000 + type: array responses: '200': content: application/json: examples: - createUpdateAgentConfigurationResponseExample1: - $ref: >- - #/components/examples/APM_UI_agent_configuration_intake_object_put_200_response1 - schema: - additionalProperties: false - description: The response body is intentionally empty for this endpoint. - type: object - description: Successful response - '400': - content: - application/json: - examples: - badRequestResponse: - $ref: '#/components/examples/APM_UI_error_400_response' - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - examples: - unauthorizedResponse: - $ref: '#/components/examples/APM_UI_error_401_response' - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '403': - content: - application/json: - examples: - forbiddenResponse: - $ref: '#/components/examples/APM_UI_error_403_response' - schema: - $ref: '#/components/schemas/APM_UI_403_response' - description: Forbidden response - '404': - content: - application/json: - examples: - notFoundResponse: - $ref: '#/components/examples/APM_UI_error_404_response' - schema: - $ref: '#/components/schemas/APM_UI_404_response' - description: Not found response - summary: Create or update agent configuration + consumptionResponseExample: + description: Example response with per-conversation token usage data + value: + aggregations: + total_with_warnings: 0 + usernames: + - elastic + - admin + results: + - conversation_id: conv-abc123 + created_at: '2025-03-01T10:00:00Z' + llm_calls: 8 + round_count: 5 + title: Help me search my data + token_usage: + input_tokens: 15000 
+ output_tokens: 3000 + total_tokens: 18000 + updated_at: '2025-03-01T10:15:00Z' + user: + id: uid-1 + username: elastic + warnings: [] + - conversation_id: conv-def456 + created_at: '2025-03-02T14:00:00Z' + llm_calls: 20 + round_count: 12 + title: Analyze server logs + token_usage: + input_tokens: 250000 + output_tokens: 8000 + total_tokens: 258000 + updated_at: '2025-03-02T14:30:00Z' + user: + id: uid-2 + username: admin + warnings: + - input_tokens: 250000 + round_id: round-7 + type: high_input_tokens + search_after: + - 1709391000000 + - '2025-03-02T14:30:00Z' + total: 2 + description: Indicates a successful response + summary: Get agent consumption data tags: - - APM agent configuration - /api/apm/settings/agent-configuration/agent_name: - get: - description: Retrieve `agentName` for a service. - operationId: getAgentNameForService + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/agent_builder/agents/elastic-ai-agent/consumption" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "Content-Type: application/json" \ + -H "elastic-api-version: 2023-10-31" \ + -d '{"size": 25, "sort_field": "updated_at", "sort_order": "desc"}' + - lang: Console + source: | + POST kbn://api/agent_builder/agents/elastic-ai-agent/consumption + {"size": 25, "sort_field": "updated_at", "sort_order": "desc"} + x-state: Experimental; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/agent_builder/agents/{id}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/agent_builder/agents/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete an agent by ID. This action cannot be undone. To learn more about agents, refer to the [agents documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/agent-builder-agents).

[Required authorization] Route required privileges: agentBuilder:manageAgents. + operationId: delete-agent-builder-agents-id parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - description: The name of the service - example: node - in: query - name: serviceName + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The unique identifier of the agent to delete. + in: path + name: id required: true schema: type: string 
@@ -1021,58 +1864,43 @@ paths: content: application/json: examples: - getAgentNameForServiceResponse1: - $ref: >- - #/components/examples/APM_UI_service_agent_name_get_200_response1 - schema: - $ref: '#/components/schemas/APM_UI_service_agent_name_response' - description: Successful response - '400': - content: - application/json: - examples: - badRequestResponse: - $ref: '#/components/examples/APM_UI_error_400_response' - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - examples: - unauthorizedResponse: - $ref: '#/components/examples/APM_UI_error_401_response' - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '404': - content: - application/json: - examples: - notFoundResponse: - $ref: '#/components/examples/APM_UI_error_404_response' - schema: - $ref: '#/components/schemas/APM_UI_404_response' - description: Not found response - summary: Get agent name for service + deleteAgentResponseExample: + description: Example response showing that deletion of the agent has been successful + value: + success: true + description: Indicates a successful response + summary: Delete an agent tags: - - APM agent configuration - /api/apm/settings/agent-configuration/environments: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X DELETE "${KIBANA_URL}/api/agent_builder/agents/{id}" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" + - lang: Console + source: | + DELETE kbn://api/agent_builder/agents/{id} + x-state: Added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name get: - description: > - Retrieve the available environments for a given service, to be used in - agent configuration. You must have `read` privileges for the APM and - User Experience feature in Kibana. If `serviceName` is omitted, - environments across all services are returned. 
- operationId: getEnvironmentsForService + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/agent_builder/agents/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a specific agent by ID. Use this endpoint to retrieve the complete agent definition including all configuration details and tool assignments. To learn more about agents, refer to the [agents documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/agent-builder-agents).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-agents-id parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - description: >- - The name of the service. If omitted, environments across all - services are returned. - example: opbeans-node - in: query - name: serviceName + - description: The unique identifier of the agent to retrieve. + in: path + name: id + required: true schema: type: string responses: 
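Review bot: The `delete` and `get` operations for `/api/agent_builder/agents/{id}` document only a `'200'` response with an example and no response schema, so an unknown id or a caller without `agentBuilder:manageAgents` has no documented outcome, whereas the APM entries this hunk removes carried `'401'`, `'403'` and `'404'` responses with schemas. Adding at least `'404': description: The agent does not exist` and `'403': description: The caller lacks the required privilege` under `responses` would let generated clients distinguish a failed deletion from success. If this file is the generated OAS bundle, the change belongs in the route definitions it is built from rather than here. The `get` operation continues past the end of the hunk.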
@@ -1080,127 +1908,270 @@ paths: content: application/json: examples: - getEnvironmentsForServiceResponseExample1: - $ref: >- - #/components/examples/APM_UI_agent_configuration_environments_200_response1 - schema: - $ref: '#/components/schemas/APM_UI_service_environments_response' - description: Successful response - '400': - content: - application/json: - examples: - badRequestResponse: - $ref: '#/components/examples/APM_UI_error_400_response' - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - examples: - unauthorizedResponse: - $ref: '#/components/examples/APM_UI_error_401_response' - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '404': - content: - application/json: - examples: - notFoundResponse: - $ref: '#/components/examples/APM_UI_error_404_response' - schema: - $ref: '#/components/schemas/APM_UI_404_response' - description: Not found response - summary: Get environments for service + getAgentByIdResponseExample: + description: Example response that an agent created by the user that will query elasticsearch indices starting with 'content-' prefix to answer the questions. + value: + avatar_color: '#BFDBFF' + avatar_symbol: SI + configuration: + instructions: You are a custom agent that wants to help searching data using all indices starting with prefix "content-". + tools: + - tool_ids: + - platform.core.search + - platform.core.list_indices + - platform.core.get_index_mapping + - platform.core.get_document_by_id + description: Hi! I can help you search the data within the indices starting with "content-" prefix. 
+ id: created-agent-id + labels: + - custom-indices + - department-search + name: Search Index Helper + type: chat + description: Indicates a successful response + summary: Get an agent by ID tags: - - APM agent configuration - /api/apm/settings/agent-configuration/search: - post: - deprecated: true - description: > - DEPRECATED: This endpoint is intended for internal use by APM agents to - fetch their configuration and mark it as applied. Do not use for new - integrations. It searches for a single agent configuration matching the - given service, and optionally updates the `applied_by_agent` field when - the provided `etag` matches the current configuration. - operationId: searchSingleConfiguration + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/agent_builder/agents/{id}" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/agent_builder/agents/{id} + x-state: Added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/agent_builder/agents/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an existing agent configuration. Use this endpoint to modify any aspect of the agent's behavior, appearance, or capabilities. To learn more about agents, refer to the [agents documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/agent-builder-agents).

[Required authorization] Route required privileges: agentBuilder:manageAgents. + operationId: put-agent-builder-agents-id parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - $ref: '#/components/parameters/APM_UI_kbn_xsrf' + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The unique identifier of the agent to update. + in: path + name: id + required: true + schema: + type: string requestBody: content: application/json: examples: - searchSingleConfigurationRequest1: - $ref: >- - #/components/examples/APM_UI_agent_configuration_intake_object_search_request1 + createAgentRequestExample: + description: Example request for updating custom agent + value: + avatar_color: '#BFDBFF' + avatar_symbol: SI + configuration: + instructions: You are a custom agent that wants to help searching data using all indices starting with prefix "content-". + tools: + - tool_ids: + - platform.core.search + - platform.core.list_indices + - platform.core.get_index_mapping + - platform.core.get_document_by_id + description: Updated description - Search for anything in "content-*" indices! + id: created-agent-id + labels: + - custom-indices + - department-search + - elastic-employees + name: Search Index Helper schema: - $ref: '#/components/schemas/APM_UI_search_agent_configuration_object' - required: true + additionalProperties: false + type: object + properties: + avatar_color: + description: Updated hex color code for the agent avatar. + type: string + avatar_symbol: + description: Updated symbol/initials for the agent avatar. + type: string + configuration: + additionalProperties: false + description: Updated configuration settings for the agent. + type: object + properties: + connector_ids: + description: Array of connector IDs to associate with the agent. + items: + description: Connector ID to associate with the agent. 
+ type: string + maxItems: 100 + type: array + enable_elastic_capabilities: + description: When true, enables built-in Elastic capabilities for the agent. + type: boolean + instructions: + description: Updated system instructions that define the agent behavior. + type: string + plugin_ids: + description: Array of plugin IDs to assign to the agent. + items: + description: Plugin ID to assign to the agent. + type: string + maxItems: 100 + type: array + skill_ids: + description: Array of skill IDs to be available to the agent. + items: + description: Skill ID to be available to the agent. + type: string + maxItems: 100 + type: array + tools: + items: + additionalProperties: false + description: Tool selection configuration for the agent. + type: object + properties: + tool_ids: + description: Array of tool IDs that the agent can use. + items: + description: Tool ID to be available to the agent. + type: string + type: array + required: + - tool_ids + type: array + workflow_ids: + items: + description: Updated list of workflow IDs. When set, these workflows run every agent execution, in order. + type: string + maxItems: 100 + type: array + description: + description: Updated description of what the agent does. + type: string + labels: + description: Updated labels for categorizing and organizing agents. + items: + description: Updated label for categorizing the agent. + type: string + type: array + name: + description: Updated display name for the agent. + type: string + visibility: + description: '**Technical Preview; added in 9.4.0.** Updated visibility setting: `public` (any privileged user can read/write), `shared` (any privileged user can read, only owner can write), `private` (only owner can read/write).' 
+ enum: + - public + - shared + - private + type: string responses: '200': content: application/json: examples: - searchSingleConfigurationResponse1: - $ref: >- - #/components/examples/APM_UI_agent_configuration_intake_object_search_200_response1 - schema: - $ref: >- - #/components/schemas/APM_UI_search_agent_configuration_response - description: Successful response - '400': - content: - application/json: - examples: - badRequestResponse: - $ref: '#/components/examples/APM_UI_error_400_response' - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - examples: - unauthorizedResponse: - $ref: '#/components/examples/APM_UI_error_401_response' - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '404': - content: - application/json: - examples: - notFoundResponse: - $ref: '#/components/examples/APM_UI_error_404_response' - schema: - $ref: '#/components/schemas/APM_UI_404_response' - description: Not found response - summary: Lookup single agent configuration + updateAgentResponseExample: + description: Example response returning the agent definition with the changes applied from the request + value: + avatar_color: '#BFDBFF' + avatar_symbol: SI + configuration: + instructions: You are a custom agent that wants to help searching data using all indices starting with prefix "content-". + tools: + - tool_ids: + - platform.core.search + - platform.core.list_indices + - platform.core.get_index_mapping + - platform.core.get_document_by_id + description: Updated description - Search for anything in "content-*" indices! 
+ id: created-agent-id + labels: + - custom-indices + - department-search + - elastic-employees + name: Search Index Helper + type: chat + description: Indicates a successful response + summary: Update an agent tags: - - APM agent configuration - /api/apm/settings/agent-configuration/view: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X PUT "${KIBANA_URL}/api/agent_builder/agents/{id}" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "name": "Search Index Helper", + "description": "Updated description - Search for anything in \"content-*\" indices!", + "labels": ["custom-indices", "department-search", "elastic-employees"], + "avatar_color": "#BFDBFF", + "avatar_symbol": "SI", + "configuration": { + "instructions": "You are a custom agent that wants to help searching data using all indices starting with prefix \"content-\".", + "tools": [{ + "tool_ids": [ + "platform.core.search", + "platform.core.list_indices", + "platform.core.get_index_mapping", + "platform.core.get_document_by_id" + ] + }] + } + }' + - lang: Console + source: | + PUT kbn://api/agent_builder/agents/{id} + { + "name": "Search Index Helper", + "description": "Updated description - Search for anything in \"content-*\" indices!", + "labels": ["custom-indices", "department-search", "elastic-employees"], + "avatar_color": "#BFDBFF", + "avatar_symbol": "SI", + "configuration": { + "instructions": "You are a custom agent that wants to help searching data using all indices starting with prefix \"content-\".", + "tools": [{ + "tool_ids": [ + "platform.core.search", + "platform.core.list_indices", + "platform.core.get_index_mapping", + "platform.core.get_document_by_id" + ] + }] + } + } + x-state: Added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + /api/agent_builder/conversations: get: - description: > - Retrieve a single agent configuration matching the given service name - and environment. 
You must have `read` privileges for the APM and User - Experience feature in Kibana. If no matching configuration is found, the - API returns a 404. - operationId: getSingleAgentConfiguration + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/agent_builder/conversations
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all conversations for a user. Use the optional agent ID to filter conversations by a specific agent. To learn more about agent conversations, refer to the [agent chat documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/chat).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-conversations parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - description: Service name - example: node + - description: Optional agent ID to filter conversations by a specific agent. in: query - name: name - schema: - type: string - - description: Service environment - example: prod - in: query - name: environment + name: agent_id + required: false schema: type: string responses: 
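Review bot: The `createAgentRequestExample` under the `put` operation's `requestBody` includes `id: created-agent-id`, but the request schema declares `additionalProperties: false` with no `id` property, so the documented example does not validate against the documented schema (the id already arrives via the `{id}` path parameter); drop the `id` line from the example and rename it `updateAgentRequestExample` to match its description. Separately, `configuration.tools[].tool_ids` and `labels` are the only caller-controlled arrays in this body without a `maxItems` bound, while `connector_ids`, `plugin_ids`, `skill_ids` and `workflow_ids` each carry `maxItems: 100`; if the route validation bounds them too, the spec should state it with `maxItems: 100`, and if it does not, that is worth bounding. If this is the generated bundle, the fix belongs in the route schema it is built from. The `/api/agent_builder/conversations` `get` operation continues past the end of the hunk.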
@@ -1208,6346 +2179,13619 @@ paths: content: application/json: examples: - getSingleAgentConfigurationResponseExample1: - $ref: >- - #/components/examples/APM_UI_agent_configuration_intake_object_view_200_response1 - schema: - $ref: >- - #/components/schemas/APM_UI_single_agent_configuration_response - description: Successful response - '400': - content: - application/json: - examples: - badRequestResponse: - $ref: '#/components/examples/APM_UI_error_400_response' - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - examples: - unauthorizedResponse: - $ref: '#/components/examples/APM_UI_error_401_response' - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '404': - content: - application/json: - examples: - notFoundResponse: - $ref: '#/components/examples/APM_UI_error_404_response' - schema: - $ref: '#/components/schemas/APM_UI_404_response' - description: Not found response - summary: Get single agent configuration + listConversationsResponseExample: + description: Example response containing the list of conversations with all agents + value: + results: + - agent_id: elastic-ai-agent + created_at: '2025-09-19T17:45:39.554Z' + id: bcc176c5-38f6-40be-be0c-898e34fa1480 + title: General Greeting + updated_at: '2025-09-19T17:45:39.554Z' + user: + username: elastic + description: Indicates a successful response + summary: List conversations tags: - - APM agent configuration - /api/apm/sourcemaps: - get: - description: > - Get an array of Fleet artifacts, including source map uploads. You must - have `read` or `all` Kibana privileges for the APM and User Experience - feature. 
- operationId: getSourceMaps + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/agent_builder/conversations" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/agent_builder/conversations + x-state: Added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + /api/agent_builder/conversations/{conversation_id}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/agent_builder/conversations/{conversation_id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a conversation by ID. This action cannot be undone. To learn more about agent conversations, refer to the [agent chat documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/chat).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: delete-agent-builder-conversations-conversation-id parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - description: Page number - in: query - name: page + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - type: number - - description: Number of records per page - in: query - name: perPage + example: 'true' + type: string + - description: The unique identifier of the conversation to delete. + in: path + name: conversation_id + required: true schema: - type: number + type: string responses: '200': content: application/json: examples: - getSourceMapsResponse1: - $ref: '#/components/examples/APM_UI_source_maps_get_200_response1' - schema: - $ref: '#/components/schemas/APM_UI_source_maps_response' - description: Successful response - '400': - content: - application/json: - examples: - badRequestResponse: - $ref: '#/components/examples/APM_UI_error_400_response' - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - examples: - unauthorizedResponse: - $ref: '#/components/examples/APM_UI_error_401_response' - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '500': - content: - application/json: - examples: - internalServerErrorResponse: - $ref: '#/components/examples/APM_UI_error_500_response' - schema: - $ref: '#/components/schemas/APM_UI_500_response' - description: Internal Server Error response - '501': - content: - application/json: - examples: - notImplementedResponse: - $ref: '#/components/examples/APM_UI_error_501_response' - schema: - $ref: '#/components/schemas/APM_UI_501_response' - description: Not Implemented response - summary: Get source maps + deleteConversationResponseExample: + description: Example response showing that deletion of 
conversation has been successful + value: + success: true + description: Indicates a successful response + summary: Delete conversation by ID tags: - - APM sourcemaps + - agent builder x-codeSamples: - - lang: Curl + - lang: curl source: | - curl -X GET "http://localhost:5601/api/apm/sourcemaps" \ - -H 'Content-Type: application/json' \ - -H 'kbn-xsrf: true' \ - -H 'Authorization: ApiKey ${YOUR_API_KEY}' - post: - description: > - Upload a source map for a specific service and version. You must have - `all` Kibana privileges for the APM and User Experience feature. - - The maximum payload size is `1mb`. If you attempt to upload a source map - that exceeds the maximum payload size, you will get a 413 error. Before - uploading source maps that exceed this default, change the maximum - payload size allowed by Kibana with the `server.maxPayload` variable. - operationId: uploadSourceMap + curl \ + -X DELETE "${KIBANA_URL}/api/agent_builder/conversations/{conversation_id}" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" + - lang: Console + source: | + DELETE kbn://api/agent_builder/conversations/{conversation_id} + x-state: Added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/agent_builder/conversations/{conversation_id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a specific conversation by ID. Use this endpoint to retrieve the complete conversation history including all messages and metadata. To learn more about agent conversations, refer to the [agent chat documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/chat).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-conversations-conversation-id parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - $ref: '#/components/parameters/APM_UI_kbn_xsrf' - requestBody: - content: - multipart/form-data: - examples: - uploadSourceMapRequest: - $ref: '#/components/examples/APM_UI_source_maps_upload_request1' - schema: - $ref: '#/components/schemas/APM_UI_upload_source_map_object' - required: true + - description: The unique identifier of the conversation to retrieve. + in: path + name: conversation_id + required: true + schema: + type: string responses: '200': content: application/json: examples: - uploadSourceMapResponse1: - $ref: >- - #/components/examples/APM_UI_source_maps_upload_200_response1 - schema: - $ref: '#/components/schemas/APM_UI_upload_source_maps_response' - description: Successful response - '400': - content: - application/json: - examples: - badRequestResponse: - $ref: '#/components/examples/APM_UI_error_400_response' - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - examples: - unauthorizedResponse: - $ref: '#/components/examples/APM_UI_error_401_response' - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '403': - content: - application/json: - examples: - forbiddenResponse: - $ref: '#/components/examples/APM_UI_error_403_response' - schema: - $ref: '#/components/schemas/APM_UI_403_response' - description: Forbidden response - '500': - content: - application/json: - examples: - internalServerErrorResponse: - $ref: '#/components/examples/APM_UI_error_500_response' - schema: - $ref: '#/components/schemas/APM_UI_500_response' - description: Internal Server Error response - '501': - content: - application/json: - examples: - notImplementedResponse: - $ref: '#/components/examples/APM_UI_error_501_response' - 
schema: - $ref: '#/components/schemas/APM_UI_501_response' - description: Not Implemented response - summary: Upload a source map + getConversationByIdResponseExample: + description: Example response containing the contents of a convesation with the chat agent + value: + agent_id: elastic-ai-agent + created_at: '2025-09-19T17:45:39.554Z' + id: bcc176c5-38f6-40be-be0c-898e34fa1480 + rounds: + - id: 170ec3b2-0f5a-4538-8b60-549572386d2a + input: + message: Hello, how are you? + response: + message: |- + Since this is a general greeting that doesn't require any organizational or product-specific information, I can respond without using tools. + + Hello! I'm doing well, thank you for asking. I'm here to help you with any questions you may have. How can I assist you today? + steps: [] + title: General Greeting + updated_at: '2025-09-19T17:45:39.554Z' + user: + username: elastic + description: Indicates a successful response + summary: Get conversation by ID tags: - - APM sourcemaps + - agent builder x-codeSamples: - - lang: Curl - source: > - curl -X POST "http://localhost:5601/api/apm/sourcemaps" \ - - -H 'Content-Type: multipart/form-data' \ - - -H 'kbn-xsrf: true' \ - - -H 'Authorization: ApiKey ${YOUR_API_KEY}' \ - - -F 'service_name="foo"' \ + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/agent_builder/conversations/{conversation_id}" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/agent_builder/conversations/{conversation_id} + x-state: Added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + /api/agent_builder/conversations/{conversation_id}/attachments: + get: + description: |- + **Spaces method and path for this operation:** - -F 'service_version="1.0.0"' \ +
get /s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments
- -F 'bundle_filepath="/test/e2e/general-usecase/bundle.js"' \ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - -F - 'sourcemap="{\"version\":3,\"file\":\"static/js/main.chunk.js\",\"sources\":[\"fleet-source-map-client/src/index.css\",\"fleet-source-map-client/src/App.js\",\"webpack:///./src/index.css?bb0a\",\"fleet-source-map-client/src/index.js\",\"fleet-source-map-client/src/reportWebVitals.js\"],\"sourcesContent\":[\"content\"],\"mappings\":\"mapping\",\"sourceRoot\":\"\"}"' - /api/apm/sourcemaps/{id}: - delete: - description: > - Delete a previously uploaded source map. You must have `all` Kibana - privileges for the APM and User Experience feature. - operationId: deleteSourceMap + List all attachments for a conversation. Use the optional include_deleted query parameter to include soft-deleted attachments.

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-conversations-conversation-id-attachments parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - $ref: '#/components/parameters/APM_UI_kbn_xsrf' - - description: Source map identifier + - description: The unique identifier of the conversation. in: path - name: id + name: conversation_id required: true schema: type: string + - description: Whether to include deleted attachments in the list. + in: query + name: include_deleted + required: false + schema: + type: boolean responses: '200': content: application/json: examples: - deleteSourceMapResponseExample1: - $ref: >- - #/components/examples/APM_UI_source_maps_delete_200_response1 - schema: - additionalProperties: false - description: The response body is intentionally empty for this endpoint. - type: object - description: Successful response - '400': - content: - application/json: - examples: - badRequestResponse: - $ref: '#/components/examples/APM_UI_error_400_response' - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - examples: - unauthorizedResponse: - $ref: '#/components/examples/APM_UI_error_401_response' - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '403': - content: - application/json: - examples: - forbiddenResponse: - $ref: '#/components/examples/APM_UI_error_403_response' - schema: - $ref: '#/components/schemas/APM_UI_403_response' - description: Forbidden response - '500': - content: - application/json: - examples: - internalServerErrorResponse: - $ref: '#/components/examples/APM_UI_error_500_response' - schema: - $ref: '#/components/schemas/APM_UI_500_response' - description: Internal Server Error response - '501': + listAttachmentsResponseExample: + description: Example response containing active attachments for a conversation + value: 
+ results: + - active: true + current_version: 2 + description: My text file + id: attachment-1 + type: text + versions: + - content_hash: abc123 + created_at: '2025-01-01T10:00:00.000Z' + data: Initial content + estimated_tokens: 3 + version: 1 + - content_hash: def456 + created_at: '2025-01-01T11:00:00.000Z' + data: Updated content + estimated_tokens: 3 + version: 2 + - active: true + current_version: 1 + description: Configuration data + id: attachment-2 + type: json + versions: + - content_hash: ghi789 + created_at: '2025-01-01T12:00:00.000Z' + data: + key: value + nested: + field: 123 + estimated_tokens: 15 + version: 1 + total_token_estimate: 21 + description: Indicates a successful response + summary: List conversation attachments + tags: + - agent builder + x-state: Experimental; added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new attachment for a conversation with version tracking.

[Required authorization] Route required privileges: agentBuilder:read. + operationId: post-agent-builder-conversations-conversation-id-attachments + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The unique identifier of the conversation. + in: path + name: conversation_id + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + createHiddenAttachmentExample: + description: Example request for creating a hidden attachment + value: + data: Internal system data + description: System context + hidden: true + type: text + createJsonAttachmentExample: + description: Example request for creating a JSON attachment with custom ID + value: + data: + configuration: + enabled: true + threshold: 50 + metadata: + source: user_input + description: Application settings + id: custom-attachment-id + type: json + createTextAttachmentExample: + description: Example request for creating a text attachment + value: + data: This is the content of my text attachment + description: Meeting notes + type: text + schema: + additionalProperties: false + type: object + properties: + data: + description: The attachment data/content. Required unless origin is provided. + nullable: true + description: + description: Human-readable description of the attachment. + type: string + hidden: + description: Whether the attachment should be hidden from the user. + type: boolean + id: + description: Optional custom ID for the attachment. + type: string + origin: + description: Origin string (for example, saved object ID) for by-reference attachments. When provided without data, the content is resolved once at creation time. + type: string + type: + description: The type of the attachment (e.g., text, esql, visualization). 
+ type: string + required: + - type + - data + responses: + '200': content: application/json: examples: - notImplementedResponse: - $ref: '#/components/examples/APM_UI_error_501_response' - schema: - $ref: '#/components/schemas/APM_UI_501_response' - description: Not Implemented response - summary: Delete source map + createAttachmentResponseExample: + description: Example response returning the created attachment + value: + attachment: + active: true + current_version: 1 + description: Meeting notes + id: att-abc123 + type: text + versions: + - content_hash: sha256-xyz + created_at: '2025-01-06T10:00:00.000Z' + data: This is the content of my text attachment + estimated_tokens: 12 + version: 1 + description: Indicates a successful response + summary: Create conversation attachment tags: - - APM sourcemaps - x-codeSamples: - - lang: Curl - source: > - curl -X DELETE - "http://localhost:5601/api/apm/sourcemaps/apm:foo-1.0.0-644fd5a9" \ + - agent builder + x-state: Experimental; added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + /api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}: + delete: + description: |- + **Spaces method and path for this operation:** - -H 'Content-Type: application/json' \ +
delete /s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}
- -H 'kbn-xsrf: true' \ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - -H 'Authorization: ApiKey ${YOUR_API_KEY}' - /api/asset_criticality: - delete: - description: Delete the asset criticality record for a specific entity. - operationId: DeleteAssetCriticalityRecord + Delete an attachment. By default performs a soft delete (can be restored). Use permanent=true to permanently remove unreferenced attachments.

[Required authorization] Route required privileges: agentBuilder:read. + operationId: delete-agent-builder-conversations-conversation-id-attachments-attachment-id parameters: - - description: The ID value of the asset. - example: my_host - in: query - name: id_value + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: + example: 'true' type: string - - description: The field representing the ID. - example: host.name - in: query - name: id_field + - description: The unique identifier of the conversation. + in: path + name: conversation_id required: true schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_IdField' - - description: If 'wait_for' the request will wait for the index refresh. + type: string + - description: The unique identifier of the attachment to delete. + in: path + name: attachment_id + required: true + schema: + type: string + - description: If true, permanently removes the attachment (only for unreferenced attachments). in: query - name: refresh + name: permanent required: false schema: - enum: - - wait_for - type: string + type: boolean responses: '200': content: application/json: - schema: - type: object - properties: - deleted: - description: >- - True if the record was deleted or false if the record did - not exist. - type: boolean - record: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord - description: The deleted record if it existed. 
- required: - - deleted - description: Successful response - '400': - description: Invalid request - summary: Delete an asset criticality record + examples: + permanentDeleteAttachmentResponseExample: + description: Example response for permanent delete (cannot be restored) + value: + permanent: true + success: true + softDeleteAttachmentResponseExample: + description: Example response for soft delete (can be restored) + value: + permanent: false + success: true + description: Indicates a successful response + summary: Delete conversation attachment tags: - - Security Entity Analytics API - get: - description: Get the asset criticality record for a specific entity. - operationId: GetAssetCriticalityRecord + - agent builder + x-state: Experimental; added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + patch: + description: |- + **Spaces method and path for this operation:** + +
patch /s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Rename an attachment without creating a new version.

[Required authorization] Route required privileges: agentBuilder:read. + operationId: patch-agent-builder-conversations-conversation-id-attachments-attachment-id parameters: - - description: The ID value of the asset. - example: my_host - in: query - name: id_value + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: + example: 'true' type: string - - description: The field representing the ID. - example: host.name - in: query - name: id_field + - description: The unique identifier of the conversation. + in: path + name: conversation_id required: true schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_IdField' + type: string + - description: The unique identifier of the attachment to rename. + in: path + name: attachment_id + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + renameAttachmentExample: + description: Example request for renaming an attachment + value: + description: Updated attachment name + schema: + additionalProperties: false + type: object + properties: + description: + description: The new description/name for the attachment. 
+ type: string + required: + - description responses: '200': content: application/json: - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord - description: Successful response - '400': - description: Invalid request - '404': - description: Criticality record not found - summary: Get an asset criticality record + examples: + renameAttachmentResponseExample: + description: Example response returning the renamed attachment (version unchanged) + value: + attachment: + active: true + current_version: 1 + description: Updated attachment name + id: att-abc123 + type: text + versions: + - content_hash: sha256-xyz + created_at: '2025-01-06T10:00:00.000Z' + data: Content remains the same + estimated_tokens: 10 + version: 1 + success: true + description: Indicates a successful response + summary: Rename attachment tags: - - Security Entity Analytics API - post: - description: > - Create or update an asset criticality record for a specific entity. + - agent builder + x-state: Experimental; added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** +
put /s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}
- If a record already exists for the specified entity, that record is - overwritten with the specified value. If a record doesn't exist for the - specified entity, a new record is created. - operationId: CreateAssetCriticalityRecord - requestBody: - content: - application/json: + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an attachment content. Creates a new version if content changed.

[Required authorization] Route required privileges: agentBuilder:read. + operationId: put-agent-builder-conversations-conversation-id-attachments-attachment-id + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The unique identifier of the conversation. + in: path + name: conversation_id + required: true + schema: + type: string + - description: The unique identifier of the attachment to update. + in: path + name: attachment_id + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + updateAttachmentContentExample: + description: Example request for updating attachment content + value: + data: This is the updated content + updateAttachmentWithDescriptionExample: + description: Example request for updating both content and description + value: + data: New content version + description: Updated meeting notes - v2 schema: - allOf: - - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_CreateAssetCriticalityRecord - - type: object - properties: - refresh: - description: >- - If 'wait_for' the request will wait for the index - refresh. - enum: - - wait_for - type: string - example: - criticality_level: high_impact - id_field: host.name - id_value: my_host - required: true + additionalProperties: false + type: object + properties: + data: + description: The new attachment data/content. + nullable: true + description: + description: Optional new description for the attachment. 
+ type: string + required: + - data responses: '200': content: application/json: - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord - description: Successful response - '400': - description: Invalid request - summary: Upsert an asset criticality record + examples: + updateAttachmentResponseExample: + description: Example response returning the updated attachment with new version + value: + attachment: + active: true + current_version: 2 + description: Meeting notes + id: att-abc123 + type: text + versions: + - content_hash: sha256-abc + created_at: '2025-01-06T10:00:00.000Z' + data: Original content + estimated_tokens: 10 + version: 1 + - content_hash: sha256-def + created_at: '2025-01-06T11:00:00.000Z' + data: This is the updated content + estimated_tokens: 12 + version: 2 + new_version: 2 + description: Indicates a successful response + summary: Update conversation attachment tags: - - Security Entity Analytics API - /api/asset_criticality/bulk: + - agent builder + x-state: Experimental; added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + /api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}/_restore: post: - description: > - Bulk upsert up to 1000 asset criticality records. + description: |- + **Spaces method and path for this operation:** +
post /s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}/_restore
- If asset criticality records already exist for the specified entities, - those records are overwritten with the specified values. If asset - criticality records don't exist for the specified entities, new records - are created. - operationId: BulkUpsertAssetCriticalityRecords + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Restore a soft-deleted attachment.

[Required authorization] Route required privileges: agentBuilder:read. + operationId: post-agent-builder-conversations-conversation-id-attachments-attachment-id-restore + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The unique identifier of the conversation. + in: path + name: conversation_id + required: true + schema: + type: string + - description: The unique identifier of the attachment to restore. + in: path + name: attachment_id + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + restoreAttachmentResponseExample: + description: Example response returning the restored attachment + value: + attachment: + active: true + current_version: 1 + description: Restored attachment + id: att-abc123 + type: text + versions: + - content_hash: sha256-xyz + created_at: '2025-01-06T10:00:00.000Z' + data: Restored content + estimated_tokens: 10 + version: 1 + success: true + description: Indicates a successful response + summary: Restore deleted attachment + tags: + - agent builder + x-state: Experimental; added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + /api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}/origin: + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}/origin
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update the origin reference for an attachment. Use this after saving a by-value attachment to link it to its persistent store.

[Required authorization] Route required privileges: agentBuilder:read. + operationId: put-agent-builder-conversations-conversation-id-attachments-attachment-id-origin + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The unique identifier of the conversation. + in: path + name: conversation_id + required: true + schema: + type: string + - description: The unique identifier of the attachment to update. + in: path + name: attachment_id + required: true + schema: + type: string requestBody: content: application/json: + examples: + updateOriginExample: + description: Example request for linking an attachment to a saved visualization + value: + origin: abc123 schema: - example: - records: - - criticality_level: low_impact - id_field: host.name - id_value: host-1 - - criticality_level: medium_impact - id_field: host.name - id_value: host-2 + additionalProperties: false type: object properties: - records: - items: - allOf: - - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordIdParts - - type: object - properties: - criticality_level: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevelsForBulkUpload - required: - - criticality_level - maxItems: 1000 - minItems: 1 - type: array + origin: + description: The origin string (e.g., saved object ID for visualizations and dashboards). 
+ type: string required: - - records + - origin responses: '200': content: application/json: - schema: - example: - errors: - - index: 0 - message: Invalid ID field - stats: - failed: 1 - successful: 1 - total: 2 - type: object - properties: - errors: - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityBulkUploadErrorItem - type: array - stats: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityBulkUploadStats - required: - - errors - - stats - description: Bulk upload successful - '413': - description: File too large - summary: Bulk upsert asset criticality records + examples: + updateOriginResponseExample: + description: Example response returning the attachment with updated origin + value: + attachment: + active: true + current_version: 1 + description: Sales chart + id: att-123 + origin: abc123 + type: visualization + versions: + - content_hash: sha256-xyz + created_at: '2025-01-06T10:00:00.000Z' + data: + chart_type: bar + esql: FROM sales | STATS count=COUNT(*) BY month + query: Show monthly sales + visualization: {} + estimated_tokens: 50 + version: 1 + success: true + description: Indicates a successful response + summary: Update attachment origin tags: - - Security Entity Analytics API - /api/asset_criticality/list: + - agent builder + x-state: Experimental; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/agent_builder/conversations/{conversation_id}/attachments/stale: get: - description: List asset criticality records, paging, sorting and filtering as needed. - operationId: FindAssetCriticalityRecords + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments/stale
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Checks staleness for the latest version of all conversation attachments against their origin snapshot.

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-conversations-conversation-id-attachments-stale parameters: - - description: The field to sort by. - in: query - name: sort_field - required: false - schema: - enum: - - id_value - - id_field - - criticality_level - - '@timestamp' - type: string - - description: The order to sort by. - in: query - name: sort_direction - required: false - schema: - enum: - - asc - - desc - type: string - - description: The page number to return. - in: query - name: page - required: false - schema: - minimum: 1 - type: integer - - description: The number of records to return per page. - in: query - name: per_page - required: false - schema: - maximum: 1000 - minimum: 1 - type: integer - - description: The kuery to filter by. - in: query - name: kuery - required: false + - description: The unique identifier of the conversation. + in: path + name: conversation_id + required: true schema: type: string responses: '200': content: application/json: - schema: - example: - page: 1 - per_page: 10 - records: - - '@timestamp': '2024-08-02T14:40:35.705Z' - asset: - criticality: medium_impact - criticality_level: medium_impact - host: - asset: - criticality: medium_impact - name: my_other_host - id_field: host.name - id_value: my_other_host - - '@timestamp': '2024-08-02T11:15:34.290Z' - asset: - criticality: high_impact - criticality_level: high_impact - host: - asset: - criticality: high_impact - name: my_host - id_field: host.name - id_value: my_host - total: 2 - type: object - properties: - page: - minimum: 1 - type: integer - per_page: - maximum: 1000 - minimum: 1 - type: integer - records: - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord - type: array - total: - minimum: 0 - type: integer - required: - - records - - page - - per_page - - total - description: Successfully retrieved asset criticality records - summary: List asset criticality 
records + examples: + checkStaleAttachmentsResponseExample: + description: 'Mixed conversation: attachments without a stale source return only id and is_stale. When a staleness check fails for one attachment, is_stale is false and an error explains why. When an origin-backed attachment is out of date, the response includes type, origin, and resolved data (here a simple text body) for resync.' + value: + attachments: + - id: att-text-meeting-notes + is_stale: false + - id: att-lens-active-users + is_stale: false + - error: Origin could not be resolved + id: att-query-attachment + is_stale: false + - data: This is the content of my text attachment + hidden: false + id: att-text-runbook + is_stale: true + origin: document:hr-onboarding-v2 + type: text + description: Indicates a successful response + summary: Check attachment staleness tags: - - Security Entity Analytics API - /api/attack_discovery/_bulk: + - agent builder + x-state: Experimental; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/agent_builder/converse: post: - description: >- - Performs bulk updates on multiple Attack discoveries, including workflow - status changes and visibility settings. This endpoint allows efficient - batch processing of alert modifications without requiring individual API - calls for each alert. - operationId: PostAttackDiscoveryBulk + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/agent_builder/converse
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Send a message to an agent and receive a complete response. This synchronous endpoint waits for the agent to fully process your request before returning the final result. Use this for simple chat interactions where you need the complete response. To learn more about agent chat, refer to the [agent chat documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/chat).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: post-agent-builder-converse + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: examples: - PostAttackDiscoveryBulkRequestBodyExample: - summary: Acknowledge two Attack discoveries in bulk. + converseRequestExample: + description: Example request to send a message to the agent as a part of the conversation value: - update: - enable_field_rendering: false - ids: - - >- - c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f - - >- - 5aa8f2900c0b03854b3b1a52a19558c5ea9893865c78235d4ad3dcc46196f4c7 - kibana_alert_workflow_status: acknowledged - with_replacements: true + agent_id: elastic-ai-agent + connector_id: my-connector-id + input: What is Elasticsearch? + converseRequestInferenceExample: + description: Example using inference_id (mutually exclusive with connector_id) + value: + agent_id: elastic-ai-agent + inference_id: my-inference-endpoint-id + input: What is Elasticsearch? schema: + additionalProperties: false type: object properties: - update: - description: >- - Configuration object containing all parameters for the bulk - update operation + _execution_mode: + description: '**Experimental; added in 9.4.0.** define how to execute the agent (local execution or via task_manager)' + enum: + - local + - task_manager + type: string + action: + description: The action to perform. "regenerate" re-executes the last round with the original input. Requires conversation_id. + enum: + - regenerate + type: string + agent_id: + default: elastic-ai-agent + description: The ID of the agent to chat with. Defaults to the default Elastic AI agent. + type: string + attachments: + description: '**Technical Preview; added in 9.3.0.** Optional attachments to send with the message.' 
+ items: + additionalProperties: false + type: object + properties: + data: + additionalProperties: + nullable: true + description: Payload of the attachment. Required unless `origin` is provided (content is resolved once at send time). + type: object + hidden: + description: When true, the attachment will not be displayed in the UI. + type: boolean + id: + description: Optional id for the attachment. + type: string + origin: + description: Origin string (for example, saved object ID) for by-reference attachments. When provided without `data`, the content is resolved once using the attachment type’s `resolve` hook. + type: string + type: + description: Type of the attachment. + type: string + required: + - type + type: array + browser_api_tools: + description: Optional browser API tools to be registered as LLM tools with browser.* namespace. These tools execute on the client side. + items: + additionalProperties: false + type: object + properties: + description: + description: Description of what the browser API tool does. + type: string + id: + description: Unique identifier for the browser API tool. + type: string + schema: + description: JSON Schema defining the tool parameters (JsonSchema7Type). + nullable: true + required: + - id + - description + - schema + type: array + capabilities: + additionalProperties: false + description: Controls agent capabilities during conversation. Currently supports visualization rendering for tabular tool results. type: object properties: - enable_field_rendering: - default: false - description: >- - Enables a markdown syntax used to render pivot fields, - for example `{{ user.name james }}`. When disabled, the - same example would be rendered as `james`. This is - primarily used for Attack Discovery views within Kibana. - Defaults to `false`. - example: false + visualizations: + description: When true, allows the agent to render tabular data from tool results as interactive visualizations using custom XML elements in responses. 
type: boolean - ids: - description: Array of Attack Discovery IDs to update - example: - - >- - c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f - - >- - 5aa8f2900c0b03854b3b1a52a19558c5ea9893865c78235d4ad3dcc46196f4c7 + configuration_overrides: + additionalProperties: false + description: Runtime configuration overrides. These override the stored agent configuration for this execution only. + type: object + properties: + instructions: + description: Custom instructions for the agent. + type: string + tools: + description: Tool selection to enable for this execution. items: - type: string + additionalProperties: false + type: object + properties: + tool_ids: + items: + type: string + type: array + required: + - tool_ids type: array - kibana_alert_workflow_status: - description: >- - When provided, update the kibana.alert.workflow_status - of the attack discovery alerts - enum: - - open - - acknowledged - - closed - example: acknowledged - type: string - visibility: - description: >- - When provided, update the visibility of the alert, as - determined by the kibana.alert.attack_discovery.users - field - enum: - - not_shared - - shared - example: shared - type: string - with_replacements: - default: true - description: >- - When true, returns the updated Attack discoveries with - text replacements applied to the detailsMarkdown, - entitySummaryMarkdown, summaryMarkdown, and title - fields. This substitutes anonymized values with - human-readable equivalents. Defaults to `true`. - example: true - type: boolean - required: - - ids - required: - - update - description: Bulk update parameters for Attack discoveries - required: true + connector_id: + description: Optional connector ID for the agent to use for model routing. Mutually exclusive with `inference_id`; omit or use only one. + nullable: true + type: string + conversation_id: + description: Optional existing conversation ID to continue a previous conversation. 
+ type: string + inference_id: + description: Optional inference endpoint ID for model routing (public alias for the same internal identifier as `connector_id`). Mutually exclusive with `connector_id`. + nullable: true + type: string + input: + description: The user input message to send to the agent. + type: string + prompts: + additionalProperties: + additionalProperties: false + type: object + properties: + allow: + type: boolean + required: + - allow + description: Can be used to respond to a confirmation prompt. + type: object responses: '200': content: application/json: examples: - PostAttackDiscoveryBulkResponse200Example: - summary: >- - A successful bulk update response containing the modified - Attack discoveries. - value: - data: - - alert_ids: - - alert-abc-1 - alert_workflow_status: acknowledged - connector_id: gen-ai-connector - connector_name: OpenAI GPT-4 - details_markdown: >- - - **Host** `workstation-01` showed credential access - patterns consistent with mimikatz. - generation_uuid: 550e8400-e29b-41d4-a716-446655440000 - id: >- - c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f - summary_markdown: >- - A user account was compromised using mimikatz to dump - credentials. - timestamp: '2024-01-15T10:00:00.000Z' - title: Credential theft via mimikatz - schema: - type: object - properties: - data: - description: >- - Array of updated Attack Discovery alert objects. Each item - includes the applied modifications from the bulk update - request. - items: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiAlert - type: array - required: - - data - description: Indicates a successful call. - '400': - content: - application/json: - examples: - PostAttackDiscoveryBulkResponse400Example: - summary: >- - Bad Request error returned when the bulk update payload is - invalid. 
+ converseResponseExample: + description: Example response containing the chain of events representing a conversation with the agent value: - error: Bad Request - message: Invalid request parameters. - status_code: 400 - schema: - type: object - properties: - error: - description: Error type - example: Bad Request - type: string - message: - description: >- - Human-readable error message describing what went wrong - with the bulk update request - example: Invalid request parameters. - type: string - status_code: - description: HTTP status code - example: 400 - type: number - required: - - status_code - - error - - message - description: Bad Request response. - summary: Bulk update Attack discoveries + conversation_id: 696ccd6d-4bff-4b26-a62e-522ccf2dcd16 + response: + message: Elasticsearch is a distributed, RESTful search and analytics engine capable of addressing a growing number of use cases. As the heart of the Elastic Stack, it centrally stores your data for lightning fast search, fine‑tuned relevancy, and powerful analytics that scale with ease. 
+ steps: + - reasoning: Searching for official documentation or content that explains what Elasticsearch is + type: reasoning + - params: + query: what is elasticsearch definition overview introduction + progression: + - message: Selecting the best target for this query + results: + - data: + message: Could not figure out which index to use + type: error + tool_call_id: tooluse_shOdUwKIRwC9YhqGzeg0cQ + tool_id: platform.core.search + type: tool_call + description: Indicates a successful response + summary: Send chat message tags: - - Security Attack discovery API + - agent builder x-codeSamples: - - label: Example request - lang: curl + - lang: curl source: | curl \ - --request POST 'http://localhost:5601/api/attack_discovery/_bulk' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" \ - --data-raw '{ - "update": { - "ids": [ - "c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f", - "5aa8f2900c0b03854b3b1a52a19558c5ea9893865c78235d4ad3dcc46196f4c7" - ], - "kibana_alert_workflow_status": "acknowledged" - } - }' - /api/attack_discovery/_find: - get: - description: >- - Find Attack discoveries that match the search criteria. Supports free - text search, filtering, pagination, and sorting. - operationId: AttackDiscoveryFind - parameters: - - description: >- - Filter results to Attack discoveries that include any of the - provided alert IDs - in: query - name: alert_ids - required: false - schema: - items: - type: string - type: array - - description: >- - Filter results to Attack discoveries created by any of the provided - human readable connector names. Note that values must match the - human readable `connector_name` property of an Attack discovery, - e.g. "GPT-5 Chat", which are distinct from `connector_id` values - used to generate Attack discoveries. 
- in: query - name: connector_names - required: false - schema: - items: - type: string - type: array - - description: >- - Enables a markdown syntax used to render pivot fields, for example - `{{ user.name james }}`. When disabled, the same example would be - rendered as `james`. This is primarily used for Attack Discovery - views within Kibana. Defaults to `false`. - example: false - in: query - name: enable_field_rendering - required: false - schema: - default: false - type: boolean - - description: >- - End of the time range for the search. Accepts absolute timestamps - (ISO 8601) or relative date math (e.g. "now", "now-24h"). - example: now - in: query - name: end - required: false - schema: - type: string - - description: Filter results to the Attack discoveries with the specified IDs - in: query - name: ids - required: false - schema: - items: - type: string - type: array - - description: >- - If `true`, the response will include `unique_alert_ids` and - `unique_alert_ids_count` aggregated across the matched Attack - discoveries - example: false - in: query - name: include_unique_alert_ids - required: false - schema: - type: boolean - - description: Page number to return (used for pagination). Defaults to 1. - example: 1 - in: query - name: page - required: false - schema: - default: 1 - minimum: 1 - type: integer - - description: >- - Number of Attack discoveries to return per page (used for - pagination). Defaults to 10. - example: 10 - in: query - name: per_page - required: false - schema: - default: 10 - minimum: 1 - type: integer - - description: >- - Free-text search query applied to relevant text fields of Attack - discoveries (title, description, tags, etc.) - example: '' - in: query - name: search - required: false - schema: - type: string - - description: >- - Whether to filter by shared visibility. If omitted, both shared and - privately visible Attack discoveries are returned. 
Use `true` to - return only shared discoveries, `false` to return only those visible - to the current user. - in: query - name: shared - required: false - schema: - type: boolean - - description: >- - Whether to filter by scheduled or ad-hoc attack discoveries. If - omitted, both types of attack discoveries are returned. Use `true` - to return only scheduled discoveries or `false` to return only - ad-hoc discoveries. - in: query - name: scheduled - required: false - schema: - type: boolean - - description: >- - Field used to sort results. See `AttackDiscoveryFindSortField` for - allowed values. - example: '@timestamp' - in: query - name: sort_field - required: false + -X POST "${KIBANA_URL}/api/agent_builder/converse" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "input": "What is Elasticsearch?", + "agent_id": "elastic-ai-agent"}' + - lang: Console + source: | + POST kbn://api/agent_builder/converse + { + "input": "What is Elasticsearch?", + "agent_id": "elastic-ai-agent" + } + x-state: Added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + /api/agent_builder/converse/async: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/agent_builder/converse/async
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Send a message to an agent and receive real-time streaming events. This asynchronous endpoint provides live updates as the agent processes your request, allowing you to see intermediate steps and progress. Use this for interactive experiences where you want to monitor the agent's thinking process. + + ## Event types + + The endpoint emits Server-Sent Events (SSE) with the following custom event types: + + `conversation_id_set` + + Sets the conversation ID. + + Schema: + ```json + { + "conversation_id": "uuid" + } + ``` + + --- + + `conversation_created` + + Fires when a new conversation is persisted and assigned an ID. + + Schema: + ```json + { + "conversation_id": "uuid", + "title": "conversation title" + } + ``` + + --- + + `conversation_updated` + + Fires when a conversation is updated. + + Schema: + ```json + { + "conversation_id": "uuid", + "title": "updated conversation title" + } + ``` + + --- + + `reasoning` + + Handles reasoning-related data. + + Schema: + ```json + { + "reasoning": "plain text reasoning content", + "transient": false + } + ``` + + --- + + `tool_call` + + Triggers when a tool is invoked. + + Schema: + ```json + { + "tool_call_id": "uuid", + "tool_id": "tool_name", + "params": {} + } + ``` + + --- + + `tool_progress` + + Reports progress of a running tool. + + Schema: + ```json + { + "tool_call_id": "uuid", + "message": "progress message" + } + ``` + + --- + + `tool_result` + + Returns results from a completed tool call. + + Schema: + ```json + { + "tool_call_id": "uuid", + "tool_id": "tool_name", + "results": [] + } + ``` + + **Note:** `results` is an array of `ToolResult` objects. + + --- + + `message_chunk` + + Streams partial text chunks. + + Schema: + ```json + { + "message_id": "uuid", + "text_chunk": "partial text" + } + ``` + + --- + + `message_complete` + + Indicates message stream is finished. 
+ + Schema: + ```json + { + "message_id": "uuid", + "message_content": "full text content of the message" + } + ``` + + --- + + `thinking_complete` + + Marks the end of the thinking/reasoning phase. + + Schema: + ```json + { + "time_to_first_token": 0 + } + ``` + + **Note:** `time_to_first_token` is in milliseconds. + + --- + + `round_complete` + + Marks end of one conversation round. + + Schema: + ```json + { + "round": {} + } + ``` + + **Note:** `round` contains the full round json object. + + --- + + ## Event flow + + A typical conversation round emits events in this sequence: + + 1. `reasoning` (potentially multiple, some transient) + 2. `tool_call` (if tools are used) + 3. `tool_progress` (zero or more progress updates) + 4. `tool_result` (when tool completes) + 5. `thinking_complete` + 6. `message_chunk` (multiple, as text streams) + 7. `message_complete` + 8. `round_complete` + +

[Required authorization] Route required privileges: agentBuilder:read. + operationId: post-agent-builder-converse-async + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryFindSortField - default: '@timestamp' - - description: >- - Sort order direction `asc` for ascending or `desc` for descending. - Defaults to `desc`. - example: desc + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + converseAsyncRequestExample: + description: Example request to send a message to the agent as a part of the conversation + value: + agent_id: elastic-ai-agent + conversation_id: c250305b-1929-4248-b568-b9e3f065fda5 + input: Hello + converseAsyncRequestInferenceExample: + description: Example using inference_id (mutually exclusive with connector_id) + value: + agent_id: elastic-ai-agent + inference_id: my-inference-endpoint-id + input: Hello + schema: + additionalProperties: false + type: object + properties: + _execution_mode: + description: '**Experimental; added in 9.4.0.** define how to execute the agent (local execution or via task_manager)' + enum: + - local + - task_manager + type: string + action: + description: The action to perform. "regenerate" re-executes the last round with the original input. Requires conversation_id. + enum: + - regenerate + type: string + agent_id: + default: elastic-ai-agent + description: The ID of the agent to chat with. Defaults to the default Elastic AI agent. + type: string + attachments: + description: '**Technical Preview; added in 9.3.0.** Optional attachments to send with the message.' + items: + additionalProperties: false + type: object + properties: + data: + additionalProperties: + nullable: true + description: Payload of the attachment. Required unless `origin` is provided (content is resolved once at send time). 
+ type: object + hidden: + description: When true, the attachment will not be displayed in the UI. + type: boolean + id: + description: Optional id for the attachment. + type: string + origin: + description: Origin string (for example, saved object ID) for by-reference attachments. When provided without `data`, the content is resolved once using the attachment type’s `resolve` hook. + type: string + type: + description: Type of the attachment. + type: string + required: + - type + type: array + browser_api_tools: + description: Optional browser API tools to be registered as LLM tools with browser.* namespace. These tools execute on the client side. + items: + additionalProperties: false + type: object + properties: + description: + description: Description of what the browser API tool does. + type: string + id: + description: Unique identifier for the browser API tool. + type: string + schema: + description: JSON Schema defining the tool parameters (JsonSchema7Type). + nullable: true + required: + - id + - description + - schema + type: array + capabilities: + additionalProperties: false + description: Controls agent capabilities during conversation. Currently supports visualization rendering for tabular tool results. + type: object + properties: + visualizations: + description: When true, allows the agent to render tabular data from tool results as interactive visualizations using custom XML elements in responses. + type: boolean + configuration_overrides: + additionalProperties: false + description: Runtime configuration overrides. These override the stored agent configuration for this execution only. + type: object + properties: + instructions: + description: Custom instructions for the agent. + type: string + tools: + description: Tool selection to enable for this execution. 
+ items: + additionalProperties: false + type: object + properties: + tool_ids: + items: + type: string + type: array + required: + - tool_ids + type: array + connector_id: + description: Optional connector ID for the agent to use for model routing. Mutually exclusive with `inference_id`; omit or use only one. + nullable: true + type: string + conversation_id: + description: Optional existing conversation ID to continue a previous conversation. + type: string + inference_id: + description: Optional inference endpoint ID for model routing (public alias for the same internal identifier as `connector_id`). Mutually exclusive with `connector_id`. + nullable: true + type: string + input: + description: The user input message to send to the agent. + type: string + prompts: + additionalProperties: + additionalProperties: false + type: object + properties: + allow: + type: boolean + required: + - allow + description: Can be used to respond to a confirmation prompt. + type: object + responses: + '200': + content: + text/event-stream: + examples: + converseAsyncResponseExample: + description: Example stream containing the chain of events representing a conversation with the agent + value: + - data: + data: + conversation_id: c250305b-1929-4248-b568-b9e3f065fda5 + event: conversation_id_set + - data: + data: + reasoning: Starting with a general search to understand what content is available. + event: reasoning + - data: + data: + params: + query: latest documents + tool_call_id: tooluse__2aJELgyRYqD8SDOKSiwtg + tool_id: platform.core.search + event: tool_call + - data: + data: + results: + - data: + message: Could not figure out which index to use + type: error + tool_call_id: tooluse__2aJELgyRYqD8SDOKSiwtg + event: tool_result + - data: + data: + round: + id: a5692d54-bc06-4a6e-aea1-412779c73f66 + input: + message: Hello + response: + message: Hello! How can I help you today? 
+ event: round_complete + description: Indicates a successful response + summary: Send chat message (streaming) + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/agent_builder/converse/async" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "input": "Hello again let us have an async chat", + "agent_id": "elastic-ai-agent", + "conversation_id": "" + }' + - lang: Console + source: | + POST kbn://api/agent_builder/converse/async + { + "input": "Hello again let's have an async chat", + "agent_id": "elastic-ai-agent", + "conversation_id": "" + } + x-state: Added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + /api/agent_builder/mcp: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/agent_builder/mcp
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + > warn + > This endpoint is designed for MCP clients (Claude Desktop, Cursor, VS Code, etc.) and should not be used directly via REST APIs. Use MCP Inspector or native MCP clients instead. + To learn more about the Agent Builder MCP server, refer to the [MCP documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/mcp-server).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: post-agent-builder-mcp + parameters: + - description: Comma-separated list of namespaces to filter tools. Only tools matching the specified namespaces will be returned. in: query - name: sort_order + name: namespace required: false schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_SortOrder' - default: desc - - description: >- - Start of the time range for the search. Accepts absolute timestamps - (ISO 8601) or relative date math (e.g. "now-7d"). - example: now-24h - in: query - name: start - required: false + type: string + requestBody: + content: + application/json: + examples: + mcpInitializeRequestExample: + description: 'WARNING: DO NOT USE THIS ENDPOINT VIA REST API. These examples are auto-generated and should not be run. Integrate with MCP using MCP Inspector or native MCP clients (Claude Desktop, Cursor, VS Code) instead.' + value: + id: 1 + jsonrpc: '2.0' + method: initialize + params: + capabilities: {} + clientInfo: + name: test-client + version: 1.0.0 + protocolVersion: '2024-11-05' + schema: {} + responses: + '200': + content: + application/json: + examples: + mcpInitializeResponseExample: + description: Example response showing the successful result of communication initialisation over MCP protocol + value: + id: 1 + jsonrpc: '2.0' + result: + capabilities: + tools: + listChanged: true + protocolVersion: '2024-11-05' + serverInfo: + name: elastic-mcp-server + version: 0.0.1 + description: Indicates a successful response + summary: MCP server + tags: + - agent builder + x-state: Added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + /api/agent_builder/plugins: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/agent_builder/plugins
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all installed plugins and their managed assets. Plugins are installable packages that bundle agent capabilities such as skills, following the [Claude agent plugin specification](https://code.claude.com/docs/en/plugins). To learn more about Agent Builder plugins, refer to the [plugins documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/plugins).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-plugins + parameters: [] + responses: + '200': + content: + application/json: + examples: + listPluginsResponseExample: + description: Example response that returns one installed plugin + value: + results: + - created_at: '2025-01-01T00:00:00.000Z' + description: Financial analysis tools and skills for Claude + id: financial-analysis + manifest: + author: + name: Anthropic + url: https://www.anthropic.com + keywords: + - finance + - analysis + repository: https://github.com/anthropics/financial-services-plugins + name: financial-analysis + skill_ids: + - financial-analysis-analyze-portfolio + source_url: https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis + unmanaged_assets: + agents: [] + hooks: [] + lsp_servers: [] + mcp_servers: [] + output_styles: [] + updated_at: '2025-01-01T00:00:00.000Z' + version: 1.0.0 + description: Indicates a successful response + summary: List plugins + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/agent_builder/plugins" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/agent_builder/plugins + x-state: Experimental; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/agent_builder/plugins/{pluginId}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/agent_builder/plugins/{pluginId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete an installed plugin by ID. This action cannot be undone. To learn more about Agent Builder plugins, refer to the [plugins documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/plugins).

[Required authorization] Route required privileges: agentBuilder:write. + operationId: delete-agent-builder-plugins-pluginid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: + example: 'true' type: string - - description: >- - Filter by alert workflow status. Provide one or more of the allowed - workflow states. - example: - - open - - acknowledged - in: query - name: status - required: false + - description: The unique identifier of the plugin. + in: path + name: pluginId + required: true schema: - items: - enum: - - acknowledged - - closed - - open - type: string - type: array - - description: >- - When true, return the created Attack discoveries with text - replacements applied to the detailsMarkdown, entitySummaryMarkdown, - summaryMarkdown, and title fields. Defaults to `true`. - example: true + type: string + - description: If true, removes the plugin skills from agents that use them and then deletes the plugin. If false and any agent uses the plugin skills, the request returns 409 Conflict with the list of agents. in: query - name: with_replacements + name: force required: false schema: - default: true + default: false type: boolean responses: '200': content: application/json: examples: - AttackDiscoveryFindResponse200Example: - summary: >- - Paginated list of Attack discoveries matching the search - criteria. + deletePluginResponseExample: + description: Example response showing that deletion of the plugin has been successful value: - connector_names: - - GPT-5 Chat - data: - - connector_name: GPT-5 Chat - id: >- - c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f - title: Suspicious process execution on host-01 - page: 1 - per_page: 10 - total: 1 - unique_alert_ids_count: 0 - schema: - type: object - properties: - connector_names: - description: >- - List of human readable connector names that are present in - the matched Attack discoveries. 
Useful for building client - filters or summaries. - items: - type: string - type: array - data: - description: >- - Array of matched Attack discovery objects. Each item - follows the `AttackDiscoveryApiAlert` schema. - items: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiAlert - type: array - page: - description: Current page number of the paginated result set. - type: integer - per_page: - description: Number of items requested per page. - type: integer - total: - description: >- - Total number of Attack discoveries matching the query - (across all pages). - type: integer - unique_alert_ids: - description: >- - List of unique alert IDs aggregated from the matched - Attack discoveries. Only present if - `include_unique_alert_ids=true` in the request. - items: - type: string - type: array - unique_alert_ids_count: - description: >- - Number of unique alert IDs across all matched Attack - discoveries. Only present if - `include_unique_alert_ids=true` in the request. - type: integer - required: - - connector_names - - data - - page - - per_page - - total - - unique_alert_ids_count - description: Indicates a successful call. - '400': + success: true + description: Indicates a successful response + summary: Delete a plugin + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X DELETE "${KIBANA_URL}/api/agent_builder/plugins/{id}" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" + - lang: Console + source: | + DELETE kbn://api/agent_builder/plugins/{id} + x-state: Experimental; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/agent_builder/plugins/{pluginId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a specific plugin by ID. To learn more about Agent Builder plugins, refer to the [plugins documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/plugins).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-plugins-pluginid + parameters: + - description: The unique identifier of the plugin. + in: path + name: pluginId + required: true + schema: + type: string + responses: + '200': content: application/json: examples: - AttackDiscoveryFindResponse400Example: - summary: >- - Bad Request error returned when find query parameters are - invalid. + getPluginByIdResponseExample: + description: Example response returning a single installed plugin value: - error: Bad Request - message: Invalid request payload. - status_code: 400 - schema: - type: object - properties: - error: - description: Error type - example: Bad Request - type: string - message: - description: Human-readable error message - example: Invalid request payload. - type: string - status_code: - description: HTTP status code - example: 400 - type: number - description: Bad Request response. - summary: Find Attack discoveries that match the search criteria + created_at: '2025-01-01T00:00:00.000Z' + description: Financial analysis tools and skills for Claude + id: financial-analysis + manifest: + author: + name: Anthropic + url: https://www.anthropic.com + keywords: + - finance + - analysis + repository: https://github.com/anthropics/financial-services-plugins + name: financial-analysis + skill_ids: + - financial-analysis-analyze-portfolio + source_url: https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis + unmanaged_assets: + agents: [] + hooks: [] + lsp_servers: [] + mcp_servers: [] + output_styles: [] + updated_at: '2025-01-01T00:00:00.000Z' + version: 1.0.0 + description: Indicates a successful response + summary: Get a plugin by id tags: - - Security Attack discovery API + - agent builder x-codeSamples: - - label: Example request - lang: curl + - lang: curl source: | curl \ - --request GET 
'http://localhost:5601/api/attack_discovery/_find?end=now&include_unique_alert_ids=false&page=1&per_page=10&search=&sort_field=%40timestamp&sort_order=desc&start=now-24h&status=open&status=acknowledged' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" - /api/attack_discovery/_generate: + -X GET "${KIBANA_URL}/api/agent_builder/plugins/{id}" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/agent_builder/plugins/{id} + x-state: Experimental; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/agent_builder/plugins/install: post: - description: >- - Initiates the generation of attack discoveries by analyzing security - alerts using AI. Returns an execution UUID that can be used to track the - generation progress and retrieve results. Results may also be retrieved - via the find endpoint. - operationId: PostAttackDiscoveryGenerate + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/agent_builder/plugins/install
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Install a plugin from a [GitHub Claude plugin URL](https://code.claude.com/docs/en/plugins) or a direct ZIP URL. Plugins bundle agent capabilities such as skills. To learn more about Agent Builder plugins, refer to the [plugins documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/plugins).

[Required authorization] Route required privileges: agentBuilder:write. + operationId: post-agent-builder-plugins-install + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: examples: - PostAttackDiscoveryGenerateRequestBodyExample: - summary: Generate Attack discoveries from alerts in the last 24 hours. + installPluginFromGithubExample: + description: Example request for installing a plugin from a GitHub URL value: - alertsIndexPattern: .alerts-security.alerts-default - anonymizationFields: - - allowed: true - anonymized: true - field: host.name - - allowed: true - anonymized: true - field: user.name - - allowed: true - anonymized: false - field: process.name - apiConfig: - actionTypeId: .gen-ai - connectorId: 12345678-1234-1234-1234-123456789012 - connectorName: GPT-5 Chat - end: now - replacements: {} - size: 100 - start: now-24h - subAction: invokeAI + url: https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis + installPluginFromZipExample: + description: Example request for installing a plugin from a direct zip URL + value: + url: https://my-server.example.com/my-plugin.zip + installPluginWithNameOverrideExample: + description: Example request for installing a plugin with a custom name + value: + plugin_name: my-custom-plugin-name + url: https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenerationConfig - required: true + additionalProperties: false + type: object + properties: + plugin_name: + description: Optional name override for the plugin. Defaults to the manifest name. + type: string + url: + description: URL to install the plugin from (GitHub URL or direct zip URL). 
+ type: string + required: + - url responses: '200': content: application/json: examples: - PostAttackDiscoveryGenerateResponse200Example: - summary: >- - Generation started; use the returned execution UUID to track - progress. - value: - execution_uuid: edd26039-0990-4d9f-9829-2a1fcacb77b5 - schema: - type: object - properties: - execution_uuid: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_NonEmptyString - description: >- - The unique identifier for the attack discovery generation - process. Use this UUID to track the generation progress - and retrieve results via the find endpoint. - example: edd26039-0990-4d9f-9829-2a1fcacb77b5 - required: - - execution_uuid - description: Indicates a successful call. - '400': - content: - application/json: - examples: - PostAttackDiscoveryGenerateResponse400Example: - summary: >- - Bad Request error returned when the generate payload is - invalid. + installPluginResponseExample: + description: Example response returning the definition of the installed plugin value: - error: Bad Request - message: Invalid request parameters. - status_code: 400 - schema: - type: object - properties: - error: - description: Error type - example: Bad Request - type: string - message: - description: Human-readable error message describing what went wrong - example: Invalid request parameters. - type: string - status_code: - description: HTTP status code - example: 400 - type: number - required: - - status_code - - error - - message - description: Bad Request response. 
- summary: Generate attack discoveries from alerts + created_at: '2025-01-01T00:00:00.000Z' + description: Financial analysis tools and skills for Claude + id: financial-analysis + manifest: + author: + name: Anthropic + url: https://www.anthropic.com + keywords: + - finance + - analysis + repository: https://github.com/anthropics/financial-services-plugins + name: financial-analysis + skill_ids: + - financial-analysis-analyze-portfolio + source_url: https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis + unmanaged_assets: + agents: [] + hooks: [] + lsp_servers: [] + mcp_servers: [] + output_styles: [] + updated_at: '2025-01-01T00:00:00.000Z' + version: 1.0.0 + description: Indicates a successful response + summary: Install a plugin tags: - - Security Attack discovery API + - agent builder x-codeSamples: - - label: Example request - lang: curl + - lang: curl source: | curl \ - --request POST 'http://localhost:5601/api/attack_discovery/_generate' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" \ - --data '{ - "alertsIndexPattern": ".alerts-security.alerts-default", - "anonymizationFields": [ - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "@timestamp", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "aKiJW5gB4U27o8XO8oLf" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "Ransomware.feature", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "saiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "Ransomware.files.data", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "sqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "Ransomware.files.entropy", - "allowed": 
true, - "anonymized": false, - "namespace": "default", - "id": "s6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "Ransomware.files.extension", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "tKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "Ransomware.files.metrics", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "taiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "Ransomware.files.operation", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "tqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "Ransomware.files.path", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "t6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "Ransomware.files.score", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "uKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "Ransomware.version", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "uaiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "_id", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "Z6iJW5gB4U27o8XO8oLf" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "agent.id", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "aaiJW5gB4U27o8XO8oLf" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": 
"2025-07-30T13:33:44.029Z", - "field": "cloud.availability_zone", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "aqiJW5gB4U27o8XO8oLf" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "cloud.provider", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "a6iJW5gB4U27o8XO8oLf" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "cloud.region", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "bKiJW5gB4U27o8XO8oLf" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "destination.ip", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "baiJW5gB4U27o8XO8oLf" + -X POST "${KIBANA_URL}/api/agent_builder/plugins/install" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "url": "https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis" + }' + - lang: Console + source: | + POST kbn://api/agent_builder/plugins/install + { + "url": "https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis" + } + x-state: Experimental; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/agent_builder/skills: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/agent_builder/skills
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all available skills (built-in and user-created). To learn more about Agent Builder skills, refer to the [skills documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/skills).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-skills + parameters: + - description: Set to true to include skills from plugins. + in: query + name: include_plugins + required: false + schema: + default: false + type: boolean + responses: + '200': + content: + application/json: + examples: + listSkillsResponseExample: + description: Example response returning a list of skills + value: + results: + - description: A built-in skill provided by the platform. + experimental: false + id: built-in-skill-id + name: Built-in Skill + readonly: true + referenced_content_count: 0 + - description: A user-created skill for data analysis. + experimental: false + id: custom-skill-id + name: Custom Skill + readonly: false + referenced_content_count: 1 + tool_ids: + - platform.core.search + description: Indicates a successful response + summary: List skills + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "https://${KIBANA_URL}/api/agent_builder/skills" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn:/api/agent_builder/skills + x-state: Experimental; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/agent_builder/skills
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new user-defined skill. To learn more about Agent Builder skills, refer to the [skills documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/skills).

[Required authorization] Route required privileges: agentBuilder:manageSkills. + operationId: post-agent-builder-skills + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + createSkillRequestExample: + description: Example request to create a user-defined skill + value: + content: You are an expert data analyst. Use the available tools to query and analyze data. + description: A skill for performing custom data analysis. + id: my-custom-skill + name: Custom Analysis Skill + tool_ids: + - platform.core.search + schema: + additionalProperties: false + type: object + properties: + content: + description: Skill instructions content (markdown). + type: string + description: + description: Description of what the skill does. + type: string + id: + description: Unique identifier for the skill. + type: string + name: + description: Human-readable name for the skill. + type: string + referenced_content: + items: + additionalProperties: false + type: object + properties: + content: + description: Content of the reference. + type: string + name: + description: Name of the referenced content. + type: string + relativePath: + description: Relative path of the referenced content. + type: string + required: + - name + - relativePath + - content + maxItems: 100 + type: array + tool_ids: + default: [] + description: Tool IDs from the tool registry that this skill references. + items: + description: Tool ID from the tool registry. + type: string + maxItems: 100 + type: array + required: + - id + - name + - description + - content + responses: + '200': + content: + application/json: + examples: + createSkillResponseExample: + description: Example response returning the created skill + value: + content: You are an expert data analyst. Use the available tools to query and analyze data. 
+ description: A skill for performing custom data analysis. + experimental: false + id: my-custom-skill + name: Custom Analysis Skill + readonly: false + tool_ids: + - platform.core.search + description: Indicates a successful response + summary: Create a skill + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "https://${KIBANA_URL}/api/agent_builder/skills" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "id": "my-custom-skill", + "name": "Custom Analysis Skill", + "description": "A skill for performing custom data analysis.", + "content": "You are an expert data analyst.", + "tool_ids": ["platform.core.search"] + }' + - lang: Console + source: | + POST kbn:/api/agent_builder/skills + { + "id": "my-custom-skill", + "name": "Custom Analysis Skill", + "description": "A skill for performing custom data analysis.", + "content": "You are an expert data analyst.", + "tool_ids": ["platform.core.search"] + } + x-state: Experimental; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/agent_builder/skills/{skillId}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/agent_builder/skills/{skillId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a user-created skill by ID. If agents still reference the skill, the request returns 409 unless force=true, which removes the skill from agents first. Built-in skills cannot be deleted. To learn more about Agent Builder skills, refer to the [skills documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/skills).

[Required authorization] Route required privileges: agentBuilder:manageSkills. + operationId: delete-agent-builder-skills-skillid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The unique identifier of the skill. + in: path + name: skillId + required: true + schema: + maxLength: 512 + minLength: 1 + type: string + - description: If true, removes the skill from agents that use it and then deletes it. If false and any agent uses the skill, the request returns 409 Conflict with the list of agents. + in: query + name: force + required: false + schema: + default: false + type: boolean + responses: + '200': + content: + application/json: + examples: + deleteSkillResponseExample: + description: Example response showing that the deletion operation was successful + value: + success: true + description: Indicates a successful response + summary: Delete a skill + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X DELETE "https://${KIBANA_URL}/api/agent_builder/skills/{skillId}?force=false" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" + - lang: Console + source: | + DELETE kbn:/api/agent_builder/skills/{skillId} + x-state: Experimental; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/agent_builder/skills/{skillId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a specific skill by ID. To learn more about Agent Builder skills, refer to the [skills documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/skills).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-skills-skillid + parameters: + - description: The unique identifier of the skill. + in: path + name: skillId + required: true + schema: + maxLength: 512 + minLength: 1 + type: string + responses: + '200': + content: + application/json: + examples: + getSkillResponseExample: + description: Example response returning a skill by ID + value: + content: You are an expert data analyst. Use the available tools to query and analyze data. + description: A skill for performing custom data analysis. + experimental: false + id: my-custom-skill + name: Custom Analysis Skill + readonly: false + tool_ids: + - platform.core.search + description: Indicates a successful response + summary: Get a skill by id + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "https://${KIBANA_URL}/api/agent_builder/skills/{skillId}" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn:/api/agent_builder/skills/{skillId} + x-state: Experimental; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/agent_builder/skills/{skillId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an existing user-created skill. To learn more about Agent Builder skills, refer to the [skills documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/skills).

[Required authorization] Route required privileges: agentBuilder:manageSkills. + operationId: put-agent-builder-skills-skillid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The unique identifier of the skill. + in: path + name: skillId + required: true + schema: + maxLength: 512 + minLength: 1 + type: string + requestBody: + content: + application/json: + examples: + updateSkillRequestExample: + description: Example request to update a user-defined skill + value: + content: Updated skill instructions content. + description: Updated description for the skill. + name: Updated Skill Name + tool_ids: + - platform.core.search + - platform.core.execute_esql + schema: + additionalProperties: false + type: object + properties: + content: + description: Updated skill instructions content. + type: string + description: + description: Updated description. + type: string + name: + description: Updated name for the skill. + type: string + referenced_content: + items: + additionalProperties: false + type: object + properties: + content: + description: Content of the reference. + type: string + name: + description: Name of the referenced content. + type: string + relativePath: + description: Relative path of the referenced content. + type: string + required: + - name + - relativePath + - content + maxItems: 100 + type: array + tool_ids: + description: Updated tool IDs from the tool registry. + items: + description: Updated tool ID. + type: string + maxItems: 100 + type: array + responses: + '200': + content: + application/json: + examples: + updateSkillResponseExample: + description: Example response returning the updated skill + value: + content: Updated skill instructions content. + description: Updated description for the skill. 
+ experimental: false + id: my-custom-skill + name: Updated Skill Name + readonly: false + tool_ids: + - platform.core.search + - platform.core.execute_esql + description: Indicates a successful response + summary: Update a skill + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X PUT "https://${KIBANA_URL}/api/agent_builder/skills/{skillId}" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "name": "Updated Skill Name", + "description": "Updated description for the skill." + }' + - lang: Console + source: | + PUT kbn:/api/agent_builder/skills/{skillId} + { + "name": "Updated Skill Name", + "description": "Updated description for the skill." + } + x-state: Experimental; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/agent_builder/tools: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/agent_builder/tools
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all available tools. Use this endpoint to retrieve complete tool definitions including their schemas and configuration requirements. To learn more about Agent Builder tools, refer to the [tools documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/tools).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-tools + parameters: [] + responses: + '200': + content: + application/json: + examples: + listToolsResponseExample: + description: Example response returning a list of existing tools + value: + results: + - configuration: {} + description: |- + A powerful tool for searching and analyzing data within your Elasticsearch cluster. + It supports both full-text relevance searches and structured analytical queries. + + Use this tool for any query that involves finding documents, counting, aggregating, or summarizing data from a known index. + + Examples of queries: + - "find articles about serverless architecture" + - "search for support tickets mentioning 'billing issue' or 'refund request'" + - "what is our policy on parental leave?" + - "list all products where the category is 'electronics'" + - "show me the last 5 documents from that index" + - "show me the sales over the last year break down by month" + + Note: + - The 'index' parameter can be used to specify which index to search against. + If not provided, the tool will decide itself which is the best index to use. + - It is perfectly fine not to specify the 'index' parameter. It should only be specified when you already + know about the index and fields you want to search on, e.g. if the user explicitly specified it. + id: platform.core.search + readonly: true + schema: + $schema: http://json-schema.org/draft-07/schema# + additionalProperties: false + type: object + properties: + index: + description: (optional) Index to search against. If not provided, will automatically select the best index to use based on the query. + type: string + query: + description: A natural language query expressing the search request + type: string + required: + - query + tags: [] + type: builtin + - configuration: {} + description: Retrieve the full content (source) of an Elasticsearch document based on its ID and index name. 
+ id: platform.core.get_document_by_id + readonly: true + schema: + $schema: http://json-schema.org/draft-07/schema# + additionalProperties: false + type: object + properties: + id: + description: ID of the document to retrieve + type: string + index: + description: Name of the index to retrieve the document from + type: string + required: + - id + - index + tags: [] + type: builtin + - configuration: {} + description: |- + Execute an ES|QL query and return the results in a tabular format. + + **IMPORTANT**: This tool only **runs** queries; it does not write them. + Think of this as the final step after a query has been prepared. + + You **must** get the query from one of two sources before calling this tool: + 1. The output of the `platform.core.generate_esql` tool (if the tool is available). + 2. A verbatim query provided directly by the user. + + Under no circumstances should you invent, guess, or modify a query yourself for this tool. + If you need a query, use the `platform.core.generate_esql` tool first. 
+ id: platform.core.execute_esql + readonly: true + schema: + $schema: http://json-schema.org/draft-07/schema# + additionalProperties: false + type: object + properties: + query: + description: The ES|QL query to execute + type: string + required: + - query + tags: [] + type: builtin + - configuration: + params: + limit: + description: Maximum number of results to return + type: integer + startTime: + description: Start time for the analysis in ISO format + type: date + query: FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit + description: Example ES|QL query tool for analyzing financial trades with time filtering + id: example-esql-tool + readonly: false + schema: + $schema: http://json-schema.org/draft-07/schema# + additionalProperties: false + description: Parameters needed to execute the query + type: object + properties: + limit: + description: Maximum number of results to return + type: integer + startTime: + description: Start time for the analysis in ISO format + format: date-time + type: string + required: + - startTime + - limit + tags: + - analytics + - finance + type: esql + - configuration: + pattern: financial_* + description: Search tool specifically for financial data analysis and reporting + id: example-index-search-tool + readonly: false + schema: + $schema: http://json-schema.org/draft-07/schema# + additionalProperties: false + type: object + properties: + nlQuery: + description: A natural language query expressing the search request + type: string + required: + - nlQuery + tags: + - search + - finance + type: index_search + description: Indicates a successful response + summary: List tools + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "https://${KIBANA_URL}/api/agent_builder/tools" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET 
kbn:/api/agent_builder/tools + x-state: Added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/agent_builder/tools
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new tool. Use this endpoint to define a custom tool with specific functionality and configuration for use by agents. To learn more about Agent Builder tools, refer to the [tools documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/tools).

[Required authorization] Route required privileges: agentBuilder:manageTools. + operationId: post-agent-builder-tools + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + createEsqlToolRequest: + description: Example request to create an ESQL query tool with a pre-defined query + value: + configuration: + params: + limit: + description: Maximum number of results to return + type: integer + startTime: + description: Start time for the analysis in ISO format + type: date + query: FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit + description: Example ES|QL query tool for analyzing financial trades with time filtering + id: example-esql-tool + tags: + - analytics + - finance + type: esql + createIndexSearchToolRequest: + description: Example request to create an index_search tool with a pre-defined index pattern + value: + configuration: + pattern: financial_* + description: Search tool specifically for financial data analysis and reporting + id: example-index-search-tool + tags: + - search + - finance + type: index_search + schema: + additionalProperties: false + type: object + properties: + configuration: + additionalProperties: + nullable: true + description: Tool-specific configuration parameters. See examples for details. + type: object + description: + default: '' + description: Description of what the tool does. + type: string + id: + description: Unique identifier for the tool. + type: string + tags: + default: [] + description: Optional tags for categorizing and organizing tools. + items: + description: Tag for categorizing the tool. + type: string + type: array + type: + description: The type of tool to create (e.g., esql, index_search). 
+ enum: + - esql + - index_search + - workflow + - mcp + type: string + required: + - id + - type + - configuration + responses: + '200': + content: + application/json: + examples: + createEsqlToolExample: + description: Example response returning a definition of ESQL tool created + value: + configuration: + params: + limit: + description: Maximum number of results to return + type: integer + startTime: + description: Start time for the analysis in ISO format + type: date + query: FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit + description: Example ES|QL query tool for analyzing financial trades with time filtering + id: example-esql-tool + readonly: false + schema: + $schema: http://json-schema.org/draft-07/schema# + additionalProperties: false + description: Parameters needed to execute the query + type: object + properties: + limit: + description: Maximum number of results to return + type: integer + startTime: + description: Start time for the analysis in ISO format + format: date-time + type: string + required: + - startTime + - limit + tags: + - analytics + - finance + type: esql + createIndexSearchToolExample: + description: Example response returning a definition of search tool tool created + value: + configuration: + pattern: financial_* + description: Search tool specifically for financial data analysis and reporting + id: example-index-search-tool + readonly: false + schema: + $schema: http://json-schema.org/draft-07/schema# + additionalProperties: false + type: object + properties: + nlQuery: + description: A natural language query expressing the search request + type: string + required: + - nlQuery + tags: + - search + - finance + type: index_search + description: Indicates a successful response + summary: Create a tool + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST 
"https://${KIBANA_URL}/api/agent_builder/tools" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "id": "example-esql-tool", + "type": "esql", + "description": "Example ES|QL query tool for analyzing financial trades with time filtering", + "tags": ["analytics", "finance"], + "configuration": { + "query": "FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit", + "params": { + "startTime": { + "type": "date", + "description": "Start time for the analysis in ISO format" + }, + "limit": { + "type": "integer", + "description": "Maximum number of results to return" + } + } + } + }' + - lang: Console + source: | + POST kbn:/api/agent_builder/tools + { + "id": "example-esql-tool", + "type": "esql", + "description": "An ES|QL query tool for analyzing financial trades with time filtering", + "tags": ["analytics", "finance", "updated"], + "configuration": { + "query": "FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit", + "params": { + "startTime": { + "type": "date", + "description": "Start time for the analysis in ISO format" }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "dns.question.name", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "bqiJW5gB4U27o8XO8oLf" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "dns.question.type", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "b6iJW5gB4U27o8XO8oLf" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "event.category", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": 
"cKiJW5gB4U27o8XO8oLf" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "event.dataset", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "caiJW5gB4U27o8XO8oLf" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "event.module", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "cqiJW5gB4U27o8XO8oLf" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "event.outcome", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "c6iJW5gB4U27o8XO8oLf" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "file.Ext.original.path", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "dKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "file.hash.sha256", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "daiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "file.name", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "dqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "file.path", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "d6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "group.id", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "eKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "group.name", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": 
"eaiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "host.asset.criticality", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "eqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "host.name", - "allowed": true, - "anonymized": true, - "namespace": "default", - "id": "e6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "host.os.name", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "fKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "host.os.version", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "faiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "host.risk.calculated_level", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "fqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "host.risk.calculated_score_norm", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "f6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "kibana.alert.original_time", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "gKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "kibana.alert.risk_score", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "gaiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "kibana.alert.rule.description", - 
"allowed": true, - "anonymized": false, - "namespace": "default", - "id": "gqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "kibana.alert.rule.name", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "g6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "kibana.alert.rule.references", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "hKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "kibana.alert.rule.threat.framework", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "haiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "kibana.alert.rule.threat.tactic.id", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "hqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "kibana.alert.rule.threat.tactic.name", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "h6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "kibana.alert.rule.threat.tactic.reference", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "iKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "kibana.alert.rule.threat.technique.id", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "iaiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "kibana.alert.rule.threat.technique.name", - "allowed": true, - "anonymized": false, - "namespace": 
"default", - "id": "iqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "kibana.alert.rule.threat.technique.reference", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "i6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "kibana.alert.rule.threat.technique.subtechnique.id", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "jKiJW5gB4U27o8XO8oLg" + "limit": { + "type": "integer", + "description": "Maximum number of results to return" + } + } + } + } + x-state: Added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + /api/agent_builder/tools/_execute: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/agent_builder/tools/_execute
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Run a tool with parameters. Use this endpoint to run a tool directly with specified inputs and optional external connector integration. To learn more about Agent Builder tools, refer to the [tools documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/tools).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: post-agent-builder-tools-execute + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + executeBuiltinEsqlToolRequest: + description: Example request executing platform.core.execute_esql tool + value: + tool_id: platform.core.execute_esql + tool_params: + query: FROM financial_trades | LIMIT 3 + executeBuiltinToolRequest: + description: Example request executing platform.core.get_document_by_id tool + value: + tool_id: platform.core.get_document_by_id + tool_params: + id: TRD-20250805-0820a89f + index: financial_trades + executeCustomEsqlToolRequest: + description: Example request executing custom example-esql-tool tool + value: + tool_id: example-esql-tool + tool_params: + limit: 3 + startTime: '2024-01-01T00:00:00Z' + executeIndexSearchToolRequest: + description: Example request executing custom example-index-search-tool tool + value: + tool_id: example-index-search-tool + tool_params: + nlQuery: find trades with high execution prices above 100 + schema: + additionalProperties: false + type: object + properties: + connector_id: + description: Optional connector ID for tools that require external integrations. + type: string + tool_id: + description: The ID of the tool to execute. + type: string + tool_params: + additionalProperties: + nullable: true + description: Parameters to pass to the tool execution. 
See examples for details + type: object + required: + - tool_id + - tool_params + responses: + '200': + content: + application/json: + examples: + executeBuiltinEsqlToolExample: + description: Example response calling built-in platform.core.execute_esql tool + value: + results: + - data: + esql: FROM financial_trades | LIMIT 3 + type: query + - data: + columns: + - name: account_id + type: keyword + - name: execution_price + type: double + - name: symbol + type: keyword + - name: trade_type + type: keyword + query: FROM financial_trades | LIMIT 3 + source: esql + values: + - - ACC00179-1f91 + - 43.77000045776367 + - CVX + - sell + - - ACC00407-0bbb + - 660.4199829101562 + - V + - buy + - - ACC00179-1f91 + - 440.3599853515625 + - KO + - buy + tool_result_id: xTpT + type: esql_results + executeBuiltinToolExample: + description: Example response calling built-in platform.core.get_document_by_id tool + value: + results: + - data: + content: + account_id: ACC00271-fb5c + execution_price: 488.54 + execution_timestamp: '2025-08-05T08:04:11.649855' + last_updated: '2025-09-15T13:23:36' + order_status: executed + order_type: market + quantity: 131 + status_reason: fully_filled + symbol: EWL + trade_cost: 63998.74 + trade_id: TRD-20250805-0820a89f + trade_type: sell + partial: false + reference: + id: TRD-20250805-0820a89f + index: financial_trades + type: resource + executeCustomEsqlToolExample: + description: Example response calling custom example-esql-tool tool + value: + results: + - data: + columns: + - name: trade_count + type: long + - name: avg_price + type: double + - name: symbol + type: keyword + query: FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit + source: esql + values: + - - 2115 + - 89.33911587329621 + - US_T_BOND_20YR + - - 2112 + - 104.20854155945055 + - INTL_CORP_ASIA_D + - - 2105 + - 89.93244177666526 + - INTL_CORP_EU_B + 
tool_result_id: Voy8 + type: esql_results + executeIndexSearchToolExample: + description: Example response calling custom example-index-search-tool tool + value: + results: + - data: + esql: |- + FROM financial_trades + | WHERE execution_price > 100 + | LIMIT 100 + type: query + - data: + columns: + - name: account_id + type: keyword + - name: execution_price + type: double + - name: execution_timestamp + type: date + - name: symbol + type: keyword + - name: trade_type + type: keyword + query: |- + FROM financial_trades + | WHERE execution_price > 100 + | LIMIT 100 + source: esql + values: + - - ACC00407-0bbb + - 660.4199829101562 + - '2020-09-25T11:06:08.687Z' + - V + - buy + - - ACC00179-1f91 + - 440.3599853515625 + - '2025-08-07T21:56:45.377Z' + - KO + - buy + - - ACC00407-0bbb + - 132.8800048828125 + - '2020-11-19T04:39:13.655Z' + - JAP_JGB_10YR + - sell + tool_result_id: uE8y + type: esql_results + description: Indicates a successful response + summary: Run a tool + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "https://${KIBANA_URL}/api/agent_builder/tools/_execute" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "tool_id": "platform.core.search", + "tool_params": { + "query": "can you find john doe's email from the employee index?"} + } + }' + - lang: Console + source: | + POST kbn:/api/agent_builder/tools/_execute + { + "tool_id": "platform.core.search", + "tool_params": { + "query": "can you find john doe's email from the employee index?" + } + } + x-state: Added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + /api/agent_builder/tools/{toolId}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/agent_builder/tools/{toolId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a tool by ID. This action cannot be undone. To learn more about Agent Builder tools, refer to the [tools documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/tools).

[Required authorization] Route required privileges: agentBuilder:manageTools. + operationId: delete-agent-builder-tools-toolid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The unique identifier of the tool to delete. + in: path + name: toolId + required: true + schema: + type: string + - description: If true, removes the tool from agents that use it and then deletes it. If false and any agent uses the tool, the request returns 409 Conflict with the list of agents. + in: query + name: force + required: false + schema: + default: false + type: boolean + responses: + '200': + content: + application/json: + examples: + deleteAgentResponseExample: + description: Example response showing that the deletion operation was successful + value: + success: true + description: Indicates a successful response + summary: Delete a tool + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X DELETE "https://${KIBANA_URL}/api/agent_builder/tools/{toolId}" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" + - lang: Console + source: | + DELETE kbn:/api/agent_builder/tools/{toolId} + x-state: Added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/agent_builder/tools/{toolId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a specific tool by ID. Use this endpoint to retrieve the complete tool definition including its schema and configuration requirements. To learn more about Agent Builder tools, refer to the [tools documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/tools).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-tools-toolid + parameters: + - description: The unique identifier of the tool to retrieve. + in: path + name: toolId + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getBuiltinToolExample: + description: Example response returning built-in platform.core.search tool + value: + configuration: {} + description: |- + A powerful tool for searching and analyzing data within your Elasticsearch cluster. + It supports both full-text relevance searches and structured analytical queries. + + Use this tool for any query that involves finding documents, counting, aggregating, or summarizing data from a known index. + + Examples of queries: + - "find articles about serverless architecture" + - "search for support tickets mentioning 'billing issue' or 'refund request'" + - "what is our policy on parental leave?" + - "list all products where the category is 'electronics'" + - "show me the last 5 documents from that index" + - "show me the sales over the last year break down by month" + + Note: + - The 'index' parameter can be used to specify which index to search against. + If not provided, the tool will decide itself which is the best index to use. + - It is perfectly fine not to specify the 'index' parameter. It should only be specified when you already + know about the index and fields you want to search on, e.g. if the user explicitly specified it. + id: platform.core.search + readonly: true + schema: + $schema: http://json-schema.org/draft-07/schema# + additionalProperties: false + type: object + properties: + index: + description: (optional) Index to search against. If not provided, will automatically select the best index to use based on the query. 
+ type: string + query: + description: A natural language query expressing the search request + type: string + required: + - query + tags: [] + type: builtin + getEsqlToolExample: + description: Example response returning custom example-esql-tool tool + value: + configuration: + params: + limit: + description: Maximum number of results to return + type: integer + startTime: + description: Start time for the analysis in ISO format + type: date + query: FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit + description: Example ES|QL query tool for analyzing financial trades with time filtering + id: example-esql-tool + readonly: false + schema: + $schema: http://json-schema.org/draft-07/schema# + additionalProperties: false + description: Parameters needed to execute the query + type: object + properties: + limit: + description: Maximum number of results to return + type: integer + startTime: + description: Start time for the analysis in ISO format + format: date-time + type: string + required: + - startTime + - limit + tags: + - analytics + - finance + type: esql + getIndexSearchToolExample: + description: Example response returning custom example-index-search-tool tool + value: + configuration: + pattern: financial_* + description: Search tool specifically for financial data analysis and reporting + id: example-index-search-tool + readonly: false + schema: + $schema: http://json-schema.org/draft-07/schema# + additionalProperties: false + type: object + properties: + nlQuery: + description: A natural language query expressing the search request + type: string + required: + - nlQuery + tags: + - search + - finance + type: index_search + description: Indicates a successful response + summary: Get a tool by id + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET 
"https://${KIBANA_URL}/api/agent_builder/tools/{toolId}" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn:/api/agent_builder/tools/{toolId} + x-state: Added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/agent_builder/tools/{toolId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an existing tool. Use this endpoint to modify any aspect of the tool's configuration or metadata. To learn more about Agent Builder tools, refer to the [tools documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/tools).

[Required authorization] Route required privileges: agentBuilder:manageTools. + operationId: put-agent-builder-tools-toolid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The unique identifier of the tool to update. + in: path + name: toolId + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + updateEsqlToolRequest: + description: Example request to update the custom ESQL tool + value: + configuration: + params: + limit: + description: Maximum number of results to return + type: integer + startTime: + description: Start time for the analysis in ISO format + type: date + symbolPattern: + description: Pattern to filter symbols (e.g., 'US_*' for US instruments) + type: keyword + query: FROM financial_trades | WHERE execution_timestamp >= ?startTime AND symbol LIKE ?symbolPattern | STATS trade_count=COUNT(*), avg_price=AVG(execution_price), total_volume=SUM(quantity) BY symbol | SORT trade_count DESC | LIMIT ?limit + description: Updated ES|QL query tool for comprehensive financial analysis with enhanced filtering + tags: + - analytics + - finance + - reporting + updateIndexSearchToolRequest: + description: Example request to update the custom Search tool + value: + description: Updated search tool for comprehensive financial data analysis, reporting, and compliance monitoring + tags: + - search + - finance + - compliance + - reporting + schema: + additionalProperties: false + type: object + properties: + configuration: + additionalProperties: + nullable: true + description: Updated tool-specific configuration parameters. See examples for details. + type: object + description: + description: Updated description of what the tool does. + type: string + tags: + description: Updated tags for categorizing and organizing tools. 
+ items: + description: Updated tag for categorizing the tool. + type: string + type: array + responses: + '200': + content: + application/json: + examples: + updateEsqlToolExample: + description: Example response showing the updated ESQL tool + value: + configuration: + params: + limit: + description: Maximum number of results to return + type: integer + startTime: + description: Start time for the analysis in ISO format + type: date + symbolPattern: + description: Pattern to filter symbols (e.g., 'US_*' for US instruments) + type: keyword + query: FROM financial_trades | WHERE execution_timestamp >= ?startTime AND symbol LIKE ?symbolPattern | STATS trade_count=COUNT(*), avg_price=AVG(execution_price), total_volume=SUM(quantity) BY symbol | SORT trade_count DESC | LIMIT ?limit + description: Updated ES|QL query tool for comprehensive financial analysis with enhanced filtering + id: example-esql-tool + readonly: false + schema: + $schema: http://json-schema.org/draft-07/schema# + additionalProperties: false + description: Parameters needed to execute the enhanced query + type: object + properties: + limit: + description: Maximum number of results to return + type: integer + startTime: + description: Start time for the analysis in ISO format + format: date-time + type: string + symbolPattern: + description: Pattern to filter symbols (e.g., 'US_*' for US instruments) + type: string + required: + - startTime + - symbolPattern + - limit + tags: + - analytics + - finance + - reporting + type: esql + updateIndexSearchToolExample: + description: Example response showing the updated Search tool + value: + configuration: + pattern: financial_* + description: Updated search tool for comprehensive financial data analysis, reporting, and compliance monitoring + id: example-index-search-tool + readonly: false + schema: + $schema: http://json-schema.org/draft-07/schema# + additionalProperties: false + type: object + properties: + nlQuery: + description: A natural language query 
expressing the search request + type: string + required: + - nlQuery + tags: + - search + - finance + - compliance + - reporting + type: index_search + description: Indicates a successful response + summary: Update a tool + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X PUT "https://${KIBANA_URL}/api/agent_builder/tools/{toolId}" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "description": "Updated ES|QL query tool for analyzing financial trades with time filtering", + "tags": ["analytics", "finance", "updated"], + "configuration": { + "query": "FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit", + "params": { + "startTime": { + "type": "date", + "description": "Start time for the analysis in ISO format" + }, + "limit": { + "type": "integer", + "description": "Maximum number of results to return" + } + } + } + }' + - lang: Console + source: | + PUT kbn:/api/agent_builder/tools/{toolId} + { + "description": "Updated ES|QL query tool for analyzing financial trades with time filtering", + "tags": ["analytics", "finance", "updated"], + "configuration": { + "query": "FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit", + "params": { + "startTime": { + "type": "date", + "description": "Start time for the analysis in ISO format" }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "kibana.alert.rule.threat.technique.subtechnique.name", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "jaiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": 
"kibana.alert.rule.threat.technique.subtechnique.reference", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "jqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "kibana.alert.severity", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "j6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "kibana.alert.workflow_status", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "kKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "message", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "kaiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "network.protocol", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "kqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.Ext.memory_region.bytes_compressed_present", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "nKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.Ext.memory_region.malware_signature.all_names", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "naiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.Ext.memory_region.malware_signature.primary.matches", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "nqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": 
"process.Ext.memory_region.malware_signature.primary.signature.name", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "n6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.Ext.token.integrity_level_name", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "oKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.args", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "k6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.code_signature.exists", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "lKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.code_signature.signing_id", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "laiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.code_signature.status", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "lqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.code_signature.subject_name", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "l6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.code_signature.trusted", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "mKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.command_line", - "allowed": true, - 
"anonymized": false, - "namespace": "default", - "id": "maiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.executable", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "mqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.exit_code", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "m6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.hash.md5", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "oaiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.hash.sha1", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "oqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.hash.sha256", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "o6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.name", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "pKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.parent.args", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "paiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.parent.args_count", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "pqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": 
"process.parent.code_signature.exists", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "p6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.parent.code_signature.status", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "qKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.parent.code_signature.subject_name", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "qaiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.parent.code_signature.trusted", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "qqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.parent.command_line", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "q6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.parent.executable", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "rKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.parent.name", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "raiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.pe.original_file_name", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "rqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.pid", - "allowed": true, - "anonymized": false, - "namespace": 
"default", - "id": "r6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "process.working_directory", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "sKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "rule.name", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "uqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "rule.reference", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "u6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "source.ip", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "vKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "threat.framework", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "vaiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "threat.tactic.id", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "vqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "threat.tactic.name", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "v6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "threat.tactic.reference", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "wKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "threat.technique.id", - "allowed": true, - 
"anonymized": false, - "namespace": "default", - "id": "waiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "threat.technique.name", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "wqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "threat.technique.reference", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "w6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "threat.technique.subtechnique.id", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "xKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "threat.technique.subtechnique.name", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "xaiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "threat.technique.subtechnique.reference", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "xqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "user.asset.criticality", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "x6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "user.domain", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "yKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "user.name", - "allowed": true, - "anonymized": true, - "namespace": "default", - "id": "yaiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - 
"createdAt": "2025-07-30T13:33:44.029Z", - "field": "user.risk.calculated_level", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "yqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "user.risk.calculated_score_norm", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "y6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "user.target.name", - "allowed": true, - "anonymized": true, - "namespace": "default", - "id": "zKiJW5gB4U27o8XO8oLg" + "limit": { + "type": "integer", + "description": "Maximum number of results to return" } - ], - "replacements": {}, - "size": 100, - "subAction": "invokeAI", - "apiConfig": { - "connectorId": "12345678-1234-1234-1234-123456789012", - "actionTypeId": ".gen-ai" - }, - "connectorName": "GPT-5 Chat", - "end": "now", - "start": "now-24h" - }' - /api/attack_discovery/generations: + } + } + } + x-state: Added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + /api/alerting/_health: get: - description: >- - Get the latest Attack Discovery generations metadata (that are not - dismissed) for the current user. This endpoint retrieves generation - metadata including execution status and statistics for Attack Discovery - generations. - operationId: GetAttackDiscoveryGenerations - parameters: - - description: >- - End of the time range for filtering generations. Accepts absolute - timestamps (ISO 8601) or relative date math (e.g. "now", "now-24h"). - example: now - in: query - name: end - required: false - schema: - type: string - - description: The maximum number of generations to retrieve - example: 50 - in: query - name: size - required: false - schema: - default: 50 - minimum: 1 - type: number - - description: >- - Start of the time range for filtering generations. 
Accepts absolute - timestamps (ISO 8601) or relative date math (e.g. "now-7d"). - example: now-24h - in: query - name: start - required: false - schema: - type: string + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/alerting/_health
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + You must have `read` privileges for the **Management > Stack Rules** feature or for at least one of the **Analytics > Discover**, **Analytics > Machine Learning**, **Observability**, or **Security** features. + operationId: getAlertingHealth responses: '200': content: application/json: examples: - GetAttackDiscoveryGenerationsResponse200Example: - summary: >- - Latest Attack Discovery generation metadata for the current - user. - value: - generations: - - alerts_context_count: 75 - connector_id: chatGpt5_0ChatAzure - discoveries: 3 - end: '2025-09-29T06:42:44.810Z' - execution_uuid: 46b218d5-535d-4329-be56-d0f6af6986b7 - loading_message: >- - AI is analyzing up to 100 alerts in the last 24 hours - to generate discoveries. - start: '2025-09-29T06:42:08.962Z' - status: succeeded + getAlertingHealthResponse: + $ref: '#/components/examples/Alerting_get_health_response' schema: type: object properties: - generations: - description: List of Attack Discovery generations - items: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGeneration - type: array - required: - - generations + alerting_framework_health: + description: | + Three substates identify the health of the alerting framework: `decryption_health`, `execution_health`, and `read_health`. + type: object + properties: + decryption_health: + description: The timestamp and status of the rule decryption. + type: object + properties: + status: + enum: + - error + - ok + - warn + example: ok + type: string + timestamp: + example: '2023-01-13T01:28:00.280Z' + format: date-time + type: string + execution_health: + description: The timestamp and status of the rule run. 
+ type: object + properties: + status: + enum: + - error + - ok + - warn + example: ok + type: string + timestamp: + example: '2023-01-13T01:28:00.280Z' + format: date-time + type: string + read_health: + description: The timestamp and status of the rule reading events. + type: object + properties: + status: + enum: + - error + - ok + - warn + example: ok + type: string + timestamp: + example: '2023-01-13T01:28:00.280Z' + format: date-time + type: string + has_permanent_encryption_key: + description: If `false`, the encrypted saved object plugin does not have a permanent encryption key. + example: true + type: boolean + is_sufficiently_secure: + description: If `false`, security is enabled but TLS is not. + example: true + type: boolean description: Indicates a successful call. - '400': + '401': content: application/json: examples: - GetAttackDiscoveryGenerationsResponse400Example: - summary: >- - Bad Request error returned when the size parameter is - invalid. - value: - error: Bad Request - message: Invalid size parameter. Must be a positive number. - status_code: 400 + healthUnauthorizedResponse: + $ref: '#/components/examples/Alerting_401_health_response' schema: - type: object - properties: - error: - description: Error type - example: Bad Request - type: string - message: - description: Human-readable error message - example: Invalid size parameter. Must be a positive number. - type: string - status_code: - description: HTTP status code - example: 400 - type: number - description: Bad Request response. - summary: >- - Get the latest Attack Discovery generations metadata for the current - user + $ref: '#/components/schemas/Alerting_401_response' + description: Authorization information is missing or invalid. 
+ summary: Get the alerting framework health tags: - - Security Attack discovery API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request GET 'http://localhost:5601/api/attack_discovery/generations?size=50&start=now-24h&end=now' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" - /api/attack_discovery/generations/{execution_uuid}: + - alerting + x-metaTags: + - content: Kibana + name: product_name + /api/alerting/rule_types: get: - description: >- - Returns a specific Attack Discovery generation, including all generated - Attack discoveries and associated metadata, including execution status - and statistics. - operationId: GetAttackDiscoveryGeneration - parameters: - - description: >- - The unique identifier for the Attack Discovery generation execution. - This UUID is returned at the start of an Attack Discovery - generation. - example: 2e13f386-46cf-4d65-9e2b-68609e132ba5 - in: path - name: execution_uuid - required: true - schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' - - description: >- - Enables a markdown syntax used to render pivot fields, for example - `{{ user.name james }}`. When disabled, the same example would be - rendered as `james`. This is primarily used for Attack Discovery - views within Kibana. Defaults to `false`. - example: false - in: query - name: enable_field_rendering - required: false - schema: - default: false - type: boolean - - description: >- - When true, return the created Attack discoveries with text - replacements applied to the detailsMarkdown, entitySummaryMarkdown, - summaryMarkdown, and title fields. Defaults to `true`. - example: true - in: query - name: with_replacements - required: false - schema: - default: true - type: boolean + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/alerting/rule_types
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + If you have `read` privileges for one or more Kibana features, the API response contains information about the appropriate rule types. For example, there are rule types associated with the **Management > Stack Rules** feature, **Analytics > Discover** and **Machine Learning** features, **Observability** features, and **Security** features. To get rule types associated with the **Stack Monitoring** feature, use the `monitoring_user` built-in role. + operationId: getRuleTypes responses: '200': content: application/json: examples: - GetAttackDiscoveryGenerationResponse200Example: - summary: >- - Single Attack Discovery generation with its discoveries and - metadata. - value: - data: - - id: >- - c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f - title: Suspicious process execution on host-01 - generation: - alerts_context_count: 50 - discoveries: 1 - end: '2025-09-29T06:42:44.810Z' - execution_uuid: 2e13f386-46cf-4d65-9e2b-68609e132ba5 - start: '2025-09-29T06:42:08.962Z' - status: succeeded + getRuleTypesResponse: + $ref: '#/components/examples/Alerting_get_rule_types_response' schema: - type: object - properties: - data: - description: >- - Array of Attack discoveries generated during this - execution. - items: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiAlert - type: array - generation: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGeneration - description: >- - Optional metadata about the attack discovery generation - process, metadata including execution status and - statistics. This metadata may not be available for all - generations. - required: - - data + items: + type: object + properties: + action_groups: + description: | + An explicit list of groups for which the rule type can schedule actions, each with the action group's unique ID and human readable name. 
Rule actions validation uses this configuration to ensure that groups are valid. + items: + type: object + properties: + id: + type: string + name: + type: string + type: array + action_variables: + description: | + A list of action variables that the rule type makes available via context and state in action parameter templates, and a short human readable description. When you create a rule in Kibana, it uses this information to prompt you for these variables in action parameter editors. + type: object + properties: + context: + items: + type: object + properties: + description: + type: string + name: + type: string + useWithTripleBracesInTemplates: + type: boolean + type: array + params: + items: + type: object + properties: + description: + type: string + name: + type: string + type: array + state: + items: + type: object + properties: + description: + type: string + name: + type: string + type: array + alerts: + description: | + Details for writing alerts as data documents for this rule type. + type: object + properties: + context: + description: | + The namespace for this rule type. + enum: + - ml.anomaly-detection + - observability.apm + - observability.logs + - observability.metrics + - observability.slo + - observability.threshold + - observability.uptime + - security + - stack + type: string + dynamic: + description: Indicates whether new fields are added dynamically. + enum: + - 'false' + - runtime + - strict + - 'true' + type: string + isSpaceAware: + description: | + Indicates whether the alerts are space-aware. If true, space-specific alert indices are used. + type: boolean + mappings: + type: object + properties: + fieldMap: + additionalProperties: + $ref: '#/components/schemas/Alerting_fieldmap_properties' + description: | + Mapping information for each field supported in alerts as data documents for this rule type. For more information about mapping parameters, refer to the Elasticsearch documentation. 
+ type: object + secondaryAlias: + description: | + A secondary alias. It is typically used to support the signals alias for detection rules. + type: string + shouldWrite: + description: | + Indicates whether the rule should write out alerts as data. + type: boolean + useEcs: + description: | + Indicates whether to include the ECS component template for the alerts. + type: boolean + useLegacyAlerts: + default: false + description: | + Indicates whether to include the legacy component template for the alerts. + type: boolean + authorized_consumers: + description: The list of the plugins IDs that have access to the rule type. + type: object + properties: + alerts: + type: object + properties: + all: + type: boolean + read: + type: boolean + apm: + type: object + properties: + all: + type: boolean + read: + type: boolean + discover: + type: object + properties: + all: + type: boolean + read: + type: boolean + infrastructure: + type: object + properties: + all: + type: boolean + read: + type: boolean + logs: + type: object + properties: + all: + type: boolean + read: + type: boolean + ml: + type: object + properties: + all: + type: boolean + read: + type: boolean + monitoring: + type: object + properties: + all: + type: boolean + read: + type: boolean + siem: + type: object + properties: + all: + type: boolean + read: + type: boolean + slo: + type: object + properties: + all: + type: boolean + read: + type: boolean + stackAlerts: + type: object + properties: + all: + type: boolean + read: + type: boolean + uptime: + type: object + properties: + all: + type: boolean + read: + type: boolean + category: + description: The rule category, which is used by features such as category-specific maintenance windows. + enum: + - management + - observability + - securitySolution + type: string + default_action_group_id: + description: The default identifier for the rule type group. 
+ type: string + does_set_recovery_context: + description: Indicates whether the rule passes context variables to its recovery action. + type: boolean + enabled_in_license: + description: Indicates whether the rule type is enabled or disabled based on the subscription. + type: boolean + has_alerts_mappings: + description: Indicates whether the rule type has custom mappings for the alert data. + type: boolean + has_fields_for_a_a_d: + type: boolean + id: + description: The unique identifier for the rule type. + type: string + is_exportable: + description: Indicates whether the rule type is exportable in **Stack Management > Saved Objects**. + type: boolean + minimum_license_required: + description: The subscriptions required to use the rule type. + example: basic + type: string + name: + description: The descriptive name of the rule type. + type: string + producer: + description: An identifier for the application that produces this rule type. + example: stackAlerts + type: string + recovery_action_group: + description: An action group to use when an alert goes from an active state to an inactive one. + type: object + properties: + id: + type: string + name: + type: string + rule_task_timeout: + example: 5m + type: string + type: array description: Indicates a successful call. - '400': + '401': content: application/json: examples: - GetAttackDiscoveryGenerationResponse400Example: - summary: >- - Bad Request error returned when the get-generation request - is invalid. - value: - error: Bad Request - message: Invalid request parameters. - status_code: 400 + ruleTypesUnauthorizedResponse: + $ref: '#/components/examples/Alerting_401_rule_types_response' schema: - type: object - properties: - error: - description: Error type - example: Bad Request - type: string - message: - description: >- - Human-readable error message describing what went wrong - with the request - example: Invalid request parameters. 
- type: string - status_code: - description: HTTP status code - example: 400 - type: number - required: - - status_code - - error - - message - description: Bad Request response. - summary: >- - Get a single Attack Discovery generation, including its discoveries and - (optional) generation metadata + $ref: '#/components/schemas/Alerting_401_response' + description: Authorization information is missing or invalid. + summary: Get the rule types tags: - - Security Attack discovery API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request GET 'http://localhost:5601/api/attack_discovery/generations/2e13f386-46cf-4d65-9e2b-68609e132ba5' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" - /api/attack_discovery/generations/{execution_uuid}/_dismiss: - post: - description: >- - Dismisses an Attack Discovery generation for the current user, - indicating that its status should not be reported in the UI. This sets - the generation's status to "dismissed" and affects how the generation - appears in subsequent queries. - operationId: PostAttackDiscoveryGenerationsDismiss + - alerting + x-metaTags: + - content: Kibana + name: product_name + /api/alerting/rule/{id}: + delete: + operationId: delete-alerting-rule-id parameters: - - description: >- - The unique identifier for the Attack Discovery generation execution. - This UUID is returned when an Attack Discovery generation is created - and can be found in generation responses. - example: 46b218d5-535d-4329-be56-d0f6af6986b7 + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. in: path - name: execution_uuid + name: id required: true schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + type: string + responses: + '204': + description: Indicates a successful call. 
+ '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. + summary: Delete a rule + tags: + - alerting + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/alerting/rule/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + get: + operationId: get-alerting-rule-id + parameters: + - description: The identifier for the rule. + in: path + name: id + required: true + schema: + type: string responses: '200': content: application/json: examples: - PostAttackDiscoveryGenerationsDismissResponse200Example: - summary: Successfully dismissed an Attack Discovery generation. + getRuleResponse: + description: A response that contains information about an index threshold rule. + summary: Get an index threshold rule value: - alerts_context_count: 75 - connector_id: chatGpt5_0ChatAzure - discoveries: 3 - end: '2025-09-29T06:42:44.810Z' - execution_uuid: 46b218d5-535d-4329-be56-d0f6af6986b7 - loading_message: >- - AI is analyzing up to 100 alerts in the last 24 hours to - generate discoveries. - start: '2025-09-29T06:42:08.962Z' - status: dismissed + actions: [] + api_key_owner: elastic + consumer: alerts + created_at: '2022-12-05T23:40:33.132Z' + created_by: elastic + enabled: true + id: 3583a470-74f6-11ed-9801-35303b735aef + mute_all: false + muted_alert_ids: [] + name: my alert + notify_when: onActionGroupChange + params: + aggField: sheet.version + aggType: avg + groupBy: top + index: + - test-index + termField: name.keyword + termSize: 6 + threshold: + - 1000 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 5 + timeWindowUnit: m + revision: 0 + rule_type_id: .index-threshold + schedule: + interval: 1m + tags: + - cpu + throttle: null + updated_at: '2022-12-05T23:40:33.132Z' + updated_by: elastic schema: - type: object - properties: - alerts_context_count: - description: >- - The number of alerts that were sent as context to the LLM - for this generation. - example: 75 - type: number - connector_id: - description: >- - The unique identifier of the connector used to generate - the attack discoveries. 
- example: chatGpt5_0ChatAzure - type: string - connector_stats: - description: >- - Statistical information about the connector's performance - for this user, providing insights into usage patterns and - success rates. - type: object - properties: - average_successful_duration_nanoseconds: - description: >- - The average duration in nanoseconds for successful - generations using this connector by the current user. - example: 47958500000 - type: number - successful_generations: - description: >- - The total number of Attack discoveries successfully - created for this generation - example: 2 - type: number - discoveries: - description: >- - The number of attack discoveries that were generated - during this execution. - example: 3 - type: number - end: - description: >- - The timestamp when the generation process completed, in - ISO 8601 format. This field may be absent for generations - that haven't finished. - example: '2025-09-29T06:42:44.810Z' - type: string - execution_uuid: - description: >- - The unique identifier for this attack discovery generation - execution. This UUID can be used to reference this - specific generation in other API calls. - example: 46b218d5-535d-4329-be56-d0f6af6986b7 - type: string - loading_message: - description: >- - A human-readable message describing the current state or - progress of the generation process. Provides context about - what the AI is analyzing. - example: >- - AI is analyzing up to 100 alerts in the last 24 hours to - generate discoveries. - type: string - reason: - description: >- - Additional context or reasoning provided when a generation - fails or encounters issues. This field helps diagnose - problems with the generation process. - example: Connection timeout to AI service - type: string - start: - description: >- - The timestamp when the generation process began, in ISO - 8601 format. This marks the beginning of the AI analysis. 
- example: '2025-09-29T06:42:08.962Z' - type: string - status: - description: >- - The current status of the attack discovery generation. - After dismissing, this will be set to "dismissed". - enum: - - canceled - - dismissed - - failed - - started - - succeeded - example: dismissed - type: string - required: - - connector_id - - discoveries - - execution_uuid - - loading_message - - start - - status + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_response' description: Indicates a successful call. '400': - content: - application/json: - examples: - PostAttackDiscoveryGenerationsDismissResponse400Example: - summary: >- - Bad Request error returned when the dismiss request is - invalid. - value: - error: Bad Request - message: Invalid request parameters. - status_code: 400 - schema: - type: object - properties: - error: - description: Error type or category - example: Bad Request - type: string - message: - description: >- - Human-readable error message describing what went wrong - with the request. - example: Invalid request parameters. - type: string - status_code: - description: HTTP status code indicating the type of client error - example: 400 - type: number - required: - - status_code - - error - - message - description: Bad Request response. - summary: Dismiss an Attack Discovery generation + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. 
+ summary: Get rule details tags: - - Security Attack discovery API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request POST 'http://localhost:5601/api/attack_discovery/generations/46b218d5-535d-4329-be56-d0f6af6986b7/_dismiss' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" - /api/attack_discovery/schedules: + - alerting + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/alerting/rule/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. post: - description: >- - Creates a new Attack Discovery schedule that analyzes security alerts at - specified intervals. The schedule defines when and how Attack Discovery - analysis should run, including which alerts to analyze, which AI - connector to use, and what actions to take when discoveries are found. - operationId: CreateAttackDiscoverySchedules + operationId: post-alerting-rule-id + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. If it is omitted, an ID is randomly generated. + in: path + name: id + required: true + schema: + type: string requestBody: content: application/json: examples: - CreateAttackDiscoverySchedulesRequestBodyExample: - summary: >- - Create a daily Attack Discovery schedule that runs every 24 - hours. + createEsQueryEsqlRuleRequest: + description: | + Create an Elasticsearch query rule that uses Elasticsearch Query Language (ES|QL) to define its query and a server log connector to send notifications. 
+ summary: Elasticsearch query rule (ES|QL) value: - actions: [] - enabled: true - name: Daily Security Analysis + actions: + - frequency: + notify_when: onActiveAlert + summary: false + group: query matched + id: d0db1fe0-78d6-11ee-9177-f7d404c8c945 + params: + level: info + message: |- + Elasticsearch query rule '{{rule.name}}' is active: + - Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}} + consumer: stackAlerts + name: my Elasticsearch query ESQL rule params: - alerts_index_pattern: .alerts-security.alerts-default - api_config: - actionTypeId: bedrock - connectorId: my-bedrock-connector - name: Claude 3.5 Sonnet - end: now + esqlQuery: + esql: FROM kibana_sample_data_logs | KEEP bytes, clientip, host, geo.dest | where geo.dest != "GB" | STATS sumbytes = sum(bytes) by clientip, host | WHERE sumbytes > 5000 | SORT sumbytes desc | LIMIT 10 + searchType: esqlQuery + size: 0 + threshold: + - 0 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 1 + timeWindowUnit: d + rule_type_id: .es-query + schedule: + interval: 1d + createEsQueryKqlRuleRequest: + description: Create an Elasticsearch query rule that uses Kibana query language (KQL). 
+ summary: Elasticsearch query rule (KQL) + value: + consumer: alerts + name: my Elasticsearch query KQL rule + params: + aggType: count + excludeHitsFromPreviousRun: true + groupBy: all + searchConfiguration: + index: 90943e30-9a47-11e8-b64d-95841ca0b247 + query: + language: kuery + query: '""geo.src : "US" ""' + searchType: searchSource size: 100 - start: now-24h + threshold: + - 1000 + thresholdComparator: '>' + timeWindowSize: 5 + timeWindowUnit: m + rule_type_id: .es-query schedule: - interval: 24h + interval: 1m + createEsQueryRuleRequest: + description: | + Create an Elasticsearch query rule that uses Elasticsearch query domain specific language (DSL) to define its query and a server log connector to send notifications. + summary: Elasticsearch query rule (DSL) + value: + actions: + - frequency: + notify_when: onThrottleInterval + summary: true + throttle: 1d + group: query matched + id: fdbece50-406c-11ee-850e-c71febc4ca7f + params: + level: info + message: The system has detected {{alerts.new.count}} new, {{alerts.ongoing.count}} ongoing, and {{alerts.recovered.count}} recovered alerts. + - frequency: + notify_when: onActionGroupChange + summary: false + group: recovered + id: fdbece50-406c-11ee-850e-c71febc4ca7f + params: + level: info + message: Recovered + consumer: alerts + name: my Elasticsearch query rule + params: + esQuery: '"""{"query":{"match_all" : {}}}"""' + index: + - kibana_sample_data_logs + size: 100 + threshold: + - 100 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 1 + timeWindowUnit: d + rule_type_id: .es-query + schedule: + interval: 1d + createIndexThresholdRuleRequest: + description: | + Create an index threshold rule that uses a server log connector to send notifications when the threshold is met. 
+ summary: Index threshold rule + value: + actions: + - frequency: + notify_when: onActionGroupChange + summary: false + group: threshold met + id: 48de3460-f401-11ed-9f8e-399c75a2deeb + params: + level: info + message: |- + Rule '{{rule.name}}' is active for group '{{context.group}}': + + - Value: {{context.value}} + - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} + - Timestamp: {{context.date}} + alert_delay: + active: 3 + consumer: alerts + name: my rule + params: + aggField: sheet.version + aggType: avg + groupBy: top + index: + - .test-index + termField: name.keyword + termSize: 6 + threshold: + - 1000 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 5 + timeWindowUnit: m + rule_type_id: .index-threshold + schedule: + interval: 1m + tags: + - cpu + createTrackingContainmentRuleRequest: + description: | + Create a tracking containment rule that checks when an entity is contained or no longer contained within a boundary. 
+ summary: Tracking containment rule + value: + consumer: alerts + name: my tracking rule + params: + boundaryGeoField: location + boundaryIndexId: 0cd90abf-abe7-44c7-909a-f621bbbcfefc + boundaryIndexTitle: boundary* + boundaryNameField: name + boundaryType: entireIndex + dateField": '@timestamp' + entity: agent.keyword + geoField: geo.coordinates + index: kibana_sample_data_logs + indexId: 90943e30-9a47-11e8-b64d-95841ca0b247 + rule_type_id: .geo-containment + schedule: + interval: 1h schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleCreateProps - description: >- - Attack Discovery schedule configuration including name, parameters, - schedule interval, and actions - required: true + anyOf: + - discriminator: + mapping: + .es-query: '#/components/schemas/Kibana_HTTP_APIs_es-query-create-rule-body-alerting' + .geo-containment: '#/components/schemas/Kibana_HTTP_APIs_geo-containment-create-rule-body-alerting' + .index-threshold: '#/components/schemas/Kibana_HTTP_APIs_index-threshold-create-rule-body-alerting' + apm.anomaly: '#/components/schemas/Kibana_HTTP_APIs_apm-anomaly-create-rule-body-alerting' + apm.error_rate: '#/components/schemas/Kibana_HTTP_APIs_apm-error-rate-create-rule-body-alerting' + apm.transaction_duration: '#/components/schemas/Kibana_HTTP_APIs_apm-transaction-duration-create-rule-body-alerting' + apm.transaction_error_rate: '#/components/schemas/Kibana_HTTP_APIs_apm-transaction-error-rate-create-rule-body-alerting' + datasetQuality.degradedDocs: '#/components/schemas/Kibana_HTTP_APIs_datasetquality-degradeddocs-create-rule-body-alerting' + logs.alert.document.count: '#/components/schemas/Kibana_HTTP_APIs_logs-alert-document-count-create-rule-body-alerting' + metrics.alert.inventory.threshold: '#/components/schemas/Kibana_HTTP_APIs_metrics-alert-inventory-threshold-create-rule-body-alerting' + metrics.alert.threshold: 
'#/components/schemas/Kibana_HTTP_APIs_metrics-alert-threshold-create-rule-body-alerting' + monitoring_alert_cluster_health: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-cluster-health-create-rule-body-alerting' + monitoring_alert_cpu_usage: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-cpu-usage-create-rule-body-alerting' + monitoring_alert_disk_usage: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-disk-usage-create-rule-body-alerting' + monitoring_alert_elasticsearch_version_mismatch: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-elasticsearch-version-mismatch-create-rule-body-alerting' + monitoring_alert_jvm_memory_usage: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-jvm-memory-usage-create-rule-body-alerting' + monitoring_alert_kibana_version_mismatch: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-kibana-version-mismatch-create-rule-body-alerting' + monitoring_alert_license_expiration: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-license-expiration-create-rule-body-alerting' + monitoring_alert_logstash_version_mismatch: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-logstash-version-mismatch-create-rule-body-alerting' + monitoring_alert_missing_monitoring_data: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-missing-monitoring-data-create-rule-body-alerting' + monitoring_alert_nodes_changed: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-nodes-changed-create-rule-body-alerting' + monitoring_alert_thread_pool_search_rejections: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-thread-pool-search-rejections-create-rule-body-alerting' + monitoring_alert_thread_pool_write_rejections: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-thread-pool-write-rejections-create-rule-body-alerting' + monitoring_ccr_read_exceptions: '#/components/schemas/Kibana_HTTP_APIs_monitoring-ccr-read-exceptions-create-rule-body-alerting' + monitoring_shard_size: 
'#/components/schemas/Kibana_HTTP_APIs_monitoring-shard-size-create-rule-body-alerting' + observability.rules.custom_threshold: '#/components/schemas/Kibana_HTTP_APIs_observability-rules-custom-threshold-create-rule-body-alerting' + slo.rules.burnRate: '#/components/schemas/Kibana_HTTP_APIs_slo-rules-burnrate-create-rule-body-alerting' + transform_health: '#/components/schemas/Kibana_HTTP_APIs_transform-health-create-rule-body-alerting' + xpack.ml.anomaly_detection_alert: '#/components/schemas/Kibana_HTTP_APIs_xpack-ml-anomaly-detection-alert-create-rule-body-alerting' + xpack.ml.anomaly_detection_jobs_health: '#/components/schemas/Kibana_HTTP_APIs_xpack-ml-anomaly-detection-jobs-health-create-rule-body-alerting' + xpack.synthetics.alerts.monitorStatus: '#/components/schemas/Kibana_HTTP_APIs_xpack-synthetics-alerts-monitorstatus-create-rule-body-alerting' + xpack.synthetics.alerts.tls: '#/components/schemas/Kibana_HTTP_APIs_xpack-synthetics-alerts-tls-create-rule-body-alerting' + xpack.uptime.alerts.durationAnomaly: '#/components/schemas/Kibana_HTTP_APIs_xpack-uptime-alerts-durationanomaly-create-rule-body-alerting' + xpack.uptime.alerts.monitorStatus: '#/components/schemas/Kibana_HTTP_APIs_xpack-uptime-alerts-monitorstatus-create-rule-body-alerting' + xpack.uptime.alerts.tlsCertificate: '#/components/schemas/Kibana_HTTP_APIs_xpack-uptime-alerts-tlscertificate-create-rule-body-alerting' + propertyName: rule_type_id + oneOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-ccr-read-exceptions-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-cluster-health-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-cpu-usage-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-disk-usage-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-elasticsearch-version-mismatch-create-rule-body-alerting' + - 
$ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-kibana-version-mismatch-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-license-expiration-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-logstash-version-mismatch-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-jvm-memory-usage-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-missing-monitoring-data-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-nodes-changed-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-shard-size-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-thread-pool-search-rejections-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-thread-pool-write-rejections-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xpack-ml-anomaly-detection-alert-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xpack-ml-anomaly-detection-jobs-health-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datasetquality-degradeddocs-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_es-query-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_index-threshold-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_geo-containment-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_transform-health-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_apm-anomaly-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_apm-error-rate-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_apm-transaction-error-rate-create-rule-body-alerting' + - 
$ref: '#/components/schemas/Kibana_HTTP_APIs_apm-transaction-duration-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xpack-synthetics-alerts-monitorstatus-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xpack-synthetics-alerts-tls-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xpack-uptime-alerts-monitorstatus-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xpack-uptime-alerts-tlscertificate-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xpack-uptime-alerts-durationanomaly-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metrics-alert-inventory-threshold-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metrics-alert-threshold-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_observability-rules-custom-threshold-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_logs-alert-document-count-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_slo-rules-burnrate-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule' responses: '200': content: application/json: examples: - CreateAttackDiscoverySchedulesResponse200Example: - summary: A newly created Attack Discovery schedule. + createEsQueryEsqlRuleResponse: + description: The response for successfully creating an Elasticsearch query rule that uses Elasticsearch Query Language (ES|QL). 
+ summary: Elasticsearch query rule (ES|QL) + value: + actions: + - connector_type_id: .server-log + frequency: + notify_when: onActiveAlert + summary: false + throttle: null + group: query matched + id: d0db1fe0-78d6-11ee-9177-f7d404c8c945 + params: + level: info + message: |- + Elasticsearch query rule '{{rule.name}}' is active: + - Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}} + uuid: bfe370a3-531b-4855-bbe6-ad739f578844 + api_key_created_by_user: false + api_key_owner: elastic + consumer: stackAlerts + created_at: '2023-11-01T19:00:10.453Z' + created_by: elastic + enabled: true + execution_status: + last_execution_date: '2023-11-01T19:00:10.453Z' + status: pending + id: e0d62360-78e8-11ee-9177-f7d404c8c945 + mute_all: false + muted_alert_ids: [] + name: my Elasticsearch query ESQL rule + notify_when: null + params: + aggType: count + esqlQuery: + esql: FROM kibana_sample_data_logs | keep bytes, clientip, host, geo.dest | WHERE geo.dest != "GB" | stats sumbytes = sum(bytes) by clientip, host | WHERE sumbytes > 5000 | sort sumbytes desc | limit 10 + excludeHitsFromPreviousRun": true, + groupBy: all + searchType: esqlQuery + size: 0 + threshold: + - 0 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 1 + timeWindowUnit: d + revision: 0 + rule_type_id: .es-query + running: false + schedule: + interval: 1d + scheduled_task_id: e0d62360-78e8-11ee-9177-f7d404c8c945 + tags: [] + throttle: null + updated_at: '2023-11-01T19:00:10.453Z' + updated_by: elastic", + createEsQueryKqlRuleResponse: + description: The response for successfully creating an Elasticsearch query rule that uses Kibana query language (KQL). 
+ summary: Elasticsearch query rule (KQL) value: actions: [] - created_at: '2023-10-31T10:00:00.000Z' + api_key_created_by_user: false + api_key_owner: elastic + consumer: alerts + created_at: '2023-07-14T20:24:50.729Z' created_by: elastic enabled: true - id: 12345678-1234-1234-1234-123456789012 - name: Daily Security Analysis + execution_status: + last_execution_date: '2023-07-14T20:24:50.729Z' + status: pending + id: 7bd506d0-2284-11ee-8fad-6101956ced88 + mute_all: false + muted_alert_ids: [] + name: my Elasticsearch query KQL rule" + notify_when: null params: - alerts_index_pattern: .alerts-security.alerts-default - api_config: - actionTypeId: bedrock - connectorId: my-bedrock-connector - name: Claude 3.5 Sonnet - end: now + aggType: count + excludeHitsFromPreviousRun: true + groupBy: all + searchConfiguration: + index: 90943e30-9a47-11e8-b64d-95841ca0b247 + query: + language: kuery + query: '""geo.src : "US" ""' + searchType: searchSource size: 100 - start: now-24h + threshold: + - 1000 + thresholdComparator: '>' + timeWindowSize: 5 + timeWindowUnit: m + revision: 0 + rule_type_id: .es-query + running: false schedule: - interval: 24h - updated_at: '2023-10-31T10:00:00.000Z' + interval: 1m + scheduled_task_id: 7bd506d0-2284-11ee-8fad-6101956ced88 + tags: [] + throttle: null + updated_at: '2023-07-14T20:24:50.729Z' updated_by: elastic - schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule - description: The Attack Discovery schedule was successfully created. - '400': - content: - application/json: - examples: - CreateAttackDiscoverySchedulesResponse400Example: - summary: >- - Bad Request error returned when the create schedule payload - is invalid. + createEsQueryRuleResponse: + description: The response for successfully creating an Elasticsearch query rule that uses Elasticsearch query domain specific language (DSL). 
+ summary: Elasticsearch query rule (DSL) value: - error: Bad Request - message: Invalid request parameters. - status_code: 400 - schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError - description: Bad Request response. - summary: Create Attack Discovery schedule - tags: - - Security Attack discovery API - x-codeSamples: - - label: Create an Attack Discovery schedule - lang: curl - source: | - curl \ - --request POST 'http://localhost:5601/api/attack_discovery/schedules' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" \ - --data '{ - "name": "Daily Security Analysis", - "enabled": true, - "params": { - "alerts_index_pattern": ".alerts-security.alerts-default", - "api_config": { - "actionTypeId": "bedrock", - "connectorId": "my-bedrock-connector", - "name": "Claude 3.5 Sonnet" - }, - "size": 100, - "start": "now-24h", - "end": "now" - }, - "schedule": { - "interval": "24h" - }, - "actions": [ - { - "action_type_id": ".cases", - "id": "system-connector-.cases", - "params": { - "subAction": "run", - "subActionParams": { - "timeWindow": "7d", - "reopenClosedCases": false, - "groupingBy": [], - "templateId": null - } - }, - "uuid": "12345678-1234-1234-1234-123456789012" - } - ] - }' - /api/attack_discovery/schedules/_bulk_delete: - post: - description: Deletes multiple Attack Discovery schedules by ID. - operationId: BulkDeleteAttackDiscoverySchedules - requestBody: - content: - application/json: - examples: - BulkDeleteAttackDiscoverySchedulesRequestBodyExample: - summary: Delete two Attack Discovery schedules. 
- value: - ids: - - 12345678-1234-1234-1234-123456789012 - - 98765432-1234-1234-1234-123456789012 - schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_BulkActionAttackDiscoverySchedulesRequestBody - required: true - responses: - '200': - content: - application/json: - examples: - BulkDeleteAttackDiscoverySchedulesResponse200Example: - summary: Bulk delete response for two successfully deleted schedules. + actions: + - connector_type_id: .server-log + frequency: + notify_when: onThrottleInterval + summary: true + throttle: 1d + group: query matched + id: fdbece50-406c-11ee-850e-c71febc4ca7f + params: + level: info + message: The system has detected {{alerts.new.count}} new, {{alerts.ongoing.count}} ongoing, and {{alerts.recovered.count}} recovered alerts. + uuid: 53f3c2a3-e5d0-4cfa-af3b-6f0881385e78 + - connector_type_id: .server-log + frequency: + notify_when: onActionGroupChange + summary: false + throttle: null + group: recovered + id: fdbece50-406c-11ee-850e-c71febc4ca7f + params: + level: info + message: Recovered + uuid: 2324e45b-c0df-45c7-9d70-4993e30be758 + api_key_created_by_user: false + api_key_owner: elastic + consumer: alerts + created_at: '2023-08-22T00:03:38.263Z' + created_by: elastic + enabled: true + execution_status: + last_execution_date: '2023-08-22T00:03:38.263Z' + status: pending + id: 58148c70-407f-11ee-850e-c71febc4ca7f + mute_all: false + muted_alert_ids: [] + name: my Elasticsearch query rule + notify_when: null + params: + aggType: count + esQuery: '"""{"query":{"match_all" : {}}}"""' + excludeHitsFromPreviousRun: true + groupBy: all + index: + - kibana_sample_data_logs + searchType: esQuery + size: 100 + threshold: + - 100 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 1 + timeWindowUnit: d + revision: 0 + rule_type_id: .es-query + running: false + schedule: + interval: 1d + scheduled_task_id: 58148c70-407f-11ee-850e-c71febc4ca7f + tags: [] + throttle: null + updated_at: 
'2023-08-22T00:03:38.263Z' + updated_by: elastic + createIndexThresholdRuleResponse: + description: The response for successfully creating an index threshold rule. + summary: Index threshold rule value: - errors: [] - ids: - - 12345678-1234-1234-1234-123456789012 - - 98765432-1234-1234-1234-123456789012 - total: 2 - schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_BulkActionAttackDiscoverySchedulesResponse - description: Successfully processed the bulk delete request. - '400': - content: - application/json: - examples: - BulkDeleteAttackDiscoverySchedulesResponse400Example: - summary: >- - Bad Request error returned when the bulk delete payload is - invalid. + actions: + - connector_type_id: .server-log + frequency: + notify_when: onActionGroupChange + summary: false + throttle: null + group: threshold met + id: dceeb5d0-6b41-11eb-802b-85b0c1bc8ba2 + params: + level: info + message: |- + Rule {{rule.name}} is active for group {{context.group} : + + - Value: {{context.value}} + - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} + - Timestamp: {{context.date}} + uuid: 07aef2a0-9eed-4ef9-94ec-39ba58eb609d + alert_delay: + active: 3 + api_key_created_by_user: false + api_key_owner: elastic + consumer: alerts + created_at: '2022-06-08T17:20:31.632Z' + created_by: elastic + enabled: true + execution_status: + last_execution_date: '2022-06-08T17:20:31.632Z' + status: pending + id: 41893910-6bca-11eb-9e0d-85d233e3ee35 + mute_all: false + muted_alert_ids: [] + name: my rule + notify_when: null + params: + aggField: sheet.version + aggType: avg + groupBy: top + index: + - .test-index + termField: name.keyword + termSize: 6 + threshold: + - 1000 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 5 + timeWindowUnit: m + revision: 0 + rule_type_id: .index-threshold + running: false + schedule: + interval: 1m + scheduled_task_id: 425b0800-6bca-11eb-9e0d-85d233e3ee35 + tags: + - cpu 
+ throttle: null + updated_at: '2022-06-08T17:20:31.632Z' + updated_by: elastic + createTrackingContainmentRuleResponse: + description: The response for successfully creating a tracking containment rule. + summary: Tracking containment rule value: - error: Bad Request - message: Invalid request parameters. - status_code: 400 + actions: [] + api_key_created_by_user: false + api_key_owner: elastic + consumer: alerts + created_at: '2024-02-14T19:52:55.920Z' + created_by: elastic + enabled: true + execution_status: + last_duration: 74 + last_execution_date: '2024-02-15T03:25:38.125Z' + status: ok + id: b6883f9d-5f70-4758-a66e-369d7c26012f + last_run: + alerts_count: + active: 0 + ignored: 0 + new: 0 + recovered: 0 + outcome: succeeded + outcome_msg: null + outcome_order: 0 + warning: null + mute_all: false + muted_alert_ids: [] + name: my tracking rule + next_run: '2024-02-15T03:26:38.033Z' + notify_when: null + params: + boundaryGeoField: location + boundaryIndexId: 0cd90abf-abe7-44c7-909a-f621bbbcfefc + boundaryIndexTitle: boundary* + boundaryNameField: name + boundaryType: entireIndex + dateField: '@timestamp' + entity: agent.keyword + geoField: geo.coordinates + index: kibana_sample_data_logs + indexId: 90943e30-9a47-11e8-b64d-95841ca0b247 + revision: 1 + rule_type_id: .geo-containment + running: false + schedule: + interval: 1h + scheduled_task_id: b6883f9d-5f70-4758-a66e-369d7c26012f + tags: [] + throttle: null + updated_at: '2024-02-15T03:24:32.574Z' + updated_by: elastic schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError - description: Bad Request response. - summary: Bulk delete Attack Discovery schedules + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_response' + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '409': + description: Indicates that the rule id is already in use. 
+ summary: Create a rule tags: - - Security Attack discovery API - /api/attack_discovery/schedules/_bulk_disable: - post: - description: Disables multiple Attack Discovery schedules by ID. - operationId: BulkDisableAttackDiscoverySchedules + - alerting + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/alerting/rule/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + put: + operationId: put-alerting-rule-id + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. + in: path + name: id + required: true + schema: + type: string requestBody: content: application/json: examples: - BulkDisableAttackDiscoverySchedulesRequestBodyExample: - summary: Disable two Attack Discovery schedules. + updateRuleRequest: + description: Update an index threshold rule that uses a server log connector to send notifications when the threshold is met. + summary: Index threshold rule value: - ids: - - 12345678-1234-1234-1234-123456789012 - - 98765432-1234-1234-1234-123456789012 + actions: + - frequency: + notify_when: onActionGroupChange + summary: false + group: threshold met + id: 96b668d0-a1b6-11ed-afdf-d39a49596974 + params: + level: info + message: |- + Rule {{rule.name}} is active for group {{context.group}}: + + - Value: {{context.value}} + - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} + - Timestamp: {{context.date}} + name: new name + params: + aggField: sheet.version + aggType: avg + groupBy: top + index: + - .updated-index + termField: name.keyword + termSize: 6 + threshold: + - 1000 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 5 + timeWindowUnit: m + schedule: + interval: 1m + tags: [] schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_BulkActionAttackDiscoverySchedulesRequestBody - required: true + $ref: '#/components/schemas/Kibana_HTTP_APIs_update_rule' responses: '200': content: application/json: examples: - BulkDisableAttackDiscoverySchedulesResponse200Example: - summary: >- - Bulk disable response for two successfully disabled - schedules. 
+ updateRuleResponse: + description: The response for successfully updating an index threshold rule. + summary: Index threshold rule value: - errors: [] - ids: - - 12345678-1234-1234-1234-123456789012 - - 98765432-1234-1234-1234-123456789012 - total: 2 + actions: + - connector_type_id: .server-log + frequency: + notify_when: onActionGroupChange + summary: false + throttle: null + group: threshold met + id: 96b668d0-a1b6-11ed-afdf-d39a49596974 + params: + level: info + message: |- + Rule {{rule.name}} is active for group {{context.group}}: + + - Value: {{context.value}} + - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} + - Timestamp: {{context.date} + uuid: 07aef2a0-9eed-4ef9-94ec-39ba58eb609d + api_key_created_by_user: false + api_key_owner: elastic + consumer: alerts + created_at: '2024-03-26T23:13:20.985Z' + created_by: elastic + enabled: true + execution_status: + last_duration: 52 + last_execution_date: '2024-03-26T23:22:51.390Z' + status: ok + id: ac4e6b90-6be7-11eb-ba0d-9b1c1f912d74 + last_run: + alerts_count: + active: 0 + ignored: 0 + new: 0 + recovered: 0 + outcome: succeeded + outcome_msg: null + warning: null + mute_all: false + muted_alert_ids: [] + name: new name + next_run: '2024-03-26T23:23:51.316Z' + params: + aggField: sheet.version + aggType: avg + groupBy: top + index: + - .updated-index + termField: name.keyword + termSize: 6 + threshold: + - 1000 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 5 + timeWindowUnit: m + revision: 1 + rule_type_id: .index-threshold + running: false + schedule: + interval: 1m + scheduled_task_id: 4c5eda00-e74f-11ec-b72f-5b18752ff9ea + tags: [] + throttle: null + updated_at: '2024-03-26T23:22:59.949Z' + updated_by: elastic schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_BulkActionAttackDiscoverySchedulesResponse - description: Successfully processed the bulk disable request. 
+ $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_response' + description: Indicates a successful call. '400': - content: - application/json: - examples: - BulkDisableAttackDiscoverySchedulesResponse400Example: - summary: >- - Bad Request error returned when the bulk disable payload is - invalid. - value: - error: Bad Request - message: Invalid request parameters. - status_code: 400 - schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError - description: Bad Request response. - summary: Bulk disable Attack Discovery schedules + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. + '409': + description: Indicates that the rule has already been updated by another user. + summary: Update a rule tags: - - Security Attack discovery API - /api/attack_discovery/schedules/_bulk_enable: + - alerting + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/alerting/rule/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/alerting/rule/{id}/_disable: post: - description: Enables multiple Attack Discovery schedules by ID. - operationId: BulkEnableAttackDiscoverySchedules + operationId: post-alerting-rule-id-disable + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. + in: path + name: id + required: true + schema: + type: string requestBody: content: application/json: examples: - BulkEnableAttackDiscoverySchedulesRequestBodyExample: - summary: Enable two Attack Discovery schedules. + disableRuleRequest: + description: A request that disables a rule and untracks all alerts that were generated by the rule. + summary: Disable a rule and untrack its alerts value: - ids: - - 12345678-1234-1234-1234-123456789012 - - 98765432-1234-1234-1234-123456789012 + untrack: true schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_BulkActionAttackDiscoverySchedulesRequestBody - required: true + additionalProperties: false + nullable: true + type: object + properties: + untrack: + description: Defines whether this rule's alerts should be untracked. + type: boolean responses: - '200': - content: - application/json: - examples: - BulkEnableAttackDiscoverySchedulesResponse200Example: - summary: Bulk enable response for two successfully enabled schedules. - value: - errors: [] - ids: - - 12345678-1234-1234-1234-123456789012 - - 98765432-1234-1234-1234-123456789012 - total: 2 - schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_BulkActionAttackDiscoverySchedulesResponse - description: Successfully processed the bulk enable request. + '204': + description: Indicates a successful call. 
'400': - content: - application/json: - examples: - BulkEnableAttackDiscoverySchedulesResponse400Example: - summary: >- - Bad Request error returned when the bulk enable payload is - invalid. - value: - error: Bad Request - message: Invalid request parameters. - status_code: 400 - schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError - description: Bad Request response. - summary: Bulk enable Attack Discovery schedules + description: Indicates an invalid schema. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. + summary: Disable a rule tags: - - Security Attack discovery API - /api/attack_discovery/schedules/_find: - get: - description: >- - Find Attack Discovery schedules that match the search criteria. Supports - pagination and sorting by various fields. - operationId: FindAttackDiscoverySchedules + - alerting + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/alerting/rule/{id}/_disable
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/alerting/rule/{id}/_enable: + post: + operationId: post-alerting-rule-id-enable parameters: - - description: Page number to return (used for pagination). Defaults to 1. - example: 1 - in: query - name: page - required: false + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - type: number - - description: >- - Number of Attack Discovery schedules to return per page (used for - pagination). Defaults to 10. - example: 10 - in: query - name: per_page - required: false + example: 'true' + type: string + - description: The identifier for the rule. + in: path + name: id + required: true schema: - type: number - - description: >- - Field used to sort results. Common fields include 'name', - 'created_at', 'updated_at', and 'enabled'. - example: name - in: query - name: sort_field - required: false + type: string + responses: + '204': + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. + summary: Enable a rule + tags: + - alerting + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/alerting/rule/{id}/_enable
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/alerting/rule/{id}/_mute_all: + post: + operationId: post-alerting-rule-id-mute-all + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' - - description: >- - Sort order direction. Use 'asc' for ascending or 'desc' for - descending. Defaults to 'asc'. - example: asc - in: query - name: sort_direction - required: false + example: 'true' + type: string + - description: The identifier for the rule. + in: path + name: id + required: true schema: - enum: - - asc - - desc type: string responses: - '200': - content: - application/json: - examples: - FindAttackDiscoverySchedulesResponse200Example: - summary: >- - Paginated list of Attack Discovery schedules matching the - search criteria. - value: - data: - - actions: [] - created_at: '2023-10-31T10:00:00.000Z' - created_by: elastic - enabled: true - id: 12345678-1234-1234-1234-123456789012 - name: Daily Security Analysis - params: - alerts_index_pattern: .alerts-security.alerts-default - api_config: - actionTypeId: bedrock - connectorId: my-bedrock-connector - name: Claude 3.5 Sonnet - end: now - size: 100 - start: now-24h - schedule: - interval: 24h - updated_at: '2023-10-31T10:00:00.000Z' - updated_by: elastic - page: 1 - per_page: 10 - total: 1 - schema: - type: object - properties: - data: - description: Array of matched Attack Discovery schedule objects. - items: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule - type: array - page: - description: Current page number of the paginated result set. - type: number - per_page: - description: Number of items requested per page. - type: number - total: - description: >- - Total number of Attack Discovery schedules matching the - query (across all pages). 
- type: number - required: - - page - - per_page - - total - - data + '204': description: Indicates a successful call. '400': - content: - application/json: - examples: - FindAttackDiscoverySchedulesResponse400Example: - summary: >- - Bad Request error returned when find-schedules query - parameters are invalid. - value: - error: Bad Request - message: Invalid request payload. - status_code: 400 - schema: - type: object - properties: - error: - description: Error type - example: Bad Request - type: string - message: - description: Human-readable error message - example: Invalid request payload. - type: string - status_code: - description: HTTP status code - example: 400 - type: number - description: Bad Request response. - summary: Find Attack Discovery schedules that match the search criteria + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. + summary: Mute all alerts tags: - - Security Attack discovery API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request GET 'http://localhost:5601/api/attack_discovery/schedules/_find' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" - /api/attack_discovery/schedules/{id}: - delete: - description: >- - Permanently deletes an Attack Discovery schedule and all associated - configuration. - operationId: DeleteAttackDiscoverySchedules + - alerting + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/alerting/rule/{id}/_mute_all
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/alerting/rule/{id}/_unmute_all: + post: + operationId: post-alerting-rule-id-unmute-all parameters: - - description: >- - The unique identifier (UUID) of the Attack Discovery schedule to - delete. This ID is returned when creating a schedule and can be - found in schedule listings. - example: 12345678-1234-1234-1234-123456789012 + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. in: path name: id required: true schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + type: string responses: - '200': - content: - application/json: - examples: - DeleteAttackDiscoverySchedulesResponse200Example: - summary: >- - Confirmation returned after deleting an Attack Discovery - schedule. - value: - id: 12345678-1234-1234-1234-123456789012 - schema: - type: object - properties: - id: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_NonEmptyString - description: >- - The unique identifier of the deleted Attack Discovery - schedule - required: - - id - description: >- - Successfully deleted Attack Discovery schedule, returning the ID of - the deleted schedule for confirmation + '204': + description: Indicates a successful call. '400': - content: - application/json: - examples: - DeleteAttackDiscoverySchedulesResponse400Example: - summary: >- - Bad Request error returned when the delete schedule request - is invalid. - value: - error: Bad Request - message: Invalid request parameters. - status_code: 400 - schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError - description: Bad Request response. - summary: Delete Attack Discovery schedule + description: Indicates an invalid schema or parameters. 
+ '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. + summary: Unmute all alerts tags: - - Security Attack discovery API - x-codeSamples: - - label: Delete an Attack Discovery schedule - lang: curl - source: | - curl \ - --request DELETE 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" + - alerting + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/alerting/rule/{id}/_unmute_all
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/alerting/rule/{id}/_update_api_key: + post: + operationId: post-alerting-rule-id-update-api-key + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. + in: path + name: id + required: true + schema: + type: string + responses: + '204': + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. + '409': + description: Indicates that the rule has already been updated by another user. + summary: Update the API key for a rule + tags: + - alerting + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/alerting/rule/{id}/_update_api_key
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/alerting/rule/{id}/query_inspector: get: - description: >- - Retrieves a specific Attack Discovery schedule by its unique identifier. - Returns complete schedule configuration including parameters, interval - settings, associated actions, and execution history. - operationId: GetAttackDiscoverySchedules + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/alerting/rule/{id}/query_inspector
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Returns the Elasticsearch query that a rule executes, and optionally its response. + operationId: get-alerting-rule-id-query-inspector parameters: - - description: >- - The unique identifier (UUID) of the Attack Discovery schedule to - retrieve. This ID is returned when creating a schedule and can be - found in schedule listings. - example: 12345678-1234-1234-1234-123456789012 + - description: The identifier for the rule. in: path name: id required: true schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + type: string + - description: The inspection mode. Use "build" to return only the query, or "execute" to run the query and include the response. + in: query + name: mode + required: false + schema: + default: build + enum: + - build + - execute + type: string + - description: The alert document ID. When provided, the query inspector uses the evaluation time range from the alert instead of the current time. + in: query + name: alert_id + required: false + schema: + type: string responses: '200': content: application/json: examples: - GetAttackDiscoverySchedulesResponse200Example: - summary: >- - An Attack Discovery schedule retrieved by ID, including last - execution metadata. 
+ getRuleQueryInspectorResponse: + summary: A query inspector response for a custom threshold rule value: - actions: [] - created_at: '2023-10-31T10:00:00.000Z' - created_by: elastic - enabled: true - id: 12345678-1234-1234-1234-123456789012 - last_execution: - date: '2023-10-31T10:00:00.000Z' - last_duration: 45.2 - status: ok - name: Daily Security Analysis - params: - alerts_index_pattern: .alerts-security.alerts-default - api_config: - actionTypeId: bedrock - connectorId: my-bedrock-connector - name: Claude 3.5 Sonnet - end: now - size: 100 - start: now-24h - schedule: - interval: 24h - updated_at: '2023-10-31T10:00:00.000Z' - updated_by: elastic + queries: + - index: metrics-* + request: + aggs: + groupings: + composite: + size: 500 + sources: [] + query: + bool: + filter: + - range: + '@timestamp': + gte: '2026-01-01T00:00:00.000Z' + lte: '2026-01-01T00:05:00.000Z' + size: 0 schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule - description: >- - Successfully retrieved Attack Discovery schedule with complete - configuration and metadata + additionalProperties: false + type: object + properties: + queries: + items: + additionalProperties: false + type: object + properties: + index: + type: string + label: + type: string + request: + additionalProperties: + nullable: true + type: object + response: + additionalProperties: + nullable: true + type: object + required: + - index + - request + maxItems: 1000 + type: array + required: + - queries + description: Indicates a successful call. '400': - content: - application/json: - examples: - GetAttackDiscoverySchedulesResponse400Example: - summary: >- - Bad Request error returned when the get-schedule request is - invalid. - value: - error: Bad Request - message: Invalid request parameters. - status_code: 400 - schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError - description: Bad Request response. 
- summary: Get Attack Discovery schedule by ID + description: Indicates the rule type is not supported or the request parameters are invalid. + '404': + description: Indicates a rule with the specified rule ID does not exist. + summary: Get the Elasticsearch query for a rule tags: - - Security Attack discovery API - x-codeSamples: - - label: Get an Attack Discovery schedule by ID - lang: curl - source: | - curl \ - --request GET 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" - put: - description: >- - Updates an existing Attack Discovery schedule with new configuration. - All schedule properties can be modified including name, parameters, - interval, and actions. The update operation replaces the entire schedule - configuration with the provided values. - operationId: UpdateAttackDiscoverySchedules + - alerting + x-metaTags: + - content: Kibana + name: product_name + /api/alerting/rule/{id}/snooze_schedule: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/alerting/rule/{id}/snooze_schedule
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + When you snooze a rule, the rule checks continue to run but alerts will not generate actions. You can snooze for a specified period of time and schedule single or recurring downtimes. + operationId: post-alerting-rule-id-snooze-schedule parameters: - - description: >- - The unique identifier (UUID) of the Attack Discovery schedule to - update. This ID is returned when creating a schedule and can be - found in schedule listings. - example: 12345678-1234-1234-1234-123456789012 + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Identifier of the rule. in: path name: id required: true schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + type: string requestBody: content: application/json: examples: - UpdateAttackDiscoverySchedulesRequestBodyExample: - summary: >- - Update an Attack Discovery schedule to run every 12 hours over - a 48-hour window. + snoozeRuleRecurringRequest: + description: A request that snoozes a rule every Monday for 8 hours, for 4 occurrences. + summary: Snooze a rule on a recurring weekly schedule value: - actions: [] - name: Updated Daily Security Analysis - params: - alerts_index_pattern: .alerts-security.alerts-default - api_config: - actionTypeId: bedrock - connectorId: my-bedrock-connector - name: Claude 3.5 Sonnet - end: now - size: 200 - start: now-48h schedule: - interval: 12h + custom: + duration: 8h + recurring: + every: 1w + occurrences: 4 + onWeekDay: + - MO + start: '2025-03-17T09:00:00.000Z' + timezone: UTC + snoozeRuleRequest: + description: A request that snoozes a rule for 24 hours starting now. 
+ summary: Snooze a rule for 24 hours + value: + schedule: + custom: + duration: 24h + start: '2025-03-12T12:00:00.000Z' + timezone: UTC schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleUpdateProps - description: >- - Updated Attack Discovery schedule configuration. All fields are - required as this replaces the entire schedule configuration. - required: true + additionalProperties: false + type: object + properties: + schedule: + additionalProperties: false + type: object + properties: + custom: + $ref: '#/components/schemas/Kibana_HTTP_APIs_schedule_request' + required: + - schedule responses: '200': content: application/json: examples: - UpdateAttackDiscoverySchedulesResponse200Example: - summary: An Attack Discovery schedule after being updated. + snoozeRuleResponse: + description: A response that contains the created snooze schedule. + summary: Snooze schedule response value: - actions: [] - created_at: '2023-10-31T10:00:00.000Z' - created_by: elastic - enabled: true - id: 12345678-1234-1234-1234-123456789012 - name: Updated Daily Security Analysis - params: - alerts_index_pattern: .alerts-security.alerts-default - api_config: - actionTypeId: bedrock - connectorId: my-bedrock-connector - name: Claude 3.5 Sonnet - end: now - size: 200 - start: now-48h schedule: - interval: 12h - updated_at: '2023-10-31T12:00:00.000Z' - updated_by: elastic + custom: + duration: 24h + start: '2025-03-12T12:00:00.000Z' + timezone: UTC + id: 9ac67950-6737-11ec-8ded-d7f6e1581b26 schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule - description: >- - Successfully updated Attack Discovery schedule with the new - configuration and metadata + additionalProperties: false + type: object + properties: + body: + additionalProperties: false + type: object + properties: + schedule: + additionalProperties: false + type: object + properties: + custom: + $ref: 
'#/components/schemas/Kibana_HTTP_APIs_schedule_request' + id: + description: Identifier of the snooze schedule. + type: string + required: + - id + required: + - schedule + required: + - body + description: Indicates a successful call. '400': - content: - application/json: - examples: - UpdateAttackDiscoverySchedulesResponse400Example: - summary: >- - Bad Request error returned when the update schedule payload - is invalid. - value: - error: Bad Request - message: Invalid request parameters. - status_code: 400 - schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError - description: Bad Request response. - summary: Update Attack Discovery schedule + description: Indicates an invalid schema. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given id does not exist. + summary: Schedule a snooze for the rule tags: - - Security Attack discovery API - x-codeSamples: - - label: Update an Attack Discovery schedule - lang: curl - source: | - curl \ - --request PUT 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" \ - --data '{ - "name": "Updated Daily Security Analysis", - "params": { - "alerts_index_pattern": ".alerts-security.alerts-default", - "api_config": { - "actionTypeId": "bedrock", - "connectorId": "my-bedrock-connector", - "name": "Claude 3.5 Sonnet" - }, - "size": 200, - "start": "now-48h", - "end": "now" - }, - "schedule": { - "interval": "12h" - }, - "actions": [] - }' - /api/attack_discovery/schedules/{id}/_disable: + - alerting + x-state: Generally available; added in 8.19.0 + x-metaTags: + - content: Kibana + name: product_name + /api/alerting/rule/{rule_id}/alert/{alert_id}/_mute: post: - description: >- - Disables an Attack Discovery schedule, preventing it from running - according to its configured interval. 
The schedule configuration is - preserved and can be re-enabled later. Any currently running executions - will complete, but no new executions will be started. - operationId: DisableAttackDiscoverySchedules + operationId: post-alerting-rule-rule-id-alert-alert-id-mute parameters: - - description: >- - The unique identifier (UUID) of the Attack Discovery schedule to - disable. This ID is returned when creating a schedule and can be - found in schedule listings. - example: 12345678-1234-1234-1234-123456789012 + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. in: path - name: id + name: rule_id required: true schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + type: string + - description: The identifier for the alert. + in: path + name: alert_id + required: true + schema: + type: string + - description: Whether to validate the existence of the alert. + in: query + name: validate_alerts_existence + required: false + schema: + type: boolean responses: - '200': - content: - application/json: - examples: - DisableAttackDiscoverySchedulesResponse200Example: - summary: >- - Confirmation returned after disabling an Attack Discovery - schedule. - value: - id: 12345678-1234-1234-1234-123456789012 - schema: - type: object - properties: - id: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_NonEmptyString - description: >- - The unique identifier of the disabled Attack Discovery - schedule - required: - - id - description: >- - Successfully disabled Attack Discovery schedule, returning the - schedule ID for confirmation + '204': + description: Indicates a successful call. '400': - content: - application/json: - examples: - DisableAttackDiscoverySchedulesResponse400Example: - summary: >- - Bad Request error returned when the disable schedule request - is invalid. 
- value: - error: Bad Request - message: Invalid request parameters. - status_code: 400 - schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError - description: Bad Request response. - summary: Disable Attack Discovery schedule + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule or alert with the given ID does not exist. + summary: Mute an alert tags: - - Security Attack discovery API - x-codeSamples: - - label: Disable an Attack Discovery schedule - lang: curl - source: | - curl \ - --request POST 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012/_disable' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" - /api/attack_discovery/schedules/{id}/_enable: + - alerting + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/alerting/rule/{rule_id}/alert/{alert_id}/_mute
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/alerting/rule/{rule_id}/alert/{alert_id}/_unmute: post: - description: >- - Enables a previously disabled Attack Discovery schedule, allowing it to - run according to its configured interval. Once enabled, the schedule - will begin executing at the next scheduled time based on its interval - configuration. - operationId: EnableAttackDiscoverySchedules + operationId: post-alerting-rule-rule-id-alert-alert-id-unmute parameters: - - description: >- - The unique identifier (UUID) of the Attack Discovery schedule to - enable. This ID is returned when creating a schedule and can be - found in schedule listings. - example: 12345678-1234-1234-1234-123456789012 + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. in: path - name: id + name: rule_id required: true schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + type: string + - description: The identifier for the alert. + in: path + name: alert_id + required: true + schema: + type: string responses: - '200': - content: - application/json: - examples: - EnableAttackDiscoverySchedulesResponse200Example: - summary: >- - Confirmation returned after enabling an Attack Discovery - schedule. - value: - id: 12345678-1234-1234-1234-123456789012 - schema: - type: object - properties: - id: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_NonEmptyString - description: >- - The unique identifier of the enabled Attack Discovery - schedule - required: - - id - description: >- - Successfully enabled Attack Discovery schedule, returning the - schedule ID for confirmation + '204': + description: Indicates a successful call. 
'400': - content: - application/json: - examples: - EnableAttackDiscoverySchedulesResponse400Example: - summary: >- - Bad Request error returned when the enable schedule request - is invalid. - value: - error: Bad Request - message: Invalid request parameters. - status_code: 400 - schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError - description: Bad Request response. - summary: Enable Attack Discovery schedule + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule or alert with the given ID does not exist. + summary: Unmute an alert tags: - - Security Attack discovery API - x-codeSamples: - - label: Enable an Attack Discovery schedule - lang: curl - source: | - curl \ - --request POST 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012/_enable' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" - /api/cases: + - alerting + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/alerting/rule/{rule_id}/alert/{alert_id}/_unmute
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/alerting/rule/{ruleId}/snooze_schedule/{scheduleId}: delete: - description: > - You must have `read` or `all` privileges and the `delete` sub-feature - privilege for the **Cases** feature in the **Management**, - **Observability**, or **Security** section of the Kibana feature - privileges, depending on the owner of the cases you're deleting. - operationId: deleteCaseDefaultSpace + operationId: delete-alerting-rule-ruleid-snooze-schedule-scheduleid parameters: - - $ref: '#/components/parameters/Cases_kbn_xsrf' - - $ref: '#/components/parameters/Cases_ids' + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. + in: path + name: ruleId + required: true + schema: + type: string + - description: The identifier for the snooze schedule. + in: path + name: scheduleId + required: true + schema: + type: string responses: '204': description: Indicates a successful call. - '401': - content: - application/json: - examples: - response401: - $ref: '#/components/examples/Cases_response_401' - schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. - summary: Delete cases + '400': + description: Indicates an invalid schema. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given id does not exist. 
+ summary: Delete a snooze schedule for a rule tags: - - cases - x-codeSamples: - - label: curl - lang: curl - source: | - curl \ - --request DELETE 'https://localhost:5601/api/cases?ids=%5B%22030e6e34-6470-4001-864f-b229511ad188%22%2C%22e662ff34-0493-4538-b9d1-6706ced02ff2%22%5D' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" \ - --header "kbn-xsrf: true" - - label: Console - lang: console - source: > - DELETE - kbn:/api/cases?ids=["030e6e34-6470-4001-864f-b229511ad188","e662ff34-0493-4538-b9d1-6706ced02ff2"] - patch: - description: > - You must have `all` privileges for the **Cases** feature in the - **Management**, **Observability**, or **Security** section of the - Kibana feature privileges, depending on the owner of the case you're - updating. - operationId: updateCaseDefaultSpace + - alerting + x-state: Generally available; added in 8.19.0 + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/alerting/rule/{ruleId}/snooze_schedule/{scheduleId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/alerting/rules/_find: + get: + operationId: get-alerting-rules-find parameters: - - $ref: '#/components/parameters/Cases_kbn_xsrf' - requestBody: - content: - application/json: - examples: - updateCaseRequest: - $ref: '#/components/examples/Cases_update_case_request' - schema: - $ref: '#/components/schemas/Cases_update_case_request' + - description: The number of rules to return per page. + in: query + name: per_page + required: false + schema: + default: 10 + minimum: 0 + type: number + - description: The page number to return. + in: query + name: page + required: false + schema: + default: 1 + minimum: 1 + type: number + - description: An Elasticsearch simple_query_string query that filters the objects in the response. + in: query + name: search + required: false + schema: + type: string + - description: The default operator to use for the simple_query_string. + in: query + name: default_search_operator + required: false + schema: + default: OR + enum: + - OR + - AND + type: string + - description: The fields to perform the simple_query_string parsed query against. + in: query + name: search_fields + required: false + schema: + items: + type: string + type: array + - description: Determines which field is used to sort the results. The field must exist in the `attributes` key of the response. + in: query + name: sort_field + required: false + schema: + type: string + - description: Determines the sort order. + in: query + name: sort_order + required: false + schema: + enum: + - asc + - desc + type: string + - description: Filters the rules that have a relation with the reference objects with a specific type and identifier. 
+ in: query + name: has_reference + required: false + schema: + additionalProperties: false + nullable: true + type: object + properties: + id: + type: string + type: + type: string + required: + - type + - id + - description: The fields to return in the `attributes` key of the response. + in: query + name: fields + required: false + schema: + items: + type: string + type: array + - description: 'A KQL string that you filter with an attribute from your saved object. It should look like `savedObjectType.attributes.title: "myTitle"`. However, if you used a direct attribute of a saved object, such as `updatedAt`, you must define your filter, for example, `savedObjectType.updatedAt > 2018-12-22`.' + in: query + name: filter + required: false + schema: + type: string + - in: query + name: filter_consumers + required: false + schema: + items: + description: List of consumers to filter. + type: string + type: array responses: '200': content: application/json: examples: - updateCaseResponse: - $ref: '#/components/examples/Cases_update_case_response' + findConditionalActionRulesResponse: + description: A response that contains information about an index threshold rule. 
+ summary: Index threshold rule + value: + data: + - actions: + - frequency: + notify_when: onActionGroupChange + summary: false + throttle: null + group: threshold met + id: 9dca3e00-74f5-11ed-9801-35303b735aef + params: + connector_type_id: .server-log + level: info + message: |- + Rule {{rule.name}} is active for group {{context.group}}: + + - Value: {{context.value}} + - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} + - Timestamp: {{context.date}} + uuid: 1c7a1280-f28c-4e06-96b2-e4e5f05d1d61 + api_key_created_by_user: false + api_key_owner: elastic + consumer: alerts + created_at: '2022-12-05T23:40:33.132Z' + created_by: elastic + enabled: true + execution_status: + last_duration: 48 + last_execution_date: '2022-12-06T01:44:23.983Z' + status: ok + id: 3583a470-74f6-11ed-9801-35303b735aef + last_run: + alerts_count: + active: 0 + ignored: 0 + new: 0 + recovered: 0 + outcome: succeeded + outcome_msg: null + warning: null + mute_all: false + muted_alert_ids: [] + name: my alert + next_run: '2022-12-06T01:45:23.912Z' + params: + aggField: sheet.version + aggType: avg + groupBy: top + index: + - test-index + termField: name.keyword + termSize: 6 + threshold: + - 1000 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 5 + timeWindowUnit: m + revision: 1 + rule_type_id: .index-threshold + schedule: + interval: 1m + scheduled_task_id: 3583a470-74f6-11ed-9801-35303b735aef + tags: + - cpu + throttle: null + updated_at: '2022-12-05T23:40:33.132Z' + updated_by: elastic + page: 1 + per_page: 10 + total: 1 + findRulesResponse: + description: A response that contains information about a security rule that has conditional actions. 
+ summary: Security rule + value: + data: + - actions: + - alerts_filter: + query: + filters: + - $state: + store: appState + meta: + alias: null + disabled: false + field: client.geo.region_iso_code + index: c4bdca79-e69e-4d80-82a1-e5192c621bea + key: client.geo.region_iso_code + negate: false + params: + query: CA-QC + type: phrase + query: + match_phrase: + client.geo.region_iso_code: CA-QC + kql: '' + timeframe: + days: + - 7 + hours: + end: '17:00' + start: '08:00' + timezone: UTC + connector_type_id: .index + frequency: + notify_when: onActiveAlert + summary: true + throttle: null + group: default + id: 49eae970-f401-11ed-9f8e-399c75a2deeb + params: + documents: + - alert_id: + '[object Object]': null + context_message: + '[object Object]': null + rule_id: + '[object Object]': null + rule_name: + '[object Object]': null + uuid: 1c7a1280-f28c-4e06-96b2-e4e5f05d1d61 + api_key_created_by_user: false + api_key_owner: elastic + consumer: siem + created_at: '2023-05-16T15:50:28.358Z' + created_by: elastic + enabled: true + execution_status: + last_duration: 166 + last_execution_date: '2023-05-16T20:26:49.590Z' + status: ok + id: 6107a8f0-f401-11ed-9f8e-399c75a2deeb + last_run: + alerts_count: + active: 0 + ignored: 0 + new: 0 + recovered: 0 + outcome: succeeded + outcome_msg: + - Rule execution completed successfully + outcome_order: 0 + warning: null + mute_all: false + muted_alert_ids: [] + name: security_rule + next_run: '2023-05-16T20:27:49.507Z' + notify_when: null + params: + author: [] + description: A security threshold rule. 
+ exceptionsList: [] + falsePositives: [] + filters: [] + from: now-3660s + immutable: false + index: + - kibana_sample_data_logs + language: kuery + license: '' + maxSignals: 100 + meta: + from: 1h + kibana_siem_app_url: https://localhost:5601/app/security + outputIndex: '' + query: '*' + references: [] + riskScore: 21 + riskScoreMapping: [] + ruleId: an_internal_rule_id + severity: low + severityMapping: [] + threat: [] + threshold: + cardinality: [] + field: + - bytes + value: 1 + to: now + type: threshold + version: 1 + revision: 1 + rule_type_id: siem.thresholdRule + running: false + schedule: + interval: 1m + scheduled_task_id: 6107a8f0-f401-11ed-9f8e-399c75a2deeb + tags: [] + throttle: null + updated_at: '2023-05-16T20:25:42.559Z' + updated_by: elastic + page: 1 + per_page: 10 + total: 1 schema: - items: - $ref: '#/components/schemas/Cases_case_response_properties' - type: array + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_response' description: Indicates a successful call. - '401': + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + summary: Get information about rules + tags: + - alerting + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/alerting/rules/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/alerting/rules/backfill/_find: + post: + operationId: post-alerting-rules-backfill-find + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The end date for filtering backfills. + in: query + name: end + required: false + schema: + type: string + - description: The page number to return. + in: query + name: page + required: false + schema: + default: 1 + minimum: 1 + type: number + - description: The number of backfills to return per page. + in: query + name: per_page + required: false + schema: + default: 10 + minimum: 0 + type: number + - description: A comma-separated list of rule identifiers. + in: query + name: rule_ids + required: false + schema: + type: string + - description: The initiator of the backfill, either `user` for manual backfills or `system` for automatic gap fills. + in: query + name: initiator + required: false + schema: + enum: + - user + - system + type: string + - description: The start date for filtering backfills. + in: query + name: start + required: false + schema: + type: string + - description: The field to sort backfills by. + in: query + name: sort_field + required: false + schema: + enum: + - createdAt + - start + type: string + - description: The sort order. 
+ in: query + name: sort_order + required: false + schema: + enum: + - asc + - desc + type: string + responses: + '200': content: application/json: examples: - response401: - $ref: '#/components/examples/Cases_response_401' + findBackfillResponse: + summary: Find backfills response + value: + data: + - created_at: '2024-01-30T00:00:00.000Z' + duration: 12h + enabled: true + id: 85bdf571-f4fb-4666-a8d2-e05e1220ebc6 + initiator: user + rule: + api_key_owner: elastic + consumer: alerts + created_at: '2022-12-05T23:40:33.132Z' + created_by: elastic + enabled: true + id: 3583a470-74f6-11ed-9801-35303b735aef + name: my alert + params: + aggField: sheet.version + aggType: avg + groupBy: top + index: + - test-index + termField: name.keyword + termSize: 6 + threshold: + - 1000 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 5 + timeWindowUnit: m + revision: 0 + rule_type_id: .index-threshold + schedule: + interval: 1m + tags: + - cpu + updated_at: '2022-12-05T23:40:33.132Z' + updated_by: elastic + schedule: + - interval: 12h + run_at: '2024-01-01T12:00:00.000Z' + status: pending + - interval: 12h + run_at: '2024-01-02T00:00:00.000Z' + status: pending + space_id: default + start: '2024-01-01T00:00:00.000Z' + status: pending + page: 1 + per_page: 10 + total: 1 schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. - summary: Update cases + $ref: '#/components/schemas/Kibana_HTTP_APIs_find_backfill_response' + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + summary: Find backfills for rules tags: - - cases + - alerting + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/alerting/rules/backfill/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/alerting/rules/backfill/_schedule: post: - description: > - You must have `all` privileges for the **Cases** feature in the - **Management**, **Observability**, or **Security** section of the - Kibana feature privileges, depending on the owner of the case you're - creating. - operationId: createCaseDefaultSpace + operationId: post-alerting-rules-backfill-schedule parameters: - - $ref: '#/components/parameters/Cases_kbn_xsrf' + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: examples: - createCaseRequest: - $ref: '#/components/examples/Cases_create_case_request' + scheduleBackfillRequest: + summary: Schedule a backfill for an index threshold rule + value: + - ranges: + - end: '2024-01-02T00:00:00.000Z' + start: '2024-01-01T00:00:00.000Z' + rule_id: 3583a470-74f6-11ed-9801-35303b735aef schema: - $ref: '#/components/schemas/Cases_create_case_request' - required: true + items: + additionalProperties: false + type: object + properties: + ranges: + items: + additionalProperties: false + type: object + properties: + end: + type: string + start: + type: string + required: + - start + - end + type: array + rule_id: + type: string + run_actions: + type: boolean + required: + - rule_id + - ranges + maxItems: 100 + minItems: 1 + type: array responses: '200': content: application/json: examples: - createCaseResponse: - $ref: '#/components/examples/Cases_create_case_response' + scheduleBackfillResponse: + summary: Schedule backfill response + value: + - created_at: '2024-01-30T00:00:00.000Z' + duration: 12h + enabled: true + id: 85bdf571-f4fb-4666-a8d2-e05e1220ebc6 + initiator: user + rule: + api_key_owner: elastic + consumer: alerts + created_at: '2022-12-05T23:40:33.132Z' + created_by: elastic + enabled: true + id: 
3583a470-74f6-11ed-9801-35303b735aef + name: my alert + params: + aggField: sheet.version + aggType: avg + groupBy: top + index: + - test-index + termField: name.keyword + termSize: 6 + threshold: + - 1000 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 5 + timeWindowUnit: m + revision: 0 + rule_type_id: .index-threshold + schedule: + interval: 1m + tags: + - cpu + updated_at: '2022-12-05T23:40:33.132Z' + updated_by: elastic + schedule: + - interval: 12h + run_at: '2024-01-01T12:00:00.000Z' + status: pending + - interval: 12h + run_at: '2024-01-02T00:00:00.000Z' + status: pending + space_id: default + start: '2024-01-01T00:00:00.000Z' + status: pending schema: - $ref: '#/components/schemas/Cases_case_response_properties' + items: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_backfill_response' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_backfill_error_response' + type: array description: Indicates a successful call. - '401': - content: - application/json: - examples: - response401: - $ref: '#/components/examples/Cases_response_401' - schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. - summary: Create a case + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. + summary: Schedule a backfill for rules tags: - - cases - /api/cases/_find: + - alerting + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/alerting/rules/backfill/_schedule
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/alerting/rules/backfill/{id}: + delete: + operationId: delete-alerting-rules-backfill-id + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the backfill. + in: path + name: id + required: true + schema: + type: string + responses: + '204': + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a backfill with the given ID does not exist. + summary: Delete a backfill by ID + tags: + - alerting + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/alerting/rules/backfill/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. get: - description: > - You must have `read` privileges for the **Cases** feature in the - **Management**, **Observability**, or **Security** section of the Kibana - feature privileges, depending on the owner of the cases you're seeking. - operationId: findCasesDefaultSpace + operationId: get-alerting-rules-backfill-id parameters: - - $ref: '#/components/parameters/Cases_assignees_filter' - - $ref: '#/components/parameters/Cases_category' - - $ref: '#/components/parameters/Cases_defaultSearchOperator' - - $ref: '#/components/parameters/Cases_from' - - $ref: '#/components/parameters/Cases_owner_filter' - - $ref: '#/components/parameters/Cases_page_index' - - $ref: '#/components/parameters/Cases_page_size' - - $ref: '#/components/parameters/Cases_reporters' - - $ref: '#/components/parameters/Cases_search' - - $ref: '#/components/parameters/Cases_searchFields' - - $ref: '#/components/parameters/Cases_severity' - - $ref: '#/components/parameters/Cases_sortField' - - $ref: '#/components/parameters/Cases_sort_order' - - $ref: '#/components/parameters/Cases_status' - - $ref: '#/components/parameters/Cases_tags' - - $ref: '#/components/parameters/Cases_to' + - description: The identifier for the backfill. 
+ in: path + name: id + required: true + schema: + type: string responses: '200': content: application/json: examples: - findCaseResponse: - $ref: '#/components/examples/Cases_find_case_response' - schema: - type: object - properties: - cases: - items: - $ref: '#/components/schemas/Cases_case_response_properties' - maxItems: 10000 - type: array - count_closed_cases: - type: integer - count_in_progress_cases: - type: integer - count_open_cases: - type: integer - page: - type: integer - per_page: - type: integer - total: - type: integer + getBackfillResponse: + summary: Get a backfill for an index threshold rule + value: + created_at: '2024-01-30T00:00:00.000Z' + duration: 12h + enabled: true + id: 85bdf571-f4fb-4666-a8d2-e05e1220ebc6 + initiator: user + rule: + api_key_owner: elastic + consumer: alerts + created_at: '2022-12-05T23:40:33.132Z' + created_by: elastic + enabled: true + id: 3583a470-74f6-11ed-9801-35303b735aef + name: my alert + params: + aggField: sheet.version + aggType: avg + groupBy: top + index: + - test-index + termField: name.keyword + termSize: 6 + threshold: + - 1000 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 5 + timeWindowUnit: m + revision: 0 + rule_type_id: .index-threshold + schedule: + interval: 1m + tags: + - cpu + updated_at: '2022-12-05T23:40:33.132Z' + updated_by: elastic + schedule: + - interval: 12h + run_at: '2024-01-01T12:00:00.000Z' + status: pending + - interval: 12h + run_at: '2024-01-02T00:00:00.000Z' + status: pending + space_id: default + start: '2024-01-01T00:00:00.000Z' + status: pending + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_backfill_response' description: Indicates a successful call. - '401': - content: - application/json: - examples: - response401: - $ref: '#/components/examples/Cases_response_401' - schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. 
- summary: Search cases + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a backfill with the given ID does not exist. + summary: Get a backfill by ID tags: - - cases - /api/cases/{caseId}: - get: - description: > - Returns case details. The response does not include a comments - property; use the find case comments API to retrieve comments. The - totalComment field reflects the actual number of user comments on the - case. You must have `read` privileges for the **Cases** feature in the - **Management**, **Observability**, or **Security** section of the Kibana - feature privileges, depending on the owner of the case you're seeking. - operationId: getCaseDefaultSpace + - alerting + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/alerting/rules/backfill/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/apm/agent_keys: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/apm/agent_keys
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new agent key for APM. + The user creating an APM agent API key must have at least the `manage_own_api_key` cluster privilege and the APM application-level privileges that it wishes to grant. + After it is created, you can copy the API key (Base64 encoded) and use it to to authorize requests from APM agents to the APM Server. + operationId: createAgentKey parameters: - - $ref: '#/components/parameters/Cases_case_id' + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - $ref: '#/components/parameters/APM_UI_kbn_xsrf' + requestBody: + content: + application/json: + examples: + createAgentKeyRequest1: + $ref: '#/components/examples/APM_UI_agent_keys_object_post_request1' + schema: + $ref: '#/components/schemas/APM_UI_agent_keys_object' + required: true responses: '200': content: application/json: examples: - getDefaultCaseResponse: - $ref: '#/components/examples/Cases_get_case_response' - getDefaultObservabilityCaseResponse: - $ref: '#/components/examples/Cases_get_case_observability_response' + createAgentKeyResponse1: + $ref: '#/components/examples/APM_UI_agent_keys_object_post_200_response1' schema: - $ref: '#/components/schemas/Cases_case_response_get_case' - description: Indicates a successful call. - '401': + $ref: '#/components/schemas/APM_UI_agent_keys_response' + description: Agent key created successfully + '400': content: application/json: examples: - response401: - $ref: '#/components/examples/Cases_response_401' + badRequestResponse: + $ref: '#/components/examples/APM_UI_error_400_response' schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. 
- summary: Get case information - tags: - - cases - /api/cases/{caseId}/alerts: - get: - description: > - You must have `read` privileges for the **Cases** feature in the - **Management**, **Observability**, or **Security** section of the Kibana - feature privileges, depending on the owner of the cases you're seeking. - operationId: getCaseAlertsDefaultSpace - parameters: - - $ref: '#/components/parameters/Cases_case_id' - responses: - '200': + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': content: application/json: examples: - getCaseAlertsResponse: - $ref: '#/components/examples/Cases_get_case_alerts_response' + unauthorizedResponse: + $ref: '#/components/examples/APM_UI_error_401_response' schema: - items: - $ref: '#/components/schemas/Cases_alert_response_properties' - type: array - description: Indicates a successful call. - '401': + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '403': content: application/json: examples: - response401: - $ref: '#/components/examples/Cases_response_401' + forbiddenResponse: + $ref: '#/components/examples/APM_UI_error_403_response' schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. - summary: Get all alerts for a case - tags: - - cases - x-state: Technical preview - /api/cases/{caseId}/comments: - delete: - description: > - Deletes all comments and alerts from a case. You must have `all` - privileges for the **Cases** feature in the **Management**, - **Observability**, or **Security** section of the Kibana feature - privileges, depending on the owner of the cases you're deleting. - operationId: deleteCaseCommentsDefaultSpace - parameters: - - $ref: '#/components/parameters/Cases_kbn_xsrf' - - $ref: '#/components/parameters/Cases_case_id' - responses: - '204': - description: Indicates a successful call. 
- '401': + $ref: '#/components/schemas/APM_UI_403_response' + description: Forbidden response + '500': content: application/json: examples: - response401: - $ref: '#/components/examples/Cases_response_401' + internalServerErrorResponse: + $ref: '#/components/examples/APM_UI_error_500_response' schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. - summary: Delete all case comments and alerts + $ref: '#/components/schemas/APM_UI_500_response' + description: Internal Server Error response + summary: Create an APM agent key tags: - - cases - x-codeSamples: - - label: curl - lang: curl - source: | - curl \ - --request DELETE 'https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments' \ - --header "Authorization: $API_KEY" \ - --header "kbn-xsrf: true" - - label: Console - lang: console - source: | - DELETE kbn:/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments - patch: - description: > - You must have `all` privileges for the **Cases** feature in the - **Management**, **Observability**, or **Security** section of the Kibana - feature privileges, depending on the owner of the case you're updating. - NOTE: You cannot change the comment type or the owner of a comment. - operationId: updateCaseCommentDefaultSpace + - APM agent keys + x-metaTags: + - content: Kibana + name: product_name + /api/apm/fleet/apm_server_schema: + post: + deprecated: true + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/apm/fleet/apm_server_schema
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + DEPRECATED: This endpoint is intended for internal use by Fleet integrations to push the APM Server configuration schema. Do not use for new integrations. It stores the provided schema object as a Kibana saved object. If Fleet migration is not available on the current deployment, the API returns a 404. + operationId: saveApmServerSchema parameters: - - $ref: '#/components/parameters/Cases_kbn_xsrf' - - $ref: '#/components/parameters/Cases_case_id' + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - $ref: '#/components/parameters/APM_UI_kbn_xsrf' requestBody: content: application/json: examples: - updateCaseCommentRequest: - $ref: '#/components/examples/Cases_update_comment_request' + saveApmServerSchemaRequest: + description: An example request payload for `POST /api/apm/fleet/apm_server_schema`. + value: + schema: + foo: bar schema: - $ref: '#/components/schemas/Cases_update_case_comment_request' - required: true - responses: + type: object + properties: + schema: + additionalProperties: true + description: Schema object + example: + foo: bar + type: object + required: true + responses: '200': content: application/json: examples: - updateCaseCommentResponse: - $ref: '#/components/examples/Cases_update_comment_response' + saveApmServerSchemaResponseExample1: + $ref: '#/components/examples/APM_UI_fleet_apm_server_schema_200_response1' schema: - $ref: '#/components/schemas/Cases_case_response_properties' - description: Indicates a successful call. + additionalProperties: false + description: The response body is intentionally empty for this endpoint. 
+ type: object + description: Successful response + '400': + content: + application/json: + examples: + badRequestResponse: + $ref: '#/components/examples/APM_UI_error_400_response' + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response '401': content: application/json: examples: - response401: - $ref: '#/components/examples/Cases_response_401' + unauthorizedResponse: + $ref: '#/components/examples/APM_UI_error_401_response' schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. - summary: Update a case comment or alert + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '403': + content: + application/json: + examples: + forbiddenResponse: + $ref: '#/components/examples/APM_UI_error_403_response' + schema: + $ref: '#/components/schemas/APM_UI_403_response' + description: Forbidden response + '404': + content: + application/json: + examples: + notFoundResponse: + $ref: '#/components/examples/APM_UI_error_404_response' + schema: + $ref: '#/components/schemas/APM_UI_404_response' + description: Not found response + summary: Save APM server schema tags: - - cases + - APM server schema + x-metaTags: + - content: Kibana + name: product_name + /api/apm/services/{serviceName}/annotation: post: - description: > - You must have `all` privileges for the **Cases** feature in the - **Management**, **Observability**, or **Security** section of the Kibana - feature privileges, depending on the owner of the case you're creating. - NOTE: Each case can have a maximum of 1,000 alerts. - operationId: addCaseCommentDefaultSpace + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/apm/services/{serviceName}/annotation
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new annotation for a specific service. + operationId: createAnnotation parameters: - - $ref: '#/components/parameters/Cases_kbn_xsrf' - - $ref: '#/components/parameters/Cases_case_id' + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - $ref: '#/components/parameters/APM_UI_kbn_xsrf' + - description: The name of the service + in: path + name: serviceName + required: true + schema: + type: string requestBody: content: application/json: examples: - createCaseCommentRequest: - $ref: '#/components/examples/Cases_add_comment_request' + createAnnotationRequest1: + $ref: '#/components/examples/APM_UI_annotation_object_post_request1' schema: - $ref: '#/components/schemas/Cases_add_case_comment_request' + $ref: '#/components/schemas/APM_UI_create_annotation_object' required: true responses: '200': content: application/json: examples: - createCaseCommentResponse: - $ref: '#/components/examples/Cases_add_comment_response' + createAnnotationResponse1: + $ref: '#/components/examples/APM_UI_annotation_object_post_200_response1' schema: - $ref: '#/components/schemas/Cases_case_response_properties' - description: Indicates a successful call. - '401': + $ref: '#/components/schemas/APM_UI_create_annotation_response' + description: Annotation created successfully + '400': content: application/json: examples: - response401: - $ref: '#/components/examples/Cases_response_401' + badRequestResponse: + $ref: '#/components/examples/APM_UI_error_400_response' schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. - summary: Add a case comment or alert - tags: - - cases - /api/cases/{caseId}/comments/_find: - get: - description: > - Retrieves a paginated list of comments for a case. 
You must have `read` - privileges for the **Cases** feature in the **Management**, - **Observability**, or **Security** section of the Kibana feature - privileges, depending on the owner of the cases with the comments you're - seeking. - operationId: findCaseCommentsDefaultSpace - parameters: - - $ref: '#/components/parameters/Cases_case_id' - - $ref: '#/components/parameters/Cases_page_index' - - $ref: '#/components/parameters/Cases_page_size' - - $ref: '#/components/parameters/Cases_sort_order' - responses: - '200': + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': content: application/json: examples: - findCaseCommentsResponse: - $ref: '#/components/examples/Cases_find_case_comments_response' + unauthorizedResponse: + $ref: '#/components/examples/APM_UI_error_401_response' schema: - $ref: '#/components/schemas/Cases_find_comments_response' - description: Indicates a successful call. - '401': + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '403': content: application/json: examples: - response401: - $ref: '#/components/examples/Cases_response_401' + forbiddenResponse: + $ref: '#/components/examples/APM_UI_error_403_response' schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. - summary: Find case comments - tags: - - cases - /api/cases/{caseId}/comments/{commentId}: - delete: - description: > - You must have `all` privileges for the **Cases** feature in the - **Management**, **Observability**, or **Security** section of the Kibana - feature privileges, depending on the owner of the cases you're deleting. - operationId: deleteCaseCommentDefaultSpace - parameters: - - $ref: '#/components/parameters/Cases_kbn_xsrf' - - $ref: '#/components/parameters/Cases_case_id' - - $ref: '#/components/parameters/Cases_comment_id' - responses: - '204': - description: Indicates a successful call. 
- '401': + $ref: '#/components/schemas/APM_UI_403_response' + description: Forbidden response + '404': content: application/json: examples: - response401: - $ref: '#/components/examples/Cases_response_401' + notFoundResponse: + $ref: '#/components/examples/APM_UI_error_404_response' schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. - summary: Delete a case comment or alert + $ref: '#/components/schemas/APM_UI_404_response' + description: Not found response + summary: Create a service annotation tags: - - cases + - APM annotations x-codeSamples: - - label: curl - lang: curl + - lang: Curl source: | - curl \ - --request DELETE 'https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments/71ec1870-725b-11ea-a0b2-c51ea50a58e2' \ - --header "Authorization: $API_KEY" \ - --header "kbn-xsrf: true" - - label: Console - lang: console - source: > - DELETE - kbn:/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments/71ec1870-725b-11ea-a0b2-c51ea50a58e2 + curl -X POST \ + http://localhost:5601/api/apm/services/opbeans-java/annotation \ + -H 'Content-Type: application/json' \ + -H 'kbn-xsrf: true' \ + -H 'Authorization: Basic YhUlubWZhM0FDbnlQeE6WRtaW49FQmSGZ4RUWXdX' \ + -d '{ + "@timestamp": "2020-05-08T10:31:30.452Z", + "service": { + "version": "1.2" + }, + "message": "Deployment 1.2" + }' + x-metaTags: + - content: Kibana + name: product_name + /api/apm/services/{serviceName}/annotation/search: get: - description: > - You must have `read` privileges for the **Cases** feature in the - **Management**, **Observability**, or **Security** section of the Kibana - feature privileges, depending on the owner of the cases with the - comments you're seeking. - operationId: getCaseCommentDefaultSpace + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/apm/services/{serviceName}/annotation/search
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Search for annotations related to a specific service. + operationId: getAnnotation parameters: - - $ref: '#/components/parameters/Cases_case_id' - - $ref: '#/components/parameters/Cases_comment_id' + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - description: The name of the service + in: path + name: serviceName + required: true + schema: + type: string + - description: The environment to filter annotations by + in: query + name: environment + required: false + schema: + type: string + - description: The start date for the search + example: '2024-01-01T00:00:00.000Z' + in: query + name: start + required: false + schema: + format: date-time + type: string + - description: The end date for the search + example: '2024-01-31T23:59:59.999Z' + in: query + name: end + required: false + schema: + format: date-time + type: string responses: '200': content: application/json: examples: - getCaseCommentResponse: - $ref: '#/components/examples/Cases_get_comment_response' + getAnnotationResponse1: + $ref: '#/components/examples/APM_UI_annotation_search_get_200_response1' schema: - oneOf: - - $ref: >- - #/components/schemas/Cases_alert_comment_response_properties - - $ref: >- - #/components/schemas/Cases_user_comment_response_properties - description: Indicates a successful call. - '401': + $ref: '#/components/schemas/APM_UI_annotation_search_response' + description: Successful response + '400': content: application/json: examples: - response401: - $ref: '#/components/examples/Cases_response_401' + badRequestResponse: + $ref: '#/components/examples/APM_UI_error_400_response' schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. 
- summary: Get a case comment or alert - tags: - - cases - /api/cases/{caseId}/connector/{connectorId}/_push: - post: - description: > - You must have `all` privileges for the **Actions and Connectors** - feature in the **Management** section of the Kibana feature privileges. - You must also have `all` privileges for the **Cases** feature in the - **Management**, **Observability**, or **Security** section of the Kibana - feature privileges, depending on the owner of the case you're pushing. - operationId: pushCaseDefaultSpace - parameters: - - $ref: '#/components/parameters/Cases_case_id' - - $ref: '#/components/parameters/Cases_connector_id' - - $ref: '#/components/parameters/Cases_kbn_xsrf' - requestBody: - content: - application/json: - examples: - pushCaseRequest: - summary: >- - Push a case to an external service. No request body is - required. - value: null - schema: - nullable: true - type: object - responses: - '200': + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': content: application/json: examples: - pushCaseResponse: - $ref: '#/components/examples/Cases_push_case_response' + unauthorizedResponse: + $ref: '#/components/examples/APM_UI_error_401_response' schema: - $ref: '#/components/schemas/Cases_case_response_properties' - description: Indicates a successful call. - '401': + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '500': content: application/json: examples: - response401: - $ref: '#/components/examples/Cases_response_401' + internalServerErrorResponse: + $ref: '#/components/examples/APM_UI_error_500_response' schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. 
- summary: Push a case to an external service + $ref: '#/components/schemas/APM_UI_500_response' + description: Internal Server Error response + summary: Search for annotations tags: - - cases - /api/cases/{caseId}/files: - post: - description: > - Attach a file to a case. You must have `all` privileges for the - **Cases** feature in the **Management**, **Observability**, or - **Security** section of the Kibana feature privileges, depending on the - owner of the case you're updating. The request must include: + - APM annotations + x-metaTags: + - content: Kibana + name: product_name + /api/apm/settings/agent-configuration: + delete: + description: | + **Spaces method and path for this operation:** - - The `Content-Type: multipart/form-data` HTTP header. +
delete /s/{space_id}/api/apm/settings/agent-configuration
- - The location of the file that is being uploaded. - operationId: addCaseFileDefaultSpace + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete an existing agent configuration. You must have `all` privileges for the APM and User Experience feature in Kibana. When successful, the configuration is removed and, if Fleet is enabled, APM package policies are synchronized accordingly. + operationId: deleteAgentConfiguration parameters: - - $ref: '#/components/parameters/Cases_kbn_xsrf' - - $ref: '#/components/parameters/Cases_case_id' + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - $ref: '#/components/parameters/APM_UI_kbn_xsrf' requestBody: content: - multipart/form-data: + application/json: examples: - addCaseFileRequest: - summary: Attach a plain text file named "my_attachment". - value: - filename: my_attachment + deleteAgentConfigurationRequest1: + $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_delete_request1' schema: - $ref: '#/components/schemas/Cases_add_case_file_request' + $ref: '#/components/schemas/APM_UI_delete_service_object' required: true responses: '200': content: application/json: examples: - addCaseFileResponse: - $ref: '#/components/examples/Cases_add_comment_response' + deleteAgentConfigurationResponseExample1: + $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_delete_200_response1' schema: - $ref: '#/components/schemas/Cases_case_response_properties' - description: Indicates a successful call. 
+ $ref: '#/components/schemas/APM_UI_delete_agent_configurations_response' + description: Successful response + '400': + content: + application/json: + examples: + badRequestResponse: + $ref: '#/components/examples/APM_UI_error_400_response' + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response '401': content: application/json: examples: - response401: - $ref: '#/components/examples/Cases_response_401' + unauthorizedResponse: + $ref: '#/components/examples/APM_UI_error_401_response' schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. - summary: Attach a file to a case + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '403': + content: + application/json: + examples: + forbiddenResponse: + $ref: '#/components/examples/APM_UI_error_403_response' + schema: + $ref: '#/components/schemas/APM_UI_403_response' + description: Forbidden response + '404': + content: + application/json: + examples: + notFoundResponse: + $ref: '#/components/examples/APM_UI_error_404_response' + schema: + $ref: '#/components/schemas/APM_UI_404_response' + description: Not found response + summary: Delete agent configuration tags: - - cases - x-codeSamples: - - label: curl - lang: curl - source: | - curl \ - --request POST 'https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/files' \ - --header "Authorization: $API_KEY" \ - --header "kbn-xsrf: true" \ - --form "file=@/path/to/my_attachment.txt" \ - --form "filename=my_attachment" - /api/cases/{caseId}/user_actions/_find: + - APM agent configuration + x-metaTags: + - content: Kibana + name: product_name get: - description: > - Retrieves a paginated list of user activity for a case. 
You must have - `read` privileges for the **Cases** feature in the **Management**, - **Observability**, or **Security** section of the Kibana feature - privileges, depending on the owner of the case you're seeking. - operationId: findCaseActivityDefaultSpace + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/apm/settings/agent-configuration
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve all agent configurations. You must have `read` privileges for the APM and User Experience feature in Kibana. If agent configuration is not available on the current deployment, the API returns a 404. + operationId: getAgentConfigurations parameters: - - $ref: '#/components/parameters/Cases_case_id' - - $ref: '#/components/parameters/Cases_page_index' - - $ref: '#/components/parameters/Cases_page_size' - - $ref: '#/components/parameters/Cases_sort_order' - - $ref: '#/components/parameters/Cases_user_action_types' + - $ref: '#/components/parameters/APM_UI_elastic_api_version' responses: '200': content: application/json: examples: - findCaseActivityResponse: - $ref: '#/components/examples/Cases_find_case_activity_response' + getAgentConfigurationsResponseExample1: + $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_get_200_response1' schema: - type: object - properties: - page: - type: integer - perPage: - type: integer - total: - type: integer - userActions: - items: - $ref: >- - #/components/schemas/Cases_user_actions_find_response_properties - maxItems: 10000 - type: array - description: Indicates a successful call. + $ref: '#/components/schemas/APM_UI_agent_configurations_response' + description: Successful response + '400': + content: + application/json: + examples: + badRequestResponse: + $ref: '#/components/examples/APM_UI_error_400_response' + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response '401': content: application/json: examples: - response401: - $ref: '#/components/examples/Cases_response_401' + unauthorizedResponse: + $ref: '#/components/examples/APM_UI_error_401_response' schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. 
- summary: Find case activity + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '404': + content: + application/json: + examples: + notFoundResponse: + $ref: '#/components/examples/APM_UI_error_404_response' + schema: + $ref: '#/components/schemas/APM_UI_404_response' + description: Not found response + summary: Get a list of agent configurations tags: - - cases - /api/cases/alerts/{alertId}: - get: - description: > - You must have `read` privileges for the **Cases** feature in the - **Management**, **Observability**, or **Security** section of the Kibana - feature privileges, depending on the owner of the cases you're seeking. - operationId: getCasesByAlertDefaultSpace + - APM agent configuration + x-metaTags: + - content: Kibana + name: product_name + put: + description: | + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/apm/settings/agent-configuration
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create or update an agent configuration. You must have `all` privileges for the APM and User Experience feature in Kibana. When updating an existing configuration, the `?overwrite=true` query parameter is required. If the configuration already exists and `overwrite` is not set to `true`, the API returns a 400 error. When successful and Fleet is enabled, APM package policies are synchronized accordingly. + operationId: createUpdateAgentConfiguration parameters: - - $ref: '#/components/parameters/Cases_alert_id' - - $ref: '#/components/parameters/Cases_owner_filter' + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - $ref: '#/components/parameters/APM_UI_kbn_xsrf' + - description: If the config exists ?overwrite=true is required + in: query + name: overwrite + schema: + type: boolean + requestBody: + content: + application/json: + examples: + createUpdateAgentConfigurationRequestExample1: + $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_put_request1' + schema: + $ref: '#/components/schemas/APM_UI_agent_configuration_intake_object' + required: true responses: '200': content: application/json: examples: - getCasesByAlertResponse: - summary: Cases associated with a given alert. - value: - - createdAt: '2020-02-19T23:06:33.798Z' - description: Investigating suspicious activity - id: 06116b80-e1c3-11ec-be9b-9b1838238ee6 - status: open - title: security_case - totals: - alerts: 1 - events: 0 - userComments: 0 + createUpdateAgentConfigurationResponseExample1: + $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_put_200_response1' schema: - items: - $ref: '#/components/schemas/Cases_related_case' - maxItems: 10000 - type: array - description: Indicates a successful call. + additionalProperties: false + description: The response body is intentionally empty for this endpoint. 
+ type: object + description: Successful response + '400': + content: + application/json: + examples: + badRequestResponse: + $ref: '#/components/examples/APM_UI_error_400_response' + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response '401': content: application/json: examples: - response401: - $ref: '#/components/examples/Cases_response_401' + unauthorizedResponse: + $ref: '#/components/examples/APM_UI_error_401_response' schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. - summary: Get cases for an alert - tags: - - cases - x-state: Technical preview - /api/cases/configure: - get: - description: > - Get setting details such as the closure type, custom fields, templates, - and the default connector for cases. You must have `read` privileges for - the **Cases** feature in the **Management**, **Observability**, or - **Security** section of the Kibana feature privileges, depending on - where the cases were created. - operationId: getCaseConfigurationDefaultSpace - parameters: - - $ref: '#/components/parameters/Cases_owner_filter' - responses: - '200': + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '403': content: application/json: examples: - getConfigurationResponse: - $ref: '#/components/examples/Cases_get_case_configuration_response' + forbiddenResponse: + $ref: '#/components/examples/APM_UI_error_403_response' schema: - items: - type: object - properties: - closure_type: - $ref: '#/components/schemas/Cases_closure_types' - connector: - type: object - properties: - fields: - description: >- - The fields specified in the case configuration are - not used and are not propagated to individual cases, - therefore it is recommended to set it to `null`. - nullable: true - type: object - id: - description: >- - The identifier for the connector. If you do not want - a default connector, use `none`. 
To retrieve - connector IDs, use the find connectors API. - example: none - type: string - name: - description: >- - The name of the connector. If you do not want a - default connector, use `none`. To retrieve connector - names, use the find connectors API. - example: none - type: string - type: - $ref: '#/components/schemas/Cases_connector_types' - created_at: - example: '2022-06-01T17:07:17.767Z' - format: date-time - type: string - created_by: - type: object - properties: - email: - example: null - nullable: true - type: string - full_name: - example: null - nullable: true - type: string - profile_uid: - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - type: string - username: - example: elastic - nullable: true - type: string - required: - - email - - full_name - - username - customFields: - description: Custom fields configuration details. - items: - type: object - properties: - defaultValue: - description: > - A default value for the custom field. If the - `type` is `text`, the default value must be a - string. If the `type` is `toggle`, the default - value must be boolean. - oneOf: - - type: string - - type: boolean - key: - description: > - A unique key for the custom field. Must be lower - case and composed only of a-z, 0-9, '_', and '-' - characters. It is used in API calls to refer to a - specific custom field. - maxLength: 36 - minLength: 1 - type: string - label: - description: >- - The custom field label that is displayed in the - case. - maxLength: 50 - minLength: 1 - type: string - type: - description: The type of the custom field. - enum: - - text - - toggle - type: string - required: - description: > - Indicates whether the field is required. If - `false`, the custom field can be set to null or - omitted when a case is created or updated. 
- type: boolean - type: array - error: - example: null - nullable: true - type: string - id: - example: 4a97a440-e1cd-11ec-be9b-9b1838238ee6 - type: string - mappings: - items: - type: object - properties: - action_type: - example: overwrite - type: string - source: - example: title - type: string - target: - example: summary - type: string - type: array - observableTypes: - description: Custom observable type configuration details. - items: - type: object - properties: - key: - description: The observable type key. - example: d312efda-ec2b-42ec-9e2c-84981795c581 - type: string - label: - description: The observable type label. - example: My observable type - type: string - type: array - owner: - $ref: '#/components/schemas/Cases_owner' - templates: - $ref: '#/components/schemas/Cases_templates' - updated_at: - example: '2022-06-01T19:58:48.169Z' - format: date-time - nullable: true - type: string - updated_by: - nullable: true - type: object - properties: - email: - example: null - nullable: true - type: string - full_name: - example: null - nullable: true - type: string - profile_uid: - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - type: string - username: - example: elastic - nullable: true - type: string - required: - - email - - full_name - - username - version: - example: WzIwNzMsMV0= - type: string - type: array - description: Indicates a successful call. + $ref: '#/components/schemas/APM_UI_403_response' + description: Forbidden response + '404': + content: + application/json: + examples: + notFoundResponse: + $ref: '#/components/examples/APM_UI_error_404_response' + schema: + $ref: '#/components/schemas/APM_UI_404_response' + description: Not found response + summary: Create or update agent configuration + tags: + - APM agent configuration + x-metaTags: + - content: Kibana + name: product_name + /api/apm/settings/agent-configuration/agent_name: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/apm/settings/agent-configuration/agent_name
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve `agentName` for a service. + operationId: getAgentNameForService + parameters: + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - description: The name of the service + example: node + in: query + name: serviceName + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getAgentNameForServiceResponse1: + $ref: '#/components/examples/APM_UI_service_agent_name_get_200_response1' + schema: + $ref: '#/components/schemas/APM_UI_service_agent_name_response' + description: Successful response + '400': + content: + application/json: + examples: + badRequestResponse: + $ref: '#/components/examples/APM_UI_error_400_response' + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response '401': content: application/json: examples: - response401: - $ref: '#/components/examples/Cases_response_401' + unauthorizedResponse: + $ref: '#/components/examples/APM_UI_error_401_response' schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. - summary: Get case settings + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '404': + content: + application/json: + examples: + notFoundResponse: + $ref: '#/components/examples/APM_UI_error_404_response' + schema: + $ref: '#/components/schemas/APM_UI_404_response' + description: Not found response + summary: Get agent name for service tags: - - cases + - APM agent configuration + x-metaTags: + - content: Kibana + name: product_name + /api/apm/settings/agent-configuration/environments: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/apm/settings/agent-configuration/environments
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve the available environments for a given service, to be used in agent configuration. You must have `read` privileges for the APM and User Experience feature in Kibana. If `serviceName` is omitted, environments across all services are returned. + operationId: getEnvironmentsForService + parameters: + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - description: The name of the service. If omitted, environments across all services are returned. + example: opbeans-node + in: query + name: serviceName + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getEnvironmentsForServiceResponseExample1: + $ref: '#/components/examples/APM_UI_agent_configuration_environments_200_response1' + schema: + $ref: '#/components/schemas/APM_UI_service_environments_response' + description: Successful response + '400': + content: + application/json: + examples: + badRequestResponse: + $ref: '#/components/examples/APM_UI_error_400_response' + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + examples: + unauthorizedResponse: + $ref: '#/components/examples/APM_UI_error_401_response' + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '404': + content: + application/json: + examples: + notFoundResponse: + $ref: '#/components/examples/APM_UI_error_404_response' + schema: + $ref: '#/components/schemas/APM_UI_404_response' + description: Not found response + summary: Get environments for service + tags: + - APM agent configuration + x-metaTags: + - content: Kibana + name: product_name + /api/apm/settings/agent-configuration/search: post: - description: > - Case settings include external connection details, custom fields, and - templates. Connectors are used to interface with external systems. 
You - must create a connector before you can use it in your cases. If you set - a default connector, it is automatically selected when you create cases - in Kibana. If you use the create case API, however, you must still - specify all of the connector details. You must have `all` privileges for - the **Cases** feature in the **Management**, **Observability**, or - **Security** section of the Kibana feature privileges, depending on - where you are creating cases. - operationId: setCaseConfigurationDefaultSpace + deprecated: true + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/apm/settings/agent-configuration/search
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + DEPRECATED: This endpoint is intended for internal use by APM agents to fetch their configuration and mark it as applied. Do not use for new integrations. It searches for a single agent configuration matching the given service, and optionally updates the `applied_by_agent` field when the provided `etag` matches the current configuration. + operationId: searchSingleConfiguration parameters: - - $ref: '#/components/parameters/Cases_kbn_xsrf' + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - $ref: '#/components/parameters/APM_UI_kbn_xsrf' requestBody: content: application/json: examples: - setCaseConfigRequest: - $ref: '#/components/examples/Cases_set_case_configuration_request' + searchSingleConfigurationRequest1: + $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_search_request1' schema: - $ref: '#/components/schemas/Cases_set_case_configuration_request' + $ref: '#/components/schemas/APM_UI_search_agent_configuration_object' + required: true responses: '200': content: application/json: examples: - setCaseConfigResponse: - $ref: '#/components/examples/Cases_set_case_configuration_response' + searchSingleConfigurationResponse1: + $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_search_200_response1' schema: - type: object - properties: - closure_type: - $ref: '#/components/schemas/Cases_closure_types' - connector: - type: object - properties: - fields: - description: >- - The fields specified in the case configuration are not - used and are not propagated to individual cases, - therefore it is recommended to set it to `null`. - nullable: true - type: object - id: - description: >- - The identifier for the connector. If you do not want a - default connector, use `none`. To retrieve connector - IDs, use the find connectors API. 
- example: none - type: string - name: - description: >- - The name of the connector. If you do not want a - default connector, use `none`. To retrieve connector - names, use the find connectors API. - example: none - type: string - type: - $ref: '#/components/schemas/Cases_connector_types' - created_at: - example: '2022-06-01T17:07:17.767Z' - format: date-time - type: string - created_by: - type: object - properties: - email: - example: null - nullable: true - type: string - full_name: - example: null - nullable: true - type: string - profile_uid: - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - type: string - username: - example: elastic - nullable: true - type: string - required: - - email - - full_name - - username - customFields: - description: Custom fields configuration details. - items: - type: object - properties: - defaultValue: - description: > - A default value for the custom field. If the `type` - is `text`, the default value must be a string. If - the `type` is `toggle`, the default value must be - boolean. - oneOf: - - type: string - - type: boolean - key: - description: > - A unique key for the custom field. Must be lower - case and composed only of a-z, 0-9, '_', and '-' - characters. It is used in API calls to refer to a - specific custom field. - maxLength: 36 - minLength: 1 - type: string - label: - description: >- - The custom field label that is displayed in the - case. - maxLength: 50 - minLength: 1 - type: string - type: - description: The type of the custom field. - enum: - - text - - toggle - type: string - required: - description: > - Indicates whether the field is required. If `false`, - the custom field can be set to null or omitted when - a case is created or updated. 
- type: boolean - type: array - error: - example: null - nullable: true - type: string - id: - example: 4a97a440-e1cd-11ec-be9b-9b1838238ee6 - type: string - mappings: - items: - type: object - properties: - action_type: - example: overwrite - type: string - source: - example: title - type: string - target: - example: summary - type: string - type: array - observableTypes: - description: Custom observable type configuration details. - items: - type: object - properties: - key: - description: The observable type key. - example: d312efda-ec2b-42ec-9e2c-84981795c581 - type: string - label: - description: The observable type label. - example: My observable type - type: string - type: array - owner: - $ref: '#/components/schemas/Cases_owner' - templates: - $ref: '#/components/schemas/Cases_templates' - updated_at: - example: '2022-06-01T19:58:48.169Z' - format: date-time - nullable: true - type: string - updated_by: - nullable: true - type: object - properties: - email: - example: null - nullable: true - type: string - full_name: - example: null - nullable: true - type: string - profile_uid: - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - type: string - username: - example: elastic - nullable: true - type: string - required: - - email - - full_name - - username - version: - example: WzIwNzMsMV0= - type: string - description: Indicates a successful call. 
+ $ref: '#/components/schemas/APM_UI_search_agent_configuration_response' + description: Successful response + '400': + content: + application/json: + examples: + badRequestResponse: + $ref: '#/components/examples/APM_UI_error_400_response' + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response '401': content: application/json: examples: - response401: - $ref: '#/components/examples/Cases_response_401' + unauthorizedResponse: + $ref: '#/components/examples/APM_UI_error_401_response' schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. - summary: Add case settings + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '404': + content: + application/json: + examples: + notFoundResponse: + $ref: '#/components/examples/APM_UI_error_404_response' + schema: + $ref: '#/components/schemas/APM_UI_404_response' + description: Not found response + summary: Lookup single agent configuration tags: - - cases - /api/cases/configure/{configurationId}: - patch: - description: > - Updates setting details such as the closure type, custom fields, - templates, and the default connector for cases. Connectors are used to - interface with external systems. You must create a connector before you - can use it in your cases. You must have `all` privileges for the - **Cases** feature in the **Management**, **Observability**, or - **Security** section of the Kibana feature privileges, depending on - where the case was created. - operationId: updateCaseConfigurationDefaultSpace + - APM agent configuration + x-metaTags: + - content: Kibana + name: product_name + /api/apm/settings/agent-configuration/view: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/apm/settings/agent-configuration/view
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve a single agent configuration matching the given service name and environment. You must have `read` privileges for the APM and User Experience feature in Kibana. If no matching configuration is found, the API returns a 404. + operationId: getSingleAgentConfiguration parameters: - - $ref: '#/components/parameters/Cases_kbn_xsrf' - - $ref: '#/components/parameters/Cases_configuration_id' - requestBody: - content: - application/json: - examples: - updateCaseConfigurationRequest: - $ref: '#/components/examples/Cases_update_case_configuration_request' - schema: - $ref: '#/components/schemas/Cases_update_case_configuration_request' + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - description: Service name + example: node + in: query + name: name + schema: + type: string + - description: Service environment + example: prod + in: query + name: environment + schema: + type: string responses: '200': content: application/json: examples: - updateCaseConfigurationResponse: - $ref: >- - #/components/examples/Cases_update_case_configuration_response + getSingleAgentConfigurationResponseExample1: + $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_view_200_response1' schema: - type: object - properties: - closure_type: - $ref: '#/components/schemas/Cases_closure_types' - connector: - type: object - properties: - fields: - description: >- - The fields specified in the case configuration are not - used and are not propagated to individual cases, - therefore it is recommended to set it to `null`. - nullable: true - type: object - id: - description: >- - The identifier for the connector. If you do not want a - default connector, use `none`. To retrieve connector - IDs, use the find connectors API. - example: none - type: string - name: - description: >- - The name of the connector. If you do not want a - default connector, use `none`. 
To retrieve connector - names, use the find connectors API. - example: none - type: string - type: - $ref: '#/components/schemas/Cases_connector_types' - created_at: - example: '2022-06-01T17:07:17.767Z' - format: date-time - type: string - created_by: - type: object - properties: - email: - example: null - nullable: true - type: string - full_name: - example: null - nullable: true - type: string - profile_uid: - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - type: string - username: - example: elastic - nullable: true - type: string - required: - - email - - full_name - - username - customFields: - description: Custom fields configuration details. - items: - type: object - properties: - defaultValue: - description: > - A default value for the custom field. If the `type` - is `text`, the default value must be a string. If - the `type` is `toggle`, the default value must be - boolean. - oneOf: - - type: string - - type: boolean - key: - description: > - A unique key for the custom field. Must be lower - case and composed only of a-z, 0-9, '_', and '-' - characters. It is used in API calls to refer to a - specific custom field. - maxLength: 36 - minLength: 1 - type: string - label: - description: >- - The custom field label that is displayed in the - case. - maxLength: 50 - minLength: 1 - type: string - type: - description: The type of the custom field. - enum: - - text - - toggle - type: string - required: - description: > - Indicates whether the field is required. If `false`, - the custom field can be set to null or omitted when - a case is created or updated. 
- type: boolean - type: array - error: - example: null - nullable: true - type: string - id: - example: 4a97a440-e1cd-11ec-be9b-9b1838238ee6 - type: string - mappings: - items: - type: object - properties: - action_type: - example: overwrite - type: string - source: - example: title - type: string - target: - example: summary - type: string - type: array - observableTypes: - description: Custom observable type configuration details. - items: - type: object - properties: - key: - description: The observable type key. - example: d312efda-ec2b-42ec-9e2c-84981795c581 - type: string - label: - description: The observable type label. - example: My observable type - type: string - type: array - owner: - $ref: '#/components/schemas/Cases_owner' - templates: - $ref: '#/components/schemas/Cases_templates' - updated_at: - example: '2022-06-01T19:58:48.169Z' - format: date-time - nullable: true - type: string - updated_by: - nullable: true - type: object - properties: - email: - example: null - nullable: true - type: string - full_name: - example: null - nullable: true - type: string - profile_uid: - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - type: string - username: - example: elastic - nullable: true - type: string - required: - - email - - full_name - - username - version: - example: WzIwNzMsMV0= - type: string - description: Indicates a successful call. - '401': + $ref: '#/components/schemas/APM_UI_single_agent_configuration_response' + description: Successful response + '400': content: application/json: examples: - response401: - $ref: '#/components/examples/Cases_response_401' + badRequestResponse: + $ref: '#/components/examples/APM_UI_error_400_response' schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. 
- summary: Update case settings - tags: - - cases - /api/cases/configure/connectors/_find: - get: - description: > - Get information about connectors that are supported for use in cases. - You must have `read` privileges for the **Actions and Connectors** - feature in the **Management** section of the Kibana feature privileges. - operationId: findCaseConnectorsDefaultSpace - responses: - '200': + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': content: application/json: examples: - findConnectorResponse: - $ref: '#/components/examples/Cases_find_connector_response' + unauthorizedResponse: + $ref: '#/components/examples/APM_UI_error_401_response' schema: - items: - type: object - properties: - actionTypeId: - $ref: '#/components/schemas/Cases_connector_types' - config: - additionalProperties: true - type: object - properties: - apiUrl: - type: string - projectKey: - type: string - id: - type: string - isDeprecated: - type: boolean - isMissingSecrets: - type: boolean - isPreconfigured: - type: boolean - name: - type: string - referencedByCount: - type: integer - maxItems: 1000 - type: array - description: Indicates a successful call. - '401': + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '404': content: application/json: examples: - response401: - $ref: '#/components/examples/Cases_response_401' + notFoundResponse: + $ref: '#/components/examples/APM_UI_error_404_response' schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. - summary: Get case connectors + $ref: '#/components/schemas/APM_UI_404_response' + description: Not found response + summary: Get single agent configuration tags: - - cases - /api/cases/reporters: + - APM agent configuration + x-metaTags: + - content: Kibana + name: product_name + /api/apm/sourcemaps: get: - description: > - Returns information about the users who opened cases. 
You must have read - privileges for the **Cases** feature in the **Management**, - **Observability**, or **Security** section of the Kibana feature - privileges, depending on the owner of the cases. The API returns - information about the users as they existed at the time of the case - creation, including their name, full name, and email address. If any of - those details change thereafter or if a user is deleted, the information - returned by this API is unchanged. - operationId: getCaseReportersDefaultSpace + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/apm/sourcemaps
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get an array of Fleet artifacts, including source map uploads. You must have `read` or `all` Kibana privileges for the APM and User Experience feature. + operationId: getSourceMaps parameters: - - $ref: '#/components/parameters/Cases_owner_filter' + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - description: Page number + in: query + name: page + schema: + type: number + - description: Number of records per page + in: query + name: perPage + schema: + type: number responses: '200': content: application/json: examples: - getReportersResponse: - $ref: '#/components/examples/Cases_get_reporters_response' - schema: - items: - type: object - properties: - email: - example: null - nullable: true - type: string - full_name: - example: null - nullable: true - type: string - profile_uid: - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - type: string - username: - example: elastic - nullable: true - type: string - required: - - email - - full_name - - username - maxItems: 10000 - type: array - description: Indicates a successful call. - '401': - content: - application/json: - examples: - response401: - $ref: '#/components/examples/Cases_response_401' + getSourceMapsResponse1: + $ref: '#/components/examples/APM_UI_source_maps_get_200_response1' schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. - summary: Get case creators - tags: - - cases - /api/cases/tags: - get: - description: > - Aggregates and returns a list of case tags. You must have read - privileges for the **Cases** feature in the **Management**, - **Observability**, or **Security** section of the Kibana feature - privileges, depending on the owner of the cases you're seeking. 
- operationId: getCaseTagsDefaultSpace - parameters: - - $ref: '#/components/parameters/Cases_owner_filter' - responses: - '200': + $ref: '#/components/schemas/APM_UI_source_maps_response' + description: Successful response + '400': content: application/json: examples: - getTagsResponse: - $ref: '#/components/examples/Cases_get_tags_response' + badRequestResponse: + $ref: '#/components/examples/APM_UI_error_400_response' schema: - items: - type: string - maxItems: 10000 - type: array - description: Indicates a successful call. + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response '401': content: application/json: examples: - response401: - $ref: '#/components/examples/Cases_response_401' + unauthorizedResponse: + $ref: '#/components/examples/APM_UI_error_401_response' schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. - summary: Get case tags - tags: - - cases - /api/data_views: - get: - description: > - Retrieve a list of all data views. Use this endpoint to identify - available data views in the current Kibana space. - operationId: getAllDataViewsDefault - responses: - '200': + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '500': content: application/json: examples: - getAllDataViewsResponse: - $ref: '#/components/examples/Data_views_get_data_views_response' + internalServerErrorResponse: + $ref: '#/components/examples/APM_UI_error_500_response' schema: - type: object - properties: - data_view: - items: - type: object - properties: - id: - type: string - name: - type: string - namespaces: - items: - type: string - type: array - title: - type: string - typeMeta: - type: object - type: array - description: Indicates a successful call. 
- '400': + $ref: '#/components/schemas/APM_UI_500_response' + description: Internal Server Error response + '501': content: application/json: examples: - getAllDataViewsBadRequest: - $ref: '#/components/examples/Data_views_error_400_response' + notImplementedResponse: + $ref: '#/components/examples/APM_UI_error_501_response' schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Get all data views + $ref: '#/components/schemas/APM_UI_501_response' + description: Not Implemented response + summary: Get source maps tags: - - data views + - APM sourcemaps x-codeSamples: - - lang: curl - source: | - curl \ - -X GET "${KIBANA_URL}/api/data_views" \ - -H "Authorization: ApiKey ${API_KEY}" - - lang: Console + - lang: Curl source: | - GET kbn://api/data_views - /api/data_views/data_view: + curl -X GET "http://localhost:5601/api/apm/sourcemaps" \ + -H 'Content-Type: application/json' \ + -H 'kbn-xsrf: true' \ + -H 'Authorization: ApiKey ${YOUR_API_KEY}' + x-metaTags: + - content: Kibana + name: product_name post: - description: > - Create a data view. Data views identify the Elasticsearch data you want - to explore and visualize. They can point to one or more data streams, - indices, or index aliases, and use optional runtime fields to compute - values at query time. Note that data views are not required for - ES|QL-based visualizations. To learn more, refer to the [data views - documentation](https://www.elastic.co/docs/explore-analyze/find-and-organize/data-views). - operationId: createDataViewDefaultw + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/apm/sourcemaps
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Upload a source map for a specific service and version. You must have `all` Kibana privileges for the APM and User Experience feature. + The maximum payload size is `1mb`. If you attempt to upload a source map that exceeds the maximum payload size, you will get a 413 error. Before uploading source maps that exceed this default, change the maximum payload size allowed by Kibana with the `server.maxPayload` variable. + operationId: uploadSourceMap parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - $ref: '#/components/parameters/APM_UI_kbn_xsrf' requestBody: content: - application/json: + multipart/form-data: examples: - createDataViewRequest: - $ref: '#/components/examples/Data_views_create_data_view_request' + uploadSourceMapRequest: + $ref: '#/components/examples/APM_UI_source_maps_upload_request1' schema: - $ref: '#/components/schemas/Data_views_create_data_view_request_object' + $ref: '#/components/schemas/APM_UI_upload_source_map_object' required: true responses: '200': content: application/json: examples: - createDataViewResponse: - $ref: '#/components/examples/Data_views_create_data_view_response' + uploadSourceMapResponse1: + $ref: '#/components/examples/APM_UI_source_maps_upload_200_response1' schema: - $ref: '#/components/schemas/Data_views_data_view_response_object' - description: Indicates a successful call. 
+ $ref: '#/components/schemas/APM_UI_upload_source_maps_response' + description: Successful response '400': content: application/json: examples: - createDataViewBadRequest: - $ref: '#/components/examples/Data_views_error_400_response' + badRequestResponse: + $ref: '#/components/examples/APM_UI_error_400_response' schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Create a data view - tags: - - data views - x-codeSamples: - - lang: curl - source: | - curl \ - -X POST "${KIBANA_URL}/api/data_views/data_view" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" \ - -H "Content-Type: application/json" \ - -d '{"data_view":{"title":"logstash-*","name":"My Logstash data view"}}' - - lang: Console - source: | - POST kbn://api/data_views/data_view - {"data_view":{"title":"logstash-*","name":"My Logstash data view"}} - /api/data_views/data_view/{viewId}: - delete: - description: > - Delete a data view by its identifier. WARNING: When you delete a data - view, it cannot be recovered. - operationId: deleteDataViewDefault - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - - $ref: '#/components/parameters/Data_views_view_id' - responses: - '204': - description: Indicates a successful call. - '404': + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': content: application/json: examples: - deleteDataViewNotFound: - $ref: '#/components/examples/Data_views_error_404_response' + unauthorizedResponse: + $ref: '#/components/examples/APM_UI_error_401_response' schema: - $ref: '#/components/schemas/Data_views_404_response' - description: Object is not found. 
- summary: Delete a data view - tags: - - data views - x-codeSamples: - - lang: curl - source: | - curl \ - -X DELETE "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" - - lang: Console - source: | - DELETE kbn://api/data_views/data_view/{viewId} - get: - description: > - Retrieve a single data view by its identifier. Data views identify the - Elasticsearch data you want to explore and visualize. They can point to - one or more data streams, indices, or index aliases, and use optional - runtime fields to compute values at query time. Note that data views are - not required for ES|QL-based visualizations. To learn more, refer to the - [data views - documentation](https://www.elastic.co/docs/explore-analyze/find-and-organize/data-views). - operationId: getDataViewDefault - parameters: - - $ref: '#/components/parameters/Data_views_view_id' - responses: - '200': + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '403': content: application/json: examples: - getDataViewResponse: - $ref: '#/components/examples/Data_views_get_data_view_response' + forbiddenResponse: + $ref: '#/components/examples/APM_UI_error_403_response' schema: - $ref: '#/components/schemas/Data_views_data_view_response_object' - description: Indicates a successful call. - '404': + $ref: '#/components/schemas/APM_UI_403_response' + description: Forbidden response + '500': content: application/json: examples: - getDataViewNotFound: - $ref: '#/components/examples/Data_views_error_404_response' + internalServerErrorResponse: + $ref: '#/components/examples/APM_UI_error_500_response' schema: - $ref: '#/components/schemas/Data_views_404_response' - description: Object is not found. 
- summary: Get a data view + $ref: '#/components/schemas/APM_UI_500_response' + description: Internal Server Error response + '501': + content: + application/json: + examples: + notImplementedResponse: + $ref: '#/components/examples/APM_UI_error_501_response' + schema: + $ref: '#/components/schemas/APM_UI_501_response' + description: Not Implemented response + summary: Upload a source map tags: - - data views + - APM sourcemaps x-codeSamples: - - lang: curl - source: | - curl \ - -X GET "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}" \ - -H "Authorization: ApiKey ${API_KEY}" - - lang: Console + - lang: Curl source: | - GET kbn://api/data_views/data_view/{viewId} - post: - description: > - Update an existing data view. Only the fields provided in the request - body are updated. - operationId: updateDataViewDefault + curl -X POST "http://localhost:5601/api/apm/sourcemaps" \ + -H 'Content-Type: multipart/form-data' \ + -H 'kbn-xsrf: true' \ + -H 'Authorization: ApiKey ${YOUR_API_KEY}' \ + -F 'service_name="foo"' \ + -F 'service_version="1.0.0"' \ + -F 'bundle_filepath="/test/e2e/general-usecase/bundle.js"' \ + -F 'sourcemap="{\"version\":3,\"file\":\"static/js/main.chunk.js\",\"sources\":[\"fleet-source-map-client/src/index.css\",\"fleet-source-map-client/src/App.js\",\"webpack:///./src/index.css?bb0a\",\"fleet-source-map-client/src/index.js\",\"fleet-source-map-client/src/reportWebVitals.js\"],\"sourcesContent\":[\"content\"],\"mappings\":\"mapping\",\"sourceRoot\":\"\"}"' + x-metaTags: + - content: Kibana + name: product_name + /api/apm/sourcemaps/{id}: + delete: + description: | + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/apm/sourcemaps/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a previously uploaded source map. You must have `all` Kibana privileges for the APM and User Experience feature. + operationId: deleteSourceMap parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - - $ref: '#/components/parameters/Data_views_view_id' - requestBody: - content: - application/json: - examples: - updateDataViewRequest: - $ref: '#/components/examples/Data_views_update_data_view_request' - schema: - $ref: '#/components/schemas/Data_views_update_data_view_request_object' - required: true + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - $ref: '#/components/parameters/APM_UI_kbn_xsrf' + - description: Source map identifier + in: path + name: id + required: true + schema: + type: string responses: '200': content: application/json: examples: - updateDataViewResponse: - $ref: '#/components/examples/Data_views_get_data_view_response' + deleteSourceMapResponseExample1: + $ref: '#/components/examples/APM_UI_source_maps_delete_200_response1' schema: - $ref: '#/components/schemas/Data_views_data_view_response_object' - description: Indicates a successful call. + additionalProperties: false + description: The response body is intentionally empty for this endpoint. 
+ type: object + description: Successful response '400': content: application/json: examples: - updateDataViewBadRequest: - $ref: '#/components/examples/Data_views_error_400_response' + badRequestResponse: + $ref: '#/components/examples/APM_UI_error_400_response' schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Update a data view - tags: - - data views - x-codeSamples: - - lang: curl - source: | - curl \ - -X POST "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" \ - -H "Content-Type: application/json" \ - -d '{"data_view":{"name":"Updated data view name"}}' - - lang: Console - source: | - POST kbn://api/data_views/data_view/{viewId} - {"data_view":{"name":"Updated data view name"}} - /api/data_views/data_view/{viewId}/fields: - post: - description: > - Update field metadata for a data view. Use this endpoint to set custom - labels, custom descriptions, and format overrides for individual fields. - operationId: updateFieldsMetadataDefault - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - - $ref: '#/components/parameters/Data_views_view_id' - requestBody: - content: - application/json: - examples: - updateFieldsMetadataRequest: - $ref: '#/components/examples/Data_views_update_field_metadata_request' - schema: - type: object - properties: - fields: - description: The field object. - type: object - required: - - fields - required: true - responses: - '200': + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': content: application/json: examples: - updateFieldsMetadataResponse: - $ref: >- - #/components/examples/Data_views_update_field_metadata_response + unauthorizedResponse: + $ref: '#/components/examples/APM_UI_error_401_response' schema: - type: object - properties: - acknowledged: - type: boolean - description: Indicates a successful call. 
- '400': + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '403': content: application/json: examples: - updateFieldsMetadataBadRequest: - $ref: '#/components/examples/Data_views_error_400_response' + forbiddenResponse: + $ref: '#/components/examples/APM_UI_error_403_response' schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Update field metadata - tags: - - data views - x-codeSamples: - - lang: curl - source: | - curl \ - -X POST "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}/fields" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" \ - -H "Content-Type: application/json" \ - -d '{"fields":{"field_name":{"customLabel":"My custom label"}}}' - - lang: Console - source: | - POST kbn://api/data_views/data_view/{viewId}/fields - {"fields":{"field_name":{"customLabel":"My custom label"}}} - /api/data_views/data_view/{viewId}/runtime_field: - post: - description: > - Create a runtime field for a data view. Runtime fields are computed at - query time using a [Painless - script](https://www.elastic.co/docs/explore-analyze/scripting/modules-scripting-painless) - and do not require reindexing. If no `script` is provided, the runtime - field returns the corresponding value from the document `_source`. - operationId: createRuntimeFieldDefault - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - - $ref: '#/components/parameters/Data_views_view_id' - requestBody: - content: - application/json: - examples: - createRuntimeFieldRequest: - $ref: '#/components/examples/Data_views_create_runtime_field_request' - schema: - type: object - properties: - name: - description: | - The name for a runtime field. - type: string - runtimeField: - description: | - The runtime field definition object. 
- type: object - required: - - name - - runtimeField - required: true - responses: - '200': + $ref: '#/components/schemas/APM_UI_403_response' + description: Forbidden response + '500': content: application/json: examples: - createRuntimeFieldResponse: - $ref: >- - #/components/examples/Data_views_create_runtime_field_response + internalServerErrorResponse: + $ref: '#/components/examples/APM_UI_error_500_response' schema: - type: object - description: Indicates a successful call. - summary: Create a runtime field + $ref: '#/components/schemas/APM_UI_500_response' + description: Internal Server Error response + '501': + content: + application/json: + examples: + notImplementedResponse: + $ref: '#/components/examples/APM_UI_error_501_response' + schema: + $ref: '#/components/schemas/APM_UI_501_response' + description: Not Implemented response + summary: Delete source map tags: - - data views + - APM sourcemaps x-codeSamples: - - lang: curl + - lang: Curl source: | - curl \ - -X POST "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}/runtime_field" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" \ - -H "Content-Type: application/json" \ - -d '{"name":"hour_of_day","runtimeField":{"type":"long","script":{"source":"emit(doc['"'"'timestamp'"'"'].value.getHour())"}}}' - - lang: Console - source: > - POST kbn://api/data_views/data_view/{viewId}/runtime_field + curl -X DELETE "http://localhost:5601/api/apm/sourcemaps/apm:foo-1.0.0-644fd5a9" \ + -H 'Content-Type: application/json' \ + -H 'kbn-xsrf: true' \ + -H 'Authorization: ApiKey ${YOUR_API_KEY}' + x-metaTags: + - content: Kibana + name: product_name + /api/asset_criticality: + delete: + description: |- + **Spaces method and path for this operation:** - {"name":"hour_of_day","runtimeField":{"type":"long","script":{"source":"emit(doc['timestamp'].value.getHour())"}}} - put: - description: > - Create or update a runtime field for a data view. 
If the runtime field - already exists, it is replaced with the new definition. - operationId: createUpdateRuntimeFieldDefault +
delete /s/{space_id}/api/asset_criticality
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete the asset criticality record for a specific entity. + operationId: DeleteAssetCriticalityRecord parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - - description: | - The ID of the data view fields you want to update. - in: path - name: viewId + - description: The ID value of the asset. + example: my_host + in: query + name: id_value required: true schema: type: string - requestBody: - content: - application/json: - examples: - updateRuntimeFieldRequest: - $ref: '#/components/examples/Data_views_create_runtime_field_request' - schema: - type: object - properties: - name: - description: | - The name for a runtime field. - type: string - runtimeField: - description: | - The runtime field definition object. - type: object - required: - - name - - runtimeField - required: true + - description: The field representing the ID. + example: host.name + in: query + name: id_field + required: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_IdField' + - description: If 'wait_for' the request will wait for the index refresh. + in: query + name: refresh + required: false + schema: + enum: + - wait_for + type: string responses: '200': content: application/json: - examples: - createUpdateRuntimeFieldResponse: - $ref: >- - #/components/examples/Data_views_create_runtime_field_response schema: type: object properties: - data_view: - type: object - fields: - items: - type: object - type: array - description: Indicates a successful call. + deleted: + description: True if the record was deleted or false if the record did not exist. + type: boolean + record: + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord' + description: The deleted record if it existed. 
+ required: + - deleted + description: Successful response '400': - content: - application/json: - examples: - createUpdateRuntimeFieldBadRequest: - $ref: '#/components/examples/Data_views_error_400_response' - schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Create or update a runtime field - tags: - - data views - x-codeSamples: - - lang: curl - source: | - curl \ - -X PUT "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}/runtime_field" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" \ - -H "Content-Type: application/json" \ - -d '{"name":"hour_of_day","runtimeField":{"type":"long","script":{"source":"emit(doc['"'"'timestamp'"'"'].value.getHour())"}}}' - - lang: Console - source: > - PUT kbn://api/data_views/data_view/{viewId}/runtime_field - - {"name":"hour_of_day","runtimeField":{"type":"long","script":{"source":"emit(doc['timestamp'].value.getHour())"}}} - /api/data_views/data_view/{viewId}/runtime_field/{fieldName}: - delete: - description: | - Delete a runtime field from a data view. - operationId: deleteRuntimeFieldDefault - parameters: - - $ref: '#/components/parameters/Data_views_field_name' - - $ref: '#/components/parameters/Data_views_view_id' - responses: - '200': - description: Indicates a successful call. - '404': - content: - application/json: - examples: - deleteRuntimeFieldNotFound: - $ref: '#/components/examples/Data_views_error_404_response' - schema: - $ref: '#/components/schemas/Data_views_404_response' - description: Object is not found. 
- summary: Delete a runtime field + description: Invalid request + summary: Delete an asset criticality record tags: - - data views - x-codeSamples: - - lang: curl - source: | - curl \ - -X DELETE "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}/runtime_field/${FIELD_NAME}" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" - - lang: Console - source: > - DELETE - kbn://api/data_views/data_view/{viewId}/runtime_field/{fieldName} + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name get: - description: | - Retrieve a single runtime field by name from a data view. - operationId: getRuntimeFieldDefault + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/asset_criticality
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the asset criticality record for a specific entity. + operationId: GetAssetCriticalityRecord parameters: - - $ref: '#/components/parameters/Data_views_field_name' - - $ref: '#/components/parameters/Data_views_view_id' + - description: The ID value of the asset. + example: my_host + in: query + name: id_value + required: true + schema: + type: string + - description: The field representing the ID. + example: host.name + in: query + name: id_field + required: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_IdField' responses: '200': content: application/json: - examples: - getRuntimeFieldResponse: - $ref: '#/components/examples/Data_views_get_runtime_field_response' schema: - type: object - properties: - data_view: - type: object - fields: - items: - type: object - type: array - description: Indicates a successful call. + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord' + description: Successful response + '400': + description: Invalid request '404': - content: - application/json: - examples: - getRuntimeFieldNotFound: - $ref: '#/components/examples/Data_views_error_404_response' - schema: - $ref: '#/components/schemas/Data_views_404_response' - description: Object is not found. - summary: Get a runtime field + description: Criticality record not found + summary: Get an asset criticality record tags: - - data views - x-codeSamples: - - lang: curl - source: | - curl \ - -X GET "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}/runtime_field/${FIELD_NAME}" \ - -H "Authorization: ApiKey ${API_KEY}" - - lang: Console - source: > - GET - kbn://api/data_views/data_view/{viewId}/runtime_field/{fieldName} + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name post: - description: > - Update an existing runtime field in a data view. 
Only the fields - provided in the request body are updated. - operationId: updateRuntimeFieldDefault - parameters: - - $ref: '#/components/parameters/Data_views_field_name' - - $ref: '#/components/parameters/Data_views_view_id' + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/asset_criticality
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create or update an asset criticality record for a specific entity. + + If a record already exists for the specified entity, that record is overwritten with the specified value. If a record doesn't exist for the specified entity, a new record is created. + operationId: CreateAssetCriticalityRecord requestBody: content: application/json: - examples: - updateRuntimeFieldRequest: - $ref: '#/components/examples/Data_views_update_runtime_field_request' schema: - type: object - properties: - runtimeField: - description: | - The runtime field definition object. - - You can update following fields: - - - `type` - - `script` - type: object - required: - - runtimeField + allOf: + - $ref: '#/components/schemas/Security_Entity_Analytics_API_CreateAssetCriticalityRecord' + - type: object + properties: + refresh: + description: If 'wait_for' the request will wait for the index refresh. + enum: + - wait_for + type: string + example: + criticality_level: high_impact + id_field: host.name + id_value: my_host required: true - responses: - '200': - description: Indicates a successful call. 
- '400': - content: - application/json: - examples: - updateRuntimeFieldBadRequest: - $ref: '#/components/examples/Data_views_error_400_response' - schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Update a runtime field - tags: - - data views - x-codeSamples: - - lang: curl - source: | - curl \ - -X POST "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}/runtime_field/${FIELD_NAME}" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" \ - -H "Content-Type: application/json" \ - -d '{"runtimeField":{"type":"long","script":{"source":"emit(doc['"'"'timestamp'"'"'].value.getHour())"}}}' - - lang: Console - source: > - POST - kbn://api/data_views/data_view/{viewId}/runtime_field/{fieldName} - - {"runtimeField":{"type":"long","script":{"source":"emit(doc['timestamp'].value.getHour())"}}} - /api/data_views/default: - get: - description: > - Retrieve the identifier of the default data view for the current Kibana - space. - operationId: getDefaultDataViewDefault responses: '200': content: application/json: - examples: - getDefaultDataViewResponse: - $ref: >- - #/components/examples/Data_views_get_default_data_view_response schema: - type: object - properties: - data_view_id: - type: string - description: Indicates a successful call. 
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord' + description: Successful response '400': - content: - application/json: - examples: - getDefaultDataViewBadRequest: - $ref: '#/components/examples/Data_views_error_400_response' - schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Get the default data view + description: Invalid request + summary: Upsert an asset criticality record tags: - - data views - x-codeSamples: - - lang: curl - source: | - curl \ - -X GET "${KIBANA_URL}/api/data_views/default" \ - -H "Authorization: ApiKey ${API_KEY}" - - lang: Console - source: | - GET kbn://api/data_views/default + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/asset_criticality/bulk: post: - description: > - Set the default data view for the current Kibana space. The default data - view is used as a fallback when no specific data view is selected. - operationId: setDefaultDatailViewDefault - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/asset_criticality/bulk
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Bulk upsert up to 1000 asset criticality records. + + If asset criticality records already exist for the specified entities, those records are overwritten with the specified values. If asset criticality records don't exist for the specified entities, new records are created. + operationId: BulkUpsertAssetCriticalityRecords requestBody: content: application/json: - examples: - setDefaultDataViewRequest: - $ref: '#/components/examples/Data_views_set_default_data_view_request' schema: + example: + records: + - criticality_level: low_impact + id_field: host.name + id_value: host-1 + - criticality_level: medium_impact + id_field: host.name + id_value: host-2 type: object properties: - data_view_id: - description: > - The data view identifier. NOTE: The API does not validate - whether it is a valid identifier. Use `null` to unset the - default data view. - nullable: true - type: string - force: - default: false - description: Update an existing default data view identifier. - type: boolean + records: + items: + allOf: + - $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordIdParts' + - type: object + properties: + criticality_level: + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevelsForBulkUpload' + required: + - criticality_level + maxItems: 1000 + minItems: 1 + type: array required: - - data_view_id - required: true + - records responses: '200': content: application/json: - examples: - setDefaultDataViewResponse: - $ref: >- - #/components/examples/Data_views_set_default_data_view_response schema: + example: + errors: + - index: 0 + message: Invalid ID field + stats: + failed: 1 + successful: 1 + total: 2 type: object properties: - acknowledged: - type: boolean - description: Indicates a successful call. 
- '400': - content: - application/json: - examples: - setDefaultDataViewBadRequest: - $ref: '#/components/examples/Data_views_error_400_response' - schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Set the default data view + errors: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityBulkUploadErrorItem' + type: array + stats: + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityBulkUploadStats' + required: + - errors + - stats + description: Bulk upload successful + '413': + description: File too large + summary: Bulk upsert asset criticality records tags: - - data views - x-codeSamples: - - lang: curl - source: | - curl \ - -X POST "${KIBANA_URL}/api/data_views/default" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" \ - -H "Content-Type: application/json" \ - -d '{"data_view_id":"ff959d40-b880-11e8-a6d9-e546fe2bba5f","force":true}' - - lang: Console - source: | - POST kbn://api/data_views/default - {"data_view_id":"ff959d40-b880-11e8-a6d9-e546fe2bba5f","force":true} - /api/data_views/swap_references: - post: - description: > - Swap saved object references from one data view to another. Use this - endpoint to update dashboards, visualizations, and other saved objects - that reference a data view. WARNING: Misuse can break large numbers of - saved objects! Use the - [`_preview`](https://www.elastic.co/docs/api/doc/kibana/operation/operation-previewswapdataviewsdefault) - endpoint to see which saved objects would be affected before making - changes. - operationId: swapDataViewsDefault + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/asset_criticality/list: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/asset_criticality/list
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List asset criticality records, paging, sorting and filtering as needed. + operationId: FindAssetCriticalityRecords parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - requestBody: - content: - application/json: - examples: - swapDataViewRequest: - $ref: '#/components/examples/Data_views_swap_data_view_request' - schema: - $ref: '#/components/schemas/Data_views_swap_data_view_request_object' - required: true + - description: The field to sort by. + in: query + name: sort_field + required: false + schema: + enum: + - id_value + - id_field + - criticality_level + - '@timestamp' + type: string + - description: The order to sort by. + in: query + name: sort_direction + required: false + schema: + enum: + - asc + - desc + type: string + - description: The page number to return. + in: query + name: page + required: false + schema: + minimum: 1 + type: integer + - description: The number of records to return per page. + in: query + name: per_page + required: false + schema: + maximum: 1000 + minimum: 1 + type: integer + - description: The kuery to filter by. 
+ in: query + name: kuery + required: false + schema: + type: string responses: '200': content: application/json: - examples: - swapDataViewResponse: - $ref: '#/components/examples/Data_views_swap_data_view_response' schema: + example: + page: 1 + per_page: 10 + records: + - '@timestamp': '2024-08-02T14:40:35.705Z' + asset: + criticality: medium_impact + criticality_level: medium_impact + host: + asset: + criticality: medium_impact + name: my_other_host + id_field: host.name + id_value: my_other_host + - '@timestamp': '2024-08-02T11:15:34.290Z' + asset: + criticality: high_impact + criticality_level: high_impact + host: + asset: + criticality: high_impact + name: my_host + id_field: host.name + id_value: my_host + total: 2 type: object properties: - deleteStatus: - type: object - properties: - deletePerformed: - type: boolean - remainingRefs: - type: integer - result: + page: + minimum: 1 + type: integer + per_page: + maximum: 1000 + minimum: 1 + type: integer + records: items: - type: object - properties: - id: - description: A saved object identifier. - type: string - type: - description: The saved object type. - type: string + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord' type: array - description: Indicates a successful call. 
- summary: Swap saved object references + total: + minimum: 0 + type: integer + required: + - records + - page + - per_page + - total + description: Successfully retrieved asset criticality records + summary: List asset criticality records tags: - - data views - x-codeSamples: - - lang: curl - source: | - curl \ - -X POST "${KIBANA_URL}/api/data_views/swap_references" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" \ - -H "Content-Type: application/json" \ - -d '{"fromId":"abcd-efg","toId":"xyz-123","delete":true}' - - lang: Console - source: | - POST kbn://api/data_views/swap_references - {"fromId":"abcd-efg","toId":"xyz-123","delete":true} - /api/data_views/swap_references/_preview: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/attack_discovery/_bulk: post: - description: > - Preview the effect of swapping saved object references from one data - view to another. Returns the list of affected saved objects without - making any changes. - operationId: previewSwapDataViewsDefault - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/attack_discovery/_bulk
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Performs bulk updates on multiple Attack discoveries, including workflow status changes and visibility settings. This endpoint allows efficient batch processing of alert modifications without requiring individual API calls for each alert. + operationId: PostAttackDiscoveryBulk requestBody: content: application/json: examples: - previewSwapDataViewRequest: - $ref: >- - #/components/examples/Data_views_preview_swap_data_view_request + PostAttackDiscoveryBulkRequestBodyExample: + summary: Acknowledge two Attack discoveries in bulk. + value: + update: + enable_field_rendering: false + ids: + - c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f + - 5aa8f2900c0b03854b3b1a52a19558c5ea9893865c78235d4ad3dcc46196f4c7 + kibana_alert_workflow_status: acknowledged + with_replacements: true schema: - $ref: '#/components/schemas/Data_views_swap_data_view_request_object' + type: object + properties: + update: + description: Configuration object containing all parameters for the bulk update operation + type: object + properties: + enable_field_rendering: + default: false + description: Enables a markdown syntax used to render pivot fields, for example `{{ user.name james }}`. When disabled, the same example would be rendered as `james`. This is primarily used for Attack Discovery views within Kibana. Defaults to `false`. 
+ example: false + type: boolean + ids: + description: Array of Attack Discovery IDs to update + example: + - c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f + - 5aa8f2900c0b03854b3b1a52a19558c5ea9893865c78235d4ad3dcc46196f4c7 + items: + type: string + type: array + kibana_alert_workflow_status: + description: When provided, update the kibana.alert.workflow_status of the attack discovery alerts + enum: + - open + - acknowledged + - closed + example: acknowledged + type: string + visibility: + description: When provided, update the visibility of the alert, as determined by the kibana.alert.attack_discovery.users field + enum: + - not_shared + - shared + example: shared + type: string + with_replacements: + default: true + description: When true, returns the updated Attack discoveries with text replacements applied to the detailsMarkdown, entitySummaryMarkdown, summaryMarkdown, and title fields. This substitutes anonymized values with human-readable equivalents. Defaults to `true`. + example: true + type: boolean + required: + - ids + required: + - update + description: Bulk update parameters for Attack discoveries required: true responses: '200': content: application/json: examples: - previewSwapDataViewResponse: - $ref: >- - #/components/examples/Data_views_preview_swap_data_view_response + PostAttackDiscoveryBulkResponse200Example: + summary: A successful bulk update response containing the modified Attack discoveries. + value: + data: + - alert_ids: + - alert-abc-1 + alert_workflow_status: acknowledged + connector_id: gen-ai-connector + connector_name: OpenAI GPT-4 + details_markdown: '- **Host** `workstation-01` showed credential access patterns consistent with mimikatz.' + generation_uuid: 550e8400-e29b-41d4-a716-446655440000 + id: c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f + summary_markdown: A user account was compromised using mimikatz to dump credentials. 
+ timestamp: '2024-01-15T10:00:00.000Z' + title: Credential theft via mimikatz schema: type: object properties: - result: + data: + description: Array of updated Attack Discovery alert objects. Each item includes the applied modifications from the bulk update request. items: - type: object - properties: - id: - description: A saved object identifier. - type: string - type: - description: The saved object type. - type: string + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiAlert' type: array + required: + - data description: Indicates a successful call. - summary: Preview swap references - tags: - - data views - x-codeSamples: - - lang: curl - source: | - curl \ - -X POST "${KIBANA_URL}/api/data_views/swap_references/_preview" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" \ - -H "Content-Type: application/json" \ - -d '{"fromId":"abcd-efg","toId":"xyz-123"}' - - lang: Console - source: | - POST kbn://api/data_views/swap_references/_preview - {"fromId":"abcd-efg","toId":"xyz-123"} - /api/detection_engine/index: - delete: - description: > - Permanently deletes the Elastic Security alerts backing index in the - current space, including the alerts - - stored in it. Use with caution; prefer lifecycle policies or the UI when - available. - - Call `GET /api/detection_engine/index` first to confirm the index that - will be removed. - operationId: DeleteAlertsIndex - responses: - '200': + '400': content: application/json: examples: - acknowledged: + PostAttackDiscoveryBulkResponse400Example: + summary: Bad Request error returned when the bulk update payload is invalid. value: - acknowledged: true + error: Bad Request + message: Invalid request parameters. 
+ status_code: 400 schema: type: object properties: - acknowledged: - type: boolean + error: + description: Error type + example: Bad Request + type: string + message: + description: Human-readable error message describing what went wrong with the bulk update request + example: Invalid request parameters. + type: string + status_code: + description: HTTP status code + example: 400 + type: number required: - - acknowledged - description: Successful response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - message: >- - API [DELETE /api/detection_engine/index] is unauthorized - for the current user. The user needs alerts management - permissions for the space. - status_code: 403 - schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Not enough permissions response - '404': - content: - application/json: - examples: - notFound: - value: - message: The Elastic Security alerts index to delete was not found. - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Index does not exist response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Internal server error response - summary: Delete an alerts index + - status_code + - error + - message + description: Bad Request response. 
+ summary: Bulk update Attack discoveries tags: - - Security Detections API - - Alert index API + - Security Attack discovery API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request POST 'http://localhost:5601/api/attack_discovery/_bulk' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" \ + --data-raw '{ + "update": { + "ids": [ + "c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f", + "5aa8f2900c0b03854b3b1a52a19558c5ea9893865c78235d4ad3dcc46196f4c7" + ], + "kibana_alert_workflow_status": "acknowledged" + } + }' + x-metaTags: + - content: Kibana + name: product_name + /api/attack_discovery/_find: get: - description: > - Returns the backing Elasticsearch index for Elastic Security detection - alerts in the current space, and + description: |- + **Spaces method and path for this operation:** - whether its mapping is outdated. Use this to verify that an alert index - is provisioned before creating +
get /s/{space_id}/api/attack_discovery/_find
- or running rules that write alerts to it. - operationId: ReadAlertsIndex + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Find Attack discoveries that match the search criteria. Supports free text search, filtering, pagination, and sorting. + operationId: AttackDiscoveryFind + parameters: + - description: Filter results to Attack discoveries that include any of the provided alert IDs + in: query + name: alert_ids + required: false + schema: + items: + type: string + type: array + - description: Filter results to Attack discoveries created by any of the provided human readable connector names. Note that values must match the human readable `connector_name` property of an Attack discovery, e.g. "GPT-5 Chat", which are distinct from `connector_id` values used to generate Attack discoveries. + in: query + name: connector_names + required: false + schema: + items: + type: string + type: array + - description: Enables a markdown syntax used to render pivot fields, for example `{{ user.name james }}`. When disabled, the same example would be rendered as `james`. This is primarily used for Attack Discovery views within Kibana. Defaults to `false`. + example: false + in: query + name: enable_field_rendering + required: false + schema: + default: false + type: boolean + - description: End of the time range for the search. Accepts absolute timestamps (ISO 8601) or relative date math (e.g. "now", "now-24h"). 
+ example: now + in: query + name: end + required: false + schema: + type: string + - description: Filter results to the Attack discoveries with the specified IDs + in: query + name: ids + required: false + schema: + items: + type: string + type: array + - description: If `true`, the response will include `unique_alert_ids` and `unique_alert_ids_count` aggregated across the matched Attack discoveries + example: false + in: query + name: include_unique_alert_ids + required: false + schema: + type: boolean + - description: Page number to return (used for pagination). Defaults to 1. + example: 1 + in: query + name: page + required: false + schema: + default: 1 + minimum: 1 + type: integer + - description: Number of Attack discoveries to return per page (used for pagination). Defaults to 10. + example: 10 + in: query + name: per_page + required: false + schema: + default: 10 + minimum: 1 + type: integer + - description: Free-text search query applied to relevant text fields of Attack discoveries (title, description, tags, etc.) + example: '' + in: query + name: search + required: false + schema: + type: string + - description: Whether to filter by shared visibility. If omitted, both shared and privately visible Attack discoveries are returned. Use `true` to return only shared discoveries, `false` to return only those visible to the current user. + in: query + name: shared + required: false + schema: + type: boolean + - description: Whether to filter by scheduled or ad-hoc attack discoveries. If omitted, both types of attack discoveries are returned. Use `true` to return only scheduled discoveries or `false` to return only ad-hoc discoveries. + in: query + name: scheduled + required: false + schema: + type: boolean + - description: Field used to sort results. See `AttackDiscoveryFindSortField` for allowed values. 
+ example: '@timestamp' + in: query + name: sort_field + required: false + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryFindSortField' + default: '@timestamp' + - description: Sort order direction `asc` for ascending or `desc` for descending. Defaults to `desc`. + example: desc + in: query + name: sort_order + required: false + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_SortOrder' + default: desc + - description: Start of the time range for the search. Accepts absolute timestamps (ISO 8601) or relative date math (e.g. "now-7d"). + example: now-24h + in: query + name: start + required: false + schema: + type: string + - description: Filter by alert workflow status. Provide one or more of the allowed workflow states. + example: + - open + - acknowledged + in: query + name: status + required: false + schema: + items: + enum: + - acknowledged + - closed + - open + type: string + type: array + - description: When true, return the created Attack discoveries with text replacements applied to the detailsMarkdown, entitySummaryMarkdown, summaryMarkdown, and title fields. Defaults to `true`. + example: true + in: query + name: with_replacements + required: false + schema: + default: true + type: boolean responses: '200': content: application/json: examples: - success: + AttackDiscoveryFindResponse200Example: + summary: Paginated list of Attack discoveries matching the search criteria. 
value: - index_mapping_outdated: false - name: .alerts-security.alerts-default + connector_names: + - GPT-5 Chat + data: + - connector_name: GPT-5 Chat + id: c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f + title: Suspicious process execution on host-01 + page: 1 + per_page: 10 + total: 1 + unique_alert_ids_count: 0 schema: type: object properties: - index_mapping_outdated: - nullable: true - type: boolean - name: - type: string + connector_names: + description: List of human readable connector names that are present in the matched Attack discoveries. Useful for building client filters or summaries. + items: + type: string + type: array + data: + description: Array of matched Attack discovery objects. Each item follows the `AttackDiscoveryApiAlert` schema. + items: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiAlert' + type: array + page: + description: Current page number of the paginated result set. + type: integer + per_page: + description: Number of items requested per page. + type: integer + total: + description: Total number of Attack discoveries matching the query (across all pages). + type: integer + unique_alert_ids: + description: List of unique alert IDs aggregated from the matched Attack discoveries. Only present if `include_unique_alert_ids=true` in the request. + items: + type: string + type: array + unique_alert_ids_count: + description: Number of unique alert IDs across all matched Attack discoveries. Only present if `include_unique_alert_ids=true` in the request. 
+ type: integer required: - - name - - index_mapping_outdated - description: Successful response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': + - connector_names + - data + - page + - per_page + - total + - unique_alert_ids_count + description: Indicates a successful call. + '400': content: application/json: examples: - forbidden: + AttackDiscoveryFindResponse400Example: + summary: Bad Request error returned when find query parameters are invalid. value: - message: >- - API [GET /api/detection_engine/index] is unauthorized for - the current user. Check Security and Kibana feature - privileges (detection engine / alerts) for the space. - status_code: 403 - schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Not enough permissions response - '404': - content: - application/json: - examples: - notFound: - value: - message: >- - Elastic Security alert index is not found for the current - space. - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Not found - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Internal server error response - summary: Reads the alert index name if it exists - tags: - - Security Detections API - - Alert index API - post: - description: | - Creates an index for Elastic Security alerts. 
Calling this API is not - required for the detection engine to function properly. You can create - rules and alerts without calling this API. - operationId: CreateAlertsIndex - responses: - '200': - content: - application/json: - examples: - acknowledged: - value: - acknowledged: true + error: Bad Request + message: Invalid request payload. + status_code: 400 schema: type: object properties: - acknowledged: - type: boolean - required: - - acknowledged - description: Successful response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - message: >- - API [POST /api/detection_engine/index] is unauthorized for - the current user. The user must be able to create indices - for the Elastic Security solution. - status_code: 403 - schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Not enough permissions response - '404': - content: - application/json: - examples: - notFound: - value: - message: >- - A prerequisite resource required to create the alerts - index was not found. 
- status_code: 404 - schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Not found - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Internal server error response - summary: Create an alerts index + error: + description: Error type + example: Bad Request + type: string + message: + description: Human-readable error message + example: Invalid request payload. + type: string + status_code: + description: HTTP status code + example: 400 + type: number + description: Bad Request response. + summary: Find Attack discoveries that match the search criteria tags: - - Security Detections API - - Alert index API - /api/detection_engine/privileges: - get: - description: > - Retrieves whether or not the user is authenticated, and the user's - Kibana + - Security Attack discovery API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request GET 'http://localhost:5601/api/attack_discovery/_find?end=now&include_unique_alert_ids=false&page=1&per_page=10&search=&sort_field=%40timestamp&sort_order=desc&start=now-24h&status=open&status=acknowledged' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" + x-metaTags: + - content: Kibana + name: product_name + /api/attack_discovery/_generate: + post: + description: |- + **Spaces method and path for this operation:** - space and index privileges, which determine if the user can create an +
post /s/{space_id}/api/attack_discovery/_generate
- index for the Elastic Security alerts generated by + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - detection engine rules. - operationId: ReadPrivileges + Initiates the generation of attack discoveries by analyzing security alerts using AI. Returns an execution UUID that can be used to track the generation progress and retrieve results. Results may also be retrieved via the find endpoint. + operationId: PostAttackDiscoveryGenerate + requestBody: + content: + application/json: + examples: + PostAttackDiscoveryGenerateRequestBodyExample: + summary: Generate Attack discoveries from alerts in the last 24 hours. + value: + alertsIndexPattern: .alerts-security.alerts-default + anonymizationFields: + - allowed: true + anonymized: true + field: host.name + - allowed: true + anonymized: true + field: user.name + - allowed: true + anonymized: false + field: process.name + apiConfig: + actionTypeId: .gen-ai + connectorId: 12345678-1234-1234-1234-123456789012 + connectorName: GPT-5 Chat + end: now + replacements: {} + size: 100 + start: now-24h + subAction: invokeAI + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenerationConfig' + required: true responses: '200': content: application/json: examples: - success: + PostAttackDiscoveryGenerateResponse200Example: + summary: Generation started; use the returned execution UUID to track progress. 
value: - application: {} - cluster: - all: true - manage: true - manage_api_key: true - manage_index_templates: true - manage_ml: true - manage_own_api_key: true - manage_pipeline: true - manage_security: true - manage_transform: true - monitor: true - monitor_ml: true - monitor_transform: true - has_all_requested: true - has_encryption_key: true - index: - .alerts-security.alerts-default: - all: true - create: true - create_doc: true - create_index: true - delete: true - delete_index: true - index: true - maintenance: true - manage: true - monitor: true - read: true - view_index_metadata: true - write: true - is_authenticated: true - username: elastic + execution_uuid: edd26039-0990-4d9f-9829-2a1fcacb77b5 schema: type: object properties: - has_encryption_key: - type: boolean - is_authenticated: - type: boolean + execution_uuid: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + description: The unique identifier for the attack discovery generation process. Use this UUID to track the generation progress and retrieve results via the find endpoint. 
+ example: edd26039-0990-4d9f-9829-2a1fcacb77b5 required: - - is_authenticated - - has_encryption_key - description: Successful response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - description: Unsuccessful authentication response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Internal server error response - summary: Returns user privileges for the Kibana space - tags: - - Security Detections API - - Privileges API - /api/detection_engine/rules: - delete: - description: > - Delete a detection rule using the `rule_id` or `id` field. - - - The URL query must include one of the following: - - - * `id` - `DELETE /api/detection_engine/rules?id=` - - * `rule_id`- `DELETE /api/detection_engine/rules?rule_id=` - - - The difference between the `id` and `rule_id` is that the `id` is a - unique rule identifier that is randomly generated when a rule is created - and cannot be set, whereas `rule_id` is a stable rule identifier that - can be assigned during rule creation. - operationId: DeleteRule - parameters: - - description: The rule's `id` value. - in: query - name: id - required: false - schema: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' - - description: The rule's `rule_id` value. 
- in: query - name: rule_id - required: false - schema: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - responses: - '200': - content: - application/json: - examples: - deletedRule: - summary: Response shape after a rule is deleted - value: - actions: [] - created_at: '2020-02-03T11:19:04.259Z' - created_by: elastic - description: Process started by MS Office program in user folder - enabled: false - false_positives: [] - from: now-4200s - id: c41d170b-8ba6-4de6-b8ec-76440a35ace3 - immutable: false - interval: 1h - language: kuery - max_signals: 100 - name: MS Office child process - query: event.action:Process* - references: [] - risk_score: 50 - rule_id: process_started_by_ms_office_user_folder - severity: low - tags: - - tag - throttle: null - to: now - type: query - updated_at: '2020-02-03T11:19:04.462Z' - updated_by: elastic - version: 3 - schema: - $ref: '#/components/schemas/Security_Detections_API_RuleResponse' + - execution_uuid description: Indicates a successful call. - summary: Delete a detection rule - tags: - - Security Detections API - - Rules API - x-codeSamples: - - lang: cURL - source: | - curl \ - --request DELETE https://localhost:5601/api/detection_engine/rules?rule_id=bfeaf89b-a2a7-48a3-817f-e41829dc61ee \ - --header "Content-Type: application/json; Elastic-Api-Version=2023-10-31" - get: - description: > - Retrieve a detection rule using the `rule_id` or `id` field. - - - The URL query must include one of the following: - - - * `id` - `GET /api/detection_engine/rules?id=` - - * `rule_id` - `GET /api/detection_engine/rules?rule_id=` - - - The difference between the `id` and `rule_id` is that the `id` is a - unique rule identifier that is randomly generated when a rule is created - and cannot be set, whereas `rule_id` is a stable rule identifier that - can be assigned during rule creation. - operationId: ReadRule - parameters: - - description: The rule's `id` value. 
- in: query - name: id - required: false - schema: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' - - description: The rule's `rule_id` value. - in: query - name: rule_id - required: false - schema: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - responses: - '200': + '400': content: application/json: examples: - example1: - summary: Example response for a retrieved rule + PostAttackDiscoveryGenerateResponse400Example: + summary: Bad Request error returned when the generate payload is invalid. value: - created_at: '2020-02-03T11:19:04.259Z' - created_by: elastic - description: Process started by MS Office program in user folder - enabled: false - execution_summary: - last_execution: - date: '2022-03-23T16:06:12.787Z' - message: >- - This rule attempted to query data from Elasticsearch - indices listed in the "Index pattern" section of the - rule definition, but no matching index was found. - metrics: - execution_gap_duration_s: 0 - total_indexing_duration_ms: 15 - total_search_duration_ms: 135 - status: partial failure - status_order: 20 - false_positives: [] - filters: - - query: - match: - event.action: - query: 'Process Create (rule: ProcessCreate)' - type: phrase - from: now-4200s - id: c41d170b-8ba6-4de6-b8ec-76440a35ace3 - immutable: false - interval: 1h - language: kuery - max_signals: 100 - name: MS Office child process - query: >- - process.parent.name:EXCEL.EXE or - process.parent.name:MSPUB.EXE or - process.parent.name:OUTLOOK.EXE or - process.parent.name:POWERPNT.EXE or - process.parent.name:VISIO.EXE or - process.parent.name:WINWORD.EXE - references: [] - related_integrations: - - package: o365 - version: ^2.3.2 - required_fields: - - ecs: true - name: process.name - type: keyword - - ecs: true - name: process.parent.name - type: keyword - risk_score: 21 - rule_id: process_started_by_ms_office_user_folder - setup: '' - severity: low - tags: - - child process - - ms office - threat: - - framework: MITRE 
ATT&CK - tactic: - id: TA0001 - name: Initial Access - reference: https://attack.mitre.org/tactics/TA0001 - technique: - - id: T1193 - name: Spearphishing Attachment - reference: https://attack.mitre.org/techniques/T1193 - to: now-300s - type: query - updated_at: '2020-02-03T11:19:04.462Z' - updated_by: elastic - version: 1 + error: Bad Request + message: Invalid request parameters. + status_code: 400 schema: - $ref: '#/components/schemas/Security_Detections_API_RuleResponse' - description: > - Indicates a successful call. - - > info - - > These fields are under development and their usage or schema may - change: execution_summary. - summary: Retrieve a detection rule + type: object + properties: + error: + description: Error type + example: Bad Request + type: string + message: + description: Human-readable error message describing what went wrong + example: Invalid request parameters. + type: string + status_code: + description: HTTP status code + example: 400 + type: number + required: + - status_code + - error + - message + description: Bad Request response. + summary: Generate attack discoveries from alerts tags: - - Security Detections API - - Rules API + - Security Attack discovery API x-codeSamples: - - lang: cURL + - label: Example request + lang: curl source: | curl \ - --request GET https://localhost:5601/api/detection_engine/rules?rule_id=bfeaf89b-a2a7-48a3-817f-e41829dc61ee \ - --header "Content-Type: application/json; Elastic-Api-Version=2023-10-31" - patch: - description: > - Update specific fields of an existing detection rule using the `rule_id` - or `id` field. - - - The difference between the `id` and `rule_id` is that the `id` is a - unique rule identifier that is randomly generated when a rule is created - and cannot be set, whereas `rule_id` is a stable rule identifier that - can be assigned during rule creation. 
- - > warn - - > When used with [API - key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, - the user's key gets assigned to the affected rules. If the user's key - gets deleted or the user becomes inactive, the rules will stop running. - - - > If the API key that is used for authorization has different privileges - than the key that created or most recently updated the rule, the rule - behavior might change. - operationId: PatchRule - requestBody: - content: - application/json: - examples: - example1: - summary: Patch query rule - value: - id: 14b7b513-3d8d-4b22-b7da-a7ae632f7e76 - name: New name - example2: - summary: Patch EQL rule - value: - rule_id: process_started_by_ms_office_program_possible_payload - threat: - - framework: MITRE ATT&CK - tactic: - id: TA0001 - name: Initial Access - reference: https://attack.mitre.org/tactics/TA0001 - technique: - - id: T1193 - name: Spearphishing Attachment - reference: https://attack.mitre.org/techniques/T1193 - example3: - summary: Patch threshold rule - value: - id: 005d2c4f-51ca-493d-a2bd-20ef076339b1 - query: >- - agent.version : * and agent.id : - "243d9b4f-ca01-4311-8e5c-9abbee91afd8" - threshold: - cardinality: [] - field: [] - value: 600 - example4: - summary: Patch new terms rule - value: - history_window_start: now-3d - id: 569aac91-40dc-4807-a8ae-a2c8698089c4 - new_terms_fields: - - Endpoint.policy.applied.artifacts.global.identifiers.name - example5: - summary: Patch esql rule - value: - id: 0b15e8a2-49b6-47e0-a8e6-d63a6cc335bd - query: > - FROM logs-abc* - - | STATS count = COUNT(*), min_timestamp = MIN(@timestamp) - - | EVAL event_rate = count / DATE_DIFF("seconds", - min_timestamp, NOW()) - - | KEEP event_rate - example6: - summary: Patch indicator match rule - value: - id: 462f1986-10fe-40a3-a22c-2b1c9c4c48fd - threat_query: >- - @timestamp >= "now-30d/d" and event.module:(threatintel or - ti_*) and threat.indicator.ip:* and not - labels.is_ioc_transform_source:"false" - example7: - 
summary: Patch machine learning rule - value: - anomaly_threshold: 50 - id: 60b13926-289b-41b1-a537-197ef1fa5059 - machine_learning_job_id: - - auth_high_count_logon_events_ea - schema: - $ref: '#/components/schemas/Security_Detections_API_RulePatchProps' - description: | - > info - > You cannot modify the `id` or `rule_id` values. - required: true - responses: - '200': - content: - application/json: - examples: - example1: - summary: Example response for an updated rule - value: - actions: [] - created_at: '2020-04-07T14:51:09.755Z' - created_by: elastic - description: Updated description for the rule. - enabled: false - false_positives: [] - filters: - - query: null - from: now-70m - id: 6541b99a-dee9-4f6d-a86d-dbd1869d73b1 - immutable: false - interval: 1h + --request POST 'http://localhost:5601/api/attack_discovery/_generate' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" \ + --data '{ + "alertsIndexPattern": ".alerts-security.alerts-default", + "anonymizationFields": [ + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "@timestamp", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "aKiJW5gB4U27o8XO8oLf" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "Ransomware.feature", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "saiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "Ransomware.files.data", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "sqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "Ransomware.files.entropy", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "s6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": 
"2025-07-30T13:33:44.029Z", + "field": "Ransomware.files.extension", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "tKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "Ransomware.files.metrics", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "taiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "Ransomware.files.operation", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "tqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "Ransomware.files.path", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "t6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "Ransomware.files.score", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "uKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "Ransomware.version", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "uaiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "_id", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "Z6iJW5gB4U27o8XO8oLf" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "agent.id", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "aaiJW5gB4U27o8XO8oLf" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "cloud.availability_zone", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "aqiJW5gB4U27o8XO8oLf" + }, + { + 
"timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "cloud.provider", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "a6iJW5gB4U27o8XO8oLf" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "cloud.region", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "bKiJW5gB4U27o8XO8oLf" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "destination.ip", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "baiJW5gB4U27o8XO8oLf" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "dns.question.name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "bqiJW5gB4U27o8XO8oLf" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "dns.question.type", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "b6iJW5gB4U27o8XO8oLf" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "event.category", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "cKiJW5gB4U27o8XO8oLf" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "event.dataset", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "caiJW5gB4U27o8XO8oLf" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "event.module", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "cqiJW5gB4U27o8XO8oLf" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "event.outcome", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "c6iJW5gB4U27o8XO8oLf" + 
}, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "file.Ext.original.path", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "dKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "file.hash.sha256", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "daiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "file.name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "dqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "file.path", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "d6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "group.id", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "eKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "group.name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "eaiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "host.asset.criticality", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "eqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "host.name", + "allowed": true, + "anonymized": true, + "namespace": "default", + "id": "e6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "host.os.name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "fKiJW5gB4U27o8XO8oLg" + }, 
+ { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "host.os.version", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "faiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "host.risk.calculated_level", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "fqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "host.risk.calculated_score_norm", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "f6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.original_time", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "gKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.risk_score", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "gaiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.rule.description", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "gqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.rule.name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "g6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.rule.references", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "hKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": 
"kibana.alert.rule.threat.framework", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "haiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.rule.threat.tactic.id", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "hqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.rule.threat.tactic.name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "h6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.rule.threat.tactic.reference", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "iKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.rule.threat.technique.id", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "iaiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.rule.threat.technique.name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "iqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.rule.threat.technique.reference", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "i6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.rule.threat.technique.subtechnique.id", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "jKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": 
"kibana.alert.rule.threat.technique.subtechnique.name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "jaiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.rule.threat.technique.subtechnique.reference", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "jqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.severity", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "j6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.workflow_status", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "kKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "message", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "kaiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "network.protocol", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "kqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.Ext.memory_region.bytes_compressed_present", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "nKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.Ext.memory_region.malware_signature.all_names", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "naiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": 
"process.Ext.memory_region.malware_signature.primary.matches", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "nqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.Ext.memory_region.malware_signature.primary.signature.name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "n6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.Ext.token.integrity_level_name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "oKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.args", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "k6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.code_signature.exists", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "lKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.code_signature.signing_id", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "laiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.code_signature.status", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "lqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.code_signature.subject_name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "l6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": 
"process.code_signature.trusted", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "mKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.command_line", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "maiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.executable", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "mqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.exit_code", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "m6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.hash.md5", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "oaiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.hash.sha1", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "oqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.hash.sha256", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "o6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "pKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.parent.args", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "paiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + 
"createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.parent.args_count", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "pqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.parent.code_signature.exists", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "p6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.parent.code_signature.status", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "qKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.parent.code_signature.subject_name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "qaiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.parent.code_signature.trusted", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "qqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.parent.command_line", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "q6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.parent.executable", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "rKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.parent.name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "raiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": 
"process.pe.original_file_name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "rqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.pid", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "r6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.working_directory", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "sKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "rule.name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "uqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "rule.reference", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "u6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "source.ip", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "vKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "threat.framework", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "vaiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "threat.tactic.id", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "vqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "threat.tactic.name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "v6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": 
"2025-07-30T13:33:44.029Z", + "field": "threat.tactic.reference", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "wKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "threat.technique.id", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "waiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "threat.technique.name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "wqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "threat.technique.reference", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "w6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "threat.technique.subtechnique.id", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "xKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "threat.technique.subtechnique.name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "xaiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "threat.technique.subtechnique.reference", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "xqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "user.asset.criticality", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "x6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "user.domain", + "allowed": true, + "anonymized": false, + "namespace": 
"default", + "id": "yKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "user.name", + "allowed": true, + "anonymized": true, + "namespace": "default", + "id": "yaiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "user.risk.calculated_level", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "yqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "user.risk.calculated_score_norm", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "y6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "user.target.name", + "allowed": true, + "anonymized": true, + "namespace": "default", + "id": "zKiJW5gB4U27o8XO8oLg" + } + ], + "replacements": {}, + "size": 100, + "subAction": "invokeAI", + "apiConfig": { + "connectorId": "12345678-1234-1234-1234-123456789012", + "actionTypeId": ".gen-ai" + }, + "connectorName": "GPT-5 Chat", + "end": "now", + "start": "now-24h" + }' + x-metaTags: + - content: Kibana + name: product_name + /api/attack_discovery/generations: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/attack_discovery/generations
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the latest Attack Discovery generations metadata (that are not dismissed) for the current user. This endpoint retrieves generation metadata including execution status and statistics for Attack Discovery generations. + operationId: GetAttackDiscoveryGenerations + parameters: + - description: End of the time range for filtering generations. Accepts absolute timestamps (ISO 8601) or relative date math (e.g. "now", "now-24h"). + example: now + in: query + name: end + required: false + schema: + type: string + - description: The maximum number of generations to retrieve + example: 50 + in: query + name: size + required: false + schema: + default: 50 + minimum: 1 + type: number + - description: Start of the time range for filtering generations. Accepts absolute timestamps (ISO 8601) or relative date math (e.g. "now-7d"). + example: now-24h + in: query + name: start + required: false + schema: + type: string + responses: + '200': + content: + application/json: + examples: + GetAttackDiscoveryGenerationsResponse200Example: + summary: Latest Attack Discovery generation metadata for the current user. + value: + generations: + - alerts_context_count: 75 + connector_id: chatGpt5_0ChatAzure + discoveries: 3 + end: '2025-09-29T06:42:44.810Z' + execution_uuid: 46b218d5-535d-4329-be56-d0f6af6986b7 + loading_message: AI is analyzing up to 100 alerts in the last 24 hours to generate discoveries. + start: '2025-09-29T06:42:08.962Z' + status: succeeded + schema: + type: object + properties: + generations: + description: List of Attack Discovery generations + items: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGeneration' + type: array + required: + - generations + description: Indicates a successful call. 
+ '400': + content: + application/json: + examples: + GetAttackDiscoveryGenerationsResponse400Example: + summary: Bad Request error returned when the size parameter is invalid. + value: + error: Bad Request + message: Invalid size parameter. Must be a positive number. + status_code: 400 + schema: + type: object + properties: + error: + description: Error type + example: Bad Request + type: string + message: + description: Human-readable error message + example: Invalid size parameter. Must be a positive number. + type: string + status_code: + description: HTTP status code + example: 400 + type: number + description: Bad Request response. + summary: Get the latest Attack Discovery generations metadata for the current user + tags: + - Security Attack discovery API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request GET 'http://localhost:5601/api/attack_discovery/generations?size=50&start=now-24h&end=now' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" + x-metaTags: + - content: Kibana + name: product_name + /api/attack_discovery/generations/{execution_uuid}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/attack_discovery/generations/{execution_uuid}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Returns a specific Attack Discovery generation, including all generated Attack discoveries and associated metadata, including execution status and statistics. + operationId: GetAttackDiscoveryGeneration + parameters: + - description: The unique identifier for the Attack Discovery generation execution. This UUID is returned at the start of an Attack Discovery generation. + example: 2e13f386-46cf-4d65-9e2b-68609e132ba5 + in: path + name: execution_uuid + required: true + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + - description: Enables a markdown syntax used to render pivot fields, for example `{{ user.name james }}`. When disabled, the same example would be rendered as `james`. This is primarily used for Attack Discovery views within Kibana. Defaults to `false`. + example: false + in: query + name: enable_field_rendering + required: false + schema: + default: false + type: boolean + - description: When true, return the created Attack discoveries with text replacements applied to the detailsMarkdown, entitySummaryMarkdown, summaryMarkdown, and title fields. Defaults to `true`. + example: true + in: query + name: with_replacements + required: false + schema: + default: true + type: boolean + responses: + '200': + content: + application/json: + examples: + GetAttackDiscoveryGenerationResponse200Example: + summary: Single Attack Discovery generation with its discoveries and metadata. 
+ value: + data: + - id: c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f + title: Suspicious process execution on host-01 + generation: + alerts_context_count: 50 + discoveries: 1 + end: '2025-09-29T06:42:44.810Z' + execution_uuid: 2e13f386-46cf-4d65-9e2b-68609e132ba5 + start: '2025-09-29T06:42:08.962Z' + status: succeeded + schema: + type: object + properties: + data: + description: Array of Attack discoveries generated during this execution. + items: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiAlert' + type: array + generation: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGeneration' + description: Optional metadata about the attack discovery generation process, metadata including execution status and statistics. This metadata may not be available for all generations. + required: + - data + description: Indicates a successful call. + '400': + content: + application/json: + examples: + GetAttackDiscoveryGenerationResponse400Example: + summary: Bad Request error returned when the get-generation request is invalid. + value: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + type: object + properties: + error: + description: Error type + example: Bad Request + type: string + message: + description: Human-readable error message describing what went wrong with the request + example: Invalid request parameters. + type: string + status_code: + description: HTTP status code + example: 400 + type: number + required: + - status_code + - error + - message + description: Bad Request response. 
+ summary: Get a single Attack Discovery generation, including its discoveries and (optional) generation metadata + tags: + - Security Attack discovery API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request GET 'http://localhost:5601/api/attack_discovery/generations/2e13f386-46cf-4d65-9e2b-68609e132ba5' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" + x-metaTags: + - content: Kibana + name: product_name + /api/attack_discovery/generations/{execution_uuid}/_dismiss: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/attack_discovery/generations/{execution_uuid}/_dismiss
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Dismisses an Attack Discovery generation for the current user, indicating that its status should not be reported in the UI. This sets the generation's status to "dismissed" and affects how the generation appears in subsequent queries. + operationId: PostAttackDiscoveryGenerationsDismiss + parameters: + - description: The unique identifier for the Attack Discovery generation execution. This UUID is returned when an Attack Discovery generation is created and can be found in generation responses. + example: 46b218d5-535d-4329-be56-d0f6af6986b7 + in: path + name: execution_uuid + required: true + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + responses: + '200': + content: + application/json: + examples: + PostAttackDiscoveryGenerationsDismissResponse200Example: + summary: Successfully dismissed an Attack Discovery generation. + value: + alerts_context_count: 75 + connector_id: chatGpt5_0ChatAzure + discoveries: 3 + end: '2025-09-29T06:42:44.810Z' + execution_uuid: 46b218d5-535d-4329-be56-d0f6af6986b7 + loading_message: AI is analyzing up to 100 alerts in the last 24 hours to generate discoveries. + start: '2025-09-29T06:42:08.962Z' + status: dismissed + schema: + type: object + properties: + alerts_context_count: + description: The number of alerts that were sent as context to the LLM for this generation. + example: 75 + type: number + connector_id: + description: The unique identifier of the connector used to generate the attack discoveries. + example: chatGpt5_0ChatAzure + type: string + connector_stats: + description: Statistical information about the connector's performance for this user, providing insights into usage patterns and success rates. 
+ type: object + properties: + average_successful_duration_nanoseconds: + description: The average duration in nanoseconds for successful generations using this connector by the current user. + example: 47958500000 + type: number + successful_generations: + description: The total number of Attack discoveries successfully created for this generation + example: 2 + type: number + discoveries: + description: The number of attack discoveries that were generated during this execution. + example: 3 + type: number + end: + description: The timestamp when the generation process completed, in ISO 8601 format. This field may be absent for generations that haven't finished. + example: '2025-09-29T06:42:44.810Z' + type: string + execution_uuid: + description: The unique identifier for this attack discovery generation execution. This UUID can be used to reference this specific generation in other API calls. + example: 46b218d5-535d-4329-be56-d0f6af6986b7 + type: string + loading_message: + description: A human-readable message describing the current state or progress of the generation process. Provides context about what the AI is analyzing. + example: AI is analyzing up to 100 alerts in the last 24 hours to generate discoveries. + type: string + reason: + description: Additional context or reasoning provided when a generation fails or encounters issues. This field helps diagnose problems with the generation process. + example: Connection timeout to AI service + type: string + start: + description: The timestamp when the generation process began, in ISO 8601 format. This marks the beginning of the AI analysis. + example: '2025-09-29T06:42:08.962Z' + type: string + status: + description: The current status of the attack discovery generation. After dismissing, this will be set to "dismissed". 
+ enum: + - canceled + - dismissed + - failed + - started + - succeeded + example: dismissed + type: string + required: + - connector_id + - discoveries + - execution_uuid + - loading_message + - start + - status + description: Indicates a successful call. + '400': + content: + application/json: + examples: + PostAttackDiscoveryGenerationsDismissResponse400Example: + summary: Bad Request error returned when the dismiss request is invalid. + value: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + type: object + properties: + error: + description: Error type or category + example: Bad Request + type: string + message: + description: Human-readable error message describing what went wrong with the request. + example: Invalid request parameters. + type: string + status_code: + description: HTTP status code indicating the type of client error + example: 400 + type: number + required: + - status_code + - error + - message + description: Bad Request response. + summary: Dismiss an Attack Discovery generation + tags: + - Security Attack discovery API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request POST 'http://localhost:5601/api/attack_discovery/generations/46b218d5-535d-4329-be56-d0f6af6986b7/_dismiss' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" + x-metaTags: + - content: Kibana + name: product_name + /api/attack_discovery/schedules: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/attack_discovery/schedules
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Creates a new Attack Discovery schedule that analyzes security alerts at specified intervals. The schedule defines when and how Attack Discovery analysis should run, including which alerts to analyze, which AI connector to use, and what actions to take when discoveries are found. + operationId: CreateAttackDiscoverySchedules + requestBody: + content: + application/json: + examples: + CreateAttackDiscoverySchedulesRequestBodyExample: + summary: Create a daily Attack Discovery schedule that runs every 24 hours. + value: + actions: [] + enabled: true + name: Daily Security Analysis + params: + alerts_index_pattern: .alerts-security.alerts-default + api_config: + actionTypeId: bedrock + connectorId: my-bedrock-connector + name: Claude 3.5 Sonnet + end: now + size: 100 + start: now-24h + schedule: + interval: 24h + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleCreateProps' + description: Attack Discovery schedule configuration including name, parameters, schedule interval, and actions + required: true + responses: + '200': + content: + application/json: + examples: + CreateAttackDiscoverySchedulesResponse200Example: + summary: A newly created Attack Discovery schedule. + value: + actions: [] + created_at: '2023-10-31T10:00:00.000Z' + created_by: elastic + enabled: true + id: 12345678-1234-1234-1234-123456789012 + name: Daily Security Analysis + params: + alerts_index_pattern: .alerts-security.alerts-default + api_config: + actionTypeId: bedrock + connectorId: my-bedrock-connector + name: Claude 3.5 Sonnet + end: now + size: 100 + start: now-24h + schedule: + interval: 24h + updated_at: '2023-10-31T10:00:00.000Z' + updated_by: elastic + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule' + description: The Attack Discovery schedule was successfully created. 
+ '400': + content: + application/json: + examples: + CreateAttackDiscoverySchedulesResponse400Example: + summary: Bad Request error returned when the create schedule payload is invalid. + value: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError' + description: Bad Request response. + summary: Create Attack Discovery schedule + tags: + - Security Attack discovery API + x-codeSamples: + - label: Create an Attack Discovery schedule + lang: curl + source: | + curl \ + --request POST 'http://localhost:5601/api/attack_discovery/schedules' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" \ + --data '{ + "name": "Daily Security Analysis", + "enabled": true, + "params": { + "alerts_index_pattern": ".alerts-security.alerts-default", + "api_config": { + "actionTypeId": "bedrock", + "connectorId": "my-bedrock-connector", + "name": "Claude 3.5 Sonnet" + }, + "size": 100, + "start": "now-24h", + "end": "now" + }, + "schedule": { + "interval": "24h" + }, + "actions": [ + { + "action_type_id": ".cases", + "id": "system-connector-.cases", + "params": { + "subAction": "run", + "subActionParams": { + "timeWindow": "7d", + "reopenClosedCases": false, + "groupingBy": [], + "templateId": null + } + }, + "uuid": "12345678-1234-1234-1234-123456789012" + } + ] + }' + x-metaTags: + - content: Kibana + name: product_name + /api/attack_discovery/schedules/_bulk_delete: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/attack_discovery/schedules/_bulk_delete
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Deletes multiple Attack Discovery schedules by ID. + operationId: BulkDeleteAttackDiscoverySchedules + requestBody: + content: + application/json: + examples: + BulkDeleteAttackDiscoverySchedulesRequestBodyExample: + summary: Delete two Attack Discovery schedules. + value: + ids: + - 12345678-1234-1234-1234-123456789012 + - 98765432-1234-1234-1234-123456789012 + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_BulkActionAttackDiscoverySchedulesRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + BulkDeleteAttackDiscoverySchedulesResponse200Example: + summary: Bulk delete response for two successfully deleted schedules. + value: + errors: [] + ids: + - 12345678-1234-1234-1234-123456789012 + - 98765432-1234-1234-1234-123456789012 + total: 2 + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_BulkActionAttackDiscoverySchedulesResponse' + description: Successfully processed the bulk delete request. + '400': + content: + application/json: + examples: + BulkDeleteAttackDiscoverySchedulesResponse400Example: + summary: Bad Request error returned when the bulk delete payload is invalid. + value: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError' + description: Bad Request response. + summary: Bulk delete Attack Discovery schedules + tags: + - Security Attack discovery API + x-metaTags: + - content: Kibana + name: product_name + /api/attack_discovery/schedules/_bulk_disable: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/attack_discovery/schedules/_bulk_disable
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Disables multiple Attack Discovery schedules by ID. + operationId: BulkDisableAttackDiscoverySchedules + requestBody: + content: + application/json: + examples: + BulkDisableAttackDiscoverySchedulesRequestBodyExample: + summary: Disable two Attack Discovery schedules. + value: + ids: + - 12345678-1234-1234-1234-123456789012 + - 98765432-1234-1234-1234-123456789012 + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_BulkActionAttackDiscoverySchedulesRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + BulkDisableAttackDiscoverySchedulesResponse200Example: + summary: Bulk disable response for two successfully disabled schedules. + value: + errors: [] + ids: + - 12345678-1234-1234-1234-123456789012 + - 98765432-1234-1234-1234-123456789012 + total: 2 + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_BulkActionAttackDiscoverySchedulesResponse' + description: Successfully processed the bulk disable request. + '400': + content: + application/json: + examples: + BulkDisableAttackDiscoverySchedulesResponse400Example: + summary: Bad Request error returned when the bulk disable payload is invalid. + value: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError' + description: Bad Request response. + summary: Bulk disable Attack Discovery schedules + tags: + - Security Attack discovery API + x-metaTags: + - content: Kibana + name: product_name + /api/attack_discovery/schedules/_bulk_enable: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/attack_discovery/schedules/_bulk_enable
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Enables multiple Attack Discovery schedules by ID. + operationId: BulkEnableAttackDiscoverySchedules + requestBody: + content: + application/json: + examples: + BulkEnableAttackDiscoverySchedulesRequestBodyExample: + summary: Enable two Attack Discovery schedules. + value: + ids: + - 12345678-1234-1234-1234-123456789012 + - 98765432-1234-1234-1234-123456789012 + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_BulkActionAttackDiscoverySchedulesRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + BulkEnableAttackDiscoverySchedulesResponse200Example: + summary: Bulk enable response for two successfully enabled schedules. + value: + errors: [] + ids: + - 12345678-1234-1234-1234-123456789012 + - 98765432-1234-1234-1234-123456789012 + total: 2 + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_BulkActionAttackDiscoverySchedulesResponse' + description: Successfully processed the bulk enable request. + '400': + content: + application/json: + examples: + BulkEnableAttackDiscoverySchedulesResponse400Example: + summary: Bad Request error returned when the bulk enable payload is invalid. + value: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError' + description: Bad Request response. + summary: Bulk enable Attack Discovery schedules + tags: + - Security Attack discovery API + x-metaTags: + - content: Kibana + name: product_name + /api/attack_discovery/schedules/_find: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/attack_discovery/schedules/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Find Attack Discovery schedules that match the search criteria. Supports pagination and sorting by various fields. + operationId: FindAttackDiscoverySchedules + parameters: + - description: Page number to return (used for pagination). Defaults to 1. + example: 1 + in: query + name: page + required: false + schema: + type: number + - description: Number of Attack Discovery schedules to return per page (used for pagination). Defaults to 10. + example: 10 + in: query + name: per_page + required: false + schema: + type: number + - description: Field used to sort results. Common fields include 'name', 'created_at', 'updated_at', and 'enabled'. + example: name + in: query + name: sort_field + required: false + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + - description: Sort order direction. Use 'asc' for ascending or 'desc' for descending. Defaults to 'asc'. + example: asc + in: query + name: sort_direction + required: false + schema: + enum: + - asc + - desc + type: string + responses: + '200': + content: + application/json: + examples: + FindAttackDiscoverySchedulesResponse200Example: + summary: Paginated list of Attack Discovery schedules matching the search criteria. + value: + data: + - actions: [] + created_at: '2023-10-31T10:00:00.000Z' + created_by: elastic + enabled: true + id: 12345678-1234-1234-1234-123456789012 + name: Daily Security Analysis + params: + alerts_index_pattern: .alerts-security.alerts-default + api_config: + actionTypeId: bedrock + connectorId: my-bedrock-connector + name: Claude 3.5 Sonnet + end: now + size: 100 + start: now-24h + schedule: + interval: 24h + updated_at: '2023-10-31T10:00:00.000Z' + updated_by: elastic + page: 1 + per_page: 10 + total: 1 + schema: + type: object + properties: + data: + description: Array of matched Attack Discovery schedule objects. 
+ items: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule' + type: array + page: + description: Current page number of the paginated result set. + type: number + per_page: + description: Number of items requested per page. + type: number + total: + description: Total number of Attack Discovery schedules matching the query (across all pages). + type: number + required: + - page + - per_page + - total + - data + description: Indicates a successful call. + '400': + content: + application/json: + examples: + FindAttackDiscoverySchedulesResponse400Example: + summary: Bad Request error returned when find-schedules query parameters are invalid. + value: + error: Bad Request + message: Invalid request payload. + status_code: 400 + schema: + type: object + properties: + error: + description: Error type + example: Bad Request + type: string + message: + description: Human-readable error message + example: Invalid request payload. + type: string + status_code: + description: HTTP status code + example: 400 + type: number + description: Bad Request response. + summary: Find Attack Discovery schedules that match the search criteria + tags: + - Security Attack discovery API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request GET 'http://localhost:5601/api/attack_discovery/schedules/_find' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" + x-metaTags: + - content: Kibana + name: product_name + /api/attack_discovery/schedules/{id}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/attack_discovery/schedules/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Permanently deletes an Attack Discovery schedule and all associated configuration. + operationId: DeleteAttackDiscoverySchedules + parameters: + - description: The unique identifier (UUID) of the Attack Discovery schedule to delete. This ID is returned when creating a schedule and can be found in schedule listings. + example: 12345678-1234-1234-1234-123456789012 + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + responses: + '200': + content: + application/json: + examples: + DeleteAttackDiscoverySchedulesResponse200Example: + summary: Confirmation returned after deleting an Attack Discovery schedule. + value: + id: 12345678-1234-1234-1234-123456789012 + schema: + type: object + properties: + id: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + description: The unique identifier of the deleted Attack Discovery schedule + required: + - id + description: Successfully deleted Attack Discovery schedule, returning the ID of the deleted schedule for confirmation + '400': + content: + application/json: + examples: + DeleteAttackDiscoverySchedulesResponse400Example: + summary: Bad Request error returned when the delete schedule request is invalid. + value: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError' + description: Bad Request response. 
+ summary: Delete Attack Discovery schedule + tags: + - Security Attack discovery API + x-codeSamples: + - label: Delete an Attack Discovery schedule + lang: curl + source: | + curl \ + --request DELETE 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" + x-metaTags: + - content: Kibana + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/attack_discovery/schedules/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieves a specific Attack Discovery schedule by its unique identifier. Returns complete schedule configuration including parameters, interval settings, associated actions, and execution history. + operationId: GetAttackDiscoverySchedules + parameters: + - description: The unique identifier (UUID) of the Attack Discovery schedule to retrieve. This ID is returned when creating a schedule and can be found in schedule listings. + example: 12345678-1234-1234-1234-123456789012 + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + responses: + '200': + content: + application/json: + examples: + GetAttackDiscoverySchedulesResponse200Example: + summary: An Attack Discovery schedule retrieved by ID, including last execution metadata. + value: + actions: [] + created_at: '2023-10-31T10:00:00.000Z' + created_by: elastic + enabled: true + id: 12345678-1234-1234-1234-123456789012 + last_execution: + date: '2023-10-31T10:00:00.000Z' + last_duration: 45.2 + status: ok + name: Daily Security Analysis + params: + alerts_index_pattern: .alerts-security.alerts-default + api_config: + actionTypeId: bedrock + connectorId: my-bedrock-connector + name: Claude 3.5 Sonnet + end: now + size: 100 + start: now-24h + schedule: + interval: 24h + updated_at: '2023-10-31T10:00:00.000Z' + updated_by: elastic + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule' + description: Successfully retrieved Attack Discovery schedule with complete configuration and metadata + '400': + content: + application/json: + examples: + GetAttackDiscoverySchedulesResponse400Example: + summary: Bad Request error returned when the get-schedule request is invalid. + value: + error: Bad Request + message: Invalid request parameters. 
+ status_code: 400 + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError' + description: Bad Request response. + summary: Get Attack Discovery schedule by ID + tags: + - Security Attack discovery API + x-codeSamples: + - label: Get an Attack Discovery schedule by ID + lang: curl + source: | + curl \ + --request GET 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/attack_discovery/schedules/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Updates an existing Attack Discovery schedule with new configuration. All schedule properties can be modified including name, parameters, interval, and actions. The update operation replaces the entire schedule configuration with the provided values. + operationId: UpdateAttackDiscoverySchedules + parameters: + - description: The unique identifier (UUID) of the Attack Discovery schedule to update. This ID is returned when creating a schedule and can be found in schedule listings. + example: 12345678-1234-1234-1234-123456789012 + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + requestBody: + content: + application/json: + examples: + UpdateAttackDiscoverySchedulesRequestBodyExample: + summary: Update an Attack Discovery schedule to run every 12 hours over a 48-hour window. + value: + actions: [] + name: Updated Daily Security Analysis + params: + alerts_index_pattern: .alerts-security.alerts-default + api_config: + actionTypeId: bedrock + connectorId: my-bedrock-connector + name: Claude 3.5 Sonnet + end: now + size: 200 + start: now-48h + schedule: + interval: 12h + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleUpdateProps' + description: Updated Attack Discovery schedule configuration. All fields are required as this replaces the entire schedule configuration. + required: true + responses: + '200': + content: + application/json: + examples: + UpdateAttackDiscoverySchedulesResponse200Example: + summary: An Attack Discovery schedule after being updated. 
+ value: + actions: [] + created_at: '2023-10-31T10:00:00.000Z' + created_by: elastic + enabled: true + id: 12345678-1234-1234-1234-123456789012 + name: Updated Daily Security Analysis + params: + alerts_index_pattern: .alerts-security.alerts-default + api_config: + actionTypeId: bedrock + connectorId: my-bedrock-connector + name: Claude 3.5 Sonnet + end: now + size: 200 + start: now-48h + schedule: + interval: 12h + updated_at: '2023-10-31T12:00:00.000Z' + updated_by: elastic + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule' + description: Successfully updated Attack Discovery schedule with the new configuration and metadata + '400': + content: + application/json: + examples: + UpdateAttackDiscoverySchedulesResponse400Example: + summary: Bad Request error returned when the update schedule payload is invalid. + value: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError' + description: Bad Request response. 
+ summary: Update Attack Discovery schedule + tags: + - Security Attack discovery API + x-codeSamples: + - label: Update an Attack Discovery schedule + lang: curl + source: | + curl \ + --request PUT 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" \ + --data '{ + "name": "Updated Daily Security Analysis", + "params": { + "alerts_index_pattern": ".alerts-security.alerts-default", + "api_config": { + "actionTypeId": "bedrock", + "connectorId": "my-bedrock-connector", + "name": "Claude 3.5 Sonnet" + }, + "size": 200, + "start": "now-48h", + "end": "now" + }, + "schedule": { + "interval": "12h" + }, + "actions": [] + }' + x-metaTags: + - content: Kibana + name: product_name + /api/attack_discovery/schedules/{id}/_disable: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/attack_discovery/schedules/{id}/_disable
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Disables an Attack Discovery schedule, preventing it from running according to its configured interval. The schedule configuration is preserved and can be re-enabled later. Any currently running executions will complete, but no new executions will be started. + operationId: DisableAttackDiscoverySchedules + parameters: + - description: The unique identifier (UUID) of the Attack Discovery schedule to disable. This ID is returned when creating a schedule and can be found in schedule listings. + example: 12345678-1234-1234-1234-123456789012 + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + responses: + '200': + content: + application/json: + examples: + DisableAttackDiscoverySchedulesResponse200Example: + summary: Confirmation returned after disabling an Attack Discovery schedule. + value: + id: 12345678-1234-1234-1234-123456789012 + schema: + type: object + properties: + id: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + description: The unique identifier of the disabled Attack Discovery schedule + required: + - id + description: Successfully disabled Attack Discovery schedule, returning the schedule ID for confirmation + '400': + content: + application/json: + examples: + DisableAttackDiscoverySchedulesResponse400Example: + summary: Bad Request error returned when the disable schedule request is invalid. + value: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError' + description: Bad Request response. 
+ summary: Disable Attack Discovery schedule + tags: + - Security Attack discovery API + x-codeSamples: + - label: Disable an Attack Discovery schedule + lang: curl + source: | + curl \ + --request POST 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012/_disable' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" + x-metaTags: + - content: Kibana + name: product_name + /api/attack_discovery/schedules/{id}/_enable: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/attack_discovery/schedules/{id}/_enable
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Enables a previously disabled Attack Discovery schedule, allowing it to run according to its configured interval. Once enabled, the schedule will begin executing at the next scheduled time based on its interval configuration. + operationId: EnableAttackDiscoverySchedules + parameters: + - description: The unique identifier (UUID) of the Attack Discovery schedule to enable. This ID is returned when creating a schedule and can be found in schedule listings. + example: 12345678-1234-1234-1234-123456789012 + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + responses: + '200': + content: + application/json: + examples: + EnableAttackDiscoverySchedulesResponse200Example: + summary: Confirmation returned after enabling an Attack Discovery schedule. + value: + id: 12345678-1234-1234-1234-123456789012 + schema: + type: object + properties: + id: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + description: The unique identifier of the enabled Attack Discovery schedule + required: + - id + description: Successfully enabled Attack Discovery schedule, returning the schedule ID for confirmation + '400': + content: + application/json: + examples: + EnableAttackDiscoverySchedulesResponse400Example: + summary: Bad Request error returned when the enable schedule request is invalid. + value: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError' + description: Bad Request response. 
+ summary: Enable Attack Discovery schedule + tags: + - Security Attack discovery API + x-codeSamples: + - label: Enable an Attack Discovery schedule + lang: curl + source: | + curl \ + --request POST 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012/_enable' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" + x-metaTags: + - content: Kibana + name: product_name + /api/cases: + delete: + description: | + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/cases
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + You must have `read` or `all` privileges and the `delete` sub-feature privilege for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're deleting. + operationId: deleteCaseDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_kbn_xsrf' + - $ref: '#/components/parameters/Cases_ids' + responses: + '204': + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Delete cases + tags: + - cases + x-codeSamples: + - label: curl + lang: curl + source: | + curl \ + --request DELETE 'https://localhost:5601/api/cases?ids=%5B%22030e6e34-6470-4001-864f-b229511ad188%22%2C%22e662ff34-0493-4538-b9d1-6706ced02ff2%22%5D' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" \ + --header "kbn-xsrf: true" + - label: Console + lang: console + source: | + DELETE kbn:/api/cases?ids=["030e6e34-6470-4001-864f-b229511ad188","e662ff34-0493-4538-b9d1-6706ced02ff2"] + x-metaTags: + - content: Kibana + name: product_name + patch: + description: | + **Spaces method and path for this operation:** + +
patch /s/{space_id}/api/cases
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're updating. + operationId: updateCaseDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_kbn_xsrf' + requestBody: + content: + application/json: + examples: + updateCaseRequest: + $ref: '#/components/examples/Cases_update_case_request' + schema: + $ref: '#/components/schemas/Cases_update_case_request' + responses: + '200': + content: + application/json: + examples: + updateCaseResponse: + $ref: '#/components/examples/Cases_update_case_response' + schema: + items: + $ref: '#/components/schemas/Cases_case_response_properties' + type: array + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Update cases + tags: + - cases + x-metaTags: + - content: Kibana + name: product_name + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/cases
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're creating. + operationId: createCaseDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_kbn_xsrf' + requestBody: + content: + application/json: + examples: + createCaseRequest: + $ref: '#/components/examples/Cases_create_case_request' + schema: + $ref: '#/components/schemas/Cases_create_case_request' + required: true + responses: + '200': + content: + application/json: + examples: + createCaseResponse: + $ref: '#/components/examples/Cases_create_case_response' + schema: + $ref: '#/components/schemas/Cases_case_response_properties' + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Create a case + tags: + - cases + x-metaTags: + - content: Kibana + name: product_name + /api/cases/_find: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/cases/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're seeking. + operationId: findCasesDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_assignees_filter' + - $ref: '#/components/parameters/Cases_category' + - $ref: '#/components/parameters/Cases_defaultSearchOperator' + - $ref: '#/components/parameters/Cases_from' + - $ref: '#/components/parameters/Cases_owner_filter' + - $ref: '#/components/parameters/Cases_page_index' + - $ref: '#/components/parameters/Cases_page_size' + - $ref: '#/components/parameters/Cases_reporters' + - $ref: '#/components/parameters/Cases_search' + - $ref: '#/components/parameters/Cases_searchFields' + - $ref: '#/components/parameters/Cases_severity' + - $ref: '#/components/parameters/Cases_sortField' + - $ref: '#/components/parameters/Cases_sort_order' + - $ref: '#/components/parameters/Cases_status' + - $ref: '#/components/parameters/Cases_tags' + - $ref: '#/components/parameters/Cases_to' + responses: + '200': + content: + application/json: + examples: + findCaseResponse: + $ref: '#/components/examples/Cases_find_case_response' + schema: + type: object + properties: + cases: + items: + $ref: '#/components/schemas/Cases_case_response_properties' + maxItems: 10000 + type: array + count_closed_cases: + type: integer + count_in_progress_cases: + type: integer + count_open_cases: + type: integer + page: + type: integer + per_page: + type: integer + total: + type: integer + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. 
+ summary: Search cases + tags: + - cases + x-metaTags: + - content: Kibana + name: product_name + /api/cases/{caseId}: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/cases/{caseId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Returns case details. The response does not include a comments property; use the find case comments API to retrieve comments. The totalComment field reflects the actual number of user comments on the case. You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're seeking. + operationId: getCaseDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_case_id' + responses: + '200': + content: + application/json: + examples: + getDefaultCaseResponse: + $ref: '#/components/examples/Cases_get_case_response' + getDefaultObservabilityCaseResponse: + $ref: '#/components/examples/Cases_get_case_observability_response' + schema: + $ref: '#/components/schemas/Cases_case_response_get_case' + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Get case information + tags: + - cases + x-metaTags: + - content: Kibana + name: product_name + /api/cases/{caseId}/alerts: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/cases/{caseId}/alerts
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're seeking. + operationId: getCaseAlertsDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_case_id' + responses: + '200': + content: + application/json: + examples: + getCaseAlertsResponse: + $ref: '#/components/examples/Cases_get_case_alerts_response' + schema: + items: + $ref: '#/components/schemas/Cases_alert_response_properties' + type: array + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Get all alerts for a case + tags: + - cases + x-state: Technical preview + x-metaTags: + - content: Kibana + name: product_name + /api/cases/{caseId}/comments: + delete: + description: | + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/cases/{caseId}/comments
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Deletes all comments and alerts from a case. You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're deleting. + operationId: deleteCaseCommentsDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_kbn_xsrf' + - $ref: '#/components/parameters/Cases_case_id' + responses: + '204': + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Delete all case comments and alerts + tags: + - cases + x-codeSamples: + - label: curl + lang: curl + source: | + curl \ + --request DELETE 'https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments' \ + --header "Authorization: $API_KEY" \ + --header "kbn-xsrf: true" + - label: Console + lang: console + source: | + DELETE kbn:/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments + x-metaTags: + - content: Kibana + name: product_name + patch: + description: | + **Spaces method and path for this operation:** + +
patch /s/{space_id}/api/cases/{caseId}/comments
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're updating. NOTE: You cannot change the comment type or the owner of a comment. + operationId: updateCaseCommentDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_kbn_xsrf' + - $ref: '#/components/parameters/Cases_case_id' + requestBody: + content: + application/json: + examples: + updateCaseCommentRequest: + $ref: '#/components/examples/Cases_update_comment_request' + schema: + $ref: '#/components/schemas/Cases_update_case_comment_request' + required: true + responses: + '200': + content: + application/json: + examples: + updateCaseCommentResponse: + $ref: '#/components/examples/Cases_update_comment_response' + schema: + $ref: '#/components/schemas/Cases_case_response_properties' + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Update a case comment or alert + tags: + - cases + x-metaTags: + - content: Kibana + name: product_name + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/cases/{caseId}/comments
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're creating. NOTE: Each case can have a maximum of 1,000 alerts. + operationId: addCaseCommentDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_kbn_xsrf' + - $ref: '#/components/parameters/Cases_case_id' + requestBody: + content: + application/json: + examples: + createCaseCommentRequest: + $ref: '#/components/examples/Cases_add_comment_request' + schema: + $ref: '#/components/schemas/Cases_add_case_comment_request' + required: true + responses: + '200': + content: + application/json: + examples: + createCaseCommentResponse: + $ref: '#/components/examples/Cases_add_comment_response' + schema: + $ref: '#/components/schemas/Cases_case_response_properties' + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Add a case comment or alert + tags: + - cases + x-metaTags: + - content: Kibana + name: product_name + /api/cases/{caseId}/comments/_find: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/cases/{caseId}/comments/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieves a paginated list of comments for a case. You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases with the comments you're seeking. + operationId: findCaseCommentsDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_case_id' + - $ref: '#/components/parameters/Cases_page_index' + - $ref: '#/components/parameters/Cases_page_size' + - $ref: '#/components/parameters/Cases_sort_order' + responses: + '200': + content: + application/json: + examples: + findCaseCommentsResponse: + $ref: '#/components/examples/Cases_find_case_comments_response' + schema: + $ref: '#/components/schemas/Cases_find_comments_response' + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Find case comments + tags: + - cases + x-metaTags: + - content: Kibana + name: product_name + /api/cases/{caseId}/comments/{commentId}: + delete: + description: | + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/cases/{caseId}/comments/{commentId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're deleting. + operationId: deleteCaseCommentDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_kbn_xsrf' + - $ref: '#/components/parameters/Cases_case_id' + - $ref: '#/components/parameters/Cases_comment_id' + responses: + '204': + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Delete a case comment or alert + tags: + - cases + x-codeSamples: + - label: curl + lang: curl + source: | + curl \ + --request DELETE 'https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments/71ec1870-725b-11ea-a0b2-c51ea50a58e2' \ + --header "Authorization: $API_KEY" \ + --header "kbn-xsrf: true" + - label: Console + lang: console + source: | + DELETE kbn:/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments/71ec1870-725b-11ea-a0b2-c51ea50a58e2 + x-metaTags: + - content: Kibana + name: product_name + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/cases/{caseId}/comments/{commentId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases with the comments you're seeking. + operationId: getCaseCommentDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_case_id' + - $ref: '#/components/parameters/Cases_comment_id' + responses: + '200': + content: + application/json: + examples: + getCaseCommentResponse: + $ref: '#/components/examples/Cases_get_comment_response' + schema: + oneOf: + - $ref: '#/components/schemas/Cases_alert_comment_response_properties' + - $ref: '#/components/schemas/Cases_user_comment_response_properties' + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Get a case comment or alert + tags: + - cases + x-metaTags: + - content: Kibana + name: product_name + /api/cases/{caseId}/connector/{connectorId}/_push: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/cases/{caseId}/connector/{connectorId}/_push
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + You must have `all` privileges for the **Actions and Connectors** feature in the **Management** section of the Kibana feature privileges. You must also have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're pushing. + operationId: pushCaseDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_case_id' + - $ref: '#/components/parameters/Cases_connector_id' + - $ref: '#/components/parameters/Cases_kbn_xsrf' + requestBody: + content: + application/json: + examples: + pushCaseRequest: + summary: Push a case to an external service. No request body is required. + value: null + schema: + nullable: true + type: object + responses: + '200': + content: + application/json: + examples: + pushCaseResponse: + $ref: '#/components/examples/Cases_push_case_response' + schema: + $ref: '#/components/schemas/Cases_case_response_properties' + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Push a case to an external service + tags: + - cases + x-metaTags: + - content: Kibana + name: product_name + /api/cases/{caseId}/files: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/cases/{caseId}/files
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Attach a file to a case. You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're updating. The request must include: + - The `Content-Type: multipart/form-data` HTTP header. + - The location of the file that is being uploaded. + operationId: addCaseFileDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_kbn_xsrf' + - $ref: '#/components/parameters/Cases_case_id' + requestBody: + content: + multipart/form-data: + examples: + addCaseFileRequest: + summary: Attach a plain text file named "my_attachment". + value: + filename: my_attachment + schema: + $ref: '#/components/schemas/Cases_add_case_file_request' + required: true + responses: + '200': + content: + application/json: + examples: + addCaseFileResponse: + $ref: '#/components/examples/Cases_add_comment_response' + schema: + $ref: '#/components/schemas/Cases_case_response_properties' + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Attach a file to a case + tags: + - cases + x-codeSamples: + - label: curl + lang: curl + source: | + curl \ + --request POST 'https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/files' \ + --header "Authorization: $API_KEY" \ + --header "kbn-xsrf: true" \ + --form "file=@/path/to/my_attachment.txt" \ + --form "filename=my_attachment" + x-metaTags: + - content: Kibana + name: product_name + /api/cases/{caseId}/user_actions/_find: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/cases/{caseId}/user_actions/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieves a paginated list of user activity for a case. You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're seeking. + operationId: findCaseActivityDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_case_id' + - $ref: '#/components/parameters/Cases_page_index' + - $ref: '#/components/parameters/Cases_page_size' + - $ref: '#/components/parameters/Cases_sort_order' + - $ref: '#/components/parameters/Cases_user_action_types' + responses: + '200': + content: + application/json: + examples: + findCaseActivityResponse: + $ref: '#/components/examples/Cases_find_case_activity_response' + schema: + type: object + properties: + page: + type: integer + perPage: + type: integer + total: + type: integer + userActions: + items: + $ref: '#/components/schemas/Cases_user_actions_find_response_properties' + maxItems: 10000 + type: array + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Find case activity + tags: + - cases + x-metaTags: + - content: Kibana + name: product_name + /api/cases/alerts/{alertId}: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/cases/alerts/{alertId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're seeking. + operationId: getCasesByAlertDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_alert_id' + - $ref: '#/components/parameters/Cases_owner_filter' + responses: + '200': + content: + application/json: + examples: + getCasesByAlertResponse: + summary: Cases associated with a given alert. + value: + - createdAt: '2020-02-19T23:06:33.798Z' + description: Investigating suspicious activity + id: 06116b80-e1c3-11ec-be9b-9b1838238ee6 + status: open + title: security_case + totals: + alerts: 1 + events: 0 + userComments: 0 + schema: + items: + $ref: '#/components/schemas/Cases_related_case' + maxItems: 10000 + type: array + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Get cases for an alert + tags: + - cases + x-state: Technical preview + x-metaTags: + - content: Kibana + name: product_name + /api/cases/configure: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/cases/configure
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get setting details such as the closure type, custom fields, templates, and the default connector for cases. You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on where the cases were created. + operationId: getCaseConfigurationDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_owner_filter' + responses: + '200': + content: + application/json: + examples: + getConfigurationResponse: + $ref: '#/components/examples/Cases_get_case_configuration_response' + schema: + items: + type: object + properties: + closure_type: + $ref: '#/components/schemas/Cases_closure_types' + connector: + type: object + properties: + fields: + description: The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to `null`. + nullable: true + type: object + id: + description: The identifier for the connector. If you do not want a default connector, use `none`. To retrieve connector IDs, use the find connectors API. + example: none + type: string + name: + description: The name of the connector. If you do not want a default connector, use `none`. To retrieve connector names, use the find connectors API. 
+ example: none + type: string + type: + $ref: '#/components/schemas/Cases_connector_types' + created_at: + example: '2022-06-01T17:07:17.767Z' + format: date-time + type: string + created_by: + type: object + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + required: + - email + - full_name + - username + customFields: + description: Custom fields configuration details. + items: + type: object + properties: + defaultValue: + description: | + A default value for the custom field. If the `type` is `text`, the default value must be a string. If the `type` is `toggle`, the default value must be boolean. + oneOf: + - type: string + - type: boolean + key: + description: | + A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field. + maxLength: 36 + minLength: 1 + type: string + label: + description: The custom field label that is displayed in the case. + maxLength: 50 + minLength: 1 + type: string + type: + description: The type of the custom field. + enum: + - text + - toggle + type: string + required: + description: | + Indicates whether the field is required. If `false`, the custom field can be set to null or omitted when a case is created or updated. + type: boolean + type: array + error: + example: null + nullable: true + type: string + id: + example: 4a97a440-e1cd-11ec-be9b-9b1838238ee6 + type: string + mappings: + items: + type: object + properties: + action_type: + example: overwrite + type: string + source: + example: title + type: string + target: + example: summary + type: string + type: array + observableTypes: + description: Custom observable type configuration details. 
+ items: + type: object + properties: + key: + description: The observable type key. + example: d312efda-ec2b-42ec-9e2c-84981795c581 + type: string + label: + description: The observable type label. + example: My observable type + type: string + type: array + owner: + $ref: '#/components/schemas/Cases_owner' + templates: + $ref: '#/components/schemas/Cases_templates' + updated_at: + example: '2022-06-01T19:58:48.169Z' + format: date-time + nullable: true + type: string + updated_by: + nullable: true + type: object + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + required: + - email + - full_name + - username + version: + example: WzIwNzMsMV0= + type: string + type: array + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Get case settings + tags: + - cases + x-metaTags: + - content: Kibana + name: product_name + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/cases/configure
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Case settings include external connection details, custom fields, and templates. Connectors are used to interface with external systems. You must create a connector before you can use it in your cases. If you set a default connector, it is automatically selected when you create cases in Kibana. If you use the create case API, however, you must still specify all of the connector details. You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on where you are creating cases. + operationId: setCaseConfigurationDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_kbn_xsrf' + requestBody: + content: + application/json: + examples: + setCaseConfigRequest: + $ref: '#/components/examples/Cases_set_case_configuration_request' + schema: + $ref: '#/components/schemas/Cases_set_case_configuration_request' + responses: + '200': + content: + application/json: + examples: + setCaseConfigResponse: + $ref: '#/components/examples/Cases_set_case_configuration_response' + schema: + type: object + properties: + closure_type: + $ref: '#/components/schemas/Cases_closure_types' + connector: + type: object + properties: + fields: + description: The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to `null`. + nullable: true + type: object + id: + description: The identifier for the connector. If you do not want a default connector, use `none`. To retrieve connector IDs, use the find connectors API. + example: none + type: string + name: + description: The name of the connector. If you do not want a default connector, use `none`. To retrieve connector names, use the find connectors API. 
+ example: none + type: string + type: + $ref: '#/components/schemas/Cases_connector_types' + created_at: + example: '2022-06-01T17:07:17.767Z' + format: date-time + type: string + created_by: + type: object + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + required: + - email + - full_name + - username + customFields: + description: Custom fields configuration details. + items: + type: object + properties: + defaultValue: + description: | + A default value for the custom field. If the `type` is `text`, the default value must be a string. If the `type` is `toggle`, the default value must be boolean. + oneOf: + - type: string + - type: boolean + key: + description: | + A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field. + maxLength: 36 + minLength: 1 + type: string + label: + description: The custom field label that is displayed in the case. + maxLength: 50 + minLength: 1 + type: string + type: + description: The type of the custom field. + enum: + - text + - toggle + type: string + required: + description: | + Indicates whether the field is required. If `false`, the custom field can be set to null or omitted when a case is created or updated. + type: boolean + type: array + error: + example: null + nullable: true + type: string + id: + example: 4a97a440-e1cd-11ec-be9b-9b1838238ee6 + type: string + mappings: + items: + type: object + properties: + action_type: + example: overwrite + type: string + source: + example: title + type: string + target: + example: summary + type: string + type: array + observableTypes: + description: Custom observable type configuration details. 
+ items: + type: object + properties: + key: + description: The observable type key. + example: d312efda-ec2b-42ec-9e2c-84981795c581 + type: string + label: + description: The observable type label. + example: My observable type + type: string + type: array + owner: + $ref: '#/components/schemas/Cases_owner' + templates: + $ref: '#/components/schemas/Cases_templates' + updated_at: + example: '2022-06-01T19:58:48.169Z' + format: date-time + nullable: true + type: string + updated_by: + nullable: true + type: object + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + required: + - email + - full_name + - username + version: + example: WzIwNzMsMV0= + type: string + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Add case settings + tags: + - cases + x-metaTags: + - content: Kibana + name: product_name + /api/cases/configure/{configurationId}: + patch: + description: | + **Spaces method and path for this operation:** + +
patch /s/{space_id}/api/cases/configure/{configurationId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Updates setting details such as the closure type, custom fields, templates, and the default connector for cases. Connectors are used to interface with external systems. You must create a connector before you can use it in your cases. You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on where the case was created. + operationId: updateCaseConfigurationDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_kbn_xsrf' + - $ref: '#/components/parameters/Cases_configuration_id' + requestBody: + content: + application/json: + examples: + updateCaseConfigurationRequest: + $ref: '#/components/examples/Cases_update_case_configuration_request' + schema: + $ref: '#/components/schemas/Cases_update_case_configuration_request' + responses: + '200': + content: + application/json: + examples: + updateCaseConfigurationResponse: + $ref: '#/components/examples/Cases_update_case_configuration_response' + schema: + type: object + properties: + closure_type: + $ref: '#/components/schemas/Cases_closure_types' + connector: + type: object + properties: + fields: + description: The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to `null`. + nullable: true + type: object + id: + description: The identifier for the connector. If you do not want a default connector, use `none`. To retrieve connector IDs, use the find connectors API. + example: none + type: string + name: + description: The name of the connector. If you do not want a default connector, use `none`. To retrieve connector names, use the find connectors API. 
+ example: none + type: string + type: + $ref: '#/components/schemas/Cases_connector_types' + created_at: + example: '2022-06-01T17:07:17.767Z' + format: date-time + type: string + created_by: + type: object + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + required: + - email + - full_name + - username + customFields: + description: Custom fields configuration details. + items: + type: object + properties: + defaultValue: + description: | + A default value for the custom field. If the `type` is `text`, the default value must be a string. If the `type` is `toggle`, the default value must be boolean. + oneOf: + - type: string + - type: boolean + key: + description: | + A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field. + maxLength: 36 + minLength: 1 + type: string + label: + description: The custom field label that is displayed in the case. + maxLength: 50 + minLength: 1 + type: string + type: + description: The type of the custom field. + enum: + - text + - toggle + type: string + required: + description: | + Indicates whether the field is required. If `false`, the custom field can be set to null or omitted when a case is created or updated. + type: boolean + type: array + error: + example: null + nullable: true + type: string + id: + example: 4a97a440-e1cd-11ec-be9b-9b1838238ee6 + type: string + mappings: + items: + type: object + properties: + action_type: + example: overwrite + type: string + source: + example: title + type: string + target: + example: summary + type: string + type: array + observableTypes: + description: Custom observable type configuration details. 
+ items: + type: object + properties: + key: + description: The observable type key. + example: d312efda-ec2b-42ec-9e2c-84981795c581 + type: string + label: + description: The observable type label. + example: My observable type + type: string + type: array + owner: + $ref: '#/components/schemas/Cases_owner' + templates: + $ref: '#/components/schemas/Cases_templates' + updated_at: + example: '2022-06-01T19:58:48.169Z' + format: date-time + nullable: true + type: string + updated_by: + nullable: true + type: object + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + required: + - email + - full_name + - username + version: + example: WzIwNzMsMV0= + type: string + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Update case settings + tags: + - cases + x-metaTags: + - content: Kibana + name: product_name + /api/cases/configure/connectors/_find: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/cases/configure/connectors/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get information about connectors that are supported for use in cases. You must have `read` privileges for the **Actions and Connectors** feature in the **Management** section of the Kibana feature privileges. + operationId: findCaseConnectorsDefaultSpace + responses: + '200': + content: + application/json: + examples: + findConnectorResponse: + $ref: '#/components/examples/Cases_find_connector_response' + schema: + items: + type: object + properties: + actionTypeId: + $ref: '#/components/schemas/Cases_connector_types' + config: + additionalProperties: true + type: object + properties: + apiUrl: + type: string + projectKey: + type: string + id: + type: string + isDeprecated: + type: boolean + isMissingSecrets: + type: boolean + isPreconfigured: + type: boolean + name: + type: string + referencedByCount: + type: integer + maxItems: 1000 + type: array + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Get case connectors + tags: + - cases + x-metaTags: + - content: Kibana + name: product_name + /api/cases/reporters: + get: + description: | + Returns information about the users who opened cases. You must have read privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases. The API returns information about the users as they existed at the time of the case creation, including their name, full name, and email address. If any of those details change thereafter or if a user is deleted, the information returned by this API is unchanged. 
+ operationId: getCaseReportersDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_owner_filter' + responses: + '200': + content: + application/json: + examples: + getReportersResponse: + $ref: '#/components/examples/Cases_get_reporters_response' + schema: + items: + type: object + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + required: + - email + - full_name + - username + maxItems: 10000 + type: array + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Get case creators + tags: + - cases + x-metaTags: + - content: Kibana + name: product_name + /api/cases/tags: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/cases/tags
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Aggregates and returns a list of case tags. You must have read privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're seeking. + operationId: getCaseTagsDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_owner_filter' + responses: + '200': + content: + application/json: + examples: + getTagsResponse: + $ref: '#/components/examples/Cases_get_tags_response' + schema: + items: + type: string + maxItems: 10000 + type: array + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Get case tags + tags: + - cases + x-metaTags: + - content: Kibana + name: product_name + /api/dashboards: + get: + tags: + - Dashboards + summary: Get dashboards + operationId: get-dashboards-redirect + description: | + > **Technical preview** — The Dashboards API is currently in technical preview and its full reference documentation is temporarily hosted at a separate location. + > + > **[View the full Dashboards API reference →](https://elastic.github.io/dashboards-api-spec/dashboards#tag/Dashboards)** + responses: + '200': + description: See the full Dashboards API reference for detailed response schemas. + post: + tags: + - Dashboards + summary: Create a dashboard + operationId: create-dashboard-redirect + description: | + > **Technical preview** — The Dashboards API is currently in technical preview and its full reference documentation is temporarily hosted at a separate location. 
+ > + > **[View the full Dashboards API reference →](https://elastic.github.io/dashboards-api-spec/dashboards#tag/Dashboards)** + responses: + '200': + description: See the full Dashboards API reference for detailed response schemas. + /api/dashboards/{id}: + get: + tags: + - Dashboards + summary: Get a dashboard + operationId: get-dashboard-redirect + description: | + > **Technical preview** — The Dashboards API is currently in technical preview and its full reference documentation is temporarily hosted at a separate location. + > + > **[View the full Dashboards API reference →](https://elastic.github.io/dashboards-api-spec/dashboards#tag/Dashboards)** + responses: + '200': + description: See the full Dashboards API reference for detailed response schemas. + put: + tags: + - Dashboards + summary: Update a dashboard + operationId: update-dashboard-redirect + description: | + > **Technical preview** — The Dashboards API is currently in technical preview and its full reference documentation is temporarily hosted at a separate location. + > + > **[View the full Dashboards API reference →](https://elastic.github.io/dashboards-api-spec/dashboards#tag/Dashboards)** + responses: + '200': + description: See the full Dashboards API reference for detailed response schemas. + delete: + tags: + - Dashboards + summary: Delete a dashboard + operationId: delete-dashboard-redirect + description: | + > **Technical preview** — The Dashboards API is currently in technical preview and its full reference documentation is temporarily hosted at a separate location. + > + > **[View the full Dashboards API reference →](https://elastic.github.io/dashboards-api-spec/dashboards#tag/Dashboards)** + responses: + '200': + description: See the full Dashboards API reference for detailed response schemas. + /api/data_views: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/data_views
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve a list of all data views. Use this endpoint to identify available data views in the current Kibana space. + operationId: getAllDataViewsDefault + responses: + '200': + content: + application/json: + examples: + getAllDataViewsResponse: + $ref: '#/components/examples/Data_views_get_data_views_response' + schema: + type: object + properties: + data_view: + items: + type: object + properties: + id: + type: string + name: + type: string + namespaces: + items: + type: string + type: array + title: + type: string + typeMeta: + type: object + type: array + description: Indicates a successful call. + '400': + content: + application/json: + examples: + getAllDataViewsBadRequest: + $ref: '#/components/examples/Data_views_error_400_response' + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Get all data views + tags: + - data views + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/data_views" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/data_views + x-metaTags: + - content: Kibana + name: product_name + /api/data_views/data_view: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/data_views/data_view
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a data view. Data views identify the Elasticsearch data you want to explore and visualize. They can point to one or more data streams, indices, or index aliases, and use optional runtime fields to compute values at query time. Note that data views are not required for ES|QL-based visualizations. To learn more, refer to the [data views documentation](https://www.elastic.co/docs/explore-analyze/find-and-organize/data-views). + operationId: createDataViewDefaultw + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + requestBody: + content: + application/json: + examples: + createDataViewRequest: + $ref: '#/components/examples/Data_views_create_data_view_request' + schema: + $ref: '#/components/schemas/Data_views_create_data_view_request_object' + required: true + responses: + '200': + content: + application/json: + examples: + createDataViewResponse: + $ref: '#/components/examples/Data_views_create_data_view_response' + schema: + $ref: '#/components/schemas/Data_views_data_view_response_object' + description: Indicates a successful call. 
+ '400': + content: + application/json: + examples: + createDataViewBadRequest: + $ref: '#/components/examples/Data_views_error_400_response' + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Create a data view + tags: + - data views + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/data_views/data_view" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{"data_view":{"title":"logstash-*","name":"My Logstash data view"}}' + - lang: Console + source: | + POST kbn://api/data_views/data_view + {"data_view":{"title":"logstash-*","name":"My Logstash data view"}} + x-metaTags: + - content: Kibana + name: product_name + /api/data_views/data_view/{viewId}: + delete: + description: | + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/data_views/data_view/{viewId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a data view by its identifier. WARNING: When you delete a data view, it cannot be recovered. + operationId: deleteDataViewDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + - $ref: '#/components/parameters/Data_views_view_id' + responses: + '204': + description: Indicates a successful call. + '404': + content: + application/json: + examples: + deleteDataViewNotFound: + $ref: '#/components/examples/Data_views_error_404_response' + schema: + $ref: '#/components/schemas/Data_views_404_response' + description: Object is not found. + summary: Delete a data view + tags: + - data views + x-codeSamples: + - lang: curl + source: | + curl \ + -X DELETE "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" + - lang: Console + source: | + DELETE kbn://api/data_views/data_view/{viewId} + x-metaTags: + - content: Kibana + name: product_name + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/data_views/data_view/{viewId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve a single data view by its identifier. Data views identify the Elasticsearch data you want to explore and visualize. They can point to one or more data streams, indices, or index aliases, and use optional runtime fields to compute values at query time. Note that data views are not required for ES|QL-based visualizations. To learn more, refer to the [data views documentation](https://www.elastic.co/docs/explore-analyze/find-and-organize/data-views). + operationId: getDataViewDefault + parameters: + - $ref: '#/components/parameters/Data_views_view_id' + responses: + '200': + content: + application/json: + examples: + getDataViewResponse: + $ref: '#/components/examples/Data_views_get_data_view_response' + schema: + $ref: '#/components/schemas/Data_views_data_view_response_object' + description: Indicates a successful call. + '404': + content: + application/json: + examples: + getDataViewNotFound: + $ref: '#/components/examples/Data_views_error_404_response' + schema: + $ref: '#/components/schemas/Data_views_404_response' + description: Object is not found. + summary: Get a data view + tags: + - data views + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/data_views/data_view/{viewId} + x-metaTags: + - content: Kibana + name: product_name + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/data_views/data_view/{viewId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an existing data view. Only the fields provided in the request body are updated. + operationId: updateDataViewDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + - $ref: '#/components/parameters/Data_views_view_id' + requestBody: + content: + application/json: + examples: + updateDataViewRequest: + $ref: '#/components/examples/Data_views_update_data_view_request' + schema: + $ref: '#/components/schemas/Data_views_update_data_view_request_object' + required: true + responses: + '200': + content: + application/json: + examples: + updateDataViewResponse: + $ref: '#/components/examples/Data_views_get_data_view_response' + schema: + $ref: '#/components/schemas/Data_views_data_view_response_object' + description: Indicates a successful call. + '400': + content: + application/json: + examples: + updateDataViewBadRequest: + $ref: '#/components/examples/Data_views_error_400_response' + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Update a data view + tags: + - data views + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{"data_view":{"name":"Updated data view name"}}' + - lang: Console + source: | + POST kbn://api/data_views/data_view/{viewId} + {"data_view":{"name":"Updated data view name"}} + x-metaTags: + - content: Kibana + name: product_name + /api/data_views/data_view/{viewId}/fields: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/data_views/data_view/{viewId}/fields
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update field metadata for a data view. Use this endpoint to set custom labels, custom descriptions, and format overrides for individual fields. + operationId: updateFieldsMetadataDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + - $ref: '#/components/parameters/Data_views_view_id' + requestBody: + content: + application/json: + examples: + updateFieldsMetadataRequest: + $ref: '#/components/examples/Data_views_update_field_metadata_request' + schema: + type: object + properties: + fields: + description: The field object. + type: object + required: + - fields + required: true + responses: + '200': + content: + application/json: + examples: + updateFieldsMetadataResponse: + $ref: '#/components/examples/Data_views_update_field_metadata_response' + schema: + type: object + properties: + acknowledged: + type: boolean + description: Indicates a successful call. + '400': + content: + application/json: + examples: + updateFieldsMetadataBadRequest: + $ref: '#/components/examples/Data_views_error_400_response' + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Update field metadata + tags: + - data views + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}/fields" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{"fields":{"field_name":{"customLabel":"My custom label"}}}' + - lang: Console + source: | + POST kbn://api/data_views/data_view/{viewId}/fields + {"fields":{"field_name":{"customLabel":"My custom label"}}} + x-metaTags: + - content: Kibana + name: product_name + /api/data_views/data_view/{viewId}/runtime_field: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/data_views/data_view/{viewId}/runtime_field
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a runtime field for a data view. Runtime fields are computed at query time using a [Painless script](https://www.elastic.co/docs/explore-analyze/scripting/modules-scripting-painless) and do not require reindexing. If no `script` is provided, the runtime field returns the corresponding value from the document `_source`. + operationId: createRuntimeFieldDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + - $ref: '#/components/parameters/Data_views_view_id' + requestBody: + content: + application/json: + examples: + createRuntimeFieldRequest: + $ref: '#/components/examples/Data_views_create_runtime_field_request' + schema: + type: object + properties: + name: + description: | + The name for a runtime field. + type: string + runtimeField: + description: | + The runtime field definition object. + type: object + required: + - name + - runtimeField + required: true + responses: + '200': + content: + application/json: + examples: + createRuntimeFieldResponse: + $ref: '#/components/examples/Data_views_create_runtime_field_response' + schema: + type: object + description: Indicates a successful call. 
+ summary: Create a runtime field + tags: + - data views + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}/runtime_field" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{"name":"hour_of_day","runtimeField":{"type":"long","script":{"source":"emit(doc['"'"'timestamp'"'"'].value.getHour())"}}}' + - lang: Console + source: | + POST kbn://api/data_views/data_view/{viewId}/runtime_field + {"name":"hour_of_day","runtimeField":{"type":"long","script":{"source":"emit(doc['timestamp'].value.getHour())"}}} + x-metaTags: + - content: Kibana + name: product_name + put: + description: | + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/data_views/data_view/{viewId}/runtime_field
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create or update a runtime field for a data view. If the runtime field already exists, it is replaced with the new definition. + operationId: createUpdateRuntimeFieldDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + - description: | + The ID of the data view fields you want to update. + in: path + name: viewId + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + updateRuntimeFieldRequest: + $ref: '#/components/examples/Data_views_create_runtime_field_request' + schema: + type: object + properties: + name: + description: | + The name for a runtime field. + type: string + runtimeField: + description: | + The runtime field definition object. + type: object + required: + - name + - runtimeField + required: true + responses: + '200': + content: + application/json: + examples: + createUpdateRuntimeFieldResponse: + $ref: '#/components/examples/Data_views_create_runtime_field_response' + schema: + type: object + properties: + data_view: + type: object + fields: + items: + type: object + type: array + description: Indicates a successful call. 
+ '400': + content: + application/json: + examples: + createUpdateRuntimeFieldBadRequest: + $ref: '#/components/examples/Data_views_error_400_response' + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Create or update a runtime field + tags: + - data views + x-codeSamples: + - lang: curl + source: | + curl \ + -X PUT "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}/runtime_field" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{"name":"hour_of_day","runtimeField":{"type":"long","script":{"source":"emit(doc['"'"'timestamp'"'"'].value.getHour())"}}}' + - lang: Console + source: | + PUT kbn://api/data_views/data_view/{viewId}/runtime_field + {"name":"hour_of_day","runtimeField":{"type":"long","script":{"source":"emit(doc['timestamp'].value.getHour())"}}} + x-metaTags: + - content: Kibana + name: product_name + /api/data_views/data_view/{viewId}/runtime_field/{fieldName}: + delete: + description: | + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/data_views/data_view/{viewId}/runtime_field/{fieldName}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a runtime field from a data view. + operationId: deleteRuntimeFieldDefault + parameters: + - $ref: '#/components/parameters/Data_views_field_name' + - $ref: '#/components/parameters/Data_views_view_id' + responses: + '200': + description: Indicates a successful call. + '404': + content: + application/json: + examples: + deleteRuntimeFieldNotFound: + $ref: '#/components/examples/Data_views_error_404_response' + schema: + $ref: '#/components/schemas/Data_views_404_response' + description: Object is not found. + summary: Delete a runtime field + tags: + - data views + x-codeSamples: + - lang: curl + source: | + curl \ + -X DELETE "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}/runtime_field/${FIELD_NAME}" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" + - lang: Console + source: | + DELETE kbn://api/data_views/data_view/{viewId}/runtime_field/{fieldName} + x-metaTags: + - content: Kibana + name: product_name + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/data_views/data_view/{viewId}/runtime_field/{fieldName}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve a single runtime field by name from a data view. + operationId: getRuntimeFieldDefault + parameters: + - $ref: '#/components/parameters/Data_views_field_name' + - $ref: '#/components/parameters/Data_views_view_id' + responses: + '200': + content: + application/json: + examples: + getRuntimeFieldResponse: + $ref: '#/components/examples/Data_views_get_runtime_field_response' + schema: + type: object + properties: + data_view: + type: object + fields: + items: + type: object + type: array + description: Indicates a successful call. + '404': + content: + application/json: + examples: + getRuntimeFieldNotFound: + $ref: '#/components/examples/Data_views_error_404_response' + schema: + $ref: '#/components/schemas/Data_views_404_response' + description: Object is not found. + summary: Get a runtime field + tags: + - data views + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}/runtime_field/${FIELD_NAME}" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/data_views/data_view/{viewId}/runtime_field/{fieldName} + x-metaTags: + - content: Kibana + name: product_name + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/data_views/data_view/{viewId}/runtime_field/{fieldName}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an existing runtime field in a data view. Only the fields provided in the request body are updated. + operationId: updateRuntimeFieldDefault + parameters: + - $ref: '#/components/parameters/Data_views_field_name' + - $ref: '#/components/parameters/Data_views_view_id' + requestBody: + content: + application/json: + examples: + updateRuntimeFieldRequest: + $ref: '#/components/examples/Data_views_update_runtime_field_request' + schema: + type: object + properties: + runtimeField: + description: | + The runtime field definition object. + + You can update following fields: + + - `type` + - `script` + type: object + required: + - runtimeField + required: true + responses: + '200': + description: Indicates a successful call. + '400': + content: + application/json: + examples: + updateRuntimeFieldBadRequest: + $ref: '#/components/examples/Data_views_error_400_response' + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Update a runtime field + tags: + - data views + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}/runtime_field/${FIELD_NAME}" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{"runtimeField":{"type":"long","script":{"source":"emit(doc['"'"'timestamp'"'"'].value.getHour())"}}}' + - lang: Console + source: | + POST kbn://api/data_views/data_view/{viewId}/runtime_field/{fieldName} + {"runtimeField":{"type":"long","script":{"source":"emit(doc['timestamp'].value.getHour())"}}} + x-metaTags: + - content: Kibana + name: product_name + /api/data_views/default: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/data_views/default
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve the identifier of the default data view for the current Kibana space. + operationId: getDefaultDataViewDefault + responses: + '200': + content: + application/json: + examples: + getDefaultDataViewResponse: + $ref: '#/components/examples/Data_views_get_default_data_view_response' + schema: + type: object + properties: + data_view_id: + type: string + description: Indicates a successful call. + '400': + content: + application/json: + examples: + getDefaultDataViewBadRequest: + $ref: '#/components/examples/Data_views_error_400_response' + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Get the default data view + tags: + - data views + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/data_views/default" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/data_views/default + x-metaTags: + - content: Kibana + name: product_name + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/data_views/default
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Set the default data view for the current Kibana space. The default data view is used as a fallback when no specific data view is selected. + operationId: setDefaultDatailViewDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + requestBody: + content: + application/json: + examples: + setDefaultDataViewRequest: + $ref: '#/components/examples/Data_views_set_default_data_view_request' + schema: + type: object + properties: + data_view_id: + description: | + The data view identifier. NOTE: The API does not validate whether it is a valid identifier. Use `null` to unset the default data view. + nullable: true + type: string + force: + default: false + description: Update an existing default data view identifier. + type: boolean + required: + - data_view_id + required: true + responses: + '200': + content: + application/json: + examples: + setDefaultDataViewResponse: + $ref: '#/components/examples/Data_views_set_default_data_view_response' + schema: + type: object + properties: + acknowledged: + type: boolean + description: Indicates a successful call. 
+ '400': + content: + application/json: + examples: + setDefaultDataViewBadRequest: + $ref: '#/components/examples/Data_views_error_400_response' + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Set the default data view + tags: + - data views + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/data_views/default" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{"data_view_id":"ff959d40-b880-11e8-a6d9-e546fe2bba5f","force":true}' + - lang: Console + source: | + POST kbn://api/data_views/default + {"data_view_id":"ff959d40-b880-11e8-a6d9-e546fe2bba5f","force":true} + x-metaTags: + - content: Kibana + name: product_name + /api/data_views/swap_references: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/data_views/swap_references
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Swap saved object references from one data view to another. Use this endpoint to update dashboards, visualizations, and other saved objects that reference a data view. WARNING: Misuse can break large numbers of saved objects! Use the [`_preview`](https://www.elastic.co/docs/api/doc/kibana/operation/operation-previewswapdataviewsdefault) endpoint to see which saved objects would be affected before making changes. + operationId: swapDataViewsDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + requestBody: + content: + application/json: + examples: + swapDataViewRequest: + $ref: '#/components/examples/Data_views_swap_data_view_request' + schema: + $ref: '#/components/schemas/Data_views_swap_data_view_request_object' + required: true + responses: + '200': + content: + application/json: + examples: + swapDataViewResponse: + $ref: '#/components/examples/Data_views_swap_data_view_response' + schema: + type: object + properties: + deleteStatus: + type: object + properties: + deletePerformed: + type: boolean + remainingRefs: + type: integer + result: + items: + type: object + properties: + id: + description: A saved object identifier. + type: string + type: + description: The saved object type. + type: string + type: array + description: Indicates a successful call. 
+ summary: Swap saved object references + tags: + - data views + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/data_views/swap_references" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{"fromId":"abcd-efg","toId":"xyz-123","delete":true}' + - lang: Console + source: | + POST kbn://api/data_views/swap_references + {"fromId":"abcd-efg","toId":"xyz-123","delete":true} + x-metaTags: + - content: Kibana + name: product_name + /api/data_views/swap_references/_preview: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/data_views/swap_references/_preview
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Preview the effect of swapping saved object references from one data view to another. Returns the list of affected saved objects without making any changes. + operationId: previewSwapDataViewsDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + requestBody: + content: + application/json: + examples: + previewSwapDataViewRequest: + $ref: '#/components/examples/Data_views_preview_swap_data_view_request' + schema: + $ref: '#/components/schemas/Data_views_swap_data_view_request_object' + required: true + responses: + '200': + content: + application/json: + examples: + previewSwapDataViewResponse: + $ref: '#/components/examples/Data_views_preview_swap_data_view_response' + schema: + type: object + properties: + result: + items: + type: object + properties: + id: + description: A saved object identifier. + type: string + type: + description: The saved object type. + type: string + type: array + description: Indicates a successful call. + summary: Preview swap references + tags: + - data views + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/data_views/swap_references/_preview" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{"fromId":"abcd-efg","toId":"xyz-123"}' + - lang: Console + source: | + POST kbn://api/data_views/swap_references/_preview + {"fromId":"abcd-efg","toId":"xyz-123"} + x-metaTags: + - content: Kibana + name: product_name + /api/detection_engine/index: + delete: + description: | + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/detection_engine/index
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Permanently deletes the Elastic Security alerts backing index in the current space, including the alerts + stored in it. Use with caution; prefer lifecycle policies or the UI when available. + Call `GET /api/detection_engine/index` first to confirm the index that will be removed. + operationId: DeleteAlertsIndex + responses: + '200': + content: + application/json: + examples: + acknowledged: + value: + acknowledged: true + schema: + type: object + properties: + acknowledged: + type: boolean + required: + - acknowledged + description: Successful response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + message: API [DELETE /api/detection_engine/index] is unauthorized for the current user. The user needs alerts management permissions for the space. + status_code: 403 + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Not enough permissions response + '404': + content: + application/json: + examples: + notFound: + value: + message: The Elastic Security alerts index to delete was not found. 
+ status_code: 404 + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Index does not exist response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Delete an alerts index + tags: + - Security Detections API + x-metaTags: + - content: Kibana + name: product_name + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/detection_engine/index
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Returns the backing Elasticsearch index for Elastic Security detection alerts in the current space, and + whether its mapping is outdated. Use this to verify that an alert index is provisioned before creating + or running rules that write alerts to it. + operationId: ReadAlertsIndex + responses: + '200': + content: + application/json: + examples: + success: + value: + index_mapping_outdated: false + name: .alerts-security.alerts-default + schema: + type: object + properties: + index_mapping_outdated: + nullable: true + type: boolean + name: + type: string + required: + - name + - index_mapping_outdated + description: Successful response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + message: API [GET /api/detection_engine/index] is unauthorized for the current user. Check Security and Kibana feature privileges (detection engine / alerts) for the space. + status_code: 403 + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Not enough permissions response + '404': + content: + application/json: + examples: + notFound: + value: + message: Elastic Security alert index is not found for the current space. 
+ status_code: 404 + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Not found + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Reads the alert index name if it exists + tags: + - Security Detections API + x-metaTags: + - content: Kibana + name: product_name + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/detection_engine/index
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Creates an index for Elastic Security alerts. Calling this API is not + required for the detection engine to function properly. You can create + rules and alerts without calling this API. + operationId: CreateAlertsIndex + responses: + '200': + content: + application/json: + examples: + acknowledged: + value: + acknowledged: true + schema: + type: object + properties: + acknowledged: + type: boolean + required: + - acknowledged + description: Successful response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + message: API [POST /api/detection_engine/index] is unauthorized for the current user. The user must be able to create indices for the Elastic Security solution. + status_code: 403 + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Not enough permissions response + '404': + content: + application/json: + examples: + notFound: + value: + message: A prerequisite resource required to create the alerts index was not found. 
+ status_code: 404 + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Not found + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Create an alerts index + tags: + - Security Detections API + x-metaTags: + - content: Kibana + name: product_name + /api/detection_engine/privileges: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/detection_engine/privileges
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieves whether or not the user is authenticated, and the user's Kibana + space and index privileges, which determine if the user can create an + index for the Elastic Security alerts generated by + detection engine rules. + operationId: ReadPrivileges + responses: + '200': + content: + application/json: + examples: + success: + value: + application: {} + cluster: + all: true + manage: true + manage_api_key: true + manage_index_templates: true + manage_ml: true + manage_own_api_key: true + manage_pipeline: true + manage_security: true + manage_transform: true + monitor: true + monitor_ml: true + monitor_transform: true + has_all_requested: true + has_encryption_key: true + index: + .alerts-security.alerts-default: + all: true + create: true + create_doc: true + create_index: true + delete: true + delete_index: true + index: true + maintenance: true + manage: true + monitor: true + read: true + view_index_metadata: true + write: true + is_authenticated: true + username: elastic + schema: + type: object + properties: + has_encryption_key: + type: boolean + is_authenticated: + type: boolean + required: + - is_authenticated + - has_encryption_key + description: Successful response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: 
'#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Returns user privileges for the Kibana space + tags: + - Security Detections API + x-metaTags: + - content: Kibana + name: product_name + /api/detection_engine/rules: + delete: + description: | + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/detection_engine/rules
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a detection rule using the `rule_id` or `id` field. + + The URL query must include one of the following: + + * `id` - `DELETE /api/detection_engine/rules?id=` + * `rule_id`- `DELETE /api/detection_engine/rules?rule_id=` + + The difference between the `id` and `rule_id` is that the `id` is a unique rule identifier that is randomly generated when a rule is created and cannot be set, whereas `rule_id` is a stable rule identifier that can be assigned during rule creation. + operationId: DeleteRule + parameters: + - description: The rule's `id` value. + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Detections_API_UUID' + - description: The rule's `rule_id` value. + in: query + name: rule_id + required: false + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + responses: + '200': + content: + application/json: + examples: + deletedRule: + summary: Response shape after a rule is deleted + value: + actions: [] + created_at: '2020-02-03T11:19:04.259Z' + created_by: elastic + description: Process started by MS Office program in user folder + enabled: false + false_positives: [] + from: now-4200s + id: c41d170b-8ba6-4de6-b8ec-76440a35ace3 + immutable: false + interval: 1h + language: kuery + max_signals: 100 + name: MS Office child process + query: event.action:Process* + references: [] + risk_score: 50 + rule_id: process_started_by_ms_office_user_folder + severity: low + tags: + - tag + throttle: null + to: now + type: query + updated_at: '2020-02-03T11:19:04.462Z' + updated_by: elastic + version: 3 + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleResponse' + description: Indicates a successful call. 
+ summary: Delete a detection rule + tags: + - Security Detections API + x-codeSamples: + - lang: cURL + source: | + curl \ + --request DELETE https://localhost:5601/api/detection_engine/rules?rule_id=bfeaf89b-a2a7-48a3-817f-e41829dc61ee \ + --header "Content-Type: application/json; Elastic-Api-Version=2023-10-31" + x-metaTags: + - content: Kibana + name: product_name + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/detection_engine/rules
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve a detection rule using the `rule_id` or `id` field. + + The URL query must include one of the following: + + * `id` - `GET /api/detection_engine/rules?id=` + * `rule_id` - `GET /api/detection_engine/rules?rule_id=` + + The difference between the `id` and `rule_id` is that the `id` is a unique rule identifier that is randomly generated when a rule is created and cannot be set, whereas `rule_id` is a stable rule identifier that can be assigned during rule creation. + operationId: ReadRule + parameters: + - description: The rule's `id` value. + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Detections_API_UUID' + - description: The rule's `rule_id` value. + in: query + name: rule_id + required: false + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + responses: + '200': + content: + application/json: + examples: + example1: + summary: Example response for a retrieved rule + value: + created_at: '2020-02-03T11:19:04.259Z' + created_by: elastic + description: Process started by MS Office program in user folder + enabled: false + execution_summary: + last_execution: + date: '2022-03-23T16:06:12.787Z' + message: This rule attempted to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, but no matching index was found. 
+ metrics: + execution_gap_duration_s: 0 + total_indexing_duration_ms: 15 + total_search_duration_ms: 135 + status: partial failure + status_order: 20 + false_positives: [] + filters: + - query: + match: + event.action: + query: 'Process Create (rule: ProcessCreate)' + type: phrase + from: now-4200s + id: c41d170b-8ba6-4de6-b8ec-76440a35ace3 + immutable: false + interval: 1h + language: kuery + max_signals: 100 + name: MS Office child process + query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE + references: [] + related_integrations: + - package: o365 + version: ^2.3.2 + required_fields: + - ecs: true + name: process.name + type: keyword + - ecs: true + name: process.parent.name + type: keyword + risk_score: 21 + rule_id: process_started_by_ms_office_user_folder + setup: '' + severity: low + tags: + - child process + - ms office + threat: + - framework: MITRE ATT&CK + tactic: + id: TA0001 + name: Initial Access + reference: https://attack.mitre.org/tactics/TA0001 + technique: + - id: T1193 + name: Spearphishing Attachment + reference: https://attack.mitre.org/techniques/T1193 + to: now-300s + type: query + updated_at: '2020-02-03T11:19:04.462Z' + updated_by: elastic + version: 1 + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleResponse' + description: | + Indicates a successful call. + > info + > These fields are under development and their usage or schema may change: execution_summary. 
+ summary: Retrieve a detection rule + tags: + - Security Detections API + x-codeSamples: + - lang: cURL + source: | + curl \ + --request GET https://localhost:5601/api/detection_engine/rules?rule_id=bfeaf89b-a2a7-48a3-817f-e41829dc61ee \ + --header "Content-Type: application/json; Elastic-Api-Version=2023-10-31" + x-metaTags: + - content: Kibana + name: product_name + patch: + description: | + **Spaces method and path for this operation:** + +
patch /s/{space_id}/api/detection_engine/rules
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update specific fields of an existing detection rule using the `rule_id` or `id` field. + + The difference between the `id` and `rule_id` is that the `id` is a unique rule identifier that is randomly generated when a rule is created and cannot be set, whereas `rule_id` is a stable rule identifier that can be assigned during rule creation. + > warn + > When used with [API key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running. + + > If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change. + operationId: PatchRule + requestBody: + content: + application/json: + examples: + example1: + summary: Patch query rule + value: + id: 14b7b513-3d8d-4b22-b7da-a7ae632f7e76 + name: New name + example2: + summary: Patch EQL rule + value: + rule_id: process_started_by_ms_office_program_possible_payload + threat: + - framework: MITRE ATT&CK + tactic: + id: TA0001 + name: Initial Access + reference: https://attack.mitre.org/tactics/TA0001 + technique: + - id: T1193 + name: Spearphishing Attachment + reference: https://attack.mitre.org/techniques/T1193 + example3: + summary: Patch threshold rule + value: + id: 005d2c4f-51ca-493d-a2bd-20ef076339b1 + query: 'agent.version : * and agent.id : "243d9b4f-ca01-4311-8e5c-9abbee91afd8"' + threshold: + cardinality: [] + field: [] + value: 600 + example4: + summary: Patch new terms rule + value: + history_window_start: now-3d + id: 569aac91-40dc-4807-a8ae-a2c8698089c4 + new_terms_fields: + - Endpoint.policy.applied.artifacts.global.identifiers.name + example5: + summary: Patch esql rule + value: + id: 0b15e8a2-49b6-47e0-a8e6-d63a6cc335bd + query: | + FROM logs-abc* + | STATS count 
= COUNT(*), min_timestamp = MIN(@timestamp) + | EVAL event_rate = count / DATE_DIFF("seconds", min_timestamp, NOW()) + | KEEP event_rate + example6: + summary: Patch indicator match rule + value: + id: 462f1986-10fe-40a3-a22c-2b1c9c4c48fd + threat_query: '@timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and threat.indicator.ip:* and not labels.is_ioc_transform_source:"false"' + example7: + summary: Patch machine learning rule + value: + anomaly_threshold: 50 + id: 60b13926-289b-41b1-a537-197ef1fa5059 + machine_learning_job_id: + - auth_high_count_logon_events_ea + schema: + $ref: '#/components/schemas/Security_Detections_API_RulePatchProps' + description: | + > info + > You cannot modify the `id` or `rule_id` values. + required: true + responses: + '200': + content: + application/json: + examples: + example1: + summary: Example response for an updated rule + value: + actions: [] + created_at: '2020-04-07T14:51:09.755Z' + created_by: elastic + description: Updated description for the rule. + enabled: false + false_positives: [] + filters: + - query: null + from: now-70m + id: 6541b99a-dee9-4f6d-a86d-dbd1869d73b1 + immutable: false + interval: 1h + language: kuery + max_signals: 100 + name: Updated Rule Name + query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE + references: [] + related_integrations: + - package: o365 + required_fields: + - name: process.parent.name + risk_score: 50 + rule_id: process_started_by_ms_office_program + setup: '' + severity: low + tags: + - child process + - ms office + threat: [] + to: now + type: query + updated_at: '2020-04-07T14:51:09.970Z' + updated_by: elastic + version: 2 + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleResponse' + description: Indicates a successful call. 
+ summary: Patch a detection rule + tags: + - Security Detections API + x-metaTags: + - content: Kibana + name: product_name + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/detection_engine/rules
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new detection rule. + > warn + > When used with [API key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running. + + > If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change. + + You can create the following types of rules: + + * **Custom query**: Searches the defined indices and creates an alert when a document matches the rule's KQL query. + * **Event correlation**: Searches the defined indices and creates an alert when results match an [Event Query Language (EQL)](https://www.elastic.co/guide/en/elasticsearch/reference/current/eql.html) query. + * **Threshold**: Searches the defined indices and creates an alert when the number of times the specified field's value meets the threshold during a single execution. When there are multiple values that meet the threshold, an alert is generated for each value. + For example, if the threshold `field` is `source.ip` and its `value` is `10`, an alert is generated for every source IP address that appears in at least 10 of the rule's search results. If you're interested, see [Terms Aggregation](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-bucket-terms-aggregation.html) for more information. + * **Indicator match**: Creates an alert when fields match values defined in the specified [Elasticsearch index](https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-create-index.html). For example, you can create an index for IP addresses and use this index to create an alert whenever an event's `destination.ip` equals a value in the index. 
The index's field mappings should be [ECS-compliant](https://www.elastic.co/guide/en/ecs/current/ecs-reference.html). + * **New terms**: Generates an alert for each new term detected in source documents within a specified time range. + * **ES|QL**: Uses [Elasticsearch Query Language (ES|QL)](https://www.elastic.co/guide/en/elasticsearch/reference/current/esql.html) to find events and aggregate search results. + * **Machine learning rules**: Creates an alert when a machine learning job discovers an anomaly above the defined threshold. + > info + > To create machine learning rules, you must have the [appropriate license](https://www.elastic.co/subscriptions) or use a [cloud deployment](https://cloud.elastic.co/registration). Additionally, for the machine learning rule to function correctly, the associated machine learning job must be running. + + To retrieve machine learning job IDs, which are required to create machine learning jobs, call the [Elasticsearch Get jobs API](https://www.elastic.co/guide/en/elasticsearch/reference/current/ml-get-job.html). Machine learning jobs that contain `siem` in the `groups` field can be used to create rules: + + ```json + ... + "job_id": "linux_anomalous_network_activity_ecs", + "job_type": "anomaly_detector", + "job_version": "7.7.0", + "groups": [ + "auditbeat", + "process", + "siem" + ], + ... + ``` + + Additionally, you can set up notifications for when rules create alerts. The notifications use the [Alerting and Actions framework](https://www.elastic.co/docs/explore-analyze/alerting). Each action type requires a connector. Connectors store the information required to send notifications via external systems. 
The following connector types are supported for rule notifications: + + * Slack + * Email + * PagerDuty + * Webhook + * Microsoft Teams + * IBM Resilient + * Jira + * ServiceNow ITSM + > info + > For more information on PagerDuty fields, see [Send a v2 Event](https://developer.pagerduty.com/docs/events-api-v2/trigger-events/). + + To retrieve connector IDs, which are required to configure rule notifications, call the [Find objects API](https://www.elastic.co/docs/api/doc/kibana/operation/operation-findsavedobjects) with `"type": "action"` in the request payload. + + For detailed information on Kibana actions and alerting, and additional API calls, see: + + * [Alerting API](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-alerting) + * [Alerting and Actions framework](https://www.elastic.co/docs/explore-analyze/alerting) + * [Connectors API](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-connectors) + operationId: CreateRule + requestBody: + content: + application/json: + examples: + example1: + description: Query rule that searches for processes started by MS Office + summary: Query rule + value: + description: Process started by MS Office program - possible payload + enabled: false + filters: + - query: + match: + event.action: + query: 'Process Create (rule: ProcessCreate)' + type: phrase + from: now-70m + interval: 1h + language: kuery + name: MS Office child process + query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE + related_integrations: + - package: o365 + version: ^2.3.2 + required_fields: + - name: process.parent.name + type: keyword + risk_score: 50 + rule_id: process_started_by_ms_office_program + severity: low + tags: + - child process + - ms office + type: query + example2: + description: Threshold rule that detects multiple failed login attempts to a Windows host from the 
same external source IP address + summary: Threshold rule + value: + description: Detects when there are 20 or more failed login attempts from the same IP address with a 2 minute time frame. + enabled: true + exceptions_list: + - id: int-ips + namespace_type: single + type: detection + from: now-180s + index: + - winlogbeat-* + interval: 2m + name: Windows server prml-19 + query: host.name:prml-19 and event.category:authentication and event.outcome:failure + required_fields: + - name: source.ip + type: ip + risk_score: 30 + rule_id: liv-win-ser-logins + severity: low + severity_mapping: + - field: source.geo.city_name + operator: equals + severity: low + value: Manchester + - field: source.geo.city_name + operator: equals + severity: medium + value: London + - field: source.geo.city_name + operator: equals + severity: high + value: Birmingham + - field: source.geo.city_name + operator: equals + severity: critical + value: Wallingford + tags: + - Brute force + threshold: + field: source.ip + value: 20 + type: threshold + example3: + description: Machine learning rule that creates alerts, and sends Slack notifications, when the linux_anomalous_network_activity_ecs machine learning job discovers anomalies with a threshold of 70 or above. + summary: Machine learning rule + value: + actions: + - action_type_id: .slack + group: default + id: 5ad22cd5-5e6e-4c6c-a81a-54b626a4cec5 + params: + message: 'Urgent: {{context.rule.description}}' + anomaly_threshold: 70 + description: Generates alerts when the job discovers anomalies over 70 + enabled: true + from: now-6m + interval: 5m + machine_learning_job_id: linux_anomalous_network_activity_ecs + name: Anomalous Linux network activity + note: Shut down the internet. + risk_score: 70 + rule_id: ml_linux_network_high_threshold + setup: This rule requires data coming in from Elastic Defend. 
+ severity: high + tags: + - machine learning + - Linux + type: machine_learning + example4: + description: Event correlation rule that creates alerts when the Windows rundll32.exe process makes unusual network connections + summary: EQL rule + value: + description: Unusual rundll32.exe network connection + language: eql + name: rundll32.exe network connection + query: sequence by process.entity_id with maxspan=2h [process where event.type in ("start", "process_started") and (process.name == "rundll32.exe" or process.pe.original_file_name == "rundll32.exe") and ((process.args == "rundll32.exe" and process.args_count == 1) or (process.args != "rundll32.exe" and process.args_count == 0))] [network where event.type == "connection" and (process.name == "rundll32.exe" or process.pe.original_file_name == "rundll32.exe")] + required_fields: + - name: event.type + type: keyword + - name: process.args + type: keyword + - name: process.args_count + type: long + - name: process.entity_id + type: keyword + - name: process.name + type: keyword + - name: process.pe.original_file_name + type: keyword + risk_score: 21 + rule_id: eql-outbound-rundll32-connections + severity: low + tags: + - EQL + - Windows + - rundll32.exe + type: eql + example5: + description: | + Indicator match rule that creates an alert when one of the following is true: The event's destination IP address and port number matches destination IP and port values in the threat_index index; The event's source IP address matches a host IP address value in the threat_index index. 
+ summary: Indicator match rule + value: + actions: [] + description: Checks for bad IP addresses listed in the ip-threat-list index + index: + - packetbeat-* + name: Bad IP threat match + query: destination.ip:* or host.ip:* + required_fields: + - name: destination.ip + type: ip + - name: destination.port + type: long + - name: host.ip + type: ip + risk_score: 50 + severity: medium + threat_index: + - ip-threat-list + threat_mapping: + - entries: + - field: destination.ip + type: mapping + value: destination.ip + - field: destination.port + type: mapping + value: destination.port + - entries: + - field: source.ip + type: mapping + value: host.ip + threat_query: '*:*' + type: threat_match + example6: + description: New terms rule that creates alerts a new IP address is detected for a user + summary: New terms rule + value: + description: Detects a user associated with a new IP address + history_window_start: now-30d + index: + - auditbeat* + language: kuery + name: New User IP Detected + new_terms_fields: + - user.id + - source.ip + query: '*' + required_fields: + - name: user.id + type: keyword + - name: source.ip + type: ip + risk_score: 21 + severity: medium + type: new_terms + example7: + description: esql rule that creates alerts from events that match an Excel parent process + summary: Esql rule + value: + description: Find Excel events + enabled: false + from: now-360s + interval: 5m + language: esql + name: Find Excel events + query: from auditbeat-8.10.2 METADATA _id, _version, _index | where process.parent.name == "EXCEL.EXE" + required_fields: + - name: process.parent.name + type: keyword + risk_score: 21 + severity: low + tags: [] + to: now + type: esql + example8: + description: Query rule that searches for processes started by MS Office and suppresses alerts by the process.parent.name field within a 5-hour time period + summary: Query rule 2 + value: + alert_suppression: + duration: + unit: h + value: 5 + group_by: + - process.parent.name + 
missing_fields_strategy: suppress + description: Process started by MS Office program - possible payload + enabled: false + filters: + - query: + match: + event.action: + query: 'Process Create (rule: ProcessCreate)' + type: phrase + from: now-70m + interval: 1h + language: kuery + name: MS Office child process + query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE + risk_score: 50 + rule_id: process_started_by_ms_office_program + severity: low + tags: + - child process + - ms office + type: query + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleCreateProps' + required: true + responses: + '200': + content: + application/json: + examples: + example1: + description: Example response for a query rule + summary: Query rule response + value: + actions: [] + created_at: '2020-04-07T14:51:09.755Z' + created_by: elastic + description: Process started by MS Office program - possible payload + enabled: false + false_positives: [] + filters: + - query: + match: + event.action: + query: 'Process Create (rule: ProcessCreate)' + type: phrase + from: now-70m + id: 6541b99a-dee9-4f6d-a86d-dbd1869d73b1 + immutable: false + interval: 1h + language: kuery + max_signals: 100 + name: MS Office child process + query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE + references: [] + related_integrations: + - package: o365 + version: ^2.3.2 + - integration: graphactivitylogs + package: azure + version: ^1.11.4 + required_fields: + - ecs: true + name: process.parent.name + type: keyword + risk_score: 50 + rule_id: process_started_by_ms_office_program + setup: '' + severity: low + tags: + - child process + - ms office + threat: [] + to: now + type: query + 
updated_at: '2020-04-07T14:51:09.970Z' + updated_by: elastic + version: 1 + example2: + description: Example response for a machine learning job rule + summary: Machine learning response + value: + actions: + - action_type_id: .slack + frequency: + notifyWhen: onActiveAlert + summary: true + throttle: null + group: default + id: 5ad22cd5-5e6e-4c6c-a81a-54b626a4cec5 + params: + message: 'Urgent: {{context.rule.description}}' + anomaly_threshold: 70 + created_at: '2020-04-07T14:45:15.679Z' + created_by: elastic + description: Generates alerts when the job discovers anomalies over 70 + enabled: true + false_positives: [] + from: now-6m + id: 83876f66-3a57-4a99-bf37-416494c80f3b + immutable: false + interval: 5m + machine_learning_job_id: linux_anomalous_network_activity_ecs + max_signals: 100 + name: Anomalous Linux network activity + note: Shut down the internet. + references: [] + related_integrations: [] + required_fields: [] + risk_score: 70 + rule_id: ml_linux_network_high_threshold + setup: '' + severity: high + status: going to run + status_date: '2020-04-07T14:45:21.685Z' + tags: + - machine learning + - Linux + threat: [] + to: now + type: machine_learning + updated_at: '2020-04-07T14:45:15.892Z' + updated_by: elastic + version: 1 + example3: + description: Example response for a threshold rule + summary: Threshold rule response + value: + actions: [] + author: [] + created_at: '2020-07-22T10:27:23.486Z' + created_by: elastic + description: Detects when there are 20 or more failed login attempts from the same IP address with a 2 minute time frame. 
+ enabled: true + exceptions_list: + - id: int-ips + namespace_type: single + type: detection + false_positives: [] + from: now-180s + id: 15dbde26-b627-4d74-bb1f-a5e0ed9e4993 + immutable: false + index: + - winlogbeat-* + interval: 2m + language: kuery + max_signals: 100 + name: Windows server prml-19 + query: host.name:prml-19 and event.category:authentication and event.outcome:failure + references: [] + related_integrations: + - package: o365 + version: ^2.3.2 + required_fields: + - ecs: true + name: source.ip + type: ip + risk_score: 30 + risk_score_mapping: [] + rule_id: liv-win-ser-logins + setup: '' + severity: low + severity_mapping: + - field: source.geo.city_name + operator: equals + severity: low + value: Manchester + - field: source.geo.city_name + operator: equals + severity: medium + value: London + - field: source.geo.city_name + operator: equals + severity: high + value: Birmingham + - field: source.geo.city_name + operator: equals + severity: critical + value: Wallingford + tags: + - Brute force + threat: [] + threshold: + field: source.ip + value: 20 + to: now + type: threshold + updated_at: '2020-07-22T10:27:23.673Z' + updated_by: elastic + version: 1 + example4: + description: Example response for an EQL rule + summary: EQL rule response + value: + author: [] + created_at: '2020-10-05T09:06:16.392Z' + created_by: elastic + description: Unusual rundll32.exe network connection + enabled: true + exceptions_list: [] + false_positives: [] + from: now-6m + id: 93808cae-b05b-4dc9-8479-73574b50f8b1 + immutable: false + interval: 5m + language: eql + max_signals: 100 + name: rundll32.exe network connection + query: sequence by process.entity_id with maxspan=2h [process where event.type in ("start", "process_started") and (process.name == "rundll32.exe" or process.pe.original_file_name == "rundll32.exe") and ((process.args == "rundll32.exe" and process.args_count == 1) or (process.args != "rundll32.exe" and process.args_count == 0))] [network where 
event.type == "connection" and (process.name == "rundll32.exe" or process.pe.original_file_name == "rundll32.exe")] + references: [] + related_integrations: + - package: o365 + version: ^2.3.2 + required_fields: + - ecs: true + name: event.type + type: keyword + - ecs: true + name: process.args + type: keyword + - ecs: true + name: process.args_count + type: long + - ecs: true + name: process.entity_id + type: keyword + - ecs: true + name: process.name + type: keyword + - ecs: true + name: process.pe.original_file_name + type: keyword + risk_score: 21 + risk_score_mapping: [] + rule_id: eql-outbound-rundll32-connections + setup: '' + severity: low + severity_mapping: [] + tags: + - EQL + - Windows + - rundll32.exe + threat: [] + throttle: no_actions + to: now + type: eql + updated_at: '2020-10-05T09:06:16.403Z' + updated_by: elastic + version: 1 + example5: + description: Example response for an indicator match rule + summary: Indicator match rule response + value: + author: [] + created_at: '2020-10-06T07:07:58.227Z' + created_by: elastic + description: Checks for bad IP addresses listed in the ip-threat-list index + enabled: true + exceptions_list: [] + false_positives: [] + from: now-6m + id: d5daa13f-81fb-4b13-be2f-31011e1d9ae1 + immutable: false + index: + - packetbeat-* + interval: 5m + language: kuery + max_signals: 100 + name: Bad IP threat match + query: destination.ip:* or host.ip:* + references: [] + related_integrations: + - package: o365 + version: ^2.3.2 + required_fields: + - ecs: true + name: destination.ip + type: ip + - ecs: true + name: destination.port + type: long + - ecs: true + name: host.ip + type: ip + risk_score: 50 + risk_score_mapping: [] + rule_id: 608501e4-c768-4f64-9326-cec55b5d439b + setup: '' + severity: medium + severity_mapping: [] + tags: [] + threat: [] + threat_index: + - ip-threat-list + threat_mapping: + - entries: + - field: destination.ip + type: mapping + value: destination.ip + - field: destination.port + type: mapping + 
value: destination.port + - entries: + - field: source.ip + type: mapping + value: host.ip + threat_query: '*:*' + to: now + type: threat_match + updated_at: '2020-10-06T07:07:58.237Z' + updated_by: elastic + version: 1 + example6: + description: Example response for a new terms rule + summary: New terms rule response + value: + author: [] + created_at: '2020-10-06T07:07:58.227Z' + created_by: elastic + description: Detects a user associated with a new IP address + enabled: true + exceptions_list: [] + false_positives: [] + from: now-6m + history_window_start: now-30d + id: eb7225c0-566b-11ee-8b4f-bbf3afdeb9f4 + immutable: false + index: + - auditbeat* + interval: 5m + language: kuery + max_signals: 100 + name: New User IP Detected + new_terms_fields: + - user.id + - source.ip + query: '*' + references: [] + related_integrations: + - package: o365 + version: ^2.3.2 + required_fields: + - ecs: true + name: user.id + type: keyword + - ecs: true + name: source.ip + type: ip + risk_score: 21 + risk_score_mapping: [] + rule_id: c6f5d0bc-7be9-47d4-b2f3-073d22641e30 + setup: '' + severity: medium + severity_mapping: [] + tags: [] + threat: [] + to: now + type: new_terms + updated_at: '2020-10-06T07:07:58.237Z' + updated_by: elastic + version: 1 + example7: + description: Example response for an Esql rule + summary: Esql rule response + value: + actions: [] + author: [] + created_at: '2023-10-18T10:55:14.269Z' + created_by: elastic + description: Find Excel events + enabled: false + exceptions_list: [] + false_positives: [] + from: now-360s + id: d0f20490-6da4-11ee-b85e-09e9b661f2e2 + immutable: false + interval: 5m + language: esql + max_signals: 100 + name: Find Excel events + output_index: '' + query: from auditbeat-8.10.2 METADATA _id | where process.parent.name == "EXCEL.EXE" + references: [] + related_integrations: + - package: o365 + version: ^2.3.2 + required_fields: + - ecs: true + name: process.parent.name + type: keyword + revision: 0 + risk_score: 21 + 
risk_score_mapping: [] + rule_id: e4b53a89-debd-4a0d-a3e3-20606952e589 + setup: '' + severity: low + severity_mapping: [] + tags: [] + threat: [] + to: now + type: esql + updated_at: '2023-10-18T10:55:14.269Z' + updated_by: elastic + version: 1 + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleResponse' + description: Indicates a successful call. + summary: Create a detection rule + tags: + - Security Detections API + x-metaTags: + - content: Kibana + name: product_name + put: + description: | + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/detection_engine/rules
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update a detection rule using the `rule_id` or `id` field. The original rule is replaced, and all unspecified fields are deleted. + + The difference between the `id` and `rule_id` is that the `id` is a unique rule identifier that is randomly generated when a rule is created and cannot be set, whereas `rule_id` is a stable rule identifier that can be assigned during rule creation. + > warn + > When used with [API key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running. + + > If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change. + operationId: UpdateRule + requestBody: + content: + application/json: + examples: + example1: + summary: Update query rule + value: + description: A new description + id: 14b7b513-3d8d-4b22-b7da-a7ae632f7e76 + name: A new name for the rule + risk_score: 22 + severity: medium + type: query + example2: + summary: Update EQL rule + value: + description: eql rule test + id: 9b684efb-acf9-4323-9bff-8335b3867d14 + index: + - apm-*-transaction* + language: eql + name: New name for EQL rule + query: process where process.name == "regsvr32.exe" + risk_score: 21 + severity: low + type: eql + example3: + summary: Update threshold rule + value: + description: Description of threat rule test + id: 005d2c4f-51ca-493d-a2bd-20ef076339b1 + language: kuery + name: New name for threat rule + query: 'agent.version : * and agent.id : "243d9b4f-ca01-4311-8e5c-9abbee91afd8"' + risk_score: 21 + severity: low + tags: + - new_tag + threshold: + cardinality: [] + field: [] + value: 400 + type: threshold + example4: + summary: Update new terms rule + value: + description: New description + 
history_window_start: now-7d + id: 569aac91-40dc-4807-a8ae-a2c8698089c4 + interval: 5m + name: New terms rule name + new_terms_fields: + - Endpoint.policy.applied.artifacts.global.identifiers.name + query: 'agent.version : "9.1.0"' + risk_score: 21 + severity: low + type: new_terms + example5: + summary: Update esql rule + value: + description: New description for esql rule + id: 0b15e8a2-49b6-47e0-a8e6-d63a6cc335bd + language: esql + name: New name for esql rule + query: | + FROM logs* + | STATS count = COUNT(*), min_timestamp = MIN(@timestamp) /* MIN(dateField) finds the earliest timestamp in the dataset. */ + | EVAL event_rate = count / DATE_DIFF("seconds", min_timestamp, NOW()) /* Calculates the event rate by dividing the total count of events by the time difference (in seconds) between the earliest event and the current time. */ + | KEEP event_rate + risk_score: 21 + severity: low + type: esql + example6: + summary: Update indicator match rule + value: + description: New description + id: 462f1986-10fe-40a3-a22c-2b1c9c4c48fd + name: New name for Indicator Match rule + query: source.ip:* or destination.ip:*\n + risk_score: 99 + severity: critical + threat_index: + - filebeat-* + - logs-ti_* + threat_mapping: + - entries: + - field: source.ip + type: mapping + value: threat.indicator.ip + - entries: + - field: destination.ip + type: mapping + value: threat.indicator.ip + threat_query: '@timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and threat.indicator.ip:* and not labels.is_ioc_transform_source:"true"' + type: threat_match + example7: + summary: Update machine learning rule + value: + anomaly_threshold: 50 + description: New description of ml rule + id: 60b13926-289b-41b1-a537-197ef1fa5059 + machine_learning_job_id: + - auth_high_count_logon_events_ea + name: New name of ml rule + risk_score: 21 + severity: low + type: machine_learning + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleUpdateProps' + description: | + > info + 
> All unspecified fields are deleted. You cannot modify the `id` or `rule_id` values. + required: true + responses: + '200': + content: + application/json: + examples: + example1: + summary: Example response for an updated rule + value: + actions: [] + created_at: '2020-04-07T14:51:09.755Z' + created_by: elastic + description: Updated description for the rule. + enabled: false + false_positives: [] + filters: + - query: null + from: now-70m + id: 6541b99a-dee9-4f6d-a86d-dbd1869d73b1 + immutable: false + interval: 1h language: kuery max_signals: 100 name: Updated Rule Name - query: >- - process.parent.name:EXCEL.EXE or - process.parent.name:MSPUB.EXE or - process.parent.name:OUTLOOK.EXE or - process.parent.name:POWERPNT.EXE or - process.parent.name:VISIO.EXE or - process.parent.name:WINWORD.EXE + query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE references: [] related_integrations: - package: o365 @@ -7558,2985 +15802,8842 @@ paths: setup: '' severity: low tags: - - child process - - ms office - threat: [] - to: now - type: query - updated_at: '2020-04-07T14:51:09.970Z' + - child process + - ms office + threat: [] + to: now + type: query + updated_at: '2020-04-07T14:51:09.970Z' + updated_by: elastic + version: 2 + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleResponse' + description: Indicates a successful call. + summary: Update a detection rule + tags: + - Security Detections API + x-metaTags: + - content: Kibana + name: product_name + /api/detection_engine/rules/_bulk_action: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/detection_engine/rules/_bulk_action
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Apply a bulk action, such as bulk edit, duplicate, or delete, to multiple detection rules. The bulk action is applied to all rules that match the query or to the rules listed by their IDs. + + The edit action allows you to add, delete, or set tags, index patterns, investigation fields, rule actions and schedules for multiple rules at once. + The edit action is idempotent, meaning that if you add a tag to a rule that already has that tag, no changes are made. The same is true for other edit actions, for example removing an index pattern that is not specified in a rule will not result in any changes. The only exception is the `add_rule_actions` and `set_rule_actions` action, which is non-idempotent. This means that if you add or set a rule action to a rule that already has that action, a new action is created with a new unique ID. + > warn + > When used with [API key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running. + + > If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change. + operationId: PerformRulesBulkAction + parameters: + - description: | + Enables dry run mode for the request call. + + Enable dry run mode to verify that bulk actions can be applied to specified rules. Certain rules, such as prebuilt Elastic rules on a Basic subscription, can’t be edited and will return errors in the request response. Error details will contain an explanation, the rule name and/or ID, and additional troubleshooting information. + + To enable dry run mode on a request, add the query parameter `dry_run=true` to the end of the request URL. Rules specified in the request will be temporarily updated. 
These updates won’t be written to Elasticsearch. + > info + > Dry run mode is not supported for the `export` bulk action. A 400 error will be returned in the request response. + in: query + name: dry_run + required: false + schema: + type: boolean + requestBody: + content: + application/json: + examples: + example01: + description: The following request activates all rules with the test tag. + summary: Enable - Enable all rules with the test tag + value: + action: enable + query: 'alert.attributes.tags: "test"' + example02: + description: The following request enables the rule with the specified ID. + summary: Enable - Enable a specific rule by ID. + value: + action: enable + ids: + - 748694f0-6977-4ea5-8384-cd2e39730779 + example03: + description: The following request disables the rule with the specified ID. + summary: Disable - Disable a specific rule by ID + value: + action: disable + ids: + - 748694f0-6977-4ea5-8384-cd2e39730779 + example04: + description: The following request duplicates rules with the specified IDs, including exceptions but not expired exceptions. + summary: Duplicate - Duplicate rules with specific IDs + value: + action: duplicate + duplicate: + include_exceptions: true + include_expired_exceptions: false + ids: + - 748694f0-6977-4ea5-8384-cd2e39730779 + - 461a4c22-416e-4009-a9a7-cf79656454bf + example05: + description: The following request deletes the rule with the specified ID. + summary: Delete - Delete a specific rule by ID + value: + action: delete + ids: + - cf4abfd1-7c37-4519-ab0f-5ea5c75fac60 + example06: + description: The following request runs the rule with the specified ID within the given date range. + summary: Run - Run a specific rule by ID + value: + action: run + ids: + - 748694f0-6977-4ea5-8384-cd2e39730779 + run: + end_date: '2025-03-10T23:59:59.999Z' + start_date: '2025-03-01T00:00:00.000Z' + example07: + description: The following request exports the rules with the specified IDs. 
+ summary: Export - Export specific rules by ID + value: + action: export + ids: + - 748694f0-6977-4ea5-8384-cd2e39730779 + example08: + description: The following request will validate that the add_index_patterns bulk action can be successfully applied to three rules. The dry_run parameter is specified in query parameters, e.g. POST api/detection_engine/rules/_bulk_action?dry_run=true + summary: Edit - dry run - Validate add_index_patterns bulk action + value: + action: edit + edit: + - type: add_index_patterns + value: + - test-* + ids: + - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 + - dc015d10-0831-11ed-ac8b-05a222bd8d4a + - de8f5af0-0831-11ed-ac8b-05a222bd8d4a + example09: + description: The following request adds the tag "tag-1" to the rules with the specified IDs. If the tag already exists for a rule, no changes are made. + summary: Edit - Add a tag to rules (idempotent) + value: + action: edit + edit: + - type: add_tags + value: + - tag-1 + ids: + - 8bc7dad0-9320-11ec-9265-8b772383a08d + - 8e5c1a40-9320-11ec-9265-8b772383a08d + example10: + description: The following request adds two tags at the same time, tag-1 and tag-2, to the rules that have the IDs sent in the payload. If the tags already exist for a rule, no changes are made. + summary: Edit - Add two tags to rules (idempotent) + value: + action: edit + edit: + - type: add_tags + value: + - tag-1 + - tag-2 + ids: + - 8bc7dad0-9320-11ec-9265-8b772383a08d + - 8e5c1a40-9320-11ec-9265-8b772383a08d + example11: + description: The following request removes the tag "tag-1" from the rules with the specified IDs. If the tag does not exist for a rule, no changes are made. 
+ summary: Edit - Delete a tag from rules (idempotent) + value: + action: edit + edit: + - type: delete_tags + value: + - tag-1 + ids: + - 8bc7dad0-9320-11ec-9265-8b772383a08d + - 8e5c1a40-9320-11ec-9265-8b772383a08d + example12: + description: The following request sets the tags "tag-1" and "tag-2" for the rules with the specified IDs, overwriting any existing tags. If the set of tags is the same as the existing tags, no changes are made. + summary: Edit - Set (overwrite existing) tags for rules (idempotent) + value: + action: edit + edit: + - type: set_tags + value: + - tag-1 + - tag-2 + ids: + - 8bc7dad0-9320-11ec-9265-8b772383a08d + - 8e5c1a40-9320-11ec-9265-8b772383a08d + example13: + description: The following request adds the index pattern "test-*" to the rules with the specified IDs. If the index pattern already exists for a rule, no changes are made. + summary: Edit - Add index patterns to rules (idempotent) + value: + action: edit + edit: + - type: add_index_patterns + value: + - test-* + ids: + - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 + - dc015d10-0831-11ed-ac8b-05a222bd8d4a + example14: + description: The following request removes the index pattern "test-*" from the rules with the specified IDs. If the index pattern does not exist for a rule, no changes are made. + summary: Edit - Remove index patterns from rules (idempotent) + value: + action: edit + edit: + - type: delete_index_patterns + value: + - test-* + ids: + - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 + - dc015d10-0831-11ed-ac8b-05a222bd8d4a + example15: + description: The following request sets the index patterns "test-*" and "prod-*" for the rules with the specified IDs, overwriting any existing index patterns. If the set of index patterns is the same as the existing index patterns, no changes are made. 
+ summary: Edit - Set (overwrite existing) index patterns for rules patterns (idempotent) + value: + action: edit + edit: + - type: set_index_patterns + value: + - test-* + ids: + - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 + - dc015d10-0831-11ed-ac8b-05a222bd8d4a + example16: + description: The following request adds investigation field to the rules with the specified IDs. + summary: Edit - Add investigation field to rules + value: + action: edit + edit: + - type: add_investigation_fields + value: + field_names: + - alert.status + ids: + - 12345678-1234-1234-1234-1234567890ab + - 87654321-4321-4321-4321-0987654321ba + example17: + description: The following request deletes investigation fields from the rules with the specified IDs. If the field does not exist for a rule, no changes are made. + summary: Edit - Delete investigation fields from rules (idempotent) + value: + action: edit + edit: + - type: delete_investigation_fields + ids: + - 12345678-1234-1234-1234-1234567890ab + - 87654321-4321-4321-4321-0987654321ba + value: + - field1 + - field2 + example18: + description: The following request sets investigation fields for the rules with the specified IDs, overwriting any existing investigation fields. If the set of investigation fields is the same as the existing investigation fields, no changes are made. + summary: Edit - Set (overwrite existing) investigation fields for rules (idempotent) + value: + action: edit + edit: + - type: set_investigation_fields + value: + - field1 + - field2 + ids: + - 12345678-1234-1234-1234-1234567890ab + - 87654321-4321-4321-4321-0987654321ba + example19: + description: The following request sets a timeline template for the rules with the specified IDs. If the same timeline template is already set for a rule, no changes are made. 
+ summary: Edit - Set (overwrite existing) timeline template for rules (idempotent) + value: + action: edit + edit: + - type: set_timeline + value: + timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd + timeline_title: Alerts Involving a Single User Timeline + ids: + - eacdfc95-e007-41c9-986e-4b2cbdfdc71b + example20: + description: The following request sets a schedule for the rules with the specified IDs. If the same schedule is already set for a rule, no changes are made. + summary: Edit - Set (overwrite existing) schedule for rules (idempotent) + value: + action: edit + edit: + - type: set_schedule + value: + interval: 1h + lookback: 30m + ids: + - 99887766-5544-3322-1100-aabbccddeeff + example21: + description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. + summary: Edit - Add rule actions to rules (non-idempotent) + value: + action: edit + edit: + - type: add_rule_actions + value: + actions: + - group: default + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: The message body + ids: + - 9e946bfc-3118-4c77-bb25-67d781191928 + example22: + description: The following request sets rule actions for the rules with the specified IDs. Each action receives its own unique ID. + summary: Edit - Set (overwrite existing) rule actions for rules (non-idempotent) + value: + action: edit + edit: + - type: set_rule_actions + value: + actions: + - group: default + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: The message body + ids: + - 9e946bfc-3118-4c77-bb25-67d781191928 + example23: + description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. 
+ summary: Edit - Add rule actions to rules for a webhook connector + value: + action: edit + edit: + - type: add_rule_actions + value: + actions: + - group: default3 + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: The message body + ids: + - 9e946bfc-3118-4c77-bb25-67d781191921 + example24: + description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. + summary: Edit - Add rule actions to rules for an email connector + value: + action: edit + edit: + - type: add_rule_actions + value: + actions: + - group: default3 + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + message: The message body + subject: Subject + to: address@domain.com + ids: + - 9e946bfc-3118-4c77-bb25-67d781191921 + example25: + description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. + summary: Edit - Add rule actions to rules for a slack connector + value: + action: edit + edit: + - type: add_rule_actions + value: + actions: + - group: default3 + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + message: The content of the message + ids: + - 9e946bfc-3118-4c77-bb25-67d781191921 + example26: + description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. + summary: Edit - Add rule actions to rules for a PagerDuty connector + value: + action: edit + edit: + - type: add_rule_actions + value: + actions: + - group: default3 + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + eventAction: trigger + severity: critical + summary: The message body + timestamp: '2023-10-31T00:00:00.000Z' + ids: + - 9e946bfc-3118-4c77-bb25-67d781191921 + example27: + description: The following request set alert suppression to the rules with the specified IDs. 
+ summary: Edit - Set alert suppression to rules (idempotent) + value: + action: edit + edit: + - type: set_alert_suppression + value: + duration: + unit: h + value: 1 + group_by: + - source.ip + missing_fields_strategy: suppress + ids: + - 12345678-1234-1234-1234-1234567890ab + - 87654321-4321-4321-4321-0987654321ba + example28: + description: The following request set alert suppression to threshold rules with the specified IDs. + summary: Edit - Set alert suppression to threshold rules (idempotent) + value: + action: edit + edit: + - type: set_alert_suppression_for_threshold + value: + duration: + unit: h + value: 1 + ids: + - 12345678-1234-1234-1234-1234567890ab + - 87654321-4321-4321-4321-0987654321ba + example29: + description: The following request removes alert suppression from the rules with the specified IDs. If the rules do not have alert suppression, no changes are made. + summary: Edit - Removes alert suppression from rules (idempotent) + value: + action: edit + edit: + - type: delete_alert_suppression + ids: + - 12345678-1234-1234-1234-1234567890ab + - 87654321-4321-4321-4321-0987654321ba + example30: + description: The following request triggers the filling of gaps for the specified rule ids and time range + summary: Fill Gaps - Manually trigger the filling of gaps for specified rules + value: + action: fill_gaps + ids: + - 748694f0-6977-4ea5-8384-cd2e39730779 + - 164d0918-f720-4c9f-9f5c-c5122587cf19 + run: + end_date: '2025-03-10T23:59:59.999Z' + start_date: '2025-03-01T00:00:00.000Z' + schema: + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_BulkDeleteRules' + - $ref: '#/components/schemas/Security_Detections_API_BulkDisableRules' + - $ref: '#/components/schemas/Security_Detections_API_BulkEnableRules' + - $ref: '#/components/schemas/Security_Detections_API_BulkExportRules' + - $ref: '#/components/schemas/Security_Detections_API_BulkDuplicateRules' + - $ref: '#/components/schemas/Security_Detections_API_BulkManualRuleRun' + - $ref: 
'#/components/schemas/Security_Detections_API_BulkManualRuleFillGaps' + - $ref: '#/components/schemas/Security_Detections_API_BulkEditRules' + responses: + '200': + content: + application/json: + examples: + example01: + description: In this response one rule was updated and one was skipped. Objects returned in attributes.results.skipped will only include rules' id, name, and skip_reason. + summary: Successful response + value: + attributes: + results: + created: [] + deleted: [] + skipped: + - id: 51658332-a15e-4c9e-912a-67214e2e2359 + name: Skipped rule + skip_reason: RULE_NOT_MODIFIED + updated: + - anomaly_threshold: 50 + author: + - Elastic + created_at: '2022-02-21T14:14:13.801Z' + created_by: elastic + description: A machine learning job detected unusually large numbers of DNS queries for a single top-level DNS domain, which is often used for DNS tunneling. DNS tunneling can be used for command-and-control, persistence, or data exfiltration activity. For example, dnscat tends to generate many DNS questions for a top-level domain as it uses the DNS protocol to tunnel data. + enabled: true + exceptions_list: [] + execution_summary: + last_execution: + date: '2022-03-23T16:06:12.787Z' + message: This rule attempted to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, but no matching index was found. + metrics: + execution_gap_duration_s: 0 + total_indexing_duration_ms: 15 + total_search_duration_ms: 135 + status: partial failure + status_order: 20 + false_positives: + - DNS domains that use large numbers of child domains, such as software or content distribution networks, can trigger this alert and such parent domains can be excluded. 
+ from: now-45m + id: 8bc7dad0-9320-11ec-9265-8b772383a08d + immutable: false + interval: 15m + license: Elastic License v2 + machine_learning_job_id: + - packetbeat_dns_tunneling_ea + max_signals: 100 + name: DNS Tunneling [Duplicate] + references: + - https://www.elastic.co/docs/reference/machine-learning/ootb-ml-jobs-siem + related_integrations: [] + required_fields: [] + risk_score: 21 + risk_score_mapping: [] + rule_id: 7289bf08-4e91-4c70-bf01-e04c4c5d7756 + setup: '' + severity: low + severity_mapping: [] + tags: + - Elastic + - Network + - Threat Detection + - ML + threat: [] + to: now + type: machine_learning + updated_at: '2022-02-21T17:05:50.883Z' + updated_by: elastic + version: 6 + summary: + failed: 0 + skipped: 1 + succeeded: 1 + total: 2 + rules_count: 1 + success: true + example02: + description: If processing of any rule fails, a partial error outputs the ID and/or name of the affected rule and the corresponding error, as well as successfully processed rules (in the same format as a successful 200 request). + summary: Partial failure + value: + value: + attributes: + errors: + - message: Index patterns can't be added. Machine learning rule doesn't have index patterns property + rules: + - id: 8bc7dad0-9320-11ec-9265-8b772383a08d + name: DNS Tunneling [Duplicate] + status_code: 500 + results: + created: [] + deleted: [] + skipped: [] + updated: + - actions: [] + author: + - Elastic + created_at: '2022-02-21T14:14:17.883Z' + created_by: elastic + description: Generates a detection alert for each external alert written to the configured indices. Enabling this rule allows you to immediately begin investigating external alerts in the app. + enabled: true + exceptions_list: [] + execution_summary: + last_execution: + date: '2022-03-23T16:06:12.787Z' + message: This rule attempted to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, but no matching index was found. 
+ metrics: + execution_gap_duration_s: 0 + total_indexing_duration_ms: 15 + total_search_duration_ms: 135 + status: partial failure + status_order: 20 + false_positives: [] + from: now-6m + id: 8e5c1a40-9320-11ec-9265-8b772383a08d + immutable: false + index: + - apm-*-transaction* + - traces-apm* + - auditbeat-* + - filebeat-* + - logs-* + - packetbeat-* + - winlogbeat-* + - added-by-id-* + interval: 5m + language: kuery + license: Elastic License v2 + max_signals: 10000 + name: External Alerts [Duplicate] + query: | + event.kind:alert and not event.module:(endgame or endpoint) + references: [] + related_integrations: [] + required_fields: [] + risk_score: 47 + risk_score_mapping: + - field: event.risk_score + operator: equals + value: '' + rule_id: 941faf98-0cdc-4569-b16d-4af962914d61 + rule_name_override: message + setup: '' + severity: medium + severity_mapping: + - field: event.severity + operator: equals + severity: low + value: '21' + - field: event.severity + operator: equals + severity: medium + value: '47' + - field: event.severity + operator: equals + severity: high + value: '73' + - field: event.severity + operator: equals + severity: critical + value: '99' + tags: + - Elastic + - Network + - Windows + - APM + - macOS + - Linux + threat: [] + timestamp_override: event.ingested + to: now + type: query + updated_at: '2022-02-21T16:56:22.818Z' + updated_by: elastic + version: 5 + summary: + failed: 1 + skipped: 0 + succeeded: 1 + total: 2 + message: Bulk edit partially failed + rules_count: 2 + status_code: 500 + success: false + example03: + description: The attributes.errors section of the response shows that two rules failed to update and one succeeded. The same results would be returned if you ran the request without dry run mode enabled. Notice that there are no arrays in attributes.results. 
In dry run mode, rule updates are not applied and saved to Elasticsearch, so the endpoint wouldn’t return results for rules that have been updated, created, or deleted. + summary: Dry run + value: + attributes: + errors: + - err_code: IMMUTABLE + message: Elastic rule can't be edited + rules: + - id: 81aa0480-06af-11ed-94fb-dd1a0597d8d2 + name: Unusual AWS Command for a User + status_code: 500 + - err_code: MACHINE_LEARNING_INDEX_PATTERN + message: Machine learning rule doesn't have index patterns + rules: + - id: dc015d10-0831-11ed-ac8b-05a222bd8d4a + name: Suspicious Powershell Script [Duplicate] + status_code: 500 + results: + created: [] + deleted: [] + skipped: [] + updated: [] + summary: + failed: 2 + skipped: 0 + succeeded: 1 + total: 3 + message: Bulk edit partially failed + status_code: 500 + example04: + description: This example presents the successful setting of tags for 2 rules. There was a difference between the set of tags that were being added and the tags that were already set in the rules, that's why the rules were updated. 
+ summary: Set tags successsully for 2 rules + value: + attributes: + results: + created: [] + deleted: [] + skipped: [] + updated: + - actions: [] + author: [] + created_at: '2025-03-25T11:46:41.899Z' + created_by: elastic + description: test + enabled: false + exceptions_list: [] + false_positives: [] + filters: [] + from: now-6m + id: 738112cd-6cfa-414a-8457-2a658845d6ba + immutable: false + index: + - apm-*-transaction* + - auditbeat-* + - endgame-* + - filebeat-* + - logs-* + - packetbeat-* + - traces-apm* + - winlogbeat-* + - '-*elastic-cloud-logs-*' + interval: 5m + language: kuery + license: '' + max_signals: 100 + meta: + kibana_siem_app_url: http://localhost:5601/kbn/app/security + name: Rule 1 + output_index: '' + query: '*' + references: [] + related_integrations: [] + required_fields: [] + revision: 1 + risk_score: 21 + risk_score_mapping: [] + rule_id: 6fb746a0-dfe5-40fa-b03f-5cbb84f3e32e + rule_source: + type: internal + setup: '' + severity: low + severity_mapping: [] + tags: + - tag-1 + - tag-2 + threat: [] + to: now + type: query + updated_at: '2025-03-25T11:47:11.350Z' + updated_by: elastic + version: 2 + - actions: + - action_type_id: .webhook + frequency: + notifyWhen: onActiveAlert + summary: true + throttle: null + group: default + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: Hello + uuid: 580e2e16-5e91-411c-999b-7b75a11ed441 + author: [] + created_at: '2025-03-25T09:49:08.343Z' + created_by: elastic + description: test + enabled: false + exceptions_list: [] + false_positives: [] + filters: [] + from: now-360s + id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b + immutable: false + index: + - apm-*-transaction* + - auditbeat-* + - endgame-* + - filebeat-* + - logs-* + - packetbeat-* + - traces-apm* + - winlogbeat-* + - '-*elastic-cloud-logs-*' + interval: 3m + investigation_fields: + field_names: + - alert.status + - Endpoint.policy.applied.artifacts.global.channel + language: kuery + license: '' + max_signals: 100 + meta: + from: 3m + 
kibana_siem_app_url: http://localhost:5601/kbn/app/security + name: Rule 2 + output_index: '' + query: '*' + references: [] + related_integrations: [] + required_fields: [] + revision: 33 + risk_score: 21 + risk_score_mapping: [] + rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180 + rule_source: + type: internal + setup: '' + severity: low + severity_mapping: [] + tags: + - tag-1 + - tag-2 + threat: [] + timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd + timeline_title: Alerts Involving a Single User Timeline + to: now + type: query + updated_at: '2025-03-25T11:47:11.357Z' + updated_by: elastic + version: 24 + summary: + failed: 0 + skipped: 0 + succeeded: 2 + total: 2 + rules_count: 2 + success: true + example05: + description: This example presents the idempotent behavior of the edit action with set_tags request. Both rules already had exactly the same tags that were being added, so no changes were made in any of them. + summary: Idempotent behavior of set_tags + value: + attributes: + results: + created: [] + deleted: [] + skipped: + - id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b + name: Rule 1 + skip_reason: RULE_NOT_MODIFIED + - id: 738112cd-6cfa-414a-8457-2a658845d6ba + name: Rule 2 + skip_reason: RULE_NOT_MODIFIED + updated: [] + summary: + failed: 0 + skipped: 2 + succeeded: 0 + total: 2 + rules_count: 2 + success: true + example06: + description: This example presents the idempotent behavior of the edit action with add_tags request. One rule was updated and one was skipped. The rule that was skipped already had all the tags that were being added. 
+ summary: Idempotent behavior of add_tags + value: + attributes: + results: + created: [] + deleted: [] + skipped: + - id: 738112cd-6cfa-414a-8457-2a658845d6ba + name: Test Rule 2 + skip_reason: RULE_NOT_MODIFIED + updated: + - actions: + - action_type_id: .webhook + frequency: + notifyWhen: onActiveAlert + summary: true + throttle: null + group: default + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: Hello + uuid: 580e2e16-5e91-411c-999b-7b75a11ed441 + author: [] + created_at: '2025-03-25T09:49:08.343Z' + created_by: elastic + description: test + enabled: false + exceptions_list: [] + false_positives: [] + filters: [] + from: now-360s + id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b + immutable: false + index: + - apm-*-transaction* + - auditbeat-* + - endgame-* + - filebeat-* + - logs-* + - packetbeat-* + - traces-apm* + - winlogbeat-* + - '-*elastic-cloud-logs-*' + interval: 3m + investigation_fields: + field_names: + - alert.status + - Endpoint.policy.applied.artifacts.global.channel + language: kuery + license: '' + max_signals: 100 + meta: + from: 3m + kibana_siem_app_url: http://localhost:5601/kbn/app/security + name: Test rule + output_index: '' + query: '*' + references: [] + related_integrations: [] + required_fields: [] + revision: 34 + risk_score: 21 + risk_score_mapping: [] + rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180 + rule_source: + type: internal + setup: '' + severity: low + severity_mapping: [] + tags: + - tag-1 + - tag-2 + - tag-4 + threat: [] + timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd + timeline_title: Alerts Involving a Single User Timeline + to: now + type: query + updated_at: '2025-03-25T11:55:12.752Z' + updated_by: elastic + version: 25 + summary: + failed: 0 + skipped: 1 + succeeded: 1 + total: 2 + rules_count: 2 + success: true + example07: + description: This example shows a non-idempotent nature of the set_rule_actions requests. 
Regardless if the actions are the same as the existing actions for a rule, the actions are always set in the rule and receive a new unique ID. + summary: Non-idempotent behavior for set_rule_actions + value: + attributes: + results: + created: [] + deleted: [] + skipped: [] + updated: + - actions: + - action_type_id: .webhook + frequency: + notifyWhen: onActiveAlert + summary: true + throttle: null + group: default + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: Hello + uuid: e48428e5-efac-4856-b8ad-b271c14eaa91 + author: [] + created_at: '2025-03-25T09:49:08.343Z' + created_by: elastic + description: test + enabled: false + exceptions_list: [] + false_positives: [] + filters: [] + from: now-360s + id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b + immutable: false + index: + - apm-*-transaction* + - auditbeat-* + - endgame-* + - filebeat-* + - logs-* + - packetbeat-* + - traces-apm* + - winlogbeat-* + - '-*elastic-cloud-logs-*' + interval: 3m + investigation_fields: + field_names: + - alert.status + - Endpoint.policy.applied.artifacts.global.channel + language: kuery + license: '' + max_signals: 100 + meta: + from: 3m + kibana_siem_app_url: http://localhost:5601/kbn/app/security + name: Test rule + output_index: '' + query: '*' + references: [] + related_integrations: [] + required_fields: [] + revision: 39 + risk_score: 21 + risk_score_mapping: [] + rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180 + rule_source: + type: internal + setup: '' + severity: low + severity_mapping: [] + tags: + - tag-1 + - tag-2 + - tag-4 + threat: [] + timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd + timeline_title: Alerts Involving a Single User Timeline + to: now + type: query + updated_at: '2025-03-25T12:17:40.528Z' + updated_by: elastic + version: 30 + summary: + failed: 0 + skipped: 0 + succeeded: 1 + total: 1 + rules_count: 1 + success: true + example08: + description: This example shows a non-idempotent nature of the add_rule_actions requests. 
Regardless if the added action is the same as another existing action for a rule, the new action is added to the rule and receives a new unique ID. + summary: Non-idempotent behavior for add_rule_actions + value: + attributes: + results: + created: [] + deleted: [] + skipped: [] + updated: + - actions: + - action_type_id: .webhook + frequency: + notifyWhen: onActiveAlert + summary: true + throttle: null + group: default + id: 76af173d-38d8-4a9a-b2cc-a3c695b845b4 + params: + body: Message body + uuid: 0309347e-3954-429c-9168-5da2663389af + - action_type_id: .webhook + frequency: + notifyWhen: onActiveAlert + summary: true + throttle: null + group: default + id: 76af173d-38d8-4a9a-b2cc-a3c695b845b4 + params: + body: Message body + uuid: 49ddaa94-d63d-410e-90dc-8c1bad9552bd + author: [] + created_at: '2025-04-02T12:42:03.400Z' + created_by: elastic + description: test + enabled: false + exceptions_list: [] + false_positives: [] + filters: [] + from: now-6m + id: 0d3eb0cd-88c4-4651-ac87-6d9f0cb87217 + immutable: false + index: + - apm-*-transaction* + - auditbeat-* + - endgame-* + - filebeat-* + - logs-* + - packetbeat-* + - traces-apm* + - winlogbeat-* + - '-*elastic-cloud-logs-*' + interval: 5m + language: kuery + license: '' + max_signals: 100 + meta: + kibana_siem_app_url: http://localhost:5601/kbn/app/security + name: Jacek test rule + output_index: '' + query: '*' + references: [] + related_integrations: [] + required_fields: [] + revision: 2 + risk_score: 21 + risk_score_mapping: [] + rule_id: 2684c020-1370-4719-ac27-eafe6428fe10 + rule_source: + type: internal + setup: '' + severity: low + severity_mapping: [] + tags: [] + threat: [] + to: now + type: query + updated_at: '2025-04-02T12:51:40.215Z' + updated_by: elastic + version: 2 + summary: + failed: 0 + skipped: 0 + succeeded: 1 + total: 1 + rules_count: 1 + success: true + schema: + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_BulkEditActionResponse' + - $ref: 
'#/components/schemas/Security_Detections_API_BulkExportActionResponse' + description: OK + summary: Apply a bulk action to detection rules + tags: + - Security Detections API + x-metaTags: + - content: Kibana + name: product_name + /api/detection_engine/rules/_export: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/detection_engine/rules/_export
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Export detection rules to an `.ndjson` file. The following configuration items are also included in the `.ndjson` file: + - Actions + - Exception lists + > info + > Rule actions and connectors are included in the exported file, but sensitive information about the connector (such as authentication credentials) is not included. You must re-add missing connector details after importing detection rules. + + > You can use Kibana’s [Saved Objects](https://www.elastic.co/docs/explore-analyze/find-and-organize/saved-objects) UI (Stack Management → Kibana → Saved Objects) or the Saved Objects APIs (experimental) to [export](https://www.elastic.co/docs/api/doc/kibana/operation/operation-exportsavedobjectsdefault) and [import](https://www.elastic.co/docs/api/doc/kibana/operation/operation-importsavedobjectsdefault) any necessary connectors before importing detection rules. + + > Similarly, any value lists used for rule exceptions are not included in rule exports or imports. Use the [Manage value lists](https://www.elastic.co/docs/solutions/security/detect-and-alert/create-manage-value-lists) UI (Rules → Detection rules (SIEM) → Manage value lists) to export and import value lists separately. + operationId: ExportRules + parameters: + - description: Determines whether a summary of the exported rules is returned. + in: query + name: exclude_export_details + required: false + schema: + default: false + type: boolean + - description: | + File name for saving the exported rules. + > info + > When using cURL to export rules to a file, use the -O and -J options to save the rules to the file name specified in the URL. 
+ in: query + name: file_name + required: false + schema: + default: export.ndjson + type: string + requestBody: + content: + application/json: + examples: + exportByRuleIds: + summary: Request body to export a subset of rules + value: + objects: + - rule_id: 343580b5-c811-447c-8d2d-2ccf052c6900 + - rule_id: 2938c9fa-53eb-4c04-b79c-33cbf041b18d + schema: + nullable: true + type: object + properties: + objects: + description: Array of objects with a rule's `rule_id` field. Do not use rule's `id` here. Exports all rules when unspecified. + items: + type: object + properties: + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + required: + - rule_id + type: array + required: + - objects + required: false + responses: + '200': + content: + application/ndjson: + examples: + sampleNdjson: + value: | + {"rule_id":"343580b5-c811-447c-8d2d-2ccf052c6900","name":"Example rule","type":"query","enabled":true} + {"exception_list":true} + {"export_summary":{"total_rules":1,"exceptions_count":0}} + schema: + description: | + An `.ndjson` file containing the returned rules. + + Each line in the file represents an object (a rule, exception list parent container, or exception list item), and the last line includes a summary of what was exported. + format: binary + type: string + description: Indicates a successful call. + summary: Export detection rules + tags: + - Security Detections API + x-codeSamples: + - lang: cURL + source: | + curl -X POST "localhost:5601/api/detection_engine/rules/_export?exclude_export_details=true&file_name=exported_rules.ndjson" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' + { + "objects": [ + { + "rule_id":"343580b5-c811-447c-8d2d-2ccf052c6900" + }, + { + "rule_id":"2938c9fa-53eb-4c04-b79c-33cbf041b18d" + } + ] + } + x-metaTags: + - content: Kibana + name: product_name + /api/detection_engine/rules/_find: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/detection_engine/rules/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve a paginated list of detection rules. By default, the first page is returned, with 20 results per page. + operationId: FindRules + parameters: + - description: | + List of `alert.attributes` field names to return for each rule (for example `name`, `enabled`). + If omitted, the default field set is returned. Repeat the parameter to pass multiple field names, or + use comma-separated values when supported by your client. + in: query + name: fields + required: false + schema: + items: + type: string + type: array + - description: | + Search query + + Filters the returned results according to the value of the specified field, using the alert.attributes.: syntax, where can be: + - name + - enabled + - tags + - createdBy + - interval + - updatedBy + > info + > Even though the JSON rule object uses created_by and updated_by fields, you must use createdBy and updatedBy fields in the filter. 
+ in: query + name: filter + required: false + schema: + type: string + - description: Field to sort by + in: query + name: sort_field + required: false + schema: + $ref: '#/components/schemas/Security_Detections_API_FindRulesSortField' + - description: Sort order + in: query + name: sort_order + required: false + schema: + $ref: '#/components/schemas/Security_Detections_API_SortOrder' + - description: Page number + in: query + name: page + required: false + schema: + default: 1 + minimum: 1 + type: integer + - description: Rules per page + in: query + name: per_page + required: false + schema: + default: 20 + minimum: 0 + type: integer + - description: Gaps range start + in: query + name: gaps_range_start + required: false + schema: + type: string + - description: Gaps range end + in: query + name: gaps_range_end + required: false + schema: + type: string + - description: Gap fill statuses + in: query + name: gap_fill_statuses + required: false + schema: + items: + $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' + type: array + - description: Gap auto fill scheduler ID used to determine gap fill status for rules + in: query + name: gap_auto_fill_scheduler_id + required: false + schema: + type: string + responses: + '200': + content: + application/json: + examples: + example1: + value: + data: + - created_at: '2020-02-02T10:05:19.613Z' + created_by: elastic + description: Identifies a PowerShell process launched by either cscript.exe or wscript.exe. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity. + enabled: false + execution_summary: + last_execution: + date: '2022-03-23T16:06:12.787Z' + message: This rule attempted to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, but no matching index was found. 
+ metrics: + execution_gap_duration_s: 0 + total_indexing_duration_ms: 15 + total_search_duration_ms: 135 + status: partial failure + status_order: 20 + false_positives: [] + from: now-6m + id: 89761517-fdb0-4223-b67b-7621acc48f9e + immutable: true + index: + - winlogbeat-* + interval: 5m + language: kuery + max_signals: 33 + name: Windows Script Executing PowerShell + query: 'event.action:"Process Create (rule: ProcessCreate)" and process.parent.name:("wscript.exe" or "cscript.exe") and process.name:"powershell.exe"' + references: [] + related_integrations: + - package: o365 + version: ^2.3.2 + required_fields: + - ecs: true + name: event.action + type: keyword + - ecs: true + name: process.name + type: keyword + - ecs: true + name: process.parent.name + type: keyword + risk_score: 21 + rule_id: f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc + setup: '' + severity: low + tags: + - Elastic + - Windows + threat: + - framework: MITRE ATT&CK + tactic: + id: TA0002 + name: Execution + reference: https://attack.mitre.org/tactics/TA0002/ + technique: + - id: T1193 + name: Spearphishing Attachment + reference: https://attack.mitre.org/techniques/T1193/ + to: now + type: query + updated_at: '2020-02-02T10:05:19.830Z' + updated_by: elastic + page: 1 + perPage: 5 + total: 4 + schema: + type: object + properties: + data: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleResponse' + type: array + page: + type: integer + perPage: + type: integer + total: + type: integer + warnings: + items: + $ref: '#/components/schemas/Security_Detections_API_WarningSchema' + type: array + required: + - page + - perPage + - total + - data + description: | + Successful response + > info + > These fields are under development and their usage or schema may change: execution_summary. 
+ summary: List all detection rules + tags: + - Security Detections API + x-codeSamples: + - lang: cURL + source: | + curl -X GET "localhost:5601/api/detection_engine/rules/_find?page=1&per_page=5&sort_field=enabled&sort_order=asc&filter=alert.attributes.name:windows" -H 'kbn-xsrf: true' + x-metaTags: + - content: Kibana + name: product_name + /api/detection_engine/rules/_import: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/detection_engine/rules/_import
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Import detection rules from an `.ndjson` file, including actions and exception lists. The request must include: + - The `Content-Type: multipart/form-data` HTTP header. + - A link to the `.ndjson` file containing the rules. + > warn + > When used with [API key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running. + + > If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change. + > info + > To import rules with actions, you need at least Read privileges for the Action and Connectors feature. To overwrite or add new connectors, you need All privileges for the Actions and Connectors feature. To import rules without actions, you don’t need Actions and Connectors privileges. Refer to [Enable and access detections](https://www.elastic.co/docs/solutions/security/detect-and-alert/detections-privileges) for more information. + + > info + > Rule actions and connectors are included in the exported file, but sensitive information about the connector (such as authentication credentials) is not included. You must re-add missing connector details after importing detection rules. + + > You can use Kibana’s [Saved Objects](https://www.elastic.co/docs/explore-analyze/find-and-organize/saved-objects) UI (Stack Management → Kibana → Saved Objects) or the Saved Objects APIs (experimental) to [export](https://www.elastic.co/docs/api/doc/kibana/operation/operation-exportsavedobjectsdefault) and [import](https://www.elastic.co/docs/api/doc/kibana/operation/operation-importsavedobjectsdefault) any necessary connectors before importing detection rules. 
+ + > Similarly, any value lists used for rule exceptions are not included in rule exports or imports. Use the [Manage value lists](https://www.elastic.co/docs/solutions/security/detect-and-alert/create-manage-value-lists) UI (Rules → Detection rules (SIEM) → Manage value lists) to export and import value lists separately. + operationId: ImportRules + parameters: + - description: Determines whether existing rules with the same `rule_id` are overwritten. + in: query + name: overwrite + required: false + schema: + default: false + type: boolean + - description: Determines whether existing exception lists with the same `list_id` are overwritten. Both the exception list container and its items are overwritten. + in: query + name: overwrite_exceptions + required: false + schema: + default: false + type: boolean + - description: Determines whether existing actions with the same `kibana.alert.rule.actions.id` are overwritten. + in: query + name: overwrite_action_connectors + required: false + schema: + default: false + type: boolean + - description: Generates a new list ID for each imported exception list. + in: query + name: as_new_list + required: false + schema: + default: false + type: boolean + requestBody: + content: + multipart/form-data: + examples: + rulesFile: + summary: Multipart part containing a rule export + value: + file: rules_import.ndjson + schema: + type: object + properties: + file: + description: The `.ndjson` file containing the rules. 
+ format: binary + type: string + required: true + responses: + '200': + content: + application/json: + examples: + example1: + summary: Import rules with success + value: + errors: [] + exceptions_errors: [] + exceptions_success: true + exceptions_success_count: 0 + rules_count: 1 + success: true + success_count: 1 + schema: + additionalProperties: false + type: object + properties: + action_connectors_errors: + items: + $ref: '#/components/schemas/Security_Detections_API_ErrorSchema' + type: array + action_connectors_success: + type: boolean + action_connectors_success_count: + minimum: 0 + type: integer + action_connectors_warnings: + items: + $ref: '#/components/schemas/Security_Detections_API_WarningSchema' + type: array + errors: + items: + $ref: '#/components/schemas/Security_Detections_API_ErrorSchema' + type: array + exceptions_errors: + items: + $ref: '#/components/schemas/Security_Detections_API_ErrorSchema' + type: array + exceptions_success: + type: boolean + exceptions_success_count: + minimum: 0 + type: integer + rules_count: + minimum: 0 + type: integer + success: + type: boolean + success_count: + minimum: 0 + type: integer + required: + - exceptions_success + - exceptions_success_count + - exceptions_errors + - rules_count + - success + - success_count + - errors + - action_connectors_errors + - action_connectors_warnings + - action_connectors_success + - action_connectors_success_count + description: Indicates a successful call. + summary: Import detection rules + tags: + - Security Detections API + x-codeSamples: + - lang: cURL + source: | + curl -X POST "/api/detection_engine/rules/_import" + -u : -H 'kbn-xsrf: true' + -H 'Content-Type: multipart/form-data' + --form "file=@" + x-metaTags: + - content: Kibana + name: product_name + /api/detection_engine/rules/{id}/exceptions: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/detection_engine/rules/{id}/exceptions
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create exception items that apply to a single detection rule. + operationId: CreateRuleExceptionListItems + parameters: + - description: Detection rule's identifier + examples: + id: + value: 330bdd28-eedf-40e1-bed0-f10176c7f9e0 + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Exceptions_API_UUID' + requestBody: + content: + application/json: + examples: + addItems: + value: + items: + - description: This is a sample detection type exception item. + entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + - field: host.name + operator: included + type: match_any + value: + - saturn + - jupiter + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + type: simple + schema: + example: + items: + - description: This is a sample detection type exception item. + entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + - field: host.name + operator: included + type: match_any + value: + - saturn + - jupiter + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + type: simple + type: object + properties: + items: + items: + $ref: '#/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemProps' + type: array + required: + - items + description: Rule exception items. + required: true + responses: + '200': + content: + application/json: + examples: + ruleExceptionItems: + value: + - _version: WzQsMV0= + comments: [] + created_at: '2025-01-07T20:07:33.119Z' + created_by: elastic + description: This is a sample detection type exception item. 
+ entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + - field: host.name + operator: included + type: match_any + value: + - saturn + - jupiter + id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c + type: simple + updated_at: '2025-01-07T20:07:33.119Z' + updated_by: elastic + schema: + items: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' + type: array + description: Successful response + '400': + content: + application/json: + examples: + badPayload: + value: + error: Bad Request + message: Invalid request payload JSON format + statusCode: 400 + badRequest: + value: + error: Bad Request + message: '[request params]: id: Invalid uuid' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + message: Unable to create exception-list + status_code: 403 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal 
Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Create rule exception items + tags: + - Security Exceptions API + x-metaTags: + - content: Kibana + name: product_name + /api/detection_engine/rules/prepackaged: + put: + description: | + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/detection_engine/rules/prepackaged
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Install and update all Elastic prebuilt detection rules and Timelines. + + This endpoint allows you to install and update prebuilt detection rules and Timelines provided by Elastic. + When you call this endpoint, it will: + - Install any new prebuilt detection rules that are not currently installed in your system. + - Update any existing prebuilt detection rules that have been modified or improved by Elastic. + - Install any new prebuilt Timelines that are not currently installed in your system. + - Update any existing prebuilt Timelines that have been modified or improved by Elastic. + + This ensures that your detection engine is always up-to-date with the latest rules and Timelines, + providing you with the most current and effective threat detection capabilities. + operationId: InstallPrebuiltRulesAndTimelines + responses: + '200': + content: + application/json: + examples: + example1: + value: + rules_installed: 112 + rules_updated: 0 + timelines_installed: 5 + timelines_updated: 2 + schema: + additionalProperties: false + type: object + properties: + rules_installed: + description: The number of rules installed + minimum: 0 + type: integer + rules_updated: + description: The number of rules updated + minimum: 0 + type: integer + timelines_installed: + description: The number of timelines installed + minimum: 0 + type: integer + timelines_updated: + description: The number of timelines updated + minimum: 0 + type: integer + required: + - rules_installed + - rules_updated + - timelines_installed + - timelines_updated + description: Indicates a successful call + summary: Install prebuilt detection rules and Timelines + tags: + - Security Detections API + x-metaTags: + - content: Kibana + name: product_name + /api/detection_engine/rules/prepackaged/_status: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/detection_engine/rules/prepackaged/_status
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve the status of all Elastic prebuilt detection rules and Timelines. + + This endpoint provides detailed information about the number of custom rules, installed prebuilt rules, available prebuilt rules that are not installed, outdated prebuilt rules, installed prebuilt timelines, available prebuilt timelines that are not installed, and outdated prebuilt timelines. + operationId: ReadPrebuiltRulesAndTimelinesStatus + responses: + '200': + content: + application/json: + examples: + example1: + value: + rules_custom_installed: 0 + rules_installed: 0 + rules_not_installed: 112 + rules_not_updated: 0 + timelines_installed: 0 + timelines_not_installed: 0 + timelines_not_updated: 0 + schema: + additionalProperties: false + type: object + properties: + rules_custom_installed: + description: The total number of custom rules + minimum: 0 + type: integer + rules_installed: + description: The total number of installed prebuilt rules + minimum: 0 + type: integer + rules_not_installed: + description: The total number of available prebuilt rules that are not installed + minimum: 0 + type: integer + rules_not_updated: + description: The total number of outdated prebuilt rules + minimum: 0 + type: integer + timelines_installed: + description: The total number of installed prebuilt timelines + minimum: 0 + type: integer + timelines_not_installed: + description: The total number of available prebuilt timelines that are not installed + minimum: 0 + type: integer + timelines_not_updated: + description: The total number of outdated prebuilt timelines + minimum: 0 + type: integer + required: + - rules_custom_installed + - rules_installed + - rules_not_installed + - rules_not_updated + - timelines_installed + - timelines_not_installed + - timelines_not_updated + description: Indicates a successful call + summary: Retrieve the status of prebuilt detection rules and Timelines + 
tags: + - Security Detections API + x-metaTags: + - content: Kibana + name: product_name + /api/detection_engine/rules/preview: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/detection_engine/rules/preview
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Simulates a detection rule using the same rule type and query logic as a persisted rule, over a short + time window, without persisting a rule or writing alerts. Use the response to validate queries, see sample + matching documents, and inspect execution logs. Pair `invocationCount` and `timeframeEnd` to cap run time. + operationId: RulePreview + parameters: + - description: Enables logging and returning in response ES queries, performed during rule execution + in: query + name: enable_logged_requests + required: false + schema: + type: boolean + requestBody: + content: + application/json: + examples: + queryRule: + value: + description: Find matching events + from: now-24h + index: + - logs-* + invocationCount: 1 + language: kuery + max_signals: 20 + name: Rule preview + query: 'process.name : *' + risk_score: 25 + severity: low + timeframeEnd: '2025-01-20T12:00:00.000Z' + to: now + type: query + schema: + anyOf: + - allOf: + - $ref: '#/components/schemas/Security_Detections_API_EqlRuleCreateProps' + - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' + - allOf: + - $ref: '#/components/schemas/Security_Detections_API_QueryRuleCreateProps' + - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' + - allOf: + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleCreateProps' + - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' + - allOf: + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleCreateProps' + - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' + - allOf: + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleCreateProps' + - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' + - allOf: + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleCreateProps' + - $ref: 
'#/components/schemas/Security_Detections_API_RulePreviewParams' + - allOf: + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateProps' + - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' + - allOf: + - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleCreateProps' + - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' + discriminator: + propertyName: type + description: | + Rule create payload (same shape as `POST /api/detection_engine/rules` for a given `type`) plus + `invocationCount` and `timeframeEnd` to control how the preview is executed. Optional + `enable_logged_requests` surfaces Elasticsearch request logging for debugging. + required: true + responses: + '200': + content: + application/json: + examples: + success: + value: + isAborted: false + logs: + - duration: 45 + errors: [] + requests: [] + startedAt: '2025-01-20T10:00:00.000Z' + warnings: [] + previewId: 7f1c9d1e-4c8a-4a3e-9a5d-0d4f6e1b2a90 + schema: + type: object + properties: + isAborted: + type: boolean + logs: + items: + $ref: '#/components/schemas/Security_Detections_API_RulePreviewLogs' + type: array + previewId: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + required: + - logs + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request body].timeframeEnd: expected string, received null' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user 
[elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Preview rule alerts generated on specified time range + tags: + - Security Detections API + x-metaTags: + - content: Kibana + name: product_name + /api/detection_engine/signals/assignees: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/detection_engine/signals/assignees
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Assign users to detection alerts, and unassign them from alerts. + > info + > You cannot add and remove the same assignee in the same request. + operationId: SetAlertAssignees + requestBody: + content: + application/json: + examples: + add: + $ref: '#/components/examples/Security_Detections_API_SetAlertAssigneesBodyAdd' + remove: + $ref: '#/components/examples/Security_Detections_API_SetAlertAssigneesBodyRemove' + schema: + $ref: '#/components/schemas/Security_Detections_API_SetAlertAssigneesBody' + description: User profile IDs to add or remove on each listed alert document ID. + required: true + responses: + '200': + content: + application/json: + examples: + add: + value: + batches: 1 + deleted: 0 + failures: [] + noops: 0 + requests_per_second: -1 + retries: + bulk: 0 + search: 0 + throttled_millis: 0 + throttled_until_millis: 0 + timed_out: false + took: 76 + total: 1 + updated: 1 + version_conflicts: 0 + schema: + additionalProperties: true + description: Elasticsearch update by query response + type: object + description: | + Indicates a successful call. The body matches an Elasticsearch update-by-query response + (for example `took`, `updated`, `failures`). 
+ '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request body].ids: at least one alert id is required to update assignees' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [POST /api/detection_engine/signals/assignees] is unauthorized for the current user, this action is granted by the Kibana Security Solution privileges for cases and detections + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + description: Not enough privileges response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Assign and unassign users from detection alerts + tags: + - Security Detections API + x-metaTags: + - content: Kibana + name: product_name + /api/detection_engine/signals/finalize_migration: + post: + deprecated: true + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/detection_engine/signals/finalize_migration
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + **DEPRECATED.** Completes a legacy alert index migration. Do not automate against this in new code. + **WARNING:** Finalizing swaps read aliases; confirm the migration has finished successfully before calling. + + Finalize successful migrations of detection alerts. This replaces the original index's alias with the + successfully migrated index's alias. The endpoint is idempotent, so you can poll until a migration + finishes and then call this operation once. + operationId: FinalizeAlertsMigration + requestBody: + content: + application/json: + examples: + oneMigration: + value: + migration_ids: + - 924f7c50-505f-11eb-ae0a-3fa2e626a51d + schema: + example: + migration_ids: + - 924f7c50-505f-11eb-ae0a-3fa2e626a51d + type: object + properties: + migration_ids: + description: Array of `migration_id`s to finalize. + items: + type: string + minItems: 1 + type: array + required: + - migration_ids + description: Array of `migration_id`s to finalize + required: true + responses: + '200': + content: + application/json: + examples: + success: + value: + migrations: + - completed: true + destinationIndex: .siem-signals-default-000002-r000016 + id: 924f7c50-505f-11eb-ae0a-3fa2e626a51d + sourceIndex: .siem-signals-default-000002 + status: success + updated: '2021-01-06T22:05:56.859Z' + version: 16 + schema: + items: + $ref: '#/components/schemas/Security_Detections_API_MigrationFinalizationResult' + type: array + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request body].migration_ids: at least one migration id is required to finalize' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Invalid input data response + '401': + 
content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Finalize detection alert migrations + tags: + - Security Detections API + x-metaTags: + - content: Kibana + name: product_name + /api/detection_engine/signals/migration: + delete: + deprecated: true + description: | + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/detection_engine/signals/migration
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + **DEPRECATED.** Cleanup API for old migration artifacts. Do not add new call sites. + **WARNING:** This schedules deletions; ensure no production reads still point at the source index. + + Migrations favor data integrity over shard size. Consequently, unused or orphaned indices are artifacts of + the migration process. A successful migration can leave both the old and new indices present, so the old + index may be deleted. While you can delete these indices manually, the endpoint applies a deletion policy + to the relevant index, causing it to be deleted after 30 days, and removes other migration-specific artifacts. + operationId: AlertsMigrationCleanup + requestBody: + content: + application/json: + examples: + cleanupMigrations: + value: + migration_ids: + - 924f7c50-505f-11eb-ae0a-3fa2e626a51d + schema: + example: + migration_ids: + - 924f7c50-505f-11eb-ae0a-3fa2e626a51d + type: object + properties: + migration_ids: + description: Array of `migration_id`s to cleanup. 
+ items: + type: string + minItems: 1 + type: array + required: + - migration_ids + description: Array of `migration_id`s to cleanup + required: true + responses: + '200': + content: + application/json: + examples: + success: + value: + migrations: + - destinationIndex: .siem-signals-default-000002-r000016 + id: 924f7c50-505f-11eb-ae0a-3fa2e626a51d + sourceIndex: .siem-signals-default-000002 + status: success + updated: '2021-01-06T22:05:56.859Z' + version: 16 + schema: + items: + $ref: '#/components/schemas/Security_Detections_API_MigrationCleanupResult' + type: array + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request body].migration_ids: at least one migration id is required to run cleanup' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Clean up detection alert migrations + tags: + - Security Detections API + x-metaTags: + - content: Kibana + name: product_name + post: + deprecated: true + description: | + **Spaces method and path 
for this operation:** + +
post /s/{space_id}/api/detection_engine/signals/migration
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + **DEPRECATED.** Legacy API for on-demand reindexing of old `.siem-signals-*` alert indices. Do not build new + integrations; upgrade the Elastic Stack and rely on product-managed data lifecycle instead. + **WARNING:** Migrations can be resource intensive and should be planned during a maintenance window. + + Initiate a migration of detection alerts. Migrations are initiated per index. The process is not destructive + and should not remove existing data, but it can consume significant cluster resources. Plan capacity accordingly. + operationId: CreateAlertsMigration + requestBody: + content: + application/json: + examples: + singleIndex: + value: + index: + - .siem-signals-default-000001 + schema: + allOf: + - type: object + properties: + index: + description: Array of index names to migrate. + items: + format: nonempty + minLength: 1 + type: string + minItems: 1 + type: array + required: + - index + - $ref: '#/components/schemas/Security_Detections_API_AlertsReindexOptions' + description: Alerts migration parameters + required: true + responses: + '200': + content: + application/json: + examples: + success: + value: + indices: + - index: .siem-signals-default-000001, + migration_id: 923f7c50-505f-11eb-ae0a-3fa2e626a51d + migration_index: .siem-signals-default-000001-r000016 + schema: + type: object + properties: + indices: + items: + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_AlertsIndexMigrationSuccess' + - $ref: '#/components/schemas/Security_Detections_API_AlertsIndexMigrationError' + - $ref: '#/components/schemas/Security_Detections_API_SkippedAlertsIndexMigration' + type: array + required: + - indices + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request body].index: at least one index name is required to start a migration' + statusCode: 400 
+ schema: + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Initiate a detection alert migration + tags: + - Security Detections API + x-metaTags: + - content: Kibana + name: product_name + /api/detection_engine/signals/migration_status: + get: + deprecated: true + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/detection_engine/signals/migration_status
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + **DEPRECATED.** This endpoint was used for historical `.siem-signals-*` index migration workflows. Do not use + for new automations; there is no supported replacement in this public API. + **WARNING:** Prefer upgrading through supported Elastic stack upgrades rather than ad-hoc index migrations. + + Retrieves indices that contain detection alerts of a particular age, along with migration information for + each of those indices. + operationId: ReadAlertsMigrationStatus + parameters: + - description: Maximum age of qualifying detection alerts + in: query + name: from + required: true + schema: + description: | + Time from which data is analyzed. For example, now-4200s means the rule analyzes data from 70 minutes + before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time). + example: now-30d + format: date-math + type: string + responses: + '200': + content: + application/json: + examples: + success: + value: + indices: + - index: .siem-signals-default-000002 + is_outdated: true + migrations: + - id: 924f7c50-505f-11eb-ae0a-3fa2e626a51d + status: pending + updated: '2021-01-06T20:41:37.173Z' + version: 16 + signal_versions: + - count: 100 + version: 15 + - count: 87 + version: 16 + version: 15 + - index: .siem-signals-default-000003 + is_outdated: false + migrations: [] + signal_versions: + - count: 54 + version: 16 + version: 16 + schema: + type: object + properties: + indices: + items: + $ref: '#/components/schemas/Security_Detections_API_IndexMigrationStatus' + type: array + required: + - indices + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request query].from: expected date-math, received null' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + - $ref: 
'#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Retrieve the status of detection alert migrations + tags: + - Security Detections API + x-metaTags: + - content: Kibana + name: product_name + /api/detection_engine/signals/search: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/detection_engine/signals/search
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Find and/or aggregate detection alerts that match the given query. + operationId: SearchAlerts + requestBody: + content: + application/json: + examples: + query: + value: + aggs: + alertsByGrouping: + terms: + field: host.name + size: 10 + missingFields: + missing: + field: host.name + query: + bool: + filter: + - bool: + filter: + - match_phrase: + kibana.alert.workflow_status: open + must: [] + must_not: + - exists: + field: kibana.alert.building_block_type + should: [] + - range: + '@timestamp': + gte: '2025-01-17T08:00:00.000Z' + lte: '2025-01-18T07:59:59.999Z' + runtime_mappings: {} + size: 0 + schema: + $ref: '#/components/schemas/Security_Detections_API_QueryAlertsBodyParams' + description: Elasticsearch query and aggregation request + description: Search and/or aggregation query + required: true + responses: + '200': + content: + application/json: + examples: + success: + value: + _shards: + failed: 0 + skipped: 0 + successful: 1 + total: 1 + aggregations: + alertsByGrouping: + buckets: + - doc_count: 5 + key: Host-f43kkddfyc + doc_count_error_upper_bound: 0 + sum_other_doc_count: 0 + missingFields: + doc_count: 0 + hits: + hits: [] + max_score: null + total: + relation: eq + value: 5 + timed_out: false + took: 0 + schema: + additionalProperties: true + description: Elasticsearch search response + type: object + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: 'Failed to parse search request: unknown query clause in bool filter' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + 
message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Find and/or aggregate detection alerts + tags: + - Security Detections API + x-metaTags: + - content: Kibana + name: product_name + /api/detection_engine/signals/status: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/detection_engine/signals/status
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Set the status of one or more detection alerts. + operationId: SetAlertsStatus + requestBody: + content: + application/json: + examples: + byId: + value: + signal_ids: + - 80e1383f856e67c1b7f7a1634744fa6d66b6e2ef7aa26d226e57afb5a7b2b4a1 + status: closed + byQuery: + value: + conflicts: proceed + query: + bool: + filter: + - '@timestamp': + format: strict_date_optional_time + gte: '2024-10-23T07:00:00.000Z' + lte: '2025-01-21T20:12:11.704Z' + range: null + - bool: + filter: + bool: + filter: + - match_phrase: + kibana.alert.workflow_status: open + - '@timestamp': + format: strict_date_optional_time + gte: '2024-10-23T07:00:00.000Z' + lte: '2025-01-21T20:12:11.704Z' + range: null + must: [] + must_not: + - exists: + field: kibana.alert.building_block_type + should: [] + must: [] + must_not: [] + should: [] + status: closed + schema: + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_SetAlertsStatusByIds' + - $ref: '#/components/schemas/Security_Detections_API_SetAlertsStatusByQuery' + description: An object containing desired status and explicit alert ids or a query to select alerts + required: true + responses: + '200': + content: + application/json: + examples: + byId: + value: + batches: 1 + deleted: 0 + failures: [] + noops: 0 + requests_per_second: -1 + retries: + bulk: 0 + search: 0 + throttled_millis: 0 + throttled_until_millis: 0 + timed_out: false + took: 81 + total: 1 + updated: 1 + version_conflicts: 0 + byQuery: + value: + batches: 1 + deleted: 0 + failures: [] + noops: 0 + requests_per_second: -1 + retries: + bulk: 0 + search: 0 + throttled_millis: 0 + throttled_until_millis: 0 + timed_out: false + took: 100 + total: 17 + updated: 17 + version_conflicts: 0 + schema: + additionalProperties: true + description: Elasticsearch update by query response + type: object + description: Successful response + '400': + content: + application/json: + 
examples: + badRequest: + value: + error: Bad Request + message: '[request body].signal_ids: at least one alert id is required to update status' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Set a detection alert status + tags: + - Security Detections API + x-metaTags: + - content: Kibana + name: product_name + /api/detection_engine/signals/tags: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/detection_engine/signals/tags
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Add tags to detection alerts, and remove them from alerts, by alert IDs or a query, in a single request. + > info + > You cannot add and remove the same alert tag in the same request. + operationId: SetAlertTags + requestBody: + content: + application/json: + examples: + add: + $ref: '#/components/examples/Security_Detections_API_SetAlertTagsBodyAdd' + remove: + $ref: '#/components/examples/Security_Detections_API_SetAlertTagsBodyRemove' + schema: + $ref: '#/components/schemas/Security_Detections_API_SetAlertTagsBody' + description: An object containing tags to add or remove and alert ids the changes will be applied + required: true + responses: + '200': + content: + application/json: + examples: + success: + value: + batches: 1, + deleted: 0, + failures: [] + noops: 0, + requests_per_second: '-1,' + retries: + bulk: 0, + search: 0 + throttled_millis: 0, + throttled_until_millis: 0, + timed_out: false, + took: 68, + total: 1, + updated: 1, + version_conflicts: 0, + schema: + additionalProperties: true + description: Elasticsearch update by query response + type: object + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request body].tags: cannot add and remove the same tag in a single request' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 
401 + schema: + $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Add and remove detection alert tags + tags: + - Security Detections API + x-metaTags: + - content: Kibana + name: product_name + /api/detection_engine/tags: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/detection_engine/tags
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all unique tags from all detection rules. + operationId: ReadTags + responses: + '200': + content: + application/json: + examples: + example1: + value: + - zeek + - suricata + - windows + - linux + - network + - initial access + - remote access + - phishing + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + description: Indicates a successful call + summary: List all detection rule tags + tags: + - Security Detections API + x-metaTags: + - content: Kibana + name: product_name + /api/encrypted_saved_objects/_rotate_key: + post: + description: | + Superuser role required. + + If a saved object cannot be decrypted using the primary encryption key, then Kibana will attempt to decrypt it using the specified decryption-only keys. In most of the cases this overhead is negligible, but if you're dealing with a large number of saved objects and experiencing performance issues, you may want to rotate the encryption key. + + This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. + operationId: rotateEncryptionKey + parameters: + - description: | + Specifies a maximum number of saved objects that Kibana can process in a single batch. Bulk key rotation is an iterative process since Kibana may not be able to fetch and process all required saved objects in one go and splits processing into consequent batches. By default, the batch size is 10000, which is also a maximum allowed value. + in: query + name: batch_size + required: false + schema: + default: 10000 + type: number + - description: | + Limits encryption key rotation only to the saved objects with the specified type. 
By default, Kibana tries to rotate the encryption key for all saved object types that may contain encrypted attributes. + in: query + name: type + required: false + schema: + type: string + responses: + '200': + content: + application/json: + examples: + rotateEncryptionKeyResponse: + $ref: '#/components/examples/Saved_objects_key_rotation_response' + schema: + type: object + properties: + failed: + description: | + Indicates the number of the saved objects that were still encrypted with one of the old encryption keys that Kibana failed to re-encrypt with the primary key. + type: number + successful: + description: | + Indicates the total number of all encrypted saved objects (optionally filtered by the requested `type`), regardless of the key Kibana used for encryption. + + NOTE: In most cases, `total` will be greater than `successful` even if `failed` is zero. The reason is that Kibana may not need or may not be able to rotate encryption keys for all encrypted saved objects. + type: number + total: + description: | + Indicates the total number of all encrypted saved objects (optionally filtered by the requested `type`), regardless of the key Kibana used for encryption. + type: number + description: Indicates a successful call. + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/Saved_objects_400_response' + description: Bad request + '429': + content: + application/json: + schema: + type: object + description: Already in progress. + summary: Rotate a key for encrypted saved objects + tags: + - saved objects + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint_list: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint_list
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create the exception list for Elastic Endpoint rule exceptions. When you create the exception list, it will have a `list_id` of `endpoint_list`. If the Elastic Endpoint exception list already exists, your request will return an empty response. + operationId: CreateEndpointList + responses: + '200': + content: + application/json: + examples: + alreadyExists: + summary: Endpoint exception list already exists (empty response) + value: {} + newList: + summary: Endpoint exception list created + value: + created_at: '2025-01-01T00:00:00.000Z' + created_by: elastic + description: Endpoint Security Exception List + id: 2e23a8c4-ef7e-4c10-adfa-3eae4e4b4b8b + immutable: false + list_id: endpoint_list + name: Endpoint Security Exception List + namespace_type: agnostic + os_types: [] + tags: [] + tie_breaker_id: e3c5a8e0-5b6a-4b4b-8b3a-2e23a8c4ef7e + type: endpoint + updated_at: '2025-01-01T00:00:00.000Z' + updated_by: elastic + version: 1 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_EndpointList' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request body]: expected value of type [object] but got [undefined]' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Invalid input data + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: 
'#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [POST /api/endpoint_list] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + description: Insufficient privileges + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Internal server error + summary: Create an Elastic Endpoint rule exception list + tags: + - Security Endpoint Exceptions API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint_list/items: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/endpoint_list/items
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete an Elastic Endpoint exception list item, specified by the `id` or `item_id` field. + operationId: DeleteEndpointListItem + parameters: + - description: Either `id` or `item_id` must be specified + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId' + - description: Either `id` or `item_id` must be specified + in: query + name: item_id + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId' + responses: + '200': + content: + application/json: + examples: + deleted: + summary: Deleted endpoint exception list item + value: + comments: [] + created_at: '2025-01-01T12:00:00.000Z' + created_by: elastic + description: Blocks a known malicious file by its hash + entries: + - field: file.hash.sha256 + operator: included + type: match + value: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e + item_id: block-malicious-file + list_id: endpoint_list + name: Block malicious file + namespace_type: agnostic + os_types: + - windows + tags: [] + tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 + type: simple + updated_at: '2025-01-01T12:00:00.000Z' + updated_by: elastic + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItem' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: Either "item_id" or "id" needs to be defined in the request + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Invalid input data + '401': + content: + application/json: + examples: + unauthorized: + 
value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [DELETE /api/endpoint_list/items?item_id=block-malicious-file] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + description: Insufficient privileges + '404': + content: + application/json: + examples: + notFound: + value: + message: 'exception list item item_id: "block-malicious-file" does not exist' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Endpoint list item not found + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Internal server error + summary: Delete an Elastic Endpoint exception list item + tags: + - Security Endpoint Exceptions API + x-metaTags: + - content: Kibana + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint_list/items
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the details of an Elastic Endpoint exception list item, specified by the `id` or `item_id` field. + operationId: ReadEndpointListItem + parameters: + - description: Either `id` or `item_id` must be specified + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId' + - description: Either `id` or `item_id` must be specified + in: query + name: item_id + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId' + responses: + '200': + content: + application/json: + examples: + item: + summary: Endpoint exception list item + value: + comments: [] + created_at: '2025-01-01T12:00:00.000Z' + created_by: elastic + description: Blocks a known malicious file by its hash + entries: + - field: file.hash.sha256 + operator: included + type: match + value: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e + item_id: block-malicious-file + list_id: endpoint_list + name: Block malicious file + namespace_type: agnostic + os_types: + - windows + tags: + - policy:all + tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 + type: simple + updated_at: '2025-01-01T12:00:00.000Z' updated_by: elastic - version: 2 schema: - $ref: '#/components/schemas/Security_Detections_API_RuleResponse' - description: Indicates a successful call. 
- summary: Patch a detection rule + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItem' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: id or item_id required + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Invalid input data + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [GET /api/endpoint_list/items?item_id=block-malicious-file] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + description: Insufficient privileges + '404': + content: + application/json: + examples: + notFound: + value: + message: 'exception list item item_id: "block-malicious-file" does not exist' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Endpoint list item not found + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Internal server error + 
summary: Get an Elastic Endpoint rule exception list item + tags: + - Security Endpoint Exceptions API + x-metaTags: + - content: Kibana + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint_list/items
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create an Elastic Endpoint exception list item, and associate it with the Elastic Endpoint exception list. + operationId: CreateEndpointListItem + requestBody: + content: + application/json: + examples: + matchAny: + summary: Exclude multiple process names + value: + description: Exclude common security tools from endpoint protection + entries: + - field: process.name + operator: included + type: match_any + value: + - scanner.exe + - updater.exe + name: Trusted security tools + os_types: + - windows + type: simple + simpleMatch: + summary: Block a specific file hash + value: + description: Blocks a known malicious file by its hash + entries: + - field: file.hash.sha256 + operator: included + type: match + value: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + name: Block malicious file + os_types: + - windows + tags: + - policy:all + type: simple + schema: + type: object + properties: + comments: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray' + default: [] + description: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription' + entries: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray' + item_id: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId' + meta: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta' + name: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName' + os_types: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray' + default: [] + tags: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags' + default: [] + type: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType' + required: + - type + - name + - 
description + - entries + description: Exception list item's properties + required: true + responses: + '200': + content: + application/json: + examples: + created: + summary: Endpoint exception list item created + value: + comments: [] + created_at: '2025-01-01T12:00:00.000Z' + created_by: elastic + description: Blocks a known malicious file by its hash + entries: + - field: file.hash.sha256 + operator: included + type: match + value: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e + item_id: block-malicious-file + list_id: endpoint_list + name: Block malicious file + namespace_type: agnostic + os_types: + - windows + tags: + - policy:all + tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 + type: simple + updated_at: '2025-01-01T12:00:00.000Z' + updated_by: elastic + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItem' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request body]: name: Required' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Invalid input data + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [POST /api/endpoint_list/items] is 
unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + description: Insufficient privileges + '409': + content: + application/json: + examples: + alreadyExists: + value: + message: 'exception list item id: "block-malicious-file" already exists' + status_code: 409 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Endpoint list item already exists + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Internal server error + summary: Create an Elastic Endpoint rule exception list item + tags: + - Security Endpoint Exceptions API + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/endpoint_list/items
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an Elastic Endpoint exception list item, specified by the `id` or `item_id` field. + operationId: UpdateEndpointListItem + requestBody: + content: + application/json: + examples: + updateName: + summary: Update an endpoint exception list item + value: + description: Updated description for the exception + entries: + - field: file.hash.sha256 + operator: included + type: match + value: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + item_id: block-malicious-file + name: Block malicious file (updated) + os_types: + - windows + - linux + type: simple + schema: + type: object + properties: + _version: + description: The version id, normally returned by the API when the item is retrieved. Use it ensure updates are made against the latest version. + type: string + comments: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray' + default: [] + description: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription' + entries: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray' + id: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId' + description: Either `id` or `item_id` must be specified + item_id: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId' + description: Either `id` or `item_id` must be specified + meta: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta' + name: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName' + os_types: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray' + default: [] + tags: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags' + type: + $ref: 
'#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType' + required: + - type + - name + - description + - entries + description: Exception list item's properties + required: true + responses: + '200': + content: + application/json: + examples: + updated: + summary: Endpoint exception list item updated + value: + comments: [] + created_at: '2025-01-01T12:00:00.000Z' + created_by: elastic + description: Updated description for the exception + entries: + - field: file.hash.sha256 + operator: included + type: match + value: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e + item_id: block-malicious-file + list_id: endpoint_list + name: Block malicious file (updated) + namespace_type: agnostic + os_types: + - windows + - linux + tags: + - policy:all + tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 + type: simple + updated_at: '2025-01-15T09:30:00.000Z' + updated_by: elastic + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItem' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request body]: name: Required' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Invalid input data + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication + '403': + content: + 
application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [PUT /api/endpoint_list/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + description: Insufficient privileges + '404': + content: + application/json: + examples: + notFound: + value: + message: 'list item item_id: "block-malicious-file" not found' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Endpoint list item not found + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Internal server error + summary: Update an Elastic Endpoint rule exception list item + tags: + - Security Endpoint Exceptions API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint_list/items/_find: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint_list/items/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all Elastic Endpoint exception list items. + operationId: FindEndpointListItems + parameters: + - description: | + Filters the returned results according to the value of the specified field, + using the `:` syntax. + in: query + name: filter + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' + - description: The page number to return + in: query + name: page + required: false + schema: + minimum: 0 + type: integer + - description: The number of exception list items to return per page + in: query + name: per_page + required: false + schema: + minimum: 0 + type: integer + - description: Determines which field is used to sort the results + in: query + name: sort_field + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' + - description: Determines the sort order, which can be `desc` or `asc` + in: query + name: sort_order + required: false + schema: + enum: + - desc + - asc + type: string + responses: + '200': + content: + application/json: + examples: + foundItems: + summary: Found endpoint exception list items + value: + data: + - comments: [] + created_at: '2025-01-01T12:00:00.000Z' + created_by: elastic + description: Blocks a known malicious file by its hash + entries: + - field: file.hash.sha256 + operator: included + type: match + value: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e + item_id: block-malicious-file + list_id: endpoint_list + name: Block malicious file + namespace_type: agnostic + os_types: + - windows + tags: + - policy:all + tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 + type: simple + updated_at: '2025-01-01T12:00:00.000Z' + updated_by: elastic + page: 1 + per_page: 20 + total: 1 + schema: + type: object + properties: + data: + description: The list 
of endpoint exception list items. + items: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItem' + type: array + page: + description: The current page number. + minimum: 0 + type: integer + per_page: + description: The number of items per page. + minimum: 0 + type: integer + pit: + description: The point-in-time ID for pagination. + type: string + total: + description: The total number of endpoint exception list items. + minimum: 0 + type: integer + required: + - data + - page + - per_page + - total + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request query]: page: Expected number, received string' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Invalid input data + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [GET /api/endpoint_list/items/_find] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + description: Insufficient privileges + '404': + content: + application/json: + examples: + notFound: + value: + message: 'list id: "endpoint_list" does not exist' + status_code: 
404 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Endpoint list not found + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Internal server error + summary: Get Elastic Endpoint exception list items + tags: + - Security Endpoint Exceptions API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint/action: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint/action
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all response actions. + operationId: EndpointGetActionsList + parameters: + - description: The page number to return. + in: query + name: page + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Page' + - description: The number of response actions to return per page. + in: query + name: pageSize + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_PageSize' + - description: A list of response action command names to filter by. + in: query + name: commands + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Commands' + - description: A list of Elastic Agent IDs to filter the response actions by. + in: query + name: agentIds + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentIds' + - description: A list of user IDs that submitted the response actions. + in: query + name: userIds + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_UserIds' + - description: A start date in ISO 8601 format or Date Math format (for example, `now-24h`). + in: query + name: startDate + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_StartDate' + - description: An end date in ISO 8601 format or Date Math format (for example, `now`). + in: query + name: endDate + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndDate' + - description: The agent type to filter response actions by. Defaults to `endpoint`. + in: query + name: agentTypes + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' + - description: A list of response action IDs whose outputs should be included in the response. 
+ in: query + name: withOutputs + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_WithOutputs' + - description: A list of response action types to filter by (`automated`, `manual`). + in: query + name: types + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Types' + responses: + '200': + content: + application/json: + examples: + actionsList: + summary: A list of response actions + value: + data: + - agents: + - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 + agentType: endpoint + command: running-processes + completedAt: '2022-08-08T09:50:47.672Z' + createdBy: elastic + id: b3d6de74-36b0-4fa8-be46-c375bf1771bf + isCompleted: true + isExpired: false + startedAt: '2022-08-08T15:24:57.402Z' + wasSuccessful: true + - agents: + - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 + agentType: endpoint + command: isolate + completedAt: '2022-08-08T10:41:57.352Z' + createdBy: elastic + id: 43b4098b-8752-4fbb-a7a7-6df7c74d0ee3 + isCompleted: true + isExpired: false + startedAt: '2022-08-08T15:23:37.359Z' + wasSuccessful: true + elasticAgentIds: + - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 + endDate: now + page: 1 + pageSize: 10 + startDate: now-24h/h + total: 2 + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_GetEndpointActionListResponse' + description: Indicates a successful call. + summary: Get response actions + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint/action_status: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint/action_status
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the status of response actions for the specified agent IDs. + operationId: EndpointGetActionsStatus + parameters: + - description: A list of agent IDs to get the action status for. + in: query + name: agent_ids + required: true + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentIds' + responses: + '200': + content: + application/json: + examples: + actionStatus: + summary: Pending response actions per agent + value: + data: + - agent_id: afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 + pending_actions: + execute: 0 + get-file: 0 + isolate: 0 + kill-process: 1 + running-processes: 0 + scan: 0 + unisolate: 0 + upload: 0 + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ActionStatusSuccessResponse' + description: Indicates a successful call. + summary: Get response actions status + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint/action/{action_id}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint/action/{action_id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the details of a response action using the action ID. + operationId: EndpointGetActionsDetails + parameters: + - description: The ID of the response action to retrieve. + in: path + name: action_id + required: true + schema: + example: fr518850-681a-4y60-aa98-e22640cae2b8 + type: string + responses: + '200': + content: + application/json: + examples: + actionDetails: + summary: Details of an isolate response action + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentType: endpoint + command: isolate + completedAt: '2022-08-08T10:41:57.352Z' + createdBy: elastic + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: true + isExpired: false + startedAt: '2022-08-08T15:23:37.359Z' + wasSuccessful: true + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ActionDetailsResponse' + description: OK + summary: Get action details + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint/action/{action_id}/file/{file_id}: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint/action/{action_id}/file/{file_id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get information for the specified response action file download. + operationId: EndpointFileInfo + parameters: + - description: The ID of the response action that generated the file. + in: path + name: action_id + required: true + schema: + type: string + - description: | + The file identifier is constructed in one of two ways: + - For Elastic Defend agents (`agentType` of `endpoint`): combine the `action_id` and `agent_id` values using a dot (`.`) separator: + `{file_id}` = `{action_id}.{agent_id}` + - For all other agent types: the `file_id` is the `agent_id` for which the response action was sent to. + in: path + name: file_id + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + fileInfo: + summary: File information for a response action upload + value: + data: + actionId: 233db9ea-6733-4849-9226-5a7039c7161d + agentId: ed518850-681a-4d60-bb98-e22640cae2a8 + agentType: endpoint + created: '2025-02-26T13:37:30.452Z' + id: 233db9ea-6733-4849-9226-5a7039c7161d.ed518850-681a-4d60-bb98-e22640cae2a8 + mimeType: application/zip + name: memory_dump.zip + size: 1048576 + status: READY + schema: + properties: + data: + type: object + properties: + actionId: + description: The response action ID. + type: string + agentId: + description: The agent ID that generated the file. + type: string + agentType: + description: The type of agent that generated the file. + type: string + created: + description: The date and time the file was created. + format: date-time + type: string + id: + description: The unique file identifier. + type: string + mimeType: + description: The MIME type of the file. + type: string + name: + description: The file name. + type: string + size: + description: The file size in bytes. + type: number + status: + description: The file upload status. 
+ enum: + - AWAITING_UPLOAD + - UPLOADING + - READY + - UPLOAD_ERROR + - DELETED + type: string + description: Indicates a successful call. + summary: Get file information + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint/action/{action_id}/file/{file_id}/download: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint/action/{action_id}/file/{file_id}/download
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Download a file associated with a response action. Files are downloaded in a password-protected `.zip` archive to prevent the file from running. Use password `elastic` to open the `.zip` in a safe environment. + > info + > Files retrieved from third-party-protected hosts require a different password. Refer to [Third-party response actions](https://www.elastic.co/docs/solutions/security/endpoint-response-actions/third-party-response-actions) for your system's password. + operationId: EndpointFileDownload + parameters: + - description: The ID of the response action that generated the file. + in: path + name: action_id + required: true + schema: + type: string + - description: | + The file identifier is constructed in one of two ways: + - For Elastic Defend agents (`agentType` of `endpoint`): combine the `action_id` and `agent_id` values using a dot (`.`) separator: + `{file_id}` = `{action_id}.{agent_id}` + - For all other agent types: the `file_id` is the `agent_id` for which the response action was sent to. + in: path + name: file_id + required: true + schema: + type: string + responses: + '200': + content: + application/octet-stream: + examples: + fileDownload: + summary: Password-protected ZIP archive containing the response action file + value: binary file content (password-protected .zip) + schema: + format: binary + type: string + description: Indicates a successful call. + summary: Download a file + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint/action/cancel: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/action/cancel
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Cancel a running or pending response action (Applies only to some agent types). + operationId: CancelAction + requestBody: + content: + application/json: + examples: + MicrosoftDefenderEndpoint: + summary: Cancel a response action on a Microsoft Defender for Endpoint host + value: + agent_type: microsoft_defender_endpoint + comment: Cancelling action due to change in requirements + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + id: 7f8c9b2a-4d3e-4f5a-8b1c-2e3f4a5b6c7d + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_CancelRouteRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + CancelSuccess: + summary: Cancel action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: microsoft_defender_endpoint + command: cancel + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: false + isExpired: false + outputs: {} + parameters: + id: 7f8c9b2a-4d3e-4f5a-8b1c-2e3f4a5b6c7d + startedAt: '2022-07-29T19:08:49.126Z' + status: pending + wasSuccessful: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' + description: Indicates a successful call. + summary: Cancel a response action + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint/action/execute: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/action/execute
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Run a shell command on an endpoint. + operationId: EndpointExecuteAction + requestBody: + content: + application/json: + examples: + executeCommand: + summary: Execute a shell command on an endpoint + value: + comment: Get list of all files + endpoint_ids: + - b3d6de74-36b0-4fa8-be46-c375bf1771bf + parameters: + command: ls -al + timeout: 600 + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ExecuteRouteRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + ExecuteSuccess: + summary: Execute action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: execute + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 9f934028-2300-4927-b531-b26376793dc4 + isCompleted: false + isExpired: false + outputs: {} + parameters: + command: ls -al + timeout: 600 + startedAt: '2023-07-28T18:43:27.362Z' + status: pending + wasSuccessful: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' + description: Indicates a successful call. + summary: Run a command + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint/action/get_file: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/action/get_file
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a file from an endpoint. + operationId: EndpointGetFileAction + requestBody: + content: + application/json: + examples: + getFile: + summary: Get a specific file from an endpoint + value: + comment: Get my file + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + path: /usr/my-file.txt + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_GetFileRouteRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + GetFileSuccess: + summary: Get file action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: get-file + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 27ba1b42-7cc6-4e53-86ce-675c876092b2 + isCompleted: false + isExpired: false + outputs: {} + parameters: + path: /usr/my-file.txt + startedAt: '2023-07-28T19:00:03.911Z' + status: pending + wasSuccessful: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' + description: Indicates a successful call. + summary: Get a file + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint/action/isolate: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/action/isolate
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Isolate an endpoint from the network. The endpoint remains isolated until it's released. + operationId: EndpointIsolateAction + requestBody: + content: + application/json: + examples: + multiple_endpoints: + summary: Isolates several hosts; includes a comment + value: + comment: Locked down, pending further investigation + endpoint_ids: + - 9972d10e-4b9e-41aa-a534-a85e2a28ea42 + - bc0e4f0c-3bca-4633-9fee-156c0b505d16 + - fa89271b-b9d4-43f2-a684-307cffddeb5a + single_endpoint: + summary: Isolates a single host with an endpoint_id value of ed518850-681a-4d60-bb98-e22640cae2a8 + value: + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + with_case_id: + summary: Isolates a single host with a case_id value of 1234 + value: + case_ids: + - 4976be38-c134-4554-bd5e-0fd89ce63667 + comment: Isolating as initial response + endpoint_ids: + - 1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0 + - b30a11bf-1395-4707-b508-fbb45ef9793e + schema: + type: object + properties: + agent_type: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' + alert_ids: + description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. + example: + - alert-id-1 + - alert-id-2 + items: + minLength: 1 + type: string + maxItems: 50 + minItems: 1 + type: array + case_ids: + description: The IDs of cases where the action taken will be logged. Max of 50. 
+ example: + - case-id-1 + - case-id-2 + items: + minLength: 1 + type: string + maxItems: 50 + minItems: 1 + type: array + comment: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' + endpoint_ids: + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' + parameters: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' + required: + - endpoint_ids + required: true + responses: + '200': + content: + application/json: + examples: + IsolateSuccess: + summary: Isolate action successfully created + value: + action: 233db9ea-6733-4849-9226-5a7039c7161d + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: isolate + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: false + isExpired: false + outputs: {} + startedAt: '2022-07-29T19:08:49.126Z' + status: pending + wasSuccessful: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_IsolateRouteResponse' + description: Indicates a successful call. + summary: Isolate an endpoint + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint/action/kill_process: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/action/kill_process
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Terminate a running process on an endpoint. + operationId: EndpointKillProcessAction + requestBody: + content: + application/json: + examples: + byEntityId: + summary: Terminate a process by entity ID + value: + comment: Terminating malicious process + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + entity_id: abc123 + byPid: + summary: Terminate a process by PID + value: + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + pid: 1234 + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_KillProcessRouteRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + KillProcessSuccess: + summary: Kill process action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: kill-process + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: false + isExpired: false + outputs: {} + parameters: + entity_id: abc123 + startedAt: '2022-07-29T19:08:49.126Z' + status: pending + wasSuccessful: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' + description: Indicates a successful call. + summary: Terminate a process + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint/action/memory_dump: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/action/memory_dump
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Generates memory dumps on the targeted host. + operationId: EndpointGenerateMemoryDump + requestBody: + content: + application/json: + examples: + ProcessMemoryDump: + summary: Generate a memory dump from the host machine + value: + agent_type: endpoint + comment: Generating memory dump for investigation + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + entity_id: abc123 + type: process + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_MemoryDumpRouteRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + MemoryDumpSuccessResponse: + summary: Memory dump action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: memory-dump + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: false + isExpired: false + outputs: {} + parameters: + entity_id: abc123 + type: process + startedAt: '2022-07-29T19:08:49.126Z' + status: pending + wasSuccessful: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' + description: Indicates a successful call. + summary: Generate a memory dump from the host machine + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint/action/running_procs: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/action/running_procs
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all processes running on an endpoint. + operationId: EndpointGetProcessesAction + requestBody: + content: + application/json: + examples: + singleEndpoint: + summary: Get running processes on a single endpoint + value: + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_GetProcessesRouteRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + RunningProcsSuccess: + summary: Running processes action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: running-processes + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: false + isExpired: false + outputs: {} + startedAt: '2022-07-29T19:08:49.126Z' + status: pending + wasSuccessful: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' + description: Indicates a successful call. + summary: Get running processes + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint/action/runscript: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/action/runscript
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Run a script on a host. Currently supported only for some agent types. + operationId: RunScriptAction + requestBody: + content: + application/json: + examples: + Elastic Defend: + description: Endpoint runscript to collect logs + summary: Run a script against an Elastic Defend agent + value: + agent_type: endpoint + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + scriptId: 1111-2222-3333-4444-5555-6666-7777-8888 + scriptInput: '--path= /usr/log/exec.log' + MDE: + description: Microsoft Defender Endpoint runscript + summary: Run a script against a Microsoft Defender Endpoint agent + value: + agent_type: microsoft_defender_endpoint + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + args: '-param1 value1 -param2 value2' + scriptName: my-script.ps1 + SentinelOne: + description: SentinelOne runscript + summary: Run a script against a SentinelOne agent + value: + agent_type: sentinel_one + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + scriptId: 1111-2222-3333-4444-5555-6666-7777-8888 + scriptInput: '--delete --paths-to-delete /tmp/temp_file.txt,/tmp/random_file.txt' + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_RunScriptRouteRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + RunScriptSuccess: + summary: Run script action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: sentinel_one + command: runscript + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: false + isExpired: false + outputs: {} + parameters: + scriptId: 1111-2222-3333-4444-5555-6666-7777-8888 + startedAt: 
'2022-07-29T19:08:49.126Z' + status: pending + wasSuccessful: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' + description: Indicates a successful call. + summary: Run a script + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint/action/scan: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/action/scan
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Scan a specific file or directory on an endpoint for malware. + operationId: EndpointScanAction + requestBody: + content: + application/json: + examples: + scanFile: + summary: Scan a file on an endpoint + value: + comment: Scan the file for malware + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + path: /usr/my-file.txt + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ScanRouteRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + ScanSuccess: + summary: Scan action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: scan + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 27ba1b42-7cc6-4e53-86ce-675c876092b2 + isCompleted: false + isExpired: false + outputs: {} + parameters: + path: /usr/my-file.txt + startedAt: '2023-07-28T19:00:03.911Z' + status: pending + wasSuccessful: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' + description: Indicates a successful call. + summary: Scan a file or directory + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint/action/state: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint/action/state
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a response actions state, which reports whether encryption is enabled. + operationId: EndpointGetActionsState + responses: + '200': + content: + application/json: + examples: + actionsState: + summary: Response actions state with encryption enabled + value: + data: + canEncrypt: true + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ActionStateSuccessResponse' + description: OK + summary: Get actions state + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint/action/suspend_process: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/action/suspend_process
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Suspend a running process on an endpoint. + operationId: EndpointSuspendProcessAction + requestBody: + content: + application/json: + examples: + byEntityId: + summary: Suspend a process by entity ID + value: + comment: Suspending suspicious process + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + entity_id: abc123 + byPid: + summary: Suspend a process by PID + value: + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + pid: 1234 + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_SuspendProcessRouteRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + SuspendProcessSuccess: + summary: Suspend process action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: suspend-process + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: false + isExpired: false + outputs: {} + parameters: + entity_id: abc123 + startedAt: '2022-07-29T19:08:49.126Z' + status: pending + wasSuccessful: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' + description: Indicates a successful call. + summary: Suspend a process + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint/action/unisolate: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/action/unisolate
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Release an isolated endpoint, allowing it to rejoin a network. + operationId: EndpointUnisolateAction + requestBody: + content: + application/json: + examples: + multipleHosts: + summary: 'Releases several hosts; includes a comment:' + value: + comment: Benign process identified, releasing group + endpoint_ids: + - 9972d10e-4b9e-41aa-a534-a85e2a28ea42 + - bc0e4f0c-3bca-4633-9fee-156c0b505d16 + - fa89271b-b9d4-43f2-a684-307cffddeb5a + singleHost: + summary: Releases a single host with an endpoint_id value of ed518850-681a-4d60-bb98-e22640cae2a8 + value: + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + withCaseId: + summary: Releases hosts with an associated case; includes a comment. + value: + case_ids: + - 4976be38-c134-4554-bd5e-0fd89ce63667 + comment: Remediation complete, restoring network + endpoint_ids: + - 1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0 + - b30a11bf-1395-4707-b508-fbb45ef9793e + schema: + type: object + properties: + agent_type: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' + alert_ids: + description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. + example: + - alert-id-1 + - alert-id-2 + items: + minLength: 1 + type: string + maxItems: 50 + minItems: 1 + type: array + case_ids: + description: The IDs of cases where the action taken will be logged. Max of 50. 
+ example: + - case-id-1 + - case-id-2 + items: + minLength: 1 + type: string + maxItems: 50 + minItems: 1 + type: array + comment: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' + endpoint_ids: + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' + parameters: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' + required: + - endpoint_ids + required: true + responses: + '200': + content: + application/json: + examples: + UnisolateSuccess: + summary: Unisolate action successfully created + value: + action: 233db9ea-6733-4849-9226-5a7039c7161d + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: unisolate + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: false + isExpired: false + outputs: {} + startedAt: '2022-07-29T19:08:49.126Z' + status: pending + wasSuccessful: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_UnisolateRouteResponse' + description: Indicates a successful call. + summary: Release an isolated endpoint + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint/action/upload: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/action/upload
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Upload a file to an endpoint. + operationId: EndpointUploadAction + requestBody: + content: + multipart/form-data: + examples: + uploadFile: + summary: Upload a script file to a specific endpoint + value: + comment: Pushing remediation script to host + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + file: RWxhc3RpYw== + parameters: + overwrite: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_UploadRouteRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + UploadSuccess: + summary: Upload action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: upload + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: Host-5i6cuc8kdv + id: 9ff6aebc-2cb6-481e-8869-9b30036c9731 + isCompleted: false + isExpired: false + outputs: {} + parameters: + file_id: 10e4ce3d-4abb-4f93-a0cd-eaf63a489280 + file_name: fix-malware.sh + file_sha256: a0bed94220193ba4895c0aa5b4e7e293381d15765cb164ddf7be5cdd010ae42a + file_size: 69 + startedAt: '2023-07-03T15:07:22.837Z' + status: pending + wasSuccessful: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' + description: Indicates a successful call. + summary: Upload a file + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint/metadata: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint/metadata
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all endpoint host metadata. + operationId: GetEndpointMetadataList + parameters: + - description: The page number to return. + in: query + name: page + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Page' + - description: The number of endpoints to return per page. + in: query + name: pageSize + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_PageSize' + - description: A KQL string to filter the endpoint metadata results. + in: query + name: kuery + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Kuery' + - description: A set of host statuses to filter the results by (for example, `healthy`, `updating`). + in: query + name: hostStatuses + required: true + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_HostStatuses' + - description: The field used to sort the results. + in: query + name: sortField + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_SortField' + - description: The sort order, either `asc` or `desc`. 
+ in: query + name: sortDirection + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_SortDirection' + responses: + '200': + content: + application/json: + examples: + metadataList: + summary: A list of endpoint host metadata + value: + data: + - host_status: healthy + last_checkin: '2023-07-04T15:47:57.432Z' + metadata: + agent: + id: 285297c6-3bff-4b83-9a07-f3e749801123 + type: endpoint + version: 8.10.0 + Endpoint: + policy: + applied: + id: d5371dcd-93b7-4627-af88-4084f7d6aa3e + name: test + status: success + status: enrolled + host: + hostname: WinDev2104Eval + os: + name: Windows + platform: windows + version: 20H2 + page: 0 + pageSize: 10 + sortDirection: desc + sortField: enrolled_at + total: 1 + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_MetadataListResponse' + description: Indicates a successful call. + summary: Get a metadata list + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint/metadata/{id}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint/metadata/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get host metadata for a specific endpoint. + operationId: GetEndpointMetadata + parameters: + - description: The agent ID of the endpoint. + in: path + name: id + required: true + schema: + example: ed518850-681a-4d60-bb98-e22640cae2a8 + type: string + responses: + '200': + content: + application/json: + examples: + endpointMetadata: + summary: Host metadata for a specific endpoint + value: + host_status: healthy + last_checkin: '2023-07-04T15:48:57.360Z' + metadata: + agent: + id: abb8a826-6812-448c-a571-6d8269b51449 + type: endpoint + version: 8.10.0 + Endpoint: + policy: + applied: + id: d5371dcd-93b7-4627-af88-4084f7d6aa3e + name: test + status: success + status: enrolled + host: + hostname: WinDev2104Eval + os: + name: Windows + platform: windows + version: 20H2 + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointMetadataResponse' + description: Indicates a successful call. + summary: Get metadata + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint/policy_response: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint/policy_response
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the most recent policy response for an endpoint. + operationId: GetPolicyResponse + parameters: + - description: The agent ID to retrieve the policy response for. + in: query + name: agentId + required: true + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentId' + responses: + '200': + content: + application/json: + examples: + policyResponse: + summary: The most recent policy response for an endpoint + value: + policy_response: + '@timestamp': '2023-07-04T15:48:57.360Z' + agent: + id: ed518850-681a-4d60-bb98-e22640cae2a8 + version: 7.16.0 + Endpoint: + policy: + applied: + endpoint_policy_version: '2' + id: d5371dcd-93b7-4627-af88-4084f7d6aa3e + name: My endpoint policy + status: success + version: '3' + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse' + description: Indicates a successful call. + summary: Get a policy response + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint/protection_updates_note/{package_policy_id}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint/protection_updates_note/{package_policy_id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the protection updates note for a package policy. + operationId: GetProtectionUpdatesNote + parameters: + - description: The package policy ID to retrieve the protection updates note for. + in: path + name: package_policy_id + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + protectionUpdatesNote: + summary: The protection updates note for a package policy + value: + note: Pinned protection updates to 2025-01-01 while validating new signatures. + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse' + description: Indicates a successful call. + summary: Get a protection updates note + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/protection_updates_note/{package_policy_id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create or update the protection updates note for a package policy. + operationId: CreateUpdateProtectionUpdatesNote + parameters: + - description: The package policy ID to create or update the protection updates note for. + in: path + name: package_policy_id + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + setNote: + summary: Set a new protection updates note + value: + note: Pinned protection updates to 2025-01-01 while validating new signatures. + schema: + type: object + properties: + note: + description: The note content. + type: string + required: true + responses: + '200': + content: + application/json: + examples: + noteSaved: + summary: Protection updates note saved + value: + note: Pinned protection updates to 2025-01-01 while validating new signatures. + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse' + description: Indicates a successful call. + summary: Create or update a protection updates note + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint/scripts_library: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint/scripts_library
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve a list of scripts + operationId: EndpointScriptLibraryListScripts + parameters: + - description: Page number of the results to return. Defaults to 1. + in: query + name: page + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Page' + - description: Number of results to return per page. Defaults to 10. Max value is 1000. + in: query + name: pageSize + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ApiPageSize' + - description: The field to sort the results by. Defaults to name. + in: query + name: sortField + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ApiSortField' + - description: The direction to sort the results by. Defaults to asc (ascending). + in: query + name: sortDirection + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_SortDirection' + - description: | + A KQL query string to filter the list of scripts. Nearly all fields in the script object are searchable. 
+ in: query + name: kuery + required: false + schema: + allOf: + - $ref: '#/components/schemas/Security_Endpoint_Management_API_Kuery' + - example: platform:windows + responses: + '200': + content: + application/json: + examples: + response: + summary: List of scripts response example + value: + data: [] + page: 1 + pageSize: 10 + sortDirection: asc + sortField: name + total: 100 + schema: + type: object + properties: + data: + items: + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointScript' + type: array + page: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Page' + pageSize: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ApiPageSize' + sortDirection: + $ref: '#/components/schemas/Security_Endpoint_Management_API_SortDirection' + sortField: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ApiSortField' + total: + description: The total number of scripts matching the query + type: integer + description: List of scripts response + summary: Get a list of scripts + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/scripts_library
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new script entry by uploading a script file + operationId: EndpointScriptLibraryCreateScript + requestBody: + content: + multipart/form-data: + examples: + CreateArchiveScriptEntry: + summary: Create an archive script entry + value: + description: Collects host data for investigation + example: ./collect_host_data.sh --help + file: ./collect_host_data.zip + fileType: archive + instructions: Collects host data for investigation + name: Collect host data + pathToExecutable: ./bin/collect_host_data.sh + platform: + - linux + - macos + requiresInput: false + CreateScriptEntry: + summary: Create a script entry + value: + description: Collects host data for investigation + example: ./collect_host_data.sh --help + file: ./collect_host_data.sh + fileType: script + instructions: Collects host data for investigation + name: Collect host data + platform: + - linux + - macos + requiresInput: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_CreateScriptRouteRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + CreateScriptEntrySuccess: + summary: Create a script entry + value: + data: + description: Collects host data for investigation + file: ./collect_host_data.sh + fileType: script + id: 1234567890 + instructions: No arguments required + name: Collect host data + platform: + - linux + - macos + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ScriptsApiResponse' + description: Action request was successfully created + summary: Create script + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint/scripts_library/{script_id}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/endpoint/scripts_library/{script_id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a script + operationId: EndpointScriptLibraryDeleteScript + parameters: + - description: The ID of the script entry to be deleted. + example: fr518850-681a-4y60-aa98-e22640cae2b8 + in: path + name: script_id + required: true + schema: + description: The ID of the script entry to be deleted. + example: fr518850-681a-4y60-aa98-e22640cae2b8 + type: string + responses: + '200': + content: + application/json: + examples: + response: + summary: Delete script response example. + value: {} + schema: + type: object + description: Delete script response. + summary: Delete a script + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint/scripts_library/{script_id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a script + operationId: EndpointScriptLibraryGetOneScript + parameters: + - description: The ID of the script entry. + example: fr518850-681a-4y60-aa98-e22640cae2b8 + in: path + name: script_id + required: true + schema: + description: The ID of the script entry. + example: fr518850-681a-4y60-aa98-e22640cae2b8 + type: string + responses: + '200': + content: + application/json: + examples: + UpdateScriptEntrySuccess: + summary: Get one script entry success + value: + data: + description: Collects host data for investigation + file: ./collect_host_data.sh + fileType: script + id: 1234567890 + instructions: No arguments required + name: Collect host data + platform: + - linux + - macos + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ScriptsApiResponse' + description: Get script response + summary: Get script + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + patch: + description: |- + **Spaces method and path for this operation:** + +
patch /s/{space_id}/api/endpoint/scripts_library/{script_id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update (full or partial) a script entry + operationId: EndpointScriptLibraryPatchUpdateScript + parameters: + - description: The ID of the script entry to be updated. + example: fr518850-681a-4y60-aa98-e22640cae2b8 + in: path + name: script_id + required: true + schema: + description: The ID of the script entry to be updated. + example: fr518850-681a-4y60-aa98-e22640cae2b8 + type: string + requestBody: + content: + multipart/form-data: + examples: + PatchUpdateScriptEntry: + summary: Update script entry instructions + value: + instructions: ./collect_host_data.sh --help + PatchUpdateScriptEntryFromArchiveToScript: + summary: Update script entry from an archive to a script + value: + fileType: script + PatchUpdateScriptEntryToArchive: + summary: Update script entry to be an archive + value: + fileType: archive + pathToExecutable: ./bin/collect_host_data.sh + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_PatchUpdateScriptRouteRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + UpdateScriptEntrySuccess: + summary: Update script entry success + value: + data: + description: Collects host data for investigation + file: ./collect_host_data.sh + fileType: script + id: 1234567890 + instructions: No arguments required + name: Collect host data + platform: + - linux + - macos + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ScriptsApiResponse' + description: Action request was successfully updated + summary: Update script + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint/scripts_library/{script_id}/download: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint/scripts_library/{script_id}/download
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Download a script file + operationId: EndpointScriptLibraryDownloadScript + parameters: + - description: The ID of the script entry. + example: fr518850-681a-4y60-aa98-e22640cae2b8 + in: path + name: script_id + required: true + schema: + description: The ID of the script entry. + example: fr518850-681a-4y60-aa98-e22640cae2b8 + type: string + responses: + '200': + content: + application/octet-stream: + examples: + response: + summary: Download script file response example. + value: null + schema: + description: A download stream is returned. + format: binary + type: string + description: Download script file response. + summary: Download a script file + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + /api/entity_analytics/monitoring/engine/delete: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/entity_analytics/monitoring/engine/delete
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Deletes the Privilege Monitoring Engine and optionally removes all associated privileged user data. + operationId: DeleteMonitoringEngine + parameters: + - description: Whether to delete all the privileged user data + in: query + name: data + required: false + schema: + default: false + type: boolean + responses: + '200': + content: + application/json: + examples: + DeleteMonitoringEngineResponse: + summary: Engine deleted successfully + value: + deleted: true + schema: + type: object + properties: + deleted: + type: boolean + required: + - deleted + description: Successful response + summary: Delete the Privilege Monitoring Engine + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/entity_analytics/monitoring/engine/disable: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_analytics/monitoring/engine/disable
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Disables the Privilege Monitoring Engine, stopping all monitoring activity without removing data. + operationId: DisableMonitoringEngine + responses: + '200': + content: + application/json: + examples: + DisableMonitoringEngineResponse: + summary: Engine disabled successfully + value: + status: disabled + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoringEngineDescriptor' + description: Successful response + summary: Disable the Privilege Monitoring Engine + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/entity_analytics/monitoring/engine/init: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_analytics/monitoring/engine/init
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Initializes the Privilege Monitoring Engine, setting up the required resources and starting the engine. + operationId: InitMonitoringEngine + responses: + '200': + content: + application/json: + examples: + InitMonitoringEngineResponse: + summary: Engine initialized successfully + value: + status: started + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoringEngineDescriptor' + description: Successful response + '500': + content: + application/json: + examples: + InitMonitoringEngineError: + summary: Internal server error during engine initialization + value: + error: + message: Failed to initialize monitoring engine + status: error + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoringEngineDescriptor' + description: Internal Server Error + summary: Initialize the Privilege Monitoring Engine + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/entity_analytics/monitoring/engine/schedule_now: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_analytics/monitoring/engine/schedule_now
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Schedules the Privilege Monitoring Engine to run as soon as possible, triggering an immediate monitoring cycle. + operationId: ScheduleMonitoringEngine + responses: + '200': + content: + application/json: + examples: + ScheduleMonitoringEngineResponse: + summary: Engine scheduled successfully + value: + success: true + schema: + type: object + properties: + success: + description: Indicates the scheduling was successful + type: boolean + description: Successful response + '409': + content: + application/json: + examples: + ScheduleMonitoringEngineConflict: + summary: Engine is already running + value: + message: Monitoring engine is already running + schema: + type: object + properties: + message: + description: Error message indicating the engine is already running + type: string + description: Conflict - Monitoring engine is already running + summary: Schedule the Privilege Monitoring Engine + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/entity_analytics/monitoring/privileges/health: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/entity_analytics/monitoring/privileges/health
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Returns the current health status of the Privilege Monitoring Engine, including engine status, error details, and user count statistics. + operationId: PrivMonHealth + responses: + '200': + content: + application/json: + examples: + PrivMonHealthResponse: + summary: Healthy privilege monitoring engine + value: + status: started + users: + current_count: 42 + max_allowed: 1000 + schema: + type: object + properties: + error: + type: object + properties: + message: + type: string + required: + - status + status: + $ref: '#/components/schemas/Security_Entity_Analytics_API_PrivilegeMonitoringEngineStatus' + users: + description: User statistics for privilege monitoring + type: object + properties: + current_count: + description: Current number of privileged users being monitored + type: integer + max_allowed: + description: Maximum number of privileged users allowed to be monitored + type: integer + required: + - current_count + - max_allowed + required: + - status + description: Successful response + summary: Health check on Privilege Monitoring + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/entity_analytics/monitoring/privileges/privileges: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/entity_analytics/monitoring/privileges/privileges
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Check if the current user has all required permissions for Privilege Monitoring + operationId: PrivMonPrivileges + responses: + '200': + content: + application/json: + examples: + PrivMonPrivilegesResponse: + summary: Privileges check response + value: + has_all_required: true + privileges: + elasticsearch: + index: + .entity_analytics.monitoring.user-default: + read: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityAnalyticsPrivileges' + description: Successful response + summary: Run a privileges check on Privilege Monitoring + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/entity_analytics/monitoring/users: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_analytics/monitoring/users
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Creates a new privileged user to be monitored by the Privilege Monitoring Engine. + operationId: CreatePrivMonUser + requestBody: + content: + application/json: + examples: + CreatePrivMonUserRequest: + summary: Create a monitored user + value: + entity_analytics_monitoring: + labels: + - field: department + source: api + value: IT + user: + name: john.doe + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_UserName' + required: true + responses: + '200': + content: + application/json: + examples: + CreatePrivMonUserResponse: + summary: Created monitored user + value: + '@timestamp': '2026-01-28T12:00:00.000Z' + entity_analytics_monitoring: + labels: + - field: department + source: api + value: IT + event: + ingested: '2026-01-28T12:00:00.000Z' + id: user-abc-123 + user: + is_privileged: true + name: john.doe + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoredUserDoc' + description: User created successfully + summary: Create a new monitored user + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/entity_analytics/monitoring/users/_csv: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_analytics/monitoring/users/_csv
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Bulk upserts privileged users by uploading a CSV file. Returns per-row errors and aggregate upload statistics. + operationId: PrivmonBulkUploadUsersCSV + requestBody: + content: + multipart/form-data: + examples: + PrivmonBulkUploadUsersCSVRequest: + summary: CSV file with privileged users + value: + file: | + username,is_privileged + john.doe,true + jane.smith,true + schema: + type: object + properties: + file: + description: The CSV file to upload. + format: binary + type: string + required: + - file + responses: + '200': + content: + application/json: + examples: + PrivmonBulkUploadUsersCSVResponse: + summary: Bulk upload response with mixed results + value: + errors: + - index: 1 + message: Invalid monitored field + username: john.doe + stats: + failedOperations: 1 + successfulOperations: 1 + totalOperations: 2 + uploaded: 2 + schema: + type: object + properties: + errors: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_PrivmonUserCsvUploadErrorItem' + type: array + stats: + $ref: '#/components/schemas/Security_Entity_Analytics_API_PrivmonUserCsvUploadStats' + required: + - errors + - stats + description: Bulk upload successful + '413': + description: File too large + summary: Upsert multiple monitored users via CSV upload + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/entity_analytics/monitoring/users/{id}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/entity_analytics/monitoring/users/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Removes a privileged user from monitoring by their document ID. + operationId: DeletePrivMonUser + parameters: + - description: The document ID of the monitored user to delete + in: path + name: id + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + DeletePrivMonUserResponse: + summary: User deleted successfully + value: + acknowledged: true + message: User deleted successfully + schema: + type: object + properties: + acknowledged: + description: Indicates if the deletion was successful + type: boolean + message: + description: A message providing additional information about the deletion status + type: string + required: + - success + description: User deleted successfully + summary: Delete a monitored user + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/entity_analytics/monitoring/users/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Updates the details of an existing monitored privileged user by their document ID. + operationId: UpdatePrivMonUser + parameters: + - description: The document ID of the monitored user to update + in: path + name: id + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + UpdatePrivMonUserRequest: + summary: Update a monitored user + value: + entity_analytics_monitoring: + labels: + - field: department + source: api + value: Security + user: + is_privileged: true + name: john.doe + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoredUserUpdateDoc' + required: true + responses: + '200': + content: + application/json: + examples: + UpdatePrivMonUserResponse: + summary: Updated monitored user + value: + '@timestamp': '2026-01-28T12:00:00.000Z' + entity_analytics_monitoring: + labels: + - field: department + source: api + value: Security + event: + ingested: '2026-01-28T12:00:00.000Z' + id: user-abc-123 + user: + is_privileged: true + name: john.doe + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoredUserDoc' + description: User updated successfully + summary: Update a monitored user + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/entity_analytics/monitoring/users/list: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/entity_analytics/monitoring/users/list
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Returns a list of all privileged users currently being monitored. Supports optional KQL filtering. + operationId: ListPrivMonUsers + parameters: + - description: KQL query to filter the list of monitored users + in: query + name: kql + required: false + schema: + type: string + responses: + '200': + content: + application/json: + examples: + ListPrivMonUsersResponse: + summary: List of monitored users + value: + - '@timestamp': '2026-01-28T12:00:00.000Z' + entity_analytics_monitoring: + labels: + - field: department + source: api + value: IT + event: + ingested: '2026-01-28T12:00:00.000Z' + id: user-abc-123 + user: + is_privileged: true + name: john.doe + - '@timestamp': '2026-01-15T09:00:00.000Z' + entity_analytics_monitoring: + labels: + - field: department + source: csv + value: Security + event: + ingested: '2026-01-15T09:00:00.000Z' + id: user-def-456 + user: + is_privileged: true + name: jane.smith + schema: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoredUserDoc' + type: array + description: List of monitored users + summary: List all monitored users + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/entity_analytics/privileged_user_monitoring/pad/install: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_analytics/privileged_user_monitoring/pad/install
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Installs the privileged access detection integration package and sets up the associated ML modules required for the Entity Analytics privileged user monitoring experience. + operationId: InstallPrivilegedAccessDetectionPackage + responses: + '200': + content: + application/json: + examples: + InstallPrivilegedAccessDetectionPackageResponse: + summary: Package installed successfully + value: + message: Privileged access detection package installed successfully + schema: + type: object + properties: + message: + type: string + required: + - message + description: Successful response + summary: Installs the privileged access detection package for the Entity Analytics privileged user monitoring experience + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/entity_analytics/privileged_user_monitoring/pad/status: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/entity_analytics/privileged_user_monitoring/pad/status
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Returns the installation and ML module setup status of the privileged access detection package, along with the state of each associated ML job. + operationId: GetPrivilegedAccessDetectionPackageStatus + responses: + '200': + content: + application/json: + examples: + GetPrivilegedAccessDetectionPackageStatusResponse: + summary: Package fully installed and running + value: + jobs: + - description: Detects high-risk login patterns + job_id: pad-high-risk-login + state: opened + - description: Detects privilege escalation events + job_id: pad-privilege-escalation + state: opened + ml_module_setup_status: complete + package_installation_status: complete + schema: + type: object + properties: + jobs: + items: + type: object + properties: + description: + type: string + job_id: + type: string + state: + enum: + - closing + - closed + - opened + - failed + - opening + type: string + required: + - job_id + - state + type: array + ml_module_setup_status: + enum: + - complete + - incomplete + type: string + package_installation_status: + enum: + - complete + - incomplete + type: string + required: + - package_installation_status + - ml_module_setup_status + - jobs + description: Privileged access detection status retrieved + summary: Gets the status of the privileged access detection package for the Entity Analytics privileged user monitoring experience + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/entity_analytics/watchlists: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_analytics/watchlists
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Creates a new entity analytics watchlist with an optional set of entity sources. Watchlists apply a risk score modifier to matched entities. + operationId: CreateWatchlist + requestBody: + content: + application/json: + examples: + CreateWatchlistRequest: + summary: Create watchlist request + value: + description: High risk vendor watchlist + managed: false + name: High Risk Vendors + riskModifier: 1.5 + CreateWatchlistWithSourcesRequest: + summary: Create watchlist with entity sources + value: + description: High risk vendor watchlist + entitySources: + - enabled: true + identifierField: user.name + indexPattern: my-sync-index + name: My User Index Source + type: index + managed: false + name: High Risk Vendors + riskModifier: 1.5 + schema: + type: object + properties: + description: + description: Description of the watchlist + type: string + entitySources: + description: Optional entity sources to create and link to the watchlist + items: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + filter: + $ref: '#/components/schemas/Security_Entity_Analytics_API_Filter' + identifierField: + description: Field used to query the entity store for index-type sources + type: string + indexPattern: + type: string + integrationName: + description: Required when type is entity_analytics_integration. One of entityanalytics_okta, entityanalytics_ad. 
+ type: string + matchers: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_Matcher' + type: array + name: + type: string + queryRule: + description: KQL query used to filter data from the provided index patterns + type: string + range: + $ref: '#/components/schemas/Security_Entity_Analytics_API_DateRange' + type: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntitySourceType' + required: + - type + - name + type: array + managed: + description: Indicates if the watchlist is managed by the system + type: boolean + name: + description: Unique name for the watchlist + type: string + riskModifier: + description: Risk score modifier associated with the watchlist + maximum: 2 + minimum: 0 + type: number + required: + - name + - riskModifier + required: true + responses: + '200': + content: + application/json: + examples: + CreateWatchlistResponse: + summary: Created watchlist + value: + createdAt: '2026-01-28T12:00:00.000Z' + description: High risk vendor watchlist + id: watchlist-123 + managed: false + name: High Risk Vendors + riskModifier: 1.5 + updatedAt: '2026-01-28T12:00:00.000Z' + schema: + allOf: + - $ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistObject' + - type: object + properties: + entitySources: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoringEntitySource' + type: array + description: Watchlist created successfully + summary: Create a new watchlist + tags: + - Security Entity Analytics API + x-state: Technical Preview + x-metaTags: + - content: Kibana + name: product_name + /api/entity_analytics/watchlists/{id}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/entity_analytics/watchlists/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieves the details of an entity analytics watchlist by its unique identifier. + operationId: GetWatchlist + parameters: + - description: Unique ID of the watchlist + in: path + name: id + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + GetWatchlistResponse: + summary: Watchlist details + value: + createdAt: '2026-01-28T12:00:00.000Z' + description: High risk vendor watchlist + id: watchlist-123 + managed: false + name: High Risk Vendors + riskModifier: 1.5 + updatedAt: '2026-02-18T12:00:00.000Z' + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistObject' + description: Watchlist details + summary: Get a watchlist by ID + tags: + - Security Entity Analytics API + x-state: Technical Preview + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/entity_analytics/watchlists/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Updates the name, description, risk modifier, or managed status of an existing entity analytics watchlist. + operationId: UpdateWatchlist + parameters: + - description: The ID of the watchlist to update + in: path + name: id + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + UpdateWatchlistRequest: + summary: Update watchlist request + value: + description: High risk vendor watchlist + managed: false + name: High Risk Vendors + riskModifier: 1.5 + schema: + type: object + properties: + description: + description: Description of the watchlist + type: string + managed: + description: Indicates if the watchlist is managed by the system + type: boolean + name: + description: Unique name of the watchlist + type: string + riskModifier: + description: Risk score modifier associated with the watchlist + maximum: 2 + minimum: 0 + type: number + required: + - name + - riskModifier + required: true + responses: + '200': + content: + application/json: + examples: + UpdateWatchlistResponse: + summary: Updated watchlist + value: + createdAt: '2026-01-28T12:00:00.000Z' + description: High risk vendor watchlist + id: watchlist-123 + managed: false + name: High Risk Vendors + riskModifier: 1.5 + updatedAt: '2026-02-18T12:00:00.000Z' + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistObject' + description: Watchlist updated successfully + summary: Update an existing watchlist + tags: + - Security Entity Analytics API + x-state: Technical Preview + x-metaTags: + - content: Kibana + name: product_name + /api/entity_analytics/watchlists/{watchlist_id}/csv_upload: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_analytics/watchlists/{watchlist_id}/csv_upload
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Uploads a CSV file to add entities to a watchlist. The CSV must contain a header row + with a "type" column (user, host, service, or generic) and one or more ECS identity + fields (e.g. "user.name", "host.hostname") used to match entities in the entity store. + + Matched entities are added to the watchlist and their `entity.attributes.watchlists` + field is updated in the entity store. + + Each row will match up to 10,000 entities. + operationId: UploadWatchlistCsv + parameters: + - description: The ID of the watchlist to add entities to + example: high-risk-vendors + in: path + name: watchlist_id + required: true + schema: + type: string + requestBody: + content: + multipart/form-data: + examples: + csvUpload: + summary: CSV file with user entities + value: + file: | + type,user.name + user,john.doe + user,jane.smith + schema: + type: object + properties: + file: + description: The CSV file to upload. 
+ format: binary + type: string + required: + - file + required: true + responses: + '200': + content: + application/json: + examples: + CsvUploadResponse: + summary: CSV upload response with mixed results + value: + failed: 1 + items: + - matchedEntities: 1 + status: success + - error: Invalid entity type + matchedEntities: 0 + status: failure + - matchedEntities: 0 + status: unmatched + successful: 1 + total: 3 + unmatched: 1 + schema: + type: object + properties: + failed: + description: Number of rows that failed to process + example: 1 + type: integer + items: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistCsvUploadResponseItem' + type: array + successful: + description: Number of rows that matched at least one entity + example: 1 + type: integer + total: + description: Total number of rows processed + example: 3 + type: integer + unmatched: + description: Number of rows that matched no entities + example: 1 + type: integer + required: + - successful + - failed + - total + - unmatched + - items + description: Upload successful + '413': + description: File too large + summary: Upload a CSV file to add entities to a watchlist tags: - - Security Detections API - - Rules API + - Security Entity Analytics API + x-state: Technical Preview + x-metaTags: + - content: Kibana + name: product_name + /api/entity_analytics/watchlists/{watchlist_id}/entities/assign: post: - description: > - Create a new detection rule. - - > warn - - > When used with [API - key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, - the user's key gets assigned to the affected rules. If the user's key - gets deleted or the user becomes inactive, the rules will stop running. - - - > If the API key that is used for authorization has different privileges - than the key that created or most recently updated the rule, the rule - behavior might change. 
- - - You can create the following types of rules: - - - * **Custom query**: Searches the defined indices and creates an alert - when a document matches the rule's KQL query. - - * **Event correlation**: Searches the defined indices and creates an - alert when results match an [Event Query Language - (EQL)](https://www.elastic.co/guide/en/elasticsearch/reference/current/eql.html) - query. - - * **Threshold**: Searches the defined indices and creates an alert when - the number of times the specified field's value meets the threshold - during a single execution. When there are multiple values that meet the - threshold, an alert is generated for each value. - For example, if the threshold `field` is `source.ip` and its `value` is `10`, an alert is generated for every source IP address that appears in at least 10 of the rule's search results. If you're interested, see [Terms Aggregation](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-bucket-terms-aggregation.html) for more information. - * **Indicator match**: Creates an alert when fields match values defined - in the specified [Elasticsearch - index](https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-create-index.html). - For example, you can create an index for IP addresses and use this index - to create an alert whenever an event's `destination.ip` equals a value - in the index. The index's field mappings should be - [ECS-compliant](https://www.elastic.co/guide/en/ecs/current/ecs-reference.html). - - * **New terms**: Generates an alert for each new term detected in source - documents within a specified time range. - - * **ES|QL**: Uses [Elasticsearch Query Language - (ES|QL)](https://www.elastic.co/guide/en/elasticsearch/reference/current/esql.html) - to find events and aggregate search results. - - * **Machine learning rules**: Creates an alert when a machine learning - job discovers an anomaly above the defined threshold. 
- - > info - - > To create machine learning rules, you must have the [appropriate - license](https://www.elastic.co/subscriptions) or use a [cloud - deployment](https://cloud.elastic.co/registration). Additionally, for - the machine learning rule to function correctly, the associated machine - learning job must be running. - - - To retrieve machine learning job IDs, which are required to create - machine learning jobs, call the [Elasticsearch Get jobs - API](https://www.elastic.co/guide/en/elasticsearch/reference/current/ml-get-job.html). - Machine learning jobs that contain `siem` in the `groups` field can be - used to create rules: - - - ```json - - ... - - "job_id": "linux_anomalous_network_activity_ecs", + description: | + **Spaces method and path for this operation:** - "job_type": "anomaly_detector", +
post /s/{space_id}/api/entity_analytics/watchlists/{watchlist_id}/entities/assign
- "job_version": "7.7.0", + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - "groups": [ - "auditbeat", - "process", - "siem" - ], + Assigns the provided entities to the specified watchlist using a "manual" source label. + The entities must already exist in the entity store. - ... + If an entity is already on the watchlist, no new document is created — the "manual" label + is added to its existing source labels instead. + operationId: AssignWatchlistEntities + parameters: + - description: The ID of the watchlist to add entities to + example: high-risk-vendors + in: path + name: watchlist_id + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + assignEntities: + summary: Assign two entities to a watchlist + value: + euids: + - user:john.doe + - host:web-01 + schema: + type: object + properties: + euids: + description: The EUIDs of the entities to assign + example: + - user:john.doe + - host:web-01 + items: + type: string + type: array + required: + - euids + required: true + responses: + '200': + content: + application/json: + examples: + assignEntitiesResponse: + summary: Successful assignment of two entities + value: + failed: 0 + items: + - euid: user:john.doe + status: success + - euid: host:web-01 + status: not_found + not_found: 1 + successful: 1 + total: 2 + schema: + type: object + properties: + failed: + description: Number of entities that failed to process + example: 0 + type: integer + items: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistEntityAssignResponseItem' + type: array + not_found: + description: Number of entities not found in the entity store + example: 1 + type: integer + successful: + description: Number of entities successfully assigned + example: 1 + type: integer + total: + description: Total number of entities processed + example: 2 + type: integer + required: + - successful + - failed + - not_found + - total + 
- items + description: Assignment successful + summary: Manually assign entities to a watchlist + tags: + - Security Entity Analytics API + x-state: Technical Preview; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/entity_analytics/watchlists/{watchlist_id}/entities/unassign: + post: + description: | + **Spaces method and path for this operation:** - ``` +
post /s/{space_id}/api/entity_analytics/watchlists/{watchlist_id}/entities/unassign
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Additionally, you can set up notifications for when rules create alerts. - The notifications use the [Alerting and Actions - framework](https://www.elastic.co/docs/explore-analyze/alerting). Each - action type requires a connector. Connectors store the information - required to send notifications via external systems. The following - connector types are supported for rule notifications: + Unassigns the provided entities from the specified watchlist. + This only removes the "manual" assignment. If the entity is also + assigned via other sources (for example, index or integration), it will + remain on the watchlist. + operationId: UnassignWatchlistEntities + parameters: + - description: The ID of the watchlist to remove entities from + example: high-risk-vendors + in: path + name: watchlist_id + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + unassignEntities: + summary: Unassign two entities from a watchlist + value: + euids: + - user:john.doe + - host:web-01 + schema: + type: object + properties: + euids: + description: The EUIDs of the entities to unassign + example: + - user:john.doe + - host:web-01 + items: + type: string + type: array + required: + - euids + required: true + responses: + '200': + content: + application/json: + examples: + unassignEntitiesResponse: + summary: Successful unassignment of two entities + value: + failed: 0 + items: + - euid: user:john.doe + status: success + - euid: host:web-01 + status: not_found + not_found: 1 + successful: 1 + total: 2 + schema: + type: object + properties: + failed: + description: Number of entities that failed to process + example: 0 + type: integer + items: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistEntityUnassignResponseItem' + type: array + not_found: + description: Number of entities not found in the manual watchlist 
assignment + example: 1 + type: integer + successful: + description: Number of entities successfully unassigned + example: 1 + type: integer + total: + description: Total number of entities processed + example: 2 + type: integer + required: + - successful + - failed + - not_found + - total + - items + description: Unassignment successful + summary: Manually unassign entities from a watchlist + tags: + - Security Entity Analytics API + x-state: Technical Preview; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/entity_analytics/watchlists/list: + get: + description: |- + **Spaces method and path for this operation:** +
get /s/{space_id}/api/entity_analytics/watchlists/list
- * Slack + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - * Email + Returns a list of all entity analytics watchlists. + operationId: ListWatchlists + responses: + '200': + content: + application/json: + examples: + ListWatchlistsResponse: + summary: List of watchlists + value: + - createdAt: '2026-01-28T12:00:00.000Z' + description: High risk vendor watchlist + id: watchlist-123 + managed: false + name: High Risk Vendors + riskModifier: 1.5 + updatedAt: '2026-02-18T12:00:00.000Z' + - createdAt: '2026-01-10T09:30:00.000Z' + description: Privileged user monitoring watchlist + id: watchlist-456 + managed: true + name: Privileged Accounts + riskModifier: 2 + updatedAt: '2026-02-01T15:45:00.000Z' + schema: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistObject' + type: array + description: List of watchlists + summary: List all watchlists + tags: + - Security Entity Analytics API + x-state: Technical Preview + x-metaTags: + - content: Kibana + name: product_name + /api/entity_store/enable: + post: + description: |- + **Spaces method and path for this operation:** - * PagerDuty +
post /s/{space_id}/api/entity_store/enable
- * Webhook + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - * Microsoft Teams + Initialize the entire Entity Store, creating engines for all or specified entity types. + operationId: InitEntityStore + requestBody: + content: + application/json: + schema: + type: object + properties: + delay: + default: 1m + description: The delay before the transform will run. + pattern: '[smdh]$' + type: string + docsPerSecond: + default: -1 + description: The number of documents per second to process. + type: integer + enrichPolicyExecutionInterval: + $ref: '#/components/schemas/Security_Entity_Analytics_API_Interval' + entityTypes: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + type: array + fieldHistoryLength: + default: 10 + description: The number of historical values to keep for each field. + type: integer + filter: + type: string + frequency: + default: 1m + description: The frequency at which the transform will run. + pattern: '[smdh]$' + type: string + indexPattern: + $ref: '#/components/schemas/Security_Entity_Analytics_API_IndexPattern' + lookbackPeriod: + default: 3h + description: The amount of time the transform looks back to calculate the aggregations. + pattern: '[smdh]$' + type: string + maxPageSearchSize: + default: 500 + description: The initial page size to use for the composite aggregation of each checkpoint. + type: integer + timeout: + default: 180s + description: The timeout for initializing the aggregating transform. + pattern: '[smdh]$' + type: string + timestampField: + default: '@timestamp' + description: The field to use as the timestamp. + type: string + description: Configuration for the entity store initialization. + required: true + responses: + '200': + content: + application/json: + examples: + initEntityStoreExample: + description: The Entity Store was successfully initialized, creating host and user engines in the installing state. 
+ summary: Entity Store initialized with host and user engines + value: + engines: + - delay: 1m + fieldHistoryLength: 10 + frequency: 1m + indexPattern: '' + lookbackPeriod: 24h + status: installing + timeout: 180s + timestampField: '@timestamp' + type: host + - delay: 1m + fieldHistoryLength: 10 + frequency: 1m + indexPattern: '' + lookbackPeriod: 24h + status: installing + timeout: 180s + timestampField: '@timestamp' + type: user + succeeded: true + schema: + type: object + properties: + engines: + description: The engine descriptors created during initialization. + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor' + type: array + succeeded: + description: Whether the Entity Store was initialized successfully. + type: boolean + description: Successful response + '400': + description: Invalid request + summary: Initialize the Entity Store + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/entity_store/engines: + delete: + operationId: DeleteEntityEngines + parameters: + - description: The entity type of the engine ('user', 'host', 'service', 'generic'). + examples: + hostAndService: + value: host,service + in: query + name: entityTypes + required: false + schema: + description: Array of engine types to delete. Empty by default, which results in all the engines being deleted. + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + type: array + - description: Control flag to also delete the entity data. + in: query + name: delete_data + required: false + schema: + type: boolean + responses: + '200': + content: + application/json: + examples: + deleteEntityEnginesExample: + description: Example response after deleting 'host' engine + value: + deleted: + - host + still_running: + - generic + - user + - service + schema: + type: object + properties: + deleted: + description: Entity types whose engines were successfully deleted. 
+ items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + type: array + still_running: + description: Entity types whose engines are still running. + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + type: array + description: Successful response + summary: Delete Entity Engines + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** - * IBM Resilient +
delete /s/{space_id}/api/entity_store/engines
- * Jira + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + get: + description: |- + **Spaces method and path for this operation:** - * ServiceNow ITSM +
get /s/{space_id}/api/entity_store/engines
- > info + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - > For more information on PagerDuty fields, see [Send a v2 - Event](https://developer.pagerduty.com/docs/events-api-v2/trigger-events/). + Get a list of all installed entity engines and their current status. + operationId: ListEntityEngines + responses: + '200': + content: + application/json: + examples: + listEntityEnginesExample: + description: Returns a list with one running host engine and one stopped user engine. + summary: Two engines installed + value: + count: 2 + engines: + - delay: 1m + fieldHistoryLength: 10 + frequency: 1m + indexPattern: '' + lookbackPeriod: 24h + status: started + timeout: 180s + timestampField: '@timestamp' + type: host + - delay: 1m + fieldHistoryLength: 10 + frequency: 1m + indexPattern: '' + lookbackPeriod: 24h + status: stopped + timeout: 180s + timestampField: '@timestamp' + type: user + schema: + type: object + properties: + count: + description: The total number of entity engines. + type: integer + engines: + description: An array of engine descriptors. + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor' + type: array + description: Successful response + summary: List the Entity Engines + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/entity_store/engines/{entityType}: + delete: + operationId: DeleteEntityEngine + parameters: + - description: The entity type of the engine (either 'user' or 'host'). + examples: + host: + value: host + in: path + name: entityType + required: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + - description: Control flag to also delete the entity data. + in: query + name: delete_data + required: false + schema: + type: boolean + - deprecated: true + description: Control flag to also delete the entity data. 
+ in: query + name: data + required: false + schema: + type: boolean + responses: + '200': + content: + application/json: + examples: + deleteEntityEngineExample: + description: Example response after deleting 'host' engine + value: + deleted: true + schema: + type: object + properties: + deleted: + description: Whether the engine was successfully deleted. + type: boolean + description: Successful response + summary: Delete the Entity Engine + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** +
delete /s/{space_id}/api/entity_store/engines/{entityType}
- To retrieve connector IDs, which are required to configure rule - notifications, call the [Find objects - API](https://www.elastic.co/docs/api/doc/kibana/operation/operation-findsavedobjects) - with `"type": "action"` in the request payload. + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + get: + description: |- + **Spaces method and path for this operation:** +
get /s/{space_id}/api/entity_store/engines/{entityType}
- For detailed information on Kibana actions and alerting, and additional - API calls, see: + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + Get the engine descriptor for a specific entity type, including its configuration and current status. + operationId: GetEntityEngine + parameters: + - description: The entity type of the engine. + example: host + in: path + name: entityType + required: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + responses: + '200': + content: + application/json: + examples: + getEntityEngineExample: + description: Returns the engine descriptor for a host engine that is currently running with default settings. + summary: A running host engine + value: + delay: 1m + fieldHistoryLength: 10 + frequency: 1m + indexPattern: '' + lookbackPeriod: 24h + status: started + timeout: 180s + timestampField: '@timestamp' + type: host + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor' + description: Successful response + summary: Get an Entity Engine + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/entity_store/engines/{entityType}/init: + post: + description: |- + **Spaces method and path for this operation:** - * [Alerting - API](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-alerting) +
post /s/{space_id}/api/entity_store/engines/{entityType}/init
- * [Alerting and Actions - framework](https://www.elastic.co/docs/explore-analyze/alerting) + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - * [Connectors - API](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-connectors) - operationId: CreateRule + Initialize a single entity engine for the specified entity type. + operationId: InitEntityEngine + parameters: + - description: The entity type of the engine. + in: path + name: entityType + required: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' requestBody: content: application/json: - examples: - example1: - description: Query rule that searches for processes started by MS Office - summary: Query rule - value: - description: Process started by MS Office program - possible payload - enabled: false - filters: - - query: - match: - event.action: - query: 'Process Create (rule: ProcessCreate)' - type: phrase - from: now-70m - interval: 1h - language: kuery - name: MS Office child process - query: >- - process.parent.name:EXCEL.EXE or - process.parent.name:MSPUB.EXE or - process.parent.name:OUTLOOK.EXE or - process.parent.name:POWERPNT.EXE or - process.parent.name:VISIO.EXE or - process.parent.name:WINWORD.EXE - related_integrations: - - package: o365 - version: ^2.3.2 - required_fields: - - name: process.parent.name - type: keyword - risk_score: 50 - rule_id: process_started_by_ms_office_program - severity: low - tags: - - child process - - ms office - type: query - example2: - description: >- - Threshold rule that detects multiple failed login attempts to - a Windows host from the same external source IP address - summary: Threshold rule - value: - description: >- - Detects when there are 20 or more failed login attempts from - the same IP address with a 2 minute time frame. 
- enabled: true - exceptions_list: - - id: int-ips - namespace_type: single - type: detection - from: now-180s - index: - - winlogbeat-* - interval: 2m - name: Windows server prml-19 - query: >- - host.name:prml-19 and event.category:authentication and - event.outcome:failure - required_fields: - - name: source.ip - type: ip - risk_score: 30 - rule_id: liv-win-ser-logins - severity: low - severity_mapping: - - field: source.geo.city_name - operator: equals - severity: low - value: Manchester - - field: source.geo.city_name - operator: equals - severity: medium - value: London - - field: source.geo.city_name - operator: equals - severity: high - value: Birmingham - - field: source.geo.city_name - operator: equals - severity: critical - value: Wallingford - tags: - - Brute force - threshold: - field: source.ip - value: 20 - type: threshold - example3: - description: >- - Machine learning rule that creates alerts, and sends Slack - notifications, when the linux_anomalous_network_activity_ecs - machine learning job discovers anomalies with a threshold of - 70 or above. - summary: Machine learning rule - value: - actions: - - action_type_id: .slack - group: default - id: 5ad22cd5-5e6e-4c6c-a81a-54b626a4cec5 - params: - message: 'Urgent: {{context.rule.description}}' - anomaly_threshold: 70 - description: Generates alerts when the job discovers anomalies over 70 - enabled: true - from: now-6m - interval: 5m - machine_learning_job_id: linux_anomalous_network_activity_ecs - name: Anomalous Linux network activity - note: Shut down the internet. - risk_score: 70 - rule_id: ml_linux_network_high_threshold - setup: This rule requires data coming in from Elastic Defend. 
- severity: high - tags: - - machine learning - - Linux - type: machine_learning - example4: - description: >- - Event correlation rule that creates alerts when the Windows - rundll32.exe process makes unusual network connections - summary: EQL rule - value: - description: Unusual rundll32.exe network connection - language: eql - name: rundll32.exe network connection - query: >- - sequence by process.entity_id with maxspan=2h [process where - event.type in ("start", "process_started") and (process.name - == "rundll32.exe" or process.pe.original_file_name == - "rundll32.exe") and ((process.args == "rundll32.exe" and - process.args_count == 1) or (process.args != "rundll32.exe" - and process.args_count == 0))] [network where event.type == - "connection" and (process.name == "rundll32.exe" or - process.pe.original_file_name == "rundll32.exe")] - required_fields: - - name: event.type - type: keyword - - name: process.args - type: keyword - - name: process.args_count - type: long - - name: process.entity_id - type: keyword - - name: process.name - type: keyword - - name: process.pe.original_file_name - type: keyword - risk_score: 21 - rule_id: eql-outbound-rundll32-connections - severity: low - tags: - - EQL - - Windows - - rundll32.exe - type: eql - example5: - description: > - Indicator match rule that creates an alert when one of the - following is true: The event's destination IP address and port - number matches destination IP and port values in the - threat_index index; The event's source IP address matches a - host IP address value in the threat_index index. 
- summary: Indicator match rule - value: - actions: [] - description: >- - Checks for bad IP addresses listed in the ip-threat-list - index - index: - - packetbeat-* - name: Bad IP threat match - query: destination.ip:* or host.ip:* - required_fields: - - name: destination.ip - type: ip - - name: destination.port - type: long - - name: host.ip - type: ip - risk_score: 50 - severity: medium - threat_index: - - ip-threat-list - threat_mapping: - - entries: - - field: destination.ip - type: mapping - value: destination.ip - - field: destination.port - type: mapping - value: destination.port - - entries: - - field: source.ip - type: mapping - value: host.ip - threat_query: '*:*' - type: threat_match - example6: - description: >- - New terms rule that creates alerts a new IP address is - detected for a user - summary: New terms rule - value: - description: Detects a user associated with a new IP address - history_window_start: now-30d - index: - - auditbeat* - language: kuery - name: New User IP Detected - new_terms_fields: - - user.id - - source.ip - query: '*' - required_fields: - - name: user.id - type: keyword - - name: source.ip - type: ip - risk_score: 21 - severity: medium - type: new_terms - example7: - description: >- - esql rule that creates alerts from events that match an Excel - parent process - summary: Esql rule - value: - description: Find Excel events - enabled: false - from: now-360s - interval: 5m - language: esql - name: Find Excel events - query: >- - from auditbeat-8.10.2 METADATA _id, _version, _index | where - process.parent.name == "EXCEL.EXE" - required_fields: - - name: process.parent.name - type: keyword - risk_score: 21 - severity: low - tags: [] - to: now - type: esql - example8: - description: >- - Query rule that searches for processes started by MS Office - and suppresses alerts by the process.parent.name field within - a 5-hour time period - summary: Query rule 2 - value: - alert_suppression: - duration: - unit: h - value: 5 - group_by: 
- - process.parent.name - missing_fields_strategy: suppress - description: Process started by MS Office program - possible payload - enabled: false - filters: - - query: - match: - event.action: - query: 'Process Create (rule: ProcessCreate)' - type: phrase - from: now-70m - interval: 1h - language: kuery - name: MS Office child process - query: >- - process.parent.name:EXCEL.EXE or - process.parent.name:MSPUB.EXE or - process.parent.name:OUTLOOK.EXE or - process.parent.name:POWERPNT.EXE or - process.parent.name:VISIO.EXE or - process.parent.name:WINWORD.EXE - risk_score: 50 - rule_id: process_started_by_ms_office_program - severity: low - tags: - - child process - - ms office - type: query schema: - $ref: '#/components/schemas/Security_Detections_API_RuleCreateProps' - required: true - responses: - '200': - content: - application/json: - examples: - example1: - description: Example response for a query rule - summary: Query rule response - value: - actions: [] - created_at: '2020-04-07T14:51:09.755Z' - created_by: elastic - description: Process started by MS Office program - possible payload - enabled: false - false_positives: [] - filters: - - query: - match: - event.action: - query: 'Process Create (rule: ProcessCreate)' - type: phrase - from: now-70m - id: 6541b99a-dee9-4f6d-a86d-dbd1869d73b1 - immutable: false - interval: 1h - language: kuery - max_signals: 100 - name: MS Office child process - query: >- - process.parent.name:EXCEL.EXE or - process.parent.name:MSPUB.EXE or - process.parent.name:OUTLOOK.EXE or - process.parent.name:POWERPNT.EXE or - process.parent.name:VISIO.EXE or - process.parent.name:WINWORD.EXE - references: [] - related_integrations: - - package: o365 - version: ^2.3.2 - - integration: graphactivitylogs - package: azure - version: ^1.11.4 - required_fields: - - ecs: true - name: process.parent.name - type: keyword - risk_score: 50 - rule_id: process_started_by_ms_office_program - setup: '' - severity: low - tags: - - child process - - ms 
office - threat: [] - to: now - type: query - updated_at: '2020-04-07T14:51:09.970Z' - updated_by: elastic - version: 1 - example2: - description: Example response for a machine learning job rule - summary: Machine learning response - value: - actions: - - action_type_id: .slack - frequency: - notifyWhen: onActiveAlert - summary: true - throttle: null - group: default - id: 5ad22cd5-5e6e-4c6c-a81a-54b626a4cec5 - params: - message: 'Urgent: {{context.rule.description}}' - anomaly_threshold: 70 - created_at: '2020-04-07T14:45:15.679Z' - created_by: elastic - description: Generates alerts when the job discovers anomalies over 70 - enabled: true - false_positives: [] - from: now-6m - id: 83876f66-3a57-4a99-bf37-416494c80f3b - immutable: false - interval: 5m - machine_learning_job_id: linux_anomalous_network_activity_ecs - max_signals: 100 - name: Anomalous Linux network activity - note: Shut down the internet. - references: [] - related_integrations: [] - required_fields: [] - risk_score: 70 - rule_id: ml_linux_network_high_threshold - setup: '' - severity: high - status: going to run - status_date: '2020-04-07T14:45:21.685Z' - tags: - - machine learning - - Linux - threat: [] - to: now - type: machine_learning - updated_at: '2020-04-07T14:45:15.892Z' - updated_by: elastic - version: 1 - example3: - description: Example response for a threshold rule - summary: Threshold rule response - value: - actions: [] - author: [] - created_at: '2020-07-22T10:27:23.486Z' - created_by: elastic - description: >- - Detects when there are 20 or more failed login attempts - from the same IP address with a 2 minute time frame. 
- enabled: true - exceptions_list: - - id: int-ips - namespace_type: single - type: detection - false_positives: [] - from: now-180s - id: 15dbde26-b627-4d74-bb1f-a5e0ed9e4993 - immutable: false - index: - - winlogbeat-* - interval: 2m - language: kuery - max_signals: 100 - name: Windows server prml-19 - query: >- - host.name:prml-19 and event.category:authentication and - event.outcome:failure - references: [] - related_integrations: - - package: o365 - version: ^2.3.2 - required_fields: - - ecs: true - name: source.ip - type: ip - risk_score: 30 - risk_score_mapping: [] - rule_id: liv-win-ser-logins - setup: '' - severity: low - severity_mapping: - - field: source.geo.city_name - operator: equals - severity: low - value: Manchester - - field: source.geo.city_name - operator: equals - severity: medium - value: London - - field: source.geo.city_name - operator: equals - severity: high - value: Birmingham - - field: source.geo.city_name - operator: equals - severity: critical - value: Wallingford - tags: - - Brute force - threat: [] - threshold: - field: source.ip - value: 20 - to: now - type: threshold - updated_at: '2020-07-22T10:27:23.673Z' - updated_by: elastic - version: 1 - example4: - description: Example response for an EQL rule - summary: EQL rule response - value: - author: [] - created_at: '2020-10-05T09:06:16.392Z' - created_by: elastic - description: Unusual rundll32.exe network connection - enabled: true - exceptions_list: [] - false_positives: [] - from: now-6m - id: 93808cae-b05b-4dc9-8479-73574b50f8b1 - immutable: false - interval: 5m - language: eql - max_signals: 100 - name: rundll32.exe network connection - query: >- - sequence by process.entity_id with maxspan=2h [process - where event.type in ("start", "process_started") and - (process.name == "rundll32.exe" or - process.pe.original_file_name == "rundll32.exe") and - ((process.args == "rundll32.exe" and process.args_count == - 1) or (process.args != "rundll32.exe" and - process.args_count == 
0))] [network where event.type == - "connection" and (process.name == "rundll32.exe" or - process.pe.original_file_name == "rundll32.exe")] - references: [] - related_integrations: - - package: o365 - version: ^2.3.2 - required_fields: - - ecs: true - name: event.type - type: keyword - - ecs: true - name: process.args - type: keyword - - ecs: true - name: process.args_count - type: long - - ecs: true - name: process.entity_id - type: keyword - - ecs: true - name: process.name - type: keyword - - ecs: true - name: process.pe.original_file_name - type: keyword - risk_score: 21 - risk_score_mapping: [] - rule_id: eql-outbound-rundll32-connections - setup: '' - severity: low - severity_mapping: [] - tags: - - EQL - - Windows - - rundll32.exe - threat: [] - throttle: no_actions - to: now - type: eql - updated_at: '2020-10-05T09:06:16.403Z' - updated_by: elastic - version: 1 - example5: - description: Example response for an indicator match rule - summary: Indicator match rule response + type: object + properties: + delay: + default: 1m + description: The delay before the transform will run. + pattern: '[smdh]$' + type: string + docsPerSecond: + default: -1 + description: The number of documents per second to process. + type: integer + enrichPolicyExecutionInterval: + $ref: '#/components/schemas/Security_Entity_Analytics_API_Interval' + fieldHistoryLength: + default: 10 + description: The number of historical values to keep for each field. + type: integer + filter: + type: string + frequency: + default: 1m + description: The frequency at which the transform will run. + pattern: '[smdh]$' + type: string + indexPattern: + $ref: '#/components/schemas/Security_Entity_Analytics_API_IndexPattern' + lookbackPeriod: + default: 3h + description: The amount of time the transform looks back to calculate the aggregations. 
+ pattern: '[smdh]$' + type: string + maxPageSearchSize: + default: 500 + description: The initial page size to use for the composite aggregation of each checkpoint. + type: integer + timeout: + default: 180s + description: The timeout for initializing the aggregating transform. + pattern: '[smdh]$' + type: string + timestampField: + default: '@timestamp' + description: The field to use as the timestamp for the entity type. + type: string + description: Schema for the engine initialization + required: true + responses: + '200': + content: + application/json: + examples: + initEntityEngineExample: + description: A host engine was successfully initialized and is now in the installing state. + summary: Host engine initialized value: - author: [] - created_at: '2020-10-06T07:07:58.227Z' - created_by: elastic - description: >- - Checks for bad IP addresses listed in the ip-threat-list - index - enabled: true - exceptions_list: [] - false_positives: [] - from: now-6m - id: d5daa13f-81fb-4b13-be2f-31011e1d9ae1 - immutable: false - index: - - packetbeat-* - interval: 5m - language: kuery - max_signals: 100 - name: Bad IP threat match - query: destination.ip:* or host.ip:* - references: [] - related_integrations: - - package: o365 - version: ^2.3.2 - required_fields: - - ecs: true - name: destination.ip - type: ip - - ecs: true - name: destination.port - type: long - - ecs: true - name: host.ip - type: ip - risk_score: 50 - risk_score_mapping: [] - rule_id: 608501e4-c768-4f64-9326-cec55b5d439b - setup: '' - severity: medium - severity_mapping: [] - tags: [] - threat: [] - threat_index: - - ip-threat-list - threat_mapping: - - entries: - - field: destination.ip - type: mapping - value: destination.ip - - field: destination.port - type: mapping - value: destination.port - - entries: - - field: source.ip - type: mapping - value: host.ip - threat_query: '*:*' - to: now - type: threat_match - updated_at: '2020-10-06T07:07:58.237Z' - updated_by: elastic - version: 1 - example6: - 
description: Example response for a new terms rule - summary: New terms rule response + delay: 1m + fieldHistoryLength: 10 + frequency: 1m + indexPattern: '' + lookbackPeriod: 3h + status: installing + timeout: 180s + timestampField: '@timestamp' + type: host + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor' + description: Successful response + '400': + description: Invalid request + summary: Initialize an Entity Engine + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/entity_store/engines/{entityType}/start: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_store/engines/{entityType}/start
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Start a previously stopped entity engine, resuming transform processing for the given entity type. + operationId: StartEntityEngine + parameters: + - description: The entity type of the engine to start. + example: host + in: path + name: entityType + required: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + responses: + '200': + content: + application/json: + examples: + startEntityEngineExample: + description: The engine was successfully started and is now processing data. + summary: Engine started successfully value: - author: [] - created_at: '2020-10-06T07:07:58.227Z' - created_by: elastic - description: Detects a user associated with a new IP address - enabled: true - exceptions_list: [] - false_positives: [] - from: now-6m - history_window_start: now-30d - id: eb7225c0-566b-11ee-8b4f-bbf3afdeb9f4 - immutable: false - index: - - auditbeat* - interval: 5m - language: kuery - max_signals: 100 - name: New User IP Detected - new_terms_fields: - - user.id - - source.ip - query: '*' - references: [] - related_integrations: - - package: o365 - version: ^2.3.2 - required_fields: - - ecs: true - name: user.id - type: keyword - - ecs: true - name: source.ip - type: ip - risk_score: 21 - risk_score_mapping: [] - rule_id: c6f5d0bc-7be9-47d4-b2f3-073d22641e30 - setup: '' - severity: medium - severity_mapping: [] - tags: [] - threat: [] - to: now - type: new_terms - updated_at: '2020-10-06T07:07:58.237Z' - updated_by: elastic - version: 1 - example7: - description: Example response for an Esql rule - summary: Esql rule response + started: true + schema: + type: object + properties: + started: + description: Whether the engine was successfully started. 
+ type: boolean + description: Successful response + summary: Start an Entity Engine + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/entity_store/engines/{entityType}/stop: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_store/engines/{entityType}/stop
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Stop a running entity engine, pausing transform processing for the given entity type. + operationId: StopEntityEngine + parameters: + - description: The entity type of the engine to stop. + example: host + in: path + name: entityType + required: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + responses: + '200': + content: + application/json: + examples: + stopEntityEngineExample: + description: The engine was successfully stopped and is no longer processing data. + summary: Engine stopped successfully value: - actions: [] - author: [] - created_at: '2023-10-18T10:55:14.269Z' - created_by: elastic - description: Find Excel events - enabled: false - exceptions_list: [] - false_positives: [] - from: now-360s - id: d0f20490-6da4-11ee-b85e-09e9b661f2e2 - immutable: false - interval: 5m - language: esql - max_signals: 100 - name: Find Excel events - output_index: '' - query: >- - from auditbeat-8.10.2 METADATA _id | where - process.parent.name == "EXCEL.EXE" - references: [] - related_integrations: - - package: o365 - version: ^2.3.2 - required_fields: - - ecs: true - name: process.parent.name - type: keyword - revision: 0 - risk_score: 21 - risk_score_mapping: [] - rule_id: e4b53a89-debd-4a0d-a3e3-20606952e589 - setup: '' - severity: low - severity_mapping: [] - tags: [] - threat: [] - to: now - type: esql - updated_at: '2023-10-18T10:55:14.269Z' - updated_by: elastic - version: 1 + stopped: true schema: - $ref: '#/components/schemas/Security_Detections_API_RuleResponse' - description: Indicates a successful call. - summary: Create a detection rule + type: object + properties: + stopped: + description: Whether the engine was successfully stopped. 
+ type: boolean + description: Successful response + summary: Stop an Entity Engine tags: - - Security Detections API - put: - description: > - Update a detection rule using the `rule_id` or `id` field. The original - rule is replaced, and all unspecified fields are deleted. + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/entity_store/engines/apply_dataview_indices: + post: + description: |- + **Spaces method and path for this operation:** +
post /s/{space_id}/api/entity_store/engines/apply_dataview_indices
- The difference between the `id` and `rule_id` is that the `id` is a - unique rule identifier that is randomly generated when a rule is created - and cannot be set, whereas `rule_id` is a stable rule identifier that - can be assigned during rule creation. + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - > warn + Synchronize data view index patterns to all running entity engines so that newly added indices are picked up by the transforms. + operationId: ApplyEntityEngineDataviewIndices + responses: + '200': + content: + application/json: + examples: + applyDataviewIndicesExample: + description: All running engines were successfully updated with the current data view index patterns. + summary: All engines updated + value: + result: + - changes: + indexPatterns: + - logs-* + - filebeat-* + - auditbeat-* + type: host + - changes: + indexPatterns: + - logs-* + - filebeat-* + - auditbeat-* + type: user + success: true + schema: + type: object + properties: + result: + description: Per-engine update results. + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDataviewUpdateResult' + type: array + success: + description: Whether all engines updated successfully. + type: boolean + description: Successful response + '207': + content: + application/json: + examples: + partialSuccessExample: + description: The host engine was updated but the user engine failed due to insufficient privileges. + summary: One engine failed + value: + errors: + - 'Failed to update user engine: insufficient privileges' + result: + - changes: + indexPatterns: + - logs-* + - filebeat-* + type: host + success: false + schema: + type: object + properties: + errors: + description: Error messages for engines that failed to update. + items: + type: string + type: array + result: + description: Per-engine update results for engines that succeeded. 
+ items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDataviewUpdateResult' + type: array + success: + description: Always `false` for a partial success. + type: boolean + description: Partial successful response + '500': + content: + application/json: + examples: + serverErrorExample: + description: An unexpected error occurred while applying data view indices. + summary: Internal server error + value: + body: An internal error occurred while updating engine indices + statusCode: 500 + schema: + type: object + properties: + body: + description: Error message. + type: string + statusCode: + description: HTTP status code. + type: number + description: Error response + summary: Apply DataView indices to all installed engines + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/entity_store/entities/{entityType}: + delete: + description: | + **Spaces method and path for this operation:** - > When used with [API - key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, - the user's key gets assigned to the affected rules. If the user's key - gets deleted or the user becomes inactive, the rules will stop running. +
delete /s/{space_id}/api/entity_store/entities/{entityType}
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - > If the API key that is used for authorization has different privileges - than the key that created or most recently updated the rule, the rule - behavior might change. - operationId: UpdateRule + Delete a single entity in Entity Store. + The entity will be immediately deleted from the latest index. It will remain available in historical snapshots if it has been snapshotted. The delete operation does not prevent the entity from being recreated if it is observed again in the future. + operationId: DeleteSingleEntity + parameters: + - example: user + in: path + name: entityType + required: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' requestBody: content: application/json: - examples: - example1: - summary: Update query rule - value: - description: A new description - id: 14b7b513-3d8d-4b22-b7da-a7ae632f7e76 - name: A new name for the rule - risk_score: 22 - severity: medium - type: query - example2: - summary: Update EQL rule - value: - description: eql rule test - id: 9b684efb-acf9-4323-9bff-8335b3867d14 - index: - - apm-*-transaction* - language: eql - name: New name for EQL rule - query: process where process.name == "regsvr32.exe" - risk_score: 21 - severity: low - type: eql - example3: - summary: Update threshold rule - value: - description: Description of threat rule test - id: 005d2c4f-51ca-493d-a2bd-20ef076339b1 - language: kuery - name: New name for threat rule - query: >- - agent.version : * and agent.id : - "243d9b4f-ca01-4311-8e5c-9abbee91afd8" - risk_score: 21 - severity: low - tags: - - new_tag - threshold: - cardinality: [] - field: [] - value: 400 - type: threshold - example4: - summary: Update new terms rule - value: - description: New description - history_window_start: now-7d - id: 569aac91-40dc-4807-a8ae-a2c8698089c4 - interval: 5m - name: New terms rule name - new_terms_fields: - - 
Endpoint.policy.applied.artifacts.global.identifiers.name - query: 'agent.version : "9.1.0"' - risk_score: 21 - severity: low - type: new_terms - example5: - summary: Update esql rule - value: - description: New description for esql rule - id: 0b15e8a2-49b6-47e0-a8e6-d63a6cc335bd - language: esql - name: New name for esql rule - query: > - FROM logs* + schema: + type: object + properties: + id: + description: Identifier of the entity to be deleted, commonly entity.id value. + example: arn:aws:iam::123456789012:user/jane.doe + type: string + required: + - id + description: Schema for the deleting entity + required: true + responses: + '200': + content: + application/json: + examples: + deleteEntityExample: + description: The entity was found and successfully removed from the latest index. + summary: Entity deleted + value: + deleted: true + schema: + type: object + properties: + deleted: + description: Whether the entity was successfully deleted. + type: boolean + description: Successful response. Entity deleted. + '404': + description: Entity Not Found. No entity with this ID and Type exists. + '503': + description: Operation on an uninitialized Engine or in a cluster without CRUD API Enabled + summary: Delete an entity in Entity Store + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + put: + description: | + **Spaces method and path for this operation:** - | STATS count = COUNT(*), min_timestamp = MIN(@timestamp) /* - MIN(dateField) finds the earliest timestamp in the dataset. - */ +
put /s/{space_id}/api/entity_store/entities/{entityType}
- | EVAL event_rate = count / DATE_DIFF("seconds", - min_timestamp, NOW()) /* Calculates the event rate by - dividing the total count of events by the time difference - (in seconds) between the earliest event and the current - time. */ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - | KEEP event_rate - risk_score: 21 - severity: low - type: esql - example6: - summary: Update indicator match rule - value: - description: New description - id: 462f1986-10fe-40a3-a22c-2b1c9c4c48fd - name: New name for Indicator Match rule - query: source.ip:* or destination.ip:*\n - risk_score: 99 - severity: critical - threat_index: - - filebeat-* - - logs-ti_* - threat_mapping: - - entries: - - field: source.ip - type: mapping - value: threat.indicator.ip - - entries: - - field: destination.ip - type: mapping - value: threat.indicator.ip - threat_query: >- - @timestamp >= "now-30d/d" and event.module:(threatintel or - ti_*) and threat.indicator.ip:* and not - labels.is_ioc_transform_source:"true" - type: threat_match - example7: - summary: Update machine learning rule - value: - anomaly_threshold: 50 - description: New description of ml rule - id: 60b13926-289b-41b1-a537-197ef1fa5059 - machine_learning_job_id: - - auth_high_count_logon_events_ea - name: New name of ml rule - risk_score: 21 - severity: low - type: machine_learning + Update or create an entity in Entity Store. + If the specified entity already exists, it is updated with the provided values. If the entity does not exist, a new one is created. By default, only the following fields can be updated: * `entity.attributes.*` * `entity.lifecycle.*` * `entity.behavior.*` To update other fields, set the `force` query parameter to `true`. > info > Some fields always retain the first observed value. Updates to these fields will not appear in the final index. + > Due to technical limitations, not all updates are guaranteed to appear in the final list of observed values. 
+ > Due to technical limitations, create is an async operation. The time for a document to be present in the > final index depends on the entity store transform and usually takes more than 1 minute. + operationId: UpsertEntity + parameters: + - example: user + in: path + name: entityType + required: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + - description: When true, allows updating protected fields. + in: query + name: force + required: false + schema: + default: false + type: boolean + requestBody: + content: + application/json: schema: - $ref: '#/components/schemas/Security_Detections_API_RuleUpdateProps' - description: > - > info - - > All unspecified fields are deleted. You cannot modify the `id` or - `rule_id` values. + $ref: '#/components/schemas/Security_Entity_Analytics_API_Entity' + description: Schema for the updating a single entity required: true responses: '200': content: application/json: - examples: - example1: - summary: Example response for an updated rule - value: - actions: [] - created_at: '2020-04-07T14:51:09.755Z' - created_by: elastic - description: Updated description for the rule. 
- enabled: false - false_positives: [] - filters: - - query: null - from: now-70m - id: 6541b99a-dee9-4f6d-a86d-dbd1869d73b1 - immutable: false - interval: 1h - language: kuery - max_signals: 100 - name: Updated Rule Name - query: >- - process.parent.name:EXCEL.EXE or - process.parent.name:MSPUB.EXE or - process.parent.name:OUTLOOK.EXE or - process.parent.name:POWERPNT.EXE or - process.parent.name:VISIO.EXE or - process.parent.name:WINWORD.EXE - references: [] - related_integrations: - - package: o365 - required_fields: - - name: process.parent.name - risk_score: 50 - rule_id: process_started_by_ms_office_program - setup: '' - severity: low - tags: - - child process - - ms office - threat: [] - to: now - type: query - updated_at: '2020-04-07T14:51:09.970Z' - updated_by: elastic - version: 2 schema: - $ref: '#/components/schemas/Security_Detections_API_RuleResponse' - description: Indicates a successful call. - summary: Update a detection rule + $ref: '#/components/schemas/Security_Entity_Analytics_API_Entity' + description: Entity updated or created + '403': + description: Operation on a restricted field + '409': + description: Conflict. The entity was updated while another update was happening in ElasticSearch + '503': + description: Operation on an uninitialized Engine or in a cluster without CRUD API Enabled + summary: Upsert an entity in Entity Store tags: - - Security Detections API - - Rules API - /api/detection_engine/rules/_bulk_action: - post: - description: > - Apply a bulk action, such as bulk edit, duplicate, or delete, to - multiple detection rules. The bulk action is applied to all rules that - match the query or to the rules listed by their IDs. - - - The edit action allows you to add, delete, or set tags, index patterns, - investigation fields, rule actions and schedules for multiple rules at - once. - - The edit action is idempotent, meaning that if you add a tag to a rule - that already has that tag, no changes are made. 
The same is true for - other edit actions, for example removing an index pattern that is not - specified in a rule will not result in any changes. The only exception - is the `add_rule_actions` and `set_rule_actions` action, which is - non-idempotent. This means that if you add or set a rule action to a - rule that already has that action, a new action is created with a new - unique ID. - - > warn + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/entity_store/entities/bulk: + put: + description: | + **Spaces method and path for this operation:** - > When used with [API - key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, - the user's key gets assigned to the affected rules. If the user's key - gets deleted or the user becomes inactive, the rules will stop running. +
put /s/{space_id}/api/entity_store/entities/bulk
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - > If the API key that is used for authorization has different privileges - than the key that created or most recently updated the rule, the rule - behavior might change. - operationId: PerformRulesBulkAction + Update or create many entities in Entity Store. + If the specified entity already exists, it is updated with the provided values. If the entity does not exist, a new one is created. + The creation is asynchronous. The time for a document to be present in the final index depends on the entity store transform and usually takes more than 1 minute. + operationId: UpsertEntitiesBulk parameters: - - description: > - Enables dry run mode for the request call. - - - Enable dry run mode to verify that bulk actions can be applied to - specified rules. Certain rules, such as prebuilt Elastic rules on a - Basic subscription, can’t be edited and will return errors in the - request response. Error details will contain an explanation, the - rule name and/or ID, and additional troubleshooting information. - - - To enable dry run mode on a request, add the query parameter - `dry_run=true` to the end of the request URL. Rules specified in the - request will be temporarily updated. These updates won’t be written - to Elasticsearch. - - > info - - > Dry run mode is not supported for the `export` bulk action. A 400 - error will be returned in the request response. + - description: When true, allows updating protected fields. in: query - name: dry_run + name: force required: false schema: + default: false type: boolean requestBody: content: application/json: - examples: - example01: - description: The following request activates all rules with the test tag. - summary: Enable - Enable all rules with the test tag - value: - action: enable - query: 'alert.attributes.tags: "test"' - example02: - description: The following request enables the rule with the specified ID. 
- summary: Enable - Enable a specific rule by ID. - value: - action: enable - ids: - - 748694f0-6977-4ea5-8384-cd2e39730779 - example03: - description: The following request disables the rule with the specified ID. - summary: Disable - Disable a specific rule by ID - value: - action: disable - ids: - - 748694f0-6977-4ea5-8384-cd2e39730779 - example04: - description: >- - The following request duplicates rules with the specified IDs, - including exceptions but not expired exceptions. - summary: Duplicate - Duplicate rules with specific IDs - value: - action: duplicate - duplicate: - include_exceptions: true - include_expired_exceptions: false - ids: - - 748694f0-6977-4ea5-8384-cd2e39730779 - - 461a4c22-416e-4009-a9a7-cf79656454bf - example05: - description: The following request deletes the rule with the specified ID. - summary: Delete - Delete a specific rule by ID - value: - action: delete - ids: - - cf4abfd1-7c37-4519-ab0f-5ea5c75fac60 - example06: - description: >- - The following request runs the rule with the specified ID - within the given date range. - summary: Run - Run a specific rule by ID - value: - action: run - ids: - - 748694f0-6977-4ea5-8384-cd2e39730779 - run: - end_date: '2025-03-10T23:59:59.999Z' - start_date: '2025-03-01T00:00:00.000Z' - example07: - description: >- - The following request exports the rules with the specified - IDs. - summary: Export - Export specific rules by ID - value: - action: export - ids: - - 748694f0-6977-4ea5-8384-cd2e39730779 - example08: - description: >- - The following request will validate that the - add_index_patterns bulk action can be successfully applied to - three rules. The dry_run parameter is specified in query - parameters, e.g. 
POST - api/detection_engine/rules/_bulk_action?dry_run=true - summary: Edit - dry run - Validate add_index_patterns bulk action - value: - action: edit - edit: - - type: add_index_patterns - value: - - test-* - ids: - - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 - - dc015d10-0831-11ed-ac8b-05a222bd8d4a - - de8f5af0-0831-11ed-ac8b-05a222bd8d4a - example09: - description: >- - The following request adds the tag "tag-1" to the rules with - the specified IDs. If the tag already exists for a rule, no - changes are made. - summary: Edit - Add a tag to rules (idempotent) - value: - action: edit - edit: - - type: add_tags - value: - - tag-1 - ids: - - 8bc7dad0-9320-11ec-9265-8b772383a08d - - 8e5c1a40-9320-11ec-9265-8b772383a08d - example10: - description: >- - The following request adds two tags at the same time, tag-1 - and tag-2, to the rules that have the IDs sent in the payload. - If the tags already exist for a rule, no changes are made. - summary: Edit - Add two tags to rules (idempotent) - value: - action: edit - edit: - - type: add_tags - value: - - tag-1 - - tag-2 - ids: - - 8bc7dad0-9320-11ec-9265-8b772383a08d - - 8e5c1a40-9320-11ec-9265-8b772383a08d - example11: - description: >- - The following request removes the tag "tag-1" from the rules - with the specified IDs. If the tag does not exist for a rule, - no changes are made. - summary: Edit - Delete a tag from rules (idempotent) - value: - action: edit - edit: - - type: delete_tags - value: - - tag-1 - ids: - - 8bc7dad0-9320-11ec-9265-8b772383a08d - - 8e5c1a40-9320-11ec-9265-8b772383a08d - example12: - description: >- - The following request sets the tags "tag-1" and "tag-2" for - the rules with the specified IDs, overwriting any existing - tags. If the set of tags is the same as the existing tags, no - changes are made. 
- summary: Edit - Set (overwrite existing) tags for rules (idempotent) - value: - action: edit - edit: - - type: set_tags - value: - - tag-1 - - tag-2 - ids: - - 8bc7dad0-9320-11ec-9265-8b772383a08d - - 8e5c1a40-9320-11ec-9265-8b772383a08d - example13: - description: >- - The following request adds the index pattern "test-*" to the - rules with the specified IDs. If the index pattern already - exists for a rule, no changes are made. - summary: Edit - Add index patterns to rules (idempotent) - value: - action: edit - edit: - - type: add_index_patterns - value: - - test-* - ids: - - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 - - dc015d10-0831-11ed-ac8b-05a222bd8d4a - example14: - description: >- - The following request removes the index pattern "test-*" from - the rules with the specified IDs. If the index pattern does - not exist for a rule, no changes are made. - summary: Edit - Remove index patterns from rules (idempotent) - value: - action: edit - edit: - - type: delete_index_patterns - value: - - test-* - ids: - - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 - - dc015d10-0831-11ed-ac8b-05a222bd8d4a - example15: - description: >- - The following request sets the index patterns "test-*" and - "prod-*" for the rules with the specified IDs, overwriting any - existing index patterns. If the set of index patterns is the - same as the existing index patterns, no changes are made. - summary: >- - Edit - Set (overwrite existing) index patterns for rules - patterns (idempotent) - value: - action: edit - edit: - - type: set_index_patterns - value: - - test-* - ids: - - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 - - dc015d10-0831-11ed-ac8b-05a222bd8d4a - example16: - description: >- - The following request adds investigation field to the rules - with the specified IDs. 
- summary: Edit - Add investigation field to rules - value: - action: edit - edit: - - type: add_investigation_fields - value: - field_names: - - alert.status - ids: - - 12345678-1234-1234-1234-1234567890ab - - 87654321-4321-4321-4321-0987654321ba - example17: - description: >- - The following request deletes investigation fields from the - rules with the specified IDs. If the field does not exist for - a rule, no changes are made. - summary: Edit - Delete investigation fields from rules (idempotent) - value: - action: edit - edit: - - type: delete_investigation_fields - ids: - - 12345678-1234-1234-1234-1234567890ab - - 87654321-4321-4321-4321-0987654321ba - value: - - field1 - - field2 - example18: - description: >- - The following request sets investigation fields for the rules - with the specified IDs, overwriting any existing investigation - fields. If the set of investigation fields is the same as the - existing investigation fields, no changes are made. - summary: >- - Edit - Set (overwrite existing) investigation fields for rules - (idempotent) - value: - action: edit - edit: - - type: set_investigation_fields - value: - - field1 - - field2 - ids: - - 12345678-1234-1234-1234-1234567890ab - - 87654321-4321-4321-4321-0987654321ba - example19: - description: >- - The following request sets a timeline template for the rules - with the specified IDs. If the same timeline template is - already set for a rule, no changes are made. - summary: >- - Edit - Set (overwrite existing) timeline template for rules - (idempotent) - value: - action: edit - edit: - - type: set_timeline - value: - timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd - timeline_title: Alerts Involving a Single User Timeline - ids: - - eacdfc95-e007-41c9-986e-4b2cbdfdc71b - example20: - description: >- - The following request sets a schedule for the rules with the - specified IDs. If the same schedule is already set for a rule, - no changes are made. 
- summary: >- - Edit - Set (overwrite existing) schedule for rules - (idempotent) - value: - action: edit - edit: - - type: set_schedule - value: - interval: 1h - lookback: 30m - ids: - - 99887766-5544-3322-1100-aabbccddeeff - example21: - description: >- - The following request adds rule actions to the rules with the - specified IDs. Each new action receives its own unique ID. - summary: Edit - Add rule actions to rules (non-idempotent) - value: - action: edit - edit: - - type: add_rule_actions - value: - actions: - - group: default - id: 20fbf986-a270-460e-80f3-7b83c08b430f - params: - body: The message body - ids: - - 9e946bfc-3118-4c77-bb25-67d781191928 - example22: - description: >- - The following request sets rule actions for the rules with the - specified IDs. Each action receives its own unique ID. - summary: >- - Edit - Set (overwrite existing) rule actions for rules - (non-idempotent) - value: - action: edit - edit: - - type: set_rule_actions - value: - actions: - - group: default - id: 20fbf986-a270-460e-80f3-7b83c08b430f - params: - body: The message body - ids: - - 9e946bfc-3118-4c77-bb25-67d781191928 - example23: - description: >- - The following request adds rule actions to the rules with the - specified IDs. Each new action receives its own unique ID. - summary: Edit - Add rule actions to rules for a webhook connector - value: - action: edit - edit: - - type: add_rule_actions - value: - actions: - - group: default3 - id: 20fbf986-a270-460e-80f3-7b83c08b430f - params: - body: The message body - ids: - - 9e946bfc-3118-4c77-bb25-67d781191921 - example24: - description: >- - The following request adds rule actions to the rules with the - specified IDs. Each new action receives its own unique ID. 
- summary: Edit - Add rule actions to rules for an email connector - value: - action: edit - edit: - - type: add_rule_actions - value: - actions: - - group: default3 - id: 20fbf986-a270-460e-80f3-7b83c08b430f - params: - message: The message body - subject: Subject - to: address@domain.com - ids: - - 9e946bfc-3118-4c77-bb25-67d781191921 - example25: - description: >- - The following request adds rule actions to the rules with the - specified IDs. Each new action receives its own unique ID. - summary: Edit - Add rule actions to rules for a slack connector - value: - action: edit - edit: - - type: add_rule_actions - value: - actions: - - group: default3 - id: 20fbf986-a270-460e-80f3-7b83c08b430f - params: - message: The content of the message - ids: - - 9e946bfc-3118-4c77-bb25-67d781191921 - example26: - description: >- - The following request adds rule actions to the rules with the - specified IDs. Each new action receives its own unique ID. - summary: Edit - Add rule actions to rules for a PagerDuty connector - value: - action: edit - edit: - - type: add_rule_actions - value: - actions: - - group: default3 - id: 20fbf986-a270-460e-80f3-7b83c08b430f - params: - eventAction: trigger - severity: critical - summary: The message body - timestamp: 2023-10-31T00:00:00.000Z - ids: - - 9e946bfc-3118-4c77-bb25-67d781191921 - example27: - description: >- - The following request set alert suppression to the rules with - the specified IDs. - summary: Edit - Set alert suppression to rules (idempotent) - value: - action: edit - edit: - - type: set_alert_suppression - value: - duration: - unit: h - value: 1 - group_by: - - source.ip - missing_fields_strategy: suppress - ids: - - 12345678-1234-1234-1234-1234567890ab - - 87654321-4321-4321-4321-0987654321ba - example28: - description: >- - The following request set alert suppression to threshold rules - with the specified IDs. 
- summary: Edit - Set alert suppression to threshold rules (idempotent) - value: - action: edit - edit: - - type: set_alert_suppression_for_threshold - value: - duration: - unit: h - value: 1 - ids: - - 12345678-1234-1234-1234-1234567890ab - - 87654321-4321-4321-4321-0987654321ba - example29: - description: >- - The following request removes alert suppression from the rules - with the specified IDs. If the rules do not have alert - suppression, no changes are made. - summary: Edit - Removes alert suppression from rules (idempotent) - value: - action: edit - edit: - - type: delete_alert_suppression - ids: - - 12345678-1234-1234-1234-1234567890ab - - 87654321-4321-4321-4321-0987654321ba - example30: - description: >- - The following request triggers the filling of gaps for the - specified rule ids and time range - summary: >- - Fill Gaps - Manually trigger the filling of gaps for specified - rules - value: - action: fill_gaps - ids: - - 748694f0-6977-4ea5-8384-cd2e39730779 - - 164d0918-f720-4c9f-9f5c-c5122587cf19 - run: - end_date: '2025-03-10T23:59:59.999Z' - start_date: '2025-03-01T00:00:00.000Z' schema: - oneOf: - - $ref: '#/components/schemas/Security_Detections_API_BulkDeleteRules' - - $ref: >- - #/components/schemas/Security_Detections_API_BulkDisableRules - - $ref: '#/components/schemas/Security_Detections_API_BulkEnableRules' - - $ref: '#/components/schemas/Security_Detections_API_BulkExportRules' - - $ref: >- - #/components/schemas/Security_Detections_API_BulkDuplicateRules - - $ref: >- - #/components/schemas/Security_Detections_API_BulkManualRuleRun - - $ref: >- - #/components/schemas/Security_Detections_API_BulkManualRuleFillGaps - - $ref: '#/components/schemas/Security_Detections_API_BulkEditRules' + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntitiesContainer' + description: Schema for the updating many entities + required: true + responses: + '200': + description: Entities updated or created + '403': + description: Operation on a 
restricted field + '503': + description: Operation on an uninitialized Engine or in a cluster without CRUD API Enabled + summary: Upsert many entities in Entity Store + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/entity_store/entities/list: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/entity_store/entities/list
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List entities records, paging, sorting and filtering as needed. + operationId: ListEntities + parameters: + - description: Field to sort results by. + example: entity.name + in: query + name: sort_field + required: false + schema: + type: string + - description: Sort order. + in: query + name: sort_order + required: false + schema: + enum: + - asc + - desc + type: string + - description: Page number to return (1-indexed). + example: 1 + in: query + name: page + required: false + schema: + minimum: 1 + type: integer + - description: Number of entities per page. + example: 10 + in: query + name: per_page + required: false + schema: + maximum: 10000 + minimum: 1 + type: integer + - description: An ES query to filter by. + in: query + name: filterQuery + required: false + schema: + type: string + - description: Entity types to include in the results. + in: query + name: entity_types + required: true + schema: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + type: array + responses: + '200': + content: + application/json: + schema: + type: object + properties: + inspect: + $ref: '#/components/schemas/Security_Entity_Analytics_API_InspectQuery' + page: + description: Current page number. + minimum: 1 + type: integer + per_page: + description: Number of entities per page. + maximum: 1000 + minimum: 1 + type: integer + records: + description: The entity records for this page. + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_Entity' + type: array + total: + description: Total number of entities matching the query. 
+ minimum: 0 + type: integer + required: + - records + - page + - per_page + - total + description: Entities returned successfully + summary: List Entity Store Entities + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/entity_store/status: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/entity_store/status
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the overall Entity Store status and per-engine statuses, optionally including component-level health details. + operationId: GetEntityStoreStatus + parameters: + - description: If true, returns a detailed status of each engine including all its components. + example: true + in: query + name: include_components + schema: + type: boolean responses: '200': content: application/json: examples: - example01: - description: >- - In this response one rule was updated and one was skipped. - Objects returned in attributes.results.skipped will only - include rules' id, name, and skip_reason. - summary: Successful response + entityStoreRunning: + description: The Entity Store is running with both host and user engines started and using default settings. + summary: Entity Store running with two engines value: - attributes: - results: - created: [] - deleted: [] - skipped: - - id: 51658332-a15e-4c9e-912a-67214e2e2359 - name: Skipped rule - skip_reason: RULE_NOT_MODIFIED - updated: - - anomaly_threshold: 50 - author: - - Elastic - created_at: '2022-02-21T14:14:13.801Z' - created_by: elastic - description: >- - A machine learning job detected unusually large - numbers of DNS queries for a single top-level DNS - domain, which is often used for DNS tunneling. DNS - tunneling can be used for command-and-control, - persistence, or data exfiltration activity. For - example, dnscat tends to generate many DNS - questions for a top-level domain as it uses the - DNS protocol to tunnel data. - enabled: true - exceptions_list: [] - execution_summary: - last_execution: - date: '2022-03-23T16:06:12.787Z' - message: >- - This rule attempted to query data from - Elasticsearch indices listed in the "Index - pattern" section of the rule definition, but - no matching index was found. 
- metrics: - execution_gap_duration_s: 0 - total_indexing_duration_ms: 15 - total_search_duration_ms: 135 - status: partial failure - status_order: 20 - false_positives: - - >- - DNS domains that use large numbers of child - domains, such as software or content - distribution networks, can trigger this alert - and such parent domains can be excluded. - from: now-45m - id: 8bc7dad0-9320-11ec-9265-8b772383a08d - immutable: false - interval: 15m - license: Elastic License v2 - machine_learning_job_id: - - packetbeat_dns_tunneling_ea - max_signals: 100 - name: DNS Tunneling [Duplicate] - references: - - >- - https://www.elastic.co/docs/reference/machine-learning/ootb-ml-jobs-siem - related_integrations: [] - required_fields: [] - risk_score: 21 - risk_score_mapping: [] - rule_id: 7289bf08-4e91-4c70-bf01-e04c4c5d7756 - setup: '' - severity: low - severity_mapping: [] - tags: - - Elastic - - Network - - Threat Detection - - ML - threat: [] - to: now - type: machine_learning - updated_at: '2022-02-21T17:05:50.883Z' - updated_by: elastic - version: 6 - summary: - failed: 0 - skipped: 1 - succeeded: 1 - total: 2 - rules_count: 1 - success: true - example02: - description: >- - If processing of any rule fails, a partial error outputs the - ID and/or name of the affected rule and the corresponding - error, as well as successfully processed rules (in the same - format as a successful 200 request). - summary: Partial failure + engines: + - delay: 1m + fieldHistoryLength: 10 + frequency: 1m + indexPattern: '' + lookbackPeriod: 24h + status: started + timeout: 180s + timestampField: '@timestamp' + type: host + - delay: 1m + fieldHistoryLength: 10 + frequency: 1m + indexPattern: '' + lookbackPeriod: 24h + status: started + timeout: 180s + timestampField: '@timestamp' + type: user + status: running + schema: + type: object + properties: + engines: + description: Per-engine status information. 
+ items: + allOf: + - $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor' + - type: object + properties: + components: + description: Detailed component-level status. Only included when include_components is true. + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineComponentStatus' + type: array + type: array + status: + $ref: '#/components/schemas/Security_Entity_Analytics_API_StoreStatus' + description: The overall status of the Entity Store. + required: + - status + - engines + description: Successful response + summary: Get the status of the Entity Store + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/exception_lists: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/exception_lists
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete an exception list using the `id` or `list_id` field. + operationId: DeleteExceptionList + parameters: + - description: Exception list's identifier. Either `id` or `list_id` must be specified. + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' + - description: Human readable exception list string identifier, e.g. `trusted-linux-processes`. Either `id` or `list_id` must be specified. + examples: + autogeneratedId: + value: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + list_id: + value: simple_list + in: query + name: list_id + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + - description: | + `single` deletes the list in the current Kibana space; `agnostic` deletes a global list. Must match the + list you are removing when using `list_id` or `id`. + examples: + agnostic: + value: agnostic + single: + value: single + in: query + name: namespace_type + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + default: single + responses: + '200': + content: + application/json: + examples: + detectionExceptionList: value: - value: - attributes: - errors: - - message: >- - Index patterns can't be added. Machine learning - rule doesn't have index patterns property - rules: - - id: 8bc7dad0-9320-11ec-9265-8b772383a08d - name: DNS Tunneling [Duplicate] - status_code: 500 - results: - created: [] - deleted: [] - skipped: [] - updated: - - actions: [] - author: - - Elastic - created_at: '2022-02-21T14:14:17.883Z' - created_by: elastic - description: >- - Generates a detection alert for each external - alert written to the configured indices. - Enabling this rule allows you to immediately - begin investigating external alerts in the app. 
- enabled: true - exceptions_list: [] - execution_summary: - last_execution: - date: '2022-03-23T16:06:12.787Z' - message: >- - This rule attempted to query data from - Elasticsearch indices listed in the "Index - pattern" section of the rule definition, but - no matching index was found. - metrics: - execution_gap_duration_s: 0 - total_indexing_duration_ms: 15 - total_search_duration_ms: 135 - status: partial failure - status_order: 20 - false_positives: [] - from: now-6m - id: 8e5c1a40-9320-11ec-9265-8b772383a08d - immutable: false - index: - - apm-*-transaction* - - traces-apm* - - auditbeat-* - - filebeat-* - - logs-* - - packetbeat-* - - winlogbeat-* - - added-by-id-* - interval: 5m - language: kuery - license: Elastic License v2 - max_signals: 10000 - name: External Alerts [Duplicate] - query: > - event.kind:alert and not event.module:(endgame - or endpoint) - references: [] - related_integrations: [] - required_fields: [] - risk_score: 47 - risk_score_mapping: - - field: event.risk_score - operator: equals - value: '' - rule_id: 941faf98-0cdc-4569-b16d-4af962914d61 - rule_name_override: message - setup: '' - severity: medium - severity_mapping: - - field: event.severity - operator: equals - severity: low - value: '21' - - field: event.severity - operator: equals - severity: medium - value: '47' - - field: event.severity - operator: equals - severity: high - value: '73' - - field: event.severity - operator: equals - severity: critical - value: '99' - tags: - - Elastic - - Network - - Windows - - APM - - macOS - - Linux - threat: [] - timestamp_override: event.ingested - to: now - type: query - updated_at: '2022-02-21T16:56:22.818Z' - updated_by: elastic - version: 5 - summary: - failed: 1 - skipped: 0 - succeeded: 1 - total: 2 - message: Bulk edit partially failed - rules_count: 2 - status_code: 500 - success: false - example03: - description: >- - The attributes.errors section of the response shows that two - rules failed to update and one succeeded. 
The same results - would be returned if you ran the request without dry run - mode enabled. Notice that there are no arrays in - attributes.results. In dry run mode, rule updates are not - applied and saved to Elasticsearch, so the endpoint wouldn’t - return results for rules that have been updated, created, or - deleted. - summary: Dry run + _version: WzIsMV0= + created_at: '2025-01-07T19:34:27.942Z' + created_by: elastic + description: This is a sample detection type exception list. + id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 + immutable: false + list_id: simple_list + name: Sample Detection Exception List + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 + type: detection + updated_at: '2025-01-07T19:34:27.942Z' + updated_by: elastic + version: 1 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: value: - attributes: - errors: - - err_code: IMMUTABLE - message: Elastic rule can't be edited - rules: - - id: 81aa0480-06af-11ed-94fb-dd1a0597d8d2 - name: Unusual AWS Command for a User - status_code: 500 - - err_code: MACHINE_LEARNING_INDEX_PATTERN - message: Machine learning rule doesn't have index patterns - rules: - - id: dc015d10-0831-11ed-ac8b-05a222bd8d4a - name: Suspicious Powershell Script [Duplicate] - status_code: 500 - results: - created: [] - deleted: [] - skipped: [] - updated: [] - summary: - failed: 2 - skipped: 0 - succeeded: 1 - total: 3 - message: Bulk edit partially failed - status_code: 500 - example04: - description: >- - This example presents the successful setting of tags for 2 - rules. There was a difference between the set of tags that - were being added and the tags that were already set in the - rules, that's why the rules were updated. 
- summary: Set tags successsully for 2 rules + error: Bad Request + message: '[request query]: namespace_type.0: Invalid enum value. Expected ''agnostic'' | ''single'', received ''blob''' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: value: - attributes: - results: - created: [] - deleted: [] - skipped: [] - updated: - - actions: [] - author: [] - created_at: '2025-03-25T11:46:41.899Z' - created_by: elastic - description: test - enabled: false - exceptions_list: [] - false_positives: [] - filters: [] - from: now-6m - id: 738112cd-6cfa-414a-8457-2a658845d6ba - immutable: false - index: - - apm-*-transaction* - - auditbeat-* - - endgame-* - - filebeat-* - - logs-* - - packetbeat-* - - traces-apm* - - winlogbeat-* - - '-*elastic-cloud-logs-*' - interval: 5m - language: kuery - license: '' - max_signals: 100 - meta: - kibana_siem_app_url: http://localhost:5601/kbn/app/security - name: Rule 1 - output_index: '' - query: '*' - references: [] - related_integrations: [] - required_fields: [] - revision: 1 - risk_score: 21 - risk_score_mapping: [] - rule_id: 6fb746a0-dfe5-40fa-b03f-5cbb84f3e32e - rule_source: - type: internal - setup: '' - severity: low - severity_mapping: [] - tags: - - tag-1 - - tag-2 - threat: [] - to: now - type: query - updated_at: '2025-03-25T11:47:11.350Z' - updated_by: elastic - version: 2 - - actions: - - action_type_id: .webhook - frequency: - notifyWhen: onActiveAlert - summary: true - throttle: null - group: default - id: 20fbf986-a270-460e-80f3-7b83c08b430f - params: - body: Hello - uuid: 580e2e16-5e91-411c-999b-7b75a11ed441 - author: [] - created_at: '2025-03-25T09:49:08.343Z' - created_by: elastic - description: test - enabled: false - exceptions_list: [] - false_positives: [] - filters: [] 
- from: now-360s - id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b - immutable: false - index: - - apm-*-transaction* - - auditbeat-* - - endgame-* - - filebeat-* - - logs-* - - packetbeat-* - - traces-apm* - - winlogbeat-* - - '-*elastic-cloud-logs-*' - interval: 3m - investigation_fields: - field_names: - - alert.status - - >- - Endpoint.policy.applied.artifacts.global.channel - language: kuery - license: '' - max_signals: 100 - meta: - from: 3m - kibana_siem_app_url: http://localhost:5601/kbn/app/security - name: Rule 2 - output_index: '' - query: '*' - references: [] - related_integrations: [] - required_fields: [] - revision: 33 - risk_score: 21 - risk_score_mapping: [] - rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180 - rule_source: - type: internal - setup: '' - severity: low - severity_mapping: [] - tags: - - tag-1 - - tag-2 - threat: [] - timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd - timeline_title: Alerts Involving a Single User Timeline - to: now - type: query - updated_at: '2025-03-25T11:47:11.357Z' - updated_by: elastic - version: 24 - summary: - failed: 0 - skipped: 0 - succeeded: 2 - total: 2 - rules_count: 2 - success: true - example05: - description: >- - This example presents the idempotent behavior of the edit - action with set_tags request. Both rules already had exactly - the same tags that were being added, so no changes were made - in any of them. 
- summary: Idempotent behavior of set_tags + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [DELETE /api/exception_lists?list_id=simple_list&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'exception list list_id: "foo" does not exist' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Delete an exception list + tags: + - Security Exceptions API + x-metaTags: + - content: Kibana + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/exception_lists
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the details of an exception list using the `id` or `list_id` field. + operationId: ReadExceptionList + parameters: + - description: Exception list's identifier. Either `id` or `list_id` must be specified. + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' + - description: Human readable exception list string identifier, e.g. `trusted-linux-processes`. Either `id` or `list_id` must be specified. + in: query + name: list_id + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + - description: | + When `single`, the list is resolved in the current Kibana space. When `agnostic`, the list is a global + (space-agnostic) container. Required for looking up the correct list when `list_id` is not unique. + examples: + agnostic: + value: agnostic + single: + value: single + in: query + name: namespace_type + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + default: single + responses: + '200': + content: + application/json: + examples: + detectionType: value: - attributes: - results: - created: [] - deleted: [] - skipped: - - id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b - name: Rule 1 - skip_reason: RULE_NOT_MODIFIED - - id: 738112cd-6cfa-414a-8457-2a658845d6ba - name: Rule 2 - skip_reason: RULE_NOT_MODIFIED - updated: [] - summary: - failed: 0 - skipped: 2 - succeeded: 0 - total: 2 - rules_count: 2 - success: true - example06: - description: >- - This example presents the idempotent behavior of the edit - action with add_tags request. One rule was updated and one - was skipped. The rule that was skipped already had all the - tags that were being added. 
- summary: Idempotent behavior of add_tags + _version: WzIsMV0= + created_at: '2025-01-07T19:34:27.942Z' + created_by: elastic + description: This is a sample detection type exception list. + id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 + immutable: false + list_id: simple_list + name: Sample Detection Exception List + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 + type: detection + updated_at: '2025-01-07T19:34:27.942Z' + updated_by: elastic + version: 1 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: value: - attributes: - results: - created: [] - deleted: [] - skipped: - - id: 738112cd-6cfa-414a-8457-2a658845d6ba - name: Test Rule 2 - skip_reason: RULE_NOT_MODIFIED - updated: - - actions: - - action_type_id: .webhook - frequency: - notifyWhen: onActiveAlert - summary: true - throttle: null - group: default - id: 20fbf986-a270-460e-80f3-7b83c08b430f - params: - body: Hello - uuid: 580e2e16-5e91-411c-999b-7b75a11ed441 - author: [] - created_at: '2025-03-25T09:49:08.343Z' - created_by: elastic - description: test - enabled: false - exceptions_list: [] - false_positives: [] - filters: [] - from: now-360s - id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b - immutable: false - index: - - apm-*-transaction* - - auditbeat-* - - endgame-* - - filebeat-* - - logs-* - - packetbeat-* - - traces-apm* - - winlogbeat-* - - '-*elastic-cloud-logs-*' - interval: 3m - investigation_fields: - field_names: - - alert.status - - >- - Endpoint.policy.applied.artifacts.global.channel - language: kuery - license: '' - max_signals: 100 - meta: - from: 3m - kibana_siem_app_url: http://localhost:5601/kbn/app/security - name: Test rule - output_index: '' - query: '*' - references: [] - related_integrations: [] - required_fields: [] - revision: 34 - risk_score: 21 - risk_score_mapping: [] - rule_id: 
43250a55-53a3-4ddd-96cb-82a1bd720180 - rule_source: - type: internal - setup: '' - severity: low - severity_mapping: [] - tags: - - tag-1 - - tag-2 - - tag-4 - threat: [] - timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd - timeline_title: Alerts Involving a Single User Timeline - to: now - type: query - updated_at: '2025-03-25T11:55:12.752Z' - updated_by: elastic - version: 25 - summary: - failed: 0 - skipped: 1 - succeeded: 1 - total: 2 - rules_count: 2 - success: true - example07: - description: >- - This example shows a non-idempotent nature of the - set_rule_actions requests. Regardless if the actions are the - same as the existing actions for a rule, the actions are - always set in the rule and receive a new unique ID. - summary: Non-idempotent behavior for set_rule_actions + error: Bad Request + message: '[request query]: namespace_type.0: Invalid enum value. Expected ''agnostic'' | ''single'', received ''blob''' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: value: - attributes: - results: - created: [] - deleted: [] - skipped: [] - updated: - - actions: - - action_type_id: .webhook - frequency: - notifyWhen: onActiveAlert - summary: true - throttle: null - group: default - id: 20fbf986-a270-460e-80f3-7b83c08b430f - params: - body: Hello - uuid: e48428e5-efac-4856-b8ad-b271c14eaa91 - author: [] - created_at: '2025-03-25T09:49:08.343Z' - created_by: elastic - description: test - enabled: false - exceptions_list: [] - false_positives: [] - filters: [] - from: now-360s - id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b - immutable: false - index: - - apm-*-transaction* - - auditbeat-* - - endgame-* - - filebeat-* - - logs-* - - packetbeat-* - - traces-apm* - - winlogbeat-* - - '-*elastic-cloud-logs-*' - interval: 3m 
- investigation_fields: - field_names: - - alert.status - - >- - Endpoint.policy.applied.artifacts.global.channel - language: kuery - license: '' - max_signals: 100 - meta: - from: 3m - kibana_siem_app_url: http://localhost:5601/kbn/app/security - name: Test rule - output_index: '' - query: '*' - references: [] - related_integrations: [] - required_fields: [] - revision: 39 - risk_score: 21 - risk_score_mapping: [] - rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180 - rule_source: - type: internal - setup: '' - severity: low - severity_mapping: [] - tags: - - tag-1 - - tag-2 - - tag-4 - threat: [] - timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd - timeline_title: Alerts Involving a Single User Timeline - to: now - type: query - updated_at: '2025-03-25T12:17:40.528Z' - updated_by: elastic - version: 30 - summary: - failed: 0 - skipped: 0 - succeeded: 1 - total: 1 - rules_count: 1 - success: true - example08: - description: >- - This example shows a non-idempotent nature of the - add_rule_actions requests. Regardless if the added action is - the same as another existing action for a rule, the new - action is added to the rule and receives a new unique ID. 
- summary: Non-idempotent behavior for add_rule_actions + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: value: - attributes: - results: - created: [] - deleted: [] - skipped: [] - updated: - - actions: - - action_type_id: .webhook - frequency: - notifyWhen: onActiveAlert - summary: true - throttle: null - group: default - id: 76af173d-38d8-4a9a-b2cc-a3c695b845b4 - params: - body: Message body - uuid: 0309347e-3954-429c-9168-5da2663389af - - action_type_id: .webhook - frequency: - notifyWhen: onActiveAlert - summary: true - throttle: null - group: default - id: 76af173d-38d8-4a9a-b2cc-a3c695b845b4 - params: - body: Message body - uuid: 49ddaa94-d63d-410e-90dc-8c1bad9552bd - author: [] - created_at: '2025-04-02T12:42:03.400Z' - created_by: elastic - description: test - enabled: false - exceptions_list: [] - false_positives: [] - filters: [] - from: now-6m - id: 0d3eb0cd-88c4-4651-ac87-6d9f0cb87217 - immutable: false - index: - - apm-*-transaction* - - auditbeat-* - - endgame-* - - filebeat-* - - logs-* - - packetbeat-* - - traces-apm* - - winlogbeat-* - - '-*elastic-cloud-logs-*' - interval: 5m - language: kuery - license: '' - max_signals: 100 - meta: - kibana_siem_app_url: http://localhost:5601/kbn/app/security - name: Jacek test rule - output_index: '' - query: '*' - references: [] - related_integrations: [] - required_fields: [] - revision: 2 - risk_score: 21 - risk_score_mapping: [] - rule_id: 2684c020-1370-4719-ac27-eafe6428fe10 - rule_source: - type: internal - setup: '' - severity: low - severity_mapping: [] - tags: [] - threat: [] 
- to: now - type: query - updated_at: '2025-04-02T12:51:40.215Z' - updated_by: elastic - version: 2 - summary: - failed: 0 - skipped: 0 - succeeded: 1 - total: 1 - rules_count: 1 - success: true + error: Forbidden + message: API [GET /api/exception_lists?list_id=simple_list&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message": 'exception list id: "foo" does not exist' + status_code": 404 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list item not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Get exception list details + tags: + - Security Exceptions API + x-metaTags: + - content: Kibana + name: product_name + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/exception_lists
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + An exception list groups exception items and can be associated with detection rules. You can assign exception lists to multiple detection rules. + > info + > All exception items added to the same list are evaluated using `OR` logic. That is, if any of the items in a list evaluate to `true`, the exception prevents the rule from generating an alert. Likewise, `OR` logic is used for evaluating exceptions when more than one exception list is assigned to a rule. To use the `AND` operator, you can define multiple clauses (`entries`) in a single exception item. + operationId: CreateExceptionList + requestBody: + content: + application/json: + examples: + createDetection: + value: + description: This is a sample detection type exception list. + list_id: simple_list + name: Sample Detection Exception List + namespace_type: single + os_types: + - linux + tags: + - malware + type: detection + schema: + example: + description: This is a sample detection type exception list. 
+ list_id: simple_list + name: Sample Detection Exception List + namespace_type: single + os_types: + - linux + tags: + - malware + type: detection + type: object + properties: + description: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListDescription' + list_id: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + meta: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListMeta' + name: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListName' + namespace_type: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + default: single + os_types: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray' + tags: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListTags' + default: [] + type: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListType' + version: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListVersion' + default: 1 + required: + - name + - description + - type + description: Exception list's properties + required: true + responses: + '200': + content: + application/json: + examples: + autogeneratedListId: + value: + _version: WzMsMV0= + created_at: '2025-01-09T01:05:23.019Z' + created_by: elastic + description: This is a sample detection type exception with an autogenerated list_id. + id: 28243c2f-624a-4443-823d-c0b894880931 + immutable: false + list_id: 8c1aae4c-1ef5-4bce-a2e3-16584b501783 + name: Sample Detection Exception List + namespace_type: single + os_types: [] + tags: + - malware + tie_breaker_id: ad94de31-39f7-4ad7-b8e4-988bfa95f338 + type: detection + updated_at: '2025-01-09T01:05:23.020Z' + updated_by: elastic + version: 1 + namespaceAgnostic: + value: + _version: WzUsMV0= + created_at: '2025-01-09T01:10:36.369Z' + created_by: elastic + description: This is a sample agnostic endpoint type exception. 
+ id: 1a744e77-22ca-4b6b-9085-54f55275ebe5 + immutable: false + list_id: b935eb55-7b21-4c1c-b235-faa1df23b3d6 + name: Sample Agnostic Endpoint Exception List + namespace_type: agnostic + os_types: + - linux + tags: + - malware + tie_breaker_id: 49ea0adc-a2b8-4d83-a8f3-2fb98301dea3 + type: endpoint + updated_at: '2025-01-09T01:10:36.369Z' + updated_by: elastic + version: 1 + typeDetection: + value: + _version: WzIsMV0= + created_at: '2025-01-07T19:34:27.942Z' + created_by: elastic + description: This is a sample detection type exception list. + id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 + immutable: false + list_id: simple_list + name: Sample Detection Exception List + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 + type: detection + updated_at: '2025-01-07T19:34:27.942Z' + updated_by: elastic + version: 1 + typeEndpoint: + value: + _version: WzQsMV0= + created_at: '2025-01-09T01:07:49.658Z' + created_by: elastic + description: This is a sample endpoint type exception list. 
+ id: a79f4730-6e32-4278-abfc-349c0add7d54 + immutable: false + list_id: endpoint_list + name: Sample Endpoint Exception List + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 94a028af-8f47-427a-aca5-ffaf829e64ee + type: endpoint + updated_at: '2025-01-09T01:07:49.658Z' + updated_by: elastic + version: 1 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request body]: list_id: Expected string, received number' + statusCode: 400 schema: oneOf: - - $ref: >- - #/components/schemas/Security_Detections_API_BulkEditActionResponse - - $ref: >- - #/components/schemas/Security_Detections_API_BulkExportActionResponse - description: OK - summary: Apply a bulk action to detection rules + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [POST /api/exception_lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '409': + content: + application/json: + 
examples: + alreadyExists: + value: + message: 'exception list id: "simple_list" already exists' + status_code: 409 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list already exists response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Create an exception list tags: - - Security Detections API - - Bulk API - /api/detection_engine/rules/_export: - post: - description: > - Export detection rules to an `.ndjson` file. The following configuration - items are also included in the `.ndjson` file: - - - Actions - - - Exception lists - - > info - - > Rule actions and connectors are included in the exported file, but - sensitive information about the connector (such as authentication - credentials) is not included. You must re-add missing connector details - after importing detection rules. - - - > You can use Kibana’s [Saved - Objects](https://www.elastic.co/docs/explore-analyze/find-and-organize/saved-objects) - UI (Stack Management → Kibana → Saved Objects) or the Saved Objects APIs - (experimental) to - [export](https://www.elastic.co/docs/api/doc/kibana/operation/operation-exportsavedobjectsdefault) - and - [import](https://www.elastic.co/docs/api/doc/kibana/operation/operation-importsavedobjectsdefault) - any necessary connectors before importing detection rules. - + - Security Exceptions API + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** - > Similarly, any value lists used for rule exceptions are not included - in rule exports or imports. 
Use the [Manage value - lists](https://www.elastic.co/docs/solutions/security/detect-and-alert/create-manage-value-lists) - UI (Rules → Detection rules (SIEM) → Manage value lists) to export and - import value lists separately. - operationId: ExportRules - parameters: - - description: Determines whether a summary of the exported rules is returned. - in: query - name: exclude_export_details - required: false - schema: - default: false - type: boolean - - description: > - File name for saving the exported rules. +
put /s/{space_id}/api/exception_lists
- > info + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - > When using cURL to export rules to a file, use the -O and -J - options to save the rules to the file name specified in the URL. - in: query - name: file_name - required: false - schema: - default: export.ndjson - type: string + Update an exception list using the `id` or `list_id` field. + operationId: UpdateExceptionList requestBody: content: application/json: examples: - exportByRuleIds: - summary: Request body to export a subset of rules + fullReplace: value: - objects: - - rule_id: 343580b5-c811-447c-8d2d-2ccf052c6900 - - rule_id: 2938c9fa-53eb-4c04-b79c-33cbf041b18d + description: Different description + list_id: simple_list + name: Updated exception list name + os_types: + - linux + tags: + - draft + - malware + type: detection schema: - nullable: true + example: + description: Different description + list_id: simple_list + name: Updated exception list name + os_types: + - linux + tags: + - draft malware + type: detection type: object properties: - objects: - description: >- - Array of objects with a rule's `rule_id` field. Do not use - rule's `id` here. Exports all rules when unspecified. - items: - type: object - properties: - rule_id: - $ref: >- - #/components/schemas/Security_Detections_API_RuleSignatureId - required: - - rule_id - type: array + _version: + description: The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version. 
+ type: string + description: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListDescription' + id: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' + list_id: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + meta: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListMeta' + name: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListName' + namespace_type: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + default: single + os_types: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray' + default: [] + tags: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListTags' + type: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListType' + version: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListVersion' required: - - objects - required: false + - name + - description + - type + description: Exception list's properties + required: true responses: '200': content: - application/ndjson: + application/json: examples: - sampleNdjson: - value: > - {"rule_id":"343580b5-c811-447c-8d2d-2ccf052c6900","name":"Example - rule","type":"query","enabled":true} - - {"exception_list":true} - - {"export_summary":{"total_rules":1,"exceptions_count":0}} + simpleList: + value: + _version: WzExLDFd + created_at: '2025-01-07T20:43:55.264Z' + created_by: elastic + description: Different description + id: fa7f545f-191b-4d32-b1f0-c7cd62a79e55 + immutable: false + list_id: simple_list + name: Updated exception list name + namespace_type: single + os_types: [] + tags: + - draft malware + tie_breaker_id: 319fe983-acdd-4806-b6c4-3098eae9392f + type: detection + updated_at: '2025-01-07T21:32:03.726Z' + updated_by: elastic + version: 2 schema: - description: > - An `.ndjson` file containing the returned rules. 
- - - Each line in the file represents an object (a rule, exception - list parent container, or exception list item), and the last - line includes a summary of what was exported. - format: binary - type: string - description: Indicates a successful call. - summary: Export detection rules + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request body]: list_id: Expected string, received number' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [PUT /api/exception_lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message": 'exception list id: "foo" does not exist' + status_code": 404 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list not found response + '500': + content: + application/json: + examples: + 
serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Update an exception list tags: - - Security Detections API - - Import/Export API - x-codeSamples: - - lang: cURL - source: > - curl -X POST - "localhost:5601/api/detection_engine/rules/_export?exclude_export_details=true&file_name=exported_rules.ndjson" - -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' - - { - "objects": [ - { - "rule_id":"343580b5-c811-447c-8d2d-2ccf052c6900" - }, - { - "rule_id":"2938c9fa-53eb-4c04-b79c-33cbf041b18d" - } - ] - } - /api/detection_engine/rules/_find: - get: - description: >- - Retrieve a paginated list of detection rules. By default, the first page - is returned, with 20 results per page. - operationId: FindRules - parameters: - - description: > - List of `alert.attributes` field names to return for each rule (for - example `name`, `enabled`). - - If omitted, the default field set is returned. Repeat the parameter - to pass multiple field names, or - - use comma-separated values when supported by your client. - in: query - name: fields - required: false - schema: - items: - type: string - type: array - - description: > - Search query - - - Filters the returned results according to the value of the specified - field, using the alert.attributes.: syntax, - where can be: - - - name - - - enabled - - - tags - - - createdBy - - - interval + - Security Exceptions API + x-metaTags: + - content: Kibana + name: product_name + /api/exception_lists/_duplicate: + post: + description: |- + **Spaces method and path for this operation:** - - updatedBy +
post /s/{space_id}/api/exception_lists/_duplicate
- > info + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - > Even though the JSON rule object uses created_by and updated_by - fields, you must use createdBy and updatedBy fields in the filter. - in: query - name: filter - required: false - schema: - type: string - - description: Field to sort by - in: query - name: sort_field - required: false - schema: - $ref: '#/components/schemas/Security_Detections_API_FindRulesSortField' - - description: Sort order - in: query - name: sort_order - required: false - schema: - $ref: '#/components/schemas/Security_Detections_API_SortOrder' - - description: Page number - in: query - name: page - required: false - schema: - default: 1 - minimum: 1 - type: integer - - description: Rules per page - in: query - name: per_page - required: false - schema: - default: 20 - minimum: 0 - type: integer - - description: Gaps range start - in: query - name: gaps_range_start - required: false - schema: - type: string - - description: Gaps range end + Duplicate an existing exception list. + operationId: DuplicateExceptionList + parameters: + - description: The `list_id` of the existing exception list to copy (source list). in: query - name: gaps_range_end - required: false + name: list_id + required: true schema: - type: string - - description: Gap fill statuses + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + - description: Scope in which the source list is defined (`single` = current space, `agnostic` = all spaces). 
+ examples: + agnostic: + value: agnostic + single: + value: single in: query - name: gap_fill_statuses - required: false + name: namespace_type + required: true schema: - items: - $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' - type: array - - description: >- - Gap auto fill scheduler ID used to determine gap fill status for - rules + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + - description: Determines whether to include expired exceptions in the duplicated list. Expiration date defined by `expire_time`. in: query - name: gap_auto_fill_scheduler_id - required: false + name: include_expired_exceptions + required: true schema: + default: 'true' + enum: + - 'true' + - 'false' + example: true type: string responses: '200': content: application/json: examples: - example1: + detectionExceptionList: value: - data: - - created_at: '2020-02-02T10:05:19.613Z' - created_by: elastic - description: >- - Identifies a PowerShell process launched by either - cscript.exe or wscript.exe. Observing Windows - scripting processes executing a PowerShell script, may - be indicative of malicious activity. - enabled: false - execution_summary: - last_execution: - date: '2022-03-23T16:06:12.787Z' - message: >- - This rule attempted to query data from - Elasticsearch indices listed in the "Index - pattern" section of the rule definition, but no - matching index was found. 
- metrics: - execution_gap_duration_s: 0 - total_indexing_duration_ms: 15 - total_search_duration_ms: 135 - status: partial failure - status_order: 20 - false_positives: [] - from: now-6m - id: 89761517-fdb0-4223-b67b-7621acc48f9e - immutable: true - index: - - winlogbeat-* - interval: 5m - language: kuery - max_signals: 33 - name: Windows Script Executing PowerShell - query: >- - event.action:"Process Create (rule: ProcessCreate)" - and process.parent.name:("wscript.exe" or - "cscript.exe") and process.name:"powershell.exe" - references: [] - related_integrations: - - package: o365 - version: ^2.3.2 - required_fields: - - ecs: true - name: event.action - type: keyword - - ecs: true - name: process.name - type: keyword - - ecs: true - name: process.parent.name - type: keyword - risk_score: 21 - rule_id: f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc - setup: '' - severity: low - tags: - - Elastic - - Windows - threat: - - framework: MITRE ATT&CK - tactic: - id: TA0002 - name: Execution - reference: https://attack.mitre.org/tactics/TA0002/ - technique: - - id: T1193 - name: Spearphishing Attachment - reference: https://attack.mitre.org/techniques/T1193/ - to: now - type: query - updated_at: '2020-02-02T10:05:19.830Z' - updated_by: elastic - page: 1 - perPage: 5 - total: 4 + _version: WzExNDY1LDFd + created_at: '2025-01-09T16:19:50.280Z' + created_by: elastic + description: This is a sample detection type exception + id: b2f4a715-6ab1-444c-8b1e-3fa1b1049429 + immutable: false + list_id: d6390d60-bce3-4a48-9002-52db600f329c + name: Sample Detection Exception List [Duplicate] + namespace_type: single + os_types: [] + tags: + - malware + tie_breaker_id: 6fa670bd-666d-4c9c-9f1e-d1dbc516e985 + type: detection + updated_at: '2025-01-09T16:19:50.280Z' + updated_by: elastic + version: 1 schema: - type: object - properties: - data: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RuleResponse - type: array - page: - type: integer - perPage: - type: integer - total: - 
type: integer - warnings: - items: - $ref: >- - #/components/schemas/Security_Detections_API_WarningSchema - type: array - required: - - page - - perPage - - total - - data - description: > - Successful response - - > info - - > These fields are under development and their usage or schema may - change: execution_summary. - summary: List all detection rules + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request query]: namespace_type: Invalid enum value. Expected ''agnostic'' | ''single'', received ''foo''' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [POST /api/exception_lists/_duplicate] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'exception list id: "foo" does not exist' + status_code: 404 + schema: + $ref: 
'#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Exception list not found + '405': + content: + application/json: + examples: + notAllowed: + value: + message: 'Cannot duplicate: list is immutable or the operation is not allowed in this state' + status_code: 405 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list to duplicate not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Duplicate an exception list tags: - - Security Detections API - - Rules API - x-codeSamples: - - lang: cURL - source: > - curl -X GET - "localhost:5601/api/detection_engine/rules/_find?page=1&per_page=5&sort_field=enabled&sort_order=asc&filter=alert.attributes.name:windows" - -H 'kbn-xsrf: true' - /api/detection_engine/rules/_import: + - Security Exceptions API + x-metaTags: + - content: Kibana + name: product_name + /api/exception_lists/_export: post: - description: > - Import detection rules from an `.ndjson` file, including actions and - exception lists. The request must include: - - - The `Content-Type: multipart/form-data` HTTP header. - - - A link to the `.ndjson` file containing the rules. - - > warn - - > When used with [API - key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, - the user's key gets assigned to the affected rules. If the user's key - gets deleted or the user becomes inactive, the rules will stop running. - - - > If the API key that is used for authorization has different privileges - than the key that created or most recently updated the rule, the rule - behavior might change. 
+ description: |- + **Spaces method and path for this operation:** - > info - - > To import rules with actions, you need at least Read privileges for - the Action and Connectors feature. To overwrite or add new connectors, - you need All privileges for the Actions and Connectors feature. To - import rules without actions, you don’t need Actions and Connectors - privileges. Refer to [Enable and access - detections](https://www.elastic.co/docs/solutions/security/detect-and-alert/detections-privileges) - for more information. - - - > info - - > Rule actions and connectors are included in the exported file, but - sensitive information about the connector (such as authentication - credentials) is not included. You must re-add missing connector details - after importing detection rules. - - - > You can use Kibana’s [Saved - Objects](https://www.elastic.co/docs/explore-analyze/find-and-organize/saved-objects) - UI (Stack Management → Kibana → Saved Objects) or the Saved Objects APIs - (experimental) to - [export](https://www.elastic.co/docs/api/doc/kibana/operation/operation-exportsavedobjectsdefault) - and - [import](https://www.elastic.co/docs/api/doc/kibana/operation/operation-importsavedobjectsdefault) - any necessary connectors before importing detection rules. +
post /s/{space_id}/api/exception_lists/_export
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - > Similarly, any value lists used for rule exceptions are not included - in rule exports or imports. Use the [Manage value - lists](https://www.elastic.co/docs/solutions/security/detect-and-alert/create-manage-value-lists) - UI (Rules → Detection rules (SIEM) → Manage value lists) to export and - import value lists separately. - operationId: ImportRules + Export an exception list and its associated items to an NDJSON file. + operationId: ExportExceptionList parameters: - - description: >- - Determines whether existing rules with the same `rule_id` are - overwritten. + - description: Exception list's internal `id` (UUID) returned on create; use with `list_id` and `namespace_type` for an unambiguous target. in: query - name: overwrite - required: false + name: id + required: true schema: - default: false - type: boolean - - description: >- - Determines whether existing exception lists with the same `list_id` - are overwritten. Both the exception list container and its items are - overwritten. + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' + - description: Human-readable `list_id` of the exception list to export, as shown in the UI and API responses. in: query - name: overwrite_exceptions - required: false + name: list_id + required: true schema: - default: false - type: boolean - - description: >- - Determines whether existing actions with the same - `kibana.alert.rule.actions.id` are overwritten. + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + - description: | + `single` exports a list in the current Kibana space; `agnostic` exports a global (space-agnostic) list. 
+ examples: + agnostic: + value: agnostic + single: + value: single in: query - name: overwrite_action_connectors - required: false + name: namespace_type + required: true schema: - default: false - type: boolean - - description: Generates a new list ID for each imported exception list. + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + - description: Determines whether to include expired exceptions in the exported list. Expiration date defined by `expire_time`. + example: true in: query - name: as_new_list - required: false - schema: - default: false - type: boolean - requestBody: - content: - multipart/form-data: - examples: - rulesFile: - summary: Multipart part containing a rule export - value: - file: rules_import.ndjson - schema: - type: object - properties: - file: - description: The `.ndjson` file containing the rules. - format: binary - type: string - required: true - responses: - '200': - content: - application/json: - examples: - example1: - summary: Import rules with success - value: - errors: [] - exceptions_errors: [] - exceptions_success: true - exceptions_success_count: 0 - rules_count: 1 - success: true - success_count: 1 - schema: - additionalProperties: false - type: object - properties: - action_connectors_errors: - items: - $ref: '#/components/schemas/Security_Detections_API_ErrorSchema' - type: array - action_connectors_success: - type: boolean - action_connectors_success_count: - minimum: 0 - type: integer - action_connectors_warnings: - items: - $ref: >- - #/components/schemas/Security_Detections_API_WarningSchema - type: array - errors: - items: - $ref: '#/components/schemas/Security_Detections_API_ErrorSchema' - type: array - exceptions_errors: - items: - $ref: '#/components/schemas/Security_Detections_API_ErrorSchema' - type: array - exceptions_success: - type: boolean - exceptions_success_count: - minimum: 0 - type: integer - rules_count: - minimum: 0 - type: integer - success: - type: boolean - 
success_count: - minimum: 0 - type: integer - required: - - exceptions_success - - exceptions_success_count - - exceptions_errors - - rules_count - - success - - success_count - - errors - - action_connectors_errors - - action_connectors_warnings - - action_connectors_success - - action_connectors_success_count - description: Indicates a successful call. - summary: Import detection rules - tags: - - Security Detections API - - Import/Export API - x-codeSamples: - - lang: cURL - source: | - curl -X POST "/api/detection_engine/rules/_import" - -u : -H 'kbn-xsrf: true' - -H 'Content-Type: multipart/form-data' - --form "file=@" - /api/detection_engine/rules/{id}/exceptions: - post: - description: Create exception items that apply to a single detection rule. - operationId: CreateRuleExceptionListItems - parameters: - - description: Detection rule's identifier - examples: - id: - value: 330bdd28-eedf-40e1-bed0-f10176c7f9e0 - in: path - name: id + name: include_expired_exceptions required: true schema: - $ref: '#/components/schemas/Security_Exceptions_API_RuleId' - requestBody: - content: - application/json: - examples: - addItems: - value: - items: - - description: This is a sample detection type exception item. - entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - - field: host.name - operator: included - type: match_any - value: - - saturn - - jupiter - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - type: simple - schema: - example: - items: - - description: This is a sample detection type exception item. 
- entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - - field: host.name - operator: included - type: match_any - value: - - saturn - - jupiter - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - type: simple - type: object - properties: - items: - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemProps - type: array - required: - - items - description: Rule exception items. - required: true + default: 'true' + enum: + - 'true' + - 'false' + type: string responses: '200': content: - application/json: + application/ndjson: examples: - ruleExceptionItems: - value: - - _version: WzQsMV0= - comments: [] - created_at: 2025-01-07T20:07:33.119Z - created_by: elastic - description: This is a sample detection type exception item. - entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - - field: host.name - operator: included - type: match_any - value: - - saturn - - jupiter - id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c - type: simple - updated_at: 2025-01-07T20:07:33.119Z - updated_by: elastic + exportSavedObjectsResponse: + value: | + {"_version":"WzExNDU5LDFd","created_at":"2025-01-09T16:18:17.757Z","created_by":"elastic","description":"This is a sample detection type exception","id":"c86c2da0-2ab6-4343-b81c-216ef27e8d75","immutable":false,"list_id":"simple_list","name":"Sample Detection Exception List","namespace_type":"single","os_types":[],"tags":["user added string for a tag","malware"],"tie_breaker_id":"cf4a7b92-732d-47f0-a0d5-49a35a1736bf","type":"detection","updated_at":"2025-01-09T16:18:17.757Z","updated_by":"elastic","version":1} + 
{"_version":"WzExNDYxLDFd","comments":[],"created_at":"2025-01-09T16:18:42.308Z","created_by":"elastic","description":"This is a sample endpoint type exception","entries":[{"type":"exists","field":"actingProcess.file.signer","operator":"excluded"},{"type":"match_any","field":"host.name","value":["some host","another host"],"operator":"included"}],"id":"f37597ce-eaa7-4b64-9100-4301118f6806","item_id":"simple_list_item","list_id":"simple_list","name":"Sample Endpoint Exception List","namespace_type":"single","os_types":["linux"],"tags":["user added string for a tag","malware"],"tie_breaker_id":"4ca3ef3e-9721-42c0-8107-cf47e094d40f","type":"simple","updated_at":"2025-01-09T16:18:42.308Z","updated_by":"elastic"} + {"exported_exception_list_count":1,"exported_exception_list_item_count":1,"missing_exception_list_item_count":0,"missing_exception_list_items":[],"missing_exception_lists":[],"missing_exception_lists_count":0} schema: - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItem - type: array + description: A `.ndjson` file containing specified exception list and its items + format: binary + type: string description: Successful response '400': content: application/json: examples: - badPayload: - value: - error: Bad Request - message: Invalid request payload JSON format - statusCode: 400 badRequest: value: error: Bad Request - message: '[request params]: id: Invalid uuid' + message: '[request query]: list_id: Required, namespace_type: Required' statusCode: 400 schema: oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Invalid input data response '401': content: 
@@ -10545,16 +24646,10 @@ paths: unauthorized: value: error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: @@ -10562,12 +24657,23 @@ paths: examples: forbidden: value: - message: Unable to create exception-list - status_code: 403 + error: Forbidden + message: API [POST /api/exception_lists/_export] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message": 'exception list id: "foo" does not exist' + status_code": 404 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list not found response '500': content: application/json: 
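Review bot: The new `404` example added to `/api/exception_lists/_export` has stray double quotes in its keys, `message":` and `status_code":`, so the example object carries keys named `message"` and `status_code"` instead of the fields `Security_Exceptions_API_SiemErrorResponse` describes; it should read `message: 'exception list id: "foo" does not exist'` and `status_code: 404`. The other `404` examples in this file use the unquoted keys, so this one will also stand out to anyone validating examples against their schema. If this bundle is generated from the per-domain spec, the fix belongs in the source `_export` operation rather than in the bundled output.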
@@ -10579,281 +24685,302 @@ paths: schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Internal server error response - summary: Create rule exception items + summary: Export an exception list tags: - Security Exceptions API - /api/detection_engine/rules/prepackaged: - put: - description: > - Install and update all Elastic prebuilt detection rules and Timelines. - - - This endpoint allows you to install and update prebuilt detection rules - and Timelines provided by Elastic. - - When you call this endpoint, it will: - - - Install any new prebuilt detection rules that are not currently - installed in your system. - - - Update any existing prebuilt detection rules that have been modified - or improved by Elastic. + x-metaTags: + - content: Kibana + name: product_name + /api/exception_lists/_find: + get: + description: |- + **Spaces method and path for this operation:** - - Install any new prebuilt Timelines that are not currently installed in - your system. +
get /s/{space_id}/api/exception_lists/_find
- - Update any existing prebuilt Timelines that have been modified or - improved by Elastic. + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + Get a list of all exception list containers. + operationId: FindExceptionLists + parameters: + - description: | + Filters the returned results according to the value of the specified field. - This ensures that your detection engine is always up-to-date with the - latest rules and Timelines, + Uses the `so type.field name:field` value syntax, where `so type` can be: - providing you with the most current and effective threat detection - capabilities. - operationId: InstallPrebuiltRulesAndTimelines + - `exception-list`: Specify a space-aware exception list. + - `exception-list-agnostic`: Specify an exception list that is shared across spaces. + in: query + name: filter + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_FindExceptionListsFilter' + - description: | + Determines whether the returned containers are Kibana associated with a Kibana space + or available in all spaces (`agnostic` or `single`) + examples: + agnostic: + value: agnostic + single: + value: single + in: query + name: namespace_type + required: false + schema: + default: + - single + items: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + type: array + - description: The page number to return + in: query + name: page + required: false + schema: + example: 1 + minimum: 1 + type: integer + - description: The number of exception lists to return per page + in: query + name: per_page + required: false + schema: + example: 20 + minimum: 1 + type: integer + - description: Determines which field is used to sort the results. + in: query + name: sort_field + required: false + schema: + example: name + type: string + - description: Determines the sort order, which can be `desc` or `asc`. 
+ in: query + name: sort_order + required: false + schema: + enum: + - desc + - asc + example: desc + type: string responses: '200': content: application/json: examples: - example1: + simpleLists: value: - rules_installed: 112 - rules_updated: 0 - timelines_installed: 5 - timelines_updated: 2 + data: + - _version: WzIsMV0= + created_at: '2025-01-07T19:34:27.942Z' + created_by: elastic + description: This is a sample detection type exception list. + id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 + immutable: false + list_id: simple_list + name: Detection Exception List + namespace_type: single + os_types: [] + tags: + - malware + tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 + type: detection + updated_at: '2025-01-07T19:34:27.942Z' + updated_by: elastic + version: 1 + page: 1 + per_page: 20 + total: 1 schema: - additionalProperties: false type: object properties: - rules_installed: - description: The number of rules installed - minimum: 0 - type: integer - rules_updated: - description: The number of rules updated - minimum: 0 + data: + items: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + type: array + page: + minimum: 1 type: integer - timelines_installed: - description: The number of timelines installed - minimum: 0 + per_page: + minimum: 1 type: integer - timelines_updated: - description: The number of timelines updated + total: minimum: 0 type: integer required: - - rules_installed - - rules_updated - - timelines_installed - - timelines_updated - description: Indicates a successful call - summary: Install prebuilt detection rules and Timelines - tags: - - Security Detections API - - Prebuilt Rules API - /api/detection_engine/rules/prepackaged/_status: - get: - description: > - Retrieve the status of all Elastic prebuilt detection rules and - Timelines. 
- - - This endpoint provides detailed information about the number of custom - rules, installed prebuilt rules, available prebuilt rules that are not - installed, outdated prebuilt rules, installed prebuilt timelines, - available prebuilt timelines that are not installed, and outdated - prebuilt timelines. - operationId: ReadPrebuiltRulesAndTimelinesStatus - responses: - '200': + - data + - page + - per_page + - total + description: Successful response + '400': content: application/json: examples: - example1: + badRequest: value: - rules_custom_installed: 0 - rules_installed: 0 - rules_not_installed: 112 - rules_not_updated: 0 - timelines_installed: 0 - timelines_not_installed: 0 - timelines_not_updated: 0 + error: Bad Request + message: '[request query]: namespace_type.0: Invalid enum value. Expected ''agnostic'' | ''single'', received ''blob''' + statusCode: 400 schema: - additionalProperties: false - type: object - properties: - rules_custom_installed: - description: The total number of custom rules - minimum: 0 - type: integer - rules_installed: - description: The total number of installed prebuilt rules - minimum: 0 - type: integer - rules_not_installed: - description: >- - The total number of available prebuilt rules that are not - installed - minimum: 0 - type: integer - rules_not_updated: - description: The total number of outdated prebuilt rules - minimum: 0 - type: integer - timelines_installed: - description: The total number of installed prebuilt timelines - minimum: 0 - type: integer - timelines_not_installed: - description: >- - The total number of available prebuilt timelines that are - not installed - minimum: 0 - type: integer - timelines_not_updated: - description: The total number of outdated prebuilt timelines - minimum: 0 - type: integer - required: - - rules_custom_installed - - rules_installed - - rules_not_installed - - rules_not_updated - - timelines_installed - - timelines_not_installed - - timelines_not_updated - description: Indicates a 
successful call - summary: Retrieve the status of prebuilt detection rules and Timelines + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [GET /api/exception_lists/_find?namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Get exception lists tags: - - Security Detections API - - Prebuilt Rules API - /api/detection_engine/rules/preview: + - Security Exceptions API + x-metaTags: + - content: Kibana + name: product_name + /api/exception_lists/_import: post: - description: > - Simulates a detection rule using the same rule type and query logic as a - persisted rule, over a short + description: |- + **Spaces method and path for this operation:** - time window, without persisting a rule or writing alerts. Use the - response to validate queries, see sample +
post /s/{space_id}/api/exception_lists/_import
- matching documents, and inspect execution logs. Pair `invocationCount` - and `timeframeEnd` to cap run time. - operationId: RulePreview + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Import an exception list and its associated items from an NDJSON file. + operationId: ImportExceptionList parameters: - - description: >- - Enables logging and returning in response ES queries, performed - during rule execution + - description: | + Determines whether existing exception lists with the same `list_id` are overwritten. + If any exception items have the same `item_id`, those are also overwritten. in: query - name: enable_logged_requests + name: overwrite + required: false + schema: + default: false + example: false + type: boolean + - description: | + Determines whether the list being imported will have a new `list_id` generated. + Additional `item_id`'s are generated for each exception item. Both the exception + list and its items are overwritten. 
+ in: query + name: as_new_list required: false schema: + default: false + example: false type: boolean requestBody: content: - application/json: + multipart/form-data: examples: - queryRule: + ndjsonUpload: value: - description: Find matching events - from: now-24h - index: - - logs-* - invocationCount: 1 - language: kuery - max_signals: 20 - name: Rule preview - query: 'process.name : *' - risk_score: 25 - severity: low - timeframeEnd: '2025-01-20T12:00:00.000Z' - to: now - type: query + file: exception_lists.ndjson schema: - anyOf: - - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_EqlRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewParams - - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_QueryRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewParams - - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewParams - - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewParams - - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewParams - - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewParams - - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewParams - - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_EsqlRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewParams - discriminator: - propertyName: type - description: > - Rule create 
payload (same shape as `POST /api/detection_engine/rules` - for a given `type`) plus - - `invocationCount` and `timeframeEnd` to control how the preview is - executed. Optional - - `enable_logged_requests` surfaces Elasticsearch request logging for - debugging. + type: object + properties: + file: + description: A `.ndjson` file containing the exception list + example: | + {"_version":"WzExNDU5LDFd","created_at":"2025-01-09T16:18:17.757Z","created_by":"elastic","description":"This is a sample detection type exception","id":"c86c2da0-2ab6-4343-b81c-216ef27e8d75","immutable":false,"list_id":"simple_list","name":"Sample Detection Exception List","namespace_type":"single","os_types":[],"tags":["user added string for a tag","malware"],"tie_breaker_id":"cf4a7b92-732d-47f0-a0d5-49a35a1736bf","type":"detection","updated_at":"2025-01-09T16:18:17.757Z","updated_by":"elastic","version":1} + {"_version":"WzExNDYxLDFd","comments":[],"created_at":"2025-01-09T16:18:42.308Z","created_by":"elastic","description":"This is a sample endpoint type exception","entries":[{"type":"exists","field":"actingProcess.file.signer","operator":"excluded"},{"type":"match_any","field":"host.name","value":["some host","another host"],"operator":"included"}],"id":"f37597ce-eaa7-4b64-9100-4301118f6806","item_id":"simple_list_item","list_id":"simple_list","name":"Sample Endpoint Exception List","namespace_type":"single","os_types":["linux"],"tags":["user added string for a tag","malware"],"tie_breaker_id":"4ca3ef3e-9721-42c0-8107-cf47e094d40f","type":"simple","updated_at":"2025-01-09T16:18:42.308Z","updated_by":"elastic"} + format: binary + type: string required: true responses: '200': content: application/json: examples: - success: + withErrors: value: - isAborted: false - logs: - - duration: 45 - errors: [] - requests: [] - startedAt: 2025-01-20T10:00:00.000Z - warnings: [] - previewId: 7f1c9d1e-4c8a-4a3e-9a5d-0d4f6e1b2a90 + errors: + - error: + message: 'Error found importing exception list: Invalid 
value \"4\" supplied to \"list_id\"' + status_code: 400 + list_id: (unknown list_id) + - error: + message: 'Found that item_id: \"f7fd00bb-dba8-4c93-9d59-6cbd427b6330\" already exists. Import of item_id: \"f7fd00bb-dba8-4c93-9d59-6cbd427b6330\" skipped.' + status_code: 409 + item_id: f7fd00bb-dba8-4c93-9d59-6cbd427b6330 + list_id: 7d7cccb8-db72-4667-b1f3-648efad7c1ee + success: false, + success_count: 0, + success_count_exception_list_items: 0 + success_count_exception_lists: 0, + success_exception_list_items: false, + success_exception_lists: false, + withoutErrors: + value: + errors: [] + success: true + success_count: 2 + success_count_exception_list_items: 1 + success_count_exception_lists: 1 + success_exception_list_items: true + success_exception_lists: true, schema: type: object properties: - isAborted: + errors: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListsImportBulkErrorArray' + success: + type: boolean + success_count: + minimum: 0 + type: integer + success_count_exception_list_items: + minimum: 0 + type: integer + success_count_exception_lists: + minimum: 0 + type: integer + success_exception_list_items: + type: boolean + success_exception_lists: type: boolean - logs: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewLogs - type: array - previewId: - $ref: >- - #/components/schemas/Security_Detections_API_NonEmptyString required: - - logs + - errors + - success + - success_count + - success_exception_lists + - success_count_exception_lists + - success_exception_list_items + - success_count_exception_list_items description: Successful response '400': content: 
@@ -10862,16 +24989,12 @@ paths: badRequest: value: error: Bad Request - message: >- - [request body].timeframeEnd: expected string, received - null + message: Multipart part `file` is required and must contain a valid .ndjson exception list export statusCode: 400 schema: oneOf: - - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Detections_API_SiemErrorResponse + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Invalid input data response '401': content: @@ -10880,12 +25003,23 @@ paths: unauthorized: value: error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [POST /api/exception_lists/_import] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response '500': content: application/json: 
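Review bot: Switching the 401 example's `message` from double to single quotes changes its value: in a YAML single-quoted scalar `\n` and `\t` are two literal characters, so the rendered example now shows backslash sequences where the previous form produced the newline and tab that the real Elasticsearch error contains. Keep the double-quoted form, `message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: ..."`, or use a block scalar (`message: |-`) with real line breaks. The same substitution is made in the 401 examples of the later hunks for the exception-item operations in this file, and the single-quoted `\"foo\"` / `\"4\"` in the 404, 409 and import-error examples has the same effect, so those examples will render with stray backslashes as well.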
@@ -10895,65 +25029,89 @@ paths: message: Internal Server Error status_code: 500 schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Internal server error response - summary: Preview rule alerts generated on specified time range + summary: Import an exception list tags: - - Security Detections API - - Rule preview API - /api/detection_engine/signals/assignees: - post: - description: | - Assign users to detection alerts, and unassign them from alerts. - > info - > You cannot add and remove the same assignee in the same request. - operationId: SetAlertAssignees - requestBody: - content: - application/json: - examples: - add: - $ref: >- - #/components/examples/Security_Detections_API_SetAlertAssigneesBodyAdd - remove: - $ref: >- - #/components/examples/Security_Detections_API_SetAlertAssigneesBodyRemove - schema: - $ref: >- - #/components/schemas/Security_Detections_API_SetAlertAssigneesBody - description: User profile IDs to add or remove on each listed alert document ID. - required: true + - Security Exceptions API + x-metaTags: + - content: Kibana + name: product_name + /api/exception_lists/items: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/exception_lists/items
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete an exception list item using the `id` or `item_id` field. + operationId: DeleteExceptionListItem + parameters: + - description: Exception item's identifier. Either `id` or `item_id` must be specified + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' + - description: Human readable exception item string identifier, e.g. `trusted-linux-processes`. Either `id` or `item_id` must be specified + in: query + name: item_id + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId' + - description: | + `single` deletes the item in the current Kibana space; `agnostic` deletes an item in a space-agnostic list. Must match the list that owns the item. + examples: + agnostic: + value: agnostic + single: + value: single + in: query + name: namespace_type + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + default: single responses: '200': content: application/json: examples: - add: + simpleExceptionItem: value: - batches: 1 - deleted: 0 - failures: [] - noops: 0 - requests_per_second: -1 - retries: - bulk: 0 - search: 0 - throttled_millis: 0 - throttled_until_millis: 0 - timed_out: false - took: 76 - total: 1 - updated: 1 - version_conflicts: 0 + _version: WzQsMV0= + comments: [] + created_at: '2025-01-07T20:07:33.119Z' + created_by: elastic + description: This is a sample detection type exception item. 
+ entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + - field: host.name + operator: included + type: match_any + value: + - saturn + - jupiter + id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c + type: simple + updated_at: '2025-01-07T20:07:33.119Z' + updated_by: elastic schema: - additionalProperties: true - description: Elasticsearch update by query response - type: object - description: > - Indicates a successful call. The body matches an Elasticsearch - update-by-query response - - (for example `took`, `updated`, `failures`). + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' + description: Successful response '400': content: application/json: @@ -10961,16 +25119,12 @@ paths: badRequest: value: error: Bad Request - message: >- - [request body].ids: at least one alert id is required to - update assignees + message: '[request query]: namespace_type.0: Invalid enum value. Expected ''agnostic'' | ''single'', received ''blob''' statusCode: 400 schema: oneOf: - - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Detections_API_SiemErrorResponse + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Invalid input data response '401': content: 
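Review bot: The `id` and `item_id` query parameters are both `required: false` and the only statement that one of them is mandatory sits in their free-text descriptions, so generated clients and the rendered docs will present a call with neither as valid. OpenAPI cannot express this as a constraint, so state it in the operation's description, e.g. `Delete an exception list item using the \`id\` or \`item_id\` field. One of the two is required; a request with neither returns 400.`, and add a second `400` example for that case alongside the existing `namespace_type` one. The `404` example's `\"foo\"` inside single quotes will render with literal backslashes; `message: 'exception list item item_id: "foo" does not exist'` gives the intended value.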
@@ -10979,11 +25133,10 @@ paths: unauthorized: value: error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: @@ -10992,16 +25145,22 @@ paths: forbidden: value: error: Forbidden - message: >- - API [POST /api/detection_engine/signals/assignees] is - unauthorized for the current user, this action is granted - by the Kibana Security Solution privileges for cases and - detections + message: API [DELETE /api/exception_lists/items?item_id=simple_list&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] statusCode: 403 schema: - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'exception list item item_id: \"foo\" does not exist' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list item not found response '500': content: application/json: 
@@ -11011,75 +25170,88 @@ paths: message: Internal Server Error status_code: 500 schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Internal server error response - summary: Assign and unassign users from detection alerts + summary: Delete an exception list item tags: - - Security Detections API - - Alerts API - /api/detection_engine/signals/finalize_migration: - post: - deprecated: true - description: > - **DEPRECATED.** Completes a legacy alert index migration. Do not - automate against this in new code. - - **WARNING:** Finalizing swaps read aliases; confirm the migration has - finished successfully before calling. - + - Security Exceptions API + x-metaTags: + - content: Kibana + name: product_name + get: + description: |- + **Spaces method and path for this operation:** - Finalize successful migrations of detection alerts. This replaces the - original index's alias with the +
get /s/{space_id}/api/exception_lists/items
- successfully migrated index's alias. The endpoint is idempotent, so you - can poll until a migration + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - finishes and then call this operation once. - operationId: FinalizeAlertsMigration - requestBody: - content: - application/json: - examples: - oneMigration: - value: - migration_ids: - - 924f7c50-505f-11eb-ae0a-3fa2e626a51d - schema: - example: - migration_ids: - - 924f7c50-505f-11eb-ae0a-3fa2e626a51d - type: object - properties: - migration_ids: - description: Array of `migration_id`s to finalize. - items: - type: string - minItems: 1 - type: array - required: - - migration_ids - description: Array of `migration_id`s to finalize - required: true + Get the details of an exception list item using the `id` or `item_id` field. + operationId: ReadExceptionListItem + parameters: + - description: Exception list item's identifier. Either `id` or `item_id` must be specified. + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' + - description: Human readable exception item string identifier, e.g. `trusted-linux-processes`. Either `id` or `item_id` must be specified. + in: query + name: item_id + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId' + - description: | + `single` fetches the item in the current space; `agnostic` fetches a global (space-agnostic) item. Must + match how the list was created. 
+ examples: + agnostic: + value: agnostic + single: + value: single + in: query + name: namespace_type + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + default: single responses: '200': content: application/json: examples: - success: + simpleListItem: value: - migrations: - - completed: true - destinationIndex: .siem-signals-default-000002-r000016 - id: 924f7c50-505f-11eb-ae0a-3fa2e626a51d - sourceIndex: .siem-signals-default-000002 - status: success - updated: '2021-01-06T22:05:56.859Z' - version: 16 + _version: WzQsMV0= + comments: [] + created_at: '2025-01-07T20:07:33.119Z' + created_by: elastic + description: This is a sample detection type exception item. + entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + - field: host.name + operator: included + type: match_any + value: + - saturn + - jupiter + id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c + type: simple + updated_at: '2025-01-07T20:07:33.119Z' + updated_by: elastic schema: - items: - $ref: >- - #/components/schemas/Security_Detections_API_MigrationFinalizationResult - type: array + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' description: Successful response '400': content: 
@@ -11088,16 +25260,12 @@ paths: badRequest: value: error: Bad Request - message: >- - [request body].migration_ids: at least one migration id is - required to finalize + message: '[request query]: namespace_type.0: Invalid enum value. Expected ''agnostic'' | ''single'', received ''blob''' statusCode: 400 schema: oneOf: - - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Detections_API_SiemErrorResponse + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Invalid input data response '401': content: 
@@ -11106,12 +25274,34 @@ paths: unauthorized: value: error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [GET /api/exception_lists/items?item_id=&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'exception list item item_id: \"foo\" does not exist' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list item not found response '500': content: application/json: 
@@ -11121,78 +25311,251 @@ paths: message: Internal Server Error status_code: 500 schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Internal server error response - summary: Finalize detection alert migrations + summary: Get an exception list item tags: - - Security Detections API - - Alerts migration API - /api/detection_engine/signals/migration: - delete: - deprecated: true - description: > - **DEPRECATED.** Cleanup API for old migration artifacts. Do not add new - call sites. - - **WARNING:** This schedules deletions; ensure no production reads still - point at the source index. - - - Migrations favor data integrity over shard size. Consequently, unused or - orphaned indices are artifacts of + - Security Exceptions API + x-metaTags: + - content: Kibana + name: product_name + post: + description: | + **Spaces method and path for this operation:** - the migration process. A successful migration can leave both the old and - new indices present, so the old +
post /s/{space_id}/api/exception_lists/items
- index may be deleted. While you can delete these indices manually, the - endpoint applies a deletion policy + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - to the relevant index, causing it to be deleted after 30 days, and - removes other migration-specific artifacts. - operationId: AlertsMigrationCleanup + Create an exception item and associate it with the specified exception list. + > info + > Before creating exception items, you must create an exception list. + operationId: CreateExceptionListItem requestBody: content: application/json: examples: - cleanupMigrations: + simpleItem: value: - migration_ids: - - 924f7c50-505f-11eb-ae0a-3fa2e626a51d + description: This is a sample detection type exception item. + entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + type: simple schema: - example: - migration_ids: - - 924f7c50-505f-11eb-ae0a-3fa2e626a51d - type: object - properties: - migration_ids: - description: Array of `migration_id`s to cleanup. 
- items: - type: string - minItems: 1 - type: array - required: - - migration_ids - description: Array of `migration_id`s to cleanup + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemGeneric' + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemEndpointList' + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedAppsWindows' + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedAppsMac' + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedAppsLinux' + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedDevicesWindows' + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedDevicesMac' + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedDevicesWindowsMac' + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemEventFilters' + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemHostIsolation' + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBlocklistWindows' + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBlocklistLinux' + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBlocklistMac' + description: Exception list item's properties required: true responses: '200': content: application/json: examples: - success: + autogeneratedItemId: + value: + _version: WzYsMV0= + comments: [] + created_at: '2025-01-09T01:16:23.322Z' + created_by: elastic + description: This is a sample exception that has no item_id so it is autogenerated. 
+ entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + id: 323faa75-c657-4fa0-9084-8827612c207b + item_id: 80e6edf7-4b13-4414-858f-2fa74aa52b37 + list_id: 8c1aae4c-1ef5-4bce-a2e3-16584b501783 + name: Sample Autogenerated Exception List Item ID + namespace_type: single + os_types: [] + tags: + - malware + tie_breaker_id: d6799986-3a23-4213-bc6d-ed9463a32f23 + type: simple + updated_at: '2025-01-09T01:16:23.322Z' + updated_by: elastic + detectionExceptionListItem: + value: + _version: WzQsMV0= + comments: [] + created_at: '2025-01-07T20:07:33.119Z' + created_by: elastic + description: This is a sample detection type exception item. + entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c + type: simple + updated_at: '2025-01-07T20:07:33.119Z' + updated_by: elastic + withExistEntry: + value: + _version: WzQsMV0= + comments: [] + created_at: '2025-01-07T20:07:33.119Z' + created_by: elastic + description: This is a sample detection type exception item. + entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c + type: simple + updated_at: '2025-01-07T20:07:33.119Z' + updated_by: elastic + withMatchAnyEntry: + value: + _version: WzQsMV0= + comments: [] + created_at: '2025-01-07T20:07:33.119Z' + created_by: elastic + description: This is a sample detection type exception item. 
+ entries: + - field: host.name + operator: included + type: match_any + value: + - saturn + - jupiter + id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c + type: simple + updated_at: '2025-01-07T20:07:33.119Z' + updated_by: elastic + withMatchEntry: + value: + _version: WzQsMV0= + comments: [] + created_at: '2025-01-07T20:07:33.119Z' + created_by: elastic + description: This is a sample detection type exception item. + entries: + - field: actingProcess.file.signer + operator: included + type: match + value: Elastic N.V. + id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c + type: simple + updated_at: '2025-01-07T20:07:33.119Z' + updated_by: elastic + withNestedEntry: value: - migrations: - - destinationIndex: .siem-signals-default-000002-r000016 - id: 924f7c50-505f-11eb-ae0a-3fa2e626a51d - sourceIndex: .siem-signals-default-000002 - status: success - updated: 2021-01-06T22:05:56.859Z - version: 16 + _version: WzQsMV0= + comments: [] + created_at: '2025-01-07T20:07:33.119Z' + created_by: elastic + description: This is a sample detection type exception item. 
+ entries: + - entries: + - field: signer + operator: included + type: match + value: Evil + - field: trusted + operator: included + type: match + value: true + field: file.signature + type: nested + id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c + type: simple + updated_at: '2025-01-07T20:07:33.119Z' + updated_by: elastic + withValueListEntry: + value: + _version: WzcsMV0= + comments: [] + created_at: '2025-01-09T01:31:12.614Z' + created_by: elastic + description: Don't signal when agent.name is rock01 and source.ip is in the goodguys.txt list + entries: + - field: source.ip + list: + id: goodguys.txt + type: ip + operator: excluded + type: list + id: deb26876-297d-4677-8a1f-35467d2f1c4f + item_id: 686b129e-9b8d-4c59-8d8d-c93a9ea82c71 + list_id: 8c1aae4c-1ef5-4bce-a2e3-16584b501783 + name: Filter out good guys ip and agent.name rock01 + namespace_type: single + os_types: [] + tags: + - malware + tie_breaker_id: 5e0288ce-6657-4c18-9dcc-00ec9e8cc6c8 + type: simple + updated_at: '2025-01-09T01:31:12.614Z' + updated_by: elastic schema: - items: - $ref: >- - #/components/schemas/Security_Detections_API_MigrationCleanupResult - type: array + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' description: Successful response '400': content: 
@@ -11200,17 +25563,13 @@ paths: examples: badRequest: value: - error: Bad Request - message: >- - [request body].migration_ids: at least one migration id is - required to run cleanup - statusCode: 400 + error: Bad Request, + message: '[request body]: list_id: Expected string, received number' + statusCode: 400, schema: oneOf: - - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Detections_API_SiemErrorResponse + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Invalid input data response '401': content: 
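Review bot: The new `badRequest` example carries trailing commas on two lines, `error: Bad Request,` and `statusCode: 400,`, which YAML reads as the strings `"Bad Request,"` and `"400,"` rather than a bare string and an integer; if `Security_Exceptions_API_PlatformErrorResponse` declares `statusCode` as an integer, the example no longer validates against its own schema. Drop the commas: `error: Bad Request` and `statusCode: 400`. The same stray commas appear in the `withErrors` import example earlier in this file (`success: false,`, `success_count: 0,`, `success_count_exception_lists: 0,`, `success_exception_lists: true,`), which turns booleans and counts into strings there too; if this bundle is generated from per-domain specs, the fix belongs in the source spec rather than here.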
@@ -11219,130 +25578,34 @@ paths: unauthorized: value: error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Internal server error response - summary: Clean up detection alert migrations - tags: - - Security Detections API - - Alerts migration API - post: - deprecated: true - description: > - **DEPRECATED.** Legacy API for on-demand reindexing of old - `.siem-signals-*` alert indices. Do not build new - - integrations; upgrade the Elastic Stack and rely on product-managed data - lifecycle instead. - - **WARNING:** Migrations can be resource intensive and should be planned - during a maintenance window. - - - Initiate a migration of detection alerts. Migrations are initiated per - index. The process is not destructive - - and should not remove existing data, but it can consume significant - cluster resources. Plan capacity accordingly. 
- operationId: CreateAlertsMigration - requestBody: - content: - application/json: - examples: - singleIndex: - value: - index: - - .siem-signals-default-000001 - schema: - allOf: - - type: object - properties: - index: - description: Array of index names to migrate. - items: - format: nonempty - minLength: 1 - type: string - minItems: 1 - type: array - required: - - index - - $ref: >- - #/components/schemas/Security_Detections_API_AlertsReindexOptions - description: Alerts migration parameters - required: true - responses: - '200': - content: - application/json: - examples: - success: - value: - indices: - - index: .siem-signals-default-000001, - migration_id: 923f7c50-505f-11eb-ae0a-3fa2e626a51d - migration_index: .siem-signals-default-000001-r000016 - schema: - type: object - properties: - indices: - items: - oneOf: - - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexMigrationSuccess - - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexMigrationError - - $ref: >- - #/components/schemas/Security_Detections_API_SkippedAlertsIndexMigration - type: array - required: - - indices - description: Successful response - '400': + '403': content: application/json: examples: - badRequest: + forbidden: value: - error: Bad Request - message: >- - [request body].index: at least one index name is required - to start a migration - statusCode: 400 + error: Forbidden + message: API [POST /api/exception_lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Detections_API_SiemErrorResponse - description: Invalid input data response - '401': + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '409': content: application/json: examples: - unauthorized: + alreadyExists: 
value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 + message: 'exception list item id: \"simple_list_item\" already exists' + status_code: 409 schema: - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - description: Unsuccessful authentication response + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list item already exists response '500': content: application/json: @@ -11352,84 +25615,82 @@ paths: message: Internal Server Error status_code: 500 schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Internal server error response - summary: Initiate a detection alert migration + summary: Create an exception list item tags: - - Security Detections API - - Alerts migration API - /api/detection_engine/signals/migration_status: - get: - deprecated: true - description: > - **DEPRECATED.** This endpoint was used for historical `.siem-signals-*` - index migration workflows. Do not use - - for new automations; there is no supported replacement in this public - API. - - **WARNING:** Prefer upgrading through supported Elastic stack upgrades - rather than ad-hoc index migrations. - + - Security Exceptions API + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** - Retrieves indices that contain detection alerts of a particular age, - along with migration information for +
put /s/{space_id}/api/exception_lists/items
- each of those indices. - operationId: ReadAlertsMigrationStatus - parameters: - - description: Maximum age of qualifying detection alerts - in: query - name: from - required: true - schema: - description: > - Time from which data is analyzed. For example, now-4200s means the - rule analyzes data from 70 minutes + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - before its start time. Defaults to now-6m (analyzes data from 6 - minutes before the start time). - example: now-30d - format: date-math - type: string + Update an exception list item using the `id` or `item_id` field. + operationId: UpdateExceptionListItem + requestBody: + content: + application/json: + examples: + updateItem: + value: + description: Updated description + id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + name: Updated name + namespace_type: single + type: simple + schema: + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemGeneric' + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemEndpointList' + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedAppsWindows' + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedAppsMac' + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedAppsLinux' + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesWindows' + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesMac' + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesWindowsMac' + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemEventFilters' + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemHostIsolation' + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBlocklistWindows' + - $ref: 
'#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBlocklistLinux' + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBlocklistMac' + description: Exception list item's properties + required: true responses: '200': content: application/json: examples: - success: + simpleListItem: value: - indices: - - index: .siem-signals-default-000002 - is_outdated: true - migrations: - - id: 924f7c50-505f-11eb-ae0a-3fa2e626a51d - status: pending - updated: 2021-01-06T20:41:37.173Z - version: 16 - signal_versions: - - count: 100 - version: 15 - - count: 87 - version: 16 - version: 15 - - index: .siem-signals-default-000003 - is_outdated: false - migrations: [] - signal_versions: - - count: 54 - version: 16 - version: 16 + _version: WzEyLDFd + comments: [] + created_at: '2025-01-07T21:12:25.512Z' + created_by: elastic + description: Updated description + entries: + - field: host.name + operator: included + type: match + value: rock01 + id: 459c5e7e-f8b2-4f0b-b136-c1fc702f72da + item_id: simple_list_item + list_id: simple_list + name: Updated name + namespace_type: single + os_types: [] + tags: [] + tie_breaker_id: ad0754ff-7b19-49ca-b73e-e6aff6bfa2d0 + type: simple + updated_at: '2025-01-07T21:34:50.233Z' + updated_by: elastic schema: - type: object - properties: - indices: - items: - $ref: >- - #/components/schemas/Security_Detections_API_IndexMigrationStatus - type: array - required: - - indices + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' description: Successful response '400': content: 
@@ -11438,14 +25699,12 @@ paths: badRequest: value: error: Bad Request - message: '[request query].from: expected date-math, received null' + message: '[request body]: item_id: Expected string, received number' statusCode: 400 schema: oneOf: - - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Detections_API_SiemErrorResponse + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Invalid input data response '401': content: 
@@ -11454,134 +25713,34 @@ paths: unauthorized: value: error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Internal server error response - summary: Retrieve the status of detection alert migrations - tags: - - Security Detections API - - Alerts migration API - /api/detection_engine/signals/search: - post: - description: Find and/or aggregate detection alerts that match the given query. 
- operationId: SearchAlerts - requestBody: - content: - application/json: - examples: - query: - value: - aggs: - alertsByGrouping: - terms: - field: host.name - size: 10 - missingFields: - missing: - field: host.name - query: - bool: - filter: - - bool: - filter: - - match_phrase: - kibana.alert.workflow_status: open - must: [] - must_not: - - exists: - field: kibana.alert.building_block_type - should: [] - - range: - '@timestamp': - gte: 2025-01-17T08:00:00.000Z - lte: 2025-01-18T07:59:59.999Z - runtime_mappings: {} - size: 0 - schema: - $ref: >- - #/components/schemas/Security_Detections_API_QueryAlertsBodyParams - description: Elasticsearch query and aggregation request - description: Search and/or aggregation query - required: true - responses: - '200': - content: - application/json: - examples: - success: - value: - _shards: - failed: 0 - skipped: 0 - successful: 1 - total: 1 - aggregations: - alertsByGrouping: - buckets: - - doc_count: 5 - key: Host-f43kkddfyc - doc_count_error_upper_bound: 0 - sum_other_doc_count: 0 - missingFields: - doc_count: 0 - hits: - hits: [] - max_score: null - total: - relation: eq - value: 5 - timed_out: false - took: 0 - schema: - additionalProperties: true - description: Elasticsearch search response - type: object - description: Successful response - '400': + '403': content: application/json: examples: - badRequest: + forbidden: value: - error: Bad Request - message: >- - Failed to parse search request: unknown query clause in - bool filter - statusCode: 400 + error: Forbidden + message: API [PUT /api/exception_lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Detections_API_SiemErrorResponse - description: Invalid input data response - '401': + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + 
description: Not enough privileges response + '404': content: application/json: examples: - unauthorized: + notFound: value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 + message: 'exception list item item_id: \"foo\" does not exist' + status_code: 404 schema: - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - description: Unsuccessful authentication response + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list item not found response '500': content: application/json: 
@@ -11591,110 +25750,168 @@ paths: message: Internal Server Error status_code: 500 schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Internal server error response - summary: Find and/or aggregate detection alerts + summary: Update an exception list item tags: - - Security Detections API - - Alerts API - /api/detection_engine/signals/status: - post: - description: Set the status of one or more detection alerts. - operationId: SetAlertsStatus - requestBody: - content: - application/json: - examples: - byId: - value: - signal_ids: - - >- - 80e1383f856e67c1b7f7a1634744fa6d66b6e2ef7aa26d226e57afb5a7b2b4a1 - status: closed - byQuery: - value: - conflicts: proceed - query: - bool: - filter: - - '@timestamp': - format: strict_date_optional_time - gte: 2024-10-23T07:00:00.000Z - lte: 2025-01-21T20:12:11.704Z - range: null - - bool: - filter: - bool: - filter: - - match_phrase: - kibana.alert.workflow_status: open - - '@timestamp': - format: strict_date_optional_time - gte: 2024-10-23T07:00:00.000Z - lte: 2025-01-21T20:12:11.704Z - range: null - must: [] - must_not: - - exists: - field: kibana.alert.building_block_type - should: [] - must: [] - must_not: [] - should: [] - status: closed - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Detections_API_SetAlertsStatusByIds - - $ref: >- - #/components/schemas/Security_Detections_API_SetAlertsStatusByQuery - description: >- - An object containing desired status and explicit alert ids or a query - to select alerts - required: true + - Security Exceptions API + x-metaTags: + - content: Kibana + name: product_name + /api/exception_lists/items/_find: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/exception_lists/items/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all exception list items in the specified list. + operationId: FindExceptionListItems + parameters: + - description: The `list_id`s of the items to fetch. + in: query + name: list_id + required: true + schema: + items: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + type: array + - description: | + Filters the returned results according to the value of the specified field, + using the `:` syntax. + examples: + singleFilter: + value: + - exception-list.attributes.name:%My%20item + in: query + name: filter + required: false + schema: + default: [] + items: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + type: array + - description: | + Determines whether the returned containers are Kibana associated with a Kibana space + or available in all spaces (`agnostic` or `single`) + examples: + single: + value: + - single + in: query + name: namespace_type + required: false + schema: + default: + - single + items: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + type: array + - description: | + Free-text search term applied to exception list item fields (for example a hostname or file path fragment). + in: query + name: search + required: false + schema: + example: host.name + type: string + - description: The page number to return + in: query + name: page + required: false + schema: + example: 1 + minimum: 0 + type: integer + - description: The number of exception list items to return per page + in: query + name: per_page + required: false + schema: + example: 20 + minimum: 0 + type: integer + - description: Determines which field is used to sort the results. + example: name + in: query + name: sort_field + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + - description: Determines the sort order, which can be `desc` or `asc`. 
+ in: query + name: sort_order + required: false + schema: + enum: + - desc + - asc + example: desc + type: string responses: '200': content: application/json: - examples: - byId: - value: - batches: 1 - deleted: 0 - failures: [] - noops: 0 - requests_per_second: -1 - retries: - bulk: 0 - search: 0 - throttled_millis: 0 - throttled_until_millis: 0 - timed_out: false - took: 81 - total: 1 - updated: 1 - version_conflicts: 0 - byQuery: + examples: + simpleListItems: value: - batches: 1 - deleted: 0 - failures: [] - noops: 0 - requests_per_second: -1 - retries: - bulk: 0 - search: 0 - throttled_millis: 0 - throttled_until_millis: 0 - timed_out: false - took: 100 - total: 17 - updated: 17 - version_conflicts: 0 + data: + - _version: WzgsMV0= + comments: [] + created_at: '2025-01-07T21:12:25.512Z' + created_by: elastic + description: This is a sample exception item. + entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + - field: host.name + operator: included + type: match_any + value: + - jupiter + - saturn + id: 459c5e7e-f8b2-4f0b-b136-c1fc702f72da + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: ad0754ff-7b19-49ca-b73e-e6aff6bfa2d0 + type: simple + updated_at: '2025-01-07T21:12:25.512Z' + updated_by: elastic + page: 1 + per_page: 20 + total: 1 schema: - additionalProperties: true - description: Elasticsearch update by query response type: object + properties: + data: + items: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' + type: array + page: + minimum: 1 + type: integer + per_page: + minimum: 1 + type: integer + pit: + type: string + total: + minimum: 0 + type: integer + required: + - data + - page + - per_page + - total description: Successful response '400': content: 
@@ -11703,16 +25920,12 @@ paths: badRequest: value: error: Bad Request - message: >- - [request body].signal_ids: at least one alert id is - required to update status + message: '[request query]: namespace_type.0: Invalid enum value. Expected ''agnostic'' | ''single'', received ''blob''' statusCode: 400 schema: oneOf: - - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Detections_API_SiemErrorResponse + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Invalid input data response '401': content: 
@@ -11721,111 +25934,34 @@ paths: unauthorized: value: error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Internal server error response - summary: Set a detection alert status - tags: - - Security Detections API - - Alerts API - /api/detection_engine/signals/tags: - post: - description: > - Add tags to detection alerts, and remove them from alerts, by alert IDs - or a query, in a single request. - - > info - - > You cannot add and remove the same alert tag in the same request. 
- operationId: SetAlertTags - requestBody: - content: - application/json: - examples: - add: - $ref: >- - #/components/examples/Security_Detections_API_SetAlertTagsBodyAdd - remove: - $ref: >- - #/components/examples/Security_Detections_API_SetAlertTagsBodyRemove - schema: - $ref: '#/components/schemas/Security_Detections_API_SetAlertTagsBody' - description: >- - An object containing tags to add or remove and alert ids the changes - will be applied - required: true - responses: - '200': - content: - application/json: - examples: - success: - value: - batches: 1, - deleted: 0, - failures: [] - noops: 0, - requests_per_second: '-1,' - retries: - bulk: 0, - search: 0 - throttled_millis: 0, - throttled_until_millis: 0, - timed_out: false, - took: 68, - total: 1, - updated: 1, - version_conflicts: 0, - schema: - additionalProperties: true - description: Elasticsearch update by query response - type: object - description: Successful response - '400': + '403': content: application/json: examples: - badRequest: + forbidden: value: - error: Bad Request - message: >- - [request body].tags: cannot add and remove the same tag in - a single request - statusCode: 400 + error: Forbidden + message: API [GET /api/exception_lists/items/_find?list_id=simple_list&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] + statusCode: 403 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Detections_API_SiemErrorResponse - description: Invalid input data response - '401': + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '404': content: application/json: examples: - unauthorized: + notFound: value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request 
[/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 + message: 'exception list list_id: "foo" does not exist' + status_code: 404 schema: - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - description: Unsuccessful authentication response + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list not found response '500': content: application/json: 
@@ -11835,168 +25971,85 @@ paths: message: Internal Server Error status_code: 500 schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Internal server error response - summary: Add and remove detection alert tags + summary: Get exception list items tags: - - Security Detections API - - Alerts API - /api/detection_engine/tags: + - Security Exceptions API + x-metaTags: + - content: Kibana + name: product_name + /api/exception_lists/summary: get: - description: List all unique tags from all detection rules. - operationId: ReadTags - responses: - '200': - content: - application/json: - examples: - example1: - value: - - zeek - - suricata - - windows - - linux - - network - - initial access - - remote access - - phishing - schema: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - description: Indicates a successful call - summary: List all detection rule tags - tags: - - Security Detections API - - Tags API - /api/encrypted_saved_objects/_rotate_key: - post: - description: > - Superuser role required. - + description: |- + **Spaces method and path for this operation:** - If a saved object cannot be decrypted using the primary encryption key, - then Kibana will attempt to decrypt it using the specified - decryption-only keys. In most of the cases this overhead is negligible, - but if you're dealing with a large number of saved objects and - experiencing performance issues, you may want to rotate the encryption - key. +
get /s/{space_id}/api/exception_lists/summary
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - This functionality is in technical preview and may be changed or removed - in a future release. Elastic will work to fix any issues, but features - in technical preview are not subject to the support SLA of official GA - features. - operationId: rotateEncryptionKey + Get a summary of the specified exception list. + operationId: ReadExceptionListSummary parameters: - - description: > - Specifies a maximum number of saved objects that Kibana can process - in a single batch. Bulk key rotation is an iterative process since - Kibana may not be able to fetch and process all required saved - objects in one go and splits processing into consequent batches. By - default, the batch size is 10000, which is also a maximum allowed - value. + - description: Exception list's identifier generated upon creation. in: query - name: batch_size + name: id required: false schema: - default: 10000 - type: number - - description: > - Limits encryption key rotation only to the saved objects with the - specified type. By default, Kibana tries to rotate the encryption - key for all saved object types that may contain encrypted - attributes. + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' + - description: Exception list's human readable identifier. in: query - name: type + name: list_id + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + - description: | + `single` returns summary for a list in the current space; `agnostic` for a space-agnostic list. Must + line up with `id` / `list_id` used to look up the list. 
+ examples: + agnostic: + value: agnostic + single: + value: single + in: query + name: namespace_type + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + default: single + - description: Search filter clause + in: query + name: filter required: false schema: + example: exception-list-agnostic.attributes.tags:"policy:policy-1" OR exception-list-agnostic.attributes.tags:"policy:all" type: string responses: '200': content: application/json: examples: - rotateEncryptionKeyResponse: - $ref: '#/components/examples/Saved_objects_key_rotation_response' + summary: + value: + linux: 0 + macos: 0 + total: 0 + windows: 0 schema: type: object properties: - failed: - description: > - Indicates the number of the saved objects that were still - encrypted with one of the old encryption keys that Kibana - failed to re-encrypt with the primary key. - type: number - successful: - description: > - Indicates the total number of all encrypted saved objects - (optionally filtered by the requested `type`), regardless - of the key Kibana used for encryption. - - - NOTE: In most cases, `total` will be greater than - `successful` even if `failed` is zero. The reason is that - Kibana may not need or may not be able to rotate - encryption keys for all encrypted saved objects. - type: number + linux: + minimum: 0 + type: integer + macos: + minimum: 0 + type: integer total: - description: > - Indicates the total number of all encrypted saved objects - (optionally filtered by the requested `type`), regardless - of the key Kibana used for encryption. - type: number - description: Indicates a successful call. - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/Saved_objects_400_response' - description: Bad request - '429': - content: - application/json: - schema: - type: object - description: Already in progress. 
- summary: Rotate a key for encrypted saved objects - tags: - - saved objects - /api/endpoint_list: - post: - description: >- - Create the exception list for Elastic Endpoint rule exceptions. When you - create the exception list, it will have a `list_id` of `endpoint_list`. - If the Elastic Endpoint exception list already exists, your request will - return an empty response. - operationId: CreateEndpointList - responses: - '200': - content: - application/json: - examples: - alreadyExists: - summary: Endpoint exception list already exists (empty response) - value: {} - newList: - summary: Endpoint exception list created - value: - created_at: '2025-01-01T00:00:00.000Z' - created_by: elastic - description: Endpoint Security Exception List - id: 2e23a8c4-ef7e-4c10-adfa-3eae4e4b4b8b - immutable: false - list_id: endpoint_list - name: Endpoint Security Exception List - namespace_type: agnostic - os_types: [] - tags: [] - tie_breaker_id: e3c5a8e0-5b6a-4b4b-8b3a-2e23a8c4ef7e - type: endpoint - updated_at: '2025-01-01T00:00:00.000Z' - updated_by: elastic - version: 1 - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_EndpointList + minimum: 0 + type: integer + windows: + minimum: 0 + type: integer description: Successful response '400': content: 
@@ -12005,17 +26058,13 @@ paths: badRequest: value: error: Bad Request - message: >- - [request body]: expected value of type [object] but got - [undefined] + message: '[request query]: namespace_type.0: Invalid enum value. Expected ''agnostic'' | ''single'', received ''blob''' statusCode: 400 schema: oneOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Invalid input data + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response '401': content: application/json: @@ -12023,12 +26072,11 @@ paths: unauthorized: value: error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response '403': content: application/json: 
@@ -12036,15 +26084,22 @@ paths: forbidden: value: error: Forbidden - message: >- - API [POST /api/endpoint_list] is unauthorized for user, - this action is granted by the Kibana privileges - [lists-all] + message: API [GET /api/exception_lists/summary?list_id=simple_list&namespace_type=agnostic] is unauthorized for user, this action is granted by the Kibana privileges [lists-summary] statusCode: 403 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Insufficient privileges + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message": 'exception list id: "foo" does not exist' + status_code": 404 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list not found response '500': content: application/json: 
@@ -12054,66 +26109,79 @@ paths: message: Internal Server Error status_code: 500 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Internal server error - summary: Create an Elastic Endpoint rule exception list + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Get an exception list summary tags: - - Security Endpoint Exceptions API - /api/endpoint_list/items: - delete: - description: >- - Delete an Elastic Endpoint exception list item, specified by the `id` or - `item_id` field. - operationId: DeleteEndpointListItem - parameters: - - description: Either `id` or `item_id` must be specified - in: query - name: id - required: false - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId - - description: Either `id` or `item_id` must be specified - in: query - name: item_id - required: false - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId + - Security Exceptions API + x-metaTags: + - content: Kibana + name: product_name + /api/exceptions/shared: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/exceptions/shared
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + An exception list groups exception items and can be associated with detection rules. A shared exception list can apply to multiple detection rules. + > info + > All exception items added to the same list are evaluated using `OR` logic. That is, if any of the items in a list evaluate to `true`, the exception prevents the rule from generating an alert. Likewise, `OR` logic is used for evaluating exceptions when more than one exception list is assigned to a rule. To use the `AND` operator, you can define multiple clauses (`entries`) in a single exception item. + operationId: CreateSharedExceptionList + requestBody: + content: + application/json: + examples: + createSharedExceptionList: + value: + description: This is a sample detection type exception list. + list_id: simple_list + name: Sample Detection Exception List + namespace_type: single + os_types: + - linux + tags: + - malware + schema: + type: object + properties: + description: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListDescription' + name: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListName' + required: + - name + - description + required: true responses: '200': content: application/json: examples: - deleted: - summary: Deleted endpoint exception list item + sharedList: value: - comments: [] - created_at: '2025-01-01T12:00:00.000Z' + _version: WzIsMV0= + created_at: '2025-01-07T19:34:27.942Z' created_by: elastic - description: Blocks a known malicious file by its hash - entries: - - field: file.hash.sha256 - operator: included - type: match - value: >- - e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e - item_id: block-malicious-file - list_id: endpoint_list - name: Block malicious file - namespace_type: agnostic + description: This is a sample detection type exception list. 
+ id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 + immutable: false + list_id: simple_list + name: Sample Detection Exception List + namespace_type: single os_types: - - windows - tags: [] - tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 - type: simple - updated_at: '2025-01-01T12:00:00.000Z' + - linux + tags: + - malware + tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 + type: detection + updated_at: '2025-01-07T19:34:27.942Z' updated_by: elastic + version: 1 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' description: Successful response '400': content: @@ -12122,17 +26190,13 @@ paths: badRequest: value: error: Bad Request - message: >- - Either "item_id" or "id" needs to be defined in the - request + message: '[request body]: list_id: Expected string, received number' statusCode: 400 schema: oneOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Invalid input data + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response '401': content: application/json: 
@@ -12143,40 +26207,30 @@ paths: message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" statusCode: 401 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: - error: Forbidden - message: >- - API [DELETE - /api/endpoint_list/items?item_id=block-malicious-file] is - unauthorized for user, this action is granted by the - Kibana privileges [lists-all] - statusCode: 403 + message: Unable to create exception-list + status_code: 403 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Insufficient privileges - '404': + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '409': content: application/json: examples: - notFound: + alreadyExists: value: - message: >- - exception list item item_id: "block-malicious-file" does - not exist - status_code: 404 + message: 'exception list id: "simple_list" already exists' + status_code: 409 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Endpoint list item not found + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list already exists response '500': content: application/json: 
@@ -12186,3377 +26240,4828 @@ paths: message: Internal Server Error status_code: 500 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Internal server error - summary: Delete an Elastic Endpoint exception list item + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Create a shared exception list tags: - - Security Endpoint Exceptions API + - Security Exceptions API + x-metaTags: + - content: Kibana + name: product_name + /api/features: get: - description: >- - Get the details of an Elastic Endpoint exception list item, specified by - the `id` or `item_id` field. - operationId: ReadEndpointListItem - parameters: - - description: Either `id` or `item_id` must be specified - in: query - name: id - required: false - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId - - description: Either `id` or `item_id` must be specified - in: query - name: item_id - required: false - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId + description: | + Get information about all Kibana features. Features are used by spaces and security to refine and secure access to Kibana. 
+ operationId: get-features + responses: + '200': + content: + application/json: + examples: + getFeaturesExample: + value: | + { + "features": [ + { + "name": "tasks", + "description": "Manages task results" + }, + { + "name": "security", + "description": "Manages configuration for Security features, such as users and roles" + }, + { + "name": "searchable_snapshots", + "description": "Manages caches and configuration for searchable snapshots" + }, + { + "name": "logstash_management", + "description": "Enables Logstash Central Management pipeline storage" + }, + { + "name": "transform", + "description": "Manages configuration and state for transforms" + }, + { + "name": "kibana", + "description": "Manages Kibana configuration and reports" + }, + { + "name": "synonyms", + "description": "Manages synonyms" + }, + { + "name": "async_search", + "description": "Manages results of async searches" + }, + { + "name": "ent_search", + "description": "Manages configuration for Enterprise Search features" + }, + { + "name": "machine_learning", + "description": "Provides anomaly detection and forecasting functionality" + }, + { + "name": "geoip", + "description": "Manages data related to GeoIP database downloader" + }, + { + "name": "watcher", + "description": "Manages Watch definitions and state" + }, + { + "name": "fleet", + "description": "Manages configuration for Fleet" + }, + { + "name": "enrich", + "description": "Manages data related to Enrich policies" + }, + { + "name": "inference_plugin", + "description": "Inference plugin for managing inference services and inference" + } + ] + } + schema: + type: object + description: Indicates a successful call + summary: Get features + tags: + - system + x-state: Technical Preview + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agent_download_sources: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agent_download_sources
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all agent binary download sources.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-settings-read. + operationId: get-fleet-agent-download-sources + parameters: [] responses: '200': content: application/json: examples: - item: - summary: Endpoint exception list item + getDownloadSourcesExample: + description: List of agent binary download sources value: - comments: [] - created_at: '2025-01-01T12:00:00.000Z' - created_by: elastic - description: Blocks a known malicious file by its hash - entries: - - field: file.hash.sha256 - operator: included - type: match - value: >- - e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e - item_id: block-malicious-file - list_id: endpoint_list - name: Block malicious file - namespace_type: agnostic - os_types: - - windows - tags: - - policy:all - tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 - type: simple - updated_at: '2025-01-01T12:00:00.000Z' - updated_by: elastic + items: + - host: https://artifacts.elastic.co/downloads/ + id: download-source-id-1 + is_default: true + name: Elastic Artifacts + page: 1 + perPage: 20 + total: 1 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem + additionalProperties: false + type: object + properties: + items: + items: + additionalProperties: false + type: object + properties: + auth: + additionalProperties: false + nullable: true + type: object + properties: + api_key: + type: string + headers: + items: + additionalProperties: false + type: object + properties: + key: + type: string + value: + type: string + required: + - key + - value + maxItems: 100 + type: array + password: + type: string + username: + type: string + host: + format: uri + type: string + id: + type: string + is_default: + default: false + type: boolean + name: + type: string + proxy_id: + description: The ID of the proxy to use for this download source. See the proxies API for more information. 
+ nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + auth: + additionalProperties: false + type: object + properties: + api_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + password: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + key: + type: string + required: + - id + - name + - host + maxItems: 10000 + type: array + page: + type: number + perPage: + type: number + total: + type: number + required: + - items + - total + - page + - perPage description: Successful response '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: id or item_id required + message: An error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Invalid input data - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 - schema: - $ref: >- - 
#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [GET - /api/endpoint_list/items?item_id=block-malicious-file] is - unauthorized for user, this action is granted by the - Kibana privileges [lists-read] - statusCode: 403 - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Insufficient privileges - '404': - content: - application/json: - examples: - notFound: - value: - message: >- - exception list item item_id: "block-malicious-file" does - not exist - status_code: 404 - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Endpoint list item not found - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Internal server error - summary: Get an Elastic Endpoint rule exception list item + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get agent binary download sources tags: - - Security Endpoint Exceptions API + - Elastic Agent binary download sources + x-metaTags: + - content: Kibana + name: product_name post: - description: >- - Create an Elastic Endpoint exception list item, and associate it with - the Elastic Endpoint exception list. - operationId: CreateEndpointListItem + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agent_download_sources
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new agent binary download source.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: post-fleet-agent-download-sources + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: examples: - matchAny: - summary: Exclude multiple process names - value: - description: Exclude common security tools from endpoint protection - entries: - - field: process.name - operator: included - type: match_any - value: - - scanner.exe - - updater.exe - name: Trusted security tools - os_types: - - windows - type: simple - simpleMatch: - summary: Block a specific file hash + postDownloadSourceRequestExample: + description: Create a new agent binary download source value: - description: Blocks a known malicious file by its hash - entries: - - field: file.hash.sha256 - operator: included - type: match - value: >- - e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - name: Block malicious file - os_types: - - windows - tags: - - policy:all - type: simple + host: https://my-custom-host.example.com/downloads/ + is_default: false + name: My custom download source schema: + additionalProperties: false type: object properties: - comments: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray - default: [] - description: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription - entries: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray - item_id: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId - meta: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta + auth: + additionalProperties: false + nullable: true + type: object + properties: + api_key: + type: string + headers: + items: + additionalProperties: false + type: object 
+ properties: + key: + type: string + value: + type: string + required: + - key + - value + maxItems: 100 + type: array + password: + type: string + username: + type: string + host: + format: uri + type: string + id: + type: string + is_default: + default: false + type: boolean name: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName - os_types: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray - default: [] - tags: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags - default: [] - type: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType + type: string + proxy_id: + description: The ID of the proxy to use for this download source. See the proxies API for more information. + nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + auth: + additionalProperties: false + type: object + properties: + api_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + password: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + key: + type: string required: - - type - name - - description - - entries - description: Exception list item's properties - required: true + - host + responses: + '200': + content: + application/json: + examples: + postDownloadSourceExample: + description: The created agent binary download source + value: + item: + host: 
https://my-custom-host.example.com/downloads/ + id: download-source-id-2 + is_default: false + name: My custom download source + schema: + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + auth: + additionalProperties: false + nullable: true + type: object + properties: + api_key: + type: string + headers: + items: + additionalProperties: false + type: object + properties: + key: + type: string + value: + type: string + required: + - key + - value + maxItems: 100 + type: array + password: + type: string + username: + type: string + host: + format: uri + type: string + id: + type: string + is_default: + default: false + type: boolean + name: + type: string + proxy_id: + description: The ID of the proxy to use for this download source. See the proxies API for more information. + nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + auth: + additionalProperties: false + type: object + properties: + api_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + password: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + key: + type: string + required: + - id + - name + - host + required: + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message 
describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Create an agent binary download source + tags: + - Elastic Agent binary download sources + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agent_download_sources/{sourceId}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/agent_download_sources/{sourceId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete an agent binary download source by ID.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: delete-fleet-agent-download-sources-sourceid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The ID of the download source + in: path + name: sourceId + required: true + schema: + type: string responses: '200': content: application/json: examples: - created: - summary: Endpoint exception list item created + deleteDownloadSourceExample: + description: The download source was successfully deleted value: - comments: [] - created_at: '2025-01-01T12:00:00.000Z' - created_by: elastic - description: Blocks a known malicious file by its hash - entries: - - field: file.hash.sha256 - operator: included - type: match - value: >- - e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e - item_id: block-malicious-file - list_id: endpoint_list - name: Block malicious file - namespace_type: agnostic - os_types: - - windows - tags: - - policy:all - tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 - type: simple - updated_at: '2025-01-01T12:00:00.000Z' - updated_by: elastic + id: download-source-id-1 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id description: Successful response '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: '[request body]: name: Required' + message: An error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: 
Invalid input data - '401': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': content: application/json: examples: - unauthorized: + notFoundExample: + description: No download source was found with the given ID value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication - '403': + error: Not Found + message: Agent binary source download-source-id-1 not found + statusCode: 404 + description: Not Found + summary: Delete an agent binary download source + tags: + - Elastic Agent binary download sources + x-metaTags: + - content: Kibana + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agent_download_sources/{sourceId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get an agent binary download source by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-settings-read. + operationId: get-fleet-agent-download-sources-sourceid + parameters: + - description: The ID of the download source + in: path + name: sourceId + required: true + schema: + type: string + responses: + '200': content: application/json: examples: - forbidden: + getDownloadSourceExample: + description: An agent binary download source value: - error: Forbidden - message: >- - API [POST /api/endpoint_list/items] is unauthorized for - user, this action is granted by the Kibana privileges - [lists-all] - statusCode: 403 + item: + host: https://artifacts.elastic.co/downloads/ + id: download-source-id-1 + is_default: true + name: Elastic Artifacts schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Insufficient privileges - '409': + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + auth: + additionalProperties: false + nullable: true + type: object + properties: + api_key: + type: string + headers: + items: + additionalProperties: false + type: object + properties: + key: + type: string + value: + type: string + required: + - key + - value + maxItems: 100 + type: array + password: + type: string + username: + type: string + host: + format: uri + type: string + id: + type: string + is_default: + default: false + type: boolean + name: + type: string + proxy_id: + description: The ID of the proxy to use for this download source. See the proxies API for more information. 
+ nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + auth: + additionalProperties: false + type: object + properties: + api_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + password: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + key: + type: string + required: + - id + - name + - host + required: + - item + description: Successful response + '400': content: application/json: examples: - alreadyExists: + genericErrorResponseExample: + description: Example of a generic error response value: - message: >- - exception list item id: "block-malicious-file" already - exists - status_code: 409 + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Endpoint list item already exists - '500': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': content: application/json: examples: - serverError: + notFoundExample: + description: No download source was found with the given ID value: - message: Internal Server Error - status_code: 500 - schema: - $ref: >- - 
#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Internal server error - summary: Create an Elastic Endpoint rule exception list item + error: Not Found + message: Agent binary source download-source-id-1 not found + statusCode: 404 + description: Not Found + summary: Get an agent binary download source tags: - - Security Endpoint Exceptions API + - Elastic Agent binary download sources + x-metaTags: + - content: Kibana + name: product_name put: - description: >- - Update an Elastic Endpoint exception list item, specified by the `id` or - `item_id` field. - operationId: UpdateEndpointListItem + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/fleet/agent_download_sources/{sourceId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an agent binary download source by ID.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: put-fleet-agent-download-sources-sourceid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The ID of the download source + in: path + name: sourceId + required: true + schema: + type: string requestBody: content: application/json: examples: - updateName: - summary: Update an endpoint exception list item + putDownloadSourceRequestExample: + description: Update an agent binary download source value: - description: Updated description for the exception - entries: - - field: file.hash.sha256 - operator: included - type: match - value: >- - e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - item_id: block-malicious-file - name: Block malicious file (updated) - os_types: - - windows - - linux - type: simple + host: https://updated-host.example.com/downloads/ + is_default: false + name: Updated download source schema: + additionalProperties: false type: object properties: - _version: - description: >- - The version id, normally returned by the API when the item - is retrieved. Use it ensure updates are made against the - latest version. 
+ auth: + additionalProperties: false + nullable: true + type: object + properties: + api_key: + type: string + headers: + items: + additionalProperties: false + type: object + properties: + key: + type: string + value: + type: string + required: + - key + - value + maxItems: 100 + type: array + password: + type: string + username: + type: string + host: + format: uri type: string - comments: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray - default: [] - description: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription - entries: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray id: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId - description: Either `id` or `item_id` must be specified - item_id: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId - description: Either `id` or `item_id` must be specified - meta: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta + type: string + is_default: + default: false + type: boolean name: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName - os_types: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray - default: [] - tags: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags - type: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType + type: string + proxy_id: + description: The ID of the proxy to use for this download source. See the proxies API for more information. 
+ nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + auth: + additionalProperties: false + type: object + properties: + api_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + password: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + key: + type: string required: - - type - name - - description - - entries - description: Exception list item's properties - required: true + - host responses: '200': content: application/json: examples: - updated: - summary: Endpoint exception list item updated + putDownloadSourceExample: + description: The updated agent binary download source value: - comments: [] - created_at: '2025-01-01T12:00:00.000Z' - created_by: elastic - description: Updated description for the exception - entries: - - field: file.hash.sha256 - operator: included - type: match - value: >- - e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e - item_id: block-malicious-file - list_id: endpoint_list - name: Block malicious file (updated) - namespace_type: agnostic - os_types: - - windows - - linux - tags: - - policy:all - tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 - type: simple - updated_at: '2025-01-15T09:30:00.000Z' - updated_by: elastic + item: + host: https://updated-host.example.com/downloads/ + id: download-source-id-1 + is_default: false + name: Updated download source schema: - $ref: >- - 
#/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + auth: + additionalProperties: false + nullable: true + type: object + properties: + api_key: + type: string + headers: + items: + additionalProperties: false + type: object + properties: + key: + type: string + value: + type: string + required: + - key + - value + maxItems: 100 + type: array + password: + type: string + username: + type: string + host: + format: uri + type: string + id: + type: string + is_default: + default: false + type: boolean + name: + type: string + proxy_id: + description: The ID of the proxy to use for this download source. See the proxies API for more information. + nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + auth: + additionalProperties: false + type: object + properties: + api_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + password: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + key: + type: string + required: + - id + - name + - host + required: + - item description: Successful response '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: '[request body]: name: Required' + message: An error message describing what went wrong 
statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Invalid input data - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [PUT /api/endpoint_list/items] is unauthorized for - user, this action is granted by the Kibana privileges - [lists-all] - statusCode: 403 - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Insufficient privileges + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request '404': content: application/json: examples: - notFound: - value: - message: 'list item item_id: "block-malicious-file" not found' - status_code: 404 - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Endpoint list item not found - '500': - content: - application/json: - examples: - serverError: + notFoundExample: + description: No download source was found with the given ID value: - message: Internal Server Error - status_code: 500 - schema: - $ref: >- - 
#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Internal server error - summary: Update an Elastic Endpoint rule exception list item + error: Not Found + message: Download source download-source-id-1 not found + statusCode: 404 + description: Not Found + summary: Update an agent binary download source tags: - - Security Endpoint Exceptions API - /api/endpoint_list/items/_find: + - Elastic Agent binary download sources + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agent_policies: get: - description: Get a list of all Elastic Endpoint exception list items. - operationId: FindEndpointListItems - parameters: - - description: > - Filters the returned results according to the value of the specified - field, + description: |- + **Spaces method and path for this operation:** - using the `:` syntax. - in: query - name: filter - required: false - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_FindEndpointListItemsFilter - - description: The page number to return +
get /s/{space_id}/api/fleet/agent_policies
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all agent policies.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-agents-read OR fleet-setup. + operationId: get-fleet-agent-policies + parameters: + - description: Page number in: query name: page required: false schema: - minimum: 0 - type: integer - - description: The number of exception list items to return per page + type: number + - description: Number of results per page in: query - name: per_page + name: perPage required: false schema: - minimum: 0 - type: integer - - description: Determines which field is used to sort the results + type: number + - description: Field to sort results by in: query - name: sort_field + name: sortField required: false schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString - - description: Determines the sort order, which can be `desc` or `asc` + type: string + - description: Sort order, ascending or descending in: query - name: sort_order + name: sortOrder required: false schema: enum: - desc - asc type: string + - description: When true, only show policies with upgradeable agents + in: query + name: showUpgradeable + required: false + schema: + type: boolean + - description: A KQL query string to filter results + in: query + name: kuery + required: false + schema: + type: string + - description: use withAgentCount instead + in: query + name: noAgentCount + required: false + schema: + deprecated: true + type: boolean + - description: get policies with agent count + in: query + name: withAgentCount + required: false + schema: + type: boolean + - description: get full policies with package policies populated + in: query + name: full + required: false + schema: + type: boolean + - description: 'Format for the response: simplified or legacy' + in: query + name: format + required: false + schema: + enum: + - simplified + - legacy + type: string responses: '200': content: application/json: examples: - foundItems: - summary: Found endpoint exception list items + 
getAgentPoliciesExample: + description: List of agent policies value: - data: - - comments: [] - created_at: '2025-01-01T12:00:00.000Z' - created_by: elastic - description: Blocks a known malicious file by its hash - entries: - - field: file.hash.sha256 - operator: included - type: match - value: >- - e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e - item_id: block-malicious-file - list_id: endpoint_list - name: Block malicious file - namespace_type: agnostic - os_types: - - windows - tags: - - policy:all - tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 - type: simple - updated_at: '2025-01-01T12:00:00.000Z' - updated_by: elastic + items: + - description: A sample agent policy + id: agent-policy-id-1 + is_managed: false + is_protected: false + name: My agent policy + namespace: default + revision: 1 + status: active + updated_at: '2024-01-15T10:00:00.000Z' + updated_by: user1 page: 1 - per_page: 20 + perPage: 20 total: 1 schema: + additionalProperties: false type: object properties: - data: - description: The list of endpoint exception list items. + items: items: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem + $ref: '#/components/schemas/Kibana_HTTP_APIs_agent_policy_response' + maxItems: 10000 type: array page: - description: The current page number. - minimum: 0 - type: integer - per_page: - description: The number of items per page. - minimum: 0 - type: integer - pit: - description: The point-in-time ID for pagination. - type: string + type: number + perPage: + type: number total: - description: The total number of endpoint exception list items. 
- minimum: 0 - type: integer + type: number required: - - data - - page - - per_page + - items - total + - page + - perPage description: Successful response '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: '[request query]: page: Expected number, received string' + message: An error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Invalid input data - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [GET /api/endpoint_list/items/_find] is unauthorized - for user, this action is granted by the Kibana privileges - [lists-read] - statusCode: 403 - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Insufficient privileges - '404': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get agent policies + tags: + - Elastic Agent policies + x-metaTags: + - content: Kibana + name: 
product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agent_policies
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new agent policy.

[Required authorization] Route required privileges: fleet-agent-policies-all. + operationId: post-fleet-agent-policies + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Whether to add the system integration to the new agent policy + in: query + name: sys_monitoring + required: false + schema: + type: boolean + requestBody: + content: + application/json: + examples: + postAgentPolicyRequestExample: + description: Create a new agent policy + value: + description: A sample agent policy + monitoring_enabled: + - logs + - metrics + name: My agent policy + namespace: default + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_agent_policy' + responses: + '200': content: application/json: examples: - notFound: + postAgentPolicyExample: + description: The created agent policy value: - message: 'list id: "endpoint_list" does not exist' - status_code: 404 + item: + description: A sample agent policy + id: agent-policy-id-2 + is_managed: false + is_protected: false + name: My agent policy + namespace: default + revision: 1 + status: active + updated_at: '2024-01-15T10:00:00.000Z' + updated_by: user1 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Endpoint list not found - '500': + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_agent_policy_response' + description: Successful response + '400': content: application/json: examples: - serverError: + genericErrorResponseExample: + description: Example of a generic error response value: - message: Internal Server Error - status_code: 500 + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Internal server error - summary: Get Elastic Endpoint exception list items + 
additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Create an agent policy tags: - - Security Endpoint Exceptions API - /api/endpoint/action: - get: - description: Get a list of all response actions. - operationId: EndpointGetActionsList + - Elastic Agent policies + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agent_policies/_bulk_get: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agent_policies/_bulk_get
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get multiple agent policies by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-agents-read OR fleet-setup. + operationId: post-fleet-agent-policies-bulk-get parameters: - - description: The page number to return. - in: query - name: page - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Page' - - description: The number of response actions to return per page. - in: query - name: pageSize - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_PageSize' - - description: A list of response action command names to filter by. - in: query - name: commands - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Commands' - - description: A list of Elastic Agent IDs to filter the response actions by. - in: query - name: agentIds - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentIds' - - description: A list of user IDs that submitted the response actions. - in: query - name: userIds - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_UserIds' - - description: >- - A start date in ISO 8601 format or Date Math format (for example, - `now-24h`). - in: query - name: startDate - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_StartDate' - - description: >- - An end date in ISO 8601 format or Date Math format (for example, - `now`). - in: query - name: endDate - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_EndDate' - - description: >- - The agent type to filter response actions by. Defaults to - `endpoint`. - in: query - name: agentTypes - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' - - description: >- - A list of response action IDs whose outputs should be included in - the response. 
- in: query - name: withOutputs - required: false + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_WithOutputs' - - description: >- - A list of response action types to filter by (`automated`, - `manual`). + example: 'true' + type: string + - description: 'Format for the response: simplified or legacy' in: query - name: types + name: format required: false schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Types' + enum: + - simplified + - legacy + type: string + requestBody: + content: + application/json: + examples: + postBulkGetAgentPoliciesRequestExample: + description: Retrieve multiple agent policies by ID + value: + ids: + - agent-policy-id-1 + - agent-policy-id-2 + schema: + additionalProperties: false + type: object + properties: + full: + description: get full policies with package policies populated + type: boolean + ids: + description: list of package policy ids + items: + type: string + maxItems: 1000 + type: array + ignoreMissing: + type: boolean + required: + - ids responses: '200': content: application/json: examples: - actionsList: - summary: A list of response actions + postBulkGetAgentPoliciesExample: + description: The requested agent policies value: - data: - - agents: - - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 - agentType: endpoint - command: running-processes - completedAt: '2022-08-08T09:50:47.672Z' - createdBy: elastic - id: b3d6de74-36b0-4fa8-be46-c375bf1771bf - isCompleted: true - isExpired: false - startedAt: '2022-08-08T15:24:57.402Z' - wasSuccessful: true - - agents: - - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 - agentType: endpoint - command: isolate - completedAt: '2022-08-08T10:41:57.352Z' - createdBy: elastic - id: 43b4098b-8752-4fbb-a7a7-6df7c74d0ee3 - isCompleted: true - isExpired: false - startedAt: '2022-08-08T15:23:37.359Z' - wasSuccessful: true - elasticAgentIds: - - 
afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 - endDate: now - page: 1 - pageSize: 10 - startDate: now-24h/h - total: 2 + items: + - id: agent-policy-id-1 + is_managed: false + is_protected: false + name: My agent policy + namespace: default + revision: 1 + status: active + updated_at: '2024-01-15T10:00:00.000Z' + updated_by: user1 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_GetEndpointActionListResponse - description: Indicates a successful call. - summary: Get response actions - tags: - - Security Endpoint Management API - /api/endpoint/action_status: - get: - description: Get the status of response actions for the specified agent IDs. - operationId: EndpointGetActionsStatus - parameters: - - description: A list of agent IDs to get the action status for. - in: query - name: agent_ids - required: true - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentIds' - responses: - '200': + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_get_agent_policies_response' + description: Successful response + '400': content: application/json: examples: - actionStatus: - summary: Pending response actions per agent + genericErrorResponseExample: + description: Example of a generic error response value: - data: - - agent_id: afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 - pending_actions: - execute: 0 - get-file: 0 - isolate: 0 - kill-process: 1 - running-processes: 0 - scan: 0 - unisolate: 0 - upload: 0 + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ActionStatusSuccessResponse - description: Indicates a successful call. - summary: Get response actions status - tags: - - Security Endpoint Management API - /api/endpoint/action/{action_id}: - get: - description: Get the details of a response action using the action ID. 
- operationId: EndpointGetActionsDetails - parameters: - - description: The ID of the response action to retrieve. - in: path - name: action_id - required: true - schema: - example: fr518850-681a-4y60-aa98-e22640cae2b8 - type: string - responses: - '200': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': content: application/json: examples: - actionDetails: - summary: Details of an isolate response action + notFoundExample: + description: One or more agent policies were not found value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentType: endpoint - command: isolate - completedAt: '2022-08-08T10:41:57.352Z' - createdBy: elastic - id: 233db9ea-6733-4849-9226-5a7039c7161d - isCompleted: true - isExpired: false - startedAt: '2022-08-08T15:23:37.359Z' - wasSuccessful: true - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ActionDetailsResponse - description: OK - summary: Get action details + error: Not Found + message: An error message describing what went wrong + statusCode: 404 + description: Not Found + summary: Bulk get agent policies tags: - - Security Endpoint Management API - /api/endpoint/action/{action_id}/file/{file_id}: + - Elastic Agent policies + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agent_policies/{agentPolicyId}: get: - description: | - Get information for the specified response action file download. - operationId: EndpointFileInfo - parameters: - - description: The ID of the response action that generated the file. 
- in: path - name: action_id - required: true - schema: - type: string - - description: > - The file identifier is constructed in one of two ways: + description: |- + **Spaces method and path for this operation:** - - For Elastic Defend agents (`agentType` of `endpoint`): combine the - `action_id` and `agent_id` values using a dot (`.`) separator: +
get /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}
- `{file_id}` = `{action_id}.{agent_id}` + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - For all other agent types: the `file_id` is the `agent_id` for - which the response action was sent to. + Get an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-agents-read OR fleet-setup. + operationId: get-fleet-agent-policies-agentpolicyid + parameters: + - description: The ID of the agent policy in: path - name: file_id + name: agentPolicyId required: true schema: type: string + - description: 'Format for the response: simplified or legacy' + in: query + name: format + required: false + schema: + enum: + - simplified + - legacy + type: string responses: '200': content: application/json: examples: - fileInfo: - summary: File information for a response action upload + getAgentPolicyExample: + description: An agent policy value: - data: - actionId: 233db9ea-6733-4849-9226-5a7039c7161d - agentId: ed518850-681a-4d60-bb98-e22640cae2a8 - agentType: endpoint - created: '2025-02-26T13:37:30.452Z' - id: >- - 233db9ea-6733-4849-9226-5a7039c7161d.ed518850-681a-4d60-bb98-e22640cae2a8 - mimeType: application/zip - name: memory_dump.zip - size: 1048576 - status: READY + item: + description: A sample agent policy + id: agent-policy-id-1 + is_managed: false + is_protected: false + name: My agent policy + namespace: default + revision: 1 + status: active + updated_at: '2024-01-15T10:00:00.000Z' + updated_by: user1 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_agent_policy_response' + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: + additionalProperties: false + description: Generic Error + type: object properties: - data: - type: object - properties: - actionId: - description: The response action ID. - type: string - agentId: - description: The agent ID that generated the file. - type: string - agentType: - description: The type of agent that generated the file. 
- type: string - created: - description: The date and time the file was created. - format: date-time - type: string - id: - description: The unique file identifier. - type: string - mimeType: - description: The MIME type of the file. - type: string - name: - description: The file name. - type: string - size: - description: The file size in bytes. - type: number - status: - description: The file upload status. - enum: - - AWAITING_UPLOAD - - UPLOADING - - READY - - UPLOAD_ERROR - - DELETED - type: string - description: Indicates a successful call. - summary: Get file information + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No agent policy was found with the given ID + value: + error: Not Found + message: Agent policy not found + statusCode: 404 + description: Not Found + summary: Get an agent policy tags: - - Security Endpoint Management API - /api/endpoint/action/{action_id}/file/{file_id}/download: - get: - description: > - Download a file associated with a response action. Files are downloaded - in a password-protected `.zip` archive to prevent the file from running. - Use password `elastic` to open the `.zip` in a safe environment. + - Elastic Agent policies + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** - > info +
put /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}
- > Files retrieved from third-party-protected hosts require a different - password. Refer to [Third-party response - actions](https://www.elastic.co/docs/solutions/security/endpoint-response-actions/third-party-response-actions) - for your system's password. - operationId: EndpointFileDownload + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all. + operationId: put-fleet-agent-policies-agentpolicyid parameters: - - description: The ID of the response action that generated the file. - in: path - name: action_id + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: + example: 'true' type: string - - description: > - The file identifier is constructed in one of two ways: - - - For Elastic Defend agents (`agentType` of `endpoint`): combine the - `action_id` and `agent_id` values using a dot (`.`) separator: - - `{file_id}` = `{action_id}.{agent_id}` - - - For all other agent types: the `file_id` is the `agent_id` for - which the response action was sent to. + - description: The ID of the agent policy in: path - name: file_id + name: agentPolicyId required: true schema: type: string - responses: - '200': - content: - application/octet-stream: - examples: - fileDownload: - summary: >- - Password-protected ZIP archive containing the response - action file - value: binary file content (password-protected .zip) - schema: - format: binary - type: string - description: Indicates a successful call. - summary: Download a file - tags: - - Security Endpoint Management API - /api/endpoint/action/cancel: - post: - description: >- - Cancel a running or pending response action (Applies only to some agent - types). 
- operationId: CancelAction + - description: 'Format for the response: simplified or legacy' + in: query + name: format + required: false + schema: + enum: + - simplified + - legacy + type: string requestBody: content: application/json: examples: - MicrosoftDefenderEndpoint: - summary: >- - Cancel a response action on a Microsoft Defender for Endpoint - host + putAgentPolicyRequestExample: + description: Update an agent policy value: - agent_type: microsoft_defender_endpoint - comment: Cancelling action due to change in requirements - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - id: 7f8c9b2a-4d3e-4f5a-8b1c-2e3f4a5b6c7d + description: An updated agent policy description + monitoring_enabled: + - logs + name: Updated agent policy + namespace: default schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_CancelRouteRequestBody - required: true + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_agent_policy' responses: '200': content: application/json: examples: - CancelSuccess: - summary: Cancel action successfully created + putAgentPolicyExample: + description: The updated agent policy value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: microsoft_defender_endpoint - command: cancel - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 233db9ea-6733-4849-9226-5a7039c7161d - isCompleted: false - isExpired: false - outputs: {} - parameters: - id: 7f8c9b2a-4d3e-4f5a-8b1c-2e3f4a5b6c7d - startedAt: '2022-07-29T19:08:49.126Z' - status: pending - wasSuccessful: false + item: + description: An updated agent policy description + id: agent-policy-id-1 + is_managed: false + is_protected: false + name: Updated agent policy + namespace: default + revision: 2 + status: active + updated_at: '2024-01-15T11:00:00.000Z' + updated_by: user1 schema: - $ref: >- - 
#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse - description: Indicates a successful call. - summary: Cancel a response action + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_agent_policy_response' + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Update an agent policy tags: - - Security Endpoint Management API - /api/endpoint/action/execute: - post: - description: Run a shell command on an endpoint. - operationId: EndpointExecuteAction - requestBody: - content: - application/json: - examples: - executeCommand: - summary: Execute a shell command on an endpoint - value: - comment: Get list of all files - endpoint_ids: - - b3d6de74-36b0-4fa8-be46-c375bf1771bf - parameters: - command: ls -al - timeout: 600 - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ExecuteRouteRequestBody - required: true + - Elastic Agent policies + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agent_policies/{agentPolicyId}/auto_upgrade_agents_status: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/auto_upgrade_agents_status
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the auto-upgrade status for agents assigned to an agent policy.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agent-policies-agentpolicyid-auto-upgrade-agents-status + parameters: + - description: The ID of the agent policy + in: path + name: agentPolicyId + required: true + schema: + type: string responses: '200': content: application/json: examples: - ExecuteSuccess: - summary: Execute action successfully created + getAutoUpgradeAgentsStatusExample: + description: Auto-upgrade status for agents in the policy value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: execute - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 9f934028-2300-4927-b531-b26376793dc4 - isCompleted: false - isExpired: false - outputs: {} - parameters: - command: ls -al - timeout: 600 - startedAt: '2023-07-28T18:43:27.362Z' - status: pending - wasSuccessful: false + agentsCount: 5 + currentVersion: 8.16.0 + failedAgentsCount: 0 + upgradedAgentsCount: 3 + upgradingAgentsCount: 1 + schema: + additionalProperties: false + type: object + properties: + currentVersions: + items: + additionalProperties: false + type: object + properties: + agents: + description: Number of agents that upgraded to this version + type: number + failedUpgradeActionIds: + description: List of action IDs related to failed upgrades + items: + type: string + maxItems: 1000 + type: array + failedUpgradeAgents: + description: Number of agents that failed to upgrade to this version + type: number + inProgressUpgradeActionIds: + description: List of action IDs related to in-progress upgrades + items: + type: string + maxItems: 1000 + type: array + inProgressUpgradeAgents: + description: Number of agents that are upgrading to this version + type: number + version: + description: Agent version + type: string + required: + - version + - agents + - 
failedUpgradeAgents + - inProgressUpgradeAgents + maxItems: 10000 + type: array + totalAgents: + type: number + required: + - currentVersions + - totalAgents + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse - description: Indicates a successful call. - summary: Run a command + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get auto upgrade agent status tags: - - Security Endpoint Management API - /api/endpoint/action/get_file: + - Elastic Agent policies + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agent_policies/{agentPolicyId}/copy: post: - description: Get a file from an endpoint. - operationId: EndpointGetFileAction + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/copy
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Copy an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all. + operationId: post-fleet-agent-policies-agentpolicyid-copy + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The ID of the agent policy + in: path + name: agentPolicyId + required: true + schema: + type: string + - description: 'Format for the response: simplified or legacy' + in: query + name: format + required: false + schema: + enum: + - simplified + - legacy + type: string requestBody: content: application/json: examples: - getFile: - summary: Get a specific file from an endpoint + postCopyAgentPolicyRequestExample: + description: Copy an agent policy with a new name value: - comment: Get my file - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - path: /usr/my-file.txt + description: A copy of the original agent policy + name: Copy of my agent policy schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_GetFileRouteRequestBody - required: true + $ref: '#/components/schemas/Kibana_HTTP_APIs_copy_agent_policy_request' responses: '200': content: application/json: examples: - GetFileSuccess: - summary: Get file action successfully created + postCopyAgentPolicyExample: + description: The copied agent policy value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: get-file - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 27ba1b42-7cc6-4e53-86ce-675c876092b2 - isCompleted: false - isExpired: false - outputs: {} - parameters: - path: /usr/my-file.txt - startedAt: '2023-07-28T19:00:03.911Z' - status: pending - wasSuccessful: false + item: + description: A copy of the original agent policy + id: agent-policy-id-copy-1 + 
is_managed: false + is_protected: false + name: Copy of my agent policy + namespace: default + revision: 1 + status: active + updated_at: '2024-01-15T11:00:00.000Z' + updated_by: user1 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse - description: Indicates a successful call. - summary: Get a file - tags: - - Security Endpoint Management API - /api/endpoint/action/isolate: - post: - description: >- - Isolate an endpoint from the network. The endpoint remains isolated - until it's released. - operationId: EndpointIsolateAction - requestBody: - content: - application/json: - examples: - multiple_endpoints: - summary: Isolates several hosts; includes a comment - value: - comment: Locked down, pending further investigation - endpoint_ids: - - 9972d10e-4b9e-41aa-a534-a85e2a28ea42 - - bc0e4f0c-3bca-4633-9fee-156c0b505d16 - - fa89271b-b9d4-43f2-a684-307cffddeb5a - single_endpoint: - summary: >- - Isolates a single host with an endpoint_id value of - ed518850-681a-4d60-bb98-e22640cae2a8 - value: - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - with_case_id: - summary: Isolates a single host with a case_id value of 1234 - value: - case_ids: - - 4976be38-c134-4554-bd5e-0fd89ce63667 - comment: Isolating as initial response - endpoint_ids: - - 1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0 - - b30a11bf-1395-4707-b508-fbb45ef9793e - schema: - type: object - properties: - agent_type: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_AgentTypes - alert_ids: - description: >- - If this action is associated with any alerts, they can be - specified here. The action will be logged in any cases - associated with the specified alerts. Max of 50. - example: - - alert-id-1 - - alert-id-2 - items: - minLength: 1 - type: string - maxItems: 50 - minItems: 1 - type: array - case_ids: - description: >- - The IDs of cases where the action taken will be logged. Max - of 50. 
- example: - - case-id-1 - - case-id-2 - items: - minLength: 1 - type: string - maxItems: 50 - minItems: 1 - type: array - comment: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_Comment - endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds - parameters: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_Parameters - required: - - endpoint_ids - required: true - responses: - '200': + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_agent_policy_response' + description: Successful response + '400': content: application/json: examples: - IsolateSuccess: - summary: Isolate action successfully created + genericErrorResponseExample: + description: Example of a generic error response value: - action: 233db9ea-6733-4849-9226-5a7039c7161d - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: isolate - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 233db9ea-6733-4849-9226-5a7039c7161d - isCompleted: false - isExpired: false - outputs: {} - startedAt: '2022-07-29T19:08:49.126Z' - status: pending - wasSuccessful: false + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_IsolateRouteResponse - description: Indicates a successful call. 
- summary: Isolate an endpoint + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Copy an agent policy tags: - - Security Endpoint Management API - /api/endpoint/action/kill_process: - post: - description: Terminate a running process on an endpoint. - operationId: EndpointKillProcessAction - requestBody: - content: - application/json: - examples: - byEntityId: - summary: Terminate a process by entity ID - value: - comment: Terminating malicious process - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - entity_id: abc123 - byPid: - summary: Terminate a process by PID - value: - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - pid: 1234 - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_KillProcessRouteRequestBody - required: true + - Elastic Agent policies + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agent_policies/{agentPolicyId}/download: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/download
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Download an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-setup. + operationId: get-fleet-agent-policies-agentpolicyid-download + parameters: + - description: The ID of the agent policy + in: path + name: agentPolicyId + required: true + schema: + type: string + - description: If true, returns the policy as a downloadable file + in: query + name: download + required: false + schema: + type: boolean + - description: If true, returns the policy formatted for standalone agents + in: query + name: standalone + required: false + schema: + type: boolean + - description: If true, returns the policy formatted for Kubernetes deployment + in: query + name: kubernetes + required: false + schema: + type: boolean + - description: If provided, returns the policy at the specified revision. Cannot be used with standalone or kubernetes flags. + in: query + name: revision + required: false + schema: + type: number responses: '200': content: application/json: examples: - KillProcessSuccess: - summary: Kill process action successfully created + getDownloadAgentPolicyExample: + description: The agent policy download response value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: kill-process - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 233db9ea-6733-4849-9226-5a7039c7161d - isCompleted: false - isExpired: false - outputs: {} - parameters: - entity_id: abc123 - startedAt: '2022-07-29T19:08:49.126Z' - status: pending - wasSuccessful: false + item: 'id: agent-policy-id-1\nrevision: 1\noutputs:\n default:\n type: elasticsearch\n hosts:\n - https://elasticsearch.example.com:9200\n' schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse - description: Indicates a successful call. 
- summary: Terminate a process - tags: - - Security Endpoint Management API - /api/endpoint/action/memory_dump: - post: - description: Generates memory dumps on the targeted host. - operationId: EndpointGenerateMemoryDump - requestBody: - content: - application/json: - examples: - ProcessMemoryDump: - summary: Generate a memory dump from the host machine - value: - agent_type: endpoint - comment: Generating memory dump for investigation - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - entity_id: abc123 - type: process - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_MemoryDumpRouteRequestBody - required: true - responses: - '200': + type: string + description: Successful response — returns the agent policy as a YAML file download + '400': content: application/json: examples: - MemoryDumpSuccessResponse: - summary: Memory dump action successfully created + genericErrorResponseExample: + description: Example of a generic error response value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: memory-dump - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 233db9ea-6733-4849-9226-5a7039c7161d - isCompleted: false - isExpired: false - outputs: {} - parameters: - entity_id: abc123 - type: process - startedAt: '2022-07-29T19:08:49.126Z' - status: pending - wasSuccessful: false + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse - description: Indicates a successful call. - summary: Generate a memory dump from the host machine - tags: - - Security Endpoint Management API - /api/endpoint/action/running_procs: - post: - description: Get a list of all processes running on an endpoint. 
- operationId: EndpointGetProcessesAction - requestBody: - content: - application/json: - examples: - singleEndpoint: - summary: Get running processes on a single endpoint - value: - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_GetProcessesRouteRequestBody - required: true - responses: - '200': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': content: application/json: examples: - RunningProcsSuccess: - summary: Running processes action successfully created + notFoundExample: + description: No agent policy was found with the given ID value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: running-processes - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 233db9ea-6733-4849-9226-5a7039c7161d - isCompleted: false - isExpired: false - outputs: {} - startedAt: '2022-07-29T19:08:49.126Z' - status: pending - wasSuccessful: false + error: Not Found + message: Agent policy not found + statusCode: 404 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse - description: Indicates a successful call. 
- summary: Get running processes + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Not Found + summary: Download an agent policy tags: - - Security Endpoint Management API - /api/endpoint/action/runscript: - post: - description: Run a script on a host. Currently supported only for some agent types. - operationId: RunScriptAction - requestBody: - content: - application/json: - examples: - Elastic Defend: - description: Endpoint runscript to collect logs - summary: Run a script against an Elastic Defend agent - value: - agent_type: endpoint - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - scriptId: 1111-2222-3333-4444-5555-6666-7777-8888 - scriptInput: '--path= /usr/log/exec.log' - MDE: - description: Microsoft Defender Endpoint runscript - summary: Run a script against a Microsoft Defender Endpoint agent - value: - agent_type: microsoft_defender_endpoint - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - args: '-param1 value1 -param2 value2' - scriptName: my-script.ps1 - SentinelOne: - description: SentinelOne runscript - summary: Run a script against a SentinelOne agent - value: - agent_type: sentinel_one - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - scriptId: 1111-2222-3333-4444-5555-6666-7777-8888 - scriptInput: >- - --delete --paths-to-delete - /tmp/temp_file.txt,/tmp/random_file.txt - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_RunScriptRouteRequestBody - required: true + - Elastic Agent policies + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agent_policies/{agentPolicyId}/full: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/full
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a full agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read. + operationId: get-fleet-agent-policies-agentpolicyid-full + parameters: + - description: The ID of the agent policy + in: path + name: agentPolicyId + required: true + schema: + type: string + - description: If true, returns the policy as a downloadable file + in: query + name: download + required: false + schema: + type: boolean + - description: If true, returns the policy formatted for standalone agents + in: query + name: standalone + required: false + schema: + type: boolean + - description: If true, returns the policy formatted for Kubernetes deployment + in: query + name: kubernetes + required: false + schema: + type: boolean + - description: If provided, returns the policy at the specified revision. Cannot be used with standalone or kubernetes flags. + in: query + name: revision + required: false + schema: + type: number responses: '200': content: application/json: examples: - RunScriptSuccess: - summary: Run script action successfully created + getFullAgentPolicyExample: + description: The full agent policy configuration value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: sentinel_one - command: runscript - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 233db9ea-6733-4849-9226-5a7039c7161d - isCompleted: false - isExpired: false - outputs: {} - parameters: - scriptId: 1111-2222-3333-4444-5555-6666-7777-8888 - startedAt: '2022-07-29T19:08:49.126Z' - status: pending - wasSuccessful: false + item: + agent: + monitoring: + logs: true + metrics: true + id: agent-policy-id-1 + inputs: [] + outputs: + default: + hosts: + - https://elasticsearch.example.com:9200 + type: elasticsearch + revision: 1 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse - 
description: Indicates a successful call. - summary: Run a script - tags: - - Security Endpoint Management API - /api/endpoint/action/scan: - post: - description: Scan a specific file or directory on an endpoint for malware. - operationId: EndpointScanAction - requestBody: - content: - application/json: - examples: - scanFile: - summary: Scan a file on an endpoint - value: - comment: Scan the file for malware - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - path: /usr/my-file.txt - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ScanRouteRequestBody - required: true - responses: - '200': + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_full_agent_policy_response' + description: Successful response + '400': content: application/json: examples: - ScanSuccess: - summary: Scan action successfully created + genericErrorResponseExample: + description: Example of a generic error response value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: scan - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 27ba1b42-7cc6-4e53-86ce-675c876092b2 - isCompleted: false - isExpired: false - outputs: {} - parameters: - path: /usr/my-file.txt - startedAt: '2023-07-28T19:00:03.911Z' - status: pending - wasSuccessful: false + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse - description: Indicates a successful call. 
- summary: Scan a file or directory + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No agent policy was found with the given ID + value: + error: Not Found + message: Agent policy not found + statusCode: 404 + description: Not Found + summary: Get a full agent policy tags: - - Security Endpoint Management API - /api/endpoint/action/state: + - Elastic Agent policies + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agent_policies/{agentPolicyId}/outputs: get: - description: >- - Get a response actions state, which reports whether encryption is - enabled. - operationId: EndpointGetActionsState + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/outputs
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of outputs associated with agent policy by policy id.

[Required authorization] Route required privileges: fleet-agent-policies-read AND fleet-settings-read. + operationId: get-fleet-agent-policies-agentpolicyid-outputs + parameters: + - description: The ID of the agent policy + in: path + name: agentPolicyId + required: true + schema: + type: string responses: '200': content: application/json: examples: - actionsState: - summary: Response actions state with encryption enabled + getAgentPolicyOutputsExample: + description: Outputs associated with the agent policy value: - data: - canEncrypt: true + item: + data_output: + id: output-id-1 + name: Default output + type: elasticsearch + monitoring_output: + id: output-id-1 + name: Default output + type: elasticsearch schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ActionStateSuccessResponse - description: OK - summary: Get actions state + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_agent_policy_outputs_response' + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No agent policy was found with the given ID + value: + error: Not Found + message: Agent policy not found + statusCode: 404 + description: Not Found + summary: Get outputs for an agent policy tags: - - Security Endpoint Management API - /api/endpoint/action/suspend_process: + - Elastic Agent policies + x-metaTags: + - content: Kibana + name: product_name + 
/api/fleet/agent_policies/delete: post: - description: Suspend a running process on an endpoint. - operationId: EndpointSuspendProcessAction + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agent_policies/delete
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all. + operationId: post-fleet-agent-policies-delete + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: examples: - byEntityId: - summary: Suspend a process by entity ID - value: - comment: Suspending suspicious process - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - entity_id: abc123 - byPid: - summary: Suspend a process by PID + postDeleteAgentPolicyRequestExample: + description: Delete an agent policy by ID value: - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - pid: 1234 + agentPolicyId: agent-policy-id-1 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_SuspendProcessRouteRequestBody - required: true + $ref: '#/components/schemas/Kibana_HTTP_APIs_delete_agent_policy_request' responses: '200': content: application/json: examples: - SuspendProcessSuccess: - summary: Suspend process action successfully created + postDeleteAgentPolicyExample: + description: The agent policy was successfully deleted value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: suspend-process - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 233db9ea-6733-4849-9226-5a7039c7161d - isCompleted: false - isExpired: false - outputs: {} - parameters: - entity_id: abc123 - startedAt: '2022-07-29T19:08:49.126Z' - status: pending - wasSuccessful: false + id: agent-policy-id-1 + name: My agent policy schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse - description: Indicates a successful call. 
- summary: Suspend a process + $ref: '#/components/schemas/Kibana_HTTP_APIs_delete_agent_policy_response' + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Delete an agent policy tags: - - Security Endpoint Management API - /api/endpoint/action/unisolate: + - Elastic Agent policies + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agent_policies/outputs: post: - description: Release an isolated endpoint, allowing it to rejoin a network. - operationId: EndpointUnisolateAction + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agent_policies/outputs
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of outputs associated with agent policies.

[Required authorization] Route required privileges: fleet-agent-policies-read AND fleet-settings-read. + operationId: post-fleet-agent-policies-outputs + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: examples: - multipleHosts: - summary: 'Releases several hosts; includes a comment:' - value: - comment: Benign process identified, releasing group - endpoint_ids: - - 9972d10e-4b9e-41aa-a534-a85e2a28ea42 - - bc0e4f0c-3bca-4633-9fee-156c0b505d16 - - fa89271b-b9d4-43f2-a684-307cffddeb5a - singleHost: - summary: >- - Releases a single host with an endpoint_id value of - ed518850-681a-4d60-bb98-e22640cae2a8 - value: - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - withCaseId: - summary: Releases hosts with an associated case; includes a comment. + postListAgentPolicyOutputsRequestExample: + description: Get outputs for multiple agent policies value: - case_ids: - - 4976be38-c134-4554-bd5e-0fd89ce63667 - comment: Remediation complete, restoring network - endpoint_ids: - - 1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0 - - b30a11bf-1395-4707-b508-fbb45ef9793e + ids: + - agent-policy-id-1 + - agent-policy-id-2 schema: - type: object - properties: - agent_type: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_AgentTypes - alert_ids: - description: >- - If this action is associated with any alerts, they can be - specified here. The action will be logged in any cases - associated with the specified alerts. Max of 50. - example: - - alert-id-1 - - alert-id-2 - items: - minLength: 1 - type: string - maxItems: 50 - minItems: 1 - type: array - case_ids: - description: >- - The IDs of cases where the action taken will be logged. Max - of 50. 
- example: - - case-id-1 - - case-id-2 - items: - minLength: 1 - type: string - maxItems: 50 - minItems: 1 - type: array - comment: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_Comment - endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds - parameters: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_Parameters - required: - - endpoint_ids - required: true + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_list_agent_policy_outputs_request' responses: '200': content: application/json: examples: - UnisolateSuccess: - summary: Unisolate action successfully created + postListAgentPolicyOutputsExample: + description: Outputs associated with the requested agent policies value: - action: 233db9ea-6733-4849-9226-5a7039c7161d - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: unisolate - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 233db9ea-6733-4849-9226-5a7039c7161d - isCompleted: false - isExpired: false - outputs: {} - startedAt: '2022-07-29T19:08:49.126Z' - status: pending - wasSuccessful: false + items: + - agent_policy_id: agent-policy-id-1 + data_output: + id: output-id-1 + name: Default output + type: elasticsearch + monitoring_output: + id: output-id-1 + name: Default output + type: elasticsearch schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_UnisolateRouteResponse - description: Indicates a successful call. - summary: Release an isolated endpoint - tags: - - Security Endpoint Management API - /api/endpoint/action/upload: - post: - description: Upload a file to an endpoint. 
- operationId: EndpointUploadAction - requestBody: - content: - multipart/form-data: - examples: - uploadFile: - summary: Upload a script file to a specific endpoint - value: - comment: Pushing remediation script to host - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - file: RWxhc3RpYw== - parameters: - overwrite: false - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_UploadRouteRequestBody - required: true - responses: - '200': + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_list_agent_policy_outputs_response' + description: Successful response + '400': content: application/json: examples: - UploadSuccess: - summary: Upload action successfully created + genericErrorResponseExample: + description: Example of a generic error response value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: upload - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: Host-5i6cuc8kdv - id: 9ff6aebc-2cb6-481e-8869-9b30036c9731 - isCompleted: false - isExpired: false - outputs: {} - parameters: - file_id: 10e4ce3d-4abb-4f93-a0cd-eaf63a489280 - file_name: fix-malware.sh - file_sha256: >- - a0bed94220193ba4895c0aa5b4e7e293381d15765cb164ddf7be5cdd010ae42a - file_size: 69 - startedAt: '2023-07-03T15:07:22.837Z' - status: pending - wasSuccessful: false + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse - description: Indicates a successful call. 
- summary: Upload a file + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get outputs for agent policies tags: - - Security Endpoint Management API - /api/endpoint/metadata: + - Elastic Agent policies + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agent_status: get: - description: Get a list of all endpoint host metadata. - operationId: GetEndpointMetadataList + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agent_status
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a summary of agent statuses for a given agent policy. + operationId: get-fleet-agent-status parameters: - - description: The page number to return. + - description: Filter by agent policy ID in: query - name: page + name: policyId required: false schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Page' - - description: The number of endpoints to return per page. + type: string + - description: Filter by one or more agent policy IDs in: query - name: pageSize + name: policyIds required: false schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_PageSize' - - description: A KQL string to filter the endpoint metadata results. + items: + type: string + maxItems: 1000 + type: array + - description: A KQL query string to filter results in: query name: kuery required: false schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Kuery' - - description: >- - A set of host statuses to filter the results by (for example, - `healthy`, `updating`). - in: query - name: hostStatuses - required: true - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_HostStatuses' - - description: The field used to sort the results. - in: query - name: sortField - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_SortField' - - description: The sort order, either `asc` or `desc`. 
- in: query - name: sortDirection - required: false - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_SortDirection + type: string responses: '200': content: application/json: examples: - metadataList: - summary: A list of endpoint host metadata + getAgentStatusExample: + description: Agent status summary for an agent policy value: - data: - - host_status: healthy - last_checkin: '2023-07-04T15:47:57.432Z' - metadata: - agent: - id: 285297c6-3bff-4b83-9a07-f3e749801123 - type: endpoint - version: 8.10.0 - Endpoint: - policy: - applied: - id: d5371dcd-93b7-4627-af88-4084f7d6aa3e - name: test - status: success - status: enrolled - host: - hostname: WinDev2104Eval - os: - name: Windows - platform: windows - version: 20H2 - page: 0 - pageSize: 10 - sortDirection: desc - sortField: enrolled_at - total: 1 + results: + error: 1 + offline: 2 + online: 5 + other: 0 + updating: 0 + totalInactive: 0 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_MetadataListResponse - description: Indicates a successful call. - summary: Get a metadata list - tags: - - Security Endpoint Management API - /api/endpoint/metadata/{id}: - get: - description: Get host metadata for a specific endpoint. - operationId: GetEndpointMetadata - parameters: - - description: The agent ID of the endpoint. 
- in: path - name: id - required: true - schema: - example: ed518850-681a-4d60-bb98-e22640cae2a8 - type: string - responses: - '200': + additionalProperties: false + type: object + properties: + results: + additionalProperties: false + type: object + properties: + active: + type: number + all: + type: number + error: + type: number + events: + type: number + inactive: + type: number + offline: + type: number + online: + type: number + orphaned: + type: number + other: + type: number + unenrolled: + type: number + uninstalled: + type: number + updating: + type: number + required: + - events + - online + - error + - offline + - other + - updating + - inactive + - unenrolled + - all + - active + required: + - results + description: Successful response + '400': content: application/json: examples: - endpointMetadata: - summary: Host metadata for a specific endpoint + genericErrorResponseExample: + description: Example of a generic error response value: - host_status: healthy - last_checkin: '2023-07-04T15:48:57.360Z' - metadata: - agent: - id: abb8a826-6812-448c-a571-6d8269b51449 - type: endpoint - version: 8.10.0 - Endpoint: - policy: - applied: - id: d5371dcd-93b7-4627-af88-4084f7d6aa3e - name: test - status: success - status: enrolled - host: - hostname: WinDev2104Eval - os: - name: Windows - platform: windows - version: 20H2 + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointMetadataResponse - description: Indicates a successful call. 
- summary: Get metadata + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get an agent status summary tags: - - Security Endpoint Management API - /api/endpoint/policy_response: + - Elastic Agent status + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agent_status/data: get: - description: Get the most recent policy response for an endpoint. - operationId: GetPolicyResponse + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agent_status/data
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the data streams that an agent is actively sending data to.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agent-status-data parameters: - - description: The agent ID to retrieve the policy response for. + - description: Agent IDs to check data for, as an array or comma-separated string in: query - name: agentId + name: agentsIds required: true schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentId' + items: + type: string + maxItems: 10000 + type: array + - description: Filter by integration package name + in: query + name: pkgName + required: false + schema: + type: string + - description: Filter by integration package version + in: query + name: pkgVersion + required: false + schema: + type: string + - description: When true, return a preview of the ingested data + in: query + name: previewData + required: false + schema: + default: false + type: boolean responses: '200': content: application/json: examples: - policyResponse: - summary: The most recent policy response for an endpoint + getAgentDataExample: + description: Data streams the agent is actively sending data to value: - policy_response: - '@timestamp': '2023-07-04T15:48:57.360Z' - agent: - id: ed518850-681a-4d60-bb98-e22640cae2a8 - version: 7.16.0 - Endpoint: - policy: - applied: - endpoint_policy_version: '2' - id: d5371dcd-93b7-4627-af88-4084f7d6aa3e - name: My endpoint policy - status: success - version: '3' + items: + - data: + logs-nginx.access-default: + - id: agent-id-1 + name: my-host + total: 1 + totalMonitoring: 0 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_SuccessResponse - description: Indicates a successful call. - summary: Get a policy response - tags: - - Security Endpoint Management API - /api/endpoint/protection_updates_note/{package_policy_id}: - get: - description: Get the protection updates note for a package policy. 
- operationId: GetProtectionUpdatesNote - parameters: - - description: The package policy ID to retrieve the protection updates note for. - in: path - name: package_policy_id - required: true - schema: - type: string - responses: - '200': + additionalProperties: false + type: object + properties: + dataPreview: + items: + nullable: true + maxItems: 10000 + type: array + items: + items: + additionalProperties: + additionalProperties: false + type: object + properties: + data: + type: boolean + required: + - data + type: object + maxItems: 10000 + type: array + required: + - items + - dataPreview + description: Successful response + '400': content: application/json: examples: - protectionUpdatesNote: - summary: The protection updates note for a package policy + genericErrorResponseExample: + description: Example of a generic error response value: - note: >- - Pinned protection updates to 2025-01-01 while validating - new signatures. + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse - description: Indicates a successful call. - summary: Get a protection updates note + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get incoming agent data tags: - - Security Endpoint Management API + - Elastic Agents + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agentless_policies: post: - description: Create or update the protection updates note for a package policy. - operationId: CreateUpdateProtectionUpdatesNote + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agentless_policies
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create an agentless policy + operationId: post-fleet-agentless-policies parameters: - - description: >- - The package policy ID to create or update the protection updates - note for. - in: path - name: package_policy_id + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: + example: 'true' + type: string + - description: The format of the response package policy. + in: query + name: format + required: false + schema: + default: simplified + enum: + - legacy + - simplified type: string requestBody: content: application/json: examples: - setNote: - summary: Set a new protection updates note + createAgentlessPoliciesRequestExample: + description: Example request to create agentless policies value: - note: >- - Pinned protection updates to 2025-01-01 while validating new - signatures. - schema: - type: object - properties: - note: - description: The note content. - type: string - required: true - responses: - '200': - content: - application/json: - examples: - noteSaved: - summary: Protection updates note saved - value: - note: >- - Pinned protection updates to 2025-01-01 while validating - new signatures. - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse - description: Indicates a successful call. - summary: Create or update a protection updates note - tags: - - Security Endpoint Management API - /api/endpoint/scripts_library: - get: - description: Retrieve a list of scripts - operationId: EndpointScriptLibraryListScripts - parameters: - - description: Page number of the results to return. Defaults to 1. - in: query - name: page - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Page' - - description: >- - Number of results to return per page. Defaults to 10. Max value is - 1000. 
- in: query - name: pageSize - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_ApiPageSize' - - description: The field to sort the results by. Defaults to name. - in: query - name: sortField - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_ApiSortField' - - description: The direction to sort the results by. Defaults to asc (ascending). - in: query - name: sortDirection - required: false - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_SortDirection - - description: > - A KQL query string to filter the list of scripts. Nearly all fields - in the script object are searchable. - in: query - name: kuery - required: false - schema: - allOf: - - $ref: '#/components/schemas/Security_Endpoint_Management_API_Kuery' - - example: platform:windows + description: test + inputs: + ESS Billing-cel: + enabled: true + streams: + ess_billing.billing: + enabled: true + vars: + hide_sensitive: true + http_client_timeout: 30s + lookbehind: 365 + tags: + - forwarded + - billing + ess_billing.credits: + enabled: false + vars: + api_key: + organization_id: '1234' + name: ess_billing-1 + namespace: default + package: + name: ess_billing + version: 1.6.0 + createAgentlessPoliciesReuseAWSCloudConnectorExample: + description: Example request to create agentless policy reusing an existing AWS cloud connector + value: + cloud_connector: + cloud_connector_id: existing-aws-connector-id + target_csp: aws + description: CSPM integration for AWS reusing existing cloud connector + inputs: + cspm-cloudbeat/cis_aws: + enabled: true + streams: + cloud_security_posture.findings: + enabled: true + vars: + aws.account_type: organization-account + aws.credentials.type: cloud_connector + aws.supports_cloud_connectors: true + external_id: + id: ABCDEFGHIJKLMNOPQRST + isSecretRef: true + role_arn: arn:aws:iam::123456789012:role/TestRole + vars: + cloud_formation_template: 
https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https://elastic-cspm-cft.s3.eu-central-1.amazonaws.com/cloudformation-cspm-ACCOUNT_TYPE-9.2.0.yml + cspm-cloudbeat/cis_azure: + enabled: false + cspm-cloudbeat/cis_gcp: + enabled: false + name: cspm-aws-reuse-policy + namespace: default + package: + name: cloud_security_posture + version: 3.1.1 + vars: + deployment: aws + posture: cspm + createAgentlessPoliciesWithAWSCloudConnectorExample: + description: Example request to create agentless policy with AWS cloud connector + value: + cloud_connector: + target_csp: aws + description: CSPM integration for AWS with cloud connector + inputs: + cspm-cloudbeat/cis_aws: + enabled: true + streams: + cloud_security_posture.findings: + enabled: true + vars: + aws.account_type: organization-account + aws.credentials.type: cloud_connector + aws.supports_cloud_connectors: true + external_id: + id: ABCDEFGHIJKLMNOPQRST + isSecretRef: true + role_arn: arn:aws:iam::123456789012:role/TestRole + vars: + cloud_formation_template: https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https://elastic-cspm-cft.s3.eu-central-1.amazonaws.com/cloudformation-cspm-ACCOUNT_TYPE-9.2.0.yml + cspm-cloudbeat/cis_azure: + enabled: false + cspm-cloudbeat/cis_gcp: + enabled: false + name: cspm-aws-policy + namespace: default + package: + name: cloud_security_posture + version: 3.1.1 + vars: + deployment: aws + posture: cspm + createAgentlessPoliciesWithAzureCloudConnectorExample: + description: Example request to create agentless policy with Azure cloud connector + value: + cloud_connector: + target_csp: azure + description: CSPM integration for Azure with cloud connector + inputs: + cspm-cloudbeat/cis_aws: + enabled: false + cspm-cloudbeat/cis_azure: + enabled: true + streams: + cloud_security_posture.findings: + enabled: true + vars: + azure_credentials_cloud_connector_id: + type: text + value: existing-azure-credentials-connector-id + 
azure.account_type: organization-account + client_id: + id: client-secret-id + isSecretRef: true + tenant_id: + id: tenant-secret-id + isSecretRef: true + cspm-cloudbeat/cis_gcp: + enabled: false + name: cspm-azure-policy + namespace: default + package: + name: cloud_security_posture + version: 3.1.1 + vars: + deployment: azure + posture: cspm + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_simplified_create_package_policy_request' responses: '200': content: application/json: examples: - response: - summary: List of scripts response example + createAgentlessPoliciesResponseExample: + description: Example response showing the successful result of communication initialisation over MCP protocol + value: + item: + created_at: '2025-11-06T18:27:43.541Z' + created_by: test_user + description: test + enabled: true + id: d52a7812-5736-4fdc-aed8-72152afa1ffa + inputs: + ESS Billing-cel: + enabled: true + streams: + ess_billing.billing: + enabled: true + vars: + hide_sensitive: true + http_client_timeout: 30s + lookbehind: 365 + tags: + - forwarded + - billing + ess_billing.credits: + enabled: false + vars: + api_key: + id: QY1sWpoBbWcMW-edr0Ee + isSecretRef: true + organization_id: '1234' + url: https://billing.elastic-cloud.com + name: ess_billing-1 + namespace: default + package: + name: ess_billing + title: Elasticsearch Service Billing + version: 1.6.0 + revision: 1 + secret_references: + - id: QY1sWpoBbWcMW-edr0Ee + supports_agentless: true + updated_at: '2025-11-06T18:27:43.541Z' + updated_by: test_user + version: WzE0OTgsMV0= + createAgentlessPoliciesWithAWSCloudConnectorResponseExample: + description: Example response for AWS cloud connector integration + value: + item: + cloud_connector_id: aws-connector-67890 + created_at: '2025-11-06T18:27:43.541Z' + created_by: test_user + description: CSPM integration for AWS with cloud connector + enabled: true + id: aws-policy-12345 + inputs: + cspm-cloudbeat/cis_aws: + enabled: true + streams: + 
cloud_security_posture.findings: + enabled: true + vars: + aws.account_type: organization-account + aws.credentials.type: cloud_connector + external_id: + id: secret-external-id-123 + isSecretRef: true + role_arn: arn:aws:iam::123456789012:role/TestRole + vars: + cloud_formation_template: https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https://elastic-cspm-cft.s3.eu-central-1.amazonaws.com/cloudformation-cspm-ACCOUNT_TYPE-9.2.0.yml + cspm-cloudbeat/cis_azure: + enabled: false + cspm-cloudbeat/cis_gcp: + enabled: false + name: cspm-aws-policy + namespace: default + package: + name: cloud_security_posture + title: Cloud Security Posture Management + version: 3.1.1 + revision: 1 + secret_references: + - id: secret-external-id-123 + supports_agentless: true + supports_cloud_connector: true + updated_at: '2025-11-06T18:27:43.541Z' + updated_by: test_user + vars: + deployment: aws + posture: cspm + version: WzE0OTgsMV0= + createAgentlessPoliciesWithAzureCloudConnectorResponseExample: + description: Example response for Azure cloud connector integration + value: + item: + cloud_connector_id: azure-connector-67890 + created_at: '2025-11-06T18:27:43.541Z' + created_by: test_user + description: CSPM integration for Azure with cloud connector + enabled: true + id: azure-policy-12345 + inputs: + cspm-cloudbeat/cis_aws: + enabled: false + cspm-cloudbeat/cis_azure: + enabled: true + streams: + cloud_security_posture.findings: + enabled: true + vars: + azure_credentials_cloud_connector_id: + type: text + value: existing-azure-credentials-connector-id + azure.account_type: organization-account + client_id: + id: client-secret-id-456 + isSecretRef: true + tenant_id: + id: tenant-secret-id-123 + isSecretRef: true + cspm-cloudbeat/cis_gcp: + enabled: false + name: cspm-azure-policy + namespace: default + package: + name: cloud_security_posture + title: Cloud Security Posture Management + version: 3.1.1 + revision: 1 + secret_references: + - id: 
tenant-secret-id-123 + - id: client-secret-id-456 + supports_agentless: true + supports_cloud_connector: true + updated_at: '2025-11-06T18:27:43.541Z' + updated_by: test_user + vars: + deployment: azure + posture: cspm + version: WzE0OTgsMV0= + schema: + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + description: The created agentless package policy. + type: object + properties: + additional_datastreams_permissions: + description: Additional data stream permissions that will be added to the agent policy. + items: + type: string + maxItems: 1000 + nullable: true + type: array + agents: + type: number + cloud_connector_id: + description: ID of the cloud connector associated with this package policy. + nullable: true + type: string + cloud_connector_name: + description: Transient field for cloud connector name during creation. + maxLength: 255 + minLength: 1 + nullable: true + type: string + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this integration to its inputs.' + type: string + created_at: + type: string + created_by: + type: string + description: + description: Package policy description + type: string + elasticsearch: + additionalProperties: true + type: object + properties: + privileges: + additionalProperties: true + type: object + properties: + cluster: + items: + type: string + maxItems: 100 + type: array + enabled: + type: boolean + global_data_tags: + items: + additionalProperties: false + type: object + properties: + name: + description: The name of the custom field. Cannot contain spaces. + type: string + value: + anyOf: + - type: string + - type: number + description: The value of the custom field. + required: + - name + - value + maxItems: 100 + nullable: true + type: array + id: + description: Package policy unique identifier. 
+ type: string + inputs: + anyOf: + - items: + additionalProperties: false + type: object + properties: + compiled_input: + nullable: true + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' + type: string + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + name: + type: string + policy_template: + type: string + streams: + items: + additionalProperties: false + type: object + properties: + compiled_stream: + nullable: true + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' 
+ type: string + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + data_stream: + additionalProperties: false + type: object + properties: + dataset: + type: string + elasticsearch: + additionalProperties: false + type: object + properties: + dynamic_dataset: + type: boolean + dynamic_namespace: + type: boolean + privileges: + additionalProperties: false + type: object + properties: + indices: + items: + type: string + maxItems: 100 + type: array + type: + type: string + required: + - dataset + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + release: + enum: + - ga + - beta + - experimental + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - enabled + - data_stream + - compiled_stream + maxItems: 1000 + type: array + type: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. 
+ type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - type + - enabled + - streams + - compiled_input + maxItems: 100 + type: array + - additionalProperties: + additionalProperties: false + type: object + properties: + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' + type: string + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + description: Enable or disable that input. Defaults to `true` (enabled). + type: boolean + streams: + additionalProperties: + additionalProperties: false + type: object + properties: + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' + type: string + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + description: Enable or disable that stream. Defaults to `true` (enabled). + type: boolean + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Input streams. Refer to the integration documentation to know which streams are available. 
+ type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Package policy inputs. Refer to the integration documentation to know which inputs are available. + type: object + description: Package policy inputs. + is_managed: + type: boolean + name: + description: Unique name for the package policy. + type: string + namespace: + description: The package policy namespace. Leave blank to inherit the agent policy's namespace. + type: string + output_id: + nullable: true + type: string + overrides: + additionalProperties: false + description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. + nullable: true + type: object + properties: + inputs: + additionalProperties: + nullable: true + type: object + package: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_package' + package_agent_version_condition: + type: string + policy_id: + deprecated: true + description: ID of the agent policy which the package policy will be added to. + nullable: true + type: string + policy_ids: + items: + description: IDs of the agent policies that the package policy will be added to. + type: string + maxItems: 1000 + type: array + revision: + description: Package policy revision. 
+ type: number + secret_references: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 1000 + type: array + spaceIds: + items: + type: string + maxItems: 100 + type: array + supports_agentless: + default: false + description: Indicates whether the package policy belongs to an agentless agent policy. + nullable: true + type: boolean + supports_cloud_connector: + default: false + description: Indicates whether the package policy supports cloud connectors. + nullable: true + type: boolean + updated_at: + type: string + updated_by: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + anyOf: + - additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + - additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Package level variable. + version: + description: Package policy ES version. 
+ type: string + required: + - name + - enabled + - inputs + - id + - revision + - updated_at + - updated_by + - created_at + - created_by + required: + - item + description: Indicates a successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response value: - data: [] - page: 1 - pageSize: 10 - sortDirection: asc - sortField: name - total: 100 + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: + additionalProperties: false + description: Generic Error type: object properties: - data: - items: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointScript - type: array - page: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Page' - pageSize: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ApiPageSize - sortDirection: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_SortDirection - sortField: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ApiSortField - total: - description: The total number of scripts matching the query - type: integer - description: List of scripts response - summary: Get a list of scripts - tags: - - Security Endpoint Management API - post: - description: Create a new script entry by uploading a script file - operationId: EndpointScriptLibraryCreateScript - requestBody: - content: - multipart/form-data: - examples: - CreateArchiveScriptEntry: - summary: Create an archive script entry - value: - description: Collects host data for investigation - example: ./collect_host_data.sh --help - file: ./collect_host_data.zip - fileType: archive - instructions: Collects host data for investigation - name: Collect host data - pathToExecutable: ./bin/collect_host_data.sh - platform: - - linux - - macos - requiresInput: false - CreateScriptEntry: - summary: Create a script entry - value: - description: Collects host data for 
investigation - example: ./collect_host_data.sh --help - file: ./collect_host_data.sh - fileType: script - instructions: Collects host data for investigation - name: Collect host data - platform: - - linux - - macos - requiresInput: false - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_CreateScriptRouteRequestBody - required: true - responses: - '200': + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '409': content: application/json: examples: - CreateScriptEntrySuccess: - summary: Create a script entry + conflictErrorResponseExample: + description: Example of a conflict error response value: - data: - description: Collects host data for investigation - file: ./collect_host_data.sh - fileType: script - id: 1234567890 - instructions: No arguments required - name: Collect host data - platform: - - linux - - macos - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ScriptsApiResponse - description: Action request was successfully created - summary: Create script - tags: - - Security Endpoint Management API - /api/endpoint/scripts_library/{script_id}: - delete: - description: Delete a script - operationId: EndpointScriptLibraryDeleteScript - parameters: - - description: The ID of the script entry to be deleted. - example: fr518850-681a-4y60-aa98-e22640cae2b8 - in: path - name: script_id - required: true - schema: - description: The ID of the script entry to be deleted. - example: fr518850-681a-4y60-aa98-e22640cae2b8 - type: string - responses: - '200': - content: - application/json: - examples: - response: - summary: Delete script response example. 
- value: {} + error: Conflict + message: An error message describing what went wrong + statusCode: 409 schema: + additionalProperties: false + description: Generic Error type: object - description: Delete script response. - summary: Delete a script - tags: - - Security Endpoint Management API - get: - description: Get a script - operationId: EndpointScriptLibraryGetOneScript - parameters: - - description: The ID of the script entry. - example: fr518850-681a-4y60-aa98-e22640cae2b8 - in: path - name: script_id - required: true - schema: - description: The ID of the script entry. - example: fr518850-681a-4y60-aa98-e22640cae2b8 - type: string - responses: - '200': - content: - application/json: - examples: - UpdateScriptEntrySuccess: - summary: Get one script entry success - value: - data: - description: Collects host data for investigation - file: ./collect_host_data.sh - fileType: script - id: 1234567890 - instructions: No arguments required - name: Collect host data - platform: - - linux - - macos - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ScriptsApiResponse - description: Get script response - summary: Get script + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Conflict + summary: Create an agentless policy tags: - - Security Endpoint Management API - patch: - description: Update (full or partial) a script entry - operationId: EndpointScriptLibraryPatchUpdateScript + - Fleet agentless policies + x-state: Experimental; added in 9.3.0 + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agentless_policies/{policyId}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/agentless_policies/{policyId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete an agentless policy + operationId: delete-fleet-agentless-policies-policyid parameters: - - description: The ID of the script entry to be updated. - example: fr518850-681a-4y60-aa98-e22640cae2b8 - in: path - name: script_id + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: - description: The ID of the script entry to be updated. - example: fr518850-681a-4y60-aa98-e22640cae2b8 + example: 'true' type: string - requestBody: - content: - multipart/form-data: - examples: - PatchUpdateScriptEntry: - summary: Update script entry instructions - value: - instructions: ./collect_host_data.sh --help - PatchUpdateScriptEntryFromArchiveToScript: - summary: Update script entry from an archive to a script - value: - fileType: script - PatchUpdateScriptEntryToArchive: - summary: Update script entry to be an archive - value: - fileType: archive - pathToExecutable: ./bin/collect_host_data.sh - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PatchUpdateScriptRouteRequestBody - required: true - responses: - '200': - content: - application/json: - examples: - UpdateScriptEntrySuccess: - summary: Update script entry success - value: - data: - description: Collects host data for investigation - file: ./collect_host_data.sh - fileType: script - id: 1234567890 - instructions: No arguments required - name: Collect host data - platform: - - linux - - macos - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ScriptsApiResponse - description: Action request was successfully updated - summary: Update script - tags: - - Security Endpoint Management API - /api/endpoint/scripts_library/{script_id}/download: - get: - description: Download a script file - operationId: EndpointScriptLibraryDownloadScript - parameters: - - description: The ID of the script entry. 
- example: fr518850-681a-4y60-aa98-e22640cae2b8 + - description: The ID of the policy to delete. in: path - name: script_id + name: policyId required: true schema: - description: The ID of the script entry. - example: fr518850-681a-4y60-aa98-e22640cae2b8 type: string - responses: - '200': - content: - application/octet-stream: - examples: - response: - summary: Download script file response example. - value: null - schema: - description: A download stream is returned. - format: binary - type: string - description: Download script file response. - summary: Download a script file - tags: - - Security Endpoint Management API - /api/entity_analytics/monitoring/engine/delete: - delete: - description: >- - Deletes the Privilege Monitoring Engine and optionally removes all - associated privileged user data. - operationId: DeleteMonitoringEngine - parameters: - - description: Whether to delete all the privileged user data + - description: Force delete the policy even if the policy is managed. in: query - name: data + name: force required: false schema: - default: false type: boolean responses: '200': content: application/json: examples: - DeleteMonitoringEngineResponse: - summary: Engine deleted successfully - value: - deleted: true - schema: - type: object - properties: - deleted: - type: boolean - required: - - deleted - description: Successful response - summary: Delete the Privilege Monitoring Engine - tags: - - Security Entity Analytics API - /api/entity_analytics/monitoring/engine/disable: - post: - description: >- - Disables the Privilege Monitoring Engine, stopping all monitoring - activity without removing data. 
- operationId: DisableMonitoringEngine - responses: - '200': - content: - application/json: - examples: - DisableMonitoringEngineResponse: - summary: Engine disabled successfully - value: - status: disabled - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_MonitoringEngineDescriptor - description: Successful response - summary: Disable the Privilege Monitoring Engine - tags: - - Security Entity Analytics API - /api/entity_analytics/monitoring/engine/init: - post: - description: >- - Initializes the Privilege Monitoring Engine, setting up the required - resources and starting the engine. - operationId: InitMonitoringEngine - responses: - '200': - content: - application/json: - examples: - InitMonitoringEngineResponse: - summary: Engine initialized successfully - value: - status: started - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_MonitoringEngineDescriptor - description: Successful response - '500': - content: - application/json: - examples: - InitMonitoringEngineError: - summary: Internal server error during engine initialization - value: - error: - message: Failed to initialize monitoring engine - status: error - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_MonitoringEngineDescriptor - description: Internal Server Error - summary: Initialize the Privilege Monitoring Engine - tags: - - Security Entity Analytics API - /api/entity_analytics/monitoring/engine/schedule_now: - post: - description: >- - Schedules the Privilege Monitoring Engine to run as soon as possible, - triggering an immediate monitoring cycle. 
- operationId: ScheduleMonitoringEngine - responses: - '200': - content: - application/json: - examples: - ScheduleMonitoringEngineResponse: - summary: Engine scheduled successfully - value: - success: true - schema: - type: object - properties: - success: - description: Indicates the scheduling was successful - type: boolean - description: Successful response - '409': - content: - application/json: - examples: - ScheduleMonitoringEngineConflict: - summary: Engine is already running + createAgentlessPoliciesResponseExample: + description: Example response showing the successful result of communication initialisation over MCP protocol value: - message: Monitoring engine is already running + item: + id: d52a7812-5736-4fdc-aed8-72152afa1ffa schema: + additionalProperties: false + description: Response for deleting an agentless package policy. type: object properties: - message: - description: Error message indicating the engine is already running + id: + description: The ID of the deleted agentless package policy. type: string - description: Conflict - Monitoring engine is already running - summary: Schedule the Privilege Monitoring Engine - tags: - - Security Entity Analytics API - /api/entity_analytics/monitoring/privileges/health: - get: - description: >- - Returns the current health status of the Privilege Monitoring Engine, - including engine status, error details, and user count statistics. 
- operationId: PrivMonHealth - responses: - '200': - content: - application/json: - examples: - PrivMonHealthResponse: - summary: Healthy privilege monitoring engine - value: - status: started - users: - current_count: 42 - max_allowed: 1000 - schema: - type: object - properties: - error: - type: object - properties: - message: - type: string - required: - - status - status: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_PrivilegeMonitoringEngineStatus - users: - description: User statistics for privilege monitoring - type: object - properties: - current_count: - description: Current number of privileged users being monitored - type: integer - max_allowed: - description: >- - Maximum number of privileged users allowed to be - monitored - type: integer - required: - - current_count - - max_allowed required: - - status - description: Successful response - summary: Health check on Privilege Monitoring - tags: - - Security Entity Analytics API - /api/entity_analytics/monitoring/privileges/privileges: - get: - description: >- - Check if the current user has all required permissions for Privilege - Monitoring - operationId: PrivMonPrivileges - responses: - '200': + - id + description: Indicates a successful response + '400': content: application/json: examples: - PrivMonPrivilegesResponse: - summary: Privileges check response + genericErrorResponseExample: + description: Example of a generic error response value: - has_all_required: true - privileges: - elasticsearch: - index: - .entity_analytics.monitoring.user-default: - read: true + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EntityAnalyticsPrivileges - description: Successful response - summary: Run a privileges check on Privilege Monitoring - tags: - - Security Entity Analytics API - /api/entity_analytics/monitoring/users: - post: - description: >- - Creates a new privileged user 
to be monitored by the Privilege - Monitoring Engine. - operationId: CreatePrivMonUser - requestBody: - content: - application/json: - examples: - CreatePrivMonUserRequest: - summary: Create a monitored user - value: - entity_analytics_monitoring: - labels: - - field: department - source: api - value: IT - user: - name: john.doe - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_UserName' - required: true - responses: - '200': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '409': content: application/json: examples: - CreatePrivMonUserResponse: - summary: Created monitored user + conflictErrorResponseExample: + description: Example of a conflict error response value: - '@timestamp': '2026-01-28T12:00:00.000Z' - entity_analytics_monitoring: - labels: - - field: department - source: api - value: IT - event: - ingested: '2026-01-28T12:00:00.000Z' - id: user-abc-123 - user: - is_privileged: true - name: john.doe + error: Conflict + message: An error message describing what went wrong + statusCode: 409 schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_MonitoredUserDoc - description: User created successfully - summary: Create a new monitored user + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Conflict + summary: Delete an agentless policy tags: - - Security Entity Analytics API - /api/entity_analytics/monitoring/users/_csv: - post: - description: >- - Bulk upserts privileged users by uploading a CSV file. 
Returns per-row - errors and aggregate upload statistics. - operationId: PrivmonBulkUploadUsersCSV - requestBody: - content: - multipart/form-data: - examples: - PrivmonBulkUploadUsersCSVRequest: - summary: CSV file with privileged users - value: - file: | - username,is_privileged - john.doe,true - jane.smith,true - schema: - type: object - properties: - file: - description: The CSV file to upload. - format: binary - type: string - required: - - file + - Fleet agentless policies + x-state: Experimental; added in 9.3.0 + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agents
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List agents, with optional filtering and pagination.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agents + parameters: + - description: Page number + in: query + name: page + required: false + schema: + type: number + - description: Number of results per page + in: query + name: perPage + required: false + schema: + default: 20 + type: number + - description: A KQL query string to filter results + in: query + name: kuery + required: false + schema: + type: string + - description: When true, include agentless agents in the results + in: query + name: showAgentless + required: false + schema: + default: true + type: boolean + - description: When true, include inactive agents in the results + in: query + name: showInactive + required: false + schema: + default: false + type: boolean + - description: When true, include CPU and memory metrics in the response + in: query + name: withMetrics + required: false + schema: + default: false + type: boolean + - description: When true, only return agents that are upgradeable + in: query + name: showUpgradeable + required: false + schema: + default: false + type: boolean + - description: When true, return a summary of agent statuses in the response + in: query + name: getStatusSummary + required: false + schema: + default: false + type: boolean + - description: Field to sort results by + in: query + name: sortField + required: false + schema: + type: string + - description: Sort order, ascending or descending + in: query + name: sortOrder + required: false + schema: + enum: + - asc + - desc + type: string + - description: JSON-encoded array of sort values for `search_after` pagination + in: query + name: searchAfter + required: false + schema: + type: string + - description: When true, opens a new point-in-time for pagination + in: query + name: openPit + required: false + schema: + type: boolean + - description: Point-in-time ID for pagination + in: query + name: pitId + required: false + schema: + type: string + - description: 
Duration to keep the point-in-time alive, for example, `1m` + in: query + name: pitKeepAlive + required: false + schema: + type: string responses: '200': content: application/json: examples: - PrivmonBulkUploadUsersCSVResponse: - summary: Bulk upload response with mixed results + getAgentsExample: + description: List of agents value: - errors: - - index: 1 - message: Invalid monitored field - username: john.doe - stats: - failedOperations: 1 - successfulOperations: 1 - totalOperations: 2 - uploaded: 2 + items: + - active: true + enrolled_at: '2024-01-01T00:00:00.000Z' + id: agent-id-1 + policy_id: agent-policy-id-1 + policy_revision: 1 + status: online + type: PERMANENT + updated_at: '2024-01-01T00:00:00.000Z' + page: 1 + perPage: 20 + total: 1 schema: + additionalProperties: false type: object properties: - errors: + items: items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_PrivmonUserCsvUploadErrorItem + additionalProperties: false + type: object + properties: + access_api_key: + type: string + access_api_key_id: + type: string + active: + type: boolean + agent: + additionalProperties: true + type: object + properties: + id: + type: string + type: + type: string + version: + type: string + required: + - id + - version + audit_unenrolled_reason: + type: string + capabilities: + items: + type: string + maxItems: 100 + type: array + components: + items: + additionalProperties: false + type: object + properties: + id: + type: string + message: + type: string + status: + enum: + - STARTING + - CONFIGURING + - HEALTHY + - DEGRADED + - FAILED + - STOPPING + - STOPPED + type: string + type: + type: string + units: + items: + additionalProperties: false + type: object + properties: + id: + type: string + message: + type: string + payload: + additionalProperties: + nullable: true + type: object + status: + enum: + - STARTING + - CONFIGURING + - HEALTHY + - DEGRADED + - FAILED + - STOPPING + - STOPPED + type: string + type: + enum: + - input + - output + 
- '' + type: string + required: + - id + - type + - status + - message + maxItems: 10000 + type: array + required: + - id + - type + - status + - message + maxItems: 10000 + type: array + default_api_key: + type: string + default_api_key_history: + items: + additionalProperties: false + deprecated: true + type: object + properties: + id: + type: string + retired_at: + type: string + required: + - id + - retired_at + maxItems: 100 + type: array + default_api_key_id: + type: string + effective_config: + nullable: true + enrolled_at: + type: string + health: + additionalProperties: + nullable: true + type: object + id: + type: string + identifying_attributes: + additionalProperties: + type: string + type: object + last_checkin: + type: string + last_checkin_message: + type: string + last_checkin_status: + enum: + - error + - online + - degraded + - updating + - starting + - disconnected + type: string + last_known_status: + enum: + - offline + - error + - online + - inactive + - enrolling + - unenrolling + - unenrolled + - updating + - degraded + - uninstalled + - orphaned + type: string + local_metadata: + additionalProperties: + nullable: true + type: object + metrics: + additionalProperties: false + type: object + properties: + cpu_avg: + type: number + memory_size_byte_avg: + type: number + namespaces: + items: + type: string + maxItems: 100 + type: array + non_identifying_attributes: + additionalProperties: + type: string + type: object + outputs: + additionalProperties: + additionalProperties: false + type: object + properties: + api_key_id: + type: string + to_retire_api_key_ids: + items: + additionalProperties: false + type: object + properties: + id: + type: string + retired_at: + type: string + required: + - id + - retired_at + maxItems: 100 + type: array + type: + type: string + type: object + packages: + items: + type: string + maxItems: 10000 + type: array + policy_id: + type: string + policy_revision: + nullable: true + type: number + sequence_num: + 
type: number + signals: + items: + type: string + maxItems: 50 + type: array + sort: + items: + nullable: true + maxItems: 10 + type: array + status: + enum: + - offline + - error + - online + - inactive + - enrolling + - unenrolling + - unenrolled + - updating + - degraded + - uninstalled + - orphaned + type: string + tags: + items: + type: string + maxItems: 100 + type: array + type: + enum: + - PERMANENT + - EPHEMERAL + - TEMPORARY + - OPAMP + type: string + unenrolled_at: + type: string + unenrollment_started_at: + type: string + unhealthy_reason: + items: + enum: + - input + - output + - other + type: string + maxItems: 3 + nullable: true + type: array + upgrade: + additionalProperties: false + type: object + properties: + rollbacks: + items: + additionalProperties: false + type: object + properties: + valid_until: + type: string + version: + type: string + required: + - valid_until + - version + maxItems: 100 + type: array + upgrade_attempts: + items: + type: string + maxItems: 10000 + nullable: true + type: array + upgrade_details: + additionalProperties: false + nullable: true + type: object + properties: + action_id: + type: string + metadata: + additionalProperties: false + type: object + properties: + download_percent: + type: number + download_rate: + type: number + error_msg: + type: string + failed_state: + enum: + - UPG_REQUESTED + - UPG_SCHEDULED + - UPG_DOWNLOADING + - UPG_EXTRACTING + - UPG_REPLACING + - UPG_RESTARTING + - UPG_FAILED + - UPG_WATCHING + - UPG_ROLLBACK + type: string + reason: + type: string + retry_error_msg: + type: string + retry_until: + type: string + scheduled_at: + type: string + state: + enum: + - UPG_REQUESTED + - UPG_SCHEDULED + - UPG_DOWNLOADING + - UPG_EXTRACTING + - UPG_REPLACING + - UPG_RESTARTING + - UPG_FAILED + - UPG_WATCHING + - UPG_ROLLBACK + type: string + target_version: + type: string + required: + - target_version + - action_id + - state + upgrade_started_at: + nullable: true + type: string + upgraded_at: + 
nullable: true + type: string + user_provided_metadata: + additionalProperties: + nullable: true + type: object + required: + - id + - packages + - type + - active + - enrolled_at + - local_metadata + - effective_config + maxItems: 10000 type: array - stats: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_PrivmonUserCsvUploadStats + nextSearchAfter: + type: string + page: + type: number + perPage: + type: number + pit: + type: string + statusSummary: + additionalProperties: + type: number + type: object + total: + type: number required: - - errors - - stats - description: Bulk upload successful - '413': - description: File too large - summary: Upsert multiple monitored users via CSV upload - tags: - - Security Entity Analytics API - /api/entity_analytics/monitoring/users/{id}: - delete: - description: Removes a privileged user from monitoring by their document ID. - operationId: DeletePrivMonUser - parameters: - - description: The document ID of the monitored user to delete - in: path - name: id - required: true - schema: - type: string - responses: - '200': + - items + - total + - page + - perPage + description: Successful response + '400': content: application/json: examples: - DeletePrivMonUserResponse: - summary: User deleted successfully + genericErrorResponseExample: + description: Example of a generic error response value: - acknowledged: true - message: User deleted successfully + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: + additionalProperties: false + description: Generic Error type: object properties: - acknowledged: - description: Indicates if the deletion was successful - type: boolean + attributes: + nullable: true + error: + type: string + errorType: + type: string message: - description: >- - A message providing additional information about the - deletion status type: string + statusCode: + type: number required: - - success - description: User deleted successfully - summary: 
Delete a monitored user + - message + - attributes + description: Bad Request + summary: Get agents tags: - - Security Entity Analytics API - put: - description: >- - Updates the details of an existing monitored privileged user by their - document ID. - operationId: UpdatePrivMonUser + - Elastic Agents + x-metaTags: + - content: Kibana + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve agents associated with specific action IDs.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: post-fleet-agents parameters: - - description: The document ID of the monitored user to update - in: path - name: id + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: + example: 'true' type: string requestBody: content: application/json: examples: - UpdatePrivMonUserRequest: - summary: Update a monitored user + postGetAgentsByActionsRequestExample: + description: Retrieve agents associated with specific action IDs value: - entity_analytics_monitoring: - labels: - - field: department - source: api - value: Security - user: - is_privileged: true - name: john.doe + actionIds: + - action-id-1 + - action-id-2 schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_MonitoredUserUpdateDoc - required: true - responses: - '200': - content: - application/json: - examples: - UpdatePrivMonUserResponse: - summary: Updated monitored user - value: - '@timestamp': '2026-01-28T12:00:00.000Z' - entity_analytics_monitoring: - labels: - - field: department - source: api - value: Security - event: - ingested: '2026-01-28T12:00:00.000Z' - id: user-abc-123 - user: - is_privileged: true - name: john.doe - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_MonitoredUserDoc - description: User updated successfully - summary: Update a monitored user - tags: - - Security Entity Analytics API - /api/entity_analytics/monitoring/users/list: - get: - description: >- - Returns a list of all privileged users currently being monitored. - Supports optional KQL filtering. 
- operationId: ListPrivMonUsers - parameters: - - description: KQL query to filter the list of monitored users - in: query - name: kql - required: false - schema: - type: string - responses: - '200': - content: - application/json: - examples: - ListPrivMonUsersResponse: - summary: List of monitored users - value: - - '@timestamp': '2026-01-28T12:00:00.000Z' - entity_analytics_monitoring: - labels: - - field: department - source: api - value: IT - event: - ingested: '2026-01-28T12:00:00.000Z' - id: user-abc-123 - user: - is_privileged: true - name: john.doe - - '@timestamp': '2026-01-15T09:00:00.000Z' - entity_analytics_monitoring: - labels: - - field: department - source: csv - value: Security - event: - ingested: '2026-01-15T09:00:00.000Z' - id: user-def-456 - user: - is_privileged: true - name: jane.smith - schema: - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_MonitoredUserDoc - type: array - description: List of monitored users - summary: List all monitored users - tags: - - Security Entity Analytics API - /api/entity_analytics/privileged_user_monitoring/pad/install: - post: - description: >- - Installs the privileged access detection integration package and sets up - the associated ML modules required for the Entity Analytics privileged - user monitoring experience. 
- operationId: InstallPrivilegedAccessDetectionPackage + additionalProperties: false + type: object + properties: + actionIds: + items: + type: string + maxItems: 1000 + type: array + required: + - actionIds responses: '200': content: application/json: examples: - InstallPrivilegedAccessDetectionPackageResponse: - summary: Package installed successfully + postGetAgentsByActionsExample: + description: Agents associated with the given actions value: - message: Privileged access detection package installed successfully + items: + - active: true + id: agent-id-1 + policy_id: agent-policy-id-1 + status: online + total: 1 schema: + additionalProperties: false type: object properties: - message: - type: string + items: + items: + type: string + maxItems: 10000 + type: array required: - - message + - items description: Successful response - summary: >- - Installs the privileged access detection package for the Entity - Analytics privileged user monitoring experience - tags: - - Security Entity Analytics API - /api/entity_analytics/privileged_user_monitoring/pad/status: - get: - description: >- - Returns the installation and ML module setup status of the privileged - access detection package, along with the state of each associated ML - job. 
- operationId: GetPrivilegedAccessDetectionPackageStatus - responses: - '200': + '400': content: application/json: examples: - GetPrivilegedAccessDetectionPackageStatusResponse: - summary: Package fully installed and running + genericErrorResponseExample: + description: Example of a generic error response value: - jobs: - - description: Detects high-risk login patterns - job_id: pad-high-risk-login - state: opened - - description: Detects privilege escalation events - job_id: pad-privilege-escalation - state: opened - ml_module_setup_status: complete - package_installation_status: complete + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: + additionalProperties: false + description: Generic Error type: object properties: - jobs: - items: - type: object - properties: - description: - type: string - job_id: - type: string - state: - enum: - - closing - - closed - - opened - - failed - - opening - type: string - required: - - job_id - - state - type: array - ml_module_setup_status: - enum: - - complete - - incomplete + attributes: + nullable: true + error: type: string - package_installation_status: - enum: - - complete - - incomplete + errorType: + type: string + message: type: string + statusCode: + type: number required: - - package_installation_status - - ml_module_setup_status - - jobs - description: Privileged access detection status retrieved - summary: >- - Gets the status of the privileged access detection package for the - Entity Analytics privileged user monitoring experience - tags: - - Security Entity Analytics API - /api/entity_analytics/watchlists: - post: - description: >- - Creates a new entity analytics watchlist with an optional set of entity - sources. Watchlists apply a risk score modifier to matched entities. 
- operationId: CreateWatchlist - requestBody: - content: - application/json: - examples: - CreateWatchlistRequest: - summary: Create watchlist request - value: - description: High risk vendor watchlist - managed: false - name: High Risk Vendors - riskModifier: 1.5 - CreateWatchlistWithSourcesRequest: - summary: Create watchlist with entity sources - value: - description: High risk vendor watchlist - entitySources: - - enabled: true - identifierField: user.name - indexPattern: my-sync-index - name: My User Index Source - type: index - managed: false - name: High Risk Vendors - riskModifier: 1.5 - schema: - type: object - properties: - description: - description: Description of the watchlist - type: string - entitySources: - description: Optional entity sources to create and link to the watchlist - items: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - filter: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_Filter - identifierField: - description: >- - Field used to query the entity store for index-type - sources - type: string - indexPattern: - type: string - integrationName: - description: >- - Required when type is entity_analytics_integration. - One of entityanalytics_okta, entityanalytics_ad. 
- type: string - matchers: - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_Matcher - type: array - name: - type: string - queryRule: - description: >- - KQL query used to filter data from the provided index - patterns - type: string - range: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_DateRange - type: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EntitySourceType - required: - - type - - name - type: array - managed: - description: Indicates if the watchlist is managed by the system - type: boolean - name: - description: Unique name for the watchlist - type: string - riskModifier: - description: Risk score modifier associated with the watchlist - maximum: 2 - minimum: 0 - type: number - required: - - name - - riskModifier - required: true - responses: - '200': - content: - application/json: - examples: - CreateWatchlistResponse: - summary: Created watchlist - value: - createdAt: '2026-01-28T12:00:00.000Z' - description: High risk vendor watchlist - id: watchlist-123 - managed: false - name: High Risk Vendors - riskModifier: 1.5 - updatedAt: '2026-01-28T12:00:00.000Z' - schema: - allOf: - - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_WatchlistObject - - type: object - properties: - entitySources: - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_MonitoringEntitySource - type: array - description: Watchlist created successfully - summary: Create a new watchlist + - message + - attributes + description: Bad Request + summary: Get agents by action ids tags: - - Security Entity Analytics API - x-state: Technical Preview - /api/entity_analytics/watchlists/{id}: - get: - description: >- - Retrieves the details of an entity analytics watchlist by its unique - identifier. 
- operationId: GetWatchlist + - Elastic Agents + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/{agentId}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/agents/{agentId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete an agent by ID.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: delete-fleet-agents-agentid parameters: - - description: Unique ID of the watchlist - in: path - name: id + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: + example: 'true' type: string - responses: - '200': - content: - application/json: - examples: - GetWatchlistResponse: - summary: Watchlist details - value: - createdAt: '2026-01-28T12:00:00.000Z' - description: High risk vendor watchlist - id: watchlist-123 - managed: false - name: High Risk Vendors - riskModifier: 1.5 - updatedAt: '2026-02-18T12:00:00.000Z' - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_WatchlistObject - description: Watchlist details - summary: Get a watchlist by ID - tags: - - Security Entity Analytics API - x-state: Technical Preview - put: - description: >- - Updates the name, description, risk modifier, or managed status of an - existing entity analytics watchlist. 
- operationId: UpdateWatchlist - parameters: - - description: The ID of the watchlist to update + - description: The agent ID in: path - name: id + name: agentId required: true schema: type: string - requestBody: - content: - application/json: - examples: - UpdateWatchlistRequest: - summary: Update watchlist request - value: - description: High risk vendor watchlist - managed: false - name: High Risk Vendors - riskModifier: 1.5 - schema: - type: object - properties: - description: - description: Description of the watchlist - type: string - managed: - description: Indicates if the watchlist is managed by the system - type: boolean - name: - description: Unique name of the watchlist - type: string - riskModifier: - description: Risk score modifier associated with the watchlist - maximum: 2 - minimum: 0 - type: number - required: - - name - - riskModifier - required: true responses: '200': content: application/json: examples: - UpdateWatchlistResponse: - summary: Updated watchlist + deleteAgentExample: + description: Agent successfully deleted value: - createdAt: '2026-01-28T12:00:00.000Z' - description: High risk vendor watchlist - id: watchlist-123 - managed: false - name: High Risk Vendors - riskModifier: 1.5 - updatedAt: '2026-02-18T12:00:00.000Z' + id: agent-id-1 + success: true schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_WatchlistObject - description: Watchlist updated successfully - summary: Update an existing watchlist + additionalProperties: false + type: object + properties: + action: + enum: + - deleted + type: string + required: + - action + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: 
true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No agent was found with the given ID + value: + error: Not Found + message: Agent agent-id-1 not found + statusCode: 404 + description: Not Found + summary: Delete an agent tags: - - Security Entity Analytics API - x-state: Technical Preview - /api/entity_analytics/watchlists/{watchlist_id}/csv_upload: - post: - description: > - Uploads a CSV file to add entities to a watchlist. The CSV must contain - a header row - - with a "type" column (user, host, service, or generic) and one or more - ECS identity - - fields (e.g. "user.name", "host.hostname") used to match entities in the - entity store. - - - Matched entities are added to the watchlist and their - `entity.attributes.watchlists` + - Elastic Agents + x-metaTags: + - content: Kibana + name: product_name + get: + description: |- + **Spaces method and path for this operation:** - field is updated in the entity store. +
get /s/{space_id}/api/fleet/agents/{agentId}
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Each row will match up to 10,000 entities. - operationId: UploadWatchlistCsv + Get an agent by ID.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agents-agentid parameters: - - description: The ID of the watchlist to add entities to - example: high-risk-vendors + - description: The agent ID in: path - name: watchlist_id + name: agentId required: true schema: type: string - requestBody: - content: - multipart/form-data: - examples: - csvUpload: - summary: CSV file with user entities - value: - file: | - type,user.name - user,john.doe - user,jane.smith - schema: - type: object - properties: - file: - description: The CSV file to upload. - format: binary - type: string - required: - - file - required: true + - description: When true, include CPU and memory metrics in the response + in: query + name: withMetrics + required: false + schema: + default: false + type: boolean responses: '200': content: application/json: examples: - CsvUploadResponse: - summary: CSV upload response with mixed results + getAgentExample: + description: Agent details + value: + item: + active: true + agent_id: agent-id-1 + enrolled_at: '2024-01-01T00:00:00.000Z' + id: agent-id-1 + local_metadata: + elastic: + agent: + version: 8.17.0 + host: + hostname: my-host + os: + name: linux + policy_id: agent-policy-id-1 + policy_revision: 1 + status: online + type: PERMANENT + updated_at: '2024-01-01T00:00:00.000Z' + schema: + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + access_api_key: + type: string + access_api_key_id: + type: string + active: + type: boolean + agent: + additionalProperties: true + type: object + properties: + id: + type: string + type: + type: string + version: + type: string + required: + - id + - version + audit_unenrolled_reason: + type: string + capabilities: + items: + type: string + maxItems: 100 + type: array + components: + items: + additionalProperties: false + type: object + properties: + id: + type: string + message: + type: string + 
status: + enum: + - STARTING + - CONFIGURING + - HEALTHY + - DEGRADED + - FAILED + - STOPPING + - STOPPED + type: string + type: + type: string + units: + items: + additionalProperties: false + type: object + properties: + id: + type: string + message: + type: string + payload: + additionalProperties: + nullable: true + type: object + status: + enum: + - STARTING + - CONFIGURING + - HEALTHY + - DEGRADED + - FAILED + - STOPPING + - STOPPED + type: string + type: + enum: + - input + - output + - '' + type: string + required: + - id + - type + - status + - message + maxItems: 10000 + type: array + required: + - id + - type + - status + - message + maxItems: 10000 + type: array + default_api_key: + type: string + default_api_key_history: + items: + additionalProperties: false + deprecated: true + type: object + properties: + id: + type: string + retired_at: + type: string + required: + - id + - retired_at + maxItems: 100 + type: array + default_api_key_id: + type: string + effective_config: + nullable: true + enrolled_at: + type: string + health: + additionalProperties: + nullable: true + type: object + id: + type: string + identifying_attributes: + additionalProperties: + type: string + type: object + last_checkin: + type: string + last_checkin_message: + type: string + last_checkin_status: + enum: + - error + - online + - degraded + - updating + - starting + - disconnected + type: string + last_known_status: + enum: + - offline + - error + - online + - inactive + - enrolling + - unenrolling + - unenrolled + - updating + - degraded + - uninstalled + - orphaned + type: string + local_metadata: + additionalProperties: + nullable: true + type: object + metrics: + additionalProperties: false + type: object + properties: + cpu_avg: + type: number + memory_size_byte_avg: + type: number + namespaces: + items: + type: string + maxItems: 100 + type: array + non_identifying_attributes: + additionalProperties: + type: string + type: object + outputs: + additionalProperties: + 
additionalProperties: false + type: object + properties: + api_key_id: + type: string + to_retire_api_key_ids: + items: + additionalProperties: false + type: object + properties: + id: + type: string + retired_at: + type: string + required: + - id + - retired_at + maxItems: 100 + type: array + type: + type: string + type: object + packages: + items: + type: string + maxItems: 10000 + type: array + policy_id: + type: string + policy_revision: + nullable: true + type: number + sequence_num: + type: number + signals: + items: + type: string + maxItems: 50 + type: array + sort: + items: + nullable: true + maxItems: 10 + type: array + status: + enum: + - offline + - error + - online + - inactive + - enrolling + - unenrolling + - unenrolled + - updating + - degraded + - uninstalled + - orphaned + type: string + tags: + items: + type: string + maxItems: 100 + type: array + type: + enum: + - PERMANENT + - EPHEMERAL + - TEMPORARY + - OPAMP + type: string + unenrolled_at: + type: string + unenrollment_started_at: + type: string + unhealthy_reason: + items: + enum: + - input + - output + - other + type: string + maxItems: 3 + nullable: true + type: array + upgrade: + additionalProperties: false + type: object + properties: + rollbacks: + items: + additionalProperties: false + type: object + properties: + valid_until: + type: string + version: + type: string + required: + - valid_until + - version + maxItems: 100 + type: array + upgrade_attempts: + items: + type: string + maxItems: 10000 + nullable: true + type: array + upgrade_details: + additionalProperties: false + nullable: true + type: object + properties: + action_id: + type: string + metadata: + additionalProperties: false + type: object + properties: + download_percent: + type: number + download_rate: + type: number + error_msg: + type: string + failed_state: + enum: + - UPG_REQUESTED + - UPG_SCHEDULED + - UPG_DOWNLOADING + - UPG_EXTRACTING + - UPG_REPLACING + - UPG_RESTARTING + - UPG_FAILED + - UPG_WATCHING + - 
UPG_ROLLBACK + type: string + reason: + type: string + retry_error_msg: + type: string + retry_until: + type: string + scheduled_at: + type: string + state: + enum: + - UPG_REQUESTED + - UPG_SCHEDULED + - UPG_DOWNLOADING + - UPG_EXTRACTING + - UPG_REPLACING + - UPG_RESTARTING + - UPG_FAILED + - UPG_WATCHING + - UPG_ROLLBACK + type: string + target_version: + type: string + required: + - target_version + - action_id + - state + upgrade_started_at: + nullable: true + type: string + upgraded_at: + nullable: true + type: string + user_provided_metadata: + additionalProperties: + nullable: true + type: object + required: + - id + - packages + - type + - active + - enrolled_at + - local_metadata + - effective_config + required: + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response value: - failed: 1 - items: - - matchedEntities: 1 - status: success - - error: Invalid entity type - matchedEntities: 0 - status: failure - - matchedEntities: 0 - status: unmatched - successful: 1 - total: 3 - unmatched: 1 + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: + additionalProperties: false + description: Generic Error type: object properties: - failed: - description: Number of rows that failed to process - example: 1 - type: integer - items: - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_WatchlistCsvUploadResponseItem - type: array - successful: - description: Number of rows that matched at least one entity - example: 1 - type: integer - total: - description: Total number of rows processed - example: 3 - type: integer - unmatched: - description: Number of rows that matched no entities - example: 1 - type: integer + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number required: - - successful - - failed 
- - total - - unmatched - - items - description: Upload successful - '413': - description: File too large - summary: Upload a CSV file to add entities to a watchlist + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No agent was found with the given ID + value: + error: Not Found + message: Agent agent-id-1 not found + statusCode: 404 + description: Not Found + summary: Get an agent tags: - - Security Entity Analytics API - x-state: Technical Preview - /api/entity_analytics/watchlists/{watchlist_id}/entities/assign: - post: - description: > - Assigns the provided entities to the specified watchlist using a - "manual" source label. - - The entities must already exist in the entity store. + - Elastic Agents + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** +
put /s/{space_id}/api/fleet/agents/{agentId}
- If an entity is already on the watchlist, no new document is created — - the "manual" label + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - is added to its existing source labels instead. - operationId: AssignWatchlistEntities + Update an agent by ID.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: put-fleet-agents-agentid parameters: - - description: The ID of the watchlist to add entities to - example: high-risk-vendors + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The agent ID in: path - name: watchlist_id + name: agentId required: true schema: type: string 
@@ -15564,91 +31069,478 @@ paths: content: application/json: examples: - assignEntities: - summary: Assign two entities to a watchlist + putAgentRequestExample: + description: Update agent tags value: - euids: - - user:john.doe - - host:web-01 + tags: + - production + - linux schema: + additionalProperties: false type: object properties: - euids: - description: The EUIDs of the entities to assign - example: - - user:john.doe - - host:web-01 + tags: items: type: string + maxItems: 10 type: array - required: - - euids - required: true + user_provided_metadata: + additionalProperties: + nullable: true + type: object responses: '200': content: application/json: examples: - assignEntitiesResponse: - summary: Successful assignment of two entities + putAgentExample: + description: Updated agent details + value: + item: + active: true + enrolled_at: '2024-01-01T00:00:00.000Z' + id: agent-id-1 + policy_id: agent-policy-id-1 + policy_revision: 1 + status: online + tags: + - production + - linux + type: PERMANENT + updated_at: '2024-01-01T00:00:00.000Z' + schema: + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + access_api_key: + type: string + access_api_key_id: + type: string + active: + type: boolean + agent: + additionalProperties: true + type: object + properties: + id: + type: string + type: + type: string + version: + type: string + required: + - id + - version + audit_unenrolled_reason: + type: string + capabilities: + items: + type: string + maxItems: 100 + type: array + components: + items: + additionalProperties: false + type: object + properties: + id: + type: string + message: + type: string + status: + enum: + - STARTING + - CONFIGURING + - HEALTHY + - DEGRADED + - FAILED + - STOPPING + - STOPPED + type: string + type: + type: string + units: + items: + additionalProperties: false + type: object + properties: + id: + type: string + message: + type: string + payload: + 
additionalProperties: + nullable: true + type: object + status: + enum: + - STARTING + - CONFIGURING + - HEALTHY + - DEGRADED + - FAILED + - STOPPING + - STOPPED + type: string + type: + enum: + - input + - output + - '' + type: string + required: + - id + - type + - status + - message + maxItems: 10000 + type: array + required: + - id + - type + - status + - message + maxItems: 10000 + type: array + default_api_key: + type: string + default_api_key_history: + items: + additionalProperties: false + deprecated: true + type: object + properties: + id: + type: string + retired_at: + type: string + required: + - id + - retired_at + maxItems: 100 + type: array + default_api_key_id: + type: string + effective_config: + nullable: true + enrolled_at: + type: string + health: + additionalProperties: + nullable: true + type: object + id: + type: string + identifying_attributes: + additionalProperties: + type: string + type: object + last_checkin: + type: string + last_checkin_message: + type: string + last_checkin_status: + enum: + - error + - online + - degraded + - updating + - starting + - disconnected + type: string + last_known_status: + enum: + - offline + - error + - online + - inactive + - enrolling + - unenrolling + - unenrolled + - updating + - degraded + - uninstalled + - orphaned + type: string + local_metadata: + additionalProperties: + nullable: true + type: object + metrics: + additionalProperties: false + type: object + properties: + cpu_avg: + type: number + memory_size_byte_avg: + type: number + namespaces: + items: + type: string + maxItems: 100 + type: array + non_identifying_attributes: + additionalProperties: + type: string + type: object + outputs: + additionalProperties: + additionalProperties: false + type: object + properties: + api_key_id: + type: string + to_retire_api_key_ids: + items: + additionalProperties: false + type: object + properties: + id: + type: string + retired_at: + type: string + required: + - id + - retired_at + maxItems: 100 + 
type: array + type: + type: string + type: object + packages: + items: + type: string + maxItems: 10000 + type: array + policy_id: + type: string + policy_revision: + nullable: true + type: number + sequence_num: + type: number + signals: + items: + type: string + maxItems: 50 + type: array + sort: + items: + nullable: true + maxItems: 10 + type: array + status: + enum: + - offline + - error + - online + - inactive + - enrolling + - unenrolling + - unenrolled + - updating + - degraded + - uninstalled + - orphaned + type: string + tags: + items: + type: string + maxItems: 100 + type: array + type: + enum: + - PERMANENT + - EPHEMERAL + - TEMPORARY + - OPAMP + type: string + unenrolled_at: + type: string + unenrollment_started_at: + type: string + unhealthy_reason: + items: + enum: + - input + - output + - other + type: string + maxItems: 3 + nullable: true + type: array + upgrade: + additionalProperties: false + type: object + properties: + rollbacks: + items: + additionalProperties: false + type: object + properties: + valid_until: + type: string + version: + type: string + required: + - valid_until + - version + maxItems: 100 + type: array + upgrade_attempts: + items: + type: string + maxItems: 10000 + nullable: true + type: array + upgrade_details: + additionalProperties: false + nullable: true + type: object + properties: + action_id: + type: string + metadata: + additionalProperties: false + type: object + properties: + download_percent: + type: number + download_rate: + type: number + error_msg: + type: string + failed_state: + enum: + - UPG_REQUESTED + - UPG_SCHEDULED + - UPG_DOWNLOADING + - UPG_EXTRACTING + - UPG_REPLACING + - UPG_RESTARTING + - UPG_FAILED + - UPG_WATCHING + - UPG_ROLLBACK + type: string + reason: + type: string + retry_error_msg: + type: string + retry_until: + type: string + scheduled_at: + type: string + state: + enum: + - UPG_REQUESTED + - UPG_SCHEDULED + - UPG_DOWNLOADING + - UPG_EXTRACTING + - UPG_REPLACING + - UPG_RESTARTING + - 
UPG_FAILED + - UPG_WATCHING + - UPG_ROLLBACK + type: string + target_version: + type: string + required: + - target_version + - action_id + - state + upgrade_started_at: + nullable: true + type: string + upgraded_at: + nullable: true + type: string + user_provided_metadata: + additionalProperties: + nullable: true + type: object + required: + - id + - packages + - type + - active + - enrolled_at + - local_metadata + - effective_config + required: + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response value: - failed: 0 - items: - - euid: user:john.doe - status: success - - euid: host:web-01 - status: not_found - not_found: 1 - successful: 1 - total: 2 + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: + additionalProperties: false + description: Generic Error type: object properties: - failed: - description: Number of entities that failed to process - example: 0 - type: integer - items: - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_WatchlistEntityAssignResponseItem - type: array - not_found: - description: Number of entities not found in the entity store - example: 1 - type: integer - successful: - description: Number of entities successfully assigned - example: 1 - type: integer - total: - description: Total number of entities processed - example: 2 - type: integer + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number required: - - successful - - failed - - not_found - - total - - items - description: Assignment successful - summary: Manually assign entities to a watchlist + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No agent was found with the given ID + value: + error: Not Found + message: 
Agent agent-id-1 not found + statusCode: 404 + description: Not Found + summary: Update an agent by ID tags: - - Security Entity Analytics API - x-state: Technical Preview; added in 9.4.0 - /api/entity_analytics/watchlists/{watchlist_id}/entities/unassign: + - Elastic Agents + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/{agentId}/actions: post: - description: | - Unassigns the provided entities from the specified watchlist. - This only removes the "manual" assignment. If the entity is also - assigned via other sources (for example, index or integration), it will - remain on the watchlist. - operationId: UnassignWatchlistEntities + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/{agentId}/actions
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new action for a specific agent.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-agentid-actions parameters: - - description: The ID of the watchlist to remove entities from - example: high-risk-vendors + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The agent ID in: path - name: watchlist_id + name: agentId required: true schema: type: string 
@@ -15656,3861 +31548,3731 @@ paths: content: application/json: examples: - unassignEntities: - summary: Unassign two entities from a watchlist + postAgentActionRequestExample: + description: Create a UNENROLL action for an agent value: - euids: - - user:john.doe - - host:web-01 + action: + type: UNENROLL schema: + additionalProperties: false type: object properties: - euids: - description: The EUIDs of the entities to unassign - example: - - user:john.doe - - host:web-01 - items: - type: string - type: array + action: + anyOf: + - additionalProperties: false + type: object + properties: + ack_data: + nullable: true + data: + nullable: true + type: + enum: + - UNENROLL + - UPGRADE + - POLICY_REASSIGN + type: string + required: + - type + - data + - ack_data + - additionalProperties: false + type: object + properties: + data: + additionalProperties: false + type: object + properties: + log_level: + enum: + - debug + - info + - warning + - error + nullable: true + type: string + required: + - log_level + type: + enum: + - SETTINGS + type: string + required: + - type + - data required: - - euids - required: true + - action responses: '200': content: application/json: examples: - unassignEntitiesResponse: - summary: Successful unassignment of two entities + postAgentActionExample: + description: Created agent action value: - failed: 0 - items: - - euid: user:john.doe - status: success - - euid: host:web-01 - status: not_found - not_found: 1 - successful: 1 - total: 2 + item: + agents: + - agent-id-1 + created_at: '2024-01-01T00:00:00.000Z' + id: action-id-1 + type: UNENROLL schema: + additionalProperties: false type: object properties: - failed: - description: Number of entities that failed to process - example: 0 - type: integer - items: - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_WatchlistEntityUnassignResponseItem - type: array - not_found: - description: >- - Number of entities not found in the manual watchlist - assignment - example: 1 
- type: integer - successful: - description: Number of entities successfully unassigned - example: 1 - type: integer - total: - description: Total number of entities processed - example: 2 - type: integer + item: + additionalProperties: false + type: object + properties: + ack_data: + nullable: true + agents: + items: + type: string + maxItems: 10000 + type: array + created_at: + type: string + data: + nullable: true + expiration: + type: string + id: + type: string + minimum_execution_duration: + type: number + namespaces: + items: + type: string + maxItems: 100 + type: array + rollout_duration_seconds: + type: number + sent_at: + type: string + source_uri: + type: string + start_time: + type: string + total: + type: number + type: + type: string + required: + - id + - type + - data + - created_at + - ack_data required: - - successful - - failed - - not_found - - total - - items - description: Unassignment successful - summary: Manually unassign entities from a watchlist - tags: - - Security Entity Analytics API - x-state: Technical Preview; added in 9.4.0 - /api/entity_analytics/watchlists/list: - get: - description: Returns a list of all entity analytics watchlists. 
- operationId: ListWatchlists - responses: - '200': - content: - application/json: - examples: - ListWatchlistsResponse: - summary: List of watchlists - value: - - createdAt: '2026-01-28T12:00:00.000Z' - description: High risk vendor watchlist - id: watchlist-123 - managed: false - name: High Risk Vendors - riskModifier: 1.5 - updatedAt: '2026-02-18T12:00:00.000Z' - - createdAt: '2026-01-10T09:30:00.000Z' - description: Privileged user monitoring watchlist - id: watchlist-456 - managed: true - name: Privileged Accounts - riskModifier: 2 - updatedAt: '2026-02-01T15:45:00.000Z' - schema: - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_WatchlistObject - type: array - description: List of watchlists - summary: List all watchlists - tags: - - Security Entity Analytics API - x-state: Technical Preview - /api/entity_store/enable: - post: - description: >- - Initialize the entire Entity Store, creating engines for all or - specified entity types. - operationId: InitEntityStore - requestBody: - content: - application/json: - schema: - type: object - properties: - delay: - default: 1m - description: The delay before the transform will run. - pattern: '[smdh]$' - type: string - docsPerSecond: - default: -1 - description: The number of documents per second to process. - type: integer - enrichPolicyExecutionInterval: - $ref: '#/components/schemas/Security_Entity_Analytics_API_Interval' - entityTypes: - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EntityType - type: array - fieldHistoryLength: - default: 10 - description: The number of historical values to keep for each field. - type: integer - filter: - type: string - frequency: - default: 1m - description: The frequency at which the transform will run. 
- pattern: '[smdh]$' - type: string - indexPattern: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_IndexPattern - lookbackPeriod: - default: 3h - description: >- - The amount of time the transform looks back to calculate the - aggregations. - pattern: '[smdh]$' - type: string - maxPageSearchSize: - default: 500 - description: >- - The initial page size to use for the composite aggregation - of each checkpoint. - type: integer - timeout: - default: 180s - description: The timeout for initializing the aggregating transform. - pattern: '[smdh]$' - type: string - timestampField: - default: '@timestamp' - description: The field to use as the timestamp. - type: string - description: Configuration for the entity store initialization. - required: true - responses: - '200': - content: - application/json: - examples: - initEntityStoreExample: - description: >- - The Entity Store was successfully initialized, creating host - and user engines in the installing state. - summary: Entity Store initialized with host and user engines - value: - engines: - - delay: 1m - fieldHistoryLength: 10 - frequency: 1m - indexPattern: '' - lookbackPeriod: 24h - status: installing - timeout: 180s - timestampField: '@timestamp' - type: host - - delay: 1m - fieldHistoryLength: 10 - frequency: 1m - indexPattern: '' - lookbackPeriod: 24h - status: installing - timeout: 180s - timestampField: '@timestamp' - type: user - succeeded: true - schema: - type: object - properties: - engines: - description: The engine descriptors created during initialization. - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EngineDescriptor - type: array - succeeded: - description: Whether the Entity Store was initialized successfully. 
- type: boolean + - item description: Successful response '400': - description: Invalid request - summary: Initialize the Entity Store - tags: - - Security Entity Analytics API - /api/entity_store/engines: - delete: - operationId: DeleteEntityEngines - parameters: - - description: >- - The entity type of the engine ('user', 'host', 'service', - 'generic'). - examples: - hostAndService: - value: host,service - in: query - name: entityTypes - required: false - schema: - description: >- - Array of engine types to delete. Empty by default, which results - in all the engines being deleted. - items: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - type: array - - description: Control flag to also delete the entity data. - in: query - name: delete_data - required: false - schema: - type: boolean - responses: - '200': content: application/json: examples: - deleteEntityEnginesExample: - description: Example response after deleting 'host' engine + genericErrorResponseExample: + description: Example of a generic error response value: - deleted: - - host - still_running: - - generic - - user - - service + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: + additionalProperties: false + description: Generic Error type: object properties: - deleted: - description: Entity types whose engines were successfully deleted. - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EntityType - type: array - still_running: - description: Entity types whose engines are still running. 
- items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EntityType - type: array - description: Successful response - summary: Delete Entity Engines + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Create an agent action tags: - - Security Entity Analytics API + - Elastic Agent actions + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/{agentId}/effective_config: get: - description: Get a list of all installed entity engines and their current status. - operationId: ListEntityEngines - responses: - '200': - content: - application/json: - examples: - listEntityEnginesExample: - description: >- - Returns a list with one running host engine and one stopped - user engine. - summary: Two engines installed - value: - count: 2 - engines: - - delay: 1m - fieldHistoryLength: 10 - frequency: 1m - indexPattern: '' - lookbackPeriod: 24h - status: started - timeout: 180s - timestampField: '@timestamp' - type: host - - delay: 1m - fieldHistoryLength: 10 - frequency: 1m - indexPattern: '' - lookbackPeriod: 24h - status: stopped - timeout: 180s - timestampField: '@timestamp' - type: user - schema: - type: object - properties: - count: - description: The total number of entity engines. - type: integer - engines: - description: An array of engine descriptors. - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EngineDescriptor - type: array - description: Successful response - summary: List the Entity Engines - tags: - - Security Entity Analytics API - /api/entity_store/engines/{entityType}: - delete: - operationId: DeleteEntityEngine + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agents/{agentId}/effective_config
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get an agent's effective config by ID.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agents-agentid-effective-config parameters: - - description: The entity type of the engine (either 'user' or 'host'). - examples: - host: - value: host + - description: The agent ID to get effective config of in: path - name: entityType + name: agentId required: true schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - - description: Control flag to also delete the entity data. - in: query - name: delete_data - required: false - schema: - type: boolean - - deprecated: true - description: Control flag to also delete the entity data. - in: query - name: data - required: false - schema: - type: boolean + type: string responses: '200': content: application/json: examples: - deleteEntityEngineExample: - description: Example response after deleting 'host' engine + successResponse: value: - deleted: true + effective_config: {} schema: + additionalProperties: false type: object properties: - deleted: - description: Whether the engine was successfully deleted. - type: boolean - description: Successful response - summary: Delete the Entity Engine - tags: - - Security Entity Analytics API - get: - description: >- - Get the engine descriptor for a specific entity type, including its - configuration and current status. - operationId: GetEntityEngine - parameters: - - description: The entity type of the engine. - example: host - in: path - name: entityType - required: true - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - responses: - '200': + effective_config: + nullable: true + required: + - effective_config + description: 'OK: A successful request.' + '400': content: application/json: examples: - getEntityEngineExample: - description: >- - Returns the engine descriptor for a host engine that is - currently running with default settings. 
- summary: A running host engine + badRequestResponse: value: - delay: 1m - fieldHistoryLength: 10 - frequency: 1m - indexPattern: '' - lookbackPeriod: 24h - status: started - timeout: 180s - timestampField: '@timestamp' - type: host + message: Bad Request schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EngineDescriptor - description: Successful response - summary: Get an Entity Engine + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: A bad request. + summary: Get an agent's effective config tags: - - Security Entity Analytics API - /api/entity_store/engines/{entityType}/init: + - Elastic Agents + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/{agentId}/migrate: post: - description: Initialize a single entity engine for the specified entity type. - operationId: InitEntityEngine + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/{agentId}/migrate
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Migrate a single agent to another cluster.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-agentid-migrate parameters: - - description: The entity type of the engine. + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The agent ID in: path - name: entityType + name: agentId required: true schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + type: string requestBody: content: application/json: + examples: + postMigrateAgentRequestExample: + description: Migrate a single agent to another cluster + value: + enrollment_token: enrollment-token-value + settings: + retry_max: 5 + uri: https://fleet-server.example.com:8220 schema: + additionalProperties: false type: object properties: - delay: - default: 1m - description: The delay before the transform will run. - pattern: '[smdh]$' - type: string - docsPerSecond: - default: -1 - description: The number of documents per second to process. - type: integer - enrichPolicyExecutionInterval: - $ref: '#/components/schemas/Security_Entity_Analytics_API_Interval' - fieldHistoryLength: - default: 10 - description: The number of historical values to keep for each field. - type: integer - filter: - type: string - frequency: - default: 1m - description: The frequency at which the transform will run. - pattern: '[smdh]$' - type: string - indexPattern: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_IndexPattern - lookbackPeriod: - default: 3h - description: >- - The amount of time the transform looks back to calculate the - aggregations. - pattern: '[smdh]$' - type: string - maxPageSearchSize: - default: 500 - description: >- - The initial page size to use for the composite aggregation - of each checkpoint. - type: integer - timeout: - default: 180s - description: The timeout for initializing the aggregating transform. 
- pattern: '[smdh]$' + enrollment_token: type: string - timestampField: - default: '@timestamp' - description: The field to use as the timestamp for the entity type. + settings: + additionalProperties: false + type: object + properties: + ca_sha256: + type: string + certificate_authorities: + type: string + elastic_agent_cert: + type: string + elastic_agent_cert_key: + type: string + elastic_agent_cert_key_passphrase: + type: string + headers: + additionalProperties: + type: string + type: object + insecure: + type: boolean + proxy_disabled: + type: boolean + proxy_headers: + additionalProperties: + type: string + type: object + proxy_url: + type: string + replace_token: + type: string + staging: + type: string + tags: + items: + type: string + maxItems: 10 + type: array + uri: + format: uri type: string - description: Schema for the engine initialization - required: true + required: + - uri + - enrollment_token responses: '200': content: application/json: examples: - initEntityEngineExample: - description: >- - A host engine was successfully initialized and is now in the - installing state. - summary: Host engine initialized + postMigrateAgentExample: + description: Agent migration initiated value: - delay: 1m - fieldHistoryLength: 10 - frequency: 1m - indexPattern: '' - lookbackPeriod: 3h - status: installing - timeout: 180s - timestampField: '@timestamp' - type: host + actionId: action-id-1 schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EngineDescriptor + additionalProperties: false + type: object + properties: + actionId: + type: string + required: + - actionId description: Successful response '400': - description: Invalid request - summary: Initialize an Entity Engine - tags: - - Security Entity Analytics API - /api/entity_store/engines/{entityType}/start: - post: - description: >- - Start a previously stopped entity engine, resuming transform processing - for the given entity type. 
- operationId: StartEntityEngine - parameters: - - description: The entity type of the engine to start. - example: host - in: path - name: entityType - required: true - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - responses: - '200': content: application/json: examples: - startEntityEngineExample: - description: >- - The engine was successfully started and is now processing - data. - summary: Engine started successfully + genericErrorResponseExample: + description: Example of a generic error response value: - started: true + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: + additionalProperties: false + description: Generic Error type: object properties: - started: - description: Whether the engine was successfully started. - type: boolean - description: Successful response - summary: Start an Entity Engine + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Migrate a single agent tags: - - Security Entity Analytics API - /api/entity_store/engines/{entityType}/stop: + - Elastic Agents + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/{agentId}/privilege_level_change: post: - description: >- - Stop a running entity engine, pausing transform processing for the given - entity type. - operationId: StopEntityEngine + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/{agentId}/privilege_level_change
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Change the privilege level of a single agent to unprivileged.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-agentid-privilege-level-change parameters: - - description: The entity type of the engine to stop. - example: host + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The agent ID to change privilege level for in: path - name: entityType + name: agentId required: true schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - responses: - '200': - content: - application/json: - examples: - stopEntityEngineExample: - description: >- - The engine was successfully stopped and is no longer - processing data. - summary: Engine stopped successfully - value: - stopped: true - schema: - type: object - properties: - stopped: - description: Whether the engine was successfully stopped. - type: boolean - description: Successful response - summary: Stop an Entity Engine - tags: - - Security Entity Analytics API - /api/entity_store/engines/apply_dataview_indices: - post: - description: >- - Synchronize data view index patterns to all running entity engines so - that newly added indices are picked up by the transforms. - operationId: ApplyEntityEngineDataviewIndices + type: string + requestBody: + content: + application/json: + examples: + changeAgentPrivilegeLevelRequest: + value: + user_info: + groupname: groupname + password: password + username: username + schema: + additionalProperties: false + nullable: true + type: object + properties: + user_info: + additionalProperties: false + type: object + properties: + groupname: + type: string + password: + type: string + username: + type: string responses: '200': content: application/json: examples: - applyDataviewIndicesExample: - description: >- - All running engines were successfully updated with the - current data view index patterns. 
- summary: All engines updated - value: - result: - - changes: - indexPatterns: - - logs-* - - filebeat-* - - auditbeat-* - type: host - - changes: - indexPatterns: - - logs-* - - filebeat-* - - auditbeat-* - type: user - success: true - schema: - type: object - properties: - result: - description: Per-engine update results. - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EngineDataviewUpdateResult - type: array - success: - description: Whether all engines updated successfully. - type: boolean - description: Successful response - '207': - content: - application/json: - examples: - partialSuccessExample: - description: >- - The host engine was updated but the user engine failed due - to insufficient privileges. - summary: One engine failed + successResponse: value: - errors: - - 'Failed to update user engine: insufficient privileges' - result: - - changes: - indexPatterns: - - logs-* - - filebeat-* - type: host - success: false + actionId: actionId schema: - type: object - properties: - errors: - description: Error messages for engines that failed to update. - items: - type: string - type: array - result: - description: Per-engine update results for engines that succeeded. - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EngineDataviewUpdateResult - type: array - success: - description: Always `false` for a partial success. - type: boolean - description: Partial successful response - '500': + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_action_id_response' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_action_message_response' + description: 'OK: A successful request.' + '400': content: application/json: examples: - serverErrorExample: - description: >- - An unexpected error occurred while applying data view - indices. 
- summary: Internal server error + badRequestResponse: value: - body: An internal error occurred while updating engine indices - statusCode: 500 + message: Bad Request schema: + additionalProperties: false + description: Generic Error type: object properties: - body: - description: Error message. + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: type: string statusCode: - description: HTTP status code. type: number - description: Error response - summary: Apply DataView indices to all installed engines + required: + - message + - attributes + description: A bad request. + summary: Change agent privilege level tags: - - Security Entity Analytics API - /api/entity_store/entities/{entityType}: - delete: - description: > - Delete a single entity in Entity Store. + - Elastic Agents + x-state: Experimental; added in 9.3.0 + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/{agentId}/reassign: + post: + description: |- + **Spaces method and path for this operation:** - The entity will be immediately deleted from the latest index. It will - remain available in historical snapshots if it has been snapshotted. - The delete operation does not prevent the entity from being recreated if - it is observed again in the future. - operationId: DeleteSingleEntity +
post /s/{space_id}/api/fleet/agents/{agentId}/reassign
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Reassign an agent to a different agent policy.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-agentid-reassign parameters: - - example: user + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The agent ID in: path - name: entityType + name: agentId required: true schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + type: string requestBody: content: application/json: + examples: + postReassignAgentRequestExample: + description: Reassign an agent to a different policy + value: + policy_id: agent-policy-id-2 schema: + additionalProperties: false type: object properties: - id: - description: >- - Identifier of the entity to be deleted, commonly entity.id - value. - example: arn:aws:iam::123456789012:user/jane.doe + policy_id: type: string required: - - id - description: Schema for the deleting entity - required: true + - policy_id responses: '200': content: application/json: examples: - deleteEntityExample: - description: >- - The entity was found and successfully removed from the - latest index. - summary: Entity deleted + postReassignAgentExample: + description: Agent successfully reassigned + value: {} + schema: + additionalProperties: false + type: object + properties: {} + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response value: - deleted: true + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: + additionalProperties: false + description: Generic Error type: object properties: - deleted: - description: Whether the entity was successfully deleted. - type: boolean - description: Successful response. Entity deleted. - '404': - description: Entity Not Found. No entity with this ID and Type exists. 
- '503': - description: >- - Operation on an uninitialized Engine or in a cluster without CRUD - API Enabled - summary: Delete an entity in Entity Store + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Reassign an agent tags: - - Security Entity Analytics API - put: - description: > - Update or create an entity in Entity Store. + - Elastic Agent actions + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/{agentId}/remove_collector: + post: + description: |- + **Spaces method and path for this operation:** - If the specified entity already exists, it is updated with the provided - values. If the entity does not exist, a new one is created. By default, - only the following fields can be updated: * `entity.attributes.*` * - `entity.lifecycle.*` * `entity.behavior.*` To update other fields, set - the `force` query parameter to `true`. > info > Some fields always - retain the first observed value. Updates to these fields will not appear - in the final index. +
post /s/{space_id}/api/fleet/agents/{agentId}/remove_collector
- > Due to technical limitations, not all updates are guaranteed to appear - in the final list of observed values. + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - > Due to technical limitations, create is an async operation. The time - for a document to be present in the > final index depends on the entity - store transform and usually takes more than 1 minute. - operationId: UpsertEntity + Remove a specific OpAMP collector from the Fleet agents list. Marks the collector as unenrolled. This action does not invalidate API keys, so the collector can reconnect on its own.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-agentid-remove-collector parameters: - - example: user - in: path - name: entityType + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - - description: When true, allows updating protected fields. - in: query - name: force - required: false + example: 'true' + type: string + - description: The collector agent ID + in: path + name: agentId + required: true schema: - default: false - type: boolean - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_Entity' - description: Schema for the updating a single entity - required: true + type: string responses: '200': content: application/json: - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_Entity' - description: Entity updated or created - '403': - description: Operation on a restricted field - '409': - description: >- - Conflict. The entity was updated while another update was happening - in ElasticSearch - '503': - description: >- - Operation on an uninitialized Engine or in a cluster without CRUD - API Enabled - summary: Upsert an entity in Entity Store + examples: + postRemoveCollectorExample: + description: Collector successfully removed + value: {} + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + description: Bad Request + summary: Remove an OpAMP collector tags: - - Security Entity Analytics API - /api/entity_store/entities/bulk: - put: - description: > - Update or create many entities in Entity Store. 
+ - Elastic Agent actions + x-state: Experimental; added in 9.5.0 + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/{agentId}/request_diagnostics: + post: + description: |- + **Spaces method and path for this operation:** - If the specified entity already exists, it is updated with the provided - values. If the entity does not exist, a new one is created. +
post /s/{space_id}/api/fleet/agents/{agentId}/request_diagnostics
- The creation is asynchronous. The time for a document to be present in - the final index depends on the entity store transform and usually takes - more than 1 minute. - operationId: UpsertEntitiesBulk + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Request a diagnostics bundle from a specific agent.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: post-fleet-agents-agentid-request-diagnostics parameters: - - description: When true, allows updating protected fields. - in: query - name: force - required: false + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - default: false - type: boolean + example: 'true' + type: string + - description: The agent ID + in: path + name: agentId + required: true + schema: + type: string requestBody: content: application/json: + examples: + postRequestDiagnosticsRequestExample: + description: Request a diagnostics bundle from an agent + value: + additional_metrics: + - CPU schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EntitiesContainer - description: Schema for the updating many entities - required: true - responses: - '200': - description: Entities updated or created - '403': - description: Operation on a restricted field - '503': - description: >- - Operation on an uninitialized Engine or in a cluster without CRUD - API Enabled - summary: Upsert many entities in Entity Store - tags: - - Security Entity Analytics API - /api/entity_store/entities/list: - get: - description: List entities records, paging, sorting and filtering as needed. - operationId: ListEntities - parameters: - - description: Field to sort results by. - example: entity.name - in: query - name: sort_field - required: false - schema: - type: string - - description: Sort order. - in: query - name: sort_order - required: false - schema: - enum: - - asc - - desc - type: string - - description: Page number to return (1-indexed). - example: 1 - in: query - name: page - required: false - schema: - minimum: 1 - type: integer - - description: Number of entities per page. - example: 10 - in: query - name: per_page - required: false - schema: - maximum: 10000 - minimum: 1 - type: integer - - description: An ES query to filter by. 
- in: query - name: filterQuery - required: false - schema: - type: string - - description: Entity types to include in the results. - in: query - name: entity_types - required: true - schema: - items: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - type: array + additionalProperties: false + nullable: true + type: object + properties: + additional_metrics: + items: + enum: + - CPU + type: string + maxItems: 1 + type: array responses: '200': content: application/json: + examples: + postRequestDiagnosticsExample: + description: Diagnostics action result + value: + actionId: action-id-1 schema: + additionalProperties: false type: object properties: - inspect: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_InspectQuery - page: - description: Current page number. - minimum: 1 - type: integer - per_page: - description: Number of entities per page. - maximum: 1000 - minimum: 1 - type: integer - records: - description: The entity records for this page. - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_Entity - type: array - total: - description: Total number of entities matching the query. - minimum: 0 - type: integer + actionId: + type: string required: - - records - - page - - per_page - - total - description: Entities returned successfully - summary: List Entity Store Entities - tags: - - Security Entity Analytics API - /api/entity_store/status: - get: - description: >- - Get the overall Entity Store status and per-engine statuses, optionally - including component-level health details. - operationId: GetEntityStoreStatus - parameters: - - description: >- - If true, returns a detailed status of each engine including all its - components. 
- example: true - in: query - name: include_components - schema: - type: boolean - responses: - '200': + - actionId + description: Successful response + '400': content: application/json: examples: - entityStoreRunning: - description: >- - The Entity Store is running with both host and user engines - started and using default settings. - summary: Entity Store running with two engines + genericErrorResponseExample: + description: Example of a generic error response value: - engines: - - delay: 1m - fieldHistoryLength: 10 - frequency: 1m - indexPattern: '' - lookbackPeriod: 24h - status: started - timeout: 180s - timestampField: '@timestamp' - type: host - - delay: 1m - fieldHistoryLength: 10 - frequency: 1m - indexPattern: '' - lookbackPeriod: 24h - status: started - timeout: 180s - timestampField: '@timestamp' - type: user - status: running + error: Bad Request + message: Agent agent-id-1 does not support request diagnostics action. + statusCode: 400 schema: + additionalProperties: false + description: Generic Error type: object properties: - engines: - description: Per-engine status information. - items: - allOf: - - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EngineDescriptor - - type: object - properties: - components: - description: >- - Detailed component-level status. Only included - when include_components is true. - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EngineComponentStatus - type: array - type: array - status: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_StoreStatus - description: The overall status of the Entity Store. 
+ attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number required: - - status - - engines - description: Successful response - summary: Get the status of the Entity Store + - message + - attributes + description: Bad Request + summary: Request agent diagnostics tags: - - Security Entity Analytics API - /api/exception_lists: - delete: - description: Delete an exception list using the `id` or `list_id` field. - operationId: DeleteExceptionList + - Elastic Agent actions + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/{agentId}/rollback: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/{agentId}/rollback
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Rollback an agent to the previous version.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-agentid-rollback parameters: - - description: >- - Exception list's identifier. Either `id` or `list_id` must be - specified. - in: query - name: id - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' - - description: >- - Human readable exception list string identifier, e.g. - `trusted-linux-processes`. Either `id` or `list_id` must be - specified. - examples: - autogeneratedId: - value: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - list_id: - value: simple_list - in: query - name: list_id - required: false + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - - description: > - `single` deletes the list in the current Kibana space; `agnostic` - deletes a global list. Must match the - - list you are removing when using `list_id` or `id`. - examples: - agnostic: - value: agnostic - single: - value: single - in: query - name: namespace_type - required: false + example: 'true' + type: string + - description: The agent ID to rollback + in: path + name: agentId + required: true schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - default: single + type: string responses: '200': content: application/json: examples: - detectionExceptionList: + successResponse: value: - _version: WzIsMV0= - created_at: 2025-01-07T19:34:27.942Z - created_by: elastic - description: This is a sample detection type exception list. 
- id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 - immutable: false - list_id: simple_list - name: Sample Detection Exception List - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 - type: detection - updated_at: 2025-01-07T19:34:27.942Z - updated_by: elastic - version: 1 + actionId: actionId schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' - description: Successful response + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_action_id_response' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_action_message_response' + description: 'OK: A successful request.' '400': content: application/json: examples: - badRequest: - value: - error: Bad Request - message: >- - [request query]: namespace_type.0: Invalid enum value. - Expected 'agnostic' | 'single', received 'blob' - statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: + badRequestResponse: value: - error: Forbidden - message: >- - API [DELETE - /api/exception_lists?list_id=simple_list&namespace_type=single] - is unauthorized for user, this action is granted by the - Kibana privileges [lists-all] - statusCode: 403 + message: Bad Request schema: - $ref: >- - 
#/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '404': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: A bad request. + summary: Rollback an agent + tags: + - Elastic Agent actions + x-state: Experimental; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/{agentId}/unenroll: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/{agentId}/unenroll
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Unenroll a specific agent, optionally revoking its enrollment API key.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-agentid-unenroll + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The agent ID + in: path + name: agentId + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + postUnenrollAgentRequestExample: + description: Unenroll an agent, optionally revoking the enrollment API key + value: + revoke: false + schema: + additionalProperties: false + nullable: true + type: object + properties: + force: + type: boolean + revoke: + type: boolean + responses: + '200': content: application/json: examples: - notFound: - value: - message: 'exception list list_id: "foo" does not exist' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list not found response - '500': + postUnenrollAgentExample: + description: Agent successfully unenrolled + value: {} + description: Successful response + '400': content: application/json: examples: - serverError: + genericErrorResponseExample: + description: Example of a generic error response value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Delete an exception list + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + description: Bad Request + summary: Unenroll an agent tags: - - Security Exceptions API - get: - description: Get the details of an exception list using the `id` or `list_id` field. 
- operationId: ReadExceptionList + - Elastic Agent actions + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/{agentId}/upgrade: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/{agentId}/upgrade
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Upgrade a specific agent to a newer version.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-agentid-upgrade parameters: - - description: >- - Exception list's identifier. Either `id` or `list_id` must be - specified. - in: query - name: id - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' - - description: >- - Human readable exception list string identifier, e.g. - `trusted-linux-processes`. Either `id` or `list_id` must be - specified. - in: query - name: list_id - required: false + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - - description: > - When `single`, the list is resolved in the current Kibana space. - When `agnostic`, the list is a global - - (space-agnostic) container. Required for looking up the correct list - when `list_id` is not unique. - examples: - agnostic: - value: agnostic - single: - value: single - in: query - name: namespace_type - required: false + example: 'true' + type: string + - description: The agent ID + in: path + name: agentId + required: true schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - default: single + type: string + requestBody: + content: + application/json: + examples: + postUpgradeAgentRequestExample: + description: Upgrade an agent to a specific version + value: + version: 8.17.0 + schema: + additionalProperties: false + type: object + properties: + force: + type: boolean + skipRateLimitCheck: + type: boolean + source_uri: + type: string + version: + type: string + required: + - version responses: '200': content: application/json: examples: - detectionType: - value: - _version: WzIsMV0= - created_at: 2025-01-07T19:34:27.942Z - created_by: elastic - description: This is a sample detection type exception list. 
- id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 - immutable: false - list_id: simple_list - name: Sample Detection Exception List - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 - type: detection - updated_at: 2025-01-07T19:34:27.942Z - updated_by: elastic - version: 1 + postUpgradeAgentExample: + description: Agent upgrade initiated + value: {} schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + additionalProperties: false + type: object + properties: {} description: Successful response '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: >- - [request query]: namespace_type.0: Invalid enum value. - Expected 'agnostic' | 'single', received 'blob' + message: An error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [GET - /api/exception_lists?list_id=simple_list&namespace_type=single] - is unauthorized for user, this action is granted by the - Kibana privileges [lists-read] - statusCode: 403 - schema: - $ref: >- - 
#/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '404': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Upgrade an agent + tags: + - Elastic Agent actions + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/{agentId}/uploads: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agents/{agentId}/uploads
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of files uploaded by a specific agent.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agents-agentid-uploads + parameters: + - description: The agent ID + in: path + name: agentId + required: true + schema: + type: string + responses: + '200': content: application/json: examples: - notFound: + getAgentUploadsExample: + description: List of files uploaded by the agent value: - message": 'exception list id: "foo" does not exist' - status_code": 404 + items: + - actionId: action-id-1 + createTime: '2024-01-01T00:00:00.000Z' + filePath: /tmp/diagnostics-2024-01-01.zip + id: file-id-1 + name: diagnostics-2024-01-01.zip + status: READY schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list item not found response - '500': + additionalProperties: false + type: object + properties: + items: + items: + additionalProperties: false + type: object + properties: + actionId: + type: string + createTime: + type: string + error: + type: string + filePath: + type: string + id: + type: string + name: + type: string + status: + enum: + - READY + - AWAITING_UPLOAD + - DELETED + - EXPIRED + - IN_PROGRESS + - FAILED + type: string + required: + - id + - name + - filePath + - createTime + - status + - actionId + maxItems: 10000 + type: array + required: + - items + description: Successful response + '400': content: application/json: examples: - serverError: + genericErrorResponseExample: + description: Example of a generic error response value: - message: Internal Server Error - status_code: 500 + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Get exception list details + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + 
message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get agent uploads tags: - - Security Exceptions API - post: - description: > - An exception list groups exception items and can be associated with - detection rules. You can assign exception lists to multiple detection - rules. + - Elastic Agents + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/action_status: + get: + description: |- + **Spaces method and path for this operation:** - > info +
get /s/{space_id}/api/fleet/agents/action_status
- > All exception items added to the same list are evaluated using `OR` - logic. That is, if any of the items in a list evaluate to `true`, the - exception prevents the rule from generating an alert. Likewise, `OR` - logic is used for evaluating exceptions when more than one exception - list is assigned to a rule. To use the `AND` operator, you can define - multiple clauses (`entries`) in a single exception item. - operationId: CreateExceptionList - requestBody: - content: - application/json: - examples: - createDetection: - value: - description: This is a sample detection type exception list. - list_id: simple_list - name: Sample Detection Exception List - namespace_type: single - os_types: - - linux - tags: - - malware - type: detection - schema: - example: - description: This is a sample detection type exception list. - list_id: simple_list - name: Sample Detection Exception List - namespace_type: single - os_types: - - linux - tags: - - malware - type: detection - type: object - properties: - description: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListDescription - list_id: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListHumanId - meta: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListMeta - name: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListName - namespace_type: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - default: single - os_types: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray - tags: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListTags - default: [] - type: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListType - version: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListVersion - default: 1 - required: - - name - - description - - type - description: Exception list's properties - required: true + Refer to 
[Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the current status of recent agent actions.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agents-action-status + parameters: + - description: Page number + in: query + name: page + required: false + schema: + default: 0 + type: number + - description: Number of results per page + in: query + name: perPage + required: false + schema: + default: 20 + type: number + - description: Return actions created before this date + in: query + name: date + required: false + schema: + type: string + - description: Return only the latest N actions + in: query + name: latest + required: false + schema: + type: number + - description: Number of error details to include per action + in: query + name: errorSize + required: false + schema: + default: 5 + type: number responses: '200': content: application/json: examples: - autogeneratedListId: - value: - _version: WzMsMV0= - created_at: 2025-01-09T01:05:23.019Z - created_by: elastic - description: >- - This is a sample detection type exception with an - autogenerated list_id. - id: 28243c2f-624a-4443-823d-c0b894880931 - immutable: false - list_id: 8c1aae4c-1ef5-4bce-a2e3-16584b501783 - name: Sample Detection Exception List - namespace_type: single - os_types: [] - tags: - - malware - tie_breaker_id: ad94de31-39f7-4ad7-b8e4-988bfa95f338 - type: detection - updated_at: 2025-01-09T01:05:23.020Z - updated_by: elastic - version: 1 - namespaceAgnostic: - value: - _version: WzUsMV0= - created_at: 2025-01-09T01:10:36.369Z - created_by: elastic - description: This is a sample agnostic endpoint type exception. 
- id: 1a744e77-22ca-4b6b-9085-54f55275ebe5 - immutable: false - list_id: b935eb55-7b21-4c1c-b235-faa1df23b3d6 - name: Sample Agnostic Endpoint Exception List - namespace_type: agnostic - os_types: - - linux - tags: - - malware - tie_breaker_id: 49ea0adc-a2b8-4d83-a8f3-2fb98301dea3 - type: endpoint - updated_at: 2025-01-09T01:10:36.369Z - updated_by: elastic - version: 1 - typeDetection: - value: - _version: WzIsMV0= - created_at: 2025-01-07T19:34:27.942Z - created_by: elastic - description: This is a sample detection type exception list. - id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 - immutable: false - list_id: simple_list - name: Sample Detection Exception List - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 - type: detection - updated_at: 2025-01-07T19:34:27.942Z - updated_by: elastic - version: 1 - typeEndpoint: + getActionStatusExample: + description: Status of recent agent actions value: - _version: WzQsMV0= - created_at: 2025-01-09T01:07:49.658Z - created_by: elastic - description: This is a sample endpoint type exception list. 
- id: a79f4730-6e32-4278-abfc-349c0add7d54 - immutable: false - list_id: endpoint_list - name: Sample Endpoint Exception List - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 94a028af-8f47-427a-aca5-ffaf829e64ee - type: endpoint - updated_at: 2025-01-09T01:07:49.658Z - updated_by: elastic - version: 1 + items: + - actionId: action-id-1 + completionTime: '2024-01-01T00:05:00.000Z' + creationTime: '2024-01-01T00:00:00.000Z' + nbAgentsAck: 2 + nbAgentsActioned: 2 + nbAgentsFailed: 0 + status: COMPLETE + type: UPGRADE schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + additionalProperties: false + type: object + properties: + items: + items: + additionalProperties: false + type: object + properties: + actionId: + type: string + cancellationTime: + type: string + completionTime: + type: string + creationTime: + description: creation time of action + type: string + expiration: + type: string + hasRolloutPeriod: + type: boolean + is_automatic: + type: boolean + latestErrors: + items: + additionalProperties: false + description: latest errors that happened when the agents executed the action + type: object + properties: + agentId: + type: string + error: + type: string + hostname: + type: string + timestamp: + type: string + required: + - agentId + - error + - timestamp + maxItems: 10 + type: array + nbAgentsAck: + description: number of agents that acknowledged the action + type: number + nbAgentsActionCreated: + description: number of agents included in action from kibana + type: number + nbAgentsActioned: + description: number of agents actioned + type: number + nbAgentsFailed: + description: number of agents that failed to execute the action + type: number + newPolicyId: + description: new policy id (POLICY_REASSIGN action) + type: string + policyId: + description: policy id (POLICY_CHANGE action) + type: string + revision: + description: new policy revision (POLICY_CHANGE action) + type: number + 
startTime: + description: start time of action (scheduled actions) + type: string + status: + enum: + - COMPLETE + - EXPIRED + - CANCELLED + - FAILED + - IN_PROGRESS + - ROLLOUT_PASSED + type: string + type: + enum: + - UPGRADE + - UNENROLL + - SETTINGS + - POLICY_REASSIGN + - CANCEL + - FORCE_UNENROLL + - REQUEST_DIAGNOSTICS + - UPDATE_TAGS + - POLICY_CHANGE + - INPUT_ACTION + - MIGRATE + - PRIVILEGE_LEVEL_CHANGE + - ROLLBACK + type: string + version: + description: agent version number (UPGRADE action) + type: string + required: + - actionId + - nbAgentsActionCreated + - nbAgentsAck + - nbAgentsFailed + - type + - nbAgentsActioned + - status + - creationTime + maxItems: 10000 + type: array + required: + - items description: Successful response '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: '[request body]: list_id: Expected string, received number' + message: An error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get an agent action status + tags: + - Elastic Agent actions + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/actions/{actionId}/cancel: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/actions/{actionId}/cancel
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Cancel a pending action for a specific agent.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-actions-actionid-cancel + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The ID of the action to cancel + in: path + name: actionId + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + postCancelActionRequestExample: + description: Cancel an agent action + value: {} + responses: + '200': content: application/json: examples: - unauthorized: + postCancelActionExample: + description: Cancellation action created value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 + item: + agents: + - agent-id-1 + created_at: '2024-01-01T00:00:00.000Z' + id: cancel-action-id-1 + type: CANCEL schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + ack_data: + nullable: true + agents: + items: + type: string + maxItems: 10000 + type: array + created_at: + type: string + data: + nullable: true + expiration: + type: string + id: + type: string + minimum_execution_duration: + type: number + namespaces: + items: + type: string + maxItems: 100 + type: array + rollout_duration_seconds: + type: number + sent_at: + type: string + source_uri: + type: string + start_time: + type: string + total: + type: number + type: + type: string + required: + - id + - type + - data + - created_at + - ack_data + required: + - item + description: Successful response + '400': 
content: application/json: examples: - forbidden: + genericErrorResponseExample: + description: Example of a generic error response value: - error: Forbidden - message: >- - API [POST /api/exception_lists] is unauthorized for user, - this action is granted by the Kibana privileges - [lists-all] - statusCode: 403 + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '409': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Cancel an agent action + tags: + - Elastic Agent actions + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/available_versions: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agents/available_versions
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of Elastic Agent versions available for upgrade.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agents-available-versions + parameters: [] + responses: + '200': content: application/json: examples: - alreadyExists: + getAvailableVersionsExample: + description: List of available agent versions for upgrade value: - message: 'exception list id: "simple_list" already exists' - status_code: 409 + items: + - 8.17.0 + - 8.16.3 + - 8.16.2 schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list already exists response - '500': + additionalProperties: false + type: object + properties: + items: + items: + type: string + maxItems: 10000 + type: array + required: + - items + description: Successful response + '400': content: application/json: examples: - serverError: + genericErrorResponseExample: + description: Example of a generic error response value: - message: Internal Server Error - status_code: 500 + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Create an exception list + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get available agent versions tags: - - Security Exceptions API - put: - description: Update an exception list using the `id` or `list_id` field. - operationId: UpdateExceptionList + - Elastic Agents + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/bulk_migrate: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/bulk_migrate
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Bulk migrate agents to another cluster.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-bulk-migrate + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: examples: - fullReplace: + postBulkMigrateAgentsRequestExample: + description: Migrate multiple agents to another cluster value: - description: Different description - list_id: simple_list - name: Updated exception list name - os_types: - - linux - tags: - - draft - - malware - type: detection + agents: + - agent-id-1 + - agent-id-2 + enrollment_token: enrollment-token-value + settings: + retry_max: 5 + uri: https://fleet-server.example.com:8220 schema: - example: - description: Different description - list_id: simple_list - name: Updated exception list name - os_types: - - linux - tags: - - draft malware - type: detection + additionalProperties: false type: object properties: - _version: - description: >- - The version id, normally returned by the API when the item - was retrieved. Use it ensure updates are done against the - latest version. 
+ agents: + anyOf: + - items: + type: string + maxItems: 10000 + type: array + - type: string + batchSize: + type: number + enrollment_token: + type: string + settings: + additionalProperties: false + type: object + properties: + ca_sha256: + type: string + certificate_authorities: + type: string + elastic_agent_cert: + type: string + elastic_agent_cert_key: + type: string + elastic_agent_cert_key_passphrase: + type: string + headers: + additionalProperties: + type: string + type: object + insecure: + type: boolean + proxy_disabled: + type: boolean + proxy_headers: + additionalProperties: + type: string + type: object + proxy_url: + type: string + staging: + type: string + tags: + items: + type: string + maxItems: 10 + type: array + uri: + format: uri type: string - description: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListDescription - id: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' - list_id: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListHumanId - meta: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListMeta - name: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListName - namespace_type: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - default: single - os_types: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray - default: [] - tags: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListTags - type: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListType - version: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListVersion required: - - name - - description - - type - description: Exception list's properties - required: true + - agents + - uri + - enrollment_token responses: '200': content: application/json: examples: - simpleList: + postBulkMigrateAgentsExample: + description: Bulk agent migration initiated value: - 
_version: WzExLDFd - created_at: 2025-01-07T20:43:55.264Z - created_by: elastic - description: Different description - id: fa7f545f-191b-4d32-b1f0-c7cd62a79e55 - immutable: false - list_id: simple_list - name: Updated exception list name - namespace_type: single - os_types: [] - tags: - - draft malware - tie_breaker_id: 319fe983-acdd-4806-b6c4-3098eae9392f - type: detection - updated_at: 2025-01-07T21:32:03.726Z - updated_by: elastic - version: 2 + actionId: action-id-1 schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + additionalProperties: false + type: object + properties: + actionId: + type: string + required: + - actionId description: Successful response '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: '[request body]: list_id: Expected string, received number' + message: An error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [PUT /api/exception_lists] is unauthorized for user, - this action is granted by the Kibana privileges - [lists-all] - statusCode: 403 - schema: - $ref: 
>- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '404': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Migrate multiple agents + tags: + - Elastic Agents + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/bulk_privilege_level_change: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/bulk_privilege_level_change
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Change multiple agents' privilege level to unprivileged.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-bulk-privilege-level-change + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + bulkChangeAgentPrivilegeLevelRequest: + value: + agents: agent + user_info: + groupname: groupname + password: password + username: username + schema: + additionalProperties: false + type: object + properties: + agents: + anyOf: + - items: + type: string + maxItems: 10000 + type: array + - type: string + batchSize: + type: number + user_info: + additionalProperties: false + type: object + properties: + groupname: + type: string + password: + type: string + username: + type: string + required: + - agents + responses: + '200': content: application/json: examples: - notFound: + successResponse: value: - message": 'exception list id: "foo" does not exist' - status_code": 404 + actionId: actionId schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list not found response - '500': + additionalProperties: false + type: object + properties: + actionId: + type: string + required: + - actionId + description: 'OK: A successful request.' + '400': content: application/json: examples: - serverError: + badRequestResponse: value: - message: Internal Server Error - status_code: 500 + message: Bad Request schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Update an exception list + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: A bad request. 
+ summary: Bulk change agent privilege level tags: - - Security Exceptions API - /api/exception_lists/_duplicate: + - Elastic Agents + x-state: Experimental; added in 9.3.0 + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/bulk_reassign: post: - description: Duplicate an existing exception list. - operationId: DuplicateExceptionList + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/bulk_reassign
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Reassign multiple agents to a different agent policy.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-bulk-reassign parameters: - - description: The `list_id` of the existing exception list to copy (source list). - in: query - name: list_id - required: true - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - - description: >- - Scope in which the source list is defined (`single` = current space, - `agnostic` = all spaces). - examples: - agnostic: - value: agnostic - single: - value: single - in: query - name: namespace_type - required: true - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - - description: >- - Determines whether to include expired exceptions in the duplicated - list. Expiration date defined by `expire_time`. - in: query - name: include_expired_exceptions + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: - default: 'true' - enum: - - 'true' - - 'false' - example: true + example: 'true' type: string + requestBody: + content: + application/json: + examples: + postBulkReassignAgentsRequestExample: + description: Reassign multiple agents to a different policy + value: + agents: + - agent-id-1 + - agent-id-2 + policy_id: agent-policy-id-2 + schema: + additionalProperties: false + type: object + properties: + agents: + anyOf: + - items: + type: string + maxItems: 10000 + type: array + - type: string + batchSize: + type: number + includeInactive: + default: false + type: boolean + policy_id: + type: string + required: + - policy_id + - agents responses: '200': content: application/json: examples: - detectionExceptionList: + postBulkReassignAgentsExample: + description: Bulk reassign action result value: - _version: WzExNDY1LDFd - created_at: 2025-01-09T16:19:50.280Z - created_by: elastic - description: This is a sample detection type exception - id: b2f4a715-6ab1-444c-8b1e-3fa1b1049429 - immutable: false - 
list_id: d6390d60-bce3-4a48-9002-52db600f329c - name: Sample Detection Exception List [Duplicate] - namespace_type: single - os_types: [] - tags: - - malware - tie_breaker_id: 6fa670bd-666d-4c9c-9f1e-d1dbc516e985 - type: detection - updated_at: 2025-01-09T16:19:50.280Z - updated_by: elastic - version: 1 + actionId: action-id-1 schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + additionalProperties: false + type: object + properties: + actionId: + type: string + required: + - actionId description: Successful response '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: >- - [request query]: namespace_type: Invalid enum value. - Expected 'agnostic' | 'single', received 'foo' + message: An error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [POST /api/exception_lists/_duplicate] is unauthorized - for user, this action is granted by the Kibana privileges - [lists-all] - statusCode: 403 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: 
Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message: 'exception list id: "foo" does not exist' - status_code: 404 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Exception list not found - '405': - content: - application/json: - examples: - notAllowed: - value: - message: >- - Cannot duplicate: list is immutable or the operation is - not allowed in this state - status_code: 405 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list to duplicate not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Duplicate an exception list + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Bulk reassign agents tags: - - Security Exceptions API - /api/exception_lists/_export: + - Elastic Agent actions + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/bulk_remove_collectors: post: - description: Export an exception list and its associated items to an NDJSON file. - operationId: ExportExceptionList + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/bulk_remove_collectors
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Remove multiple OpAMP collectors from the Fleet agents list. Marks the collectors as unenrolled. This action does not invalidate API keys, so collectors can reconnect on their own.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-bulk-remove-collectors parameters: - - description: >- - Exception list's internal `id` (UUID) returned on create; use with - `list_id` and `namespace_type` for an unambiguous target. - in: query - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' - - description: >- - Human-readable `list_id` of the exception list to export, as shown - in the UI and API responses. - in: query - name: list_id - required: true - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - - description: > - `single` exports a list in the current Kibana space; `agnostic` - exports a global (space-agnostic) list. - examples: - agnostic: - value: agnostic - single: - value: single - in: query - name: namespace_type - required: true - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - - description: >- - Determines whether to include expired exceptions in the exported - list. Expiration date defined by `expire_time`. - example: true - in: query - name: include_expired_exceptions + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: - default: 'true' - enum: - - 'true' - - 'false' + example: 'true' type: string + requestBody: + content: + application/json: + examples: + postBulkRemoveCollectorsRequestExample: + description: Remove multiple OpAMP collectors + value: + agents: + - collector-id-1 + - collector-id-2 + schema: + additionalProperties: false + type: object + properties: + agents: + anyOf: + - items: + description: List of collector agent IDs + type: string + maxItems: 10000 + type: array + - description: KQL query string. 
Leave empty to target all collectors + type: string + includeInactive: + description: When passing collectors by KQL query, also removes inactive collectors + type: boolean + required: + - agents responses: '200': content: - application/ndjson: + application/json: examples: - exportSavedObjectsResponse: - value: > - {"_version":"WzExNDU5LDFd","created_at":"2025-01-09T16:18:17.757Z","created_by":"elastic","description":"This - is a sample detection type - exception","id":"c86c2da0-2ab6-4343-b81c-216ef27e8d75","immutable":false,"list_id":"simple_list","name":"Sample - Detection Exception - List","namespace_type":"single","os_types":[],"tags":["user - added string for a - tag","malware"],"tie_breaker_id":"cf4a7b92-732d-47f0-a0d5-49a35a1736bf","type":"detection","updated_at":"2025-01-09T16:18:17.757Z","updated_by":"elastic","version":1} - - {"_version":"WzExNDYxLDFd","comments":[],"created_at":"2025-01-09T16:18:42.308Z","created_by":"elastic","description":"This - is a sample endpoint type - exception","entries":[{"type":"exists","field":"actingProcess.file.signer","operator":"excluded"},{"type":"match_any","field":"host.name","value":["some - host","another - host"],"operator":"included"}],"id":"f37597ce-eaa7-4b64-9100-4301118f6806","item_id":"simple_list_item","list_id":"simple_list","name":"Sample - Endpoint Exception - List","namespace_type":"single","os_types":["linux"],"tags":["user - added string for a - tag","malware"],"tie_breaker_id":"4ca3ef3e-9721-42c0-8107-cf47e094d40f","type":"simple","updated_at":"2025-01-09T16:18:42.308Z","updated_by":"elastic"} - - {"exported_exception_list_count":1,"exported_exception_list_item_count":1,"missing_exception_list_item_count":0,"missing_exception_list_items":[],"missing_exception_lists":[],"missing_exception_lists_count":0} + postBulkRemoveCollectorsExample: + description: Bulk remove collectors action result + value: + actionId: action-id-1 schema: - description: >- - A `.ndjson` file containing specified exception list 
and its - items - format: binary - type: string + additionalProperties: false + type: object + properties: + actionId: + type: string + required: + - actionId description: Successful response '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: >- - [request query]: list_id: Required, namespace_type: - Required + message: An error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Bulk remove OpAMP collectors + tags: + - Elastic Agent actions + x-state: Experimental; added in 9.5.0 + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/bulk_request_diagnostics: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/bulk_request_diagnostics
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Request diagnostics bundles from multiple agents.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: post-fleet-agents-bulk-request-diagnostics + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + postBulkRequestDiagnosticsRequestExample: + description: Request diagnostics bundles from multiple agents + value: + additional_metrics: + - CPU + agents: + - agent-id-1 + - agent-id-2 + schema: + additionalProperties: false + type: object + properties: + additional_metrics: + items: + enum: + - CPU + type: string + maxItems: 1 + type: array + agents: + anyOf: + - items: + type: string + maxItems: 10000 + type: array + - type: string + batchSize: + type: number + required: + - agents + responses: + '200': content: application/json: examples: - unauthorized: + postBulkRequestDiagnosticsExample: + description: Bulk diagnostics action result value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 + actionId: action-id-1 schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': + additionalProperties: false + type: object + properties: + actionId: + type: string + required: + - actionId + description: Successful response + '400': content: application/json: examples: - forbidden: + genericErrorResponseExample: + description: Example of a generic error response value: - error: Forbidden - message: >- - API [POST /api/exception_lists/_export] is unauthorized - for user, this action is granted by the Kibana privileges - [lists-all] - statusCode: 403 + error: Bad Request + message: An error 
message describing what went wrong + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '404': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Bulk request diagnostics from agents + tags: + - Elastic Agent actions + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/bulk_rollback: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/bulk_rollback
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Rollback multiple agents to the previous version.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-bulk-rollback + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + bulkRollbackAgentsRequest: + value: + agents: + - agent-1 + - agent-2 + batchSize: 100 + includeInactive: false + schema: + additionalProperties: false + type: object + properties: + agents: + anyOf: + - items: + type: string + maxItems: 10000 + type: array + - type: string + batchSize: + type: number + includeInactive: + default: false + type: boolean + required: + - agents + responses: + '200': content: application/json: examples: - notFound: + successResponse: value: - message": 'exception list id: "foo" does not exist' - status_code": 404 + actionIds: + - actionId1 + - actionId2 schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list not found response - '500': + additionalProperties: false + type: object + properties: + actionIds: + items: + type: string + maxItems: 10000 + type: array + required: + - actionIds + description: 'OK: A successful request.' + '400': content: application/json: examples: - serverError: + badRequestResponse: value: - message: Internal Server Error - status_code: 500 + message: Bad Request schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Export an exception list + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: A bad request. 
+ summary: Bulk rollback agents tags: - - Security Exceptions API - /api/exception_lists/_find: - get: - description: Get a list of all exception list containers. - operationId: FindExceptionLists - parameters: - - description: > - Filters the returned results according to the value of the specified - field. - - - Uses the `so type.field name:field` value syntax, where `so type` - can be: - + - Elastic Agent actions + x-state: Experimental; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/bulk_unenroll: + post: + description: |- + **Spaces method and path for this operation:** - - `exception-list`: Specify a space-aware exception list. +
post /s/{space_id}/api/fleet/agents/bulk_unenroll
- - `exception-list-agnostic`: Specify an exception list that is - shared across spaces. - in: query - name: filter - required: false - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_FindExceptionListsFilter - - description: > - Determines whether the returned containers are Kibana associated - with a Kibana space + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - or available in all spaces (`agnostic` or `single`) - examples: - agnostic: - value: agnostic - single: - value: single - in: query - name: namespace_type - required: false - schema: - default: - - single - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - type: array - - description: The page number to return - in: query - name: page - required: false - schema: - example: 1 - minimum: 1 - type: integer - - description: The number of exception lists to return per page - in: query - name: per_page - required: false - schema: - example: 20 - minimum: 1 - type: integer - - description: Determines which field is used to sort the results. - in: query - name: sort_field - required: false - schema: - example: name - type: string - - description: Determines the sort order, which can be `desc` or `asc`. - in: query - name: sort_order - required: false + Unenroll multiple agents, optionally revoking their enrollment API keys.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-bulk-unenroll + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - enum: - - desc - - asc - example: desc + example: 'true' type: string + requestBody: + content: + application/json: + examples: + postBulkUnenrollAgentsRequestExample: + description: Unenroll multiple agents + value: + agents: + - agent-id-1 + - agent-id-2 + revoke: false + schema: + additionalProperties: false + type: object + properties: + agents: + anyOf: + - items: + description: list of agent IDs + type: string + maxItems: 10000 + type: array + - description: KQL query string, leave empty to action all agents + type: string + batchSize: + type: number + force: + description: Unenrolls hosted agents too + type: boolean + includeInactive: + description: When passing agents by KQL query, unenrolls inactive agents too + type: boolean + revoke: + description: Revokes API keys of agents + type: boolean + required: + - agents responses: '200': content: application/json: examples: - simpleLists: + postBulkUnenrollAgentsExample: + description: Bulk unenroll action result value: - data: - - _version: WzIsMV0= - created_at: 2025-01-07T19:34:27.942Z - created_by: elastic - description: This is a sample detection type exception list. 
- id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 - immutable: false - list_id: simple_list - name: Detection Exception List - namespace_type: single - os_types: [] - tags: - - malware - tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 - type: detection - updated_at: 2025-01-07T19:34:27.942Z - updated_by: elastic - version: 1 - page: 1 - per_page: 20 - total: 1 + actionId: action-id-1 schema: + additionalProperties: false type: object properties: - data: - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionList - type: array - page: - minimum: 1 - type: integer - per_page: - minimum: 1 - type: integer - total: - minimum: 0 - type: integer + actionId: + type: string required: - - data - - page - - per_page - - total + - actionId description: Successful response '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: >- - [request query]: namespace_type.0: Invalid enum value. 
- Expected 'agnostic' | 'single', received 'blob' + message: An error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Bulk unenroll agents + tags: + - Elastic Agent actions + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/bulk_update_agent_tags: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/bulk_update_agent_tags
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Add or remove tags across multiple agents.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-bulk-update-agent-tags + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + postBulkUpdateAgentTagsRequestExample: + description: Add and remove tags across multiple agents + value: + agents: + - agent-id-1 + - agent-id-2 + tagsToAdd: + - production + tagsToRemove: + - staging + schema: + additionalProperties: false + type: object + properties: + agents: + anyOf: + - items: + type: string + maxItems: 10000 + type: array + - type: string + batchSize: + type: number + includeInactive: + default: false + type: boolean + tagsToAdd: + items: + type: string + maxItems: 10 + type: array + tagsToRemove: + items: + type: string + maxItems: 10 + type: array + required: + - agents + responses: + '200': content: application/json: examples: - forbidden: + postBulkUpdateAgentTagsExample: + description: Bulk action result value: - error: Forbidden - message: >- - API [GET /api/exception_lists/_find?namespace_type=single] - is unauthorized for user, this action is granted by the - Kibana privileges [lists-read] - statusCode: 403 + actionId: action-id-1 schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '500': + additionalProperties: false + type: object + properties: + actionId: + type: string + required: + - actionId + description: Successful response + '400': content: application/json: examples: - serverError: + genericErrorResponseExample: + description: Example of a generic error response value: - message: Internal Server Error - status_code: 500 + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' 
- description: Internal server error response - summary: Get exception lists + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Bulk update agent tags tags: - - Security Exceptions API - /api/exception_lists/_import: + - Elastic Agent actions + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/bulk_upgrade: post: - description: Import an exception list and its associated items from an NDJSON file. - operationId: ImportExceptionList - parameters: - - description: > - Determines whether existing exception lists with the same `list_id` - are overwritten. + description: |- + **Spaces method and path for this operation:** - If any exception items have the same `item_id`, those are also - overwritten. - in: query - name: overwrite - required: false - schema: - default: false - example: false - type: boolean - - description: > - Determines whether the list being imported will have a new `list_id` - generated. +
post /s/{space_id}/api/fleet/agents/bulk_upgrade
- Additional `item_id`'s are generated for each exception item. Both - the exception + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - list and its items are overwritten. - in: query - name: as_new_list - required: false + Upgrade multiple agents to a newer version, with optional rollout controls.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-bulk-upgrade + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - default: false - example: false - type: boolean + example: 'true' + type: string requestBody: content: - multipart/form-data: + application/json: examples: - ndjsonUpload: + postBulkUpgradeAgentsRequestExample: + description: Upgrade multiple agents to a specific version value: - file: exception_lists.ndjson + agents: + - agent-id-1 + - agent-id-2 + rollout_duration_seconds: 3600 + version: 8.17.0 schema: + additionalProperties: false type: object properties: - file: - description: A `.ndjson` file containing the exception list - example: > - {"_version":"WzExNDU5LDFd","created_at":"2025-01-09T16:18:17.757Z","created_by":"elastic","description":"This - is a sample detection type - exception","id":"c86c2da0-2ab6-4343-b81c-216ef27e8d75","immutable":false,"list_id":"simple_list","name":"Sample - Detection Exception - List","namespace_type":"single","os_types":[],"tags":["user - added string for a - tag","malware"],"tie_breaker_id":"cf4a7b92-732d-47f0-a0d5-49a35a1736bf","type":"detection","updated_at":"2025-01-09T16:18:17.757Z","updated_by":"elastic","version":1} - - {"_version":"WzExNDYxLDFd","comments":[],"created_at":"2025-01-09T16:18:42.308Z","created_by":"elastic","description":"This - is a sample endpoint type - exception","entries":[{"type":"exists","field":"actingProcess.file.signer","operator":"excluded"},{"type":"match_any","field":"host.name","value":["some - host","another - host"],"operator":"included"}],"id":"f37597ce-eaa7-4b64-9100-4301118f6806","item_id":"simple_list_item","list_id":"simple_list","name":"Sample - Endpoint Exception - List","namespace_type":"single","os_types":["linux"],"tags":["user - added string for a - 
tag","malware"],"tie_breaker_id":"4ca3ef3e-9721-42c0-8107-cf47e094d40f","type":"simple","updated_at":"2025-01-09T16:18:42.308Z","updated_by":"elastic"} - format: binary + agents: + anyOf: + - items: + type: string + maxItems: 10000 + type: array + - type: string + batchSize: + type: number + force: + type: boolean + includeInactive: + default: false + type: boolean + rollout_duration_seconds: + minimum: 600 + type: number + skipRateLimitCheck: + type: boolean + source_uri: type: string - required: true + start_time: + type: string + version: + type: string + required: + - agents + - version responses: '200': content: application/json: examples: - withErrors: - value: - errors: - - error: - message: >- - Error found importing exception list: Invalid value - \"4\" supplied to \"list_id\" - status_code: 400 - list_id: (unknown list_id) - - error: - message: >- - Found that item_id: - \"f7fd00bb-dba8-4c93-9d59-6cbd427b6330\" already - exists. Import of item_id: - \"f7fd00bb-dba8-4c93-9d59-6cbd427b6330\" skipped. 
- status_code: 409 - item_id: f7fd00bb-dba8-4c93-9d59-6cbd427b6330 - list_id: 7d7cccb8-db72-4667-b1f3-648efad7c1ee - success: false, - success_count: 0, - success_count_exception_list_items: 0 - success_count_exception_lists: 0, - success_exception_list_items: false, - success_exception_lists: false, - withoutErrors: + postBulkUpgradeAgentsExample: + description: Bulk upgrade action result value: - errors: [] - success: true - success_count: 2 - success_count_exception_list_items: 1 - success_count_exception_lists: 1 - success_exception_list_items: true - success_exception_lists: true, + actionId: action-id-1 schema: + additionalProperties: false type: object properties: - errors: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListsImportBulkErrorArray - success: - type: boolean - success_count: - minimum: 0 - type: integer - success_count_exception_list_items: - minimum: 0 - type: integer - success_count_exception_lists: - minimum: 0 - type: integer - success_exception_list_items: - type: boolean - success_exception_lists: - type: boolean + actionId: + type: string required: - - errors - - success - - success_count - - success_exception_lists - - success_count_exception_lists - - success_exception_list_items - - success_count_exception_list_items + - actionId description: Successful response '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: >- - Multipart part `file` is required and must contain a valid - .ndjson exception list export + message: An error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - 
message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [POST /api/exception_lists/_import] is unauthorized - for user, this action is granted by the Kibana privileges - [lists-all] - statusCode: 403 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Import an exception list + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Bulk upgrade agents tags: - - Security Exceptions API - /api/exception_lists/items: + - Elastic Agent actions + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/files/{fileId}: delete: - description: Delete an exception list item using the `id` or `item_id` field. - operationId: DeleteExceptionListItem + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/agents/files/{fileId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a file uploaded by an agent.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: delete-fleet-agents-files-fileid parameters: - - description: >- - Exception item's identifier. Either `id` or `item_id` must be - specified - in: query - name: id - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' - - description: >- - Human readable exception item string identifier, e.g. - `trusted-linux-processes`. Either `id` or `item_id` must be - specified - in: query - name: item_id - required: false + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId - - description: > - `single` deletes the item in the current Kibana space; `agnostic` - deletes an item in a space-agnostic list. Must match the list that - owns the item. - examples: - agnostic: - value: agnostic - single: - value: single - in: query - name: namespace_type - required: false + example: 'true' + type: string + - description: The ID of the uploaded file + in: path + name: fileId + required: true schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - default: single + type: string responses: '200': content: application/json: examples: - simpleExceptionItem: + deleteAgentUploadFileExample: + description: Uploaded file successfully deleted value: - _version: WzQsMV0= - comments: [] - created_at: 2025-01-07T20:07:33.119Z - created_by: elastic - description: This is a sample detection type exception item. 
- entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - - field: host.name - operator: included - type: match_any - value: - - saturn - - jupiter - id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c - type: simple - updated_at: 2025-01-07T20:07:33.119Z - updated_by: elastic + deleted: true + id: file-id-1 schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' + additionalProperties: false + type: object + properties: + deleted: + type: boolean + id: + type: string + required: + - id + - deleted description: Successful response '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: >- - [request query]: namespace_type.0: Invalid enum value. 
- Expected 'agnostic' | 'single', received 'blob' + message: An error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [DELETE - /api/exception_lists/items?item_id=simple_list&namespace_type=single] - is unauthorized for user, this action is granted by the - Kibana privileges [lists-all] - statusCode: 403 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message: 'exception list item item_id: \"foo\" does not exist' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list item not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Delete an exception list item + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true 
+ error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Delete an uploaded file tags: - - Security Exceptions API + - Elastic Agents + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/files/{fileId}/{fileName}: get: - description: >- - Get the details of an exception list item using the `id` or `item_id` - field. - operationId: ReadExceptionListItem + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agents/files/{fileId}/{fileName}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a file uploaded by an agent.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agents-files-fileid-filename parameters: - - description: >- - Exception list item's identifier. Either `id` or `item_id` must be - specified. - in: query - name: id - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' - - description: >- - Human readable exception item string identifier, e.g. - `trusted-linux-processes`. Either `id` or `item_id` must be - specified. - in: query - name: item_id - required: false + - description: The ID of the uploaded file + in: path + name: fileId + required: true schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId - - description: > - `single` fetches the item in the current space; `agnostic` fetches a - global (space-agnostic) item. Must - - match how the list was created. - examples: - agnostic: - value: agnostic - single: - value: single - in: query - name: namespace_type - required: false + type: string + - description: The name of the uploaded file + in: path + name: fileName + required: true schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - default: single + type: string responses: '200': content: application/json: examples: - simpleListItem: - value: - _version: WzQsMV0= - comments: [] - created_at: 2025-01-07T20:07:33.119Z - created_by: elastic - description: This is a sample detection type exception item. 
- entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - - field: host.name - operator: included - type: match_any - value: - - saturn - - jupiter - id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c - type: simple - updated_at: 2025-01-07T20:07:33.119Z - updated_by: elastic + getAgentUploadFileExample: + description: The uploaded file content as a stream + value: schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' - description: Successful response + type: object + description: Successful response — returns the uploaded file content '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: >- - [request query]: namespace_type.0: Invalid enum value. - Expected 'agnostic' | 'single', received 'blob' + message: An error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get an uploaded file + tags: + - Elastic Agents + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/setup: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agents/setup
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the current Fleet setup status, including whether Fleet is ready to enroll agents and which requirements or optional features are missing.

[Required authorization] Route required privileges: fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup. + operationId: get-fleet-agents-setup + parameters: [] + responses: + '200': content: application/json: examples: - unauthorized: + agentsSetupNotReadyExample: + description: Fleet is not ready — a Fleet Server and API keys are required value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 + is_action_secrets_storage_enabled: false + is_secrets_storage_enabled: false + is_space_awareness_enabled: false + is_ssl_secrets_storage_enabled: false + isReady: false + missing_optional_features: + - encrypted_saved_object_encryption_key_required + missing_requirements: + - fleet_server + - api_keys + agentsSetupReadyExample: + description: Fleet is ready to enroll agents — all requirements are met + value: + is_action_secrets_storage_enabled: true + is_secrets_storage_enabled: true + is_space_awareness_enabled: false + is_ssl_secrets_storage_enabled: false + isReady: true + missing_optional_features: [] + missing_requirements: [] + package_verification_key_id: D88DB4CC schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': + additionalProperties: false + description: A summary of the agent setup status. `isReady` indicates whether the setup is ready. If the setup is not ready, `missing_requirements` lists which requirements are missing. 
+ type: object + properties: + is_action_secrets_storage_enabled: + type: boolean + is_secrets_storage_enabled: + type: boolean + is_space_awareness_enabled: + type: boolean + is_ssl_secrets_storage_enabled: + type: boolean + isReady: + type: boolean + missing_optional_features: + items: + enum: + - encrypted_saved_object_encryption_key_required + type: string + maxItems: 1 + type: array + missing_requirements: + items: + enum: + - security_required + - tls_required + - api_keys + - fleet_admin_user + - fleet_server + type: string + maxItems: 5 + type: array + package_verification_key_id: + type: string + required: + - isReady + - missing_requirements + - missing_optional_features + description: Fleet setup status + '400': content: application/json: examples: - forbidden: + genericErrorResponseExample: + description: Example of a generic error response value: - error: Forbidden - message: >- - API [GET - /api/exception_lists/items?item_id=&namespace_type=single] - is unauthorized for user, this action is granted by the - Kibana privileges [lists-read] - statusCode: 403 + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '404': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get agent setup info + tags: + - Elastic Agents + x-metaTags: + - content: Kibana + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/setup
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Initialize Fleet. This endpoint is used by Elastic Agents to trigger Fleet setup. Safe to call multiple times; subsequent calls are idempotent.

[Required authorization] Route required privileges: fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup. + operationId: post-fleet-agents-setup + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + responses: + '200': content: application/json: examples: - notFound: + agentsSetupSuccessExample: + description: Fleet setup initialized successfully with no non-fatal errors value: - message: 'exception list item item_id: \"foo\" does not exist' - status_code: 404 + isInitialized: true + nonFatalErrors: [] schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list item not found response - '500': + additionalProperties: false + description: A summary of the result of Fleet's `setup` lifecycle. If `isInitialized` is true, Fleet is ready to accept agent enrollment. `nonFatalErrors` may include useful insight into non-blocking issues with Fleet setup. 
+ type: object + properties: + isInitialized: + type: boolean + nonFatalErrors: + items: + additionalProperties: false + type: object + properties: + message: + type: string + name: + type: string + required: + - name + - message + maxItems: 10000 + type: array + required: + - isInitialized + - nonFatalErrors + description: Fleet setup completed + '400': content: application/json: examples: - serverError: + genericErrorResponseExample: + description: Example of a generic error response value: - message: Internal Server Error - status_code: 500 + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Get an exception list item + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Initiate Fleet setup tags: - - Security Exceptions API - post: - description: > - Create an exception item and associate it with the specified exception - list. + - Elastic Agents + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/tags: + get: + description: |- + **Spaces method and path for this operation:** - > info +
get /s/{space_id}/api/fleet/agents/tags
- > Before creating exception items, you must create an exception list. - operationId: CreateExceptionListItem - requestBody: - content: - application/json: - examples: - simpleItem: - value: - description: This is a sample detection type exception item. - entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - type: simple - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemGeneric - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemEndpointList - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedAppsWindows - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedAppsMac - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedAppsLinux - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedDevicesWindows - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedDevicesMac - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedDevicesWindowsMac - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemEventFilters - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemHostIsolation - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBlocklistWindows - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBlocklistLinux - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBlocklistMac - description: Exception list item's properties - required: true - responses: - '200': - content: - application/json: - examples: - autogeneratedItemId: - value: - _version: WzYsMV0= - 
comments: [] - created_at: 2025-01-09T01:16:23.322Z - created_by: elastic - description: >- - This is a sample exception that has no item_id so it is - autogenerated. - entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - id: 323faa75-c657-4fa0-9084-8827612c207b - item_id: 80e6edf7-4b13-4414-858f-2fa74aa52b37 - list_id: 8c1aae4c-1ef5-4bce-a2e3-16584b501783 - name: Sample Autogenerated Exception List Item ID - namespace_type: single - os_types: [] - tags: - - malware - tie_breaker_id: d6799986-3a23-4213-bc6d-ed9463a32f23 - type: simple - updated_at: 2025-01-09T01:16:23.322Z - updated_by: elastic - detectionExceptionListItem: - value: - _version: WzQsMV0= - comments: [] - created_at: 2025-01-07T20:07:33.119Z - created_by: elastic - description: This is a sample detection type exception item. - entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c - type: simple - updated_at: 2025-01-07T20:07:33.119Z - updated_by: elastic - withExistEntry: - value: - _version: WzQsMV0= - comments: [] - created_at: 2025-01-07T20:07:33.119Z - created_by: elastic - description: This is a sample detection type exception item. 
- entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c - type: simple - updated_at: 2025-01-07T20:07:33.119Z - updated_by: elastic - withMatchAnyEntry: - value: - _version: WzQsMV0= - comments: [] - created_at: 2025-01-07T20:07:33.119Z - created_by: elastic - description: This is a sample detection type exception item. - entries: - - field: host.name - operator: included - type: match_any - value: - - saturn - - jupiter - id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c - type: simple - updated_at: 2025-01-07T20:07:33.119Z - updated_by: elastic - withMatchEntry: - value: - _version: WzQsMV0= - comments: [] - created_at: 2025-01-07T20:07:33.119Z - created_by: elastic - description: This is a sample detection type exception item. - entries: - - field: actingProcess.file.signer - operator: included - type: match - value: Elastic N.V. - id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c - type: simple - updated_at: 2025-01-07T20:07:33.119Z - updated_by: elastic - withNestedEntry: - value: - _version: WzQsMV0= - comments: [] - created_at: 2025-01-07T20:07:33.119Z - created_by: elastic - description: This is a sample detection type exception item. 
- entries: - - entries: - - field: signer - operator: included - type: match - value: Evil - - field: trusted - operator: included - type: match - value: true - field: file.signature - type: nested - id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c - type: simple - updated_at: 2025-01-07T20:07:33.119Z - updated_by: elastic - withValueListEntry: - value: - _version: WzcsMV0= - comments: [] - created_at: 2025-01-09T01:31:12.614Z - created_by: elastic - description: >- - Don't signal when agent.name is rock01 and source.ip is in - the goodguys.txt list - entries: - - field: source.ip - list: - id: goodguys.txt - type: ip - operator: excluded - type: list - id: deb26876-297d-4677-8a1f-35467d2f1c4f - item_id: 686b129e-9b8d-4c59-8d8d-c93a9ea82c71 - list_id: 8c1aae4c-1ef5-4bce-a2e3-16584b501783 - name: Filter out good guys ip and agent.name rock01 - namespace_type: single - os_types: [] - tags: - - malware - tie_breaker_id: 5e0288ce-6657-4c18-9dcc-00ec9e8cc6c8 - type: simple - updated_at: 2025-01-09T01:31:12.614Z - updated_by: elastic + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all tags used across enrolled agents.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agents-tags + parameters: + - description: A KQL query string to filter results + in: query + name: kuery + required: false + schema: + type: string + - description: When true, include tags from inactive agents + in: query + name: showInactive + required: false + schema: + default: false + type: boolean + responses: + '200': + content: + application/json: + examples: + getAgentTagsExample: + description: List of tags used across agents + value: + items: + - production + - linux + - datacenter-1 schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' + additionalProperties: false + type: object + properties: + items: + items: + type: string + maxItems: 10000 + type: array + required: + - items description: Successful response '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: - error: Bad Request, - message: '[request body]: list_id: Expected string, received number' - statusCode: 400, + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get agent tags + tags: + - Elastic Agents + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/check-permissions: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/check-permissions
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Check whether the current user has the required permissions to use Fleet. Optionally verifies Fleet Server setup privileges. + operationId: get-fleet-check-permissions + parameters: + - description: When true, check Fleet Server setup privileges in addition to standard Fleet privileges + in: query + name: fleetServerSetup + required: false + schema: + type: boolean + responses: + '200': content: application/json: examples: - unauthorized: + checkPermissionsMissingPrivilegesExample: + description: The current user is missing Fleet privileges value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 + error: MISSING_PRIVILEGES + success: false + checkPermissionsSuccessExample: + description: The current user has all required Fleet permissions + value: + success: true schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': + additionalProperties: false + type: object + properties: + error: + enum: + - MISSING_SECURITY + - MISSING_PRIVILEGES + - MISSING_FLEET_SERVER_SETUP_PRIVILEGES + type: string + success: + type: boolean + required: + - success + description: Successful response + '400': content: application/json: examples: - forbidden: + genericErrorResponseExample: + description: Example of a generic error response value: - error: Forbidden - message: >- - API [POST /api/exception_lists/items] is unauthorized for - user, this action is granted by the Kibana privileges - [lists-all] - statusCode: 403 + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: >- - 
#/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '409': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Check permissions + tags: + - Fleet internals + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/cloud_connectors: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/cloud_connectors
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all Fleet cloud connectors.

[Required authorization] Route required privileges: fleet-agent-policies-read OR integrations-read. + operationId: get-fleet-cloud-connectors + parameters: + - description: The page number for pagination. + in: query + name: page + required: false + schema: + type: string + - description: The number of items per page. + in: query + name: perPage + required: false + schema: + type: string + - description: KQL query to filter cloud connectors. + in: query + name: kuery + required: false + schema: + type: string + responses: + '200': content: application/json: examples: - alreadyExists: + getCloudConnectorsExample: + description: List of Fleet cloud connectors value: - message: >- - exception list item id: \"simple_list_item\" already - exists - status_code: 409 + items: + - accountType: single-account + cloudProvider: aws + created_at: '2024-01-15T10:00:00.000Z' + id: cloud-connector-id-1 + name: My AWS connector + packagePolicyCount: 2 + updated_at: '2024-01-15T10:00:00.000Z' + vars: {} schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list item already exists response - '500': + additionalProperties: false + type: object + properties: + items: + items: + additionalProperties: false + type: object + properties: + accountType: + type: string + cloudProvider: + type: string + created_at: + type: string + id: + type: string + name: + type: string + namespace: + type: string + packagePolicyCount: + type: number + updated_at: + type: string + vars: + additionalProperties: + nullable: true + type: object + verification_failed_at: + type: string + verification_started_at: + type: string + verification_status: + type: string + required: + - id + - name + - cloudProvider + - vars + - packagePolicyCount + - created_at + - updated_at + maxItems: 10000 + type: array + required: + - items + description: Successful response + '400': content: application/json: examples: - serverError: + genericErrorResponseExample: + 
description: Example of a generic error response value: - message: Internal Server Error - status_code: 500 + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Create an exception list item + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get cloud connectors tags: - - Security Exceptions API - put: - description: Update an exception list item using the `id` or `item_id` field. - operationId: UpdateExceptionListItem + - Fleet cloud connectors + x-state: Experimental; added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/cloud_connectors
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new Fleet cloud connector.

[Required authorization] Route required privileges: fleet-agent-policies-all OR integrations-all. + operationId: post-fleet-cloud-connectors + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: examples: - updateItem: + postCloudConnectorRequestExample: + description: Create a new AWS cloud connector value: - description: Updated description - id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - name: Updated name - namespace_type: single - type: simple + accountType: single-account + cloudProvider: aws + name: My AWS connector + vars: {} schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemGeneric - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemEndpointList - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedAppsWindows - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedAppsMac - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedAppsLinux - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesWindows - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesMac - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesWindowsMac - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemEventFilters - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemHostIsolation - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBlocklistWindows - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBlocklistLinux - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBlocklistMac - 
description: Exception list item's properties - required: true + additionalProperties: false + type: object + properties: + accountType: + description: 'The account type: single-account (single account/subscription) or organization-account (organization-wide).' + enum: + - single-account + - organization-account + type: string + cloudProvider: + description: 'The cloud provider type: aws, azure, or gcp.' + enum: + - aws + - azure + - gcp + type: string + name: + description: The name of the cloud connector. + maxLength: 255 + minLength: 1 + type: string + vars: + additionalProperties: + anyOf: + - maxLength: 1000 + type: string + - type: number + - type: boolean + - additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + maxLength: 50 + type: string + value: + anyOf: + - maxLength: 1000 + type: string + - additionalProperties: false + type: object + properties: + id: + maxLength: 255 + type: string + isSecretRef: + type: boolean + required: + - isSecretRef + - id + required: + - type + - value + type: object + required: + - name + - cloudProvider + - vars responses: '200': content: application/json: examples: - simpleListItem: + postCloudConnectorExample: + description: The created Fleet cloud connector value: - _version: WzEyLDFd - comments: [] - created_at: 2025-01-07T21:12:25.512Z - created_by: elastic - description: Updated description - entries: - - field: host.name - operator: included - type: match - value: rock01 - id: 459c5e7e-f8b2-4f0b-b136-c1fc702f72da - item_id: simple_list_item - list_id: simple_list - name: Updated name - namespace_type: single - os_types: [] - tags: [] - tie_breaker_id: ad0754ff-7b19-49ca-b73e-e6aff6bfa2d0 - type: simple - updated_at: 2025-01-07T21:34:50.233Z - updated_by: elastic + item: + accountType: single-account + cloudProvider: aws + created_at: '2024-01-15T10:00:00.000Z' + id: cloud-connector-id-2 + name: My AWS connector + packagePolicyCount: 0 + updated_at: '2024-01-15T10:00:00.000Z' + 
vars: {} schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + accountType: + type: string + cloudProvider: + type: string + created_at: + type: string + id: + type: string + name: + type: string + namespace: + type: string + packagePolicyCount: + type: number + updated_at: + type: string + vars: + additionalProperties: + nullable: true + type: object + verification_failed_at: + type: string + verification_started_at: + type: string + verification_status: + type: string + required: + - id + - name + - cloudProvider + - vars + - packagePolicyCount + - created_at + - updated_at + required: + - item description: Successful response '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: '[request body]: item_id: Expected string, received number' + message: An error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [PUT /api/exception_lists/items] is unauthorized for - 
user, this action is granted by the Kibana privileges - [lists-all] - statusCode: 403 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message: 'exception list item item_id: \"foo\" does not exist' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list item not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Update an exception list item - tags: - - Security Exceptions API - /api/exception_lists/items/_find: - get: - description: Get a list of all exception list items in the specified list. - operationId: FindExceptionListItems - parameters: - - description: The `list_id`s of the items to fetch. - in: query - name: list_id - required: true - schema: - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListHumanId - type: array - - description: > - Filters the returned results according to the value of the specified - field, - - using the `:` syntax. 
- examples: - singleFilter: - value: - - exception-list.attributes.name:%My%20item - in: query - name: filter - required: false - schema: - default: [] - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_FindExceptionListItemsFilter - type: array - - description: > - Determines whether the returned containers are Kibana associated - with a Kibana space + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Create cloud connector + tags: + - Fleet cloud connectors + x-state: Experimental; added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/cloud_connectors/{cloudConnectorId}: + delete: + description: |- + **Spaces method and path for this operation:** - or available in all spaces (`agnostic` or `single`) - examples: - single: - value: - - single - in: query - name: namespace_type - required: false - schema: - default: - - single - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - type: array - - description: > - Free-text search term applied to exception list item fields (for - example a hostname or file path fragment). - in: query - name: search - required: false +
delete /s/{space_id}/api/fleet/cloud_connectors/{cloudConnectorId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a cloud connector by ID. Use the `force` query parameter to delete even if package policies are still using it.

[Required authorization] Route required privileges: fleet-agent-policies-all OR integrations-all. + operationId: delete-fleet-cloud-connectors-cloudconnectorid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - example: host.name + example: 'true' type: string - - description: The page number to return - in: query - name: page - required: false - schema: - example: 1 - minimum: 0 - type: integer - - description: The number of exception list items to return per page - in: query - name: per_page - required: false - schema: - example: 20 - minimum: 0 - type: integer - - description: Determines which field is used to sort the results. - example: name - in: query - name: sort_field - required: false + - description: The unique identifier of the cloud connector to delete. + in: path + name: cloudConnectorId + required: true schema: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - - description: Determines the sort order, which can be `desc` or `asc`. + type: string + - description: If true, forces deletion even if the cloud connector is in use. in: query - name: sort_order + name: force required: false schema: - enum: - - desc - - asc - example: desc - type: string + type: boolean responses: '200': content: application/json: examples: - simpleListItems: + deleteCloudConnectorExample: + description: The cloud connector was successfully deleted value: - data: - - _version: WzgsMV0= - comments: [] - created_at: 2025-01-07T21:12:25.512Z - created_by: elastic - description: This is a sample exception item. 
- entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - - field: host.name - operator: included - type: match_any - value: - - jupiter - - saturn - id: 459c5e7e-f8b2-4f0b-b136-c1fc702f72da - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: ad0754ff-7b19-49ca-b73e-e6aff6bfa2d0 - type: simple - updated_at: 2025-01-07T21:12:25.512Z - updated_by: elastic - page: 1 - per_page: 20 - total: 1 + id: cloud-connector-id-1 schema: + additionalProperties: false type: object properties: - data: - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItem - type: array - page: - minimum: 1 - type: integer - per_page: - minimum: 1 - type: integer - pit: + id: type: string - total: - minimum: 0 - type: integer required: - - data - - page - - per_page - - total + - id description: Successful response '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: >- - [request query]: namespace_type.0: Invalid enum value. 
- Expected 'agnostic' | 'single', received 'blob' + message: An error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [GET - /api/exception_lists/items/_find?list_id=simple_list&namespace_type=single] - is unauthorized for user, this action is granted by the - Kibana privileges [lists-read] - statusCode: 403 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message: 'exception list list_id: "foo" does not exist' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Get exception list items + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + 
type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Delete cloud connector (supports force deletion) tags: - - Security Exceptions API - /api/exception_lists/summary: + - Fleet cloud connectors + x-state: Experimental; added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name get: - description: Get a summary of the specified exception list. - operationId: ReadExceptionListSummary - parameters: - - description: Exception list's identifier generated upon creation. - in: query - name: id - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' - - description: Exception list's human readable identifier. - in: query - name: list_id - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - - description: > - `single` returns summary for a list in the current space; `agnostic` - for a space-agnostic list. Must + description: |- + **Spaces method and path for this operation:** - line up with `id` / `list_id` used to look up the list. - examples: - agnostic: - value: agnostic - single: - value: single - in: query - name: namespace_type - required: false - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - default: single - - description: Search filter clause - in: query - name: filter - required: false +
get /s/{space_id}/api/fleet/cloud_connectors/{cloudConnectorId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a cloud connector by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read OR integrations-read. + operationId: get-fleet-cloud-connectors-cloudconnectorid + parameters: + - description: The unique identifier of the cloud connector. + in: path + name: cloudConnectorId + required: true schema: - example: >- - exception-list-agnostic.attributes.tags:"policy:policy-1" OR - exception-list-agnostic.attributes.tags:"policy:all" type: string responses: '200': content: application/json: examples: - summary: + getCloudConnectorExample: + description: A Fleet cloud connector value: - linux: 0 - macos: 0 - total: 0 - windows: 0 + item: + accountType: single-account + cloudProvider: aws + created_at: '2024-01-15T10:00:00.000Z' + id: cloud-connector-id-1 + name: My AWS connector + packagePolicyCount: 2 + updated_at: '2024-01-15T10:00:00.000Z' + vars: {} schema: + additionalProperties: false type: object properties: - linux: - minimum: 0 - type: integer - macos: - minimum: 0 - type: integer - total: - minimum: 0 - type: integer - windows: - minimum: 0 - type: integer + item: + additionalProperties: false + type: object + properties: + accountType: + type: string + cloudProvider: + type: string + created_at: + type: string + id: + type: string + name: + type: string + namespace: + type: string + packagePolicyCount: + type: number + updated_at: + type: string + vars: + additionalProperties: + nullable: true + type: object + verification_failed_at: + type: string + verification_started_at: + type: string + verification_status: + type: string + required: + - id + - name + - cloudProvider + - vars + - packagePolicyCount + - created_at + - updated_at + required: + - item description: Successful response '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: >- - [request query]: namespace_type.0: Invalid enum value. 
- Expected 'agnostic' | 'single', received 'blob' + message: An error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [GET - /api/exception_lists/summary?list_id=simple_list&namespace_type=agnostic] - is unauthorized for user, this action is granted by the - Kibana privileges [lists-summary] - statusCode: 403 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message": 'exception list id: "foo" does not exist' - status_code": 404 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Get an exception list summary + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + 
type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get cloud connector tags: - - Security Exceptions API - /api/exceptions/shared: - post: - description: > - An exception list groups exception items and can be associated with - detection rules. A shared exception list can apply to multiple detection - rules. + - Fleet cloud connectors + x-state: Experimental; added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** - > info +
put /s/{space_id}/api/fleet/cloud_connectors/{cloudConnectorId}
- > All exception items added to the same list are evaluated using `OR` - logic. That is, if any of the items in a list evaluate to `true`, the - exception prevents the rule from generating an alert. Likewise, `OR` - logic is used for evaluating exceptions when more than one exception - list is assigned to a rule. To use the `AND` operator, you can define - multiple clauses (`entries`) in a single exception item. - operationId: CreateSharedExceptionList + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update a cloud connector by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all OR integrations-all. + operationId: put-fleet-cloud-connectors-cloudconnectorid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The unique identifier of the cloud connector to update. + in: path + name: cloudConnectorId + required: true + schema: + type: string requestBody: content: application/json: examples: - createSharedExceptionList: + putCloudConnectorRequestExample: + description: Update a Fleet cloud connector value: - description: This is a sample detection type exception list. - list_id: simple_list - name: Sample Detection Exception List - namespace_type: single - os_types: - - linux - tags: - - malware + name: Updated AWS connector + vars: {} schema: + additionalProperties: false type: object properties: - description: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListDescription + accountType: + description: 'The account type: single-account (single account/subscription) or organization-account (organization-wide).' + enum: + - single-account + - organization-account + type: string name: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListName - required: - - name - - description - required: true - responses: - '200': - content: - application/json: - examples: - sharedList: - value: - _version: WzIsMV0= - created_at: 2025-01-07T19:34:27.942Z - created_by: elastic - description: This is a sample detection type exception list. 
- id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 - immutable: false - list_id: simple_list - name: Sample Detection Exception List - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 - type: detection - updated_at: 2025-01-07T19:34:27.942Z - updated_by: elastic - version: 1 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: '[request body]: list_id: Expected string, received number' - statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - message: Unable to create exception-list - status_code: 403 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '409': + description: The name of the cloud connector. 
+ maxLength: 255 + minLength: 1 + type: string + vars: + additionalProperties: + anyOf: + - maxLength: 1000 + type: string + - type: number + - type: boolean + - additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + maxLength: 50 + type: string + value: + anyOf: + - maxLength: 1000 + type: string + - additionalProperties: false + type: object + properties: + id: + maxLength: 255 + type: string + isSecretRef: + type: boolean + required: + - isSecretRef + - id + required: + - type + - value + type: object + responses: + '200': content: application/json: examples: - alreadyExists: + putCloudConnectorExample: + description: The updated Fleet cloud connector value: - message: 'exception list id: "simple_list" already exists' - status_code: 409 + item: + accountType: single-account + cloudProvider: aws + created_at: '2024-01-15T10:00:00.000Z' + id: cloud-connector-id-1 + name: Updated AWS connector + packagePolicyCount: 2 + updated_at: '2024-01-15T11:00:00.000Z' + vars: {} schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list already exists response - '500': + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + accountType: + type: string + cloudProvider: + type: string + created_at: + type: string + id: + type: string + name: + type: string + namespace: + type: string + packagePolicyCount: + type: number + updated_at: + type: string + vars: + additionalProperties: + nullable: true + type: object + verification_failed_at: + type: string + verification_started_at: + type: string + verification_status: + type: string + required: + - id + - name + - cloudProvider + - vars + - packagePolicyCount + - created_at + - updated_at + required: + - item + description: Successful response + '400': content: application/json: examples: - serverError: + genericErrorResponseExample: + description: Example of a generic 
error response value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Create a shared exception list - tags: - - Security Exceptions API - /api/features: - get: - description: > - Get information about all Kibana features. Features are used by spaces - and security to refine and secure access to Kibana. - operationId: get-features - responses: - '200': - content: - application/json: - examples: - getFeaturesExample: - value: | - { - "features": [ - { - "name": "tasks", - "description": "Manages task results" - }, - { - "name": "security", - "description": "Manages configuration for Security features, such as users and roles" - }, - { - "name": "searchable_snapshots", - "description": "Manages caches and configuration for searchable snapshots" - }, - { - "name": "logstash_management", - "description": "Enables Logstash Central Management pipeline storage" - }, - { - "name": "transform", - "description": "Manages configuration and state for transforms" - }, - { - "name": "kibana", - "description": "Manages Kibana configuration and reports" - }, - { - "name": "synonyms", - "description": "Manages synonyms" - }, - { - "name": "async_search", - "description": "Manages results of async searches" - }, - { - "name": "ent_search", - "description": "Manages configuration for Enterprise Search features" - }, - { - "name": "machine_learning", - "description": "Provides anomaly detection and forecasting functionality" - }, - { - "name": "geoip", - "description": "Manages data related to GeoIP database downloader" - }, - { - "name": "watcher", - "description": "Manages Watch definitions and state" - }, - { - "name": "fleet", - "description": "Manages configuration for Fleet" - }, - { - "name": "enrich", - "description": "Manages data related to Enrich policies" - }, - { - "name": "inference_plugin", - "description": "Inference plugin for 
managing inference services and inference" - } - ] - } + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: + additionalProperties: false + description: Generic Error type: object - description: Indicates a successful call - summary: Get features + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Update cloud connector tags: - - system - x-state: Technical Preview - /api/fleet/agent_download_sources: + - Fleet cloud connectors + x-state: Experimental; added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/cloud_connectors/{cloudConnectorId}/usage: get: - description: >- - List all agent binary download sources.

[Required - authorization] Route required privileges: fleet-agent-policies-read OR - fleet-settings-read. - operationId: get-fleet-agent-download-sources - parameters: [] + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/cloud_connectors/{cloudConnectorId}/usage
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of package policies that are using a given cloud connector.

[Required authorization] Route required privileges: fleet-agent-policies-read OR integrations-read. + operationId: get-fleet-cloud-connectors-cloudconnectorid-usage + parameters: + - description: The unique identifier of the cloud connector. + in: path + name: cloudConnectorId + required: true + schema: + type: string + - description: The page number for pagination. + in: query + name: page + required: false + schema: + minimum: 1 + type: number + - description: The number of items per page. + in: query + name: perPage + required: false + schema: + minimum: 1 + type: number responses: '200': content: application/json: examples: - getDownloadSourcesExample: - description: List of agent binary download sources + getCloudConnectorUsageResponseExample: + description: Example response showing package policies using the cloud connector value: items: - - host: https://artifacts.elastic.co/downloads/ - id: download-source-id-1 - is_default: true - name: Elastic Artifacts + - created_at: '2025-01-16T09:00:00.000Z' + id: package-policy-1 + name: CSPM AWS Policy + package: + name: cloud_security_posture + title: Cloud Security Posture Management + version: 3.1.1 + policy_ids: + - policy-id-123 + - policy-id-456 + updated_at: '2025-01-16T09:00:00.000Z' page: 1 perPage: 20 - total: 1 + total: 2 schema: additionalProperties: false type: object 
@@ -19520,106 +35282,313 @@ paths: additionalProperties: false type: object properties: - auth: + created_at: + type: string + id: + type: string + name: + type: string + package: additionalProperties: false - nullable: true type: object properties: - api_key: + name: type: string - headers: - items: - additionalProperties: false - type: object - properties: - key: - type: string - value: - type: string - required: - - key - - value - maxItems: 100 - type: array - password: + title: type: string - username: + version: type: string - host: - format: uri + required: + - name + - title + - version + policy_ids: + items: + type: string + maxItems: 10000 + type: array + updated_at: type: string - id: + required: + - id + - name + - policy_ids + - created_at + - updated_at + maxItems: 10000 + type: array + page: + type: number + perPage: + type: number + total: + type: number + required: + - items + - total + - page + - perPage + description: 'OK: A successful request.' + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: Cloud connector not found + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: A bad request. + summary: Get cloud connector usage (package policies using the connector) + tags: + - Fleet cloud connectors + x-state: Experimental; added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/data_streams: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/data_streams
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all Fleet-managed data streams with metadata including package, namespace, size, and last activity.

[Required authorization] Route required privileges: fleet-agents-all AND fleet-agent-policies-all AND fleet-settings-all. + operationId: get-fleet-data-streams + parameters: [] + responses: + '200': + content: + application/json: + examples: + getDataStreamsExample: + description: List of Fleet-managed data streams + value: + data_streams: + - dashboards: + - id: nginx-overview + title: Nginx Overview + dataset: nginx.access + index: logs-nginx.access-default + last_activity_ms: 1700000000000 + namespace: default + package: nginx + package_version: 1.20.0 + serviceDetails: null + size_in_bytes: 1048576 + size_in_bytes_formatted: 1mb + type: logs + - dashboards: [] + dataset: system.cpu + index: metrics-system.cpu-default + last_activity_ms: 1699999000000 + namespace: default + package: system + package_version: 1.38.0 + serviceDetails: null + size_in_bytes: 524288 + size_in_bytes_formatted: 512kb + type: metrics + schema: + additionalProperties: false + type: object + properties: + data_streams: + items: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + title: + type: string + required: + - id + - title + maxItems: 10000 + type: array + dataset: type: string - is_default: - default: false - type: boolean - name: + index: type: string - proxy_id: - description: >- - The ID of the proxy to use for this download source. - See the proxies API for more information. 
- nullable: true + last_activity_ms: + type: number + namespace: type: string - secrets: - additionalProperties: false - type: object - properties: - auth: - additionalProperties: false - type: object - properties: - api_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - password: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: + package: + type: string + package_version: + type: string + serviceDetails: additionalProperties: false + nullable: true type: object properties: - certificate: + environment: type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - key: + serviceName: type: string + required: + - environment + - serviceName + size_in_bytes: + type: number + size_in_bytes_formatted: + anyOf: + - type: number + - type: string + type: + type: string required: - - id - - name - - host + - index + - dataset + - namespace + - type + - package + - package_version + - last_activity_ms + - size_in_bytes + - size_in_bytes_formatted + - dashboards + - serviceDetails + maxItems: 10000 + type: array + required: + - data_streams + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + 
description: Bad Request + summary: Get data streams + tags: + - Data streams + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/enrollment_api_keys: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/enrollment_api_keys
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all enrollment API keys.

[Required authorization] Route required privileges: fleet-agents-all OR fleet-setup. + operationId: get-fleet-enrollment-api-keys + parameters: + - description: Page number + in: query + name: page + required: false + schema: + default: 1 + type: number + - description: Number of results per page + in: query + name: perPage + required: false + schema: + default: 20 + type: number + - description: A KQL query string to filter results + in: query + name: kuery + required: false + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getEnrollmentApiKeysExample: + description: List of enrollment API keys + value: + items: + - active: true + api_key: api-key-value-1 + api_key_id: api-key-id-1 + created_at: '2024-01-01T00:00:00.000Z' + id: key-id-1 + name: Default policy enrollment key + policy_id: policy-id-1 + list: + - active: true + api_key: api-key-value-1 + api_key_id: api-key-id-1 + created_at: '2024-01-01T00:00:00.000Z' + id: key-id-1 + name: Default policy enrollment key + policy_id: policy-id-1 + page: 1 + perPage: 20 + total: 1 + schema: + additionalProperties: false + type: object + properties: + items: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_enrollment_api_key' + maxItems: 10000 + type: array + list: + deprecated: true + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_enrollment_api_key' maxItems: 10000 type: array page: @@ -19633,6 +35602,7 @@ paths: - total - page - perPage + - list description: Successful response '400': content: @@ -19663,14 +35633,22 @@ paths: - message - attributes description: Bad Request - summary: Get agent binary download sources + summary: Get enrollment API keys tags: - - Elastic Agent binary download sources + - Fleet enrollment API keys + x-metaTags: + - content: Kibana + name: product_name post: - description: >- - Create a new agent binary download source.
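Review bot: The hunk at `@@ -19633,6 +35602,7 @@` adds `- list` to the `required` array of the enrollment API keys list response while the same field is declared `deprecated: true` a few lines above; a field that is both deprecated and required cannot be dropped later without a breaking change and forces clients to keep accepting a duplicate of `items`. If `list` is only kept for backward compatibility it should stay optional, i.e. drop the added `- list` line and leave `items` as the required collection. This file looks generated from the route response schemas, so the change presumably belongs in the route definition rather than here.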

[Required - authorization] Route required privileges: fleet-settings-all. - operationId: post-fleet-agent-download-sources + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/enrollment_api_keys
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create an enrollment API key for a given agent policy.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-enrollment-api-keys parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -19683,238 +35661,289 @@ paths: content: application/json: examples: - postDownloadSourceRequestExample: - description: Create a new agent binary download source + postEnrollmentApiKeyRequestExample: + description: Create an enrollment API key for an agent policy value: - host: https://my-custom-host.example.com/downloads/ - is_default: false - name: My custom download source + expiration: '2025-01-01T00:00:00.000Z' + name: My enrollment key + policy_id: policy-id-1 schema: - additionalProperties: false - type: object - properties: - auth: - additionalProperties: false - nullable: true - type: object - properties: - api_key: - type: string - headers: - items: - additionalProperties: false - type: object - properties: - key: - type: string - value: - type: string - required: - - key - - value - maxItems: 100 - type: array - password: - type: string - username: - type: string - host: - format: uri - type: string - id: - type: string - is_default: - default: false - type: boolean - name: - type: string - proxy_id: - description: >- - The ID of the proxy to use for this download source. See the - proxies API for more information. 
- nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - auth: - additionalProperties: false - type: object - properties: - api_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - password: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - key: - type: string - required: - - name - - host + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_enrollment_api_key' responses: '200': content: application/json: examples: - postDownloadSourceExample: - description: The created agent binary download source + postEnrollmentApiKeyExample: + description: The created enrollment API key value: + action: created item: - host: https://my-custom-host.example.com/downloads/ - id: download-source-id-2 - is_default: false - name: My custom download source + active: true + api_key: api-key-value-1 + api_key_id: api-key-id-1 + created_at: '2024-01-01T00:00:00.000Z' + id: key-id-1 + name: My enrollment key + policy_id: policy-id-1 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_enrollment_api_key_response' + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: additionalProperties: false + description: Generic Error type: object properties: - item: - additionalProperties: false - type: 
object - properties: - auth: - additionalProperties: false - nullable: true - type: object - properties: - api_key: - type: string - headers: - items: - additionalProperties: false - type: object - properties: - key: - type: string - value: - type: string - required: - - key - - value - maxItems: 100 - type: array - password: - type: string - username: - type: string - host: - format: uri - type: string - id: - type: string - is_default: - default: false - type: boolean - name: - type: string - proxy_id: - description: >- - The ID of the proxy to use for this download source. - See the proxies API for more information. - nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - auth: - additionalProperties: false - type: object - properties: - api_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - password: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - key: - type: string - required: - - id - - name - - host + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number required: - - item + - message + - attributes + description: Bad Request + summary: Create an enrollment API key + tags: + - Fleet enrollment API keys + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/enrollment_api_keys/_bulk_delete: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/enrollment_api_keys/_bulk_delete
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Revoke or delete multiple enrollment API keys.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-enrollment-api-keys-bulk-delete + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + bulkDeleteByIdsExample: + description: Bulk delete enrollment API keys by IDs + value: + forceDelete: true + tokenIds: + - token-id-1 + - token-id-2 + bulkDeleteByKueryExample: + description: Bulk delete enrollment API keys by KQL query + value: + forceDelete: false + kuery: policy_id:"policy-id-1" + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_delete_enrollment_api_keys_request' + responses: + '200': + content: + application/json: + examples: + bulkDeleteEnrollmentApiKeysExample: + description: The enrollment API keys were successfully processed + value: + action: deleted + count: 2 + errorCount: 0 + successCount: 2 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_delete_enrollment_api_keys_response' + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: Either tokenIds or kuery must be provided + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Bulk revoke or delete enrollment API keys + tags: + - Fleet enrollment API keys + x-state: Generally available; added in 9.5.0 + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/enrollment_api_keys/{keyId}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/enrollment_api_keys/{keyId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Revoke or delete an enrollment API key by ID. Use `forceDelete=true` to remove the document.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: delete-fleet-enrollment-api-keys-keyid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The ID of the enrollment API key + in: path + name: keyId + required: true + schema: + type: string + - description: When false (default), invalidate the API key and mark the token as inactive. When true, also delete the token document. + in: query + name: forceDelete + required: false + schema: + default: false + type: boolean + - description: When true, allow deletion of hidden enrollment tokens (managed/agentless policies). Defaults to false. + in: query + name: includeHidden + required: false + schema: + default: false + type: boolean + responses: + '200': + content: + application/json: + examples: + deleteEnrollmentApiKeyExample: + description: The enrollment API key was successfully revoked + value: + action: deleted + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_delete_enrollment_api_key_response' + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No enrollment API key was found with the given ID + value: + error: Not Found + message: EnrollmentAPIKey key-id-1 not found + statusCode: 404 + description: Not Found + summary: Revoke or delete an 
enrollment API key + tags: + - Fleet enrollment API keys + x-metaTags: + - content: Kibana + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/enrollment_api_keys/{keyId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get an enrollment API key by ID.

[Required authorization] Route required privileges: fleet-agents-all OR fleet-setup. + operationId: get-fleet-enrollment-api-keys-keyid + parameters: + - description: The ID of the enrollment API key + in: path + name: keyId + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getEnrollmentApiKeyExample: + description: An enrollment API key + value: + item: + active: true + api_key: api-key-value-1 + api_key_id: api-key-id-1 + created_at: '2024-01-01T00:00:00.000Z' + id: key-id-1 + name: Default policy enrollment key + policy_id: policy-id-1 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_enrollment_api_key_response' description: Successful response '400': content: @@ -19945,15 +35974,34 @@ paths: - message - attributes description: Bad Request - summary: Create an agent binary download source + '404': + content: + application/json: + examples: + notFoundExample: + description: No enrollment API key was found with the given ID + value: + error: Not Found + message: EnrollmentAPIKey key-id-1 not found + statusCode: 404 + description: Not Found + summary: Get an enrollment API key tags: - - Elastic Agent binary download sources - /api/fleet/agent_download_sources/{sourceId}: - delete: - description: >- - Delete an agent binary download source by ID.
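Review bot: The `'404'` response added to `delete /api/fleet/enrollment_api_keys/{keyId}` carries only an example and a description but no `schema`, whereas the sibling `'400'` response is typed with the generic error object; generated clients will treat the 404 body as untyped. The same gap applies to the `'404'` added to the `get` operation for the same path in the next hunk. Adding the generic error schema (`attributes`, `error`, `errorType`, `message`, `statusCode`) under the 404 response, or referencing it if a shared component exists, would keep the error responses consistent. Since this file appears to be generated, the fix presumably belongs in the route's response definition.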

[Required - authorization] Route required privileges: fleet-settings-all. - operationId: delete-fleet-agent-download-sources-sourceid + - Fleet enrollment API keys + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/bulk_assets: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/bulk_assets
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve multiple Kibana saved object assets by their IDs and types.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: post-fleet-epm-bulk-assets parameters: - description: A required header to protect against CSRF attacks in: header @@ -19962,29 +36010,36 @@ paths: schema: example: 'true' type: string - - description: The ID of the download source - in: path - name: sourceId - required: true - schema: - type: string + requestBody: + content: + application/json: + examples: + postBulkGetAssetsRequestExample: + description: Retrieve multiple assets by their IDs and types + value: + assetIds: + - id: dashboard-id-1 + type: dashboard + - id: index-pattern-id-1 + type: index_pattern + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_bulk_assets_request' responses: '200': content: application/json: examples: - deleteDownloadSourceExample: - description: The download source was successfully deleted + postBulkGetAssetsExample: + description: Requested assets value: - id: download-source-id-1 + items: + - appLink: /app/dashboards#/view/dashboard-id-1 + attributes: + title: My Dashboard + id: dashboard-id-1 + type: dashboard schema: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_bulk_assets_response' description: Successful response '400': content: 
@@ -20015,156 +36070,53 @@ paths: - message - attributes description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No download source was found with the given ID - value: - error: Not Found - message: Agent binary source download-source-id-1 not found - statusCode: 404 - description: Not Found - summary: Delete an agent binary download source + summary: Bulk get assets tags: - - Elastic Agent binary download sources + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/categories: get: - description: >- - Get an agent binary download source by ID.

[Required - authorization] Route required privileges: fleet-agent-policies-read OR - fleet-settings-read. - operationId: get-fleet-agent-download-sources-sourceid + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/categories
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of integration categories.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-categories parameters: - - description: The ID of the download source - in: path - name: sourceId - required: true + - description: When true, include prerelease packages in the results + in: query + name: prerelease + required: false schema: - type: string + type: boolean + - description: When true, include categories that only contain policy templates + in: query + name: include_policy_templates + required: false + schema: + type: boolean responses: '200': content: application/json: examples: - getDownloadSourceExample: - description: An agent binary download source + getCategoriesExample: + description: List of integration categories value: - item: - host: https://artifacts.elastic.co/downloads/ - id: download-source-id-1 - is_default: true - name: Elastic Artifacts + items: + - count: 42 + id: security + title: Security + - count: 38 + id: observability + title: Observability schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - auth: - additionalProperties: false - nullable: true - type: object - properties: - api_key: - type: string - headers: - items: - additionalProperties: false - type: object - properties: - key: - type: string - value: - type: string - required: - - key - - value - maxItems: 100 - type: array - password: - type: string - username: - type: string - host: - format: uri - type: string - id: - type: string - is_default: - default: false - type: boolean - name: - type: string - proxy_id: - description: >- - The ID of the proxy to use for this download source. - See the proxies API for more information. 
- nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - auth: - additionalProperties: false - type: object - properties: - api_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - password: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - key: - type: string - required: - - id - - name - - host - required: - - item + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_categories_response' description: Successful response '400': content: @@ -20195,25 +36147,23 @@ paths: - message - attributes description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No download source was found with the given ID - value: - error: Not Found - message: Agent binary source download-source-id-1 not found - statusCode: 404 - description: Not Found - summary: Get an agent binary download source + summary: Get package categories tags: - - Elastic Agent binary download sources - put: - description: >- - Update an agent binary download source by ID.

[Required - authorization] Route required privileges: fleet-settings-all. - operationId: put-fleet-agent-download-sources-sourceid + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/custom_integrations: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/custom_integrations
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new custom integration package with user-defined data streams.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-custom-integrations parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -20222,248 +36172,127 @@ paths: schema: example: 'true' type: string - - description: The ID of the download source - in: path - name: sourceId - required: true - schema: - type: string requestBody: content: application/json: examples: - putDownloadSourceRequestExample: - description: Update an agent binary download source + postCreateCustomIntegrationRequestExample: + description: Create a new custom integration value: - host: https://updated-host.example.com/downloads/ - is_default: false - name: Updated download source + datasets: + - name: my_custom_logs.access + type: logs + integrationName: my_custom_logs schema: - additionalProperties: false - type: object - properties: - auth: - additionalProperties: false - nullable: true - type: object - properties: - api_key: - type: string - headers: - items: - additionalProperties: false - type: object - properties: - key: - type: string - value: - type: string - required: - - key - - value - maxItems: 100 - type: array - password: - type: string - username: - type: string - host: - format: uri - type: string - id: - type: string - is_default: - default: false - type: boolean - name: - type: string - proxy_id: - description: >- - The ID of the proxy to use for this download source. See the - proxies API for more information. 
- nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - auth: - additionalProperties: false - type: object - properties: - api_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - password: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - key: - type: string - required: - - name - - host + $ref: '#/components/schemas/Kibana_HTTP_APIs_create_custom_integration_request' responses: '200': content: application/json: examples: - putDownloadSourceExample: - description: The updated agent binary download source + postCreateCustomIntegrationExample: + description: Custom integration successfully created value: - item: - host: https://updated-host.example.com/downloads/ - id: download-source-id-1 - is_default: false - name: Updated download source + _meta: + install_source: custom + items: + - id: my_custom_logs-logs-my_custom_logs.access + type: index_template + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_install_package_response' + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: additionalProperties: false + description: Generic Error type: object properties: - item: - additionalProperties: false - type: object - properties: - auth: - additionalProperties: false 
- nullable: true - type: object - properties: - api_key: - type: string - headers: - items: - additionalProperties: false - type: object - properties: - key: - type: string - value: - type: string - required: - - key - - value - maxItems: 100 - type: array - password: - type: string - username: - type: string - host: - format: uri - type: string - id: - type: string - is_default: - default: false - type: boolean - name: - type: string - proxy_id: - description: >- - The ID of the proxy to use for this download source. - See the proxies API for more information. - nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - auth: - additionalProperties: false - type: object - properties: - api_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - password: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - key: - type: string - required: - - id - - name - - host + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number required: - - item + - message + - attributes + description: Bad Request + summary: Create a custom integration + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/custom_integrations/{pkgName}: + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/fleet/epm/custom_integrations/{pkgName}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update the datasets of an existing custom integration package.

[Required authorization] Route required privileges: fleet-settings-all AND integrations-all. + operationId: put-fleet-epm-custom-integrations-pkgname + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Package name + in: path + name: pkgName + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + putUpdateCustomIntegrationRequestExample: + description: Update a custom integration + value: + datasets: + - name: my_custom_logs.access + type: logs + integrationName: my_custom_logs + schema: + additionalProperties: false + type: object + properties: + categories: + items: + type: string + maxItems: 10 + type: array + readMeData: + type: string + required: + - readMeData + responses: + '200': + content: + application/json: + examples: + putUpdateCustomIntegrationExample: + description: Custom integration successfully updated + value: {} description: Successful response '400': content: @@ -20494,43 +36323,39 @@ paths: - message - attributes description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No download source was found with the given ID - value: - error: Not Found - message: Download source download-source-id-1 not found - statusCode: 404 - description: Not Found - summary: Update an agent binary download source + summary: Update a custom integration tags: - - Elastic Agent binary download sources - /api/fleet/agent_policies: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/data_streams: get: - description: >- - List all agent policies.

[Required authorization] Route - required privileges: fleet-agent-policies-read OR fleet-agents-read OR - fleet-setup. - operationId: get-fleet-agent-policies + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/data_streams
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of data streams created by installed integration packages.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-data-streams parameters: - - description: Page number - in: query - name: page - required: false - schema: - type: number - - description: Number of results per page + - description: Filter by data stream type in: query - name: perPage + name: type required: false schema: - type: number - - description: Field to sort results by + enum: + - logs + - metrics + - traces + - synthetics + - profiling + type: string + - description: Filter data streams by dataset name in: query - name: sortField + name: datasetQuery required: false schema: type: string 
@@ -20539,93 +36364,128 @@ paths: name: sortOrder required: false schema: + default: asc enum: - - desc - asc + - desc type: string - - description: When true, only show policies with upgradeable agents + - description: When true, only return data streams that are not associated with a package in: query - name: showUpgradeable + name: uncategorisedOnly required: false schema: + default: false type: boolean - - description: A KQL query string to filter results + responses: + '200': + content: + application/json: + examples: + getDataStreamsExample: + description: List of data streams from installed packages + value: + data_streams: + - ilm_policy: logs-default + index_template: logs-system.syslog + name: logs-system.syslog-default + package: system + package_version: 1.55.0 + title: System syslog logs + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_data_streams_response' + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get data streams + tags: + - Data streams + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/packages: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/packages
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of integration packages available in the registry.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-packages + parameters: + - description: Filter packages by category in: query - name: kuery + name: category required: false schema: type: string - - description: use withAgentCount instead + - description: When true, include prerelease packages in the results in: query - name: noAgentCount + name: prerelease required: false schema: - deprecated: true type: boolean - - description: get policies with agent count + - description: When true, exclude the install status from the response in: query - name: withAgentCount + name: excludeInstallStatus required: false schema: type: boolean - - description: get full policies with package policies populated + - description: When true, include the number of package policies per package in: query - name: full + name: withPackagePoliciesCount required: false schema: type: boolean - - description: 'Format for the response: simplified or legacy' - in: query - name: format - required: false - schema: - enum: - - simplified - - legacy - type: string responses: '200': content: application/json: examples: - getAgentPoliciesExample: - description: List of agent policies + getPackagesExample: + description: List of available integration packages value: items: - - description: A sample agent policy - id: agent-policy-id-1 - is_managed: false - is_protected: false - name: My agent policy - namespace: default - revision: 1 - status: active - updated_at: '2024-01-15T10:00:00.000Z' - updated_by: user1 - page: 1 - perPage: 20 + - categories: + - cloud + description: Collect logs and metrics from Amazon Web Services + id: aws + name: aws + status: not_installed + title: AWS + version: 2.10.0 + searchExcluded: 0 total: 1 schema: - additionalProperties: false - type: object - properties: - items: - items: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_agent_policy_response - maxItems: 10000 - type: array - page: - 
type: number - perPage: - type: number - total: - type: number - required: - - items - - total - - page - - perPage + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_packages_response' description: Successful response '400': content: @@ -20656,14 +36516,22 @@ paths: - message - attributes description: Bad Request - summary: Get agent policies + summary: Get packages tags: - - Elastic Agent policies + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name post: - description: >- - Create a new agent policy.

[Required authorization] Route - required privileges: fleet-agent-policies-all. - operationId: post-fleet-agent-policies + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/packages
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Install a package by uploading a .zip or .tar.gz archive (max 100MB). Only available to superusers.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -20672,53 +36540,64 @@ paths: schema: example: 'true' type: string - - description: Whether to add the system integration to the new agent policy + - description: When true, ignore mapping update errors during installation in: query - name: sys_monitoring + name: ignoreMappingUpdateErrors + required: false + schema: + default: false + type: boolean + - description: When true, skip data stream rollover after installation + in: query + name: skipDataStreamRollover required: false schema: + default: false type: boolean requestBody: content: - application/json: + application/gzip: examples: - postAgentPolicyRequestExample: - description: Create a new agent policy - value: - description: A sample agent policy - monitoring_enabled: - - logs - - metrics - name: My agent policy - namespace: default + postInstallByUploadRequestExample: + description: Upload a .zip or .tar.gz package archive (max 100MB) + value: + application/gzip; application/zip: + examples: + postInstallByUploadRequestExample: + description: Upload a .zip or .tar.gz package archive (max 100MB) + value: schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_agent_policy' + format: binary + type: string responses: '200': content: - application/json: + application/gzip; application/zip: examples: - postAgentPolicyExample: - description: The created agent policy + postInstallByUploadExample: + description: Package successfully installed from upload value: - item: - description: A sample agent policy - id: agent-policy-id-2 - is_managed: false - is_protected: false - name: My agent policy - namespace: default - revision: 1 - status: active - updated_at: '2024-01-15T10:00:00.000Z' - updated_by: user1 + _meta: + install_source: upload + items: + - id: my-custom-package-logs-default + type: index_template schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_get_agent_policy_response + $ref: '#/components/schemas/Kibana_HTTP_APIs_install_package_response' + application/json: + examples: + 
postInstallByUploadExample: + description: Package successfully installed from upload + value: + _meta: + install_source: upload + items: + - id: my-custom-package-logs-default + type: index_template description: Successful response '400': content: - application/json: + application/gzip; application/zip: examples: genericErrorResponseExample: description: Example of a generic error response @@ -20744,17 +36623,32 @@ paths: required: - message - attributes + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 description: Bad Request - summary: Create an agent policy + summary: Install a package by upload tags: - - Elastic Agent policies - /api/fleet/agent_policies/_bulk_get: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/packages/_bulk: post: - description: >- - Get multiple agent policies by ID.

[Required authorization] - Route required privileges: fleet-agent-policies-read OR - fleet-agents-read OR fleet-setup. - operationId: post-fleet-agent-policies-bulk-get + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/packages/_bulk
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Install multiple packages from the Elastic Package Registry in a single request.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-bulk parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -20763,63 +36657,43 @@ paths: schema: example: 'true' type: string - - description: 'Format for the response: simplified or legacy' + - description: When true, allow installing prerelease versions in: query - name: format + name: prerelease required: false schema: - enum: - - simplified - - legacy - type: string + type: boolean requestBody: content: application/json: examples: - postBulkGetAgentPoliciesRequestExample: - description: Retrieve multiple agent policies by ID + postBulkInstallPackagesRequestExample: + description: Install multiple packages from the registry value: - ids: - - agent-policy-id-1 - - agent-policy-id-2 + packages: + - system + - aws schema: - additionalProperties: false - type: object - properties: - full: - description: get full policies with package policies populated - type: boolean - ids: - description: list of package policy ids - items: - type: string - maxItems: 1000 - type: array - ignoreMissing: - type: boolean - required: - - ids + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_install_packages_from_registry_request' responses: '200': content: application/json: examples: - postBulkGetAgentPoliciesExample: - description: The requested agent policies + postBulkInstallPackagesExample: + description: Bulk install results value: items: - - id: agent-policy-id-1 - is_managed: false - is_protected: false - name: My agent policy - namespace: default - revision: 1 - status: active - updated_at: '2024-01-15T10:00:00.000Z' - updated_by: user1 + - name: system + result: + assets: [] + status: installed + - name: aws + result: + assets: [] + status: installed schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_bulk_get_agent_policies_response + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_install_packages_from_registry_response' description: Successful response '400': content: 
@@ -20850,75 +36724,74 @@ paths: - message - attributes description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: One or more agent policies were not found - value: - error: Not Found - message: An error message describing what went wrong - statusCode: 404 - description: Not Found - summary: Bulk get agent policies + summary: Bulk install packages tags: - - Elastic Agent policies - /api/fleet/agent_policies/{agentPolicyId}: - get: - description: >- - Get an agent policy by ID.

[Required authorization] Route - required privileges: fleet-agent-policies-read OR fleet-agents-read OR - fleet-setup. - operationId: get-fleet-agent-policies-agentpolicyid + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/packages/_bulk_namespace_customization: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/packages/_bulk_namespace_customization
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Enable or disable namespace-level index template customization for a list of packages in one call. Use this for IaC-style declarative flows.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-bulk-namespace-customization parameters: - - description: The ID of the agent policy - in: path - name: agentPolicyId + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: + example: 'true' type: string - - description: 'Format for the response: simplified or legacy' - in: query - name: format - required: false - schema: - enum: - - simplified - - legacy - type: string + requestBody: + content: + application/json: + examples: + bulkNamespaceCustomizationRequest: + value: + disable: + - dev + enable: + - production + - staging + packages: + - system + - nginx + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_namespace_customization_request' responses: '200': content: application/json: examples: - getAgentPolicyExample: - description: An agent policy + successResponse: value: - item: - description: A sample agent policy - id: agent-policy-id-1 - is_managed: false - is_protected: false - name: My agent policy - namespace: default - revision: 1 - status: active - updated_at: '2024-01-15T10:00:00.000Z' - updated_by: user1 + items: + - name: system + namespace_customization_enabled_for: + - production + - staging + success: true + - error: Package nginx is not installed + name: nginx + success: false schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_get_agent_policy_response - description: Successful response + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_namespace_customization_response' + description: 'OK: A successful request.' 
'400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequestResponse: value: error: Bad Request - message: An error message describing what went wrong + message: 'Namespaces must not appear in both enable and disable: production' statusCode: 400 schema: additionalProperties: false @@ -20938,96 +36811,60 @@ paths: required: - message - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No agent policy was found with the given ID - value: - error: Not Found - message: Agent policy not found - statusCode: 404 - description: Not Found - summary: Get an agent policy + description: A bad request. + summary: Bulk enable/disable namespace-level customization for packages tags: - - Elastic Agent policies - put: - description: >- - Update an agent policy by ID.

[Required authorization] Route - required privileges: fleet-agent-policies-all. - operationId: put-fleet-agent-policies-agentpolicyid + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/packages/_bulk_rollback: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/packages/_bulk_rollback
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Rollback multiple packages to their previous versions.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-bulk-rollback parameters: - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The ID of the agent policy - in: path - name: agentPolicyId + in: header + name: kbn-xsrf required: true schema: - type: string - - description: 'Format for the response: simplified or legacy' - in: query - name: format - required: false - schema: - enum: - - simplified - - legacy + example: 'true' type: string requestBody: content: application/json: examples: - putAgentPolicyRequestExample: - description: Update an agent policy + bulkRollbackRequest: value: - description: An updated agent policy description - monitoring_enabled: - - logs - name: Updated agent policy - namespace: default + packages: + - name: system schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_agent_policy' + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_rollback_packages_request' responses: '200': content: application/json: examples: - putAgentPolicyExample: - description: The updated agent policy + successResponse: value: - item: - description: An updated agent policy description - id: agent-policy-id-1 - is_managed: false - is_protected: false - name: Updated agent policy - namespace: default - revision: 2 - status: active - updated_at: '2024-01-15T11:00:00.000Z' - updated_by: user1 + taskId: taskId schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_get_agent_policy_response - description: Successful response + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_rollback_packages_response' + description: 'OK: A successful request.' 
'400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequestResponse: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + message: Bad Request schema: additionalProperties: false description: Generic Error @@ -21046,21 +36883,28 @@ paths: required: - message - attributes - description: Bad Request - summary: Update an agent policy + description: A bad request. + summary: Bulk rollback packages tags: - - Elastic Agent policies - /api/fleet/agent_policies/{agentPolicyId}/auto_upgrade_agents_status: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/packages/_bulk_rollback/{taskId}: get: - description: >- - Get the auto-upgrade status for agents assigned to an agent - policy.

[Required authorization] Route required privileges: - fleet-agents-read. - operationId: get-fleet-agent-policies-agentpolicyid-auto-upgrade-agents-status + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/packages/_bulk_rollback/{taskId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the status and results of a bulk package rollback operation.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: get-fleet-epm-packages-bulk-rollback-taskid parameters: - - description: The ID of the agent policy + - description: Task ID of the bulk operation in: path - name: agentPolicyId + name: taskId required: true schema: type: string 
@@ -21069,72 +36913,19 @@ paths: content: application/json: examples: - getAutoUpgradeAgentsStatusExample: - description: Auto-upgrade status for agents in the policy + successResponse: value: - agentsCount: 5 - currentVersion: 8.16.0 - failedAgentsCount: 0 - upgradedAgentsCount: 3 - upgradingAgentsCount: 1 + status: success schema: - additionalProperties: false - type: object - properties: - currentVersions: - items: - additionalProperties: false - type: object - properties: - agents: - description: Number of agents that upgraded to this version - type: number - failedUpgradeActionIds: - description: List of action IDs related to failed upgrades - items: - type: string - maxItems: 1000 - type: array - failedUpgradeAgents: - description: >- - Number of agents that failed to upgrade to this - version - type: number - inProgressUpgradeActionIds: - description: List of action IDs related to in-progress upgrades - items: - type: string - maxItems: 1000 - type: array - inProgressUpgradeAgents: - description: Number of agents that are upgrading to this version - type: number - version: - description: Agent version - type: string - required: - - version - - agents - - failedUpgradeAgents - - inProgressUpgradeAgents - maxItems: 10000 - type: array - totalAgents: - type: number - required: - - currentVersions - - totalAgents - description: Successful response + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_one_bulk_operation_packages_response' + description: 'OK: A successful request.' '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequestResponse: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + message: Bad Request schema: additionalProperties: false description: Generic Error 
@@ -21153,16 +36944,24 @@ paths: required: - message - attributes - description: Bad Request - summary: Get auto upgrade agent status + description: A bad request. + summary: Get Bulk rollback packages details tags: - - Elastic Agent policies - /api/fleet/agent_policies/{agentPolicyId}/copy: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/packages/_bulk_uninstall: post: - description: >- - Copy an agent policy by ID.

[Required authorization] Route - required privileges: fleet-agent-policies-all. - operationId: post-fleet-agent-policies-agentpolicyid-copy + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/packages/_bulk_uninstall
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Uninstall multiple packages in a single operation.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-bulk-uninstall parameters: - description: A required header to protect against CSRF attacks in: header @@ -21171,54 +36970,29 @@ paths: schema: example: 'true' type: string - - description: The ID of the agent policy - in: path - name: agentPolicyId - required: true - schema: - type: string - - description: 'Format for the response: simplified or legacy' - in: query - name: format - required: false - schema: - enum: - - simplified - - legacy - type: string requestBody: content: application/json: examples: - postCopyAgentPolicyRequestExample: - description: Copy an agent policy with a new name + postBulkUninstallPackagesRequestExample: + description: Uninstall multiple packages value: - description: A copy of the original agent policy - name: Copy of my agent policy + packages: + - name: aws + - name: gcp schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_copy_agent_policy_request' + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_uninstall_packages_request' responses: '200': content: application/json: examples: - postCopyAgentPolicyExample: - description: The copied agent policy + postBulkUninstallPackagesExample: + description: Bulk uninstall task initiated value: - item: - description: A copy of the original agent policy - id: agent-policy-id-copy-1 - is_managed: false - is_protected: false - name: Copy of my agent policy - namespace: default - revision: 1 - status: active - updated_at: '2024-01-15T11:00:00.000Z' - updated_by: user1 + taskId: task-id-1 schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_get_agent_policy_response + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_upgrade_packages_response' description: Successful response '400': content: 
@@ -21249,65 +37023,47 @@ paths: - message - attributes description: Bad Request - summary: Copy an agent policy + summary: Bulk uninstall packages tags: - - Elastic Agent policies - /api/fleet/agent_policies/{agentPolicyId}/download: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/packages/_bulk_uninstall/{taskId}: get: - description: >- - Download an agent policy by ID.

[Required authorization] Route - required privileges: fleet-agent-policies-read OR fleet-setup. - operationId: get-fleet-agent-policies-agentpolicyid-download + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/packages/_bulk_uninstall/{taskId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the status and results of a bulk package uninstall operation.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: get-fleet-epm-packages-bulk-uninstall-taskid parameters: - - description: The ID of the agent policy + - description: Task ID of the bulk operation in: path - name: agentPolicyId + name: taskId required: true schema: type: string - - description: If true, returns the policy as a downloadable file - in: query - name: download - required: false - schema: - type: boolean - - description: If true, returns the policy formatted for standalone agents - in: query - name: standalone - required: false - schema: - type: boolean - - description: If true, returns the policy formatted for Kubernetes deployment - in: query - name: kubernetes - required: false - schema: - type: boolean - - description: >- - If provided, returns the policy at the specified revision. Cannot be - used with standalone or kubernetes flags. - in: query - name: revision - required: false - schema: - type: number responses: '200': content: application/json: examples: - getDownloadAgentPolicyExample: - description: The agent policy download response + getBulkOperationDetailsExample: + description: Details of the bulk operation task value: - item: >- - id: agent-policy-id-1\nrevision: 1\noutputs:\n - default:\n type: elasticsearch\n hosts:\n - - https://elasticsearch.example.com:9200\n + packages: + - name: system + result: installed + - name: elastic_agent + result: installed + status: success schema: - type: string - description: >- - Successful response — returns the agent policy as a YAML file - download + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_one_bulk_operation_packages_response' + description: Successful response '400': content: application/json: 
@@ -21337,16 +37093,65 @@ paths: - message - attributes description: Bad Request - '404': + summary: Get Bulk uninstall packages details + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/packages/_bulk_upgrade: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/packages/_bulk_upgrade
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Upgrade multiple packages to their latest versions.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-bulk-upgrade + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + postBulkUpgradePackagesRequestExample: + description: Upgrade multiple packages to their latest versions + value: + packages: + - name: system + - name: elastic_agent + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_upgrade_packages_request' + responses: + '200': content: application/json: examples: - notFoundExample: - description: No agent policy was found with the given ID + postBulkUpgradePackagesExample: + description: Bulk upgrade task initiated value: - error: Not Found - message: Agent policy not found - statusCode: 404 + taskId: task-id-1 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_upgrade_packages_response' + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: additionalProperties: false description: Generic Error @@ -21365,73 +37170,47 @@ paths: required: - message - attributes - description: Not Found - summary: Download an agent policy + description: Bad Request + summary: Bulk upgrade packages tags: - - Elastic Agent policies - /api/fleet/agent_policies/{agentPolicyId}/full: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/packages/_bulk_upgrade/{taskId}: get: - description: >- - Get a full agent policy by ID.

[Required authorization] Route - required privileges: fleet-agent-policies-read. - operationId: get-fleet-agent-policies-agentpolicyid-full + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/packages/_bulk_upgrade/{taskId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the status and results of a bulk package upgrade operation.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: get-fleet-epm-packages-bulk-upgrade-taskid parameters: - - description: The ID of the agent policy + - description: Task ID of the bulk operation in: path - name: agentPolicyId + name: taskId required: true schema: type: string - - description: If true, returns the policy as a downloadable file - in: query - name: download - required: false - schema: - type: boolean - - description: If true, returns the policy formatted for standalone agents - in: query - name: standalone - required: false - schema: - type: boolean - - description: If true, returns the policy formatted for Kubernetes deployment - in: query - name: kubernetes - required: false - schema: - type: boolean - - description: >- - If provided, returns the policy at the specified revision. Cannot be - used with standalone or kubernetes flags. - in: query - name: revision - required: false - schema: - type: number responses: '200': content: application/json: examples: - getFullAgentPolicyExample: - description: The full agent policy configuration + getBulkOperationDetailsExample: + description: Details of the bulk operation task value: - item: - agent: - monitoring: - logs: true - metrics: true - id: agent-policy-id-1 - inputs: [] - outputs: - default: - hosts: - - https://elasticsearch.example.com:9200 - type: elasticsearch - revision: 1 + packages: + - name: system + result: installed + - name: elastic_agent + result: installed + status: success schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_get_full_agent_policy_response + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_one_bulk_operation_packages_response' description: Successful response '400': content: 
@@ -21462,54 +37241,56 @@ paths: - message - attributes description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No agent policy was found with the given ID - value: - error: Not Found - message: Agent policy not found - statusCode: 404 - description: Not Found - summary: Get a full agent policy + summary: Get Bulk upgrade packages details tags: - - Elastic Agent policies - /api/fleet/agent_policies/{agentPolicyId}/outputs: - get: - description: >- - Get a list of outputs associated with agent policy by policy - id.

[Required authorization] Route required privileges: - fleet-agent-policies-read AND fleet-settings-read. - operationId: get-fleet-agent-policies-agentpolicyid-outputs + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/packages/{pkgName}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/epm/packages/{pkgName}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Uninstall a package and remove all its assets.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: delete-fleet-epm-packages-pkgname parameters: - - description: The ID of the agent policy + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Package name in: path - name: agentPolicyId + name: pkgName required: true schema: type: string + - description: When true, delete the package even if it has active package policies + in: query + name: force + required: false + schema: + type: boolean responses: '200': content: application/json: examples: - getAgentPolicyOutputsExample: - description: Outputs associated with the agent policy + deletePackageExample: + description: Package successfully deleted value: - item: - data_output: - id: output-id-1 - name: Default output - type: elasticsearch - monitoring_output: - id: output-id-1 - name: Default output - type: elasticsearch + items: + - id: aws-logs-aws.cloudwatch_logs-default + type: index_template schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_get_agent_policy_outputs_response + $ref: '#/components/schemas/Kibana_HTTP_APIs_delete_package_response' description: Successful response '400': content: @@ -21540,58 +37321,76 @@ paths: - message - attributes description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No agent policy was found with the given ID - value: - error: Not Found - message: Agent policy not found - statusCode: 404 - description: Not Found - summary: Get outputs for an agent policy + summary: Delete a package tags: - - Elastic Agent policies - /api/fleet/agent_policies/delete: - post: - description: >- - Delete an agent policy by ID.

[Required authorization] Route - required privileges: fleet-agent-policies-all. - operationId: post-fleet-agent-policies-delete + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/packages/{pkgName}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get information about a package by name, returning the latest installed or available version. + operationId: get-fleet-epm-packages-pkgname parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf + - description: Package name + in: path + name: pkgName required: true schema: - example: 'true' type: string - requestBody: - content: - application/json: - examples: - postDeleteAgentPolicyRequestExample: - description: Delete an agent policy by ID - value: - agentPolicyId: agent-policy-id-1 - schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_delete_agent_policy_request + - description: When true, returns the package even if the signature cannot be verified + in: query + name: ignoreUnverified + required: false + schema: + type: boolean + - description: When true, include prerelease versions + in: query + name: prerelease + required: false + schema: + type: boolean + - description: When true, return the full package info including assets + in: query + name: full + required: false + schema: + type: boolean + - description: When true, include package metadata such as whether it has package policies + in: query + name: withMetadata + required: false + schema: + default: false + type: boolean responses: '200': content: application/json: examples: - postDeleteAgentPolicyExample: - description: The agent policy was successfully deleted + getPackageInfoExample: + description: Package details and installation status value: - id: agent-policy-id-1 - name: My agent policy + item: + assets: + kibana: + dashboard: [] + index_pattern: [] + categories: + - cloud + description: Collect logs and metrics from Amazon Web Services + name: aws + status: installed + title: AWS + version: 2.10.0 schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_delete_agent_policy_response + $ref: 
'#/components/schemas/Kibana_HTTP_APIs_get_info_response' description: Successful response '400': content: @@ -21622,58 +37421,90 @@ paths: - message - attributes description: Bad Request - summary: Delete an agent policy + summary: Get a package tags: - - Elastic Agent policies - /api/fleet/agent_policies/outputs: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name post: - description: >- - Get a list of outputs associated with agent policies.

[Required - authorization] Route required privileges: fleet-agent-policies-read AND - fleet-settings-read. - operationId: post-fleet-agent-policies-outputs + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/packages/{pkgName}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Install the latest version of a package from the Elastic Package Registry.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-pkgname parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: - example: 'true' - type: string + example: 'true' + type: string + - description: Package name + in: path + name: pkgName + required: true + schema: + type: string + - description: When true, allow installing prerelease versions + in: query + name: prerelease + required: false + schema: + type: boolean + - description: When true, ignore mapping update errors during installation + in: query + name: ignoreMappingUpdateErrors + required: false + schema: + default: false + type: boolean + - description: When true, skip data stream rollover after installation + in: query + name: skipDataStreamRollover + required: false + schema: + default: false + type: boolean + - description: Skip dependency validation when installing a package with dependencies + in: query + name: skipDependencyCheck + required: false + schema: + default: false + type: boolean requestBody: content: application/json: examples: - postListAgentPolicyOutputsRequestExample: - description: Get outputs for multiple agent policies + postInstallPackageRequestExample: + description: Install a package, optionally ignoring constraints value: - ids: - - agent-policy-id-1 - - agent-policy-id-2 + ignore_constraints: false schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_get_list_agent_policy_outputs_request + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_install_package_from_registry_request' + nullable: true responses: '200': content: application/json: examples: - postListAgentPolicyOutputsExample: - description: Outputs associated with the requested agent policies + postInstallPackageExample: + description: Package successfully installed value: + _meta: + install_source: registry items: - - agent_policy_id: agent-policy-id-1 
- data_output: - id: output-id-1 - name: Default output - type: elasticsearch - monitoring_output: - id: output-id-1 - name: Default output - type: elasticsearch + - id: aws-logs-aws.cloudwatch_logs-default + type: index_template schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_get_list_agent_policy_outputs_response + $ref: '#/components/schemas/Kibana_HTTP_APIs_install_package_response' description: Successful response '400': content: @@ -21704,95 +37535,66 @@ paths: - message - attributes description: Bad Request - summary: Get outputs for agent policies + summary: Install a package from the registry tags: - - Elastic Agent policies - /api/fleet/agent_status: - get: - description: Get a summary of agent statuses for a given agent policy. - operationId: get-fleet-agent-status + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/fleet/epm/packages/{pkgName}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update settings for a package, such as whether policies are kept up to date automatically.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: put-fleet-epm-packages-pkgname parameters: - - description: Filter by agent policy ID - in: query - name: policyId - required: false + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: + example: 'true' type: string - - description: Filter by one or more agent policy IDs - in: query - name: policyIds - required: false - schema: - items: - type: string - maxItems: 1000 - type: array - - description: A KQL query string to filter results - in: query - name: kuery - required: false + - description: Package name + in: path + name: pkgName + required: true schema: type: string + requestBody: + content: + application/json: + examples: + putUpdatePackageNamespaceCustomizationExample: + description: Enable namespace-level customization for the `production` and `staging` namespaces + value: + namespace_customization_enabled_for: + - production + - staging + putUpdatePackageRequestExample: + description: Update keep_policies_up_to_date setting for a package + value: + keepPoliciesUpToDate: true + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_update_package_request' responses: '200': content: application/json: examples: - getAgentStatusExample: - description: Agent status summary for an agent policy + putUpdatePackageExample: + description: Updated package settings value: - results: - error: 1 - offline: 2 - online: 5 - other: 0 - updating: 0 - totalInactive: 0 + item: + keepPoliciesUpToDate: true + name: aws + version: 2.10.0 schema: - additionalProperties: false - type: object - properties: - results: - additionalProperties: false - type: object - properties: - active: - type: number - all: - type: number - error: - type: number - events: - type: number - inactive: - type: number - offline: - type: number - online: - type: number - orphaned: - type: number - other: - type: number - 
unenrolled: - type: number - uninstalled: - type: number - updating: - type: number - required: - - events - - online - - error - - offline - - other - - updating - - inactive - - unenrolled - - all - - active - required: - - results + $ref: '#/components/schemas/Kibana_HTTP_APIs_update_package_response' description: Successful response '400': content: @@ -21823,85 +37625,62 @@ paths: - message - attributes description: Bad Request - summary: Get an agent status summary + summary: Update package settings tags: - - Elastic Agent status - /api/fleet/agent_status/data: - get: - description: >- - Get the data streams that an agent is actively sending data - to.

[Required authorization] Route required privileges: - fleet-agents-read. - operationId: get-fleet-agent-status-data + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/packages/{pkgName}/{pkgVersion}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Uninstall a specific version of a package and remove all its assets.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: delete-fleet-epm-packages-pkgname-pkgversion parameters: - - description: Agent IDs to check data for, as an array or comma-separated string - in: query - name: agentsIds + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: - items: - type: string - maxItems: 10000 - type: array - - description: Filter by integration package name - in: query + example: 'true' + type: string + - description: Package name + in: path name: pkgName - required: false + required: true schema: type: string - - description: Filter by integration package version - in: query + - description: Package version + in: path name: pkgVersion - required: false + required: true schema: type: string - - description: When true, return a preview of the ingested data + - description: When true, delete the package even if it has active package policies in: query - name: previewData + name: force required: false schema: - default: false type: boolean responses: '200': content: application/json: examples: - getAgentDataExample: - description: Data streams the agent is actively sending data to + deletePackageExample: + description: Package successfully deleted value: items: - - data: - logs-nginx.access-default: - - id: agent-id-1 - name: my-host - total: 1 - totalMonitoring: 0 + - id: aws-logs-aws.cloudwatch_logs-default + type: index_template schema: - additionalProperties: false - type: object - properties: - dataPreview: - items: - nullable: true - maxItems: 10000 - type: array - items: - items: - additionalProperties: - additionalProperties: false - type: object - properties: - data: - type: boolean - required: - - data - type: object - maxItems: 10000 - type: array - required: - - items - - dataPreview + $ref: '#/components/schemas/Kibana_HTTP_APIs_delete_package_response' description: Successful response '400': content: 
@@ -21932,869 +37711,299 @@ paths: - message - attributes description: Bad Request - summary: Get incoming agent data + summary: Delete a package tags: - - Elastic Agents - /api/fleet/agentless_policies: - post: - description: Create an agentless policy - operationId: post-fleet-agentless-policies + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get information about a specific version of a package. + operationId: get-fleet-epm-packages-pkgname-pkgversion parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf + - description: Package name + in: path + name: pkgName required: true schema: - example: 'true' type: string - - description: The format of the response package policy. + - description: Package version + in: path + name: pkgVersion + required: true + schema: + type: string + - description: When true, returns the package even if the signature cannot be verified in: query - name: format + name: ignoreUnverified required: false schema: - default: simplified - enum: - - legacy - - simplified - type: string - requestBody: - content: - application/json: - examples: - createAgentlessPoliciesRequestExample: - description: Example request to create agentless policies - value: - description: test - inputs: - ESS Billing-cel: - enabled: true - streams: - ess_billing.billing: - enabled: true - vars: - hide_sensitive: true - http_client_timeout: 30s - lookbehind: 365 - tags: - - forwarded - - billing - ess_billing.credits: - enabled: false - vars: - api_key: - organization_id: '1234' - name: ess_billing-1 - namespace: default - package: - name: ess_billing - version: 1.6.0 - createAgentlessPoliciesReuseAWSCloudConnectorExample: - description: >- - Example request to create agentless policy reusing an existing - AWS cloud connector - value: - cloud_connector: - cloud_connector_id: existing-aws-connector-id - target_csp: aws - description: CSPM integration for AWS reusing existing cloud connector - inputs: - cspm-cloudbeat/cis_aws: - enabled: true - streams: - cloud_security_posture.findings: - enabled: true - vars: - aws.account_type: organization-account - aws.credentials.type: cloud_connector - aws.supports_cloud_connectors: true - external_id: - id: 
ABCDEFGHIJKLMNOPQRST - isSecretRef: true - role_arn: arn:aws:iam::123456789012:role/TestRole - vars: - cloud_formation_template: >- - https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https://elastic-cspm-cft.s3.eu-central-1.amazonaws.com/cloudformation-cspm-ACCOUNT_TYPE-9.2.0.yml - cspm-cloudbeat/cis_azure: - enabled: false - cspm-cloudbeat/cis_gcp: - enabled: false - name: cspm-aws-reuse-policy - namespace: default - package: - name: cloud_security_posture - version: 3.1.1 - vars: - deployment: aws - posture: cspm - createAgentlessPoliciesWithAWSCloudConnectorExample: - description: >- - Example request to create agentless policy with AWS cloud - connector - value: - cloud_connector: - target_csp: aws - description: CSPM integration for AWS with cloud connector - inputs: - cspm-cloudbeat/cis_aws: - enabled: true - streams: - cloud_security_posture.findings: - enabled: true - vars: - aws.account_type: organization-account - aws.credentials.type: cloud_connector - aws.supports_cloud_connectors: true - external_id: - id: ABCDEFGHIJKLMNOPQRST - isSecretRef: true - role_arn: arn:aws:iam::123456789012:role/TestRole - vars: - cloud_formation_template: >- - https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https://elastic-cspm-cft.s3.eu-central-1.amazonaws.com/cloudformation-cspm-ACCOUNT_TYPE-9.2.0.yml - cspm-cloudbeat/cis_azure: - enabled: false - cspm-cloudbeat/cis_gcp: - enabled: false - name: cspm-aws-policy - namespace: default - package: - name: cloud_security_posture - version: 3.1.1 - vars: - deployment: aws - posture: cspm - createAgentlessPoliciesWithAzureCloudConnectorExample: - description: >- - Example request to create agentless policy with Azure cloud - connector - value: - cloud_connector: - target_csp: azure - description: CSPM integration for Azure with cloud connector - inputs: - cspm-cloudbeat/cis_aws: - enabled: false - cspm-cloudbeat/cis_azure: - enabled: true - streams: - 
cloud_security_posture.findings: - enabled: true - vars: - azure_credentials_cloud_connector_id: - type: text - value: existing-azure-credentials-connector-id - azure.account_type: organization-account - client_id: - id: client-secret-id - isSecretRef: true - tenant_id: - id: tenant-secret-id - isSecretRef: true - cspm-cloudbeat/cis_gcp: - enabled: false - name: cspm-azure-policy - namespace: default - package: - name: cloud_security_posture - version: 3.1.1 - vars: - deployment: azure - posture: cspm - schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_simplified_create_package_policy_request + type: boolean + - description: When true, include prerelease versions + in: query + name: prerelease + required: false + schema: + type: boolean + - description: When true, return the full package info including assets + in: query + name: full + required: false + schema: + type: boolean + - description: When true, include package metadata such as whether it has package policies + in: query + name: withMetadata + required: false + schema: + default: false + type: boolean responses: '200': content: application/json: examples: - createAgentlessPoliciesResponseExample: - description: >- - Example response showing the successful result of - communication initialisation over MCP protocol - value: - item: - created_at: '2025-11-06T18:27:43.541Z' - created_by: test_user - description: test - enabled: true - id: d52a7812-5736-4fdc-aed8-72152afa1ffa - inputs: - ESS Billing-cel: - enabled: true - streams: - ess_billing.billing: - enabled: true - vars: - hide_sensitive: true - http_client_timeout: 30s - lookbehind: 365 - tags: - - forwarded - - billing - ess_billing.credits: - enabled: false - vars: - api_key: - id: QY1sWpoBbWcMW-edr0Ee - isSecretRef: true - organization_id: '1234' - url: https://billing.elastic-cloud.com - name: ess_billing-1 - namespace: default - package: - name: ess_billing - title: Elasticsearch Service Billing - version: 1.6.0 - revision: 1 - 
secret_references: - - id: QY1sWpoBbWcMW-edr0Ee - supports_agentless: true - updated_at: '2025-11-06T18:27:43.541Z' - updated_by: test_user - version: WzE0OTgsMV0= - createAgentlessPoliciesWithAWSCloudConnectorResponseExample: - description: Example response for AWS cloud connector integration + getPackageInfoExample: + description: Package details and installation status value: item: - cloud_connector_id: aws-connector-67890 - created_at: '2025-11-06T18:27:43.541Z' - created_by: test_user - description: CSPM integration for AWS with cloud connector - enabled: true - id: aws-policy-12345 - inputs: - cspm-cloudbeat/cis_aws: - enabled: true - streams: - cloud_security_posture.findings: - enabled: true - vars: - aws.account_type: organization-account - aws.credentials.type: cloud_connector - external_id: - id: secret-external-id-123 - isSecretRef: true - role_arn: arn:aws:iam::123456789012:role/TestRole - vars: - cloud_formation_template: >- - https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https://elastic-cspm-cft.s3.eu-central-1.amazonaws.com/cloudformation-cspm-ACCOUNT_TYPE-9.2.0.yml - cspm-cloudbeat/cis_azure: - enabled: false - cspm-cloudbeat/cis_gcp: - enabled: false - name: cspm-aws-policy - namespace: default - package: - name: cloud_security_posture - title: Cloud Security Posture Management - version: 3.1.1 - revision: 1 - secret_references: - - id: secret-external-id-123 - supports_agentless: true - supports_cloud_connector: true - updated_at: '2025-11-06T18:27:43.541Z' - updated_by: test_user - vars: - deployment: aws - posture: cspm - version: WzE0OTgsMV0= - createAgentlessPoliciesWithAzureCloudConnectorResponseExample: - description: Example response for Azure cloud connector integration + assets: + kibana: + dashboard: [] + index_pattern: [] + categories: + - cloud + description: Collect logs and metrics from Amazon Web Services + name: aws + status: installed + title: AWS + version: 2.10.0 + schema: + $ref: 
'#/components/schemas/Kibana_HTTP_APIs_get_info_response' + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response value: - item: - cloud_connector_id: azure-connector-67890 - created_at: '2025-11-06T18:27:43.541Z' - created_by: test_user - description: CSPM integration for Azure with cloud connector - enabled: true - id: azure-policy-12345 - inputs: - cspm-cloudbeat/cis_aws: - enabled: false - cspm-cloudbeat/cis_azure: - enabled: true - streams: - cloud_security_posture.findings: - enabled: true - vars: - azure_credentials_cloud_connector_id: - type: text - value: existing-azure-credentials-connector-id - azure.account_type: organization-account - client_id: - id: client-secret-id-456 - isSecretRef: true - tenant_id: - id: tenant-secret-id-123 - isSecretRef: true - cspm-cloudbeat/cis_gcp: - enabled: false - name: cspm-azure-policy - namespace: default - package: - name: cloud_security_posture - title: Cloud Security Posture Management - version: 3.1.1 - revision: 1 - secret_references: - - id: tenant-secret-id-123 - - id: client-secret-id-456 - supports_agentless: true - supports_cloud_connector: true - updated_at: '2025-11-06T18:27:43.541Z' - updated_by: test_user - vars: - deployment: azure - posture: cspm - version: WzE0OTgsMV0= + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: additionalProperties: false + description: Generic Error type: object properties: - item: - additionalProperties: false - description: The created agentless package policy. - type: object - properties: - additional_datastreams_permissions: - description: >- - Additional datastream permissions, that will be added - to the agent policy. 
- items: - type: string - maxItems: 1000 - nullable: true - type: array - agents: - type: number - cloud_connector_id: - description: >- - ID of the cloud connector associated with this package - policy. - nullable: true - type: string - cloud_connector_name: - description: >- - Transient field for cloud connector name during - creation. - maxLength: 255 - minLength: 1 - nullable: true - type: string - condition: - description: >- - **Experimental.** Agent condition expression to - evaluate whether to apply this integration to its - inputs. - type: string - created_at: - type: string - created_by: - type: string - description: - description: Package policy description - type: string - elasticsearch: - additionalProperties: true - type: object - properties: - privileges: - additionalProperties: true - type: object - properties: - cluster: - items: - type: string - maxItems: 100 - type: array - enabled: - type: boolean - global_data_tags: - items: - additionalProperties: false - type: object - properties: - name: - description: >- - The name of the custom field. Cannot contain - spaces. - type: string - value: - anyOf: - - type: string - - type: number - description: The value of the custom field. - required: - - name - - value - maxItems: 100 - nullable: true - type: array - id: - description: Package policy unique identifier. - type: string - inputs: - anyOf: - - items: - additionalProperties: false - type: object - properties: - compiled_input: - nullable: true - condition: - description: >- - **Experimental.** Agent condition expression - to evaluate whether to apply this input. 
- type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration - documentation for more information) - type: object - deprecated: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_deprecation_info - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - condition: - description: >- - **Experimental.** Agent condition - expression to evaluate whether to apply - this stream. - type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration - documentation for more information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_deprecation_info - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: >- - Variable group selections. Maps - var_group name to the selected option - name within that group. 
- type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration - documentation for more information) - type: object - required: - - enabled - - data_stream - - compiled_stream - - deprecated - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: >- - Variable group selections. Maps var_group - name to the selected option name within that - group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration - documentation for more information) - type: object - required: - - type - - enabled - - streams - - deprecated - - compiled_input - maxItems: 100 - type: array - - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: >- - **Experimental.** Agent condition expression - to evaluate whether to apply this input. - type: string - deprecated: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_deprecation_info - enabled: - description: >- - Enable or disable that input. Defaults to - `true` (enabled). - type: boolean - streams: - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: >- - **Experimental.** Agent condition - expression to evaluate whether to apply - this stream. - type: string - deprecated: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_deprecation_info - enabled: - description: >- - Enable or disable that stream. Defaults - to `true` (enabled). - type: boolean - var_group_selections: - additionalProperties: - type: string - description: >- - Variable group selections. 
Maps - var_group name to the selected option - name within that group. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: >- - Input/stream level variable. Refer to - the integration documentation for more - information. - type: object - required: - - deprecated - description: >- - Input streams. Refer to the integration - documentation to know which streams are - available. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: >- - Input/stream level variable. Refer to the - integration documentation for more - information. - type: object - required: - - deprecated - description: >- - Package policy inputs. Refer to the integration - documentation to know which inputs are available. - type: object - x-oas-optional: true - description: Package policy inputs. - is_managed: - type: boolean - name: - description: Unique name for the package policy. - type: string - namespace: - description: >- - The package policy namespace. Leave blank to inherit - the agent policy's namespace. - type: string - output_id: - nullable: true - type: string - overrides: - additionalProperties: false - description: >- - Override settings that are defined in the package - policy. The override option should be used only in - unusual circumstances and not as a routine procedure. 
- nullable: true - type: object - properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_package_policy_package - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: >- - ID of the agent policy which the package policy will - be added to. - nullable: true - type: string - policy_ids: - items: - description: >- - IDs of the agent policies which that package policy - will be added to. - type: string - maxItems: 1000 - type: array - revision: - description: Package policy revision. - type: number - secret_references: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 1000 - type: array - spaceIds: - items: - type: string - maxItems: 100 - type: array - supports_agentless: - default: false - description: >- - Indicates whether the package policy belongs to an - agentless agent policy. - nullable: true - type: boolean - supports_cloud_connector: - default: false - description: >- - Indicates whether the package policy supports cloud - connectors. - nullable: true - type: boolean - updated_at: - type: string - updated_by: - type: string - var_group_selections: - additionalProperties: - type: string - description: >- - Variable group selections. Maps var_group name to the - selected option name within that group. 
- type: object - vars: - anyOf: - - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation - for more information) - type: object - - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: >- - Input/stream level variable. Refer to the - integration documentation for more information. - type: object - x-oas-optional: true - description: Package level variable. - version: - description: Package policy ES version. - type: string - required: - - name - - enabled - - package - - inputs - - id - - revision - - updated_at - - updated_by - - created_at - - created_by + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get a package + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Install a specific version of a package from the Elastic Package Registry.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-pkgname-pkgversion + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Package name + in: path + name: pkgName + required: true + schema: + type: string + - description: Package version + in: path + name: pkgVersion + required: true + schema: + type: string + - description: When true, allow installing prerelease versions + in: query + name: prerelease + required: false + schema: + type: boolean + - description: When true, ignore mapping update errors during installation + in: query + name: ignoreMappingUpdateErrors + required: false + schema: + default: false + type: boolean + - description: When true, skip data stream rollover after installation + in: query + name: skipDataStreamRollover + required: false + schema: + default: false + type: boolean + - description: Skip dependency validation when installing a package with dependencies + in: query + name: skipDependencyCheck + required: false + schema: + default: false + type: boolean + requestBody: + content: + application/json: + examples: + postInstallPackageRequestExample: + description: Install a package, optionally ignoring constraints + value: + ignore_constraints: false + schema: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_install_package_from_registry_request' + nullable: true + responses: + '200': + content: + application/json: + examples: + postInstallPackageExample: + description: Package successfully installed + value: + _meta: + install_source: registry + items: + - id: aws-logs-aws.cloudwatch_logs-default + type: index_template + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_install_package_response' + description: Successful response + '400': + content: + application/json: + examples: + 
genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number required: - - item - description: Indicates a successful response + - message + - attributes + description: Bad Request + summary: Install a package from the registry + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update settings for a specific version of a package.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: put-fleet-epm-packages-pkgname-pkgversion + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Package name + in: path + name: pkgName + required: true + schema: + type: string + - description: Package version + in: path + name: pkgVersion + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + putUpdatePackageNamespaceCustomizationExample: + description: Enable namespace-level customization for the `production` and `staging` namespaces + value: + namespace_customization_enabled_for: + - production + - staging + putUpdatePackageRequestExample: + description: Update keep_policies_up_to_date setting for a package + value: + keepPoliciesUpToDate: true + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_update_package_request' + responses: + '200': + content: + application/json: + examples: + putUpdatePackageExample: + description: Updated package settings + value: + item: + keepPoliciesUpToDate: true + name: aws + version: 2.10.0 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_update_package_response' + description: Successful response '400': content: application/json: @@ -22824,16 +38033,62 @@ paths: - message - attributes description: Bad Request - '409': + summary: Update package settings + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the contents of a specific file from a package.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-packages-pkgname-pkgversion-filepath + parameters: + - description: Package name + in: path + name: pkgName + required: true + schema: + type: string + - description: Package version + in: path + name: pkgVersion + required: true + schema: + type: string + - description: File path within the package + in: path + name: filePath + required: true + schema: + type: string + responses: + '200': content: application/json: examples: - conflictErrorResponseExample: - description: Example of a conflict error response + getPackageFileExample: + description: The content of the requested package file + value: + schema: {} + description: Successful response — returns the file content + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response value: - error: Conflict + error: Bad Request message: An error message describing what went wrong - statusCode: 409 + statusCode: 400 schema: additionalProperties: false description: Generic Error @@ -22852,15 +38107,24 @@ paths: required: - message - attributes - description: Conflict - summary: Create an agentless policy + description: Bad Request + summary: Get a package file tags: - - Fleet agentless policies - x-state: Technical Preview; added in 9.3.0 - /api/fleet/agentless_policies/{policyId}: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/packages/{pkgName}/{pkgVersion}/datastream_assets: delete: - description: Delete an agentless policy - operationId: delete-fleet-agentless-policies-policyid + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/datastream_assets
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete datastream assets for a specific input package, by data stream name.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: delete-fleet-epm-packages-pkgname-pkgversion-datastream-assets parameters: - description: A required header to protect against CSRF attacks in: header @@ -22869,41 +38133,38 @@ paths: schema: example: 'true' type: string - - description: The ID of the policy to delete. + - description: Package name in: path - name: policyId + name: pkgName required: true schema: type: string - - description: Force delete the policy even if the policy is managed. + - description: Package version + in: path + name: pkgVersion + required: true + schema: + type: string + - description: The ID of the package policy in: query - name: force - required: false + name: packagePolicyId + required: true schema: - type: boolean + type: string responses: '200': content: application/json: examples: - createAgentlessPoliciesResponseExample: - description: >- - Example response showing the successful result of - communication initialisation over MCP protocol + deletePackageDatastreamAssetsExample: + description: Package datastream assets successfully deleted value: - item: - id: d52a7812-5736-4fdc-aed8-72152afa1ffa + items: + - id: logs-my_package.access-default + type: index_template schema: - additionalProperties: false - description: Response for deleting an agentless package policy. - type: object - properties: - id: - description: The ID of the deleted agentless package policy. - type: string - required: - - id - description: Indicates a successful response + $ref: '#/components/schemas/Kibana_HTTP_APIs_delete_package_datastream_assets_response' + description: Successful response '400': content: application/json: 
@@ -22933,16 +38194,63 @@ paths: - message - attributes description: Bad Request - '409': + summary: Delete assets for an input package + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/packages/{pkgName}/{pkgVersion}/dependencies: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/dependencies
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the list of packages that a specific package depends on.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-packages-pkgname-pkgversion-dependencies + parameters: + - description: Package name + in: path + name: pkgName + required: true + schema: + type: string + - description: Package version + in: path + name: pkgVersion + required: true + schema: + type: string + responses: + '200': content: application/json: examples: - conflictErrorResponseExample: - description: Example of a conflict error response + dependenciesResponse: value: - error: Conflict - message: An error message describing what went wrong - statusCode: 409 + items: + - name: aws + title: AWS + version: ^2.0.0 + - name: system + title: System + version: ^1.0.0 + noDependenciesResponse: + value: + items: [] + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_dependencies_response' + description: 'OK: A successful request.' + '400': + content: + application/json: + examples: + packageNotFoundResponse: + value: + message: '[my-package-1.0.0] package not found in registry' schema: additionalProperties: false description: Generic Error @@ -22961,515 +38269,239 @@ paths: required: - message - attributes - description: Conflict - summary: Delete an agentless policy + description: A bad request. + summary: Get package dependencies tags: - - Fleet agentless policies - x-state: Technical Preview; added in 9.3.0 - /api/fleet/agents: - get: - description: >- - List agents, with optional filtering and pagination.

[Required - authorization] Route required privileges: fleet-agents-read. - operationId: get-fleet-agents + - Elastic Package Manager (EPM) + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete Kibana assets (dashboards, visualizations, etc.) for a specific package version.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: delete-fleet-epm-packages-pkgname-pkgversion-kibana-assets parameters: - - description: Page number - in: query - name: page - required: false - schema: - type: number - - description: Number of results per page - in: query - name: perPage - required: false - schema: - default: 20 - type: number - - description: A KQL query string to filter results - in: query - name: kuery - required: false + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: + example: 'true' type: string - - description: When true, include agentless agents in the results - in: query - name: showAgentless - required: false - schema: - default: true - type: boolean - - description: When true, include inactive agents in the results - in: query - name: showInactive - required: false - schema: - default: false - type: boolean - - description: When true, include CPU and memory metrics in the response - in: query - name: withMetrics - required: false + - description: Package name + in: path + name: pkgName + required: true schema: - default: false - type: boolean - - description: When true, only return agents that are upgradeable - in: query - name: showUpgradeable - required: false + type: string + - description: Package version + in: path + name: pkgVersion + required: true schema: - default: false - type: boolean - - description: When true, return a summary of agent statuses in the response - in: query - name: getStatusSummary - required: false + type: string + responses: + '200': + content: + application/json: + examples: + deleteKibanaAssetsExample: + description: Kibana assets successfully deleted + value: + items: + - id: dashboard-id-1 + type: dashboard + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_install_kibana_assets_response' + description: Successful response + '400': + content: + application/json: 
+ examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Delete Kibana assets for a package + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Install Kibana assets (dashboards, visualizations, etc.) for a specific package version.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-pkgname-pkgversion-kibana-assets + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - default: false - type: boolean - - description: Field to sort results by - in: query - name: sortField - required: false + example: 'true' + type: string + - description: Package name + in: path + name: pkgName + required: true schema: type: string - - description: Sort order, ascending or descending - in: query - name: sortOrder - required: false + - description: Package version + in: path + name: pkgVersion + required: true schema: - enum: - - asc - - desc type: string - - description: JSON-encoded array of sort values for `search_after` pagination - in: query - name: searchAfter - required: false + requestBody: + content: + application/json: + examples: + postInstallKibanaAssetsRequestExample: + description: Install Kibana assets for a specific package version + value: {} + schema: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_install_kibana_assets_request' + nullable: true + responses: + '200': + content: + application/json: + examples: + postInstallKibanaAssetsExample: + description: Kibana assets successfully installed + value: + items: + - id: dashboard-id-1 + type: dashboard + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_install_kibana_assets_response' + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + 
statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Install Kibana assets for a package + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/packages/{pkgName}/{pkgVersion}/rule_assets: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/rule_assets
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Install Kibana alert rule assets for a specific package version.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-pkgname-pkgversion-rule-assets + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: + example: 'true' type: string - - description: When true, opens a new point-in-time for pagination - in: query - name: openPit - required: false - schema: - type: boolean - - description: Point-in-time ID for pagination - in: query - name: pitId - required: false + - description: Package name + in: path + name: pkgName + required: true schema: type: string - - description: Duration to keep the point-in-time alive, for example, `1m` - in: query - name: pitKeepAlive - required: false + - description: Package version + in: path + name: pkgVersion + required: true schema: type: string + requestBody: + content: + application/json: + examples: + postInstallRuleAssetsRequestExample: + description: Install alert rule assets for a specific package version + value: {} + schema: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_install_rule_assets_request' + nullable: true responses: '200': content: application/json: examples: - getAgentsExample: - description: List of agents + postInstallRuleAssetsExample: + description: Rule assets successfully installed value: items: - - active: true - enrolled_at: '2024-01-01T00:00:00.000Z' - id: agent-id-1 - policy_id: agent-policy-id-1 - policy_revision: 1 - status: online - type: PERMANENT - updated_at: '2024-01-01T00:00:00.000Z' - page: 1 - perPage: 20 - total: 1 + - id: rule-asset-id-1 + type: security_rule schema: - additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: false - type: object - properties: - access_api_key: - type: string - access_api_key_id: - type: string - active: - type: boolean - agent: - additionalProperties: true - type: object - properties: - id: - type: 
string - type: - type: string - version: - type: string - required: - - id - - version - audit_unenrolled_reason: - type: string - capabilities: - items: - type: string - maxItems: 100 - type: array - components: - items: - additionalProperties: false - type: object - properties: - id: - type: string - message: - type: string - status: - enum: - - STARTING - - CONFIGURING - - HEALTHY - - DEGRADED - - FAILED - - STOPPING - - STOPPED - type: string - type: - type: string - units: - items: - additionalProperties: false - type: object - properties: - id: - type: string - message: - type: string - payload: - additionalProperties: - nullable: true - type: object - status: - enum: - - STARTING - - CONFIGURING - - HEALTHY - - DEGRADED - - FAILED - - STOPPING - - STOPPED - type: string - type: - enum: - - input - - output - - '' - type: string - required: - - id - - type - - status - - message - maxItems: 10000 - type: array - required: - - id - - type - - status - - message - maxItems: 10000 - type: array - default_api_key: - type: string - default_api_key_history: - items: - additionalProperties: false - deprecated: true - type: object - properties: - id: - type: string - retired_at: - type: string - required: - - id - - retired_at - maxItems: 100 - type: array - default_api_key_id: - type: string - effective_config: - nullable: true - enrolled_at: - type: string - health: - additionalProperties: - nullable: true - type: object - id: - type: string - identifying_attributes: - additionalProperties: - type: string - type: object - last_checkin: - type: string - last_checkin_message: - type: string - last_checkin_status: - enum: - - error - - online - - degraded - - updating - - starting - - disconnected - type: string - last_known_status: - enum: - - offline - - error - - online - - inactive - - enrolling - - unenrolling - - unenrolled - - updating - - degraded - - uninstalled - - orphaned - type: string - local_metadata: - additionalProperties: - nullable: true - type: 
object - metrics: - additionalProperties: false - type: object - properties: - cpu_avg: - type: number - memory_size_byte_avg: - type: number - namespaces: - items: - type: string - maxItems: 100 - type: array - non_identifying_attributes: - additionalProperties: - type: string - type: object - outputs: - additionalProperties: - additionalProperties: false - type: object - properties: - api_key_id: - type: string - to_retire_api_key_ids: - items: - additionalProperties: false - type: object - properties: - id: - type: string - retired_at: - type: string - required: - - id - - retired_at - maxItems: 100 - type: array - type: - type: string - type: object - packages: - items: - type: string - maxItems: 10000 - type: array - policy_id: - type: string - policy_revision: - nullable: true - type: number - sequence_num: - type: number - signals: - items: - type: string - maxItems: 50 - type: array - sort: - items: - nullable: true - maxItems: 10 - type: array - status: - enum: - - offline - - error - - online - - inactive - - enrolling - - unenrolling - - unenrolled - - updating - - degraded - - uninstalled - - orphaned - type: string - tags: - items: - type: string - maxItems: 100 - type: array - type: - enum: - - PERMANENT - - EPHEMERAL - - TEMPORARY - - OPAMP - type: string - unenrolled_at: - type: string - unenrollment_started_at: - type: string - unhealthy_reason: - items: - enum: - - input - - output - - other - type: string - maxItems: 3 - nullable: true - type: array - upgrade: - additionalProperties: false - type: object - properties: - rollbacks: - items: - additionalProperties: false - type: object - properties: - valid_until: - type: string - version: - type: string - required: - - valid_until - - version - maxItems: 100 - type: array - upgrade_attempts: - items: - type: string - maxItems: 10000 - nullable: true - type: array - upgrade_details: - additionalProperties: false - nullable: true - type: object - properties: - action_id: - type: string - metadata: - 
additionalProperties: false - type: object - properties: - download_percent: - type: number - download_rate: - type: number - error_msg: - type: string - failed_state: - enum: - - UPG_REQUESTED - - UPG_SCHEDULED - - UPG_DOWNLOADING - - UPG_EXTRACTING - - UPG_REPLACING - - UPG_RESTARTING - - UPG_FAILED - - UPG_WATCHING - - UPG_ROLLBACK - type: string - reason: - type: string - retry_error_msg: - type: string - retry_until: - type: string - scheduled_at: - type: string - state: - enum: - - UPG_REQUESTED - - UPG_SCHEDULED - - UPG_DOWNLOADING - - UPG_EXTRACTING - - UPG_REPLACING - - UPG_RESTARTING - - UPG_FAILED - - UPG_WATCHING - - UPG_ROLLBACK - type: string - target_version: - type: string - required: - - target_version - - action_id - - state - upgrade_started_at: - nullable: true - type: string - upgraded_at: - nullable: true - type: string - user_provided_metadata: - additionalProperties: - nullable: true - type: object - required: - - id - - packages - - type - - active - - enrolled_at - - local_metadata - - effective_config - maxItems: 10000 - type: array - nextSearchAfter: - type: string - page: - type: number - perPage: - type: number - pit: - type: string - statusSummary: - additionalProperties: - type: number - type: object - total: - type: number - required: - - items - - total - - page - - perPage + $ref: '#/components/schemas/Kibana_HTTP_APIs_install_kibana_assets_response' description: Successful response '400': content: @@ -23500,14 +38532,23 @@ paths: - message - attributes description: Bad Request - summary: Get agents + summary: Install Kibana alert rule for a package tags: - - Elastic Agents + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/packages/{pkgName}/{pkgVersion}/transforms/authorize: post: - description: >- - Retrieve agents associated with specific action IDs.

[Required - authorization] Route required privileges: fleet-agents-read. - operationId: post-fleet-agents + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/transforms/authorize
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Reauthorize Elasticsearch transforms installed by a package with secondary authorization headers. + operationId: post-fleet-epm-packages-pkgname-pkgversion-transforms-authorize parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -23516,52 +38557,64 @@ paths: schema: example: 'true' type: string + - description: Package name + in: path + name: pkgName + required: true + schema: + type: string + - description: Package version + in: path + name: pkgVersion + required: true + schema: + type: string + - description: When true, allow prerelease versions + in: query + name: prerelease + required: false + schema: + type: boolean requestBody: content: application/json: examples: - postGetAgentsByActionsRequestExample: - description: Retrieve agents associated with specific action IDs + postReauthorizeTransformsRequestExample: + description: Reauthorize transforms for a package value: - actionIds: - - action-id-1 - - action-id-2 + transforms: + - destinations: + - index: logs-transform-dest + transformId: logs-transform-1 schema: - additionalProperties: false - type: object - properties: - actionIds: - items: - type: string - maxItems: 1000 - type: array - required: - - actionIds + $ref: '#/components/schemas/Kibana_HTTP_APIs_reauthorize_transform_request' responses: '200': content: application/json: examples: - postGetAgentsByActionsExample: - description: Agents associated with the given actions + postReauthorizeTransformsExample: + description: Transforms successfully reauthorized value: - items: - - active: true - id: agent-id-1 - policy_id: agent-policy-id-1 - status: online - total: 1 + - success: true + transformId: logs-transform-1 schema: - additionalProperties: false - type: object - properties: - items: - items: + items: + additionalProperties: false + type: object + properties: + error: + nullable: true + success: + type: boolean + transformId: type: string - maxItems: 10000 - type: array - required: - - items + required: + - transformId + - success + - error + maxItems: 10000 + type: array description: Successful response '400': content: 
@@ -23592,15 +38645,23 @@ paths: - message - attributes description: Bad Request - summary: Get agents by action ids + summary: Authorize transforms tags: - - Elastic Agents - /api/fleet/agents/{agentId}: - delete: - description: >- - Delete an agent by ID.

[Required authorization] Route required - privileges: fleet-agents-all. - operationId: delete-fleet-agents-agentid + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/packages/{pkgName}/review_upgrade: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/review_upgrade
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Review and accept or reject a pending policy upgrade for a package that contains deprecations.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-pkgname-review-upgrade parameters: - description: A required header to protect against CSRF attacks in: header @@ -23609,43 +38670,40 @@ paths: schema: example: 'true' type: string - - description: The agent ID + - description: Package name to review upgrade for in: path - name: agentId + name: pkgName required: true schema: type: string + requestBody: + content: + application/json: + examples: + acceptUpgrade: + value: + action: accept + target_version: 2.0.0 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_review_upgrade_request' responses: '200': content: application/json: examples: - deleteAgentExample: - description: Agent successfully deleted + successResponse: value: - id: agent-id-1 success: true schema: - additionalProperties: false - type: object - properties: - action: - enum: - - deleted - type: string - required: - - action - description: Successful response + $ref: '#/components/schemas/Kibana_HTTP_APIs_review_upgrade_response' + description: 'OK: A successful request.' '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequestResponse: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + message: Bad Request schema: additionalProperties: false description: Generic Error 
@@ -23664,430 +38722,114 @@ paths: required: - message - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No agent was found with the given ID - value: - error: Not Found - message: Agent agent-id-1 not found - statusCode: 404 - description: Not Found - summary: Delete an agent + description: A bad request. + summary: Review a pending policy upgrade for a package with deprecations tags: - - Elastic Agents - get: - description: >- - Get an agent by ID.

[Required authorization] Route required - privileges: fleet-agents-read. - operationId: get-fleet-agents-agentid + - Elastic Package Manager (EPM) + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/packages/{pkgName}/rollback: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/rollback
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Rollback a package to its previously installed version.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-pkgname-rollback parameters: - - description: The agent ID - in: path - name: agentId + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: + example: 'true' type: string - - description: When true, include CPU and memory metrics in the response - in: query - name: withMetrics - required: false + - description: Package name to roll back + in: path + name: pkgName + required: true schema: - default: false - type: boolean + type: string responses: '200': content: application/json: examples: - getAgentExample: - description: Agent details + successResponse: value: - item: - active: true - agent_id: agent-id-1 - enrolled_at: '2024-01-01T00:00:00.000Z' - id: agent-id-1 - local_metadata: - elastic: - agent: - version: 8.17.0 - host: - hostname: my-host - os: - name: linux - policy_id: agent-policy-id-1 - policy_revision: 1 - status: online - type: PERMANENT - updated_at: '2024-01-01T00:00:00.000Z' + success: true + version: 1.0.0 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rollback_package_response' + description: 'OK: A successful request.' 
+ '400': + content: + application/json: + examples: + badRequestResponse: + value: + message: Bad Request schema: additionalProperties: false + description: Generic Error type: object properties: - item: - additionalProperties: false - type: object - properties: - access_api_key: - type: string - access_api_key_id: - type: string - active: - type: boolean - agent: - additionalProperties: true - type: object - properties: - id: - type: string - type: - type: string - version: - type: string - required: - - id - - version - audit_unenrolled_reason: - type: string - capabilities: - items: - type: string - maxItems: 100 - type: array - components: - items: - additionalProperties: false - type: object - properties: - id: - type: string - message: - type: string - status: - enum: - - STARTING - - CONFIGURING - - HEALTHY - - DEGRADED - - FAILED - - STOPPING - - STOPPED - type: string - type: - type: string - units: - items: - additionalProperties: false - type: object - properties: - id: - type: string - message: - type: string - payload: - additionalProperties: - nullable: true - type: object - status: - enum: - - STARTING - - CONFIGURING - - HEALTHY - - DEGRADED - - FAILED - - STOPPING - - STOPPED - type: string - type: - enum: - - input - - output - - '' - type: string - required: - - id - - type - - status - - message - maxItems: 10000 - type: array - required: - - id - - type - - status - - message - maxItems: 10000 - type: array - default_api_key: - type: string - default_api_key_history: - items: - additionalProperties: false - deprecated: true - type: object - properties: - id: - type: string - retired_at: - type: string - required: - - id - - retired_at - maxItems: 100 - type: array - default_api_key_id: - type: string - effective_config: - nullable: true - enrolled_at: - type: string - health: - additionalProperties: - nullable: true - type: object - id: - type: string - identifying_attributes: - additionalProperties: - type: string - type: object - 
last_checkin: - type: string - last_checkin_message: - type: string - last_checkin_status: - enum: - - error - - online - - degraded - - updating - - starting - - disconnected - type: string - last_known_status: - enum: - - offline - - error - - online - - inactive - - enrolling - - unenrolling - - unenrolled - - updating - - degraded - - uninstalled - - orphaned - type: string - local_metadata: - additionalProperties: - nullable: true - type: object - metrics: - additionalProperties: false - type: object - properties: - cpu_avg: - type: number - memory_size_byte_avg: - type: number - namespaces: - items: - type: string - maxItems: 100 - type: array - non_identifying_attributes: - additionalProperties: - type: string - type: object - outputs: - additionalProperties: - additionalProperties: false - type: object - properties: - api_key_id: - type: string - to_retire_api_key_ids: - items: - additionalProperties: false - type: object - properties: - id: - type: string - retired_at: - type: string - required: - - id - - retired_at - maxItems: 100 - type: array - type: - type: string - type: object - packages: - items: - type: string - maxItems: 10000 - type: array - policy_id: - type: string - policy_revision: - nullable: true - type: number - sequence_num: - type: number - signals: - items: - type: string - maxItems: 50 - type: array - sort: - items: - nullable: true - maxItems: 10 - type: array - status: - enum: - - offline - - error - - online - - inactive - - enrolling - - unenrolling - - unenrolled - - updating - - degraded - - uninstalled - - orphaned - type: string - tags: - items: - type: string - maxItems: 100 - type: array - type: - enum: - - PERMANENT - - EPHEMERAL - - TEMPORARY - - OPAMP - type: string - unenrolled_at: - type: string - unenrollment_started_at: - type: string - unhealthy_reason: - items: - enum: - - input - - output - - other - type: string - maxItems: 3 - nullable: true - type: array - upgrade: - additionalProperties: false - type: object - 
properties: - rollbacks: - items: - additionalProperties: false - type: object - properties: - valid_until: - type: string - version: - type: string - required: - - valid_until - - version - maxItems: 100 - type: array - upgrade_attempts: - items: - type: string - maxItems: 10000 - nullable: true - type: array - upgrade_details: - additionalProperties: false - nullable: true - type: object - properties: - action_id: - type: string - metadata: - additionalProperties: false - type: object - properties: - download_percent: - type: number - download_rate: - type: number - error_msg: - type: string - failed_state: - enum: - - UPG_REQUESTED - - UPG_SCHEDULED - - UPG_DOWNLOADING - - UPG_EXTRACTING - - UPG_REPLACING - - UPG_RESTARTING - - UPG_FAILED - - UPG_WATCHING - - UPG_ROLLBACK - type: string - reason: - type: string - retry_error_msg: - type: string - retry_until: - type: string - scheduled_at: - type: string - state: - enum: - - UPG_REQUESTED - - UPG_SCHEDULED - - UPG_DOWNLOADING - - UPG_EXTRACTING - - UPG_REPLACING - - UPG_RESTARTING - - UPG_FAILED - - UPG_WATCHING - - UPG_ROLLBACK - type: string - target_version: - type: string - required: - - target_version - - action_id - - state - upgrade_started_at: - nullable: true - type: string - upgraded_at: - nullable: true - type: string - user_provided_metadata: - additionalProperties: - nullable: true - type: object - required: - - id - - packages - - type - - active - - enrolled_at - - local_metadata - - effective_config + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number required: - - item + - message + - attributes + description: A bad request. 
+ summary: Rollback a package to previous version + tags: + - Elastic Package Manager (EPM) + x-state: Experimental; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/packages/{pkgName}/stats: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/packages/{pkgName}/stats
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get usage statistics for a specific package, such as the number of agent policies using it.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-packages-pkgname-stats + parameters: + - description: Package name + in: path + name: pkgName + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getPackageStatsExample: + description: Usage stats for a specific package + value: + response: + agent_policy_count: 3 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_stats_response' description: Successful response '400': content: @@ -24118,446 +38860,510 @@ paths: - message - attributes description: Bad Request - '404': + summary: Get package stats + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/packages/installed: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/packages/installed
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all currently installed integration packages.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-packages-installed + parameters: + - description: Filter by data stream type + in: query + name: dataStreamType + required: false + schema: + enum: + - logs + - metrics + - traces + - synthetics + - profiling + type: string + - description: When true, only return packages with active data streams + in: query + name: showOnlyActiveDataStreams + required: false + schema: + type: boolean + - description: Filter packages by name + in: query + name: nameQuery + required: false + schema: + type: string + - description: Sort values from the previous page for `search_after` pagination + in: query + name: searchAfter + required: false + schema: + items: + anyOf: + - type: string + - type: number + maxItems: 10 + type: array + - description: Number of results per page + in: query + name: perPage + required: false + schema: + default: 15 + type: number + - description: Sort order, ascending or descending + in: query + name: sortOrder + required: false + schema: + default: asc + enum: + - asc + - desc + type: string + responses: + '200': content: application/json: examples: - notFoundExample: - description: No agent was found with the given ID + getInstalledPackagesExample: + description: List of installed integration packages value: - error: Not Found - message: Agent agent-id-1 not found - statusCode: 404 - description: Not Found - summary: Get an agent + items: + - name: system + status: installed + title: System + version: 1.55.0 + - name: elastic_agent + status: installed + title: Elastic Agent + version: 1.15.0 + searchExcluded: 0 + total: 2 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_installed_packages_response' + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error 
message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get installed packages tags: - - Elastic Agents - put: - description: >- - Update an agent by ID.

[Required authorization] Route required - privileges: fleet-agents-all. - operationId: put-fleet-agents-agentid + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/packages/limited: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/packages/limited
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the list of packages that cannot be uninstalled (e.g. elastic_agent, fleet_server).

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-packages-limited + parameters: [] + responses: + '200': + content: + application/json: + examples: + getLimitedPackagesExample: + description: List of packages that cannot be uninstalled + value: + items: + - elastic_agent + - fleet_server + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_limited_packages_response' + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get a limited package list + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get an inputs template for a package, used to pre-populate package policy forms.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-templates-pkgname-pkgversion-inputs parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf + - description: Package name + in: path + name: pkgName required: true schema: - example: 'true' type: string - - description: The agent ID + - description: Package version in: path - name: agentId + name: pkgVersion required: true schema: type: string - requestBody: - content: - application/json: - examples: - putAgentRequestExample: - description: Update agent tags - value: - tags: - - production - - linux - schema: - additionalProperties: false - type: object - properties: - tags: - items: - type: string - maxItems: 10 - type: array - user_provided_metadata: - additionalProperties: + - description: 'Output format for the inputs template: json, yml, or yaml' + in: query + name: format + required: false + schema: + default: json + enum: + - json + - yml + - yaml + type: string + - description: When true, allow prerelease versions + in: query + name: prerelease + required: false + schema: + type: boolean + - description: When true, return inputs even if the package signature cannot be verified + in: query + name: ignoreUnverified + required: false + schema: + type: boolean + responses: + '200': + content: + application/json: + examples: + getInputsTemplateExample: + description: Inputs template for a package + value: + inputs: + - description: Collect logs from log files + title: Collect logs from files + type: logfile + vars: + - name: paths + required: true + title: Paths + type: text + schema: + anyOf: + - type: string + - $ref: '#/components/schemas/Kibana_HTTP_APIs_get_inputs_response' + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: 
An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: nullable: true - type: object + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get an inputs template + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/verification_key_id: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/verification_key_id
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the GPG key ID used to verify the signatures of packages from the Elastic Package Registry.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-verification-key-id + parameters: [] responses: '200': content: application/json: examples: - putAgentExample: - description: Updated agent details + getVerificationKeyIdExample: + description: The GPG key ID used to verify package signatures value: - item: - active: true - enrolled_at: '2024-01-01T00:00:00.000Z' - id: agent-id-1 - policy_id: agent-policy-id-1 - policy_revision: 1 - status: online - tags: - - production - - linux - type: PERMANENT - updated_at: '2024-01-01T00:00:00.000Z' + id: D27D666CD88E42B4 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_verification_key_id_response' + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: additionalProperties: false + description: Generic Error type: object properties: - item: - additionalProperties: false - type: object - properties: - access_api_key: - type: string - access_api_key_id: - type: string - active: - type: boolean - agent: - additionalProperties: true - type: object - properties: - id: - type: string - type: - type: string - version: - type: string - required: - - id - - version - audit_unenrolled_reason: - type: string - capabilities: - items: - type: string - maxItems: 100 - type: array - components: - items: - additionalProperties: false - type: object - properties: - id: - type: string - message: - type: string - status: - enum: - - STARTING - - CONFIGURING - - HEALTHY - - DEGRADED - - FAILED - - STOPPING - - STOPPED - type: string - type: - type: string - units: - items: - additionalProperties: false - type: object - properties: - id: - type: string - message: - type: string - payload: - additionalProperties: - nullable: true - type: 
object - status: - enum: - - STARTING - - CONFIGURING - - HEALTHY - - DEGRADED - - FAILED - - STOPPING - - STOPPED - type: string - type: - enum: - - input - - output - - '' - type: string - required: - - id - - type - - status - - message - maxItems: 10000 - type: array - required: - - id - - type - - status - - message - maxItems: 10000 - type: array - default_api_key: - type: string - default_api_key_history: - items: - additionalProperties: false - deprecated: true - type: object - properties: - id: - type: string - retired_at: - type: string - required: - - id - - retired_at - maxItems: 100 - type: array - default_api_key_id: - type: string - effective_config: - nullable: true - enrolled_at: - type: string - health: - additionalProperties: - nullable: true - type: object - id: - type: string - identifying_attributes: - additionalProperties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get a package signature verification key ID + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/fleet_server_hosts: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/fleet_server_hosts
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all Fleet Server hosts.

[Required authorization] Route required privileges: fleet-agents-all OR fleet-settings-read. + operationId: get-fleet-fleet-server-hosts + parameters: [] + responses: + '200': + content: + application/json: + examples: + getFleetServerHostsExample: + description: List of Fleet Server hosts + value: + items: + - host_urls: + - https://fleet-server.example.com:8220 + id: fleet-server-host-id-1 + is_default: true + is_preconfigured: false + name: Default Fleet Server + page: 1 + perPage: 20 + total: 1 + schema: + additionalProperties: false + type: object + properties: + items: + items: + additionalProperties: false + type: object + properties: + host_urls: + items: + type: string + maxItems: 10 + minItems: 1 + type: array + id: type: string - type: object - last_checkin: - type: string - last_checkin_message: - type: string - last_checkin_status: - enum: - - error - - online - - degraded - - updating - - starting - - disconnected - type: string - last_known_status: - enum: - - offline - - error - - online - - inactive - - enrolling - - unenrolling - - unenrolled - - updating - - degraded - - uninstalled - - orphaned - type: string - local_metadata: - additionalProperties: - nullable: true - type: object - metrics: - additionalProperties: false - type: object - properties: - cpu_avg: - type: number - memory_size_byte_avg: - type: number - namespaces: - items: + is_default: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + default: false + type: boolean + name: type: string - maxItems: 100 - type: array - non_identifying_attributes: - additionalProperties: + proxy_id: + nullable: true type: string - type: object - outputs: - additionalProperties: + secrets: additionalProperties: false type: object properties: - api_key_id: - type: string - to_retire_api_key_ids: - items: - additionalProperties: false - type: object - properties: - id: - type: string - retired_at: - type: string - required: - - id - - retired_at - maxItems: 100 - 
type: array - type: - type: string - type: object - packages: - items: - type: string - maxItems: 10000 - type: array - policy_id: - type: string - policy_revision: - nullable: true - type: number - sequence_num: - type: number - signals: - items: - type: string - maxItems: 50 - type: array - sort: - items: - nullable: true - maxItems: 10 - type: array - status: - enum: - - offline - - error - - online - - inactive - - enrolling - - unenrolling - - unenrolled - - updating - - degraded - - uninstalled - - orphaned - type: string - tags: - items: - type: string - maxItems: 100 - type: array - type: - enum: - - PERMANENT - - EPHEMERAL - - TEMPORARY - - OPAMP - type: string - unenrolled_at: - type: string - unenrollment_started_at: - type: string - unhealthy_reason: - items: - enum: - - input - - output - - other - type: string - maxItems: 3 - nullable: true - type: array - upgrade: - additionalProperties: false - type: object - properties: - rollbacks: - items: + ssl: additionalProperties: false type: object properties: - valid_until: - type: string - version: - type: string - required: - - valid_until - - version - maxItems: 100 - type: array - upgrade_attempts: - items: - type: string - maxItems: 10000 - nullable: true - type: array - upgrade_details: - additionalProperties: false - nullable: true - type: object - properties: - action_id: - type: string - metadata: - additionalProperties: false - type: object - properties: - download_percent: - type: number - download_rate: - type: number - error_msg: - type: string - failed_state: - enum: - - UPG_REQUESTED - - UPG_SCHEDULED - - UPG_DOWNLOADING - - UPG_EXTRACTING - - UPG_REPLACING - - UPG_RESTARTING - - UPG_FAILED - - UPG_WATCHING - - UPG_ROLLBACK - type: string - reason: - type: string - retry_error_msg: + agent_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + es_key: + anyOf: + - additionalProperties: false + type: object + 
properties: + id: + type: string + required: + - id + - type: string + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + nullable: true + type: object + properties: + agent_certificate: + type: string + agent_certificate_authorities: + items: type: string - retry_until: + maxItems: 10 + type: array + agent_key: + type: string + certificate: + type: string + certificate_authorities: + items: type: string - scheduled_at: + maxItems: 10 + type: array + client_auth: + enum: + - optional + - required + - none + type: string + es_certificate: + type: string + es_certificate_authorities: + items: type: string - state: - enum: - - UPG_REQUESTED - - UPG_SCHEDULED - - UPG_DOWNLOADING - - UPG_EXTRACTING - - UPG_REPLACING - - UPG_RESTARTING - - UPG_FAILED - - UPG_WATCHING - - UPG_ROLLBACK - type: string - target_version: - type: string - required: - - target_version - - action_id - - state - upgrade_started_at: - nullable: true - type: string - upgraded_at: - nullable: true - type: string - user_provided_metadata: - additionalProperties: - nullable: true - type: object - required: - - id - - packages - - type - - active - - enrolled_at - - local_metadata - - effective_config + maxItems: 10 + type: array + es_key: + type: string + key: + type: string + required: + - name + - host_urls + - id + maxItems: 10000 + type: array + page: + type: number + perPage: + type: number + total: + type: number required: - - item + - items + - total + - page + - perPage description: Successful response '400': content: 
@@ -24588,26 +39394,22 @@ paths: - message - attributes description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No agent was found with the given ID - value: - error: Not Found - message: Agent agent-id-1 not found - statusCode: 404 - description: Not Found - summary: Update an agent by ID + summary: Get Fleet Server hosts tags: - - Elastic Agents - /api/fleet/agents/{agentId}/actions: + - Fleet Server hosts + x-metaTags: + - content: Kibana + name: product_name post: - description: >- - Create a new action for a specific agent.

[Required - authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-agentid-actions + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/fleet_server_hosts
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new Fleet Server host.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: post-fleet-fleet-server-hosts parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -24616,84 +39418,136 @@ paths: schema: example: 'true' type: string - - description: The agent ID - in: path - name: agentId - required: true - schema: - type: string requestBody: content: application/json: examples: - postAgentActionRequestExample: - description: Create a UNENROLL action for an agent + postFleetServerHostRequestExample: + description: Create a new Fleet Server host value: - action: - type: UNENROLL + host_urls: + - https://fleet-server.example.com:8220 + is_default: false + name: My Fleet Server schema: additionalProperties: false type: object properties: - action: - anyOf: - - additionalProperties: false - type: object - properties: - ack_data: - nullable: true - data: - nullable: true - type: - enum: - - UNENROLL - - UPGRADE - - POLICY_REASSIGN - type: string - required: - - type - - data - - ack_data - - additionalProperties: false + host_urls: + items: + type: string + maxItems: 10 + minItems: 1 + type: array + id: + type: string + is_default: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + default: false + type: boolean + name: + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + ssl: + additionalProperties: false type: object properties: - data: - additionalProperties: false - type: object - properties: - log_level: - enum: - - debug - - info - - warning - - error - nullable: true - type: string - required: - - log_level - type: - enum: - - SETTINGS - type: string - required: - - type - - data + agent_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + es_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + 
additionalProperties: false + nullable: true + type: object + properties: + agent_certificate: + type: string + agent_certificate_authorities: + items: + type: string + maxItems: 10 + type: array + agent_key: + type: string + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + client_auth: + enum: + - optional + - required + - none + type: string + es_certificate: + type: string + es_certificate_authorities: + items: + type: string + maxItems: 10 + type: array + es_key: + type: string + key: + type: string required: - - action + - name + - host_urls responses: '200': content: application/json: examples: - postAgentActionExample: - description: Created agent action + postFleetServerHostExample: + description: The created Fleet Server host value: item: - agents: - - agent-id-1 - created_at: '2024-01-01T00:00:00.000Z' - id: action-id-1 - type: UNENROLL + host_urls: + - https://fleet-server.example.com:8220 + id: fleet-server-host-id-2 + is_default: false + is_preconfigured: false + name: My Fleet Server schema: additionalProperties: false type: object 
@@ -24702,46 +39556,107 @@ paths: additionalProperties: false type: object properties: - ack_data: - nullable: true - agents: + host_urls: items: type: string - maxItems: 10000 + maxItems: 10 + minItems: 1 type: array - created_at: - type: string - data: - nullable: true - expiration: - type: string id: type: string - minimum_execution_duration: - type: number - namespaces: - items: - type: string - maxItems: 100 - type: array - rollout_duration_seconds: - type: number - sent_at: - type: string - source_uri: - type: string - start_time: + is_default: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + default: false + type: boolean + name: type: string - total: - type: number - type: + proxy_id: + nullable: true type: string + secrets: + additionalProperties: false + type: object + properties: + ssl: + additionalProperties: false + type: object + properties: + agent_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + es_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + nullable: true + type: object + properties: + agent_certificate: + type: string + agent_certificate_authorities: + items: + type: string + maxItems: 10 + type: array + agent_key: + type: string + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + client_auth: + enum: + - optional + - required + - none + type: string + es_certificate: + type: string + es_certificate_authorities: + items: + type: string + maxItems: 10 + type: array + es_key: + type: string + key: + type: string required: + - name + - host_urls - id - - type - - data - - created_at - - ack_data required: - item 
description: Successful response @@ -24774,74 +39689,23 @@ paths: - message - attributes description: Bad Request - summary: Create an agent action - tags: - - Elastic Agent actions - /api/fleet/agents/{agentId}/effective_config: - get: - description: >- - Get an agent's effective config by ID.

[Required authorization] - Route required privileges: fleet-agents-read. - operationId: get-fleet-agents-agentid-effective-config - parameters: - - description: The agent ID to get effective config of - in: path - name: agentId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - successResponse: - value: - effective_config: {} - schema: - additionalProperties: false - type: object - properties: - effective_config: - nullable: true - required: - - effective_config - description: 'OK: A successful request.' - '400': - content: - application/json: - examples: - badRequestResponse: - value: - message: Bad Request - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: A bad request. - summary: Get an agent's effective config + summary: Create a Fleet Server host tags: - - Elastic Agents - /api/fleet/agents/{agentId}/migrate: - post: - description: >- - Migrate a single agent to another cluster.

[Required - authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-agentid-migrate + - Fleet Server hosts + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/fleet_server_hosts/{itemId}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/fleet_server_hosts/{itemId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a Fleet Server host by ID.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: delete-fleet-fleet-server-hosts-itemid parameters: - description: A required header to protect against CSRF attacks in: header @@ -24850,89 +39714,29 @@ paths: schema: example: 'true' type: string - - description: The agent ID + - description: The ID of the Fleet Server host in: path - name: agentId + name: itemId required: true schema: type: string - requestBody: - content: - application/json: - examples: - postMigrateAgentRequestExample: - description: Migrate a single agent to another cluster - value: - enrollment_token: enrollment-token-value - settings: - retry_max: 5 - uri: https://fleet-server.example.com:8220 - schema: - additionalProperties: false - type: object - properties: - enrollment_token: - type: string - settings: - additionalProperties: false - type: object - properties: - ca_sha256: - type: string - certificate_authorities: - type: string - elastic_agent_cert: - type: string - elastic_agent_cert_key: - type: string - elastic_agent_cert_key_passphrase: - type: string - headers: - additionalProperties: - type: string - type: object - insecure: - type: boolean - proxy_disabled: - type: boolean - proxy_headers: - additionalProperties: - type: string - type: object - proxy_url: - type: string - replace_token: - type: string - staging: - type: string - tags: - items: - type: string - maxItems: 10 - type: array - uri: - format: uri - type: string - required: - - uri - - enrollment_token responses: '200': content: application/json: examples: - postMigrateAgentExample: - description: Agent migration initiated + deleteFleetServerHostExample: + description: The Fleet Server host was successfully deleted value: - actionId: action-id-1 + id: fleet-server-host-id-1 schema: additionalProperties: false type: object properties: - actionId: + id: type: string required: - - actionId + - id description: Successful response '400': content: 
@@ -24963,76 +39767,177 @@ paths: - message - attributes description: Bad Request - summary: Migrate a single agent + '404': + content: + application/json: + examples: + notFoundExample: + description: No Fleet Server host was found with the given ID + value: + error: Not Found + message: Fleet server fleet-server-host-id-1 not found + statusCode: 404 + description: Not Found + summary: Delete a Fleet Server host tags: - - Elastic Agents - /api/fleet/agents/{agentId}/privilege_level_change: - post: - description: >- - Change the privilege level of a single agent to - unprivileged.

[Required authorization] Route required - privileges: fleet-agents-all. - operationId: post-fleet-agents-agentid-privilege-level-change + - Fleet Server hosts + x-metaTags: + - content: Kibana + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/fleet_server_hosts/{itemId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a Fleet Server host by ID.

[Required authorization] Route required privileges: fleet-settings-read. + operationId: get-fleet-fleet-server-hosts-itemid parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The agent ID to change privilege level for + - description: The ID of the Fleet Server host in: path - name: agentId + name: itemId required: true schema: type: string - requestBody: - content: - application/json: - examples: - changeAgentPrivilegeLevelRequest: - value: - user_info: - groupname: groupname - password: password - username: username - schema: - additionalProperties: false - nullable: true - type: object - properties: - user_info: - additionalProperties: false - type: object - properties: - groupname: - type: string - password: - type: string - username: - type: string responses: '200': content: application/json: examples: - successResponse: + getFleetServerHostExample: + description: A Fleet Server host value: - actionId: actionId + item: + host_urls: + - https://fleet-server.example.com:8220 + id: fleet-server-host-id-1 + is_default: true + is_preconfigured: false + name: Default Fleet Server schema: - anyOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_action_id_response' - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_action_message_response - description: 'OK: A successful request.' 
+ additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + host_urls: + items: + type: string + maxItems: 10 + minItems: 1 + type: array + id: + type: string + is_default: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + default: false + type: boolean + name: + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + ssl: + additionalProperties: false + type: object + properties: + agent_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + es_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + nullable: true + type: object + properties: + agent_certificate: + type: string + agent_certificate_authorities: + items: + type: string + maxItems: 10 + type: array + agent_key: + type: string + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + client_auth: + enum: + - optional + - required + - none + type: string + es_certificate: + type: string + es_certificate_authorities: + items: + type: string + maxItems: 10 + type: array + es_key: + type: string + key: + type: string + required: + - name + - host_urls + - id + required: + - item + description: Successful response '400': content: application/json: examples: - badRequestResponse: + genericErrorResponseExample: + description: Example of a generic error response value: - message: Bad Request + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: additionalProperties: false description: Generic Error 
@@ -25051,17 +39956,34 @@ paths: required: - message - attributes - description: A bad request. - summary: Change agent privilege level + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No Fleet Server host was found with the given ID + value: + error: Not Found + message: Fleet server fleet-server-host-id-1 not found + statusCode: 404 + description: Not Found + summary: Get a Fleet Server host tags: - - Elastic Agents - x-state: Technical Preview; added in 9.3.0 - /api/fleet/agents/{agentId}/reassign: - post: - description: >- - Reassign an agent to a different agent policy.

[Required - authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-agentid-reassign + - Fleet Server hosts + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/fleet/fleet_server_hosts/{itemId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update a Fleet Server host by ID.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: put-fleet-fleet-server-hosts-itemid parameters: - description: A required header to protect against CSRF attacks in: header @@ -25070,9 +39992,9 @@ paths: schema: example: 'true' type: string - - description: The agent ID + - description: The ID of the Fleet Server host in: path - name: agentId + name: itemId required: true schema: type: string 
@@ -25080,30 +40002,236 @@ paths: content: application/json: examples: - postReassignAgentRequestExample: - description: Reassign an agent to a different policy + putFleetServerHostRequestExample: + description: Update a Fleet Server host value: - policy_id: agent-policy-id-2 + host_urls: + - https://updated-fleet-server.example.com:8220 + is_default: false + name: Updated Fleet Server schema: additionalProperties: false type: object properties: - policy_id: + host_urls: + items: + type: string + maxItems: 10 + minItems: 1 + type: array + is_default: + type: boolean + is_internal: + type: boolean + name: type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + ssl: + additionalProperties: false + type: object + properties: + agent_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + es_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + nullable: true + type: object + properties: + agent_certificate: + type: string + agent_certificate_authorities: + items: + type: string + maxItems: 10 + type: array + agent_key: + type: string + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + client_auth: + enum: + - optional + - required + - none + type: string + es_certificate: + type: string + es_certificate_authorities: + items: + type: string + maxItems: 10 + type: array + es_key: + type: string + key: + type: string required: - - policy_id + - proxy_id responses: '200': content: application/json: examples: - postReassignAgentExample: - description: Agent successfully reassigned - value: {} + 
putFleetServerHostExample: + description: The updated Fleet Server host + value: + item: + host_urls: + - https://updated-fleet-server.example.com:8220 + id: fleet-server-host-id-1 + is_default: false + is_preconfigured: false + name: Updated Fleet Server schema: additionalProperties: false type: object - properties: {} + properties: + item: + additionalProperties: false + type: object + properties: + host_urls: + items: + type: string + maxItems: 10 + minItems: 1 + type: array + id: + type: string + is_default: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + default: false + type: boolean + name: + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + ssl: + additionalProperties: false + type: object + properties: + agent_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + es_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + nullable: true + type: object + properties: + agent_certificate: + type: string + agent_certificate_authorities: + items: + type: string + maxItems: 10 + type: array + agent_key: + type: string + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + client_auth: + enum: + - optional + - required + - none + type: string + es_certificate: + type: string + es_certificate_authorities: + items: + type: string + maxItems: 10 + type: array + es_key: + type: string + key: + type: string + required: + - name + - host_urls + - id + required: + - item description: Successful response '400': content: 
@@ -25134,61 +40262,34 @@ paths: - message - attributes description: Bad Request - summary: Reassign an agent - tags: - - Elastic Agent actions - /api/fleet/agents/{agentId}/remove_collector: - post: - description: >- - Remove a specific OpAMP collector from the Fleet agents list. Marks the - collector as unenrolled. This action does not invalidate API keys, so - the collector can reconnect on its own.

[Required - authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-agentid-remove-collector - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The collector agent ID - in: path - name: agentId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - postRemoveCollectorExample: - description: Collector successfully removed - value: {} - description: Successful response - '400': + '404': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + notFoundExample: + description: No Fleet Server host was found with the given ID value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - description: Bad Request - summary: Remove an OpAMP collector + error: Not Found + message: Fleet server fleet-server-host-id-1 not found + statusCode: 404 + description: Not Found + summary: Update a Fleet Server host tags: - - Elastic Agent actions - x-state: Technical Preview; added in 9.5.0 - /api/fleet/agents/{agentId}/request_diagnostics: + - Fleet Server hosts + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/health_check: post: - description: >- - Request a diagnostics bundle from a specific agent.

[Required - authorization] Route required privileges: fleet-agents-read. - operationId: post-fleet-agents-agentid-request-diagnostics + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/health_check
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Check the health status of a Fleet Server instance by its host ID. Returns the server status and name if available.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: post-fleet-health-check parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -25197,62 +40298,59 @@ paths: schema: example: 'true' type: string - - description: The agent ID - in: path - name: agentId - required: true - schema: - type: string requestBody: content: application/json: examples: - postRequestDiagnosticsRequestExample: - description: Request a diagnostics bundle from an agent + postHealthCheckRequestExample: + description: Check the health of a Fleet Server instance by its host ID value: - additional_metrics: - - CPU + id: fleet-server-host-id-1 schema: additionalProperties: false - nullable: true type: object properties: - additional_metrics: - items: - enum: - - CPU - type: string - maxItems: 1 - type: array + id: + type: string + required: + - id responses: '200': content: application/json: examples: - postRequestDiagnosticsExample: - description: Diagnostics action result + postHealthCheckHealthyExample: + description: Fleet Server is online and healthy value: - actionId: action-id-1 + name: fleet-server-1 + status: ONLINE + postHealthCheckUnreachableExample: + description: Fleet Server host is not reachable (request timed out or aborted) + value: + host_id: fleet-server-host-id-1 + status: OFFLINE schema: additionalProperties: false type: object properties: - actionId: + host_id: + type: string + name: + type: string + status: type: string required: - - actionId - description: Successful response + - status + description: Successful health check response '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequestExample: + description: The host ID exists but has no associated host URLs configured value: error: Bad Request - message: >- - Agent agent-id-1 does not support request diagnostics - action. + message: The requested host id fleet-server-host-id-1 does not have associated host urls. statusCode: 400 schema: additionalProperties: false 
@@ -25273,50 +40371,16 @@ paths: - message - attributes description: Bad Request - summary: Request agent diagnostics - tags: - - Elastic Agent actions - /api/fleet/agents/{agentId}/rollback: - post: - description: >- - Rollback an agent to the previous version.

[Required - authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-agentid-rollback - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The agent ID to rollback - in: path - name: agentId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - successResponse: - value: - actionId: actionId - schema: - anyOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_action_id_response' - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_action_message_response - description: 'OK: A successful request.' - '400': + '404': content: application/json: examples: - badRequestResponse: + notFoundExample: + description: No Fleet Server host was found with the given ID value: - message: Bad Request + error: Not Found + message: The requested host id fleet-server-host-id-1 does not exist. + statusCode: 404 schema: additionalProperties: false description: Generic Error @@ -25335,57 +40399,54 @@ paths: required: - message - attributes - description: A bad request. - summary: Rollback an agent + description: Not Found + summary: Check Fleet Server health tags: - - Elastic Agent actions - x-state: Technical Preview; added in 9.4.0 - /api/fleet/agents/{agentId}/unenroll: - post: - description: >- - Unenroll a specific agent, optionally revoking its enrollment API - key.

[Required authorization] Route required privileges: - fleet-agents-all. - operationId: post-fleet-agents-agentid-unenroll + - Fleet internals + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/kubernetes: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/kubernetes
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the Kubernetes manifest for deploying Elastic Agent.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-setup. + operationId: get-fleet-kubernetes parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true + - description: If true, returns the manifest as a downloadable file + in: query + name: download + required: false + schema: + type: boolean + - description: Fleet Server host URL to include in the manifest + in: query + name: fleetServer + required: false schema: - example: 'true' type: string - - description: The agent ID - in: path - name: agentId - required: true + - description: Enrollment token to include in the manifest + in: query + name: enrolToken + required: false schema: type: string - requestBody: - content: - application/json: - examples: - postUnenrollAgentRequestExample: - description: Unenroll an agent, optionally revoking the enrollment API key - value: - revoke: false - schema: - additionalProperties: false - nullable: true - type: object - properties: - force: - type: boolean - revoke: - type: boolean responses: '200': content: application/json: examples: - postUnenrollAgentExample: - description: Agent successfully unenrolled - value: {} + getK8sManifestExample: + description: The Kubernetes manifest for deploying Elastic Agent + value: + item: 'apiVersion: v1\nkind: ConfigMap\nmetadata:\n name: agent-node-datastreams\n namespace: kube-system\n' + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_k8s_manifest_response' description: Successful response '400': content: 
@@ -25397,65 +40458,72 @@ paths: error: Bad Request message: An error message describing what went wrong statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes description: Bad Request - summary: Unenroll an agent + summary: Get a full K8s agent manifest tags: - - Elastic Agent actions - /api/fleet/agents/{agentId}/upgrade: - post: - description: >- - Upgrade a specific agent to a newer version.

[Required - authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-agentid-upgrade + - Elastic Agent policies + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/kubernetes/download: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/kubernetes/download
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Download the Kubernetes manifest for deploying Elastic Agent.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-setup. + operationId: get-fleet-kubernetes-download parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true + - description: If true, returns the manifest as a downloadable file + in: query + name: download + required: false + schema: + type: boolean + - description: Fleet Server host URL to include in the manifest + in: query + name: fleetServer + required: false schema: - example: 'true' type: string - - description: The agent ID - in: path - name: agentId - required: true + - description: Enrollment token to include in the manifest + in: query + name: enrolToken + required: false schema: type: string - requestBody: - content: - application/json: - examples: - postUpgradeAgentRequestExample: - description: Upgrade an agent to a specific version - value: - version: 8.17.0 - schema: - additionalProperties: false - type: object - properties: - force: - type: boolean - skipRateLimitCheck: - type: boolean - source_uri: - type: string - version: - type: string - required: - - version responses: '200': content: application/json: examples: - postUpgradeAgentExample: - description: Agent upgrade initiated - value: {} + getDownloadK8sManifestExample: + description: The Kubernetes manifest download + value: 'apiVersion: v1\nkind: ConfigMap\nmetadata:\n name: agent-node-datastreams\n namespace: kube-system\n' schema: - additionalProperties: false - type: object - properties: {} - description: Successful response + type: string + description: Successful response — returns the Kubernetes manifest as a YAML file download '400': content: application/json: @@ -25485,89 +40553,16 @@ paths: - message - attributes description: Bad Request - summary: Upgrade an agent - tags: - - Elastic Agent actions - /api/fleet/agents/{agentId}/uploads: - get: - description: >- - Get a list of files uploaded by a specific agent.

[Required - authorization] Route required privileges: fleet-agents-read. - operationId: get-fleet-agents-agentid-uploads - parameters: - - description: The agent ID - in: path - name: agentId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getAgentUploadsExample: - description: List of files uploaded by the agent - value: - items: - - actionId: action-id-1 - createTime: '2024-01-01T00:00:00.000Z' - filePath: /tmp/diagnostics-2024-01-01.zip - id: file-id-1 - name: diagnostics-2024-01-01.zip - status: READY - schema: - additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: false - type: object - properties: - actionId: - type: string - createTime: - type: string - error: - type: string - filePath: - type: string - id: - type: string - name: - type: string - status: - enum: - - READY - - AWAITING_UPLOAD - - DELETED - - EXPIRED - - IN_PROGRESS - - FAILED - type: string - required: - - id - - name - - filePath - - createTime - - status - - actionId - maxItems: 10000 - type: array - required: - - items - description: Successful response - '400': + '404': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + notFoundExample: + description: No manifest was found value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + error: Not Found + message: Agent manifest not found + statusCode: 404 schema: additionalProperties: false description: Generic Error @@ -25586,178 +40581,49 @@ paths: required: - message - attributes - description: Bad Request - summary: Get agent uploads + description: Not Found + summary: Download an agent manifest tags: - - Elastic Agents - /api/fleet/agents/action_status: - get: - description: >- - Get the current status of recent agent actions.

[Required - authorization] Route required privileges: fleet-agents-read. - operationId: get-fleet-agents-action-status + - Elastic Agent policies + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/logstash_api_keys: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/logstash_api_keys
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Generate an API key for Logstash to use with a Fleet output.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: post-fleet-logstash-api-keys parameters: - - description: Page number - in: query - name: page - required: false - schema: - default: 0 - type: number - - description: Number of results per page - in: query - name: perPage - required: false - schema: - default: 20 - type: number - - description: Return actions created before this date - in: query - name: date - required: false + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: + example: 'true' type: string - - description: Return only the latest N actions - in: query - name: latest - required: false - schema: - type: number - - description: Number of error details to include per action - in: query - name: errorSize - required: false - schema: - default: 5 - type: number responses: '200': content: application/json: examples: - getActionStatusExample: - description: Status of recent agent actions + postLogstashApiKeyExample: + description: The generated Logstash API key value: - items: - - actionId: action-id-1 - completionTime: '2024-01-01T00:05:00.000Z' - creationTime: '2024-01-01T00:00:00.000Z' - nbAgentsAck: 2 - nbAgentsActioned: 2 - nbAgentsFailed: 0 - status: COMPLETE - type: UPGRADE + api_key: TiNAGG4BaaMdaH1tRfuU:KnR6yE41RrSowb0kQ0HWoA schema: additionalProperties: false type: object properties: - items: - items: - additionalProperties: false - type: object - properties: - actionId: - type: string - cancellationTime: - type: string - completionTime: - type: string - creationTime: - description: creation time of action - type: string - expiration: - type: string - hasRolloutPeriod: - type: boolean - is_automatic: - type: boolean - latestErrors: - items: - additionalProperties: false - description: >- - latest errors that happened when the agents - executed the action - type: object - properties: - agentId: - type: string - error: - type: string - 
hostname: - type: string - timestamp: - type: string - required: - - agentId - - error - - timestamp - maxItems: 10 - type: array - nbAgentsAck: - description: number of agents that acknowledged the action - type: number - nbAgentsActionCreated: - description: number of agents included in action from kibana - type: number - nbAgentsActioned: - description: number of agents actioned - type: number - nbAgentsFailed: - description: number of agents that failed to execute the action - type: number - newPolicyId: - description: new policy id (POLICY_REASSIGN action) - type: string - policyId: - description: policy id (POLICY_CHANGE action) - type: string - revision: - description: new policy revision (POLICY_CHANGE action) - type: number - startTime: - description: start time of action (scheduled actions) - type: string - status: - enum: - - COMPLETE - - EXPIRED - - CANCELLED - - FAILED - - IN_PROGRESS - - ROLLOUT_PASSED - type: string - type: - enum: - - UPGRADE - - UNENROLL - - SETTINGS - - POLICY_REASSIGN - - CANCEL - - FORCE_UNENROLL - - REQUEST_DIAGNOSTICS - - UPDATE_TAGS - - POLICY_CHANGE - - INPUT_ACTION - - MIGRATE - - PRIVILEGE_LEVEL_CHANGE - - ROLLBACK - type: string - version: - description: agent version number (UPGRADE action) - type: string - required: - - actionId - - nbAgentsActionCreated - - nbAgentsAck - - nbAgentsFailed - - type - - nbAgentsActioned - - status - - creationTime - maxItems: 10000 - type: array + api_key: + type: string required: - - items + - api_key description: Successful response '400': content: @@ -25788,15 +40654,23 @@ paths: - message - attributes description: Bad Request - summary: Get an agent action status + summary: Generate a Logstash API key tags: - - Elastic Agent actions - /api/fleet/agents/actions/{actionId}/cancel: + - Fleet outputs + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/message_signing_service/rotate_key_pair: post: - description: >- - Cancel a pending action for a specific agent.

[Required - authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-actions-actionid-cancel + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/message_signing_service/rotate_key_pair
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Rotate the key pair used by Fleet to sign messages sent to Elastic Agents. This operation is irreversible and requires all agents in the Fleet to be re-enrolled after rotation. You must explicitly acknowledge the risk by passing `acknowledge=true` as a query parameter.

[Required authorization] Route required privileges: fleet-agents-all AND fleet-agent-policies-all AND fleet-settings-all. + operationId: post-fleet-message-signing-service-rotate-key-pair parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -25805,93 +40679,40 @@ paths: schema: example: 'true' type: string - - description: The ID of the action to cancel - in: path - name: actionId - required: true + - description: Set to true to confirm you understand the risks of rotating the key pair + in: query + name: acknowledge + required: false schema: - type: string - requestBody: - content: - application/json: - examples: - postCancelActionRequestExample: - description: Cancel an agent action - value: {} + default: false + type: boolean responses: '200': content: application/json: examples: - postCancelActionExample: - description: Cancellation action created + rotateKeyPairSuccessExample: + description: The key pair was rotated. All agents must be re-enrolled to receive the new signing key. value: - item: - agents: - - agent-id-1 - created_at: '2024-01-01T00:00:00.000Z' - id: cancel-action-id-1 - type: CANCEL + message: Key pair rotated successfully. schema: additionalProperties: false type: object properties: - item: - additionalProperties: false - type: object - properties: - ack_data: - nullable: true - agents: - items: - type: string - maxItems: 10000 - type: array - created_at: - type: string - data: - nullable: true - expiration: - type: string - id: - type: string - minimum_execution_duration: - type: number - namespaces: - items: - type: string - maxItems: 100 - type: array - rollout_duration_seconds: - type: number - sent_at: - type: string - source_uri: - type: string - start_time: - type: string - total: - type: number - type: - type: string - required: - - id - - type - - data - - created_at - - ack_data + message: + type: string required: - - item - description: Successful response + - message + description: Key pair rotated successfully '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + acknowledgeRequiredExample: + description: Request was rejected because the acknowledge query parameter was not set to true value: 
error: Bad Request - message: An error message describing what went wrong + message: 'Warning: this API will cause a key pair to rotate and should not be necessary in normal operation. If you proceed, you may need to reinstall Agents in your network. You must acknowledge the risks of rotating the key pair with acknowledge=true in the request parameters. For more information, reach out to your administrator.' statusCode: 400 schema: additionalProperties: false @@ -25912,40 +40733,96 @@ paths: - message - attributes description: Bad Request - summary: Cancel an agent action + '500': + content: + application/json: + examples: + serviceUnavailableExample: + description: The message signing service is not available + value: + error: Internal Server Error + message: Failed to rotate key pair. Message signing service is unavailable! + statusCode: 500 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Internal Server Error + summary: Rotate a Fleet message signing key pair tags: - - Elastic Agent actions - /api/fleet/agents/available_versions: + - Message Signing Service + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/outputs: get: - description: >- - Get a list of Elastic Agent versions available for - upgrade.

[Required authorization] Route required privileges: - fleet-agents-read. - operationId: get-fleet-agents-available-versions + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/outputs
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all Fleet outputs.

[Required authorization] Route required privileges: fleet-settings-read OR fleet-agent-policies-read. + operationId: get-fleet-outputs parameters: [] responses: '200': content: application/json: examples: - getAvailableVersionsExample: - description: List of available agent versions for upgrade + getOutputsExample: + description: List of Fleet outputs value: items: - - 8.17.0 - - 8.16.3 - - 8.16.2 + - hosts: + - https://elasticsearch.example.com:9200 + id: output-id-1 + is_default: true + is_default_monitoring: true + name: Default output + type: elasticsearch + page: 1 + perPage: 20 + total: 1 schema: additionalProperties: false type: object properties: items: items: - type: string + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_remote_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_logstash' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_kafka' maxItems: 10000 type: array + page: + type: number + perPage: + type: number + total: + type: number required: - items + - total + - page + - perPage description: Successful response '400': content: @@ -25969,118 +40846,84 @@ paths: errorType: type: string message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get available agent versions - tags: - - Elastic Agents - /api/fleet/agents/bulk_migrate: - post: - description: >- - Bulk migrate agents to another cluster.

[Required - authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-bulk-migrate - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postBulkMigrateAgentsRequestExample: - description: Migrate multiple agents to another cluster - value: - agents: - - agent-id-1 - - agent-id-2 - enrollment_token: enrollment-token-value - settings: - retry_max: 5 - uri: https://fleet-server.example.com:8220 - schema: - additionalProperties: false - type: object - properties: - agents: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - type: string - batchSize: - type: number - enrollment_token: - type: string - settings: - additionalProperties: false - type: object - properties: - ca_sha256: - type: string - certificate_authorities: - type: string - elastic_agent_cert: - type: string - elastic_agent_cert_key: - type: string - elastic_agent_cert_key_passphrase: - type: string - headers: - additionalProperties: - type: string - type: object - insecure: - type: boolean - proxy_disabled: - type: boolean - proxy_headers: - additionalProperties: - type: string - type: object - proxy_url: - type: string - staging: - type: string - tags: - items: - type: string - maxItems: 10 - type: array - uri: - format: uri - type: string - required: - - agents - - uri - - enrollment_token + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get outputs + tags: + - Fleet outputs + x-metaTags: + - content: Kibana + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/outputs
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new Fleet output.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: post-fleet-outputs + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + postOutputRequestExample: + description: Create a new Elasticsearch output + value: + hosts: + - https://elasticsearch.example.com:9200 + is_default: false + is_default_monitoring: false + name: My output + type: elasticsearch + schema: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_output_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_output_remote_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_output_logstash' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_output_kafka' responses: '200': content: application/json: examples: - postBulkMigrateAgentsExample: - description: Bulk agent migration initiated + postOutputExample: + description: The created Fleet output value: - actionId: action-id-1 + item: + hosts: + - https://elasticsearch.example.com:9200 + id: output-id-2 + is_default: false + is_default_monitoring: false + name: My output + type: elasticsearch schema: additionalProperties: false type: object properties: - actionId: - type: string + item: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_remote_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_logstash' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_kafka' required: - - actionId + - item description: Successful response '400': content: 
@@ -26111,16 +40954,23 @@ paths: - message - attributes description: Bad Request - summary: Migrate multiple agents + summary: Create output tags: - - Elastic Agents - /api/fleet/agents/bulk_privilege_level_change: - post: - description: >- - Change multiple agents' privilege level to - unprivileged.

[Required authorization] Route required - privileges: fleet-agents-all. - operationId: post-fleet-agents-bulk-privilege-level-change + - Fleet outputs + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/outputs/{outputId}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/outputs/{outputId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete output by ID.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: delete-fleet-outputs-outputid parameters: - description: A required header to protect against CSRF attacks in: header @@ -26129,66 +40979,40 @@ paths: schema: example: 'true' type: string - requestBody: - content: - application/json: - examples: - bulkChangeAgentPrivilegeLevelRequest: - value: - agents: agent - user_info: - groupname: groupname - password: password - username: username - schema: - additionalProperties: false - type: object - properties: - agents: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - type: string - batchSize: - type: number - user_info: - additionalProperties: false - type: object - properties: - groupname: - type: string - password: - type: string - username: - type: string - required: - - agents + - description: The ID of the output + in: path + name: outputId + required: true + schema: + type: string responses: '200': content: application/json: examples: - successResponse: + deleteOutputExample: + description: The output was successfully deleted value: - actionId: actionId + id: output-id-1 schema: additionalProperties: false type: object properties: - actionId: + id: type: string required: - - actionId - description: 'OK: A successful request.' + - id + description: Successful response '400': content: application/json: examples: - badRequestResponse: + genericErrorResponseExample: + description: Example of a generic error response value: - message: Bad Request + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: additionalProperties: false description: Generic Error 
@@ -26207,74 +41031,87 @@ paths: required: - message - attributes - description: A bad request. - summary: Bulk change agent privilege level + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No output was found with the given ID + value: + error: Not Found + message: Output output-id-1 not found + statusCode: 404 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Not Found + summary: Delete output tags: - - Elastic Agents - x-state: Technical Preview; added in 9.3.0 - /api/fleet/agents/bulk_reassign: - post: - description: >- - Reassign multiple agents to a different agent policy.

[Required - authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-bulk-reassign + - Fleet outputs + x-metaTags: + - content: Kibana + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/outputs/{outputId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get output by ID.

[Required authorization] Route required privileges: fleet-settings-read OR fleet-agent-policies-read. + operationId: get-fleet-outputs-outputid parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf + - description: The ID of the output + in: path + name: outputId required: true schema: - example: 'true' type: string - requestBody: - content: - application/json: - examples: - postBulkReassignAgentsRequestExample: - description: Reassign multiple agents to a different policy - value: - agents: - - agent-id-1 - - agent-id-2 - policy_id: agent-policy-id-2 - schema: - additionalProperties: false - type: object - properties: - agents: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - type: string - batchSize: - type: number - includeInactive: - default: false - type: boolean - policy_id: - type: string - required: - - policy_id - - agents responses: '200': content: application/json: examples: - postBulkReassignAgentsExample: - description: Bulk reassign action result + getOutputExample: + description: A Fleet output value: - actionId: action-id-1 + item: + hosts: + - https://elasticsearch.example.com:9200 + id: output-id-1 + is_default: true + is_default_monitoring: true + name: Default output + type: elasticsearch schema: additionalProperties: false type: object properties: - actionId: - type: string + item: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_remote_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_logstash' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_kafka' required: - - actionId + - item description: Successful response '400': content: 
@@ -26305,17 +41142,33 @@ paths: - message - attributes description: Bad Request - summary: Bulk reassign agents + '404': + content: + application/json: + examples: + notFoundExample: + description: No output was found with the given ID + value: + error: Not Found + message: Output output-id-1 not found + statusCode: 404 + description: Not Found + summary: Get output tags: - - Elastic Agent actions - /api/fleet/agents/bulk_remove_collectors: - post: - description: >- - Remove multiple OpAMP collectors from the Fleet agents list. Marks the - collectors as unenrolled. This action does not invalidate API keys, so - collectors can reconnect on their own.

[Required authorization] - Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-bulk-remove-collectors + - Fleet outputs + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/fleet/outputs/{outputId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update output by ID.

[Required authorization] Route required privileges: fleet-settings-all OR fleet-agent-policies-all. + operationId: put-fleet-outputs-outputid parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -26324,53 +41177,56 @@ paths: schema: example: 'true' type: string + - description: The ID of the output + in: path + name: outputId + required: true + schema: + type: string requestBody: content: application/json: examples: - postBulkRemoveCollectorsRequestExample: - description: Remove multiple OpAMP collectors + putOutputRequestExample: + description: Update a Fleet output value: - agents: - - collector-id-1 - - collector-id-2 + hosts: + - https://updated-elasticsearch.example.com:9200 + name: Updated output schema: - additionalProperties: false - type: object - properties: - agents: - anyOf: - - items: - description: List of collector agent IDs - type: string - maxItems: 10000 - type: array - - description: KQL query string. Leave empty to target all collectors - type: string - includeInactive: - description: >- - When passing collectors by KQL query, also removes inactive - collectors - type: boolean - required: - - agents + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_output_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_output_remote_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_output_logstash' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_output_kafka' responses: '200': content: application/json: examples: - postBulkRemoveCollectorsExample: - description: Bulk remove collectors action result + putOutputExample: + description: The updated Fleet output value: - actionId: action-id-1 + item: + hosts: + - https://updated-elasticsearch.example.com:9200 + id: output-id-1 + is_default: true + is_default_monitoring: true + name: Updated output + type: elasticsearch schema: additionalProperties: false type: object properties: - actionId: - type: string + item: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_remote_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_logstash' + - 
$ref: '#/components/schemas/Kibana_HTTP_APIs_output_kafka' required: - - actionId + - item description: Successful response '400': content: @@ -26401,75 +41257,69 @@ paths: - message - attributes description: Bad Request - summary: Bulk remove OpAMP collectors + '404': + content: + application/json: + examples: + notFoundExample: + description: No output was found with the given ID + value: + error: Not Found + message: Output output-id-1 not found + statusCode: 404 + description: Not Found + summary: Update output tags: - - Elastic Agent actions - x-state: Technical Preview; added in 9.5.0 - /api/fleet/agents/bulk_request_diagnostics: - post: - description: >- - Request diagnostics bundles from multiple agents.

[Required - authorization] Route required privileges: fleet-agents-read. - operationId: post-fleet-agents-bulk-request-diagnostics + - Fleet outputs + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/outputs/{outputId}/health: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/outputs/{outputId}/health
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the latest health status of an output by ID.

[Required authorization] Route required privileges: fleet-settings-read. + operationId: get-fleet-outputs-outputid-health parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf + - description: The ID of the output + in: path + name: outputId required: true schema: - example: 'true' type: string - requestBody: - content: - application/json: - examples: - postBulkRequestDiagnosticsRequestExample: - description: Request diagnostics bundles from multiple agents - value: - additional_metrics: - - CPU - agents: - - agent-id-1 - - agent-id-2 - schema: - additionalProperties: false - type: object - properties: - additional_metrics: - items: - enum: - - CPU - type: string - maxItems: 1 - type: array - agents: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - type: string - batchSize: - type: number - required: - - agents responses: '200': content: application/json: examples: - postBulkRequestDiagnosticsExample: - description: Bulk diagnostics action result + getOutputHealthExample: + description: The latest health status of a Fleet output value: - actionId: action-id-1 + message: '' + state: HEALTHY + timestamp: '2024-01-15T10:00:00.000Z' schema: additionalProperties: false type: object properties: - actionId: + message: + description: long message if unhealthy + type: string + state: + description: state of output, HEALTHY or DEGRADED + type: string + timestamp: + description: timestamp of reported state type: string required: - - actionId + - state + - message + - timestamp description: Successful response '400': content: @@ -26500,81 +41350,134 @@ paths: - message - attributes description: Bad Request - summary: Bulk request diagnostics from agents + summary: Get the latest output health tags: - - Elastic Agent actions - /api/fleet/agents/bulk_rollback: - post: - description: >- - Rollback multiple agents to the previous version.

[Required - authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-bulk-rollback + - Fleet outputs + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/package_policies: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/package_policies
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all package policies. + operationId: get-fleet-package-policies parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true + - description: Page number + in: query + name: page + required: false + schema: + type: number + - description: Number of results per page + in: query + name: perPage + required: false + schema: + type: number + - description: Field to sort results by + in: query + name: sortField + required: false schema: - example: 'true' type: string - requestBody: - content: - application/json: - examples: - bulkRollbackAgentsRequest: - value: - agents: - - agent-1 - - agent-2 - batchSize: 100 - includeInactive: false - schema: - additionalProperties: false - type: object - properties: - agents: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - type: string - batchSize: - type: number - includeInactive: - default: false - type: boolean - required: - - agents + - description: Sort order, ascending or descending + in: query + name: sortOrder + required: false + schema: + enum: + - desc + - asc + type: string + - description: When true, only show policies with available upgrades + in: query + name: showUpgradeable + required: false + schema: + type: boolean + - description: A KQL query string to filter results + in: query + name: kuery + required: false + schema: + type: string + - description: 'Format for the response: simplified or legacy' + in: query + name: format + required: false + schema: + enum: + - simplified + - legacy + type: string + - description: When true, include the agent count per package policy + in: query + name: withAgentCount + required: false + schema: + type: boolean responses: '200': content: application/json: examples: - successResponse: + getPackagePoliciesExample: + description: List of package policies value: - actionIds: - - actionId1 
- - actionId2 + items: + - created_at: '2024-01-15T10:00:00.000Z' + enabled: true + id: package-policy-id-1 + inputs: [] + name: nginx-1 + namespace: default + package: + name: nginx + title: Nginx + version: 1.20.0 + policy_ids: + - agent-policy-id-1 + updated_at: '2024-01-15T10:00:00.000Z' + page: 1 + perPage: 20 + total: 1 schema: additionalProperties: false type: object properties: - actionIds: + items: items: - type: string + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_response' maxItems: 10000 type: array + page: + type: number + perPage: + type: number + total: + type: number required: - - actionIds - description: 'OK: A successful request.' + - items + - total + - page + - perPage + description: Successful response '400': content: application/json: examples: - badRequestResponse: + genericErrorResponseExample: + description: Example of a generic error response value: - message: Bad Request + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: additionalProperties: false description: Generic Error @@ -26593,18 +41496,23 @@ paths: required: - message - attributes - description: A bad request. - summary: Bulk rollback agents + description: Bad Request + summary: Get package policies tags: - - Elastic Agent actions - x-state: Technical Preview; added in 9.4.0 - /api/fleet/agents/bulk_unenroll: + - Fleet package policies + x-metaTags: + - content: Kibana + name: product_name post: - description: >- - Unenroll multiple agents, optionally revoking their enrollment API - keys.

[Required authorization] Route required privileges: - fleet-agents-all. - operationId: post-fleet-agents-bulk-unenroll + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/package_policies
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new package policy and assign it to an agent policy. + operationId: post-fleet-package-policies parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -26613,62 +41521,59 @@ paths: schema: example: 'true' type: string + - description: 'Format for the response: simplified or legacy' + in: query + name: format + required: false + schema: + enum: + - simplified + - legacy + type: string requestBody: content: application/json: examples: - postBulkUnenrollAgentsRequestExample: - description: Unenroll multiple agents + postPackagePolicyRequestExample: + description: Create a new nginx package policy value: - agents: - - agent-id-1 - - agent-id-2 - revoke: false + inputs: {} + name: nginx-1 + namespace: default + package: + name: nginx + version: 1.20.0 + policy_ids: + - agent-policy-id-1 schema: - additionalProperties: false - type: object - properties: - agents: - anyOf: - - items: - description: list of agent IDs - type: string - maxItems: 10000 - type: array - - description: KQL query string, leave empty to action all agents - type: string - batchSize: - type: number - force: - description: Unenrolls hosted agents too - type: boolean - includeInactive: - description: >- - When passing agents by KQL query, unenrolls inactive agents - too - type: boolean - revoke: - description: Revokes API keys of agents - type: boolean - required: - - agents + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_create_package_policy_request' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_simplified_create_package_policy_request' + description: You should use inputs as an object and not use the deprecated inputs array. 
responses: '200': content: application/json: examples: - postBulkUnenrollAgentsExample: - description: Bulk unenroll action result + postPackagePolicyExample: + description: The created package policy value: - actionId: action-id-1 + item: + created_at: '2024-01-15T10:00:00.000Z' + enabled: true + id: package-policy-id-2 + inputs: [] + name: nginx-1 + namespace: default + package: + name: nginx + title: Nginx + version: 1.20.0 + policy_ids: + - agent-policy-id-1 + updated_at: '2024-01-15T10:00:00.000Z' schema: - additionalProperties: false - type: object - properties: - actionId: - type: string - required: - - actionId + $ref: '#/components/schemas/Kibana_HTTP_APIs_create_package_policy_response' description: Successful response '400': content: @@ -26699,93 +41604,16 @@ paths: - message - attributes description: Bad Request - summary: Bulk unenroll agents - tags: - - Elastic Agent actions - /api/fleet/agents/bulk_update_agent_tags: - post: - description: >- - Add or remove tags across multiple agents.

[Required - authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-bulk-update-agent-tags - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postBulkUpdateAgentTagsRequestExample: - description: Add and remove tags across multiple agents - value: - agents: - - agent-id-1 - - agent-id-2 - tagsToAdd: - - production - tagsToRemove: - - staging - schema: - additionalProperties: false - type: object - properties: - agents: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - type: string - batchSize: - type: number - includeInactive: - default: false - type: boolean - tagsToAdd: - items: - type: string - maxItems: 10 - type: array - tagsToRemove: - items: - type: string - maxItems: 10 - type: array - required: - - agents - responses: - '200': - content: - application/json: - examples: - postBulkUpdateAgentTagsExample: - description: Bulk action result - value: - actionId: action-id-1 - schema: - additionalProperties: false - type: object - properties: - actionId: - type: string - required: - - actionId - description: Successful response - '400': + '409': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + conflictExample: + description: A package policy with the same name already exists value: - error: Bad Request + error: Conflict message: An error message describing what went wrong - statusCode: 400 + statusCode: 409 schema: additionalProperties: false description: Generic Error 
@@ -26804,17 +41632,24 @@ paths: required: - message - attributes - description: Bad Request - summary: Bulk update agent tags + description: Conflict + summary: Create a package policy tags: - - Elastic Agent actions - /api/fleet/agents/bulk_upgrade: + - Fleet package policies + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/package_policies/_bulk_get: post: - description: >- - Upgrade multiple agents to a newer version, with optional rollout - controls.

[Required authorization] Route required privileges: - fleet-agents-all. - operationId: post-fleet-agents-bulk-upgrade + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/package_policies/_bulk_get
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get multiple package policies by ID. + operationId: post-fleet-package-policies-bulk-get parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -26823,67 +41658,63 @@ paths: schema: example: 'true' type: string + - description: 'Format for the response: simplified or legacy' + in: query + name: format + required: false + schema: + enum: + - simplified + - legacy + type: string requestBody: content: application/json: examples: - postBulkUpgradeAgentsRequestExample: - description: Upgrade multiple agents to a specific version + postBulkGetPackagePoliciesRequestExample: + description: Retrieve multiple package policies by ID value: - agents: - - agent-id-1 - - agent-id-2 - rollout_duration_seconds: 3600 - version: 8.17.0 + ids: + - package-policy-id-1 + - package-policy-id-2 schema: additionalProperties: false type: object properties: - agents: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - type: string - batchSize: - type: number - force: - type: boolean - includeInactive: - default: false - type: boolean - rollout_duration_seconds: - minimum: 600 - type: number - skipRateLimitCheck: + ids: + description: list of package policy ids + items: + type: string + maxItems: 1000 + type: array + ignoreMissing: type: boolean - source_uri: - type: string - start_time: - type: string - version: - type: string required: - - agents - - version + - ids responses: '200': content: application/json: examples: - postBulkUpgradeAgentsExample: - description: Bulk upgrade action result + postBulkGetPackagePoliciesExample: + description: The requested package policies value: - actionId: action-id-1 + items: + - created_at: '2024-01-15T10:00:00.000Z' + enabled: true + id: package-policy-id-1 + inputs: [] + name: nginx-1 + namespace: default + package: + name: nginx + title: Nginx + version: 1.20.0 + policy_ids: + - agent-policy-id-1 + updated_at: '2024-01-15T10:00:00.000Z' schema: - additionalProperties: false - type: object - properties: - actionId: - type: string - required: - - actionId + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_get_package_policies_response' description: Successful response 
'400': content: @@ -26914,15 +41745,42 @@ paths: - message - attributes description: Bad Request - summary: Bulk upgrade agents + '404': + content: + application/json: + examples: + notFoundExample: + description: One or more package policies were not found + value: + error: Not Found + message: Package policy package-policy-id-2 not found + statusCode: 404 + schema: + additionalProperties: false + type: object + properties: + message: + type: string + required: + - message + description: Not Found + summary: Bulk get package policies tags: - - Elastic Agent actions - /api/fleet/agents/files/{fileId}: + - Fleet package policies + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/package_policies/{packagePolicyId}: delete: - description: >- - Delete a file uploaded by an agent.

[Required authorization] - Route required privileges: fleet-agents-all. - operationId: delete-fleet-agents-files-fileid + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/package_policies/{packagePolicyId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a package policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all AND integrations-all. + operationId: delete-fleet-package-policies-packagepolicyid parameters: - description: A required header to protect against CSRF attacks in: header @@ -26931,33 +41789,29 @@ paths: schema: example: 'true' type: string - - description: The ID of the uploaded file + - description: The ID of the package policy in: path - name: fileId + name: packagePolicyId required: true schema: type: string + - description: When true, delete the package policy even if it is managed + in: query + name: force + required: false + schema: + type: boolean responses: '200': content: application/json: examples: - deleteAgentUploadFileExample: - description: Uploaded file successfully deleted + deletePackagePolicyExample: + description: The package policy was successfully deleted value: - deleted: true - id: file-id-1 + id: package-policy-id-1 schema: - additionalProperties: false - type: object - properties: - deleted: - type: boolean - id: - type: string - required: - - id - - deleted + $ref: '#/components/schemas/Kibana_HTTP_APIs_delete_one_package_policy_response' description: Successful response '400': content: @@ -26988,39 +41842,69 @@ paths: - message - attributes description: Bad Request - summary: Delete an uploaded file + summary: Delete a package policy tags: - - Elastic Agents - /api/fleet/agents/files/{fileId}/{fileName}: + - Fleet package policies + x-metaTags: + - content: Kibana + name: product_name get: - description: >- - Get a file uploaded by an agent.

[Required authorization] Route - required privileges: fleet-agents-read. - operationId: get-fleet-agents-files-fileid-filename + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/package_policies/{packagePolicyId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a package policy by ID. + operationId: get-fleet-package-policies-packagepolicyid parameters: - - description: The ID of the uploaded file + - description: The ID of the package policy in: path - name: fileId + name: packagePolicyId required: true schema: type: string - - description: The name of the uploaded file - in: path - name: fileName - required: true + - description: 'Format for the response: simplified or legacy' + in: query + name: format + required: false schema: + enum: + - simplified + - legacy type: string responses: '200': content: application/json: examples: - getAgentUploadFileExample: - description: The uploaded file content as a stream - value: + getPackagePolicyExample: + description: A package policy + value: + item: + created_at: '2024-01-15T10:00:00.000Z' + enabled: true + id: package-policy-id-1 + inputs: [] + name: nginx-1 + namespace: default + package: + name: nginx + title: Nginx + version: 1.20.0 + policy_ids: + - agent-policy-id-1 + updated_at: '2024-01-15T10:00:00.000Z' schema: + additionalProperties: false type: object - description: Successful response — returns the uploaded file content + properties: + item: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_response' + required: + - item + description: Successful response '400': content: application/json: 
@@ -27050,93 +41934,115 @@ paths: - message - attributes description: Bad Request - summary: Get an uploaded file + '404': + content: + application/json: + examples: + notFoundExample: + description: No package policy was found with the given ID + value: + error: Not Found + message: Package policy package-policy-id-1 not found + statusCode: 404 + schema: + additionalProperties: false + type: object + properties: + message: + type: string + required: + - message + description: Not Found + summary: Get a package policy tags: - - Elastic Agents - /api/fleet/agents/setup: - get: - description: >- - Get the current Fleet setup status, including whether Fleet is ready to - enroll agents and which requirements or optional features are - missing.

[Required authorization] Route required privileges: - fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR - fleet-setup. - operationId: get-fleet-agents-setup - parameters: [] + - Fleet package policies + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/fleet/package_policies/{packagePolicyId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update a package policy by ID. + operationId: put-fleet-package-policies-packagepolicyid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The ID of the package policy + in: path + name: packagePolicyId + required: true + schema: + type: string + - description: 'Format for the response: simplified or legacy' + in: query + name: format + required: false + schema: + enum: + - simplified + - legacy + type: string + requestBody: + content: + application/json: + examples: + putPackagePolicyRequestExample: + description: Update a package policy + value: + enabled: true + inputs: {} + name: nginx-1-updated + namespace: default + package: + name: nginx + version: 1.20.0 + policy_ids: + - agent-policy-id-1 + schema: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_package_policy_request' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_simplified_create_package_policy_request' responses: '200': content: application/json: examples: - agentsSetupNotReadyExample: - description: >- - Fleet is not ready — a Fleet Server and API keys are - required - value: - is_action_secrets_storage_enabled: false - is_secrets_storage_enabled: false - is_space_awareness_enabled: false - is_ssl_secrets_storage_enabled: false - isReady: false - missing_optional_features: - - encrypted_saved_object_encryption_key_required - missing_requirements: - - fleet_server - - api_keys - agentsSetupReadyExample: - description: Fleet is ready to enroll agents — all requirements are met + putPackagePolicyExample: + description: The updated package policy value: - is_action_secrets_storage_enabled: true - is_secrets_storage_enabled: true - is_space_awareness_enabled: false - is_ssl_secrets_storage_enabled: false - isReady: true - missing_optional_features: 
[] - missing_requirements: [] - package_verification_key_id: D88DB4CC + item: + created_at: '2024-01-15T10:00:00.000Z' + enabled: true + id: package-policy-id-1 + inputs: [] + name: nginx-1-updated + namespace: default + package: + name: nginx + title: Nginx + version: 1.20.0 + policy_ids: + - agent-policy-id-1 + updated_at: '2024-01-15T11:00:00.000Z' schema: additionalProperties: false - description: >- - A summary of the agent setup status. `isReady` indicates - whether the setup is ready. If the setup is not ready, - `missing_requirements` lists which requirements are missing. type: object properties: - is_action_secrets_storage_enabled: - type: boolean - is_secrets_storage_enabled: - type: boolean - is_space_awareness_enabled: - type: boolean - is_ssl_secrets_storage_enabled: - type: boolean - isReady: - type: boolean - missing_optional_features: - items: - enum: - - encrypted_saved_object_encryption_key_required - type: string - maxItems: 1 - type: array - missing_requirements: - items: - enum: - - security_required - - tls_required - - api_keys - - fleet_admin_user - - fleet_server - type: string - maxItems: 5 - type: array - package_verification_key_id: - type: string + item: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_response' required: - - isReady - - missing_requirements - - missing_optional_features - description: Fleet setup status + - item + description: Successful response '400': content: application/json: 
@@ -27166,17 +42072,52 @@ paths: - message - attributes description: Bad Request - summary: Get agent setup info + '403': + content: + application/json: + examples: + forbiddenExample: + description: The update is not authorized for this package + value: + error: Forbidden + message: An error message describing what went wrong + statusCode: 403 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Forbidden + summary: Update a package policy tags: - - Elastic Agents + - Fleet package policies + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/package_policies/delete: post: - description: >- - Initialize Fleet. This endpoint is used by Elastic Agents to trigger - Fleet setup. Safe to call multiple times; subsequent calls are - idempotent.

[Required authorization] Route required privileges: - fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR - fleet-setup. - operationId: post-fleet-agents-setup + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/package_policies/delete
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete multiple package policies by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all AND integrations-all. + operationId: post-fleet-package-policies-delete parameters: - description: A required header to protect against CSRF attacks in: header @@ -27185,47 +42126,36 @@ paths: schema: example: 'true' type: string + requestBody: + content: + application/json: + examples: + postDeletePackagePoliciesRequestExample: + description: Delete multiple package policies by ID + value: + packagePolicyIds: + - package-policy-id-1 + - package-policy-id-2 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_delete_package_policies_request' responses: '200': content: application/json: examples: - agentsSetupSuccessExample: - description: >- - Fleet setup initialized successfully with no non-fatal - errors + postDeletePackagePoliciesExample: + description: Results of the bulk delete operation value: - isInitialized: true - nonFatalErrors: [] + - id: package-policy-id-1 + success: true + - id: package-policy-id-2 + success: true schema: - additionalProperties: false - description: >- - A summary of the result of Fleet's `setup` lifecycle. If - `isInitialized` is true, Fleet is ready to accept agent - enrollment. `nonFatalErrors` may include useful insight into - non-blocking issues with Fleet setup. - type: object - properties: - isInitialized: - type: boolean - nonFatalErrors: - items: - additionalProperties: false - type: object - properties: - message: - type: string - name: - type: string - required: - - name - - message - maxItems: 10000 - type: array - required: - - isInitialized - - nonFatalErrors - description: Fleet setup completed + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_status_response' + maxItems: 10000 + type: array + description: Successful response '400': content: application/json: 
@@ -27255,52 +42185,58 @@ paths: - message - attributes description: Bad Request - summary: Initiate Fleet setup + summary: Bulk delete package policies tags: - - Elastic Agents - /api/fleet/agents/tags: - get: - description: >- - Get a list of all tags used across enrolled agents.

[Required - authorization] Route required privileges: fleet-agents-read. - operationId: get-fleet-agents-tags + - Fleet package policies + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/package_policies/upgrade: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/package_policies/upgrade
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Upgrade a package policy to a newer package version.

[Required authorization] Route required privileges: fleet-agent-policies-all AND integrations-all. + operationId: post-fleet-package-policies-upgrade parameters: - - description: A KQL query string to filter results - in: query - name: kuery - required: false + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: + example: 'true' type: string - - description: When true, include tags from inactive agents - in: query - name: showInactive - required: false - schema: - default: false - type: boolean + requestBody: + content: + application/json: + examples: + postUpgradePackagePoliciesRequestExample: + description: Upgrade package policies to the latest version + value: + packagePolicyIds: + - package-policy-id-1 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_upgrade_package_policies_request' responses: '200': content: application/json: examples: - getAgentTagsExample: - description: List of tags used across agents + postUpgradePackagePoliciesExample: + description: Results of the upgrade operation value: - items: - - production - - linux - - datacenter-1 + - id: package-policy-id-1 + name: nginx-1 + success: true schema: - additionalProperties: false - type: object - properties: - items: - items: - type: string - maxItems: 10000 - type: array - required: - - items + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_status_response' + maxItems: 10000 + type: array description: Successful response '400': content: 
@@ -27331,52 +42267,192 @@ paths: - message - attributes description: Bad Request - summary: Get agent tags + summary: Upgrade a package policy tags: - - Elastic Agents - /api/fleet/check-permissions: - get: - description: >- - Check whether the current user has the required permissions to use - Fleet. Optionally verifies Fleet Server setup privileges. - operationId: get-fleet-check-permissions + - Fleet package policies + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/package_policies/upgrade/dryrun: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/package_policies/upgrade/dryrun
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Preview the changes that would be applied by upgrading a package policy to a newer package version.

[Required authorization] Route required privileges: fleet-agent-policies-read AND integrations-read. + operationId: post-fleet-package-policies-upgrade-dryrun parameters: - - description: >- - When true, check Fleet Server setup privileges in addition to - standard Fleet privileges - in: query - name: fleetServerSetup - required: false + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - type: boolean + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + postDryRunPackagePoliciesRequestExample: + description: Dry run an upgrade of a package policy + value: + packagePolicyIds: + - package-policy-id-1 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_dry_run_package_policies_request' responses: '200': content: application/json: examples: - checkPermissionsMissingPrivilegesExample: - description: The current user is missing Fleet privileges - value: - error: MISSING_PRIVILEGES - success: false - checkPermissionsSuccessExample: - description: The current user has all required Fleet permissions + postDryRunPackagePoliciesExample: + description: Preview of the package policy upgrade diff value: - success: true + - diff: + - id: package-policy-id-1 + name: nginx-1 + package: + name: nginx + version: 1.20.0 + - name: nginx-1 + package: + name: nginx + version: 1.21.0 + hasErrors: false + name: nginx-1 schema: - additionalProperties: false - type: object - properties: - error: - enum: - - MISSING_SECURITY - - MISSING_PRIVILEGES - - MISSING_FLEET_SERVER_SETUP_PRIVILEGES - type: string - success: - type: boolean - required: - - success + items: + additionalProperties: false + type: object + properties: + agent_diff: + items: + items: + additionalProperties: true + type: object + properties: + data_stream: + additionalProperties: true + type: object + properties: + namespace: + type: string + required: + - namespace + id: + type: string + meta: + 
additionalProperties: true + type: object + properties: + package: + additionalProperties: true + type: object + properties: + name: + type: string + version: + type: string + required: + - name + - version + required: + - package + name: + type: string + package_policy_id: + type: string + processors: + items: + additionalProperties: true + type: object + properties: + add_fields: + additionalProperties: true + type: object + properties: + fields: + additionalProperties: + anyOf: + - type: string + - type: number + type: object + target: + type: string + required: + - target + - fields + required: + - add_fields + maxItems: 10000 + type: array + revision: + type: number + streams: + items: + additionalProperties: true + type: object + properties: + data_stream: + additionalProperties: true + type: object + properties: + dataset: + type: string + type: + type: string + required: + - dataset + id: + type: string + required: + - data_stream + maxItems: 10000 + type: array + type: + type: string + use_output: + type: string + required: + - id + - name + - revision + - type + - data_stream + - use_output + - package_policy_id + maxItems: 10000 + type: array + maxItems: 1 + type: array + body: + additionalProperties: false + type: object + properties: + message: + type: string + required: + - message + diff: + items: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_response' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_dry_run_package_policy' + maxItems: 2 + type: array + hasErrors: + type: boolean + name: + type: string + statusCode: + type: number + required: + - hasErrors + maxItems: 10000 + type: array description: Successful response '400': content: 
@@ -27407,51 +42483,40 @@ paths: - message - attributes description: Bad Request - summary: Check permissions + summary: Dry run a package policy upgrade tags: - - Fleet internals - /api/fleet/cloud_connectors: + - Fleet package policies + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/proxies: get: - description: >- - List all Fleet cloud connectors.

[Required authorization] Route - required privileges: fleet-agent-policies-read OR integrations-read. - operationId: get-fleet-cloud-connectors - parameters: - - description: The page number for pagination. - in: query - name: page - required: false - schema: - type: string - - description: The number of items per page. - in: query - name: perPage - required: false - schema: - type: string - - description: KQL query to filter cloud connectors. - in: query - name: kuery - required: false - schema: - type: string + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/proxies
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all Fleet proxies.

[Required authorization] Route required privileges: fleet-settings-read. + operationId: get-fleet-proxies + parameters: [] responses: '200': content: application/json: examples: - getCloudConnectorsExample: - description: List of Fleet cloud connectors + getFleetProxiesExample: + description: List of Fleet proxies value: items: - - accountType: single-account - cloudProvider: aws - created_at: '2024-01-15T10:00:00.000Z' - id: cloud-connector-id-1 - name: My AWS connector - packagePolicyCount: 2 - updated_at: '2024-01-15T10:00:00.000Z' - vars: {} + - id: proxy-id-1 + is_preconfigured: false + name: My proxy + url: http://proxy.example.com:3128 + page: 1 + perPage: 20 + total: 1 schema: additionalProperties: false type: object @@ -27461,44 +42526,49 @@ paths: additionalProperties: false type: object properties: - accountType: + certificate: + nullable: true type: string - cloudProvider: + certificate_authorities: + nullable: true type: string - created_at: + certificate_key: + nullable: true type: string id: type: string + is_preconfigured: + default: false + type: boolean name: type: string - namespace: - type: string - packagePolicyCount: - type: number - updated_at: - type: string - vars: + proxy_headers: additionalProperties: - nullable: true + anyOf: + - type: string + - type: boolean + - type: number + nullable: true type: object - verification_failed_at: - type: string - verification_started_at: - type: string - verification_status: + url: type: string required: - id + - url - name - - cloudProvider - - vars - - packagePolicyCount - - created_at - - updated_at maxItems: 10000 type: array + page: + type: number + perPage: + type: number + total: + type: number required: - items + - total + - page + - perPage description: Successful response '400': content: 
@@ -27529,15 +42599,22 @@ paths: - message - attributes description: Bad Request - summary: Get cloud connectors + summary: Get proxies tags: - - Fleet cloud connectors - x-state: Technical Preview; added in 9.2.0 + - Fleet proxies + x-metaTags: + - content: Kibana + name: product_name post: - description: >- - Create a new Fleet cloud connector.

[Required authorization] - Route required privileges: fleet-agent-policies-all OR integrations-all. - operationId: post-fleet-cloud-connectors + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/proxies
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new Fleet proxy.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: post-fleet-proxies parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -27550,93 +42627,57 @@ paths: content: application/json: examples: - postCloudConnectorRequestExample: - description: Create a new AWS cloud connector + postFleetProxyRequestExample: + description: Create a new Fleet proxy value: - accountType: single-account - cloudProvider: aws - name: My AWS connector - vars: {} + name: My proxy + url: http://proxy.example.com:3128 schema: additionalProperties: false type: object properties: - accountType: - description: >- - The account type: single-account (single - account/subscription) or organization-account - (organization-wide). - enum: - - single-account - - organization-account + certificate: + nullable: true type: string - cloudProvider: - description: 'The cloud provider type: aws, azure, or gcp.' - enum: - - aws - - azure - - gcp + certificate_authorities: + nullable: true + type: string + certificate_key: + nullable: true type: string + id: + type: string + is_preconfigured: + default: false + type: boolean name: - description: The name of the cloud connector. 
- maxLength: 255 - minLength: 1 type: string - vars: + proxy_headers: additionalProperties: anyOf: - - maxLength: 1000 - type: string - - type: number + - type: string - type: boolean - - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - maxLength: 50 - type: string - value: - anyOf: - - maxLength: 1000 - type: string - - additionalProperties: false - type: object - properties: - id: - maxLength: 255 - type: string - isSecretRef: - type: boolean - required: - - isSecretRef - - id - required: - - type - - value + - type: number + nullable: true type: object + url: + type: string required: + - url - name - - cloudProvider - - vars responses: '200': content: application/json: examples: - postCloudConnectorExample: - description: The created Fleet cloud connector + postFleetProxyExample: + description: The created Fleet proxy value: item: - accountType: single-account - cloudProvider: aws - created_at: '2024-01-15T10:00:00.000Z' - id: cloud-connector-id-2 - name: My AWS connector - packagePolicyCount: 0 - updated_at: '2024-01-15T10:00:00.000Z' - vars: {} + id: proxy-id-2 + is_preconfigured: false + name: My proxy + url: http://proxy.example.com:3128 schema: additionalProperties: false type: object 
@@ -27645,40 +42686,36 @@ paths: additionalProperties: false type: object properties: - accountType: + certificate: + nullable: true type: string - cloudProvider: + certificate_authorities: + nullable: true type: string - created_at: + certificate_key: + nullable: true type: string id: type: string + is_preconfigured: + default: false + type: boolean name: type: string - namespace: - type: string - packagePolicyCount: - type: number - updated_at: - type: string - vars: + proxy_headers: additionalProperties: - nullable: true + anyOf: + - type: string + - type: boolean + - type: number + nullable: true type: object - verification_failed_at: - type: string - verification_started_at: - type: string - verification_status: + url: type: string required: - id + - url - name - - cloudProvider - - vars - - packagePolicyCount - - created_at - - updated_at required: - item description: Successful response @@ -27711,18 +42748,23 @@ paths: - message - attributes description: Bad Request - summary: Create cloud connector + summary: Create a proxy tags: - - Fleet cloud connectors - x-state: Technical Preview; added in 9.2.0 - /api/fleet/cloud_connectors/{cloudConnectorId}: + - Fleet proxies + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/proxies/{itemId}: delete: - description: >- - Delete a cloud connector by ID. Use the `force` query parameter to - delete even if package policies are still using it.

[Required - authorization] Route required privileges: fleet-agent-policies-all OR - integrations-all. - operationId: delete-fleet-cloud-connectors-cloudconnectorid + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/proxies/{itemId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a proxy by ID

[Required authorization] Route required privileges: fleet-settings-all. + operationId: delete-fleet-proxies-itemid parameters: - description: A required header to protect against CSRF attacks in: header @@ -27731,27 +42773,21 @@ paths: schema: example: 'true' type: string - - description: The unique identifier of the cloud connector to delete. + - description: The ID of the proxy in: path - name: cloudConnectorId + name: itemId required: true schema: type: string - - description: If true, forces deletion even if the cloud connector is in use. - in: query - name: force - required: false - schema: - type: boolean responses: '200': content: application/json: examples: - deleteCloudConnectorExample: - description: The cloud connector was successfully deleted + deleteFleetProxyExample: + description: The Fleet proxy was successfully deleted value: - id: cloud-connector-id-1 + id: proxy-id-1 schema: additionalProperties: false type: object @@ -27790,19 +42826,37 @@ paths: - message - attributes description: Bad Request - summary: Delete cloud connector (supports force deletion) + '404': + content: + application/json: + examples: + notFoundExample: + description: No proxy was found with the given ID + value: + error: Not Found + message: Fleet proxy proxy-id-1 not found + statusCode: 404 + description: Not Found + summary: Delete a proxy tags: - - Fleet cloud connectors - x-state: Technical Preview; added in 9.2.0 + - Fleet proxies + x-metaTags: + - content: Kibana + name: product_name get: - description: >- - Get a cloud connector by ID.

[Required authorization] Route - required privileges: fleet-agent-policies-read OR integrations-read. - operationId: get-fleet-cloud-connectors-cloudconnectorid + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/proxies/{itemId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a proxy by ID.

[Required authorization] Route required privileges: fleet-settings-read. + operationId: get-fleet-proxies-itemid parameters: - - description: The unique identifier of the cloud connector. + - description: The ID of the proxy in: path - name: cloudConnectorId + name: itemId required: true schema: type: string @@ -27811,18 +42865,14 @@ paths: content: application/json: examples: - getCloudConnectorExample: - description: A Fleet cloud connector + getFleetProxyExample: + description: A Fleet proxy value: item: - accountType: single-account - cloudProvider: aws - created_at: '2024-01-15T10:00:00.000Z' - id: cloud-connector-id-1 - name: My AWS connector - packagePolicyCount: 2 - updated_at: '2024-01-15T10:00:00.000Z' - vars: {} + id: proxy-id-1 + is_preconfigured: false + name: My proxy + url: http://proxy.example.com:3128 schema: additionalProperties: false type: object @@ -27831,40 +42881,36 @@ paths: additionalProperties: false type: object properties: - accountType: + certificate: + nullable: true type: string - cloudProvider: + certificate_authorities: + nullable: true type: string - created_at: + certificate_key: + nullable: true type: string id: type: string + is_preconfigured: + default: false + type: boolean name: type: string - namespace: - type: string - packagePolicyCount: - type: number - updated_at: - type: string - vars: + proxy_headers: additionalProperties: - nullable: true + anyOf: + - type: string + - type: boolean + - type: number + nullable: true type: object - verification_failed_at: - type: string - verification_started_at: - type: string - verification_status: + url: type: string required: - id + - url - name - - cloudProvider - - vars - - packagePolicyCount - - created_at - - updated_at required: - item description: Successful response 
@@ -27897,15 +42943,33 @@ paths: - message - attributes description: Bad Request - summary: Get cloud connector + '404': + content: + application/json: + examples: + notFoundExample: + description: No proxy was found with the given ID + value: + error: Not Found + message: Fleet proxy proxy-id-1 not found + statusCode: 404 + description: Not Found + summary: Get a proxy tags: - - Fleet cloud connectors - x-state: Technical Preview; added in 9.2.0 + - Fleet proxies + x-metaTags: + - content: Kibana + name: product_name put: - description: >- - Update a cloud connector by ID.

[Required authorization] Route - required privileges: fleet-agent-policies-all OR integrations-all. - operationId: put-fleet-cloud-connectors-cloudconnectorid + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/fleet/proxies/{itemId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update a proxy by ID.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: put-fleet-proxies-itemid parameters: - description: A required header to protect against CSRF attacks in: header @@ -27914,9 +42978,9 @@ paths: schema: example: 'true' type: string - - description: The unique identifier of the cloud connector to update. + - description: The ID of the proxy in: path - name: cloudConnectorId + name: itemId required: true schema: type: string 
@@ -27924,80 +42988,53 @@ paths: content: application/json: examples: - putCloudConnectorRequestExample: - description: Update a Fleet cloud connector + putFleetProxyRequestExample: + description: Update a Fleet proxy value: - name: Updated AWS connector - vars: {} + name: Updated proxy + url: http://updated-proxy.example.com:3128 schema: additionalProperties: false type: object properties: - accountType: - description: >- - The account type: single-account (single - account/subscription) or organization-account - (organization-wide). - enum: - - single-account - - organization-account + certificate: + nullable: true + type: string + certificate_authorities: + nullable: true + type: string + certificate_key: + nullable: true type: string name: - description: The name of the cloud connector. - maxLength: 255 - minLength: 1 type: string - vars: + proxy_headers: additionalProperties: anyOf: - - maxLength: 1000 - type: string - - type: number + - type: string - type: boolean - - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - maxLength: 50 - type: string - value: - anyOf: - - maxLength: 1000 - type: string - - additionalProperties: false - type: object - properties: - id: - maxLength: 255 - type: string - isSecretRef: - type: boolean - required: - - isSecretRef - - id - required: - - type - - value + - type: number + nullable: true type: object + url: + type: string + required: + - certificate_authorities + - certificate + - certificate_key responses: '200': content: application/json: examples: - putCloudConnectorExample: - description: The updated Fleet cloud connector + putFleetProxyExample: + description: The updated Fleet proxy value: item: - accountType: single-account - cloudProvider: aws - created_at: '2024-01-15T10:00:00.000Z' - id: cloud-connector-id-1 - name: Updated AWS connector - packagePolicyCount: 2 - updated_at: '2024-01-15T11:00:00.000Z' - vars: {} + id: proxy-id-1 + is_preconfigured: false + name: Updated 
proxy + url: http://updated-proxy.example.com:3128 schema: additionalProperties: false type: object 
@@ -28006,42 +43043,226 @@ paths: additionalProperties: false type: object properties: - accountType: - type: string - cloudProvider: - type: string - created_at: - type: string - id: - type: string - name: - type: string - namespace: - type: string - packagePolicyCount: - type: number - updated_at: - type: string - vars: - additionalProperties: - nullable: true - type: object - verification_failed_at: - type: string - verification_started_at: + certificate: + nullable: true + type: string + certificate_authorities: + nullable: true + type: string + certificate_key: + nullable: true + type: string + id: + type: string + is_preconfigured: + default: false + type: boolean + name: + type: string + proxy_headers: + additionalProperties: + anyOf: + - type: string + - type: boolean + - type: number + nullable: true + type: object + url: + type: string + required: + - id + - url + - name + required: + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No proxy was found with the given ID + value: + error: Not Found + message: Proxy proxy-id-1 not found + statusCode: 404 + description: Not Found + summary: Update a proxy + tags: + - Fleet proxies + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/remote_synced_integrations/{outputId}/remote_status: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/remote_synced_integrations/{outputId}/remote_status
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the synchronization status of remote integrations for a specific output by its ID.

[Required authorization] Route required privileges: fleet-settings-read AND integrations-read. + operationId: get-fleet-remote-synced-integrations-outputid-remote-status + parameters: + - description: The ID of the output + in: path + name: outputId + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getRemoteSyncedIntegrationsInfoExample: + description: Synchronization status of remote integrations for a specific output + value: + integrations: + - id: nginx-remote + install_status: + main: installed + remote: installed + package_name: nginx + package_version: 1.20.0 + sync_status: COMPLETED + updated_at: '2024-01-01T00:00:00.000Z' + schema: + additionalProperties: false + type: object + properties: + custom_assets: + additionalProperties: + additionalProperties: false + type: object + properties: + error: + type: string + is_deleted: + type: boolean + name: + type: string + package_name: + type: string + package_version: + type: string + sync_status: + enum: + - completed + - synchronizing + - failed + - warning + type: string + type: + type: string + warning: + additionalProperties: false + type: object + properties: + message: + type: string + title: + type: string + required: + - title + required: + - type + - name + - package_name + - package_version + - sync_status + type: object + error: + type: string + integrations: + items: + additionalProperties: false + type: object + properties: + error: + type: string + id: + type: string + install_status: + additionalProperties: false + type: object + properties: + main: + type: string + remote: + type: string + required: + - main + package_name: + type: string + package_version: + type: string + sync_status: + enum: + - completed + - synchronizing + - failed + - warning + type: string + updated_at: + type: string + warning: + additionalProperties: false + type: object + properties: + message: + type: string + title: + type: string + required: + - title + 
required: + - sync_status + - install_status + maxItems: 10000 + type: array + warning: + additionalProperties: false + type: object + properties: + message: type: string - verification_status: + title: type: string required: - - id - - name - - cloudProvider - - vars - - packagePolicyCount - - created_at - - updated_at + - title required: - - item + - integrations description: Successful response '400': content: @@ -28072,119 +43293,158 @@ paths: - message - attributes description: Bad Request - summary: Update cloud connector + summary: Get remote synced integrations status by outputId tags: - - Fleet cloud connectors - x-state: Technical Preview; added in 9.2.0 - /api/fleet/cloud_connectors/{cloudConnectorId}/usage: + - Fleet remote synced integrations + x-state: Generally available; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/remote_synced_integrations/status: get: - description: >- - Get a list of package policies that are using a given cloud - connector.

[Required authorization] Route required privileges: - fleet-agent-policies-read OR integrations-read. - operationId: get-fleet-cloud-connectors-cloudconnectorid-usage - parameters: - - description: The unique identifier of the cloud connector. - in: path - name: cloudConnectorId - required: true - schema: - type: string - - description: The page number for pagination. - in: query - name: page - required: false - schema: - minimum: 1 - type: number - - description: The number of items per page. - in: query - name: perPage - required: false - schema: - minimum: 1 - type: number + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/remote_synced_integrations/status
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the synchronization status of all remote integrations across connected remote clusters.

[Required authorization] Route required privileges: fleet-settings-read AND integrations-read. + operationId: get-fleet-remote-synced-integrations-status + parameters: [] responses: '200': content: application/json: examples: - getCloudConnectorUsageResponseExample: - description: >- - Example response showing package policies using the cloud - connector + getRemoteSyncedIntegrationsStatusExample: + description: Synchronization status of remote integrations across connected remote clusters value: - items: - - created_at: '2025-01-16T09:00:00.000Z' - id: package-policy-1 - name: CSPM AWS Policy - package: - name: cloud_security_posture - title: Cloud Security Posture Management - version: 3.1.1 - policy_ids: - - policy-id-123 - - policy-id-456 - updated_at: '2025-01-16T09:00:00.000Z' - page: 1 - perPage: 20 - total: 2 + integrations: + - id: nginx-remote + install_status: + main: installed + remote: installed + package_name: nginx + package_version: 1.20.0 + sync_status: COMPLETED + updated_at: '2024-01-01T00:00:00.000Z' + - error: Failed to sync package to remote cluster + id: system-remote + install_status: + main: installed + remote: not_installed + package_name: system + package_version: 1.38.0 + sync_status: FAILED + updated_at: '2024-01-01T00:00:00.000Z' schema: additionalProperties: false type: object properties: - items: - items: + custom_assets: + additionalProperties: additionalProperties: false type: object properties: - created_at: - type: string - id: + error: type: string + is_deleted: + type: boolean name: type: string - package: + package_name: + type: string + package_version: + type: string + sync_status: + enum: + - completed + - synchronizing + - failed + - warning + type: string + type: + type: string + warning: additionalProperties: false type: object properties: - name: + message: type: string title: type: string - version: - type: string required: - - name - title - - version - policy_ids: - items: - type: string - maxItems: 10000 - type: 
array + required: + - type + - name + - package_name + - package_version + - sync_status + type: object + error: + type: string + integrations: + items: + additionalProperties: false + type: object + properties: + error: + type: string + id: + type: string + install_status: + additionalProperties: false + type: object + properties: + main: + type: string + remote: + type: string + required: + - main + package_name: + type: string + package_version: + type: string + sync_status: + enum: + - completed + - synchronizing + - failed + - warning + type: string updated_at: type: string + warning: + additionalProperties: false + type: object + properties: + message: + type: string + title: + type: string + required: + - title required: - - id - - name - - policy_ids - - created_at - - updated_at + - sync_status + - install_status maxItems: 10000 type: array - page: - type: number - perPage: - type: number - total: - type: number + warning: + additionalProperties: false + type: object + properties: + message: + type: string + title: + type: string + required: + - title required: - - items - - total - - page - - perPage - description: 'OK: A successful request.' + - integrations + description: Successful response '400': content: application/json: @@ -28193,7 +43453,7 @@ paths: description: Example of a generic error response value: error: Bad Request - message: Cloud connector not found + message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false @@ -28213,124 +43473,70 @@ paths: required: - message - attributes - description: A bad request. - summary: Get cloud connector usage (package policies using the connector) + description: Bad Request + summary: Get remote synced integrations status tags: - - Fleet cloud connectors - x-state: Technical Preview; added in 9.2.0 - /api/fleet/data_streams: - get: - description: >- - List all Fleet-managed data streams with metadata including package, - namespace, size, and last activity.

[Required authorization] - Route required privileges: fleet-agents-all AND fleet-agent-policies-all - AND fleet-settings-all. - operationId: get-fleet-data-streams - parameters: [] + - Fleet remote synced integrations + x-state: Generally available; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/service_tokens: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/service_tokens
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a Fleet Server service token. The token is used to enroll Fleet Server instances with Kibana.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-service-tokens + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + postGenerateServiceTokenRequestExample: + description: Generate a service token for a remote Fleet Server + value: + remote: true + schema: + additionalProperties: false + nullable: true + type: object + properties: + remote: + default: false + type: boolean responses: '200': content: application/json: examples: - getDataStreamsExample: - description: List of Fleet-managed data streams + postGenerateServiceTokenExample: + description: The generated Fleet Server service token value: - data_streams: - - dashboards: - - id: nginx-overview - title: Nginx Overview - dataset: nginx.access - index: logs-nginx.access-default - last_activity_ms: 1700000000000 - namespace: default - package: nginx - package_version: 1.20.0 - serviceDetails: null - size_in_bytes: 1048576 - size_in_bytes_formatted: 1mb - type: logs - - dashboards: [] - dataset: system.cpu - index: metrics-system.cpu-default - last_activity_ms: 1699999000000 - namespace: default - package: system - package_version: 1.38.0 - serviceDetails: null - size_in_bytes: 524288 - size_in_bytes_formatted: 512kb - type: metrics + name: elastic/fleet-server/token-1234567890 + value: AAEAAWVsYXN0aWMvZmxlZXQtc2VydmVyL3Rva2VuLTEyMzQ1Njc4OTA6QUJDREVGR0hJSktMTU5P schema: additionalProperties: false type: object properties: - data_streams: - items: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false - type: object - properties: - id: - type: string - title: - type: string - required: - - id - - title - maxItems: 10000 - type: array - dataset: - type: string - index: - type: string - last_activity_ms: - type: number - namespace: - type: 
string - package: - type: string - package_version: - type: string - serviceDetails: - additionalProperties: false - nullable: true - type: object - properties: - environment: - type: string - serviceName: - type: string - required: - - environment - - serviceName - size_in_bytes: - type: number - size_in_bytes_formatted: - anyOf: - - type: number - - type: string - type: - type: string - required: - - index - - dataset - - namespace - - type - - package - - package_version - - last_activity_ms - - size_in_bytes - - size_in_bytes_formatted - - dashboards - - serviceDetails - maxItems: 10000 - type: array + name: + type: string + value: + type: string required: - - data_streams + - name + - value description: Successful response '400': content: @@ -28361,90 +43567,118 @@ paths: - message - attributes description: Bad Request - summary: Get data streams + summary: Create a service token tags: - - Data streams - /api/fleet/enrollment_api_keys: + - Fleet service tokens + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/settings: get: - description: >- - List all enrollment API keys.

[Required authorization] Route - required privileges: fleet-agents-all OR fleet-setup. - operationId: get-fleet-enrollment-api-keys - parameters: - - description: Page number - in: query - name: page - required: false - schema: - default: 1 - type: number - - description: Number of results per page - in: query - name: perPage - required: false - schema: - default: 20 - type: number - - description: A KQL query string to filter results - in: query - name: kuery - required: false - schema: - type: string + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/settings
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the global Fleet settings.

[Required authorization] Route required privileges: fleet-settings-read. + operationId: get-fleet-settings + parameters: [] responses: '200': content: application/json: examples: - getEnrollmentApiKeysExample: - description: List of enrollment API keys + getSettingsExample: + description: The current Fleet settings value: - items: - - active: true - api_key: api-key-value-1 - api_key_id: api-key-id-1 - created_at: '2024-01-01T00:00:00.000Z' - id: key-id-1 - name: Default policy enrollment key - policy_id: policy-id-1 - list: - - active: true - api_key: api-key-value-1 - api_key_id: api-key-id-1 - created_at: '2024-01-01T00:00:00.000Z' - id: key-id-1 - name: Default policy enrollment key - policy_id: policy-id-1 - page: 1 - perPage: 20 - total: 1 + item: + delete_unenrolled_agents: + enabled: false + is_preconfigured: false + has_seen_add_data_notice: true + id: fleet-default-settings + output_secret_storage_requirements_met: true + prerelease_integrations_enabled: false + secret_storage_requirements_met: true + version: WzEsMV0= schema: additionalProperties: false type: object properties: - items: - items: - $ref: '#/components/schemas/Kibana_HTTP_APIs_enrollment_api_key' - maxItems: 10000 - type: array - list: - deprecated: true - items: - $ref: '#/components/schemas/Kibana_HTTP_APIs_enrollment_api_key' - maxItems: 10000 - type: array - page: - type: number - perPage: - type: number - total: - type: number + item: + additionalProperties: false + type: object + properties: + action_secret_storage_requirements_met: + type: boolean + delete_unenrolled_agents: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + is_preconfigured: + type: boolean + required: + - enabled + - is_preconfigured + download_source_auth_secret_storage_requirements_met: + type: boolean + has_seen_add_data_notice: + type: boolean + id: + type: string + ilm_migration_status: + additionalProperties: false + type: object + properties: + logs: + enum: + - success 
+ nullable: true + type: string + metrics: + enum: + - success + nullable: true + type: string + synthetics: + enum: + - success + nullable: true + type: string + integration_knowledge_enabled: + type: boolean + output_secret_storage_requirements_met: + type: boolean + preconfigured_fields: + items: + enum: + - fleet_server_hosts + type: string + maxItems: 1 + type: array + prerelease_integrations_enabled: + type: boolean + secret_storage_requirements_met: + type: boolean + ssl_secret_storage_requirements_met: + type: boolean + use_space_awareness_migration_started_at: + nullable: true + type: string + use_space_awareness_migration_status: + enum: + - pending + - success + - error + type: string + version: + type: string required: - - items - - total - - page - - perPage - - list + - item description: Successful response '400': content: @@ -28475,15 +43709,41 @@ paths: - message - attributes description: Bad Request - summary: Get enrollment API keys + '404': + content: + application/json: + examples: + notFoundExample: + description: Fleet settings have not been initialized + value: + error: Not Found + message: Settings not found + statusCode: 404 + schema: + additionalProperties: false + type: object + properties: + message: + type: string + required: + - message + description: Not Found + summary: Get settings tags: - - Fleet enrollment API keys - post: - description: >- - Create an enrollment API key for a given agent - policy.

[Required authorization] Route required privileges: - fleet-agents-all. - operationId: post-fleet-enrollment-api-keys + - Fleet internals + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/fleet/settings
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update the global Fleet settings.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: put-fleet-settings parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -28496,34 +43756,139 @@ paths: content: application/json: examples: - postEnrollmentApiKeyRequestExample: - description: Create an enrollment API key for an agent policy + putSettingsRequestExample: + description: Update Fleet settings to enable pre-release integrations value: - expiration: '2025-01-01T00:00:00.000Z' - name: My enrollment key - policy_id: policy-id-1 + prerelease_integrations_enabled: true schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_enrollment_api_key' + additionalProperties: false + type: object + properties: + additional_yaml_config: + deprecated: true + type: string + delete_unenrolled_agents: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + is_preconfigured: + type: boolean + required: + - enabled + - is_preconfigured + has_seen_add_data_notice: + deprecated: true + type: boolean + integration_knowledge_enabled: + type: boolean + kibana_ca_sha256: + deprecated: true + type: string + kibana_urls: + deprecated: true + items: + format: uri + type: string + maxItems: 10 + type: array + prerelease_integrations_enabled: + type: boolean responses: '200': content: application/json: examples: - postEnrollmentApiKeyExample: - description: The created enrollment API key + putSettingsExample: + description: The updated Fleet settings value: - action: created item: - active: true - api_key: api-key-value-1 - api_key_id: api-key-id-1 - created_at: '2024-01-01T00:00:00.000Z' - id: key-id-1 - name: My enrollment key - policy_id: policy-id-1 + delete_unenrolled_agents: + enabled: false + is_preconfigured: false + has_seen_add_data_notice: true + id: fleet-default-settings + output_secret_storage_requirements_met: true + prerelease_integrations_enabled: true + secret_storage_requirements_met: true + version: WzIsMV0= schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_enrollment_api_key_response + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: 
object + properties: + action_secret_storage_requirements_met: + type: boolean + delete_unenrolled_agents: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + is_preconfigured: + type: boolean + required: + - enabled + - is_preconfigured + download_source_auth_secret_storage_requirements_met: + type: boolean + has_seen_add_data_notice: + type: boolean + id: + type: string + ilm_migration_status: + additionalProperties: false + type: object + properties: + logs: + enum: + - success + nullable: true + type: string + metrics: + enum: + - success + nullable: true + type: string + synthetics: + enum: + - success + nullable: true + type: string + integration_knowledge_enabled: + type: boolean + output_secret_storage_requirements_met: + type: boolean + preconfigured_fields: + items: + enum: + - fleet_server_hosts + type: string + maxItems: 1 + type: array + prerelease_integrations_enabled: + type: boolean + secret_storage_requirements_met: + type: boolean + ssl_secret_storage_requirements_met: + type: boolean + use_space_awareness_migration_started_at: + nullable: true + type: string + use_space_awareness_migration_status: + enum: + - pending + - success + - error + type: string + version: + type: string + required: + - item description: Successful response '400': content: 
@@ -28554,15 +43919,42 @@ paths: - message - attributes description: Bad Request - summary: Create an enrollment API key + '404': + content: + application/json: + examples: + notFoundExample: + description: Fleet settings have not been initialized + value: + error: Not Found + message: Settings not found + statusCode: 404 + schema: + additionalProperties: false + type: object + properties: + message: + type: string + required: + - message + description: Not Found + summary: Update settings tags: - - Fleet enrollment API keys - /api/fleet/enrollment_api_keys/_bulk_delete: + - Fleet internals + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/setup: post: - description: >- - Revoke or delete multiple enrollment API keys.

[Required - authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-enrollment-api-keys-bulk-delete + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/setup
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Initialize Fleet and create the necessary Elasticsearch resources for Fleet to operate. Safe to call multiple times (idempotent). Returns the initialization status and any non-fatal errors encountered during setup.

[Required authorization] Route required privileges: fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup. + operationId: post-fleet-setup parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -28571,41 +43963,48 @@ paths: schema: example: 'true' type: string - requestBody: - content: - application/json: - examples: - bulkDeleteByIdsExample: - description: Bulk delete enrollment API keys by IDs - value: - forceDelete: true - tokenIds: - - token-id-1 - - token-id-2 - bulkDeleteByKueryExample: - description: Bulk delete enrollment API keys by KQL query - value: - forceDelete: false - kuery: policy_id:"policy-id-1" - schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_bulk_delete_enrollment_api_keys_request responses: '200': content: application/json: examples: - bulkDeleteEnrollmentApiKeysExample: - description: The enrollment API keys were successfully processed + fleetSetupSuccessExample: + description: Fleet initialized successfully with no non-fatal errors value: - action: deleted - count: 2 - errorCount: 0 - successCount: 2 + isInitialized: true + nonFatalErrors: [] + fleetSetupWithNonFatalErrorsExample: + description: Fleet initialized but encountered non-fatal errors during setup + value: + isInitialized: true + nonFatalErrors: + - message: Package fleet_server not found in registry + name: PackageNotFoundError schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_bulk_delete_enrollment_api_keys_response - description: Successful response + additionalProperties: false + description: A summary of the result of Fleet's `setup` lifecycle. If `isInitialized` is true, Fleet is ready to accept agent enrollment. `nonFatalErrors` may include useful insight into non-blocking issues with Fleet setup. + type: object + properties: + isInitialized: + type: boolean + nonFatalErrors: + items: + additionalProperties: false + type: object + properties: + message: + type: string + name: + type: string + required: + - name + - message + maxItems: 10000 + type: array + required: + - isInitialized + - nonFatalErrors + description: Fleet setup completed '400': content: application/json: 
@@ -28614,7 +44013,7 @@ paths: description: Example of a generic error response value: error: Bad Request - message: Either tokenIds or kuery must be provided + message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false @@ -28635,17 +44034,92 @@ paths: - message - attributes description: Bad Request - summary: Bulk revoke or delete enrollment API keys + '500': + content: + application/json: + examples: + internalErrorResponseExample: + description: Example of an internal server error response + value: + error: Internal Server Error + message: An error message describing what went wrong + statusCode: 500 + schema: + additionalProperties: false + description: Internal Server Error + type: object + properties: + message: + type: string + required: + - message + description: Internal Server Error + summary: Initiate Fleet setup tags: - - Fleet enrollment API keys - x-state: Generally available; added in 9.5.0 - /api/fleet/enrollment_api_keys/{keyId}: - delete: - description: >- - Revoke or delete an enrollment API key by ID. Use `forceDelete=true` to - remove the document.

[Required authorization] Route required - privileges: fleet-agents-all. - operationId: delete-fleet-enrollment-api-keys-keyid + - Fleet internals + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/space_settings: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/space_settings
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the Fleet settings for the current Kibana space. + operationId: get-fleet-space-settings + parameters: [] + responses: + '200': + content: + application/json: + examples: + getSpaceSettingsExample: + description: The Fleet settings for the current Kibana space + value: + item: + allowed_namespace_prefixes: + - team-a + - team-b + schema: + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + allowed_namespace_prefixes: + items: + type: string + maxItems: 100 + type: array + managed_by: + type: string + required: + - allowed_namespace_prefixes + required: + - item + description: Successful response + summary: Get space settings + tags: [] + x-state: Generally available; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/fleet/space_settings
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create or update Fleet settings for the current Kibana space.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: put-fleet-space-settings parameters: - description: A required header to protect against CSRF attacks in: header @@ -28654,52 +44128,177 @@ paths: schema: example: 'true' type: string - - description: The ID of the enrollment API key - in: path - name: keyId - required: true + requestBody: + content: + application/json: + examples: + putSpaceSettingsRequestExample: + description: Update allowed namespace prefixes for the current Kibana space + value: + allowed_namespace_prefixes: + - team-a + - team-b + schema: + additionalProperties: false + type: object + properties: + allowed_namespace_prefixes: + items: + type: string + maxItems: 10 + type: array + responses: + '200': + content: + application/json: + examples: + putSpaceSettingsExample: + description: The updated Fleet settings for the current Kibana space + value: + item: + allowed_namespace_prefixes: + - team-a + - team-b + schema: + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + allowed_namespace_prefixes: + items: + type: string + maxItems: 100 + type: array + managed_by: + type: string + required: + - allowed_namespace_prefixes + required: + - item + description: Successful response + summary: Create space settings + tags: [] + x-state: Generally available; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/uninstall_tokens: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/uninstall_tokens
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List the metadata for the latest uninstall tokens per agent policy.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: get-fleet-uninstall-tokens + parameters: + - description: Partial match filtering for policy IDs + in: query + name: policyId + required: false schema: + maxLength: 50 type: string - - description: >- - When false (default), invalidate the API key and mark the token as - inactive. When true, also delete the token document. + - description: Partial match filtering for uninstall token values in: query - name: forceDelete + name: search required: false schema: - default: false - type: boolean - - description: >- - When true, allow deletion of hidden enrollment tokens - (managed/agentless policies). Defaults to false. + maxLength: 50 + type: string + - description: The number of items to return in: query - name: includeHidden + name: perPage required: false schema: - default: false - type: boolean + minimum: 5 + type: number + - description: Page number + in: query + name: page + required: false + schema: + minimum: 1 + type: number responses: '200': content: application/json: examples: - deleteEnrollmentApiKeyExample: - description: The enrollment API key was successfully revoked + getUninstallTokensExample: + description: List of uninstall token metadata for agent policies value: - action: deleted + items: + - created_at: '2024-01-01T00:00:00.000Z' + id: token-id-1 + namespaces: + - default + policy_id: policy-id-1 + policy_name: Default policy + - created_at: '2024-01-02T00:00:00.000Z' + id: token-id-2 + namespaces: + - production + policy_id: policy-id-2 + policy_name: Production policy + page: 1 + perPage: 20 + total: 2 schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_delete_enrollment_api_key_response + additionalProperties: false + type: object + properties: + items: + items: + additionalProperties: false + type: object + properties: + created_at: + type: string + id: + type: string + namespaces: + items: + type: string + maxItems: 100 + type: array + policy_id: + 
type: string + policy_name: + nullable: true + type: string + required: + - id + - policy_id + - created_at + maxItems: 10000 + type: array + page: + type: number + perPage: + type: number + total: + type: number + required: + - items + - total + - page + - perPage description: Successful response '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + conflictingQueryParamsExample: + description: Both policyId and search query parameters were provided value: error: Bad Request - message: An error message describing what went wrong + message: Query parameters `policyId` and `search` cannot be used at the same time. statusCode: 400 schema: additionalProperties: false @@ -28720,29 +44319,27 @@ paths: - message - attributes description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No enrollment API key was found with the given ID - value: - error: Not Found - message: EnrollmentAPIKey key-id-1 not found - statusCode: 404 - description: Not Found - summary: Revoke or delete an enrollment API key + summary: Get metadata for latest uninstall tokens tags: - - Fleet enrollment API keys + - Fleet uninstall tokens + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/uninstall_tokens/{uninstallTokenId}: get: - description: >- - Get an enrollment API key by ID.

[Required authorization] Route - required privileges: fleet-agents-all OR fleet-setup. - operationId: get-fleet-enrollment-api-keys-keyid + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/uninstall_tokens/{uninstallTokenId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get one decrypted uninstall token by its ID.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: get-fleet-uninstall-tokens-uninstalltokenid parameters: - - description: The ID of the enrollment API key + - description: The ID of the uninstall token in: path - name: keyId + name: uninstallTokenId required: true schema: type: string @@ -28751,20 +44348,48 @@ paths: content: application/json: examples: - getEnrollmentApiKeyExample: - description: An enrollment API key + getUninstallTokenExample: + description: Decrypted uninstall token for an agent policy value: item: - active: true - api_key: api-key-value-1 - api_key_id: api-key-id-1 created_at: '2024-01-01T00:00:00.000Z' - id: key-id-1 - name: Default policy enrollment key + id: token-id-1 + namespaces: + - default policy_id: policy-id-1 + policy_name: Default policy + token: CKHJsJcBqNwIRcRBNDaE schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_enrollment_api_key_response + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + created_at: + type: string + id: + type: string + namespaces: + items: + type: string + maxItems: 100 + type: array + policy_id: + type: string + policy_name: + nullable: true + type: string + token: + type: string + required: + - id + - policy_id + - created_at + - token + required: + - item description: Successful response '400': content: 
@@ -28800,3209 +44425,2618 @@ paths: application/json: examples: notFoundExample: - description: No enrollment API key was found with the given ID + description: No uninstall token was found with the given ID value: error: Not Found - message: EnrollmentAPIKey key-id-1 not found + message: Uninstall Token not found with ID token-id-1 statusCode: 404 description: Not Found - summary: Get an enrollment API key + summary: Get a decrypted uninstall token tags: - - Fleet enrollment API keys - /api/fleet/epm/bulk_assets: - post: - description: >- - Retrieve multiple Kibana saved object assets by their IDs and - types.

[Required authorization] Route required privileges: - integrations-read OR fleet-setup OR fleet-all. - operationId: post-fleet-epm-bulk-assets + - Fleet uninstall tokens + x-metaTags: + - content: Kibana + name: product_name + /api/lists: + delete: + description: | + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/lists
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a value list using the list ID. + > info + > When you delete a list, all of its list items are also deleted. + operationId: DeleteList parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf + - description: Value list identifier to delete, including all of its list items. + in: query + name: id required: true schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postBulkGetAssetsRequestExample: - description: Retrieve multiple assets by their IDs and types - value: - assetIds: - - id: dashboard-id-1 - type: dashboard - - id: index-pattern-id-1 - type: index_pattern - schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_get_bulk_assets_request' + $ref: '#/components/schemas/Security_Lists_API_ListId' + - description: Determines whether exception items referencing this value list should be deleted. + in: query + name: deleteReferences + required: false + schema: + default: false + example: false + type: boolean + - description: Determines whether to delete value list without performing any additional checks of where this list may be utilized. + in: query + name: ignoreReferences + required: false + schema: + default: false + example: false + type: boolean responses: '200': content: application/json: examples: - postBulkGetAssetsExample: - description: Requested assets + ipList: value: - items: - - appLink: /app/dashboards#/view/dashboard-id-1 - attributes: - title: My Dashboard - id: dashboard-id-1 - type: dashboard + _version: WzIsMV0= + '@timestamp': '2025-01-08T04:47:34.273Z' + created_at: '2025-01-08T04:47:34.273Z' + created_by: elastic + description: List of bad internet ips. 
+ id: 21b01cfb-058d-44b9-838c-282be16c91cd + immutable: false + name: Bad ips + tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 + type: ip + updated_at: '2025-01-08T05:39:39.292Z' + updated_by: elastic + version: 3 schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_get_bulk_assets_response' + $ref: '#/components/schemas/Security_Lists_API_List' description: Successful response '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequest: value: error: Bad Request - message: An error message describing what went wrong + message: '[request query]: id: Required' statusCode: 400 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Bulk get assets + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [DELETE /api/lists?id=ip_list] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: 
'#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'list id: \"ip_list\" was not found' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Delete a value list tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/categories: + - Security Lists API + x-metaTags: + - content: Kibana + name: product_name get: - description: >- - Get a list of integration categories.

[Required authorization] - Route required privileges: integrations-read OR fleet-setup OR - fleet-all. - operationId: get-fleet-epm-categories + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/lists
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the details of a value list using the list ID. + operationId: ReadList parameters: - - description: When true, include prerelease packages in the results - in: query - name: prerelease - required: false - schema: - type: boolean - - description: When true, include categories that only contain policy templates + - description: Value list identifier (`id`) returned when the list was created. in: query - name: include_policy_templates - required: false + name: id + required: true schema: - type: boolean + $ref: '#/components/schemas/Security_Lists_API_ListId' responses: '200': content: application/json: examples: - getCategoriesExample: - description: List of integration categories + ip: value: - items: - - count: 42 - id: security - title: Security - - count: 38 - id: observability - title: Observability + _version: WzEsMV0= + '@timestamp': '2025-01-08T04:47:34.273Z' + created_at: '2025-01-08T04:47:34.273Z' + created_by: elastic + description: This list describes bad internet ip + id: ip_list + immutable: false + name: My bad ips + tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 + type: ip + updated_at: '2025-01-08T05:21:53.843Z' + updated_by: elastic + version: 1 schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_get_categories_response' + $ref: '#/components/schemas/Security_Lists_API_List' description: Successful response '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequest: value: error: Bad Request - message: An error message describing what went wrong + message: '[request query]: id: Required' statusCode: 400 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - 
message - - attributes - description: Bad Request - summary: Get package categories - tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/custom_integrations: - post: - description: >- - Create a new custom integration package with user-defined data - streams.

[Required authorization] Route required privileges: - integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-custom-integrations - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postCreateCustomIntegrationRequestExample: - description: Create a new custom integration - value: - datasets: - - name: my_custom_logs.access - type: logs - integrationName: my_custom_logs - schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_create_custom_integration_request - responses: - '200': + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': content: application/json: examples: - postCreateCustomIntegrationExample: - description: Custom integration successfully created + unauthorized: value: - _meta: - install_source: custom - items: - - id: my_custom_logs-logs-my_custom_logs.access - type: index_template + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_install_package_response' - description: Successful response - '400': + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + forbidden: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + error: Forbidden + message: API [GET /api/lists?id=ip_list] is 
unauthorized for user, this action is granted by the Kibana privileges [lists-read] + statusCode: 403 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Create a custom integration - tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/custom_integrations/{pkgName}: - put: - description: >- - Update the datasets of an existing custom integration - package.

[Required authorization] Route required privileges: - fleet-settings-all AND integrations-all. - operationId: put-fleet-epm-custom-integrations-pkgname - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Package name - in: path - name: pkgName - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - putUpdateCustomIntegrationRequestExample: - description: Update a custom integration - value: - datasets: - - name: my_custom_logs.access - type: logs - integrationName: my_custom_logs - schema: - additionalProperties: false - type: object - properties: - categories: - items: - type: string - maxItems: 10 - type: array - readMeData: - type: string - required: - - readMeData - responses: - '200': + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': content: application/json: examples: - putUpdateCustomIntegrationExample: - description: Custom integration successfully updated - value: {} - description: Successful response - '400': + notFound: + value: + message: 'list id: \"foo\" not found' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List not found response + '500': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + serverError: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + message: Internal Server Error + status_code: 500 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: 
Update a custom integration + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Get value list details tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/data_streams: - get: - description: >- - Get a list of data streams created by installed integration - packages.

[Required authorization] Route required privileges: - integrations-read OR fleet-setup OR fleet-all. - operationId: get-fleet-epm-data-streams - parameters: - - description: Filter by data stream type - in: query - name: type - required: false - schema: - enum: - - logs - - metrics - - traces - - synthetics - - profiling - type: string - - description: Filter data streams by dataset name - in: query - name: datasetQuery - required: false - schema: - type: string - - description: Sort order, ascending or descending - in: query - name: sortOrder - required: false - schema: - default: asc - enum: - - asc - - desc - type: string - - description: >- - When true, only return data streams that are not associated with a - package - in: query - name: uncategorisedOnly - required: false - schema: - default: false - type: boolean + - Security Lists API + x-metaTags: + - content: Kibana + name: product_name + patch: + description: |- + **Spaces method and path for this operation:** + +
patch /s/{space_id}/api/lists
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update specific fields of an existing list using the list `id`. + operationId: PatchList + requestBody: + content: + application/json: + examples: + patchName: + value: + id: ip_list + name: Bad ips list - UPDATED + schema: + example: + id: ip_list + name: Bad ips list - UPDATED + type: object + properties: + _version: + $ref: '#/components/schemas/Security_Lists_API_ListVersionId' + description: + $ref: '#/components/schemas/Security_Lists_API_ListDescription' + id: + $ref: '#/components/schemas/Security_Lists_API_ListId' + meta: + $ref: '#/components/schemas/Security_Lists_API_ListMetadata' + name: + $ref: '#/components/schemas/Security_Lists_API_ListName' + version: + $ref: '#/components/schemas/Security_Lists_API_ListVersion' + required: + - id + description: Value list's properties + required: true responses: '200': content: application/json: examples: - getDataStreamsExample: - description: List of data streams from installed packages + ip: value: - data_streams: - - ilm_policy: logs-default - index_template: logs-system.syslog - name: logs-system.syslog-default - package: system - package_version: 1.55.0 - title: System syslog logs + _version: WzEsMV0= + '@timestamp': '2025-01-08T04:47:34.273Z' + created_at: '2025-01-08T04:47:34.273Z' + created_by: elastic + description: This list describes bad internet ips + id: ip_list + immutable: false + name: Bad ips list - UPDATED + tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 + type: ip + updated_at: '2025-01-08T05:21:53.843Z' + updated_by: elastic + version: 2 schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_get_data_streams_response + $ref: '#/components/schemas/Security_Lists_API_List' description: Successful response '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequest: value: error: Bad Request - message: An 
error message describing what went wrong + message: '[request body]: name: Expected string, received number' statusCode: 400 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get data streams - tags: - - Data streams - /api/fleet/epm/packages: - get: - description: >- - Get a list of integration packages available in the - registry.

[Required authorization] Route required privileges: - integrations-read OR fleet-setup OR fleet-all. - operationId: get-fleet-epm-packages - parameters: - - description: Filter packages by category - in: query - name: category - required: false - schema: - type: string - - description: When true, include prerelease packages in the results - in: query - name: prerelease - required: false - schema: - type: boolean - - description: When true, exclude the install status from the response - in: query - name: excludeInstallStatus - required: false - schema: - type: boolean - - description: When true, include the number of package policies per package - in: query - name: withPackagePoliciesCount - required: false - schema: - type: boolean - responses: - '200': + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': content: application/json: examples: - getPackagesExample: - description: List of available integration packages + unauthorized: value: - items: - - categories: - - cloud - description: Collect logs and metrics from Amazon Web Services - id: aws - name: aws - status: not_installed - title: AWS - version: 2.10.0 - searchExcluded: 0 - total: 1 + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_get_packages_response' - description: Successful response - '400': + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + forbidden: value: - error: Bad 
Request - message: An error message describing what went wrong - statusCode: 400 + error: Forbidden + message: API [PATCH /api/lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get packages + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'list id: \"foo\" not found' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Patch a value list tags: - - Elastic Package Manager (EPM) + - Security Lists API + x-metaTags: + - content: Kibana + name: product_name post: - description: >- - Install a package by uploading a .zip or .tar.gz archive (max 100MB). - Only available to superusers.

[Required authorization] Route - required privileges: integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: When true, ignore mapping update errors during installation - in: query - name: ignoreMappingUpdateErrors - required: false - schema: - default: false - type: boolean - - description: When true, skip data stream rollover after installation - in: query - name: skipDataStreamRollover - required: false - schema: - default: false - type: boolean + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/lists
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new value list. + operationId: CreateList requestBody: content: - application/gzip: - examples: - postInstallByUploadRequestExample: - description: Upload a .zip or .tar.gz package archive (max 100MB) - value: - application/gzip; application/zip: + application/json: examples: - postInstallByUploadRequestExample: - description: Upload a .zip or .tar.gz package archive (max 100MB) - value: + ip: + value: + description: This list describes bad internet ips + id: ip_list + name: Simple list with ips + type: ip + ip_range: + value: + description: This list has ip ranges + id: ip_range_list + name: Simple list with ip ranges + type: ip_range + keyword: + value: + description: This list describes bad host names + id: keyword_list + name: Simple list with a keyword + type: keyword + keyword_custom_format: + value: + description: This parses the first found ipv4 only + id: keyword_custom_format_list + name: Simple list with a keyword using a custom format + type: keyword schema: - format: binary - type: string + type: object + properties: + description: + $ref: '#/components/schemas/Security_Lists_API_ListDescription' + id: + $ref: '#/components/schemas/Security_Lists_API_ListId' + meta: + $ref: '#/components/schemas/Security_Lists_API_ListMetadata' + name: + $ref: '#/components/schemas/Security_Lists_API_ListName' + type: + $ref: '#/components/schemas/Security_Lists_API_ListType' + version: + default: 1 + minimum: 1 + type: integer + required: + - name + - description + - type + description: Value list's properties + required: true responses: '200': content: - application/gzip; application/zip: + application/json: examples: - postInstallByUploadExample: - description: Package successfully installed from upload + ip: value: - _meta: - install_source: upload - items: - - id: my-custom-package-logs-default - type: index_template + _version: WzAsMV0= + 
'@timestamp': '2025-01-08T04:47:34.273Z' + created_at: '2025-01-08T04:47:34.273Z' + created_by: elastic + description: This list describes bad internet ips + id: ip_list + immutable: false + name: Simple list with ips + tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 + type: ip + updated_at: '2025-01-08T04:47:34.273Z' + updated_by: elastic + version: 1 + ip_range: + value: + _version: WzAsMV0= + '@timestamp': '2025-01-09T18:23:52.241Z' + created_at: '2025-01-09T18:23:52.241Z' + created_by: elastic + description: This list has ip ranges + id: ip_range_list + immutable: false + name: Simple list with ip ranges + tie_breaker_id: 74aebdaf-601f-4940-b351-155728ff7003 + type: ip_range + updated_at: '2025-01-09T18:23:52.241Z' + updated_by: elastic + version: 1 + keyword: + value: + _version: WzEsMV0= + '@timestamp': '2025-01-09T18:24:55.786Z' + created_at: '2025-01-09T18:24:55.786Z' + created_by: elastic + description: This list describes bad host names + id: keyword_list + immutable: false + name: Simple list with a keyword + tie_breaker_id: f7e7dbaa-daf7-4c9a-a3dc-56643923ef68 + type: keyword + updated_at: '2025-01-09T18:24:55.786Z' + updated_by: elastic + version: 1 + keyword_custom_format: + value: + _version: WzIsMV0= + '@timestamp': '2025-01-09T18:25:39.604Z' + created_at: '2025-01-09T18:25:39.604Z' + created_by: elastic + description: This parses the first found ipv4 only + id: keyword_custom_format_list + immutable: false + name: Simple list with a keyword using a custom format + tie_breaker_id: 8247ae63-b780-47b8-9a89-948b643e9ec2 + type: keyword + updated_at: '2025-01-09T18:25:39.604Z' + updated_by: elastic + version: 1 schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_install_package_response' + $ref: '#/components/schemas/Security_Lists_API_List' + description: Successful response + '400': + content: application/json: examples: - postInstallByUploadExample: - description: Package successfully installed from upload + notFound: value: - _meta: - 
install_source: upload - items: - - id: my-custom-package-logs-default - type: index_template - description: Successful response - '400': + message: To create a list, the data stream must exist first. Data stream \".lists-default\" does not exist + status_code: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': content: - application/gzip; application/zip: + application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + unauthorized: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + forbidden: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - description: Bad Request - summary: Install a package by upload - tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/_bulk: - post: - description: >- - Install multiple packages from the Elastic Package Registry in a single - request.

[Required authorization] Route required privileges: - integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-bulk - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: When true, allow installing prerelease versions - in: query - name: prerelease - required: false - schema: - type: boolean - requestBody: - content: - application/json: - examples: - postBulkInstallPackagesRequestExample: - description: Install multiple packages from the registry - value: - packages: - - system - - aws - schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_bulk_install_packages_from_registry_request - responses: - '200': + error: Forbidden + message: API [POST /api/lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '409': content: application/json: examples: - postBulkInstallPackagesExample: - description: Bulk install results + alreadyExists: value: - items: - - name: system - result: - assets: [] - status: installed - - name: aws - result: - assets: [] - status: installed + message: 'list id: "keyword_custom_format_list" already exists' + status_code: 409 schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_bulk_install_packages_from_registry_response - description: Successful response - '400': + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List already exists response + '500': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + serverError: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + message: Internal Server Error + status_code: 500 schema: - 
additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Bulk install packages + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Create a value list tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/_bulk_namespace_customization: - post: - description: >- - Enable or disable namespace-level index template customization for a - list of packages in one call. Use this for IaC-style declarative - flows.

[Required authorization] Route required privileges: - integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-bulk-namespace-customization - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string + - Security Lists API + x-metaTags: + - content: Kibana + name: product_name + put: + description: | + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/lists
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update a value list using the list `id`. The original list is replaced, and all unspecified fields are deleted. + > info + > You cannot modify the `id` value. + operationId: UpdateList requestBody: content: application/json: examples: - bulkNamespaceCustomizationRequest: + replaceList: value: - disable: - - dev - enable: - - production - - staging - packages: - - system - - nginx + description: Latest list of bad ips + id: ip_list + name: Bad ips - updated schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_bulk_namespace_customization_request + example: + description: Latest list of bad ips + id: ip_list + name: Bad ips - updated + type: object + properties: + _version: + $ref: '#/components/schemas/Security_Lists_API_ListVersionId' + description: + $ref: '#/components/schemas/Security_Lists_API_ListDescription' + id: + $ref: '#/components/schemas/Security_Lists_API_ListId' + meta: + $ref: '#/components/schemas/Security_Lists_API_ListMetadata' + name: + $ref: '#/components/schemas/Security_Lists_API_ListName' + version: + $ref: '#/components/schemas/Security_Lists_API_ListVersion' + required: + - id + - name + - description + description: Value list's properties + required: true responses: '200': content: application/json: examples: - successResponse: + ip: value: - items: - - name: system - namespace_customization_enabled_for: - - production - - staging - success: true - - error: Package nginx is not installed - name: nginx - success: false + _version: WzIsMV0= + '@timestamp': '2025-01-08T04:47:34.273Z' + created_at: '2025-01-08T04:47:34.273Z' + created_by: elastic + description: Latest list of bad ips + id: ip_list + immutable: false + name: Bad ips - updated + tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 + type: ip + updated_at: '2025-01-08T05:39:39.292Z' + updated_by: elastic + version: 3 schema: - $ref: >- - 
#/components/schemas/Kibana_HTTP_APIs_bulk_namespace_customization_response - description: 'OK: A successful request.' + $ref: '#/components/schemas/Security_Lists_API_List' + description: Successful response '400': content: application/json: examples: - badRequestResponse: + badRequest: value: error: Bad Request - message: >- - Namespaces must not appear in both enable and disable: - production + message: '[request body]: id: Expected string, received number' statusCode: 400 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: A bad request. - summary: Bulk enable/disable namespace-level customization for packages - tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/_bulk_rollback: - post: - description: >- - Rollback multiple packages to their previous - versions.

[Required authorization] Route required privileges: - integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-bulk-rollback - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - bulkRollbackRequest: - value: - packages: - - name: system - schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_bulk_rollback_packages_request - responses: - '200': + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': content: application/json: examples: - successResponse: + unauthorized: value: - taskId: taskId + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_bulk_rollback_packages_response - description: 'OK: A successful request.' - '400': + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': content: application/json: examples: - badRequestResponse: + forbidden: value: - message: Bad Request + error: Forbidden + message: API [PUT /api/lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: A bad request. 
- summary: Bulk rollback packages - tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/_bulk_rollback/{taskId}: - get: - description: >- - Get the status and results of a bulk package rollback - operation.

[Required authorization] Route required privileges: - integrations-all AND fleet-agent-policies-all. - operationId: get-fleet-epm-packages-bulk-rollback-taskid - parameters: - - description: Task ID of the bulk operation - in: path - name: taskId - required: true - schema: - type: string - responses: - '200': + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': content: application/json: examples: - successResponse: + notFound: value: - status: success + message: 'list id: \"foo\" not found' + status_code: 404 schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_get_one_bulk_operation_packages_response - description: 'OK: A successful request.' - '400': + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List not found response + '500': content: application/json: examples: - badRequestResponse: + serverError: value: - message: Bad Request + message: Internal Server Error + status_code: 500 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: A bad request. - summary: Get Bulk rollback packages details + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Update a value list tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/_bulk_uninstall: - post: - description: >- - Uninstall multiple packages in a single operation.

[Required - authorization] Route required privileges: integrations-all AND - fleet-agent-policies-all. - operationId: post-fleet-epm-packages-bulk-uninstall + - Security Lists API + x-metaTags: + - content: Kibana + name: product_name + /api/lists/_find: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/lists/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a paginated subset of value lists. By default, the first page is returned, with 20 results per page. + operationId: FindLists parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true + - description: The page number to return. + in: query + name: page + required: false schema: - example: 'true' + example: 1 + type: integer + - description: The number of value lists to return per page. + in: query + name: per_page + required: false + schema: + example: 20 + type: integer + - description: Determines which field is used to sort the results. + in: query + name: sort_field + required: false + schema: + example: name + format: nonempty + minLength: 1 type: string - requestBody: - content: - application/json: - examples: - postBulkUninstallPackagesRequestExample: - description: Uninstall multiple packages - value: - packages: - - name: aws - - name: gcp - schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_bulk_uninstall_packages_request + - description: Determines the sort order, which can be `desc` or `asc` + in: query + name: sort_order + required: false + schema: + enum: + - desc + - asc + example: asc + type: string + - description: Returns the lists that come after the last lists returned in the previous call (use the `cursor` value returned in the previous call). This parameter uses the `tie_breaker_id` field to ensure all lists are sorted and returned correctly. + in: query + name: cursor + required: false + schema: + $ref: '#/components/schemas/Security_Lists_API_FindListsCursor' + - description: | + Filters the returned results according to the value of the specified field, + using the : syntax. 
+ in: query + name: filter + required: false + schema: + $ref: '#/components/schemas/Security_Lists_API_FindListsFilter' responses: '200': content: application/json: examples: - postBulkUninstallPackagesExample: - description: Bulk uninstall task initiated + ipList: value: - taskId: task-id-1 + cursor: WzIwLFsiZjU1MDgxODgtYjFlOS00ZTZlLTk2NjItZDAzOWE3ZDg5ODk5Il1d + data: + - _version: WzAsMV0= + '@timestamp': | + 2025-01-08T04:47:34.273Z + created_at: | + 2025-01-08T04:47:34.273Z + created_by: elastic + description: This list describes bad internet ip + id: ip_list + immutable: false + name: Simple list with an ip + tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 + type: ip + updated_at: | + 2025-01-08T04:47:34.273Z + updated_by: elastic + version: 1 + page: 1 + per_page: 20 + total: 1 schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_bulk_upgrade_packages_response + type: object + properties: + cursor: + $ref: '#/components/schemas/Security_Lists_API_FindListsCursor' + data: + items: + $ref: '#/components/schemas/Security_Lists_API_List' + type: array + page: + minimum: 0 + type: integer + per_page: + minimum: 0 + type: integer + total: + minimum: 0 + type: integer + required: + - data + - page + - per_page + - total + - cursor description: Successful response '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequest: value: error: Bad Request - message: An error message describing what went wrong + message: '[request query]: page: Expected number, received nan' statusCode: 400 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Bulk uninstall packages - tags: - - Elastic Package Manager (EPM) - 
/api/fleet/epm/packages/_bulk_uninstall/{taskId}: - get: - description: >- - Get the status and results of a bulk package uninstall - operation.

[Required authorization] Route required privileges: - integrations-all AND fleet-agent-policies-all. - operationId: get-fleet-epm-packages-bulk-uninstall-taskid - parameters: - - description: Task ID of the bulk operation - in: path - name: taskId - required: true - schema: - type: string - responses: - '200': + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': content: application/json: examples: - getBulkOperationDetailsExample: - description: Details of the bulk operation task + unauthorized: value: - packages: - - name: system - result: installed - - name: elastic_agent - result: installed - status: success + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_get_one_bulk_operation_packages_response - description: Successful response - '400': + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + forbidden: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + error: Forbidden + message: API [GET /api/lists/_find?page=1&per_page=20] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] + statusCode: 403 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - 
message - - attributes - description: Bad Request - summary: Get Bulk uninstall packages details + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Get value lists tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/_bulk_upgrade: - post: - description: >- - Upgrade multiple packages to their latest versions.

[Required - authorization] Route required privileges: integrations-all AND - fleet-agent-policies-all. - operationId: post-fleet-epm-packages-bulk-upgrade - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postBulkUpgradePackagesRequestExample: - description: Upgrade multiple packages to their latest versions - value: - packages: - - name: system - - name: elastic_agent - schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_bulk_upgrade_packages_request + - Security Lists API + x-metaTags: + - content: Kibana + name: product_name + /api/lists/index: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/lists/index
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete the `.lists` and `.items` data streams. + operationId: DeleteListIndex responses: '200': content: application/json: examples: - postBulkUpgradePackagesExample: - description: Bulk upgrade task initiated + acknowledged: value: - taskId: task-id-1 + acknowledged: true schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_bulk_upgrade_packages_response + type: object + properties: + acknowledged: + type: boolean + required: + - acknowledged description: Successful response '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequest: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + message: 'Unable to delete value list data streams: invalid or missing index metadata' + status_code: 400 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Bulk upgrade packages - tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/_bulk_upgrade/{taskId}: - get: - description: >- - Get the status and results of a bulk package upgrade - operation.

[Required authorization] Route required privileges: - integrations-all AND fleet-agent-policies-all. - operationId: get-fleet-epm-packages-bulk-upgrade-taskid - parameters: - - description: Task ID of the bulk operation - in: path - name: taskId - required: true - schema: - type: string + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [DELETE /api/lists/index] is not authorized; lists-all (or equivalent) is required to delete data streams + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: The value list data stream was not found in this space + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List data stream not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Delete value list data streams + tags: + - Security Lists API + x-metaTags: + - content: Kibana + name: 
product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/lists/index
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Verify that `.lists` and `.items` data streams exist. + operationId: ReadListIndex responses: '200': content: application/json: examples: - getBulkOperationDetailsExample: - description: Details of the bulk operation task + bothExist: value: - packages: - - name: system - result: installed - - name: elastic_agent - result: installed - status: success + list_index: true + list_item_index: true schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_get_one_bulk_operation_packages_response + type: object + properties: + list_index: + type: boolean + list_item_index: + type: boolean + required: + - list_index + - list_item_index description: Successful response '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequest: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + message: Unable to read value list data stream status for this space + status_code: 400 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get Bulk upgrade packages details - tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/{pkgName}: - delete: - description: >- - Uninstall a package and remove all its assets.

[Required - authorization] Route required privileges: integrations-all AND - fleet-agent-policies-all. - operationId: delete-fleet-epm-packages-pkgname - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Package name - in: path - name: pkgName - required: true - schema: - type: string - - description: When true, delete the package even if it has active package policies - in: query - name: force - required: false - schema: - type: boolean - responses: - '200': + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': content: application/json: examples: - deletePackageExample: - description: Package successfully deleted + unauthorized: value: - items: - - id: aws-logs-aws.cloudwatch_logs-default - type: index_template + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_delete_package_response' - description: Successful response - '400': + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + forbidden: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + error: Forbidden + message: API [GET /api/lists/index] is not authorized; list read permissions are required + statusCode: 403 schema: - additionalProperties: false - description: Generic Error - type: object - 
properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Delete a package - tags: - - Elastic Package Manager (EPM) - get: - description: >- - Get information about a package by name, returning the latest installed - or available version. - operationId: get-fleet-epm-packages-pkgname - parameters: - - description: Package name - in: path - name: pkgName - required: true - schema: - type: string - - description: >- - When true, returns the package even if the signature cannot be - verified - in: query - name: ignoreUnverified - required: false - schema: - type: boolean - - description: When true, include prerelease versions - in: query - name: prerelease - required: false - schema: - type: boolean - - description: When true, return the full package info including assets - in: query - name: full - required: false - schema: - type: boolean - - description: >- - When true, include package metadata such as whether it has package - policies - in: query - name: withMetadata - required: false - schema: - default: false - type: boolean - responses: - '200': + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': content: application/json: examples: - getPackageInfoExample: - description: Package details and installation status + notFound: value: - item: - assets: - kibana: - dashboard: [] - index_pattern: [] - categories: - - cloud - description: Collect logs and metrics from Amazon Web Services - name: aws - status: installed - title: AWS - version: 2.10.0 + message: Value list backing indices were not found for this space + status_code: 404 schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_get_info_response' - description: Successful response - '400': + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + 
description: List data stream(s) not found response + '500': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + serverError: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + message: Internal Server Error + status_code: 500 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get a package + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Get status of value list data streams tags: - - Elastic Package Manager (EPM) + - Security Lists API + x-metaTags: + - content: Kibana + name: product_name post: - description: >- - Install the latest version of a package from the Elastic Package - Registry.

[Required authorization] Route required privileges: - integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-pkgname - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Package name - in: path - name: pkgName - required: true - schema: - type: string - - description: When true, allow installing prerelease versions - in: query - name: prerelease - required: false - schema: - type: boolean - - description: When true, ignore mapping update errors during installation - in: query - name: ignoreMappingUpdateErrors - required: false - schema: - default: false - type: boolean - - description: When true, skip data stream rollover after installation - in: query - name: skipDataStreamRollover - required: false - schema: - default: false - type: boolean - - description: >- - Skip dependency validation when installing a package with - dependencies - in: query - name: skipDependencyCheck - required: false - schema: - default: false - type: boolean - requestBody: - content: - application/json: - examples: - postInstallPackageRequestExample: - description: Install a package, optionally ignoring constraints - value: - ignore_constraints: false - schema: - allOf: - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_install_package_from_registry_request - nullable: true + deprecated: true + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/lists/index
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + **DEPRECATED.** `deprecated: true` is set on this operation. Value list backing data streams for the space + are now created as part of supported workflows; calling this explicitly is rarely required. + **WARNING:** Do not use for new integrations. Prefer the UI or the list and list-item APIs after confirming + indices exist with `GET /api/lists/index`. + + Creates the `.lists` and `.items` data streams in the current Kibana space. + operationId: CreateListIndex responses: '200': content: application/json: examples: - postInstallPackageExample: - description: Package successfully installed + acknowledged: value: - _meta: - install_source: registry - items: - - id: aws-logs-aws.cloudwatch_logs-default - type: index_template + acknowledged: true schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_install_package_response' + type: object + properties: + acknowledged: + type: boolean + required: + - acknowledged description: Successful response '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequest: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + message: Indices exist but the request could not be completed for the current space. Check that Elasticsearch and Kibana privileges allow index creation for lists. + status_code: 400 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Install a package from the registry - tags: - - Elastic Package Manager (EPM) - put: - description: >- - Update settings for a package, such as whether policies are kept up to - date automatically.

[Required authorization] Route required - privileges: integrations-all AND fleet-agent-policies-all. - operationId: put-fleet-epm-packages-pkgname - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Package name - in: path - name: pkgName - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - putUpdatePackageNamespaceCustomizationExample: - description: >- - Enable namespace-level customization for the `production` and - `staging` namespaces - value: - namespace_customization_enabled_for: - - production - - staging - putUpdatePackageRequestExample: - description: Update keep_policies_up_to_date setting for a package - value: - keepPoliciesUpToDate: true - schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_package_request' - responses: - '200': + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': content: application/json: examples: - putUpdatePackageExample: - description: Updated package settings + unauthorized: value: - item: - keepPoliciesUpToDate: true - name: aws - version: 2.10.0 + error: Unauthorized + message: | + [security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate] + statusCode: 401 schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_package_response' - description: Successful response - '400': + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error 
response + forbidden: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + error: Forbidden + message: API [POST /api/lists/index] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Update package settings - tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/{pkgName}/{pkgVersion}: - delete: - description: >- - Uninstall a specific version of a package and remove all its - assets.

[Required authorization] Route required privileges: - integrations-all AND fleet-agent-policies-all. - operationId: delete-fleet-epm-packages-pkgname-pkgversion - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Package name - in: path - name: pkgName - required: true - schema: - type: string - - description: Package version - in: path - name: pkgVersion - required: true - schema: - type: string - - description: When true, delete the package even if it has active package policies - in: query - name: force - required: false - schema: - type: boolean - responses: - '200': + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '409': content: application/json: examples: - deletePackageExample: - description: Package successfully deleted + alreadyExists: value: - items: - - id: aws-logs-aws.cloudwatch_logs-default - type: index_template + message: 'data stream: \".lists-default\" and \".items-default\" already exists' + status_code: 409 schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_delete_package_response' - description: Successful response - '400': + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List data stream exists response + '500': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + serverError: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + message: Internal Server Error + status_code: 500 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: 
Delete a package + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Create list data streams tags: - - Elastic Package Manager (EPM) - get: - description: Get information about a specific version of a package. - operationId: get-fleet-epm-packages-pkgname-pkgversion + - Security Lists API + x-metaTags: + - content: Kibana + name: product_name + /api/lists/items: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/lists/items
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a value list item using its `id`, or its `list_id` and `value` fields. + operationId: DeleteListItem parameters: - - description: Package name - in: path - name: pkgName - required: true - schema: - type: string - - description: Package version - in: path - name: pkgVersion - required: true - schema: - type: string - - description: >- - When true, returns the package even if the signature cannot be - verified + - description: Value list item's identifier. Required if `list_id` and `value` are not specified. in: query - name: ignoreUnverified + name: id required: false schema: - type: boolean - - description: When true, include prerelease versions + $ref: '#/components/schemas/Security_Lists_API_ListItemId' + - description: Value list's identifier. Required if `id` is not specified. in: query - name: prerelease + name: list_id required: false schema: - type: boolean - - description: When true, return the full package info including assets + $ref: '#/components/schemas/Security_Lists_API_ListId' + - description: The value used to evaluate exceptions. Required if `id` is not specified. in: query - name: full + name: value required: false schema: - type: boolean - - description: >- - When true, include package metadata such as whether it has package - policies + example: 255.255.255.255 + type: string + - description: Determines when changes made by the request are made visible to search. 
in: query - name: withMetadata + name: refresh required: false schema: - default: false - type: boolean + default: 'false' + enum: + - 'true' + - 'false' + - wait_for + example: false + type: string responses: '200': content: application/json: examples: - getPackageInfoExample: - description: Package details and installation status + ip: value: - item: - assets: - kibana: - dashboard: [] - index_pattern: [] - categories: - - cloud - description: Collect logs and metrics from Amazon Web Services - name: aws - status: installed - title: AWS - version: 2.10.0 + _version: WzIwLDFd + '@timestamp': '2025-01-08T05:15:05.159Z' + created_at: '2025-01-08T05:15:05.159Z' + created_by: elastic + id: pd1WRJQBs4HAK3VQeHFI + list_id: ip_list + tie_breaker_id: eee41dc7-1666-4876-982f-8b0f7b59eca3 + type: ip + updated_at: '2025-01-08T05:44:14.009Z' + updated_by: elastic + value: 255.255.255.255 schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_get_info_response' + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_ListItem' + - items: + $ref: '#/components/schemas/Security_Lists_API_ListItem' + type: array description: Successful response '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequest: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + message: Either \"list_id\" or \"id\" needs to be defined in the request + status_code: 400 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get a package + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data 
response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [DELETE /api/lists/items?id=pd1WRJQBs4HAK3VQeHFI] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'list item with id: \"pd1WRJQBs4HAK3VQeHFI\" not found' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List item not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Delete a value list item tags: - - Elastic Package Manager (EPM) - post: - description: >- - Install a specific version of a package from the Elastic Package - Registry.

[Required authorization] Route required privileges: - integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-pkgname-pkgversion + - Security Lists API + x-metaTags: + - content: Kibana + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/lists/items
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the details of a value list item. + operationId: ReadListItem parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Package name - in: path - name: pkgName - required: true - schema: - type: string - - description: Package version - in: path - name: pkgVersion - required: true - schema: - type: string - - description: When true, allow installing prerelease versions + - description: Value list item identifier. Required if `list_id` and `value` are not specified. in: query - name: prerelease - required: false - schema: - type: boolean - - description: When true, ignore mapping update errors during installation - in: query - name: ignoreMappingUpdateErrors + name: id required: false schema: - default: false - type: boolean - - description: When true, skip data stream rollover after installation + $ref: '#/components/schemas/Security_Lists_API_ListId' + - description: Value list item list's `id` identfier. Required if `id` is not specified. in: query - name: skipDataStreamRollover + name: list_id required: false schema: - default: false - type: boolean - - description: >- - Skip dependency validation when installing a package with - dependencies + $ref: '#/components/schemas/Security_Lists_API_ListId' + - description: The value used to evaluate exceptions. Required if `id` is not specified. 
in: query - name: skipDependencyCheck + name: value required: false schema: - default: false - type: boolean - requestBody: - content: - application/json: - examples: - postInstallPackageRequestExample: - description: Install a package, optionally ignoring constraints - value: - ignore_constraints: false - schema: - allOf: - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_install_package_from_registry_request - nullable: true + example: 127.0.0.2 + type: string responses: '200': content: application/json: examples: - postInstallPackageExample: - description: Package successfully installed + ip: value: - _meta: - install_source: registry - items: - - id: aws-logs-aws.cloudwatch_logs-default - type: index_template + _version: WzExLDFd + '@timestamp': '2025-01-08T05:16:25.882Z' + created_at: '2025-01-08T05:16:25.882Z' + created_by: elastic + id: qN1XRJQBs4HAK3VQs3Gc + list_id: ip_list + tie_breaker_id: a9a34c02-a385-436e-86a0-02a3942f3537 + type: ip + updated_at: '2025-01-08T05:16:25.882Z' + updated_by: elastic + value: 127.0.0.2 schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_install_package_response' + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_ListItem' + - items: + $ref: '#/components/schemas/Security_Lists_API_ListItem' + type: array description: Successful response '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequest: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + message: Either \"list_id\" or \"id\" needs to be defined in the request + status_code: 400 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Install a package from the registry + 
oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [GET /api/lists/items?id=qN1XRJQBs4HAK3VQs3Gc] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'list item id: \"foo\" not found' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List item not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Get a value list item tags: - - Elastic Package Manager (EPM) - put: - description: >- - Update settings for a specific version of a package.

[Required - authorization] Route required privileges: integrations-all AND - fleet-agent-policies-all. - operationId: put-fleet-epm-packages-pkgname-pkgversion - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Package name - in: path - name: pkgName - required: true - schema: - type: string - - description: Package version - in: path - name: pkgVersion - required: true - schema: - type: string + - Security Lists API + x-metaTags: + - content: Kibana + name: product_name + patch: + description: |- + **Spaces method and path for this operation:** + +
patch /s/{space_id}/api/lists/items
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update specific fields of an existing value list item using the item `id`. + operationId: PatchListItem requestBody: content: application/json: examples: - putUpdatePackageNamespaceCustomizationExample: - description: >- - Enable namespace-level customization for the `production` and - `staging` namespaces - value: - namespace_customization_enabled_for: - - production - - staging - putUpdatePackageRequestExample: - description: Update keep_policies_up_to_date setting for a package + changeValue: value: - keepPoliciesUpToDate: true + id: pd1WRJQBs4HAK3VQeHFI + value: 255.255.255.255 schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_package_request' + type: object + properties: + _version: + $ref: '#/components/schemas/Security_Lists_API_ListVersionId' + id: + $ref: '#/components/schemas/Security_Lists_API_ListItemId' + meta: + $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' + refresh: + description: Determines when changes made by the request are made visible to search. 
+ enum: + - 'true' + - 'false' + - wait_for + type: string + value: + $ref: '#/components/schemas/Security_Lists_API_ListItemValue' + required: + - id + description: Value list item's properties + required: true responses: '200': content: application/json: examples: - putUpdatePackageExample: - description: Updated package settings + ipItem: value: - item: - keepPoliciesUpToDate: true - name: aws - version: 2.10.0 + _version: WzE5LDFd + '@timestamp': '2025-01-08T05:15:05.159Z' + created_at: '2025-01-08T05:15:05.159Z' + created_by: elastic + id: pd1WRJQBs4HAK3VQeHFI + list_id: ip_list + tie_breaker_id: eee41dc7-1666-4876-982f-8b0f7b59eca3 + type: ip + updated_at: '2025-01-08T05:23:37.602Z' + updated_by: elastic + value: 255.255.255.255 schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_package_response' + $ref: '#/components/schemas/Security_Lists_API_ListItem' description: Successful response '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequest: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + message: '{"took":15,"timed_out":false,"total":1,"updated":0,"deleted":0,"batches":1,"version_conflicts":0,"noops":0,"retries":{"bulk":0,"search":0},"throttled_millis":0,"requests_per_second":-1,"throttled_until_millis":0,"failures":[{"index":".ds-.items-default-2025.01.09-000001","id":"ip_item","cause":{"type":"document_parsing_exception","reason":"[1:107] failed to parse field [ip] of type [ip] in document with id ip_item. 
Preview of fields value: 2","caused_by":{"type":"illegal_argument_exception","reason":"2 is not an IP string literal."}},"status":400}]}' + status_code: 400 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Update package settings - tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}: - get: - description: >- - Get the contents of a specific file from a package.

[Required - authorization] Route required privileges: integrations-read OR - fleet-setup OR fleet-all. - operationId: get-fleet-epm-packages-pkgname-pkgversion-filepath - parameters: - - description: Package name - in: path - name: pkgName - required: true - schema: - type: string - - description: Package version - in: path - name: pkgVersion - required: true - schema: - type: string - - description: File path within the package - in: path - name: filePath - required: true - schema: - type: string - responses: - '200': + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': content: application/json: examples: - getPackageFileExample: - description: The content of the requested package file - value: - schema: {} - description: Successful response — returns the file content - '400': + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + forbidden: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + error: Forbidden + message: API [PATCH /api/lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - 
statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get a package file - tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/{pkgName}/{pkgVersion}/datastream_assets: - delete: - description: >- - Delete datastream assets for a specific input package, by data stream - name.

[Required authorization] Route required privileges: - integrations-all AND fleet-agent-policies-all. - operationId: delete-fleet-epm-packages-pkgname-pkgversion-datastream-assets - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Package name - in: path - name: pkgName - required: true - schema: - type: string - - description: Package version - in: path - name: pkgVersion - required: true - schema: - type: string - - description: The ID of the package policy - in: query - name: packagePolicyId - required: true - schema: - type: string + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'list item id: \"foo\" not found' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List item not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Patch a value list item + tags: + - Security Lists API + x-metaTags: + - content: Kibana + name: product_name + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/lists/items
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a value list item and associate it with the specified value list. + + All value list items in the same list must be the same type. For example, each list item in an `ip` list must define a specific IP address. + > info + > Before creating a list item, you must create a list. + operationId: CreateListItem + requestBody: + content: + application/json: + examples: + ip: + value: + list_id: ip_list + value: 127.0.0.1 + ip_range: + value: + list_id: ip_range_list + value: 192.168.0.0/16 + keyword: + value: + list_id: keyword_list + value: zeek + schema: + type: object + properties: + id: + $ref: '#/components/schemas/Security_Lists_API_ListItemId' + list_id: + $ref: '#/components/schemas/Security_Lists_API_ListId' + meta: + $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' + refresh: + description: Determines when changes made by the request are made visible to search. 
+ enum: + - 'true' + - 'false' + - wait_for + example: wait_for + type: string + value: + $ref: '#/components/schemas/Security_Lists_API_ListItemValue' + required: + - list_id + - value + description: Value list item's properties + required: true responses: '200': content: application/json: examples: - deletePackageDatastreamAssetsExample: - description: Package datastream assets successfully deleted + ip: value: - items: - - id: logs-my_package.access-default - type: index_template + _version: WzAsMV0= + '@timestamp': '2025-01-08T04:59:06.154Z' + created_at: '2025-01-08T04:59:06.154Z' + created_by: elastic + id: 21b01cfb-058d-44b9-838c-282be16c91cc + list_id: ip_list + tie_breaker_id: b57c762c-3036-465c-9bfb-7bfb5e6e515a + type: ip + updated_at: '2025-01-08T04:59:06.154Z' + updated_by: elastic + value: 127.0.0.1 + ip_range: + value: + _version: WzEsMV0= + '@timestamp': '2025-01-09T18:33:08.202Z' + created_at: '2025-01-09T18:33:08.202Z' + created_by: elastic + id: ip_range_item + list_id: ip_range_list + tie_breaker_id: ea1b4189-efda-4637-b8f9-74655a5ebb61 + type: ip_range + updated_at: '2025-01-09T18:33:08.202Z' + updated_by: elastic + value: 192.168.0.0/16 + keyword: + value: + _version: WzIsMV0= + '@timestamp': '2025-01-09T18:34:29.422Z' + created_at: '2025-01-09T18:34:29.422Z' + created_by: elastic + id: 7f24737d-1da8-4626-a568-33070591bb4e + list_id: keyword_list + tie_breaker_id: 2108ced2-5e5d-401e-a88e-4dd69fc5fa27 + type: keyword + updated_at: '2025-01-09T18:34:29.422Z' + updated_by: elastic + value: zeek schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_delete_package_datastream_assets_response + $ref: '#/components/schemas/Security_Lists_API_ListItem' description: Successful response '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequest: value: error: Bad Request - message: An error message describing what went wrong + message: uri [/api/lists/items] with method 
[post] exists but is not available with the current configuration statusCode: 400 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Delete assets for an input package - tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/{pkgName}/{pkgVersion}/dependencies: - get: - description: >- - Get the list of packages that a specific package depends - on.

[Required authorization] Route required privileges: - integrations-read OR fleet-setup OR fleet-all. - operationId: get-fleet-epm-packages-pkgname-pkgversion-dependencies - parameters: - - description: Package name - in: path - name: pkgName - required: true - schema: - type: string - - description: Package version - in: path - name: pkgVersion - required: true - schema: - type: string - responses: - '200': + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': content: application/json: examples: - dependenciesResponse: + unauthorized: value: - items: - - name: aws - title: AWS - version: ^2.0.0 - - name: system - title: System - version: ^1.0.0 - noDependenciesResponse: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: value: - items: [] + error: Forbidden + message: API [POST /api/lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_get_dependencies_response - description: 'OK: A successful request.' 
- '400': + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': content: application/json: examples: - packageNotFoundResponse: + listNotFound: value: - message: '[my-package-1.0.0] package not found in registry' + message: 'list id: \"ip_list\" does not exist' + status_code: 404 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: A bad request. - summary: Get package dependencies - tags: - - Elastic Package Manager (EPM) - x-state: Generally available; added in 9.4.0 - /api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets: - delete: - description: >- - Delete Kibana assets (dashboards, visualizations, etc.) for a specific - package version.

[Required authorization] Route required - privileges: integrations-all AND fleet-agent-policies-all. - operationId: delete-fleet-epm-packages-pkgname-pkgversion-kibana-assets - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Package name - in: path - name: pkgName - required: true - schema: - type: string - - description: Package version - in: path - name: pkgVersion - required: true - schema: - type: string - responses: - '200': + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '409': content: application/json: examples: - deleteKibanaAssetsExample: - description: Kibana assets successfully deleted + alreadyExists: value: - items: - - id: dashboard-id-1 - type: dashboard + message: 'list item id: \"ip_item\" already exists' + status_code: 409 schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_install_kibana_assets_response - description: Successful response - '400': + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List item already exists response + '500': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + serverError: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + message: Internal Server Error + status_code: 500 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Delete Kibana assets for a package + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Create a value list 
item tags: - - Elastic Package Manager (EPM) - post: - description: >- - Install Kibana assets (dashboards, visualizations, etc.) for a specific - package version.

[Required authorization] Route required - privileges: integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-pkgname-pkgversion-kibana-assets - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Package name - in: path - name: pkgName - required: true - schema: - type: string - - description: Package version - in: path - name: pkgVersion - required: true - schema: - type: string + - Security Lists API + x-metaTags: + - content: Kibana + name: product_name + put: + description: | + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/lists/items
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update a value list item using the list item ID. The original list item is replaced, and all unspecified fields are deleted. + > info + > You cannot modify the `id` value. + operationId: UpdateListItem requestBody: content: application/json: examples: - postInstallKibanaAssetsRequestExample: - description: Install Kibana assets for a specific package version - value: {} + fullReplace: + value: + id: ip_item + value: 255.255.255.255 schema: - allOf: - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_install_kibana_assets_request - nullable: true + example: + id: ip_item + value: 255.255.255.255 + type: object + properties: + _version: + $ref: '#/components/schemas/Security_Lists_API_ListVersionId' + id: + $ref: '#/components/schemas/Security_Lists_API_ListItemId' + meta: + $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' + value: + $ref: '#/components/schemas/Security_Lists_API_ListItemValue' + required: + - id + - value + description: Value list item's properties + required: true responses: '200': content: application/json: examples: - postInstallKibanaAssetsExample: - description: Kibana assets successfully installed + ip: value: - items: - - id: dashboard-id-1 - type: dashboard + _version: WzIwLDFd + '@timestamp': '2025-01-08T05:15:05.159Z' + created_at: '2025-01-08T05:15:05.159Z' + created_by: elastic + id: pd1WRJQBs4HAK3VQeHFI + list_id: ip_list + tie_breaker_id: eee41dc7-1666-4876-982f-8b0f7b59eca3 + type: ip + updated_at: '2025-01-08T05:44:14.009Z' + updated_by: elastic + value: 255.255.255.255 schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_install_kibana_assets_response + $ref: '#/components/schemas/Security_Lists_API_ListItem' description: Successful response '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequest: value: error: Bad Request - 
message: An error message describing what went wrong + message: '[request body]: id: Expected string, received number' statusCode: 400 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Install Kibana assets for a package - tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/{pkgName}/{pkgVersion}/rule_assets: - post: - description: >- - Install Kibana alert rule assets for a specific package - version.

[Required authorization] Route required privileges: - integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-pkgname-pkgversion-rule-assets - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Package name - in: path - name: pkgName - required: true - schema: - type: string - - description: Package version - in: path - name: pkgVersion - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - postInstallRuleAssetsRequestExample: - description: Install alert rule assets for a specific package version - value: {} - schema: - allOf: - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_install_rule_assets_request - nullable: true - responses: - '200': + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': content: application/json: examples: - postInstallRuleAssetsExample: - description: Rule assets successfully installed + unauthorized: value: - items: - - id: rule-asset-id-1 - type: security_rule + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_install_kibana_assets_response - description: Successful response - '400': + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + forbidden: value: - error: Bad Request - message: An error 
message describing what went wrong - statusCode: 400 + error: Forbidden + message: API [PATCH /api/lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Install Kibana alert rule for a package - tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/{pkgName}/{pkgVersion}/transforms/authorize: - post: - description: >- - Reauthorize Elasticsearch transforms installed by a package with - secondary authorization headers. - operationId: post-fleet-epm-packages-pkgname-pkgversion-transforms-authorize - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Package name - in: path - name: pkgName - required: true - schema: - type: string - - description: Package version - in: path - name: pkgVersion - required: true - schema: - type: string - - description: When true, allow prerelease versions - in: query - name: prerelease - required: false - schema: - type: boolean - requestBody: - content: - application/json: - examples: - postReauthorizeTransformsRequestExample: - description: Reauthorize transforms for a package - value: - transforms: - - destinations: - - index: logs-transform-dest - transformId: logs-transform-1 - schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_reauthorize_transform_request - responses: - '200': + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': content: application/json: examples: - postReauthorizeTransformsExample: - description: Transforms successfully 
reauthorized + notFound: value: - - success: true - transformId: logs-transform-1 - schema: - items: - additionalProperties: false - type: object - properties: - error: - nullable: true - success: - type: boolean - transformId: - type: string - required: - - transformId - - success - - error - maxItems: 10000 - type: array - description: Successful response - '400': + message: 'list item id: \"foo\" not found' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List item not found response + '500': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + serverError: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + message: Internal Server Error + status_code: 500 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Authorize transforms + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Update a value list item tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/{pkgName}/review_upgrade: + - Security Lists API + x-metaTags: + - content: Kibana + name: product_name + /api/lists/items/_export: post: - description: >- - Review and accept or reject a pending policy upgrade for a package that - contains deprecations.

[Required authorization] Route required - privileges: integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-pkgname-review-upgrade + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/lists/items/_export
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Export list item values from the specified value list. + operationId: ExportListItems parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Package name to review upgrade for - in: path - name: pkgName + - description: Value list's `id` to export. + in: query + name: list_id required: true schema: - type: string - requestBody: - content: - application/json: - examples: - acceptUpgrade: - value: - action: accept - target_version: 2.0.0 - schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_review_upgrade_request' + $ref: '#/components/schemas/Security_Lists_API_ListId' responses: '200': content: - application/json: + application/ndjson: examples: - successResponse: - value: - success: true + ipLines: + value: | + 127.0.0.1 + 127.0.0.2 + 127.0.0.3 schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_review_upgrade_response' - description: 'OK: A successful request.' + description: A `.txt` file containing list items from the specified list + example: | + 127.0.0.1 + 127.0.0.2 + 127.0.0.3 + 127.0.0.4 + 127.0.0.5 + 127.0.0.6 + 127.0.0.7 + 127.0.0.8 + 127.0.0.9 + format: binary + type: string + description: Successful response '400': content: application/json: examples: - badRequestResponse: + badRequest: value: - message: Bad Request + error: 'Bad Request","message":"[request query]: list_id: Required' + statusCode: 400 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: A bad request. 
- summary: Review a pending policy upgrade for a package with deprecations - tags: - - Elastic Package Manager (EPM) - x-state: Generally available; added in 9.4.0 - /api/fleet/epm/packages/{pkgName}/rollback: - post: - description: >- - Rollback a package to its previously installed - version.

[Required authorization] Route required privileges: - integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-pkgname-rollback - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Package name to roll back - in: path - name: pkgName - required: true - schema: - type: string - responses: - '200': + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': content: application/json: examples: - successResponse: + unauthorized: value: - success: true - version: 1.0.0 + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_rollback_package_response - description: 'OK: A successful request.' - '400': + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': content: application/json: examples: - badRequestResponse: + forbidden: value: - message: Bad Request + error: Forbidden + message: API [POST /api/lists/items/_export?list_id=ips.txt] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] + statusCode: 403 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: A bad request. 
- summary: Rollback a package to previous version - tags: - - Elastic Package Manager (EPM) - x-state: Technical Preview; added in 9.1.0 - /api/fleet/epm/packages/{pkgName}/stats: - get: - description: >- - Get usage statistics for a specific package, such as the number of agent - policies using it.

[Required authorization] Route required - privileges: integrations-read OR fleet-setup OR fleet-all. - operationId: get-fleet-epm-packages-pkgname-stats - parameters: - - description: Package name - in: path - name: pkgName - required: true - schema: - type: string - responses: - '200': + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': content: application/json: examples: - getPackageStatsExample: - description: Usage stats for a specific package + notFound: value: - response: - agent_policy_count: 3 + message: 'list id: "unknown_list" not found' + status_code: 404 schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_get_stats_response' - description: Successful response - '400': + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List not found response + '500': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + serverError: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + message: Internal Server Error + status_code: 500 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get package stats + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Export value list items tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/installed: + - Security Lists API + x-metaTags: + - content: Kibana + name: product_name + /api/lists/items/_find: get: - description: >- - Get a list of all currently installed integration - packages.

[Required authorization] Route required privileges: - integrations-read OR fleet-setup OR fleet-all. - operationId: get-fleet-epm-packages-installed + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/lists/items/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get all value list items in the specified list. + operationId: FindListItems parameters: - - description: Filter by data stream type + - description: Parent value list's `id` to page through items for. in: query - name: dataStreamType + name: list_id + required: true + schema: + $ref: '#/components/schemas/Security_Lists_API_ListId' + - description: The page number to return. + in: query + name: page + required: false + schema: + example: 1 + type: integer + - description: The number of list items to return per page. + in: query + name: per_page + required: false + schema: + example: 20 + type: integer + - description: Determines which field is used to sort the results. + in: query + name: sort_field + required: false + schema: + example: value + format: nonempty + minLength: 1 + type: string + - description: Determines the sort order, which can be `desc` or `asc` + in: query + name: sort_order required: false schema: enum: - - logs - - metrics - - traces - - synthetics - - profiling + - desc + - asc + example: asc type: string - - description: When true, only return packages with active data streams + - description: | + Opaque cursor returned in a previous response; pass it to continue listing from the next page. Omit on the first request. in: query - name: showOnlyActiveDataStreams + name: cursor required: false schema: - type: boolean - - description: Filter packages by name + $ref: '#/components/schemas/Security_Lists_API_FindListItemsCursor' + - description: | + Filters the returned results according to the value of the specified field, + using the : syntax. 
in: query - name: nameQuery + name: filter required: false schema: - type: string - - description: Sort values from the previous page for `search_after` pagination + $ref: '#/components/schemas/Security_Lists_API_FindListItemsFilter' + responses: + '200': + content: + application/json: + examples: + ip: + value: + cursor: WzIwLFsiYjU3Yzc2MmMtMzAzNi00NjVjLTliZmItN2JmYjVlNmU1MTVhIl1d + data: + - _version: WzAsMV0= + '@timestamp': '2025-01-08T04:59:06.154Z' + created_at: '2025-01-08T04:59:06.154Z' + created_by: elastic + id: 21b01cfb-058d-44b9-838c-282be16c91cc + list_id: ip_list + tie_breaker_id: b57c762c-3036-465c-9bfb-7bfb5e6e515a + type: ip + updated_at: '2025-01-08T04:59:06.154Z' + updated_by: elastic + value: 127.0.0.1 + page: 1 + per_page: 20 + total: 1 + schema: + type: object + properties: + cursor: + $ref: '#/components/schemas/Security_Lists_API_FindListItemsCursor' + data: + items: + $ref: '#/components/schemas/Security_Lists_API_ListItem' + type: array + page: + minimum: 0 + type: integer + per_page: + minimum: 0 + type: integer + total: + minimum: 0 + type: integer + required: + - data + - page + - per_page + - total + - cursor + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request, + message: '[request query]: list_id: Required' + statusCode: 400, + schema: + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: 
'#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [GET /api/lists/items/_find?list_id=ip_list&page=1&per_page=20] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Get value list items + tags: + - Security Lists API + x-metaTags: + - content: Kibana + name: product_name + /api/lists/items/_import: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/lists/items/_import
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Import value list items from a TXT or CSV file. The maximum file size is 9 million bytes. + + You can import items to a new or existing list. + operationId: ImportListItems + parameters: + - description: | + List's id. + + Required when importing to an existing list. in: query - name: searchAfter + name: list_id required: false schema: - items: - anyOf: - - type: string - - type: number - maxItems: 10 - type: array - - description: Number of results per page + $ref: '#/components/schemas/Security_Lists_API_ListId' + - description: | + Type of the importing list. + + Required when importing a new list whose list `id` is not specified. + examples: + ip: + value: ip in: query - name: perPage + name: type required: false schema: - default: 15 - type: number - - description: Sort order, ascending or descending + $ref: '#/components/schemas/Security_Lists_API_ListType' + - description: Determines when changes made by the request are made visible to search. in: query - name: sortOrder + name: refresh required: false schema: - default: asc enum: - - asc - - desc + - 'true' + - 'false' + - wait_for + example: true type: string + requestBody: + content: + multipart/form-data: + examples: + ipLinesFile: + value: + file: list_values.txt + schema: + type: object + properties: + file: + description: A `.txt` or `.csv` file containing newline separated list items. 
+ example: | + 127.0.0.1 + 127.0.0.2 + 127.0.0.3 + 127.0.0.4 + 127.0.0.5 + 127.0.0.6 + 127.0.0.7 + 127.0.0.8 + 127.0.0.9 + format: binary + type: string + required: true responses: '200': content: application/json: examples: - getInstalledPackagesExample: - description: List of installed integration packages + ip: value: - items: - - name: system - status: installed - title: System - version: 1.55.0 - - name: elastic_agent - status: installed - title: Elastic Agent - version: 1.15.0 - searchExcluded: 0 - total: 2 + _version: WzAsMV0= + '@timestamp': '2025-01-08T04:47:34.273Z' + created_at: '2025-01-08T04:47:34.273Z' + created_by: elastic + description: This list describes bad internet ip + id: ip_list + immutable: false + name: Simple list with an ip + tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 + type: ip + updated_at: '2025-01-08T04:47:34.273Z' + updated_by: elastic + version: 1 + schema: + $ref: '#/components/schemas/Security_Lists_API_List' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + message: Either type or list_id need to be defined in the query + status_code: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_get_installed_packages_response - description: Successful response - '400': + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': 
content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + forbidden: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + error: Forbidden + message: API [POST /api/lists/items/_import?list_id=ip_list] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get installed packages - tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/limited: - get: - description: >- - Get the list of packages that cannot be uninstalled (e.g. elastic_agent, - fleet_server).

[Required authorization] Route required - privileges: integrations-read OR fleet-setup OR fleet-all. - operationId: get-fleet-epm-packages-limited - parameters: [] - responses: - '200': + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '409': content: application/json: examples: - getLimitedPackagesExample: - description: List of packages that cannot be uninstalled + conflict: value: - items: - - elastic_agent - - fleet_server + message: List with the specified list_id does not exist, create the list or fix list_id to import to an existing one + status_code: 409 schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_get_limited_packages_response - description: Successful response - '400': + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List with specified list_id does not exist response + '500': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + serverError: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + message: Internal Server Error + status_code: 500 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get a limited package list + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Import value list items tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs: + - Security Lists API + x-metaTags: + - content: Kibana + name: product_name + /api/lists/privileges: get: - description: >- - Get an inputs template for a package, used to pre-populate package - policy forms.

[Required authorization] Route required - privileges: integrations-read OR fleet-setup OR fleet-all. - operationId: get-fleet-epm-templates-pkgname-pkgversion-inputs - parameters: - - description: Package name - in: path - name: pkgName - required: true - schema: - type: string - - description: Package version - in: path - name: pkgVersion - required: true - schema: - type: string - - description: 'Output format for the inputs template: json, yml, or yaml' - in: query - name: format - required: false - schema: - default: json - enum: - - json - - yml - - yaml - type: string - - description: When true, allow prerelease versions - in: query - name: prerelease - required: false - schema: - type: boolean - - description: >- - When true, return inputs even if the package signature cannot be - verified - in: query - name: ignoreUnverified - required: false - schema: - type: boolean + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/lists/privileges
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Returns the caller's authentication state and the Elasticsearch `cluster`, `index`, and `application` + privileges for `.lists` and `.items` data streams in the current Kibana space. Use this to decide which list + APIs (`read` vs `all` operations) are available before you create or import lists. + operationId: ReadListPrivileges responses: '200': content: application/json: examples: - getInputsTemplateExample: - description: Inputs template for a package + privileges: value: - inputs: - - description: Collect logs from log files - title: Collect logs from files - type: logfile - vars: - - name: paths - required: true - title: Paths - type: text + is_authenticated: true + listItems: + application: {} + cluster: + all: true + manage: true + manage_api_key: true + manage_index_templates: true + manage_ml: true + manage_own_api_key: true + manage_pipeline: true + manage_security: true + manage_transform: true + monitor: true + monitor_ml: true + monitor_transform: true + has_all_requested: true + index: + .items-default: + all: true + create: true + create_doc: true + create_index: true + delete: true + delete_index: true + index: true + maintenance: true + manage: true + monitor: true + read: true + view_index_metadata: true + write: true + username: elastic + lists: + application: {} + cluster: + all: true + manage: true + manage_api_key: true + manage_index_templates: true + manage_ml: true + manage_own_api_key: true + manage_pipeline: true + manage_security: true + manage_transform: true + monitor: true + monitor_ml: true + monitor_transform: true + has_all_requested: true + index: + .lists-default: + all: true + create: true + create_doc: true + create_index: true + delete: true + delete_index: true + index: true + maintenance: true + manage: true + monitor: true + read: true + view_index_metadata: true + write: true + username: elastic schema: - anyOf: - - 
type: string - - $ref: '#/components/schemas/Kibana_HTTP_APIs_get_inputs_response' + type: object + properties: + is_authenticated: + type: boolean + listItems: + $ref: '#/components/schemas/Security_Lists_API_ListItemPrivileges' + lists: + $ref: '#/components/schemas/Security_Lists_API_ListPrivileges' + required: + - lists + - listItems + - is_authenticated description: Successful response '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequest: value: error: Bad Request - message: An error message describing what went wrong + message: 'Unable to resolve list privileges: invalid or missing space context for this request' statusCode: 400 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get an inputs template - tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/verification_key_id: - get: - description: >- - Get the GPG key ID used to verify the signatures of packages from the - Elastic Package Registry.

[Required authorization] Route - required privileges: integrations-read OR fleet-setup OR fleet-all. - operationId: get-fleet-epm-verification-key-id - parameters: [] - responses: - '200': + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': content: application/json: examples: - getVerificationKeyIdExample: - description: The GPG key ID used to verify package signatures + unauthorized: value: - id: D27D666CD88E42B4 + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_get_verification_key_id_response - description: Successful response - '400': + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + forbidden: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + error: Forbidden + message: API [GET /api/lists/privileges] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] + statusCode: 403 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get a package signature verification key ID + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + 
'500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Get value list privileges tags: - - Elastic Package Manager (EPM) - /api/fleet/fleet_server_hosts: + - Security Lists API + x-metaTags: + - content: Kibana + name: product_name + /api/logstash/pipeline/{id}: + delete: + description: | + Delete a centrally-managed Logstash pipeline. + If your Elasticsearch cluster is protected with basic authentication, you must have either the `logstash_admin` built-in role or a customized Logstash writer role. + externalDocs: + description: Secure your connection + url: https://www.elastic.co/docs/reference/logstash/secure-connection + operationId: delete-logstash-pipeline + parameters: + - description: An identifier for the pipeline. + in: path + name: id + required: true + schema: + type: string + responses: + '204': + description: Indicates a successful call + summary: Delete a Logstash pipeline + tags: + - logstash + x-state: Technical Preview + x-metaTags: + - content: Kibana + name: product_name get: - description: >- - List all Fleet Server hosts.

[Required authorization] Route - required privileges: fleet-agents-all OR fleet-settings-read. - operationId: get-fleet-fleet-server-hosts - parameters: [] + description: | + Get information for a centrally-managed Logstash pipeline. + To use this API, you must have either the `logstash_admin` built-in role or a customized Logstash reader role. + externalDocs: + description: Secure your connection + url: https://www.elastic.co/docs/reference/logstash/secure-connection + operationId: get-logstash-pipeline + parameters: + - description: An identifier for the pipeline. + in: path + name: id + required: true + schema: + type: string responses: '200': content: application/json: examples: - getFleetServerHostsExample: - description: List of Fleet Server hosts - value: - items: - - host_urls: - - https://fleet-server.example.com:8220 - id: fleet-server-host-id-1 - is_default: true - is_preconfigured: false - name: Default Fleet Server - page: 1 - perPage: 20 - total: 1 + getLogstashPipelineResponseExample1: + value: |- + { + "id": "hello-world", + "description": "Just a simple pipeline", + "username": "elastic", + "pipeline": "input { stdin {} } output { stdout {} }", + "settings": { + "queue.type": "persistent" + } + } schema: - additionalProperties: false type: object - properties: - items: - items: - additionalProperties: false - type: object - properties: - host_urls: - items: - type: string - maxItems: 10 - minItems: 1 - type: array - id: - type: string - is_default: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: - default: false - type: boolean - name: - type: string - proxy_id: - nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - ssl: - additionalProperties: false - type: object - properties: - agent_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - es_key: - anyOf: - - additionalProperties: 
false - type: object - properties: - id: - type: string - required: - - id - - type: string - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - nullable: true - type: object - properties: - agent_certificate: - type: string - agent_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - agent_key: - type: string - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - client_auth: - enum: - - optional - - required - - none - type: string - es_certificate: - type: string - es_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - es_key: - type: string - key: - type: string - required: - - name - - host_urls - - id - maxItems: 10000 - type: array - page: - type: number - perPage: - type: number - total: - type: number - required: - - items - - total - - page - - perPage - description: Successful response - '400': + description: Indicates a successful call + summary: Get a Logstash pipeline + tags: + - logstash + x-state: Technical Preview + x-metaTags: + - content: Kibana + name: product_name + put: + description: | + Create a centrally-managed Logstash pipeline or update a pipeline. + To use this API, you must have either the `logstash_admin` built-in role or a customized Logstash writer role. + externalDocs: + description: Secure your connection + url: https://www.elastic.co/docs/reference/logstash/secure-connection + operationId: put-logstash-pipeline + parameters: + - description: | + An identifier for the pipeline. Pipeline ID must begin with a letter or underscore and can contain only letters, underscores, dashes, hyphens, and numbers. 
+ in: path + name: id + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + putLogstashPipelineRequestExample1: + value: |- + { + "pipeline": "input { stdin {} } output { stdout {} }", + "settings": { + "queue.type": "persisted" + } + } + schema: + type: object + properties: + description: + description: A description of the pipeline. + type: string + pipeline: + description: A definition for the pipeline. + type: string + settings: + description: | + Supported settings, represented as object keys, include the following: + + - `pipeline.workers` + - `pipeline.batch.size` + - `pipeline.batch.delay` + - `pipeline.ecs_compatibility` + - `pipeline.ordered` + - `queue.type` + - `queue.max_bytes` + - `queue.checkpoint.writes` + type: object + required: + - pipeline + responses: + '204': + description: Indicates a successful call + summary: Create or update a Logstash pipeline + tags: + - logstash + x-state: Technical Preview + x-metaTags: + - content: Kibana + name: product_name + /api/logstash/pipelines: + get: + description: | + Get a list of all centrally-managed Logstash pipelines. + + To use this API, you must have either the `logstash_admin` built-in role or a customized Logstash reader role. + > info + > Limit the number of pipelines to 10,000 or fewer. As the number of pipelines nears and surpasses 10,000, you may see performance issues on Kibana. + + The `username` property appears in the response when security is enabled and depends on when the pipeline was created or last updated. 
+ externalDocs: + description: Secure your connection + url: https://www.elastic.co/docs/reference/logstash/secure-connection + operationId: get-logstash-pipelines + responses: + '200': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + getLogstashPipelinesResponseExample1: + value: |- + { + "pipelines": [ + { + "id": "hello-world", + "description": "Just a simple pipeline", + "last_modified": "2018-04-14T12:23:29.772Z", + "username": "elastic" + }, + { + "id": "sleepy-pipeline", + "description": "", + "last_modified": "2018-03-24T03:41:30.554Z" + } + ] + } schema: - additionalProperties: false - description: Generic Error type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get Fleet Server hosts + description: Indicates a successful call + summary: Get all Logstash pipelines tags: - - Fleet Server hosts + - logstash + x-state: Technical Preview + x-metaTags: + - content: Kibana + name: product_name + /api/maintenance_window: post: - description: >- - Create a new Fleet Server host.

[Required authorization] Route - required privileges: fleet-settings-all. - operationId: post-fleet-fleet-server-hosts + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/maintenance_window
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + [Required authorization] Route required privileges: write-maintenance-window. + operationId: post-maintenance-window parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -32015,282 +47049,558 @@ paths: content: application/json: examples: - postFleetServerHostRequestExample: - description: Create a new Fleet Server host + createMaintenanceWindowRequest: + description: | + Create a maintenance window that recurs every week on Monday and Wednesday for two hours, with a scope that filters specific alerts using a KQL query. + summary: Create a maintenance window value: - host_urls: - - https://fleet-server.example.com:8220 - is_default: false - name: My Fleet Server + enabled: true + schedule: + custom: + duration: 2h + recurring: + every: 1w + occurrences: 10 + onWeekDay: + - MO + - WE + start: '2025-03-01T08:00:00.000Z' + timezone: Europe/Amsterdam + scope: + alerting: + query: + kql: 'kibana.alert.tags: "infra"' + title: Weekly Maintenance Window schema: additionalProperties: false type: object properties: - host_urls: - items: - type: string - maxItems: 10 - minItems: 1 - type: array - id: - type: string - is_default: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: - default: false + enabled: + description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications. type: boolean - name: - type: string - proxy_id: - nullable: true - type: string - secrets: + schedule: additionalProperties: false type: object properties: - ssl: + custom: additionalProperties: false type: object properties: - agent_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - es_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: + duration: + description: 'The duration of the schedule. It allows values in `` format. 
`` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' + type: string + recurring: + additionalProperties: false + type: object + properties: + end: + description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' + type: string + every: + description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' + type: string + occurrences: + description: The total number of recurrences of the schedule. + minimum: 1 + type: number + onMonth: + description: The specific months for a recurring schedule. Valid values are 1-12. + items: + maximum: 12 + minimum: 1 + type: number + minItems: 1 + type: array + onMonthDay: + description: The specific days of the month for a recurring schedule. Valid values are 1-31. + items: + maximum: 31 + minimum: 1 + type: number + minItems: 1 + type: array + onWeekDay: + description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. + items: + type: string + minItems: 1 + type: array + start: + description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' + type: string + timezone: + description: The timezone of the schedule. The default timezone is UTC. 
+ type: string + required: + - start + - duration + required: + - custom + scope: additionalProperties: false - nullable: true type: object properties: - agent_certificate: - type: string - agent_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - agent_key: - type: string - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - client_auth: - enum: - - optional - - required - - none - type: string - es_certificate: - type: string - es_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - es_key: - type: string - key: - type: string + alerting: + additionalProperties: false + type: object + properties: + query: + additionalProperties: false + type: object + properties: + kql: + description: A filter written in Kibana Query Language (KQL). Only alerts matching this query will be supressed by the maintenance window. + type: string + required: + - kql + required: + - query + required: + - alerting + title: + description: The name of the maintenance window. While this name does not have to be unique, a distinctive name can help you identify a specific maintenance window. + type: string required: - - name - - host_urls + - title + - schedule responses: '200': content: application/json: examples: - postFleetServerHostExample: - description: The created Fleet Server host + createMaintenanceWindowResponse: + description: | + The response returned when a maintenance window is successfully created. 
+ summary: Create a maintenance window response value: - item: - host_urls: - - https://fleet-server.example.com:8220 - id: fleet-server-host-id-2 - is_default: false - is_preconfigured: false - name: My Fleet Server + created_at: '2025-02-25T10:00:00.000Z' + created_by: elastic + enabled: true + id: f0cb1780-537a-4e34-8adf-3b4336862858 + schedule: + custom: + duration: 2h + recurring: + every: 1w + occurrences: 10 + onWeekDay: + - MO + - WE + start: '2025-03-01T08:00:00.000Z' + timezone: Europe/Amsterdam + scope: + alerting: + query: + kql: 'kibana.alert.tags: "infra"' + status: upcoming + title: Weekly Maintenance Window + updated_at: '2025-02-25T10:00:00.000Z' + updated_by: elastic schema: additionalProperties: false type: object properties: - item: + created_at: + description: The date and time when the maintenance window was created. + type: string + created_by: + description: The identifier for the user that created the maintenance window. + nullable: true + type: string + enabled: + description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications. + type: boolean + id: + description: The identifier for the maintenance window. + type: string + schedule: additionalProperties: false type: object properties: - host_urls: - items: - type: string - maxItems: 10 - minItems: 1 - type: array - id: - type: string - is_default: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: - default: false - type: boolean - name: - type: string - proxy_id: - nullable: true - type: string - secrets: + custom: additionalProperties: false type: object properties: - ssl: + duration: + description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' 
+ type: string + recurring: additionalProperties: false type: object properties: - agent_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - es_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: + end: + description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' + type: string + every: + description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' + type: string + occurrences: + description: The total number of recurrences of the schedule. + type: number + onMonth: + description: The specific months for a recurring schedule. Valid values are 1-12. + items: + type: number + type: array + onMonthDay: + description: The specific days of the month for a recurring schedule. Valid values are 1-31. + items: + type: number + type: array + onWeekDay: + description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. + items: + type: string + type: array + start: + description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' + type: string + timezone: + description: The timezone of the schedule. The default timezone is UTC. 
+ type: string + required: + - start + - duration + required: + - custom + scope: + additionalProperties: false + type: object + properties: + alerting: additionalProperties: false - nullable: true type: object properties: - agent_certificate: - type: string - agent_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - agent_key: - type: string - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - client_auth: - enum: - - optional - - required - - none - type: string - es_certificate: - type: string - es_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - es_key: - type: string - key: - type: string + query: + additionalProperties: false + type: object + properties: + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + required: + - query required: - - name - - host_urls - - id + - alerting + status: + description: The current status of the maintenance window. + enum: + - running + - upcoming + - finished + - archived + - disabled + type: string + title: + description: The name of the maintenance window. + type: string + updated_at: + description: The date and time when the maintenance window was last updated. + type: string + updated_by: + description: The identifier for the user that last updated this maintenance window. + nullable: true + type: string required: - - item - description: Successful response + - id + - title + - enabled + - created_by + - updated_by + - created_at + - updated_at + - status + - schedule + description: Indicates a successful call. '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + summary: Create a maintenance window. 
+ tags: + - maintenance-window + x-state: Generally available; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + /api/maintenance_window/_find: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/maintenance_window/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + [Required authorization] Route required privileges: read-maintenance-window. + operationId: get-maintenance-window-find + parameters: + - description: The title of the maintenance window. + in: query + name: title + required: false + schema: + type: string + - description: The user who created the maintenance window. + in: query + name: created_by + required: false + schema: + type: string + - description: The status of the maintenance window. It can be "running", "upcoming", "finished", "archived", or "disabled". + in: query + name: status + required: false + schema: + items: + enum: + - running + - finished + - upcoming + - archived + - disabled + type: string + type: array + - description: The page number to return. + in: query + name: page + required: false + schema: + default: 1 + maximum: 100 + minimum: 1 + type: number + - description: The number of maintenance windows to return per page. + in: query + name: per_page + required: false + schema: + default: 10 + maximum: 100 + minimum: 1 + type: number + responses: + '200': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + findMaintenanceWindowsResponse: + description: | + The response returned when maintenance windows are successfully found. 
+ summary: Find maintenance windows response value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + maintenanceWindows: + - created_at: '2025-02-25T10:00:00.000Z' + created_by: elastic + enabled: true + id: f0cb1780-537a-4e34-8adf-3b4336862858 + schedule: + custom: + duration: 2h + recurring: + every: 1w + occurrences: 10 + onWeekDay: + - MO + - WE + start: '2025-03-01T08:00:00.000Z' + timezone: Europe/Amsterdam + scope: + alerting: + query: + kql: 'kibana.alert.tags: "infra"' + status: upcoming + title: Weekly Maintenance Window + updated_at: '2025-02-25T10:00:00.000Z' + updated_by: elastic + - created_at: '2025-03-10T09:00:00.000Z' + created_by: elastic + enabled: true + id: a1c94560-6e3b-4ea1-9065-8e3f1b8c5f29 + schedule: + custom: + duration: 1h + recurring: + end: '2025-12-31T00:00:00.000Z' + every: 2w + onWeekDay: + - FR + start: '2025-04-01T10:00:00.000Z' + timezone: US/Eastern + scope: + alerting: + query: + kql: 'kibana.alert.tags: "database"' + status: upcoming + title: Database Upgrade Window + updated_at: '2025-03-15T14:30:00.000Z' + updated_by: elastic + page: 1 + per_page: 10 + total: 2 schema: additionalProperties: false - description: Generic Error type: object properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: + maintenanceWindows: + description: The list of maintenance windows. + items: + additionalProperties: false + type: object + properties: + created_at: + description: The date and time when the maintenance window was created. + type: string + created_by: + description: The identifier for the user that created the maintenance window. + nullable: true + type: string + enabled: + description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications. + type: boolean + id: + description: The identifier for the maintenance window. 
+ type: string + schedule: + additionalProperties: false + type: object + properties: + custom: + additionalProperties: false + type: object + properties: + duration: + description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' + type: string + recurring: + additionalProperties: false + type: object + properties: + end: + description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' + type: string + every: + description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' + type: string + occurrences: + description: The total number of recurrences of the schedule. + type: number + onMonth: + description: The specific months for a recurring schedule. Valid values are 1-12. + items: + type: number + type: array + onMonthDay: + description: The specific days of the month for a recurring schedule. Valid values are 1-31. + items: + type: number + type: array + onWeekDay: + description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. + items: + type: string + type: array + start: + description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' + type: string + timezone: + description: The timezone of the schedule. The default timezone is UTC. 
+ type: string + required: + - start + - duration + required: + - custom + scope: + additionalProperties: false + type: object + properties: + alerting: + additionalProperties: false + type: object + properties: + query: + additionalProperties: false + type: object + properties: + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + required: + - query + required: + - alerting + status: + description: The current status of the maintenance window. + enum: + - running + - upcoming + - finished + - archived + - disabled + type: string + title: + description: The name of the maintenance window. + type: string + updated_at: + description: The date and time when the maintenance window was last updated. + type: string + updated_by: + description: The identifier for the user that last updated this maintenance window. + nullable: true + type: string + required: + - id + - title + - enabled + - created_by + - updated_by + - created_at + - updated_at + - status + - schedule + type: array + page: + description: The current page number. + type: number + per_page: + description: The number of maintenance windows returned per page. + type: number + total: + description: The total number of maintenance windows that match the query. type: number required: - - message - - attributes - description: Bad Request - summary: Create a Fleet Server host + - page + - per_page + - total + - maintenanceWindows + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + summary: Search for a maintenance window. tags: - - Fleet Server hosts - /api/fleet/fleet_server_hosts/{itemId}: + - maintenance-window + x-state: Generally available; added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + /api/maintenance_window/{id}: delete: - description: >- - Delete a Fleet Server host by ID.

[Required authorization] - Route required privileges: fleet-settings-all. - operationId: delete-fleet-fleet-server-hosts-itemid + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/maintenance_window/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + [Required authorization] Route required privileges: write-maintenance-window. + operationId: delete-maintenance-window-id parameters: - description: A required header to protect against CSRF attacks in: header @@ -32299,9 +47609,42 @@ paths: schema: example: 'true' type: string - - description: The ID of the Fleet Server host + - description: The identifier for the maintenance window to be deleted. in: path - name: itemId + name: id + required: true + schema: + type: string + responses: + '204': + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a maintenance window with the given ID does not exist. + summary: Delete a maintenance window. + tags: + - maintenance-window + x-state: Generally available; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
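Review bot: The `every` description in the maintenance-window schedule (request schema, and repeated verbatim in the response and `_find` schemas of this hunk and again in the `/api/maintenance_window/{id}` hunk) lists `M` as the month unit, yet its own example gives `3m`, which by the `duration` convention directly above it denotes minutes; the text and the example should agree, e.g. `For example: 15d, 2w, 3M, 1y` if the unit letter is case-sensitive, otherwise the unit list needs `m`. The sibling `duration` description enumerates `d`, `h`, `m`, `s` but glosses them as "for hours, minutes, seconds", dropping days; `for days, hours, minutes, seconds` would match the list. The empty backtick pairs before "format" in both descriptions look like a dropped placeholder, possibly an extraction artifact, so worth checking in the source. If this YAML is a generated OpenAPI bundle, the wording should be corrected in the schema it is bundled from rather than here.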
get /s/{space_id}/api/maintenance_window/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + [Required authorization] Route required privileges: read-maintenance-window. + operationId: get-maintenance-window-id + parameters: + - description: The identifier for the maintenance window. + in: path + name: id required: true schema: type: string 
@@ -32310,71 +47653,490 @@ paths: content: application/json: examples: - deleteFleetServerHostExample: - description: The Fleet Server host was successfully deleted + getMaintenanceWindowResponse: + description: | + The response returned when a maintenance window is successfully retrieved. + summary: Get a maintenance window response value: - id: fleet-server-host-id-1 + created_at: '2025-02-25T10:00:00.000Z' + created_by: elastic + enabled: true + id: f0cb1780-537a-4e34-8adf-3b4336862858 + schedule: + custom: + duration: 2h + recurring: + every: 1w + occurrences: 10 + onWeekDay: + - MO + - WE + start: '2025-03-01T08:00:00.000Z' + timezone: Europe/Amsterdam + scope: + alerting: + query: + kql: 'kibana.alert.tags: "infra"' + status: upcoming + title: Weekly Maintenance Window + updated_at: '2025-02-25T10:00:00.000Z' + updated_by: elastic schema: additionalProperties: false type: object properties: + created_at: + description: The date and time when the maintenance window was created. + type: string + created_by: + description: The identifier for the user that created the maintenance window. + nullable: true + type: string + enabled: + description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications. + type: boolean id: + description: The identifier for the maintenance window. + type: string + schedule: + additionalProperties: false + type: object + properties: + custom: + additionalProperties: false + type: object + properties: + duration: + description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' + type: string + recurring: + additionalProperties: false + type: object + properties: + end: + description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' 
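Review bot: The `400`, `403` and `404` responses of `delete-maintenance-window-id` carry only a `description` and no `content` schema, so a client generated from this spec has no documented shape for the error body, whereas the removed Fleet Server host operations in this hunk documented a generic error object with `statusCode`, `error` and `message`. If the maintenance-window routes return the same Kibana error envelope, each error response should gain a `content: application/json: schema:` entry describing that object (or a shared `$ref`), so that callers can distinguish a privilege failure from a validation failure programmatically. The same gap applies to the GET and PATCH responses in the next hunk and to the `_archive` operation in the hunk after it. This file reads as a generated OpenAPI bundle, so the fix most likely belongs in the route's response schema declaration rather than in this output.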
+ type: string + every: + description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' + type: string + occurrences: + description: The total number of recurrences of the schedule. + type: number + onMonth: + description: The specific months for a recurring schedule. Valid values are 1-12. + items: + type: number + type: array + onMonthDay: + description: The specific days of the month for a recurring schedule. Valid values are 1-31. + items: + type: number + type: array + onWeekDay: + description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. + items: + type: string + type: array + start: + description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' + type: string + timezone: + description: The timezone of the schedule. The default timezone is UTC. + type: string + required: + - start + - duration + required: + - custom + scope: + additionalProperties: false + type: object + properties: + alerting: + additionalProperties: false + type: object + properties: + query: + additionalProperties: false + type: object + properties: + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + required: + - query + required: + - alerting + status: + description: The current status of the maintenance window. + enum: + - running + - upcoming + - finished + - archived + - disabled + type: string + title: + description: The name of the maintenance window. + type: string + updated_at: + description: The date and time when the maintenance window was last updated. + type: string + updated_by: + description: The identifier for the user that last updated this maintenance window. 
+ nullable: true type: string required: - id - description: Successful response + - title + - enabled + - created_by + - updated_by + - created_at + - updated_at + - status + - schedule + description: Indicates a successful call. '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a maintenance window with the given ID does not exist. + summary: Get maintenance window details. + tags: + - maintenance-window + x-state: Generally available; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + patch: + description: |- + **Spaces method and path for this operation:** + +
patch /s/{space_id}/api/maintenance_window/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + [Required authorization] Route required privileges: write-maintenance-window. + operationId: patch-maintenance-window-id + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the maintenance window. + in: path + name: id + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + updateMaintenanceWindowRequest: + description: | + Update a maintenance window to change its title, schedule, and scope. + summary: Update a maintenance window + value: + enabled: true + schedule: + custom: + duration: 1h + recurring: + end: '2025-12-31T00:00:00.000Z' + every: 2w + onWeekDay: + - FR + start: '2025-04-01T10:00:00.000Z' + timezone: US/Eastern + scope: + alerting: + query: + kql: 'kibana.alert.tags: "database"' + title: Updated maintenance window + schema: + additionalProperties: false + type: object + properties: + enabled: + description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications. + type: boolean + schedule: + additionalProperties: false + type: object + properties: + custom: + additionalProperties: false + type: object + properties: + duration: + description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' + type: string + recurring: + additionalProperties: false + type: object + properties: + end: + description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' + type: string + every: + description: 'The interval and frequency of a recurring schedule. It allows values in `` format. 
`` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' + type: string + occurrences: + description: The total number of recurrences of the schedule. + minimum: 1 + type: number + onMonth: + description: The specific months for a recurring schedule. Valid values are 1-12. + items: + maximum: 12 + minimum: 1 + type: number + minItems: 1 + type: array + onMonthDay: + description: The specific days of the month for a recurring schedule. Valid values are 1-31. + items: + maximum: 31 + minimum: 1 + type: number + minItems: 1 + type: array + onWeekDay: + description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. + items: + type: string + minItems: 1 + type: array + start: + description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' + type: string + timezone: + description: The timezone of the schedule. The default timezone is UTC. + type: string + required: + - start + - duration + required: + - custom + scope: + additionalProperties: false + type: object + properties: + alerting: + additionalProperties: false + type: object + properties: + query: + additionalProperties: false + type: object + properties: + kql: + description: A filter written in Kibana Query Language (KQL). Only alerts matching this query will be supressed by the maintenance window. + type: string + required: + - kql + required: + - query + required: + - alerting + title: + description: The name of the maintenance window. While this name does not have to be unique, a distinctive name can help you identify a specific maintenance window. 
+ type: string + responses: + '200': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + updateMaintenanceWindowResponse: + description: | + The response returned when a maintenance window is successfully updated. + summary: Update a maintenance window response value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + created_at: '2025-02-25T10:00:00.000Z' + created_by: elastic + enabled: true + id: f0cb1780-537a-4e34-8adf-3b4336862858 + schedule: + custom: + duration: 1h + recurring: + end: '2025-12-31T00:00:00.000Z' + every: 2w + onWeekDay: + - FR + start: '2025-04-01T10:00:00.000Z' + timezone: US/Eastern + scope: + alerting: + query: + kql: 'kibana.alert.tags: "database"' + status: upcoming + title: Updated maintenance window + updated_at: '2025-03-15T14:30:00.000Z' + updated_by: elastic schema: additionalProperties: false - description: Generic Error type: object properties: - attributes: + created_at: + description: The date and time when the maintenance window was created. + type: string + created_by: + description: The identifier for the user that created the maintenance window. nullable: true - error: type: string - errorType: + enabled: + description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications. + type: boolean + id: + description: The identifier for the maintenance window. type: string - message: + schedule: + additionalProperties: false + type: object + properties: + custom: + additionalProperties: false + type: object + properties: + duration: + description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' 
+ type: string + recurring: + additionalProperties: false + type: object + properties: + end: + description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' + type: string + every: + description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' + type: string + occurrences: + description: The total number of recurrences of the schedule. + type: number + onMonth: + description: The specific months for a recurring schedule. Valid values are 1-12. + items: + type: number + type: array + onMonthDay: + description: The specific days of the month for a recurring schedule. Valid values are 1-31. + items: + type: number + type: array + onWeekDay: + description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. + items: + type: string + type: array + start: + description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' + type: string + timezone: + description: The timezone of the schedule. The default timezone is UTC. + type: string + required: + - start + - duration + required: + - custom + scope: + additionalProperties: false + type: object + properties: + alerting: + additionalProperties: false + type: object + properties: + query: + additionalProperties: false + type: object + properties: + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + required: + - query + required: + - alerting + status: + description: The current status of the maintenance window. + enum: + - running + - upcoming + - finished + - archived + - disabled + type: string + title: + description: The name of the maintenance window. 
+ type: string + updated_at: + description: The date and time when the maintenance window was last updated. + type: string + updated_by: + description: The identifier for the user that last updated this maintenance window. + nullable: true type: string - statusCode: - type: number required: - - message - - attributes - description: Bad Request + - id + - title + - enabled + - created_by + - updated_by + - created_at + - updated_at + - status + - schedule + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. '404': - content: - application/json: - examples: - notFoundExample: - description: No Fleet Server host was found with the given ID - value: - error: Not Found - message: Fleet server fleet-server-host-id-1 not found - statusCode: 404 - description: Not Found - summary: Delete a Fleet Server host + description: Indicates a maintenance window with the given ID does not exist. + '409': + description: Indicates that the maintenance window has already been updated by another user. + summary: Update a maintenance window. tags: - - Fleet Server hosts - get: - description: >- - Get a Fleet Server host by ID.

[Required authorization] Route - required privileges: fleet-settings-read. - operationId: get-fleet-fleet-server-hosts-itemid + - maintenance-window + x-state: Generally available; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + /api/maintenance_window/{id}/_archive: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/maintenance_window/{id}/_archive
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + [Required authorization] Route required privileges: write-maintenance-window. + operationId: post-maintenance-window-id-archive parameters: - - description: The ID of the Fleet Server host + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the maintenance window to be archived. in: path - name: itemId + name: id required: true schema: type: string 
@@ -32383,176 +48145,176 @@ paths: content: application/json: examples: - getFleetServerHostExample: - description: A Fleet Server host + archiveMaintenanceWindowResponse: + description: | + The response returned when a maintenance window is successfully archived. + summary: Archive a maintenance window response value: - item: - host_urls: - - https://fleet-server.example.com:8220 - id: fleet-server-host-id-1 - is_default: true - is_preconfigured: false - name: Default Fleet Server + created_at: '2025-02-25T10:00:00.000Z' + created_by: elastic + enabled: true + id: f0cb1780-537a-4e34-8adf-3b4336862858 + schedule: + custom: + duration: 2h + recurring: + every: 1w + occurrences: 10 + onWeekDay: + - MO + - WE + start: '2025-03-01T08:00:00.000Z' + timezone: Europe/Amsterdam + scope: + alerting: + query: + kql: 'kibana.alert.tags: "infra"' + status: archived + title: Weekly Maintenance Window + updated_at: '2025-02-25T10:00:00.000Z' + updated_by: elastic schema: additionalProperties: false type: object properties: - item: + created_at: + description: The date and time when the maintenance window was created. + type: string + created_by: + description: The identifier for the user that created the maintenance window. + nullable: true + type: string + enabled: + description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications. + type: boolean + id: + description: The identifier for the maintenance window. + type: string + schedule: additionalProperties: false type: object properties: - host_urls: - items: - type: string - maxItems: 10 - minItems: 1 - type: array - id: - type: string - is_default: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: - default: false - type: boolean - name: - type: string - proxy_id: - nullable: true - type: string - secrets: + custom: additionalProperties: false type: object properties: - ssl: + duration: + description: 'The duration of the schedule. 
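Review bot: The PATCH request body's `scope.alerting.query.kql` description misspells "suppressed" as `supressed`; the line should read `description: A filter written in Kibana Query Language (KQL). Only alerts matching this query will be suppressed by the maintenance window.`. Since this is a bundled spec, the typo is presumably inherited from the route schema's description string and should be corrected there so it does not reappear on the next regeneration. Separately, the request schema constrains `occurrences` with `minimum: 1` and the `onMonth`/`onMonthDay`/`onWeekDay` arrays with `minItems` and value bounds, but the `200` response schema in the same hunk (and the GET response schema) repeats these fields without any of those constraints; if that is deliberate it is fine, otherwise the response schema should carry the same bounds so generated clients validate consistently.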
It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' + type: string + recurring: additionalProperties: false type: object properties: - agent_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - es_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: + end: + description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' + type: string + every: + description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' + type: string + occurrences: + description: The total number of recurrences of the schedule. + type: number + onMonth: + description: The specific months for a recurring schedule. Valid values are 1-12. + items: + type: number + type: array + onMonthDay: + description: The specific days of the month for a recurring schedule. Valid values are 1-31. + items: + type: number + type: array + onWeekDay: + description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. + items: + type: string + type: array + start: + description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' + type: string + timezone: + description: The timezone of the schedule. The default timezone is UTC. 
+ type: string + required: + - start + - duration + required: + - custom + scope: + additionalProperties: false + type: object + properties: + alerting: additionalProperties: false - nullable: true type: object properties: - agent_certificate: - type: string - agent_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - agent_key: - type: string - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - client_auth: - enum: - - optional - - required - - none - type: string - es_certificate: - type: string - es_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - es_key: - type: string - key: - type: string + query: + additionalProperties: false + type: object + properties: + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + required: + - query required: - - name - - host_urls - - id - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: + - alerting + status: + description: The current status of the maintenance window. + enum: + - running + - upcoming + - finished + - archived + - disabled type: string - errorType: + title: + description: The name of the maintenance window. type: string - message: + updated_at: + description: The date and time when the maintenance window was last updated. + type: string + updated_by: + description: The identifier for the user that last updated this maintenance window. 
+ nullable: true type: string - statusCode: - type: number required: - - message - - attributes - description: Bad Request + - id + - title + - enabled + - created_by + - updated_by + - created_at + - updated_at + - status + - schedule + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. '404': - content: - application/json: - examples: - notFoundExample: - description: No Fleet Server host was found with the given ID - value: - error: Not Found - message: Fleet server fleet-server-host-id-1 not found - statusCode: 404 - description: Not Found - summary: Get a Fleet Server host + description: Indicates a maintenance window with the given ID does not exist. + summary: Archive a maintenance window. tags: - - Fleet Server hosts - put: - description: >- - Update a Fleet Server host by ID.

[Required authorization] - Route required privileges: fleet-settings-all. - operationId: put-fleet-fleet-server-hosts-itemid + - maintenance-window + x-state: Generally available; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + /api/maintenance_window/{id}/_unarchive: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/maintenance_window/{id}/_unarchive
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + [Required authorization] Route required privileges: write-maintenance-window. + operationId: post-maintenance-window-id-unarchive parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -32561,2041 +48323,2296 @@ paths: schema: example: 'true' type: string - - description: The ID of the Fleet Server host + - description: The identifier for the maintenance window to be unarchived. in: path - name: itemId + name: id required: true schema: type: string - requestBody: - content: - application/json: - examples: - putFleetServerHostRequestExample: - description: Update a Fleet Server host - value: - host_urls: - - https://updated-fleet-server.example.com:8220 - is_default: false - name: Updated Fleet Server - schema: - additionalProperties: false - type: object - properties: - host_urls: - items: - type: string - maxItems: 10 - minItems: 1 - type: array - is_default: - type: boolean - is_internal: - type: boolean - name: - type: string - proxy_id: - nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - ssl: - additionalProperties: false - type: object - properties: - agent_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - es_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - nullable: true - type: object - properties: - agent_certificate: - type: string - agent_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - agent_key: - type: string - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - client_auth: - enum: - - optional - - required - - none - type: string - es_certificate: - type: string - es_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - es_key: - type: string - key: - type: string - required: - - proxy_id responses: '200': content: 
application/json: examples: - putFleetServerHostExample: - description: The updated Fleet Server host + unarchiveMaintenanceWindowResponse: + description: | + The response returned when a maintenance window is successfully unarchived. + summary: Unarchive a maintenance window response value: - item: - host_urls: - - https://updated-fleet-server.example.com:8220 - id: fleet-server-host-id-1 - is_default: false - is_preconfigured: false - name: Updated Fleet Server + created_at: '2025-02-25T10:00:00.000Z' + created_by: elastic + enabled: true + id: f0cb1780-537a-4e34-8adf-3b4336862858 + schedule: + custom: + duration: 2h + recurring: + every: 1w + occurrences: 10 + onWeekDay: + - MO + - WE + start: '2025-03-01T08:00:00.000Z' + timezone: Europe/Amsterdam + scope: + alerting: + query: + kql: 'kibana.alert.tags: "infra"' + status: upcoming + title: Weekly Maintenance Window + updated_at: '2025-02-25T10:00:00.000Z' + updated_by: elastic schema: additionalProperties: false type: object properties: - item: + created_at: + description: The date and time when the maintenance window was created. + type: string + created_by: + description: The identifier for the user that created the maintenance window. + nullable: true + type: string + enabled: + description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications. + type: boolean + id: + description: The identifier for the maintenance window. + type: string + schedule: additionalProperties: false type: object properties: - host_urls: - items: - type: string - maxItems: 10 - minItems: 1 - type: array - id: - type: string - is_default: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: - default: false - type: boolean - name: - type: string - proxy_id: - nullable: true - type: string - secrets: + custom: additionalProperties: false type: object properties: - ssl: + duration: + description: 'The duration of the schedule. 
It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' + type: string + recurring: additionalProperties: false type: object properties: - agent_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - es_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: + end: + description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' + type: string + every: + description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' + type: string + occurrences: + description: The total number of recurrences of the schedule. + type: number + onMonth: + description: The specific months for a recurring schedule. Valid values are 1-12. + items: + type: number + type: array + onMonthDay: + description: The specific days of the month for a recurring schedule. Valid values are 1-31. + items: + type: number + type: array + onWeekDay: + description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. + items: + type: string + type: array + start: + description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' + type: string + timezone: + description: The timezone of the schedule. The default timezone is UTC. 
+ type: string + required: + - start + - duration + required: + - custom + scope: + additionalProperties: false + type: object + properties: + alerting: additionalProperties: false - nullable: true type: object properties: - agent_certificate: - type: string - agent_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - agent_key: - type: string - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - client_auth: - enum: - - optional - - required - - none - type: string - es_certificate: - type: string - es_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - es_key: - type: string - key: - type: string + query: + additionalProperties: false + type: object + properties: + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + required: + - query required: - - name - - host_urls - - id + - alerting + status: + description: The current status of the maintenance window. + enum: + - running + - upcoming + - finished + - archived + - disabled + type: string + title: + description: The name of the maintenance window. + type: string + updated_at: + description: The date and time when the maintenance window was last updated. + type: string + updated_by: + description: The identifier for the user that last updated this maintenance window. + nullable: true + type: string required: - - item - description: Successful response + - id + - title + - enabled + - created_by + - updated_by + - created_at + - updated_at + - status + - schedule + description: Indicates a successful call. '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a maintenance window with the given ID does not exist. + summary: Unarchive a maintenance window. 
+ tags: + - maintenance-window + x-state: Generally available; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + /api/ml/saved_objects/sync: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/ml/saved_objects/sync
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Synchronizes Kibana saved objects for machine learning jobs and trained models in the default space. You must have `all` privileges for the **Machine Learning** feature in the **Analytics** section of the Kibana feature privileges. This API runs automatically when you start Kibana and periodically thereafter. + operationId: mlSync + parameters: + - $ref: '#/components/parameters/Machine_learning_APIs_simulateParam' + responses: + '200': + content: + application/json: + examples: + syncExample: + $ref: '#/components/examples/Machine_learning_APIs_mlSyncExample' + schema: + $ref: '#/components/schemas/Machine_learning_APIs_mlSync200Response' + description: Indicates a successful call + '401': + content: + application/json: + examples: + syncExample: + $ref: '#/components/examples/Machine_learning_APIs_mlSync401Example' + schema: + $ref: '#/components/schemas/Machine_learning_APIs_mlSync4xxResponse' + description: Authorization information is missing or invalid. + summary: Sync saved objects in the default space + tags: + - ml + x-metaTags: + - content: Kibana + name: product_name + /api/ml/saved_objects/update_jobs_spaces: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/ml/saved_objects/update_jobs_spaces
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update a list of jobs to add and/or remove them from given spaces. + operationId: mlUpdateJobsSpaces + requestBody: + content: + application/json: + examples: + updateADJobSpacesRequest: + value: + jobIds: + - test-job + jobType: anomaly-detector + spacesToAdd: + - default + spacesToRemove: + - '*' + updateDFAJobSpacesRequest: + value: + jobIds: + - test-job + jobType: data-frame-analytics + spacesToAdd: + - default + spacesToRemove: + - '*' + responses: + '200': + content: + application/json: + examples: + successADResponse: + value: + test-job: + success: true + type: anomaly-detector + successDFAResponse: + value: + test-job: + success: true + type: data-frame-analytics + description: Indicates a successful call + summary: Update jobs spaces + tags: + - ml + x-metaTags: + - content: Kibana + name: product_name + /api/ml/saved_objects/update_trained_models_spaces: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/ml/saved_objects/update_trained_models_spaces
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update a list of trained models to add and/or remove them from given spaces. + operationId: mlUpdateTrainedModelsSpaces + requestBody: + content: + application/json: + examples: + updateTrainedModelsSpacesRequest: + value: + modelIds: + - test-model + spacesToAdd: + - default + spacesToRemove: + - '*' + responses: + '200': + content: + application/json: + examples: + successTMResponse: + value: + test-model: + success: true + type: trained-model" + description: Indicates a successful call + summary: Update trained models spaces + tags: + - ml + x-metaTags: + - content: Kibana + name: product_name + /api/note: + delete: + description: | + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/note
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Deletes notes by saved object ID. Send either `noteId` (single ID) or `noteIds` (array of IDs) in the JSON body. + + The response has HTTP 200 with an empty body on success. + + Requires the **Timeline and Notes** write privilege (`notes_write`). + operationId: DeleteNote + requestBody: + content: + application/json: + examples: + deleteOne: + summary: Delete a single note by id + value: + noteId: 709f99c6-89b6-4953-9160-35945c8e174e + schema: + oneOf: + - nullable: true + type: object + properties: + noteId: + description: Saved object ID of the note to delete. + type: string + required: + - noteId + - nullable: true + type: object + properties: + noteIds: + description: Saved object IDs of the notes to delete. + items: + type: string + nullable: true + type: array + required: + - noteIds + description: | + Exactly one shape: `{ "noteId": "" }` for a single delete, or `{ "noteIds": ["", ...] }` for bulk delete. + `noteIds` may be null in some clients; prefer an empty array or omit unused fields when possible. + required: true + responses: + '200': + description: The notes were deleted successfully. Response body is empty. + summary: Delete one or more notes + tags: + - Security Timeline API + x-metaTags: + - content: Kibana + name: product_name + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/note
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Returns Security Timeline notes as saved objects. + + **Query modes (mutually exclusive branches on the server):** + + 1. **`documentIds` is set** — Returns notes whose `eventId` matches the given Elasticsearch document `_id` (single string or array). Pagination query parameters (`page`, `perPage`, etc.) are **not** applied; the server uses a fixed page size (up to 10000 notes). + + 2. **`savedObjectIds` is set** — Returns notes linked to the given Timeline saved object id(s). Same fixed cap as above; list-mode query parameters are **not** applied. + + 3. **Neither `documentIds` nor `savedObjectIds`** — Lists notes using saved-objects find semantics: `page` (default 1), `perPage` (default 10), optional `search`, `sortField`, `sortOrder`, `filter`, `createdByFilter`, and `associatedFilter`. + + Requires the **Timeline and Notes** read privilege (`notes_read`). + operationId: GetNotes + parameters: + - description: | + Event document `_id` values to match against each note's `eventId`. When this parameter is present, the response is all matching notes (up to the server's hard limit), not a paged list using `page`/`perPage`. + examples: + multiple: + summary: Multiple document ids (array) + value: + - id-one + - id-two + single: + summary: Single document id + value: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b + in: query + name: documentIds + schema: + $ref: '#/components/schemas/Security_Timeline_API_DocumentIds' + - description: | + Timeline `savedObjectId` value(s). Returns notes that reference those timelines. When present, list-mode pagination parameters are not used; up to the server's hard limit of notes may be returned. 
+ examples: + singleTimeline: + summary: Single timeline id + value: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + in: query + name: savedObjectIds + schema: + $ref: '#/components/schemas/Security_Timeline_API_SavedObjectIds' + - description: | + Page number for list mode (when `documentIds` and `savedObjectIds` are omitted). Passed as a string; default 1. + example: '1' + in: query + name: page + schema: + nullable: true + type: string + - description: | + Page size for list mode (when `documentIds` and `savedObjectIds` are omitted). Passed as a string; default 10. + example: '20' + in: query + name: perPage + schema: + nullable: true + type: string + - description: Search string for saved-objects find (list mode only). + in: query + name: search + schema: + nullable: true + type: string + - description: Field to sort by for saved-objects find (list mode only). + in: query + name: sortField + schema: + nullable: true + type: string + - description: Sort order (`asc` or `desc`) for saved-objects find (list mode only). + example: desc + in: query + name: sortOrder + schema: + nullable: true + type: string + - description: | + Kuery filter string combined with other list-mode filters (for example `createdByFilter` or `associatedFilter`). Typed as a string for API compatibility; interpreted by the saved-objects layer (list mode only). + in: query + name: filter + schema: + nullable: true + type: string + - description: | + Kibana user profile **UID** (UUID). The server resolves the user's display identifiers and returns notes whose `createdBy` matches any of them (list mode only). + example: f1c2d3e4-5b6a-7890-abcd-ef1234567890 + in: query + name: createdByFilter + schema: + nullable: true + type: string + - description: | + Restricts notes by how they relate to a Timeline and/or an event document (list mode only). Some values apply extra filtering after the query. Ignored when `documentIds` or `savedObjectIds` is used. 
+ in: query + name: associatedFilter + schema: + $ref: '#/components/schemas/Security_Timeline_API_AssociatedFilterType' + responses: + '200': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + notesPage: + summary: Paged notes for a timeline value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + notes: + - eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc + note: Escalated to tier-2 analyst + noteId: 709f99c6-89b6-4953-9160-35945c8e174e + timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + version: WzQ2LDFd + totalCount: 1 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No Fleet Server host was found with the given ID - value: - error: Not Found - message: Fleet server fleet-server-host-id-1 not found - statusCode: 404 - description: Not Found - summary: Update a Fleet Server host + $ref: '#/components/schemas/Security_Timeline_API_GetNotesResult' + description: Notes and total count for the requested mode. + summary: Get notes tags: - - Fleet Server hosts - /api/fleet/health_check: - post: - description: >- - Check the health status of a Fleet Server instance by its host ID. - Returns the server status and name if available.

[Required - authorization] Route required privileges: fleet-settings-all. - operationId: post-fleet-health-check - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string + - Security Timeline API + x-metaTags: + - content: Kibana + name: product_name + patch: + description: | + **Spaces method and path for this operation:** + +
patch /s/{space_id}/api/note
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Creates a new note or updates an existing one. + + **Create:** Send `note` and omit `noteId` to create a new saved object. + + **Update:** Send `note` with the changed fields and set `noteId` to the note's saved object ID. Optionally include `version` for optimistic concurrency when the client has it from a prior read. + + Requires the **Timeline and Notes** write privilege (`notes_write`). + externalDocs: + description: Add or update a note on a Timeline + url: https://www.elastic.co/guide/en/security/current/timeline-api-update.html + operationId: PersistNoteRoute requestBody: content: application/json: examples: - postHealthCheckRequestExample: - description: Check the health of a Fleet Server instance by its host ID + addNote: + summary: Add a note on an event value: - id: fleet-server-host-id-1 + note: + eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc + note: Escalated to tier-2 analyst + timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e schema: - additionalProperties: false type: object properties: - id: + note: + $ref: '#/components/schemas/Security_Timeline_API_BareNote' + description: Note payload (timeline, text, optional event linkage, metadata). + noteId: + description: The `savedObjectId` of the note to update. Omit when creating a new note. + example: 709f99c6-89b6-4953-9160-35945c8e174e + nullable: true + type: string + version: + description: Saved object version string from a previous read; optional on update. + example: WzQ2LDFd + nullable: true type: string required: - - id + - note + description: | + Body must include the `note` object. For updates, include `noteId` (and optionally `version`). + To attach a note to a specific event, set `note.eventId` to that event's document `_id`; for a timeline-wide note, omit or clear `eventId` per product rules. 
+ required: true responses: '200': content: application/json: examples: - postHealthCheckHealthyExample: - description: Fleet Server is online and healthy - value: - name: fleet-server-1 - status: ONLINE - postHealthCheckUnreachableExample: - description: >- - Fleet Server host is not reachable (request timed out or - aborted) - value: - host_id: fleet-server-host-id-1 - status: OFFLINE - schema: - additionalProperties: false - type: object - properties: - host_id: - type: string - name: - type: string - status: - type: string - required: - - status - description: Successful health check response - '400': - content: - application/json: - examples: - badRequestExample: - description: >- - The host ID exists but has no associated host URLs - configured + persisted: + summary: Persisted note wrapper value: - error: Bad Request - message: >- - The requested host id fleet-server-host-id-1 does not have - associated host urls. - statusCode: 400 + note: + eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc + note: Escalated to tier-2 analyst + noteId: 709f99c6-89b6-4953-9160-35945c8e174e + timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + version: WzQ2LDFd schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': + $ref: '#/components/schemas/Security_Timeline_API_ResponseNote' + description: The persisted note, including `noteId` and `version`. + summary: Add or update a note + tags: + - Security Timeline API + x-metaTags: + - content: Kibana + name: product_name + /api/observability_ai_assistant/chat/complete: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/observability_ai_assistant/chat/complete
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new chat completion by using the Observability AI Assistant. + + The API returns the model's response based on the current conversation context. + + It also handles any tool requests within the conversation, which may trigger multiple calls to the underlying large language model (LLM). + + This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. + operationId: observability-ai-assistant-chat-complete + requestBody: + content: + application/json: + examples: + chatCompleteRequestExample: + $ref: '#/components/examples/Observability_AI_Assistant_API_ChatCompleteRequestExample' + schema: + type: object + properties: + actions: + items: + $ref: '#/components/schemas/Observability_AI_Assistant_API_Function' + type: array + connectorId: + description: A unique identifier for the connector. + type: string + conversationId: + description: A unique identifier for the conversation if you are continuing an existing conversation. + type: string + disableFunctions: + description: Flag indicating whether all function calls should be disabled for the conversation. If true, no calls to functions will be made. + type: boolean + instructions: + description: An array of instruction objects, which can be either simple strings or detailed objects. + items: + $ref: '#/components/schemas/Observability_AI_Assistant_API_Instruction' + type: array + messages: + description: An array of message objects containing the conversation history. + items: + $ref: '#/components/schemas/Observability_AI_Assistant_API_Message' + type: array + persist: + description: Indicates whether the conversation should be saved to storage. If true, the conversation will be saved and will be available in Kibana. 
+ type: boolean + title: + description: A title for the conversation. + type: string + required: + - messages + - connectorId + - persist + responses: + '200': content: application/json: examples: - notFoundExample: - description: No Fleet Server host was found with the given ID - value: - error: Not Found - message: >- - The requested host id fleet-server-host-id-1 does not - exist. - statusCode: 404 + chatCompleteResponseExample: + $ref: '#/components/examples/Observability_AI_Assistant_API_ChatCompleteResponseExample' schema: - additionalProperties: false - description: Generic Error type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Not Found - summary: Check Fleet Server health + description: Successful response + summary: Generate a chat completion tags: - - Fleet internals - /api/fleet/kubernetes: + - observability_ai_assistant + x-codeSamples: + - lang: cURL + source: | + curl --request POST 'localhost:5601/api/observability_ai_assistant/chat/complete' -u : -H 'kbn-xsrf: true' -H "Content-Type: application/json" --data ' + { + "connectorId": "", + "disableFunctions": false, + "messages": [ + { + "@timestamp": "2025-06-25T23:45:00.000Z", + "message": { + "role": "user", + "content": "Is my Elasticsearch cluster healthy right now?" 
+ } + } + ], + "persist": false, + "actions": [ + { + "name": "get_cluster_health", + "description": "Fetch the current Elasticsearch cluster-health status and key metrics.", + "parameters": { + "type": "object", + "properties": { + "includeShardStats": { + "type": "boolean", + "default": false + } + } + } + } + ], + "instructions": ["When the user asks about Elasticsearch cluster health, use the get_cluster_health tool to retrieve cluster health, then summarize the response in plain English."] + }' + x-state: Technical Preview + x-metaTags: + - content: Kibana + name: product_name + /api/osquery/history: get: - description: >- - Get the Kubernetes manifest for deploying Elastic - Agent.

[Required authorization] Route required privileges: - fleet-agent-policies-read OR fleet-setup. - operationId: get-fleet-kubernetes + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/osquery/history
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a unified, time-sorted history of live, rule-triggered, and scheduled osquery executions. The response uses cursor-based pagination. + operationId: OsqueryGetUnifiedHistory parameters: - - description: If true, returns the manifest as a downloadable file + - description: The number of results to return per page. in: query - name: download + name: pageSize required: false schema: - type: boolean - - description: Fleet Server host URL to include in the manifest + default: 20 + description: The number of results to return per page. + maximum: 100 + minimum: 1 + type: integer + - description: A base64-encoded cursor for pagination. Use the value from the previous response to fetch the next page. in: query - name: fleetServer + name: nextPage required: false schema: + description: A base64-encoded cursor for pagination. Use the value from the previous response to fetch the next page. type: string - - description: Enrollment token to include in the manifest + - description: A search string to filter history entries by pack name, query text, or query ID. in: query - name: enrolToken + name: kuery required: false schema: + description: A search string to filter history entries by pack name, query text, or query ID. + type: string + - description: Comma-separated list of user IDs to filter live query history. + in: query + name: userIds + required: false + schema: + description: Comma-separated list of user IDs to filter live query history. + example: elastic,admin + type: string + - description: Comma-separated list of source types to include. Valid values are `live`, `rule`, and `scheduled`. + in: query + name: sourceFilters + required: false + schema: + description: Comma-separated list of source types to include. Valid values are `live`, `rule`, and `scheduled`. 
+ example: live,scheduled + type: string + - description: The start of the time range filter (ISO 8601). + in: query + name: startDate + required: false + schema: + description: The start of the time range filter (ISO 8601). + example: '2024-01-01T00:00:00Z' + type: string + - description: The end of the time range filter (ISO 8601). + in: query + name: endDate + required: false + schema: + description: The end of the time range filter (ISO 8601). + example: '2024-12-31T23:59:59Z' type: string responses: '200': content: application/json: examples: - getK8sManifestExample: - description: The Kubernetes manifest for deploying Elastic Agent - value: - item: >- - apiVersion: v1\nkind: ConfigMap\nmetadata:\n name: - agent-node-datastreams\n namespace: kube-system\n - schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_get_k8s_manifest_response - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response + unifiedHistoryExample: + summary: Example unified history response value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + data: + - actionId: 609c4c66-ba3d-43fa-afdd-53e244577aa0 + agentCount: 5 + errorCount: 0 + id: 3c42c847-eb30-4452-80e0-728584042334 + queryName: uptime_query + queryText: select * from uptime; + source: Live + sourceType: live + successCount: 5 + timestamp: '2024-07-26T09:59:32.220Z' + totalRows: 42 + userId: elastic + - agentCount: 10 + errorCount: 1 + executionCount: 3 + id: pack_my_pack_uptime_3 + packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d + packName: My Pack + plannedTime: '2024-07-26T09:00:00.000Z' + queryName: uptime + queryText: select * from uptime; + scheduleId: pack_my_pack_uptime + source: Scheduled + sourceType: scheduled + successCount: 9 + timestamp: '2024-07-26T09:00:00.000Z' + totalRows: 100 + hasMore: true + nextPage: eyJhY3Rpb25TZWFyY2hBZnRlciI6WzE3... 
schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get a full K8s agent manifest + $ref: '#/components/schemas/Security_Osquery_API_GetUnifiedHistoryResponse' + description: Indicates a successful call. + summary: Get unified query history tags: - - Elastic Agent policies - /api/fleet/kubernetes/download: + - Security Osquery API + x-state: Generally available; Added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/osquery/live_queries: get: - description: >- - Download the Kubernetes manifest for deploying Elastic - Agent.

[Required authorization] Route required privileges: - fleet-agent-policies-read OR fleet-setup. - operationId: get-fleet-kubernetes-download + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/osquery/live_queries
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all live queries. + operationId: OsqueryFindLiveQueries parameters: - - description: If true, returns the manifest as a downloadable file + - description: A KQL search string to filter live queries. in: query - name: download + name: kuery required: false schema: - type: boolean - - description: Fleet Server host URL to include in the manifest + $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' + - description: The page number to return. in: query - name: fleetServer + name: page required: false schema: - type: string - - description: Enrollment token to include in the manifest + $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' + - description: The number of results to return per page. in: query - name: enrolToken + name: pageSize required: false schema: - type: string + $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' + - description: The field to sort results by. + in: query + name: sort + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' + - description: The sort order. 
+ in: query + name: sortOrder + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' + responses: + '200': + content: + application/json: + examples: + liveQueriesList: + summary: A list of recent live queries + value: + data: + items: + - _source: + '@timestamp': '2023-10-31T00:00:00Z' + action_id: 3c42c847-eb30-4452-80e0-728584042334 + agents: + - 16d7caf5-efd2-4212-9b62-73dafc91fa13 + expiration: '2023-10-31T00:00:00Z' + queries: + - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 + agents: + - 16d7caf5-efd2-4212-9b62-73dafc91fa13 + ecs_mapping: + host.uptime: + field: total_seconds + id: 6724a474-cbba-41ef-a1aa-66aebf0879e2 + query: select * from uptime; + saved_query_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d + user_id: elastic + total: 1 + schema: + $ref: '#/components/schemas/Security_Osquery_API_FindLiveQueryResponse' + description: Indicates a successful call. + summary: Get live queries + tags: + - Security Osquery API + x-metaTags: + - content: Kibana + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/osquery/live_queries
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create and run a live query. + operationId: OsqueryCreateLiveQuery + requestBody: + content: + application/json: + examples: + singleQueryAllAgents: + summary: Run a single query on all agents + value: + agent_all: true + ecs_mapping: + host.uptime: + field: total_seconds + query: select * from uptime; + targetedQuery: + summary: Run a query against specific agents + value: + agent_ids: + - 16d7caf5-efd2-4212-9b62-73dafc91fa13 + query: select * from processes; + schema: + $ref: '#/components/schemas/Security_Osquery_API_CreateLiveQueryRequestBody' + required: true responses: '200': content: application/json: examples: - getDownloadK8sManifestExample: - description: The Kubernetes manifest download - value: >- - apiVersion: v1\nkind: ConfigMap\nmetadata:\n name: - agent-node-datastreams\n namespace: kube-system\n - schema: - type: string - description: >- - Successful response — returns the Kubernetes manifest as a YAML file - download - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No manifest was found + liveQueryCreated: + summary: Live query created value: - error: Not Found - message: Agent manifest not found - statusCode: 404 + data: + '@timestamp': '2022-07-26T09:59:32.220Z' + action_id: 3c42c847-eb30-4452-80e0-728584042334 + agent_all: true + agents: + - 
16d7caf5-efd2-4212-9b62-73dafc91fa13 + expiration: '2022-07-26T10:04:32.220Z' + input_type: osquery + queries: + - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 + agents: + - 16d7caf5-efd2-4212-9b62-73dafc91fa13 + id: 6724a474-cbba-41ef-a1aa-66aebf0879e2 + query: select * from uptime; + timeout: 120 + type: INPUT_ACTION + user_id: elastic schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Not Found - summary: Download an agent manifest + $ref: '#/components/schemas/Security_Osquery_API_CreateLiveQueryResponse' + description: Indicates a successful call. + summary: Create a live query tags: - - Elastic Agent policies - /api/fleet/logstash_api_keys: - post: - description: >- - Generate an API key for Logstash to use with a Fleet - output.

[Required authorization] Route required privileges: - fleet-settings-all. - operationId: post-fleet-logstash-api-keys + - Security Osquery API + x-metaTags: + - content: Kibana + name: product_name + /api/osquery/live_queries/{id}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/osquery/live_queries/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the details of a live query using the query ID. + operationId: OsqueryGetLiveQueryDetails parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf + - description: The ID of the live query. + in: path + name: id required: true schema: - example: 'true' + description: The ID of the live query result you want to retrieve. + example: 3c42c847-eb30-4452-80e0-728584042334 type: string responses: '200': content: application/json: examples: - postLogstashApiKeyExample: - description: The generated Logstash API key - value: - api_key: TiNAGG4BaaMdaH1tRfuU:KnR6yE41RrSowb0kQ0HWoA - schema: - additionalProperties: false - type: object - properties: - api_key: - type: string - required: - - api_key - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response + liveQueryDetails: + summary: Live query details with execution status value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + data: + '@timestamp': '2022-07-26T09:59:32.220Z' + action_id: 3c42c847-eb30-4452-80e0-728584042334 + agents: + - 16d7caf5-efd2-4212-9b62-73dafc91fa13 + expiration: '2022-07-26T10:04:32.220Z' + queries: + - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 + agents: + - 16d7caf5-efd2-4212-9b62-73dafc91fa13 + docs: 1 + failed: 0 + id: 6724a474-cbba-41ef-a1aa-66aebf0879e2 + pending: 0 + query: select * from uptime; + responded: 1 + status: completed + successful: 1 + status: completed + user_id: elastic schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad 
Request - summary: Generate a Logstash API key + $ref: '#/components/schemas/Security_Osquery_API_FindLiveQueryDetailsResponse' + description: Indicates a successful call. + summary: Get live query details tags: - - Fleet outputs - /api/fleet/message_signing_service/rotate_key_pair: - post: - description: >- - Rotate the key pair used by Fleet to sign messages sent to Elastic - Agents. This operation is irreversible and requires all agents in the - Fleet to be re-enrolled after rotation. You must explicitly acknowledge - the risk by passing `acknowledge=true` as a query - parameter.

[Required authorization] Route required privileges: - fleet-agents-all AND fleet-agent-policies-all AND fleet-settings-all. - operationId: post-fleet-message-signing-service-rotate-key-pair + - Security Osquery API + x-metaTags: + - content: Kibana + name: product_name + /api/osquery/live_queries/{id}/results/{actionId}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/osquery/live_queries/{id}/results/{actionId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the results of a live query using the query action ID. + operationId: OsqueryGetLiveQueryResults parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf + - description: The ID of the live query. + in: path + name: id required: true schema: - example: 'true' + description: The ID of the live query result you want to retrieve. + example: 3c42c847-eb30-4452-80e0-728584042334 + type: string + - description: The ID of the query action. + in: path + name: actionId + required: true + schema: + description: The ID of the query action that generated the live query results. + example: 609c4c66-ba3d-43fa-afdd-53e244577aa0 type: string - - description: >- - Set to true to confirm you understand the risks of rotating the key - pair + - description: A KQL search string to filter results. in: query - name: acknowledge + name: kuery required: false schema: - default: false - type: boolean + $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' + - description: The page number to return. + in: query + name: page + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' + - description: The number of results to return per page. + in: query + name: pageSize + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' + - description: The field to sort results by. + in: query + name: sort + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' + - description: The sort order. + in: query + name: sortOrder + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' responses: '200': content: application/json: examples: - rotateKeyPairSuccessExample: - description: >- - The key pair was rotated. All agents must be re-enrolled to - receive the new signing key. 
- value: - message: Key pair rotated successfully. - schema: - additionalProperties: false - type: object - properties: - message: - type: string - required: - - message - description: Key pair rotated successfully - '400': - content: - application/json: - examples: - acknowledgeRequiredExample: - description: >- - Request was rejected because the acknowledge query parameter - was not set to true - value: - error: Bad Request - message: >- - Warning: this API will cause a key pair to rotate and - should not be necessary in normal operation. If you - proceed, you may need to reinstall Agents in your network. - You must acknowledge the risks of rotating the key pair - with acknowledge=true in the request parameters. For more - information, reach out to your administrator. - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '500': - content: - application/json: - examples: - serviceUnavailableExample: - description: The message signing service is not available + liveQueryResults: + summary: Result rows from a live query execution value: - error: Internal Server Error - message: >- - Failed to rotate key pair. Message signing service is - unavailable! 
- statusCode: 500 + data: + edges: + - _id: doc1 + _source: + action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 + agent: + id: 16d7caf5-efd2-4212-9b62-73dafc91fa13 + osquery: + total_seconds: '12345' + - _id: doc2 + _source: + action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 + agent: + id: 16d7caf5-efd2-4212-9b62-73dafc91fa13 + osquery: + total_seconds: '67890' + total: 2 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Internal Server Error - summary: Rotate a Fleet message signing key pair + $ref: '#/components/schemas/Security_Osquery_API_GetLiveQueryResultsResponse' + description: Indicates a successful call. + summary: Get live query results tags: - - Message Signing Service - /api/fleet/outputs: + - Security Osquery API + x-metaTags: + - content: Kibana + name: product_name + /api/osquery/packs: get: - description: >- - List all Fleet outputs.

[Required authorization] Route required - privileges: fleet-settings-read OR fleet-agent-policies-read. - operationId: get-fleet-outputs - parameters: [] + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/osquery/packs
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all query packs. + operationId: OsqueryFindPacks + parameters: + - description: The page number to return. + in: query + name: page + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' + - description: The number of results to return per page. + in: query + name: pageSize + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' + - description: The field to sort results by. + in: query + name: sort + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' + - description: The sort order. + in: query + name: sortOrder + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' responses: '200': content: application/json: examples: - getOutputsExample: - description: List of Fleet outputs + packsList: + summary: A list of query packs value: - items: - - hosts: - - https://elasticsearch.example.com:9200 - id: output-id-1 - is_default: true - is_default_monitoring: true - name: Default output - type: elasticsearch + data: + - created_at: '2025-02-26T13:37:30.452Z' + created_by: elastic + description: My pack + enabled: true + name: my_pack + queries: + - id: ports + interval: 60 + query: SELECT * FROM listening_ports; + removed: false + snapshot: true + timeout: 120 + saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 + updated_at: '2025-02-26T13:37:30.452Z' + updated_by: elastic + version: 1 page: 1 - perPage: 20 + per_page: 20 total: 1 schema: - additionalProperties: false - type: object - properties: - items: - items: - anyOf: - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_output_elasticsearch - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_output_remote_elasticsearch - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_output_logstash - - $ref: 
'#/components/schemas/Kibana_HTTP_APIs_output_kafka' - maxItems: 10000 - type: array - page: - type: number - perPage: - type: number - total: - type: number - required: - - items - - total - - page - - perPage - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get outputs + $ref: '#/components/schemas/Security_Osquery_API_FindPacksResponse' + description: Indicates a successful call. + summary: Get packs tags: - - Fleet outputs + - Security Osquery API + x-metaTags: + - content: Kibana + name: product_name post: - description: >- - Create a new Fleet output.

[Required authorization] Route - required privileges: fleet-settings-all. - operationId: post-fleet-outputs - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/osquery/packs
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a query pack. + operationId: OsqueryCreatePacks requestBody: content: application/json: examples: - postOutputRequestExample: - description: Create a new Elasticsearch output + createPack: + summary: Create a pack with a single query value: - hosts: - - https://elasticsearch.example.com:9200 - is_default: false - is_default_monitoring: false - name: My output - type: elasticsearch + description: My pack + enabled: true + name: my_pack + policy_ids: + - my_policy_id + queries: + ports: + ecs_mapping: + client.port: + field: port + interval: 60 + query: SELECT * FROM listening_ports; + timeout: 120 schema: - anyOf: - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_new_output_elasticsearch - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_new_output_remote_elasticsearch - - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_output_logstash' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_output_kafka' + $ref: '#/components/schemas/Security_Osquery_API_CreatePacksRequestBody' + required: true responses: '200': content: application/json: examples: - postOutputExample: - description: The created Fleet output - value: - item: - hosts: - - https://elasticsearch.example.com:9200 - id: output-id-2 - is_default: false - is_default_monitoring: false - name: My output - type: elasticsearch - schema: - additionalProperties: false - type: object - properties: - item: - anyOf: - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_output_elasticsearch - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_output_remote_elasticsearch - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_logstash' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_kafka' - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response + packCreated: + 
summary: Pack created value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + data: + created_at: '2025-02-26T13:37:30.452Z' + created_by: elastic + description: My pack + enabled: true + name: my_pack + policy_ids: + - my_policy_id + queries: + ports: + interval: 60 + query: SELECT * FROM listening_ports; + removed: false + snapshot: true + timeout: 120 + saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 + shards: [] + updated_at: '2025-02-26T13:37:30.452Z' + updated_by: elastic + version: 1 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Create output + $ref: '#/components/schemas/Security_Osquery_API_CreatePacksResponse' + description: Indicates a successful call. + summary: Create a pack tags: - - Fleet outputs - /api/fleet/outputs/{outputId}: + - Security Osquery API + x-metaTags: + - content: Kibana + name: product_name + /api/osquery/packs/{id}: delete: - description: >- - Delete output by ID.

[Required authorization] Route required - privileges: fleet-settings-all. - operationId: delete-fleet-outputs-outputid + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/osquery/packs/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a query pack using the pack ID. + operationId: OsqueryDeletePacks parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The ID of the output + - description: The pack ID. in: path - name: outputId + name: id required: true schema: - type: string + $ref: '#/components/schemas/Security_Osquery_API_PackId' responses: '200': content: application/json: examples: - deleteOutputExample: - description: The output was successfully deleted - value: - id: output-id-1 + packDeleted: + summary: Pack deleted (empty response body) + value: {} schema: - additionalProperties: false type: object - properties: - id: - type: string - required: - - id - description: Successful response - '400': + properties: {} + description: Indicates a successful call. + summary: Delete a pack + tags: + - Security Osquery API + x-metaTags: + - content: Kibana + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/osquery/packs/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the details of a query pack using the pack ID. + operationId: OsqueryGetPacksDetails + parameters: + - description: The pack ID. + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Osquery_API_PackId' + responses: + '200': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + packDetails: + summary: Pack details value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + data: + created_at: '2025-02-26T13:37:30.452Z' + created_by: elastic + description: My pack + enabled: true + name: my_pack + policy_ids: + - my_policy_id + queries: + ports: + interval: 60 + query: SELECT * FROM listening_ports; + removed: false + snapshot: true + timeout: 120 + saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 + shards: {} + updated_at: '2025-02-26T13:37:30.452Z' + updated_by: elastic + version: 1 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': + $ref: '#/components/schemas/Security_Osquery_API_FindPackResponse' + description: Indicates a successful call. + summary: Get pack details + tags: + - Security Osquery API + x-metaTags: + - content: Kibana + name: product_name + put: + description: | + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/osquery/packs/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update a query pack using the pack ID. + > info + > You cannot update a prebuilt pack. + operationId: OsqueryUpdatePacks + parameters: + - description: The pack ID. + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Osquery_API_PackId' + requestBody: + content: + application/json: + examples: + renamePack: + summary: Rename a pack and update its description + value: + description: Updated pack description + enabled: true + name: my_pack_renamed + schema: + $ref: '#/components/schemas/Security_Osquery_API_UpdatePacksRequestBody' + required: true + responses: + '200': content: application/json: examples: - notFoundExample: - description: No output was found with the given ID + packUpdated: + summary: Pack updated value: - error: Not Found - message: Output output-id-1 not found - statusCode: 404 + data: + description: Updated pack description + enabled: true + name: my_pack_renamed + policy_ids: + - my_policy_id + queries: + ports: + interval: 60 + query: SELECT * FROM listening_ports; + removed: false + snapshot: true + timeout: 120 + saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 + shards: [] + updated_at: '2025-02-27T10:00:00.000Z' + updated_by: elastic + version: 2 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Not Found - summary: Delete output + $ref: '#/components/schemas/Security_Osquery_API_UpdatePacksResponse' + description: Indicates a successful call. + summary: Update a pack tags: - - Fleet outputs - get: - description: >- - Get output by ID.

[Required authorization] Route required - privileges: fleet-settings-read OR fleet-agent-policies-read. - operationId: get-fleet-outputs-outputid + - Security Osquery API + x-metaTags: + - content: Kibana + name: product_name + /api/osquery/packs/{id}/copy: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/osquery/packs/{id}/copy
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a copy of a query pack with a unique name by appending a `_copy` suffix. If the name already exists, a numeric suffix is added (e.g., `_copy_2`). The copied pack is always created with `enabled` set to `false`. + operationId: OsqueryCopyPacks parameters: - - description: The ID of the output + - description: The ID of the pack to copy. in: path - name: outputId + name: id required: true schema: - type: string + $ref: '#/components/schemas/Security_Osquery_API_PackId' responses: '200': content: application/json: examples: - getOutputExample: - description: A Fleet output + copyPackExample: + summary: Example response for copying a pack value: - item: - hosts: - - https://elasticsearch.example.com:9200 - id: output-id-1 - is_default: true - is_default_monitoring: true - name: Default output - type: elasticsearch + data: + created_at: '2025-02-26T13:37:30.452Z' + created_by: elastic + description: My pack + enabled: false + name: my_pack_copy + policy_ids: [] + queries: + - ecs_mapping: + - key: client.port + value: + field: port + id: ports + interval: 60 + query: SELECT * FROM listening_ports; + removed: false + snapshot: true + timeout: 120 + saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 + shards: [] + updated_at: '2025-02-26T13:37:30.452Z' + updated_by: elastic schema: - additionalProperties: false - type: object - properties: - item: - anyOf: - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_output_elasticsearch - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_output_remote_elasticsearch - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_logstash' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_kafka' - required: - - item - description: Successful response - '400': + $ref: '#/components/schemas/Security_Osquery_API_CopyPacksResponse' + description: Indicates a successful call. 
+ summary: Copy a pack + tags: + - Security Osquery API + x-state: Generally available; Added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/osquery/saved_queries: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/osquery/saved_queries
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all saved queries. + operationId: OsqueryFindSavedQueries + parameters: + - description: The page number to return. + in: query + name: page + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' + - description: The number of results to return per page. + in: query + name: pageSize + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' + - description: The field to sort results by. + in: query + name: sort + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' + - description: The sort order. + in: query + name: sortOrder + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' + responses: + '200': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + savedQueriesList: + summary: A list of saved queries value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + data: + - created_at: '2025-02-26T13:37:30.452Z' + created_by: elastic + description: Saved query description + ecs_mapping: + host.uptime: + field: total_seconds + id: my_saved_query + interval: '60' + platform: linux,darwin + query: select * from uptime; + saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c + timeout: 120 + updated_at: '2025-02-26T13:37:30.452Z' + updated_by: elastic + page: 1 + per_page: 20 + total: 1 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No output 
was found with the given ID - value: - error: Not Found - message: Output output-id-1 not found - statusCode: 404 - description: Not Found - summary: Get output + $ref: '#/components/schemas/Security_Osquery_API_FindSavedQueryResponse' + description: Indicates a successful call. + summary: Get saved queries tags: - - Fleet outputs - put: - description: >- - Update output by ID.

[Required authorization] Route required - privileges: fleet-settings-all OR fleet-agent-policies-all. - operationId: put-fleet-outputs-outputid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The ID of the output - in: path - name: outputId - required: true - schema: - type: string + - Security Osquery API + x-metaTags: + - content: Kibana + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/osquery/saved_queries
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create and save a query for later use. + operationId: OsqueryCreateSavedQuery requestBody: content: application/json: examples: - putOutputRequestExample: - description: Update a Fleet output + createSavedQuery: + summary: Create a saved query value: - hosts: - - https://updated-elasticsearch.example.com:9200 - name: Updated output + description: Saved query description + ecs_mapping: + host.uptime: + field: total_seconds + id: my_saved_query + interval: '60' + platform: linux,darwin + query: select * from uptime; + timeout: 120 schema: - anyOf: - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_update_output_elasticsearch - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_update_output_remote_elasticsearch - - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_output_logstash' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_output_kafka' + $ref: '#/components/schemas/Security_Osquery_API_CreateSavedQueryRequestBody' + required: true responses: '200': content: application/json: examples: - putOutputExample: - description: The updated Fleet output + savedQueryCreated: + summary: Saved query created value: - item: - hosts: - - https://updated-elasticsearch.example.com:9200 - id: output-id-1 - is_default: true - is_default_monitoring: true - name: Updated output - type: elasticsearch + data: + created_at: '2025-02-26T13:37:30.452Z' + created_by: elastic + description: Saved query description + ecs_mapping: + host.uptime: + field: total_seconds + id: my_saved_query + interval: '60' + platform: linux,darwin + query: select * from uptime; + saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c + timeout: 120 + updated_at: '2025-02-26T13:37:30.452Z' + updated_by: elastic schema: - additionalProperties: false - type: object - properties: - item: - anyOf: - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_output_elasticsearch - - $ref: >- - 
#/components/schemas/Kibana_HTTP_APIs_output_remote_elasticsearch - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_logstash' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_kafka' - required: - - item - description: Successful response - '400': + $ref: '#/components/schemas/Security_Osquery_API_CreateSavedQueryResponse' + description: Indicates a successful call. + summary: Create a saved query + tags: + - Security Osquery API + x-metaTags: + - content: Kibana + name: product_name + /api/osquery/saved_queries/{id}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/osquery/saved_queries/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a saved query using the query ID. + operationId: OsqueryDeleteSavedQuery + parameters: + - description: The saved query ID. + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + responses: + '200': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': + savedQueryDeleted: + summary: Saved query deleted (empty response body) + value: {} + schema: + $ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse' + description: Indicates a successful call. + summary: Delete a saved query + tags: + - Security Osquery API + x-metaTags: + - content: Kibana + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/osquery/saved_queries/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the details of a saved query using the query ID. + operationId: OsqueryGetSavedQueryDetails + parameters: + - description: The saved query ID. + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + responses: + '200': content: application/json: examples: - notFoundExample: - description: No output was found with the given ID + savedQueryDetails: + summary: Saved query details value: - error: Not Found - message: Output output-id-1 not found - statusCode: 404 - description: Not Found - summary: Update output + data: + created_at: '2025-02-26T13:37:30.452Z' + created_by: elastic + description: Saved query description + ecs_mapping: + host.uptime: + field: total_seconds + id: my_saved_query + interval: '60' + platform: linux,darwin + query: select * from uptime; + saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c + timeout: 120 + updated_at: '2025-02-26T13:37:30.452Z' + updated_by: elastic + schema: + $ref: '#/components/schemas/Security_Osquery_API_FindSavedQueryDetailResponse' + description: Indicates a successful call. + summary: Get saved query details tags: - - Fleet outputs - /api/fleet/outputs/{outputId}/health: - get: - description: >- - Get the latest health status of an output by ID.

[Required - authorization] Route required privileges: fleet-settings-read. - operationId: get-fleet-outputs-outputid-health + - Security Osquery API + x-metaTags: + - content: Kibana + name: product_name + put: + description: | + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/osquery/saved_queries/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update a saved query using the query ID. + > info + > You cannot update a prebuilt saved query. + operationId: OsqueryUpdateSavedQuery parameters: - - description: The ID of the output + - description: The saved query ID. in: path - name: outputId + name: id required: true schema: - type: string + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + requestBody: + content: + application/json: + examples: + updateSavedQuery: + summary: Update a saved query + value: + description: Updated saved query description + id: my_saved_query + interval: '120' + platform: linux,darwin + query: select * from osquery_info; + timeout: 60 + schema: + $ref: '#/components/schemas/Security_Osquery_API_UpdateSavedQueryRequestBody' + required: true responses: '200': content: application/json: examples: - getOutputHealthExample: - description: The latest health status of a Fleet output + savedQueryUpdated: + summary: Saved query updated value: - message: '' - state: HEALTHY - timestamp: '2024-01-15T10:00:00.000Z' + data: + description: Updated saved query description + id: my_saved_query + interval: '120' + platform: linux,darwin + query: select * from osquery_info; + saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c + timeout: 60 + updated_at: '2025-02-27T10:00:00.000Z' + updated_by: elastic schema: - additionalProperties: false - type: object - properties: - message: - description: long message if unhealthy - type: string - state: - description: state of output, HEALTHY or DEGRADED - type: string - timestamp: - description: timestamp of reported state - type: string - required: - - state - - message - - timestamp - description: Successful response - '400': + $ref: '#/components/schemas/Security_Osquery_API_UpdateSavedQueryResponse' + description: Indicates a successful call. 
+ summary: Update a saved query + tags: + - Security Osquery API + x-metaTags: + - content: Kibana + name: product_name + /api/osquery/saved_queries/{id}/copy: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/osquery/saved_queries/{id}/copy
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a copy of a saved query with a unique name by appending a `_copy` suffix. If the name already exists, a numeric suffix is added (e.g., `_copy_2`). + operationId: OsqueryCopySavedQuery + parameters: + - description: The ID of the saved query to copy. + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + responses: + '200': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + copySavedQueryExample: + summary: Example response for copying a saved query value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + data: + created_at: '2025-02-26T13:37:30.452Z' + created_by: elastic + description: Saved query description + ecs_mapping: + host.uptime: + field: total_seconds + id: my_saved_query_copy + interval: '60' + platform: linux,darwin + query: select * from uptime; + removed: false + saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c + snapshot: true + timeout: 120 + updated_at: '2025-02-26T13:37:30.452Z' + updated_by: elastic schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get the latest output health + $ref: '#/components/schemas/Security_Osquery_API_CopySavedQueryResponse' + description: Indicates a successful call. 
+ summary: Copy a saved query tags: - - Fleet outputs - /api/fleet/package_policies: + - Security Osquery API + x-state: Generally available; Added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/osquery/scheduled_results/{scheduleId}/{executionCount}: get: - description: List all package policies. - operationId: get-fleet-package-policies + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/osquery/scheduled_results/{scheduleId}/{executionCount}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get paginated per-agent action results for a specific scheduled query execution, with success/failure aggregation and execution metadata (pack name, query name/text, timestamp). + operationId: OsqueryGetScheduledActionResults parameters: - - description: Page number - in: query - name: page - required: false - schema: - type: number - - description: Number of results per page - in: query - name: perPage - required: false - schema: - type: number - - description: Field to sort results by - in: query - name: sortField - required: false + - description: The schedule ID of the scheduled query. + in: path + name: scheduleId + required: true schema: + description: The schedule ID of the scheduled query. + example: pack_my_pack_uptime type: string - - description: Sort order, ascending or descending + - description: The execution count for this scheduled query run. + in: path + name: executionCount + required: true + schema: + description: The execution count for this scheduled query run. + example: 3 + type: integer + - description: The kuery to filter the results by. in: query - name: sortOrder + name: kuery required: false schema: - enum: - - desc - - asc - type: string - - description: When true, only show policies with available upgrades + $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' + - description: The page number to return. The default is 1. in: query - name: showUpgradeable + name: page required: false schema: - type: boolean - - description: A KQL query string to filter results + $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' + - description: The number of results to return per page. The default is 20. 
in: query - name: kuery + name: pageSize required: false schema: - type: string - - description: 'Format for the response: simplified or legacy' + $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' + - description: The field that is used to sort the results. in: query - name: format + name: sort required: false schema: - enum: - - simplified - - legacy - type: string - - description: When true, include the agent count per package policy + $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' + - description: Specifies the sort order. in: query - name: withAgentCount + name: sortOrder required: false schema: - type: boolean + $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' responses: '200': content: application/json: examples: - getPackagePoliciesExample: - description: List of package policies - value: - items: - - created_at: '2024-01-15T10:00:00.000Z' - enabled: true - id: package-policy-id-1 - inputs: [] - name: nginx-1 - namespace: default - package: - name: nginx - title: Nginx - version: 1.20.0 - policy_ids: - - agent-policy-id-1 - updated_at: '2024-01-15T10:00:00.000Z' - page: 1 - perPage: 20 - total: 1 - schema: - additionalProperties: false - type: object - properties: - items: - items: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_package_policy_response - maxItems: 10000 - type: array - page: - type: number - perPage: - type: number - total: - type: number - required: - - items - - total - - page - - perPage - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response + scheduledActionResultsExample: + summary: Example scheduled action results response value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + aggregations: + failed: 1 + pending: 0 + successful: 9 + totalResponded: 10 + totalRowCount: 42 + currentPage: 0 + edges: + - _id: 
result-001 + fields: + agent_id: 16d7caf5-efd2-4212-9b62-73dafc91fa13 + rows_count: 5 + status: success + metadata: + executionCount: 3 + packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d + packName: My Pack + queryName: uptime + queryText: select * from uptime; + scheduleId: pack_my_pack_uptime + timestamp: '2024-07-26T09:00:00.000Z' + pageSize: 20 + total: 10 + totalPages: 1 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get package policies + $ref: '#/components/schemas/Security_Osquery_API_GetScheduledActionResultsResponse' + description: Indicates a successful call. + summary: Get scheduled action results tags: - - Fleet package policies - post: - description: Create a new package policy and assign it to an agent policy. - operationId: post-fleet-package-policies + - Security Osquery API + x-state: Generally available; Added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/osquery/scheduled_results/{scheduleId}/{executionCount}/results: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/osquery/scheduled_results/{scheduleId}/{executionCount}/results
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get paginated query result rows (the actual osquery output data) for a specific scheduled query execution. + operationId: OsqueryGetScheduledQueryResults parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf + - description: The schedule ID of the scheduled query. + in: path + name: scheduleId required: true schema: - example: 'true' + description: The schedule ID of the scheduled query. + example: pack_my_pack_uptime type: string - - description: 'Format for the response: simplified or legacy' + - description: The execution count for this scheduled query run. + in: path + name: executionCount + required: true + schema: + description: The execution count for this scheduled query run. + example: 3 + type: integer + - description: The kuery to filter the results by. in: query - name: format + name: kuery required: false schema: - enum: - - simplified - - legacy - type: string - requestBody: - content: - application/json: - examples: - postPackagePolicyRequestExample: - description: Create a new nginx package policy - value: - inputs: {} - name: nginx-1 - namespace: default - package: - name: nginx - version: 1.20.0 - policy_ids: - - agent-policy-id-1 - schema: - anyOf: - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_create_package_policy_request - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_simplified_create_package_policy_request - description: >- - You should use inputs as an object and not use the deprecated - inputs array. 
- responses: - '200': - content: - application/json: - examples: - postPackagePolicyExample: - description: The created package policy - value: - item: - created_at: '2024-01-15T10:00:00.000Z' - enabled: true - id: package-policy-id-2 - inputs: [] - name: nginx-1 - namespace: default - package: - name: nginx - title: Nginx - version: 1.20.0 - policy_ids: - - agent-policy-id-1 - updated_at: '2024-01-15T10:00:00.000Z' - schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_create_package_policy_response - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '409': - content: - application/json: - examples: - conflictExample: - description: A package policy with the same name already exists - value: - error: Conflict - message: An error message describing what went wrong - statusCode: 409 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Conflict - summary: Create a package policy - tags: - - Fleet package policies - /api/fleet/package_policies/_bulk_get: - post: - description: Get multiple package policies by ID. 
- operationId: post-fleet-package-policies-bulk-get - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true + $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' + - description: The page number to return. The default is 1. + in: query + name: page + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' + - description: The number of results to return per page. The default is 20. + in: query + name: pageSize + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' + - description: The field that is used to sort the results. + in: query + name: sort + required: false schema: - example: 'true' - type: string - - description: 'Format for the response: simplified or legacy' + $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' + - description: Specifies the sort order. in: query - name: format + name: sortOrder required: false schema: - enum: - - simplified - - legacy + $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' + - description: The start date filter (ISO 8601) to narrow down results. + in: query + name: startDate + required: false + schema: + description: The start date filter (ISO 8601) to narrow down results. + example: '2024-01-01T00:00:00Z' type: string + responses: + '200': + content: + application/json: + examples: + scheduledQueryResultsExample: + summary: Example scheduled query results response + value: + data: + edges: + - _id: row-001 + fields: + host.uptime: + - '12345' + - _id: row-002 + fields: + host.uptime: + - '67890' + total: 2 + schema: + $ref: '#/components/schemas/Security_Osquery_API_GetScheduledQueryResultsResponse' + description: Indicates a successful call. 
+ summary: Get scheduled query results + tags: + - Security Osquery API + x-state: Generally available; Added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/pinned_event: + patch: + description: |- + **Spaces method and path for this operation:** + +
patch /s/{space_id}/api/pinned_event
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Pin/unpin an event to/from an existing Timeline. + operationId: PersistPinnedEventRoute requestBody: content: application/json: examples: - postBulkGetPackagePoliciesRequestExample: - description: Retrieve multiple package policies by ID + pinEvent: + summary: Pin an event value: - ids: - - package-policy-id-1 - - package-policy-id-2 + eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc + timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e schema: - additionalProperties: false type: object properties: - ids: - description: list of package policy ids - items: - type: string - maxItems: 1000 - type: array - ignoreMissing: - type: boolean + eventId: + description: The `_id` of the associated event for this pinned event. + example: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc + type: string + pinnedEventId: + description: The `savedObjectId` of the pinned event you want to unpin. + example: 10r1929b-0af7-42bd-85a8-56e234f98h2f3 + nullable: true + type: string + timelineId: + description: The `savedObjectId` of the timeline that you want this pinned event unpinned from. + example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + type: string required: - - ids + - eventId + - timelineId + description: The pinned event to add or unpin, along with additional metadata. 
+ required: true responses: '200': content: application/json: examples: - postBulkGetPackagePoliciesExample: - description: The requested package policies + pinnedSaved: + summary: Pinned event saved object value: - items: - - created_at: '2024-01-15T10:00:00.000Z' - enabled: true - id: package-policy-id-1 - inputs: [] - name: nginx-1 - namespace: default - package: - name: nginx - title: Nginx - version: 1.20.0 - policy_ids: - - agent-policy-id-1 - updated_at: '2024-01-15T10:00:00.000Z' - schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_bulk_get_package_policies_response - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response + eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc + pinnedEventId: 10r1929b-0af7-42bd-85a8-56e234f98h2f3 + timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + version: WzQ2LDFe + unpinned: + summary: Unpin response value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + unpinned: true schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': + $ref: '#/components/schemas/Security_Timeline_API_PersistPinnedEventResponse' + description: Indicates a successful call. + summary: Pin/unpin an event + tags: + - Security Timeline API + x-metaTags: + - content: Kibana + name: product_name + /api/risk_score/engine/dangerously_delete_data: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/risk_score/engine/dangerously_delete_data
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Cleaning up the the Risk Engine by removing the indices, mapping and transforms + operationId: CleanUpRiskEngine + responses: + '200': content: application/json: examples: - notFoundExample: - description: One or more package policies were not found + CleanUpRiskEngineResponse: + summary: Successful cleanup response value: - error: Not Found - message: Package policy package-policy-id-2 not found - statusCode: 404 + cleanup_successful: true schema: - additionalProperties: false type: object properties: - message: - type: string - required: - - message - description: Not Found - summary: Bulk get package policies - tags: - - Fleet package policies - /api/fleet/package_policies/{packagePolicyId}: - delete: - description: >- - Delete a package policy by ID.

[Required authorization] Route - required privileges: fleet-agent-policies-all AND integrations-all. - operationId: delete-fleet-package-policies-packagepolicyid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The ID of the package policy - in: path - name: packagePolicyId - required: true - schema: - type: string - - description: When true, delete the package policy even if it is managed - in: query - name: force - required: false - schema: - type: boolean - responses: - '200': + cleanup_successful: + type: boolean + description: Successful response + '400': content: application/json: examples: - deletePackagePolicyExample: - description: The package policy was successfully deleted + taskManagerUnavailable: + summary: Task manager is unavailable value: - id: package-policy-id-1 + message: Task Manager is unavailable, but is required by the risk engine. Please enable the taskManager plugin and try again. + status_code: 400 schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_delete_one_package_policy_response - description: Successful response - '400': + $ref: '#/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse' + description: Task manager is unavailable + default: content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + cleanupFailed: + summary: Cleanup failed value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + cleanup_successful: false + errors: + - error: Risk engine is disabled or deleted already. 
+ seq: 1 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: + $ref: '#/components/schemas/Security_Entity_Analytics_API_CleanUpRiskEngineErrorResponse' + description: Unexpected error + summary: Cleanup the Risk Engine + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/risk_score/engine/saved_object/configure: + patch: + description: |- + **Spaces method and path for this operation:** + +
patch /s/{space_id}/api/risk_score/engine/saved_object/configure
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Configuring the Risk Engine Saved Object + operationId: ConfigureRiskEngineSavedObject + requestBody: + content: + application/json: + examples: + ConfigureRiskEngineSavedObjectRequest: + summary: Configure the risk engine saved object + value: + enable_reset_to_zero: false + exclude_alert_statuses: + - closed + exclude_alert_tags: + - low-priority + filters: + - entity_types: + - host + - user + filter: 'host.name: *' + range: + end: now + start: now-30d + schema: + type: object + properties: + enable_reset_to_zero: + type: boolean + exclude_alert_statuses: + items: type: string - message: + type: array + exclude_alert_tags: + items: type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Delete a package policy - tags: - - Fleet package policies - get: - description: Get a package policy by ID. - operationId: get-fleet-package-policies-packagepolicyid - parameters: - - description: The ID of the package policy - in: path - name: packagePolicyId - required: true - schema: - type: string - - description: 'Format for the response: simplified or legacy' - in: query - name: format - required: false - schema: - enum: - - simplified - - legacy - type: string + type: array + filters: + items: + type: object + properties: + entity_types: + items: + enum: + - host + - user + - service + type: string + type: array + filter: + description: KQL filter string + type: string + required: + - entity_types + - filter + type: array + page_size: + description: | + Number of entities to score per page. Higher values reduce total scoring time by reducing the number of alert-index scans, but cannot exceed the ES|QL result limit (10,000 by default). 
+ maximum: 10000 + minimum: 100 + type: integer + range: + type: object + properties: + end: + type: string + start: + type: string + required: true responses: '200': content: application/json: examples: - getPackagePolicyExample: - description: A package policy + ConfigureRiskEngineSavedObjectResponse: + summary: Successful configuration response value: - item: - created_at: '2024-01-15T10:00:00.000Z' - enabled: true - id: package-policy-id-1 - inputs: [] - name: nginx-1 - namespace: default - package: - name: nginx - title: Nginx - version: 1.20.0 - policy_ids: - - agent-policy-id-1 - updated_at: '2024-01-15T10:00:00.000Z' + risk_engine_saved_object_configured: true schema: - additionalProperties: false type: object properties: - item: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_package_policy_response - required: - - item + risk_engine_saved_object_configured: + type: boolean description: Successful response '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + taskManagerUnavailable: + summary: Task manager is unavailable value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + message: Task Manager is unavailable, but is required by the risk engine. Please enable the taskManager plugin and try again. 
+ status_code: 400 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': + $ref: '#/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse' + description: Task manager is unavailable + default: content: application/json: examples: - notFoundExample: - description: No package policy was found with the given ID + configureError: + summary: Configure saved object failed value: - error: Not Found - message: Package policy package-policy-id-1 not found - statusCode: 404 + errors: + - error: Internal server error + seq: 1 + risk_engine_saved_object_configured: false schema: - additionalProperties: false - type: object - properties: - message: - type: string - required: - - message - description: Not Found - summary: Get a package policy + $ref: '#/components/schemas/Security_Entity_Analytics_API_ConfigureRiskEngineSavedObjectErrorResponse' + description: Unexpected error + summary: Configure the Risk Engine Saved Object tags: - - Fleet package policies - put: - description: Update a package policy by ID. 
- operationId: put-fleet-package-policies-packagepolicyid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The ID of the package policy - in: path - name: packagePolicyId - required: true - schema: - type: string - - description: 'Format for the response: simplified or legacy' - in: query - name: format - required: false - schema: - enum: - - simplified - - legacy - type: string + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/risk_score/engine/schedule_now: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/risk_score/engine/schedule_now
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Schedule the risk scoring engine to run as soon as possible. You can use this to recalculate entity risk scores after updating their asset criticality. + operationId: ScheduleRiskEngineNow requestBody: content: application/json: examples: - putPackagePolicyRequestExample: - description: Update a package policy - value: - enabled: true - inputs: {} - name: nginx-1-updated - namespace: default - package: - name: nginx - version: 1.20.0 - policy_ids: - - agent-policy-id-1 + emptyRequest: + summary: No request body + value: {} schema: - anyOf: - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_update_package_policy_request - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_simplified_create_package_policy_request + type: object responses: '200': content: application/json: examples: - putPackagePolicyExample: - description: The updated package policy + ScheduleRiskEngineNowResponse: + summary: Successful schedule response value: - item: - created_at: '2024-01-15T10:00:00.000Z' - enabled: true - id: package-policy-id-1 - inputs: [] - name: nginx-1-updated - namespace: default - package: - name: nginx - title: Nginx - version: 1.20.0 - policy_ids: - - agent-policy-id-1 - updated_at: '2024-01-15T11:00:00.000Z' + success: true schema: - additionalProperties: false - type: object - properties: - item: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_package_policy_response - required: - - item + $ref: '#/components/schemas/Security_Entity_Analytics_API_RiskEngineScheduleNowResponse' description: Successful response '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + taskManagerUnavailable: + summary: Task manager is unavailable value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + message: Task Manager is unavailable, but is required by the 
risk engine. Please enable the taskManager plugin and try again. + status_code: 400 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '403': + $ref: '#/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse' + description: Task manager is unavailable + default: content: application/json: examples: - forbiddenExample: - description: The update is not authorized for this package + scheduleNowError: + summary: Schedule now failed value: - error: Forbidden - message: An error message describing what went wrong - statusCode: 403 + full_error: '{}' + message: Internal server error schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Forbidden - summary: Update a package policy + $ref: '#/components/schemas/Security_Entity_Analytics_API_RiskEngineScheduleNowErrorResponse' + description: Unexpected error + summary: Run the risk scoring engine tags: - - Fleet package policies - /api/fleet/package_policies/delete: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/saved_objects/_bulk_create: post: - description: >- - Delete multiple package policies by ID.

[Required - authorization] Route required privileges: fleet-agent-policies-all AND - integrations-all. - operationId: post-fleet-package-policies-delete + deprecated: true + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/saved_objects/_bulk_create
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + WARNING: This API is deprecated. This is a legacy Saved Objects API and may be removed in a future version of Kibana. + + Creates multiple Kibana saved objects in a single request. + + For transferring or backing up saved objects, prefer the import and export APIs (`POST /api/saved_objects/_import` and `POST /api/saved_objects/_export`). + operationId: post-saved-objects-bulk-create parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -34604,77 +50621,153 @@ paths: schema: example: 'true' type: string + - description: Overwrite existing saved objects that match the same type and ID. + in: query + name: overwrite + required: false + schema: + default: false + type: boolean requestBody: content: application/json: examples: - postDeletePackagePoliciesRequestExample: - description: Delete multiple package policies by ID + bulkCreateRequest: + summary: Create multiple saved objects (partial success) value: - packagePolicyIds: - - package-policy-id-1 - - package-policy-id-2 + - attributes: + title: Example dashboard 1 + id: example-dashboard-1 + references: [] + type: dashboard + - attributes: + title: Example dashboard 2 + id: example-dashboard-2 + references: [] + type: dashboard schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_delete_package_policies_request + items: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: + nullable: true + type: object + coreMigrationVersion: + type: string + id: + type: string + initialNamespaces: + items: + type: string + maxItems: 100 + minItems: 1 + type: array + migrationVersion: + additionalProperties: + type: string + type: object + references: + items: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + type: + type: string + required: + - name + - type + - id + maxItems: 1000 + type: array + type: + type: string + typeMigrationVersion: + type: string + version: + type: string + required: + - type + - attributes + maxItems: 10000 + type: array responses: '200': content: application/json: examples: - postDeletePackagePoliciesExample: - description: Results of the bulk delete operation + bulkCreateResponse: + summary: A bulk create response with one conflict value: - - id: package-policy-id-1 - success: true - - id: package-policy-id-2 - success: true - schema: - items: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_package_policy_status_response - 
maxItems: 10000 - type: array - description: Successful response + saved_objects: + - attributes: + title: Example dashboard 1 + id: example-dashboard-1 + managed: false + namespaces: + - default + references: [] + type: dashboard + updated_at: '2026-04-17T12:00:00.000Z' + version: WzEsMV0= + - error: + error: Conflict + message: Saved object [dashboard/example-dashboard-2] conflict + statusCode: 409 + id: example-dashboard-2 + type: dashboard + description: A bulk create response. '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequestResponse: + summary: A bad request error value: error: Bad Request - message: An error message describing what went wrong + message: 'Unsupported saved object type(s): unknownType' statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Bulk delete package policies + description: A bad request. 
+ summary: Create saved objects tags: - - Fleet package policies - /api/fleet/package_policies/upgrade: + - saved objects + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/saved_objects/_bulk_create?overwrite=false" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '[{"type":"dashboard","id":"example-dashboard-1","attributes":{"title":"Example dashboard 1"},"references":[]},{"type":"dashboard","id":"example-dashboard-2","attributes":{"title":"Example dashboard 2"},"references":[]}]' + - lang: Console + source: | + POST kbn://api/saved_objects/_bulk_create?overwrite=false + [{"type":"dashboard","id":"example-dashboard-1","attributes":{"title":"Example dashboard 1"},"references":[]},{"type":"dashboard","id":"example-dashboard-2","attributes":{"title":"Example dashboard 2"},"references":[]}] + x-metaTags: + - content: Kibana + name: product_name + /api/saved_objects/_bulk_delete: post: - description: >- - Upgrade a package policy to a newer package version.

[Required - authorization] Route required privileges: fleet-agent-policies-all AND - integrations-all. - operationId: post-fleet-package-policies-upgrade + deprecated: true + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/saved_objects/_bulk_delete
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + WARNING: This API is deprecated. This is a legacy Saved Objects API and may be removed in a future version of Kibana. + + Deletes multiple Kibana saved objects in a single request. + + There is currently no complete replacement for deleting arbitrary saved objects via an HTTP API. + operationId: post-saved-objects-bulk-delete parameters: - description: A required header to protect against CSRF attacks in: header 
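Review bot: The `'400'` response of `/api/saved_objects/_bulk_create` now carries only an example and no `schema:` — the removed generic error object (`error`, `message`, `statusCode`, `additionalProperties: false`) was dropped without a replacement, so clients generating types from this spec get an untyped 400 body; the `'400'` response of `/api/saved_objects/_bulk_delete` in the next hunk has the same gap. Restore a schema under `application/json:`, e.g. `schema: { type: object, properties: { error: { type: string }, message: { type: string }, statusCode: { type: number } }, required: [message, statusCode] }`, or a `$ref` to a shared error component if the bundle defines one. The `_bulk_create` path object starts in the previous hunk, and if this file is a generated bundle the fix belongs in the per-route source spec rather than here.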
@@ -34683,75 +50776,103 @@ paths: schema: example: 'true' type: string + - description: When true, force deletion of multi-namespace objects from all namespaces. + in: query + name: force + required: false + schema: + type: boolean requestBody: content: application/json: examples: - postUpgradePackagePoliciesRequestExample: - description: Upgrade package policies to the latest version + bulkDeleteRequest: + summary: Delete multiple saved objects value: - packagePolicyIds: - - package-policy-id-1 + - id: example-dashboard-1 + type: dashboard + - id: does-not-exist + type: dashboard schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_upgrade_package_policies_request + items: + additionalProperties: false + type: object + properties: + id: + type: string + type: + type: string + required: + - type + - id + maxItems: 10000 + type: array responses: '200': content: application/json: examples: - postUpgradePackagePoliciesExample: - description: Results of the upgrade operation + bulkDeleteResponse: + summary: A bulk delete response with one not found result value: - - id: package-policy-id-1 - name: nginx-1 - success: true - schema: - items: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_package_policy_status_response - maxItems: 10000 - type: array - description: Successful response + statuses: + - id: example-dashboard-1 + success: true + type: dashboard + - error: + error: Not Found + message: Saved object [dashboard/does-not-exist] not found + statusCode: 404 + id: does-not-exist + success: false + type: dashboard + description: A bulk delete response. 
'400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequestResponse: + summary: A bad request error value: error: Bad Request - message: An error message describing what went wrong + message: 'Unsupported saved object type(s): unknownType' statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Upgrade a package policy + description: A bad request. + summary: Delete saved objects tags: - - Fleet package policies - /api/fleet/package_policies/upgrade/dryrun: + - saved objects + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/saved_objects/_bulk_delete?force=false" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '[{"type":"dashboard","id":"example-dashboard-1"},{"type":"dashboard","id":"does-not-exist"}]' + - lang: Console + source: | + POST kbn://api/saved_objects/_bulk_delete?force=false + [{"type":"dashboard","id":"example-dashboard-1"},{"type":"dashboard","id":"does-not-exist"}] + x-metaTags: + - content: Kibana + name: product_name + /api/saved_objects/_bulk_get: post: - description: >- - Preview the changes that would be applied by upgrading a package policy - to a newer package version.

[Required authorization] Route - required privileges: fleet-agent-policies-read AND integrations-read. - operationId: post-fleet-package-policies-upgrade-dryrun + deprecated: true + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/saved_objects/_bulk_get
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + WARNING: This API is deprecated. This is a legacy Saved Objects API and may be removed in a future version of Kibana. + + Retrieves multiple Kibana saved objects by type and ID in a single request. + + For transferring or backing up saved objects, prefer the export API (`POST /api/saved_objects/_export`). + operationId: post-saved-objects-bulk-get parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -34764,312 +50885,361 @@ paths: content: application/json: examples: - postDryRunPackagePoliciesRequestExample: - description: Dry run an upgrade of a package policy + bulkGetRequest: + summary: Get multiple saved objects value: - packagePolicyIds: - - package-policy-id-1 + - id: example-dashboard-1 + type: dashboard + - id: does-not-exist + type: dashboard schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_dry_run_package_policies_request + items: + additionalProperties: false + type: object + properties: + fields: + items: + type: string + maxItems: 100 + type: array + id: + type: string + namespaces: + items: + type: string + maxItems: 100 + type: array + type: + type: string + required: + - type + - id + maxItems: 10000 + type: array responses: '200': content: application/json: examples: - postDryRunPackagePoliciesExample: - description: Preview of the package policy upgrade diff + bulkGetResponse: + summary: A bulk get response with one not found result value: - - diff: - - id: package-policy-id-1 - name: nginx-1 - package: - name: nginx - version: 1.20.0 - - name: nginx-1 - package: - name: nginx - version: 1.21.0 - hasErrors: false - name: nginx-1 - schema: - items: - additionalProperties: false - type: object - properties: - agent_diff: - items: - items: - additionalProperties: true - type: object - properties: - data_stream: - additionalProperties: true - type: object - properties: - namespace: - type: string - required: - - namespace - id: - type: string - meta: - additionalProperties: true - type: object - properties: - package: - additionalProperties: true - type: object - properties: - name: - type: string - version: - type: string - required: - - name - - version - required: - - package - name: - type: string - package_policy_id: - type: string - processors: - items: - additionalProperties: true - type: object - properties: - add_fields: - additionalProperties: true - type: object - properties: - fields: - additionalProperties: - anyOf: - - 
type: string - - type: number - type: object - target: - type: string - required: - - target - - fields - required: - - add_fields - maxItems: 10000 - type: array - revision: - type: number - streams: - items: - additionalProperties: true - type: object - properties: - data_stream: - additionalProperties: true - type: object - properties: - dataset: - type: string - type: - type: string - required: - - dataset - id: - type: string - required: - - data_stream - maxItems: 10000 - type: array - type: - type: string - use_output: - type: string - required: - - id - - name - - revision - - type - - data_stream - - use_output - - package_policy_id - maxItems: 10000 - type: array - maxItems: 1 - type: array - body: - additionalProperties: false - type: object - properties: - message: - type: string - required: - - message - diff: - items: - anyOf: - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_package_policy_response - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_dry_run_package_policy - maxItems: 2 - type: array - hasErrors: - type: boolean - name: - type: string - statusCode: - type: number - required: - - hasErrors - maxItems: 10000 - type: array - description: Successful response + saved_objects: + - attributes: + title: Example dashboard 1 + id: example-dashboard-1 + managed: false + namespaces: + - default + references: [] + type: dashboard + updated_at: '2026-04-17T12:00:00.000Z' + version: WzEsMV0= + - error: + error: Not Found + message: Saved object [dashboard/does-not-exist] not found + statusCode: 404 + id: does-not-exist + type: dashboard + description: A bulk get response. '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequestResponse: + summary: A bad request error value: error: Bad Request - message: An error message describing what went wrong + message: 'Unsupported saved object type(s): unknownType' statusCode: 400 - schema: + description: A bad request. 
+ summary: Get saved objects + tags: + - saved objects + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/saved_objects/_bulk_get" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '[{"type":"dashboard","id":"example-dashboard-1"},{"type":"dashboard","id":"does-not-exist"}]' + - lang: Console + source: | + POST kbn://api/saved_objects/_bulk_get + [{"type":"dashboard","id":"example-dashboard-1"},{"type":"dashboard","id":"does-not-exist"}] + x-metaTags: + - content: Kibana + name: product_name + /api/saved_objects/_bulk_resolve: + post: + deprecated: true + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/saved_objects/_bulk_resolve
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + WARNING: This API is deprecated. This is a legacy Saved Objects API and may be removed in a future version of Kibana. + + Retrieve multiple Kibana saved objects by ID, using any legacy URL aliases if they exist. + + Under certain circumstances, when Kibana is upgraded, saved object migrations may necessitate regenerating some object IDs to enable new features. When an object's ID is regenerated, a legacy URL alias is created for that object, preserving its old ID. In such a scenario, that object can be retrieved with the bulk resolve API using either its new ID or its old ID. + operationId: post-saved-objects-bulk-resolve + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + bulkResolveRequest: + summary: Resolve multiple saved objects + value: + - id: example-dashboard-1 + type: dashboard + - id: legacy-id + type: dashboard + schema: + items: additionalProperties: false - description: Generic Error type: object properties: - attributes: - nullable: true - error: - type: string - errorType: + id: type: string - message: + type: type: string - statusCode: - type: number required: - - message - - attributes - description: Bad Request - summary: Dry run a package policy upgrade - tags: - - Fleet package policies - /api/fleet/proxies: - get: - description: >- - List all Fleet proxies.

[Required authorization] Route required - privileges: fleet-settings-read. - operationId: get-fleet-proxies - parameters: [] + - type + - id + maxItems: 10000 + type: array responses: '200': content: application/json: examples: - getFleetProxiesExample: - description: List of Fleet proxies + bulkResolveResponse: + summary: A bulk resolve response with an exact and alias match + value: + resolved_objects: + - outcome: exactMatch + saved_object: + attributes: + title: Example dashboard 1 + id: example-dashboard-1 + managed: false + namespaces: + - default + references: [] + type: dashboard + updated_at: '2026-04-17T12:00:00.000Z' + version: WzEsMV0= + - alias_target_id: example-dashboard-2 + outcome: aliasMatch + saved_object: + attributes: + title: Example dashboard 2 + id: example-dashboard-2 + managed: false + namespaces: + - default + references: [] + type: dashboard + updated_at: '2026-04-17T12:00:00.000Z' + version: WzEsMl0= + description: A bulk resolve response. + '400': + content: + application/json: + examples: + badRequestResponse: + summary: A bad request error value: - items: - - id: proxy-id-1 - is_preconfigured: false - name: My proxy - url: http://proxy.example.com:3128 - page: 1 - perPage: 20 - total: 1 - schema: + error: Bad Request + message: 'Unsupported saved object type(s): unknownType' + statusCode: 400 + description: A bad request. 
+ summary: Resolve saved objects + tags: + - saved objects + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/saved_objects/_bulk_resolve" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '[{"type":"dashboard","id":"example-dashboard-1"},{"type":"dashboard","id":"legacy-id"}]' + - lang: Console + source: | + POST kbn://api/saved_objects/_bulk_resolve + [{"type":"dashboard","id":"example-dashboard-1"},{"type":"dashboard","id":"legacy-id"}] + x-metaTags: + - content: Kibana + name: product_name + /api/saved_objects/_bulk_update: + put: + deprecated: true + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/saved_objects/_bulk_update
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + WARNING: This API is deprecated. This is a legacy Saved Objects API and may be removed in a future version of Kibana. + + Updates multiple Kibana saved objects in a single request. + + For transferring or backing up saved objects, prefer the import and export APIs (`POST /api/saved_objects/_import` and `POST /api/saved_objects/_export`). + operationId: put-saved-objects-bulk-update + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + bulkUpdateRequest: + summary: Update multiple saved objects (partial success) + value: + - attributes: + title: Updated dashboard title + id: example-dashboard-1 + references: [] + type: dashboard + - attributes: + title: Updated dashboard title + id: does-not-exist + type: dashboard + schema: + items: additionalProperties: false type: object properties: - items: + attributes: + additionalProperties: + nullable: true + type: object + id: + type: string + namespace: + minLength: 1 + type: string + references: items: additionalProperties: false type: object properties: - certificate: - nullable: true - type: string - certificate_authorities: - nullable: true - type: string - certificate_key: - nullable: true - type: string id: type: string - is_preconfigured: - default: false - type: boolean name: type: string - proxy_headers: - additionalProperties: - anyOf: - - type: string - - type: boolean - - type: number - nullable: true - type: object - url: + type: type: string required: - - id - - url - name - maxItems: 10000 + - type + - id + maxItems: 1000 type: array - page: - type: number - perPage: - type: number - total: - type: number + type: + type: string + version: + type: string required: - - items - - total - - page - - perPage - description: Successful 
response + - type + - id + - attributes + maxItems: 10000 + type: array + responses: + '200': + content: + application/json: + examples: + bulkUpdateResponse: + summary: A bulk update response with one not found result + value: + saved_objects: + - attributes: + title: Updated dashboard title + id: example-dashboard-1 + managed: false + namespaces: + - default + references: [] + type: dashboard + updated_at: '2026-04-17T12:00:00.000Z' + version: WzIsMV0= + - error: + error: Not Found + message: Saved object [dashboard/does-not-exist] not found + statusCode: 404 + id: does-not-exist + type: dashboard + description: A bulk update response. '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequestResponse: + summary: A bad request error value: error: Bad Request - message: An error message describing what went wrong + message: 'Unsupported saved object type(s): unknownType' statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get proxies + description: A bad request. 
+ summary: Update saved objects tags: - - Fleet proxies + - saved objects + x-codeSamples: + - lang: curl + source: | + curl \ + -X PUT "${KIBANA_URL}/api/saved_objects/_bulk_update" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '[{"type":"dashboard","id":"example-dashboard-1","attributes":{"title":"Updated dashboard title"},"references":[]},{"type":"dashboard","id":"does-not-exist","attributes":{"title":"Updated dashboard title"}}]' + - lang: Console + source: | + PUT kbn://api/saved_objects/_bulk_update + [{"type":"dashboard","id":"example-dashboard-1","attributes":{"title":"Updated dashboard title"},"references":[]},{"type":"dashboard","id":"does-not-exist","attributes":{"title":"Updated dashboard title"}}] + x-metaTags: + - content: Kibana + name: product_name + /api/saved_objects/_export: post: - description: >- - Create a new Fleet proxy.

[Required authorization] Route - required privileges: fleet-settings-all. - operationId: post-fleet-proxies + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/saved_objects/_export
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve sets of saved objects that you want to import into Kibana. You must include `type` or `objects` in the request body. The output of exporting saved objects must be treated as opaque. Tampering with exported data risks introducing unspecified errors and data loss. + + Exported saved objects are not backwards compatible and cannot be imported into an older version of Kibana. + + NOTE: The exported saved objects include `coreMigrationVersion` and `typeMigrationVersion` metadata. If you store exported saved objects outside of Kibana (for example in NDJSON files) or generate them yourself, you must preserve or include these fields to retain forward compatibility across Kibana versions. + + NOTE: The `savedObjects.maxImportExportSize` configuration setting limits the number of saved objects which may be exported. + operationId: post-saved-objects-export parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -35082,325 +51252,381 @@ paths: content: application/json: examples: - postFleetProxyRequestExample: - description: Create a new Fleet proxy + exportSavedObjectsRequest: + summary: Export a specific saved object value: - name: My proxy - url: http://proxy.example.com:3128 + excludeExportDetails: true + includeReferencesDeep: false + objects: + - id: example-dashboard-1 + type: dashboard schema: additionalProperties: false type: object properties: - certificate: - nullable: true - type: string - certificate_authorities: - nullable: true - type: string - certificate_key: - nullable: true - type: string - id: - type: string - is_preconfigured: + excludeExportDetails: default: false + description: Do not add export details entry at the end of the stream. type: boolean - name: - type: string - proxy_headers: - additionalProperties: - anyOf: - - type: string - - type: boolean - - type: number - nullable: true - type: object - url: - type: string - required: - - url - - name - responses: - '200': - content: - application/json: - examples: - postFleetProxyExample: - description: The created Fleet proxy - value: - item: - id: proxy-id-2 - is_preconfigured: false - name: My proxy - url: http://proxy.example.com:3128 - schema: - additionalProperties: false - type: object - properties: - item: + hasReference: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + type: + type: string + required: + - type + - id + - items: + additionalProperties: false + type: object + properties: + id: + type: string + type: + type: string + required: + - type + - id + maxItems: 100 + type: array + includeReferencesDeep: + default: false + description: Includes all of the referenced objects in the exported objects. + type: boolean + objects: + description: 'A list of objects to export. 
NOTE: this optional parameter cannot be combined with the `types` option' + items: additionalProperties: false type: object properties: - certificate: - nullable: true - type: string - certificate_authorities: - nullable: true - type: string - certificate_key: - nullable: true - type: string id: type: string - is_preconfigured: - default: false - type: boolean - name: - type: string - proxy_headers: - additionalProperties: - anyOf: - - type: string - - type: boolean - - type: number - nullable: true - type: object - url: + type: type: string required: + - type - id - - url - - name - required: - - item - description: Successful response + maxItems: 10000 + type: array + search: + description: Search for documents to export using the Elasticsearch Simple Query String syntax. + type: string + type: + anyOf: + - type: string + - items: + type: string + maxItems: 100 + type: array + description: The saved object types to include in the export. Use `*` to export all the types. Valid options depend on enabled plugins, but may include `visualization`, `dashboard`, `search`, `index-pattern`, `tag`, `config`, `config-global`, `lens`, `map`, `event-annotation-group`, `query`, `url`, `action`, `alert`, `alerting_rule_template`, `apm-indices`, `cases-user-actions`, `cases`, `cases-comments`, `infrastructure-monitoring-log-view`, `ml-trained-model`, `osquery-saved-query`, `osquery-pack`, `osquery-pack-asset`. + responses: + '200': + content: + application/x-ndjson: + examples: + exportSavedObjectsResponse: + summary: The export response contains an NDJSON record for each exported object + value: | + {"id":"example-dashboard-1","type":"dashboard","attributes":{"title":"Example dashboard 1"},"references":[],"managed":false} + {"exportedCount":1,"missingRefCount":0,"missingReferences":[]} + schema: {} + description: Indicates a successfull call. 
'400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequestResponse: + summary: A bad request error value: error: Bad Request - message: An error message describing what went wrong + message: 'Either `type` or `objects` are required.: Bad Request' statusCode: 400 schema: additionalProperties: false - description: Generic Error + description: Indicates an unsuccessful response. type: object properties: - attributes: - nullable: true error: type: string - errorType: - type: string message: type: string statusCode: - type: number + enum: + - 400 + type: integer required: + - error - message - - attributes - description: Bad Request - summary: Create a proxy + - statusCode + description: Bad request. + summary: Export saved objects tags: - - Fleet proxies - /api/fleet/proxies/{itemId}: - delete: - description: >- - Delete a proxy by ID

[Required authorization] Route required - privileges: fleet-settings-all. - operationId: delete-fleet-proxies-itemid + - saved objects + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/saved_objects/_export" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{"objects":[{"type":"dashboard","id":"example-dashboard-1"}],"includeReferencesDeep":false,"excludeExportDetails":true}' + - lang: Console + source: | + POST kbn://api/saved_objects/_export + {"objects":[{"type":"dashboard","id":"example-dashboard-1"}],"includeReferencesDeep":false,"excludeExportDetails":true} + x-metaTags: + - content: Kibana + name: product_name + /api/saved_objects/_find: + get: + deprecated: true + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/saved_objects/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + WARNING: This API is deprecated. This is a legacy Saved Objects API and may be removed in a future version of Kibana. + + Searches for Kibana saved objects. + + For transferring or backing up saved objects, prefer the export API (`POST /api/saved_objects/_export`). + operationId: get-saved-objects-find parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf + - description: The number of items per page. + in: query + name: per_page + required: false + schema: + default: 20 + minimum: 0 + type: number + - description: The page index to return. + in: query + name: page + required: false + schema: + default: 1 + minimum: 0 + type: number + - description: The saved object type or types to search for. Use multiple `type` values to search across types. + in: query + name: type required: true schema: - example: 'true' + items: + type: string + maxItems: 100 + type: array + - description: A text search string. + in: query + name: search + required: false + schema: type: string - - description: The ID of the proxy - in: path - name: itemId - required: true + - description: The boolean operator to use when combining multiple values. + in: query + name: default_search_operator + required: false schema: + default: OR + enum: + - OR + - AND type: string - responses: - '200': - content: - application/json: - examples: - deleteFleetProxyExample: - description: The Fleet proxy was successfully deleted - value: - id: proxy-id-1 - schema: - additionalProperties: false + - description: The fields to search on. + in: query + name: search_fields + required: false + schema: + items: + type: string + maxItems: 100 + type: array + - description: The field to sort on. 
+ in: query + name: sort_field + required: false + schema: + type: string + - description: Return only saved objects that have a reference to the specified saved object(s). + in: query + name: has_reference + required: false + schema: + anyOf: + - additionalProperties: false type: object properties: id: type: string + type: + type: string required: + - type - id - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error + - items: + additionalProperties: false + type: object + properties: + id: + type: string + type: + type: string + required: + - type + - id + maxItems: 100 + type: array + - description: The boolean operator to use when combining multiple values. + in: query + name: has_reference_operator + required: false + schema: + default: OR + enum: + - OR + - AND + type: string + - description: Return only saved objects that do not have a reference to the specified saved object(s). + in: query + name: has_no_reference + required: false + schema: + anyOf: + - additionalProperties: false type: object properties: - attributes: - nullable: true - error: - type: string - errorType: + id: type: string - message: + type: type: string - statusCode: - type: number required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No proxy was found with the given ID - value: - error: Not Found - message: Fleet proxy proxy-id-1 not found - statusCode: 404 - description: Not Found - summary: Delete a proxy - tags: - - Fleet proxies - get: - description: >- - Get a proxy by ID.

[Required authorization] Route required - privileges: fleet-settings-read. - operationId: get-fleet-proxies-itemid - parameters: - - description: The ID of the proxy - in: path - name: itemId - required: true + - type + - id + - items: + additionalProperties: false + type: object + properties: + id: + type: string + type: + type: string + required: + - type + - id + maxItems: 100 + type: array + - description: The boolean operator to use when combining multiple values. + in: query + name: has_no_reference_operator + required: false schema: + default: OR + enum: + - OR + - AND type: string - responses: - '200': - content: - application/json: - examples: - getFleetProxyExample: - description: A Fleet proxy - value: - item: - id: proxy-id-1 - is_preconfigured: false - name: My proxy - url: http://proxy.example.com:3128 - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - certificate: - nullable: true - type: string - certificate_authorities: - nullable: true - type: string - certificate_key: - nullable: true - type: string - id: - type: string - is_preconfigured: - default: false - type: boolean - name: - type: string - proxy_headers: - additionalProperties: - anyOf: - - type: string - - type: boolean - - type: number - nullable: true - type: object - url: - type: string - required: - - id - - url - - name - required: - - item - description: Successful response - '400': + - description: The fields to return for each saved object. + in: query + name: fields + required: false + schema: + items: + type: string + maxItems: 100 + type: array + - description: A KQL filter to apply to the search. + in: query + name: filter + required: false + schema: + type: string + - description: Aggregations as a JSON string. + in: query + name: aggs + required: false + schema: + type: string + - description: The namespaces (spaces) to search in. 
+ in: query + name: namespaces + required: false + schema: + items: + type: string + maxItems: 100 + type: array + responses: + '200': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + findSavedObjectsResponse: + summary: A page of saved objects value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': + page: 1 + per_page: 20 + saved_objects: + - attributes: + title: Example dashboard 1 + id: example-dashboard-1 + managed: false + namespaces: + - default + references: [] + type: dashboard + updated_at: '2026-04-17T12:00:00.000Z' + version: WzEsMV0= + total: 1 + description: A search response. + '400': content: application/json: examples: - notFoundExample: - description: No proxy was found with the given ID + badRequestResponse: + summary: A bad request error value: - error: Not Found - message: Fleet proxy proxy-id-1 not found - statusCode: 404 - description: Not Found - summary: Get a proxy + error: Bad Request + message: 'This type dashboard is not allowed: Bad Request' + statusCode: 400 + description: A bad request. + summary: Search for saved objects tags: - - Fleet proxies - put: - description: >- - Update a proxy by ID.

[Required authorization] Route required - privileges: fleet-settings-all. - operationId: put-fleet-proxies-itemid + - saved objects + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/saved_objects/_find?type=dashboard&fields=title&per_page=20&page=1" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/saved_objects/_find?type=dashboard&fields=title&per_page=20&page=1 + x-metaTags: + - content: Kibana + name: product_name + /api/saved_objects/_import: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/saved_objects/_import
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create sets of Kibana saved objects from a file created by the export API. Saved objects can only be imported into the same version, a newer minor on the same major, or the next major. Tampering with exported data risks introducing unspecified errors and data loss. + + Exported saved objects are not backwards compatible and cannot be imported into an older version of Kibana. + + NOTE: The exported saved objects include `coreMigrationVersion` and `typeMigrationVersion` metadata. If you store exported saved objects outside of Kibana (for example in NDJSON files) or generate them yourself, you must preserve or include these fields to retain forwards compatibility across Kibana versions. + operationId: post-saved-objects-import parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -35409,503 +51635,298 @@ paths: schema: example: 'true' type: string - - description: The ID of the proxy - in: path - name: itemId - required: true + - description: 'Overwrites saved objects when they already exist. When used, potential conflict errors are automatically resolved by overwriting the destination object. NOTE: This option cannot be used with the `createNewCopies` option.' + in: query + name: overwrite + required: false schema: - type: string + default: false + type: boolean + - description: 'Creates copies of saved objects, regenerates each object ID, and resets the origin. When used, potential conflict errors are avoided. NOTE: This option cannot be used with the `overwrite` and `compatibilityMode` options.' + in: query + name: createNewCopies + required: false + schema: + default: false + type: boolean + - description: 'Applies various adjustments to the saved objects that are being imported to maintain compatibility between different Kibana versions. Use this option only if you encounter issues with imported saved objects. NOTE: This option cannot be used with the `createNewCopies` option.' + in: query + name: compatibilityMode + required: false + schema: + default: false + type: boolean requestBody: content: - application/json: + multipart/form-data: examples: - putFleetProxyRequestExample: - description: Update a Fleet proxy + importObjectsRequest: + summary: Import saved objects from an NDJSON file value: - name: Updated proxy - url: http://updated-proxy.example.com:3128 + file: file.ndjson schema: additionalProperties: false type: object properties: - certificate: - nullable: true - type: string - certificate_authorities: - nullable: true - type: string - certificate_key: - nullable: true - type: string - name: - type: string - proxy_headers: - additionalProperties: - anyOf: - - type: string - - type: boolean - - type: number - nullable: true + file: + description: 'A file exported using the export API. 
Changing the contents of the exported file in any way before importing it can cause errors, crashes or data loss. NOTE: The `savedObjects.maxImportExportSize` configuration setting limits the number of saved objects which may be included in this file. Similarly, the `savedObjects.maxImportPayloadBytes` setting limits the overall size of the file that can be imported.' type: object - url: - type: string required: - - certificate_authorities - - certificate - - certificate_key + - file responses: '200': content: application/json: examples: - putFleetProxyExample: - description: The updated Fleet proxy + importObjectsResponse: + summary: A successful import response value: - item: - id: proxy-id-1 - is_preconfigured: false - name: Updated proxy - url: http://updated-proxy.example.com:3128 + errors: [] + success: true + successCount: 1 + successResults: + - destinationId: example-dashboard-1-copy + id: example-dashboard-1 + managed: false + type: dashboard schema: additionalProperties: false type: object properties: - item: - additionalProperties: false - type: object - properties: - certificate: - nullable: true - type: string - certificate_authorities: - nullable: true - type: string - certificate_key: - nullable: true - type: string - id: - type: string - is_preconfigured: - default: false - type: boolean - name: - type: string - proxy_headers: - additionalProperties: - anyOf: - - type: string - - type: boolean - - type: number - nullable: true - type: object - url: - type: string - required: - - id - - url - - name + errors: + description: |- + Indicates the import was unsuccessful and specifies the objects that failed to import. + + NOTE: One object may result in multiple errors, which requires separate steps to resolve. For instance, a `missing_references` error and conflict error. + items: + additionalProperties: true + type: object + properties: {} + type: array + success: + description: Indicates when the import was successfully completed. 
When set to false, some objects may not have been created. For additional information, refer to the `errors` and `successResults` properties. + type: boolean + successCount: + description: Indicates the number of successfully imported records. + type: number + successResults: + description: |- + Indicates the objects that are successfully imported, with any metadata if applicable. + + NOTE: Objects are created only when all resolvable errors are addressed, including conflicts and missing references. If objects are created as new copies, each entry in the `successResults` array includes a `destinationId` attribute. + items: + additionalProperties: true + type: object + properties: {} + type: array required: - - item - description: Successful response + - success + - successCount + - errors + - successResults + description: Indicates a successful call. '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequestResponse: + summary: A bad request error value: error: Bad Request - message: An error message describing what went wrong + message: Invalid file extension .txt statusCode: 400 schema: additionalProperties: false - description: Generic Error + description: Indicates an unsuccessful response. type: object properties: - attributes: - nullable: true error: type: string - errorType: - type: string message: type: string statusCode: - type: number + enum: + - 400 + type: integer required: + - error - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No proxy was found with the given ID - value: - error: Not Found - message: Proxy proxy-id-1 not found - statusCode: 404 - description: Not Found - summary: Update a proxy + - statusCode + description: Bad request. 
+ summary: Import saved objects tags: - - Fleet proxies - /api/fleet/remote_synced_integrations/{outputId}/remote_status: - get: - description: >- - Get the synchronization status of remote integrations for a specific - output by its ID.

[Required authorization] Route required - privileges: fleet-settings-read AND integrations-read. - operationId: get-fleet-remote-synced-integrations-outputid-remote-status + - saved objects + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/saved_objects/_import?createNewCopies=true" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + --form file=@file.ndjson + - lang: Console + source: | + POST kbn://api/saved_objects/_import?createNewCopies=true + x-metaTags: + - content: Kibana + name: product_name + /api/saved_objects/_resolve_import_errors: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/saved_objects/_resolve_import_errors
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + To resolve errors from the import objects API, you can retry certain saved objects, overwrite specific saved objects, and change references to different saved objects + operationId: post-saved-objects-resolve-import-errors parameters: - - description: The ID of the output - in: path - name: outputId + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: + example: 'true' type: string - responses: - '200': - content: - application/json: - examples: - getRemoteSyncedIntegrationsInfoExample: - description: >- - Synchronization status of remote integrations for a specific - output - value: - integrations: - - id: nginx-remote - install_status: - main: installed - remote: installed - package_name: nginx - package_version: 1.20.0 - sync_status: COMPLETED - updated_at: '2024-01-01T00:00:00.000Z' - schema: - additionalProperties: false - type: object - properties: - custom_assets: - additionalProperties: - additionalProperties: false - type: object - properties: - error: - type: string - is_deleted: - type: boolean - name: - type: string - package_name: - type: string - package_version: - type: string - sync_status: - enum: - - completed - - synchronizing - - failed - - warning - type: string - type: - type: string - warning: - additionalProperties: false - type: object - properties: - message: - type: string - title: - type: string - required: - - title - required: - - type - - name - - package_name - - package_version - - sync_status - type: object - error: - type: string - integrations: - items: - additionalProperties: false - type: object - properties: - error: - type: string - id: - type: string - install_status: - additionalProperties: false - type: object - properties: - main: - type: string - remote: - type: string - required: - - main - package_name: - type: string - package_version: - type: 
string - sync_status: - enum: - - completed - - synchronizing - - failed - - warning - type: string - updated_at: - type: string - warning: - additionalProperties: false - type: object - properties: - message: - type: string - title: - type: string - required: - - title - required: - - sync_status - - install_status - maxItems: 10000 - type: array - warning: + - description: Creates copies of saved objects, regenerates each object ID, and resets the origin. + in: query + name: createNewCopies + required: false + schema: + default: false + type: boolean + - description: Applies adjustments to maintain compatibility between different Kibana versions. + in: query + name: compatibilityMode + required: false + schema: + default: false + type: boolean + requestBody: + content: + multipart/form-data: + examples: + resolveImportErrorsRequest: + summary: Resolve import errors by retrying objects + value: + file: file.ndjson + retries: + - id: example-dashboard-1 + overwrite: true + replaceReferences: [] + type: dashboard + schema: + additionalProperties: false + type: object + properties: + file: + type: object + retries: + items: additionalProperties: false type: object properties: - message: + createNewCopy: + type: boolean + destinationId: type: string - title: + id: type: string - required: - - title - required: - - integrations - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get remote synced integrations status by outputId - tags: - - Fleet 
remote synced integrations - x-state: Generally available; added in 9.1.0 - /api/fleet/remote_synced_integrations/status: - get: - description: >- - Get the synchronization status of all remote integrations across - connected remote clusters.

[Required authorization] Route - required privileges: fleet-settings-read AND integrations-read. - operationId: get-fleet-remote-synced-integrations-status - parameters: [] - responses: - '200': - content: - application/json: - examples: - getRemoteSyncedIntegrationsStatusExample: - description: >- - Synchronization status of remote integrations across - connected remote clusters - value: - integrations: - - id: nginx-remote - install_status: - main: installed - remote: installed - package_name: nginx - package_version: 1.20.0 - sync_status: COMPLETED - updated_at: '2024-01-01T00:00:00.000Z' - - error: Failed to sync package to remote cluster - id: system-remote - install_status: - main: installed - remote: not_installed - package_name: system - package_version: 1.38.0 - sync_status: FAILED - updated_at: '2024-01-01T00:00:00.000Z' - schema: - additionalProperties: false - type: object - properties: - custom_assets: - additionalProperties: - additionalProperties: false - type: object - properties: - error: - type: string - is_deleted: - type: boolean - name: - type: string - package_name: - type: string - package_version: - type: string - sync_status: - enum: - - completed - - synchronizing - - failed - - warning - type: string - type: - type: string - warning: - additionalProperties: false - type: object - properties: - message: - type: string - title: - type: string - required: - - title - required: - - type - - name - - package_name - - package_version - - sync_status - type: object - error: - type: string - integrations: - items: - additionalProperties: false - type: object - properties: - error: - type: string - id: - type: string - install_status: + ignoreMissingReferences: + type: boolean + overwrite: + default: false + type: boolean + replaceReferences: + default: [] + items: additionalProperties: false type: object properties: - main: + from: type: string - remote: - type: string - required: - - main - package_name: - type: string - package_version: - type: 
string - sync_status: - enum: - - completed - - synchronizing - - failed - - warning - type: string - updated_at: - type: string - warning: - additionalProperties: false - type: object - properties: - message: + to: type: string - title: + type: type: string required: - - title - required: - - sync_status - - install_status - maxItems: 10000 - type: array - warning: - additionalProperties: false - type: object - properties: - message: - type: string - title: + - type + - from + - to + maxItems: 100 + type: array + type: type: string required: - - title - required: - - integrations - description: Successful response + - type + - id + maxItems: 10000 + type: array + required: + - file + - retries + responses: + '200': + content: + application/json: + examples: + resolveImportErrorsResponse: + summary: A successful resolve import errors response + value: + errors: [] + success: true + successCount: 1 + successResults: + - id: example-dashboard-1 + managed: false + type: dashboard + description: A successful resolve import errors response. '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequestResponse: + summary: A bad request error value: error: Bad Request - message: An error message describing what went wrong + message: Invalid file extension .txt statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get remote synced integrations status + description: A bad request. 
+ summary: Resolve import errors tags: - - Fleet remote synced integrations - x-state: Generally available; added in 9.1.0 - /api/fleet/service_tokens: + - saved objects + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/saved_objects/_resolve_import_errors" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + --form file=@file.ndjson \ + --form retries='[{"type":"dashboard","id":"example-dashboard-1","overwrite":true,"replaceReferences":[]}]' + - lang: Console + source: | + POST kbn://api/saved_objects/_resolve_import_errors + x-metaTags: + - content: Kibana + name: product_name + /api/saved_objects/{type}: post: - description: >- - Create a Fleet Server service token. The token is used to enroll Fleet - Server instances with Kibana.

[Required authorization] Route - required privileges: fleet-agents-all. - operationId: post-fleet-service-tokens + deprecated: true + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/saved_objects/{type}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + WARNING: This API is deprecated. This is a legacy Saved Objects API and may be removed in a future version of Kibana. + + Creates a Kibana saved object; if an ID is provided it is used, otherwise Kibana generates one. + + For transferring or backing up saved objects, prefer the import and export APIs (`POST /api/saved_objects/_import` and `POST /api/saved_objects/_export`). + operationId: post-saved-objects-type parameters: - description: A required header to protect against CSRF attacks in: header 
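Review bot: The multipart `file` property on `/api/saved_objects/_import` and `/api/saved_objects/_resolve_import_errors` is declared as `type: object`, which does not describe an uploaded file part in OpenAPI 3; generated clients and request validators built from this spec will expect a JSON object instead of a binary part, and the `savedObjects.maxImportPayloadBytes` limit mentioned in the description cannot be expressed against it. The conventional declaration is `file:` with `type: string` and `format: binary`. The `_resolve_import_errors` `'200'` and `'400'` responses also carry only an example and a description (the old `'400'` schema is removed and not replaced), while the sibling `_import` operation documents a full schema for the same `errors`/`success`/`successCount`/`successResults` and error shapes, so the two operations should be aligned. If this bundle is generated from the route schemas, the fix belongs in the route definitions that produce it rather than in this file.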
@@ -35914,6735 +51935,15721 @@ paths: schema: example: 'true' type: string + - description: The saved object type. + in: path + name: type + required: true + schema: + type: string + - description: Overwrite an existing saved object. + in: query + name: overwrite + required: false + schema: + default: false + type: boolean requestBody: content: application/json: examples: - postGenerateServiceTokenRequestExample: - description: Generate a service token for a remote Fleet Server + createDashboardRequest: + summary: Create a dashboard saved object value: - remote: true + attributes: + title: Example dashboard + references: [] schema: additionalProperties: false - nullable: true type: object properties: - remote: - default: false - type: boolean + attributes: + additionalProperties: + nullable: true + type: object + coreMigrationVersion: + type: string + initialNamespaces: + items: + type: string + maxItems: 100 + minItems: 1 + type: array + migrationVersion: + additionalProperties: + type: string + type: object + references: + items: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + type: + type: string + required: + - name + - type + - id + maxItems: 1000 + type: array + typeMigrationVersion: + type: string + required: + - attributes responses: '200': content: application/json: examples: - postGenerateServiceTokenExample: - description: The generated Fleet Server service token + createDashboardResponse: + summary: A created saved object value: - name: elastic/fleet-server/token-1234567890 - value: >- - AAEAAWVsYXN0aWMvZmxlZXQtc2VydmVyL3Rva2VuLTEyMzQ1Njc4OTA6QUJDREVGR0hJSktMTU5P - schema: - additionalProperties: false - type: object - properties: - name: - type: string + attributes: + title: Example dashboard + id: example-dashboard-id + managed: false + namespaces: + - default + references: [] + type: dashboard + updated_at: '2026-04-17T12:00:00.000Z' + version: WzEsMV0= + description: A successful create 
response. + '409': + content: + application/json: + examples: + conflictResponse: + summary: A conflict error value: - type: string - required: - - name - - value - description: Successful response + error: Conflict + message: Saved object [dashboard/example-dashboard-id] conflict + statusCode: 409 + description: A conflict error. + summary: Create a saved object + tags: + - saved objects + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/saved_objects/dashboard/example-dashboard-id?overwrite=false" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{"attributes":{"title":"Example dashboard"},"references":[]}' + - lang: Console + source: | + POST kbn://api/saved_objects/dashboard/example-dashboard-id?overwrite=false + {"attributes":{"title":"Example dashboard"},"references":[]} + x-metaTags: + - content: Kibana + name: product_name + /api/saved_objects/{type}/{id}: + delete: + deprecated: true + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/saved_objects/{type}/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + WARNING: This API is deprecated. This is a legacy Saved Objects API and may be removed in a future version of Kibana. + + Deletes a single Kibana saved object by type and ID. + + There is currently no complete replacement for deleting arbitrary saved objects via an HTTP API. + operationId: delete-saved-objects-type-id + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The saved object type. + in: path + name: type + required: true + schema: + type: string + - description: The saved object identifier. + in: path + name: id + required: true + schema: + type: string + - description: When true, force deletion of multi-namespace objects from all namespaces. + in: query + name: force + required: false + schema: + type: boolean + responses: + '200': + content: + application/json: + examples: + deleteSavedObjectResponse: + summary: Successful delete + value: {} + description: A successful delete response. + '404': + content: + application/json: + examples: + notFoundResponse: + summary: A not found error + value: + error: Not Found + message: Saved object [dashboard/does-not-exist] not found + statusCode: 404 + description: Not found. + summary: Delete a saved object + tags: + - saved objects + x-codeSamples: + - lang: curl + source: | + curl \ + -X DELETE "${KIBANA_URL}/api/saved_objects/dashboard/example-dashboard-1?force=false" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" + - lang: Console + source: | + DELETE kbn://api/saved_objects/dashboard/example-dashboard-1?force=false + x-metaTags: + - content: Kibana + name: product_name + get: + deprecated: true + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/saved_objects/{type}/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + WARNING: This API is deprecated. This is a legacy Saved Objects API and may be removed in a future version of Kibana. + + Retrieves a single Kibana saved object by type and ID. + + For transferring or backing up saved objects, prefer the export API (`POST /api/saved_objects/_export`). + operationId: get-saved-objects-type-id + parameters: + - description: The saved object type. + in: path + name: type + required: true + schema: + type: string + - description: The saved object identifier. + in: path + name: id + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getSavedObjectResponse: + summary: A saved object + value: + attributes: + title: Example dashboard 1 + id: example-dashboard-1 + managed: false + namespaces: + - default + references: [] + type: dashboard + updated_at: '2026-04-17T12:00:00.000Z' + version: WzEsMV0= + description: A saved object. '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequestResponse: + summary: A bad request error value: error: Bad Request - message: An error message describing what went wrong + message: 'Unsupported saved object type(s): unknownType' statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: + description: A bad request. + summary: Get a saved object + tags: + - saved objects + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/saved_objects/dashboard/example-dashboard-1" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/saved_objects/dashboard/example-dashboard-1 + x-metaTags: + - content: Kibana + name: product_name + post: + deprecated: true + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/saved_objects/{type}/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + WARNING: This API is deprecated. This is a legacy Saved Objects API and may be removed in a future version of Kibana. + + Creates a Kibana saved object; if an ID is provided it is used, otherwise Kibana generates one. + + For transferring or backing up saved objects, prefer the import and export APIs (`POST /api/saved_objects/_import` and `POST /api/saved_objects/_export`). + operationId: post-saved-objects-type-id + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The saved object type. + in: path + name: type + required: true + schema: + type: string + - description: The saved object identifier. + in: path + name: id + required: true + schema: + type: string + - description: Overwrite an existing saved object. + in: query + name: overwrite + required: false + schema: + default: false + type: boolean + requestBody: + content: + application/json: + examples: + createDashboardRequest: + summary: Create a dashboard saved object + value: attributes: + title: Example dashboard + references: [] + schema: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: nullable: true - error: - type: string - errorType: + type: object + coreMigrationVersion: + type: string + initialNamespaces: + items: type: string - message: + maxItems: 100 + minItems: 1 + type: array + migrationVersion: + additionalProperties: type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Create a service token - tags: - - Fleet service tokens - /api/fleet/settings: - get: - description: >- - Get the global Fleet settings.

[Required authorization] Route - required privileges: fleet-settings-read. - operationId: get-fleet-settings - parameters: [] + type: object + references: + items: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + type: + type: string + required: + - name + - type + - id + maxItems: 1000 + type: array + typeMigrationVersion: + type: string + required: + - attributes responses: '200': content: application/json: examples: - getSettingsExample: - description: The current Fleet settings + createDashboardResponse: + summary: A created saved object value: - item: - delete_unenrolled_agents: - enabled: false - is_preconfigured: false - has_seen_add_data_notice: true - id: fleet-default-settings - output_secret_storage_requirements_met: true - prerelease_integrations_enabled: false - secret_storage_requirements_met: true - version: WzEsMV0= - schema: - additionalProperties: false - type: object - properties: - item: + attributes: + title: Example dashboard + id: example-dashboard-id + managed: false + namespaces: + - default + references: [] + type: dashboard + updated_at: '2026-04-17T12:00:00.000Z' + version: WzEsMV0= + description: A successful create response. + '409': + content: + application/json: + examples: + conflictResponse: + summary: A conflict error + value: + error: Conflict + message: Saved object [dashboard/example-dashboard-id] conflict + statusCode: 409 + description: A conflict error. 
+ summary: Create a saved object + tags: + - saved objects + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/saved_objects/dashboard/example-dashboard-id?overwrite=false" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{"attributes":{"title":"Example dashboard"},"references":[]}' + - lang: Console + source: | + POST kbn://api/saved_objects/dashboard/example-dashboard-id?overwrite=false + {"attributes":{"title":"Example dashboard"},"references":[]} + x-metaTags: + - content: Kibana + name: product_name + put: + deprecated: true + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/saved_objects/{type}/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + WARNING: This API is deprecated. This is a legacy Saved Objects API and may be removed in a future version of Kibana. + + Updates a single Kibana saved object by type and ID. + + For transferring or backing up saved objects, prefer the import and export APIs (`POST /api/saved_objects/_import` and `POST /api/saved_objects/_export`). + operationId: put-saved-objects-type-id + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The saved object type. + in: path + name: type + required: true + schema: + type: string + - description: The saved object identifier. + in: path + name: id + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + updateDashboardRequest: + summary: Update a dashboard saved object + value: + attributes: + title: Updated dashboard title + references: [] + schema: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: + nullable: true + type: object + references: + items: additionalProperties: false type: object properties: - action_secret_storage_requirements_met: - type: boolean - delete_unenrolled_agents: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - is_preconfigured: - type: boolean - required: - - enabled - - is_preconfigured - download_source_auth_secret_storage_requirements_met: - type: boolean - has_seen_add_data_notice: - type: boolean id: type: string - ilm_migration_status: - additionalProperties: false - type: object - properties: - logs: - enum: - - success - nullable: true - type: string - metrics: - enum: - - success - nullable: true - type: string - synthetics: - enum: - - success - nullable: true - type: string - integration_knowledge_enabled: - type: boolean - 
output_secret_storage_requirements_met: - type: boolean - preconfigured_fields: - items: - enum: - - fleet_server_hosts - type: string - maxItems: 1 - type: array - prerelease_integrations_enabled: - type: boolean - secret_storage_requirements_met: - type: boolean - ssl_secret_storage_requirements_met: - type: boolean - use_space_awareness_migration_started_at: - nullable: true - type: string - use_space_awareness_migration_status: - enum: - - pending - - success - - error + name: type: string - version: + type: type: string - required: - - item - description: Successful response - '400': + required: + - name + - type + - id + maxItems: 1000 + type: array + upsert: + additionalProperties: + nullable: true + type: object + version: + type: string + required: + - attributes + responses: + '200': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + updateDashboardResponse: + summary: An updated saved object value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request + attributes: + title: Updated dashboard title + id: example-dashboard-1 + managed: false + namespaces: + - default + references: [] + type: dashboard + updated_at: '2026-04-17T12:00:00.000Z' + version: WzIsMV0= + description: A successful update response. 
'404': content: application/json: examples: - notFoundExample: - description: Fleet settings have not been initialized + notFoundResponse: + summary: A not found error value: error: Not Found - message: Settings not found + message: Saved object [dashboard/does-not-exist] not found statusCode: 404 - schema: - additionalProperties: false - type: object - properties: - message: - type: string - required: - - message - description: Not Found - summary: Get settings + description: Not found. + '409': + content: + application/json: + examples: + conflictResponse: + summary: A conflict error + value: + error: Conflict + message: Saved object [dashboard/example-dashboard-1] conflict + statusCode: 409 + description: A conflict error. + summary: Update a saved object tags: - - Fleet internals - put: - description: >- - Update the global Fleet settings.

[Required authorization] - Route required privileges: fleet-settings-all. - operationId: put-fleet-settings + - saved objects + x-codeSamples: + - lang: curl + source: | + curl \ + -X PUT "${KIBANA_URL}/api/saved_objects/dashboard/example-dashboard-1" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{"attributes":{"title":"Updated dashboard title"},"references":[]}' + - lang: Console + source: | + PUT kbn://api/saved_objects/dashboard/example-dashboard-1 + {"attributes":{"title":"Updated dashboard title"},"references":[]} + x-metaTags: + - content: Kibana + name: product_name + /api/saved_objects/resolve/{type}/{id}: + get: + deprecated: true + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/saved_objects/resolve/{type}/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + WARNING: This API is deprecated. This is a legacy Saved Objects API and may be removed in a future version of Kibana. + + Retrieve a single Kibana saved object by ID, using any legacy URL alias if it exists. + + Under certain circumstances, when Kibana is upgraded, saved object migrations may necessitate regenerating some object IDs to enable new features. When an object's ID is regenerated, a legacy URL alias is created for that object, preserving its old ID. In such a scenario, that object can be retrieved with the resolve API using either its new ID or its old ID. + operationId: get-saved-objects-resolve-type-id parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf + - description: The saved object type. + in: path + name: type + required: true + schema: + type: string + - description: The saved object identifier. + in: path + name: id required: true schema: - example: 'true' type: string + responses: + '200': + content: + application/json: + examples: + resolveSavedObjectResponse: + summary: A resolved saved object (alias match) + value: + alias_target_id: example-dashboard-2 + outcome: aliasMatch + saved_object: + attributes: + title: Example dashboard 2 + id: example-dashboard-2 + managed: false + namespaces: + - default + references: [] + type: dashboard + updated_at: '2026-04-17T12:00:00.000Z' + version: WzEsMl0= + description: A resolve response. + '400': + content: + application/json: + examples: + badRequestResponse: + summary: A bad request error + value: + error: Bad Request + message: 'Unsupported saved object type(s): unknownType' + statusCode: 400 + description: A bad request. 
+ summary: Resolve a saved object + tags: + - saved objects + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/saved_objects/resolve/dashboard/legacy-id" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/saved_objects/resolve/dashboard/legacy-id + x-metaTags: + - content: Kibana + name: product_name + /api/security_ai_assistant/anonymization_fields/_bulk_action: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/security_ai_assistant/anonymization_fields/_bulk_action
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Apply a bulk action to multiple anonymization fields. The bulk action is applied to all anonymization fields that match the filter or to the list of anonymization fields by their IDs. + operationId: PerformAnonymizationFieldsBulkAction requestBody: content: application/json: examples: - putSettingsRequestExample: - description: Update Fleet settings to enable pre-release integrations + PerformAnonymizationFieldsBulkActionRequest: value: - prerelease_integrations_enabled: true + create: + - allowed: true + anonymized: false + field: host.name + - allowed: false + anonymized: true + field: user.name + delete: + ids: + - field5 + - field6 + query: 'field: host.name' + update: + - allowed: true + anonymized: false + id: field8 + - allowed: false + anonymized: true + id: field9 schema: - additionalProperties: false + example: + create: + - allowed: true + anonymized: false + field: host.name + - allowed: false + anonymized: true + field: user.name + delete: + ids: + - field5 + - field6 + query: 'field: host.name' + update: + - allowed: true + anonymized: false + id: field8 + - allowed: false + anonymized: true + id: field9 type: object properties: - additional_yaml_config: - deprecated: true - type: string - delete_unenrolled_agents: - additionalProperties: false + create: + description: Array of anonymization fields to create. + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldCreateProps' + type: array + delete: + description: Object containing the query to filter anonymization fields and/or an array of anonymization field IDs to delete. 
type: object properties: - enabled: - type: boolean - is_preconfigured: - type: boolean - required: - - enabled - - is_preconfigured - has_seen_add_data_notice: - deprecated: true - type: boolean - integration_knowledge_enabled: - type: boolean - kibana_ca_sha256: - deprecated: true - type: string - kibana_urls: - deprecated: true + ids: + description: Array of IDs to apply the action to. + example: + - '1234' + - '5678' + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter the bulk action. + example: 'status: ''inactive''' + type: string + update: + description: Array of anonymization fields to update. items: - format: uri - type: string - maxItems: 10 + $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldUpdateProps' type: array - prerelease_integrations_enabled: - type: boolean responses: '200': content: application/json: examples: - putSettingsExample: - description: The updated Fleet settings + PerformAnonymizationFieldsBulkActionResponse200Example: value: - item: - delete_unenrolled_agents: - enabled: false - is_preconfigured: false - has_seen_add_data_notice: true - id: fleet-default-settings - output_secret_storage_requirements_met: true - prerelease_integrations_enabled: true - secret_storage_requirements_met: true - version: WzIsMV0= + anonymization_fields_count: 4 + attributes: + results: + created: + - allowed: false + anonymized: true + createdAt: '2023-10-31T12:00:00Z' + createdBy: user1 + field: host.name + id: field2 + namespace: default + timestamp: '2023-10-31T12:00:00Z' + updatedAt: '2023-10-31T12:00:00Z' + updatedBy: user1 + deleted: + - field3 + skipped: + - id: field4 + name: user.name + skip_reason: ANONYMIZATION_FIELD_NOT_MODIFIED + updated: + - allowed: true + anonymized: false + createdAt: '2023-10-31T12:00:00Z' + createdBy: user1 + field: url.domain + id: field8 + namespace: default + timestamp: '2023-10-31T12:00:00Z' + updatedAt: '2023-10-31T12:00:00Z' + updatedBy: user1 + 
summary: + failed: 0 + skipped: 1 + succeeded: 3 + total: 4 + message: Bulk action completed successfully + status_code: 200 + success: true + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResponse' + description: Indicates a successful call. + '400': + content: + application/json: + examples: + PerformAnonymizationFieldsBulkActionResponse400Example: + value: + error: Bad Request + message: Invalid request body + statusCode: 400 schema: - additionalProperties: false type: object properties: - item: - additionalProperties: false + error: + description: Error type or name. + type: string + message: + description: Detailed error message. + type: string + statusCode: + description: Status code of the response. + type: number + description: Bad Request response. + summary: Apply a bulk action to anonymization fields + tags: + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request POST 'http://localhost:5601/api/security_ai_assistant/anonymization_fields/_bulk_action' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" \ + --data '{"create":[{"field":"host.name","allowed":true,"anonymized":false}]}' + x-metaTags: + - content: Kibana + name: product_name + /api/security_ai_assistant/anonymization_fields/_find: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/security_ai_assistant/anonymization_fields/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all anonymization fields. + operationId: FindAnonymizationFields + parameters: + - description: Fields to return + example: + - id + - field + - anonymized + - allowed + in: query + name: fields + required: false + schema: + items: + type: string + type: array + - description: Search query + example: 'field: "user.name"' + in: query + name: filter + required: false + schema: + type: string + - description: Field to sort by + example: created_at + in: query + name: sort_field + required: false + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_FindAnonymizationFieldsSortField' + - description: Sort order + example: asc + in: query + name: sort_order + required: false + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' + - description: Page number + example: 1 + in: query + name: page + required: false + schema: + default: 1 + minimum: 1 + type: integer + - description: AnonymizationFields per page + example: 20 + in: query + name: per_page + required: false + schema: + default: 20 + minimum: 0 + type: integer + - description: If true, additionally fetch all anonymization fields, otherwise fetch only the provided page + in: query + name: all_data + required: false + schema: + type: boolean + responses: + '200': + content: + application/json: + examples: + FindAnonymizationFieldsResponse200Example: + value: + aggregations: + field_status: + buckets: + allowed: + doc_count: 1 + anonymized: + doc_count: 1 + denied: + doc_count: 1 + all: + - allowed: true + anonymized: true + createdAt: '2023-10-31T12:00:00Z' + createdBy: user1 + field: user.name + id: '1' + namespace: default + timestamp: '2023-10-31T12:00:00Z' + updatedAt: '2023-10-31T12:00:00Z' + updatedBy: user1 + data: + - allowed: true + anonymized: true + createdAt: '2023-10-31T12:00:00Z' + createdBy: user1 + field: user.name + id: '1' + namespace: default + 
timestamp: '2023-10-31T12:00:00Z' + updatedAt: '2023-10-31T12:00:00Z' + updatedBy: user1 + page: 1 + perPage: 20 + total: 100 + schema: + type: object + properties: + aggregations: type: object properties: - action_secret_storage_requirements_met: - type: boolean - delete_unenrolled_agents: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - is_preconfigured: - type: boolean - required: - - enabled - - is_preconfigured - download_source_auth_secret_storage_requirements_met: - type: boolean - has_seen_add_data_notice: - type: boolean - id: - type: string - ilm_migration_status: - additionalProperties: false + field_status: type: object properties: - logs: - enum: - - success - nullable: true - type: string - metrics: - enum: - - success - nullable: true - type: string - synthetics: - enum: - - success - nullable: true - type: string - integration_knowledge_enabled: - type: boolean - output_secret_storage_requirements_met: - type: boolean - preconfigured_fields: - items: - enum: - - fleet_server_hosts - type: string - maxItems: 1 - type: array - prerelease_integrations_enabled: - type: boolean - secret_storage_requirements_met: - type: boolean - ssl_secret_storage_requirements_met: - type: boolean - use_space_awareness_migration_started_at: - nullable: true - type: string - use_space_awareness_migration_status: - enum: - - pending - - success - - error - type: string - version: - type: string + buckets: + type: object + properties: + allowed: + type: object + properties: + doc_count: + default: 0 + type: integer + anonymized: + type: object + properties: + doc_count: + default: 0 + type: integer + denied: + type: object + properties: + doc_count: + default: 0 + type: integer + all: + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse' + type: array + data: + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse' + type: array + page: + type: integer + 
perPage: + type: integer + total: + type: integer required: - - item - description: Successful response + - page + - perPage + - total + - data + description: Indicates a successful call. '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + FindAnonymizationFieldsResponse400Example: value: error: Bad Request - message: An error message describing what went wrong + message: Invalid request parameters statusCode: 400 schema: - additionalProperties: false - description: Generic Error type: object properties: - attributes: - nullable: true error: type: string - errorType: - type: string message: type: string statusCode: type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: Fleet settings have not been initialized - value: - error: Not Found - message: Settings not found - statusCode: 404 - schema: - additionalProperties: false - type: object - properties: - message: - type: string - required: - - message - description: Not Found - summary: Update settings + description: Bad Request response. + summary: Get anonymization fields tags: - - Fleet internals - /api/fleet/setup: + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request GET 'http://localhost:5601/api/security_ai_assistant/anonymization_fields/_find?page=1&per_page=20' \ + --header "Authorization: $API_KEY" + x-metaTags: + - content: Kibana + name: product_name + /api/security_ai_assistant/chat/complete: post: - description: >- - Initialize Fleet and create the necessary Elasticsearch resources for - Fleet to operate. Safe to call multiple times (idempotent). Returns the - initialization status and any non-fatal errors encountered during - setup.

[Required authorization] Route required privileges: - fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR - fleet-setup. - operationId: post-fleet-setup + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/security_ai_assistant/chat/complete
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a model response for the given chat conversation. + operationId: ChatComplete parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true + - description: If true, the response will not include content references. + example: false + in: query + name: content_references_disabled + required: false schema: - example: 'true' - type: string + default: false + type: boolean + requestBody: + content: + application/json: + examples: + ChatCompleteRequest: + value: + connectorId: conn-001 + conversationId: abc123 + isStream: true + langSmithApiKey: + langSmithProject: security_ai_project + messages: + - content: What are some common phishing techniques? + data: + user_id: user_789 + fields_to_anonymize: + - user.name + - source.ip + role: user + model: gpt-4 + persist: true + promptId: prompt_456 + responseLanguage: en + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_ChatCompleteProps' + required: true responses: '200': content: - application/json: + application/octet-stream: examples: - fleetSetupSuccessExample: - description: Fleet initialized successfully with no non-fatal errors - value: - isInitialized: true - nonFatalErrors: [] - fleetSetupWithNonFatalErrorsExample: - description: >- - Fleet initialized but encountered non-fatal errors during - setup - value: - isInitialized: true - nonFatalErrors: - - message: Package fleet_server not found in registry - name: PackageNotFoundError + ChatCompleteResponse200Example: + value: (streaming binary response) schema: - additionalProperties: false - description: >- - A summary of the result of Fleet's `setup` lifecycle. If - `isInitialized` is true, Fleet is ready to accept agent - enrollment. `nonFatalErrors` may include useful insight into - non-blocking issues with Fleet setup. 
- type: object - properties: - isInitialized: - type: boolean - nonFatalErrors: - items: - additionalProperties: false - type: object - properties: - message: - type: string - name: - type: string - required: - - name - - message - maxItems: 10000 - type: array - required: - - isInitialized - - nonFatalErrors - description: Fleet setup completed + format: binary + type: string + description: Indicates a successful model response call. '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + ChatCompleteResponse400Example: value: error: Bad Request - message: An error message describing what went wrong + message: Invalid request payload. statusCode: 400 schema: - additionalProperties: false - description: Generic Error type: object properties: - attributes: - nullable: true error: - type: string - errorType: + description: Error type. + example: Bad Request type: string message: + description: Human-readable error message. + example: Invalid request payload. type: string statusCode: + description: HTTP status code. + example: 400 type: number - required: - - message - - attributes - description: Bad Request - '500': + description: Bad Request response. + summary: Create a model response + tags: + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request POST 'http://localhost:5601/api/security_ai_assistant/chat/complete' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" \ + --data '{"connectorId":"conn-001","persist":true,"messages":[{"role":"user","content":"What are common phishing techniques?"}]}' + x-metaTags: + - content: Kibana + name: product_name + /api/security_ai_assistant/current_user/conversations: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/security_ai_assistant/current_user/conversations
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + This endpoint allows users to permanently delete all conversations. + operationId: DeleteAllConversations + requestBody: + content: + application/json: + examples: + DeleteAllConversationsRequest: + value: + excludedIds: + - abc123 + - def456 + schema: + type: object + properties: + excludedIds: + description: Optional list of conversation IDs to delete. + example: + - abc123 + - def456 + items: + type: string + type: array + required: false + responses: + '200': content: application/json: examples: - internalErrorResponseExample: - description: Example of an internal server error response + DeleteAllConversationsResponse200Example: value: - error: Internal Server Error - message: An error message describing what went wrong - statusCode: 500 + failures: [] + success: true + totalDeleted: 10 schema: - additionalProperties: false - description: Internal Server Error type: object properties: - message: - type: string - required: - - message - description: Internal Server Error - summary: Initiate Fleet setup - tags: - - Fleet internals - /api/fleet/space_settings: - get: - description: Get the Fleet settings for the current Kibana space. - operationId: get-fleet-space-settings - parameters: [] - responses: - '200': + failures: + items: + type: string + type: array + success: + example: true + type: boolean + totalDeleted: + example: 10 + type: number + description: Indicates a successful call. The conversations were deleted successfully. 
+ '400': content: application/json: examples: - getSpaceSettingsExample: - description: The Fleet settings for the current Kibana space + DeleteAllConversationsResponse400Example: value: - item: - allowed_namespace_prefixes: - - team-a - - team-b + error: Bad Request + message: Invalid conversation ID + statusCode: 400 schema: - additionalProperties: false type: object properties: - item: - additionalProperties: false - type: object - properties: - allowed_namespace_prefixes: - items: - type: string - maxItems: 100 - type: array - managed_by: - type: string - required: - - allowed_namespace_prefixes - required: - - item - description: Successful response - summary: Get space settings - tags: [] - x-state: Generally available; added in 9.1.0 - put: - description: >- - Create or update Fleet settings for the current Kibana - space.

[Required authorization] Route required privileges: - fleet-settings-all. - operationId: put-fleet-space-settings - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string + error: + example: Bad Request + type: string + message: + example: Invalid conversation ID + type: string + statusCode: + example: 400 + type: number + description: Bad Request response. + summary: Delete conversations + tags: + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request DELETE 'http://localhost:5601/api/security_ai_assistant/current_user/conversations' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" \ + --data '{"excludedIds":["abc123"]}' + x-metaTags: + - content: Kibana + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/security_ai_assistant/current_user/conversations
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new Security AI Assistant conversation. This endpoint allows the user to initiate a conversation with the Security AI Assistant by providing the required parameters. + operationId: CreateConversation requestBody: content: application/json: examples: - putSpaceSettingsRequestExample: - description: Update allowed namespace prefixes for the current Kibana space + CreateConversationRequest: value: - allowed_namespace_prefixes: - - team-a - - team-b + apiConfig: + actionTypeId: '67890' + connectorId: '12345' + category: assistant + excludeFromLastConversationStorage: false + messages: + - content: Hello, how can I assist you today? + role: system + timestamp: '2023-10-31T12:00:00Z' + replacements: {} + title: Security Discussion schema: - additionalProperties: false - type: object - properties: - allowed_namespace_prefixes: - items: - type: string - maxItems: 10 - type: array + $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationCreateProps' + required: true responses: '200': content: application/json: examples: - putSpaceSettingsExample: - description: The updated Fleet settings for the current Kibana space + CreateConversationResponse200Example: value: - item: - allowed_namespace_prefixes: - - team-a - - team-b + apiConfig: + actionTypeId: '67890' + connectorId: '12345' + category: assistant + createdAt: '2023-10-31T12:01:00Z' + createdBy: + id: user1 + name: John Doe + excludeFromLastConversationStorage: false + id: abc123 + messages: + - content: Hello, how can I assist you today? + role: system + timestamp: '2023-10-31T12:00:00Z' + namespace: default + replacements: {} + title: Security Discussion + updatedAt: '2023-10-31T12:01:00Z' + users: + - id: user1 + name: John Doe + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse' + description: Indicates a successful call. 
The conversation was created successfully. + '400': + content: + application/json: + examples: + CreateConversationResponse400Example: + value: + error: Bad Request + message: 'Missing required parameter: title' + statusCode: 400 schema: - additionalProperties: false type: object properties: - item: - additionalProperties: false - type: object - properties: - allowed_namespace_prefixes: - items: - type: string - maxItems: 100 - type: array - managed_by: - type: string - required: - - allowed_namespace_prefixes - required: - - item - description: Successful response - summary: Create space settings - tags: [] - x-state: Generally available; added in 9.1.0 - /api/fleet/uninstall_tokens: + error: + example: Bad Request + type: string + message: + example: 'Missing required parameter: title' + type: string + statusCode: + example: 400 + type: number + description: Bad Request response. + summary: Create a conversation + tags: + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request POST 'http://localhost:5601/api/security_ai_assistant/current_user/conversations' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" \ + --data '{"title":"Security Discussion","category":"assistant","messages":[{"content":"Hello","role":"system","timestamp":"2023-10-31T12:00:00Z"}],"apiConfig":{"connectorId":"12345","actionTypeId":"67890"},"replacements":{},"excludeFromLastConversationStorage":false}' + x-metaTags: + - content: Kibana + name: product_name + /api/security_ai_assistant/current_user/conversations/_find: get: - description: >- - List the metadata for the latest uninstall tokens per agent - policy.

[Required authorization] Route required privileges: - fleet-agents-all. - operationId: get-fleet-uninstall-tokens + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/security_ai_assistant/current_user/conversations/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all conversations for the current user. This endpoint allows users to search, filter, sort, and paginate through their conversations. + operationId: FindConversations parameters: - - description: Partial match filtering for policy IDs + - description: A list of fields to include in the response. If omitted, all fields are returned. in: query - name: policyId + name: fields required: false schema: - maxLength: 50 - type: string - - description: Partial match filtering for uninstall token values + example: + - id + - title + - createdAt + items: + type: string + type: array + - description: A search query to filter the conversations. Can match against titles, messages, or other conversation attributes. in: query - name: search + name: filter required: false schema: - maxLength: 50 + example: Security Issue type: string - - description: The number of items to return + - description: The field by which to sort the results. Valid fields are `created_at`, `title`, and `updated_at`. in: query - name: perPage + name: sort_field required: false schema: - minimum: 5 - type: number - - description: Page number + $ref: '#/components/schemas/Security_AI_Assistant_API_FindConversationsSortField' + example: created_at + - description: The order in which to sort the results. Can be either `asc` for ascending or `desc` for descending. + in: query + name: sort_order + required: false + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' + example: desc + - description: The page number of the results to retrieve. Default is 1. in: query name: page required: false schema: + default: 1 + example: 1 minimum: 1 - type: number + type: integer + - description: The number of conversations to return per page. Default is 20. 
+ in: query + name: per_page + required: false + schema: + default: 20 + example: 20 + minimum: 0 + type: integer + - description: Whether to return conversations that the current user owns. If true, only conversations owned by the user are returned. + in: query + name: is_owner + required: false + schema: + default: false + example: true + type: boolean responses: '200': content: application/json: examples: - getUninstallTokensExample: - description: List of uninstall token metadata for agent policies + FindConversationsResponse200Example: value: - items: - - created_at: '2024-01-01T00:00:00.000Z' - id: token-id-1 - namespaces: - - default - policy_id: policy-id-1 - policy_name: Default policy - - created_at: '2024-01-02T00:00:00.000Z' - id: token-id-2 - namespaces: - - production - policy_id: policy-id-2 - policy_name: Production policy + data: + - category: assistant + createdAt: '2023-10-31T12:00:00Z' + createdBy: + id: user1 + name: John Doe + excludeFromLastConversationStorage: false + id: conv-abc123 + messages: [] + namespace: default + replacements: {} + title: Security Discussion + updatedAt: '2023-10-31T12:05:00Z' + users: + - id: user1 + name: John Doe page: 1 perPage: 20 - total: 2 + total: 5 schema: - additionalProperties: false type: object properties: - items: + data: + description: A list of conversations. items: - additionalProperties: false - type: object - properties: - created_at: - type: string - id: - type: string - namespaces: - items: - type: string - maxItems: 100 - type: array - policy_id: - type: string - policy_name: - nullable: true - type: string - required: - - id - - policy_id - - created_at - maxItems: 10000 + $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse' type: array page: - type: number + description: The current page of the results. + example: 1 + type: integer perPage: - type: number + description: The number of results returned per page. 
+ example: 20 + type: integer total: - type: number + description: The total number of conversations matching the filter criteria. + example: 100 + type: integer required: - - items - - total - page - perPage - description: Successful response + - total + - data + description: Successful response, returns a paginated list of conversations matching the specified criteria. '400': content: application/json: examples: - conflictingQueryParamsExample: - description: Both policyId and search query parameters were provided + FindConversationsResponse400Example: value: error: Bad Request - message: >- - Query parameters `policyId` and `search` cannot be used at - the same time. + message: Invalid filter parameter. statusCode: 400 schema: - additionalProperties: false - description: Generic Error type: object properties: - attributes: - nullable: true error: - type: string - errorType: + example: Bad Request type: string message: + example: Invalid filter query parameter type: string statusCode: + example: 400 type: number - required: - - message - - attributes - description: Bad Request - summary: Get metadata for latest uninstall tokens + description: Bad Request response. + summary: Get conversations tags: - - Fleet uninstall tokens - /api/fleet/uninstall_tokens/{uninstallTokenId}: - get: - description: >- - Get one decrypted uninstall token by its ID.

[Required - authorization] Route required privileges: fleet-agents-all. - operationId: get-fleet-uninstall-tokens-uninstalltokenid + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request GET 'http://localhost:5601/api/security_ai_assistant/current_user/conversations/_find?page=1&per_page=20' \ + --header "Authorization: $API_KEY" + x-metaTags: + - content: Kibana + name: product_name + /api/security_ai_assistant/current_user/conversations/{id}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/security_ai_assistant/current_user/conversations/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete an existing conversation using the conversation ID. This endpoint allows users to permanently delete a conversation. + operationId: DeleteConversation parameters: - - description: The ID of the uninstall token + - description: The conversation's `id` value. + example: abc123 in: path - name: uninstallTokenId + name: id required: true schema: - type: string + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' responses: '200': content: application/json: examples: - getUninstallTokenExample: - description: Decrypted uninstall token for an agent policy + DeleteConversationResponse200Example: value: - item: - created_at: '2024-01-01T00:00:00.000Z' - id: token-id-1 - namespaces: - - default - policy_id: policy-id-1 - policy_name: Default policy - token: CKHJsJcBqNwIRcRBNDaE + apiConfig: + actionTypeId: '67890' + connectorId: '12345' + category: assistant + createdAt: '2023-10-31T12:01:00Z' + createdBy: + id: user1 + name: John Doe + excludeFromLastConversationStorage: false + id: abc123 + messages: + - content: The conversation has been deleted. + role: system + timestamp: '2023-10-31T12:35:00Z' + namespace: default + replacements: {} + title: Deleted Security Discussion + updatedAt: '2023-10-31T12:01:00Z' + users: + - id: user1 + name: John Doe schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - created_at: - type: string - id: - type: string - namespaces: - items: - type: string - maxItems: 100 - type: array - policy_id: - type: string - policy_name: - nullable: true - type: string - token: - type: string - required: - - id - - policy_id - - created_at - - token - required: - - item - description: Successful response + $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse' + description: Indicates a successful call. 
The conversation was deleted successfully. '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + DeleteConversationResponse400Example: value: error: Bad Request - message: An error message describing what went wrong + message: Invalid conversation ID statusCode: 400 schema: - additionalProperties: false - description: Generic Error type: object properties: - attributes: - nullable: true error: - type: string - errorType: + example: Bad Request type: string message: + example: Invalid conversation ID type: string statusCode: + example: 400 type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No uninstall token was found with the given ID - value: - error: Not Found - message: Uninstall Token not found with ID token-id-1 - statusCode: 404 - description: Not Found - summary: Get a decrypted uninstall token + description: Bad Request response. + summary: Delete a conversation tags: - - Fleet uninstall tokens - /api/lists: - delete: - description: | - Delete a value list using the list ID. - > info - > When you delete a list, all of its list items are also deleted. - operationId: DeleteList + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request DELETE 'http://localhost:5601/api/security_ai_assistant/current_user/conversations/abc123' \ + --header "Authorization: $API_KEY" + x-metaTags: + - content: Kibana + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/security_ai_assistant/current_user/conversations/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the details of an existing conversation using the conversation ID. This allows users to fetch the specific conversation data by its unique ID. + operationId: ReadConversation parameters: - - description: Value list identifier to delete, including all of its list items. - in: query + - description: The conversation's `id` value, a unique identifier for the conversation. + example: abc123 + in: path name: id required: true schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' - - description: >- - Determines whether exception items referencing this value list - should be deleted. - in: query - name: deleteReferences - required: false - schema: - default: false - example: false - type: boolean - - description: >- - Determines whether to delete value list without performing any - additional checks of where this list may be utilized. - in: query - name: ignoreReferences - required: false - schema: - default: false - example: false - type: boolean + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' responses: '200': content: application/json: examples: - ipList: + ReadConversationResponse200Example: value: - _version: WzIsMV0= - '@timestamp': 2025-01-08T04:47:34.273Z - created_at: 2025-01-08T04:47:34.273Z - created_by: elastic - description: List of bad internet ips. - id: 21b01cfb-058d-44b9-838c-282be16c91cd - immutable: false - name: Bad ips - tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 - type: ip - updated_at: 2025-01-08T05:39:39.292Z - updated_by: elastic - version: 3 + apiConfig: + actionTypeId: '67890' + connectorId: '12345' + category: assistant + createdAt: '2023-10-31T12:01:00Z' + createdBy: + id: user1 + name: John Doe + excludeFromLastConversationStorage: false + id: abc123 + messages: + - content: Hello, how can I assist you today? 
+ role: system + timestamp: '2023-10-31T12:00:00Z' + namespace: default + replacements: {} + title: Security Discussion + updatedAt: '2023-10-31T12:01:00Z' + users: + - id: user1 + name: John Doe schema: - $ref: '#/components/schemas/Security_Lists_API_List' - description: Successful response + $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse' + description: Indicates a successful call. The conversation details are returned. '400': content: application/json: examples: - badRequest: + ReadConversationResponse400Example: value: error: Bad Request - message: '[request query]: id: Required' + message: Invalid conversation ID statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [DELETE /api/lists?id=ip_list] is unauthorized for - user, this action is granted by the Kibana privileges - [lists-all] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message: 'list id: \"ip_list\" was not found' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List 
not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Delete a value list + type: object + properties: + error: + example: Bad Request + type: string + message: + example: Invalid conversation ID + type: string + statusCode: + example: 400 + type: number + description: Bad Request response. + summary: Get a conversation tags: - - Security Lists API - get: - description: Get the details of a value list using the list ID. - operationId: ReadList + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request GET 'http://localhost:5601/api/security_ai_assistant/current_user/conversations/abc123' \ + --header "Authorization: $API_KEY" + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/security_ai_assistant/current_user/conversations/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an existing conversation using the conversation ID. This endpoint allows users to modify the details of an existing conversation. + operationId: UpdateConversation parameters: - - description: Value list identifier (`id`) returned when the list was created. - in: query + - description: The conversation's `id` value. + example: abc123 + in: path name: id required: true schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' - responses: - '200': - content: - application/json: - examples: - ip: - value: - _version: WzEsMV0= - '@timestamp': 2025-01-08T04:47:34.273Z - created_at: 2025-01-08T04:47:34.273Z - created_by: elastic - description: This list describes bad internet ip - id: ip_list - immutable: false - name: My bad ips - tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 - type: ip - updated_at: 2025-01-08T05:21:53.843Z - updated_by: elastic - version: 1 - schema: - $ref: '#/components/schemas/Security_Lists_API_List' - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: '[request query]: id: Required' - statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - 
examples: - forbidden: - value: - error: Forbidden - message: >- - API [GET /api/lists?id=ip_list] is unauthorized for user, - this action is granted by the Kibana privileges - [lists-read] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message: 'list id: \"foo\" not found' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Get value list details - tags: - - Security Lists API - patch: - description: Update specific fields of an existing list using the list `id`. - operationId: PatchList + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' requestBody: content: application/json: examples: - patchName: + UpdateConversationRequest: value: - id: ip_list - name: Bad ips list - UPDATED + apiConfig: + actionTypeId: '09876' + connectorId: '54321' + category: insights + excludeFromLastConversationStorage: true + messages: + - content: The issue was resolved. 
+ role: assistant + timestamp: '2023-10-31T12:30:00Z' + replacements: {} + title: Updated Security Discussion schema: - example: - id: ip_list - name: Bad ips list - UPDATED - type: object - properties: - _version: - $ref: '#/components/schemas/Security_Lists_API_ListVersionId' - description: - $ref: '#/components/schemas/Security_Lists_API_ListDescription' - id: - $ref: '#/components/schemas/Security_Lists_API_ListId' - meta: - $ref: '#/components/schemas/Security_Lists_API_ListMetadata' - name: - $ref: '#/components/schemas/Security_Lists_API_ListName' - version: - $ref: '#/components/schemas/Security_Lists_API_ListVersion' - required: - - id - description: Value list's properties + $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationUpdateProps' required: true responses: '200': content: application/json: examples: - ip: - value: - _version: WzEsMV0= - '@timestamp': 2025-01-08T04:47:34.273Z - created_at: 2025-01-08T04:47:34.273Z - created_by: elastic - description: This list describes bad internet ips - id: ip_list - immutable: false - name: Bad ips list - UPDATED - tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 - type: ip - updated_at: 2025-01-08T05:21:53.843Z - updated_by: elastic - version: 2 - schema: - $ref: '#/components/schemas/Security_Lists_API_List' - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: '[request body]: name: Expected string, received number' - statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: + UpdateConversationResponse200Example: value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST 
request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 + apiConfig: + actionTypeId: '09876' + connectorId: '54321' + category: insights + createdAt: '2023-10-31T12:01:00Z' + createdBy: + id: user1 + name: John Doe + excludeFromLastConversationStorage: true + id: abc123 + messages: + - content: The issue was resolved. + role: assistant + timestamp: '2023-10-31T12:30:00Z' + namespace: default + replacements: {} + title: Updated Security Discussion + updatedAt: '2023-10-31T12:31:00Z' + users: + - id: user1 + name: John Doe schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': + $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse' + description: Indicates a successful call. The conversation was updated successfully. + '400': content: application/json: examples: - forbidden: + UpdateConversationResponse400Example: value: - error: Forbidden - message: >- - API [PATCH /api/lists] is unauthorized for user, this - action is granted by the Kibana privileges [lists-all] - statusCode: 403 + error: Bad Request + message: 'Missing required field: title' + statusCode: 400 schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': + type: object + properties: + error: + example: Bad Request + type: string + message: + example: 'Missing required field: title' + type: string + statusCode: + example: 400 + type: number + description: Bad Request response. 
+ summary: Update a conversation + tags: + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request PUT 'http://localhost:5601/api/security_ai_assistant/current_user/conversations/abc123' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" \ + --data '{"title":"Updated Security Discussion","category":"insights","messages":[{"content":"Resolved.","role":"assistant","timestamp":"2023-10-31T12:30:00Z"}],"apiConfig":{"connectorId":"54321","actionTypeId":"09876"},"replacements":{},"excludeFromLastConversationStorage":true}' + x-metaTags: + - content: Kibana + name: product_name + /api/security_ai_assistant/knowledge_base: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/security_ai_assistant/knowledge_base
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Read a single KB + operationId: GetKnowledgeBase + responses: + '200': content: application/json: examples: - notFound: + KnowledgeBaseReadResponse200Example2: + summary: A response that returns information about the knowledge base. value: - message: 'list id: \"foo\" not found' - status_code: 404 + defend_insights_exists: true + elser_exists: false + is_setup_available: true + is_setup_in_progress: true + product_documentation_status: installed + security_labs_exists: false + user_data_exists: true schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List not found response - '500': + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseReadResponse200' + description: Indicates a successful call. + '400': content: application/json: examples: - serverError: + GetKnowledgeBaseResponse400Example: value: - message: Internal Server Error - status_code: 500 + error: Bad Request + message: Invalid resource ID provided. + statusCode: 400 schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Patch a value list + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400' + description: Bad Request response. + summary: Read a KnowledgeBase tags: - - Security Lists API + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request GET 'http://localhost:5601/api/security_ai_assistant/knowledge_base' \ + --header "Authorization: $API_KEY" + x-metaTags: + - content: Kibana + name: product_name post: - description: Create a new value list. 
- operationId: CreateList - requestBody: - content: - application/json: - examples: - ip: - value: - description: This list describes bad internet ips - id: ip_list - name: Simple list with ips - type: ip - ip_range: - value: - description: This list has ip ranges - id: ip_range_list - name: Simple list with ip ranges - type: ip_range - keyword: - value: - description: This list describes bad host names - id: keyword_list - name: Simple list with a keyword - type: keyword - keyword_custom_format: - value: - description: This parses the first found ipv4 only - id: keyword_custom_format_list - name: Simple list with a keyword using a custom format - type: keyword - schema: - type: object - properties: - description: - $ref: '#/components/schemas/Security_Lists_API_ListDescription' - id: - $ref: '#/components/schemas/Security_Lists_API_ListId' - meta: - $ref: '#/components/schemas/Security_Lists_API_ListMetadata' - name: - $ref: '#/components/schemas/Security_Lists_API_ListName' - type: - $ref: '#/components/schemas/Security_Lists_API_ListType' - version: - default: 1 - minimum: 1 - type: integer - required: - - name - - description - - type - description: Value list's properties - required: true + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/security_ai_assistant/knowledge_base
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a knowledge base. Use this endpoint when no specific resource identifier is needed. + operationId: PostKnowledgeBase + parameters: + - description: ELSER modelId to use when setting up the Knowledge Base. If not provided, a default model will be used. + example: elser-model-001 + in: query + name: modelId + required: false + schema: + type: string + - description: Indicates whether we should or should not install Security Labs docs when setting up the Knowledge Base. Defaults to `false`. + example: true + in: query + name: ignoreSecurityLabs + required: false + schema: + default: false + type: boolean responses: '200': content: application/json: examples: - ip: - value: - _version: WzAsMV0= - '@timestamp': 2025-01-08T04:47:34.273Z - created_at: 2025-01-08T04:47:34.273Z - created_by: elastic - description: This list describes bad internet ips - id: ip_list - immutable: false - name: Simple list with ips - tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 - type: ip - updated_at: 2025-01-08T04:47:34.273Z - updated_by: elastic - version: 1 - ip_range: - value: - _version: WzAsMV0= - '@timestamp': 2025-01-09T18:23:52.241Z - created_at: 2025-01-09T18:23:52.241Z - created_by: elastic - description: This list has ip ranges - id: ip_range_list - immutable: false - name: Simple list with ip ranges - tie_breaker_id: 74aebdaf-601f-4940-b351-155728ff7003 - type: ip_range - updated_at: 2025-01-09T18:23:52.241Z - updated_by: elastic - version: 1 - keyword: - value: - _version: WzEsMV0= - '@timestamp': 2025-01-09T18:24:55.786Z - created_at: 2025-01-09T18:24:55.786Z - created_by: elastic - description: This list describes bad host names - id: keyword_list - immutable: false - name: Simple list with a keyword - tie_breaker_id: f7e7dbaa-daf7-4c9a-a3dc-56643923ef68 - type: keyword - updated_at: 2025-01-09T18:24:55.786Z - updated_by: elastic - version: 1 - 
keyword_custom_format: + KnowledgeBaseResponse200Example2: + summary: A response that indicates that the request was successful. value: - _version: WzIsMV0= - '@timestamp': 2025-01-09T18:25:39.604Z - created_at: 2025-01-09T18:25:39.604Z - created_by: elastic - description: This parses the first found ipv4 only - id: keyword_custom_format_list - immutable: false - name: Simple list with a keyword using a custom format - tie_breaker_id: 8247ae63-b780-47b8-9a89-948b643e9ec2 - type: keyword - updated_at: 2025-01-09T18:25:39.604Z - updated_by: elastic - version: 1 + success: true schema: - $ref: '#/components/schemas/Security_Lists_API_List' - description: Successful response + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse' + description: Indicates a successful call. '400': content: application/json: examples: - notFound: - value: - message: >- - To create a list, the data stream must exist first. Data - stream \".lists-default\" does not exist - status_code: 400 + KnowledgeBaseResponse400Example2: + summary: A response for a request that failed due to an invalid query parameter value. + value: | + statusCode: 400 error: Bad Request message: "[request query]: ignoreSecurityLabs: Invalid enum value. Expected 'true' | 'false', received 'yes', ignoreSecurityLabs: Expected boolean, received string" schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400' + description: Bad Request response. 
+ summary: Create a KnowledgeBase + tags: + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request POST 'http://localhost:5601/api/security_ai_assistant/knowledge_base?ignoreSecurityLabs=false' \ + --header "Authorization: $API_KEY" + x-metaTags: + - content: Kibana + name: product_name + /api/security_ai_assistant/knowledge_base/{resource}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/security_ai_assistant/knowledge_base/{resource}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Read a knowledge base with a specific resource identifier. + operationId: ReadKnowledgeBase + parameters: + - description: The KnowledgeBase `resource` value. + example: kb12345 + in: path + name: resource + required: true + schema: + type: string + responses: + '200': content: application/json: examples: - unauthorized: + KnowledgeBaseReadResponse200Example1: + summary: A response that returns information about the knowledge base. value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 + defend_insights_exists: true + elser_exists: false + is_setup_available: true + is_setup_in_progress: true + product_documentation_status: installed + security_labs_exists: false + user_data_exists: true schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseReadResponse200' + description: Indicates a successful call. + '400': content: application/json: examples: - forbidden: + ReadKnowledgeBaseResponse400Example: value: - error: Forbidden - message: >- - API [POST /api/lists] is unauthorized for user, this - action is granted by the Kibana privileges [lists-all] - statusCode: 403 + error: Bad Request + message: Invalid resource ID provided. + statusCode: 400 schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '409': + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400' + description: Bad Request response. 
+ summary: Read a KnowledgeBase for a resource + tags: + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request GET 'http://localhost:5601/api/security_ai_assistant/knowledge_base/kb12345' \ + --header "Authorization: $API_KEY" + x-metaTags: + - content: Kibana + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/security_ai_assistant/knowledge_base/{resource}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a knowledge base with a specific resource identifier. + operationId: CreateKnowledgeBase + parameters: + - description: The KnowledgeBase `resource` value. + example: kb12345 + in: path + name: resource + required: true + schema: + type: string + - description: ELSER modelId to use when setting up the Knowledge Base. If not provided, a default model will be used. + example: elser-model-001 + in: query + name: modelId + required: false + schema: + type: string + - description: Indicates whether we should or should not install Security Labs docs when setting up the Knowledge Base. Defaults to `false`. + example: true + in: query + name: ignoreSecurityLabs + required: false + schema: + default: false + type: boolean + responses: + '200': content: application/json: examples: - alreadyExists: + KnowledgeBaseResponse200Example1: + summary: A response that indicates that the request was successful. value: - message: 'list id: "keyword_custom_format_list" already exists' - status_code: 409 + success: true schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List already exists response - '500': + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse' + description: Indicates a successful call. + '400': content: application/json: examples: - serverError: - value: - message: Internal Server Error - status_code: 500 + KnowledgeBaseResponse400Example1: + summary: A response for a request that failed due to an invalid query parameter value. + value: | + statusCode: 400 error: Bad Request message: "[request query]: ignoreSecurityLabs: Invalid enum value. 
Expected 'true' | 'false', received 'yes', ignoreSecurityLabs: Expected boolean, received string" schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Create a value list + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400' + description: Bad Request response. + summary: Create a KnowledgeBase for a resource tags: - - Security Lists API - put: - description: > - Update a value list using the list `id`. The original list is replaced, - and all unspecified fields are deleted. + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request POST 'http://localhost:5601/api/security_ai_assistant/knowledge_base/kb12345?ignoreSecurityLabs=false' \ + --header "Authorization: $API_KEY" + x-metaTags: + - content: Kibana + name: product_name + /api/security_ai_assistant/knowledge_base/entries: + post: + description: |- + **Spaces method and path for this operation:** - > info +
post /s/{space_id}/api/security_ai_assistant/knowledge_base/entries
- > You cannot modify the `id` value. - operationId: UpdateList + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a Knowledge Base Entry + operationId: CreateKnowledgeBaseEntry requestBody: content: application/json: examples: - replaceList: + CreateKnowledgeBaseEntryRequest: value: - description: Latest list of bad ips - id: ip_list - name: Bad ips - updated + kbResource: user + name: How to reset a password + source: manual + text: To reset your password, go to the settings page and click 'Reset Password'. + type: document schema: - example: - description: Latest list of bad ips - id: ip_list - name: Bad ips - updated - type: object - properties: - _version: - $ref: '#/components/schemas/Security_Lists_API_ListVersionId' - description: - $ref: '#/components/schemas/Security_Lists_API_ListDescription' - id: - $ref: '#/components/schemas/Security_Lists_API_ListId' - meta: - $ref: '#/components/schemas/Security_Lists_API_ListMetadata' - name: - $ref: '#/components/schemas/Security_Lists_API_ListName' - version: - $ref: '#/components/schemas/Security_Lists_API_ListVersion' - required: - - id - - name - - description - description: Value list's properties + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryCreateProps' required: true responses: '200': content: application/json: examples: - ip: + CreateKnowledgeBaseEntryResponse200Example: value: - _version: WzIsMV0= - '@timestamp': 2025-01-08T04:47:34.273Z - created_at: 2025-01-08T04:47:34.273Z - created_by: elastic - description: Latest list of bad ips - id: ip_list - immutable: false - name: Bad ips - updated - tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 - type: ip - updated_at: 2025-01-08T05:39:39.292Z - updated_by: elastic - version: 3 + createdAt: '2024-01-15T10:00:00.000Z' + createdBy: user@example.com + global: false + id: '12345' + kbResource: user + name: How to reset a password + namespace: default + source: manual + 
text: To reset your password, go to the settings page and click 'Reset Password'. + type: document + updatedAt: '2024-01-15T10:00:00.000Z' + updatedBy: user@example.com schema: - $ref: '#/components/schemas/Security_Lists_API_List' - description: Successful response + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse' + description: Successful request returning Knowledge Base Entries '400': content: application/json: examples: - badRequest: - value: - error: Bad Request - message: '[request body]: id: Expected string, received number' - statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: + CreateKnowledgeBaseEntryResponse400Example: value: - error: Forbidden - message: >- - API [PUT /api/lists] is unauthorized for user, this action - is granted by the Kibana privileges [lists-all] - statusCode: 403 + error: Invalid input + message: The 'name' field is required. schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema' + description: Bad Request response. 
+ summary: Create a Knowledge Base Entry + tags: + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request POST 'http://localhost:5601/api/security_ai_assistant/knowledge_base/entries' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" \ + --data '{"name":"How to reset a password","type":"document","kbResource":"user","source":"manual","text":"To reset your password, go to the settings page and click Reset Password."}' + x-metaTags: + - content: Kibana + name: product_name + /api/security_ai_assistant/knowledge_base/entries/_bulk_action: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/security_ai_assistant/knowledge_base/entries/_bulk_action
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + The bulk action is applied to all Knowledge Base Entries that match the filter or to the list of Knowledge Base Entries by their IDs. + operationId: PerformKnowledgeBaseEntryBulkAction + requestBody: + content: + application/json: + examples: + PerformKnowledgeBaseEntryBulkActionRequest: + value: + create: + - kbResource: user + name: New Entry + source: manual + text: This is the content of the new entry. + type: document + delete: + ids: + - '789' + update: + - id: '123' + kbResource: user + name: Updated Entry + source: manual + text: Updated content. + type: document + schema: + type: object + properties: + create: + description: List of Knowledge Base Entries to create. + example: + - kbResource: user + name: New Entry + source: manual + text: This is the content of the new entry. + type: document + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryCreateProps' + type: array + delete: + type: object + properties: + ids: + description: Array of Knowledge Base Entry IDs. + example: + - '123' + - '456' + - '789' + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter Knowledge Base Entries. + example: status:active AND category:technology + type: string + update: + description: List of Knowledge Base Entries to update. + example: + - id: '123' + kbResource: user + name: Updated Entry + source: manual + text: Updated content. 
+ type: document + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryUpdateProps' + type: array + responses: + '200': content: application/json: examples: - notFound: + PerformKnowledgeBaseEntryBulkActionResponse200Example: value: - message: 'list id: \"foo\" not found' - status_code: 404 + attributes: + results: + created: + - createdAt: '2024-01-15T10:00:00.000Z' + createdBy: user@example.com + global: false + id: '456' + kbResource: user + name: New Entry + namespace: default + source: manual + text: This is the content of the new entry. + type: document + updatedAt: '2024-01-15T10:00:00.000Z' + updatedBy: user@example.com + deleted: + - '789' + skipped: [] + updated: + - createdAt: '2024-01-14T09:00:00.000Z' + createdBy: user@example.com + global: false + id: '123' + kbResource: user + name: Updated Entry + namespace: default + source: manual + text: Updated content. + type: document + updatedAt: '2024-01-15T10:00:00.000Z' + updatedBy: user@example.com + summary: + failed: 0 + skipped: 0 + succeeded: 3 + total: 3 + knowledgeBaseEntriesCount: 3 + message: Bulk action completed successfully. + statusCode: 200 + success: true schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List not found response - '500': + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionResponse' + description: Successful bulk operation request + '400': content: application/json: examples: - serverError: + PerformKnowledgeBaseEntryBulkActionResponse400Example: value: - message: Internal Server Error - status_code: 500 + error: Bad Request + message: Invalid request body. + statusCode: 400 schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Update a value list + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema' + description: Bad Request response. 
+ summary: Applies a bulk action to multiple Knowledge Base Entries tags: - - Security Lists API - /api/lists/_find: + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request POST 'http://localhost:5601/api/security_ai_assistant/knowledge_base/entries/_bulk_action' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" \ + --data '{"create":[{"name":"Runbook","type":"document","kbResource":"user","source":"manual","text":"Steps to triage an alert."}]}' + x-metaTags: + - content: Kibana + name: product_name + /api/security_ai_assistant/knowledge_base/entries/_find: get: - description: >- - Get a paginated subset of value lists. By default, the first page is - returned, with 20 results per page. - operationId: FindLists + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/security_ai_assistant/knowledge_base/entries/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Finds Knowledge Base Entries that match the given query. + operationId: FindKnowledgeBaseEntries parameters: - - description: The page number to return. + - description: A list of fields to include in the response. If not provided, all fields will be included. in: query - name: page + name: fields required: false schema: - example: 1 - type: integer - - description: The number of value lists to return per page. + example: + - name + - created_at + items: + type: string + type: array + - description: Search query to filter Knowledge Base Entries by specific criteria. in: query - name: per_page + name: filter required: false schema: - example: 20 - type: integer - - description: Determines which field is used to sort the results. + example: error handling + type: string + - description: Field to sort the Knowledge Base Entries by. in: query name: sort_field required: false schema: - example: name - format: nonempty - minLength: 1 - type: string - - description: Determines the sort order, which can be `desc` or `asc` + $ref: '#/components/schemas/Security_AI_Assistant_API_FindKnowledgeBaseEntriesSortField' + example: created_at + - description: Sort order for the results, either asc or desc. in: query name: sort_order required: false schema: - enum: - - desc - - asc + $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' example: asc - type: string - - description: >- - Returns the lists that come after the last lists returned in the - previous call (use the `cursor` value returned in the previous - call). This parameter uses the `tie_breaker_id` field to ensure all - lists are sorted and returned correctly. + - description: Page number for paginated results. Defaults to 1. 
in: query - name: cursor + name: page required: false schema: - $ref: '#/components/schemas/Security_Lists_API_FindListsCursor' - - description: > - Filters the returned results according to the value of the specified - field, - - using the : syntax. + default: 1 + example: 2 + minimum: 1 + type: integer + - description: Number of Knowledge Base Entries to return per page. Defaults to 20. in: query - name: filter + name: per_page required: false schema: - $ref: '#/components/schemas/Security_Lists_API_FindListsFilter' + default: 20 + example: 10 + minimum: 0 + type: integer responses: '200': content: application/json: examples: - ipList: + FindKnowledgeBaseEntriesResponse200Example: value: - cursor: >- - WzIwLFsiZjU1MDgxODgtYjFlOS00ZTZlLTk2NjItZDAzOWE3ZDg5ODk5Il1d data: - - _version: WzAsMV0= - '@timestamp': | - 2025-01-08T04:47:34.273Z - created_at: | - 2025-01-08T04:47:34.273Z - created_by: elastic - description: This list describes bad internet ip - id: ip_list - immutable: false - name: Simple list with an ip - tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 - type: ip - updated_at: | - 2025-01-08T04:47:34.273Z - updated_by: elastic - version: 1 + - createdAt: '2024-01-15T10:00:00.000Z' + createdBy: user@example.com + global: false + id: '12345' + kbResource: user + name: How to reset a password + namespace: default + source: manual + text: To reset your password, go to the settings page and click 'Reset Password'. + type: document + updatedAt: '2024-01-15T10:00:00.000Z' + updatedBy: user@example.com page: 1 - per_page: 20 - total: 1 + perPage: 20 + total: 100 schema: type: object properties: - cursor: - $ref: '#/components/schemas/Security_Lists_API_FindListsCursor' data: + description: The list of Knowledge Base Entries for the current page. items: - $ref: '#/components/schemas/Security_Lists_API_List' + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse' type: array page: - minimum: 0 + description: The current page number. 
+ example: 1 type: integer - per_page: - minimum: 0 + perPage: + description: The number of Knowledge Base Entries returned per page. + example: 20 type: integer total: - minimum: 0 + description: The total number of Knowledge Base Entries available. + example: 100 type: integer required: - - data - page - - per_page + - perPage - total - - cursor - description: Successful response + - data + description: Successful response containing the paginated Knowledge Base Entries. '400': content: application/json: examples: - badRequest: + FindKnowledgeBaseEntriesResponse400Example: value: error: Bad Request - message: '[request query]: page: Expected number, received nan' + message: 'Invalid query parameter: sort_order' statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [GET /api/lists/_find?page=1&per_page=20] is - unauthorized for user, this action is granted by the - Kibana privileges [lists-read] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: 
'#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Get value lists + type: object + properties: + error: + description: A short description of the error. + example: Bad Request + type: string + message: + description: A detailed message explaining the error. + example: 'Invalid query parameter: sort_order' + type: string + statusCode: + description: The HTTP status code of the error. + example: 400 + type: number + description: Bad Request response. + summary: Finds Knowledge Base Entries that match the given query. tags: - - Security Lists API - /api/lists/index: + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request GET 'http://localhost:5601/api/security_ai_assistant/knowledge_base/entries/_find?page=1&per_page=20' \ + --header "Authorization: $API_KEY" + x-metaTags: + - content: Kibana + name: product_name + /api/security_ai_assistant/knowledge_base/entries/{id}: delete: - description: Delete the `.lists` and `.items` data streams. - operationId: DeleteListIndex + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/security_ai_assistant/knowledge_base/entries/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a Knowledge Base Entry by its unique `id`. + operationId: DeleteKnowledgeBaseEntry + parameters: + - description: The unique identifier (`id`) of the Knowledge Base Entry to delete. + example: '12345' + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' responses: '200': content: application/json: examples: - acknowledged: + DeleteKnowledgeBaseEntryResponse200Example: value: - acknowledged: true + id: '12345' + message: Knowledge Base Entry successfully deleted. schema: - type: object - properties: - acknowledged: - type: boolean - required: - - acknowledged - description: Successful response + $ref: '#/components/schemas/Security_AI_Assistant_API_DeleteResponseFields' + description: Successful request returning the `id` of the deleted Knowledge Base Entry. '400': content: application/json: examples: - badRequest: - value: - message: >- - Unable to delete value list data streams: invalid or - missing index metadata - status_code: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [DELETE /api/lists/index] is not authorized; 
lists-all - (or equivalent) is required to delete data streams - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message: The value list data stream was not found in this space - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List data stream not found response - '500': - content: - application/json: - examples: - serverError: + DeleteKnowledgeBaseEntryResponse400Example: value: - message: Internal Server Error - status_code: 500 + error: Not Found + message: No Knowledge Base Entry found with the provided `id`. schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Delete value list data streams + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema' + description: Bad Request response. + summary: Deletes a single Knowledge Base Entry using the `id` field tags: - - Security Lists API + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request DELETE 'http://localhost:5601/api/security_ai_assistant/knowledge_base/entries/12345' \ + --header "Authorization: $API_KEY" + x-metaTags: + - content: Kibana + name: product_name get: - description: Verify that `.lists` and `.items` data streams exist. - operationId: ReadListIndex + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/security_ai_assistant/knowledge_base/entries/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve a Knowledge Base Entry by its unique `id`. + operationId: ReadKnowledgeBaseEntry + parameters: + - description: The unique identifier (`id`) of the Knowledge Base Entry to retrieve. + example: '12345' + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' responses: '200': content: application/json: examples: - bothExist: + ReadKnowledgeBaseEntryResponse200Example: value: - list_index: true - list_item_index: true + createdAt: '2024-01-15T10:00:00.000Z' + createdBy: user@example.com + global: false + id: '12345' + kbResource: user + name: How to reset a password + namespace: default + source: manual + text: To reset your password, go to the settings page and click 'Reset Password'. + type: document + updatedAt: '2024-01-15T10:00:00.000Z' + updatedBy: user@example.com schema: - type: object - properties: - list_index: - type: boolean - list_item_index: - type: boolean - required: - - list_index - - list_item_index - description: Successful response + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse' + description: Successful request returning the requested Knowledge Base Entry. 
'400': content: application/json: examples: - badRequest: - value: - message: >- - Unable to read value list data stream status for this - space - status_code: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [GET /api/lists/index] is not authorized; list read - permissions are required - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message: Value list backing indices were not found for this space - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List data stream(s) not found response - '500': - content: - application/json: - examples: - serverError: + ReadKnowledgeBaseEntryResponse400Example: value: - message: Internal Server Error - status_code: 500 + error: Not Found + message: No Knowledge Base Entry found with the provided `id`. 
schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Get status of value list data streams + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema' + description: Bad Request response. + summary: Read a Knowledge Base Entry tags: - - Security Lists API - post: - deprecated: true - description: > - **DEPRECATED.** `deprecated: true` is set on this operation. Value list - backing data streams for the space - - are now created as part of supported workflows; calling this explicitly - is rarely required. - - **WARNING:** Do not use for new integrations. Prefer the UI or the list - and list-item APIs after confirming + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request GET 'http://localhost:5601/api/security_ai_assistant/knowledge_base/entries/12345' \ + --header "Authorization: $API_KEY" + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** - indices exist with `GET /api/lists/index`. +
put /s/{space_id}/api/security_ai_assistant/knowledge_base/entries/{id}
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Creates the `.lists` and `.items` data streams in the current Kibana - space. - operationId: CreateListIndex - responses: - '200': - content: - application/json: - examples: - acknowledged: - value: - acknowledged: true - schema: - type: object - properties: - acknowledged: - type: boolean - required: - - acknowledged - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - message: >- - Indices exist but the request could not be completed for - the current space. Check that Elasticsearch and Kibana - privileges allow index creation for lists. - status_code: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': + Update an existing Knowledge Base Entry by its unique `id`. + operationId: UpdateKnowledgeBaseEntry + parameters: + - description: The unique identifier (`id`) of the Knowledge Base Entry to update. + example: '12345' + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + requestBody: + content: + application/json: + examples: + UpdateKnowledgeBaseEntryRequest: + value: + kbResource: user + name: How to reset a password (updated) + source: manual + text: 'Updated: go to settings and click Reset Password, then follow the on-screen instructions.' 
+ type: document + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryUpdateRouteProps' + required: true + responses: + '200': content: application/json: examples: - unauthorized: + UpdateKnowledgeBaseEntryResponse200Example: value: - error: Unauthorized - message: > - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 + createdAt: '2024-01-15T10:00:00.000Z' + createdBy: user@example.com + global: false + id: '12345' + kbResource: user + name: How to reset a password (updated) + namespace: default + source: manual + text: 'Updated: go to settings and click Reset Password, then follow the on-screen instructions.' + type: document + updatedAt: '2024-01-15T10:05:00.000Z' + updatedBy: user@example.com schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse' + description: Successful request returning the updated Knowledge Base Entry. + '400': content: application/json: examples: - forbidden: + UpdateKnowledgeBaseEntryResponse400Example: value: - error: Forbidden - message: >- - API [POST /api/lists/index] is unauthorized for user, this - action is granted by the Kibana privileges [lists-all] - statusCode: 403 + error: Invalid input + message: The 'text' field cannot be empty. schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '409': + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema' + description: Bad Request response. 
+ summary: Update a Knowledge Base Entry + tags: + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request PUT 'http://localhost:5601/api/security_ai_assistant/knowledge_base/entries/12345' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" \ + --data '{"name":"How to reset a password (updated)","type":"document","kbResource":"user","source":"manual","text":"Updated: go to settings and click Reset Password, then follow the on-screen instructions."}' + x-metaTags: + - content: Kibana + name: product_name + /api/security_ai_assistant/prompts/_bulk_action: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/security_ai_assistant/prompts/_bulk_action
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Apply a bulk action to multiple prompts. The bulk action is applied to all prompts that match the filter or to the list of prompts by their IDs. This action allows for bulk create, update, or delete operations. + operationId: PerformPromptsBulkAction + requestBody: + content: + application/json: + examples: + PerformPromptsBulkActionRequest: + value: + create: + - content: Please verify the security settings. + name: New Security Prompt + promptType: system + delete: + ids: + - prompt1 + - prompt2 + update: + - content: Updated content for security prompt. + id: prompt123 + schema: + type: object + properties: + create: + description: List of prompts to be created. + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_PromptCreateProps' + type: array + delete: + description: Criteria for deleting prompts in bulk. + type: object + properties: + ids: + description: Array of IDs to apply the action to. + example: + - '1234' + - '5678' + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter the bulk action. + example: 'status: ''inactive''' + type: string + update: + description: List of prompts to be updated. + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_PromptUpdateProps' + type: array + responses: + '200': content: application/json: examples: - alreadyExists: + success: value: - message: >- - data stream: \".lists-default\" and \".items-default\" - already exists - status_code: 409 + attributes: + errors: [] + results: + created: + - content: Please verify the security settings. 
+ id: prompt6 + name: New Security Prompt + promptType: system + deleted: + - prompt2 + - prompt3 + skipped: + - id: prompt4 + name: Security Prompt + skip_reason: PROMPT_FIELD_NOT_MODIFIED + updated: + - content: Updated security settings prompt + id: prompt1 + name: Security Prompt + promptType: system + summary: + failed: 0 + skipped: 1 + succeeded: 4 + total: 5 + message: Bulk action completed successfully. + prompts_count: 5 + status_code: 200 + success: true schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List data stream exists response - '500': + $ref: '#/components/schemas/Security_AI_Assistant_API_PromptsBulkCrudActionResponse' + description: Indicates a successful call with the results of the bulk action. + '400': content: application/json: examples: - serverError: + PerformPromptsBulkActionResponse400Example: value: - message: Internal Server Error - status_code: 500 + error: Bad Request + message: Invalid prompt ID or missing required fields. + statusCode: 400 schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Create list data streams + type: object + properties: + error: + description: A short error message. + example: Bad Request + type: string + message: + description: A detailed error message. + example: Invalid prompt ID or missing required fields. + type: string + statusCode: + description: The HTTP status code for the error. + example: 400 + type: number + description: Bad Request response. + summary: Apply a bulk action to prompts tags: - - Security Lists API - /api/lists/items: - delete: - description: >- - Delete a value list item using its `id`, or its `list_id` and `value` - fields. 
- operationId: DeleteListItem + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request POST 'http://localhost:5601/api/security_ai_assistant/prompts/_bulk_action' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" \ + --data '{"delete":{"query":"name: test","ids":[]}}' + x-metaTags: + - content: Kibana + name: product_name + /api/security_ai_assistant/prompts/_find: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/security_ai_assistant/prompts/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all prompts based on optional filters, sorting, and pagination. + operationId: FindPrompts parameters: - - description: >- - Value list item's identifier. Required if `list_id` and `value` are - not specified. + - description: List of specific fields to include in each returned prompt. in: query - name: id + name: fields required: false schema: - $ref: '#/components/schemas/Security_Lists_API_ListItemId' - - description: Value list's identifier. Required if `id` is not specified. + example: + - id + - name + - content + items: + type: string + type: array + - description: Search query string to filter prompts by matching fields. in: query - name: list_id + name: filter required: false schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' - - description: >- - The value used to evaluate exceptions. Required if `id` is not - specified. + example: error handling + type: string + - description: Field to sort prompts by. in: query - name: value + name: sort_field required: false schema: - example: 255.255.255.255 - type: string - - description: >- - Determines when changes made by the request are made visible to - search. + $ref: '#/components/schemas/Security_AI_Assistant_API_FindPromptsSortField' + - description: Sort order, either asc or desc. in: query - name: refresh + name: sort_order required: false schema: - default: 'false' - enum: - - 'true' - - 'false' - - wait_for - example: false - type: string + $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' + - description: Page number for pagination. + in: query + name: page + required: false + schema: + default: 1 + example: 1 + minimum: 1 + type: integer + - description: Number of prompts per page. 
+ in: query + name: per_page + required: false + schema: + default: 20 + example: 20 + minimum: 0 + type: integer responses: '200': content: application/json: examples: - ip: + FindPromptsResponse200Example: value: - _version: WzIwLDFd - '@timestamp': 2025-01-08T05:15:05.159Z - created_at: 2025-01-08T05:15:05.159Z - created_by: elastic - id: pd1WRJQBs4HAK3VQeHFI - list_id: ip_list - tie_breaker_id: eee41dc7-1666-4876-982f-8b0f7b59eca3 - type: ip - updated_at: 2025-01-08T05:44:14.009Z - updated_by: elastic - value: 255.255.255.255 + data: + - categories: + - troubleshooting + - logging + color: '#FF5733' + consumer: security + content: If you encounter an error, check the logs and retry. + createdAt: '2025-04-20T21:00:00Z' + createdBy: jdoe + id: prompt-123 + isDefault: true + isNewConversationDefault: false + name: Error Troubleshooting Prompt + namespace: default + promptType: standard + timestamp: '2025-04-30T22:30:00Z' + updatedAt: '2025-04-30T22:45:00Z' + updatedBy: jdoe + users: + - full_name: John Doe + username: jdoe + page: 1 + perPage: 20 + total: 142 schema: - oneOf: - - $ref: '#/components/schemas/Security_Lists_API_ListItem' - - items: - $ref: '#/components/schemas/Security_Lists_API_ListItem' + example: + data: + - categories: + - troubleshooting + - logging + color: '#FF5733' + consumer: security + content: If you encounter an error, check the logs and retry. + createdAt: '2025-04-20T21:00:00Z' + createdBy: jdoe + id: prompt-123 + isDefault: true + isNewConversationDefault: false + name: Error Troubleshooting Prompt + namespace: default + promptType: standard + timestamp: '2025-04-30T22:30:00Z' + updatedAt: '2025-04-30T22:45:00Z' + updatedBy: jdoe + users: + - full_name: John Doe + username: jdoe + page: 1 + perPage: 20 + total: 142 + type: object + properties: + data: + description: The list of prompts returned based on the search query, sorting, and pagination. 
+ items: + $ref: '#/components/schemas/Security_AI_Assistant_API_PromptResponse' type: array - description: Successful response + page: + description: Current page number. + example: 1 + type: integer + perPage: + description: Number of prompts per page. + example: 20 + type: integer + total: + description: Total number of prompts matching the query. + example: 142 + type: integer + required: + - page + - perPage + - total + - data + description: Successful response containing a list of prompts. '400': content: application/json: examples: - badRequest: + FindPromptsResponse400Example: value: - message: >- - Either \"list_id\" or \"id\" needs to be defined in the - request - status_code: 400 + error: Bad Request + message: Invalid sort order value provided. + statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': + type: object + properties: + error: + description: Short error message. + example: Bad Request + type: string + message: + description: Detailed description of the error. + example: Invalid sort order value provided. + type: string + statusCode: + description: HTTP status code for the error. + example: 400 + type: number + description: Bad request due to invalid parameters or malformed query. + summary: Get prompts + tags: + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request GET 'http://localhost:5601/api/security_ai_assistant/prompts/_find?page=1&per_page=20' \ + --header "Authorization: $API_KEY" + x-metaTags: + - content: Kibana + name: product_name + /api/security/entity_store: + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/security/entity_store
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update the Entity Store log extraction configuration.

[Required authorization] Route required privileges: securitySolution. + operationId: put-security-entity-store + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + updateLogExtractionExample: + description: Update the log extraction configuration with a new lookback period and frequency. + summary: Update log extraction settings + value: + logExtraction: + fieldHistoryLength: 15 + frequency: 10m + lookbackPeriod: 6h + schema: + additionalProperties: false + type: object + properties: + logExtraction: + additionalProperties: false + type: object + properties: + additionalIndexPatterns: + items: + type: string + type: array + delay: + pattern: '[smdh]$' + type: string + docsLimit: + maximum: 9007199254740991 + minimum: 1 + type: integer + excludedIndexPatterns: + items: + type: string + type: array + fieldHistoryLength: + maximum: 9007199254740991 + minimum: -9007199254740991 + type: integer + frequency: + pattern: '[smdh]$' + type: string + lookbackPeriod: + pattern: '[smdh]$' + type: string + maxLogsPerPage: + maximum: 9007199254740991 + minimum: 1 + type: integer + maxLogsPerWindow: + maximum: 9007199254740991 + minimum: 0 + type: integer + maxLogsPerWindowCapBehavior: + enum: + - defer + - drop + type: string + maxTimeWindowSize: + pattern: '[smdh]$' + type: string + required: + - logExtraction + responses: + '200': content: application/json: examples: - unauthorized: + updateSuccessExample: + description: The Entity Store configuration was successfully updated. 
+ summary: Entity Store updated value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': + ok: true + description: Indicates a successful response. + '400': content: application/json: examples: - forbidden: + invalidDurationExample: + description: A log extraction parameter has an invalid duration format. + summary: Invalid duration parameter value: - error: Forbidden - message: >- - API [DELETE /api/lists/items?id=pd1WRJQBs4HAK3VQeHFI] is - unauthorized for user, this action is granted by the - Kibana privileges [lists-all] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response + error: Bad Request + message: '[request body]: logExtraction.frequency: must be a valid duration of at least 30 seconds (e.g. 1m, 30s)' + statusCode: 400 + description: Bad request. '404': content: application/json: examples: - notFound: - value: - message: 'list item with id: \"pd1WRJQBs4HAK3VQeHFI\" not found' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List item not found response - '500': - content: - application/json: - examples: - serverError: + notFoundExample: + description: The Entity Store has not been installed yet. 
+ summary: Entity Store not installed value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Delete a value list item + error: Not Found + message: Entity store is not installed + statusCode: 404 + description: Entity Store not found. + summary: Update the Entity Store tags: - - Security Lists API + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X PUT -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ + -H "Content-Type: application/json" \ + -d '{"logExtraction":{"lookbackPeriod":"6h","frequency":"10m","fieldHistoryLength":15}}' \ + "${KIBANA_URL}/api/security/entity_store" + - lang: Console + source: | + PUT kbn://api/security/entity_store + { + "logExtraction": { + "lookbackPeriod": "6h", + "frequency": "10m", + "fieldHistoryLength": 15 + } + } + x-metaTags: + - content: Kibana + name: product_name + /api/security/entity_store/entities: get: - description: Get the details of a value list item. - operationId: ReadListItem + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/security/entity_store/entities
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List entity records from the Entity Store with paging, sorting, and filtering. Supports two modes: page-based pagination (page/per_page) and cursor-based pagination (searchAfter). The two modes cannot be combined.

[Required authorization] Route required privileges: securitySolution. + operationId: get-security-entity-store-entities parameters: - - description: >- - Value list item identifier. Required if `list_id` and `value` are - not specified. + - description: A Kibana Query Language (KQL) filter for the search-after mode. in: query - name: id + name: filter required: false schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' - - description: >- - Value list item list's `id` identfier. Required if `id` is not - specified. + type: string + - description: Number of entities to return in search-after mode. in: query - name: list_id + name: size required: false schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' - - description: >- - The value used to evaluate exceptions. Required if `id` is not - specified. + maximum: 9007199254740991 + minimum: 1 + type: integer + - description: JSON-encoded search_after value for cursor-based pagination. in: query - name: value + name: searchAfter + required: false + schema: + type: string + - description: Fields to include in the response source. + in: query + name: source + required: false + schema: + items: + type: string + type: array + - description: Fields to include in the response. + in: query + name: fields + required: false + schema: + items: + type: string + type: array + - description: Field to sort results by in page mode. + in: query + name: sort_field + required: false + schema: + type: string + - description: Sort order in page mode. + in: query + name: sort_order + required: false + schema: + enum: + - asc + - desc + type: string + - description: Page number to return (1-indexed) in page mode. + in: query + name: page + required: false + schema: + maximum: 9007199254740991 + minimum: 1 + type: integer + - description: Number of entities per page in page mode. 
+ in: query + name: per_page + required: false + schema: + maximum: 10000 + minimum: 1 + type: integer + - description: An Elasticsearch query string to filter entities in page mode. + in: query + name: filterQuery required: false schema: - example: 127.0.0.2 type: string + - description: Entity types to include in the results. + in: query + name: entity_types + required: false + schema: + items: + enum: + - user + - host + - service + - generic + type: string + type: array responses: '200': content: application/json: examples: - ip: + emptyResultExample: + description: No entities matched the query. + summary: Empty result value: - _version: WzExLDFd - '@timestamp': 2025-01-08T05:16:25.882Z - created_at: 2025-01-08T05:16:25.882Z - created_by: elastic - id: qN1XRJQBs4HAK3VQs3Gc - list_id: ip_list - tie_breaker_id: a9a34c02-a385-436e-86a0-02a3942f3537 - type: ip - updated_at: 2025-01-08T05:16:25.882Z - updated_by: elastic - value: 127.0.0.2 - schema: - oneOf: - - $ref: '#/components/schemas/Security_Lists_API_ListItem' - - items: - $ref: '#/components/schemas/Security_Lists_API_ListItem' - type: array - description: Successful response + page: 1 + per_page: 10 + records: [] + total: 0 + pageModeExample: + description: A paginated list of host entities sorted by timestamp in descending order, including query inspection data. 
+ summary: Page mode response with host entities + value: + inspect: + dsl: + - '{"index":["entities-latest-default"],"body":{"terms":{"entity.EngineMetadata.Type":["host"]}}}' + response: + - '{"took":1,"timed_out":false,"hits":{"total":{"value":1,"relation":"eq"}}}' + page: 1 + per_page: 10 + records: + - '@timestamp': '2026-04-10T08:30:00.000Z' + asset: + criticality: high_impact + environment: production + entity: + attributes: + asset: true + managed: true + id: host:web-server-prod-01 + lifecycle: + first_seen: '2026-01-15T10:00:00.000Z' + last_activity: '2026-04-10T08:30:00.000Z' + name: web-server-prod-01 + risk: + calculated_level: Moderate + calculated_score: 47.5 + calculated_score_norm: 47.5 + source: + - logs + type: host + host: + hostname: + - web-server-prod-01.example.com + ip: + - 10.0.1.42 + name: web-server-prod-01 + os: + name: Ubuntu + type: linux + total: 1 + searchAfterModeExample: + description: A cursor-based response with entities and a search_after token for the next page. + summary: Search-after mode response + value: + entities: + - '@timestamp': '2026-04-10T08:30:00.000Z' + entity: + id: user:jane.doe@example.com + name: jane.doe + type: user + user: + email: + - jane.doe@example.com + name: jane.doe + nextSearchAfter: + - 1712736600000 + - 1 + description: Indicates a successful response. 
'400': content: application/json: examples: - badRequest: - value: - message: >- - Either \"list_id\" or \"id\" needs to be defined in the - request - status_code: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [GET /api/lists/items?id=qN1XRJQBs4HAK3VQs3Gc] is - unauthorized for user, this action is granted by the - Kibana privileges [lists-read] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: + invalidFilterExample: + description: The provided Kibana Query Language filter could not be parsed. + summary: Invalid filter value: - message: 'list item id: \"foo\" not found' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List item not found response - '500': - content: - application/json: - examples: - serverError: + error: Bad Request + message: |- + Invalid filter: Expected "(", "{", value, whitespace but ":" found. 
+ invalid :: query + ---------^ + statusCode: 400 + mixedModesExample: + description: Cannot combine page-based pagination with cursor-based pagination in the same request. + summary: Mixed pagination modes value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Get a value list item + error: Bad Request + message: '[request query]: Cannot combine page/per_page with searchAfter' + statusCode: 400 + description: Bad request. + summary: List entities tags: - - Security Lists API - patch: - description: >- - Update specific fields of an existing value list item using the item - `id`. - operationId: PatchListItem + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X GET -H "Authorization: ApiKey ${API_KEY}" \ + "${KIBANA_URL}/api/security/entity_store/entities?entity_types=host&page=1&per_page=10&sort_field=%40timestamp&sort_order=desc" + - lang: Console + source: | + GET kbn://api/security/entity_store/entities?entity_types=host&page=1&per_page=10&sort_field=@timestamp&sort_order=desc + x-metaTags: + - content: Kibana + name: product_name + /api/security/entity_store/entities/: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/security/entity_store/entities/
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a single entity record from the Entity Store. The entity is immediately removed from the latest index.

[Required authorization] Route required privileges: securitySolution. + operationId: delete-security-entity-store-entities + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: examples: - changeValue: + deleteEntityExample: + description: Delete a single entity from the Entity Store using its entity identifier. + summary: Delete an entity by identifier value: - id: pd1WRJQBs4HAK3VQeHFI - value: 255.255.255.255 + entityId: host:web-server-prod-01 schema: + additionalProperties: false type: object properties: - _version: - $ref: '#/components/schemas/Security_Lists_API_ListVersionId' - id: - $ref: '#/components/schemas/Security_Lists_API_ListItemId' - meta: - $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' - refresh: - description: >- - Determines when changes made by the request are made visible - to search. - enum: - - 'true' - - 'false' - - wait_for + entityId: + description: The identifier of the entity to delete. 
type: string - value: - $ref: '#/components/schemas/Security_Lists_API_ListItemValue' required: - - id - description: Value list item's properties - required: true + - entityId responses: '200': content: application/json: examples: - ipItem: - value: - _version: WzE5LDFd - '@timestamp': 2025-01-08T05:15:05.159Z - created_at: 2025-01-08T05:15:05.159Z - created_by: elastic - id: pd1WRJQBs4HAK3VQeHFI - list_id: ip_list - tie_breaker_id: eee41dc7-1666-4876-982f-8b0f7b59eca3 - type: ip - updated_at: 2025-01-08T05:23:37.602Z - updated_by: elastic - value: 255.255.255.255 - schema: - $ref: '#/components/schemas/Security_Lists_API_ListItem' - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - message: >- - {"took":15,"timed_out":false,"total":1,"updated":0,"deleted":0,"batches":1,"version_conflicts":0,"noops":0,"retries":{"bulk":0,"search":0},"throttled_millis":0,"requests_per_second":-1,"throttled_until_millis":0,"failures":[{"index":".ds-.items-default-2025.01.09-000001","id":"ip_item","cause":{"type":"document_parsing_exception","reason":"[1:107] - failed to parse field [ip] of type [ip] in document with - id ip_item. 
Preview of fields value: - 2","caused_by":{"type":"illegal_argument_exception","reason":"2 - is not an IP string literal."}},"status":400}]} - status_code: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: + deleteSuccessExample: + description: The entity was found and successfully removed from the latest index. + summary: Entity deleted value: - error: Forbidden - message: >- - API [PATCH /api/lists/items] is unauthorized for user, - this action is granted by the Kibana privileges - [lists-all] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response + deleted: true + description: Indicates the entity was successfully deleted. '404': content: application/json: examples: - notFound: - value: - message: 'list item id: \"foo\" not found' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List item not found response - '500': - content: - application/json: - examples: - serverError: + notFoundExample: + description: No entity with the specified identifier exists in the Entity Store. 
+ summary: Entity not found value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Patch a value list item + error: Not Found + message: Entity ID 'host:web-server-prod-01' not found + statusCode: 404 + description: Entity not found. + summary: Delete an entity tags: - - Security Lists API + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X DELETE -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ + -H "Content-Type: application/json" \ + -d '{"entityId":"host:web-server-prod-01"}' \ + "${KIBANA_URL}/api/security/entity_store/entities/" + - lang: Console + source: | + DELETE kbn://api/security/entity_store/entities/ + { + "entityId": "host:web-server-prod-01" + } + x-metaTags: + - content: Kibana + name: product_name + /api/security/entity_store/entities/{entityType}: post: - description: > - Create a value list item and associate it with the specified value list. + description: |- + **Spaces method and path for this operation:** +
post /s/{space_id}/api/security/entity_store/entities/{entityType}
- All value list items in the same list must be the same type. For - example, each list item in an `ip` list must define a specific IP - address. - - > info + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - > Before creating a list item, you must create a list. - operationId: CreateListItem + Create a new entity record in the Entity Store for the specified entity type.

[Required authorization] Route required privileges: securitySolution. + operationId: post-security-entity-store-entities-entitytype + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The entity type to create. + in: path + name: entityType + required: true + schema: + enum: + - user + - host + - service + - generic + type: string requestBody: content: application/json: examples: - ip: - value: - list_id: ip_list - value: 127.0.0.1 - ip_range: - value: - list_id: ip_range_list - value: 192.168.0.0/16 - keyword: + createHostEntityExample: + description: Create a new host entity record with basic host and entity fields. The entity identifier must match the auto-generated format for the entity type. + summary: Create a host entity value: - list_id: keyword_list - value: zeek + asset: + business_unit: Engineering + criticality: high_impact + environment: production + entity: + attributes: + asset: true + managed: true + id: host:web-server-prod-01 + name: web-server-prod-01 + source: + - manual + type: host + host: + hostname: + - web-server-prod-01.example.com + ip: + - 10.0.1.42 + name: web-server-prod-01 schema: - type: object - properties: - id: - $ref: '#/components/schemas/Security_Lists_API_ListItemId' - list_id: - $ref: '#/components/schemas/Security_Lists_API_ListId' - meta: - $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' - refresh: - description: >- - Determines when changes made by the request are made visible - to search. 
- enum: - - 'true' - - 'false' - - wait_for - example: wait_for - type: string - value: - $ref: '#/components/schemas/Security_Lists_API_ListItemValue' - required: - - list_id - - value - description: Value list item's properties - required: true + anyOf: + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: 
^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + 
user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + 
properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical 
+ type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + labels: + additionalProperties: {} + type: object + properties: {} + tags: + items: + type: string + type: array + user: + additionalProperties: false + type: object + properties: + domain: + items: + type: string + type: array + email: + items: + type: string + type: array + full_name: + items: + type: string + type: array + hash: + items: + type: string + type: array + id: + items: + type: string + type: array + name: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + roles: + items: + type: string + type: array + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - 
extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: 
^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: 
array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: 
string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + 
type: string + host: + additionalProperties: false + type: object + properties: + architecture: + items: + type: string + type: array + domain: + items: + type: string + type: array + hostname: + items: + type: string + type: array + id: + items: + type: string + type: array + ip: + items: + type: string + type: array + mac: + items: + type: string + type: array + name: + type: string + os: + additionalProperties: false + type: object + properties: + family: + type: string + full: + type: string + kernel: + type: string + name: + anyOf: + - type: string + - items: + type: string + type: array + platform: + type: string + type: + anyOf: + - type: string + - items: + type: string + type: array + version: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + type: + items: + type: string + type: array + labels: + additionalProperties: {} + type: object + properties: {} + tags: + items: + type: string + type: array + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + entity: + additionalProperties: false + 
type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + 
raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + 
type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate 
+ - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + labels: + additionalProperties: {} + type: object + properties: {} + service: + additionalProperties: false + type: object + properties: + address: + type: string + environment: + type: string + ephemeral_id: + type: string + id: + type: string + name: + type: string + node: + additionalProperties: false + type: object + properties: + name: + type: string + role: + type: string + roles: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: 
+ calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + state: + type: string + type: + type: string + version: + type: string + tags: + items: + type: string + type: array + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + cloud: + additionalProperties: false + type: object + properties: + account: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + availability_zone: + type: string + instance: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + machine: + additionalProperties: false + type: object + properties: + type: + type: string + project: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + provider: + type: string + region: + type: string + service: + additionalProperties: false + type: object + properties: + name: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: 
+ type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string 
+ type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + 
type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + 
additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + labels: + additionalProperties: {} + type: object + properties: {} + orchestrator: + additionalProperties: false + type: object + properties: + api_version: + type: string + cluster: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + url: + type: string + version: + type: string + namespace: + type: string + organization: + type: string + resource: + additionalProperties: false + type: object + properties: + annotation: + type: string + id: + type: string + ip: + type: string + label: + type: string + name: + type: string + parent: + additionalProperties: false + type: object + properties: 
+ type: + type: string + type: + type: string + type: + type: string + tags: + items: + type: string + type: array responses: '200': content: application/json: examples: - ip: - value: - _version: WzAsMV0= - '@timestamp': 2025-01-08T04:59:06.154Z - created_at: 2025-01-08T04:59:06.154Z - created_by: elastic - id: 21b01cfb-058d-44b9-838c-282be16c91cc - list_id: ip_list - tie_breaker_id: b57c762c-3036-465c-9bfb-7bfb5e6e515a - type: ip - updated_at: 2025-01-08T04:59:06.154Z - updated_by: elastic - value: 127.0.0.1 - ip_range: - value: - _version: WzEsMV0= - '@timestamp': 2025-01-09T18:33:08.202Z - created_at: 2025-01-09T18:33:08.202Z - created_by: elastic - id: ip_range_item - list_id: ip_range_list - tie_breaker_id: ea1b4189-efda-4637-b8f9-74655a5ebb61 - type: ip_range - updated_at: 2025-01-09T18:33:08.202Z - updated_by: elastic - value: 192.168.0.0/16 - keyword: + createSuccessExample: + description: The entity record was successfully created in the Entity Store. + summary: Entity created value: - _version: WzIsMV0= - '@timestamp': 2025-01-09T18:34:29.422Z - created_at: 2025-01-09T18:34:29.422Z - created_by: elastic - id: 7f24737d-1da8-4626-a568-33070591bb4e - list_id: keyword_list - tie_breaker_id: 2108ced2-5e5d-401e-a88e-4dd69fc5fa27 - type: keyword - updated_at: 2025-01-09T18:34:29.422Z - updated_by: elastic - value: zeek - schema: - $ref: '#/components/schemas/Security_Lists_API_ListItem' - description: Successful response + ok: true + description: Indicates the entity was successfully created. '400': content: application/json: examples: - badRequest: + euidMismatchExample: + description: The supplied entity identifier does not match the auto-generated identifier derived from the entity fields. 
+ summary: Entity identifier mismatch value: error: Bad Request - message: >- - uri [/api/lists/items] with method [post] exists but is - not available with the current configuration + message: 'Bad request: Supplied ID my-custom-id does not match generated EUID host:web-server-prod-01' statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [POST /api/lists/items] is unauthorized for user, this - action is granted by the Kibana privileges [lists-all] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - examples: - listNotFound: - value: - message: 'list id: \"ip_list\" does not exist' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response + description: Bad request. 
'409': content: application/json: examples: - alreadyExists: - value: - message: 'list item id: \"ip_item\" already exists' - status_code: 409 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List item already exists response - '500': - content: - application/json: - examples: - serverError: + conflictExample: + description: An entity with the specified identifier already exists. + summary: Entity already exists value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Create a value list item + error: Conflict + message: Entity ID 'host:web-server-prod-01' already exists + statusCode: 409 + description: Conflict. + summary: Create an entity tags: - - Security Lists API + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X POST -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ + -H "Content-Type: application/json" \ + -d '{"entity":{"id":"host:web-server-prod-01","name":"web-server-prod-01","type":"host","source":["manual"],"attributes":{"asset":true}},"host":{"name":"web-server-prod-01","ip":["10.0.1.42"]}}' \ + "${KIBANA_URL}/api/security/entity_store/entities/host" + - lang: Console + source: | + POST kbn://api/security/entity_store/entities/host + { + "entity": { + "id": "host:web-server-prod-01", + "name": "web-server-prod-01", + "type": "host", + "source": ["manual"], + "attributes": { "asset": true } + }, + "host": { + "name": "web-server-prod-01", + "ip": ["10.0.1.42"] + } + } + x-metaTags: + - content: Kibana + name: product_name put: - description: > - Update a value list item using the list item ID. The original list item - is replaced, and all unspecified fields are deleted. + description: |- + **Spaces method and path for this operation:** - > info +
put /s/{space_id}/api/security/entity_store/entities/{entityType}
- > You cannot modify the `id` value. - operationId: UpdateListItem + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an existing entity record in the Entity Store. By default only certain fields can be updated. Set the `force` query parameter to `true` to update protected fields.

[Required authorization] Route required privileges: securitySolution. + operationId: put-security-entity-store-entities-entitytype + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The entity type to update. + in: path + name: entityType + required: true + schema: + enum: + - user + - host + - service + - generic + type: string + - description: When true, allows updating protected fields. + in: query + name: force + required: false + schema: + anyOf: + - enum: + - 'true' + - 'false' + type: string + - type: boolean + default: false requestBody: content: application/json: examples: - fullReplace: + updateEntityAttributesExample: + description: Update the attributes of an existing user entity. Fields like entity.name and entity.type are protected and require the force query parameter. + summary: Update entity attributes value: - id: ip_item - value: 255.255.255.255 + entity: + attributes: + managed: true + mfa_enabled: true + id: user:jane.doe@example.com + lifecycle: + last_activity: '2026-04-10T14:30:00.000Z' + name: jane.doe + type: user + user: + email: + - jane.doe@example.com + name: jane.doe + roles: + - admin + - analyst schema: - example: - id: ip_item - value: 255.255.255.255 - type: object - properties: - _version: - $ref: '#/components/schemas/Security_Lists_API_ListVersionId' - id: - $ref: '#/components/schemas/Security_Lists_API_ListItemId' - meta: - $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' - value: - $ref: '#/components/schemas/Security_Lists_API_ListItemValue' - required: - - id - - value - description: Value list item's properties - required: true - responses: - '200': - content: - application/json: - examples: - ip: - value: - _version: WzIwLDFd - '@timestamp': 2025-01-08T05:15:05.159Z - created_at: 2025-01-08T05:15:05.159Z - created_by: elastic - id: pd1WRJQBs4HAK3VQeHFI - list_id: ip_list 
- tie_breaker_id: eee41dc7-1666-4876-982f-8b0f7b59eca3 - type: ip - updated_at: 2025-01-08T05:44:14.009Z - updated_by: elastic - value: 255.255.255.255 - schema: - $ref: '#/components/schemas/Security_Lists_API_ListItem' - description: Successful response - '400': + anyOf: + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: 
^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + 
user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + 
properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical 
+ type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + labels: + additionalProperties: {} + type: object + properties: {} + tags: + items: + type: string + type: array + user: + additionalProperties: false + type: object + properties: + domain: + items: + type: string + type: array + email: + items: + type: string + type: array + full_name: + items: + type: string + type: array + hash: + items: + type: string + type: array + id: + items: + type: string + type: array + name: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + roles: + items: + type: string + type: array + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - 
extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: 
^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: 
array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: 
string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + 
type: string + host: + additionalProperties: false + type: object + properties: + architecture: + items: + type: string + type: array + domain: + items: + type: string + type: array + hostname: + items: + type: string + type: array + id: + items: + type: string + type: array + ip: + items: + type: string + type: array + mac: + items: + type: string + type: array + name: + type: string + os: + additionalProperties: false + type: object + properties: + family: + type: string + full: + type: string + kernel: + type: string + name: + anyOf: + - type: string + - items: + type: string + type: array + platform: + type: string + type: + anyOf: + - type: string + - items: + type: string + type: array + version: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + type: + items: + type: string + type: array + labels: + additionalProperties: {} + type: object + properties: {} + tags: + items: + type: string + type: array + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + entity: + additionalProperties: false + 
type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + 
raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + 
type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate 
+ - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + labels: + additionalProperties: {} + type: object + properties: {} + service: + additionalProperties: false + type: object + properties: + address: + type: string + environment: + type: string + ephemeral_id: + type: string + id: + type: string + name: + type: string + node: + additionalProperties: false + type: object + properties: + name: + type: string + role: + type: string + roles: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: 
+ calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + state: + type: string + type: + type: string + version: + type: string + tags: + items: + type: string + type: array + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + cloud: + additionalProperties: false + type: object + properties: + account: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + availability_zone: + type: string + instance: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + machine: + additionalProperties: false + type: object + properties: + type: + type: string + project: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + provider: + type: string + region: + type: string + service: + additionalProperties: false + type: object + properties: + name: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: 
+ type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string 
+ type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + 
type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + 
additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + labels: + additionalProperties: {} + type: object + properties: {} + orchestrator: + additionalProperties: false + type: object + properties: + api_version: + type: string + cluster: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + url: + type: string + version: + type: string + namespace: + type: string + organization: + type: string + resource: + additionalProperties: false + type: object + properties: + annotation: + type: string + id: + type: string + ip: + type: string + label: + type: string + name: + type: string + parent: + additionalProperties: false + type: object + properties: 
+ type: + type: string + type: + type: string + type: + type: string + tags: + items: + type: string + type: array + responses: + '200': content: application/json: examples: - badRequest: + updateSuccessExample: + description: The entity record was successfully updated. + summary: Entity updated value: - error: Bad Request - message: '[request body]: id: Expected string, received number' - statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': + ok: true + description: Indicates the entity was successfully updated. + '400': content: application/json: examples: - unauthorized: + protectedFieldsExample: + description: The request attempts to update protected fields without the force query parameter. + summary: Protected fields without force value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': + error: Bad Request + message: 'Bad request: The following attributes are not allowed to be updated without forcing it (?force=true): entity.name, entity.type' + statusCode: 400 + description: Bad request. + '404': content: application/json: examples: - forbidden: + notFoundExample: + description: No entity with the specified identifier exists. 
+ summary: Entity not found value: - error: Forbidden - message: >- - API [PATCH /api/lists/items] is unauthorized for user, - this action is granted by the Kibana privileges - [lists-all] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': + error: Not Found + message: Entity ID 'user:jane.doe@example.com' not found + statusCode: 404 + description: Entity not found. + summary: Update an entity + tags: + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X PUT -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ + -H "Content-Type: application/json" \ + -d '{"entity":{"id":"user:jane.doe@example.com","name":"jane.doe","type":"user","attributes":{"managed":true,"mfa_enabled":true}},"user":{"name":"jane.doe"}}' \ + "${KIBANA_URL}/api/security/entity_store/entities/user?force=true" + - lang: Console + source: | + PUT kbn://api/security/entity_store/entities/user?force=true + { + "entity": { + "id": "user:jane.doe@example.com", + "name": "jane.doe", + "type": "user", + "attributes": { "managed": true, "mfa_enabled": true } + }, + "user": { "name": "jane.doe" } + } + x-metaTags: + - content: Kibana + name: product_name + /api/security/entity_store/entities/bulk: + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/security/entity_store/entities/bulk
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update multiple entity records in the Entity Store in a single request.

[Required authorization] Route required privileges: securitySolution. + operationId: put-security-entity-store-entities-bulk + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: When true, allows updating protected fields. + in: query + name: force + required: false + schema: + anyOf: + - enum: + - 'true' + - 'false' + type: string + - type: boolean + default: false + requestBody: + content: + application/json: + examples: + bulkUpdateExample: + description: Update a host entity and a user entity in a single request. + summary: Bulk update multiple entities + value: + entities: + - doc: + entity: + attributes: + asset: true + id: host:web-server-prod-01 + name: web-server-prod-01 + type: host + host: + name: web-server-prod-01 + type: host + - doc: + entity: + attributes: + managed: true + id: user:jane.doe@example.com + name: jane.doe + type: user + user: + name: jane.doe + type: user + schema: + additionalProperties: false + type: object + properties: + entities: + description: The entities to update. 
+ items: + type: object + properties: + doc: + anyOf: + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + 
type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: 
array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: 
array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: 
string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + labels: + additionalProperties: {} + type: object + properties: {} + tags: + items: + type: string + type: array + user: + additionalProperties: false + type: object + properties: + domain: + items: + type: string + type: array + email: + items: + type: string + type: array + full_name: + items: + type: string + type: array + hash: + items: + type: string + type: array + id: + items: + type: string + type: array + name: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + roles: + items: + type: string + type: array + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + entity: + additionalProperties: false + type: 
object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + 
raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + 
type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate 
+ - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + host: + additionalProperties: false + type: object + properties: + architecture: + items: + type: string + type: array + domain: + items: + type: string + type: array + hostname: + items: + type: string + type: array + id: + items: + type: string + type: array + ip: + items: + type: string + type: array + mac: + items: + type: string + type: array + name: + type: string + os: + additionalProperties: false + type: object + properties: + family: + type: string + full: + type: string + kernel: 
+ type: string + name: + anyOf: + - type: string + - items: + type: string + type: array + platform: + type: string + type: + anyOf: + - type: string + - items: + type: string + type: array + version: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + type: + items: + type: string + type: array + labels: + additionalProperties: {} + type: object + properties: {} + tags: + items: + type: string + type: array + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: 
+ items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + 
ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + 
user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + 
type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + labels: + additionalProperties: {} + type: object + properties: {} + service: + additionalProperties: false + type: object + properties: + address: + type: string + environment: + type: string + ephemeral_id: + type: string + id: + type: string + name: + type: string + node: + additionalProperties: false + type: object + properties: + name: + type: string + role: + type: string + roles: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + state: + type: string + type: + type: string + version: + type: string + tags: + items: + type: string + type: array + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: 
^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + cloud: + additionalProperties: false + type: object + properties: + account: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + availability_zone: + type: string + instance: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + machine: + additionalProperties: false + type: object + properties: + type: + type: string + project: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + provider: + type: string + region: + type: string + service: + additionalProperties: false + type: object + properties: + name: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: 
string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + 
additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + 
items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string 
+ type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + labels: + additionalProperties: {} + type: object + properties: {} + orchestrator: + additionalProperties: false + type: object + properties: + api_version: + type: string + cluster: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + url: + type: string + version: + type: string + namespace: + type: string + organization: + type: string + resource: + additionalProperties: false + type: object + properties: + annotation: + type: string + id: + type: string + ip: + type: string + label: + type: string + name: + type: string + parent: + additionalProperties: false + type: object + properties: + type: + type: string + type: + type: string + type: + type: string + tags: + items: + type: string + type: array + type: + description: The entity type of this record. 
+ enum: + - user + - host + - service + - generic + type: string + required: + - type + type: array + required: + - entities + responses: + '200': content: application/json: examples: - notFound: + bulkUpdatePartialExample: + description: Some entities were updated but others encountered Elasticsearch-level errors. + summary: Partial success with errors value: - message: 'list item id: \"foo\" not found' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List item not found response - '500': + errors: + - _id: 5de9f93a68a72532e736bf5a6184b06300b9cabf + reason: '[5de9f93a68a72532e736bf5a6184b06300b9cabf]: document missing' + status: 404 + type: document_missing_exception + ok: true + bulkUpdateSuccessExample: + description: All entities were successfully updated with no errors. + summary: All entities updated + value: + errors: [] + ok: true + description: Indicates a successful response. + '400': content: application/json: examples: - serverError: + protectedFieldsExample: + description: The request attempts to update protected fields without the force query parameter. + summary: Protected fields without force value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Update a value list item + error: Bad Request + message: 'Bad request: The following attributes are not allowed to be updated without forcing it (?force=true): entity.name, entity.type' + statusCode: 400 + description: Bad request. 
+ summary: Bulk update entities tags: - - Security Lists API - /api/lists/items/_export: + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X PUT -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ + -H "Content-Type: application/json" \ + -d '{"entities":[{"type":"host","doc":{"entity":{"id":"host:web-server-prod-01","name":"web-server-prod-01","type":"host","attributes":{"asset":true}},"host":{"name":"web-server-prod-01"}}}]}' \ + "${KIBANA_URL}/api/security/entity_store/entities/bulk?force=true" + - lang: Console + source: | + PUT kbn://api/security/entity_store/entities/bulk?force=true + { + "entities": [ + { + "type": "host", + "doc": { + "entity": { + "id": "host:web-server-prod-01", + "name": "web-server-prod-01", + "type": "host", + "attributes": { "asset": true } + }, + "host": { "name": "web-server-prod-01" } + } + } + ] + } + x-metaTags: + - content: Kibana + name: product_name + /api/security/entity_store/install: post: - description: Export list item values from the specified value list. - operationId: ExportListItems + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/security/entity_store/install
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Install the Entity Store and create engines for the specified entity types. A single `logExtraction` configuration is shared across all entity types. Supply it once at install to customize settings; omit it (or send an empty object) to use defaults on first install or preserve the existing configuration on re-install. To change settings after install, use the update endpoint.

[Required authorization] Route required privileges: securitySolution. + operationId: post-security-entity-store-install parameters: - - description: Value list's `id` to export. - in: query - name: list_id + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + installDefaultExample: + description: Install the Entity Store for all entity types with default log extraction settings. + summary: Install with default entity types + value: + entityTypes: + - user + - host + - service + - generic + logExtraction: {} + installWithCustomSettingsExample: + description: Install the Entity Store for host entities only with a custom lookback period and field history length. + summary: Install with custom log extraction + value: + entityTypes: + - host + logExtraction: + delay: 2m + fieldHistoryLength: 20 + frequency: 5m + lookbackPeriod: 12h + schema: + additionalProperties: false + type: object + properties: + entityTypes: + default: + - user + - host + - service + - generic + items: + enum: + - user + - host + - service + - generic + type: string + type: array + historySnapshot: + additionalProperties: false + type: object + properties: + frequency: + default: 24h + pattern: '[smdh]$' + type: string + logExtraction: + additionalProperties: false + type: object + properties: + additionalIndexPatterns: + default: [] + items: + type: string + type: array + delay: + default: 1m + pattern: '[smdh]$' + type: string + docsLimit: + default: 10000 + maximum: 9007199254740991 + minimum: 1 + type: integer + excludedIndexPatterns: + default: [] + items: + type: string + type: array + fieldHistoryLength: + default: 10 + maximum: 9007199254740991 + minimum: -9007199254740991 + type: integer + frequency: + default: 1m + pattern: '[smdh]$' + type: string + lookbackPeriod: + 
default: 3h + pattern: '[smdh]$' + type: string + maxLogsPerPage: + default: 40000 + maximum: 9007199254740991 + minimum: 1 + type: integer + maxLogsPerWindow: + default: 500000 + maximum: 9007199254740991 + minimum: 0 + type: integer + maxLogsPerWindowCapBehavior: + default: drop + enum: + - defer + - drop + type: string + maxTimeWindowSize: + default: 15m + pattern: '[smdh]$' + type: string responses: '200': - content: - application/ndjson: - examples: - ipLines: - value: | - 127.0.0.1 - 127.0.0.2 - 127.0.0.3 - schema: - description: A `.txt` file containing list items from the specified list - example: | - 127.0.0.1 - 127.0.0.2 - 127.0.0.3 - 127.0.0.4 - 127.0.0.5 - 127.0.0.6 - 127.0.0.7 - 127.0.0.8 - 127.0.0.9 - format: binary - type: string - description: Successful response - '400': content: application/json: examples: - badRequest: + alreadyInstalledExample: + description: All requested entity types were already installed. + summary: Already installed value: - error: 'Bad Request","message":"[request query]: list_id: Required' - statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': + ok: true + description: Indicates all requested entity types are already installed. + '201': content: application/json: examples: - unauthorized: + installSuccessExample: + description: The Entity Store was installed and engines are being created. 
+ summary: Entity Store installed value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response + ok: true + description: Indicates the Entity Store was successfully installed. '403': content: application/json: examples: - forbidden: + forbiddenExample: + description: The user does not have the required Elasticsearch privileges. + summary: Insufficient privileges value: error: Forbidden - message: >- - API [POST /api/lists/items/_export?list_id=ips.txt] is - unauthorized for user, this action is granted by the - Kibana privileges [lists-read] + message: User 'analyst' has insufficient privileges statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message: 'list id: "unknown_list" not found' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Export value list items + description: Insufficient privileges. 
+ summary: Install the Entity Store tags: - - Security Lists API - /api/lists/items/_find: + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X POST -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ + -H "Content-Type: application/json" \ + -d '{"entityTypes":["user","host","service","generic"],"logExtraction":{}}' \ + "${KIBANA_URL}/api/security/entity_store/install" + - lang: Console + source: | + POST kbn://api/security/entity_store/install + { + "entityTypes": ["user", "host", "service", "generic"], + "logExtraction": {} + } + x-metaTags: + - content: Kibana + name: product_name + /api/security/entity_store/resolution/group: get: - description: Get all value list items in the specified list. - operationId: FindListItems + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/security/entity_store/resolution/group
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the resolution group for a given entity, returning all linked entities. Requires an enterprise license.

[Required authorization] Route required privileges: securitySolution AND securitySolution-entity-analytics. + operationId: get-security-entity-store-resolution-group parameters: - - description: Parent value list's `id` to page through items for. + - description: The entity identifier to look up the resolution group for. in: query - name: list_id + name: entity_id required: true schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' - - description: The page number to return. - in: query - name: page - required: false - schema: - example: 1 - type: integer - - description: The number of list items to return per page. - in: query - name: per_page - required: false - schema: - example: 20 - type: integer - - description: Determines which field is used to sort the results. - in: query - name: sort_field - required: false - schema: - example: value - format: nonempty - minLength: 1 - type: string - - description: Determines the sort order, which can be `desc` or `asc` - in: query - name: sort_order - required: false - schema: - enum: - - desc - - asc - example: asc type: string - - description: > - Opaque cursor returned in a previous response; pass it to continue - listing from the next page. Omit on the first request. - in: query - name: cursor - required: false - schema: - $ref: '#/components/schemas/Security_Lists_API_FindListItemsCursor' - - description: > - Filters the returned results according to the value of the specified - field, - - using the : syntax. 
- in: query - name: filter - required: false - schema: - $ref: '#/components/schemas/Security_Lists_API_FindListItemsFilter' responses: '200': content: application/json: examples: - ip: - value: - cursor: >- - WzIwLFsiYjU3Yzc2MmMtMzAzNi00NjVjLTliZmItN2JmYjVlNmU1MTVhIl1d - data: - - _version: WzAsMV0= - '@timestamp': 2025-01-08T04:59:06.154Z - created_at: 2025-01-08T04:59:06.154Z - created_by: elastic - id: 21b01cfb-058d-44b9-838c-282be16c91cc - list_id: ip_list - tie_breaker_id: b57c762c-3036-465c-9bfb-7bfb5e6e515a - type: ip - updated_at: 2025-01-08T04:59:06.154Z - updated_by: elastic - value: 127.0.0.1 - page: 1 - per_page: 20 - total: 1 - schema: - type: object - properties: - cursor: - $ref: >- - #/components/schemas/Security_Lists_API_FindListItemsCursor - data: - items: - $ref: '#/components/schemas/Security_Lists_API_ListItem' - type: array - page: - minimum: 0 - type: integer - per_page: - minimum: 0 - type: integer - total: - minimum: 0 - type: integer - required: - - data - - page - - per_page - - total - - cursor - description: Successful response + resolutionGroupExample: + description: Returns the resolution group for an entity, including the target entity, all aliases, and the group size. + summary: Resolution group with linked entities + value: + aliases: + - '@timestamp': '2026-04-10T08:25:00.000Z' + entity: + id: user:jdoe@example.com + name: jdoe + relationships: + resolution: + resolved_to: user:jane.doe@example.com + type: user + user: + name: jdoe + group_size: 2 + target: + '@timestamp': '2026-04-10T08:30:00.000Z' + entity: + id: user:jane.doe@example.com + name: jane.doe + type: user + user: + email: + - jane.doe@example.com + name: jane.doe + description: Indicates a successful response. 
'400': content: application/json: examples: - badRequest: - value: - error: Bad Request, - message: '[request query]: list_id: Required' - statusCode: 400, - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: + truncatedSearchExample: + description: The resolution search returned too many results and was truncated. + summary: Search results truncated value: - error: Forbidden - message: >- - API [GET - /api/lists/items/_find?list_id=ip_list&page=1&per_page=20] - is unauthorized for user, this action is granted by the - Kibana privileges [lists-read] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '500': + error: Bad Request + message: Resolution search truncated + statusCode: 400 + description: Bad request. + '404': content: application/json: examples: - serverError: + notFoundExample: + description: The specified entity does not exist or has no resolution group. 
+ summary: Entity not found value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Get value list items + error: Not Found + message: 'Entities not found: [user:nonexistent@example.com]' + statusCode: 404 + description: Entity not found. + summary: Get resolution group tags: - - Security Lists API - /api/lists/items/_import: + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X GET -H "Authorization: ApiKey ${API_KEY}" \ + "${KIBANA_URL}/api/security/entity_store/resolution/group?entity_id=user%3Ajane.doe%40example.com" + - lang: Console + source: | + GET kbn://api/security/entity_store/resolution/group?entity_id=user:jane.doe@example.com + x-metaTags: + - content: Kibana + name: product_name + /api/security/entity_store/resolution/link: post: - description: > - Import value list items from a TXT or CSV file. The maximum file size is - 9 million bytes. - + description: |- + **Spaces method and path for this operation:** - You can import items to a new or existing list. - operationId: ImportListItems - parameters: - - description: | - List's id. +
post /s/{space_id}/api/security/entity_store/resolution/link
- Required when importing to an existing list. - in: query - name: list_id - required: false - schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' - - description: | - Type of the importing list. + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Required when importing a new list whose list `id` is not specified. - examples: - ip: - value: ip - in: query - name: type - required: false - schema: - $ref: '#/components/schemas/Security_Lists_API_ListType' - - description: >- - Determines when changes made by the request are made visible to - search. - in: query - name: refresh - required: false + Link one or more entities to a target entity, creating a resolution group. Changes become visible on subsequent reads after the next index refresh (typically <1s). Requires an enterprise license.

[Required authorization] Route required privileges: securitySolution AND securitySolution-entity-analytics. + operationId: post-security-entity-store-resolution-link + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - enum: - - 'true' - - 'false' - - wait_for - example: true + example: 'true' type: string requestBody: content: - multipart/form-data: + application/json: examples: - ipLinesFile: + linkEntitiesExample: + description: Link two user entities to a target entity, creating a resolution group. + summary: Link entities to a target value: - file: list_values.txt + entity_ids: + - user:jdoe@example.com + - user:j.doe@example.com + target_id: user:jane.doe@example.com schema: + additionalProperties: false type: object properties: - file: - description: >- - A `.txt` or `.csv` file containing newline separated list - items. - example: | - 127.0.0.1 - 127.0.0.2 - 127.0.0.3 - 127.0.0.4 - 127.0.0.5 - 127.0.0.6 - 127.0.0.7 - 127.0.0.8 - 127.0.0.9 - format: binary + entity_ids: + description: Entity identifiers to link to the target entity. Minimum 1, maximum 1000. + items: + type: string + maxItems: 1000 + minItems: 1 + type: array + target_id: + description: The entity identifier to resolve the linked entities to. type: string - required: true + required: + - target_id + - entity_ids responses: '200': content: application/json: examples: - ip: + linkSuccessExample: + description: The entities were successfully linked to the target entity. 
+ summary: Entities linked value: - _version: WzAsMV0= - '@timestamp': 2025-01-08T04:47:34.273Z - created_at: 2025-01-08T04:47:34.273Z - created_by: elastic - description: This list describes bad internet ip - id: ip_list - immutable: false - name: Simple list with an ip - tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 - type: ip - updated_at: 2025-01-08T04:47:34.273Z - updated_by: elastic - version: 1 - schema: - $ref: '#/components/schemas/Security_Lists_API_List' - description: Successful response + linked: + - user:jdoe@example.com + - user:j.doe@example.com + skipped: [] + target_id: user:jane.doe@example.com + description: Indicates a successful response. '400': content: application/json: examples: - badRequest: + mixedTypesExample: + description: All entities in a resolution group must be of the same type. + summary: Mixed entity types value: - message: Either type or list_id need to be defined in the query - status_code: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': + error: Bad Request + message: Cannot link entities of different types + statusCode: 400 + selfLinkExample: + description: Cannot link an entity to itself. + summary: Self-link error + value: + error: Bad Request + message: Cannot link entity 'user:jane.doe@example.com' to itself. + statusCode: 400 + description: Bad request. + '404': content: application/json: examples: - unauthorized: + notFoundExample: + description: One or more of the specified entity identifiers were not found. 
+ summary: Entities not found value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': + error: Not Found + message: 'Entities not found: [user:nonexistent@example.com, user:also-nonexistent@example.com]' + statusCode: 404 + description: Entities not found. + summary: Link entities + tags: + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X POST -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ + -H "Content-Type: application/json" \ + -d '{"target_id":"user:jane.doe@example.com","entity_ids":["user:jdoe@example.com"]}' \ + "${KIBANA_URL}/api/security/entity_store/resolution/link" + - lang: Console + source: | + POST kbn://api/security/entity_store/resolution/link + { + "target_id": "user:jane.doe@example.com", + "entity_ids": ["user:jdoe@example.com"] + } + x-metaTags: + - content: Kibana + name: product_name + /api/security/entity_store/resolution/unlink: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/security/entity_store/resolution/unlink
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Remove one or more entities from their resolution group. Changes become visible on subsequent reads after the next index refresh (typically <1s). Requires an enterprise license.

[Required authorization] Route required privileges: securitySolution AND securitySolution-entity-analytics. + operationId: post-security-entity-store-resolution-unlink + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + unlinkEntitiesExample: + description: Remove entities from their resolution group, restoring them as standalone entities. + summary: Unlink entities from their resolution group + value: + entity_ids: + - user:jdoe@example.com + - user:j.doe@example.com + schema: + additionalProperties: false + type: object + properties: + entity_ids: + description: Entity identifiers to unlink from their resolution group. Minimum 1, maximum 1000. + items: + type: string + maxItems: 1000 + minItems: 1 + type: array + required: + - entity_ids + responses: + '200': content: application/json: examples: - forbidden: + unlinkSuccessExample: + description: The entities were successfully removed from their resolution group. + summary: Entities unlinked value: - error: Forbidden - message: >- - API [POST /api/lists/items/_import?list_id=ip_list] is - unauthorized for user, this action is granted by the - Kibana privileges [lists-all] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '409': + skipped: [] + unlinked: + - user:jdoe@example.com + - user:j.doe@example.com + description: Indicates a successful response. + '404': content: application/json: examples: - conflict: + notFoundExample: + description: One or more of the specified entity identifiers were not found. 
+ summary: Entities not found value: - message: >- - List with the specified list_id does not exist, create the - list or fix list_id to import to an existing one - status_code: 409 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List with specified list_id does not exist response - '500': + error: Not Found + message: 'Entities not found: [user:nonexistent@example.com]' + statusCode: 404 + description: Entities not found. + summary: Unlink entities + tags: + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X POST -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ + -H "Content-Type: application/json" \ + -d '{"entity_ids":["user:jdoe@example.com"]}' \ + "${KIBANA_URL}/api/security/entity_store/resolution/unlink" + - lang: Console + source: | + POST kbn://api/security/entity_store/resolution/unlink + { + "entity_ids": ["user:jdoe@example.com"] + } + x-metaTags: + - content: Kibana + name: product_name + /api/security/entity_store/start: + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/security/entity_store/start
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Start previously stopped entity engines, resuming data processing for the specified entity types.

[Required authorization] Route required privileges: securitySolution. + operationId: put-security-entity-store-start + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + startAllExample: + description: Start all stopped entity engines. + summary: Start all entity engines + value: + entityTypes: + - user + - host + - service + - generic + startSingleExample: + description: Start only the host entity engine. + summary: Start a single entity engine + value: + entityTypes: + - host + schema: + additionalProperties: false + type: object + properties: + entityTypes: + default: + - user + - host + - service + - generic + description: Entity types to start. Defaults to all installed types. + items: + enum: + - user + - host + - service + - generic + type: string + type: array + responses: + '200': content: application/json: examples: - serverError: + startSuccessExample: + description: The specified entity engines were successfully started. + summary: Engines started value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Import value list items + ok: true + description: Indicates a successful response. 
+ summary: Start Entity Store engines tags: - - Security Lists API - /api/lists/privileges: + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X PUT -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ + -H "Content-Type: application/json" \ + -d '{"entityTypes":["user","host","service","generic"]}' \ + "${KIBANA_URL}/api/security/entity_store/start" + - lang: Console + source: | + PUT kbn://api/security/entity_store/start + { + "entityTypes": ["user", "host", "service", "generic"] + } + x-metaTags: + - content: Kibana + name: product_name + /api/security/entity_store/status: get: - description: > - Returns the caller's authentication state and the Elasticsearch - `cluster`, `index`, and `application` + description: |- + **Spaces method and path for this operation:** - privileges for `.lists` and `.items` data streams in the current Kibana - space. Use this to decide which list +
get /s/{space_id}/api/security/entity_store/status
- APIs (`read` vs `all` operations) are available before you create or - import lists. - operationId: ReadListPrivileges + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the overall Entity Store status and per-engine statuses, optionally including component-level health details.

[Required authorization] Route required privileges: securitySolution. + operationId: get-security-entity-store-status + parameters: + - description: If true, returns a detailed status of each engine including all its components. + in: query + name: include_components + required: false + schema: + anyOf: + - enum: + - 'true' + - 'false' + type: string + - type: boolean + default: false responses: '200': content: application/json: examples: - privileges: + notInstalledExample: + description: The Entity Store has not been installed. + summary: Entity Store not installed value: - is_authenticated: true - listItems: - application: {} - cluster: - all: true - manage: true - manage_api_key: true - manage_index_templates: true - manage_ml: true - manage_own_api_key: true - manage_pipeline: true - manage_security: true - manage_transform: true - monitor: true - monitor_ml: true - monitor_transform: true - has_all_requested: true - index: - .items-default: - all: true - create: true - create_doc: true - create_index: true - delete: true - delete_index: true - index: true - maintenance: true - manage: true - monitor: true - read: true - view_index_metadata: true - write: true - username: elastic - lists: - application: {} - cluster: - all: true - manage: true - manage_api_key: true - manage_index_templates: true - manage_ml: true - manage_own_api_key: true - manage_pipeline: true - manage_security: true - manage_transform: true - monitor: true - monitor_ml: true - monitor_transform: true - has_all_requested: true - index: - .lists-default: - all: true - create: true - create_doc: true - create_index: true - delete: true - delete_index: true - index: true - maintenance: true - manage: true - monitor: true - read: true - view_index_metadata: true - write: true - username: elastic - schema: - type: object - properties: - is_authenticated: - type: boolean - listItems: - $ref: '#/components/schemas/Security_Lists_API_ListItemPrivileges' - lists: - $ref: 
'#/components/schemas/Security_Lists_API_ListPrivileges' - required: - - lists - - listItems - - is_authenticated - description: Successful response - '400': + engines: [] + status: not_installed + runningStatusExample: + description: The Entity Store is running with two started engines using default settings. + summary: Entity Store running + value: + engines: + - delay: 1m + docsPerSecond: -1 + enrichPolicyExecutionInterval: null + fieldHistoryLength: 10 + filter: '' + frequency: 30s + indexPattern: '' + lastExecutionTimestamp: '2026-04-10T08:30:00.000Z' + lookbackPeriod: 3h + maxLogsPerPage: 40000 + maxLogsPerWindow: 500000 + maxLogsPerWindowCapBehavior: defer + maxPageSearchSize: 10000 + maxTimeWindowSize: 15m + status: started + timeout: 25s + timestampField: '@timestamp' + type: host + - delay: 1m + docsPerSecond: -1 + enrichPolicyExecutionInterval: null + fieldHistoryLength: 10 + filter: '' + frequency: 30s + indexPattern: '' + lastExecutionTimestamp: '2026-04-10T08:30:00.000Z' + lookbackPeriod: 3h + maxLogsPerPage: 40000 + maxLogsPerWindow: 500000 + maxLogsPerWindowCapBehavior: defer + maxPageSearchSize: 10000 + maxTimeWindowSize: 15m + status: started + timeout: 25s + timestampField: '@timestamp' + type: user + status: running + description: Indicates a successful response. + summary: Get Entity Store status + tags: + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X GET -H "Authorization: ApiKey ${API_KEY}" \ + "${KIBANA_URL}/api/security/entity_store/status?include_components=false" + - lang: Console + source: | + GET kbn://api/security/entity_store/status?include_components=false + x-metaTags: + - content: Kibana + name: product_name + /api/security/entity_store/stop: + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/security/entity_store/stop
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Stop running entity engines, pausing data processing for the specified entity types.

[Required authorization] Route required privileges: securitySolution. + operationId: put-security-entity-store-stop + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + stopAllExample: + description: Stop all running entity engines. + summary: Stop all entity engines + value: + entityTypes: + - user + - host + - service + - generic + schema: + additionalProperties: false + type: object + properties: + entityTypes: + default: + - user + - host + - service + - generic + description: Entity types to stop. Defaults to all running types. + items: + enum: + - user + - host + - service + - generic + type: string + type: array + responses: + '200': content: application/json: examples: - badRequest: + stopSuccessExample: + description: The specified entity engines were successfully stopped. + summary: Engines stopped value: - error: Bad Request - message: >- - Unable to resolve list privileges: invalid or missing - space context for this request - statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': + ok: true + description: Indicates a successful response. 
+ summary: Stop Entity Store engines + tags: + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X PUT -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ + -H "Content-Type: application/json" \ + -d '{"entityTypes":["user","host","service","generic"]}' \ + "${KIBANA_URL}/api/security/entity_store/stop" + - lang: Console + source: | + PUT kbn://api/security/entity_store/stop + { + "entityTypes": ["user", "host", "service", "generic"] + } + x-metaTags: + - content: Kibana + name: product_name + /api/security/entity_store/uninstall: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/security/entity_store/uninstall
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Uninstall the Entity Store, removing engines and associated resources for the specified entity types.

[Required authorization] Route required privileges: securitySolution. + operationId: post-security-entity-store-uninstall + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + uninstallAllExample: + description: Uninstall all entity engines from the Entity Store. + summary: Uninstall all entity types + value: + entityTypes: + - user + - host + - service + - generic + uninstallSingleExample: + description: Uninstall only the host engine from the Entity Store. + summary: Uninstall a single entity type + value: + entityTypes: + - host + schema: + additionalProperties: false + type: object + properties: + entityTypes: + default: + - user + - host + - service + - generic + description: Entity types to uninstall. Defaults to all installed types. + items: + enum: + - user + - host + - service + - generic + type: string + type: array + responses: + '200': content: application/json: examples: - unauthorized: + uninstallSuccessExample: + description: The specified entity engines were successfully uninstalled. + summary: Entity Store uninstalled value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': + ok: true + description: Indicates a successful response. 
+ summary: Uninstall the Entity Store + tags: + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X POST -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ + -H "Content-Type: application/json" \ + -d '{"entityTypes":["user","host","service","generic"]}' \ + "${KIBANA_URL}/api/security/entity_store/uninstall" + - lang: Console + source: | + POST kbn://api/security/entity_store/uninstall + { + "entityTypes": ["user", "host", "service", "generic"] + } + x-metaTags: + - content: Kibana + name: product_name + /api/security/role: + get: + description: Retrieve all Kibana roles. + operationId: get-security-role + parameters: + - description: If `true` and the response contains any privileges that are associated with deprecated features, they are omitted in favor of details about the appropriate replacement feature privileges. + in: query + name: replaceDeprecatedPrivileges + required: false + schema: + type: boolean + responses: + '200': content: application/json: examples: - forbidden: + getAllRolesResponse: value: - error: Forbidden - message: >- - API [GET /api/lists/privileges] is unauthorized for user, - this action is granted by the Kibana privileges - [lists-read] - statusCode: 403 + - _unrecognized_applications: [] + description: My custom Kibana role. + elasticsearch: + cluster: + - monitor + indices: + - names: + - logs-* + privileges: + - read + run_as: [] + kibana: + - base: + - read + feature: {} + spaces: + - default + metadata: {} + name: my_kibana_role + transient_metadata: + enabled: true + getRolesResponse1: + $ref: '#/components/examples/get_roles_response1' schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '500': + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_response' + type: array + description: Indicates a successful call. 
+ summary: Get all roles + tags: + - roles + x-metaTags: + - content: Kibana + name: product_name + /api/security/role/_query: + post: + description: Query Kibana roles with optional filters, paging, and sorting. + operationId: post-security-role-query + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + queryRolesRequest: + value: + from: 0 + query: kibana + size: 25 + sort: + direction: asc + field: name + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_security_query_roles_body' + responses: + '200': content: application/json: examples: - serverError: + queryRolesResponse: value: - message: Internal Server Error - status_code: 500 + count: 1 + roles: + - _unrecognized_applications: [] + description: My custom Kibana role. + elasticsearch: + cluster: + - monitor + indices: + - names: + - logs-* + privileges: + - read + run_as: [] + kibana: + - base: + - read + feature: {} + spaces: + - default + metadata: {} + name: my_kibana_role + transient_metadata: + enabled: true + total: 1 schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Get value list privileges - tags: - - Security Lists API - /api/logstash/pipeline/{id}: + $ref: '#/components/schemas/Kibana_HTTP_APIs_security_query_roles_response' + description: Indicates a successful call. + summary: Query roles + tags: [] + x-metaTags: + - content: Kibana + name: product_name + /api/security/role/{name}: delete: - description: > - Delete a centrally-managed Logstash pipeline. - - If your Elasticsearch cluster is protected with basic authentication, - you must have either the `logstash_admin` built-in role or a customized - Logstash writer role. 
- externalDocs: - description: Secure your connection - url: https://www.elastic.co/docs/reference/logstash/secure-connection - operationId: delete-logstash-pipeline + description: Delete a Kibana role by its name. + operationId: delete-security-role-name parameters: - - description: An identifier for the pipeline. + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The role name. in: path - name: id + name: name required: true schema: + minLength: 1 type: string responses: '204': - description: Indicates a successful call - summary: Delete a Logstash pipeline + description: Indicates a successful call. + summary: Delete a role tags: - - logstash - x-state: Technical Preview + - roles + x-metaTags: + - content: Kibana + name: product_name get: - description: > - Get information for a centrally-managed Logstash pipeline. - - To use this API, you must have either the `logstash_admin` built-in role - or a customized Logstash reader role. - externalDocs: - description: Secure your connection - url: https://www.elastic.co/docs/reference/logstash/secure-connection - operationId: get-logstash-pipeline + description: Retrieve a Kibana role by its name. + operationId: get-security-role-name parameters: - - description: An identifier for the pipeline. + - description: The role name. in: path - name: id + name: name required: true schema: + minLength: 1 type: string + - description: If `true` and the response contains any privileges that are associated with deprecated features, they are omitted in favor of details about the appropriate replacement feature privileges. 
+ in: query + name: replaceDeprecatedPrivileges + required: false + schema: + type: boolean responses: '200': content: application/json: examples: - getLogstashPipelineResponseExample1: - value: |- - { - "id": "hello-world", - "description": "Just a simple pipeline", - "username": "elastic", - "pipeline": "input { stdin {} } output { stdout {} }", - "settings": { - "queue.type": "persistent" - } - } + getRoleResponse: + value: + _unrecognized_applications: [] + description: My custom Kibana role. + elasticsearch: + cluster: + - monitor + indices: + - names: + - logs-* + privileges: + - read + run_as: [] + kibana: + - base: + - read + feature: {} + spaces: + - default + metadata: {} + name: my_kibana_role + transient_metadata: + enabled: true + getRoleResponse1: + $ref: '#/components/examples/get_role_response1' schema: - type: object - description: Indicates a successful call - summary: Get a Logstash pipeline + $ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_response' + description: Indicates a successful call. + summary: Get a role tags: - - logstash - x-state: Technical Preview + - roles + x-metaTags: + - content: Kibana + name: product_name put: - description: > - Create a centrally-managed Logstash pipeline or update a pipeline. - - To use this API, you must have either the `logstash_admin` built-in role - or a customized Logstash writer role. - externalDocs: - description: Secure your connection - url: https://www.elastic.co/docs/reference/logstash/secure-connection - operationId: put-logstash-pipeline + description: Create a new Kibana role or update the attributes of an existing role. Kibana roles are stored in the Elasticsearch native realm. + operationId: put-security-role-name parameters: - - description: > - An identifier for the pipeline. Pipeline ID must begin with a letter - or underscore and can contain only letters, underscores, dashes, - hyphens, and numbers. 
+ - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The role name. in: path - name: id + name: name required: true schema: + maxLength: 1024 + minLength: 1 type: string + - description: When true, a role is not overwritten if it already exists. + in: query + name: createOnly + required: false + schema: + default: false + type: boolean requestBody: content: application/json: examples: - putLogstashPipelineRequestExample1: + createOrUpdateRoleRequest: + value: + description: My custom Kibana role. + elasticsearch: + cluster: + - monitor + indices: + - names: + - logs-* + privileges: + - read + kibana: + - base: + - read + feature: {} + spaces: + - default + createRoleRequest1: + $ref: '#/components/examples/create_role_request1' + createRoleRequest2: + $ref: '#/components/examples/create_role_request2' + createRoleRequest3: + $ref: '#/components/examples/create_role_request3' + createRoleRequest4: + $ref: '#/components/examples/create_role_request4' + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_put_payload' + responses: + '204': + description: Indicates a successful call. + summary: Create or update a role + tags: + - roles + x-metaTags: + - content: Kibana + name: product_name + /api/security/roles: + post: + description: Create or update multiple Kibana roles in a single request. 
+ operationId: post-security-roles + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + bulkCreateOrUpdateRoles: + value: + roles: + my_kibana_role: + elasticsearch: + cluster: + - monitor + indices: + - names: + - logs-* + privileges: + - read + kibana: + - base: + - read + feature: {} + spaces: + - default + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_security_roles_bulk_create_or_update_payload' + responses: + '200': + content: + application/json: + examples: + bulkCreateOrUpdateRolesResponse: + value: + created: + - my_kibana_role + noop: [] + updated: [] + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_security_bulk_create_or_update_roles_response' + description: Indicates a successful call. + summary: Create or update roles + tags: + - roles + x-metaTags: + - content: Kibana + name: product_name + /api/security/session/_invalidate: + post: + description: | + Invalidate user sessions that match a query. To use this API, you must be a superuser. + operationId: post-security-session-invalidate + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + invalidateRequestExample1: + description: Run `POST api/security/session/_invalidate` to invalidate all existing sessions. + summary: Invalidate all sessions value: |- { - "pipeline": "input { stdin {} } output { stdout {} }", - "settings": { - "queue.type": "persisted" + "match" : "all" + } + invalidateRequestExample2: + description: Run `POST api/security/session/_invalidate` to invalidate sessions that were created by any SAML authentication provider. 
+ summary: Invalidate all SAML sessions + value: |- + { + "match" : "query", + "query": { + "provider" : { "type": "saml" } + } + } + invalidateRequestExample3: + description: Run `POST api/security/session/_invalidate` to invalidate sessions that were created by the SAML authentication provider named `saml1`. + summary: Invalidate sessions for a provider + value: |- + { + "match" : "query", + "query": { + "provider" : { "type": "saml", "name": "saml1" } + } + } + invalidateRequestExample4: + description: Run `POST api/security/session/_invalidate` to invalidate sessions that were created by any OpenID Connect authentication provider for the user with the username `user@my-oidc-sso.com`. + summary: Invalidate sessions for a user + value: |- + { + "match" : "query", + "query": { + "provider" : { "type": "oidc" }, + "username": "user@my-oidc-sso.com" } } schema: type: object properties: - description: - description: A description of the pipeline. - type: string - pipeline: - description: A definition for the pipeline. + match: + description: | + The method Kibana uses to determine which sessions to invalidate. If it is `all`, all existing sessions will be invalidated. If it is `query`, only the sessions that match the query will be invalidated. + enum: + - all + - query + type: string + query: + description: | + The query that Kibana uses to match the sessions to invalidate when the `match` parameter is set to `query`. + type: object + properties: + provider: + description: The authentication providers that will have their user sessions invalidated. + type: object + properties: + name: + description: The authentication provider name. + type: string + type: + description: | + The authentication provide type. For example: `basic`, `token`, `saml`, `oidc`, `kerberos`, or `pki`. + type: string + required: + - type + username: + description: The username that will have its sessions invalidated. 
+ type: string + required: + - provider + required: + - match + responses: + '200': + content: + application/json: + schema: + type: object + properties: + total: + description: The number of sessions that were successfully invalidated. + type: integer + description: Indicates a successful call + '403': + description: Indicates that the user may not be authorized to invalidate sessions for other users. + summary: Invalidate user sessions + tags: + - user session + x-metaTags: + - content: Kibana + name: product_name + /api/short_url: + post: + description: | + Kibana URLs may be long and cumbersome, short URLs are much easier to remember and share. + Short URLs are created by specifying the locator ID and locator parameters. When a short URL is resolved, the locator ID and locator parameters are used to redirect user to the right Kibana page. + operationId: post-url + requestBody: + content: + application/json: + examples: + createShortUrlRequest: + description: Request a short URL that resolves to a dashboard with a preset time range. + summary: Create a short URL for a dashboard locator + value: + locatorId: DASHBOARD_APP_LOCATOR + params: + dashboardId: edf84fe0-e1a0-11e7-b6d5-4dc382ef7f5b + timeRange: + from: now-7d + to: now + slug: my-dashboard + schema: + type: object + properties: + humanReadableSlug: + description: | + When the `slug` parameter is omitted, the API will generate a random human-readable slug if `humanReadableSlug` is set to true. + type: boolean + locatorId: + description: The identifier for the locator. 
type: string - settings: - description: > - Supported settings, represented as object keys, include the - following: - - - - `pipeline.workers` - - - `pipeline.batch.size` - - - `pipeline.batch.delay` - - - `pipeline.ecs_compatibility` - - - `pipeline.ordered` - - - `queue.type` - - - `queue.max_bytes` - - - `queue.checkpoint.writes` + params: + description: | + An object which contains all necessary parameters for the given locator to resolve to a Kibana location. + > warn + > When you create a short URL, locator params are not validated, which allows you to pass arbitrary and ill-formed data into the API that can break Kibana. Make sure any data that you send to the API is properly formed. type: object + slug: + description: | + A custom short URL slug. The slug is the part of the short URL that identifies it. You can provide a custom slug which consists of latin alphabet letters, numbers, and `-._` characters. The slug must be at least 3 characters long, but no longer than 255 characters. + type: string required: - - pipeline - responses: - '204': - description: Indicates a successful call - summary: Create or update a Logstash pipeline - tags: - - logstash - x-state: Technical Preview - /api/logstash/pipelines: - get: - description: > - Get a list of all centrally-managed Logstash pipelines. - - - To use this API, you must have either the `logstash_admin` built-in role - or a customized Logstash reader role. - - > info - - > Limit the number of pipelines to 10,000 or fewer. As the number of - pipelines nears and surpasses 10,000, you may see performance issues on - Kibana. - - - The `username` property appears in the response when security is enabled - and depends on when the pipeline was created or last updated. 
- externalDocs: - description: Secure your connection - url: https://www.elastic.co/docs/reference/logstash/secure-connection - operationId: get-logstash-pipelines + - locatorId + - params + required: true responses: '200': content: application/json: examples: - getLogstashPipelinesResponseExample1: - value: |- - { - "pipelines": [ - { - "id": "hello-world", - "description": "Just a simple pipeline", - "last_modified": "2018-04-14T12:23:29.772Z", - "username": "elastic" - }, - { - "id": "sleepy-pipeline", - "description": "", - "last_modified": "2018-03-24T03:41:30.554Z" - } - ] - } + createShortUrlResponse: + description: The created short URL record. + summary: Short URL created + value: + accessCount: 0 + accessDate: 1767225600000 + createDate: 1767225600000 + id: c54b04f5d4b3aa3c + locator: + id: DASHBOARD_APP_LOCATOR + state: + dashboardId: edf84fe0-e1a0-11e7-b6d5-4dc382ef7f5b + timeRange: + from: now-7d + to: now + version: 9.4.0 + slug: my-dashboard schema: - type: object - description: Indicates a successful call - summary: Get all Logstash pipelines + $ref: '#/components/schemas/Short_URL_APIs_urlResponse' + description: Indicates a successful call. + summary: Create a short URL tags: - - logstash + - short url x-state: Technical Preview - /api/ml/saved_objects/sync: + x-metaTags: + - content: Kibana + name: product_name + /api/short_url/_slug/{slug}: get: - description: > - Synchronizes Kibana saved objects for machine learning jobs and trained - models in the default space. You must have `all` privileges for the - **Machine Learning** feature in the **Analytics** section of the Kibana - feature privileges. This API runs automatically when you start Kibana - and periodically thereafter. - operationId: mlSync + description: | + Resolve a Kibana short URL by its slug. + operationId: resolve-url parameters: - - $ref: '#/components/parameters/Machine_learning_APIs_simulateParam' + - description: The slug of the short URL. 
+ in: path + name: slug + required: true + schema: + type: string responses: '200': content: application/json: examples: - syncExample: - $ref: '#/components/examples/Machine_learning_APIs_mlSyncExample' - schema: - $ref: '#/components/schemas/Machine_learning_APIs_mlSync200Response' - description: Indicates a successful call - '401': - content: - application/json: - examples: - syncExample: - $ref: '#/components/examples/Machine_learning_APIs_mlSync401Example' + resolveShortUrlResponse: + description: The short URL record matching the given slug. + summary: Short URL resolved by slug + value: + accessCount: 12 + accessDate: 1767744000000 + createDate: 1767225600000 + id: c54b04f5d4b3aa3c + locator: + id: DASHBOARD_APP_LOCATOR + state: + dashboardId: edf84fe0-e1a0-11e7-b6d5-4dc382ef7f5b + timeRange: + from: now-7d + to: now + version: 9.4.0 + slug: my-dashboard schema: - $ref: '#/components/schemas/Machine_learning_APIs_mlSync4xxResponse' - description: Authorization information is missing or invalid. - summary: Sync saved objects in the default space + $ref: '#/components/schemas/Short_URL_APIs_urlResponse' + description: Indicates a successful call. + summary: Resolve a short URL tags: - - ml - /api/ml/saved_objects/update_jobs_spaces: - post: - description: Update a list of jobs to add and/or remove them from given spaces. - operationId: mlUpdateJobsSpaces - requestBody: - content: - application/json: - examples: - updateADJobSpacesRequest: - value: - jobIds: - - test-job - jobType: anomaly-detector - spacesToAdd: - - default - spacesToRemove: - - '*' - updateDFAJobSpacesRequest: - value: - jobIds: - - test-job - jobType: data-frame-analytics - spacesToAdd: - - default - spacesToRemove: - - '*' + - short url + x-state: Technical Preview + x-metaTags: + - content: Kibana + name: product_name + /api/short_url/{id}: + delete: + description: | + Delete a Kibana short URL. 
+ operationId: delete-url + parameters: + - $ref: '#/components/parameters/Short_URL_APIs_idParam' + responses: + '200': + description: Indicates a successful call. + summary: Delete a short URL + tags: + - short url + x-state: Technical Preview + x-metaTags: + - content: Kibana + name: product_name + get: + description: | + Get a single Kibana short URL. + operationId: get-url + parameters: + - $ref: '#/components/parameters/Short_URL_APIs_idParam' responses: '200': content: application/json: examples: - successADResponse: - value: - test-job: - success: true - type: anomaly-detector - successDFAResponse: + getShortUrlResponse: + description: The short URL record matching the given identifier. + summary: Short URL retrieved by ID value: - test-job: - success: true - type: data-frame-analytics - description: Indicates a successful call - summary: Update jobs spaces + accessCount: 12 + accessDate: 1767744000000 + createDate: 1767225600000 + id: c54b04f5d4b3aa3c + locator: + id: DASHBOARD_APP_LOCATOR + state: + dashboardId: edf84fe0-e1a0-11e7-b6d5-4dc382ef7f5b + timeRange: + from: now-7d + to: now + version: 9.4.0 + slug: my-dashboard + schema: + $ref: '#/components/schemas/Short_URL_APIs_urlResponse' + description: Indicates a successful call. + summary: Get a short URL tags: - - ml - /api/ml/saved_objects/update_trained_models_spaces: + - short url + x-state: Technical Preview + x-metaTags: + - content: Kibana + name: product_name + /api/spaces/_copy_saved_objects: post: - description: >- - Update a list of trained models to add and/or remove them from given - spaces. - operationId: mlUpdateTrainedModelsSpaces + description: 'It also allows you to automatically copy related objects, so when you copy a dashboard, this can automatically copy over the associated visualizations, data views, and saved Discover sessions, as required. 
You can request to overwrite any objects that already exist in the target space if they share an identifier or you can use the resolve copy saved objects conflicts API to do this on a per-object basis.

[Required authorization] Route required privileges: copySavedObjectsToSpaces.' + operationId: post-spaces-copy-saved-objects + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: + schema: + additionalProperties: false + type: object + properties: + compatibilityMode: + default: false + description: Apply various adjustments to the saved objects that are being copied to maintain compatibility between different Kibana versions. Use this option only if you encounter issues with copied saved objects. This option cannot be used with the `createNewCopies` option. + type: boolean + createNewCopies: + default: true + description: Create new copies of saved objects, regenerate each object identifier, and reset the origin. When used, potential conflict errors are avoided. This option cannot be used with the `overwrite` and `compatibilityMode` options. + type: boolean + includeReferences: + default: false + description: When set to true, all saved objects related to the specified saved objects will also be copied into the target spaces. + type: boolean + objects: + items: + additionalProperties: false + type: object + properties: + id: + description: The identifier of the saved object to copy. + type: string + type: + description: The type of the saved object to copy. + type: string + required: + - type + - id + maxItems: 1000 + type: array + overwrite: + default: false + description: When set to true, all conflicts are automatically overridden. When a saved object with a matching type and identifier exists in the target space, that version is replaced with the version from the source space. This option cannot be used with the `createNewCopies` option. + type: boolean + spaces: + items: + description: The identifiers of the spaces where you want to copy the specified objects. 
+ type: string + maxItems: 100 + type: array + required: + - spaces + - objects examples: - updateTrainedModelsSpacesRequest: - value: - modelIds: - - test-model - spacesToAdd: - - default - spacesToRemove: - - '*' + copySavedObjectsRequestExample1: + $ref: '#/components/examples/copy_saved_objects_request1' + copySavedObjectsRequestExample2: + $ref: '#/components/examples/copy_saved_objects_request2' responses: '200': + description: 'OK: A successful request.' content: application/json: examples: - successTMResponse: - value: - test-model: - success: true - type: trained-model" - description: Indicates a successful call - summary: Update trained models spaces + copySavedObjectsResponseExample1: + $ref: '#/components/examples/copy_saved_objects_response1' + copySavedObjectsResponseExample2: + $ref: '#/components/examples/copy_saved_objects_response2' + copySavedObjectsResponseExample3: + $ref: '#/components/examples/copy_saved_objects_response3' + copySavedObjectsResponseExample4: + $ref: '#/components/examples/copy_saved_objects_response4' + summary: Copy saved objects between spaces tags: - - ml - /api/note: - delete: - description: > - Deletes notes by saved object ID. Send either `noteId` (single ID) or - `noteIds` (array of IDs) in the JSON body. - - - The response has HTTP 200 with an empty body on success. - - - Requires the **Timeline and Notes** write privilege (`notes_write`). - operationId: DeleteNote + - spaces + x-metaTags: + - content: Kibana + name: product_name + /api/spaces/_disable_legacy_url_aliases: + post: + description: Disable one or more legacy URL aliases so that they no longer resolve to their target saved objects. 
+ operationId: post-spaces-disable-legacy-url-aliases + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: - examples: - deleteOne: - summary: Delete a single note by id - value: - noteId: 709f99c6-89b6-4953-9160-35945c8e174e schema: - oneOf: - - nullable: true - type: object - properties: - noteId: - description: Saved object ID of the note to delete. - type: string - required: - - noteId - - nullable: true - type: object - properties: - noteIds: - description: Saved object IDs of the notes to delete. - items: + additionalProperties: false + type: object + properties: + aliases: + items: + additionalProperties: false + type: object + properties: + sourceId: + description: The alias source object identifier. This is the legacy object identifier. type: string - nullable: true - type: array - required: - - noteIds - description: > - Exactly one shape: `{ "noteId": "" }` for a single delete, or `{ - "noteIds": ["", ...] }` for bulk delete. - - `noteIds` may be null in some clients; prefer an empty array or omit - unused fields when possible. - required: true + targetSpace: + description: The space where the alias target object exists. + type: string + targetType: + description: 'The type of alias target object. ' + type: string + required: + - targetSpace + - targetType + - sourceId + maxItems: 1000 + type: array + required: + - aliases + examples: + disableLegacyURLRequestExample1: + $ref: '#/components/examples/disable_legacy_url_request1' responses: - '200': - description: The notes were deleted successfully. Response body is empty. - summary: Delete one or more notes + '204': + description: Indicates a successful call. + summary: Disable legacy URL aliases tags: - - Security Timeline API - - access:securitySolution - get: - description: > - Returns Security Timeline notes as saved objects. 
- - - **Query modes (mutually exclusive branches on the server):** - - - 1. **`documentIds` is set** — Returns notes whose `eventId` matches the - given Elasticsearch document `_id` (single string or array). Pagination - query parameters (`page`, `perPage`, etc.) are **not** applied; the - server uses a fixed page size (up to 10000 notes). - - - 2. **`savedObjectIds` is set** — Returns notes linked to the given - Timeline saved object id(s). Same fixed cap as above; list-mode query - parameters are **not** applied. - - - 3. **Neither `documentIds` nor `savedObjectIds`** — Lists notes using - saved-objects find semantics: `page` (default 1), `perPage` (default - 10), optional `search`, `sortField`, `sortOrder`, `filter`, - `createdByFilter`, and `associatedFilter`. - - - Requires the **Timeline and Notes** read privilege (`notes_read`). - operationId: GetNotes + - spaces + x-metaTags: + - content: Kibana + name: product_name + /api/spaces/_get_shareable_references: + post: + description: Collect references and space contexts for saved objects. + operationId: post-spaces-get-shareable-references parameters: - - description: > - Event document `_id` values to match against each note's `eventId`. - When this parameter is present, the response is all matching notes - (up to the server's hard limit), not a paged list using - `page`/`perPage`. - examples: - multiple: - summary: Multiple document ids (array) - value: - - id-one - - id-two - single: - summary: Single document id - value: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b - in: query - name: documentIds - schema: - $ref: '#/components/schemas/Security_Timeline_API_DocumentIds' - - description: > - Timeline `savedObjectId` value(s). Returns notes that reference - those timelines. When present, list-mode pagination parameters are - not used; up to the server's hard limit of notes may be returned. 
- examples: - singleTimeline: - summary: Single timeline id - value: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - in: query - name: savedObjectIds - schema: - $ref: '#/components/schemas/Security_Timeline_API_SavedObjectIds' - - description: > - Page number for list mode (when `documentIds` and `savedObjectIds` - are omitted). Passed as a string; default 1. - example: '1' - in: query - name: page - schema: - nullable: true - type: string - - description: > - Page size for list mode (when `documentIds` and `savedObjectIds` are - omitted). Passed as a string; default 10. - example: '20' - in: query - name: perPage - schema: - nullable: true - type: string - - description: Search string for saved-objects find (list mode only). - in: query - name: search - schema: - nullable: true - type: string - - description: Field to sort by for saved-objects find (list mode only). - in: query - name: sortField - schema: - nullable: true - type: string - - description: >- - Sort order (`asc` or `desc`) for saved-objects find (list mode - only). - example: desc - in: query - name: sortOrder - schema: - nullable: true - type: string - - description: > - Kuery filter string combined with other list-mode filters (for - example `createdByFilter` or `associatedFilter`). Typed as a string - for API compatibility; interpreted by the saved-objects layer (list - mode only). - in: query - name: filter - schema: - nullable: true - type: string - - description: > - Kibana user profile **UID** (UUID). The server resolves the user's - display identifiers and returns notes whose `createdBy` matches any - of them (list mode only). - example: f1c2d3e4-5b6a-7890-abcd-ef1234567890 - in: query - name: createdByFilter + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - nullable: true + example: 'true' type: string - - description: > - Restricts notes by how they relate to a Timeline and/or an event - document (list mode only). 
Some values apply extra filtering after - the query. Ignored when `documentIds` or `savedObjectIds` is used. - in: query - name: associatedFilter - schema: - $ref: '#/components/schemas/Security_Timeline_API_AssociatedFilterType' - responses: - '200': - content: - application/json: - examples: - notesPage: - summary: Paged notes for a timeline - value: - notes: - - eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc - note: Escalated to tier-2 analyst - noteId: 709f99c6-89b6-4953-9160-35945c8e174e - timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - version: WzQ2LDFd - totalCount: 1 - schema: - $ref: '#/components/schemas/Security_Timeline_API_GetNotesResult' - description: Notes and total count for the requested mode. - summary: Get notes - tags: - - Security Timeline API - - access:securitySolution - patch: - description: > - Creates a new note or updates an existing one. - - - **Create:** Send `note` and omit `noteId` to create a new saved object. - - - **Update:** Send `note` with the changed fields and set `noteId` to the - note's saved object ID. Optionally include `version` for optimistic - concurrency when the client has it from a prior read. - - - Requires the **Timeline and Notes** write privilege (`notes_write`). - externalDocs: - description: Add or update a note on a Timeline - url: >- - https://www.elastic.co/guide/en/security/current/timeline-api-update.html - operationId: PersistNoteRoute requestBody: content: application/json: - examples: - addNote: - summary: Add a note on an event - value: - note: - eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc - note: Escalated to tier-2 analyst - timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e schema: + additionalProperties: false type: object properties: - note: - $ref: '#/components/schemas/Security_Timeline_API_BareNote' - description: >- - Note payload (timeline, text, optional event linkage, - metadata). - noteId: - description: >- - The `savedObjectId` of the note to update. 
Omit when - creating a new note. - example: 709f99c6-89b6-4953-9160-35945c8e174e - nullable: true - type: string - version: - description: >- - Saved object version string from a previous read; optional - on update. - example: WzQ2LDFd - nullable: true - type: string + objects: + items: + additionalProperties: false + type: object + properties: + id: + type: string + type: + type: string + required: + - type + - id + maxItems: 1000 + type: array required: - - note - description: > - Body must include the `note` object. For updates, include `noteId` - (and optionally `version`). - - To attach a note to a specific event, set `note.eventId` to that - event's document `_id`; for a timeline-wide note, omit or clear - `eventId` per product rules. - required: true + - objects + examples: + getShareableReferencesRequestExample1: + $ref: '#/components/examples/get_shareable_references_request1' responses: '200': + description: Indicates a successful call. content: application/json: examples: - persisted: - summary: Persisted note wrapper - value: - note: - eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc - note: Escalated to tier-2 analyst - noteId: 709f99c6-89b6-4953-9160-35945c8e174e - timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - version: WzQ2LDFd - schema: - $ref: '#/components/schemas/Security_Timeline_API_ResponseNote' - description: The persisted note, including `noteId` and `version`. - summary: Add or update a note + getShareableReferencesResponseExample1: + $ref: '#/components/examples/get_shareable_references_response1' + summary: Get shareable references tags: - - Security Timeline API - - access:securitySolution - /api/observability_ai_assistant/chat/complete: + - spaces + x-metaTags: + - content: Kibana + name: product_name + /api/spaces/_resolve_copy_saved_objects_errors: post: - description: > - Create a new chat completion by using the Observability AI Assistant. - - - The API returns the model's response based on the current conversation - context. 
- - - It also handles any tool requests within the conversation, which may - trigger multiple calls to the underlying large language model (LLM). - - - This functionality is in technical preview and may be changed or removed - in a future release. Elastic will work to fix any issues, but features - in technical preview are not subject to the support SLA of official GA - features. - operationId: observability-ai-assistant-chat-complete + description: 'Overwrite saved objects that are returned as errors from the copy saved objects to space API.

[Required authorization] Route required privileges: copySavedObjectsToSpaces.' + operationId: post-spaces-resolve-copy-saved-objects-errors + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: - examples: - chatCompleteRequestExample: - $ref: >- - #/components/examples/Observability_AI_Assistant_API_ChatCompleteRequestExample schema: + additionalProperties: false type: object properties: - actions: - items: - $ref: >- - #/components/schemas/Observability_AI_Assistant_API_Function - type: array - connectorId: - description: A unique identifier for the connector. - type: string - conversationId: - description: >- - A unique identifier for the conversation if you are - continuing an existing conversation. - type: string - disableFunctions: - description: >- - Flag indicating whether all function calls should be - disabled for the conversation. If true, no calls to - functions will be made. + compatibilityMode: + default: false type: boolean - instructions: - description: >- - An array of instruction objects, which can be either simple - strings or detailed objects. - items: - $ref: >- - #/components/schemas/Observability_AI_Assistant_API_Instruction - type: array - messages: - description: >- - An array of message objects containing the conversation - history. + createNewCopies: + default: true + type: boolean + includeReferences: + default: false + type: boolean + objects: items: - $ref: >- - #/components/schemas/Observability_AI_Assistant_API_Message + additionalProperties: false + type: object + properties: + id: + type: string + type: + type: string + required: + - type + - id + maxItems: 1000 type: array - persist: - description: >- - Indicates whether the conversation should be saved to - storage. If true, the conversation will be saved and will be - available in Kibana. 
- type: boolean - title: - description: A title for the conversation. - type: string + retries: + additionalProperties: + items: + additionalProperties: false + type: object + properties: + createNewCopy: + description: Creates new copies of the saved objects, regenerates each object ID, and resets the origin. + type: boolean + destinationId: + description: Specifies the destination identifier that the copied object should have, if different from the current identifier. + type: string + id: + description: The saved object identifier. + type: string + ignoreMissingReferences: + description: When set to true, any missing references errors are ignored. + type: boolean + overwrite: + default: false + description: When set to true, the saved object from the source space overwrites the conflicting object in the destination space. + type: boolean + type: + description: The saved object type. + type: string + required: + - type + - id + maxItems: 1000 + type: array + type: object required: - - messages - - connectorId - - persist + - retries + - objects + examples: + resolveCopySavedObjectsRequestExample1: + $ref: '#/components/examples/resolve_copy_saved_objects_request1' + resolveCopySavedObjectsRequestExample2: + $ref: '#/components/examples/resolve_copy_saved_objects_request2' responses: '200': + description: 'OK: A successful request.' 
content: application/json: examples: - chatCompleteResponseExample: - $ref: >- - #/components/examples/Observability_AI_Assistant_API_ChatCompleteResponseExample - schema: - type: object - description: Successful response - summary: Generate a chat completion - tags: - - observability_ai_assistant - x-codeSamples: - - lang: cURL - source: > - curl --request POST - 'localhost:5601/api/observability_ai_assistant/chat/complete' -u - : -H 'kbn-xsrf: true' -H "Content-Type: - application/json" --data ' - - { - - "connectorId": "", - - "disableFunctions": false, - "messages": [ - { - "@timestamp": "2025-06-25T23:45:00.000Z", - "message": { - "role": "user", - "content": "Is my Elasticsearch cluster healthy right now?" - } - } - ], - "persist": false, - - "actions": [ - { - "name": "get_cluster_health", - "description": "Fetch the current Elasticsearch cluster-health status and key metrics.", - "parameters": { - "type": "object", - "properties": { - "includeShardStats": { - "type": "boolean", - "default": false - } - } - } - } - ], - - "instructions": ["When the user asks about Elasticsearch cluster - health, use the get_cluster_health tool to retrieve cluster health, - then summarize the response in plain English."] - - }' - x-state: Technical Preview - /api/osquery/history: - get: - description: > - Get a unified, time-sorted history of live, rule-triggered, and - scheduled osquery executions. The response uses cursor-based pagination. - operationId: OsqueryGetUnifiedHistory + resolveCopySavedObjectsResponseExample1: + $ref: '#/components/examples/copy_saved_objects_response1' + resolveCopySavedObjectsResponseExample2: + $ref: '#/components/examples/copy_saved_objects_response2' + summary: Resolve conflicts copying saved objects + tags: [] + x-metaTags: + - content: Kibana + name: product_name + /api/spaces/_update_objects_spaces: + post: + description: Update one or more saved objects to add or remove them from some spaces. 
+ operationId: post-spaces-update-objects-spaces parameters: - - description: The number of results to return per page. - in: query - name: pageSize - required: false - schema: - default: 20 - description: The number of results to return per page. - maximum: 100 - minimum: 1 - type: integer - - description: >- - A base64-encoded cursor for pagination. Use the value from the - previous response to fetch the next page. - in: query - name: nextPage - required: false - schema: - description: >- - A base64-encoded cursor for pagination. Use the value from the - previous response to fetch the next page. - type: string - - description: >- - A search string to filter history entries by pack name, query text, - or query ID. - in: query - name: kuery - required: false - schema: - description: >- - A search string to filter history entries by pack name, query - text, or query ID. - type: string - - description: Comma-separated list of user IDs to filter live query history. - in: query - name: userIds - required: false - schema: - description: Comma-separated list of user IDs to filter live query history. - example: elastic,admin - type: string - - description: >- - Comma-separated list of source types to include. Valid values are - `live`, `rule`, and `scheduled`. - in: query - name: sourceFilters - required: false - schema: - description: >- - Comma-separated list of source types to include. Valid values are - `live`, `rule`, and `scheduled`. - example: live,scheduled - type: string - - description: The start of the time range filter (ISO 8601). - in: query - name: startDate - required: false - schema: - description: The start of the time range filter (ISO 8601). - example: '2024-01-01T00:00:00Z' - type: string - - description: The end of the time range filter (ISO 8601). 
- in: query - name: endDate - required: false + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - description: The end of the time range filter (ISO 8601). - example: '2024-12-31T23:59:59Z' + example: 'true' type: string + requestBody: + content: + application/json: + schema: + additionalProperties: false + type: object + properties: + objects: + items: + additionalProperties: false + type: object + properties: + id: + description: The identifier of the saved object to update. + type: string + type: + description: The type of the saved object to update. + type: string + required: + - type + - id + maxItems: 1000 + type: array + spacesToAdd: + items: + description: The identifiers of the spaces the saved objects should be added to or removed from. + type: string + maxItems: 1000 + type: array + spacesToRemove: + items: + description: The identifiers of the spaces the saved objects should be added to or removed from. + type: string + maxItems: 1000 + type: array + required: + - objects + - spacesToAdd + - spacesToRemove + examples: + updateObjectSpacesRequestExample1: + $ref: '#/components/examples/update_saved_objects_spaces_request1' responses: '200': + description: 'OK: A successful request.' 
content: application/json: examples: - unifiedHistoryExample: - summary: Example unified history response - value: - data: - - actionId: 609c4c66-ba3d-43fa-afdd-53e244577aa0 - agentCount: 5 - errorCount: 0 - id: 3c42c847-eb30-4452-80e0-728584042334 - queryName: uptime_query - queryText: select * from uptime; - source: Live - sourceType: live - successCount: 5 - timestamp: '2024-07-26T09:59:32.220Z' - totalRows: 42 - userId: elastic - - agentCount: 10 - errorCount: 1 - executionCount: 3 - id: pack_my_pack_uptime_3 - packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d - packName: My Pack - plannedTime: '2024-07-26T09:00:00.000Z' - queryName: uptime - queryText: select * from uptime; - scheduleId: pack_my_pack_uptime - source: Scheduled - sourceType: scheduled - successCount: 9 - timestamp: '2024-07-26T09:00:00.000Z' - totalRows: 100 - hasMore: true - nextPage: eyJhY3Rpb25TZWFyY2hBZnRlciI6WzE3... - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_GetUnifiedHistoryResponse - description: Indicates a successful call. - summary: Get unified query history + updateObjectSpacesResponseExample1: + $ref: '#/components/examples/update_saved_objects_spaces_response1' + summary: Update saved objects in spaces tags: - - Security Osquery API - x-state: Generally available; Added in 9.4.0 - /api/osquery/live_queries: + - spaces + x-metaTags: + - content: Kibana + name: product_name + /api/spaces/space: get: - description: Get a list of all live queries. - operationId: OsqueryFindLiveQueries + description: Retrieve all available Kibana spaces. The list includes only the spaces that the user is authorized to access. + operationId: get-spaces-space parameters: - - description: A KQL search string to filter live queries. - in: query - name: kuery - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' - - description: The page number to return. 
- in: query - name: page - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' - - description: The number of results to return per page. - in: query - name: pageSize - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' - - description: The field to sort results by. + - description: Specifies which authorization checks are applied to the API call. The default value is `any`. in: query - name: sort + name: purpose required: false schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' - - description: The sort order. + enum: + - any + - copySavedObjectsIntoSpace + - shareSavedObjectsIntoSpace + type: string + - description: When enabled, the API returns any spaces the user is authorized to access in any capacity, each including the purposes for which the user is authorized. This is useful for identifying spaces the user can read but is not authorized for a given purpose. Without the security plugin, this parameter has no effect, because no authorization checks are performed. This parameter cannot be used together with the `purpose` parameter. in: query - name: sortOrder + name: include_authorized_purposes required: false schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' + type: boolean responses: '200': + description: Indicates a successful call. 
content: application/json: examples: - liveQueriesList: - summary: A list of recent live queries - value: - data: - items: - - _source: - '@timestamp': '2023-10-31T00:00:00Z' - action_id: 3c42c847-eb30-4452-80e0-728584042334 - agents: - - 16d7caf5-efd2-4212-9b62-73dafc91fa13 - expiration: '2023-10-31T00:00:00Z' - queries: - - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 - agents: - - 16d7caf5-efd2-4212-9b62-73dafc91fa13 - ecs_mapping: - host.uptime: - field: total_seconds - id: 6724a474-cbba-41ef-a1aa-66aebf0879e2 - query: select * from uptime; - saved_query_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d - user_id: elastic - total: 1 - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_FindLiveQueryResponse - description: Indicates a successful call. - summary: Get live queries + getSpacesResponseExample1: + $ref: '#/components/examples/get_spaces_response1' + getSpacesResponseExample2: + $ref: '#/components/examples/get_spaces_response2' + summary: Get all spaces tags: - - Security Osquery API + - spaces + x-metaTags: + - content: Kibana + name: product_name post: - description: Create and run a live query. - operationId: OsqueryCreateLiveQuery + description: Create a new Kibana space. 
+ operationId: post-spaces-space + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: - examples: - singleQueryAllAgents: - summary: Run a single query on all agents - value: - agent_all: true - ecs_mapping: - host.uptime: - field: total_seconds - query: select * from uptime; - targetedQuery: - summary: Run a query against specific agents - value: - agent_ids: - - 16d7caf5-efd2-4212-9b62-73dafc91fa13 - query: select * from processes; schema: - $ref: >- - #/components/schemas/Security_Osquery_API_CreateLiveQueryRequestBody - required: true + additionalProperties: false + type: object + properties: + _reserved: + type: boolean + color: + description: The hexadecimal color code used in the space avatar. By default, the color is automatically generated from the space name. + type: string + description: + description: A description for the space. + type: string + disabledFeatures: + default: [] + items: + description: The list of features that are turned off in the space. + type: string + maxItems: 100 + type: array + id: + description: The space ID that is part of the Kibana URL when inside the space. Space IDs are limited to lowercase alphanumeric, underscore, and hyphen characters (a-z, 0-9, _, and -). You are cannot change the ID with the update operation. + type: string + imageUrl: + description: The data-URL encoded image to display in the space avatar. If specified, initials will not be displayed and the color will be visible as the background color for transparent images. For best results, your image should be 64x64. Images will not be optimized by this API call, so care should be taken when using custom images. + type: string + initials: + description: One or two characters that are shown in the space avatar. By default, the initials are automatically generated from the space name. 
+ maxLength: 2 + type: string + name: + description: 'The display name for the space. ' + minLength: 1 + type: string + projectRouting: + description: Cross-project search default routing configuration for this space. Controls whether searches are scoped to a single project or span multiple projects in serverless environments. + type: string + solution: + enum: + - security + - oblt + - es + - classic + type: string + required: + - id + - name + examples: + createSpaceRequest: + $ref: '#/components/examples/create_space_request' responses: '200': content: application/json: - examples: - liveQueryCreated: - summary: Live query created - value: - data: - '@timestamp': '2022-07-26T09:59:32.220Z' - action_id: 3c42c847-eb30-4452-80e0-728584042334 - agent_all: true - agents: - - 16d7caf5-efd2-4212-9b62-73dafc91fa13 - expiration: '2022-07-26T10:04:32.220Z' - input_type: osquery - queries: - - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 - agents: - - 16d7caf5-efd2-4212-9b62-73dafc91fa13 - id: 6724a474-cbba-41ef-a1aa-66aebf0879e2 - query: select * from uptime; - timeout: 120 - type: INPUT_ACTION - user_id: elastic schema: - $ref: >- - #/components/schemas/Security_Osquery_API_CreateLiveQueryResponse + additionalProperties: false + type: object + properties: + _reserved: + type: boolean + color: + description: The hexadecimal color code used in the space avatar. By default, the color is automatically generated from the space name. + type: string + description: + description: A description for the space. + type: string + disabledFeatures: + default: [] + items: + description: The list of features that are turned off in the space. + type: string + maxItems: 100 + type: array + id: + description: The space ID that is part of the Kibana URL when inside the space. Space IDs are limited to lowercase alphanumeric, underscore, and hyphen characters (a-z, 0-9, _, and -). You are cannot change the ID with the update operation. 
+ type: string + imageUrl: + description: The data-URL encoded image to display in the space avatar. If specified, initials will not be displayed and the color will be visible as the background color for transparent images. For best results, your image should be 64x64. Images will not be optimized by this API call, so care should be taken when using custom images. + type: string + initials: + description: One or two characters that are shown in the space avatar. By default, the initials are automatically generated from the space name. + maxLength: 2 + type: string + name: + description: 'The display name for the space. ' + minLength: 1 + type: string + projectRouting: + description: Cross-project search default routing configuration for this space. Controls whether searches are scoped to a single project or span multiple projects in serverless environments. + type: string + solution: + enum: + - security + - oblt + - es + - classic + type: string + required: + - id + - name + examples: + createSpaceResponseExample: + $ref: '#/components/examples/get_space_response' description: Indicates a successful call. - summary: Create a live query + summary: Create a space tags: - - Security Osquery API - /api/osquery/live_queries/{id}: + - spaces + x-metaTags: + - content: Kibana + name: product_name + /api/spaces/space/{id}: + delete: + description: When you delete a space, all saved objects that belong to the space are automatically deleted, which is permanent and cannot be undone. + operationId: delete-spaces-space-id + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The space identifier. + in: path + name: id + required: true + schema: + type: string + responses: + '204': + description: Indicates a successful call. + '404': + description: Indicates that the request failed. 
+ summary: Delete a space + tags: + - spaces + x-metaTags: + - content: Kibana + name: product_name get: - description: Get the details of a live query using the query ID. - operationId: OsqueryGetLiveQueryDetails + description: Retrieve a single Kibana space by its identifier. + operationId: get-spaces-space-id parameters: - - description: The ID of the live query. + - description: The space identifier. in: path name: id required: true schema: - description: The ID of the live query result you want to retrieve. - example: 3c42c847-eb30-4452-80e0-728584042334 type: string responses: '200': content: application/json: examples: - liveQueryDetails: - summary: Live query details with execution status + getSpaceResponse: + description: A response that contains the full configuration for a single Kibana space. + summary: Get details about a marketing space value: - data: - '@timestamp': '2022-07-26T09:59:32.220Z' - action_id: 3c42c847-eb30-4452-80e0-728584042334 - agents: - - 16d7caf5-efd2-4212-9b62-73dafc91fa13 - expiration: '2022-07-26T10:04:32.220Z' - queries: - - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 - agents: - - 16d7caf5-efd2-4212-9b62-73dafc91fa13 - docs: 1 - failed: 0 - id: 6724a474-cbba-41ef-a1aa-66aebf0879e2 - pending: 0 - query: select * from uptime; - responded: 1 - status: completed - successful: 1 - status: completed - user_id: elastic + color: '#aabbcc' + description: This is the Marketing Space + disabledFeatures: [] + id: marketing + imageUrl: '' + initials: MK + name: Marketing + solution: es schema: - $ref: >- - #/components/schemas/Security_Osquery_API_FindLiveQueryDetailsResponse + additionalProperties: false + type: object + properties: + _reserved: + type: boolean + color: + description: The hexadecimal color code used in the space avatar. By default, the color is automatically generated from the space name. + type: string + description: + description: A description for the space. 
+ type: string + disabledFeatures: + default: [] + items: + description: The list of features that are turned off in the space. + type: string + maxItems: 100 + type: array + id: + description: The space ID that is part of the Kibana URL when inside the space. Space IDs are limited to lowercase alphanumeric, underscore, and hyphen characters (a-z, 0-9, _, and -). You are cannot change the ID with the update operation. + type: string + imageUrl: + description: The data-URL encoded image to display in the space avatar. If specified, initials will not be displayed and the color will be visible as the background color for transparent images. For best results, your image should be 64x64. Images will not be optimized by this API call, so care should be taken when using custom images. + type: string + initials: + description: One or two characters that are shown in the space avatar. By default, the initials are automatically generated from the space name. + maxLength: 2 + type: string + name: + description: 'The display name for the space. ' + minLength: 1 + type: string + projectRouting: + description: Cross-project search default routing configuration for this space. Controls whether searches are scoped to a single project or span multiple projects in serverless environments. + type: string + solution: + enum: + - security + - oblt + - es + - classic + type: string + required: + - id + - name description: Indicates a successful call. - summary: Get live query details + summary: Get a space tags: - - Security Osquery API - /api/osquery/live_queries/{id}/results/{actionId}: - get: - description: Get the results of a live query using the query action ID. - operationId: OsqueryGetLiveQueryResults + - spaces + x-metaTags: + - content: Kibana + name: product_name + put: + description: Update an existing Kibana space. + operationId: put-spaces-space-id parameters: - - description: The ID of the live query. 
- in: path - name: id + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: - description: The ID of the live query result you want to retrieve. - example: 3c42c847-eb30-4452-80e0-728584042334 + example: 'true' type: string - - description: The ID of the query action. + - description: The space identifier. You are unable to change the ID with the update operation. in: path - name: actionId + name: id required: true schema: - description: The ID of the query action that generated the live query results. - example: 609c4c66-ba3d-43fa-afdd-53e244577aa0 type: string - - description: A KQL search string to filter results. - in: query - name: kuery - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' - - description: The page number to return. - in: query - name: page - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' - - description: The number of results to return per page. - in: query - name: pageSize - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' - - description: The field to sort results by. - in: query - name: sort - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' - - description: The sort order. - in: query - name: sortOrder - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' + requestBody: + content: + application/json: + schema: + additionalProperties: false + type: object + properties: + _reserved: + type: boolean + color: + description: The hexadecimal color code used in the space avatar. By default, the color is automatically generated from the space name. + type: string + description: + description: A description for the space. + type: string + disabledFeatures: + default: [] + items: + description: The list of features that are turned off in the space. 
+ type: string + maxItems: 100 + type: array + id: + description: The space ID that is part of the Kibana URL when inside the space. Space IDs are limited to lowercase alphanumeric, underscore, and hyphen characters (a-z, 0-9, _, and -). You are cannot change the ID with the update operation. + type: string + imageUrl: + description: The data-URL encoded image to display in the space avatar. If specified, initials will not be displayed and the color will be visible as the background color for transparent images. For best results, your image should be 64x64. Images will not be optimized by this API call, so care should be taken when using custom images. + type: string + initials: + description: One or two characters that are shown in the space avatar. By default, the initials are automatically generated from the space name. + maxLength: 2 + type: string + name: + description: 'The display name for the space. ' + minLength: 1 + type: string + projectRouting: + description: Cross-project search default routing configuration for this space. Controls whether searches are scoped to a single project or span multiple projects in serverless environments. + type: string + solution: + enum: + - security + - oblt + - es + - classic + type: string + required: + - id + - name + examples: + updateSpaceRequest: + $ref: '#/components/examples/update_space_request' responses: '200': content: application/json: examples: - liveQueryResults: - summary: Result rows from a live query execution + updateSpaceResponse: + description: A response that contains the updated configuration of the Kibana space. 
+ summary: Update the marketing space value: - data: - edges: - - _id: doc1 - _source: - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 - agent: - id: 16d7caf5-efd2-4212-9b62-73dafc91fa13 - osquery: - total_seconds: '12345' - - _id: doc2 - _source: - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 - agent: - id: 16d7caf5-efd2-4212-9b62-73dafc91fa13 - osquery: - total_seconds: '67890' - total: 2 + color: '#aabbcc' + description: An updated description for the Marketing Space + disabledFeatures: [] + id: marketing + imageUrl: '' + initials: MK + name: Marketing + solution: es schema: - $ref: >- - #/components/schemas/Security_Osquery_API_GetLiveQueryResultsResponse + additionalProperties: false + type: object + properties: + _reserved: + type: boolean + color: + description: The hexadecimal color code used in the space avatar. By default, the color is automatically generated from the space name. + type: string + description: + description: A description for the space. + type: string + disabledFeatures: + default: [] + items: + description: The list of features that are turned off in the space. + type: string + maxItems: 100 + type: array + id: + description: The space ID that is part of the Kibana URL when inside the space. Space IDs are limited to lowercase alphanumeric, underscore, and hyphen characters (a-z, 0-9, _, and -). You are cannot change the ID with the update operation. + type: string + imageUrl: + description: The data-URL encoded image to display in the space avatar. If specified, initials will not be displayed and the color will be visible as the background color for transparent images. For best results, your image should be 64x64. Images will not be optimized by this API call, so care should be taken when using custom images. + type: string + initials: + description: One or two characters that are shown in the space avatar. By default, the initials are automatically generated from the space name. 
+ maxLength: 2 + type: string + name: + description: 'The display name for the space. ' + minLength: 1 + type: string + projectRouting: + description: Cross-project search default routing configuration for this space. Controls whether searches are scoped to a single project or span multiple projects in serverless environments. + type: string + solution: + enum: + - security + - oblt + - es + - classic + type: string + required: + - id + - name description: Indicates a successful call. - summary: Get live query results + summary: Update a space tags: - - Security Osquery API - /api/osquery/packs: + - spaces + x-metaTags: + - content: Kibana + name: product_name + /api/status: get: - description: Get a list of all query packs. - operationId: OsqueryFindPacks + description: Returns Kibana's overall operational status and a per-service breakdown for Elasticsearch, Saved Objects, and registered plugins. The endpoint is intended for liveness and readiness checks (for example, by Kubernetes probes) and for operators monitoring a Kibana deployment. Unauthenticated callers receive a redacted response that exposes only the overall status level. + operationId: get-status parameters: - - description: The page number to return. - in: query - name: page - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' - - description: The number of results to return per page. - in: query - name: pageSize - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' - - description: The field to sort results by. + - description: Set to "true" to get the response in v7 format. in: query - name: sort + name: v7format required: false schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' - - description: The sort order. + type: boolean + - description: Set to "true" to get the response in v8 format. 
in: query - name: sortOrder + name: v8format required: false schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' + type: boolean responses: '200': content: application/json: examples: - packsList: - summary: A list of query packs + statusAvailableResponse: + description: A successful response when Kibana and its core services are operating normally. + summary: Kibana is available value: - data: - - created_at: '2025-02-26T13:37:30.452Z' - created_by: elastic - description: My pack - enabled: true - name: my_pack - queries: - - id: ports - interval: 60 - query: SELECT * FROM listening_ports; - removed: false - snapshot: true - timeout: 120 - saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 - updated_at: '2025-02-26T13:37:30.452Z' - updated_by: elastic - version: 1 - page: 1 - per_page: 20 - total: 1 + metrics: + collection_interval_in_millis: 5000 + elasticsearch_client: + totalActiveSockets: 4 + totalIdleSockets: 2 + totalQueuedRequests: 0 + last_updated: '2026-04-30T12:00:05.000Z' + name: kibana + status: + core: + elasticsearch: + level: available + summary: Elasticsearch is available + savedObjects: + level: available + summary: SavedObjects service has completed migrations and is available + overall: + level: available + summary: All services are available + plugins: {} + uuid: 5b2de169-2785-441b-ae8c-186a1936b17d + version: + build_date: '2026-04-30T12:00:00.000Z' + build_flavor: traditional + build_hash: ad8f0fa4d5022f56bbe2c4d51e9d0fcfa1ee67fc + build_number: 100200 + build_snapshot: false + number: 9.3.0 + statusRedactedResponse: + description: A redacted response returned when the caller is unauthenticated or lacks the `monitor` cluster privilege. + summary: Kibana is available (redacted) + value: + status: + overall: + level: available schema: - $ref: '#/components/schemas/Security_Osquery_API_FindPacksResponse' - description: Indicates a successful call. 
- summary: Get packs + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_response' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_redactedResponse' + description: Kibana's operational status. A minimal response is sent for unauthorized users. + description: Overall status is OK and Kibana should be functioning normally. + '503': + content: + application/json: + examples: + statusUnavailableResponse: + description: A response when one or more core services are unavailable. + summary: Kibana is unavailable + value: + metrics: + collection_interval_in_millis: 5000 + elasticsearch_client: + totalActiveSockets: 0 + totalIdleSockets: 0 + totalQueuedRequests: 0 + last_updated: '2026-04-30T12:00:05.000Z' + name: kibana + status: + core: + elasticsearch: + level: unavailable + summary: Unable to connect to Elasticsearch + savedObjects: + level: unavailable + summary: SavedObjects service depends on Elasticsearch + overall: + level: unavailable + summary: Some services are unavailable + plugins: {} + uuid: 5b2de169-2785-441b-ae8c-186a1936b17d + version: + build_date: '2026-04-30T12:00:00.000Z' + build_flavor: traditional + build_hash: ad8f0fa4d5022f56bbe2c4d51e9d0fcfa1ee67fc + build_number: 100200 + build_snapshot: false + number: 9.3.0 + schema: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_response' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_redactedResponse' + description: Kibana's operational status. A minimal response is sent for unauthorized users. + description: Kibana or some of its essential services are unavailable. Kibana may be degraded or unavailable. + summary: Get Kibana's current status tags: - - Security Osquery API - post: - description: Create a query pack. - operationId: OsqueryCreatePacks + - system + x-metaTags: + - content: Kibana + name: product_name + /api/streams: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/streams
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Fetches list of all streams

[Required authorization] Route required privileges: read_stream. + operationId: get-streams + parameters: [] requestBody: content: application/json: - examples: - createPack: - summary: Create a pack with a single query - value: - description: My pack - enabled: true - name: my_pack - policy_ids: - - my_policy_id - queries: - ports: - ecs_mapping: - client.port: - field: port - interval: 60 - query: SELECT * FROM listening_ports; - timeout: 120 + examples: {} schema: - $ref: '#/components/schemas/Security_Osquery_API_CreatePacksRequestBody' - required: true + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} responses: '200': content: application/json: examples: - packCreated: - summary: Pack created - value: - data: - created_at: '2025-02-26T13:37:30.452Z' - created_by: elastic - description: My pack - enabled: true - name: my_pack - policy_ids: - - my_policy_id - queries: - ports: - interval: 60 - query: SELECT * FROM listening_ports; - removed: false - snapshot: true - timeout: 120 - saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 - shards: [] - updated_at: '2025-02-26T13:37:30.452Z' - updated_by: elastic - version: 1 - schema: - $ref: '#/components/schemas/Security_Osquery_API_CreatePacksResponse' - description: Indicates a successful call. 
- summary: Create a pack + listStreams: + value: + streams: + - description: Root logs stream + ingest: + failure_store: + inherit: {} + lifecycle: + inherit: {} + processing: + steps: [] + updated_at: '2025-01-10T08:00:00.000Z' + settings: {} + wired: + fields: + '@timestamp': + type: date + log.level: + type: keyword + message: + type: match_only_text + routing: + - destination: logs.nginx + status: enabled + where: + eq: nginx + field: host.name + name: logs + type: wired + updated_at: '2025-01-10T08:00:00.000Z' + - description: Web server access logs, routed by severity + ingest: + failure_store: + inherit: {} + lifecycle: + inherit: {} + processing: + steps: [] + updated_at: '2025-01-15T10:30:00.000Z' + settings: {} + wired: + fields: + host.name: + type: keyword + http.response.status_code: + type: long + message: + type: match_only_text + routing: + - destination: logs.nginx.errors + status: enabled + where: + field: http.response.status_code + gte: 500 + name: logs.nginx + type: wired + updated_at: '2025-01-15T10:30:00.000Z' + - description: Legacy application logs + ingest: + classic: {} + failure_store: + disabled: {} + lifecycle: + dsl: + data_retention: 30d + processing: + steps: + - action: grok + from: message + ignore_missing: true + patterns: + - '%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:log.level} %{GREEDYDATA:message}' + updated_at: '2024-12-01T09:00:00.000Z' + settings: {} + name: logs-myapp-default + type: classic + updated_at: '2024-12-01T09:00:00.000Z' + - description: All error-level logs across every stream + name: logs.errors + query: + esql: FROM logs* | WHERE log.level == "error" + view: logs.errors-view + type: query + updated_at: '2025-01-20T14:00:00.000Z' + description: A list of all streams. + summary: Get stream list tags: - - Security Osquery API - /api/osquery/packs/{id}: - delete: - description: Delete a query pack using the pack ID. 
- operationId: OsqueryDeletePacks + - streams + x-state: Experimental; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + /api/streams/_disable: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/streams/_disable
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Disables wired streams and deletes all existing stream definitions. The data of wired streams is deleted, but the data of classic streams is preserved.

[Required authorization] Route required privileges: manage_stream. + operationId: post-streams-disable parameters: - - description: The pack ID. - in: path - name: id + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: - $ref: '#/components/schemas/Security_Osquery_API_PackId' + example: 'true' + type: string + requestBody: + content: + application/json: + examples: {} + schema: + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} responses: '200': - content: - application/json: - examples: - packDeleted: - summary: Pack deleted (empty response body) - value: {} - schema: - type: object - properties: {} - description: Indicates a successful call. - summary: Delete a pack + description: Streams were disabled successfully. + summary: Disable streams tags: - - Security Osquery API - get: - description: Get the details of a query pack using the pack ID. - operationId: OsqueryGetPacksDetails + - streams + x-state: Experimental; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + /api/streams/_enable: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/streams/_enable
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Enables wired streams

[Required authorization] Route required privileges: manage_stream. + operationId: post-streams-enable parameters: - - description: The pack ID. - in: path - name: id + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: - $ref: '#/components/schemas/Security_Osquery_API_PackId' + example: 'true' + type: string + requestBody: + content: + application/json: + examples: {} + schema: + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} responses: '200': - content: - application/json: - examples: - packDetails: - summary: Pack details - value: - data: - created_at: '2025-02-26T13:37:30.452Z' - created_by: elastic - description: My pack - enabled: true - name: my_pack - policy_ids: - - my_policy_id - queries: - ports: - interval: 60 - query: SELECT * FROM listening_ports; - removed: false - snapshot: true - timeout: 120 - saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 - shards: {} - updated_at: '2025-02-26T13:37:30.452Z' - updated_by: elastic - version: 1 - schema: - $ref: '#/components/schemas/Security_Osquery_API_FindPackResponse' - description: Indicates a successful call. - summary: Get pack details + description: Streams were enabled successfully. + summary: Enable streams tags: - - Security Osquery API - put: - description: | - Update a query pack using the pack ID. - > info - > You cannot update a prebuilt pack. - operationId: OsqueryUpdatePacks + - streams + x-state: Experimental; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + /api/streams/_resync: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/streams/_resync
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Resyncs all streams, making sure that Elasticsearch assets are up to date

[Required authorization] Route required privileges: manage_stream. + operationId: post-streams-resync parameters: - - description: The pack ID. - in: path - name: id + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: - $ref: '#/components/schemas/Security_Osquery_API_PackId' + example: 'true' + type: string requestBody: content: application/json: - examples: - renamePack: - summary: Rename a pack and update its description - value: - description: Updated pack description - enabled: true - name: my_pack_renamed + examples: {} schema: - $ref: '#/components/schemas/Security_Osquery_API_UpdatePacksRequestBody' - required: true + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} responses: '200': - content: - application/json: - examples: - packUpdated: - summary: Pack updated - value: - data: - description: Updated pack description - enabled: true - name: my_pack_renamed - policy_ids: - - my_policy_id - queries: - ports: - interval: 60 - query: SELECT * FROM listening_ports; - removed: false - snapshot: true - timeout: 120 - saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 - shards: [] - updated_at: '2025-02-27T10:00:00.000Z' - updated_by: elastic - version: 2 - schema: - $ref: '#/components/schemas/Security_Osquery_API_UpdatePacksResponse' - description: Indicates a successful call. - summary: Update a pack + description: Streams were resynced successfully. + summary: Resync streams tags: - - Security Osquery API - /api/osquery/packs/{id}/copy: - post: - description: >- - Create a copy of a query pack with a unique name by appending a `_copy` - suffix. If the name already exists, a numeric suffix is added (e.g., - `_copy_2`). The copied pack is always created with `enabled` set to - `false`. 
- operationId: OsqueryCopyPacks + - streams + x-state: Experimental; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + /api/streams/{name}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/streams/{name}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Deletes a stream definition and the underlying data stream

[Required authorization] Route required privileges: manage_stream. + operationId: delete-streams-name parameters: - - description: The ID of the pack to copy. + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The name of the stream. in: path - name: id + name: name required: true schema: - $ref: '#/components/schemas/Security_Osquery_API_PackId' + type: string + requestBody: + content: + application/json: + examples: {} + schema: + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} responses: '200': - content: - application/json: - examples: - copyPackExample: - summary: Example response for copying a pack - value: - data: - created_at: '2025-02-26T13:37:30.452Z' - created_by: elastic - description: My pack - enabled: false - name: my_pack_copy - policy_ids: [] - queries: - - ecs_mapping: - - key: client.port - value: - field: port - id: ports - interval: 60 - query: SELECT * FROM listening_ports; - removed: false - snapshot: true - timeout: 120 - saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 - shards: [] - updated_at: '2025-02-26T13:37:30.452Z' - updated_by: elastic - schema: - $ref: '#/components/schemas/Security_Osquery_API_CopyPacksResponse' - description: Indicates a successful call. - summary: Copy a pack + description: The stream was deleted successfully. + summary: Delete a stream tags: - - Security Osquery API - x-state: Generally available; Added in 9.4.0 - /api/osquery/saved_queries: + - streams + x-state: Experimental; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name get: - description: Get a list of all saved queries. - operationId: OsqueryFindSavedQueries + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/streams/{name}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Fetches a stream definition and associated dashboards

[Required authorization] Route required privileges: read_stream. + operationId: get-streams-name parameters: - - description: The page number to return. - in: query - name: page - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' - - description: The number of results to return per page. - in: query - name: pageSize - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' - - description: The field to sort results by. - in: query - name: sort - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' - - description: The sort order. - in: query - name: sortOrder - required: false + - description: The name of the stream. + in: path + name: name + required: true schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' + type: string + requestBody: + content: + application/json: + examples: {} + schema: + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} responses: '200': content: application/json: examples: - savedQueriesList: - summary: A list of saved queries - value: - data: - - created_at: '2025-02-26T13:37:30.452Z' - created_by: elastic - description: Saved query description - ecs_mapping: - host.uptime: - field: total_seconds - id: my_saved_query - interval: '60' - platform: linux,darwin - query: select * from uptime; - saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c - timeout: 120 - updated_at: '2025-02-26T13:37:30.452Z' - updated_by: elastic - page: 1 - per_page: 20 - total: 1 - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_FindSavedQueryResponse - description: Indicates a successful call. 
- summary: Get saved queries + getWiredStream: + value: + dashboards: [] + data_stream_exists: true + effective_failure_store: + disabled: {} + from: logs + effective_lifecycle: + dsl: + data_retention: 7d + from: logs + effective_settings: {} + inherited_fields: + '@timestamp': + from: logs + type: date + log.level: + from: logs + type: keyword + privileges: + create_snapshot_repository: false + lifecycle: true + manage: true + manage_failure_store: true + monitor: true + read_failure_store: true + simulate: true + text_structure: true + view_index_metadata: true + queries: [] + rules: [] + stream: + description: Web server access logs, routed by severity + ingest: + failure_store: + inherit: {} + lifecycle: + inherit: {} + processing: + steps: [] + updated_at: '2025-01-15T10:30:00.000Z' + settings: {} + wired: + fields: + host.name: + type: keyword + http.response.status_code: + type: long + message: + type: match_only_text + routing: + - destination: logs.nginx.errors + status: enabled + where: + field: http.response.status_code + gte: 500 + name: logs.nginx + type: wired + updated_at: '2025-01-15T10:30:00.000Z' + description: Stream definition and associated metadata. + summary: Get a stream tags: - - Security Osquery API - post: - description: Create and save a query for later use. - operationId: OsqueryCreateSavedQuery + - streams + x-state: Experimental; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/streams/{name}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Creates or updates a stream definition. Classic streams can not be created through this API, only updated

[Required authorization] Route required privileges: manage_stream. + operationId: put-streams-name + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The name of the stream. + in: path + name: name + required: true + schema: + type: string requestBody: content: application/json: examples: - createSavedQuery: - summary: Create a saved query + createQueryStream: value: - description: Saved query description - ecs_mapping: - host.uptime: - field: total_seconds - id: my_saved_query - interval: '60' - platform: linux,darwin - query: select * from uptime; - timeout: 120 + dashboards: [] + queries: [] + rules: [] + stream: + description: All error-level logs across every stream + query: + esql: FROM logs* | WHERE log.level == "error" + view: logs.errors-view + type: query + createWiredStream: + value: + dashboards: [] + queries: [] + rules: [] + stream: + description: Web server access logs, routed by severity + ingest: + failure_store: + inherit: {} + lifecycle: + inherit: {} + processing: + steps: [] + settings: {} + wired: + fields: + host.name: + type: keyword + http.response.status_code: + type: long + message: + type: match_only_text + routing: + - destination: logs.nginx.errors + status: enabled + where: + field: http.response.status_code + gte: 500 + type: wired + updateClassicStream: + value: + dashboards: [] + queries: [] + rules: [] + stream: + description: Legacy application logs managed as a classic data stream + ingest: + classic: {} + failure_store: + disabled: {} + lifecycle: + dsl: + data_retention: 30d + processing: + steps: + - action: grok + from: message + ignore_missing: true + patterns: + - '%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:log.level} %{GREEDYDATA:message}' + settings: {} + type: classic schema: - $ref: >- - #/components/schemas/Security_Osquery_API_CreateSavedQueryRequestBody - required: true + $ref: 
'#/components/schemas/Kibana_HTTP_APIs_StreamUpsertRequest' responses: '200': - content: - application/json: - examples: - savedQueryCreated: - summary: Saved query created - value: - data: - created_at: '2025-02-26T13:37:30.452Z' - created_by: elastic - description: Saved query description - ecs_mapping: - host.uptime: - field: total_seconds - id: my_saved_query - interval: '60' - platform: linux,darwin - query: select * from uptime; - saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c - timeout: 120 - updated_at: '2025-02-26T13:37:30.452Z' - updated_by: elastic - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_CreateSavedQueryResponse - description: Indicates a successful call. - summary: Create a saved query + description: The stream was created or updated successfully. + summary: Create or update a stream tags: - - Security Osquery API - /api/osquery/saved_queries/{id}: - delete: - description: Delete a saved query using the query ID. - operationId: OsqueryDeleteSavedQuery + - streams + x-state: Experimental; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + /api/streams/{name}/_fork: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/streams/{name}/_fork
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Forks a wired stream and creates a child stream

[Required authorization] Route required privileges: manage_stream. + operationId: post-streams-name-fork parameters: - - description: The saved query ID. + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The name of the parent stream to fork from. in: path - name: id + name: name required: true schema: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + type: string + requestBody: + content: + application/json: + examples: + forkStream: + value: + status: enabled + stream: + name: logs.nginx.errors + where: + eq: '500' + field: http.response.status_code + schema: + additionalProperties: false + type: object + properties: + draft: + type: boolean + status: + enum: + - enabled + - disabled + type: string + stream: + additionalProperties: false + type: object + properties: + name: + type: string + required: + - name + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + required: + - stream + - where responses: '200': - content: - application/json: - examples: - savedQueryDeleted: - summary: Saved query deleted (empty response body) - value: {} - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_DefaultSuccessResponse - description: Indicates a successful call. - summary: Delete a saved query + description: The stream was forked successfully. + summary: Fork a stream tags: - - Security Osquery API + - streams + x-state: Experimental; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + /api/streams/{name}/_ingest: get: - description: Get the details of a saved query using the query ID. - operationId: OsqueryGetSavedQueryDetails + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/streams/{name}/_ingest
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Fetches the ingest settings of an ingest stream definition

[Required authorization] Route required privileges: read_stream. + operationId: get-streams-name-ingest parameters: - - description: The saved query ID. + - description: The name of the stream. in: path - name: id + name: name required: true schema: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + type: string + requestBody: + content: + application/json: + examples: {} + schema: + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} responses: '200': content: application/json: examples: - savedQueryDetails: - summary: Saved query details - value: - data: - created_at: '2025-02-26T13:37:30.452Z' - created_by: elastic - description: Saved query description - ecs_mapping: - host.uptime: - field: total_seconds - id: my_saved_query - interval: '60' - platform: linux,darwin - query: select * from uptime; - saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c - timeout: 120 - updated_at: '2025-02-26T13:37:30.452Z' - updated_by: elastic - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_FindSavedQueryDetailResponse - description: Indicates a successful call. 
- summary: Get saved query details + getWiredIngest: + value: + ingest: + failure_store: + inherit: {} + lifecycle: + inherit: {} + processing: + steps: + - action: grok + from: message + ignore_missing: false + patterns: + - '%{IPORHOST:client.ip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:@timestamp}\] "%{WORD:http.method} %{DATA:url.original} HTTP/%{NUMBER:http.version}" %{NUMBER:http.response.status_code:int} (?:%{NUMBER:http.response.body.bytes:int}|-)' + updated_at: '2025-01-15T10:30:00.000Z' + settings: {} + wired: + fields: + client.ip: + type: ip + http.method: + type: keyword + http.response.body.bytes: + type: long + http.response.status_code: + type: long + url.original: + type: wildcard + routing: + - destination: logs.nginx.errors + status: enabled + where: + field: http.response.status_code + gte: 500 + description: Ingest settings for the stream. + summary: Get ingest stream settings tags: - - Security Osquery API + - streams + x-state: Experimental; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name put: - description: | - Update a saved query using the query ID. - > info - > You cannot update a prebuilt saved query. - operationId: OsqueryUpdateSavedQuery + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/streams/{name}/_ingest
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Upserts the ingest settings of an ingest stream definition

[Required authorization] Route required privileges: manage_stream. + operationId: put-streams-name-ingest parameters: - - description: The saved query ID. + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The name of the stream. in: path - name: id + name: name required: true schema: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + type: string requestBody: content: application/json: examples: - updateSavedQuery: - summary: Update a saved query + upsertWiredIngest: value: - description: Updated saved query description - id: my_saved_query - interval: '120' - platform: linux,darwin - query: select * from osquery_info; - timeout: 60 + ingest: + failure_store: + inherit: {} + lifecycle: + inherit: {} + processing: + steps: + - action: grok + from: message + ignore_missing: false + patterns: + - '%{IPORHOST:client.ip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:@timestamp}\] "%{WORD:http.method} %{DATA:url.original} HTTP/%{NUMBER:http.version}" %{NUMBER:http.response.status_code:int} (?:%{NUMBER:http.response.body.bytes:int}|-)' + settings: {} + wired: + fields: + client.ip: + type: ip + http.method: + type: keyword + http.response.body.bytes: + type: long + http.response.status_code: + type: long + url.original: + type: wildcard + routing: + - destination: logs.nginx.errors + status: enabled + where: + eq: '500' + field: http.response.status_code schema: - $ref: >- - #/components/schemas/Security_Osquery_API_UpdateSavedQueryRequestBody - required: true + additionalProperties: false + type: object + properties: + ingest: + anyOf: + - additionalProperties: false + type: object + properties: + failure_store: + $ref: '#/components/schemas/Kibana_HTTP_APIs_FailureStore' + lifecycle: + $ref: '#/components/schemas/Kibana_HTTP_APIs_IngestStreamLifecycle' + processing: + additionalProperties: false + type: object + properties: + steps: + 
items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamlangStep' + type: array + updated_at: {} + required: + - steps + settings: + additionalProperties: false + type: object + properties: + index.number_of_replicas: + additionalProperties: false + type: object + properties: + value: + type: number + required: + - value + index.number_of_shards: + additionalProperties: false + type: object + properties: + value: + type: number + required: + - value + index.refresh_interval: + additionalProperties: false + type: object + properties: + value: + anyOf: + - type: string + - enum: + - -1 + type: number + required: + - value + wired: + additionalProperties: false + type: object + properties: + draft: + type: boolean + fields: + $ref: '#/components/schemas/Kibana_HTTP_APIs_FieldDefinition' + routing: + items: + type: object + properties: + destination: + description: A non-empty string. + minLength: 1 + type: string + draft: + type: boolean + status: + enum: + - enabled + - disabled + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + required: + - destination + - where + type: array + required: + - fields + - routing + required: + - lifecycle + - processing + - settings + - failure_store + - wired + - additionalProperties: false + type: object + properties: + classic: + additionalProperties: false + type: object + properties: + field_overrides: + $ref: '#/components/schemas/Kibana_HTTP_APIs_ClassicFieldDefinition' + failure_store: + $ref: '#/components/schemas/Kibana_HTTP_APIs_FailureStore' + lifecycle: + $ref: '#/components/schemas/Kibana_HTTP_APIs_IngestStreamLifecycle' + processing: + additionalProperties: false + type: object + properties: + steps: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamlangStep' + type: array + updated_at: {} + required: + - steps + settings: + additionalProperties: false + type: object + properties: + index.number_of_replicas: + additionalProperties: false + type: object + properties: + 
value: + type: number + required: + - value + index.number_of_shards: + additionalProperties: false + type: object + properties: + value: + type: number + required: + - value + index.refresh_interval: + additionalProperties: false + type: object + properties: + value: + anyOf: + - type: string + - enum: + - -1 + type: number + required: + - value + required: + - lifecycle + - processing + - settings + - failure_store + - classic + required: + - ingest responses: '200': - content: - application/json: - examples: - savedQueryUpdated: - summary: Saved query updated - value: - data: - description: Updated saved query description - id: my_saved_query - interval: '120' - platform: linux,darwin - query: select * from osquery_info; - saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c - timeout: 60 - updated_at: '2025-02-27T10:00:00.000Z' - updated_by: elastic - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_UpdateSavedQueryResponse - description: Indicates a successful call. - summary: Update a saved query + description: The ingest settings were updated successfully. + summary: Update ingest stream settings tags: - - Security Osquery API - /api/osquery/saved_queries/{id}/copy: - post: - description: >- - Create a copy of a saved query with a unique name by appending a `_copy` - suffix. If the name already exists, a numeric suffix is added (e.g., - `_copy_2`). - operationId: OsqueryCopySavedQuery + - streams + x-state: Experimental; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + /api/streams/{name}/_query: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/streams/{name}/_query
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Fetches the query settings of a query stream definition

[Required authorization] Route required privileges: read_stream. + operationId: get-streams-name-query parameters: - - description: The ID of the saved query to copy. + - description: The name of the query stream. in: path - name: id + name: name required: true schema: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + type: string + requestBody: + content: + application/json: + examples: {} + schema: + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} responses: '200': - content: - application/json: - examples: - copySavedQueryExample: - summary: Example response for copying a saved query - value: - data: - created_at: '2025-02-26T13:37:30.452Z' - created_by: elastic - description: Saved query description - ecs_mapping: - host.uptime: - field: total_seconds - id: my_saved_query_copy - interval: '60' - platform: linux,darwin - query: select * from uptime; - removed: false - saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c - snapshot: true - timeout: 120 - updated_at: '2025-02-26T13:37:30.452Z' - updated_by: elastic - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_CopySavedQueryResponse - description: Indicates a successful call. - summary: Copy a saved query + description: Query settings for the stream. + summary: Get query stream settings tags: - - Security Osquery API - x-state: Generally available; Added in 9.4.0 - /api/osquery/scheduled_results/{scheduleId}/{executionCount}: - get: - description: > - Get paginated per-agent action results for a specific scheduled query - execution, with success/failure aggregation and execution metadata (pack - name, query name/text, timestamp). - operationId: OsqueryGetScheduledActionResults + - streams + x-state: Experimental; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/streams/{name}/_query
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Upserts the query settings of a query stream definition

[Required authorization] Route required privileges: manage_stream. + operationId: put-streams-name-query parameters: - - description: The schedule ID of the scheduled query. - in: path - name: scheduleId + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: - description: The schedule ID of the scheduled query. - example: pack_my_pack_uptime + example: 'true' type: string - - description: The execution count for this scheduled query run. + - description: The name of the query stream. in: path - name: executionCount + name: name required: true schema: - description: The execution count for this scheduled query run. - example: 3 - type: integer - - description: The kuery to filter the results by. - in: query - name: kuery - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' - - description: The page number to return. The default is 1. - in: query - name: page - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' - - description: The number of results to return per page. The default is 20. - in: query - name: pageSize - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' - - description: The field that is used to sort the results. - in: query - name: sort - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' - - description: Specifies the sort order. 
- in: query - name: sortOrder - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' + type: string + requestBody: + content: + application/json: + examples: + upsertQueryStream: + value: + query: + esql: FROM logs* | WHERE log.level == "error" | KEEP @timestamp, message, host.name, log.level + schema: + additionalProperties: false + type: object + properties: + field_descriptions: + additionalProperties: + type: string + type: object + query: + additionalProperties: false + type: object + properties: + esql: + type: string + required: + - esql + required: + - query responses: '200': - content: - application/json: - examples: - scheduledActionResultsExample: - summary: Example scheduled action results response - value: - aggregations: - failed: 1 - pending: 0 - successful: 9 - totalResponded: 10 - totalRowCount: 42 - currentPage: 0 - edges: - - _id: result-001 - fields: - agent_id: 16d7caf5-efd2-4212-9b62-73dafc91fa13 - rows_count: 5 - status: success - metadata: - executionCount: 3 - packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d - packName: My Pack - queryName: uptime - queryText: select * from uptime; - scheduleId: pack_my_pack_uptime - timestamp: '2024-07-26T09:00:00.000Z' - pageSize: 20 - total: 10 - totalPages: 1 - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_GetScheduledActionResultsResponse - description: Indicates a successful call. - summary: Get scheduled action results + description: The query stream settings were updated successfully. + summary: Upsert query stream settings tags: - - Security Osquery API - x-state: Generally available; Added in 9.4.0 - /api/osquery/scheduled_results/{scheduleId}/{executionCount}/results: - get: - description: > - Get paginated query result rows (the actual osquery output data) for a - specific scheduled query execution. 
- operationId: OsqueryGetScheduledQueryResults + - streams + x-state: Experimental; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/streams/{name}/content/export: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/streams/{name}/content/export
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Exports the content associated to a stream.

[Required authorization] Route required privileges: manage_stream. + operationId: post-streams-name-content-export parameters: - - description: The schedule ID of the scheduled query. + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The name of the stream to export content from. in: path - name: scheduleId + name: name + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + exportContent: + value: + description: Nginx stream content pack + include: + objects: + all: {} + name: nginx-pack + version: 1.0.0 + schema: + additionalProperties: false + type: object + properties: + description: + type: string + include: + $ref: '#/components/schemas/Kibana_HTTP_APIs_ContentPackIncludedObjects' + name: + type: string + version: + type: string + required: + - name + - description + - version + - include + responses: + '200': + description: Content pack archive for the stream. + summary: Export stream content + tags: + - streams + x-state: Experimental; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + /api/streams/{name}/content/import: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/streams/{name}/content/import
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Links content objects to a stream.

[Required authorization] Route required privileges: manage_stream. + operationId: post-streams-name-content-import + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: - description: The schedule ID of the scheduled query. - example: pack_my_pack_uptime + example: 'true' type: string - - description: The execution count for this scheduled query run. + - description: The name of the stream to import content into. in: path - name: executionCount + name: name required: true schema: - description: The execution count for this scheduled query run. - example: 3 - type: integer - - description: The kuery to filter the results by. - in: query - name: kuery - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' - - description: The page number to return. The default is 1. - in: query - name: page - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' - - description: The number of results to return per page. The default is 20. - in: query - name: pageSize - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' - - description: The field that is used to sort the results. - in: query - name: sort - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' - - description: Specifies the sort order. - in: query - name: sortOrder - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' - - description: The start date filter (ISO 8601) to narrow down results. - in: query - name: startDate - required: false - schema: - description: The start date filter (ISO 8601) to narrow down results. 
- example: '2024-01-01T00:00:00Z' type: string - responses: - '200': - content: - application/json: - examples: - scheduledQueryResultsExample: - summary: Example scheduled query results response - value: - data: - edges: - - _id: row-001 - fields: - host.uptime: - - '12345' - - _id: row-002 - fields: - host.uptime: - - '67890' - total: 2 - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_GetScheduledQueryResultsResponse - description: Indicates a successful call. - summary: Get scheduled query results - tags: - - Security Osquery API - x-state: Generally available; Added in 9.4.0 - /api/pinned_event: - patch: - description: Pin/unpin an event to/from an existing Timeline. - operationId: PersistPinnedEventRoute requestBody: content: - application/json: + multipart/form-data: examples: - pinEvent: - summary: Pin an event + importContent: value: - eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc - timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + content: + include: '{"objects":{"all":{}}}' schema: + additionalProperties: false type: object properties: - eventId: - description: The `_id` of the associated event for this pinned event. - example: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc - type: string - pinnedEventId: - description: The `savedObjectId` of the pinned event you want to unpin. - example: 10r1929b-0af7-42bd-85a8-56e234f98h2f3 - nullable: true - type: string - timelineId: - description: >- - The `savedObjectId` of the timeline that you want this - pinned event unpinned from. - example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + content: {} + include: type: string required: - - eventId - - timelineId - description: The pinned event to add or unpin, along with additional metadata. 
- required: true + - include + - content responses: '200': - content: - application/json: - examples: - pinnedSaved: - summary: Pinned event saved object - value: - eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc - pinnedEventId: 10r1929b-0af7-42bd-85a8-56e234f98h2f3 - timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - version: WzQ2LDFe - unpinned: - summary: Unpin response - value: - unpinned: true - schema: - $ref: >- - #/components/schemas/Security_Timeline_API_PersistPinnedEventResponse - description: Indicates a successful call. - summary: Pin/unpin an event + description: Content was imported into the stream successfully. + summary: Import content into a stream tags: - - Security Timeline API - - access:securitySolution - /api/risk_score/engine/dangerously_delete_data: - delete: - description: >- - Cleaning up the the Risk Engine by removing the indices, mapping and - transforms - operationId: CleanUpRiskEngine + - streams + x-state: Experimental; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + /api/streams/{name}/queries: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/streams/{name}/queries
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Fetches all queries linked to a stream that are visible to the current user in the current space.

[Required authorization] Route required privileges: read_stream. + operationId: get-streams-name-queries + parameters: + - description: The name of the stream. + in: path + name: name + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: {} + schema: + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} responses: '200': content: application/json: examples: - CleanUpRiskEngineResponse: - summary: Successful cleanup response - value: - cleanup_successful: true - schema: - type: object - properties: - cleanup_successful: - type: boolean - description: Successful response - '400': - content: - application/json: - examples: - taskManagerUnavailable: - summary: Task manager is unavailable - value: - message: >- - Task Manager is unavailable, but is required by the risk - engine. Please enable the taskManager plugin and try - again. - status_code: 400 - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse - description: Task manager is unavailable - default: - content: - application/json: - examples: - cleanupFailed: - summary: Cleanup failed + listQueries: value: - cleanup_successful: false - errors: - - error: Risk engine is disabled or deleted already. 
- seq: 1 - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_CleanUpRiskEngineErrorResponse - description: Unexpected error - summary: Cleanup the Risk Engine + queries: + - description: Count error-level log events grouped by host name + esql: + query: FROM logs.nginx | WHERE log.level == "error" | STATS count = COUNT(*) BY host.name + id: error-count-by-host + severity_score: 75 + title: Error count by host + type: match + - description: Requests with response time above 2 seconds + esql: + query: FROM logs.nginx | WHERE http.response_time > 2000 + id: high-latency-requests + severity_score: 50 + title: High latency requests + type: match + description: List of queries linked to the stream. + summary: Get stream queries tags: - - Security Entity Analytics API - /api/risk_score/engine/saved_object/configure: - patch: - description: Configuring the Risk Engine Saved Object - operationId: ConfigureRiskEngineSavedObject + - streams + x-state: Experimental; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + /api/streams/{name}/queries/_bulk: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/streams/{name}/queries/_bulk
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Bulk update queries of a stream. Can add new queries and delete existing ones.

[Required authorization] Route required privileges: manage_stream. + operationId: post-streams-name-queries-bulk + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The name of the stream. + in: path + name: name + required: true + schema: + type: string requestBody: content: application/json: examples: - ConfigureRiskEngineSavedObjectRequest: - summary: Configure the risk engine saved object + bulkQueries: value: - enable_reset_to_zero: false - exclude_alert_statuses: - - closed - exclude_alert_tags: - - low-priority - filters: - - entity_types: - - host - - user - filter: 'host.name: *' - range: - end: now - start: now-30d + operations: + - index: + description: Count error-level log events grouped by host name + esql: + query: FROM logs* | WHERE log.level == "error" | STATS count = COUNT(*) BY host.name + id: error-count-by-host + title: Error count by host + - delete: + id: old-query-id schema: + additionalProperties: false type: object properties: - enable_reset_to_zero: - type: boolean - exclude_alert_statuses: - items: - type: string - type: array - exclude_alert_tags: - items: - type: string - type: array - filters: + operations: items: - type: object - properties: - entity_types: - items: - enum: - - host - - user - - service - type: string - type: array - filter: - description: KQL filter string - type: string - required: - - entity_types - - filter + anyOf: + - type: object + properties: + index: + type: object + properties: + description: + default: '' + type: string + esql: + type: object + properties: + query: + type: string + required: + - query + evidence: + items: + type: string + type: array + id: + description: A non-empty string. + minLength: 1 + type: string + severity_score: + type: number + title: + description: A non-empty string. 
+ minLength: 1 + type: string + required: + - title + - esql + - id + required: + - index + - type: object + properties: + delete: + type: object + properties: + id: + type: string + required: + - id + required: + - delete type: array - page_size: - description: > - Number of entities to score per page. Higher values reduce - total scoring time by reducing the number of alert-index - scans, but cannot exceed the ES|QL result limit (10,000 by - default). - maximum: 10000 - minimum: 100 - type: integer - range: - type: object - properties: - end: - type: string - start: - type: string - required: true + required: + - operations responses: '200': - content: - application/json: - examples: - ConfigureRiskEngineSavedObjectResponse: - summary: Successful configuration response - value: - risk_engine_saved_object_configured: true - schema: - type: object - properties: - risk_engine_saved_object_configured: - type: boolean - description: Successful response - '400': - content: - application/json: - examples: - taskManagerUnavailable: - summary: Task manager is unavailable - value: - message: >- - Task Manager is unavailable, but is required by the risk - engine. Please enable the taskManager plugin and try - again. - status_code: 400 - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse - description: Task manager is unavailable - default: - content: - application/json: - examples: - configureError: - summary: Configure saved object failed - value: - errors: - - error: Internal server error - seq: 1 - risk_engine_saved_object_configured: false - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_ConfigureRiskEngineSavedObjectErrorResponse - description: Unexpected error - summary: Configure the Risk Engine Saved Object + description: Bulk operation completed successfully. 
+ summary: Bulk update queries tags: - - Security Entity Analytics API - /api/risk_score/engine/schedule_now: - post: - description: >- - Schedule the risk scoring engine to run as soon as possible. You can use - this to recalculate entity risk scores after updating their asset - criticality. - operationId: ScheduleRiskEngineNow + - streams + x-state: Experimental; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + /api/streams/{name}/queries/{queryId}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/streams/{name}/queries/{queryId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Remove a query from a stream. Noop if the query is not found on the stream.

[Required authorization] Route required privileges: manage_stream. + operationId: delete-streams-name-queries-queryid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The name of the stream. + in: path + name: name + required: true + schema: + type: string + - description: The identifier of the query to remove. + in: path + name: queryId + required: true + schema: + type: string requestBody: content: application/json: - examples: - emptyRequest: - summary: No request body - value: {} + examples: {} schema: - type: object + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} responses: '200': - content: - application/json: - examples: - ScheduleRiskEngineNowResponse: - summary: Successful schedule response - value: - success: true - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_RiskEngineScheduleNowResponse - description: Successful response - '400': - content: - application/json: - examples: - taskManagerUnavailable: - summary: Task manager is unavailable - value: - message: >- - Task Manager is unavailable, but is required by the risk - engine. Please enable the taskManager plugin and try - again. - status_code: 400 - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse - description: Task manager is unavailable - default: - content: - application/json: - examples: - scheduleNowError: - summary: Schedule now failed - value: - full_error: '{}' - message: Internal server error - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_RiskEngineScheduleNowErrorResponse - description: Unexpected error - summary: Run the risk scoring engine + description: The query was removed successfully. 
+ summary: Remove a query from a stream tags: - - Security Entity Analytics API - /api/security_ai_assistant/anonymization_fields/_bulk_action: - post: - description: >- - Apply a bulk action to multiple anonymization fields. The bulk action is - applied to all anonymization fields that match the filter or to the list - of anonymization fields by their IDs. - operationId: PerformAnonymizationFieldsBulkAction + - streams + x-state: Experimental; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/streams/{name}/queries/{queryId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Adds a query to a stream. Noop if the query is already present on the stream.

[Required authorization] Route required privileges: manage_stream. + operationId: put-streams-name-queries-queryid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The name of the stream. + in: path + name: name + required: true + schema: + type: string + - description: The identifier of the query. + in: path + name: queryId + required: true + schema: + type: string requestBody: content: application/json: examples: - PerformAnonymizationFieldsBulkActionRequest: + upsertQuery: value: - create: - - allowed: true - anonymized: false - field: host.name - - allowed: false - anonymized: true - field: user.name - delete: - ids: - - field5 - - field6 - query: 'field: host.name' - update: - - allowed: true - anonymized: false - id: field8 - - allowed: false - anonymized: true - id: field9 + description: Count error-level log events grouped by host name + esql: + query: FROM logs* | WHERE log.level == "error" | STATS count = COUNT(*) BY host.name + title: Error count by host schema: - example: - create: - - allowed: true - anonymized: false - field: host.name - - allowed: false - anonymized: true - field: user.name - delete: - ids: - - field5 - - field6 - query: 'field: host.name' - update: - - allowed: true - anonymized: false - id: field8 - - allowed: false - anonymized: true - id: field9 + additionalProperties: false type: object properties: - create: - description: Array of anonymization fields to create. + description: + default: '' + type: string + esql: + additionalProperties: false + type: object + properties: + query: + type: string + required: + - query + evidence: items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldCreateProps + type: string type: array - delete: - description: >- - Object containing the query to filter anonymization fields - and/or an array of anonymization field IDs to delete. 
+ severity_score: + type: number + title: + description: A non-empty string. + minLength: 1 + type: string + required: + - title + - esql + responses: + '200': + description: The query was added or updated successfully. + summary: Upsert a query to a stream + tags: + - streams + x-state: Experimental; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + /api/streams/{name}/significant_events: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/streams/{name}/significant_events
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Read the significant events

[Required authorization] Route required privileges: read_stream. + operationId: get-streams-name-significant-events + parameters: + - description: The name of the stream. + in: path + name: name + required: true + schema: + type: string + - description: Start of the time range as an ISO 8601 date string. + in: query + name: from + required: true + schema: + type: string + - description: End of the time range as an ISO 8601 date string. + in: query + name: to + required: true + schema: + type: string + - description: The bucket size for aggregating events (e.g. "1m", "1h"). + in: query + name: bucketSize + required: true + schema: + type: string + - description: Query string to filter significant events on metadata fields + in: query + name: query + required: false + schema: + type: string + - description: 'Search mode: keyword (BM25), semantic (vector), or hybrid (RRF). When omitted, defaults to hybrid with a silent keyword fallback on failure. When set explicitly, failures propagate as errors.' + in: query + name: searchMode + required: false + schema: + enum: + - keyword + - semantic + - hybrid + type: string + requestBody: + content: + application/json: + examples: {} + schema: + anyOf: + - additionalProperties: false type: object - properties: - ids: - description: Array of IDs to apply the action to. - example: - - '1234' - - '5678' - items: - type: string - minItems: 1 - type: array - query: - description: Query to filter the bulk action. - example: 'status: ''inactive''' - type: string - update: - description: Array of anonymization fields to update. 
- items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldUpdateProps - type: array + properties: {} + - nullable: true + - {} responses: '200': content: application/json: examples: - PerformAnonymizationFieldsBulkActionResponse200Example: - value: - anonymization_fields_count: 4 - attributes: - results: - created: - - allowed: false - anonymized: true - createdAt: '2023-10-31T12:00:00Z' - createdBy: user1 - field: host.name - id: field2 - namespace: default - timestamp: '2023-10-31T12:00:00Z' - updatedAt: '2023-10-31T12:00:00Z' - updatedBy: user1 - deleted: - - field3 - skipped: - - id: field4 - name: user.name - skip_reason: ANONYMIZATION_FIELD_NOT_MODIFIED - updated: - - allowed: true - anonymized: false - createdAt: '2023-10-31T12:00:00Z' - createdBy: user1 - field: url.domain - id: field8 - namespace: default - timestamp: '2023-10-31T12:00:00Z' - updatedAt: '2023-10-31T12:00:00Z' - updatedBy: user1 - summary: - failed: 0 - skipped: 1 - succeeded: 3 - total: 4 - message: Bulk action completed successfully - status_code: 200 - success: true - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResponse - description: Indicates a successful call. - '400': - content: - application/json: - examples: - PerformAnonymizationFieldsBulkActionResponse400Example: + significantEvents: value: - error: Bad Request - message: Invalid request body - statusCode: 400 - schema: - type: object - properties: - error: - description: Error type or name. - type: string - message: - description: Detailed error message. - type: string - statusCode: - description: Status code of the response. - type: number - description: Bad Request response. 
- summary: Apply a bulk action to anonymization fields + aggregated_occurrences: + - count: 42 + date: '2025-01-15T10:00:00.000Z' + - count: 18 + date: '2025-01-15T11:00:00.000Z' + - count: 7 + date: '2025-01-15T12:00:00.000Z' + significant_events: + - change_points: + type: + spike: + change_point: 1 + p_value: 0.002 + description: Count error-level log events grouped by host name + esql: + query: FROM logs.nginx | WHERE log.level == "error" | STATS count = COUNT(*) BY host.name + id: error-count-by-host + occurrences: + - count: 42 + date: '2025-01-15T10:00:00.000Z' + - count: 18 + date: '2025-01-15T11:00:00.000Z' + - count: 7 + date: '2025-01-15T12:00:00.000Z' + rule_backed: false + severity_score: 75 + stream_name: logs.nginx + title: Error count by host + type: match + description: Significant events for the stream. + summary: Read the significant events tags: - - Security AI Assistant API - - Bulk API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request POST 'http://localhost:5601/api/security_ai_assistant/anonymization_fields/_bulk_action' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" \ - --data '{"create":[{"field":"host.name","allowed":true,"anonymized":false}]}' - /api/security_ai_assistant/anonymization_fields/_find: - get: - description: Get a list of all anonymization fields. - operationId: FindAnonymizationFields + - streams + x-state: Experimental; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + /api/streams/{name}/significant_events/_generate: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/streams/{name}/significant_events/_generate
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Generate significant events queries based on the stream data

[Required authorization] Route required privileges: read_stream. + operationId: post-streams-name-significant-events-generate parameters: - - description: Fields to return - example: - - id - - field - - anonymized - - allowed + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The name of the stream. + in: path + name: name + required: true + schema: + type: string + - description: Optional connector ID. If not provided, the default AI connector from settings will be used. in: query - name: fields + name: connectorId required: false schema: - items: - type: string - type: array - - description: Search query - example: 'field: "user.name"' + type: string + - description: Start of the time range as an ISO 8601 date string. in: query - name: filter - required: false + name: from + required: true schema: type: string - - description: Field to sort by - example: created_at + - description: End of the time range as an ISO 8601 date string. in: query - name: sort_field - required: false + name: to + required: true schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_FindAnonymizationFieldsSortField - - description: Sort order - example: asc + type: string + - description: Number of sample documents to use for generation from the current data of stream in: query - name: sort_order + name: sampleDocsSize required: false schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' - - description: Page number - example: 1 + type: number + requestBody: + content: + application/json: + examples: {} + schema: + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} + responses: + '200': + description: Generated significant event query definitions. 
+ summary: Generate significant events + tags: + - streams + x-state: Experimental; added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + /api/streams/{name}/significant_events/_preview: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/streams/{name}/significant_events/_preview
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Preview significant event results based on a given query

[Required authorization] Route required privileges: read_stream. + operationId: post-streams-name-significant-events-preview + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The name of the stream. + in: path + name: name + required: true + schema: + type: string + - description: Start of the time range as an ISO 8601 date string. in: query - name: page + name: from + required: true + schema: + type: string + - description: End of the time range as an ISO 8601 date string. + in: query + name: to + required: true + schema: + type: string + - description: The bucket size for aggregating events (e.g. "1m", "1h"). + in: query + name: bucketSize + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + previewSignificantEvents: + value: + query: + esql: + query: FROM logs.nginx | WHERE log.level == "error" | STATS count = COUNT(*) BY host.name + schema: + additionalProperties: false + type: object + properties: + query: + additionalProperties: false + type: object + properties: + esql: + additionalProperties: false + type: object + properties: + query: + type: string + required: + - query + required: + - esql + required: + - query + responses: + '200': + description: Significant event preview results. + summary: Preview significant events + tags: + - streams + x-state: Experimental; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + /api/streams/{streamName}/attachments: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/streams/{streamName}/attachments
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Fetches all attachments linked to a stream that are visible to the current user in the current space. Optionally filter by attachment types, search query, and tags.

[Required authorization] Route required privileges: read_stream. + operationId: get-streams-streamname-attachments + parameters: + - description: The name of the stream + in: path + name: streamName + required: true + schema: + type: string + - description: Search query to filter attachments by title + in: query + name: query required: false schema: - default: 1 - minimum: 1 - type: integer - - description: AnonymizationFields per page - example: 20 + type: string + - description: Filter by attachment types (single value or array) in: query - name: per_page + name: attachmentTypes required: false schema: - default: 20 - minimum: 0 - type: integer - - description: >- - If true, additionally fetch all anonymization fields, otherwise - fetch only the provided page + items: + enum: + - dashboard + - rule + - slo + type: string + type: array + - description: Filter by tags (single value or array) in: query - name: all_data + name: tags required: false schema: - type: boolean + items: + type: string + type: array + requestBody: + content: + application/json: + examples: + listAttachmentsExample: + value: {} + schema: + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} responses: '200': content: application/json: examples: - FindAnonymizationFieldsResponse200Example: - value: - aggregations: - field_status: - buckets: - allowed: - doc_count: 1 - anonymized: - doc_count: 1 - denied: - doc_count: 1 - all: - - allowed: true - anonymized: true - createdAt: '2023-10-31T12:00:00Z' - createdBy: user1 - field: user.name - id: '1' - namespace: default - timestamp: '2023-10-31T12:00:00Z' - updatedAt: '2023-10-31T12:00:00Z' - updatedBy: user1 - data: - - allowed: true - anonymized: true - createdAt: '2023-10-31T12:00:00Z' - createdBy: user1 - field: user.name - id: '1' - namespace: default - timestamp: '2023-10-31T12:00:00Z' - updatedAt: '2023-10-31T12:00:00Z' - updatedBy: user1 - page: 1 - perPage: 20 - total: 100 - schema: - type: 
object - properties: - aggregations: - type: object - properties: - field_status: - type: object - properties: - buckets: - type: object - properties: - allowed: - type: object - properties: - doc_count: - default: 0 - type: integer - anonymized: - type: object - properties: - doc_count: - default: 0 - type: integer - denied: - type: object - properties: - doc_count: - default: 0 - type: integer - all: - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse - type: array - data: - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse - type: array - page: - type: integer - perPage: - type: integer - total: - type: integer - required: - - page - - perPage - - total - - data - description: Indicates a successful call. - '400': - content: - application/json: - examples: - FindAnonymizationFieldsResponse400Example: + listAttachmentsResponse: value: - error: Bad Request - message: Invalid request parameters - statusCode: 400 - schema: - type: object - properties: - error: - type: string - message: - type: string - statusCode: - type: number - description: Bad Request response. 
- summary: Get anonymization fields + attachments: + - createdAt: '2023-02-23T16:15:47.275Z' + description: Dashboard for monitoring production services + id: dashboard-123 + streamNames: + - logs.awsfirehose + - logs.nginx + tags: + - monitoring + - production + title: My Dashboard + type: dashboard + updatedAt: '2023-03-24T14:39:17.636Z' + description: Successfully retrieved attachments + summary: Get stream attachments tags: - - Security AI Assistant API - - AnonymizationFields API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request GET 'http://localhost:5601/api/security_ai_assistant/anonymization_fields/_find?page=1&per_page=20' \ - --header "Authorization: $API_KEY" - /api/security_ai_assistant/chat/complete: + - streams + x-state: Experimental; added in 9.3.0 + x-metaTags: + - content: Kibana + name: product_name + /api/streams/{streamName}/attachments/_bulk: post: - description: Create a model response for the given chat conversation. - operationId: ChatComplete + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/streams/{streamName}/attachments/_bulk
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Bulk update attachments linked to a stream. Can link new attachments and delete existing ones. Supports mixed attachment types in a single request.

[Required authorization] Route required privileges: manage_stream. + operationId: post-streams-streamname-attachments-bulk parameters: - - description: If true, the response will not include content references. - example: false - in: query - name: content_references_disabled - required: false + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - default: false - type: boolean + example: 'true' + type: string + - description: The name of the stream + in: path + name: streamName + required: true + schema: + type: string requestBody: content: application/json: examples: - ChatCompleteRequest: + bulkAttachmentsExample: value: - connectorId: conn-001 - conversationId: abc123 - isStream: true - langSmithApiKey: - langSmithProject: security_ai_project - messages: - - content: What are some common phishing techniques? - data: - user_id: user_789 - fields_to_anonymize: - - user.name - - source.ip - role: user - model: gpt-4 - persist: true - promptId: prompt_456 - responseLanguage: en + operations: + - index: + id: dashboard-123 + type: dashboard + - delete: + id: rule-456 + type: rule schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_ChatCompleteProps' - required: true + additionalProperties: false + type: object + properties: + operations: + items: + anyOf: + - type: object + properties: + index: + type: object + properties: + id: + type: string + type: + enum: + - dashboard + - rule + - slo + type: string + required: + - id + - type + required: + - index + - type: object + properties: + delete: + type: object + properties: + id: + type: string + type: + enum: + - dashboard + - rule + - slo + type: string + required: + - id + - type + required: + - delete + type: array + required: + - operations responses: '200': - content: - application/octet-stream: - examples: - ChatCompleteResponse200Example: - value: (streaming binary response) - schema: - format: binary - type: string - description: 
Indicates a successful model response call. - '400': content: application/json: examples: - ChatCompleteResponse400Example: + bulkAttachmentsResponse: value: - error: Bad Request - message: Invalid request payload. - statusCode: 400 - schema: - type: object - properties: - error: - description: Error type. - example: Bad Request - type: string - message: - description: Human-readable error message. - example: Invalid request payload. - type: string - statusCode: - description: HTTP status code. - example: 400 - type: number - description: Bad Request response. - summary: Create a model response + acknowledged: true + description: Successfully performed bulk operations + summary: Bulk update attachments tags: - - Security AI Assistant API - - Chat Complete API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request POST 'http://localhost:5601/api/security_ai_assistant/chat/complete' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" \ - --data '{"connectorId":"conn-001","persist":true,"messages":[{"role":"user","content":"What are common phishing techniques?"}]}' - /api/security_ai_assistant/current_user/conversations: + - streams + x-state: Experimental; added in 9.3.0 + x-metaTags: + - content: Kibana + name: product_name + /api/streams/{streamName}/attachments/{attachmentType}/{attachmentId}: delete: - description: This endpoint allows users to permanently delete all conversations. - operationId: DeleteAllConversations + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/streams/{streamName}/attachments/{attachmentType}/{attachmentId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Unlinks an attachment from a stream. Noop if the attachment is not linked to the stream.

[Required authorization] Route required privileges: manage_stream. + operationId: delete-streams-streamname-attachments-attachmenttype-attachmentid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The name of the stream + in: path + name: streamName + required: true + schema: + type: string + - description: The type of the attachment + in: path + name: attachmentType + required: true + schema: + enum: + - dashboard + - rule + - slo + type: string + - description: The ID of the attachment + in: path + name: attachmentId + required: true + schema: + type: string requestBody: content: application/json: examples: - DeleteAllConversationsRequest: - value: - excludedIds: - - abc123 - - def456 + unlinkAttachmentExample: + value: {} schema: - type: object - properties: - excludedIds: - description: Optional list of conversation IDs to delete. - example: - - abc123 - - def456 - items: - type: string - type: array - required: false + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} responses: '200': content: application/json: examples: - DeleteAllConversationsResponse200Example: - value: - failures: [] - success: true - totalDeleted: 10 - schema: - type: object - properties: - failures: - items: - type: string - type: array - success: - example: true - type: boolean - totalDeleted: - example: 10 - type: number - description: >- - Indicates a successful call. The conversations were deleted - successfully. 
- '400': - content: - application/json: - examples: - DeleteAllConversationsResponse400Example: + unlinkAttachmentResponse: value: - error: Bad Request - message: Invalid conversation ID - statusCode: 400 - schema: - type: object - properties: - error: - example: Bad Request - type: string - message: - example: Invalid conversation ID - type: string - statusCode: - example: 400 - type: number - description: Bad Request response. - summary: Delete conversations + acknowledged: true + description: Successfully unlinked attachment + summary: Unlink an attachment from a stream tags: - - Security AI Assistant API - - Conversation API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request DELETE 'http://localhost:5601/api/security_ai_assistant/current_user/conversations' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" \ - --data '{"excludedIds":["abc123"]}' - post: - description: >- - Create a new Security AI Assistant conversation. This endpoint allows - the user to initiate a conversation with the Security AI Assistant by - providing the required parameters. - operationId: CreateConversation + - streams + x-state: Experimental; added in 9.3.0 + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/streams/{streamName}/attachments/{attachmentType}/{attachmentId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Links an attachment to a stream. Noop if the attachment is already linked to the stream.

[Required authorization] Route required privileges: manage_stream. + operationId: put-streams-streamname-attachments-attachmenttype-attachmentid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The name of the stream + in: path + name: streamName + required: true + schema: + type: string + - description: The type of the attachment + in: path + name: attachmentType + required: true + schema: + enum: + - dashboard + - rule + - slo + type: string + - description: The ID of the attachment + in: path + name: attachmentId + required: true + schema: + type: string requestBody: content: application/json: examples: - CreateConversationRequest: - value: - apiConfig: - actionTypeId: '67890' - connectorId: '12345' - category: assistant - excludeFromLastConversationStorage: false - messages: - - content: Hello, how can I assist you today? - role: system - timestamp: '2023-10-31T12:00:00Z' - replacements: {} - title: Security Discussion + linkAttachmentExample: + value: {} schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_ConversationCreateProps - required: true + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} responses: '200': content: application/json: examples: - CreateConversationResponse200Example: + linkAttachmentResponse: value: - apiConfig: - actionTypeId: '67890' - connectorId: '12345' - category: assistant - createdAt: '2023-10-31T12:01:00Z' - createdBy: - id: user1 - name: John Doe - excludeFromLastConversationStorage: false - id: abc123 - messages: - - content: Hello, how can I assist you today? 
- role: system - timestamp: '2023-10-31T12:00:00Z' - namespace: default - replacements: {} - title: Security Discussion - updatedAt: '2023-10-31T12:01:00Z' - users: - - id: user1 - name: John Doe - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_ConversationResponse - description: >- - Indicates a successful call. The conversation was created - successfully. - '400': + acknowledged: true + description: Successfully linked attachment + summary: Link an attachment to a stream + tags: + - streams + x-state: Experimental; added in 9.3.0 + x-metaTags: + - content: Kibana + name: product_name + /api/synthetics/monitor/test/{monitorId}: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/synthetics/monitor/test/{monitorId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Trigger an immediate test execution for the specified monitor. The response includes the generated `testRunId`. If the test encounters issues in one or more service locations, an `errors` array is also returned with details about the failures. + operationId: post-synthetics-monitor-test + parameters: + - description: The ID (config_id) of the monitor to test. + in: path + name: monitorId + required: true + schema: + type: string + responses: + '200': content: application/json: examples: - CreateConversationResponse400Example: - value: - error: Bad Request - message: 'Missing required parameter: title' - statusCode: 400 + testNowMonitorResponseExample1: + value: |- + { + "testRunId": "2bd506e5-4f9a-4aa6-a019-7988500afba0", + "errors": [ + { + "locationId": "us_central_staging", + "error": { + "status": 401, + "reason": "no auth credentials provided", + "failed_monitors": null + } + } + ] + } schema: type: object properties: - error: - example: Bad Request - type: string - message: - example: 'Missing required parameter: title' + errors: + description: Array of errors encountered while triggering the test, one per service location. + items: + type: object + properties: + error: + type: object + properties: + failed_monitors: + description: Optional list of monitors that failed at the location. + items: + type: object + nullable: true + type: array + reason: + description: Human-readable explanation of the failure. + type: string + status: + description: HTTP status code returned by the agent. + type: integer + required: + - status + - reason + - failed_monitors + locationId: + description: Identifier of the service location where the error occurred. + type: string + required: + - locationId + - error + type: array + testRunId: + description: Unique identifier for the triggered test run. 
type: string - statusCode: - example: 400 - type: number - description: Bad Request response. - summary: Create a conversation + required: + - testRunId + description: Test run triggered successfully. + '404': + description: Monitor not found. + summary: Trigger an on-demand test run for a monitor tags: - - Security AI Assistant API - - Conversation API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request POST 'http://localhost:5601/api/security_ai_assistant/current_user/conversations' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" \ - --data '{"title":"Security Discussion","category":"assistant","messages":[{"content":"Hello","role":"system","timestamp":"2023-10-31T12:00:00Z"}],"apiConfig":{"connectorId":"12345","actionTypeId":"67890"},"replacements":{},"excludeFromLastConversationStorage":false}' - /api/security_ai_assistant/current_user/conversations/_find: + - synthetics + x-state: Generally available; added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + /api/synthetics/monitors: get: - description: >- - Get a list of all conversations for the current user. This endpoint - allows users to search, filter, sort, and paginate through their - conversations. - operationId: FindConversations + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/synthetics/monitors
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of monitors. + You must have `read` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges. + operationId: get-synthetic-monitors parameters: - - description: >- - A list of fields to include in the response. If omitted, all fields - are returned. - in: query - name: fields - required: false - schema: - example: - - id - - title - - createdAt - items: - type: string - type: array - - description: >- - A search query to filter the conversations. Can match against - titles, messages, or other conversation attributes. + - description: Additional filtering criteria. in: query name: filter - required: false schema: - example: Security Issue type: string - - description: >- - The field by which to sort the results. Valid fields are - `created_at`, `title`, and `updated_at`. + - description: The locations to filter by. in: query - name: sort_field - required: false + name: locations schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_FindConversationsSortField - example: created_at - - description: >- - The order in which to sort the results. Can be either `asc` for - ascending or `desc` for descending. + oneOf: + - type: string + - items: + type: string + type: array + - description: The monitor types to filter. in: query - name: sort_order - required: false + name: monitorTypes schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' - example: desc - - description: The page number of the results to retrieve. Default is 1. + oneOf: + - enum: + - browser + - http + - icmp + - tcp + type: string + - items: + enum: + - browser + - http + - icmp + - tcp + type: string + type: array + - description: The page number for paginated results. 
in: query name: page - required: false schema: - default: 1 - example: 1 - minimum: 1 type: integer - - description: The number of conversations to return per page. Default is 20. + - description: The number of items to return per page. in: query name: per_page - required: false schema: - default: 20 - example: 20 - minimum: 0 type: integer - - description: >- - Whether to return conversations that the current user owns. If true, - only conversations owned by the user are returned. + - description: The projects to filter by. in: query - name: is_owner - required: false + name: projects schema: - default: false - example: true - type: boolean + oneOf: + - type: string + - items: + type: string + type: array + - description: A free-text query string. + in: query + name: query + schema: + type: string + - description: The schedules to filter by. + in: query + name: schedules + schema: + oneOf: + - items: + type: string + type: array + - type: string + - description: The field to sort the results by. + in: query + name: sortField + schema: + enum: + - name + - createdAt + - updatedAt + - status + type: string + - description: The sort order. + in: query + name: sortOrder + schema: + enum: + - asc + - desc + type: string + - description: The status to filter by. + in: query + name: status + schema: + oneOf: + - items: + type: string + type: array + - type: string + - description: Tags to filter monitors. + in: query + name: tags + schema: + oneOf: + - type: string + - items: + type: string + type: array + - description: | + Specifies whether to apply logical AND filtering for specific fields. Accepts either a string with values "tags" or "locations" or an array containing both. 
+ in: query + name: useLogicalAndFor + schema: + oneOf: + - enum: + - tags + - locations + type: string + - items: + enum: + - tags + - locations + type: string + type: array responses: '200': content: application/json: examples: - FindConversationsResponse200Example: - value: - data: - - category: assistant - createdAt: '2023-10-31T12:00:00Z' - createdBy: - id: user1 - name: John Doe - excludeFromLastConversationStorage: false - id: conv-abc123 - messages: [] - namespace: default - replacements: {} - title: Security Discussion - updatedAt: '2023-10-31T12:05:00Z' - users: - - id: user1 - name: John Doe - page: 1 - perPage: 20 - total: 5 + getSyntheticMonitorsResponseExample1: + description: A successful response from `GET /api/synthetics/monitors?tags=prod&monitorTypes=http&locations=us-east-1&projects=project1&status=up`. + value: |- + { + "page": 1, + "total": 24, + "monitors": [ + { + "type": "icmp", + "enabled": false, + "alert": { + "status": { + "enabled": true + }, + "tls": { + "enabled": true + } + }, + "schedule": { + "number": "3", + "unit": "m" + }, + "config_id": "e59142e5-1fe3-4aae-b0b0-19d6345e65a1", + "timeout": "16", + "name": "8.8.8.8:80", + "locations": [ + { + "id": "us_central", + "label": "North America - US Central", + "geo": { + "lat": 41.25, + "lon": -95.86 + }, + "isServiceManaged": true + } + ], + "namespace": "default", + "origin": "ui", + "id": "e59142e5-1fe3-4aae-b0b0-19d6345e65a1", + "max_attempts": 2, + "wait": "7", + "revision": 3, + "mode": "all", + "ipv4": true, + "ipv6": true, + "created_at": "2023-11-07T09:57:04.152Z", + "updated_at": "2023-12-04T19:19:34.039Z", + "host": "8.8.8.8:80" + } + ], + "absoluteTotal": 24, + "perPage": 10, + } + schema: + type: object + description: A successful response. + summary: Get monitors + tags: + - synthetics + x-metaTags: + - content: Kibana + name: product_name + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/synthetics/monitors
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new monitor with the specified attributes. A monitor can be one of the following types: HTTP, TCP, ICMP, or Browser. The required and default fields may vary based on the monitor type. + You must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges. + operationId: post-synthetic-monitors + requestBody: + content: + application/json: + examples: + postSyntheticMonitorsRequestExample1: + description: Create an HTTP monitor to check a website's availability. + summary: HTTP monitor + value: |- + { + "type": "http", + "name": "Website Availability", + "url": "https://example.com", + "tags": ["website", "availability"], + "locations": ["united_kingdom"] + } + postSyntheticMonitorsRequestExample2: + description: Create a TCP monitor to monitor a server's availability. + summary: TCP monitor + value: |- + { + "type": "tcp", + "name": "Server Availability", + "host": "example.com", + "private_locations": ["my_private_location"] + } + postSyntheticMonitorsRequestExample3: + description: Create an ICMP monitor to perform ping checks. + summary: ICMP monitor + value: |- + { + "type": "icmp", + "name": "Ping Test", + "host": "example.com", + "locations": ["united_kingdom"] + } + postSyntheticMonitorsRequestExample4: + description: Create a browser monitor to check a website. + summary: Browser monitor + value: |- + { + "type": "browser", + "name": "Example journey", + "inline_script": "step('Go to https://google.com.co', () => page.goto('https://www.google.com'))", + "locations": ["united_kingdom"] + } + schema: + description: | + The request body should contain the attributes of the monitor you want to create. The required and default fields differ depending on the monitor type. 
+ discriminator: + propertyName: type + oneOf: + - $ref: '#/components/schemas/Synthetics_browserMonitorFields' + - $ref: '#/components/schemas/Synthetics_httpMonitorFields' + - $ref: '#/components/schemas/Synthetics_icmpMonitorFields' + - $ref: '#/components/schemas/Synthetics_tcpMonitorFields' + required: true + responses: + '200': + content: + application/json: + examples: + postSyntheticMonitorsResponseWithWarning: + description: A response when a browser monitor specifies a timeout but has no private locations. + summary: Response with warning + value: |- + { + "type": "browser", + "name": "Example journey", + "enabled": true, + "warnings": [ + { + "id": "monitor-id", + "message": "For browser monitors, timeout is only supported on private locations. Browser monitor \"Example journey\" specifies a timeout and is running on public locations: \"public-1, public-2\". The timeout will have no effect on these locations.", + "publicLocationIds": ["public-1", "public-2"] + } + ] + } schema: type: object properties: - data: - description: A list of conversations. + warnings: + description: | + An optional array of warnings about the monitor configuration. items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_ConversationResponse + $ref: '#/components/schemas/Synthetics_monitorWarning' type: array - page: - description: The current page of the results. - example: 1 - type: integer - perPage: - description: The number of results returned per page. - example: 20 - type: integer - total: - description: >- - The total number of conversations matching the filter - criteria. - example: 100 - type: integer - required: - - page - - perPage - - total - - data - description: >- - Successful response, returns a paginated list of conversations - matching the specified criteria. + description: | + A successful response. The response may include a `warnings` array when the monitor configuration has non-critical issues. 
For example, if a browser monitor specifies a timeout but has no private locations configured, a warning is returned indicating the timeout will have no effect. '400': content: application/json: examples: - FindConversationsResponse400Example: - value: - error: Bad Request - message: Invalid filter parameter. - statusCode: 400 + invalidBrowserTimeout: + description: A 400 error when a browser monitor timeout is below 30 seconds. + summary: Invalid browser timeout + value: |- + { + "statusCode": 400, + "error": "Bad Request", + "message": "Browser Monitor timeout is invalid", + "attributes": { + "details": "Invalid timeout 20 seconds supplied. Minimum timeout for browser monitors is 30 seconds." + } + } schema: type: object properties: + attributes: + type: object + properties: + details: + example: Invalid timeout 20 seconds supplied. Minimum timeout for browser monitors is 30 seconds. + type: string error: example: Bad Request type: string message: - example: Invalid filter query parameter + example: Browser Monitor timeout is invalid type: string statusCode: example: 400 - type: number - description: Bad Request response. - summary: Get conversations + type: integer + description: | + Bad request. For browser monitors, a 400 error is returned if the timeout is less than 30 seconds. + summary: Create a monitor tags: - - Security AI Assistant API - - Conversations API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request GET 'http://localhost:5601/api/security_ai_assistant/current_user/conversations/_find?page=1&per_page=20' \ - --header "Authorization: $API_KEY" - /api/security_ai_assistant/current_user/conversations/{id}: + - synthetics + x-metaTags: + - content: Kibana + name: product_name + /api/synthetics/monitors/_bulk_delete: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/synthetics/monitors/_bulk_delete
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete multiple monitors by sending a list of config IDs. + operationId: delete-synthetic-monitors + requestBody: + content: + application/json: + examples: + bulkDeleteRequestExample1: + description: Run `POST /api/synthetics/monitors/_bulk_delete` to delete a list of monitors. + value: |- + { + "ids": [ + "monitor1-id", + "monitor2-id" + ] + } + schema: + type: object + properties: + ids: + description: An array of monitor IDs to delete. + items: + type: string + type: array + required: + - ids + required: true + responses: + '200': + content: + application/json: + examples: + deleteMonitorsResponseExample1: + description: A response from successfully deleting multiple monitors. + value: |- + [ + { + "id": "monitor1-id", + "deleted": true + }, + { + "id": "monitor2-id", + "deleted": true + } + ] + schema: + items: + description: The API response includes information about the deleted monitors. + type: object + properties: + deleted: + description: | + If it is `true`, the monitor was successfully deleted If it is `false`, the monitor was not deleted. + type: boolean + ids: + description: The unique identifier of the deleted monitor. + type: string + type: array + description: A successful response. + summary: Delete monitors + tags: + - synthetics + x-metaTags: + - content: Kibana + name: product_name + /api/synthetics/monitors/{id}: delete: - description: >- - Delete an existing conversation using the conversation ID. This endpoint - allows users to permanently delete a conversation. - operationId: DeleteConversation + description: | + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/synthetics/monitors/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a monitor from the Synthetics app. + You must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges. + operationId: delete-synthetic-monitor parameters: - - description: The conversation's `id` value. - example: abc123 + - description: The identifier for the monitor that you want to delete. in: path name: id required: true schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + type: string + responses: + '200': + description: OK + summary: Delete a monitor + tags: + - synthetics + x-metaTags: + - content: Kibana + name: product_name + get: + operationId: get-synthetic-monitor + parameters: + - description: The ID of the monitor. + in: path + name: id + required: true + schema: + type: string responses: '200': content: application/json: examples: - DeleteConversationResponse200Example: - value: - apiConfig: - actionTypeId: '67890' - connectorId: '12345' - category: assistant - createdAt: '2023-10-31T12:01:00Z' - createdBy: - id: user1 - name: John Doe - excludeFromLastConversationStorage: false - id: abc123 - messages: - - content: The conversation has been deleted. - role: system - timestamp: '2023-10-31T12:35:00Z' - namespace: default - replacements: {} - title: Deleted Security Discussion - updatedAt: '2023-10-31T12:01:00Z' - users: - - id: user1 - name: John Doe - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_ConversationResponse - description: >- - Indicates a successful call. The conversation was deleted - successfully. - '400': - content: - application/json: - examples: - DeleteConversationResponse400Example: - value: - error: Bad Request - message: Invalid conversation ID - statusCode: 400 + getSyntheticMonitorResponseExample1: + description: A successful response from `GET /api/synthetics/monitors/`. 
+ value: |- + { + "type": "http", + "enabled": true, + "alert": { + "status": { + "enabled": true + }, + "tls": { + "enabled": true + } + }, + "schedule": { + "number": "3", + "unit": "m" + }, + "config_id": "a8188705-d01e-4bb6-87a1-64fa5e4b07ec", + "timeout": "16", + "name": "am i something", + "locations": [ + { + "id": "us_central", + "label": "North America - US Central", + "geo": { + "lat": 41.25, + "lon": -95.86 + }, + "isServiceManaged": true + } + ], + "namespace": "default", + "origin": "ui", + "id": "a8188705-d01e-4bb6-87a1-64fa5e4b07ec", + "max_attempts": 2, + "__ui": { + "is_tls_enabled": false + }, + "max_redirects": "0", + "response.include_body": "on_error", + "response.include_headers": true, + "check.request.method": "GET", + "mode": "any", + "response.include_body_max_bytes": "1024", + "ipv4": true, + "ipv6": true, + "ssl.verification_mode": "full", + "ssl.supported_protocols": [ + "TLSv1.1", + "TLSv1.2", + "TLSv1.3" + ], + "revision": 13, + "created_at": "2023-11-08T08:45:29.334Z", + "updated_at": "2023-12-18T20:31:44.770Z", + "url": "https://fast.com" + } schema: type: object - properties: - error: - example: Bad Request - type: string - message: - example: Invalid conversation ID - type: string - statusCode: - example: 400 - type: number - description: Bad Request response. - summary: Delete a conversation + description: A successful response. + '404': + description: If the monitor is not found, the API returns a 404 error. + summary: Get a monitor tags: - - Security AI Assistant API - - Conversation API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request DELETE 'http://localhost:5601/api/security_ai_assistant/current_user/conversations/abc123' \ - --header "Authorization: $API_KEY" - get: - description: >- - Get the details of an existing conversation using the conversation ID. - This allows users to fetch the specific conversation data by its unique - ID. 
- operationId: ReadConversation + - synthetics + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/synthetics/monitors/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + put: + description: | + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/synthetics/monitors/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update a monitor with the specified attributes. The required and default fields may vary based on the monitor type. + You must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges. + You can also partially update a monitor. This will only update the fields that are specified in the request body. All other fields are left unchanged. The specified fields should conform to the monitor type. For example, you can't update the `inline_scipt` field of a HTTP monitor. + operationId: put-synthetic-monitor parameters: - - description: >- - The conversation's `id` value, a unique identifier for the - conversation. - example: abc123 + - description: The identifier for the monitor that you want to update. in: path name: id required: true schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + type: string + requestBody: + content: + application/json: + examples: + putSyntheticMonitorsRequestExample1: + description: Update an HTTP monitor that checks a website's availability. + summary: HTTP monitor + value: |- + { + "type": "http", + "name": "Website Availability", + "url": "https://example.com", + "tags": ["website", "availability"], + "locations": ["united_kingdom"] + } + putSyntheticMonitorsRequestExample2: + description: Update a TCP monitor that monitors a server's availability. + summary: TCP monitor + value: |- + { + "type": "tcp", + "name": "Server Availability", + "host": "example.com", + "private_locations": ["my_private_location"] + } + putSyntheticMonitorsRequestExample3: + description: Update an ICMP monitor that performs ping checks. + summary: ICMP monitor + value: |- + { + "type": "icmp", + "name": "Ping Test", + "host": "example.com", + "locations": ["united_kingdom"] + } + putSyntheticMonitorsRequestExample4: + description: Update a browser monitor that checks a website. 
+ summary: Browser monitor + value: |- + { + "type": "browser", + "name": "Example journey", + "inline_script": "step('Go to https://google.com.co', () => page.goto('https://www.google.com'))", + "locations": ["united_kingdom"] + } + schema: + description: | + The request body should contain the attributes of the monitor you want to update. The required and default fields differ depending on the monitor type. + discriminator: + propertyName: type + oneOf: + - $ref: '#/components/schemas/Synthetics_browserMonitorFields' + - $ref: '#/components/schemas/Synthetics_httpMonitorFields' + - $ref: '#/components/schemas/Synthetics_icmpMonitorFields' + - $ref: '#/components/schemas/Synthetics_tcpMonitorFields' + type: object + required: true responses: '200': content: application/json: examples: - ReadConversationResponse200Example: - value: - apiConfig: - actionTypeId: '67890' - connectorId: '12345' - category: assistant - createdAt: '2023-10-31T12:01:00Z' - createdBy: - id: user1 - name: John Doe - excludeFromLastConversationStorage: false - id: abc123 - messages: - - content: Hello, how can I assist you today? - role: system - timestamp: '2023-10-31T12:00:00Z' - namespace: default - replacements: {} - title: Security Discussion - updatedAt: '2023-10-31T12:01:00Z' - users: - - id: user1 - name: John Doe + putSyntheticMonitorResponseWithWarning: + description: A response when a browser monitor specifies a timeout but has no private locations. + summary: Response with warning + value: |- + { + "type": "browser", + "name": "Example journey", + "enabled": true, + "warnings": [ + { + "id": "monitor-id", + "message": "For browser monitors, timeout is only supported on private locations. Browser monitor \"Example journey\" specifies a timeout and is running on public locations: \"public-1, public-2\". 
The timeout will have no effect on these locations.", + "publicLocationIds": ["public-1", "public-2"] + } + ] + } schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_ConversationResponse - description: Indicates a successful call. The conversation details are returned. + type: object + properties: + warnings: + description: | + An optional array of warnings about the monitor configuration. + items: + $ref: '#/components/schemas/Synthetics_monitorWarning' + type: array + description: | + A successful response. The response may include a `warnings` array when the monitor configuration has non-critical issues. '400': + description: | + Bad request. For browser monitors, a 400 error is returned if the timeout is less than 30 seconds. + summary: Update a monitor + tags: + - synthetics + x-metaTags: + - content: Kibana + name: product_name + /api/synthetics/params: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/synthetics/params
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all parameters. You must have `read` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges. + operationId: get-parameters + responses: + '200': content: application/json: examples: - ReadConversationResponse400Example: - value: - error: Bad Request - message: Invalid conversation ID - statusCode: 400 + getParametersResponseExample1: + description: A successful response for a user with read-only permissions to get a list of parameters. + summary: Read access + value: |- + [ + { + "id": "param1-id", + "key": "param1", + "description": "Description for param1", + "tags": ["tag1", "tag2"], + "namespaces": ["namespace1"] + }, + { + "id": "param2-id", + "key": "param2", + "description": "Description for param2", + "tags": ["tag3"], + "namespaces": ["namespace2"] + } + ] + getParametersResponseExample2: + description: A successful response for a user with write permissions to get a list of parameters. + summary: Write access + value: |- + [ + { + "id": "param1-id", + "key": "param1", + "description": "Description for param1", + "tags": ["tag1", "tag2"], + "namespaces": ["namespace1"], + "value": "value1" + }, + { + "id": "param2-id", + "key": "param2", + "description": "Description for param2", + "tags": ["tag3"], + "namespaces": ["namespace2"], + "value": "value2" + } + ] schema: - type: object - properties: - error: - example: Bad Request - type: string - message: - example: Invalid conversation ID - type: string - statusCode: - example: 400 - type: number - description: Bad Request response. - summary: Get a conversation + items: + $ref: '#/components/schemas/Synthetics_getParameterResponse' + type: array + description: A successful response. 
+ summary: Get parameters tags: - - Security AI Assistant API - - Conversations API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request GET 'http://localhost:5601/api/security_ai_assistant/current_user/conversations/abc123' \ - --header "Authorization: $API_KEY" - put: - description: >- - Update an existing conversation using the conversation ID. This endpoint - allows users to modify the details of an existing conversation. - operationId: UpdateConversation - parameters: - - description: The conversation's `id` value. - example: abc123 - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + - synthetics + x-metaTags: + - content: Kibana + name: product_name + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/synthetics/params
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Add one or more parameters to the Synthetics app. + You must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges. + operationId: post-parameters requestBody: content: application/json: examples: - UpdateConversationRequest: - value: - apiConfig: - actionTypeId: '09876' - connectorId: '54321' - category: insights - excludeFromLastConversationStorage: true - messages: - - content: The issue was resolved. - role: assistant - timestamp: '2023-10-31T12:30:00Z' - replacements: {} - title: Updated Security Discussion + postParametersRequestExample1: + description: Add a single parameter. + summary: Single parameter + value: |- + { + "key": "your-key-name", + "value": "your-parameter-value", + "description": "Param to use in browser monitor", + "tags": ["authentication", "security"], + "share_across_spaces": true + } + postParametersRequestExample2: + description: Add multiple parameters. + summary: Multiple parameters + value: |- + [ + { + "key": "param1", + "value": "value1" + }, + { + "key": "param2", + "value": "value2" + } + ] schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_ConversationUpdateProps + oneOf: + - items: + $ref: '#/components/schemas/Synthetics_parameterRequest' + type: array + - $ref: '#/components/schemas/Synthetics_parameterRequest' + description: The request body can contain either a single parameter object or an array of parameter objects. required: true responses: '200': content: application/json: examples: - UpdateConversationResponse200Example: - value: - apiConfig: - actionTypeId: '09876' - connectorId: '54321' - category: insights - createdAt: '2023-10-31T12:01:00Z' - createdBy: - id: user1 - name: John Doe - excludeFromLastConversationStorage: true - id: abc123 - messages: - - content: The issue was resolved. 
- role: assistant - timestamp: '2023-10-31T12:30:00Z' - namespace: default - replacements: {} - title: Updated Security Discussion - updatedAt: '2023-10-31T12:31:00Z' - users: - - id: user1 - name: John Doe - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_ConversationResponse - description: >- - Indicates a successful call. The conversation was updated - successfully. - '400': - content: - application/json: - examples: - UpdateConversationResponse400Example: - value: - error: Bad Request - message: 'Missing required field: title' - statusCode: 400 + postParametersResponseExample1: + description: A successful response for a single added parameter. + summary: Single parameter + value: |- + { + "id": "unique-parameter-id", + "key": "your-key-name", + "value": "your-param-value", + "description": "Param to use in browser monitor", + "tags": ["authentication", "security"], + "share_across_spaces": true + } + postParametersResponseExample2: + description: A successful response for multiple added parameters. + summary: Multiple parameters + value: |- + [ + { + "id": "param1-id", + "key": "param1", + "value": "value1" + }, + { + "id": "param2-id", + "key": "param2", + "value": "value2" + } + ] schema: - type: object - properties: - error: - example: Bad Request - type: string - message: - example: 'Missing required field: title' - type: string - statusCode: - example: 400 - type: number - description: Bad Request response. - summary: Update a conversation + oneOf: + - items: + $ref: '#/components/schemas/Synthetics_postParameterResponse' + type: array + - $ref: '#/components/schemas/Synthetics_postParameterResponse' + description: A successful response. 
+ summary: Add parameters tags: - - Security AI Assistant API - - Conversation API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request PUT 'http://localhost:5601/api/security_ai_assistant/current_user/conversations/abc123' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" \ - --data '{"title":"Updated Security Discussion","category":"insights","messages":[{"content":"Resolved.","role":"assistant","timestamp":"2023-10-31T12:30:00Z"}],"apiConfig":{"connectorId":"54321","actionTypeId":"09876"},"replacements":{},"excludeFromLastConversationStorage":true}' - /api/security_ai_assistant/knowledge_base: - get: - description: Read a single KB - operationId: GetKnowledgeBase + - synthetics + x-metaTags: + - content: Kibana + name: product_name + /api/synthetics/params/_bulk_delete: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/synthetics/params/_bulk_delete
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete parameters from the Synthetics app. + You must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges. + operationId: delete-parameters + requestBody: + content: + application/json: + examples: + deleteParametersRequestExample1: + description: Run `POST /api/synthetics/params/_bulk_delete` to delete multiple parameters. + value: |- + { + "ids": ["param1-id", "param2-id"] + } + schema: + type: object + properties: + ids: + description: An array of parameter IDs to delete. + items: + type: string + type: array + required: true responses: '200': content: application/json: examples: - KnowledgeBaseReadResponse200Example2: - summary: >- - A response that returns information about the knowledge - base. - value: - defend_insights_exists: true - elser_exists: false - is_setup_available: true - is_setup_in_progress: true - product_documentation_status: installed - security_labs_exists: false - user_data_exists: true - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseReadResponse200 - description: Indicates a successful call. - '400': - content: - application/json: - examples: - GetKnowledgeBaseResponse400Example: - value: - error: Bad Request - message: Invalid resource ID provided. - statusCode: 400 + deleteParametersResponseExample1: + value: |- + [ + { + "id": "param1-id", + "deleted": true + } + ] schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400 - description: Bad Request response. - summary: Read a KnowledgeBase + items: + type: object + properties: + deleted: + description: | + Indicates whether the parameter was successfully deleted. It is `true` if it was deleted. It is `false` if it was not deleted. + type: boolean + id: + description: The unique identifier for the deleted parameter. 
+ type: string + type: array + description: A successful response. + summary: Delete parameters tags: - - Security AI Assistant API - - KnowledgeBase API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request GET 'http://localhost:5601/api/security_ai_assistant/knowledge_base' \ - --header "Authorization: $API_KEY" - post: - description: >- - Create a knowledge base. Use this endpoint when no specific resource - identifier is needed. - operationId: PostKnowledgeBase + - synthetics + x-metaTags: + - content: Kibana + name: product_name + /api/synthetics/params/{id}: + delete: + description: | + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/synthetics/params/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a parameter from the Synthetics app. + You must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges. + operationId: delete-parameter parameters: - - description: >- - ELSER modelId to use when setting up the Knowledge Base. If not - provided, a default model will be used. - example: elser-model-001 - in: query - name: modelId - required: false + - description: The ID for the parameter to delete. + in: path + name: id + required: true schema: type: string - - description: >- - Indicates whether we should or should not install Security Labs docs - when setting up the Knowledge Base. Defaults to `false`. - example: true - in: query - name: ignoreSecurityLabs - required: false - schema: - default: false - type: boolean responses: '200': - content: - application/json: - examples: - KnowledgeBaseResponse200Example2: - summary: A response that indicates that the request was successful. - value: - success: true - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse - description: Indicates a successful call. - '400': - content: - application/json: - examples: - KnowledgeBaseResponse400Example2: - summary: >- - A response for a request that failed due to an invalid query - parameter value. - value: > - statusCode: 400 error: Bad Request message: "[request - query]: ignoreSecurityLabs: Invalid enum value. Expected - 'true' | 'false', received 'yes', ignoreSecurityLabs: - Expected boolean, received string" - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400 - description: Bad Request response. 
- summary: Create a KnowledgeBase + description: OK + summary: Delete a parameter tags: - - Security AI Assistant API - - KnowledgeBase API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request POST 'http://localhost:5601/api/security_ai_assistant/knowledge_base?ignoreSecurityLabs=false' \ - --header "Authorization: $API_KEY" - /api/security_ai_assistant/knowledge_base/{resource}: + - synthetics + x-metaTags: + - content: Kibana + name: product_name get: - description: Read a knowledge base with a specific resource identifier. - operationId: ReadKnowledgeBase + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/synthetics/params/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a parameter from the Synthetics app. + You must have `read` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges. + operationId: get-parameter parameters: - - description: The KnowledgeBase `resource` value. - example: kb12345 + - description: The unique identifier for the parameter. in: path - name: resource + name: id required: true schema: type: string 
@@ -42651,1825 +67658,1313 @@ paths: content: application/json: examples: - KnowledgeBaseReadResponse200Example1: - summary: >- - A response that returns information about the knowledge - base. - value: - defend_insights_exists: true - elser_exists: false - is_setup_available: true - is_setup_in_progress: true - product_documentation_status: installed - security_labs_exists: false - user_data_exists: true - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseReadResponse200 - description: Indicates a successful call. - '400': - content: - application/json: - examples: - ReadKnowledgeBaseResponse400Example: - value: - error: Bad Request - message: Invalid resource ID provided. - statusCode: 400 + getParameterResponseExample1: + description: A successful response for a user with read-only permissions to get a single parameter. + summary: Read access + value: |- + { + "id": "unique-parameter-id", + "key": "your-api-key", + "description": "Param to use in browser monitor", + "tags": ["authentication", "security"], + "namespaces": ["namespace1", "namespace2"] + } + getParameterResponseExample2: + description: A successful response for a user with write permissions to get a single parameter. + summary: Write access + value: |- + { + "id": "unique-parameter-id", + "key": "your-param-key", + "description": "Param to use in browser monitor", + "tags": ["authentication", "security"], + "namespaces": ["namespace1", "namespace2"], + "value": "your-param-value" + } schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400 - description: Bad Request response. - summary: Read a KnowledgeBase for a resource + $ref: '#/components/schemas/Synthetics_getParameterResponse' + description: A successful response. 
+ summary: Get a parameter tags: - - Security AI Assistant API - - KnowledgeBase API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request GET 'http://localhost:5601/api/security_ai_assistant/knowledge_base/kb12345' \ - --header "Authorization: $API_KEY" - post: - description: Create a knowledge base with a specific resource identifier. - operationId: CreateKnowledgeBase + - synthetics + x-metaTags: + - content: Kibana + name: product_name + put: + description: | + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/synthetics/params/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update a parameter in the Synthetics app. + You must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges. + operationId: put-parameter parameters: - - description: The KnowledgeBase `resource` value. - example: kb12345 + - description: The unique identifier for the parameter. in: path - name: resource + name: id required: true schema: type: string - - description: >- - ELSER modelId to use when setting up the Knowledge Base. If not - provided, a default model will be used. - example: elser-model-001 - in: query - name: modelId - required: false - schema: - type: string - - description: >- - Indicates whether we should or should not install Security Labs docs - when setting up the Knowledge Base. Defaults to `false`. - example: true - in: query - name: ignoreSecurityLabs - required: false - schema: - default: false - type: boolean - responses: - '200': - content: - application/json: - examples: - KnowledgeBaseResponse200Example1: - summary: A response that indicates that the request was successful. - value: - success: true - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse - description: Indicates a successful call. - '400': - content: - application/json: - examples: - KnowledgeBaseResponse400Example1: - summary: >- - A response for a request that failed due to an invalid query - parameter value. - value: > - statusCode: 400 error: Bad Request message: "[request - query]: ignoreSecurityLabs: Invalid enum value. Expected - 'true' | 'false', received 'yes', ignoreSecurityLabs: - Expected boolean, received string" - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400 - description: Bad Request response. 
- summary: Create a KnowledgeBase for a resource - tags: - - Security AI Assistant API - - KnowledgeBase API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request POST 'http://localhost:5601/api/security_ai_assistant/knowledge_base/kb12345?ignoreSecurityLabs=false' \ - --header "Authorization: $API_KEY" - /api/security_ai_assistant/knowledge_base/entries: - post: - description: Create a Knowledge Base Entry - operationId: CreateKnowledgeBaseEntry requestBody: content: application/json: examples: - CreateKnowledgeBaseEntryRequest: - value: - kbResource: user - name: How to reset a password - source: manual - text: >- - To reset your password, go to the settings page and click - 'Reset Password'. - type: document + putParameterRequestExample1: + value: |- + { + "key": "updated_param_key", + "value": "updated-param-value", + "description": "Updated Param to be used in browser monitor", + "tags": ["authentication", "security", "updated"] + } schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryCreateProps + type: object + properties: + description: + description: The updated description of the parameter. + type: string + key: + description: The key of the parameter. + type: string + tags: + description: An array of updated tags to categorize the parameter. + items: + type: string + type: array + value: + description: The updated value associated with the parameter. + type: string + description: The request body cannot be empty; at least one attribute is required. required: true responses: '200': content: application/json: examples: - CreateKnowledgeBaseEntryResponse200Example: - value: - createdAt: '2024-01-15T10:00:00.000Z' - createdBy: user@example.com - global: false - id: '12345' - kbResource: user - name: How to reset a password - namespace: default - source: manual - text: >- - To reset your password, go to the settings page and click - 'Reset Password'. 
- type: document - updatedAt: '2024-01-15T10:00:00.000Z' - updatedBy: user@example.com + putParameterResponseExample1: + value: |- + { + "id": "param_id1", + "key": "updated_param_key", + "value": "updated-param-value", + "description": "Updated Param to be used in browser monitor", + "tags": ["authentication", "security", "updated"] + } schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse - description: Successful request returning Knowledge Base Entries - '400': + type: object + description: A successful response. + summary: Update a parameter + tags: + - synthetics + x-metaTags: + - content: Kibana + name: product_name + /api/synthetics/private_locations: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/synthetics/private_locations
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of private locations. + You must have `read` privileges for the Synthetics and Uptime feature in the Observability section of the Kibana feature privileges. + operationId: get-private-locations + responses: + '200': content: application/json: examples: - CreateKnowledgeBaseEntryResponse400Example: - value: - error: Invalid input - message: The 'name' field is required. + getPrivateLocationsResponseExample1: + value: |- + [ + { + "label": "Test private location", + "id": "fleet-server-policy", + "agentPolicyId": "fleet-server-policy", + "isInvalid": false, + "geo": { + "lat": 0, + "lon": 0 + }, + "namespace": "default" + }, + { + "label": "Test private location 2", + "id": "691225b0-6ced-11ee-8f5a-376306ee85ae", + "agentPolicyId": "691225b0-6ced-11ee-8f5a-376306ee85ae", + "isInvalid": false, + "geo": { + "lat": 0, + "lon": 0 + }, + "namespace": "test" + } + ] schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema - description: Bad Request response. - summary: Create a Knowledge Base Entry - tags: - - Security AI Assistant API - - Knowledge Base Entries API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request POST 'http://localhost:5601/api/security_ai_assistant/knowledge_base/entries' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" \ - --data '{"name":"How to reset a password","type":"document","kbResource":"user","source":"manual","text":"To reset your password, go to the settings page and click Reset Password."}' - /api/security_ai_assistant/knowledge_base/entries/_bulk_action: + items: + $ref: '#/components/schemas/Synthetics_getPrivateLocation' + type: array + description: A successful response. 
+ summary: Get private locations + tags: + - synthetics + x-metaTags: + - content: Kibana + name: product_name post: - description: >- - The bulk action is applied to all Knowledge Base Entries that match the - filter or to the list of Knowledge Base Entries by their IDs. - operationId: PerformKnowledgeBaseEntryBulkAction + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/synthetics/private_locations
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + You must have `all` privileges for the Synthetics and Uptime feature in the Observability section of the Kibana feature privileges. + operationId: post-private-location requestBody: content: application/json: examples: - PerformKnowledgeBaseEntryBulkActionRequest: - value: - create: - - kbResource: user - name: New Entry - source: manual - text: This is the content of the new entry. - type: document - delete: - ids: - - '789' - update: - - id: '123' - kbResource: user - name: Updated Entry - source: manual - text: Updated content. - type: document + postPrivateLocationRequestExample1: + description: Run `POST /api/private_locations` to create a private location. + value: |- + { + "label": "Private Location 1", + "agentPolicyId": "abcd1234", + "tags": ["private", "testing"], + "geo": { + "lat": 40.7128, + "lon": -74.0060 + } + "spaces": ["default"] + } schema: type: object properties: - create: - description: List of Knowledge Base Entries to create. - example: - - kbResource: user - name: New Entry - source: manual - text: This is the content of the new entry. - type: document - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryCreateProps - type: array - delete: + agentPolicyId: + description: The ID of the agent policy associated with the private location. + type: string + geo: + description: Geographic coordinates (WGS84) for the location. type: object properties: - ids: - description: Array of Knowledge Base Entry IDs. - example: - - '123' - - '456' - - '789' - items: - type: string - minItems: 1 - type: array - query: - description: Query to filter Knowledge Base Entries. - example: status:active AND category:technology - type: string - update: - description: List of Knowledge Base Entries to update. - example: - - id: '123' - kbResource: user - name: Updated Entry - source: manual - text: Updated content. 
- type: document + lat: + description: The latitude of the location. + type: number + lon: + description: The longitude of the location. + type: number + required: + - lat + - lon + label: + description: A label for the private location. + type: string + spaces: + description: | + An array of space IDs where the private location is available. If it is not provided, the private location is available in all spaces. items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryUpdateProps + type: string type: array + tags: + description: An array of tags to categorize the private location. + items: + type: string + type: array + required: + - agentPolicyId + - label + required: true responses: '200': content: application/json: examples: - PerformKnowledgeBaseEntryBulkActionResponse200Example: - value: - attributes: - results: - created: - - createdAt: '2024-01-15T10:00:00.000Z' - createdBy: user@example.com - global: false - id: '456' - kbResource: user - name: New Entry - namespace: default - source: manual - text: This is the content of the new entry. - type: document - updatedAt: '2024-01-15T10:00:00.000Z' - updatedBy: user@example.com - deleted: - - '789' - skipped: [] - updated: - - createdAt: '2024-01-14T09:00:00.000Z' - createdBy: user@example.com - global: false - id: '123' - kbResource: user - name: Updated Entry - namespace: default - source: manual - text: Updated content. - type: document - updatedAt: '2024-01-15T10:00:00.000Z' - updatedBy: user@example.com - summary: - failed: 0 - skipped: 0 - succeeded: 3 - total: 3 - knowledgeBaseEntriesCount: 3 - message: Bulk action completed successfully. 
- statusCode: 200 - success: true - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionResponse - description: Successful bulk operation request - '400': - content: - application/json: - examples: - PerformKnowledgeBaseEntryBulkActionResponse400Example: - value: - error: Bad Request - message: Invalid request body. - statusCode: 400 - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema - description: Bad Request response. - summary: Applies a bulk action to multiple Knowledge Base Entries - tags: - - Security AI Assistant API - - Knowledge Base Entries Bulk API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request POST 'http://localhost:5601/api/security_ai_assistant/knowledge_base/entries/_bulk_action' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" \ - --data '{"create":[{"name":"Runbook","type":"document","kbResource":"user","source":"manual","text":"Steps to triage an alert."}]}' - /api/security_ai_assistant/knowledge_base/entries/_find: - get: - description: Finds Knowledge Base Entries that match the given query. - operationId: FindKnowledgeBaseEntries - parameters: - - description: >- - A list of fields to include in the response. If not provided, all - fields will be included. - in: query - name: fields - required: false - schema: - example: - - name - - created_at - items: - type: string - type: array - - description: Search query to filter Knowledge Base Entries by specific criteria. - in: query - name: filter - required: false - schema: - example: error handling - type: string - - description: Field to sort the Knowledge Base Entries by. - in: query - name: sort_field - required: false - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_FindKnowledgeBaseEntriesSortField - example: created_at - - description: Sort order for the results, either asc or desc. 
- in: query - name: sort_order - required: false - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' - example: asc - - description: Page number for paginated results. Defaults to 1. - in: query - name: page - required: false - schema: - default: 1 - example: 2 - minimum: 1 - type: integer - - description: Number of Knowledge Base Entries to return per page. Defaults to 20. - in: query - name: per_page - required: false - schema: - default: 20 - example: 10 - minimum: 0 - type: integer - responses: - '200': - content: - application/json: - examples: - FindKnowledgeBaseEntriesResponse200Example: - value: - data: - - createdAt: '2024-01-15T10:00:00.000Z' - createdBy: user@example.com - global: false - id: '12345' - kbResource: user - name: How to reset a password - namespace: default - source: manual - text: >- - To reset your password, go to the settings page and - click 'Reset Password'. - type: document - updatedAt: '2024-01-15T10:00:00.000Z' - updatedBy: user@example.com - page: 1 - perPage: 20 - total: 100 + postPrivateLocationResponseExample1: + value: |- + { + "id": "abcd1234", + "label": "Private Location 1", + "agentPolicyId": "abcd1234", + "tags": ["private", "testing"], + "geo": { + "lat": 40.7128, + "lon": -74.0060 + } + } schema: type: object - properties: - data: - description: The list of Knowledge Base Entries for the current page. - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse - type: array - page: - description: The current page number. - example: 1 - type: integer - perPage: - description: The number of Knowledge Base Entries returned per page. - example: 20 - type: integer - total: - description: The total number of Knowledge Base Entries available. - example: 100 - type: integer - required: - - page - - perPage - - total - - data - description: Successful response containing the paginated Knowledge Base Entries. + description: A successful response. 
'400': - content: - application/json: - examples: - FindKnowledgeBaseEntriesResponse400Example: - value: - error: Bad Request - message: 'Invalid query parameter: sort_order' - statusCode: 400 - schema: - type: object - properties: - error: - description: A short description of the error. - example: Bad Request - type: string - message: - description: A detailed message explaining the error. - example: 'Invalid query parameter: sort_order' - type: string - statusCode: - description: The HTTP status code of the error. - example: 400 - type: number - description: Bad Request response. - summary: Finds Knowledge Base Entries that match the given query. + description: If the `agentPolicyId` is already used by an existing private location or if the `label` already exists, the API will return a 400 Bad Request response with a corresponding error message. + summary: Create a private location tags: - - Security AI Assistant API - - Knowledge Base Entries API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request GET 'http://localhost:5601/api/security_ai_assistant/knowledge_base/entries/_find?page=1&per_page=20' \ - --header "Authorization: $API_KEY" - /api/security_ai_assistant/knowledge_base/entries/{id}: + - synthetics + x-metaTags: + - content: Kibana + name: product_name + /api/synthetics/private_locations/{id}: delete: - description: Delete a Knowledge Base Entry by its unique `id`. - operationId: DeleteKnowledgeBaseEntry + description: | + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/synthetics/private_locations/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + You must have `all` privileges for the Synthetics and Uptime feature in the Observability section of the Kibana feature privileges. + The API does not return a response body for deletion, but it will return an appropriate status code upon successful deletion. + A location cannot be deleted if it has associated monitors in use. You must delete all monitors associated with the location before deleting the location. + operationId: delete-private-location parameters: - - description: The unique identifier (`id`) of the Knowledge Base Entry to delete. - example: '12345' + - description: The unique identifier of the private location to be deleted. in: path name: id required: true schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + maxLength: 1024 + minLength: 1 + type: string responses: '200': - content: - application/json: - examples: - DeleteKnowledgeBaseEntryResponse200Example: - value: - id: '12345' - message: Knowledge Base Entry successfully deleted. - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_DeleteResponseFields - description: >- - Successful request returning the `id` of the deleted Knowledge Base - Entry. - '400': - content: - application/json: - examples: - DeleteKnowledgeBaseEntryResponse400Example: - value: - error: Not Found - message: No Knowledge Base Entry found with the provided `id`. - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema - description: Bad Request response. 
- summary: Deletes a single Knowledge Base Entry using the `id` field + description: OK + summary: Delete a private location tags: - - Security AI Assistant API - - Knowledge Base Entries API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request DELETE 'http://localhost:5601/api/security_ai_assistant/knowledge_base/entries/12345' \ - --header "Authorization: $API_KEY" + - synthetics + x-metaTags: + - content: Kibana + name: product_name get: - description: Retrieve a Knowledge Base Entry by its unique `id`. - operationId: ReadKnowledgeBaseEntry + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/synthetics/private_locations/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + You must have `read` privileges for the Synthetics and Uptime feature in the Observability section of the Kibana feature privileges. + operationId: get-private-location parameters: - - description: >- - The unique identifier (`id`) of the Knowledge Base Entry to - retrieve. - example: '12345' + - description: A private location identifier or label. in: path name: id required: true schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + type: string responses: '200': content: application/json: examples: - ReadKnowledgeBaseEntryResponse200Example: - value: - createdAt: '2024-01-15T10:00:00.000Z' - createdBy: user@example.com - global: false - id: '12345' - kbResource: user - name: How to reset a password - namespace: default - source: manual - text: >- - To reset your password, go to the settings page and click - 'Reset Password'. - type: document - updatedAt: '2024-01-15T10:00:00.000Z' - updatedBy: user@example.com - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse - description: Successful request returning the requested Knowledge Base Entry. - '400': - content: - application/json: - examples: - ReadKnowledgeBaseEntryResponse400Example: - value: - error: Not Found - message: No Knowledge Base Entry found with the provided `id`. + getPrivateLocationResponseExample1: + value: |- + { + "label": "Test private location", + "id": "test-private-location-id", + "agentPolicyId": "test-private-location-id", + "isServiceManaged": false, + "isInvalid": false, + "geo": { + "lat": 0, + "lon": 0 + }, + "namespace": "default" + } schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema - description: Bad Request response. - summary: Read a Knowledge Base Entry + $ref: '#/components/schemas/Synthetics_getPrivateLocation' + description: A successful response. 
+ summary: Get a private location tags: - - Security AI Assistant API - - Knowledge Base Entries API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request GET 'http://localhost:5601/api/security_ai_assistant/knowledge_base/entries/12345' \ - --header "Authorization: $API_KEY" + - synthetics + x-metaTags: + - content: Kibana + name: product_name put: - description: Update an existing Knowledge Base Entry by its unique `id`. - operationId: UpdateKnowledgeBaseEntry + description: | + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/synthetics/private_locations/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an existing private location's label. + You must have `all` privileges for the Synthetics and Uptime feature in the Observability section of the Kibana feature privileges. + When a private location's label is updated, all monitors using this location will also be updated to maintain data consistency. + operationId: put-private-location parameters: - - description: The unique identifier (`id`) of the Knowledge Base Entry to update. - example: '12345' + - description: The unique identifier of the private location to be updated. in: path name: id required: true schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + type: string requestBody: content: application/json: examples: - UpdateKnowledgeBaseEntryRequest: - value: - kbResource: user - name: How to reset a password (updated) - source: manual - text: >- - Updated: go to settings and click Reset Password, then - follow the on-screen instructions. - type: document + putPrivateLocationRequestExample1: + description: Update a private location's label. + value: |- + { + "label": "Updated Private Location Name" + } schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryUpdateRouteProps + type: object + properties: + label: + description: A new label for the private location. Must be at least 1 character long. + minLength: 1 + type: string + required: + - label required: true responses: '200': content: application/json: examples: - UpdateKnowledgeBaseEntryResponse200Example: - value: - createdAt: '2024-01-15T10:00:00.000Z' - createdBy: user@example.com - global: false - id: '12345' - kbResource: user - name: How to reset a password (updated) - namespace: default - source: manual - text: >- - Updated: go to settings and click Reset Password, then - follow the on-screen instructions. 
- type: document - updatedAt: '2024-01-15T10:05:00.000Z' - updatedBy: user@example.com + putPrivateLocationResponseExample1: + value: |- + { + "label": "Updated Private Location Name", + "id": "test-private-location-id", + "agentPolicyId": "test-private-location-id", + "isServiceManaged": false, + "isInvalid": false, + "tags": ["private", "testing", "updated"], + "geo": { + "lat": 37.7749, + "lon": -122.4194 + }, + "spaces": ["*"] + } schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse - description: Successful request returning the updated Knowledge Base Entry. + $ref: '#/components/schemas/Synthetics_getPrivateLocation' + description: A successful response. '400': - content: - application/json: - examples: - UpdateKnowledgeBaseEntryResponse400Example: - value: - error: Invalid input - message: The 'text' field cannot be empty. - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema - description: Bad Request response. - summary: Update a Knowledge Base Entry + description: If the `label` is shorter than 1 character the API will return a 400 Bad Request response with a corresponding error message. + '404': + description: If the private location with the specified ID does not exist, the API will return a 404 Not Found response. 
+ summary: Update a private location tags: - - Security AI Assistant API - - Knowledge Base Entries API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request PUT 'http://localhost:5601/api/security_ai_assistant/knowledge_base/entries/12345' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" \ - --data '{"name":"How to reset a password (updated)","type":"document","kbResource":"user","source":"manual","text":"Updated: go to settings and click Reset Password, then follow the on-screen instructions."}' - /api/security_ai_assistant/prompts/_bulk_action: - post: - description: >- - Apply a bulk action to multiple prompts. The bulk action is applied to - all prompts that match the filter or to the list of prompts by their - IDs. This action allows for bulk create, update, or delete operations. - operationId: PerformPromptsBulkAction + - synthetics + x-metaTags: + - content: Kibana + name: product_name + /api/task_manager/_health: + get: + description: | + Get the health status of the Kibana task manager. + operationId: task-manager-health + responses: + '200': + content: + application/json: + examples: + taskManagerHealthResponse1: + $ref: '#/components/examples/Task_manager_health_APIs_health_200response' + schema: + $ref: '#/components/schemas/Task_manager_health_APIs_health_response' + description: Indicates a successful call + summary: Get the task manager health + tags: + - task manager + x-metaTags: + - content: Kibana + name: product_name + /api/timeline: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/timeline
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete one or more Timelines or Timeline templates. + operationId: DeleteTimelines requestBody: content: application/json: examples: - PerformPromptsBulkActionRequest: + deleteByIds: + summary: Delete timelines by saved object id value: - create: - - content: Please verify the security settings. - name: New Security Prompt - promptType: system - delete: - ids: - - prompt1 - - prompt2 - update: - - content: Updated content for security prompt. - id: prompt123 + savedObjectIds: + - 15c1929b-0af7-42bd-85a8-56e234cc7c4e + deleteWithSearches: + summary: Delete Timelines and their linked saved searches + value: + savedObjectIds: + - 15c1929b-0af7-42bd-85a8-56e234cc7c4e + - 6ce1b592-84e3-4b4a-9552-f189d4b82075 + searchIds: + - 2c1b8f02-9ad6-4e33-8f6a-2c6b7d0a1f11 schema: type: object properties: - create: - description: List of prompts to be created. + savedObjectIds: + description: The list of IDs of the Timelines or Timeline templates to delete items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_PromptCreateProps + type: string + maxItems: 100 type: array - delete: - description: Criteria for deleting prompts in bulk. - type: object - properties: - ids: - description: Array of IDs to apply the action to. - example: - - '1234' - - '5678' - items: - type: string - minItems: 1 - type: array - query: - description: Query to filter the bulk action. - example: 'status: ''inactive''' - type: string - update: - description: List of prompts to be updated. + searchIds: + description: Saved search IDs that should be deleted alongside the timelines items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_PromptUpdateProps + type: string + maxItems: 100 type: array + required: + - savedObjectIds + description: The IDs of the Timelines or Timeline templates to delete. 
+ required: true responses: '200': content: application/json: examples: success: - value: - attributes: - errors: [] - results: - created: - - content: Please verify the security settings. - id: prompt6 - name: New Security Prompt - promptType: system - deleted: - - prompt2 - - prompt3 - skipped: - - id: prompt4 - name: Security Prompt - skip_reason: PROMPT_FIELD_NOT_MODIFIED - updated: - - content: Updated security settings prompt - id: prompt1 - name: Security Prompt - promptType: system - summary: - failed: 0 - skipped: 1 - succeeded: 4 - total: 5 - message: Bulk action completed successfully. - prompts_count: 5 - status_code: 200 - success: true - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_PromptsBulkCrudActionResponse - description: Indicates a successful call with the results of the bulk action. - '400': - content: - application/json: - examples: - PerformPromptsBulkActionResponse400Example: - value: - error: Bad Request - message: Invalid prompt ID or missing required fields. - statusCode: 400 + summary: Success + value: {} schema: + additionalProperties: true type: object - properties: - error: - description: A short error message. - example: Bad Request - type: string - message: - description: A detailed error message. - example: Invalid prompt ID or missing required fields. - type: string - statusCode: - description: The HTTP status code for the error. - example: 400 - type: number - description: Bad Request response. - summary: Apply a bulk action to prompts + description: Indicates a successful call. 
+ summary: Delete Timelines or Timeline templates tags: - - Security AI Assistant API - - Bulk API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request POST 'http://localhost:5601/api/security_ai_assistant/prompts/_bulk_action' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" \ - --data '{"delete":{"query":"name: test","ids":[]}}' - /api/security_ai_assistant/prompts/_find: + - Security Timeline API + x-metaTags: + - content: Kibana + name: product_name get: - description: >- - Get a list of all prompts based on optional filters, sorting, and - pagination. - operationId: FindPrompts + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/timeline
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the details of an existing saved Timeline or Timeline template. + operationId: GetTimeline parameters: - - description: List of specific fields to include in each returned prompt. - in: query - name: fields - required: false - schema: - example: - - id - - name - - content - items: - type: string - type: array - - description: Search query string to filter prompts by matching fields. + - description: The `savedObjectId` of the Timeline template to retrieve. in: query - name: filter - required: false + name: template_timeline_id schema: - example: error handling type: string - - description: Field to sort prompts by. - in: query - name: sort_field - required: false - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_FindPromptsSortField - - description: Sort order, either asc or desc. - in: query - name: sort_order - required: false - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' - - description: Page number for pagination. - in: query - name: page - required: false - schema: - default: 1 - example: 1 - minimum: 1 - type: integer - - description: Number of prompts per page. + - description: The `savedObjectId` of the Timeline to retrieve. in: query - name: per_page - required: false + name: id schema: - default: 20 - example: 20 - minimum: 0 - type: integer + type: string responses: '200': content: application/json: examples: - FindPromptsResponse200Example: + timelineDetail: + summary: Timeline detail value: - data: - - categories: - - troubleshooting - - logging - color: '#FF5733' - consumer: security - content: If you encounter an error, check the logs and retry. 
- createdAt: '2025-04-20T21:00:00Z' - createdBy: jdoe - id: prompt-123 - isDefault: true - isNewConversationDefault: false - name: Error Troubleshooting Prompt - namespace: default - promptType: standard - timestamp: '2025-04-30T22:30:00Z' - updatedAt: '2025-04-30T22:45:00Z' - updatedBy: jdoe - users: - - full_name: John Doe - username: jdoe - page: 1 - perPage: 20 - total: 142 + description: User-reported suspicious email + noteIds: [] + pinnedEventIds: [] + savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + status: active + timelineType: default + title: Phishing investigation + version: WzE0LDFd schema: - example: - data: - - categories: - - troubleshooting - - logging - color: '#FF5733' - consumer: security - content: If you encounter an error, check the logs and retry. - createdAt: '2025-04-20T21:00:00Z' - createdBy: jdoe - id: prompt-123 - isDefault: true - isNewConversationDefault: false - name: Error Troubleshooting Prompt - namespace: default - promptType: standard - timestamp: '2025-04-30T22:30:00Z' - updatedAt: '2025-04-30T22:45:00Z' - updatedBy: jdoe - users: - - full_name: John Doe - username: jdoe - page: 1 - perPage: 20 - total: 142 - type: object - properties: - data: - description: >- - The list of prompts returned based on the search query, - sorting, and pagination. - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_PromptResponse - type: array - page: - description: Current page number. - example: 1 - type: integer - perPage: - description: Number of prompts per page. - example: 20 - type: integer - total: - description: Total number of prompts matching the query. - example: 142 - type: integer - required: - - page - - perPage - - total - - data - description: Successful response containing a list of prompts. - '400': + $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' + description: Indicates a successful call. 
+ summary: Get Timeline or Timeline template details + tags: + - Security Timeline API + x-metaTags: + - content: Kibana + name: product_name + patch: + description: |- + **Spaces method and path for this operation:** + +
patch /s/{space_id}/api/timeline
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an existing Timeline. You can update the title, description, date range, pinned events, pinned queries, and/or pinned saved queries of an existing Timeline. + operationId: PatchTimeline + requestBody: + content: + application/json: + examples: + patchTitle: + summary: Update title + value: + timeline: + title: Escalated case review + timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + version: WzE0LDFd + schema: + type: object + properties: + timeline: + $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' + description: The timeline object of the Timeline or Timeline template that you’re updating. + timelineId: + description: The `savedObjectId` of the Timeline or Timeline template that you’re updating. + example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + nullable: true + type: string + version: + description: The version of the Timeline or Timeline template that you’re updating. + example: WzE0LDFd + nullable: true + type: string + required: + - timelineId + - version + - timeline + description: The Timeline updates, along with the Timeline ID and version. + required: true + responses: + '200': content: application/json: examples: - FindPromptsResponse400Example: + patched: + summary: Updated timeline value: - error: Bad Request - message: Invalid sort order value provided. - statusCode: 400 + savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + status: active + timelineType: default + title: Escalated case review + version: WzE1LDFd + schema: + $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' + description: Indicates a successful call. + '405': + content: + application/json: + examples: + error: + summary: Error body + value: + body: update timeline error + statusCode: 405 schema: type: object properties: - error: - description: Short error message. 
- example: Bad Request - type: string - message: - description: Detailed description of the error. - example: Invalid sort order value provided. + body: + description: The error message. + example: update timeline error type: string statusCode: - description: HTTP status code for the error. - example: 400 + example: 405 type: number - description: Bad request due to invalid parameters or malformed query. - summary: Get prompts + description: Indicates that the user does not have the required access to create a Timeline. + summary: Update a Timeline tags: - - Security AI Assistant API - - Prompts API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request GET 'http://localhost:5601/api/security_ai_assistant/prompts/_find?page=1&per_page=20' \ - --header "Authorization: $API_KEY" - /api/security/session/_invalidate: + - Security Timeline API + x-metaTags: + - content: Kibana + name: product_name post: - description: > - Invalidate user sessions that match a query. To use this API, you must - be a superuser. - operationId: post-security-session-invalidate - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/timeline
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new Timeline or Timeline template. + operationId: CreateTimelines requestBody: content: application/json: examples: - invalidateRequestExample1: - description: >- - Run `POST api/security/session/_invalidate` to invalidate all - existing sessions. - summary: Invalidate all sessions - value: |- - { - "match" : "all" - } - invalidateRequestExample2: - description: >- - Run `POST api/security/session/_invalidate` to invalidate - sessions that were created by any SAML authentication - provider. - summary: Invalidate all SAML sessions - value: |- - { - "match" : "query", - "query": { - "provider" : { "type": "saml" } - } - } - invalidateRequestExample3: - description: >- - Run `POST api/security/session/_invalidate` to invalidate - sessions that were created by the SAML authentication provider - named `saml1`. - summary: Invalidate sessions for a provider - value: |- - { - "match" : "query", - "query": { - "provider" : { "type": "saml", "name": "saml1" } - } - } - invalidateRequestExample4: - description: >- - Run `POST api/security/session/_invalidate` to invalidate - sessions that were created by any OpenID Connect - authentication provider for the user with the username - `user@my-oidc-sso.com`. - summary: Invalidate sessions for a user - value: |- - { - "match" : "query", - "query": { - "provider" : { "type": "oidc" }, - "username": "user@my-oidc-sso.com" - } - } + createDefault: + summary: Create a default timeline + value: + timeline: + status: active + timelineType: default + title: Malware containment schema: type: object properties: - match: - description: > - The method Kibana uses to determine which sessions to - invalidate. If it is `all`, all existing sessions will be - invalidated. If it is `query`, only the sessions that match - the query will be invalidated. 
- enum: - - all - - query + status: + $ref: '#/components/schemas/Security_Timeline_API_TimelineStatus' + nullable: true + templateTimelineId: + description: A unique identifier for the Timeline template. + example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 + nullable: true + type: string + templateTimelineVersion: + description: Timeline template version number. + example: 12 + nullable: true + type: number + timeline: + $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' + timelineId: + description: A unique identifier for the Timeline. + example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 + nullable: true + type: string + timelineType: + $ref: '#/components/schemas/Security_Timeline_API_TimelineType' + nullable: true + version: + nullable: true type: string - query: - description: > - The query that Kibana uses to match the sessions to - invalidate when the `match` parameter is set to `query`. - type: object - properties: - provider: - description: >- - The authentication providers that will have their user - sessions invalidated. - type: object - properties: - name: - description: The authentication provider name. - type: string - type: - description: > - The authentication provide type. For example: - `basic`, `token`, `saml`, `oidc`, `kerberos`, or - `pki`. - type: string - required: - - type - username: - description: The username that will have its sessions invalidated. - type: string - required: - - provider required: - - match + - timeline + description: The required Timeline fields used to create a new Timeline, along with optional fields that will be created if not provided. 
+ required: true responses: '200': content: application/json: + examples: + created: + summary: Created timeline + value: + savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + status: active + timelineType: default + title: Malware containment + version: WzE0LDFd + schema: + $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' + description: Indicates a successful call. + '405': + content: + application/json: + examples: + error: + summary: Error body + value: + body: update timeline error + statusCode: 405 schema: type: object properties: - total: - description: The number of sessions that were successfully invalidated. - type: integer - description: Indicates a successful call - '403': - description: >- - Indicates that the user may not be authorized to invalidate sessions - for other users. - summary: Invalidate user sessions + body: + description: The error message + example: update timeline error + type: string + statusCode: + example: 405 + type: number + description: Indicates that there was an error in the Timeline creation. + summary: Create a Timeline or Timeline template tags: - - user session - /api/short_url: + - Security Timeline API + x-metaTags: + - content: Kibana + name: product_name + /api/timeline/_copy: post: - description: > - Kibana URLs may be long and cumbersome, short URLs are much easier to - remember and share. + description: | + **Spaces method and path for this operation:** - Short URLs are created by specifying the locator ID and locator - parameters. When a short URL is resolved, the locator ID and locator - parameters are used to redirect user to the right Kibana page. - operationId: post-url +
post /s/{space_id}/api/timeline/_copy
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Copies and returns a timeline or timeline template. + operationId: CopyTimeline requestBody: content: application/json: examples: - createShortUrlRequest: - description: >- - Request a short URL that resolves to a dashboard with a preset - time range. - summary: Create a short URL for a dashboard locator + copyWithTitle: + summary: Copy with a new title value: - locatorId: DASHBOARD_APP_LOCATOR - params: - dashboardId: edf84fe0-e1a0-11e7-b6d5-4dc382ef7f5b - timeRange: - from: now-7d - to: now - slug: my-dashboard + timeline: + timelineType: default + title: Copy of investigation + timelineIdToCopy: 15c1929b-0af7-42bd-85a8-56e234cc7c4e schema: type: object properties: - humanReadableSlug: - description: > - When the `slug` parameter is omitted, the API will generate - a random human-readable slug if `humanReadableSlug` is set - to true. - type: boolean - locatorId: - description: The identifier for the locator. - type: string - params: - description: > - An object which contains all necessary parameters for the - given locator to resolve to a Kibana location. - - > warn - - > When you create a short URL, locator params are not - validated, which allows you to pass arbitrary and ill-formed - data into the API that can break Kibana. Make sure any data - that you send to the API is properly formed. - type: object - slug: - description: > - A custom short URL slug. The slug is the part of the short - URL that identifies it. You can provide a custom slug which - consists of latin alphabet letters, numbers, and `-._` - characters. The slug must be at least 3 characters long, but - no longer than 255 characters. + timeline: + $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' + timelineIdToCopy: + description: The `savedObjectId` of the timeline or template to duplicate. 
type: string required: - - locatorId - - params + - timeline + - timelineIdToCopy + description: Source timeline id to copy plus timeline fields for the new saved object. required: true responses: '200': content: application/json: examples: - createShortUrlResponse: - description: The created short URL record. - summary: Short URL created + copied: + summary: Newly saved timeline value: - accessCount: 0 - accessDate: 1767225600000 - createDate: 1767225600000 - id: c54b04f5d4b3aa3c - locator: - id: DASHBOARD_APP_LOCATOR - state: - dashboardId: edf84fe0-e1a0-11e7-b6d5-4dc382ef7f5b - timeRange: - from: now-7d - to: now - version: 9.4.0 - slug: my-dashboard + savedObjectId: 6ce1b592-84e3-4b4a-9552-f189d4b82075 + status: active + timelineType: default + title: Copy of investigation + version: WzE1LDFd schema: - $ref: '#/components/schemas/Short_URL_APIs_urlResponse' + $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' description: Indicates a successful call. - summary: Create a short URL + summary: Copies timeline or timeline template tags: - - short url - x-state: Technical Preview - /api/short_url/_slug/{slug}: + - Security Timeline API + x-metaTags: + - content: Kibana + name: product_name + /api/timeline/_draft: get: - description: | - Resolve a Kibana short URL by its slug. - operationId: resolve-url + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/timeline/_draft
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the details of the draft Timeline or Timeline template for the current user. If the user doesn't have a draft Timeline, an empty Timeline is returned. + operationId: GetDraftTimelines parameters: - - description: The slug of the short URL. - in: path - name: slug + - description: Which draft to load (`default` investigation timeline or `template` timeline template). + in: query + name: timelineType required: true schema: - type: string + $ref: '#/components/schemas/Security_Timeline_API_TimelineType' responses: '200': content: application/json: examples: - resolveShortUrlResponse: - description: The short URL record matching the given slug. - summary: Short URL resolved by slug + draftPayload: + summary: Draft timeline payload value: - accessCount: 12 - accessDate: 1767744000000 - createDate: 1767225600000 - id: c54b04f5d4b3aa3c - locator: - id: DASHBOARD_APP_LOCATOR - state: - dashboardId: edf84fe0-e1a0-11e7-b6d5-4dc382ef7f5b - timeRange: - from: now-7d - to: now - version: 9.4.0 - slug: my-dashboard + savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + status: draft + timelineType: default + title: '' + version: WzE0LDFd schema: - $ref: '#/components/schemas/Short_URL_APIs_urlResponse' - description: Indicates a successful call. - summary: Resolve a short URL - tags: - - short url - x-state: Technical Preview - /api/short_url/{id}: - delete: - description: | - Delete a Kibana short URL. - operationId: delete-url - parameters: - - $ref: '#/components/parameters/Short_URL_APIs_idParam' - responses: - '200': + $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' description: Indicates a successful call. 
- summary: Delete a short URL + '403': + content: + application/json: + examples: + forbidden: + summary: Permission denied + value: + message: Forbidden + status_code: 403 + schema: + type: object + properties: + message: + type: string + status_code: + type: number + description: If a draft Timeline was not found and we attempted to create one, it indicates that the user does not have the required permissions to create a draft Timeline. + '409': + content: + application/json: + examples: + conflict: + summary: Draft conflict + value: + message: Conflict + status_code: 409 + schema: + type: object + properties: + message: + type: string + status_code: + type: number + description: This should never happen, but if a draft Timeline was not found and we attempted to create one, it indicates that there is already a draft Timeline with the given `timelineId`. + summary: Get draft Timeline or Timeline template details tags: - - short url - x-state: Technical Preview - get: + - Security Timeline API + x-metaTags: + - content: Kibana + name: product_name + post: description: | - Get a single Kibana short URL. - operationId: get-url - parameters: - - $ref: '#/components/parameters/Short_URL_APIs_idParam' + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/timeline/_draft
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a clean draft Timeline or Timeline template for the current user. + > info + > If the user already has a draft Timeline, the existing draft Timeline is cleared and returned. + operationId: CleanDraftTimelines + requestBody: + content: + application/json: + examples: + defaultDraft: + summary: Create a default draft timeline + value: + timelineType: default + schema: + type: object + properties: + timelineType: + $ref: '#/components/schemas/Security_Timeline_API_TimelineType' + required: + - timelineType + description: The type of Timeline to create. Valid values are `default` and `template`. + required: true responses: '200': content: application/json: examples: - getShortUrlResponse: - description: The short URL record matching the given identifier. - summary: Short URL retrieved by ID + draftResponse: + summary: Draft after reset or creation value: - accessCount: 12 - accessDate: 1767744000000 - createDate: 1767225600000 - id: c54b04f5d4b3aa3c - locator: - id: DASHBOARD_APP_LOCATOR - state: - dashboardId: edf84fe0-e1a0-11e7-b6d5-4dc382ef7f5b - timeRange: - from: now-7d - to: now - version: 9.4.0 - slug: my-dashboard + savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + status: draft + templateTimelineId: null + templateTimelineVersion: null + timelineType: default + title: '' + version: WzE0LDFd schema: - $ref: '#/components/schemas/Short_URL_APIs_urlResponse' + $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' description: Indicates a successful call. - summary: Get a short URL + '403': + content: + application/json: + examples: + forbidden: + summary: Permission denied + value: + message: Forbidden + status_code: 403 + schema: + type: object + properties: + message: + type: string + status_code: + type: number + description: Indicates that the user does not have the required permissions to create a draft Timeline. 
+ '409': + content: + application/json: + examples: + conflict: + summary: Draft conflict + value: + message: Conflict + status_code: 409 + schema: + type: object + properties: + message: + type: string + status_code: + type: number + description: Indicates that there is already a draft Timeline with the given `timelineId`. + summary: Create a clean draft Timeline or Timeline template tags: - - short url - x-state: Technical Preview - /api/synthetics/monitor/test/{monitorId}: + - Security Timeline API + x-metaTags: + - content: Kibana + name: product_name + /api/timeline/_export: post: - description: > - Trigger an immediate test execution for the specified monitor. The - response includes the generated `testRunId`. If the test encounters - issues in one or more service locations, an `errors` array is also - returned with details about the failures. - operationId: post-synthetics-monitor-test + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/timeline/_export
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Export Timelines as an NDJSON file. + operationId: ExportTimelines parameters: - - description: The ID (config_id) of the monitor to test. - in: path - name: monitorId + - description: The name of the file to export + in: query + name: file_name required: true schema: type: string + requestBody: + content: + application/json: + examples: + exportIds: + summary: Export by timeline ids + value: + ids: + - 15c1929b-0af7-42bd-85a8-56e234cc7c4e + schema: + type: object + properties: + ids: + items: + type: string + maxItems: 1000 + minItems: 1 + nullable: true + type: array + description: The IDs of the Timelines to export. + required: true responses: '200': content: - application/json: + application/ndjson: examples: - testNowMonitorResponseExample1: - value: |- - { - "testRunId": "2bd506e5-4f9a-4aa6-a019-7988500afba0", - "errors": [ - { - "locationId": "us_central_staging", - "error": { - "status": 401, - "reason": "no auth credentials provided", - "failed_monitors": null - } - } - ] - } + ndjsonLine: + summary: Single NDJSON line + value: '{"savedObjectId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e","version":"WzE0LDFd","title":"Investigation","timelineType":"default"}' + schema: + description: NDJSON of the exported Timelines + type: string + description: Indicates a successful call. + '400': + content: + application/ndjson: + examples: + badRequest: + summary: Export error + value: + body: Export limit exceeded + statusCode: 400 schema: type: object properties: - errors: - description: >- - Array of errors encountered while triggering the test, one - per service location. - items: - type: object - properties: - error: - type: object - properties: - failed_monitors: - description: >- - Optional list of monitors that failed at the - location. - items: - type: object - nullable: true - type: array - reason: - description: Human-readable explanation of the failure. 
- type: string - status: - description: HTTP status code returned by the agent. - type: integer - required: - - status - - reason - - failed_monitors - locationId: - description: >- - Identifier of the service location where the error - occurred. - type: string - required: - - locationId - - error - type: array - testRunId: - description: Unique identifier for the triggered test run. + body: type: string - required: - - testRunId - description: Test run triggered successfully. - '404': - description: Monitor not found. - summary: Trigger an on-demand test run for a monitor + statusCode: + type: number + description: Bad Request response. + summary: Export Timelines tags: - - synthetics - x-state: Generally available; added in 9.2.0 - /api/synthetics/monitors: - get: - description: > - Get a list of monitors. + - Security Timeline API + x-metaTags: + - content: Kibana + name: product_name + /api/timeline/_favorite: + patch: + description: |- + **Spaces method and path for this operation:** - You must have `read` privileges for the Synthetics feature in the - Observability section of the Kibana feature privileges. - operationId: get-synthetic-monitors - parameters: - - description: Additional filtering criteria. - in: query - name: filter - schema: - type: string - - description: The locations to filter by. - in: query - name: locations - schema: - oneOf: - - type: string - - items: - type: string - type: array - - description: The monitor types to filter. - in: query - name: monitorTypes - schema: - oneOf: - - enum: - - browser - - http - - icmp - - tcp - type: string - - items: - enum: - - browser - - http - - icmp - - tcp - type: string - type: array - - description: The page number for paginated results. - in: query - name: page - schema: - type: integer - - description: The number of items to return per page. - in: query - name: per_page - schema: - type: integer - - description: The projects to filter by. 
- in: query - name: projects - schema: - oneOf: - - type: string - - items: - type: string - type: array - - description: A free-text query string. - in: query - name: query - schema: - type: string - - description: The schedules to filter by. - in: query - name: schedules - schema: - oneOf: - - items: - type: string - type: array - - type: string - - description: The field to sort the results by. - in: query - name: sortField - schema: - enum: - - name - - createdAt - - updatedAt - - status - type: string - - description: The sort order. - in: query - name: sortOrder - schema: - enum: - - asc - - desc - type: string - - description: The status to filter by. - in: query - name: status - schema: - oneOf: - - items: - type: string - type: array - - type: string - - description: Tags to filter monitors. - in: query - name: tags - schema: - oneOf: - - type: string - - items: +
patch /s/{space_id}/api/timeline/_favorite
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Favorite a Timeline or Timeline template for the current user. + operationId: PersistFavoriteRoute + requestBody: + content: + application/json: + examples: + favoriteDefault: + summary: Favorite a default timeline + value: + templateTimelineId: null + templateTimelineVersion: null + timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + timelineType: default + schema: + type: object + properties: + templateTimelineId: + nullable: true type: string - type: array - - description: > - Specifies whether to apply logical AND filtering for specific - fields. Accepts either a string with values "tags" or "locations" or - an array containing both. - in: query - name: useLogicalAndFor - schema: - oneOf: - - enum: - - tags - - locations - type: string - - items: - enum: - - tags - - locations + templateTimelineVersion: + nullable: true + type: number + timelineId: + nullable: true type: string - type: array + timelineType: + $ref: '#/components/schemas/Security_Timeline_API_TimelineType' + nullable: true + required: + - timelineId + - templateTimelineId + - templateTimelineVersion + - timelineType + description: The required fields used to favorite a (template) Timeline. + required: true responses: '200': content: application/json: examples: - getSyntheticMonitorsResponseExample1: - description: >- - A successful response from `GET - /api/synthetics/monitors?tags=prod&monitorTypes=http&locations=us-east-1&projects=project1&status=up`. 
- value: |- - { - "page": 1, - "total": 24, - "monitors": [ - { - "type": "icmp", - "enabled": false, - "alert": { - "status": { - "enabled": true - }, - "tls": { - "enabled": true - } - }, - "schedule": { - "number": "3", - "unit": "m" - }, - "config_id": "e59142e5-1fe3-4aae-b0b0-19d6345e65a1", - "timeout": "16", - "name": "8.8.8.8:80", - "locations": [ - { - "id": "us_central", - "label": "North America - US Central", - "geo": { - "lat": 41.25, - "lon": -95.86 - }, - "isServiceManaged": true - } - ], - "namespace": "default", - "origin": "ui", - "id": "e59142e5-1fe3-4aae-b0b0-19d6345e65a1", - "max_attempts": 2, - "wait": "7", - "revision": 3, - "mode": "all", - "ipv4": true, - "ipv6": true, - "created_at": "2023-11-07T09:57:04.152Z", - "updated_at": "2023-12-04T19:19:34.039Z", - "host": "8.8.8.8:80" - } - ], - "absoluteTotal": 24, - "perPage": 10, - } + favoriteResponse: + summary: Favorite metadata updated + value: + favorite: + - favoriteDate: 1741337636741 + userName: elastic + savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + timelineType: default + version: WzE2LDFd + schema: + $ref: '#/components/schemas/Security_Timeline_API_FavoriteTimelineResponse' + description: Indicates a successful call. + '403': + content: + application/json: + examples: + forbidden: + summary: Forbidden + value: + body: Forbidden + statusCode: 403 schema: type: object - description: A successful response. - summary: Get monitors + properties: + body: + type: string + statusCode: + type: number + description: Indicates the user does not have the required permissions to persist the favorite status. + summary: Favorite a Timeline or Timeline template tags: - - synthetics + - Security Timeline API + x-metaTags: + - content: Kibana + name: product_name + /api/timeline/_import: post: - description: > - Create a new monitor with the specified attributes. A monitor can be one - of the following types: HTTP, TCP, ICMP, or Browser. 
The required and - default fields may vary based on the monitor type. + description: |- + **Spaces method and path for this operation:** - You must have `all` privileges for the Synthetics feature in the - Observability section of the Kibana feature privileges. - operationId: post-synthetic-monitors +
post /s/{space_id}/api/timeline/_import
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Import Timelines. + operationId: ImportTimelines requestBody: content: application/json: examples: - postSyntheticMonitorsRequestExample1: - description: Create an HTTP monitor to check a website's availability. - summary: HTTP monitor - value: |- - { - "type": "http", - "name": "Website Availability", - "url": "https://example.com", - "tags": ["website", "availability"], - "locations": ["united_kingdom"] - } - postSyntheticMonitorsRequestExample2: - description: Create a TCP monitor to monitor a server's availability. - summary: TCP monitor - value: |- - { - "type": "tcp", - "name": "Server Availability", - "host": "example.com", - "private_locations": ["my_private_location"] - } - postSyntheticMonitorsRequestExample3: - description: Create an ICMP monitor to perform ping checks. - summary: ICMP monitor - value: |- - { - "type": "icmp", - "name": "Ping Test", - "host": "example.com", - "locations": ["united_kingdom"] - } - postSyntheticMonitorsRequestExample4: - description: Create a browser monitor to check a website. - summary: Browser monitor - value: |- - { - "type": "browser", - "name": "Example journey", - "inline_script": "step('Go to https://google.com.co', () => page.goto('https://www.google.com'))", - "locations": ["united_kingdom"] - } + multipartPlaceholder: + summary: Request shape (file is a stream of NDJSON lines at runtime) + value: + file: '{"savedObjectId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e","version":"WzE0LDFd"}\n' + isImmutable: 'false' schema: - description: > - The request body should contain the attributes of the monitor - you want to create. The required and default fields differ - depending on the monitor type. 
- discriminator: - propertyName: type - oneOf: - - $ref: '#/components/schemas/Synthetics_browserMonitorFields' - - $ref: '#/components/schemas/Synthetics_httpMonitorFields' - - $ref: '#/components/schemas/Synthetics_icmpMonitorFields' - - $ref: '#/components/schemas/Synthetics_tcpMonitorFields' + type: object + properties: + file: {} + isImmutable: + description: Whether the Timeline should be immutable + enum: + - 'true' + - 'false' + type: string + required: + - file + description: The Timelines to import as a readable stream. required: true responses: '200': content: application/json: examples: - postSyntheticMonitorsResponseWithWarning: - description: >- - A response when a browser monitor specifies a timeout but - has no private locations. - summary: Response with warning - value: |- - { - "type": "browser", - "name": "Example journey", - "enabled": true, - "warnings": [ - { - "id": "monitor-id", - "message": "For browser monitors, timeout is only supported on private locations. Browser monitor \"Example journey\" specifies a timeout and is running on public locations: \"public-1, public-2\". The timeout will have no effect on these locations.", - "publicLocationIds": ["public-1", "public-2"] - } - ] - } + importSummary: + summary: Import summary + value: + errors: [] + success: true + success_count: 5 + timelines_installed: 3 + timelines_updated: 2 + schema: + $ref: '#/components/schemas/Security_Timeline_API_ImportTimelineResult' + description: Indicates a successful call. + '400': + content: + application/json: + examples: + badRequest: + summary: Invalid import + value: + body: Invalid file extension + statusCode: 400 schema: type: object properties: - warnings: - description: > - An optional array of warnings about the monitor - configuration. - items: - $ref: '#/components/schemas/Synthetics_monitorWarning' - type: array - description: > - A successful response. 
The response may include a `warnings` array - when the monitor configuration has non-critical issues. For example, - if a browser monitor specifies a timeout but has no private - locations configured, a warning is returned indicating the timeout - will have no effect. - '400': + body: + description: The error message + example: Invalid file extension + type: string + statusCode: + example: 400 + type: number + description: Bad Request response. + '404': content: application/json: examples: - invalidBrowserTimeout: - description: >- - A 400 error when a browser monitor timeout is below 30 - seconds. - summary: Invalid browser timeout - value: |- - { - "statusCode": 400, - "error": "Bad Request", - "message": "Browser Monitor timeout is invalid", - "attributes": { - "details": "Invalid timeout 20 seconds supplied. Minimum timeout for browser monitors is 30 seconds." - } - } + notFound: + summary: Saved objects client missing + value: + body: Unable to find saved object client + statusCode: 404 schema: type: object properties: - attributes: - type: object - properties: - details: - example: >- - Invalid timeout 20 seconds supplied. Minimum timeout - for browser monitors is 30 seconds. - type: string - error: - example: Bad Request + body: + description: The error message + example: Unable to find saved object client type: string - message: - example: Browser Monitor timeout is invalid + statusCode: + example: 404 + type: number + description: Not found response. + '409': + content: + application/json: + examples: + conflict: + summary: Import conflict + value: + body: Could not import timelines + statusCode: 409 + schema: + type: object + properties: + body: + description: The error message + example: Could not import timelines type: string statusCode: - example: 400 - type: integer - description: > - Bad request. For browser monitors, a 400 error is returned if the - timeout is less than 30 seconds. 
- summary: Create a monitor + example: 409 + type: number + description: Indicates the import of Timelines was unsuccessful. + summary: Import Timelines tags: - - synthetics - /api/synthetics/monitors/_bulk_delete: + - Security Timeline API + x-metaTags: + - content: Kibana + name: product_name + /api/timeline/_prepackaged: post: - description: | - Delete multiple monitors by sending a list of config IDs. - operationId: delete-synthetic-monitors + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/timeline/_prepackaged
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Install or update prepackaged Timelines. + operationId: InstallPrepackedTimelines requestBody: content: application/json: examples: - bulkDeleteRequestExample1: - description: >- - Run `POST /api/synthetics/monitors/_bulk_delete` to delete a - list of monitors. - value: |- - { - "ids": [ - "monitor1-id", - "monitor2-id" - ] - } + emptyArrays: + summary: Installer payload shape + value: + prepackagedTimelines: [] + timelinesToInstall: [] + timelinesToUpdate: [] schema: type: object properties: - ids: - description: An array of monitor IDs to delete. + prepackagedTimelines: items: - type: string + $ref: '#/components/schemas/Security_Timeline_API_TimelineSavedToReturnObject' + nullable: true + type: array + timelinesToInstall: + items: + $ref: '#/components/schemas/Security_Timeline_API_ImportTimelines' + nullable: true + type: array + timelinesToUpdate: + items: + $ref: '#/components/schemas/Security_Timeline_API_ImportTimelines' + nullable: true type: array required: - - ids + - timelinesToInstall + - timelinesToUpdate + - prepackagedTimelines + description: The Timelines to install or update. required: true responses: '200': content: application/json: examples: - deleteMonitorsResponseExample1: - description: A response from successfully deleting multiple monitors. - value: |- - [ - { - "id": "monitor1-id", - "deleted": true - }, - { - "id": "monitor2-id", - "deleted": true - } - ] + installResult: + summary: Install result counts + value: + errors: [] + success: true + success_count: 10 + timelines_installed: 8 + timelines_updated: 2 schema: - items: - description: >- - The API response includes information about the deleted - monitors. - type: object - properties: - deleted: - description: > - If it is `true`, the monitor was successfully deleted If - it is `false`, the monitor was not deleted. 
- type: boolean - ids: - description: The unique identifier of the deleted monitor. - type: string - type: array - description: A successful response. - summary: Delete monitors + $ref: '#/components/schemas/Security_Timeline_API_ImportTimelineResult' + description: Indicates a successful call. + '500': + content: + application/json: + examples: + serverError: + summary: Server error + value: + body: Internal error + statusCode: 500 + schema: + type: object + properties: + body: + type: string + statusCode: + type: number + description: Indicates the installation of prepackaged Timelines was unsuccessful. + summary: Install prepackaged Timelines tags: - - synthetics - /api/synthetics/monitors/{id}: - delete: - description: > - Delete a monitor from the Synthetics app. + - Security Timeline API + x-metaTags: + - content: Kibana + name: product_name + /api/timeline/resolve: + get: + description: |- + **Spaces method and path for this operation:** - You must have `all` privileges for the Synthetics feature in the - Observability section of the Kibana feature privileges. - operationId: delete-synthetic-monitor +
get /s/{space_id}/api/timeline/resolve
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Resolve a Timeline or Timeline template, surfacing outcomes such as `exactMatch`, `aliasMatch`, or `conflict` when object IDs have been remapped during upgrades or imports. Provide **either** `id` for default Timelines or `template_timeline_id` for templates. + operationId: ResolveTimeline parameters: - - description: The identifier for the monitor that you want to delete. - in: path - name: id - required: true + - description: The ID of the template timeline to resolve + in: query + name: template_timeline_id schema: type: string - responses: - '200': - description: OK - summary: Delete a monitor - tags: - - synthetics - get: - operationId: get-synthetic-monitor - parameters: - - description: The ID of the monitor. - in: path + - description: The ID of the timeline to resolve + in: query name: id - required: true schema: type: string responses: 
@@ -44477,2063 +68972,2842 @@ paths: content: application/json: examples: - getSyntheticMonitorResponseExample1: - description: >- - A successful response from `GET - /api/synthetics/monitors/`. - value: |- - { - "type": "http", - "enabled": true, - "alert": { - "status": { - "enabled": true - }, - "tls": { - "enabled": true - } - }, - "schedule": { - "number": "3", - "unit": "m" - }, - "config_id": "a8188705-d01e-4bb6-87a1-64fa5e4b07ec", - "timeout": "16", - "name": "am i something", - "locations": [ - { - "id": "us_central", - "label": "North America - US Central", - "geo": { - "lat": 41.25, - "lon": -95.86 - }, - "isServiceManaged": true - } - ], - "namespace": "default", - "origin": "ui", - "id": "a8188705-d01e-4bb6-87a1-64fa5e4b07ec", - "max_attempts": 2, - "__ui": { - "is_tls_enabled": false - }, - "max_redirects": "0", - "response.include_body": "on_error", - "response.include_headers": true, - "check.request.method": "GET", - "mode": "any", - "response.include_body_max_bytes": "1024", - "ipv4": true, - "ipv6": true, - "ssl.verification_mode": "full", - "ssl.supported_protocols": [ - "TLSv1.1", - "TLSv1.2", - "TLSv1.3" - ], - "revision": 13, - "created_at": "2023-11-08T08:45:29.334Z", - "updated_at": "2023-12-18T20:31:44.770Z", - "url": "https://fast.com" - } + exactMatch: + description: Timeline resolved without alias or conflict + summary: Exact match outcome + value: + outcome: exactMatch + timeline: + savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + timelineType: default + title: Investigation + schema: + $ref: '#/components/schemas/Security_Timeline_API_ResolvedTimeline' + description: Indicates a successful call. + '400': + content: + application/json: + examples: + badRequest: + summary: Bad request + value: {} schema: + additionalProperties: true type: object - description: A successful response. + description: Bad Request response. '404': - description: If the monitor is not found, the API returns a 404 error. 
- summary: Get a monitor + content: + application/json: + examples: + notFound: + summary: Not found + value: {} + schema: + additionalProperties: true + type: object + description: The (template) Timeline was not found + summary: Resolve a Timeline or Timeline template tags: - - synthetics - put: - description: > - Update a monitor with the specified attributes. The required and default - fields may vary based on the monitor type. + - Security Timeline API + x-metaTags: + - content: Kibana + name: product_name + /api/timelines: + get: + description: |- + **Spaces method and path for this operation:** - You must have `all` privileges for the Synthetics feature in the - Observability section of the Kibana feature privileges. +
get /s/{space_id}/api/timelines
- You can also partially update a monitor. This will only update the - fields that are specified in the request body. All other fields are left - unchanged. The specified fields should conform to the monitor type. For - example, you can't update the `inline_scipt` field of a HTTP monitor. - operationId: put-synthetic-monitor + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all saved Timelines or Timeline templates. + operationId: GetTimelines parameters: - - description: The identifier for the monitor that you want to update. - in: path - name: id - required: true + - description: If `true`, only Timelines that the current user has marked as favorite are returned. + in: query + name: only_user_favorite + schema: + enum: + - 'true' + - 'false' + nullable: true + type: string + - description: Restrict results to `default` investigation timelines or `template` timeline templates. + in: query + name: timeline_type + schema: + $ref: '#/components/schemas/Security_Timeline_API_TimelineType' + nullable: true + - description: Field used to sort the list (`title`, `description`, `updated`, or `created`). + in: query + name: sort_field + schema: + $ref: '#/components/schemas/Security_Timeline_API_SortFieldTimeline' + - description: Whether to sort the results `ascending` or `descending` + in: query + name: sort_order schema: + enum: + - asc + - desc type: string - requestBody: - content: - application/json: - examples: - putSyntheticMonitorsRequestExample1: - description: Update an HTTP monitor that checks a website's availability. - summary: HTTP monitor - value: |- - { - "type": "http", - "name": "Website Availability", - "url": "https://example.com", - "tags": ["website", "availability"], - "locations": ["united_kingdom"] - } - putSyntheticMonitorsRequestExample2: - description: Update a TCP monitor that monitors a server's availability. 
- summary: TCP monitor - value: |- - { - "type": "tcp", - "name": "Server Availability", - "host": "example.com", - "private_locations": ["my_private_location"] - } - putSyntheticMonitorsRequestExample3: - description: Update an ICMP monitor that performs ping checks. - summary: ICMP monitor - value: |- - { - "type": "icmp", - "name": "Ping Test", - "host": "example.com", - "locations": ["united_kingdom"] - } - putSyntheticMonitorsRequestExample4: - description: Update a browser monitor that checks a website. - summary: Browser monitor - value: |- - { - "type": "browser", - "name": "Example journey", - "inline_script": "step('Go to https://google.com.co', () => page.goto('https://www.google.com'))", - "locations": ["united_kingdom"] - } - schema: - description: > - The request body should contain the attributes of the monitor - you want to update. The required and default fields differ - depending on the monitor type. - discriminator: - propertyName: type - oneOf: - - $ref: '#/components/schemas/Synthetics_browserMonitorFields' - - $ref: '#/components/schemas/Synthetics_httpMonitorFields' - - $ref: '#/components/schemas/Synthetics_icmpMonitorFields' - - $ref: '#/components/schemas/Synthetics_tcpMonitorFields' - type: object - required: true + - description: How many results should returned at once + in: query + name: page_size + schema: + nullable: true + type: string + - description: How many pages should be skipped + in: query + name: page_index + schema: + nullable: true + type: string + - description: Allows to search for timelines by their title + in: query + name: search + schema: + nullable: true + type: string + - description: Filter by timeline lifecycle state (`active`, `draft`, or `immutable`). 
+ in: query + name: status + schema: + $ref: '#/components/schemas/Security_Timeline_API_TimelineStatus' + nullable: true responses: '200': content: application/json: examples: - putSyntheticMonitorResponseWithWarning: - description: >- - A response when a browser monitor specifies a timeout but - has no private locations. - summary: Response with warning - value: |- - { - "type": "browser", - "name": "Example journey", - "enabled": true, - "warnings": [ - { - "id": "monitor-id", - "message": "For browser monitors, timeout is only supported on private locations. Browser monitor \"Example journey\" specifies a timeout and is running on public locations: \"public-1, public-2\". The timeout will have no effect on these locations.", - "publicLocationIds": ["public-1", "public-2"] - } - ] - } + timelineList: + summary: Example list response + value: + customTemplateTimelineCount: 0 + defaultTimelineCount: 1 + elasticTemplateTimelineCount: 0 + favoriteCount: 0 + templateTimelineCount: 0 + timeline: + - savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + status: active + timelineType: default + title: Phishing investigation + updated: 1741344876825 + version: WzE0LDFd + totalCount: 1 schema: type: object properties: - warnings: - description: > - An optional array of warnings about the monitor - configuration. 
+ customTemplateTimelineCount: + description: The amount of custom Timeline templates in the results + example: 2 + type: number + defaultTimelineCount: + description: The amount of `default` type Timelines in the results + example: 90 + type: number + elasticTemplateTimelineCount: + description: The amount of Elastic's Timeline templates in the results + example: 8 + type: number + favoriteCount: + description: The amount of favorited Timelines + example: 5 + type: number + templateTimelineCount: + description: The amount of Timeline templates in the results + example: 10 + type: number + timeline: items: - $ref: '#/components/schemas/Synthetics_monitorWarning' + $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' type: array - description: > - A successful response. The response may include a `warnings` array - when the monitor configuration has non-critical issues. + totalCount: + description: The total amount of results + example: 100 + type: number + required: + - timeline + - totalCount + description: Indicates a successful call. '400': - description: > - Bad request. For browser monitors, a 400 error is returned if the - timeout is less than 30 seconds. - summary: Update a monitor + content: + application/json: + examples: + badRequest: + summary: Error response body + value: + body: get timeline error + statusCode: 400 + schema: + type: object + properties: + body: + description: The error message. + example: get timeline error + type: string + statusCode: + example: 400 + type: number + description: Bad Request response. + summary: Get Timelines or Timeline templates tags: - - synthetics - /api/synthetics/params: + - Security Timeline API + x-metaTags: + - content: Kibana + name: product_name + /api/upgrade_assistant/status: get: - description: > - Get a list of all parameters. You must have `read` privileges for the - Synthetics feature in the Observability section of the Kibana feature - privileges. 
- operationId: get-parameters + description: Check the status of your cluster. + operationId: get-upgrade-status responses: '200': content: application/json: examples: - getParametersResponseExample1: - description: >- - A successful response for a user with read-only permissions - to get a list of parameters. - summary: Read access - value: |- - [ - { - "id": "param1-id", - "key": "param1", - "description": "Description for param1", - "tags": ["tag1", "tag2"], - "namespaces": ["namespace1"] - }, - { - "id": "param2-id", - "key": "param2", - "description": "Description for param2", - "tags": ["tag3"], - "namespaces": ["namespace2"] - } - ] - getParametersResponseExample2: - description: >- - A successful response for a user with write permissions to - get a list of parameters. - summary: Write access + getUpgradeStatusResponseExample1: value: |- - [ - { - "id": "param1-id", - "key": "param1", - "description": "Description for param1", - "tags": ["tag1", "tag2"], - "namespaces": ["namespace1"], - "value": "value1" - }, - { - "id": "param2-id", - "key": "param2", - "description": "Description for param2", - "tags": ["tag3"], - "namespaces": ["namespace2"], - "value": "value2" - } - ] - schema: - items: - $ref: '#/components/schemas/Synthetics_getParameterResponse' - type: array - description: A successful response. - summary: Get parameters - tags: - - synthetics - post: - description: > - Add one or more parameters to the Synthetics app. - - You must have `all` privileges for the Synthetics feature in the - Observability section of the Kibana feature privileges. - operationId: post-parameters - requestBody: - content: - application/json: - examples: - postParametersRequestExample1: - description: Add a single parameter. 
- summary: Single parameter - value: |- - { - "key": "your-key-name", - "value": "your-parameter-value", - "description": "Param to use in browser monitor", - "tags": ["authentication", "security"], - "share_across_spaces": true - } - postParametersRequestExample2: - description: Add multiple parameters. - summary: Multiple parameters - value: |- - [ - { - "key": "param1", - "value": "value1" - }, { - "key": "param2", - "value": "value2" + "readyForUpgrade": false, + "cluster": [ + { + "message": "Cluster deprecated issue", + "details":"You have 2 system indices that must be migrated and 5 Elasticsearch deprecation issues and 0 Kibana deprecation issues that must be resolved before upgrading." + } + ] } - ] - schema: - oneOf: - - items: - $ref: '#/components/schemas/Synthetics_parameterRequest' - type: array - - $ref: '#/components/schemas/Synthetics_parameterRequest' - description: >- - The request body can contain either a single parameter object or an - array of parameter objects. - required: true + description: Indicates a successful call. + summary: Get the upgrade readiness status + tags: + - upgrade + x-state: Technical Preview + x-metaTags: + - content: Kibana + name: product_name + /api/uptime/settings: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/uptime/settings
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + You must have `read` privileges for the uptime feature in the Observability section of the Kibana feature privileges. + operationId: get-uptime-settings responses: '200': content: application/json: examples: - postParametersResponseExample1: - description: A successful response for a single added parameter. - summary: Single parameter + getUptimeSettingsResponseExample1: value: |- { - "id": "unique-parameter-id", - "key": "your-key-name", - "value": "your-param-value", - "description": "Param to use in browser monitor", - "tags": ["authentication", "security"], - "share_across_spaces": true - } - postParametersResponseExample2: - description: A successful response for multiple added parameters. - summary: Multiple parameters - value: |- - [ - { - "id": "param1-id", - "key": "param1", - "value": "value1" - }, - { - "id": "param2-id", - "key": "param2", - "value": "value2" + "heartbeatIndices": "heartbeat-8*", + "certExpirationThreshold": 30, + "certAgeThreshold": 730, + "defaultConnectors": [ + "08990f40-09c5-11ee-97ae-912b222b13d4", + "db25f830-2318-11ee-9391-6b0c030836d6" + ], + "defaultEmail": { + "to": [], + "cc": [], + "bcc": [] } - ] + } schema: - oneOf: - - items: - $ref: '#/components/schemas/Synthetics_postParameterResponse' - type: array - - $ref: '#/components/schemas/Synthetics_postParameterResponse' - description: A successful response. - summary: Add parameters + type: object + description: Indicates a successful call + summary: Get uptime settings tags: - - synthetics - /api/synthetics/params/_bulk_delete: - post: - description: > - Delete parameters from the Synthetics app. + - uptime + x-metaTags: + - content: Kibana + name: product_name + put: + description: | + **Spaces method and path for this operation:** - You must have `all` privileges for the Synthetics feature in the - Observability section of the Kibana feature privileges. 
- operationId: delete-parameters +
put /s/{space_id}/api/uptime/settings
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update uptime setting attributes like `heartbeatIndices`, `certExpirationThreshold`, `certAgeThreshold`, `defaultConnectors`, or `defaultEmail`. You must have `all` privileges for the uptime feature in the Observability section of the Kibana feature privileges. A partial update is supported, provided settings keys will be merged with existing settings. + operationId: put-uptime-settings requestBody: content: application/json: examples: - deleteParametersRequestExample1: - description: >- - Run `POST /api/synthetics/params/_bulk_delete` to delete - multiple parameters. + putUptimeSettingsRequestExample1: + description: Run `PUT api/uptime/settings` to update multiple Uptime settings. + summary: Update multiple settings value: |- { - "ids": ["param1-id", "param2-id"] + "heartbeatIndices": "heartbeat-8*", + "certExpirationThreshold": 30, + "certAgeThreshold": 730, + "defaultConnectors": [ + "08990f40-09c5-11ee-97ae-912b222b13d4", + "db25f830-2318-11ee-9391-6b0c030836d6" + ], + "defaultEmail": { + "to": [], + "cc": [], + "bcc": [] + } + } + putUptimeSettingsRequestExample2: + description: Run `PUT api/uptime/settings` to update a single Uptime setting. + summary: Update a setting + value: |- + { + "heartbeatIndices": "heartbeat-8*", } schema: type: object properties: - ids: - description: An array of parameter IDs to delete. + certAgeThreshold: + default: 730 + description: The number of days after a certificate is created to trigger an alert. + type: number + certExpirationThreshold: + default: 30 + description: The number of days before a certificate expires to trigger an alert. + type: number + defaultConnectors: + default: [] + description: A list of connector IDs to be used as default connectors for new alerts. items: type: string type: array - required: true + defaultEmail: + description: | + The default email configuration for new alerts. 
+ type: object + properties: + bcc: + default: [] + items: + type: string + type: array + cc: + default: [] + items: + type: string + type: array + to: + default: [] + items: + type: string + type: array + heartbeatIndices: + default: heartbeat-* + description: | + An index pattern string to be used within the Uptime app and alerts to query Heartbeat data. + type: string responses: '200': content: application/json: examples: - deleteParametersResponseExample1: + putUptimeSettingsResponseExample1: + description: A successful response from `PUT api/uptime/settings`. value: |- - [ - { - "id": "param1-id", - "deleted": true - } - ] + { + "heartbeatIndices": "heartbeat-8*", + "certExpirationThreshold": 30, + "certAgeThreshold": 730, + "defaultConnectors": [ + "08990f40-09c5-11ee-97ae-912b222b13d4", + "db25f830-2318-11ee-9391-6b0c030836d6" + ], + "defaultEmail": { + "to": [], + "cc": [], + "bcc": [] + } + } schema: - items: - type: object - properties: - deleted: - description: > - Indicates whether the parameter was successfully - deleted. It is `true` if it was deleted. It is `false` - if it was not deleted. - type: boolean - id: - description: The unique identifier for the deleted parameter. - type: string - type: array - description: A successful response. - summary: Delete parameters + type: object + description: Indicates a successful call + summary: Update uptime settings tags: - - synthetics - /api/synthetics/params/{id}: - delete: - description: > - Delete a parameter from the Synthetics app. - - You must have `all` privileges for the Synthetics feature in the - Observability section of the Kibana feature privileges. - operationId: delete-parameter - parameters: - - description: The ID for the parameter to delete. 
- in: path - name: id - required: true - schema: - type: string + - uptime + x-metaTags: + - content: Kibana + name: product_name + /api/visualizations: + get: + tags: + - Visualizations + summary: Get visualizations + operationId: get-visualizations-redirect + description: | + > **Technical preview** — The Visualizations API is currently in technical preview and its full reference documentation is temporarily hosted at a separate location. + > + > **[View the full Visualizations API reference →](https://elastic.github.io/dashboards-api-spec/visualizations#tag/Visualizations)** responses: '200': - description: OK - summary: Delete a parameter + description: See the full Visualizations API reference for detailed response schemas. + post: tags: - - synthetics - get: - description: > - Get a parameter from the Synthetics app. - - You must have `read` privileges for the Synthetics feature in the - Observability section of the Kibana feature privileges. - operationId: get-parameter - parameters: - - description: The unique identifier for the parameter. - in: path - name: id - required: true - schema: - type: string + - Visualizations + summary: Create a visualization + operationId: create-visualization-redirect + description: | + > **Technical preview** — The Visualizations API is currently in technical preview and its full reference documentation is temporarily hosted at a separate location. + > + > **[View the full Visualizations API reference →](https://elastic.github.io/dashboards-api-spec/visualizations#tag/Visualizations)** responses: '200': - content: - application/json: - examples: - getParameterResponseExample1: - description: >- - A successful response for a user with read-only permissions - to get a single parameter. 
- summary: Read access - value: |- - { - "id": "unique-parameter-id", - "key": "your-api-key", - "description": "Param to use in browser monitor", - "tags": ["authentication", "security"], - "namespaces": ["namespace1", "namespace2"] - } - getParameterResponseExample2: - description: >- - A successful response for a user with write permissions to - get a single parameter. - summary: Write access - value: |- - { - "id": "unique-parameter-id", - "key": "your-param-key", - "description": "Param to use in browser monitor", - "tags": ["authentication", "security"], - "namespaces": ["namespace1", "namespace2"], - "value": "your-param-value" - } - schema: - $ref: '#/components/schemas/Synthetics_getParameterResponse' - description: A successful response. - summary: Get a parameter + description: See the full Visualizations API reference for detailed response schemas. + /api/visualizations/{id}: + get: tags: - - synthetics + - Visualizations + summary: Get a visualization + operationId: get-visualization-redirect + description: | + > **Technical preview** — The Visualizations API is currently in technical preview and its full reference documentation is temporarily hosted at a separate location. + > + > **[View the full Visualizations API reference →](https://elastic.github.io/dashboards-api-spec/visualizations#tag/Visualizations)** + responses: + '200': + description: See the full Visualizations API reference for detailed response schemas. put: - description: > - Update a parameter in the Synthetics app. + tags: + - Visualizations + summary: Update a visualization + operationId: update-visualization-redirect + description: | + > **Technical preview** — The Visualizations API is currently in technical preview and its full reference documentation is temporarily hosted at a separate location. 
+ > + > **[View the full Visualizations API reference →](https://elastic.github.io/dashboards-api-spec/visualizations#tag/Visualizations)** + responses: + '200': + description: See the full Visualizations API reference for detailed response schemas. + delete: + tags: + - Visualizations + summary: Delete a visualization + operationId: delete-visualization-redirect + description: | + > **Technical preview** — The Visualizations API is currently in technical preview and its full reference documentation is temporarily hosted at a separate location. + > + > **[View the full Visualizations API reference →](https://elastic.github.io/dashboards-api-spec/visualizations#tag/Visualizations)** + responses: + '200': + description: See the full Visualizations API reference for detailed response schemas. + /api/workflows: + delete: + description: |- + **Spaces method and path for this operation:** - You must have `all` privileges for the Synthetics feature in the - Observability section of the Kibana feature privileges. - operationId: put-parameter +
delete /s/{space_id}/api/workflows
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete multiple workflows by their IDs.

[Required authorization] Route required privileges: workflowsManagement:delete. + operationId: delete-workflows parameters: - - description: The unique identifier for the parameter. - in: path - name: id + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: + example: 'true' type: string + - description: When true, permanently deletes the workflows (hard delete) instead of soft-deleting them. The workflow IDs become available for reuse. + in: query + name: force + required: false + schema: + default: false + type: boolean requestBody: content: application/json: examples: - putParameterRequestExample1: - value: |- - { - "key": "updated_param_key", - "value": "updated-param-value", - "description": "Updated Param to be used in browser monitor", - "tags": ["authentication", "security", "updated"] - } + bulkDeleteWorkflowsRequestExample: + description: Example request for deleting multiple workflows + value: + ids: + - workflow-c3d4e5f6-a7b8-9012-cdef-234567890123 + - workflow-d4e5f6a7-b8c9-0123-defa-345678901234 schema: + additionalProperties: false type: object properties: - description: - description: The updated description of the parameter. - type: string - key: - description: The key of the parameter. - type: string - tags: - description: An array of updated tags to categorize the parameter. + ids: + description: Array of workflow IDs to delete. items: + description: Workflow ID to delete. type: string + maxItems: 1000 type: array - value: - description: The updated value associated with the parameter. - type: string - description: The request body cannot be empty; at least one attribute is required. 
- required: true + required: + - ids responses: '200': content: application/json: examples: - putParameterResponseExample1: - value: |- - { - "id": "param_id1", - "key": "updated_param_key", - "value": "updated-param-value", - "description": "Updated Param to be used in browser monitor", - "tags": ["authentication", "security", "updated"] - } - schema: - type: object - description: A successful response. - summary: Update a parameter + bulkDeleteWorkflowsResponseExample: + description: Example response after deleting multiple workflows + value: + deleted: 2 + failures: [] + total: 2 + description: Indicates a successful response + summary: Bulk delete workflows tags: - - synthetics - /api/synthetics/private_locations: + - workflows + x-codeSamples: + - label: Soft delete (default) + lang: curl + source: | + curl \ + -X DELETE "${KIBANA_URL}/api/workflows" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "ids": ["workflow-c3d4e5f6-a7b8-9012-cdef-234567890123", "workflow-d4e5f6a7-b8c9-0123-defa-345678901234"] + }' + - label: Hard delete (permanent) + lang: curl + source: | + curl \ + -X DELETE "${KIBANA_URL}/api/workflows?force=true" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "ids": ["workflow-c3d4e5f6-a7b8-9012-cdef-234567890123", "workflow-d4e5f6a7-b8c9-0123-defa-345678901234"] + }' + - lang: Console + source: | + DELETE kbn://api/workflows + { + "ids": ["workflow-c3d4e5f6-a7b8-9012-cdef-234567890123", "workflow-d4e5f6a7-b8c9-0123-defa-345678901234"] + } + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name get: - description: > - Get a list of private locations. + description: |- + **Spaces method and path for this operation:** - You must have `read` privileges for the Synthetics and Uptime feature in - the Observability section of the Kibana feature privileges. 
- operationId: get-private-locations +
get /s/{space_id}/api/workflows
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve a paginated list of workflows with optional filtering.

[Required authorization] Route required privileges: workflowsManagement:read OR workflowsManagement:readExecution. + operationId: get-workflows + parameters: + - description: Free-text search query. + in: query + name: query + required: false + schema: + type: string + - description: Number of results per page. + in: query + name: size + required: false + schema: + minimum: 1 + type: number + - description: Page number. + in: query + name: page + required: false + schema: + minimum: 1 + type: number + - description: Filter by enabled state. + in: query + name: enabled + required: false + schema: + items: + type: boolean + maxItems: 2 + type: array + - description: Filter by creator. + in: query + name: createdBy + required: false + schema: + items: + type: string + maxItems: 1000 + type: array + - description: Filter by tags. + in: query + name: tags + required: false + schema: + items: + type: string + maxItems: 1000 + type: array + - description: Filter by managed status. Defaults to "unmanaged". + in: query + name: managed + required: false + schema: + enum: + - all + - managed + - unmanaged + type: string responses: '200': content: application/json: examples: - getPrivateLocationsResponseExample1: - value: |- - [ - { - "label": "Test private location", - "id": "fleet-server-policy", - "agentPolicyId": "fleet-server-policy", - "isInvalid": false, - "geo": { - "lat": 0, - "lon": 0 - }, - "namespace": "default" - }, - { - "label": "Test private location 2", - "id": "691225b0-6ced-11ee-8f5a-376306ee85ae", - "agentPolicyId": "691225b0-6ced-11ee-8f5a-376306ee85ae", - "isInvalid": false, - "geo": { - "lat": 0, - "lon": 0 - }, - "namespace": "test" - } - ] - schema: - items: - $ref: '#/components/schemas/Synthetics_getPrivateLocation' - type: array - description: A successful response. 
- summary: Get private locations + getWorkflowsResponseExample: + description: Example response returning a paginated list of workflows + value: + page: 1 + results: + - createdAt: '2025-11-20T10:30:00.000Z' + definition: + description: This is a workflow example + enabled: true + inputs: + - default: hello world + name: message + type: string + name: Example definition + steps: + - name: hello_world_step + type: console + with: + message: '{{ inputs.message }}' + triggers: + - type: manual + description: This is a workflow example + enabled: true + history: + - duration: 5000 + finishedAt: '2025-11-20T12:00:05.000Z' + id: exec-001 + startedAt: '2025-11-20T12:00:00.000Z' + status: completed + workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + workflowName: Example definition + id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + name: Example definition + tags: + - example + valid: true + size: 20 + total: 1 + description: Indicates a successful response + summary: Get workflows tags: - - synthetics + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/workflows?size=20&page=1" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/workflows?size=20&page=1 + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name post: - description: >- - You must have `all` privileges for the Synthetics and Uptime feature in - the Observability section of the Kibana feature privileges. - operationId: post-private-location + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/workflows
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create multiple workflows in a single request. Optionally overwrite existing workflows.

[Required authorization] Route required privileges: workflowsManagement:create AND workflowsManagement:update. + operationId: post-workflows + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Whether to overwrite existing workflows. + in: query + name: overwrite + required: false + schema: + default: false + type: boolean requestBody: content: application/json: examples: - postPrivateLocationRequestExample1: - description: >- - Run `POST /api/private_locations` to create a private - location. - value: |- - { - "label": "Private Location 1", - "agentPolicyId": "abcd1234", - "tags": ["private", "testing"], - "geo": { - "lat": 40.7128, - "lon": -74.0060 - } - "spaces": ["default"] - } + bulkCreateWorkflowsRequestExample: + description: Example request for creating multiple workflows at once + value: + workflows: + - yaml: | + name: Example definition + enabled: true + description: This is a workflow example + triggers: + - type: manual + inputs: + - name: message + type: string + default: "hello world" + steps: + - name: hello_world_step + type: console + with: + message: "{{ inputs.message }}" + - id: workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901 + yaml: | + name: Second workflow + enabled: false + description: Another workflow + triggers: + - type: manual + steps: + - name: log_step + type: console + with: + message: "Hello from second workflow" schema: + additionalProperties: false type: object properties: - agentPolicyId: - description: >- - The ID of the agent policy associated with the private - location. - type: string - geo: - description: Geographic coordinates (WGS84) for the location. - type: object - properties: - lat: - description: The latitude of the location. - type: number - lon: - description: The longitude of the location. 
- type: number - required: - - lat - - lon - label: - description: A label for the private location. - type: string - spaces: - description: > - An array of space IDs where the private location is - available. If it is not provided, the private location is - available in all spaces. - items: - type: string - type: array - tags: - description: An array of tags to categorize the private location. + workflows: items: - type: string + type: object + properties: + id: + maxLength: 255 + minLength: 3 + pattern: ^[a-z0-9]([a-z0-9-]*[a-z0-9])?$ + type: string + yaml: + maxLength: 1048576 + type: string + required: + - yaml + maxItems: 500 type: array required: - - agentPolicyId - - label - required: true + - workflows responses: '200': content: application/json: examples: - postPrivateLocationResponseExample1: - value: |- - { - "id": "abcd1234", - "label": "Private Location 1", - "agentPolicyId": "abcd1234", - "tags": ["private", "testing"], - "geo": { - "lat": 40.7128, - "lon": -74.0060 - } - } - schema: - type: object - description: A successful response. - '400': - description: >- - If the `agentPolicyId` is already used by an existing private - location or if the `label` already exists, the API will return a 400 - Bad Request response with a corresponding error message. - summary: Create a private location + bulkCreateWorkflowsResponseExample: + description: Example response after creating multiple workflows + value: + created: + - id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + name: Example definition + - id: workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901 + name: Second workflow + failures: [] + total: 2 + description: Indicates a successful response + summary: Bulk create workflows tags: - - synthetics - /api/synthetics/private_locations/{id}: - delete: - description: > - You must have `all` privileges for the Synthetics and Uptime feature in - the Observability section of the Kibana feature privileges. 
+ - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/workflows?overwrite=false" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "workflows": [ + { "yaml": "name: Example definition\nenabled: true\ndescription: This is a workflow example\ntriggers:\n - type: manual\ninputs:\n - name: message\n type: string\n default: \"hello world\"\nsteps:\n - name: hello_world_step\n type: console\n with:\n message: \"{{ inputs.message }}\"\n" }, + { "id": "workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901", "yaml": "name: Second workflow\nenabled: false\ndescription: Another workflow\ntriggers:\n - type: manual\nsteps:\n - name: log_step\n type: console\n with:\n message: \"Hello from second workflow\"\n" } + ] + }' + - lang: Console + source: | + POST kbn://api/workflows?overwrite=false + { + "workflows": [ + { "yaml": "name: Example definition\nenabled: true\ndescription: This is a workflow example\ntriggers:\n - type: manual\ninputs:\n - name: message\n type: string\n default: \"hello world\"\nsteps:\n - name: hello_world_step\n type: console\n with:\n message: \"{{ inputs.message }}\"\n" }, + { "id": "workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901", "yaml": "name: Second workflow\nenabled: false\ndescription: Another workflow\ntriggers:\n - type: manual\nsteps:\n - name: log_step\n type: console\n with:\n message: \"Hello from second workflow\"\n" } + ] + } + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/workflows/aggs: + get: + description: |- + **Spaces method and path for this operation:** - The API does not return a response body for deletion, but it will return - an appropriate status code upon successful deletion. +
get /s/{space_id}/api/workflows/aggs
- A location cannot be deleted if it has associated monitors in use. You - must delete all monitors associated with the location before deleting - the location. - operationId: delete-private-location + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve distinct values and their counts for the specified workflow fields. Useful for building filters such as lists of tags or creators.

[Required authorization] Route required privileges: workflowsManagement:read. + operationId: get-workflows-aggs parameters: - - description: The unique identifier of the private location to be deleted. - in: path - name: id + - description: Field or fields to aggregate on. + in: query + name: fields required: true schema: - maxLength: 1024 - minLength: 1 - type: string + description: Fields to aggregate on. + items: + description: Field name to aggregate. + type: string + maxItems: 25 + minItems: 1 + type: array responses: '200': - description: OK - summary: Delete a private location + content: + application/json: + examples: + getAggsResponseExample: + description: Example response with tag and createdBy aggregations + value: + createdBy: + - doc_count: 2 + key: elastic + tags: + - doc_count: 1 + key: reporting + - doc_count: 1 + key: security + - doc_count: 1 + key: triage + description: Indicates a successful response + summary: Get workflow aggregations tags: - - synthetics + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/workflows/aggs?fields=tags&fields=createdBy" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/workflows/aggs?fields=tags&fields=createdBy + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/workflows/connectors: get: - description: > - You must have `read` privileges for the Synthetics and Uptime feature in - the Observability section of the Kibana feature privileges. - operationId: get-private-location - parameters: - - description: A private location identifier or label. - in: path - name: id - required: true - schema: - type: string + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/workflows/connectors
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve the Kibana action connectors that can be used in workflow steps, grouped by connector type. Each type includes its configured instances and availability status.

[Required authorization] Route required privileges: workflowsManagement:read. + operationId: get-workflows-connectors + parameters: [] responses: '200': content: application/json: examples: - getPrivateLocationResponseExample1: - value: |- - { - "label": "Test private location", - "id": "test-private-location-id", - "agentPolicyId": "test-private-location-id", - "isServiceManaged": false, - "isInvalid": false, - "geo": { - "lat": 0, - "lon": 0 - }, - "namespace": "default" - } - schema: - $ref: '#/components/schemas/Synthetics_getPrivateLocation' - description: A successful response. - summary: Get a private location + getConnectorsResponseExample: + description: Example response with available connector types and their instances + value: + connectorTypes: + .email: + actionTypeId: .email + displayName: Email + enabled: true + enabledInConfig: true + enabledInLicense: true + instances: [] + minimumLicenseRequired: gold + subActions: + - displayName: Send + name: send + .slack_api: + actionTypeId: .slack_api + displayName: Slack + enabled: true + enabledInConfig: true + enabledInLicense: true + instances: + - id: slack-connector-1 + isDeprecated: false + isPreconfigured: false + name: Team Notifications + minimumLicenseRequired: gold + subActions: + - displayName: Post Message + name: postMessage + totalConnectors: 1 + description: Indicates a successful response + summary: Get available connectors tags: - - synthetics - put: - description: > - Update an existing private location's label. 
+ - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/workflows/connectors" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/workflows/connectors + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/workflows/executions/{executionId}: + get: + description: |- + **Spaces method and path for this operation:** - You must have `all` privileges for the Synthetics and Uptime feature in - the Observability section of the Kibana feature privileges. +
get /s/{space_id}/api/workflows/executions/{executionId}
- When a private location's label is updated, all monitors using this - location will also be updated to maintain data consistency. - operationId: put-private-location + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve details of a single workflow execution by its ID.

[Required authorization] Route required privileges: workflowsManagement:readExecution. + operationId: get-workflows-executions-executionid parameters: - - description: The unique identifier of the private location to be updated. + - description: Workflow execution ID in: path - name: id + name: executionId required: true schema: type: string - requestBody: - content: - application/json: - examples: - putPrivateLocationRequestExample1: - description: Update a private location's label. - value: |- - { - "label": "Updated Private Location Name" - } - schema: - type: object - properties: - label: - description: >- - A new label for the private location. Must be at least 1 - character long. - minLength: 1 - type: string - required: - - label - required: true + - description: Include execution input data. + in: query + name: includeInput + required: false + schema: + default: false + type: boolean + - description: Include execution output data. + in: query + name: includeOutput + required: false + schema: + default: false + type: boolean responses: '200': content: application/json: examples: - putPrivateLocationResponseExample1: - value: |- - { - "label": "Updated Private Location Name", - "id": "test-private-location-id", - "agentPolicyId": "test-private-location-id", - "isServiceManaged": false, - "isInvalid": false, - "tags": ["private", "testing", "updated"], - "geo": { - "lat": 37.7749, - "lon": -122.4194 - }, - "spaces": ["*"] - } - schema: - $ref: '#/components/schemas/Synthetics_getPrivateLocation' - description: A successful response. - '400': - description: >- - If the `label` is shorter than 1 character the API will return a 400 - Bad Request response with a corresponding error message. - '404': - description: >- - If the private location with the specified ID does not exist, the - API will return a 404 Not Found response. 
- summary: Update a private location + getExecutionResponseExample: + description: Example response returning a workflow execution with step details + value: + duration: 3000 + executedBy: elastic + finishedAt: '2025-11-20T12:00:03.000Z' + id: exec-a1b2c3d4-e5f6-7890 + input: + message: hello world + isTestRun: false + output: hello world + spaceId: default + startedAt: '2025-11-20T12:00:00.000Z' + status: completed + stepExecutions: + - executionTimeMs: 1000 + finishedAt: '2025-11-20T12:00:02.000Z' + globalExecutionIndex: 0 + id: step-exec-001 + isTestRun: false + scopeStack: [] + spaceId: default + startedAt: '2025-11-20T12:00:01.000Z' + status: completed + stepExecutionIndex: 0 + stepId: hello_world_step + stepType: console + topologicalIndex: 0 + workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + workflowRunId: exec-a1b2c3d4-e5f6-7890 + triggeredBy: manual + workflowDefinition: + description: This is a workflow example + enabled: true + inputs: + - default: hello world + name: message + type: string + name: Example definition + steps: + - name: hello_world_step + type: console + with: + message: '{{ inputs.message }}' + triggers: + - type: manual + workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + yaml: | + name: Example definition + enabled: true + description: This is a workflow example + triggers: + - type: manual + inputs: + - name: message + type: string + default: "hello world" + steps: + - name: hello_world_step + type: console + with: + message: "{{ inputs.message }}" + description: Indicates a successful response + summary: Get a workflow execution tags: - - synthetics - /api/task_manager/_health: - get: - description: | - Get the health status of the Kibana task manager. 
- operationId: task-manager-health + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/workflows/executions/{executionId}?includeInput=true&includeOutput=true" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/workflows/executions/{executionId}?includeInput=true&includeOutput=true + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/workflows/executions/{executionId}/cancel: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/workflows/executions/{executionId}/cancel
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Cancel a running workflow execution by its ID.

[Required authorization] Route required privileges: workflowsManagement:cancelExecution. + operationId: post-workflows-executions-executionid-cancel + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Workflow execution ID + in: path + name: executionId + required: true + schema: + type: string responses: '200': - content: - application/json: - examples: - taskManagerHealthResponse1: - $ref: >- - #/components/examples/Task_manager_health_APIs_health_200response - schema: - $ref: '#/components/schemas/Task_manager_health_APIs_health_response' - description: Indicates a successful call - summary: Get the task manager health + description: Indicates a successful response + summary: Cancel a workflow execution tags: - - task manager - /api/timeline: - delete: - description: Delete one or more Timelines or Timeline templates. - operationId: DeleteTimelines - requestBody: - content: - application/json: - examples: - deleteByIds: - summary: Delete timelines by saved object id - value: - savedObjectIds: - - 15c1929b-0af7-42bd-85a8-56e234cc7c4e - deleteWithSearches: - summary: Delete Timelines and their linked saved searches - value: - savedObjectIds: - - 15c1929b-0af7-42bd-85a8-56e234cc7c4e - - 6ce1b592-84e3-4b4a-9552-f189d4b82075 - searchIds: - - 2c1b8f02-9ad6-4e33-8f6a-2c6b7d0a1f11 - schema: - type: object - properties: - savedObjectIds: - description: >- - The list of IDs of the Timelines or Timeline templates to - delete - items: - type: string - maxItems: 100 - type: array - searchIds: - description: >- - Saved search IDs that should be deleted alongside the - timelines - items: - type: string - maxItems: 100 - type: array - required: - - savedObjectIds - description: The IDs of the Timelines or Timeline templates to delete. 
- required: true + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/workflows/executions/{executionId}/cancel" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" + - lang: Console + source: | + POST kbn://api/workflows/executions/{executionId}/cancel + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/workflows/executions/{executionId}/children: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/workflows/executions/{executionId}/children
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve child workflow executions spawned by sub-workflow steps within a parent execution.

[Required authorization] Route required privileges: workflowsManagement:readExecution. + operationId: get-workflows-executions-executionid-children + parameters: + - description: Workflow execution ID + in: path + name: executionId + required: true + schema: + type: string responses: '200': content: application/json: examples: - success: - summary: Success - value: {} - schema: - additionalProperties: true - type: object - description: Indicates a successful call. - summary: Delete Timelines or Timeline templates + getChildrenExecutionsResponseExample: + description: Example response returning child workflow executions spawned by sub-workflow steps + value: + - executionId: child-exec-001 + parentStepExecutionId: step-exec-003 + status: completed + stepExecutions: + - executionTimeMs: 1000 + finishedAt: '2025-11-20T12:00:07.000Z' + globalExecutionIndex: 0 + id: child-step-001 + isTestRun: false + scopeStack: [] + startedAt: '2025-11-20T12:00:06.000Z' + status: completed + stepExecutionIndex: 0 + stepId: hello_world_step + stepType: console + topologicalIndex: 0 + workflowId: workflow-e5f6a7b8-c9d0-1234-efab-456789012345 + workflowRunId: child-exec-001 + workflowId: workflow-e5f6a7b8-c9d0-1234-efab-456789012345 + workflowName: Child Workflow + description: Indicates a successful response + summary: Get child executions tags: - - Security Timeline API - - access:securitySolution + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/workflows/executions/{executionId}/children" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/workflows/executions/{executionId}/children + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/workflows/executions/{executionId}/logs: get: - description: Get the details of an existing saved Timeline or Timeline template. 
- operationId: GetTimeline + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/workflows/executions/{executionId}/logs
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve paginated logs for a workflow execution. Optionally filter by a specific step execution.

[Required authorization] Route required privileges: workflowsManagement:readExecution. + operationId: get-workflows-executions-executionid-logs parameters: - - description: The `savedObjectId` of the Timeline template to retrieve. + - description: Workflow execution ID + in: path + name: executionId + required: true + schema: + type: string + - description: Filter logs by a specific step execution ID. in: query - name: template_timeline_id + name: stepExecutionId + required: false schema: type: string - - description: The `savedObjectId` of the Timeline to retrieve. + - description: Number of log entries per page. in: query - name: id + name: size + required: false + schema: + default: 100 + maximum: 100 + minimum: 1 + type: number + - description: Page number. + in: query + name: page + required: false + schema: + default: 1 + minimum: 1 + type: number + - description: Field to sort by. + in: query + name: sortField + required: false + schema: + type: string + - description: Sort order. + in: query + name: sortOrder + required: false schema: + enum: + - asc + - desc type: string responses: '200': content: application/json: examples: - timelineDetail: - summary: Timeline detail + getExecutionLogsResponseExample: + description: Example response returning paginated execution logs value: - description: User-reported suspicious email - noteIds: [] - pinnedEventIds: [] - savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - status: active - timelineType: default - title: Phishing investigation - version: WzE0LDFd - schema: - $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' - description: Indicates a successful call. 
- summary: Get Timeline or Timeline template details + logs: + - additionalData: + executionId: exec-a1b2c3d4-e5f6-7890 + workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + connectorType: console + duration: 150 + id: log-001 + level: info + message: Workflow execution started + stepId: hello_world_step + stepName: Hello World + timestamp: '2025-11-20T12:00:01.000Z' + - additionalData: + executionId: exec-a1b2c3d4-e5f6-7890 + workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + connectorType: console + duration: 200 + id: log-002 + level: info + message: Step completed successfully + stepId: hello_world_step + stepName: Hello World + timestamp: '2025-11-20T12:00:02.000Z' + page: 1 + size: 100 + total: 2 + description: Indicates a successful response + summary: Get execution logs tags: - - Security Timeline API - - access:securitySolution - patch: - description: >- - Update an existing Timeline. You can update the title, description, date - range, pinned events, pinned queries, and/or pinned saved queries of an - existing Timeline. - operationId: PatchTimeline + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/workflows/executions/{executionId}/logs?size=100&page=1" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/workflows/executions/{executionId}/logs?size=100&page=1 + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/workflows/executions/{executionId}/resume: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/workflows/executions/{executionId}/resume
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Resume a paused workflow execution with the provided input.

[Required authorization] Route required privileges: workflowsManagement:execute. + operationId: post-workflows-executions-executionid-resume + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Workflow execution ID + in: path + name: executionId + required: true + schema: + type: string requestBody: content: application/json: examples: - patchTitle: - summary: Update title + resumeExecutionRequestExample: + description: Example request to resume a paused workflow execution value: - timeline: - title: Escalated case review - timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - version: WzE0LDFd + input: + approved: true + comment: Approved by analyst schema: + additionalProperties: false type: object properties: - timeline: - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' - description: >- - The timeline object of the Timeline or Timeline template - that you’re updating. - timelineId: - description: >- - The `savedObjectId` of the Timeline or Timeline template - that you’re updating. - example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - nullable: true - type: string - version: - description: >- - The version of the Timeline or Timeline template that you’re - updating. - example: WzE0LDFd - nullable: true - type: string + input: + additionalProperties: + nullable: true + description: Input data to resume the execution with. + type: object required: - - timelineId - - version - - timeline - description: The Timeline updates, along with the Timeline ID and version. 
- required: true + - input responses: '200': content: application/json: examples: - patched: - summary: Updated timeline + resumeExecutionResponseExample: + description: Example response confirming the resume was scheduled value: - savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - status: active - timelineType: default - title: Escalated case review - version: WzE1LDFd - schema: - $ref: >- - #/components/schemas/Security_Timeline_API_PersistTimelineResponse - description: Indicates a successful call. - '405': + executionId: exec-a1b2c3d4-e5f6-7890 + message: Workflow resume scheduled + success: true + description: Indicates a successful response + summary: Resume a workflow execution + tags: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/workflows/executions/{executionId}/resume" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "input": { + "approved": true, + "comment": "Approved by analyst" + } + }' + - lang: Console + source: | + POST kbn://api/workflows/executions/{executionId}/resume + { + "input": { + "approved": true, + "comment": "Approved by analyst" + } + } + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/workflows/executions/{executionId}/step/{stepExecutionId}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/workflows/executions/{executionId}/step/{stepExecutionId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve details of a single step execution within a workflow execution.

[Required authorization] Route required privileges: workflowsManagement:readExecution. + operationId: get-workflows-executions-executionid-step-stepexecutionid + parameters: + - description: Workflow execution ID. + in: path + name: executionId + required: true + schema: + type: string + - description: Step execution ID. + in: path + name: stepExecutionId + required: true + schema: + type: string + responses: + '200': content: application/json: examples: - error: - summary: Error body - value: - body: update timeline error - statusCode: 405 - schema: - type: object - properties: - body: - description: The error message. - example: update timeline error - type: string - statusCode: - example: 405 - type: number - description: >- - Indicates that the user does not have the required access to create - a Timeline. - summary: Update a Timeline + getStepExecutionResponseExample: + description: Example response returning a single step execution + value: + error: null + executionTimeMs: 1000 + finishedAt: '2025-11-20T12:00:02.000Z' + globalExecutionIndex: 0 + id: step-exec-001 + input: + message: hello world + isTestRun: false + output: hello world + scopeStack: [] + spaceId: default + startedAt: '2025-11-20T12:00:01.000Z' + state: null + status: completed + stepExecutionIndex: 0 + stepId: hello_world_step + stepType: console + topologicalIndex: 0 + workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + workflowRunId: exec-a1b2c3d4-e5f6-7890 + description: Indicates a successful response + summary: Get a step execution tags: - - Security Timeline API - - access:securitySolution + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/workflows/executions/{executionId}/step/{stepExecutionId}" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/workflows/executions/{executionId}/step/{stepExecutionId} + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: 
product_name + /api/workflows/export: post: - description: Create a new Timeline or Timeline template. - operationId: CreateTimelines + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/workflows/export
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Export one or more workflows as JSON with YAML content and metadata.

[Required authorization] Route required privileges: workflowsManagement:read. + operationId: post-workflows-export + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: examples: - createDefault: - summary: Create a default timeline + exportWorkflowsRequestExample: + description: Example request to export workflows value: - timeline: - status: active - timelineType: default - title: Malware containment + ids: + - workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + - workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901 schema: + additionalProperties: false type: object properties: - status: - $ref: '#/components/schemas/Security_Timeline_API_TimelineStatus' - nullable: true - templateTimelineId: - description: A unique identifier for the Timeline template. - example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 - nullable: true - type: string - templateTimelineVersion: - description: Timeline template version number. - example: 12 - nullable: true - type: number - timeline: - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' - timelineId: - description: A unique identifier for the Timeline. - example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 - nullable: true - type: string - timelineType: - $ref: '#/components/schemas/Security_Timeline_API_TimelineType' - nullable: true - version: - nullable: true - type: string + ids: + description: Array of workflow IDs to export. + items: + description: Workflow ID to export. + maxLength: 255 + type: string + maxItems: 500 + minItems: 1 + type: array required: - - timeline - description: >- - The required Timeline fields used to create a new Timeline, along with - optional fields that will be created if not provided. 
- required: true + - ids responses: '200': content: application/json: examples: - created: - summary: Created timeline - value: - savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - status: active - timelineType: default - title: Malware containment - version: WzE0LDFd - schema: - $ref: >- - #/components/schemas/Security_Timeline_API_PersistTimelineResponse - description: Indicates a successful call. - '405': - content: - application/json: - examples: - error: - summary: Error body + exportWorkflowsResponseExample: + description: Workflow entries with YAML content and export manifest value: - body: update timeline error - statusCode: 405 - schema: - type: object - properties: - body: - description: The error message - example: update timeline error - type: string - statusCode: - example: 405 - type: number - description: Indicates that there was an error in the Timeline creation. - summary: Create a Timeline or Timeline template + entries: + - id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + yaml: |- + name: My Workflow + steps: + - type: http.request + with: + url: https://example.com + - id: workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901 + yaml: |- + name: Another Workflow + steps: + - type: http.request + with: + url: https://example.com + manifest: + exportedAt: '2026-03-26T12:00:00.000Z' + exportedCount: 2 + version: '1' + description: JSON containing exported workflow YAML entries and manifest metadata + summary: Export workflows tags: - - Security Timeline API - - access:securitySolution - /api/timeline/_copy: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/workflows/export" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "ids": ["workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", "workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901"] + }' + - lang: Console + source: | + POST kbn://api/workflows/export + { + "ids": 
["workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", "workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901"] + } + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/workflows/mget: post: - description: | - Copies and returns a timeline or timeline template. - operationId: CopyTimeline + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/workflows/mget
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve multiple workflows by their IDs in a single request. Optionally use the `source` parameter to return only specific fields from each workflow document.

[Required authorization] Route required privileges: workflowsManagement:read. + operationId: post-workflows-mget + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: examples: - copyWithTitle: - summary: Copy with a new title + mgetWorkflowsRequestExample: + description: Example request to retrieve multiple workflows by their IDs value: - timeline: - timelineType: default - title: Copy of investigation - timelineIdToCopy: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + ids: + - workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + - workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901 + source: + - name + - enabled schema: + additionalProperties: false type: object properties: - timeline: - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' - timelineIdToCopy: - description: >- - The `savedObjectId` of the timeline or template to - duplicate. - type: string + ids: + description: Array of workflow IDs to look up. + items: + description: Workflow ID. + maxLength: 255 + type: string + maxItems: 500 + minItems: 1 + type: array + source: + description: Array of source fields to include. + items: + description: Source field. + maxLength: 255 + type: string + maxItems: 10 + minItems: 1 + type: array required: - - timeline - - timelineIdToCopy - description: >- - Source timeline id to copy plus timeline fields for the new saved - object. 
- required: true + - ids responses: '200': content: application/json: examples: - copied: - summary: Newly saved timeline + mgetWorkflowsResponseExample: + description: Example response returning the requested workflows with projected fields value: - savedObjectId: 6ce1b592-84e3-4b4a-9552-f189d4b82075 - status: active - timelineType: default - title: Copy of investigation - version: WzE1LDFd - schema: - $ref: >- - #/components/schemas/Security_Timeline_API_PersistTimelineResponse - description: Indicates a successful call. - summary: Copies timeline or timeline template + - enabled: true + id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + name: Example definition + - enabled: false + id: workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901 + name: Second workflow + description: Indicates a successful response + summary: Get workflows by IDs tags: - - Security Timeline API - - access:securitySolution - /api/timeline/_draft: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/workflows/mget" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "ids": ["workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", "workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901"], + "source": ["name", "enabled"] + }' + - lang: Console + source: | + POST kbn://api/workflows/mget + { + "ids": ["workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", "workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901"], + "source": ["name", "enabled"] + } + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/workflows/schema: get: - description: >- - Get the details of the draft Timeline or Timeline template for the - current user. If the user doesn't have a draft Timeline, an empty - Timeline is returned. - operationId: GetDraftTimelines + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/workflows/schema
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve the JSON schema used to validate workflow YAML definitions. The schema includes available step types based on the configured connectors in the current space.

[Required authorization] Route required privileges: workflowsManagement:read. + operationId: get-workflows-schema parameters: - - description: >- - Which draft to load (`default` investigation timeline or `template` - timeline template). + - description: When true, returns a permissive schema that allows additional properties. When false, returns a strict schema for full validation. in: query - name: timelineType + name: loose required: true schema: - $ref: '#/components/schemas/Security_Timeline_API_TimelineType' + type: boolean responses: '200': content: application/json: examples: - draftPayload: - summary: Draft timeline payload - value: - savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - status: draft - timelineType: default - title: '' - version: WzE0LDFd - schema: - $ref: >- - #/components/schemas/Security_Timeline_API_PersistTimelineResponse - description: Indicates a successful call. - '403': - content: - application/json: - examples: - forbidden: - summary: Permission denied - value: - message: Forbidden - status_code: 403 - schema: - type: object - properties: - message: - type: string - status_code: - type: number - description: >- - If a draft Timeline was not found and we attempted to create one, it - indicates that the user does not have the required permissions to - create a draft Timeline. - '409': - content: - application/json: - examples: - conflict: - summary: Draft conflict + getSchemaResponseExample: + description: Example response returning the workflow JSON schema (truncated) value: - message: Conflict - status_code: 409 - schema: - type: object - properties: - message: - type: string - status_code: - type: number - description: >- - This should never happen, but if a draft Timeline was not found and - we attempted to create one, it indicates that there is already a - draft Timeline with the given `timelineId`. 
- summary: Get draft Timeline or Timeline template details + $schema: http://json-schema.org/draft-07/schema# + type: object + properties: + description: + type: string + enabled: + default: true + type: boolean + name: + minLength: 1 + type: string + tags: + items: + type: string + type: array + version: + const: '1' + default: '1' + description: The version of the workflow schema + type: string + required: + - name + - triggers + - steps + description: Indicates a successful response + summary: Get workflow JSON schema tags: - - Security Timeline API - - access:securitySolution - post: - description: > - Create a clean draft Timeline or Timeline template for the current user. + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/workflows/schema?loose=false" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/workflows/schema?loose=false + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/workflows/stats: + get: + description: |- + **Spaces method and path for this operation:** - > info +
get /s/{space_id}/api/workflows/stats
- > If the user already has a draft Timeline, the existing draft Timeline - is cleared and returned. - operationId: CleanDraftTimelines - requestBody: - content: - application/json: - examples: - defaultDraft: - summary: Create a default draft timeline - value: - timelineType: default - schema: - type: object - properties: - timelineType: - $ref: '#/components/schemas/Security_Timeline_API_TimelineType' - required: - - timelineType - description: >- - The type of Timeline to create. Valid values are `default` and - `template`. - required: true + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve summary statistics about workflows, including total, enabled, and disabled counts; execution history metrics for the last 30 days are included only when the caller has execution read privilege.

[Required authorization] Route required privileges: workflowsManagement:read OR workflowsManagement:readExecution. + operationId: get-workflows-stats + parameters: [] responses: - '200': - content: - application/json: - examples: - draftResponse: - summary: Draft after reset or creation - value: - savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - status: draft - templateTimelineId: null - templateTimelineVersion: null - timelineType: default - title: '' - version: WzE0LDFd - schema: - $ref: >- - #/components/schemas/Security_Timeline_API_PersistTimelineResponse - description: Indicates a successful call. - '403': - content: - application/json: - examples: - forbidden: - summary: Permission denied - value: - message: Forbidden - status_code: 403 - schema: - type: object - properties: - message: - type: string - status_code: - type: number - description: >- - Indicates that the user does not have the required permissions to - create a draft Timeline. - '409': + '200': content: application/json: examples: - conflict: - summary: Draft conflict + getStatsResponseExample: + description: Example response with workflow counts and 30-day execution history value: - message: Conflict - status_code: 409 - schema: - type: object - properties: - message: - type: string - status_code: - type: number - description: >- - Indicates that there is already a draft Timeline with the given - `timelineId`. 
- summary: Create a clean draft Timeline or Timeline template + executions: + - cancelled: 1 + completed: 45 + date: '2025-11-20' + failed: 2 + timestamp: '2025-11-20T00:00:00.000Z' + - cancelled: 0 + completed: 50 + date: '2025-11-21' + failed: 0 + timestamp: '2025-11-21T00:00:00.000Z' + workflows: + disabled: 3 + enabled: 12 + description: Indicates a successful response + summary: Get workflow statistics tags: - - Security Timeline API - - access:securitySolution - /api/timeline/_export: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/workflows/stats" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/workflows/stats + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/workflows/step/test: post: - description: Export Timelines as an NDJSON file. - operationId: ExportTimelines + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/workflows/step/test
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Execute a single step from a workflow definition in test mode.

[Required authorization] Route required privileges: workflowsManagement:execute AND workflowsManagement:read. + operationId: post-workflows-step-test parameters: - - description: The name of the file to export - in: query - name: file_name + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: + example: 'true' type: string requestBody: content: application/json: examples: - exportIds: - summary: Export by timeline ids + testStepRequestExample: + description: Example request to test a single workflow step value: - ids: - - 15c1929b-0af7-42bd-85a8-56e234cc7c4e + contextOverride: + inputs: + message: override message + stepId: hello_world_step + workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + workflowYaml: | + name: Example definition + enabled: true + description: This is a workflow example + triggers: + - type: manual + inputs: + - name: message + type: string + default: "hello world" + steps: + - name: hello_world_step + type: console + with: + message: "{{ inputs.message }}" schema: + additionalProperties: false type: object properties: - ids: - items: - type: string - maxItems: 1000 - minItems: 1 - nullable: true - type: array - description: The IDs of the Timelines to export. - required: true + contextOverride: + additionalProperties: + nullable: true + description: Context overrides for the step execution. + type: object + executionContext: + additionalProperties: + nullable: true + description: Execution context for the step execution. + type: object + stepId: + description: ID of the step to test. + type: string + workflowId: + description: ID of the workflow containing the step. + type: string + workflowYaml: + description: YAML definition of the workflow containing the step. 
+ type: string + required: + - stepId + - contextOverride + - workflowYaml responses: '200': content: - application/ndjson: - examples: - ndjsonLine: - summary: Single NDJSON line - value: >- - {"savedObjectId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e","version":"WzE0LDFd","title":"Investigation","timelineType":"default"} - schema: - description: NDJSON of the exported Timelines - type: string - description: Indicates a successful call. - '400': - content: - application/ndjson: + application/json: examples: - badRequest: - summary: Export error + testStepResponseExample: + description: Example response returning the step test execution ID value: - body: Export limit exceeded - statusCode: 400 - schema: - type: object - properties: - body: - type: string - statusCode: - type: number - description: Bad Request response. - summary: Export Timelines + workflowExecutionId: step-test-exec-a1b2c3d4 + description: Indicates a successful response + summary: Test a workflow step tags: - - Security Timeline API - - access:securitySolution - /api/timeline/_favorite: - patch: - description: Favorite a Timeline or Timeline template for the current user. 
- operationId: PersistFavoriteRoute + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/workflows/step/test" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "stepId": "hello_world_step", + "workflowId": "workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", + "workflowYaml": "name: Example definition\nenabled: true\ntriggers:\n - type: manual\ninputs:\n - name: message\n type: string\n default: \"hello world\"\nsteps:\n - name: hello_world_step\n type: console\n with:\n message: \"{{ inputs.message }}\"", + "contextOverride": { "inputs": { "message": "override message" } } + }' + - lang: Console + source: | + POST kbn://api/workflows/step/test + { + "stepId": "hello_world_step", + "workflowId": "workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", + "workflowYaml": "name: Example definition\nenabled: true\ntriggers:\n - type: manual\ninputs:\n - name: message\n type: string\n default: \"hello world\"\nsteps:\n - name: hello_world_step\n type: console\n with:\n message: \"{{ inputs.message }}\"", + "contextOverride": { "inputs": { "message": "override message" } } + } + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/workflows/test: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/workflows/test
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Execute a workflow in test mode without requiring it to be saved or enabled. Provide either a workflow ID to test a saved workflow, a YAML definition to test an unsaved draft, or both to test a modified version of an existing workflow.

[Required authorization] Route required privileges: workflowsManagement:execute AND workflowsManagement:read. + operationId: post-workflows-test + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: examples: - favoriteDefault: - summary: Favorite a default timeline + testWorkflowByIdRequestExample: + description: Example request to test a saved workflow by its ID value: - templateTimelineId: null - templateTimelineVersion: null - timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - timelineType: default + inputs: + message: test message + workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + testWorkflowByYamlRequestExample: + description: Example request to test an unsaved workflow YAML draft + value: + inputs: + message: test message + workflowYaml: | + name: Example definition + enabled: true + description: This is a workflow example + triggers: + - type: manual + inputs: + - name: message + type: string + default: "hello world" + steps: + - name: hello_world_step + type: console + with: + message: "{{ inputs.message }}" schema: + additionalProperties: false type: object properties: - templateTimelineId: - nullable: true + inputs: + additionalProperties: + nullable: true + description: Key-value inputs for the test execution. + type: object + workflowId: + description: ID of an existing workflow to test. type: string - templateTimelineVersion: - nullable: true - type: number - timelineId: - nullable: true + workflowYaml: + description: YAML definition to test. type: string - timelineType: - $ref: '#/components/schemas/Security_Timeline_API_TimelineType' - nullable: true required: - - timelineId - - templateTimelineId - - templateTimelineVersion - - timelineType - description: The required fields used to favorite a (template) Timeline. 
- required: true + - inputs responses: '200': content: application/json: examples: - favoriteResponse: - summary: Favorite metadata updated - value: - favorite: - - favoriteDate: 1741337636741 - userName: elastic - savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - timelineType: default - version: WzE2LDFd - schema: - $ref: >- - #/components/schemas/Security_Timeline_API_FavoriteTimelineResponse - description: Indicates a successful call. - '403': - content: - application/json: - examples: - forbidden: - summary: Forbidden + testWorkflowResponseExample: + description: Example response returning the test execution ID value: - body: Forbidden - statusCode: 403 - schema: - type: object - properties: - body: - type: string - statusCode: - type: number - description: >- - Indicates the user does not have the required permissions to persist - the favorite status. - summary: Favorite a Timeline or Timeline template + workflowExecutionId: test-exec-a1b2c3d4-e5f6 + description: Indicates a successful response + summary: Test a workflow tags: - - Security Timeline API - - access:securitySolution - /api/timeline/_import: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/workflows/test" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "workflowId": "workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", + "inputs": { "message": "test message" } + }' + - lang: Console + source: | + POST kbn://api/workflows/test + { + "workflowId": "workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", + "inputs": { "message": "test message" } + } + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/workflows/workflow: post: - description: Import Timelines. - operationId: ImportTimelines + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/workflows/workflow
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new workflow from a YAML definition. The YAML is validated and parsed before the workflow is saved. An optional custom ID can be provided.

[Required authorization] Route required privileges: workflowsManagement:create. + operationId: post-workflows-workflow + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: examples: - multipartPlaceholder: - summary: Request shape (file is a stream of NDJSON lines at runtime) + createWorkflowRequestExample: + description: Example request for creating a workflow from a YAML definition value: - file: >- - {"savedObjectId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e","version":"WzE0LDFd"}\n - isImmutable: 'false' + yaml: | + name: Example definition + enabled: true + description: This is a workflow example + triggers: + - type: manual + inputs: + - name: message + type: string + default: "hello world" + steps: + - name: hello_world_step + type: console + with: + message: "{{ inputs.message }}" + createWorkflowWithIdRequestExample: + description: Example request for creating a workflow with a custom ID + value: + id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + yaml: | + name: Example definition + enabled: true + description: This is a workflow example + triggers: + - type: manual + inputs: + - name: message + type: string + default: "hello world" + steps: + - name: hello_world_step + type: console + with: + message: "{{ inputs.message }}" schema: + additionalProperties: false type: object properties: - file: {} - isImmutable: - description: Whether the Timeline should be immutable - enum: - - 'true' - - 'false' + id: + maxLength: 255 + minLength: 3 + pattern: ^[a-z0-9]([a-z0-9-]*[a-z0-9])?$ + type: string + yaml: + maxLength: 1048576 type: string required: - - file - description: The Timelines to import as a readable stream. 
- required: true + - yaml responses: '200': content: application/json: examples: - importSummary: - summary: Import summary - value: - errors: [] - success: true - success_count: 5 - timelines_installed: 3 - timelines_updated: 2 - schema: - $ref: >- - #/components/schemas/Security_Timeline_API_ImportTimelineResult - description: Indicates a successful call. - '400': - content: - application/json: - examples: - badRequest: - summary: Invalid import - value: - body: Invalid file extension - statusCode: 400 - schema: - type: object - properties: - body: - description: The error message - example: Invalid file extension - type: string - statusCode: - example: 400 - type: number - description: Bad Request response. - '404': - content: - application/json: - examples: - notFound: - summary: Saved objects client missing + createWorkflowResponseExample: + description: Example response returning the created workflow value: - body: Unable to find saved object client - statusCode: 404 - schema: - type: object - properties: - body: - description: The error message - example: Unable to find saved object client - type: string - statusCode: - example: 404 - type: number - description: Not found response. 
- '409': + createdAt: '2025-11-20T10:30:00.000Z' + createdBy: elastic + definition: + description: This is a workflow example + enabled: true + inputs: + - default: hello world + name: message + type: string + name: Example definition + steps: + - name: hello_world_step + type: console + with: + message: '{{ inputs.message }}' + triggers: + - type: manual + description: This is a workflow example + enabled: true + id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + lastUpdatedAt: '2025-11-20T10:30:00.000Z' + lastUpdatedBy: elastic + name: Example definition + valid: true + yaml: | + name: Example definition + enabled: true + description: This is a workflow example + triggers: + - type: manual + inputs: + - name: message + type: string + default: "hello world" + steps: + - name: hello_world_step + type: console + with: + message: "{{ inputs.message }}" + description: Indicates a successful response + summary: Create a workflow + tags: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/workflows/workflow" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "yaml": "name: Example definition\nenabled: true\ndescription: This is a workflow example\ntriggers:\n - type: manual\ninputs:\n - name: message\n type: string\n default: \"hello world\"\nsteps:\n - name: hello_world_step\n type: console\n with:\n message: \"{{ inputs.message }}\"\n" + }' + - lang: Console + source: | + POST kbn://api/workflows/workflow + { + "yaml": "name: Example definition\nenabled: true\ndescription: This is a workflow example\ntriggers:\n - type: manual\ninputs:\n - name: message\n type: string\n default: \"hello world\"\nsteps:\n - name: hello_world_step\n type: console\n with:\n message: \"{{ inputs.message }}\"\n" + } + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/workflows/workflow/{id}: + delete: + description: |- + 
**Spaces method and path for this operation:** + +
delete /s/{space_id}/api/workflows/workflow/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a single workflow by its ID.

[Required authorization] Route required privileges: workflowsManagement:delete. + operationId: delete-workflows-workflow-id + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Workflow ID + in: path + name: id + required: true + schema: + type: string + - description: When true, permanently deletes the workflow (hard delete) instead of soft-deleting it. The workflow ID becomes available for reuse. + in: query + name: force + required: false + schema: + default: false + type: boolean + responses: + '200': + description: Indicates a successful response + summary: Delete a workflow + tags: + - workflows + x-codeSamples: + - label: Soft delete (default) + lang: curl + source: | + curl \ + -X DELETE "${KIBANA_URL}/api/workflows/workflow/{id}" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" + - label: Hard delete (permanent) + lang: curl + source: | + curl \ + -X DELETE "${KIBANA_URL}/api/workflows/workflow/{id}?force=true" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" + - lang: Console + source: | + DELETE kbn://api/workflows/workflow/{id} + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/workflows/workflow/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve a single workflow by its ID.

[Required authorization] Route required privileges: workflowsManagement:read. + operationId: get-workflows-workflow-id + parameters: + - description: Workflow ID + in: path + name: id + required: true + schema: + type: string + responses: + '200': content: application/json: examples: - conflict: - summary: Import conflict + getWorkflowResponseExample: + description: Example response returning a single workflow value: - body: Could not import timelines - statusCode: 409 - schema: - type: object - properties: - body: - description: The error message - example: Could not import timelines - type: string - statusCode: - example: 409 - type: number - description: Indicates the import of Timelines was unsuccessful. - summary: Import Timelines + createdAt: '2025-11-20T10:30:00.000Z' + createdBy: elastic + definition: + description: This is a workflow example + enabled: true + inputs: + - default: hello world + name: message + type: string + name: Example definition + steps: + - name: hello_world_step + type: console + with: + message: '{{ inputs.message }}' + triggers: + - type: manual + description: This is a workflow example + enabled: true + id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + lastUpdatedAt: '2025-11-21T14:00:00.000Z' + lastUpdatedBy: elastic + name: Example definition + valid: true + yaml: | + name: Example definition + enabled: true + description: This is a workflow example + triggers: + - type: manual + inputs: + - name: message + type: string + default: "hello world" + steps: + - name: hello_world_step + type: console + with: + message: "{{ inputs.message }}" + description: Indicates a successful response + summary: Get a workflow tags: - - Security Timeline API - - access:securitySolution - /api/timeline/_prepackaged: - post: - description: Install or update prepackaged Timelines. 
- operationId: InstallPrepackedTimelines + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/workflows/workflow/{id}" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/workflows/workflow/{id} + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/workflows/workflow/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Partially update an existing workflow. You can update individual fields such as name, description, enabled state, tags, or the YAML definition without providing all fields.

[Required authorization] Route required privileges: workflowsManagement:update. + operationId: put-workflows-workflow-id + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Workflow ID + in: path + name: id + required: true + schema: + type: string requestBody: content: application/json: examples: - emptyArrays: - summary: Installer payload shape + updateWorkflowEnableExample: + description: Example request to enable a workflow and update its tags value: - prepackagedTimelines: [] - timelinesToInstall: [] - timelinesToUpdate: [] + enabled: true + tags: + - production + updateWorkflowFullExample: + description: Example request to update multiple workflow fields + value: + description: Updated workflow description + enabled: true + name: Updated example + tags: + - example + - updated + yaml: | + name: Updated example + enabled: true + description: Updated workflow description + triggers: + - type: manual + inputs: + - name: message + type: string + default: "hello world" + steps: + - name: hello_world_step + type: console + with: + message: "{{ inputs.message }}" schema: + additionalProperties: false type: object properties: - prepackagedTimelines: - items: - $ref: >- - #/components/schemas/Security_Timeline_API_TimelineSavedToReturnObject - nullable: true - type: array - timelinesToInstall: - items: - $ref: '#/components/schemas/Security_Timeline_API_ImportTimelines' - nullable: true - type: array - timelinesToUpdate: + description: + type: string + enabled: + type: boolean + name: + type: string + tags: items: - $ref: '#/components/schemas/Security_Timeline_API_ImportTimelines' - nullable: true + type: string type: array - required: - - timelinesToInstall - - timelinesToUpdate - - prepackagedTimelines - description: The Timelines to install or update. 
- required: true + yaml: + type: string responses: '200': content: application/json: examples: - installResult: - summary: Install result counts + updateWorkflowResponseExample: + description: Example response returning the updated workflow value: - errors: [] - success: true - success_count: 10 - timelines_installed: 8 - timelines_updated: 2 - schema: - $ref: >- - #/components/schemas/Security_Timeline_API_ImportTimelineResult - description: Indicates a successful call. - '500': + enabled: false + id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + lastUpdatedAt: '2026-03-23T13:38:59.568Z' + lastUpdatedBy: elastic + valid: true + validationErrors: [] + description: Indicates a successful response + summary: Update a workflow + tags: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X PUT "${KIBANA_URL}/api/workflows/workflow/{id}" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "enabled": true, + "tags": ["production"] + }' + - lang: Console + source: | + PUT kbn://api/workflows/workflow/{id} + { + "enabled": true, + "tags": ["production"] + } + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/workflows/workflow/{id}/clone: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/workflows/workflow/{id}/clone
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a copy of an existing workflow.

[Required authorization] Route required privileges: workflowsManagement:create AND workflowsManagement:read. + operationId: post-workflows-workflow-id-clone + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Workflow ID + in: path + name: id + required: true + schema: + type: string + responses: + '200': content: application/json: examples: - serverError: - summary: Server error + cloneWorkflowResponseExample: + description: Example response returning the cloned workflow with a new ID value: - body: Internal error - statusCode: 500 - schema: - type: object - properties: - body: - type: string - statusCode: - type: number - description: >- - Indicates the installation of prepackaged Timelines was - unsuccessful. - summary: Install prepackaged Timelines + createdAt: '2025-11-22T11:00:00.000Z' + createdBy: elastic + definition: + description: This is a workflow example + enabled: false + inputs: + - default: hello world + name: message + type: string + name: Example definition (copy) + steps: + - name: hello_world_step + type: console + with: + message: '{{ inputs.message }}' + triggers: + - type: manual + description: This is a workflow example + enabled: false + id: workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901 + lastUpdatedAt: '2025-11-22T11:00:00.000Z' + lastUpdatedBy: elastic + name: Example definition (copy) + valid: true + yaml: | + name: Example definition (copy) + enabled: false + description: This is a workflow example + triggers: + - type: manual + inputs: + - name: message + type: string + default: "hello world" + steps: + - name: hello_world_step + type: console + with: + message: "{{ inputs.message }}" + description: Indicates a successful response + summary: Clone a workflow tags: - - Security Timeline API - - access:securitySolution - /api/timeline/resolve: - get: - description: >- - Resolve a Timeline or Timeline 
template, surfacing outcomes such as - `exactMatch`, `aliasMatch`, or `conflict` when object IDs have been - remapped during upgrades or imports. Provide **either** `id` for default - Timelines or `template_timeline_id` for templates. - operationId: ResolveTimeline + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/workflows/workflow/{id}/clone" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" + - lang: Console + source: | + POST kbn://api/workflows/workflow/{id}/clone + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/workflows/workflow/{id}/run: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/workflows/workflow/{id}/run
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Execute a workflow by its ID with the provided inputs. The workflow must be enabled and have a valid definition. Returns an execution ID that can be used to monitor progress.

[Required authorization] Route required privileges: workflowsManagement:execute AND workflowsManagement:read. + operationId: post-workflows-workflow-id-run parameters: - - description: The ID of the template timeline to resolve - in: query - name: template_timeline_id + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: + example: 'true' type: string - - description: The ID of the timeline to resolve - in: query + - description: Workflow ID + in: path name: id + required: true schema: type: string + requestBody: + content: + application/json: + examples: + runWorkflowRequestExample: + description: Example request to execute a workflow with inputs + value: + inputs: + message: hello from the API + schema: + additionalProperties: false + type: object + properties: + inputs: + additionalProperties: + nullable: true + description: Key-value inputs for the workflow execution. + type: object + metadata: + additionalProperties: + nullable: true + description: Optional metadata for the execution. + type: object + required: + - inputs responses: '200': content: application/json: examples: - exactMatch: - description: Timeline resolved without alias or conflict - summary: Exact match outcome + runWorkflowResponseExample: + description: Example response returning the execution ID value: - outcome: exactMatch - timeline: - savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - timelineType: default - title: Investigation - schema: - $ref: '#/components/schemas/Security_Timeline_API_ResolvedTimeline' - description: Indicates a successful call. - '400': - content: - application/json: - examples: - badRequest: - summary: Bad request - value: {} - schema: - additionalProperties: true - type: object - description: Bad Request response. 
- '404': - content: - application/json: - examples: - notFound: - summary: Not found - value: {} - schema: - additionalProperties: true - type: object - description: The (template) Timeline was not found - summary: Resolve a Timeline or Timeline template + workflowExecutionId: exec-a1b2c3d4-e5f6-7890 + description: Indicates a successful response + summary: Run a workflow tags: - - Security Timeline API - - access:securitySolution - /api/timelines: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/workflows/workflow/{id}/run" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "inputs": { + "message": "hello from the API" + } + }' + - lang: Console + source: | + POST kbn://api/workflows/workflow/{id}/run + { + "inputs": { + "message": "hello from the API" + } + } + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/workflows/workflow/{workflowId}/executions: get: - description: Get a list of all saved Timelines or Timeline templates. - operationId: GetTimelines + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/workflows/workflow/{workflowId}/executions
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve a paginated list of executions for a specific workflow.

[Required authorization] Route required privileges: workflowsManagement:readExecution. + operationId: get-workflows-workflow-workflowid-executions parameters: - - description: >- - If `true`, only Timelines that the current user has marked as - favorite are returned. + - description: Workflow ID + in: path + name: workflowId + required: true + schema: + type: string + - description: Filter by execution status. in: query - name: only_user_favorite + name: statuses + required: false + schema: + items: + enum: + - pending + - waiting + - waiting_for_input + - waiting_for_child + - running + - completed + - failed + - cancelled + - timed_out + - skipped + type: string + maxItems: 10 + type: array + - description: Filter by execution type. + in: query + name: executionTypes + required: false + schema: + items: + enum: + - test + - production + type: string + maxItems: 2 + type: array + - description: Filter by the user who triggered the execution. + in: query + name: executedBy + required: false + schema: + items: + type: string + maxItems: 100 + type: array + - description: Filter by evaluated concurrency group key. + in: query + name: concurrencyGroupKey + required: false schema: - enum: - - 'true' - - 'false' - nullable: true type: string - - description: >- - Restrict results to `default` investigation timelines or `template` - timeline templates. + - description: Whether to exclude step-level execution data. in: query - name: timeline_type + name: omitStepRuns + required: false schema: - $ref: '#/components/schemas/Security_Timeline_API_TimelineType' - nullable: true - - description: >- - Field used to sort the list (`title`, `description`, `updated`, or - `created`). + type: boolean + - description: Datemath lower bound for filtering executions by finishedAt (inclusive when parsed). 
in: query - name: sort_field + name: finishedAfter + required: false schema: - $ref: '#/components/schemas/Security_Timeline_API_SortFieldTimeline' - - description: Whether to sort the results `ascending` or `descending` + type: string + - description: Datemath upper bound for filtering executions by finishedAt (inclusive when parsed with roundUp). in: query - name: sort_order + name: finishedBefore + required: false + schema: + type: string + - description: Field to sort executions by. + in: query + name: sortField + required: false + schema: + enum: + - createdAt + - finishedAt + type: string + - description: Sort order. + in: query + name: sortOrder + required: false schema: enum: - asc - desc type: string - - description: How many results should returned at once + - description: Page number. in: query - name: page_size + name: page + required: false schema: - nullable: true - type: string - - description: How many pages should be skipped + minimum: 1 + type: number + - description: Number of results per page. in: query - name: page_index + name: size + required: false schema: - nullable: true - type: string - - description: Allows to search for timelines by their title + maximum: 100 + minimum: 1 + type: number + - description: Datemath lower bound for filtering executions by startedAt (inclusive when parsed). in: query - name: search + name: startedAfter + required: false schema: - nullable: true type: string - - description: >- - Filter by timeline lifecycle state (`active`, `draft`, or - `immutable`). + - description: Datemath upper bound for filtering executions by startedAt (inclusive when parsed with roundUp). 
in: query - name: status + name: startedBefore + required: false schema: - $ref: '#/components/schemas/Security_Timeline_API_TimelineStatus' - nullable: true + type: string responses: '200': content: application/json: examples: - timelineList: - summary: Example list response - value: - customTemplateTimelineCount: 0 - defaultTimelineCount: 1 - elasticTemplateTimelineCount: 0 - favoriteCount: 0 - templateTimelineCount: 0 - timeline: - - savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - status: active - timelineType: default - title: Phishing investigation - updated: 1741344876825 - version: WzE0LDFd - totalCount: 1 - schema: - type: object - properties: - customTemplateTimelineCount: - description: The amount of custom Timeline templates in the results - example: 2 - type: number - defaultTimelineCount: - description: The amount of `default` type Timelines in the results - example: 90 - type: number - elasticTemplateTimelineCount: - description: The amount of Elastic's Timeline templates in the results - example: 8 - type: number - favoriteCount: - description: The amount of favorited Timelines - example: 5 - type: number - templateTimelineCount: - description: The amount of Timeline templates in the results - example: 10 - type: number - timeline: - items: - $ref: >- - #/components/schemas/Security_Timeline_API_TimelineResponse - type: array - totalCount: - description: The total amount of results - example: 100 - type: number - required: - - timeline - - totalCount - description: Indicates a successful call. - '400': - content: - application/json: - examples: - badRequest: - summary: Error response body + getWorkflowExecutionsResponseExample: + description: Example response returning a paginated list of executions for a workflow value: - body: get timeline error - statusCode: 400 - schema: - type: object - properties: - body: - description: The error message. 
- example: get timeline error - type: string - statusCode: - example: 400 - type: number - description: Bad Request response. - summary: Get Timelines or Timeline templates + page: 1 + results: + - duration: 3000 + error: null + executedBy: elastic + finishedAt: '2025-11-20T12:00:03.000Z' + id: exec-001 + isTestRun: false + spaceId: default + startedAt: '2025-11-20T12:00:00.000Z' + status: completed + triggeredBy: manual + workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + - duration: 2000 + error: + message: Step 'hello_world_step' failed + executedBy: elastic + finishedAt: '2025-11-20T13:00:02.000Z' + id: exec-002 + isTestRun: false + spaceId: default + startedAt: '2025-11-20T13:00:00.000Z' + status: failed + triggeredBy: manual + workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + size: 20 + total: 2 + description: Indicates a successful response + summary: Get workflow executions tags: - - Security Timeline API - - access:securitySolution - /api/upgrade_assistant/status: - get: - description: Check the status of your cluster. - operationId: get-upgrade-status + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/workflows/workflow/{workflowId}/executions?page=1&size=20" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/workflows/workflow/{workflowId}/executions?page=1&size=20&startedAfter=now-1d&startedBefore=now + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/workflows/workflow/{workflowId}/executions/cancel: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/workflows/workflow/{workflowId}/executions/cancel
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Request cancellation for all non-terminal executions of the given workflow in the current space.

[Required authorization] Route required privileges: workflowsManagement:cancelExecution. + operationId: post-workflows-workflow-workflowid-executions-cancel + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Workflow ID + in: path + name: workflowId + required: true + schema: + type: string responses: '200': - content: - application/json: - examples: - getUpgradeStatusResponseExample1: - value: |- - { - "readyForUpgrade": false, - "cluster": [ - { - "message": "Cluster deprecated issue", - "details":"You have 2 system indices that must be migrated and 5 Elasticsearch deprecation issues and 0 Kibana deprecation issues that must be resolved before upgrading." - } - ] - } - description: Indicates a successful call. - summary: Get the upgrade readiness status + description: Indicates a successful response + summary: Cancel all active workflow executions tags: - - upgrade - x-state: Technical Preview - /api/uptime/settings: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/workflows/workflow/{workflowId}/executions/cancel" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" + - lang: Console + source: | + POST kbn://api/workflows/workflow/{workflowId}/executions/cancel + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/workflows/workflow/{workflowId}/executions/steps: get: - description: > - You must have `read` privileges for the uptime feature in the - Observability section of the Kibana feature privileges. 
- operationId: get-uptime-settings - responses: - '200': - content: - application/json: - examples: - getUptimeSettingsResponseExample1: - value: |- - { - "heartbeatIndices": "heartbeat-8*", - "certExpirationThreshold": 30, - "certAgeThreshold": 730, - "defaultConnectors": [ - "08990f40-09c5-11ee-97ae-912b222b13d4", - "db25f830-2318-11ee-9391-6b0c030836d6" - ], - "defaultEmail": { - "to": [], - "cc": [], - "bcc": [] - } - } - schema: - type: object - description: Indicates a successful call - summary: Get uptime settings - tags: - - uptime - put: - description: > - Update uptime setting attributes like `heartbeatIndices`, - `certExpirationThreshold`, `certAgeThreshold`, `defaultConnectors`, or - `defaultEmail`. You must have `all` privileges for the uptime feature in - the Observability section of the Kibana feature privileges. A partial - update is supported, provided settings keys will be merged with existing - settings. - operationId: put-uptime-settings - requestBody: - content: - application/json: - examples: - putUptimeSettingsRequestExample1: - description: >- - Run `PUT api/uptime/settings` to update multiple Uptime - settings. - summary: Update multiple settings - value: |- - { - "heartbeatIndices": "heartbeat-8*", - "certExpirationThreshold": 30, - "certAgeThreshold": 730, - "defaultConnectors": [ - "08990f40-09c5-11ee-97ae-912b222b13d4", - "db25f830-2318-11ee-9391-6b0c030836d6" - ], - "defaultEmail": { - "to": [], - "cc": [], - "bcc": [] - } - } - putUptimeSettingsRequestExample2: - description: >- - Run `PUT api/uptime/settings` to update a single Uptime - setting. - summary: Update a setting - value: |- - { - "heartbeatIndices": "heartbeat-8*", - } - schema: - type: object - properties: - certAgeThreshold: - default: 730 - description: >- - The number of days after a certificate is created to trigger - an alert. 
- type: number - certExpirationThreshold: - default: 30 - description: >- - The number of days before a certificate expires to trigger - an alert. - type: number - defaultConnectors: - default: [] - description: >- - A list of connector IDs to be used as default connectors for - new alerts. - items: - type: string - type: array - defaultEmail: - description: | - The default email configuration for new alerts. - type: object - properties: - bcc: - default: [] - items: - type: string - type: array - cc: - default: [] - items: - type: string - type: array - to: - default: [] - items: - type: string - type: array - heartbeatIndices: - default: heartbeat-* - description: > - An index pattern string to be used within the Uptime app and - alerts to query Heartbeat data. - type: string + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/workflows/workflow/{workflowId}/executions/steps
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve a paginated list of step-level execution records for a specific workflow. Optionally filter by step ID and include input or output data.

[Required authorization] Route required privileges: workflowsManagement:readExecution. + operationId: get-workflows-workflow-workflowid-executions-steps + parameters: + - description: Workflow ID + in: path + name: workflowId + required: true + schema: + type: string + - description: Filter by step ID. + in: query + name: stepId + required: false + schema: + type: string + - description: Include step input data. + in: query + name: includeInput + required: false + schema: + type: boolean + - description: Include step output data. + in: query + name: includeOutput + required: false + schema: + type: boolean + - description: Page number for pagination. + in: query + name: page + required: false + schema: + minimum: 1 + type: number + - description: Number of results per page. + in: query + name: size + required: false + schema: + maximum: 100 + minimum: 1 + type: number + - description: Datemath lower bound for filtering step executions by startedAt (inclusive when parsed). + in: query + name: startedAfter + required: false + schema: + type: string + - description: Datemath upper bound for filtering step executions by startedAt (inclusive when parsed with roundUp). + in: query + name: startedBefore + required: false + schema: + type: string responses: '200': content: application/json: examples: - putUptimeSettingsResponseExample1: - description: A successful response from `PUT api/uptime/settings`. 
- value: |- - { - "heartbeatIndices": "heartbeat-8*", - "certExpirationThreshold": 30, - "certAgeThreshold": 730, - "defaultConnectors": [ - "08990f40-09c5-11ee-97ae-912b222b13d4", - "db25f830-2318-11ee-9391-6b0c030836d6" - ], - "defaultEmail": { - "to": [], - "cc": [], - "bcc": [] - } - } - schema: - type: object - description: Indicates a successful call - summary: Update uptime settings + getWorkflowStepExecutionsResponseExample: + description: Example response returning step execution records for a workflow + value: + results: + - executionTimeMs: 1000 + finishedAt: '2025-11-20T12:00:02.000Z' + globalExecutionIndex: 0 + id: step-exec-001 + input: + message: hello world + isTestRun: false + scopeStack: [] + spaceId: default + startedAt: '2025-11-20T12:00:01.000Z' + status: completed + stepExecutionIndex: 0 + stepId: hello_world_step + stepType: console + topologicalIndex: 0 + workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + workflowRunId: exec-001 + total: 1 + description: Indicates a successful response + summary: Get workflow step executions tags: - - uptime + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/workflows/workflow/{workflowId}/executions/steps?includeInput=true" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/workflows/workflow/{workflowId}/executions/steps?includeInput=true + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name /s/{spaceId}/api/observability/slos: get: - description: > - You must have the `read` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. + description: | + You must have the `read` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. operationId: findSlosOp parameters: - $ref: '#/components/parameters/SLOs_kbn_xsrf' 
@@ -46544,18 +71818,14 @@ paths: name: kqlQuery schema: type: string - - description: >- - The page size to use for cursor-based pagination, must be greater or - equal than 1 + - description: The page size to use for cursor-based pagination, must be greater or equal than 1 example: 1 in: query name: size schema: default: 1 type: integer - - description: >- - The cursor to use for fetching the results from, when using a - cursor-base pagination. + - description: The cursor to use for fetching the results from, when using a cursor-base pagination. in: query name: searchAfter schema: @@ -46599,9 +71869,7 @@ paths: - asc - desc type: string - - description: >- - Hide stale SLOs from the list as defined by stale SLO threshold in - SLO settings + - description: Hide stale SLOs from the list as defined by stale SLO threshold in SLO settings in: query name: hideStale schema: @@ -46625,9 +71893,7 @@ paths: id: 8853df00-ae2e-11ed-90af-09bb6422b258 indicator: params: - filter: >- - field.environment : "production" and service.name - : "my-service" + filter: 'field.environment : "production" and service.name : "my-service"' good: 'request.status_code : "2xx"' index: logs-* timestampField: '@timestamp' @@ -46682,9 +71948,7 @@ paths: summary: Unauthorized value: error: Unauthorized - message: >- - security_exception: unable to authenticate user for REST - request [/api/observability/slos] + message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' statusCode: 401 schema: $ref: '#/components/schemas/SLOs_401_response' @@ -46697,9 +71961,7 @@ paths: summary: Forbidden value: error: Forbidden - message: >- - security_exception: action [slo_read] is unauthorized for - user + message: 'security_exception: action [slo_read] is unauthorized for user' statusCode: 403 schema: $ref: '#/components/schemas/SLOs_403_response' 
@@ -46720,10 +71982,12 @@ paths: summary: Get a paginated list of SLOs tags: - slo + x-metaTags: + - content: Kibana + name: product_name post: - description: > - You must have `all` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. + description: | + You must have `all` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. operationId: createSloOp parameters: - $ref: '#/components/parameters/SLOs_kbn_xsrf' @@ -46736,14 +72000,10 @@ paths: summary: Create an SLO with a KQL indicator value: budgetingMethod: occurrences - description: >- - Availability of my web service measured by successful HTTP - responses + description: Availability of my web service measured by successful HTTP responses indicator: params: - filter: >- - field.environment : "production" and service.name : - "my-service" + filter: 'field.environment : "production" and service.name : "my-service"' good: 'request.status_code : "2xx"' index: logs-* timestampField: '@timestamp' @@ -46797,9 +72057,7 @@ paths: summary: Unauthorized value: error: Unauthorized - message: >- - security_exception: unable to authenticate user for REST - request [/api/observability/slos] + message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' statusCode: 401 schema: $ref: '#/components/schemas/SLOs_401_response' @@ -46812,9 +72070,7 @@ paths: summary: Forbidden value: error: Forbidden - message: >- - security_exception: action [slo_write] is unauthorized for - user + message: 'security_exception: action [slo_write] is unauthorized for user' statusCode: 403 schema: $ref: '#/components/schemas/SLOs_403_response' 
@@ -46835,13 +72091,13 @@ paths: summary: Create an SLO tags: - slo + x-metaTags: + - content: Kibana + name: product_name /s/{spaceId}/api/observability/slos/_bulk_delete: post: - description: > - Bulk delete SLO definitions and their associated summary and rollup - data. This endpoint initiates a bulk deletion operation for SLOs, which - may take some time to complete. The status of the operation can be - checked using the `GET /api/slo/_bulk_delete/{taskId}` endpoint. + description: | + Bulk delete SLO definitions and their associated summary and rollup data. This endpoint initiates a bulk deletion operation for SLOs, which may take some time to complete. The status of the operation can be checked using the `GET /api/slo/_bulk_delete/{taskId}` endpoint. operationId: bulkDeleteOp parameters: - $ref: '#/components/parameters/SLOs_kbn_xsrf' @@ -46892,9 +72148,7 @@ paths: summary: Unauthorized value: error: Unauthorized - message: >- - security_exception: unable to authenticate user for REST - request [/api/observability/slos] + message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' statusCode: 401 schema: $ref: '#/components/schemas/SLOs_401_response' 
@@ -46907,24 +72161,21 @@ paths: summary: Forbidden value: error: Forbidden - message: >- - security_exception: action [slo_write] is unauthorized for - user + message: 'security_exception: action [slo_write] is unauthorized for user' statusCode: 403 schema: $ref: '#/components/schemas/SLOs_403_response' description: Forbidden response - summary: >- - Bulk delete SLO definitions and their associated summary and rollup - data. + summary: Bulk delete SLO definitions and their associated summary and rollup data. tags: - slo + x-metaTags: + - content: Kibana + name: product_name /s/{spaceId}/api/observability/slos/_bulk_delete/{taskId}: get: - description: > - Retrieve the status of the bulk deletion operation for SLOs. This - endpoint returns the status of the bulk deletion operation, including - whether it is completed and the results of the operation. + description: | + Retrieve the status of the bulk deletion operation for SLOs. This endpoint returns the status of the bulk deletion operation, including whether it is completed and the results of the operation. operationId: bulkDeleteStatusOp parameters: - $ref: '#/components/parameters/SLOs_kbn_xsrf' @@ -46984,9 +72235,7 @@ paths: summary: Unauthorized value: error: Unauthorized - message: >- - security_exception: unable to authenticate user for REST - request [/api/observability/slos] + message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' statusCode: 401 schema: $ref: '#/components/schemas/SLOs_401_response' @@ -46999,9 +72248,7 @@ paths: summary: Forbidden value: error: Forbidden - message: >- - security_exception: action [slo_write] is unauthorized for - user + message: 'security_exception: action [slo_write] is unauthorized for user' statusCode: 403 schema: $ref: '#/components/schemas/SLOs_403_response' 
@@ -47009,12 +72256,13 @@ paths: summary: Retrieve the status of the bulk deletion tags: - slo + x-metaTags: + - content: Kibana + name: product_name /s/{spaceId}/api/observability/slos/_bulk_purge_rollup: post: - description: > - The deletion occurs for the specified list of `sloId`. You must have - `all` privileges for the **SLOs** feature in the **Observability** - section of the Kibana feature privileges. + description: | + The deletion occurs for the specified list of `sloId`. You must have `all` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. operationId: deleteRollupDataOp parameters: - $ref: '#/components/parameters/SLOs_kbn_xsrf' @@ -47076,9 +72324,7 @@ paths: summary: Unauthorized value: error: Unauthorized - message: >- - security_exception: unable to authenticate user for REST - request [/api/observability/slos] + message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' statusCode: 401 schema: $ref: '#/components/schemas/SLOs_401_response' @@ -47091,9 +72337,7 @@ paths: summary: Forbidden value: error: Forbidden - message: >- - security_exception: action [slo_write] is unauthorized for - user + message: 'security_exception: action [slo_write] is unauthorized for user' statusCode: 403 schema: $ref: '#/components/schemas/SLOs_403_response' 
@@ -47101,12 +72345,13 @@ paths: summary: Batch delete rollup and summary data tags: - slo + x-metaTags: + - content: Kibana + name: product_name /s/{spaceId}/api/observability/slos/_delete_instances: post: - description: > - The deletion occurs for the specified list of `sloId` and `instanceId`. - You must have `all` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. + description: | + The deletion occurs for the specified list of `sloId` and `instanceId`. You must have `all` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. operationId: deleteSloInstancesOp parameters: - $ref: '#/components/parameters/SLOs_kbn_xsrf' @@ -47150,9 +72395,7 @@ paths: summary: Unauthorized value: error: Unauthorized - message: >- - security_exception: unable to authenticate user for REST - request [/api/observability/slos] + message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' statusCode: 401 schema: $ref: '#/components/schemas/SLOs_401_response' @@ -47165,9 +72408,7 @@ paths: summary: Forbidden value: error: Forbidden - message: >- - security_exception: action [slo_write] is unauthorized for - user + message: 'security_exception: action [slo_write] is unauthorized for user' statusCode: 403 schema: $ref: '#/components/schemas/SLOs_403_response' @@ -47175,11 +72416,13 @@ paths: summary: Batch delete rollup and summary data tags: - slo + x-metaTags: + - content: Kibana + name: product_name /s/{spaceId}/api/observability/slos/{sloId}: delete: - description: > - You must have the `write` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. + description: | + You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. operationId: deleteSloOp parameters: - $ref: '#/components/parameters/SLOs_kbn_xsrf' 
@@ -47209,9 +72452,7 @@ paths: summary: Unauthorized value: error: Unauthorized - message: >- - security_exception: unable to authenticate user for REST - request [/api/observability/slos] + message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' statusCode: 401 schema: $ref: '#/components/schemas/SLOs_401_response' @@ -47224,9 +72465,7 @@ paths: summary: Forbidden value: error: Forbidden - message: >- - security_exception: action [slo_write] is unauthorized for - user + message: 'security_exception: action [slo_write] is unauthorized for user' statusCode: 403 schema: $ref: '#/components/schemas/SLOs_403_response' @@ -47247,10 +72486,12 @@ paths: summary: Delete an SLO tags: - slo + x-metaTags: + - content: Kibana + name: product_name get: - description: > - You must have the `read` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. + description: | + You must have the `read` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. operationId: getSloOp parameters: - $ref: '#/components/parameters/SLOs_kbn_xsrf' @@ -47278,9 +72519,7 @@ paths: id: 8853df00-ae2e-11ed-90af-09bb6422b258 indicator: params: - filter: >- - field.environment : "production" and service.name : - "my-service" + filter: 'field.environment : "production" and service.name : "my-service"' good: 'request.status_code : "2xx"' index: logs-* timestampField: '@timestamp' @@ -47334,9 +72573,7 @@ paths: summary: Unauthorized value: error: Unauthorized - message: >- - security_exception: unable to authenticate user for REST - request [/api/observability/slos] + message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' statusCode: 401 schema: $ref: '#/components/schemas/SLOs_401_response' 
@@ -47349,9 +72586,7 @@ paths: summary: Forbidden value: error: Forbidden - message: >- - security_exception: action [slo_read] is unauthorized for - user + message: 'security_exception: action [slo_read] is unauthorized for user' statusCode: 403 schema: $ref: '#/components/schemas/SLOs_403_response' @@ -47372,10 +72607,12 @@ paths: summary: Get an SLO tags: - slo + x-metaTags: + - content: Kibana + name: product_name put: - description: > - You must have the `write` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. + description: | + You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. operationId: updateSloOp parameters: - $ref: '#/components/parameters/SLOs_kbn_xsrf' @@ -47416,9 +72653,7 @@ paths: id: 8853df00-ae2e-11ed-90af-09bb6422b258 indicator: params: - filter: >- - field.environment : "production" and service.name : - "my-service" + filter: 'field.environment : "production" and service.name : "my-service"' good: 'request.status_code : "2xx"' index: logs-* timestampField: '@timestamp' @@ -47463,9 +72698,7 @@ paths: summary: Unauthorized value: error: Unauthorized - message: >- - security_exception: unable to authenticate user for REST - request [/api/observability/slos] + message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' statusCode: 401 schema: $ref: '#/components/schemas/SLOs_401_response' @@ -47478,9 +72711,7 @@ paths: summary: Forbidden value: error: Forbidden - message: >- - security_exception: action [slo_write] is unauthorized for - user + message: 'security_exception: action [slo_write] is unauthorized for user' statusCode: 403 schema: $ref: '#/components/schemas/SLOs_403_response' 
@@ -47501,11 +72732,13 @@ paths: summary: Update an SLO tags: - slo + x-metaTags: + - content: Kibana + name: product_name /s/{spaceId}/api/observability/slos/{sloId}/_reset: post: - description: > - You must have the `write` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. + description: | + You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. operationId: resetSloOp parameters: - $ref: '#/components/parameters/SLOs_kbn_xsrf' @@ -47527,9 +72760,7 @@ paths: id: 8853df00-ae2e-11ed-90af-09bb6422b258 indicator: params: - filter: >- - field.environment : "production" and service.name : - "my-service" + filter: 'field.environment : "production" and service.name : "my-service"' good: 'request.status_code : "2xx"' index: logs-* timestampField: '@timestamp' @@ -47574,9 +72805,7 @@ paths: summary: Unauthorized value: error: Unauthorized - message: >- - security_exception: unable to authenticate user for REST - request [/api/observability/slos] + message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' statusCode: 401 schema: $ref: '#/components/schemas/SLOs_401_response' @@ -47589,9 +72818,7 @@ paths: summary: Forbidden value: error: Forbidden - message: >- - security_exception: action [slo_write] is unauthorized for - user + message: 'security_exception: action [slo_write] is unauthorized for user' statusCode: 403 schema: $ref: '#/components/schemas/SLOs_403_response' 
@@ -47612,11 +72839,13 @@ paths: summary: Reset an SLO tags: - slo + x-metaTags: + - content: Kibana + name: product_name /s/{spaceId}/api/observability/slos/{sloId}/disable: post: - description: > - You must have the `write` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. + description: | + You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. operationId: disableSloOp parameters: - $ref: '#/components/parameters/SLOs_kbn_xsrf' @@ -47646,9 +72875,7 @@ paths: summary: Unauthorized value: error: Unauthorized - message: >- - security_exception: unable to authenticate user for REST - request [/api/observability/slos] + message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' statusCode: 401 schema: $ref: '#/components/schemas/SLOs_401_response' @@ -47661,9 +72888,7 @@ paths: summary: Forbidden value: error: Forbidden - message: >- - security_exception: action [slo_write] is unauthorized for - user + message: 'security_exception: action [slo_write] is unauthorized for user' statusCode: 403 schema: $ref: '#/components/schemas/SLOs_403_response' @@ -47684,11 +72909,13 @@ paths: summary: Disable an SLO tags: - slo + x-metaTags: + - content: Kibana + name: product_name /s/{spaceId}/api/observability/slos/{sloId}/enable: post: - description: > - You must have the `write` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. + description: | + You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. operationId: enableSloOp parameters: - $ref: '#/components/parameters/SLOs_kbn_xsrf' 
@@ -47718,9 +72945,7 @@ paths: summary: Unauthorized value: error: Unauthorized - message: >- - security_exception: unable to authenticate user for REST - request [/api/observability/slos] + message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' statusCode: 401 schema: $ref: '#/components/schemas/SLOs_401_response' @@ -47733,9 +72958,7 @@ paths: summary: Forbidden value: error: Forbidden - message: >- - security_exception: action [slo_write] is unauthorized for - user + message: 'security_exception: action [slo_write] is unauthorized for user' statusCode: 403 schema: $ref: '#/components/schemas/SLOs_403_response' @@ -47756,18 +72979,18 @@ paths: summary: Enable an SLO tags: - slo + x-metaTags: + - content: Kibana + name: product_name /s/{spaceId}/internal/observability/slos/_definitions: get: - description: > - You must have the `read` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. + description: | + You must have the `read` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. operationId: getDefinitionsOp parameters: - $ref: '#/components/parameters/SLOs_kbn_xsrf' - $ref: '#/components/parameters/SLOs_space_id' - - description: >- - Indicates if the API returns only outdated SLO or all SLO - definitions + - description: Indicates if the API returns only outdated SLO or all SLO definitions in: query name: includeOutdatedOnly schema: 
@@ -47831,23 +73054,22 @@ paths: summary: Get the SLO definitions tags: - slo + x-metaTags: + - content: Kibana + name: product_name components: examples: Alerting_401_health_response: summary: Unauthorized response for the get alerting health API. value: error: Unauthorized - message: >- - [security_exception] missing authentication credentials for REST - request + message: '[security_exception] missing authentication credentials for REST request' statusCode: 401 Alerting_401_rule_types_response: summary: Unauthorized response for the get rule types API. value: error: Unauthorized - message: >- - [security_exception] missing authentication credentials for REST - request + message: '[security_exception] missing authentication credentials for REST request' statusCode: 401 Alerting_get_health_response: summary: Retrieve information about the health of the alerting framework. @@ -48086,9 +73308,7 @@ components: name: Recovered rule_task_timeout: 5m APM_UI_agent_configuration_environments_200_response1: - description: >- - An example of a successful response from `GET - /api/apm/settings/agent-configuration/environments`. + description: An example of a successful response from `GET /api/apm/settings/agent-configuration/environments`. value: environments: - alreadyConfigured: true 
@@ -48098,23 +73318,17 @@ components: - alreadyConfigured: false name: ALL_OPTION_VALUE APM_UI_agent_configuration_intake_object_delete_200_response1: - description: >- - An example of a successful response from `DELETE - /api/apm/settings/agent-configuration`. + description: An example of a successful response from `DELETE /api/apm/settings/agent-configuration`. value: result: deleted APM_UI_agent_configuration_intake_object_delete_request1: - description: >- - Run `DELETE /api/apm/settings/agent-configuration` to delete a - configuration. + description: Run `DELETE /api/apm/settings/agent-configuration` to delete a configuration. value: service: environment: production name: frontend APM_UI_agent_configuration_intake_object_get_200_response1: - description: >- - An example of a successful response from `GET - /api/apm/settings/agent-configuration`. + description: An example of a successful response from `GET /api/apm/settings/agent-configuration`. value: - '@timestamp': 1581934104843 agent_name: go @@ -48146,15 +73360,10 @@ components: settings: transaction_sample_rate: '1' APM_UI_agent_configuration_intake_object_put_200_response1: - description: >- - An example of a successful response from `PUT - /api/apm/settings/agent-configuration`. The response body is - intentionally empty. + description: An example of a successful response from `PUT /api/apm/settings/agent-configuration`. The response body is intentionally empty. value: {} APM_UI_agent_configuration_intake_object_put_request1: - description: >- - Run `PUT /api/apm/settings/agent-configuration` to create or update - configuration details. + description: Run `PUT /api/apm/settings/agent-configuration` to create or update configuration details. value: agent_name: nodejs service: 
@@ -48165,9 +73374,7 @@ components: transaction_max_spans: '500' transaction_sample_rate: '0.4' APM_UI_agent_configuration_intake_object_search_200_response1: - description: >- - An example of a successful response from `POST - /api/apm/settings/agent-configuration/search`. + description: An example of a successful response from `POST /api/apm/settings/agent-configuration/search`. value: _id: CIaqXXABmQCdPphWj8EJ _index: .apm-agent-configuration @@ -48182,18 +73389,14 @@ components: settings: transaction_sample_rate: '1' APM_UI_agent_configuration_intake_object_search_request1: - description: >- - Run `POST /api/apm/settings/agent-configuration/search` to search - configuration details. + description: Run `POST /api/apm/settings/agent-configuration/search` to search configuration details. value: etag: 1e58c178efeebae15c25c539da740d21dee422fc service: environment: production name: frontend APM_UI_agent_configuration_intake_object_view_200_response1: - description: >- - An example of a successful response from `GET - /api/apm/settings/agent-configuration/view`. + description: An example of a successful response from `GET /api/apm/settings/agent-configuration/view`. value: '@timestamp': 1582031336265 agent_name: nodejs @@ -48208,9 +73411,7 @@ components: transaction_max_spans: '500' transaction_sample_rate: '0.4' APM_UI_agent_keys_object_post_200_response1: - description: >- - An example of a successful response from `POST /api/apm/agent_keys`, - which creates an APM agent API key. + description: An example of a successful response from `POST /api/apm/agent_keys`, which creates an APM agent API key. value: agentKey: api_key: PjGloCGOTzaZr8ilUPvkjA 
@@ -48218,19 +73419,14 @@ components: id: 3DCLmn0B3ZMhLUa7WBG9 name: apm-key APM_UI_agent_keys_object_post_request1: - description: >- - Run `POST /api/apm/agent_keys` to create an APM agent API key with the - specified privileges. + description: Run `POST /api/apm/agent_keys` to create an APM agent API key with the specified privileges. value: name: apm-key privileges: - event:write - config_agent:read APM_UI_annotation_object_post_200_response1: - description: >- - An example of a successful response from `POST - /api/apm/services/opbeans-java/annotation`, which creates an annotation - for a service named `opbeans-java`. + description: An example of a successful response from `POST /api/apm/services/opbeans-java/annotation`, which creates an annotation for a service named `opbeans-java`. value: _id: Lc9I93EBh6DbmkeV7nFX _index: observability-annotations @@ -48253,9 +73449,7 @@ components: _version: 1 found: true APM_UI_annotation_object_post_request1: - description: >- - Run `POST /api/apm/services/{serviceName}/annotation` to create a - deployment annotation for a service. + description: Run `POST /api/apm/services/{serviceName}/annotation` to create a deployment annotation for a service. value: '@timestamp': '2024-01-15T12:00:00.000Z' message: Deployment 1.2.0 @@ -48266,10 +73460,7 @@ components: - apm - deployment APM_UI_annotation_search_get_200_response1: - description: >- - An example of a successful response from `GET - /api/apm/services/{serviceName}/annotation/search`, which returns the - annotations associated with a service over the given time range. + description: An example of a successful response from `GET /api/apm/services/{serviceName}/annotation/search`, which returns the annotations associated with a service over the given time range. value: annotations: - '@timestamp': 1735689600000 
@@ -48281,77 +73472,50 @@ components: text: opbeans-node@2.1.0 type: version APM_UI_error_400_response: - description: >- - An example of a 400 Bad Request response, returned when the request - payload or query parameters fail validation. + description: An example of a 400 Bad Request response, returned when the request payload or query parameters fail validation. value: error: Bad Request message: '[request body]: expected value of type [string] but got [undefined]' statusCode: 400 APM_UI_error_401_response: - description: >- - An example of a 401 Unauthorized response, returned when the request is - missing valid authentication credentials. + description: An example of a 401 Unauthorized response, returned when the request is missing valid authentication credentials. value: error: Unauthorized - message: >- - [security_exception]: missing authentication credentials for REST - request + message: '[security_exception]: missing authentication credentials for REST request' statusCode: 401 APM_UI_error_403_response: - description: >- - An example of a 403 Forbidden response, returned when the authenticated - user lacks the required APM and User Experience privileges. + description: An example of a 403 Forbidden response, returned when the authenticated user lacks the required APM and User Experience privileges. value: error: Forbidden - message: >- - Insufficient privileges to perform this action. The APM and User - Experience feature requires `all` privileges. + message: Insufficient privileges to perform this action. The APM and User Experience feature requires `all` privileges. statusCode: 403 APM_UI_error_404_response: - description: >- - An example of a 404 Not Found response, returned when the requested - resource does not exist or the feature is not available on the current - deployment. + description: An example of a 404 Not Found response, returned when the requested resource does not exist or the feature is not available on the current deployment. 
value: error: Not Found message: Not Found statusCode: 404 APM_UI_error_500_response: - description: >- - An example of a 500 Internal Server Error response, returned when an - unexpected error occurs while processing the request. + description: An example of a 500 Internal Server Error response, returned when an unexpected error occurs while processing the request. value: error: Internal Server Error - message: >- - An internal server error occurred. Check the Kibana server logs for - details. + message: An internal server error occurred. Check the Kibana server logs for details. statusCode: 500 APM_UI_error_501_response: - description: >- - An example of a 501 Not Implemented response, returned when the source - map feature is not available on the current deployment. + description: An example of a 501 Not Implemented response, returned when the source map feature is not available on the current deployment. value: error: Not Implemented message: Not Implemented statusCode: 501 APM_UI_fleet_apm_server_schema_200_response1: - description: >- - An example of a successful response from `POST - /api/apm/fleet/apm_server_schema`. The response body is intentionally - empty. + description: An example of a successful response from `POST /api/apm/fleet/apm_server_schema`. The response body is intentionally empty. value: {} APM_UI_service_agent_name_get_200_response1: - description: >- - An example of a successful response from `GET - /api/apm/settings/agent-configuration/agent_name`, which returns the - detected APM agent name for a service. + description: An example of a successful response from `GET /api/apm/settings/agent-configuration/agent_name`, which returns the detected APM agent name for a service. value: agentName: nodejs APM_UI_source_maps_delete_200_response1: - description: >- - An example of a successful response from `DELETE - /api/apm/sourcemaps/{id}`. The response body is intentionally empty. 
+ description: An example of a successful response from `DELETE /api/apm/sourcemaps/{id}`. The response body is intentionally empty. value: {} APM_UI_source_maps_get_200_response1: description: A successful response from `GET /api/apm/sourcemaps`. @@ -48381,18 +73545,15 @@ components: encodedSha256: 024c72749c3e3dd411b103f7040ae62633558608f480bce4b108cf5b2275bd24 encodedSize: 237 encryptionAlgorithm: none - id: >- - apm:foo-1.0.0-644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 + id: apm:foo-1.0.0-644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 identifier: foo-1.0.0 packageName: apm - relative_url: >- - /api/fleet/artifacts/foo-1.0.0/644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 + relative_url: /api/fleet/artifacts/foo-1.0.0/644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 type: sourcemap APM_UI_source_maps_upload_200_response1: description: A successful response from `POST /api/apm/sourcemaps`. value: - body: >- - eJyFkL1OwzAUhd/Fc+MbYMuCEBIbHRjKgBgc96R16tiWr1OQqr47NwqJxEK3q/PzWccXxchnZ7E1A1SjuhjVZtF2yOxiEPlO17oWox3D3uPFeSRTjmJQARfCPeiAgGx8NTKsYdAc1T3rwaSJGcds8Sp3c1HnhfywUZ3QhMTFFGepZxqMC9oex3CS9tpk1XyozgOlmoVKuJX1DqEQZ0su7PGtLU+V/3JPKc3cL7TJ2FNDRPov4bFta3MDM4f7W69lpJjLO9qdK8bzVPhcJz3HUCQ4LbO/p5hCSC4cZPByrp/wFqOklbpefwAhzpqI + body: eJyFkL1OwzAUhd/Fc+MbYMuCEBIbHRjKgBgc96R16tiWr1OQqr47NwqJxEK3q/PzWccXxchnZ7E1A1SjuhjVZtF2yOxiEPlO17oWox3D3uPFeSRTjmJQARfCPeiAgGx8NTKsYdAc1T3rwaSJGcds8Sp3c1HnhfywUZ3QhMTFFGepZxqMC9oex3CS9tpk1XyozgOlmoVKuJX1DqEQZ0su7PGtLU+V/3JPKc3cL7TJ2FNDRPov4bFta3MDM4f7W69lpJjLO9qdK8bzVPhcJz3HUCQ4LbO/p5hCSC4cZPByrp/wFqOklbpefwAhzpqI compressionAlgorithm: zlib created: '2021-07-09T20:47:44.812Z' decodedSha256: 644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 
@@ -48400,26 +73561,20 @@ components: encodedSha256: 024c72749c3e3dd411b103f7040ae62633558608f480bce4b108cf5b2275bd24 encodedSize: 237 encryptionAlgorithm: none - id: >- - apm:foo-1.0.0-644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 + id: apm:foo-1.0.0-644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 identifier: foo-1.0.0 packageName: apm - relative_url: >- - /api/fleet/artifacts/foo-1.0.0/644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 + relative_url: /api/fleet/artifacts/foo-1.0.0/644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 type: sourcemap APM_UI_source_maps_upload_request1: - description: > - An example of a multipart/form-data request body for `POST - /api/apm/sourcemaps`. - - Each field is a separate form part; `sourcemap` is the source map file - content (typically uploaded as a file). + description: | + An example of a multipart/form-data request body for `POST /api/apm/sourcemaps`. + Each field is a separate form part; `sourcemap` is the source map file content (typically uploaded as a file). value: bundle_filepath: /test/e2e/general-usecase/bundle.js.map service_name: opbeans-node service_version: 1.0.0 - sourcemap: >- - {"version":3,"sources":["bundle.js"],"names":[],"mappings":"AAAA","file":"bundle.js","sourcesContent":["console.log('hello');"]} + sourcemap: '{"version":3,"sources":["bundle.js"],"names":[],"mappings":"AAAA","file":"bundle.js","sourcesContent":["console.log(''hello'');"]}' Cases_add_comment_request: summary: Adds a comment to a case. value: @@ -48427,9 +73582,7 @@ components: owner: cases type: user Cases_add_comment_response: - summary: >- - The add comment to case API returns a JSON object that contains details - about the case and its comments. + summary: The add comment to case API returns a JSON object that contains details about the case and its comments. value: assignees: [] category: null 
@@ -48517,9 +73670,7 @@ components: - tag-1 title: Case title 1 Cases_create_case_response: - summary: >- - The create case API returns a JSON object that contains details about - the case. + summary: The create case API returns a JSON object that contains details about the case. value: assignees: [] closed_at: null @@ -48665,9 +73816,7 @@ components: per_page: 20 total: 1 Cases_find_case_response: - summary: >- - Retrieve the first five cases with the `tag-1` tag, in ascending order - by last update time. + summary: Retrieve the first five cases with the `tag-1` tag, in ascending order by last update time. value: cases: - assignees: [] @@ -48798,9 +73947,7 @@ components: updated_by: null version: WzEyLDNd Cases_get_case_observability_response: - summary: >- - Get case response (Observability). Comments are not included; use the - find case comments API. totalComment reflects the actual count. + summary: Get case response (Observability). Comments are not included; use the find case comments API. totalComment reflects the actual count. value: assignees: - uid: u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0 @@ -48845,9 +73992,7 @@ components: username: elastic version: WzI0NywyXQ== Cases_get_case_response: - summary: >- - Get case response. Comments are not included; use the find case comments - API. totalComment reflects the actual count. + summary: Get case response. Comments are not included; use the find case comments API. totalComment reflects the actual count. value: assignees: - uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 @@ -48935,9 +74080,7 @@ components: - tag 1 - tag 2 Cases_push_case_response: - summary: >- - The push case API returns a JSON object with details about the case and - the external service. + summary: The push case API returns a JSON object with details about the case and the external service. value: assignees: [] category: null 
@@ -49001,9 +74144,7 @@ components: message: Unable to authenticate with the provided credentials. statusCode: 401 Cases_set_case_configuration_request: - summary: >- - Set the closure type, custom fields, and default connector for Stack - Management cases. + summary: Set the closure type, custom fields, and default connector for Stack Management cases. value: closure_type: close-by-user connector: @@ -49191,9 +74332,7 @@ components: - tag-1 version: WzIzLDFd Cases_update_case_response: - summary: >- - This is an example response when the case description, tags, and - connector were updated. + summary: This is an example response when the case description, tags, and connector were updated. value: - assignees: [] category: null @@ -49265,9 +74404,7 @@ components: type: user version: Wzk1LDFd Cases_update_comment_response: - summary: >- - The add comment to case API returns a JSON object that contains details - about the case and its comments. + summary: The add comment to case API returns a JSON object that contains details about the case and its comments. value: assignees: [] category: null @@ -49334,9 +74471,7 @@ components: username: elastic version: WzIwNjM2LDFd Data_views_create_data_view_request: - description: >- - Create a data view for logstash indices that includes a runtime field - which extracts the shape name from a source field. + description: Create a data view for logstash indices that includes a runtime field which extracts the shape name from a source field. summary: Create a data view with runtime fields. value: data_view: 
@@ -49348,12 +74483,8 @@ components: type: keyword title: logstash-* Data_views_create_data_view_response: - description: >- - The response includes the full data view specification, including - auto-generated fields such as the unique identifier and version. - summary: >- - The create data view API returns a JSON object that contains details - about the new data view. + description: The response includes the full data view specification, including auto-generated fields such as the unique identifier and version. + summary: The create data view API returns a JSON object that contains details about the new data view. value: data_view: allowNoIndex: false @@ -49391,9 +74522,7 @@ components: typeMeta: {} version: WzQ5LDJd Data_views_create_runtime_field_request: - description: >- - Create a long-type runtime field that emits a value derived from the foo - source field. + description: Create a long-type runtime field that emits a value derived from the foo source field. summary: Create a runtime field. value: name: runtimeFoo 
@@ -49402,46 +74531,30 @@ components: source: emit(doc["foo"].value) type: long Data_views_create_runtime_field_response: - description: >- - The response includes the newly created runtime field as an array and - the full updated data view object. - summary: >- - The API returns created runtime field object array and updated data view - object. + description: The response includes the newly created runtime field as an array and the full updated data view object. + summary: The API returns created runtime field object array and updated data view object. value: data_view: ...: null fields: - ... Data_views_error_400_response: - description: >- - The request was rejected because the payload or query parameters are - missing required fields or contain invalid values. + description: The request was rejected because the payload or query parameters are missing required fields or contain invalid values. summary: A bad request response. value: error: Bad Request - message: >- - [request body.data_view.title]: expected value of type [string] but - got [undefined] + message: '[request body.data_view.title]: expected value of type [string] but got [undefined]' statusCode: 400 Data_views_error_404_response: - description: >- - The requested data view or runtime field was not found in the current - Kibana space. + description: The requested data view or runtime field was not found in the current Kibana space. summary: A not found response. value: error: Not Found - message: >- - Saved object [index-pattern/caaad6d0-920c-11ed-b36a-874bd1548a00] not - found + message: Saved object [index-pattern/caaad6d0-920c-11ed-b36a-874bd1548a00] not found statusCode: 404 Data_views_get_data_view_response: - description: >- - A complete data view object including all fields, runtime fields, and - metadata. - summary: >- - The get data view API returns a JSON object that contains information - about the data view. 
+ description: A complete data view object including all fields, runtime fields, and metadata. + summary: The get data view API returns a JSON object that contains information about the data view. value: data_view: allowNoIndex: false @@ -50368,9 +75481,7 @@ components: typeMeta: {} version: WzUsMV0= Data_views_get_data_views_response: - description: >- - A list of available data views including their identifiers, names, and - index patterns. + description: A list of available data views including their identifiers, names, and index patterns. summary: The get all data views API returns a list of data views. value: data_view: @@ -50397,10 +75508,7 @@ components: data_view_id: ff959d40-b880-11e8-a6d9-e546fe2bba5f Data_views_get_runtime_field_response: description: The runtime field definition along with the parent data view. - summary: >- - The get runtime field API returns a JSON object that contains - information about the runtime field (`hour_of_day`) and the data view - (`d3d7af60-4c81-11e8-b3d7-01146121b73d`). + summary: The get runtime field API returns a JSON object that contains information about the runtime field (`hour_of_day`) and the data view (`d3d7af60-4c81-11e8-b3d7-01146121b73d`). value: data_view: allowNoIndex: false 
@@ -50899,17 +76007,13 @@ components: shortDotsEnable: false type: number Data_views_preview_swap_data_view_request: - description: >- - Preview the saved objects that would be affected by swapping references - from one data view to another. + description: Preview the saved objects that would be affected by swapping references from one data view to another. summary: Preview swapping references from data view ID "abcd-efg" to "xyz-123". value: fromId: abcd-efg toId: xyz-123 Data_views_preview_swap_data_view_response: - description: >- - The result array lists every saved object that references the source - data view. No saved objects are modified by the preview endpoint. + description: The result array lists every saved object that references the source data view. No saved objects are modified by the preview endpoint. summary: A preview of saved objects that would be affected by a data view swap. value: result: 
@@ -50918,35 +76022,25 @@ components: - id: edf84fe0-e1a0-11e7-b6d5-4dc382ef7f5b type: dashboard Data_views_set_default_data_view_request: - description: >- - Set the default data view, using the force flag to overwrite an existing - default. + description: Set the default data view, using the force flag to overwrite an existing default. summary: Set the default data view identifier. value: data_view_id: ff959d40-b880-11e8-a6d9-e546fe2bba5f force: true Data_views_set_default_data_view_response: - description: >- - The acknowledged flag confirms that the default data view for the - current Kibana space was updated. + description: The acknowledged flag confirms that the default data view for the current Kibana space was updated. summary: The default data view was set successfully. value: acknowledged: true Data_views_swap_data_view_request: - description: >- - Swap all saved object references from one data view to another and - delete the source data view afterward. - summary: >- - Swap references from data view ID "abcd-efg" to "xyz-123" and remove the - data view that is no longer referenced. + description: Swap all saved object references from one data view to another and delete the source data view afterward. + summary: Swap references from data view ID "abcd-efg" to "xyz-123" and remove the data view that is no longer referenced. value: delete: true fromId: abcd-efg toId: xyz-123 Data_views_swap_data_view_response: - description: >- - The list of saved objects whose references were updated, along with the - delete status of the source. + description: The list of saved objects whose references were updated, along with the delete status of the source. summary: The swap references API returns a list of the affected saved objects. value: deleteStatus: 
@@ -50956,9 +76050,7 @@ components: - id: '123' type: visualization Data_views_update_data_view_request: - description: >- - Update the title, time field, and other properties of an existing data - view. + description: Update the title, time field, and other properties of an existing data view. summary: Update some properties for a data view. value: data_view: @@ -50968,9 +76060,7 @@ components: title: kibana_sample_data_ecommerce refresh_fields: true Data_views_update_field_metadata_request: - description: >- - Update the popularity count, custom label, and custom description for - specific fields in a data view. + description: Update the popularity count, custom label, and custom description for specific fields in a data view. summary: Update metadata for multiple fields. value: fields: @@ -50981,9 +76071,7 @@ components: customDescription: Field 2 description customLabel: Field 2 label Data_views_update_field_metadata_response: - description: >- - The acknowledged flag confirms that the field metadata changes were - applied to the data view. + description: The acknowledged flag confirms that the field metadata changes were applied to the data view. summary: Field metadata was updated successfully. value: acknowledged: true 
@@ -51047,10 +76135,8 @@ components: } Observability_AI_Assistant_API_ChatCompleteResponseExample: summary: Get a chat completion from the Observability AI Assistant - value: > - data: - {"model":"unknown","choices":[{"delta":{"content":"","function_call":{"name":"get_cluster_health","arguments":"{\"includeShardStats\":true}"}},"finish_reason":null,"index":0}],"created":1750936626911,"id":"9c8eff9b-4fd4-4203-a4ab-2e364688deff","object":"chat.completion.chunk"} - + value: | + data: {"model":"unknown","choices":[{"delta":{"content":"","function_call":{"name":"get_cluster_health","arguments":"{\"includeShardStats\":true}"}},"finish_reason":null,"index":0}],"created":1750936626911,"id":"9c8eff9b-4fd4-4203-a4ab-2e364688deff","object":"chat.completion.chunk"} data: [DONE] Saved_objects_key_rotation_response: 
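Review bot: The rewritten `value:` block in `Observability_AI_Assistant_API_ChatCompleteResponseExample` still places the two `data:` events on consecutive lines with no empty line between them, so the example omits the blank-line event separator a server-sent-events stream uses, and a reader building a client from it could mis-frame the chunks; the folded form it replaces had the same gap. The switch to `|` is otherwise an improvement, since it keeps the `data:` prefix on the same line as its JSON payload instead of relying on folding. I would add one empty line between `data: {...}` and `data: [DONE]` inside the literal block. If this bundle is generated from a per-plugin example file, that is where the change belongs.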
@@ -52290,6 +77376,893 @@ components: } } } + get_connector_types_generativeai_response: + summary: A list of connector types for the `generativeAI` feature. + value: + - id: .gen-ai + name: OpenAI + enabled: true + enabled_in_config: true + enabled_in_license: true + minimum_license_required: enterprise + supported_feature_ids: + - generativeAIForSecurity + - generativeAIForObservability + - generativeAIForSearchPlayground + is_system_action_type: false + - id: .bedrock + name: AWS Bedrock + enabled: true + enabled_in_config: true + enabled_in_license: true + minimum_license_required: enterprise + supported_feature_ids: + - generativeAIForSecurity + - generativeAIForObservability + - generativeAIForSearchPlayground + is_system_action_type: false + - id: .gemini + name: Google Gemini + enabled: true + enabled_in_config: true + enabled_in_license: true + minimum_license_required: enterprise + supported_feature_ids: + - generativeAIForSecurity + is_system_action_type: false + get_connector_response: + summary: Get connector details. + value: + id: df770e30-8b8b-11ed-a780-3b746c987a81 + name: my_server_log_connector + config: {} + connector_type_id: .server-log + is_preconfigured: false + is_deprecated: false + is_missing_secrets: false + is_system_action: false + update_index_connector_request: + summary: Update an index connector. + value: + name: updated-connector + config: + index: updated-index + create_email_connector_request: + summary: Create an email connector. + value: + name: email-connector-1 + connector_type_id: .email + config: + from: tester@example.com + hasAuth: true + host: https://example.com + port: 1025 + secure: false + service: other + secrets: + user: username + password: password + create_index_connector_request: + summary: Create an index connector. + value: + name: my-connector + connector_type_id: .index + config: + index: test-index + create_webhook_connector_request: + summary: Create a webhook connector with SSL authentication. 
+ value: + name: my-webhook-connector + connector_type_id: .webhook + config: + method: post + url: https://example.com + authType: webhook-authentication-ssl + certType: ssl-crt-key + secrets: + crt: QmFnIEF0dH... + key: LS0tLS1CRUdJ... + password: my-passphrase + create_xmatters_connector_request: + summary: Create an xMatters connector with URL authentication. + value: + name: my-xmatters-connector + connector_type_id: .xmatters + config: + usesBasic: false + secrets: + secretsUrl: https://example.com?apiKey=xxxxx + create_email_connector_response: + summary: A new email connector. + value: + id: 90a82c60-478f-11ee-a343-f98a117c727f + connector_type_id: .email + name: email-connector-1 + config: + from: tester@example.com + service: other + host: https://example.com + port: 1025 + secure: false + hasAuth: true + tenantId: null + clientId: null + oauthTokenUrl: null + is_preconfigured: false + is_deprecated: false + is_missing_secrets: false + is_system_action: false + create_index_connector_response: + summary: A new index connector. + value: + id: c55b6eb0-6bad-11eb-9f3b-611eebc6c3ad + connector_type_id: .index + name: my-connector + config: + index: test-index + refresh: false + executionTimeField: null + is_preconfigured: false + is_deprecated: false + is_missing_secrets: false + is_system_action: false + create_webhook_connector_response: + summary: A new webhook connector. + value: + id: 900eb010-3b9d-11ee-a642-8ffbb94e38bd + name: my-webhook-connector + config: + method: post + url: https://example.com + authType: webhook-authentication-ssl + certType: ssl-crt-key + verificationMode: full + headers: null + hasAuth: true + connector_type_id: .webhook + is_preconfigured: false + is_deprecated: false + is_missing_secrets: false + is_system_action: false + run_index_connector_request: + summary: Run an index connector. 
+ value: + params: + documents: + - id: my_doc_id + name: my_doc_name + message: hello, world + run_jira_connector_request: + summary: Run a Jira connector to retrieve the list of issue types. + value: + params: + subAction: issueTypes + run_servicenow_itom_connector_request: + summary: Run a ServiceNow ITOM connector to retrieve the list of choices. + value: + params: + subAction: getChoices + subActionParams: + fields: + - severity + - urgency + run_slack_api_connector_request: + summary: Run a Slack connector that uses the web API method to post a message on a channel. + value: + params: + subAction: postMessage + subActionParams: + channelIds: + - C123ABC456 + text: A test message. + run_swimlane_connector_request: + summary: Run a Swimlane connector to create an incident. + value: + params: + subAction: pushToService + subActionParams: + comments: + - commentId: 1 + comment: A comment about the incident. + incident: + caseId: '1000' + caseName: Case name + description: Description of the incident. + run_index_connector_response: + summary: Response from running an index connector. + value: + connector_id: fd38c600-96a5-11ed-bb79-353b74189cba + data: + errors: false + items: + - create: + _id: 4JtvwYUBrcyxt2NnfW3y + _index: my-index + _primary_term: 1 + _seq_no: 0 + _shards: + failed: 0 + successful: 1 + total: 2 + _version: 1 + result: created + status: 201 + took: 135 + status: ok + run_jira_connector_response: + summary: Response from retrieving the list of issue types for a Jira connector. + value: + connector_id: b3aad810-edbe-11ec-82d1-11348ecbf4a6 + data: + - id: 10024 + name: Improvement + - id: 10006 + name: Task + - id: 10007 + name: Sub-task + - id: 10025 + name: New Feature + - id: 10023 + name: Bug + - id: 10000 + name: Epic + status: ok + run_server_log_connector_response: + summary: Response from running a server log connector. 
+ value: + connector_id: 7fc7b9a0-ecc9-11ec-8736-e7d63118c907 + status: ok + run_servicenow_itom_connector_response: + summary: Response from retrieving the list of choices for a ServiceNow ITOM connector. + value: + connector_id: 9d9be270-2fd2-11ed-b0e0-87533c532698 + data: + - dependent_value: '' + element: severity + label: Critical + value: 1 + - dependent_value: '' + element: severity + label: Major + value: 2 + - dependent_value: '' + element: severity + label: Minor + value: 3 + - dependent_value: '' + element: severity + label: Warning + value: 4 + - dependent_value: '' + element: severity + label: OK + value: 5 + - dependent_value: '' + element: severity + label: Clear + value: 0 + - dependent_value: '' + element: urgency + label: 1 - High + value: 1 + - dependent_value: '' + element: urgency + label: 2 - Medium + value: 2 + - dependent_value: '' + element: urgency + label: 3 - Low + value: 3 + status: ok + run_slack_api_connector_response: + summary: Response from posting a message with a Slack connector. + value: + status: ok + data: + ok: true + channel: C123ABC456 + ts: '1234567890.123456' + message: + bot_id: B12BCDEFGHI + type: message + text: A test message + user: U12A345BC6D + ts: '1234567890.123456' + app_id: A01BC2D34EF + blocks: + - type: rich_text + block_id: /NXe + elements: + - type: rich_text_section + elements: + - type: text + text: A test message. + team: T01ABCDE2F + bot_profile: + id: B12BCDEFGHI + app_id: A01BC2D34EF + name: test + icons: + image_36: https://a.slack-edge.com/80588/img/plugins/app/bot_36.png + deleted: false + updated: 1672169705 + team_id: T01ABCDE2F + connector_id: .slack_api + run_swimlane_connector_response: + summary: Response from creating a Swimlane incident. 
+ value: + connector_id: a4746470-2f94-11ed-b0e0-87533c532698 + data: + id: aKPmBHWzmdRQtx6Mx + title: TEST-457 + url: https://elastic.swimlane.url.us/record/aNcL2xniGHGpa2AHb/aKPmBHWzmdRQtx6Mx + pushedDate: '2022-09-08T16:52:27.866Z' + comments: + - commentId: 1 + pushedDate: '2022-09-08T16:52:27.865Z' + status: ok + get_connectors_response: + summary: A list of connectors + value: + - id: preconfigured-email-connector + name: my-preconfigured-email-notification + connector_type_id: .email + is_preconfigured: true + is_deprecated: false + referenced_by_count: 0 + is_system_action: false + - id: e07d0c80-8b8b-11ed-a780-3b746c987a81 + name: my-index-connector + config: + index: test-index + refresh: false + executionTimeField: null + connector_type_id: .index + is_preconfigured: false + is_deprecated: false + referenced_by_count: 2 + is_missing_secrets: false + is_system_action: false + get_roles_response1: + summary: Get all role details + value: + - name: my_kibana_role + description: My kibana role description + metadata: + version: 1 + transient_metadata: + enabled: true + elasticsearch: + indices: [] + cluster: [] + run_as: [] + kibana: + - base: + - all + feature: {} + spaces: + - '*' + - name: my_admin_role + description: My admin role description + metadata: + version: 1 + transient_metadata: + enabled: true + elasticsearch: + cluster: + - all + indices: + - names: + - index1 + - index2 + privileges: + - all + field_security: + grant: + - title + - body + query: '{\"match\": {\"title\": \"foo\"}}' + kibana: [] + get_role_response1: + summary: Get role details + value: + name: my_kibana_role + description: Grants all cluster privileges and full access to index1 and index2. Grants full access to remote_index1 and remote_index2, and the monitor_enrich cluster privilege on remote_cluster1. Grants all Kibana privileges in the default space. 
+ metadata: + version: 1 + transient_metadata: + enabled: true + elasticsearch: + cluster: + - all + remote_cluster: + - privileges: + - monitor_enrich + clusters: + - remote_cluster1 + indices: + - names: + - index1 + - index2 + privileges: + - all + allow_restricted_indices: false + remote_indices: + - names: + - remote_index1 + - remote_index2 + privileges: + - all + allow_restricted_indices: false + clusters: + - remote_cluster1 + run_as: [] + kibana: + - base: + - all + feature: {} + spaces: + - default + _transform_error: [] + _unrecognized_applications: [] + create_role_request1: + summary: Feature privileges in multiple spaces + description: Grant access to various features in some spaces. + value: + description: Grant full access to discover and dashboard features in the default space. Grant read access in the marketing, and sales spaces. + metadata: + version: 1 + elasticsearch: + cluster: [] + indices: [] + kibana: + - base: [] + feature: + discover: + - all + dashboard: + - all + spaces: + - default + - base: + - read + spaces: + - marketing + - sales + create_role_request2: + summary: Dashboard privileges in a space + description: Grant access to dashboard features in a Marketing space. + value: + description: Grant dashboard access in the Marketing space. + metadata: + version: 1 + elasticsearch: + cluster: [] + indices: [] + kibana: + - base: [] + feature: + dashboard: + - read + spaces: + - marketing + create_role_request3: + summary: Feature privileges in a space + description: Grant full access to all features in the default space. + value: + metadata: + version: 1 + elasticsearch: + cluster: [] + indices: [] + kibana: + - base: + - all + feature: {} + spaces: + - default + create_role_request4: + summary: Elasticsearch and Kibana feature privileges + description: Grant Elasticsearch and Kibana feature privileges. + value: + description: Grant all cluster privileges and full access to index1 and index2. 
Grant full access to remote_index1 and remote_index2, and the monitor_enrich cluster privilege on remote_cluster1. Grant all Kibana privileges in the default space. + metadata: + version: 1 + elasticsearch: + cluster: + - all + indices: + - names: + - index1 + - index2 + privileges: + - all + remote_indices: + - clusters: + - remote_cluster1 + names: + - remote_index1 + - remote_index2 + privileges: + - all + remote_cluster: + - clusters: + - remote_cluster1 + privileges: + - monitor_enrich + kibana: + - base: + - all + feature: {} + spaces: + - default + copy_saved_objects_request1: + summary: Copy with createNewCopies + description: | + Copy a dashboard with the my-dashboard ID, including all references from the default space to the marketing space. In this example, the dashboard has a reference to a visualization and that has a reference to a data view. + value: + objects: + - type: dashboard + id: my-dashboard + spaces: + - marketing + includeReferences: true + copy_saved_objects_request2: + summary: Copy without createNewCopies + description: | + Copy a dashboard with the my-dashboard ID, including all references from the default space to the marketing space. In this example, the dashboard has a reference to a visualization and that has a reference to a data view. + value: + objects: + - type: dashboard + id: my-dashboard + spaces: + - marketing + includeReferences: true + createNewCopies: false + copy_saved_objects_response1: + summary: Copy with createNewCopies + description: | + The response for successfully copying a dashboard with the my-dashboard ID, including all references from the default space to the marketing space. The result indicates a successful copy and all three objects are created. Since these objects were created as new copies, each entry in the successResults array includes a destinationId attribute. 
+ value: + marketing: + success: true + successCount: 3 + successResults: + - id: my-dashboard + type: dashboard + destinationId: 1e127098-5b80-417f-b0f1-c60c8395358f + meta: + icon: dashboardApp + title: Look at my dashboard + - id: my-vis + type: visualization + destinationId: a610ed80-1c73-4507-9e13-d3af736c8e04 + meta: + icon: visualizeApp + title: Look at my visualization + - id: my-index-pattern + type: index-pattern + destinationId: bc3c9c70-bf6f-4bec-b4ce-f4189aa9e26b + meta: + icon: indexPatternApp + title: my-pattern-* + copy_saved_objects_response2: + summary: Copy without createNewCopies + description: | + The response for successfully copying a dashboard with the my-dashboard ID with createNewCopies turned off. The result indicates a successful copy and all three objects are created. + value: + marketing: + success: true + successCount: 3 + successResults: + - id: my-dashboard + type: dashboard + meta: + icon: dashboardApp + title: Look at my dashboard + - id: my-vis + type: visualization + meta: + icon: visualizeApp + title: Look at my visualization + - id: my-index-pattern + type: index-pattern + meta: + icon: indexPatternApp + title: my-pattern-* + copy_saved_objects_response3: + summary: Failed copy response with conflict errors + description: | + A response for a failed copy of a dashboard with the my-dashboard ID including all references from the default space to the marketing and sales spaces. In this example, the dashboard has a reference to a visualization and a Canvas workpad and the visualization has a reference to an index pattern. The result indicates a successful copy for the marketing space and an unsuccessful copy for the sales space because the data view, visualization, and Canvas workpad each resulted in a conflict error. Objects are created when the error is resolved using the resolve copy conflicts API. 
+ value: + marketing: + success: true + successCount: 4 + successResults: + - id: my-dashboard + type: dashboard + meta: + icon: dashboardApp + title: Look at my dashboard + - id: my-vis + type: visualization + meta: + icon: visualizeApp + title: Look at my visualization + - id: my-canvas + type: canvas-workpad + meta: + icon: canvasApp + title: Look at my canvas + - id: my-index-pattern + type: index-pattern + meta: + icon: indexPatternApp + title: my-pattern-* + sales: + success: false + successCount: 1, + errors: + - id: my-pattern + type: index-pattern + title: my-pattern-* + error: + type: conflict + meta: + icon: indexPatternApp + title: my-pattern-* + - id: my-visualization + type: my-vis + title: Look at my visualization + error: + type: conflict + destinationId: another-vis + meta: + icon: visualizeApp + title: Look at my visualization + - id: my-canvas + type: canvas-workpad + title: Look at my canvas + error: + type: ambiguous_conflict + destinations: + - id: another-canvas + title: Look at another canvas + updatedAt: '2020-07-08T16:36:32.377Z' + - id: yet-another-canvas + title: Look at yet another canvas + updatedAt: '2020-07-05T12:29:54.849Z' + meta: + icon: canvasApp + title: Look at my canvas + successResults": + - id: my-dashboard + type: dashboard + meta: + icon: dashboardApp + title: Look at my dashboard + copy_saved_objects_response4: + summary: Failed copy with missing reference errors + description: | + The response for successfully copying a dashboard with the my-dashboard ID, including all references from the default space to the marketing space. In this example, the dashboard has a reference to a visualization and a Canvas workpad and the visualization has a reference to a data view. The result indicates an unsuccessful copy because the visualization resulted in a missing references error. Objects are created when the errors are resolved using the resolve copy conflicts API. 
+ value: + marketing: + success: false + successCount: 2 + errors: + - id: my-vis + type: visualization + title: Look at my visualization + error: + type: missing_references + references: + - type: index-pattern + id: my-pattern-* + meta: + icon: visualizeApp + title: Look at my visualization + successResults: + - id: my-dashboard + type: dashboard + meta: + icon: dashboardApp + title: Look at my dashboard + - id: my-canvas + type: canvas-workpad + meta: + icon: canvasApp + title: Look at my canvas + disable_legacy_url_request1: + summary: Disable legacy URL aliases + description: | + This request leaves the alias intact but the legacy URL for this alias (http://localhost:5601/s/bills-space/app/dashboards#/view/123) will no longer function. The dashboard still exists and you can access it with the new URL. + value: + aliases: + - targetSpace: bills-space + targetType: dashboard + sourceId: 123 + get_shareable_references_request1: + summary: Get shareable references + description: | + Collect references and space contexts for a dashboard saved object. + value: + objects: + - type: dashboard + id: my-dashboard-id + get_shareable_references_response1: + summary: Get shareable references response + description: | + A response that includes the collected references and the spaces where the objects exist. + value: + objects: + - type: dashboard + id: my-dashboard-id + spaces: + - default + - marketing + inboundReferences: [] + resolve_copy_saved_objects_request1: + summary: Resolve conflict errors + description: | + Resolve conflict errors for a data view, visualization, and Canvas workpad by overwriting the existing saved objects. NOTE: If a prior copy attempt resulted in resolvable errors, you must include a retry for each object you want to copy, including any that were returned in the successResults array. In this example, we retried copying the dashboard accordingly. 
+ value: + objects: + - type: dashboard + id: my-dashboard + includeReferences: true + createNewCopies: false + retries: + sales: + - type: index-pattern + id: my-pattern + overwrite: true + - type: visualization + id: my-vis + overwrite: true, + destinationId: another-vis + - type: canvas + id: my-canvas + overwrite: true + destinationId: yet-another-canvas + - type: dashboard + id: my-dashboard + resolve_copy_saved_objects_request2: + summary: Resolve missing reference errors + description: | + Resolve missing reference errors for a visualization by ignoring the error. NOTE: If a prior copy attempt resulted in resolvable errors, you must include a retry for each object you want to copy, including any that were returned in the successResults array. In this example, we retried copying the dashboard and canvas accordingly. + value: + objects: + - type: dashboard + id: my-dashboard + includeReferences: true + createNewCopies: false + retries: + marketing: + - type: visualization + id: my-vis + ignoreMissingReferences: true + - type: canvas + id: my-canvas + - type: dashboard + id: my-dashboard + update_saved_objects_spaces_request1: + summary: Update saved object spaces + description: Update the spaces of each saved object and all its references. + value: + objects: + - type: index-pattern + id: 90943e30-9a47-11e8-b64d-95841ca0b247 + spacesToAdd: + - test + spacesToRemove: [] + update_saved_objects_spaces_response1: + summary: Update saved object spaces + description: | + The response from updating the spaces of saved objects. + value: + objects: + - type: index-pattern + id: 90943e30-9a47-11e8-b64d-95841ca0b247 + spaces: + - default + - test + get_spaces_response1: + summary: Get all spaces + description: Get all spaces without specifying any options. 
+ value: + - id: default + name: Default + description: This is the Default Space + disabledFeatures: [] + imageUrl: '' + _reserved: true + - id: marketing + name: Marketing + description: This is the Marketing Space + color: null + disabledFeatures: + - apm + initials: MK + imageUrl: data:image/png;base64,iVBORw0KGgoAAAANSU + - id: sales + name: Sales + initials: MK + disabledFeatures: + - discover + imageUr": '' + solution: oblt + get_spaces_response2: + summary: Get all spaces with custom options + description: | + The user has read-only access to the Sales space. Get all spaces with the following query parameters: "purpose=shareSavedObjectsIntoSpace&include_authorized_purposes=true" + value: + - id: default + name: Default + description: This is the Default Space + disabledFeatures: [] + imageUrl: '' + _reserved: true + authorizedPurposes: + any: true + copySavedObjectsIntoSpace: true + findSavedObjects: true + shareSavedObjectsIntoSpace: true + - id: marketing + name: Marketing + description: This is the Marketing Space + color: null + disabledFeatures: + - apm + initials: MK + imageUrl: data:image/png;base64,iVBORw0KGgoAAAANSU + authorizedPurposes: + any: true + copySavedObjectsIntoSpace: true + findSavedObjects: true + shareSavedObjectsIntoSpace: true + - id: sales + name: Sales + initials: MK + disabledFeatures: + - discover + imageUrl: '' + authorizedPurposes: + any: true + copySavedObjectsIntoSpace: false + findSavedObjects: true + shareSavedObjectsIntoSpace: false + create_space_request: + summary: Create a marketing space + value: + id: marketing + name: Marketing + description: This is the Marketing Space + color: null + initials: MK + disabledFeatures: [] + imageUrl: data:image/png;base64,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 + get_space_response: + summary: Get details about a marketing space + value: + id: marketing + name: Marketing + description: This is the Marketing Space + color: null + initials: MK + disabledFeatures: [] + 
imageUrl: '' + solution: es + update_space_request: + summary: Update a marketing space + description: Update the marketing space to remove the imageUrl. + value: + id: marketing + name: Marketing + description: This is the Marketing Space + color: null + initials: MK + disabledFeatures: [] + imageUrl: '' parameters: APM_UI_elastic_api_version: description: The version of the API to use @@ -52318,10 +78291,8 @@ components: example: 09f0c261e39e36351d75995b78bb83673774d1bc2cca9df2d15f0e5c0a99a540 type: string Cases_assignees_filter: - description: > - Filters the returned cases by assignees. Valid values are `none` or - unique identifiers for the user profiles. These identifiers can be found - by using the suggest user profile API. + description: | + Filters the returned cases by assignees. Valid values are `none` or unique identifiers for the user profiles. These identifiers can be found by using the suggest user profile API. in: query name: assignees schema: @@ -52329,9 +78300,7 @@ components: - $ref: '#/components/schemas/Cases_string' - $ref: '#/components/schemas/Cases_string_array' Cases_case_id: - description: >- - The identifier for the case. To retrieve case IDs, use the search cases - (`_find)` API. All non-ASCII characters must be URL encoded. + description: The identifier for the case. To retrieve case IDs, use the search cases (`_find)` API. All non-ASCII characters must be URL encoded. in: path name: caseId required: true @@ -52347,9 +78316,8 @@ components: - $ref: '#/components/schemas/Cases_case_category' - $ref: '#/components/schemas/Cases_case_categories' Cases_comment_id: - description: > - The identifier for the comment. To retrieve comment IDs, use the get - case or search cases (`_find`) APIs. + description: | + The identifier for the comment. To retrieve comment IDs, use the get case or search cases (`_find`) APIs. in: path name: commentId required: true 
@@ -52364,7018 +78332,33639 @@ components: schema: example: 3297a0f0-b5ec-11ec-b141-0fdb20a7f9a9 type: string - Cases_connector_id: - description: >- - An identifier for the connector. To retrieve connector IDs, use the find - connectors API. - in: path - name: connectorId - required: true - schema: - example: abed3a70-71bd-11ea-a0b2-c51ea50a58e2 + Cases_connector_id: + description: An identifier for the connector. To retrieve connector IDs, use the find connectors API. + in: path + name: connectorId + required: true + schema: + example: abed3a70-71bd-11ea-a0b2-c51ea50a58e2 + type: string + Cases_defaultSearchOperator: + description: he default operator to use for the simple_query_string. + example: OR + in: query + name: defaultSearchOperator + schema: + default: OR + type: string + Cases_from: + description: | + Returns only cases that were created after a specific date. The date must be specified as a KQL data range or date match expression. + in: query + name: from + schema: + example: now-1d + type: string + Cases_ids: + description: | + The cases that you want to removed. To get the case identifiers, use the search cases (`_find`) API. In the Dev Console, you can specify the array of cases in the following format: `ids=["e58e77e3-ef8e-4251-926f-efb115f3c4ec"]`. In `curl`, all non-ASCII characters must be URL encoded. For example: `ids=%5B%22e58e77e3-ef8e-4251-926f-efb115f3c4ec%22%5D` + in: query + name: ids + required: true + schema: + items: + example: d4e7abb0-b462-11ec-9a8d-698504725a43 + maxItems: 100 + minItems: 1 + type: string + type: array + Cases_kbn_xsrf: + description: Cross-site request forgery protection + in: header + name: kbn-xsrf + required: true + schema: + type: string + Cases_owner_filter: + description: | + A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read. 
+ example: cases + in: query + name: owner + schema: + oneOf: + - $ref: '#/components/schemas/Cases_owner' + - $ref: '#/components/schemas/Cases_owners' + Cases_page_index: + description: The page number to return. + example: 1 + in: query + name: page + required: false + schema: + default: 1 + type: integer + Cases_page_size: + description: The number of items to return. Limited to 100 items. + example: 20 + in: query + name: perPage + required: false + schema: + default: 20 + maximum: 100 + type: integer + Cases_reporters: + description: Filters the returned cases by the user name of the reporter. + example: elastic + in: query + name: reporters + schema: + oneOf: + - $ref: '#/components/schemas/Cases_string' + - $ref: '#/components/schemas/Cases_string_array' + Cases_search: + description: An Elasticsearch simple_query_string query that filters the objects in the response. + example: Case title 1 + in: query + name: search + schema: + type: string + Cases_searchFields: + description: The fields to perform the simple_query_string parsed query against. + in: query + name: searchFields + schema: + oneOf: + - $ref: '#/components/schemas/Cases_searchFieldsType' + - $ref: '#/components/schemas/Cases_searchFieldsTypeArray' + Cases_severity: + description: The severity of the case. + example: low + in: query + name: severity + schema: + enum: + - critical + - high + - low + - medium + type: string + Cases_sort_order: + description: Determines the sort order. + example: desc + in: query + name: sortOrder + required: false + schema: + default: desc + enum: + - asc + - desc + type: string + Cases_sortField: + description: Determines which field is used to sort the results. + example: updatedAt + in: query + name: sortField + schema: + default: createdAt + enum: + - createdAt + - updatedAt + - closedAt + - title + - category + - status + - severity + type: string + Cases_status: + description: Filters the returned cases by state. 
+ example: open + in: query + name: status + schema: + enum: + - closed + - in-progress + - open + type: string + Cases_tags: + description: Filters the returned cases by tags. + example: tag-1 + in: query + name: tags + schema: + oneOf: + - $ref: '#/components/schemas/Cases_string' + - $ref: '#/components/schemas/Cases_string_array' + Cases_to: + description: | + Returns only cases that were created before a specific date. The date must be specified as a KQL data range or date match expression. + example: now+1d + in: query + name: to + schema: + type: string + Cases_user_action_types: + description: Determines the types of user actions to return. + in: query + name: types + schema: + items: + enum: + - action + - alert + - assignees + - attachment + - comment + - connector + - create_case + - description + - pushed + - settings + - severity + - status + - tags + - title + - user + example: create_case + type: string + type: array + Data_views_field_name: + description: The name of the runtime field. + in: path + name: fieldName + required: true + schema: + example: hour_of_day + type: string + Data_views_kbn_xsrf: + description: Cross-site request forgery protection + in: header + name: kbn-xsrf + required: true + schema: + type: string + Data_views_view_id: + description: An identifier for the data view. + in: path + name: viewId + required: true + schema: + example: ff959d40-b880-11e8-a6d9-e546fe2bba5f + type: string + Machine_learning_APIs_simulateParam: + description: When true, simulates the synchronization by returning only the list of actions that would be performed. + example: 'true' + in: query + name: simulate + required: false + schema: + type: boolean + Short_URL_APIs_idParam: + description: The identifier for the short URL. 
+ in: path + name: id + required: true + schema: + type: string + SLOs_kbn_xsrf: + description: Cross-site request forgery protection + in: header + name: kbn-xsrf + required: true + schema: + type: string + SLOs_slo_id: + description: An identifier for the slo. + in: path + name: sloId + required: true + schema: + example: 9c235211-6834-11ea-a78c-6feb38a34414 + type: string + SLOs_space_id: + description: An identifier for the space. If `/s/` and the identifier are omitted from the path, the default space is used. + in: path + name: spaceId + required: true + schema: + example: default + type: string + schemas: + Alerting_401_response: + properties: + error: + enum: + - Unauthorized + example: Unauthorized + type: string + message: + type: string + statusCode: + enum: + - 401 + example: 401 + type: integer + title: Unsuccessful rule API response + type: object + Alerting_fieldmap_properties: + title: Field map objects in the get rule types response + type: object + properties: + array: + description: Indicates whether the field is an array. + type: boolean + dynamic: + description: Indicates whether it is a dynamic field mapping. + type: boolean + format: + description: | + Indicates the format of the field. For example, if the `type` is `date_range`, the `format` can be `epoch_millis||strict_date_optional_time`. + type: string + ignore_above: + description: Specifies the maximum length of a string field. Longer strings are not indexed or stored. + type: integer + index: + description: Indicates whether field values are indexed. + type: boolean + path: + description: TBD + type: string + properties: + additionalProperties: + type: object + properties: + type: + description: The data type for each object property. + type: string + description: | + Details about the object properties. This property is applicable when `type` is `object`. + type: object + required: + description: Indicates whether the field is required. 
+ type: boolean + scaling_factor: + description: | + The scaling factor to use when encoding values. This property is applicable when `type` is `scaled_float`. Values will be multiplied by this factor at index time and rounded to the closest long value. + type: integer + type: + description: Specifies the data type for the field. + example: scaled_float + type: string + APM_UI_400_response: + type: object + properties: + error: + description: Error type + example: Not Found + type: string + message: + description: Error message + example: Not Found + type: string + statusCode: + description: Error status code + example: 400 + type: number + APM_UI_401_response: + type: object + properties: + error: + description: Error type + example: Unauthorized + type: string + message: + description: Error message + type: string + statusCode: + description: Error status code + example: 401 + type: number + APM_UI_403_response: + type: object + properties: + error: + description: Error type + example: Forbidden + type: string + message: + description: Error message + type: string + statusCode: + description: Error status code + example: 403 + type: number + APM_UI_404_response: + type: object + properties: + error: + description: Error type + example: Not Found + type: string + message: + description: Error message + example: Not Found + type: string + statusCode: + description: Error status code + example: 404 + type: number + APM_UI_500_response: + type: object + properties: + error: + description: Error type + example: Internal Server Error + type: string + message: + description: Error message + type: string + statusCode: + description: Error status code + example: 500 + type: number + APM_UI_501_response: + type: object + properties: + error: + description: Error type + example: Not Implemented + type: string + message: + description: Error message + example: Not Implemented + type: string + statusCode: + description: Error status code + example: 501 + type: number + 
APM_UI_agent_configuration_intake_object: + type: object + properties: + agent_name: + description: The agent name is used by the UI to determine which settings to display. + type: string + service: + $ref: '#/components/schemas/APM_UI_service_object' + settings: + $ref: '#/components/schemas/APM_UI_settings_object' + required: + - service + - settings + APM_UI_agent_configuration_object: + description: Agent configuration + type: object + properties: + '@timestamp': + description: Timestamp + example: 1730194190636 + type: number + agent_name: + description: Agent name + type: string + applied_by_agent: + description: Applied by agent + example: true + type: boolean + etag: + description: | + `etag` is sent by the APM agent to indicate the `etag` of the last successfully applied configuration. If the `etag` matches an existing configuration its `applied_by_agent` property will be set to `true`. Every time a configuration is edited `applied_by_agent` is reset to `false`. + example: 0bc3b5ebf18fba8163fe4c96f491e3767a358f85 + type: string + service: + $ref: '#/components/schemas/APM_UI_service_object' + settings: + $ref: '#/components/schemas/APM_UI_settings_object' + required: + - service + - settings + - '@timestamp' + - etag + APM_UI_agent_configurations_response: + type: object + properties: + configurations: + description: Agent configuration + items: + $ref: '#/components/schemas/APM_UI_agent_configuration_object' + type: array + APM_UI_agent_keys_object: + type: object + properties: + name: + description: The name of the APM agent key. + type: string + privileges: + description: | + The APM agent key privileges. It can take one or more of the following values: + * `event:write`, which is required for ingesting APM agent events. * `config_agent:read`, which is required for APM agents to read agent configuration remotely. 
+ items: + enum: + - event:write + - config_agent:read + type: string + type: array + required: + - name + - privileges + APM_UI_agent_keys_response: + type: object + properties: + agentKey: + description: Agent key + type: object + properties: + api_key: + type: string + encoded: + type: string + expiration: + format: int64 + type: integer + id: + type: string + name: + type: string + required: + - id + - name + - api_key + - encoded + APM_UI_annotation_search_response: + type: object + properties: + annotations: + description: Annotations + items: + type: object + properties: + '@timestamp': + type: number + id: + type: string + text: + type: string + type: + enum: + - version + type: string + type: array + APM_UI_base_source_map_object: + type: object + properties: + compressionAlgorithm: + description: Compression Algorithm + type: string + created: + description: Created date + type: string + decodedSha256: + description: Decoded SHA-256 + type: string + decodedSize: + description: Decoded size + type: number + encodedSha256: + description: Encoded SHA-256 + type: string + encodedSize: + description: Encoded size + type: number + encryptionAlgorithm: + description: Encryption Algorithm + type: string + id: + description: Identifier + type: string + identifier: + description: Identifier + type: string + packageName: + description: Package name + type: string + relative_url: + description: Relative URL + type: string + type: + description: Type + type: string + APM_UI_create_annotation_object: + type: object + properties: + '@timestamp': + description: The date and time of the annotation. It must be in ISO 8601 format. + type: string + message: + description: The message displayed in the annotation. It defaults to `service.version`. + type: string + service: + description: The service that identifies the configuration to create or update. + type: object + properties: + environment: + description: The environment of the service. 
+ type: string + version: + description: The version of the service. + type: string + required: + - version + tags: + description: | + Tags are used by the Applications UI to distinguish APM annotations from other annotations. Tags may have additional functionality in future releases. It defaults to `[apm]`. While you can add additional tags, you cannot remove the `apm` tag. + items: + type: string + type: array + required: + - '@timestamp' + - service + APM_UI_create_annotation_response: + type: object + properties: + _id: + description: Identifier + type: string + _index: + description: Index + type: string + _source: + description: Response + type: object + properties: + '@timestamp': + type: string + annotation: + type: object + properties: + title: + type: string + type: + type: string + event: + type: object + properties: + created: + type: string + message: + type: string + service: + type: object + properties: + environment: + type: string + name: + type: string + version: + type: string + tags: + items: + type: string + type: array + APM_UI_delete_agent_configurations_response: + type: object + properties: + result: + description: Result + type: string + APM_UI_delete_service_object: + description: Service + type: object + properties: + service: + $ref: '#/components/schemas/APM_UI_service_object' + required: + - service + APM_UI_search_agent_configuration_object: + type: object + properties: + error: + description: | + If provided, the agent configuration will be marked as error and `applied_by_agent` will be set to `false`. + This is useful for cases where the agent configuration was not applied successfully. + type: string + etag: + description: If etags match then `applied_by_agent` field will be set to `true` + example: 0bc3b5ebf18fba8163fe4c96f491e3767a358f85 + type: string + mark_as_applied_by_agent: + description: | + `markAsAppliedByAgent=true` means "force setting it to true regardless of etag". 
+ This is needed for Jaeger agent that doesn't have etags + type: boolean + service: + $ref: '#/components/schemas/APM_UI_service_object' + required: + - service + APM_UI_search_agent_configuration_response: + type: object + properties: + _id: + description: Identifier + type: string + _index: + description: Index + type: string + _score: + description: Score + type: number + _source: + $ref: '#/components/schemas/APM_UI_agent_configuration_object' + APM_UI_service_agent_name_response: + type: object + properties: + agentName: + description: Agent name + example: nodejs + type: string + APM_UI_service_environment_object: + type: object + properties: + alreadyConfigured: + description: Already configured + type: boolean + name: + description: Service environment name + example: ALL_OPTION_VALUE + type: string + APM_UI_service_environments_response: + type: object + properties: + environments: + description: Service environment list + items: + $ref: '#/components/schemas/APM_UI_service_environment_object' + type: array + APM_UI_service_object: + description: Service + type: object + properties: + environment: + description: The environment of the service. + example: prod + type: string + name: + description: The name of the service. 
+ example: node + type: string + APM_UI_settings_object: + additionalProperties: + type: string + description: Agent configuration settings + type: object + APM_UI_single_agent_configuration_response: + allOf: + - type: object + properties: + id: + type: string + required: + - id + - $ref: '#/components/schemas/APM_UI_agent_configuration_object' + APM_UI_source_maps_response: + type: object + properties: + artifacts: + description: Artifacts + items: + allOf: + - type: object + properties: + body: + type: object + properties: + bundleFilepath: + type: string + serviceName: + type: string + serviceVersion: + type: string + sourceMap: + type: object + properties: + file: + type: string + mappings: + type: string + sourceRoot: + type: string + sources: + items: + type: string + type: array + sourcesContent: + items: + type: string + type: array + version: + type: number + - $ref: '#/components/schemas/APM_UI_base_source_map_object' + type: array + APM_UI_upload_source_map_object: + type: object + properties: + bundle_filepath: + description: The absolute path of the final bundle as used in the web application. + type: string + service_name: + description: The name of the service that the service map should apply to. + type: string + service_version: + description: The version of the service that the service map should apply to. + type: string + sourcemap: + description: | + The source map. It can be a string or file upload. It must follow the + [source map format specification](https://tc39.es/ecma426/). 
+ format: binary + type: string + required: + - service_name + - service_version + - bundle_filepath + - sourcemap + APM_UI_upload_source_maps_response: + allOf: + - type: object + properties: + body: + type: string + - $ref: '#/components/schemas/APM_UI_base_source_map_object' + Cases_actions: + enum: + - add + - create + - delete + - push_to_service + - update + example: create + type: string + Cases_add_alert_comment_request_properties: + description: Defines properties for case comment requests when type is alert. + type: object + properties: + alertId: + $ref: '#/components/schemas/Cases_alert_identifiers' + index: + $ref: '#/components/schemas/Cases_alert_indices' + owner: + $ref: '#/components/schemas/Cases_owner' + rule: + $ref: '#/components/schemas/Cases_rule' + type: + description: The type of comment. + enum: + - alert + example: alert + type: string + required: + - alertId + - index + - owner + - rule + - type + title: Add case comment request properties for alerts + Cases_add_case_comment_request: + description: The add comment to case API request body varies depending on whether you are adding an alert or a comment. + discriminator: + mapping: + alert: '#/components/schemas/Cases_add_alert_comment_request_properties' + user: '#/components/schemas/Cases_add_user_comment_request_properties' + propertyName: type + oneOf: + - $ref: '#/components/schemas/Cases_add_alert_comment_request_properties' + - $ref: '#/components/schemas/Cases_add_user_comment_request_properties' + title: Add case comment request + Cases_add_case_file_request: + description: Defines the file that will be attached to the case. Optional parameters will be generated automatically from the file metadata if not defined. + type: object + properties: + file: + description: The file being attached to the case. + format: binary + type: string + filename: + description: The desired name of the file being attached to the case, it can be different than the name of the file in the filesystem. 
**This should not include the file extension.** + type: string + required: + - file + title: Add case file request properties + Cases_add_user_comment_request_properties: + description: Defines properties for case comment requests when type is user. + properties: + comment: + description: The new comment. It is required only when `type` is `user`. + example: A new comment. + maxLength: 30000 + type: string + owner: + $ref: '#/components/schemas/Cases_owner' + type: + description: The type of comment. + enum: + - user + example: user + type: string + required: + - comment + - owner + - type + title: Add case comment request properties for user comments + type: object + Cases_alert_comment_response_properties: + title: Add case comment response properties for alerts + type: object + properties: + alertId: + items: + example: a6e12ac4-7bce-457b-84f6-d7ce8deb8446 + type: string + type: array + created_at: + example: '2023-11-06T19:29:38.424Z' + format: date-time + type: string + created_by: + type: object + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + required: + - email + - full_name + - username + id: + example: 73362370-ab1a-11ec-985f-97e55adae8b9 + type: string + index: + items: + example: .internal.alerts-security.alerts-default-000001 + type: string + type: array + owner: + $ref: '#/components/schemas/Cases_owner' + pushed_at: + example: null + format: date-time + nullable: true + type: string + pushed_by: + nullable: true + type: object + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + required: 
+ - email + - full_name + - username + rule: + type: object + properties: + id: + description: The rule identifier. + example: 94d80550-aaf4-11ec-985f-97e55adae8b9 + nullable: true + type: string + name: + description: The rule name. + example: security_rule + nullable: true + type: string + type: + enum: + - alert + example: alert + type: string + updated_at: + format: date-time + nullable: true + type: string + updated_by: + nullable: true + type: object + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + required: + - email + - full_name + - username + version: + example: WzMwNDgsMV0= + type: string + required: + - type + Cases_alert_identifiers: + description: | + The alert identifiers. It is required only when `type` is `alert`. You can use an array of strings to add multiple alerts to a case, provided that they all relate to the same rule; `index` must also be an array with the same length or number of elements. Adding multiple alerts in this manner is recommended rather than calling the API multiple times. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. + example: 6b24c4dc44bc720cfc92797f3d61fff952f2b2627db1fb4f8cc49f4530c4ff42 + oneOf: + - type: string + - items: + type: string + maxItems: 1000 + type: array + title: Alert identifiers + x-state: Technical preview + Cases_alert_indices: + description: | + The alert indices. It is required only when `type` is `alert`. 
If you are adding multiple alerts to a case, use an array of strings; the position of each index name in the array must match the position of the corresponding alert identifier in the `alertId` array. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. + oneOf: + - type: string + - items: + type: string + maxItems: 1000 + type: array + title: Alert indices + x-state: Technical preview + Cases_alert_response_properties: + type: object + properties: + attached_at: + format: date-time + type: string + id: + description: The alert identifier. + type: string + index: + description: The alert index. + type: string + Cases_assignees: + description: An array containing users that are assigned to the case. + items: + type: object + properties: + uid: + description: A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API. + example: u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0 + type: string + required: + - uid + maxItems: 10 + nullable: true + type: array + Cases_attachment_totals: + description: Counts of alerts, events, and user comments attached to a case. + properties: + alerts: + description: Number of alert attachments on the case. + type: integer + events: + description: Number of event attachments on the case. + type: integer + userComments: + description: Number of user comment attachments on the case. + type: integer + required: + - alerts + - events + - userComments + title: Attachment totals + type: object + Cases_case_categories: + items: + $ref: '#/components/schemas/Cases_case_category' + maxItems: 100 + type: array + Cases_case_category: + description: A word or phrase that categorizes the case. 
+ maxLength: 50 + type: string + Cases_case_close_sync_reason: + description: | + The close reason to sync to attached alerts when closing the case. Can be one of following predefined reasons: [false_positive, duplicate, true_positive, benign_positive, automated_closure, other] or a custom reason provided by the user. + oneOf: + - enum: + - false_positive + - duplicate + - true_positive + - benign_positive + - automated_closure + - other + type: string + - type: string + Cases_case_description: + description: The description for the case. + maxLength: 30000 + type: string + Cases_case_observable: + description: A single observable attached to a case. + properties: + createdAt: + description: When the observable was created. + example: '2024-11-14T10:00:00.000Z' + format: date-time + type: string + description: + description: An optional description for the observable. + example: Source IP + nullable: true + type: string + id: + description: The observable identifier. + example: df927ab8-54ed-47d6-be07-9948c255c097 + type: string + typeKey: + description: The observable type key. + example: observable-type-ipv4 + type: string + updatedAt: + description: When the observable was last updated. + example: '2024-11-14T10:00:00.000Z' + format: date-time + nullable: true + type: string + value: + description: The observable value. 
+ example: 10.0.0.8 + type: string + required: + - id + - typeKey + - value + - description + - createdAt + - updatedAt + title: Case observable + type: object + Cases_case_response_closed_by_properties: + nullable: true + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + required: + - email + - full_name + - username + title: Case response properties for closed_by + type: object + Cases_case_response_created_by_properties: + title: Case response properties for created_by + type: object + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + required: + - email + - full_name + - username + Cases_case_response_get_case: + description: | + Case details returned by the get case API. The comments property is not included in the response. Use the find case comments API to retrieve comments. totalComment reflects the actual number of user comments. + properties: + assignees: + $ref: '#/components/schemas/Cases_assignees' + category: + description: The case category. 
+ nullable: true + type: string + closed_at: + format: date-time + nullable: true + type: string + closed_by: + $ref: '#/components/schemas/Cases_case_response_closed_by_properties' + connector: + discriminator: + mapping: + .cases-webhook: '#/components/schemas/Cases_connector_properties_cases_webhook' + .jira: '#/components/schemas/Cases_connector_properties_jira' + .none: '#/components/schemas/Cases_connector_properties_none' + .resilient: '#/components/schemas/Cases_connector_properties_resilient' + .servicenow: '#/components/schemas/Cases_connector_properties_servicenow' + .servicenow-sir: '#/components/schemas/Cases_connector_properties_servicenow_sir' + .swimlane: '#/components/schemas/Cases_connector_properties_swimlane' + propertyName: type + oneOf: + - $ref: '#/components/schemas/Cases_connector_properties_none' + - $ref: '#/components/schemas/Cases_connector_properties_cases_webhook' + - $ref: '#/components/schemas/Cases_connector_properties_jira' + - $ref: '#/components/schemas/Cases_connector_properties_resilient' + - $ref: '#/components/schemas/Cases_connector_properties_servicenow' + - $ref: '#/components/schemas/Cases_connector_properties_servicenow_sir' + - $ref: '#/components/schemas/Cases_connector_properties_swimlane' + title: Case response properties for connectors + created_at: + example: '2022-05-13T09:16:17.416Z' + format: date-time + type: string + created_by: + $ref: '#/components/schemas/Cases_case_response_created_by_properties' + customFields: + description: Custom field values for the case. + items: + type: object + properties: + key: + description: | + The unique identifier for the custom field. The key value must exist in the case configuration settings. + type: string + type: + description: | + The custom field type. It must match the type specified in the case configuration settings. + enum: + - text + - toggle + type: string + value: + description: | + The custom field value. 
If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is `undefined`. The value returned in the API and user interface in this case is `null`. + oneOf: + - maxLength: 160 + minLength: 1 + nullable: true + type: string + - type: boolean + type: array + description: + example: A case description. + type: string + duration: + description: | + The elapsed time from the creation of the case to its closure (in seconds). If the case has not been closed, the duration is set to null. If the case was closed after less than half a second, the duration is rounded down to zero. + example: 120 + nullable: true + type: integer + external_service: + $ref: '#/components/schemas/Cases_external_service' + id: + example: 66b9aa00-94fa-11ea-9f74-e7e108796192 + type: string + incremental_id: + description: | + A monotonically increasing number assigned to each case, unique per space. This value is generated asynchronously after the case is created and may not be present immediately in the response. + example: 1 + nullable: true + type: integer + observables: + description: Observables attached to the case. + items: + $ref: '#/components/schemas/Cases_case_observable' + type: array + owner: + $ref: '#/components/schemas/Cases_owner' + settings: + $ref: '#/components/schemas/Cases_settings' + severity: + $ref: '#/components/schemas/Cases_case_severity' + status: + $ref: '#/components/schemas/Cases_case_status' + tags: + example: + - tag-1 + items: + type: string + type: array + title: + example: Case title 1 + type: string + total_observables: + description: The number of observables attached to the case. + example: 0 + nullable: true + type: integer + totalAlerts: + example: 0 + type: integer + totalComment: + description: The number of user comments on the case. Use the find case comments API to retrieve comment content. 
+ example: 1 + type: integer + totalEvents: + description: The number of events attached to the case. + example: 0 + type: integer + updated_at: + format: date-time + nullable: true + type: string + updated_by: + $ref: '#/components/schemas/Cases_case_response_updated_by_properties' + version: + example: WzUzMiwxXQ== + type: string + required: + - closed_at + - closed_by + - connector + - created_at + - created_by + - description + - duration + - external_service + - id + - observables + - owner + - settings + - severity + - status + - tags + - title + - totalAlerts + - totalComment + - total_observables + - updated_at + - updated_by + - version + title: Get case response + type: object + Cases_case_response_properties: + title: Case response properties + type: object + properties: + assignees: + $ref: '#/components/schemas/Cases_assignees' + category: + description: The case category. + nullable: true + type: string + closed_at: + format: date-time + nullable: true + type: string + closed_by: + $ref: '#/components/schemas/Cases_case_response_closed_by_properties' + comments: + description: An array of comment objects for the case. 
+ items: + discriminator: + mapping: + alert: '#/components/schemas/Cases_alert_comment_response_properties' + event: '#/components/schemas/Cases_event_comment_response_properties' + user: '#/components/schemas/Cases_user_comment_response_properties' + propertyName: type + oneOf: + - $ref: '#/components/schemas/Cases_alert_comment_response_properties' + - $ref: '#/components/schemas/Cases_event_comment_response_properties' + - $ref: '#/components/schemas/Cases_user_comment_response_properties' + maxItems: 10000 + title: Case response properties for comments + type: array + connector: + discriminator: + mapping: + .cases-webhook: '#/components/schemas/Cases_connector_properties_cases_webhook' + .jira: '#/components/schemas/Cases_connector_properties_jira' + .none: '#/components/schemas/Cases_connector_properties_none' + .resilient: '#/components/schemas/Cases_connector_properties_resilient' + .servicenow: '#/components/schemas/Cases_connector_properties_servicenow' + .servicenow-sir: '#/components/schemas/Cases_connector_properties_servicenow_sir' + .swimlane: '#/components/schemas/Cases_connector_properties_swimlane' + propertyName: type + oneOf: + - $ref: '#/components/schemas/Cases_connector_properties_none' + - $ref: '#/components/schemas/Cases_connector_properties_cases_webhook' + - $ref: '#/components/schemas/Cases_connector_properties_jira' + - $ref: '#/components/schemas/Cases_connector_properties_resilient' + - $ref: '#/components/schemas/Cases_connector_properties_servicenow' + - $ref: '#/components/schemas/Cases_connector_properties_servicenow_sir' + - $ref: '#/components/schemas/Cases_connector_properties_swimlane' + title: Case response properties for connectors + created_at: + example: '2022-05-13T09:16:17.416Z' + format: date-time + type: string + created_by: + $ref: '#/components/schemas/Cases_case_response_created_by_properties' + customFields: + description: Custom field values for the case. 
+ items: + type: object + properties: + key: + description: | + The unique identifier for the custom field. The key value must exist in the case configuration settings. + type: string + type: + description: | + The custom field type. It must match the type specified in the case configuration settings. + enum: + - text + - toggle + type: string + value: + description: | + The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is `undefined`. The value returned in the API and user interface in this case is `null`. + oneOf: + - maxLength: 160 + minLength: 1 + nullable: true + type: string + - type: boolean + type: array + description: + example: A case description. + type: string + duration: + description: | + The elapsed time from the creation of the case to its closure (in seconds). If the case has not been closed, the duration is set to null. If the case was closed after less than half a second, the duration is rounded down to zero. + example: 120 + nullable: true + type: integer + external_service: + $ref: '#/components/schemas/Cases_external_service' + id: + example: 66b9aa00-94fa-11ea-9f74-e7e108796192 + type: string + incremental_id: + description: | + A monotonically increasing number assigned to each case, unique per space. This value is generated asynchronously after the case is created and may not be present immediately in the response. + example: 1 + nullable: true + type: integer + observables: + description: Observables attached to the case. 
+ items: + $ref: '#/components/schemas/Cases_case_observable' + type: array + owner: + $ref: '#/components/schemas/Cases_owner' + settings: + $ref: '#/components/schemas/Cases_settings' + severity: + $ref: '#/components/schemas/Cases_case_severity' + status: + $ref: '#/components/schemas/Cases_case_status' + tags: + example: + - tag-1 + items: + type: string + type: array + title: + example: Case title 1 + type: string + total_observables: + description: The number of observables attached to the case. + example: 0 + nullable: true + type: integer + totalAlerts: + example: 0 + type: integer + totalComment: + example: 0 + type: integer + totalEvents: + description: The number of events attached to the case. + example: 0 + type: integer + updated_at: + format: date-time + nullable: true + type: string + updated_by: + $ref: '#/components/schemas/Cases_case_response_updated_by_properties' + version: + example: WzUzMiwxXQ== + type: string + required: + - closed_at + - closed_by + - comments + - connector + - created_at + - created_by + - description + - duration + - external_service + - id + - observables + - owner + - settings + - severity + - status + - tags + - title + - totalAlerts + - totalComment + - total_observables + - updated_at + - updated_by + - version + Cases_case_response_pushed_by_properties: + nullable: true + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + required: + - email + - full_name + - username + title: Case response properties for pushed_by + type: object + Cases_case_response_updated_by_properties: + nullable: true + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: 
u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + required: + - email + - full_name + - username + title: Case response properties for updated_by + type: object + Cases_case_severity: + description: The severity of the case. + enum: + - critical + - high + - low + - medium + type: string + Cases_case_status: + description: The status of the case. + enum: + - closed + - in-progress + - open + type: string + Cases_case_tags: + description: | + The words and phrases that help categorize cases. It can be an empty array. + items: + maxLength: 256 type: string - Cases_defaultSearchOperator: - description: he default operator to use for the simple_query_string. - example: OR - in: query - name: defaultSearchOperator - schema: - default: OR + maxItems: 200 + type: array + Cases_case_title: + description: A title for the case. + maxLength: 160 + type: string + Cases_closure_types: + description: Indicates whether a case is automatically closed when it is pushed to external systems (`close-by-pushing`) or not automatically closed (`close-by-user`). + enum: + - close-by-pushing + - close-by-user + example: close-by-user + type: string + Cases_connector_properties_cases_webhook: + description: Defines properties for connectors when type is `.cases-webhook`. + type: object + properties: + fields: + example: null + nullable: true + type: string + id: + description: The identifier for the connector. To retrieve connector IDs, use the find connectors API. + type: string + name: + description: The name of the connector. + type: string + type: + description: The type of connector. + enum: + - .cases-webhook + example: .cases-webhook + type: string + required: + - fields + - id + - name + - type + title: Create or upate case request properties for Cases Webhook connector + Cases_connector_properties_jira: + description: Defines properties for connectors when type is `.jira`. 
+ type: object + properties: + fields: + description: An object containing the connector fields. If you want to omit any individual field, specify null as its value. + type: object + properties: + issueType: + description: The type of issue. + nullable: true + type: string + parent: + description: The key of the parent issue, when the issue type is sub-task. + nullable: true + type: string + priority: + description: The priority of the issue. + nullable: true + type: string + required: + - issueType + - parent + - priority + id: + description: The identifier for the connector. To retrieve connector IDs, use the find connectors API. + type: string + name: + description: The name of the connector. + type: string + type: + description: The type of connector. + enum: + - .jira + example: .jira + type: string + required: + - fields + - id + - name + - type + title: Create or update case request properties for a Jira connector + Cases_connector_properties_none: + description: Defines properties for connectors when type is `.none`. + type: object + properties: + fields: + description: An object containing the connector fields. To create a case without a connector, specify null. To update a case to remove the connector, specify null. + example: null + nullable: true + type: string + id: + description: The identifier for the connector. To create a case without a connector, use `none`. To update a case to remove the connector, specify `none`. + example: none + type: string + name: + description: The name of the connector. To create a case without a connector, use `none`. To update a case to remove the connector, specify `none`. + example: none + type: string + type: + description: The type of connector. To create a case without a connector, use `.none`. To update a case to remove the connector, specify `.none`. 
+ enum: + - .none + example: .none + type: string + required: + - fields + - id + - name + - type + title: Create or update case request properties for no connector + Cases_connector_properties_resilient: + description: Defines properties for connectors when type is `.resilient`. + type: object + properties: + fields: + description: An object containing the connector fields. If you want to omit any individual field, specify null as its value. + nullable: true + type: object + properties: + issueTypes: + description: The type of incident. + items: + type: string + type: array + severityCode: + description: The severity code of the incident. + type: string + required: + - issueTypes + - severityCode + id: + description: The identifier for the connector. + type: string + name: + description: The name of the connector. + type: string + type: + description: The type of connector. + enum: + - .resilient + example: .resilient + type: string + required: + - fields + - id + - name + - type + title: Create case request properties for a IBM Resilient connector + Cases_connector_properties_servicenow: + description: Defines properties for connectors when type is `.servicenow`. + type: object + properties: + fields: + description: An object containing the connector fields. If you want to omit any individual field, specify null as its value. + type: object + properties: + category: + description: The category of the incident. + nullable: true + type: string + impact: + description: The effect an incident had on business. + nullable: true + type: string + severity: + description: The severity of the incident. + nullable: true + type: string + subcategory: + description: The subcategory of the incident. + nullable: true + type: string + urgency: + description: The extent to which the incident resolution can be delayed. + nullable: true + type: string + required: + - category + - impact + - severity + - subcategory + - urgency + id: + description: The identifier for the connector. 
To retrieve connector IDs, use the find connectors API. + type: string + name: + description: The name of the connector. + type: string + type: + description: The type of connector. + enum: + - .servicenow + example: .servicenow + type: string + required: + - fields + - id + - name + - type + title: Create case request properties for a ServiceNow ITSM connector + Cases_connector_properties_servicenow_sir: + description: Defines properties for connectors when type is `.servicenow-sir`. + type: object + properties: + fields: + description: An object containing the connector fields. If you want to omit any individual field, specify null as its value. + type: object + properties: + category: + description: The category of the incident. + nullable: true + type: string + destIp: + description: Indicates whether cases will send a comma-separated list of destination IPs. + nullable: true + type: boolean + malwareHash: + description: Indicates whether cases will send a comma-separated list of malware hashes. + nullable: true + type: boolean + malwareUrl: + description: Indicates whether cases will send a comma-separated list of malware URLs. + nullable: true + type: boolean + priority: + description: The priority of the issue. + nullable: true + type: string + sourceIp: + description: Indicates whether cases will send a comma-separated list of source IPs. + nullable: true + type: boolean + subcategory: + description: The subcategory of the incident. + nullable: true + type: string + required: + - category + - destIp + - malwareHash + - malwareUrl + - priority + - sourceIp + - subcategory + id: + description: The identifier for the connector. To retrieve connector IDs, use the find connectors API. + type: string + name: + description: The name of the connector. + type: string + type: + description: The type of connector. 
+ enum: + - .servicenow-sir + example: .servicenow-sir + type: string + required: + - fields + - id + - name + - type + title: Create case request properties for a ServiceNow SecOps connector + Cases_connector_properties_swimlane: + description: Defines properties for connectors when type is `.swimlane`. + type: object + properties: + fields: + description: An object containing the connector fields. If you want to omit any individual field, specify null as its value. + type: object + properties: + caseId: + description: The case identifier for Swimlane connectors. + nullable: true + type: string + required: + - caseId + id: + description: The identifier for the connector. To retrieve connector IDs, use the find connectors API. + type: string + name: + description: The name of the connector. + type: string + type: + description: The type of connector. + enum: + - .swimlane + example: .swimlane + type: string + required: + - fields + - id + - name + - type + title: Create case request properties for a Swimlane connector + Cases_connector_types: + description: The type of connector. + enum: + - .cases-webhook + - .jira + - .none + - .resilient + - .servicenow + - .servicenow-sir + - .swimlane + example: .none + type: string + Cases_create_case_request: + description: The create case API request body varies depending on the type of connector. 
+ properties: + assignees: + $ref: '#/components/schemas/Cases_assignees' + category: + $ref: '#/components/schemas/Cases_case_category' + connector: + oneOf: + - $ref: '#/components/schemas/Cases_connector_properties_none' + - $ref: '#/components/schemas/Cases_connector_properties_cases_webhook' + - $ref: '#/components/schemas/Cases_connector_properties_jira' + - $ref: '#/components/schemas/Cases_connector_properties_resilient' + - $ref: '#/components/schemas/Cases_connector_properties_servicenow' + - $ref: '#/components/schemas/Cases_connector_properties_servicenow_sir' + - $ref: '#/components/schemas/Cases_connector_properties_swimlane' + customFields: + description: | + Custom field values for a case. Any optional custom fields that are not specified in the request are set to null. + items: + type: object + properties: + key: + description: | + The unique identifier for the custom field. The key value must exist in the case configuration settings. + type: string + type: + description: | + The custom field type. It must match the type specified in the case configuration settings. + enum: + - text + - toggle + type: string + value: + description: | + The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is `undefined`. The value returned in the API and user interface in this case is `null`. 
+ oneOf: + - maxLength: 160 + minLength: 1 + nullable: true + type: string + - type: boolean + required: + - key + - type + - value + maxItems: 10 + minItems: 0 + type: array + description: + $ref: '#/components/schemas/Cases_case_description' + owner: + $ref: '#/components/schemas/Cases_owner' + settings: + $ref: '#/components/schemas/Cases_settings' + severity: + $ref: '#/components/schemas/Cases_case_severity' + tags: + $ref: '#/components/schemas/Cases_case_tags' + title: + $ref: '#/components/schemas/Cases_case_title' + required: + - connector + - description + - owner + - settings + - tags + - title + title: Create case request + type: object + Cases_event_comment_response_properties: + title: Case response properties for event comments + type: object + properties: + created_at: + example: '2022-05-13T09:16:17.416Z' + format: date-time + type: string + created_by: + $ref: '#/components/schemas/Cases_case_response_created_by_properties' + eventId: + items: + example: 7605e6a6f9f4f990ad9f8f6901e5f082f1f1f1665cbaf2f0f2c6f8f6b0d8a39f + type: string + type: array + id: + example: 8af6ac20-74f6-11ea-b83a-553aecdb28b6 + type: string + index: + items: + example: .internal.alerts-security.alerts-default-000001 + type: string + type: array + owner: + $ref: '#/components/schemas/Cases_owner' + pushed_at: + example: null + format: date-time + nullable: true + type: string + pushed_by: + $ref: '#/components/schemas/Cases_case_response_pushed_by_properties' + type: + enum: + - event + example: event + type: string + updated_at: + example: null + format: date-time + nullable: true + type: string + updated_by: + $ref: '#/components/schemas/Cases_case_response_updated_by_properties' + version: + example: WzIwNDMxLDFd + type: string + required: + - type + Cases_external_service: + nullable: true + type: object + properties: + connector_id: + type: string + connector_name: + type: string + external_id: + type: string + external_title: + type: string + external_url: + type: 
string + pushed_at: + format: date-time + type: string + pushed_by: + nullable: true + type: object + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + Cases_find_comments_response: + title: Find case comments response + type: object + properties: + comments: + description: Paginated list of user comments for the case. + items: + $ref: '#/components/schemas/Cases_user_comment_response_properties' + type: array + page: + description: The current page index. + type: integer + per_page: + description: The number of items per page. + type: integer + total: + description: The total number of comments. + type: integer + required: + - comments + - page + - per_page + - total + Cases_owner: + description: | + The application that owns the cases: Stack Management, Observability, or Elastic Security. + enum: + - cases + - observability + - securitySolution + example: cases + type: string + Cases_owners: + items: + $ref: '#/components/schemas/Cases_owner' + type: array + Cases_payload_alert_comment: + type: object + properties: + comment: + type: object + properties: + alertId: + oneOf: + - example: 1c0b056b-cc9f-4b61-b5c9-cb801abd5e1d + type: string + - items: + type: string + type: array + index: + oneOf: + - example: .alerts-observability.logs.alerts-default + type: string + - items: + type: string + type: array + owner: + $ref: '#/components/schemas/Cases_owner' + rule: + type: object + properties: + id: + description: The rule identifier. + example: 94d80550-aaf4-11ec-985f-97e55adae8b9 + nullable: true + type: string + name: + description: The rule name. 
+ example: security_rule + nullable: true + type: string + type: + enum: + - alert + type: string + Cases_payload_assignees: + type: object + properties: + assignees: + $ref: '#/components/schemas/Cases_assignees' + Cases_payload_connector: + type: object + properties: + connector: + type: object + properties: + fields: + description: An object containing the connector fields. To create a case without a connector, specify null. If you want to omit any individual field, specify null as its value. + example: null + nullable: true + type: object + properties: + caseId: + description: The case identifier for Swimlane connectors. + type: string + category: + description: The category of the incident for ServiceNow ITSM and ServiceNow SecOps connectors. + type: string + destIp: + description: Indicates whether cases will send a comma-separated list of destination IPs for ServiceNow SecOps connectors. + nullable: true + type: boolean + impact: + description: The effect an incident had on business for ServiceNow ITSM connectors. + type: string + issueType: + description: The type of issue for Jira connectors. + type: string + issueTypes: + description: The type of incident for IBM Resilient connectors. + items: + type: string + type: array + malwareHash: + description: Indicates whether cases will send a comma-separated list of malware hashes for ServiceNow SecOps connectors. + nullable: true + type: boolean + malwareUrl: + description: Indicates whether cases will send a comma-separated list of malware URLs for ServiceNow SecOps connectors. + nullable: true + type: boolean + parent: + description: The key of the parent issue, when the issue type is sub-task for Jira connectors. + type: string + priority: + description: The priority of the issue for Jira and ServiceNow SecOps connectors. + type: string + severity: + description: The severity of the incident for ServiceNow ITSM connectors. 
+ type: string + severityCode: + description: The severity code of the incident for IBM Resilient connectors. + type: string + sourceIp: + description: Indicates whether cases will send a comma-separated list of source IPs for ServiceNow SecOps connectors. + nullable: true + type: boolean + subcategory: + description: The subcategory of the incident for ServiceNow ITSM connectors. + type: string + urgency: + description: The extent to which the incident resolution can be delayed for ServiceNow ITSM connectors. + type: string + id: + description: The identifier for the connector. To create a case without a connector, use `none`. + example: none + type: string + name: + description: The name of the connector. To create a case without a connector, use `none`. + example: none + type: string + type: + $ref: '#/components/schemas/Cases_connector_types' + Cases_payload_create_case: + type: object + properties: + assignees: + $ref: '#/components/schemas/Cases_assignees' + connector: + type: object + properties: + fields: + description: An object containing the connector fields. To create a case without a connector, specify null. If you want to omit any individual field, specify null as its value. + example: null + nullable: true + type: object + properties: + caseId: + description: The case identifier for Swimlane connectors. + type: string + category: + description: The category of the incident for ServiceNow ITSM and ServiceNow SecOps connectors. + type: string + destIp: + description: Indicates whether cases will send a comma-separated list of destination IPs for ServiceNow SecOps connectors. + nullable: true + type: boolean + impact: + description: The effect an incident had on business for ServiceNow ITSM connectors. + type: string + issueType: + description: The type of issue for Jira connectors. + type: string + issueTypes: + description: The type of incident for IBM Resilient connectors. 
+ items: + type: string + type: array + malwareHash: + description: Indicates whether cases will send a comma-separated list of malware hashes for ServiceNow SecOps connectors. + nullable: true + type: boolean + malwareUrl: + description: Indicates whether cases will send a comma-separated list of malware URLs for ServiceNow SecOps connectors. + nullable: true + type: boolean + parent: + description: The key of the parent issue, when the issue type is sub-task for Jira connectors. + type: string + priority: + description: The priority of the issue for Jira and ServiceNow SecOps connectors. + type: string + severity: + description: The severity of the incident for ServiceNow ITSM connectors. + type: string + severityCode: + description: The severity code of the incident for IBM Resilient connectors. + type: string + sourceIp: + description: Indicates whether cases will send a comma-separated list of source IPs for ServiceNow SecOps connectors. + nullable: true + type: boolean + subcategory: + description: The subcategory of the incident for ServiceNow ITSM connectors. + type: string + urgency: + description: The extent to which the incident resolution can be delayed for ServiceNow ITSM connectors. + type: string + id: + description: The identifier for the connector. To create a case without a connector, use `none`. + example: none + type: string + name: + description: The name of the connector. To create a case without a connector, use `none`. 
+ example: none + type: string + type: + $ref: '#/components/schemas/Cases_connector_types' + description: + type: string + owner: + $ref: '#/components/schemas/Cases_owner' + settings: + $ref: '#/components/schemas/Cases_settings' + severity: + $ref: '#/components/schemas/Cases_case_severity' + status: + $ref: '#/components/schemas/Cases_case_status' + tags: + example: + - tag-1 + items: + type: string + type: array + title: + type: string + Cases_payload_delete: + description: If the `action` is `delete` and the `type` is `delete_case`, the payload is nullable. + nullable: true + type: object + Cases_payload_description: + type: object + properties: + description: + type: string + Cases_payload_pushed: + type: object + properties: + externalService: + $ref: '#/components/schemas/Cases_external_service' + Cases_payload_settings: + type: object + properties: + settings: + $ref: '#/components/schemas/Cases_settings' + Cases_payload_severity: + type: object + properties: + severity: + $ref: '#/components/schemas/Cases_case_severity' + Cases_payload_status: + type: object + properties: + status: + $ref: '#/components/schemas/Cases_case_status' + Cases_payload_tags: + type: object + properties: + tags: + example: + - tag-1 + items: + type: string + type: array + Cases_payload_title: + type: object + properties: + title: + type: string + Cases_payload_user_comment: + type: object + properties: + comment: + type: object + properties: + comment: + type: string + owner: + $ref: '#/components/schemas/Cases_owner' + type: + enum: + - user + type: string + Cases_related_case: + description: | + Summary of a case returned when listing cases that contain a given alert. This is a subset of the full case response. + properties: + createdAt: + description: When the case was created. + format: date-time + type: string + description: + description: The case description. + type: string + id: + description: The case identifier. 
+ type: string + status: + $ref: '#/components/schemas/Cases_case_status' + title: + description: The case title. + type: string + totals: + $ref: '#/components/schemas/Cases_attachment_totals' + required: + - id + - title + - description + - status + - createdAt + - totals + title: Related case + type: object + Cases_response_4xx: + properties: + error: + example: Unauthorized + type: string + message: + type: string + statusCode: + example: 401 + type: integer + title: Unsuccessful cases API response + type: object + Cases_rule: + description: | + The rule that is associated with the alerts. It is required only when `type` is `alert`. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. + title: Alerting rule + type: object + properties: + id: + description: The rule identifier. + example: 94d80550-aaf4-11ec-985f-97e55adae8b9 + type: string + name: + description: The rule name. + example: security_rule + type: string + x-state: Technical preview + Cases_searchFieldsType: + description: The fields to perform the `simple_query_string` parsed query against. + enum: + - description + - title + type: string + Cases_searchFieldsTypeArray: + items: + $ref: '#/components/schemas/Cases_searchFieldsType' + type: array + Cases_set_case_configuration_request: + description: External connection details, such as the closure type and default connector for cases. + properties: + closure_type: + $ref: '#/components/schemas/Cases_closure_types' + connector: + description: An object that contains the connector configuration. + type: object + properties: + fields: + description: The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to `null`. + nullable: true + type: object + id: + description: The identifier for the connector. 
If you do not want a default connector, use `none`. To retrieve connector IDs, use the find connectors API. + example: none + type: string + name: + description: The name of the connector. If you do not want a default connector, use `none`. To retrieve connector names, use the find connectors API. + example: none + type: string + type: + $ref: '#/components/schemas/Cases_connector_types' + required: + - fields + - id + - name + - type + customFields: + description: Custom fields case configuration. + items: + type: object + properties: + defaultValue: + description: | + A default value for the custom field. If the `type` is `text`, the default value must be a string. If the `type` is `toggle`, the default value must be boolean. + oneOf: + - type: string + - type: boolean + key: + description: | + A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field. + maxLength: 36 + minLength: 1 + type: string + label: + description: The custom field label that is displayed in the case. + maxLength: 50 + minLength: 1 + type: string + type: + description: The type of the custom field. + enum: + - text + - toggle + type: string + required: + description: | + Indicates whether the field is required. If `false`, the custom field can be set to null or omitted when a case is created or updated. + type: boolean + required: + - key + - label + - required + - type + maxItems: 10 + minItems: 0 + type: array + owner: + $ref: '#/components/schemas/Cases_owner' + templates: + $ref: '#/components/schemas/Cases_templates' + required: + - closure_type + - connector + - owner + title: Set case configuration request + type: object + Cases_settings: + description: An object that contains the case settings. + type: object + properties: + extractObservables: + description: | + When true, observables (e.g. IPs, hashes, URLs) are automatically extracted from case comments. 
Optional; defaults to false when omitted. + example: false + type: boolean + syncAlerts: + description: Turns alert syncing on or off. + example: true + type: boolean + required: + - syncAlerts + Cases_string: + type: string + Cases_string_array: + items: + $ref: '#/components/schemas/Cases_string' + maxItems: 100 + type: array + Cases_template_tags: + description: | + The words and phrases that help categorize templates. It can be an empty array. + items: + maxLength: 256 type: string - Cases_from: - description: > - Returns only cases that were created after a specific date. The date - must be specified as a KQL data range or date match expression. - in: query - name: from - schema: - example: now-1d + maxItems: 200 + type: array + Cases_templates: + items: + type: object + properties: + caseFields: + type: object + properties: + assignees: + $ref: '#/components/schemas/Cases_assignees' + category: + $ref: '#/components/schemas/Cases_case_category' + connector: + type: object + properties: + fields: + description: The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to `null`. + nullable: true + type: object + id: + description: The identifier for the connector. If you do not want a default connector, use `none`. To retrieve connector IDs, use the find connectors API. + example: none + type: string + name: + description: The name of the connector. If you do not want a default connector, use `none`. To retrieve connector names, use the find connectors API. + example: none + type: string + type: + $ref: '#/components/schemas/Cases_connector_types' + customFields: + description: Custom field values in the template. + items: + type: object + properties: + key: + description: The unique key for the custom field. + type: string + type: + description: The type of the custom field. 
+ enum: + - text + - toggle + type: string + value: + description: | + The default value for the custom field when a case uses the template. If the `type` is `text`, the default value must be a string. If the `type` is `toggle`, the default value must be boolean. + oneOf: + - type: string + - type: boolean + type: array + x-state: Technical preview + description: + $ref: '#/components/schemas/Cases_case_description' + settings: + $ref: '#/components/schemas/Cases_settings' + severity: + $ref: '#/components/schemas/Cases_case_severity' + tags: + $ref: '#/components/schemas/Cases_case_tags' + title: + $ref: '#/components/schemas/Cases_case_title' + description: + description: A description for the template. + type: string + key: + description: | + A unique key for the template. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific template. + type: string + name: + description: The name of the template. + type: string + tags: + $ref: '#/components/schemas/Cases_template_tags' + type: array + x-state: Technical preview + Cases_update_alert_comment_request_properties: + description: Defines properties for case comment requests when type is alert. + type: object + properties: + alertId: + $ref: '#/components/schemas/Cases_alert_identifiers' + id: + description: | + The identifier for the comment. To retrieve comment IDs, use the get comments API. + example: 8af6ac20-74f6-11ea-b83a-553aecdb28b6 + type: string + index: + $ref: '#/components/schemas/Cases_alert_indices' + owner: + $ref: '#/components/schemas/Cases_owner' + rule: + $ref: '#/components/schemas/Cases_rule' + type: + description: The type of comment. + enum: + - alert + example: alert + type: string + version: + description: | + The current comment version. To retrieve version values, use the get comments API. 
+ example: Wzk1LDFd + type: string + required: + - alertId + - id + - index + - owner + - rule + - type + - version + title: Update case comment request properties for alerts + Cases_update_case_comment_request: + description: The update case comment API request body varies depending on whether you are updating an alert or a comment. + discriminator: + mapping: + alert: '#/components/schemas/Cases_update_alert_comment_request_properties' + user: '#/components/schemas/Cases_update_user_comment_request_properties' + propertyName: type + oneOf: + - $ref: '#/components/schemas/Cases_update_alert_comment_request_properties' + - $ref: '#/components/schemas/Cases_update_user_comment_request_properties' + title: Update case comment request + Cases_update_case_configuration_request: + description: | + You can update settings such as the closure type, custom fields, templates, and the default connector for cases. + properties: + closure_type: + $ref: '#/components/schemas/Cases_closure_types' + connector: + description: An object that contains the connector configuration. + type: object + properties: + fields: + description: The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to `null`. + nullable: true + type: object + id: + description: The identifier for the connector. If you do not want a default connector, use `none`. To retrieve connector IDs, use the find connectors API. + example: none + type: string + name: + description: The name of the connector. If you do not want a default connector, use `none`. To retrieve connector names, use the find connectors API. + example: none + type: string + type: + $ref: '#/components/schemas/Cases_connector_types' + required: + - fields + - id + - name + - type + customFields: + description: Custom fields case configuration. + items: + type: object + properties: + defaultValue: + description: | + A default value for the custom field. 
If the `type` is `text`, the default value must be a string. If the `type` is `toggle`, the default value must be boolean. + oneOf: + - type: string + - type: boolean + key: + description: | + A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field. + maxLength: 36 + minLength: 1 + type: string + label: + description: The custom field label that is displayed in the case. + maxLength: 50 + minLength: 1 + type: string + type: + description: The type of the custom field. + enum: + - text + - toggle + type: string + required: + description: | + Indicates whether the field is required. If `false`, the custom field can be set to null or omitted when a case is created or updated. + type: boolean + required: + - key + - label + - required + - type + type: array + templates: + $ref: '#/components/schemas/Cases_templates' + version: + description: | + The version of the connector. To retrieve the version value, use the get configuration API. + example: WzIwMiwxXQ== + type: string + required: + - version + title: Update case configuration request + type: object + Cases_update_case_request: + description: The update case API request body varies depending on the type of connector. + properties: + cases: + description: An array containing one or more case objects. 
+ items: + type: object + properties: + assignees: + $ref: '#/components/schemas/Cases_assignees' + category: + $ref: '#/components/schemas/Cases_case_category' + closeReason: + $ref: '#/components/schemas/Cases_case_close_sync_reason' + connector: + oneOf: + - $ref: '#/components/schemas/Cases_connector_properties_none' + - $ref: '#/components/schemas/Cases_connector_properties_cases_webhook' + - $ref: '#/components/schemas/Cases_connector_properties_jira' + - $ref: '#/components/schemas/Cases_connector_properties_resilient' + - $ref: '#/components/schemas/Cases_connector_properties_servicenow' + - $ref: '#/components/schemas/Cases_connector_properties_servicenow_sir' + - $ref: '#/components/schemas/Cases_connector_properties_swimlane' + customFields: + description: | + Custom field values for a case. Any optional custom fields that are not specified in the request are set to null. + items: + type: object + properties: + key: + description: | + The unique identifier for the custom field. The key value must exist in the case configuration settings. + type: string + type: + description: | + The custom field type. It must match the type specified in the case configuration settings. + enum: + - text + - toggle + type: string + value: + description: | + The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is `undefined`. The value returned in the API and user interface in this case is `null`. + oneOf: + - maxLength: 160 + minLength: 1 + nullable: true + type: string + - type: boolean + required: + - key + - type + - value + maxItems: 10 + minItems: 0 + type: array + description: + $ref: '#/components/schemas/Cases_case_description' + id: + description: The identifier for the case. 
+ maxLength: 30000 + type: string + settings: + $ref: '#/components/schemas/Cases_settings' + severity: + $ref: '#/components/schemas/Cases_case_severity' + status: + $ref: '#/components/schemas/Cases_case_status' + tags: + $ref: '#/components/schemas/Cases_case_tags' + title: + $ref: '#/components/schemas/Cases_case_title' + version: + description: | + The current version of the case. To determine this value, use the get case or search cases (`_find`) APIs. + type: string + required: + - id + - version + maxItems: 100 + minItems: 1 + type: array + required: + - cases + title: Update case request + type: object + Cases_update_user_comment_request_properties: + description: Defines properties for case comment requests when type is user. + properties: + comment: + description: The new comment. It is required only when `type` is `user`. + example: A new comment. + maxLength: 30000 + type: string + id: + description: | + The identifier for the comment. To retrieve comment IDs, use the get comments API. + example: 8af6ac20-74f6-11ea-b83a-553aecdb28b6 + type: string + owner: + $ref: '#/components/schemas/Cases_owner' + type: + description: The type of comment. + enum: + - user + example: user + type: string + version: + description: | + The current comment version. To retrieve version values, use the get comments API. 
+ example: Wzk1LDFd + type: string + required: + - comment + - id + - owner + - type + - version + title: Update case comment request properties for user comments + type: object + Cases_user_actions_find_response_properties: + type: object + properties: + action: + $ref: '#/components/schemas/Cases_actions' + comment_id: + example: 578608d0-03b1-11ed-920c-974bfa104448 + nullable: true + type: string + created_at: + example: '2022-05-13T09:16:17.416Z' + format: date-time + type: string + created_by: + type: object + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + required: + - email + - full_name + - username + id: + example: 22fd3e30-03b1-11ed-920c-974bfa104448 + type: string + owner: + $ref: '#/components/schemas/Cases_owner' + payload: + oneOf: + - $ref: '#/components/schemas/Cases_payload_alert_comment' + - $ref: '#/components/schemas/Cases_payload_assignees' + - $ref: '#/components/schemas/Cases_payload_connector' + - $ref: '#/components/schemas/Cases_payload_create_case' + - $ref: '#/components/schemas/Cases_payload_delete' + - $ref: '#/components/schemas/Cases_payload_description' + - $ref: '#/components/schemas/Cases_payload_pushed' + - $ref: '#/components/schemas/Cases_payload_settings' + - $ref: '#/components/schemas/Cases_payload_severity' + - $ref: '#/components/schemas/Cases_payload_status' + - $ref: '#/components/schemas/Cases_payload_tags' + - $ref: '#/components/schemas/Cases_payload_title' + - $ref: '#/components/schemas/Cases_payload_user_comment' + type: + description: The type of action. 
+ enum: + - assignees + - category + - comment + - connector + - create_case + - customFields + - delete_case + - description + - extended_fields + - observables + - pushed + - settings + - severity + - status + - tags + - title + example: create_case + type: string + version: + example: WzM1ODg4LDFd + type: string + required: + - action + - comment_id + - created_at + - created_by + - id + - owner + - payload + - type + - version + Cases_user_comment_response_properties: + title: Case response properties for user comments + type: object + properties: + comment: + example: A new comment. + type: string + created_at: + example: '2022-05-13T09:16:17.416Z' + format: date-time + type: string + created_by: + $ref: '#/components/schemas/Cases_case_response_created_by_properties' + id: + example: 8af6ac20-74f6-11ea-b83a-553aecdb28b6 + type: string + owner: + $ref: '#/components/schemas/Cases_owner' + pushed_at: + example: null + format: date-time + nullable: true + type: string + pushed_by: + $ref: '#/components/schemas/Cases_case_response_pushed_by_properties' + type: + enum: + - user + example: user + type: string + updated_at: + example: null + format: date-time + nullable: true + type: string + updated_by: + $ref: '#/components/schemas/Cases_case_response_updated_by_properties' + version: + example: WzIwNDMxLDFd + type: string + required: + - type + Data_views_400_response: + title: Bad request + type: object + properties: + error: + example: Bad Request + type: string + message: + type: string + statusCode: + example: 400 + type: number + required: + - statusCode + - error + - message + Data_views_404_response: + type: object + properties: + error: + enum: + - Not Found + example: Not Found + type: string + message: + example: Saved object [index-pattern/caaad6d0-920c-11ed-b36a-874bd1548a00] not found + type: string + statusCode: + enum: + - 404 + example: 404 + type: integer + Data_views_allownoindex: + description: Allows the data view saved object to exist before 
the data is available. Defaults to `false`. + type: boolean + Data_views_create_data_view_request_object: + title: Create data view request + type: object + properties: + data_view: + description: The data view object. + type: object + properties: + allowNoIndex: + $ref: '#/components/schemas/Data_views_allownoindex' + fieldAttrs: + additionalProperties: + $ref: '#/components/schemas/Data_views_fieldattrs' + type: object + fieldFormats: + $ref: '#/components/schemas/Data_views_fieldformats' + fields: + type: object + id: + type: string + name: + description: The data view name. + type: string + namespaces: + $ref: '#/components/schemas/Data_views_namespaces' + runtimeFieldMap: + additionalProperties: + $ref: '#/components/schemas/Data_views_runtimefieldmap' + type: object + sourceFilters: + $ref: '#/components/schemas/Data_views_sourcefilters' + timeFieldName: + $ref: '#/components/schemas/Data_views_timefieldname' + title: + $ref: '#/components/schemas/Data_views_title' + type: + $ref: '#/components/schemas/Data_views_type' + typeMeta: + $ref: '#/components/schemas/Data_views_typemeta' + version: + type: string + required: + - title + override: + default: false + description: Override an existing data view if a data view with the provided title already exists. + type: boolean + required: + - data_view + Data_views_data_view_response_object: + title: Data view response properties + type: object + properties: + data_view: + type: object + properties: + allowNoIndex: + $ref: '#/components/schemas/Data_views_allownoindex' + fieldAttrs: + additionalProperties: + $ref: '#/components/schemas/Data_views_fieldattrs' + type: object + fieldFormats: + $ref: '#/components/schemas/Data_views_fieldformats' + fields: + type: object + id: + example: ff959d40-b880-11e8-a6d9-e546fe2bba5f + type: string + name: + description: The data view name. 
+ type: string + namespaces: + $ref: '#/components/schemas/Data_views_namespaces' + runtimeFieldMap: + additionalProperties: + $ref: '#/components/schemas/Data_views_runtimefieldmap' + type: object + sourceFilters: + $ref: '#/components/schemas/Data_views_sourcefilters' + timeFieldName: + $ref: '#/components/schemas/Data_views_timefieldname' + title: + $ref: '#/components/schemas/Data_views_title' + typeMeta: + $ref: '#/components/schemas/Data_views_typemeta_response' + version: + example: WzQ2LDJd + type: string + Data_views_fieldattrs: + description: A map of field attributes by field name. + type: object + properties: + count: + description: Popularity count for the field. + type: integer + customDescription: + description: Custom description for the field. + maxLength: 300 + type: string + customLabel: + description: Custom label for the field. + type: string + Data_views_fieldformats: + description: A map of field formats by field name. + type: object + Data_views_namespaces: + description: An array of space identifiers for sharing the data view between multiple spaces. + items: + default: default type: string - Cases_ids: - description: > - The cases that you want to removed. To get the case identifiers, use the - search cases (`_find`) API. In the Dev Console, you can specify the - array of cases in the following format: - `ids=["e58e77e3-ef8e-4251-926f-efb115f3c4ec"]`. In `curl`, all non-ASCII - characters must be URL encoded. For example: - `ids=%5B%22e58e77e3-ef8e-4251-926f-efb115f3c4ec%22%5D` - in: query - name: ids - required: true - schema: + type: array + Data_views_runtimefieldmap: + description: A map of runtime field definitions by field name. + type: object + properties: + script: + type: object + properties: + source: + description: Script for the runtime field. + type: string + type: + description: Mapping type of the runtime field. 
+ type: string + required: + - script + - type + Data_views_sourcefilters: + description: The array of field names you want to filter out in Discover. + items: + type: object + properties: + value: + type: string + required: + - value + type: array + Data_views_swap_data_view_request_object: + title: Data view reference swap request + type: object + properties: + delete: + description: Deletes referenced saved object if all references are removed. + type: boolean + forId: + description: Limit the affected saved objects to one or more by identifier. + oneOf: + - type: string + - items: + type: string + type: array + forType: + description: Limit the affected saved objects by type. + type: string + fromId: + description: The saved object reference to change. + type: string + fromType: + description: | + Specify the type of the saved object reference to alter. The default value is `index-pattern` for data views. + type: string + toId: + description: New saved object reference value to replace the old value. + type: string + required: + - fromId + - toId + Data_views_timefieldname: + description: The timestamp field name, which you use for time-based data views. + type: string + Data_views_title: + description: Comma-separated list of data streams, indices, and aliases that you want to search. Supports wildcards (`*`). + type: string + Data_views_type: + description: When set to `rollup`, identifies the rollup data views. + type: string + Data_views_typemeta: + description: When you use rollup indices, contains the field list for the rollup data view API endpoints. + type: object + properties: + aggs: + description: A map of rollup restrictions by aggregation type and field name. + type: object + params: + description: Properties for retrieving rollup fields. + type: object + required: + - aggs + - params + Data_views_typemeta_response: + description: When you use rollup indices, contains the field list for the rollup data view API endpoints. 
+ nullable: true + type: object + properties: + aggs: + description: A map of rollup restrictions by aggregation type and field name. + type: object + params: + description: Properties for retrieving rollup fields. + type: object + Data_views_update_data_view_request_object: + title: Update data view request + type: object + properties: + data_view: + description: | + The data view properties you want to update. Only the specified properties are updated in the data view. Unspecified fields stay as they are persisted. + type: object + properties: + allowNoIndex: + $ref: '#/components/schemas/Data_views_allownoindex' + fieldFormats: + $ref: '#/components/schemas/Data_views_fieldformats' + fields: + type: object + name: + type: string + runtimeFieldMap: + additionalProperties: + $ref: '#/components/schemas/Data_views_runtimefieldmap' + type: object + sourceFilters: + $ref: '#/components/schemas/Data_views_sourcefilters' + timeFieldName: + $ref: '#/components/schemas/Data_views_timefieldname' + title: + $ref: '#/components/schemas/Data_views_title' + type: + $ref: '#/components/schemas/Data_views_type' + typeMeta: + $ref: '#/components/schemas/Data_views_typemeta' + refresh_fields: + default: false + description: Reloads the data view fields after the data view is updated. 
+ type: boolean + required: + - data_view + Kibana_HTTP_APIs_action_id_response: + additionalProperties: false + properties: + actionId: + type: string + required: + - actionId + title: action_id_response + type: object + Kibana_HTTP_APIs_action_message_response: + additionalProperties: false + properties: + message: + type: string + required: + - message + title: action_message_response + type: object + Kibana_HTTP_APIs_agent_policy_response: + additionalProperties: false + properties: + advanced_settings: + additionalProperties: false + type: object + properties: + agent_download_target_directory: + nullable: true + agent_download_timeout: + nullable: true + agent_features_disable_policy_change_acks_enabled: + nullable: true + agent_internal: + nullable: true + agent_limits_go_max_procs: + nullable: true + agent_logging_files_interval: + nullable: true + agent_logging_files_keepfiles: + nullable: true + agent_logging_files_rotateeverybytes: + nullable: true + agent_logging_level: + nullable: true + agent_logging_metrics_period: + nullable: true + agent_logging_to_files: + nullable: true + agent_monitoring_runtime_experimental: + nullable: true + agent_features: + items: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + name: + type: string + required: + - name + - enabled + maxItems: 100 + type: array + agentless: + additionalProperties: false + type: object + properties: + cloud_connectors: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + target_csp: + enum: + - aws + - azure + - gcp + type: string + required: + - enabled + cluster_id: + type: string + resources: + additionalProperties: false + type: object + properties: + requests: + additionalProperties: false + type: object + properties: + cpu: + type: string + memory: + type: string + agents: + type: number + agents_per_version: + items: + additionalProperties: false + type: object + properties: + count: + type: number + version: + 
type: string + required: + - version + - count + maxItems: 1000 + type: array + created_at: + type: string + data_output_id: + nullable: true + type: string + description: + type: string + download_source_id: + nullable: true + type: string + fips_agents: + type: number + fleet_server_host_id: + nullable: true + type: string + global_data_tags: + description: User defined data tags that are added to all of the inputs. The values can be strings or numbers. + items: + additionalProperties: false + type: object + properties: + name: + type: string + value: + anyOf: + - type: string + - type: number + required: + - name + - value + maxItems: 100 + type: array + has_agent_version_conditions: + type: boolean + has_fleet_server: + type: boolean + id: + type: string + inactivity_timeout: + default: 1209600 + minimum: 0 + type: number + is_default: + type: boolean + is_default_fleet_server: + type: boolean + is_managed: + type: boolean + is_preconfigured: + type: boolean + is_protected: + description: Indicates whether the agent policy has tamper protection enabled. Defaults to `false`. 
+ type: boolean + is_verifier: + type: boolean + keep_monitoring_alive: + default: false + description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled + nullable: true + type: boolean + min_agent_version: + nullable: true + type: string + monitoring_diagnostics: + additionalProperties: false + type: object + properties: + limit: + additionalProperties: false + type: object + properties: + burst: + type: number + interval: + type: string + uploader: + additionalProperties: false + type: object + properties: + init_dur: + type: string + max_dur: + type: string + max_retries: + type: number + monitoring_enabled: + items: + enum: + - logs + - metrics + - traces + type: string + maxItems: 3 + type: array + monitoring_http: + additionalProperties: false + type: object + properties: + buffer: + additionalProperties: false + type: object + properties: + enabled: + default: false + type: boolean + enabled: + type: boolean + host: + type: string + port: + maximum: 65353 + minimum: 0 + type: number + monitoring_output_id: + nullable: true + type: string + monitoring_pprof_enabled: + type: boolean + name: + minLength: 1 + type: string + namespace: + minLength: 1 + type: string + overrides: + additionalProperties: + nullable: true + description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure. 
+ nullable: true + type: object + package_agent_version_conditions: + items: + additionalProperties: false + type: object + properties: + name: + type: string + title: + type: string + version_condition: + type: string + required: + - name + - title + - version_condition + maxItems: 1000 + nullable: true + type: array + package_policies: + anyOf: + - items: + type: string + maxItems: 10000 + type: array + - description: This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the `?full=true` parameter + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_response' + maxItems: 10000 + type: array + required_versions: + items: + additionalProperties: false + type: object + properties: + percentage: + description: Target percentage of agents to auto upgrade + maximum: 100 + minimum: 0 + type: number + version: + description: Target version for automatic agent upgrade + type: string + required: + - version + - percentage + maxItems: 100 + nullable: true + type: array + revision: + type: number + schema_version: + type: string + space_ids: + items: + type: string + maxItems: 100 + type: array + status: + enum: + - active + - inactive + type: string + supports_agentless: + default: false + description: Indicates whether the agent policy supports agentless integrations. + nullable: true + type: boolean + unenroll_timeout: + minimum: 0 + type: number + unprivileged_agents: + type: number + updated_at: + type: string + updated_by: + type: string + version: + type: string + required: + - id + - name + - namespace + - is_protected + - status + - updated_at + - updated_by + - revision + title: agent_policy_response + type: object + Kibana_HTTP_APIs_aiops_change_point_chart: + additionalProperties: false + description: Change point detection chart embeddable schema + properties: + aggregation_function: + default: avg + description: The aggregation function used to calculate the metric values. 
+ enum: + - avg + - sum + - min + - max + type: string + data_view_id: + description: The data view ID used to run change point detection. + minLength: 1 + type: string + description: + type: string + hide_border: + type: boolean + hide_title: + type: boolean + max_series_to_plot: + default: 6 + description: The maximum number of change points to visualize. Defaults to 6. + maximum: 50 + minimum: 1 + type: number + metric_field: + description: The metric field used by the aggregation function. + minLength: 1 + type: string + partitions: + description: Optional split field values to include in the panel. + items: + minLength: 1 + type: string + maxItems: 10000 + type: array + split_field: + description: The optional field used to split change point results. + minLength: 1 + type: string + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + view_type: + default: charts + description: The type of change point detection view to display. + enum: + - charts + - table + type: string + required: + - data_view_id + - metric_field + title: aiops_change_point_chart + type: object + Kibana_HTTP_APIs_alerts_filter_query: + additionalProperties: false + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter can be either specific to an application context or applied globally. 
+ enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + title: alerts_filter_query + type: object + Kibana_HTTP_APIs_apm-anomaly-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_alert_delay' + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the APM anomaly rule. These parameters are appropriate when `rule_type_id` is `apm.anomaly"`. + properties: + anomalyDetectorTypes: + description: The types of anomalies that are detected. For example, detect abnormal latency, throughput, or failed transaction rates. + items: + enum: + - txLatency + - txThroughput + - txFailureRate + type: string + minItems: 1 + type: array + anomalySeverityType: + description: 'The severity of anomalies that result in an alert: critical, major, minor, or warning.' + enum: + - critical + - major + - minor + - warning + type: string + environment: + description: The environment from APM. + type: string + serviceName: + description: The service name from APM. + type: string + transactionType: + description: The transaction type from APM. + type: string + windowSize: + description: The size of the time window (in `windowUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection. + type: number + windowUnit: + description: 'The type of units for the time window: minutes, hours, or days.' 
+ type: string + required: + - windowSize + - windowUnit + - environment + - anomalySeverityType + title: APM Anomaly Rule Params + type: object + rule_type_id: + enum: + - apm.anomaly + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: APM anomaly + type: object + Kibana_HTTP_APIs_apm-error-rate-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_alert_delay' + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. 
For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the error count rule. These parameters are appropriate when `rule_type_id` is `apm.error_rate`. + properties: + environment: + description: Filter the errors coming from your application to apply the rule to a specific environment. + type: string + errorGroupingKey: + description: Filter the errors coming from your application to apply the rule to a specific error grouping key, which is a hash of the stack trace and other properties. + type: string + groupBy: + items: + description: Perform a composite aggregation against the selected fields. 
When any of these groups match the selected rule conditions, an alert is triggered per group. + type: string + type: array + searchConfiguration: + additionalProperties: false + type: object + properties: + query: + additionalProperties: false + type: object + properties: + language: + type: string + query: + anyOf: + - type: string + - additionalProperties: + nullable: true + type: object + required: + - query + - language + required: + - query + serviceName: + description: Filter the errors coming from your application to apply the rule to a specific service. + type: string + threshold: + description: The number of errors, which is the threshold for alerts. + type: number + useKqlFilter: + description: A filter in Kibana Query Language (KQL) that limits the scope of the rule. + type: boolean + windowSize: + description: The time frame in which the errors must occur (in `windowUnit` units). Generally it should be a value higher than the rule check interval to avoid gaps in detection. + type: number + windowUnit: + description: 'The type of units for the time window: minutes, hours, or days.' + type: string + required: + - windowSize + - windowUnit + - threshold + - environment + title: Error Count Rule Params + type: object + rule_type_id: + enum: + - apm.error_rate + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Error rate + type: object + Kibana_HTTP_APIs_apm-service-map-embeddable: + additionalProperties: false + description: APM service map embeddable schema + properties: + description: + type: string + environment: + default: ENVIRONMENT_ALL + type: string + hide_border: + type: boolean + hide_title: + type: boolean + kuery: + type: string + service_group_id: + type: string + service_name: + type: string + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + title: apm-service-map-embeddable + type: object + Kibana_HTTP_APIs_apm-transaction-duration-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_alert_delay' + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. 
+ type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the transaction duration rule. These parameters are appropriate when `rule_type_id` is `apm.transaction_duration`. + properties: + aggregationType: + description: The type of aggregation to perform. + enum: + - avg + - 95th + - 99th + type: string + environment: + description: Filter the rule to apply to a specific environment. + type: string + groupBy: + items: + description: Perform a composite aggregation against the selected fields. When any of these groups match the selected rule conditions, an alert is triggered per group. 
+ type: string + type: array + searchConfiguration: + additionalProperties: false + type: object + properties: + query: + additionalProperties: false + type: object + properties: + language: + type: string + query: + anyOf: + - type: string + - additionalProperties: + nullable: true + type: object + required: + - query + - language + required: + - query + serviceName: + description: Filter the rule to apply to a specific service. + type: string + threshold: + description: The latency threshold value. + type: number + transactionName: + description: Filter the rule to apply to a specific transaction name. + type: string + transactionType: + description: Filter the rule to apply to a specific transaction type. + type: string + useKqlFilter: + description: A Kibana Query Language (KQL) expression thats limits the scope of alerts. + type: boolean + windowSize: + description: The size of the time window (in `windowUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection. + type: number + windowUnit: + description: 'The type of units for the time window. For example: minutes, hours, or days.' + type: string + required: + - windowSize + - windowUnit + - threshold + - aggregationType + - environment + title: Transaction Duration Rule Params + type: object + rule_type_id: + enum: + - apm.transaction_duration + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. 
The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Transaction duration + type: object + Kibana_HTTP_APIs_apm-transaction-error-rate-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_alert_delay' + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the transaction error rate rule. These parameters are appropriate when `rule_type_id` is `apm.transaction_error_rate`. + properties: + environment: + type: string + groupBy: + items: + type: string + type: array + searchConfiguration: + additionalProperties: false + type: object + properties: + query: + additionalProperties: false + type: object + properties: + language: + type: string + query: + anyOf: + - type: string + - additionalProperties: + nullable: true + type: object + required: + - query + - language + required: + - query + serviceName: + type: string + threshold: + type: number + transactionName: + type: string + transactionType: + type: string + useKqlFilter: + type: boolean + windowSize: + type: number + windowUnit: + type: string + required: + - windowSize + - windowUnit + - threshold + - environment + title: Transaction Error Rate Rule Params + type: object + rule_type_id: + enum: + - apm.transaction_error_rate + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. 
+ type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Transaction error rate + type: object + Kibana_HTTP_APIs_autoColor: + additionalProperties: false + description: Coloring determined at runtime based on chart defaults + properties: + type: + enum: + - auto + type: string + required: + - type + title: Auto Color + type: object + Kibana_HTTP_APIs_backfill_error_response: + additionalProperties: false + properties: + error: + additionalProperties: false + type: object + properties: + message: + type: string + rule: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + required: + - id + status: + type: number + required: + - message + - rule + required: + - error + title: backfill_error_response + type: object + Kibana_HTTP_APIs_backfill_response: + additionalProperties: false + properties: + created_at: + type: string + duration: + type: string + enabled: + type: boolean + end: + type: string + id: + type: string + initiator: + enum: + - user + - system + type: string + initiator_id: + type: string + rule: + additionalProperties: false + type: object + properties: + api_key_created_by_user: + nullable: true + type: boolean + api_key_owner: + nullable: true + type: string + consumer: + type: string + created_at: + type: 
string + created_by: + nullable: true + type: string + enabled: + type: boolean + id: + type: string + name: + type: string + params: + additionalProperties: + nullable: true + description: The parameters for the rule. + type: object + revision: + type: number + rule_type_id: + type: string + schedule: + additionalProperties: false + type: object + properties: + interval: + type: string + required: + - interval + tags: + items: + type: string + type: array + updated_at: + type: string + updated_by: + nullable: true + type: string + required: + - id + - name + - tags + - rule_type_id + - params + - api_key_owner + - consumer + - enabled + - schedule + - created_by + - updated_by + - created_at + - updated_at + - revision + schedule: + items: + additionalProperties: false + type: object + properties: + interval: + type: string + run_at: + type: string + status: + enum: + - complete + - pending + - running + - error + - timeout + type: string + required: + - run_at + - status + - interval + type: array + space_id: + type: string + start: + type: string + status: + enum: + - complete + - pending + - running + - error + - timeout + type: string + required: + - id + - created_at + - duration + - enabled + - rule + - space_id + - initiator + - start + - status + - schedule + title: backfill_response + type: object + Kibana_HTTP_APIs_bulk_delete_enrollment_api_keys_request: + additionalProperties: false + properties: + forceDelete: + default: false + description: When false (default), invalidate the API key and mark the token as inactive. When true, also delete the token document. + type: boolean + includeHidden: + default: false + description: When true, allow deletion of hidden enrollment tokens (managed/agentless policies). Defaults to false. + type: boolean + kuery: + description: KQL query to select enrollment tokens to delete. + type: string + tokenIds: + description: List of enrollment token IDs to delete. 
+ items: + type: string + maxItems: 10000 + type: array + title: bulk_delete_enrollment_api_keys_request + type: object + Kibana_HTTP_APIs_bulk_delete_enrollment_api_keys_response: + additionalProperties: false + properties: + action: + type: string + count: + type: number + errorCount: + type: number + successCount: + type: number + required: + - action + - count + - successCount + - errorCount + title: bulk_delete_enrollment_api_keys_response + type: object + Kibana_HTTP_APIs_bulk_get_agent_policies_response: + additionalProperties: false + properties: + items: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_agent_policy_response' + maxItems: 10000 + type: array + required: + - items + title: bulk_get_agent_policies_response + type: object + Kibana_HTTP_APIs_bulk_get_package_policies_response: + additionalProperties: false + properties: + items: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_response' + maxItems: 10000 + type: array + required: + - items + title: bulk_get_package_policies_response + type: object + Kibana_HTTP_APIs_bulk_install_packages_from_registry_request: + additionalProperties: false + properties: + force: + default: false + type: boolean + packages: + items: + anyOf: + - type: string + - additionalProperties: false + type: object + properties: + name: + type: string + prerelease: + type: boolean + version: + type: string + required: + - name + - version + maxItems: 1000 + minItems: 1 + type: array + required: + - packages + title: bulk_install_packages_from_registry_request + type: object + Kibana_HTTP_APIs_bulk_install_packages_from_registry_response: + additionalProperties: false + properties: + items: + items: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_install_packages_response_item_success' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_install_packages_response_item_error' + maxItems: 10000 + type: array + required: + - items + title: bulk_install_packages_from_registry_response 
+ type: object + Kibana_HTTP_APIs_bulk_install_packages_response_item_error: + additionalProperties: false + properties: + error: + anyOf: + - type: string + - nullable: true + name: + type: string + statusCode: + type: number + required: + - name + - statusCode + title: bulk_install_packages_response_item_error + type: object + Kibana_HTTP_APIs_bulk_install_packages_response_item_success: + additionalProperties: false + properties: + name: + type: string + result: + additionalProperties: false + type: object + properties: + assets: + items: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kibana_asset_reference' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_es_asset_reference' + maxItems: 10000 + type: array + error: + nullable: true + installSource: + type: string + installType: + type: string + status: + enum: + - installed + - already_installed + type: string + required: + - error + - installType + version: + type: string + required: + - name + - version + - result + title: bulk_install_packages_response_item_success + type: object + Kibana_HTTP_APIs_bulk_namespace_customization_request: + additionalProperties: false + properties: + disable: + description: Namespaces to disable namespace-level customization for on each package. + items: + type: string + maxItems: 100 + type: array + enable: + description: Namespaces to enable namespace-level customization for on each package. + items: + type: string + maxItems: 100 + type: array + packages: + description: Package names to apply the customization changes to. 
+ items: + type: string + maxItems: 1000 + minItems: 1 + type: array + required: + - packages + title: bulk_namespace_customization_request + type: object + Kibana_HTTP_APIs_bulk_namespace_customization_response: + additionalProperties: false + properties: + items: + items: + additionalProperties: false + type: object + properties: + error: + type: string + name: + type: string + namespace_customization_enabled_for: + description: 'The opt-in list on the package. Returned whenever the package is installed: the new list on success, or the unchanged list when the request is rejected (for example, because of a namespace-prefix restriction).' + items: + type: string + maxItems: 100 + type: array + success: + type: boolean + required: + - name + - success + maxItems: 1000 + type: array + required: + - items + title: bulk_namespace_customization_response + type: object + Kibana_HTTP_APIs_bulk_rollback_packages_request: + additionalProperties: false + properties: + packages: + items: + additionalProperties: false + type: object + properties: + name: + description: Package name to rollback + type: string + required: + - name + maxItems: 1000 + minItems: 1 + type: array + required: + - packages + title: bulk_rollback_packages_request + type: object + Kibana_HTTP_APIs_bulk_rollback_packages_response: + additionalProperties: false + properties: + taskId: + type: string + required: + - taskId + title: bulk_rollback_packages_response + type: object + Kibana_HTTP_APIs_bulk_uninstall_packages_request: + additionalProperties: false + properties: + force: + default: false + type: boolean + packages: + items: + additionalProperties: false + type: object + properties: + name: + type: string + version: + type: string + required: + - name + - version + maxItems: 1000 + minItems: 1 + type: array + required: + - packages + title: bulk_uninstall_packages_request + type: object + Kibana_HTTP_APIs_bulk_upgrade_packages_request: + additionalProperties: false + properties: + force: + default: 
false + type: boolean + packages: + items: + additionalProperties: false + type: object + properties: + name: + type: string + version: + type: string + required: + - name + maxItems: 1000 + minItems: 1 + type: array + prerelease: + type: boolean + upgrade_package_policies: + default: false + type: boolean + required: + - packages + title: bulk_upgrade_packages_request + type: object + Kibana_HTTP_APIs_bulk_upgrade_packages_response: + additionalProperties: false + properties: + taskId: + type: string + required: + - taskId + title: bulk_upgrade_packages_response + type: object + Kibana_HTTP_APIs_byteFormat: + additionalProperties: false + description: Data size format in bits or bytes, with optional decimal places and suffix. + properties: + decimals: + default: 2 + description: Number of decimal places to display. + type: number + suffix: + description: Suffix appended to the formatted value. + type: string + type: + description: 'Data size unit: `bits` or `bytes`.' + enum: + - bits + - bytes + type: string + required: + - type + title: Byte Format + type: object + Kibana_HTTP_APIs_categoricalColorMapping: + additionalProperties: false + description: Palette color assignment for specific categorical values. Unmapped values receive the unassigned color. + properties: + mapping: + items: + additionalProperties: false + type: object + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorFromPalette' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_color_code' + values: + items: + anyOf: + - type: string + - type: number + - $ref: '#/components/schemas/Kibana_HTTP_APIs_range_key' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_multi_field_key' + maxItems: 1000 + type: array + required: + - values + - color + maxItems: 1000 + type: array + mode: + enum: + - categorical + type: string + palette: + description: 'Color palette name. 
Accepted values: ''default'', ''elastic_line_optimized'', ''severity'', ''eui_amsterdam'', ''kibana_v7_legacy'', ''elastic_brand_2023''. Defaults to `default`.' + type: string + unassigned: + $ref: '#/components/schemas/Kibana_HTTP_APIs_unassignedColorSchema' + required: + - mode + - palette + - mapping + title: Categorical Color Mapping + type: object + Kibana_HTTP_APIs_category_summary_item: + additionalProperties: false + properties: + count: + type: number + id: + type: string + parent_id: + type: string + parent_title: + type: string + title: + type: string + required: + - id + - title + - count + title: category_summary_item + type: object + Kibana_HTTP_APIs_ClassicFieldDefinition: + additionalProperties: + $ref: '#/components/schemas/Kibana_HTTP_APIs_ClassicFieldDefinitionConfig' + type: object + Kibana_HTTP_APIs_ClassicFieldDefinitionConfig: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_RecursiveRecord' + - anyOf: + - additionalProperties: false + type: object + properties: + description: + type: string + format: + description: A non-empty string. 
+ minLength: 1 + type: string + type: + enum: + - keyword + - match_only_text + - long + - double + - date + - boolean + - ip + - geo_point + - integer + - short + - byte + - float + - half_float + - text + - wildcard + - version + - unsigned_long + - date_nanos + type: string + required: + - type + - additionalProperties: false + type: object + properties: + description: + type: string + type: + enum: + - system + type: string + required: + - type + Kibana_HTTP_APIs_ClassicStreamUpsertRequest: + additionalProperties: false + type: object + properties: + dashboards: + items: + type: string + type: array + queries: + items: + type: object + properties: + description: + type: string + esql: + type: object + properties: + query: + type: string + required: + - query + evidence: + items: + type: string + type: array + features: + items: + type: object + properties: + id: + type: string + run_id: + type: string + required: + - id + type: array + id: + description: A non-empty string. + minLength: 1 + type: string + severity_score: + type: number + title: + description: A non-empty string. 
+ minLength: 1 + type: string + type: + default: match + enum: + - match + - stats + type: string + required: + - id + - title + - description + - esql + type: array + rules: + items: + type: string + type: array + stream: + additionalProperties: false + type: object + properties: + description: + type: string + ingest: + additionalProperties: false + type: object + properties: + classic: + additionalProperties: false + type: object + properties: + field_overrides: + $ref: '#/components/schemas/Kibana_HTTP_APIs_ClassicFieldDefinition' + failure_store: + $ref: '#/components/schemas/Kibana_HTTP_APIs_FailureStore' + lifecycle: + $ref: '#/components/schemas/Kibana_HTTP_APIs_IngestStreamLifecycle' + processing: + additionalProperties: false + type: object + properties: + steps: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamlangStep' + type: array + updated_at: {} + required: + - steps + settings: + additionalProperties: false + type: object + properties: + index.number_of_replicas: + additionalProperties: false + type: object + properties: + value: + type: number + required: + - value + index.number_of_shards: + additionalProperties: false + type: object + properties: + value: + type: number + required: + - value + index.refresh_interval: + additionalProperties: false + type: object + properties: + value: + anyOf: + - type: string + - enum: + - -1 + type: number + required: + - value + required: + - lifecycle + - processing + - settings + - failure_store + - classic + query_streams: + items: + type: object + properties: + name: + type: string + required: + - name + type: array + type: + enum: + - classic + type: string + required: + - description + - ingest + - type + required: + - dashboards + - rules + - queries + - stream + Kibana_HTTP_APIs_collapseBy: + description: Aggregation function used to collapse a breakdown dimension into a single value. 
+ enum: + - avg + - sum + - max + - min + title: collapseBy + type: string + Kibana_HTTP_APIs_color_code: + additionalProperties: false + description: A color specified as a hex or CSS color code string. + properties: + type: + enum: + - color_code + type: string + value: + description: The static color value to use. + type: string + required: + - type + - value + title: Color Code + type: object + Kibana_HTTP_APIs_colorByValue: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValueAbsolute' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValuePercentage' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyColorByValue' + description: Dynamic color mapping by numeric range, with support for absolute and percentage-based ranges. + title: Color By Value + Kibana_HTTP_APIs_colorByValueAbsolute: + additionalProperties: false + description: Color by absolute value configuration + properties: + range: + enum: + - absolute + type: string + steps: + description: Array of ordered color steps defining the range each color is applied. + items: + additionalProperties: false + type: object + properties: + color: + description: The color to use for this step. + type: string + gte: + description: The lower bound of range from which this color applies (inclusive). + nullable: true + type: number + lt: + description: The upper bound of range to which this color applies (exclusive). + nullable: true + type: number + lte: + description: The upper bound of range to which this color applies (inclusive). 
+ nullable: true + type: number + required: + - color + maxItems: 100 + minItems: 1 + type: array + type: + enum: + - dynamic + type: string + required: + - type + - range + - steps + title: Color By Value (Absolute) + type: object + Kibana_HTTP_APIs_colorByValuePercentage: + additionalProperties: false + description: Color by percentage value configuration + properties: + range: + enum: + - percentage + type: string + steps: + description: Array of ordered color steps defining the range each color is applied. + items: + additionalProperties: false + type: object + properties: + color: + description: The color to use for this step. + type: string + gte: + description: The lower bound of range from which this color applies (inclusive). + nullable: true + type: number + lt: + description: The upper bound of range to which this color applies (exclusive). + nullable: true + type: number + lte: + description: The upper bound of range to which this color applies (inclusive). + nullable: true + type: number + required: + - color + maxItems: 100 + minItems: 1 + type: array + type: + enum: + - dynamic + type: string + required: + - type + - range + - steps + title: Color By Value (Percentage) + type: object + Kibana_HTTP_APIs_colorFromPalette: + additionalProperties: false + description: Color at a fixed index position in a named palette. + properties: + index: + description: The index of the color in the palette. + type: number + palette: + description: 'Color palette name. Accepted values: ''default'', ''elastic_line_optimized'', ''severity'', ''eui_amsterdam'', ''kibana_v7_legacy'', ''elastic_brand_2023''. Defaults to `default`.' 
+ type: string + type: + enum: + - from_palette + type: string + required: + - type + - index + title: Color From Palette + type: object + Kibana_HTTP_APIs_colorMapping: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_categoricalColorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_gradientColorMapping' + description: Color mapping for dimension values, either categorical (for specific values) or as a gradient. + title: Color Mapping + Kibana_HTTP_APIs_Condition: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_FilterCondition' + - additionalProperties: false + description: A logical AND that groups multiple conditions. + type: object + properties: + and: + description: An array of conditions. All sub-conditions must be true for this condition to be true. + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + type: array + required: + - and + - additionalProperties: false + description: A logical OR that groups multiple conditions. + type: object + properties: + or: + description: An array of conditions. At least one sub-condition must be true for this condition to be true. + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + type: array + required: + - or + - additionalProperties: false + description: A logical NOT that negates a condition. + type: object + properties: + not: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: A condition that negates another condition. + required: + - not + - additionalProperties: false + description: A condition that always evaluates to false. + type: object + properties: + never: + additionalProperties: false + description: An empty object. This condition never matches. + type: object + properties: {} + required: + - never + - additionalProperties: false + description: A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered. 
+ type: object + properties: + always: + additionalProperties: false + description: An empty object. This condition always matches. + type: object + properties: {} + required: + - always + description: The root condition object. It can be a simple filter or a combination of other conditions. + Kibana_HTTP_APIs_ConditionWithSteps: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + - additionalProperties: false + type: object + properties: + else: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamlangStep' + type: array + steps: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamlangStep' + type: array + required: + - steps + Kibana_HTTP_APIs_ContentPackIncludedObjects: + anyOf: + - additionalProperties: false + type: object + properties: + objects: + additionalProperties: false + type: object + properties: + all: + additionalProperties: false + type: object + properties: {} + required: + - all + required: + - objects + - additionalProperties: false + type: object + properties: + objects: + additionalProperties: false + type: object + properties: + mappings: + type: boolean + queries: + items: + type: object + properties: + id: + type: string + required: + - id + type: array + routing: + items: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_ContentPackIncludedObjects' + - type: object + properties: + destination: + type: string + required: + - destination + type: array + required: + - mappings + - queries + - routing + required: + - objects + Kibana_HTTP_APIs_copy_agent_policy_request: + additionalProperties: false + properties: + description: + type: string + name: + minLength: 1 + type: string + required: + - name + title: copy_agent_policy_request + type: object + Kibana_HTTP_APIs_core_status_redactedResponse: + additionalProperties: false + description: A minimal representation of Kibana's operational status. Returned when the caller is unauthenticated or lacks the `monitor` cluster privilege. 
+ properties: + status: + additionalProperties: false + type: object + properties: + overall: + additionalProperties: false + type: object + properties: + level: + description: Service status levels as human and machine readable values. + enum: + - available + - degraded + - unavailable + - critical + type: string + required: + - level + required: + - overall + required: + - status + title: core_status_redactedResponse + type: object + Kibana_HTTP_APIs_core_status_response: + additionalProperties: false + description: Kibana's operational status as well as a detailed breakdown of plugin statuses indication of various loads (like event loop utilization and network traffic) at time of request. + properties: + metrics: + additionalProperties: false + description: Metric groups collected by Kibana. + type: object + properties: + collection_interval_in_millis: + description: The interval at which metrics should be collected. + type: number + elasticsearch_client: + additionalProperties: false + description: Current network metrics of Kibana's Elasticsearch client. + type: object + properties: + totalActiveSockets: + description: Count of network sockets currently in use. + type: number + totalIdleSockets: + description: Count of network sockets currently idle. + type: number + totalQueuedRequests: + description: Count of requests not yet assigned to sockets. + type: number + required: + - totalActiveSockets + - totalIdleSockets + - totalQueuedRequests + last_updated: + description: The time metrics were collected. + type: string + required: + - elasticsearch_client + - last_updated + - collection_interval_in_millis + name: + description: Kibana instance name. + type: string + status: + additionalProperties: false + type: object + properties: + core: + additionalProperties: false + description: Statuses of core Kibana services. 
+ type: object + properties: + elasticsearch: + additionalProperties: false + type: object + properties: + detail: + description: Human readable detail of the service status. + type: string + documentationUrl: + description: A URL to further documentation regarding this service. + type: string + level: + description: Service status levels as human and machine readable values. + enum: + - available + - degraded + - unavailable + - critical + type: string + meta: + additionalProperties: + nullable: true + description: An unstructured set of extra metadata about this service. + type: object + summary: + description: A human readable summary of the service status. + type: string + required: + - level + - summary + - meta + http: + additionalProperties: false + type: object + properties: + detail: + description: Human readable detail of the service status. + type: string + documentationUrl: + description: A URL to further documentation regarding this service. + type: string + level: + description: Service status levels as human and machine readable values. + enum: + - available + - degraded + - unavailable + - critical + type: string + meta: + additionalProperties: + nullable: true + description: An unstructured set of extra metadata about this service. + type: object + summary: + description: A human readable summary of the service status. + type: string + required: + - level + - summary + - meta + savedObjects: + additionalProperties: false + type: object + properties: + detail: + description: Human readable detail of the service status. + type: string + documentationUrl: + description: A URL to further documentation regarding this service. + type: string + level: + description: Service status levels as human and machine readable values. + enum: + - available + - degraded + - unavailable + - critical + type: string + meta: + additionalProperties: + nullable: true + description: An unstructured set of extra metadata about this service. 
+ type: object + summary: + description: A human readable summary of the service status. + type: string + required: + - level + - summary + - meta + required: + - elasticsearch + - savedObjects + overall: + additionalProperties: false + type: object + properties: + detail: + description: Human readable detail of the service status. + type: string + documentationUrl: + description: A URL to further documentation regarding this service. + type: string + level: + description: Service status levels as human and machine readable values. + enum: + - available + - degraded + - unavailable + - critical + type: string + meta: + additionalProperties: + nullable: true + description: An unstructured set of extra metadata about this service. + type: object + summary: + description: A human readable summary of the service status. + type: string + required: + - level + - summary + - meta + plugins: + additionalProperties: + additionalProperties: false + type: object + properties: + detail: + description: Human readable detail of the service status. + type: string + documentationUrl: + description: A URL to further documentation regarding this service. + type: string + level: + description: Service status levels as human and machine readable values. + enum: + - available + - degraded + - unavailable + - critical + type: string + meta: + additionalProperties: + nullable: true + description: An unstructured set of extra metadata about this service. + type: object + summary: + description: A human readable summary of the service status. + type: string + required: + - level + - summary + - meta + description: A dynamic mapping of plugin ID to plugin status. + type: object + required: + - overall + - core + - plugins + uuid: + description: Unique, generated Kibana instance UUID. This UUID should persist even if the Kibana process restarts. + type: string + version: + additionalProperties: false + type: object + properties: + build_date: + description: The date and time of this build. 
+ type: string + build_flavor: + description: The build flavour determines configuration and behavior of Kibana. On premise users will almost always run the "traditional" flavour, while other flavours are reserved for Elastic-specific use cases. + enum: + - serverless + - traditional + type: string + build_hash: + description: A unique hash value representing the git commit of this Kibana build. + type: string + build_number: + description: A monotonically increasing number, each subsequent build will have a higher number. + type: number + build_snapshot: + description: Whether this build is a snapshot build. + type: boolean + number: + description: A semantic version number. + type: string + required: + - number + - build_hash + - build_number + - build_snapshot + - build_flavor + - build_date + required: + - name + - uuid + - version + - status + - metrics + title: core_status_response + type: object + Kibana_HTTP_APIs_counterRateOperation: + additionalProperties: false + properties: + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - counter_rate + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Counter Rate Operation + type: object + Kibana_HTTP_APIs_countMetricOperation: + additionalProperties: false + properties: + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - operation + title: Count Metric Operation + type: object + Kibana_HTTP_APIs_create_custom_integration_request: + additionalProperties: false + properties: + datasets: + items: + additionalProperties: false + type: object + properties: + name: + type: string + type: + enum: + - logs + - metrics + - traces + - synthetics + - profiling + type: string + required: + - name + - type + maxItems: 10 + type: array + force: + type: boolean + integrationName: + type: string + required: + - integrationName + - datasets + title: create_custom_integration_request + type: object + Kibana_HTTP_APIs_create_package_policy_request: + additionalProperties: false + properties: + additional_datastreams_permissions: + description: Additional data stream permissions that will be added to the agent policy. + items: + type: string + maxItems: 1000 + nullable: true + type: array + cloud_connector_id: + description: ID of the cloud connector associated with this package policy. + nullable: true + type: string + cloud_connector_name: + description: Transient field for cloud connector name during creation. + maxLength: 255 + minLength: 1 + nullable: true + type: string + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this integration to its inputs.' 
+ type: string + description: + description: Package policy description + type: string + enabled: + type: boolean + force: + description: Force package policy creation even if the package is not verified, or if the agent policy is managed. + type: boolean + global_data_tags: + items: + additionalProperties: false + type: object + properties: + name: + description: The name of the custom field. Cannot contain spaces. + type: string + value: + anyOf: + - type: string + - type: number + description: The value of the custom field. + required: + - name + - value + maxItems: 100 + nullable: true + type: array + id: + description: Package policy unique identifier + type: string + inputs: + items: + additionalProperties: false + type: object + properties: + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' + type: string + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + name: + type: string + policy_template: + type: string + streams: + items: + additionalProperties: false + type: object + properties: + compiled_stream: + nullable: true + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' 
+ type: string + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + data_stream: + additionalProperties: false + type: object + properties: + dataset: + type: string + elasticsearch: + additionalProperties: false + type: object + properties: + dynamic_dataset: + type: boolean + dynamic_namespace: + type: boolean + privileges: + additionalProperties: false + type: object + properties: + indices: + items: + type: string + maxItems: 100 + type: array + type: + type: string + required: + - dataset + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + release: + enum: + - ga + - beta + - experimental + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - enabled + - data_stream + - compiled_stream + maxItems: 1000 + type: array + type: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. 
+ type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - type + - enabled + maxItems: 1000 + type: array + is_managed: + type: boolean + name: + description: Unique name for the package policy. + type: string + namespace: + description: The package policy namespace. Leave blank to inherit the agent policy's namespace. + type: string + output_id: + nullable: true + type: string + overrides: + additionalProperties: false + description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. + nullable: true + type: object + properties: + inputs: + additionalProperties: + nullable: true + type: object + package: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_package' + package_agent_version_condition: + type: string + policy_id: + deprecated: true + description: ID of the agent policy which the package policy will be added to. + nullable: true + type: string + policy_ids: + items: + description: IDs of the agent policies that the package policy will be added to. + type: string + maxItems: 1000 + type: array + spaceIds: + items: + type: string + maxItems: 100 + type: array + supports_agentless: + default: false + deprecated: true + description: Indicates whether the package policy belongs to an agentless agent policy. Deprecated in favor of the Fleet agentless policies API. + nullable: true + type: boolean + supports_cloud_connector: + default: false + description: Indicates whether the package policy supports cloud connectors. + nullable: true + type: boolean + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. 
Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - name + - inputs + title: create_package_policy_request + type: object + Kibana_HTTP_APIs_create_package_policy_response: + additionalProperties: false + properties: + item: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_response' + required: + - item + title: create_package_policy_response + type: object + Kibana_HTTP_APIs_cumulativeSumOperation: + additionalProperties: false + properties: + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - cumulative_sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Cumulative Sum Operation + type: object + Kibana_HTTP_APIs_customFormat: + additionalProperties: false + description: Custom format using a Kibana field format pattern string. + properties: + pattern: + description: Kibana field format pattern string. 
+ type: string + type: + enum: + - custom + type: string + required: + - type + - pattern + title: Custom Format + type: object + Kibana_HTTP_APIs_datasetquality-degradeddocs-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_alert_delay' + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. 
The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the degraded docs rule. These parameters are appropriate when `rule_type_id` is `datasetQuality.degradedDocs`. + properties: + comparator: + type: string + groupBy: + items: + type: string + type: array + searchConfiguration: + additionalProperties: false + type: object + properties: + index: + type: string + required: + - index + threshold: + items: + type: number + type: array + timeSize: + type: number + timeUnit: + type: string + required: + - timeUnit + - timeSize + - threshold + - comparator + - searchConfiguration + title: Degraded Docs Rule Params + type: object + rule_type_id: + enum: + - datasetQuality.degradedDocs + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Degraded docs + type: object + Kibana_HTTP_APIs_datatableDensity: + additionalProperties: false + description: Density configuration for the datatable. + properties: + height: + additionalProperties: false + type: object + properties: + header: + anyOf: + - additionalProperties: false + type: object + properties: + type: + enum: + - auto + type: string + required: + - type + - additionalProperties: false + type: object + properties: + max_lines: + default: 3 + maximum: 5 + minimum: 1 + type: number + type: + enum: + - custom + type: string + required: + - type + description: Number of lines before the header is truncated. + value: + anyOf: + - additionalProperties: false + type: object + properties: + type: + enum: + - auto + type: string + required: + - type + - additionalProperties: false + type: object + properties: + lines: + default: 1 + maximum: 20 + minimum: 1 + type: number + type: + enum: + - custom + type: string + required: + - type + description: Number of lines to display per table body cell. + mode: + description: Display density mode. + enum: + - compact + - default + - expanded + type: string + title: datatableDensity + type: object + Kibana_HTTP_APIs_datatableESQL: + additionalProperties: false + description: Datatable state configuration for ES|QL queries + properties: + data_source: + $ref: '#/components/schemas/Kibana_HTTP_APIs_esqlDataSource' + description: + type: string + drilldowns: + items: + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. 
+ type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. + type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + hide_border: + type: boolean + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. 
+ type: boolean + metrics: + description: Array of metrics to display as columns in the datatable + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableESQLMetric' + maxItems: 1000 + minItems: 1 + type: array + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + rows: + description: Array of operations to split the datatable rows by + items: + additionalProperties: false + type: object + properties: + alignment: + description: Alignment of the rows. + enum: + - left + - center + - right + type: string + apply_color_to: + description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' + enum: + - value + - background + - badge + type: string + click_filter: + description: When `true`, enables one-click filtering on cell values. + type: boolean + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for ESQL datatable rows. Use dynamic coloring for numeric data and categorical/gradient mode for categorical data. + column: + description: Column to use + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + visible: + description: When `false`, hides the column from the datatable. + type: boolean + width: + description: Column width in pixels. + minimum: 0 + type: number + required: + - column + maxItems: 50 + minItems: 1 + type: array + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). 
+ maximum: 1 + minimum: 0 + type: number + split_metrics_by: + description: Array of operations to split the metric columns by + items: + additionalProperties: false + type: object + properties: + column: + description: Column to use + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + required: + - column + maxItems: 20 + minItems: 1 + type: array + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableStyling' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + type: + enum: + - data_table + type: string + required: + - type + - data_source + title: Datatable (ES|QL) + type: object + Kibana_HTTP_APIs_datatableESQLMetric: + additionalProperties: false + properties: + alignment: + description: Alignment of the columns. + enum: + - left + - center + - right + type: string + apply_color_to: + description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' + enum: + - value + - background + - badge + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for datatable metrics. Use dynamic coloring for numeric data and categorical/gradient mode for categorical data. + column: + description: Column to use + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + summary: + additionalProperties: false + description: Summary row configuration + type: object + properties: + label: + description: Summary row label. + type: string + type: + description: Type of summary function to apply to the column. 
+ enum: + - sum + - avg + - count + - min + - max + type: string + required: + - type + visible: + description: When `false`, hides the column from the datatable. + type: boolean + width: + description: Column width in pixels. + minimum: 0 + type: number + required: + - column + title: Datatable Metric (ES|QL) + type: object + Kibana_HTTP_APIs_datatableMetricCounterRate: + additionalProperties: false + properties: + alignment: + description: Alignment of the columns. + enum: + - left + - center + - right + type: string + apply_color_to: + description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' + enum: + - value + - background + - badge + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for datatable metrics. Use dynamic coloring for numeric data and categorical/gradient mode for categorical data. + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - counter_rate + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + summary: + additionalProperties: false + description: Summary row configuration + type: object + properties: + label: + description: Summary row label. + type: string + type: + description: Type of summary function to apply to the column. 
+ enum: + - sum + - avg + - count + - min + - max + type: string + required: + - type + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + visible: + description: When `false`, hides the column from the datatable. + type: boolean + width: + description: Column width in pixels. + minimum: 0 + type: number + required: + - field + - operation + title: Counter Rate Operation + type: object + Kibana_HTTP_APIs_datatableMetricCountMetric: + additionalProperties: false + properties: + alignment: + description: Alignment of the columns. + enum: + - left + - center + - right + type: string + apply_color_to: + description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' + enum: + - value + - background + - badge + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for datatable metrics. Use dynamic coloring for numeric data and categorical/gradient mode for categorical data. + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. + type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + summary: + additionalProperties: false + description: Summary row configuration + type: object + properties: + label: + description: Summary row label. 
+ type: string + type: + description: Type of summary function to apply to the column. + enum: + - sum + - avg + - count + - min + - max + type: string + required: + - type + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + visible: + description: When `false`, hides the column from the datatable. + type: boolean + width: + description: Column width in pixels. + minimum: 0 + type: number + required: + - operation + title: Count Metric Operation + type: object + Kibana_HTTP_APIs_datatableMetricCumulativeSum: + additionalProperties: false + properties: + alignment: + description: Alignment of the columns. + enum: + - left + - center + - right + type: string + apply_color_to: + description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' + enum: + - value + - background + - badge + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for datatable metrics. Use dynamic coloring for numeric data and categorical/gradient mode for categorical data. + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - cumulative_sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + summary: + additionalProperties: false + description: Summary row configuration + type: object + properties: + label: + description: Summary row label. 
+ type: string + type: + description: Type of summary function to apply to the column. + enum: + - sum + - avg + - count + - min + - max + type: string + required: + - type + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + visible: + description: When `false`, hides the column from the datatable. + type: boolean + width: + description: Column width in pixels. + minimum: 0 + type: number + required: + - field + - operation + title: Cumulative Sum Operation + type: object + Kibana_HTTP_APIs_datatableMetricDifferences: + additionalProperties: false + properties: + alignment: + description: Alignment of the columns. + enum: + - left + - center + - right + type: string + apply_color_to: + description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' + enum: + - value + - background + - badge + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for datatable metrics. Use dynamic coloring for numeric data and categorical/gradient mode for categorical data. + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - differences + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + summary: + additionalProperties: false + description: Summary row configuration + type: object + properties: + label: + description: Summary row label. 
+ type: string + type: + description: Type of summary function to apply to the column. + enum: + - sum + - avg + - count + - min + - max + type: string + required: + - type + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + visible: + description: When `false`, hides the column from the datatable. + type: boolean + width: + description: Column width in pixels. + minimum: 0 + type: number + required: + - operation + - of + title: Differences Operation + type: object + Kibana_HTTP_APIs_datatableMetricFormula: + additionalProperties: false + properties: + alignment: + description: Alignment of the columns. + enum: + - left + - center + - right + type: string + apply_color_to: + description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' + enum: + - value + - background + - badge + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for datatable metrics. Use dynamic coloring for numeric data and categorical/gradient mode for categorical data. + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + formula: + description: Formula + type: string + label: + description: Label for the operation + type: string + operation: + enum: + - formula + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + summary: + additionalProperties: false + description: Summary row configuration + type: object + properties: + label: + description: Summary row label. 
+ type: string + type: + description: Type of summary function to apply to the column. + enum: + - sum + - avg + - count + - min + - max + type: string + required: + - type + time_scale: + description: Time scale + enum: + - s + - m + - h + - d + type: string + visible: + description: When `false`, hides the column from the datatable. + type: boolean + width: + description: Column width in pixels. + minimum: 0 + type: number + required: + - operation + - formula + title: Formula Operation + type: object + Kibana_HTTP_APIs_datatableMetricLastValue: + additionalProperties: false + properties: + alignment: + description: Alignment of the columns. + enum: + - left + - center + - right + type: string + apply_color_to: + description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' + enum: + - value + - background + - badge + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for datatable metrics. Use dynamic coloring for numeric data and categorical/gradient mode for categorical data. + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + multi_value: + default: false + description: Whether to return all values for multi-value fields. Only affects data table and metric charts; other charts use the last value from the array. 
+ type: boolean + operation: + enum: + - last_value + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + summary: + additionalProperties: false + description: Summary row configuration + type: object + properties: + label: + description: Summary row label. + type: string + type: + description: Type of summary function to apply to the column. + enum: + - sum + - avg + - count + - min + - max + type: string + required: + - type + time_field: + description: Time field used to determine document recency + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + visible: + description: When `false`, hides the column from the datatable. + type: boolean + width: + description: Column width in pixels. + minimum: 0 + type: number + required: + - field + - operation + - time_field + title: Last Value Operation + type: object + Kibana_HTTP_APIs_datatableMetricMovingAverage: + additionalProperties: false + properties: + alignment: + description: Alignment of the columns. + enum: + - left + - center + - right + type: string + apply_color_to: + description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' + enum: + - value + - background + - badge + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for datatable metrics. Use dynamic coloring for numeric data and categorical/gradient mode for categorical data. 
+ filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - moving_average + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + summary: + additionalProperties: false + description: Summary row configuration + type: object + properties: + label: + description: Summary row label. + type: string + type: + description: Type of summary function to apply to the column. + enum: + - sum + - avg + - count + - min + - max + type: string + required: + - type + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + visible: + description: When `false`, hides the column from the datatable. + type: boolean + width: + description: Column width in pixels. + minimum: 0 + type: number + window: + default: 5 + description: Window + type: number + required: + - operation + - of + title: Moving Average Operation + type: object + Kibana_HTTP_APIs_datatableMetricPercentile: + additionalProperties: false + properties: + alignment: + description: Alignment of the columns. + enum: + - left + - center + - right + type: string + apply_color_to: + description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' + enum: + - value + - background + - badge + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for datatable metrics. 
Use dynamic coloring for numeric data and categorical/gradient mode for categorical data. + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - percentile + type: string + percentile: + default: 95 + description: Percentile + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + summary: + additionalProperties: false + description: Summary row configuration + type: object + properties: + label: + description: Summary row label. + type: string + type: + description: Type of summary function to apply to the column. + enum: + - sum + - avg + - count + - min + - max + type: string + required: + - type + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + visible: + description: When `false`, hides the column from the datatable. + type: boolean + width: + description: Column width in pixels. + minimum: 0 + type: number + required: + - field + - operation + title: Percentile Operation + type: object + Kibana_HTTP_APIs_datatableMetricPercentileRanks: + additionalProperties: false + properties: + alignment: + description: Alignment of the columns. + enum: + - left + - center + - right + type: string + apply_color_to: + description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' 
+ enum: + - value + - background + - badge + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for datatable metrics. Use dynamic coloring for numeric data and categorical/gradient mode for categorical data. + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - percentile_rank + type: string + rank: + default: 0 + description: Percentile Rank + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + summary: + additionalProperties: false + description: Summary row configuration + type: object + properties: + label: + description: Summary row label. + type: string + type: + description: Type of summary function to apply to the column. + enum: + - sum + - avg + - count + - min + - max + type: string + required: + - type + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + visible: + description: When `false`, hides the column from the datatable. + type: boolean + width: + description: Column width in pixels. + minimum: 0 + type: number + required: + - field + - operation + title: Percentile Ranks Operation + type: object + Kibana_HTTP_APIs_datatableMetricStatsMetric: + additionalProperties: false + properties: + alignment: + description: Alignment of the columns. 
+ enum: + - left + - center + - right + type: string + apply_color_to: + description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' + enum: + - value + - background + - badge + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for datatable metrics. Use dynamic coloring for numeric data and categorical/gradient mode for categorical data. + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - min + - max + - average + - median + - standard_deviation + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + summary: + additionalProperties: false + description: Summary row configuration + type: object + properties: + label: + description: Summary row label. + type: string + type: + description: Type of summary function to apply to the column. + enum: + - sum + - avg + - count + - min + - max + type: string + required: + - type + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + visible: + description: When `false`, hides the column from the datatable. + type: boolean + width: + description: Column width in pixels. + minimum: 0 + type: number + required: + - field + - operation + title: Stats Metric Operation + type: object + Kibana_HTTP_APIs_datatableMetricSumMetric: + additionalProperties: false + properties: + alignment: + description: Alignment of the columns. 
+ enum: + - left + - center + - right + type: string + apply_color_to: + description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' + enum: + - value + - background + - badge + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for datatable metrics. Use dynamic coloring for numeric data and categorical/gradient mode for categorical data. + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. + type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + summary: + additionalProperties: false + description: Summary row configuration + type: object + properties: + label: + description: Summary row label. + type: string + type: + description: Type of summary function to apply to the column. + enum: + - sum + - avg + - count + - min + - max + type: string + required: + - type + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + visible: + description: When `false`, hides the column from the datatable. + type: boolean + width: + description: Column width in pixels. 
+ minimum: 0 + type: number + required: + - field + - operation + title: Sum Metric Operation + type: object + Kibana_HTTP_APIs_datatableMetricUniqueCountMetric: + additionalProperties: false + properties: + alignment: + description: Alignment of the columns. + enum: + - left + - center + - right + type: string + apply_color_to: + description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' + enum: + - value + - background + - badge + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for datatable metrics. Use dynamic coloring for numeric data and categorical/gradient mode for categorical data. + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. + type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - unique_count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + summary: + additionalProperties: false + description: Summary row configuration + type: object + properties: + label: + description: Summary row label. + type: string + type: + description: Type of summary function to apply to the column. 
+ enum: + - sum + - avg + - count + - min + - max + type: string + required: + - type + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + visible: + description: When `false`, hides the column from the datatable. + type: boolean + width: + description: Column width in pixels. + minimum: 0 + type: number + required: + - field + - operation + title: Unique Count Metric Operation + type: object + Kibana_HTTP_APIs_datatableNoESQL: + additionalProperties: false + description: Datatable state configuration for standard queries + properties: + data_source: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' + description: + type: string + drilldowns: + items: + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. 
+ type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + hide_border: + type: boolean + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. 
+ type: boolean + metrics: + description: Array of metrics to display as columns in the datatable + items: + anyOf: + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableMetricCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableMetricUniqueCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableMetricStatsMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableMetricSumMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableMetricLastValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableMetricPercentile' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableMetricPercentileRanks' + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableMetricDifferences' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableMetricMovingAverage' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableMetricCumulativeSum' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableMetricCounterRate' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableMetricFormula' + maxItems: 1000 + minItems: 1 + type: array + query: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + rows: + description: Array of operations to split the datatable rows by + items: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableRowDateHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableRowTerms' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableRowHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableRowRanges' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableRowFilters' + maxItems: 50 + minItems: 1 + type: array + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). 
+ maximum: 1 + minimum: 0 + type: number + split_metrics_by: + description: Array of operations to split the metric columns by + items: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_dateHistogramOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_histogramOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rangesOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_filtersOperation' + description: Breakdown dimension configuration using date histogram, terms, numeric histogram, value ranges, or custom filters. + title: Breakdown Operation + maxItems: 20 + minItems: 1 + type: array + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableStyling' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + type: + enum: + - data_table + type: string + required: + - type + - data_source + - metrics + title: Datatable (DSL) + type: object + Kibana_HTTP_APIs_datatableRowDateHistogram: + additionalProperties: false + properties: + alignment: + description: Alignment of the rows. + enum: + - left + - center + - right + type: string + apply_color_to: + description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' + enum: + - value + - background + - badge + type: string + click_filter: + description: When `true`, enables one-click filtering on cell values. + type: boolean + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + drop_partial_intervals: + description: When `true`, drops partial intervals from the results. + type: boolean + field: + description: Field to be used for the date histogram. 
+ type: string + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. + type: boolean + label: + description: Label for the operation + type: string + operation: + enum: + - date_histogram + type: string + suggested_interval: + default: auto + description: Suggested time interval. + type: string + use_original_time_range: + default: false + description: When `true`, uses the original time range instead of the current query time range. + type: boolean + visible: + description: When `false`, hides the column from the datatable. + type: boolean + width: + description: Column width in pixels. + minimum: 0 + type: number + required: + - operation + - field + title: Date Histogram Operation + type: object + Kibana_HTTP_APIs_datatableRowFilters: + additionalProperties: false + properties: + alignment: + description: Alignment of the rows. + enum: + - left + - center + - right + type: string + apply_color_to: + description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' + enum: + - value + - background + - badge + type: string + click_filter: + description: When `true`, enables one-click filtering on cell values. + type: boolean + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + filters: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterWithLabel' + maxItems: 100 + type: array + label: + description: Label for the operation + type: string + operation: + enum: + - filters + type: string + visible: + description: When `false`, hides the column from the datatable. + type: boolean + width: + description: Column width in pixels. 
+ minimum: 0 + type: number + required: + - operation + - filters + title: Filters Operation + type: object + Kibana_HTTP_APIs_datatableRowHistogram: + additionalProperties: false + properties: + alignment: + description: Alignment of the rows. + enum: + - left + - center + - right + type: string + apply_color_to: + description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' + enum: + - value + - background + - badge + type: string + click_filter: + description: When `true`, enables one-click filtering on cell values. + type: boolean + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the histogram. + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + granularity: + anyOf: + - description: Granularity of the histogram. + maximum: 7 + minimum: 1 + type: number + - enum: + - auto + type: string + default: auto + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. + type: boolean + label: + description: Label for the operation + type: string + operation: + enum: + - histogram + type: string + visible: + description: When `false`, hides the column from the datatable. + type: boolean + width: + description: Column width in pixels. + minimum: 0 + type: number + required: + - operation + - field + title: Histogram Operation + type: object + Kibana_HTTP_APIs_datatableRowRanges: + additionalProperties: false + properties: + alignment: + description: Alignment of the rows. + enum: + - left + - center + - right + type: string + apply_color_to: + description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' 
+ enum: + - value + - background + - badge + type: string + click_filter: + description: When `true`, enables one-click filtering on cell values. + type: boolean + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the range. + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - range + type: string + ranges: + items: + additionalProperties: false + type: object + properties: + gt: + description: Greater than. + type: number + label: + description: Label. + type: string + lte: + description: Less than or equal to. + type: number + maxItems: 100 + type: array + visible: + description: When `false`, hides the column from the datatable. + type: boolean + width: + description: Column width in pixels. + minimum: 0 + type: number + required: + - operation + - field + - ranges + title: Ranges Operation + type: object + Kibana_HTTP_APIs_datatableRowTerms: + additionalProperties: false + properties: + alignment: + description: Alignment of the rows. + enum: + - left + - center + - right + type: string + apply_color_to: + description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' + enum: + - value + - background + - badge + type: string + click_filter: + description: When `true`, enables one-click filtering on cell values. 
+ type: boolean + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + excludes: + additionalProperties: false + type: object + properties: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to exclude. + type: string + maxItems: 100 + type: array + required: + - values + fields: + items: + description: Fields to be used for the terms. + type: string + maxItems: 4 + minItems: 1 + type: array + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + includes: + additionalProperties: false + type: object + properties: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to include. + type: string + maxItems: 100 + type: array + required: + - values + increase_accuracy: + description: When `true`, increases accuracy at the cost of performance. + type: boolean + label: + description: Label for the operation + type: string + limit: + default: 5 + description: Number of terms to return. + type: number + operation: + enum: + - terms + type: string + other_bucket: + additionalProperties: false + type: object + properties: + include_documents_without_field: + description: When `true`, includes documents that do not have the specified field. 
+ type: boolean + required: + - include_documents_without_field + rank_by: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByAlphabetical' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByRare' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankBySignificant' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomCountOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileRankOperation' + visible: + description: When `false`, hides the column from the datatable. + type: boolean + width: + description: Column width in pixels. + minimum: 0 + type: number + required: + - operation + - fields + title: Terms Operation + type: object + Kibana_HTTP_APIs_datatableStyling: + additionalProperties: false + description: Visual chart styling options + properties: + density: + $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableDensity' + paging: + description: Rows per page. When set, pagination is enabled with the specified number of rows. + enum: + - 10 + - 20 + - 30 + - 50 + - 100 + type: integer + row_numbers: + additionalProperties: false + description: Configuration for row numbers + type: object + properties: + visible: + description: When `true`, displays row numbers. + type: boolean + required: + - visible + sort_by: + anyOf: + - additionalProperties: false + description: Sort by a metric or row column + type: object + properties: + column_type: + description: Type of column to sort by. + enum: + - metric + - row + type: string + direction: + $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_direction' + index: + description: Index of the column or row to sort by (0-based). 
+ minimum: 0 + type: number + required: + - column_type + - index + - direction + - additionalProperties: false + description: Sort by a pivoted metric column (created when metrics are pivoted by split_metrics_by) + type: object + properties: + column_type: + enum: + - pivoted_metric + type: string + direction: + $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_direction' + index: + description: 0-based index into the "metrics" array for the metric to sort; use "values" to identify the pivoted column + minimum: 0 + type: number + values: + description: Array of pivot values, one for each split_metrics_by column in order + items: + type: string + maxItems: 20 + minItems: 1 + type: array + required: + - column_type + - index + - values + - direction + description: Sorting configuration. Only one column can be sorted at a time. Use "column_type" to specify the column type. + title: Datatable styling + type: object + Kibana_HTTP_APIs_dateHistogramOperation: + additionalProperties: false + properties: + drop_partial_intervals: + description: When `true`, drops partial intervals from the results. + type: boolean + field: + description: Field to be used for the date histogram. + type: string + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. + type: boolean + label: + description: Label for the operation + type: string + operation: + enum: + - date_histogram + type: string + suggested_interval: + default: auto + description: Suggested time interval. + type: string + use_original_time_range: + default: false + description: When `true`, uses the original time range instead of the current query time range. 
+ type: boolean + required: + - operation + - field + title: Date Histogram Operation + type: object + Kibana_HTTP_APIs_delete_agent_policy_request: + additionalProperties: false + properties: + agentPolicyId: + description: The ID of the agent policy + type: string + force: + description: bypass validation checks that can prevent agent policy deletion + type: boolean + required: + - agentPolicyId + title: delete_agent_policy_request + type: object + Kibana_HTTP_APIs_delete_agent_policy_response: + additionalProperties: false + properties: + id: + type: string + name: + type: string + required: + - id + - name + title: delete_agent_policy_response + type: object + Kibana_HTTP_APIs_delete_enrollment_api_key_response: + additionalProperties: false + properties: + action: + enum: + - deleted + type: string + required: + - action + title: delete_enrollment_api_key_response + type: object + Kibana_HTTP_APIs_delete_one_package_policy_response: + additionalProperties: false + properties: + id: + type: string + required: + - id + title: delete_one_package_policy_response + type: object + Kibana_HTTP_APIs_delete_package_datastream_assets_response: + additionalProperties: false + properties: + success: + type: boolean + required: + - success + title: delete_package_datastream_assets_response + type: object + Kibana_HTTP_APIs_delete_package_policies_request: + additionalProperties: false + properties: + force: + type: boolean + packagePolicyIds: + items: + type: string + maxItems: 1000 + type: array + required: + - packagePolicyIds + title: delete_package_policies_request + type: object + Kibana_HTTP_APIs_delete_package_response: + additionalProperties: false + properties: + items: + items: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kibana_asset_reference' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_es_asset_reference' + maxItems: 10000 + type: array + required: + - items + title: delete_package_response + type: object + Kibana_HTTP_APIs_deprecation_info: 
+ additionalProperties: false + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + title: deprecation_info + type: object + Kibana_HTTP_APIs_differencesOperation: + additionalProperties: false + properties: + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - differences + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - operation + - of + title: Differences Operation + type: object + Kibana_HTTP_APIs_dry_run_package_policies_request: + additionalProperties: false + properties: + packagePolicyIds: + items: + type: string + maxItems: 1000 + type: array + packageVersion: + type: string + required: + - packagePolicyIds + title: dry_run_package_policies_request + type: object + Kibana_HTTP_APIs_dry_run_package_policy: + additionalProperties: true + properties: + additional_datastreams_permissions: + description: Additional data stream permissions that will be added to the agent policy. + items: + type: string + maxItems: 1000 + nullable: true + type: array + cloud_connector_id: + description: ID of the cloud connector associated with this package policy. + nullable: true + type: string + cloud_connector_name: + description: Transient field for cloud connector name during creation. 
+ maxLength: 255 + minLength: 1 + nullable: true + type: string + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this integration to its inputs.' + type: string + created_at: + type: string + created_by: + type: string + description: + description: Package policy description + type: string + elasticsearch: + additionalProperties: true + type: object + properties: + privileges: + additionalProperties: true + type: object + properties: + cluster: + items: + type: string + maxItems: 100 + type: array + enabled: + type: boolean + errors: + items: + additionalProperties: false + type: object + properties: + key: + type: string + message: + type: string + required: + - message + maxItems: 10 + type: array + force: + type: boolean + global_data_tags: + items: + additionalProperties: false + type: object + properties: + name: + description: The name of the custom field. Cannot contain spaces. + type: string + value: + anyOf: + - type: string + - type: number + description: The value of the custom field. + required: + - name + - value + maxItems: 100 + nullable: true + type: array + id: + type: string + inputs: + items: + additionalProperties: false + type: object + properties: + compiled_input: + nullable: true + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' 
+ type: string + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + name: + type: string + policy_template: + type: string + streams: + items: + additionalProperties: false + type: object + properties: + compiled_stream: + nullable: true + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' + type: string + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + data_stream: + additionalProperties: false + type: object + properties: + dataset: + type: string + elasticsearch: + additionalProperties: false + type: object + properties: + dynamic_dataset: + type: boolean + dynamic_namespace: + type: boolean + privileges: + additionalProperties: false + type: object + properties: + indices: + items: + type: string + maxItems: 100 + type: array + type: + type: string + required: + - dataset + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + release: + enum: + - ga + - beta + - experimental + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. 
+ type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - enabled + - data_stream + - compiled_stream + maxItems: 1000 + type: array + type: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - type + - enabled + - streams + - compiled_input + maxItems: 100 + type: array + is_managed: + type: boolean + missingVars: + items: + type: string + maxItems: 100 + type: array + name: + description: Unique name for the package policy. + type: string + namespace: + description: The package policy namespace. Leave blank to inherit the agent policy's namespace. + type: string + output_id: + nullable: true + type: string + overrides: + additionalProperties: false + description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. + nullable: true + type: object + properties: + inputs: + additionalProperties: + nullable: true + type: object + package: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_package' + package_agent_version_condition: + type: string + policy_id: + deprecated: true + description: ID of the agent policy which the package policy will be added to. 
+ nullable: true + type: string + policy_ids: + items: + description: IDs of the agent policies that the package policy will be added to. + type: string + maxItems: 1000 + type: array + revision: + type: number + secret_references: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 1000 + type: array + supports_agentless: + default: false + description: Indicates whether the package policy belongs to an agentless agent policy. + nullable: true + type: boolean + supports_cloud_connector: + default: false + description: Indicates whether the package policy supports cloud connectors. + nullable: true + type: boolean + updated_at: + type: string + updated_by: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + version: + description: Package policy ES version. + type: string + required: + - name + - enabled + - inputs + title: dry_run_package_policy + type: object + Kibana_HTTP_APIs_durationFormat: + additionalProperties: false + description: Duration format between time units. + properties: + from: + description: Source time unit for conversion, for example `milliseconds`, `seconds`, `minutes`, `hours`, or `days`. + type: string + suffix: + description: Suffix appended to the formatted value. + type: string + to: + description: Display time unit after conversion, for example `seconds`, `minutes`, `hours`, or `days`. 
+ type: string + type: + enum: + - duration + type: string + required: + - type + - from + - to + title: Duration Format + type: object + Kibana_HTTP_APIs_enrollment_api_key: + additionalProperties: false + properties: + active: + description: When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents. + type: boolean + api_key: + description: The enrollment API key (token) used for enrolling Elastic Agents. + type: string + api_key_id: + description: The ID of the API key in the Security API. + type: string + created_at: + type: string + hidden: + type: boolean + id: + type: string + name: + description: The name of the enrollment API key. + type: string + policy_id: + description: The ID of the agent policy the Elastic Agent will be enrolled in. + type: string + required: + - id + - api_key_id + - api_key + - active + - created_at + title: enrollment_api_key + type: object + Kibana_HTTP_APIs_enrollment_api_key_response: + additionalProperties: false + properties: + action: + enum: + - created + type: string + item: + $ref: '#/components/schemas/Kibana_HTTP_APIs_enrollment_api_key' + required: + - item + - action + title: enrollment_api_key_response + type: object + Kibana_HTTP_APIs_es_asset_reference: + additionalProperties: false + properties: + deferred: + type: boolean + id: + type: string + type: + enum: + - index + - index_template + - component_template + - ingest_pipeline + - ilm_policy + - data_stream_ilm_policy + - transform + - ml_model + - knowledge_base + - esql_view + type: string + version: + type: string + required: + - id + - type + title: es_asset_reference + type: object + Kibana_HTTP_APIs_es-query-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_alert_delay' + artifacts: + additionalProperties: false + type: 
object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the ES query rule. These parameters are appropriate when `rule_type_id` is `.es-query`. 
+ properties: + aggField: + description: The name of the numeric field that is used in the aggregation. This property is required when `aggType` is `avg`, `max`, `min` or `sum`. + minLength: 1 + type: string + aggType: + default: count + description: The type of aggregation to perform. + type: string + esqlQuery: + anyOf: + - items: {} + type: array + - type: boolean + - type: number + - type: object + - type: string + description: The query definition in Elasticsearch Query Language. + nullable: true + oneOf: + - additionalProperties: false + type: object + properties: + esql: + minLength: 1 + type: string + required: + - esql + - not: {} + esQuery: + anyOf: + - items: {} + type: array + - type: boolean + - type: number + - type: object + - type: string + nullable: true + oneOf: + - minLength: 1 + type: string + - not: {} + excludeHitsFromPreviousRun: + default: true + description: Indicates whether to exclude matches from previous runs. If `true`, you can avoid alert duplication by excluding documents that have already been detected by the previous rule run. This option is not available when a grouping field is specified. + type: boolean + groupBy: + default: all + description: Indicates whether the aggregation is applied over all documents (`all`), grouped by row (`row`), or split into groups (`top`) using a grouping field (`termField`) where only the top groups (up to `termSize` number of groups) are checked. If grouping is used, an alert will be created for each group when it exceeds the threshold. + type: string + index: + anyOf: + - items: {} + type: array + - type: boolean + - type: number + - type: object + - type: string + description: The indices to query. 
+ nullable: true + oneOf: + - items: + minLength: 1 + type: string + minItems: 1 + type: array + - not: {} + searchConfiguration: + anyOf: + - items: {} + type: array + - type: boolean + - type: number + - type: object + - type: string + description: The query definition, which uses KQL or Lucene to fetch the documents from Elasticsearch. + nullable: true + oneOf: + - additionalProperties: true + type: object + properties: {} + - not: {} + searchType: + default: esQuery + description: 'The type of query For example: `esQuery` for Elasticsearch Query DSL or `esqlQuery` for Elasticsearch Query Language (ES|QL).' + enum: + - searchSource + - esQuery + - esqlQuery + type: string + size: + description: The number of documents to pass to the configured actions when the threshold condition is met. + maximum: 10000 + minimum: 0 + type: number + sourceFields: + description: The sourceFields param is ignored. + items: + additionalProperties: false + type: object + properties: + label: + type: string + searchPath: + type: string + required: + - label + - searchPath + maxItems: 5 + type: array + termField: + anyOf: + - minLength: 1 + type: string + - items: + type: string + maxItems: 4 + minItems: 2 + type: array + description: The names of up to four fields that are used for grouping the aggregation. This property is required when `groupBy` is `top`. + termSize: + description: This property is required when `groupBy` is `top`. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields. + minimum: 1 + type: number + threshold: + items: + description: The threshold value that is used with the `thresholdComparator`. If the `thresholdComparator` is `between` or `notBetween`, you must specify the boundary values. + type: number + maxItems: 2 + minItems: 1 + type: array + thresholdComparator: + description: 'The comparison function for the threshold. 
For example: greater than, less than, greater than or equal to, between, or not between.' + enum: + - '>' + - < + - '>=' + - <= + - between + - notBetween + type: string + timeField: + anyOf: + - items: {} + type: array + - type: boolean + - type: number + - type: object + - type: string + description: The field that is used to calculate the time window. + nullable: true + oneOf: + - minLength: 1 + type: string + - minLength: 1 + type: string + timeWindowSize: + description: The size of the time window (in `timeWindowUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection. + minimum: 1 + type: number + timeWindowUnit: + description: 'The type of units for the time window. For example: seconds, minutes, hours, or days.' + type: string + required: + - size + - timeWindowSize + - timeWindowUnit + - threshold + - thresholdComparator + - timeField + - searchConfiguration + - esQuery + - index + - esqlQuery + title: ES Query Rule Params + type: object + rule_type_id: + enum: + - .es-query + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: ES query + type: object + Kibana_HTTP_APIs_esqlDataSource: + additionalProperties: false + description: Uses an ES|QL query as the data source. The query is executed at render time; resulting columns are available as fields. + properties: + query: + description: 'An ES|QL query that drives the data source. The query must produce a tabular result set; column names are used as field references. Example: "FROM logs-* | STATS count = COUNT(*) BY host.name".' + type: string + type: + enum: + - esql + type: string + required: + - type + - query + title: ES|QL Data Source + type: object + Kibana_HTTP_APIs_FailureStore: + anyOf: + - additionalProperties: false + type: object + properties: + inherit: + additionalProperties: false + type: object + properties: {} + required: + - inherit + - additionalProperties: false + type: object + properties: + disabled: + additionalProperties: false + type: object + properties: {} + required: + - disabled + - additionalProperties: false + type: object + properties: + lifecycle: + additionalProperties: false + type: object + properties: + enabled: + additionalProperties: false + type: object + properties: + data_retention: + description: A non-empty string. 
+ minLength: 1 + type: string + required: + - enabled + required: + - lifecycle + - additionalProperties: false + type: object + properties: + lifecycle: + additionalProperties: false + type: object + properties: + disabled: + additionalProperties: false + type: object + properties: {} + required: + - disabled + required: + - lifecycle + Kibana_HTTP_APIs_FieldDefinition: + additionalProperties: + $ref: '#/components/schemas/Kibana_HTTP_APIs_FieldDefinitionConfig' + type: object + Kibana_HTTP_APIs_FieldDefinitionConfig: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_RecursiveRecord' + - anyOf: + - additionalProperties: false + type: object + properties: + description: + type: string + format: + description: A non-empty string. + minLength: 1 + type: string + type: + enum: + - keyword + - match_only_text + - long + - double + - date + - boolean + - ip + - geo_point + - integer + - short + - byte + - float + - half_float + - text + - wildcard + - version + - unsigned_long + - date_nanos + type: string + required: + - type + - additionalProperties: false + type: object + properties: + description: + type: string + format: + not: {} + type: + not: {} + required: + - description + - additionalProperties: false + type: object + properties: + description: + type: string + type: + enum: + - system + type: string + required: + - type + Kibana_HTTP_APIs_fieldMetricOperations: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_countMetricOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_uniqueCountMetricOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_minMaxAvgMedianStdDevMetricOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_sumMetricOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_lastValueOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_percentileOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_percentileRanksOperation' + title: Field Metric Operations + Kibana_HTTP_APIs_FilterCondition: + 
anyOf: + - additionalProperties: false + description: A condition that compares a field to a value or range using an operator as the key. + type: object + properties: + contains: + anyOf: + - type: string + - type: number + - type: boolean + description: Contains comparison value. + endsWith: + anyOf: + - type: string + - type: number + - type: boolean + description: Ends-with comparison value. + eq: + anyOf: + - type: string + - type: number + - type: boolean + description: Equality comparison value. + field: + description: The document field to filter on. + minLength: 1 + type: string + gt: + anyOf: + - type: string + - type: number + - type: boolean + description: Greater-than comparison value. + gte: + anyOf: + - type: string + - type: number + - type: boolean + description: Greater-than-or-equal comparison value. + includes: + anyOf: + - type: string + - type: number + - type: boolean + description: Checks if multivalue field includes the value. + lt: + anyOf: + - type: string + - type: number + - type: boolean + description: Less-than comparison value. + lte: + anyOf: + - type: string + - type: number + - type: boolean + description: Less-than-or-equal comparison value. + neq: + anyOf: + - type: string + - type: number + - type: boolean + description: Inequality comparison value. + range: + additionalProperties: false + description: Range comparison values. + type: object + properties: + gt: + anyOf: + - type: string + - type: number + - type: boolean + description: A value that can be a string, number, or boolean. + gte: + anyOf: + - type: string + - type: number + - type: boolean + description: A value that can be a string, number, or boolean. + lt: + anyOf: + - type: string + - type: number + - type: boolean + description: A value that can be a string, number, or boolean. + lte: + anyOf: + - type: string + - type: number + - type: boolean + description: A value that can be a string, number, or boolean. 
+ startsWith: + anyOf: + - type: string + - type: number + - type: boolean + description: Starts-with comparison value. + required: + - field + - additionalProperties: false + description: A condition that checks for the existence or non-existence of a field. + type: object + properties: + exists: + description: Indicates whether the field exists or not. + type: boolean + field: + description: The document field to check. + minLength: 1 + type: string + required: + - field + description: A basic filter condition, either unary or binary. + Kibana_HTTP_APIs_filterSimple: + additionalProperties: false + description: A KQL or Lucene query that filters panel data. Applied on top of any dashboard-level filters. + properties: + expression: + description: A query expression in KQL or Lucene syntax + type: string + language: + default: kql + description: 'Query language: `kql` (Kibana Query Language) or `lucene`. Defaults to `kql`.' + enum: + - kql + - lucene + type: string + required: + - expression + title: Filter + type: object + Kibana_HTTP_APIs_filtersOperation: + additionalProperties: false + properties: + filters: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterWithLabel' + maxItems: 100 + type: array + label: + description: Label for the operation + type: string + operation: + enum: + - filters + type: string + required: + - operation + - filters + title: Filters Operation + type: object + Kibana_HTTP_APIs_filterWithLabel: + additionalProperties: false + description: A KQL or Lucene filter with an optional display label. 
+ properties: + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + label: + description: Label for the filter + type: string + required: + - filter + title: Filter with Label + type: object + Kibana_HTTP_APIs_find_backfill_response: + additionalProperties: false + properties: + data: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_backfill_response' + type: array + page: + type: number + per_page: + type: number + total: + type: number + required: + - page + - per_page + - total + - data + title: find_backfill_response + type: object + Kibana_HTTP_APIs_formatType: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_numericFormat' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_byteFormat' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_durationFormat' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_customFormat' + description: Number display format for the dimension value. + title: Format Type + Kibana_HTTP_APIs_formulaOperation: + additionalProperties: false + properties: + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + formula: + description: Formula + type: string + label: + description: Label for the operation + type: string + operation: + enum: + - formula + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + description: Time scale + enum: + - s + - m + - h + - d + type: string + required: + - operation + - formula + title: Formula Operation + type: object + Kibana_HTTP_APIs_full_agent_policy: + additionalProperties: false + properties: + agent: + additionalProperties: false + type: object + properties: + download: + additionalProperties: false + type: object + properties: + auth: + additionalProperties: false + type: object + properties: + api_key: + type: string + headers: + items: + additionalProperties: false + type: object + 
properties: + key: + type: string + value: + type: string + required: + - key + - value + maxItems: 100 + type: array + password: + type: string + username: + type: string + proxy_headers: + additionalProperties: + anyOf: + - type: string + - type: boolean + - type: number + nullable: true + type: object + proxy_url: + type: string + secrets: + additionalProperties: true + type: object + properties: + ssl: + additionalProperties: true + type: object + properties: + key: + additionalProperties: true + type: object + properties: + id: + type: string + required: + - key + sourceURI: + type: string + ssl: + additionalProperties: false + type: object + properties: + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + key: + type: string + renegotiation: + type: string + verification_mode: + type: string + target_directory: + type: string + timeout: + type: string + required: + - sourceURI + features: + additionalProperties: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + required: + - enabled + type: object + internal: + nullable: true + limits: + additionalProperties: false + type: object + properties: + go_max_procs: + type: number + logging: + additionalProperties: false + type: object + properties: + files: + additionalProperties: false + type: object + properties: + interval: + type: string + keepfiles: + type: number + rotateeverybytes: + type: number + level: + type: string + metrics: + additionalProperties: false + type: object + properties: + period: + type: string + to_files: + type: boolean + monitoring: + additionalProperties: false + type: object + properties: + _runtime_experimental: + type: string + apm: + nullable: true + diagnostics: + additionalProperties: false + type: object + properties: + limit: + additionalProperties: false + type: object + properties: + burst: + type: number + interval: + type: string + uploader: + additionalProperties: false + type: 
object + properties: + init_dur: + type: string + max_dur: + type: string + max_retries: + type: number + enabled: + type: boolean + http: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + host: + type: string + port: + type: number + logs: + type: boolean + metrics: + type: boolean + namespace: + type: string + pprof: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + required: + - enabled + traces: + type: boolean + use_output: + type: string + required: + - enabled + - metrics + - logs + - traces + - apm + protection: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + signing_key: + type: string + uninstall_token_hash: + type: string + required: + - enabled + - uninstall_token_hash + - signing_key + required: + - monitoring + - download + - features + - internal + connectors: + additionalProperties: + nullable: true + type: object + exporters: + additionalProperties: + nullable: true + type: object + extensions: + additionalProperties: + nullable: true + type: object + fleet: + anyOf: + - additionalProperties: false + type: object + properties: + hosts: + items: + type: string + maxItems: 100 + type: array + proxy_headers: + additionalProperties: + anyOf: + - type: string + - type: boolean + - type: number + nullable: true + type: object + proxy_url: + type: string + secrets: + additionalProperties: true + type: object + properties: + ssl: + additionalProperties: true + type: object + properties: + key: + additionalProperties: true + type: object + properties: + id: + type: string + required: + - key + ssl: + additionalProperties: false + type: object + properties: + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + key: + type: string + renegotiation: + type: string + verification_mode: + type: string + required: + - hosts + - additionalProperties: false + type: object + properties: + kibana: 
+ additionalProperties: false + type: object + properties: + hosts: + items: + type: string + maxItems: 100 + type: array + path: + type: string + protocol: + type: string + required: + - hosts + - protocol + required: + - kibana + id: + type: string + inputs: + items: + additionalProperties: true + type: object + properties: + data_stream: + additionalProperties: true + type: object + properties: + namespace: + type: string + required: + - namespace + id: + type: string + meta: + additionalProperties: true + type: object + properties: + package: + additionalProperties: true + type: object + properties: + name: + type: string + version: + type: string + required: + - name + - version + name: + type: string + package_policy_id: + type: string + processors: + items: + additionalProperties: true + type: object + properties: + add_fields: + additionalProperties: true + type: object + properties: + fields: + additionalProperties: + anyOf: + - type: string + - type: number + type: object + target: + type: string + required: + - target + - fields + required: + - add_fields + maxItems: 10000 + type: array + revision: + type: number + streams: + items: + additionalProperties: true + type: object + properties: + data_stream: + additionalProperties: true + type: object + properties: + dataset: + type: string + type: + type: string + required: + - dataset + id: + type: string + required: + - id + - data_stream + maxItems: 10000 + type: array + type: + type: string + use_output: + type: string + required: + - id + - name + - revision + - type + - data_stream + - use_output + - package_policy_id + maxItems: 10000 + type: array + namespaces: + items: + type: string + maxItems: 100 + type: array + output_permissions: + additionalProperties: + additionalProperties: + nullable: true + type: object + type: object + outputs: + additionalProperties: + additionalProperties: true + type: object + properties: + ca_sha256: + nullable: true + type: string + hosts: + items: + type: string + 
maxItems: 100 + type: array + proxy_headers: + additionalProperties: + anyOf: + - type: string + - type: boolean + - type: number + nullable: true + type: object + proxy_url: + type: string + type: + type: string + required: + - type + type: object + processors: + additionalProperties: + nullable: true + type: object + receivers: + additionalProperties: + nullable: true + type: object + revision: + type: number + secret_references: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10000 + type: array + service: + additionalProperties: false + type: object + properties: + extensions: + items: + type: string + maxItems: 1000 + type: array + pipelines: + additionalProperties: + additionalProperties: false + type: object + properties: + exporters: + items: + type: string + maxItems: 1000 + type: array + processors: + items: + type: string + maxItems: 1000 + type: array + receivers: + items: + type: string + maxItems: 1000 + type: array + type: object + signed: + additionalProperties: false + type: object + properties: + data: + type: string + signature: + type: string + required: + - data + - signature + required: + - id + - outputs + - inputs + title: full_agent_policy + type: object + Kibana_HTTP_APIs_gaugeESQL: + additionalProperties: false + description: Gauge configuration using an ES|QL query. + properties: + data_source: + $ref: '#/components/schemas/Kibana_HTTP_APIs_esqlDataSource' + description: + type: string + drilldowns: + items: + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. 
+ type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. + type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + hide_border: + type: boolean + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. 
+ type: boolean + metric: + additionalProperties: false + type: object + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the gauge fill. + column: + description: Column to use + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + goal: + additionalProperties: false + type: object + properties: + column: + description: Column to use + type: string + label: + description: Label for the operation + type: string + required: + - column + label: + description: Label for the operation + type: string + max: + additionalProperties: false + type: object + properties: + column: + description: Column to use + type: string + label: + description: Label for the operation + type: string + required: + - column + min: + additionalProperties: false + type: object + properties: + column: + description: Column to use + type: string + label: + description: Label for the operation + type: string + required: + - column + subtitle: + description: Subtitle below the gauge value. + type: string + ticks: + additionalProperties: false + description: Ticks configuration + type: object + properties: + mode: + description: Tick placement mode. + enum: + - auto + - bands + type: string + visible: + description: When `true`, displays tick marks on the gauge. + type: boolean + title: + additionalProperties: false + description: Title configuration + type: object + properties: + text: + description: Title text. + type: string + visible: + description: When `true`, displays the title. + type: boolean + required: + - column + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). 
+ maximum: 1 + minimum: 0 + type: number + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeStyling' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + type: + enum: + - gauge + type: string + required: + - type + - data_source + - metric + title: Gauge Chart (ES|QL) + type: object + Kibana_HTTP_APIs_gaugeMetricCountMetric: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the gauge fill. + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. + type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + goal: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + label: + description: Label for the operation + type: string + max: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. 
+ title: Field Metric, Static Value, or Formula Operation + min: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + operation: + enum: + - count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the gauge value. + type: string + ticks: + additionalProperties: false + description: Ticks configuration + type: object + properties: + mode: + description: Tick placement mode. + enum: + - auto + - bands + type: string + visible: + description: When `true`, displays tick marks on the gauge. + type: boolean + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + title: + additionalProperties: false + description: Title configuration + type: object + properties: + text: + description: Title text. + type: string + visible: + description: When `true`, displays the title. + type: boolean + required: + - operation + title: Count Metric Operation + type: object + Kibana_HTTP_APIs_gaugeMetricFormula: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the gauge fill. 
+ filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + formula: + description: Formula + type: string + goal: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + label: + description: Label for the operation + type: string + max: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + min: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + operation: + enum: + - formula + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the gauge value. + type: string + ticks: + additionalProperties: false + description: Ticks configuration + type: object + properties: + mode: + description: Tick placement mode. + enum: + - auto + - bands + type: string + visible: + description: When `true`, displays tick marks on the gauge. 
+ type: boolean + time_scale: + description: Time scale + enum: + - s + - m + - h + - d + type: string + title: + additionalProperties: false + description: Title configuration + type: object + properties: + text: + description: Title text. + type: string + visible: + description: When `true`, displays the title. + type: boolean + required: + - operation + - formula + title: Formula Operation + type: object + Kibana_HTTP_APIs_gaugeMetricLastValue: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the gauge fill. + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + goal: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + label: + description: Label for the operation + type: string + max: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. 
+ title: Field Metric, Static Value, or Formula Operation + min: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + multi_value: + default: false + description: Whether to return all values for multi-value fields. Only affects data table and metric charts; other charts use the last value from the array. + type: boolean + operation: + enum: + - last_value + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the gauge value. + type: string + ticks: + additionalProperties: false + description: Ticks configuration + type: object + properties: + mode: + description: Tick placement mode. + enum: + - auto + - bands + type: string + visible: + description: When `true`, displays tick marks on the gauge. + type: boolean + time_field: + description: Time field used to determine document recency + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + title: + additionalProperties: false + description: Title configuration + type: object + properties: + text: + description: Title text. + type: string + visible: + description: When `true`, displays the title. 
+ type: boolean + required: + - field + - operation + - time_field + title: Last Value Operation + type: object + Kibana_HTTP_APIs_gaugeMetricPercentile: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the gauge fill. + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + goal: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + label: + description: Label for the operation + type: string + max: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + min: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. 
+ title: Field Metric, Static Value, or Formula Operation + operation: + enum: + - percentile + type: string + percentile: + default: 95 + description: Percentile + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the gauge value. + type: string + ticks: + additionalProperties: false + description: Ticks configuration + type: object + properties: + mode: + description: Tick placement mode. + enum: + - auto + - bands + type: string + visible: + description: When `true`, displays tick marks on the gauge. + type: boolean + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + title: + additionalProperties: false + description: Title configuration + type: object + properties: + text: + description: Title text. + type: string + visible: + description: When `true`, displays the title. + type: boolean + required: + - field + - operation + title: Percentile Operation + type: object + Kibana_HTTP_APIs_gaugeMetricPercentileRanks: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the gauge fill. 
+ field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + goal: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + label: + description: Label for the operation + type: string + max: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + min: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + operation: + enum: + - percentile_rank + type: string + rank: + default: 0 + description: Percentile Rank + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the gauge value. + type: string + ticks: + additionalProperties: false + description: Ticks configuration + type: object + properties: + mode: + description: Tick placement mode. 
+ enum: + - auto + - bands + type: string + visible: + description: When `true`, displays tick marks on the gauge. + type: boolean + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + title: + additionalProperties: false + description: Title configuration + type: object + properties: + text: + description: Title text. + type: string + visible: + description: When `true`, displays the title. + type: boolean + required: + - field + - operation + title: Percentile Ranks Operation + type: object + Kibana_HTTP_APIs_gaugeMetricStatsMetric: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the gauge fill. + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + goal: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + label: + description: Label for the operation + type: string + max: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. 
+ title: Field Metric, Static Value, or Formula Operation + min: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + operation: + enum: + - min + - max + - average + - median + - standard_deviation + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the gauge value. + type: string + ticks: + additionalProperties: false + description: Ticks configuration + type: object + properties: + mode: + description: Tick placement mode. + enum: + - auto + - bands + type: string + visible: + description: When `true`, displays tick marks on the gauge. + type: boolean + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + title: + additionalProperties: false + description: Title configuration + type: object + properties: + text: + description: Title text. + type: string + visible: + description: When `true`, displays the title. + type: boolean + required: + - field + - operation + title: Stats Metric Operation + type: object + Kibana_HTTP_APIs_gaugeMetricSumMetric: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the gauge fill. + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + goal: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + label: + description: Label for the operation + type: string + max: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + min: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + operation: + enum: + - sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the gauge value. + type: string + ticks: + additionalProperties: false + description: Ticks configuration + type: object + properties: + mode: + description: Tick placement mode. + enum: + - auto + - bands + type: string + visible: + description: When `true`, displays tick marks on the gauge. 
+ type: boolean + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + title: + additionalProperties: false + description: Title configuration + type: object + properties: + text: + description: Title text. + type: string + visible: + description: When `true`, displays the title. + type: boolean + required: + - field + - operation + title: Sum Metric Operation + type: object + Kibana_HTTP_APIs_gaugeMetricUniqueCountMetric: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the gauge fill. + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. + type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + goal: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + label: + description: Label for the operation + type: string + max: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. 
+ title: Field Metric, Static Value, or Formula Operation + min: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + operation: + enum: + - unique_count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the gauge value. + type: string + ticks: + additionalProperties: false + description: Ticks configuration + type: object + properties: + mode: + description: Tick placement mode. + enum: + - auto + - bands + type: string + visible: + description: When `true`, displays tick marks on the gauge. + type: boolean + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + title: + additionalProperties: false + description: Title configuration + type: object + properties: + text: + description: Title text. + type: string + visible: + description: When `true`, displays the title. + type: boolean + required: + - field + - operation + title: Unique Count Metric Operation + type: object + Kibana_HTTP_APIs_gaugeNoESQL: + additionalProperties: false + description: Gauge configuration using a data view. 
+ properties: + data_source: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' + description: + type: string + drilldowns: + items: + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. + type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. 
Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + hide_border: + type: boolean + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. + type: boolean + metric: + anyOf: + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeMetricCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeMetricUniqueCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeMetricStatsMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeMetricSumMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeMetricLastValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeMetricPercentile' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeMetricPercentileRanks' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeMetricFormula' + query: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). + maximum: 1 + minimum: 0 + type: number + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeStyling' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + type: + enum: + - gauge + type: string + required: + - type + - data_source + - metric + title: Gauge Chart (DSL) + type: object + Kibana_HTTP_APIs_gaugeShapeBullet: + additionalProperties: false + description: Bullet gauge shape. 
+ properties: + orientation: + $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_simple_orientation' + type: + enum: + - bullet + type: string + required: + - type + title: Shape (Bullet) + type: object + Kibana_HTTP_APIs_gaugeShapeCircular: + additionalProperties: false + description: Circular gauge shape. + properties: + type: + enum: + - circle + - semi_circle + - arc + type: string + required: + - type + title: Shape (Circular) + type: object + Kibana_HTTP_APIs_gaugeStyling: + additionalProperties: false + description: Visual chart styling options + properties: + shape: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeShapeBullet' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeShapeCircular' + title: Gauge styling + type: object + Kibana_HTTP_APIs_geo-containment-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_alert_delay' + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. 
While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the geo containment rule. These parameters are appropriate when `rule_type_id` is `.geo-containment`. 
+ properties: + boundaryGeoField: + minLength: 1 + type: string + boundaryIndexId: + minLength: 1 + type: string + boundaryIndexQuery: + nullable: true + boundaryIndexTitle: + minLength: 1 + type: string + boundaryNameField: + minLength: 1 + type: string + boundaryType: + minLength: 1 + type: string + dateField: + minLength: 1 + type: string + entity: + minLength: 1 + type: string + geoField: + minLength: 1 + type: string + index: + minLength: 1 + type: string + indexId: + minLength: 1 + type: string + indexQuery: + nullable: true + required: + - index + - indexId + - geoField + - entity + - dateField + - boundaryType + - boundaryIndexTitle + - boundaryIndexId + - boundaryGeoField + - indexQuery + - boundaryIndexQuery + title: Geo Containment Rule Params + type: object + rule_type_id: + enum: + - .geo-containment + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Geo containment + type: object + Kibana_HTTP_APIs_get_agent_policy_outputs_response: + additionalProperties: false + properties: + item: + additionalProperties: false + type: object + properties: + agentPolicyId: + type: string + data: + additionalProperties: false + type: object + properties: + integrations: + items: + additionalProperties: false + type: object + properties: + id: + type: string + integrationPolicyName: + type: string + name: + type: string + pkgName: + type: string + maxItems: 1000 + type: array + output: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + required: + - id + - name + required: + - output + monitoring: + additionalProperties: false + type: object + properties: + output: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + required: + - id + - name + required: + - output + required: + - monitoring + - data + required: + - item + title: get_agent_policy_outputs_response + type: object + Kibana_HTTP_APIs_get_agent_policy_response: + additionalProperties: false + properties: + item: + $ref: '#/components/schemas/Kibana_HTTP_APIs_agent_policy_response' + required: + - item + title: get_agent_policy_response + type: object + Kibana_HTTP_APIs_get_bulk_assets_request: + additionalProperties: false + properties: + assetIds: + items: + additionalProperties: false + type: object + properties: + id: + type: string + type: + type: string + required: + - id + - type + maxItems: 10000 + type: array + required: + - assetIds + title: get_bulk_assets_request + type: object + Kibana_HTTP_APIs_get_bulk_assets_response: + additionalProperties: false + properties: + items: + items: + additionalProperties: false + type: object + properties: + appLink: + type: string + attributes: + additionalProperties: false + type: object + 
properties: + description: + type: string + service: + type: string + title: + type: string + id: + type: string + type: + type: string + updatedAt: + type: string + required: + - id + - type + - attributes + maxItems: 10000 + type: array + required: + - items + title: get_bulk_assets_response + type: object + Kibana_HTTP_APIs_get_categories_response: + additionalProperties: false + properties: + items: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_category_summary_item' + maxItems: 10000 + type: array + required: + - items + title: get_categories_response + type: object + Kibana_HTTP_APIs_get_data_streams_response: + additionalProperties: false + properties: + items: + items: + additionalProperties: false + type: object + properties: + name: + type: string + required: + - name + maxItems: 10000 + type: array + required: + - items + title: get_data_streams_response + type: object + Kibana_HTTP_APIs_get_dependencies_response: + additionalProperties: false + properties: + items: + items: + additionalProperties: false + type: object + properties: + name: + type: string + title: + type: string + version: + type: string + required: + - name + - version + - title + maxItems: 1000 + type: array + required: + - items + title: get_dependencies_response + type: object + Kibana_HTTP_APIs_get_full_agent_policy_response: + additionalProperties: false + properties: + item: + anyOf: + - type: string + - $ref: '#/components/schemas/Kibana_HTTP_APIs_full_agent_policy' + required: + - item + title: get_full_agent_policy_response + type: object + Kibana_HTTP_APIs_get_info_response: + additionalProperties: false + properties: + item: + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_package_info' + metadata: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_metadata' + required: + - item + title: get_info_response + type: object + Kibana_HTTP_APIs_get_inputs_response: + additionalProperties: false + properties: + connectors: + additionalProperties: + nullable: true + 
type: object + exporters: + additionalProperties: + nullable: true + type: object + extensions: + additionalProperties: + nullable: true + type: object + inputs: + items: + additionalProperties: false + type: object + properties: + id: + type: string + streams: + items: + additionalProperties: true + type: object + properties: + data_stream: + additionalProperties: true + type: object + properties: + dataset: + type: string + type: + type: string + required: + - dataset + id: + type: string + required: + - id + - data_stream + maxItems: 10000 + type: array + type: + type: string + required: + - id + - type + maxItems: 10000 + type: array + processors: + additionalProperties: + nullable: true + type: object + receivers: + additionalProperties: + nullable: true + type: object + service: + additionalProperties: false + type: object + properties: + extensions: + items: + type: string + maxItems: 1000 + type: array + pipelines: + additionalProperties: + additionalProperties: false + type: object + properties: + exporters: + items: + type: string + maxItems: 1000 + type: array + processors: + items: + type: string + maxItems: 1000 + type: array + receivers: + items: + type: string + maxItems: 1000 + type: array + type: object + required: + - inputs + title: get_inputs_response + type: object + Kibana_HTTP_APIs_get_installed_packages_response: + additionalProperties: false + properties: + items: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_installed_package' + maxItems: 10000 + type: array + searchAfter: + items: + anyOf: + - type: string + - type: number + - type: boolean + - nullable: true + nullable: true + maxItems: 2 + type: array + total: + type: number + required: + - items + - total + title: get_installed_packages_response + type: object + Kibana_HTTP_APIs_get_k8s_manifest_response: + additionalProperties: false + properties: + item: + type: string + required: + - item + title: get_k8s_manifest_response + type: object + 
Kibana_HTTP_APIs_get_limited_packages_response: + additionalProperties: false + properties: + items: + items: + type: string + maxItems: 10000 + type: array + required: + - items + title: get_limited_packages_response + type: object + Kibana_HTTP_APIs_get_list_agent_policy_outputs_request: + additionalProperties: false + properties: + ids: + description: list of package policy ids + items: + type: string + maxItems: 1000 + type: array + required: + - ids + title: get_list_agent_policy_outputs_request + type: object + Kibana_HTTP_APIs_get_list_agent_policy_outputs_response: + additionalProperties: false + properties: + items: + items: + additionalProperties: false + type: object + properties: + agentPolicyId: + type: string + data: + additionalProperties: false + type: object + properties: + integrations: + items: + additionalProperties: false + type: object + properties: + id: + type: string + integrationPolicyName: + type: string + name: + type: string + pkgName: + type: string + maxItems: 1000 + type: array + output: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + required: + - id + - name + required: + - output + monitoring: + additionalProperties: false + type: object + properties: + output: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + required: + - id + - name + required: + - output + required: + - monitoring + - data + maxItems: 10000 + type: array + required: + - items + title: get_list_agent_policy_outputs_response + type: object + Kibana_HTTP_APIs_get_one_bulk_operation_packages_response: + additionalProperties: false + properties: + error: + additionalProperties: false + type: object + properties: + message: + type: string + required: + - message + results: + items: + additionalProperties: false + type: object + properties: + error: + additionalProperties: false + type: object + properties: + message: + type: string + required: + - message 
+ name: + type: string + success: + type: boolean + required: + - name + - success + maxItems: 10000 + type: array + status: + type: string + required: + - status + title: get_one_bulk_operation_packages_response + type: object + Kibana_HTTP_APIs_get_package_info: + additionalProperties: true + properties: + agent: + additionalProperties: false + type: object + properties: + privileges: + additionalProperties: false + type: object + properties: + root: + type: boolean + asset_tags: + items: + additionalProperties: false + type: object + properties: + asset_ids: + items: + type: string + maxItems: 1000 + type: array + asset_types: + items: + type: string + maxItems: 100 + type: array + text: + type: string + required: + - text + maxItems: 1000 + type: array + assets: + additionalProperties: + nullable: true + type: object + categories: + items: + type: string + maxItems: 100 + type: array + conditions: + additionalProperties: true + type: object + properties: + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + elastic: + additionalProperties: true + type: object + properties: + capabilities: + items: + type: string + maxItems: 10 + type: array + subscription: + type: string + kibana: + additionalProperties: true + type: object + properties: + version: + type: string + data_streams: + items: + additionalProperties: + nullable: true + type: object + maxItems: 1000 + type: array + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + description: + type: string + discovery: + additionalProperties: true + type: object + properties: + datasets: + items: + additionalProperties: true + type: object + properties: + name: + type: string + required: + - name + maxItems: 100 + type: array + fields: + items: + additionalProperties: true + type: object + properties: + name: + type: string + required: + - name + maxItems: 100 + type: array + download: + type: string + elasticsearch: + additionalProperties: + nullable: true + 
type: object + format_version: + type: string + icons: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_icon' + maxItems: 100 + type: array + installationInfo: + $ref: '#/components/schemas/Kibana_HTTP_APIs_installation_info' + internal: + type: boolean + keepPoliciesUpToDate: + type: boolean + latestVersion: + type: string + license: + type: string + licensePath: + type: string + name: + type: string + notice: + type: string + owner: + additionalProperties: true + type: object + properties: + github: + type: string + type: + enum: + - elastic + - partner + - community + type: string + path: + type: string + policy_templates: + items: + additionalProperties: + nullable: true + type: object + maxItems: 1000 + type: array + readme: + type: string + release: + enum: + - ga + - beta + - experimental + type: string + screenshots: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_icon' + maxItems: 100 + type: array + signature_path: + type: string + source: + additionalProperties: true + type: object + properties: + license: + type: string + required: + - license + status: + type: string + title: + type: string + type: + anyOf: + - enum: + - integration + type: string + - enum: + - input + type: string + - enum: + - content + type: string + - type: string + var_groups: + items: + additionalProperties: true + type: object + properties: + description: + type: string + name: + type: string + options: + items: + additionalProperties: true + type: object + properties: + description: + type: string + hide_in_deployment_modes: + items: + enum: + - default + - agentless + type: string + maxItems: 2 + type: array + name: + type: string + title: + type: string + vars: + items: + type: string + maxItems: 100 + type: array + required: + - name + - title + - vars + maxItems: 100 + type: array + selector_title: + type: string + title: + type: string + required: + - name + - title + - selector_title + - options + maxItems: 100 + type: array + vars: + items: 
+ additionalProperties: + nullable: true + type: object + maxItems: 1000 + type: array + version: + type: string + required: + - name + - version + - title + - assets + title: get_package_info + type: object + Kibana_HTTP_APIs_get_packages_response: + additionalProperties: false + properties: + items: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_list_item' + maxItems: 10000 + type: array + required: + - items + title: get_packages_response + type: object + Kibana_HTTP_APIs_get_stats_response: + additionalProperties: false + properties: + response: + additionalProperties: false + type: object + properties: + agent_policy_count: + type: number + package_policy_count: + type: number + required: + - agent_policy_count + - package_policy_count + required: + - response + title: get_stats_response + type: object + Kibana_HTTP_APIs_get_verification_key_id_response: + additionalProperties: false + properties: + id: + nullable: true + type: string + required: + - id + title: get_verification_key_id_response + type: object + Kibana_HTTP_APIs_gradientColorMapping: + additionalProperties: false + description: Gradient color mapping across categorical values. + properties: + gradient: + items: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorFromPalette' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_color_code' + maxItems: 3 + type: array + mapping: + items: + additionalProperties: false + type: object + properties: + values: + items: + anyOf: + - type: string + - type: number + - $ref: '#/components/schemas/Kibana_HTTP_APIs_range_key' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_multi_field_key' + maxItems: 100 + type: array + required: + - values + maxItems: 100 + type: array + mode: + enum: + - gradient + type: string + palette: + description: 'Color palette name. Accepted values: ''default'', ''elastic_line_optimized'', ''severity'', ''eui_amsterdam'', ''kibana_v7_legacy'', ''elastic_brand_2023''. Defaults to `default`.' 
+ type: string + sort: + description: Sort direction + enum: + - asc + - desc + type: string + unassigned: + $ref: '#/components/schemas/Kibana_HTTP_APIs_unassignedColorSchema' + required: + - mode + - palette + title: Gradient Color Mapping + type: object + Kibana_HTTP_APIs_heatmapAxes: + additionalProperties: false + description: Axis configuration for X and Y axes + properties: + x: + $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapXAxis' + 'y': + $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapYAxis' + title: Axes + type: object + Kibana_HTTP_APIs_heatmapCells: + additionalProperties: false + description: Cells configuration + properties: + labels: + additionalProperties: false + type: object + properties: + visible: + description: Show cell labels + type: boolean + title: Cells + type: object + Kibana_HTTP_APIs_heatmapESQL: + additionalProperties: false + description: Heatmap configuration using an ES|QL query. + properties: + axis: + $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapAxes' + data_source: + $ref: '#/components/schemas/Kibana_HTTP_APIs_esqlDataSource' + description: + type: string + drilldowns: + items: + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. 
+ type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + hide_border: + type: boolean + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. + type: boolean + legend: + $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapLegend' + metric: + additionalProperties: false + type: object + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color scale configuration for the heatmap cells. 
+ column: + description: Column to use + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + required: + - column + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). + maximum: 1 + minimum: 0 + type: number + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapStyling' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + type: + enum: + - heatmap + type: string + x: + additionalProperties: false + type: object + properties: + column: + description: Column to use + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + required: + - column + 'y': + additionalProperties: false + type: object + properties: + column: + description: Column to use + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + required: + - column + required: + - type + - x + - data_source + - metric + title: Heatmap Chart (ES|QL) + type: object + Kibana_HTTP_APIs_heatmapLegend: + additionalProperties: false + description: Legend configuration + properties: + position: + enum: + - top + - bottom + - left + - right + type: string + size: + $ref: '#/components/schemas/Kibana_HTTP_APIs_legendSize' + truncate_after_lines: + description: Number of lines before legend items are truncated. + maximum: 10 + minimum: 1 + title: legendTruncateAfterLines + type: number + visibility: + description: Legend visibility. 
+ enum: + - visible + - hidden + type: string + title: Legend + type: object + Kibana_HTTP_APIs_heatmapMetricCounterRate: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color scale configuration for the heatmap cells. + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - counter_rate + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Counter Rate Operation + type: object + Kibana_HTTP_APIs_heatmapMetricCountMetric: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color scale configuration for the heatmap cells. + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - operation + title: Count Metric Operation + type: object + Kibana_HTTP_APIs_heatmapMetricCumulativeSum: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color scale configuration for the heatmap cells. 
+ field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - cumulative_sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Cumulative Sum Operation + type: object + Kibana_HTTP_APIs_heatmapMetricDifferences: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color scale configuration for the heatmap cells. 
+ filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - differences + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - operation + - of + title: Differences Operation + type: object + Kibana_HTTP_APIs_heatmapMetricFormula: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color scale configuration for the heatmap cells. + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + formula: + description: Formula + type: string + label: + description: Label for the operation + type: string + operation: + enum: + - formula + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + description: Time scale + enum: + - s + - m + - h + - d + type: string + required: + - operation + - formula + title: Formula Operation + type: object + Kibana_HTTP_APIs_heatmapMetricLastValue: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color scale configuration for the heatmap cells. 
+ field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + multi_value: + default: false + description: Whether to return all values for multi-value fields. Only affects data table and metric charts; other charts use the last value from the array. + type: boolean + operation: + enum: + - last_value + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_field: + description: Time field used to determine document recency + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + - time_field + title: Last Value Operation + type: object + Kibana_HTTP_APIs_heatmapMetricMovingAverage: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color scale configuration for the heatmap cells. 
+ filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - moving_average + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + window: + default: 5 + description: Window + type: number + required: + - operation + - of + title: Moving Average Operation + type: object + Kibana_HTTP_APIs_heatmapMetricPercentile: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color scale configuration for the heatmap cells. 
+ field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - percentile + type: string + percentile: + default: 95 + description: Percentile + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Percentile Operation + type: object + Kibana_HTTP_APIs_heatmapMetricPercentileRanks: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color scale configuration for the heatmap cells. 
+ field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - percentile_rank + type: string + rank: + default: 0 + description: Percentile Rank + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Percentile Ranks Operation + type: object + Kibana_HTTP_APIs_heatmapMetricStatsMetric: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color scale configuration for the heatmap cells. 
+ field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - min + - max + - average + - median + - standard_deviation + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Stats Metric Operation + type: object + Kibana_HTTP_APIs_heatmapMetricSumMetric: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color scale configuration for the heatmap cells. + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Sum Metric Operation + type: object + Kibana_HTTP_APIs_heatmapMetricUniqueCountMetric: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color scale configuration for the heatmap cells. + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. + type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - unique_count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Unique Count Metric Operation + type: object + Kibana_HTTP_APIs_heatmapNoESQL: + additionalProperties: false + description: Heatmap configuration using a data view. 
+ properties: + axis: + $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapAxes' + data_source: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' + description: + type: string + drilldowns: + items: + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. + type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. 
Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + hide_border: + type: boolean + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. + type: boolean + legend: + $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapLegend' + metric: + anyOf: + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapMetricCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapMetricUniqueCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapMetricStatsMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapMetricSumMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapMetricLastValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapMetricPercentile' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapMetricPercentileRanks' + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapMetricDifferences' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapMetricMovingAverage' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapMetricCumulativeSum' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapMetricCounterRate' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapMetricFormula' + query: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). 
+ maximum: 1 + minimum: 0 + type: number + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapStyling' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + type: + enum: + - heatmap + type: string + x: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_dateHistogramOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_histogramOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rangesOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_filtersOperation' + description: Breakdown dimension configuration using date histogram, terms, numeric histogram, value ranges, or custom filters. + title: Breakdown Operation + 'y': + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_dateHistogramOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_histogramOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rangesOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_filtersOperation' + description: Breakdown dimension configuration using date histogram, terms, numeric histogram, value ranges, or custom filters. 
+ title: Breakdown Operation + required: + - type + - x + - data_source + - metric + title: Heatmap Chart (DSL) + type: object + Kibana_HTTP_APIs_heatmapStyling: + additionalProperties: false + description: Visual chart styling options + properties: + cells: + $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapCells' + title: Heatmap styling + type: object + Kibana_HTTP_APIs_heatmapXAxis: + additionalProperties: false + description: X axis configuration + properties: + labels: + additionalProperties: false + type: object + properties: + orientation: + $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_orientation' + visible: + description: Show axis labels + type: boolean + scale: + description: X-axis scale type. Use 'temporal' for timestamp/date fields (for example, @timestamp or DATE_TRUNC results). Use 'ordinal' for categorical/text fields. Use 'linear' for numeric fields. + enum: + - ordinal + - temporal + - linear + type: string + sort: + description: Axis sort order; omit or use undefined for no sorting + enum: + - asc + - desc + type: string + title: + additionalProperties: false + type: object + properties: + text: + description: Axis title text. + type: string + visible: + description: When `true`, displays the title. + type: boolean + required: + - scale + title: X Axis + type: object + Kibana_HTTP_APIs_heatmapYAxis: + additionalProperties: false + description: Y axis configuration + properties: + labels: + additionalProperties: false + type: object + properties: + visible: + description: Show axis labels + type: boolean + sort: + description: Axis sort order; omit or use undefined for no sorting + enum: + - asc + - desc + type: string + title: + additionalProperties: false + type: object + properties: + text: + description: Axis title text. + type: string + visible: + description: When `true`, displays the title. 
+ type: boolean + title: Y Axis + type: object + Kibana_HTTP_APIs_histogramOperation: + additionalProperties: false + properties: + field: + description: Field to be used for the histogram. + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + granularity: + anyOf: + - description: Granularity of the histogram. + maximum: 7 + minimum: 1 + type: number + - enum: + - auto + type: string + default: auto + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. + type: boolean + label: + description: Label for the operation + type: string + operation: + enum: + - histogram + type: string + required: + - operation + - field + title: Histogram Operation + type: object + Kibana_HTTP_APIs_index-threshold-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_alert_delay' + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. 
While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the index threshold rule. These parameters are appropriate when `rule_type_id` is `.index-threshold`. + properties: + aggField: + description: The name of the numeric field that is used in the aggregation. This property is required when `aggType` is `avg`, `max`, `min` or `sum`. + minLength: 1 + type: string + aggType: + default: count + description: The type of aggregation to perform. + type: string + filterKuery: + description: A Kibana Query Language (KQL) expression thats limits the scope of alerts. + type: string + groupBy: + default: all + description: Indicates whether the aggregation is applied over all documents (`all`) or split into groups (`top`) using a grouping field (`termField`). If grouping is used, an alert will be created for each group when it exceeds the threshold; only the top groups (up to `termSize` number of groups) are checked. 
+ type: string + index: + anyOf: + - minLength: 1 + type: string + - items: + minLength: 1 + type: string + minItems: 1 + type: array + description: The indices to query. + termField: + description: The names of up to four fields that are used for grouping the aggregation. This property is required when `groupBy` is `top`. + minLength: 1 + type: string + termSize: + description: This property is required when `groupBy` is `top`. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields. + minimum: 1 + type: number + threshold: + items: + type: number + maxItems: 2 + minItems: 1 + type: array + thresholdComparator: + description: 'The comparison function for the threshold. For example: greater than, less than, greater than or equal to, between, or not between.' + enum: + - '>' + - < + - '>=' + - <= + - between + - notBetween + type: string + timeField: + description: The field that is used to calculate the time window. + minLength: 1 + type: string + timeWindowSize: + description: The size of the time window (in `timeWindowUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection. + minimum: 1 + type: number + timeWindowUnit: + description: 'The type of units for the time window. For example: seconds, minutes, hours, or days.' + type: string + required: + - index + - timeField + - timeWindowSize + - timeWindowUnit + - thresholdComparator + - threshold + title: Index Threshold Rule Params + type: object + rule_type_id: + enum: + - .index-threshold + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. 
+ type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Index threshold + type: object + Kibana_HTTP_APIs_IngestStreamLifecycle: + anyOf: + - additionalProperties: false + type: object + properties: + dsl: + additionalProperties: false + type: object + properties: + data_retention: + description: A non-empty string. + minLength: 1 + type: string + downsample: + items: + type: object + properties: + after: + description: A non-empty string. + minLength: 1 + type: string + fixed_interval: + description: A non-empty string. + minLength: 1 + type: string + required: + - after + - fixed_interval + type: array + required: + - dsl + - additionalProperties: false + type: object + properties: + ilm: + additionalProperties: false + type: object + properties: + policy: + description: A non-empty string. + minLength: 1 + type: string + required: + - policy + required: + - ilm + - additionalProperties: false + type: object + properties: + inherit: + additionalProperties: false + type: object + properties: {} + required: + - inherit + Kibana_HTTP_APIs_install_kibana_assets_request: + additionalProperties: false + properties: + force: + type: boolean + space_ids: + description: When provided, assets are installed in the specified spaces instead of the current space. 
+ items: + type: string + maxItems: 100 + minItems: 1 + type: array + title: install_kibana_assets_request + type: object + Kibana_HTTP_APIs_install_kibana_assets_response: + additionalProperties: false + properties: + success: + type: boolean + required: + - success + title: install_kibana_assets_response + type: object + Kibana_HTTP_APIs_install_package_from_registry_request: + additionalProperties: false + properties: + force: + default: false + type: boolean + ignore_constraints: + default: false + type: boolean + title: install_package_from_registry_request + type: object + Kibana_HTTP_APIs_install_package_response: + additionalProperties: false + properties: + _meta: + additionalProperties: false + type: object + properties: + install_source: + type: string + name: + type: string + required: + - install_source + - name items: - example: d4e7abb0-b462-11ec-9a8d-698504725a43 + items: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kibana_asset_reference' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_es_asset_reference' + maxItems: 10000 + type: array + required: + - items + - _meta + title: install_package_response + type: object + Kibana_HTTP_APIs_install_rule_assets_request: + additionalProperties: false + properties: + force: + type: boolean + title: install_rule_assets_request + type: object + Kibana_HTTP_APIs_installation_info: + additionalProperties: true + properties: + additional_spaces_installed_kibana: + additionalProperties: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kibana_asset_reference' + maxItems: 100 + type: array + type: object + created_at: + type: string + experimental_data_stream_features: + items: + additionalProperties: true + type: object + properties: + data_stream: + type: string + features: + additionalProperties: true + type: object + properties: + doc_value_only_numeric: + type: boolean + doc_value_only_other: + type: boolean + synthetic_source: + type: boolean + tsdb: + type: boolean + required: + - 
data_stream + - features + maxItems: 100 + type: array + install_format_schema_version: + type: string + install_source: + enum: + - registry + - upload + - bundled + - custom + type: string + install_status: + enum: + - installed + - installing + - install_failed + type: string + installed_es: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_es_asset_reference' + maxItems: 10000 + type: array + installed_kibana: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kibana_asset_reference' + maxItems: 10000 + type: array + installed_kibana_space_id: + type: string + is_rollback_ttl_expired: + type: boolean + latest_executed_state: + additionalProperties: true + type: object + properties: + error: + type: string + name: + type: string + started_at: + type: string + latest_install_failed_attempts: + items: + additionalProperties: true + type: object + properties: + created_at: + type: string + error: + additionalProperties: true + type: object + properties: + message: + type: string + name: + type: string + stack: + type: string + required: + - name + - message + target_version: + type: string + required: + - created_at + - target_version + - error + maxItems: 10 + type: array + name: + type: string + namespaces: + items: + type: string + maxItems: 100 + type: array + previous_version: + nullable: true + type: string + rolled_back: + type: boolean + type: + type: string + updated_at: + type: string + verification_key_id: + nullable: true + type: string + verification_status: + enum: + - unverified + - verified + - unknown + type: string + version: + type: string + required: + - type + - installed_kibana + - installed_es + - name + - version + - install_status + - install_source + - verification_status + title: installation_info + type: object + Kibana_HTTP_APIs_installed_package: + additionalProperties: false + properties: + dataStreams: + items: + additionalProperties: false + type: object + properties: + name: + type: string + title: + type: string + 
required: + - name + - title + maxItems: 10000 + type: array + description: + type: string + icons: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_icon' + maxItems: 100 + type: array + name: + type: string + status: + type: string + title: + type: string + version: + type: string + required: + - name + - version + - status + - dataStreams + title: installed_package + type: object + Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeConditionFilterSchema: + additionalProperties: false + description: A filter that evaluates a single field condition such as equality, range, or existence. + properties: + condition: + description: A filter condition with strict operator/value type matching. + discriminator: + mapping: + exists: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_exists' + is: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_is' + is_one_of: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_is_one_of' + range: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_range' + propertyName: operator + oneOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_is' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_is_one_of' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_range' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_exists' + controlled_by: + description: Identifier of the panel that manages this filter. When set, the filter is treated as owned by that panel. + type: string + data_view_id: + description: Identifier of the data view used as context for this filter. + type: string + disabled: + description: When `true`, the filter is inactive and does not affect query results. Defaults to `false`. 
+ type: boolean + is_multi_index: + description: When `true`, the filter can be applied across multiple indices. Defaults to `false`. + type: boolean + label: + description: Human-readable label for the filter, used for display purposes. + type: string + negate: + description: When `true`, the filter is negated and matches documents that do NOT satisfy the condition. Defaults to `false`. + type: boolean + type: + enum: + - condition + type: string + required: + - type + - condition + title: condition + type: object + Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeDSLFilterSchema: + additionalProperties: false + description: A filter expressed as a raw [Elasticsearch Query DSL](https://www.elastic.co/docs/reference/query-languages/querydsl) object, used for queries that cannot be represented by condition or group filters. + properties: + controlled_by: + description: Identifier of the panel that manages this filter. When set, the filter is treated as owned by that panel. + type: string + data_view_id: + description: Identifier of the data view used as context for this filter. + type: string + disabled: + description: When `true`, the filter is inactive and does not affect query results. Defaults to `false`. + type: boolean + dsl: + additionalProperties: + nullable: true + description: Elasticsearch Query DSL object passed directly to the query. + type: object + field: + description: Field name for scripted filters where the field cannot be extracted from the DSL query. + type: string + is_multi_index: + description: When `true`, the filter can be applied across multiple indices. Defaults to `false`. + type: boolean + label: + description: Human-readable label for the filter, used for display purposes. + type: string + negate: + description: When `true`, the filter is negated and matches documents that do NOT satisfy the condition. Defaults to `false`. + type: boolean + params: + description: Filter parameters metadata. 
May contain display values, formats, and parameters for scripted filters. + nullable: true + type: + enum: + - dsl + type: string + required: + - type + - dsl + - params + title: dsl + type: object + Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeGroupFilterSchema: + additionalProperties: false + description: A filter that combines multiple conditions or nested groups using a logical `and` or `or` operator. + properties: + controlled_by: + description: Identifier of the panel that manages this filter. When set, the filter is treated as owned by that panel. + type: string + data_view_id: + description: Identifier of the data view used as context for this filter. + type: string + disabled: + description: When `true`, the filter is inactive and does not affect query results. Defaults to `false`. + type: boolean + group: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_groupFilter' + is_multi_index: + description: When `true`, the filter can be applied across multiple indices. Defaults to `false`. + type: boolean + label: + description: Human-readable label for the filter, used for display purposes. + type: string + negate: + description: When `true`, the filter is negated and matches documents that do NOT satisfy the condition. Defaults to `false`. + type: boolean + type: + enum: + - group + type: string + required: + - type + - group + title: group + type: object + Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeSpatialFilterSchema: + additionalProperties: false + description: A filter that applies an Elasticsearch geo query, used for geographic boundary and shape matching. + properties: + controlled_by: + description: Identifier of the panel that manages this filter. When set, the filter is treated as owned by that panel. + type: string + data_view_id: + description: Identifier of the data view used as context for this filter. 
+ type: string + disabled: + description: When `true`, the filter is inactive and does not affect query results. Defaults to `false`. + type: boolean + dsl: + additionalProperties: + nullable: true + description: Elasticsearch geo query DSL object. + type: object + is_multi_index: + description: When `true`, the filter can be applied across multiple indices. Defaults to `false`. + type: boolean + label: + description: Human-readable label for the filter, used for display purposes. + type: string + negate: + description: When `true`, the filter is negated and matches documents that do NOT satisfy the condition. Defaults to `false`. + type: boolean + type: + enum: + - spatial + type: string + required: + - type + - dsl + title: spatial + type: object + Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_exists: + additionalProperties: false + description: Matches documents where `field` exists and contains a non-null value. + properties: + field: + description: Name of the document field the condition evaluates. + type: string + negate: + description: When `true`, the filter is negated and matches documents that do NOT satisfy the condition. Defaults to `false`. + type: boolean + operator: + enum: + - exists + type: string + required: + - field + - operator + title: exists + type: object + Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_is: + additionalProperties: false + description: Matches documents where `field` equals a single specified value. + properties: + field: + description: Name of the document field the condition evaluates. + type: string + negate: + description: When `true`, the filter is negated and matches documents that do NOT satisfy the condition. Defaults to `false`. + type: boolean + operator: + enum: + - is + type: string + value: + anyOf: + - title: value + type: string + - title: value + type: number + - title: value + type: boolean + description: Single value to compare against the field. 
+ required: + - field + - operator + - value + title: is + type: object + Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_is_one_of: + additionalProperties: false + description: Matches documents where `field` equals any value in a provided list. + properties: + field: + description: Name of the document field the condition evaluates. + type: string + negate: + description: When `true`, the filter is negated and matches documents that do NOT satisfy the condition. Defaults to `false`. + type: boolean + operator: + enum: + - is_one_of + type: string + value: + anyOf: + - items: + type: string + maxItems: 10000 + type: array + - items: + type: number + maxItems: 10000 + type: array + - items: + type: boolean + maxItems: 10000 + type: array + description: Homogeneous array of values to match against the field. + required: + - field + - operator + - value + title: is_one_of + type: object + Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_range: + additionalProperties: false + description: Matches documents where `field` falls within a specified numeric or date range. + properties: + field: + description: Name of the document field the condition evaluates. + type: string + negate: + description: When `true`, the filter is negated and matches documents that do NOT satisfy the condition. Defaults to `false`. + type: boolean + operator: + enum: + - range + type: string + value: + additionalProperties: false + description: Boundary values for a range comparison. + type: object + properties: + format: + description: Elasticsearch [date format](https://www.elastic.co/docs/reference/elasticsearch/mapping-reference/mapping-date-format) string applied when parsing date boundary values. For example, `strict_date_optional_time` or `epoch_millis`. + type: string + gt: + anyOf: + - type: number + - type: string + description: Greater than. + gte: + anyOf: + - type: number + - type: string + description: Greater than or equal to. 
+ lt: + anyOf: + - type: number + - type: string + description: Less than. + lte: + anyOf: + - type: number + - type: string + description: Less than or equal to. + required: + - field + - operator + - value + title: range + type: object + Kibana_HTTP_APIs_kbn-as-code-filters-schema_groupFilter: + additionalProperties: false + description: Logical group that combines one or more conditions or nested groups. + properties: + conditions: + description: Ordered list of conditions or nested groups combined by the group `operator`. + items: + anyOf: + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_is' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_is_one_of' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_range' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_exists' + description: A filter condition with strict operator/value type matching. + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_groupFilter' + type: array + operator: + description: Logical operator applied across all entries in `conditions`. Use `and` to require all conditions, or `or` to require at least one. + enum: + - and + - or + type: string + required: + - operator + - conditions + title: kbn-as-code-filters-schema_groupFilter + type: object + Kibana_HTTP_APIs_kbn-as-code-meta: + additionalProperties: false + properties: + created_at: + description: Timestamp when the object was created (ISO 8601). + type: string + created_by: + description: User profile ID of the user who created the object. + type: string + managed: + description: When `true`, the object is managed by Kibana and cannot be edited by users. + type: boolean + owner: + description: Identifier of the plugin or team that owns this object. + type: string + updated_at: + description: Timestamp when the object was last updated (ISO 8601). 
+ type: string + updated_by: + description: User profile ID of the user who last updated the object. + type: string + version: + description: Internal version identifier for optimistic concurrency control. + type: string + title: kbn-as-code-meta + type: object + Kibana_HTTP_APIs_kbn-as-code-query: + additionalProperties: false + description: A search query consisting of an expression and its language. Supports KQL and Lucene syntax. + properties: + expression: + description: A query expression in KQL or Lucene syntax. + type: string + language: + description: Query language. Use `kql` for Kibana Query Language (KQL) or `lucene` for Lucene query syntax. + enum: + - kql + - lucene + type: string + required: + - expression + - language + title: Query + type: object + Kibana_HTTP_APIs_kbn-composite-runtime-field-schema: + additionalProperties: false + properties: + fields: + additionalProperties: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-field-setting' + type: object + script: + description: The script that defines the runtime field. This should be a painless script that computes the field value at query time. Runtime fields without a script retrieve values from _source. If the field doesn't exist in _source, a search request returns no value. + minLength: 1 + title: Script + type: string + type: + enum: + - composite + type: string + required: + - type + - fields + title: Composite runtime field + type: object + Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema: + additionalProperties: false + properties: + id: + type: string + name: + type: string + type: + type: string + required: + - name + - type + - id + title: kbn-content-management-utils-referenceSchema + type: object + Kibana_HTTP_APIs_kbn-controls-schemas-controls-group-schema-esql-control: + additionalProperties: false + description: An ES|QL variable control whose selected value is injected into ES|QL visualizations using the `?variable_name` syntax. 
Options can come from a fixed list or an ES|QL query. Define the options source in `config`. + properties: + config: + discriminator: + mapping: + STATIC_VALUES: '#/components/schemas/Kibana_HTTP_APIs_kbn-controls-schemas-options-list-esql-control-schema-static-values' + VALUES_FROM_QUERY: '#/components/schemas/Kibana_HTTP_APIs_kbn-controls-schemas-options-list-esql-control-schema-values-from-query' + propertyName: control_type + oneOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-controls-schemas-options-list-esql-control-schema-static-values' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-controls-schemas-options-list-esql-control-schema-values-from-query' + grow: + default: false + description: When `true`, the control expands to fill any available horizontal space. Defaults to `false`. + type: boolean + id: + description: The unique ID of the control + type: string + type: + enum: + - esql_control + type: string + width: + default: medium + description: Minimum width of the control panel. + enum: + - small + - medium + - large + type: string + required: + - type + - config + title: esql_control + type: object + Kibana_HTTP_APIs_kbn-controls-schemas-controls-group-schema-options-list-control: + additionalProperties: false + description: A dropdown control that filters data by selecting field values from a data view. Define the data view, field, and selection settings in `config`. + properties: + config: + additionalProperties: false + type: object + properties: + data_view_id: + description: The ID of the data view that provides field options for this control. + minLength: 1 + type: string + display_settings: + additionalProperties: false + type: object + properties: + hide_action_bar: + description: When `true`, the search bar, sorting options, and select all toggle are hidden from the control. + type: boolean + hide_exclude: + description: When `true`, the exclude mode toggle is hidden from the control. 
+ type: boolean + hide_exists: + description: When `true`, the exists filter option is hidden from the control. + type: boolean + hide_sort: + description: When `true`, the sort selector is hidden from the control. + type: boolean + placeholder: + description: Placeholder text displayed in the control input when no option is selected. + type: string + exclude: + default: false + description: When `true`, the control filters to documents that do NOT match the selected options. Defaults to `false`. + type: boolean + exists_selected: + default: false + description: When `true`, the control filters to documents where the field exists, regardless of the field's value. Defaults to `false`. + type: boolean + field_name: + description: The name of the field in the data view that this control filters on. + minLength: 1 + type: string + ignore_validations: + default: false + description: When `true`, the control skips selection validation and does not report which selections are responsible for returning zero results. Defaults to `false`. + type: boolean + run_past_timeout: + default: false + description: When `true`, the options list query continues running even if it exceeds the configured timeout threshold. Defaults to `false`. + type: boolean + search_technique: + default: wildcard + description: The matching technique used when searching available options. `prefix` matches values starting with the search term, `wildcard` matches values containing the search term, and `exact` requires a complete match. Only applies to string and IP fields. Defaults to `wildcard`. + enum: + - prefix + - wildcard + - exact + type: string + selected_options: + default: [] + description: The list of currently selected option values. + items: + anyOf: + - type: string + - type: number + description: A selected option value. Accepts a string or a number. + maxItems: 10000 + type: array + single_select: + default: false + description: When `true`, only one option can be selected at a time. 
Selecting a new option deselects any previously selected option. Defaults to `false`. + type: boolean + sort: + additionalProperties: false + default: + by: _count + direction: desc + description: 'Defines how the available options are sorted in the control popover. Defaults to `{ by: "_count", direction: "desc" }`.' + type: object + properties: + by: + description: The field used to sort the available options list. `_count` sorts by document count and `_key` sorts alphabetically by option value. + enum: + - _count + - _key + type: string + direction: + description: The sort direction. `asc` sorts ascending and `desc` sorts descending. + enum: + - asc + - desc + type: string + required: + - by + - direction + title: + description: A human-readable title for the control. + type: string + use_global_filters: + default: true + description: When `true`, the control's available options are narrowed by the page's active filters. Defaults to `true`. + type: boolean + required: + - data_view_id + - field_name + grow: + default: false + description: When `true`, the control expands to fill any available horizontal space. Defaults to `false`. + type: boolean + id: + description: The unique ID of the control + type: string + type: + enum: + - options_list_control + type: string + width: + default: medium + description: Minimum width of the control panel. + enum: + - small + - medium + - large + type: string + required: + - type + - config + title: options_list_control + type: object + Kibana_HTTP_APIs_kbn-controls-schemas-controls-group-schema-range-slider-control: + additionalProperties: false + description: A slider control that filters data by selecting a numeric range for the configured field. Define the data view, field, and selection settings in `config`. + properties: + config: + additionalProperties: false + type: object + properties: + data_view_id: + description: The ID of the data view that provides field options for this control. 
+ minLength: 1 + type: string + field_name: + description: The name of the field in the data view that this control filters on. + minLength: 1 + type: string + ignore_validations: + default: false + description: When `true`, the control skips selection validation and does not report which selections are responsible for returning zero results. Defaults to `false`. + type: boolean + step: + default: 1 + description: The step size between selectable range values. + minimum: 0 + type: number + title: + description: A human-readable title for the control. + type: string + use_global_filters: + default: true + description: When `true`, the control's available options are narrowed by the page's active filters. Defaults to `true`. + type: boolean + value: + description: The selected range as a two-element array of strings representing the lower and upper bound values, for example `["10", "50"]`. + items: + type: string + maxItems: 2 + minItems: 2 + type: array + required: + - data_view_id + - field_name + grow: + default: false + description: When `true`, the control expands to fill any available horizontal space. Defaults to `false`. + type: boolean + id: + description: The unique ID of the control + type: string + type: + enum: + - range_slider_control + type: string + width: + default: medium + description: Minimum width of the control panel. + enum: + - small + - medium + - large + type: string + required: + - type + - config + title: range_slider_control + type: object + Kibana_HTTP_APIs_kbn-controls-schemas-controls-group-schema-time-slider-control: + additionalProperties: false + description: A control panel that filters a time field to a selected sub-range of the global time range. Define the start and end positions in `config` as fractions of the global range (0 to 1). 
+ properties: + config: + additionalProperties: false + type: object + properties: + end_percentage_of_time_range: + default: 1 + description: The end of the selected time window expressed as a fraction of the global time range, where `0` is the beginning and `1` is the end of the range. + maximum: 1 + minimum: 0 + type: number + is_anchored: + default: false + description: When `true`, the start of the time window is fixed at the beginning of the global time range. Only the end of the window can be adjusted. Defaults to `false`. + type: boolean + start_percentage_of_time_range: + default: 0 + description: The start of the selected time window expressed as a fraction of the global time range, where `0` is the beginning and `1` is the end of the range. + maximum: 1 + minimum: 0 + type: number + grow: + default: false + description: When `true`, the control expands to fill any available horizontal space. Defaults to `false`. + type: boolean + id: + description: The unique ID of the control + type: string + type: + enum: + - time_slider_control + type: string + width: + default: medium + description: Minimum width of the control panel. + enum: + - small + - medium + - large + type: string + required: + - type + - config + title: time_slider_control + type: object + Kibana_HTTP_APIs_kbn-controls-schemas-options-list-esql-control-schema-static-values: + additionalProperties: false + description: An ES|QL variable control with a fixed list of selectable options defined directly in `available_options`. + properties: + available_options: + description: A fixed list of option strings displayed in the control. + items: + type: string + maxItems: 1000 + type: array + control_type: + enum: + - STATIC_VALUES + type: string + display_settings: + additionalProperties: false + type: object + properties: + hide_action_bar: + description: When `true`, the search bar, sorting options, and select all toggle are hidden from the control. 
+ type: boolean + hide_exclude: + description: When `true`, the exclude mode toggle is hidden from the control. + type: boolean + hide_exists: + description: When `true`, the exists filter option is hidden from the control. + type: boolean + hide_sort: + description: When `true`, the sort selector is hidden from the control. + type: boolean + placeholder: + description: Placeholder text displayed in the control input when no option is selected. + type: string + selected_options: + description: The list of currently selected option values. + items: + type: string + maxItems: 10000 + type: array + single_select: + default: true + description: When `true`, only one option can be selected at a time. Selecting a new option deselects any previously selected option. Defaults to `true`. + type: boolean + title: + description: A human-readable title for the control. + type: string + variable_name: + description: The name of the ES|QL variable that this control populates. The variable is referenced in ES|QL queries using the `?variable_name` syntax. + type: string + variable_type: + description: The ES|QL variable type that determines how the selected value is substituted into the query. Accepts `fields`, `values`, `functions`, `time_literal`, or `multi_values`. + enum: + - fields + - values + - functions + - time_literal + - multi_values + type: string + required: + - selected_options + - variable_name + - variable_type + - control_type + - available_options + title: STATIC_VALUES + type: object + Kibana_HTTP_APIs_kbn-controls-schemas-options-list-esql-control-schema-values-from-query: + additionalProperties: false + description: An ES|QL variable control whose selectable options are dynamically retrieved by running an ES|QL query. 
+ properties: + control_type: + enum: + - VALUES_FROM_QUERY + type: string + display_settings: + additionalProperties: false + type: object + properties: + hide_action_bar: + description: When `true`, the search bar, sorting options, and select all toggle are hidden from the control. + type: boolean + hide_exclude: + description: When `true`, the exclude mode toggle is hidden from the control. + type: boolean + hide_exists: + description: When `true`, the exists filter option is hidden from the control. + type: boolean + hide_sort: + description: When `true`, the sort selector is hidden from the control. + type: boolean + placeholder: + description: Placeholder text displayed in the control input when no option is selected. + type: string + esql_query: + description: An ES|QL query whose results populate the list of available options in the control popover. + type: string + selected_options: + description: The list of currently selected option values. + items: + type: string + maxItems: 10000 + type: array + single_select: + default: true + description: When `true`, only one option can be selected at a time. Selecting a new option deselects any previously selected option. Defaults to `true`. + type: boolean + title: + description: A human-readable title for the control. + type: string + variable_name: + description: The name of the ES|QL variable that this control populates. The variable is referenced in ES|QL queries using the `?variable_name` syntax. + type: string + variable_type: + description: The ES|QL variable type that determines how the selected value is substituted into the query. Accepts `fields`, `values`, `functions`, `time_literal`, or `multi_values`. 
+ enum: + - fields + - values + - functions + - time_literal + - multi_values + type: string + required: + - selected_options + - variable_name + - variable_type + - control_type + - esql_query + title: VALUES_FROM_QUERY + type: object + Kibana_HTTP_APIs_kbn-dashboard-access-control: + additionalProperties: false + description: Access control settings for the dashboard. + properties: + access_mode: + description: Controls edit access to the dashboard. Set to `write_restricted` to prevent edits by users without explicit write permission. Defaults to `default` (all viewers can edit). + enum: + - write_restricted + - default + type: string + title: Access control + type: object + Kibana_HTTP_APIs_kbn-dashboard-data: + additionalProperties: false + properties: + access_control: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-access-control' + description: + description: A short description of the dashboard. + type: string + filters: + description: Filters applied across all panels, including pinned panels. + items: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeConditionFilterSchema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeGroupFilterSchema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeDSLFilterSchema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeSpatialFilterSchema' + description: A filter applied to query results. Can be a field condition (`condition`), a logical group of conditions (`group`), a raw Elasticsearch DSL query (`dsl`), or a geo spatial query (`spatial`). + maxItems: 500 + type: array + options: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-options' + panels: + default: [] + description: Panels and sections in the dashboard. Each entry is either a panel (with a `type` and `config`) or a collapsible section (with a `title`, `collapsed` state, and nested `panels`). 
+ items: + anyOf: + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-apm_service_map' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-aiops_change_point_chart' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-discover_session' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-esql_control' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-image' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-links' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-markdown' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-options_list_control' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-range_slider_control' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_alerts' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_burn_rate' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_error_budget' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_overview' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-synthetics_monitors' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-synthetics_stats_overview' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-time_slider_control' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-vis' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-section' + maxItems: 100 + type: array + pinned_panels: + default: [] + description: An array of control panels and their state in the control group. 
+ items: + discriminator: + mapping: + esql_control: '#/components/schemas/Kibana_HTTP_APIs_kbn-controls-schemas-controls-group-schema-esql-control' + options_list_control: '#/components/schemas/Kibana_HTTP_APIs_kbn-controls-schemas-controls-group-schema-options-list-control' + range_slider_control: '#/components/schemas/Kibana_HTTP_APIs_kbn-controls-schemas-controls-group-schema-range-slider-control' + time_slider_control: '#/components/schemas/Kibana_HTTP_APIs_kbn-controls-schemas-controls-group-schema-time-slider-control' + propertyName: type + oneOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-controls-schemas-controls-group-schema-esql-control' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-controls-schemas-controls-group-schema-options-list-control' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-controls-schemas-controls-group-schema-range-slider-control' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-controls-schemas-controls-group-schema-time-slider-control' + maxItems: 100 + type: array + project_routing: + description: Controls [cross-project search](https://www.elastic.co/docs/explore-analyze/cross-project-search/cross-project-search-project-routing) behavior for this dashboard (Serverless only). Set to `_alias:_origin` to scope data to the current project, or `_alias:*` to search across all projects. When omitted, the space default applies. + type: string + query: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-query' + refresh_interval: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-service-server-refreshIntervalSchema' + tags: + description: Tag IDs to associate with this dashboard. + items: + type: string + maxItems: 100 + type: array + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + description: A human-readable title for the dashboard. 
+ minLength: 1 + type: string + required: + - title + title: kbn-dashboard-data + type: object + Kibana_HTTP_APIs_kbn-dashboard-dropped-panel-warning: + additionalProperties: false + description: A panel that was excluded from the response because its type is not supported by the API. + properties: + message: + description: Human-readable explanation of why the panel was dropped. + type: string + panel_config: + additionalProperties: true + description: The original configuration of the dropped panel. + type: object + properties: {} + panel_references: + description: Saved object references used by the dropped panel. + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + maxItems: 100 + type: array + panel_type: + description: The type identifier of the dropped panel. + type: string + type: + enum: + - dropped_panel + type: string + required: + - type + - message + - panel_type + - panel_config + title: Dropped panel + type: object + Kibana_HTTP_APIs_kbn-dashboard-options: + additionalProperties: false + default: + auto_apply_filters: true + hide_panel_borders: false + hide_panel_titles: false + sync_colors: false + sync_cursor: true + sync_tooltips: false + use_margins: true + description: Display and behavior settings for the dashboard. + properties: + auto_apply_filters: + default: true + description: When `true`, control filter changes are applied automatically. When `false`, control filter changes are applied manually through the dashboard's search update button. Defaults to `true`. + type: boolean + hide_panel_borders: + default: false + description: When `true`, panel borders are hidden. Defaults to `false`. + type: boolean + hide_panel_titles: + default: false + description: When `true`, panel titles are hidden. Defaults to `false`. + type: boolean + sync_colors: + default: false + description: When `true`, colors are synchronized across panels that share a data source. Defaults to `false`. 
+ type: boolean + sync_cursor: + default: true + description: When `true`, the cursor position is synchronized across panels. Defaults to `true`. + type: boolean + sync_tooltips: + default: false + description: When `true`, tooltips are synchronized across panels. Defaults to `false`. + type: boolean + use_margins: + default: true + description: When `true`, panels are separated by a margin. Defaults to `true`. + type: boolean + title: Options + type: object + Kibana_HTTP_APIs_kbn-dashboard-panel-grid: + additionalProperties: false + description: The position and size of the panel on the dashboard grid. + properties: + h: + default: 15 + description: The height of the panel in grid units. Minimum `1`. Defaults to `15`. + minimum: 1 + type: number + w: + default: 24 + description: The width of the panel in grid units. Minimum `1`, maximum `48`. Defaults to `24`. + maximum: 48 + minimum: 1 + type: number + x: + description: The x coordinate of the panel in grid units. + type: number + 'y': + description: The y coordinate of the panel in grid units. + type: number + required: + - x + - 'y' + title: Panel grid + type: object + Kibana_HTTP_APIs_kbn-dashboard-panel-type-aiops_change_point_chart: + additionalProperties: false + properties: + config: + $ref: '#/components/schemas/Kibana_HTTP_APIs_aiops_change_point_chart' + grid: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' + id: + description: The unique ID of the panel. + type: string + type: + enum: + - aiops_change_point_chart + type: string + required: + - grid + - type + - config + title: Change point detection chart + type: object + Kibana_HTTP_APIs_kbn-dashboard-panel-type-apm_service_map: + additionalProperties: false + properties: + config: + $ref: '#/components/schemas/Kibana_HTTP_APIs_apm-service-map-embeddable' + grid: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' + id: + description: The unique ID of the panel. 
+ type: string + type: + enum: + - apm_service_map + type: string + required: + - grid + - type + - config + title: APM Service map + type: object + Kibana_HTTP_APIs_kbn-dashboard-panel-type-discover_session: + additionalProperties: false + properties: + config: + anyOf: + - additionalProperties: false + description: Panel configuration stored inline + properties: + description: + type: string + drilldowns: + items: + additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_open_panel_menu + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + hide_border: + type: boolean + hide_title: + type: boolean + tabs: + description: Inline tab configuration. Used when no `ref_id` is set. Currently supports one tab. + items: + anyOf: + - additionalProperties: false + type: object + properties: + column_order: + description: Ordered list of field names to display in the data table. If omitted, defaults to the advanced setting "defaultColumns" or the referenced saved object. + items: + description: Field name of a column in display order. + type: string + maxItems: 100 + type: array + column_settings: + additionalProperties: + additionalProperties: false + type: object + properties: + width: + description: Optional width of the column in pixels. + minimum: 0 + type: number + description: Per-column presentation settings keyed by field name (e.g. widths). Keys should correspond to entries in `column_order` when both are set. 
+ type: object + data_source: + discriminator: + mapping: + data_view_reference: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' + data_view_spec: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' + propertyName: type + oneOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' + density: + description: Data grid density. Choose "compact", "expanded", or "normal" for row spacing. If omitted, defaults to Discover or embeddable defaults (e.g. user preference / local storage). + enum: + - compact + - expanded + - normal + type: string + filters: + default: [] + description: List of filters to apply to the data in the tab. + items: + description: A filter applied to query results. Can be a field condition (`condition`), a logical group of conditions (`group`), a raw Elasticsearch DSL query (`dsl`), or a geo spatial query (`spatial`). + discriminator: + mapping: + condition: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeConditionFilterSchema' + dsl: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeDSLFilterSchema' + group: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeGroupFilterSchema' + spatial: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeSpatialFilterSchema' + propertyName: type + oneOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeConditionFilterSchema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeGroupFilterSchema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeDSLFilterSchema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeSpatialFilterSchema' + maxItems: 100 + type: array + header_row_height: + anyOf: + - maximum: 5 + minimum: 1 + type: number + - enum: + - auto + type: string + 
description: Header row height. Use a number (1–5) or "auto" to size based on content. If omitted, defaults to Discover or embeddable defaults (e.g. user preference / local storage). + query: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-query' + row_height: + anyOf: + - maximum: 20 + minimum: 1 + type: number + - enum: + - auto + type: string + description: Data row height. Use a number (1–20) or "auto" to size based on content. If omitted, defaults to the advanced setting "discover:rowHeightOption". + rows_per_page: + description: The number of rows to display per page in the data table. If omitted, defaults to the advanced setting "discover:sampleRowsPerPage". + maximum: 10000 + minimum: 1 + type: number + sample_size: + description: The number of documents to sample for the data table. If omitted, defaults to the advanced setting "discover:sampleSize". + maximum: 10000 + minimum: 10 + type: number + sort: + default: [] + description: Sort configuration for the data table (field and direction). + items: + additionalProperties: false + type: object + properties: + direction: + description: 'The direction to sort the field by: Use "asc" for ascending or "desc" for descending.' + enum: + - asc + - desc + type: string + name: + description: The name of the field to sort by. + type: string + required: + - name + - direction + maxItems: 100 + type: array + view_mode: + default: documents + description: Discover view mode. Choose "documents" (search hits), "patterns" (pattern analysis), or "aggregated" (field statistics). + enum: + - documents + - patterns + - aggregated + type: string + required: + - data_source + - additionalProperties: false + type: object + properties: + column_order: + description: Ordered list of field names to display in the data table. If omitted, defaults to the advanced setting "defaultColumns" or the referenced saved object. + items: + description: Field name of a column in display order. 
+ type: string + maxItems: 100 + type: array + column_settings: + additionalProperties: + additionalProperties: false + type: object + properties: + width: + description: Optional width of the column in pixels. + minimum: 0 + type: number + description: Per-column presentation settings keyed by field name (e.g. widths). Keys should correspond to entries in `column_order` when both are set. + type: object + data_source: + $ref: '#/components/schemas/Kibana_HTTP_APIs_esqlDataSource' + density: + description: Data grid density. Choose "compact", "expanded", or "normal" for row spacing. If omitted, defaults to Discover or embeddable defaults (e.g. user preference / local storage). + enum: + - compact + - expanded + - normal + type: string + header_row_height: + anyOf: + - maximum: 5 + minimum: 1 + type: number + - enum: + - auto + type: string + description: Header row height. Use a number (1–5) or "auto" to size based on content. If omitted, defaults to Discover or embeddable defaults (e.g. user preference / local storage). + row_height: + anyOf: + - maximum: 20 + minimum: 1 + type: number + - enum: + - auto + type: string + description: Data row height. Use a number (1–20) or "auto" to size based on content. If omitted, defaults to the advanced setting "discover:rowHeightOption". + sort: + default: [] + description: Sort configuration for the data table (field and direction). + items: + additionalProperties: false + type: object + properties: + direction: + description: 'The direction to sort the field by: Use "asc" for ascending or "desc" for descending.' + enum: + - asc + - desc + type: string + name: + description: The name of the field to sort by. 
+ type: string + required: + - name + - direction + maxItems: 100 + type: array + required: + - data_source + maxItems: 1 + minItems: 1 + type: array + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + required: + - tabs + title: By value + type: object + - additionalProperties: false + description: Panel configuration stored in a linked library item + properties: + description: + type: string + drilldowns: + items: + additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_open_panel_menu + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + hide_border: + type: boolean + hide_title: + type: boolean + overrides: + additionalProperties: false + default: {} + type: object + properties: + column_order: + description: When set, overrides column order for the data table relative to the referenced saved object (`ref_id`) or the inline tab in `tabs`. If omitted, the source configuration is used. + items: + description: Field name of a column in display order. + type: string + maxItems: 100 + type: array + column_settings: + additionalProperties: + additionalProperties: false + type: object + properties: + width: + description: Optional width of the column in pixels. + minimum: 0 + type: number + description: Per-column presentation overrides (e.g. widths) keyed by field name. When set, merges with the source configuration for the referenced session or inline tab. 
+ type: object + density: + description: 'Data grid row spacing: `compact`, `expanded`, or `normal`. When set, overrides the referenced saved object or the inline tab config in `tabs`. If omitted, the source configuration is used.' + enum: + - compact + - expanded + - normal + type: string + header_row_height: + anyOf: + - maximum: 5 + minimum: 1 + type: number + - enum: + - auto + type: string + description: 'Header row height: number (1–5) or `auto`. When set, overrides the referenced saved object or the inline tab config in `tabs`. If omitted, the source configuration is used.' + row_height: + anyOf: + - maximum: 20 + minimum: 1 + type: number + - enum: + - auto + type: string + description: 'Data row height: number (1–20) or `auto`. When set, overrides the referenced saved object or the inline tab config in `tabs`. If omitted, falls back to the source or to the advanced setting "discover:rowHeightOption".' + rows_per_page: + description: Number of rows per page. When set, overrides the referenced saved object or the inline tab config in `tabs`. If omitted, falls back to the source or to the advanced setting "discover:sampleRowsPerPage". + maximum: 10000 + minimum: 1 + type: number + sample_size: + description: Number of documents to sample. When set, overrides the referenced saved object or the inline tab config in `tabs`. If omitted, falls back to the source or to the advanced setting "discover:sampleSize". + maximum: 10000 + minimum: 10 + type: number + sort: + description: Sort configuration (field and direction) for the data table. When set, overrides the referenced saved object or the inline tab config in `tabs`. If omitted, the source configuration is used. + items: + additionalProperties: false + type: object + properties: + direction: + description: 'The direction to sort the field by: Use "asc" for ascending or "desc" for descending.' + enum: + - asc + - desc + type: string + name: + description: The name of the field to sort by. 
+ type: string + required: + - name + - direction + maxItems: 100 + type: array + ref_id: + type: string + selected_tab_id: + description: Tab to select from the referenced saved object. If omitted, defaults to the first tab. + type: string + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + required: + - ref_id + title: By reference + type: object + grid: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' + id: + description: The unique ID of the panel. + type: string + type: + enum: + - discover_session + type: string + required: + - grid + - type + - config + title: Discover session + type: object + Kibana_HTTP_APIs_kbn-dashboard-panel-type-esql_control: + additionalProperties: false + properties: + config: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-controls-schemas-options-list-esql-control-schema-static-values' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-controls-schemas-options-list-esql-control-schema-values-from-query' + grid: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' + id: + description: The unique ID of the panel. + type: string + type: + enum: + - esql_control + type: string + required: + - grid + - type + - config + title: ES|QL variable control + type: object + Kibana_HTTP_APIs_kbn-dashboard-panel-type-image: + additionalProperties: false + properties: + config: + additionalProperties: false + description: Image embeddable schema + type: object + properties: + description: + type: string + drilldowns: + items: + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. 
+ type: boolean + trigger: + enum: + - on_click_image + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. + type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_image + - on_open_panel_menu + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + hide_border: + type: boolean + hide_title: + type: boolean + image_config: + additionalProperties: false + type: object + properties: + alt_text: + type: string + background_color: + type: string + object_fit: + default: contain + description: How the image should be sized within its container + enum: + - fill + - contain + - cover + - none + type: string + src: + anyOf: + - additionalProperties: false + properties: + file_id: + type: string + type: + enum: + - file + type: string + required: + - type + - file_id + title: file + type: object + - additionalProperties: false + properties: + type: + enum: + - url + type: string + url: + description: URL of the image + type: string + required: + - type + - url + title: url + type: object + description: Image source + required: + - src + title: + type: string + required: + - image_config + grid: + $ref: 
'#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' + id: + description: The unique ID of the panel. + type: string + type: + enum: + - image + type: string + required: + - grid + - type + - config + title: Image + type: object + Kibana_HTTP_APIs_kbn-dashboard-panel-type-links: + additionalProperties: false + properties: + config: + anyOf: + - additionalProperties: false + description: Panel configuration stored inline + properties: + description: + type: string + hide_border: + type: boolean + hide_title: + type: boolean + layout: + description: Denote whether to display the links in a horizontal or vertical layout + enum: + - horizontal + - vertical + type: string + links: + description: The list of links to display + items: + discriminator: + mapping: + dashboardLink: '#/components/schemas/Kibana_HTTP_APIs_kbn-link-panel-type-dashboardLink' + externalLink: '#/components/schemas/Kibana_HTTP_APIs_kbn-link-type-externalLink' + propertyName: type + oneOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-link-panel-type-dashboardLink' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-link-type-externalLink' + maxItems: 100 + type: array + title: + type: string + required: + - links + title: By value + type: object + - additionalProperties: false + description: Panel configuration stored in a linked library item + properties: + description: + type: string + hide_border: + type: boolean + hide_title: + type: boolean + ref_id: + description: The unique identifier of the Links library item + title: Reference ID + type: string + title: + type: string + required: + - ref_id + title: By reference + type: object + description: Links embeddable schema + grid: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' + id: + description: The unique ID of the panel. 
+ type: string + type: + enum: + - links + type: string + required: + - grid + - type + - config + title: Links + type: object + Kibana_HTTP_APIs_kbn-dashboard-panel-type-markdown: + additionalProperties: false + properties: + config: + anyOf: + - additionalProperties: false + description: Panel configuration stored inline + properties: + content: + type: string + description: + type: string + hide_border: + type: boolean + hide_title: + type: boolean + settings: + additionalProperties: false + type: object + properties: + open_links_in_new_tab: + default: true + type: boolean + title: + type: string + required: + - content + - settings + title: By value + type: object + - additionalProperties: false + description: Panel configuration stored in a linked library item + properties: + description: + type: string + hide_border: + type: boolean + hide_title: + type: boolean + ref_id: + description: The unique identifier of the markdown library item. + type: string + title: + type: string + required: + - ref_id + title: By reference + type: object + description: Markdown panel config + grid: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' + id: + description: The unique ID of the panel. + type: string + type: + enum: + - markdown + type: string + required: + - grid + - type + - config + title: Markdown + type: object + Kibana_HTTP_APIs_kbn-dashboard-panel-type-options_list_control: + additionalProperties: false + properties: + config: + additionalProperties: false + type: object + properties: + data_view_id: + description: The ID of the data view that provides field options for this control. + minLength: 1 + type: string + display_settings: + additionalProperties: false + type: object + properties: + hide_action_bar: + description: When `true`, the search bar, sorting options, and select all toggle are hidden from the control. + type: boolean + hide_exclude: + description: When `true`, the exclude mode toggle is hidden from the control. 
+ type: boolean + hide_exists: + description: When `true`, the exists filter option is hidden from the control. + type: boolean + hide_sort: + description: When `true`, the sort selector is hidden from the control. + type: boolean + placeholder: + description: Placeholder text displayed in the control input when no option is selected. + type: string + exclude: + default: false + description: When `true`, the control filters to documents that do NOT match the selected options. Defaults to `false`. + type: boolean + exists_selected: + default: false + description: When `true`, the control filters to documents where the field exists, regardless of the field's value. Defaults to `false`. + type: boolean + field_name: + description: The name of the field in the data view that this control filters on. + minLength: 1 + type: string + ignore_validations: + default: false + description: When `true`, the control skips selection validation and does not report which selections are responsible for returning zero results. Defaults to `false`. + type: boolean + run_past_timeout: + default: false + description: When `true`, the options list query continues running even if it exceeds the configured timeout threshold. Defaults to `false`. + type: boolean + search_technique: + default: wildcard + description: The matching technique used when searching available options. `prefix` matches values starting with the search term, `wildcard` matches values containing the search term, and `exact` requires a complete match. Only applies to string and IP fields. Defaults to `wildcard`. + enum: + - prefix + - wildcard + - exact + type: string + selected_options: + default: [] + description: The list of currently selected option values. + items: + anyOf: + - type: string + - type: number + description: A selected option value. Accepts a string or a number. + maxItems: 10000 + type: array + single_select: + default: false + description: When `true`, only one option can be selected at a time. 
Selecting a new option deselects any previously selected option. Defaults to `false`. + type: boolean + sort: + additionalProperties: false + default: + by: _count + direction: desc + description: 'Defines how the available options are sorted in the control popover. Defaults to `{ by: "_count", direction: "desc" }`.' + type: object + properties: + by: + description: The field used to sort the available options list. `_count` sorts by document count and `_key` sorts alphabetically by option value. + enum: + - _count + - _key + type: string + direction: + description: The sort direction. `asc` sorts ascending and `desc` sorts descending. + enum: + - asc + - desc + type: string + required: + - by + - direction + title: + description: A human-readable title for the control. + type: string + use_global_filters: + default: true + description: When `true`, the control's available options are narrowed by the page's active filters. Defaults to `true`. + type: boolean + required: + - data_view_id + - field_name + grid: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' + id: + description: The unique ID of the panel. + type: string + type: + enum: + - options_list_control + type: string + required: + - grid + - type + - config + title: Options list control + type: object + Kibana_HTTP_APIs_kbn-dashboard-panel-type-range_slider_control: + additionalProperties: false + properties: + config: + additionalProperties: false + type: object + properties: + data_view_id: + description: The ID of the data view that provides field options for this control. + minLength: 1 + type: string + field_name: + description: The name of the field in the data view that this control filters on. + minLength: 1 + type: string + ignore_validations: + default: false + description: When `true`, the control skips selection validation and does not report which selections are responsible for returning zero results. Defaults to `false`. 
+ type: boolean + step: + default: 1 + description: The step size between selectable range values. + minimum: 0 + type: number + title: + description: A human-readable title for the control. + type: string + use_global_filters: + default: true + description: When `true`, the control's available options are narrowed by the page's active filters. Defaults to `true`. + type: boolean + value: + description: The selected range as a two-element array of strings representing the lower and upper bound values, for example `["10", "50"]`. + items: + type: string + maxItems: 2 + minItems: 2 + type: array + required: + - data_view_id + - field_name + grid: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' + id: + description: The unique ID of the panel. + type: string + type: + enum: + - range_slider_control + type: string + required: + - grid + - type + - config + title: Range slider control + type: object + Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_alerts: + additionalProperties: false + properties: + config: + $ref: '#/components/schemas/Kibana_HTTP_APIs_slo-alerts-embeddable' + grid: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' + id: + description: The unique ID of the panel. + type: string + type: + enum: + - slo_alerts + type: string + required: + - grid + - type + - config + title: SLO alerts + type: object + Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_burn_rate: + additionalProperties: false + properties: + config: + $ref: '#/components/schemas/Kibana_HTTP_APIs_slo-burn-rate-embeddable' + grid: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' + id: + description: The unique ID of the panel. 
+ type: string + type: + enum: + - slo_burn_rate + type: string + required: + - grid + - type + - config + title: SLO burn rate + type: object + Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_error_budget: + additionalProperties: false + properties: + config: + $ref: '#/components/schemas/Kibana_HTTP_APIs_slo-error-budget-embeddable' + grid: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' + id: + description: The unique ID of the panel. + type: string + type: + enum: + - slo_error_budget + type: string + required: + - grid + - type + - config + title: SLO error budget + type: object + Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_overview: + additionalProperties: false + properties: + config: + description: SLO Overview embeddable schema + discriminator: + mapping: + groups: '#/components/schemas/Kibana_HTTP_APIs_slo-group-overview-embeddable' + single: '#/components/schemas/Kibana_HTTP_APIs_slo-single-overview-embeddable' + propertyName: overview_mode + oneOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_slo-single-overview-embeddable' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_slo-group-overview-embeddable' + grid: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' + id: + description: The unique ID of the panel. 
+ type: string + type: + enum: + - slo_overview + type: string + required: + - grid + - type + - config + title: SLO overview + type: object + Kibana_HTTP_APIs_kbn-dashboard-panel-type-synthetics_monitors: + additionalProperties: false + properties: + config: + additionalProperties: false + description: Synthetics monitors embeddable schema + type: object + properties: + description: + type: string + filters: + additionalProperties: false + type: object + properties: + locations: + description: Filter by monitor locations + items: + additionalProperties: false + type: object + properties: + label: + description: Display label for the filter option + type: string + value: + description: Value for the filter option + type: string + required: + - label + - value + maxItems: 100 + type: array + monitor_ids: + description: Filter by monitor IDs + items: + additionalProperties: false + type: object + properties: + label: + description: Display label for the filter option + type: string + value: + description: Value for the filter option + type: string + required: + - label + - value + maxItems: 5000 + type: array + monitor_types: + description: Filter by monitor types + items: + additionalProperties: false + type: object + properties: + label: + description: Display label for the filter option + type: string + value: + description: Value for the filter option + type: string + required: + - label + - value + maxItems: 10 + type: array + projects: + description: Filter by project + items: + additionalProperties: false + type: object + properties: + label: + description: Display label for the filter option + type: string + value: + description: Value for the filter option + type: string + required: + - label + - value + maxItems: 100 + type: array + tags: + description: Filter by tags + items: + additionalProperties: false + type: object + properties: + label: + description: Display label for the filter option + type: string + value: + description: Value for the filter 
option + type: string + required: + - label + - value + maxItems: 100 + type: array + hide_border: + type: boolean + hide_title: + type: boolean + title: + type: string + view: + description: View mode for the monitors embeddable (defaults to cardView) + enum: + - cardView + - compactView + type: string + grid: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' + id: + description: The unique ID of the panel. + type: string + type: + enum: + - synthetics_monitors + type: string + required: + - grid + - type + - config + title: Synthetics monitors + type: object + Kibana_HTTP_APIs_kbn-dashboard-panel-type-synthetics_stats_overview: + additionalProperties: false + properties: + config: + additionalProperties: false + description: Synthetics stats overview embeddable schema + type: object + properties: + description: + type: string + drilldowns: + items: + additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_open_panel_menu + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. 
Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + additionalProperties: false + type: object + properties: + locations: + description: Filter by monitor locations + items: + additionalProperties: false + type: object + properties: + label: + description: Display label for the filter option + type: string + value: + description: Value for the filter option + type: string + required: + - label + - value + maxItems: 100 + type: array + monitor_ids: + description: Filter by monitor IDs + items: + additionalProperties: false + type: object + properties: + label: + description: Display label for the filter option + type: string + value: + description: Value for the filter option + type: string + required: + - label + - value + maxItems: 5000 + type: array + monitor_types: + description: Filter by monitor types + items: + additionalProperties: false + type: object + properties: + label: + description: Display label for the filter option + type: string + value: + description: Value for the filter option + type: string + required: + - label + - value + maxItems: 10 + type: array + projects: + description: Filter by project + items: + additionalProperties: false + type: object + properties: + label: + description: Display label for the filter option + type: string + value: + description: Value for the filter option + type: string + required: + - label + - value + maxItems: 100 + type: array + tags: + description: Filter by tags + items: + additionalProperties: false + type: object + properties: + label: + description: Display label for the filter option + type: string + value: + description: Value for the filter option + type: string + required: + - label + - value + maxItems: 100 + type: array + hide_border: + type: boolean + hide_title: + type: boolean + title: + 
type: string + grid: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' + id: + description: The unique ID of the panel. + type: string + type: + enum: + - synthetics_stats_overview + type: string + required: + - grid + - type + - config + title: Synthetics stats overview + type: object + Kibana_HTTP_APIs_kbn-dashboard-panel-type-time_slider_control: + additionalProperties: false + properties: + config: + additionalProperties: false + type: object + properties: + end_percentage_of_time_range: + default: 1 + description: The end of the selected time window expressed as a fraction of the global time range, where `0` is the beginning and `1` is the end of the range. + maximum: 1 + minimum: 0 + type: number + is_anchored: + default: false + description: When `true`, the start of the time window is fixed at the beginning of the global time range. Only the end of the window can be adjusted. Defaults to `false`. + type: boolean + start_percentage_of_time_range: + default: 0 + description: The start of the selected time window expressed as a fraction of the global time range, where `0` is the beginning and `1` is the end of the range. + maximum: 1 + minimum: 0 + type: number + grid: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' + id: + description: The unique ID of the panel. 
+ type: string + type: + enum: + - time_slider_control + type: string + required: + - grid + - type + - config + title: Time slider control + type: object + Kibana_HTTP_APIs_kbn-dashboard-panel-type-vis: + additionalProperties: false + properties: + config: + anyOf: + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyMetricNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyChartNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyChartESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_regionMapNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_regionMapESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleESQL' + description: Panel configuration stored inline + title: By value + - additionalProperties: false + description: Panel configuration stored in a linked library item + properties: + description: + type: string + drilldowns: + items: + anyOf: + - additionalProperties: false 
+ default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. + type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. 
Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + hide_border: + type: boolean + hide_title: + type: boolean + ref_id: + type: string + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + required: + - ref_id + title: By reference + type: object + description: Lens embeddable schema + grid: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' + id: + description: The unique ID of the panel. + type: string + type: + enum: + - vis + type: string + required: + - grid + - type + - config + title: Visualization + type: object + Kibana_HTTP_APIs_kbn-dashboard-section: + additionalProperties: false + description: A collapsible group of panels. + properties: + collapsed: + default: false + description: When `true`, the section is collapsed and its panels are not rendered until expanded. Useful for improving initial load time on large dashboards. Defaults to `false`. + type: boolean + grid: + additionalProperties: false + type: object + properties: + 'y': + description: The y coordinate of the section in grid units. + type: number + required: + - 'y' + id: + description: The unique ID of the section. + type: string + panels: + default: [] + description: The panels that belong to the section. 
+ items: + discriminator: + mapping: + aiops_change_point_chart: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-aiops_change_point_chart' + apm_service_map: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-apm_service_map' + discover_session: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-discover_session' + esql_control: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-esql_control' + image: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-image' + links: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-links' + markdown: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-markdown' + options_list_control: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-options_list_control' + range_slider_control: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-range_slider_control' + slo_alerts: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_alerts' + slo_burn_rate: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_burn_rate' + slo_error_budget: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_error_budget' + slo_overview: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_overview' + synthetics_monitors: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-synthetics_monitors' + synthetics_stats_overview: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-synthetics_stats_overview' + time_slider_control: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-time_slider_control' + vis: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-vis' + propertyName: type + oneOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-apm_service_map' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-aiops_change_point_chart' + - $ref: 
'#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-discover_session' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-esql_control' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-image' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-links' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-markdown' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-options_list_control' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-range_slider_control' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_alerts' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_burn_rate' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_error_budget' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_overview' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-synthetics_monitors' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-synthetics_stats_overview' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-time_slider_control' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-vis' + maxItems: 100 + type: array + title: + description: The title of the section. + type: string + required: + - title + - grid + title: Section + type: object + Kibana_HTTP_APIs_kbn-data-service-server-refreshIntervalSchema: + additionalProperties: false + description: Specifies the auto-refresh interval for the object. + properties: + pause: + description: When `true`, auto-refresh is paused. + type: boolean + value: + description: The refresh interval in milliseconds. 
+ type: number + required: + - pause + - value + title: Refresh interval + type: object + Kibana_HTTP_APIs_kbn-data-view-field-setting: + additionalProperties: false + description: Display overrides for a field. These settings can define a custom label, description, and format. + properties: + custom_description: + description: Add a description to the field. It's displayed next to the field on the Discover, Lens, and Data View Management pages. + minLength: 1 + title: Custom description + type: string + custom_label: + description: Create a label to display in place of the field name in Discover, Maps, Lens, Visualize, and TSVB. Useful for shortening a long field name. Queries and filters use the original field name. + minLength: 1 + title: Custom label + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-field-format' + title: Field settings + type: object + Kibana_HTTP_APIs_kbn-data-view-reference-schema: + additionalProperties: false + properties: + ref_id: + description: 'The id of the Kibana data view to use as the data source. Example: "my-data-view".' + type: string + type: + enum: + - data_view_reference + type: string + required: + - type + - ref_id + title: Data view reference + type: object + Kibana_HTTP_APIs_kbn-data-view-spec-schema: + additionalProperties: false + properties: + field_settings: + additionalProperties: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-field-settings-entry' + type: object + index_pattern: + description: 'The index pattern (Elasticsearch index expression) to use as the data source. Example: "my-index-*".' + title: Index pattern + type: string + time_field: + description: 'The name of the time field in the index. Used for time-based filtering. Example: "@timestamp".' 
+ title: Time field + type: string + type: + enum: + - data_view_spec + type: string + required: + - type + - index_pattern + title: Data view inline spec + type: object + Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema: + additionalProperties: false + description: Specifies the time range for a query. + properties: + from: + description: The start of the time range. Accepts Elasticsearch [date math](https://www.elastic.co/docs/reference/elasticsearch/rest-apis/common-options#date-math) expressions (for example, `now-7d`) or ISO 8601 timestamps. + type: string + mode: + description: The time range mode. Use `absolute` for fixed start and end timestamps. Use `relative` for [date math](https://www.elastic.co/docs/reference/elasticsearch/rest-apis/common-options#date-math) expressions that are re-evaluated at query time (for example, `now-7d`). + enum: + - absolute + - relative + type: string + to: + description: The end of the time range. Accepts Elasticsearch [date math](https://www.elastic.co/docs/reference/elasticsearch/rest-apis/common-options#date-math) expressions (for example, `now`) or ISO 8601 timestamps. + type: string + required: + - from + - to + title: Time range + type: object + Kibana_HTTP_APIs_kbn-field-format: + additionalProperties: false + description: Set your preferred format for displaying the value. Changing the format can affect the value and prevent highlighting in Discover. + properties: + params: + nullable: true + type: + type: string + required: + - type + - params + title: Format + type: object + Kibana_HTTP_APIs_kbn-field-settings-entry: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-composite-runtime-field-schema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-runtime-field-schema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-field-setting' + description: Display overrides for an indexed field, or a runtime field definition when `type` is set to a runtime field kind. 
+ title: Field settings or runtime field + Kibana_HTTP_APIs_kbn-link-panel-type-dashboardLink: + additionalProperties: false + properties: + destination: + description: Linked dashboard saved object id + type: string + label: + description: The label of the link to be displayed in the UI + type: string + options: + additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + type: object + properties: + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. + type: boolean + type: + enum: + - dashboardLink + type: string + required: + - type + - destination + title: kbn-link-panel-type-dashboardLink + type: object + Kibana_HTTP_APIs_kbn-link-type-externalLink: + additionalProperties: false + properties: + destination: + description: The external URL to link to + type: string + label: + description: The label of the link to be displayed in the UI + type: string + options: + additionalProperties: false + default: + encode_url: true + open_in_new_tab: true + type: object + properties: + encode_url: + default: true + description: Whether to escape the URL with percent encoding + type: boolean + open_in_new_tab: + default: true + description: Whether to open this link in a new tab when clicked + type: boolean + type: + enum: + - externalLink + type: string + required: + - type + - destination + title: kbn-link-type-externalLink + type: object + Kibana_HTTP_APIs_kbn-runtime-field-schema: + additionalProperties: false + properties: + custom_description: + description: Add a description to the field. It's displayed next to the field on the Discover, Lens, and Data View Management pages. 
+ minLength: 1 + title: Custom description + type: string + custom_label: + description: Create a label to display in place of the field name in Discover, Maps, Lens, Visualize, and TSVB. Useful for shortening a long field name. Queries and filters use the original field name. + minLength: 1 + title: Custom label + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-field-format' + script: + description: The script that defines the runtime field. This should be a painless script that computes the field value at query time. Runtime fields without a script retrieve values from _source. If the field doesn't exist in _source, a search request returns no value. + minLength: 1 + title: Script + type: string + type: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-runtime-field-type' + required: + - type + title: Runtime field + type: object + Kibana_HTTP_APIs_kbn-runtime-field-type: + description: The type of the runtime field (e.g., "keyword", "long", "date"). + enum: + - keyword + - long + - double + - date + - ip + - boolean + - geo_point + title: Type + type: string + Kibana_HTTP_APIs_kibana_asset_reference: + additionalProperties: false + properties: + deferred: + type: boolean + id: + type: string + originId: + type: string + type: + anyOf: + - enum: + - dashboard + - lens + - visualization + - search + - index-pattern + - map + - ml-module + - security-rule + - csp-rule-template + - osquery-pack-asset + - osquery-saved-query + - tag + type: string + - type: string + required: + - id + - type + title: kibana_asset_reference + type: object + Kibana_HTTP_APIs_lastValueOperation: + additionalProperties: false + properties: + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + multi_value: + default: false + description: 
Whether to return all values for multi-value fields. Only affects data table and metric charts; other charts use the last value from the array. + type: boolean + operation: + enum: + - last_value + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_field: + description: Time field used to determine document recency + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + - time_field + title: Last Value Operation + type: object + Kibana_HTTP_APIs_legacyColorByValue: + additionalProperties: false + deprecated: true + description: Legacy color by value configuration + properties: + palette: + description: The legacy palette name. + type: string + range: + description: Determines whether the range is interpreted as absolute or as a percentage of the data. + enum: + - absolute + - percentage + type: string + shift: + description: When `true`, shifts the palette colors so they start from a different offset. Defaults to `false`. + type: boolean + steps: + description: Array of ordered color steps defining the range each color is applied. + items: + additionalProperties: false + type: object + properties: + color: + description: The color to use for this step. + type: string + gte: + description: The lower bound of range from which this color applies (inclusive). + nullable: true + type: number + lt: + description: The upper bound of range to which this color applies (exclusive). + nullable: true + type: number + lte: + description: The upper bound of range to which this color applies (inclusive). 
+ nullable: true + type: number + required: + - color + maxItems: 100 + minItems: 1 + type: array + type: + enum: + - legacy_dynamic + type: string + required: + - type + - range + - steps + - palette + - shift + title: Legacy color by value + type: object + Kibana_HTTP_APIs_legacyColorByValueAbsolute: + additionalProperties: false + deprecated: true + description: Legacy color by absolute value configuration + properties: + palette: + description: The legacy palette name. + type: string + range: + enum: + - absolute + type: string + shift: + description: When `true`, shifts the palette colors so they start from a different offset. Defaults to `false`. + type: boolean + steps: + description: Array of ordered color steps defining the range each color is applied. + items: + additionalProperties: false + type: object + properties: + color: + description: The color to use for this step. + type: string + gte: + description: The lower bound of range from which this color applies (inclusive). + nullable: true + type: number + lt: + description: The upper bound of range to which this color applies (exclusive). + nullable: true + type: number + lte: + description: The upper bound of range to which this color applies (inclusive). + nullable: true + type: number + required: + - color + maxItems: 100 + minItems: 1 + type: array + type: + enum: + - legacy_dynamic + type: string + required: + - type + - range + - steps + - palette + - shift + title: Legacy color by value (absolute) + type: object + Kibana_HTTP_APIs_legacyMetricCountMetric: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' 
+ enum: + - value + - background + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValueAbsolute' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyColorByValueAbsolute' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration based on the metric value. + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. + type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + labels: + additionalProperties: false + description: Labels configuration + type: object + properties: + alignment: + default: top + description: Label alignment + enum: + - top + - bottom + type: string + operation: + enum: + - count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + size: + description: Font size for the label and value + enum: + - xs + - s + - m + - l + - xl + - xxl + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + values: + additionalProperties: false + description: Values configuration + type: object + properties: + alignment: + default: left + description: Value alignment + enum: + - left + - center + - right + type: string + required: + - operation + title: Count Metric Operation + type: object + Kibana_HTTP_APIs_legacyMetricFormula: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' 
+ enum: + - value + - background + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValueAbsolute' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyColorByValueAbsolute' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration based on the metric value. + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + formula: + description: Formula + type: string + label: + description: Label for the operation + type: string + labels: + additionalProperties: false + description: Labels configuration + type: object + properties: + alignment: + default: top + description: Label alignment + enum: + - top + - bottom + type: string + operation: + enum: + - formula + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + size: + description: Font size for the label and value + enum: + - xs + - s + - m + - l + - xl + - xxl + type: string + time_scale: + description: Time scale + enum: + - s + - m + - h + - d + type: string + values: + additionalProperties: false + description: Values configuration + type: object + properties: + alignment: + default: left + description: Value alignment + enum: + - left + - center + - right + type: string + required: + - operation + - formula + title: Formula Operation + type: object + Kibana_HTTP_APIs_legacyMetricLastValue: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' 
+ enum: + - value + - background + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValueAbsolute' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyColorByValueAbsolute' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration based on the metric value. + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + labels: + additionalProperties: false + description: Labels configuration + type: object + properties: + alignment: + default: top + description: Label alignment + enum: + - top + - bottom + type: string + multi_value: + default: false + description: Whether to return all values for multi-value fields. Only affects data table and metric charts; other charts use the last value from the array. 
+ type: boolean + operation: + enum: + - last_value + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + size: + description: Font size for the label and value + enum: + - xs + - s + - m + - l + - xl + - xxl + type: string + time_field: + description: Time field used to determine document recency + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + values: + additionalProperties: false + description: Values configuration + type: object + properties: + alignment: + default: left + description: Value alignment + enum: + - left + - center + - right + type: string + required: + - field + - operation + - time_field + title: Last Value Operation + type: object + Kibana_HTTP_APIs_legacyMetricNoESQL: + additionalProperties: false + description: Legacy Metric configuration using a data view. Superseded by the Metric chart type. + properties: + data_source: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' + description: + type: string + drilldowns: + items: + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. 
+ type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + hide_border: + type: boolean + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. 
+ type: boolean + metric: + anyOf: + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyMetricCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyMetricUniqueCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyMetricStatsMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyMetricSumMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyMetricLastValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyMetricPercentile' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyMetricPercentileRanks' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyMetricFormula' + query: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). + maximum: 1 + minimum: 0 + type: number + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + type: + enum: + - legacy_metric + type: string + required: + - type + - data_source + - metric + title: Legacy Metric Chart (DSL) + type: object + Kibana_HTTP_APIs_legacyMetricPercentile: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' + enum: + - value + - background + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValueAbsolute' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyColorByValueAbsolute' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration based on the metric value. 
+ field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + labels: + additionalProperties: false + description: Labels configuration + type: object + properties: + alignment: + default: top + description: Label alignment + enum: + - top + - bottom + type: string + operation: + enum: + - percentile + type: string + percentile: + default: 95 + description: Percentile + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + size: + description: Font size for the label and value + enum: + - xs + - s + - m + - l + - xl + - xxl + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + values: + additionalProperties: false + description: Values configuration + type: object + properties: + alignment: + default: left + description: Value alignment + enum: + - left + - center + - right + type: string + required: + - field + - operation + title: Percentile Operation + type: object + Kibana_HTTP_APIs_legacyMetricPercentileRanks: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' + enum: + - value + - background + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValueAbsolute' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyColorByValueAbsolute' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration based on the metric value. 
+ field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + labels: + additionalProperties: false + description: Labels configuration + type: object + properties: + alignment: + default: top + description: Label alignment + enum: + - top + - bottom + type: string + operation: + enum: + - percentile_rank + type: string + rank: + default: 0 + description: Percentile Rank + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + size: + description: Font size for the label and value + enum: + - xs + - s + - m + - l + - xl + - xxl + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + values: + additionalProperties: false + description: Values configuration + type: object + properties: + alignment: + default: left + description: Value alignment + enum: + - left + - center + - right + type: string + required: + - field + - operation + title: Percentile Ranks Operation + type: object + Kibana_HTTP_APIs_legacyMetricStatsMetric: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' + enum: + - value + - background + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValueAbsolute' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyColorByValueAbsolute' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration based on the metric value. 
+ field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + labels: + additionalProperties: false + description: Labels configuration + type: object + properties: + alignment: + default: top + description: Label alignment + enum: + - top + - bottom + type: string + operation: + enum: + - min + - max + - average + - median + - standard_deviation + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + size: + description: Font size for the label and value + enum: + - xs + - s + - m + - l + - xl + - xxl + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + values: + additionalProperties: false + description: Values configuration + type: object + properties: + alignment: + default: left + description: Value alignment + enum: + - left + - center + - right + type: string + required: + - field + - operation + title: Stats Metric Operation + type: object + Kibana_HTTP_APIs_legacyMetricSumMetric: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' + enum: + - value + - background + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValueAbsolute' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyColorByValueAbsolute' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration based on the metric value. + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + labels: + additionalProperties: false + description: Labels configuration + type: object + properties: + alignment: + default: top + description: Label alignment + enum: + - top + - bottom + type: string + operation: + enum: + - sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + size: + description: Font size for the label and value + enum: + - xs + - s + - m + - l + - xl + - xxl + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + values: + additionalProperties: false + description: Values configuration + type: object + properties: + alignment: + default: left + description: Value alignment + enum: + - left + - center + - right + type: string + required: + - field + - operation + title: Sum Metric Operation + type: object + Kibana_HTTP_APIs_legacyMetricUniqueCountMetric: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' + enum: + - value + - background + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValueAbsolute' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyColorByValueAbsolute' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration based on the metric value. + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + labels: + additionalProperties: false + description: Labels configuration + type: object + properties: + alignment: + default: top + description: Label alignment + enum: + - top + - bottom + type: string + operation: + enum: + - unique_count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + size: + description: Font size for the label and value + enum: + - xs + - s + - m + - l + - xl + - xxl + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + values: + additionalProperties: false + description: Values configuration + type: object + properties: + alignment: + default: left + description: Value alignment + enum: + - left + - center + - right + type: string + required: + - field + - operation + title: Unique Count Metric Operation + type: object + Kibana_HTTP_APIs_legendSize: + description: Legend size. 
+ enum: + - auto + - s + - m + - l + - xl + title: Legend Size + type: string + Kibana_HTTP_APIs_lensApiConfigNoESQL: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyMetricNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyChartNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_regionMapNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleNoESQL' + title: Visualizations (DSL) + Kibana_HTTP_APIs_lensPanelFilters: + description: Filters applied to the panel + items: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeConditionFilterSchema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeGroupFilterSchema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeDSLFilterSchema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeSpatialFilterSchema' + description: A filter applied to query results. Can be a field condition (`condition`), a logical group of conditions (`group`), a raw Elasticsearch DSL query (`dsl`), or a geo spatial query (`spatial`). 
+ maxItems: 100 + title: lensPanelFilters + type: array + Kibana_HTTP_APIs_lensResponseItem: + additionalProperties: false + properties: + data: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensApiConfigNoESQL' + id: + type: string + meta: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-meta' + required: + - id + - data + - meta + title: Visualization Response + type: object + Kibana_HTTP_APIs_logs-alert-document-count-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_alert_delay' + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + anyOf: + - additionalProperties: false + type: object + properties: + count: + additionalProperties: false + type: object + properties: + comparator: + enum: + - more than + - more than or equals + - less than + - less than or equals + - equals + - does not equal + - matches + - does not match + - matches phrase + - does not match phrase + type: string + value: + type: number + required: + - comparator + - value + criteria: + items: + additionalProperties: false + type: object + properties: + comparator: + enum: + - more than + - more than or equals + - less than + - less than or equals + - equals + - does not equal + - matches + - does not match + - matches phrase + - does not match phrase + type: string + field: + type: string + value: + anyOf: + - type: string + - type: number + required: + - field + - comparator + - value + type: array + groupBy: + items: + type: string + type: array + logView: + additionalProperties: false + type: object + properties: + logViewId: + type: string + type: + enum: + - log-view-reference + type: string + required: + - logViewId + - type + timeSize: + type: number + timeUnit: + enum: + - s + - m + - h + - d + type: string + required: + - criteria + - count + - timeUnit + - timeSize + - logView + - 
additionalProperties: false + type: object + properties: + count: + additionalProperties: false + type: object + properties: + comparator: + enum: + - more than + - more than or equals + - less than + - less than or equals + - equals + - does not equal + - matches + - does not match + - matches phrase + - does not match phrase + type: string + value: + type: number + required: + - comparator + - value + criteria: + items: + items: + additionalProperties: false + type: object + properties: + comparator: + enum: + - more than + - more than or equals + - less than + - less than or equals + - equals + - does not equal + - matches + - does not match + - matches phrase + - does not match phrase + type: string + field: + type: string + value: + anyOf: + - type: string + - type: number + required: + - field + - comparator + - value + type: array + type: array + groupBy: + items: + type: string + type: array + logView: + additionalProperties: false + type: object + properties: + logViewId: + type: string + type: + enum: + - log-view-reference + type: string + required: + - logViewId + - type + timeSize: + type: number + timeUnit: + enum: + - s + - m + - h + - d + type: string + required: + - criteria + - count + - timeUnit + - timeSize + - logView + description: The parameters for the log threshold rule. These parameters are appropriate when `rule_type_id` is `logs.alert.document.count`. + title: Log Threshold Rule Params + rule_type_id: + enum: + - logs.alert.document.count + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. 
+ items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Log threshold + type: object + Kibana_HTTP_APIs_metricBarBackgroundChart: + additionalProperties: false + description: Bar chart shown as background context behind the primary metric value. + properties: + max_value: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_differencesOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_movingAverageOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_cumulativeSumOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_counterRateOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_countMetricOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_uniqueCountMetricOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_lastValueOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_percentileOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_percentileRanksOperation' + description: Metric dimension configuration, supporting field-based aggregations (count, sum, average, median, standard deviation, unique count, last value), percentile operations, time-series operations (differences, moving average, cumulative sum, counter rate), and mathematical formulas. 
+ title: Metric Operation + orientation: + $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_simple_orientation' + type: + enum: + - bar + type: string + required: + - type + - max_value + title: Bar Background Chart + type: object + Kibana_HTTP_APIs_metricBreakdownDateHistogram: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + columns: + default: 3 + description: Number of columns. + type: number + drop_partial_intervals: + description: When `true`, drops partial intervals from the results. + type: boolean + field: + description: Field to be used for the date histogram. + type: string + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. + type: boolean + label: + description: Label for the operation + type: string + operation: + enum: + - date_histogram + type: string + suggested_interval: + default: auto + description: Suggested time interval. + type: string + use_original_time_range: + default: false + description: When `true`, uses the original time range instead of the current query time range. + type: boolean + required: + - operation + - field + title: Date Histogram Operation + type: object + Kibana_HTTP_APIs_metricBreakdownFilters: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + columns: + default: 3 + description: Number of columns. + type: number + filters: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterWithLabel' + maxItems: 100 + type: array + label: + description: Label for the operation + type: string + operation: + enum: + - filters + type: string + required: + - operation + - filters + title: Filters Operation + type: object + Kibana_HTTP_APIs_metricBreakdownHistogram: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + columns: + default: 3 + description: Number of columns. 
+ type: number + field: + description: Field to be used for the histogram. + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + granularity: + anyOf: + - description: Granularity of the histogram. + maximum: 7 + minimum: 1 + type: number + - enum: + - auto + type: string + default: auto + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. + type: boolean + label: + description: Label for the operation + type: string + operation: + enum: + - histogram + type: string + required: + - operation + - field + title: Histogram Operation + type: object + Kibana_HTTP_APIs_metricBreakdownRanges: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + columns: + default: 3 + description: Number of columns. + type: number + field: + description: Field to be used for the range. + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - range + type: string + ranges: + items: + additionalProperties: false + type: object + properties: + gt: + description: Greater than. + type: number + label: + description: Label. + type: string + lte: + description: Less than or equal to. + type: number + maxItems: 100 + type: array + required: + - operation + - field + - ranges + title: Ranges Operation + type: object + Kibana_HTTP_APIs_metricBreakdownTerms: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + columns: + default: 3 + description: Number of columns. + type: number + excludes: + additionalProperties: false + type: object + properties: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to exclude. 
+ type: string + maxItems: 100 + type: array + required: + - values + fields: + items: + description: Fields to be used for the terms. + type: string + maxItems: 4 + minItems: 1 + type: array + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + includes: + additionalProperties: false + type: object + properties: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to include. + type: string + maxItems: 100 + type: array + required: + - values + increase_accuracy: + description: When `true`, increases accuracy at the cost of performance. + type: boolean + label: + description: Label for the operation + type: string + limit: + default: 5 + description: Number of terms to return. + type: number + operation: + enum: + - terms + type: string + other_bucket: + additionalProperties: false + type: object + properties: + include_documents_without_field: + description: When `true`, includes documents that do not have the specified field. + type: boolean + required: + - include_documents_without_field + rank_by: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByAlphabetical' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByRare' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankBySignificant' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomCountOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileRankOperation' + required: + - operation + - fields + title: Terms Operation + type: object + Kibana_HTTP_APIs_metricCompareToBaseline: + additionalProperties: false + properties: + baseline: + default: 0 + description: Baseline value. 
+ type: number + icon: + description: When `true`, displays the icon for the secondary value. + type: boolean + palette: + description: 'Color palette name. Accepted values: ''default'', ''elastic_line_optimized'', ''severity'', ''eui_amsterdam'', ''kibana_v7_legacy'', ''elastic_brand_2023''. Defaults to `default`.' + type: string + to: + enum: + - baseline + type: string + value: + description: When `true`, displays the secondary value. + type: boolean + required: + - to + title: Compare To Baseline + type: object + Kibana_HTTP_APIs_metricCompareToPrimary: + additionalProperties: false + properties: + icon: + description: When `true`, displays the icon for the secondary value. + type: boolean + palette: + description: 'Color palette name. Accepted values: ''default'', ''elastic_line_optimized'', ''severity'', ''eui_amsterdam'', ''kibana_v7_legacy'', ''elastic_brand_2023''. Defaults to `default`.' + type: string + to: + enum: + - primary + type: string + value: + description: When `true`, displays the secondary value. 
+ type: boolean + required: + - to + title: Compare To Primary + type: object + Kibana_HTTP_APIs_metricComplementaryBar: + additionalProperties: false + properties: + max_value: + additionalProperties: false + type: object + properties: + column: + description: Column to use + type: string + label: + description: Label for the operation + type: string + required: + - column + orientation: + $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_simple_orientation' + type: + enum: + - bar + type: string + required: + - type + - max_value + title: Complementary Bar + type: object + Kibana_HTTP_APIs_metricComplementaryViz: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricBarBackgroundChart' + - additionalProperties: false + type: object + properties: + type: + enum: + - trend + type: string + required: + - type + description: Secondary visualization displayed behind the primary metric value, either a bar chart (with optional max value) or a trend line. + title: Complementary Visualization + Kibana_HTTP_APIs_metricESQL: + additionalProperties: false + description: Metric chart configuration for ES|QL queries + properties: + breakdown_by: + additionalProperties: false + type: object + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + column: + description: Column to use + type: string + columns: + default: 3 + description: Number of columns. 
+ type: number + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + required: + - column + data_source: + $ref: '#/components/schemas/Kibana_HTTP_APIs_esqlDataSource' + description: + type: string + drilldowns: + items: + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. + type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. 
Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + hide_border: + type: boolean + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. + type: boolean + metrics: + description: Metric dimensions to display. The first must be a primary metric; an optional second must be a secondary metric. + items: + anyOf: + - additionalProperties: false + type: object + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' + enum: + - value + - background + type: string + background_chart: + $ref: '#/components/schemas/Kibana_HTTP_APIs_metricComplementaryBar' + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the primary metric value or background. + column: + description: Column to use + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + subtitle: + description: Subtitle below the primary metric value. 
+ type: string + type: + enum: + - primary + type: string + required: + - column + - type + - additionalProperties: false + type: object + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + column: + description: Column to use + type: string + compare: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToBaseline' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToPrimary' + description: Compare the secondary metric to a baseline value or to the primary metric. + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + type: + enum: + - secondary + type: string + required: + - column + - type + maxItems: 2 + minItems: 1 + type: array + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). + maximum: 1 + minimum: 0 + type: number + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_metricStyling' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + type: + enum: + - metric + type: string + required: + - type + - data_source + - metrics + title: Metric Chart (ES|QL) + type: object + Kibana_HTTP_APIs_metricIconConfig: + additionalProperties: false + description: Icon configuration for the metric chart + properties: + alignment: + description: 'Icon alignment. Accepted values: `left`, `right`. Defaults to `right`.' 
+ enum: + - left + - right + type: string + name: + description: Icon name + enum: + - alert + - asterisk + - bell + - bolt + - bug + - compute + - editor_comment + - flag + - globe + - heart + - map_marker + - pin + - sort_down + - sort_up + - star_empty + - tag + - temperature + type: string + required: + - name + title: Icon Configuration + type: object + Kibana_HTTP_APIs_metricNoESQL: + additionalProperties: false + description: Metric chart configuration for standard queries + properties: + breakdown_by: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricBreakdownDateHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricBreakdownTerms' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricBreakdownHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricBreakdownRanges' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricBreakdownFilters' + data_source: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' + description: + type: string + drilldowns: + items: + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. 
+ type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + hide_border: + type: boolean + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. + type: boolean + metrics: + description: Metric dimensions to display. The first must be a primary metric; an optional second must be a secondary metric. 
+ items: + anyOf: + - anyOf: + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricPrimaryCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricPrimaryUniqueCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricPrimaryStatsMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricPrimarySumMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricPrimaryLastValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricPrimaryPercentile' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricPrimaryPercentileRanks' + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricPrimaryDifferences' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricPrimaryMovingAverage' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricPrimaryCumulativeSum' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricPrimaryCounterRate' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricPrimaryFormula' + - anyOf: + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricSecondaryCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricSecondaryUniqueCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricSecondaryStatsMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricSecondarySumMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricSecondaryLastValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricSecondaryPercentile' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricSecondaryPercentileRanks' + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricSecondaryDifferences' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricSecondaryMovingAverage' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricSecondaryCumulativeSum' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricSecondaryCounterRate' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricSecondaryFormula' + maxItems: 2 + minItems: 1 + type: array + query: + $ref: 
'#/components/schemas/Kibana_HTTP_APIs_filterSimple' + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). + maximum: 1 + minimum: 0 + type: number + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_metricStyling' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + type: + enum: + - metric + type: string + required: + - type + - data_source + - metrics + title: Metric Chart (DSL) + type: object + Kibana_HTTP_APIs_metricPrimaryCounterRate: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' + enum: + - value + - background + type: string + background_chart: + $ref: '#/components/schemas/Kibana_HTTP_APIs_metricComplementaryViz' + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the primary metric value or background. + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - counter_rate + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the primary metric value. 
+ type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - primary + type: string + required: + - field + - operation + - type + title: Counter Rate Operation + type: object + Kibana_HTTP_APIs_metricPrimaryCountMetric: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' + enum: + - value + - background + type: string + background_chart: + $ref: '#/components/schemas/Kibana_HTTP_APIs_metricComplementaryViz' + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the primary metric value or background. + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. + type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the primary metric value. 
+ type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - primary + type: string + required: + - operation + - type + title: Count Metric Operation + type: object + Kibana_HTTP_APIs_metricPrimaryCumulativeSum: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' + enum: + - value + - background + type: string + background_chart: + $ref: '#/components/schemas/Kibana_HTTP_APIs_metricComplementaryViz' + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the primary metric value or background. + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - cumulative_sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the primary metric value. 
+ type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - primary + type: string + required: + - field + - operation + - type + title: Cumulative Sum Operation + type: object + Kibana_HTTP_APIs_metricPrimaryDifferences: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' + enum: + - value + - background + type: string + background_chart: + $ref: '#/components/schemas/Kibana_HTTP_APIs_metricComplementaryViz' + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the primary metric value or background. + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - differences + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the primary metric value. 
+ type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - primary + type: string + required: + - operation + - of + - type + title: Differences Operation + type: object + Kibana_HTTP_APIs_metricPrimaryFormula: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' + enum: + - value + - background + type: string + background_chart: + $ref: '#/components/schemas/Kibana_HTTP_APIs_metricComplementaryViz' + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the primary metric value or background. + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + formula: + description: Formula + type: string + label: + description: Label for the operation + type: string + operation: + enum: + - formula + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the primary metric value. + type: string + time_scale: + description: Time scale + enum: + - s + - m + - h + - d + type: string + type: + enum: + - primary + type: string + required: + - operation + - formula + - type + title: Formula Operation + type: object + Kibana_HTTP_APIs_metricPrimaryLastValue: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' 
+ enum: + - value + - background + type: string + background_chart: + $ref: '#/components/schemas/Kibana_HTTP_APIs_metricComplementaryViz' + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the primary metric value or background. + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + multi_value: + default: false + description: Whether to return all values for multi-value fields. Only affects data table and metric charts; other charts use the last value from the array. + type: boolean + operation: + enum: + - last_value + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the primary metric value. + type: string + time_field: + description: Time field used to determine document recency + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - primary + type: string + required: + - field + - operation + - time_field + - type + title: Last Value Operation + type: object + Kibana_HTTP_APIs_metricPrimaryMovingAverage: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' 
+ enum: + - value + - background + type: string + background_chart: + $ref: '#/components/schemas/Kibana_HTTP_APIs_metricComplementaryViz' + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the primary metric value or background. + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - moving_average + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the primary metric value. + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - primary + type: string + window: + default: 5 + description: Window + type: number + required: + - operation + - of + - type + title: Moving Average Operation + type: object + Kibana_HTTP_APIs_metricPrimaryPercentile: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' + enum: + - value + - background + type: string + background_chart: + $ref: '#/components/schemas/Kibana_HTTP_APIs_metricComplementaryViz' + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the primary metric value or background. 
+ field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - percentile + type: string + percentile: + default: 95 + description: Percentile + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the primary metric value. + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - primary + type: string + required: + - field + - operation + - type + title: Percentile Operation + type: object + Kibana_HTTP_APIs_metricPrimaryPercentileRanks: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' + enum: + - value + - background + type: string + background_chart: + $ref: '#/components/schemas/Kibana_HTTP_APIs_metricComplementaryViz' + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the primary metric value or background. 
+ field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - percentile_rank + type: string + rank: + default: 0 + description: Percentile Rank + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the primary metric value. + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - primary + type: string + required: + - field + - operation + - type + title: Percentile Ranks Operation + type: object + Kibana_HTTP_APIs_metricPrimaryStatsMetric: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' + enum: + - value + - background + type: string + background_chart: + $ref: '#/components/schemas/Kibana_HTTP_APIs_metricComplementaryViz' + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the primary metric value or background. 
+ field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - min + - max + - average + - median + - standard_deviation + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the primary metric value. + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - primary + type: string + required: + - field + - operation + - type + title: Stats Metric Operation + type: object + Kibana_HTTP_APIs_metricPrimarySumMetric: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' + enum: + - value + - background + type: string + background_chart: + $ref: '#/components/schemas/Kibana_HTTP_APIs_metricComplementaryViz' + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the primary metric value or background. + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the primary metric value. + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - primary + type: string + required: + - field + - operation + - type + title: Sum Metric Operation + type: object + Kibana_HTTP_APIs_metricPrimaryUniqueCountMetric: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' + enum: + - value + - background + type: string + background_chart: + $ref: '#/components/schemas/Kibana_HTTP_APIs_metricComplementaryViz' + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the primary metric value or background. + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - unique_count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the primary metric value. + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - primary + type: string + required: + - field + - operation + - type + title: Unique Count Metric Operation + type: object + Kibana_HTTP_APIs_metrics-alert-inventory-threshold-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_alert_delay' + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. 
+ type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the metric inventory threshold rule. These parameters are appropriate when `rule_type_id` is `metrics.alert.inventory.threshold`. 
+ properties: + alertOnNoData: + type: boolean + criteria: + items: + additionalProperties: false + type: object + properties: + comparator: + type: string + customMetric: + additionalProperties: false + type: object + properties: + aggregation: + type: string + field: + type: string + id: + type: string + label: + type: string + type: + enum: + - custom + type: string + required: + - type + - id + - field + - aggregation + metric: + type: string + threshold: + items: + type: number + type: array + timeSize: + type: number + timeUnit: + type: string + warningComparator: + type: string + warningThreshold: + items: + type: number + type: array + required: + - threshold + - comparator + - timeUnit + - timeSize + - metric + type: array + filterQuery: + type: string + nodeType: + type: string + schema: + type: string + sourceId: + type: string + required: + - criteria + - nodeType + - sourceId + title: Metric Inventory Threshold Rule Params + type: object + rule_type_id: + enum: + - metrics.alert.inventory.threshold + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Metric inventory threshold + type: object + Kibana_HTTP_APIs_metrics-alert-threshold-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_alert_delay' + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. 
NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the metric threshold rule. These parameters are appropriate when `rule_type_id` is `metrics.alert.threshold`. + properties: + alertOnGroupDisappear: + description: If true, an alert occurs if a group that previously reported metrics does not report them again over the expected time period. This check is not recommended for dynamically scaling infrastructures that might rapidly start and stop nodes automatically. + type: boolean + alertOnNoData: + description: If true, an alert occurs if the metrics do not report any data over the expected period or if the query fails. + type: boolean + criteria: + items: + anyOf: + - additionalProperties: false + type: object + properties: + aggType: + enum: + - count + type: string + comparator: + type: string + threshold: + description: The threshold value that is used with the `comparator`. If the `comparator` is `between`, you must specify the boundary values. + items: + type: number + type: array + timeSize: + description: The size of the time window (in `timeUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection. + type: number + timeUnit: + description: 'The type of units for the time window: seconds, minutes, hours, or days.' + type: string + warningComparator: + type: string + warningThreshold: + items: + description: The threshold value that is used with the `warningComparator`. If the `warningComparator` is `between`, you must specify the boundary values. 
+ type: number + type: array + required: + - threshold + - comparator + - timeUnit + - timeSize + - aggType + - additionalProperties: false + type: object + properties: + aggType: + type: string + comparator: + type: string + metric: + type: string + threshold: + description: The threshold value that is used with the `comparator`. If the `comparator` is `between`, you must specify the boundary values. + items: + type: number + type: array + timeSize: + description: The size of the time window (in `timeUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection. + type: number + timeUnit: + description: 'The type of units for the time window: seconds, minutes, hours, or days.' + type: string + warningComparator: + type: string + warningThreshold: + items: + description: The threshold value that is used with the `warningComparator`. If the `warningComparator` is `between`, you must specify the boundary values. + type: number + type: array + required: + - threshold + - comparator + - timeUnit + - timeSize + - metric + - aggType + - additionalProperties: false + type: object + properties: + aggType: + enum: + - custom + type: string + comparator: + type: string + customMetrics: + items: + anyOf: + - additionalProperties: false + type: object + properties: + aggType: + type: string + field: + type: string + name: + type: string + required: + - name + - aggType + - field + - additionalProperties: false + type: object + properties: + aggType: + enum: + - count + type: string + filter: + type: string + name: + type: string + required: + - name + - aggType + type: array + equation: + type: string + label: + type: string + threshold: + description: The threshold value that is used with the `comparator`. If the `comparator` is `between`, you must specify the boundary values. 
+ items: + type: number + type: array + timeSize: + description: The size of the time window (in `timeUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection. + type: number + timeUnit: + description: 'The type of units for the time window: seconds, minutes, hours, or days.' + type: string + warningComparator: + type: string + warningThreshold: + items: + description: The threshold value that is used with the `warningComparator`. If the `warningComparator` is `between`, you must specify the boundary values. + type: number + type: array + required: + - threshold + - comparator + - timeUnit + - timeSize + - aggType + - customMetrics + type: array + filterQuery: + description: A query that limits the scope of the rule. The rule evaluates only metric data that matches the query. + type: string + groupBy: + anyOf: + - type: string + - items: + type: string + type: array + description: 'Create an alert for every unique value of the specified fields. For example, you can create a rule per host or every mount point of each host. IMPORTANT: If you include the same field in both the `filterQuery` and `groupBy`, you might receive fewer results than you expect. For example, if you filter by `cloud.region: us-east`, grouping by `cloud.region` will have no effect because the filter query can match only one region.' + sourceId: + type: string + required: + - criteria + - sourceId + title: Metric Threshold Rule Params + type: object + rule_type_id: + enum: + - metrics.alert.threshold + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. 
+ items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Metric threshold + type: object + Kibana_HTTP_APIs_metricSecondaryCounterRate: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + compare: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToBaseline' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToPrimary' + description: Compare the secondary metric to a baseline value or to the primary metric. 
+ field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - counter_rate + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - secondary + type: string + required: + - field + - operation + - type + title: Counter Rate Operation + type: object + Kibana_HTTP_APIs_metricSecondaryCountMetric: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + compare: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToBaseline' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToPrimary' + description: Compare the secondary metric to a baseline value or to the primary metric. + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - secondary + type: string + required: + - operation + - type + title: Count Metric Operation + type: object + Kibana_HTTP_APIs_metricSecondaryCumulativeSum: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + compare: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToBaseline' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToPrimary' + description: Compare the secondary metric to a baseline value or to the primary metric. 
+ field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - cumulative_sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - secondary + type: string + required: + - field + - operation + - type + title: Cumulative Sum Operation + type: object + Kibana_HTTP_APIs_metricSecondaryDifferences: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + compare: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToBaseline' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToPrimary' + description: Compare the secondary metric to a baseline value or to the primary metric. 
+ filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - differences + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - secondary + type: string + required: + - operation + - of + - type + title: Differences Operation + type: object + Kibana_HTTP_APIs_metricSecondaryFormula: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + compare: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToBaseline' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToPrimary' + description: Compare the secondary metric to a baseline value or to the primary metric. 
+ filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + formula: + description: Formula + type: string + label: + description: Label for the operation + type: string + operation: + enum: + - formula + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + description: Time scale + enum: + - s + - m + - h + - d + type: string + type: + enum: + - secondary + type: string + required: + - operation + - formula + - type + title: Formula Operation + type: object + Kibana_HTTP_APIs_metricSecondaryLastValue: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + compare: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToBaseline' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToPrimary' + description: Compare the secondary metric to a baseline value or to the primary metric. + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + multi_value: + default: false + description: Whether to return all values for multi-value fields. Only affects data table and metric charts; other charts use the last value from the array. 
+ type: boolean + operation: + enum: + - last_value + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_field: + description: Time field used to determine document recency + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - secondary + type: string + required: + - field + - operation + - time_field + - type + title: Last Value Operation + type: object + Kibana_HTTP_APIs_metricSecondaryMovingAverage: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + compare: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToBaseline' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToPrimary' + description: Compare the secondary metric to a baseline value or to the primary metric. 
+ filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - moving_average + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - secondary + type: string + window: + default: 5 + description: Window + type: number + required: + - operation + - of + - type + title: Moving Average Operation + type: object + Kibana_HTTP_APIs_metricSecondaryPercentile: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + compare: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToBaseline' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToPrimary' + description: Compare the secondary metric to a baseline value or to the primary metric. 
+ field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - percentile + type: string + percentile: + default: 95 + description: Percentile + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - secondary + type: string + required: + - field + - operation + - type + title: Percentile Operation + type: object + Kibana_HTTP_APIs_metricSecondaryPercentileRanks: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + compare: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToBaseline' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToPrimary' + description: Compare the secondary metric to a baseline value or to the primary metric. 
+ field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - percentile_rank + type: string + rank: + default: 0 + description: Percentile Rank + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - secondary + type: string + required: + - field + - operation + - type + title: Percentile Ranks Operation + type: object + Kibana_HTTP_APIs_metricSecondaryStatsMetric: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + compare: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToBaseline' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToPrimary' + description: Compare the secondary metric to a baseline value or to the primary metric. 
+ field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - min + - max + - average + - median + - standard_deviation + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - secondary + type: string + required: + - field + - operation + - type + title: Stats Metric Operation + type: object + Kibana_HTTP_APIs_metricSecondarySumMetric: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + compare: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToBaseline' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToPrimary' + description: Compare the secondary metric to a baseline value or to the primary metric. + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - secondary + type: string + required: + - field + - operation + - type + title: Sum Metric Operation + type: object + Kibana_HTTP_APIs_metricSecondaryUniqueCountMetric: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + compare: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToBaseline' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToPrimary' + description: Compare the secondary metric to a baseline value or to the primary metric. + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - unique_count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - secondary + type: string + required: + - field + - operation + - type + title: Unique Count Metric Operation + type: object + Kibana_HTTP_APIs_metricStyling: + additionalProperties: false + description: Visual chart styling options + properties: + icon: + $ref: '#/components/schemas/Kibana_HTTP_APIs_metricIconConfig' + primary: + additionalProperties: false + type: object + properties: + labels: + additionalProperties: false + description: Labels (title and subtitle) configuration + type: object + properties: + alignment: + description: 'Horizontal alignment for the title and subtitle text. Accepted values: `left`, `center`, `right`. Defaults to `left`.' + enum: + - left + - center + - right + type: string + position: + description: Position of the primary metric value (top, middle, or bottom). + enum: + - top + - middle + - bottom + type: string + value: + additionalProperties: false + description: Primary metric value configuration + type: object + properties: + alignment: + description: 'Alignment for the primary metric value. Accepted values: `left`, `center`, `right`. Defaults to `right`.' + enum: + - left + - center + - right + type: string + sizing: + description: Controls how the primary value text is sized within the panel. 
'auto' selects a font size from predefined breakpoints based on panel height, then shrinks if the text overflows horizontally. 'fill' scales the text to be as large as possible, filling all available space. + enum: + - auto + - fill + type: string + secondary: + additionalProperties: false + type: object + properties: + label: + additionalProperties: false + type: object + properties: + placement: + description: Label placement relative to the secondary metric value (before or after). + enum: + - before + - after + type: string + visible: + description: When `true`, displays the label. + type: boolean + value: + additionalProperties: false + description: Secondary metric value configuration + type: object + properties: + alignment: + description: 'Alignment for secondary values. Accepted values: `left`, `center`, `right`. Defaults to `right`.' + enum: + - left + - center + - right + type: string + title: metricStyling + type: object + Kibana_HTTP_APIs_minMaxAvgMedianStdDevMetricOperation: + additionalProperties: false + properties: + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - min + - max + - average + - median + - standard_deviation + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Stats Metric Operation + type: object + Kibana_HTTP_APIs_monitoring-alert-cluster-health-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: 
'#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_alert_delay' + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the cluster health rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_cluster_health`. + properties: + duration: + type: string + filterQuery: + type: string + filterQueryText: + type: string + limit: + type: string + threshold: + type: number + required: + - duration + title: Cluster Health Rule Params + type: object + rule_type_id: + enum: + - monitoring_alert_cluster_health + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Cluster health + type: object + Kibana_HTTP_APIs_monitoring-alert-cpu-usage-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_alert_delay' + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. 
The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the CPU usage rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_cpu_usage`. + properties: + duration: + type: string + filterQuery: + type: string + filterQueryText: + type: string + limit: + type: string + threshold: + type: number + required: + - duration + title: CPU Usage Rule Params + type: object + rule_type_id: + enum: + - monitoring_alert_cpu_usage + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: CPU usage + type: object + Kibana_HTTP_APIs_monitoring-alert-disk-usage-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_alert_delay' + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. 
The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the disk usage rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_disk_usage`. + properties: + duration: + type: string + filterQuery: + type: string + filterQueryText: + type: string + limit: + type: string + threshold: + type: number + required: + - duration + title: Disk Usage Rule Params + type: object + rule_type_id: + enum: + - monitoring_alert_disk_usage + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Disk usage + type: object + Kibana_HTTP_APIs_monitoring-alert-elasticsearch-version-mismatch-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_alert_delay' + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. 
NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the ES version mismatch rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_elasticsearch_version_mismatch`. + properties: + duration: + type: string + filterQuery: + type: string + filterQueryText: + type: string + limit: + type: string + threshold: + type: number + required: + - duration + title: ES Version Mismatch Rule Params + type: object + rule_type_id: + enum: + - monitoring_alert_elasticsearch_version_mismatch + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Elasticsearch version mismatch + type: object + Kibana_HTTP_APIs_monitoring-alert-jvm-memory-usage-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_alert_delay' + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. 
NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the memory usage rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_jvm_memory_usage`. + properties: + duration: + type: string + filterQuery: + type: string + filterQueryText: + type: string + limit: + type: string + threshold: + type: number + required: + - duration + title: Memory Usage Rule Params + type: object + rule_type_id: + enum: + - monitoring_alert_jvm_memory_usage + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: JVM memory usage + type: object + Kibana_HTTP_APIs_monitoring-alert-kibana-version-mismatch-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_alert_delay' + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. 
NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the Kibana version mismatch rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_kibana_version_mismatch`. + properties: + duration: + type: string + filterQuery: + type: string + filterQueryText: + type: string + limit: + type: string + threshold: + type: number + required: + - duration + title: Kibana Version Mismatch Rule Params + type: object + rule_type_id: + enum: + - monitoring_alert_kibana_version_mismatch + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Kibana version mismatch + type: object + Kibana_HTTP_APIs_monitoring-alert-license-expiration-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_alert_delay' + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. 
NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the license expiration rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_license_expiration`. + properties: + duration: + type: string + filterQuery: + type: string + filterQueryText: + type: string + limit: + type: string + threshold: + type: number + required: + - duration + title: License Expiration Rule Params + type: object + rule_type_id: + enum: + - monitoring_alert_license_expiration + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: License expiration + type: object + Kibana_HTTP_APIs_monitoring-alert-logstash-version-mismatch-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_alert_delay' + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. 
NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the logstash version mismatch rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_logstash_version_mismatch`. + properties: + duration: + type: string + filterQuery: + type: string + filterQueryText: + type: string + limit: + type: string + threshold: + type: number + required: + - duration + title: Logstash Version Mismatch Rule Params + type: object + rule_type_id: + enum: + - monitoring_alert_logstash_version_mismatch + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Logstash version mismatch + type: object + Kibana_HTTP_APIs_monitoring-alert-missing-monitoring-data-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_alert_delay' + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. 
NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the missing monitoring data rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_missing_monitoring_data`. + properties: + duration: + type: string + filterQuery: + type: string + filterQueryText: + type: string + limit: + type: string + threshold: + type: number + required: + - duration + title: Missing Monitoring Data Rule Params + type: object + rule_type_id: + enum: + - monitoring_alert_missing_monitoring_data + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Missing monitoring data + type: object + Kibana_HTTP_APIs_monitoring-alert-nodes-changed-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_alert_delay' + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. 
NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the nodes changed rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_nodes_changed`. + properties: + duration: + type: string + filterQuery: + type: string + filterQueryText: + type: string + limit: + type: string + threshold: + type: number + required: + - duration + title: Nodes Changed Rule Params + type: object + rule_type_id: + enum: + - monitoring_alert_nodes_changed + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Nodes changed + type: object + Kibana_HTTP_APIs_monitoring-alert-thread-pool-search-rejections-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_alert_delay' + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. 
NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the thread pool search rejections rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_thread_pool_search_rejections`. + properties: + duration: + type: string + filterQuery: + type: string + filterQueryText: + type: string + threshold: + type: number + required: + - duration + title: Thread Pool Search Rejections Rule Params + type: object + rule_type_id: + enum: + - monitoring_alert_thread_pool_search_rejections + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Thread pool search rejections + type: object + Kibana_HTTP_APIs_monitoring-alert-thread-pool-write-rejections-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_alert_delay' + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. 
NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the thread pool write rejections rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_thread_pool_write_rejections`. + properties: + duration: + type: string + filterQuery: + type: string + filterQueryText: + type: string + threshold: + type: number + required: + - duration + title: Thread Pool Write Rejections Rule Params + type: object + rule_type_id: + enum: + - monitoring_alert_thread_pool_write_rejections + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Thread pool write rejections + type: object + Kibana_HTTP_APIs_monitoring-ccr-read-exceptions-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_alert_delay' + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. 
NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the CCR read exceptions rule. These parameters are appropriate when `rule_type_id` is `monitoring_ccr_read_exceptions`. + properties: + duration: + type: string + filterQuery: + type: string + filterQueryText: + type: string + limit: + type: string + threshold: + type: number + required: + - duration + title: CCR Read Exceptions Rule Params + type: object + rule_type_id: + enum: + - monitoring_ccr_read_exceptions + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: CCR read exceptions + type: object + Kibana_HTTP_APIs_monitoring-shard-size-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_alert_delay' + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. 
The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the large shard size rule. These parameters are appropriate when `rule_type_id` is `monitoring_shard_size`. + properties: + duration: + type: string + filterQuery: + type: string + filterQueryText: + type: string + indexPattern: + type: string + limit: + type: string + threshold: + type: number + required: + - duration + - indexPattern + title: Large Shard Size Rule Params + type: object + rule_type_id: + enum: + - monitoring_shard_size + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Large shard size + type: object + Kibana_HTTP_APIs_mosaicESQL: + additionalProperties: false + description: Mosaic chart configuration schema for ES|QL queries, defining metrics and breakdown dimensions using column-based configuration + properties: + data_source: + $ref: '#/components/schemas/Kibana_HTTP_APIs_esqlDataSource' + description: + type: string + drilldowns: + items: + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. 
+ type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + group_breakdown_by: + description: Array of group breakdown dimensions (minimum 1) + items: + additionalProperties: false + type: object + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + column: + description: Column to use + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + required: + - column + maxItems: 100 + minItems: 1 + type: array + group_by: + description: Array of breakdown dimensions (minimum 1) + items: + additionalProperties: false + type: object + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: 
'#/components/schemas/Kibana_HTTP_APIs_colorMapping' + column: + description: Column to use + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + required: + - column + maxItems: 100 + minItems: 1 + type: array + hide_border: + type: boolean + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. + type: boolean + legend: + $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicLegend' + metric: + additionalProperties: false + description: Metric configuration for ES|QL mode, combining generic options, primary metric options, and column selection + type: object + properties: + column: + description: Column to use + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + required: + - column + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). + maximum: 1 + minimum: 0 + type: number + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicStyling' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + type: + enum: + - mosaic + type: string + required: + - type + - data_source + - metric + title: Mosaic Chart (ES|QL) + type: object + Kibana_HTTP_APIs_mosaicGroupBreakdownByDateHistogram: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + drop_partial_intervals: + description: When `true`, drops partial intervals from the results. + type: boolean + field: + description: Field to be used for the date histogram. 
+ type: string + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. + type: boolean + label: + description: Label for the operation + type: string + operation: + enum: + - date_histogram + type: string + suggested_interval: + default: auto + description: Suggested time interval. + type: string + use_original_time_range: + default: false + description: When `true`, uses the original time range instead of the current query time range. + type: boolean + required: + - operation + - field + title: Date Histogram Operation + type: object + Kibana_HTTP_APIs_mosaicGroupBreakdownByFilters: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + filters: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterWithLabel' + maxItems: 100 + type: array + label: + description: Label for the operation + type: string + operation: + enum: + - filters + type: string + required: + - operation + - filters + title: Filters Operation + type: object + Kibana_HTTP_APIs_mosaicGroupBreakdownByHistogram: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + field: + description: Field to be used for the histogram. + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + granularity: + anyOf: + - description: Granularity of the histogram. + maximum: 7 + minimum: 1 + type: number + - enum: + - auto + type: string + default: auto + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. 
+ type: boolean + label: + description: Label for the operation + type: string + operation: + enum: + - histogram + type: string + required: + - operation + - field + title: Histogram Operation + type: object + Kibana_HTTP_APIs_mosaicGroupBreakdownByRanges: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + field: + description: Field to be used for the range. + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - range + type: string + ranges: + items: + additionalProperties: false + type: object + properties: + gt: + description: Greater than. + type: number + label: + description: Label. + type: string + lte: + description: Less than or equal to. + type: number + maxItems: 100 + type: array + required: + - operation + - field + - ranges + title: Ranges Operation + type: object + Kibana_HTTP_APIs_mosaicGroupBreakdownByTerms: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + excludes: + additionalProperties: false + type: object + properties: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to exclude. + type: string + maxItems: 100 + type: array + required: + - values + fields: + items: + description: Fields to be used for the terms. + type: string + maxItems: 4 + minItems: 1 + type: array + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + includes: + additionalProperties: false + type: object + properties: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to include. 
+ type: string + maxItems: 100 + type: array + required: + - values + increase_accuracy: + description: When `true`, increases accuracy at the cost of performance. + type: boolean + label: + description: Label for the operation + type: string + limit: + default: 5 + description: Number of terms to return. + type: number + operation: + enum: + - terms + type: string + other_bucket: + additionalProperties: false + type: object + properties: + include_documents_without_field: + description: When `true`, includes documents that do not have the specified field. + type: boolean + required: + - include_documents_without_field + rank_by: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByAlphabetical' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByRare' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankBySignificant' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomCountOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileRankOperation' + required: + - operation + - fields + title: Terms Operation + type: object + Kibana_HTTP_APIs_mosaicGroupByDateHistogram: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + drop_partial_intervals: + description: When `true`, drops partial intervals from the results. + type: boolean + field: + description: Field to be used for the date histogram. + type: string + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. 
+ type: boolean + label: + description: Label for the operation + type: string + operation: + enum: + - date_histogram + type: string + suggested_interval: + default: auto + description: Suggested time interval. + type: string + use_original_time_range: + default: false + description: When `true`, uses the original time range instead of the current query time range. + type: boolean + required: + - operation + - field + title: Date Histogram Operation + type: object + Kibana_HTTP_APIs_mosaicGroupByFilters: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + filters: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterWithLabel' + maxItems: 100 + type: array + label: + description: Label for the operation + type: string + operation: + enum: + - filters + type: string + required: + - operation + - filters + title: Filters Operation + type: object + Kibana_HTTP_APIs_mosaicGroupByHistogram: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + field: + description: Field to be used for the histogram. + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + granularity: + anyOf: + - description: Granularity of the histogram. + maximum: 7 + minimum: 1 + type: number + - enum: + - auto + type: string + default: auto + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. 
+ type: boolean + label: + description: Label for the operation + type: string + operation: + enum: + - histogram + type: string + required: + - operation + - field + title: Histogram Operation + type: object + Kibana_HTTP_APIs_mosaicGroupByRanges: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + field: + description: Field to be used for the range. + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - range + type: string + ranges: + items: + additionalProperties: false + type: object + properties: + gt: + description: Greater than. + type: number + label: + description: Label. + type: string + lte: + description: Less than or equal to. + type: number + maxItems: 100 + type: array + required: + - operation + - field + - ranges + title: Ranges Operation + type: object + Kibana_HTTP_APIs_mosaicGroupByTerms: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + excludes: + additionalProperties: false + type: object + properties: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to exclude. + type: string + maxItems: 100 + type: array + required: + - values + fields: + items: + description: Fields to be used for the terms. + type: string + maxItems: 4 + minItems: 1 + type: array + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + includes: + additionalProperties: false + type: object + properties: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to include. 
+ type: string + maxItems: 100 + type: array + required: + - values + increase_accuracy: + description: When `true`, increases accuracy at the cost of performance. + type: boolean + label: + description: Label for the operation + type: string + limit: + default: 5 + description: Number of terms to return. + type: number + operation: + enum: + - terms + type: string + other_bucket: + additionalProperties: false + type: object + properties: + include_documents_without_field: + description: When `true`, includes documents that do not have the specified field. + type: boolean + required: + - include_documents_without_field + rank_by: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByAlphabetical' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByRare' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankBySignificant' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomCountOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileRankOperation' + required: + - operation + - fields + title: Terms Operation + type: object + Kibana_HTTP_APIs_mosaicLegend: + additionalProperties: false + description: Legend configuration for mosaic chart appearance and behavior + properties: + nested: + description: Show nested legend with hierarchical breakdown levels + type: boolean + size: + $ref: '#/components/schemas/Kibana_HTTP_APIs_legendSize' + truncate_after_lines: + description: Number of lines before legend items are truncated. + maximum: 10 + minimum: 1 + title: legendTruncateAfterLines + type: number + visibility: + description: Legend visibility. 
+ enum: + - auto + - visible + - hidden + type: string + title: Legend + type: object + Kibana_HTTP_APIs_mosaicMetricCounterRate: + additionalProperties: false + properties: + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - counter_rate + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Counter Rate Operation + type: object + Kibana_HTTP_APIs_mosaicMetricCountMetric: + additionalProperties: false + properties: + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - operation + title: Count Metric Operation + type: object + Kibana_HTTP_APIs_mosaicMetricCumulativeSum: + additionalProperties: false + properties: + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - cumulative_sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Cumulative Sum Operation + type: object + Kibana_HTTP_APIs_mosaicMetricDifferences: + additionalProperties: false + properties: + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - differences + type: string + reduced_time_range: + description: Reduced time range + title: 
Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - operation + - of + title: Differences Operation + type: object + Kibana_HTTP_APIs_mosaicMetricFormula: + additionalProperties: false + properties: + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + formula: + description: Formula + type: string + label: + description: Label for the operation + type: string + operation: + enum: + - formula + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + description: Time scale + enum: + - s + - m + - h + - d + type: string + required: + - operation + - formula + title: Formula Operation + type: object + Kibana_HTTP_APIs_mosaicMetricLastValue: + additionalProperties: false + properties: + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + multi_value: + default: false + description: Whether to return all values for multi-value fields. Only affects data table and metric charts; other charts use the last value from the array. 
+ type: boolean + operation: + enum: + - last_value + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_field: + description: Time field used to determine document recency + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + - time_field + title: Last Value Operation + type: object + Kibana_HTTP_APIs_mosaicMetricMovingAverage: + additionalProperties: false + properties: + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - moving_average + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + window: + default: 5 + description: Window + type: number + required: + - operation + - of + title: Moving Average Operation + type: object + Kibana_HTTP_APIs_mosaicMetricPercentile: + additionalProperties: false + properties: + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - percentile + type: string + percentile: + default: 95 + description: Percentile + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + 
type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Percentile Operation + type: object + Kibana_HTTP_APIs_mosaicMetricPercentileRanks: + additionalProperties: false + properties: + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - percentile_rank + type: string + rank: + default: 0 + description: Percentile Rank + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Percentile Ranks Operation + type: object + Kibana_HTTP_APIs_mosaicMetricStatsMetric: + additionalProperties: false + properties: + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - min + - max + - average + - median + - standard_deviation + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Stats Metric Operation + type: object + 
Kibana_HTTP_APIs_mosaicMetricSumMetric: + additionalProperties: false + properties: + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. + type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Sum Metric Operation + type: object + Kibana_HTTP_APIs_mosaicMetricUniqueCountMetric: + additionalProperties: false + properties: + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - unique_count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Unique Count Metric Operation + type: object + Kibana_HTTP_APIs_mosaicNoESQL: + additionalProperties: false + description: Mosaic chart configuration schema for data source queries (non-ES|QL mode), defining metrics and breakdown dimensions + properties: + data_source: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' + description: + type: string + drilldowns: + items: + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. 
+ type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + group_breakdown_by: + description: Array of group breakdown dimensions (minimum 1) + items: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicGroupBreakdownByDateHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicGroupBreakdownByTerms' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicGroupBreakdownByHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicGroupBreakdownByRanges' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicGroupBreakdownByFilters' + maxItems: 100 + minItems: 1 + type: array + group_by: + description: Array of breakdown dimensions (minimum 1) + items: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicGroupByDateHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicGroupByTerms' + - $ref: 
'#/components/schemas/Kibana_HTTP_APIs_mosaicGroupByHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicGroupByRanges' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicGroupByFilters' + maxItems: 100 + minItems: 1 + type: array + hide_border: + type: boolean + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. + type: boolean + legend: + $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicLegend' + metric: + anyOf: + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicMetricCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicMetricUniqueCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicMetricStatsMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicMetricSumMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicMetricLastValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicMetricPercentile' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicMetricPercentileRanks' + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicMetricDifferences' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicMetricMovingAverage' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicMetricCumulativeSum' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicMetricCounterRate' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicMetricFormula' + query: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). 
+ maximum: 1 + minimum: 0 + type: number + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicStyling' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + type: + enum: + - mosaic + type: string + required: + - type + - data_source + - metric + title: Mosaic Chart (DSL) + type: object + Kibana_HTTP_APIs_mosaicStyling: + additionalProperties: false + description: Visual chart styling options + properties: + values: + $ref: '#/components/schemas/Kibana_HTTP_APIs_valueDisplay' + title: Mosaic styling + type: object + Kibana_HTTP_APIs_movingAverageOperation: + additionalProperties: false + properties: + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - moving_average + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + window: + default: 5 + description: Window + type: number + required: + - operation + - of + title: Moving Average Operation + type: object + Kibana_HTTP_APIs_multi_field_key: + additionalProperties: false + properties: + keys: + items: + type: string + maxItems: 100 + type: array + type: + enum: + - multi_field_key + type: string + required: + - type + - keys + title: Multi Field Key + type: object + Kibana_HTTP_APIs_new_agent_policy: + additionalProperties: false + properties: + advanced_settings: + additionalProperties: false + type: object + properties: + agent_download_target_directory: + nullable: true + agent_download_timeout: + nullable: true + 
agent_features_disable_policy_change_acks_enabled: + nullable: true + agent_internal: + nullable: true + agent_limits_go_max_procs: + nullable: true + agent_logging_files_interval: + nullable: true + agent_logging_files_keepfiles: + nullable: true + agent_logging_files_rotateeverybytes: + nullable: true + agent_logging_level: + nullable: true + agent_logging_metrics_period: + nullable: true + agent_logging_to_files: + nullable: true + agent_monitoring_runtime_experimental: + nullable: true + agent_features: + items: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + name: + type: string + required: + - name + - enabled + maxItems: 100 + type: array + agentless: + additionalProperties: false + type: object + properties: + cloud_connectors: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + target_csp: + enum: + - aws + - azure + - gcp + type: string + required: + - enabled + cluster_id: + type: string + resources: + additionalProperties: false + type: object + properties: + requests: + additionalProperties: false + type: object + properties: + cpu: + type: string + memory: + type: string + bumpRevision: + type: boolean + data_output_id: + nullable: true + type: string + description: + type: string + download_source_id: + nullable: true + type: string + fleet_server_host_id: + nullable: true + type: string + force: + type: boolean + global_data_tags: + description: User defined data tags that are added to all of the inputs. The values can be strings or numbers. 
+ items: + additionalProperties: false + type: object + properties: + name: + type: string + value: + anyOf: + - type: string + - type: number + required: + - name + - value + maxItems: 100 + type: array + has_agent_version_conditions: + type: boolean + has_fleet_server: + type: boolean + id: + type: string + inactivity_timeout: + default: 1209600 + minimum: 0 + type: number + is_default: + type: boolean + is_default_fleet_server: + type: boolean + is_managed: + type: boolean + is_protected: + type: boolean + is_verifier: + type: boolean + keep_monitoring_alive: + default: false + description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled + nullable: true + type: boolean + min_agent_version: + nullable: true + type: string + monitoring_diagnostics: + additionalProperties: false + type: object + properties: + limit: + additionalProperties: false + type: object + properties: + burst: + type: number + interval: + type: string + uploader: + additionalProperties: false + type: object + properties: + init_dur: + type: string + max_dur: + type: string + max_retries: + type: number + monitoring_enabled: + items: + enum: + - logs + - metrics + - traces + type: string + maxItems: 3 + type: array + monitoring_http: + additionalProperties: false + type: object + properties: + buffer: + additionalProperties: false + type: object + properties: + enabled: + default: false + type: boolean + enabled: + type: boolean + host: + type: string + port: + maximum: 65353 + minimum: 0 + type: number + monitoring_output_id: + nullable: true + type: string + monitoring_pprof_enabled: + type: boolean + name: + minLength: 1 + type: string + namespace: + minLength: 1 + type: string + overrides: + additionalProperties: + nullable: true + description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure. 
+ nullable: true + type: object + package_agent_version_conditions: + items: + additionalProperties: false + type: object + properties: + name: + type: string + title: + type: string + version_condition: + type: string + required: + - name + - title + - version_condition + maxItems: 1000 + nullable: true + type: array + required_versions: + items: + additionalProperties: false + type: object + properties: + percentage: + description: Target percentage of agents to auto upgrade + maximum: 100 + minimum: 0 + type: number + version: + description: Target version for automatic agent upgrade + type: string + required: + - version + - percentage + maxItems: 100 + nullable: true + type: array + space_ids: + items: + type: string + maxItems: 100 + type: array + supports_agentless: + default: false + deprecated: true + description: Indicates whether the agent policy supports agentless integrations. Deprecated in favor of the Fleet agentless policies API. + nullable: true + type: boolean + unenroll_timeout: + minimum: 0 + type: number + required: + - name + - namespace + title: new_agent_policy + type: object + Kibana_HTTP_APIs_new_enrollment_api_key: + additionalProperties: false + properties: + expiration: + type: string + name: + type: string + policy_id: + type: string + required: + - policy_id + title: new_enrollment_api_key + type: object + Kibana_HTTP_APIs_new_output_elasticsearch: + additionalProperties: false + properties: + allow_edit: + items: + type: string + maxItems: 1000 + type: array + ca_sha256: + nullable: true + type: string + ca_trusted_fingerprint: + nullable: true + type: string + config_yaml: + nullable: true + type: string + hosts: + items: + format: uri + type: string + maxItems: 10 + minItems: 1 + type: array + id: + type: string + is_default: + default: false + type: boolean + is_default_monitoring: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + type: boolean + name: + type: string + otel_disable_beatsauth: + 
nullable: true + type: boolean + otel_exporter_config_yaml: + nullable: true + type: string + preset: + enum: + - balanced + - custom + - throughput + - scale + - latency + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + ssl: + additionalProperties: false + type: object + properties: + key: + anyOf: + - additionalProperties: false + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + shipper: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' + nullable: true + ssl: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + nullable: true + type: + enum: + - elasticsearch + type: string + write_to_logs_streams: + nullable: true + type: boolean + required: + - name + - type + - hosts + title: new_output_elasticsearch + type: object + Kibana_HTTP_APIs_new_output_kafka: + additionalProperties: false + properties: + allow_edit: + items: + type: string + maxItems: 1000 + type: array + auth_type: + enum: + - none + - user_pass + - ssl + - kerberos + type: string + broker_timeout: + type: number + ca_sha256: + nullable: true + type: string + ca_trusted_fingerprint: + nullable: true + type: string + client_id: + type: string + compression: + enum: + - gzip + - snappy + - lz4 + - none + type: string + compression_level: + nullable: true + type: number + config_yaml: + nullable: true + type: string + connection_type: + enum: + - plaintext + - encryption + type: string + hash: + additionalProperties: false + type: object + properties: + hash: + type: string + random: + type: boolean + headers: + items: + additionalProperties: false + type: object + properties: + key: + type: string + value: + type: string + required: + - key + - value maxItems: 100 + type: array + hosts: + items: + type: string + maxItems: 10 minItems: 1 + type: array + id: type: string - type: array - Cases_kbn_xsrf: - description: 
Cross-site request forgery protection - in: header - name: kbn-xsrf - required: true - schema: - type: string - Cases_owner_filter: - description: > - A filter to limit the response to a specific set of applications. If - this parameter is omitted, the response contains information about all - the cases that the user has access to read. - example: cases - in: query - name: owner - schema: - oneOf: - - $ref: '#/components/schemas/Cases_owner' - - $ref: '#/components/schemas/Cases_owners' - Cases_page_index: - description: The page number to return. - example: 1 - in: query - name: page - required: false - schema: - default: 1 - type: integer - Cases_page_size: - description: The number of items to return. Limited to 100 items. - example: 20 - in: query - name: perPage - required: false - schema: - default: 20 - maximum: 100 - type: integer - Cases_reporters: - description: Filters the returned cases by the user name of the reporter. - example: elastic - in: query - name: reporters - schema: - oneOf: - - $ref: '#/components/schemas/Cases_string' - - $ref: '#/components/schemas/Cases_string_array' - Cases_search: - description: >- - An Elasticsearch simple_query_string query that filters the objects in - the response. - example: Case title 1 - in: query - name: search - schema: - type: string - Cases_searchFields: - description: The fields to perform the simple_query_string parsed query against. - in: query - name: searchFields - schema: - oneOf: - - $ref: '#/components/schemas/Cases_searchFieldsType' - - $ref: '#/components/schemas/Cases_searchFieldsTypeArray' - Cases_severity: - description: The severity of the case. - example: low - in: query - name: severity - schema: - enum: - - critical - - high - - low - - medium - type: string - Cases_sort_order: - description: Determines the sort order. 
- example: desc - in: query - name: sortOrder - required: false - schema: - default: desc - enum: - - asc - - desc - type: string - Cases_sortField: - description: Determines which field is used to sort the results. - example: updatedAt - in: query - name: sortField - schema: - default: createdAt - enum: - - createdAt - - updatedAt - - closedAt - - title - - category - - status - - severity - type: string - Cases_status: - description: Filters the returned cases by state. - example: open - in: query - name: status - schema: - enum: - - closed - - in-progress - - open - type: string - Cases_tags: - description: Filters the returned cases by tags. - example: tag-1 - in: query - name: tags - schema: - oneOf: - - $ref: '#/components/schemas/Cases_string' - - $ref: '#/components/schemas/Cases_string_array' - Cases_to: - description: > - Returns only cases that were created before a specific date. The date - must be specified as a KQL data range or date match expression. - example: now+1d - in: query - name: to - schema: - type: string - Cases_user_action_types: - description: Determines the types of user actions to return. - in: query - name: types - schema: - items: - enum: - - action - - alert - - assignees - - attachment - - comment - - connector - - create_case - - description - - pushed - - settings - - severity - - status - - tags - - title - - user - example: create_case + is_default: + default: false + type: boolean + is_default_monitoring: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + type: boolean + key: type: string - type: array - Data_views_field_name: - description: The name of the runtime field. - in: path - name: fieldName - required: true - schema: - example: hour_of_day - type: string - Data_views_kbn_xsrf: - description: Cross-site request forgery protection - in: header - name: kbn-xsrf - required: true - schema: - type: string - Data_views_view_id: - description: An identifier for the data view. 
- in: path - name: viewId - required: true - schema: - example: ff959d40-b880-11e8-a6d9-e546fe2bba5f - type: string - Machine_learning_APIs_simulateParam: - description: >- - When true, simulates the synchronization by returning only the list of - actions that would be performed. - example: 'true' - in: query - name: simulate - required: false - schema: - type: boolean - Short_URL_APIs_idParam: - description: The identifier for the short URL. - in: path - name: id - required: true - schema: - type: string - SLOs_kbn_xsrf: - description: Cross-site request forgery protection - in: header - name: kbn-xsrf - required: true - schema: - type: string - SLOs_slo_id: - description: An identifier for the slo. - in: path - name: sloId - required: true - schema: - example: 9c235211-6834-11ea-a78c-6feb38a34414 - type: string - SLOs_space_id: - description: >- - An identifier for the space. If `/s/` and the identifier are omitted - from the path, the default space is used. - in: path - name: spaceId - required: true - schema: - example: default - type: string - schemas: - Alerting_401_response: - properties: - error: + name: + type: string + otel_disable_beatsauth: + nullable: true + type: boolean + otel_exporter_config_yaml: + nullable: true + type: string + partition: enum: - - Unauthorized - example: Unauthorized + - random + - round_robin + - hash type: string - message: + password: + nullable: true type: string - statusCode: + proxy_id: + nullable: true + type: string + random: + additionalProperties: false + type: object + properties: + group_events: + type: number + required_acks: enum: - - 401 - example: 401 + - 1 + - 0 + - -1 type: integer - title: Unsuccessful rule API response + round_robin: + additionalProperties: false + type: object + properties: + group_events: + type: number + sasl: + additionalProperties: false + nullable: true + type: object + properties: + mechanism: + enum: + - PLAIN + - SCRAM-SHA-256 + - SCRAM-SHA-512 + type: string + secrets: + 
additionalProperties: false + type: object + properties: + password: + anyOf: + - additionalProperties: false + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + key: + anyOf: + - additionalProperties: false + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + required: + - key + shipper: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' + nullable: true + ssl: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + nullable: true + timeout: + type: number + topic: + type: string + type: + enum: + - kafka + type: string + username: + nullable: true + type: string + version: + type: string + required: + - name + - type + - hosts + - auth_type + title: new_output_kafka type: object - Alerting_fieldmap_properties: - title: Field map objects in the get rule types response + Kibana_HTTP_APIs_new_output_logstash: + additionalProperties: false + properties: + allow_edit: + items: + type: string + maxItems: 1000 + type: array + ca_sha256: + nullable: true + type: string + ca_trusted_fingerprint: + nullable: true + type: string + config_yaml: + nullable: true + type: string + hosts: + items: + type: string + maxItems: 10 + minItems: 1 + type: array + id: + type: string + is_default: + default: false + type: boolean + is_default_monitoring: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + type: boolean + name: + type: string + otel_disable_beatsauth: + nullable: true + type: boolean + otel_exporter_config_yaml: + nullable: true + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + ssl: + additionalProperties: false + type: object + properties: + key: + anyOf: + - additionalProperties: false + type: object + properties: + hash: + type: string + 
id: + type: string + required: + - id + - type: string + shipper: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' + nullable: true + ssl: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + nullable: true + type: + enum: + - logstash + type: string + required: + - name + - type + - hosts + title: new_output_logstash type: object + Kibana_HTTP_APIs_new_output_remote_elasticsearch: + additionalProperties: false properties: - array: - description: Indicates whether the field is an array. + allow_edit: + items: + type: string + maxItems: 1000 + type: array + ca_sha256: + nullable: true + type: string + ca_trusted_fingerprint: + nullable: true + type: string + config_yaml: + nullable: true + type: string + hosts: + items: + format: uri + type: string + maxItems: 10 + minItems: 1 + type: array + id: + type: string + is_default: + default: false type: boolean - dynamic: - description: Indicates whether it is a dynamic field mapping. + is_default_monitoring: + default: false type: boolean - format: - description: > - Indicates the format of the field. For example, if the `type` is - `date_range`, the `format` can be - `epoch_millis||strict_date_optional_time`. 
+ is_internal: + type: boolean + is_preconfigured: + type: boolean + kibana_api_key: + nullable: true + type: string + kibana_url: + nullable: true + type: string + name: + type: string + otel_disable_beatsauth: + nullable: true + type: boolean + otel_exporter_config_yaml: + nullable: true + type: string + preset: + enum: + - balanced + - custom + - throughput + - scale + - latency + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + service_token: + anyOf: + - additionalProperties: false + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + key: + anyOf: + - additionalProperties: false + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + service_token: + nullable: true type: string - ignore_above: - description: >- - Specifies the maximum length of a string field. Longer strings are - not indexed or stored. - type: integer - index: - description: Indicates whether field values are indexed. + shipper: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' + nullable: true + ssl: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + nullable: true + sync_integrations: type: boolean - path: - description: TBD - type: string - properties: - additionalProperties: - type: object - properties: - type: - description: The data type for each object property. - type: string - description: > - Details about the object properties. This property is applicable - when `type` is `object`. - type: object - required: - description: Indicates whether the field is required. + sync_uninstalled_integrations: type: boolean - scaling_factor: - description: > - The scaling factor to use when encoding values. This property is - applicable when `type` is `scaled_float`. 
Values will be multiplied - by this factor at index time and rounded to the closest long value. - type: integer type: - description: Specifies the data type for the field. - example: scaled_float + enum: + - remote_elasticsearch type: string - APM_UI_400_response: + write_to_logs_streams: + nullable: true + type: boolean + required: + - name + - type + - hosts + title: new_output_remote_elasticsearch type: object + Kibana_HTTP_APIs_new_rule: + additionalProperties: false properties: - error: - description: Error type - example: Not Found - type: string - message: - description: Error message - example: Not Found + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_alert_delay' + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string - statusCode: - description: Error status code - example: 400 - type: number - APM_UI_401_response: - type: object - properties: - error: - description: Error type - example: Unauthorized + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. 
While this name does not have to be unique, a distinctive name can help you identify a rule. type: string - message: - description: Error message + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true type: string - statusCode: - description: Error status code - example: 401 - type: number - APM_UI_403_response: - type: object - properties: - error: - description: Error type - example: Forbidden + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the rule. + type: object + rule_type_id: + description: The rule type identifier. type: string - message: - description: Error message + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. 
NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true type: string - statusCode: - description: Error status code - example: 403 - type: number - APM_UI_404_response: + required: + - name + - consumer + - schedule + - rule_type_id + title: new_rule type: object + Kibana_HTTP_APIs_new_rule_action: + additionalProperties: false + description: An action that runs under defined conditions. properties: - error: - description: Error type - example: Not Found + alerts_filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action_alerts_filter' + frequency: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action_frequency' + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. type: string - message: - description: Error message - example: Not Found + id: + description: The identifier for the connector saved object. type: string - statusCode: - description: Error status code - example: 404 - type: number - APM_UI_500_response: + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + title: new_rule_action type: object + Kibana_HTTP_APIs_new_rule_action_alerts_filter: + additionalProperties: false + description: Conditions that affect whether the action runs. 
If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. properties: - error: - description: Error type - example: Internal Server Error - type: string - message: - description: Error message - type: string - statusCode: - description: Error status code - example: 500 - type: number - APM_UI_501_response: + query: + $ref: '#/components/schemas/Kibana_HTTP_APIs_alerts_filter_query' + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. + type: object + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). + type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. + type: string + required: + - days + - hours + - timezone + title: new_rule_action_alerts_filter type: object + Kibana_HTTP_APIs_new_rule_action_frequency: + additionalProperties: false properties: - error: - description: Error type - example: Not Implemented + notify_when: + description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval type: string - message: - description: Error message - example: Not Implemented + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true type: string - statusCode: - description: Error status code - example: 501 - type: number - APM_UI_agent_configuration_intake_object: + required: + - summary + - notify_when + - throttle + title: new_rule_action_frequency type: object + Kibana_HTTP_APIs_noColor: + additionalProperties: false + description: Explicitly disables coloring properties: - agent_name: - description: >- - The agent name is used by the UI to determine which settings to - display. 
+ type: + enum: + - none type: string - service: - $ref: '#/components/schemas/APM_UI_service_object' - settings: - $ref: '#/components/schemas/APM_UI_settings_object' required: - - service - - settings - APM_UI_agent_configuration_object: - description: Agent configuration + - type + title: No Color type: object + Kibana_HTTP_APIs_numericFormat: + additionalProperties: false + description: Number or percentage format with optional decimal places, suffix, and compact notation. properties: - '@timestamp': - description: Timestamp - example: 1730194190636 + compact: + default: false + description: When `true`, uses compact notation (for example, 1.2k instead of 1,200). Defaults to `false`. + type: boolean + decimals: + default: 2 + description: Number of decimal places to display. type: number - agent_name: - description: Agent name + suffix: + description: Suffix appended to the formatted value. type: string - applied_by_agent: - description: Applied by agent - example: true - type: boolean - etag: - description: > - `etag` is sent by the APM agent to indicate the `etag` of the last - successfully applied configuration. If the `etag` matches an - existing configuration its `applied_by_agent` property will be set - to `true`. Every time a configuration is edited `applied_by_agent` - is reset to `false`. - example: 0bc3b5ebf18fba8163fe4c96f491e3767a358f85 + type: + description: 'Value format type: `number` for plain numbers, `percent` for percentages.' 
+ enum: + - number + - percent type: string - service: - $ref: '#/components/schemas/APM_UI_service_object' - settings: - $ref: '#/components/schemas/APM_UI_settings_object' required: - - service - - settings - - '@timestamp' - - etag - APM_UI_agent_configurations_response: + - type + title: Numeric Format type: object + Kibana_HTTP_APIs_observability-rules-custom-threshold-create-rule-body-alerting: + additionalProperties: false properties: - configurations: - description: Agent configuration + actions: + default: [] items: - $ref: '#/components/schemas/APM_UI_agent_configuration_object' + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' type: array - APM_UI_agent_keys_object: - type: object - properties: + alert_delay: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_alert_delay' + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true name: - description: The name of the APM agent key. + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. type: string - privileges: - description: > - The APM agent key privileges. 
It can take one or more of the - following values: - - * `event:write`, which is required for ingesting APM agent events. * - `config_agent:read`, which is required for APM agents to read agent - configuration remotely. - items: - enum: - - event:write - - config_agent:read - type: string - type: array - required: - - name - - privileges - APM_UI_agent_keys_response: - type: object - properties: - agentKey: - description: Agent key - type: object + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the custom threshold rule. These parameters are appropriate when `rule_type_id` is `observability.rules.custom_threshold`. 
properties: - api_key: - type: string - encoded: - type: string - expiration: - format: int64 - type: integer - id: - type: string - name: + alertOnGroupDisappear: + type: boolean + alertOnNoData: + type: boolean + criteria: + items: + additionalProperties: false + type: object + properties: + aggType: + enum: + - custom + type: string + comparator: + type: string + equation: + type: string + label: + type: string + metrics: + items: + anyOf: + - additionalProperties: false + type: object + properties: + aggType: + type: string + field: + type: string + filter: + type: string + name: + type: string + required: + - name + - aggType + - field + - additionalProperties: false + type: object + properties: + aggType: + enum: + - count + type: string + filter: + type: string + name: + type: string + required: + - name + - aggType + type: array + threshold: + items: + type: number + type: array + timeSize: + type: number + timeUnit: + type: string + required: + - threshold + - comparator + - timeUnit + - timeSize + - metrics + type: array + groupBy: + anyOf: + - type: string + - items: + type: string + type: array + noDataBehavior: + enum: + - recover + - remainActive + - alertOnNoData type: string + searchConfiguration: + additionalProperties: false + type: object + properties: + filter: + items: + additionalProperties: false + type: object + properties: + meta: + additionalProperties: + nullable: true + type: object + query: + additionalProperties: + nullable: true + type: object + required: + - meta + type: array + index: + anyOf: + - type: string + - additionalProperties: false + type: object + properties: + allowHidden: + type: boolean + allowNoIndex: + type: boolean + fieldAttrs: + additionalProperties: + additionalProperties: false + type: object + properties: + count: + type: number + customDescription: + maxLength: 300 + type: string + customLabel: + type: string + type: object + fieldFormats: + additionalProperties: + additionalProperties: false + type: object + 
properties: + id: + type: string + params: + nullable: true + required: + - params + type: object + fields: + additionalProperties: + additionalProperties: false + type: object + properties: + aggregatable: + type: boolean + count: + minimum: 0 + type: number + customDescription: + maxLength: 300 + type: string + customLabel: + type: string + esTypes: + items: + type: string + type: array + format: + additionalProperties: false + type: object + properties: + id: + type: string + params: + nullable: true + required: + - params + name: + maxLength: 1000 + type: string + readFromDocValues: + type: boolean + runtimeField: + anyOf: + - additionalProperties: false + type: object + properties: + customDescription: + maxLength: 300 + type: string + customLabel: + type: string + format: + additionalProperties: false + type: object + properties: + id: + type: string + params: + nullable: true + required: + - params + popularity: + minimum: 0 + type: number + script: + additionalProperties: false + type: object + properties: + source: + type: string + required: + - source + type: + enum: + - keyword + - long + - double + - date + - ip + - boolean + - geo_point + type: string + required: + - type + - additionalProperties: false + type: object + properties: + fields: + additionalProperties: + additionalProperties: false + type: object + properties: + customDescription: + maxLength: 300 + type: string + customLabel: + type: string + format: + additionalProperties: false + type: object + properties: + id: + type: string + params: + nullable: true + required: + - params + popularity: + minimum: 0 + type: number + type: + enum: + - keyword + - long + - double + - date + - ip + - boolean + - geo_point + type: string + required: + - type + type: object + script: + additionalProperties: false + type: object + properties: + source: + type: string + required: + - source + type: + enum: + - composite + type: string + required: + - type + script: + maxLength: 1000000 + type: string + 
scripted: + type: boolean + searchable: + type: boolean + shortDotsEnable: + type: boolean + subType: + additionalProperties: false + type: object + properties: + multi: + additionalProperties: false + type: object + properties: + parent: + type: string + required: + - parent + nested: + additionalProperties: false + type: object + properties: + path: + type: string + required: + - path + type: + default: string + maxLength: 1000 + type: string + required: + - name + type: object + id: + type: string + managed: + type: boolean + name: + type: string + namespaces: + items: + type: string + type: array + runtimeFieldMap: + additionalProperties: + anyOf: + - additionalProperties: false + type: object + properties: + customDescription: + maxLength: 300 + type: string + customLabel: + type: string + format: + additionalProperties: false + type: object + properties: + id: + type: string + params: + nullable: true + required: + - params + popularity: + minimum: 0 + type: number + script: + additionalProperties: false + type: object + properties: + source: + type: string + required: + - source + type: + enum: + - keyword + - long + - double + - date + - ip + - boolean + - geo_point + type: string + required: + - type + - additionalProperties: false + type: object + properties: + fields: + additionalProperties: + additionalProperties: false + type: object + properties: + customDescription: + maxLength: 300 + type: string + customLabel: + type: string + format: + additionalProperties: false + type: object + properties: + id: + type: string + params: + nullable: true + required: + - params + popularity: + minimum: 0 + type: number + type: + enum: + - keyword + - long + - double + - date + - ip + - boolean + - geo_point + type: string + required: + - type + type: object + script: + additionalProperties: false + type: object + properties: + source: + type: string + required: + - source + type: + enum: + - composite + type: string + required: + - type + type: object + 
sourceFilters: + items: + additionalProperties: false + type: object + properties: + clientId: + anyOf: + - type: string + - type: number + value: + type: string + required: + - value + type: array + timeFieldName: + type: string + title: + type: string + type: + type: string + typeMeta: + additionalProperties: true + type: object + properties: {} + version: + type: string + required: + - title + query: + additionalProperties: false + type: object + properties: + language: + type: string + query: + type: string + required: + - language + - query + required: + - index + - query required: - - id - - name - - api_key - - encoded - APM_UI_annotation_search_response: - type: object - properties: - annotations: - description: Annotations - items: - type: object - properties: - '@timestamp': - type: number - id: - type: string - text: - type: string - type: - enum: - - version - type: string - type: array - APM_UI_base_source_map_object: - type: object - properties: - compressionAlgorithm: - description: Compression Algorithm - type: string - created: - description: Created date - type: string - decodedSha256: - description: Decoded SHA-256 - type: string - decodedSize: - description: Decoded size - type: number - encodedSha256: - description: Encoded SHA-256 - type: string - encodedSize: - description: Encoded size - type: number - encryptionAlgorithm: - description: Encryption Algorithm - type: string - id: - description: Identifier - type: string - identifier: - description: Identifier - type: string - packageName: - description: Package name - type: string - relative_url: - description: Relative URL - type: string - type: - description: Type - type: string - APM_UI_create_annotation_object: - type: object - properties: - '@timestamp': - description: The date and time of the annotation. It must be in ISO 8601 format. - type: string - message: - description: >- - The message displayed in the annotation. It defaults to - `service.version`. 
+ - criteria + - searchConfiguration + title: Custom Threshold Rule Params + type: object + rule_type_id: + enum: + - observability.rules.custom_threshold type: string - service: - description: The service that identifies the configuration to create or update. + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. type: object properties: - environment: - description: The environment of the service. - type: string - version: - description: The version of the service. + interval: + description: The interval is specified in seconds, minutes, hours, or days. type: string required: - - version + - interval tags: - description: > - Tags are used by the Applications UI to distinguish APM annotations - from other annotations. Tags may have additional functionality in - future releases. It defaults to `[apm]`. While you can add - additional tags, you cannot remove the `apm` tag. + default: [] + description: The tags for the rule. 
items: type: string type: array - required: - - '@timestamp' - - service - APM_UI_create_annotation_response: - type: object - properties: - _id: - description: Identifier - type: string - _index: - description: Index - type: string - _source: - description: Response - type: object - properties: - '@timestamp': - type: string - annotation: - type: object - properties: - title: - type: string - type: - type: string - event: - type: object - properties: - created: - type: string - message: - type: string - service: - type: object - properties: - environment: - type: string - name: - type: string - version: - type: string - tags: - items: - type: string - type: array - APM_UI_delete_agent_configurations_response: - type: object - properties: - result: - description: Result - type: string - APM_UI_delete_service_object: - description: Service - type: object - properties: - service: - $ref: '#/components/schemas/APM_UI_service_object' - required: - - service - APM_UI_search_agent_configuration_object: - type: object - properties: - error: - description: > - If provided, the agent configuration will be marked as error and - `applied_by_agent` will be set to `false`. - - This is useful for cases where the agent configuration was not - applied successfully. - type: string - etag: - description: If etags match then `applied_by_agent` field will be set to `true` - example: 0bc3b5ebf18fba8163fe4c96f491e3767a358f85 + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true type: string - mark_as_applied_by_agent: - description: > - `markAsAppliedByAgent=true` means "force setting it to true - regardless of etag". 
- - This is needed for Jaeger agent that doesn't have etags - type: boolean - service: - $ref: '#/components/schemas/APM_UI_service_object' required: - - service - APM_UI_search_agent_configuration_response: - type: object - properties: - _id: - description: Identifier - type: string - _index: - description: Index - type: string - _score: - description: Score - type: number - _source: - $ref: '#/components/schemas/APM_UI_agent_configuration_object' - APM_UI_service_agent_name_response: - type: object - properties: - agentName: - description: Agent name - example: nodejs - type: string - APM_UI_service_environment_object: - type: object - properties: - alreadyConfigured: - description: Already configured - type: boolean - name: - description: Service environment name - example: ALL_OPTION_VALUE - type: string - APM_UI_service_environments_response: + - name + - consumer + - schedule + - rule_type_id + - params + title: Custom threshold type: object + Kibana_HTTP_APIs_operationTimeScaleSetting: + description: Time scale + enum: + - s + - m + - h + - d + title: Operation Time Scale Setting + type: string + Kibana_HTTP_APIs_output_elasticsearch: + additionalProperties: true properties: - environments: - description: Service environment list + allow_edit: items: - $ref: '#/components/schemas/APM_UI_service_environment_object' + type: string + maxItems: 1000 type: array - APM_UI_service_object: - description: Service - type: object - properties: - environment: - description: The environment of the service. - example: prod + ca_sha256: + nullable: true type: string - name: - description: The name of the service. 
- example: node + ca_trusted_fingerprint: + nullable: true type: string - APM_UI_settings_object: - additionalProperties: - type: string - description: Agent configuration settings - type: object - APM_UI_single_agent_configuration_response: - allOf: - - type: object - properties: - id: - type: string - required: - - id - - $ref: '#/components/schemas/APM_UI_agent_configuration_object' - APM_UI_source_maps_response: - type: object - properties: - artifacts: - description: Artifacts + config_yaml: + nullable: true + type: string + hosts: items: - allOf: - - type: object - properties: - body: - type: object - properties: - bundleFilepath: - type: string - serviceName: - type: string - serviceVersion: - type: string - sourceMap: - type: object - properties: - file: - type: string - mappings: - type: string - sourceRoot: - type: string - sources: - items: - type: string - type: array - sourcesContent: - items: - type: string - type: array - version: - type: number - - $ref: '#/components/schemas/APM_UI_base_source_map_object' + format: uri + type: string + maxItems: 10 + minItems: 1 type: array - APM_UI_upload_source_map_object: - type: object - properties: - bundle_filepath: - description: >- - The absolute path of the final bundle as used in the web - application. - type: string - service_name: - description: The name of the service that the service map should apply to. + id: type: string - service_version: - description: The version of the service that the service map should apply to. + is_default: + default: false + type: boolean + is_default_monitoring: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + type: boolean + name: type: string - sourcemap: - description: > - The source map. It can be a string or file upload. It must follow - the - - [source map format specification](https://tc39.es/ecma426/). 
- format: binary + otel_disable_beatsauth: + nullable: true + type: boolean + otel_exporter_config_yaml: + nullable: true type: string - required: - - service_name - - service_version - - bundle_filepath - - sourcemap - APM_UI_upload_source_maps_response: - allOf: - - type: object - properties: - body: - type: string - - $ref: '#/components/schemas/APM_UI_base_source_map_object' - Cases_actions: - enum: - - add - - create - - delete - - push_to_service - - update - example: create - type: string - Cases_add_alert_comment_request_properties: - description: Defines properties for case comment requests when type is alert. - type: object - properties: - alertId: - $ref: '#/components/schemas/Cases_alert_identifiers' - index: - $ref: '#/components/schemas/Cases_alert_indices' - owner: - $ref: '#/components/schemas/Cases_owner' - rule: - $ref: '#/components/schemas/Cases_rule' - type: - description: The type of comment. + preset: enum: - - alert - example: alert - type: string - required: - - alertId - - index - - owner - - rule - - type - title: Add case comment request properties for alerts - Cases_add_case_comment_request: - description: >- - The add comment to case API request body varies depending on whether you - are adding an alert or a comment. - discriminator: - mapping: - alert: '#/components/schemas/Cases_add_alert_comment_request_properties' - user: '#/components/schemas/Cases_add_user_comment_request_properties' - propertyName: type - oneOf: - - $ref: '#/components/schemas/Cases_add_alert_comment_request_properties' - - $ref: '#/components/schemas/Cases_add_user_comment_request_properties' - title: Add case comment request - Cases_add_case_file_request: - description: >- - Defines the file that will be attached to the case. Optional parameters - will be generated automatically from the file metadata if not defined. - type: object - properties: - file: - description: The file being attached to the case. 
- format: binary - type: string - filename: - description: >- - The desired name of the file being attached to the case, it can be - different than the name of the file in the filesystem. **This should - not include the file extension.** + - balanced + - custom + - throughput + - scale + - latency type: string - required: - - file - title: Add case file request properties - Cases_add_user_comment_request_properties: - description: Defines properties for case comment requests when type is user. - properties: - comment: - description: The new comment. It is required only when `type` is `user`. - example: A new comment. - maxLength: 30000 + proxy_id: + nullable: true type: string - owner: - $ref: '#/components/schemas/Cases_owner' + secrets: + additionalProperties: true + type: object + properties: + ssl: + additionalProperties: true + type: object + properties: + key: + anyOf: + - additionalProperties: true + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + shipper: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' + nullable: true + ssl: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + nullable: true type: - description: The type of comment. 
enum: - - user - example: user + - elasticsearch type: string + write_to_logs_streams: + nullable: true + type: boolean required: - - comment - - owner + - name - type - title: Add case comment request properties for user comments - type: object - Cases_alert_comment_response_properties: - title: Add case comment response properties for alerts + - hosts + title: output_elasticsearch type: object + Kibana_HTTP_APIs_output_kafka: + additionalProperties: true properties: - alertId: + allow_edit: items: - example: a6e12ac4-7bce-457b-84f6-d7ce8deb8446 type: string + maxItems: 1000 type: array - created_at: - example: '2023-11-06T19:29:38.424Z' - format: date-time + auth_type: + enum: + - none + - user_pass + - ssl + - kerberos type: string - created_by: + broker_timeout: + type: number + ca_sha256: + nullable: true + type: string + ca_trusted_fingerprint: + nullable: true + type: string + client_id: + type: string + compression: + enum: + - gzip + - snappy + - lz4 + - none + type: string + compression_level: + nullable: true + type: number + config_yaml: + nullable: true + type: string + connection_type: + enum: + - plaintext + - encryption + type: string + hash: + additionalProperties: true type: object properties: - email: - example: null - nullable: true - type: string - full_name: - example: null - nullable: true - type: string - profile_uid: - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - type: string - username: - example: elastic - nullable: true + hash: type: string - required: - - email - - full_name - - username - id: - example: 73362370-ab1a-11ec-985f-97e55adae8b9 - type: string - index: + random: + type: boolean + headers: + items: + additionalProperties: true + type: object + properties: + key: + type: string + value: + type: string + required: + - key + - value + maxItems: 100 + type: array + hosts: items: - example: .internal.alerts-security.alerts-default-000001 type: string + maxItems: 10 + minItems: 1 type: array - owner: - $ref: 
'#/components/schemas/Cases_owner' - pushed_at: - example: null - format: date-time + id: + type: string + is_default: + default: false + type: boolean + is_default_monitoring: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + type: boolean + key: + type: string + name: + type: string + otel_disable_beatsauth: + nullable: true + type: boolean + otel_exporter_config_yaml: nullable: true type: string - pushed_by: + partition: + enum: + - random + - round_robin + - hash + type: string + password: + nullable: true + type: string + proxy_id: nullable: true + type: string + random: + additionalProperties: true type: object properties: - email: - example: null - nullable: true - type: string - full_name: - example: null - nullable: true - type: string - profile_uid: - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - type: string - username: - example: elastic - nullable: true - type: string - required: - - email - - full_name - - username - rule: + group_events: + type: number + required_acks: + enum: + - 1 + - 0 + - -1 + type: integer + round_robin: + additionalProperties: true type: object properties: - id: - description: The rule identifier. - example: 94d80550-aaf4-11ec-985f-97e55adae8b9 - nullable: true - type: string - name: - description: The rule name. 
- example: security_rule - nullable: true + group_events: + type: number + sasl: + additionalProperties: true + nullable: true + type: object + properties: + mechanism: + enum: + - PLAIN + - SCRAM-SHA-256 + - SCRAM-SHA-512 type: string + secrets: + additionalProperties: true + type: object + properties: + password: + anyOf: + - additionalProperties: true + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: true + type: object + properties: + key: + anyOf: + - additionalProperties: true + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + required: + - key + shipper: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' + nullable: true + ssl: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + nullable: true + timeout: + type: number + topic: + type: string type: enum: - - alert - example: alert + - kafka type: string - updated_at: - format: date-time + username: nullable: true type: string - updated_by: - nullable: true - type: object - properties: - email: - example: null - nullable: true - type: string - full_name: - example: null - nullable: true - type: string - profile_uid: - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - type: string - username: - example: elastic - nullable: true - type: string - required: - - email - - full_name - - username version: - example: WzMwNDgsMV0= type: string required: + - name - type - Cases_alert_identifiers: - description: > - The alert identifiers. It is required only when `type` is `alert`. You - can use an array of strings to add multiple alerts to a case, provided - that they all relate to the same rule; `index` must also be an array - with the same length or number of elements. Adding multiple alerts in - this manner is recommended rather than calling the API multiple times. 
- This functionality is in technical preview and may be changed or removed - in a future release. Elastic will work to fix any issues, but features - in technical preview are not subject to the support SLA of official GA - features. - example: 6b24c4dc44bc720cfc92797f3d61fff952f2b2627db1fb4f8cc49f4530c4ff42 - oneOf: - - type: string - - items: + - hosts + - auth_type + title: output_kafka + type: object + Kibana_HTTP_APIs_output_logstash: + additionalProperties: true + properties: + allow_edit: + items: type: string maxItems: 1000 type: array - title: Alert identifiers - x-state: Technical preview - Cases_alert_indices: - description: > - The alert indices. It is required only when `type` is `alert`. If you - are adding multiple alerts to a case, use an array of strings; the - position of each index name in the array must match the position of the - corresponding alert identifier in the `alertId` array. This - functionality is in technical preview and may be changed or removed in a - future release. Elastic will work to fix any issues, but features in - technical preview are not subject to the support SLA of official GA - features. 
- oneOf: - - type: string - - items: + ca_sha256: + nullable: true + type: string + ca_trusted_fingerprint: + nullable: true + type: string + config_yaml: + nullable: true + type: string + hosts: + items: type: string - maxItems: 1000 + maxItems: 10 + minItems: 1 type: array - title: Alert indices - x-state: Technical preview - Cases_alert_response_properties: + id: + type: string + is_default: + default: false + type: boolean + is_default_monitoring: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + type: boolean + name: + type: string + otel_disable_beatsauth: + nullable: true + type: boolean + otel_exporter_config_yaml: + nullable: true + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: true + type: object + properties: + ssl: + additionalProperties: true + type: object + properties: + key: + anyOf: + - additionalProperties: true + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + shipper: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' + nullable: true + ssl: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + nullable: true + type: + enum: + - logstash + type: string + required: + - name + - type + - hosts + title: output_logstash type: object + Kibana_HTTP_APIs_output_remote_elasticsearch: + additionalProperties: true properties: - attached_at: - format: date-time + allow_edit: + items: + type: string + maxItems: 1000 + type: array + ca_sha256: + nullable: true type: string - id: - description: The alert identifier. + ca_trusted_fingerprint: + nullable: true type: string - index: - description: The alert index. + config_yaml: + nullable: true type: string - Cases_assignees: - description: An array containing users that are assigned to the case. - items: - type: object - properties: - uid: - description: >- - A unique identifier for the user profile. 
These identifiers can be - found by using the suggest user profile API. - example: u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0 + hosts: + items: + format: uri type: string - required: - - uid - maxItems: 10 - nullable: true - type: array - Cases_attachment_totals: - description: Counts of alerts, events, and user comments attached to a case. - properties: - alerts: - description: Number of alert attachments on the case. - type: integer - events: - description: Number of event attachments on the case. - type: integer - userComments: - description: Number of user comment attachments on the case. - type: integer - required: - - alerts - - events - - userComments - title: Attachment totals - type: object - Cases_case_categories: - items: - $ref: '#/components/schemas/Cases_case_category' - maxItems: 100 - type: array - Cases_case_category: - description: A word or phrase that categorizes the case. - maxLength: 50 - type: string - Cases_case_close_sync_reason: - description: > - The close reason to sync to attached alerts when closing the case. Can - be one of following predefined reasons: [false_positive, duplicate, - true_positive, benign_positive, automated_closure, other] or a custom - reason provided by the user. - oneOf: - - enum: - - false_positive - - duplicate - - true_positive - - benign_positive - - automated_closure - - other + maxItems: 10 + minItems: 1 + type: array + id: type: string - - type: string - Cases_case_description: - description: The description for the case. - maxLength: 30000 - type: string - Cases_case_observable: - description: A single observable attached to a case. - properties: - createdAt: - description: When the observable was created. 
- example: '2024-11-14T10:00:00.000Z' - format: date-time + is_default: + default: false + type: boolean + is_default_monitoring: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + type: boolean + kibana_api_key: + nullable: true type: string - description: - description: An optional description for the observable. - example: Source IP + kibana_url: + nullable: true + type: string + name: + type: string + otel_disable_beatsauth: + nullable: true + type: boolean + otel_exporter_config_yaml: + nullable: true + type: string + preset: + enum: + - balanced + - custom + - throughput + - scale + - latency + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: true + type: object + properties: + service_token: + anyOf: + - additionalProperties: true + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: true + type: object + properties: + key: + anyOf: + - additionalProperties: true + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + service_token: nullable: true type: string - id: - description: The observable identifier. - example: df927ab8-54ed-47d6-be07-9948c255c097 - type: string - typeKey: - description: The observable type key. - example: observable-type-ipv4 - type: string - updatedAt: - description: When the observable was last updated. - example: '2024-11-14T10:00:00.000Z' - format: date-time + shipper: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' nullable: true + ssl: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + nullable: true + sync_integrations: + type: boolean + sync_uninstalled_integrations: + type: boolean + type: + enum: + - remote_elasticsearch type: string - value: - description: The observable value. 
- example: 10.0.0.8 - type: string + write_to_logs_streams: + nullable: true + type: boolean required: - - id - - typeKey - - value - - description - - createdAt - - updatedAt - title: Case observable + - name + - type + - hosts + title: output_remote_elasticsearch type: object - Cases_case_response_closed_by_properties: - nullable: true + Kibana_HTTP_APIs_output_shipper: + additionalProperties: true properties: - email: - example: null + compression_level: nullable: true - type: string - full_name: - example: null + type: number + disk_queue_compression_enabled: nullable: true - type: string - profile_uid: - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - type: string - username: - example: elastic + type: boolean + disk_queue_enabled: + default: false + nullable: true + type: boolean + disk_queue_encryption_enabled: + nullable: true + type: boolean + disk_queue_max_size: + nullable: true + type: number + disk_queue_path: nullable: true type: string + loadbalance: + nullable: true + type: boolean + max_batch_bytes: + nullable: true + type: number + mem_queue_events: + nullable: true + type: number + queue_flush_timeout: + nullable: true + type: number required: - - email - - full_name - - username - title: Case response properties for closed_by - type: object - Cases_case_response_created_by_properties: - title: Case response properties for created_by + - disk_queue_path + - disk_queue_max_size + - disk_queue_encryption_enabled + - disk_queue_compression_enabled + - compression_level + - loadbalance + - mem_queue_events + - queue_flush_timeout + - max_batch_bytes + title: output_shipper type: object + Kibana_HTTP_APIs_output_ssl: + additionalProperties: true properties: - email: - example: null - nullable: true - type: string - full_name: - example: null - nullable: true + certificate: type: string - profile_uid: - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + 
key: type: string - username: - example: elastic - nullable: true + verification_mode: + enum: + - full + - none + - certificate + - strict type: string - required: - - email - - full_name - - username - Cases_case_response_get_case: - description: > - Case details returned by the get case API. The comments property is not - included in the response. Use the find case comments API to retrieve - comments. totalComment reflects the actual number of user comments. + title: output_ssl + type: object + Kibana_HTTP_APIs_package_icon: + additionalProperties: false properties: - assignees: - $ref: '#/components/schemas/Cases_assignees' - category: - description: The case category. - nullable: true + dark_mode: + type: boolean + path: type: string - closed_at: - format: date-time - nullable: true + size: type: string - closed_by: - $ref: '#/components/schemas/Cases_case_response_closed_by_properties' - connector: - discriminator: - mapping: - .cases-webhook: '#/components/schemas/Cases_connector_properties_cases_webhook' - .jira: '#/components/schemas/Cases_connector_properties_jira' - .none: '#/components/schemas/Cases_connector_properties_none' - .resilient: '#/components/schemas/Cases_connector_properties_resilient' - .servicenow: '#/components/schemas/Cases_connector_properties_servicenow' - .servicenow-sir: '#/components/schemas/Cases_connector_properties_servicenow_sir' - .swimlane: '#/components/schemas/Cases_connector_properties_swimlane' - propertyName: type - oneOf: - - $ref: '#/components/schemas/Cases_connector_properties_none' - - $ref: '#/components/schemas/Cases_connector_properties_cases_webhook' - - $ref: '#/components/schemas/Cases_connector_properties_jira' - - $ref: '#/components/schemas/Cases_connector_properties_resilient' - - $ref: '#/components/schemas/Cases_connector_properties_servicenow' - - $ref: '#/components/schemas/Cases_connector_properties_servicenow_sir' - - $ref: '#/components/schemas/Cases_connector_properties_swimlane' - title: Case 
response properties for connectors - created_at: - example: '2022-05-13T09:16:17.416Z' - format: date-time + src: type: string - created_by: - $ref: '#/components/schemas/Cases_case_response_created_by_properties' - customFields: - description: Custom field values for the case. + title: + type: string + type: + type: string + required: + - src + title: package_icon + type: object + Kibana_HTTP_APIs_package_list_item: + additionalProperties: true + properties: + categories: items: - type: object - properties: - key: - description: > - The unique identifier for the custom field. The key value must - exist in the case configuration settings. - type: string - type: - description: > - The custom field type. It must match the type specified in the - case configuration settings. - enum: - - text - - toggle - type: string - value: - description: > - The custom field value. If the custom field is required, it - cannot be explicitly set to null. However, for cases that - existed when the required custom field was added, the default - value stored in Elasticsearch is `undefined`. The value - returned in the API and user interface in this case is `null`. - oneOf: - - maxLength: 160 - minLength: 1 - nullable: true + type: string + maxItems: 100 + type: array + conditions: + additionalProperties: true + type: object + properties: + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + elastic: + additionalProperties: true + type: object + properties: + capabilities: + items: type: string - - type: boolean + maxItems: 10 + type: array + subscription: + type: string + kibana: + additionalProperties: true + type: object + properties: + version: + type: string + data_streams: + items: + additionalProperties: + nullable: true + type: object + maxItems: 1000 type: array + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' description: - example: A case description. 
type: string - duration: - description: > - The elapsed time from the creation of the case to its closure (in - seconds). If the case has not been closed, the duration is set to - null. If the case was closed after less than half a second, the - duration is rounded down to zero. - example: 120 - nullable: true - type: integer - external_service: - $ref: '#/components/schemas/Cases_external_service' - id: - example: 66b9aa00-94fa-11ea-9f74-e7e108796192 + discovery: + additionalProperties: true + type: object + properties: + datasets: + items: + additionalProperties: true + type: object + properties: + name: + type: string + required: + - name + maxItems: 100 + type: array + fields: + items: + additionalProperties: true + type: object + properties: + name: + type: string + required: + - name + maxItems: 100 + type: array + download: type: string - incremental_id: - description: > - A monotonically increasing number assigned to each case, unique per - space. This value is generated asynchronously after the case is - created and may not be present immediately in the response. - example: 1 - nullable: true - type: integer - observables: - description: Observables attached to the case. - items: - $ref: '#/components/schemas/Cases_case_observable' - type: array - owner: - $ref: '#/components/schemas/Cases_owner' - settings: - $ref: '#/components/schemas/Cases_settings' - severity: - $ref: '#/components/schemas/Cases_case_severity' - status: - $ref: '#/components/schemas/Cases_case_status' - tags: - example: - - tag-1 + format_version: + type: string + icons: items: - type: string + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_icon' + maxItems: 100 type: array - title: - example: Case title 1 + id: type: string - total_observables: - description: The number of observables attached to the case. - example: 0 - nullable: true - type: integer - totalAlerts: - example: 0 - type: integer - totalComment: - description: >- - The number of user comments on the case. 
Use the find case comments - API to retrieve comment content. - example: 1 - type: integer - totalEvents: - description: The number of events attached to the case. - example: 0 - type: integer - updated_at: - format: date-time - nullable: true + installationInfo: + $ref: '#/components/schemas/Kibana_HTTP_APIs_installation_info' + integration: type: string - updated_by: - $ref: '#/components/schemas/Cases_case_response_updated_by_properties' - version: - example: WzUzMiwxXQ== + internal: + type: boolean + latestVersion: type: string - required: - - closed_at - - closed_by - - connector - - created_at - - created_by - - description - - duration - - external_service - - id - - observables - - owner - - settings - - severity - - status - - tags - - title - - totalAlerts - - totalComment - - total_observables - - updated_at - - updated_by - - version - title: Get case response - type: object - Cases_case_response_properties: - title: Case response properties - type: object - properties: - assignees: - $ref: '#/components/schemas/Cases_assignees' - category: - description: The case category. - nullable: true + name: type: string - closed_at: - format: date-time - nullable: true + owner: + additionalProperties: true + type: object + properties: + github: + type: string + type: + enum: + - elastic + - partner + - community + type: string + path: type: string - closed_by: - $ref: '#/components/schemas/Cases_case_response_closed_by_properties' - comments: - description: An array of comment objects for the case. 
+ policy_templates: items: - discriminator: - mapping: - alert: '#/components/schemas/Cases_alert_comment_response_properties' - event: '#/components/schemas/Cases_event_comment_response_properties' - user: '#/components/schemas/Cases_user_comment_response_properties' - propertyName: type - oneOf: - - $ref: '#/components/schemas/Cases_alert_comment_response_properties' - - $ref: '#/components/schemas/Cases_event_comment_response_properties' - - $ref: '#/components/schemas/Cases_user_comment_response_properties' - maxItems: 10000 - title: Case response properties for comments + additionalProperties: + nullable: true + type: object + maxItems: 1000 type: array - connector: - discriminator: - mapping: - .cases-webhook: '#/components/schemas/Cases_connector_properties_cases_webhook' - .jira: '#/components/schemas/Cases_connector_properties_jira' - .none: '#/components/schemas/Cases_connector_properties_none' - .resilient: '#/components/schemas/Cases_connector_properties_resilient' - .servicenow: '#/components/schemas/Cases_connector_properties_servicenow' - .servicenow-sir: '#/components/schemas/Cases_connector_properties_servicenow_sir' - .swimlane: '#/components/schemas/Cases_connector_properties_swimlane' - propertyName: type - oneOf: - - $ref: '#/components/schemas/Cases_connector_properties_none' - - $ref: '#/components/schemas/Cases_connector_properties_cases_webhook' - - $ref: '#/components/schemas/Cases_connector_properties_jira' - - $ref: '#/components/schemas/Cases_connector_properties_resilient' - - $ref: '#/components/schemas/Cases_connector_properties_servicenow' - - $ref: '#/components/schemas/Cases_connector_properties_servicenow_sir' - - $ref: '#/components/schemas/Cases_connector_properties_swimlane' - title: Case response properties for connectors - created_at: - example: '2022-05-13T09:16:17.416Z' - format: date-time + readme: type: string - created_by: - $ref: '#/components/schemas/Cases_case_response_created_by_properties' - customFields: - 
description: Custom field values for the case. + release: + enum: + - ga + - beta + - experimental + type: string + signature_path: + type: string + source: + additionalProperties: true + type: object + properties: + license: + type: string + required: + - license + status: + type: string + title: + type: string + type: + anyOf: + - enum: + - integration + type: string + - enum: + - input + type: string + - enum: + - content + type: string + - type: string + var_groups: items: + additionalProperties: true type: object properties: - key: - description: > - The unique identifier for the custom field. The key value must - exist in the case configuration settings. + description: + type: string + name: + type: string + options: + items: + additionalProperties: true + type: object + properties: + description: + type: string + hide_in_deployment_modes: + items: + enum: + - default + - agentless + type: string + maxItems: 2 + type: array + name: + type: string + title: + type: string + vars: + items: + type: string + maxItems: 100 + type: array + required: + - name + - title + - vars + maxItems: 100 + type: array + selector_title: type: string - type: - description: > - The custom field type. It must match the type specified in the - case configuration settings. - enum: - - text - - toggle + title: type: string - value: - description: > - The custom field value. If the custom field is required, it - cannot be explicitly set to null. However, for cases that - existed when the required custom field was added, the default - value stored in Elasticsearch is `undefined`. The value - returned in the API and user interface in this case is `null`. - oneOf: - - maxLength: 160 - minLength: 1 - nullable: true - type: string - - type: boolean + required: + - name + - title + - selector_title + - options + maxItems: 100 type: array - description: - example: A case description. 
- type: string - duration: - description: > - The elapsed time from the creation of the case to its closure (in - seconds). If the case has not been closed, the duration is set to - null. If the case was closed after less than half a second, the - duration is rounded down to zero. - example: 120 - nullable: true - type: integer - external_service: - $ref: '#/components/schemas/Cases_external_service' - id: - example: 66b9aa00-94fa-11ea-9f74-e7e108796192 - type: string - incremental_id: - description: > - A monotonically increasing number assigned to each case, unique per - space. This value is generated asynchronously after the case is - created and may not be present immediately in the response. - example: 1 - nullable: true - type: integer - observables: - description: Observables attached to the case. + vars: items: - $ref: '#/components/schemas/Cases_case_observable' + additionalProperties: + nullable: true + type: object + maxItems: 1000 type: array - owner: - $ref: '#/components/schemas/Cases_owner' - settings: - $ref: '#/components/schemas/Cases_settings' - severity: - $ref: '#/components/schemas/Cases_case_severity' - status: - $ref: '#/components/schemas/Cases_case_status' - tags: - example: - - tag-1 + version: + type: string + required: + - name + - version + - title + - id + title: package_list_item + type: object + Kibana_HTTP_APIs_package_metadata: + additionalProperties: false + properties: + has_policies: + type: boolean + required: + - has_policies + title: package_metadata + type: object + Kibana_HTTP_APIs_package_policy_package: + additionalProperties: false + properties: + experimental_data_stream_features: items: - type: string + additionalProperties: false + type: object + properties: + data_stream: + type: string + features: + additionalProperties: false + type: object + properties: + doc_value_only_numeric: + type: boolean + doc_value_only_other: + type: boolean + synthetic_source: + type: boolean + tsdb: + type: boolean + required: + - 
data_stream + - features + maxItems: 100 type: array - title: - example: Case title 1 + fips_compatible: + type: boolean + name: + description: Package name type: string - total_observables: - description: The number of observables attached to the case. - example: 0 - nullable: true - type: integer - totalAlerts: - example: 0 - type: integer - totalComment: - example: 0 - type: integer - totalEvents: - description: The number of events attached to the case. - example: 0 - type: integer - updated_at: - format: date-time - nullable: true + requires_root: + type: boolean + title: type: string - updated_by: - $ref: '#/components/schemas/Cases_case_response_updated_by_properties' version: - example: WzUzMiwxXQ== + description: Package version type: string required: - - closed_at - - closed_by - - comments - - connector - - created_at - - created_by - - description - - duration - - external_service - - id - - observables - - owner - - settings - - severity - - status - - tags - - title - - totalAlerts - - totalComment - - total_observables - - updated_at - - updated_by + - name - version - Cases_case_response_pushed_by_properties: - nullable: true + title: package_policy_package + type: object + Kibana_HTTP_APIs_package_policy_response: + additionalProperties: false properties: - email: - example: null + additional_datastreams_permissions: + description: Additional data stream permissions that will be added to the agent policy. + items: + type: string + maxItems: 1000 nullable: true - type: string - full_name: - example: null + type: array + agents: + type: number + cloud_connector_id: + description: ID of the cloud connector associated with this package policy. nullable: true type: string - profile_uid: - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - type: string - username: - example: elastic + cloud_connector_name: + description: Transient field for cloud connector name during creation. 
+ maxLength: 255 + minLength: 1 nullable: true type: string - required: - - email - - full_name - - username - title: Case response properties for pushed_by - type: object - Cases_case_response_updated_by_properties: - nullable: true - properties: - email: - example: null - nullable: true + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this integration to its inputs.' type: string - full_name: - example: null - nullable: true + created_at: type: string - profile_uid: - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + created_by: type: string - username: - example: elastic - nullable: true + description: + description: Package policy description type: string - required: - - email - - full_name - - username - title: Case response properties for updated_by - type: object - Cases_case_severity: - description: The severity of the case. - enum: - - critical - - high - - low - - medium - type: string - Cases_case_status: - description: The status of the case. - enum: - - closed - - in-progress - - open - type: string - Cases_case_tags: - description: > - The words and phrases that help categorize cases. It can be an empty - array. - items: - maxLength: 256 - type: string - maxItems: 200 - type: array - Cases_case_title: - description: A title for the case. - maxLength: 160 - type: string - Cases_closure_types: - description: >- - Indicates whether a case is automatically closed when it is pushed to - external systems (`close-by-pushing`) or not automatically closed - (`close-by-user`). - enum: - - close-by-pushing - - close-by-user - example: close-by-user - type: string - Cases_connector_properties_cases_webhook: - description: Defines properties for connectors when type is `.cases-webhook`. 
- type: object - properties: - fields: - example: null + elasticsearch: + additionalProperties: true + type: object + properties: + privileges: + additionalProperties: true + type: object + properties: + cluster: + items: + type: string + maxItems: 100 + type: array + enabled: + type: boolean + global_data_tags: + items: + additionalProperties: false + type: object + properties: + name: + description: The name of the custom field. Cannot contain spaces. + type: string + value: + anyOf: + - type: string + - type: number + description: The value of the custom field. + required: + - name + - value + maxItems: 100 nullable: true - type: string + type: array id: - description: >- - The identifier for the connector. To retrieve connector IDs, use the - find connectors API. type: string + inputs: + anyOf: + - items: + additionalProperties: false + type: object + properties: + compiled_input: + nullable: true + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' + type: string + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + name: + type: string + policy_template: + type: string + streams: + items: + additionalProperties: false + type: object + properties: + compiled_stream: + nullable: true + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' 
+ type: string + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + data_stream: + additionalProperties: false + type: object + properties: + dataset: + type: string + elasticsearch: + additionalProperties: false + type: object + properties: + dynamic_dataset: + type: boolean + dynamic_namespace: + type: boolean + privileges: + additionalProperties: false + type: object + properties: + indices: + items: + type: string + maxItems: 100 + type: array + type: + type: string + required: + - dataset + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + release: + enum: + - ga + - beta + - experimental + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - enabled + - data_stream + - compiled_stream + maxItems: 1000 + type: array + type: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. 
+ type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - type + - enabled + - streams + - compiled_input + maxItems: 100 + type: array + - additionalProperties: + additionalProperties: false + type: object + properties: + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' + type: string + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + description: Enable or disable that input. Defaults to `true` (enabled). + type: boolean + streams: + additionalProperties: + additionalProperties: false + type: object + properties: + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' + type: string + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + description: Enable or disable that stream. Defaults to `true` (enabled). + type: boolean + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Input streams. Refer to the integration documentation to know which streams are available. 
+ type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Package policy inputs. Refer to the integration documentation to know which inputs are available. + type: object + description: Package policy inputs. + is_managed: + type: boolean name: - description: The name of the connector. + description: Unique name for the package policy. type: string - type: - description: The type of connector. - enum: - - .cases-webhook - example: .cases-webhook + namespace: + description: The package policy namespace. Leave blank to inherit the agent policy's namespace. type: string - required: - - fields - - id - - name - - type - title: Create or upate case request properties for Cases Webhook connector - Cases_connector_properties_jira: - description: Defines properties for connectors when type is `.jira`. - type: object - properties: - fields: - description: >- - An object containing the connector fields. If you want to omit any - individual field, specify null as its value. + output_id: + nullable: true + type: string + overrides: + additionalProperties: false + description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. + nullable: true type: object properties: - issueType: - description: The type of issue. - nullable: true - type: string - parent: - description: The key of the parent issue, when the issue type is sub-task. - nullable: true - type: string - priority: - description: The priority of the issue. 
- nullable: true - type: string - required: - - issueType - - parent - - priority - id: - description: >- - The identifier for the connector. To retrieve connector IDs, use the - find connectors API. - type: string - name: - description: The name of the connector. - type: string - type: - description: The type of connector. - enum: - - .jira - example: .jira + inputs: + additionalProperties: + nullable: true + type: object + package: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_package' + package_agent_version_condition: type: string - required: - - fields - - id - - name - - type - title: Create or update case request properties for a Jira connector - Cases_connector_properties_none: - description: Defines properties for connectors when type is `.none`. - type: object - properties: - fields: - description: >- - An object containing the connector fields. To create a case without - a connector, specify null. To update a case to remove the connector, - specify null. - example: null + policy_id: + deprecated: true + description: ID of the agent policy which the package policy will be added to. nullable: true type: string - id: - description: >- - The identifier for the connector. To create a case without a - connector, use `none`. To update a case to remove the connector, - specify `none`. - example: none + policy_ids: + items: + description: IDs of the agent policies that the package policy will be added to. + type: string + maxItems: 1000 + type: array + revision: + description: Package policy revision. + type: number + secret_references: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 1000 + type: array + spaceIds: + items: + type: string + maxItems: 100 + type: array + supports_agentless: + default: false + description: Indicates whether the package policy belongs to an agentless agent policy. 
+ nullable: true + type: boolean + supports_cloud_connector: + default: false + description: Indicates whether the package policy supports cloud connectors. + nullable: true + type: boolean + updated_at: type: string - name: - description: >- - The name of the connector. To create a case without a connector, use - `none`. To update a case to remove the connector, specify `none`. - example: none + updated_by: type: string - type: - description: >- - The type of connector. To create a case without a connector, use - `.none`. To update a case to remove the connector, specify `.none`. - enum: - - .none - example: .none + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + anyOf: + - additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + - additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Package level variable. + version: + description: Package policy ES version. type: string required: - - fields - - id - name - - type - title: Create or update case request properties for no connector - Cases_connector_properties_resilient: - description: Defines properties for connectors when type is `.resilient`. 
+ - enabled + - inputs + - revision + - updated_at + - updated_by + - created_at + - created_by + title: package_policy_response type: object + Kibana_HTTP_APIs_package_policy_status_response: + additionalProperties: false properties: - fields: - description: >- - An object containing the connector fields. If you want to omit any - individual field, specify null as its value. - nullable: true + body: + additionalProperties: false type: object properties: - issueTypes: - description: The type of incident. - items: - type: string - type: array - severityCode: - description: The severity code of the incident. + message: type: string required: - - issueTypes - - severityCode + - message id: - description: The identifier for the connector. type: string name: - description: The name of the connector. - type: string - type: - description: The type of connector. - enum: - - .resilient - example: .resilient type: string + statusCode: + type: number + success: + type: boolean required: - - fields - id - - name - - type - title: Create case request properties for a IBM Resilient connector - Cases_connector_properties_servicenow: - description: Defines properties for connectors when type is `.servicenow`. + - success + title: package_policy_status_response type: object + Kibana_HTTP_APIs_percentileOperation: + additionalProperties: false properties: - fields: - description: >- - An object containing the connector fields. If you want to omit any - individual field, specify null as its value. - type: object - properties: - category: - description: The category of the incident. - nullable: true - type: string - impact: - description: The effect an incident had on business. - nullable: true - type: string - severity: - description: The severity of the incident. - nullable: true - type: string - subcategory: - description: The subcategory of the incident. - nullable: true - type: string - urgency: - description: The extent to which the incident resolution can be delayed. 
- nullable: true - type: string - required: - - category - - impact - - severity - - subcategory - - urgency - id: - description: >- - The identifier for the connector. To retrieve connector IDs, use the - find connectors API. + field: + description: Field to be used for the metric type: string - name: - description: The name of the connector. + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string - type: - description: The type of connector. + operation: enum: - - .servicenow - example: .servicenow - type: string - required: - - fields - - id - - name - - type - title: Create case request properties for a ServiceNow ITSM connector - Cases_connector_properties_servicenow_sir: - description: Defines properties for connectors when type is `.servicenow-sir`. - type: object - properties: - fields: - description: >- - An object containing the connector fields. If you want to omit any - individual field, specify null as its value. - type: object - properties: - category: - description: The category of the incident. - nullable: true - type: string - destIp: - description: >- - Indicates whether cases will send a comma-separated list of - destination IPs. - nullable: true - type: boolean - malwareHash: - description: >- - Indicates whether cases will send a comma-separated list of - malware hashes. - nullable: true - type: boolean - malwareUrl: - description: >- - Indicates whether cases will send a comma-separated list of - malware URLs. - nullable: true - type: boolean - priority: - description: The priority of the issue. - nullable: true - type: string - sourceIp: - description: >- - Indicates whether cases will send a comma-separated list of - source IPs. - nullable: true - type: boolean - subcategory: - description: The subcategory of the incident. 
- nullable: true - type: string - required: - - category - - destIp - - malwareHash - - malwareUrl - - priority - - sourceIp - - subcategory - id: - description: >- - The identifier for the connector. To retrieve connector IDs, use the - find connectors API. + - percentile type: string - name: - description: The name of the connector. + percentile: + default: 95 + description: Percentile + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting type: string - type: - description: The type of connector. - enum: - - .servicenow-sir - example: .servicenow-sir + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting type: string required: - - fields - - id - - name - - type - title: Create case request properties for a ServiceNow SecOps connector - Cases_connector_properties_swimlane: - description: Defines properties for connectors when type is `.swimlane`. + - field + - operation + title: Percentile Operation type: object + Kibana_HTTP_APIs_percentileRanksOperation: + additionalProperties: false properties: - fields: - description: >- - An object containing the connector fields. If you want to omit any - individual field, specify null as its value. - type: object - properties: - caseId: - description: The case identifier for Swimlane connectors. - nullable: true - type: string - required: - - caseId - id: - description: >- - The identifier for the connector. To retrieve connector IDs, use the - find connectors API. + field: + description: Field to be used for the metric type: string - name: - description: The name of the connector. + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string - type: - description: The type of connector. 
+ operation: enum: - - .swimlane - example: .swimlane + - percentile_rank + type: string + rank: + default: 0 + description: Percentile Rank + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting type: string required: - - fields - - id - - name - - type - title: Create case request properties for a Swimlane connector - Cases_connector_types: - description: The type of connector. - enum: - - .cases-webhook - - .jira - - .none - - .resilient - - .servicenow - - .servicenow-sir - - .swimlane - example: .none - type: string - Cases_create_case_request: - description: >- - The create case API request body varies depending on the type of - connector. + - field + - operation + title: Percentile Ranks Operation + type: object + Kibana_HTTP_APIs_pieESQL: + additionalProperties: false + description: Pie chart configuration for ES|QL queries properties: - assignees: - $ref: '#/components/schemas/Cases_assignees' - category: - $ref: '#/components/schemas/Cases_case_category' - connector: - oneOf: - - $ref: '#/components/schemas/Cases_connector_properties_none' - - $ref: '#/components/schemas/Cases_connector_properties_cases_webhook' - - $ref: '#/components/schemas/Cases_connector_properties_jira' - - $ref: '#/components/schemas/Cases_connector_properties_resilient' - - $ref: '#/components/schemas/Cases_connector_properties_servicenow' - - $ref: '#/components/schemas/Cases_connector_properties_servicenow_sir' - - $ref: '#/components/schemas/Cases_connector_properties_swimlane' - customFields: - description: > - Custom field values for a case. Any optional custom fields that are - not specified in the request are set to null. 
+ data_source: + $ref: '#/components/schemas/Kibana_HTTP_APIs_esqlDataSource' + description: + type: string + drilldowns: + items: + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. + type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. 
Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + group_by: + description: Array of breakdown dimensions (minimum 1) items: + additionalProperties: false type: object properties: - key: - description: > - The unique identifier for the custom field. The key value must - exist in the case configuration settings. + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + column: + description: Column to use type: string - type: - description: > - The custom field type. It must match the type specified in the - case configuration settings. - enum: - - text - - toggle + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string - value: - description: > - The custom field value. If the custom field is required, it - cannot be explicitly set to null. However, for cases that - existed when the required custom field was added, the default - value stored in Elasticsearch is `undefined`. The value - returned in the API and user interface in this case is `null`. 
- oneOf: - - maxLength: 160 - minLength: 1 - nullable: true - type: string - - type: boolean required: - - key - - type - - value - maxItems: 10 - minItems: 0 + - column + maxItems: 100 + minItems: 1 type: array - description: - $ref: '#/components/schemas/Cases_case_description' - owner: - $ref: '#/components/schemas/Cases_owner' - settings: - $ref: '#/components/schemas/Cases_settings' - severity: - $ref: '#/components/schemas/Cases_case_severity' - tags: - $ref: '#/components/schemas/Cases_case_tags' - title: - $ref: '#/components/schemas/Cases_case_title' - required: - - connector - - description - - owner - - settings - - tags - - title - title: Create case request - type: object - Cases_event_comment_response_properties: - title: Case response properties for event comments - type: object - properties: - created_at: - example: '2022-05-13T09:16:17.416Z' - format: date-time - type: string - created_by: - $ref: '#/components/schemas/Cases_case_response_created_by_properties' - eventId: + hide_border: + type: boolean + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. 
+ type: boolean + legend: + $ref: '#/components/schemas/Kibana_HTTP_APIs_pieLegend' + metrics: + description: Array of metric configurations (minimum 1) items: - example: 7605e6a6f9f4f990ad9f8f6901e5f082f1f1f1665cbaf2f0f2c6f8f6b0d8a39f - type: string + additionalProperties: false + description: ES|QL column reference for primary metric + type: object + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + column: + description: Column to use + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + required: + - column + maxItems: 100 + minItems: 1 type: array - id: - example: 8af6ac20-74f6-11ea-b83a-553aecdb28b6 - type: string - index: + references: items: - example: .internal.alerts-security.alerts-default-000001 - type: string + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' type: array - owner: - $ref: '#/components/schemas/Cases_owner' - pushed_at: - example: null - format: date-time - nullable: true + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). 
+ maximum: 1 + minimum: 0 + type: number + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_pieStyling' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: type: string - pushed_by: - $ref: '#/components/schemas/Cases_case_response_pushed_by_properties' type: enum: - - event - example: event - type: string - updated_at: - example: null - format: date-time - nullable: true - type: string - updated_by: - $ref: '#/components/schemas/Cases_case_response_updated_by_properties' - version: - example: WzIwNDMxLDFd + - pie type: string required: - type - Cases_external_service: - nullable: true + - data_source + - metrics + title: Pie Chart (ES|QL) type: object + Kibana_HTTP_APIs_pieGroupByDateHistogram: + additionalProperties: false properties: - connector_id: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + drop_partial_intervals: + description: When `true`, drops partial intervals from the results. + type: boolean + field: + description: Field to be used for the date histogram. type: string - connector_name: + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. + type: boolean + label: + description: Label for the operation type: string - external_id: + operation: + enum: + - date_histogram type: string - external_title: + suggested_interval: + default: auto + description: Suggested time interval. type: string - external_url: + use_original_time_range: + default: false + description: When `true`, uses the original time range instead of the current query time range. 
+ type: boolean + required: + - operation + - field + title: Date Histogram Operation + type: object + Kibana_HTTP_APIs_pieGroupByFilters: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + filters: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterWithLabel' + maxItems: 100 + type: array + label: + description: Label for the operation type: string - pushed_at: - format: date-time + operation: + enum: + - filters type: string - pushed_by: - nullable: true - type: object - properties: - email: - example: null - nullable: true - type: string - full_name: - example: null - nullable: true - type: string - profile_uid: - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - type: string - username: - example: elastic - nullable: true + required: + - operation + - filters + title: Filters Operation + type: object + Kibana_HTTP_APIs_pieGroupByHistogram: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + field: + description: Field to be used for the histogram. + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + granularity: + anyOf: + - description: Granularity of the histogram. + maximum: 7 + minimum: 1 + type: number + - enum: + - auto type: string - Cases_find_comments_response: - title: Find case comments response + default: auto + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. 
+ type: boolean + label: + description: Label for the operation + type: string + operation: + enum: + - histogram + type: string + required: + - operation + - field + title: Histogram Operation type: object + Kibana_HTTP_APIs_pieGroupByRanges: + additionalProperties: false properties: - comments: - description: Paginated list of user comments for the case. + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + field: + description: Field to be used for the range. + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - range + type: string + ranges: items: - $ref: '#/components/schemas/Cases_user_comment_response_properties' + additionalProperties: false + type: object + properties: + gt: + description: Greater than. + type: number + label: + description: Label. + type: string + lte: + description: Less than or equal to. + type: number + maxItems: 100 type: array - page: - description: The current page index. - type: integer - per_page: - description: The number of items per page. - type: integer - total: - description: The total number of comments. - type: integer required: - - comments - - page - - per_page - - total - Cases_owner: - description: > - The application that owns the cases: Stack Management, Observability, or - Elastic Security. 
- enum: - - cases - - observability - - securitySolution - example: cases - type: string - Cases_owners: - items: - $ref: '#/components/schemas/Cases_owner' - type: array - Cases_payload_alert_comment: + - operation + - field + - ranges + title: Ranges Operation type: object + Kibana_HTTP_APIs_pieGroupByTerms: + additionalProperties: false properties: - comment: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + excludes: + additionalProperties: false type: object properties: - alertId: - oneOf: - - example: 1c0b056b-cc9f-4b61-b5c9-cb801abd5e1d - type: string - - items: - type: string - type: array - index: - oneOf: - - example: .alerts-observability.logs.alerts-default - type: string - - items: - type: string - type: array - owner: - $ref: '#/components/schemas/Cases_owner' - rule: - type: object - properties: - id: - description: The rule identifier. - example: 94d80550-aaf4-11ec-985f-97e55adae8b9 - nullable: true - type: string - name: - description: The rule name. - example: security_rule - nullable: true - type: string - type: - enum: - - alert - type: string - Cases_payload_assignees: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to exclude. + type: string + maxItems: 100 + type: array + required: + - values + fields: + items: + description: Fields to be used for the terms. + type: string + maxItems: 4 + minItems: 1 + type: array + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + includes: + additionalProperties: false + type: object + properties: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to include. 
+ type: string + maxItems: 100 + type: array + required: + - values + increase_accuracy: + description: When `true`, increases accuracy at the cost of performance. + type: boolean + label: + description: Label for the operation + type: string + limit: + default: 5 + description: Number of terms to return. + type: number + operation: + enum: + - terms + type: string + other_bucket: + additionalProperties: false + type: object + properties: + include_documents_without_field: + description: When `true`, includes documents that do not have the specified field. + type: boolean + required: + - include_documents_without_field + rank_by: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByAlphabetical' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByRare' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankBySignificant' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomCountOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileRankOperation' + required: + - operation + - fields + title: Terms Operation type: object + Kibana_HTTP_APIs_pieLegend: + additionalProperties: false + description: Legend configuration for pie chart properties: - assignees: - $ref: '#/components/schemas/Cases_assignees' - Cases_payload_connector: + nested: + description: Show nested legend with hierarchical breakdown levels + type: boolean + size: + $ref: '#/components/schemas/Kibana_HTTP_APIs_legendSize' + truncate_after_lines: + description: Number of lines before legend items are truncated. + maximum: 10 + minimum: 1 + title: legendTruncateAfterLines + type: number + visibility: + description: Legend visibility. 
+ enum: + - auto + - visible + - hidden + type: string + title: Legend type: object + Kibana_HTTP_APIs_pieMetricCounterRate: + additionalProperties: false properties: - connector: - type: object - properties: - fields: - description: >- - An object containing the connector fields. To create a case - without a connector, specify null. If you want to omit any - individual field, specify null as its value. - example: null - nullable: true - type: object - properties: - caseId: - description: The case identifier for Swimlane connectors. - type: string - category: - description: >- - The category of the incident for ServiceNow ITSM and - ServiceNow SecOps connectors. - type: string - destIp: - description: >- - Indicates whether cases will send a comma-separated list of - destination IPs for ServiceNow SecOps connectors. - nullable: true - type: boolean - impact: - description: >- - The effect an incident had on business for ServiceNow ITSM - connectors. - type: string - issueType: - description: The type of issue for Jira connectors. - type: string - issueTypes: - description: The type of incident for IBM Resilient connectors. - items: - type: string - type: array - malwareHash: - description: >- - Indicates whether cases will send a comma-separated list of - malware hashes for ServiceNow SecOps connectors. - nullable: true - type: boolean - malwareUrl: - description: >- - Indicates whether cases will send a comma-separated list of - malware URLs for ServiceNow SecOps connectors. - nullable: true - type: boolean - parent: - description: >- - The key of the parent issue, when the issue type is sub-task - for Jira connectors. - type: string - priority: - description: >- - The priority of the issue for Jira and ServiceNow SecOps - connectors. - type: string - severity: - description: The severity of the incident for ServiceNow ITSM connectors. - type: string - severityCode: - description: >- - The severity code of the incident for IBM Resilient - connectors. 
- type: string - sourceIp: - description: >- - Indicates whether cases will send a comma-separated list of - source IPs for ServiceNow SecOps connectors. - nullable: true - type: boolean - subcategory: - description: >- - The subcategory of the incident for ServiceNow ITSM - connectors. - type: string - urgency: - description: >- - The extent to which the incident resolution can be delayed - for ServiceNow ITSM connectors. - type: string - id: - description: >- - The identifier for the connector. To create a case without a - connector, use `none`. - example: none - type: string - name: - description: >- - The name of the connector. To create a case without a connector, - use `none`. - example: none - type: string - type: - $ref: '#/components/schemas/Cases_connector_types' - Cases_payload_create_case: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - counter_rate + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Counter Rate Operation type: object + Kibana_HTTP_APIs_pieMetricCountMetric: + additionalProperties: false properties: - assignees: - $ref: '#/components/schemas/Cases_assignees' - connector: - type: object - properties: - fields: - description: >- - An object containing the connector fields. To create a case - without a connector, specify null. 
If you want to omit any - individual field, specify null as its value. - example: null - nullable: true - type: object - properties: - caseId: - description: The case identifier for Swimlane connectors. - type: string - category: - description: >- - The category of the incident for ServiceNow ITSM and - ServiceNow SecOps connectors. - type: string - destIp: - description: >- - Indicates whether cases will send a comma-separated list of - destination IPs for ServiceNow SecOps connectors. - nullable: true - type: boolean - impact: - description: >- - The effect an incident had on business for ServiceNow ITSM - connectors. - type: string - issueType: - description: The type of issue for Jira connectors. - type: string - issueTypes: - description: The type of incident for IBM Resilient connectors. - items: - type: string - type: array - malwareHash: - description: >- - Indicates whether cases will send a comma-separated list of - malware hashes for ServiceNow SecOps connectors. - nullable: true - type: boolean - malwareUrl: - description: >- - Indicates whether cases will send a comma-separated list of - malware URLs for ServiceNow SecOps connectors. - nullable: true - type: boolean - parent: - description: >- - The key of the parent issue, when the issue type is sub-task - for Jira connectors. - type: string - priority: - description: >- - The priority of the issue for Jira and ServiceNow SecOps - connectors. - type: string - severity: - description: The severity of the incident for ServiceNow ITSM connectors. - type: string - severityCode: - description: >- - The severity code of the incident for IBM Resilient - connectors. - type: string - sourceIp: - description: >- - Indicates whether cases will send a comma-separated list of - source IPs for ServiceNow SecOps connectors. - nullable: true - type: boolean - subcategory: - description: >- - The subcategory of the incident for ServiceNow ITSM - connectors. 
- type: string - urgency: - description: >- - The extent to which the incident resolution can be delayed - for ServiceNow ITSM connectors. - type: string - id: - description: >- - The identifier for the connector. To create a case without a - connector, use `none`. - example: none - type: string - name: - description: >- - The name of the connector. To create a case without a connector, - use `none`. - example: none - type: string - type: - $ref: '#/components/schemas/Cases_connector_types' - description: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. + type: boolean + field: + description: Field to be used for the metric type: string - owner: - $ref: '#/components/schemas/Cases_owner' - settings: - $ref: '#/components/schemas/Cases_settings' - severity: - $ref: '#/components/schemas/Cases_case_severity' - status: - $ref: '#/components/schemas/Cases_case_status' - tags: - example: - - tag-1 - items: - type: string - type: array - title: + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string - Cases_payload_delete: - description: >- - If the `action` is `delete` and the `type` is `delete_case`, the payload - is nullable. 
- nullable: true + operation: + enum: + - count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - operation + title: Count Metric Operation type: object - Cases_payload_description: + Kibana_HTTP_APIs_pieMetricCumulativeSum: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - cumulative_sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Cumulative Sum Operation type: object + Kibana_HTTP_APIs_pieMetricDifferences: + additionalProperties: false properties: - description: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string - Cases_payload_pushed: + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - differences + type: string + 
reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - operation + - of + title: Differences Operation type: object + Kibana_HTTP_APIs_pieMetricFormula: + additionalProperties: false properties: - externalService: - $ref: '#/components/schemas/Cases_external_service' - Cases_payload_settings: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + formula: + description: Formula + type: string + label: + description: Label for the operation + type: string + operation: + enum: + - formula + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + description: Time scale + enum: + - s + - m + - h + - d + type: string + required: + - operation + - formula + title: Formula Operation type: object + Kibana_HTTP_APIs_pieMetricLastValue: + additionalProperties: false properties: - settings: - $ref: '#/components/schemas/Cases_settings' - Cases_payload_severity: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + multi_value: + default: false + description: Whether to return all values for multi-value fields. 
Only affects data table and metric charts; other charts use the last value from the array. + type: boolean + operation: + enum: + - last_value + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_field: + description: Time field used to determine document recency + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + - time_field + title: Last Value Operation type: object + Kibana_HTTP_APIs_pieMetricMovingAverage: + additionalProperties: false properties: - severity: - $ref: '#/components/schemas/Cases_case_severity' - Cases_payload_status: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - moving_average + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + window: + default: 5 + description: Window + type: number + required: + - operation + - of + title: Moving Average Operation type: object + Kibana_HTTP_APIs_pieMetricPercentile: + additionalProperties: false properties: - status: - $ref: '#/components/schemas/Cases_case_status' - Cases_payload_tags: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: 
'#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - percentile + type: string + percentile: + default: 95 + description: Percentile + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Percentile Operation type: object + Kibana_HTTP_APIs_pieMetricPercentileRanks: + additionalProperties: false properties: - tags: - example: - - tag-1 - items: - type: string - type: array - Cases_payload_title: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - percentile_rank + type: string + rank: + default: 0 + description: Percentile Rank + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Percentile Ranks Operation type: object + Kibana_HTTP_APIs_pieMetricStatsMetric: + additionalProperties: false 
properties: - title: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric type: string - Cases_payload_user_comment: + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - min + - max + - average + - median + - standard_deviation + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Stats Metric Operation type: object + Kibana_HTTP_APIs_pieMetricSumMetric: + additionalProperties: false properties: - comment: - type: object - properties: - comment: - type: string - owner: - $ref: '#/components/schemas/Cases_owner' - type: - enum: - - user - type: string - Cases_related_case: - description: > - Summary of a case returned when listing cases that contain a given - alert. This is a subset of the full case response. - properties: - createdAt: - description: When the case was created. - format: date-time + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. + type: boolean + field: + description: Field to be used for the metric type: string - description: - description: The case description. 
+ filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string - id: - description: The case identifier. + operation: + enum: + - sum type: string - status: - $ref: '#/components/schemas/Cases_case_status' - title: - description: The case title. + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting type: string - totals: - $ref: '#/components/schemas/Cases_attachment_totals' required: - - id - - title - - description - - status - - createdAt - - totals - title: Related case + - field + - operation + title: Sum Metric Operation type: object - Cases_response_4xx: + Kibana_HTTP_APIs_pieMetricUniqueCountMetric: + additionalProperties: false properties: - error: - example: Unauthorized + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. + type: boolean + field: + description: Field to be used for the metric type: string - message: + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string - statusCode: - example: 401 - type: integer - title: Unsuccessful cases API response - type: object - Cases_rule: - description: > - The rule that is associated with the alerts. It is required only when - `type` is `alert`. This functionality is in technical preview and may be - changed or removed in a future release. 
Elastic will work to fix any - issues, but features in technical preview are not subject to the support - SLA of official GA features. - title: Alerting rule + operation: + enum: + - unique_count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Unique Count Metric Operation type: object + Kibana_HTTP_APIs_pieNoESQL: + additionalProperties: false + description: Pie chart configuration for standard queries properties: - id: - description: The rule identifier. - example: 94d80550-aaf4-11ec-985f-97e55adae8b9 + data_source: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' + description: type: string - name: - description: The rule name. - example: security_rule + drilldowns: + items: + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. 
+ type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + group_by: + description: Array of breakdown dimensions (minimum 1) + items: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieGroupByDateHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieGroupByTerms' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieGroupByHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieGroupByRanges' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieGroupByFilters' + maxItems: 100 + minItems: 1 + type: array + hide_border: + type: boolean + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. 
+ type: boolean + legend: + $ref: '#/components/schemas/Kibana_HTTP_APIs_pieLegend' + metrics: + description: Array of metric configurations (minimum 1) + items: + anyOf: + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieMetricCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieMetricUniqueCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieMetricStatsMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieMetricSumMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieMetricLastValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieMetricPercentile' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieMetricPercentileRanks' + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieMetricDifferences' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieMetricMovingAverage' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieMetricCumulativeSum' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieMetricCounterRate' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieMetricFormula' + maxItems: 100 + minItems: 1 + type: array + query: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). + maximum: 1 + minimum: 0 + type: number + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_pieStyling' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: type: string - x-state: Technical preview - Cases_searchFieldsType: - description: The fields to perform the `simple_query_string` parsed query against. 
- enum: - - description - - title - type: string - Cases_searchFieldsTypeArray: - items: - $ref: '#/components/schemas/Cases_searchFieldsType' - type: array - Cases_set_case_configuration_request: - description: >- - External connection details, such as the closure type and default - connector for cases. + type: + enum: + - pie + type: string + required: + - type + - data_source + - metrics + title: Pie Chart (DSL) + type: object + Kibana_HTTP_APIs_pieStyling: + additionalProperties: false + description: Visual chart styling options properties: - closure_type: - $ref: '#/components/schemas/Cases_closure_types' - connector: - description: An object that contains the connector configuration. + donut_hole: + description: 'Donut hole size. Accepted values: `none` (full pie), `s`, `m`, `l`.' + enum: + - none + - s + - m + - l + type: string + labels: + additionalProperties: false + description: Label configuration for pie chart slice labels inside or outside the pie type: object properties: - fields: - description: >- - The fields specified in the case configuration are not used and - are not propagated to individual cases, therefore it is - recommended to set it to `null`. - nullable: true - type: object - id: - description: >- - The identifier for the connector. If you do not want a default - connector, use `none`. To retrieve connector IDs, use the find - connectors API. - example: none - type: string - name: - description: >- - The name of the connector. If you do not want a default - connector, use `none`. To retrieve connector names, use the find - connectors API. - example: none + position: + description: 'Slice label position: `inside` or `outside`.' + enum: + - inside + - outside type: string - type: - $ref: '#/components/schemas/Cases_connector_types' - required: - - fields - - id - - name - - type - customFields: - description: Custom fields case configuration. 
- items: - type: object - properties: - defaultValue: - description: > - A default value for the custom field. If the `type` is `text`, - the default value must be a string. If the `type` is `toggle`, - the default value must be boolean. - oneOf: - - type: string - - type: boolean - key: - description: > - A unique key for the custom field. Must be lower case and - composed only of a-z, 0-9, '_', and '-' characters. It is used - in API calls to refer to a specific custom field. - maxLength: 36 - minLength: 1 - type: string - label: - description: The custom field label that is displayed in the case. - maxLength: 50 - minLength: 1 - type: string - type: - description: The type of the custom field. - enum: - - text - - toggle - type: string - required: - description: > - Indicates whether the field is required. If `false`, the - custom field can be set to null or omitted when a case is - created or updated. - type: boolean - required: - - key - - label - - required - - type - maxItems: 10 - minItems: 0 - type: array - owner: - $ref: '#/components/schemas/Cases_owner' - templates: - $ref: '#/components/schemas/Cases_templates' - required: - - closure_type - - connector - - owner - title: Set case configuration request + visible: + description: When `true`, displays slice labels. + type: boolean + values: + $ref: '#/components/schemas/Kibana_HTTP_APIs_valueDisplay' + title: Pie chart styling type: object - Cases_settings: - description: An object that contains the case settings. + Kibana_HTTP_APIs_QueryStreamUpsertRequest: + additionalProperties: false type: object properties: - extractObservables: - description: > - When true, observables (e.g. IPs, hashes, URLs) are automatically - extracted from case comments. Optional; defaults to false when - omitted. - example: false - type: boolean - syncAlerts: - description: Turns alert syncing on or off. 
- example: true - type: boolean - required: - - syncAlerts - Cases_string: - type: string - Cases_string_array: - items: - $ref: '#/components/schemas/Cases_string' - maxItems: 100 - type: array - Cases_template_tags: - description: > - The words and phrases that help categorize templates. It can be an empty - array. - items: - maxLength: 256 - type: string - maxItems: 200 - type: array - Cases_templates: - items: - type: object - properties: - caseFields: + dashboards: + items: + type: string + type: array + queries: + items: type: object properties: - assignees: - $ref: '#/components/schemas/Cases_assignees' - category: - $ref: '#/components/schemas/Cases_case_category' - connector: + description: + type: string + esql: type: object properties: - fields: - description: >- - The fields specified in the case configuration are not - used and are not propagated to individual cases, therefore - it is recommended to set it to `null`. - nullable: true - type: object - id: - description: >- - The identifier for the connector. If you do not want a - default connector, use `none`. To retrieve connector IDs, - use the find connectors API. - example: none - type: string - name: - description: >- - The name of the connector. If you do not want a default - connector, use `none`. To retrieve connector names, use - the find connectors API. - example: none + query: type: string - type: - $ref: '#/components/schemas/Cases_connector_types' - customFields: - description: Custom field values in the template. + required: + - query + evidence: + items: + type: string + type: array + features: items: type: object properties: - key: - description: The unique key for the custom field. + id: type: string - type: - description: The type of the custom field. - enum: - - text - - toggle + run_id: type: string - value: - description: > - The default value for the custom field when a case uses - the template. If the `type` is `text`, the default value - must be a string. 
If the `type` is `toggle`, the default - value must be boolean. - oneOf: - - type: string - - type: boolean + required: + - id type: array - x-state: Technical preview - description: - $ref: '#/components/schemas/Cases_case_description' - settings: - $ref: '#/components/schemas/Cases_settings' - severity: - $ref: '#/components/schemas/Cases_case_severity' - tags: - $ref: '#/components/schemas/Cases_case_tags' + id: + description: A non-empty string. + minLength: 1 + type: string + severity_score: + type: number title: - $ref: '#/components/schemas/Cases_case_title' - description: - description: A description for the template. - type: string - key: - description: > - A unique key for the template. Must be lower case and composed - only of a-z, 0-9, '_', and '-' characters. It is used in API calls - to refer to a specific template. - type: string - name: - description: The name of the template. + description: A non-empty string. + minLength: 1 + type: string + type: + default: match + enum: + - match + - stats + type: string + required: + - id + - title + - description + - esql + type: array + rules: + items: type: string - tags: - $ref: '#/components/schemas/Cases_template_tags' - type: array - x-state: Technical preview - Cases_update_alert_comment_request_properties: - description: Defines properties for case comment requests when type is alert. - type: object - properties: - alertId: - $ref: '#/components/schemas/Cases_alert_identifiers' - id: - description: > - The identifier for the comment. To retrieve comment IDs, use the get - comments API. - example: 8af6ac20-74f6-11ea-b83a-553aecdb28b6 - type: string - index: - $ref: '#/components/schemas/Cases_alert_indices' - owner: - $ref: '#/components/schemas/Cases_owner' - rule: - $ref: '#/components/schemas/Cases_rule' - type: - description: The type of comment. - enum: - - alert - example: alert - type: string - version: - description: > - The current comment version. 
To retrieve version values, use the get - comments API. - example: Wzk1LDFd - type: string - required: - - alertId - - id - - index - - owner - - rule - - type - - version - title: Update case comment request properties for alerts - Cases_update_case_comment_request: - description: >- - The update case comment API request body varies depending on whether you - are updating an alert or a comment. - discriminator: - mapping: - alert: '#/components/schemas/Cases_update_alert_comment_request_properties' - user: '#/components/schemas/Cases_update_user_comment_request_properties' - propertyName: type - oneOf: - - $ref: '#/components/schemas/Cases_update_alert_comment_request_properties' - - $ref: '#/components/schemas/Cases_update_user_comment_request_properties' - title: Update case comment request - Cases_update_case_configuration_request: - description: > - You can update settings such as the closure type, custom fields, - templates, and the default connector for cases. - properties: - closure_type: - $ref: '#/components/schemas/Cases_closure_types' - connector: - description: An object that contains the connector configuration. + type: array + stream: + additionalProperties: false type: object properties: - fields: - description: >- - The fields specified in the case configuration are not used and - are not propagated to individual cases, therefore it is - recommended to set it to `null`. - nullable: true - type: object - id: - description: >- - The identifier for the connector. If you do not want a default - connector, use `none`. To retrieve connector IDs, use the find - connectors API. - example: none - type: string - name: - description: >- - The name of the connector. If you do not want a default - connector, use `none`. To retrieve connector names, use the find - connectors API. 
- example: none + description: type: string + field_descriptions: + additionalProperties: + type: string + type: object + query: + additionalProperties: false + type: object + properties: + esql: + type: string + view: + type: string + required: + - view + - esql + query_streams: + items: + type: object + properties: + name: + type: string + required: + - name + type: array type: - $ref: '#/components/schemas/Cases_connector_types' + enum: + - query + type: string required: - - fields - - id - - name + - description - type - customFields: - description: Custom fields case configuration. + - query + required: + - dashboards + - rules + - queries + - stream + Kibana_HTTP_APIs_r_rule_response: + additionalProperties: false + properties: + byhour: + items: + description: Indicates hours of the day to recur. + type: number + nullable: true + type: array + byminute: + items: + description: Indicates minutes of the hour to recur. + type: number + nullable: true + type: array + bymonth: + items: + description: Indicates months of the year that this rule should recur. + type: number + nullable: true + type: array + bymonthday: + items: + description: Indicates the days of the month to recur. + type: number + nullable: true + type: array + bysecond: + items: + description: Indicates seconds of the day to recur. + type: number + nullable: true + type: array + bysetpos: + items: + description: A positive or negative integer affecting the nth day of the month. For example, -2 combined with `byweekday` of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use `byweekday`. + type: number + nullable: true + type: array + byweekday: + items: + anyOf: + - type: string + - type: number + description: Indicates the days of the week to recur or else nth-day-of-month strings. For example, "+2TU" second Tuesday of month, "-1FR" last Friday of the month, which are internally converted to a `byweekday/bysetpos` combination. 
+ nullable: true + type: array + byweekno: + items: + description: Indicates number of the week hours to recur. + type: number + nullable: true + type: array + byyearday: + items: + description: Indicates the days of the year that this rule should recur. + type: number + nullable: true + type: array + count: + description: Number of times the rule should recur until it stops. + type: number + dtstart: + description: Rule start date in Coordinated Universal Time (UTC). + type: string + freq: + description: Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY. + enum: + - 0 + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + type: integer + interval: + description: Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks. + type: number + tzid: + description: Indicates timezone abbreviation. + type: string + until: + description: Recur the rule until this date. + type: string + wkst: + description: Indicates the start of week, defaults to Monday. + enum: + - MO + - TU + - WE + - TH + - FR + - SA + - SU + type: string + required: + - dtstart + - tzid + title: r_rule_response + type: object + Kibana_HTTP_APIs_range_key: + additionalProperties: false + properties: + from: + anyOf: + - type: string + - type: number + ranges: items: + additionalProperties: false type: object properties: - defaultValue: - description: > - A default value for the custom field. If the `type` is `text`, - the default value must be a string. If the `type` is `toggle`, - the default value must be boolean. - oneOf: + from: + anyOf: - type: string - - type: boolean - key: - description: > - A unique key for the custom field. Must be lower case and - composed only of a-z, 0-9, '_', and '-' characters. It is used - in API calls to refer to a specific custom field. - maxLength: 36 - minLength: 1 - type: string + - type: number label: - description: The custom field label that is displayed in the case. 
- maxLength: 50 - minLength: 1 - type: string - type: - description: The type of the custom field. - enum: - - text - - toggle type: string - required: - description: > - Indicates whether the field is required. If `false`, the - custom field can be set to null or omitted when a case is - created or updated. - type: boolean + to: + anyOf: + - type: string + - type: number required: - - key + - from + - to - label - - required - - type + maxItems: 100 type: array - templates: - $ref: '#/components/schemas/Cases_templates' - version: - description: > - The version of the connector. To retrieve the version value, use the - get configuration API. - example: WzIwMiwxXQ== + to: + anyOf: + - type: string + - type: number + type: + enum: + - range_key type: string required: - - version - title: Update case configuration request + - type + - from + - to + - ranges + title: Range Key type: object - Cases_update_case_request: - description: >- - The update case API request body varies depending on the type of - connector. + Kibana_HTTP_APIs_rangesOperation: + additionalProperties: false properties: - cases: - description: An array containing one or more case objects. + field: + description: Field to be used for the range. 
+ type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - range + type: string + ranges: items: + additionalProperties: false type: object properties: - assignees: - $ref: '#/components/schemas/Cases_assignees' - category: - $ref: '#/components/schemas/Cases_case_category' - closeReason: - $ref: '#/components/schemas/Cases_case_close_sync_reason' - connector: - oneOf: - - $ref: '#/components/schemas/Cases_connector_properties_none' - - $ref: >- - #/components/schemas/Cases_connector_properties_cases_webhook - - $ref: '#/components/schemas/Cases_connector_properties_jira' - - $ref: '#/components/schemas/Cases_connector_properties_resilient' - - $ref: '#/components/schemas/Cases_connector_properties_servicenow' - - $ref: >- - #/components/schemas/Cases_connector_properties_servicenow_sir - - $ref: '#/components/schemas/Cases_connector_properties_swimlane' - customFields: - description: > - Custom field values for a case. Any optional custom fields - that are not specified in the request are set to null. - items: - type: object - properties: - key: - description: > - The unique identifier for the custom field. The key - value must exist in the case configuration settings. - type: string - type: - description: > - The custom field type. It must match the type specified - in the case configuration settings. - enum: - - text - - toggle - type: string - value: - description: > - The custom field value. If the custom field is required, - it cannot be explicitly set to null. However, for cases - that existed when the required custom field was added, - the default value stored in Elasticsearch is - `undefined`. The value returned in the API and user - interface in this case is `null`. 
- oneOf: - - maxLength: 160 - minLength: 1 - nullable: true - type: string - - type: boolean - required: - - key - - type - - value - maxItems: 10 - minItems: 0 - type: array - description: - $ref: '#/components/schemas/Cases_case_description' - id: - description: The identifier for the case. - maxLength: 30000 - type: string - settings: - $ref: '#/components/schemas/Cases_settings' - severity: - $ref: '#/components/schemas/Cases_case_severity' - status: - $ref: '#/components/schemas/Cases_case_status' - tags: - $ref: '#/components/schemas/Cases_case_tags' - title: - $ref: '#/components/schemas/Cases_case_title' - version: - description: > - The current version of the case. To determine this value, use - the get case or search cases (`_find`) APIs. + gt: + description: Greater than. + type: number + label: + description: Label. type: string - required: - - id - - version + lte: + description: Less than or equal to. + type: number maxItems: 100 - minItems: 1 type: array required: - - cases - title: Update case request + - operation + - field + - ranges + title: Ranges Operation type: object - Cases_update_user_comment_request_properties: - description: Defines properties for case comment requests when type is user. + Kibana_HTTP_APIs_reauthorize_transform_request: + additionalProperties: false properties: - comment: - description: The new comment. It is required only when `type` is `user`. - example: A new comment. - maxLength: 30000 - type: string - id: - description: > - The identifier for the comment. To retrieve comment IDs, use the get - comments API. - example: 8af6ac20-74f6-11ea-b83a-553aecdb28b6 - type: string - owner: - $ref: '#/components/schemas/Cases_owner' - type: - description: The type of comment. - enum: - - user - example: user - type: string - version: - description: > - The current comment version. To retrieve version values, use the get - comments API. 
- example: Wzk1LDFd - type: string + transforms: + items: + additionalProperties: false + type: object + properties: + transformId: + type: string + required: + - transformId + maxItems: 1000 + type: array required: - - comment - - id - - owner - - type - - version - title: Update case comment request properties for user comments + - transforms + title: reauthorize_transform_request type: object - Cases_user_actions_find_response_properties: + Kibana_HTTP_APIs_RecursiveRecord: + additionalProperties: + anyOf: + - anyOf: + - type: string + - type: number + - type: boolean + - nullable: true + - {} + - items: + anyOf: + - type: string + - type: number + - type: boolean + - nullable: true + - {} + type: array + - items: {} + type: array + - $ref: '#/components/schemas/Kibana_HTTP_APIs_RecursiveRecord' type: object + Kibana_HTTP_APIs_regionMapESQL: + additionalProperties: false + description: Region Map configuration using an ES|QL query, mapping metric values to geographic regions by color. properties: - action: - $ref: '#/components/schemas/Cases_actions' - comment_id: - example: 578608d0-03b1-11ed-920c-974bfa104448 - nullable: true - type: string - created_at: - example: '2022-05-13T09:16:17.416Z' - format: date-time + data_source: + $ref: '#/components/schemas/Kibana_HTTP_APIs_esqlDataSource' + description: type: string - created_by: + drilldowns: + items: + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. 
+ type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. + type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + hide_border: + type: boolean + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. 
+ type: boolean + metric: + additionalProperties: false type: object properties: - email: - example: null - nullable: true + column: + description: Column to use type: string - full_name: - example: null - nullable: true + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string - profile_uid: - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + required: + - column + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + region: + additionalProperties: false + type: object + properties: + column: + description: Column to use type: string - username: - example: elastic - nullable: true + ems: + additionalProperties: false + type: object + properties: + boundaries: + description: EMS boundaries + type: string + join: + description: EMS join field + type: string + required: + - boundaries + - join + label: + description: Label for the operation type: string required: - - email - - full_name - - username - id: - example: 22fd3e30-03b1-11ed-920c-974bfa104448 + - column + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). 
+ maximum: 1 + minimum: 0 + type: number + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: type: string - owner: - $ref: '#/components/schemas/Cases_owner' - payload: - oneOf: - - $ref: '#/components/schemas/Cases_payload_alert_comment' - - $ref: '#/components/schemas/Cases_payload_assignees' - - $ref: '#/components/schemas/Cases_payload_connector' - - $ref: '#/components/schemas/Cases_payload_create_case' - - $ref: '#/components/schemas/Cases_payload_delete' - - $ref: '#/components/schemas/Cases_payload_description' - - $ref: '#/components/schemas/Cases_payload_pushed' - - $ref: '#/components/schemas/Cases_payload_settings' - - $ref: '#/components/schemas/Cases_payload_severity' - - $ref: '#/components/schemas/Cases_payload_status' - - $ref: '#/components/schemas/Cases_payload_tags' - - $ref: '#/components/schemas/Cases_payload_title' - - $ref: '#/components/schemas/Cases_payload_user_comment' type: - description: The type of action. enum: - - assignees - - category - - comment - - connector - - create_case - - customFields - - delete_case - - description - - extended_fields - - observables - - pushed - - settings - - severity - - status - - tags - - title - example: create_case - type: string - version: - example: WzM1ODg4LDFd + - region_map type: string required: - - action - - comment_id - - created_at - - created_by - - id - - owner - - payload - type - - version - Cases_user_comment_response_properties: - title: Case response properties for user comments + - data_source + - metric + - region + title: Region Map (ES|QL) type: object + Kibana_HTTP_APIs_regionMapNoESQL: + additionalProperties: false + description: Region Map configuration using a data view, mapping metric values to geographic regions by color. properties: - comment: - example: A new comment. 
- type: string - created_at: - example: '2022-05-13T09:16:17.416Z' - format: date-time - type: string - created_by: - $ref: '#/components/schemas/Cases_case_response_created_by_properties' - id: - example: 8af6ac20-74f6-11ea-b83a-553aecdb28b6 + data_source: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' + description: type: string - owner: - $ref: '#/components/schemas/Cases_owner' - pushed_at: - example: null - format: date-time - nullable: true + drilldowns: + items: + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. 
+ type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + hide_border: + type: boolean + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. + type: boolean + metric: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation or a mathematical formula. 
+ title: Field Metric or Formula Operation + query: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + region: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_regionMapRegionDateHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_regionMapRegionTerms' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_regionMapRegionHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_regionMapRegionRanges' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_regionMapRegionFilters' + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). + maximum: 1 + minimum: 0 + type: number + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: type: string - pushed_by: - $ref: '#/components/schemas/Cases_case_response_pushed_by_properties' type: enum: - - user - example: user - type: string - updated_at: - example: null - format: date-time - nullable: true - type: string - updated_by: - $ref: '#/components/schemas/Cases_case_response_updated_by_properties' - version: - example: WzIwNDMxLDFd + - region_map type: string required: - type - Data_views_400_response: - title: Bad request + - data_source + - metric + - region + title: Region Map (DSL) type: object + Kibana_HTTP_APIs_regionMapRegionDateHistogram: + additionalProperties: false properties: - error: - example: Bad Request + drop_partial_intervals: + description: When `true`, drops partial intervals from the results. + type: boolean + ems: + additionalProperties: false + type: object + properties: + boundaries: + description: EMS boundaries + type: string + join: + description: EMS join field + type: string + required: + - boundaries + - join + field: + description: Field to be used for the date histogram. 
type: string - message: + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. + type: boolean + label: + description: Label for the operation type: string - statusCode: - example: 400 - type: number - required: - - statusCode - - error - - message - Data_views_404_response: - type: object - properties: - error: + operation: enum: - - Not Found - example: Not Found + - date_histogram type: string - message: - example: >- - Saved object [index-pattern/caaad6d0-920c-11ed-b36a-874bd1548a00] - not found + suggested_interval: + default: auto + description: Suggested time interval. type: string - statusCode: - enum: - - 404 - example: 404 - type: integer - Data_views_allownoindex: - description: >- - Allows the data view saved object to exist before the data is available. - Defaults to `false`. - type: boolean - Data_views_create_data_view_request_object: - title: Create data view request + use_original_time_range: + default: false + description: When `true`, uses the original time range instead of the current query time range. + type: boolean + required: + - operation + - field + title: Date Histogram Operation type: object + Kibana_HTTP_APIs_regionMapRegionFilters: + additionalProperties: false properties: - data_view: - description: The data view object. + ems: + additionalProperties: false type: object properties: - allowNoIndex: - $ref: '#/components/schemas/Data_views_allownoindex' - fieldAttrs: - additionalProperties: - $ref: '#/components/schemas/Data_views_fieldattrs' - type: object - fieldFormats: - $ref: '#/components/schemas/Data_views_fieldformats' - fields: - type: object - id: - type: string - name: - description: The data view name. 
+ boundaries: + description: EMS boundaries type: string - namespaces: - $ref: '#/components/schemas/Data_views_namespaces' - runtimeFieldMap: - additionalProperties: - $ref: '#/components/schemas/Data_views_runtimefieldmap' - type: object - sourceFilters: - $ref: '#/components/schemas/Data_views_sourcefilters' - timeFieldName: - $ref: '#/components/schemas/Data_views_timefieldname' - title: - $ref: '#/components/schemas/Data_views_title' - type: - $ref: '#/components/schemas/Data_views_type' - typeMeta: - $ref: '#/components/schemas/Data_views_typemeta' - version: + join: + description: EMS join field type: string required: - - title - override: - default: false - description: >- - Override an existing data view if a data view with the provided - title already exists. - type: boolean + - boundaries + - join + filters: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterWithLabel' + maxItems: 100 + type: array + label: + description: Label for the operation + type: string + operation: + enum: + - filters + type: string required: - - data_view - Data_views_data_view_response_object: - title: Data view response properties + - operation + - filters + title: Filters Operation type: object + Kibana_HTTP_APIs_regionMapRegionHistogram: + additionalProperties: false properties: - data_view: + ems: + additionalProperties: false type: object properties: - allowNoIndex: - $ref: '#/components/schemas/Data_views_allownoindex' - fieldAttrs: - additionalProperties: - $ref: '#/components/schemas/Data_views_fieldattrs' - type: object - fieldFormats: - $ref: '#/components/schemas/Data_views_fieldformats' - fields: - type: object - id: - example: ff959d40-b880-11e8-a6d9-e546fe2bba5f + boundaries: + description: EMS boundaries type: string - name: - description: The data view name. 
+ join: + description: EMS join field type: string - namespaces: - $ref: '#/components/schemas/Data_views_namespaces' - runtimeFieldMap: - additionalProperties: - $ref: '#/components/schemas/Data_views_runtimefieldmap' - type: object - sourceFilters: - $ref: '#/components/schemas/Data_views_sourcefilters' - timeFieldName: - $ref: '#/components/schemas/Data_views_timefieldname' - title: - $ref: '#/components/schemas/Data_views_title' - typeMeta: - $ref: '#/components/schemas/Data_views_typemeta_response' - version: - example: WzQ2LDJd + required: + - boundaries + - join + field: + description: Field to be used for the histogram. + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + granularity: + anyOf: + - description: Granularity of the histogram. + maximum: 7 + minimum: 1 + type: number + - enum: + - auto type: string - Data_views_fieldattrs: - description: A map of field attributes by field name. - type: object - properties: - count: - description: Popularity count for the field. - type: integer - customDescription: - description: Custom description for the field. - maxLength: 300 + default: auto + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. + type: boolean + label: + description: Label for the operation type: string - customLabel: - description: Custom label for the field. + operation: + enum: + - histogram type: string - Data_views_fieldformats: - description: A map of field formats by field name. - type: object - Data_views_namespaces: - description: >- - An array of space identifiers for sharing the data view between multiple - spaces. - items: - default: default - type: string - type: array - Data_views_runtimefieldmap: - description: A map of runtime field definitions by field name. 
+ required: + - operation + - field + title: Histogram Operation type: object + Kibana_HTTP_APIs_regionMapRegionRanges: + additionalProperties: false properties: - script: + ems: + additionalProperties: false type: object properties: - source: - description: Script for the runtime field. + boundaries: + description: EMS boundaries type: string - type: - description: Mapping type of the runtime field. + join: + description: EMS join field + type: string + required: + - boundaries + - join + field: + description: Field to be used for the range. + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - range type: string + ranges: + items: + additionalProperties: false + type: object + properties: + gt: + description: Greater than. + type: number + label: + description: Label. + type: string + lte: + description: Less than or equal to. + type: number + maxItems: 100 + type: array required: - - script - - type - Data_views_sourcefilters: - description: The array of field names you want to filter out in Discover. - items: - type: object - properties: - value: - type: string - required: - - value - type: array - Data_views_swap_data_view_request_object: - title: Data view reference swap request + - operation + - field + - ranges + title: Ranges Operation type: object + Kibana_HTTP_APIs_regionMapRegionTerms: + additionalProperties: false properties: - delete: - description: Deletes referenced saved object if all references are removed. - type: boolean - forId: - description: Limit the affected saved objects to one or more by identifier. 
- oneOf: - - type: string - - items: + ems: + additionalProperties: false + type: object + properties: + boundaries: + description: EMS boundaries + type: string + join: + description: EMS join field + type: string + required: + - boundaries + - join + excludes: + additionalProperties: false + type: object + properties: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to exclude. type: string + maxItems: 100 type: array - forType: - description: Limit the affected saved objects by type. + required: + - values + fields: + items: + description: Fields to be used for the terms. + type: string + maxItems: 4 + minItems: 1 + type: array + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + includes: + additionalProperties: false + type: object + properties: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to include. + type: string + maxItems: 100 + type: array + required: + - values + increase_accuracy: + description: When `true`, increases accuracy at the cost of performance. + type: boolean + label: + description: Label for the operation type: string - fromId: - description: The saved object reference to change. + limit: + default: 5 + description: Number of terms to return. + type: number + operation: + enum: + - terms type: string - fromType: - description: > - Specify the type of the saved object reference to alter. The default - value is `index-pattern` for data views. + other_bucket: + additionalProperties: false + type: object + properties: + include_documents_without_field: + description: When `true`, includes documents that do not have the specified field. 
+ type: boolean + required: + - include_documents_without_field + rank_by: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByAlphabetical' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByRare' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankBySignificant' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomCountOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileRankOperation' + required: + - operation + - fields + title: Terms Operation + type: object + Kibana_HTTP_APIs_review_upgrade_request: + additionalProperties: false + properties: + action: + enum: + - accept + - decline + - pending type: string - toId: - description: New saved object reference value to replace the old value. + target_version: type: string required: - - fromId - - toId - Data_views_timefieldname: - description: The timestamp field name, which you use for time-based data views. - type: string - Data_views_title: - description: >- - Comma-separated list of data streams, indices, and aliases that you want - to search. Supports wildcards (`*`). - type: string - Data_views_type: - description: When set to `rollup`, identifies the rollup data views. - type: string - Data_views_typemeta: - description: >- - When you use rollup indices, contains the field list for the rollup data - view API endpoints. + - action + - target_version + title: review_upgrade_request type: object + Kibana_HTTP_APIs_review_upgrade_response: + additionalProperties: false properties: - aggs: - description: A map of rollup restrictions by aggregation type and field name. - type: object - params: - description: Properties for retrieving rollup fields. 
- type: object + success: + type: boolean required: - - aggs - - params - Data_views_typemeta_response: - description: >- - When you use rollup indices, contains the field list for the rollup data - view API endpoints. - nullable: true + - success + title: review_upgrade_response type: object + Kibana_HTTP_APIs_rollback_package_response: + additionalProperties: false properties: - aggs: - description: A map of rollup restrictions by aggregation type and field name. - type: object + success: + type: boolean + version: + type: string + required: + - version + - success + title: rollback_package_response + type: object + Kibana_HTTP_APIs_rule_action: + additionalProperties: false + properties: + alerts_filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_action_alerts_filter' + connector_type_id: + description: The type of connector. This property appears in responses but cannot be set in requests. + type: string + frequency: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_action_frequency' + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string params: - description: Properties for retrieving rollup fields. + additionalProperties: + nullable: true + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. type: object - Data_views_update_data_view_request_object: - title: Update data view request + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. 
+ type: string + required: + - id + - connector_type_id + - params + title: rule_action type: object + Kibana_HTTP_APIs_rule_action_alerts_filter: + additionalProperties: false + description: Defines a period that limits whether the action runs. properties: - data_view: - description: > - The data view properties you want to update. Only the specified - properties are updated in the data view. Unspecified fields stay as - they are persisted. + query: + $ref: '#/components/schemas/Kibana_HTTP_APIs_alerts_filter_query' + timeframe: + additionalProperties: false type: object properties: - allowNoIndex: - $ref: '#/components/schemas/Data_views_allownoindex' - fieldFormats: - $ref: '#/components/schemas/Data_views_fieldformats' - fields: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false type: object - name: + properties: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). + type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. 
type: string - runtimeFieldMap: - additionalProperties: - $ref: '#/components/schemas/Data_views_runtimefieldmap' - type: object - sourceFilters: - $ref: '#/components/schemas/Data_views_sourcefilters' - timeFieldName: - $ref: '#/components/schemas/Data_views_timefieldname' - title: - $ref: '#/components/schemas/Data_views_title' - type: - $ref: '#/components/schemas/Data_views_type' - typeMeta: - $ref: '#/components/schemas/Data_views_typemeta' - refresh_fields: - default: false - description: Reloads the data view fields after the data view is updated. - type: boolean - required: - - data_view - Kibana_HTTP_APIs_action_id_response: + required: + - days + - hours + - timezone + title: rule_action_alerts_filter + type: object + Kibana_HTTP_APIs_rule_action_frequency: additionalProperties: false properties: - actionId: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if ''notify_when'' is set to ''onThrottleInterval''. 
NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true type: string required: - - actionId - title: action_id_response + - summary + - notify_when + - throttle + title: rule_action_frequency type: object - Kibana_HTTP_APIs_action_message_response: + Kibana_HTTP_APIs_rule_alert_delay: additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. properties: - message: - type: string + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number required: - - message - title: action_message_response + - active + title: rule_alert_delay type: object - Kibana_HTTP_APIs_agent_policy_response: + Kibana_HTTP_APIs_rule_artifacts: additionalProperties: false properties: - advanced_settings: - additionalProperties: false - type: object - properties: - agent_download_target_directory: - nullable: true - agent_download_timeout: - nullable: true - agent_features_disable_policy_change_acks_enabled: - nullable: true - agent_internal: - nullable: true - agent_limits_go_max_procs: - nullable: true - agent_logging_files_interval: - nullable: true - agent_logging_files_keepfiles: - nullable: true - agent_logging_files_rotateeverybytes: - nullable: true - agent_logging_level: - nullable: true - agent_logging_metrics_period: - nullable: true - agent_logging_to_files: - nullable: true - agent_monitoring_runtime_experimental: - nullable: true - agent_features: + dashboards: items: additionalProperties: false type: object properties: - enabled: - type: boolean - name: + id: type: string required: - - name - - enabled - maxItems: 100 + - id type: array - agentless: + investigation_guide: additionalProperties: false type: object properties: - 
cloud_connectors: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - target_csp: - enum: - - aws - - azure - - gcp - type: string - required: - - enabled - cluster_id: + blob: + description: User-created content that describes alert causes and remdiation. type: string - resources: - additionalProperties: false - type: object - properties: - requests: - additionalProperties: false - type: object - properties: - cpu: - type: string - memory: - type: string - agents: + required: + - blob + title: rule_artifacts + type: object + Kibana_HTTP_APIs_rule_execution_status: + additionalProperties: false + properties: + error: + additionalProperties: false + type: object + properties: + message: + description: Error message. + type: string + reason: + description: Reason for error. + enum: + - read + - decrypt + - execute + - unknown + - license + - timeout + - disabled + - validate + type: string + required: + - reason + - message + last_duration: + description: Duration of last execution of the rule. type: number - agents_per_version: - items: - additionalProperties: false - type: object - properties: - count: - type: number - version: - type: string - required: - - version - - count - maxItems: 1000 - type: array - created_at: - type: string - data_output_id: - nullable: true - type: string - description: + last_execution_date: + description: The date and time when rule was executed last. type: string - download_source_id: - nullable: true + status: + description: Status of rule execution. + enum: + - ok + - active + - error + - warning + - pending + - unknown type: string - fips_agents: + warning: + additionalProperties: false + type: object + properties: + message: + description: Warning message. + type: string + reason: + description: Reason for warning. 
+ enum: + - maxExecutableActions + - maxAlerts + - maxQueuedActions + - ruleExecution + type: string + required: + - reason + - message + required: + - status + - last_execution_date + title: rule_execution_status + type: object + Kibana_HTTP_APIs_rule_flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 type: number - fleet_server_host_id: - nullable: true + status_change_threshold: + description: The minimum number of times an alert must switch states in the look back window. + maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + title: rule_flapping + type: object + Kibana_HTTP_APIs_rule_interval_schedule: + additionalProperties: false + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. type: string - global_data_tags: - description: >- - User defined data tags that are added to all of the inputs. The - values can be strings or numbers. + required: + - interval + title: rule_interval_schedule + type: object + Kibana_HTTP_APIs_rule_last_run: + additionalProperties: false + properties: + alerts_count: + additionalProperties: false + type: object + properties: + active: + description: Number of active alerts during last run. + nullable: true + type: number + ignored: + description: Number of ignored alerts during last run. + nullable: true + type: number + new: + description: Number of new alerts during last run. + nullable: true + type: number + recovered: + description: Number of recovered alerts during last run. 
+ nullable: true + type: number + outcome: + description: Outcome of last run of the rule. Value could be succeeded, warning or failed. + enum: + - succeeded + - warning + - failed + type: string + outcome_msg: items: - additionalProperties: false - type: object - properties: - name: - type: string - value: - anyOf: - - type: string - - type: number - required: - - name - - value - maxItems: 100 + description: Outcome message generated during last rule run. + type: string + nullable: true type: array - has_agent_version_conditions: - type: boolean - has_fleet_server: - type: boolean - id: - type: string - inactivity_timeout: - default: 1209600 - minimum: 0 + outcome_order: + description: Order of the outcome. type: number - is_default: - type: boolean - is_default_fleet_server: - type: boolean - is_managed: - type: boolean - is_preconfigured: - type: boolean - is_protected: - description: >- - Indicates whether the agent policy has tamper protection enabled. - Default false. - type: boolean - is_verifier: - type: boolean - keep_monitoring_alive: - default: false - description: >- - When set to true, monitoring will be enabled but logs/metrics - collection will be disabled - nullable: true - type: boolean - min_agent_version: + warning: + description: Warning of last rule execution. + enum: + - read + - decrypt + - execute + - unknown + - license + - timeout + - disabled + - validate + - maxExecutableActions + - maxAlerts + - maxQueuedActions + - ruleExecution nullable: true type: string - monitoring_diagnostics: + required: + - outcome + - alerts_count + title: rule_last_run + type: object + Kibana_HTTP_APIs_rule_monitoring: + additionalProperties: false + description: Monitoring details of the rule. + properties: + run: additionalProperties: false + description: Rule run details. type: object properties: - limit: + calculated_metrics: additionalProperties: false + description: Calculation of different percentiles and success ratio. 
type: object properties: - burst: + p50: type: number - interval: - type: string - uploader: + p95: + type: number + p99: + type: number + success_ratio: + type: number + required: + - success_ratio + history: + description: History of the rule run. + items: + additionalProperties: false + type: object + properties: + duration: + description: Duration of the rule run. + type: number + outcome: + description: Outcome of last run of the rule. Value could be succeeded, warning or failed. + enum: + - succeeded + - warning + - failed + type: string + success: + description: Indicates whether the rule run was successful. + type: boolean + timestamp: + description: Time of rule run. + type: number + required: + - success + - timestamp + type: array + last_run: additionalProperties: false type: object properties: - init_dur: - type: string - max_dur: + metrics: + additionalProperties: false + type: object + properties: + duration: + description: Duration of most recent rule run. + type: number + gap_duration_s: + description: Duration in seconds of rule run gap. + nullable: true + type: number + gap_range: + additionalProperties: false + nullable: true + type: object + properties: + gte: + description: End of the gap range. + type: string + lte: + description: Start of the gap range. + type: string + required: + - lte + - gte + total_alerts_created: + description: Total number of alerts created during last rule run. + nullable: true + type: number + total_alerts_detected: + description: Total number of alerts detected during last rule run. + nullable: true + type: number + total_indexing_duration_ms: + description: Total time spent indexing documents during last rule run in milliseconds. + nullable: true + type: number + total_search_duration_ms: + description: Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response. 
+ nullable: true + type: number + timestamp: + description: Time of the most recent rule run. type: string - max_retries: - type: number - monitoring_enabled: + required: + - timestamp + - metrics + required: + - history + - calculated_metrics + - last_run + required: + - run + title: rule_monitoring + type: object + Kibana_HTTP_APIs_rule_response: + additionalProperties: false + properties: + actions: items: - enum: - - logs - - metrics - - traces + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_action' + type: array + active_snoozes: + items: + description: List of active snoozes for the rule. type: string - maxItems: 3 type: array - monitoring_http: - additionalProperties: false - type: object - properties: - buffer: - additionalProperties: false - type: object - properties: - enabled: - default: false - type: boolean - enabled: - type: boolean - host: - type: string - port: - maximum: 65353 - minimum: 0 - type: number - monitoring_output_id: + alert_delay: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_alert_delay' + api_key_created_by_user: + description: Indicates whether the API key that is associated with the rule was created by the user. + nullable: true + type: boolean + api_key_owner: + description: The owner of the API key that is associated with the rule and used to run background tasks. nullable: true type: string - monitoring_pprof_enabled: + artifacts: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_artifacts' + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + created_at: + description: The date and time that the rule was created. + type: string + created_by: + description: The identifier for the user that created the rule. 
+ nullable: true + type: string + enabled: + description: Indicates whether you want to run the rule on an interval basis after it is created. type: boolean - name: - minLength: 1 + execution_status: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_execution_status' + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + id: + description: The identifier for the rule. type: string - namespace: - minLength: 1 + is_snoozed_until: + description: The date when the rule will no longer be snoozed. + nullable: true type: string - overrides: + last_run: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_last_run' + nullable: true + mapped_params: additionalProperties: nullable: true - description: >- - Override settings that are defined in the agent policy. Input - settings cannot be overridden. The override option should be used - only in unusual circumstances and not as a routine procedure. - nullable: true type: object - package_agent_version_conditions: + monitoring: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_monitoring' + mute_all: + description: Indicates whether all alerts are muted. + type: boolean + muted_alert_ids: items: - additionalProperties: false - type: object - properties: - name: - type: string - title: - type: string - version_condition: - type: string - required: - - name - - title - - version_condition - maxItems: 1000 - nullable: true + description: 'List of identifiers of muted alerts. 
' + type: string type: array - package_policies: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - description: >- - This field is present only when retrieving a single agent - policy, or when retrieving a list of agent policies with the - ?full=true parameter - items: - $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_response' - maxItems: 10000 - type: array - required_versions: - items: - additionalProperties: false - type: object - properties: - percentage: - description: Target percentage of agents to auto upgrade - maximum: 100 - minimum: 0 - type: number - version: - description: Target version for automatic agent upgrade - type: string - required: - - version - - percentage - maxItems: 100 + name: + description: ' The name of the rule.' + type: string + next_run: + description: Date and time of the next run of the rule. nullable: true - type: array + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: + nullable: true + description: The parameters for the rule. + type: object revision: + description: The rule revision number. type: number - schema_version: + rule_type_id: + description: The rule type identifier. 
type: string - space_ids: + running: + description: Indicates whether the rule is running. + nullable: true + type: boolean + schedule: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_interval_schedule' + scheduled_task_id: + description: Identifier of the scheduled task. + type: string + snooze_schedule: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_snooze_schedule' + type: array + tags: items: + description: The tags for the rule. type: string - maxItems: 100 type: array - status: - enum: - - active - - inactive - type: string - supports_agentless: - default: false - description: Indicates whether the agent policy supports agentless integrations. + throttle: + deprecated: true + description: 'Deprecated in 8.13.0. Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true - type: boolean - unenroll_timeout: - minimum: 0 - type: number - unprivileged_agents: - type: number + type: string updated_at: + description: The date and time that the rule was updated most recently. type: string updated_by: + description: The identifier for the user that updated this rule most recently. + nullable: true type: string - version: + view_in_app_relative_url: + description: Relative URL to view rule in the app. 
+ nullable: true type: string required: - id + - enabled - name - - namespace - - is_protected - - status - - updated_at + - tags + - rule_type_id + - consumer + - schedule + - actions + - params + - created_by - updated_by + - created_at + - updated_at + - api_key_owner + - mute_all + - muted_alert_ids + - execution_status - revision - title: agent_policy_response + title: rule_response type: object - Kibana_HTTP_APIs_bulk_delete_enrollment_api_keys_request: + Kibana_HTTP_APIs_rule_snooze_schedule: additionalProperties: false properties: - forceDelete: - default: false - description: >- - When false (default), invalidate the API key and mark the token as - inactive. When true, also delete the token document. - type: boolean - includeHidden: - default: false - description: >- - When true, allow deletion of hidden enrollment tokens - (managed/agentless policies). Defaults to false. - type: boolean - kuery: - description: KQL query to select enrollment tokens to delete. + duration: + description: Duration of the rule snooze schedule. + type: number + id: + description: Identifier of the rule snooze schedule. type: string - tokenIds: - description: List of enrollment token IDs to delete. + rRule: + $ref: '#/components/schemas/Kibana_HTTP_APIs_r_rule_response' + skipRecurrences: items: + description: Skips recurrence of rule on this date. type: string - maxItems: 10000 type: array - title: bulk_delete_enrollment_api_keys_request + required: + - duration + - rRule + title: rule_snooze_schedule type: object - Kibana_HTTP_APIs_bulk_delete_enrollment_api_keys_response: + Kibana_HTTP_APIs_schedule_request: additionalProperties: false properties: - action: + duration: + description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' 
type: string - count: + recurring: + additionalProperties: false + type: object + properties: + end: + description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' + type: string + every: + description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' + type: string + occurrences: + description: The total number of recurrences of the schedule. + minimum: 1 + type: number + onMonth: + description: The specific months for a recurring schedule. Valid values are 1-12. + items: + maximum: 12 + minimum: 1 + type: number + minItems: 1 + type: array + onMonthDay: + description: The specific days of the month for a recurring schedule. Valid values are 1-31. + items: + maximum: 31 + minimum: 1 + type: number + minItems: 1 + type: array + onWeekDay: + description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. + items: + type: string + minItems: 1 + type: array + start: + description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' + type: string + timezone: + description: The timezone of the schedule. The default timezone is UTC. + type: string + required: + - start + - duration + title: schedule_request + type: object + Kibana_HTTP_APIs_security_bulk_create_or_update_roles_response: + additionalProperties: false + description: The response payload for the bulk create-or-update roles API. + properties: + created: + items: + description: The name of a role that was created. 
+ type: string + type: array + errors: + additionalProperties: + $ref: '#/components/schemas/Kibana_HTTP_APIs_security_bulk_roles_error_detail' + type: object + noop: + items: + description: The name of a role that was unchanged by the request. + type: string + type: array + updated: + items: + description: The name of a role that was updated. + type: string + type: array + title: security_bulk_create_or_update_roles_response + type: object + Kibana_HTTP_APIs_security_bulk_roles_error_detail: + additionalProperties: false + description: Error information for a single role in a bulk create-or-update request. + properties: + reason: + description: A human readable error reason. + type: string + type: + description: The error type. + type: string + required: + - type + - reason + title: security_bulk_roles_error_detail + type: object + Kibana_HTTP_APIs_security_query_roles_body: + additionalProperties: false + description: The request body for querying roles. + properties: + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_security_query_roles_filters' + from: type: number - errorCount: + query: + type: string + size: type: number - successCount: + sort: + $ref: '#/components/schemas/Kibana_HTTP_APIs_security_query_roles_sort' + title: security_query_roles_body + type: object + Kibana_HTTP_APIs_security_query_roles_filters: + additionalProperties: false + description: The filter criteria for the query. + properties: + showReservedRoles: + type: boolean + title: security_query_roles_filters + type: object + Kibana_HTTP_APIs_security_query_roles_response: + additionalProperties: false + description: The response payload for a roles query. + properties: + count: + description: The number of roles returned in this response page. + type: number + roles: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_response' + type: array + total: + description: The total number of roles that match the query. 
type: number required: - - action + - roles - count - - successCount - - errorCount - title: bulk_delete_enrollment_api_keys_response + - total + title: security_query_roles_response type: object - Kibana_HTTP_APIs_bulk_get_agent_policies_response: + Kibana_HTTP_APIs_security_query_roles_sort: additionalProperties: false + description: The sort criteria for the query. properties: - items: + direction: + enum: + - asc + - desc + type: string + field: + type: string + required: + - field + - direction + title: security_query_roles_sort + type: object + Kibana_HTTP_APIs_security_role_elasticsearch: + additionalProperties: false + description: The Elasticsearch cluster, index, and remote cluster security privileges for the role. + properties: + cluster: items: - $ref: '#/components/schemas/Kibana_HTTP_APIs_agent_policy_response' - maxItems: 10000 + description: Cluster privileges that define the cluster level actions that users can perform. + type: string + maxItems: 100 + type: array + indices: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_indices_privileges' + maxItems: 1000 + type: array + remote_cluster: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_remote_cluster_privileges' + maxItems: 100 + type: array + remote_indices: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_remote_indices_privileges' + maxItems: 1000 + type: array + run_as: + items: + description: A username that members of this role can impersonate. + type: string + maxItems: 100 type: array + title: security_role_elasticsearch + type: object + Kibana_HTTP_APIs_security_role_indices_privileges: + additionalProperties: false + description: The indices privileges entry. + properties: + allow_restricted_indices: + description: Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. 
Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field covers the restricted indices too. + type: boolean + field_security: + additionalProperties: + items: + description: The document fields that the role members have read access to. + type: string + maxItems: 1000 + type: array + type: object + names: + items: + description: The data streams, indices, and aliases to which the permissions in this entry apply. It supports wildcards (*). + type: string + maxItems: 100 + minItems: 1 + type: array + privileges: + items: + description: The index level privileges that the role members have for the data streams and indices. + type: string + maxItems: 100 + minItems: 1 + type: array + query: + description: A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members. + type: string required: - - items - title: bulk_get_agent_policies_response + - names + - privileges + title: security_role_indices_privileges type: object - Kibana_HTTP_APIs_bulk_get_package_policies_response: + Kibana_HTTP_APIs_security_role_kibana_application: additionalProperties: false + description: A raw Elasticsearch application privilege entry tied to Kibana. 
properties: - items: + application: + type: string + privileges: items: - $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_response' - maxItems: 10000 + type: string + type: array + resources: + items: + type: string type: array required: - - items - title: bulk_get_package_policies_response + - application + - privileges + - resources + title: security_role_kibana_application type: object - Kibana_HTTP_APIs_bulk_install_packages_from_registry_request: + Kibana_HTTP_APIs_security_role_kibana_privilege: additionalProperties: false + description: The Kibana privilege entry for the role. properties: - force: - default: false + base: + anyOf: + - items: {} + type: array + - type: boolean + - type: number + - type: object + - type: string + nullable: true + oneOf: + - items: + description: A base privilege that grants applies to all spaces. + type: string + maxItems: 50 + type: array + - items: + description: A base privilege that applies to specific spaces. + type: string + maxItems: 50 + type: array + feature: + additionalProperties: + items: + description: The privileges that the role member has for the feature. + type: string + maxItems: 100 + type: array + type: object + spaces: + anyOf: + - items: + enum: + - '*' + type: string + maxItems: 1 + minItems: 1 + type: array + - items: + description: A space that the privilege applies to. + type: string + maxItems: 1000 + type: array + default: + - '*' + required: + - base + title: security_role_kibana_privilege + type: object + Kibana_HTTP_APIs_security_role_kibana_privilege_response: + additionalProperties: false + description: A Kibana privilege entry returned for a role. + properties: + _reserved: + items: + description: A reserved Kibana privilege granted globally. + type: string + type: array + base: + items: + description: A base Kibana privilege. + type: string + type: array + feature: + additionalProperties: + items: + description: A privilege the role member has for the feature. 
+ type: string + type: array + type: object + spaces: + items: + description: A space that the privilege applies to. The wildcard `*` indicates all spaces. + type: string + type: array + required: + - spaces + - base + - feature + title: security_role_kibana_privilege_response + type: object + Kibana_HTTP_APIs_security_role_put_payload: + additionalProperties: false + description: The role definition to create or update. + properties: + description: + description: A description for the role. + maxLength: 2048 + type: string + elasticsearch: + $ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_elasticsearch' + kibana: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_kibana_privilege' + type: array + metadata: + additionalProperties: + nullable: true + type: object + required: + - elasticsearch + title: security_role_put_payload + type: object + Kibana_HTTP_APIs_security_role_remote_cluster_privileges: + additionalProperties: false + description: The remote cluster privileges entry. + properties: + clusters: + items: + description: A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions. + type: string + maxItems: 100 + minItems: 1 + type: array + privileges: + items: + description: The cluster level privileges for the remote cluster. The allowed values are a subset of the cluster privileges. + type: string + maxItems: 100 + minItems: 1 + type: array + required: + - privileges + - clusters + title: security_role_remote_cluster_privileges + type: object + Kibana_HTTP_APIs_security_role_remote_indices_privileges: + additionalProperties: false + description: The remote indices privileges entry. + properties: + allow_restricted_indices: + description: Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. 
Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field will cover the restricted indices too. type: boolean - packages: + clusters: items: - anyOf: - - type: string - - additionalProperties: false - type: object - properties: - name: - type: string - prerelease: - type: boolean - version: - type: string - required: - - name - - version - maxItems: 1000 + description: A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions. + type: string + maxItems: 100 + minItems: 1 + type: array + field_security: + additionalProperties: + items: + description: The document fields that the role members have read access to. + type: string + maxItems: 1000 + type: array + type: object + names: + items: + description: A list of remote aliases, data streams, or indices to which the permissions apply. It supports wildcards (*). + type: string + maxItems: 100 + minItems: 1 + type: array + privileges: + items: + description: The index level privileges that role members have for the specified indices. + type: string + maxItems: 100 minItems: 1 type: array + query: + description: 'A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members. 
' + type: string required: - - packages - title: bulk_install_packages_from_registry_request + - clusters + - names + - privileges + title: security_role_remote_indices_privileges type: object - Kibana_HTTP_APIs_bulk_install_packages_from_registry_response: + Kibana_HTTP_APIs_security_role_response: additionalProperties: false + description: A Kibana role definition returned by the Roles API. properties: - items: + _transform_error: items: - anyOf: - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_bulk_install_packages_response_item_success - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_bulk_install_packages_response_item_error - maxItems: 10000 + $ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_transform_error' + type: array + _unrecognized_applications: + items: + description: Application names found on the role that are not recognized by Kibana. + type: string + type: array + description: + description: A description for the role. + type: string + elasticsearch: + $ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_elasticsearch' + kibana: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_kibana_privilege_response' type: array + metadata: + additionalProperties: + nullable: true + type: object + name: + description: The role name. + type: string + transient_metadata: + additionalProperties: + nullable: true + type: object required: - - items - title: bulk_install_packages_from_registry_response + - name + - elasticsearch + - kibana + title: security_role_response type: object - Kibana_HTTP_APIs_bulk_install_packages_response_item_error: + Kibana_HTTP_APIs_security_role_transform_error: additionalProperties: false + description: Diagnostic information about a role whose Kibana privileges could not be transformed. properties: - error: - anyOf: - - type: string - - nullable: true - name: + reason: + description: The reason the role could not be fully transformed. 
type: string - statusCode: - type: number + state: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_kibana_application' + type: array required: - - name - - statusCode - title: bulk_install_packages_response_item_error + - reason + title: security_role_transform_error type: object - Kibana_HTTP_APIs_bulk_install_packages_response_item_success: + Kibana_HTTP_APIs_security_roles_bulk_create_or_update_payload: additionalProperties: false + description: The request body for bulk creating or updating roles. properties: - name: - type: string - result: - additionalProperties: false + roles: + additionalProperties: + $ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_put_payload' type: object - properties: - assets: - items: - anyOf: - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_kibana_asset_reference - - $ref: '#/components/schemas/Kibana_HTTP_APIs_es_asset_reference' - maxItems: 10000 - type: array - error: - nullable: true - installSource: - type: string - installType: - type: string - status: - enum: - - installed - - already_installed - type: string - required: - - error - - installType - version: - type: string required: - - name - - version - - result - title: bulk_install_packages_response_item_success + - roles + title: security_roles_bulk_create_or_update_payload type: object - Kibana_HTTP_APIs_bulk_namespace_customization_request: + Kibana_HTTP_APIs_simplified_create_package_policy_request: additionalProperties: false properties: - disable: - description: >- - Namespaces to disable namespace-level customization for on each - package. + additional_datastreams_permissions: + description: Additional data stream permissions that will be added to the agent policy. items: type: string maxItems: 100 + nullable: true type: array - enable: - description: >- - Namespaces to enable namespace-level customization for on each - package. 
+ cloud_connector: + additionalProperties: false + type: object + properties: + cloud_connector_id: + description: ID of an existing cloud connector to reuse. If not provided, a new connector will be created. + type: string + enabled: + default: false + description: Whether cloud connectors are enabled for this policy. + type: boolean + name: + description: Optional name for the cloud connector. If not provided, will be auto-generated from credentials. + maxLength: 255 + minLength: 1 + type: string + target_csp: + description: Target cloud service provider. If not provided, will be auto-detected from inputs. + enum: + - aws + - azure + - gcp + type: string + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this integration to its inputs.' + type: string + description: + description: Policy description. + type: string + force: + description: Force package policy creation even if the package is not verified, or if the agent policy is managed. + type: boolean + global_data_tags: items: - type: string + additionalProperties: false + type: object + properties: + name: + description: The name of the custom field. Cannot contain spaces. + type: string + value: + anyOf: + - type: string + - type: number + description: The value of the custom field. + required: + - name + - value maxItems: 100 type: array - packages: - description: Package names to apply the customization changes to. - items: + id: + description: Policy unique identifier. + type: string + inputs: + additionalProperties: + additionalProperties: false + type: object + properties: + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' + type: string + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + description: Enable or disable that input. Defaults to `true` (enabled). 
+ type: boolean + streams: + additionalProperties: + additionalProperties: false + type: object + properties: + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' + type: string + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + description: Enable or disable that stream. Defaults to `true` (enabled). + type: boolean + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Input streams. Refer to the integration documentation to know which streams are available. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Package policy inputs. Refer to the integration documentation to know which inputs are available. + type: object + name: + description: Unique name for the policy. + type: string + namespace: + description: Policy namespace. 
When not specified, it inherits the agent policy namespace. + type: string + package: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_package' + policy_template: + description: The policy template to use for the agentless package policy. If not provided, the default policy template will be used. + type: string + var_group_selections: + additionalProperties: type: string - maxItems: 1000 - minItems: 1 - type: array + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object required: - - packages - title: bulk_namespace_customization_request + - name + - package + title: simplified_create_package_policy_request type: object - Kibana_HTTP_APIs_bulk_namespace_customization_response: + Kibana_HTTP_APIs_slo-alerts-embeddable: additionalProperties: false + description: SLO Alerts embeddable schema properties: - items: + description: + type: string + drilldowns: items: additionalProperties: false - type: object properties: - error: - type: string - name: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: type: string - namespace_customization_enabled_for: - description: >- - The opt-in list on the package. Returned whenever the package - is installed: the new list on success, or the unchanged list - when the request is rejected (for example, because of a - namespace-prefix restriction). 
- items: - type: string - maxItems: 100 - type: array - success: + open_in_new_tab: + default: true type: boolean + trigger: + enum: + - on_open_panel_menu + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string required: - - name - - success - maxItems: 1000 + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 type: array - required: - - items - title: bulk_namespace_customization_response - type: object - Kibana_HTTP_APIs_bulk_rollback_packages_request: - additionalProperties: false - properties: - packages: + hide_border: + type: boolean + hide_title: + type: boolean + slos: + default: [] + description: List of SLOs to display alerts for items: additionalProperties: false type: object properties: - name: - description: Package name to rollback + slo_id: + description: SLO ID + type: string + slo_instance_id: + default: '*' + description: SLO instance ID type: string required: - - name - maxItems: 1000 - minItems: 1 + - slo_id + maxItems: 100 type: array - required: - - packages - title: bulk_rollback_packages_request - type: object - Kibana_HTTP_APIs_bulk_rollback_packages_response: - additionalProperties: false - properties: - taskId: + title: type: string - required: - - taskId - title: bulk_rollback_packages_response + title: slo-alerts-embeddable type: object - Kibana_HTTP_APIs_bulk_uninstall_packages_request: + Kibana_HTTP_APIs_slo-burn-rate-embeddable: additionalProperties: false + description: SLO Burn Rate embeddable schema properties: - force: - default: false - type: boolean - packages: + description: + type: string + drilldowns: items: additionalProperties: false - type: object properties: - name: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: type: string - version: + 
open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_open_panel_menu + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable type: string required: - - name - - version - maxItems: 1000 - minItems: 1 + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 type: array + duration: + description: Duration for the burn rate chart in the format [value][unit], e.g. 5m, 3h, or 6d + type: string + hide_border: + type: boolean + hide_title: + type: boolean + slo_id: + description: The ID of the SLO to display the burn rate for + type: string + slo_instance_id: + default: '*' + description: ID of the SLO instance. Set when the SLO uses group_by; identifies which instance to show. Defaults to * (all instances). + type: string + title: + type: string required: - - packages - title: bulk_uninstall_packages_request + - slo_id + - duration + title: slo-burn-rate-embeddable type: object - Kibana_HTTP_APIs_bulk_upgrade_packages_request: + Kibana_HTTP_APIs_slo-error-budget-embeddable: additionalProperties: false + description: SLO Error Budget embeddable schema properties: - force: - default: false - type: boolean - packages: + description: + type: string + drilldowns: items: additionalProperties: false - type: object properties: - name: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: type: string - version: + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_open_panel_menu + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. 
Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable type: string required: - - name - maxItems: 1000 - minItems: 1 + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 type: array - prerelease: + hide_border: type: boolean - upgrade_package_policies: - default: false + hide_title: type: boolean + slo_id: + description: The ID of the SLO to display the error budget for + type: string + slo_instance_id: + default: '*' + description: ID of the SLO instance. Set when the SLO uses group_by; identifies which instance to show. Defaults to * (all instances). + type: string + title: + type: string required: - - packages - title: bulk_upgrade_packages_request + - slo_id + title: slo-error-budget-embeddable type: object - Kibana_HTTP_APIs_bulk_upgrade_packages_response: + Kibana_HTTP_APIs_slo-group-overview-embeddable: additionalProperties: false + description: SLO Group Overview embeddable schema properties: - taskId: + description: + type: string + drilldowns: + items: + additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_open_panel_menu + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. 
Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + group_filters: + additionalProperties: false + default: + group_by: status + type: object + properties: + filters: + items: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeConditionFilterSchema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeGroupFilterSchema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeDSLFilterSchema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeSpatialFilterSchema' + description: A filter applied to query results. Can be a field condition (`condition`), a logical group of conditions (`group`), a raw Elasticsearch DSL query (`dsl`), or a geo spatial query (`spatial`). + maxItems: 500 + type: array + group_by: + default: status + enum: + - slo.tags + - status + - slo.indicator.type + - _index + type: string + groups: + items: + type: string + maxItems: 100 + type: array + kql_query: + type: string + hide_border: + type: boolean + hide_title: + type: boolean + overview_mode: + enum: + - groups + type: string + title: type: string required: - - taskId - title: bulk_upgrade_packages_response + - overview_mode + title: slo-group-overview-embeddable type: object - Kibana_HTTP_APIs_category_summary_item: + Kibana_HTTP_APIs_slo-rules-burnrate-create-rule-body-alerting: additionalProperties: false properties: - count: - type: number - id: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_alert_delay' + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: 
object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string - parent_id: + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. type: string - parent_title: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the slo burn rate rule. These parameters are appropriate when `rule_type_id` is `slo.rules.burnRate`. 
+ properties: + dependencies: + items: + additionalProperties: false + type: object + properties: + actionGroupsToSuppressOn: + items: + type: string + type: array + ruleId: + type: string + required: + - ruleId + - actionGroupsToSuppressOn + type: array + sloId: + type: string + windows: + items: + additionalProperties: false + type: object + properties: + actionGroup: + type: string + burnRateThreshold: + type: number + id: + type: string + longWindow: + additionalProperties: false + type: object + properties: + unit: + type: string + value: + type: number + required: + - value + - unit + maxBurnRateThreshold: + nullable: true + type: number + shortWindow: + additionalProperties: false + type: object + properties: + unit: + type: string + value: + type: number + required: + - value + - unit + required: + - id + - burnRateThreshold + - maxBurnRateThreshold + - longWindow + - shortWindow + - actionGroup + type: array + required: + - sloId + - windows + title: SLO Burn Rate Rule Params + type: object + rule_type_id: + enum: + - slo.rules.burnRate type: string - title: + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true type: string required: - - id - - title - - count - title: category_summary_item + - name + - consumer + - schedule + - rule_type_id + - params + title: SLO burn rate type: object - Kibana_HTTP_APIs_copy_agent_policy_request: + Kibana_HTTP_APIs_slo-single-overview-embeddable: additionalProperties: false + description: SLO Single Overview embeddable schema properties: description: type: string - name: - minLength: 1 - type: string - required: - - name - title: copy_agent_policy_request - type: object - Kibana_HTTP_APIs_create_custom_integration_request: - additionalProperties: false - properties: - datasets: + drilldowns: items: additionalProperties: false - type: object properties: - name: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_open_panel_menu type: string type: enum: - - logs - - metrics - - traces - - synthetics - - profiling + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable type: string required: - - name + - url + - label + - trigger - type - maxItems: 10 + title: url_drilldown + type: object + maxItems: 100 type: array - force: + hide_border: type: boolean - integrationName: + hide_title: + type: boolean + overview_mode: + enum: + - single + type: string + remote_name: + description: The name of the remote SLO + type: string + slo_id: + description: The ID of the SLO + type: string + slo_instance_id: + default: '*' + description: ID of the SLO instance. Set when the SLO uses group_by; identifies which instance to show. Defaults to * (all instances). 
+ type: string + title: type: string required: - - integrationName - - datasets - title: create_custom_integration_request + - slo_id + - overview_mode + title: slo-single-overview-embeddable type: object - Kibana_HTTP_APIs_create_package_policy_request: + Kibana_HTTP_APIs_staticColor: additionalProperties: false + description: Fixed color for all values in the dimension. properties: - additional_datastreams_permissions: - description: >- - Additional datastream permissions, that will be added to the agent - policy. - items: - type: string - maxItems: 1000 - nullable: true - type: array - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. - nullable: true + color: + description: The static color to be used for all values. type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. - maxLength: 255 - minLength: 1 - nullable: true + type: + enum: + - static type: string - condition: - description: >- - **Experimental.** Agent condition expression to evaluate whether to - apply this integration to its inputs. + required: + - type + - color + title: Static Color + type: object + Kibana_HTTP_APIs_staticOperationDefinition: + additionalProperties: false + properties: + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string - description: - description: Package policy description + operation: + enum: + - static_value type: string - enabled: - type: boolean - force: - description: >- - Force package policy creation even if the package is not verified, - or if the agent policy is managed. - type: boolean - global_data_tags: - items: - additionalProperties: false - type: object - properties: - name: - description: The name of the custom field. Cannot contain spaces. - type: string - value: - anyOf: - - type: string - - type: number - description: The value of the custom field. 
- required: - - name - - value - maxItems: 100 - nullable: true - type: array - id: - description: Package policy unique identifier + value: + default: 100 + description: Static value + type: number + required: + - operation + title: Static Operation Definition + type: object + Kibana_HTTP_APIs_StreamlangConditionBlock: + additionalProperties: false + type: object + properties: + condition: + $ref: '#/components/schemas/Kibana_HTTP_APIs_ConditionWithSteps' + customIdentifier: type: string - inputs: - items: - additionalProperties: false - type: object - properties: - condition: - description: >- - **Experimental.** Agent condition expression to evaluate - whether to apply this input. - type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation for more - information) - type: object - deprecated: - $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false + required: + - condition + Kibana_HTTP_APIs_StreamlangStep: + anyOf: + - anyOf: + - additionalProperties: false + description: Grok processor - Extract fields from text using grok patterns + type: object + properties: + action: + enum: + - grok + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + description: Source field to parse with grok patterns + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + 
description: Skip processing when source field is missing + type: boolean + pattern_definitions: + additionalProperties: + type: string type: object - properties: - compiled_stream: - nullable: true - condition: - description: >- - **Experimental.** Agent condition expression to evaluate - whether to apply this stream. - type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation for more - information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: >- - Variable group selections. Maps var_group name to the - selected option name within that group. 
- type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation for more - information) - type: object - required: - - enabled - - data_stream - - compiled_stream - - deprecated - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: + patterns: + description: Grok patterns applied in order to extract fields + items: + description: A non-empty string. + minLength: 1 + type: string + minItems: 1 + type: array + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - patterns + - additionalProperties: false + description: Dissect processor - Extract fields from text using a lightweight, delimiter-based parser + type: object + properties: + action: + enum: + - dissect + type: string + append_separator: + description: Separator inserted when target fields are concatenated + minLength: 1 + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + description: Source field to parse with dissect pattern + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + description: Skip processing when source field is missing + type: boolean + pattern: + description: Dissect pattern describing field boundaries + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - pattern + - 
additionalProperties: false + description: Date processor - Parse dates from strings using one or more expected formats + type: object + properties: + action: + enum: + - date + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + formats: + description: Accepted input date formats, tried in order + items: + description: A non-empty string. + minLength: 1 + type: string + type: array + from: + description: Source field containing the date/time text + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + locale: + description: Optional locale for date parsing + minLength: 1 + type: string + output_format: + description: Optional output format for storing the parsed date as text + minLength: 1 + type: string + timezone: + description: Optional timezone for date parsing + minLength: 1 + type: string + to: + description: Target field for the parsed date (defaults to source) + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - formats + - additionalProperties: false + type: object + properties: + action: + enum: + - drop_document + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - additionalProperties: false + type: 
object + properties: + action: + enum: + - math + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + expression: + description: A non-empty string. + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + type: boolean + to: + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - expression + - to + - additionalProperties: false + description: Rename processor - Change a field name and optionally its location + type: object + properties: + action: + enum: + - rename + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + description: Existing source field to rename or move + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + description: Skip when source field is missing + type: boolean + override: + description: Allow overwriting the target field if it already exists + type: boolean + to: + description: New field name or destination path + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - to + - additionalProperties: false + description: Set processor - Assign a literal or copied value to a field (mutually exclusive inputs) + type: object + properties: + action: + enum: + - set + type: string + copy_from: + 
description: Copy value from another field instead of providing a literal + minLength: 1 + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + override: + description: Allow overwriting an existing target field + type: boolean + to: + description: Target field to set or create + minLength: 1 + type: string + value: + description: Literal value to assign to the target field + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - to + - additionalProperties: false + description: Append processor - Append one or more values to an existing or new array field + type: object + properties: + action: + enum: + - append + type: string + allow_duplicates: + description: If true, do not deduplicate appended values + type: boolean + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + to: + description: Array field to append values to + minLength: 1 + type: string + value: + description: Values to append (must be literal, no templates) + items: {} + minItems: 1 + type: array + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - to + - value + - additionalProperties: false + description: Remove by prefix processor - Remove a field and all nested fields matching the prefix + type: object + properties: + action: 
+ enum: + - remove_by_prefix + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + description: Field to remove along with all its nested fields + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + required: + - action + - from + - additionalProperties: false + description: Remove processor - Delete one or more fields from the document + type: object + properties: + action: + enum: + - remove + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + description: Field to remove from the document + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + description: Skip processing when source field is missing + type: boolean + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - additionalProperties: false + type: object + properties: + action: + enum: + - replace + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + type: boolean + pattern: + minLength: 1 + type: string + replacement: + type: string + to: + minLength: 1 + type: string + where: + $ref: 
'#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - pattern + - replacement + - additionalProperties: false + description: Redact processor - Mask sensitive data using Grok patterns + type: object + properties: + action: + enum: + - redact + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + description: Source field to redact sensitive data from + minLength: 1 type: string - description: >- - Variable group selections. Maps var_group name to the selected - option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + description: Skip processing when source field is missing (defaults to true) + type: boolean + pattern_definitions: + additionalProperties: + type: string + description: Custom pattern definitions to use in the patterns type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation for more - information) - type: object - required: - - type - - enabled - - deprecated - maxItems: 1000 - type: array - is_managed: - type: boolean - name: - description: Unique name for the package policy. - type: string - namespace: - description: >- - The package policy namespace. Leave blank to inherit the agent - policy's namespace. - type: string - output_id: - nullable: true - type: string - overrides: - additionalProperties: false - description: >- - Override settings that are defined in the package policy. 
The - override option should be used only in unusual circumstances and not - as a routine procedure. - nullable: true - type: object - properties: - inputs: - additionalProperties: - nullable: true + patterns: + description: Grok patterns to match sensitive data (for example, "%{IP:client}", "%{EMAILADDRESS:email}") + items: + description: A non-empty string. + minLength: 1 + type: string + minItems: 1 + type: array + prefix: + description: Prefix to prepend to the redacted pattern name (defaults to "<") + type: string + suffix: + description: Suffix to append to the redacted pattern name (defaults to ">") + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - patterns + - additionalProperties: false type: object - package: - $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_package' - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. - nullable: true - type: string - policy_ids: - items: - description: >- - IDs of the agent policies which that package policy will be added - to. - type: string - maxItems: 1000 - type: array - spaceIds: - items: - type: string - maxItems: 100 - type: array - supports_agentless: - default: false - deprecated: true - description: >- - Indicates whether the package policy belongs to an agentless agent - policy. Deprecated in favor of the Fleet agentless policies API. - nullable: true - type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. - nullable: true - type: boolean - var_group_selections: - additionalProperties: - type: string - description: >- - Variable group selections. Maps var_group name to the selected - option name within that group. 
- type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation for more - information) - type: object - required: - - name - - package - - inputs - title: create_package_policy_request - type: object - Kibana_HTTP_APIs_create_package_policy_response: - additionalProperties: false - properties: - item: - $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_response' - required: - - item - title: create_package_policy_response - type: object - Kibana_HTTP_APIs_delete_agent_policy_request: - additionalProperties: false - properties: - agentPolicyId: - description: The ID of the agent policy - type: string - force: - description: bypass validation checks that can prevent agent policy deletion - type: boolean - required: - - agentPolicyId - title: delete_agent_policy_request - type: object - Kibana_HTTP_APIs_delete_agent_policy_response: - additionalProperties: false - properties: - id: - type: string - name: - type: string - required: - - id - - name - title: delete_agent_policy_response - type: object - Kibana_HTTP_APIs_delete_enrollment_api_key_response: - additionalProperties: false - properties: - action: - enum: - - deleted - type: string - required: - - action - title: delete_enrollment_api_key_response - type: object - Kibana_HTTP_APIs_delete_one_package_policy_response: - additionalProperties: false - properties: - id: - type: string - required: - - id - title: delete_one_package_policy_response - type: object - Kibana_HTTP_APIs_delete_package_datastream_assets_response: - additionalProperties: false - properties: - success: - type: boolean - required: - - success - title: delete_package_datastream_assets_response - type: object - Kibana_HTTP_APIs_delete_package_policies_request: - additionalProperties: false - properties: - force: - type: boolean - 
packagePolicyIds: - items: - type: string - maxItems: 1000 - type: array - required: - - packagePolicyIds - title: delete_package_policies_request - type: object - Kibana_HTTP_APIs_delete_package_response: - additionalProperties: false - properties: - items: - items: - anyOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_kibana_asset_reference' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_es_asset_reference' - maxItems: 10000 - type: array - required: - - items - title: delete_package_response - type: object - Kibana_HTTP_APIs_deprecation_info: - additionalProperties: false - properties: - description: - type: string - replaced_by: - additionalProperties: - type: string - type: object - since: - type: string - required: - - description - title: deprecation_info - type: object - x-oas-optional: true - Kibana_HTTP_APIs_dry_run_package_policies_request: - additionalProperties: false - properties: - packagePolicyIds: - items: - type: string - maxItems: 1000 - type: array - packageVersion: - type: string - required: - - packagePolicyIds - title: dry_run_package_policies_request - type: object - Kibana_HTTP_APIs_dry_run_package_policy: - additionalProperties: true - properties: - additional_datastreams_permissions: - description: >- - Additional datastream permissions, that will be added to the agent - policy. - items: - type: string - maxItems: 1000 - nullable: true - type: array - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. - nullable: true - type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. - maxLength: 255 - minLength: 1 - nullable: true - type: string - condition: - description: >- - **Experimental.** Agent condition expression to evaluate whether to - apply this integration to its inputs. 
- type: string - created_at: - type: string - created_by: - type: string - description: - description: Package policy description - type: string - elasticsearch: - additionalProperties: true - type: object - properties: - privileges: - additionalProperties: true + properties: + action: + enum: + - uppercase + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + type: boolean + to: + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - additionalProperties: false type: object properties: - cluster: + action: + enum: + - lowercase + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + type: boolean + to: + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - additionalProperties: false + type: object + properties: + action: + enum: + - trim + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + minLength: 1 + type: 
string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + type: boolean + to: + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - additionalProperties: false + type: object + properties: + action: + enum: + - join + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + delimiter: + type: string + description: + description: Human-readable notes about this processor step + type: string + from: items: + minLength: 1 type: string - maxItems: 100 + minItems: 1 type: array - enabled: - type: boolean - errors: - items: - additionalProperties: false - type: object - properties: - key: - type: string - message: - type: string - required: - - message - maxItems: 10 - type: array - force: - type: boolean - global_data_tags: - items: - additionalProperties: false - type: object - properties: - name: - description: The name of the custom field. Cannot contain spaces. - type: string - value: - anyOf: - - type: string - - type: number - description: The value of the custom field. - required: - - name - - value - maxItems: 100 - nullable: true - type: array - id: - type: string - inputs: - items: - additionalProperties: false - type: object - properties: - compiled_input: - nullable: true - condition: - description: >- - **Experimental.** Agent condition expression to evaluate - whether to apply this input. 
- type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation for more - information) - type: object - deprecated: - $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - condition: - description: >- - **Experimental.** Agent condition expression to evaluate - whether to apply this stream. - type: string - config: - additionalProperties: - additionalProperties: false - type: object + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + type: boolean + to: + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - delimiter + - to + - additionalProperties: false + description: Split processor - Split a field value into an array using a separator + type: object + properties: + action: + enum: + - split + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + description: Source field to split into an array + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + description: Skip processing when source field is missing + type: boolean + preserve_trailing: + description: Preserve 
empty trailing fields in the split result + type: boolean + separator: + description: Regex separator used to split the field value into an array + minLength: 1 + type: string + to: + description: Target field for the split array (defaults to source) + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - separator + - additionalProperties: false + type: object + properties: + action: + enum: + - sort + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + description: Array field to sort + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + description: Skip processing when source field is missing + type: boolean + order: + description: Sort order - "asc" (ascending) or "desc" (descending). 
Defaults to "asc" + enum: + - asc + - desc + type: string + to: + description: Target field for the sorted array (defaults to source) + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - additionalProperties: false + description: Convert processor - Change the data type of a field value (integer, long, double, boolean, or string) + type: object + properties: + action: + enum: + - convert + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + description: Source field to convert to a different data type + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + description: Skip processing when source field is missing + type: boolean + to: + description: Target field for the converted value (defaults to source) + minLength: 1 + type: string + type: + description: 'Target data type: integer, long, double, boolean, or string' + enum: + - integer + - long + - double + - boolean + - string + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - type + - additionalProperties: false + type: object + properties: + action: + enum: + - concat + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + items: + anyOf: + - type: object properties: - frozen: - type: boolean type: + enum: + - field type: string value: - nullable: 
true + minLength: 1 + type: string required: + - type - value - description: >- - Package variable (see integration documentation for more - information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: >- - Variable group selections. Maps var_group name to the - selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object + - type: object properties: - frozen: - type: boolean type: + enum: + - literal type: string value: - nullable: true + type: string required: + - type - value - description: >- - Package variable (see integration documentation for more - information) - type: object - required: - - enabled - - data_stream - - compiled_stream - - deprecated - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: + minItems: 1 + type: array + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + type: boolean + to: + minLength: 1 type: string - description: >- - Variable group selections. Maps var_group name to the selected - option name within that group. 
- type: object - vars: - additionalProperties: - additionalProperties: false + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - to + - allOf: + - additionalProperties: false type: object properties: - frozen: - type: boolean - type: + action: + enum: + - network_direction type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation for more - information) - type: object - required: - - type - - enabled - - streams - - deprecated - - compiled_input - maxItems: 100 - type: array - is_managed: - type: boolean - missingVars: - items: - type: string - maxItems: 100 - type: array - name: - description: Unique name for the package policy. - type: string - namespace: - description: >- - The package policy namespace. Leave blank to inherit the agent - policy's namespace. - type: string - output_id: - nullable: true - type: string - overrides: - additionalProperties: false - description: >- - Override settings that are defined in the package policy. The - override option should be used only in unusual circumstances and not - as a routine procedure. - nullable: true - type: object - properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_package' - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. - nullable: true - type: string - policy_ids: - items: - description: >- - IDs of the agent policies which that package policy will be added - to. 
- type: string - maxItems: 1000 - type: array - revision: - type: number - secret_references: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 1000 - type: array - supports_agentless: - default: false - description: >- - Indicates whether the package policy belongs to an agentless agent - policy. - nullable: true - type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. - nullable: true - type: boolean - updated_at: - type: string - updated_by: - type: string - var_group_selections: - additionalProperties: - type: string - description: >- - Variable group selections. Maps var_group name to the selected - option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation for more - information) - type: object - version: - description: Package policy ES version. - type: string - required: - - name - - enabled - - package - - inputs - title: dry_run_package_policy - type: object - Kibana_HTTP_APIs_enrollment_api_key: - additionalProperties: false - properties: - active: - description: >- - When false, the enrollment API key is revoked and cannot be used for - enrolling Elastic Agents. - type: boolean - api_key: - description: The enrollment API key (token) used for enrolling Elastic Agents. - type: string - api_key_id: - description: The ID of the API key in the Security API. - type: string - created_at: - type: string - hidden: - type: boolean - id: - type: string - name: - description: The name of the enrollment API key. - type: string - policy_id: - description: The ID of the agent policy the Elastic Agent will be enrolled in. 
- type: string - required: - - id - - api_key_id - - api_key - - active - - created_at - title: enrollment_api_key - type: object - Kibana_HTTP_APIs_enrollment_api_key_response: - additionalProperties: false - properties: - action: - enum: - - created - type: string - item: - $ref: '#/components/schemas/Kibana_HTTP_APIs_enrollment_api_key' - required: - - item - - action - title: enrollment_api_key_response - type: object - Kibana_HTTP_APIs_es_asset_reference: - additionalProperties: false - properties: - deferred: - type: boolean - id: - type: string - type: - enum: - - index - - index_template - - component_template - - ingest_pipeline - - ilm_policy - - data_stream_ilm_policy - - transform - - ml_model - - knowledge_base - - esql_view - type: string - version: - type: string - required: - - id - - type - title: es_asset_reference - type: object - Kibana_HTTP_APIs_full_agent_policy: - additionalProperties: false - properties: - agent: - additionalProperties: false - type: object - properties: - download: - additionalProperties: false - type: object - properties: - auth: - additionalProperties: false - type: object - properties: - api_key: + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 type: string - headers: - items: - additionalProperties: false - type: object - properties: - key: - type: string - value: - type: string - required: - - key - - value - maxItems: 100 - type: array - password: + description: + description: Human-readable notes about this processor step type: string - username: + destination_ip: + minLength: 1 type: string - proxy_headers: - additionalProperties: - anyOf: - - type: string - - type: boolean - - type: number - nullable: true - type: object - proxy_url: - type: string - secrets: - additionalProperties: true - type: object - properties: - ssl: - additionalProperties: true + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + 
ignore_missing: + type: boolean + source_ip: + minLength: 1 + type: string + target_field: + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - source_ip + - destination_ip + - anyOf: + - additionalProperties: false type: object properties: - key: - additionalProperties: true - type: object - properties: - id: - type: string + internal_networks: + items: + type: string + type: array required: - - key - sourceURI: + - internal_networks + - additionalProperties: false + type: object + properties: + internal_networks_field: + minLength: 1 + type: string + required: + - internal_networks_field + - additionalProperties: false + description: JsonExtract processor - Extract values from JSON strings using JSONPath-like selectors + type: object + properties: + action: + enum: + - json_extract type: string - ssl: - additionalProperties: false - type: object - properties: - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - key: - type: string - renegotiation: - type: string - verification_mode: - type: string - target_directory: + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 type: string - timeout: + description: + description: Human-readable notes about this processor step type: string - required: - - sourceURI - features: - additionalProperties: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - required: - - enabled - type: object - internal: - nullable: true - limits: - additionalProperties: false - type: object - properties: - go_max_procs: - type: number - logging: - additionalProperties: false - type: object - properties: - files: - additionalProperties: false - type: object - properties: - interval: - type: string - keepfiles: - type: number - rotateeverybytes: - 
type: number - level: + extractions: + description: List of extraction specifications + items: + description: A single extraction specification + type: object + properties: + selector: + description: JSONPath-like selector to extract value (e.g., "user.id", "$.metadata.client.ip", "items[0].name") + minLength: 1 + type: string + target_field: + description: Target field to store the extracted value + minLength: 1 + type: string + type: + description: Data type for the extracted value. Defaults to "keyword". Ensures consistent types across transpilers. + enum: + - keyword + - integer + - long + - double + - boolean + type: string + required: + - selector + - target_field + minItems: 1 + type: array + field: + description: Source field containing the JSON string to parse + minLength: 1 type: string - metrics: - additionalProperties: false - type: object - properties: - period: - type: string - to_files: + ignore_failure: + description: Continue pipeline execution if this processor fails type: boolean - monitoring: - additionalProperties: false + ignore_missing: + description: Skip processing when source field is missing + type: boolean + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - field + - extractions + - additionalProperties: false type: object properties: - _runtime_experimental: + action: + enum: + - enrich type: string - apm: - nullable: true - diagnostics: - additionalProperties: false - type: object - properties: - limit: - additionalProperties: false - type: object - properties: - burst: - type: number - interval: - type: string - uploader: - additionalProperties: false - type: object - properties: - init_dur: - type: string - max_dur: - type: string - max_retries: - type: number - enabled: + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + 
description: Human-readable notes about this processor step + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails type: boolean - http: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - host: - type: string - port: - type: number - logs: + ignore_missing: type: boolean - metrics: + override: type: boolean - namespace: + policy_name: + description: A non-empty string. + minLength: 1 type: string - pprof: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - required: - - enabled - traces: - type: boolean - use_output: + to: + minLength: 1 type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs required: - - enabled - - metrics - - logs - - traces - - apm - protection: - additionalProperties: false + - action + - policy_name + - to + - additionalProperties: false + description: Registered domain processor - extracts domain, registered_domain, top_level_domain, subdomain from a FQDN type: object properties: - enabled: - type: boolean - signing_key: + action: + enum: + - registered_domain type: string - uninstall_token_hash: + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + expression: + description: The string expression containing the FQDN to parse + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + description: Skip processing when expression field is missing + type: boolean + prefix: + description: The prefix for the output columns. 
The extracted parts are available as prefix.part_name + minLength: 1 type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs required: - - enabled - - uninstall_token_hash - - signing_key - required: - - monitoring - - download - - features - - internal - connectors: - additionalProperties: - nullable: true - type: object - exporters: - additionalProperties: - nullable: true - type: object - extensions: - additionalProperties: - nullable: true - type: object - fleet: - anyOf: + - action + - expression + - prefix - additionalProperties: false + description: Manual ingest pipeline wrapper around native Elasticsearch processors type: object properties: - hosts: + action: + description: Manual ingest pipeline - executes raw Elasticsearch ingest processors + enum: + - manual_ingest_pipeline + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + on_failure: + description: Fallback processors to run when a processor fails items: - type: string - maxItems: 100 + additionalProperties: {} + type: object type: array - proxy_headers: - additionalProperties: - anyOf: - - type: string - - type: boolean - - type: number - nullable: true - type: object - proxy_url: + processors: + description: List of raw Elasticsearch ingest processors to run + items: + additionalProperties: {} + type: object + type: array + tag: + description: Optional ingest processor tag for Elasticsearch type: string - secrets: - additionalProperties: true - type: object - properties: - ssl: - additionalProperties: true - type: object - properties: - key: - additionalProperties: true - type: object - properties: - id: - type: string 
- required: - - key - ssl: - additionalProperties: false - type: object - properties: - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - key: - type: string - renegotiation: - type: string - verification_mode: - type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs required: - - hosts - - additionalProperties: false - type: object - properties: - kibana: - additionalProperties: false - type: object - properties: - hosts: - items: - type: string - maxItems: 100 - type: array - path: - type: string - protocol: - type: string - required: - - hosts - - protocol - required: - - kibana - id: + - action + - processors + - $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamlangConditionBlock' + Kibana_HTTP_APIs_StreamUpsertRequest: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_WiredStreamUpsertRequest' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_ClassicStreamUpsertRequest' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_QueryStreamUpsertRequest' + Kibana_HTTP_APIs_sumMetricOperation: + additionalProperties: false + properties: + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric type: string - inputs: + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Sum Metric Operation + type: object + Kibana_HTTP_APIs_tagcloudESQL: + additionalProperties: false + description: Tag Cloud configuration using an ES|QL query. + properties: + data_source: + $ref: '#/components/schemas/Kibana_HTTP_APIs_esqlDataSource' + description: + type: string + drilldowns: items: - additionalProperties: true - type: object - properties: - data_stream: - additionalProperties: true + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. 
+ type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown type: object + - additionalProperties: false properties: - namespace: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown type: string required: - - namespace - id: - type: string - meta: - additionalProperties: true + - label + - trigger + - type + title: discover_drilldown type: object + - additionalProperties: false properties: - package: - additionalProperties: true - type: object - properties: - name: - type: string - version: - type: string - required: - - name - - version - name: - type: string - package_policy_id: - type: string - processors: - items: - additionalProperties: true - type: object - properties: - add_fields: - additionalProperties: true - type: object - properties: - fields: - additionalProperties: - anyOf: - - type: string - - type: number - type: object - target: - type: string - required: - - target - - fields - required: - - add_fields - maxItems: 10000 - type: array - revision: - type: number - streams: - items: - additionalProperties: true - type: object - properties: - data_stream: - additionalProperties: true - type: object - properties: - dataset: - type: string - type: - type: string - required: - - dataset - id: - type: string - required: - - id - - data_stream - maxItems: 10000 - type: array - type: - type: string - use_output: - type: string - required: - - id - - name - - revision - - type - - data_stream - - use_output - - package_policy_id - maxItems: 10000 - type: array - namespaces: - items: - type: string - maxItems: 100 - type: array - output_permissions: - additionalProperties: - additionalProperties: - nullable: true - type: object - type: object - outputs: - additionalProperties: - additionalProperties: true - type: object - properties: - ca_sha256: - nullable: true - type: string - hosts: - items: - 
type: string - maxItems: 100 - type: array - proxy_headers: - additionalProperties: - anyOf: - - type: string - - type: boolean - - type: number - nullable: true + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown type: object - proxy_url: - type: string - type: - type: string - required: - - type - type: object - processors: - additionalProperties: - nullable: true - type: object - receivers: - additionalProperties: - nullable: true - type: object - revision: - type: number - secret_references: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 10000 + maxItems: 100 type: array - service: + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + hide_border: + type: boolean + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. 
+ type: boolean + metric: additionalProperties: false type: object properties: - extensions: - items: - type: string - maxItems: 1000 - type: array - pipelines: - additionalProperties: - additionalProperties: false - type: object - properties: - exporters: - items: - type: string - maxItems: 1000 - type: array - processors: - items: - type: string - maxItems: 1000 - type: array - receivers: - items: - type: string - maxItems: 1000 - type: array - x-oas-optional: true - type: object - signed: + column: + description: Column to use + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + required: + - column + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). + maximum: 1 + minimum: 0 + type: number + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudStyling' + tag_by: additionalProperties: false type: object properties: - data: + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + column: + description: Column to use type: string - signature: + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string required: - - data - - signature + - column + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + type: + enum: + - tag_cloud + type: string + required: + - type + - data_source + - metric + - tag_by + title: Tag Cloud Chart (ES|QL) + type: object + Kibana_HTTP_APIs_tagcloudMetricCounterRate: + additionalProperties: false + properties: + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: 
'#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - counter_rate + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Counter Rate Operation + type: object + Kibana_HTTP_APIs_tagcloudMetricCountMetric: + additionalProperties: false + properties: + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. + type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - operation + title: Count Metric Operation + type: object + Kibana_HTTP_APIs_tagcloudMetricCumulativeSum: + additionalProperties: false + properties: + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - cumulative_sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + 
time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Cumulative Sum Operation + type: object + Kibana_HTTP_APIs_tagcloudMetricDifferences: + additionalProperties: false + properties: + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - differences + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - operation + - of + title: Differences Operation + type: object + Kibana_HTTP_APIs_tagcloudMetricFormula: + additionalProperties: false + properties: + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + formula: + description: Formula + type: string + label: + description: Label for the operation + type: string + operation: + enum: + - formula + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + description: Time scale + enum: + - s + - m + - h + - d + type: string + required: + - operation + - formula + title: Formula Operation + type: object + Kibana_HTTP_APIs_tagcloudMetricLastValue: + additionalProperties: false + properties: + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: 
'#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + multi_value: + default: false + description: Whether to return all values for multi-value fields. Only affects data table and metric charts; other charts use the last value from the array. + type: boolean + operation: + enum: + - last_value + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_field: + description: Time field used to determine document recency + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + - time_field + title: Last Value Operation + type: object + Kibana_HTTP_APIs_tagcloudMetricMovingAverage: + additionalProperties: false + properties: + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - moving_average + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + window: + default: 5 + description: Window + type: number + required: + - operation + - of + title: Moving Average Operation + type: object + Kibana_HTTP_APIs_tagcloudMetricPercentile: + additionalProperties: false + properties: + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: 
'#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - percentile + type: string + percentile: + default: 95 + description: Percentile + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Percentile Operation + type: object + Kibana_HTTP_APIs_tagcloudMetricPercentileRanks: + additionalProperties: false + properties: + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - percentile_rank + type: string + rank: + default: 0 + description: Percentile Rank + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string required: - - id - - outputs - - inputs - title: full_agent_policy + - field + - operation + title: Percentile Ranks Operation type: object - Kibana_HTTP_APIs_get_agent_policy_outputs_response: + Kibana_HTTP_APIs_tagcloudMetricStatsMetric: additionalProperties: false properties: - item: - additionalProperties: false - type: object - properties: - agentPolicyId: - type: string - data: - additionalProperties: false - type: object - properties: - integrations: - items: - additionalProperties: false - type: object - properties: - id: - type: string - integrationPolicyName: - type: string - 
name: - type: string - pkgName: - type: string - maxItems: 1000 - type: array - output: - additionalProperties: false - type: object - properties: - id: - type: string - name: - type: string - required: - - id - - name - required: - - output - monitoring: - additionalProperties: false - type: object - properties: - output: - additionalProperties: false - type: object - properties: - id: - type: string - name: - type: string - required: - - id - - name - required: - - output - required: - - monitoring - - data + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - min + - max + - average + - median + - standard_deviation + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string required: - - item - title: get_agent_policy_outputs_response + - field + - operation + title: Stats Metric Operation type: object - Kibana_HTTP_APIs_get_agent_policy_response: + Kibana_HTTP_APIs_tagcloudMetricSumMetric: additionalProperties: false properties: - item: - $ref: '#/components/schemas/Kibana_HTTP_APIs_agent_policy_response' + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string required: - - item - title: get_agent_policy_response + - field + - operation + title: Sum Metric Operation type: object - Kibana_HTTP_APIs_get_bulk_assets_request: + Kibana_HTTP_APIs_tagcloudMetricUniqueCountMetric: additionalProperties: false properties: - assetIds: - items: - additionalProperties: false - type: object - properties: - id: - type: string - type: - type: string - required: - - id - - type - maxItems: 10000 - type: array + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - unique_count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string required: - - assetIds - title: get_bulk_assets_request + - field + - operation + title: Unique Count Metric Operation type: object - Kibana_HTTP_APIs_get_bulk_assets_response: + Kibana_HTTP_APIs_tagcloudNoESQL: additionalProperties: false + description: Tag Cloud configuration using a data view. properties: - items: + data_source: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' + description: + type: string + drilldowns: items: - additionalProperties: false - type: object - properties: - appLink: - type: string - attributes: - additionalProperties: false + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. 
+ type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown type: object + - additionalProperties: false properties: - description: + label: type: string - service: + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter type: string - title: + type: + enum: + - discover_drilldown type: string - id: - type: string - type: - type: string - updatedAt: - type: string - required: - - id - - type - - attributes - maxItems: 10000 + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + hide_border: + type: boolean + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. 
+ type: boolean + metric: + anyOf: + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudMetricCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudMetricUniqueCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudMetricStatsMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudMetricSumMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudMetricLastValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudMetricPercentile' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudMetricPercentileRanks' + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudMetricDifferences' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudMetricMovingAverage' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudMetricCumulativeSum' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudMetricCounterRate' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudMetricFormula' + query: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' type: array + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). 
+ maximum: 1 + minimum: 0 + type: number + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudStyling' + tag_by: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudTagDateHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudTagTerms' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudTagHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudTagRanges' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudTagFilters' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + type: + enum: + - tag_cloud + type: string required: - - items - title: get_bulk_assets_response + - type + - data_source + - metric + - tag_by + title: Tag Cloud Chart (DSL) type: object - Kibana_HTTP_APIs_get_categories_response: + Kibana_HTTP_APIs_tagcloudStyling: additionalProperties: false + description: Visual chart styling options properties: - items: - items: - $ref: '#/components/schemas/Kibana_HTTP_APIs_category_summary_item' - maxItems: 10000 - type: array + caption: + additionalProperties: false + description: Caption configuration representing the metric and the tag_by operations labels + type: object + properties: + visible: + default: true + description: When `true`, displays the caption. + type: boolean + font_size: + additionalProperties: false + description: Font size range for tags. + type: object + properties: + max: + default: 72 + description: Maximum font size. + maximum: 120 + type: number + min: + default: 18 + description: Minimum font size. + minimum: 1 + type: number + orientation: + $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_orientation' + title: Tag cloud styling + type: object + Kibana_HTTP_APIs_tagcloudTagDateHistogram: + additionalProperties: false + properties: + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + drop_partial_intervals: + description: When `true`, drops partial intervals from the results. 
+ type: boolean + field: + description: Field to be used for the date histogram. + type: string + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. + type: boolean + label: + description: Label for the operation + type: string + operation: + enum: + - date_histogram + type: string + suggested_interval: + default: auto + description: Suggested time interval. + type: string + use_original_time_range: + default: false + description: When `true`, uses the original time range instead of the current query time range. + type: boolean required: - - items - title: get_categories_response + - operation + - field + title: Date Histogram Operation type: object - Kibana_HTTP_APIs_get_data_streams_response: + Kibana_HTTP_APIs_tagcloudTagFilters: additionalProperties: false properties: - items: + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + filters: items: - additionalProperties: false - type: object - properties: - name: - type: string - required: - - name - maxItems: 10000 + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterWithLabel' + maxItems: 100 type: array + label: + description: Label for the operation + type: string + operation: + enum: + - filters + type: string required: - - items - title: get_data_streams_response + - operation + - filters + title: Filters Operation type: object - Kibana_HTTP_APIs_get_dependencies_response: + Kibana_HTTP_APIs_tagcloudTagHistogram: additionalProperties: false properties: - items: + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + field: + description: Field to be used for the histogram. + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + granularity: + anyOf: + - description: Granularity of the histogram. + maximum: 7 + minimum: 1 + type: number + - enum: + - auto + type: string + default: auto + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. 
+ type: boolean + label: + description: Label for the operation + type: string + operation: + enum: + - histogram + type: string + required: + - operation + - field + title: Histogram Operation + type: object + Kibana_HTTP_APIs_tagcloudTagRanges: + additionalProperties: false + properties: + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + field: + description: Field to be used for the range. + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - range + type: string + ranges: items: additionalProperties: false type: object properties: - name: - type: string - title: - type: string - version: + gt: + description: Greater than. + type: number + label: + description: Label. type: string - required: - - name - - version - - title - maxItems: 1000 + lte: + description: Less than or equal to. + type: number + maxItems: 100 type: array required: - - items - title: get_dependencies_response + - operation + - field + - ranges + title: Ranges Operation type: object - Kibana_HTTP_APIs_get_full_agent_policy_response: + Kibana_HTTP_APIs_tagcloudTagTerms: additionalProperties: false properties: - item: + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + excludes: + additionalProperties: false + type: object + properties: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to exclude. + type: string + maxItems: 100 + type: array + required: + - values + fields: + items: + description: Fields to be used for the terms. + type: string + maxItems: 4 + minItems: 1 + type: array + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + includes: + additionalProperties: false + type: object + properties: + as_regex: + description: When `true`, treats the values as regular expressions. 
+ type: boolean + values: + items: + description: Values to include. + type: string + maxItems: 100 + type: array + required: + - values + increase_accuracy: + description: When `true`, increases accuracy at the cost of performance. + type: boolean + label: + description: Label for the operation + type: string + limit: + default: 5 + description: Number of terms to return. + type: number + operation: + enum: + - terms + type: string + other_bucket: + additionalProperties: false + type: object + properties: + include_documents_without_field: + description: When `true`, includes documents that do not have the specified field. + type: boolean + required: + - include_documents_without_field + rank_by: anyOf: - - type: string - - $ref: '#/components/schemas/Kibana_HTTP_APIs_full_agent_policy' - required: - - item - title: get_full_agent_policy_response - type: object - Kibana_HTTP_APIs_get_info_response: - additionalProperties: false - properties: - item: - $ref: '#/components/schemas/Kibana_HTTP_APIs_get_package_info' - metadata: - $ref: '#/components/schemas/Kibana_HTTP_APIs_package_metadata' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByAlphabetical' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByRare' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankBySignificant' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomCountOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileRankOperation' required: - - item - - metadata - title: get_info_response + - operation + - fields + title: Terms Operation type: object - Kibana_HTTP_APIs_get_inputs_response: + Kibana_HTTP_APIs_termsOperation: additionalProperties: false properties: - connectors: - additionalProperties: - nullable: 
true - type: object - exporters: - additionalProperties: - nullable: true - type: object - extensions: - additionalProperties: - nullable: true + excludes: + additionalProperties: false type: object - inputs: - items: - additionalProperties: false - type: object - properties: - id: - type: string - streams: - items: - additionalProperties: true - type: object - properties: - data_stream: - additionalProperties: true - type: object - properties: - dataset: - type: string - type: - type: string - required: - - dataset - id: - type: string - required: - - id - - data_stream - maxItems: 10000 - type: array - type: + properties: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to exclude. type: string - required: - - id - - type - maxItems: 10000 + maxItems: 100 + type: array + required: + - values + fields: + items: + description: Fields to be used for the terms. + type: string + maxItems: 4 + minItems: 1 type: array - processors: - additionalProperties: - nullable: true - type: object - receivers: - additionalProperties: - nullable: true - type: object - service: + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + includes: additionalProperties: false type: object properties: - extensions: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: items: + description: Values to include. type: string - maxItems: 1000 + maxItems: 100 type: array - pipelines: - additionalProperties: - additionalProperties: false - type: object - properties: - exporters: - items: - type: string - maxItems: 1000 - type: array - processors: - items: - type: string - maxItems: 1000 - type: array - receivers: - items: - type: string - maxItems: 1000 - type: array - x-oas-optional: true - type: object + required: + - values + increase_accuracy: + description: When `true`, increases accuracy at the cost of performance. 
+ type: boolean + label: + description: Label for the operation + type: string + limit: + default: 5 + description: Number of terms to return. + type: number + operation: + enum: + - terms + type: string + other_bucket: + additionalProperties: false + type: object + properties: + include_documents_without_field: + description: When `true`, includes documents that do not have the specified field. + type: boolean + required: + - include_documents_without_field + rank_by: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByAlphabetical' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByRare' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankBySignificant' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomCountOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileRankOperation' + required: + - operation + - fields + title: Terms Operation + type: object + Kibana_HTTP_APIs_termsRankByAlphabetical: + additionalProperties: false + description: Terms ranked alphabetically. + properties: + direction: + $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByAlphabeticalDirection' + type: + enum: + - alphabetical + type: string + required: + - type + - direction + title: Terms Rank By Alphabetical + type: object + Kibana_HTTP_APIs_termsRankByAlphabeticalDirection: + description: Sort direction for alphabetical ranking. + enum: + - asc + - desc + title: termsRankByAlphabeticalDirection + type: string + Kibana_HTTP_APIs_termsRankByCustomCountOperation: + additionalProperties: false + description: Terms ranked by count, either of all documents or of a specific field. 
+ properties: + direction: + $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomDirection' + field: + description: Numeric field to be used for the custom operation. + type: string + operation: + enum: + - count + type: string + type: + enum: + - custom + type: string + required: + - type + - direction + - operation + title: Terms Rank By Custom Count Operation + type: object + Kibana_HTTP_APIs_termsRankByCustomDirection: + description: Sort direction for custom ranking. + enum: + - asc + - desc + title: termsRankByCustomDirection + type: string + Kibana_HTTP_APIs_termsRankByCustomOperation: + additionalProperties: false + description: Terms ranked by custom operation. + properties: + direction: + $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomDirection' + field: + description: Numeric field to be used for the custom operation. + type: string + operation: + enum: + - min + - max + - average + - median + - standard_deviation + - unique_count + - sum + - last_value + type: string + type: + enum: + - custom + type: string required: - - inputs - title: get_inputs_response + - type + - field + - direction + - operation + title: Terms Rank By Custom Operation type: object - Kibana_HTTP_APIs_get_installed_packages_response: + Kibana_HTTP_APIs_termsRankByMetric: additionalProperties: false + description: Terms ranked by a linked metric. properties: - items: - items: - $ref: '#/components/schemas/Kibana_HTTP_APIs_installed_package' - maxItems: 10000 - type: array - searchAfter: - items: - anyOf: - - type: string - - type: number - - type: boolean - - nullable: true - nullable: true - maxItems: 2 - type: array - total: + direction: + $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByMetricDirection' + metric_index: + default: 0 + description: Zero-based index into the metrics array identifying which metric to rank by. 
+ minimum: 0 type: number + type: + enum: + - metric + type: string required: - - items - - total - title: get_installed_packages_response + - type + - direction + title: Terms Rank By Metric type: object - Kibana_HTTP_APIs_get_k8s_manifest_response: + Kibana_HTTP_APIs_termsRankByMetricDirection: + description: Sort direction for metric-based ranking. + enum: + - asc + - desc + title: termsRankByMetricDirection + type: string + Kibana_HTTP_APIs_termsRankByPercentileOperation: additionalProperties: false + description: Terms ranked by a percentile of a numeric field, for example the 95th percentile of response time. properties: - item: + direction: + $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomDirection' + field: + description: Numeric field to be used for the custom operation. + type: string + operation: + enum: + - percentile + type: string + percentile: + default: 95 + description: The percentile threshold (0–100) at which to compute the field value used for ranking terms. + type: number + type: + enum: + - custom type: string required: - - item - title: get_k8s_manifest_response + - type + - field + - direction + - operation + title: Terms Rank By Percentile Operation type: object - Kibana_HTTP_APIs_get_limited_packages_response: + Kibana_HTTP_APIs_termsRankByPercentileRankOperation: additionalProperties: false + description: 'Terms ranked by the percentile rank of a single value: the proportion of field values at or below that value.' properties: - items: - items: - type: string - maxItems: 10000 - type: array + direction: + $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomDirection' + field: + description: Numeric field to be used for the custom operation. + type: string + operation: + enum: + - percentile_rank + type: string + rank: + default: 0 + description: The numeric value for which to compute the percentile rank (the percentage of field values at or below this value). 
+ type: number + type: + enum: + - custom + type: string required: - - items - title: get_limited_packages_response + - type + - field + - direction + - operation + title: Terms Rank By Percentile Rank Operation type: object - Kibana_HTTP_APIs_get_list_agent_policy_outputs_request: + Kibana_HTTP_APIs_termsRankByRare: additionalProperties: false + description: Terms ranked by rarity. properties: - ids: - description: list of package policy ids - items: - type: string - maxItems: 1000 - type: array + max: + description: Maximum number of rare terms to include. + type: number + type: + enum: + - rare + type: string required: - - ids - title: get_list_agent_policy_outputs_request + - type + - max + title: Terms Rank By Rarity type: object - Kibana_HTTP_APIs_get_list_agent_policy_outputs_response: + Kibana_HTTP_APIs_termsRankBySignificant: additionalProperties: false + description: Terms ranked by significance. properties: - items: - items: - additionalProperties: false - type: object - properties: - agentPolicyId: - type: string - data: - additionalProperties: false - type: object - properties: - integrations: - items: - additionalProperties: false - type: object - properties: - id: - type: string - integrationPolicyName: - type: string - name: - type: string - pkgName: - type: string - maxItems: 1000 - type: array - output: - additionalProperties: false - type: object - properties: - id: - type: string - name: - type: string - required: - - id - - name - required: - - output - monitoring: - additionalProperties: false - type: object - properties: - output: - additionalProperties: false - type: object - properties: - id: - type: string - name: - type: string - required: - - id - - name - required: - - output - required: - - monitoring - - data - maxItems: 10000 - type: array + type: + enum: + - significant + type: string required: - - items - title: get_list_agent_policy_outputs_response + - type + title: Terms Rank By Significance type: object - 
Kibana_HTTP_APIs_get_one_bulk_operation_packages_response: + Kibana_HTTP_APIs_transform-health-create-rule-body-alerting: additionalProperties: false properties: - error: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_alert_delay' + artifacts: additionalProperties: false type: object properties: - message: - type: string - required: - - message - results: - items: - additionalProperties: false - type: object - properties: - error: + dashboards: + items: additionalProperties: false type: object properties: - message: + id: type: string required: - - message - name: - type: string - success: - type: boolean - required: - - name - - success - maxItems: 10000 - type: array - status: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string - required: - - status - title: get_one_bulk_operation_packages_response - type: object - Kibana_HTTP_APIs_get_package_info: - additionalProperties: true - properties: - agent: + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: additionalProperties: false - type: object + description: The parameters for the transform health rule. These parameters are appropriate when `rule_type_id` is `transform_health`. properties: - privileges: + excludeTransforms: + default: [] + items: + type: string + nullable: true + type: array + includeTransforms: + items: + type: string + type: array + testsConfig: additionalProperties: false + nullable: true type: object properties: - root: - type: boolean - asset_tags: - items: - additionalProperties: false - type: object - properties: - asset_ids: - items: - type: string - maxItems: 1000 - type: array - asset_types: - items: - type: string - maxItems: 100 - type: array - text: - type: string - required: - - text - maxItems: 1000 - type: array - assets: - additionalProperties: - nullable: true + errorMessages: + additionalProperties: false + nullable: true + type: object + properties: + enabled: + default: false + type: boolean + healthCheck: + additionalProperties: false + nullable: true + type: object + properties: + enabled: + default: true + type: boolean + notStarted: + additionalProperties: false + nullable: true + type: object + properties: + enabled: + default: true + type: boolean + required: + - notStarted + - errorMessages + - 
healthCheck + required: + - includeTransforms + - testsConfig + title: Transform Health Rule Params type: object - categories: - items: - type: string - maxItems: 100 - type: array - conditions: - additionalProperties: true + rule_type_id: + enum: + - transform_health + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. type: object properties: - deprecated: - $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' - elastic: - additionalProperties: true - type: object - properties: - capabilities: - items: - type: string - maxItems: 10 - type: array - subscription: - type: string - kibana: - additionalProperties: true - type: object - properties: - version: - type: string + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string required: - - deprecated - data_streams: + - interval + tags: + default: [] + description: The tags for the rule. items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 + type: string type: array - deprecated: - $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Transform health + type: object + Kibana_HTTP_APIs_treemapESQL: + additionalProperties: false + description: Treemap chart configuration schema for ES|QL queries, defining metrics and breakdown dimensions using column-based configuration + properties: + data_source: + $ref: '#/components/schemas/Kibana_HTTP_APIs_esqlDataSource' description: type: string - discovery: - additionalProperties: true - type: object - properties: - datasets: - items: - additionalProperties: true + drilldowns: + items: + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. 
+ type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown type: object + - additionalProperties: false properties: - name: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown type: string required: - - name - maxItems: 100 - type: array - fields: - items: - additionalProperties: true + - label + - trigger + - type + title: discover_drilldown type: object + - additionalProperties: false properties: - name: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable type: string required: - - name - maxItems: 100 - type: array - download: - type: string - elasticsearch: - additionalProperties: - nullable: true - type: object - format_version: - type: string - icons: - items: - $ref: '#/components/schemas/Kibana_HTTP_APIs_package_icon' - maxItems: 100 - type: array - installationInfo: - $ref: '#/components/schemas/Kibana_HTTP_APIs_installation_info' - internal: - type: boolean - keepPoliciesUpToDate: - type: boolean - latestVersion: - type: string - license: - type: string - licensePath: - type: string - name: - type: string - notice: - type: string - owner: - additionalProperties: true - type: object - properties: - github: - type: string - type: - enum: - - elastic - - partner - - community - type: string - path: - type: string - policy_templates: - items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 - type: array - readme: - type: string - release: - 
enum: - - ga - - beta - - experimental - type: string - screenshots: - items: - $ref: '#/components/schemas/Kibana_HTTP_APIs_package_icon' + - url + - label + - trigger + - type + title: url_drilldown + type: object maxItems: 100 type: array - signature_path: - type: string - source: - additionalProperties: true - type: object - properties: - license: - type: string - required: - - license - status: - type: string - title: - type: string - type: - anyOf: - - enum: - - integration - type: string - - enum: - - input - type: string - - enum: - - content - type: string - - type: string - var_groups: + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + group_by: + description: Array of breakdown dimensions (minimum 1) items: - additionalProperties: true - type: object - properties: - description: - type: string - name: - type: string - options: - items: - additionalProperties: true - type: object - properties: - description: - type: string - hide_in_deployment_modes: - items: - enum: - - default - - agentless - type: string - maxItems: 2 - type: array - name: - type: string - title: - type: string - vars: - items: - type: string - maxItems: 100 - type: array - required: - - name - - title - - vars - maxItems: 100 - type: array - selector_title: + additionalProperties: false + type: object + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + column: + description: Column to use type: string - title: + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string required: - - name - - title - - selector_title - - options + - column maxItems: 100 + minItems: 1 type: array - vars: + hide_border: + type: boolean + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. 
Defaults to `false`. + type: boolean + legend: + $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapLegend' + metrics: + description: Array of metric configurations (minimum 1) items: - additionalProperties: - nullable: true + additionalProperties: false type: object - maxItems: 1000 + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + column: + description: Column to use + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + required: + - column + maxItems: 100 + minItems: 1 type: array - version: + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). + maximum: 1 + minimum: 0 + type: number + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapStyling' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + type: + enum: + - treemap type: string required: - - installationInfo - - name - - version - - title - - deprecated - - assets - title: get_package_info + - type + - data_source + - metrics + title: Treemap Chart (ES|QL) type: object - Kibana_HTTP_APIs_get_packages_response: + Kibana_HTTP_APIs_treemapGroupByDateHistogram: additionalProperties: false properties: - items: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + drop_partial_intervals: + description: When `true`, drops partial intervals from the results. + type: boolean + field: + description: Field to be used for the date histogram. + type: string + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. 
+ type: boolean + label: + description: Label for the operation + type: string + operation: + enum: + - date_histogram + type: string + suggested_interval: + default: auto + description: Suggested time interval. + type: string + use_original_time_range: + default: false + description: When `true`, uses the original time range instead of the current query time range. + type: boolean + required: + - operation + - field + title: Date Histogram Operation + type: object + Kibana_HTTP_APIs_treemapGroupByFilters: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + filters: items: - $ref: '#/components/schemas/Kibana_HTTP_APIs_package_list_item' - maxItems: 10000 + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterWithLabel' + maxItems: 100 type: array + label: + description: Label for the operation + type: string + operation: + enum: + - filters + type: string required: - - items - title: get_packages_response + - operation + - filters + title: Filters Operation type: object - Kibana_HTTP_APIs_get_stats_response: + Kibana_HTTP_APIs_treemapGroupByHistogram: additionalProperties: false properties: - response: - additionalProperties: false - type: object - properties: - agent_policy_count: - type: number - package_policy_count: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + field: + description: Field to be used for the histogram. + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + granularity: + anyOf: + - description: Granularity of the histogram. + maximum: 7 + minimum: 1 type: number - required: - - agent_policy_count - - package_policy_count + - enum: + - auto + type: string + default: auto + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. 
+ type: boolean + label: + description: Label for the operation + type: string + operation: + enum: + - histogram + type: string required: - - response - title: get_stats_response + - operation + - field + title: Histogram Operation type: object - Kibana_HTTP_APIs_get_verification_key_id_response: + Kibana_HTTP_APIs_treemapGroupByRanges: additionalProperties: false properties: - id: - nullable: true + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + field: + description: Field to be used for the range. + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - range type: string + ranges: + items: + additionalProperties: false + type: object + properties: + gt: + description: Greater than. + type: number + label: + description: Label. + type: string + lte: + description: Less than or equal to. + type: number + maxItems: 100 + type: array required: - - id - title: get_verification_key_id_response + - operation + - field + - ranges + title: Ranges Operation type: object - Kibana_HTTP_APIs_install_kibana_assets_request: + Kibana_HTTP_APIs_treemapGroupByTerms: additionalProperties: false properties: - force: - type: boolean - space_ids: - description: >- - When provided install assets in the specified spaces instead of the - current space. + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + excludes: + additionalProperties: false + type: object + properties: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to exclude. + type: string + maxItems: 100 + type: array + required: + - values + fields: items: + description: Fields to be used for the terms. 
type: string - maxItems: 100 + maxItems: 4 minItems: 1 type: array - title: install_kibana_assets_request + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + includes: + additionalProperties: false + type: object + properties: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to include. + type: string + maxItems: 100 + type: array + required: + - values + increase_accuracy: + description: When `true`, increases accuracy at the cost of performance. + type: boolean + label: + description: Label for the operation + type: string + limit: + default: 5 + description: Number of terms to return. + type: number + operation: + enum: + - terms + type: string + other_bucket: + additionalProperties: false + type: object + properties: + include_documents_without_field: + description: When `true`, includes documents that do not have the specified field. + type: boolean + required: + - include_documents_without_field + rank_by: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByAlphabetical' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByRare' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankBySignificant' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomCountOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileRankOperation' + required: + - operation + - fields + title: Terms Operation type: object - Kibana_HTTP_APIs_install_kibana_assets_response: + Kibana_HTTP_APIs_treemapLegend: additionalProperties: false + description: Configuration for the treemap chart legend appearance and behavior properties: - success: + nested: + description: Show nested legend with 
hierarchical breakdown levels type: boolean + size: + $ref: '#/components/schemas/Kibana_HTTP_APIs_legendSize' + truncate_after_lines: + description: Number of lines before legend items are truncated. + maximum: 10 + minimum: 1 + title: legendTruncateAfterLines + type: number + visibility: + description: Legend visibility. + enum: + - auto + - visible + - hidden + type: string + title: Legend + type: object + Kibana_HTTP_APIs_treemapMetricCounterRate: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - counter_rate + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string required: - - success - title: install_kibana_assets_response + - field + - operation + title: Counter Rate Operation type: object - Kibana_HTTP_APIs_install_package_from_registry_request: + Kibana_HTTP_APIs_treemapMetricCountMetric: additionalProperties: false properties: - force: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + empty_as_null: default: false + description: When `true`, treats empty buckets as null instead of zero. 
type: boolean - ignore_constraints: + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - operation + title: Count Metric Operation + type: object + Kibana_HTTP_APIs_treemapMetricCumulativeSum: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - cumulative_sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Cumulative Sum Operation + type: object + Kibana_HTTP_APIs_treemapMetricDifferences: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: 
'#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - differences + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - operation + - of + title: Differences Operation + type: object + Kibana_HTTP_APIs_treemapMetricFormula: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + formula: + description: Formula + type: string + label: + description: Label for the operation + type: string + operation: + enum: + - formula + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + description: Time scale + enum: + - s + - m + - h + - d + type: string + required: + - operation + - formula + title: Formula Operation + type: object + Kibana_HTTP_APIs_treemapMetricLastValue: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + multi_value: default: false + description: Whether to return all 
values for multi-value fields. Only affects data table and metric charts; other charts use the last value from the array. type: boolean - title: install_package_from_registry_request + operation: + enum: + - last_value + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_field: + description: Time field used to determine document recency + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + - time_field + title: Last Value Operation type: object - Kibana_HTTP_APIs_install_package_response: + Kibana_HTTP_APIs_treemapMetricMovingAverage: additionalProperties: false properties: - _meta: - additionalProperties: false - type: object - properties: - install_source: - type: string - name: - type: string - required: - - install_source - - name - items: - items: - anyOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_kibana_asset_reference' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_es_asset_reference' - maxItems: 10000 - type: array + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - moving_average + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + window: + 
default: 5 + description: Window + type: number required: - - items - - _meta - title: install_package_response + - operation + - of + title: Moving Average Operation type: object - Kibana_HTTP_APIs_install_rule_assets_request: + Kibana_HTTP_APIs_treemapMetricPercentile: additionalProperties: false properties: - force: - type: boolean - title: install_rule_assets_request + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - percentile + type: string + percentile: + default: 95 + description: Percentile + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Percentile Operation type: object - Kibana_HTTP_APIs_installation_info: - additionalProperties: true + Kibana_HTTP_APIs_treemapMetricPercentileRanks: + additionalProperties: false properties: - additional_spaces_installed_kibana: - additionalProperties: - items: - $ref: '#/components/schemas/Kibana_HTTP_APIs_kibana_asset_reference' - maxItems: 100 - type: array - type: object - created_at: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric type: string - experimental_data_stream_features: - items: - additionalProperties: true - type: object - properties: - data_stream: - type: string - features: 
- additionalProperties: true - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - install_format_schema_version: + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string - install_source: + operation: enum: - - registry - - upload - - bundled - - custom + - percentile_rank type: string - install_status: + rank: + default: 0 + description: Percentile Rank + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Percentile Ranks Operation + type: object + Kibana_HTTP_APIs_treemapMetricStatsMetric: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: enum: - - installed - - installing - - install_failed + - min + - max + - average + - median + - standard_deviation type: string - installed_es: - items: - $ref: '#/components/schemas/Kibana_HTTP_APIs_es_asset_reference' - maxItems: 10000 - type: array - installed_kibana: - items: - $ref: '#/components/schemas/Kibana_HTTP_APIs_kibana_asset_reference' - maxItems: 10000 - type: array - 
installed_kibana_space_id: + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting type: string - is_rollback_ttl_expired: + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Stats Metric Operation + type: object + Kibana_HTTP_APIs_treemapMetricSumMetric: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. type: boolean - latest_executed_state: - additionalProperties: true - type: object - properties: - error: - type: string - name: - type: string - started_at: - type: string - latest_install_failed_attempts: + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Sum Metric Operation + type: object + Kibana_HTTP_APIs_treemapMetricUniqueCountMetric: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + empty_as_null: + default: false + description: When `true`, treats empty buckets as null 
instead of zero. + type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - unique_count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Unique Count Metric Operation + type: object + Kibana_HTTP_APIs_treemapNoESQL: + additionalProperties: false + description: Treemap chart configuration schema for data source queries (non-ES|QL mode), defining metrics and breakdown dimensions + properties: + data_source: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' + description: + type: string + drilldowns: items: - additionalProperties: true - type: object - properties: - created_at: - type: string - error: - additionalProperties: true + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. 
+ type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown type: object + - additionalProperties: false properties: - message: + label: type: string - name: + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter type: string - stack: + type: + enum: + - discover_drilldown type: string required: - - name - - message - target_version: - type: string - required: - - created_at - - target_version - - error - maxItems: 10 + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. 
Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 type: array - name: - type: string - namespaces: + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + group_by: + description: Array of breakdown dimensions (minimum 1) items: - type: string + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapGroupByDateHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapGroupByTerms' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapGroupByHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapGroupByRanges' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapGroupByFilters' maxItems: 100 + minItems: 1 type: array - previous_version: - nullable: true - type: string - rolled_back: + hide_border: type: boolean - type: - type: string - updated_at: - type: string - verification_key_id: - nullable: true + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. 
+ type: boolean + legend: + $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapLegend' + metrics: + description: Array of metric configurations (minimum 1) + items: + anyOf: + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapMetricCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapMetricUniqueCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapMetricStatsMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapMetricSumMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapMetricLastValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapMetricPercentile' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapMetricPercentileRanks' + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapMetricDifferences' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapMetricMovingAverage' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapMetricCumulativeSum' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapMetricCounterRate' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapMetricFormula' + maxItems: 100 + minItems: 1 + type: array + query: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). 
+ maximum: 1 + minimum: 0 + type: number + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapStyling' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: type: string - verification_status: + type: enum: - - unverified - - verified - - unknown - type: string - version: + - treemap type: string required: - type - - installed_kibana - - installed_es - - name - - version - - install_status - - install_source - - verification_status - title: installation_info + - data_source + - metrics + title: Treemap Chart (DSL) type: object - x-oas-optional: true - Kibana_HTTP_APIs_installed_package: + Kibana_HTTP_APIs_treemapStyling: additionalProperties: false + description: Visual chart styling options properties: - dataStreams: - items: - additionalProperties: false - type: object - properties: - name: - type: string - title: - type: string - required: - - name - - title - maxItems: 10000 - type: array - description: + labels: + additionalProperties: false + description: Labels configuration + type: object + properties: + visible: + description: Show category labels + type: boolean + values: + $ref: '#/components/schemas/Kibana_HTTP_APIs_valueDisplay' + title: Treemap styling + type: object + Kibana_HTTP_APIs_unassignedColorSchema: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorFromPalette' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_color_code' + description: The color to use for unassigned values. + title: unassignedColorSchema + Kibana_HTTP_APIs_uniqueCountMetricOperation: + additionalProperties: false + properties: + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric type: string - icons: - items: - $ref: '#/components/schemas/Kibana_HTTP_APIs_package_icon' - maxItems: 100 - type: array - name: + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string - status: + operation: + enum: + - unique_count type: string - title: + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting type: string - version: + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting type: string required: - - name - - version - - status - - dataStreams - title: installed_package + - field + - operation + title: Unique Count Metric Operation type: object - Kibana_HTTP_APIs_kibana_asset_reference: + Kibana_HTTP_APIs_update_output_elasticsearch: additionalProperties: false properties: - deferred: - type: boolean - id: + allow_edit: + items: + type: string + maxItems: 1000 + type: array + ca_sha256: + nullable: true type: string - originId: + ca_trusted_fingerprint: + nullable: true type: string - type: - anyOf: - - enum: - - dashboard - - lens - - visualization - - search - - index-pattern - - map - - ml-module - - security-rule - - csp-rule-template - - osquery-pack-asset - - osquery-saved-query - - tag - type: string - - type: string - required: - - id - - type - title: kibana_asset_reference - type: object - Kibana_HTTP_APIs_new_agent_policy: - additionalProperties: false - properties: - advanced_settings: - additionalProperties: false - type: object - properties: - agent_download_target_directory: - nullable: true - agent_download_timeout: - nullable: true - agent_features_disable_policy_change_acks_enabled: - nullable: true - agent_internal: - nullable: true - agent_limits_go_max_procs: - 
nullable: true - agent_logging_files_interval: - nullable: true - agent_logging_files_keepfiles: - nullable: true - agent_logging_files_rotateeverybytes: - nullable: true - agent_logging_level: - nullable: true - agent_logging_metrics_period: - nullable: true - agent_logging_to_files: - nullable: true - agent_monitoring_runtime_experimental: - nullable: true - agent_features: + config_yaml: + nullable: true + type: string + hosts: items: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - name: - type: string - required: - - name - - enabled - maxItems: 100 + format: uri + type: string + maxItems: 10 + minItems: 1 type: array - agentless: + id: + type: string + is_default: + type: boolean + is_default_monitoring: + type: boolean + is_internal: + type: boolean + is_preconfigured: + type: boolean + name: + type: string + otel_disable_beatsauth: + nullable: true + type: boolean + otel_exporter_config_yaml: + nullable: true + type: string + preset: + enum: + - balanced + - custom + - throughput + - scale + - latency + type: string + proxy_id: + nullable: true + type: string + secrets: additionalProperties: false type: object properties: - cloud_connectors: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - target_csp: - enum: - - aws - - azure - - gcp - type: string - required: - - enabled - cluster_id: - type: string - resources: + ssl: additionalProperties: false type: object properties: - requests: - additionalProperties: false - type: object - properties: - cpu: - type: string - memory: - type: string - bumpRevision: - type: boolean - data_output_id: + key: + anyOf: + - additionalProperties: false + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + shipper: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' + nullable: true + ssl: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' nullable: 
true + type: + enum: + - elasticsearch type: string - description: + write_to_logs_streams: + nullable: true + type: boolean + title: update_output_elasticsearch + type: object + Kibana_HTTP_APIs_update_output_kafka: + additionalProperties: false + properties: + allow_edit: + items: + type: string + maxItems: 1000 + type: array + auth_type: + enum: + - none + - user_pass + - ssl + - kerberos type: string - download_source_id: + broker_timeout: + type: number + ca_sha256: nullable: true type: string - fleet_server_host_id: + ca_trusted_fingerprint: nullable: true type: string - force: - type: boolean - global_data_tags: - description: >- - User defined data tags that are added to all of the inputs. The - values can be strings or numbers. + client_id: + type: string + compression: + enum: + - gzip + - snappy + - lz4 + - none + type: string + compression_level: + nullable: true + type: number + config_yaml: + nullable: true + type: string + connection_type: + enum: + - plaintext + - encryption + type: string + hash: + additionalProperties: false + type: object + properties: + hash: + type: string + random: + type: boolean + headers: items: additionalProperties: false type: object properties: - name: + key: type: string value: - anyOf: - - type: string - - type: number + type: string required: - - name + - key - value maxItems: 100 type: array - has_agent_version_conditions: - type: boolean - has_fleet_server: - type: boolean + hosts: + items: + type: string + maxItems: 10 + minItems: 1 + type: array id: type: string - inactivity_timeout: - default: 1209600 - minimum: 0 - type: number is_default: + default: false type: boolean - is_default_fleet_server: - type: boolean - is_managed: + is_default_monitoring: + default: false type: boolean - is_protected: + is_internal: type: boolean - is_verifier: + is_preconfigured: type: boolean - keep_monitoring_alive: - default: false - description: >- - When set to true, monitoring will be enabled but logs/metrics - collection will 
be disabled + key: + type: string + name: + type: string + otel_disable_beatsauth: nullable: true type: boolean - min_agent_version: + otel_exporter_config_yaml: nullable: true type: string - monitoring_diagnostics: + partition: + enum: + - random + - round_robin + - hash + type: string + password: + nullable: true + type: string + proxy_id: + nullable: true + type: string + random: additionalProperties: false type: object properties: - limit: - additionalProperties: false - type: object - properties: - burst: - type: number - interval: - type: string - uploader: - additionalProperties: false - type: object - properties: - init_dur: - type: string - max_dur: - type: string - max_retries: - type: number - monitoring_enabled: - items: - enum: - - logs - - metrics - - traces - type: string - maxItems: 3 - type: array - monitoring_http: + group_events: + type: number + required_acks: + enum: + - 1 + - 0 + - -1 + type: integer + round_robin: additionalProperties: false type: object properties: - buffer: - additionalProperties: false - type: object - properties: - enabled: - default: false - type: boolean - enabled: - type: boolean - host: - type: string - port: - maximum: 65353 - minimum: 0 + group_events: type: number - monitoring_output_id: - nullable: true - type: string - monitoring_pprof_enabled: - type: boolean - name: - minLength: 1 - type: string - namespace: - minLength: 1 - type: string - overrides: - additionalProperties: - nullable: true - description: >- - Override settings that are defined in the agent policy. Input - settings cannot be overridden. The override option should be used - only in unusual circumstances and not as a routine procedure. 
+ sasl: + additionalProperties: false nullable: true type: object - package_agent_version_conditions: - items: - additionalProperties: false - type: object - properties: - name: - type: string - title: - type: string - version_condition: - type: string - required: - - name - - title - - version_condition - maxItems: 1000 - nullable: true - type: array - required_versions: - items: - additionalProperties: false - type: object - properties: - percentage: - description: Target percentage of agents to auto upgrade - maximum: 100 - minimum: 0 - type: number - version: - description: Target version for automatic agent upgrade - type: string - required: - - version - - percentage - maxItems: 100 + properties: + mechanism: + enum: + - PLAIN + - SCRAM-SHA-256 + - SCRAM-SHA-512 + type: string + secrets: + additionalProperties: false + type: object + properties: + password: + anyOf: + - additionalProperties: false + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + key: + anyOf: + - additionalProperties: false + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + required: + - key + shipper: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' nullable: true - type: array - space_ids: - items: - type: string - maxItems: 100 - type: array - supports_agentless: - default: false - deprecated: true - description: >- - Indicates whether the agent policy supports agentless integrations. - Deprecated in favor of the Fleet agentless policies API. 
+ ssl: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' nullable: true - type: boolean - unenroll_timeout: - minimum: 0 + timeout: type: number - required: - - name - - namespace - title: new_agent_policy - type: object - Kibana_HTTP_APIs_new_enrollment_api_key: - additionalProperties: false - properties: - expiration: + topic: type: string - name: + type: + enum: + - kafka type: string - policy_id: + username: + nullable: true + type: string + version: type: string required: - - policy_id - title: new_enrollment_api_key + - name + title: update_output_kafka type: object - Kibana_HTTP_APIs_new_output_elasticsearch: + Kibana_HTTP_APIs_update_output_logstash: additionalProperties: false properties: allow_edit: @@ -59394,7 +111983,6 @@ components: type: string hosts: items: - format: uri type: string maxItems: 10 minItems: 1 @@ -59402,10 +111990,8 @@ components: id: type: string is_default: - default: false type: boolean is_default_monitoring: - default: false type: boolean is_internal: type: boolean @@ -59419,14 +112005,6 @@ components: otel_exporter_config_yaml: nullable: true type: string - preset: - enum: - - balanced - - custom - - throughput - - scale - - latency - type: string proxy_id: nullable: true type: string @@ -59460,18 +112038,11 @@ components: nullable: true type: enum: - - elasticsearch + - logstash type: string - write_to_logs_streams: - nullable: true - type: boolean - required: - - name - - type - - hosts - title: new_output_elasticsearch + title: update_output_logstash type: object - Kibana_HTTP_APIs_new_output_kafka: + Kibana_HTTP_APIs_update_output_remote_elasticsearch: additionalProperties: false properties: allow_edit: 
@@ -59479,65 +112050,18 @@ components: type: string maxItems: 1000 type: array - auth_type: - enum: - - none - - user_pass - - ssl - - kerberos - type: string - broker_timeout: - type: number ca_sha256: nullable: true type: string ca_trusted_fingerprint: nullable: true type: string - client_id: - type: string - compression: - enum: - - gzip - - snappy - - lz4 - - none - type: string - compression_level: - nullable: true - type: number config_yaml: nullable: true type: string - connection_type: - enum: - - plaintext - - encryption - type: string - hash: - additionalProperties: false - type: object - properties: - hash: - type: string - random: - type: boolean - headers: - items: - additionalProperties: false - type: object - properties: - key: - type: string - value: - type: string - required: - - key - - value - maxItems: 100 - type: array hosts: items: + format: uri type: string maxItems: 10 minItems: 1 @@ -59545,16 +112069,18 @@ components: id: type: string is_default: - default: false type: boolean is_default_monitoring: - default: false type: boolean is_internal: type: boolean is_preconfigured: type: boolean - key: + kibana_api_key: + nullable: true + type: string + kibana_url: + nullable: true type: string name: type: string 
@@ -59564,2854 +112090,6147 @@ components: otel_exporter_config_yaml: nullable: true type: string - partition: + preset: enum: - - random - - round_robin - - hash - type: string - password: - nullable: true + - balanced + - custom + - throughput + - scale + - latency type: string proxy_id: nullable: true type: string - random: + secrets: additionalProperties: false type: object properties: - group_events: - type: number - required_acks: + service_token: + anyOf: + - additionalProperties: false + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + key: + anyOf: + - additionalProperties: false + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + service_token: + nullable: true + type: string + shipper: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' + nullable: true + ssl: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + nullable: true + sync_integrations: + type: boolean + sync_uninstalled_integrations: + type: boolean + type: enum: - - 1 - - 0 - - -1 - type: integer - round_robin: + - remote_elasticsearch + type: string + write_to_logs_streams: + nullable: true + type: boolean + title: update_output_remote_elasticsearch + type: object + Kibana_HTTP_APIs_update_package_policy_request: + additionalProperties: false + properties: + additional_datastreams_permissions: + description: Additional data stream permissions that will be added to the agent policy. + items: + type: string + maxItems: 1000 + nullable: true + type: array + cloud_connector_id: + description: ID of the cloud connector associated with this package policy. + nullable: true + type: string + cloud_connector_name: + description: Transient field for cloud connector name during creation. 
+ maxLength: 255 + minLength: 1 + nullable: true + type: string + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this integration to its inputs.' + type: string + description: + description: Package policy description + type: string + enabled: + type: boolean + force: + type: boolean + global_data_tags: + items: + additionalProperties: false + type: object + properties: + name: + description: The name of the custom field. Cannot contain spaces. + type: string + value: + anyOf: + - type: string + - type: number + description: The value of the custom field. + required: + - name + - value + maxItems: 100 + nullable: true + type: array + inputs: + items: + additionalProperties: false + type: object + properties: + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' + type: string + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + name: + type: string + policy_template: + type: string + streams: + items: + additionalProperties: false + type: object + properties: + compiled_stream: + nullable: true + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' 
+ type: string + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + data_stream: + additionalProperties: false + type: object + properties: + dataset: + type: string + elasticsearch: + additionalProperties: false + type: object + properties: + dynamic_dataset: + type: boolean + dynamic_namespace: + type: boolean + privileges: + additionalProperties: false + type: object + properties: + indices: + items: + type: string + maxItems: 100 + type: array + type: + type: string + required: + - dataset + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + release: + enum: + - ga + - beta + - experimental + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - enabled + - data_stream + - compiled_stream + maxItems: 1000 + type: array + type: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. 
+ type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - type + - enabled + maxItems: 1000 + type: array + is_managed: + type: boolean + name: + type: string + namespace: + description: The package policy namespace. Leave blank to inherit the agent policy's namespace. + type: string + output_id: + nullable: true + type: string + overrides: additionalProperties: false + description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. + nullable: true type: object properties: - group_events: - type: number - sasl: - additionalProperties: false + inputs: + additionalProperties: + nullable: true + type: object + package: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_package' + package_agent_version_condition: + type: string + policy_id: + deprecated: true + description: ID of the agent policy which the package policy will be added to. + nullable: true + type: string + policy_ids: + items: + description: IDs of the agent policies that the package policy will be added to. + type: string + maxItems: 1000 + type: array + spaceIds: + items: + type: string + maxItems: 100 + type: array + supports_agentless: + default: false + description: Indicates whether the package policy belongs to an agentless agent policy. nullable: true + type: boolean + supports_cloud_connector: + default: false + description: Indicates whether the package policy supports cloud connectors. + nullable: true + type: boolean + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. 
type: object - properties: - mechanism: - enum: - - PLAIN - - SCRAM-SHA-256 - - SCRAM-SHA-512 - type: string - secrets: + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + version: + type: string + title: update_package_policy_request + type: object + Kibana_HTTP_APIs_update_package_request: + additionalProperties: false + properties: + keepPoliciesUpToDate: + type: boolean + namespace_customization_enabled_for: + description: Namespaces for which namespace-level customization is enabled on this package. + items: + type: string + maxItems: 100 + type: array + title: update_package_request + type: object + Kibana_HTTP_APIs_update_package_response: + additionalProperties: false + properties: + item: + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_package_info' + required: + - item + title: update_package_response + type: object + Kibana_HTTP_APIs_update_rule: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_update_rule_action' + type: array + alert_delay: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_alert_delay' + artifacts: additionalProperties: false type: object properties: - password: - anyOf: - - additionalProperties: false - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - ssl: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: additionalProperties: false type: object properties: - key: - anyOf: - - additionalProperties: false - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string + blob: + maxLength: 10000 + 
type: string required: - - key - shipper: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' - nullable: true - ssl: + - blob + flapping: allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' nullable: true - timeout: - type: number - topic: + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. type: string - type: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - - kafka - type: string - username: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval nullable: true type: string - version: + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the rule. + type: object + schedule: + additionalProperties: false + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + items: + description: The tags for the rule. + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. 
NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true type: string required: - name - - type - - hosts - - auth_type - title: new_output_kafka + - schedule + title: update_rule type: object - Kibana_HTTP_APIs_new_output_logstash: + Kibana_HTTP_APIs_update_rule_action: additionalProperties: false + description: An action that runs under defined conditions. properties: - allow_edit: - items: - type: string - maxItems: 1000 - type: array - ca_sha256: - nullable: true - type: string - ca_trusted_fingerprint: - nullable: true - type: string - config_yaml: - nullable: true + alerts_filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_update_rule_action_alerts_filter' + frequency: + $ref: '#/components/schemas/Kibana_HTTP_APIs_update_rule_action_frequency' + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. type: string - hosts: - items: - type: string - maxItems: 10 - minItems: 1 - type: array id: + description: The identifier for the connector saved object. type: string - is_default: - default: false - type: boolean - is_default_monitoring: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: - type: boolean - name: - type: string - otel_disable_beatsauth: - nullable: true + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. 
type: boolean - otel_exporter_config_yaml: - nullable: true - type: string - proxy_id: - nullable: true + uuid: + description: A universally unique identifier (UUID) for the action. type: string - secrets: + required: + - id + title: update_rule_action + type: object + Kibana_HTTP_APIs_update_rule_action_alerts_filter: + additionalProperties: false + properties: + query: + $ref: '#/components/schemas/Kibana_HTTP_APIs_alerts_filter_query' + timeframe: additionalProperties: false + description: Defines a period that limits whether the action runs. type: object properties: - ssl: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. type: object properties: - key: - anyOf: - - additionalProperties: false - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - shipper: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' - nullable: true - ssl: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' - nullable: true - type: + end: + description: The end of the time frame in 24-hour notation (`hh:mm`). + type: string + start: + description: The start of the time frame in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. 
+ type: string + required: + - days + - hours + - timezone + title: update_rule_action_alerts_filter + type: object + Kibana_HTTP_APIs_update_rule_action_frequency: + additionalProperties: false + properties: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - - logstash + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true type: string required: - - name - - type - - hosts - title: new_output_logstash + - summary + - notify_when + - throttle + title: update_rule_action_frequency type: object - Kibana_HTTP_APIs_new_output_remote_elasticsearch: + Kibana_HTTP_APIs_upgrade_package_policies_request: additionalProperties: false properties: - allow_edit: + packagePolicyIds: items: type: string maxItems: 1000 type: array - ca_sha256: - nullable: true - type: string - ca_trusted_fingerprint: - nullable: true - type: string - config_yaml: - nullable: true - type: string - hosts: - items: - format: uri - type: string - maxItems: 10 - minItems: 1 - type: array - id: + required: + - packagePolicyIds + title: upgrade_package_policies_request + type: object + Kibana_HTTP_APIs_valueDisplay: + additionalProperties: false + description: Configure the visibility and the format of the values rendered on each chart partition section + properties: + mode: + description: How to format values when visible. + enum: + - absolute + - percentage type: string - is_default: - default: false - type: boolean - is_default_monitoring: - default: false - type: boolean - is_internal: + percent_decimals: + description: Decimal places for percentage display (0-10) + maximum: 10 + minimum: 0 + type: number + visible: + description: Show metric values on the chart type: boolean - is_preconfigured: + title: valueDisplay + type: object + Kibana_HTTP_APIs_vis_api_direction: + description: Sort direction. + enum: + - asc + - desc + title: vis_api_direction + type: string + Kibana_HTTP_APIs_vis_api_domain_custom: + additionalProperties: false + description: Uses explicitly provided domain bounds (min and max). + properties: + max: + description: Max domain value + type: number + min: + description: Min domain value + type: number + rounding: + description: Whether to round axis domain bounds outward to readable “nice” values (for example 1, 5, 10, 100) instead of exact data min/max. 
+ title: vis_api_domain_rounding type: boolean - kibana_api_key: - nullable: true - type: string - kibana_url: - nullable: true - type: string - name: + type: + enum: + - custom type: string - otel_disable_beatsauth: - nullable: true + required: + - type + - min + - max + title: vis_api_domain_custom + type: object + Kibana_HTTP_APIs_vis_api_domain_fit: + additionalProperties: false + description: Uses tight domain bounds from the observed data minimum to maximum, without baseline expansion. + properties: + rounding: + description: Whether to round axis domain bounds outward to readable “nice” values (for example 1, 5, 10, 100) instead of exact data min/max. + title: vis_api_domain_rounding type: boolean - otel_exporter_config_yaml: - nullable: true - type: string - preset: + type: enum: - - balanced - - custom - - throughput - - scale - - latency + - fit type: string - proxy_id: - nullable: true + required: + - type + title: vis_api_domain_fit + type: object + Kibana_HTTP_APIs_vis_api_domain_full: + additionalProperties: false + description: Uses the full chart domain, including baseline expansion when applicable (for example, includes zero for bar-like series). + properties: + rounding: + description: Whether to round axis domain bounds outward to readable “nice” values (for example 1, 5, 10, 100) instead of exact data min/max. + title: vis_api_domain_rounding + type: boolean + type: + enum: + - full type: string - secrets: + required: + - type + title: vis_api_domain_full + type: object + Kibana_HTTP_APIs_vis_api_orientation: + description: Orientation of the tagcloud. 
+ enum: + - horizontal + - vertical + - angled + title: vis_api_orientation + type: string + Kibana_HTTP_APIs_vis_api_simple_orientation: + default: horizontal + description: Orientation + enum: + - horizontal + - vertical + title: vis_api_simple_orientation + type: string + Kibana_HTTP_APIs_vis_api_xy_axis_config: + additionalProperties: false + description: Axis configuration for X, Y, and Y2 axes. The Y axis is on the start (leading) side, the Y2 axis is on the end (trailing) side. + properties: + x: additionalProperties: false + description: X-axis configuration type: object properties: - service_token: + domain: anyOf: - - additionalProperties: false - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - ssl: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_domain_fit' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_domain_custom' + description: X-axis domain configuration + grid: additionalProperties: false + description: Axis grid lines configuration type: object properties: - key: - anyOf: - - additionalProperties: false - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - service_token: - nullable: true - type: string - shipper: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' - nullable: true - ssl: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' - nullable: true - sync_integrations: - type: boolean - sync_uninstalled_integrations: - type: boolean - type: - enum: - - remote_elasticsearch - type: string - write_to_logs_streams: - nullable: true - type: boolean - required: - - name - - type - - hosts - title: new_output_remote_elasticsearch + visible: + description: Show grid lines for this axis + type: boolean + required: + - visible + labels: + additionalProperties: false + description: Label configuration + type: object + properties: + orientation: + $ref: 
'#/components/schemas/Kibana_HTTP_APIs_vis_api_orientation' + scale: + description: X-axis scale type. Use 'temporal' for timestamp/date fields (for example, @timestamp or DATE_TRUNC results). Use 'ordinal' for categorical/text fields. Use 'linear' for numeric fields. + enum: + - ordinal + - temporal + - linear + type: string + ticks: + additionalProperties: false + description: Axis tick marks configuration + type: object + properties: + visible: + description: Show tick marks on the axis + type: boolean + required: + - visible + title: + additionalProperties: false + description: Axis title configuration + type: object + properties: + text: + description: Axis title text. + type: string + visible: + description: When `true`, displays the title. + type: boolean + 'y': + additionalProperties: false + description: 'Y-axis configuration with scale and bounds. The axis position is determined by the key: y renders on the start side (left in vertical charts), y2 on the end side (right in vertical charts).' 
+ type: object + properties: + domain: + description: Y-axis domain configuration + discriminator: + mapping: + custom: '#/components/schemas/Kibana_HTTP_APIs_vis_api_domain_custom' + fit: '#/components/schemas/Kibana_HTTP_APIs_vis_api_domain_fit' + full: '#/components/schemas/Kibana_HTTP_APIs_vis_api_domain_full' + propertyName: type + oneOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_domain_full' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_domain_fit' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_domain_custom' + grid: + additionalProperties: false + description: Axis grid lines configuration + type: object + properties: + visible: + description: Show grid lines for this axis + type: boolean + required: + - visible + labels: + additionalProperties: false + description: Label configuration + type: object + properties: + orientation: + $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_orientation' + scale: + description: Y-axis scale type for data transformation + enum: + - linear + - log + - sqrt + type: string + ticks: + additionalProperties: false + description: Axis tick marks configuration + type: object + properties: + visible: + description: Show tick marks on the axis + type: boolean + required: + - visible + title: + additionalProperties: false + description: Axis title configuration + type: object + properties: + text: + description: Axis title text. + type: string + visible: + description: When `true`, displays the title. + type: boolean + required: + - domain + y2: + additionalProperties: false + description: 'Y-axis configuration with scale and bounds. The axis position is determined by the key: y renders on the start side (left in vertical charts), y2 on the end side (right in vertical charts).' 
+ type: object + properties: + domain: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_domain_full' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_domain_fit' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_domain_custom' + description: Y-axis domain configuration + grid: + additionalProperties: false + description: Axis grid lines configuration + type: object + properties: + visible: + description: Show grid lines for this axis + type: boolean + required: + - visible + labels: + additionalProperties: false + description: Label configuration + type: object + properties: + orientation: + $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_orientation' + scale: + description: Y-axis scale type for data transformation + enum: + - linear + - log + - sqrt + type: string + ticks: + additionalProperties: false + description: Axis tick marks configuration + type: object + properties: + visible: + description: Show tick marks on the axis + type: boolean + required: + - visible + title: + additionalProperties: false + description: Axis title configuration + type: object + properties: + text: + description: Axis title text. + type: string + visible: + description: When `true`, displays the title. + type: boolean + required: + - domain + title: Axis type: object - Kibana_HTTP_APIs_output_elasticsearch: - additionalProperties: true + Kibana_HTTP_APIs_waffleESQL: + additionalProperties: false + description: Waffle chart configuration for ES|QL queries properties: - allow_edit: + data_source: + $ref: '#/components/schemas/Kibana_HTTP_APIs_esqlDataSource' + description: + type: string + drilldowns: items: - type: string - maxItems: 1000 + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. 
+ type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. + type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. 
Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 type: array - ca_sha256: - nullable: true - type: string - ca_trusted_fingerprint: - nullable: true - type: string - config_yaml: - nullable: true - type: string - hosts: + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + group_by: + description: Array of ES|QL breakdown columns (minimum 1) items: - format: uri - type: string - maxItems: 10 + additionalProperties: false + type: object + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + column: + description: Column to use + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + required: + - column + maxItems: 100 minItems: 1 type: array - id: - type: string - is_default: - default: false + hide_border: type: boolean - is_default_monitoring: - default: false + hide_title: type: boolean - is_internal: + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. 
type: boolean - is_preconfigured: + legend: + $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleLegend' + metrics: + description: Array of metric configurations (minimum 1) + items: + additionalProperties: false + type: object + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + column: + description: Column to use + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + required: + - column + maxItems: 100 + minItems: 1 + type: array + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). + maximum: 1 + minimum: 0 + type: number + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleStyling' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + type: + enum: + - waffle + type: string + required: + - type + - data_source + - metrics + title: Waffle Chart (ES|QL) + type: object + Kibana_HTTP_APIs_waffleGroupByDateHistogram: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + drop_partial_intervals: + description: When `true`, drops partial intervals from the results. type: boolean - name: + field: + description: Field to be used for the date histogram. type: string - otel_disable_beatsauth: - nullable: true + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. 
type: boolean - otel_exporter_config_yaml: - nullable: true + label: + description: Label for the operation type: string - preset: + operation: enum: - - balanced - - custom - - throughput - - scale - - latency - type: string - proxy_id: - nullable: true + - date_histogram type: string - secrets: - additionalProperties: true - type: object - properties: - ssl: - additionalProperties: true - type: object - properties: - key: - anyOf: - - additionalProperties: true - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - shipper: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' - nullable: true - ssl: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' - nullable: true - type: - enum: - - elasticsearch + suggested_interval: + default: auto + description: Suggested time interval. type: string - write_to_logs_streams: - nullable: true + use_original_time_range: + default: false + description: When `true`, uses the original time range instead of the current query time range. 
type: boolean required: - - name - - type - - hosts - title: output_elasticsearch + - operation + - field + title: Date Histogram Operation type: object - Kibana_HTTP_APIs_output_kafka: - additionalProperties: true + Kibana_HTTP_APIs_waffleGroupByFilters: + additionalProperties: false properties: - allow_edit: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + filters: items: - type: string - maxItems: 1000 + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterWithLabel' + maxItems: 100 type: array - auth_type: - enum: - - none - - user_pass - - ssl - - kerberos + label: + description: Label for the operation type: string - broker_timeout: - type: number - ca_sha256: - nullable: true + operation: + enum: + - filters type: string - ca_trusted_fingerprint: - nullable: true + required: + - operation + - filters + title: Filters Operation + type: object + Kibana_HTTP_APIs_waffleGroupByHistogram: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + field: + description: Field to be used for the histogram. type: string - client_id: + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + granularity: + anyOf: + - description: Granularity of the histogram. + maximum: 7 + minimum: 1 + type: number + - enum: + - auto + type: string + default: auto + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. 
+ type: boolean + label: + description: Label for the operation type: string - compression: + operation: enum: - - gzip - - snappy - - lz4 - - none + - histogram type: string - compression_level: - nullable: true - type: number - config_yaml: - nullable: true + required: + - operation + - field + title: Histogram Operation + type: object + Kibana_HTTP_APIs_waffleGroupByRanges: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + field: + description: Field to be used for the range. type: string - connection_type: + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: enum: - - plaintext - - encryption + - range type: string - hash: - additionalProperties: true - type: object - properties: - hash: - type: string - random: - type: boolean - headers: + ranges: items: - additionalProperties: true + additionalProperties: false type: object properties: - key: - type: string - value: + gt: + description: Greater than. + type: number + label: + description: Label. type: string - required: - - key - - value + lte: + description: Less than or equal to. + type: number maxItems: 100 type: array - hosts: + required: + - operation + - field + - ranges + title: Ranges Operation + type: object + Kibana_HTTP_APIs_waffleGroupByTerms: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + excludes: + additionalProperties: false + type: object + properties: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to exclude. 
+ type: string + maxItems: 100 + type: array + required: + - values + fields: items: + description: Fields to be used for the terms. type: string - maxItems: 10 + maxItems: 4 minItems: 1 type: array - id: - type: string - is_default: - default: false - type: boolean - is_default_monitoring: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: - type: boolean - key: - type: string - name: - type: string - otel_disable_beatsauth: - nullable: true + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + includes: + additionalProperties: false + type: object + properties: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to include. + type: string + maxItems: 100 + type: array + required: + - values + increase_accuracy: + description: When `true`, increases accuracy at the cost of performance. type: boolean - otel_exporter_config_yaml: - nullable: true + label: + description: Label for the operation type: string - partition: + limit: + default: 5 + description: Number of terms to return. 
+ type: number + operation: enum: - - random - - round_robin - - hash + - terms type: string - password: - nullable: true - type: string - proxy_id: - nullable: true - type: string - random: - additionalProperties: true - type: object - properties: - group_events: - type: number - required_acks: - enum: - - 1 - - 0 - - -1 - type: integer - round_robin: - additionalProperties: true - type: object - properties: - group_events: - type: number - sasl: - additionalProperties: true - nullable: true - type: object - properties: - mechanism: - enum: - - PLAIN - - SCRAM-SHA-256 - - SCRAM-SHA-512 - type: string - secrets: - additionalProperties: true + other_bucket: + additionalProperties: false type: object properties: - password: - anyOf: - - additionalProperties: true - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: true - type: object - properties: - key: - anyOf: - - additionalProperties: true - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - required: - - key - shipper: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' - nullable: true - ssl: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' - nullable: true - timeout: - type: number - topic: - type: string - type: - enum: - - kafka - type: string - username: - nullable: true - type: string - version: - type: string + include_documents_without_field: + description: When `true`, includes documents that do not have the specified field. 
+ type: boolean + required: + - include_documents_without_field + rank_by: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByAlphabetical' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByRare' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankBySignificant' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomCountOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileRankOperation' required: - - name - - type - - hosts - - auth_type - title: output_kafka + - operation + - fields + title: Terms Operation type: object - Kibana_HTTP_APIs_output_logstash: - additionalProperties: true + Kibana_HTTP_APIs_waffleLegend: + additionalProperties: false + description: Legend configuration for waffle chart properties: - allow_edit: + size: + $ref: '#/components/schemas/Kibana_HTTP_APIs_legendSize' + truncate_after_lines: + description: Number of lines before legend items are truncated. + maximum: 10 + minimum: 1 + title: legendTruncateAfterLines + type: number + values: items: + description: 'Legend value display mode: absolute (show raw metric values in legend)' + enum: + - absolute type: string - maxItems: 1000 + maxItems: 1 + minItems: 1 type: array - ca_sha256: - nullable: true + visibility: + description: Legend visibility. 
+ enum: + - auto + - visible + - hidden type: string - ca_trusted_fingerprint: - nullable: true + title: Legend + type: object + Kibana_HTTP_APIs_waffleMetricCounterRate: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric type: string - config_yaml: - nullable: true + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string - hosts: - items: - type: string - maxItems: 10 - minItems: 1 - type: array - id: + operation: + enum: + - counter_rate type: string - is_default: - default: false - type: boolean - is_default_monitoring: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: - type: boolean - name: + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting type: string - otel_disable_beatsauth: - nullable: true + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Counter Rate Operation + type: object + Kibana_HTTP_APIs_waffleMetricCountMetric: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
type: boolean - otel_exporter_config_yaml: - nullable: true + field: + description: Field to be used for the metric type: string - proxy_id: - nullable: true + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string - secrets: - additionalProperties: true - type: object - properties: - ssl: - additionalProperties: true - type: object - properties: - key: - anyOf: - - additionalProperties: true - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - shipper: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' - nullable: true - ssl: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' - nullable: true - type: + operation: enum: - - logstash + - count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting type: string required: - - name - - type - - hosts - title: output_logstash + - operation + title: Count Metric Operation type: object - Kibana_HTTP_APIs_output_remote_elasticsearch: - additionalProperties: true + Kibana_HTTP_APIs_waffleMetricCumulativeSum: + additionalProperties: false properties: - allow_edit: - items: - type: string - maxItems: 1000 - type: array - ca_sha256: - nullable: true - type: string - ca_trusted_fingerprint: - nullable: true - type: string - config_yaml: - nullable: true + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric type: string - hosts: - items: - format: uri - type: string - maxItems: 10 - minItems: 1 - type: array - 
id: + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string - is_default: - default: false - type: boolean - is_default_monitoring: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: - type: boolean - kibana_api_key: - nullable: true + operation: + enum: + - cumulative_sum type: string - kibana_url: - nullable: true + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting type: string - name: + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting type: string - otel_disable_beatsauth: - nullable: true - type: boolean - otel_exporter_config_yaml: - nullable: true + required: + - field + - operation + title: Cumulative Sum Operation + type: object + Kibana_HTTP_APIs_waffleMetricDifferences: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string - preset: + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: enum: - - balanced - - custom - - throughput - - scale - - latency + - differences type: string - proxy_id: - nullable: true + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting type: string - secrets: - additionalProperties: true - type: object - properties: - service_token: - anyOf: - - additionalProperties: true - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - ssl: - 
additionalProperties: true - type: object - properties: - key: - anyOf: - - additionalProperties: true - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - service_token: - nullable: true + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - operation + - of + title: Differences Operation + type: object + Kibana_HTTP_APIs_waffleMetricFormula: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + formula: + description: Formula type: string - shipper: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' - nullable: true - ssl: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' - nullable: true - sync_integrations: - type: boolean - sync_uninstalled_integrations: - type: boolean - type: + label: + description: Label for the operation + type: string + operation: enum: - - remote_elasticsearch + - formula + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + description: Time scale + enum: + - s + - m + - h + - d type: string - write_to_logs_streams: - nullable: true - type: boolean required: - - name - - type - - hosts - title: output_remote_elasticsearch + - operation + - formula + title: Formula Operation type: object - Kibana_HTTP_APIs_output_shipper: - additionalProperties: true + Kibana_HTTP_APIs_waffleMetricLastValue: + additionalProperties: false properties: - compression_level: - nullable: true - type: number - disk_queue_compression_enabled: - nullable: true - 
type: boolean - disk_queue_enabled: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + multi_value: default: false - nullable: true - type: boolean - disk_queue_encryption_enabled: - nullable: true + description: Whether to return all values for multi-value fields. Only affects data table and metric charts; other charts use the last value from the array. type: boolean - disk_queue_max_size: - nullable: true - type: number - disk_queue_path: - nullable: true + operation: + enum: + - last_value type: string - loadbalance: - nullable: true - type: boolean - max_batch_bytes: - nullable: true + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_field: + description: Time field used to determine document recency + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + - time_field + title: Last Value Operation + type: object + Kibana_HTTP_APIs_waffleMetricMovingAverage: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - moving_average + 
type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + window: + default: 5 + description: Window type: number - mem_queue_events: - nullable: true + required: + - operation + - of + title: Moving Average Operation + type: object + Kibana_HTTP_APIs_waffleMetricPercentile: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - percentile + type: string + percentile: + default: 95 + description: Percentile type: number - queue_flush_timeout: - nullable: true + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Percentile Operation + type: object + Kibana_HTTP_APIs_waffleMetricPercentileRanks: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label 
for the operation + type: string + operation: + enum: + - percentile_rank + type: string + rank: + default: 0 + description: Percentile Rank type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string required: - - disk_queue_path - - disk_queue_max_size - - disk_queue_encryption_enabled - - disk_queue_compression_enabled - - compression_level - - loadbalance - - mem_queue_events - - queue_flush_timeout - - max_batch_bytes - title: output_shipper + - field + - operation + title: Percentile Ranks Operation type: object - Kibana_HTTP_APIs_output_ssl: - additionalProperties: true + Kibana_HTTP_APIs_waffleMetricStatsMetric: + additionalProperties: false properties: - certificate: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - key: + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string - verification_mode: + operation: enum: - - full - - none - - certificate - - strict + - min + - max + - average + - median + - standard_deviation type: string - title: output_ssl + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Stats Metric Operation type: object - 
Kibana_HTTP_APIs_package_icon: + Kibana_HTTP_APIs_waffleMetricSumMetric: additionalProperties: false properties: - dark_mode: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. type: boolean - path: + field: + description: Field to be used for the metric type: string - size: + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string - src: + operation: + enum: + - sum type: string - title: + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting type: string - type: + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting type: string required: - - src - title: package_icon + - field + - operation + title: Sum Metric Operation type: object - Kibana_HTTP_APIs_package_list_item: - additionalProperties: true + Kibana_HTTP_APIs_waffleMetricUniqueCountMetric: + additionalProperties: false properties: - categories: - items: - type: string - maxItems: 100 - type: array - conditions: - additionalProperties: true - type: object - properties: - deprecated: - $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' - elastic: - additionalProperties: true - type: object - properties: - capabilities: - items: - type: string - maxItems: 10 - type: array - subscription: - type: string - kibana: - additionalProperties: true - type: object - properties: - version: - type: string - required: - - deprecated - data_streams: - items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 - type: array - deprecated: - $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' 
+ color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. + type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - unique_count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Unique Count Metric Operation + type: object + Kibana_HTTP_APIs_waffleNoESQL: + additionalProperties: false + description: Waffle chart configuration for standard queries + properties: + data_source: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' description: type: string - discovery: - additionalProperties: true - type: object - properties: - datasets: - items: - additionalProperties: true + drilldowns: + items: + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. 
+ type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. + type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown type: object + - additionalProperties: false properties: - name: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown type: string required: - - name - maxItems: 100 - type: array - fields: - items: - additionalProperties: true + - label + - trigger + - type + title: discover_drilldown type: object + - additionalProperties: false properties: - name: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. 
Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable type: string required: - - name - maxItems: 100 - type: array - download: - type: string - format_version: - type: string - icons: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + group_by: + description: Array of breakdown dimensions (minimum 1) items: - $ref: '#/components/schemas/Kibana_HTTP_APIs_package_icon' + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleGroupByDateHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleGroupByTerms' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleGroupByHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleGroupByRanges' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleGroupByFilters' maxItems: 100 + minItems: 1 type: array - id: - type: string - installationInfo: - $ref: '#/components/schemas/Kibana_HTTP_APIs_installation_info' - integration: - type: string - internal: + hide_border: type: boolean - latestVersion: - type: string - name: - type: string - owner: - additionalProperties: true - type: object - properties: - github: - type: string - type: - enum: - - elastic - - partner - - community - type: string - path: - type: string - policy_templates: + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. 
+ type: boolean + legend: + $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleLegend' + metrics: + description: Array of metric configurations (minimum 1) items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 + anyOf: + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleMetricCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleMetricUniqueCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleMetricStatsMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleMetricSumMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleMetricLastValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleMetricPercentile' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleMetricPercentileRanks' + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleMetricDifferences' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleMetricMovingAverage' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleMetricCumulativeSum' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleMetricCounterRate' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleMetricFormula' + maxItems: 100 + minItems: 1 type: array - readme: - type: string - release: - enum: - - ga - - beta - - experimental - type: string - signature_path: - type: string - source: - additionalProperties: true - type: object - properties: - license: - type: string - required: - - license - status: - type: string + query: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). 
+ maximum: 1 + minimum: 0 + type: number + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleStyling' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' title: type: string type: - anyOf: - - enum: - - integration - type: string - - enum: - - input - type: string - - enum: - - content - type: string - - type: string - var_groups: + enum: + - waffle + type: string + required: + - type + - data_source + - metrics + title: Waffle Chart (DSL) + type: object + Kibana_HTTP_APIs_waffleStyling: + additionalProperties: false + description: Visual chart styling options + properties: + values: + $ref: '#/components/schemas/Kibana_HTTP_APIs_valueDisplay' + title: Waffle styling + type: object + Kibana_HTTP_APIs_WiredStreamUpsertRequest: + additionalProperties: false + type: object + properties: + dashboards: + items: + type: string + type: array + queries: items: - additionalProperties: true type: object properties: description: type: string - name: - type: string - options: + esql: + type: object + properties: + query: + type: string + required: + - query + evidence: + items: + type: string + type: array + features: items: - additionalProperties: true type: object properties: - description: - type: string - hide_in_deployment_modes: - items: - enum: - - default - - agentless - type: string - maxItems: 2 - type: array - name: + id: type: string - title: + run_id: type: string - vars: - items: - type: string - maxItems: 100 - type: array required: - - name - - title - - vars - maxItems: 100 + - id type: array - selector_title: + id: + description: A non-empty string. + minLength: 1 type: string + severity_score: + type: number title: + description: A non-empty string. 
+ minLength: 1 + type: string + type: + default: match + enum: + - match + - stats type: string required: - - name + - id - title - - selector_title - - options - maxItems: 100 + - description + - esql type: array - vars: + rules: items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 + type: string type: array - version: - type: string - required: - - installationInfo - - name - - version - - title - - deprecated - - id - title: package_list_item - type: object - Kibana_HTTP_APIs_package_metadata: - additionalProperties: false - properties: - has_policies: - type: boolean + stream: + additionalProperties: false + type: object + properties: + description: + type: string + ingest: + additionalProperties: false + type: object + properties: + failure_store: + $ref: '#/components/schemas/Kibana_HTTP_APIs_FailureStore' + lifecycle: + $ref: '#/components/schemas/Kibana_HTTP_APIs_IngestStreamLifecycle' + processing: + additionalProperties: false + type: object + properties: + steps: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamlangStep' + type: array + updated_at: {} + required: + - steps + settings: + additionalProperties: false + type: object + properties: + index.number_of_replicas: + additionalProperties: false + type: object + properties: + value: + type: number + required: + - value + index.number_of_shards: + additionalProperties: false + type: object + properties: + value: + type: number + required: + - value + index.refresh_interval: + additionalProperties: false + type: object + properties: + value: + anyOf: + - type: string + - enum: + - -1 + type: number + required: + - value + wired: + additionalProperties: false + type: object + properties: + draft: + type: boolean + fields: + $ref: '#/components/schemas/Kibana_HTTP_APIs_FieldDefinition' + routing: + items: + type: object + properties: + destination: + description: A non-empty string. 
+ minLength: 1 + type: string + draft: + type: boolean + status: + enum: + - enabled + - disabled + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + required: + - destination + - where + type: array + required: + - fields + - routing + required: + - lifecycle + - processing + - settings + - failure_store + - wired + query_streams: + items: + type: object + properties: + name: + type: string + required: + - name + type: array + type: + enum: + - wired + type: string + required: + - description + - ingest + - type required: - - has_policies - title: package_metadata - type: object - x-oas-optional: true - Kibana_HTTP_APIs_package_policy_package: + - dashboards + - rules + - queries + - stream + Kibana_HTTP_APIs_xpack-ml-anomaly-detection-alert-create-rule-body-alerting: additionalProperties: false properties: - experimental_data_stream_features: + actions: + default: [] items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_alert_delay' + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: additionalProperties: false type: object properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - fips_compatible: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. 
For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true name: - description: Package name + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. type: string - requires_root: - type: boolean - title: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true type: string - version: - description: Package version + params: + additionalProperties: false + description: The parameters for the anomaly detection rule. These parameters are appropriate when `rule_type_id` is `xpack.ml.anomaly_detection_alert"`. 
+ properties: + includeInterim: + default: true + type: boolean + jobSelection: + additionalProperties: false + type: object + properties: + groupIds: + default: [] + items: + type: string + type: array + jobIds: + default: [] + items: + type: string + type: array + kqlQueryString: + nullable: true + type: string + lookbackInterval: + nullable: true + type: string + resultType: + enum: + - record + - bucket + - influencer + type: string + severity: + maximum: 100 + minimum: 0 + type: number + topNBuckets: + minimum: 1 + nullable: true + type: number + required: + - jobSelection + - severity + - resultType + - lookbackInterval + - topNBuckets + - kqlQueryString + title: Anomaly Detection Rule Params + type: object + rule_type_id: + enum: + - xpack.ml.anomaly_detection_alert + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true type: string required: - name - - version - title: package_policy_package + - consumer + - schedule + - rule_type_id + - params + title: Anomaly detection type: object - x-oas-optional: true - Kibana_HTTP_APIs_package_policy_response: + Kibana_HTTP_APIs_xpack-ml-anomaly-detection-jobs-health-create-rule-body-alerting: additionalProperties: false properties: - additional_datastreams_permissions: - description: >- - Additional datastream permissions, that will be added to the agent - policy. + actions: + default: [] items: - type: string - maxItems: 1000 - nullable: true + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' type: array - agents: - type: number - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. - nullable: true + alert_delay: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_alert_delay' + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. - maxLength: 255 - minLength: 1 + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' nullable: true + name: + description: The name of the rule. 
While this name does not have to be unique, a distinctive name can help you identify a rule. type: string - condition: - description: >- - **Experimental.** Agent condition expression to evaluate whether to - apply this integration to its inputs. - type: string - created_at: - type: string - created_by: - type: string - description: - description: Package policy description + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true type: string - elasticsearch: - additionalProperties: true - type: object + params: + additionalProperties: false + description: The parameters for the anomaly detection jobs health rule. These parameters are appropriate when `rule_type_id` is `xpack.ml.anomaly_detection_jobs_health"`. 
properties: - privileges: - additionalProperties: true + excludeJobs: + additionalProperties: false + nullable: true type: object properties: - cluster: + groupIds: + default: [] items: type: string - maxItems: 100 type: array - enabled: - type: boolean - global_data_tags: + jobIds: + default: [] + items: + type: string + type: array + includeJobs: + additionalProperties: false + type: object + properties: + groupIds: + default: [] + items: + type: string + type: array + jobIds: + default: [] + items: + type: string + type: array + testsConfig: + additionalProperties: false + nullable: true + type: object + properties: + behindRealtime: + additionalProperties: false + nullable: true + type: object + properties: + enabled: + default: true + type: boolean + timeInterval: + nullable: true + type: string + required: + - timeInterval + datafeed: + additionalProperties: false + nullable: true + type: object + properties: + enabled: + default: true + type: boolean + delayedData: + additionalProperties: false + nullable: true + type: object + properties: + docsCount: + minimum: 1 + nullable: true + type: number + enabled: + default: true + type: boolean + timeInterval: + nullable: true + type: string + required: + - docsCount + - timeInterval + errorMessages: + additionalProperties: false + nullable: true + type: object + properties: + enabled: + default: true + type: boolean + mml: + additionalProperties: false + nullable: true + type: object + properties: + enabled: + default: true + type: boolean + required: + - datafeed + - mml + - delayedData + - behindRealtime + - errorMessages + required: + - includeJobs + - excludeJobs + - testsConfig + title: Anomaly Detection Jobs Health Rule Params + type: object + rule_type_id: + enum: + - xpack.ml.anomaly_detection_jobs_health + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. 
+ type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. items: - additionalProperties: false - type: object - properties: - name: - description: The name of the custom field. Cannot contain spaces. - type: string - value: - anyOf: - - type: string - - type: number - description: The value of the custom field. - required: - - name - - value - maxItems: 100 - nullable: true + type: string type: array - id: + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true type: string - inputs: - anyOf: - - items: + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Anomaly detection jobs health + type: object + Kibana_HTTP_APIs_xpack-synthetics-alerts-monitorstatus-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_alert_delay' + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: additionalProperties: false type: object properties: - compiled_input: - nullable: true - condition: - description: >- - **Experimental.** Agent condition expression to evaluate - whether to apply this input. 
- type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation for more - information) - type: object - deprecated: - $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' - enabled: - type: boolean id: type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. 
The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the synthetics monitor status rule. These parameters are appropriate when `rule_type_id` is `xpack.synthetics.alerts.monitorStatus`. + properties: + condition: + additionalProperties: false + type: object + properties: + alertOnNoData: + type: boolean + downThreshold: + type: number + groupBy: + type: string + includeRetests: + type: boolean + locationsThreshold: + type: number + recoveryStrategy: + enum: + - firstUp + - conditionNotMet + type: string + window: + anyOf: + - additionalProperties: false type: object properties: - compiled_stream: - nullable: true - condition: - description: >- - **Experimental.** Agent condition expression to - evaluate whether to apply this stream. 
- type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation for - more information) - type: object - data_stream: + time: additionalProperties: false type: object properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: + size: + default: 5 + type: number + unit: + default: m + enum: + - s + - m + - h + - d type: string - required: - - dataset - deprecated: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_deprecation_info - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: >- - Variable group selections. Maps var_group name to - the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation for - more information) - type: object required: - - enabled - - data_stream - - compiled_stream - - deprecated - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: >- - Variable group selections. Maps var_group name to the - selected option name within that group. 
- type: object - vars: - additionalProperties: - additionalProperties: false + - time + - additionalProperties: false type: object properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation for more - information) - type: object - required: - - type - - enabled - - streams - - deprecated - - compiled_input - maxItems: 100 + numberOfChecks: + default: 5 + maximum: 100 + minimum: 1 + type: number + required: + - window + kqlQuery: + type: string + locations: + items: + type: string + type: array + monitorIds: + items: + type: string + type: array + monitorTypes: + items: + type: string + type: array + projects: + items: + type: string + type: array + tags: + items: + type: string type: array - - additionalProperties: + title: Synthetics Monitor Status Rule Params + type: object + rule_type_id: + enum: + - xpack.synthetics.alerts.monitorStatus + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
+ nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Synthetics monitor status + type: object + Kibana_HTTP_APIs_xpack-synthetics-alerts-tls-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_alert_delay' + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: additionalProperties: false type: object properties: - condition: - description: >- - **Experimental.** Agent condition expression to evaluate - whether to apply this input. + id: type: string - deprecated: - $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' - enabled: - description: >- - Enable or disable that input. Defaults to `true` - (enabled). - type: boolean - streams: - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: >- - **Experimental.** Agent condition expression to - evaluate whether to apply this stream. - type: string - deprecated: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_deprecation_info - enabled: - description: >- - Enable or disable that stream. Defaults to `true` - (enabled). - type: boolean - var_group_selections: - additionalProperties: - type: string - description: >- - Variable group selections. Maps var_group name to - the selected option name within that group. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: >- - Input/stream level variable. 
Refer to the - integration documentation for more information. - type: object - required: - - deprecated - description: >- - Input streams. Refer to the integration documentation to - know which streams are available. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: >- - Input/stream level variable. Refer to the integration - documentation for more information. - type: object required: - - deprecated - description: >- - Package policy inputs. Refer to the integration documentation to - know which inputs are available. + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false type: object - x-oas-optional: true - description: Package policy inputs. - is_managed: + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true name: - description: Unique name for the package policy. - type: string - namespace: - description: >- - The package policy namespace. Leave blank to inherit the agent - policy's namespace. + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. 
type: string - output_id: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval nullable: true type: string - overrides: + params: + additionalProperties: false + description: The parameters for the synthetics tls rule. These parameters are appropriate when `rule_type_id` is `xpack.synthetics.alerts.tls`. + properties: + certAgeThreshold: + type: number + certExpirationThreshold: + type: number + kqlQuery: + type: string + locations: + items: + type: string + type: array + monitorIds: + items: + type: string + type: array + monitorTypes: + items: + type: string + type: array + projects: + items: + type: string + type: array + search: + type: string + tags: + items: + type: string + type: array + title: Synthetics TLS Rule Params + type: object + rule_type_id: + enum: + - xpack.synthetics.alerts.tls + type: string + schedule: additionalProperties: false - description: >- - Override settings that are defined in the package policy. The - override option should be used only in unusual circumstances and not - as a routine procedure. + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. 
+ type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Synthetics TLS + type: object + Kibana_HTTP_APIs_xpack-uptime-alerts-durationanomaly-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_alert_delay' + artifacts: + additionalProperties: false type: object properties: - inputs: - additionalProperties: - nullable: true + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false type: object - package: - $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_package' - package_agent_version_condition: + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. 
+ enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. type: string - policy_ids: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the uptime duration anomaly rule. These parameters are appropriate when `rule_type_id` is `xpack.uptime.alerts.durationAnomaly`. + properties: + monitorId: + type: string + severity: + type: number + stackVersion: + type: string + required: + - monitorId + - severity + title: Uptime Duration Anomaly Rule Params + type: object + rule_type_id: + enum: + - xpack.uptime.alerts.durationAnomaly + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. 
+ type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. items: - description: >- - IDs of the agent policies which that package policy will be added - to. type: string - maxItems: 1000 - type: array - revision: - description: Package policy revision. - type: number - secret_references: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 1000 type: array - spaceIds: + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Uptime duration anomaly + type: object + Kibana_HTTP_APIs_xpack-uptime-alerts-monitorstatus-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] items: - type: string - maxItems: 100 + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' type: array - supports_agentless: - default: false - description: >- - Indicates whether the package policy belongs to an agentless agent - policy. - nullable: true + alert_delay: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_alert_delay' + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. 
For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' nullable: true - type: boolean - updated_at: + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. type: string - updated_by: + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true type: string - var_group_selections: - additionalProperties: + params: + additionalProperties: false + description: The parameters for the uptime monitor status rule. These parameters are appropriate when `rule_type_id` is `xpack.uptime.alerts.monitorStatus`. 
+ properties: + availability: + additionalProperties: false + type: object + properties: + range: + type: number + rangeUnit: + type: string + threshold: + type: string + required: + - range + - rangeUnit + - threshold + filters: + anyOf: + - additionalProperties: false + type: object + properties: + monitor.type: + items: + type: string + type: array + observer.geo.name: + items: + type: string + type: array + tags: + items: + type: string + type: array + url.port: + items: + type: string + type: array + - type: string + isAutoGenerated: + type: boolean + locations: + items: + type: string + type: array + numTimes: + type: number + search: + type: string + shouldCheckAvailability: + type: boolean + shouldCheckStatus: + type: boolean + stackVersion: + type: string + timerange: + additionalProperties: false + type: object + properties: + from: + type: string + to: + type: string + required: + - from + - to + timerangeCount: + type: number + timerangeUnit: + type: string + version: + type: number + required: + - numTimes + - shouldCheckStatus + - shouldCheckAvailability + title: Uptime Monitor Status Rule Params + type: object + rule_type_id: + enum: + - xpack.uptime.alerts.monitorStatus + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: type: string - description: >- - Variable group selections. Maps var_group name to the selected - option name within that group. + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Uptime monitor status + type: object + Kibana_HTTP_APIs_xpack-uptime-alerts-tlscertificate-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_alert_delay' + artifacts: + additionalProperties: false type: object - vars: - anyOf: - - additionalProperties: + properties: + dashboards: + items: additionalProperties: false type: object properties: - frozen: - type: boolean - type: + id: type: string - value: - nullable: true required: - - value - description: >- - Package variable (see integration documentation for more - information) - type: object - - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: >- - Input/stream level variable. Refer to the integration - documentation for more information. + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false type: object - x-oas-optional: true - description: Package level variable. - version: - description: Package policy ES version. + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. 
For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want to run the rule on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the uptime tls rule. These parameters are appropriate when `rule_type_id` is `xpack.uptime.alerts.tlsCertificate`. + properties: + certAgeThreshold: + type: number + certExpirationThreshold: + type: number + search: + type: string + stackVersion: + type: string + title: Uptime TLS Rule Params + type: object + rule_type_id: + enum: + - xpack.uptime.alerts.tlsCertificate + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. 
+ type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Uptime TLS certificate + type: object + Kibana_HTTP_APIs_xyAnnotationByRefLayer: + additionalProperties: false + description: Reference to a library annotation group + properties: + group_id: + description: ID of the linked annotation group from the library + type: string + type: + enum: + - annotation_group + type: string + required: + - type + - group_id + title: Annotation Layer (By Reference) + type: object + Kibana_HTTP_APIs_xyAnnotationLayerNoESQL: + additionalProperties: false + description: Layer containing annotations (query-based, points, and ranges) + properties: + data_source: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' + events: + description: Array of annotation configurations + items: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyAnnotationQuery' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyAnnotationManualEvent' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyAnnotationManualRange' + maxItems: 100 + minItems: 1 + type: array + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. 
Defaults to `false`. + type: boolean + type: + enum: + - annotations + type: string + required: + - type + - data_source + - events + title: Annotation Layer (DSL) + type: object + Kibana_HTTP_APIs_xyAnnotationManualEvent: + additionalProperties: false + description: Manual point annotation at specific timestamp + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + icon: + description: Icon to display at the annotation point + enum: + - asterisk + - alert + - bell + - bolt + - bug + - circle + - editor_comment + - flag + - heart + - map_marker + - pin_filled + - star_empty + - star_filled + - tag + - triangle + type: string + label: + description: Label text for the annotation + type: string + line: + additionalProperties: false + description: Vertical line configuration for point annotation + type: object + properties: + stroke_dash: + description: Vertical line style + enum: + - solid + - dashed + - dotted + type: string + stroke_width: + description: Vertical line width in pixels + maximum: 10 + minimum: 1 + type: number + required: + - stroke_width + - stroke_dash + text: + additionalProperties: false + description: Annotation text label visibility + type: object + properties: + visible: + description: Show text label on the annotation + type: boolean + required: + - visible + timestamp: + anyOf: + - description: Unix timestamp in milliseconds + type: number + - description: ISO date string + type: string + type: + enum: + - point type: string + visible: + description: Show the annotation + type: boolean required: - - name - - enabled - - package - - inputs - - revision - - updated_at - - updated_by - - created_at - - created_by - title: package_policy_response + - type + - timestamp + title: xyAnnotationManualEvent type: object - Kibana_HTTP_APIs_package_policy_status_response: + Kibana_HTTP_APIs_xyAnnotationManualRange: additionalProperties: false + 
description: Manual range annotation spanning time interval properties: - body: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + fill: + description: Fill direction for range + enum: + - inside + - outside + type: string + interval: additionalProperties: false + description: Time range for annotation type: object properties: - message: - type: string + from: + anyOf: + - description: Unix timestamp in milliseconds + type: number + - description: ISO date string + type: string + to: + anyOf: + - description: Unix timestamp in milliseconds + type: number + - description: ISO date string + type: string required: - - message - id: + - from + - to + label: + description: Label text for the annotation type: string - name: + type: + enum: + - range type: string - statusCode: - type: number - success: + visible: + description: Show the annotation type: boolean required: - - id - - success - title: package_policy_status_response + - type + - interval + title: xyAnnotationManualRange type: object - Kibana_HTTP_APIs_reauthorize_transform_request: + Kibana_HTTP_APIs_xyAnnotationQuery: additionalProperties: false + description: Annotation from query results matching a filter properties: - transforms: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + extra_fields: + description: Additional fields for annotation tooltip items: - additionalProperties: false - type: object - properties: - transformId: - type: string - required: - - transformId - maxItems: 1000 + description: Additional field to include in tooltip + type: string + maxItems: 100 type: array + icon: + description: Icon to display at the annotation point + enum: + - asterisk + - alert + - bell + - bolt + - bug + - circle + - editor_comment + - flag + - heart + - map_marker + - pin_filled + - star_empty + - star_filled + - tag + - 
triangle + type: string + label: + description: Label text for the annotation + type: string + line: + additionalProperties: false + description: Vertical line configuration for point annotation + type: object + properties: + stroke_dash: + description: Vertical line style + enum: + - solid + - dashed + - dotted + type: string + stroke_width: + description: Vertical line width in pixels + maximum: 10 + minimum: 1 + type: number + required: + - stroke_width + - stroke_dash + query: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + text: + additionalProperties: false + description: Annotation text label configuration + type: object + properties: + field: + description: Field name for text label source + type: string + visible: + description: Show text label on the annotation + type: boolean + required: + - visible + time_field: + description: Field containing the timestamp + type: string + type: + enum: + - query + type: string + visible: + description: Show the annotation + type: boolean required: - - transforms - title: reauthorize_transform_request + - type + - query + - time_field + title: xyAnnotationQuery type: object - Kibana_HTTP_APIs_review_upgrade_request: + Kibana_HTTP_APIs_xyBreakdownDateHistogram: additionalProperties: false properties: - action: + aggregate_first: + description: When `true`, aggregates data before splitting into series. Defaults to `false`. + type: boolean + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + drop_partial_intervals: + description: When `true`, drops partial intervals from the results. + type: boolean + field: + description: Field to be used for the date histogram. + type: string + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. 
+ type: boolean + label: + description: Label for the operation + type: string + operation: enum: - - accept - - decline - - pending + - date_histogram type: string - target_version: + suggested_interval: + default: auto + description: Suggested time interval. type: string + use_original_time_range: + default: false + description: When `true`, uses the original time range instead of the current query time range. + type: boolean required: - - action - - target_version - title: review_upgrade_request + - operation + - field + title: Date Histogram Operation type: object - Kibana_HTTP_APIs_review_upgrade_response: + Kibana_HTTP_APIs_xyBreakdownFilters: additionalProperties: false properties: - success: + aggregate_first: + description: When `true`, aggregates data before splitting into series. Defaults to `false`. type: boolean + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + filters: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterWithLabel' + maxItems: 100 + type: array + label: + description: Label for the operation + type: string + operation: + enum: + - filters + type: string required: - - success - title: review_upgrade_response + - operation + - filters + title: Filters Operation type: object - Kibana_HTTP_APIs_rollback_package_response: + Kibana_HTTP_APIs_xyBreakdownHistogram: additionalProperties: false properties: - success: + aggregate_first: + description: When `true`, aggregates data before splitting into series. Defaults to `false`. type: boolean - version: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + field: + description: Field to be used for the histogram. + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + granularity: + anyOf: + - description: Granularity of the histogram. 
+ maximum: 7 + minimum: 1 + type: number + - enum: + - auto + type: string + default: auto + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. + type: boolean + label: + description: Label for the operation + type: string + operation: + enum: + - histogram type: string required: - - version - - success - title: rollback_package_response + - operation + - field + title: Histogram Operation type: object - Kibana_HTTP_APIs_simplified_create_package_policy_request: + Kibana_HTTP_APIs_xyBreakdownRanges: additionalProperties: false properties: - additional_datastreams_permissions: - description: >- - Additional datastream permissions, that will be added to the agent - policy. + aggregate_first: + description: When `true`, aggregates data before splitting into series. Defaults to `false`. + type: boolean + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + field: + description: Field to be used for the range. + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - range + type: string + ranges: items: - type: string + additionalProperties: false + type: object + properties: + gt: + description: Greater than. + type: number + label: + description: Label. + type: string + lte: + description: Less than or equal to. + type: number maxItems: 100 - nullable: true type: array - cloud_connector: + required: + - operation + - field + - ranges + title: Ranges Operation + type: object + Kibana_HTTP_APIs_xyBreakdownTerms: + additionalProperties: false + properties: + aggregate_first: + description: When `true`, aggregates data before splitting into series. Defaults to `false`. 
+ type: boolean + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + excludes: additionalProperties: false type: object properties: - cloud_connector_id: - description: >- - ID of an existing cloud connector to reuse. If not provided, a - new connector will be created. - type: string - enabled: - default: false - description: Whether cloud connectors are enabled for this policy. + as_regex: + description: When `true`, treats the values as regular expressions. type: boolean - name: - description: >- - Optional name for the cloud connector. If not provided, will be - auto-generated from credentials. - maxLength: 255 - minLength: 1 - type: string - target_csp: - description: >- - Target cloud service provider. If not provided, will be - auto-detected from inputs. - enum: - - aws - - azure - - gcp - type: string - condition: - description: >- - **Experimental.** Agent condition expression to evaluate whether to - apply this integration to its inputs. + values: + items: + description: Values to exclude. + type: string + maxItems: 100 + type: array + required: + - values + fields: + items: + description: Fields to be used for the terms. + type: string + maxItems: 4 + minItems: 1 + type: array + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + includes: + additionalProperties: false + type: object + properties: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to include. + type: string + maxItems: 100 + type: array + required: + - values + increase_accuracy: + description: When `true`, increases accuracy at the cost of performance. + type: boolean + label: + description: Label for the operation type: string + limit: + default: 5 + description: Number of terms to return. 
+ type: number + operation: + enum: + - terms + type: string + other_bucket: + additionalProperties: false + type: object + properties: + include_documents_without_field: + description: When `true`, includes documents that do not have the specified field. + type: boolean + required: + - include_documents_without_field + rank_by: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByAlphabetical' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByRare' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankBySignificant' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomCountOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileRankOperation' + required: + - operation + - fields + title: Terms Operation + type: object + Kibana_HTTP_APIs_xyChartESQL: + additionalProperties: false + description: XY chart configuration for ES|QL queries + properties: + axis: + $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_xy_axis_config' description: - description: Policy description. type: string - force: - description: >- - Force package policy creation even if the package is not verified, - or if the agent policy is managed. + drilldowns: + items: + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. 
+ type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. + type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + hide_border: type: boolean - global_data_tags: + hide_title: + type: boolean + layers: + description: ES|QL chart layers items: - additionalProperties: false - type: object - properties: - name: - description: The name of the custom field. Cannot contain spaces. - type: string - value: - anyOf: - - type: string - - type: number - description: The value of the custom field. - required: - - name - - value + $ref: '#/components/schemas/Kibana_HTTP_APIs_xyLayerESQL' maxItems: 100 + minItems: 1 type: array - id: - description: Policy unique identifier. 
- type: string - inputs: - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: >- - **Experimental.** Agent condition expression to evaluate - whether to apply this input. - type: string - deprecated: - $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' - enabled: - description: Enable or disable that input. Defaults to `true` (enabled). - type: boolean - streams: - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: >- - **Experimental.** Agent condition expression to evaluate - whether to apply this stream. - type: string - deprecated: - $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' - enabled: - description: >- - Enable or disable that stream. Defaults to `true` - (enabled). - type: boolean - var_group_selections: - additionalProperties: - type: string - description: >- - Variable group selections. Maps var_group name to the - selected option name within that group. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: >- - Input/stream level variable. Refer to the integration - documentation for more information. - type: object - required: - - deprecated - description: >- - Input streams. Refer to the integration documentation to know - which streams are available. 
- type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: >- - Input/stream level variable. Refer to the integration - documentation for more information. - type: object - required: - - deprecated - description: >- - Package policy inputs. Refer to the integration documentation to - know which inputs are available. - type: object - name: - description: Unique name for the policy. + legend: + $ref: '#/components/schemas/Kibana_HTTP_APIs_xyLegend' + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_xyStyling' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: type: string - namespace: - description: >- - Policy namespace. When not specified, it inherits the agent policy - namespace. + type: + enum: + - xy type: string - package: - $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_package' - policy_template: - description: >- - The policy template to use for the agentless package policy. If not - provided, the default policy template will be used. + required: + - type + - layers + title: XY Chart (ES|QL) + type: object + Kibana_HTTP_APIs_xyChartNoESQL: + additionalProperties: false + description: XY chart configuration for DSL queries + properties: + axis: + $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_xy_axis_config' + description: type: string - var_group_selections: - additionalProperties: - type: string - description: >- - Variable group selections. Maps var_group name to the selected - option name within that group. 
- type: object - vars: - additionalProperties: + drilldowns: + items: anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. + type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown type: object + - additionalProperties: false properties: - id: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: type: string - isSecretRef: + open_in_new_tab: + default: true type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string required: - - id - - isSecretRef - nullable: true - description: >- - Input/stream level variable. 
Refer to the integration documentation - for more information. + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + hide_border: + type: boolean + hide_title: + type: boolean + layers: + description: Chart layers + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_xyLayersNoESQL' + maxItems: 100 + minItems: 1 + type: array + legend: + $ref: '#/components/schemas/Kibana_HTTP_APIs_xyLegend' + query: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_xyStyling' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + type: + enum: + - xy + type: string + required: + - type + - layers + title: XY Chart (DSL) + type: object + Kibana_HTTP_APIs_xyFitting: + additionalProperties: false + description: Missing data interpolation configuration for line and area series + properties: + emphasize: + description: Visually distinguish fitted segments with a dashed line style and reduced area opacity + type: boolean + extend: + description: How to render line and area edges when data does not cover the full X domain + enum: + - none + - zero + - nearest + type: string + type: + description: Fitting function type for missing data + enum: + - none + - zero + - linear + - carry + - lookahead + - average + - nearest + type: string + required: + - type + title: xyFitting + type: object + Kibana_HTTP_APIs_xyLayerESQL: + additionalProperties: false + description: Data layer for ES|QL queries with column references + properties: + breakdown_by: + additionalProperties: false + description: ES|QL column for breakdown + type: object + properties: + collapse_by: + $ref: 
'#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + column: + description: Column to use + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + required: + - column + data_source: + $ref: '#/components/schemas/Kibana_HTTP_APIs_esqlDataSource' + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. + type: boolean + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). + maximum: 1 + minimum: 0 + type: number + type: + description: Chart type for the data layer + enum: + - area + - area_percentage + - area_stacked + - bar + - bar_horizontal + - bar_horizontal_stacked + - bar_horizontal_percentage + - bar_percentage + - bar_stacked + - line + type: string + x: + additionalProperties: false type: object + properties: + column: + description: Column to use + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + required: + - column + 'y': + description: Array of ES|QL columns for Y-axis metrics + items: + additionalProperties: false + description: ES|QL column for Y-axis metric + type: object + properties: + axis: + description: The Y axis this metric is plotted on. Values match the root axis configuration keys (axis.y, axis.y2). If omitted, defaults to the Y axis start (leading) side. 
+ enum: + - 'y' + - y2 + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + column: + description: Column to use + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + required: + - column + maxItems: 100 + type: array required: - - name - - package - title: simplified_create_package_policy_request + - data_source + - type + - 'y' + title: Layer (ES|QL) type: object - Kibana_HTTP_APIs_update_output_elasticsearch: + Kibana_HTTP_APIs_xyLayerNoESQL: additionalProperties: false + description: Data layer for standard queries with metrics and buckets properties: - allow_edit: + breakdown_by: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyBreakdownDateHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyBreakdownTerms' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyBreakdownHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyBreakdownRanges' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyBreakdownFilters' + data_source: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. + type: boolean + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). 
+ maximum: 1 + minimum: 0 + type: number + type: + description: Chart type for the data layer + enum: + - area + - area_percentage + - area_stacked + - bar + - bar_horizontal + - bar_horizontal_stacked + - bar_horizontal_percentage + - bar_percentage + - bar_stacked + - line + type: string + x: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyXDateHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyXTerms' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyXHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyXRanges' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyXFilters' + 'y': + description: Array of metrics to display on Y-axis items: - type: string - maxItems: 1000 + anyOf: + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyYCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyYUniqueCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyYStatsMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyYSumMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyYLastValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyYPercentile' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyYPercentileRanks' + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyYDifferences' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyYMovingAverage' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyYCumulativeSum' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyYCounterRate' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyYFormula' + maxItems: 100 type: array - ca_sha256: - nullable: true - type: string - ca_trusted_fingerprint: - nullable: true - type: string - config_yaml: - nullable: true + required: + - type + - data_source + - 'y' + title: Layer (DSL) + type: object + Kibana_HTTP_APIs_xyLayersESQL: + $ref: '#/components/schemas/Kibana_HTTP_APIs_xyLayerESQL' + description: XY chart layer types for ES|QL queries + title: xyLayersESQL + Kibana_HTTP_APIs_xyLayersNoESQL: + anyOf: + - $ref: 
'#/components/schemas/Kibana_HTTP_APIs_xyLayerNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyReferenceLineLayerNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyAnnotationLayerNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyAnnotationByRefLayer' + description: XY chart layer types for DSL queries + title: xyLayersNoESQL + Kibana_HTTP_APIs_xyLegend: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyLegendOutsideHorizontal' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyLegendOutsideVertical' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyLegendInside' + description: Legend configuration for XY chart + title: Legend + Kibana_HTTP_APIs_xyLegendInside: + additionalProperties: false + description: Inside legend + properties: + columns: + description: Number of legend columns + maximum: 5 + minimum: 1 + type: number + layout: + additionalProperties: false + type: object + properties: + truncate: + additionalProperties: false + type: object + properties: + enabled: + description: Enable truncation of legend items + type: boolean + max_lines: + description: Number of lines before legend items are truncated. 
+ maximum: 10 + minimum: 1 + title: legendTruncateAfterLines + type: number + type: + enum: + - grid + type: string + required: + - type + placement: + enum: + - inside type: string - hosts: + position: + description: Legend position inside the chart + enum: + - top_left + - top_right + - bottom_left + - bottom_right + type: string + series_header: + $ref: '#/components/schemas/Kibana_HTTP_APIs_xyLegendSeriesHeader' + statistics: + description: Statistics to display in legend items: - format: uri + description: Statistical functions that can be displayed in chart legend for data series + enum: + - min + - max + - avg + - median + - range + - last_value + - last_non_null_value + - first_value + - first_non_null_value + - difference + - difference_percentage + - count + - total + - standard_deviation + - variance + - distinct_count + - current_and_last_value type: string - maxItems: 10 - minItems: 1 + maxItems: 17 type: array - id: - type: string - is_default: - type: boolean - is_default_monitoring: - type: boolean - is_internal: - type: boolean - is_preconfigured: - type: boolean - name: + visibility: + description: Legend visibility. + enum: + - auto + - visible + - hidden type: string - otel_disable_beatsauth: - nullable: true - type: boolean - otel_exporter_config_yaml: - nullable: true + required: + - placement + title: Inside + type: object + Kibana_HTTP_APIs_xyLegendOutsideHorizontal: + additionalProperties: false + description: Outside legend positioned horizontal (top/bottom) of the chart + properties: + layout: + anyOf: + - additionalProperties: false + type: object + properties: + truncate: + additionalProperties: false + type: object + properties: + enabled: + description: Enable truncation of legend items + type: boolean + max_lines: + description: Number of lines before legend items are truncated. 
+ maximum: 10 + minimum: 1 + title: legendTruncateAfterLines + type: number + type: + enum: + - grid + type: string + required: + - type + - additionalProperties: false + type: object + properties: + type: + enum: + - list + type: string + required: + - type + placement: + enum: + - outside type: string - preset: + position: enum: - - balanced - - custom - - throughput - - scale - - latency + - top + - bottom type: string - proxy_id: - nullable: true + series_header: + $ref: '#/components/schemas/Kibana_HTTP_APIs_xyLegendSeriesHeader' + statistics: + description: Statistics to display in legend + items: + description: Statistical functions that can be displayed in chart legend for data series + enum: + - min + - max + - avg + - median + - range + - last_value + - last_non_null_value + - first_value + - first_non_null_value + - difference + - difference_percentage + - count + - total + - standard_deviation + - variance + - distinct_count + - current_and_last_value + type: string + maxItems: 17 + type: array + visibility: + description: Legend visibility. + enum: + - auto + - visible + - hidden type: string - secrets: + title: Outside horizontal + type: object + Kibana_HTTP_APIs_xyLegendOutsideVertical: + additionalProperties: false + description: Outside legend positioned vertical (left/right) of the chart + properties: + layout: additionalProperties: false type: object properties: - ssl: + truncate: additionalProperties: false type: object properties: - key: - anyOf: - - additionalProperties: false - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - shipper: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' - nullable: true - ssl: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' - nullable: true - type: + enabled: + description: Enable truncation of legend items + type: boolean + max_lines: + description: Number of lines before legend items are truncated. 
+ maximum: 10 + minimum: 1 + title: legendTruncateAfterLines + type: number + type: + enum: + - grid + type: string + required: + - type + placement: enum: - - elasticsearch + - outside type: string - write_to_logs_streams: - nullable: true + position: + enum: + - left + - right + type: string + series_header: + $ref: '#/components/schemas/Kibana_HTTP_APIs_xyLegendSeriesHeader' + size: + $ref: '#/components/schemas/Kibana_HTTP_APIs_legendSize' + statistics: + description: Statistics to display in legend + items: + description: Statistical functions that can be displayed in chart legend for data series + enum: + - min + - max + - avg + - median + - range + - last_value + - last_non_null_value + - first_value + - first_non_null_value + - difference + - difference_percentage + - count + - total + - standard_deviation + - variance + - distinct_count + - current_and_last_value + type: string + maxItems: 17 + type: array + visibility: + description: Legend visibility. + enum: + - auto + - visible + - hidden + type: string + title: Outside vertical + type: object + Kibana_HTTP_APIs_xyLegendSeriesHeader: + additionalProperties: false + description: Legend table series header configuration. + properties: + text: + description: Legend table series header text. + type: string + visible: + description: When true, shows the legend table series header. type: boolean - title: update_output_elasticsearch + title: xyLegendSeriesHeader type: object - Kibana_HTTP_APIs_update_output_kafka: + Kibana_HTTP_APIs_xyReferenceLineLayerNoESQL: additionalProperties: false + description: Reference line layer for standard queries properties: - allow_edit: + data_source: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. 
+ type: boolean + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). + maximum: 1 + minimum: 0 + type: number + thresholds: + description: Array of reference line thresholds items: - type: string - maxItems: 1000 + anyOf: + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyRefLineCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyRefLineUniqueCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyRefLineStatsMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyRefLineSumMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyRefLineLastValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyRefLinePercentile' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyRefLinePercentileRanks' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyRefLineStatic' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyRefLineFormula' + maxItems: 100 + minItems: 1 type: array - auth_type: + type: enum: - - none - - user_pass - - ssl - - kerberos + - reference_lines type: string - broker_timeout: - type: number - ca_sha256: - nullable: true + required: + - type + - data_source + - thresholds + title: Reference Line Layer (DSL) + type: object + Kibana_HTTP_APIs_xyRefLineCountMetric: + additionalProperties: false + properties: + axis: + description: The axis this reference line is drawn on. Values match the root axis configuration keys. If omitted, defaults to the primary Y axis. + enum: + - x + - 'y' + - y2 type: string - ca_trusted_fingerprint: - nullable: true + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric type: string - client_id: + fill: + description: Fill direction for reference line + enum: + - above + - below type: string - compression: + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + icon: + description: Icon to display on the reference line enum: - - gzip - - snappy - - lz4 - - none + - asterisk + - alert + - bell + - bolt + - bug + - circle + - editor_comment + - flag + - heart + - map_marker + - pin_filled + - star_empty + - star_filled + - tag + - triangle type: string - compression_level: - nullable: true - type: number - config_yaml: - nullable: true + label: + description: Label for the operation type: string - connection_type: + operation: enum: - - plaintext - - encryption + - count type: string - hash: + position: + description: Position of the icon and label relative to the reference line + enum: + - auto + - left + - right + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + stroke_dash: + description: Line style + enum: + - solid + - dashed + - dotted + type: string + stroke_width: + description: Line width in pixels + maximum: 10 + minimum: 1 + type: number + text: additionalProperties: false + description: Reference line text label configuration type: object properties: - hash: - type: string - random: + visible: + description: Show text label on the reference line type: boolean - headers: - items: - additionalProperties: false - type: object - properties: - key: - type: string - value: - type: string - required: - - key - - value - maxItems: 100 - type: array - hosts: - items: - type: string - maxItems: 10 - minItems: 1 - type: array - id: + required: + - visible + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: 
Operation Time Shift Setting type: string - is_default: - default: false - type: boolean - is_default_monitoring: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: - type: boolean - key: + required: + - operation + title: Count Metric Operation + type: object + Kibana_HTTP_APIs_xyRefLineFormula: + additionalProperties: false + properties: + axis: + description: The axis this reference line is drawn on. Values match the root axis configuration keys. If omitted, defaults to the primary Y axis. + enum: + - x + - 'y' + - y2 type: string - name: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + fill: + description: Fill direction for reference line + enum: + - above + - below type: string - otel_disable_beatsauth: - nullable: true - type: boolean - otel_exporter_config_yaml: - nullable: true + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + formula: + description: Formula type: string - partition: + icon: + description: Icon to display on the reference line enum: - - random - - round_robin - - hash + - asterisk + - alert + - bell + - bolt + - bug + - circle + - editor_comment + - flag + - heart + - map_marker + - pin_filled + - star_empty + - star_filled + - tag + - triangle type: string - password: - nullable: true + label: + description: Label for the operation type: string - proxy_id: - nullable: true + operation: + enum: + - formula type: string - random: + position: + description: Position of the icon and label relative to the reference line + enum: + - auto + - left + - right + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + stroke_dash: + description: Line style + enum: + - solid + - dashed + - dotted + type: string + stroke_width: + description: Line width in pixels 
+ maximum: 10 + minimum: 1 + type: number + text: additionalProperties: false + description: Reference line text label configuration type: object properties: - group_events: - type: number - required_acks: + visible: + description: Show text label on the reference line + type: boolean + required: + - visible + time_scale: + description: Time scale enum: - - 1 - - 0 - - -1 - type: integer - round_robin: + - s + - m + - h + - d + type: string + required: + - operation + - formula + title: Formula Operation + type: object + Kibana_HTTP_APIs_xyRefLineLastValue: + additionalProperties: false + properties: + axis: + description: The axis this reference line is drawn on. Values match the root axis configuration keys. If omitted, defaults to the primary Y axis. + enum: + - x + - 'y' + - y2 + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + fill: + description: Fill direction for reference line + enum: + - above + - below + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + icon: + description: Icon to display on the reference line + enum: + - asterisk + - alert + - bell + - bolt + - bug + - circle + - editor_comment + - flag + - heart + - map_marker + - pin_filled + - star_empty + - star_filled + - tag + - triangle + type: string + label: + description: Label for the operation + type: string + multi_value: + default: false + description: Whether to return all values for multi-value fields. Only affects data table and metric charts; other charts use the last value from the array. 
+ type: boolean + operation: + enum: + - last_value + type: string + position: + description: Position of the icon and label relative to the reference line + enum: + - auto + - left + - right + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + stroke_dash: + description: Line style + enum: + - solid + - dashed + - dotted + type: string + stroke_width: + description: Line width in pixels + maximum: 10 + minimum: 1 + type: number + text: additionalProperties: false + description: Reference line text label configuration type: object properties: - group_events: - type: number - sasl: + visible: + description: Show text label on the reference line + type: boolean + required: + - visible + time_field: + description: Time field used to determine document recency + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + - time_field + title: Last Value Operation + type: object + Kibana_HTTP_APIs_xyRefLinePercentile: + additionalProperties: false + properties: + axis: + description: The axis this reference line is drawn on. Values match the root axis configuration keys. If omitted, defaults to the primary Y axis. 
+ enum: + - x + - 'y' + - y2 + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + fill: + description: Fill direction for reference line + enum: + - above + - below + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + icon: + description: Icon to display on the reference line + enum: + - asterisk + - alert + - bell + - bolt + - bug + - circle + - editor_comment + - flag + - heart + - map_marker + - pin_filled + - star_empty + - star_filled + - tag + - triangle + type: string + label: + description: Label for the operation + type: string + operation: + enum: + - percentile + type: string + percentile: + default: 95 + description: Percentile + type: number + position: + description: Position of the icon and label relative to the reference line + enum: + - auto + - left + - right + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + stroke_dash: + description: Line style + enum: + - solid + - dashed + - dotted + type: string + stroke_width: + description: Line width in pixels + maximum: 10 + minimum: 1 + type: number + text: additionalProperties: false - nullable: true + description: Reference line text label configuration type: object properties: - mechanism: - enum: - - PLAIN - - SCRAM-SHA-256 - - SCRAM-SHA-512 - type: string - secrets: + visible: + description: Show text label on the reference line + type: boolean + required: + - visible + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Percentile Operation + type: object + 
Kibana_HTTP_APIs_xyRefLinePercentileRanks: + additionalProperties: false + properties: + axis: + description: The axis this reference line is drawn on. Values match the root axis configuration keys. If omitted, defaults to the primary Y axis. + enum: + - x + - 'y' + - y2 + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + fill: + description: Fill direction for reference line + enum: + - above + - below + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + icon: + description: Icon to display on the reference line + enum: + - asterisk + - alert + - bell + - bolt + - bug + - circle + - editor_comment + - flag + - heart + - map_marker + - pin_filled + - star_empty + - star_filled + - tag + - triangle + type: string + label: + description: Label for the operation + type: string + operation: + enum: + - percentile_rank + type: string + position: + description: Position of the icon and label relative to the reference line + enum: + - auto + - left + - right + type: string + rank: + default: 0 + description: Percentile Rank + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + stroke_dash: + description: Line style + enum: + - solid + - dashed + - dotted + type: string + stroke_width: + description: Line width in pixels + maximum: 10 + minimum: 1 + type: number + text: additionalProperties: false + description: Reference line text label configuration type: object properties: - password: - anyOf: - - additionalProperties: false - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - key: - anyOf: - - 
additionalProperties: false - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - required: - - key - shipper: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' - nullable: true - ssl: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' - nullable: true - timeout: - type: number - topic: + visible: + description: Show text label on the reference line + type: boolean + required: + - visible + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting type: string - type: + required: + - field + - operation + title: Percentile Ranks Operation + type: object + Kibana_HTTP_APIs_xyRefLineStatic: + additionalProperties: false + properties: + axis: + description: The axis this reference line is drawn on. Values match the root axis configuration keys. If omitted, defaults to the primary Y axis. 
enum: - - kafka + - x + - 'y' + - y2 type: string - username: - nullable: true + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + fill: + description: Fill direction for reference line + enum: + - above + - below type: string - version: + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + icon: + description: Icon to display on the reference line + enum: + - asterisk + - alert + - bell + - bolt + - bug + - circle + - editor_comment + - flag + - heart + - map_marker + - pin_filled + - star_empty + - star_filled + - tag + - triangle type: string + label: + description: Label for the operation + type: string + operation: + enum: + - static_value + type: string + position: + description: Position of the icon and label relative to the reference line + enum: + - auto + - left + - right + type: string + stroke_dash: + description: Line style + enum: + - solid + - dashed + - dotted + type: string + stroke_width: + description: Line width in pixels + maximum: 10 + minimum: 1 + type: number + text: + additionalProperties: false + description: Reference line text label configuration + type: object + properties: + visible: + description: Show text label on the reference line + type: boolean + required: + - visible + value: + default: 100 + description: Static value + type: number required: - - name - title: update_output_kafka + - operation + title: Static Operation Definition type: object - Kibana_HTTP_APIs_update_output_logstash: + Kibana_HTTP_APIs_xyRefLineStatsMetric: additionalProperties: false properties: - allow_edit: - items: - type: string - maxItems: 1000 - type: array - ca_sha256: - nullable: true + axis: + description: The axis this reference line is drawn on. Values match the root axis configuration keys. If omitted, defaults to the primary Y axis. 
+ enum: + - x + - 'y' + - y2 type: string - ca_trusted_fingerprint: - nullable: true + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric type: string - config_yaml: - nullable: true + fill: + description: Fill direction for reference line + enum: + - above + - below type: string - hosts: - items: - type: string - maxItems: 10 - minItems: 1 - type: array - id: + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + icon: + description: Icon to display on the reference line + enum: + - asterisk + - alert + - bell + - bolt + - bug + - circle + - editor_comment + - flag + - heart + - map_marker + - pin_filled + - star_empty + - star_filled + - tag + - triangle type: string - is_default: - type: boolean - is_default_monitoring: - type: boolean - is_internal: - type: boolean - is_preconfigured: - type: boolean - name: + label: + description: Label for the operation type: string - otel_disable_beatsauth: - nullable: true - type: boolean - otel_exporter_config_yaml: - nullable: true + operation: + enum: + - min + - max + - average + - median + - standard_deviation type: string - proxy_id: - nullable: true + position: + description: Position of the icon and label relative to the reference line + enum: + - auto + - left + - right type: string - secrets: + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + stroke_dash: + description: Line style + enum: + - solid + - dashed + - dotted + type: string + stroke_width: + description: Line width in pixels + maximum: 10 + minimum: 1 + type: number + text: additionalProperties: false + description: Reference line text label configuration type: object properties: - ssl: - additionalProperties: false - type: object - properties: - key: - anyOf: 
- - additionalProperties: false - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - shipper: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' - nullable: true - ssl: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' - nullable: true - type: - enum: - - logstash + visible: + description: Show text label on the reference line + type: boolean + required: + - visible + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting type: string - title: update_output_logstash + required: + - field + - operation + title: Stats Metric Operation type: object - Kibana_HTTP_APIs_update_output_remote_elasticsearch: + Kibana_HTTP_APIs_xyRefLineSumMetric: additionalProperties: false properties: - allow_edit: - items: - type: string - maxItems: 1000 - type: array - ca_sha256: - nullable: true + axis: + description: The axis this reference line is drawn on. Values match the root axis configuration keys. If omitted, defaults to the primary Y axis. + enum: + - x + - 'y' + - y2 type: string - ca_trusted_fingerprint: - nullable: true + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric type: string - config_yaml: - nullable: true + fill: + description: Fill direction for reference line + enum: + - above + - below type: string - hosts: - items: - format: uri - type: string - maxItems: 10 - minItems: 1 - type: array - id: + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + icon: + description: Icon to display on the reference line + enum: + - asterisk + - alert + - bell + - bolt + - bug + - circle + - editor_comment + - flag + - heart + - map_marker + - pin_filled + - star_empty + - star_filled + - tag + - triangle type: string - is_default: - type: boolean - is_default_monitoring: - type: boolean - is_internal: - type: boolean - is_preconfigured: - type: boolean - kibana_api_key: - nullable: true + label: + description: Label for the operation type: string - kibana_url: - nullable: true + operation: + enum: + - sum type: string - name: + position: + description: Position of the icon and label relative to the reference line + enum: + - auto + - left + - right type: string - otel_disable_beatsauth: - nullable: true + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + stroke_dash: + description: Line style + enum: + - solid + - dashed + - dotted + type: string + stroke_width: + description: Line width in pixels + maximum: 10 + minimum: 1 + type: number + text: + additionalProperties: false + description: Reference line text label configuration + type: object + properties: + visible: + description: Show text label on the reference line + type: boolean + required: + - visible + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Sum Metric Operation + type: 
object + Kibana_HTTP_APIs_xyRefLineUniqueCountMetric: + additionalProperties: false + properties: + axis: + description: The axis this reference line is drawn on. Values match the root axis configuration keys. If omitted, defaults to the primary Y axis. + enum: + - x + - 'y' + - y2 + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. type: boolean - otel_exporter_config_yaml: - nullable: true + field: + description: Field to be used for the metric type: string - preset: + fill: + description: Fill direction for reference line enum: - - balanced - - custom - - throughput - - scale - - latency + - above + - below type: string - proxy_id: - nullable: true + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + icon: + description: Icon to display on the reference line + enum: + - asterisk + - alert + - bell + - bolt + - bug + - circle + - editor_comment + - flag + - heart + - map_marker + - pin_filled + - star_empty + - star_filled + - tag + - triangle type: string - secrets: + label: + description: Label for the operation + type: string + operation: + enum: + - unique_count + type: string + position: + description: Position of the icon and label relative to the reference line + enum: + - auto + - left + - right + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + stroke_dash: + description: Line style + enum: + - solid + - dashed + - dotted + type: string + stroke_width: + description: Line width in pixels + maximum: 10 + minimum: 1 + type: number + text: additionalProperties: false + description: Reference line text label configuration type: object properties: - service_token: - anyOf: - - 
additionalProperties: false - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - key: - anyOf: - - additionalProperties: false - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - service_token: - nullable: true + visible: + description: Show text label on the reference line + type: boolean + required: + - visible + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting type: string - shipper: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' - nullable: true - ssl: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' - nullable: true - sync_integrations: - type: boolean - sync_uninstalled_integrations: - type: boolean - type: + required: + - field + - operation + title: Unique Count Metric Operation + type: object + Kibana_HTTP_APIs_xyStyling: + additionalProperties: false + description: Visual styling options for the chart + properties: + areas: + $ref: '#/components/schemas/Kibana_HTTP_APIs_xyStylingAreas' + bars: + $ref: '#/components/schemas/Kibana_HTTP_APIs_xyStylingBars' + fitting: + $ref: '#/components/schemas/Kibana_HTTP_APIs_xyFitting' + interpolation: + description: Curve interpolation method for line and area series enum: - - remote_elasticsearch + - linear + - smooth + - stepped type: string - write_to_logs_streams: - nullable: true - type: boolean - title: update_output_remote_elasticsearch + overlays: + $ref: '#/components/schemas/Kibana_HTTP_APIs_xyStylingOverlays' + points: + $ref: '#/components/schemas/Kibana_HTTP_APIs_xyStylingPoints' + title: xyStyling type: object - Kibana_HTTP_APIs_update_package_policy_request: + Kibana_HTTP_APIs_xyStylingAreas: additionalProperties: false + description: Area-specific rendering 
settings properties: - additional_datastreams_permissions: - description: >- - Additional datastream permissions, that will be added to the agent - policy. - items: - type: string - maxItems: 1000 - nullable: true - type: array - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. - nullable: true + fill_opacity: + description: Area fill opacity (0-1 typical, max 2 for legacy) + maximum: 2 + minimum: 0 + type: number + title: xyStylingAreas + type: object + Kibana_HTTP_APIs_xyStylingBars: + additionalProperties: false + description: Bar-specific rendering settings + properties: + data_labels: + additionalProperties: false + description: Data label configuration for bar series + type: object + properties: + visible: + default: false + description: Display value labels on bar data points + type: boolean + minimum_height: + description: Minimum bar height in pixels + minimum: 0 + type: number + title: xyStylingBars + type: object + Kibana_HTTP_APIs_xyStylingOverlays: + additionalProperties: false + description: Visual overlays drawn on top of the chart canvas + properties: + current_time_marker: + additionalProperties: false + description: Current time marker configuration + type: object + properties: + visible: + default: false + description: Show current time marker line + type: boolean + partial_buckets: + additionalProperties: false + description: Partial (incomplete) bucket indicator configuration + type: object + properties: + visible: + default: false + description: Show partial bucket indicators at time range edges + type: boolean + title: xyStylingOverlays + type: object + Kibana_HTTP_APIs_xyStylingPoints: + additionalProperties: false + description: Data point marker settings for line and area series + properties: + visibility: + description: Data point marker visibility on line and area series + enum: + - auto + - visible + - hidden type: string - cloud_connector_name: - description: Transient field for cloud 
connector name during creation. - maxLength: 255 - minLength: 1 - nullable: true + title: xyStylingPoints + type: object + Kibana_HTTP_APIs_xyXDateHistogram: + additionalProperties: false + properties: + drop_partial_intervals: + description: When `true`, drops partial intervals from the results. + type: boolean + field: + description: Field to be used for the date histogram. type: string - condition: - description: >- - **Experimental.** Agent condition expression to evaluate whether to - apply this integration to its inputs. + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. + type: boolean + label: + description: Label for the operation type: string - description: - description: Package policy description + operation: + enum: + - date_histogram type: string - enabled: - type: boolean - force: + suggested_interval: + default: auto + description: Suggested time interval. + type: string + use_original_time_range: + default: false + description: When `true`, uses the original time range instead of the current query time range. type: boolean - global_data_tags: + required: + - operation + - field + title: Date Histogram Operation + type: object + Kibana_HTTP_APIs_xyXFilters: + additionalProperties: false + properties: + filters: items: - additionalProperties: false - type: object - properties: - name: - description: The name of the custom field. Cannot contain spaces. - type: string - value: - anyOf: - - type: string - - type: number - description: The value of the custom field. - required: - - name - - value + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterWithLabel' maxItems: 100 - nullable: true - type: array - inputs: - items: - additionalProperties: false - type: object - properties: - condition: - description: >- - **Experimental.** Agent condition expression to evaluate - whether to apply this input. 
- type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation for more - information) - type: object - deprecated: - $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - condition: - description: >- - **Experimental.** Agent condition expression to evaluate - whether to apply this stream. - type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation for more - information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: >- - Variable group selections. Maps var_group name to the - selected option name within that group. 
- type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation for more - information) - type: object - required: - - enabled - - data_stream - - compiled_stream - - deprecated - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: >- - Variable group selections. Maps var_group name to the selected - option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation for more - information) - type: object - required: - - type - - enabled - - deprecated - maxItems: 1000 type: array - is_managed: + label: + description: Label for the operation + type: string + operation: + enum: + - filters + type: string + required: + - operation + - filters + title: Filters Operation + type: object + Kibana_HTTP_APIs_xyXHistogram: + additionalProperties: false + properties: + field: + description: Field to be used for the histogram. + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + granularity: + anyOf: + - description: Granularity of the histogram. + maximum: 7 + minimum: 1 + type: number + - enum: + - auto + type: string + default: auto + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. type: boolean - name: + label: + description: Label for the operation type: string - namespace: - description: >- - The package policy namespace. Leave blank to inherit the agent - policy's namespace. 
+ operation: + enum: + - histogram type: string - output_id: - nullable: true + required: + - operation + - field + title: Histogram Operation + type: object + Kibana_HTTP_APIs_xyXRanges: + additionalProperties: false + properties: + field: + description: Field to be used for the range. type: string - overrides: - additionalProperties: false - description: >- - Override settings that are defined in the package policy. The - override option should be used only in unusual circumstances and not - as a routine procedure. - nullable: true - type: object - properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_package' - package_agent_version_condition: + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. - nullable: true + operation: + enum: + - range type: string - policy_ids: + ranges: items: - description: >- - IDs of the agent policies which that package policy will be added - to. - type: string - maxItems: 1000 + additionalProperties: false + type: object + properties: + gt: + description: Greater than. + type: number + label: + description: Label. + type: string + lte: + description: Less than or equal to. + type: number + maxItems: 100 type: array - spaceIds: + required: + - operation + - field + - ranges + title: Ranges Operation + type: object + Kibana_HTTP_APIs_xyXTerms: + additionalProperties: false + properties: + excludes: + additionalProperties: false + type: object + properties: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to exclude. + type: string + maxItems: 100 + type: array + required: + - values + fields: items: + description: Fields to be used for the terms. 
type: string - maxItems: 100 + maxItems: 4 + minItems: 1 type: array - supports_agentless: - default: false - description: >- - Indicates whether the package policy belongs to an agentless agent - policy. - nullable: true - type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. - nullable: true - type: boolean - var_group_selections: - additionalProperties: - type: string - description: >- - Variable group selections. Maps var_group name to the selected - option name within that group. + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + includes: + additionalProperties: false type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: + properties: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to include. type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation for more - information) + maxItems: 100 + type: array + required: + - values + increase_accuracy: + description: When `true`, increases accuracy at the cost of performance. + type: boolean + label: + description: Label for the operation + type: string + limit: + default: 5 + description: Number of terms to return. + type: number + operation: + enum: + - terms + type: string + other_bucket: + additionalProperties: false type: object - version: + properties: + include_documents_without_field: + description: When `true`, includes documents that do not have the specified field. 
+ type: boolean + required: + - include_documents_without_field + rank_by: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByAlphabetical' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByRare' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankBySignificant' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomCountOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileRankOperation' + required: + - operation + - fields + title: Terms Operation + type: object + Kibana_HTTP_APIs_xyYCounterRate: + additionalProperties: false + properties: + axis: + description: The Y axis this metric is plotted on. Values match the root axis configuration keys (axis.y, axis.y2). If omitted, defaults to the Y axis start (leading) side. 
+ enum: + - 'y' + - y2 + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - counter_rate + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting type: string required: - - package - title: update_package_policy_request + - field + - operation + title: Counter Rate Operation type: object - Kibana_HTTP_APIs_update_package_request: + Kibana_HTTP_APIs_xyYCountMetric: additionalProperties: false properties: - keepPoliciesUpToDate: + axis: + description: The Y axis this metric is plotted on. Values match the root axis configuration keys (axis.y, axis.y2). If omitted, defaults to the Y axis start (leading) side. + enum: + - 'y' + - y2 + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. type: boolean - namespace_customization_enabled_for: - description: >- - Namespaces for which namespace-level customization is enabled on - this package. 
- items: - type: string - maxItems: 100 - type: array - title: update_package_request + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - operation + title: Count Metric Operation type: object - Kibana_HTTP_APIs_update_package_response: + Kibana_HTTP_APIs_xyYCumulativeSum: additionalProperties: false properties: - item: - $ref: '#/components/schemas/Kibana_HTTP_APIs_get_package_info' + axis: + description: The Y axis this metric is plotted on. Values match the root axis configuration keys (axis.y, axis.y2). If omitted, defaults to the Y axis start (leading) side. 
+ enum: + - 'y' + - y2 + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - cumulative_sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string required: - - item - title: update_package_response + - field + - operation + title: Cumulative Sum Operation type: object - Kibana_HTTP_APIs_upgrade_package_policies_request: + Kibana_HTTP_APIs_xyYDifferences: additionalProperties: false properties: - packagePolicyIds: - items: - type: string - maxItems: 1000 - type: array + axis: + description: The Y axis this metric is plotted on. Values match the root axis configuration keys (axis.y, axis.y2). If omitted, defaults to the Y axis start (leading) side. 
+ enum: + - 'y' + - y2 + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - differences + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string required: - - packagePolicyIds - title: upgrade_package_policies_request + - operation + - of + title: Differences Operation + type: object + Kibana_HTTP_APIs_xyYFormula: + additionalProperties: false + properties: + axis: + description: The Y axis this metric is plotted on. Values match the root axis configuration keys (axis.y, axis.y2). If omitted, defaults to the Y axis start (leading) side. 
+ enum: + - 'y' + - y2 + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + formula: + description: Formula + type: string + label: + description: Label for the operation + type: string + operation: + enum: + - formula + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + description: Time scale + enum: + - s + - m + - h + - d + type: string + required: + - operation + - formula + title: Formula Operation + type: object + Kibana_HTTP_APIs_xyYLastValue: + additionalProperties: false + properties: + axis: + description: The Y axis this metric is plotted on. Values match the root axis configuration keys (axis.y, axis.y2). If omitted, defaults to the Y axis start (leading) side. + enum: + - 'y' + - y2 + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + multi_value: + default: false + description: Whether to return all values for multi-value fields. Only affects data table and metric charts; other charts use the last value from the array. 
+ type: boolean + operation: + enum: + - last_value + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_field: + description: Time field used to determine document recency + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + - time_field + title: Last Value Operation + type: object + Kibana_HTTP_APIs_xyYMovingAverage: + additionalProperties: false + properties: + axis: + description: The Y axis this metric is plotted on. Values match the root axis configuration keys (axis.y, axis.y2). If omitted, defaults to the Y axis start (leading) side. + enum: + - 'y' + - y2 + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - moving_average + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + window: + default: 5 + description: Window + type: number + required: + - operation + - of + title: Moving Average Operation + type: object + Kibana_HTTP_APIs_xyYPercentile: + additionalProperties: false + properties: + axis: + description: The Y axis this metric is plotted on. Values match the root axis configuration keys (axis.y, axis.y2). 
If omitted, defaults to the Y axis start (leading) side. + enum: + - 'y' + - y2 + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - percentile + type: string + percentile: + default: 95 + description: Percentile + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Percentile Operation + type: object + Kibana_HTTP_APIs_xyYPercentileRanks: + additionalProperties: false + properties: + axis: + description: The Y axis this metric is plotted on. Values match the root axis configuration keys (axis.y, axis.y2). If omitted, defaults to the Y axis start (leading) side. 
+ enum: + - 'y' + - y2 + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - percentile_rank + type: string + rank: + default: 0 + description: Percentile Rank + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Percentile Ranks Operation + type: object + Kibana_HTTP_APIs_xyYStatsMetric: + additionalProperties: false + properties: + axis: + description: The Y axis this metric is plotted on. Values match the root axis configuration keys (axis.y, axis.y2). If omitted, defaults to the Y axis start (leading) side. 
+ enum: + - 'y' + - y2 + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - min + - max + - average + - median + - standard_deviation + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Stats Metric Operation + type: object + Kibana_HTTP_APIs_xyYSumMetric: + additionalProperties: false + properties: + axis: + description: The Y axis this metric is plotted on. Values match the root axis configuration keys (axis.y, axis.y2). If omitted, defaults to the Y axis start (leading) side. + enum: + - 'y' + - y2 + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Sum Metric Operation + type: object + Kibana_HTTP_APIs_xyYUniqueCountMetric: + additionalProperties: false + properties: + axis: + description: The Y axis this metric is plotted on. Values match the root axis configuration keys (axis.y, axis.y2). If omitted, defaults to the Y axis start (leading) side. + enum: + - 'y' + - y2 + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - unique_count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Unique Count Metric Operation type: object Machine_learning_APIs_mlSync200Response: properties: datafeedsAdded: additionalProperties: $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDatafeeds' - description: >- - If a saved object for an anomaly detection job is missing a datafeed - identifier, it is added when you run the sync machine learning saved - objects API. + description: If a saved object for an anomaly detection job is missing a datafeed identifier, it is added when you run the sync machine learning saved objects API. type: object datafeedsRemoved: additionalProperties: $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDatafeeds' - description: >- - If a saved object for an anomaly detection job references a datafeed - that no longer exists, it is deleted when you run the sync machine - learning saved objects API. + description: If a saved object for an anomaly detection job references a datafeed that no longer exists, it is deleted when you run the sync machine learning saved objects API. 
type: object savedObjectsCreated: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseSavedObjectsCreated + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSavedObjectsCreated' savedObjectsDeleted: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseSavedObjectsDeleted + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSavedObjectsDeleted' title: Successful sync API response type: object Machine_learning_APIs_mlSync4xxResponse: 
@@ -62427,97 +118246,63 @@ components: title: Unsuccessful sync API response type: object Machine_learning_APIs_mlSyncResponseAnomalyDetectors: - description: >- - The sync machine learning saved objects API response contains this - object when there are anomaly detection jobs affected by the - synchronization. There is an object for each relevant job, which - contains the synchronization status. + description: The sync machine learning saved objects API response contains this object when there are anomaly detection jobs affected by the synchronization. There is an object for each relevant job, which contains the synchronization status. properties: success: $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' title: Sync API response for anomaly detection jobs type: object Machine_learning_APIs_mlSyncResponseDatafeeds: - description: >- - The sync machine learning saved objects API response contains this - object when there are datafeeds affected by the synchronization. There - is an object for each relevant datafeed, which contains the - synchronization status. + description: The sync machine learning saved objects API response contains this object when there are datafeeds affected by the synchronization. There is an object for each relevant datafeed, which contains the synchronization status. properties: success: $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' title: Sync API response for datafeeds type: object Machine_learning_APIs_mlSyncResponseDataFrameAnalytics: - description: >- - The sync machine learning saved objects API response contains this - object when there are data frame analytics jobs affected by the - synchronization. There is an object for each relevant job, which - contains the synchronization status. + description: The sync machine learning saved objects API response contains this object when there are data frame analytics jobs affected by the synchronization. 
There is an object for each relevant job, which contains the synchronization status. properties: success: $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' title: Sync API response for data frame analytics jobs type: object Machine_learning_APIs_mlSyncResponseSavedObjectsCreated: - description: >- - If saved objects are missing for machine learning jobs or trained - models, they are created when you run the sync machine learning saved - objects API. + description: If saved objects are missing for machine learning jobs or trained models, they are created when you run the sync machine learning saved objects API. properties: anomaly-detector: additionalProperties: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseAnomalyDetectors - description: >- - If saved objects are missing for anomaly detection jobs, they are - created. + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseAnomalyDetectors' + description: If saved objects are missing for anomaly detection jobs, they are created. type: object data-frame-analytics: additionalProperties: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseDataFrameAnalytics - description: >- - If saved objects are missing for data frame analytics jobs, they are - created. + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDataFrameAnalytics' + description: If saved objects are missing for data frame analytics jobs, they are created. type: object trained-model: additionalProperties: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseTrainedModels + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseTrainedModels' description: If saved objects are missing for trained models, they are created. 
type: object title: Sync API response for created saved objects type: object Machine_learning_APIs_mlSyncResponseSavedObjectsDeleted: - description: >- - If saved objects exist for machine learning jobs or trained models that - no longer exist, they are deleted when you run the sync machine learning - saved objects API. + description: If saved objects exist for machine learning jobs or trained models that no longer exist, they are deleted when you run the sync machine learning saved objects API. properties: anomaly-detector: additionalProperties: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseAnomalyDetectors - description: >- - If there are saved objects exist for nonexistent anomaly detection - jobs, they are deleted. + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseAnomalyDetectors' + description: If there are saved objects exist for nonexistent anomaly detection jobs, they are deleted. type: object data-frame-analytics: additionalProperties: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseDataFrameAnalytics - description: >- - If there are saved objects exist for nonexistent data frame - analytics jobs, they are deleted. + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDataFrameAnalytics' + description: If there are saved objects exist for nonexistent data frame analytics jobs, they are deleted. type: object trained-model: additionalProperties: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseTrainedModels - description: >- - If there are saved objects exist for nonexistent trained models, - they are deleted. + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseTrainedModels' + description: If there are saved objects exist for nonexistent trained models, they are deleted. type: object title: Sync API response for deleted saved objects type: object 
@@ -62525,11 +118310,7 @@ components: description: The success or failure of the synchronization. type: boolean Machine_learning_APIs_mlSyncResponseTrainedModels: - description: >- - The sync machine learning saved objects API response contains this - object when there are trained models affected by the synchronization. - There is an object for each relevant trained model, which contains the - synchronization status. + description: The sync machine learning saved objects API response contains this object when there are trained models affected by the synchronization. There is an object for each relevant trained model, which contains the synchronization status. properties: success: $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' @@ -62609,8 +118390,7 @@ components: description: The name associated with the message. type: string role: - $ref: >- - #/components/schemas/Observability_AI_Assistant_API_MessageRoleEnum + $ref: '#/components/schemas/Observability_AI_Assistant_API_MessageRoleEnum' required: - role required: @@ -62734,8 +118514,7 @@ components: example: user.name type: string skip_reason: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipReason + $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipReason' description: Reason why the anonymization field was not modified. required: - id 
@@ -62753,15 +118532,12 @@ components: errors: description: List of errors that occurred during the bulk operation. items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_NormalizedAnonymizationFieldError + $ref: '#/components/schemas/Security_AI_Assistant_API_NormalizedAnonymizationFieldError' type: array results: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResults + $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResults' summary: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_BulkCrudActionSummary + $ref: '#/components/schemas/Security_AI_Assistant_API_BulkCrudActionSummary' required: - results - summary @@ -62785,8 +118561,7 @@ components: created: description: List of anonymization fields successfully created. items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse + $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse' type: array deleted: items: @@ -62797,14 +118572,12 @@ components: skipped: description: List of anonymization fields that were skipped during the operation. items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipResult + $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipResult' type: array updated: description: List of anonymization fields successfully updated. items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse + $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse' type: array required: - updated 
@@ -63000,9 +118773,7 @@ components: $ref: '#/components/schemas/Security_AI_Assistant_API_MessageData' description: Metadata to attach to the context of the message. fields_to_anonymize: - description: >- - List of field names within the data object that should be - anonymized. + description: List of field names within the data object that should be anonymized. example: - user.name - source.ip @@ -63025,18 +118796,12 @@ components: Security_AI_Assistant_API_ContentReferences: additionalProperties: oneOf: - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryContentReference - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_SecurityAlertContentReference - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_SecurityAlertsPageContentReference - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_ProductDocumentationContentReference - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_EsqlContentReference - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_HrefContentReference + - $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryContentReference' + - $ref: '#/components/schemas/Security_AI_Assistant_API_SecurityAlertContentReference' + - $ref: '#/components/schemas/Security_AI_Assistant_API_SecurityAlertsPageContentReference' + - $ref: '#/components/schemas/Security_AI_Assistant_API_ProductDocumentationContentReference' + - $ref: '#/components/schemas/Security_AI_Assistant_API_EsqlContentReference' + - $ref: '#/components/schemas/Security_AI_Assistant_API_HrefContentReference' additionalProperties: false description: A union of all content reference types type: object 
@@ -63188,9 +118953,7 @@ components: example: default type: string users: - description: >- - Users who have access to the Knowledge Base Entry, defaults to - current user. Empty array provides access to all users. + description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users. items: $ref: '#/components/schemas/Security_AI_Assistant_API_User' type: array @@ -63200,8 +118963,7 @@ components: - global - users - $ref: '#/components/schemas/Security_AI_Assistant_API_ResponseFields' - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_DocumentEntryResponseFields + - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryResponseFields' Security_AI_Assistant_API_DocumentEntryCreateFields: allOf: - type: object @@ -63219,18 +118981,14 @@ components: example: default type: string users: - description: >- - Users who have access to the Knowledge Base Entry, defaults to - current user. Empty array provides access to all users. + description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users. items: $ref: '#/components/schemas/Security_AI_Assistant_API_User' type: array required: - name - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_DocumentEntryRequiredFields - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_DocumentEntryOptionalFields + - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryRequiredFields' + - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryOptionalFields' Security_AI_Assistant_API_DocumentEntryOptionalFields: type: object properties: 
@@ -63266,10 +119024,8 @@ components: - text Security_AI_Assistant_API_DocumentEntryResponseFields: allOf: - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_DocumentEntryRequiredFields - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_DocumentEntryOptionalFields + - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryRequiredFields' + - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryOptionalFields' Security_AI_Assistant_API_DocumentEntryUpdateFields: allOf: - type: object @@ -63289,16 +119045,13 @@ components: example: default type: string users: - description: >- - Users who have access to the Knowledge Base Entry, defaults to - current user. Empty array provides access to all users. + description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users. items: $ref: '#/components/schemas/Security_AI_Assistant_API_User' type: array required: - id - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields + - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields' Security_AI_Assistant_API_EsqlContentReference: allOf: - $ref: '#/components/schemas/Security_AI_Assistant_API_BaseContentReference' @@ -63344,9 +119097,7 @@ components: - updated_at type: string Security_AI_Assistant_API_FindConversationsSortField: - description: >- - The field by which to sort the conversations. Possible values are - `created_at`, `title`, and `updated_at`. + description: The field by which to sort the conversations. Possible values are `created_at`, `title`, and `updated_at`. enum: - created_at - title 
@@ -63407,9 +119158,7 @@ components: example: default type: string users: - description: >- - Users who have access to the Knowledge Base Entry, defaults to - current user. Empty array provides access to all users. + description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users. items: $ref: '#/components/schemas/Security_AI_Assistant_API_User' type: array @@ -63419,8 +119168,7 @@ components: - global - users - $ref: '#/components/schemas/Security_AI_Assistant_API_ResponseFields' - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_IndexEntryResponseFields + - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryResponseFields' Security_AI_Assistant_API_IndexEntryCreateFields: allOf: - type: object @@ -63438,27 +119186,21 @@ components: example: default type: string users: - description: >- - Users who have access to the Knowledge Base Entry, defaults to - current user. Empty array provides access to all users. + description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users. items: $ref: '#/components/schemas/Security_AI_Assistant_API_User' type: array required: - name - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_IndexEntryRequiredFields - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_IndexEntryOptionalFields + - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryRequiredFields' + - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryOptionalFields' Security_AI_Assistant_API_IndexEntryOptionalFields: type: object properties: inputSchema: $ref: '#/components/schemas/Security_AI_Assistant_API_InputSchema' outputFields: - description: >- - Fields to extract from the query result, defaults to all fields if - not provided or empty. + description: Fields to extract from the query result, defaults to all fields if not provided or empty. example: - title - author 
@@ -63469,9 +119211,7 @@ components: type: object properties: description: - description: >- - Description for when this index or data stream should be queried for - Knowledge Base content. Passed to the LLM as a tool description. + description: Description for when this index or data stream should be queried for Knowledge Base content. Passed to the LLM as a tool description. example: Query this index for general knowledge base content. type: string field: @@ -63483,9 +119223,7 @@ components: example: knowledge_base_index type: string queryDescription: - description: >- - Description of query field used to fetch Knowledge Base content. - Passed to the LLM as part of the tool input schema. + description: Description of query field used to fetch Knowledge Base content. Passed to the LLM as part of the tool input schema. example: Search for documents containing the specified keywords. type: string type: @@ -63502,10 +119240,8 @@ components: - queryDescription Security_AI_Assistant_API_IndexEntryResponseFields: allOf: - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_IndexEntryRequiredFields - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_IndexEntryOptionalFields + - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryRequiredFields' + - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryOptionalFields' Security_AI_Assistant_API_IndexEntryUpdateFields: allOf: - type: object 
@@ -63525,20 +119261,15 @@ components: example: default type: string users: - description: >- - Users who have access to the Knowledge Base Entry, defaults to - current user. Empty array provides access to all users. + description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users. items: $ref: '#/components/schemas/Security_AI_Assistant_API_User' type: array required: - id - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields + - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields' Security_AI_Assistant_API_InputSchema: - description: >- - Array of objects defining the input schema, allowing the LLM to extract - structured data to be used in retrieval. + description: Array of objects defining the input schema, allowing the LLM to extract structured data to be used in retrieval. items: type: object properties: @@ -63561,8 +119292,7 @@ components: type: array Security_AI_Assistant_API_InputTextInterruptResumeValue: allOf: - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_BaseInterruptResumeValue + - $ref: '#/components/schemas/Security_AI_Assistant_API_BaseInterruptResumeValue' - type: object properties: type: @@ -63602,11 +119332,9 @@ components: Security_AI_Assistant_API_InterruptResumeValue: description: Union of the interrupt resume values oneOf: - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_SelectOptionInterruptResumeValue + - $ref: '#/components/schemas/Security_AI_Assistant_API_SelectOptionInterruptResumeValue' additionalProperties: false - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_InputTextInterruptResumeValue + - $ref: '#/components/schemas/Security_AI_Assistant_API_InputTextInterruptResumeValue' additionalProperties: false Security_AI_Assistant_API_InterruptType: description: The type of interrupt 
@@ -63617,11 +119345,9 @@ components: Security_AI_Assistant_API_InterruptValue: description: Union of the interrupt values oneOf: - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_SelectOptionInterruptValue + - $ref: '#/components/schemas/Security_AI_Assistant_API_SelectOptionInterruptValue' additionalProperties: false - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_InputTextInterruptValue + - $ref: '#/components/schemas/Security_AI_Assistant_API_InputTextInterruptValue' additionalProperties: false Security_AI_Assistant_API_KnowledgeBaseEntryBulkActionSkipReason: description: Reason why a Knowledge Base Entry was skipped during the bulk action. @@ -63640,8 +119366,7 @@ components: example: Skipped Entry type: string skip_reason: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkActionSkipReason + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkActionSkipReason' required: - id - skip_reason @@ -63661,15 +119386,12 @@ components: message: Failed to update entry. statusCode: 400 items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_NormalizedKnowledgeBaseEntryError + $ref: '#/components/schemas/Security_AI_Assistant_API_NormalizedKnowledgeBaseEntryError' type: array results: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionResults + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionResults' summary: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionSummary + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionSummary' required: - results - summary 
@@ -63704,29 +119426,23 @@ components: text: This is the content of the new entry. type: document items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse' type: array deleted: - description: >- - List of IDs of Knowledge Base Entries that were successfully - deleted. + description: List of IDs of Knowledge Base Entries that were successfully deleted. example: - '789' items: type: string type: array skipped: - description: >- - List of Knowledge Base Entries that were skipped during the bulk - action. + description: List of Knowledge Base Entries that were skipped during the bulk action. example: - id: '123' name: Skipped Entry skip_reason: KNOWLEDGE_BASE_ENTRY_NOT_MODIFIED items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkActionSkipResult + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkActionSkipResult' type: array updated: description: List of Knowledge Base Entries that were successfully updated. @@ -63738,8 +119454,7 @@ components: text: Updated content. type: document items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse' type: array required: - updated @@ -63754,15 +119469,11 @@ components: example: 2 type: integer skipped: - description: >- - Number of Knowledge Base Entries that were skipped during the bulk - action. + description: Number of Knowledge Base Entries that were skipped during the bulk action. example: 1 type: integer succeeded: - description: >- - Number of Knowledge Base Entries that were successfully processed - during the bulk action. + description: Number of Knowledge Base Entries that were successfully processed during the bulk action. example: 5 type: integer total: 
@@ -63799,16 +119510,12 @@ components: description: References a knowledge base entry Security_AI_Assistant_API_KnowledgeBaseEntryCreateProps: anyOf: - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields + - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields' + - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields' discriminator: mapping: - document: >- - #/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields - index: >- - #/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields + document: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields' + index: '#/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields' propertyName: type Security_AI_Assistant_API_KnowledgeBaseEntryDetailsInError: type: object 
@@ -63854,37 +119561,27 @@ components: propertyName: type Security_AI_Assistant_API_KnowledgeBaseEntryUpdateProps: anyOf: - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_DocumentEntryUpdateFields - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_IndexEntryUpdateFields + - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryUpdateFields' + - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryUpdateFields' discriminator: mapping: - document: >- - #/components/schemas/Security_AI_Assistant_API_DocumentEntryUpdateFields - index: >- - #/components/schemas/Security_AI_Assistant_API_IndexEntryUpdateFields + document: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryUpdateFields' + index: '#/components/schemas/Security_AI_Assistant_API_IndexEntryUpdateFields' propertyName: type Security_AI_Assistant_API_KnowledgeBaseEntryUpdateRouteProps: anyOf: - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields + - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields' + - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields' discriminator: mapping: - document: >- - #/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields - index: >- - #/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields + document: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields' + index: '#/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields' propertyName: type Security_AI_Assistant_API_KnowledgeBaseReadResponse200: type: object properties: defend_insights_exists: - description: >- - Indicates if Defend Insights documentation exists in the - KnowledgeBase. + description: Indicates if Defend Insights documentation exists in the KnowledgeBase. example: true type: boolean elser_exists: 
@@ -63904,9 +119601,7 @@ components: example: complete type: string security_labs_exists: - description: >- - Indicates if Security Labs documentation exists in the - KnowledgeBase. + description: Indicates if Security Labs documentation exists in the KnowledgeBase. example: true type: boolean user_data_exists: @@ -63914,9 +119609,7 @@ components: example: false type: boolean Security_AI_Assistant_API_KnowledgeBaseResource: - description: >- - Knowledge Base resource name for grouping entries, e.g. 'security_labs', - 'user', etc. + description: Knowledge Base resource name for grouping entries, e.g. 'security_labs', 'user', etc. enum: - security_labs - defend_insights @@ -64004,16 +119697,10 @@ components: description: Data referred to by the message content. interruptResumeValue: $ref: '#/components/schemas/Security_AI_Assistant_API_InterruptResumeValue' - description: >- - When the agent is resumed after an interrupt, this field is - populated with the details of the resume value. + description: When the agent is resumed after an interrupt, this field is populated with the details of the resume value. interruptValue: $ref: '#/components/schemas/Security_AI_Assistant_API_InterruptValue' - description: >- - When the agent is interrupted (for example, when user input is - required), this field is populated with the details of the - interrupt. Messages containing interruptValues in the metadata are - excluded from the LLM context. + description: When the agent is interrupted (for example, when user input is required), this field is populated with the details of the interrupt. Messages containing interruptValues in the metadata are excluded from the LLM context. Security_AI_Assistant_API_MessageRole: description: Message role. enum: 
@@ -64029,9 +119716,7 @@ components: minLength: 1 type: string Security_AI_Assistant_API_NonEmptyTimestamp: - description: >- - A string that represents a timestamp in ISO 8601 format and does not - contain only whitespace characters. + description: A string that represents a timestamp in ISO 8601 format and does not contain only whitespace characters. example: '2023-10-31T12:00:00Z' format: nonempty minLength: 1 @@ -64042,8 +119727,7 @@ components: anonymization_fields: description: Array of anonymization fields that caused the error. items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldDetailsInError + $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldDetailsInError' type: array err_code: description: Error code indicating the type of failure. @@ -64071,8 +119755,7 @@ components: knowledgeBaseEntries: description: List of Knowledge Base Entries that encountered the error. items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryDetailsInError + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryDetailsInError' type: array message: description: Error message describing the issue. @@ -64098,8 +119781,7 @@ components: prompts: description: List of prompts that encountered errors. items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_PromptDetailsInError + $ref: '#/components/schemas/Security_AI_Assistant_API_PromptDetailsInError' type: array status_code: description: The HTTP status code associated with the error. @@ -64258,8 +119940,7 @@ components: description: The name of the prompt that was skipped. type: string skip_reason: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_PromptsBulkActionSkipReason + $ref: '#/components/schemas/Security_AI_Assistant_API_PromptsBulkActionSkipReason' description: The reason for skipping the prompt. required: - id 
@@ -64272,15 +119953,12 @@ components: properties: errors: items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_NormalizedPromptError + $ref: '#/components/schemas/Security_AI_Assistant_API_NormalizedPromptError' type: array results: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_PromptsBulkCrudActionResults + $ref: '#/components/schemas/Security_AI_Assistant_API_PromptsBulkCrudActionResults' summary: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_BulkCrudActionSummary + $ref: '#/components/schemas/Security_AI_Assistant_API_BulkCrudActionSummary' required: - results - summary @@ -64318,8 +119996,7 @@ components: skipped: description: List of prompts that were skipped. items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_PromptsBulkActionSkipResult + $ref: '#/components/schemas/Security_AI_Assistant_API_PromptsBulkActionSkipResult' type: array updated: description: List of prompts that were updated. @@ -64476,8 +120153,7 @@ components: - value Security_AI_Assistant_API_SelectOptionInterruptResumeValue: allOf: - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_BaseInterruptResumeValue + - $ref: '#/components/schemas/Security_AI_Assistant_API_BaseInterruptResumeValue' - type: object properties: type: @@ -64486,9 +120162,7 @@ components: example: SELECT_OPTION type: string value: - description: >- - The value of the selected option to resume the graph execution - with + description: The value of the selected option to resume the graph execution with example: option_1 type: string required: @@ -64510,8 +120184,7 @@ components: - label: Option 1 - label: Option 2 items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_SelectOptionInterruptOption + $ref: '#/components/schemas/Security_AI_Assistant_API_SelectOptionInterruptOption' type: array type: enum: 
@@ -64555,9 +120228,7 @@ components: example: John Doe type: string Security_AI_Assistant_API_Vector: - description: >- - Object containing Knowledge Base Entry text embeddings and modelId used - to create the embeddings. + description: Object containing Knowledge Base Entry text embeddings and modelId used to create the embeddings. type: object properties: modelId: @@ -64655,9 +120326,7 @@ components: type: string type: array alert_rule_uuid: - description: >- - The optional kibana.alert.rule.uuid of the rule that generated this - attack discovery (not applicable to ad hock runs) + description: The optional kibana.alert.rule.uuid of the rule that generated this attack discovery (not applicable to ad hock runs) type: string alert_start: description: The optional time the attack discovery alert was created @@ -64666,22 +120335,16 @@ components: description: The optional time the attack discovery alert was last updated type: string alert_updated_by_user_id: - description: >- - The optional id of the user who last updated the attack discovery - alert + description: The optional id of the user who last updated the attack discovery alert type: string alert_updated_by_user_name: - description: >- - The optional username of the user who updated the attack discovery - alert + description: The optional username of the user who updated the attack discovery alert type: string alert_workflow_status: description: The optional kibana.alert.workflow_status of this attack discovery type: string alert_workflow_status_updated_at: - description: >- - The optional time the attack discovery alert workflow status was - last updated + description: The optional time the attack discovery alert workflow status was last updated type: string assignees: description: The optional array of user-IDs who have been assigned the attack 
@@ -64692,20 +120355,13 @@ components: description: The ID of the connector that generated the attack discovery type: string connector_name: - description: >- - The (human readable) name of the connector that generated the attack - discovery + description: The (human readable) name of the connector that generated the attack discovery type: string details_markdown: - description: >- - Details of the attack with bulleted markdown that always uses - special syntax for field names and values from the source data. + description: Details of the attack with bulleted markdown that always uses special syntax for field names and values from the source data. type: string entity_summary_markdown: - description: >- - An optional, short (no more than a sentence) summary of the attack - discovery featuring only the host.name and user.name fields (when - they are applicable), using the same syntax + description: An optional, short (no more than a sentence) summary of the attack discovery featuring only the host.name and user.name fields (when they are applicable), using the same syntax type: string generation_uuid: description: The generation ID of the run that created the attack discovery @@ -64714,9 +120370,7 @@ components: description: The unique ID of the attack discovery type: string index: - description: >- - The concrete Elasticsearch index where this attack discovery is - stored + description: The concrete Elasticsearch index where this attack discovery is stored type: string mitre_attack_tactics: description: An optional array of MITRE ATT&CK tactic for the attack discovery 
@@ -64725,13 +120379,9 @@ components: type: array replacements: $ref: '#/components/schemas/Security_Attack_discovery_API_Replacements' - description: >- - Key-value pairs that are used to replace placeholders in the - markdown fields + description: Key-value pairs that are used to replace placeholders in the markdown fields risk_score: - description: >- - The optional, (but typically populated after generation) risk score - of the alert + description: The optional, (but typically populated after generation) risk score of the alert type: integer summary_markdown: description: A markdown summary of attack discovery, using the same syntax @@ -64751,14 +120401,10 @@ components: description: The optional id of the user who generated the attack discovery type: string user_name: - description: >- - The optional username of the user who generated the attack - discovery, (not applicable to attack discoveries generated by rules) + description: The optional username of the user who generated the attack discovery, (not applicable to attack discoveries generated by rules) type: string users: - description: >- - The optional array of users who may view the attack discovery. When - empty, (or not present), all users may view the attack discovery. + description: The optional array of users who may view the attack discovery. When empty, (or not present), all users may view the attack discovery. items: $ref: '#/components/schemas/Security_Attack_discovery_API_User' type: array @@ -64779,8 +120425,7 @@ components: actions: description: The Attack Discovery schedule actions items: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction' type: array created_at: description: The date the schedule was created 
@@ -64796,19 +120441,16 @@ components: description: UUID of Attack Discovery schedule type: string last_execution: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleExecution + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleExecution' description: The Attack Discovery schedule last execution summary name: description: The name of the schedule type: string params: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleParams + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleParams' description: The Attack Discovery schedule configuration parameters schedule: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_IntervalApiSchedule + $ref: '#/components/schemas/Security_Attack_discovery_API_IntervalApiSchedule' description: The Attack Discovery schedule interval updated_at: description: The date the schedule was updated 
@@ -64830,30 +120472,22 @@ components: - actions Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction: oneOf: - - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleGeneralAction - - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleSystemAction + - $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleGeneralAction' + - $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleSystemAction' Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionAlertsFilter: additionalProperties: true type: object Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionFrequency: - description: >- - The action frequency defines when the action runs (for example, only on - schedule execution or at specific time intervals). + description: The action frequency defines when the action runs (for example, only on schedule execution or at specific time intervals). type: object properties: notify_when: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionNotifyWhen + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionNotifyWhen' summary: - description: >- - Action summary indicates whether we will send a summary notification - about all the generate alerts or notification per individual alert + description: Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert type: boolean throttle: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionThrottle + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionThrottle' nullable: true required: - summary 
@@ -64866,9 +120500,7 @@ components: description: The connector ID. type: string Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionNotifyWhen: - description: >- - The condition for throttling the notification: `onActionGroupChange`, - `onActiveAlert`, or `onThrottleInterval` + description: 'The condition for throttling the notification: `onActionGroupChange`, `onActiveAlert`, or `onThrottleInterval`' enum: - onActiveAlert - onThrottleInterval @@ -64876,14 +120508,10 @@ components: type: string Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionParams: additionalProperties: true - description: >- - Object containing the allowed connector fields, which varies according - to the connector type. + description: Object containing the allowed connector fields, which varies according to the connector type. type: object Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionThrottle: - description: >- - Defines how often schedule actions are taken. Time interval in seconds, - minutes, hours, or days. + description: Defines how often schedule actions are taken. Time interval in seconds, minutes, hours, or days. example: 1h pattern: ^[1-9]\d*[smhd]$ type: string @@ -64894,8 +120522,7 @@ components: actions: description: The Attack Discovery schedule actions items: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction' type: array enabled: description: Indicates whether the schedule is enabled 
@@ -64904,12 +120531,10 @@ components: description: The name of the schedule type: string params: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleParams + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleParams' description: The Attack Discovery schedule configuration parameters schedule: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_IntervalApiSchedule + $ref: '#/components/schemas/Security_Attack_discovery_API_IntervalApiSchedule' description: The Attack Discovery schedule interval required: - name @@ -64929,8 +120554,7 @@ components: message: type: string status: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleExecutionStatus + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleExecutionStatus' description: Status of the execution required: - date 
@@ -64952,20 +120576,15 @@ components: description: The action type used for sending notifications. type: string alerts_filter: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionAlertsFilter + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionAlertsFilter' frequency: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionFrequency + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionFrequency' group: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionGroup + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionGroup' id: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionId + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionId' params: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionParams + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionParams' uuid: $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' required: @@ -65015,11 +120634,9 @@ components: description: The action type used for sending notifications. type: string id: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionId + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionId' params: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionParams + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionParams' uuid: $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' required: 
@@ -65033,19 +120650,16 @@ components: actions: description: The Attack Discovery schedule actions items: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction' type: array name: description: The name of the schedule type: string params: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleParams + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleParams' description: The Attack Discovery schedule configuration parameters schedule: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_IntervalApiSchedule + $ref: '#/components/schemas/Security_Attack_discovery_API_IntervalApiSchedule' description: The Attack Discovery schedule interval required: - name @@ -65053,9 +120667,7 @@ components: - schedule - actions Security_Attack_discovery_API_AttackDiscoveryFindSortField: - description: >- - Allowed field names to sort Attack Discovery results by. Clients should - only pass one of the listed values. + description: Allowed field names to sort Attack Discovery results by. Clients should only pass one of the listed values. enum: - '@timestamp' type: string @@ -65063,10 +120675,7 @@ components: type: object properties: alerts_context_count: - description: >- - The number of alerts sent as context (max - kibana.alert.rule.execution.metrics.alert_counts.active) to the LLM - for the generation + description: The number of alerts sent as context (max kibana.alert.rule.execution.metrics.alert_counts.active) to the LLM for the generation type: number connector_id: description: The connector id (event.dataset) for this generation 
@@ -65076,29 +120685,19 @@ components: type: object properties: average_successful_duration_nanoseconds: - description: >- - The average duration (avg event.duration) in nanoseconds of - successful generations for the same connector id, for the - current user + description: The average duration (avg event.duration) in nanoseconds of successful generations for the same connector id, for the current user type: number successful_generations: - description: >- - The number of successful generations for the same connector id, - for the current user + description: The number of successful generations for the same connector id, for the current user type: number discoveries: - description: >- - The number of new Attack discovery alerts (max - kibana.alert.rule.execution.metrics.alert_counts.new) for this - generation + description: The number of new Attack discovery alerts (max kibana.alert.rule.execution.metrics.alert_counts.new) for this generation type: number end: description: When generation ended (max event.end) type: string execution_uuid: - description: >- - The unique identifier (kibana.alert.rule.execution.uuid) for the - generation + description: The unique identifier (kibana.alert.rule.execution.uuid) for the generation type: string loading_message: description: Generation loading message (kibana.alert.rule.execution.status) 
@@ -65129,23 +120728,15 @@ components: type: object properties: alertsIndexPattern: - description: > - The (space specific) index pattern that contains the alerts to use - as - + description: | + The (space specific) index pattern that contains the alerts to use as context for the attack discovery. - Example: .alerts-security.alerts-default type: string anonymizationFields: - description: >- - The list of fields, and whether or not they are anonymized, allowed - to be sent to LLMs. Consider using the output of the - `/api/security_ai_assistant/anonymization_fields/_find` API (for a - specific Kibana space) to provide this value. + description: The list of fields, and whether or not they are anonymized, allowed to be sent to LLMs. Consider using the output of the `/api/security_ai_assistant/anonymization_fields/_find` API (for a specific Kibana space) to provide this value. items: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AnonymizationFieldResponse + $ref: '#/components/schemas/Security_Attack_discovery_API_AnonymizationFieldResponse' type: array apiConfig: $ref: '#/components/schemas/Security_Attack_discovery_API_ApiConfig' @@ -65156,10 +120747,8 @@ components: type: string filter: additionalProperties: true - description: >- - An Elasticsearch-style query DSL object used to filter alerts. For - example: - + description: |- + An Elasticsearch-style query DSL object used to filter alerts. For example: ```json { "filter": { "bool": { 
@@ -65204,10 +120793,7 @@ components: - size - subAction Security_Attack_discovery_API_AttackDiscoveryGenericError: - description: >- - Error response for Attack discovery schedule operations when the request - is rejected. Uses `status_code` (snake_case), `error`, and `message` to - match the implementation. + description: Error response for Attack discovery schedule operations when the request is rejected. Uses `status_code` (snake_case), `error`, and `message` to match the implementation. type: object properties: error: @@ -65232,8 +120818,7 @@ components: type: object properties: id: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_NonEmptyString + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' description: The unique identifier of the failed schedule. name: description: The name of the failed schedule. @@ -65263,13 +120848,10 @@ components: properties: errors: items: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_BulkActionAttackDiscoverySchedulesError + $ref: '#/components/schemas/Security_Attack_discovery_API_BulkActionAttackDiscoverySchedulesError' type: array ids: - description: >- - The unique identifiers of the schedules successfully affected by the - bulk action. + description: The unique identifiers of the schedules successfully affected by the bulk action. items: $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' type: array @@ -65281,9 +120863,7 @@ components: - errors - total Security_Attack_discovery_API_Filters: - description: >- - The filter array used to define the conditions for when alerts are - selected as an Attack Discovery context. Defaults to an empty array. + description: The filter array used to define the conditions for when alerts are selected as an Attack Discovery context. Defaults to an empty array. items: {} type: array Security_Attack_discovery_API_IntervalApiSchedule: 
@@ -65301,9 +120881,7 @@ components: minLength: 1 type: string Security_Attack_discovery_API_NonEmptyTimestamp: - description: >- - A string that represents a timestamp in ISO 8601 format and does not - contain only whitespace characters. + description: A string that represents a timestamp in ISO 8601 format and does not contain only whitespace characters. example: '2023-10-31T12:00:00Z' format: nonempty minLength: 1 @@ -65359,18 +120937,14 @@ components: properties: add: items: - description: >- - A list of user profile `uid`s to assign. Users need to activate - their user profile by logging into Kibana at least once. + description: A list of user profile `uid`s to assign. Users need to activate their user profile by logging into Kibana at least once. format: nonempty minLength: 1 type: string type: array remove: items: - description: >- - A list of user profile `uid`s to unassign. Users need to activate - their user profile by logging into Kibana at least once. + description: A list of user profile `uid`s to unassign. Users need to activate their user profile by logging into Kibana at least once. format: nonempty minLength: 1 type: string 
@@ -65428,29 +121002,22 @@ components: type: object properties: requests_per_second: - description: >- - The throttle for the migration task in sub-requests per second. - Corresponds to requests_per_second on the Reindex API. + description: The throttle for the migration task in sub-requests per second. Corresponds to requests_per_second on the Reindex API. minimum: 1 type: integer size: - description: >- - Number of alerts to migrate per batch. Corresponds to the - source.size option on the Reindex API. + description: Number of alerts to migrate per batch. Corresponds to the source.size option on the Reindex API. minimum: 1 type: integer slices: - description: >- - The number of subtasks for the migration task. Corresponds to slices - on the Reindex API. + description: The number of subtasks for the migration task. Corresponds to slices on the Reindex API. minimum: 1 type: integer Security_Detections_API_AlertsSort: oneOf: - $ref: '#/components/schemas/Security_Detections_API_AlertsSortCombinations' - items: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsSortCombinations + $ref: '#/components/schemas/Security_Detections_API_AlertsSortCombinations' type: array Security_Detections_API_AlertsSortCombinations: anyOf: @@ -65458,9 +121025,7 @@ components: - additionalProperties: true type: object Security_Detections_API_AlertStatusExceptClosed: - description: >- - The status of an alert, which can be `open`, `acknowledged`, - `in-progress`, or `closed`. + description: The status of an alert, which can be `open`, `acknowledged`, `in-progress`, or `closed`. enum: - open - acknowledged 
@@ -65471,21 +121036,18 @@ components: type: object properties: duration: - $ref: >- - #/components/schemas/Security_Detections_API_AlertSuppressionDuration + $ref: '#/components/schemas/Security_Detections_API_AlertSuppressionDuration' group_by: $ref: '#/components/schemas/Security_Detections_API_AlertSuppressionGroupBy' missing_fields_strategy: - $ref: >- - #/components/schemas/Security_Detections_API_AlertSuppressionMissingFieldsStrategy + $ref: '#/components/schemas/Security_Detections_API_AlertSuppressionMissingFieldsStrategy' required: - group_by Security_Detections_API_AlertSuppressionDuration: type: object properties: unit: - $ref: >- - #/components/schemas/Security_Detections_API_AlertSuppressionDurationUnit + $ref: '#/components/schemas/Security_Detections_API_AlertSuppressionDurationUnit' value: minimum: 1 type: integer @@ -65506,28 +121068,21 @@ components: minItems: 1 type: array Security_Detections_API_AlertSuppressionMissingFieldsStrategy: - description: >- - Describes how alerts will be generated for documents with missing - suppress by fields: - + description: |- + Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created - suppress - only alert will be created per suppress by bucket enum: - doNotSuppress - suppress type: string Security_Detections_API_AlertTag: - description: >- - Use alert tags to organize related alerts into categories that you can - filter and group. + description: Use alert tags to organize related alerts into categories that you can filter and group. format: nonempty minLength: 1 type: string Security_Detections_API_AlertTags: - description: >- - List of keywords to organize related alerts into categories that you can - filter and group. + description: List of keywords to organize related alerts into categories that you can filter and group. items: $ref: '#/components/schemas/Security_Detections_API_AlertTag' type: array 
@@ -65542,46 +121097,29 @@ components: - version - count Security_Detections_API_AnomalyThreshold: - description: >- - Anomaly score threshold above which the rule creates an alert. Valid - values are from 0 to 100. + description: Anomaly score threshold above which the rule creates an alert. Valid values are from 0 to 100. minimum: 0 type: integer Security_Detections_API_BuildingBlockType: - description: > - Determines if the rule acts as a building block. If yes, the value must - be `default`. - - By default, building-block alerts are not displayed in the UI. These - rules are used as a foundation for other rules that do generate alerts. - - For more information, refer to [About building block - rules](https://www.elastic.co/docs/solutions/security/detect-and-alert/about-building-block-rules). + description: | + Determines if the rule acts as a building block. If yes, the value must be `default`. + By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. + For more information, refer to [About building block rules](https://www.elastic.co/docs/solutions/security/detect-and-alert/about-building-block-rules). 
type: string Security_Detections_API_BulkActionEditPayload: anyOf: - - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionEditPayloadTags - - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionEditPayloadIndexPatterns - - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionEditPayloadInvestigationFields - - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionEditPayloadTimeline - - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionEditPayloadRuleActions - - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionEditPayloadSchedule - - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionEditPayloadAlertSuppression + - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadTags' + - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadIndexPatterns' + - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadInvestigationFields' + - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadTimeline' + - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadRuleActions' + - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadSchedule' + - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadAlertSuppression' Security_Detections_API_BulkActionEditPayloadAlertSuppression: anyOf: - - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionEditPayloadSetAlertSuppression - - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionEditPayloadSetAlertSuppressionForThreshold - - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionEditPayloadDeleteAlertSuppression + - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadSetAlertSuppression' + - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadSetAlertSuppressionForThreshold' + - $ref: 
'#/components/schemas/Security_Detections_API_BulkActionEditPayloadDeleteAlertSuppression' Security_Detections_API_BulkActionEditPayloadDeleteAlertSuppression: type: object properties: @@ -65592,19 +121130,12 @@ components: required: - type Security_Detections_API_BulkActionEditPayloadIndexPatterns: - description: > + description: | Edits index patterns of rulesClient. - - - `add_index_patterns` adds index patterns to rules. If an index pattern - already exists for a rule, no changes are made. - - - `delete_index_patterns` removes index patterns from rules. If an index - pattern does not exist for a rule, no changes are made. - - - `set_index_patterns` sets index patterns for rules, overwriting any - existing index patterns. If the set of index patterns is the same as the - existing index patterns, no changes are made. + - `add_index_patterns` adds index patterns to rules. If an index pattern already exists for a rule, no changes are made. + - `delete_index_patterns` removes index patterns from rules. If an index pattern does not exist for a rule, no changes are made. + - `set_index_patterns` sets index patterns for rules, overwriting any existing index patterns. If the set of index patterns is the same as the existing index patterns, no changes are made. type: object properties: overwrite_data_views: 
@@ -65622,20 +121153,12 @@ components: - type - value Security_Detections_API_BulkActionEditPayloadInvestigationFields: - description: > + description: | Edits investigation fields of rules. - - - `add_investigation_fields` adds investigation fields to rules. If an - investigation field already exists for a rule, no changes are made. - - - `delete_investigation_fields` removes investigation fields from rules. - If an investigation field does not exist for a rule, no changes are - made. - - - `set_investigation_fields` sets investigation fields for rules. If the - set of investigation fields is the same as the existing investigation - fields, no changes are made. + - `add_investigation_fields` adds investigation fields to rules. If an investigation field already exists for a rule, no changes are made. + - `delete_investigation_fields` removes investigation fields from rules. If an investigation field does not exist for a rule, no changes are made. + - `set_investigation_fields` sets investigation fields for rules. If the set of investigation fields is the same as the existing investigation fields, no changes are made. type: object properties: type: 
@@ -65650,18 +121173,11 @@ components: - type - value Security_Detections_API_BulkActionEditPayloadRuleActions: - description: > + description: | Edits rule actions of rules. - - - `add_rule_actions` adds rule actions to rules. This action is - non-idempotent, meaning that even if the same rule action already exists - for a rule, it will be added again with a new unique ID. - - - `set_rule_actions` sets rule actions for rules. This action is - non-idempotent, meaning that even if the same set of rule actions - already exists for a rule, it will be set again and the actions will - receive new unique IDs. + - `add_rule_actions` adds rule actions to rules. This action is non-idempotent, meaning that even if the same rule action already exists for a rule, it will be added again with a new unique ID. + - `set_rule_actions` sets rule actions for rules. This action is non-idempotent, meaning that even if the same set of rule actions already exists for a rule, it will be set again and the actions will receive new unique IDs. type: object properties: type: 
@@ -65674,30 +121190,22 @@ components: properties: actions: items: - $ref: >- - #/components/schemas/Security_Detections_API_NormalizedRuleAction + $ref: '#/components/schemas/Security_Detections_API_NormalizedRuleAction' type: array throttle: - $ref: >- - #/components/schemas/Security_Detections_API_ThrottleForBulkActions + $ref: '#/components/schemas/Security_Detections_API_ThrottleForBulkActions' required: - actions required: - type - value Security_Detections_API_BulkActionEditPayloadSchedule: - description: > + description: | Overwrites schedule of rules. + - `set_schedule` sets a schedule for rules. If the same schedule already exists for a rule, no changes are made. - - `set_schedule` sets a schedule for rules. If the same schedule already - exists for a rule, no changes are made. - - - Both `interval` and `lookback` have a format of "{integer}{time_unit}", - where accepted time units are `s` for seconds, `m` for minutes, and `h` - for hours. The integer must be positive and larger than 0. Examples: - "45s", "30m", "6h" + Both `interval` and `lookback` have a format of "{integer}{time_unit}", where accepted time units are `s` for seconds, `m` for minutes, and `h` for hours. The integer must be positive and larger than 0. Examples: "45s", "30m", "6h" type: object properties: type: 
@@ -65708,20 +121216,15 @@ components: type: object properties: interval: - description: >- - Interval in which the rule runs. For example, `"1h"` means the - rule runs every hour. + description: Interval in which the rule runs. For example, `"1h"` means the rule runs every hour. example: 1h pattern: ^[1-9]\d*[smh]$ type: string lookback: - description: > + description: | Lookback time for the rules. - - Additional look-back time that the rule analyzes. For example, - "10m" means the rule analyzes the last 10 minutes of data in - addition to the frequency interval. + Additional look-back time that the rule analyzes. For example, "10m" means the rule analyzes the last 10 minutes of data in addition to the frequency interval. example: 1h pattern: ^[1-9]\d*[smh]$ type: string @@ -65751,24 +121254,17 @@ components: - set_alert_suppression_for_threshold type: string value: - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdAlertSuppression + $ref: '#/components/schemas/Security_Detections_API_ThresholdAlertSuppression' required: - type - value Security_Detections_API_BulkActionEditPayloadTags: - description: > + description: | Edits tags of rules. - - - `add_tags` adds tags to rules. If a tag already exists for a rule, no - changes are made. - - - `delete_tags` removes tags from rules. If a tag does not exist for a - rule, no changes are made. - - - `set_tags` sets tags for rules, overwriting any existing tags. If the - set of tags is the same as the existing tags, no changes are made. + - `add_tags` adds tags to rules. If a tag already exists for a rule, no changes are made. + - `delete_tags` removes tags from rules. If a tag does not exist for a rule, no changes are made. + - `set_tags` sets tags for rules, overwriting any existing tags. If the set of tags is the same as the existing tags, no changes are made. type: object properties: type: 
@@ -65783,12 +121279,10 @@ components: - type - value Security_Detections_API_BulkActionEditPayloadTimeline: - description: > + description: | Edits timeline of rules. - - - `set_timeline` sets a timeline for rules. If the same timeline already - exists for a rule, no changes are made. + - `set_timeline` sets a timeline for rules. If the same timeline already exists for a rule, no changes are made. type: object properties: type: @@ -65801,8 +121295,7 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' required: - timeline_id - timeline_title @@ -65833,8 +121326,7 @@ components: skip_reason: oneOf: - $ref: '#/components/schemas/Security_Detections_API_BulkEditSkipReason' - - $ref: >- - #/components/schemas/Security_Detections_API_BulkGapsFillingSkipReason + - $ref: '#/components/schemas/Security_Detections_API_BulkGapsFillingSkipReason' required: - id - skip_reason @@ -65846,14 +121338,10 @@ components: - delete type: string gap_auto_fill_scheduler_id: - description: >- - Gap auto fill scheduler ID used to determine gap fill status for - rules + description: Gap auto fill scheduler ID used to determine gap fill status for rules type: string gap_fill_statuses: - description: >- - Gap fill statuses to filter rules with gaps by status (used together - with gaps_range_*). + description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*). items: $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' type: array 
@@ -65864,10 +121352,8 @@ components: description: Gaps range start, valid only when query is provided type: string ids: - description: > - Array of rule `id`s to which a bulk action will be applied. Do not - use rule's `rule_id` here. - + description: | + Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here. Only valid when query property is undefined. items: type: string @@ -65886,14 +121372,10 @@ components: - disable type: string gap_auto_fill_scheduler_id: - description: >- - Gap auto fill scheduler ID used to determine gap fill status for - rules + description: Gap auto fill scheduler ID used to determine gap fill status for rules type: string gap_fill_statuses: - description: >- - Gap fill statuses to filter rules with gaps by status (used together - with gaps_range_*). + description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*). items: $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' type: array @@ -65904,10 +121386,8 @@ components: description: Gaps range start, valid only when query is provided type: string ids: - description: > - Array of rule `id`s to which a bulk action will be applied. Do not - use rule's `rule_id` here. - + description: | + Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here. Only valid when query property is undefined. items: type: string 
@@ -65939,14 +121419,10 @@ components: - include_exceptions - include_expired_exceptions gap_auto_fill_scheduler_id: - description: >- - Gap auto fill scheduler ID used to determine gap fill status for - rules + description: Gap auto fill scheduler ID used to determine gap fill status for rules type: string gap_fill_statuses: - description: >- - Gap fill statuses to filter rules with gaps by status (used together - with gaps_range_*). + description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*). items: $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' type: array @@ -65957,10 +121433,8 @@ components: description: Gaps range start, valid only when query is provided type: string ids: - description: > - Array of rule `id`s to which a bulk action will be applied. Do not - use rule's `rule_id` here. - + description: | + Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here. Only valid when query property is undefined. items: type: string @@ -65979,15 +121453,12 @@ components: properties: errors: items: - $ref: >- - #/components/schemas/Security_Detections_API_NormalizedRuleError + $ref: '#/components/schemas/Security_Detections_API_NormalizedRuleError' type: array results: - $ref: >- - #/components/schemas/Security_Detections_API_BulkEditActionResults + $ref: '#/components/schemas/Security_Detections_API_BulkEditActionResults' summary: - $ref: >- - #/components/schemas/Security_Detections_API_BulkEditActionSummary + $ref: '#/components/schemas/Security_Detections_API_BulkEditActionSummary' required: - results - summary 
@@ -66026,13 +121497,7 @@ components: - deleted - skipped Security_Detections_API_BulkEditActionSummary: - description: >- - A rule can only be skipped when the bulk action to be performed on it - results in nothing being done. For example, if the `edit` action is used - to add a tag to a rule that already has that tag, or to delete an index - pattern that is not specified in a rule. Objects returned in - `attributes.results.skipped` will only include rules' `id`, `name`, and - `skip_reason`. + description: A rule can only be skipped when the bulk action to be performed on it results in nothing being done. For example, if the `edit` action is used to add a tag to a rule that already has that tag, or to delete an index pattern that is not specified in a rule. Objects returned in `attributes.results.skipped` will only include rules' `id`, `name`, and `skip_reason`. type: object properties: failed: @@ -66062,14 +121527,10 @@ components: minItems: 1 type: array gap_auto_fill_scheduler_id: - description: >- - Gap auto fill scheduler ID used to determine gap fill status for - rules + description: Gap auto fill scheduler ID used to determine gap fill status for rules type: string gap_fill_statuses: - description: >- - Gap fill statuses to filter rules with gaps by status (used together - with gaps_range_*). + description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*). items: $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' type: array @@ -66080,10 +121541,8 @@ components: description: Gaps range start, valid only when query is provided type: string ids: - description: > - Array of rule `id`s to which a bulk action will be applied. Do not - use rule's `rule_id` here. - + description: | + Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here. Only valid when query property is undefined. items: type: string 
@@ -66107,14 +121566,10 @@ components: - enable type: string gap_auto_fill_scheduler_id: - description: >- - Gap auto fill scheduler ID used to determine gap fill status for - rules + description: Gap auto fill scheduler ID used to determine gap fill status for rules type: string gap_fill_statuses: - description: >- - Gap fill statuses to filter rules with gaps by status (used together - with gaps_range_*). + description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*). items: $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' type: array @@ -66125,10 +121580,8 @@ components: description: Gaps range start, valid only when query is provided type: string ids: - description: > - Array of rule `id`s to which a bulk action will be applied. Do not - use rule's `rule_id` here. - + description: | + Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here. Only valid when query property is undefined. items: type: string @@ -66149,14 +121602,10 @@ components: - export type: string gap_auto_fill_scheduler_id: - description: >- - Gap auto fill scheduler ID used to determine gap fill status for - rules + description: Gap auto fill scheduler ID used to determine gap fill status for rules type: string gap_fill_statuses: - description: >- - Gap fill statuses to filter rules with gaps by status (used together - with gaps_range_*). + description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*). items: $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' type: array 
@@ -66167,10 +121616,8 @@ components: description: Gaps range start, valid only when query is provided type: string ids: - description: > - Array of rule `id`s to which a bulk action will be applied. Do not - use rule's `rule_id` here. - + description: | + Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here. Only valid when query property is undefined. items: type: string @@ -66193,9 +121640,7 @@ components: - fill_gaps type: string fill_gaps: - description: >- - Object that describes applying a manual gap fill action for the - specified time range. + description: Object that describes applying a manual gap fill action for the specified time range. type: object properties: end_date: @@ -66208,14 +121653,10 @@ components: - start_date - end_date gap_auto_fill_scheduler_id: - description: >- - Gap auto fill scheduler ID used to determine gap fill status for - rules + description: Gap auto fill scheduler ID used to determine gap fill status for rules type: string gap_fill_statuses: - description: >- - Gap fill statuses to filter rules with gaps by status (used together - with gaps_range_*). + description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*). items: $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' type: array @@ -66226,10 +121667,8 @@ components: description: Gaps range start, valid only when query is provided type: string ids: - description: > - Array of rule `id`s to which a bulk action will be applied. Do not - use rule's `rule_id` here. - + description: | + Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here. Only valid when query property is undefined. items: type: string 
@@ -66249,14 +121688,10 @@ components: - run type: string gap_auto_fill_scheduler_id: - description: >- - Gap auto fill scheduler ID used to determine gap fill status for - rules + description: Gap auto fill scheduler ID used to determine gap fill status for rules type: string gap_fill_statuses: - description: >- - Gap fill statuses to filter rules with gaps by status (used together - with gaps_range_*). + description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*). items: $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' type: array @@ -66267,10 +121702,8 @@ components: description: Gaps range start, valid only when query is provided type: string ids: - description: > - Array of rule `id`s to which a bulk action will be applied. Do not - use rule's `rule_id` here. - + description: | + Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here. Only valid when query property is undefined. items: type: string @@ -66301,9 +121734,7 @@ components: reason: $ref: '#/components/schemas/Security_Detections_API_Reason' signal_ids: - description: >- - List of alert ids. Use field `_id` on alert document or - `kibana.alert.uuid`. Note: signals are a deprecated term for alerts. + description: 'List of alert ids. Use field `_id` on alert document or `kibana.alert.uuid`. Note: signals are a deprecated term for alerts.' items: format: nonempty minLength: 1 @@ -66366,9 +121797,7 @@ components: - items: type: string type: array - description: >- - Map Osquery results columns or static values to Elastic Common Schema - (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}} + description: 'Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}' type: object Security_Detections_API_EndpointResponseAction: type: object 
@@ -66428,18 +121857,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -66453,8 +121878,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -66470,35 +121894,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -66525,13 +121938,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -66570,18 +121981,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -66595,8 +122002,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -66612,35 +122018,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -66669,13 +122064,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -66706,18 +122099,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -66731,12 +122120,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
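Review bot: The `id` property's `$ref` changes from `'#/components/schemas/Security_Detections_API_RuleObjectId'` to `'#/components/schemas/Security_Detections_API_UUID'` in this hunk, and the same substitution appears in the hunks at `@@ -66853` and `@@ -67275` below; the commit subject covers only adding `meta: { id }` to Fleet schemas and everything else in this file section is a reflow of block scalars into single-line strings, so a renamed schema reference in the Security Detections section reads as a regeneration side effect rather than an intended edit. If this bundle is generated, the source of the rename (presumably a schema whose new meta id replaces its previously generated name) should be confirmed, and `Security_Detections_API_UUID` should be verified to exist under `components.schemas` so the reference does not dangle; consumers keyed on the old `RuleObjectId` name would otherwise see a silent documented-type change. The enclosing schema object starts and ends outside the hunk.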
@@ -66750,35 +122138,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -66807,13 +122184,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -66828,18 +122203,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -66853,12 +122224,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -66872,35 +122242,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -66929,13 +122288,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -66982,18 +122339,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -67007,8 +122360,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -67024,35 +122376,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -67079,13 +122420,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -67124,18 +122463,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -67149,8 +122484,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -67166,35 +122500,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -67223,13 +122546,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -67250,18 +122571,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -67275,12 +122592,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: @@ -67296,13 +122612,11 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' query: 
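Review bot: The `id` property in this patch-props schema now references `Security_Detections_API_UUID` instead of `Security_Detections_API_RuleObjectId`, and that is the one semantic change inside hunks that otherwise only re-fold YAML scalars; the same swap recurs in the hunks headed `@@ -67422,12 +122721,11 @@`, `@@ -68022,12 +123231,11 @@` and `@@ -68163,12 +123351,11 @@`. Neither schema's definition is visible in this chunk, so if `RuleObjectId` carried a description or a stricter `format` than the bare `UUID` schema, consumers of the generated reference lose that detail for the identifier that selects which rule a PATCH modifies; if the two are equivalent the change is harmless, but it is worth confirming rather than letting it ride in a reformatting regeneration. A contract change of this kind is easier to review when separated from the whitespace-only churn, presumably by regenerating from its own source commit.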
@@ -67310,23 +122624,14 @@ components: references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: @@ -67355,13 +122660,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' type: 
@@ -67397,18 +122700,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -67422,12 +122721,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -67441,35 +122739,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -67498,13 +122785,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -67530,9 +122815,7 @@ components: - endpoint_blocklists type: string Security_Detections_API_ExternalRuleCustomizedFields: - description: >- - An array of customized field names — that is, fields that the user has - modified from their base value. Defaults to an empty array. + description: An array of customized field names — that is, fields that the user has modified from their base value. Defaults to an empty array. items: type: object properties: 
@@ -67543,27 +122826,18 @@ components: - field_name type: array Security_Detections_API_ExternalRuleHasBaseVersion: - description: >- - Determines whether an external/prebuilt rule has its original, - unmodified version present when the calculation of its customization - status is performed (`rule_source.is_customized` and - `rule_source.customized_fields`). + description: Determines whether an external/prebuilt rule has its original, unmodified version present when the calculation of its customization status is performed (`rule_source.is_customized` and `rule_source.customized_fields`). type: boolean Security_Detections_API_ExternalRuleSource: - description: >- - Type of rule source for externally sourced rules, i.e. rules that have - an external source, such as the Elastic Prebuilt rules repo. + description: Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo. type: object properties: customized_fields: - $ref: >- - #/components/schemas/Security_Detections_API_ExternalRuleCustomizedFields + $ref: '#/components/schemas/Security_Detections_API_ExternalRuleCustomizedFields' has_base_version: - $ref: >- - #/components/schemas/Security_Detections_API_ExternalRuleHasBaseVersion + $ref: '#/components/schemas/Security_Detections_API_ExternalRuleHasBaseVersion' is_customized: - $ref: >- - #/components/schemas/Security_Detections_API_IsExternalRuleCustomized + $ref: '#/components/schemas/Security_Detections_API_IsExternalRuleCustomized' type: enum: - external 
@@ -67598,12 +122872,7 @@ components: - error type: string Security_Detections_API_HistoryWindowStart: - description: >- - Start date to use when checking if a term has been seen before. Supports - relative dates – for example, now-30d will search the last 30 days of - data when checking if a term is new. We do not recommend using absolute - dates, which can cause issues with rule performance due to querying - increasing amounts of data over time. + description: Start date to use when checking if a term has been seen before. Supports relative dates – for example, now-30d will search the last 30 days of data when checking if a term is new. We do not recommend using absolute dates, which can cause issues with rule performance due to querying increasing amounts of data over time. format: nonempty minLength: 1 type: string @@ -67631,21 +122900,15 @@ components: - migrations - is_outdated Security_Detections_API_IndexPatternArray: - description: > - Indices on which the rule functions. Defaults to the Security Solution - indices defined on the Kibana Advanced Settings page (Kibana → Stack - Management → Advanced Settings → `securitySolution:defaultIndex`). - + description: | + Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings → `securitySolution:defaultIndex`). > info - > This field is not supported for ES|QL rules. items: type: string type: array Security_Detections_API_InternalRuleSource: - description: >- - Type of rule source for internally sourced rules, i.e. created within - the Kibana apps. + description: Type of rule source for internally sourced rules, i.e. created within the Kibana apps. type: object properties: type: 
@@ -67655,12 +122918,9 @@ components: required: - type Security_Detections_API_InvestigationFields: - description: > - Schema for fields relating to investigation fields. These are user - defined fields we use to highlight - - in various features in the UI such as alert details flyout and - exceptions auto-population from alert. + description: | + Schema for fields relating to investigation fields. These are user defined fields we use to highlight + in various features in the UI such as alert details flyout and exceptions auto-population from alert. type: object properties: field_names: @@ -67674,19 +122934,14 @@ components: description: Notes to help investigate alerts produced by the rule. type: string Security_Detections_API_IsExternalRuleCustomized: - description: >- - Determines whether an external/prebuilt rule has been customized by the - user (i.e. any of its fields have been modified and diverged from the - base value). + description: Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value). type: boolean Security_Detections_API_IsRuleEnabled: description: Determines whether the rule is enabled. Defaults to true. type: boolean Security_Detections_API_IsRuleImmutable: deprecated: true - description: >- - This field determines whether the rule is a prebuilt Elastic rule. It - will be replaced with the `rule_source` field. + description: This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the `rule_source` field. type: boolean Security_Detections_API_ItemsPerSearch: minimum: 1 
@@ -67709,18 +122964,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -67734,8 +122985,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -67751,35 +123001,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -67806,13 +123045,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: 
@@ -67841,31 +123078,24 @@ components: - related_integrations - required_fields - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleResponseFields + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleResponseFields' Security_Detections_API_MachineLearningRuleCreateFields: allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleRequiredFields' + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields' Security_Detections_API_MachineLearningRuleCreateProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -67879,8 +123109,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -67896,35 +123125,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -67953,13 +123171,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -67969,8 +123185,7 @@ components: - description - risk_score - severity - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleCreateFields + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleCreateFields' Security_Detections_API_MachineLearningRuleOptionalFields: type: object properties: 
@@ -67983,32 +123198,26 @@ components: anomaly_threshold: $ref: '#/components/schemas/Security_Detections_API_AnomalyThreshold' machine_learning_job_id: - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningJobId + $ref: '#/components/schemas/Security_Detections_API_MachineLearningJobId' type: description: Rule type enum: - machine_learning type: string - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields' Security_Detections_API_MachineLearningRulePatchProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -68022,12 +123231,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -68041,35 +123249,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -68098,19 +123295,16 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRulePatchFields + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRulePatchFields' Security_Detections_API_MachineLearningRuleRequiredFields: type: object properties: 
@@ -68129,27 +123323,21 @@ components: - anomaly_threshold Security_Detections_API_MachineLearningRuleResponseFields: allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleRequiredFields' + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields' Security_Detections_API_MachineLearningRuleUpdateProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -68163,12 +123351,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -68182,35 +123369,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -68239,13 +123415,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: 
@@ -68255,25 +123429,13 @@ components: - description - risk_score - severity - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleCreateFields + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleCreateFields' Security_Detections_API_MaxSignals: default: 100 - description: > - Maximum number of alerts the rule can create during a single run (the - rule’s Max alerts per run [advanced - setting](https://www.elastic.co/docs/solutions/security/detect-and-alert/create-detection-rule#rule-ui-advanced-params) - value). - + description: | + Maximum number of alerts the rule can create during a single run (the rule’s Max alerts per run [advanced setting](https://www.elastic.co/docs/solutions/security/detect-and-alert/create-detection-rule#rule-ui-advanced-params) value). > info - - > This setting can be superseded by the [Kibana configuration - setting](https://www.elastic.co/docs/reference/kibana/configuration-reference/alerting-settings) - `xpack.alerting.rules.run.alerts.max`, which determines the maximum - alerts generated by any rule in the Kibana alerting framework. For - example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, the - rule can generate no more than 1000 alerts even if `max_signals` is set - higher. + > This setting can be superseded by the [Kibana configuration setting](https://www.elastic.co/docs/reference/kibana/configuration-reference/alerting-settings) `xpack.alerting.rules.run.alerts.max`, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, the rule can generate no more than 1000 alerts even if `max_signals` is set higher. minimum: 1 type: integer Security_Detections_API_MigrationCleanupResult: 
@@ -68386,18 +123548,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -68411,8 +123569,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -68428,35 +123585,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -68483,13 +123629,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: 
@@ -68518,33 +123662,25 @@ components: - related_integrations - required_fields - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleResponseFields + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleResponseFields' Security_Detections_API_NewTermsRuleCreateFields: allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleDefaultableFields + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleRequiredFields' + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields' + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleDefaultableFields' Security_Detections_API_NewTermsRuleCreateProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -68558,8 +123694,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -68575,35 +123710,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -68632,13 +123756,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -68648,8 +123770,7 @@ components: - description - risk_score - severity - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleCreateFields + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateFields' Security_Detections_API_NewTermsRuleDefaultableFields: type: object properties: 
@@ -68681,27 +123802,21 @@ components: enum: - new_terms type: string - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleDefaultableFields + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields' + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleDefaultableFields' Security_Detections_API_NewTermsRulePatchProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -68715,12 +123830,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -68734,35 +123848,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -68791,13 +123894,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -68824,10 +123925,8 @@ components: - history_window_start Security_Detections_API_NewTermsRuleResponseFields: allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleRequiredFields' + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields' - type: object properties: language: 
@@ -68839,18 +123938,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -68864,12 +123959,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -68883,35 +123977,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -68940,13 +124023,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -68956,8 +124037,7 @@ components: - description - risk_score - severity - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleCreateFields + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateFields' Security_Detections_API_NonEmptyString: description: A string that does not contain only whitespace characters format: nonempty @@ -68984,8 +124064,7 @@ components: type: object properties: err_code: - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionsDryRunErrCode + $ref: '#/components/schemas/Security_Detections_API_BulkActionsDryRunErrCode' message: type: string rules: 
@@ -69004,31 +124083,20 @@ components: ecs_mapping: $ref: '#/components/schemas/Security_Detections_API_EcsMapping' pack_id: - description: >- - To specify a query pack, use the packId field. Example: "packId": - "processes_elastic" + description: 'To specify a query pack, use the packId field. Example: "packId": "processes_elastic"' type: string queries: items: $ref: '#/components/schemas/Security_Detections_API_OsqueryQuery' type: array query: - description: >- - To run a single query, use the query field and enter a SQL query. - Example: "query": "SELECT * FROM processes;" + description: 'To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"' type: string saved_query_id: - description: >- - To run a saved query, use the saved_query_id field and specify the - saved query ID. Example: "saved_query_id": "processes_elastic" + description: 'To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"' type: string timeout: - description: >- - A timeout period, in seconds, after which the query will stop - running. Overwriting the default timeout allows you to support - queries that require more time to complete. The default and minimum - supported value is 60. The maximum supported value is 900. Example: - "timeout": 120. + description: 'A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.' type: number Security_Detections_API_OsqueryQuery: type: object 
@@ -69082,18 +124150,13 @@ components: type: object properties: command: - description: >- - To run an endpoint response action, specify a value for the command - field. Example: "command": "isolate" + description: 'To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"' enum: - kill-process - suspend-process type: string comment: - description: >- - Add a note that explains or describes the action. You can find your - comment in the response actions history log. Example: "comment": - "Check processes" + description: 'Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"' type: string config: type: object @@ -69145,18 +124208,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -69170,8 +124229,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -69187,35 +124245,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -69242,13 +124289,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -69282,25 +124327,20 @@ components: allOf: - $ref: '#/components/schemas/Security_Detections_API_QueryRuleRequiredFields' - $ref: '#/components/schemas/Security_Detections_API_QueryRuleOptionalFields' - - $ref: >- - #/components/schemas/Security_Detections_API_QueryRuleDefaultableFields + - $ref: '#/components/schemas/Security_Detections_API_QueryRuleDefaultableFields' Security_Detections_API_QueryRuleCreateProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -69314,8 +124354,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -69331,35 +124370,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -69388,13 +124416,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -69435,25 +124461,20 @@ components: - query type: string - $ref: '#/components/schemas/Security_Detections_API_QueryRuleOptionalFields' - - $ref: >- - #/components/schemas/Security_Detections_API_QueryRuleDefaultableFields + - $ref: '#/components/schemas/Security_Detections_API_QueryRuleDefaultableFields' Security_Detections_API_QueryRulePatchProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -69467,12 +124488,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -69486,35 +124506,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -69543,13 +124552,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -69583,18 +124590,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -69608,12 +124611,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -69627,35 +124629,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -69684,13 +124675,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -69702,11 +124691,7 @@ components: - severity - $ref: '#/components/schemas/Security_Detections_API_QueryRuleCreateFields' Security_Detections_API_Reason: - description: >- - The reason for closing the alerts. Can be one of following predefined - reasons: [false_positive, duplicate, true_positive, benign_positive, - automated_closure, other] or a custom reason provided by the user - through the advanced settings. + description: 'The reason for closing the alerts. Can be one of following predefined reasons: [false_positive, duplicate, true_positive, benign_positive, automated_closure, other] or a custom reason provided by the user through the advanced settings.' oneOf: - $ref: '#/components/schemas/Security_Detections_API_ReasonEnum' - type: string 
@@ -69720,45 +124705,23 @@ components: - other type: string Security_Detections_API_RelatedIntegration: - description: > - Related integration is a potential dependency of a rule. It's assumed - that if the user installs - - one of the related integrations of a rule, the rule might start to work - properly because it will - - have source events (generated by this integration) potentially matching - the rule's query. - - - NOTE: Proper work is not guaranteed, because a related integration, if - installed, can be - - configured differently or generate data that is not necessarily relevant - for this rule. - - - Related integration is a combination of a Fleet package and (optionally) - one of the + description: | + Related integration is a potential dependency of a rule. It's assumed that if the user installs + one of the related integrations of a rule, the rule might start to work properly because it will + have source events (generated by this integration) potentially matching the rule's query. - package's "integrations" that this package contains. It is represented - by 3 properties: + NOTE: Proper work is not guaranteed, because a related integration, if installed, can be + configured differently or generate data that is not necessarily relevant for this rule. + Related integration is a combination of a Fleet package and (optionally) one of the + package's "integrations" that this package contains. It is represented by 3 properties: - `package`: name of the package (required, unique id) - - `version`: version of the package (required, semver-compatible) + - `integration`: name of the integration of this package (optional, id within the package) - - `integration`: name of the integration of this package (optional, id - within the package) - - - There are Fleet packages like `windows` that contain only one - integration; in this case, - - `integration` should be unspecified. 
There are also packages like `aws` - and `azure` that contain - + There are Fleet packages like `windows` that contain only one integration; in this case, + `integration` should be unspecified. There are also packages like `aws` and `azure` that contain several integrations; in this case, `integration` should be specified. example: integration: activitylogs @@ -69780,35 +124743,23 @@ components: $ref: '#/components/schemas/Security_Detections_API_RelatedIntegration' type: array Security_Detections_API_RequiredField: - description: > - Describes an Elasticsearch field that is needed for the rule to - function. - - - Almost all types of Security rules check source event documents for a - match to some kind of - - query or filter. If a document has certain field with certain values, - then it's a match and + description: | + Describes an Elasticsearch field that is needed for the rule to function. + Almost all types of Security rules check source event documents for a match to some kind of + query or filter. If a document has certain field with certain values, then it's a match and the rule will generate an alert. - - Required field is an event field that must be present in the source - indices of a given rule. - + Required field is an event field that must be present in the source indices of a given rule. @example - const standardEcsField: RequiredField = { name: 'event.action', type: 'keyword', ecs: true, }; - @example - const nonEcsField: RequiredField = { name: 'winlog.event_data.AttributeLDAPDisplayName', type: 'keyword', 
@@ -69817,10 +124768,7 @@ components: type: object properties: ecs: - description: >- - Indicates whether the field is ECS-compliant. This property is only - present in responses. Its value is computed based on field’s name - and type. + description: Indicates whether the field is ECS-compliant. This property is only present in responses. Its value is computed based on field’s name and type. type: boolean name: description: Name of an Elasticsearch field @@ -69841,10 +124789,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RequiredField' type: array Security_Detections_API_RequiredFieldInput: - description: >- - Input parameters to create a RequiredField. Does not include the `ecs` - field, because `ecs` is calculated on the backend based on the field - name and type. + description: Input parameters to create a RequiredField. Does not include the `ecs` field, because `ecs` is calculated on the backend based on the field name and type. type: object properties: name: @@ -69880,7 +124825,7 @@ components: execution_summary: $ref: '#/components/schemas/Security_Detections_API_RuleExecutionSummary' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' immutable: $ref: '#/components/schemas/Security_Detections_API_IsRuleImmutable' required_fields: @@ -69919,9 +124864,7 @@ components: minimum: 0 type: integer Security_Detections_API_RiskScoreMapping: - description: >- - Overrides generated alerts' risk_score with a value from the source - event + description: Overrides generated alerts' risk_score with a value from the source event items: type: object properties: 
@@ -69984,34 +124927,27 @@ components: - params Security_Detections_API_RuleActionAlertsFilter: additionalProperties: true - description: > + description: | Object containing an action’s conditional filters. - - - `timeframe` (object, optional): Object containing the time frame for - when this action can be run. + - `timeframe` (object, optional): Object containing the time frame for when this action can be run. - `days` (array of integers, required): List of days of the week on which this action will be run. Days of the week are expressed as numbers between `1-7`, where `1` is Monday and `7` is Sunday. To select all days of the week, enter an empty array. - `hours` (object, required): The hours of the day during which this action will run. Hours of the day are expressed as two strings in the format `hh:mm` in `24` hour time. A start of `00:00` and an end of `24:00` means the action can run all day. - start (string, required): Start time in `hh:mm` format. - end (string, required): End time in `hh:mm` format. - `timezone` (string, required): An ISO timezone name, such as `Europe/Madrid` or `America/New_York`. Specific offsets such as `UTC` or `UTC+1` will also work, but lack built-in DST. - - `query` (object, optional): Object containing a query filter which - gets applied to an action and determines whether the action should run. + - `query` (object, optional): Object containing a query filter which gets applied to an action and determines whether the action should run. - `kql` (string, required): A KQL string. - `filters` (array of objects, required): Array of filter objects, as defined in the `kbn-es-query` package. type: object Security_Detections_API_RuleActionFrequency: - description: >- - The action frequency defines when the action runs (for example, only on - rule execution or at specific time intervals). + description: The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals). 
type: object properties: notifyWhen: $ref: '#/components/schemas/Security_Detections_API_RuleActionNotifyWhen' summary: - description: >- - Action summary indicates whether we will send a summary notification - about all the generate alerts or notification per individual alert + description: Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert type: boolean throttle: $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' @@ -70021,9 +124957,7 @@ components: - notifyWhen - throttle Security_Detections_API_RuleActionGroup: - description: >- - Optionally groups actions by use cases. Use `default` for alert - notifications. + description: Optionally groups actions by use cases. Use `default` for alert notifications. type: string Security_Detections_API_RuleActionId: description: The connector ID. @@ -70037,10 +124971,8 @@ components: type: string Security_Detections_API_RuleActionParams: additionalProperties: true - description: > - Object containing the allowed connector fields, which varies according - to the connector type. - + description: | + Object containing the allowed connector fields, which varies according to the connector type. For Slack: 
@@ -70088,30 +125020,22 @@ components: anyOf: - $ref: '#/components/schemas/Security_Detections_API_EqlRuleCreateProps' - $ref: '#/components/schemas/Security_Detections_API_QueryRuleCreateProps' - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleCreateProps + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleCreateProps' + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleCreateProps' + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleCreateProps' + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleCreateProps' - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateProps' - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleCreateProps' discriminator: mapping: eql: '#/components/schemas/Security_Detections_API_EqlRuleCreateProps' esql: '#/components/schemas/Security_Detections_API_EsqlRuleCreateProps' - machine_learning: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleCreateProps + machine_learning: '#/components/schemas/Security_Detections_API_MachineLearningRuleCreateProps' new_terms: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateProps' query: '#/components/schemas/Security_Detections_API_QueryRuleCreateProps' - saved_query: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleCreateProps - threat_match: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleCreateProps - threshold: >- - #/components/schemas/Security_Detections_API_ThresholdRuleCreateProps + saved_query: '#/components/schemas/Security_Detections_API_SavedQueryRuleCreateProps' + threat_match: 
'#/components/schemas/Security_Detections_API_ThreatMatchRuleCreateProps' + threshold: '#/components/schemas/Security_Detections_API_ThresholdRuleCreateProps' propertyName: type Security_Detections_API_RuleDescription: description: The rule’s description. @@ -70128,11 +125052,8 @@ components: required: - id Security_Detections_API_RuleExceptionList: - description: > - Array of [exception - containers](https://www.elastic.co/docs/solutions/security/detect-and-alert/detection-rule-concepts), - which define exceptions that prevent the rule from generating alerts - even when its other criteria are met. + description: | + Array of [exception containers](https://www.elastic.co/docs/solutions/security/detect-and-alert/detection-rule-concepts), which define exceptions that prevent the rule from generating alerts even when its other criteria are met. type: object properties: id: @@ -70166,10 +125087,7 @@ components: minimum: 0 type: integer frozen_indices_queried_count: - description: >- - Count of frozen indices queried during the rule execution. These - indices could not be entirely excluded after applying the time range - filter. + description: Count of frozen indices queried during the rule execution. These indices could not be entirely excluded after applying the time range filter. minimum: 0 type: integer gap_range: @@ -70190,9 +125108,7 @@ components: type: object properties: type: - description: >- - The type of reason for the gap (rule_disabled or - rule_did_not_run) + description: The type of reason for the gap (rule_disabled or rule_did_not_run) enum: - rule_disabled - rule_did_not_run 
@@ -70200,50 +125116,25 @@ components: required: - type total_enrichment_duration_ms: - description: >- - Total time spent enriching documents during current rule execution - cycle + description: Total time spent enriching documents during current rule execution cycle minimum: 0 type: integer total_indexing_duration_ms: - description: >- - Total time spent indexing documents during current rule execution - cycle + description: Total time spent indexing documents during current rule execution cycle minimum: 0 type: integer total_search_duration_ms: - description: >- - Total time spent performing ES searches as measured by Kibana; - includes network latency and time spent serializing/deserializing - request/response + description: Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response minimum: 0 type: integer Security_Detections_API_RuleExecutionStatus: - description: >- - Custom execution status of Security rules that is different from the - status used in the Alerting Framework. We merge our custom status with - the Framework's status to determine the resulting status of a rule. - - - going to run - @deprecated Replaced by the 'running' status but left - for backwards compatibility with rule execution events already written - to Event Log in the prior versions of Kibana. Don't use when writing - rule status changes. - - - running - Rule execution started but not reached any intermediate or - final status. - - - partial failure - Rule can partially fail for various reasons either - in the middle of an execution (in this case we update its status right - away) or in the end of it. So currently this status can be both - intermediate and final at the same time. A typical reason for a partial - failure: not all the indices that the rule searches over actually exist. 
- - - failed - Rule failed to execute due to unhandled exception or a reason - defined in the business logic of its executor function. - - - succeeded - Rule executed successfully without any issues. Note: this - status is just an indication of a rule's "health". The rule might or - might not generate any alerts despite of it. + description: |- + Custom execution status of Security rules that is different from the status used in the Alerting Framework. We merge our custom status with the Framework's status to determine the resulting status of a rule. + - going to run - @deprecated Replaced by the 'running' status but left for backwards compatibility with rule execution events already written to Event Log in the prior versions of Kibana. Don't use when writing rule status changes. + - running - Rule execution started but not reached any intermediate or final status. + - partial failure - Rule can partially fail for various reasons either in the middle of an execution (in this case we update its status right away) or in the end of it. So currently this status can be both intermediate and final at the same time. A typical reason for a partial failure: not all the indices that the rule searches over actually exist. + - failed - Rule failed to execute due to unhandled exception or a reason defined in the business logic of its executor function. + - succeeded - Rule executed successfully without any issues. Note: this status is just an indication of a rule's "health". The rule might or might not generate any alerts despite of it. enum: - going to run - running 
@@ -70270,14 +125161,12 @@ components: message: type: string metrics: - $ref: >- - #/components/schemas/Security_Detections_API_RuleExecutionMetrics + $ref: '#/components/schemas/Security_Detections_API_RuleExecutionMetrics' status: $ref: '#/components/schemas/Security_Detections_API_RuleExecutionStatus' description: Status of the last execution status_order: - $ref: >- - #/components/schemas/Security_Detections_API_RuleExecutionStatusOrder + $ref: '#/components/schemas/Security_Detections_API_RuleExecutionStatusOrder' required: - date - status 
@@ -70287,33 +125176,22 @@ components: required: - last_execution Security_Detections_API_RuleFalsePositiveArray: - description: >- - String array used to describe common reasons why the rule may issue - false-positive alerts. Defaults to an empty array. + description: String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array. items: type: string type: array Security_Detections_API_RuleFilterArray: - description: > - The query and filter context array used to define the conditions for - when alerts are created from events. Defaults to an empty array. - + description: | + The query and filter context array used to define the conditions for when alerts are created from events. Defaults to an empty array. > info - > This field is not supported for ES|QL rules. items: {} type: array Security_Detections_API_RuleInterval: - description: >- - Frequency of rule execution, using a date math range. For example, "1h" - means the rule runs every hour. Defaults to 5m (5 minutes). + description: Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes). type: string Security_Detections_API_RuleIntervalFrom: - description: >- - Time from which data is analyzed each time the rule runs, using a date - math range. For example, now-4200s means the rule analyzes data from 70 - minutes before its start time. Defaults to now-6m (analyzes data from 6 - minutes before the start time). + description: Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time). format: date-math type: string Security_Detections_API_RuleIntervalTo: 
@@ -70323,13 +125201,10 @@ components: type: string Security_Detections_API_RuleMetadata: additionalProperties: true - description: > + description: | Placeholder for metadata about the rule. - > info - - > This field is overwritten when you save changes to the rule’s - settings. + > This field is overwritten when you save changes to the rule’s settings. type: object Security_Detections_API_RuleName: description: A human-readable name for the rule. 
@@ -70337,31 +125212,19 @@ components: minLength: 1 type: string Security_Detections_API_RuleNameOverride: - description: >- - Sets which field in the source event is used to populate the alert's - `signal.rule.name` value (in the UI, this value is displayed on the - Rules page in the Rule column). When unspecified, the rule’s `name` - value is used. The source field must be a string data type. + description: Sets which field in the source event is used to populate the alert's `signal.rule.name` value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s `name` value is used. The source field must be a string data type. type: string Security_Detections_API_RuleObjectId: $ref: '#/components/schemas/Security_Detections_API_UUID' - description: >- - A dynamic unique identifier for the rule object. It is randomly - generated when a rule is created and cannot be changed after that. It is - always a UUID. It is unique within a given Kibana space. The same - prebuilt Elastic rule, when installed in two different Kibana spaces or - two different Elastic environments, will have different object `id`s. + description: A dynamic unique identifier for the rule object. It is randomly generated when a rule is created and cannot be changed after that. It is always a UUID. It is unique within a given Kibana space. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have different object `id`s. 
Security_Detections_API_RulePatchProps: anyOf: - $ref: '#/components/schemas/Security_Detections_API_EqlRulePatchProps' - $ref: '#/components/schemas/Security_Detections_API_QueryRulePatchProps' - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRulePatchProps + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRulePatchProps' - $ref: '#/components/schemas/Security_Detections_API_ThresholdRulePatchProps' - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRulePatchProps - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRulePatchProps + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRulePatchProps' + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRulePatchProps' - $ref: '#/components/schemas/Security_Detections_API_NewTermsRulePatchProps' - $ref: '#/components/schemas/Security_Detections_API_EsqlRulePatchProps' Security_Detections_API_RulePreviewLoggedRequest: @@ -70387,8 +125250,7 @@ components: type: array requests: items: - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewLoggedRequest + $ref: '#/components/schemas/Security_Detections_API_RulePreviewLoggedRequest' type: array startedAt: $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' 
@@ -70412,22 +125274,14 @@ components: - invocationCount - timeframeEnd Security_Detections_API_RuleQuery: - description: > - [Query](https://www.elastic.co/docs/explore-analyze/query-filter) used - by the rule to create alerts. - - - - For indicator match rules, only the query’s results are used to - determine whether an alert is generated. + description: | + [Query](https://www.elastic.co/docs/explore-analyze/query-filter) used by the rule to create alerts. - - ES|QL rules have additional query requirements. Refer to [Create - ES|QL](https://www.elastic.co/docs/solutions/security/detect-and-alert/create-detection-rule#create-esql-rule) - rules for more information. + - For indicator match rules, only the query’s results are used to determine whether an alert is generated. + - ES|QL rules have additional query requirements. Refer to [Create ES|QL](https://www.elastic.co/docs/solutions/security/detect-and-alert/create-detection-rule#create-esql-rule) rules for more information. type: string Security_Detections_API_RuleReferenceArray: - description: >- - Array containing notes about or references to relevant information about - the rule. Defaults to an empty array. + description: Array containing notes about or references to relevant information about the rule. Defaults to an empty array. items: type: string type: array 
@@ -70453,47 +125307,26 @@ components: threshold: '#/components/schemas/Security_Detections_API_ThresholdRule' propertyName: type Security_Detections_API_RuleRevision: - description: > + description: | The rule's revision number. - - It represents the version of rule's object in Kibana. It is set to `0` - when the rule is installed or created and then gets incremented on each - update. - + It represents the version of rule's object in Kibana. It is set to `0` when the rule is installed or created and then gets incremented on each update. > info - - > Not all updates to any rule fields will increment the revision. Only - those fields that are considered static `rule parameters` can trigger - revision increments. For example, an update to a rule's query or index - fields will increment the rule's revision by `1`. However, changes to - dynamic or technical fields like enabled or execution_summary will not - cause revision increments. + > Not all updates to any rule fields will increment the revision. Only those fields that are considered static `rule parameters` can trigger revision increments. For example, an update to a rule's query or index fields will increment the rule's revision by `1`. However, changes to dynamic or technical fields like enabled or execution_summary will not cause revision increments. minimum: 0 type: integer Security_Detections_API_RuleSignatureId: - description: >- - A stable unique identifier for the rule object. It can be assigned - during rule creation. It can be any string, but often is a UUID. It - should be unique not only within a given Kibana space, but also across - spaces and Elastic environments. The same prebuilt Elastic rule, when - installed in two different Kibana spaces or two different Elastic - environments, will have the same `rule_id`s. + description: A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. 
It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same `rule_id`s. type: string Security_Detections_API_RuleSource: - description: >- - Discriminated union that determines whether the rule is internally - sourced (created within the Kibana app) or has an external source, such - as the Elastic Prebuilt rules repo. + description: Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo. discriminator: propertyName: type oneOf: - $ref: '#/components/schemas/Security_Detections_API_ExternalRuleSource' - $ref: '#/components/schemas/Security_Detections_API_InternalRuleSource' Security_Detections_API_RuleTagArray: - description: >- - String array containing words and phrases to help categorize, filter, - and search rules. Defaults to an empty array. + description: String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array. items: type: string type: array 
@@ -70501,47 +125334,31 @@ components: anyOf: - $ref: '#/components/schemas/Security_Detections_API_EqlRuleUpdateProps' - $ref: '#/components/schemas/Security_Detections_API_QueryRuleUpdateProps' - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleUpdateProps - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleUpdateProps - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleUpdateProps - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleUpdateProps + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleUpdateProps' + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleUpdateProps' + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleUpdateProps' + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleUpdateProps' - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleUpdateProps' - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleUpdateProps' discriminator: mapping: eql: '#/components/schemas/Security_Detections_API_EqlRuleUpdateProps' esql: '#/components/schemas/Security_Detections_API_EsqlRuleUpdateProps' - machine_learning: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleUpdateProps + machine_learning: '#/components/schemas/Security_Detections_API_MachineLearningRuleUpdateProps' new_terms: '#/components/schemas/Security_Detections_API_NewTermsRuleUpdateProps' query: '#/components/schemas/Security_Detections_API_QueryRuleUpdateProps' - saved_query: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleUpdateProps - threat_match: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleUpdateProps - threshold: >- - #/components/schemas/Security_Detections_API_ThresholdRuleUpdateProps + saved_query: '#/components/schemas/Security_Detections_API_SavedQueryRuleUpdateProps' + threat_match: 
'#/components/schemas/Security_Detections_API_ThreatMatchRuleUpdateProps' + threshold: '#/components/schemas/Security_Detections_API_ThresholdRuleUpdateProps' propertyName: type Security_Detections_API_RuleVersion: - description: > + description: | The rule's version number. - - - For prebuilt rules it represents the version of the rule's content in - the source [detection-rules](https://github.com/elastic/detection-rules) - repository (and the corresponding `security_detection_engine` Fleet - package that is used for distributing prebuilt rules). - + - For prebuilt rules it represents the version of the rule's content in the source [detection-rules](https://github.com/elastic/detection-rules) repository (and the corresponding `security_detection_engine` Fleet package that is used for distributing prebuilt rules). - For custom rules it is set to `1` when the rule is created. - > info - - > It is not incremented on each update. Compare this to the `revision` - field. + > It is not incremented on each update. Compare this to the `revision` field. minimum: 1 type: integer Security_Detections_API_RunScriptOsConfigValues: 
@@ -70567,22 +125384,17 @@ components: - runscript type: string comment: - description: >- - Add a note that explains or describes the action. You can find your - comment in the response actions history log + description: Add a note that explains or describes the action. You can find your comment in the response actions history log type: string config: type: object properties: linux: - $ref: >- - #/components/schemas/Security_Detections_API_RunScriptOsConfigValues + $ref: '#/components/schemas/Security_Detections_API_RunScriptOsConfigValues' macos: - $ref: >- - #/components/schemas/Security_Detections_API_RunScriptOsConfigValues + $ref: '#/components/schemas/Security_Detections_API_RunScriptOsConfigValues' windows: - $ref: >- - #/components/schemas/Security_Detections_API_RunScriptOsConfigValues + $ref: '#/components/schemas/Security_Detections_API_RunScriptOsConfigValues' required: - command Security_Detections_API_SavedObjectResolveAliasPurpose: 
@@ -70599,28 +125411,21 @@ components: - conflict type: string Security_Detections_API_SavedQueryId: - description: >- - Kibana [saved - search](https://www.elastic.co/docs/explore-analyze/discover/search-sessions) - used by the rule to create alerts. + description: Kibana [saved search](https://www.elastic.co/docs/explore-analyze/discover/search-sessions) used by the rule to create alerts. type: string Security_Detections_API_SavedQueryRule: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -70634,8 +125439,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -70651,35 +125455,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -70706,13 +125499,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: 
@@ -70741,33 +125532,25 @@ components: - related_integrations - required_fields - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleResponseFields + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleResponseFields' Security_Detections_API_SavedQueryRuleCreateFields: allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleDefaultableFields + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleRequiredFields' + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields' + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleDefaultableFields' Security_Detections_API_SavedQueryRuleCreateProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -70781,8 +125564,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -70798,35 +125580,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -70855,13 +125626,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -70871,8 +125640,7 @@ components: - description - risk_score - severity - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleCreateFields + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleCreateFields' Security_Detections_API_SavedQueryRuleDefaultableFields: type: object properties: 
@@ -70902,27 +125670,21 @@ components: enum: - saved_query type: string - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleDefaultableFields + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields' + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleDefaultableFields' Security_Detections_API_SavedQueryRulePatchProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -70936,12 +125698,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
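Review bot: In the second hunk on this line the `id` property of `Security_Detections_API_SavedQueryRulePatchProps` changes its reference from `Security_Detections_API_RuleObjectId` to `Security_Detections_API_UUID`, and the same substitution appears again in the later hunk `@@ -71080,376 +125821,11 @@` for the update-props schema. Every other change in these hunks is a folded-scalar reformat, so this is a contract change hidden inside a cosmetic diff. If the `UUID` schema carries a stricter `format` or pattern than `RuleObjectId` did, clients that patch or update rules by a non-UUID object id would start receiving validation errors, and the commit description does not say whether that is intended or whether `RuleObjectId` is being retired. This looks like a generated bundle, so any correction should be made in the source schema and re-bundled rather than edited here.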
@@ -70955,35 +125716,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -71012,19 +125762,16 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRulePatchFields + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRulePatchFields' Security_Detections_API_SavedQueryRuleRequiredFields: type: object properties: @@ -71040,10 +125787,8 @@ components: - saved_id Security_Detections_API_SavedQueryRuleResponseFields: allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleRequiredFields' + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields' - type: object properties: language: 
@@ -71055,18 +125800,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -71080,376 +125821,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - - > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. 
- items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - required: - - name - - description - - risk_score - - severity - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleCreateFields - Security_Detections_API_SetAlertAssigneesBody: - type: object - properties: - assignees: - $ref: '#/components/schemas/Security_Detections_API_AlertAssignees' - description: Details about the assignees to assign and unassign. 
- ids: - $ref: '#/components/schemas/Security_Detections_API_AlertIds' - required: - - assignees - - ids - Security_Detections_API_SetAlertsStatusByIds: - discriminator: - mapping: - closed: '#/components/schemas/Security_Detections_API_CloseAlertsByIds' - propertyName: status - oneOf: - - $ref: '#/components/schemas/Security_Detections_API_CloseAlertsByIds' - - $ref: >- - #/components/schemas/Security_Detections_API_SetAlertsStatusByIdsBase - Security_Detections_API_SetAlertsStatusByIdsBase: - type: object - properties: - signal_ids: - description: >- - List of alert ids. Use field `_id` on alert document or - `kibana.alert.uuid`. Note: signals are a deprecated term for alerts. - items: - format: nonempty - minLength: 1 - type: string - minItems: 1 - type: array - status: - $ref: '#/components/schemas/Security_Detections_API_AlertStatusExceptClosed' - required: - - signal_ids - - status - Security_Detections_API_SetAlertsStatusByQuery: - discriminator: - mapping: - closed: '#/components/schemas/Security_Detections_API_CloseAlertsByQuery' - propertyName: status - oneOf: - - $ref: '#/components/schemas/Security_Detections_API_CloseAlertsByQuery' - - $ref: >- - #/components/schemas/Security_Detections_API_SetAlertsStatusByQueryBase - Security_Detections_API_SetAlertsStatusByQueryBase: - type: object - properties: - conflicts: - default: abort - enum: - - abort - - proceed - type: string - query: - additionalProperties: true - type: object - status: - $ref: '#/components/schemas/Security_Detections_API_AlertStatusExceptClosed' - required: - - query - - status - Security_Detections_API_SetAlertTags: - description: Object with list of tags to add and remove. 
- type: object - properties: - tags_to_add: - $ref: '#/components/schemas/Security_Detections_API_AlertTags' - tags_to_remove: - $ref: '#/components/schemas/Security_Detections_API_AlertTags' - required: - - tags_to_add - - tags_to_remove - Security_Detections_API_SetAlertTagsBody: - type: object - properties: - ids: - $ref: '#/components/schemas/Security_Detections_API_AlertIds' - tags: - $ref: '#/components/schemas/Security_Detections_API_SetAlertTags' - required: - - ids - - tags - Security_Detections_API_SetupGuide: - description: >- - Populates the rule’s setup guide with instructions on rule prerequisites - such as required integrations, configuration steps, and anything else - needed for the rule to work correctly. - type: string - Security_Detections_API_Severity: - description: > - Severity level of alerts produced by the rule, which must be one of the - following: - - * `low`: Alerts that are of interest but generally not considered to be - security incidents - - * `medium`: Alerts that require investigation - - * `high`: Alerts that require immediate investigation - - * `critical`: Alerts that indicate it is highly likely a security - incident has occurred - enum: - - low - - medium - - high - - critical - type: string - Security_Detections_API_SeverityMapping: - description: Overrides generated alerts' severity with values from the source event - items: - type: object - properties: - field: - description: Source event field used to override the default `severity`. 
- type: string - operator: - enum: - - equals - type: string - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - value: - type: string - required: - - field - - operator - - severity - - value - type: array - Security_Detections_API_SiemErrorResponse: - type: object - properties: - message: - type: string - status_code: - type: integer - required: - - status_code - - message - Security_Detections_API_SkippedAlertsIndexMigration: - type: object - properties: - index: - type: string - required: - - index - Security_Detections_API_SortOrder: - enum: - - asc - - desc - type: string - Security_Detections_API_Threat: - description: > - > info - - > Currently, only threats described using the MITRE ATT&CK™ - framework are supported. - type: object - properties: - framework: - description: Relevant attack framework - type: string - tactic: - $ref: '#/components/schemas/Security_Detections_API_ThreatTactic' - technique: - description: Array containing information on the attack techniques (optional) - items: - $ref: '#/components/schemas/Security_Detections_API_ThreatTechnique' - type: array - required: - - framework - - tactic - Security_Detections_API_ThreatArray: - items: - $ref: '#/components/schemas/Security_Detections_API_Threat' - type: array - Security_Detections_API_ThreatFilters: - items: - description: >- - Query and filter context array used to filter documents from the - Elasticsearch index containing the threat values - type: array - Security_Detections_API_ThreatIndex: - description: Elasticsearch indices used to check which field values generate alerts. 
- items: - type: string - type: array - Security_Detections_API_ThreatIndicatorPath: - description: >- - Defines the path to the threat indicator in the indicator documents - (optional) - type: string - Security_Detections_API_ThreatMapping: - description: > - Array of entries objects that define mappings between the source event - fields and the values in the Elasticsearch threat index. Each entries - object must contain these fields: - - - - field: field from the event indices on which the rule runs - - - type: must be mapping - - - value: field from the Elasticsearch threat index - - You can use Boolean and and or logic to define the conditions for when - matching fields and values generate alerts. Sibling entries objects are - evaluated using or logic, whereas multiple entries in a single entries - object use and logic. See Example of Threat Match rule which uses both - `and` and `or` logic. - items: - type: object - properties: - entries: - items: - $ref: '#/components/schemas/Security_Detections_API_ThreatMappingEntry' - type: array - required: - - entries - minItems: 1 - type: array - Security_Detections_API_ThreatMappingEntry: - type: object - properties: - field: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - negate: - type: boolean - type: - enum: - - mapping - type: string - value: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - required: - - field - - type - - value - Security_Detections_API_ThreatMatchRule: - allOf: - - type: object - properties: - actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. 
- items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -71463,35 +125839,340 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. 
+ items: + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' + type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + required: + - name + - description + - risk_score + - severity + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleCreateFields' + Security_Detections_API_SetAlertAssigneesBody: + type: object + properties: + assignees: + $ref: '#/components/schemas/Security_Detections_API_AlertAssignees' + description: Details about the assignees to assign and unassign. 
+ ids: + $ref: '#/components/schemas/Security_Detections_API_AlertIds' + required: + - assignees + - ids + Security_Detections_API_SetAlertsStatusByIds: + discriminator: + mapping: + closed: '#/components/schemas/Security_Detections_API_CloseAlertsByIds' + propertyName: status + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_CloseAlertsByIds' + - $ref: '#/components/schemas/Security_Detections_API_SetAlertsStatusByIdsBase' + Security_Detections_API_SetAlertsStatusByIdsBase: + type: object + properties: + signal_ids: + description: 'List of alert ids. Use field `_id` on alert document or `kibana.alert.uuid`. Note: signals are a deprecated term for alerts.' + items: + format: nonempty + minLength: 1 + type: string + minItems: 1 + type: array + status: + $ref: '#/components/schemas/Security_Detections_API_AlertStatusExceptClosed' + required: + - signal_ids + - status + Security_Detections_API_SetAlertsStatusByQuery: + discriminator: + mapping: + closed: '#/components/schemas/Security_Detections_API_CloseAlertsByQuery' + propertyName: status + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_CloseAlertsByQuery' + - $ref: '#/components/schemas/Security_Detections_API_SetAlertsStatusByQueryBase' + Security_Detections_API_SetAlertsStatusByQueryBase: + type: object + properties: + conflicts: + default: abort + enum: + - abort + - proceed + type: string + query: + additionalProperties: true + type: object + status: + $ref: '#/components/schemas/Security_Detections_API_AlertStatusExceptClosed' + required: + - query + - status + Security_Detections_API_SetAlertTags: + description: Object with list of tags to add and remove. 
+ type: object + properties: + tags_to_add: + $ref: '#/components/schemas/Security_Detections_API_AlertTags' + tags_to_remove: + $ref: '#/components/schemas/Security_Detections_API_AlertTags' + required: + - tags_to_add + - tags_to_remove + Security_Detections_API_SetAlertTagsBody: + type: object + properties: + ids: + $ref: '#/components/schemas/Security_Detections_API_AlertIds' + tags: + $ref: '#/components/schemas/Security_Detections_API_SetAlertTags' + required: + - ids + - tags + Security_Detections_API_SetupGuide: + description: Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly. + type: string + Security_Detections_API_Severity: + description: | + Severity level of alerts produced by the rule, which must be one of the following: + * `low`: Alerts that are of interest but generally not considered to be security incidents + * `medium`: Alerts that require investigation + * `high`: Alerts that require immediate investigation + * `critical`: Alerts that indicate it is highly likely a security incident has occurred + enum: + - low + - medium + - high + - critical + type: string + Security_Detections_API_SeverityMapping: + description: Overrides generated alerts' severity with values from the source event + items: + type: object + properties: + field: + description: Source event field used to override the default `severity`. 
+ type: string + operator: + enum: + - equals + type: string + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + value: + type: string + required: + - field + - operator + - severity + - value + type: array + Security_Detections_API_SiemErrorResponse: + type: object + properties: + message: + type: string + status_code: + type: integer + required: + - status_code + - message + Security_Detections_API_SkippedAlertsIndexMigration: + type: object + properties: + index: + type: string + required: + - index + Security_Detections_API_SortOrder: + enum: + - asc + - desc + type: string + Security_Detections_API_Threat: + description: | + > info + > Currently, only threats described using the MITRE ATT&CK™ framework are supported. + type: object + properties: + framework: + description: Relevant attack framework + type: string + tactic: + $ref: '#/components/schemas/Security_Detections_API_ThreatTactic' + technique: + description: Array containing information on the attack techniques (optional) + items: + $ref: '#/components/schemas/Security_Detections_API_ThreatTechnique' + type: array + required: + - framework + - tactic + Security_Detections_API_ThreatArray: + items: + $ref: '#/components/schemas/Security_Detections_API_Threat' + type: array + Security_Detections_API_ThreatFilters: + items: + description: Query and filter context array used to filter documents from the Elasticsearch index containing the threat values + type: array + Security_Detections_API_ThreatIndex: + description: Elasticsearch indices used to check which field values generate alerts. + items: + type: string + type: array + Security_Detections_API_ThreatIndicatorPath: + description: Defines the path to the threat indicator in the indicator documents (optional) + type: string + Security_Detections_API_ThreatMapping: + description: | + Array of entries objects that define mappings between the source event fields and the values in the Elasticsearch threat index. 
Each entries object must contain these fields: - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + - field: field from the event indices on which the rule runs + - type: must be mapping + - value: field from the Elasticsearch threat index + + You can use Boolean and and or logic to define the conditions for when matching fields and values generate alerts. Sibling entries objects are evaluated using or logic, whereas multiple entries in a single entries object use and logic. See Example of Threat Match rule which uses both `and` and `or` logic. + items: + type: object + properties: + entries: + items: + $ref: '#/components/schemas/Security_Detections_API_ThreatMappingEntry' + type: array + required: + - entries + minItems: 1 + type: array + Security_Detections_API_ThreatMappingEntry: + type: object + properties: + field: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + negate: + type: boolean + type: + enum: + - mapping + type: string + value: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + required: + - field + - type + - value + Security_Detections_API_ThreatMatchRule: + allOf: + - type: object + properties: + actions: + description: Array defining the automated actions (notifications) taken when alerts are generated. 
items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' + alias_target_id: + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: 
'#/components/schemas/Security_Detections_API_RelatedIntegrationArray' + required_fields: + description: | + Elasticsearch fields and their types that need to be present for the rule to function. + > info + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. + items: + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: @@ -71518,13 +126199,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: 
@@ -71553,33 +126232,25 @@ components: - related_integrations - required_fields - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleResponseFields + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleResponseFields' Security_Detections_API_ThreatMatchRuleCreateFields: allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleDefaultableFields + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleRequiredFields' + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields' + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleDefaultableFields' Security_Detections_API_ThreatMatchRuleCreateProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -71593,8 +126264,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -71610,35 +126280,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -71667,13 +126326,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -71683,8 +126340,7 @@ components: - description - risk_score - severity - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleCreateFields + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleCreateFields' Security_Detections_API_ThreatMatchRuleDefaultableFields: type: object properties: 
@@ -71730,27 +126386,21 @@ components: enum: - threat_match type: string - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleDefaultableFields + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields' + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleDefaultableFields' Security_Detections_API_ThreatMatchRulePatchProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -71764,12 +126414,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -71783,35 +126432,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -71840,19 +126478,16 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRulePatchFields + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRulePatchFields' Security_Detections_API_ThreatMatchRuleRequiredFields: type: object properties: @@ -71877,10 +126512,8 @@ components: - threat_index Security_Detections_API_ThreatMatchRuleResponseFields: allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleRequiredFields' + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields' - type: object properties: language: 
@@ -71892,18 +126525,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -71917,12 +126546,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -71936,35 +126564,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -71993,13 +126610,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -72009,12 +126624,9 @@ components: - description - risk_score - severity - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleCreateFields + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleCreateFields' Security_Detections_API_ThreatQuery: - description: >- - Query used to determine which fields in the Elasticsearch index are used - for generating alerts. + description: Query used to determine which fields in the Elasticsearch index are used for generating alerts. type: string Security_Detections_API_ThreatSubtechnique: type: object @@ -72089,8 +126701,7 @@ components: type: object properties: duration: - $ref: >- - #/components/schemas/Security_Detections_API_AlertSuppressionDuration + $ref: '#/components/schemas/Security_Detections_API_AlertSuppressionDuration' required: - duration Security_Detections_API_ThresholdCardinality: @@ -72102,9 +126713,7 @@ components: description: The field on which to calculate and compare the cardinality. type: string value: - description: >- - The threshold value from which an alert is generated based on - unique number of values of cardinality.field. + description: The threshold value from which an alert is generated based on unique number of values of cardinality.field. minimum: 0 type: integer required: 
@@ -72112,10 +126721,7 @@ components: - value type: array Security_Detections_API_ThresholdField: - description: >- - The field on which the threshold is applied. If you specify an empty - array ([]), alerts are generated when the query returns at least the - number of results specified in the value field. + description: The field on which the threshold is applied. If you specify an empty array ([]), alerts are generated when the query returns at least the number of results specified in the value field. oneOf: - type: string - items: @@ -72128,18 +126734,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -72153,8 +126755,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -72170,35 +126771,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -72225,13 +126815,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: 
@@ -72260,33 +126848,25 @@ components: - related_integrations - required_fields - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleResponseFields + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleResponseFields' Security_Detections_API_ThresholdRuleCreateFields: allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleDefaultableFields + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleRequiredFields' + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields' + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleDefaultableFields' Security_Detections_API_ThresholdRuleCreateProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -72300,8 +126880,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -72317,35 +126896,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -72374,13 +126942,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -72390,8 +126956,7 @@ components: - description - risk_score - severity - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleCreateFields + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleCreateFields' Security_Detections_API_ThresholdRuleDefaultableFields: type: object properties: @@ -72401,8 +126966,7 @@ components: type: object properties: alert_suppression: - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdAlertSuppression + $ref: '#/components/schemas/Security_Detections_API_ThresholdAlertSuppression' data_view_id: $ref: '#/components/schemas/Security_Detections_API_DataViewId' filters: 
@@ -72424,27 +126988,21 @@ components: enum: - threshold type: string - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleDefaultableFields + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields' + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleDefaultableFields' Security_Detections_API_ThresholdRulePatchProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -72458,12 +127016,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -72477,35 +127034,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -72534,19 +127080,16 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRulePatchFields + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRulePatchFields' Security_Detections_API_ThresholdRuleRequiredFields: type: object properties: @@ -72565,10 +127108,8 @@ components: - threshold Security_Detections_API_ThresholdRuleResponseFields: allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleRequiredFields' + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields' - type: object properties: language: 
@@ -72580,18 +127121,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -72605,12 +127142,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -72624,35 +127160,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -72681,13 +127206,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: 
@@ -72697,26 +127220,17 @@ components: - description - risk_score - severity - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleCreateFields + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleCreateFields' Security_Detections_API_ThresholdValue: description: The threshold value from which an alert is generated. minimum: 1 type: integer Security_Detections_API_ThrottleForBulkActions: - description: > + description: | Defines the maximum interval in which a rule’s actions are executed. - > info - - > The rule level `throttle` field is deprecated in Elastic Security 8.8 - and will remain active for at least the next 12 months. - - > In Elastic Security 8.8 and later, you can use the `frequency` field - to define frequencies for individual actions. Actions without - frequencies will acquire a converted version of the rule’s `throttle` - field. In the response, the converted `throttle` setting appears in the - individual actions' `frequency` field. + > The rule level `throttle` field is deprecated in Elastic Security 8.8 and will remain active for at least the next 12 months. + > In Elastic Security 8.8 and later, you can use the `frequency` field to define frequencies for individual actions. Actions without frequencies will acquire a converted version of the rule’s `throttle` field. In the response, the converted `throttle` setting appears in the individual actions' `frequency` field. enum: - rule - 1h 
@@ -72733,17 +127247,10 @@ components: description: Timeline template title type: string Security_Detections_API_TimestampField: - description: >- - Specifies the name of the event timestamp field used for sorting a - sequence of events. Not to be confused with `timestamp_override`, which - specifies the more general field used for querying events within a - range. Defaults to the @timestamp ECS field. + description: Specifies the name of the event timestamp field used for sorting a sequence of events. Not to be confused with `timestamp_override`, which specifies the more general field used for querying events within a range. Defaults to the @timestamp ECS field. type: string Security_Detections_API_TimestampOverride: - description: >- - Sets the time field used to query indices. When unspecified, rules query - the `@timestamp` field. The source field must be an Elasticsearch date - data type. + description: Sets the time field used to query indices. When unspecified, rules query the `@timestamp` field. The source field must be an Elasticsearch date data type. type: string Security_Detections_API_TimestampOverrideFallbackDisabled: description: Disables the fallback to the event's @timestamp field @@ -72778,10 +127285,7 @@ components: type: object properties: _version: - description: >- - The version id, normally returned by the API when the item was - retrieved. Use it ensure updates are done against the latest - version. + description: The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version. type: string created_at: description: Autogenerated date of object creation. 
@@ -72791,39 +127295,28 @@ components: description: Autogenerated value - user that created object. type: string description: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListDescription + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListDescription' id: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListId + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListId' immutable: type: boolean list_id: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListHumanId + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListHumanId' meta: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListMeta + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListMeta' name: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListName + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListName' namespace_type: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionNamespaceType + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionNamespaceType' os_types: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsTypeArray + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsTypeArray' tags: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListTags + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListTags' tie_breaker_id: - description: >- - Field used in search to ensure all containers are sorted and - returned correctly. + description: Field used in search to ensure all containers are sorted and returned correctly. 
type: string type: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListType + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListType' updated_at: description: Autogenerated date of last object update. format: date-time @@ -72832,8 +127325,7 @@ components: description: Autogenerated value - user that last updated object. type: string version: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListVersion + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListVersion' required: - id - list_id 
@@ -72853,30 +127345,17 @@ components: example: This list tracks allowlisted values. type: string Security_Endpoint_Exceptions_API_ExceptionListHumanId: - description: > + description: | The exception list's human-readable string identifier. - For endpoint artifacts, use one of the following values: - - * `endpoint_list`: [Elastic Endpoint exception - list](https://www.elastic.co/docs/solutions/security/detect-and-alert/add-manage-exceptions) - - * `endpoint_trusted_apps`: [Trusted applications - list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/trusted-applications) - - * `endpoint_trusted_devices`: [Trusted devices - list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/trusted-devices) - - * `endpoint_event_filters`: [Event filters - list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/event-filters) - - * `endpoint_host_isolation_exceptions`: [Host isolation exceptions - list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/host-isolation-exceptions) - - * `endpoint_blocklists`: [Blocklists - list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/blocklist) + * `endpoint_list`: [Elastic Endpoint exception list](https://www.elastic.co/docs/solutions/security/detect-and-alert/add-manage-exceptions) + * `endpoint_trusted_apps`: [Trusted applications list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/trusted-applications) + * `endpoint_trusted_devices`: [Trusted devices list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/trusted-devices) + * `endpoint_event_filters`: [Event filters list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/event-filters) + * `endpoint_host_isolation_exceptions`: [Host isolation exceptions list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/host-isolation-exceptions) + * `endpoint_blocklists`: [Blocklists 
list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/blocklist) example: simple_list format: nonempty minLength: 1 @@ -72891,14 +127370,10 @@ components: type: object properties: _version: - description: >- - The version id, normally returned by the API when the item was - retrieved. Use it ensure updates are done against the latest - version. + description: The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version. type: string comments: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray' created_at: description: Autogenerated date of object creation. format: date-time 
@@ -72907,46 +127382,32 @@ components: description: Autogenerated value - user that created object. type: string description: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription' entries: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray' expire_time: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemExpireTime + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemExpireTime' id: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId' item_id: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId' list_id: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListHumanId + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListHumanId' meta: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta' name: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName' namespace_type: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionNamespaceType + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionNamespaceType' os_types: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray + $ref: 
'#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray' tags: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags' tie_breaker_id: - description: >- - Field used in search to ensure all containers are sorted and - returned correctly. + description: Field used in search to ensure all containers are sorted and returned correctly. type: string type: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType' updated_at: description: Autogenerated date of last object update. format: date-time 
@@ -72999,32 +127460,24 @@ components: - comment (string): Comments about the exception item. items: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemComment + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemComment' type: array Security_Endpoint_Exceptions_API_ExceptionListItemDescription: description: Describes the exception list. type: string Security_Endpoint_Exceptions_API_ExceptionListItemEntry: anyOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryList - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryNested - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchWildcard + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryList' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryNested' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchWildcard' discriminator: propertyName: type Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray: items: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntry + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntry' type: array 
Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists: type: object @@ -73032,8 +127485,7 @@ components: field: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' operator: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator' type: enum: - exists @@ -73058,8 +127510,7 @@ components: - id - type operator: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator' type: enum: - list @@ -73075,8 +127526,7 @@ components: field: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' operator: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator' type: enum: - match @@ -73094,16 +127544,14 @@ components: field: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' operator: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator' type: enum: - match_any type: string value: items: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' minItems: 1 type: array required: @@ -73117,8 +127565,7 @@ components: field: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' operator: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator' type: enum: - wildcard 
@@ -73135,8 +127582,7 @@ components: properties: entries: items: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryNestedEntryItem + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryNestedEntryItem' minItems: 1 type: array field: @@ -73151,21 +127597,16 @@ components: - entries Security_Endpoint_Exceptions_API_ExceptionListItemEntryNestedEntryItem: oneOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists' Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator: enum: - excluded - included type: string Security_Endpoint_Exceptions_API_ExceptionListItemExpireTime: - description: >- - The exception item’s expiration date, in ISO format. This field is only - available for regular exception items, not endpoint exceptions. + description: The exception item’s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions. format: date-time type: string Security_Endpoint_Exceptions_API_ExceptionListItemHumanId: 
@@ -73190,14 +127631,11 @@ components: type: string Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray: items: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsType + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsType' type: array Security_Endpoint_Exceptions_API_ExceptionListItemTags: items: - description: >- - String array containing words and phrases to help categorize exception - items. + description: String array containing words and phrases to help categorize exception items. format: nonempty minLength: 1 type: string @@ -73224,20 +127662,15 @@ components: Security_Endpoint_Exceptions_API_ExceptionListOsTypeArray: description: Use this field to specify the operating system. Only enter one value. items: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsType + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsType' type: array Security_Endpoint_Exceptions_API_ExceptionListTags: - description: >- - String array containing words and phrases to help categorize exception - containers. + description: String array containing words and phrases to help categorize exception containers. items: type: string type: array Security_Endpoint_Exceptions_API_ExceptionListType: - description: >- - The type of exception list to be created. Different list types may - denote where they can be utilized. + description: The type of exception list to be created. Different list types may denote where they can be utilized. enum: - detection - rule_default 
@@ -73253,21 +127686,14 @@ components: minimum: 1 type: integer Security_Endpoint_Exceptions_API_ExceptionNamespaceType: - description: > - Determines whether the exception container is available in all Kibana - spaces or just the space - + description: | + Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where: - - `single`: Only available in the Kibana space in which it is created. - - `agnostic`: Available in all Kibana spaces. - - For endpoint artifacts, the `namespace_type` must always be `agnostic`. - Space awareness for endpoint artifacts is enforced based on Elastic - Defend policy assignments. + For endpoint artifacts, the `namespace_type` must always be `agnostic`. Space awareness for endpoint artifacts is enforced based on Elastic Defend policy assignments. enum: - agnostic - single @@ -73281,17 +127707,12 @@ components: minLength: 1 type: string Security_Endpoint_Exceptions_API_ListType: - description: > - Specifies the Elasticsearch data type of excludes the list container - holds. Some common examples: - + description: | + Specifies the Elasticsearch data type of excludes the list container holds. Some common examples: - `keyword`: Many ECS fields are Elasticsearch keywords - - `ip`: IP addresses - - - `ip_range`: Range of IP addresses (supports IPv4, IPv6, and CIDR - notation) + - `ip_range`: Range of IP addresses (supports IPv4, IPv6, and CIDR notation) enum: - binary - boolean 
@@ -73354,8 +127775,7 @@ components: isolate: '#/components/schemas/Security_Endpoint_Management_API_Isolate' kill-process: '#/components/schemas/Security_Endpoint_Management_API_KillProcess' memory-dump: '#/components/schemas/Security_Endpoint_Management_API_MemoryDump' - running-processes: >- - #/components/schemas/Security_Endpoint_Management_API_RunningProcesses + running-processes: '#/components/schemas/Security_Endpoint_Management_API_RunningProcesses' runscript: '#/components/schemas/Security_Endpoint_Management_API_Runscript' scan: '#/components/schemas/Security_Endpoint_Management_API_Scan' suspend-process: '#/components/schemas/Security_Endpoint_Management_API_SuspendProcess' @@ -73373,8 +127793,7 @@ components: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Isolate' - $ref: '#/components/schemas/Security_Endpoint_Management_API_Unisolate' - $ref: '#/components/schemas/Security_Endpoint_Management_API_SuspendProcess' - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_RunningProcesses + - $ref: '#/components/schemas/Security_Endpoint_Management_API_RunningProcesses' - $ref: '#/components/schemas/Security_Endpoint_Management_API_MemoryDump' Security_Endpoint_Management_API_ActionStateSuccessResponse: type: object @@ -73383,9 +127802,7 @@ components: type: object properties: canEncrypt: - description: >- - Whether the Kibana instance has encryption enabled for response - actions. + description: Whether the Kibana instance has encryption enabled for response actions. type: boolean required: - data @@ -73400,8 +127817,7 @@ components: agent_id: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentId' pending_actions: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionsSchema + $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionsSchema' required: - agent_id - pending_actions 
@@ -73454,17 +127870,12 @@ components: example: updatedAt type: string Security_Endpoint_Management_API_ArchivePathToExecutableSchema: - description: >- - Used only for when the uploaded script is an archive (.zip file for - example). This property defines the relative path to the file included - in the archive that should be executed once its contents are extracted. - The path should be relative to the root of the archive. + description: Used only for when the uploaded script is an archive (.zip file for example). This property defines the relative path to the file included in the archive that should be executed once its contents are extracted. The path should be relative to the root of the archive. example: ./bin/script.sh type: string Security_Endpoint_Management_API_Cancel: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - type: object properties: outputs: @@ -73490,10 +127901,7 @@ components: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: - description: >- - If this action is associated with any alerts, they can be - specified here. The action will be logged in any cases - associated with the specified alerts. Max of 50. + description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. example: - alert-id-1 - alert-id-2 @@ -73504,9 +127912,7 @@ components: minItems: 1 type: array case_ids: - description: >- - The IDs of cases where the action taken will be logged. Max of - 50. + description: The IDs of cases where the action taken will be logged. Max of 50. example: - case-id-1 - case-id-2 
@@ -73519,8 +127925,7 @@ components: comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: @@ -73600,24 +128005,19 @@ components: format: binary type: object fileType: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointScriptFileType + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointScriptFileType' instructions: - description: >- - Instructions for using the script, including details around its - supported input arguments + description: Instructions for using the script, including details around its supported input arguments type: string name: description: Name of the script type: string pathToExecutable: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ArchivePathToExecutableSchema + $ref: '#/components/schemas/Security_Endpoint_Management_API_ArchivePathToExecutableSchema' platform: description: Platforms supported by the the script items: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointScriptPlatform + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointScriptPlatform' type: array requiresInput: description: Whether the script requires input arguments @@ -73625,8 +128025,7 @@ components: tags: description: Tags to categorize the script items: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointScriptTags + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointScriptTags' type: array required: - name 
@@ -73637,10 +128036,8 @@ components: type: object properties: downloadUri: - description: > - The server relative URI to download the file associated with the - output of the response action. - + description: | + The server relative URI to download the file associated with the output of the response action. URI does **not** include the space prefix example: /api/endpoint/action/497f6eca-6276/file/35645-6276-4993/download format: uri-reference @@ -73668,9 +128065,7 @@ components: '@timestamp': '2023-07-04T15:48:57.3609346Z' agent: build: - original: >- - version: 7.16.0, compiled: Tue Nov 16 17:00:00 2021, branch: - 7.16, commit: 73a51033db85e0fb3be1c934697ef6a2b08979ab + original: 'version: 7.16.0, compiled: Tue Nov 16 17:00:00 2021, branch: 7.16, commit: 73a51033db85e0fb3be1c934697ef6a2b08979ab' id: abb8a826-6812-448c-a571-6d8269b51449 type: endpoint version: 7.16.0 @@ -73749,9 +128144,7 @@ components: type: object properties: {} Security_Endpoint_Management_API_EndpointRunScriptParameters: - description: >- - Parameters for Run Script response action against Elastic Defend agent - type. + description: Parameters for Run Script response action against Elastic Defend agent type. example: agent_type: endpoint endpoint_ids: @@ -73765,9 +128158,7 @@ components: minLength: 1 type: string scriptInput: - description: >- - The input parameter arguments (if any) for the script that will be - executed. + description: The input parameter arguments (if any) for the script that will be executed. minLength: 1 type: string required: 
@@ -73788,11 +128179,8 @@ components: example: Collects host data for investigation type: string downloadUri: - description: >- - URI to download the script file. Note that this is the relative path - and does not include the space (if applicable) - example: >- - /api/endpoint/scripts_library/123e4567-e89b-12d3-a456-426655440000/download + description: URI to download the script file. Note that this is the relative path and does not include the space (if applicable) + example: /api/endpoint/scripts_library/123e4567-e89b-12d3-a456-426655440000/download type: string example: type: string @@ -73813,31 +128201,25 @@ components: format: uuid type: string instructions: - description: >- - Instructions for using the script, including details around its - supported input arguments + description: Instructions for using the script, including details around its supported input arguments type: string name: example: Collect host data type: string pathToExecutable: - description: > - The relative path to the file included in the archive that should be - executed once its contents are extracted. Applicable only for - scripts uploaded as an archive (.zip file for example). + description: | + The relative path to the file included in the archive that should be executed once its contents are extracted. Applicable only for scripts uploaded as an archive (.zip file for example). type: string platform: items: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointScriptPlatform + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointScriptPlatform' type: array requiresInput: type: boolean tags: description: Tags that categorize the script items: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointScriptTags + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointScriptTags' type: array updatedAt: format: date-time 
@@ -73848,12 +128230,7 @@ components: version: type: string Security_Endpoint_Management_API_EndpointScriptFileType: - description: >- - The type of the uploaded file, which determines the expected value of - `pathToExecutable`. If `fileType` is "script", then `pathToExecutable` - should not be included. If `fileType` is "archive", then - `pathToExecutable` is required and should specify the path to the - executable file within the archive. + description: The type of the uploaded file, which determines the expected value of `pathToExecutable`. If `fileType` is "script", then `pathToExecutable` should not be included. If `fileType` is "archive", then `pathToExecutable` is required and should specify the path to the executable file within the archive. enum: - script - archive @@ -73880,8 +128257,7 @@ components: type: string Security_Endpoint_Management_API_Execute: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - type: object properties: outputs: @@ -73890,8 +128266,7 @@ components: properties: content: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_DownloadUri + - $ref: '#/components/schemas/Security_Endpoint_Management_API_DownloadUri' - type: object properties: code: @@ -73929,10 +128304,7 @@ components: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: - description: >- - If this action is associated with any alerts, they can be - specified here. The action will be logged in any cases - associated with the specified alerts. Max of 50. + description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. example: - alert-id-1 - alert-id-2 
@@ -73943,9 +128315,7 @@ components: minItems: 1 type: array case_ids: - description: >- - The IDs of cases where the action taken will be logged. Max of - 50. + description: The IDs of cases where the action taken will be logged. Max of 50. example: - case-id-1 - case-id-2 @@ -73958,8 +128328,7 @@ components: comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: @@ -73974,9 +128343,7 @@ components: minLength: 1 type: string timeout: - description: >- - The maximum timeout value in seconds before the command is - terminated. + description: The maximum timeout value in seconds before the command is terminated. minimum: 1 type: integer required: @@ -74054,8 +128421,7 @@ components: data: description: The list of response actions. items: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' type: array elasticAgentIds: description: The list of elastic agent IDs the query was filtered by. @@ -74089,8 +128455,7 @@ components: type: array Security_Endpoint_Management_API_GetFile: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - type: object properties: outputs: @@ -74099,8 +128464,7 @@ components: properties: content: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_DownloadUri + - $ref: '#/components/schemas/Security_Endpoint_Management_API_DownloadUri' - type: object properties: code: 
@@ -74135,10 +128499,7 @@ components: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: - description: >- - If this action is associated with any alerts, they can be - specified here. The action will be logged in any cases - associated with the specified alerts. Max of 50. + description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. example: - alert-id-1 - alert-id-2 @@ -74149,9 +128510,7 @@ components: minItems: 1 type: array case_ids: - description: >- - The IDs of cases where the action taken will be logged. Max of - 50. + description: The IDs of cases where the action taken will be logged. Max of 50. example: - case-id-1 - case-id-2 @@ -74164,8 +128523,7 @@ components: comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: @@ -74188,10 +128546,7 @@ components: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: - description: >- - If this action is associated with any alerts, they can be specified - here. The action will be logged in any cases associated with the - specified alerts. Max of 50. + description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. example: - alert-id-1 - alert-id-2 
@@ -74254,8 +128609,7 @@ components: type: array Security_Endpoint_Management_API_Isolate: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - description: Details of an isolate action response. type: object Security_Endpoint_Management_API_IsolateRouteResponse: @@ -74265,12 +128619,10 @@ components: description: The action ID (legacy field, same as `data.id`). type: string data: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' Security_Endpoint_Management_API_KillProcess: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - type: object properties: outputs: @@ -74321,9 +128673,7 @@ components: - type: object properties: process_name: - description: >- - The name of the process to terminate. Valid for - SentinelOne agent type only. + description: The name of the process to terminate. Valid for SentinelOne agent type only. type: string Security_Endpoint_Management_API_KillProcessRouteRequestBody: allOf: @@ -74332,10 +128682,7 @@ components: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: - description: >- - If this action is associated with any alerts, they can be - specified here. The action will be logged in any cases - associated with the specified alerts. Max of 50. + description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. example: - alert-id-1 - alert-id-2 
@@ -74346,9 +128693,7 @@ components: minItems: 1 type: array case_ids: - description: >- - The IDs of cases where the action taken will be logged. Max of - 50. + description: The IDs of cases where the action taken will be logged. Max of 50. example: - case-id-1 - case-id-2 @@ -74361,8 +128706,7 @@ components: comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: @@ -74388,9 +128732,7 @@ components: - type: object properties: process_name: - description: >- - The name of the process to terminate. Valid for - SentinelOne agent type only. + description: The name of the process to terminate. Valid for SentinelOne agent type only. example: Elastic minLength: 1 type: string @@ -74401,9 +128743,7 @@ components: example: 'united.endpoint.host.os.name : ''Windows''' type: string Security_Endpoint_Management_API_MDERunScriptParameters: - description: >- - Parameters for Run Script response action against Microsoft Defender - Endpoint agent type. + description: Parameters for Run Script response action against Microsoft Defender Endpoint agent type. example: agent_type: microsoft_defender_endpoint endpoint_ids: @@ -74426,8 +128766,7 @@ components: type: object Security_Endpoint_Management_API_MemoryDump: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - type: object properties: outputs: 
@@ -74439,17 +128778,13 @@ components: code: type: string disk_free_space: - description: >- - The free space on the host machine in bytes after the - memory dump is written to disk + description: The free space on the host machine in bytes after the memory dump is written to disk type: number file_size: description: The size of the memory dump compressed file in bytes type: string path: - description: >- - The path to the memory dump compressed file on the - host machine + description: The path to the memory dump compressed file on the host machine type: string title: Memory dump output type: object @@ -74503,10 +128838,7 @@ components: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: - description: >- - If this action is associated with any alerts, they can be - specified here. The action will be logged in any cases - associated with the specified alerts. Max of 50. + description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. example: - alert-id-1 - alert-id-2 @@ -74517,9 +128849,7 @@ components: minItems: 1 type: array case_ids: - description: >- - The IDs of cases where the action taken will be logged. Max of - 50. + description: The IDs of cases where the action taken will be logged. Max of 50. example: - case-id-1 - case-id-2 @@ -74532,8 +128862,7 @@ components: comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: 
@@ -74586,9 +128915,7 @@ components: '@timestamp': '2023-07-04T15:47:57.432173535Z' agent: build: - original: >- - version: 7.16.0, compiled: Tue Nov 16 16:00:00 2021, branch: - 7.16, commit: 73a51033db85e0fb3be1c934697ef6a2b08979ab + original: 'version: 7.16.0, compiled: Tue Nov 16 16:00:00 2021, branch: 7.16, commit: 73a51033db85e0fb3be1c934697ef6a2b08979ab' id: 285297c6-3bff-4b83-9a07-f3e749801123 type: endpoint version: 7.16.0 @@ -74647,9 +128974,7 @@ components: variant: Ubuntu family: ubuntu full: Ubuntu 20.04.2 - kernel: >- - 5.8.0-59-generic #66~20.04.1-Ubuntu SMP Thu Jun 17 11:14:10 - UTC 2021 + kernel: '5.8.0-59-generic #66~20.04.1-Ubuntu SMP Thu Jun 17 11:14:10 UTC 2021' name: Linux platform: ubuntu type: linux @@ -74672,9 +128997,7 @@ components: '@timestamp': '2023-07-04T15:44:31.4917849Z' agent: build: - original: >- - version: 7.16.0, compiled: Tue Nov 16 17:00:00 2021, branch: - 7.16, commit: 73a51033db85e0fb3be1c934697ef6a2b08979ab + original: 'version: 7.16.0, compiled: Tue Nov 16 17:00:00 2021, branch: 7.16, commit: 73a51033db85e0fb3be1c934697ef6a2b08979ab' id: abb8a826-6812-448c-a571-6d8269b51449 type: endpoint version: 7.16.0 @@ -74774,9 +129097,7 @@ components: description: Parameters object type: object Security_Endpoint_Management_API_PatchUpdateScriptRouteRequestBody: - description: >- - The script entry properties to be updated. At least one property must be - provided. + description: The script entry properties to be updated. At least one property must be provided. minProperties: 1 type: object properties: 
@@ -74791,24 +129112,19 @@ components: format: binary type: object fileType: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointScriptFileType + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointScriptFileType' instructions: - description: >- - Instructions for using the script, including details around its - supported input arguments + description: Instructions for using the script, including details around its supported input arguments type: string name: description: Name of the script type: string pathToExecutable: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ArchivePathToExecutableSchema + $ref: '#/components/schemas/Security_Endpoint_Management_API_ArchivePathToExecutableSchema' platform: description: Platforms supported by the the script items: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointScriptPlatform + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointScriptPlatform' type: array requiresInput: description: Whether the script requires input arguments @@ -74816,8 +129132,7 @@ components: tags: description: Tags to categorize the script items: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointScriptTags + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointScriptTags' type: array Security_Endpoint_Management_API_PendingActionDataType: description: Number of pending actions of this type. 
@@ -74827,40 +129142,31 @@ components: - type: object properties: execute: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType + $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' description: Number of pending execute actions. get-file: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType + $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' description: Number of pending get-file actions. isolate: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType + $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' description: Number of pending isolate actions. kill-process: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType + $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' description: Number of pending kill-process actions. running-processes: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType + $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' description: Number of pending running-processes (get processes) actions. scan: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType + $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' description: Number of pending scan actions. suspend-process: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType + $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' description: Number of pending suspend-process actions. unisolate: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType + $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' description: Number of pending unisolate (release) actions. 
upload: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType + $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' description: Number of pending upload actions. - additionalProperties: true type: object @@ -74868,9 +129174,7 @@ components: type: object properties: note: - description: >- - A note associated with the protection updates for the given package - policy. + description: A note associated with the protection updates for the given package policy. type: string Security_Endpoint_Management_API_RawScriptParameters: type: object @@ -74915,8 +129219,7 @@ components: type: object properties: data: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' Security_Endpoint_Management_API_ResponseActionDetails: type: object properties: @@ -74932,9 +129235,7 @@ components: type: object properties: completedAt: - description: >- - The date and time the response action was completed for the - agent ID + description: The date and time the response action was completed for the agent ID type: string isCompleted: description: Whether the response action is completed for the agent ID @@ -74942,9 +129243,7 @@ components: wasSuccessful: description: Whether the response action was successful for the agent ID type: boolean - description: >- - The state of the response action for each agent ID that it was sent - to + description: The state of the response action for each agent ID that it was sent to type: object agentType: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' 
@@ -74965,9 +129264,7 @@ components: name: description: The host name type: string - description: >- - An object containing the host names associated with the agent IDs - the response action was sent to + description: An object containing the host names associated with the agent IDs the response action was sent to type: object id: description: The response action ID @@ -74985,9 +129282,7 @@ components: format: uuid properties: content: - description: >- - The response action output content for the agent ID. Exact - format depends on the response action command. + description: The response action output content for the agent ID. Exact format depends on the response action command. oneOf: - type: object - type: string @@ -75001,17 +129296,12 @@ components: - content title: Agent ID type: object - description: > - The outputs of the response action for each agent ID that it was - sent to. Content different depending on the - - response action command and will only be present for agents that - have responded to the response action + description: | + The outputs of the response action for each agent ID that it was sent to. Content different depending on the + response action command and will only be present for agents that have responded to the response action type: object parameters: - description: >- - The parameters of the response action. Content different depending - on the response action command + description: The parameters of the response action. Content different depending on the response action command type: object startedAt: description: The response action start time @@ -75027,8 +129317,7 @@ components: - command Security_Endpoint_Management_API_RunningProcesses: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - type: object properties: outputs: 
@@ -75037,10 +129326,8 @@ components: properties: content: oneOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_RunningProcessesOutputEndpoint - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_RunningProcessesOutputSentinelOne + - $ref: '#/components/schemas/Security_Endpoint_Management_API_RunningProcessesOutputEndpoint' + - $ref: '#/components/schemas/Security_Endpoint_Management_API_RunningProcessesOutputSentinelOne' type: object Security_Endpoint_Management_API_RunningProcessesOutputEndpoint: description: Processes output for `agentType` of `endpoint` @@ -75071,8 +129358,7 @@ components: type: string Security_Endpoint_Management_API_Runscript: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - type: object properties: outputs: @@ -75081,8 +129367,7 @@ components: properties: content: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_DownloadUri + - $ref: '#/components/schemas/Security_Endpoint_Management_API_DownloadUri' - type: object properties: code: @@ -75094,12 +129379,9 @@ components: type: object parameters: oneOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_RunscriptParamsCrowdStrike - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_RunscriptParamsMicrosoft - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_RunscriptParamsSentinelOne + - $ref: '#/components/schemas/Security_Endpoint_Management_API_RunscriptParamsCrowdStrike' + - $ref: '#/components/schemas/Security_Endpoint_Management_API_RunscriptParamsMicrosoft' + - $ref: '#/components/schemas/Security_Endpoint_Management_API_RunscriptParamsSentinelOne' Security_Endpoint_Management_API_RunscriptParamsCrowdStrike: type: object properties: 
@@ -75134,10 +129416,7 @@ components: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: - description: >- - If this action is associated with any alerts, they can be - specified here. The action will be logged in any cases - associated with the specified alerts. Max of 50. + description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. example: - alert-id-1 - alert-id-2 @@ -75148,9 +129427,7 @@ components: minItems: 1 type: array case_ids: - description: >- - The IDs of cases where the action taken will be logged. Max of - 50. + description: The IDs of cases where the action taken will be logged. Max of 50. example: - case-id-1 - case-id-2 @@ -75163,8 +129440,7 @@ components: comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: 
@@ -75172,28 +129448,20 @@ components: - type: object properties: parameters: - description: > - One of the following set of parameters must be provided for the - `agentType` that is specified. + description: | + One of the following set of parameters must be provided for the `agentType` that is specified. oneOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointRunScriptParameters - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_RawScriptParameters - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_HostPathScriptParameters - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_CloudFileScriptParameters - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_SentinelOneRunScriptParameters - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_MDERunScriptParameters + - $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointRunScriptParameters' + - $ref: '#/components/schemas/Security_Endpoint_Management_API_RawScriptParameters' + - $ref: '#/components/schemas/Security_Endpoint_Management_API_HostPathScriptParameters' + - $ref: '#/components/schemas/Security_Endpoint_Management_API_CloudFileScriptParameters' + - $ref: '#/components/schemas/Security_Endpoint_Management_API_SentinelOneRunScriptParameters' + - $ref: '#/components/schemas/Security_Endpoint_Management_API_MDERunScriptParameters' required: - parameters Security_Endpoint_Management_API_Scan: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - type: object properties: outputs: 
@@ -75218,10 +129486,7 @@ components: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: - description: >- - If this action is associated with any alerts, they can be - specified here. The action will be logged in any cases - associated with the specified alerts. Max of 50. + description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. example: - alert-id-1 - alert-id-2 @@ -75232,9 +129497,7 @@ components: minItems: 1 type: array case_ids: - description: >- - The IDs of cases where the action taken will be logged. Max of - 50. + description: The IDs of cases where the action taken will be logged. Max of 50. example: - case-id-1 - case-id-2 @@ -75247,8 +129510,7 @@ components: comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: @@ -75270,8 +129532,7 @@ components: example: data: description: Collects host data for investigation - downloadUri: >- - /api/endpoint/scripts_library/123e4567-e89b-12d3-a456-426655440000/download + downloadUri: /api/endpoint/scripts_library/123e4567-e89b-12d3-a456-426655440000/download example: ./collect_host_data.sh --help fileHash: abf573681eb54aac5e05e35bf186d4d31abe45ecf242461490523f11d2a8fbb8 fileName: collect_host_data.sh 
@@ -75288,9 +129549,7 @@ components: data: $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointScript' Security_Endpoint_Management_API_SentinelOneRunScriptParameters: - description: >- - Parameters for Run Script response action against SentinelOne agent - type. + description: Parameters for Run Script response action against SentinelOne agent type. example: agent_type: sentinel_one endpoint_ids: @@ -75300,9 +129559,7 @@ components: scriptInput: '--delete --paths-to-delete /tmp/temp_file.txt,/tmp/random_file.txt' properties: scriptId: - description: >- - The script ID from SentinelOne scripts library that will be - executed. + description: The script ID from SentinelOne scripts library that will be executed. minLength: 1 type: string scriptInput: @@ -75343,8 +129600,7 @@ components: type: object Security_Endpoint_Management_API_SuspendProcess: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - type: object properties: outputs: @@ -75391,10 +129647,7 @@ components: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: - description: >- - If this action is associated with any alerts, they can be - specified here. The action will be logged in any cases - associated with the specified alerts. Max of 50. + description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. example: - alert-id-1 - alert-id-2 @@ -75405,9 +129658,7 @@ components: minItems: 1 type: array case_ids: - description: >- - The IDs of cases where the action taken will be logged. Max of - 50. + description: The IDs of cases where the action taken will be logged. Max of 50. example: - case-id-1 - case-id-2 
@@ -75420,8 +129671,7 @@ components: comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: @@ -75464,8 +129714,7 @@ components: type: array Security_Endpoint_Management_API_Unisolate: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - description: Details of an unisolate action response. type: object Security_Endpoint_Management_API_UnisolateRouteResponse: @@ -75475,12 +129724,10 @@ components: description: The action ID (legacy field, same as `data.id`). type: string data: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' Security_Endpoint_Management_API_Upload: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - type: object properties: outputs: @@ -75498,10 +129745,8 @@ components: type: string type: object parameters: - description: > - The parameters for upload returned on the details are derived - via the API from the file that - + description: | + The parameters for upload returned on the details are derived via the API from the file that was uploaded at the time that the response action was submitted type: object properties: 
@@ -75520,10 +129765,7 @@ components: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: - description: >- - If this action is associated with any alerts, they can be - specified here. The action will be logged in any cases - associated with the specified alerts. Max of 50. + description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. example: - alert-id-1 - alert-id-2 @@ -75534,9 +129776,7 @@ components: minItems: 1 type: array case_ids: - description: >- - The IDs of cases where the action taken will be logged. Max of - 50. + description: The IDs of cases where the action taken will be logged. Max of 50. example: - case-id-1 - case-id-2 @@ -75549,8 +129789,7 @@ components: comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: @@ -75588,9 +129827,7 @@ components: - minLength: 1 type: string Security_Endpoint_Management_API_WithOutputs: - description: >- - A list of action IDs that should include the complete output of the - action. Max of 50. + description: A list of action IDs that should include the complete output of the action. Max of 50. example: - action-id-1 - action-id-2 @@ -75612,8 +129849,7 @@ components: description: Business unit the asset belongs to. type: string criticality: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' description: The criticality level assigned to this asset. nullable: true environment: 
@@ -75669,10 +129905,7 @@ components: - extreme_impact type: string Security_Entity_Analytics_API_AssetCriticalityLevelsForBulkUpload: - description: >- - The criticality level of the asset for bulk upload. The value - `unassigned` is used to indicate that the criticality level is not - assigned and is only used for bulk upload. + description: The criticality level of the asset for bulk upload. The value `unassigned` is used to indicate that the criticality level is not assigned and is only used for bulk upload. enum: - low_impact - medium_impact @@ -75682,10 +129915,8 @@ components: type: string Security_Entity_Analytics_API_AssetCriticalityRecord: allOf: - - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_CreateAssetCriticalityRecord - - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordEcsParts + - $ref: '#/components/schemas/Security_Entity_Analytics_API_CreateAssetCriticalityRecord' + - $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordEcsParts' - type: object properties: '@timestamp': @@ -75713,8 +129944,7 @@ components: type: object properties: criticality: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' required: - asset entity: @@ -75724,8 +129954,7 @@ components: type: object properties: criticality: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' required: - criticality id: @@ -75739,8 +129968,7 @@ components: type: object properties: criticality: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' required: - criticality name: 
@@ -75754,8 +129982,7 @@ components: type: object properties: criticality: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' required: - criticality name: @@ -75769,8 +129996,7 @@ components: type: object properties: criticality: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' required: - criticality name: @@ -75836,13 +130062,11 @@ components: - errors Security_Entity_Analytics_API_CreateAssetCriticalityRecord: allOf: - - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordIdParts + - $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordIdParts' - type: object properties: criticality_level: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' required: - criticality_level Security_Entity_Analytics_API_DateRange: @@ -75853,17 +130077,13 @@ components: description: End of the lookback period (date math or ISO string, e.g. "now") type: string start: - description: >- - Start of the lookback period (date math or ISO string, e.g. - "now-10d") + description: Start of the lookback period (date math or ISO string, e.g. "now-10d") type: string required: - start - end Security_Entity_Analytics_API_EngineComponentResource: - description: >- - The type of Elasticsearch or Kibana resource backing an engine - component. + description: The type of Elasticsearch or Kibana resource backing an engine component. enum: - entity_engine - entity_definition 
@@ -75878,9 +130098,7 @@ components: - ilm_policy type: string Security_Entity_Analytics_API_EngineComponentStatus: - description: >- - Status of an individual Elasticsearch or Kibana resource backing an - engine. + description: Status of an individual Elasticsearch or Kibana resource backing an engine. type: object properties: errors: @@ -75911,10 +130129,9 @@ components: description: Whether the component is currently installed. type: boolean metadata: - $ref: '#/components/schemas/Security_Entity_Analytics_API_Metadata' + $ref: '#/components/schemas/Security_Entity_Analytics_API_TransformStatsMetadata' resource: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EngineComponentResource + $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineComponentResource' required: - id - installed @@ -75938,23 +130155,17 @@ components: required: - type Security_Entity_Analytics_API_EngineDescriptor: - description: >- - Describes a single entity engine, including its configuration and - current status. + description: Describes a single entity engine, including its configuration and current status. type: object properties: delay: default: 1m - description: >- - The delay before the transform processes new data, allowing - late-arriving documents to be included. + description: The delay before the transform processes new data, allowing late-arriving documents to be included. example: 1m pattern: '[smdh]$' type: string docsPerSecond: - description: >- - Throttle value for the number of documents processed per second. Use - -1 for no throttle. + description: Throttle value for the number of documents processed per second. Use -1 for no throttle. type: integer error: description: Present when the engine status is `error`. Describes the failure. 
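Review bot: In the `@@ -75911,10 +130129,9 @@` hunk, `Security_Entity_Analytics_API_EngineComponentStatus.metadata` changes its target from `Security_Entity_Analytics_API_Metadata` to `Security_Entity_Analytics_API_TransformStatsMetadata`, which is a schema change rather than the quoting-only reformat the rest of this file section consists of. It is unrelated to the Fleet `meta: { id }` change named in the commit title and looks like it was picked up by regenerating the bundle from a newer base; if so it should be confirmed as intended, or rebased out so the commit stays reviewable. The `Security_Entity_Analytics_API_Metadata` alias is still emitted further down in this diff, so once nothing references it, the source spec should either keep it deliberately for consumers that key off the schema name or drop it to avoid an orphaned definition.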
@@ -75976,9 +130187,7 @@ components: example: 10 type: integer filter: - description: >- - An optional Kibana Query Language (KQL) filter applied to source - documents before aggregation. + description: An optional Kibana Query Language (KQL) filter applied to source documents before aggregation. example: 'host.name: "my-host"' type: string frequency: @@ -76045,10 +130254,7 @@ components: required: - entities Security_Entity_Analytics_API_Entity: - description: >- - An entity record from the Entity Store. The `entity` namespace is a - root-level field in the latest index, unlike source logs where it is - nested under `host`, `user`, or `service`. + description: An entity record from the Entity Store. The `entity` namespace is a root-level field in the latest index, unlike source logs where it is nested under `host`, `user`, or `service`. oneOf: - $ref: '#/components/schemas/Security_Entity_Analytics_API_UserEntity' - $ref: '#/components/schemas/Security_Entity_Analytics_API_HostEntity' @@ -76103,9 +130309,7 @@ components: - record Security_Entity_Analytics_API_EntityField: additionalProperties: false - description: >- - Core entity fields shared across all entity types. The `entity` - namespace is a root-level field in the Entity Store latest index. + description: Core entity fields shared across all entity types. The `entity` namespace is a root-level field in the Entity Store latest index. type: object properties: attributes: @@ -76117,9 +130321,7 @@ components: description: Whether the entity is classified as an asset. type: boolean managed: - description: >- - Whether the entity is managed (for example, via a directory - service). + description: Whether the entity is managed (for example, via a directory service). type: boolean mfa_enabled: description: Whether multi-factor authentication is enabled for the entity. 
@@ -76229,8 +130431,7 @@ components: type: object properties: calculated_level: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EntityRiskLevels + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityRiskLevels' description: Lexical description of the entity's risk. example: Critical calculated_score: @@ -76238,9 +130439,7 @@ components: format: double type: number calculated_score_norm: - description: >- - The normalized numeric value of the given entity's risk score. - Useful for comparing with other entities. + description: The normalized numeric value of the given entity's risk score. Useful for comparing with other entities. format: double maximum: 100 minimum: 0 @@ -76282,9 +130481,7 @@ components: format: double type: number calculated_score_norm: - description: >- - The normalized numeric value of the given entity's risk score. - Useful for comparing with other entities. + description: The normalized numeric value of the given entity's risk score. Useful for comparing with other entities. format: double maximum: 100 minimum: 0 @@ -76293,14 +130490,10 @@ components: description: Unique identifier for the scoring run that produced this document. type: string category_1_count: - description: >- - The number of risk input documents that contributed to the Category - 1 score (`category_1_score`). + description: The number of risk input documents that contributed to the Category 1 score (`category_1_score`). type: integer category_1_score: - description: >- - The contribution of Category 1 to the overall risk score - (`calculated_score`). Category 1 contains Detection Engine Alerts. + description: The contribution of Category 1 to the overall risk score (`calculated_score`). Category 1 contains Detection Engine Alerts. format: double type: number category_2_count: 
@@ -76309,27 +130502,20 @@ components: format: double type: number criticality_level: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' criticality_modifier: format: double type: number id_field: - description: >- - The identifier field defining this risk score. Coupled with - `id_value`, uniquely identifies the entity being scored. + description: The identifier field defining this risk score. Coupled with `id_value`, uniquely identifies the entity being scored. example: host.name type: string id_value: - description: >- - The identifier value defining this risk score. Coupled with - `id_field`, uniquely identifies the entity being scored. + description: The identifier value defining this risk score. Coupled with `id_field`, uniquely identifies the entity being scored. example: example.host type: string inputs: - description: >- - A list of the highest-risk documents contributing to this risk - score. Useful for investigative purposes. + description: A list of the highest-risk documents contributing to this risk score. Useful for investigative purposes. items: $ref: '#/components/schemas/Security_Entity_Analytics_API_RiskScoreInput' type: array @@ -76409,9 +130595,7 @@ components: - type: object Security_Entity_Analytics_API_GenericEntity: additionalProperties: false - description: >- - A generic entity record. Maps only the `entity` and `asset` namespaces. - Add additional field mappings here as needed. + description: A generic entity record. Maps only the `entity` and `asset` namespaces. Add additional field mappings here as needed. type: object properties: '@timestamp': 
@@ -76427,9 +130611,7 @@ components: - entity Security_Entity_Analytics_API_HostEntity: additionalProperties: false - description: >- - An entity record representing a host, stored in the Entity Store latest - index. + description: An entity record representing a host, stored in the Entity Store latest index. type: object properties: '@timestamp': @@ -76491,9 +130673,7 @@ components: type: string os: additionalProperties: false - description: >- - Elastic Common Schema (ECS) host.os fields collected on the - entity latest index. + description: Elastic Common Schema (ECS) host.os fields collected on the entity latest index. type: object properties: family: @@ -76519,8 +130699,7 @@ components: version: type: string risk: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord' type: description: Observed host types. items: @@ -76538,10 +130717,7 @@ components: - entity.id type: string Security_Entity_Analytics_API_IndexPattern: - description: >- - An additional Elasticsearch index pattern to include as a source for - entity data. Merged with the default data view indices when the engine - runs. + description: An additional Elasticsearch index pattern to include as a source for entity data. Merged with the default data view indices when the engine runs. example: logs-* type: string Security_Entity_Analytics_API_InspectQuery: 
@@ -76580,10 +130756,7 @@ components: description: Index to read latest sync markers from type: string Security_Entity_Analytics_API_Interval: - description: >- - Interval in which enrich policy runs. For example, `"1h"` means the rule - runs every hour. Must be less than or equal to half the duration of the - lookback period, + description: Interval in which enrich policy runs. For example, `"1h"` means the rule runs every hour. Must be less than or equal to half the duration of the lookback period, example: 1h pattern: ^[1-9]\d*[smh]$ type: string @@ -76595,11 +130768,8 @@ components: type: string type: array values: - description: > - Matcher values. Must be either an array of strings (e.g. group or - role names) or an array of booleans (e.g. integration-derived flags - like privileged_group_member). Mixed types are intentionally not - supported for simplicity and predictability. + description: | + Matcher values. Must be either an array of strings (e.g. group or role names) or an array of booleans (e.g. integration-derived flags like privileged_group_member). Mixed types are intentionally not supported for simplicity and predictability. oneOf: - items: type: string @@ -76611,12 +130781,10 @@ components: - fields - values Security_Entity_Analytics_API_Metadata: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_TransformStatsMetadata + $ref: '#/components/schemas/Security_Entity_Analytics_API_TransformStatsMetadata' Security_Entity_Analytics_API_MonitoredUserDoc: allOf: - - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_MonitoredUserUpdateDoc + - $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoredUserUpdateDoc' - type: object properties: '@timestamp': @@ -76656,8 +130824,7 @@ components: properties: labels: items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_MonitoringLabel + $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoringLabel' type: array id: type: string 
@@ -76694,19 +130861,15 @@ components: type: object properties: message: - description: >- - Error message typically only present if the engine is in error - state + description: Error message typically only present if the engine is in error state type: string status: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_PrivilegeMonitoringEngineStatus + $ref: '#/components/schemas/Security_Entity_Analytics_API_PrivilegeMonitoringEngineStatus' required: - status Security_Entity_Analytics_API_MonitoringEntitySource: allOf: - - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_MonitoringEntitySourceProperties + - $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoringEntitySourceProperties' - type: object properties: id: @@ -76718,8 +130881,7 @@ components: - managed Security_Entity_Analytics_API_MonitoringEntitySourceProperties: allOf: - - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_UpdateableMonitoringEntitySourceProperties + - $ref: '#/components/schemas/Security_Entity_Analytics_API_UpdateableMonitoringEntitySourceProperties' - type: object properties: managed: @@ -76834,9 +130996,7 @@ components: - category Security_Entity_Analytics_API_ServiceEntity: additionalProperties: false - description: >- - An entity record representing a service, stored in the Entity Store - latest index. + description: An entity record representing a service, stored in the Entity Store latest index. type: object properties: '@timestamp': @@ -76867,8 +131027,7 @@ components: description: Primary service name. type: string risk: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord' required: - name required: 
@@ -76996,9 +131155,7 @@ components: $ref: '#/components/schemas/Security_Entity_Analytics_API_EntitySourceType' Security_Entity_Analytics_API_UserEntity: additionalProperties: false - description: >- - An entity record representing a user, stored in the Entity Store latest - index. + description: An entity record representing a user, stored in the Entity Store latest index. type: object properties: '@timestamp': @@ -77052,8 +131209,7 @@ components: description: Primary user name. type: string risk: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord' additionalProperties: false roles: description: Observed roles assigned to the user. @@ -77080,9 +131236,7 @@ components: description: The field name for the label type: string source: - description: >- - The source where this label was created (api, csv, or - index_sync) + description: The source where this label was created (api, csv, or index_sync) enum: - api - csv @@ -77259,8 +131413,7 @@ components: * Hash entries: up to 3 (one for each hash type: md5, sha1, sha256) * Path entry: only 1 allowed items: - $ref: >- - #/components/schemas/Security_Exceptions_API_BlocklistHashOrPathEntry + $ref: '#/components/schemas/Security_Exceptions_API_BlocklistHashOrPathEntry' minItems: 1 type: array list_id: @@ -77291,8 +131444,7 @@ components: * Hash entries: up to 3 (one for each hash type: md5, sha1, sha256) * Path entry: only 1 allowed items: - $ref: >- - #/components/schemas/Security_Exceptions_API_BlocklistHashOrPathEntry + $ref: '#/components/schemas/Security_Exceptions_API_BlocklistHashOrPathEntry' minItems: 1 type: array list_id: 
@@ -77379,10 +131531,8 @@ components: * Code signature entry: only 1 allowed items: oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_BlocklistHashOrPathEntry - - $ref: >- - #/components/schemas/Security_Exceptions_API_BlocklistWindowsCodeSignatureEntry + - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistHashOrPathEntry' + - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistWindowsCodeSignatureEntry' minItems: 1 type: array list_id: @@ -77407,18 +131557,14 @@ components: type: object properties: comments: - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemCommentArray + $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemCommentArray' default: [] description: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemDescription + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemDescription' expire_time: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemExpireTime + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemExpireTime' item_id: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId' meta: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta' name: 
@@ -77434,21 +131580,16 @@ components: - description Security_Exceptions_API_CreateExceptionListItemBlocklistLinux: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_BlocklistLinuxProperties + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistLinuxProperties' Security_Exceptions_API_CreateExceptionListItemBlocklistMac: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistMacProperties' Security_Exceptions_API_CreateExceptionListItemBlocklistWindows: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_BlocklistWindowsProperties + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistWindowsProperties' Security_Exceptions_API_CreateExceptionListItemComment: type: object properties: 
@@ -77458,23 +131599,19 @@ components: - comment Security_Exceptions_API_CreateExceptionListItemCommentArray: items: - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemComment + $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemComment' type: array Security_Exceptions_API_CreateExceptionListItemEndpointList: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' - $ref: '#/components/schemas/Security_Exceptions_API_EndpointListProperties' Security_Exceptions_API_CreateExceptionListItemEventFilters: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' - $ref: '#/components/schemas/Security_Exceptions_API_EventFiltersProperties' Security_Exceptions_API_CreateExceptionListItemGeneric: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' - example: description: This is a sample detection type exception item. entries: 
@@ -77499,63 +131636,46 @@ components: type: object properties: entries: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray' list_id: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListHumanId + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' os_types: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray' default: [] tags: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemTags + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemTags' default: [] required: - list_id - entries Security_Exceptions_API_CreateExceptionListItemHostIsolation: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' - $ref: '#/components/schemas/Security_Exceptions_API_HostIsolationProperties' Security_Exceptions_API_CreateExceptionListItemTrustedAppsLinux: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppsLinuxProperties + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppsLinuxProperties' Security_Exceptions_API_CreateExceptionListItemTrustedAppsMac: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppsMacProperties + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppsMacProperties' 
Security_Exceptions_API_CreateExceptionListItemTrustedAppsWindows: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppsWindowsProperties + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppsWindowsProperties' Security_Exceptions_API_CreateExceptionListItemTrustedDevicesMac: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedDevicesMacProperties + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedDevicesMacProperties' Security_Exceptions_API_CreateExceptionListItemTrustedDevicesWindows: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedDevicesWindowsProperties + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedDevicesWindowsProperties' Security_Exceptions_API_CreateExceptionListItemTrustedDevicesWindowsMac: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedDevicesWindowsMacProperties + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedDevicesWindowsMacProperties' Security_Exceptions_API_CreateRuleExceptionListItemComment: type: object properties: 
@@ -77565,28 +131685,23 @@ components: - comment Security_Exceptions_API_CreateRuleExceptionListItemCommentArray: items: - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemComment + $ref: '#/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemComment' type: array Security_Exceptions_API_CreateRuleExceptionListItemProps: type: object properties: comments: - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemCommentArray + $ref: '#/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemCommentArray' default: [] description: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemDescription + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemDescription' entries: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray' expire_time: format: date-time type: string item_id: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId' meta: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta' name: @@ -77595,8 +131710,7 @@ components: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' default: single os_types: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray' default: [] tags: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemTags' 
@@ -77610,15 +131724,10 @@ components: - entries Security_Exceptions_API_EndpointArtifactTags: default: [] - description: > + description: | Tags for categorization. Special tags for scope control: - - * `"policy:all"` - Global artifact (applies to all Elastic Defend - policies) - - * `"policy:"` - Private artifact (applies to specific Elastic - Defend policy only, where `` is the Elastic Defend - integration policy ID) + * `"policy:all"` - Global artifact (applies to all Elastic Defend policies) + * `"policy:"` - Private artifact (applies to specific Elastic Defend policy only, where `` is the Elastic Defend integration policy ID) items: type: string type: array @@ -77627,24 +131736,18 @@ components: type: object properties: entries: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray - description: > - Exception entries for endpoint security exceptions (used to prevent - detection rule alerts). - + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray' + description: | + Exception entries for endpoint security exceptions (used to prevent detection rule alerts). - **Fully flexible:** Supports any field name for maximum - compatibility with detection rules. No field restrictions are - enforced. + **Fully flexible:** Supports any field name for maximum compatibility with detection rules. No field restrictions are enforced. list_id: enum: - endpoint_list example: endpoint_list type: string os_types: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray' default: [] tags: $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' 
@@ -77655,16 +131758,11 @@ components: type: object properties: entries: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray - description: > + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray' + description: | Exception entries for the event filter. - - **Flexible field support:** Any event field name is allowed (e.g., - `process.name`, `file.path`, `event.action`, `dns.question.name`, - etc.) - + **Flexible field support:** Any event field name is allowed (e.g., `process.name`, `file.path`, `event.action`, `dns.question.name`, etc.) **Minimum requirement:** At least 1 entry required list_id: @@ -77673,8 +131771,7 @@ components: example: endpoint_event_filters type: string os_types: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray' default: [] tags: $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' @@ -77684,10 +131781,7 @@ components: type: object properties: _version: - description: >- - The version id, normally returned by the API when the item was - retrieved. Use it ensure updates are done against the latest - version. + description: The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version. type: string created_at: description: Autogenerated date of object creation. @@ -77697,8 +131791,7 @@ components: description: Autogenerated value - user that created object. type: string description: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListDescription + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListDescription' id: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' immutable: 
@@ -77712,14 +131805,11 @@ components: namespace_type: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' os_types: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray' tags: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListTags' tie_breaker_id: - description: >- - Field used in search to ensure all containers are sorted and - returned correctly. + description: Field used in search to ensure all containers are sorted and returned correctly. type: string type: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListType' 
@@ -77751,30 +131841,17 @@ components: example: This list tracks allowlisted values. type: string Security_Exceptions_API_ExceptionListHumanId: - description: > + description: | The exception list's human-readable string identifier. - For endpoint artifacts, use one of the following values: - - * `endpoint_list`: [Elastic Endpoint exception - list](https://www.elastic.co/docs/solutions/security/detect-and-alert/add-manage-exceptions) - - * `endpoint_trusted_apps`: [Trusted applications - list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/trusted-applications) - - * `endpoint_trusted_devices`: [Trusted devices - list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/trusted-devices) - - * `endpoint_event_filters`: [Event filters - list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/event-filters) - - * `endpoint_host_isolation_exceptions`: [Host isolation exceptions - list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/host-isolation-exceptions) - - * `endpoint_blocklists`: [Blocklists - list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/blocklist) + * `endpoint_list`: [Elastic Endpoint exception list](https://www.elastic.co/docs/solutions/security/detect-and-alert/add-manage-exceptions) + * `endpoint_trusted_apps`: [Trusted applications list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/trusted-applications) + * `endpoint_trusted_devices`: [Trusted devices list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/trusted-devices) + * `endpoint_event_filters`: [Event filters list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/event-filters) + * `endpoint_host_isolation_exceptions`: [Host isolation exceptions list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/host-isolation-exceptions) + * `endpoint_blocklists`: [Blocklists 
list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/blocklist) example: simple_list format: nonempty minLength: 1 @@ -77789,14 +131866,10 @@ components: type: object properties: _version: - description: >- - The version id, normally returned by the API when the item was - retrieved. Use it ensure updates are done against the latest - version. + description: The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version. type: string comments: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemCommentArray + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemCommentArray' created_at: description: Autogenerated date of object creation. format: date-time @@ -77805,19 +131878,15 @@ components: description: Autogenerated value - user that created object. type: string description: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemDescription + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemDescription' entries: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray' expire_time: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemExpireTime + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemExpireTime' id: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' item_id: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId' list_id: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' meta: 
@@ -77827,14 +131896,11 @@ components: namespace_type: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' os_types: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray' tags: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemTags' tie_breaker_id: - description: >- - Field used in search to ensure all containers are sorted and - returned correctly. + description: Field used in search to ensure all containers are sorted and returned correctly. type: string type: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemType' @@ -77897,18 +131963,12 @@ components: type: string Security_Exceptions_API_ExceptionListItemEntry: anyOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatch - - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchAny - - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryList - - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryExists - - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryNested - - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchWildcard + - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatch' + - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchAny' + - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryList' + - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryExists' + - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryNested' + - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchWildcard' discriminator: propertyName: type Security_Exceptions_API_ExceptionListItemEntryArray: 
@@ -77921,8 +131981,7 @@ components: field: $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' operator: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator' type: enum: - exists @@ -77947,8 +132006,7 @@ components: - id - type operator: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator' type: enum: - list @@ -77964,8 +132022,7 @@ components: field: $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' operator: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator' type: enum: - match @@ -77983,8 +132040,7 @@ components: field: $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' operator: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator' type: enum: - match_any @@ -78005,8 +132061,7 @@ components: field: $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' operator: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator' type: enum: - wildcard @@ -78023,8 +132078,7 @@ components: properties: entries: items: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryNestedEntryItem + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryNestedEntryItem' minItems: 1 type: array field: 
@@ -78039,21 +132093,16 @@ components: - entries Security_Exceptions_API_ExceptionListItemEntryNestedEntryItem: oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatch - - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchAny - - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryExists + - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatch' + - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchAny' + - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryExists' Security_Exceptions_API_ExceptionListItemEntryOperator: enum: - excluded - included type: string Security_Exceptions_API_ExceptionListItemExpireTime: - description: >- - The exception item’s expiration date, in ISO format. This field is only - available for regular exception items, not endpoint exceptions. + description: The exception item’s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions. format: date-time type: string Security_Exceptions_API_ExceptionListItemHumanId: @@ -78082,9 +132131,7 @@ components: type: array Security_Exceptions_API_ExceptionListItemTags: items: - description: >- - String array containing words and phrases to help categorize exception - items. + description: String array containing words and phrases to help categorize exception items. format: nonempty minLength: 1 type: string 
@@ -78129,28 +132176,22 @@ components: id: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' item_id: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId' list_id: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' required: - error Security_Exceptions_API_ExceptionListsImportBulkErrorArray: items: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListsImportBulkError + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListsImportBulkError' type: array Security_Exceptions_API_ExceptionListTags: - description: >- - String array containing words and phrases to help categorize exception - containers. + description: String array containing words and phrases to help categorize exception containers. items: type: string type: array Security_Exceptions_API_ExceptionListType: - description: >- - The type of exception list to be created. Different list types may - denote where they can be utilized. + description: The type of exception list to be created. Different list types may denote where they can be utilized. enum: - detection - rule_default 
@@ -78166,21 +132207,14 @@ components: minimum: 1 type: integer Security_Exceptions_API_ExceptionNamespaceType: - description: > - Determines whether the exception container is available in all Kibana - spaces or just the space - + description: | + Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where: - - `single`: Only available in the Kibana space in which it is created. - - `agnostic`: Available in all Kibana spaces. - - For endpoint artifacts, the `namespace_type` must always be `agnostic`. - Space awareness for endpoint artifacts is enforced based on Elastic - Defend policy assignments. + For endpoint artifacts, the `namespace_type` must always be `agnostic`. Space awareness for endpoint artifacts is enforced based on Elastic Defend policy assignments. enum: - agnostic - single 
@@ -78195,14 +132229,560 @@ components: type: object properties: entries: - description: Exactly one entry allowed for host isolation exceptions + description: Exactly one entry allowed for host isolation exceptions + items: + type: object + properties: + field: + description: Must be destination.ip + enum: + - destination.ip + type: string + operator: + description: Must be the value "included" + enum: + - included + type: string + type: + description: Must be match + enum: + - match + type: string + value: + description: Valid IPv4 address or CIDR notation (e.g., "192.168.1.1" or "10.0.0.0/8") + type: string + required: + - field + - type + - value + - operator + maxItems: 1 + minItems: 1 + type: array + list_id: + enum: + - endpoint_host_isolation_exceptions + example: endpoint_host_isolation_exceptions + type: string + os_types: + description: Must include all three operating systems (windows, linux, macos) + items: + enum: + - windows + - linux + - macos + type: string + maxItems: 3 + minItems: 3 + type: array + tags: + $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' + required: + - list_id + Security_Exceptions_API_ListId: + description: Value list's identifier. + example: 21b01cfb-058d-44b9-838c-282be16c91cd + format: nonempty + minLength: 1 + type: string + Security_Exceptions_API_ListType: + description: | + Specifies the Elasticsearch data type of excludes the list container holds. 
Some common examples: + + - `keyword`: Many ECS fields are Elasticsearch keywords + - `ip`: IP addresses + - `ip_range`: Range of IP addresses (supports IPv4, IPv6, and CIDR notation) + enum: + - binary + - boolean + - byte + - date + - date_nanos + - date_range + - double + - double_range + - float + - float_range + - geo_point + - geo_shape + - half_float + - integer + - integer_range + - ip + - ip_range + - keyword + - long + - long_range + - shape + - short + - text + type: string + Security_Exceptions_API_NonEmptyString: + description: A string that does not contain only whitespace characters + format: nonempty + minLength: 1 + type: string + Security_Exceptions_API_PlatformErrorResponse: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: integer + required: + - statusCode + - error + - message + Security_Exceptions_API_RuleId: + $ref: '#/components/schemas/Security_Exceptions_API_UUID' + Security_Exceptions_API_SiemErrorResponse: + type: object + properties: + message: + type: string + status_code: + type: integer + required: + - status_code + - message + Security_Exceptions_API_TrustedAppHashEntry: + type: object + properties: + field: + description: Process hash field + enum: + - process.hash.md5 + - process.hash.sha1 + - process.hash.sha256 + type: string + operator: + enum: + - included + type: string + type: + description: Hash entries only support match type + enum: + - match + type: string + value: + description: Hash value (MD5, SHA1, or SHA256) + type: string + required: + - field + - type + - value + - operator + Security_Exceptions_API_TrustedAppMacCodeSignatureEntry: + type: object + properties: + entries: + description: Must include exactly 2 entries - one for subject_name and one for trusted + items: + oneOf: + - type: object + properties: + field: + enum: + - subject_name + type: string + operator: + enum: + - included + type: string + type: + enum: + - match + type: string + value: + 
description: Certificate subject name + type: string + required: + - field + - type + - value + - operator + - type: object + properties: + field: + enum: + - trusted + type: string + operator: + enum: + - included + type: string + type: + enum: + - match + type: string + value: + description: Must be the string 'true' + enum: + - 'true' + type: string + required: + - field + - type + - value + - operator + maxItems: 2 + minItems: 2 + type: array + field: + description: macOS code signature field + enum: + - process.code_signature + type: string + type: + enum: + - nested + type: string + required: + - field + - type + - entries + Security_Exceptions_API_TrustedAppPathEntry: + type: object + properties: + field: + description: Process executable path field + enum: + - process.executable.caseless + type: string + operator: + enum: + - included + type: string + type: + description: Path supports both match and wildcard types + enum: + - match + - wildcard + type: string + value: + description: Executable path + type: string + required: + - field + - type + - value + - operator + Security_Exceptions_API_TrustedAppsLinuxProperties: + description: Trusted applications list item properties (Linux). + type: object + properties: + entries: + description: Process hash or executable path entries (code signature not supported on Linux) + items: + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppHashEntry' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppPathEntry' + minItems: 1 + type: array + list_id: + enum: + - endpoint_trusted_apps + example: endpoint_trusted_apps + type: string + os_types: + description: Must be Linux only + items: + enum: + - linux + type: string + maxItems: 1 + minItems: 1 + type: array + tags: + $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' + required: + - list_id + Security_Exceptions_API_TrustedAppsMacProperties: + description: Trusted applications list item properties (macOS). 
+ type: object + properties: + entries: + description: Process hash, executable path, or code signature entries + items: + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppHashEntry' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppPathEntry' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppMacCodeSignatureEntry' + minItems: 1 + type: array + list_id: + enum: + - endpoint_trusted_apps + example: endpoint_trusted_apps + type: string + os_types: + description: Must be macOS only + items: + enum: + - macos + type: string + maxItems: 1 + minItems: 1 + type: array + tags: + $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' + required: + - list_id + Security_Exceptions_API_TrustedAppsWindowsProperties: + description: Trusted applications list item properties (Windows). + type: object + properties: + entries: + description: Process hash, executable path, or code signature entries + items: + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppHashEntry' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppPathEntry' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppWindowsCodeSignatureEntry' + minItems: 1 + type: array + list_id: + enum: + - endpoint_trusted_apps + example: endpoint_trusted_apps + type: string + os_types: + description: Must be Windows only + items: + enum: + - windows + type: string + maxItems: 1 + minItems: 1 + type: array + tags: + $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' + required: + - list_id + Security_Exceptions_API_TrustedAppWindowsCodeSignatureEntry: + type: object + properties: + entries: + description: Must include exactly 2 entries - one for subject_name and one for trusted + items: + oneOf: + - type: object + properties: + field: + enum: + - subject_name + type: string + operator: + enum: + - included + type: string + type: + enum: + - match + type: string + value: + description: 
Certificate subject name + type: string + required: + - field + - type + - value + - operator + - type: object + properties: + field: + enum: + - trusted + type: string + operator: + enum: + - included + type: string + type: + enum: + - match + type: string + value: + description: Must be the string 'true' + enum: + - 'true' + type: string + required: + - field + - type + - value + - operator + maxItems: 2 + minItems: 2 + type: array + field: + description: Windows code signature field + enum: + - process.Ext.code_signature + type: string + type: + enum: + - nested + type: string + required: + - field + - type + - entries + Security_Exceptions_API_TrustedDevicesMacProperties: + description: Trusted devices list item properties (macOS-only, username not supported). + type: object + properties: + entries: + description: Exception entries for the trusted device (duplicate field entries are not allowed) + items: + type: object + properties: + field: + description: Device field to match against + enum: + - device.serial_number + - device.type + - host.name + - device.vendor.name + - device.vendor.id + - device.product.id + - device.product.name + type: string + operator: + description: Must be the value "included" + enum: + - included + type: string + type: + description: Entry match type + enum: + - match + - wildcard + - match_any + type: string + value: + oneOf: + - description: Single value (used with match or wildcard) + type: string + - description: Array of values (used with match_any) + items: + type: string + minItems: 1 + type: array + required: + - field + - type + - value + - operator + minItems: 1 + type: array + list_id: + enum: + - endpoint_trusted_devices + example: endpoint_trusted_devices + type: string + os_types: + description: macOS-only + items: + enum: + - macos + type: string + maxItems: 1 + minItems: 1 + type: array + tags: + $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' + required: + - list_id + 
Security_Exceptions_API_TrustedDevicesWindowsMacProperties: + description: Trusted devices list item properties (Windows + macOS, username not supported). + type: object + properties: + entries: + description: Exception entries for the trusted device (duplicate field entries are not allowed, username not available when targeting both OS) + items: + type: object + properties: + field: + description: Device field to match against (username not available for multi-OS) + enum: + - device.serial_number + - device.type + - host.name + - device.vendor.name + - device.vendor.id + - device.product.id + - device.product.name + type: string + operator: + description: Must be the value "included" + enum: + - included + type: string + type: + description: Entry match type + enum: + - match + - wildcard + - match_any + type: string + value: + oneOf: + - description: Single value (used with match or wildcard) + type: string + - description: Array of values (used with match_any) + items: + type: string + minItems: 1 + type: array + required: + - field + - type + - value + - operator + minItems: 1 + type: array + list_id: + enum: + - endpoint_trusted_devices + example: endpoint_trusted_devices + type: string + os_types: + description: Must include both Windows and macOS (username field not allowed) + items: + enum: + - windows + - macos + type: string + maxItems: 2 + minItems: 2 + type: array + tags: + $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' + required: + - list_id + Security_Exceptions_API_TrustedDevicesWindowsProperties: + description: Trusted devices list item properties (Windows-only, allows username field). 
+ type: object + properties: + entries: + description: Exception entries for the trusted device (duplicate field entries are not allowed) items: type: object properties: field: - description: Must be destination.ip + description: Device field to match against (user.name is Windows-only) enum: - - destination.ip + - device.serial_number + - device.type + - host.name + - device.vendor.name + - device.vendor.id + - device.product.id + - device.product.name + - user.name type: string operator: description: Must be the value "included" 
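Review bot: The `value` property added under Security_Exceptions_API_HostIsolationProperties is a bare `type: string` although its description promises "Valid IPv4 address or CIDR notation", and the `value` of Security_Exceptions_API_TrustedAppHashEntry is likewise unconstrained despite naming MD5/SHA1/SHA256; a spec that documents a format it does not encode lets generated clients and contract tests accept values the server will presumably reject. Because this looks like the bundled OAS output rather than a hand-written file, the constraint (a `pattern` covering dotted-quad plus optional `/0-32` for the IP entry, and a `pattern` of 32/40/64 hex characters for the hash entry) should be added to the route schema the bundle is generated from, not edited here. Separately, this hunk introduces Security_Exceptions_API endpoint-artifact schemas (host isolation, trusted apps, trusted devices) that appear unrelated to the commit's stated Fleet `meta:{id}` change, which suggests the bundle was regenerated against a diverged base; worth confirming so the diff carries only this PR's changes.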
@@ -78210,61 +132790,394 @@ components: - included type: string type: - description: Must be match + description: Entry match type enum: - match + - wildcard + - match_any type: string value: - description: >- - Valid IPv4 address or CIDR notation (e.g., "192.168.1.1" or - "10.0.0.0/8") - type: string + oneOf: + - description: Single value (used with match or wildcard) + type: string + - description: Array of values (used with match_any) + items: + type: string + minItems: 1 + type: array required: - field - type - value - operator - maxItems: 1 minItems: 1 type: array list_id: enum: - - endpoint_host_isolation_exceptions - example: endpoint_host_isolation_exceptions + - endpoint_trusted_devices + example: endpoint_trusted_devices type: string os_types: - description: Must include all three operating systems (windows, linux, macos) + description: Must be Windows-only to allow username field items: enum: - windows - - linux - - macos type: string - maxItems: 3 - minItems: 3 + maxItems: 1 + minItems: 1 type: array tags: $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' required: - list_id - Security_Exceptions_API_ListId: + Security_Exceptions_API_UpdateExceptionListItemBase: + type: object + properties: + _version: + description: The version ID, normally returned by the API when the item is retrieved. Use it to ensure updates are made against the latest version. 
+ type: string + comments: + $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemCommentArray' + default: [] + description: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemDescription' + expire_time: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemExpireTime' + id: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' + description: Either `id` or `item_id` must be specified + item_id: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId' + description: Either `id` or `item_id` must be specified + meta: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta' + name: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemName' + namespace_type: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + default: single + type: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemType' + required: + - type + - name + - description + Security_Exceptions_API_UpdateExceptionListItemBlocklistLinux: + allOf: + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistLinuxProperties' + Security_Exceptions_API_UpdateExceptionListItemBlocklistMac: + allOf: + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistMacProperties' + Security_Exceptions_API_UpdateExceptionListItemBlocklistWindows: + allOf: + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistWindowsProperties' + Security_Exceptions_API_UpdateExceptionListItemComment: + type: object + properties: + comment: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + id: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' 
+ required: + - comment + Security_Exceptions_API_UpdateExceptionListItemCommentArray: + items: + $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemComment' + type: array + Security_Exceptions_API_UpdateExceptionListItemEndpointList: + allOf: + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_EndpointListProperties' + Security_Exceptions_API_UpdateExceptionListItemEventFilters: + allOf: + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_EventFiltersProperties' + Security_Exceptions_API_UpdateExceptionListItemGeneric: + allOf: + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' + - example: + comments: [] + description: Updated description + entries: + - field: host.name + operator: included + type: match + value: rock01 + item_id: simple_list_item + name: Updated name + namespace_type: single + tags: [] + type: simple + type: object + properties: + entries: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray' + list_id: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + os_types: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray' + default: [] + tags: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemTags' + required: + - entries + Security_Exceptions_API_UpdateExceptionListItemHostIsolation: + allOf: + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_HostIsolationProperties' + Security_Exceptions_API_UpdateExceptionListItemTrustedAppsLinux: + allOf: + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppsLinuxProperties' + 
Security_Exceptions_API_UpdateExceptionListItemTrustedAppsMac: + allOf: + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppsMacProperties' + Security_Exceptions_API_UpdateExceptionListItemTrustedAppsWindows: + allOf: + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppsWindowsProperties' + Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesMac: + allOf: + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedDevicesMacProperties' + Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesWindows: + allOf: + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedDevicesWindowsProperties' + Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesWindowsMac: + allOf: + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedDevicesWindowsMacProperties' + Security_Exceptions_API_UUID: + description: A universally unique identifier + format: uuid + type: string + Security_Lists_API_FindListItemsCursor: + description: Returns the items that come after the last item returned in the previous call (use the `cursor` value returned in the previous call). This parameter uses the `tie_breaker_id` field to ensure all items are sorted and returned correctly. 
+ example: WzIwLFsiYjU3Yzc2MmMtMzAzNi00NjVjLTliZmItN2JmYjVlNmU1MTVhIl1d + format: nonempty + minLength: 1 + type: string + Security_Lists_API_FindListItemsFilter: + example: value:127.0.0.1 + type: string + Security_Lists_API_FindListsCursor: + example: WzIwLFsiYjU3Yzc2MmMtMzAzNi00NjVjLTliZmItN2JmYjVlNmU1MTVhIl1d + format: nonempty + minLength: 1 + type: string + Security_Lists_API_FindListsFilter: + example: value:127.0.0.1 + type: string + Security_Lists_API_List: + type: object + properties: + _version: + $ref: '#/components/schemas/Security_Lists_API_ListVersionId' + '@timestamp': + example: '2025-01-08T04:47:34.273Z' + format: date-time + type: string + created_at: + description: Autogenerated date of object creation. + example: '2025-01-08T04:47:34.273Z' + format: date-time + type: string + created_by: + description: Autogenerated value - user that created object. + example: elastic + type: string + description: + $ref: '#/components/schemas/Security_Lists_API_ListDescription' + id: + $ref: '#/components/schemas/Security_Lists_API_ListId' + immutable: + type: boolean + meta: + $ref: '#/components/schemas/Security_Lists_API_ListMetadata' + name: + $ref: '#/components/schemas/Security_Lists_API_ListName' + tie_breaker_id: + description: Field used in search to ensure all containers are sorted and returned correctly. + example: f5508188-b1e9-4e6e-9662-d039a7d89899 + type: string + type: + $ref: '#/components/schemas/Security_Lists_API_ListType' + updated_at: + description: Autogenerated date of last object update. + example: '2025-01-08T04:47:34.273Z' + format: date-time + type: string + updated_by: + description: Autogenerated value - user that last updated object. 
+ example: elastic + type: string + version: + $ref: '#/components/schemas/Security_Lists_API_ListVersion' + required: + - id + - type + - name + - description + - immutable + - version + - tie_breaker_id + - created_at + - created_by + - updated_at + - updated_by + Security_Lists_API_ListDescription: + description: Describes the value list. + format: nonempty + minLength: 1 + type: string + Security_Lists_API_ListId: description: Value list's identifier. example: 21b01cfb-058d-44b9-838c-282be16c91cd format: nonempty minLength: 1 type: string - Security_Exceptions_API_ListType: - description: > - Specifies the Elasticsearch data type of excludes the list container - holds. Some common examples: - + Security_Lists_API_ListItem: + type: object + properties: + _version: + $ref: '#/components/schemas/Security_Lists_API_ListVersionId' + '@timestamp': + example: '2025-01-08T04:47:34.273Z' + format: date-time + type: string + created_at: + description: Autogenerated date of object creation. + example: '2025-01-08T04:47:34.273Z' + format: date-time + type: string + created_by: + description: Autogenerated value - user that created object. + example: elastic + type: string + id: + $ref: '#/components/schemas/Security_Lists_API_ListItemId' + list_id: + $ref: '#/components/schemas/Security_Lists_API_ListId' + meta: + $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' + tie_breaker_id: + description: Field used in search to ensure all containers are sorted and returned correctly. + example: f5508188-b1e9-4e6e-9662-d039a7d89899 + type: string + type: + $ref: '#/components/schemas/Security_Lists_API_ListType' + updated_at: + description: Autogenerated date of last object update. + example: '2025-01-08T04:47:34.273Z' + format: date-time + type: string + updated_by: + description: Autogenerated value - user that last updated object. 
+ example: elastic + type: string + value: + $ref: '#/components/schemas/Security_Lists_API_ListItemValue' + required: + - id + - type + - list_id + - value + - tie_breaker_id + - created_at + - created_by + - updated_at + - updated_by + Security_Lists_API_ListItemId: + description: Value list item's identifier. + example: 54b01cfb-058d-44b9-838c-282be16c91cd + format: nonempty + minLength: 1 + type: string + Security_Lists_API_ListItemMetadata: + additionalProperties: true + description: Placeholder for metadata about the value list item. + type: object + Security_Lists_API_ListItemPrivileges: + type: object + properties: + application: + additionalProperties: + type: boolean + type: object + cluster: + additionalProperties: + type: boolean + type: object + has_all_requested: + type: boolean + index: + additionalProperties: + additionalProperties: + type: boolean + type: object + type: object + username: + type: string + required: + - username + - has_all_requested + - cluster + - index + - application + Security_Lists_API_ListItemValue: + description: The value used to evaluate exceptions. + format: nonempty + minLength: 1 + type: string + Security_Lists_API_ListMetadata: + additionalProperties: true + description: Placeholder for metadata about the value list. + type: object + Security_Lists_API_ListName: + description: Value list's name. 
+ example: List of bad IPs + format: nonempty + minLength: 1 + type: string + Security_Lists_API_ListPrivileges: + type: object + properties: + application: + additionalProperties: + type: boolean + type: object + cluster: + additionalProperties: + type: boolean + type: object + has_all_requested: + type: boolean + index: + additionalProperties: + additionalProperties: + type: boolean + type: object + type: object + username: + type: string + required: + - username + - has_all_requested + - cluster + - index + - application + Security_Lists_API_ListType: + description: | + Specifies the Elasticsearch data type of excludes the list container holds. Some common examples: - `keyword`: Many ECS fields are Elasticsearch keywords - - `ip`: IP addresses - - - `ip_range`: Range of IP addresses (supports IPv4, IPv6, and CIDR - notation) + - `ip_range`: Range of IP addresses (supports IPv4, IPv6, and CIDR notation) enum: - binary - boolean @@ -78290,12 +133203,17 @@ components: - short - text type: string - Security_Exceptions_API_NonEmptyString: - description: A string that does not contain only whitespace characters - format: nonempty - minLength: 1 + Security_Lists_API_ListVersion: + description: The document version number. + example: 1 + minimum: 1 + type: integer + Security_Lists_API_ListVersionId: + description: | + The version id, normally returned by the API when the document is retrieved. Use it ensure updates are done against the latest version. + example: WzIsMV0= type: string - Security_Exceptions_API_PlatformErrorResponse: + Security_Lists_API_PlatformErrorResponse: type: object properties: error: @@ -78308,9 +133226,7 @@ components: - statusCode - error - message - Security_Exceptions_API_RuleId: - $ref: '#/components/schemas/Security_Exceptions_API_UUID' - Security_Exceptions_API_SiemErrorResponse: + Security_Lists_API_SiemErrorResponse: type: object properties: message: 
@@ -78318,1019 +133234,1738 @@ components: status_code: type: integer required: - - status_code - - message - Security_Exceptions_API_TrustedAppHashEntry: + - status_code + - message + Security_Osquery_API_ArrayQueries: + description: An array of queries to run. + items: + $ref: '#/components/schemas/Security_Osquery_API_ArrayQueriesItem' + type: array + Security_Osquery_API_ArrayQueriesItem: + type: object + properties: + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' + id: + $ref: '#/components/schemas/Security_Osquery_API_QueryId' + platform: + $ref: '#/components/schemas/Security_Osquery_API_Platform' + query: + $ref: '#/components/schemas/Security_Osquery_API_Query' + removed: + $ref: '#/components/schemas/Security_Osquery_API_Removed' + snapshot: + $ref: '#/components/schemas/Security_Osquery_API_Snapshot' + version: + $ref: '#/components/schemas/Security_Osquery_API_Version' + Security_Osquery_API_CopyPacksResponse: + description: The response for copying a pack. 
+ example: + data: + created_at: '2025-02-26T13:37:30.452Z' + created_by: elastic + description: My pack + enabled: false + name: my_pack_copy + policy_ids: [] + queries: + - ecs_mapping: + - key: client.port + value: + field: port + id: ports + interval: 60 + query: SELECT * FROM listening_ports; + removed: false + snapshot: true + timeout: 120 + saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 + shards: [] + updated_at: '2025-02-26T13:37:30.452Z' + updated_by: elastic + type: object + properties: + data: + type: object + properties: + created_at: + format: date-time + type: string + created_by: + nullable: true + type: string + created_by_profile_uid: + type: string + description: + $ref: '#/components/schemas/Security_Osquery_API_PackDescription' + enabled: + $ref: '#/components/schemas/Security_Osquery_API_Enabled' + name: + $ref: '#/components/schemas/Security_Osquery_API_PackName' + policy_ids: + $ref: '#/components/schemas/Security_Osquery_API_PolicyIds' + queries: + description: 'Pack queries in saved-object storage format (array). Note: the read endpoint returns object format.' + items: + type: object + properties: + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMappingArray' + id: + type: string + interval: + type: integer + platform: + type: string + query: + type: string + removed: + type: boolean + snapshot: + type: boolean + timeout: + type: integer + version: + type: string + type: array + saved_object_id: + description: The saved object ID of the copied pack. + type: string + shards: + description: Shard configuration as an array of key-value pairs. + items: + type: object + properties: + key: + type: string + value: + type: number + type: array + updated_at: + format: date-time + type: string + updated_by: + nullable: true + type: string + updated_by_profile_uid: + type: string + version: + description: The pack version number. 
+ type: integer + required: + - saved_object_id + - name + required: + - data + Security_Osquery_API_CopySavedQueryResponse: + description: The response for copying a saved query. + example: + data: + created_at: '2025-02-26T13:37:30.452Z' + created_by: elastic + description: Saved query description + ecs_mapping: + host.uptime: + field: total_seconds + id: my_saved_query_copy + interval: '60' + platform: linux,darwin + query: select * from uptime; + removed: false + saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c + snapshot: true + timeout: 120 + updated_at: '2025-02-26T13:37:30.452Z' + updated_by: elastic type: object properties: - field: - description: Process hash field - enum: - - process.hash.md5 - - process.hash.sha1 - - process.hash.sha256 - type: string - operator: - enum: - - included - type: string - type: - description: Hash entries only support match type - enum: - - match - type: string - value: - description: Hash value (MD5, SHA1, or SHA256) - type: string + data: + type: object + properties: + created_at: + format: date-time + type: string + created_by: + nullable: true + type: string + created_by_profile_uid: + type: string + description: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription' + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' + id: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + interval: + oneOf: + - type: integer + - type: string + platform: + $ref: '#/components/schemas/Security_Osquery_API_Platform' + query: + $ref: '#/components/schemas/Security_Osquery_API_Query' + removed: + $ref: '#/components/schemas/Security_Osquery_API_Removed' + saved_object_id: + type: string + snapshot: + $ref: '#/components/schemas/Security_Osquery_API_Snapshot' + timeout: + type: integer + updated_at: + format: date-time + type: string + updated_by: + nullable: true + type: string + updated_by_profile_uid: + type: string + required: + - saved_object_id + - id required: - - field 
- - type - - value - - operator - Security_Exceptions_API_TrustedAppMacCodeSignatureEntry: + - data + Security_Osquery_API_CreateLiveQueryRequestBody: + example: + agent_all: true + ecs_mapping: + host.uptime: + field: total_seconds + query: select * from uptime; type: object properties: - entries: - description: >- - Must include exactly 2 entries - one for subject_name and one for - trusted + agent_all: + description: When `true`, the query runs on all agents. + type: boolean + agent_ids: + description: A list of agent IDs to run the query on. items: - oneOf: - - type: object + type: string + type: array + agent_platforms: + description: A list of agent platforms to run the query on. + items: + type: string + type: array + agent_policy_ids: + description: A list of agent policy IDs to run the query on. + items: + type: string + type: array + alert_ids: + description: A list of alert IDs associated with the live query. + items: + type: string + type: array + case_ids: + description: A list of case IDs associated with the live query. + items: + type: string + type: array + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' + event_ids: + description: A list of event IDs associated with the live query. + items: + type: string + type: array + metadata: + description: Custom metadata object associated with the live query. + nullable: true + type: object + pack_id: + $ref: '#/components/schemas/Security_Osquery_API_PackId' + queries: + $ref: '#/components/schemas/Security_Osquery_API_ArrayQueries' + query: + $ref: '#/components/schemas/Security_Osquery_API_Query' + saved_query_id: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + Security_Osquery_API_CreateLiveQueryResponse: + description: The response for creating a live query. 
+ example: + data: + '@timestamp': '2022-07-26T09:59:32.220Z' + action_id: 3c42c847-eb30-4452-80e0-728584042334 + agent_all: true + agent_ids: [] + agent_platforms: [] + agent_policy_ids: [] + agents: + - 16d7caf5-efd2-4212-9b62-73dafc91fa13 + expiration: '2022-07-26T10:04:32.220Z' + input_type: osquery + metadata: + execution_context: + name: osquery + url: /app/osquery/live_queries/new + queries: + - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 + agents: + - 16d7caf5-efd2-4212-9b62-73dafc91fa13 + ecs_mapping: + host.uptime: + field: total_seconds + id: 6724a474-cbba-41ef-a1aa-66aebf0879e2 + query: select * from uptime; + timeout: 120 + type: INPUT_ACTION + user_id: elastic + type: object + properties: + data: + type: object + properties: + '@timestamp': + description: The timestamp when the action was created. + format: date-time + type: string + action_id: + description: The ID of the action. + type: string + agent_all: + description: Whether the query targets all agents. + type: boolean + agent_ids: + description: The agent IDs targeted by the action. + items: + type: string + type: array + agent_platforms: + description: The agent platforms targeted. + items: + type: string + type: array + agent_policy_ids: + description: The agent policy IDs targeted. + items: + type: string + type: array + agents: + description: The resolved list of agent IDs. + items: + type: string + type: array + expiration: + description: The expiration date of the action. + format: date-time + type: string + input_type: + description: The input type. + type: string + metadata: + description: Custom metadata associated with the action. + type: object + pack_id: + description: The pack ID if the query was run from a pack. + type: string + queries: + description: The queries in this action. 
+ items: + type: object properties: - field: - enum: - - subject_name + action_id: type: string - operator: - enum: - - included + agents: + items: + type: string + type: array + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' + id: type: string - type: - enum: - - match + platform: type: string - value: - description: Certificate subject name + query: type: string - required: - - field - - type - - value - - operator - - type: object - properties: - field: - enum: - - trusted + saved_query_id: type: string - operator: - enum: - - included + timeout: + type: integer + version: type: string - type: - enum: - - match + type: array + type: + description: The action type. + type: string + user_id: + description: The user who created the action. + type: string + required: + - action_id + required: + - data + Security_Osquery_API_CreatePacksRequestBody: + example: + description: My pack + enabled: true + name: my_pack + policy_ids: + - my_policy_id + - fleet-server-policy + queries: + my_query: + ecs_mapping: + client.port: + field: port + tags: + value: + - tag1 + - tag2 + interval: 60 + query: SELECT * FROM listening_ports; + timeout: 120 + shards: + fleet-server-policy: 58 + my_policy_id: 35 + type: object + properties: + description: + $ref: '#/components/schemas/Security_Osquery_API_PackDescription' + enabled: + $ref: '#/components/schemas/Security_Osquery_API_Enabled' + name: + $ref: '#/components/schemas/Security_Osquery_API_PackName' + policy_ids: + $ref: '#/components/schemas/Security_Osquery_API_PolicyIds' + queries: + $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries' + shards: + $ref: '#/components/schemas/Security_Osquery_API_Shards' + Security_Osquery_API_CreatePacksResponse: + description: The response for creating a pack. 
+ example: + data: + created_at: '2025-02-26T13:37:30.452Z' + created_by: elastic + description: My pack + enabled: true + name: my_pack + policy_ids: + - my_policy_id + queries: + ports: + ecs_mapping: + client.port: + field: port + interval: 60 + query: SELECT * FROM listening_ports; + removed: false + snapshot: true + timeout: 120 + saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 + shards: + 47638692-7c4c-4053-aa3e-7186f28df349: 35 + 5e267651-fe50-443e-8d3f-3bbc9171b618: 58 + updated_at: '2025-02-26T13:37:30.452Z' + updated_by: elastic + version: 1 + type: object + properties: + data: + type: object + properties: + created_at: + description: The date and time the pack was created. + format: date-time + type: string + created_by: + description: The user who created the pack. + nullable: true + type: string + created_by_profile_uid: + description: The profile UID of the user who created the pack. + type: string + description: + $ref: '#/components/schemas/Security_Osquery_API_PackDescription' + enabled: + $ref: '#/components/schemas/Security_Osquery_API_Enabled' + name: + $ref: '#/components/schemas/Security_Osquery_API_PackName' + policy_ids: + $ref: '#/components/schemas/Security_Osquery_API_PolicyIds' + queries: + $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries' + saved_object_id: + description: The saved object ID of the pack. + type: string + shards: + description: Shard configuration as an array of key-value pairs. + items: + type: object + properties: + key: type: string value: - description: Must be the string 'true' - enum: - - 'true' - type: string - required: - - field - - type - - value - - operator - maxItems: 2 - minItems: 2 - type: array - field: - description: macOS code signature field - enum: - - process.code_signature - type: string - type: - enum: - - nested - type: string + type: number + type: array + updated_at: + description: The date and time the pack was last updated. 
+ format: date-time + type: string + updated_by: + description: The user who last updated the pack. + nullable: true + type: string + updated_by_profile_uid: + description: The profile UID of the user who last updated the pack. + type: string + version: + description: The pack version number. + type: integer + required: + - saved_object_id + - name required: - - field - - type - - entries - Security_Exceptions_API_TrustedAppPathEntry: + - data + Security_Osquery_API_CreateSavedQueryRequestBody: + example: + description: Saved query description + ecs_mapping: + host.uptime: + field: total_seconds + id: saved_query_id + interval: '60' + platform: linux,darwin + query: select * from uptime; + timeout: 120 + version: 2.8.0 type: object properties: - field: - description: Process executable path field - enum: - - process.executable.caseless - type: string - operator: - enum: - - included - type: string - type: - description: Path supports both match and wildcard types - enum: - - match - - wildcard - type: string - value: - description: Executable path - type: string + description: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription' + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' + id: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + interval: + $ref: '#/components/schemas/Security_Osquery_API_Interval' + platform: + $ref: '#/components/schemas/Security_Osquery_API_Platform' + query: + $ref: '#/components/schemas/Security_Osquery_API_Query' + removed: + $ref: '#/components/schemas/Security_Osquery_API_Removed' + snapshot: + $ref: '#/components/schemas/Security_Osquery_API_Snapshot' + version: + $ref: '#/components/schemas/Security_Osquery_API_Version' + Security_Osquery_API_CreateSavedQueryResponse: + description: The response for creating a saved query. 
+ example: + data: + created_at: '2025-02-26T13:37:30.452Z' + created_by: elastic + description: Saved query description + ecs_mapping: + host.uptime: + field: total_seconds + id: saved_query_id + interval: '60' + platform: linux,darwin + prebuilt: false + query: select * from uptime; + saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c + timeout: 120 + updated_at: '2025-02-26T13:37:30.452Z' + updated_by: elastic + version: 2.8.0 + type: object + properties: + data: + type: object + properties: + created_at: + format: date-time + type: string + created_by: + nullable: true + type: string + created_by_profile_uid: + type: string + description: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription' + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' + id: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + interval: + description: An interval, in seconds, on which to run the query. May be returned as number or string. + oneOf: + - type: integer + - type: string + platform: + $ref: '#/components/schemas/Security_Osquery_API_Platform' + prebuilt: + description: Whether the saved query is prebuilt. + type: boolean + query: + $ref: '#/components/schemas/Security_Osquery_API_Query' + removed: + $ref: '#/components/schemas/Security_Osquery_API_Removed' + saved_object_id: + description: The saved object ID of the saved query. + type: string + snapshot: + $ref: '#/components/schemas/Security_Osquery_API_Snapshot' + timeout: + description: The query timeout in seconds. + type: integer + updated_at: + format: date-time + type: string + updated_by: + nullable: true + type: string + updated_by_profile_uid: + type: string + version: + description: The saved query version. 
+ oneOf: + - type: integer + - type: string + required: + - saved_object_id + - id required: - - field - - type - - value - - operator - Security_Exceptions_API_TrustedAppsLinuxProperties: - description: Trusted applications list item properties (Linux). + - data + Security_Osquery_API_DefaultSuccessResponse: + example: {} type: object - properties: - entries: - description: >- - Process hash or executable path entries (code signature not - supported on Linux) - items: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppHashEntry - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppPathEntry - minItems: 1 - type: array - list_id: - enum: - - endpoint_trusted_apps - example: endpoint_trusted_apps - type: string - os_types: - description: Must be Linux only - items: - enum: - - linux - type: string - maxItems: 1 - minItems: 1 - type: array - tags: - $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' - required: - - list_id - Security_Exceptions_API_TrustedAppsMacProperties: - description: Trusted applications list item properties (macOS). + properties: {} + Security_Osquery_API_ECSMapping: + additionalProperties: + $ref: '#/components/schemas/Security_Osquery_API_ECSMappingItem' + description: Map osquery results columns or static values to Elastic Common Schema (ECS) fields + example: + host.uptime: + field: total_seconds + type: object + Security_Osquery_API_ECSMappingArray: + description: ECS mapping in saved-object storage format (array of key-value pairs). The find and copy pack endpoints return this format. The read endpoint returns object format (ECSMapping). + items: + $ref: '#/components/schemas/Security_Osquery_API_ECSMappingArrayItem' + type: array + Security_Osquery_API_ECSMappingArrayItem: + description: ECS mapping item in saved-object storage format (key-value pair). 
type: object properties: - entries: - description: Process hash, executable path, or code signature entries - items: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppHashEntry - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppPathEntry - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppMacCodeSignatureEntry - minItems: 1 - type: array - list_id: - enum: - - endpoint_trusted_apps - example: endpoint_trusted_apps + key: + description: The ECS field name. type: string - os_types: - description: Must be macOS only - items: - enum: - - macos - type: string - maxItems: 1 - minItems: 1 - type: array - tags: - $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' - required: - - list_id - Security_Exceptions_API_TrustedAppsWindowsProperties: - description: Trusted applications list item properties (Windows). + value: + $ref: '#/components/schemas/Security_Osquery_API_ECSMappingItem' + Security_Osquery_API_ECSMappingArrayOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_ECSMappingArray' + nullable: true + Security_Osquery_API_ECSMappingItem: type: object properties: - entries: - description: Process hash, executable path, or code signature entries - items: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppHashEntry - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppPathEntry - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppWindowsCodeSignatureEntry - minItems: 1 - type: array - list_id: - enum: - - endpoint_trusted_apps - example: endpoint_trusted_apps + field: + description: The ECS field to map to. 
+ example: host.uptime type: string - os_types: - description: Must be Windows only - items: - enum: - - windows - type: string - maxItems: 1 - minItems: 1 - type: array - tags: - $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' - required: - - list_id - Security_Exceptions_API_TrustedAppWindowsCodeSignatureEntry: + value: + description: The value to map to the ECS field. + example: total_seconds + oneOf: + - type: string + - items: + type: string + type: array + Security_Osquery_API_ECSMappingOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' + nullable: true + Security_Osquery_API_Enabled: + description: Enables the pack. + example: true + type: boolean + Security_Osquery_API_EnabledOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_Enabled' + nullable: true + Security_Osquery_API_FindLiveQueryDetailsResponse: + example: + data: + '@timestamp': '2022-07-26T09:59:32.220Z' + action_id: 3c42c847-eb30-4452-80e0-728584042334 + agents: + - 16d7caf5-efd2-4212-9b62-73dafc91fa13 + expiration: '2022-07-26T10:04:32.220Z' + queries: + - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 + agents: + - 16d7caf5-efd2-4212-9b62-73dafc91fa13 + docs: 0 + ecs_mapping: + host.uptime: + field: total_seconds + failed: 1 + id: 6724a474-cbba-41ef-a1aa-66aebf0879e2 + pending: 0 + query: select * from uptime; + responded: 1 + saved_query_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d + status: completed + successful: 0 + status: completed + user_id: elastic type: object properties: - entries: - description: >- - Must include exactly 2 entries - one for subject_name and one for - trusted - items: - oneOf: - - type: object + data: + type: object + properties: + '@timestamp': + format: date-time + type: string + action_id: + type: string + agents: + items: + type: string + type: array + expiration: + format: date-time + type: string + pack_id: + type: string + pack_name: + type: string + prebuilt_pack: + type: boolean + queries: + 
description: The queries with their execution status. + items: + type: object properties: - field: - enum: - - subject_name - type: string - operator: - enum: - - included - type: string - type: - enum: - - match - type: string - value: - description: Certificate subject name + action_id: type: string - required: - - field - - type - - value - - operator - - type: object - properties: - field: - enum: - - trusted + agents: + items: + type: string + type: array + docs: + description: Number of result documents. + type: integer + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' + failed: + description: Number of failed queries. + type: integer + id: type: string - operator: - enum: - - included + pending: + description: Number of pending agents. + type: integer + query: type: string - type: - enum: - - match + responded: + description: Total responded agents. + type: integer + saved_query_id: type: string - value: - description: Must be the string 'true' + status: + description: Status of this individual query. enum: - - 'true' + - completed + - running type: string - required: - - field - - type - - value - - operator - maxItems: 2 - minItems: 2 - type: array - field: - description: Windows code signature field - enum: - - process.Ext.code_signature - type: string - type: - enum: - - nested - type: string - required: - - field - - type - - entries - Security_Exceptions_API_TrustedDevicesMacProperties: - description: >- - Trusted devices list item properties (macOS-only, username not - supported). + successful: + description: Number of successful agents. + type: integer + type: array + status: + description: Global status of the live query (completed, running). 
+ enum: + - completed + - running + type: string + tags: + items: + type: string + type: array + user_id: + type: string + user_profile_uid: + type: string + Security_Osquery_API_FindLiveQueryResponse: + example: + data: + items: + - _source: + '@timestamp': '2023-10-31T00:00:00Z' + action_id: 3c42c847-eb30-4452-80e0-728584042334 + agents: + - 16d7caf5-efd2-4212-9b62-73dafc91fa13 + expiration: '2023-10-31T00:00:00Z' + queries: + - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 + agents: + - 16d7caf5-efd2-4212-9b62-73dafc91fa13 + ecs_mapping: + host.uptime: + field: total_seconds + id: 6724a474-cbba-41ef-a1aa-66aebf0879e2 + query: select * from uptime; + saved_query_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d + result_counts: + error_agents: 0 + responded_agents: 1 + successful_agents: 1 + total_rows: 42 + user_id: elastic + total: 1 type: object properties: - entries: - description: >- - Exception entries for the trusted device (duplicate field entries - are not allowed) - items: - type: object - properties: - field: - description: Device field to match against - enum: - - device.serial_number - - device.type - - host.name - - device.vendor.name - - device.vendor.id - - device.product.id - - device.product.name - type: string - operator: - description: Must be the value "included" - enum: - - included - type: string - type: - description: Entry match type - enum: - - match - - wildcard - - match_any + data: + type: object + properties: + items: + description: An array of live query action items. 
+ items: + type: object + properties: + _source: + type: object + properties: + '@timestamp': + format: date-time + type: string + action_id: + type: string + agents: + items: + type: string + type: array + expiration: + format: date-time + type: string + pack_id: + type: string + queries: + items: + type: object + properties: + action_id: + type: string + agents: + items: + type: string + type: array + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' + id: + type: string + query: + type: string + saved_query_id: + type: string + type: array + result_counts: + description: Result count statistics (present when withResultCounts is true). + type: object + properties: + error_agents: + type: integer + responded_agents: + type: integer + successful_agents: + type: integer + total_rows: + type: integer + user_id: + type: string + type: array + total: + description: The total number of live queries. + type: integer + Security_Osquery_API_FindPackResponse: + description: The details of a single query pack. + example: + data: + created_at: '2022-07-25T19:41:10.263Z' + created_by: elastic + description: '' + enabled: true + name: test_pack + namespaces: + - default + policy_ids: [] + queries: + uptime: + ecs_mapping: + message: + field: days + interval: 3600 + query: select * from uptime + read_only: false + saved_object_id: 3c42c847-eb30-4452-80e0-728584042334 + shards: {} + type: osquery-pack + updated_at: '2022-07-25T20:12:01.455Z' + updated_by: elastic + version: 1 + type: object + properties: + data: + description: The pack details. 
+ type: object + properties: + created_at: + format: date-time + type: string + created_by: + nullable: true + type: string + created_by_profile_uid: + type: string + description: + $ref: '#/components/schemas/Security_Osquery_API_PackDescription' + enabled: + $ref: '#/components/schemas/Security_Osquery_API_Enabled' + name: + $ref: '#/components/schemas/Security_Osquery_API_PackName' + namespaces: + description: The namespaces the pack belongs to. + items: type: string - value: - oneOf: - - description: Single value (used with match or wildcard) - type: string - - description: Array of values (used with match_any) - items: - type: string - minItems: 1 - type: array - required: - - field - - type - - value - - operator - minItems: 1 - type: array - list_id: - enum: - - endpoint_trusted_devices - example: endpoint_trusted_devices - type: string - os_types: - description: macOS-only - items: - enum: - - macos - type: string - maxItems: 1 - minItems: 1 - type: array - tags: - $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' + type: array + policy_ids: + $ref: '#/components/schemas/Security_Osquery_API_PolicyIds' + queries: + $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries' + read_only: + description: Whether the pack is read-only (true for prebuilt packs). + type: boolean + saved_object_id: + description: The saved object ID of the pack. + type: string + shards: + $ref: '#/components/schemas/Security_Osquery_API_Shards' + type: + description: The saved object type. + type: string + updated_at: + format: date-time + type: string + updated_by: + nullable: true + type: string + updated_by_profile_uid: + type: string + version: + description: The pack version number. + type: integer + required: + - saved_object_id + - name required: - - list_id - Security_Exceptions_API_TrustedDevicesWindowsMacProperties: - description: >- - Trusted devices list item properties (Windows + macOS, username not - supported). 
+ - data + Security_Osquery_API_FindPacksResponse: + description: A paginated list of query packs. + example: + data: + - created_at: '2023-10-31T00:00:00Z' + created_by: elastic + created_by_profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + description: My pack description + enabled: true + name: My Pack + policy_ids: [] + queries: + - ecs_mapping: + - key: host.uptime + value: + field: total_seconds + id: uptime + interval: 3600 + query: select * from uptime; + read_only: false + saved_object_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d + updated_at: '2023-10-31T00:00:00Z' + updated_by: elastic + updated_by_profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + page: 1 + per_page: 10 + total: 1 type: object properties: - entries: - description: >- - Exception entries for the trusted device (duplicate field entries - are not allowed, username not available when targeting both OS) + data: + description: An array of pack objects. items: type: object properties: - field: - description: >- - Device field to match against (username not available for - multi-OS) - enum: - - device.serial_number - - device.type - - host.name - - device.vendor.name - - device.vendor.id - - device.product.id - - device.product.name + created_at: + format: date-time type: string - operator: - description: Must be the value "included" - enum: - - included + created_by: + nullable: true type: string - type: - description: Entry match type - enum: - - match - - wildcard - - match_any + created_by_profile_uid: type: string - value: - oneOf: - - description: Single value (used with match or wildcard) - type: string - - description: Array of values (used with match_any) - items: + description: + $ref: '#/components/schemas/Security_Osquery_API_PackDescription' + enabled: + $ref: '#/components/schemas/Security_Osquery_API_Enabled' + name: + $ref: '#/components/schemas/Security_Osquery_API_PackName' + policy_ids: + $ref: '#/components/schemas/Security_Osquery_API_PolicyIds' + 
queries: + description: 'Pack queries in saved-object storage format (array). Note: the read endpoint returns object format.' + items: + type: object + properties: + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMappingArray' + id: type: string - minItems: 1 - type: array + interval: + type: integer + platform: + type: string + query: + type: string + removed: + type: boolean + snapshot: + type: boolean + timeout: + type: integer + version: + type: string + type: array + read_only: + description: Whether the pack is read-only (true for prebuilt packs). + type: boolean + saved_object_id: + description: The saved object ID of the pack. + type: string + updated_at: + format: date-time + type: string + updated_by: + nullable: true + type: string + updated_by_profile_uid: + type: string + version: + description: The pack version number. + type: integer required: - - field - - type - - value - - operator - minItems: 1 - type: array - list_id: - enum: - - endpoint_trusted_devices - example: endpoint_trusted_devices - type: string - os_types: - description: Must include both Windows and macOS (username field not allowed) - items: - enum: - - windows - - macos - type: string - maxItems: 2 - minItems: 2 + - saved_object_id + - name type: array - tags: - $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' + page: + description: The current page number. + type: integer + per_page: + description: The number of results per page. + type: integer + total: + description: The total number of packs. + type: integer required: - - list_id - Security_Exceptions_API_TrustedDevicesWindowsProperties: - description: >- - Trusted devices list item properties (Windows-only, allows username - field). + - page + - per_page + - total + - data + Security_Osquery_API_FindSavedQueryDetailResponse: + description: The details of a single saved query. 
+ example: + data: + created_at: '2022-07-26T09:28:08.597Z' + created_by: elastic + description: Saved query description + ecs_mapping: + host.uptime: + field: total_seconds + id: saved_query_id + interval: '60' + platform: linux,darwin + prebuilt: false + query: select * from uptime; + saved_object_id: 3c42c847-eb30-4452-80e0-728584042334 + updated_at: '2022-07-26T09:28:08.597Z' + updated_by: elastic + version: 2.8.0 type: object properties: - entries: - description: >- - Exception entries for the trusted device (duplicate field entries - are not allowed) + data: + type: object + properties: + created_at: + format: date-time + type: string + created_by: + nullable: true + type: string + created_by_profile_uid: + type: string + description: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription' + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' + id: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + interval: + oneOf: + - type: integer + - type: string + platform: + $ref: '#/components/schemas/Security_Osquery_API_Platform' + prebuilt: + type: boolean + query: + $ref: '#/components/schemas/Security_Osquery_API_Query' + removed: + $ref: '#/components/schemas/Security_Osquery_API_Removed' + saved_object_id: + type: string + snapshot: + $ref: '#/components/schemas/Security_Osquery_API_Snapshot' + timeout: + type: integer + updated_at: + format: date-time + type: string + updated_by: + nullable: true + type: string + updated_by_profile_uid: + type: string + version: + oneOf: + - type: integer + - type: string + required: + - saved_object_id + - id + required: + - data + Security_Osquery_API_FindSavedQueryResponse: + description: A paginated list of saved queries. 
+ example: + data: + - created_at: '2022-07-26T09:28:08.597Z' + created_by: elastic + created_by_profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + description: Saved query description + ecs_mapping: + host.uptime: + field: total_seconds + id: saved_query_id + interval: '60' + platform: linux,darwin + prebuilt: false + query: select * from uptime; + saved_object_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d + updated_at: '2022-07-26T09:28:08.597Z' + updated_by: elastic + updated_by_profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + version: 2.8.0 + page: 1 + per_page: 100 + total: 11 + type: object + properties: + data: + description: An array of saved query objects. items: type: object properties: - field: - description: Device field to match against (user.name is Windows-only) - enum: - - device.serial_number - - device.type - - host.name - - device.vendor.name - - device.vendor.id - - device.product.id - - device.product.name - - user.name + created_at: + format: date-time type: string - operator: - description: Must be the value "included" - enum: - - included + created_by: + nullable: true type: string - type: - description: Entry match type - enum: - - match - - wildcard - - match_any + created_by_profile_uid: type: string - value: + description: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription' + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' + id: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + interval: oneOf: - - description: Single value (used with match or wildcard) - type: string - - description: Array of values (used with match_any) - items: - type: string - minItems: 1 - type: array + - type: integer + - type: string + platform: + $ref: '#/components/schemas/Security_Osquery_API_Platform' + prebuilt: + type: boolean + query: + $ref: '#/components/schemas/Security_Osquery_API_Query' + removed: + $ref: '#/components/schemas/Security_Osquery_API_Removed' + 
saved_object_id: + type: string + snapshot: + $ref: '#/components/schemas/Security_Osquery_API_Snapshot' + timeout: + type: integer + updated_at: + format: date-time + type: string + updated_by: + nullable: true + type: string + updated_by_profile_uid: + type: string + version: + oneOf: + - type: integer + - type: string required: - - field - - type - - value - - operator - minItems: 1 + - saved_object_id + - id type: array - list_id: - enum: - - endpoint_trusted_devices - example: endpoint_trusted_devices - type: string - os_types: - description: Must be Windows-only to allow username field + page: + description: The current page number. + type: integer + per_page: + description: The number of results per page. + type: integer + total: + description: The total number of saved queries. + type: integer + required: + - page + - per_page + - total + - data + Security_Osquery_API_GetLiveQueryResultsResponse: + description: The response for getting live query results. + example: + data: + edges: + - _id: doc1 + _source: {} + - _id: doc2 + _source: {} + total: 2 + type: object + properties: + data: + type: object + properties: + edges: + description: The result rows from the query execution. + items: + type: object + properties: + _id: + type: string + _source: + description: The Elasticsearch document source containing query results. + type: object + type: array + total: + description: The total number of result rows. 
+ type: integer + Security_Osquery_API_GetScheduledActionResultsResponse: + example: + aggregations: + failed: 1 + pending: 0 + successful: 9 + totalResponded: 10 + totalRowCount: 42 + currentPage: 0 + edges: + - _id: result-001 + fields: + agent_id: 16d7caf5-efd2-4212-9b62-73dafc91fa13 + rows_count: 5 + status: success + metadata: + executionCount: 3 + packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d + packName: My Pack + queryName: uptime + queryText: select * from uptime; + scheduleId: pack_my_pack_uptime + timestamp: '2024-07-26T09:00:00.000Z' + pageSize: 20 + total: 10 + totalPages: 1 + type: object + properties: + aggregations: + $ref: '#/components/schemas/Security_Osquery_API_ScheduledActionResultsAggregations' + currentPage: + description: The current page number (zero-based). + type: integer + edges: + description: The paginated list of per-agent action results. items: - enum: - - windows - type: string - maxItems: 1 - minItems: 1 + type: object type: array - tags: - $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' - required: - - list_id - Security_Exceptions_API_UpdateExceptionListItemBase: + inspect: + description: Debug/inspection data for the search query. + type: object + metadata: + $ref: '#/components/schemas/Security_Osquery_API_ScheduledExecutionMetadata' + pageSize: + description: The number of results per page. + type: integer + total: + description: The total number of action results. + type: integer + totalPages: + description: The total number of pages. + type: integer + Security_Osquery_API_GetScheduledQueryResultsResponse: + description: The response for getting scheduled query results. + example: + data: + edges: + - _id: row-001 + fields: + host.uptime: + - '12345' + - _id: row-002 + fields: + host.uptime: + - '67890' + total: 2 type: object properties: - _version: - description: >- - The version ID, normally returned by the API when the item is - retrieved. 
Use it to ensure updates are made against the latest - version. - type: string - comments: - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemCommentArray - default: [] - description: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemDescription - expire_time: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemExpireTime - id: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' - description: Either `id` or `item_id` must be specified - item_id: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId - description: Either `id` or `item_id` must be specified - meta: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta' - name: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemName' - namespace_type: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' - default: single - type: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemType' - required: - - type - - name - - description - Security_Exceptions_API_UpdateExceptionListItemBlocklistLinux: - allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_BlocklistLinuxProperties - Security_Exceptions_API_UpdateExceptionListItemBlocklistMac: - allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase - - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistMacProperties' - Security_Exceptions_API_UpdateExceptionListItemBlocklistWindows: - allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_BlocklistWindowsProperties - Security_Exceptions_API_UpdateExceptionListItemComment: + data: + description: The query results data wrapper. 
+ type: object + properties: + edges: + description: The paginated list of query result rows. + items: + type: object + type: array + inspect: + description: Debug/inspection data for the search query. + type: object + total: + description: The total number of result rows. + type: integer + Security_Osquery_API_GetUnifiedHistoryResponse: + example: + data: + - actionId: 609c4c66-ba3d-43fa-afdd-53e244577aa0 + agentCount: 5 + errorCount: 0 + id: 3c42c847-eb30-4452-80e0-728584042334 + queryName: uptime_query + queryText: select * from uptime; + source: Live + sourceType: live + successCount: 5 + timestamp: '2024-07-26T09:59:32.220Z' + totalRows: 42 + userId: elastic + - agentCount: 10 + errorCount: 1 + executionCount: 3 + id: pack_my_pack_uptime_3 + packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d + packName: My Pack + plannedTime: '2024-07-26T09:00:00.000Z' + queryName: uptime + queryText: select * from uptime; + scheduleId: pack_my_pack_uptime + source: Scheduled + sourceType: scheduled + successCount: 9 + timestamp: '2024-07-26T09:00:00.000Z' + totalRows: 100 + hasMore: true + nextPage: eyJhY3Rpb25TZWFyY2hBZnRlciI6WzE3... type: object properties: - comment: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - id: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + data: + description: The list of unified history rows for the current page. + items: + $ref: '#/components/schemas/Security_Osquery_API_UnifiedHistoryRow' + type: array + hasMore: + description: Whether there are more results beyond the current page. + type: boolean + nextPage: + description: A base64-encoded cursor to fetch the next page. Absent when there are no more results. 
+ type: string required: - - comment - Security_Exceptions_API_UpdateExceptionListItemCommentArray: - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemComment - type: array - Security_Exceptions_API_UpdateExceptionListItemEndpointList: - allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase - - $ref: '#/components/schemas/Security_Exceptions_API_EndpointListProperties' - Security_Exceptions_API_UpdateExceptionListItemEventFilters: - allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase - - $ref: '#/components/schemas/Security_Exceptions_API_EventFiltersProperties' - Security_Exceptions_API_UpdateExceptionListItemGeneric: + - data + - hasMore + Security_Osquery_API_Interval: + description: An interval, in seconds, on which to run the query. + example: '60' + type: string + Security_Osquery_API_IntervalOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_Interval' + nullable: true + Security_Osquery_API_KueryOrUndefined: + description: The kuery to filter the results by. 
+ example: 'agent.id: 16d7caf5-efd2-4212-9b62-73dafc91fa13' + nullable: true + type: string + Security_Osquery_API_LiveHistoryRow: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase - - example: - comments: [] - description: Updated description - entries: - - field: host.name - operator: included - type: match - value: rock01 - item_id: simple_list_item - name: Updated name - namespace_type: single - tags: [] - type: simple - type: object + - $ref: '#/components/schemas/Security_Osquery_API_UnifiedHistoryRowBase' + - type: object properties: - entries: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray - list_id: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListHumanId - os_types: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray - default: [] - tags: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemTags + actionId: + description: The Fleet action ID for the live query. + type: string + agentAll: + description: Whether the query targeted all agents. + type: boolean + agentIds: + description: List of targeted agent IDs. + items: + type: string + type: array + agentPlatforms: + description: List of targeted agent platforms. + items: + type: string + type: array + agentPolicyIds: + description: List of targeted agent policy IDs. + items: + type: string + type: array + ecsMapping: + additionalProperties: true + description: ECS mapping configuration used for the query. + type: object + queriesTotal: + description: The total number of sub-queries in the live action. + type: integer + queriesWithResults: + description: The number of sub-queries that returned results. + type: integer + savedQueryId: + description: The saved query ID, if the live query was based on a saved query. + type: string + source: + description: Whether this was a manually run live query or triggered by a rule. 
+ enum: + - Live + - Rule + type: string + sourceType: + description: Identifies this as a live query history row. + enum: + - live + type: string + timeout: + description: The query timeout in seconds. + type: integer + userId: + description: The ID of the user who ran the query. + type: string + userProfileUid: + description: The user profile UID of the user who ran the query. + type: string required: - - entries - Security_Exceptions_API_UpdateExceptionListItemHostIsolation: - allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase - - $ref: '#/components/schemas/Security_Exceptions_API_HostIsolationProperties' - Security_Exceptions_API_UpdateExceptionListItemTrustedAppsLinux: - allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppsLinuxProperties - Security_Exceptions_API_UpdateExceptionListItemTrustedAppsMac: - allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppsMacProperties - Security_Exceptions_API_UpdateExceptionListItemTrustedAppsWindows: - allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppsWindowsProperties - Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesMac: - allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedDevicesMacProperties - Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesWindows: - allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedDevicesWindowsProperties - 
Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesWindowsMac: - allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedDevicesWindowsMacProperties - Security_Exceptions_API_UUID: - description: A universally unique identifier - format: uuid + - sourceType + - source + Security_Osquery_API_ObjectQueries: + additionalProperties: + $ref: '#/components/schemas/Security_Osquery_API_ObjectQueriesItem' + description: An object of queries. + type: object + Security_Osquery_API_ObjectQueriesItem: + type: object + properties: + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' + id: + $ref: '#/components/schemas/Security_Osquery_API_QueryId' + platform: + $ref: '#/components/schemas/Security_Osquery_API_Platform' + query: + $ref: '#/components/schemas/Security_Osquery_API_Query' + removed: + $ref: '#/components/schemas/Security_Osquery_API_Removed' + saved_query_id: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + snapshot: + $ref: '#/components/schemas/Security_Osquery_API_Snapshot' + version: + $ref: '#/components/schemas/Security_Osquery_API_Version' + Security_Osquery_API_PackDescription: + description: The pack description. + example: Pack description type: string - Security_Lists_API_FindListItemsCursor: - description: >- - Returns the items that come after the last item returned in the previous - call (use the `cursor` value returned in the previous call). This - parameter uses the `tie_breaker_id` field to ensure all items are sorted - and returned correctly. - example: WzIwLFsiYjU3Yzc2MmMtMzAzNi00NjVjLTliZmItN2JmYjVlNmU1MTVhIl1d - format: nonempty - minLength: 1 + Security_Osquery_API_PackDescriptionOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_PackDescription' + nullable: true + Security_Osquery_API_PackId: + description: The ID of the pack. 
+ example: 3c42c847-eb30-4452-80e0-728584042334 type: string - Security_Lists_API_FindListItemsFilter: - example: value:127.0.0.1 + Security_Osquery_API_PackIdOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_PackId' + nullable: true + Security_Osquery_API_PackName: + description: The pack name. + example: my_pack type: string - Security_Lists_API_FindListsCursor: - example: WzIwLFsiYjU3Yzc2MmMtMzAzNi00NjVjLTliZmItN2JmYjVlNmU1MTVhIl1d - format: nonempty - minLength: 1 + Security_Osquery_API_PageOrUndefined: + description: The page number to return. The default is 1. + example: 1 + nullable: true + type: integer + Security_Osquery_API_PageSizeOrUndefined: + description: The number of results to return per page. The default is 20. + example: 20 + nullable: true + type: integer + Security_Osquery_API_Platform: + description: Restricts the query to a specified platform. The default is all platforms. To specify multiple platforms, use commas. For example, `linux,darwin`. + example: linux,darwin type: string - Security_Lists_API_FindListsFilter: - example: value:127.0.0.1 + Security_Osquery_API_PlatformOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_Platform' + nullable: true + Security_Osquery_API_PolicyIds: + description: A list of agents policy IDs. + example: + - policyId1 + - policyId2 + items: + type: string + type: array + Security_Osquery_API_PolicyIdsOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_PolicyIds' + nullable: true + Security_Osquery_API_Query: + description: The SQL query you want to run. + example: select * from uptime; type: string - Security_Lists_API_List: - type: object - properties: - _version: - $ref: '#/components/schemas/Security_Lists_API_ListVersionId' - '@timestamp': - example: 2025-01-08T04:47:34.273Z - format: date-time - type: string - created_at: - description: Autogenerated date of object creation. 
- example: 2025-01-08T04:47:34.273Z - format: date-time - type: string - created_by: - description: Autogenerated value - user that created object. - example: elastic - type: string - description: - $ref: '#/components/schemas/Security_Lists_API_ListDescription' - id: - $ref: '#/components/schemas/Security_Lists_API_ListId' - immutable: - type: boolean - meta: - $ref: '#/components/schemas/Security_Lists_API_ListMetadata' - name: - $ref: '#/components/schemas/Security_Lists_API_ListName' - tie_breaker_id: - description: >- - Field used in search to ensure all containers are sorted and - returned correctly. - example: f5508188-b1e9-4e6e-9662-d039a7d89899 - type: string - type: - $ref: '#/components/schemas/Security_Lists_API_ListType' - updated_at: - description: Autogenerated date of last object update. - example: 2025-01-08T04:47:34.273Z - format: date-time - type: string - updated_by: - description: Autogenerated value - user that last updated object. - example: elastic - type: string - version: - $ref: '#/components/schemas/Security_Lists_API_ListVersion' - required: - - id - - type - - name - - description - - immutable - - version - - tie_breaker_id - - created_at - - created_by - - updated_at - - updated_by - Security_Lists_API_ListDescription: - description: Describes the value list. - format: nonempty - minLength: 1 + Security_Osquery_API_QueryId: + description: The ID of the query. + example: 3c42c847-eb30-4452-80e0-728584042334 type: string - Security_Lists_API_ListId: - description: Value list's identifier. - example: 21b01cfb-058d-44b9-838c-282be16c91cd - format: nonempty - minLength: 1 + Security_Osquery_API_QueryOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_Query' + nullable: true + Security_Osquery_API_Removed: + description: Indicates whether the query is removed. 
+ example: false + type: boolean + Security_Osquery_API_RemovedOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_Removed' + nullable: true + Security_Osquery_API_SavedQueryDescription: + description: The saved query description. + example: Saved query description type: string - Security_Lists_API_ListItem: + Security_Osquery_API_SavedQueryDescriptionOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription' + nullable: true + Security_Osquery_API_SavedQueryId: + description: The ID of a saved query. + example: 3c42c847-eb30-4452-80e0-728584042334 + type: string + Security_Osquery_API_SavedQueryIdOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + nullable: true + Security_Osquery_API_ScheduledActionResultsAggregations: type: object properties: - _version: - $ref: '#/components/schemas/Security_Lists_API_ListVersionId' - '@timestamp': - example: 2025-01-08T04:47:34.273Z - format: date-time - type: string - created_at: - description: Autogenerated date of object creation. - example: 2025-01-08T04:47:34.273Z - format: date-time - type: string - created_by: - description: Autogenerated value - user that created object. - example: elastic + failed: + description: The number of agents that returned errors. + type: integer + pending: + description: The number of agents with pending responses. + type: integer + successful: + description: The number of agents that completed successfully. + type: integer + totalResponded: + description: The total number of agents that responded. + type: integer + totalRowCount: + description: The total number of result rows across all agents. + type: integer + Security_Osquery_API_ScheduledExecutionMetadata: + description: Execution metadata resolved from the pack saved object. + type: object + properties: + executionCount: + description: The execution count for this scheduled query run. + type: integer + packId: + description: The ID of the pack containing the query. 
type: string - id: - $ref: '#/components/schemas/Security_Lists_API_ListItemId' - list_id: - $ref: '#/components/schemas/Security_Lists_API_ListId' - meta: - $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' - tie_breaker_id: - description: >- - Field used in search to ensure all containers are sorted and - returned correctly. - example: f5508188-b1e9-4e6e-9662-d039a7d89899 + packName: + description: The name of the pack containing the query. type: string - type: - $ref: '#/components/schemas/Security_Lists_API_ListType' - updated_at: - description: Autogenerated date of last object update. - example: 2025-01-08T04:47:34.273Z - format: date-time + queryName: + description: The name of the query within the pack. type: string - updated_by: - description: Autogenerated value - user that last updated object. - example: elastic + queryText: + description: The SQL query that was executed. type: string - value: - $ref: '#/components/schemas/Security_Lists_API_ListItemValue' - required: - - id - - type - - list_id - - value - - tie_breaker_id - - created_at - - created_by - - updated_at - - updated_by - Security_Lists_API_ListItemId: - description: Value list item's identifier. - example: 54b01cfb-058d-44b9-838c-282be16c91cd - format: nonempty - minLength: 1 - type: string - Security_Lists_API_ListItemMetadata: - additionalProperties: true - description: Placeholder for metadata about the value list item. - type: object - Security_Lists_API_ListItemPrivileges: - type: object - properties: - application: - additionalProperties: - type: boolean - type: object - cluster: - additionalProperties: - type: boolean - type: object - has_all_requested: - type: boolean - index: - additionalProperties: - additionalProperties: - type: boolean - type: object - type: object - username: + scheduleId: + description: The schedule ID for the scheduled query. 
type: string - required: - - username - - has_all_requested - - cluster - - index - - application - Security_Lists_API_ListItemValue: - description: The value used to evaluate exceptions. - format: nonempty - minLength: 1 - type: string - Security_Lists_API_ListMetadata: - additionalProperties: true - description: Placeholder for metadata about the value list. - type: object - Security_Lists_API_ListName: - description: Value list's name. - example: List of bad IPs - format: nonempty - minLength: 1 - type: string - Security_Lists_API_ListPrivileges: - type: object - properties: - application: - additionalProperties: - type: boolean - type: object - cluster: - additionalProperties: - type: boolean - type: object - has_all_requested: - type: boolean - index: - additionalProperties: - additionalProperties: - type: boolean - type: object - type: object - username: + timestamp: + description: The timestamp of the most recent response for this execution. type: string - required: - - username - - has_all_requested - - cluster - - index - - application - Security_Lists_API_ListType: - description: > - Specifies the Elasticsearch data type of excludes the list container - holds. Some common examples: - - - - `keyword`: Many ECS fields are Elasticsearch keywords - - - `ip`: IP addresses - - - `ip_range`: Range of IP addresses (supports IPv4, IPv6, and CIDR - notation) - enum: - - binary - - boolean - - byte - - date - - date_nanos - - date_range - - double - - double_range - - float - - float_range - - geo_point - - geo_shape - - half_float - - integer - - integer_range - - ip - - ip_range - - keyword - - long - - long_range - - shape - - short - - text + Security_Osquery_API_ScheduledHistoryRow: + allOf: + - $ref: '#/components/schemas/Security_Osquery_API_UnifiedHistoryRowBase' + - type: object + properties: + executionCount: + description: The execution count for this scheduled query run. 
+ type: integer + plannedTime: + description: The planned execution time for the scheduled query. + type: string + scheduleId: + description: The schedule ID for the scheduled query. + type: string + source: + description: Indicates this is a scheduled query execution. + enum: + - Scheduled + type: string + sourceType: + description: Identifies this as a scheduled query history row. + enum: + - scheduled + type: string + required: + - sourceType + - source + Security_Osquery_API_Shards: + additionalProperties: + type: number + description: An object with shard configuration for policies included in the pack. For each policy, set the shard configuration to a percentage (1–100) of target hosts. + example: + policy_id: 50 + type: object + Security_Osquery_API_Snapshot: + description: Indicates whether the query is a snapshot. + example: true + type: boolean + Security_Osquery_API_SnapshotOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_Snapshot' + nullable: true + Security_Osquery_API_SortOrderOrUndefined: + description: Specifies the sort order. + enum: + - asc + - desc + example: desc type: string - Security_Lists_API_ListVersion: - description: The document version number. - example: 1 - minimum: 1 - type: integer - Security_Lists_API_ListVersionId: - description: > - The version id, normally returned by the API when the document is - retrieved. Use it ensure updates are done against the latest version. - example: WzIsMV0= + Security_Osquery_API_SortOrUndefined: + default: createdAt + description: The field that is used to sort the results. 
+ example: createdAt + nullable: true type: string - Security_Lists_API_PlatformErrorResponse: + Security_Osquery_API_UnifiedHistoryRow: + discriminator: + mapping: + live: '#/components/schemas/Security_Osquery_API_LiveHistoryRow' + scheduled: '#/components/schemas/Security_Osquery_API_ScheduledHistoryRow' + propertyName: sourceType + oneOf: + - $ref: '#/components/schemas/Security_Osquery_API_LiveHistoryRow' + - $ref: '#/components/schemas/Security_Osquery_API_ScheduledHistoryRow' + Security_Osquery_API_UnifiedHistoryRowBase: type: object properties: - error: + agentCount: + description: The number of agents targeted by the query. + type: integer + errorCount: + description: The number of agent responses with errors. + nullable: true + type: integer + id: + description: Unique identifier for the history row. type: string - message: + packId: + description: The ID of the pack containing the query. type: string - statusCode: + packName: + description: The name of the pack containing the query. + type: string + queryName: + description: The name of the query, if available. + type: string + queryText: + description: The SQL query that was executed. + type: string + spaceId: + description: The Kibana space ID where the query was executed. + type: string + successCount: + description: The number of successful agent responses. + nullable: true type: integer - required: - - statusCode - - error - - message - Security_Lists_API_SiemErrorResponse: - type: object - properties: - message: + timestamp: + description: The timestamp of the query execution. type: string - status_code: + totalRows: + description: The total number of result rows returned across all agents. + nullable: true type: integer required: - - status_code - - message - Security_Osquery_API_ArrayQueries: - description: An array of queries to run. 
- items: - $ref: '#/components/schemas/Security_Osquery_API_ArrayQueriesItem' - type: array - Security_Osquery_API_ArrayQueriesItem: + - id + - timestamp + - queryText + - agentCount + Security_Osquery_API_UpdatePacksRequestBody: + example: + name: updated_my_pack_name type: object properties: - ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' - id: - $ref: '#/components/schemas/Security_Osquery_API_QueryId' - platform: - $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' - query: - $ref: '#/components/schemas/Security_Osquery_API_Query' - removed: - $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' - snapshot: - $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' - version: - $ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined' - Security_Osquery_API_CopyPacksResponse: - description: The response for copying a pack. + description: + $ref: '#/components/schemas/Security_Osquery_API_PackDescription' + enabled: + $ref: '#/components/schemas/Security_Osquery_API_Enabled' + name: + $ref: '#/components/schemas/Security_Osquery_API_PackName' + policy_ids: + $ref: '#/components/schemas/Security_Osquery_API_PolicyIds' + queries: + $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries' + shards: + $ref: '#/components/schemas/Security_Osquery_API_Shards' + Security_Osquery_API_UpdatePacksResponse: + description: The response for updating a pack. 
example: data: created_at: '2025-02-26T13:37:30.452Z' created_by: elastic description: My pack - enabled: false - name: my_pack_copy - policy_ids: [] + enabled: true + name: updated_my_pack_name + policy_ids: + - my_policy_id queries: - - ecs_mapping: - - key: client.port - value: - field: port - id: ports + ports: + ecs_mapping: + client.port: + field: port interval: 60 query: SELECT * FROM listening_ports; removed: false snapshot: true timeout: 120 saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 - shards: [] - updated_at: '2025-02-26T13:37:30.452Z' + shards: + 47638692-7c4c-4053-aa3e-7186f28df349: 35 + 5e267651-fe50-443e-8d3f-3bbc9171b618: 58 + updated_at: '2025-02-26T13:40:16.297Z' updated_by: elastic + version: 1 type: object properties: data: 
@@ -79345,54 +134980,20 @@ components: created_by_profile_uid: type: string description: - $ref: >- - #/components/schemas/Security_Osquery_API_PackDescriptionOrUndefined + $ref: '#/components/schemas/Security_Osquery_API_PackDescription' enabled: - $ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Enabled' name: $ref: '#/components/schemas/Security_Osquery_API_PackName' policy_ids: - $ref: '#/components/schemas/Security_Osquery_API_PolicyIdsOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_PolicyIds' queries: - description: >- - Pack queries in saved-object storage format (array). Note: the - read endpoint returns object format. - items: - type: object - properties: - ecs_mapping: - $ref: >- - #/components/schemas/Security_Osquery_API_ECSMappingArrayOrUndefined - id: - type: string - interval: - type: integer - platform: - type: string - query: - type: string - removed: - type: boolean - snapshot: - type: boolean - timeout: - type: integer - version: - type: string - type: array + $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries' saved_object_id: - description: The saved object ID of the copied pack. + description: The saved object ID of the pack. type: string shards: - description: Shard configuration as an array of key-value pairs. - items: - type: object - properties: - key: - type: string - value: - type: number - type: array + $ref: '#/components/schemas/Security_Osquery_API_Shards' updated_at: format: date-time type: string 
@@ -79404,31 +135005,43 @@ components: version: description: The pack version number. type: integer - required: - - saved_object_id - - name - required: - - data - Security_Osquery_API_CopySavedQueryResponse: - description: The response for copying a saved query. + Security_Osquery_API_UpdateSavedQueryRequestBody: + example: + id: updated_my_saved_query_name + type: object + properties: + description: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription' + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' + id: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + interval: + $ref: '#/components/schemas/Security_Osquery_API_Interval' + platform: + $ref: '#/components/schemas/Security_Osquery_API_Platform' + query: + $ref: '#/components/schemas/Security_Osquery_API_Query' + removed: + $ref: '#/components/schemas/Security_Osquery_API_Removed' + snapshot: + $ref: '#/components/schemas/Security_Osquery_API_Snapshot' + version: + $ref: '#/components/schemas/Security_Osquery_API_Version' + Security_Osquery_API_UpdateSavedQueryResponse: + description: The response for updating a saved query. example: data: created_at: '2025-02-26T13:37:30.452Z' created_by: elastic description: Saved query description - ecs_mapping: - host.uptime: - field: total_seconds - id: my_saved_query_copy + id: updated_my_saved_query_name interval: '60' - platform: linux,darwin query: select * from uptime; - removed: false saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c - snapshot: true - timeout: 120 - updated_at: '2025-02-26T13:37:30.452Z' + updated_at: '2025-02-26T13:40:16.297Z' updated_by: elastic + version: WzQzMTcsMV0= type: object properties: data: 
@@ -79443,10 +135056,9 @@ components: created_by_profile_uid: type: string description: - $ref: >- - #/components/schemas/Security_Osquery_API_SavedQueryDescriptionOrUndefined + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription' ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' id: $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' interval:
@@ -79454,15 +135066,17 @@ components: - type: integer - type: string platform: - $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Platform' + prebuilt: + type: boolean query: $ref: '#/components/schemas/Security_Osquery_API_Query' removed: - $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Removed' saved_object_id: type: string snapshot: - $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Snapshot' timeout: type: integer updated_at: 
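Review bot: The newly added `prebuilt: type: boolean` property in the second hunk on this line (`@@ -79454,15 +135066,17 @@`, right after `platform`) has no `description`, while every sibling property here documents itself through its `$ref` target, so readers of the rendered spec get a bare boolean with no meaning. Please add one, e.g. `description: Whether the saved query is a prebuilt query shipped with the product rather than one created by a user.` — the wording is inferred from the name, so adjust it to the actual semantics. If this file is a generated bundle, the description belongs in the source spec that feeds it rather than in this output. The enclosing `Security_Osquery_API_UpdateSavedQueryResponse` schema starts in the preceding hunk and continues past this one.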
@@ -79473,5003 +135087,4643 @@ components: type: string updated_by_profile_uid: type: string + version: + description: The saved query version. + type: string required: - saved_object_id - id required: - data - Security_Osquery_API_CreateLiveQueryRequestBody: - example: - agent_all: true - ecs_mapping: - host.uptime: - field: total_seconds - query: select * from uptime; + Security_Osquery_API_Version: + description: Uses the Osquery versions greater than or equal to the specified version string. + example: 1.0.0 + type: string + Security_Osquery_API_VersionOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_Version' + nullable: true + Security_Timeline_API_AssociatedFilterType: + description: | + How the note is associated with a Timeline saved object and/or an event (`eventId`). `all`: no association-based restriction from this parameter. `document_only`: document-linked notes (non-empty `eventId`) without timeline association in the API's internal sense; post-filtering drops notes without a usable `eventId`. `saved_object_only`: timeline notes with no linked event (`eventId` empty or absent); post-filtering keeps timeline-only notes. `document_and_saved_object`: notes on a timeline and linked to an event; post-filtering enforces a real `eventId`. `orphan`: not on a timeline and `eventId` is empty (stricter than missing `eventId` in some cases). + enum: + - all + - document_only + - saved_object_only + - document_and_saved_object + - orphan + type: string + Security_Timeline_API_BareNote: + allOf: + - $ref: '#/components/schemas/Security_Timeline_API_NoteCreatedAndUpdatedMetadata' + - type: object + properties: + eventId: + description: | + Elasticsearch document `_id` for the event or alert this note refers to. Same value as the `documentIds` query parameter when fetching notes via GET /api/note. 
+ example: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc + nullable: true + type: string + note: + description: The text of the note + example: This is an example text + nullable: true + type: string + timelineId: + description: The `savedObjectId` of the Timeline this note belongs to (not the note's own ID). + example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + type: string + required: + - timelineId + Security_Timeline_API_BarePinnedEvent: + allOf: + - $ref: '#/components/schemas/Security_Timeline_API_PinnedEventCreatedAndUpdatedMetadata' + - type: object + properties: + eventId: + description: The `_id` of the associated event for this pinned event. + example: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc + type: string + timelineId: + description: The `savedObjectId` of the timeline that this pinned event is associated with + example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + type: string + required: + - eventId + - timelineId + Security_Timeline_API_ColumnHeaderResult: type: object properties: - agent_all: - description: When `true`, the query runs on all agents. + aggregatable: + nullable: true type: boolean - agent_ids: - description: A list of agent IDs to run the query on. - items: - type: string - type: array - agent_platforms: - description: A list of agent platforms to run the query on. - items: - type: string - type: array - agent_policy_ids: - description: A list of agent policy IDs to run the query on. - items: - type: string - type: array - alert_ids: - description: A list of alert IDs associated with the live query. - items: - type: string - type: array - case_ids: - description: A list of case IDs associated with the live query. - items: - type: string - type: array - ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' - event_ids: - description: A list of event IDs associated with the live query. 
+ category: + nullable: true + type: string + columnHeaderType: + nullable: true + type: string + description: + nullable: true + type: string + example: + nullable: true + type: string + id: + nullable: true + type: string + indexes: items: type: string + nullable: true type: array - metadata: - description: Custom metadata object associated with the live query. + name: nullable: true - type: object - pack_id: - $ref: '#/components/schemas/Security_Osquery_API_PackIdOrUndefined' - queries: - $ref: '#/components/schemas/Security_Osquery_API_ArrayQueries' - query: - $ref: '#/components/schemas/Security_Osquery_API_QueryOrUndefined' - saved_query_id: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryIdOrUndefined' - Security_Osquery_API_CreateLiveQueryResponse: - description: The response for creating a live query. - example: - data: - '@timestamp': '2022-07-26T09:59:32.220Z' - action_id: 3c42c847-eb30-4452-80e0-728584042334 - agent_all: true - agent_ids: [] - agent_platforms: [] - agent_policy_ids: [] - agents: - - 16d7caf5-efd2-4212-9b62-73dafc91fa13 - expiration: '2022-07-26T10:04:32.220Z' - input_type: osquery - metadata: - execution_context: - name: osquery - url: /app/osquery/live_queries/new - queries: - - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 - agents: - - 16d7caf5-efd2-4212-9b62-73dafc91fa13 - ecs_mapping: - host.uptime: - field: total_seconds - id: 6724a474-cbba-41ef-a1aa-66aebf0879e2 - query: select * from uptime; - timeout: 120 - type: INPUT_ACTION - user_id: elastic + type: string + placeholder: + nullable: true + type: string + searchable: + nullable: true + type: boolean + type: + nullable: true + type: string + Security_Timeline_API_DataProviderQueryMatch: type: object properties: - data: - type: object - properties: - '@timestamp': - description: The timestamp when the action was created. - format: date-time - type: string - action_id: - description: The ID of the action. 
- type: string - agent_all: - description: Whether the query targets all agents. - type: boolean - agent_ids: - description: The agent IDs targeted by the action. - items: - type: string - type: array - agent_platforms: - description: The agent platforms targeted. - items: - type: string - type: array - agent_policy_ids: - description: The agent policy IDs targeted. - items: - type: string - type: array - agents: - description: The resolved list of agent IDs. - items: - type: string - type: array - expiration: - description: The expiration date of the action. - format: date-time - type: string - input_type: - description: The input type. - type: string - metadata: - description: Custom metadata associated with the action. - type: object - pack_id: - description: The pack ID if the query was run from a pack. - type: string - queries: - description: The queries in this action. - items: - type: object - properties: - action_id: - type: string - agents: - items: - type: string - type: array - ecs_mapping: - $ref: >- - #/components/schemas/Security_Osquery_API_ECSMappingOrUndefined - id: - type: string - platform: - type: string - query: - type: string - saved_query_id: - type: string - timeout: - type: integer - version: - type: string - type: array - type: - description: The action type. - type: string - user_id: - description: The user who created the action. 
- type: string - required: - - action_id + enabled: + nullable: true + type: boolean + excluded: + nullable: true + type: boolean + id: + nullable: true + type: string + kqlQuery: + nullable: true + type: string + name: + nullable: true + type: string + queryMatch: + $ref: '#/components/schemas/Security_Timeline_API_QueryMatchResult' + nullable: true + type: + $ref: '#/components/schemas/Security_Timeline_API_DataProviderType' + nullable: true + Security_Timeline_API_DataProviderResult: + type: object + properties: + and: + items: + $ref: '#/components/schemas/Security_Timeline_API_DataProviderQueryMatch' + nullable: true + type: array + enabled: + nullable: true + type: boolean + excluded: + nullable: true + type: boolean + id: + nullable: true + type: string + kqlQuery: + nullable: true + type: string + name: + nullable: true + type: string + queryMatch: + $ref: '#/components/schemas/Security_Timeline_API_QueryMatchResult' + nullable: true + type: + $ref: '#/components/schemas/Security_Timeline_API_DataProviderType' + nullable: true + Security_Timeline_API_DataProviderType: + description: The type of data provider. + enum: + - default + - template + type: string + Security_Timeline_API_DocumentIds: + description: One document ID or an array of IDs (Elasticsearch `_id` of the event). 
+ oneOf: + - items: + type: string + type: array + - type: string + Security_Timeline_API_FavoriteTimelineResponse: + type: object + properties: + favorite: + items: + $ref: '#/components/schemas/Security_Timeline_API_FavoriteTimelineResult' + type: array + savedObjectId: + type: string + templateTimelineId: + nullable: true + type: string + templateTimelineVersion: + nullable: true + type: number + timelineType: + $ref: '#/components/schemas/Security_Timeline_API_TimelineType' + version: + type: string required: - - data - Security_Osquery_API_CreatePacksRequestBody: + - savedObjectId + - version + Security_Timeline_API_FavoriteTimelineResult: + description: Indicates when and who marked a Timeline as a favorite. example: - description: My pack - enabled: true - name: my_pack - policy_ids: - - my_policy_id - - fleet-server-policy - queries: - my_query: - ecs_mapping: - client.port: - field: port - tags: - value: - - tag1 - - tag2 - interval: 60 - query: SELECT * FROM listening_ports; - timeout: 120 - shards: - fleet-server-policy: 58 - my_policy_id: 35 + favoriteDate: 1741337636741 + userName: elastic type: object properties: - description: - $ref: '#/components/schemas/Security_Osquery_API_PackDescriptionOrUndefined' - enabled: - $ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined' - name: - $ref: '#/components/schemas/Security_Osquery_API_PackName' - policy_ids: - $ref: '#/components/schemas/Security_Osquery_API_PolicyIdsOrUndefined' - queries: - $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries' - shards: - $ref: '#/components/schemas/Security_Osquery_API_Shards' - Security_Osquery_API_CreatePacksResponse: - description: The response for creating a pack. 
+ favoriteDate: + nullable: true + type: number + fullName: + nullable: true + type: string + userName: + nullable: true + type: string + Security_Timeline_API_FilterTimelineResult: example: - data: - created_at: '2025-02-26T13:37:30.452Z' - created_by: elastic - description: My pack - enabled: true - name: my_pack - policy_ids: - - my_policy_id - queries: - ports: - ecs_mapping: - client.port: - field: port - interval: 60 - query: SELECT * FROM listening_ports; - removed: false - snapshot: true - timeout: 120 - saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 - shards: - 47638692-7c4c-4053-aa3e-7186f28df349: 35 - 5e267651-fe50-443e-8d3f-3bbc9171b618: 58 - updated_at: '2025-02-26T13:37:30.452Z' - updated_by: elastic - version: 1 + meta: + alias: Custom filter name + disabled: false + index: .alerts-security.alerts-default,logs-* + key: '@timestamp' + negate: false, + type: exists + value: exists + query: '{"exists":{"field":"@timestamp"}}' type: object properties: - data: + exists: + nullable: true + type: string + match_all: + nullable: true + type: string + meta: + nullable: true type: object properties: - created_at: - description: The date and time the pack was created. - format: date-time + alias: + nullable: true type: string - created_by: - description: The user who created the pack. + controlledBy: nullable: true type: string - created_by_profile_uid: - description: The profile UID of the user who created the pack. 
+ disabled: + nullable: true + type: boolean + field: + nullable: true type: string - description: - $ref: >- - #/components/schemas/Security_Osquery_API_PackDescriptionOrUndefined - enabled: - $ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined' - name: - $ref: '#/components/schemas/Security_Osquery_API_PackName' - policy_ids: - $ref: '#/components/schemas/Security_Osquery_API_PolicyIdsOrUndefined' - queries: - $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries' - saved_object_id: - description: The saved object ID of the pack. + formattedValue: + nullable: true type: string - shards: - description: Shard configuration as an array of key-value pairs. - items: + index: + nullable: true + type: string + key: + nullable: true + type: string + negate: + nullable: true + type: boolean + params: + nullable: true + type: string + type: + nullable: true + type: string + value: + nullable: true + type: string + missing: + nullable: true + type: string + query: + nullable: true + type: string + range: + nullable: true + type: string + script: + nullable: true + type: string + Security_Timeline_API_GetNotesResult: + type: object + properties: + notes: + items: + $ref: '#/components/schemas/Security_Timeline_API_Note' + type: array + totalCount: + description: Number of notes returned (may be adjusted after the query when `associatedFilter` applies post-filtering). 
+ type: number + required: + - totalCount + - notes + Security_Timeline_API_ImportTimelineResult: + type: object + properties: + errors: + description: The list of failed Timeline imports + items: + type: object + properties: + error: + description: The error containing the reason why the timeline could not be imported type: object properties: - key: + message: + description: The reason why the timeline could not be imported + example: Malformed JSON type: string - value: + status_code: + description: The HTTP status code of the error + example: 400 type: number + id: + description: The ID of the timeline that failed to import + example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 + type: string + type: array + success: + description: Indicates whether any of the Timelines were successfully imports + type: boolean + success_count: + description: The amount of successfully imported/updated Timelines + example: 99 + type: number + timelines_installed: + description: The amount of successfully installed Timelines + example: 80 + type: number + timelines_updated: + description: The amount of successfully updated Timelines + example: 19 + type: number + Security_Timeline_API_ImportTimelines: + allOf: + - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' + - type: object + properties: + eventNotes: + items: + $ref: '#/components/schemas/Security_Timeline_API_BareNote' + nullable: true type: array - updated_at: - description: The date and time the pack was last updated. - format: date-time + globalNotes: + items: + $ref: '#/components/schemas/Security_Timeline_API_BareNote' + nullable: true + type: array + pinnedEventIds: + items: + type: string + nullable: true + type: array + savedObjectId: + nullable: true type: string - updated_by: - description: The user who last updated the pack. + version: nullable: true type: string - updated_by_profile_uid: - description: The profile UID of the user who last updated the pack. 
+ required: + - savedObjectId + - version + - pinnedEventIds + - eventNotes + - globalNotes + Security_Timeline_API_Note: + allOf: + - $ref: '#/components/schemas/Security_Timeline_API_BareNote' + - type: object + properties: + noteId: + description: The `savedObjectId` of the note + example: 709f99c6-89b6-4953-9160-35945c8e174e type: string version: - description: The pack version number. - type: integer + description: The version of the note + example: WzQ2LDFd + type: string required: - - saved_object_id - - name + - noteId + - version + Security_Timeline_API_NoteCreatedAndUpdatedMetadata: + type: object + properties: + created: + description: The time the note was created, using a 13-digit Epoch timestamp. + example: 1587468588922 + nullable: true + type: number + createdBy: + description: The user who created the note. + example: casetester + nullable: true + type: string + updated: + description: The last time the note was updated, using a 13-digit Epoch timestamp + example: 1741344876825 + nullable: true + type: number + updatedBy: + description: The user who last updated the note + example: casetester + nullable: true + type: string + Security_Timeline_API_PersistPinnedEventResponse: + oneOf: + - $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent' + - type: object + properties: + unpinned: + description: Indicates whether the event was successfully unpinned + type: boolean + required: + - unpinned + Security_Timeline_API_PersistTimelineResponse: + $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' + Security_Timeline_API_PinnedEvent: + allOf: + - $ref: '#/components/schemas/Security_Timeline_API_BarePinnedEvent' + - type: object + properties: + pinnedEventId: + description: The `savedObjectId` of this pinned event + example: 10r1929b-0af7-42bd-85a8-56e234f98h2f3 + type: string + version: + description: The version of this pinned event + example: WzQ2LDFe + type: string + required: + - pinnedEventId + - version + 
Security_Timeline_API_PinnedEventCreatedAndUpdatedMetadata: + type: object + properties: + created: + description: The time the pinned event was created, using a 13-digit Epoch timestamp. + example: 1587468588922 + nullable: true + type: number + createdBy: + description: The user who created the pinned event. + example: casetester + nullable: true + type: string + updated: + description: The last time the pinned event was updated, using a 13-digit Epoch timestamp + example: 1741344876825 + nullable: true + type: number + updatedBy: + description: The user who last updated the pinned event + example: casetester + nullable: true + type: string + Security_Timeline_API_QueryMatchResult: + type: object + properties: + displayField: + nullable: true + type: string + displayValue: + nullable: true + type: string + field: + nullable: true + type: string + operator: + nullable: true + type: string + value: + oneOf: + - nullable: true + type: string + - items: + type: string + nullable: true + type: array + Security_Timeline_API_ResolvedTimeline: + type: object + properties: + alias_purpose: + $ref: '#/components/schemas/Security_Timeline_API_SavedObjectResolveAliasPurpose' + alias_target_id: + type: string + outcome: + $ref: '#/components/schemas/Security_Timeline_API_SavedObjectResolveOutcome' + timeline: + $ref: '#/components/schemas/Security_Timeline_API_TimelineSavedToReturnObject' required: - - data - Security_Osquery_API_CreateSavedQueryRequestBody: - example: - description: Saved query description - ecs_mapping: - host.uptime: - field: total_seconds - id: saved_query_id - interval: '60' - platform: linux,darwin - query: select * from uptime; - timeout: 120 - version: 2.8.0 + - timeline + - outcome + Security_Timeline_API_ResponseNote: type: object properties: - description: - $ref: >- - #/components/schemas/Security_Osquery_API_SavedQueryDescriptionOrUndefined - ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' - id: - $ref: 
'#/components/schemas/Security_Osquery_API_SavedQueryId' - interval: - $ref: '#/components/schemas/Security_Osquery_API_Interval' - platform: - $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' - query: - $ref: '#/components/schemas/Security_Osquery_API_QueryOrUndefined' - removed: - $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' - snapshot: - $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' - version: - $ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined' - Security_Osquery_API_CreateSavedQueryResponse: - description: The response for creating a saved query. - example: - data: - created_at: '2025-02-26T13:37:30.452Z' - created_by: elastic - description: Saved query description - ecs_mapping: - host.uptime: - field: total_seconds - id: saved_query_id - interval: '60' - platform: linux,darwin - prebuilt: false - query: select * from uptime; - saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c - timeout: 120 - updated_at: '2025-02-26T13:37:30.452Z' - updated_by: elastic - version: 2.8.0 + note: + $ref: '#/components/schemas/Security_Timeline_API_Note' + required: + - note + Security_Timeline_API_RowRendererId: + description: Identifies the available row renderers + enum: + - alert + - alerts + - auditd + - auditd_file + - library + - netflow + - plain + - registry + - suricata + - system + - system_dns + - system_endgame_process + - system_file + - system_fim + - system_security_event + - system_socket + - threat_match + - zeek + type: string + Security_Timeline_API_SavedObjectIds: + description: One Timeline saved object ID or an array of IDs. 
+ oneOf: + - items: + type: string + type: array + - type: string + Security_Timeline_API_SavedObjectResolveAliasPurpose: + enum: + - savedObjectConversion + - savedObjectImport + type: string + Security_Timeline_API_SavedObjectResolveOutcome: + enum: + - exactMatch + - aliasMatch + - conflict + type: string + Security_Timeline_API_SavedTimeline: type: object properties: - data: + columns: + description: The Timeline's columns + example: + - columnHeaderType: not-filtered + id: '@timestamp' + - columnHeaderType: not-filtered + id: event.category + items: + $ref: '#/components/schemas/Security_Timeline_API_ColumnHeaderResult' + nullable: true + type: array + created: + description: The time the Timeline was created, using a 13-digit Epoch timestamp. + example: 1587468588922 + nullable: true + type: number + createdBy: + description: The user who created the Timeline. + example: casetester + nullable: true + type: string + dataProviders: + description: Object containing query clauses + example: + - enabled: true + excluded: false + id: id-d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b + name: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b + queryMatch: + field: _id, + operator: ':' + value: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b, + items: + $ref: '#/components/schemas/Security_Timeline_API_DataProviderResult' + nullable: true + type: array + dataViewId: + description: ID of the Timeline's Data View + example: security-solution-default + nullable: true + type: string + dateRange: + description: The Timeline's search period. 
+ example: + end: 1587456479201 + start: 1587370079200 + nullable: true type: object properties: - created_at: - format: date-time - type: string - created_by: + end: + oneOf: + - nullable: true + type: string + - nullable: true + type: number + start: + oneOf: + - nullable: true + type: string + - nullable: true + type: number + description: + description: The Timeline's description + example: Investigating exposure of CVE XYZ + nullable: true + type: string + eqlOptions: + description: EQL query that is used in the correlation tab + example: + eventCategoryField: event.category + query: sequence\n[process where process.name == "sudo"]\n[any where true] + size: 100 + timestampField: '@timestamp' + nullable: true + type: object + properties: + eventCategoryField: nullable: true type: string - created_by_profile_uid: - type: string - description: - $ref: >- - #/components/schemas/Security_Osquery_API_SavedQueryDescriptionOrUndefined - ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' - id: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' - interval: - description: >- - An interval, in seconds, on which to run the query. May be - returned as number or string. - oneOf: - - type: integer - - type: string - platform: - $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' - prebuilt: - description: Whether the saved query is prebuilt. - type: boolean query: - $ref: '#/components/schemas/Security_Osquery_API_Query' - removed: - $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' - saved_object_id: - description: The saved object ID of the saved query. + nullable: true type: string - snapshot: - $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' - timeout: - description: The query timeout in seconds. 
- type: integer - updated_at: - format: date-time + size: + oneOf: + - nullable: true + type: string + - nullable: true + type: number + tiebreakerField: + nullable: true type: string - updated_by: + timestampField: nullable: true type: string - updated_by_profile_uid: + eventType: + deprecated: true + description: Event types displayed in the Timeline + example: all + nullable: true + type: string + excludedRowRendererIds: + description: A list of row renderers that should not be used when in `Event renderers` mode + items: + $ref: '#/components/schemas/Security_Timeline_API_RowRendererId' + nullable: true + type: array + favorite: + items: + $ref: '#/components/schemas/Security_Timeline_API_FavoriteTimelineResult' + nullable: true + type: array + filters: + description: A list of filters that should be applied to the query + items: + $ref: '#/components/schemas/Security_Timeline_API_FilterTimelineResult' + nullable: true + type: array + indexNames: + description: A list of index names to use in the query (e.g. 
when the default data view has been modified) + example: + - .logs* + items: + type: string + nullable: true + type: array + kqlMode: + description: |- + Indicates whether the KQL bar filters the query results or searches for additional results, where: + * `filter`: filters query results + * `search`: displays additional search results + example: search + nullable: true + type: string + kqlQuery: + $ref: '#/components/schemas/Security_Timeline_API_SerializedFilterQueryResult' + nullable: true + savedQueryId: + description: The ID of the saved query that might be used in the Query tab + example: c7b16904-02d7-4f32-b8f2-cc20f9625d6e + nullable: true + type: string + savedSearchId: + description: The ID of the saved search that is used in the ES|QL tab + example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 + nullable: true + type: string + sort: + $ref: '#/components/schemas/Security_Timeline_API_Sort' + nullable: true + status: + $ref: '#/components/schemas/Security_Timeline_API_TimelineStatus' + nullable: true + templateTimelineId: + description: A unique ID (UUID) for Timeline templates. For Timelines, the value is `null`. + example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 + nullable: true + type: string + templateTimelineVersion: + description: Timeline template version number. For Timelines, the value is `null`. + example: 12 + nullable: true + type: number + timelineType: + $ref: '#/components/schemas/Security_Timeline_API_TimelineType' + nullable: true + title: + description: The Timeline's title. 
+ example: CVE XYZ investigation + nullable: true + type: string + updated: + description: The last time the Timeline was updated, using a 13-digit Epoch timestamp + example: 1741344876825 + nullable: true + type: number + updatedBy: + description: The user who last updated the Timeline + example: casetester + nullable: true + type: string + Security_Timeline_API_SavedTimelineWithSavedObjectId: + allOf: + - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' + - type: object + properties: + savedObjectId: + description: The `savedObjectId` of the Timeline or Timeline template + example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e type: string version: - description: The saved query version. - oneOf: - - type: integer - - type: string + description: The version of the Timeline or Timeline template + example: WzE0LDFd + type: string required: - - saved_object_id - - id - required: - - data - Security_Osquery_API_DefaultSuccessResponse: - example: {} - type: object - properties: {} - Security_Osquery_API_ECSMapping: - additionalProperties: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingItem' - description: >- - Map osquery results columns or static values to Elastic Common Schema - (ECS) fields + - savedObjectId + - version + Security_Timeline_API_SerializedFilterQueryResult: + description: KQL bar query. example: - host.uptime: - field: total_seconds - type: object - Security_Osquery_API_ECSMappingArray: - description: >- - ECS mapping in saved-object storage format (array of key-value pairs). - The find and copy pack endpoints return this format. The read endpoint - returns object format (ECSMapping). - items: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingArrayItem' - type: array - Security_Osquery_API_ECSMappingArrayItem: - description: ECS mapping item in saved-object storage format (key-value pair). - type: object - properties: - key: - description: The ECS field name. 
- type: string - value: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingItem' - Security_Osquery_API_ECSMappingArrayOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingArray' - nullable: true - Security_Osquery_API_ECSMappingItem: + filterQuery: null + kuery: + expression: '_id : *' + kind: kuery + serializedQuery: '{"bool":{"should":[{"exists":{"field":"_id"}}],"minimum_should_match":1}}' type: object properties: - field: - description: The ECS field to map to. - example: host.uptime - type: string - value: - description: The value to map to the ECS field. - example: total_seconds - oneOf: - - type: string - - items: - type: string - type: array - Security_Osquery_API_ECSMappingOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' - nullable: true - Security_Osquery_API_Enabled: - description: Enables the pack. - example: true - type: boolean - Security_Osquery_API_EnabledOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_Enabled' - nullable: true - Security_Osquery_API_FindLiveQueryDetailsResponse: + filterQuery: + nullable: true + type: object + properties: + kuery: + nullable: true + type: object + properties: + expression: + nullable: true + type: string + kind: + nullable: true + type: string + serializedQuery: + nullable: true + type: string + Security_Timeline_API_Sort: + oneOf: + - $ref: '#/components/schemas/Security_Timeline_API_SortObject' + - items: + $ref: '#/components/schemas/Security_Timeline_API_SortObject' + type: array + Security_Timeline_API_SortFieldTimeline: + description: The field to sort the timelines by. 
+ enum: + - title + - description + - updated + - created + type: string + Security_Timeline_API_SortObject: + description: Object indicating how rows are sorted in the Timeline's grid example: - data: - '@timestamp': '2022-07-26T09:59:32.220Z' - action_id: 3c42c847-eb30-4452-80e0-728584042334 - agents: - - 16d7caf5-efd2-4212-9b62-73dafc91fa13 - expiration: '2022-07-26T10:04:32.220Z' - queries: - - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 - agents: - - 16d7caf5-efd2-4212-9b62-73dafc91fa13 - docs: 0 - ecs_mapping: - host.uptime: - field: total_seconds - failed: 1 - id: 6724a474-cbba-41ef-a1aa-66aebf0879e2 - pending: 0 - query: select * from uptime; - responded: 1 - saved_query_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d - status: completed - successful: 0 - status: completed - user_id: elastic + columnId: '@timestamp' + sortDirection: desc type: object properties: - data: - type: object + columnId: + nullable: true + type: string + columnType: + nullable: true + type: string + sortDirection: + nullable: true + type: string + Security_Timeline_API_TimelineResponse: + allOf: + - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' + - $ref: '#/components/schemas/Security_Timeline_API_SavedTimelineWithSavedObjectId' + - type: object properties: - '@timestamp': - format: date-time - type: string - action_id: - type: string - agents: - items: - type: string - type: array - expiration: - format: date-time - type: string - pack_id: - type: string - pack_name: - type: string - prebuilt_pack: - type: boolean - queries: - description: The queries with their execution status. + eventIdToNoteIds: + description: A list of all the notes that are associated to this Timeline. items: - type: object - properties: - action_id: - type: string - agents: - items: - type: string - type: array - docs: - description: Number of result documents. 
- type: integer - ecs_mapping: - $ref: >- - #/components/schemas/Security_Osquery_API_ECSMappingOrUndefined - failed: - description: Number of failed queries. - type: integer - id: - type: string - pending: - description: Number of pending agents. - type: integer - query: - type: string - responded: - description: Total responded agents. - type: integer - saved_query_id: - type: string - status: - description: Status of this individual query. - enum: - - completed - - running - type: string - successful: - description: Number of successful agents. - type: integer + $ref: '#/components/schemas/Security_Timeline_API_Note' + nullable: true type: array - status: - description: Global status of the live query (completed, running). - enum: - - completed - - running - type: string - tags: + noteIds: + description: A list of all the ids of notes that are associated to this Timeline. + example: + - 709f99c6-89b6-4953-9160-35945c8e174e items: type: string + nullable: true type: array - user_id: - type: string - user_profile_uid: - type: string - Security_Osquery_API_FindLiveQueryResponse: - example: - data: - items: - - _source: - '@timestamp': '2023-10-31T00:00:00Z' - action_id: 3c42c847-eb30-4452-80e0-728584042334 - agents: - - 16d7caf5-efd2-4212-9b62-73dafc91fa13 - expiration: '2023-10-31T00:00:00Z' - queries: - - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 - agents: - - 16d7caf5-efd2-4212-9b62-73dafc91fa13 - ecs_mapping: - host.uptime: - field: total_seconds - id: 6724a474-cbba-41ef-a1aa-66aebf0879e2 - query: select * from uptime; - saved_query_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d - result_counts: - error_agents: 0 - responded_agents: 1 - successful_agents: 1 - total_rows: 42 - user_id: elastic - total: 1 - type: object - properties: - data: - type: object - properties: - items: - description: An array of live query action items. + notes: + description: A list of all the notes that are associated to this Timeline. 
items: - type: object - properties: - _source: - type: object - properties: - '@timestamp': - format: date-time - type: string - action_id: - type: string - agents: - items: - type: string - type: array - expiration: - format: date-time - type: string - pack_id: - type: string - queries: - items: - type: object - properties: - action_id: - type: string - agents: - items: - type: string - type: array - ecs_mapping: - $ref: >- - #/components/schemas/Security_Osquery_API_ECSMappingOrUndefined - id: - type: string - query: - type: string - saved_query_id: - type: string - type: array - result_counts: - description: >- - Result count statistics (present when withResultCounts - is true). - type: object - properties: - error_agents: - type: integer - responded_agents: - type: integer - successful_agents: - type: integer - total_rows: - type: integer - user_id: - type: string + $ref: '#/components/schemas/Security_Timeline_API_Note' + nullable: true type: array - total: - description: The total number of live queries. - type: integer - Security_Osquery_API_FindPackResponse: - description: The details of a single query pack. - example: - data: - created_at: '2022-07-25T19:41:10.263Z' - created_by: elastic - description: '' - enabled: true - name: test_pack - namespaces: - - default - policy_ids: [] - queries: - uptime: - ecs_mapping: - message: - field: days - interval: 3600 - query: select * from uptime - read_only: false - saved_object_id: 3c42c847-eb30-4452-80e0-728584042334 - shards: {} - type: osquery-pack - updated_at: '2022-07-25T20:12:01.455Z' - updated_by: elastic - version: 1 - type: object - properties: - data: - description: The pack details. - type: object + pinnedEventIds: + description: A list of all the ids of pinned events that are associated to this Timeline. 
+ example: + - 983f99c6-89b6-4953-9160-35945c8a194f + items: + type: string + nullable: true + type: array + pinnedEventsSaveObject: + description: A list of all the pinned events that are associated to this Timeline. + items: + $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent' + nullable: true + type: array + Security_Timeline_API_TimelineSavedToReturnObject: + allOf: + - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' + - type: object properties: - created_at: - format: date-time - type: string - created_by: + eventIdToNoteIds: + items: + $ref: '#/components/schemas/Security_Timeline_API_Note' nullable: true - type: string - created_by_profile_uid: - type: string - description: - $ref: >- - #/components/schemas/Security_Osquery_API_PackDescriptionOrUndefined - enabled: - $ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined' - name: - $ref: '#/components/schemas/Security_Osquery_API_PackName' - namespaces: - description: The namespaces the pack belongs to. + type: array + noteIds: items: type: string + nullable: true type: array - policy_ids: - $ref: '#/components/schemas/Security_Osquery_API_PolicyIdsOrUndefined' - queries: - $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries' - read_only: - description: Whether the pack is read-only (true for prebuilt packs). - type: boolean - saved_object_id: - description: The saved object ID of the pack. - type: string - shards: - $ref: '#/components/schemas/Security_Osquery_API_Shards' - type: - description: The saved object type. 
- type: string - updated_at: - format: date-time - type: string - updated_by: + notes: + items: + $ref: '#/components/schemas/Security_Timeline_API_Note' nullable: true - type: string - updated_by_profile_uid: + type: array + pinnedEventIds: + items: + type: string + nullable: true + type: array + pinnedEventsSaveObject: + items: + $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent' + nullable: true + type: array + savedObjectId: type: string version: - description: The pack version number. - type: integer + type: string required: - - saved_object_id - - name - required: - - data - Security_Osquery_API_FindPacksResponse: - description: A paginated list of query packs. - example: - data: - - created_at: '2023-10-31T00:00:00Z' - created_by: elastic - created_by_profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - description: My pack description - enabled: true - name: My Pack - policy_ids: [] - queries: - - ecs_mapping: - - key: host.uptime - value: - field: total_seconds - id: uptime - interval: 3600 - query: select * from uptime; - read_only: false - saved_object_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d - updated_at: '2023-10-31T00:00:00Z' - updated_by: elastic - updated_by_profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - page: 1 - per_page: 10 - total: 1 + - savedObjectId + - version + Security_Timeline_API_TimelineStatus: + description: The status of the Timeline. + enum: + - active + - draft + - immutable + type: string + Security_Timeline_API_TimelineType: + description: The type of Timeline. + enum: + - default + - template + type: string + Short_URL_APIs_urlResponse: type: object properties: - data: - description: An array of pack objects. 
- items: - type: object - properties: - created_at: - format: date-time - type: string - created_by: - nullable: true - type: string - created_by_profile_uid: - type: string - description: - $ref: >- - #/components/schemas/Security_Osquery_API_PackDescriptionOrUndefined - enabled: - $ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined' - name: - $ref: '#/components/schemas/Security_Osquery_API_PackName' - policy_ids: - $ref: '#/components/schemas/Security_Osquery_API_PolicyIdsOrUndefined' - queries: - description: >- - Pack queries in saved-object storage format (array). Note: the - read endpoint returns object format. - items: - type: object - properties: - ecs_mapping: - $ref: >- - #/components/schemas/Security_Osquery_API_ECSMappingArrayOrUndefined - id: - type: string - interval: - type: integer - platform: - type: string - query: - type: string - removed: - type: boolean - snapshot: - type: boolean - timeout: - type: integer - version: - type: string - type: array - read_only: - description: Whether the pack is read-only (true for prebuilt packs). - type: boolean - saved_object_id: - description: The saved object ID of the pack. - type: string - updated_at: - format: date-time - type: string - updated_by: - nullable: true - type: string - updated_by_profile_uid: - type: string - version: - description: The pack version number. - type: integer - required: - - saved_object_id - - name - type: array - page: - description: The current page number. + accessCount: + description: Number of times the short URL has been resolved. type: integer - per_page: - description: The number of results per page. + accessDate: + description: Unix epoch (milliseconds) of the last time the short URL was resolved. Set to the creation time when the URL has never been accessed. + format: int64 type: integer - total: - description: The total number of packs. + createDate: + description: Unix epoch (milliseconds) when the short URL was created. 
+ format: int64 type: integer - required: - - page - - per_page - - total - - data - Security_Osquery_API_FindSavedQueryDetailResponse: - description: The details of a single saved query. - example: - data: - created_at: '2022-07-26T09:28:08.597Z' - created_by: elastic - description: Saved query description - ecs_mapping: - host.uptime: - field: total_seconds - id: saved_query_id - interval: '60' - platform: linux,darwin - prebuilt: false - query: select * from uptime; - saved_object_id: 3c42c847-eb30-4452-80e0-728584042334 - updated_at: '2022-07-26T09:28:08.597Z' - updated_by: elastic - version: 2.8.0 - type: object - properties: - data: + id: + description: The identifier for the short URL. + type: string + locator: type: object properties: - created_at: - format: date-time - type: string - created_by: - nullable: true - type: string - created_by_profile_uid: - type: string - description: - $ref: >- - #/components/schemas/Security_Osquery_API_SavedQueryDescriptionOrUndefined - ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' id: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' - interval: - oneOf: - - type: integer - - type: string - platform: - $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' - prebuilt: - type: boolean - query: - $ref: '#/components/schemas/Security_Osquery_API_Query' - removed: - $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' - saved_object_id: - type: string - snapshot: - $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' - timeout: - type: integer - updated_at: - format: date-time - type: string - updated_by: - nullable: true - type: string - updated_by_profile_uid: + description: The identifier for the locator. type: string + state: + description: The locator parameters. 
+ type: object version: - oneOf: - - type: integer - - type: string - required: - - saved_object_id - - id + description: The version of Kibana when the short URL was created. + type: string + slug: + description: | + A random human-readable slug is automatically generated if the `humanReadableSlug` parameter is set to `true`. If it is set to `false`, a random short string is generated. + type: string + SLOs_400_response: + title: Bad request + type: object + properties: + error: + example: Bad Request + type: string + message: + example: 'Invalid value ''foo'' supplied to: [...]' + type: string + statusCode: + example: 400 + type: number required: - - data - Security_Osquery_API_FindSavedQueryResponse: - description: A paginated list of saved queries. - example: - data: - - created_at: '2022-07-26T09:28:08.597Z' - created_by: elastic - created_by_profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - description: Saved query description - ecs_mapping: - host.uptime: - field: total_seconds - id: saved_query_id - interval: '60' - platform: linux,darwin - prebuilt: false - query: select * from uptime; - saved_object_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d - updated_at: '2022-07-26T09:28:08.597Z' - updated_by: elastic - updated_by_profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - version: 2.8.0 - page: 1 - per_page: 100 - total: 11 + - statusCode + - error + - message + SLOs_401_response: + title: Unauthorized type: object properties: - data: - description: An array of saved query objects. 
+ error: + example: Unauthorized + type: string + message: + example: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastics] for REST request [/_security/_authenticate]]: unable to authenticate user [elastics] for REST request [/_security/_authenticate]" + type: string + statusCode: + example: 401 + type: number + required: + - statusCode + - error + - message + SLOs_403_response: + title: Forbidden + type: object + properties: + error: + example: Forbidden + type: string + message: + example: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: action [slo_write] is unauthorized for user [limited_user] for REST request [/api/observability/slos]]: action [slo_write] is unauthorized for user [limited_user]" + type: string + statusCode: + example: 403 + type: number + required: + - statusCode + - error + - message + SLOs_404_response: + title: Not found + type: object + properties: + error: + example: Not Found + type: string + message: + example: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found + type: string + statusCode: + example: 404 + type: number + required: + - statusCode + - error + - message + SLOs_409_response: + title: Conflict + type: object + properties: + error: + example: Conflict + type: string + message: + example: SLO [d077e940-1515-11ee-9c50-9d096392f520] already exists + type: string + statusCode: + example: 409 + type: number + required: + - statusCode + - error + - message + SLOs_artifacts: + description: Links to related assets for the SLO + properties: + dashboards: + description: Array of dashboard references items: type: object properties: - created_at: - format: date-time - type: string - created_by: - nullable: true - type: string - created_by_profile_uid: - type: string - description: - $ref: >- - #/components/schemas/Security_Osquery_API_SavedQueryDescriptionOrUndefined - ecs_mapping: - $ref: >- - #/components/schemas/Security_Osquery_API_ECSMappingOrUndefined id: - $ref: 
'#/components/schemas/Security_Osquery_API_SavedQueryId' - interval: - oneOf: - - type: integer - - type: string - platform: - $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' - prebuilt: - type: boolean - query: - $ref: '#/components/schemas/Security_Osquery_API_Query' - removed: - $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' - saved_object_id: - type: string - snapshot: - $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' - timeout: - type: integer - updated_at: - format: date-time - type: string - updated_by: - nullable: true - type: string - updated_by_profile_uid: + description: Dashboard saved-object id type: string - version: - oneOf: - - type: integer - - type: string required: - - saved_object_id - id type: array - page: - description: The current page number. - type: integer - per_page: - description: The number of results per page. - type: integer - total: - description: The total number of saved queries. - type: integer + title: Artifacts + type: object + SLOs_budgeting_method: + description: The budgeting method to use when computing the rollup data. + enum: + - occurrences + - timeslices + example: occurrences + title: Budgeting method + type: string + SLOs_bulk_delete_request: + description: | + The bulk delete SLO request takes a list of SLOs Definition id to delete. + properties: + list: + description: An array of SLO Definition id + items: + description: The SLO Definition id + example: 8853df00-ae2e-11ed-90af-09bb6422b258 + type: string + type: array required: - - page - - per_page - - total - - data - Security_Osquery_API_GetLiveQueryResultsResponse: - description: The response for getting live query results. 
- example: - data: - edges: - - _id: doc1 - _source: {} - - _id: doc2 - _source: {} - total: 2 + - list + title: Bulk delete SLO request type: object + SLOs_bulk_delete_response: + description: | + The bulk delete SLO response returns a taskId that can be used to poll for its status properties: - data: - type: object - properties: - edges: - description: The result rows from the query execution. - items: - type: object - properties: - _id: - type: string - _source: - description: >- - The Elasticsearch document source containing query - results. - type: object - type: array - total: - description: The total number of result rows. - type: integer - Security_Osquery_API_GetScheduledActionResultsResponse: - example: - aggregations: - failed: 1 - pending: 0 - successful: 9 - totalResponded: 10 - totalRowCount: 42 - currentPage: 0 - edges: - - _id: result-001 - fields: - agent_id: 16d7caf5-efd2-4212-9b62-73dafc91fa13 - rows_count: 5 - status: success - metadata: - executionCount: 3 - packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d - packName: My Pack - queryName: uptime - queryText: select * from uptime; - scheduleId: pack_my_pack_uptime - timestamp: '2024-07-26T09:00:00.000Z' - pageSize: 20 - total: 10 - totalPages: 1 + taskId: + description: The taskId of the bulk delete operation + example: d08506b7-f0e8-4f8b-a06a-a83940f4db91 + type: string + title: Bulk delete SLO response type: object + SLOs_bulk_delete_status_response: + description: Indicates if the bulk deletion is completed, with the detailed results of the operation. properties: - aggregations: - $ref: >- - #/components/schemas/Security_Osquery_API_ScheduledActionResultsAggregations - currentPage: - description: The current page number (zero-based). - type: integer - edges: - description: The paginated list of per-agent action results. 
+ error: + description: The error message if the bulk deletion operation failed + example: Task not found + type: string + isDone: + description: Indicates if the bulk deletion operation is completed + example: true + type: boolean + results: + description: The results of the bulk deletion operation, including the success status and any errors for each SLO items: type: object + properties: + error: + description: The error message if the deletion operation failed for this SLO + example: SLO [d08506b7-f0e8-4f8b-a06a-a83940f4db91] not found + type: string + id: + description: The ID of the SLO that was deleted + example: d08506b7-f0e8-4f8b-a06a-a83940f4db91 + type: string + success: + description: The result of the deletion operation for this SLO + example: true + type: boolean type: array - inspect: - description: Debug/inspection data for the search query. - type: object - metadata: - $ref: '#/components/schemas/Security_Osquery_API_ScheduledExecutionMetadata' - pageSize: - description: The number of results per page. - type: integer - total: - description: The total number of action results. - type: integer - totalPages: - description: The total number of pages. - type: integer - Security_Osquery_API_GetScheduledQueryResultsResponse: - description: The response for getting scheduled query results. - example: - data: - edges: - - _id: row-001 - fields: - host.uptime: - - '12345' - - _id: row-002 - fields: - host.uptime: - - '67890' - total: 2 + title: The status of the bulk deletion type: object + SLOs_bulk_purge_rollup_request: + description: | + The bulk purge rollup data request takes a list of SLO ids and a purge policy, then deletes the rollup data according to the purge policy. This API can be used to remove the staled data of an instance SLO that no longer get updated. properties: - data: - description: The query results data wrapper. 
+ list: + description: An array of slo ids + items: + description: The SLO Definition id + example: 8853df00-ae2e-11ed-90af-09bb6422b258 + type: string + type: array + purgePolicy: + description: Policy that dictates which SLI documents to purge based on age + oneOf: + - type: object + properties: + age: + description: The duration to determine which documents to purge, formatted as {duration}{unit}. This value should be greater than or equal to the time window of every SLO provided. + example: 7d + type: string + purgeType: + description: Specifies whether documents will be purged based on a specific age or on a timestamp + enum: + - fixed-age + type: string + - type: object + properties: + purgeType: + description: Specifies whether documents will be purged based on a specific age or on a timestamp + enum: + - fixed-time + type: string + timestamp: + description: The timestamp to determine which documents to purge, formatted in ISO. This value should be older than the applicable time window of every SLO provided. + example: '2024-12-31T00:00:00.000Z' + type: string type: object - properties: - edges: - description: The paginated list of query result rows. - items: - type: object - type: array - inspect: - description: Debug/inspection data for the search query. - type: object - total: - description: The total number of result rows. 
- type: integer - Security_Osquery_API_GetUnifiedHistoryResponse: - example: - data: - - actionId: 609c4c66-ba3d-43fa-afdd-53e244577aa0 - agentCount: 5 - errorCount: 0 - id: 3c42c847-eb30-4452-80e0-728584042334 - queryName: uptime_query - queryText: select * from uptime; - source: Live - sourceType: live - successCount: 5 - timestamp: '2024-07-26T09:59:32.220Z' - totalRows: 42 - userId: elastic - - agentCount: 10 - errorCount: 1 - executionCount: 3 - id: pack_my_pack_uptime_3 - packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d - packName: My Pack - plannedTime: '2024-07-26T09:00:00.000Z' - queryName: uptime - queryText: select * from uptime; - scheduleId: pack_my_pack_uptime - source: Scheduled - sourceType: scheduled - successCount: 9 - timestamp: '2024-07-26T09:00:00.000Z' - totalRows: 100 - hasMore: true - nextPage: eyJhY3Rpb25TZWFyY2hBZnRlciI6WzE3... + required: + - list + - purgePolicy + title: Bulk Purge Rollup data request + type: object + SLOs_bulk_purge_rollup_response: + description: | + The bulk purge rollup data response returns a task id from the elasticsearch deleteByQuery response. + properties: + taskId: + description: The task id of the purge operation + example: 8853df00-ae2e-11ed-90af-09bb6422b258 + type: string + title: Bulk Purge Rollup data response type: object + SLOs_create_slo_request: + description: | + The create SLO API request body varies depending on the type of indicator, time window and budgeting method. properties: - data: - description: The list of unified history rows for the current page. + artifacts: + $ref: '#/components/schemas/SLOs_artifacts' + budgetingMethod: + $ref: '#/components/schemas/SLOs_budgeting_method' + description: + description: A description for the SLO. + type: string + groupBy: + $ref: '#/components/schemas/SLOs_group_by' + id: + description: A optional and unique identifier for the SLO. 
Must be between 8 and 36 chars + example: my-super-slo-id + type: string + indicator: + oneOf: + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' + - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' + - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' + name: + description: A name for the SLO. + type: string + objective: + $ref: '#/components/schemas/SLOs_objective' + settings: + $ref: '#/components/schemas/SLOs_settings' + tags: + description: List of tags items: - $ref: '#/components/schemas/Security_Osquery_API_UnifiedHistoryRow' + type: string type: array - hasMore: - description: Whether there are more results beyond the current page. - type: boolean - nextPage: - description: >- - A base64-encoded cursor to fetch the next page. Absent when there - are no more results. - type: string + timeWindow: + $ref: '#/components/schemas/SLOs_time_window' required: - - data - - hasMore - Security_Osquery_API_Interval: - description: An interval, in seconds, on which to run the query. - example: '60' - type: string - Security_Osquery_API_IntervalOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_Interval' - nullable: true - Security_Osquery_API_KueryOrUndefined: - description: The kuery to filter the results by. - example: 'agent.id: 16d7caf5-efd2-4212-9b62-73dafc91fa13' - nullable: true - type: string - Security_Osquery_API_LiveHistoryRow: - allOf: - - $ref: '#/components/schemas/Security_Osquery_API_UnifiedHistoryRowBase' - - type: object - properties: - actionId: - description: The Fleet action ID for the live query. - type: string - agentAll: - description: Whether the query targeted all agents. - type: boolean - agentIds: - description: List of targeted agent IDs. 
- items: - type: string - type: array - agentPlatforms: - description: List of targeted agent platforms. - items: - type: string - type: array - agentPolicyIds: - description: List of targeted agent policy IDs. - items: - type: string - type: array - ecsMapping: - additionalProperties: true - description: ECS mapping configuration used for the query. - type: object - queriesTotal: - description: The total number of sub-queries in the live action. - type: integer - queriesWithResults: - description: The number of sub-queries that returned results. - type: integer - savedQueryId: - description: >- - The saved query ID, if the live query was based on a saved - query. - type: string - source: - description: >- - Whether this was a manually run live query or triggered by a - rule. - enum: - - Live - - Rule - type: string - sourceType: - description: Identifies this as a live query history row. - enum: - - live - type: string - timeout: - description: The query timeout in seconds. - type: integer - userId: - description: The ID of the user who ran the query. - type: string - userProfileUid: - description: The user profile UID of the user who ran the query. - type: string - required: - - sourceType - - source - Security_Osquery_API_ObjectQueries: - additionalProperties: - $ref: '#/components/schemas/Security_Osquery_API_ObjectQueriesItem' - description: An object of queries. 
+ - name + - description + - indicator + - timeWindow + - budgetingMethod + - objective + title: Create SLO request type: object - Security_Osquery_API_ObjectQueriesItem: + SLOs_create_slo_response: + title: Create SLO response type: object properties: - ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' id: - $ref: '#/components/schemas/Security_Osquery_API_QueryId' - platform: - $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' - query: - $ref: '#/components/schemas/Security_Osquery_API_Query' - removed: - $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' - saved_query_id: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryIdOrUndefined' - snapshot: - $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' - version: - $ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined' - Security_Osquery_API_PackDescription: - description: The pack description. - example: Pack description - type: string - Security_Osquery_API_PackDescriptionOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_PackDescription' - nullable: true - Security_Osquery_API_PackId: - description: The ID of the pack. - example: 3c42c847-eb30-4452-80e0-728584042334 - type: string - Security_Osquery_API_PackIdOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_PackId' - nullable: true - Security_Osquery_API_PackName: - description: The pack name. - example: my_pack - type: string - Security_Osquery_API_PageOrUndefined: - description: The page number to return. The default is 1. - example: 1 - nullable: true - type: integer - Security_Osquery_API_PageSizeOrUndefined: - description: The number of results to return per page. The default is 20. - example: 20 - nullable: true - type: integer - Security_Osquery_API_Platform: - description: >- - Restricts the query to a specified platform. The default is all - platforms. To specify multiple platforms, use commas. 
For example, - `linux,darwin`. - example: linux,darwin - type: string - Security_Osquery_API_PlatformOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_Platform' - nullable: true - Security_Osquery_API_PolicyIds: - description: A list of agents policy IDs. - example: - - policyId1 - - policyId2 - items: - type: string - type: array - Security_Osquery_API_PolicyIdsOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_PolicyIds' - nullable: true - Security_Osquery_API_Query: - description: The SQL query you want to run. - example: select * from uptime; - type: string - Security_Osquery_API_QueryId: - description: The ID of the query. - example: 3c42c847-eb30-4452-80e0-728584042334 - type: string - Security_Osquery_API_QueryOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_Query' - nullable: true - Security_Osquery_API_Removed: - description: Indicates whether the query is removed. - example: false - type: boolean - Security_Osquery_API_RemovedOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_Removed' - nullable: true - Security_Osquery_API_SavedQueryDescription: - description: The saved query description. - example: Saved query description - type: string - Security_Osquery_API_SavedQueryDescriptionOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription' - nullable: true - Security_Osquery_API_SavedQueryId: - description: The ID of a saved query. - example: 3c42c847-eb30-4452-80e0-728584042334 - type: string - Security_Osquery_API_SavedQueryIdOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' - nullable: true - Security_Osquery_API_ScheduledActionResultsAggregations: - type: object + example: 8853df00-ae2e-11ed-90af-09bb6422b258 + type: string + required: + - id + SLOs_delete_slo_instances_request: + description: | + The delete SLO instances request takes a list of SLO id and instance id, then delete the rollup and summary data. 
This API can be used to remove the staled data of an instance SLO that no longer get updated. properties: - failed: - description: The number of agents that returned errors. - type: integer - pending: - description: The number of agents with pending responses. - type: integer - successful: - description: The number of agents that completed successfully. - type: integer - totalResponded: - description: The total number of agents that responded. - type: integer - totalRowCount: - description: The total number of result rows across all agents. - type: integer - Security_Osquery_API_ScheduledExecutionMetadata: - description: Execution metadata resolved from the pack saved object. + list: + description: An array of slo id and instance id + items: + type: object + properties: + instanceId: + description: The SLO instance identifier + example: 8853df00-ae2e-11ed-90af-09bb6422b258 + type: string + sloId: + description: The SLO unique identifier + example: 8853df00-ae2e-11ed-90af-09bb6422b258 + type: string + required: + - sloId + - instanceId + type: array + required: + - list + title: Delete SLO instances request type: object - properties: - executionCount: - description: The execution count for this scheduled query run. - type: integer - packId: - description: The ID of the pack containing the query. - type: string - packName: - description: The name of the pack containing the query. - type: string - queryName: - description: The name of the query within the pack. - type: string - queryText: - description: The SQL query that was executed. - type: string - scheduleId: - description: The schedule ID for the scheduled query. - type: string - timestamp: - description: The timestamp of the most recent response for this execution. 
- type: string - Security_Osquery_API_ScheduledHistoryRow: - allOf: - - $ref: '#/components/schemas/Security_Osquery_API_UnifiedHistoryRowBase' - - type: object - properties: - executionCount: - description: The execution count for this scheduled query run. - type: integer - plannedTime: - description: The planned execution time for the scheduled query. - type: string - scheduleId: - description: The schedule ID for the scheduled query. - type: string - source: - description: Indicates this is a scheduled query execution. - enum: - - Scheduled - type: string - sourceType: - description: Identifies this as a scheduled query history row. - enum: - - scheduled - type: string - required: - - sourceType - - source - Security_Osquery_API_Shards: - additionalProperties: - type: number - description: >- - An object with shard configuration for policies included in the pack. - For each policy, set the shard configuration to a percentage (1–100) of - target hosts. - example: - policy_id: 50 + SLOs_error_budget: + title: Error budget type: object - Security_Osquery_API_Snapshot: - description: Indicates whether the query is a snapshot. - example: true - type: boolean - Security_Osquery_API_SnapshotOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_Snapshot' - nullable: true - Security_Osquery_API_SortOrderOrUndefined: - description: Specifies the sort order. - enum: - - asc - - desc - example: desc - type: string - Security_Osquery_API_SortOrUndefined: - default: createdAt - description: The field that is used to sort the results. 
- example: createdAt - nullable: true - type: string - Security_Osquery_API_UnifiedHistoryRow: - discriminator: - mapping: - live: '#/components/schemas/Security_Osquery_API_LiveHistoryRow' - scheduled: '#/components/schemas/Security_Osquery_API_ScheduledHistoryRow' - propertyName: sourceType - oneOf: - - $ref: '#/components/schemas/Security_Osquery_API_LiveHistoryRow' - - $ref: '#/components/schemas/Security_Osquery_API_ScheduledHistoryRow' - Security_Osquery_API_UnifiedHistoryRowBase: + properties: + consumed: + description: The error budget consummed, as a percentage of the initial value. + example: 0.8 + type: number + initial: + description: The initial error budget, as 1 - objective + example: 0.02 + type: number + isEstimated: + description: Only for SLO defined with occurrences budgeting method and calendar aligned time window. + example: true + type: boolean + remaining: + description: The error budget remaining, as a percentage of the initial value. + example: 0.2 + type: number + required: + - initial + - consumed + - remaining + - isEstimated + SLOs_filter: + description: Defines properties for a filter + properties: + meta: + $ref: '#/components/schemas/SLOs_filter_meta' + query: + type: object + title: Filter type: object + SLOs_filter_meta: + description: Defines properties for a filter properties: - agentCount: - description: The number of agents targeted by the query. - type: integer - errorCount: - description: The number of agent responses with errors. + alias: nullable: true - type: integer - id: - description: Unique identifier for the history row. type: string - packId: - description: The ID of the pack containing the query. + controlledBy: type: string - packName: - description: The name of the pack containing the query. + disabled: + type: boolean + field: type: string - queryName: - description: The name of the query, if available. + group: type: string - queryText: - description: The SQL query that was executed. 
+ index: type: string - spaceId: - description: The Kibana space ID where the query was executed. + isMultiIndex: + type: boolean + key: type: string - successCount: - description: The number of successful agent responses. - nullable: true - type: integer - timestamp: - description: The timestamp of the query execution. + negate: + type: boolean + params: + type: object + type: type: string - totalRows: - description: The total number of result rows returned across all agents. - nullable: true - type: integer - required: - - id - - timestamp - - queryText - - agentCount - Security_Osquery_API_UpdatePacksRequestBody: - example: - name: updated_my_pack_name + value: + type: string + title: FilterMeta + type: object + SLOs_find_slo_definitions_response: + description: | + A paginated response of SLO definitions matching the query. + oneOf: + - type: object + properties: + page: + example: 1 + type: number + perPage: + example: 25 + type: number + results: + items: + $ref: '#/components/schemas/SLOs_slo_with_summary_response' + type: array + total: + example: 34 + type: number + - type: object + properties: + page: + default: 1 + description: for backward compability + type: number + perPage: + description: for backward compability + example: 25 + type: number + results: + items: + $ref: '#/components/schemas/SLOs_slo_with_summary_response' + type: array + searchAfter: + description: the cursor to provide to get the next paged results + example: + - some-slo-id + - other-cursor-id + items: + type: string + type: array + size: + example: 25 + type: number + total: + example: 34 + type: number + title: Find SLO definitions response type: object + SLOs_find_slo_response: + description: | + A paginated response of SLOs matching the query. 
properties: - description: - $ref: '#/components/schemas/Security_Osquery_API_PackDescriptionOrUndefined' - enabled: - $ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined' - name: - $ref: '#/components/schemas/Security_Osquery_API_PackName' - policy_ids: - $ref: '#/components/schemas/Security_Osquery_API_PolicyIdsOrUndefined' - queries: - $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries' - shards: - $ref: '#/components/schemas/Security_Osquery_API_Shards' - Security_Osquery_API_UpdatePacksResponse: - description: The response for updating a pack. + page: + example: 1 + type: number + perPage: + example: 25 + type: number + results: + items: + $ref: '#/components/schemas/SLOs_slo_with_summary_response' + type: array + searchAfter: + type: string + size: + description: Size provided for cursor based pagination + example: 25 + type: number + total: + example: 34 + type: number + title: Find SLO response + type: object + SLOs_group_by: + description: optional group by field or fields to use to generate an SLO per distinct value example: - data: - created_at: '2025-02-26T13:37:30.452Z' - created_by: elastic - description: My pack - enabled: true - name: updated_my_pack_name - policy_ids: - - my_policy_id - queries: - ports: - ecs_mapping: - client.port: - field: port - interval: 60 - query: SELECT * FROM listening_ports; - removed: false - snapshot: true - timeout: 120 - saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 - shards: - 47638692-7c4c-4053-aa3e-7186f28df349: 35 - 5e267651-fe50-443e-8d3f-3bbc9171b618: 58 - updated_at: '2025-02-26T13:40:16.297Z' - updated_by: elastic - version: 1 + - - service.name + - service.name + - - service.name + - service.environment + oneOf: + - type: string + - items: + type: string + type: array + title: Group by + SLOs_indicator_properties_apm_availability: + description: Defines properties for the APM availability indicator type type: object properties: - data: + params: + description: An object 
containing the indicator parameters. + nullable: false type: object properties: - created_at: - format: date-time + environment: + description: The APM service environment or "*" + example: production type: string - created_by: - nullable: true + filter: + description: KQL query used for filtering the data + example: 'service.foo : "bar"' type: string - created_by_profile_uid: + index: + description: The index used by APM metrics + example: metrics-apm*,apm* type: string - description: - $ref: >- - #/components/schemas/Security_Osquery_API_PackDescriptionOrUndefined - enabled: - $ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined' - name: - $ref: '#/components/schemas/Security_Osquery_API_PackName' - policy_ids: - $ref: '#/components/schemas/Security_Osquery_API_PolicyIdsOrUndefined' - queries: - $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries' - saved_object_id: - description: The saved object ID of the pack. + service: + description: The APM service name + example: o11y-app type: string - shards: - $ref: '#/components/schemas/Security_Osquery_API_Shards' - updated_at: - format: date-time + transactionName: + description: The APM transaction name or "*" + example: GET /my/api type: string - updated_by: - nullable: true + transactionType: + description: The APM transaction type or "*" + example: request type: string - updated_by_profile_uid: + required: + - service + - environment + - transactionType + - transactionName + - index + type: + description: The type of indicator. + example: sli.apm.transactionDuration + type: string + required: + - type + - params + title: APM availability + SLOs_indicator_properties_apm_latency: + description: Defines properties for the APM latency indicator type + type: object + properties: + params: + description: An object containing the indicator parameters. 
+ nullable: false + type: object + properties: + environment: + description: The APM service environment or "*" + example: production type: string - version: - description: The pack version number. - type: integer - Security_Osquery_API_UpdateSavedQueryRequestBody: - example: - id: updated_my_saved_query_name + filter: + description: KQL query used for filtering the data + example: 'service.foo : "bar"' + type: string + index: + description: The index used by APM metrics + example: metrics-apm*,apm* + type: string + service: + description: The APM service name + example: o11y-app + type: string + threshold: + description: The latency threshold in milliseconds + example: 250 + type: number + transactionName: + description: The APM transaction name or "*" + example: GET /my/api + type: string + transactionType: + description: The APM transaction type or "*" + example: request + type: string + required: + - service + - environment + - transactionType + - transactionName + - index + - threshold + type: + description: The type of indicator. 
+ example: sli.apm.transactionDuration + type: string + required: + - type + - params + title: APM latency + SLOs_indicator_properties_custom_kql: + description: Defines properties for a custom query indicator type type: object properties: - description: - $ref: >- - #/components/schemas/Security_Osquery_API_SavedQueryDescriptionOrUndefined - ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' - id: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' - interval: - $ref: '#/components/schemas/Security_Osquery_API_IntervalOrUndefined' - platform: - $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' - query: - $ref: '#/components/schemas/Security_Osquery_API_QueryOrUndefined' - removed: - $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' - snapshot: - $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' - version: - $ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined' - Security_Osquery_API_UpdateSavedQueryResponse: - description: The response for updating a saved query. - example: - data: - created_at: '2025-02-26T13:37:30.452Z' - created_by: elastic - description: Saved query description - id: updated_my_saved_query_name - interval: '60' - query: select * from uptime; - saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c - updated_at: '2025-02-26T13:40:16.297Z' - updated_by: elastic - version: WzQzMTcsMV0= + params: + description: An object containing the indicator parameters. + nullable: false + type: object + properties: + dataViewId: + description: The kibana data view id to use, primarily used to include data view runtime mappings. Make sure to save SLO again if you add/update run time fields to the data view and if those fields are being used in slo queries. 
+ example: 03b80ab3-003d-498b-881c-3beedbaf1162 + type: string + filter: + $ref: '#/components/schemas/SLOs_kql_with_filters' + good: + $ref: '#/components/schemas/SLOs_kql_with_filters_good' + index: + description: The index or index pattern to use + example: my-service-* + type: string + timestampField: + description: | + The timestamp field used in the source indice. + example: timestamp + type: string + total: + $ref: '#/components/schemas/SLOs_kql_with_filters_total' + required: + - index + - timestampField + - good + - total + type: + description: The type of indicator. + example: sli.kql.custom + type: string + required: + - type + - params + title: Custom Query + SLOs_indicator_properties_custom_metric: + description: Defines properties for a custom metric indicator type + type: object + properties: + params: + description: An object containing the indicator parameters. + nullable: false + type: object + properties: + dataViewId: + description: The kibana data view id to use, primarily used to include data view runtime mappings. Make sure to save SLO again if you add/update run time fields to the data view and if those fields are being used in slo queries. + example: 03b80ab3-003d-498b-881c-3beedbaf1162 + type: string + filter: + description: the KQL query to filter the documents with. + example: 'field.environment : "production" and service.name : "my-service"' + type: string + good: + description: | + An object defining the "good" metrics and equation + type: object + properties: + equation: + description: The equation to calculate the "good" metric. + example: A + type: string + metrics: + description: List of metrics with their name, aggregation type, and field. + items: + oneOf: + - type: object + properties: + aggregation: + description: The aggregation type of the metric. + enum: + - sum + example: sum + type: string + field: + description: The field of the metric. 
+ example: processor.processed + type: string + filter: + description: The filter to apply to the metric. + example: 'processor.outcome: *' + type: string + name: + description: The name of the metric. Only valid options are A-Z + example: A + pattern: ^[A-Z]$ + type: string + required: + - name + - aggregation + - field + - type: object + properties: + aggregation: + description: The aggregation type of the metric. + enum: + - doc_count + example: doc_count + type: string + filter: + description: The filter to apply to the metric. + example: 'processor.outcome: *' + type: string + name: + description: The name of the metric. Only valid options are A-Z + example: A + pattern: ^[A-Z]$ + type: string + required: + - name + - aggregation + type: array + required: + - metrics + - equation + index: + description: The index or index pattern to use + example: my-service-* + type: string + timestampField: + description: | + The timestamp field used in the source indice. + example: timestamp + type: string + total: + description: | + An object defining the "total" metrics and equation + type: object + properties: + equation: + description: The equation to calculate the "total" metric. + example: A + type: string + metrics: + description: List of metrics with their name, aggregation type, and field. + items: + oneOf: + - type: object + properties: + aggregation: + description: The aggregation type of the metric. + enum: + - sum + example: sum + type: string + field: + description: The field of the metric. + example: processor.processed + type: string + filter: + description: The filter to apply to the metric. + example: 'processor.outcome: *' + type: string + name: + description: The name of the metric. Only valid options are A-Z + example: A + pattern: ^[A-Z]$ + type: string + required: + - name + - aggregation + - field + - type: object + properties: + aggregation: + description: The aggregation type of the metric. 
+ enum: + - doc_count + example: doc_count + type: string + filter: + description: The filter to apply to the metric. + example: 'processor.outcome: *' + type: string + name: + description: The name of the metric. Only valid options are A-Z + example: A + pattern: ^[A-Z]$ + type: string + required: + - name + - aggregation + type: array + required: + - metrics + - equation + required: + - index + - timestampField + - good + - total + type: + description: The type of indicator. + example: sli.metric.custom + type: string + required: + - type + - params + title: Custom metric + SLOs_indicator_properties_histogram: + description: Defines properties for a histogram indicator type type: object properties: - data: + params: + description: An object containing the indicator parameters. + nullable: false type: object properties: - created_at: - format: date-time - type: string - created_by: - nullable: true - type: string - created_by_profile_uid: - type: string - description: - $ref: >- - #/components/schemas/Security_Osquery_API_SavedQueryDescriptionOrUndefined - ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' - id: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' - interval: - oneOf: - - type: integer - - type: string - platform: - $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' - prebuilt: - type: boolean - query: - $ref: '#/components/schemas/Security_Osquery_API_Query' - removed: - $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' - saved_object_id: - type: string - snapshot: - $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' - timeout: - type: integer - updated_at: - format: date-time - type: string - updated_by: - nullable: true - type: string - updated_by_profile_uid: - type: string - version: - description: The saved query version. 
- type: string - required: - - saved_object_id - - id - required: - - data - Security_Osquery_API_Version: - description: >- - Uses the Osquery versions greater than or equal to the specified version - string. - example: 1.0.0 - type: string - Security_Osquery_API_VersionOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_Version' - nullable: true - Security_Timeline_API_AssociatedFilterType: - description: > - How the note is associated with a Timeline saved object and/or an event - (`eventId`). `all`: no association-based restriction from this - parameter. `document_only`: document-linked notes (non-empty `eventId`) - without timeline association in the API's internal sense; post-filtering - drops notes without a usable `eventId`. `saved_object_only`: timeline - notes with no linked event (`eventId` empty or absent); post-filtering - keeps timeline-only notes. `document_and_saved_object`: notes on a - timeline and linked to an event; post-filtering enforces a real - `eventId`. `orphan`: not on a timeline and `eventId` is empty (stricter - than missing `eventId` in some cases). - enum: - - all - - document_only - - saved_object_only - - document_and_saved_object - - orphan - type: string - Security_Timeline_API_BareNote: - allOf: - - $ref: >- - #/components/schemas/Security_Timeline_API_NoteCreatedAndUpdatedMetadata - - type: object - properties: - eventId: - description: > - Elasticsearch document `_id` for the event or alert this note - refers to. Same value as the `documentIds` query parameter when - fetching notes via GET /api/note. - example: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc - nullable: true - type: string - note: - description: The text of the note - example: This is an example text - nullable: true + dataViewId: + description: The kibana data view id to use, primarily used to include data view runtime mappings. 
Make sure to save SLO again if you add/update run time fields to the data view and if those fields are being used in slo queries. + example: 03b80ab3-003d-498b-881c-3beedbaf1162 type: string - timelineId: - description: >- - The `savedObjectId` of the Timeline this note belongs to (not - the note's own ID). - example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + filter: + description: the KQL query to filter the documents with. + example: 'field.environment : "production" and service.name : "my-service"' type: string - required: - - timelineId - Security_Timeline_API_BarePinnedEvent: - allOf: - - $ref: >- - #/components/schemas/Security_Timeline_API_PinnedEventCreatedAndUpdatedMetadata - - type: object - properties: - eventId: - description: The `_id` of the associated event for this pinned event. - example: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc + good: + description: | + An object defining the "good" events + type: object + properties: + aggregation: + description: The type of aggregation to use. + enum: + - value_count + - range + example: value_count + type: string + field: + description: The field use to aggregate the good events. + example: processor.latency + type: string + filter: + description: The filter for good events. + example: 'processor.outcome: "success"' + type: string + from: + description: The starting value of the range. Only required for "range" aggregations. + example: 0 + type: number + to: + description: The ending value of the range. Only required for "range" aggregations. + example: 100 + type: number + required: + - aggregation + - field + index: + description: The index or index pattern to use + example: my-service-* type: string - timelineId: - description: >- - The `savedObjectId` of the timeline that this pinned event is - associated with - example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + timestampField: + description: | + The timestamp field used in the source indice. 
+ example: timestamp type: string + total: + description: | + An object defining the "total" events + type: object + properties: + aggregation: + description: The type of aggregation to use. + enum: + - value_count + - range + example: value_count + type: string + field: + description: The field use to aggregate the good events. + example: processor.latency + type: string + filter: + description: The filter for total events. + example: 'processor.outcome : *' + type: string + from: + description: The starting value of the range. Only required for "range" aggregations. + example: 0 + type: number + to: + description: The ending value of the range. Only required for "range" aggregations. + example: 100 + type: number + required: + - aggregation + - field required: - - eventId - - timelineId - Security_Timeline_API_ColumnHeaderResult: - type: object - properties: - aggregatable: - nullable: true - type: boolean - category: - nullable: true - type: string - columnHeaderType: - nullable: true - type: string - description: - nullable: true - type: string - example: - nullable: true - type: string - id: - nullable: true - type: string - indexes: - items: - type: string - nullable: true - type: array - name: - nullable: true - type: string - placeholder: - nullable: true - type: string - searchable: - nullable: true - type: boolean - type: - nullable: true - type: string - Security_Timeline_API_DataProviderQueryMatch: - type: object - properties: - enabled: - nullable: true - type: boolean - excluded: - nullable: true - type: boolean - id: - nullable: true - type: string - kqlQuery: - nullable: true - type: string - name: - nullable: true - type: string - queryMatch: - $ref: '#/components/schemas/Security_Timeline_API_QueryMatchResult' - nullable: true - type: - $ref: '#/components/schemas/Security_Timeline_API_DataProviderType' - nullable: true - Security_Timeline_API_DataProviderResult: - type: object - properties: - and: - items: - $ref: 
'#/components/schemas/Security_Timeline_API_DataProviderQueryMatch' - nullable: true - type: array - enabled: - nullable: true - type: boolean - excluded: - nullable: true - type: boolean - id: - nullable: true - type: string - kqlQuery: - nullable: true - type: string - name: - nullable: true - type: string - queryMatch: - $ref: '#/components/schemas/Security_Timeline_API_QueryMatchResult' - nullable: true + - index + - timestampField + - good + - total type: - $ref: '#/components/schemas/Security_Timeline_API_DataProviderType' - nullable: true - Security_Timeline_API_DataProviderType: - description: The type of data provider. - enum: - - default - - template - type: string - Security_Timeline_API_DocumentIds: - description: One document ID or an array of IDs (Elasticsearch `_id` of the event). - oneOf: - - items: - type: string - type: array - - type: string - Security_Timeline_API_FavoriteTimelineResponse: - type: object - properties: - favorite: - items: - $ref: '#/components/schemas/Security_Timeline_API_FavoriteTimelineResult' - type: array - savedObjectId: - type: string - templateTimelineId: - nullable: true - type: string - templateTimelineVersion: - nullable: true - type: number - timelineType: - $ref: '#/components/schemas/Security_Timeline_API_TimelineType' - version: + description: The type of indicator. + example: sli.histogram.custom type: string required: - - savedObjectId - - version - Security_Timeline_API_FavoriteTimelineResult: - description: Indicates when and who marked a Timeline as a favorite. 
- example: - favoriteDate: 1741337636741 - userName: elastic - type: object - properties: - favoriteDate: - nullable: true - type: number - fullName: - nullable: true - type: string - userName: - nullable: true - type: string - Security_Timeline_API_FilterTimelineResult: - example: - meta: - alias: Custom filter name - disabled: false - index: .alerts-security.alerts-default,logs-* - key: '@timestamp' - negate: false, - type: exists - value: exists - query: '{"exists":{"field":"@timestamp"}}' + - type + - params + title: Histogram indicator + SLOs_indicator_properties_timeslice_metric: + description: Defines properties for a timeslice metric indicator type type: object properties: - exists: - nullable: true - type: string - match_all: - nullable: true - type: string - meta: - nullable: true + params: + description: An object containing the indicator parameters. + nullable: false type: object properties: - alias: - nullable: true - type: string - controlledBy: - nullable: true - type: string - disabled: - nullable: true - type: boolean - field: - nullable: true + dataViewId: + description: The kibana data view id to use, primarily used to include data view runtime mappings. Make sure to save SLO again if you add/update run time fields to the data view and if those fields are being used in slo queries. + example: 03b80ab3-003d-498b-881c-3beedbaf1162 type: string - formattedValue: - nullable: true + filter: + description: the KQL query to filter the documents with. 
+ example: 'field.environment : "production" and service.name : "my-service"' type: string index: - nullable: true - type: string - key: - nullable: true - type: string - negate: - nullable: true - type: boolean - params: - nullable: true - type: string - type: - nullable: true + description: The index or index pattern to use + example: my-service-* type: string - value: - nullable: true + metric: + description: | + An object defining the metrics, equation, and threshold to determine if it's a good slice or not + type: object + properties: + comparator: + description: The comparator to use to compare the equation to the threshold. + enum: + - GT + - GTE + - LT + - LTE + example: GT + type: string + equation: + description: The equation to calculate the metric. + example: A + type: string + metrics: + description: List of metrics with their name, aggregation type, and field. + items: + anyOf: + - $ref: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field' + - $ref: '#/components/schemas/SLOs_timeslice_metric_percentile_metric' + - $ref: '#/components/schemas/SLOs_timeslice_metric_doc_count_metric' + discriminator: + mapping: + avg: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field' + cardinality: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field' + doc_count: '#/components/schemas/SLOs_timeslice_metric_doc_count_metric' + last_value: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field' + max: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field' + min: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field' + percentile: '#/components/schemas/SLOs_timeslice_metric_percentile_metric' + std_deviation: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field' + sum: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field' + propertyName: aggregation + type: array + threshold: + description: The threshold used to determine if the metric is a good slice 
or not. + example: 100 + type: number + required: + - metrics + - equation + - comparator + - threshold + timestampField: + description: | + The timestamp field used in the source indice. + example: timestamp type: string - missing: - nullable: true - type: string - query: - nullable: true + required: + - index + - timestampField + - metric + type: + description: The type of indicator. + example: sli.metric.timeslice type: string - range: - nullable: true + required: + - type + - params + title: Timeslice metric + SLOs_kql_with_filters: + description: Defines properties for a filter + oneOf: + - description: the KQL query to filter the documents with. + example: 'field.environment : "production" and service.name : "my-service"' type: string - script: - nullable: true + - type: object + properties: + filters: + items: + $ref: '#/components/schemas/SLOs_filter' + type: array + kqlQuery: + type: string + title: KQL with filters + SLOs_kql_with_filters_good: + description: The KQL query used to define the good events. + oneOf: + - description: the KQL query to filter the documents with. + example: 'request.latency <= 150 and request.status_code : "2xx"' type: string - Security_Timeline_API_GetNotesResult: - type: object - properties: - notes: - items: - $ref: '#/components/schemas/Security_Timeline_API_Note' - type: array - totalCount: - description: >- - Number of notes returned (may be adjusted after the query when - `associatedFilter` applies post-filtering). 
- type: number - required: - - totalCount - - notes - Security_Timeline_API_ImportTimelineResult: - type: object - properties: - errors: - description: The list of failed Timeline imports - items: - type: object - properties: - error: - description: >- - The error containing the reason why the timeline could not be - imported - type: object - properties: - message: - description: The reason why the timeline could not be imported - example: Malformed JSON - type: string - status_code: - description: The HTTP status code of the error - example: 400 - type: number - id: - description: The ID of the timeline that failed to import - example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 - type: string - type: array - success: - description: Indicates whether any of the Timelines were successfully imports - type: boolean - success_count: - description: The amount of successfully imported/updated Timelines - example: 99 - type: number - timelines_installed: - description: The amount of successfully installed Timelines - example: 80 - type: number - timelines_updated: - description: The amount of successfully updated Timelines - example: 19 - type: number - Security_Timeline_API_ImportTimelines: - allOf: - - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' - type: object properties: - eventNotes: - items: - $ref: '#/components/schemas/Security_Timeline_API_BareNote' - nullable: true - type: array - globalNotes: - items: - $ref: '#/components/schemas/Security_Timeline_API_BareNote' - nullable: true - type: array - pinnedEventIds: + filters: items: - type: string - nullable: true + $ref: '#/components/schemas/SLOs_filter' type: array - savedObjectId: - nullable: true - type: string - version: - nullable: true + kqlQuery: type: string - required: - - savedObjectId - - version - - pinnedEventIds - - eventNotes - - globalNotes - Security_Timeline_API_Note: - allOf: - - $ref: '#/components/schemas/Security_Timeline_API_BareNote' + title: KQL query for good events + 
SLOs_kql_with_filters_total: + description: The KQL query used to define all events. + oneOf: + - description: the KQL query to filter the documents with. + example: 'field.environment : "production" and service.name : "my-service"' + type: string - type: object properties: - noteId: - description: The `savedObjectId` of the note - example: 709f99c6-89b6-4953-9160-35945c8e174e - type: string - version: - description: The version of the note - example: WzQ2LDFd + filters: + items: + $ref: '#/components/schemas/SLOs_filter' + type: array + kqlQuery: type: string - required: - - noteId - - version - Security_Timeline_API_NoteCreatedAndUpdatedMetadata: + title: KQL query for all events + SLOs_objective: + description: Defines properties for the SLO objective type: object properties: - created: - description: The time the note was created, using a 13-digit Epoch timestamp. - example: 1587468588922 - nullable: true + target: + description: the target objective between 0 and 1 excluded + example: 0.99 + exclusiveMaximum: true + exclusiveMinimum: true + maximum: 100 + minimum: 0 type: number - createdBy: - description: The user who created the note. 
- example: casetester - nullable: true - type: string - updated: - description: The last time the note was updated, using a 13-digit Epoch timestamp - example: 1741344876825 - nullable: true + timesliceTarget: + description: the target objective for each slice when using a timeslices budgeting method + example: 0.995 + maximum: 100 + minimum: 0 type: number - updatedBy: - description: The user who last updated the note - example: casetester - nullable: true + timesliceWindow: + description: the duration of each slice when using a timeslices budgeting method, as {duraton}{unit} + example: 5m type: string - Security_Timeline_API_PersistPinnedEventResponse: - oneOf: - - $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent' - - type: object - properties: - unpinned: - description: Indicates whether the event was successfully unpinned - type: boolean - required: - - unpinned - Security_Timeline_API_PersistTimelineResponse: - $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' - Security_Timeline_API_PinnedEvent: - allOf: - - $ref: '#/components/schemas/Security_Timeline_API_BarePinnedEvent' - - type: object - properties: - pinnedEventId: - description: The `savedObjectId` of this pinned event - example: 10r1929b-0af7-42bd-85a8-56e234f98h2f3 - type: string - version: - description: The version of this pinned event - example: WzQ2LDFe - type: string - required: - - pinnedEventId - - version - Security_Timeline_API_PinnedEventCreatedAndUpdatedMetadata: + required: + - target + title: Objective + SLOs_settings: + description: Defines properties for SLO settings. + properties: + frequency: + default: 1m + description: The interval between checks for changes in the source data. The minimum value is 1m and the maximum is 59m. The default value is 1 minute. 
+ example: 5m + type: string + preventInitialBackfill: + default: false + description: Start aggregating data from the time the SLO is created, instead of backfilling data from the beginning of the time window. + example: true + type: boolean + syncDelay: + default: 1m + description: The time delay in minutes between the current time and the latest source data time. Increasing the value will delay any alerting. The default value is 1 minute. The minimum value is 1m and the maximum is 359m. It should always be greater then source index refresh interval. + example: 5m + type: string + syncField: + description: The date field that is used to identify new documents in the source. It is strongly recommended to use a field that contains the ingest timestamp. If you use a different field, you might need to set the delay such that it accounts for data transmission delays. When unspecified, we use the indicator timestamp field. + example: event.ingested + type: string + title: Settings + type: object + SLOs_slo_definition_response: + title: SLO definition response type: object properties: - created: - description: >- - The time the pinned event was created, using a 13-digit Epoch - timestamp. - example: 1587468588922 - nullable: true - type: number - createdBy: - description: The user who created the pinned event. - example: casetester - nullable: true + artifacts: + $ref: '#/components/schemas/SLOs_artifacts' + budgetingMethod: + $ref: '#/components/schemas/SLOs_budgeting_method' + createdAt: + description: The creation date + example: '2023-01-12T10:03:19.000Z' type: string - updated: - description: >- - The last time the pinned event was updated, using a 13-digit Epoch - timestamp - example: 1741344876825 - nullable: true + description: + description: The description of the SLO. 
+ example: My SLO description + type: string + enabled: + description: Indicate if the SLO is enabled + example: true + type: boolean + groupBy: + $ref: '#/components/schemas/SLOs_group_by' + id: + description: The identifier of the SLO. + example: 8853df00-ae2e-11ed-90af-09bb6422b258 + type: string + indicator: + discriminator: + mapping: + sli.apm.transactionDuration: '#/components/schemas/SLOs_indicator_properties_apm_latency' + sli.apm.transactionErrorRate: '#/components/schemas/SLOs_indicator_properties_apm_availability' + sli.histogram.custom: '#/components/schemas/SLOs_indicator_properties_histogram' + sli.kql.custom: '#/components/schemas/SLOs_indicator_properties_custom_kql' + sli.metric.custom: '#/components/schemas/SLOs_indicator_properties_custom_metric' + sli.metric.timeslice: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' + propertyName: type + oneOf: + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' + - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' + - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' + name: + description: The name of the SLO. 
+ example: My Service SLO + type: string + objective: + $ref: '#/components/schemas/SLOs_objective' + revision: + description: The SLO revision + example: 2 type: number - updatedBy: - description: The user who last updated the pinned event - example: casetester - nullable: true + settings: + $ref: '#/components/schemas/SLOs_settings' + tags: + description: List of tags + items: + type: string + type: array + timeWindow: + $ref: '#/components/schemas/SLOs_time_window' + updatedAt: + description: The last update date + example: '2023-01-12T10:03:19.000Z' type: string - Security_Timeline_API_QueryMatchResult: + version: + description: The internal SLO version + example: 2 + type: number + required: + - id + - name + - description + - indicator + - timeWindow + - budgetingMethod + - objective + - settings + - revision + - enabled + - groupBy + - tags + - createdAt + - updatedAt + - version + SLOs_slo_with_summary_response: + title: SLO response type: object properties: - displayField: - nullable: true - type: string - displayValue: - nullable: true + budgetingMethod: + $ref: '#/components/schemas/SLOs_budgeting_method' + createdAt: + description: The creation date + example: '2023-01-12T10:03:19.000Z' type: string - field: - nullable: true + description: + description: The description of the SLO. + example: My SLO description type: string - operator: - nullable: true + enabled: + description: Indicate if the SLO is enabled + example: true + type: boolean + groupBy: + $ref: '#/components/schemas/SLOs_group_by' + id: + description: The identifier of the SLO. 
+ example: 8853df00-ae2e-11ed-90af-09bb6422b258 type: string - value: + indicator: + discriminator: + mapping: + sli.apm.transactionDuration: '#/components/schemas/SLOs_indicator_properties_apm_latency' + sli.apm.transactionErrorRate: '#/components/schemas/SLOs_indicator_properties_apm_availability' + sli.histogram.custom: '#/components/schemas/SLOs_indicator_properties_histogram' + sli.kql.custom: '#/components/schemas/SLOs_indicator_properties_custom_kql' + sli.metric.custom: '#/components/schemas/SLOs_indicator_properties_custom_metric' + sli.metric.timeslice: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' + propertyName: type oneOf: - - nullable: true - type: string - - items: - type: string - nullable: true - type: array - Security_Timeline_API_ResolvedTimeline: + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' + - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' + - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' + instanceId: + description: the value derived from the groupBy field, if present, otherwise '*' + example: host-abcde + type: string + name: + description: The name of the SLO. 
+ example: My Service SLO + type: string + objective: + $ref: '#/components/schemas/SLOs_objective' + revision: + description: The SLO revision + example: 2 + type: number + settings: + $ref: '#/components/schemas/SLOs_settings' + summary: + $ref: '#/components/schemas/SLOs_summary' + tags: + description: List of tags + items: + type: string + type: array + timeWindow: + $ref: '#/components/schemas/SLOs_time_window' + updatedAt: + description: The last update date + example: '2023-01-12T10:03:19.000Z' + type: string + version: + description: The internal SLO version + example: 2 + type: number + required: + - id + - name + - description + - indicator + - timeWindow + - budgetingMethod + - objective + - settings + - revision + - summary + - enabled + - groupBy + - instanceId + - tags + - createdAt + - updatedAt + - version + SLOs_summary: + description: The SLO computed data + properties: + errorBudget: + $ref: '#/components/schemas/SLOs_error_budget' + sliValue: + example: 0.9836 + type: number + status: + $ref: '#/components/schemas/SLOs_summary_status' + required: + - status + - sliValue + - errorBudget + title: Summary + type: object + SLOs_summary_status: + enum: + - NO_DATA + - HEALTHY + - DEGRADING + - VIOLATED + example: HEALTHY + title: summary status + type: string + SLOs_time_window: + description: Defines properties for the SLO time window type: object properties: - alias_purpose: - $ref: >- - #/components/schemas/Security_Timeline_API_SavedObjectResolveAliasPurpose - alias_target_id: + duration: + description: 'the duration formatted as {duration}{unit}. Accepted values for rolling: 7d, 30d, 90d. Accepted values for calendar aligned: 1w (weekly) or 1M (monthly)' + example: 30d + type: string + type: + description: Indicates weither the time window is a rolling or a calendar aligned time window. 
+ enum: + - rolling + - calendarAligned + example: rolling type: string - outcome: - $ref: '#/components/schemas/Security_Timeline_API_SavedObjectResolveOutcome' - timeline: - $ref: >- - #/components/schemas/Security_Timeline_API_TimelineSavedToReturnObject required: - - timeline - - outcome - Security_Timeline_API_ResponseNote: + - duration + - type + title: Time window + SLOs_timeslice_metric_basic_metric_with_field: type: object properties: - note: - $ref: '#/components/schemas/Security_Timeline_API_Note' + aggregation: + description: The aggregation type of the metric. + enum: + - sum + - avg + - min + - max + - std_deviation + - last_value + - cardinality + example: sum + type: string + field: + description: The field of the metric. + example: processor.processed + type: string + filter: + description: The filter to apply to the metric. + example: 'processor.outcome: "success"' + type: string + name: + description: The name of the metric. Only valid options are A-Z + example: A + pattern: ^[A-Z]$ + type: string required: - - note - Security_Timeline_API_RowRendererId: - description: Identifies the available row renderers - enum: - - alert - - alerts - - auditd - - auditd_file - - library - - netflow - - plain - - registry - - suricata - - system - - system_dns - - system_endgame_process - - system_file - - system_fim - - system_security_event - - system_socket - - threat_match - - zeek - type: string - Security_Timeline_API_SavedObjectIds: - description: One Timeline saved object ID or an array of IDs. 
- oneOf: - - items: - type: string - type: array - - type: string - Security_Timeline_API_SavedObjectResolveAliasPurpose: - enum: - - savedObjectConversion - - savedObjectImport - type: string - Security_Timeline_API_SavedObjectResolveOutcome: - enum: - - exactMatch - - aliasMatch - - conflict - type: string - Security_Timeline_API_SavedTimeline: + - name + - aggregation + - field + title: Timeslice Metric Basic Metric with Field + SLOs_timeslice_metric_doc_count_metric: type: object properties: - columns: - description: The Timeline's columns - example: - - columnHeaderType: not-filtered - id: '@timestamp' - - columnHeaderType: not-filtered - id: event.category - items: - $ref: '#/components/schemas/Security_Timeline_API_ColumnHeaderResult' - nullable: true - type: array - created: - description: The time the Timeline was created, using a 13-digit Epoch timestamp. - example: 1587468588922 - nullable: true - type: number - createdBy: - description: The user who created the Timeline. - example: casetester - nullable: true + aggregation: + description: The aggregation type of the metric. Only valid option is "doc_count" + enum: + - doc_count + example: doc_count + type: string + filter: + description: The filter to apply to the metric. + example: 'processor.outcome: "success"' + type: string + name: + description: The name of the metric. Only valid options are A-Z + example: A + pattern: ^[A-Z]$ + type: string + required: + - name + - aggregation + title: Timeslice Metric Doc Count Metric + SLOs_timeslice_metric_percentile_metric: + type: object + properties: + aggregation: + description: The aggregation type of the metric. Only valid option is "percentile" + enum: + - percentile + example: percentile + type: string + field: + description: The field of the metric. + example: processor.processed + type: string + filter: + description: The filter to apply to the metric. 
+ example: 'processor.outcome: "success"' type: string - dataProviders: - description: Object containing query clauses - example: - - enabled: true - excluded: false - id: >- - id-d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b - name: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b - queryMatch: - field: _id, - operator: ':' - value: >- - d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b, - items: - $ref: '#/components/schemas/Security_Timeline_API_DataProviderResult' - nullable: true - type: array - dataViewId: - description: ID of the Timeline's Data View - example: security-solution-default - nullable: true + name: + description: The name of the metric. Only valid options are A-Z + example: A + pattern: ^[A-Z]$ type: string - dateRange: - description: The Timeline's search period. - example: - end: 1587456479201 - start: 1587370079200 - nullable: true - type: object - properties: - end: - oneOf: - - nullable: true - type: string - - nullable: true - type: number - start: - oneOf: - - nullable: true - type: string - - nullable: true - type: number + percentile: + description: The percentile value. + example: 95 + type: number + required: + - name + - aggregation + - field + - percentile + title: Timeslice Metric Percentile Metric + SLOs_update_slo_request: + description: | + The update SLO API request body varies depending on the type of indicator, time window and budgeting method. Partial update is handled. + properties: + artifacts: + $ref: '#/components/schemas/SLOs_artifacts' + budgetingMethod: + $ref: '#/components/schemas/SLOs_budgeting_method' description: - description: The Timeline's description - example: Investigating exposure of CVE XYZ - nullable: true + description: A description for the SLO. 
type: string - eqlOptions: - description: EQL query that is used in the correlation tab - example: - eventCategoryField: event.category - query: sequence\n[process where process.name == "sudo"]\n[any where true] - size: 100 - timestampField: '@timestamp' - nullable: true + groupBy: + $ref: '#/components/schemas/SLOs_group_by' + indicator: + oneOf: + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' + - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' + - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' + name: + description: A name for the SLO. + type: string + objective: + $ref: '#/components/schemas/SLOs_objective' + settings: + $ref: '#/components/schemas/SLOs_settings' + tags: + description: List of tags + items: + type: string + type: array + timeWindow: + $ref: '#/components/schemas/SLOs_time_window' + title: Update SLO request + type: object + Synthetics_browserMonitorFields: + allOf: + - $ref: '#/components/schemas/Synthetics_commonMonitorFields' + - additionalProperties: true type: object properties: - eventCategoryField: - nullable: true - type: string - query: - nullable: true + ignore_https_errors: + default: false + description: Ignore HTTPS errors. + type: boolean + inline_script: + description: The inline script. type: string - size: - oneOf: - - nullable: true - type: string - - nullable: true - type: number - tiebreakerField: - nullable: true + playwright_options: + description: Playwright options. + type: object + screenshots: + default: 'on' + description: The screenshot option. + enum: + - 'on' + - 'off' + - only-on-failure type: string - timestampField: - nullable: true + synthetics_args: + description: Synthetics agent CLI arguments. 
+ items:
+ type: string
+ type: array
+ type:
+ description: The monitor type.
+ enum:
+ - browser
 type: string
- eventType:
- deprecated: true
- description: Event types displayed in the Timeline
- example: all
- nullable: true
+ required:
+ - inline_script
+ - type
+ title: Browser monitor fields
+ Synthetics_commonMonitorFields:
+ title: Common monitor fields
+ type: object
+ properties:
+ alert:
+ description: |
+ The alert configuration. The default is `{ status: { enabled: true }, tls: { enabled: true } }`.
+ type: object
+ enabled:
+ default: true
+ description: Specify whether the monitor is enabled.
+ type: boolean
+ labels:
+ additionalProperties:
+ type: string
+ description: |
+ Key-value pairs of labels to associate with the monitor. Labels can be used for filtering and grouping monitors.
+ type: object
+ locations:
+ description: |
+ The location to deploy the monitor.
+ Monitors can be deployed in multiple locations so that you can detect differences in availability and response times across those locations.
+ To list available locations you can:
+
+ - Run the `elastic-synthetics locations` command with the deployment's Kibana URL.
+ - Go to *Synthetics > Management* and click *Create monitor*. Locations will be listed in *Locations*.
+ externalDocs:
+ url: https://github.com/elastic/synthetics/blob/main/src/locations/public-locations.ts
+ items:
+ type: string
+ type: array
+ name:
+ description: The monitor name.
 type: string
- excludedRowRendererIds:
- description: >-
- A list of row renderers that should not be used when in `Event
- renderers` mode
+ namespace:
+ default: default
+ description: |
+ The namespace field should be lowercase and not contain spaces. The namespace must not include any of the following characters: `*`, `\`, `/`, `?`, `"`, `<`, `>`, `|`, whitespace, `,`, `#`, `:`, or `-`.
+ type: string
+ params:
+ description: The monitor parameters.
+ type: string
+ private_locations:
+ description: |
+ The private locations to which the monitors will be deployed.
+ These private locations refer to locations hosted and managed by you, whereas `locations` are hosted by Elastic.
+ You can specify a private location using the location's name.
+ To list available private locations you can:
+
+ - Run the `elastic-synthetics locations` command with the deployment's Kibana URL.
+ - Go to *Synthetics > Settings* and click *Private locationsr*. Private locations will be listed in the table.
+
+ > info
+ > You can provide `locations` or `private_locations` or both. At least one is required.
 items:
- $ref: '#/components/schemas/Security_Timeline_API_RowRendererId'
- nullable: true
+ type: string
 type: array
- favorite:
+ retest_on_failure:
+ default: true
+ description: |
+ Turn retesting for when a monitor fails on or off. By default, monitors are automatically retested if the monitor goes from "up" to "down". If the result of the retest is also "down", an error will be created and if configured, an alert sent. The monitor will then resume running according to the defined schedule. Using `retest_on_failure` can reduce noise related to transient problems.
+ type: boolean
+ schedule:
+ description: |
+ The monitor's schedule in minutes. Supported values are `1`, `3`, `5`, `10`, `15`, `30`, `60`, `120`, and `240`. The default value is `3` minutes for HTTP, TCP, and ICMP monitors. The default value is `10` minutes for Browser monitors.
+ type: number
+ service.name:
+ description: The APM service name.
+ type: string
+ tags:
+ description: An array of tags.
 items:
- $ref: '#/components/schemas/Security_Timeline_API_FavoriteTimelineResult'
- nullable: true
+ type: string
 type: array
- filters:
- description: A list of filters that should be applied to the query
+ timeout:
+ default: 16
+ description: |
+ The monitor timeout in seconds. The monitor will fail if it doesn't complete within this time.
+
+ For browser monitors, the minimum timeout is 30 seconds. Browser monitor timeouts are only applied when the monitor runs on private locations. If a browser monitor specifies a timeout but has no private locations configured, the timeout will have no effect and a warning will be returned in the response.
+ type: number
+ required:
+ - name
+ Synthetics_getParameterResponse:
+ title: Get parameter response
+ type: object
+ properties:
+ description:
+ description: |
+ The description of the parameter. It is included in the response if the user has read-only permissions to the Synthetics app.
+ type: string
+ id:
+ description: The unique identifier of the parameter.
+ type: string
+ key:
+ description: The key of the parameter.
+ type: string
+ namespaces:
+ description: |
+ The namespaces associated with the parameter. It is included in the response if the user has read-only permissions to the Synthetics app.
 items:
- $ref: '#/components/schemas/Security_Timeline_API_FilterTimelineResult'
- nullable: true
+ type: string
 type: array
- indexNames:
- description: >-
- A list of index names to use in the query (e.g. when the default
- data view has been modified)
- example:
- - .logs*
+ tags:
+ description: |
+ An array of tags associated with the parameter. It is included in the response if the user has read-only permissions to the Synthetics app.
 items:
 type: string
- nullable: true
 type: array
- kqlMode:
- description: >-
- Indicates whether the KQL bar filters the query results or searches
- for additional results, where:
- * `filter`: filters query results
- * `search`: displays additional search results
- example: search
- nullable: true
- type: string
- kqlQuery:
- $ref: >-
- #/components/schemas/Security_Timeline_API_SerializedFilterQueryResult
- nullable: true
- savedQueryId:
- description: The ID of the saved query that might be used in the Query tab
- example: c7b16904-02d7-4f32-b8f2-cc20f9625d6e
- nullable: true
+ value:
+ description: |
+ The value associated with the parameter. It will be included in the response if the user has write permissions.
 type: string
- savedSearchId:
- description: The ID of the saved search that is used in the ES|QL tab
- example: 6ce1b592-84e3-4b4a-9552-f189d4b82075
- nullable: true
+ Synthetics_getPrivateLocation:
+ additionalProperties: true
+ properties:
+ agentPolicyId:
+ description: The ID of the agent policy associated with the private location.
 type: string
- sort:
- $ref: '#/components/schemas/Security_Timeline_API_Sort'
- nullable: true
- status:
- $ref: '#/components/schemas/Security_Timeline_API_TimelineStatus'
- nullable: true
- templateTimelineId:
- description: >-
- A unique ID (UUID) for Timeline templates. For Timelines, the value
- is `null`.
- example: 6ce1b592-84e3-4b4a-9552-f189d4b82075
- nullable: true
+ geo:
+ description: Geographic coordinates (WGS84) for the location.
+ type: object
+ properties:
+ lat:
+ description: The latitude of the location.
+ type: number
+ lon:
+ description: The longitude of the location.
+ type: number
+ required:
+ - lat
+ - lon
+ id:
+ description: The unique identifier of the private location.
 type: string
- templateTimelineVersion:
- description: >-
- Timeline template version number. For Timelines, the value is
- `null`.
- example: 12
- nullable: true
- type: number
- timelineType:
- $ref: '#/components/schemas/Security_Timeline_API_TimelineType'
- nullable: true
- title:
- description: The Timeline's title.
- example: CVE XYZ investigation
- nullable: true
+ isInvalid:
+ description: |
+ Indicates whether the location is invalid. If `true`, the location is invalid, which means the agent policy associated with the location is deleted.
+ type: boolean
+ label:
+ description: A label for the private location.
 type: string
- updated:
- description: >-
- The last time the Timeline was updated, using a 13-digit Epoch
- timestamp
- example: 1741344876825
- nullable: true
- type: number
- updatedBy:
- description: The user who last updated the Timeline
- example: casetester
- nullable: true
+ namespace:
+ description: The namespace of the location, which is the same as the namespace of the agent policy associated with the location.
 type: string
- Security_Timeline_API_SavedTimelineWithSavedObjectId:
- allOf:
- - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline'
- - type: object
- properties:
- savedObjectId:
- description: The `savedObjectId` of the Timeline or Timeline template
- example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e
- type: string
- version:
- description: The version of the Timeline or Timeline template
- example: WzE0LDFd
- type: string
- required:
- - savedObjectId
- - version
- Security_Timeline_API_SerializedFilterQueryResult:
- description: KQL bar query.
- example:
- filterQuery: null
- kuery:
- expression: '_id : *'
- kind: kuery
- serializedQuery: >-
- {"bool":{"should":[{"exists":{"field":"_id"}}],"minimum_should_match":1}}
+ title: Post a private location
 type: object
- properties:
- filterQuery:
- nullable: true
+ Synthetics_httpMonitorFields:
+ allOf:
+ - $ref: '#/components/schemas/Synthetics_commonMonitorFields'
+ - additionalProperties: true
 type: object
 properties:
- kuery:
- nullable: true
+ check:
+ description: The check request settings.
 type: object
 properties:
- expression:
- nullable: true
- type: string
- kind:
- nullable: true
- type: string
- serializedQuery:
- nullable: true
+ request:
+ description: An optional request to send to the remote host.
+ type: object
+ properties:
+ body:
+ description: Optional request body content.
+ type: string
+ headers:
+ description: |
+ A dictionary of additional HTTP headers to send. By default, Synthetics will set the User-Agent header to identify itself.
+ type: object
+ method:
+ description: The HTTP method to use.
+ enum:
+ - HEAD
+ - GET
+ - POST
+ - OPTIONS
+ type: string
+ response:
+ additionalProperties: true
+ description: The expected response.
+ type: object
+ properties:
+ body:
+ type: object
+ headers:
+ description: A dictionary of expected HTTP headers. If the header is not found, the check fails.
+ type: object
+ ipv4:
+ default: true
+ description: If `true`, ping using the ipv4 protocol.
+ type: boolean
+ ipv6:
+ default: true
+ description: If `true`, ping using the ipv6 protocol.
+ type: boolean
+ max_redirects:
+ default: 0
+ description: The maximum number of redirects to follow.
+ type: number
+ mode:
+ default: any
+ description: |
+ The mode of the monitor. If it is `all`, the monitor pings all resolvable IPs for a hostname. If it is `any`, the monitor pings only one IP address for a hostname. If you're using a DNS-load balancer and want to ping every IP address for the specified hostname, you should use `all`.
+ enum:
+ - all
+ - any
 type: string
- Security_Timeline_API_Sort:
- oneOf:
- - $ref: '#/components/schemas/Security_Timeline_API_SortObject'
- - items:
- $ref: '#/components/schemas/Security_Timeline_API_SortObject'
- type: array
- Security_Timeline_API_SortFieldTimeline:
- description: The field to sort the timelines by.
- enum:
- - title
- - description
- - updated
- - created
- type: string
- Security_Timeline_API_SortObject:
- description: Object indicating how rows are sorted in the Timeline's grid
- example:
- columnId: '@timestamp'
- sortDirection: desc
- type: object
- properties:
- columnId:
- nullable: true
- type: string
- columnType:
- nullable: true
- type: string
- sortDirection:
- nullable: true
- type: string
- Security_Timeline_API_TimelineResponse:
- allOf:
- - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline'
- - $ref: >-
- #/components/schemas/Security_Timeline_API_SavedTimelineWithSavedObjectId
- - type: object
- properties:
- eventIdToNoteIds:
- description: A list of all the notes that are associated to this Timeline.
- items:
- $ref: '#/components/schemas/Security_Timeline_API_Note'
- nullable: true
- type: array
- noteIds:
- description: >-
- A list of all the ids of notes that are associated to this
- Timeline.
- example:
- - 709f99c6-89b6-4953-9160-35945c8e174e
- items:
- type: string
- nullable: true
- type: array
- notes:
- description: A list of all the notes that are associated to this Timeline.
- items:
- $ref: '#/components/schemas/Security_Timeline_API_Note'
- nullable: true
- type: array
- pinnedEventIds:
- description: >-
- A list of all the ids of pinned events that are associated to
- this Timeline.
- example:
- - 983f99c6-89b6-4953-9160-35945c8a194f
- items:
- type: string
- nullable: true
- type: array
- pinnedEventsSaveObject:
- description: >-
- A list of all the pinned events that are associated to this
- Timeline.
- items:
- $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent'
- nullable: true
- type: array
- Security_Timeline_API_TimelineSavedToReturnObject:
- allOf:
- - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline'
- - type: object
- properties:
- eventIdToNoteIds:
- items:
- $ref: '#/components/schemas/Security_Timeline_API_Note'
- nullable: true
- type: array
- noteIds:
- items:
- type: string
- nullable: true
- type: array
- notes:
- items:
- $ref: '#/components/schemas/Security_Timeline_API_Note'
- nullable: true
- type: array
- pinnedEventIds:
- items:
- type: string
- nullable: true
- type: array
- pinnedEventsSaveObject:
- items:
- $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent'
- nullable: true
- type: array
- savedObjectId:
+ password:
+ description: |
+ The password for authenticating with the server. The credentials are passed with the request.
+ type: string
+ proxy_headers:
+ description: Additional headers to send to proxies during CONNECT requests.
+ type: object
+ proxy_url:
+ description: The URL of the proxy to use for this monitor.
+ type: string
+ response:
+ description: Controls the indexing of the HTTP response body contents to the `http.response.body.contents field`.
+ type: object
+ ssl:
+ description: |
+ The TLS/SSL connection settings for use with the HTTPS endpoint. If you don't specify settings, the system defaults are used.
+ type: object
+ type:
+ description: The monitor type.
+ enum:
+ - http
 type: string
- version:
+ url:
+ description: The URL to monitor.
+ type: string
+ username:
+ description: |
+ The username for authenticating with the server. The credentials are passed with the request.
 type: string
 required:
- - savedObjectId
- - version
- Security_Timeline_API_TimelineStatus:
- description: The status of the Timeline.
- enum:
- - active
- - draft
- - immutable
- type: string
- Security_Timeline_API_TimelineType:
- description: The type of Timeline.
- enum:
- - default
- - template
- type: string
- Short_URL_APIs_urlResponse:
- type: object
- properties:
- accessCount:
- description: Number of times the short URL has been resolved.
- type: integer
- accessDate:
- description: >-
- Unix epoch (milliseconds) of the last time the short URL was
- resolved. Set to the creation time when the URL has never been
- accessed.
- format: int64
- type: integer
- createDate:
- description: Unix epoch (milliseconds) when the short URL was created.
- format: int64
- type: integer
- id:
- description: The identifier for the short URL.
- type: string
- locator:
+ - type
+ - url
+ title: HTTP monitor fields
+ Synthetics_icmpMonitorFields:
+ allOf:
+ - $ref: '#/components/schemas/Synthetics_commonMonitorFields'
+ - additionalProperties: true
 type: object
 properties:
- id:
- description: The identifier for the locator.
+ host:
+ description: The host to ping.
 type: string
- state:
- description: The locator parameters.
- type: object
- version:
- description: The version of Kibana when the short URL was created.
+ type:
+ description: The monitor type.
+ enum:
+ - icmp
 type: string
- slug:
- description: >
- A random human-readable slug is automatically generated if the
- `humanReadableSlug` parameter is set to `true`. If it is set to
- `false`, a random short string is generated.
- type: string
- SLOs_400_response:
- title: Bad request
+ wait:
+ default: 1
+ description: The wait time in seconds.
+ type: number
+ required:
+ - host
+ - type
+ title: ICMP monitor fields
+ Synthetics_monitorWarning:
+ title: Monitor warning
 type: object
 properties:
- error:
- example: Bad Request
- type: string
 message:
- example: 'Invalid value ''foo'' supplied to: [...]'
+ description: A human-readable warning message.
 type: string
- statusCode:
- example: 400
- type: number
- required:
- - statusCode
- - error
- - message
- SLOs_401_response:
- title: Unauthorized
+ monitorId:
+ description: The monitor ID associated with the warning.
+ type: string
+ publicLocationIds:
+ description: The public location IDs associated with the warning.
+ items:
+ type: string
+ type: array
+ Synthetics_parameterRequest:
+ title: Parameter request
 type: object
 properties:
- error:
- example: Unauthorized
+ description:
+ description: A description of the parameter.
 type: string
- message:
- example: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastics] for REST request [/_security/_authenticate]]: unable to authenticate user [elastics] for REST request [/_security/_authenticate]"
+ key:
+ description: The key of the parameter.
+ type: string
+ share_across_spaces:
+ description: Specify whether the parameter should be shared across spaces.
+ type: boolean
+ tags:
+ description: An array of tags to categorize the parameter.
+ items:
+ type: string
+ type: array
+ value:
+ description: The value associated with the parameter.
 type: string
- statusCode:
- example: 401
- type: number
 required:
- - statusCode
- - error
- - message
- SLOs_403_response:
- title: Forbidden
+ - key
+ - value
+ Synthetics_postParameterResponse:
+ title: Post parameter response
 type: object
 properties:
- error:
- example: Forbidden
+ description:
+ description: A description of the parameter.
 type: string
- message:
- example: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: action [slo_write] is unauthorized for user [limited_user] for REST request [/api/observability/slos]]: action [slo_write] is unauthorized for user [limited_user]"
+ id:
+ description: The unique identifier for the parameter.
 type: string
- statusCode:
- example: 403
- type: number
- required:
- - statusCode
- - error
- - message
- SLOs_404_response:
- title: Not found
+ key:
+ description: The parameter key.
+ type: string
+ share_across_spaces:
+ description: Indicates whether the parameter is shared across spaces.
+ type: boolean
+ tags:
+ description: An array of tags associated with the parameter.
+ items:
+ type: string
+ type: array
+ value:
+ description: The value associated with the parameter.
+ type: string
+ Synthetics_tcpMonitorFields:
+ allOf:
+ - $ref: '#/components/schemas/Synthetics_commonMonitorFields'
+ - additionalProperties: true
+ type: object
+ properties:
+ host:
+ description: |
+ The host to monitor; it can be an IP address or a hostname. The host can include the port using a colon, for example "example.com:9200".
+ type: string
+ proxy_url:
+ description: |
+ The URL of the SOCKS5 proxy to use when connecting to the server. The value must be a URL with a scheme of `socks5://`. If the SOCKS5 proxy server requires client authentication, then a username and password can be embedded in the URL. When using a proxy, hostnames are resolved on the proxy server instead of on the client. You can change this behavior by setting the `proxy_use_local_resolver` option.
+ type: string
+ proxy_use_local_resolver:
+ default: false
+ description: |
+ Specify that hostnames are resolved locally instead of being resolved on the proxy server. If `false`, name resolution occurs on the proxy server.
+ type: boolean
+ ssl:
+ description: |
+ The TLS/SSL connection settings for use with the HTTPS endpoint. If you don't specify settings, the system defaults are used.
+ type: object
+ type:
+ description: The monitor type.
+ enum:
+ - tcp
+ type: string
+ required:
+ - host
+ - type
+ title: TCP monitor fields
+ Task_manager_health_APIs_configuration:
+ description: |
+ This object summarizes the current configuration of Task Manager. This includes dynamic configurations that change over time, such as `poll_interval` and `max_workers`, which can adjust in reaction to changing load on the system.
+ type: object
+ Task_manager_health_APIs_health_response:
+ title: Task health response properties
 type: object
 properties:
- error:
- example: Not Found
+ id:
 type: string
- message:
- example: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found
+ last_update:
 type: string
- statusCode:
- example: 404
- type: number
- required:
- - statusCode
- - error
- - message
- SLOs_409_response:
- title: Conflict
+ stats:
+ type: object
+ properties:
+ capacity_estimation:
+ description: |
+ This object provides a rough estimate about the sufficiency of its capacity. These are estimates based on historical data and should not be used as predictions.
+ type: object
+ configuration:
+ $ref: '#/components/schemas/Task_manager_health_APIs_configuration'
+ runtime:
+ description: |
+ This object tracks runtime performance of Task Manager, tracking task drift, worker load, and stats broken down by type, including duration and run results.
+ type: object
+ workload:
+ $ref: '#/components/schemas/Task_manager_health_APIs_workload'
+ status:
+ type: string
+ timestamp:
+ type: string
+ Task_manager_health_APIs_workload:
+ description: |
+ This object summarizes the work load across the cluster, including the tasks in the system, their types, and current status.
 type: object
+ bedrock_config:
+ title: Connector request properties for an Amazon Bedrock connector
+ description: Defines properties for connectors when type is `.bedrock`.
+ type: object
+ required:
+ - apiUrl
 properties:
- error:
- example: Conflict
+ apiUrl:
 type: string
- message:
- example: SLO [d077e940-1515-11ee-9c50-9d096392f520] already exists
+ description: The Amazon Bedrock request URL.
+ region:
 type: string
- statusCode:
- example: 409
- type: number
+ description: |
+ Optional AWS region for request signing. Required when using a custom endpoint URL that does not include the region in the hostname (for example, `us-west-1`).
+ defaultModel:
+ type: string
+ description: |
+ The generative artificial intelligence model for Amazon Bedrock to use. Current support is for the Anthropic Claude models.
+ default: us.anthropic.claude-sonnet-4-5-20250929-v1:0
+ crowdstrike_config:
+ title: Connector request config properties for a Crowdstrike connector
 required:
- - statusCode
- - error
- - message
- SLOs_artifacts:
- description: Links to related assets for the SLO
- properties:
- dashboards:
- description: Array of dashboard references
- items:
- type: object
- properties:
- id:
- description: Dashboard saved-object id
- type: string
- required:
- - id
- type: array
- title: Artifacts
+ - url
+ description: Defines config properties for connectors when type is `.crowdstrike`.
 type: object
- SLOs_budgeting_method:
- description: The budgeting method to use when computing the rollup data.
- enum:
- - occurrences
- - timeslices
- example: occurrences
- title: Budgeting method
- type: string
- SLOs_bulk_delete_request:
- description: >
- The bulk delete SLO request takes a list of SLOs Definition id to
- delete.
 properties:
- list:
- description: An array of SLO Definition id
- items:
- description: The SLO Definition id
- example: 8853df00-ae2e-11ed-90af-09bb6422b258
- type: string
- type: array
- required:
- - list
- title: Bulk delete SLO request
+ url:
+ description: |
+ The CrowdStrike tenant URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts.
+ type: string
+ d3security_config:
+ title: Connector request properties for a D3 Security connector
+ description: Defines properties for connectors when type is `.d3security`.
 type: object
- SLOs_bulk_delete_response:
- description: >
- The bulk delete SLO response returns a taskId that can be used to poll
- for its status
+ required:
+ - url
 properties:
- taskId:
- description: The taskId of the bulk delete operation
- example: d08506b7-f0e8-4f8b-a06a-a83940f4db91
+ url:
 type: string
- title: Bulk delete SLO response
+ description: |
+ The D3 Security API request URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts.
+ email_config:
+ title: Connector request properties for an email connector
+ description: Defines properties for connectors when type is `.email`.
+ required:
+ - from
 type: object
- SLOs_bulk_delete_status_response:
- description: >-
- Indicates if the bulk deletion is completed, with the detailed results
- of the operation.
 properties:
- error:
- description: The error message if the bulk deletion operation failed
- example: Task not found
+ clientId:
+ description: |
+ The client identifier, which is a part of OAuth 2.0 client credentials authentication, in GUID format. If `service` is `exchange_server`, this property is required.
 type: string
- isDone:
- description: Indicates if the bulk deletion operation is completed
- example: true
+ nullable: true
+ from:
+ description: |
+ The from address for all emails sent by the connector. It must be specified in `user@host-name` format.
+ type: string
+ hasAuth:
+ description: |
+ Specifies whether a user and password are required inside the secrets configuration.
+ default: true
 type: boolean
- results:
- description: >-
- The results of the bulk deletion operation, including the success
- status and any errors for each SLO
- items:
- type: object
- properties:
- error:
- description: >-
- The error message if the deletion operation failed for this
- SLO
- example: SLO [d08506b7-f0e8-4f8b-a06a-a83940f4db91] not found
- type: string
- id:
- description: The ID of the SLO that was deleted
- example: d08506b7-f0e8-4f8b-a06a-a83940f4db91
- type: string
- success:
- description: The result of the deletion operation for this SLO
- example: true
- type: boolean
- type: array
- title: The status of the bulk deletion
+ host:
+ description: |
+ The host name of the service provider. If the `service` is `elastic_cloud` (for Elastic Cloud notifications) or one of Nodemailer's well-known email service providers, this property is ignored. If `service` is `other`, this property must be defined.
+ type: string
+ oauthTokenUrl:
+ type: string
+ nullable: true
+ port:
+ description: |
+ The port to connect to on the service provider. If the `service` is `elastic_cloud` (for Elastic Cloud notifications) or one of Nodemailer's well-known email service providers, this property is ignored. If `service` is `other`, this property must be defined.
+ type: integer
+ secure:
+ description: |
+ Specifies whether the connection to the service provider will use TLS. If the `service` is `elastic_cloud` (for Elastic Cloud notifications) or one of Nodemailer's well-known email service providers, this property is ignored.
+ type: boolean
+ service:
+ description: |
+ The name of the email service.
+ type: string
+ enum:
+ - elastic_cloud
+ - exchange_server
+ - gmail
+ - other
+ - outlook365
+ - ses
+ tenantId:
+ description: |
+ The tenant identifier, which is part of OAuth 2.0 client credentials authentication, in GUID format. If `service` is `exchange_server`, this property is required.
+ type: string
+ nullable: true
+ gemini_config:
+ title: Connector request properties for an Google Gemini connector
+ description: Defines properties for connectors when type is `.gemini`.
 type: object
- SLOs_bulk_purge_rollup_request:
- description: >
- The bulk purge rollup data request takes a list of SLO ids and a purge
- policy, then deletes the rollup data according to the purge policy. This
- API can be used to remove the staled data of an instance SLO that no
- longer get updated.
- properties:
- list:
- description: An array of slo ids
- items:
- description: The SLO Definition id
- example: 8853df00-ae2e-11ed-90af-09bb6422b258
- type: string
- type: array
- purgePolicy:
- description: Policy that dictates which SLI documents to purge based on age
- oneOf:
- - type: object
- properties:
- age:
- description: >-
- The duration to determine which documents to purge,
- formatted as {duration}{unit}. This value should be greater
- than or equal to the time window of every SLO provided.
- example: 7d
- type: string
- purgeType:
- description: >-
- Specifies whether documents will be purged based on a
- specific age or on a timestamp
- enum:
- - fixed-age
- type: string
- - type: object
- properties:
- purgeType:
- description: >-
- Specifies whether documents will be purged based on a
- specific age or on a timestamp
- enum:
- - fixed-time
- type: string
- timestamp:
- description: >-
- The timestamp to determine which documents to purge,
- formatted in ISO. This value should be older than the
- applicable time window of every SLO provided.
- example: '2024-12-31T00:00:00.000Z'
- type: string
- type: object
 required:
- - list
- - purgePolicy
- title: Bulk Purge Rollup data request
- type: object
- SLOs_bulk_purge_rollup_response:
- description: >
- The bulk purge rollup data response returns a task id from the
- elasticsearch deleteByQuery response.
+ - apiUrl
+ - gcpRegion
+ - gcpProjectID
 properties:
- taskId:
- description: The task id of the purge operation
- example: 8853df00-ae2e-11ed-90af-09bb6422b258
+ apiUrl:
 type: string
- title: Bulk Purge Rollup data response
- type: object
- SLOs_create_slo_request:
- description: >
- The create SLO API request body varies depending on the type of
- indicator, time window and budgeting method.
- properties:
- artifacts:
- $ref: '#/components/schemas/SLOs_artifacts'
- budgetingMethod:
- $ref: '#/components/schemas/SLOs_budgeting_method'
- description:
- description: A description for the SLO.
+ description: The Google Gemini request URL.
+ defaultModel:
 type: string
- groupBy:
- $ref: '#/components/schemas/SLOs_group_by'
- id:
- description: >-
- A optional and unique identifier for the SLO. Must be between 8 and
- 36 chars
- example: my-super-slo-id
+ description: The generative artificial intelligence model for Google Gemini to use.
+ default: gemini-2.5-pro
+ gcpRegion:
 type: string
- indicator:
- oneOf:
- - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql'
- - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability'
- - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency'
- - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric'
- - $ref: '#/components/schemas/SLOs_indicator_properties_histogram'
- - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric'
- name:
- description: A name for the SLO.
+ description: The GCP region where the Vertex AI endpoint enabled.
+ gcpProjectID:
 type: string
- objective:
- $ref: '#/components/schemas/SLOs_objective'
- settings:
- $ref: '#/components/schemas/SLOs_settings'
- tags:
- description: List of tags
- items:
- type: string
- type: array
- timeWindow:
- $ref: '#/components/schemas/SLOs_time_window'
+ description: The Google ProjectID that has Vertex AI endpoint enabled.
+ resilient_config:
+ title: Connector request properties for a IBM Resilient connector
 required:
- - name
- - description
- - indicator
- - timeWindow
- - budgetingMethod
- - objective
- title: Create SLO request
- type: object
- SLOs_create_slo_response:
- title: Create SLO response
+ - apiUrl
+ - orgId
+ description: Defines properties for connectors when type is `.resilient`.
 type: object
 properties:
- id:
- example: 8853df00-ae2e-11ed-90af-09bb6422b258
+ apiUrl:
+ description: The IBM Resilient instance URL.
 type: string
+ orgId:
+ description: The IBM Resilient organization ID.
+ type: string
+ index_config:
+ title: Connector request properties for an index connector
 required:
- - id
- SLOs_delete_slo_instances_request:
- description: >
- The delete SLO instances request takes a list of SLO id and instance id,
- then delete the rollup and summary data. This API can be used to remove
- the staled data of an instance SLO that no longer get updated.
- properties:
- list:
- description: An array of slo id and instance id
- items:
- type: object
- properties:
- instanceId:
- description: The SLO instance identifier
- example: 8853df00-ae2e-11ed-90af-09bb6422b258
- type: string
- sloId:
- description: The SLO unique identifier
- example: 8853df00-ae2e-11ed-90af-09bb6422b258
- type: string
- required:
- - sloId
- - instanceId
- type: array
- required:
- - list
- title: Delete SLO instances request
- type: object
- SLOs_error_budget:
- title: Error budget
+ - index
+ description: Defines properties for connectors when type is `.index`.
 type: object
 properties:
- consumed:
- description: The error budget consummed, as a percentage of the initial value.
- example: 0.8
- type: number
- initial:
- description: The initial error budget, as 1 - objective
- example: 0.02
- type: number
- isEstimated:
- description: >-
- Only for SLO defined with occurrences budgeting method and calendar
- aligned time window.
- example: true + executionTimeField: + description: A field that indicates when the document was indexed. + default: null + type: string + nullable: true + index: + description: The Elasticsearch index to be written to. + type: string + refresh: + description: | + The refresh policy for the write request, which affects when changes are made visible to search. Refer to the refresh setting for Elasticsearch document APIs. + default: false type: boolean - remaining: - description: The error budget remaining, as a percentage of the initial value. - example: 0.2 - type: number + jira_config: + title: Connector request properties for a Jira connector required: - - initial - - consumed - - remaining - - isEstimated - SLOs_filter: - description: Defines properties for a filter - properties: - meta: - $ref: '#/components/schemas/SLOs_filter_meta' - query: - type: object - title: Filter + - apiUrl + - projectKey + description: Defines properties for connectors when type is `.jira`. type: object - SLOs_filter_meta: - description: Defines properties for a filter properties: - alias: - nullable: true + apiUrl: + description: The Jira instance URL. type: string - controlledBy: + projectKey: + description: The Jira project key. type: string - disabled: - type: boolean - field: + defender_config: + title: Connector request properties for a Microsoft Defender for Endpoint connector + required: + - apiUrl + - projectKey + description: Defines properties for connectors when type is `.microsoft_defender_endpoint`. + type: object + properties: + apiUrl: type: string - group: + description: | + The URL of the Microsoft Defender for Endpoint API. If you are using the `xpack.actions.allowedHosts` setting, make sure the hostname is added to the allowed hosts. + clientId: type: string - index: + description: The application (client) identifier for your app in the Azure portal. 
+ oAuthScope: type: string - isMultiIndex: - type: boolean - key: + description: The OAuth scopes or permission sets for the Microsoft Defender for Endpoint API. + oAuthServerUrl: type: string - negate: - type: boolean - params: - type: object - type: + description: The OAuth server URL where authentication is sent and received for the Microsoft Defender for Endpoint API. + tenantId: + description: The tenant identifier for your app in the Azure portal. + type: string + genai_azure_config: + title: Connector request properties for an OpenAI connector that uses Azure OpenAI + description: | + Defines properties for connectors when type is `.gen-ai` and the API provider is `Azure OpenAI`. + type: object + required: + - apiProvider + - apiUrl + properties: + apiProvider: type: string - value: + description: The OpenAI API provider. + enum: + - Azure OpenAI + apiUrl: type: string - title: FilterMeta - type: object - SLOs_find_slo_definitions_response: + description: The OpenAI API endpoint. + genai_openai_config: + title: Connector request properties for an OpenAI connector description: | - A paginated response of SLO definitions matching the query. 
- oneOf: - - type: object - properties: - page: - example: 1 - type: number - perPage: - example: 25 - type: number - results: - items: - $ref: '#/components/schemas/SLOs_slo_with_summary_response' - type: array - total: - example: 34 - type: number - - type: object - properties: - page: - default: 1 - description: for backward compability - type: number - perPage: - description: for backward compability - example: 25 - type: number - results: - items: - $ref: '#/components/schemas/SLOs_slo_with_summary_response' - type: array - searchAfter: - description: the cursor to provide to get the next paged results - example: - - some-slo-id - - other-cursor-id - items: - type: string - type: array - size: - example: 25 - type: number - total: - example: 34 - type: number - title: Find SLO definitions response + Defines properties for connectors when type is `.gen-ai` and the API provider is `OpenAI`. type: object - SLOs_find_slo_response: - description: | - A paginated response of SLOs matching the query. + required: + - apiProvider + - apiUrl properties: - page: - example: 1 - type: number - perPage: - example: 25 - type: number - results: - items: - $ref: '#/components/schemas/SLOs_slo_with_summary_response' - type: array - searchAfter: + apiProvider: type: string - size: - description: Size provided for cursor based pagination - example: 25 - type: number - total: - example: 34 - type: number - title: Find SLO response + description: The OpenAI API provider. + enum: + - OpenAI + apiUrl: + type: string + description: The OpenAI API endpoint. + defaultModel: + type: string + description: The default model to use for requests. + opsgenie_config: + title: Connector request properties for an Opsgenie connector + required: + - apiUrl + description: Defines properties for connectors when type is `.opsgenie`. 
type: object - SLOs_group_by: - description: >- - optional group by field or fields to use to generate an SLO per distinct - value - example: - - - service.name - - service.name - - - service.name - - service.environment - oneOf: - - type: string - - items: - type: string - type: array - title: Group by - SLOs_indicator_properties_apm_availability: - description: Defines properties for the APM availability indicator type + properties: + apiUrl: + description: | + The Opsgenie URL. For example, `https://api.opsgenie.com` or `https://api.eu.opsgenie.com`. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. + type: string + pagerduty_config: + title: Connector request properties for a PagerDuty connector + description: Defines properties for connectors when type is `.pagerduty`. type: object properties: - params: - description: An object containing the indicator parameters. - nullable: false - type: object - properties: - environment: - description: The APM service environment or "*" - example: production - type: string - filter: - description: KQL query used for filtering the data - example: 'service.foo : "bar"' - type: string - index: - description: The index used by APM metrics - example: metrics-apm*,apm* - type: string - service: - description: The APM service name - example: o11y-app - type: string - transactionName: - description: The APM transaction name or "*" - example: GET /my/api - type: string - transactionType: - description: The APM transaction type or "*" - example: request - type: string - required: - - service - - environment - - transactionType - - transactionName - - index - type: - description: The type of indicator. - example: sli.apm.transactionDuration + apiUrl: + description: The PagerDuty event URL. 
type: string + nullable: true + example: https://events.pagerduty.com/v2/enqueue + sentinelone_config: + title: Connector request properties for a SentinelOne connector required: - - type - - params - title: APM availability - SLOs_indicator_properties_apm_latency: - description: Defines properties for the APM latency indicator type + - url + description: Defines properties for connectors when type is `.sentinelone`. type: object properties: - params: - description: An object containing the indicator parameters. - nullable: false - type: object - properties: - environment: - description: The APM service environment or "*" - example: production - type: string - filter: - description: KQL query used for filtering the data - example: 'service.foo : "bar"' - type: string - index: - description: The index used by APM metrics - example: metrics-apm*,apm* - type: string - service: - description: The APM service name - example: o11y-app - type: string - threshold: - description: The latency threshold in milliseconds - example: 250 - type: number - transactionName: - description: The APM transaction name or "*" - example: GET /my/api - type: string - transactionType: - description: The APM transaction type or "*" - example: request - type: string - required: - - service - - environment - - transactionType - - transactionName - - index - - threshold - type: - description: The type of indicator. - example: sli.apm.transactionDuration + url: + description: | + The SentinelOne tenant URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. type: string + servicenow_config: + title: Connector request properties for a ServiceNow ITSM connector required: - - type - - params - title: APM latency - SLOs_indicator_properties_custom_kql: - description: Defines properties for a custom query indicator type + - apiUrl + description: Defines properties for connectors when type is `.servicenow`. 
type: object properties: - params: - description: An object containing the indicator parameters. - nullable: false - type: object - properties: - dataViewId: - description: >- - The kibana data view id to use, primarily used to include data - view runtime mappings. Make sure to save SLO again if you - add/update run time fields to the data view and if those fields - are being used in slo queries. - example: 03b80ab3-003d-498b-881c-3beedbaf1162 - type: string - filter: - $ref: '#/components/schemas/SLOs_kql_with_filters' - good: - $ref: '#/components/schemas/SLOs_kql_with_filters_good' - index: - description: The index or index pattern to use - example: my-service-* - type: string - timestampField: - description: | - The timestamp field used in the source indice. - example: timestamp - type: string - total: - $ref: '#/components/schemas/SLOs_kql_with_filters_total' - required: - - index - - timestampField - - good - - total - type: - description: The type of indicator. - example: sli.kql.custom + apiUrl: + type: string + description: The ServiceNow instance URL. + clientId: + description: | + The client ID assigned to your OAuth application. This property is required when `isOAuth` is `true`. + type: string + isOAuth: + description: | + The type of authentication to use. The default value is false, which means basic authentication is used instead of open authorization (OAuth). + default: false + type: boolean + jwtKeyId: + description: | + The key identifier assigned to the JWT verifier map of your OAuth application. This property is required when `isOAuth` is `true`. type: string + userIdentifierValue: + description: | + The identifier to use for OAuth authentication. This identifier should be the user field you selected when you created an OAuth JWT API endpoint for external clients in your ServiceNow instance. For example, if the selected user field is `Email`, the user identifier should be the user's email address. 
This property is required when `isOAuth` is `true`. + type: string + usesTableApi: + description: | + Determines whether the connector uses the Table API or the Import Set API. This property is supported only for ServiceNow ITSM and ServiceNow SecOps connectors. NOTE: If this property is set to `false`, the Elastic application should be installed in ServiceNow. + default: true + type: boolean + servicenow_itom_config: + title: Connector request properties for a ServiceNow ITOM connector required: - - type - - params - title: Custom Query - SLOs_indicator_properties_custom_metric: - description: Defines properties for a custom metric indicator type + - apiUrl + description: Defines properties for connectors when type is `.servicenow-itom`. type: object properties: - params: - description: An object containing the indicator parameters. - nullable: false + apiUrl: + type: string + description: The ServiceNow instance URL. + clientId: + description: | + The client ID assigned to your OAuth application. This property is required when `isOAuth` is `true`. + type: string + isOAuth: + description: | + The type of authentication to use. The default value is false, which means basic authentication is used instead of open authorization (OAuth). + default: false + type: boolean + jwtKeyId: + description: | + The key identifier assigned to the JWT verifier map of your OAuth application. This property is required when `isOAuth` is `true`. + type: string + userIdentifierValue: + description: | + The identifier to use for OAuth authentication. This identifier should be the user field you selected when you created an OAuth JWT API endpoint for external clients in your ServiceNow instance. For example, if the selected user field is `Email`, the user identifier should be the user's email address. This property is required when `isOAuth` is `true`. 
+ type: string + slack_api_config: + title: Connector request properties for a Slack connector + description: Defines properties for connectors when type is `.slack_api`. + type: object + properties: + allowedChannels: + type: array + description: A list of valid Slack channels. + items: + type: object + required: + - id + - name + maxItems: 25 + properties: + id: + type: string + description: The Slack channel ID. + example: C123ABC456 + minLength: 1 + name: + type: string + description: The Slack channel name. + minLength: 1 + swimlane_config: + title: Connector request properties for a Swimlane connector + required: + - apiUrl + - appId + - connectorType + description: Defines properties for connectors when type is `.swimlane`. + type: object + properties: + apiUrl: + description: The Swimlane instance URL. + type: string + appId: + description: The Swimlane application ID. + type: string + connectorType: + description: The type of connector. Valid values are `all`, `alerts`, and `cases`. + type: string + enum: + - all + - alerts + - cases + mappings: + title: Connector mappings properties for a Swimlane connector + description: The field mapping. type: object properties: - dataViewId: - description: >- - The kibana data view id to use, primarily used to include data - view runtime mappings. Make sure to save SLO again if you - add/update run time fields to the data view and if those fields - are being used in slo queries. - example: 03b80ab3-003d-498b-881c-3beedbaf1162 - type: string - filter: - description: the KQL query to filter the documents with. - example: 'field.environment : "production" and service.name : "my-service"' - type: string - good: - description: | - An object defining the "good" metrics and equation + alertIdConfig: + title: Alert identifier mapping + description: Mapping for the alert ID. type: object + required: + - fieldType + - id + - key + - name properties: - equation: - description: The equation to calculate the "good" metric. 
- example: A + fieldType: type: string - metrics: - description: >- - List of metrics with their name, aggregation type, and - field. - items: - oneOf: - - type: object - properties: - aggregation: - description: The aggregation type of the metric. - enum: - - sum - example: sum - type: string - field: - description: The field of the metric. - example: processor.processed - type: string - filter: - description: The filter to apply to the metric. - example: 'processor.outcome: *' - type: string - name: - description: The name of the metric. Only valid options are A-Z - example: A - pattern: ^[A-Z]$ - type: string - required: - - name - - aggregation - - field - - type: object - properties: - aggregation: - description: The aggregation type of the metric. - enum: - - doc_count - example: doc_count - type: string - filter: - description: The filter to apply to the metric. - example: 'processor.outcome: *' - type: string - name: - description: The name of the metric. Only valid options are A-Z - example: A - pattern: ^[A-Z]$ - type: string - required: - - name - - aggregation - type: array - required: - - metrics - - equation - index: - description: The index or index pattern to use - example: my-service-* - type: string - timestampField: - description: | - The timestamp field used in the source indice. - example: timestamp - type: string - total: - description: | - An object defining the "total" metrics and equation + description: The type of field in Swimlane. + id: + type: string + description: The identifier for the field in Swimlane. + key: + type: string + description: The key for the field in Swimlane. + name: + type: string + description: The name of the field in Swimlane. + caseIdConfig: + title: Case identifier mapping + description: Mapping for the case ID. type: object + required: + - fieldType + - id + - key + - name properties: - equation: - description: The equation to calculate the "total" metric. 
- example: A + fieldType: type: string - metrics: - description: >- - List of metrics with their name, aggregation type, and - field. - items: - oneOf: - - type: object - properties: - aggregation: - description: The aggregation type of the metric. - enum: - - sum - example: sum - type: string - field: - description: The field of the metric. - example: processor.processed - type: string - filter: - description: The filter to apply to the metric. - example: 'processor.outcome: *' - type: string - name: - description: The name of the metric. Only valid options are A-Z - example: A - pattern: ^[A-Z]$ - type: string - required: - - name - - aggregation - - field - - type: object - properties: - aggregation: - description: The aggregation type of the metric. - enum: - - doc_count - example: doc_count - type: string - filter: - description: The filter to apply to the metric. - example: 'processor.outcome: *' - type: string - name: - description: The name of the metric. Only valid options are A-Z - example: A - pattern: ^[A-Z]$ - type: string - required: - - name - - aggregation - type: array + description: The type of field in Swimlane. + id: + type: string + description: The identifier for the field in Swimlane. + key: + type: string + description: The key for the field in Swimlane. + name: + type: string + description: The name of the field in Swimlane. + caseNameConfig: + title: Case name mapping + description: Mapping for the case name. + type: object required: - - metrics - - equation - required: - - index - - timestampField - - good - - total - type: - description: The type of indicator. - example: sli.metric.custom - type: string - required: - - type - - params - title: Custom metric - SLOs_indicator_properties_histogram: - description: Defines properties for a histogram indicator type - type: object - properties: - params: - description: An object containing the indicator parameters. 
- nullable: false - type: object - properties: - dataViewId: - description: >- - The kibana data view id to use, primarily used to include data - view runtime mappings. Make sure to save SLO again if you - add/update run time fields to the data view and if those fields - are being used in slo queries. - example: 03b80ab3-003d-498b-881c-3beedbaf1162 - type: string - filter: - description: the KQL query to filter the documents with. - example: 'field.environment : "production" and service.name : "my-service"' - type: string - good: - description: | - An object defining the "good" events + - fieldType + - id + - key + - name + properties: + fieldType: + type: string + description: The type of field in Swimlane. + id: + type: string + description: The identifier for the field in Swimlane. + key: + type: string + description: The key for the field in Swimlane. + name: + type: string + description: The name of the field in Swimlane. + commentsConfig: + title: Case comment mapping + description: Mapping for the case comments. type: object + required: + - fieldType + - id + - key + - name properties: - aggregation: - description: The type of aggregation to use. - enum: - - value_count - - range - example: value_count + fieldType: type: string - field: - description: The field use to aggregate the good events. - example: processor.latency + description: The type of field in Swimlane. + id: type: string - filter: - description: The filter for good events. - example: 'processor.outcome: "success"' + description: The identifier for the field in Swimlane. + key: type: string - from: - description: >- - The starting value of the range. Only required for "range" - aggregations. - example: 0 - type: number - to: - description: >- - The ending value of the range. Only required for "range" - aggregations. - example: 100 - type: number + description: The key for the field in Swimlane. + name: + type: string + description: The name of the field in Swimlane. 
+ descriptionConfig: + title: Case description mapping + description: Mapping for the case description. + type: object required: - - aggregation - - field - index: - description: The index or index pattern to use - example: my-service-* - type: string - timestampField: - description: | - The timestamp field used in the source indice. - example: timestamp - type: string - total: - description: | - An object defining the "total" events + - fieldType + - id + - key + - name + properties: + fieldType: + type: string + description: The type of field in Swimlane. + id: + type: string + description: The identifier for the field in Swimlane. + key: + type: string + description: The key for the field in Swimlane. + name: + type: string + description: The name of the field in Swimlane. + ruleNameConfig: + title: Rule name mapping + description: Mapping for the name of the alert's rule. type: object + required: + - fieldType + - id + - key + - name properties: - aggregation: - description: The type of aggregation to use. - enum: - - value_count - - range - example: value_count + fieldType: type: string - field: - description: The field use to aggregate the good events. - example: processor.latency + description: The type of field in Swimlane. + id: type: string - filter: - description: The filter for total events. - example: 'processor.outcome : *' + description: The identifier for the field in Swimlane. + key: type: string - from: - description: >- - The starting value of the range. Only required for "range" - aggregations. - example: 0 - type: number - to: - description: >- - The ending value of the range. Only required for "range" - aggregations. - example: 100 - type: number + description: The key for the field in Swimlane. + name: + type: string + description: The name of the field in Swimlane. + severityConfig: + title: Severity mapping + description: Mapping for the severity. 
+ type: object required: - - aggregation - - field - required: - - index - - timestampField - - good - - total - type: - description: The type of indicator. - example: sli.histogram.custom + - fieldType + - id + - key + - name + properties: + fieldType: + type: string + description: The type of field in Swimlane. + id: + type: string + description: The identifier for the field in Swimlane. + key: + type: string + description: The key for the field in Swimlane. + name: + type: string + description: The name of the field in Swimlane. + thehive_config: + title: Connector request properties for a TheHive connector + description: Defines configuration properties for connectors when type is `.thehive`. + type: object + required: + - url + properties: + organisation: + type: string + description: | + The organisation in TheHive that will contain the alerts or cases. By default, the connector uses the default organisation of the user account that created the API key. + url: type: string + description: | + The instance URL in TheHive. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. + tines_config: + title: Connector request properties for a Tines connector + description: Defines properties for connectors when type is `.tines`. + type: object required: - - type - - params - title: Histogram indicator - SLOs_indicator_properties_timeslice_metric: - description: Defines properties for a timeslice metric indicator type + - url + properties: + url: + description: | + The Tines tenant URL. If you are using the `xpack.actions.allowedHosts` setting, make sure this hostname is added to the allowed hosts. + type: string + torq_config: + title: Connector request properties for a Torq connector + description: Defines properties for connectors when type is `.torq`. type: object + required: + - webhookIntegrationUrl properties: - params: - description: An object containing the indicator parameters. 
- nullable: false + webhookIntegrationUrl: + description: The endpoint URL of the Elastic Security integration in Torq. + type: string + auth_type: + title: Authentication type + type: string + nullable: true + enum: + - webhook-authentication-basic + - webhook-authentication-ssl + description: | + The type of authentication to use: basic, SSL, or none. + ca: + title: Certificate authority + type: string + description: | + A base64 encoded version of the certificate authority file that the connector can trust to sign and validate certificates. This option is available for all authentication types. + cert_type: + title: Certificate type + type: string + description: | + If the `authType` is `webhook-authentication-ssl`, specifies whether the certificate authentication data is in a CRT and key file format or a PFX file format. + enum: + - ssl-crt-key + - ssl-pfx + has_auth: + title: Has authentication + type: boolean + description: If true, a username and password for login type authentication must be provided. + default: true + verification_mode: + title: Verification mode + type: string + enum: + - certificate + - full + - none + default: full + description: | + Controls the verification of certificates. Use `full` to validate that the certificate has an issue date within the `not_before` and `not_after` dates, chains to a trusted certificate authority (CA), and has a hostname or IP address that matches the names within the certificate. Use `certificate` to validate the certificate and verify that it is signed by a trusted authority; this option does not check the certificate hostname. Use `none` to skip certificate validation. + webhook_config: + title: Connector request properties for a Webhook connector + description: Defines properties for connectors when type is `.webhook`. 
+ type: object + properties: + authType: + $ref: '#/components/schemas/auth_type' + ca: + $ref: '#/components/schemas/ca' + certType: + $ref: '#/components/schemas/cert_type' + hasAuth: + $ref: '#/components/schemas/has_auth' + headers: type: object - properties: - dataViewId: - description: >- - The kibana data view id to use, primarily used to include data - view runtime mappings. Make sure to save SLO again if you - add/update run time fields to the data view and if those fields - are being used in slo queries. - example: 03b80ab3-003d-498b-881c-3beedbaf1162 - type: string - filter: - description: the KQL query to filter the documents with. - example: 'field.environment : "production" and service.name : "my-service"' - type: string - index: - description: The index or index pattern to use - example: my-service-* - type: string - metric: - description: > - An object defining the metrics, equation, and threshold to - determine if it's a good slice or not - type: object - properties: - comparator: - description: >- - The comparator to use to compare the equation to the - threshold. - enum: - - GT - - GTE - - LT - - LTE - example: GT - type: string - equation: - description: The equation to calculate the metric. - example: A - type: string - metrics: - description: >- - List of metrics with their name, aggregation type, and - field. 
- items: - anyOf: - - $ref: >- - #/components/schemas/SLOs_timeslice_metric_basic_metric_with_field - - $ref: >- - #/components/schemas/SLOs_timeslice_metric_percentile_metric - - $ref: >- - #/components/schemas/SLOs_timeslice_metric_doc_count_metric - discriminator: - mapping: - avg: >- - #/components/schemas/SLOs_timeslice_metric_basic_metric_with_field - cardinality: >- - #/components/schemas/SLOs_timeslice_metric_basic_metric_with_field - doc_count: >- - #/components/schemas/SLOs_timeslice_metric_doc_count_metric - last_value: >- - #/components/schemas/SLOs_timeslice_metric_basic_metric_with_field - max: >- - #/components/schemas/SLOs_timeslice_metric_basic_metric_with_field - min: >- - #/components/schemas/SLOs_timeslice_metric_basic_metric_with_field - percentile: >- - #/components/schemas/SLOs_timeslice_metric_percentile_metric - std_deviation: >- - #/components/schemas/SLOs_timeslice_metric_basic_metric_with_field - sum: >- - #/components/schemas/SLOs_timeslice_metric_basic_metric_with_field - propertyName: aggregation - type: array - threshold: - description: >- - The threshold used to determine if the metric is a good - slice or not. - example: 100 - type: number - required: - - metrics - - equation - - comparator - - threshold - timestampField: - description: | - The timestamp field used in the source indice. - example: timestamp - type: string - required: - - index - - timestampField - - metric - type: - description: The type of indicator. - example: sli.metric.timeslice + nullable: true + description: A set of key-value pairs sent as headers with the request. + method: + type: string + default: post + enum: + - post + - put + description: | + The HTTP request method, either `post` or `put`. + url: type: string + description: | + The request URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. 
+ verificationMode: + $ref: '#/components/schemas/verification_mode' + cases_webhook_config: + title: Connector request properties for Webhook - Case Management connector required: - - type - - params - title: Timeslice metric - SLOs_kql_with_filters: - description: Defines properties for a filter - oneOf: - - description: the KQL query to filter the documents with. - example: 'field.environment : "production" and service.name : "my-service"' + - createIncidentJson + - createIncidentResponseKey + - createIncidentUrl + - getIncidentResponseExternalTitleKey + - getIncidentUrl + - updateIncidentJson + - updateIncidentUrl + - viewIncidentUrl + description: Defines properties for connectors when type is `.cases-webhook`. + type: object + properties: + authType: + $ref: '#/components/schemas/auth_type' + ca: + $ref: '#/components/schemas/ca' + certType: + $ref: '#/components/schemas/cert_type' + createCommentJson: type: string - - type: object - properties: - filters: - items: - $ref: '#/components/schemas/SLOs_filter' - type: array - kqlQuery: - type: string - title: KQL with filters - SLOs_kql_with_filters_good: - description: The KQL query used to define the good events. - oneOf: - - description: the KQL query to filter the documents with. - example: 'request.latency <= 150 and request.status_code : "2xx"' + description: | + A JSON payload sent to the create comment URL to create a case comment. You can use variables to add Kibana Cases data to the payload. The required variable is `case.comment`. Due to Mustache template variables (the text enclosed in triple braces, for example, `{{{case.title}}}`), the JSON is not validated when you create the connector. The JSON is validated once the Mustache variables have been placed when the REST method runs. Manually ensure that the JSON is valid, disregarding the Mustache variables, so the later validation will pass. 
+ example: '{"body": {{{case.comment}}}}' + createCommentMethod: type: string - - type: object - properties: - filters: - items: - $ref: '#/components/schemas/SLOs_filter' - type: array - kqlQuery: - type: string - title: KQL query for good events - SLOs_kql_with_filters_total: - description: The KQL query used to define all events. - oneOf: - - description: the KQL query to filter the documents with. - example: 'field.environment : "production" and service.name : "my-service"' + description: | + The REST API HTTP request method to create a case comment in the third-party system. Valid values are `patch`, `post`, and `put`. + default: put + enum: + - patch + - post + - put + createCommentUrl: type: string - - type: object - properties: - filters: - items: - $ref: '#/components/schemas/SLOs_filter' - type: array - kqlQuery: - type: string - title: KQL query for all events - SLOs_objective: - description: Defines properties for the SLO objective + description: | + The REST API URL to create a case comment by ID in the third-party system. You can use a variable to add the external system ID to the URL. If you are using the `xpack.actions.allowedHosts setting`, add the hostname to the allowed hosts. + example: https://example.com/issue/{{{external.system.id}}}/comment + createIncidentJson: + type: string + description: | + A JSON payload sent to the create case URL to create a case. You can use variables to add case data to the payload. Required variables are `case.title` and `case.description`. Due to Mustache template variables (which is the text enclosed in triple braces, for example, `{{{case.title}}}`), the JSON is not validated when you create the connector. The JSON is validated after the Mustache variables have been placed when REST method runs. Manually ensure that the JSON is valid to avoid future validation errors; disregard Mustache variables during your review. 
+ example: '{"fields": {"summary": {{{case.title}}},"description": {{{case.description}}},"labels": {{{case.tags}}}}}' + createIncidentMethod: + type: string + description: | + The REST API HTTP request method to create a case in the third-party system. Valid values are `patch`, `post`, and `put`. + enum: + - patch + - post + - put + default: post + createIncidentResponseKey: + type: string + description: The JSON key in the create external case response that contains the case ID. + createIncidentUrl: + type: string + description: | + The REST API URL to create a case in the third-party system. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. + getIncidentResponseExternalTitleKey: + type: string + description: The JSON key in get external case response that contains the case title. + getIncidentUrl: + type: string + description: | + The REST API URL to get the case by ID from the third-party system. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. You can use a variable to add the external system ID to the URL. Due to Mustache template variables (the text enclosed in triple braces, for example, `{{{case.title}}}`), the JSON is not validated when you create the connector. The JSON is validated after the Mustache variables have been placed when REST method runs. Manually ensure that the JSON is valid, disregarding the Mustache variables, so the later validation will pass. + example: https://example.com/issue/{{{external.system.id}}} + hasAuth: + $ref: '#/components/schemas/has_auth' + headers: + type: string + description: | + A set of key-value pairs sent as headers with the request URLs for the create case, update case, get case, and create comment methods. + updateIncidentJson: + type: string + description: | + The JSON payload sent to the update case URL to update the case. You can use variables to add Kibana Cases data to the payload. 
Required variables are `case.title` and `case.description`. Due to Mustache template variables (which is the text enclosed in triple braces, for example, `{{{case.title}}}`), the JSON is not validated when you create the connector. The JSON is validated after the Mustache variables have been placed when REST method runs. Manually ensure that the JSON is valid to avoid future validation errors; disregard Mustache variables during your review. + example: '{"fields": {"summary": {{{case.title}}},"description": {{{case.description}}},"labels": {{{case.tags}}}}}' + updateIncidentMethod: + type: string + description: | + The REST API HTTP request method to update the case in the third-party system. Valid values are `patch`, `post`, and `put`. + default: put + enum: + - patch + - post + - put + updateIncidentUrl: + type: string + description: | + The REST API URL to update the case by ID in the third-party system. You can use a variable to add the external system ID to the URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. + example: https://example.com/issue/{{{external.system.ID}}} + verificationMode: + $ref: '#/components/schemas/verification_mode' + viewIncidentUrl: + type: string + description: | + The URL to view the case in the external system. You can use variables to add the external system ID or external system title to the URL. + example: https://testing-jira.atlassian.net/browse/{{{external.system.title}}} + xmatters_config: + title: Connector request properties for an xMatters connector + description: Defines properties for connectors when type is `.xmatters`. 
type: object properties: - target: - description: the target objective between 0 and 1 excluded - example: 0.99 - exclusiveMaximum: true - exclusiveMinimum: true - maximum: 100 - minimum: 0 - type: number - timesliceTarget: - description: >- - the target objective for each slice when using a timeslices - budgeting method - example: 0.995 - maximum: 100 - minimum: 0 - type: number - timesliceWindow: - description: >- - the duration of each slice when using a timeslices budgeting method, - as {duraton}{unit} - example: 5m + configUrl: + description: | + The request URL for the Elastic Alerts trigger in xMatters. It is applicable only when `usesBasic` is `true`. type: string + nullable: true + usesBasic: + description: Specifies whether the connector uses HTTP basic authentication (`true`) or URL authentication (`false`). + type: boolean + default: true + bedrock_secrets: + title: Connector secrets properties for an Amazon Bedrock connector + description: Defines secrets for connectors when type is `.bedrock`. + type: object required: - - target - title: Objective - SLOs_settings: - description: Defines properties for SLO settings. + - accessKey + - secret properties: - frequency: - default: 1m - description: >- - The interval between checks for changes in the source data. The - minimum value is 1m and the maximum is 59m. The default value is 1 - minute. - example: 5m + accessKey: type: string - preventInitialBackfill: - default: false - description: >- - Start aggregating data from the time the SLO is created, instead of - backfilling data from the beginning of the time window. - example: true - type: boolean - syncDelay: - default: 1m - description: >- - The time delay in minutes between the current time and the latest - source data time. Increasing the value will delay any alerting. The - default value is 1 minute. The minimum value is 1m and the maximum - is 359m. It should always be greater then source index refresh - interval. 
- example: 5m + description: The AWS access key for authentication. + secret: type: string - syncField: - description: >- - The date field that is used to identify new documents in the source. - It is strongly recommended to use a field that contains the ingest - timestamp. If you use a different field, you might need to set the - delay such that it accounts for data transmission delays. When - unspecified, we use the indicator timestamp field. - example: event.ingested + description: The AWS secret for authentication. + crowdstrike_secrets: + title: Connector secrets properties for a Crowdstrike connector + description: Defines secrets for connectors when type is `.crowdstrike`. + type: object + required: + - clientId + - clientSecret + properties: + clientId: + description: The CrowdStrike API client identifier. type: string - title: Settings + clientSecret: + description: The CrowdStrike API client secret to authenticate the `clientId`. + type: string + d3security_secrets: + title: Connector secrets properties for a D3 Security connector + description: Defines secrets for connectors when type is `.d3security`. + required: + - token type: object - SLOs_slo_definition_response: - title: SLO definition response + properties: + token: + type: string + description: The D3 Security token. + email_secrets: + title: Connector secrets properties for an email connector + description: Defines secrets for connectors when type is `.email`. type: object properties: - artifacts: - $ref: '#/components/schemas/SLOs_artifacts' - budgetingMethod: - $ref: '#/components/schemas/SLOs_budgeting_method' - createdAt: - description: The creation date - example: '2023-01-12T10:03:19.000Z' + clientSecret: type: string - description: - description: The description of the SLO. - example: My SLO description + description: | + The Microsoft Exchange Client secret for OAuth 2.0 client credentials authentication. It must be URL-encoded. 
If `service` is `exchange_server`, this property is required. + password: type: string - enabled: - description: Indicate if the SLO is enabled - example: true - type: boolean - groupBy: - $ref: '#/components/schemas/SLOs_group_by' - id: - description: The identifier of the SLO. - example: 8853df00-ae2e-11ed-90af-09bb6422b258 + description: | + The password for HTTP basic authentication. If `hasAuth` is set to `true`, this property is required. + user: type: string - indicator: - discriminator: - mapping: - sli.apm.transactionDuration: '#/components/schemas/SLOs_indicator_properties_apm_latency' - sli.apm.transactionErrorRate: '#/components/schemas/SLOs_indicator_properties_apm_availability' - sli.histogram.custom: '#/components/schemas/SLOs_indicator_properties_histogram' - sli.kql.custom: '#/components/schemas/SLOs_indicator_properties_custom_kql' - sli.metric.custom: '#/components/schemas/SLOs_indicator_properties_custom_metric' - sli.metric.timeslice: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' - propertyName: type - oneOf: - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' - - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' - - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' - name: - description: The name of the SLO. - example: My Service SLO + description: | + The username for HTTP basic authentication. If `hasAuth` is set to `true`, this property is required. + gemini_secrets: + title: Connector secrets properties for a Google Gemini connector + description: Defines secrets for connectors when type is `.gemini`. 
+ type: object + required: + - credentialsJson + properties: + credentialsJson: type: string - objective: - $ref: '#/components/schemas/SLOs_objective' - revision: - description: The SLO revision - example: 2 - type: number - settings: - $ref: '#/components/schemas/SLOs_settings' - tags: - description: List of tags - items: - type: string - type: array - timeWindow: - $ref: '#/components/schemas/SLOs_time_window' - updatedAt: - description: The last update date - example: '2023-01-12T10:03:19.000Z' + description: The service account credentials JSON file. The service account should have Vertex AI user IAM role assigned to it. + resilient_secrets: + title: Connector secrets properties for IBM Resilient connector + required: + - apiKeyId + - apiKeySecret + description: Defines secrets for connectors when type is `.resilient`. + type: object + properties: + apiKeyId: type: string - version: - description: The internal SLO version - example: 2 - type: number + description: The authentication key ID for HTTP Basic authentication. + apiKeySecret: + type: string + description: The authentication key secret for HTTP Basic authentication. + jira_secrets: + title: Connector secrets properties for a Jira connector required: - - id - - name - - description - - indicator - - timeWindow - - budgetingMethod - - objective - - settings - - revision - - enabled - - groupBy - - tags - - createdAt - - updatedAt - - version - SLOs_slo_with_summary_response: - title: SLO response + - apiToken + - email + description: Defines secrets for connectors when type is `.jira`. type: object properties: - budgetingMethod: - $ref: '#/components/schemas/SLOs_budgeting_method' - createdAt: - description: The creation date - example: '2023-01-12T10:03:19.000Z' + apiToken: + description: The Jira API authentication token for HTTP basic authentication. type: string - description: - description: The description of the SLO. 
- example: My SLO description + email: + description: The account email for HTTP Basic authentication. type: string - enabled: - description: Indicate if the SLO is enabled - example: true - type: boolean - groupBy: - $ref: '#/components/schemas/SLOs_group_by' - id: - description: The identifier of the SLO. - example: 8853df00-ae2e-11ed-90af-09bb6422b258 + teams_secrets: + title: Connector secrets properties for a Microsoft Teams connector + description: Defines secrets for connectors when type is `.teams`. + type: object + required: + - webhookUrl + properties: + webhookUrl: type: string - indicator: - discriminator: - mapping: - sli.apm.transactionDuration: '#/components/schemas/SLOs_indicator_properties_apm_latency' - sli.apm.transactionErrorRate: '#/components/schemas/SLOs_indicator_properties_apm_availability' - sli.histogram.custom: '#/components/schemas/SLOs_indicator_properties_histogram' - sli.kql.custom: '#/components/schemas/SLOs_indicator_properties_custom_kql' - sli.metric.custom: '#/components/schemas/SLOs_indicator_properties_custom_metric' - sli.metric.timeslice: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' - propertyName: type - oneOf: - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' - - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' - - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' - instanceId: - description: the value derived from the groupBy field, if present, otherwise '*' - example: host-abcde + description: | + The URL of the incoming webhook. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. 
+ genai_secrets: + title: Connector secrets properties for an OpenAI connector + description: | + Defines secrets for connectors when type is `.gen-ai`. Supports both API key authentication (OpenAI, Azure OpenAI, and `Other`) and PKI authentication (`Other` provider only). PKI fields must be base64-encoded PEM content. + type: object + properties: + apiKey: type: string - name: - description: The name of the SLO. - example: My Service SLO + description: | + The API key for authentication. For OpenAI and Azure OpenAI providers, it is required. For the `Other` provider, it is required if you do not use PKI authentication. With PKI, you can also optionally include an API key if the OpenAI-compatible service supports or requires one. + certificateData: type: string - objective: - $ref: '#/components/schemas/SLOs_objective' - revision: - description: The SLO revision - example: 2 - type: number - settings: - $ref: '#/components/schemas/SLOs_settings' - summary: - $ref: '#/components/schemas/SLOs_summary' - tags: - description: List of tags - items: - type: string - type: array - timeWindow: - $ref: '#/components/schemas/SLOs_time_window' - updatedAt: - description: The last update date - example: '2023-01-12T10:03:19.000Z' + description: | + Base64-encoded PEM certificate content for PKI authentication (Other provider only). Required for PKI. + minLength: 1 + privateKeyData: type: string - version: - description: The internal SLO version - example: 2 - type: number + description: | + Base64-encoded PEM private key content for PKI authentication (Other provider only). Required for PKI. + minLength: 1 + caData: + type: string + description: | + Base64-encoded PEM CA certificate content for PKI authentication (Other provider only). Optional. 
+ minLength: 1 + opsgenie_secrets: + title: Connector secrets properties for an Opsgenie connector required: - - id - - name - - description - - indicator - - timeWindow - - budgetingMethod - - objective - - settings - - revision - - summary - - enabled - - groupBy - - instanceId - - tags - - createdAt - - updatedAt - - version - SLOs_summary: - description: The SLO computed data + - apiKey + description: Defines secrets for connectors when type is `.opsgenie`. + type: object properties: - errorBudget: - $ref: '#/components/schemas/SLOs_error_budget' - sliValue: - example: 0.9836 - type: number - status: - $ref: '#/components/schemas/SLOs_summary_status' + apiKey: + description: The Opsgenie API authentication key for HTTP Basic authentication. + type: string + pagerduty_secrets: + title: Connector secrets properties for a PagerDuty connector + description: Defines secrets for connectors when type is `.pagerduty`. + type: object required: - - status - - sliValue - - errorBudget - title: Summary + - routingKey + properties: + routingKey: + description: | + A 32 character PagerDuty Integration Key for an integration on a service. + type: string + sentinelone_secrets: + title: Connector secrets properties for a SentinelOne connector + description: Defines secrets for connectors when type is `.sentinelone`. type: object - SLOs_summary_status: - enum: - - NO_DATA - - HEALTHY - - DEGRADING - - VIOLATED - example: HEALTHY - title: summary status - type: string - SLOs_time_window: - description: Defines properties for the SLO time window + required: + - token + properties: + token: + description: The A SentinelOne API token. + type: string + servicenow_secrets: + title: Connector secrets properties for ServiceNow ITOM, ServiceNow ITSM, and ServiceNow SecOps connectors + description: Defines secrets for connectors when type is `.servicenow`, `.servicenow-sir`, or `.servicenow-itom`. 
+ type: object + properties: + clientSecret: + type: string + description: The client secret assigned to your OAuth application. This property is required when `isOAuth` is `true`. + password: + type: string + description: The password for HTTP basic authentication. This property is required when `isOAuth` is `false`. + privateKey: + type: string + description: The RSA private key that you created for use in ServiceNow. This property is required when `isOAuth` is `true`. + privateKeyPassword: + type: string + description: The password for the RSA private key. This property is required when `isOAuth` is `true` and you set a password on your private key. + username: + type: string + description: The username for HTTP basic authentication. This property is required when `isOAuth` is `false`. + slack_api_secrets: + title: Connector secrets properties for a Web API Slack connector + description: Defines secrets for connectors when type is `.slack`. + required: + - token + type: object + properties: + token: + type: string + description: Slack bot user OAuth token. + swimlane_secrets: + title: Connector secrets properties for a Swimlane connector + description: Defines secrets for connectors when type is `.swimlane`. + type: object + properties: + apiToken: + description: Swimlane API authentication token. + type: string + thehive_secrets: + title: Connector secrets properties for a TheHive connector + description: Defines secrets for connectors when type is `.thehive`. + required: + - apiKey type: object properties: - duration: - description: >- - the duration formatted as {duration}{unit}. Accepted values for - rolling: 7d, 30d, 90d. Accepted values for calendar aligned: 1w - (weekly) or 1M (monthly) - example: 30d + apiKey: type: string - type: - description: >- - Indicates weither the time window is a rolling or a calendar aligned - time window. - enum: - - rolling - - calendarAligned - example: rolling + description: The API key for authentication in TheHive. 
+ tines_secrets: + title: Connector secrets properties for a Tines connector + description: Defines secrets for connectors when type is `.tines`. + type: object + required: + - email + - token + properties: + email: + description: The email used to sign in to Tines. type: string + token: + description: The Tines API token. + type: string + torq_secrets: + title: Connector secrets properties for a Torq connector + description: Defines secrets for connectors when type is `.torq`. + type: object required: - - duration - - type - title: Time window - SLOs_timeslice_metric_basic_metric_with_field: + - token + properties: + token: + description: The secret of the webhook authentication header. + type: string + crt: + title: Certificate + type: string + description: If `authType` is `webhook-authentication-ssl` and `certType` is `ssl-crt-key`, it is a base64 encoded version of the CRT or CERT file. + key: + title: Certificate key + type: string + description: If `authType` is `webhook-authentication-ssl` and `certType` is `ssl-crt-key`, it is a base64 encoded version of the KEY file. + pfx: + title: Personal information exchange + type: string + description: If `authType` is `webhook-authentication-ssl` and `certType` is `ssl-pfx`, it is a base64 encoded version of the PFX or P12 file. + webhook_secrets: + title: Connector secrets properties for a Webhook connector + description: Defines secrets for connectors when type is `.webhook`. type: object properties: - aggregation: - description: The aggregation type of the metric. - enum: - - sum - - avg - - min - - max - - std_deviation - - last_value - - cardinality - example: sum + crt: + $ref: '#/components/schemas/crt' + key: + $ref: '#/components/schemas/key' + pfx: + $ref: '#/components/schemas/pfx' + password: type: string - field: - description: The field of the metric. - example: processor.processed + description: | + The password for HTTP basic authentication or the passphrase for the SSL certificate files. 
If `hasAuth` is set to `true` and `authType` is `webhook-authentication-basic`, this property is required. + user: type: string - filter: - description: The filter to apply to the metric. - example: 'processor.outcome: "success"' + description: | + The username for HTTP basic authentication. If `hasAuth` is set to `true` and `authType` is `webhook-authentication-basic`, this property is required. + cases_webhook_secrets: + title: Connector secrets properties for Webhook - Case Management connector + type: object + properties: + crt: + $ref: '#/components/schemas/crt' + key: + $ref: '#/components/schemas/key' + pfx: + $ref: '#/components/schemas/pfx' + password: type: string - name: - description: The name of the metric. Only valid options are A-Z - example: A - pattern: ^[A-Z]$ + description: | + The password for HTTP basic authentication. If `hasAuth` is set to `true` and and `authType` is `webhook-authentication-basic`, this property is required. + user: type: string - required: - - name - - aggregation - - field - title: Timeslice Metric Basic Metric with Field - SLOs_timeslice_metric_doc_count_metric: + description: | + The username for HTTP basic authentication. If `hasAuth` is set to `true` and `authType` is `webhook-authentication-basic`, this property is required. + xmatters_secrets: + title: Connector secrets properties for an xMatters connector + description: Defines secrets for connectors when type is `.xmatters`. type: object properties: - aggregation: - description: The aggregation type of the metric. Only valid option is "doc_count" - enum: - - doc_count - example: doc_count + password: + description: | + A user name for HTTP basic authentication. It is applicable only when `usesBasic` is `true`. type: string - filter: - description: The filter to apply to the metric. - example: 'processor.outcome: "success"' + secretsUrl: + description: | + The request URL for the Elastic Alerts trigger in xMatters with the API key included in the URL. 
It is applicable only when `usesBasic` is `false`. type: string - name: - description: The name of the metric. Only valid options are A-Z - example: A - pattern: ^[A-Z]$ + user: + description: | + A password for HTTP basic authentication. It is applicable only when `usesBasic` is `true`. type: string - required: - - name - - aggregation - title: Timeslice Metric Doc Count Metric - SLOs_timeslice_metric_percentile_metric: + genai_openai_other_config: + title: Connector request properties for an OpenAI connector with Other provider + description: | + Defines properties for connectors when type is `.gen-ai` and the API provider is `Other` (OpenAI-compatible service), including optional PKI authentication. type: object + required: + - apiProvider + - apiUrl + - defaultModel properties: - aggregation: - description: >- - The aggregation type of the metric. Only valid option is - "percentile" + apiProvider: + type: string + description: The OpenAI API provider. enum: - - percentile - example: percentile + - Other + apiUrl: type: string - field: - description: The field of the metric. - example: processor.processed + description: The OpenAI-compatible API endpoint. + defaultModel: type: string - filter: - description: The filter to apply to the metric. - example: 'processor.outcome: "success"' + description: The default model to use for requests. + certificateData: type: string - name: - description: The name of the metric. Only valid options are A-Z - example: A - pattern: ^[A-Z]$ + description: PEM-encoded certificate content. + minLength: 1 + privateKeyData: type: string - percentile: - description: The percentile value. - example: 95 - type: number + description: PEM-encoded private key content. + minLength: 1 + caData: + type: string + description: PEM-encoded CA certificate content. + minLength: 1 + verificationMode: + type: string + description: SSL verification mode for PKI authentication. 
+ enum: + - full + - certificate + - none + default: full + headers: + type: object + description: Custom headers to include in requests. + additionalProperties: + type: string + defender_secrets: + title: Connector secrets properties for a Microsoft Defender for Endpoint connector required: - - name - - aggregation - - field - - percentile - title: Timeslice Metric Percentile Metric - SLOs_update_slo_request: - description: > - The update SLO API request body varies depending on the type of - indicator, time window and budgeting method. Partial update is handled. + - clientSecret + description: Defines secrets for connectors when type is `..microsoft_defender_endpoint`. + type: object properties: - artifacts: - $ref: '#/components/schemas/SLOs_artifacts' - budgetingMethod: - $ref: '#/components/schemas/SLOs_budgeting_method' - description: - description: A description for the SLO. + clientSecret: + description: The client secret for your app in the Azure portal. type: string - groupBy: - $ref: '#/components/schemas/SLOs_group_by' - indicator: - oneOf: - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' - - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' - - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' - name: - description: A name for the SLO. + run_acknowledge_resolve_pagerduty: + title: PagerDuty connector parameters + description: Test an action that acknowledges or resolves a PagerDuty alert. + type: object + required: + - dedupKey + - eventAction + properties: + dedupKey: + description: The deduplication key for the PagerDuty alert. 
type: string - objective: - $ref: '#/components/schemas/SLOs_objective' - settings: - $ref: '#/components/schemas/SLOs_settings' - tags: - description: List of tags - items: - type: string - type: array - timeWindow: - $ref: '#/components/schemas/SLOs_time_window' - title: Update SLO request + maxLength: 255 + eventAction: + description: The type of event. + type: string + enum: + - acknowledge + - resolve + run_documents: + title: Index connector parameters + description: Test an action that indexes a document into Elasticsearch. type: object - Synthetics_browserMonitorFields: - allOf: - - $ref: '#/components/schemas/Synthetics_commonMonitorFields' - - additionalProperties: true - type: object - properties: - ignore_https_errors: - default: false - description: Ignore HTTPS errors. - type: boolean - inline_script: - description: The inline script. - type: string - playwright_options: - description: Playwright options. - type: object - screenshots: - default: 'on' - description: The screenshot option. - enum: - - 'on' - - 'off' - - only-on-failure - type: string - synthetics_args: - description: Synthetics agent CLI arguments. - items: - type: string - type: array - type: - description: The monitor type. - enum: - - browser - type: string - required: - - inline_script - - type - title: Browser monitor fields - Synthetics_commonMonitorFields: - title: Common monitor fields + required: + - documents + properties: + documents: + type: array + description: The documents in JSON format for index connectors. + items: + type: object + additionalProperties: true + run_message_email: + title: Email connector parameters + description: | + Test an action that sends an email message. There must be at least one recipient in `to`, `cc`, or `bcc`. type: object + required: + - message + - subject properties: - alert: - description: > - The alert configuration. The default is `{ status: { enabled: true - }, tls: { enabled: true } }`. 
- type: object - enabled: - default: true - description: Specify whether the monitor is enabled. - type: boolean - labels: - additionalProperties: - type: string - description: > - Key-value pairs of labels to associate with the monitor. Labels can - be used for filtering and grouping monitors. - type: object - locations: - description: > - The location to deploy the monitor. - - Monitors can be deployed in multiple locations so that you can - detect differences in availability and response times across those - locations. - - To list available locations you can: - - - - Run the `elastic-synthetics locations` command with the - deployment's Kibana URL. - - - Go to *Synthetics > Management* and click *Create monitor*. - Locations will be listed in *Locations*. - externalDocs: - url: >- - https://github.com/elastic/synthetics/blob/main/src/locations/public-locations.ts + bcc: + type: array items: type: string + description: | + A list of "blind carbon copy" email addresses. Addresses can be specified in `user@host-name` format or in name `` format + cc: type: array - name: - description: The monitor name. - type: string - namespace: - default: default - description: > - The namespace field should be lowercase and not contain spaces. The - namespace must not include any of the following characters: `*`, - `\`, `/`, `?`, `"`, `<`, `>`, `|`, whitespace, `,`, `#`, `:`, or - `-`. - type: string - params: - description: The monitor parameters. - type: string - private_locations: - description: > - The private locations to which the monitors will be deployed. - - These private locations refer to locations hosted and managed by - you, whereas `locations` are hosted by Elastic. - - You can specify a private location using the location's name. - - To list available private locations you can: - - - - Run the `elastic-synthetics locations` command with the - deployment's Kibana URL. - - - Go to *Synthetics > Settings* and click *Private locationsr*. 
- Private locations will be listed in the table. - - - > info - - > You can provide `locations` or `private_locations` or both. At - least one is required. items: type: string - type: array - retest_on_failure: - default: true - description: > - Turn retesting for when a monitor fails on or off. By default, - monitors are automatically retested if the monitor goes from "up" to - "down". If the result of the retest is also "down", an error will be - created and if configured, an alert sent. The monitor will then - resume running according to the defined schedule. Using - `retest_on_failure` can reduce noise related to transient problems. - type: boolean - schedule: - description: > - The monitor's schedule in minutes. Supported values are `1`, `3`, - `5`, `10`, `15`, `30`, `60`, `120`, and `240`. The default value is - `3` minutes for HTTP, TCP, and ICMP monitors. The default value is - `10` minutes for Browser monitors. - type: number - service.name: - description: The APM service name. + description: | + A list of "carbon copy" email addresses. Addresses can be specified in `user@host-name` format or in name `` format + message: type: string - tags: - description: An array of tags. + description: The email message text. Markdown format is supported. + subject: + type: string + description: The subject line of the email. + to: + type: array + description: | + A list of email addresses. Addresses can be specified in `user@host-name` format or in name `` format. items: type: string - type: array - timeout: - default: 16 - description: > - The monitor timeout in seconds. The monitor will fail if it doesn't - complete within this time. - - - For browser monitors, the minimum timeout is 30 seconds. Browser - monitor timeouts are only applied when the monitor runs on private - locations. If a browser monitor specifies a timeout but has no - private locations configured, the timeout will have no effect and a - warning will be returned in the response. 
- type: number + run_message_serverlog: + title: Server log connector parameters + description: Test an action that writes an entry to the Kibana server log. + type: object required: - - name - Synthetics_getParameterResponse: - title: Get parameter response + - message + properties: + level: + type: string + description: The log level of the message for server log connectors. + enum: + - debug + - error + - fatal + - info + - trace + - warn + default: info + message: + type: string + description: The message for server log connectors. + run_message_slack: + title: Slack connector parameters + description: | + Test an action that sends a message to Slack. It is applicable only when the connector type is `.slack`. + type: object + required: + - message + properties: + message: + type: string + description: The Slack message text, which cannot contain Markdown, images, or other advanced formatting. + run_trigger_pagerduty: + title: PagerDuty connector parameters + description: Test an action that triggers a PagerDuty alert. type: object + required: + - eventAction properties: - description: - description: > - The description of the parameter. It is included in the response if - the user has read-only permissions to the Synthetics app. + class: + description: The class or type of the event. type: string - id: - description: The unique identifier of the parameter. + example: cpu load + component: + description: The component of the source machine that is responsible for the event. type: string - key: - description: The key of the parameter. + example: eth0 + customDetails: + description: Additional details to add to the event. + type: object + dedupKey: + description: | + All actions sharing this key will be associated with the same PagerDuty alert. This value is used to correlate trigger and resolution. type: string - namespaces: - description: > - The namespaces associated with the parameter. 
It is included in the - response if the user has read-only permissions to the Synthetics - app. - items: - type: string + maxLength: 255 + eventAction: + description: The type of event. + type: string + enum: + - trigger + group: + description: The logical grouping of components of a service. + type: string + example: app-stack + links: + description: A list of links to add to the event. type: array - tags: - description: > - An array of tags associated with the parameter. It is included in - the response if the user has read-only permissions to the Synthetics - app. items: - type: string - type: array - value: - description: > - The value associated with the parameter. It will be included in the - response if the user has write permissions. + type: object + properties: + href: + description: The URL for the link. + type: string + text: + description: A plain text description of the purpose of the link. + type: string + severity: + description: The severity of the event on the affected system. type: string - Synthetics_getPrivateLocation: - additionalProperties: true + enum: + - critical + - error + - info + - warning + default: info + source: + description: | + The affected system, such as a hostname or fully qualified domain name. Defaults to the Kibana saved object id of the action. + type: string + summary: + description: A summery of the event. + type: string + maxLength: 1024 + timestamp: + description: An ISO-8601 timestamp that indicates when the event was detected or generated. + type: string + format: date-time + run_addevent: + title: The addEvent subaction + type: object + required: + - subAction + description: The `addEvent` subaction for ServiceNow ITOM connectors. properties: - agentPolicyId: - description: The ID of the agent policy associated with the private location. + subAction: type: string - geo: - description: Geographic coordinates (WGS84) for the location. + description: The action to test. 
+ enum: + - addEvent + subActionParams: type: object + description: The set of configuration properties for the action. properties: - lat: - description: The latitude of the location. - type: number - lon: - description: The longitude of the location. - type: number - required: - - lat - - lon - id: - description: The unique identifier of the private location. - type: string - isInvalid: - description: > - Indicates whether the location is invalid. If `true`, the location - is invalid, which means the agent policy associated with the - location is deleted. - type: boolean - label: - description: A label for the private location. - type: string - namespace: - description: >- - The namespace of the location, which is the same as the namespace of - the agent policy associated with the location. + additional_info: + type: string + description: Additional information about the event. + description: + type: string + description: The details about the event. + event_class: + type: string + description: A specific instance of the source. + message_key: + type: string + description: All actions sharing this key are associated with the same ServiceNow alert. The default value is `:`. + metric_name: + type: string + description: The name of the metric. + node: + type: string + description: The host that the event was triggered for. + resource: + type: string + description: The name of the resource. + severity: + type: string + description: The severity of the event. + source: + type: string + description: The name of the event source type. + time_of_event: + type: string + description: The time of the event. + type: + type: string + description: The type of event. + run_closealert: + title: The closeAlert subaction + type: object + required: + - subAction + - subActionParams + description: The `closeAlert` subaction for Opsgenie connectors. + properties: + subAction: type: string - title: Post a private location + description: The action to test. 
+ enum: + - closeAlert + subActionParams: + type: object + required: + - alias + properties: + alias: + type: string + description: The unique identifier used for alert deduplication in Opsgenie. The alias must match the value used when creating the alert. + note: + type: string + description: Additional information for the alert. + source: + type: string + description: The display name for the source of the alert. + user: + type: string + description: The display name for the owner. + run_closeincident: + title: The closeIncident subaction type: object - Synthetics_httpMonitorFields: - allOf: - - $ref: '#/components/schemas/Synthetics_commonMonitorFields' - - additionalProperties: true + required: + - subAction + - subActionParams + description: The `closeIncident` subaction for ServiceNow ITSM connectors. + properties: + subAction: + type: string + description: The action to test. + enum: + - closeIncident + subActionParams: type: object + required: + - incident properties: - check: - description: The check request settings. + incident: type: object + anyOf: + - required: + - correlation_id + - required: + - externalId properties: - request: - description: An optional request to send to the remote host. - type: object - properties: - body: - description: Optional request body content. - type: string - headers: - description: > - A dictionary of additional HTTP headers to send. By - default, Synthetics will set the User-Agent header to - identify itself. - type: object - method: - description: The HTTP method to use. - enum: - - HEAD - - GET - - POST - - OPTIONS - type: string - response: - additionalProperties: true - description: The expected response. - type: object - properties: - body: - type: object - headers: - description: >- - A dictionary of expected HTTP headers. If the header is - not found, the check fails. - type: object - ipv4: - default: true - description: If `true`, ping using the ipv4 protocol. 
- type: boolean - ipv6: - default: true - description: If `true`, ping using the ipv6 protocol. - type: boolean - max_redirects: - default: 0 - description: The maximum number of redirects to follow. - type: number - mode: - default: any - description: > - The mode of the monitor. If it is `all`, the monitor pings all - resolvable IPs for a hostname. If it is `any`, the monitor pings - only one IP address for a hostname. If you're using a DNS-load - balancer and want to ping every IP address for the specified - hostname, you should use `all`. - enum: - - all - - any + correlation_id: + type: string + nullable: true + description: | + An identifier that is assigned to the incident when it is created by the connector. NOTE: If you use the default value and the rule generates multiple alerts that use the same alert IDs, the latest open incident for this correlation ID is closed unless you specify the external ID. + maxLength: 100 + default: '{{rule.id}}:{{alert.id}}' + externalId: + type: string + nullable: true + description: The unique identifier (`incidentId`) for the incident in ServiceNow. + run_createalert: + title: The createAlert subaction + type: object + required: + - subAction + - subActionParams + description: The `createAlert` subaction for Opsgenie and TheHive connectors. + properties: + subAction: + type: string + description: The action to test. + enum: + - createAlert + subActionParams: + type: object + properties: + actions: + type: array + description: The custom actions available to the alert in Opsgenie connectors. + items: + type: string + alias: type: string - password: - description: > - The password for authenticating with the server. The credentials - are passed with the request. + description: The unique identifier used for alert deduplication in Opsgenie. + description: type: string - proxy_headers: - description: Additional headers to send to proxies during CONNECT requests. 
+ description: A description that provides detailed information about the alert. + details: type: object - proxy_url: - description: The URL of the proxy to use for this monitor. + description: The custom properties of the alert in Opsgenie connectors. + additionalProperties: true + example: + key1: value1 + key2: value2 + entity: type: string - response: - description: >- - Controls the indexing of the HTTP response body contents to the - `http.response.body.contents field`. - type: object - ssl: - description: > - The TLS/SSL connection settings for use with the HTTPS endpoint. - If you don't specify settings, the system defaults are used. - type: object - type: - description: The monitor type. + description: The domain of the alert in Opsgenie connectors. For example, the application or server name. + message: + type: string + description: The alert message in Opsgenie connectors. + note: + type: string + description: Additional information for the alert in Opsgenie connectors. + priority: + type: string + description: The priority level for the alert in Opsgenie connectors. enum: - - http + - P1 + - P2 + - P3 + - P4 + - P5 + responders: + type: array + description: | + The entities to receive notifications about the alert in Opsgenie connectors. If `type` is `user`, either `id` or `username` is required. If `type` is `team`, either `id` or `name` is required. + items: + type: object + properties: + id: + type: string + description: The identifier for the entity. + name: + type: string + description: The name of the entity. + type: + type: string + description: The type of responders, in this case `escalation`. + enum: + - escalation + - schedule + - team + - user + username: + type: string + description: A valid email address for the user. + severity: + type: integer + minimum: 1 + maximum: 4 + description: | + The severity of the incident for TheHive connectors. The value ranges from 1 (low) to 4 (critical) with a default value of 2 (medium). 
+ source: + type: string + description: The display name for the source of the alert in Opsgenie and TheHive connectors. + sourceRef: + type: string + description: A source reference for the alert in TheHive connectors. + tags: + type: array + description: The tags for the alert in Opsgenie and TheHive connectors. + items: + type: string + title: type: string - url: - description: The URL to monitor. + description: | + A title for the incident for TheHive connectors. It is used for searching the contents of the knowledge base. + tlp: + type: integer + minimum: 0 + maximum: 4 + default: 2 + description: | + The traffic light protocol designation for the incident in TheHive connectors. Valid values include: 0 (clear), 1 (green), 2 (amber), 3 (amber and strict), and 4 (red). + type: type: string - username: - description: > - The username for authenticating with the server. The credentials - are passed with the request. + description: The type of alert in TheHive connectors. + user: type: string - required: - - type - - url - title: HTTP monitor fields - Synthetics_icmpMonitorFields: - allOf: - - $ref: '#/components/schemas/Synthetics_commonMonitorFields' - - additionalProperties: true + description: The display name for the owner. + visibleTo: + type: array + description: The teams and users that the alert will be visible to without sending a notification. Only one of `id`, `name`, or `username` is required. + items: + type: object + required: + - type + properties: + id: + type: string + description: The identifier for the entity. + name: + type: string + description: The name of the entity. + type: + type: string + description: Valid values are `team` and `user`. + enum: + - team + - user + username: + type: string + description: The user name. This property is required only when the `type` is `user`. 
+ run_fieldsbyissuetype: + title: The fieldsByIssueType subaction + type: object + required: + - subAction + - subActionParams + description: The `fieldsByIssueType` subaction for Jira connectors. + properties: + subAction: + type: string + description: The action to test. + enum: + - fieldsByIssueType + subActionParams: type: object + required: + - id properties: - host: - description: The host to ping. - type: string - type: - description: The monitor type. - enum: - - icmp + id: type: string - wait: - default: 1 - description: The wait time in seconds. - type: number - required: - - host - - type - title: ICMP monitor fields - Synthetics_monitorWarning: - title: Monitor warning + description: The Jira issue type identifier. + example: 10024 + run_getagentdetails: + title: The getAgentDetails subaction type: object + required: + - subAction + - subActionParams + description: The `getAgentDetails` subaction for CrowdStrike connectors. properties: - message: - description: A human-readable warning message. - type: string - monitorId: - description: The monitor ID associated with the warning. + subAction: type: string - publicLocationIds: - description: The public location IDs associated with the warning. - items: - type: string - type: array - Synthetics_parameterRequest: - title: Parameter request + description: The action to test. + enum: + - getAgentDetails + subActionParams: + type: object + description: The set of configuration properties for the action. + required: + - ids + properties: + ids: + type: array + description: An array of CrowdStrike agent identifiers. + items: + type: string + run_getagents: + title: The getAgents subaction type: object + required: + - subAction + description: The `getAgents` subaction for SentinelOne connectors. properties: - description: - description: A description of the parameter. - type: string - key: - description: The key of the parameter. 
- type: string - share_across_spaces: - description: Specify whether the parameter should be shared across spaces. - type: boolean - tags: - description: An array of tags to categorize the parameter. - items: - type: string - type: array - value: - description: The value associated with the parameter. + subAction: type: string - required: - - key - - value - Synthetics_postParameterResponse: - title: Post parameter response + description: The action to test. + enum: + - getAgents + run_getchoices: + title: The getChoices subaction type: object + required: + - subAction + - subActionParams + description: The `getChoices` subaction for ServiceNow ITOM, ServiceNow ITSM, and ServiceNow SecOps connectors. properties: - description: - description: A description of the parameter. - type: string - id: - description: The unique identifier for the parameter. + subAction: type: string - key: - description: The parameter key. + description: The action to test. + enum: + - getChoices + subActionParams: + type: object + description: The set of configuration properties for the action. + required: + - fields + properties: + fields: + type: array + description: An array of fields. + items: + type: string + run_getfields: + title: The getFields subaction + type: object + required: + - subAction + description: The `getFields` subaction for Jira, ServiceNow ITSM, and ServiceNow SecOps connectors. + properties: + subAction: type: string - share_across_spaces: - description: Indicates whether the parameter is shared across spaces. - type: boolean - tags: - description: An array of tags associated with the parameter. - items: - type: string - type: array - value: - description: The value associated with the parameter. + description: The action to test. + enum: + - getFields + run_getincident: + title: The getIncident subaction + type: object + description: The `getIncident` subaction for Jira, ServiceNow ITSM, and ServiceNow SecOps connectors. 
+ required: + - subAction + - subActionParams + properties: + subAction: type: string - Synthetics_tcpMonitorFields: - allOf: - - $ref: '#/components/schemas/Synthetics_commonMonitorFields' - - additionalProperties: true + description: The action to test. + enum: + - getIncident + subActionParams: type: object + required: + - externalId properties: - host: - description: > - The host to monitor; it can be an IP address or a hostname. The - host can include the port using a colon, for example - "example.com:9200". - type: string - proxy_url: - description: > - The URL of the SOCKS5 proxy to use when connecting to the - server. The value must be a URL with a scheme of `socks5://`. If - the SOCKS5 proxy server requires client authentication, then a - username and password can be embedded in the URL. When using a - proxy, hostnames are resolved on the proxy server instead of on - the client. You can change this behavior by setting the - `proxy_use_local_resolver` option. + externalId: type: string - proxy_use_local_resolver: - default: false - description: > - Specify that hostnames are resolved locally instead of being - resolved on the proxy server. If `false`, name resolution occurs - on the proxy server. - type: boolean - ssl: - description: > - The TLS/SSL connection settings for use with the HTTPS endpoint. - If you don't specify settings, the system defaults are used. - type: object - type: - description: The monitor type. - enum: - - tcp + description: The Jira, ServiceNow ITSM, or ServiceNow SecOps issue identifier. + example: 71778 + run_issue: + title: The issue subaction + type: object + required: + - subAction + description: The `issue` subaction for Jira connectors. + properties: + subAction: + type: string + description: The action to test. + enum: + - issue + subActionParams: + type: object + required: + - id + properties: + id: type: string + description: The Jira issue identifier. 
+ example: 71778 + run_issues: + title: The issues subaction + type: object + required: + - subAction + - subActionParams + description: The `issues` subaction for Jira connectors. + properties: + subAction: + type: string + description: The action to test. + enum: + - issues + subActionParams: + type: object required: - - host - - type - title: TCP monitor fields - Task_manager_health_APIs_configuration: - description: > - This object summarizes the current configuration of Task Manager. This - includes dynamic configurations that change over time, such as - `poll_interval` and `max_workers`, which can adjust in reaction to - changing load on the system. + - title + properties: + title: + type: string + description: The title of the Jira issue. + run_issuetypes: + title: The issueTypes subaction type: object - Task_manager_health_APIs_health_response: - title: Task health response properties + required: + - subAction + description: The `issueTypes` subaction for Jira connectors. + properties: + subAction: + type: string + description: The action to test. + enum: + - issueTypes + run_postmessage: + title: The postMessage subaction type: object + description: | + Test an action that sends a message to Slack. It is applicable only when the connector type is `.slack_api`. + required: + - subAction + - subActionParams properties: - id: + subAction: type: string - last_update: + description: The action to test. + enum: + - postMessage + subActionParams: + type: object + description: The set of configuration properties for the action. + properties: + channelIds: + type: array + maxItems: 1 + description: | + The Slack channel identifier, which must be one of the `allowedChannels` in the connector configuration. + items: + type: string + channels: + type: array + deprecated: true + description: | + The name of a channel that your Slack app has access to. + maxItems: 1 + items: + type: string + text: + type: string + description: | + The Slack message text. 
If it is a Slack webhook connector, the text cannot contain Markdown, images, or other advanced formatting. If it is a Slack web API connector, it can contain either plain text or block kit messages. + minLength: 1 + run_pushtoservice: + title: The pushToService subaction + type: object + required: + - subAction + - subActionParams + description: The `pushToService` subaction for Jira, ServiceNow ITSM, ServiceNow SecOps, Swimlane, TheHive, and Webhook - Case Management connectors. + properties: + subAction: type: string - stats: + description: The action to test. + enum: + - pushToService + subActionParams: type: object + description: The set of configuration properties for the action. properties: - capacity_estimation: - description: > - This object provides a rough estimate about the sufficiency of - its capacity. These are estimates based on historical data and - should not be used as predictions. - type: object - configuration: - $ref: '#/components/schemas/Task_manager_health_APIs_configuration' - runtime: - description: > - This object tracks runtime performance of Task Manager, tracking - task drift, worker load, and stats broken down by type, - including duration and run results. + comments: + type: array + description: Additional information that is sent to Jira, ServiceNow ITSM, ServiceNow SecOps, Swimlane, or TheHive. + items: + type: object + properties: + comment: + type: string + description: A comment related to the incident. For example, describe how to troubleshoot the issue. + commentId: + type: integer + description: A unique identifier for the comment. + incident: type: object - workload: - $ref: '#/components/schemas/Task_manager_health_APIs_workload' - status: - type: string - timestamp: - type: string - Task_manager_health_APIs_workload: - description: > - This object summarizes the work load across the cluster, including the - tasks in the system, their types, and current status. 
+ description: Information necessary to create or update a Jira, ServiceNow ITSM, ServiveNow SecOps, Swimlane, or TheHive incident. + properties: + additional_fields: + type: string + nullable: true + maxLength: 20 + description: | + Additional fields for ServiceNow ITSM and ServiveNow SecOps connectors. The fields must exist in the Elastic ServiceNow application and must be specified in JSON format. + alertId: + type: string + description: The alert identifier for Swimlane connectors. + caseId: + type: string + description: The case identifier for the incident for Swimlane connectors. + caseName: + type: string + description: The case name for the incident for Swimlane connectors. + category: + type: string + description: The category of the incident for ServiceNow ITSM and ServiceNow SecOps connectors. + correlation_display: + type: string + description: A descriptive label of the alert for correlation purposes for ServiceNow ITSM and ServiceNow SecOps connectors. + correlation_id: + type: string + description: | + The correlation identifier for the security incident for ServiceNow ITSM and ServiveNow SecOps connectors. Connectors using the same correlation ID are associated with the same ServiceNow incident. This value determines whether a new ServiceNow incident is created or an existing one is updated. Modifying this value is optional; if not modified, the rule ID and alert ID are combined as `{{ruleID}}:{{alert ID}}` to form the correlation ID value in ServiceNow. The maximum character length for this value is 100 characters. NOTE: Using the default configuration of `{{ruleID}}:{{alert ID}}` ensures that ServiceNow creates a separate incident record for every generated alert that uses a unique alert ID. If the rule generates multiple alerts that use the same alert IDs, ServiceNow creates and continually updates a single incident record for the alert. 
+ description: + type: string + description: The description of the incident for Jira, ServiceNow ITSM, ServiceNow SecOps, Swimlane, TheHive, and Webhook - Case Management connectors. + dest_ip: + description: | + A list of destination IP addresses related to the security incident for ServiceNow SecOps connectors. The IPs are added as observables to the security incident. + oneOf: + - type: string + - type: array + items: + type: string + externalId: + type: string + description: | + The Jira, ServiceNow ITSM, or ServiceNow SecOps issue identifier. If present, the incident is updated. Otherwise, a new incident is created. + id: + type: string + description: The external case identifier for Webhook - Case Management connectors. + impact: + type: string + description: The impact of the incident for ServiceNow ITSM connectors. + issueType: + type: integer + description: The type of incident for Jira connectors. For example, 10006. To obtain the list of valid values, set `subAction` to `issueTypes`. + labels: + type: array + items: + type: string + description: | + The labels for the incident for Jira connectors. NOTE: Labels cannot contain spaces. + malware_hash: + description: A list of malware hashes related to the security incident for ServiceNow SecOps connectors. The hashes are added as observables to the security incident. + oneOf: + - type: string + - type: array + items: + type: string + malware_url: + type: string + description: A list of malware URLs related to the security incident for ServiceNow SecOps connectors. The URLs are added as observables to the security incident. + oneOf: + - type: string + - type: array + items: + type: string + otherFields: + type: object + additionalProperties: true + maxProperties: 20 + description: | + Custom field identifiers and their values for Jira connectors. + parent: + type: string + description: The ID or key of the parent issue for Jira connectors. Applies only to `Sub-task` types of issues. 
+ priority: + type: string + description: The priority of the incident in Jira and ServiceNow SecOps connectors. + ruleName: + type: string + description: The rule name for Swimlane connectors. + severity: + type: integer + description: | + The severity of the incident for ServiceNow ITSM, Swimlane, and TheHive connectors. In TheHive connectors, the severity value ranges from 1 (low) to 4 (critical) with a default value of 2 (medium). + short_description: + type: string + description: | + A short description of the incident for ServiceNow ITSM and ServiceNow SecOps connectors. It is used for searching the contents of the knowledge base. + source_ip: + description: A list of source IP addresses related to the security incident for ServiceNow SecOps connectors. The IPs are added as observables to the security incident. + oneOf: + - type: string + - type: array + items: + type: string + status: + type: string + description: The status of the incident for Webhook - Case Management connectors. + subcategory: + type: string + description: The subcategory of the incident for ServiceNow ITSM and ServiceNow SecOps connectors. + summary: + type: string + description: A summary of the incident for Jira connectors. + tags: + type: array + items: + type: string + description: A list of tags for TheHive and Webhook - Case Management connectors. + title: + type: string + description: | + A title for the incident for Jira, TheHive, and Webhook - Case Management connectors. It is used for searching the contents of the knowledge base. + tlp: + type: integer + minimum: 0 + maximum: 4 + default: 2 + description: | + The traffic light protocol designation for the incident in TheHive connectors. Valid values include: 0 (clear), 1 (green), 2 (amber), 3 (amber and strict), and 4 (red). + urgency: + type: string + description: The urgency of the incident for ServiceNow ITSM connectors. 
+ run_validchannelid: + title: The validChannelId subaction type: object + description: | + Retrieves information about a valid Slack channel identifier. It is applicable only when the connector type is `.slack_api`. + required: + - subAction + - subActionParams + properties: + subAction: + type: string + description: The action to test. + enum: + - validChannelId + subActionParams: + type: object + required: + - channelId + properties: + channelId: + type: string + description: The Slack channel identifier. + example: C123ABC456 securitySchemes: apiKeyAuth: - description: > - These APIs use key-based authentication. You must create an API key and - use the encoded value in the request header. For example: - `Authorization: ApiKey base64AccessApiKey` + description: | + These APIs use key-based authentication. You must create an API key and use the encoded value in the request header. For example: `Authorization: ApiKey base64AccessApiKey` in: header name: Authorization type: apiKey basicAuth: scheme: basic type: http -security: - - apiKeyAuth: [] - - basicAuth: [] -tags: - - description: | - Adjust APM agent configuration without need to redeploy your application. - name: APM agent configuration - - description: > - Configure APM agent keys to authorize requests from APM agents to the APM - Server. - name: APM agent keys - - description: > - Annotate visualizations in the APM app with significant events. - Annotations enable you to easily see how events are impacting the - performance of your applications. - name: APM annotations - - description: Create APM fleet server schema. - name: APM server schema - - description: > - Configure APM source maps. A source map allows minified files to be mapped - back to original source code--allowing you to maintain the speed advantage - of minified code, without losing the ability to quickly and easily debug - your application. 
- - For best results, uploading source maps should become a part of your - deployment procedure, and not something you only do when you see unhelpful - errors. That's because uploading source maps after errors happen won't - make old errors magically readable--errors must occur again for source - mapping to occur. - name: APM sourcemaps - - description: Case APIs enable you to open and track issues. - name: cases - - name: Data streams - - description: >- - Data view APIs enable you to manage data views, formerly known as Kibana - index patterns. - name: data views - - name: Elastic Agent actions - - name: Elastic Agent binary download sources - - name: Elastic Agent policies - - name: Elastic Agent status - - name: Elastic Agents - - name: Elastic Package Manager (EPM) - - name: Fleet agentless policies - - name: Fleet cloud connectors - - name: Fleet enrollment API keys - - name: Fleet internals - - name: Fleet outputs - - name: Fleet package policies - - name: Fleet proxies - - name: Fleet remote synced integrations - - name: Fleet Server hosts - - name: Fleet service tokens - - name: Fleet uninstall tokens - - description: > - Programmatically integrate with Logstash configuration management. - - > warn - - > Do not directly access the `.logstash` index. The structure of the - `.logstash` index is subject to change, which could cause your integration - to break. Instead, use the Logstash configuration management APIs. - externalDocs: - description: Centralized pipeline management - url: >- - https://www.elastic.co/docs/reference/logstash/logstash-centralized-pipeline-management - name: logstash - x-displayName: Logstash configuration management - - name: Message Signing Service - - description: Machine learning - name: ml - - description: Interact with the Observability AI Assistant resources. 
- externalDocs: - description: Observability AI Assistant - url: >- - https://www.elastic.co/docs/solutions/observability/observability-ai-assistant - name: observability_ai_assistant - x-displayName: Observability AI Assistant - - description: Manage and interact with Security Assistant resources. - name: Security AI Assistant API - x-displayName: Security AI assistant - - description: >- - Use the Attack discovery APIs to generate and manage Attack discoveries. - Attack Discovery leverages large language models (LLMs) to analyze alerts - in your environment and identify threats. Each "discovery" represents a - potential attack and describes relationships among multiple alerts to tell - you which users and hosts are involved, how alerts correspond to the MITRE - ATT&CK matrix, and which threat actor might be responsible. - name: Security Attack discovery API - x-displayName: Security Attack discovery - - description: > - Use the detections APIs to create and manage detection rules. Detection - rules search events and external alerts sent to Elastic Security and - generate detection alerts from any hits. Alerts are displayed on the - **Alerts** page and can be assigned and triaged, using the alert status to - mark them as open, closed, or acknowledged. - - - This API supports both key-based authentication and basic authentication. - - - To use key-based authentication, create an API key, then specify the key - in the header of your API calls. - - - To use basic authentication, provide a username and password; this - automatically creates an API key that matches the current user’s - privileges. - - - In both cases, the API key is subsequently used for authorization when the - rule runs. - - > warn - - > If the API key used for authorization has different privileges than the - key that created or most recently updated a rule, the rule behavior might - change. 
- - - > If the API key that created a rule is deleted, or the user that created - the rule becomes inactive, the rule will stop running. - - - To create and run rules, the user must meet specific requirements for the - Kibana space. Refer to the [Detections - requirements](https://www.elastic.co/guide/en/security/current/detections-permissions-section.html) - for a complete list of requirements. - name: Security Detections API - x-displayName: Security detections - - description: >- - Endpoint Exceptions API allows you to manage detection rule endpoint - exceptions to prevent a rule from generating an alert from incoming events - even when the rule's other criteria are met. - name: Security Endpoint Exceptions API - x-displayName: Security Elastic Endpoint exceptions - - description: Interact with and manage endpoints running the Elastic Defend integration. - name: Security Endpoint Management API - x-displayName: Security endpoint management - - description: '' - name: Security Entity Analytics API - x-displayName: Security entity analytics - - description: > - Exceptions are associated with detection and endpoint rules, and are used - to prevent a rule from generating an alert from incoming events, even when - the rule's other criteria are met. They can help reduce the number of - false positives and prevent trusted processes and network activity from - generating unnecessary alerts. - - - Exceptions are made up of: - - - * **Exception containers**: A container for related exceptions. Generally, - a single exception container contains all the exception items relevant for - a subset of rules. For example, a container can be used to group together - network-related exceptions that are relevant for a large number of network - rules. The container can then be associated with all the relevant rules. - - * **Exception items**: The query (fields, values, and logic) used to - prevent rules from generating alerts. 
When an exception item's query - evaluates to `true`, the rule does not generate an alert. - - - For detection rules, you can also use lists to define rule exceptions. A - list holds multiple values of the same Elasticsearch data type, such as IP - addresses. These values are used to determine when an exception prevents - an alert from being generated. - - > info - - > You cannot use lists with endpoint rule exceptions. - - - > info - - > Only exception containers can be associated with rules. You cannot - directly associate an exception item or a list container with a rule. To - use list exceptions, create an exception item that references the relevant - list container. - - - ## Exceptions requirements - - - Before you can start working with exceptions that use value lists, you - must create the `.lists` and `.items` data streams for the relevant Kibana - space. To do this, use the [Create list data - streams](../operation/operation-createlistindex) endpoint. Once these data - streams are created, your role needs privileges to manage rules. For a - complete list of requirements, refer to [Enable and access - detections](https://www.elastic.co/guide/en/security/current/detections-permissions-section.html#enable-detections-ui). - name: Security Exceptions API - x-displayName: Security exceptions - - description: > - Lists can be used with detection rule exceptions to define values that - prevent a rule from generating alerts. - - - Lists are made up of: - - - * **List containers**: A container for values of the same Elasticsearch - data type. The following data types can be used: - * `boolean` - * `byte` - * `date` - * `date_nanos` - * `date_range` - * `double` - * `double_range` - * `float` - * `float_range` - * `half_float` - * `integer` - * `integer_range` - * `ip` - * `ip_range` - * `keyword` - * `long` - * `long_range` - * `short` - * `text` - * **List items**: The values used to determine whether the exception - prevents an alert from being generated. 
- - - All list items in the same list container must be of the same data type, - and each item defines a single value. For example, an IP list container - named `internal-ip-addresses-southport` contains five items, where each - item defines one internal IP address: - - 1. `192.168.1.1` - - 2. `192.168.1.3` - - 3. `192.168.1.18` - - 4. `192.168.1.12` - - 5. `192.168.1.7` - - - To use these IP addresses as values for defining rule exceptions, use the - Security exceptions API to [create an exception list - item](../operation/operation-createexceptionlistitem) that references the - `internal-ip-addresses-southport` list. - - > info - - > Lists cannot be added directly to rules, nor do they define the - operators used to determine when exceptions are applied (`is in list`, `is - not in list`). Use an exception item to define the operator and associate - it with an [exception - container](../operation/operation-createexceptionlist). You can then add - the exception container to a rule's `exceptions_list` object. - - - ## Lists requirements - - - Before you can start using lists, you must create the `.lists` and - `.items` data streams for the relevant Kibana space. To do this, use the - [Create list data streams](../operation/operation-createlistindex) - endpoint. Once these data streams are created, your role needs privileges - to manage rules. Refer to [Enable and access - detections](https://www.elastic.co/guide/en/security/current/detections-permissions-section.html#enable-detections-ui) - for a complete list of requirements. - name: Security Lists API - x-displayName: Security lists - - description: Run live queries, manage packs and saved queries. - name: Security Osquery API - x-displayName: Security Osquery - - description: >- - You can create Timelines and Timeline templates via the API, as well as - import new Timelines from an ndjson file. - name: Security Timeline API - x-displayName: Security timeline - - description: Manage Kibana short URLs. 
- name: short url - x-displayName: Short URLs - - description: SLO APIs enable you to define, manage and track service-level objectives - name: slo - - name: synthetics - - description: System - name: system - - description: >- - Task manager APIs enable you to check the health of the Kibana task - manager, which is used by features such as alerting, actions, and - reporting to run mission critical work as persistent background tasks. - externalDocs: - description: Task manager - url: >- - https://www.elastic.co/docs/deploy-manage/distributed-architecture/kibana-tasks-management - name: task manager - x-displayName: Task manager - - description: > - The Kibana Upgrade Assistant API helps you prepare for the next major - Elasticsearch release. +x-topics: + - title: Kibana spaces + content: | + Spaces enable you to organize your dashboards and other saved objects into meaningful categories. + You can use the default space or create your own spaces. - > warn + To run APIs in non-default spaces, you must add `s/{space_id}/` to the path. + For example: - > This is a Kibana REST API (not an Elasticsearch API) and requests must - target your Kibana URL: + ```bash + curl -X GET "http://${KIBANA_URL}/s/marketing/api/data_views" \ + -H "Authorization: ApiKey ${API_KEY}" + ``` - > * Self-managed URL pattern: `https://localhost:5601` + If you use the Kibana console to send API requests, it automatically adds the appropriate space identifier. - > * Elastic Cloud URL pattern: - `https://your-deployment.kb.us-east-1.aws.elastic.cloud:9243` - name: upgrade - x-displayName: Upgrade assistant - - description: Uptime APIs enable you to view and update uptime monitoring settings. 
- externalDocs:
- description: Uptime monitoring
- url: https://www.elastic.co/docs/solutions/observability/uptime
- name: uptime
- x-displayName: Uptime
- - name: user session
- x-displayName: User session management
+ To learn more, check out [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces).
From 69cdee6e482fa7aa991c6495b3067a70b1df6f7e Mon Sep 17 00:00:00 2001
From: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Date: Tue, 26 May 2026 15:28:24 +0000
Subject: [PATCH 7/7] Changes from make api-docs
---
 oas_docs/output/kibana.serverless.yaml | 149769 +++++++++++++-------
 oas_docs/output/kibana.yaml | 164244 +++++++++++++-------
 2 files changed, 210785 insertions(+), 103228 deletions(-)
diff --git a/oas_docs/output/kibana.serverless.yaml b/oas_docs/output/kibana.serverless.yaml
index b7881e232734a..27d1419a62d1f 100644
--- a/oas_docs/output/kibana.serverless.yaml
+++ b/oas_docs/output/kibana.serverless.yaml
@@ -2,52 +2,32 @@ openapi: 3.0.3 info: contact: name: Kibana Team - description: > + description: | The Kibana REST APIs for Elastic serverless enable you to manage resources - such as connectors, data views, and saved objects. The API calls are - stateless. Each request that you make happens in isolation from other calls - and must include all of the necessary information for Kibana to fulfill the - request. API requests return JSON output, which is a format that is - machine-readable and works well for automation. - To interact with Kibana APIs, use the following operations: - - GET: Fetches the information. - - POST: Adds new information. - - PUT: Updates the existing information. - - DELETE: Removes the information. - You can prepend any Kibana API endpoint with `kbn:` and run the request in - **Dev Tools → Console**. For example: - ``` - GET kbn:/api/data_views - ``` - ## Documentation source and versions - - This documentation is derived from the `main` branch of the - [kibana](https://github.com/elastic/kibana) repository. - - It is provided under license [Attribution-NonCommercial-NoDerivatives 4.0 - International](https://creativecommons.org/licenses/by-nc-nd/4.0/). + This documentation is derived from the `main` branch of the [kibana](https://github.com/elastic/kibana) repository. + It is provided under license [Attribution-NonCommercial-NoDerivatives 4.0 International](https://creativecommons.org/licenses/by-nc-nd/4.0/). title: Kibana Serverless APIs version: '' x-doc-license: 
@@ -55,554 +35,1228 @@ info: url: https://creativecommons.org/licenses/by-nc-nd/4.0/ x-feedbackLink: label: Feedback - url: >- - https://github.com/elastic/docs-content/issues/new?assignees=&labels=feedback%2Ccommunity&projects=&template=api-feedback.yaml&title=%5BFeedback%5D%3A+ + url: https://github.com/elastic/docs-content/issues/new?assignees=&labels=feedback%2Ccommunity&projects=&template=api-feedback.yaml&title=%5BFeedback%5D%3A+ servers: - - url: http://{kibana_host}:{port} - variables: - kibana_host: - default: localhost - port: - default: '5601' - - url: http://localhost:5622 - url: https://{kibana_url} variables: kibana_url: - default: localhost:5601 - - url: / + default: +security: + - apiKeyAuth: [] +tags: + - name: agent builder + description: | + Agent Builder is a set of AI-powered capabilities for developing and interacting with agents that work with your Elasticsearch data. + Most users will probably want to integrate with Agent Builder using MCP or A2A, but you can also work programmatically with tools, agents, and conversations using these Kibana APIs. + externalDocs: + description: Agent Builder docs + url: https://www.elastic.co/docs/solutions/search/agent-builder/programmatic-access + x-displayName: Agent Builder + - name: alerting + description: | + Alerting enables you to define rules, which detect complex conditions within your data. When a condition is met, the rule tracks it as an alert and runs the actions that are defined in the rule. Actions typically involve the use of connectors to interact with Kibana services or third party integrations. + externalDocs: + description: Alerting documentation + url: https://www.elastic.co/docs/explore-analyze/alerts-cases/alerts + x-displayName: Alerting + - description: | + Adjust APM agent configuration without need to redeploy your application. + name: APM agent configuration + - description: | + Configure APM agent keys to authorize requests from APM agents to the APM Server. 
+ name: APM agent keys + - description: | + Annotate visualizations in the APM app with significant events. Annotations enable you to easily see how events are impacting the performance of your applications. + name: APM annotations + - description: Create APM fleet server schema. + name: APM server schema + - name: connectors + description: | + Connectors provide a central place to store connection information for services and integrations with Elastic or third party systems. Alerting rules can use connectors to run actions when rule conditions are met. + externalDocs: + description: Connector documentation + url: https://www.elastic.co/docs/reference/kibana/connectors-kibana + x-displayName: Connectors + - name: Dashboards + description: | + > **Technical preview** — The Dashboards API is currently in technical preview and its reference documentation is temporarily hosted at a separate location. + > + > **[View the full Dashboards API reference →](https://elastic.github.io/dashboards-api-spec/dashboards#tag/Dashboards)** + externalDocs: + description: Dashboards documentation + url: https://www.elastic.co/docs/explore-analyze/dashboards + x-displayName: Dashboards + - name: Data streams + description: | + Data stream APIs enable you to manage data streams, which are collections of indices that share the same index template and are managed as a single unit for time-series data. + x-displayName: Data streams + - description: Data view APIs enable you to manage data views, formerly known as Kibana index patterns. + name: data views + x-displayName: Data views + - name: Elastic Agent actions + description: | + Elastic Agent actions APIs enable you to manage actions performed on Elastic Agents, including agent reassignment, diagnostics collection, enrollment management, upgrades, and bulk operations for agent lifecycle management. 
+ x-displayName: Elastic Agent actions + - name: Elastic Agent binary download sources + description: | + Elastic Agent binary download sources APIs enable you to manage download sources for Elastic Agent binaries, including creating, updating, and deleting custom download sources for agent binaries. + x-displayName: Elastic Agent binary download sources + - name: Elastic Agent policies + description: | + Elastic Agent policies APIs enable you to manage agent policies, including creating, updating, and deleting policies, as well as to retrieve agent policy outputs, manifests, and auto-upgrade status information. + x-displayName: Elastic Agent policies + - name: Elastic Agent status + description: | + Enables you to retrieve status information about Elastic Agents, including health summaries and operational status. + x-displayName: Elastic Agent status + - name: Elastic Agents + description: | + Elastic Agents APIs enable you to manage Elastic Agents, including retrieving agent information, managing agent lifecycle, handling file uploads, and initiating agent setup. + x-displayName: Elastic Agents + - name: Elastic Package Manager (EPM) + description: | + Elastic Package Manager (EPM) APIs enable you to manage packages and integrations, including installing, updating, and uninstalling packages, managing custom integrations, and handling package assets. + x-displayName: Elastic Package Manager (EPM) + - name: Fleet agentless policies + - name: Fleet cloud connectors + description: | + Fleet cloud connectors APIs enable you to manage Fleet cloud connectors, including creating, updating, and deleting cloud connector configurations for Fleet integrations. + x-displayName: Fleet cloud connectors + - name: Fleet enrollment API keys + description: | + Fleet enrollment API keys APIs enable you to manage enrollment API keys for Fleet, including creating, retrieving, and revoking API keys used for agent enrollment. 
+ x-displayName: Fleet enrollment API keys + - name: Fleet internals + description: | + Fleet internals APIs enable you to manage Fleet internal operations, including checking permissions, monitoring Fleet Server health, managing settings, and initiating Fleet setup. + x-displayName: Fleet internals + - name: Fleet outputs + description: | + Fleet outputs APIs enable you to manage Fleet outputs, including creating, updating, and deleting output configurations, generating Logstash API keys, and monitoring output health. + x-displayName: Fleet outputs + - name: Fleet package policies + description: | + Fleet package policies APIs enable you to manage Fleet package policies, including creating, updating, and deleting policies, performing bulk operations, and managing policy upgrades. + x-displayName: Fleet package policies + - name: Fleet proxies + description: | + Fleet proxies APIs enable you to manage Fleet proxies, including creating, updating, and deleting proxy configurations for Fleet agent communication. + x-displayName: Fleet proxies + - name: Fleet Server hosts + description: | + Fleet Server hosts APIs enable you to manage Fleet Server hosts, including creating, updating, and deleting Fleet Server host configurations. + x-displayName: Fleet Server hosts + - name: Fleet service tokens + - name: Fleet uninstall tokens + description: | + Fleet uninstall tokens APIs enable you to manage Fleet uninstall tokens, including retrieving metadata and decrypted tokens for agent uninstallation. + x-displayName: Fleet uninstall tokens + - name: maintenance-window + description: | + You can schedule single or recurring maintenance windows to temporarily reduce rule notifications. For example, a maintenance window prevents false alarms during planned outages. 
+ externalDocs: + description: Maintenance window documentation + url: https://www.elastic.co/docs/explore-analyze/alerts-cases/alerts/maintenance-windows + x-displayName: Maintenance windows + - name: Message Signing Service + description: | + Enables you to rotate message signing key pairs for secure Fleet communication. + x-displayName: Fleet Message Signing Service + - description: | + Enables you to synchronize machine learning saved objects. + name: ml + x-displayName: Machine learning + - description: Interact with the Observability AI Assistant resources. + externalDocs: + description: Observability AI Assistant + url: https://www.elastic.co/docs/solutions/observability/observability-ai-assistant + name: observability_ai_assistant + x-displayName: Observability AI Assistant + - name: roles + x-displayName: Roles + description: Manage the roles that grant Elasticsearch and Kibana privileges. + externalDocs: + description: Kibana role management + url: https://www.elastic.co/docs/deploy-manage/users-roles/serverless-custom-roles + - name: saved objects + x-displayName: Saved objects + description: | + Export or import sets of saved objects. + + To manage a specific type of saved object, use the corresponding APIs. + For example, use: + + [Data views](../group/endpoint-data-views). + - description: Manage and interact with Security Assistant resources. + name: Security AI Assistant API + x-displayName: Security AI assistant + - description: Use the Attack discovery APIs to generate and manage Attack discoveries. Attack Discovery leverages large language models (LLMs) to analyze alerts in your environment and identify threats. Each "discovery" represents a potential attack and describes relationships among multiple alerts to tell you which users and hosts are involved, how alerts correspond to the MITRE ATT&CK matrix, and which threat actor might be responsible. 
+ name: Security Attack discovery API + x-displayName: Security Attack discovery + - description: | + Use the detections APIs to create and manage detection rules. Detection rules search events and external alerts sent to Elastic Security and generate detection alerts from any hits. Alerts are displayed on the **Alerts** page and can be assigned and triaged, using the alert status to mark them as open, closed, or acknowledged. + + This API supports both key-based authentication and basic authentication. + + To use key-based authentication, create an API key, then specify the key in the header of your API calls. + + To use basic authentication, provide a username and password; this automatically creates an API key that matches the current user’s privileges. + + In both cases, the API key is subsequently used for authorization when the rule runs. + > warn + > If the API key used for authorization has different privileges than the key that created or most recently updated a rule, the rule behavior might change. + + > If the API key that created a rule is deleted, or the user that created the rule becomes inactive, the rule will stop running. + + To create and run rules, the user must meet specific requirements for the Kibana space. Refer to the [Detections requirements](https://www.elastic.co/guide/en/security/current/detections-permissions-section.html) for a complete list of requirements. + name: Security Detections API + x-displayName: Security detections + - description: Endpoint Exceptions API allows you to manage detection rule endpoint exceptions to prevent a rule from generating an alert from incoming events even when the rule's other criteria are met. + name: Security Endpoint Exceptions API + x-displayName: Security Elastic Endpoint exceptions + - description: Interact with and manage endpoints running the Elastic Defend integration. 
+ name: Security Endpoint Management API + x-displayName: Security endpoint management + - description: | + Use the Security entity analytics APIs to manage entity analytics and risk scoring, including asset criticality, privileged user monitoring, and entity engines. + name: Security Entity Analytics API + x-displayName: Security entity analytics + - name: Security entity store + - description: | + Exceptions are associated with detection and endpoint rules, and are used to prevent a rule from generating an alert from incoming events, even when the rule's other criteria are met. They can help reduce the number of false positives and prevent trusted processes and network activity from generating unnecessary alerts. + + Exceptions are made up of: + + * **Exception containers**: A container for related exceptions. Generally, a single exception container contains all the exception items relevant for a subset of rules. For example, a container can be used to group together network-related exceptions that are relevant for a large number of network rules. The container can then be associated with all the relevant rules. + * **Exception items**: The query (fields, values, and logic) used to prevent rules from generating alerts. When an exception item's query evaluates to `true`, the rule does not generate an alert. + + For detection rules, you can also use lists to define rule exceptions. A list holds multiple values of the same Elasticsearch data type, such as IP addresses. These values are used to determine when an exception prevents an alert from being generated. + > info + > You cannot use lists with endpoint rule exceptions. + + > info + > Only exception containers can be associated with rules. You cannot directly associate an exception item or a list container with a rule. To use list exceptions, create an exception item that references the relevant list container. 
+ + ## Exceptions requirements + + Before you can start working with exceptions that use value lists, you must create the `.lists` and `.items` data streams for the relevant Kibana space. To do this, use the [Create list data streams](../operation/operation-createlistindex) endpoint. Once these data streams are created, your role needs privileges to manage rules. For a complete list of requirements, refer to [Enable and access detections](https://www.elastic.co/guide/en/serverless/current/security-detections-requirements.html#enable-detections-ui). + name: Security Exceptions API + x-displayName: Security exceptions + - description: | + Lists can be used with detection rule exceptions to define values that prevent a rule from generating alerts. + + Lists are made up of: + + * **List containers**: A container for values of the same Elasticsearch data type. The following data types can be used: + * `boolean` + * `byte` + * `date` + * `date_nanos` + * `date_range` + * `double` + * `double_range` + * `float` + * `float_range` + * `half_float` + * `integer` + * `integer_range` + * `ip` + * `ip_range` + * `keyword` + * `long` + * `long_range` + * `short` + * `text` + * **List items**: The values used to determine whether the exception prevents an alert from being generated. + + All list items in the same list container must be of the same data type, and each item defines a single value. For example, an IP list container named `internal-ip-addresses-southport` contains five items, where each item defines one internal IP address: + 1. `192.168.1.1` + 2. `192.168.1.3` + 3. `192.168.1.18` + 4. `192.168.1.12` + 5. `192.168.1.7` + + To use these IP addresses as values for defining rule exceptions, use the Security exceptions API to [create an exception list item](../operation/operation-createexceptionlistitem) that references the `internal-ip-addresses-southport` list. 
+ > info + > Lists cannot be added directly to rules, nor do they define the operators used to determine when exceptions are applied (`is in list`, `is not in list`). Use an exception item to define the operator and associate it with an [exception container](../operation/operation-createexceptionlist). You can then add the exception container to a rule's `exceptions_list` object. + + ## Lists requirements + + Before you can start using lists, you must create the `.lists` and `.items` data streams for the relevant Kibana space. To do this, use the [Create list data streams](../operation/operation-createlistindex) endpoint. Once these data streams are created, your role needs privileges to manage rules. Refer to [Enable and access detections](https://www.elastic.co/guide/en/serverless/current/security-detections-requirements.html#enable-detections-ui) for a complete list of requirements. + name: Security Lists API + x-displayName: Security lists + - description: Run live queries, manage packs and saved queries. + name: Security Osquery API + x-displayName: Security Osquery + - description: You can create Timelines and Timeline templates via the API, as well as import new Timelines from an ndjson file. + name: Security Timeline API + x-displayName: Security timeline + - description: SLO APIs enable you to define, manage and track service-level objectives + name: slo + x-displayName: Service level objectives + - name: spaces + x-displayName: Spaces + description: Manage your Kibana spaces. + externalDocs: + url: https://www.elastic.co/docs/deploy-manage/manage-spaces + description: Space overview + - name: streams + description: | + Streams provide a unified data management layer for ingestion, routing, and processing. There are three stream types: + * **Wired** streams are managed by Kibana. They route documents to child streams based on + field conditions and support custom field mappings and processing steps. 
+ + * **Classic** streams map to existing Elasticsearch data streams. You can add processing + steps to classic streams without changing their underlying index template. + + * **Query** streams are virtual aggregations backed by an ES|QL expression. They aggregate + data from multiple streams into a single logical view without duplicating documents. + x-displayName: Streams + externalDocs: + description: Streams documentation + url: https://www.elastic.co/docs/solutions/observability/streams + - name: system + x-displayName: System + description: | + Get information about the system status, resource usage, features, and installed plugins. + - description: Task manager APIs enable you to check the health of the Kibana task manager, which is used by features such as alerting, actions, and reporting to run mission critical work as persistent background tasks. + externalDocs: + description: Task manager + url: https://www.elastic.co/docs/deploy-manage/distributed-architecture/kibana-tasks-management + name: task manager + x-displayName: Task manager + - name: Visualizations + description: | + > **Technical preview** — The Visualizations API is currently in technical preview and its reference documentation is temporarily hosted at a separate location. + > + > **[View the full Visualizations API reference →](https://elastic.github.io/dashboards-api-spec/visualizations#tag/Visualizations)** + externalDocs: + description: Visualizations documentation + url: https://www.elastic.co/docs/explore-analyze/visualize/lens + x-displayName: Visualizations + - name: workflows + description: | + Workflows enable you to automate multi-step processes directly in Kibana. Define sequences of steps in YAML to transform data insights into automated actions and outcomes, without needing external automation tools. + + Use the workflows APIs to create, manage, and run workflows programmatically. You can also search, export, import, and monitor workflow executions. 
+ externalDocs: + description: Workflows documentation + url: https://www.elastic.co/docs/explore-analyze/workflows + x-displayName: Workflows paths: - /api/apm/agent_keys: - post: - description: > - Create a new agent key for APM. + /api/actions/connector_types: + get: + description: |- + **Spaces method and path for this operation:** - The user creating an APM agent API key must have at least the - `manage_own_api_key` cluster privilege and the APM application-level - privileges that it wishes to grant. +
get /s/{space_id}/api/actions/connector_types
- After it is created, you can copy the API key (Base64 encoded) and use - it to to authorize requests from APM agents to the APM Server. - operationId: createAgentKey + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + You do not need any Kibana feature privileges to run this API. + operationId: get-actions-connector-types parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - $ref: '#/components/parameters/APM_UI_kbn_xsrf' - requestBody: - content: - application/json: - examples: - createAgentKeyRequest1: - $ref: '#/components/examples/APM_UI_agent_keys_object_post_request1' - schema: - $ref: '#/components/schemas/APM_UI_agent_keys_object' - required: true + - description: A filter to limit the retrieved connector types to those that support a specific feature (such as alerting or cases). + in: query + name: feature_id + required: false + schema: + type: string responses: '200': content: application/json: - examples: - createAgentKeyResponse1: - $ref: >- - #/components/examples/APM_UI_agent_keys_object_post_200_response1 schema: - $ref: '#/components/schemas/APM_UI_agent_keys_response' - description: Agent key created successfully - '400': - content: - application/json: + items: + additionalProperties: false + type: object + properties: + allow_multiple_system_actions: + description: Indicates whether multiple instances of the same system action connector can be used in a single rule. + type: boolean + description: + description: Description of the connector type. + type: string + enabled: + description: Indicates whether the connector is enabled. + type: boolean + enabled_in_config: + description: Indicates whether the connector is enabled in the Kibana configuration. + type: boolean + enabled_in_license: + description: Indicates whether the connector is enabled through the license. + type: boolean + id: + description: The identifier for the connector. 
+ type: string + is_deprecated: + description: Indicates whether the connector type is deprecated. + type: boolean + is_experimental: + description: Indicates whether the connector type is in technical preview. + type: boolean + is_system_action_type: + description: Indicates whether the action is a system action. + type: boolean + minimum_license_required: + description: The minimum license required to enable the connector. + enum: + - basic + - standard + - gold + - platinum + - enterprise + - trial + type: string + name: + description: The name of the connector type. + type: string + source: + description: The source of the connector type definition. + enum: + - yml + - spec + - stack + type: string + sub_feature: + description: Indicates the sub-feature type the connector is grouped under. + enum: + - endpointSecurity + type: string + supported_feature_ids: + description: The list of supported features + items: + type: string + type: array + required: + - id + - name + - enabled + - enabled_in_config + - enabled_in_license + - minimum_license_required + - supported_feature_ids + - is_system_action_type + - is_deprecated + - source + type: array examples: - badRequestResponse: - $ref: '#/components/examples/APM_UI_error_400_response' - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response + getConnectorTypesServerlessResponse: + $ref: '#/components/examples/get_connector_types_generativeai_response' + description: Indicates a successful call. + '403': + description: Indicates that this call is forbidden. + summary: Get connector types + tags: + - connectors + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/actions/connector/_oauth_callback: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/actions/connector/_oauth_callback
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Handles the OAuth 2.0 authorization code callback from external providers. Exchanges the authorization code for access and refresh tokens.

[Required authorization] Route required privileges: actions:oauth. + operationId: get-actions-connector-oauth-callback + parameters: + - description: The authorization code returned by the OAuth provider. + in: query + name: code + required: false + schema: + type: string + - description: The state parameter for CSRF protection. + in: query + name: state + required: false + schema: + type: string + - description: Error code if the authorization failed. + in: query + name: error + required: false + schema: + type: string + - description: Human-readable error description. + in: query + name: error_description + required: false + schema: + type: string + - description: Session state from the OAuth provider (e.g., Microsoft). + in: query + name: session_state + required: false + schema: + type: string + responses: + '200': + description: Returns an HTML callback page. + '302': + description: Redirects to the return URL with authorization result query parameters. '401': - content: - application/json: - examples: - unauthorizedResponse: - $ref: '#/components/examples/APM_UI_error_401_response' - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response + description: User is not authenticated. + summary: Handle OAuth callback + tags: + - connectors + x-state: '' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/actions/connector/_oauth_callback_script: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/actions/connector/_oauth_callback_script
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Returns the OAuth callback script + operationId: get-actions-connector-oauth-callback-script + parameters: [] + responses: + '200': + description: Returns the OAuth callback script + summary: '' + tags: [] + x-state: '' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/actions/connector/{id}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/actions/connector/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + WARNING: When you delete a connector, it cannot be recovered. + operationId: delete-actions-connector-id + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: An identifier for the connector. + in: path + name: id + required: true + schema: + type: string + responses: + '204': + description: Indicates a successful call. '403': + description: Indicates that this call is forbidden. + summary: Delete a connector + tags: + - connectors + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + operationId: get-actions-connector-id + parameters: + - description: An identifier for the connector. + in: path + name: id + required: true + schema: + type: string + responses: + '200': content: application/json: - examples: - forbiddenResponse: - $ref: '#/components/examples/APM_UI_error_403_response' - schema: - $ref: '#/components/schemas/APM_UI_403_response' - description: Forbidden response - '500': - content: - application/json: - examples: - internalServerErrorResponse: - $ref: '#/components/examples/APM_UI_error_500_response' schema: - $ref: '#/components/schemas/APM_UI_500_response' - description: Internal Server Error response - summary: Create an APM agent key + additionalProperties: false + type: object + properties: + auth_mode: + description: The authentication mode used for the connector. + enum: + - shared + - per-user + type: string + config: + additionalProperties: + nullable: true + type: object + connector_type_id: + description: The connector type identifier. + type: string + id: + description: The identifier for the connector. + type: string + is_connector_type_deprecated: + description: Indicates whether the connector type is deprecated. 
+ type: boolean + is_deprecated: + description: Indicates whether the connector is deprecated. + type: boolean + is_missing_secrets: + description: Indicates whether the connector is missing secrets. + type: boolean + is_preconfigured: + description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. ' + type: boolean + is_system_action: + description: Indicates whether the connector is used for system actions. + type: boolean + name: + description: ' The name of the connector.' + type: string + required: + - id + - name + - connector_type_id + - is_preconfigured + - is_deprecated + - is_system_action + - is_connector_type_deprecated + examples: + getConnectorResponse: + $ref: '#/components/examples/get_connector_response' + description: Indicates a successful call. + '403': + description: Indicates that this call is forbidden. + summary: Get connector information tags: - - APM agent keys - /api/apm/fleet/apm_server_schema: + - connectors + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/actions/connector/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. post: - deprecated: true - description: > - DEPRECATED: This endpoint is intended for internal use by Fleet - integrations to push the APM Server configuration schema. Do not use for - new integrations. It stores the provided schema object as a Kibana saved - object. If Fleet migration is not available on the current deployment, - the API returns a 404. - operationId: saveApmServerSchema + operationId: post-actions-connector-id parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - $ref: '#/components/parameters/APM_UI_kbn_xsrf' + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: An identifier for the connector. + in: path + name: id + required: true + schema: + maxLength: 36 + minLength: 1 + type: string requestBody: content: application/json: - examples: - saveApmServerSchemaRequest: - description: >- - An example request payload for `POST - /api/apm/fleet/apm_server_schema`. - value: - schema: - foo: bar schema: + additionalProperties: false type: object properties: - schema: - additionalProperties: true - description: Schema object - example: - foo: bar - type: object - required: true + connector_type_id: + description: The type of connector. + type: string + name: + description: The display name for the connector. + type: string + config: + additionalProperties: {} + default: {} + description: The connector configuration details. 
+ oneOf: + - $ref: '#/components/schemas/bedrock_config' + - $ref: '#/components/schemas/crowdstrike_config' + - $ref: '#/components/schemas/d3security_config' + - $ref: '#/components/schemas/email_config' + - $ref: '#/components/schemas/gemini_config' + - $ref: '#/components/schemas/resilient_config' + - $ref: '#/components/schemas/index_config' + - $ref: '#/components/schemas/jira_config' + - $ref: '#/components/schemas/genai_azure_config' + - $ref: '#/components/schemas/genai_openai_config' + - $ref: '#/components/schemas/genai_openai_other_config' + - $ref: '#/components/schemas/opsgenie_config' + - $ref: '#/components/schemas/pagerduty_config' + - $ref: '#/components/schemas/sentinelone_config' + - $ref: '#/components/schemas/servicenow_config' + - $ref: '#/components/schemas/servicenow_itom_config' + - $ref: '#/components/schemas/slack_api_config' + - $ref: '#/components/schemas/swimlane_config' + - $ref: '#/components/schemas/thehive_config' + - $ref: '#/components/schemas/tines_config' + - $ref: '#/components/schemas/torq_config' + - $ref: '#/components/schemas/webhook_config' + - $ref: '#/components/schemas/cases_webhook_config' + - $ref: '#/components/schemas/xmatters_config' + secrets: + additionalProperties: {} + default: {} + oneOf: + - $ref: '#/components/schemas/bedrock_secrets' + - $ref: '#/components/schemas/crowdstrike_secrets' + - $ref: '#/components/schemas/d3security_secrets' + - $ref: '#/components/schemas/email_secrets' + - $ref: '#/components/schemas/gemini_secrets' + - $ref: '#/components/schemas/resilient_secrets' + - $ref: '#/components/schemas/jira_secrets' + - $ref: '#/components/schemas/defender_secrets' + - $ref: '#/components/schemas/teams_secrets' + - $ref: '#/components/schemas/genai_secrets' + - $ref: '#/components/schemas/opsgenie_secrets' + - $ref: '#/components/schemas/pagerduty_secrets' + - $ref: '#/components/schemas/sentinelone_secrets' + - $ref: '#/components/schemas/servicenow_secrets' + - $ref: 
'#/components/schemas/slack_api_secrets' + - $ref: '#/components/schemas/swimlane_secrets' + - $ref: '#/components/schemas/thehive_secrets' + - $ref: '#/components/schemas/tines_secrets' + - $ref: '#/components/schemas/torq_secrets' + - $ref: '#/components/schemas/webhook_secrets' + - $ref: '#/components/schemas/cases_webhook_secrets' + - $ref: '#/components/schemas/xmatters_secrets' + required: + - name + - connector_type_id + examples: + createEmailConnectorRequest: + $ref: '#/components/examples/create_email_connector_request' + createIndexConnectorRequest: + $ref: '#/components/examples/create_index_connector_request' + createWebhookConnectorRequest: + $ref: '#/components/examples/create_webhook_connector_request' + createXmattersConnectorRequest: + $ref: '#/components/examples/create_xmatters_connector_request' responses: '200': content: application/json: - examples: - saveApmServerSchemaResponseExample1: - $ref: >- - #/components/examples/APM_UI_fleet_apm_server_schema_200_response1 schema: additionalProperties: false - description: The response body is intentionally empty for this endpoint. type: object - description: Successful response - '400': - content: - application/json: - examples: - badRequestResponse: - $ref: '#/components/examples/APM_UI_error_400_response' - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - examples: - unauthorizedResponse: - $ref: '#/components/examples/APM_UI_error_401_response' - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response + properties: + auth_mode: + description: The authentication mode used for the connector. + enum: + - shared + - per-user + type: string + config: + additionalProperties: + nullable: true + type: object + connector_type_id: + description: The connector type identifier. + type: string + id: + description: The identifier for the connector. 
+ type: string + is_connector_type_deprecated: + description: Indicates whether the connector type is deprecated. + type: boolean + is_deprecated: + description: Indicates whether the connector is deprecated. + type: boolean + is_missing_secrets: + description: Indicates whether the connector is missing secrets. + type: boolean + is_preconfigured: + description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. ' + type: boolean + is_system_action: + description: Indicates whether the connector is used for system actions. + type: boolean + name: + description: ' The name of the connector.' + type: string + required: + - id + - name + - connector_type_id + - is_preconfigured + - is_deprecated + - is_system_action + - is_connector_type_deprecated + examples: + createEmailConnectorResponse: + $ref: '#/components/examples/create_email_connector_response' + createIndexConnectorResponse: + $ref: '#/components/examples/create_index_connector_response' + createWebhookConnectorResponse: + $ref: '#/components/examples/create_webhook_connector_response' + createXmattersConnectorResponse: + $ref: '#/components/examples/get_connector_response' + description: Indicates a successful call. '403': - content: - application/json: - examples: - forbiddenResponse: - $ref: '#/components/examples/APM_UI_error_403_response' - schema: - $ref: '#/components/schemas/APM_UI_403_response' - description: Forbidden response - '404': - content: - application/json: - examples: - notFoundResponse: - $ref: '#/components/examples/APM_UI_error_404_response' - schema: - $ref: '#/components/schemas/APM_UI_404_response' - description: Not found response - summary: Save APM server schema + description: Indicates that this call is forbidden. + summary: Create a connector tags: - - APM server schema - /api/apm/services/{serviceName}/annotation: - post: - description: Create a new annotation for a specific service. 
- operationId: createAnnotation + - connectors + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/actions/connector/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + put: + operationId: put-actions-connector-id parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - $ref: '#/components/parameters/APM_UI_kbn_xsrf' - - description: The name of the service + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: An identifier for the connector. in: path - name: serviceName + name: id required: true schema: type: string requestBody: content: application/json: - examples: - createAnnotationRequest1: - $ref: '#/components/examples/APM_UI_annotation_object_post_request1' schema: - $ref: '#/components/schemas/APM_UI_create_annotation_object' - required: true + additionalProperties: false + type: object + properties: + name: + description: The display name for the connector. + type: string + config: + additionalProperties: {} + default: {} + description: The connector configuration details. 
+ oneOf: + - $ref: '#/components/schemas/bedrock_config' + - $ref: '#/components/schemas/crowdstrike_config' + - $ref: '#/components/schemas/d3security_config' + - $ref: '#/components/schemas/email_config' + - $ref: '#/components/schemas/gemini_config' + - $ref: '#/components/schemas/resilient_config' + - $ref: '#/components/schemas/index_config' + - $ref: '#/components/schemas/jira_config' + - $ref: '#/components/schemas/defender_config' + - $ref: '#/components/schemas/genai_azure_config' + - $ref: '#/components/schemas/genai_openai_config' + - $ref: '#/components/schemas/opsgenie_config' + - $ref: '#/components/schemas/pagerduty_config' + - $ref: '#/components/schemas/sentinelone_config' + - $ref: '#/components/schemas/servicenow_config' + - $ref: '#/components/schemas/servicenow_itom_config' + - $ref: '#/components/schemas/slack_api_config' + - $ref: '#/components/schemas/swimlane_config' + - $ref: '#/components/schemas/thehive_config' + - $ref: '#/components/schemas/tines_config' + - $ref: '#/components/schemas/torq_config' + - $ref: '#/components/schemas/webhook_config' + - $ref: '#/components/schemas/cases_webhook_config' + - $ref: '#/components/schemas/xmatters_config' + secrets: + additionalProperties: {} + default: {} + oneOf: + - $ref: '#/components/schemas/bedrock_secrets' + - $ref: '#/components/schemas/crowdstrike_secrets' + - $ref: '#/components/schemas/d3security_secrets' + - $ref: '#/components/schemas/email_secrets' + - $ref: '#/components/schemas/gemini_secrets' + - $ref: '#/components/schemas/resilient_secrets' + - $ref: '#/components/schemas/jira_secrets' + - $ref: '#/components/schemas/teams_secrets' + - $ref: '#/components/schemas/genai_secrets' + - $ref: '#/components/schemas/opsgenie_secrets' + - $ref: '#/components/schemas/pagerduty_secrets' + - $ref: '#/components/schemas/sentinelone_secrets' + - $ref: '#/components/schemas/servicenow_secrets' + - $ref: '#/components/schemas/slack_api_secrets' + - $ref: 
'#/components/schemas/swimlane_secrets' + - $ref: '#/components/schemas/thehive_secrets' + - $ref: '#/components/schemas/tines_secrets' + - $ref: '#/components/schemas/torq_secrets' + - $ref: '#/components/schemas/webhook_secrets' + - $ref: '#/components/schemas/cases_webhook_secrets' + - $ref: '#/components/schemas/xmatters_secrets' + required: + - name + examples: + updateIndexConnectorRequest: + $ref: '#/components/examples/update_index_connector_request' responses: '200': content: application/json: - examples: - createAnnotationResponse1: - $ref: >- - #/components/examples/APM_UI_annotation_object_post_200_response1 - schema: - $ref: '#/components/schemas/APM_UI_create_annotation_response' - description: Annotation created successfully - '400': - content: - application/json: - examples: - badRequestResponse: - $ref: '#/components/examples/APM_UI_error_400_response' - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - examples: - unauthorizedResponse: - $ref: '#/components/examples/APM_UI_error_401_response' - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '403': - content: - application/json: - examples: - forbiddenResponse: - $ref: '#/components/examples/APM_UI_error_403_response' - schema: - $ref: '#/components/schemas/APM_UI_403_response' - description: Forbidden response - '404': - content: - application/json: - examples: - notFoundResponse: - $ref: '#/components/examples/APM_UI_error_404_response' schema: - $ref: '#/components/schemas/APM_UI_404_response' - description: Not found response - summary: Create a service annotation + additionalProperties: false + type: object + properties: + auth_mode: + description: The authentication mode used for the connector. 
+ enum: + - shared + - per-user + type: string + config: + additionalProperties: + nullable: true + type: object + connector_type_id: + description: The connector type identifier. + type: string + id: + description: The identifier for the connector. + type: string + is_connector_type_deprecated: + description: Indicates whether the connector type is deprecated. + type: boolean + is_deprecated: + description: Indicates whether the connector is deprecated. + type: boolean + is_missing_secrets: + description: Indicates whether the connector is missing secrets. + type: boolean + is_preconfigured: + description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. ' + type: boolean + is_system_action: + description: Indicates whether the connector is used for system actions. + type: boolean + name: + description: ' The name of the connector.' + type: string + required: + - id + - name + - connector_type_id + - is_preconfigured + - is_deprecated + - is_system_action + - is_connector_type_deprecated + description: Indicates a successful call. + '403': + description: Indicates that this call is forbidden. + summary: Update a connector tags: - - APM annotations - x-codeSamples: - - lang: Curl - source: | - curl -X POST \ - http://localhost:5601/api/apm/services/opbeans-java/annotation \ - -H 'Content-Type: application/json' \ - -H 'kbn-xsrf: true' \ - -H 'Authorization: Basic YhUlubWZhM0FDbnlQeE6WRtaW49FQmSGZ4RUWXdX' \ - -d '{ - "@timestamp": "2020-05-08T10:31:30.452Z", - "service": { - "version": "1.2" - }, - "message": "Deployment 1.2" - }' - /api/apm/services/{serviceName}/annotation/search: - get: - description: Search for annotations related to a specific service. - operationId: getAnnotation + - connectors + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/actions/connector/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/actions/connector/{id}/_execute: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/actions/connector/{id}/_execute
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + You can use this API to test an action that involves interaction with Kibana services or integrations with third-party systems. + operationId: post-actions-connector-id-execute parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - description: The name of the service - in: path - name: serviceName + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: + example: 'true' type: string - - description: The environment to filter annotations by - in: query - name: environment - required: false - schema: - type: string - - description: The start date for the search - example: '2024-01-01T00:00:00.000Z' - in: query - name: start - required: false - schema: - format: date-time - type: string - - description: The end date for the search - example: '2024-01-31T23:59:59.999Z' - in: query - name: end - required: false + - description: An identifier for the connector. 
+ in: path + name: id + required: true schema: - format: date-time type: string - responses: - '200': - content: - application/json: - examples: - getAnnotationResponse1: - $ref: >- - #/components/examples/APM_UI_annotation_search_get_200_response1 - schema: - $ref: '#/components/schemas/APM_UI_annotation_search_response' - description: Successful response - '400': - content: - application/json: - examples: - badRequestResponse: - $ref: '#/components/examples/APM_UI_error_400_response' - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - examples: - unauthorizedResponse: - $ref: '#/components/examples/APM_UI_error_401_response' - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '500': - content: - application/json: - examples: - internalServerErrorResponse: - $ref: '#/components/examples/APM_UI_error_500_response' - schema: - $ref: '#/components/schemas/APM_UI_500_response' - description: Internal Server Error response - summary: Search for annotations - tags: - - APM annotations - /api/apm/settings/agent-configuration: - delete: - description: > - Delete an existing agent configuration. You must have `all` privileges - for the APM and User Experience feature in Kibana. When successful, the - configuration is removed and, if Fleet is enabled, APM package policies - are synchronized accordingly. 
- operationId: deleteAgentConfiguration - parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - $ref: '#/components/parameters/APM_UI_kbn_xsrf' requestBody: content: application/json: - examples: - deleteAgentConfigurationRequest1: - $ref: >- - #/components/examples/APM_UI_agent_configuration_intake_object_delete_request1 schema: - $ref: '#/components/schemas/APM_UI_delete_service_object' - required: true + additionalProperties: false + type: object + properties: + params: + additionalProperties: {} + oneOf: + - $ref: '#/components/schemas/run_acknowledge_resolve_pagerduty' + - $ref: '#/components/schemas/run_documents' + - $ref: '#/components/schemas/run_message_email' + - $ref: '#/components/schemas/run_message_serverlog' + - $ref: '#/components/schemas/run_message_slack' + - $ref: '#/components/schemas/run_trigger_pagerduty' + - $ref: '#/components/schemas/run_addevent' + - $ref: '#/components/schemas/run_closealert' + - $ref: '#/components/schemas/run_closeincident' + - $ref: '#/components/schemas/run_createalert' + - $ref: '#/components/schemas/run_fieldsbyissuetype' + - $ref: '#/components/schemas/run_getagentdetails' + - $ref: '#/components/schemas/run_getagents' + - $ref: '#/components/schemas/run_getchoices' + - $ref: '#/components/schemas/run_getfields' + - $ref: '#/components/schemas/run_getincident' + - $ref: '#/components/schemas/run_issue' + - $ref: '#/components/schemas/run_issues' + - $ref: '#/components/schemas/run_issuetypes' + - $ref: '#/components/schemas/run_postmessage' + - $ref: '#/components/schemas/run_pushtoservice' + - $ref: '#/components/schemas/run_validchannelid' + required: + - params + examples: + runIndexConnectorRequest: + $ref: '#/components/examples/run_index_connector_request' + runJiraConnectorRequest: + $ref: '#/components/examples/run_jira_connector_request' + runServerLogConnectorRequest: + $ref: '#/components/examples/run_servicenow_itom_connector_request' + runSlackConnectorRequest: + $ref: 
'#/components/examples/run_slack_api_connector_request' + runSwimlaneConnectorRequest: + $ref: '#/components/examples/run_swimlane_connector_request' responses: '200': content: application/json: - examples: - deleteAgentConfigurationResponseExample1: - $ref: >- - #/components/examples/APM_UI_agent_configuration_intake_object_delete_200_response1 - schema: - $ref: >- - #/components/schemas/APM_UI_delete_agent_configurations_response - description: Successful response - '400': - content: - application/json: - examples: - badRequestResponse: - $ref: '#/components/examples/APM_UI_error_400_response' - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - examples: - unauthorizedResponse: - $ref: '#/components/examples/APM_UI_error_401_response' schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response + additionalProperties: false + type: object + properties: + auth_mode: + description: The authentication mode used for the connector. + enum: + - shared + - per-user + type: string + config: + additionalProperties: + nullable: true + type: object + connector_type_id: + description: The connector type identifier. + type: string + id: + description: The identifier for the connector. + type: string + is_connector_type_deprecated: + description: Indicates whether the connector type is deprecated. + type: boolean + is_deprecated: + description: Indicates whether the connector is deprecated. + type: boolean + is_missing_secrets: + description: Indicates whether the connector is missing secrets. + type: boolean + is_preconfigured: + description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. ' + type: boolean + is_system_action: + description: Indicates whether the connector is used for system actions. 
+ type: boolean + name: + description: ' The name of the connector.' + type: string + required: + - id + - name + - connector_type_id + - is_preconfigured + - is_deprecated + - is_system_action + - is_connector_type_deprecated + examples: + runIndexConnectorResponse: + $ref: '#/components/examples/run_index_connector_response' + runJiraConnectorResponse: + $ref: '#/components/examples/run_jira_connector_response' + runServerLogConnectorResponse: + $ref: '#/components/examples/run_server_log_connector_response' + runServiceNowITOMConnectorResponse: + $ref: '#/components/examples/run_servicenow_itom_connector_response' + runSlackConnectorResponse: + $ref: '#/components/examples/run_slack_api_connector_response' + runSwimlaneConnectorResponse: + $ref: '#/components/examples/run_swimlane_connector_response' + description: Indicates a successful call. '403': - content: - application/json: - examples: - forbiddenResponse: - $ref: '#/components/examples/APM_UI_error_403_response' - schema: - $ref: '#/components/schemas/APM_UI_403_response' - description: Forbidden response - '404': - content: - application/json: - examples: - notFoundResponse: - $ref: '#/components/examples/APM_UI_error_404_response' - schema: - $ref: '#/components/schemas/APM_UI_404_response' - description: Not found response - summary: Delete agent configuration + description: Indicates that this call is forbidden. + summary: Run a connector tags: - - APM agent configuration + - connectors + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/actions/connectors: get: - description: > - Retrieve all agent configurations. You must have `read` privileges for - the APM and User Experience feature in Kibana. If agent configuration is - not available on the current deployment, the API returns a 404. 
- operationId: getAgentConfigurations - parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' + operationId: get-actions-connectors + parameters: [] responses: '200': content: application/json: - examples: - getAgentConfigurationsResponseExample1: - $ref: >- - #/components/examples/APM_UI_agent_configuration_intake_object_get_200_response1 - schema: - $ref: '#/components/schemas/APM_UI_agent_configurations_response' - description: Successful response - '400': - content: - application/json: - examples: - badRequestResponse: - $ref: '#/components/examples/APM_UI_error_400_response' - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - examples: - unauthorizedResponse: - $ref: '#/components/examples/APM_UI_error_401_response' schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '404': - content: - application/json: + items: + additionalProperties: false + type: object + properties: + auth_mode: + description: The authentication mode used for the connector. + enum: + - shared + - per-user + type: string + config: + additionalProperties: + nullable: true + type: object + connector_type_id: + description: The connector type identifier. + type: string + id: + description: The identifier for the connector. + type: string + is_connector_type_deprecated: + description: Indicates whether the connector type is deprecated. + type: boolean + is_deprecated: + description: Indicates whether the connector is deprecated. + type: boolean + is_missing_secrets: + description: Indicates whether the connector is missing secrets. + type: boolean + is_preconfigured: + description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. ' + type: boolean + is_system_action: + description: Indicates whether the connector is used for system actions. 
+ type: boolean + name: + description: ' The name of the connector.' + type: string + referenced_by_count: + description: The number of saved objects that reference the connector. If is_preconfigured is true, this value is not calculated. + type: number + required: + - id + - name + - connector_type_id + - is_preconfigured + - is_deprecated + - is_system_action + - is_connector_type_deprecated + - referenced_by_count + type: array examples: - notFoundResponse: - $ref: '#/components/examples/APM_UI_error_404_response' - schema: - $ref: '#/components/schemas/APM_UI_404_response' - description: Not found response - summary: Get a list of agent configurations + getConnectorsResponse: + $ref: '#/components/examples/get_connectors_response' + description: Indicates a successful call. + '403': + description: Indicates that this call is forbidden. + summary: Get all connectors tags: - - APM agent configuration - put: - description: > - Create or update an agent configuration. You must have `all` privileges - for the APM and User Experience feature in Kibana. When updating an - existing configuration, the `?overwrite=true` query parameter is - required. If the configuration already exists and `overwrite` is not set - to `true`, the API returns a 400 error. When successful and Fleet is - enabled, APM package policies are synchronized accordingly. - operationId: createUpdateAgentConfiguration + - connectors + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/actions/connectors
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/agent_builder/a2a/{agentId}: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/agent_builder/a2a/{agentId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + > warn + > This endpoint is designed for A2A protocol clients and should not be used directly via REST APIs. Use an A2A SDK or A2A Inspector instead. + To learn more about the Agent Builder A2A server, refer to the [A2A server documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/a2a-server).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: post-agent-builder-a2a-agentid parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - $ref: '#/components/parameters/APM_UI_kbn_xsrf' - - description: If the config exists ?overwrite=true is required - in: query - name: overwrite + - description: The unique identifier of the agent to send the A2A task to. + in: path + name: agentId + required: true schema: - type: boolean + type: string requestBody: content: application/json: examples: - createUpdateAgentConfigurationRequestExample1: - $ref: >- - #/components/examples/APM_UI_agent_configuration_intake_object_put_request1 - schema: - $ref: '#/components/schemas/APM_UI_agent_configuration_intake_object' - required: true + a2aTaskRequestExample: + description: 'WARNING: DO NOT USE THIS ENDPOINT VIA REST API. These examples are auto-generated and should not be run. Integrate with A2A using an A2A SDK or A2A Inspector instead.' + value: + id: task-123 + jsonrpc: '2.0' + method: complete + params: + messages: + - content: Hello from A2A protocol + role: user + schema: {} responses: '200': content: application/json: examples: - createUpdateAgentConfigurationResponseExample1: - $ref: >- - #/components/examples/APM_UI_agent_configuration_intake_object_put_200_response1 - schema: - additionalProperties: false - description: The response body is intentionally empty for this endpoint. 
- type: object - description: Successful response - '400': - content: - application/json: - examples: - badRequestResponse: - $ref: '#/components/examples/APM_UI_error_400_response' - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - examples: - unauthorizedResponse: - $ref: '#/components/examples/APM_UI_error_401_response' - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '403': - content: - application/json: - examples: - forbiddenResponse: - $ref: '#/components/examples/APM_UI_error_403_response' - schema: - $ref: '#/components/schemas/APM_UI_403_response' - description: Forbidden response - '404': - content: - application/json: - examples: - notFoundResponse: - $ref: '#/components/examples/APM_UI_error_404_response' - schema: - $ref: '#/components/schemas/APM_UI_404_response' - description: Not found response - summary: Create or update agent configuration + a2aTaskResponseExample: + description: Example response from A2A Task Endpoint with results of task execution + value: + id: task-123 + jsonrpc: '2.0' + result: + conversation_id: conv-456 + response: + message: Hello! How can I help you today? + type: response + description: Indicates a successful response + summary: Send A2A task tags: - - APM agent configuration - /api/apm/settings/agent-configuration/agent_name: + - agent builder + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/agent_builder/a2a/{agentId}.json: get: - description: Retrieve `agentName` for a service. - operationId: getAgentNameForService + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/agent_builder/a2a/{agentId}.json
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get agent discovery metadata in JSON format. Use this endpoint to provide agent information for A2A protocol integration and discovery. To learn more about the Agent Builder A2A server, refer to the [A2A server documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/a2a-server).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-a2a-agentid.json parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - description: The name of the service - example: node - in: query - name: serviceName + - description: The unique identifier of the agent to get A2A metadata for. + in: path + name: agentId required: true schema: type: string 
@@ -611,415 +1265,569 @@ paths: content: application/json: examples: - getAgentNameForServiceResponse1: - $ref: >- - #/components/examples/APM_UI_service_agent_name_get_200_response1 - schema: - $ref: '#/components/schemas/APM_UI_service_agent_name_response' - description: Successful response - '400': - content: - application/json: - examples: - badRequestResponse: - $ref: '#/components/examples/APM_UI_error_400_response' - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - examples: - unauthorizedResponse: - $ref: '#/components/examples/APM_UI_error_401_response' - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '404': - content: - application/json: - examples: - notFoundResponse: - $ref: '#/components/examples/APM_UI_error_404_response' - schema: - $ref: '#/components/schemas/APM_UI_404_response' - description: Not found response - summary: Get agent name for service + a2aAgentCardResponseExample: + description: Example response card of Elastic AI Agent + value: + capabilities: + pushNotifications: false + stateTransitionHistory: false + streaming: false + defaultInputModes: + - text/plain + defaultOutputModes: + - text/plain + description: Elastic AI Agent + name: Elastic AI Agent + protocolVersion: 0.3.0 + provider: + organization: Elastic + url: https://elastic.co + securitySchemes: + authorization: + description: Authentication token + in: header + name: Authorization + type: apiKey + skills: + - description: A powerful tool for searching and analyzing data within your Elasticsearch cluster. 
+ examples: [] + id: platform.core.search + inputModes: + - text/plain + - application/json + name: platform.core.search + outputModes: + - text/plain + - application/json + tags: + - tool + supportsAuthenticatedExtendedCard: false + url: http://localhost:5601/api/agent_builder/a2a/elastic-ai-agent + version: 0.1.0 + description: Indicates a successful response + summary: Get A2A agent card tags: - - APM agent configuration - /api/apm/settings/agent-configuration/environments: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/agent_builder/a2a/{agentId}.json" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/agent_builder/a2a/{agentId}.json + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/agent_builder/agents: get: - description: > - Retrieve the available environments for a given service, to be used in - agent configuration. You must have `read` privileges for the APM and - User Experience feature in Kibana. If `serviceName` is omitted, - environments across all services are returned. - operationId: getEnvironmentsForService - parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - description: >- - The name of the service. If omitted, environments across all - services are returned. - example: opbeans-node - in: query - name: serviceName - schema: - type: string + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/agent_builder/agents
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all available agents. Use this endpoint to retrieve complete agent information including their current configuration and assigned tools. To learn more about agents, refer to the [agents documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/agent-builder-agents).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-agents + parameters: [] responses: '200': content: application/json: examples: - getEnvironmentsForServiceResponseExample1: - $ref: >- - #/components/examples/APM_UI_agent_configuration_environments_200_response1 - schema: - $ref: '#/components/schemas/APM_UI_service_environments_response' - description: Successful response - '400': - content: - application/json: - examples: - badRequestResponse: - $ref: '#/components/examples/APM_UI_error_400_response' - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - examples: - unauthorizedResponse: - $ref: '#/components/examples/APM_UI_error_401_response' - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '404': - content: - application/json: - examples: - notFoundResponse: - $ref: '#/components/examples/APM_UI_error_404_response' - schema: - $ref: '#/components/schemas/APM_UI_404_response' - description: Not found response - summary: Get environments for service + listAgentsResponseExample: + description: Example response that returns one built-in Elastic agent and one created by the user + value: + results: + - configuration: + tools: + - tool_ids: + - platform.core.search + - platform.core.list_indices + - platform.core.get_index_mapping + - platform.core.get_document_by_id + description: Elastic AI Agent + id: elastic-ai-agent + name: Elastic AI Agent + type: chat + - avatar_color: '#BFDBFF' + avatar_symbol: SI + configuration: + instructions: You are a custom agent that wants to help searching data using all indices starting with prefix "content-". + tools: + - tool_ids: + - platform.core.search + - platform.core.list_indices + - platform.core.get_index_mapping + - platform.core.get_document_by_id + description: Hi! 
I can help you search the data within the indices starting with "content-" prefix. + id: created-agent-id + labels: + - custom-indices + - department-search + name: Search Index Helper + type: chat + description: Indicates a successful response + summary: List agents tags: - - APM agent configuration - /api/apm/settings/agent-configuration/search: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/agent_builder/agents" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/agent_builder/agents + x-state: '' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name post: - deprecated: true - description: > - DEPRECATED: This endpoint is intended for internal use by APM agents to - fetch their configuration and mark it as applied. Do not use for new - integrations. It searches for a single agent configuration matching the - given service, and optionally updates the `applied_by_agent` field when - the provided `etag` matches the current configuration. - operationId: searchSingleConfiguration + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/agent_builder/agents
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new agent. Use this endpoint to define the agent's behavior, appearance, and capabilities through comprehensive configuration options. To learn more about agents, refer to the [agents documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/agent-builder-agents).

[Required authorization] Route required privileges: agentBuilder:manageAgents. + operationId: post-agent-builder-agents parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - $ref: '#/components/parameters/APM_UI_kbn_xsrf' + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: examples: - searchSingleConfigurationRequest1: - $ref: >- - #/components/examples/APM_UI_agent_configuration_intake_object_search_request1 + createAgentRequestExample: + description: Example request for creating a custom agent with special prompt and tools + value: + avatar_color: '#BFDBFF' + avatar_symbol: SI + configuration: + instructions: You are a custom agent that wants to help searching data using all indices starting with prefix "content-". + tools: + - tool_ids: + - platform.core.search + - platform.core.list_indices + - platform.core.get_index_mapping + - platform.core.get_document_by_id + description: Hi! I can help you search the data within the indices starting with "content-" prefix. 
+ id: created-agent-id + labels: + - custom-indices + - department-search + name: Search Index Helper schema: - $ref: '#/components/schemas/APM_UI_search_agent_configuration_object' - required: true - responses: - '200': - content: - application/json: - examples: - searchSingleConfigurationResponse1: - $ref: >- - #/components/examples/APM_UI_agent_configuration_intake_object_search_200_response1 - schema: - $ref: >- - #/components/schemas/APM_UI_search_agent_configuration_response - description: Successful response - '400': - content: - application/json: - examples: - badRequestResponse: - $ref: '#/components/examples/APM_UI_error_400_response' - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - examples: - unauthorizedResponse: - $ref: '#/components/examples/APM_UI_error_401_response' - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '404': - content: - application/json: - examples: - notFoundResponse: - $ref: '#/components/examples/APM_UI_error_404_response' - schema: - $ref: '#/components/schemas/APM_UI_404_response' - description: Not found response - summary: Lookup single agent configuration - tags: - - APM agent configuration - /api/apm/settings/agent-configuration/view: - get: - description: > - Retrieve a single agent configuration matching the given service name - and environment. You must have `read` privileges for the APM and User - Experience feature in Kibana. If no matching configuration is found, the - API returns a 404. 
- operationId: getSingleAgentConfiguration - parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - description: Service name - example: node - in: query - name: name - schema: - type: string - - description: Service environment - example: prod - in: query - name: environment - schema: - type: string + additionalProperties: false + type: object + properties: + avatar_color: + description: Optional hex color code for the agent avatar. + type: string + avatar_symbol: + description: Optional symbol/initials for the agent avatar. + type: string + configuration: + additionalProperties: false + description: Configuration settings for the agent. + type: object + properties: + connector_ids: + description: Array of connector IDs to associate with the agent. + items: + description: Connector ID to associate with the agent. + type: string + maxItems: 100 + type: array + enable_elastic_capabilities: + description: When true, enables built-in Elastic capabilities for the agent. + type: boolean + instructions: + description: Optional system instructions that define the agent behavior. + type: string + plugin_ids: + description: Array of plugin IDs to assign to the agent. + items: + description: Plugin ID to assign to the agent. + type: string + maxItems: 100 + type: array + skill_ids: + description: Array of skill IDs to be available to the agent. + items: + description: Skill ID to be available to the agent. + type: string + maxItems: 100 + type: array + tools: + items: + additionalProperties: false + description: Tool selection configuration for the agent. + type: object + properties: + tool_ids: + description: Array of tool IDs that the agent can use. + items: + description: Tool ID to be available to the agent. + type: string + type: array + required: + - tool_ids + type: array + workflow_ids: + items: + description: Optional list of workflow IDs. When set, these workflows run before every agent execution, in order. 
+ type: string + maxItems: 100 + type: array + required: + - tools + description: + description: Description of what the agent does. + type: string + id: + description: Unique identifier for the agent. + type: string + labels: + description: Optional labels for categorizing and organizing agents. + items: + description: Label for categorizing the agent. + type: string + type: array + name: + description: Display name for the agent. + type: string + visibility: + description: '**Technical Preview; added in 9.4.0.** Optional visibility setting: `public` (any privileged user can read/write), `shared` (any privileged user can read, only owner can write), `private` (only owner can read/write).' + enum: + - public + - shared + - private + type: string + required: + - id + - name + - description + - configuration responses: '200': content: application/json: examples: - getSingleAgentConfigurationResponseExample1: - $ref: >- - #/components/examples/APM_UI_agent_configuration_intake_object_view_200_response1 - schema: - $ref: >- - #/components/schemas/APM_UI_single_agent_configuration_response - description: Successful response - '400': - content: - application/json: - examples: - badRequestResponse: - $ref: '#/components/examples/APM_UI_error_400_response' - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - examples: - unauthorizedResponse: - $ref: '#/components/examples/APM_UI_error_401_response' - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '404': - content: - application/json: - examples: - notFoundResponse: - $ref: '#/components/examples/APM_UI_error_404_response' - schema: - $ref: '#/components/schemas/APM_UI_404_response' - description: Not found response - summary: Get single agent configuration + createAgentResponseExample: + description: Example response returning the definition of an agent created as a result of the request 
+ value: + avatar_color: '#BFDBFF' + avatar_symbol: SI + configuration: + instructions: You are a custom agent that wants to help searching data using all indices starting with prefix "content-". + tools: + - tool_ids: + - platform.core.search + - platform.core.list_indices + - platform.core.get_index_mapping + - platform.core.get_document_by_id + description: Hi! I can help you search the data within the indices starting with "content-" prefix. + id: created-agent-id + labels: + - custom-indices + - department-search + name: Search Index Helper + type: chat + description: Indicates a successful response + summary: Create an agent tags: - - APM agent configuration - /api/apm/sourcemaps: - get: - description: > - Get an array of Fleet artifacts, including source map uploads. You must - have `read` or `all` Kibana privileges for the APM and User Experience - feature. - operationId: getSourceMaps + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/agent_builder/agents" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "id": "new-agent-id", + "name": "Search Index Helper", + "description": "Hi! I can help you search the data within the indices starting with \"content-\" prefix.", + "labels": ["custom-indices", "department-search"], + "avatar_color": "#BFDBFF", + "avatar_symbol": "SI", + "configuration": { + "instructions": "You are a custom agent that wants to help searching data using all indices starting with prefix \"content-\".", + "tools": [ + { + "tool_ids": [ + "platform.core.search", + "platform.core.list_indices", + "platform.core.get_index_mapping", + "platform.core.get_document_by_id" + ] + } + ] + } + }' + - lang: Console + source: | + POST kbn://api/agent_builder/agents + { + "id": "new-agent-id", + "name": "Search Index Helper", + "description": "Hi! 
I can help you search the data within the indices starting with \"content-\" prefix.", + "labels": ["custom-indices", "department-search"], + "avatar_color": "#BFDBFF", + "avatar_symbol": "SI", + "configuration": { + "instructions": "You are a custom agent that wants to help searching data using all indices starting with prefix \"content-\".", + "tools": [ + { + "tool_ids": [ + "platform.core.search", + "platform.core.list_indices", + "platform.core.get_index_mapping", + "platform.core.get_document_by_id" + ] + } + ] + } + } + x-state: '' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/agent_builder/agents/{agent_id}/consumption: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/agent_builder/agents/{agent_id}/consumption
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Returns paginated, per-conversation token consumption data for a given agent. Includes input/output token counts, round counts, LLM call counts, and warnings for conversations with high token usage. Requires the manageAgents privilege. To learn more about monitoring agent token usage, refer to the [monitor usage documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/monitor-usage).

[Required authorization] Route required privileges: agentBuilder:manageAgents. + operationId: post-agent-builder-agents-agent-id-consumption parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - description: Page number - in: query - name: page + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - type: number - - description: Number of records per page - in: query - name: perPage + example: 'true' + type: string + - description: The unique identifier of the agent. + in: path + name: agent_id + required: true schema: - type: number + type: string + requestBody: + content: + application/json: + examples: + consumptionDefaultExample: + description: Get consumption data for an agent with default pagination + value: + size: 25 + sort_field: updated_at + sort_order: desc + consumptionFilteredExample: + description: Get consumption data filtered by username with warnings + value: + has_warnings: true + size: 10 + sort_field: total_tokens + sort_order: desc + usernames: + - elastic + - admin + schema: + additionalProperties: false + type: object + properties: + has_warnings: + description: Filter to conversations with or without high-token warnings. + type: boolean + search: + description: Free-text search filter on conversation title. + type: string + search_after: + description: Cursor for pagination. Pass the search_after value from the previous response. + items: + nullable: true + maxItems: 10000 + type: array + size: + default: 25 + description: Number of results per page. + maximum: 100 + minimum: 1 + type: number + sort_field: + default: updated_at + description: Field to sort results by. + enum: + - updated_at + - total_tokens + - round_count + type: string + sort_order: + default: desc + description: Sort direction. + enum: + - asc + - desc + type: string + usernames: + description: Filter results to conversations by these usernames. 
+ items: + type: string + maxItems: 10000 + type: array responses: '200': content: application/json: examples: - getSourceMapsResponse1: - $ref: '#/components/examples/APM_UI_source_maps_get_200_response1' - schema: - $ref: '#/components/schemas/APM_UI_source_maps_response' - description: Successful response - '400': - content: - application/json: - examples: - badRequestResponse: - $ref: '#/components/examples/APM_UI_error_400_response' - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - examples: - unauthorizedResponse: - $ref: '#/components/examples/APM_UI_error_401_response' - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '500': - content: - application/json: - examples: - internalServerErrorResponse: - $ref: '#/components/examples/APM_UI_error_500_response' - schema: - $ref: '#/components/schemas/APM_UI_500_response' - description: Internal Server Error response - '501': - content: - application/json: - examples: - notImplementedResponse: - $ref: '#/components/examples/APM_UI_error_501_response' - schema: - $ref: '#/components/schemas/APM_UI_501_response' - description: Not Implemented response - summary: Get source maps + consumptionResponseExample: + description: Example response with per-conversation token usage data + value: + aggregations: + total_with_warnings: 0 + usernames: + - elastic + - admin + results: + - conversation_id: conv-abc123 + created_at: '2025-03-01T10:00:00Z' + llm_calls: 8 + round_count: 5 + title: Help me search my data + token_usage: + input_tokens: 15000 + output_tokens: 3000 + total_tokens: 18000 + updated_at: '2025-03-01T10:15:00Z' + user: + id: uid-1 + username: elastic + warnings: [] + - conversation_id: conv-def456 + created_at: '2025-03-02T14:00:00Z' + llm_calls: 20 + round_count: 12 + title: Analyze server logs + token_usage: + input_tokens: 250000 + output_tokens: 8000 + total_tokens: 
258000 + updated_at: '2025-03-02T14:30:00Z' + user: + id: uid-2 + username: admin + warnings: + - input_tokens: 250000 + round_id: round-7 + type: high_input_tokens + search_after: + - 1709391000000 + - '2025-03-02T14:30:00Z' + total: 2 + description: Indicates a successful response + summary: Get agent consumption data tags: - - APM sourcemaps + - agent builder x-codeSamples: - - lang: Curl + - lang: curl source: | - curl -X GET "http://localhost:5601/api/apm/sourcemaps" \ - -H 'Content-Type: application/json' \ - -H 'kbn-xsrf: true' \ - -H 'Authorization: ApiKey ${YOUR_API_KEY}' - post: - description: > - Upload a source map for a specific service and version. You must have - `all` Kibana privileges for the APM and User Experience feature. - - The maximum payload size is `1mb`. If you attempt to upload a source map - that exceeds the maximum payload size, you will get a 413 error. Before - uploading source maps that exceed this default, change the maximum - payload size allowed by Kibana with the `server.maxPayload` variable. - operationId: uploadSourceMap + curl \ + -X POST "${KIBANA_URL}/api/agent_builder/agents/elastic-ai-agent/consumption" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "Content-Type: application/json" \ + -H "elastic-api-version: 2023-10-31" \ + -d '{"size": 25, "sort_field": "updated_at", "sort_order": "desc"}' + - lang: Console + source: | + POST kbn://api/agent_builder/agents/elastic-ai-agent/consumption + {"size": 25, "sort_field": "updated_at", "sort_order": "desc"} + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/agent_builder/agents/{id}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/agent_builder/agents/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete an agent by ID. This action cannot be undone. To learn more about agents, refer to the [agents documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/agent-builder-agents).

[Required authorization] Route required privileges: agentBuilder:manageAgents. + operationId: delete-agent-builder-agents-id parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - $ref: '#/components/parameters/APM_UI_kbn_xsrf' - requestBody: - content: - multipart/form-data: - examples: - uploadSourceMapRequest: - $ref: '#/components/examples/APM_UI_source_maps_upload_request1' - schema: - $ref: '#/components/schemas/APM_UI_upload_source_map_object' - required: true + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The unique identifier of the agent to delete. + in: path + name: id + required: true + schema: + type: string responses: '200': content: application/json: examples: - uploadSourceMapResponse1: - $ref: >- - #/components/examples/APM_UI_source_maps_upload_200_response1 - schema: - $ref: '#/components/schemas/APM_UI_upload_source_maps_response' - description: Successful response - '400': - content: - application/json: - examples: - badRequestResponse: - $ref: '#/components/examples/APM_UI_error_400_response' - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - examples: - unauthorizedResponse: - $ref: '#/components/examples/APM_UI_error_401_response' - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '403': - content: - application/json: - examples: - forbiddenResponse: - $ref: '#/components/examples/APM_UI_error_403_response' - schema: - $ref: '#/components/schemas/APM_UI_403_response' - description: Forbidden response - '500': - content: - application/json: - examples: - internalServerErrorResponse: - $ref: '#/components/examples/APM_UI_error_500_response' - schema: - $ref: '#/components/schemas/APM_UI_500_response' - description: Internal Server Error response - '501': - 
content: - application/json: - examples: - notImplementedResponse: - $ref: '#/components/examples/APM_UI_error_501_response' - schema: - $ref: '#/components/schemas/APM_UI_501_response' - description: Not Implemented response - summary: Upload a source map + deleteAgentResponseExample: + description: Example response showing that deletion of the agent has been successful + value: + success: true + description: Indicates a successful response + summary: Delete an agent tags: - - APM sourcemaps + - agent builder x-codeSamples: - - lang: Curl - source: > - curl -X POST "http://localhost:5601/api/apm/sourcemaps" \ - - -H 'Content-Type: multipart/form-data' \ - - -H 'kbn-xsrf: true' \ - - -H 'Authorization: ApiKey ${YOUR_API_KEY}' \ - - -F 'service_name="foo"' \ + - lang: curl + source: | + curl \ + -X DELETE "${KIBANA_URL}/api/agent_builder/agents/{id}" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" + - lang: Console + source: | + DELETE kbn://api/agent_builder/agents/{id} + x-state: '' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: |- + **Spaces method and path for this operation:** - -F 'service_version="1.0.0"' \ +
get /s/{space_id}/api/agent_builder/agents/{id}
- -F 'bundle_filepath="/test/e2e/general-usecase/bundle.js"' \ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - -F - 'sourcemap="{\"version\":3,\"file\":\"static/js/main.chunk.js\",\"sources\":[\"fleet-source-map-client/src/index.css\",\"fleet-source-map-client/src/App.js\",\"webpack:///./src/index.css?bb0a\",\"fleet-source-map-client/src/index.js\",\"fleet-source-map-client/src/reportWebVitals.js\"],\"sourcesContent\":[\"content\"],\"mappings\":\"mapping\",\"sourceRoot\":\"\"}"' - /api/apm/sourcemaps/{id}: - delete: - description: > - Delete a previously uploaded source map. You must have `all` Kibana - privileges for the APM and User Experience feature. - operationId: deleteSourceMap + Get a specific agent by ID. Use this endpoint to retrieve the complete agent definition including all configuration details and tool assignments. To learn more about agents, refer to the [agents documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/agent-builder-agents).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-agents-id parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - $ref: '#/components/parameters/APM_UI_kbn_xsrf' - - description: Source map identifier + - description: The unique identifier of the agent to retrieve. in: path name: id required: true 
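Review bot: The curl sample for `POST /api/agent_builder/agents/{agent_id}/consumption` omits the `kbn-xsrf` header even though the operation's own parameter list declares `kbn-xsrf` as required "to protect against CSRF attacks", and the sibling create-agent and delete-agent curl samples in this hunk do send it; someone copying the sample will get a rejected request unless the `elastic-api-version` header it sends happens to satisfy Kibana's XSRF check, which the spec does not claim. Add `-H "kbn-xsrf: true" \` to that curl sample so the example matches the declared contract. Separately, the `visibility` property on `POST /api/agent_builder/agents` enumerates `public`/`shared`/`private` but never states which applies when the field is omitted; because `public` lets any privileged user write the agent, the description should name the default (e.g. `When omitted, the agent is created with visibility <default> — confirm against the route handler`) so callers are not surprised by a broader-than-intended write scope. The operation object for `GET /api/agent_builder/agents/{id}` continues past the end of this hunk.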
@@ -1030,1011 +1838,7434 @@ paths: content: application/json: examples: - deleteSourceMapResponseExample1: - $ref: >- - #/components/examples/APM_UI_source_maps_delete_200_response1 - schema: - additionalProperties: false - description: The response body is intentionally empty for this endpoint. - type: object - description: Successful response - '400': - content: - application/json: - examples: - badRequestResponse: - $ref: '#/components/examples/APM_UI_error_400_response' - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - examples: - unauthorizedResponse: - $ref: '#/components/examples/APM_UI_error_401_response' - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '403': - content: - application/json: - examples: - forbiddenResponse: - $ref: '#/components/examples/APM_UI_error_403_response' - schema: - $ref: '#/components/schemas/APM_UI_403_response' - description: Forbidden response - '500': - content: - application/json: - examples: - internalServerErrorResponse: - $ref: '#/components/examples/APM_UI_error_500_response' - schema: - $ref: '#/components/schemas/APM_UI_500_response' - description: Internal Server Error response - '501': - content: - application/json: - examples: - notImplementedResponse: - $ref: '#/components/examples/APM_UI_error_501_response' - schema: - $ref: '#/components/schemas/APM_UI_501_response' - description: Not Implemented response - summary: Delete source map + getAgentByIdResponseExample: + description: Example response that an agent created by the user that will query elasticsearch indices starting with 'content-' prefix to answer the questions. + value: + avatar_color: '#BFDBFF' + avatar_symbol: SI + configuration: + instructions: You are a custom agent that wants to help searching data using all indices starting with prefix "content-". 
+ tools: + - tool_ids: + - platform.core.search + - platform.core.list_indices + - platform.core.get_index_mapping + - platform.core.get_document_by_id + description: Hi! I can help you search the data within the indices starting with "content-" prefix. + id: created-agent-id + labels: + - custom-indices + - department-search + name: Search Index Helper + type: chat + description: Indicates a successful response + summary: Get an agent by ID tags: - - APM sourcemaps + - agent builder x-codeSamples: - - lang: Curl - source: > - curl -X DELETE - "http://localhost:5601/api/apm/sourcemaps/apm:foo-1.0.0-644fd5a9" \ + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/agent_builder/agents/{id}" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/agent_builder/agents/{id} + x-state: '' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** - -H 'Content-Type: application/json' \ +
put /s/{space_id}/api/agent_builder/agents/{id}
- -H 'kbn-xsrf: true' \ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - -H 'Authorization: ApiKey ${YOUR_API_KEY}' - /api/asset_criticality: - delete: - description: Delete the asset criticality record for a specific entity. - operationId: DeleteAssetCriticalityRecord + Update an existing agent configuration. Use this endpoint to modify any aspect of the agent's behavior, appearance, or capabilities. To learn more about agents, refer to the [agents documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/agent-builder-agents).

[Required authorization] Route required privileges: agentBuilder:manageAgents. + operationId: put-agent-builder-agents-id parameters: - - description: The ID value of the asset. - example: my_host - in: query - name: id_value + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: + example: 'true' type: string - - description: The field representing the ID. - example: host.name - in: query - name: id_field + - description: The unique identifier of the agent to update. + in: path + name: id required: true schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_IdField' - - description: If 'wait_for' the request will wait for the index refresh. - in: query - name: refresh - required: false - schema: - enum: - - wait_for type: string + requestBody: + content: + application/json: + examples: + createAgentRequestExample: + description: Example request for updating custom agent + value: + avatar_color: '#BFDBFF' + avatar_symbol: SI + configuration: + instructions: You are a custom agent that wants to help searching data using all indices starting with prefix "content-". + tools: + - tool_ids: + - platform.core.search + - platform.core.list_indices + - platform.core.get_index_mapping + - platform.core.get_document_by_id + description: Updated description - Search for anything in "content-*" indices! + id: created-agent-id + labels: + - custom-indices + - department-search + - elastic-employees + name: Search Index Helper + schema: + additionalProperties: false + type: object + properties: + avatar_color: + description: Updated hex color code for the agent avatar. + type: string + avatar_symbol: + description: Updated symbol/initials for the agent avatar. + type: string + configuration: + additionalProperties: false + description: Updated configuration settings for the agent. + type: object + properties: + connector_ids: + description: Array of connector IDs to associate with the agent. 
+ items: + description: Connector ID to associate with the agent. + type: string + maxItems: 100 + type: array + enable_elastic_capabilities: + description: When true, enables built-in Elastic capabilities for the agent. + type: boolean + instructions: + description: Updated system instructions that define the agent behavior. + type: string + plugin_ids: + description: Array of plugin IDs to assign to the agent. + items: + description: Plugin ID to assign to the agent. + type: string + maxItems: 100 + type: array + skill_ids: + description: Array of skill IDs to be available to the agent. + items: + description: Skill ID to be available to the agent. + type: string + maxItems: 100 + type: array + tools: + items: + additionalProperties: false + description: Tool selection configuration for the agent. + type: object + properties: + tool_ids: + description: Array of tool IDs that the agent can use. + items: + description: Tool ID to be available to the agent. + type: string + type: array + required: + - tool_ids + type: array + workflow_ids: + items: + description: Updated list of workflow IDs. When set, these workflows run every agent execution, in order. + type: string + maxItems: 100 + type: array + description: + description: Updated description of what the agent does. + type: string + labels: + description: Updated labels for categorizing and organizing agents. + items: + description: Updated label for categorizing the agent. + type: string + type: array + name: + description: Updated display name for the agent. + type: string + visibility: + description: '**Technical Preview; added in 9.4.0.** Updated visibility setting: `public` (any privileged user can read/write), `shared` (any privileged user can read, only owner can write), `private` (only owner can read/write).' 
+ enum: + - public + - shared + - private + type: string responses: '200': content: application/json: - schema: - type: object - properties: - deleted: - description: >- - True if the record was deleted or false if the record did - not exist. - type: boolean - record: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord - description: The deleted record if it existed. - required: - - deleted - description: Successful response - '400': - description: Invalid request - summary: Delete an asset criticality record + examples: + updateAgentResponseExample: + description: Example response returning the agent definition with the changes applied from the request + value: + avatar_color: '#BFDBFF' + avatar_symbol: SI + configuration: + instructions: You are a custom agent that wants to help searching data using all indices starting with prefix "content-". + tools: + - tool_ids: + - platform.core.search + - platform.core.list_indices + - platform.core.get_index_mapping + - platform.core.get_document_by_id + description: Updated description - Search for anything in "content-*" indices! 
+ id: created-agent-id + labels: + - custom-indices + - department-search + - elastic-employees + name: Search Index Helper + type: chat + description: Indicates a successful response + summary: Update an agent tags: - - Security Entity Analytics API + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X PUT "${KIBANA_URL}/api/agent_builder/agents/{id}" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "name": "Search Index Helper", + "description": "Updated description - Search for anything in \"content-*\" indices!", + "labels": ["custom-indices", "department-search", "elastic-employees"], + "avatar_color": "#BFDBFF", + "avatar_symbol": "SI", + "configuration": { + "instructions": "You are a custom agent that wants to help searching data using all indices starting with prefix \"content-\".", + "tools": [{ + "tool_ids": [ + "platform.core.search", + "platform.core.list_indices", + "platform.core.get_index_mapping", + "platform.core.get_document_by_id" + ] + }] + } + }' + - lang: Console + source: | + PUT kbn://api/agent_builder/agents/{id} + { + "name": "Search Index Helper", + "description": "Updated description - Search for anything in \"content-*\" indices!", + "labels": ["custom-indices", "department-search", "elastic-employees"], + "avatar_color": "#BFDBFF", + "avatar_symbol": "SI", + "configuration": { + "instructions": "You are a custom agent that wants to help searching data using all indices starting with prefix \"content-\".", + "tools": [{ + "tool_ids": [ + "platform.core.search", + "platform.core.list_indices", + "platform.core.get_index_mapping", + "platform.core.get_document_by_id" + ] + }] + } + } + x-state: '' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/agent_builder/agents/{id}/acl: get: - description: Get the asset criticality record for a specific entity. 
- operationId: GetAssetCriticalityRecord + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/agent_builder/agents/{id}/acl
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the access control list (ACL) for a specific agent. Callers without permission to manage the ACL receive `can_manage: false` and an empty `entries` list — the principal list itself is sensitive. To learn more about agents, refer to the [agents documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/agent-builder-agents).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-agents-id-acl parameters: - - description: The ID value of the asset. - example: my_host - in: query - name: id_value + - description: The unique identifier of the agent whose ACL to retrieve. + in: path + name: id required: true schema: type: string - - description: The field representing the ID. - example: host.name - in: query - name: id_field - required: true - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_IdField' responses: '200': content: application/json: - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord - description: Successful response - '400': - description: Invalid request + examples: + getAgentAclMaskedResponseExample: + description: Example response for a caller without manage permission — the principal list is hidden and `entries` is always empty. + value: + acl: + entries: [] + can_manage: false + getAgentAclResponseExample: + description: Example response for a caller who can manage the ACL — the agent has two grantees. + value: + acl: + entries: + - name: alice + role: editor + type: user + - name: bob + role: user + type: user + can_manage: true + description: Indicates a successful response '404': - description: Criticality record not found - summary: Get an asset criticality record + content: + application/json: + examples: + agentNotFoundResponseExample: + value: + attributes: + trace_id: 8d4f2a3b-1c5e-4a9b-9f0d-2e6c1a3d4f5e + error: Not Found + message: Agent custom-agent-id not found + statusCode: 404 + description: Not Found — no agent with this ID is visible to the caller. Matches the existing `agentNotFound` shape, so unprivileged callers cannot probe for hidden agents. + summary: Get an agent's access control list tags: - - Security Entity Analytics API - post: - description: > - Create or update an asset criticality record for a specific entity. 
+ - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/agent_builder/agents/{id}/acl" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/agent_builder/agents/{id}/acl + x-state: '' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** +
put /s/{space_id}/api/agent_builder/agents/{id}/acl
- If a record already exists for the specified entity, that record is - overwritten with the specified value. If a record doesn't exist for the - specified entity, a new record is created. - operationId: CreateAssetCriticalityRecord - requestBody: - content: - application/json: - schema: - allOf: - - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_CreateAssetCriticalityRecord - - type: object - properties: - refresh: - description: >- - If 'wait_for' the request will wait for the index - refresh. - enum: - - wait_for - type: string - example: - criticality_level: high_impact - id_field: host.name - id_value: my_host - required: true - responses: - '200': - content: - application/json: - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord - description: Successful response - '400': - description: Invalid request - summary: Upsert an asset criticality record - tags: - - Security Entity Analytics API - /api/asset_criticality/bulk: - post: - description: > - Bulk upsert up to 1000 asset criticality records. - + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - If asset criticality records already exist for the specified entities, - those records are overwritten with the specified values. If asset - criticality records don't exist for the specified entities, new records - are created. - operationId: BulkUpsertAssetCriticalityRecords + Replace the per-agent access control list (ACL). The agent owner, cluster admins, and anyone the ACL grants Editor or higher can call this endpoint (or anyone with `manageAgents` on a Public agent). Each call replaces the entire entries list — the most recent successful update wins. To learn more about agents, refer to the [agents documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/agent-builder-agents).

[Required authorization] Route required privileges: agentBuilder:manageAgents. + operationId: put-agent-builder-agents-id-acl + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The unique identifier of the agent whose ACL to update. + in: path + name: id + required: true + schema: + type: string requestBody: content: application/json: + examples: + clearAgentAclRequestExample: + description: Submit an empty entries list to remove all ACL grants. Access then falls back to the agent's visibility setting. + value: + entries: [] + updateAgentAclRequestExample: + description: Example request granting two users access to the agent — Alice as Editor (can update the agent and its ACL), Bob as User (can run the agent). + value: + entries: + - name: alice + role: editor + type: user + - name: bob + role: user + type: user schema: - example: - records: - - criticality_level: low_impact - id_field: host.name - id_value: host-1 - - criticality_level: medium_impact - id_field: host.name - id_value: host-2 + additionalProperties: false type: object properties: - records: + entries: + description: Access control entries to apply to the agent. Each entry has a `type` (currently only `user` is supported; role-based grants are planned for a future release), a `name` (the principal username), and a `role`. Submitting this field replaces the existing ACL entirely; submit an empty array to clear all grants. 
items: - allOf: - - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordIdParts - - type: object - properties: - criticality_level: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevelsForBulkUpload - required: - - criticality_level - maxItems: 1000 - minItems: 1 + additionalProperties: false + type: object + properties: + name: + description: Case-sensitive Kibana username of the principal to grant access to. + maxLength: 1024 + minLength: 1 + type: string + role: + description: 'Role granted to the principal. Roles are hierarchical: `user` allows viewing, listing, reading, and running the agent; `editor` adds updating the agent and its ACL; `manager` adds deleting the agent and changing visibility.' + enum: + - user + - editor + - manager + type: string + type: + enum: + - user + type: string + required: + - type + - name + - role + maxItems: 100 type: array required: - - records + - entries responses: '200': content: application/json: - schema: - example: - errors: - - index: 0 - message: Invalid ID field - stats: - failed: 1 - successful: 1 - total: 2 - type: object - properties: - errors: - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityBulkUploadErrorItem - type: array - stats: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityBulkUploadStats - required: - - errors - - stats - description: Bulk upload successful - '413': - description: File too large - summary: Bulk upsert asset criticality records + examples: + updateAgentAclResponseExample: + description: Example response returning the persisted ACL after the update. 
+ value: + entries: + - name: alice + role: editor + type: user + - name: bob + role: user + type: user + description: Indicates a successful response + '400': + content: + application/json: + examples: + aclOnDefaultAgentResponseExample: + description: The built-in Elastic default agent (`elastic-ai-agent`) cannot have a custom ACL — its access is governed by the platform, not per-agent grants. + value: + attributes: + trace_id: 8d4f2a3b-1c5e-4a9b-9f0d-2e6c1a3d4f5e + error: Bad Request + message: The default agent (elastic-ai-agent) does not support custom access controls. + statusCode: 400 + tooManyEntriesResponseExample: + description: Request body exceeds the 100-entry maximum. + value: + error: Bad Request + message: '[request body.entries]: array size is [101], but cannot be greater than [100]' + statusCode: 400 + description: Bad Request — the request body failed validation, or the request targets the built-in Elastic default agent (which cannot have an ACL). + '404': + content: + application/json: + examples: + agentNotFoundResponseExample: + value: + attributes: + trace_id: 8d4f2a3b-1c5e-4a9b-9f0d-2e6c1a3d4f5e + error: Not Found + message: Agent custom-agent-id not found + statusCode: 404 + description: Not Found — no agent with this ID is visible to the caller, or the caller lacks write access. Matches the existing `agentNotFound` shape so unprivileged callers cannot probe for hidden agents. 
+ summary: Update an agent's access control list tags: - - Security Entity Analytics API - /api/asset_criticality/list: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X PUT "${KIBANA_URL}/api/agent_builder/agents/{id}/acl" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "entries": [ + { "type": "user", "name": "alice", "role": "editor" }, + { "type": "user", "name": "bob", "role": "user" } + ] + }' + - lang: Console + source: | + PUT kbn://api/agent_builder/agents/{id}/acl + { + "entries": [ + { "type": "user", "name": "alice", "role": "editor" }, + { "type": "user", "name": "bob", "role": "user" } + ] + } + x-state: '' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/agent_builder/conversations: get: - description: List asset criticality records, paging, sorting and filtering as needed. - operationId: FindAssetCriticalityRecords + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/agent_builder/conversations
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all conversations for a user. Use the optional agent ID to filter conversations by a specific agent. To learn more about agent conversations, refer to the [agent chat documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/chat).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-conversations parameters: - - description: The field to sort by. + - description: Optional agent ID to filter conversations by a specific agent. in: query - name: sort_field + name: agent_id required: false schema: - enum: - - id_value - - id_field - - criticality_level - - '@timestamp' type: string - - description: The order to sort by. - in: query - name: sort_direction - required: false + responses: + '200': + content: + application/json: + examples: + listConversationsResponseExample: + description: Example response containing the list of conversations with all agents + value: + results: + - agent_id: elastic-ai-agent + created_at: '2025-09-19T17:45:39.554Z' + id: bcc176c5-38f6-40be-be0c-898e34fa1480 + title: General Greeting + updated_at: '2025-09-19T17:45:39.554Z' + user: + username: elastic + description: Indicates a successful response + summary: List conversations + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/agent_builder/conversations" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/agent_builder/conversations + x-state: '' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/agent_builder/conversations/{conversation_id}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/agent_builder/conversations/{conversation_id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a conversation by ID. This action cannot be undone. To learn more about agent conversations, refer to the [agent chat documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/chat).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: delete-agent-builder-conversations-conversation-id + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - enum: - - asc - - desc + example: 'true' type: string - - description: The page number to return. - in: query - name: page - required: false + - description: The unique identifier of the conversation to delete. + in: path + name: conversation_id + required: true schema: - minimum: 1 - type: integer - - description: The number of records to return per page. - in: query - name: per_page - required: false + type: string + responses: + '200': + content: + application/json: + examples: + deleteConversationResponseExample: + description: Example response showing that deletion of conversation has been successful + value: + success: true + description: Indicates a successful response + summary: Delete conversation by ID + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X DELETE "${KIBANA_URL}/api/agent_builder/conversations/{conversation_id}" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" + - lang: Console + source: | + DELETE kbn://api/agent_builder/conversations/{conversation_id} + x-state: '' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/agent_builder/conversations/{conversation_id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a specific conversation by ID. Use this endpoint to retrieve the complete conversation history including all messages and metadata. To learn more about agent conversations, refer to the [agent chat documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/chat).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-conversations-conversation-id + parameters: + - description: The unique identifier of the conversation to retrieve. + in: path + name: conversation_id + required: true schema: - maximum: 1000 - minimum: 1 - type: integer - - description: The kuery to filter by. + type: string + responses: + '200': + content: + application/json: + examples: + getConversationByIdResponseExample: + description: Example response containing the contents of a convesation with the chat agent + value: + agent_id: elastic-ai-agent + created_at: '2025-09-19T17:45:39.554Z' + id: bcc176c5-38f6-40be-be0c-898e34fa1480 + rounds: + - id: 170ec3b2-0f5a-4538-8b60-549572386d2a + input: + message: Hello, how are you? + response: + message: |- + Since this is a general greeting that doesn't require any organizational or product-specific information, I can respond without using tools. + + Hello! I'm doing well, thank you for asking. I'm here to help you with any questions you may have. How can I assist you today? + steps: [] + title: General Greeting + updated_at: '2025-09-19T17:45:39.554Z' + user: + username: elastic + description: Indicates a successful response + summary: Get conversation by ID + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/agent_builder/conversations/{conversation_id}" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/agent_builder/conversations/{conversation_id} + x-state: '' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/agent_builder/conversations/{conversation_id}/attachments: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all attachments for a conversation. Use the optional include_deleted query parameter to include soft-deleted attachments.

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-conversations-conversation-id-attachments + parameters: + - description: The unique identifier of the conversation. + in: path + name: conversation_id + required: true + schema: + type: string + - description: Whether to include deleted attachments in the list. in: query - name: kuery + name: include_deleted required: false schema: - type: string + type: boolean responses: '200': content: application/json: - schema: - example: - page: 1 - per_page: 10 - records: - - '@timestamp': '2024-08-02T14:40:35.705Z' - asset: - criticality: medium_impact - criticality_level: medium_impact - host: - asset: - criticality: medium_impact - name: my_other_host - id_field: host.name - id_value: my_other_host - - '@timestamp': '2024-08-02T11:15:34.290Z' - asset: - criticality: high_impact - criticality_level: high_impact - host: - asset: - criticality: high_impact - name: my_host - id_field: host.name - id_value: my_host - total: 2 - type: object - properties: - page: - minimum: 1 - type: integer - per_page: - maximum: 1000 - minimum: 1 - type: integer - records: - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord - type: array - total: - minimum: 0 - type: integer - required: - - records - - page - - per_page - - total - description: Successfully retrieved asset criticality records - summary: List asset criticality records + examples: + listAttachmentsResponseExample: + description: Example response containing active attachments for a conversation + value: + results: + - active: true + current_version: 2 + description: My text file + id: attachment-1 + type: text + versions: + - content_hash: abc123 + created_at: '2025-01-01T10:00:00.000Z' + data: Initial content + estimated_tokens: 3 + version: 1 + - content_hash: def456 + created_at: '2025-01-01T11:00:00.000Z' + data: Updated content + estimated_tokens: 3 + version: 2 + - active: true 
+ current_version: 1 + description: Configuration data + id: attachment-2 + type: json + versions: + - content_hash: ghi789 + created_at: '2025-01-01T12:00:00.000Z' + data: + key: value + nested: + field: 123 + estimated_tokens: 15 + version: 1 + total_token_estimate: 21 + description: Indicates a successful response + summary: List conversation attachments tags: - - Security Entity Analytics API - /api/attack_discovery/_bulk: + - agent builder + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name post: - description: >- - Performs bulk updates on multiple Attack discoveries, including workflow - status changes and visibility settings. This endpoint allows efficient - batch processing of alert modifications without requiring individual API - calls for each alert. - operationId: PostAttackDiscoveryBulk + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new attachment for a conversation with version tracking.

[Required authorization] Route required privileges: agentBuilder:read. + operationId: post-agent-builder-conversations-conversation-id-attachments + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The unique identifier of the conversation. + in: path + name: conversation_id + required: true + schema: + type: string requestBody: content: application/json: examples: - PostAttackDiscoveryBulkRequestBodyExample: - summary: Acknowledge two Attack discoveries in bulk. + createHiddenAttachmentExample: + description: Example request for creating a hidden attachment value: - update: - enable_field_rendering: false - ids: - - >- - c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f - - >- - 5aa8f2900c0b03854b3b1a52a19558c5ea9893865c78235d4ad3dcc46196f4c7 - kibana_alert_workflow_status: acknowledged - with_replacements: true + data: Internal system data + description: System context + hidden: true + type: text + createJsonAttachmentExample: + description: Example request for creating a JSON attachment with custom ID + value: + data: + configuration: + enabled: true + threshold: 50 + metadata: + source: user_input + description: Application settings + id: custom-attachment-id + type: json + createTextAttachmentExample: + description: Example request for creating a text attachment + value: + data: This is the content of my text attachment + description: Meeting notes + type: text schema: + additionalProperties: false type: object properties: - update: - description: >- - Configuration object containing all parameters for the bulk - update operation - type: object - properties: - enable_field_rendering: - default: false - description: >- - Enables a markdown syntax used to render pivot fields, - for example `{{ user.name james }}`. When disabled, the - same example would be rendered as `james`. 
This is - primarily used for Attack Discovery views within Kibana. - Defaults to `false`. - example: false - type: boolean - ids: - description: Array of Attack Discovery IDs to update - example: - - >- - c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f - - >- - 5aa8f2900c0b03854b3b1a52a19558c5ea9893865c78235d4ad3dcc46196f4c7 - items: - type: string - type: array - kibana_alert_workflow_status: - description: >- - When provided, update the kibana.alert.workflow_status - of the attack discovery alerts - enum: - - open - - acknowledged - - closed - example: acknowledged - type: string - visibility: - description: >- - When provided, update the visibility of the alert, as - determined by the kibana.alert.attack_discovery.users - field - enum: - - not_shared - - shared - example: shared - type: string - with_replacements: - default: true - description: >- - When true, returns the updated Attack discoveries with - text replacements applied to the detailsMarkdown, - entitySummaryMarkdown, summaryMarkdown, and title - fields. This substitutes anonymized values with - human-readable equivalents. Defaults to `true`. - example: true - type: boolean - required: - - ids + data: + description: The attachment data/content. Required unless origin is provided. + nullable: true + description: + description: Human-readable description of the attachment. + type: string + hidden: + description: Whether the attachment should be hidden from the user. + type: boolean + id: + description: Optional custom ID for the attachment. + type: string + origin: + description: Origin string (for example, saved object ID) for by-reference attachments. When provided without data, the content is resolved once at creation time. + type: string + type: + description: The type of the attachment (e.g., text, esql, visualization). 
+ type: string required: - - update - description: Bulk update parameters for Attack discoveries - required: true + - type + - data responses: '200': content: application/json: examples: - PostAttackDiscoveryBulkResponse200Example: - summary: >- - A successful bulk update response containing the modified - Attack discoveries. - value: - data: - - alert_ids: - - alert-abc-1 - alert_workflow_status: acknowledged - connector_id: gen-ai-connector - connector_name: OpenAI GPT-4 - details_markdown: >- - - **Host** `workstation-01` showed credential access - patterns consistent with mimikatz. - generation_uuid: 550e8400-e29b-41d4-a716-446655440000 - id: >- - c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f - summary_markdown: >- - A user account was compromised using mimikatz to dump - credentials. - timestamp: '2024-01-15T10:00:00.000Z' - title: Credential theft via mimikatz - schema: - type: object - properties: - data: - description: >- - Array of updated Attack Discovery alert objects. Each item - includes the applied modifications from the bulk update - request. - items: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiAlert - type: array - required: - - data - description: Indicates a successful call. - '400': - content: - application/json: - examples: - PostAttackDiscoveryBulkResponse400Example: - summary: >- - Bad Request error returned when the bulk update payload is - invalid. + createAttachmentResponseExample: + description: Example response returning the created attachment value: - error: Bad Request - message: Invalid request parameters. - status_code: 400 - schema: - type: object - properties: - error: - description: Error type - example: Bad Request - type: string - message: - description: >- - Human-readable error message describing what went wrong - with the bulk update request - example: Invalid request parameters. 
- type: string - status_code: - description: HTTP status code - example: 400 - type: number - required: - - status_code - - error - - message - description: Bad Request response. - summary: Bulk update Attack discoveries + attachment: + active: true + current_version: 1 + description: Meeting notes + id: att-abc123 + type: text + versions: + - content_hash: sha256-xyz + created_at: '2025-01-06T10:00:00.000Z' + data: This is the content of my text attachment + estimated_tokens: 12 + version: 1 + description: Indicates a successful response + summary: Create conversation attachment tags: - - Security Attack discovery API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request POST 'http://localhost:5601/api/attack_discovery/_bulk' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" \ - --data-raw '{ - "update": { - "ids": [ - "c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f", - "5aa8f2900c0b03854b3b1a52a19558c5ea9893865c78235d4ad3dcc46196f4c7" - ], - "kibana_alert_workflow_status": "acknowledged" - } - }' - /api/attack_discovery/_find: - get: - description: >- - Find Attack discoveries that match the search criteria. Supports free - text search, filtering, pagination, and sorting. - operationId: AttackDiscoveryFind + - agent builder + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete an attachment. By default performs a soft delete (can be restored). Use permanent=true to permanently remove unreferenced attachments.

[Required authorization] Route required privileges: agentBuilder:read. + operationId: delete-agent-builder-conversations-conversation-id-attachments-attachment-id parameters: - - description: >- - Filter results to Attack discoveries that include any of the - provided alert IDs - in: query - name: alert_ids - required: false - schema: - items: - type: string - type: array - - description: >- - Filter results to Attack discoveries created by any of the provided - human readable connector names. Note that values must match the - human readable `connector_name` property of an Attack discovery, - e.g. "GPT-5 Chat", which are distinct from `connector_id` values - used to generate Attack discoveries. - in: query - name: connector_names - required: false + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - items: - type: string - type: array - - description: >- - Enables a markdown syntax used to render pivot fields, for example - `{{ user.name james }}`. When disabled, the same example would be - rendered as `james`. This is primarily used for Attack Discovery - views within Kibana. Defaults to `false`. - example: false - in: query - name: enable_field_rendering - required: false + example: 'true' + type: string + - description: The unique identifier of the conversation. + in: path + name: conversation_id + required: true schema: - default: false - type: boolean - - description: >- - End of the time range for the search. Accepts absolute timestamps - (ISO 8601) or relative date math (e.g. "now", "now-24h"). - example: now - in: query - name: end - required: false + type: string + - description: The unique identifier of the attachment to delete. + in: path + name: attachment_id + required: true schema: type: string - - description: Filter results to the Attack discoveries with the specified IDs + - description: If true, permanently removes the attachment (only for unreferenced attachments). 
in: query - name: ids - required: false - schema: - items: - type: string - type: array - - description: >- - If `true`, the response will include `unique_alert_ids` and - `unique_alert_ids_count` aggregated across the matched Attack - discoveries - example: false - in: query - name: include_unique_alert_ids + name: permanent required: false schema: type: boolean - - description: Page number to return (used for pagination). Defaults to 1. - example: 1 - in: query - name: page - required: false - schema: - default: 1 - minimum: 1 - type: integer - - description: >- - Number of Attack discoveries to return per page (used for - pagination). Defaults to 10. - example: 10 - in: query - name: per_page - required: false - schema: - default: 10 - minimum: 1 - type: integer - - description: >- - Free-text search query applied to relevant text fields of Attack - discoveries (title, description, tags, etc.) - example: '' - in: query - name: search - required: false + responses: + '200': + content: + application/json: + examples: + permanentDeleteAttachmentResponseExample: + description: Example response for permanent delete (cannot be restored) + value: + permanent: true + success: true + softDeleteAttachmentResponseExample: + description: Example response for soft delete (can be restored) + value: + permanent: false + success: true + description: Indicates a successful response + summary: Delete conversation attachment + tags: + - agent builder + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + patch: + description: |- + **Spaces method and path for this operation:** + +
patch /s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Rename an attachment without creating a new version.

[Required authorization] Route required privileges: agentBuilder:read. + operationId: patch-agent-builder-conversations-conversation-id-attachments-attachment-id + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: + example: 'true' type: string - - description: >- - Whether to filter by shared visibility. If omitted, both shared and - privately visible Attack discoveries are returned. Use `true` to - return only shared discoveries, `false` to return only those visible - to the current user. - in: query - name: shared - required: false - schema: - type: boolean - - description: >- - Whether to filter by scheduled or ad-hoc attack discoveries. If - omitted, both types of attack discoveries are returned. Use `true` - to return only scheduled discoveries or `false` to return only - ad-hoc discoveries. - in: query - name: scheduled - required: false - schema: - type: boolean - - description: >- - Field used to sort results. See `AttackDiscoveryFindSortField` for - allowed values. - example: '@timestamp' - in: query - name: sort_field - required: false + - description: The unique identifier of the conversation. + in: path + name: conversation_id + required: true schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryFindSortField - default: '@timestamp' - - description: >- - Sort order direction `asc` for ascending or `desc` for descending. - Defaults to `desc`. - example: desc - in: query - name: sort_order - required: false + type: string + - description: The unique identifier of the attachment to rename. + in: path + name: attachment_id + required: true schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_SortOrder' - default: desc - - description: >- - Start of the time range for the search. Accepts absolute timestamps - (ISO 8601) or relative date math (e.g. "now-7d"). 
- example: now-24h - in: query - name: start - required: false + type: string + requestBody: + content: + application/json: + examples: + renameAttachmentExample: + description: Example request for renaming an attachment + value: + description: Updated attachment name + schema: + additionalProperties: false + type: object + properties: + description: + description: The new description/name for the attachment. + type: string + required: + - description + responses: + '200': + content: + application/json: + examples: + renameAttachmentResponseExample: + description: Example response returning the renamed attachment (version unchanged) + value: + attachment: + active: true + current_version: 1 + description: Updated attachment name + id: att-abc123 + type: text + versions: + - content_hash: sha256-xyz + created_at: '2025-01-06T10:00:00.000Z' + data: Content remains the same + estimated_tokens: 10 + version: 1 + success: true + description: Indicates a successful response + summary: Rename attachment + tags: + - agent builder + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an attachment content. Creates a new version if content changed.

[Required authorization] Route required privileges: agentBuilder:read. + operationId: put-agent-builder-conversations-conversation-id-attachments-attachment-id + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: + example: 'true' type: string - - description: >- - Filter by alert workflow status. Provide one or more of the allowed - workflow states. - example: - - open - - acknowledged - in: query - name: status - required: false + - description: The unique identifier of the conversation. + in: path + name: conversation_id + required: true schema: - items: - enum: - - acknowledged - - closed - - open - type: string - type: array - - description: >- - When true, return the created Attack discoveries with text - replacements applied to the detailsMarkdown, entitySummaryMarkdown, - summaryMarkdown, and title fields. Defaults to `true`. - example: true - in: query - name: with_replacements - required: false + type: string + - description: The unique identifier of the attachment to update. + in: path + name: attachment_id + required: true schema: - default: true - type: boolean + type: string + requestBody: + content: + application/json: + examples: + updateAttachmentContentExample: + description: Example request for updating attachment content + value: + data: This is the updated content + updateAttachmentWithDescriptionExample: + description: Example request for updating both content and description + value: + data: New content version + description: Updated meeting notes - v2 + schema: + additionalProperties: false + type: object + properties: + data: + description: The new attachment data/content. + nullable: true + description: + description: Optional new description for the attachment. 
+ type: string + required: + - data responses: '200': content: application/json: examples: - AttackDiscoveryFindResponse200Example: - summary: >- - Paginated list of Attack discoveries matching the search - criteria. + updateAttachmentResponseExample: + description: Example response returning the updated attachment with new version value: - connector_names: - - GPT-5 Chat - data: - - connector_name: GPT-5 Chat - id: >- - c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f - title: Suspicious process execution on host-01 - page: 1 - per_page: 10 - total: 1 - unique_alert_ids_count: 0 - schema: - type: object - properties: - connector_names: - description: >- - List of human readable connector names that are present in - the matched Attack discoveries. Useful for building client - filters or summaries. - items: - type: string - type: array - data: - description: >- - Array of matched Attack discovery objects. Each item - follows the `AttackDiscoveryApiAlert` schema. - items: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiAlert - type: array - page: - description: Current page number of the paginated result set. - type: integer - per_page: - description: Number of items requested per page. - type: integer - total: - description: >- - Total number of Attack discoveries matching the query - (across all pages). - type: integer - unique_alert_ids: - description: >- - List of unique alert IDs aggregated from the matched - Attack discoveries. Only present if - `include_unique_alert_ids=true` in the request. - items: - type: string - type: array - unique_alert_ids_count: - description: >- - Number of unique alert IDs across all matched Attack - discoveries. Only present if - `include_unique_alert_ids=true` in the request. - type: integer - required: - - connector_names - - data - - page - - per_page - - total - - unique_alert_ids_count - description: Indicates a successful call. 
- '400': + attachment: + active: true + current_version: 2 + description: Meeting notes + id: att-abc123 + type: text + versions: + - content_hash: sha256-abc + created_at: '2025-01-06T10:00:00.000Z' + data: Original content + estimated_tokens: 10 + version: 1 + - content_hash: sha256-def + created_at: '2025-01-06T11:00:00.000Z' + data: This is the updated content + estimated_tokens: 12 + version: 2 + new_version: 2 + description: Indicates a successful response + summary: Update conversation attachment + tags: + - agent builder + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}/_restore: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}/_restore
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Restore a soft-deleted attachment.

[Required authorization] Route required privileges: agentBuilder:read. + operationId: post-agent-builder-conversations-conversation-id-attachments-attachment-id-restore + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The unique identifier of the conversation. + in: path + name: conversation_id + required: true + schema: + type: string + - description: The unique identifier of the attachment to restore. + in: path + name: attachment_id + required: true + schema: + type: string + responses: + '200': content: application/json: examples: - AttackDiscoveryFindResponse400Example: - summary: >- - Bad Request error returned when find query parameters are - invalid. + restoreAttachmentResponseExample: + description: Example response returning the restored attachment value: - error: Bad Request - message: Invalid request payload. - status_code: 400 - schema: - type: object - properties: - error: - description: Error type - example: Bad Request - type: string - message: - description: Human-readable error message - example: Invalid request payload. - type: string - status_code: - description: HTTP status code - example: 400 - type: number - description: Bad Request response. 
- summary: Find Attack discoveries that match the search criteria + attachment: + active: true + current_version: 1 + description: Restored attachment + id: att-abc123 + type: text + versions: + - content_hash: sha256-xyz + created_at: '2025-01-06T10:00:00.000Z' + data: Restored content + estimated_tokens: 10 + version: 1 + success: true + description: Indicates a successful response + summary: Restore deleted attachment tags: - - Security Attack discovery API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request GET 'http://localhost:5601/api/attack_discovery/_find?end=now&include_unique_alert_ids=false&page=1&per_page=10&search=&sort_field=%40timestamp&sort_order=desc&start=now-24h&status=open&status=acknowledged' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" - /api/attack_discovery/_generate: - post: - description: >- - Initiates the generation of attack discoveries by analyzing security - alerts using AI. Returns an execution UUID that can be used to track the - generation progress and retrieve results. Results may also be retrieved - via the find endpoint. - operationId: PostAttackDiscoveryGenerate + - agent builder + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}/origin: + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}/origin
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update the origin reference for an attachment. Use this after saving a by-value attachment to link it to its persistent store.

[Required authorization] Route required privileges: agentBuilder:read. + operationId: put-agent-builder-conversations-conversation-id-attachments-attachment-id-origin + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The unique identifier of the conversation. + in: path + name: conversation_id + required: true + schema: + type: string + - description: The unique identifier of the attachment to update. + in: path + name: attachment_id + required: true + schema: + type: string requestBody: content: application/json: examples: - PostAttackDiscoveryGenerateRequestBodyExample: - summary: Generate Attack discoveries from alerts in the last 24 hours. + updateOriginExample: + description: Example request for linking an attachment to a saved visualization value: - alertsIndexPattern: .alerts-security.alerts-default - anonymizationFields: - - allowed: true - anonymized: true - field: host.name - - allowed: true - anonymized: true - field: user.name - - allowed: true - anonymized: false - field: process.name - apiConfig: - actionTypeId: .gen-ai - connectorId: 12345678-1234-1234-1234-123456789012 - connectorName: GPT-5 Chat - end: now - replacements: {} - size: 100 - start: now-24h - subAction: invokeAI + origin: abc123 schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenerationConfig - required: true + additionalProperties: false + type: object + properties: + origin: + description: The origin string (e.g., saved object ID for visualizations and dashboards). + type: string + required: + - origin responses: '200': content: application/json: examples: - PostAttackDiscoveryGenerateResponse200Example: - summary: >- - Generation started; use the returned execution UUID to track - progress. 
+ updateOriginResponseExample: + description: Example response returning the attachment with updated origin value: - execution_uuid: edd26039-0990-4d9f-9829-2a1fcacb77b5 - schema: - type: object - properties: - execution_uuid: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_NonEmptyString - description: >- - The unique identifier for the attack discovery generation - process. Use this UUID to track the generation progress - and retrieve results via the find endpoint. - example: edd26039-0990-4d9f-9829-2a1fcacb77b5 - required: - - execution_uuid - description: Indicates a successful call. - '400': + attachment: + active: true + current_version: 1 + description: Sales chart + id: att-123 + origin: abc123 + type: visualization + versions: + - content_hash: sha256-xyz + created_at: '2025-01-06T10:00:00.000Z' + data: + chart_type: bar + esql: FROM sales | STATS count=COUNT(*) BY month + query: Show monthly sales + visualization: {} + estimated_tokens: 50 + version: 1 + success: true + description: Indicates a successful response + summary: Update attachment origin + tags: + - agent builder + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/agent_builder/conversations/{conversation_id}/attachments/stale: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments/stale
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Checks staleness for the latest version of all conversation attachments against their origin snapshot.

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-conversations-conversation-id-attachments-stale + parameters: + - description: The unique identifier of the conversation. + in: path + name: conversation_id + required: true + schema: + type: string + responses: + '200': content: application/json: examples: - PostAttackDiscoveryGenerateResponse400Example: - summary: >- - Bad Request error returned when the generate payload is - invalid. + checkStaleAttachmentsResponseExample: + description: 'Mixed conversation: attachments without a stale source return only id and is_stale. When a staleness check fails for one attachment, is_stale is false and an error explains why. When an origin-backed attachment is out of date, the response includes type, origin, and resolved data (here a simple text body) for resync.' + value: + attachments: + - id: att-text-meeting-notes + is_stale: false + - id: att-lens-active-users + is_stale: false + - error: Origin could not be resolved + id: att-query-attachment + is_stale: false + - data: This is the content of my text attachment + hidden: false + id: att-text-runbook + is_stale: true + origin: document:hr-onboarding-v2 + type: text + description: Indicates a successful response + summary: Check attachment staleness + tags: + - agent builder + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/agent_builder/converse: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/agent_builder/converse
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Send a message to an agent and receive a complete response. This synchronous endpoint waits for the agent to fully process your request before returning the final result. Use this for simple chat interactions where you need the complete response. To learn more about agent chat, refer to the [agent chat documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/chat).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: post-agent-builder-converse + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + converseRequestExample: + description: Example request to send a message to the agent as a part of the conversation + value: + agent_id: elastic-ai-agent + connector_id: my-connector-id + input: What is Elasticsearch? + converseRequestInferenceExample: + description: Example using inference_id (mutually exclusive with connector_id) + value: + agent_id: elastic-ai-agent + inference_id: my-inference-endpoint-id + input: What is Elasticsearch? + schema: + additionalProperties: false + type: object + properties: + _execution_mode: + description: '**Experimental; added in 9.4.0.** define how to execute the agent (local execution or via task_manager)' + enum: + - local + - task_manager + type: string + action: + description: The action to perform. "regenerate" re-executes the last round with the original input. Requires conversation_id. + enum: + - regenerate + type: string + agent_id: + default: elastic-ai-agent + description: The ID of the agent to chat with. Defaults to the default Elastic AI agent. + type: string + attachments: + description: '**Technical Preview; added in 9.3.0.** Optional attachments to send with the message.' + items: + additionalProperties: false + type: object + properties: + data: + additionalProperties: + nullable: true + description: Payload of the attachment. Required unless `origin` is provided (content is resolved once at send time). + type: object + hidden: + description: When true, the attachment will not be displayed in the UI. + type: boolean + id: + description: Optional id for the attachment. 
+ type: string + origin: + description: Origin string (for example, saved object ID) for by-reference attachments. When provided without `data`, the content is resolved once using the attachment type’s `resolve` hook. + type: string + type: + description: Type of the attachment. + type: string + required: + - type + type: array + browser_api_tools: + description: Optional browser API tools to be registered as LLM tools with browser.* namespace. These tools execute on the client side. + items: + additionalProperties: false + type: object + properties: + description: + description: Description of what the browser API tool does. + type: string + id: + description: Unique identifier for the browser API tool. + type: string + schema: + description: JSON Schema defining the tool parameters (JsonSchema7Type). + nullable: true + required: + - id + - description + - schema + type: array + capabilities: + additionalProperties: false + description: Controls agent capabilities during conversation. Currently supports visualization rendering for tabular tool results. + type: object + properties: + visualizations: + description: When true, allows the agent to render tabular data from tool results as interactive visualizations using custom XML elements in responses. + type: boolean + configuration_overrides: + additionalProperties: false + description: Runtime configuration overrides. These override the stored agent configuration for this execution only. + type: object + properties: + instructions: + description: Custom instructions for the agent. + type: string + tools: + description: Tool selection to enable for this execution. + items: + additionalProperties: false + type: object + properties: + tool_ids: + items: + type: string + type: array + required: + - tool_ids + type: array + connector_id: + description: Optional connector ID for the agent to use for model routing. Mutually exclusive with `inference_id`; omit or use only one. 
+ nullable: true + type: string + conversation_id: + description: Optional existing conversation ID to continue a previous conversation. + type: string + inference_id: + description: Optional inference endpoint ID for model routing (public alias for the same internal identifier as `connector_id`). Mutually exclusive with `connector_id`. + nullable: true + type: string + input: + description: The user input message to send to the agent. + type: string + prompts: + additionalProperties: + additionalProperties: false + type: object + properties: + allow: + type: boolean + required: + - allow + description: Can be used to respond to a confirmation prompt. + type: object + responses: + '200': + content: + application/json: + examples: + converseResponseExample: + description: Example response containing the chain of events representing a conversation with the agent value: - error: Bad Request - message: Invalid request parameters. - status_code: 400 - schema: - type: object - properties: - error: - description: Error type - example: Bad Request - type: string - message: - description: Human-readable error message describing what went wrong - example: Invalid request parameters. - type: string - status_code: - description: HTTP status code - example: 400 - type: number - required: - - status_code - - error - - message - description: Bad Request response. - summary: Generate attack discoveries from alerts + conversation_id: 696ccd6d-4bff-4b26-a62e-522ccf2dcd16 + response: + message: Elasticsearch is a distributed, RESTful search and analytics engine capable of addressing a growing number of use cases. As the heart of the Elastic Stack, it centrally stores your data for lightning fast search, fine‑tuned relevancy, and powerful analytics that scale with ease. 
+ steps: + - reasoning: Searching for official documentation or content that explains what Elasticsearch is + type: reasoning + - params: + query: what is elasticsearch definition overview introduction + progression: + - message: Selecting the best target for this query + results: + - data: + message: Could not figure out which index to use + type: error + tool_call_id: tooluse_shOdUwKIRwC9YhqGzeg0cQ + tool_id: platform.core.search + type: tool_call + description: Indicates a successful response + summary: Send chat message tags: - - Security Attack discovery API + - agent builder x-codeSamples: - - label: Example request - lang: curl + - lang: curl source: | curl \ - --request POST 'http://localhost:5601/api/attack_discovery/_generate' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" \ - --data '{ - "alertsIndexPattern": ".alerts-security.alerts-default", - "anonymizationFields": [ - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "@timestamp", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "aKiJW5gB4U27o8XO8oLf" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "Ransomware.feature", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "saiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "Ransomware.files.data", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "sqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "Ransomware.files.entropy", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "s6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "Ransomware.files.extension", - "allowed": true, - 
"anonymized": false, - "namespace": "default", - "id": "tKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "Ransomware.files.metrics", - "allowed": true, - "anonymized": false, - "namespace": "default", + -X POST "${KIBANA_URL}/api/agent_builder/converse" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "input": "What is Elasticsearch?", + "agent_id": "elastic-ai-agent"}' + - lang: Console + source: | + POST kbn://api/agent_builder/converse + { + "input": "What is Elasticsearch?", + "agent_id": "elastic-ai-agent" + } + x-state: '' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/agent_builder/converse/async: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/agent_builder/converse/async
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Send a message to an agent and receive real-time streaming events. This asynchronous endpoint provides live updates as the agent processes your request, allowing you to see intermediate steps and progress. Use this for interactive experiences where you want to monitor the agent's thinking process. + + ## Event types + + The endpoint emits Server-Sent Events (SSE) with the following custom event types: + + `conversation_id_set` + + Sets the conversation ID. + + Schema: + ```json + { + "conversation_id": "uuid" + } + ``` + + --- + + `conversation_created` + + Fires when a new conversation is persisted and assigned an ID. + + Schema: + ```json + { + "conversation_id": "uuid", + "title": "conversation title" + } + ``` + + --- + + `conversation_updated` + + Fires when a conversation is updated. + + Schema: + ```json + { + "conversation_id": "uuid", + "title": "updated conversation title" + } + ``` + + --- + + `reasoning` + + Handles reasoning-related data. + + Schema: + ```json + { + "reasoning": "plain text reasoning content", + "transient": false + } + ``` + + --- + + `tool_call` + + Triggers when a tool is invoked. + + Schema: + ```json + { + "tool_call_id": "uuid", + "tool_id": "tool_name", + "params": {} + } + ``` + + --- + + `tool_progress` + + Reports progress of a running tool. + + Schema: + ```json + { + "tool_call_id": "uuid", + "message": "progress message" + } + ``` + + --- + + `tool_result` + + Returns results from a completed tool call. + + Schema: + ```json + { + "tool_call_id": "uuid", + "tool_id": "tool_name", + "results": [] + } + ``` + + **Note:** `results` is an array of `ToolResult` objects. + + --- + + `message_chunk` + + Streams partial text chunks. + + Schema: + ```json + { + "message_id": "uuid", + "text_chunk": "partial text" + } + ``` + + --- + + `message_complete` + + Indicates message stream is finished. 
+ + Schema: + ```json + { + "message_id": "uuid", + "message_content": "full text content of the message" + } + ``` + + --- + + `thinking_complete` + + Marks the end of the thinking/reasoning phase. + + Schema: + ```json + { + "time_to_first_token": 0 + } + ``` + + **Note:** `time_to_first_token` is in milliseconds. + + --- + + `round_complete` + + Marks end of one conversation round. + + Schema: + ```json + { + "round": {} + } + ``` + + **Note:** `round` contains the full round json object. + + --- + + ## Event flow + + A typical conversation round emits events in this sequence: + + 1. `reasoning` (potentially multiple, some transient) + 2. `tool_call` (if tools are used) + 3. `tool_progress` (zero or more progress updates) + 4. `tool_result` (when tool completes) + 5. `thinking_complete` + 6. `message_chunk` (multiple, as text streams) + 7. `message_complete` + 8. `round_complete` + +

[Required authorization] Route required privileges: agentBuilder:read. + operationId: post-agent-builder-converse-async + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + converseAsyncRequestExample: + description: Example request to send a message to the agent as a part of the conversation + value: + agent_id: elastic-ai-agent + conversation_id: c250305b-1929-4248-b568-b9e3f065fda5 + input: Hello + converseAsyncRequestInferenceExample: + description: Example using inference_id (mutually exclusive with connector_id) + value: + agent_id: elastic-ai-agent + inference_id: my-inference-endpoint-id + input: Hello + schema: + additionalProperties: false + type: object + properties: + _execution_mode: + description: '**Experimental; added in 9.4.0.** define how to execute the agent (local execution or via task_manager)' + enum: + - local + - task_manager + type: string + action: + description: The action to perform. "regenerate" re-executes the last round with the original input. Requires conversation_id. + enum: + - regenerate + type: string + agent_id: + default: elastic-ai-agent + description: The ID of the agent to chat with. Defaults to the default Elastic AI agent. + type: string + attachments: + description: '**Technical Preview; added in 9.3.0.** Optional attachments to send with the message.' + items: + additionalProperties: false + type: object + properties: + data: + additionalProperties: + nullable: true + description: Payload of the attachment. Required unless `origin` is provided (content is resolved once at send time). + type: object + hidden: + description: When true, the attachment will not be displayed in the UI. + type: boolean + id: + description: Optional id for the attachment. 
+ type: string + origin: + description: Origin string (for example, saved object ID) for by-reference attachments. When provided without `data`, the content is resolved once using the attachment type’s `resolve` hook. + type: string + type: + description: Type of the attachment. + type: string + required: + - type + type: array + browser_api_tools: + description: Optional browser API tools to be registered as LLM tools with browser.* namespace. These tools execute on the client side. + items: + additionalProperties: false + type: object + properties: + description: + description: Description of what the browser API tool does. + type: string + id: + description: Unique identifier for the browser API tool. + type: string + schema: + description: JSON Schema defining the tool parameters (JsonSchema7Type). + nullable: true + required: + - id + - description + - schema + type: array + capabilities: + additionalProperties: false + description: Controls agent capabilities during conversation. Currently supports visualization rendering for tabular tool results. + type: object + properties: + visualizations: + description: When true, allows the agent to render tabular data from tool results as interactive visualizations using custom XML elements in responses. + type: boolean + configuration_overrides: + additionalProperties: false + description: Runtime configuration overrides. These override the stored agent configuration for this execution only. + type: object + properties: + instructions: + description: Custom instructions for the agent. + type: string + tools: + description: Tool selection to enable for this execution. + items: + additionalProperties: false + type: object + properties: + tool_ids: + items: + type: string + type: array + required: + - tool_ids + type: array + connector_id: + description: Optional connector ID for the agent to use for model routing. Mutually exclusive with `inference_id`; omit or use only one. 
+ nullable: true + type: string + conversation_id: + description: Optional existing conversation ID to continue a previous conversation. + type: string + inference_id: + description: Optional inference endpoint ID for model routing (public alias for the same internal identifier as `connector_id`). Mutually exclusive with `connector_id`. + nullable: true + type: string + input: + description: The user input message to send to the agent. + type: string + prompts: + additionalProperties: + additionalProperties: false + type: object + properties: + allow: + type: boolean + required: + - allow + description: Can be used to respond to a confirmation prompt. + type: object + responses: + '200': + content: + text/event-stream: + examples: + converseAsyncResponseExample: + description: Example stream containing the chain of events representing a conversation with the agent + value: + - data: + data: + conversation_id: c250305b-1929-4248-b568-b9e3f065fda5 + event: conversation_id_set + - data: + data: + reasoning: Starting with a general search to understand what content is available. + event: reasoning + - data: + data: + params: + query: latest documents + tool_call_id: tooluse__2aJELgyRYqD8SDOKSiwtg + tool_id: platform.core.search + event: tool_call + - data: + data: + results: + - data: + message: Could not figure out which index to use + type: error + tool_call_id: tooluse__2aJELgyRYqD8SDOKSiwtg + event: tool_result + - data: + data: + round: + id: a5692d54-bc06-4a6e-aea1-412779c73f66 + input: + message: Hello + response: + message: Hello! How can I help you today? 
+ event: round_complete + description: Indicates a successful response + summary: Send chat message (streaming) + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/agent_builder/converse/async" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "input": "Hello again let us have an async chat", + "agent_id": "elastic-ai-agent", + "conversation_id": "" + }' + - lang: Console + source: | + POST kbn://api/agent_builder/converse/async + { + "input": "Hello again let's have an async chat", + "agent_id": "elastic-ai-agent", + "conversation_id": "" + } + x-state: '' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/agent_builder/mcp: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/agent_builder/mcp
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + > warn + > This endpoint is designed for MCP clients (Claude Desktop, Cursor, VS Code, etc.) and should not be used directly via REST APIs. Use MCP Inspector or native MCP clients instead. + To learn more about the Agent Builder MCP server, refer to the [MCP documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/mcp-server).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: post-agent-builder-mcp + parameters: + - description: Comma-separated list of namespaces to filter tools. Only tools matching the specified namespaces will be returned. + in: query + name: namespace + required: false + schema: + type: string + requestBody: + content: + application/json: + examples: + mcpInitializeRequestExample: + description: 'WARNING: DO NOT USE THIS ENDPOINT VIA REST API. These examples are auto-generated and should not be run. Integrate with MCP using MCP Inspector or native MCP clients (Claude Desktop, Cursor, VS Code) instead.' + value: + id: 1 + jsonrpc: '2.0' + method: initialize + params: + capabilities: {} + clientInfo: + name: test-client + version: 1.0.0 + protocolVersion: '2024-11-05' + schema: {} + responses: + '200': + content: + application/json: + examples: + mcpInitializeResponseExample: + description: Example response showing the successful result of communication initialisation over MCP protocol + value: + id: 1 + jsonrpc: '2.0' + result: + capabilities: + tools: + listChanged: true + protocolVersion: '2024-11-05' + serverInfo: + name: elastic-mcp-server + version: 0.0.1 + description: Indicates a successful response + summary: MCP server + tags: + - agent builder + x-state: '' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/agent_builder/plugins: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/agent_builder/plugins
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all installed plugins and their managed assets. Plugins are installable packages that bundle agent capabilities such as skills, following the [Claude agent plugin specification](https://code.claude.com/docs/en/plugins). To learn more about Agent Builder plugins, refer to the [plugins documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/plugins).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-plugins + parameters: [] + responses: + '200': + content: + application/json: + examples: + listPluginsResponseExample: + description: Example response that returns one installed plugin + value: + results: + - created_at: '2025-01-01T00:00:00.000Z' + description: Financial analysis tools and skills for Claude + id: financial-analysis + manifest: + author: + name: Anthropic + url: https://www.anthropic.com + keywords: + - finance + - analysis + repository: https://github.com/anthropics/financial-services-plugins + name: financial-analysis + skill_ids: + - financial-analysis-analyze-portfolio + source_url: https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis + unmanaged_assets: + agents: [] + hooks: [] + lsp_servers: [] + mcp_servers: [] + output_styles: [] + updated_at: '2025-01-01T00:00:00.000Z' + version: 1.0.0 + description: Indicates a successful response + summary: List plugins + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/agent_builder/plugins" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/agent_builder/plugins + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/agent_builder/plugins/{pluginId}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/agent_builder/plugins/{pluginId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete an installed plugin by ID. This action cannot be undone. To learn more about Agent Builder plugins, refer to the [plugins documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/plugins).

[Required authorization] Route required privileges: agentBuilder:write. + operationId: delete-agent-builder-plugins-pluginid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The unique identifier of the plugin. + in: path + name: pluginId + required: true + schema: + type: string + - description: If true, removes the plugin skills from agents that use them and then deletes the plugin. If false and any agent uses the plugin skills, the request returns 409 Conflict with the list of agents. + in: query + name: force + required: false + schema: + default: false + type: boolean + responses: + '200': + content: + application/json: + examples: + deletePluginResponseExample: + description: Example response showing that deletion of the plugin has been successful + value: + success: true + description: Indicates a successful response + summary: Delete a plugin + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X DELETE "${KIBANA_URL}/api/agent_builder/plugins/{id}" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" + - lang: Console + source: | + DELETE kbn://api/agent_builder/plugins/{id} + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/agent_builder/plugins/{pluginId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a specific plugin by ID. To learn more about Agent Builder plugins, refer to the [plugins documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/plugins).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-plugins-pluginid + parameters: + - description: The unique identifier of the plugin. + in: path + name: pluginId + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getPluginByIdResponseExample: + description: Example response returning a single installed plugin + value: + created_at: '2025-01-01T00:00:00.000Z' + description: Financial analysis tools and skills for Claude + id: financial-analysis + manifest: + author: + name: Anthropic + url: https://www.anthropic.com + keywords: + - finance + - analysis + repository: https://github.com/anthropics/financial-services-plugins + name: financial-analysis + skill_ids: + - financial-analysis-analyze-portfolio + source_url: https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis + unmanaged_assets: + agents: [] + hooks: [] + lsp_servers: [] + mcp_servers: [] + output_styles: [] + updated_at: '2025-01-01T00:00:00.000Z' + version: 1.0.0 + description: Indicates a successful response + summary: Get a plugin by id + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/agent_builder/plugins/{id}" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/agent_builder/plugins/{id} + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/agent_builder/plugins/install: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/agent_builder/plugins/install
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Install a plugin from a [GitHub Claude plugin URL](https://code.claude.com/docs/en/plugins) or a direct ZIP URL. Plugins bundle agent capabilities such as skills. To learn more about Agent Builder plugins, refer to the [plugins documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/plugins).

[Required authorization] Route required privileges: agentBuilder:write. + operationId: post-agent-builder-plugins-install + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + installPluginFromGithubExample: + description: Example request for installing a plugin from a GitHub URL + value: + url: https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis + installPluginFromZipExample: + description: Example request for installing a plugin from a direct zip URL + value: + url: https://my-server.example.com/my-plugin.zip + installPluginWithNameOverrideExample: + description: Example request for installing a plugin with a custom name + value: + plugin_name: my-custom-plugin-name + url: https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis + schema: + additionalProperties: false + type: object + properties: + plugin_name: + description: Optional name override for the plugin. Defaults to the manifest name. + type: string + url: + description: URL to install the plugin from (GitHub URL or direct zip URL). 
+ type: string + required: + - url + responses: + '200': + content: + application/json: + examples: + installPluginResponseExample: + description: Example response returning the definition of the installed plugin + value: + created_at: '2025-01-01T00:00:00.000Z' + description: Financial analysis tools and skills for Claude + id: financial-analysis + manifest: + author: + name: Anthropic + url: https://www.anthropic.com + keywords: + - finance + - analysis + repository: https://github.com/anthropics/financial-services-plugins + name: financial-analysis + skill_ids: + - financial-analysis-analyze-portfolio + source_url: https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis + unmanaged_assets: + agents: [] + hooks: [] + lsp_servers: [] + mcp_servers: [] + output_styles: [] + updated_at: '2025-01-01T00:00:00.000Z' + version: 1.0.0 + description: Indicates a successful response + summary: Install a plugin + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/agent_builder/plugins/install" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "url": "https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis" + }' + - lang: Console + source: | + POST kbn://api/agent_builder/plugins/install + { + "url": "https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis" + } + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/agent_builder/skills: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/agent_builder/skills
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all available skills (built-in and user-created). To learn more about Agent Builder skills, refer to the [skills documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/skills).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-skills + parameters: + - description: Set to true to include skills from plugins. + in: query + name: include_plugins + required: false + schema: + default: false + type: boolean + responses: + '200': + content: + application/json: + examples: + listSkillsResponseExample: + description: Example response returning a list of skills + value: + results: + - description: A built-in skill provided by the platform. + experimental: false + id: built-in-skill-id + name: Built-in Skill + readonly: true + referenced_content_count: 0 + - description: A user-created skill for data analysis. + experimental: false + id: custom-skill-id + name: Custom Skill + readonly: false + referenced_content_count: 1 + tool_ids: + - platform.core.search + description: Indicates a successful response + summary: List skills + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "https://${KIBANA_URL}/api/agent_builder/skills" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn:/api/agent_builder/skills + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/agent_builder/skills
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new user-defined skill. To learn more about Agent Builder skills, refer to the [skills documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/skills).

[Required authorization] Route required privileges: agentBuilder:manageSkills. + operationId: post-agent-builder-skills + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + createSkillRequestExample: + description: Example request to create a user-defined skill + value: + content: You are an expert data analyst. Use the available tools to query and analyze data. + description: A skill for performing custom data analysis. + id: my-custom-skill + name: Custom Analysis Skill + tool_ids: + - platform.core.search + schema: + additionalProperties: false + type: object + properties: + content: + description: Skill instructions content (markdown). + type: string + description: + description: Description of what the skill does. + type: string + id: + description: Unique identifier for the skill. + type: string + name: + description: Human-readable name for the skill. + type: string + referenced_content: + items: + additionalProperties: false + type: object + properties: + content: + description: Content of the reference. + type: string + name: + description: Name of the referenced content. + type: string + relativePath: + description: Relative path of the referenced content. + type: string + required: + - name + - relativePath + - content + maxItems: 100 + type: array + tool_ids: + default: [] + description: Tool IDs from the tool registry that this skill references. + items: + description: Tool ID from the tool registry. + type: string + maxItems: 100 + type: array + required: + - id + - name + - description + - content + responses: + '200': + content: + application/json: + examples: + createSkillResponseExample: + description: Example response returning the created skill + value: + content: You are an expert data analyst. Use the available tools to query and analyze data. 
+ description: A skill for performing custom data analysis. + experimental: false + id: my-custom-skill + name: Custom Analysis Skill + readonly: false + tool_ids: + - platform.core.search + description: Indicates a successful response + summary: Create a skill + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "https://${KIBANA_URL}/api/agent_builder/skills" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "id": "my-custom-skill", + "name": "Custom Analysis Skill", + "description": "A skill for performing custom data analysis.", + "content": "You are an expert data analyst.", + "tool_ids": ["platform.core.search"] + }' + - lang: Console + source: | + POST kbn:/api/agent_builder/skills + { + "id": "my-custom-skill", + "name": "Custom Analysis Skill", + "description": "A skill for performing custom data analysis.", + "content": "You are an expert data analyst.", + "tool_ids": ["platform.core.search"] + } + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/agent_builder/skills/{skillId}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/agent_builder/skills/{skillId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a user-created skill by ID. If agents still reference the skill, the request returns 409 unless force=true, which removes the skill from agents first. Built-in skills cannot be deleted. To learn more about Agent Builder skills, refer to the [skills documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/skills).

[Required authorization] Route required privileges: agentBuilder:manageSkills. + operationId: delete-agent-builder-skills-skillid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The unique identifier of the skill. + in: path + name: skillId + required: true + schema: + maxLength: 512 + minLength: 1 + type: string + - description: If true, removes the skill from agents that use it and then deletes it. If false and any agent uses the skill, the request returns 409 Conflict with the list of agents. + in: query + name: force + required: false + schema: + default: false + type: boolean + responses: + '200': + content: + application/json: + examples: + deleteSkillResponseExample: + description: Example response showing that the deletion operation was successful + value: + success: true + description: Indicates a successful response + summary: Delete a skill + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X DELETE "https://${KIBANA_URL}/api/agent_builder/skills/{skillId}?force=false" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" + - lang: Console + source: | + DELETE kbn:/api/agent_builder/skills/{skillId} + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/agent_builder/skills/{skillId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a specific skill by ID. To learn more about Agent Builder skills, refer to the [skills documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/skills).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-skills-skillid + parameters: + - description: The unique identifier of the skill. + in: path + name: skillId + required: true + schema: + maxLength: 512 + minLength: 1 + type: string + responses: + '200': + content: + application/json: + examples: + getSkillResponseExample: + description: Example response returning a skill by ID + value: + content: You are an expert data analyst. Use the available tools to query and analyze data. + description: A skill for performing custom data analysis. + experimental: false + id: my-custom-skill + name: Custom Analysis Skill + readonly: false + tool_ids: + - platform.core.search + description: Indicates a successful response + summary: Get a skill by id + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "https://${KIBANA_URL}/api/agent_builder/skills/{skillId}" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn:/api/agent_builder/skills/{skillId} + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/agent_builder/skills/{skillId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an existing user-created skill. To learn more about Agent Builder skills, refer to the [skills documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/skills).

[Required authorization] Route required privileges: agentBuilder:manageSkills. + operationId: put-agent-builder-skills-skillid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The unique identifier of the skill. + in: path + name: skillId + required: true + schema: + maxLength: 512 + minLength: 1 + type: string + requestBody: + content: + application/json: + examples: + updateSkillRequestExample: + description: Example request to update a user-defined skill + value: + content: Updated skill instructions content. + description: Updated description for the skill. + name: Updated Skill Name + tool_ids: + - platform.core.search + - platform.core.execute_esql + schema: + additionalProperties: false + type: object + properties: + content: + description: Updated skill instructions content. + type: string + description: + description: Updated description. + type: string + name: + description: Updated name for the skill. + type: string + referenced_content: + items: + additionalProperties: false + type: object + properties: + content: + description: Content of the reference. + type: string + name: + description: Name of the referenced content. + type: string + relativePath: + description: Relative path of the referenced content. + type: string + required: + - name + - relativePath + - content + maxItems: 100 + type: array + tool_ids: + description: Updated tool IDs from the tool registry. + items: + description: Updated tool ID. + type: string + maxItems: 100 + type: array + responses: + '200': + content: + application/json: + examples: + updateSkillResponseExample: + description: Example response returning the updated skill + value: + content: Updated skill instructions content. + description: Updated description for the skill. 
+ experimental: false + id: my-custom-skill + name: Updated Skill Name + readonly: false + tool_ids: + - platform.core.search + - platform.core.execute_esql + description: Indicates a successful response + summary: Update a skill + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X PUT "https://${KIBANA_URL}/api/agent_builder/skills/{skillId}" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "name": "Updated Skill Name", + "description": "Updated description for the skill." + }' + - lang: Console + source: | + PUT kbn:/api/agent_builder/skills/{skillId} + { + "name": "Updated Skill Name", + "description": "Updated description for the skill." + } + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/agent_builder/tools: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/agent_builder/tools
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all available tools. Use this endpoint to retrieve complete tool definitions including their schemas and configuration requirements. To learn more about Agent Builder tools, refer to the [tools documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/tools).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-tools + parameters: [] + responses: + '200': + content: + application/json: + examples: + listToolsResponseExample: + description: Example response returning a list of existing tools + value: + results: + - configuration: {} + description: |- + A powerful tool for searching and analyzing data within your Elasticsearch cluster. + It supports both full-text relevance searches and structured analytical queries. + + Use this tool for any query that involves finding documents, counting, aggregating, or summarizing data from a known index. + + Examples of queries: + - "find articles about serverless architecture" + - "search for support tickets mentioning 'billing issue' or 'refund request'" + - "what is our policy on parental leave?" + - "list all products where the category is 'electronics'" + - "show me the last 5 documents from that index" + - "show me the sales over the last year break down by month" + + Note: + - The 'index' parameter can be used to specify which index to search against. + If not provided, the tool will decide itself which is the best index to use. + - It is perfectly fine not to specify the 'index' parameter. It should only be specified when you already + know about the index and fields you want to search on, e.g. if the user explicitly specified it. + id: platform.core.search + readonly: true + schema: + $schema: http://json-schema.org/draft-07/schema# + additionalProperties: false + type: object + properties: + index: + description: (optional) Index to search against. If not provided, will automatically select the best index to use based on the query. + type: string + query: + description: A natural language query expressing the search request + type: string + required: + - query + tags: [] + type: builtin + - configuration: {} + description: Retrieve the full content (source) of an Elasticsearch document based on its ID and index name. 
+ id: platform.core.get_document_by_id + readonly: true + schema: + $schema: http://json-schema.org/draft-07/schema# + additionalProperties: false + type: object + properties: + id: + description: ID of the document to retrieve + type: string + index: + description: Name of the index to retrieve the document from + type: string + required: + - id + - index + tags: [] + type: builtin + - configuration: {} + description: |- + Execute an ES|QL query and return the results in a tabular format. + + **IMPORTANT**: This tool only **runs** queries; it does not write them. + Think of this as the final step after a query has been prepared. + + You **must** get the query from one of two sources before calling this tool: + 1. The output of the `platform.core.generate_esql` tool (if the tool is available). + 2. A verbatim query provided directly by the user. + + Under no circumstances should you invent, guess, or modify a query yourself for this tool. + If you need a query, use the `platform.core.generate_esql` tool first. 
+ id: platform.core.execute_esql + readonly: true + schema: + $schema: http://json-schema.org/draft-07/schema# + additionalProperties: false + type: object + properties: + query: + description: The ES|QL query to execute + type: string + required: + - query + tags: [] + type: builtin + - configuration: + params: + limit: + description: Maximum number of results to return + type: integer + startTime: + description: Start time for the analysis in ISO format + type: date + query: FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit + description: Example ES|QL query tool for analyzing financial trades with time filtering + id: example-esql-tool + readonly: false + schema: + $schema: http://json-schema.org/draft-07/schema# + additionalProperties: false + description: Parameters needed to execute the query + type: object + properties: + limit: + description: Maximum number of results to return + type: integer + startTime: + description: Start time for the analysis in ISO format + format: date-time + type: string + required: + - startTime + - limit + tags: + - analytics + - finance + type: esql + - configuration: + pattern: financial_* + description: Search tool specifically for financial data analysis and reporting + id: example-index-search-tool + readonly: false + schema: + $schema: http://json-schema.org/draft-07/schema# + additionalProperties: false + type: object + properties: + nlQuery: + description: A natural language query expressing the search request + type: string + required: + - nlQuery + tags: + - search + - finance + type: index_search + description: Indicates a successful response + summary: List tools + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "https://${KIBANA_URL}/api/agent_builder/tools" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET 
kbn:/api/agent_builder/tools + x-state: '' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/agent_builder/tools
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new tool. Use this endpoint to define a custom tool with specific functionality and configuration for use by agents. To learn more about Agent Builder tools, refer to the [tools documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/tools).

[Required authorization] Route required privileges: agentBuilder:manageTools. + operationId: post-agent-builder-tools + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + createEsqlToolRequest: + description: Example request to create an ESQL query tool with a pre-defined query + value: + configuration: + params: + limit: + description: Maximum number of results to return + type: integer + startTime: + description: Start time for the analysis in ISO format + type: date + query: FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit + description: Example ES|QL query tool for analyzing financial trades with time filtering + id: example-esql-tool + tags: + - analytics + - finance + type: esql + createIndexSearchToolRequest: + description: Example request to create an index_search tool with a pre-defined index pattern + value: + configuration: + pattern: financial_* + description: Search tool specifically for financial data analysis and reporting + id: example-index-search-tool + tags: + - search + - finance + type: index_search + schema: + additionalProperties: false + type: object + properties: + configuration: + additionalProperties: + nullable: true + description: Tool-specific configuration parameters. See examples for details. + type: object + description: + default: '' + description: Description of what the tool does. + type: string + id: + description: Unique identifier for the tool. + type: string + tags: + default: [] + description: Optional tags for categorizing and organizing tools. + items: + description: Tag for categorizing the tool. + type: string + type: array + type: + description: The type of tool to create (e.g., esql, index_search). 
+ enum: + - esql + - index_search + - workflow + - mcp + type: string + required: + - id + - type + - configuration + responses: + '200': + content: + application/json: + examples: + createEsqlToolExample: + description: Example response returning a definition of ESQL tool created + value: + configuration: + params: + limit: + description: Maximum number of results to return + type: integer + startTime: + description: Start time for the analysis in ISO format + type: date + query: FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit + description: Example ES|QL query tool for analyzing financial trades with time filtering + id: example-esql-tool + readonly: false + schema: + $schema: http://json-schema.org/draft-07/schema# + additionalProperties: false + description: Parameters needed to execute the query + type: object + properties: + limit: + description: Maximum number of results to return + type: integer + startTime: + description: Start time for the analysis in ISO format + format: date-time + type: string + required: + - startTime + - limit + tags: + - analytics + - finance + type: esql + createIndexSearchToolExample: + description: Example response returning a definition of search tool tool created + value: + configuration: + pattern: financial_* + description: Search tool specifically for financial data analysis and reporting + id: example-index-search-tool + readonly: false + schema: + $schema: http://json-schema.org/draft-07/schema# + additionalProperties: false + type: object + properties: + nlQuery: + description: A natural language query expressing the search request + type: string + required: + - nlQuery + tags: + - search + - finance + type: index_search + description: Indicates a successful response + summary: Create a tool + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST 
"https://${KIBANA_URL}/api/agent_builder/tools" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "id": "example-esql-tool", + "type": "esql", + "description": "Example ES|QL query tool for analyzing financial trades with time filtering", + "tags": ["analytics", "finance"], + "configuration": { + "query": "FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit", + "params": { + "startTime": { + "type": "date", + "description": "Start time for the analysis in ISO format" + }, + "limit": { + "type": "integer", + "description": "Maximum number of results to return" + } + } + } + }' + - lang: Console + source: | + POST kbn:/api/agent_builder/tools + { + "id": "example-esql-tool", + "type": "esql", + "description": "An ES|QL query tool for analyzing financial trades with time filtering", + "tags": ["analytics", "finance", "updated"], + "configuration": { + "query": "FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit", + "params": { + "startTime": { + "type": "date", + "description": "Start time for the analysis in ISO format" + }, + "limit": { + "type": "integer", + "description": "Maximum number of results to return" + } + } + } + } + x-state: '' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/agent_builder/tools/_execute: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/agent_builder/tools/_execute
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Run a tool with parameters. Use this endpoint to run a tool directly with specified inputs and optional external connector integration. To learn more about Agent Builder tools, refer to the [tools documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/tools).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: post-agent-builder-tools-execute + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + executeBuiltinEsqlToolRequest: + description: Example request executing platform.core.execute_esql tool + value: + tool_id: platform.core.execute_esql + tool_params: + query: FROM financial_trades | LIMIT 3 + executeBuiltinToolRequest: + description: Example request executing platform.core.get_document_by_id tool + value: + tool_id: platform.core.get_document_by_id + tool_params: + id: TRD-20250805-0820a89f + index: financial_trades + executeCustomEsqlToolRequest: + description: Example request executing custom example-esql-tool tool + value: + tool_id: example-esql-tool + tool_params: + limit: 3 + startTime: '2024-01-01T00:00:00Z' + executeIndexSearchToolRequest: + description: Example request executing custom example-index-search-tool tool + value: + tool_id: example-index-search-tool + tool_params: + nlQuery: find trades with high execution prices above 100 + schema: + additionalProperties: false + type: object + properties: + connector_id: + description: Optional connector ID for tools that require external integrations. + type: string + tool_id: + description: The ID of the tool to execute. + type: string + tool_params: + additionalProperties: + nullable: true + description: Parameters to pass to the tool execution. 
See examples for details + type: object + required: + - tool_id + - tool_params + responses: + '200': + content: + application/json: + examples: + executeBuiltinEsqlToolExample: + description: Example response calling built-in platform.core.execute_esql tool + value: + results: + - data: + esql: FROM financial_trades | LIMIT 3 + type: query + - data: + columns: + - name: account_id + type: keyword + - name: execution_price + type: double + - name: symbol + type: keyword + - name: trade_type + type: keyword + query: FROM financial_trades | LIMIT 3 + source: esql + values: + - - ACC00179-1f91 + - 43.77000045776367 + - CVX + - sell + - - ACC00407-0bbb + - 660.4199829101562 + - V + - buy + - - ACC00179-1f91 + - 440.3599853515625 + - KO + - buy + tool_result_id: xTpT + type: esql_results + executeBuiltinToolExample: + description: Example response calling built-in platform.core.get_document_by_id tool + value: + results: + - data: + content: + account_id: ACC00271-fb5c + execution_price: 488.54 + execution_timestamp: '2025-08-05T08:04:11.649855' + last_updated: '2025-09-15T13:23:36' + order_status: executed + order_type: market + quantity: 131 + status_reason: fully_filled + symbol: EWL + trade_cost: 63998.74 + trade_id: TRD-20250805-0820a89f + trade_type: sell + partial: false + reference: + id: TRD-20250805-0820a89f + index: financial_trades + type: resource + executeCustomEsqlToolExample: + description: Example response calling custom example-esql-tool tool + value: + results: + - data: + columns: + - name: trade_count + type: long + - name: avg_price + type: double + - name: symbol + type: keyword + query: FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit + source: esql + values: + - - 2115 + - 89.33911587329621 + - US_T_BOND_20YR + - - 2112 + - 104.20854155945055 + - INTL_CORP_ASIA_D + - - 2105 + - 89.93244177666526 + - INTL_CORP_EU_B + 
tool_result_id: Voy8 + type: esql_results + executeIndexSearchToolExample: + description: Example response calling custom example-index-search-tool tool + value: + results: + - data: + esql: |- + FROM financial_trades + | WHERE execution_price > 100 + | LIMIT 100 + type: query + - data: + columns: + - name: account_id + type: keyword + - name: execution_price + type: double + - name: execution_timestamp + type: date + - name: symbol + type: keyword + - name: trade_type + type: keyword + query: |- + FROM financial_trades + | WHERE execution_price > 100 + | LIMIT 100 + source: esql + values: + - - ACC00407-0bbb + - 660.4199829101562 + - '2020-09-25T11:06:08.687Z' + - V + - buy + - - ACC00179-1f91 + - 440.3599853515625 + - '2025-08-07T21:56:45.377Z' + - KO + - buy + - - ACC00407-0bbb + - 132.8800048828125 + - '2020-11-19T04:39:13.655Z' + - JAP_JGB_10YR + - sell + tool_result_id: uE8y + type: esql_results + description: Indicates a successful response + summary: Run a tool + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "https://${KIBANA_URL}/api/agent_builder/tools/_execute" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "tool_id": "platform.core.search", + "tool_params": { + "query": "can you find john doe's email from the employee index?"} + } + }' + - lang: Console + source: | + POST kbn:/api/agent_builder/tools/_execute + { + "tool_id": "platform.core.search", + "tool_params": { + "query": "can you find john doe's email from the employee index?" + } + } + x-state: '' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/agent_builder/tools/{toolId}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/agent_builder/tools/{toolId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a tool by ID. This action cannot be undone. To learn more about Agent Builder tools, refer to the [tools documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/tools).

[Required authorization] Route required privileges: agentBuilder:manageTools. + operationId: delete-agent-builder-tools-toolid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The unique identifier of the tool to delete. + in: path + name: toolId + required: true + schema: + type: string + - description: If true, removes the tool from agents that use it and then deletes it. If false and any agent uses the tool, the request returns 409 Conflict with the list of agents. + in: query + name: force + required: false + schema: + default: false + type: boolean + responses: + '200': + content: + application/json: + examples: + deleteAgentResponseExample: + description: Example response showing that the deletion operation was successful + value: + success: true + description: Indicates a successful response + summary: Delete a tool + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X DELETE "https://${KIBANA_URL}/api/agent_builder/tools/{toolId}" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" + - lang: Console + source: | + DELETE kbn:/api/agent_builder/tools/{toolId} + x-state: '' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/agent_builder/tools/{toolId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a specific tool by ID. Use this endpoint to retrieve the complete tool definition including its schema and configuration requirements. To learn more about Agent Builder tools, refer to the [tools documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/tools).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-tools-toolid + parameters: + - description: The unique identifier of the tool to retrieve. + in: path + name: toolId + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getBuiltinToolExample: + description: Example response returning built-in platform.core.search tool + value: + configuration: {} + description: |- + A powerful tool for searching and analyzing data within your Elasticsearch cluster. + It supports both full-text relevance searches and structured analytical queries. + + Use this tool for any query that involves finding documents, counting, aggregating, or summarizing data from a known index. + + Examples of queries: + - "find articles about serverless architecture" + - "search for support tickets mentioning 'billing issue' or 'refund request'" + - "what is our policy on parental leave?" + - "list all products where the category is 'electronics'" + - "show me the last 5 documents from that index" + - "show me the sales over the last year break down by month" + + Note: + - The 'index' parameter can be used to specify which index to search against. + If not provided, the tool will decide itself which is the best index to use. + - It is perfectly fine not to specify the 'index' parameter. It should only be specified when you already + know about the index and fields you want to search on, e.g. if the user explicitly specified it. + id: platform.core.search + readonly: true + schema: + $schema: http://json-schema.org/draft-07/schema# + additionalProperties: false + type: object + properties: + index: + description: (optional) Index to search against. If not provided, will automatically select the best index to use based on the query. 
+ type: string + query: + description: A natural language query expressing the search request + type: string + required: + - query + tags: [] + type: builtin + getEsqlToolExample: + description: Example response returning custom example-esql-tool tool + value: + configuration: + params: + limit: + description: Maximum number of results to return + type: integer + startTime: + description: Start time for the analysis in ISO format + type: date + query: FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit + description: Example ES|QL query tool for analyzing financial trades with time filtering + id: example-esql-tool + readonly: false + schema: + $schema: http://json-schema.org/draft-07/schema# + additionalProperties: false + description: Parameters needed to execute the query + type: object + properties: + limit: + description: Maximum number of results to return + type: integer + startTime: + description: Start time for the analysis in ISO format + format: date-time + type: string + required: + - startTime + - limit + tags: + - analytics + - finance + type: esql + getIndexSearchToolExample: + description: Example response returning custom example-index-search-tool tool + value: + configuration: + pattern: financial_* + description: Search tool specifically for financial data analysis and reporting + id: example-index-search-tool + readonly: false + schema: + $schema: http://json-schema.org/draft-07/schema# + additionalProperties: false + type: object + properties: + nlQuery: + description: A natural language query expressing the search request + type: string + required: + - nlQuery + tags: + - search + - finance + type: index_search + description: Indicates a successful response + summary: Get a tool by id + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET 
"https://${KIBANA_URL}/api/agent_builder/tools/{toolId}" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn:/api/agent_builder/tools/{toolId} + x-state: '' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/agent_builder/tools/{toolId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an existing tool. Use this endpoint to modify any aspect of the tool's configuration or metadata. To learn more about Agent Builder tools, refer to the [tools documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/tools).

[Required authorization] Route required privileges: agentBuilder:manageTools. + operationId: put-agent-builder-tools-toolid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The unique identifier of the tool to update. + in: path + name: toolId + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + updateEsqlToolRequest: + description: Example request to update the custom ESQL tool + value: + configuration: + params: + limit: + description: Maximum number of results to return + type: integer + startTime: + description: Start time for the analysis in ISO format + type: date + symbolPattern: + description: Pattern to filter symbols (e.g., 'US_*' for US instruments) + type: keyword + query: FROM financial_trades | WHERE execution_timestamp >= ?startTime AND symbol LIKE ?symbolPattern | STATS trade_count=COUNT(*), avg_price=AVG(execution_price), total_volume=SUM(quantity) BY symbol | SORT trade_count DESC | LIMIT ?limit + description: Updated ES|QL query tool for comprehensive financial analysis with enhanced filtering + tags: + - analytics + - finance + - reporting + updateIndexSearchToolRequest: + description: Example request to update the custom Search tool + value: + description: Updated search tool for comprehensive financial data analysis, reporting, and compliance monitoring + tags: + - search + - finance + - compliance + - reporting + schema: + additionalProperties: false + type: object + properties: + configuration: + additionalProperties: + nullable: true + description: Updated tool-specific configuration parameters. See examples for details. + type: object + description: + description: Updated description of what the tool does. + type: string + tags: + description: Updated tags for categorizing and organizing tools. 
+ items: + description: Updated tag for categorizing the tool. + type: string + type: array + responses: + '200': + content: + application/json: + examples: + updateEsqlToolExample: + description: Example response showing the updated ESQL tool + value: + configuration: + params: + limit: + description: Maximum number of results to return + type: integer + startTime: + description: Start time for the analysis in ISO format + type: date + symbolPattern: + description: Pattern to filter symbols (e.g., 'US_*' for US instruments) + type: keyword + query: FROM financial_trades | WHERE execution_timestamp >= ?startTime AND symbol LIKE ?symbolPattern | STATS trade_count=COUNT(*), avg_price=AVG(execution_price), total_volume=SUM(quantity) BY symbol | SORT trade_count DESC | LIMIT ?limit + description: Updated ES|QL query tool for comprehensive financial analysis with enhanced filtering + id: example-esql-tool + readonly: false + schema: + $schema: http://json-schema.org/draft-07/schema# + additionalProperties: false + description: Parameters needed to execute the enhanced query + type: object + properties: + limit: + description: Maximum number of results to return + type: integer + startTime: + description: Start time for the analysis in ISO format + format: date-time + type: string + symbolPattern: + description: Pattern to filter symbols (e.g., 'US_*' for US instruments) + type: string + required: + - startTime + - symbolPattern + - limit + tags: + - analytics + - finance + - reporting + type: esql + updateIndexSearchToolExample: + description: Example response showing the updated Search tool + value: + configuration: + pattern: financial_* + description: Updated search tool for comprehensive financial data analysis, reporting, and compliance monitoring + id: example-index-search-tool + readonly: false + schema: + $schema: http://json-schema.org/draft-07/schema# + additionalProperties: false + type: object + properties: + nlQuery: + description: A natural language query 
expressing the search request + type: string + required: + - nlQuery + tags: + - search + - finance + - compliance + - reporting + type: index_search + description: Indicates a successful response + summary: Update a tool + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X PUT "https://${KIBANA_URL}/api/agent_builder/tools/{toolId}" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "description": "Updated ES|QL query tool for analyzing financial trades with time filtering", + "tags": ["analytics", "finance", "updated"], + "configuration": { + "query": "FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit", + "params": { + "startTime": { + "type": "date", + "description": "Start time for the analysis in ISO format" + }, + "limit": { + "type": "integer", + "description": "Maximum number of results to return" + } + } + } + }' + - lang: Console + source: | + PUT kbn:/api/agent_builder/tools/{toolId} + { + "description": "Updated ES|QL query tool for analyzing financial trades with time filtering", + "tags": ["analytics", "finance", "updated"], + "configuration": { + "query": "FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit", + "params": { + "startTime": { + "type": "date", + "description": "Start time for the analysis in ISO format" + }, + "limit": { + "type": "integer", + "description": "Maximum number of results to return" + } + } + } + } + x-state: '' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/alerting/rule/{id}: + delete: + operationId: delete-alerting-rule-id + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: 
true + schema: + example: 'true' + type: string + - description: The identifier for the rule. + in: path + name: id + required: true + schema: + type: string + responses: + '204': + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. + summary: Delete a rule + tags: + - alerting + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/alerting/rule/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + get: + operationId: get-alerting-rule-id + parameters: + - description: The identifier for the rule. + in: path + name: id + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getRuleResponse: + description: A response that contains information about an index threshold rule. + summary: Get an index threshold rule + value: + actions: [] + api_key_owner: elastic + consumer: alerts + created_at: '2022-12-05T23:40:33.132Z' + created_by: elastic + enabled: true + id: 3583a470-74f6-11ed-9801-35303b735aef + mute_all: false + muted_alert_ids: [] + name: my alert + notify_when: onActionGroupChange + params: + aggField: sheet.version + aggType: avg + groupBy: top + index: + - test-index + termField: name.keyword + termSize: 6 + threshold: + - 1000 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 5 + timeWindowUnit: m + revision: 0 + rule_type_id: .index-threshold + schedule: + interval: 1m + tags: + - cpu + throttle: null + updated_at: '2022-12-05T23:40:33.132Z' + updated_by: elastic + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_response' + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. + summary: Get rule details + tags: + - alerting + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/alerting/rule/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + post: + operationId: post-alerting-rule-id + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. If it is omitted, an ID is randomly generated. + in: path + name: id + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + createEsQueryEsqlRuleRequest: + description: | + Create an Elasticsearch query rule that uses Elasticsearch Query Language (ES|QL) to define its query and a server log connector to send notifications. + summary: Elasticsearch query rule (ES|QL) + value: + actions: + - frequency: + notify_when: onActiveAlert + summary: false + group: query matched + id: d0db1fe0-78d6-11ee-9177-f7d404c8c945 + params: + level: info + message: |- + Elasticsearch query rule '{{rule.name}}' is active: + - Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}} + consumer: stackAlerts + name: my Elasticsearch query ESQL rule + params: + esqlQuery: + esql: FROM kibana_sample_data_logs | KEEP bytes, clientip, host, geo.dest | where geo.dest != "GB" | STATS sumbytes = sum(bytes) by clientip, host | WHERE sumbytes > 5000 | SORT sumbytes desc | LIMIT 10 + searchType: esqlQuery + size: 0 + threshold: + - 0 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 1 + timeWindowUnit: d + rule_type_id: .es-query + schedule: + interval: 1d + createEsQueryKqlRuleRequest: + description: Create an Elasticsearch query rule that uses Kibana query language (KQL). 
+ summary: Elasticsearch query rule (KQL) + value: + consumer: alerts + name: my Elasticsearch query KQL rule + params: + aggType: count + excludeHitsFromPreviousRun: true + groupBy: all + searchConfiguration: + index: 90943e30-9a47-11e8-b64d-95841ca0b247 + query: + language: kuery + query: '""geo.src : "US" ""' + searchType: searchSource + size: 100 + threshold: + - 1000 + thresholdComparator: '>' + timeWindowSize: 5 + timeWindowUnit: m + rule_type_id: .es-query + schedule: + interval: 1m + createEsQueryRuleRequest: + description: | + Create an Elasticsearch query rule that uses Elasticsearch query domain specific language (DSL) to define its query and a server log connector to send notifications. + summary: Elasticsearch query rule (DSL) + value: + actions: + - frequency: + notify_when: onThrottleInterval + summary: true + throttle: 1d + group: query matched + id: fdbece50-406c-11ee-850e-c71febc4ca7f + params: + level: info + message: The system has detected {{alerts.new.count}} new, {{alerts.ongoing.count}} ongoing, and {{alerts.recovered.count}} recovered alerts. + - frequency: + notify_when: onActionGroupChange + summary: false + group: recovered + id: fdbece50-406c-11ee-850e-c71febc4ca7f + params: + level: info + message: Recovered + consumer: alerts + name: my Elasticsearch query rule + params: + esQuery: '"""{"query":{"match_all" : {}}}"""' + index: + - kibana_sample_data_logs + size: 100 + threshold: + - 100 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 1 + timeWindowUnit: d + rule_type_id: .es-query + schedule: + interval: 1d + createIndexThresholdRuleRequest: + description: | + Create an index threshold rule that uses a server log connector to send notifications when the threshold is met. 
+ summary: Index threshold rule + value: + actions: + - frequency: + notify_when: onActionGroupChange + summary: false + group: threshold met + id: 48de3460-f401-11ed-9f8e-399c75a2deeb + params: + level: info + message: |- + Rule '{{rule.name}}' is active for group '{{context.group}}': + + - Value: {{context.value}} + - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} + - Timestamp: {{context.date}} + alert_delay: + active: 3 + consumer: alerts + name: my rule + params: + aggField: sheet.version + aggType: avg + groupBy: top + index: + - .test-index + termField: name.keyword + termSize: 6 + threshold: + - 1000 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 5 + timeWindowUnit: m + rule_type_id: .index-threshold + schedule: + interval: 1m + tags: + - cpu + createTrackingContainmentRuleRequest: + description: | + Create a tracking containment rule that checks when an entity is contained or no longer contained within a boundary. 
+ summary: Tracking containment rule + value: + consumer: alerts + name: my tracking rule + params: + boundaryGeoField: location + boundaryIndexId: 0cd90abf-abe7-44c7-909a-f621bbbcfefc + boundaryIndexTitle: boundary* + boundaryNameField: name + boundaryType: entireIndex + dateField": '@timestamp' + entity: agent.keyword + geoField: geo.coordinates + index: kibana_sample_data_logs + indexId: 90943e30-9a47-11e8-b64d-95841ca0b247 + rule_type_id: .geo-containment + schedule: + interval: 1h + schema: + anyOf: + - discriminator: + mapping: + .es-query: '#/components/schemas/Kibana_HTTP_APIs_es-query-create-rule-body-alerting' + .geo-containment: '#/components/schemas/Kibana_HTTP_APIs_geo-containment-create-rule-body-alerting' + .index-threshold: '#/components/schemas/Kibana_HTTP_APIs_index-threshold-create-rule-body-alerting' + apm.anomaly: '#/components/schemas/Kibana_HTTP_APIs_apm-anomaly-create-rule-body-alerting' + apm.error_rate: '#/components/schemas/Kibana_HTTP_APIs_apm-error-rate-create-rule-body-alerting' + apm.transaction_duration: '#/components/schemas/Kibana_HTTP_APIs_apm-transaction-duration-create-rule-body-alerting' + apm.transaction_error_rate: '#/components/schemas/Kibana_HTTP_APIs_apm-transaction-error-rate-create-rule-body-alerting' + datasetQuality.degradedDocs: '#/components/schemas/Kibana_HTTP_APIs_datasetquality-degradeddocs-create-rule-body-alerting' + logs.alert.document.count: '#/components/schemas/Kibana_HTTP_APIs_logs-alert-document-count-create-rule-body-alerting' + metrics.alert.inventory.threshold: '#/components/schemas/Kibana_HTTP_APIs_metrics-alert-inventory-threshold-create-rule-body-alerting' + metrics.alert.threshold: '#/components/schemas/Kibana_HTTP_APIs_metrics-alert-threshold-create-rule-body-alerting' + monitoring_alert_cluster_health: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-cluster-health-create-rule-body-alerting' + monitoring_alert_cpu_usage: 
'#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-cpu-usage-create-rule-body-alerting' + monitoring_alert_disk_usage: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-disk-usage-create-rule-body-alerting' + monitoring_alert_elasticsearch_version_mismatch: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-elasticsearch-version-mismatch-create-rule-body-alerting' + monitoring_alert_jvm_memory_usage: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-jvm-memory-usage-create-rule-body-alerting' + monitoring_alert_kibana_version_mismatch: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-kibana-version-mismatch-create-rule-body-alerting' + monitoring_alert_license_expiration: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-license-expiration-create-rule-body-alerting' + monitoring_alert_logstash_version_mismatch: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-logstash-version-mismatch-create-rule-body-alerting' + monitoring_alert_missing_monitoring_data: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-missing-monitoring-data-create-rule-body-alerting' + monitoring_alert_nodes_changed: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-nodes-changed-create-rule-body-alerting' + monitoring_alert_thread_pool_search_rejections: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-thread-pool-search-rejections-create-rule-body-alerting' + monitoring_alert_thread_pool_write_rejections: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-thread-pool-write-rejections-create-rule-body-alerting' + monitoring_ccr_read_exceptions: '#/components/schemas/Kibana_HTTP_APIs_monitoring-ccr-read-exceptions-create-rule-body-alerting' + monitoring_shard_size: '#/components/schemas/Kibana_HTTP_APIs_monitoring-shard-size-create-rule-body-alerting' + observability.rules.custom_threshold: '#/components/schemas/Kibana_HTTP_APIs_observability-rules-custom-threshold-create-rule-body-alerting' + slo.rules.burnRate: 
'#/components/schemas/Kibana_HTTP_APIs_slo-rules-burnrate-create-rule-body-alerting' + transform_health: '#/components/schemas/Kibana_HTTP_APIs_transform-health-create-rule-body-alerting' + xpack.ml.anomaly_detection_alert: '#/components/schemas/Kibana_HTTP_APIs_xpack-ml-anomaly-detection-alert-create-rule-body-alerting' + xpack.ml.anomaly_detection_jobs_health: '#/components/schemas/Kibana_HTTP_APIs_xpack-ml-anomaly-detection-jobs-health-create-rule-body-alerting' + xpack.synthetics.alerts.monitorStatus: '#/components/schemas/Kibana_HTTP_APIs_xpack-synthetics-alerts-monitorstatus-create-rule-body-alerting' + xpack.synthetics.alerts.tls: '#/components/schemas/Kibana_HTTP_APIs_xpack-synthetics-alerts-tls-create-rule-body-alerting' + xpack.uptime.alerts.durationAnomaly: '#/components/schemas/Kibana_HTTP_APIs_xpack-uptime-alerts-durationanomaly-create-rule-body-alerting' + xpack.uptime.alerts.monitorStatus: '#/components/schemas/Kibana_HTTP_APIs_xpack-uptime-alerts-monitorstatus-create-rule-body-alerting' + xpack.uptime.alerts.tlsCertificate: '#/components/schemas/Kibana_HTTP_APIs_xpack-uptime-alerts-tlscertificate-create-rule-body-alerting' + propertyName: rule_type_id + oneOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-ccr-read-exceptions-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-cluster-health-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-cpu-usage-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-disk-usage-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-elasticsearch-version-mismatch-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-kibana-version-mismatch-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-license-expiration-create-rule-body-alerting' + - $ref: 
'#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-logstash-version-mismatch-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-jvm-memory-usage-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-missing-monitoring-data-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-nodes-changed-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-shard-size-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-thread-pool-search-rejections-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-thread-pool-write-rejections-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xpack-ml-anomaly-detection-alert-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xpack-ml-anomaly-detection-jobs-health-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datasetquality-degradeddocs-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_es-query-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_index-threshold-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_geo-containment-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_transform-health-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_apm-anomaly-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_apm-error-rate-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_apm-transaction-error-rate-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_apm-transaction-duration-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xpack-synthetics-alerts-monitorstatus-create-rule-body-alerting' + - $ref: 
'#/components/schemas/Kibana_HTTP_APIs_xpack-synthetics-alerts-tls-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xpack-uptime-alerts-monitorstatus-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xpack-uptime-alerts-tlscertificate-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xpack-uptime-alerts-durationanomaly-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metrics-alert-inventory-threshold-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metrics-alert-threshold-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_observability-rules-custom-threshold-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_logs-alert-document-count-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_slo-rules-burnrate-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule' + responses: + '200': + content: + application/json: + examples: + createEsQueryEsqlRuleResponse: + description: The response for successfully creating an Elasticsearch query rule that uses Elasticsearch Query Language (ES|QL). 
+ summary: Elasticsearch query rule (ES|QL) + value: + actions: + - connector_type_id: .server-log + frequency: + notify_when: onActiveAlert + summary: false + throttle: null + group: query matched + id: d0db1fe0-78d6-11ee-9177-f7d404c8c945 + params: + level: info + message: |- + Elasticsearch query rule '{{rule.name}}' is active: + - Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}} + uuid: bfe370a3-531b-4855-bbe6-ad739f578844 + api_key_created_by_user: false + api_key_owner: elastic + consumer: stackAlerts + created_at: '2023-11-01T19:00:10.453Z' + created_by: elastic + enabled: true + execution_status: + last_execution_date: '2023-11-01T19:00:10.453Z' + status: pending + id: e0d62360-78e8-11ee-9177-f7d404c8c945 + mute_all: false + muted_alert_ids: [] + name: my Elasticsearch query ESQL rule + notify_when: null + params: + aggType: count + esqlQuery: + esql: FROM kibana_sample_data_logs | keep bytes, clientip, host, geo.dest | WHERE geo.dest != "GB" | stats sumbytes = sum(bytes) by clientip, host | WHERE sumbytes > 5000 | sort sumbytes desc | limit 10 + excludeHitsFromPreviousRun": true, + groupBy: all + searchType: esqlQuery + size: 0 + threshold: + - 0 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 1 + timeWindowUnit: d + revision: 0 + rule_type_id: .es-query + running: false + schedule: + interval: 1d + scheduled_task_id: e0d62360-78e8-11ee-9177-f7d404c8c945 + tags: [] + throttle: null + updated_at: '2023-11-01T19:00:10.453Z' + updated_by: elastic", + createEsQueryKqlRuleResponse: + description: The response for successfully creating an Elasticsearch query rule that uses Kibana query language (KQL). 
+ summary: Elasticsearch query rule (KQL) + value: + actions: [] + api_key_created_by_user: false + api_key_owner: elastic + consumer: alerts + created_at: '2023-07-14T20:24:50.729Z' + created_by: elastic + enabled: true + execution_status: + last_execution_date: '2023-07-14T20:24:50.729Z' + status: pending + id: 7bd506d0-2284-11ee-8fad-6101956ced88 + mute_all: false + muted_alert_ids: [] + name: my Elasticsearch query KQL rule" + notify_when: null + params: + aggType: count + excludeHitsFromPreviousRun: true + groupBy: all + searchConfiguration: + index: 90943e30-9a47-11e8-b64d-95841ca0b247 + query: + language: kuery + query: '""geo.src : "US" ""' + searchType: searchSource + size: 100 + threshold: + - 1000 + thresholdComparator: '>' + timeWindowSize: 5 + timeWindowUnit: m + revision: 0 + rule_type_id: .es-query + running: false + schedule: + interval: 1m + scheduled_task_id: 7bd506d0-2284-11ee-8fad-6101956ced88 + tags: [] + throttle: null + updated_at: '2023-07-14T20:24:50.729Z' + updated_by: elastic + createEsQueryRuleResponse: + description: The response for successfully creating an Elasticsearch query rule that uses Elasticsearch query domain specific language (DSL). + summary: Elasticsearch query rule (DSL) + value: + actions: + - connector_type_id: .server-log + frequency: + notify_when: onThrottleInterval + summary: true + throttle: 1d + group: query matched + id: fdbece50-406c-11ee-850e-c71febc4ca7f + params: + level: info + message: The system has detected {{alerts.new.count}} new, {{alerts.ongoing.count}} ongoing, and {{alerts.recovered.count}} recovered alerts. 
+ uuid: 53f3c2a3-e5d0-4cfa-af3b-6f0881385e78 + - connector_type_id: .server-log + frequency: + notify_when: onActionGroupChange + summary: false + throttle: null + group: recovered + id: fdbece50-406c-11ee-850e-c71febc4ca7f + params: + level: info + message: Recovered + uuid: 2324e45b-c0df-45c7-9d70-4993e30be758 + api_key_created_by_user: false + api_key_owner: elastic + consumer: alerts + created_at: '2023-08-22T00:03:38.263Z' + created_by: elastic + enabled: true + execution_status: + last_execution_date: '2023-08-22T00:03:38.263Z' + status: pending + id: 58148c70-407f-11ee-850e-c71febc4ca7f + mute_all: false + muted_alert_ids: [] + name: my Elasticsearch query rule + notify_when: null + params: + aggType: count + esQuery: '"""{"query":{"match_all" : {}}}"""' + excludeHitsFromPreviousRun: true + groupBy: all + index: + - kibana_sample_data_logs + searchType: esQuery + size: 100 + threshold: + - 100 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 1 + timeWindowUnit: d + revision: 0 + rule_type_id: .es-query + running: false + schedule: + interval: 1d + scheduled_task_id: 58148c70-407f-11ee-850e-c71febc4ca7f + tags: [] + throttle: null + updated_at: '2023-08-22T00:03:38.263Z' + updated_by: elastic + createIndexThresholdRuleResponse: + description: The response for successfully creating an index threshold rule. 
+ summary: Index threshold rule + value: + actions: + - connector_type_id: .server-log + frequency: + notify_when: onActionGroupChange + summary: false + throttle: null + group: threshold met + id: dceeb5d0-6b41-11eb-802b-85b0c1bc8ba2 + params: + level: info + message: |- + Rule {{rule.name}} is active for group {{context.group} : + + - Value: {{context.value}} + - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} + - Timestamp: {{context.date}} + uuid: 07aef2a0-9eed-4ef9-94ec-39ba58eb609d + alert_delay: + active: 3 + api_key_created_by_user: false + api_key_owner: elastic + consumer: alerts + created_at: '2022-06-08T17:20:31.632Z' + created_by: elastic + enabled: true + execution_status: + last_execution_date: '2022-06-08T17:20:31.632Z' + status: pending + id: 41893910-6bca-11eb-9e0d-85d233e3ee35 + mute_all: false + muted_alert_ids: [] + name: my rule + notify_when: null + params: + aggField: sheet.version + aggType: avg + groupBy: top + index: + - .test-index + termField: name.keyword + termSize: 6 + threshold: + - 1000 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 5 + timeWindowUnit: m + revision: 0 + rule_type_id: .index-threshold + running: false + schedule: + interval: 1m + scheduled_task_id: 425b0800-6bca-11eb-9e0d-85d233e3ee35 + tags: + - cpu + throttle: null + updated_at: '2022-06-08T17:20:31.632Z' + updated_by: elastic + createTrackingContainmentRuleResponse: + description: The response for successfully creating a tracking containment rule. 
+ summary: Tracking containment rule + value: + actions: [] + api_key_created_by_user: false + api_key_owner: elastic + consumer: alerts + created_at: '2024-02-14T19:52:55.920Z' + created_by: elastic + enabled: true + execution_status: + last_duration: 74 + last_execution_date: '2024-02-15T03:25:38.125Z' + status: ok + id: b6883f9d-5f70-4758-a66e-369d7c26012f + last_run: + alerts_count: + active: 0 + ignored: 0 + new: 0 + recovered: 0 + outcome: succeeded + outcome_msg: null + outcome_order: 0 + warning: null + mute_all: false + muted_alert_ids: [] + name: my tracking rule + next_run: '2024-02-15T03:26:38.033Z' + notify_when: null + params: + boundaryGeoField: location + boundaryIndexId: 0cd90abf-abe7-44c7-909a-f621bbbcfefc + boundaryIndexTitle: boundary* + boundaryNameField: name + boundaryType: entireIndex + dateField: '@timestamp' + entity: agent.keyword + geoField: geo.coordinates + index: kibana_sample_data_logs + indexId: 90943e30-9a47-11e8-b64d-95841ca0b247 + revision: 1 + rule_type_id: .geo-containment + running: false + schedule: + interval: 1h + scheduled_task_id: b6883f9d-5f70-4758-a66e-369d7c26012f + tags: [] + throttle: null + updated_at: '2024-02-15T03:24:32.574Z' + updated_by: elastic + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_response' + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '409': + description: Indicates that the rule id is already in use. + summary: Create a rule + tags: + - alerting + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/alerting/rule/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + put: + operationId: put-alerting-rule-id + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. + in: path + name: id + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + updateRuleRequest: + description: Update an index threshold rule that uses a server log connector to send notifications when the threshold is met. + summary: Index threshold rule + value: + actions: + - frequency: + notify_when: onActionGroupChange + summary: false + group: threshold met + id: 96b668d0-a1b6-11ed-afdf-d39a49596974 + params: + level: info + message: |- + Rule {{rule.name}} is active for group {{context.group}}: + + - Value: {{context.value}} + - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} + - Timestamp: {{context.date}} + name: new name + params: + aggField: sheet.version + aggType: avg + groupBy: top + index: + - .updated-index + termField: name.keyword + termSize: 6 + threshold: + - 1000 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 5 + timeWindowUnit: m + schedule: + interval: 1m + tags: [] + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_update_rule' + responses: + '200': + content: + application/json: + examples: + updateRuleResponse: + description: The response for successfully updating an index threshold rule. 
+ summary: Index threshold rule + value: + actions: + - connector_type_id: .server-log + frequency: + notify_when: onActionGroupChange + summary: false + throttle: null + group: threshold met + id: 96b668d0-a1b6-11ed-afdf-d39a49596974 + params: + level: info + message: |- + Rule {{rule.name}} is active for group {{context.group}}: + + - Value: {{context.value}} + - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} + - Timestamp: {{context.date} + uuid: 07aef2a0-9eed-4ef9-94ec-39ba58eb609d + api_key_created_by_user: false + api_key_owner: elastic + consumer: alerts + created_at: '2024-03-26T23:13:20.985Z' + created_by: elastic + enabled: true + execution_status: + last_duration: 52 + last_execution_date: '2024-03-26T23:22:51.390Z' + status: ok + id: ac4e6b90-6be7-11eb-ba0d-9b1c1f912d74 + last_run: + alerts_count: + active: 0 + ignored: 0 + new: 0 + recovered: 0 + outcome: succeeded + outcome_msg: null + warning: null + mute_all: false + muted_alert_ids: [] + name: new name + next_run: '2024-03-26T23:23:51.316Z' + params: + aggField: sheet.version + aggType: avg + groupBy: top + index: + - .updated-index + termField: name.keyword + termSize: 6 + threshold: + - 1000 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 5 + timeWindowUnit: m + revision: 1 + rule_type_id: .index-threshold + running: false + schedule: + interval: 1m + scheduled_task_id: 4c5eda00-e74f-11ec-b72f-5b18752ff9ea + tags: [] + throttle: null + updated_at: '2024-03-26T23:22:59.949Z' + updated_by: elastic + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_response' + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. + '409': + description: Indicates that the rule has already been updated by another user. 
+ summary: Update a rule + tags: + - alerting + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/alerting/rule/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/alerting/rule/{id}/_disable: + post: + operationId: post-alerting-rule-id-disable + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. + in: path + name: id + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + disableRuleRequest: + description: A request that disables a rule and untracks all alerts that were generated by the rule. + summary: Disable a rule and untrack its alerts + value: + untrack: true + schema: + additionalProperties: false + nullable: true + type: object + properties: + untrack: + description: Defines whether this rule's alerts should be untracked. + type: boolean + responses: + '204': + description: Indicates a successful call. + '400': + description: Indicates an invalid schema. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. + summary: Disable a rule + tags: + - alerting + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/alerting/rule/{id}/_disable
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/alerting/rule/{id}/_enable: + post: + operationId: post-alerting-rule-id-enable + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. + in: path + name: id + required: true + schema: + type: string + responses: + '204': + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. + summary: Enable a rule + tags: + - alerting + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/alerting/rule/{id}/_enable
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/alerting/rule/{id}/_mute_all: + post: + operationId: post-alerting-rule-id-mute-all + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. + in: path + name: id + required: true + schema: + type: string + responses: + '204': + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. + summary: Mute all alerts + tags: + - alerting + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/alerting/rule/{id}/_mute_all
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/alerting/rule/{id}/_unmute_all: + post: + operationId: post-alerting-rule-id-unmute-all + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. + in: path + name: id + required: true + schema: + type: string + responses: + '204': + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. + summary: Unmute all alerts + tags: + - alerting + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/alerting/rule/{id}/_unmute_all
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/alerting/rule/{id}/_update_api_key: + post: + operationId: post-alerting-rule-id-update-api-key + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. + in: path + name: id + required: true + schema: + type: string + responses: + '204': + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. + '409': + description: Indicates that the rule has already been updated by another user. + summary: Update the API key for a rule + tags: + - alerting + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/alerting/rule/{id}/_update_api_key
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/alerting/rule/{id}/query_inspector: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/alerting/rule/{id}/query_inspector
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Returns the Elasticsearch query that a rule executes, and optionally its response. + operationId: get-alerting-rule-id-query-inspector + parameters: + - description: The identifier for the rule. + in: path + name: id + required: true + schema: + type: string + - description: The inspection mode. Use "build" to return only the query, or "execute" to run the query and include the response. + in: query + name: mode + required: false + schema: + default: build + enum: + - build + - execute + type: string + - description: The alert document ID. When provided, the query inspector uses the evaluation time range from the alert instead of the current time. + in: query + name: alert_id + required: false + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getRuleQueryInspectorResponse: + summary: A query inspector response for a custom threshold rule + value: + queries: + - index: metrics-* + request: + aggs: + groupings: + composite: + size: 500 + sources: [] + query: + bool: + filter: + - range: + '@timestamp': + gte: '2026-01-01T00:00:00.000Z' + lte: '2026-01-01T00:05:00.000Z' + size: 0 + schema: + additionalProperties: false + type: object + properties: + queries: + items: + additionalProperties: false + type: object + properties: + index: + type: string + label: + type: string + request: + additionalProperties: + nullable: true + type: object + response: + additionalProperties: + nullable: true + type: object + required: + - index + - request + maxItems: 1000 + type: array + required: + - queries + description: Indicates a successful call. + '400': + description: Indicates the rule type is not supported or the request parameters are invalid. + '404': + description: Indicates a rule with the specified rule ID does not exist. 
+ summary: Get the Elasticsearch query for a rule + tags: + - alerting + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/alerting/rule/{id}/snooze_schedule: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/alerting/rule/{id}/snooze_schedule
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + When you snooze a rule, the rule checks continue to run but alerts will not generate actions. You can snooze for a specified period of time and schedule single or recurring downtimes. + operationId: post-alerting-rule-id-snooze-schedule + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Identifier of the rule. + in: path + name: id + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + snoozeRuleRecurringRequest: + description: A request that snoozes a rule every Monday for 8 hours, for 4 occurrences. + summary: Snooze a rule on a recurring weekly schedule + value: + schedule: + custom: + duration: 8h + recurring: + every: 1w + occurrences: 4 + onWeekDay: + - MO + start: '2025-03-17T09:00:00.000Z' + timezone: UTC + snoozeRuleRequest: + description: A request that snoozes a rule for 24 hours starting now. + summary: Snooze a rule for 24 hours + value: + schedule: + custom: + duration: 24h + start: '2025-03-12T12:00:00.000Z' + timezone: UTC + schema: + additionalProperties: false + type: object + properties: + schedule: + additionalProperties: false + type: object + properties: + custom: + $ref: '#/components/schemas/Kibana_HTTP_APIs_schedule_request' + required: + - schedule + responses: + '200': + content: + application/json: + examples: + snoozeRuleResponse: + description: A response that contains the created snooze schedule. 
+ summary: Snooze schedule response + value: + schedule: + custom: + duration: 24h + start: '2025-03-12T12:00:00.000Z' + timezone: UTC + id: 9ac67950-6737-11ec-8ded-d7f6e1581b26 + schema: + additionalProperties: false + type: object + properties: + body: + additionalProperties: false + type: object + properties: + schedule: + additionalProperties: false + type: object + properties: + custom: + $ref: '#/components/schemas/Kibana_HTTP_APIs_schedule_request' + id: + description: Identifier of the snooze schedule. + type: string + required: + - id + required: + - schedule + required: + - body + description: Indicates a successful call. + '400': + description: Indicates an invalid schema. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given id does not exist. + summary: Schedule a snooze for the rule + tags: + - alerting + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/alerting/rule/{rule_id}/alert/{alert_id}/_mute: + post: + operationId: post-alerting-rule-rule-id-alert-alert-id-mute + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. + in: path + name: rule_id + required: true + schema: + type: string + - description: The identifier for the alert. + in: path + name: alert_id + required: true + schema: + type: string + - description: Whether to validate the existence of the alert. + in: query + name: validate_alerts_existence + required: false + schema: + type: boolean + responses: + '204': + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule or alert with the given ID does not exist. 
+ summary: Mute an alert + tags: + - alerting + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/alerting/rule/{rule_id}/alert/{alert_id}/_mute
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/alerting/rule/{rule_id}/alert/{alert_id}/_unmute: + post: + operationId: post-alerting-rule-rule-id-alert-alert-id-unmute + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. + in: path + name: rule_id + required: true + schema: + type: string + - description: The identifier for the alert. + in: path + name: alert_id + required: true + schema: + type: string + responses: + '204': + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule or alert with the given ID does not exist. + summary: Unmute an alert + tags: + - alerting + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/alerting/rule/{rule_id}/alert/{alert_id}/_unmute
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/alerting/rule/{ruleId}/snooze_schedule/{scheduleId}: + delete: + operationId: delete-alerting-rule-ruleid-snooze-schedule-scheduleid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. + in: path + name: ruleId + required: true + schema: + type: string + - description: The identifier for the snooze schedule. + in: path + name: scheduleId + required: true + schema: + type: string + responses: + '204': + description: Indicates a successful call. + '400': + description: Indicates an invalid schema. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given id does not exist. + summary: Delete a snooze schedule for a rule + tags: + - alerting + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/alerting/rule/{ruleId}/snooze_schedule/{scheduleId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/alerting/rules/_find: + get: + operationId: get-alerting-rules-find + parameters: + - description: The number of rules to return per page. + in: query + name: per_page + required: false + schema: + default: 10 + minimum: 0 + type: number + - description: The page number to return. + in: query + name: page + required: false + schema: + default: 1 + minimum: 1 + type: number + - description: An Elasticsearch simple_query_string query that filters the objects in the response. + in: query + name: search + required: false + schema: + type: string + - description: The default operator to use for the simple_query_string. + in: query + name: default_search_operator + required: false + schema: + default: OR + enum: + - OR + - AND + type: string + - description: The fields to perform the simple_query_string parsed query against. + in: query + name: search_fields + required: false + schema: + items: + type: string + type: array + - description: Determines which field is used to sort the results. The field must exist in the `attributes` key of the response. + in: query + name: sort_field + required: false + schema: + type: string + - description: Determines the sort order. + in: query + name: sort_order + required: false + schema: + enum: + - asc + - desc + type: string + - description: Filters the rules that have a relation with the reference objects with a specific type and identifier. + in: query + name: has_reference + required: false + schema: + additionalProperties: false + nullable: true + type: object + properties: + id: + type: string + type: + type: string + required: + - type + - id + - description: The fields to return in the `attributes` key of the response. + in: query + name: fields + required: false + schema: + items: + type: string + type: array + - description: 'A KQL string that you filter with an attribute from your saved object. 
It should look like `savedObjectType.attributes.title: "myTitle"`. However, if you used a direct attribute of a saved object, such as `updatedAt`, you must define your filter, for example, `savedObjectType.updatedAt > 2018-12-22`.' + in: query + name: filter + required: false + schema: + type: string + - in: query + name: filter_consumers + required: false + schema: + items: + description: List of consumers to filter. + type: string + type: array + responses: + '200': + content: + application/json: + examples: + findConditionalActionRulesResponse: + description: A response that contains information about an index threshold rule. + summary: Index threshold rule + value: + data: + - actions: + - frequency: + notify_when: onActionGroupChange + summary: false + throttle: null + group: threshold met + id: 9dca3e00-74f5-11ed-9801-35303b735aef + params: + connector_type_id: .server-log + level: info + message: |- + Rule {{rule.name}} is active for group {{context.group}}: + + - Value: {{context.value}} + - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} + - Timestamp: {{context.date}} + uuid: 1c7a1280-f28c-4e06-96b2-e4e5f05d1d61 + api_key_created_by_user: false + api_key_owner: elastic + consumer: alerts + created_at: '2022-12-05T23:40:33.132Z' + created_by: elastic + enabled: true + execution_status: + last_duration: 48 + last_execution_date: '2022-12-06T01:44:23.983Z' + status: ok + id: 3583a470-74f6-11ed-9801-35303b735aef + last_run: + alerts_count: + active: 0 + ignored: 0 + new: 0 + recovered: 0 + outcome: succeeded + outcome_msg: null + warning: null + mute_all: false + muted_alert_ids: [] + name: my alert + next_run: '2022-12-06T01:45:23.912Z' + params: + aggField: sheet.version + aggType: avg + groupBy: top + index: + - test-index + termField: name.keyword + termSize: 6 + threshold: + - 1000 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 5 + timeWindowUnit: m + revision: 1 + 
rule_type_id: .index-threshold + schedule: + interval: 1m + scheduled_task_id: 3583a470-74f6-11ed-9801-35303b735aef + tags: + - cpu + throttle: null + updated_at: '2022-12-05T23:40:33.132Z' + updated_by: elastic + page: 1 + per_page: 10 + total: 1 + findRulesResponse: + description: A response that contains information about a security rule that has conditional actions. + summary: Security rule + value: + data: + - actions: + - alerts_filter: + query: + filters: + - $state: + store: appState + meta: + alias: null + disabled: false + field: client.geo.region_iso_code + index: c4bdca79-e69e-4d80-82a1-e5192c621bea + key: client.geo.region_iso_code + negate: false + params: + query: CA-QC + type: phrase + query: + match_phrase: + client.geo.region_iso_code: CA-QC + kql: '' + timeframe: + days: + - 7 + hours: + end: '17:00' + start: '08:00' + timezone: UTC + connector_type_id: .index + frequency: + notify_when: onActiveAlert + summary: true + throttle: null + group: default + id: 49eae970-f401-11ed-9f8e-399c75a2deeb + params: + documents: + - alert_id: + '[object Object]': null + context_message: + '[object Object]': null + rule_id: + '[object Object]': null + rule_name: + '[object Object]': null + uuid: 1c7a1280-f28c-4e06-96b2-e4e5f05d1d61 + api_key_created_by_user: false + api_key_owner: elastic + consumer: siem + created_at: '2023-05-16T15:50:28.358Z' + created_by: elastic + enabled: true + execution_status: + last_duration: 166 + last_execution_date: '2023-05-16T20:26:49.590Z' + status: ok + id: 6107a8f0-f401-11ed-9f8e-399c75a2deeb + last_run: + alerts_count: + active: 0 + ignored: 0 + new: 0 + recovered: 0 + outcome: succeeded + outcome_msg: + - Rule execution completed successfully + outcome_order: 0 + warning: null + mute_all: false + muted_alert_ids: [] + name: security_rule + next_run: '2023-05-16T20:27:49.507Z' + notify_when: null + params: + author: [] + description: A security threshold rule. 
+ exceptionsList: [] + falsePositives: [] + filters: [] + from: now-3660s + immutable: false + index: + - kibana_sample_data_logs + language: kuery + license: '' + maxSignals: 100 + meta: + from: 1h + kibana_siem_app_url: https://localhost:5601/app/security + outputIndex: '' + query: '*' + references: [] + riskScore: 21 + riskScoreMapping: [] + ruleId: an_internal_rule_id + severity: low + severityMapping: [] + threat: [] + threshold: + cardinality: [] + field: + - bytes + value: 1 + to: now + type: threshold + version: 1 + revision: 1 + rule_type_id: siem.thresholdRule + running: false + schedule: + interval: 1m + scheduled_task_id: 6107a8f0-f401-11ed-9f8e-399c75a2deeb + tags: [] + throttle: null + updated_at: '2023-05-16T20:25:42.559Z' + updated_by: elastic + page: 1 + per_page: 10 + total: 1 + schema: + additionalProperties: false + type: object + properties: + data: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_response' + type: array + page: + type: number + per_page: + type: number + total: + type: number + required: + - page + - per_page + - total + - data + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + summary: Get information about rules + tags: + - alerting + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/alerting/rules/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/alerting/rules/backfill/_find: + post: + operationId: post-alerting-rules-backfill-find + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The end date for filtering backfills. + in: query + name: end + required: false + schema: + type: string + - description: The page number to return. + in: query + name: page + required: false + schema: + default: 1 + minimum: 1 + type: number + - description: The number of backfills to return per page. + in: query + name: per_page + required: false + schema: + default: 10 + minimum: 0 + type: number + - description: A comma-separated list of rule identifiers. + in: query + name: rule_ids + required: false + schema: + type: string + - description: The initiator of the backfill, either `user` for manual backfills or `system` for automatic gap fills. + in: query + name: initiator + required: false + schema: + enum: + - user + - system + type: string + - description: The start date for filtering backfills. + in: query + name: start + required: false + schema: + type: string + - description: The field to sort backfills by. + in: query + name: sort_field + required: false + schema: + enum: + - createdAt + - start + type: string + - description: The sort order. 
+ in: query + name: sort_order + required: false + schema: + enum: + - asc + - desc + type: string + responses: + '200': + content: + application/json: + examples: + findBackfillResponse: + summary: Find backfills response + value: + data: + - created_at: '2024-01-30T00:00:00.000Z' + duration: 12h + enabled: true + id: 85bdf571-f4fb-4666-a8d2-e05e1220ebc6 + initiator: user + rule: + api_key_owner: elastic + consumer: alerts + created_at: '2022-12-05T23:40:33.132Z' + created_by: elastic + enabled: true + id: 3583a470-74f6-11ed-9801-35303b735aef + name: my alert + params: + aggField: sheet.version + aggType: avg + groupBy: top + index: + - test-index + termField: name.keyword + termSize: 6 + threshold: + - 1000 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 5 + timeWindowUnit: m + revision: 0 + rule_type_id: .index-threshold + schedule: + interval: 1m + tags: + - cpu + updated_at: '2022-12-05T23:40:33.132Z' + updated_by: elastic + schedule: + - interval: 12h + run_at: '2024-01-01T12:00:00.000Z' + status: pending + - interval: 12h + run_at: '2024-01-02T00:00:00.000Z' + status: pending + space_id: default + start: '2024-01-01T00:00:00.000Z' + status: pending + page: 1 + per_page: 10 + total: 1 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_find_backfill_response' + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + summary: Find backfills for rules + tags: + - alerting + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/alerting/rules/backfill/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/alerting/rules/backfill/_schedule: + post: + operationId: post-alerting-rules-backfill-schedule + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + scheduleBackfillRequest: + summary: Schedule a backfill for an index threshold rule + value: + - ranges: + - end: '2024-01-02T00:00:00.000Z' + start: '2024-01-01T00:00:00.000Z' + rule_id: 3583a470-74f6-11ed-9801-35303b735aef + schema: + items: + additionalProperties: false + type: object + properties: + ranges: + items: + additionalProperties: false + type: object + properties: + end: + type: string + start: + type: string + required: + - start + - end + type: array + rule_id: + type: string + run_actions: + type: boolean + required: + - rule_id + - ranges + maxItems: 100 + minItems: 1 + type: array + responses: + '200': + content: + application/json: + examples: + scheduleBackfillResponse: + summary: Schedule backfill response + value: + - created_at: '2024-01-30T00:00:00.000Z' + duration: 12h + enabled: true + id: 85bdf571-f4fb-4666-a8d2-e05e1220ebc6 + initiator: user + rule: + api_key_owner: elastic + consumer: alerts + created_at: '2022-12-05T23:40:33.132Z' + created_by: elastic + enabled: true + id: 3583a470-74f6-11ed-9801-35303b735aef + name: my alert + params: + aggField: sheet.version + aggType: avg + groupBy: top + index: + - test-index + termField: name.keyword + termSize: 6 + threshold: + - 1000 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 5 + timeWindowUnit: m + revision: 0 + rule_type_id: .index-threshold + schedule: + interval: 1m + tags: + - cpu + updated_at: '2022-12-05T23:40:33.132Z' + updated_by: elastic + schedule: + - interval: 12h + run_at: '2024-01-01T12:00:00.000Z' + status: pending + - 
interval: 12h + run_at: '2024-01-02T00:00:00.000Z' + status: pending + space_id: default + start: '2024-01-01T00:00:00.000Z' + status: pending + schema: + items: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_backfill_response' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_backfill_error_response' + type: array + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. + summary: Schedule a backfill for rules + tags: + - alerting + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/alerting/rules/backfill/_schedule
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/alerting/rules/backfill/{id}: + delete: + operationId: delete-alerting-rules-backfill-id + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the backfill. + in: path + name: id + required: true + schema: + type: string + responses: + '204': + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a backfill with the given ID does not exist. + summary: Delete a backfill by ID + tags: + - alerting + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/alerting/rules/backfill/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + get: + operationId: get-alerting-rules-backfill-id + parameters: + - description: The identifier for the backfill. + in: path + name: id + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getBackfillResponse: + summary: Get a backfill for an index threshold rule + value: + created_at: '2024-01-30T00:00:00.000Z' + duration: 12h + enabled: true + id: 85bdf571-f4fb-4666-a8d2-e05e1220ebc6 + initiator: user + rule: + api_key_owner: elastic + consumer: alerts + created_at: '2022-12-05T23:40:33.132Z' + created_by: elastic + enabled: true + id: 3583a470-74f6-11ed-9801-35303b735aef + name: my alert + params: + aggField: sheet.version + aggType: avg + groupBy: top + index: + - test-index + termField: name.keyword + termSize: 6 + threshold: + - 1000 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 5 + timeWindowUnit: m + revision: 0 + rule_type_id: .index-threshold + schedule: + interval: 1m + tags: + - cpu + updated_at: '2022-12-05T23:40:33.132Z' + updated_by: elastic + schedule: + - interval: 12h + run_at: '2024-01-01T12:00:00.000Z' + status: pending + - interval: 12h + run_at: '2024-01-02T00:00:00.000Z' + status: pending + space_id: default + start: '2024-01-01T00:00:00.000Z' + status: pending + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_backfill_response' + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a backfill with the given ID does not exist. + summary: Get a backfill by ID + tags: + - alerting + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/alerting/rules/backfill/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/apm/agent_keys: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/apm/agent_keys
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new agent key for APM. + The user creating an APM agent API key must have at least the `manage_own_api_key` cluster privilege and the APM application-level privileges that it wishes to grant. + After it is created, you can copy the API key (Base64 encoded) and use it to to authorize requests from APM agents to the APM Server. + operationId: createAgentKey + parameters: + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - $ref: '#/components/parameters/APM_UI_kbn_xsrf' + requestBody: + content: + application/json: + examples: + createAgentKeyRequest1: + $ref: '#/components/examples/APM_UI_agent_keys_object_post_request1' + schema: + $ref: '#/components/schemas/APM_UI_agent_keys_object' + required: true + responses: + '200': + content: + application/json: + examples: + createAgentKeyResponse1: + $ref: '#/components/examples/APM_UI_agent_keys_object_post_200_response1' + schema: + $ref: '#/components/schemas/APM_UI_agent_keys_response' + description: Agent key created successfully + '400': + content: + application/json: + examples: + badRequestResponse: + $ref: '#/components/examples/APM_UI_error_400_response' + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + examples: + unauthorizedResponse: + $ref: '#/components/examples/APM_UI_error_401_response' + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '403': + content: + application/json: + examples: + forbiddenResponse: + $ref: '#/components/examples/APM_UI_error_403_response' + schema: + $ref: '#/components/schemas/APM_UI_403_response' + description: Forbidden response + '500': + content: + application/json: + examples: + internalServerErrorResponse: + $ref: '#/components/examples/APM_UI_error_500_response' + schema: + $ref: 
'#/components/schemas/APM_UI_500_response' + description: Internal Server Error response + summary: Create an APM agent key + tags: + - APM agent keys + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/apm/fleet/apm_server_schema: + post: + deprecated: true + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/apm/fleet/apm_server_schema
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + DEPRECATED: This endpoint is intended for internal use by Fleet integrations to push the APM Server configuration schema. Do not use for new integrations. It stores the provided schema object as a Kibana saved object. If Fleet migration is not available on the current deployment, the API returns a 404. + operationId: saveApmServerSchema + parameters: + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - $ref: '#/components/parameters/APM_UI_kbn_xsrf' + requestBody: + content: + application/json: + examples: + saveApmServerSchemaRequest: + description: An example request payload for `POST /api/apm/fleet/apm_server_schema`. + value: + schema: + foo: bar + schema: + type: object + properties: + schema: + additionalProperties: true + description: Schema object + example: + foo: bar + type: object + required: true + responses: + '200': + content: + application/json: + examples: + saveApmServerSchemaResponseExample1: + $ref: '#/components/examples/APM_UI_fleet_apm_server_schema_200_response1' + schema: + additionalProperties: false + description: The response body is intentionally empty for this endpoint. 
+ type: object + description: Successful response + '400': + content: + application/json: + examples: + badRequestResponse: + $ref: '#/components/examples/APM_UI_error_400_response' + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + examples: + unauthorizedResponse: + $ref: '#/components/examples/APM_UI_error_401_response' + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '403': + content: + application/json: + examples: + forbiddenResponse: + $ref: '#/components/examples/APM_UI_error_403_response' + schema: + $ref: '#/components/schemas/APM_UI_403_response' + description: Forbidden response + '404': + content: + application/json: + examples: + notFoundResponse: + $ref: '#/components/examples/APM_UI_error_404_response' + schema: + $ref: '#/components/schemas/APM_UI_404_response' + description: Not found response + summary: Save APM server schema + tags: + - APM server schema + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/apm/services/{serviceName}/annotation: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/apm/services/{serviceName}/annotation
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new annotation for a specific service. + operationId: createAnnotation + parameters: + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - $ref: '#/components/parameters/APM_UI_kbn_xsrf' + - description: The name of the service + in: path + name: serviceName + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + createAnnotationRequest1: + $ref: '#/components/examples/APM_UI_annotation_object_post_request1' + schema: + $ref: '#/components/schemas/APM_UI_create_annotation_object' + required: true + responses: + '200': + content: + application/json: + examples: + createAnnotationResponse1: + $ref: '#/components/examples/APM_UI_annotation_object_post_200_response1' + schema: + $ref: '#/components/schemas/APM_UI_create_annotation_response' + description: Annotation created successfully + '400': + content: + application/json: + examples: + badRequestResponse: + $ref: '#/components/examples/APM_UI_error_400_response' + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + examples: + unauthorizedResponse: + $ref: '#/components/examples/APM_UI_error_401_response' + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '403': + content: + application/json: + examples: + forbiddenResponse: + $ref: '#/components/examples/APM_UI_error_403_response' + schema: + $ref: '#/components/schemas/APM_UI_403_response' + description: Forbidden response + '404': + content: + application/json: + examples: + notFoundResponse: + $ref: '#/components/examples/APM_UI_error_404_response' + schema: + $ref: '#/components/schemas/APM_UI_404_response' + description: Not found response + summary: Create a service annotation + tags: + - APM annotations + x-codeSamples: + - lang: Curl + source: | + curl -X 
POST \ + http://localhost:5601/api/apm/services/opbeans-java/annotation \ + -H 'Content-Type: application/json' \ + -H 'kbn-xsrf: true' \ + -H 'Authorization: Basic YhUlubWZhM0FDbnlQeE6WRtaW49FQmSGZ4RUWXdX' \ + -d '{ + "@timestamp": "2020-05-08T10:31:30.452Z", + "service": { + "version": "1.2" + }, + "message": "Deployment 1.2" + }' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/apm/services/{serviceName}/annotation/search: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/apm/services/{serviceName}/annotation/search
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Search for annotations related to a specific service. + operationId: getAnnotation + parameters: + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - description: The name of the service + in: path + name: serviceName + required: true + schema: + type: string + - description: The environment to filter annotations by + in: query + name: environment + required: false + schema: + type: string + - description: The start date for the search + example: '2024-01-01T00:00:00.000Z' + in: query + name: start + required: false + schema: + format: date-time + type: string + - description: The end date for the search + example: '2024-01-31T23:59:59.999Z' + in: query + name: end + required: false + schema: + format: date-time + type: string + responses: + '200': + content: + application/json: + examples: + getAnnotationResponse1: + $ref: '#/components/examples/APM_UI_annotation_search_get_200_response1' + schema: + $ref: '#/components/schemas/APM_UI_annotation_search_response' + description: Successful response + '400': + content: + application/json: + examples: + badRequestResponse: + $ref: '#/components/examples/APM_UI_error_400_response' + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + examples: + unauthorizedResponse: + $ref: '#/components/examples/APM_UI_error_401_response' + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '500': + content: + application/json: + examples: + internalServerErrorResponse: + $ref: '#/components/examples/APM_UI_error_500_response' + schema: + $ref: '#/components/schemas/APM_UI_500_response' + description: Internal Server Error response + summary: Search for annotations + tags: + - APM annotations + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + 
/api/apm/settings/agent-configuration: + delete: + description: | + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/apm/settings/agent-configuration
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete an existing agent configuration. You must have `all` privileges for the APM and User Experience feature in Kibana. When successful, the configuration is removed and, if Fleet is enabled, APM package policies are synchronized accordingly. + operationId: deleteAgentConfiguration + parameters: + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - $ref: '#/components/parameters/APM_UI_kbn_xsrf' + requestBody: + content: + application/json: + examples: + deleteAgentConfigurationRequest1: + $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_delete_request1' + schema: + $ref: '#/components/schemas/APM_UI_delete_service_object' + required: true + responses: + '200': + content: + application/json: + examples: + deleteAgentConfigurationResponseExample1: + $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_delete_200_response1' + schema: + $ref: '#/components/schemas/APM_UI_delete_agent_configurations_response' + description: Successful response + '400': + content: + application/json: + examples: + badRequestResponse: + $ref: '#/components/examples/APM_UI_error_400_response' + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + examples: + unauthorizedResponse: + $ref: '#/components/examples/APM_UI_error_401_response' + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '403': + content: + application/json: + examples: + forbiddenResponse: + $ref: '#/components/examples/APM_UI_error_403_response' + schema: + $ref: '#/components/schemas/APM_UI_403_response' + description: Forbidden response + '404': + content: + application/json: + examples: + notFoundResponse: + $ref: '#/components/examples/APM_UI_error_404_response' + schema: + $ref: '#/components/schemas/APM_UI_404_response' + 
description: Not found response + summary: Delete agent configuration + tags: + - APM agent configuration + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/apm/settings/agent-configuration
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve all agent configurations. You must have `read` privileges for the APM and User Experience feature in Kibana. If agent configuration is not available on the current deployment, the API returns a 404. + operationId: getAgentConfigurations + parameters: + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + responses: + '200': + content: + application/json: + examples: + getAgentConfigurationsResponseExample1: + $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_get_200_response1' + schema: + $ref: '#/components/schemas/APM_UI_agent_configurations_response' + description: Successful response + '400': + content: + application/json: + examples: + badRequestResponse: + $ref: '#/components/examples/APM_UI_error_400_response' + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + examples: + unauthorizedResponse: + $ref: '#/components/examples/APM_UI_error_401_response' + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '404': + content: + application/json: + examples: + notFoundResponse: + $ref: '#/components/examples/APM_UI_error_404_response' + schema: + $ref: '#/components/schemas/APM_UI_404_response' + description: Not found response + summary: Get a list of agent configurations + tags: + - APM agent configuration + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: | + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/apm/settings/agent-configuration
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create or update an agent configuration. You must have `all` privileges for the APM and User Experience feature in Kibana. When updating an existing configuration, the `?overwrite=true` query parameter is required. If the configuration already exists and `overwrite` is not set to `true`, the API returns a 400 error. When successful and Fleet is enabled, APM package policies are synchronized accordingly. + operationId: createUpdateAgentConfiguration + parameters: + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - $ref: '#/components/parameters/APM_UI_kbn_xsrf' + - description: If the config exists ?overwrite=true is required + in: query + name: overwrite + schema: + type: boolean + requestBody: + content: + application/json: + examples: + createUpdateAgentConfigurationRequestExample1: + $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_put_request1' + schema: + $ref: '#/components/schemas/APM_UI_agent_configuration_intake_object' + required: true + responses: + '200': + content: + application/json: + examples: + createUpdateAgentConfigurationResponseExample1: + $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_put_200_response1' + schema: + additionalProperties: false + description: The response body is intentionally empty for this endpoint. 
+ type: object + description: Successful response + '400': + content: + application/json: + examples: + badRequestResponse: + $ref: '#/components/examples/APM_UI_error_400_response' + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + examples: + unauthorizedResponse: + $ref: '#/components/examples/APM_UI_error_401_response' + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '403': + content: + application/json: + examples: + forbiddenResponse: + $ref: '#/components/examples/APM_UI_error_403_response' + schema: + $ref: '#/components/schemas/APM_UI_403_response' + description: Forbidden response + '404': + content: + application/json: + examples: + notFoundResponse: + $ref: '#/components/examples/APM_UI_error_404_response' + schema: + $ref: '#/components/schemas/APM_UI_404_response' + description: Not found response + summary: Create or update agent configuration + tags: + - APM agent configuration + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/apm/settings/agent-configuration/agent_name: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/apm/settings/agent-configuration/agent_name
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve `agentName` for a service. + operationId: getAgentNameForService + parameters: + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - description: The name of the service + example: node + in: query + name: serviceName + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getAgentNameForServiceResponse1: + $ref: '#/components/examples/APM_UI_service_agent_name_get_200_response1' + schema: + $ref: '#/components/schemas/APM_UI_service_agent_name_response' + description: Successful response + '400': + content: + application/json: + examples: + badRequestResponse: + $ref: '#/components/examples/APM_UI_error_400_response' + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + examples: + unauthorizedResponse: + $ref: '#/components/examples/APM_UI_error_401_response' + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '404': + content: + application/json: + examples: + notFoundResponse: + $ref: '#/components/examples/APM_UI_error_404_response' + schema: + $ref: '#/components/schemas/APM_UI_404_response' + description: Not found response + summary: Get agent name for service + tags: + - APM agent configuration + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/apm/settings/agent-configuration/environments: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/apm/settings/agent-configuration/environments
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve the available environments for a given service, to be used in agent configuration. You must have `read` privileges for the APM and User Experience feature in Kibana. If `serviceName` is omitted, environments across all services are returned. + operationId: getEnvironmentsForService + parameters: + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - description: The name of the service. If omitted, environments across all services are returned. + example: opbeans-node + in: query + name: serviceName + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getEnvironmentsForServiceResponseExample1: + $ref: '#/components/examples/APM_UI_agent_configuration_environments_200_response1' + schema: + $ref: '#/components/schemas/APM_UI_service_environments_response' + description: Successful response + '400': + content: + application/json: + examples: + badRequestResponse: + $ref: '#/components/examples/APM_UI_error_400_response' + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + examples: + unauthorizedResponse: + $ref: '#/components/examples/APM_UI_error_401_response' + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '404': + content: + application/json: + examples: + notFoundResponse: + $ref: '#/components/examples/APM_UI_error_404_response' + schema: + $ref: '#/components/schemas/APM_UI_404_response' + description: Not found response + summary: Get environments for service + tags: + - APM agent configuration + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/apm/settings/agent-configuration/search: + post: + deprecated: true + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/apm/settings/agent-configuration/search
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + DEPRECATED: This endpoint is intended for internal use by APM agents to fetch their configuration and mark it as applied. Do not use for new integrations. It searches for a single agent configuration matching the given service, and optionally updates the `applied_by_agent` field when the provided `etag` matches the current configuration. + operationId: searchSingleConfiguration + parameters: + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - $ref: '#/components/parameters/APM_UI_kbn_xsrf' + requestBody: + content: + application/json: + examples: + searchSingleConfigurationRequest1: + $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_search_request1' + schema: + $ref: '#/components/schemas/APM_UI_search_agent_configuration_object' + required: true + responses: + '200': + content: + application/json: + examples: + searchSingleConfigurationResponse1: + $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_search_200_response1' + schema: + $ref: '#/components/schemas/APM_UI_search_agent_configuration_response' + description: Successful response + '400': + content: + application/json: + examples: + badRequestResponse: + $ref: '#/components/examples/APM_UI_error_400_response' + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + examples: + unauthorizedResponse: + $ref: '#/components/examples/APM_UI_error_401_response' + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '404': + content: + application/json: + examples: + notFoundResponse: + $ref: '#/components/examples/APM_UI_error_404_response' + schema: + $ref: '#/components/schemas/APM_UI_404_response' + description: Not found response + summary: Lookup single agent configuration + tags: + - APM agent configuration + x-metaTags: + - 
content: Kibana, Elastic Cloud Serverless + name: product_name + /api/apm/settings/agent-configuration/view: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/apm/settings/agent-configuration/view
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve a single agent configuration matching the given service name and environment. You must have `read` privileges for the APM and User Experience feature in Kibana. If no matching configuration is found, the API returns a 404. + operationId: getSingleAgentConfiguration + parameters: + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - description: Service name + example: node + in: query + name: name + schema: + type: string + - description: Service environment + example: prod + in: query + name: environment + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getSingleAgentConfigurationResponseExample1: + $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_view_200_response1' + schema: + $ref: '#/components/schemas/APM_UI_single_agent_configuration_response' + description: Successful response + '400': + content: + application/json: + examples: + badRequestResponse: + $ref: '#/components/examples/APM_UI_error_400_response' + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + examples: + unauthorizedResponse: + $ref: '#/components/examples/APM_UI_error_401_response' + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '404': + content: + application/json: + examples: + notFoundResponse: + $ref: '#/components/examples/APM_UI_error_404_response' + schema: + $ref: '#/components/schemas/APM_UI_404_response' + description: Not found response + summary: Get single agent configuration + tags: + - APM agent configuration + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/asset_criticality: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/asset_criticality
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete the asset criticality record for a specific entity. + operationId: DeleteAssetCriticalityRecord + parameters: + - description: The ID value of the asset. + example: my_host + in: query + name: id_value + required: true + schema: + type: string + - description: The field representing the ID. + example: host.name + in: query + name: id_field + required: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_IdField' + - description: If 'wait_for' the request will wait for the index refresh. + in: query + name: refresh + required: false + schema: + enum: + - wait_for + type: string + responses: + '200': + content: + application/json: + schema: + type: object + properties: + deleted: + description: True if the record was deleted or false if the record did not exist. + type: boolean + record: + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord' + description: The deleted record if it existed. + required: + - deleted + description: Successful response + '400': + description: Invalid request + summary: Delete an asset criticality record + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/asset_criticality
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the asset criticality record for a specific entity. + operationId: GetAssetCriticalityRecord + parameters: + - description: The ID value of the asset. + example: my_host + in: query + name: id_value + required: true + schema: + type: string + - description: The field representing the ID. + example: host.name + in: query + name: id_field + required: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_IdField' + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord' + description: Successful response + '400': + description: Invalid request + '404': + description: Criticality record not found + summary: Get an asset criticality record + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/asset_criticality
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create or update an asset criticality record for a specific entity. + + If a record already exists for the specified entity, that record is overwritten with the specified value. If a record doesn't exist for the specified entity, a new record is created. + operationId: CreateAssetCriticalityRecord + requestBody: + content: + application/json: + schema: + allOf: + - $ref: '#/components/schemas/Security_Entity_Analytics_API_CreateAssetCriticalityRecord' + - type: object + properties: + refresh: + description: If 'wait_for' the request will wait for the index refresh. + enum: + - wait_for + type: string + example: + criticality_level: high_impact + id_field: host.name + id_value: my_host + required: true + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord' + description: Successful response + '400': + description: Invalid request + summary: Upsert an asset criticality record + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/asset_criticality/bulk: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/asset_criticality/bulk
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Bulk upsert up to 1000 asset criticality records. + + If asset criticality records already exist for the specified entities, those records are overwritten with the specified values. If asset criticality records don't exist for the specified entities, new records are created. + operationId: BulkUpsertAssetCriticalityRecords + requestBody: + content: + application/json: + schema: + example: + records: + - criticality_level: low_impact + id_field: host.name + id_value: host-1 + - criticality_level: medium_impact + id_field: host.name + id_value: host-2 + type: object + properties: + records: + items: + allOf: + - $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordIdParts' + - type: object + properties: + criticality_level: + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevelsForBulkUpload' + required: + - criticality_level + maxItems: 1000 + minItems: 1 + type: array + required: + - records + responses: + '200': + content: + application/json: + schema: + example: + errors: + - index: 0 + message: Invalid ID field + stats: + failed: 1 + successful: 1 + total: 2 + type: object + properties: + errors: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityBulkUploadErrorItem' + type: array + stats: + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityBulkUploadStats' + required: + - errors + - stats + description: Bulk upload successful + '413': + description: File too large + summary: Bulk upsert asset criticality records + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/asset_criticality/list: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/asset_criticality/list
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List asset criticality records, paging, sorting and filtering as needed. + operationId: FindAssetCriticalityRecords + parameters: + - description: The field to sort by. + in: query + name: sort_field + required: false + schema: + enum: + - id_value + - id_field + - criticality_level + - '@timestamp' + type: string + - description: The order to sort by. + in: query + name: sort_direction + required: false + schema: + enum: + - asc + - desc + type: string + - description: The page number to return. + in: query + name: page + required: false + schema: + minimum: 1 + type: integer + - description: The number of records to return per page. + in: query + name: per_page + required: false + schema: + maximum: 1000 + minimum: 1 + type: integer + - description: The kuery to filter by. + in: query + name: kuery + required: false + schema: + type: string + responses: + '200': + content: + application/json: + schema: + example: + page: 1 + per_page: 10 + records: + - '@timestamp': '2024-08-02T14:40:35.705Z' + asset: + criticality: medium_impact + criticality_level: medium_impact + host: + asset: + criticality: medium_impact + name: my_other_host + id_field: host.name + id_value: my_other_host + - '@timestamp': '2024-08-02T11:15:34.290Z' + asset: + criticality: high_impact + criticality_level: high_impact + host: + asset: + criticality: high_impact + name: my_host + id_field: host.name + id_value: my_host + total: 2 + type: object + properties: + page: + minimum: 1 + type: integer + per_page: + maximum: 1000 + minimum: 1 + type: integer + records: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord' + type: array + total: + minimum: 0 + type: integer + required: + - records + - page + - per_page + - total + description: Successfully retrieved asset criticality records + summary: List asset criticality records + tags: + - Security Entity 
Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/attack_discovery/_bulk: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/attack_discovery/_bulk
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Performs bulk updates on multiple Attack discoveries, including workflow status changes and visibility settings. This endpoint allows efficient batch processing of alert modifications without requiring individual API calls for each alert. + operationId: PostAttackDiscoveryBulk + requestBody: + content: + application/json: + examples: + PostAttackDiscoveryBulkRequestBodyExample: + summary: Acknowledge two Attack discoveries in bulk. + value: + update: + enable_field_rendering: false + ids: + - c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f + - 5aa8f2900c0b03854b3b1a52a19558c5ea9893865c78235d4ad3dcc46196f4c7 + kibana_alert_workflow_status: acknowledged + with_replacements: true + schema: + type: object + properties: + update: + description: Configuration object containing all parameters for the bulk update operation + type: object + properties: + enable_field_rendering: + default: false + description: Enables a markdown syntax used to render pivot fields, for example `{{ user.name james }}`. When disabled, the same example would be rendered as `james`. This is primarily used for Attack Discovery views within Kibana. Defaults to `false`. 
+ example: false + type: boolean + ids: + description: Array of Attack Discovery IDs to update + example: + - c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f + - 5aa8f2900c0b03854b3b1a52a19558c5ea9893865c78235d4ad3dcc46196f4c7 + items: + type: string + type: array + kibana_alert_workflow_status: + description: When provided, update the kibana.alert.workflow_status of the attack discovery alerts + enum: + - open + - acknowledged + - closed + example: acknowledged + type: string + visibility: + description: When provided, update the visibility of the alert, as determined by the kibana.alert.attack_discovery.users field + enum: + - not_shared + - shared + example: shared + type: string + with_replacements: + default: true + description: When true, returns the updated Attack discoveries with text replacements applied to the detailsMarkdown, entitySummaryMarkdown, summaryMarkdown, and title fields. This substitutes anonymized values with human-readable equivalents. Defaults to `true`. + example: true + type: boolean + required: + - ids + required: + - update + description: Bulk update parameters for Attack discoveries + required: true + responses: + '200': + content: + application/json: + examples: + PostAttackDiscoveryBulkResponse200Example: + summary: A successful bulk update response containing the modified Attack discoveries. + value: + data: + - alert_ids: + - alert-abc-1 + alert_workflow_status: acknowledged + connector_id: gen-ai-connector + connector_name: OpenAI GPT-4 + details_markdown: '- **Host** `workstation-01` showed credential access patterns consistent with mimikatz.' + generation_uuid: 550e8400-e29b-41d4-a716-446655440000 + id: c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f + summary_markdown: A user account was compromised using mimikatz to dump credentials. 
+ timestamp: '2024-01-15T10:00:00.000Z' + title: Credential theft via mimikatz + schema: + type: object + properties: + data: + description: Array of updated Attack Discovery alert objects. Each item includes the applied modifications from the bulk update request. + items: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiAlert' + type: array + required: + - data + description: Indicates a successful call. + '400': + content: + application/json: + examples: + PostAttackDiscoveryBulkResponse400Example: + summary: Bad Request error returned when the bulk update payload is invalid. + value: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + type: object + properties: + error: + description: Error type + example: Bad Request + type: string + message: + description: Human-readable error message describing what went wrong with the bulk update request + example: Invalid request parameters. + type: string + status_code: + description: HTTP status code + example: 400 + type: number + required: + - status_code + - error + - message + description: Bad Request response. + summary: Bulk update Attack discoveries + tags: + - Security Attack discovery API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request POST 'http://localhost:5601/api/attack_discovery/_bulk' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" \ + --data-raw '{ + "update": { + "ids": [ + "c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f", + "5aa8f2900c0b03854b3b1a52a19558c5ea9893865c78235d4ad3dcc46196f4c7" + ], + "kibana_alert_workflow_status": "acknowledged" + } + }' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/attack_discovery/_find: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/attack_discovery/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Find Attack discoveries that match the search criteria. Supports free text search, filtering, pagination, and sorting. + operationId: AttackDiscoveryFind + parameters: + - description: Filter results to Attack discoveries that include any of the provided alert IDs + in: query + name: alert_ids + required: false + schema: + items: + type: string + type: array + - description: Filter results to Attack discoveries created by any of the provided human readable connector names. Note that values must match the human readable `connector_name` property of an Attack discovery, e.g. "GPT-5 Chat", which are distinct from `connector_id` values used to generate Attack discoveries. + in: query + name: connector_names + required: false + schema: + items: + type: string + type: array + - description: Enables a markdown syntax used to render pivot fields, for example `{{ user.name james }}`. When disabled, the same example would be rendered as `james`. This is primarily used for Attack Discovery views within Kibana. Defaults to `false`. + example: false + in: query + name: enable_field_rendering + required: false + schema: + default: false + type: boolean + - description: End of the time range for the search. Accepts absolute timestamps (ISO 8601) or relative date math (e.g. "now", "now-24h"). + example: now + in: query + name: end + required: false + schema: + type: string + - description: Filter results to the Attack discoveries with the specified IDs + in: query + name: ids + required: false + schema: + items: + type: string + type: array + - description: If `true`, the response will include `unique_alert_ids` and `unique_alert_ids_count` aggregated across the matched Attack discoveries + example: false + in: query + name: include_unique_alert_ids + required: false + schema: + type: boolean + - description: Page number to return (used for pagination). Defaults to 1. 
+ example: 1 + in: query + name: page + required: false + schema: + default: 1 + minimum: 1 + type: integer + - description: Number of Attack discoveries to return per page (used for pagination). Defaults to 10. + example: 10 + in: query + name: per_page + required: false + schema: + default: 10 + minimum: 1 + type: integer + - description: Free-text search query applied to relevant text fields of Attack discoveries (title, description, tags, etc.) + example: '' + in: query + name: search + required: false + schema: + type: string + - description: Whether to filter by shared visibility. If omitted, both shared and privately visible Attack discoveries are returned. Use `true` to return only shared discoveries, `false` to return only those visible to the current user. + in: query + name: shared + required: false + schema: + type: boolean + - description: Whether to filter by scheduled or ad-hoc attack discoveries. If omitted, both types of attack discoveries are returned. Use `true` to return only scheduled discoveries or `false` to return only ad-hoc discoveries. + in: query + name: scheduled + required: false + schema: + type: boolean + - description: Field used to sort results. See `AttackDiscoveryFindSortField` for allowed values. + example: '@timestamp' + in: query + name: sort_field + required: false + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryFindSortField' + default: '@timestamp' + - description: Sort order direction `asc` for ascending or `desc` for descending. Defaults to `desc`. + example: desc + in: query + name: sort_order + required: false + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_SortOrder' + default: desc + - description: Start of the time range for the search. Accepts absolute timestamps (ISO 8601) or relative date math (e.g. "now-7d"). + example: now-24h + in: query + name: start + required: false + schema: + type: string + - description: Filter by alert workflow status. 
Provide one or more of the allowed workflow states. + example: + - open + - acknowledged + in: query + name: status + required: false + schema: + items: + enum: + - acknowledged + - closed + - open + type: string + type: array + - description: When true, return the created Attack discoveries with text replacements applied to the detailsMarkdown, entitySummaryMarkdown, summaryMarkdown, and title fields. Defaults to `true`. + example: true + in: query + name: with_replacements + required: false + schema: + default: true + type: boolean + responses: + '200': + content: + application/json: + examples: + AttackDiscoveryFindResponse200Example: + summary: Paginated list of Attack discoveries matching the search criteria. + value: + connector_names: + - GPT-5 Chat + data: + - connector_name: GPT-5 Chat + id: c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f + title: Suspicious process execution on host-01 + page: 1 + per_page: 10 + total: 1 + unique_alert_ids_count: 0 + schema: + type: object + properties: + connector_names: + description: List of human readable connector names that are present in the matched Attack discoveries. Useful for building client filters or summaries. + items: + type: string + type: array + data: + description: Array of matched Attack discovery objects. Each item follows the `AttackDiscoveryApiAlert` schema. + items: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiAlert' + type: array + page: + description: Current page number of the paginated result set. + type: integer + per_page: + description: Number of items requested per page. + type: integer + total: + description: Total number of Attack discoveries matching the query (across all pages). + type: integer + unique_alert_ids: + description: List of unique alert IDs aggregated from the matched Attack discoveries. Only present if `include_unique_alert_ids=true` in the request. 
+ items: + type: string + type: array + unique_alert_ids_count: + description: Number of unique alert IDs across all matched Attack discoveries. Only present if `include_unique_alert_ids=true` in the request. + type: integer + required: + - connector_names + - data + - page + - per_page + - total + - unique_alert_ids_count + description: Indicates a successful call. + '400': + content: + application/json: + examples: + AttackDiscoveryFindResponse400Example: + summary: Bad Request error returned when find query parameters are invalid. + value: + error: Bad Request + message: Invalid request payload. + status_code: 400 + schema: + type: object + properties: + error: + description: Error type + example: Bad Request + type: string + message: + description: Human-readable error message + example: Invalid request payload. + type: string + status_code: + description: HTTP status code + example: 400 + type: number + description: Bad Request response. + summary: Find Attack discoveries that match the search criteria + tags: + - Security Attack discovery API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request GET 'http://localhost:5601/api/attack_discovery/_find?end=now&include_unique_alert_ids=false&page=1&per_page=10&search=&sort_field=%40timestamp&sort_order=desc&start=now-24h&status=open&status=acknowledged' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/attack_discovery/_generate: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/attack_discovery/_generate
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Initiates the generation of attack discoveries by analyzing security alerts using AI. Returns an execution UUID that can be used to track the generation progress and retrieve results. Results may also be retrieved via the find endpoint. + operationId: PostAttackDiscoveryGenerate + requestBody: + content: + application/json: + examples: + PostAttackDiscoveryGenerateRequestBodyExample: + summary: Generate Attack discoveries from alerts in the last 24 hours. + value: + alertsIndexPattern: .alerts-security.alerts-default + anonymizationFields: + - allowed: true + anonymized: true + field: host.name + - allowed: true + anonymized: true + field: user.name + - allowed: true + anonymized: false + field: process.name + apiConfig: + actionTypeId: .gen-ai + connectorId: 12345678-1234-1234-1234-123456789012 + connectorName: GPT-5 Chat + end: now + replacements: {} + size: 100 + start: now-24h + subAction: invokeAI + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenerationConfig' + required: true + responses: + '200': + content: + application/json: + examples: + PostAttackDiscoveryGenerateResponse200Example: + summary: Generation started; use the returned execution UUID to track progress. + value: + execution_uuid: edd26039-0990-4d9f-9829-2a1fcacb77b5 + schema: + type: object + properties: + execution_uuid: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + description: The unique identifier for the attack discovery generation process. Use this UUID to track the generation progress and retrieve results via the find endpoint. + example: edd26039-0990-4d9f-9829-2a1fcacb77b5 + required: + - execution_uuid + description: Indicates a successful call. 
+ '400': + content: + application/json: + examples: + PostAttackDiscoveryGenerateResponse400Example: + summary: Bad Request error returned when the generate payload is invalid. + value: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + type: object + properties: + error: + description: Error type + example: Bad Request + type: string + message: + description: Human-readable error message describing what went wrong + example: Invalid request parameters. + type: string + status_code: + description: HTTP status code + example: 400 + type: number + required: + - status_code + - error + - message + description: Bad Request response. + summary: Generate attack discoveries from alerts + tags: + - Security Attack discovery API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request POST 'http://localhost:5601/api/attack_discovery/_generate' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" \ + --data '{ + "alertsIndexPattern": ".alerts-security.alerts-default", + "anonymizationFields": [ + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "@timestamp", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "aKiJW5gB4U27o8XO8oLf" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "Ransomware.feature", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "saiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "Ransomware.files.data", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "sqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "Ransomware.files.entropy", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": 
"s6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "Ransomware.files.extension", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "tKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "Ransomware.files.metrics", + "allowed": true, + "anonymized": false, + "namespace": "default", "id": "taiJW5gB4U27o8XO8oLg" }, { @@ -2909,2164 +10140,12014 @@ paths: "connectorId": "12345678-1234-1234-1234-123456789012", "actionTypeId": ".gen-ai" }, - "connectorName": "GPT-5 Chat", - "end": "now", - "start": "now-24h" - }' - /api/attack_discovery/generations: + "connectorName": "GPT-5 Chat", + "end": "now", + "start": "now-24h" + }' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/attack_discovery/generations: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/attack_discovery/generations
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the latest Attack Discovery generations metadata (that are not dismissed) for the current user. This endpoint retrieves generation metadata including execution status and statistics for Attack Discovery generations. + operationId: GetAttackDiscoveryGenerations + parameters: + - description: End of the time range for filtering generations. Accepts absolute timestamps (ISO 8601) or relative date math (e.g. "now", "now-24h"). + example: now + in: query + name: end + required: false + schema: + type: string + - description: The maximum number of generations to retrieve + example: 50 + in: query + name: size + required: false + schema: + default: 50 + minimum: 1 + type: number + - description: Start of the time range for filtering generations. Accepts absolute timestamps (ISO 8601) or relative date math (e.g. "now-7d"). + example: now-24h + in: query + name: start + required: false + schema: + type: string + responses: + '200': + content: + application/json: + examples: + GetAttackDiscoveryGenerationsResponse200Example: + summary: Latest Attack Discovery generation metadata for the current user. + value: + generations: + - alerts_context_count: 75 + connector_id: chatGpt5_0ChatAzure + discoveries: 3 + end: '2025-09-29T06:42:44.810Z' + execution_uuid: 46b218d5-535d-4329-be56-d0f6af6986b7 + loading_message: AI is analyzing up to 100 alerts in the last 24 hours to generate discoveries. + start: '2025-09-29T06:42:08.962Z' + status: succeeded + schema: + type: object + properties: + generations: + description: List of Attack Discovery generations + items: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGeneration' + type: array + required: + - generations + description: Indicates a successful call. 
+ '400': + content: + application/json: + examples: + GetAttackDiscoveryGenerationsResponse400Example: + summary: Bad Request error returned when the size parameter is invalid. + value: + error: Bad Request + message: Invalid size parameter. Must be a positive number. + status_code: 400 + schema: + type: object + properties: + error: + description: Error type + example: Bad Request + type: string + message: + description: Human-readable error message + example: Invalid size parameter. Must be a positive number. + type: string + status_code: + description: HTTP status code + example: 400 + type: number + description: Bad Request response. + summary: Get the latest Attack Discovery generations metadata for the current user + tags: + - Security Attack discovery API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request GET 'http://localhost:5601/api/attack_discovery/generations?size=50&start=now-24h&end=now' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/attack_discovery/generations/{execution_uuid}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/attack_discovery/generations/{execution_uuid}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Returns a specific Attack Discovery generation, including all generated Attack discoveries and associated metadata, including execution status and statistics. + operationId: GetAttackDiscoveryGeneration + parameters: + - description: The unique identifier for the Attack Discovery generation execution. This UUID is returned at the start of an Attack Discovery generation. + example: 2e13f386-46cf-4d65-9e2b-68609e132ba5 + in: path + name: execution_uuid + required: true + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + - description: Enables a markdown syntax used to render pivot fields, for example `{{ user.name james }}`. When disabled, the same example would be rendered as `james`. This is primarily used for Attack Discovery views within Kibana. Defaults to `false`. + example: false + in: query + name: enable_field_rendering + required: false + schema: + default: false + type: boolean + - description: When true, return the created Attack discoveries with text replacements applied to the detailsMarkdown, entitySummaryMarkdown, summaryMarkdown, and title fields. Defaults to `true`. + example: true + in: query + name: with_replacements + required: false + schema: + default: true + type: boolean + responses: + '200': + content: + application/json: + examples: + GetAttackDiscoveryGenerationResponse200Example: + summary: Single Attack Discovery generation with its discoveries and metadata. 
+ value: + data: + - id: c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f + title: Suspicious process execution on host-01 + generation: + alerts_context_count: 50 + discoveries: 1 + end: '2025-09-29T06:42:44.810Z' + execution_uuid: 2e13f386-46cf-4d65-9e2b-68609e132ba5 + start: '2025-09-29T06:42:08.962Z' + status: succeeded + schema: + type: object + properties: + data: + description: Array of Attack discoveries generated during this execution. + items: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiAlert' + type: array + generation: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGeneration' + description: Optional metadata about the attack discovery generation process, metadata including execution status and statistics. This metadata may not be available for all generations. + required: + - data + description: Indicates a successful call. + '400': + content: + application/json: + examples: + GetAttackDiscoveryGenerationResponse400Example: + summary: Bad Request error returned when the get-generation request is invalid. + value: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + type: object + properties: + error: + description: Error type + example: Bad Request + type: string + message: + description: Human-readable error message describing what went wrong with the request + example: Invalid request parameters. + type: string + status_code: + description: HTTP status code + example: 400 + type: number + required: + - status_code + - error + - message + description: Bad Request response. 
+ summary: Get a single Attack Discovery generation, including its discoveries and (optional) generation metadata + tags: + - Security Attack discovery API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request GET 'http://localhost:5601/api/attack_discovery/generations/2e13f386-46cf-4d65-9e2b-68609e132ba5' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/attack_discovery/generations/{execution_uuid}/_dismiss: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/attack_discovery/generations/{execution_uuid}/_dismiss
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Dismisses an Attack Discovery generation for the current user, indicating that its status should not be reported in the UI. This sets the generation's status to "dismissed" and affects how the generation appears in subsequent queries. + operationId: PostAttackDiscoveryGenerationsDismiss + parameters: + - description: The unique identifier for the Attack Discovery generation execution. This UUID is returned when an Attack Discovery generation is created and can be found in generation responses. + example: 46b218d5-535d-4329-be56-d0f6af6986b7 + in: path + name: execution_uuid + required: true + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + responses: + '200': + content: + application/json: + examples: + PostAttackDiscoveryGenerationsDismissResponse200Example: + summary: Successfully dismissed an Attack Discovery generation. + value: + alerts_context_count: 75 + connector_id: chatGpt5_0ChatAzure + discoveries: 3 + end: '2025-09-29T06:42:44.810Z' + execution_uuid: 46b218d5-535d-4329-be56-d0f6af6986b7 + loading_message: AI is analyzing up to 100 alerts in the last 24 hours to generate discoveries. + start: '2025-09-29T06:42:08.962Z' + status: dismissed + schema: + type: object + properties: + alerts_context_count: + description: The number of alerts that were sent as context to the LLM for this generation. + example: 75 + type: number + connector_id: + description: The unique identifier of the connector used to generate the attack discoveries. + example: chatGpt5_0ChatAzure + type: string + connector_stats: + description: Statistical information about the connector's performance for this user, providing insights into usage patterns and success rates. 
+ type: object + properties: + average_successful_duration_nanoseconds: + description: The average duration in nanoseconds for successful generations using this connector by the current user. + example: 47958500000 + type: number + successful_generations: + description: The total number of Attack discoveries successfully created for this generation + example: 2 + type: number + discoveries: + description: The number of attack discoveries that were generated during this execution. + example: 3 + type: number + end: + description: The timestamp when the generation process completed, in ISO 8601 format. This field may be absent for generations that haven't finished. + example: '2025-09-29T06:42:44.810Z' + type: string + execution_uuid: + description: The unique identifier for this attack discovery generation execution. This UUID can be used to reference this specific generation in other API calls. + example: 46b218d5-535d-4329-be56-d0f6af6986b7 + type: string + loading_message: + description: A human-readable message describing the current state or progress of the generation process. Provides context about what the AI is analyzing. + example: AI is analyzing up to 100 alerts in the last 24 hours to generate discoveries. + type: string + reason: + description: Additional context or reasoning provided when a generation fails or encounters issues. This field helps diagnose problems with the generation process. + example: Connection timeout to AI service + type: string + start: + description: The timestamp when the generation process began, in ISO 8601 format. This marks the beginning of the AI analysis. + example: '2025-09-29T06:42:08.962Z' + type: string + status: + description: The current status of the attack discovery generation. After dismissing, this will be set to "dismissed". 
+ enum: + - canceled + - dismissed + - failed + - started + - succeeded + example: dismissed + type: string + required: + - connector_id + - discoveries + - execution_uuid + - loading_message + - start + - status + description: Indicates a successful call. + '400': + content: + application/json: + examples: + PostAttackDiscoveryGenerationsDismissResponse400Example: + summary: Bad Request error returned when the dismiss request is invalid. + value: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + type: object + properties: + error: + description: Error type or category + example: Bad Request + type: string + message: + description: Human-readable error message describing what went wrong with the request. + example: Invalid request parameters. + type: string + status_code: + description: HTTP status code indicating the type of client error + example: 400 + type: number + required: + - status_code + - error + - message + description: Bad Request response. + summary: Dismiss an Attack Discovery generation + tags: + - Security Attack discovery API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request POST 'http://localhost:5601/api/attack_discovery/generations/46b218d5-535d-4329-be56-d0f6af6986b7/_dismiss' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/attack_discovery/schedules: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/attack_discovery/schedules
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Creates a new Attack Discovery schedule that analyzes security alerts at specified intervals. The schedule defines when and how Attack Discovery analysis should run, including which alerts to analyze, which AI connector to use, and what actions to take when discoveries are found. + operationId: CreateAttackDiscoverySchedules + requestBody: + content: + application/json: + examples: + CreateAttackDiscoverySchedulesRequestBodyExample: + summary: Create a daily Attack Discovery schedule that runs every 24 hours. + value: + actions: [] + enabled: true + name: Daily Security Analysis + params: + alerts_index_pattern: .alerts-security.alerts-default + api_config: + actionTypeId: bedrock + connectorId: my-bedrock-connector + name: Claude 3.5 Sonnet + end: now + size: 100 + start: now-24h + schedule: + interval: 24h + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleCreateProps' + description: Attack Discovery schedule configuration including name, parameters, schedule interval, and actions + required: true + responses: + '200': + content: + application/json: + examples: + CreateAttackDiscoverySchedulesResponse200Example: + summary: A newly created Attack Discovery schedule. + value: + actions: [] + created_at: '2023-10-31T10:00:00.000Z' + created_by: elastic + enabled: true + id: 12345678-1234-1234-1234-123456789012 + name: Daily Security Analysis + params: + alerts_index_pattern: .alerts-security.alerts-default + api_config: + actionTypeId: bedrock + connectorId: my-bedrock-connector + name: Claude 3.5 Sonnet + end: now + size: 100 + start: now-24h + schedule: + interval: 24h + updated_at: '2023-10-31T10:00:00.000Z' + updated_by: elastic + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule' + description: The Attack Discovery schedule was successfully created. 
+ '400': + content: + application/json: + examples: + CreateAttackDiscoverySchedulesResponse400Example: + summary: Bad Request error returned when the create schedule payload is invalid. + value: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError' + description: Bad Request response. + summary: Create Attack Discovery schedule + tags: + - Security Attack discovery API + x-codeSamples: + - label: Create an Attack Discovery schedule + lang: curl + source: | + curl \ + --request POST 'http://localhost:5601/api/attack_discovery/schedules' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" \ + --data '{ + "name": "Daily Security Analysis", + "enabled": true, + "params": { + "alerts_index_pattern": ".alerts-security.alerts-default", + "api_config": { + "actionTypeId": "bedrock", + "connectorId": "my-bedrock-connector", + "name": "Claude 3.5 Sonnet" + }, + "size": 100, + "start": "now-24h", + "end": "now" + }, + "schedule": { + "interval": "24h" + }, + "actions": [ + { + "action_type_id": ".cases", + "id": "system-connector-.cases", + "params": { + "subAction": "run", + "subActionParams": { + "timeWindow": "7d", + "reopenClosedCases": false, + "groupingBy": [], + "templateId": null + } + }, + "uuid": "12345678-1234-1234-1234-123456789012" + } + ] + }' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/attack_discovery/schedules/_bulk_delete: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/attack_discovery/schedules/_bulk_delete
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Deletes multiple Attack Discovery schedules by ID. + operationId: BulkDeleteAttackDiscoverySchedules + requestBody: + content: + application/json: + examples: + BulkDeleteAttackDiscoverySchedulesRequestBodyExample: + summary: Delete two Attack Discovery schedules. + value: + ids: + - 12345678-1234-1234-1234-123456789012 + - 98765432-1234-1234-1234-123456789012 + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_BulkActionAttackDiscoverySchedulesRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + BulkDeleteAttackDiscoverySchedulesResponse200Example: + summary: Bulk delete response for two successfully deleted schedules. + value: + errors: [] + ids: + - 12345678-1234-1234-1234-123456789012 + - 98765432-1234-1234-1234-123456789012 + total: 2 + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_BulkActionAttackDiscoverySchedulesResponse' + description: Successfully processed the bulk delete request. + '400': + content: + application/json: + examples: + BulkDeleteAttackDiscoverySchedulesResponse400Example: + summary: Bad Request error returned when the bulk delete payload is invalid. + value: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError' + description: Bad Request response. + summary: Bulk delete Attack Discovery schedules + tags: + - Security Attack discovery API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/attack_discovery/schedules/_bulk_disable: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/attack_discovery/schedules/_bulk_disable
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Disables multiple Attack Discovery schedules by ID. + operationId: BulkDisableAttackDiscoverySchedules + requestBody: + content: + application/json: + examples: + BulkDisableAttackDiscoverySchedulesRequestBodyExample: + summary: Disable two Attack Discovery schedules. + value: + ids: + - 12345678-1234-1234-1234-123456789012 + - 98765432-1234-1234-1234-123456789012 + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_BulkActionAttackDiscoverySchedulesRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + BulkDisableAttackDiscoverySchedulesResponse200Example: + summary: Bulk disable response for two successfully disabled schedules. + value: + errors: [] + ids: + - 12345678-1234-1234-1234-123456789012 + - 98765432-1234-1234-1234-123456789012 + total: 2 + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_BulkActionAttackDiscoverySchedulesResponse' + description: Successfully processed the bulk disable request. + '400': + content: + application/json: + examples: + BulkDisableAttackDiscoverySchedulesResponse400Example: + summary: Bad Request error returned when the bulk disable payload is invalid. + value: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError' + description: Bad Request response. + summary: Bulk disable Attack Discovery schedules + tags: + - Security Attack discovery API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/attack_discovery/schedules/_bulk_enable: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/attack_discovery/schedules/_bulk_enable
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Enables multiple Attack Discovery schedules by ID. + operationId: BulkEnableAttackDiscoverySchedules + requestBody: + content: + application/json: + examples: + BulkEnableAttackDiscoverySchedulesRequestBodyExample: + summary: Enable two Attack Discovery schedules. + value: + ids: + - 12345678-1234-1234-1234-123456789012 + - 98765432-1234-1234-1234-123456789012 + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_BulkActionAttackDiscoverySchedulesRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + BulkEnableAttackDiscoverySchedulesResponse200Example: + summary: Bulk enable response for two successfully enabled schedules. + value: + errors: [] + ids: + - 12345678-1234-1234-1234-123456789012 + - 98765432-1234-1234-1234-123456789012 + total: 2 + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_BulkActionAttackDiscoverySchedulesResponse' + description: Successfully processed the bulk enable request. + '400': + content: + application/json: + examples: + BulkEnableAttackDiscoverySchedulesResponse400Example: + summary: Bad Request error returned when the bulk enable payload is invalid. + value: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError' + description: Bad Request response. + summary: Bulk enable Attack Discovery schedules + tags: + - Security Attack discovery API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/attack_discovery/schedules/_find: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/attack_discovery/schedules/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Find Attack Discovery schedules that match the search criteria. Supports pagination and sorting by various fields. + operationId: FindAttackDiscoverySchedules + parameters: + - description: Page number to return (used for pagination). Defaults to 1. + example: 1 + in: query + name: page + required: false + schema: + type: number + - description: Number of Attack Discovery schedules to return per page (used for pagination). Defaults to 10. + example: 10 + in: query + name: per_page + required: false + schema: + type: number + - description: Field used to sort results. Common fields include 'name', 'created_at', 'updated_at', and 'enabled'. + example: name + in: query + name: sort_field + required: false + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + - description: Sort order direction. Use 'asc' for ascending or 'desc' for descending. Defaults to 'asc'. + example: asc + in: query + name: sort_direction + required: false + schema: + enum: + - asc + - desc + type: string + responses: + '200': + content: + application/json: + examples: + FindAttackDiscoverySchedulesResponse200Example: + summary: Paginated list of Attack Discovery schedules matching the search criteria. + value: + data: + - actions: [] + created_at: '2023-10-31T10:00:00.000Z' + created_by: elastic + enabled: true + id: 12345678-1234-1234-1234-123456789012 + name: Daily Security Analysis + params: + alerts_index_pattern: .alerts-security.alerts-default + api_config: + actionTypeId: bedrock + connectorId: my-bedrock-connector + name: Claude 3.5 Sonnet + end: now + size: 100 + start: now-24h + schedule: + interval: 24h + updated_at: '2023-10-31T10:00:00.000Z' + updated_by: elastic + page: 1 + per_page: 10 + total: 1 + schema: + type: object + properties: + data: + description: Array of matched Attack Discovery schedule objects. 
+ items: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule' + type: array + page: + description: Current page number of the paginated result set. + type: number + per_page: + description: Number of items requested per page. + type: number + total: + description: Total number of Attack Discovery schedules matching the query (across all pages). + type: number + required: + - page + - per_page + - total + - data + description: Indicates a successful call. + '400': + content: + application/json: + examples: + FindAttackDiscoverySchedulesResponse400Example: + summary: Bad Request error returned when find-schedules query parameters are invalid. + value: + error: Bad Request + message: Invalid request payload. + status_code: 400 + schema: + type: object + properties: + error: + description: Error type + example: Bad Request + type: string + message: + description: Human-readable error message + example: Invalid request payload. + type: string + status_code: + description: HTTP status code + example: 400 + type: number + description: Bad Request response. + summary: Find Attack Discovery schedules that match the search criteria + tags: + - Security Attack discovery API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request GET 'http://localhost:5601/api/attack_discovery/schedules/_find' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/attack_discovery/schedules/{id}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/attack_discovery/schedules/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Permanently deletes an Attack Discovery schedule and all associated configuration. + operationId: DeleteAttackDiscoverySchedules + parameters: + - description: The unique identifier (UUID) of the Attack Discovery schedule to delete. This ID is returned when creating a schedule and can be found in schedule listings. + example: 12345678-1234-1234-1234-123456789012 + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + responses: + '200': + content: + application/json: + examples: + DeleteAttackDiscoverySchedulesResponse200Example: + summary: Confirmation returned after deleting an Attack Discovery schedule. + value: + id: 12345678-1234-1234-1234-123456789012 + schema: + type: object + properties: + id: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + description: The unique identifier of the deleted Attack Discovery schedule + required: + - id + description: Successfully deleted Attack Discovery schedule, returning the ID of the deleted schedule for confirmation + '400': + content: + application/json: + examples: + DeleteAttackDiscoverySchedulesResponse400Example: + summary: Bad Request error returned when the delete schedule request is invalid. + value: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError' + description: Bad Request response. 
+ summary: Delete Attack Discovery schedule + tags: + - Security Attack discovery API + x-codeSamples: + - label: Delete an Attack Discovery schedule + lang: curl + source: | + curl \ + --request DELETE 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/attack_discovery/schedules/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieves a specific Attack Discovery schedule by its unique identifier. Returns complete schedule configuration including parameters, interval settings, associated actions, and execution history. + operationId: GetAttackDiscoverySchedules + parameters: + - description: The unique identifier (UUID) of the Attack Discovery schedule to retrieve. This ID is returned when creating a schedule and can be found in schedule listings. + example: 12345678-1234-1234-1234-123456789012 + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + responses: + '200': + content: + application/json: + examples: + GetAttackDiscoverySchedulesResponse200Example: + summary: An Attack Discovery schedule retrieved by ID, including last execution metadata. + value: + actions: [] + created_at: '2023-10-31T10:00:00.000Z' + created_by: elastic + enabled: true + id: 12345678-1234-1234-1234-123456789012 + last_execution: + date: '2023-10-31T10:00:00.000Z' + last_duration: 45.2 + status: ok + name: Daily Security Analysis + params: + alerts_index_pattern: .alerts-security.alerts-default + api_config: + actionTypeId: bedrock + connectorId: my-bedrock-connector + name: Claude 3.5 Sonnet + end: now + size: 100 + start: now-24h + schedule: + interval: 24h + updated_at: '2023-10-31T10:00:00.000Z' + updated_by: elastic + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule' + description: Successfully retrieved Attack Discovery schedule with complete configuration and metadata + '400': + content: + application/json: + examples: + GetAttackDiscoverySchedulesResponse400Example: + summary: Bad Request error returned when the get-schedule request is invalid. + value: + error: Bad Request + message: Invalid request parameters. 
+ status_code: 400 + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError' + description: Bad Request response. + summary: Get Attack Discovery schedule by ID + tags: + - Security Attack discovery API + x-codeSamples: + - label: Get an Attack Discovery schedule by ID + lang: curl + source: | + curl \ + --request GET 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/attack_discovery/schedules/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Updates an existing Attack Discovery schedule with new configuration. All schedule properties can be modified including name, parameters, interval, and actions. The update operation replaces the entire schedule configuration with the provided values. + operationId: UpdateAttackDiscoverySchedules + parameters: + - description: The unique identifier (UUID) of the Attack Discovery schedule to update. This ID is returned when creating a schedule and can be found in schedule listings. + example: 12345678-1234-1234-1234-123456789012 + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + requestBody: + content: + application/json: + examples: + UpdateAttackDiscoverySchedulesRequestBodyExample: + summary: Update an Attack Discovery schedule to run every 12 hours over a 48-hour window. + value: + actions: [] + name: Updated Daily Security Analysis + params: + alerts_index_pattern: .alerts-security.alerts-default + api_config: + actionTypeId: bedrock + connectorId: my-bedrock-connector + name: Claude 3.5 Sonnet + end: now + size: 200 + start: now-48h + schedule: + interval: 12h + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleUpdateProps' + description: Updated Attack Discovery schedule configuration. All fields are required as this replaces the entire schedule configuration. + required: true + responses: + '200': + content: + application/json: + examples: + UpdateAttackDiscoverySchedulesResponse200Example: + summary: An Attack Discovery schedule after being updated. 
+ value: + actions: [] + created_at: '2023-10-31T10:00:00.000Z' + created_by: elastic + enabled: true + id: 12345678-1234-1234-1234-123456789012 + name: Updated Daily Security Analysis + params: + alerts_index_pattern: .alerts-security.alerts-default + api_config: + actionTypeId: bedrock + connectorId: my-bedrock-connector + name: Claude 3.5 Sonnet + end: now + size: 200 + start: now-48h + schedule: + interval: 12h + updated_at: '2023-10-31T12:00:00.000Z' + updated_by: elastic + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule' + description: Successfully updated Attack Discovery schedule with the new configuration and metadata + '400': + content: + application/json: + examples: + UpdateAttackDiscoverySchedulesResponse400Example: + summary: Bad Request error returned when the update schedule payload is invalid. + value: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError' + description: Bad Request response. 
+ summary: Update Attack Discovery schedule + tags: + - Security Attack discovery API + x-codeSamples: + - label: Update an Attack Discovery schedule + lang: curl + source: | + curl \ + --request PUT 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" \ + --data '{ + "name": "Updated Daily Security Analysis", + "params": { + "alerts_index_pattern": ".alerts-security.alerts-default", + "api_config": { + "actionTypeId": "bedrock", + "connectorId": "my-bedrock-connector", + "name": "Claude 3.5 Sonnet" + }, + "size": 200, + "start": "now-48h", + "end": "now" + }, + "schedule": { + "interval": "12h" + }, + "actions": [] + }' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/attack_discovery/schedules/{id}/_disable: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/attack_discovery/schedules/{id}/_disable
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Disables an Attack Discovery schedule, preventing it from running according to its configured interval. The schedule configuration is preserved and can be re-enabled later. Any currently running executions will complete, but no new executions will be started. + operationId: DisableAttackDiscoverySchedules + parameters: + - description: The unique identifier (UUID) of the Attack Discovery schedule to disable. This ID is returned when creating a schedule and can be found in schedule listings. + example: 12345678-1234-1234-1234-123456789012 + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + responses: + '200': + content: + application/json: + examples: + DisableAttackDiscoverySchedulesResponse200Example: + summary: Confirmation returned after disabling an Attack Discovery schedule. + value: + id: 12345678-1234-1234-1234-123456789012 + schema: + type: object + properties: + id: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + description: The unique identifier of the disabled Attack Discovery schedule + required: + - id + description: Successfully disabled Attack Discovery schedule, returning the schedule ID for confirmation + '400': + content: + application/json: + examples: + DisableAttackDiscoverySchedulesResponse400Example: + summary: Bad Request error returned when the disable schedule request is invalid. + value: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError' + description: Bad Request response. 
+ summary: Disable Attack Discovery schedule + tags: + - Security Attack discovery API + x-codeSamples: + - label: Disable an Attack Discovery schedule + lang: curl + source: | + curl \ + --request POST 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012/_disable' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/attack_discovery/schedules/{id}/_enable: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/attack_discovery/schedules/{id}/_enable
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Enables a previously disabled Attack Discovery schedule, allowing it to run according to its configured interval. Once enabled, the schedule will begin executing at the next scheduled time based on its interval configuration. + operationId: EnableAttackDiscoverySchedules + parameters: + - description: The unique identifier (UUID) of the Attack Discovery schedule to enable. This ID is returned when creating a schedule and can be found in schedule listings. + example: 12345678-1234-1234-1234-123456789012 + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + responses: + '200': + content: + application/json: + examples: + EnableAttackDiscoverySchedulesResponse200Example: + summary: Confirmation returned after enabling an Attack Discovery schedule. + value: + id: 12345678-1234-1234-1234-123456789012 + schema: + type: object + properties: + id: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + description: The unique identifier of the enabled Attack Discovery schedule + required: + - id + description: Successfully enabled Attack Discovery schedule, returning the schedule ID for confirmation + '400': + content: + application/json: + examples: + EnableAttackDiscoverySchedulesResponse400Example: + summary: Bad Request error returned when the enable schedule request is invalid. + value: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError' + description: Bad Request response. 
+ summary: Enable Attack Discovery schedule + tags: + - Security Attack discovery API + x-codeSamples: + - label: Enable an Attack Discovery schedule + lang: curl + source: | + curl \ + --request POST 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012/_enable' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/dashboards: + get: + tags: + - Dashboards + summary: Get dashboards + operationId: get-dashboards-redirect + description: | + > **Technical preview** — The Dashboards API is currently in technical preview and its full reference documentation is temporarily hosted at a separate location. + > + > **[View the full Dashboards API reference →](https://elastic.github.io/dashboards-api-spec/dashboards#tag/Dashboards)** + responses: + '200': + description: See the full Dashboards API reference for detailed response schemas. + post: + tags: + - Dashboards + summary: Create a dashboard + operationId: create-dashboard-redirect + description: | + > **Technical preview** — The Dashboards API is currently in technical preview and its full reference documentation is temporarily hosted at a separate location. + > + > **[View the full Dashboards API reference →](https://elastic.github.io/dashboards-api-spec/dashboards#tag/Dashboards)** + responses: + '200': + description: See the full Dashboards API reference for detailed response schemas. + /api/dashboards/{id}: + get: + tags: + - Dashboards + summary: Get a dashboard + operationId: get-dashboard-redirect + description: | + > **Technical preview** — The Dashboards API is currently in technical preview and its full reference documentation is temporarily hosted at a separate location. 
+ > + > **[View the full Dashboards API reference →](https://elastic.github.io/dashboards-api-spec/dashboards#tag/Dashboards)** + responses: + '200': + description: See the full Dashboards API reference for detailed response schemas. + put: + tags: + - Dashboards + summary: Update a dashboard + operationId: update-dashboard-redirect + description: | + > **Technical preview** — The Dashboards API is currently in technical preview and its full reference documentation is temporarily hosted at a separate location. + > + > **[View the full Dashboards API reference →](https://elastic.github.io/dashboards-api-spec/dashboards#tag/Dashboards)** + responses: + '200': + description: See the full Dashboards API reference for detailed response schemas. + delete: + tags: + - Dashboards + summary: Delete a dashboard + operationId: delete-dashboard-redirect + description: | + > **Technical preview** — The Dashboards API is currently in technical preview and its full reference documentation is temporarily hosted at a separate location. + > + > **[View the full Dashboards API reference →](https://elastic.github.io/dashboards-api-spec/dashboards#tag/Dashboards)** + responses: + '200': + description: See the full Dashboards API reference for detailed response schemas. + /api/data_views: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/data_views
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve a list of all data views. Use this endpoint to identify available data views in the current Kibana space. + operationId: getAllDataViewsDefault + responses: + '200': + content: + application/json: + examples: + getAllDataViewsResponse: + $ref: '#/components/examples/Data_views_get_data_views_response' + schema: + type: object + properties: + data_view: + items: + type: object + properties: + id: + type: string + name: + type: string + namespaces: + items: + type: string + type: array + title: + type: string + typeMeta: + type: object + type: array + description: Indicates a successful call. + '400': + content: + application/json: + examples: + getAllDataViewsBadRequest: + $ref: '#/components/examples/Data_views_error_400_response' + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Get all data views + tags: + - data views + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/data_views" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/data_views + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/data_views/data_view: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/data_views/data_view
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a data view. Data views identify the Elasticsearch data you want to explore and visualize. They can point to one or more data streams, indices, or index aliases, and use optional runtime fields to compute values at query time. Note that data views are not required for ES|QL-based visualizations. To learn more, refer to the [data views documentation](https://www.elastic.co/docs/explore-analyze/find-and-organize/data-views). + operationId: createDataViewDefaultw + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + requestBody: + content: + application/json: + examples: + createDataViewRequest: + $ref: '#/components/examples/Data_views_create_data_view_request' + schema: + $ref: '#/components/schemas/Data_views_create_data_view_request_object' + required: true + responses: + '200': + content: + application/json: + examples: + createDataViewResponse: + $ref: '#/components/examples/Data_views_create_data_view_response' + schema: + $ref: '#/components/schemas/Data_views_data_view_response_object' + description: Indicates a successful call. 
+ '400': + content: + application/json: + examples: + createDataViewBadRequest: + $ref: '#/components/examples/Data_views_error_400_response' + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Create a data view + tags: + - data views + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/data_views/data_view" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{"data_view":{"title":"logstash-*","name":"My Logstash data view"}}' + - lang: Console + source: | + POST kbn://api/data_views/data_view + {"data_view":{"title":"logstash-*","name":"My Logstash data view"}} + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/data_views/data_view/{viewId}: + delete: + description: | + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/data_views/data_view/{viewId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a data view by its identifier. WARNING: When you delete a data view, it cannot be recovered. + operationId: deleteDataViewDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + - $ref: '#/components/parameters/Data_views_view_id' + responses: + '204': + description: Indicates a successful call. + '404': + content: + application/json: + examples: + deleteDataViewNotFound: + $ref: '#/components/examples/Data_views_error_404_response' + schema: + $ref: '#/components/schemas/Data_views_404_response' + description: Object is not found. + summary: Delete a data view + tags: + - data views + x-codeSamples: + - lang: curl + source: | + curl \ + -X DELETE "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" + - lang: Console + source: | + DELETE kbn://api/data_views/data_view/{viewId} + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/data_views/data_view/{viewId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve a single data view by its identifier. Data views identify the Elasticsearch data you want to explore and visualize. They can point to one or more data streams, indices, or index aliases, and use optional runtime fields to compute values at query time. Note that data views are not required for ES|QL-based visualizations. To learn more, refer to the [data views documentation](https://www.elastic.co/docs/explore-analyze/find-and-organize/data-views). + operationId: getDataViewDefault + parameters: + - $ref: '#/components/parameters/Data_views_view_id' + responses: + '200': + content: + application/json: + examples: + getDataViewResponse: + $ref: '#/components/examples/Data_views_get_data_view_response' + schema: + $ref: '#/components/schemas/Data_views_data_view_response_object' + description: Indicates a successful call. + '404': + content: + application/json: + examples: + getDataViewNotFound: + $ref: '#/components/examples/Data_views_error_404_response' + schema: + $ref: '#/components/schemas/Data_views_404_response' + description: Object is not found. + summary: Get a data view + tags: + - data views + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/data_views/data_view/{viewId} + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/data_views/data_view/{viewId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an existing data view. Only the fields provided in the request body are updated. + operationId: updateDataViewDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + - $ref: '#/components/parameters/Data_views_view_id' + requestBody: + content: + application/json: + examples: + updateDataViewRequest: + $ref: '#/components/examples/Data_views_update_data_view_request' + schema: + $ref: '#/components/schemas/Data_views_update_data_view_request_object' + required: true + responses: + '200': + content: + application/json: + examples: + updateDataViewResponse: + $ref: '#/components/examples/Data_views_get_data_view_response' + schema: + $ref: '#/components/schemas/Data_views_data_view_response_object' + description: Indicates a successful call. + '400': + content: + application/json: + examples: + updateDataViewBadRequest: + $ref: '#/components/examples/Data_views_error_400_response' + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Update a data view + tags: + - data views + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{"data_view":{"name":"Updated data view name"}}' + - lang: Console + source: | + POST kbn://api/data_views/data_view/{viewId} + {"data_view":{"name":"Updated data view name"}} + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/data_views/data_view/{viewId}/fields: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/data_views/data_view/{viewId}/fields
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update field metadata for a data view. Use this endpoint to set custom labels, custom descriptions, and format overrides for individual fields. + operationId: updateFieldsMetadataDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + - $ref: '#/components/parameters/Data_views_view_id' + requestBody: + content: + application/json: + examples: + updateFieldsMetadataRequest: + $ref: '#/components/examples/Data_views_update_field_metadata_request' + schema: + type: object + properties: + fields: + description: The field object. + type: object + required: + - fields + required: true + responses: + '200': + content: + application/json: + examples: + updateFieldsMetadataResponse: + $ref: '#/components/examples/Data_views_update_field_metadata_response' + schema: + type: object + properties: + acknowledged: + type: boolean + description: Indicates a successful call. + '400': + content: + application/json: + examples: + updateFieldsMetadataBadRequest: + $ref: '#/components/examples/Data_views_error_400_response' + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Update field metadata + tags: + - data views + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}/fields" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{"fields":{"field_name":{"customLabel":"My custom label"}}}' + - lang: Console + source: | + POST kbn://api/data_views/data_view/{viewId}/fields + {"fields":{"field_name":{"customLabel":"My custom label"}}} + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/data_views/data_view/{viewId}/runtime_field: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/data_views/data_view/{viewId}/runtime_field
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a runtime field for a data view. Runtime fields are computed at query time using a [Painless script](https://www.elastic.co/docs/explore-analyze/scripting/modules-scripting-painless) and do not require reindexing. If no `script` is provided, the runtime field returns the corresponding value from the document `_source`. + operationId: createRuntimeFieldDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + - $ref: '#/components/parameters/Data_views_view_id' + requestBody: + content: + application/json: + examples: + createRuntimeFieldRequest: + $ref: '#/components/examples/Data_views_create_runtime_field_request' + schema: + type: object + properties: + name: + description: | + The name for a runtime field. + type: string + runtimeField: + description: | + The runtime field definition object. + type: object + required: + - name + - runtimeField + required: true + responses: + '200': + content: + application/json: + examples: + createRuntimeFieldResponse: + $ref: '#/components/examples/Data_views_create_runtime_field_response' + schema: + type: object + description: Indicates a successful call. 
+ summary: Create a runtime field + tags: + - data views + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}/runtime_field" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{"name":"hour_of_day","runtimeField":{"type":"long","script":{"source":"emit(doc['"'"'timestamp'"'"'].value.getHour())"}}}' + - lang: Console + source: | + POST kbn://api/data_views/data_view/{viewId}/runtime_field + {"name":"hour_of_day","runtimeField":{"type":"long","script":{"source":"emit(doc['timestamp'].value.getHour())"}}} + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: | + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/data_views/data_view/{viewId}/runtime_field
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create or update a runtime field for a data view. If the runtime field already exists, it is replaced with the new definition. + operationId: createUpdateRuntimeFieldDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + - description: | + The ID of the data view fields you want to update. + in: path + name: viewId + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + updateRuntimeFieldRequest: + $ref: '#/components/examples/Data_views_create_runtime_field_request' + schema: + type: object + properties: + name: + description: | + The name for a runtime field. + type: string + runtimeField: + description: | + The runtime field definition object. + type: object + required: + - name + - runtimeField + required: true + responses: + '200': + content: + application/json: + examples: + createUpdateRuntimeFieldResponse: + $ref: '#/components/examples/Data_views_create_runtime_field_response' + schema: + type: object + properties: + data_view: + type: object + fields: + items: + type: object + type: array + description: Indicates a successful call. 
+ '400': + content: + application/json: + examples: + createUpdateRuntimeFieldBadRequest: + $ref: '#/components/examples/Data_views_error_400_response' + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Create or update a runtime field + tags: + - data views + x-codeSamples: + - lang: curl + source: | + curl \ + -X PUT "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}/runtime_field" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{"name":"hour_of_day","runtimeField":{"type":"long","script":{"source":"emit(doc['"'"'timestamp'"'"'].value.getHour())"}}}' + - lang: Console + source: | + PUT kbn://api/data_views/data_view/{viewId}/runtime_field + {"name":"hour_of_day","runtimeField":{"type":"long","script":{"source":"emit(doc['timestamp'].value.getHour())"}}} + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/data_views/data_view/{viewId}/runtime_field/{fieldName}: + delete: + description: | + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/data_views/data_view/{viewId}/runtime_field/{fieldName}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a runtime field from a data view. + operationId: deleteRuntimeFieldDefault + parameters: + - $ref: '#/components/parameters/Data_views_field_name' + - $ref: '#/components/parameters/Data_views_view_id' + responses: + '200': + description: Indicates a successful call. + '404': + content: + application/json: + examples: + deleteRuntimeFieldNotFound: + $ref: '#/components/examples/Data_views_error_404_response' + schema: + $ref: '#/components/schemas/Data_views_404_response' + description: Object is not found. + summary: Delete a runtime field + tags: + - data views + x-codeSamples: + - lang: curl + source: | + curl \ + -X DELETE "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}/runtime_field/${FIELD_NAME}" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" + - lang: Console + source: | + DELETE kbn://api/data_views/data_view/{viewId}/runtime_field/{fieldName} + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/data_views/data_view/{viewId}/runtime_field/{fieldName}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve a single runtime field by name from a data view. + operationId: getRuntimeFieldDefault + parameters: + - $ref: '#/components/parameters/Data_views_field_name' + - $ref: '#/components/parameters/Data_views_view_id' + responses: + '200': + content: + application/json: + examples: + getRuntimeFieldResponse: + $ref: '#/components/examples/Data_views_get_runtime_field_response' + schema: + type: object + properties: + data_view: + type: object + fields: + items: + type: object + type: array + description: Indicates a successful call. + '404': + content: + application/json: + examples: + getRuntimeFieldNotFound: + $ref: '#/components/examples/Data_views_error_404_response' + schema: + $ref: '#/components/schemas/Data_views_404_response' + description: Object is not found. + summary: Get a runtime field + tags: + - data views + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}/runtime_field/${FIELD_NAME}" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/data_views/data_view/{viewId}/runtime_field/{fieldName} + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/data_views/data_view/{viewId}/runtime_field/{fieldName}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an existing runtime field in a data view. Only the fields provided in the request body are updated. + operationId: updateRuntimeFieldDefault + parameters: + - $ref: '#/components/parameters/Data_views_field_name' + - $ref: '#/components/parameters/Data_views_view_id' + requestBody: + content: + application/json: + examples: + updateRuntimeFieldRequest: + $ref: '#/components/examples/Data_views_update_runtime_field_request' + schema: + type: object + properties: + runtimeField: + description: | + The runtime field definition object. + + You can update following fields: + + - `type` + - `script` + type: object + required: + - runtimeField + required: true + responses: + '200': + description: Indicates a successful call. + '400': + content: + application/json: + examples: + updateRuntimeFieldBadRequest: + $ref: '#/components/examples/Data_views_error_400_response' + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Update a runtime field + tags: + - data views + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}/runtime_field/${FIELD_NAME}" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{"runtimeField":{"type":"long","script":{"source":"emit(doc['"'"'timestamp'"'"'].value.getHour())"}}}' + - lang: Console + source: | + POST kbn://api/data_views/data_view/{viewId}/runtime_field/{fieldName} + {"runtimeField":{"type":"long","script":{"source":"emit(doc['timestamp'].value.getHour())"}}} + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/data_views/default: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/data_views/default
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve the identifier of the default data view for the current Kibana space. + operationId: getDefaultDataViewDefault + responses: + '200': + content: + application/json: + examples: + getDefaultDataViewResponse: + $ref: '#/components/examples/Data_views_get_default_data_view_response' + schema: + type: object + properties: + data_view_id: + type: string + description: Indicates a successful call. + '400': + content: + application/json: + examples: + getDefaultDataViewBadRequest: + $ref: '#/components/examples/Data_views_error_400_response' + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Get the default data view + tags: + - data views + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/data_views/default" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/data_views/default + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/data_views/default
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Set the default data view for the current Kibana space. The default data view is used as a fallback when no specific data view is selected. + operationId: setDefaultDatailViewDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + requestBody: + content: + application/json: + examples: + setDefaultDataViewRequest: + $ref: '#/components/examples/Data_views_set_default_data_view_request' + schema: + type: object + properties: + data_view_id: + description: | + The data view identifier. NOTE: The API does not validate whether it is a valid identifier. Use `null` to unset the default data view. + nullable: true + type: string + force: + default: false + description: Update an existing default data view identifier. + type: boolean + required: + - data_view_id + required: true + responses: + '200': + content: + application/json: + examples: + setDefaultDataViewResponse: + $ref: '#/components/examples/Data_views_set_default_data_view_response' + schema: + type: object + properties: + acknowledged: + type: boolean + description: Indicates a successful call. 
+ '400': + content: + application/json: + examples: + setDefaultDataViewBadRequest: + $ref: '#/components/examples/Data_views_error_400_response' + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Set the default data view + tags: + - data views + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/data_views/default" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{"data_view_id":"ff959d40-b880-11e8-a6d9-e546fe2bba5f","force":true}' + - lang: Console + source: | + POST kbn://api/data_views/default + {"data_view_id":"ff959d40-b880-11e8-a6d9-e546fe2bba5f","force":true} + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/data_views/swap_references: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/data_views/swap_references
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Swap saved object references from one data view to another. Use this endpoint to update dashboards, visualizations, and other saved objects that reference a data view. WARNING: Misuse can break large numbers of saved objects! Use the [`_preview`](https://www.elastic.co/docs/api/doc/kibana/operation/operation-previewswapdataviewsdefault) endpoint to see which saved objects would be affected before making changes. + operationId: swapDataViewsDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + requestBody: + content: + application/json: + examples: + swapDataViewRequest: + $ref: '#/components/examples/Data_views_swap_data_view_request' + schema: + $ref: '#/components/schemas/Data_views_swap_data_view_request_object' + required: true + responses: + '200': + content: + application/json: + examples: + swapDataViewResponse: + $ref: '#/components/examples/Data_views_swap_data_view_response' + schema: + type: object + properties: + deleteStatus: + type: object + properties: + deletePerformed: + type: boolean + remainingRefs: + type: integer + result: + items: + type: object + properties: + id: + description: A saved object identifier. + type: string + type: + description: The saved object type. + type: string + type: array + description: Indicates a successful call. 
+ summary: Swap saved object references + tags: + - data views + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/data_views/swap_references" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{"fromId":"abcd-efg","toId":"xyz-123","delete":true}' + - lang: Console + source: | + POST kbn://api/data_views/swap_references + {"fromId":"abcd-efg","toId":"xyz-123","delete":true} + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/data_views/swap_references/_preview: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/data_views/swap_references/_preview
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Preview the effect of swapping saved object references from one data view to another. Returns the list of affected saved objects without making any changes. + operationId: previewSwapDataViewsDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + requestBody: + content: + application/json: + examples: + previewSwapDataViewRequest: + $ref: '#/components/examples/Data_views_preview_swap_data_view_request' + schema: + $ref: '#/components/schemas/Data_views_swap_data_view_request_object' + required: true + responses: + '200': + content: + application/json: + examples: + previewSwapDataViewResponse: + $ref: '#/components/examples/Data_views_preview_swap_data_view_response' + schema: + type: object + properties: + result: + items: + type: object + properties: + id: + description: A saved object identifier. + type: string + type: + description: The saved object type. + type: string + type: array + description: Indicates a successful call. + summary: Preview swap references + tags: + - data views + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/data_views/swap_references/_preview" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{"fromId":"abcd-efg","toId":"xyz-123"}' + - lang: Console + source: | + POST kbn://api/data_views/swap_references/_preview + {"fromId":"abcd-efg","toId":"xyz-123"} + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/detection_engine/privileges: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/detection_engine/privileges
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieves whether or not the user is authenticated, and the user's Kibana + space and index privileges, which determine if the user can create an + index for the Elastic Security alerts generated by + detection engine rules. + operationId: ReadPrivileges + responses: + '200': + content: + application/json: + examples: + success: + value: + application: {} + cluster: + all: true + manage: true + manage_api_key: true + manage_index_templates: true + manage_ml: true + manage_own_api_key: true + manage_pipeline: true + manage_security: true + manage_transform: true + monitor: true + monitor_ml: true + monitor_transform: true + has_all_requested: true + has_encryption_key: true + index: + .alerts-security.alerts-default: + all: true + create: true + create_doc: true + create_index: true + delete: true + delete_index: true + index: true + maintenance: true + manage: true + monitor: true + read: true + view_index_metadata: true + write: true + is_authenticated: true + username: elastic + schema: + type: object + properties: + has_encryption_key: + type: boolean + is_authenticated: + type: boolean + required: + - is_authenticated + - has_encryption_key + description: Successful response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: 
'#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Returns user privileges for the Kibana space + tags: + - Security Detections API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/detection_engine/rules: + delete: + description: | + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/detection_engine/rules
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a detection rule using the `rule_id` or `id` field. + + The URL query must include one of the following: + + * `id` - `DELETE /api/detection_engine/rules?id=` + * `rule_id`- `DELETE /api/detection_engine/rules?rule_id=` + + The difference between the `id` and `rule_id` is that the `id` is a unique rule identifier that is randomly generated when a rule is created and cannot be set, whereas `rule_id` is a stable rule identifier that can be assigned during rule creation. + operationId: DeleteRule + parameters: + - description: The rule's `id` value. + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Detections_API_UUID' + - description: The rule's `rule_id` value. + in: query + name: rule_id + required: false + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + responses: + '200': + content: + application/json: + examples: + deletedRule: + summary: Response shape after a rule is deleted + value: + actions: [] + created_at: '2020-02-03T11:19:04.259Z' + created_by: elastic + description: Process started by MS Office program in user folder + enabled: false + false_positives: [] + from: now-4200s + id: c41d170b-8ba6-4de6-b8ec-76440a35ace3 + immutable: false + interval: 1h + language: kuery + max_signals: 100 + name: MS Office child process + query: event.action:Process* + references: [] + risk_score: 50 + rule_id: process_started_by_ms_office_user_folder + severity: low + tags: + - tag + throttle: null + to: now + type: query + updated_at: '2020-02-03T11:19:04.462Z' + updated_by: elastic + version: 3 + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleResponse' + description: Indicates a successful call. 
+ summary: Delete a detection rule + tags: + - Security Detections API + x-codeSamples: + - lang: cURL + source: | + curl \ + --request DELETE https://localhost:5601/api/detection_engine/rules?rule_id=bfeaf89b-a2a7-48a3-817f-e41829dc61ee \ + --header "Content-Type: application/json; Elastic-Api-Version=2023-10-31" + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/detection_engine/rules
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve a detection rule using the `rule_id` or `id` field. + + The URL query must include one of the following: + + * `id` - `GET /api/detection_engine/rules?id=` + * `rule_id` - `GET /api/detection_engine/rules?rule_id=` + + The difference between the `id` and `rule_id` is that the `id` is a unique rule identifier that is randomly generated when a rule is created and cannot be set, whereas `rule_id` is a stable rule identifier that can be assigned during rule creation. + operationId: ReadRule + parameters: + - description: The rule's `id` value. + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Detections_API_UUID' + - description: The rule's `rule_id` value. + in: query + name: rule_id + required: false + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + responses: + '200': + content: + application/json: + examples: + example1: + summary: Example response for a retrieved rule + value: + created_at: '2020-02-03T11:19:04.259Z' + created_by: elastic + description: Process started by MS Office program in user folder + enabled: false + execution_summary: + last_execution: + date: '2022-03-23T16:06:12.787Z' + message: This rule attempted to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, but no matching index was found. 
+ metrics: + execution_gap_duration_s: 0 + total_indexing_duration_ms: 15 + total_search_duration_ms: 135 + status: partial failure + status_order: 20 + false_positives: [] + filters: + - query: + match: + event.action: + query: 'Process Create (rule: ProcessCreate)' + type: phrase + from: now-4200s + id: c41d170b-8ba6-4de6-b8ec-76440a35ace3 + immutable: false + interval: 1h + language: kuery + max_signals: 100 + name: MS Office child process + query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE + references: [] + related_integrations: + - package: o365 + version: ^2.3.2 + required_fields: + - ecs: true + name: process.name + type: keyword + - ecs: true + name: process.parent.name + type: keyword + risk_score: 21 + rule_id: process_started_by_ms_office_user_folder + setup: '' + severity: low + tags: + - child process + - ms office + threat: + - framework: MITRE ATT&CK + tactic: + id: TA0001 + name: Initial Access + reference: https://attack.mitre.org/tactics/TA0001 + technique: + - id: T1193 + name: Spearphishing Attachment + reference: https://attack.mitre.org/techniques/T1193 + to: now-300s + type: query + updated_at: '2020-02-03T11:19:04.462Z' + updated_by: elastic + version: 1 + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleResponse' + description: | + Indicates a successful call. + > info + > These fields are under development and their usage or schema may change: execution_summary. 
+ summary: Retrieve a detection rule + tags: + - Security Detections API + x-codeSamples: + - lang: cURL + source: | + curl \ + --request GET https://localhost:5601/api/detection_engine/rules?rule_id=bfeaf89b-a2a7-48a3-817f-e41829dc61ee \ + --header "Content-Type: application/json; Elastic-Api-Version=2023-10-31" + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + patch: + description: | + **Spaces method and path for this operation:** + +
patch /s/{space_id}/api/detection_engine/rules
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update specific fields of an existing detection rule using the `rule_id` or `id` field. + + The difference between the `id` and `rule_id` is that the `id` is a unique rule identifier that is randomly generated when a rule is created and cannot be set, whereas `rule_id` is a stable rule identifier that can be assigned during rule creation. + > warn + > When used with [API key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running. + + > If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change. + operationId: PatchRule + requestBody: + content: + application/json: + examples: + example1: + summary: Patch query rule + value: + id: 14b7b513-3d8d-4b22-b7da-a7ae632f7e76 + name: New name + example2: + summary: Patch EQL rule + value: + rule_id: process_started_by_ms_office_program_possible_payload + threat: + - framework: MITRE ATT&CK + tactic: + id: TA0001 + name: Initial Access + reference: https://attack.mitre.org/tactics/TA0001 + technique: + - id: T1193 + name: Spearphishing Attachment + reference: https://attack.mitre.org/techniques/T1193 + example3: + summary: Patch threshold rule + value: + id: 005d2c4f-51ca-493d-a2bd-20ef076339b1 + query: 'agent.version : * and agent.id : "243d9b4f-ca01-4311-8e5c-9abbee91afd8"' + threshold: + cardinality: [] + field: [] + value: 600 + example4: + summary: Patch new terms rule + value: + history_window_start: now-3d + id: 569aac91-40dc-4807-a8ae-a2c8698089c4 + new_terms_fields: + - Endpoint.policy.applied.artifacts.global.identifiers.name + example5: + summary: Patch esql rule + value: + id: 0b15e8a2-49b6-47e0-a8e6-d63a6cc335bd + query: | + FROM logs-abc* + | STATS count 
= COUNT(*), min_timestamp = MIN(@timestamp) + | EVAL event_rate = count / DATE_DIFF("seconds", min_timestamp, NOW()) + | KEEP event_rate + example6: + summary: Patch indicator match rule + value: + id: 462f1986-10fe-40a3-a22c-2b1c9c4c48fd + threat_query: '@timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and threat.indicator.ip:* and not labels.is_ioc_transform_source:"false"' + example7: + summary: Patch machine learning rule + value: + anomaly_threshold: 50 + id: 60b13926-289b-41b1-a537-197ef1fa5059 + machine_learning_job_id: + - auth_high_count_logon_events_ea + schema: + $ref: '#/components/schemas/Security_Detections_API_RulePatchProps' + description: | + > info + > You cannot modify the `id` or `rule_id` values. + required: true + responses: + '200': + content: + application/json: + examples: + example1: + summary: Example response for an updated rule + value: + actions: [] + created_at: '2020-04-07T14:51:09.755Z' + created_by: elastic + description: Updated description for the rule. + enabled: false + false_positives: [] + filters: + - query: null + from: now-70m + id: 6541b99a-dee9-4f6d-a86d-dbd1869d73b1 + immutable: false + interval: 1h + language: kuery + max_signals: 100 + name: Updated Rule Name + query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE + references: [] + related_integrations: + - package: o365 + required_fields: + - name: process.parent.name + risk_score: 50 + rule_id: process_started_by_ms_office_program + setup: '' + severity: low + tags: + - child process + - ms office + threat: [] + to: now + type: query + updated_at: '2020-04-07T14:51:09.970Z' + updated_by: elastic + version: 2 + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleResponse' + description: Indicates a successful call. 
+ summary: Patch a detection rule + tags: + - Security Detections API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/detection_engine/rules
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new detection rule. + > warn + > When used with [API key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running. + + > If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change. + + You can create the following types of rules: + + * **Custom query**: Searches the defined indices and creates an alert when a document matches the rule's KQL query. + * **Event correlation**: Searches the defined indices and creates an alert when results match an [Event Query Language (EQL)](https://www.elastic.co/guide/en/elasticsearch/reference/current/eql.html) query. + * **Threshold**: Searches the defined indices and creates an alert when the number of times the specified field's value meets the threshold during a single execution. When there are multiple values that meet the threshold, an alert is generated for each value. + For example, if the threshold `field` is `source.ip` and its `value` is `10`, an alert is generated for every source IP address that appears in at least 10 of the rule's search results. If you're interested, see [Terms Aggregation](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-bucket-terms-aggregation.html) for more information. + * **Indicator match**: Creates an alert when fields match values defined in the specified [Elasticsearch index](https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-create-index.html). For example, you can create an index for IP addresses and use this index to create an alert whenever an event's `destination.ip` equals a value in the index. 
The index's field mappings should be [ECS-compliant](https://www.elastic.co/guide/en/ecs/current/ecs-reference.html). + * **New terms**: Generates an alert for each new term detected in source documents within a specified time range. + * **ES|QL**: Uses [Elasticsearch Query Language (ES|QL)](https://www.elastic.co/guide/en/elasticsearch/reference/current/esql.html) to find events and aggregate search results. + * **Machine learning rules**: Creates an alert when a machine learning job discovers an anomaly above the defined threshold. + > info + > To create machine learning rules, you must have the [appropriate license](https://www.elastic.co/subscriptions) or use a [cloud deployment](https://cloud.elastic.co/registration). Additionally, for the machine learning rule to function correctly, the associated machine learning job must be running. + + To retrieve machine learning job IDs, which are required to create machine learning jobs, call the [Elasticsearch Get jobs API](https://www.elastic.co/guide/en/elasticsearch/reference/current/ml-get-job.html). Machine learning jobs that contain `siem` in the `groups` field can be used to create rules: + + ```json + ... + "job_id": "linux_anomalous_network_activity_ecs", + "job_type": "anomaly_detector", + "job_version": "7.7.0", + "groups": [ + "auditbeat", + "process", + "siem" + ], + ... + ``` + + Additionally, you can set up notifications for when rules create alerts. The notifications use the [Alerting and Actions framework](https://www.elastic.co/docs/explore-analyze/alerting). Each action type requires a connector. Connectors store the information required to send notifications via external systems. 
The following connector types are supported for rule notifications: + + * Slack + * Email + * PagerDuty + * Webhook + * Microsoft Teams + * IBM Resilient + * Jira + * ServiceNow ITSM + > info + > For more information on PagerDuty fields, see [Send a v2 Event](https://developer.pagerduty.com/docs/events-api-v2/trigger-events/). + + To retrieve connector IDs, which are required to configure rule notifications, call the [Find objects API](https://www.elastic.co/docs/api/doc/kibana/operation/operation-findsavedobjects) with `"type": "action"` in the request payload. + + For detailed information on Kibana actions and alerting, and additional API calls, see: + + * [Alerting API](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-alerting) + * [Alerting and Actions framework](https://www.elastic.co/docs/explore-analyze/alerting) + * [Connectors API](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-connectors) + operationId: CreateRule + requestBody: + content: + application/json: + examples: + example1: + description: Query rule that searches for processes started by MS Office + summary: Query rule + value: + description: Process started by MS Office program - possible payload + enabled: false + filters: + - query: + match: + event.action: + query: 'Process Create (rule: ProcessCreate)' + type: phrase + from: now-70m + interval: 1h + language: kuery + name: MS Office child process + query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE + related_integrations: + - package: o365 + version: ^2.3.2 + required_fields: + - name: process.parent.name + type: keyword + risk_score: 50 + rule_id: process_started_by_ms_office_program + severity: low + tags: + - child process + - ms office + type: query + example2: + description: Threshold rule that detects multiple failed login attempts to a Windows host from the 
same external source IP address + summary: Threshold rule + value: + description: Detects when there are 20 or more failed login attempts from the same IP address with a 2 minute time frame. + enabled: true + exceptions_list: + - id: int-ips + namespace_type: single + type: detection + from: now-180s + index: + - winlogbeat-* + interval: 2m + name: Windows server prml-19 + query: host.name:prml-19 and event.category:authentication and event.outcome:failure + required_fields: + - name: source.ip + type: ip + risk_score: 30 + rule_id: liv-win-ser-logins + severity: low + severity_mapping: + - field: source.geo.city_name + operator: equals + severity: low + value: Manchester + - field: source.geo.city_name + operator: equals + severity: medium + value: London + - field: source.geo.city_name + operator: equals + severity: high + value: Birmingham + - field: source.geo.city_name + operator: equals + severity: critical + value: Wallingford + tags: + - Brute force + threshold: + field: source.ip + value: 20 + type: threshold + example3: + description: Machine learning rule that creates alerts, and sends Slack notifications, when the linux_anomalous_network_activity_ecs machine learning job discovers anomalies with a threshold of 70 or above. + summary: Machine learning rule + value: + actions: + - action_type_id: .slack + group: default + id: 5ad22cd5-5e6e-4c6c-a81a-54b626a4cec5 + params: + message: 'Urgent: {{context.rule.description}}' + anomaly_threshold: 70 + description: Generates alerts when the job discovers anomalies over 70 + enabled: true + from: now-6m + interval: 5m + machine_learning_job_id: linux_anomalous_network_activity_ecs + name: Anomalous Linux network activity + note: Shut down the internet. + risk_score: 70 + rule_id: ml_linux_network_high_threshold + setup: This rule requires data coming in from Elastic Defend. 
+ severity: high + tags: + - machine learning + - Linux + type: machine_learning + example4: + description: Event correlation rule that creates alerts when the Windows rundll32.exe process makes unusual network connections + summary: EQL rule + value: + description: Unusual rundll32.exe network connection + language: eql + name: rundll32.exe network connection + query: sequence by process.entity_id with maxspan=2h [process where event.type in ("start", "process_started") and (process.name == "rundll32.exe" or process.pe.original_file_name == "rundll32.exe") and ((process.args == "rundll32.exe" and process.args_count == 1) or (process.args != "rundll32.exe" and process.args_count == 0))] [network where event.type == "connection" and (process.name == "rundll32.exe" or process.pe.original_file_name == "rundll32.exe")] + required_fields: + - name: event.type + type: keyword + - name: process.args + type: keyword + - name: process.args_count + type: long + - name: process.entity_id + type: keyword + - name: process.name + type: keyword + - name: process.pe.original_file_name + type: keyword + risk_score: 21 + rule_id: eql-outbound-rundll32-connections + severity: low + tags: + - EQL + - Windows + - rundll32.exe + type: eql + example5: + description: | + Indicator match rule that creates an alert when one of the following is true: The event's destination IP address and port number matches destination IP and port values in the threat_index index; The event's source IP address matches a host IP address value in the threat_index index. 
+ summary: Indicator match rule + value: + actions: [] + description: Checks for bad IP addresses listed in the ip-threat-list index + index: + - packetbeat-* + name: Bad IP threat match + query: destination.ip:* or host.ip:* + required_fields: + - name: destination.ip + type: ip + - name: destination.port + type: long + - name: host.ip + type: ip + risk_score: 50 + severity: medium + threat_index: + - ip-threat-list + threat_mapping: + - entries: + - field: destination.ip + type: mapping + value: destination.ip + - field: destination.port + type: mapping + value: destination.port + - entries: + - field: source.ip + type: mapping + value: host.ip + threat_query: '*:*' + type: threat_match + example6: + description: New terms rule that creates alerts a new IP address is detected for a user + summary: New terms rule + value: + description: Detects a user associated with a new IP address + history_window_start: now-30d + index: + - auditbeat* + language: kuery + name: New User IP Detected + new_terms_fields: + - user.id + - source.ip + query: '*' + required_fields: + - name: user.id + type: keyword + - name: source.ip + type: ip + risk_score: 21 + severity: medium + type: new_terms + example7: + description: esql rule that creates alerts from events that match an Excel parent process + summary: Esql rule + value: + description: Find Excel events + enabled: false + from: now-360s + interval: 5m + language: esql + name: Find Excel events + query: from auditbeat-8.10.2 METADATA _id, _version, _index | where process.parent.name == "EXCEL.EXE" + required_fields: + - name: process.parent.name + type: keyword + risk_score: 21 + severity: low + tags: [] + to: now + type: esql + example8: + description: Query rule that searches for processes started by MS Office and suppresses alerts by the process.parent.name field within a 5-hour time period + summary: Query rule 2 + value: + alert_suppression: + duration: + unit: h + value: 5 + group_by: + - process.parent.name + 
missing_fields_strategy: suppress + description: Process started by MS Office program - possible payload + enabled: false + filters: + - query: + match: + event.action: + query: 'Process Create (rule: ProcessCreate)' + type: phrase + from: now-70m + interval: 1h + language: kuery + name: MS Office child process + query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE + risk_score: 50 + rule_id: process_started_by_ms_office_program + severity: low + tags: + - child process + - ms office + type: query + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleCreateProps' + required: true + responses: + '200': + content: + application/json: + examples: + example1: + description: Example response for a query rule + summary: Query rule response + value: + actions: [] + created_at: '2020-04-07T14:51:09.755Z' + created_by: elastic + description: Process started by MS Office program - possible payload + enabled: false + false_positives: [] + filters: + - query: + match: + event.action: + query: 'Process Create (rule: ProcessCreate)' + type: phrase + from: now-70m + id: 6541b99a-dee9-4f6d-a86d-dbd1869d73b1 + immutable: false + interval: 1h + language: kuery + max_signals: 100 + name: MS Office child process + query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE + references: [] + related_integrations: + - package: o365 + version: ^2.3.2 + - integration: graphactivitylogs + package: azure + version: ^1.11.4 + required_fields: + - ecs: true + name: process.parent.name + type: keyword + risk_score: 50 + rule_id: process_started_by_ms_office_program + setup: '' + severity: low + tags: + - child process + - ms office + threat: [] + to: now + type: query + 
updated_at: '2020-04-07T14:51:09.970Z' + updated_by: elastic + version: 1 + example2: + description: Example response for a machine learning job rule + summary: Machine learning response + value: + actions: + - action_type_id: .slack + frequency: + notifyWhen: onActiveAlert + summary: true + throttle: null + group: default + id: 5ad22cd5-5e6e-4c6c-a81a-54b626a4cec5 + params: + message: 'Urgent: {{context.rule.description}}' + anomaly_threshold: 70 + created_at: '2020-04-07T14:45:15.679Z' + created_by: elastic + description: Generates alerts when the job discovers anomalies over 70 + enabled: true + false_positives: [] + from: now-6m + id: 83876f66-3a57-4a99-bf37-416494c80f3b + immutable: false + interval: 5m + machine_learning_job_id: linux_anomalous_network_activity_ecs + max_signals: 100 + name: Anomalous Linux network activity + note: Shut down the internet. + references: [] + related_integrations: [] + required_fields: [] + risk_score: 70 + rule_id: ml_linux_network_high_threshold + setup: '' + severity: high + status: going to run + status_date: '2020-04-07T14:45:21.685Z' + tags: + - machine learning + - Linux + threat: [] + to: now + type: machine_learning + updated_at: '2020-04-07T14:45:15.892Z' + updated_by: elastic + version: 1 + example3: + description: Example response for a threshold rule + summary: Threshold rule response + value: + actions: [] + author: [] + created_at: '2020-07-22T10:27:23.486Z' + created_by: elastic + description: Detects when there are 20 or more failed login attempts from the same IP address with a 2 minute time frame. 
+ enabled: true + exceptions_list: + - id: int-ips + namespace_type: single + type: detection + false_positives: [] + from: now-180s + id: 15dbde26-b627-4d74-bb1f-a5e0ed9e4993 + immutable: false + index: + - winlogbeat-* + interval: 2m + language: kuery + max_signals: 100 + name: Windows server prml-19 + query: host.name:prml-19 and event.category:authentication and event.outcome:failure + references: [] + related_integrations: + - package: o365 + version: ^2.3.2 + required_fields: + - ecs: true + name: source.ip + type: ip + risk_score: 30 + risk_score_mapping: [] + rule_id: liv-win-ser-logins + setup: '' + severity: low + severity_mapping: + - field: source.geo.city_name + operator: equals + severity: low + value: Manchester + - field: source.geo.city_name + operator: equals + severity: medium + value: London + - field: source.geo.city_name + operator: equals + severity: high + value: Birmingham + - field: source.geo.city_name + operator: equals + severity: critical + value: Wallingford + tags: + - Brute force + threat: [] + threshold: + field: source.ip + value: 20 + to: now + type: threshold + updated_at: '2020-07-22T10:27:23.673Z' + updated_by: elastic + version: 1 + example4: + description: Example response for an EQL rule + summary: EQL rule response + value: + author: [] + created_at: '2020-10-05T09:06:16.392Z' + created_by: elastic + description: Unusual rundll32.exe network connection + enabled: true + exceptions_list: [] + false_positives: [] + from: now-6m + id: 93808cae-b05b-4dc9-8479-73574b50f8b1 + immutable: false + interval: 5m + language: eql + max_signals: 100 + name: rundll32.exe network connection + query: sequence by process.entity_id with maxspan=2h [process where event.type in ("start", "process_started") and (process.name == "rundll32.exe" or process.pe.original_file_name == "rundll32.exe") and ((process.args == "rundll32.exe" and process.args_count == 1) or (process.args != "rundll32.exe" and process.args_count == 0))] [network where 
event.type == "connection" and (process.name == "rundll32.exe" or process.pe.original_file_name == "rundll32.exe")] + references: [] + related_integrations: + - package: o365 + version: ^2.3.2 + required_fields: + - ecs: true + name: event.type + type: keyword + - ecs: true + name: process.args + type: keyword + - ecs: true + name: process.args_count + type: long + - ecs: true + name: process.entity_id + type: keyword + - ecs: true + name: process.name + type: keyword + - ecs: true + name: process.pe.original_file_name + type: keyword + risk_score: 21 + risk_score_mapping: [] + rule_id: eql-outbound-rundll32-connections + setup: '' + severity: low + severity_mapping: [] + tags: + - EQL + - Windows + - rundll32.exe + threat: [] + throttle: no_actions + to: now + type: eql + updated_at: '2020-10-05T09:06:16.403Z' + updated_by: elastic + version: 1 + example5: + description: Example response for an indicator match rule + summary: Indicator match rule response + value: + author: [] + created_at: '2020-10-06T07:07:58.227Z' + created_by: elastic + description: Checks for bad IP addresses listed in the ip-threat-list index + enabled: true + exceptions_list: [] + false_positives: [] + from: now-6m + id: d5daa13f-81fb-4b13-be2f-31011e1d9ae1 + immutable: false + index: + - packetbeat-* + interval: 5m + language: kuery + max_signals: 100 + name: Bad IP threat match + query: destination.ip:* or host.ip:* + references: [] + related_integrations: + - package: o365 + version: ^2.3.2 + required_fields: + - ecs: true + name: destination.ip + type: ip + - ecs: true + name: destination.port + type: long + - ecs: true + name: host.ip + type: ip + risk_score: 50 + risk_score_mapping: [] + rule_id: 608501e4-c768-4f64-9326-cec55b5d439b + setup: '' + severity: medium + severity_mapping: [] + tags: [] + threat: [] + threat_index: + - ip-threat-list + threat_mapping: + - entries: + - field: destination.ip + type: mapping + value: destination.ip + - field: destination.port + type: mapping + 
value: destination.port + - entries: + - field: source.ip + type: mapping + value: host.ip + threat_query: '*:*' + to: now + type: threat_match + updated_at: '2020-10-06T07:07:58.237Z' + updated_by: elastic + version: 1 + example6: + description: Example response for a new terms rule + summary: New terms rule response + value: + author: [] + created_at: '2020-10-06T07:07:58.227Z' + created_by: elastic + description: Detects a user associated with a new IP address + enabled: true + exceptions_list: [] + false_positives: [] + from: now-6m + history_window_start: now-30d + id: eb7225c0-566b-11ee-8b4f-bbf3afdeb9f4 + immutable: false + index: + - auditbeat* + interval: 5m + language: kuery + max_signals: 100 + name: New User IP Detected + new_terms_fields: + - user.id + - source.ip + query: '*' + references: [] + related_integrations: + - package: o365 + version: ^2.3.2 + required_fields: + - ecs: true + name: user.id + type: keyword + - ecs: true + name: source.ip + type: ip + risk_score: 21 + risk_score_mapping: [] + rule_id: c6f5d0bc-7be9-47d4-b2f3-073d22641e30 + setup: '' + severity: medium + severity_mapping: [] + tags: [] + threat: [] + to: now + type: new_terms + updated_at: '2020-10-06T07:07:58.237Z' + updated_by: elastic + version: 1 + example7: + description: Example response for an Esql rule + summary: Esql rule response + value: + actions: [] + author: [] + created_at: '2023-10-18T10:55:14.269Z' + created_by: elastic + description: Find Excel events + enabled: false + exceptions_list: [] + false_positives: [] + from: now-360s + id: d0f20490-6da4-11ee-b85e-09e9b661f2e2 + immutable: false + interval: 5m + language: esql + max_signals: 100 + name: Find Excel events + output_index: '' + query: from auditbeat-8.10.2 METADATA _id | where process.parent.name == "EXCEL.EXE" + references: [] + related_integrations: + - package: o365 + version: ^2.3.2 + required_fields: + - ecs: true + name: process.parent.name + type: keyword + revision: 0 + risk_score: 21 + 
risk_score_mapping: [] + rule_id: e4b53a89-debd-4a0d-a3e3-20606952e589 + setup: '' + severity: low + severity_mapping: [] + tags: [] + threat: [] + to: now + type: esql + updated_at: '2023-10-18T10:55:14.269Z' + updated_by: elastic + version: 1 + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleResponse' + description: Indicates a successful call. + summary: Create a detection rule + tags: + - Security Detections API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: | + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/detection_engine/rules
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update a detection rule using the `rule_id` or `id` field. The original rule is replaced, and all unspecified fields are deleted. + + The difference between the `id` and `rule_id` is that the `id` is a unique rule identifier that is randomly generated when a rule is created and cannot be set, whereas `rule_id` is a stable rule identifier that can be assigned during rule creation. + > warn + > When used with [API key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running. + + > If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change. + operationId: UpdateRule + requestBody: + content: + application/json: + examples: + example1: + summary: Update query rule + value: + description: A new description + id: 14b7b513-3d8d-4b22-b7da-a7ae632f7e76 + name: A new name for the rule + risk_score: 22 + severity: medium + type: query + example2: + summary: Update EQL rule + value: + description: eql rule test + id: 9b684efb-acf9-4323-9bff-8335b3867d14 + index: + - apm-*-transaction* + language: eql + name: New name for EQL rule + query: process where process.name == "regsvr32.exe" + risk_score: 21 + severity: low + type: eql + example3: + summary: Update threshold rule + value: + description: Description of threat rule test + id: 005d2c4f-51ca-493d-a2bd-20ef076339b1 + language: kuery + name: New name for threat rule + query: 'agent.version : * and agent.id : "243d9b4f-ca01-4311-8e5c-9abbee91afd8"' + risk_score: 21 + severity: low + tags: + - new_tag + threshold: + cardinality: [] + field: [] + value: 400 + type: threshold + example4: + summary: Update new terms rule + value: + description: New description + 
history_window_start: now-7d + id: 569aac91-40dc-4807-a8ae-a2c8698089c4 + interval: 5m + name: New terms rule name + new_terms_fields: + - Endpoint.policy.applied.artifacts.global.identifiers.name + query: 'agent.version : "9.1.0"' + risk_score: 21 + severity: low + type: new_terms + example5: + summary: Update esql rule + value: + description: New description for esql rule + id: 0b15e8a2-49b6-47e0-a8e6-d63a6cc335bd + language: esql + name: New name for esql rule + query: | + FROM logs* + | STATS count = COUNT(*), min_timestamp = MIN(@timestamp) /* MIN(dateField) finds the earliest timestamp in the dataset. */ + | EVAL event_rate = count / DATE_DIFF("seconds", min_timestamp, NOW()) /* Calculates the event rate by dividing the total count of events by the time difference (in seconds) between the earliest event and the current time. */ + | KEEP event_rate + risk_score: 21 + severity: low + type: esql + example6: + summary: Update indicator match rule + value: + description: New description + id: 462f1986-10fe-40a3-a22c-2b1c9c4c48fd + name: New name for Indicator Match rule + query: source.ip:* or destination.ip:*\n + risk_score: 99 + severity: critical + threat_index: + - filebeat-* + - logs-ti_* + threat_mapping: + - entries: + - field: source.ip + type: mapping + value: threat.indicator.ip + - entries: + - field: destination.ip + type: mapping + value: threat.indicator.ip + threat_query: '@timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and threat.indicator.ip:* and not labels.is_ioc_transform_source:"true"' + type: threat_match + example7: + summary: Update machine learning rule + value: + anomaly_threshold: 50 + description: New description of ml rule + id: 60b13926-289b-41b1-a537-197ef1fa5059 + machine_learning_job_id: + - auth_high_count_logon_events_ea + name: New name of ml rule + risk_score: 21 + severity: low + type: machine_learning + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleUpdateProps' + description: | + > info + 
> All unspecified fields are deleted. You cannot modify the `id` or `rule_id` values. + required: true + responses: + '200': + content: + application/json: + examples: + example1: + summary: Example response for an updated rule + value: + actions: [] + created_at: '2020-04-07T14:51:09.755Z' + created_by: elastic + description: Updated description for the rule. + enabled: false + false_positives: [] + filters: + - query: null + from: now-70m + id: 6541b99a-dee9-4f6d-a86d-dbd1869d73b1 + immutable: false + interval: 1h + language: kuery + max_signals: 100 + name: Updated Rule Name + query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE + references: [] + related_integrations: + - package: o365 + required_fields: + - name: process.parent.name + risk_score: 50 + rule_id: process_started_by_ms_office_program + setup: '' + severity: low + tags: + - child process + - ms office + threat: [] + to: now + type: query + updated_at: '2020-04-07T14:51:09.970Z' + updated_by: elastic + version: 2 + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleResponse' + description: Indicates a successful call. + summary: Update a detection rule + tags: + - Security Detections API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/detection_engine/rules/_bulk_action: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/detection_engine/rules/_bulk_action
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Apply a bulk action, such as bulk edit, duplicate, or delete, to multiple detection rules. The bulk action is applied to all rules that match the query or to the rules listed by their IDs. + + The edit action allows you to add, delete, or set tags, index patterns, investigation fields, rule actions and schedules for multiple rules at once. + The edit action is idempotent, meaning that if you add a tag to a rule that already has that tag, no changes are made. The same is true for other edit actions, for example removing an index pattern that is not specified in a rule will not result in any changes. The only exception is the `add_rule_actions` and `set_rule_actions` action, which is non-idempotent. This means that if you add or set a rule action to a rule that already has that action, a new action is created with a new unique ID. + > warn + > When used with [API key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running. + + > If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change. + operationId: PerformRulesBulkAction + parameters: + - description: | + Enables dry run mode for the request call. + + Enable dry run mode to verify that bulk actions can be applied to specified rules. Certain rules, such as prebuilt Elastic rules on a Basic subscription, can’t be edited and will return errors in the request response. Error details will contain an explanation, the rule name and/or ID, and additional troubleshooting information. + + To enable dry run mode on a request, add the query parameter `dry_run=true` to the end of the request URL. Rules specified in the request will be temporarily updated. 
These updates won’t be written to Elasticsearch. + > info + > Dry run mode is not supported for the `export` bulk action. A 400 error will be returned in the request response. + in: query + name: dry_run + required: false + schema: + type: boolean + requestBody: + content: + application/json: + examples: + example01: + description: The following request activates all rules with the test tag. + summary: Enable - Enable all rules with the test tag + value: + action: enable + query: 'alert.attributes.tags: "test"' + example02: + description: The following request enables the rule with the specified ID. + summary: Enable - Enable a specific rule by ID. + value: + action: enable + ids: + - 748694f0-6977-4ea5-8384-cd2e39730779 + example03: + description: The following request disables the rule with the specified ID. + summary: Disable - Disable a specific rule by ID + value: + action: disable + ids: + - 748694f0-6977-4ea5-8384-cd2e39730779 + example04: + description: The following request duplicates rules with the specified IDs, including exceptions but not expired exceptions. + summary: Duplicate - Duplicate rules with specific IDs + value: + action: duplicate + duplicate: + include_exceptions: true + include_expired_exceptions: false + ids: + - 748694f0-6977-4ea5-8384-cd2e39730779 + - 461a4c22-416e-4009-a9a7-cf79656454bf + example05: + description: The following request deletes the rule with the specified ID. + summary: Delete - Delete a specific rule by ID + value: + action: delete + ids: + - cf4abfd1-7c37-4519-ab0f-5ea5c75fac60 + example06: + description: The following request runs the rule with the specified ID within the given date range. + summary: Run - Run a specific rule by ID + value: + action: run + ids: + - 748694f0-6977-4ea5-8384-cd2e39730779 + run: + end_date: '2025-03-10T23:59:59.999Z' + start_date: '2025-03-01T00:00:00.000Z' + example07: + description: The following request exports the rules with the specified IDs. 
+ summary: Export - Export specific rules by ID + value: + action: export + ids: + - 748694f0-6977-4ea5-8384-cd2e39730779 + example08: + description: The following request will validate that the add_index_patterns bulk action can be successfully applied to three rules. The dry_run parameter is specified in query parameters, e.g. POST api/detection_engine/rules/_bulk_action?dry_run=true + summary: Edit - dry run - Validate add_index_patterns bulk action + value: + action: edit + edit: + - type: add_index_patterns + value: + - test-* + ids: + - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 + - dc015d10-0831-11ed-ac8b-05a222bd8d4a + - de8f5af0-0831-11ed-ac8b-05a222bd8d4a + example09: + description: The following request adds the tag "tag-1" to the rules with the specified IDs. If the tag already exists for a rule, no changes are made. + summary: Edit - Add a tag to rules (idempotent) + value: + action: edit + edit: + - type: add_tags + value: + - tag-1 + ids: + - 8bc7dad0-9320-11ec-9265-8b772383a08d + - 8e5c1a40-9320-11ec-9265-8b772383a08d + example10: + description: The following request adds two tags at the same time, tag-1 and tag-2, to the rules that have the IDs sent in the payload. If the tags already exist for a rule, no changes are made. + summary: Edit - Add two tags to rules (idempotent) + value: + action: edit + edit: + - type: add_tags + value: + - tag-1 + - tag-2 + ids: + - 8bc7dad0-9320-11ec-9265-8b772383a08d + - 8e5c1a40-9320-11ec-9265-8b772383a08d + example11: + description: The following request removes the tag "tag-1" from the rules with the specified IDs. If the tag does not exist for a rule, no changes are made. 
+ summary: Edit - Delete a tag from rules (idempotent) + value: + action: edit + edit: + - type: delete_tags + value: + - tag-1 + ids: + - 8bc7dad0-9320-11ec-9265-8b772383a08d + - 8e5c1a40-9320-11ec-9265-8b772383a08d + example12: + description: The following request sets the tags "tag-1" and "tag-2" for the rules with the specified IDs, overwriting any existing tags. If the set of tags is the same as the existing tags, no changes are made. + summary: Edit - Set (overwrite existing) tags for rules (idempotent) + value: + action: edit + edit: + - type: set_tags + value: + - tag-1 + - tag-2 + ids: + - 8bc7dad0-9320-11ec-9265-8b772383a08d + - 8e5c1a40-9320-11ec-9265-8b772383a08d + example13: + description: The following request adds the index pattern "test-*" to the rules with the specified IDs. If the index pattern already exists for a rule, no changes are made. + summary: Edit - Add index patterns to rules (idempotent) + value: + action: edit + edit: + - type: add_index_patterns + value: + - test-* + ids: + - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 + - dc015d10-0831-11ed-ac8b-05a222bd8d4a + example14: + description: The following request removes the index pattern "test-*" from the rules with the specified IDs. If the index pattern does not exist for a rule, no changes are made. + summary: Edit - Remove index patterns from rules (idempotent) + value: + action: edit + edit: + - type: delete_index_patterns + value: + - test-* + ids: + - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 + - dc015d10-0831-11ed-ac8b-05a222bd8d4a + example15: + description: The following request sets the index patterns "test-*" and "prod-*" for the rules with the specified IDs, overwriting any existing index patterns. If the set of index patterns is the same as the existing index patterns, no changes are made. 
+ summary: Edit - Set (overwrite existing) index patterns for rules patterns (idempotent) + value: + action: edit + edit: + - type: set_index_patterns + value: + - test-* + ids: + - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 + - dc015d10-0831-11ed-ac8b-05a222bd8d4a + example16: + description: The following request adds investigation field to the rules with the specified IDs. + summary: Edit - Add investigation field to rules + value: + action: edit + edit: + - type: add_investigation_fields + value: + field_names: + - alert.status + ids: + - 12345678-1234-1234-1234-1234567890ab + - 87654321-4321-4321-4321-0987654321ba + example17: + description: The following request deletes investigation fields from the rules with the specified IDs. If the field does not exist for a rule, no changes are made. + summary: Edit - Delete investigation fields from rules (idempotent) + value: + action: edit + edit: + - type: delete_investigation_fields + ids: + - 12345678-1234-1234-1234-1234567890ab + - 87654321-4321-4321-4321-0987654321ba + value: + - field1 + - field2 + example18: + description: The following request sets investigation fields for the rules with the specified IDs, overwriting any existing investigation fields. If the set of investigation fields is the same as the existing investigation fields, no changes are made. + summary: Edit - Set (overwrite existing) investigation fields for rules (idempotent) + value: + action: edit + edit: + - type: set_investigation_fields + value: + - field1 + - field2 + ids: + - 12345678-1234-1234-1234-1234567890ab + - 87654321-4321-4321-4321-0987654321ba + example19: + description: The following request sets a timeline template for the rules with the specified IDs. If the same timeline template is already set for a rule, no changes are made. 
+ summary: Edit - Set (overwrite existing) timeline template for rules (idempotent) + value: + action: edit + edit: + - type: set_timeline + value: + timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd + timeline_title: Alerts Involving a Single User Timeline + ids: + - eacdfc95-e007-41c9-986e-4b2cbdfdc71b + example20: + description: The following request sets a schedule for the rules with the specified IDs. If the same schedule is already set for a rule, no changes are made. + summary: Edit - Set (overwrite existing) schedule for rules (idempotent) + value: + action: edit + edit: + - type: set_schedule + value: + interval: 1h + lookback: 30m + ids: + - 99887766-5544-3322-1100-aabbccddeeff + example21: + description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. + summary: Edit - Add rule actions to rules (non-idempotent) + value: + action: edit + edit: + - type: add_rule_actions + value: + actions: + - group: default + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: The message body + ids: + - 9e946bfc-3118-4c77-bb25-67d781191928 + example22: + description: The following request sets rule actions for the rules with the specified IDs. Each action receives its own unique ID. + summary: Edit - Set (overwrite existing) rule actions for rules (non-idempotent) + value: + action: edit + edit: + - type: set_rule_actions + value: + actions: + - group: default + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: The message body + ids: + - 9e946bfc-3118-4c77-bb25-67d781191928 + example23: + description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. 
+ summary: Edit - Add rule actions to rules for a webhook connector + value: + action: edit + edit: + - type: add_rule_actions + value: + actions: + - group: default3 + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: The message body + ids: + - 9e946bfc-3118-4c77-bb25-67d781191921 + example24: + description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. + summary: Edit - Add rule actions to rules for an email connector + value: + action: edit + edit: + - type: add_rule_actions + value: + actions: + - group: default3 + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + message: The message body + subject: Subject + to: address@domain.com + ids: + - 9e946bfc-3118-4c77-bb25-67d781191921 + example25: + description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. + summary: Edit - Add rule actions to rules for a slack connector + value: + action: edit + edit: + - type: add_rule_actions + value: + actions: + - group: default3 + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + message: The content of the message + ids: + - 9e946bfc-3118-4c77-bb25-67d781191921 + example26: + description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. + summary: Edit - Add rule actions to rules for a PagerDuty connector + value: + action: edit + edit: + - type: add_rule_actions + value: + actions: + - group: default3 + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + eventAction: trigger + severity: critical + summary: The message body + timestamp: '2023-10-31T00:00:00.000Z' + ids: + - 9e946bfc-3118-4c77-bb25-67d781191921 + example27: + description: The following request set alert suppression to the rules with the specified IDs. 
+ summary: Edit - Set alert suppression to rules (idempotent) + value: + action: edit + edit: + - type: set_alert_suppression + value: + duration: + unit: h + value: 1 + group_by: + - source.ip + missing_fields_strategy: suppress + ids: + - 12345678-1234-1234-1234-1234567890ab + - 87654321-4321-4321-4321-0987654321ba + example28: + description: The following request set alert suppression to threshold rules with the specified IDs. + summary: Edit - Set alert suppression to threshold rules (idempotent) + value: + action: edit + edit: + - type: set_alert_suppression_for_threshold + value: + duration: + unit: h + value: 1 + ids: + - 12345678-1234-1234-1234-1234567890ab + - 87654321-4321-4321-4321-0987654321ba + example29: + description: The following request removes alert suppression from the rules with the specified IDs. If the rules do not have alert suppression, no changes are made. + summary: Edit - Removes alert suppression from rules (idempotent) + value: + action: edit + edit: + - type: delete_alert_suppression + ids: + - 12345678-1234-1234-1234-1234567890ab + - 87654321-4321-4321-4321-0987654321ba + example30: + description: The following request triggers the filling of gaps for the specified rule ids and time range + summary: Fill Gaps - Manually trigger the filling of gaps for specified rules + value: + action: fill_gaps + ids: + - 748694f0-6977-4ea5-8384-cd2e39730779 + - 164d0918-f720-4c9f-9f5c-c5122587cf19 + run: + end_date: '2025-03-10T23:59:59.999Z' + start_date: '2025-03-01T00:00:00.000Z' + schema: + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_BulkDeleteRules' + - $ref: '#/components/schemas/Security_Detections_API_BulkDisableRules' + - $ref: '#/components/schemas/Security_Detections_API_BulkEnableRules' + - $ref: '#/components/schemas/Security_Detections_API_BulkExportRules' + - $ref: '#/components/schemas/Security_Detections_API_BulkDuplicateRules' + - $ref: '#/components/schemas/Security_Detections_API_BulkManualRuleRun' + - $ref: 
'#/components/schemas/Security_Detections_API_BulkManualRuleFillGaps' + - $ref: '#/components/schemas/Security_Detections_API_BulkEditRules' + responses: + '200': + content: + application/json: + examples: + example01: + description: In this response one rule was updated and one was skipped. Objects returned in attributes.results.skipped will only include rules' id, name, and skip_reason. + summary: Successful response + value: + attributes: + results: + created: [] + deleted: [] + skipped: + - id: 51658332-a15e-4c9e-912a-67214e2e2359 + name: Skipped rule + skip_reason: RULE_NOT_MODIFIED + updated: + - anomaly_threshold: 50 + author: + - Elastic + created_at: '2022-02-21T14:14:13.801Z' + created_by: elastic + description: A machine learning job detected unusually large numbers of DNS queries for a single top-level DNS domain, which is often used for DNS tunneling. DNS tunneling can be used for command-and-control, persistence, or data exfiltration activity. For example, dnscat tends to generate many DNS questions for a top-level domain as it uses the DNS protocol to tunnel data. + enabled: true + exceptions_list: [] + execution_summary: + last_execution: + date: '2022-03-23T16:06:12.787Z' + message: This rule attempted to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, but no matching index was found. + metrics: + execution_gap_duration_s: 0 + total_indexing_duration_ms: 15 + total_search_duration_ms: 135 + status: partial failure + status_order: 20 + false_positives: + - DNS domains that use large numbers of child domains, such as software or content distribution networks, can trigger this alert and such parent domains can be excluded. 
+ from: now-45m + id: 8bc7dad0-9320-11ec-9265-8b772383a08d + immutable: false + interval: 15m + license: Elastic License v2 + machine_learning_job_id: + - packetbeat_dns_tunneling_ea + max_signals: 100 + name: DNS Tunneling [Duplicate] + references: + - https://www.elastic.co/docs/reference/machine-learning/ootb-ml-jobs-siem + related_integrations: [] + required_fields: [] + risk_score: 21 + risk_score_mapping: [] + rule_id: 7289bf08-4e91-4c70-bf01-e04c4c5d7756 + setup: '' + severity: low + severity_mapping: [] + tags: + - Elastic + - Network + - Threat Detection + - ML + threat: [] + to: now + type: machine_learning + updated_at: '2022-02-21T17:05:50.883Z' + updated_by: elastic + version: 6 + summary: + failed: 0 + skipped: 1 + succeeded: 1 + total: 2 + rules_count: 1 + success: true + example02: + description: If processing of any rule fails, a partial error outputs the ID and/or name of the affected rule and the corresponding error, as well as successfully processed rules (in the same format as a successful 200 request). + summary: Partial failure + value: + value: + attributes: + errors: + - message: Index patterns can't be added. Machine learning rule doesn't have index patterns property + rules: + - id: 8bc7dad0-9320-11ec-9265-8b772383a08d + name: DNS Tunneling [Duplicate] + status_code: 500 + results: + created: [] + deleted: [] + skipped: [] + updated: + - actions: [] + author: + - Elastic + created_at: '2022-02-21T14:14:17.883Z' + created_by: elastic + description: Generates a detection alert for each external alert written to the configured indices. Enabling this rule allows you to immediately begin investigating external alerts in the app. + enabled: true + exceptions_list: [] + execution_summary: + last_execution: + date: '2022-03-23T16:06:12.787Z' + message: This rule attempted to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, but no matching index was found. 
+ metrics: + execution_gap_duration_s: 0 + total_indexing_duration_ms: 15 + total_search_duration_ms: 135 + status: partial failure + status_order: 20 + false_positives: [] + from: now-6m + id: 8e5c1a40-9320-11ec-9265-8b772383a08d + immutable: false + index: + - apm-*-transaction* + - traces-apm* + - auditbeat-* + - filebeat-* + - logs-* + - packetbeat-* + - winlogbeat-* + - added-by-id-* + interval: 5m + language: kuery + license: Elastic License v2 + max_signals: 10000 + name: External Alerts [Duplicate] + query: | + event.kind:alert and not event.module:(endgame or endpoint) + references: [] + related_integrations: [] + required_fields: [] + risk_score: 47 + risk_score_mapping: + - field: event.risk_score + operator: equals + value: '' + rule_id: 941faf98-0cdc-4569-b16d-4af962914d61 + rule_name_override: message + setup: '' + severity: medium + severity_mapping: + - field: event.severity + operator: equals + severity: low + value: '21' + - field: event.severity + operator: equals + severity: medium + value: '47' + - field: event.severity + operator: equals + severity: high + value: '73' + - field: event.severity + operator: equals + severity: critical + value: '99' + tags: + - Elastic + - Network + - Windows + - APM + - macOS + - Linux + threat: [] + timestamp_override: event.ingested + to: now + type: query + updated_at: '2022-02-21T16:56:22.818Z' + updated_by: elastic + version: 5 + summary: + failed: 1 + skipped: 0 + succeeded: 1 + total: 2 + message: Bulk edit partially failed + rules_count: 2 + status_code: 500 + success: false + example03: + description: The attributes.errors section of the response shows that two rules failed to update and one succeeded. The same results would be returned if you ran the request without dry run mode enabled. Notice that there are no arrays in attributes.results. 
In dry run mode, rule updates are not applied and saved to Elasticsearch, so the endpoint wouldn’t return results for rules that have been updated, created, or deleted. + summary: Dry run + value: + attributes: + errors: + - err_code: IMMUTABLE + message: Elastic rule can't be edited + rules: + - id: 81aa0480-06af-11ed-94fb-dd1a0597d8d2 + name: Unusual AWS Command for a User + status_code: 500 + - err_code: MACHINE_LEARNING_INDEX_PATTERN + message: Machine learning rule doesn't have index patterns + rules: + - id: dc015d10-0831-11ed-ac8b-05a222bd8d4a + name: Suspicious Powershell Script [Duplicate] + status_code: 500 + results: + created: [] + deleted: [] + skipped: [] + updated: [] + summary: + failed: 2 + skipped: 0 + succeeded: 1 + total: 3 + message: Bulk edit partially failed + status_code: 500 + example04: + description: This example presents the successful setting of tags for 2 rules. There was a difference between the set of tags that were being added and the tags that were already set in the rules, that's why the rules were updated. 
+ summary: Set tags successsully for 2 rules + value: + attributes: + results: + created: [] + deleted: [] + skipped: [] + updated: + - actions: [] + author: [] + created_at: '2025-03-25T11:46:41.899Z' + created_by: elastic + description: test + enabled: false + exceptions_list: [] + false_positives: [] + filters: [] + from: now-6m + id: 738112cd-6cfa-414a-8457-2a658845d6ba + immutable: false + index: + - apm-*-transaction* + - auditbeat-* + - endgame-* + - filebeat-* + - logs-* + - packetbeat-* + - traces-apm* + - winlogbeat-* + - '-*elastic-cloud-logs-*' + interval: 5m + language: kuery + license: '' + max_signals: 100 + meta: + kibana_siem_app_url: http://localhost:5601/kbn/app/security + name: Rule 1 + output_index: '' + query: '*' + references: [] + related_integrations: [] + required_fields: [] + revision: 1 + risk_score: 21 + risk_score_mapping: [] + rule_id: 6fb746a0-dfe5-40fa-b03f-5cbb84f3e32e + rule_source: + type: internal + setup: '' + severity: low + severity_mapping: [] + tags: + - tag-1 + - tag-2 + threat: [] + to: now + type: query + updated_at: '2025-03-25T11:47:11.350Z' + updated_by: elastic + version: 2 + - actions: + - action_type_id: .webhook + frequency: + notifyWhen: onActiveAlert + summary: true + throttle: null + group: default + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: Hello + uuid: 580e2e16-5e91-411c-999b-7b75a11ed441 + author: [] + created_at: '2025-03-25T09:49:08.343Z' + created_by: elastic + description: test + enabled: false + exceptions_list: [] + false_positives: [] + filters: [] + from: now-360s + id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b + immutable: false + index: + - apm-*-transaction* + - auditbeat-* + - endgame-* + - filebeat-* + - logs-* + - packetbeat-* + - traces-apm* + - winlogbeat-* + - '-*elastic-cloud-logs-*' + interval: 3m + investigation_fields: + field_names: + - alert.status + - Endpoint.policy.applied.artifacts.global.channel + language: kuery + license: '' + max_signals: 100 + meta: + from: 3m + 
kibana_siem_app_url: http://localhost:5601/kbn/app/security + name: Rule 2 + output_index: '' + query: '*' + references: [] + related_integrations: [] + required_fields: [] + revision: 33 + risk_score: 21 + risk_score_mapping: [] + rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180 + rule_source: + type: internal + setup: '' + severity: low + severity_mapping: [] + tags: + - tag-1 + - tag-2 + threat: [] + timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd + timeline_title: Alerts Involving a Single User Timeline + to: now + type: query + updated_at: '2025-03-25T11:47:11.357Z' + updated_by: elastic + version: 24 + summary: + failed: 0 + skipped: 0 + succeeded: 2 + total: 2 + rules_count: 2 + success: true + example05: + description: This example presents the idempotent behavior of the edit action with set_tags request. Both rules already had exactly the same tags that were being added, so no changes were made in any of them. + summary: Idempotent behavior of set_tags + value: + attributes: + results: + created: [] + deleted: [] + skipped: + - id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b + name: Rule 1 + skip_reason: RULE_NOT_MODIFIED + - id: 738112cd-6cfa-414a-8457-2a658845d6ba + name: Rule 2 + skip_reason: RULE_NOT_MODIFIED + updated: [] + summary: + failed: 0 + skipped: 2 + succeeded: 0 + total: 2 + rules_count: 2 + success: true + example06: + description: This example presents the idempotent behavior of the edit action with add_tags request. One rule was updated and one was skipped. The rule that was skipped already had all the tags that were being added. 
+ summary: Idempotent behavior of add_tags + value: + attributes: + results: + created: [] + deleted: [] + skipped: + - id: 738112cd-6cfa-414a-8457-2a658845d6ba + name: Test Rule 2 + skip_reason: RULE_NOT_MODIFIED + updated: + - actions: + - action_type_id: .webhook + frequency: + notifyWhen: onActiveAlert + summary: true + throttle: null + group: default + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: Hello + uuid: 580e2e16-5e91-411c-999b-7b75a11ed441 + author: [] + created_at: '2025-03-25T09:49:08.343Z' + created_by: elastic + description: test + enabled: false + exceptions_list: [] + false_positives: [] + filters: [] + from: now-360s + id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b + immutable: false + index: + - apm-*-transaction* + - auditbeat-* + - endgame-* + - filebeat-* + - logs-* + - packetbeat-* + - traces-apm* + - winlogbeat-* + - '-*elastic-cloud-logs-*' + interval: 3m + investigation_fields: + field_names: + - alert.status + - Endpoint.policy.applied.artifacts.global.channel + language: kuery + license: '' + max_signals: 100 + meta: + from: 3m + kibana_siem_app_url: http://localhost:5601/kbn/app/security + name: Test rule + output_index: '' + query: '*' + references: [] + related_integrations: [] + required_fields: [] + revision: 34 + risk_score: 21 + risk_score_mapping: [] + rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180 + rule_source: + type: internal + setup: '' + severity: low + severity_mapping: [] + tags: + - tag-1 + - tag-2 + - tag-4 + threat: [] + timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd + timeline_title: Alerts Involving a Single User Timeline + to: now + type: query + updated_at: '2025-03-25T11:55:12.752Z' + updated_by: elastic + version: 25 + summary: + failed: 0 + skipped: 1 + succeeded: 1 + total: 2 + rules_count: 2 + success: true + example07: + description: This example shows a non-idempotent nature of the set_rule_actions requests. 
Regardless if the actions are the same as the existing actions for a rule, the actions are always set in the rule and receive a new unique ID. + summary: Non-idempotent behavior for set_rule_actions + value: + attributes: + results: + created: [] + deleted: [] + skipped: [] + updated: + - actions: + - action_type_id: .webhook + frequency: + notifyWhen: onActiveAlert + summary: true + throttle: null + group: default + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: Hello + uuid: e48428e5-efac-4856-b8ad-b271c14eaa91 + author: [] + created_at: '2025-03-25T09:49:08.343Z' + created_by: elastic + description: test + enabled: false + exceptions_list: [] + false_positives: [] + filters: [] + from: now-360s + id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b + immutable: false + index: + - apm-*-transaction* + - auditbeat-* + - endgame-* + - filebeat-* + - logs-* + - packetbeat-* + - traces-apm* + - winlogbeat-* + - '-*elastic-cloud-logs-*' + interval: 3m + investigation_fields: + field_names: + - alert.status + - Endpoint.policy.applied.artifacts.global.channel + language: kuery + license: '' + max_signals: 100 + meta: + from: 3m + kibana_siem_app_url: http://localhost:5601/kbn/app/security + name: Test rule + output_index: '' + query: '*' + references: [] + related_integrations: [] + required_fields: [] + revision: 39 + risk_score: 21 + risk_score_mapping: [] + rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180 + rule_source: + type: internal + setup: '' + severity: low + severity_mapping: [] + tags: + - tag-1 + - tag-2 + - tag-4 + threat: [] + timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd + timeline_title: Alerts Involving a Single User Timeline + to: now + type: query + updated_at: '2025-03-25T12:17:40.528Z' + updated_by: elastic + version: 30 + summary: + failed: 0 + skipped: 0 + succeeded: 1 + total: 1 + rules_count: 1 + success: true + example08: + description: This example shows a non-idempotent nature of the add_rule_actions requests. 
Regardless if the added action is the same as another existing action for a rule, the new action is added to the rule and receives a new unique ID. + summary: Non-idempotent behavior for add_rule_actions + value: + attributes: + results: + created: [] + deleted: [] + skipped: [] + updated: + - actions: + - action_type_id: .webhook + frequency: + notifyWhen: onActiveAlert + summary: true + throttle: null + group: default + id: 76af173d-38d8-4a9a-b2cc-a3c695b845b4 + params: + body: Message body + uuid: 0309347e-3954-429c-9168-5da2663389af + - action_type_id: .webhook + frequency: + notifyWhen: onActiveAlert + summary: true + throttle: null + group: default + id: 76af173d-38d8-4a9a-b2cc-a3c695b845b4 + params: + body: Message body + uuid: 49ddaa94-d63d-410e-90dc-8c1bad9552bd + author: [] + created_at: '2025-04-02T12:42:03.400Z' + created_by: elastic + description: test + enabled: false + exceptions_list: [] + false_positives: [] + filters: [] + from: now-6m + id: 0d3eb0cd-88c4-4651-ac87-6d9f0cb87217 + immutable: false + index: + - apm-*-transaction* + - auditbeat-* + - endgame-* + - filebeat-* + - logs-* + - packetbeat-* + - traces-apm* + - winlogbeat-* + - '-*elastic-cloud-logs-*' + interval: 5m + language: kuery + license: '' + max_signals: 100 + meta: + kibana_siem_app_url: http://localhost:5601/kbn/app/security + name: Jacek test rule + output_index: '' + query: '*' + references: [] + related_integrations: [] + required_fields: [] + revision: 2 + risk_score: 21 + risk_score_mapping: [] + rule_id: 2684c020-1370-4719-ac27-eafe6428fe10 + rule_source: + type: internal + setup: '' + severity: low + severity_mapping: [] + tags: [] + threat: [] + to: now + type: query + updated_at: '2025-04-02T12:51:40.215Z' + updated_by: elastic + version: 2 + summary: + failed: 0 + skipped: 0 + succeeded: 1 + total: 1 + rules_count: 1 + success: true + schema: + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_BulkEditActionResponse' + - $ref: 
'#/components/schemas/Security_Detections_API_BulkExportActionResponse' + description: OK + summary: Apply a bulk action to detection rules + tags: + - Security Detections API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/detection_engine/rules/_export: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/detection_engine/rules/_export
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Export detection rules to an `.ndjson` file. The following configuration items are also included in the `.ndjson` file: + - Actions + - Exception lists + > info + > Rule actions and connectors are included in the exported file, but sensitive information about the connector (such as authentication credentials) is not included. You must re-add missing connector details after importing detection rules. + + > You can use Kibana’s [Saved Objects](https://www.elastic.co/docs/explore-analyze/find-and-organize/saved-objects) UI (Stack Management → Kibana → Saved Objects) or the Saved Objects APIs (experimental) to [export](https://www.elastic.co/docs/api/doc/kibana/operation/operation-exportsavedobjectsdefault) and [import](https://www.elastic.co/docs/api/doc/kibana/operation/operation-importsavedobjectsdefault) any necessary connectors before importing detection rules. + + > Similarly, any value lists used for rule exceptions are not included in rule exports or imports. Use the [Manage value lists](https://www.elastic.co/docs/solutions/security/detect-and-alert/create-manage-value-lists) UI (Rules → Detection rules (SIEM) → Manage value lists) to export and import value lists separately. + operationId: ExportRules + parameters: + - description: Determines whether a summary of the exported rules is returned. + in: query + name: exclude_export_details + required: false + schema: + default: false + type: boolean + - description: | + File name for saving the exported rules. + > info + > When using cURL to export rules to a file, use the -O and -J options to save the rules to the file name specified in the URL. 
+ in: query + name: file_name + required: false + schema: + default: export.ndjson + type: string + requestBody: + content: + application/json: + examples: + exportByRuleIds: + summary: Request body to export a subset of rules + value: + objects: + - rule_id: 343580b5-c811-447c-8d2d-2ccf052c6900 + - rule_id: 2938c9fa-53eb-4c04-b79c-33cbf041b18d + schema: + nullable: true + type: object + properties: + objects: + description: Array of objects with a rule's `rule_id` field. Do not use rule's `id` here. Exports all rules when unspecified. + items: + type: object + properties: + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + required: + - rule_id + type: array + required: + - objects + required: false + responses: + '200': + content: + application/ndjson: + examples: + sampleNdjson: + value: | + {"rule_id":"343580b5-c811-447c-8d2d-2ccf052c6900","name":"Example rule","type":"query","enabled":true} + {"exception_list":true} + {"export_summary":{"total_rules":1,"exceptions_count":0}} + schema: + description: | + An `.ndjson` file containing the returned rules. + + Each line in the file represents an object (a rule, exception list parent container, or exception list item), and the last line includes a summary of what was exported. + format: binary + type: string + description: Indicates a successful call. + summary: Export detection rules + tags: + - Security Detections API + x-codeSamples: + - lang: cURL + source: | + curl -X POST "localhost:5601/api/detection_engine/rules/_export?exclude_export_details=true&file_name=exported_rules.ndjson" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' + { + "objects": [ + { + "rule_id":"343580b5-c811-447c-8d2d-2ccf052c6900" + }, + { + "rule_id":"2938c9fa-53eb-4c04-b79c-33cbf041b18d" + } + ] + } + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/detection_engine/rules/_find: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/detection_engine/rules/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve a paginated list of detection rules. By default, the first page is returned, with 20 results per page. + operationId: FindRules + parameters: + - description: | + List of `alert.attributes` field names to return for each rule (for example `name`, `enabled`). + If omitted, the default field set is returned. Repeat the parameter to pass multiple field names, or + use comma-separated values when supported by your client. + in: query + name: fields + required: false + schema: + items: + type: string + type: array + - description: | + Search query + + Filters the returned results according to the value of the specified field, using the alert.attributes.: syntax, where can be: + - name + - enabled + - tags + - createdBy + - interval + - updatedBy + > info + > Even though the JSON rule object uses created_by and updated_by fields, you must use createdBy and updatedBy fields in the filter. 
+ in: query + name: filter + required: false + schema: + type: string + - description: Field to sort by + in: query + name: sort_field + required: false + schema: + $ref: '#/components/schemas/Security_Detections_API_FindRulesSortField' + - description: Sort order + in: query + name: sort_order + required: false + schema: + $ref: '#/components/schemas/Security_Detections_API_SortOrder' + - description: Page number + in: query + name: page + required: false + schema: + default: 1 + minimum: 1 + type: integer + - description: Rules per page + in: query + name: per_page + required: false + schema: + default: 20 + minimum: 0 + type: integer + - description: Gaps range start + in: query + name: gaps_range_start + required: false + schema: + type: string + - description: Gaps range end + in: query + name: gaps_range_end + required: false + schema: + type: string + - description: Gap fill statuses + in: query + name: gap_fill_statuses + required: false + schema: + items: + $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' + type: array + - description: Gap auto fill scheduler ID used to determine gap fill status for rules + in: query + name: gap_auto_fill_scheduler_id + required: false + schema: + type: string + responses: + '200': + content: + application/json: + examples: + example1: + value: + data: + - created_at: '2020-02-02T10:05:19.613Z' + created_by: elastic + description: Identifies a PowerShell process launched by either cscript.exe or wscript.exe. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity. + enabled: false + execution_summary: + last_execution: + date: '2022-03-23T16:06:12.787Z' + message: This rule attempted to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, but no matching index was found. 
+ metrics: + execution_gap_duration_s: 0 + total_indexing_duration_ms: 15 + total_search_duration_ms: 135 + status: partial failure + status_order: 20 + false_positives: [] + from: now-6m + id: 89761517-fdb0-4223-b67b-7621acc48f9e + immutable: true + index: + - winlogbeat-* + interval: 5m + language: kuery + max_signals: 33 + name: Windows Script Executing PowerShell + query: 'event.action:"Process Create (rule: ProcessCreate)" and process.parent.name:("wscript.exe" or "cscript.exe") and process.name:"powershell.exe"' + references: [] + related_integrations: + - package: o365 + version: ^2.3.2 + required_fields: + - ecs: true + name: event.action + type: keyword + - ecs: true + name: process.name + type: keyword + - ecs: true + name: process.parent.name + type: keyword + risk_score: 21 + rule_id: f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc + setup: '' + severity: low + tags: + - Elastic + - Windows + threat: + - framework: MITRE ATT&CK + tactic: + id: TA0002 + name: Execution + reference: https://attack.mitre.org/tactics/TA0002/ + technique: + - id: T1193 + name: Spearphishing Attachment + reference: https://attack.mitre.org/techniques/T1193/ + to: now + type: query + updated_at: '2020-02-02T10:05:19.830Z' + updated_by: elastic + page: 1 + perPage: 5 + total: 4 + schema: + type: object + properties: + data: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleResponse' + type: array + page: + type: integer + perPage: + type: integer + total: + type: integer + warnings: + items: + $ref: '#/components/schemas/Security_Detections_API_WarningSchema' + type: array + required: + - page + - perPage + - total + - data + description: | + Successful response + > info + > These fields are under development and their usage or schema may change: execution_summary. 
+ summary: List all detection rules + tags: + - Security Detections API + x-codeSamples: + - lang: cURL + source: | + curl -X GET "localhost:5601/api/detection_engine/rules/_find?page=1&per_page=5&sort_field=enabled&sort_order=asc&filter=alert.attributes.name:windows" -H 'kbn-xsrf: true' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/detection_engine/rules/_import: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/detection_engine/rules/_import
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Import detection rules from an `.ndjson` file, including actions and exception lists. The request must include: + - The `Content-Type: multipart/form-data` HTTP header. + - A link to the `.ndjson` file containing the rules. + > warn + > When used with [API key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running. + + > If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change. + > info + > To import rules with actions, you need at least Read privileges for the Action and Connectors feature. To overwrite or add new connectors, you need All privileges for the Actions and Connectors feature. To import rules without actions, you don’t need Actions and Connectors privileges. Refer to [Enable and access detections](https://www.elastic.co/docs/solutions/security/detect-and-alert/detections-privileges) for more information. + + > info + > Rule actions and connectors are included in the exported file, but sensitive information about the connector (such as authentication credentials) is not included. You must re-add missing connector details after importing detection rules. + + > You can use Kibana’s [Saved Objects](https://www.elastic.co/docs/explore-analyze/find-and-organize/saved-objects) UI (Stack Management → Kibana → Saved Objects) or the Saved Objects APIs (experimental) to [export](https://www.elastic.co/docs/api/doc/kibana/operation/operation-exportsavedobjectsdefault) and [import](https://www.elastic.co/docs/api/doc/kibana/operation/operation-importsavedobjectsdefault) any necessary connectors before importing detection rules. 
+ + > Similarly, any value lists used for rule exceptions are not included in rule exports or imports. Use the [Manage value lists](https://www.elastic.co/docs/solutions/security/detect-and-alert/create-manage-value-lists) UI (Rules → Detection rules (SIEM) → Manage value lists) to export and import value lists separately. + operationId: ImportRules + parameters: + - description: Determines whether existing rules with the same `rule_id` are overwritten. + in: query + name: overwrite + required: false + schema: + default: false + type: boolean + - description: Determines whether existing exception lists with the same `list_id` are overwritten. Both the exception list container and its items are overwritten. + in: query + name: overwrite_exceptions + required: false + schema: + default: false + type: boolean + - description: Determines whether existing actions with the same `kibana.alert.rule.actions.id` are overwritten. + in: query + name: overwrite_action_connectors + required: false + schema: + default: false + type: boolean + - description: Generates a new list ID for each imported exception list. + in: query + name: as_new_list + required: false + schema: + default: false + type: boolean + requestBody: + content: + multipart/form-data: + examples: + rulesFile: + summary: Multipart part containing a rule export + value: + file: rules_import.ndjson + schema: + type: object + properties: + file: + description: The `.ndjson` file containing the rules. 
+ format: binary + type: string + required: true + responses: + '200': + content: + application/json: + examples: + example1: + summary: Import rules with success + value: + errors: [] + exceptions_errors: [] + exceptions_success: true + exceptions_success_count: 0 + rules_count: 1 + success: true + success_count: 1 + schema: + additionalProperties: false + type: object + properties: + action_connectors_errors: + items: + $ref: '#/components/schemas/Security_Detections_API_ErrorSchema' + type: array + action_connectors_success: + type: boolean + action_connectors_success_count: + minimum: 0 + type: integer + action_connectors_warnings: + items: + $ref: '#/components/schemas/Security_Detections_API_WarningSchema' + type: array + errors: + items: + $ref: '#/components/schemas/Security_Detections_API_ErrorSchema' + type: array + exceptions_errors: + items: + $ref: '#/components/schemas/Security_Detections_API_ErrorSchema' + type: array + exceptions_success: + type: boolean + exceptions_success_count: + minimum: 0 + type: integer + rules_count: + minimum: 0 + type: integer + success: + type: boolean + success_count: + minimum: 0 + type: integer + required: + - exceptions_success + - exceptions_success_count + - exceptions_errors + - rules_count + - success + - success_count + - errors + - action_connectors_errors + - action_connectors_warnings + - action_connectors_success + - action_connectors_success_count + description: Indicates a successful call. + summary: Import detection rules + tags: + - Security Detections API + x-codeSamples: + - lang: cURL + source: | + curl -X POST "/api/detection_engine/rules/_import" + -u : -H 'kbn-xsrf: true' + -H 'Content-Type: multipart/form-data' + --form "file=@" + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/detection_engine/rules/{id}/exceptions: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/detection_engine/rules/{id}/exceptions
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create exception items that apply to a single detection rule. + operationId: CreateRuleExceptionListItems + parameters: + - description: Detection rule's identifier + examples: + id: + value: 330bdd28-eedf-40e1-bed0-f10176c7f9e0 + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Exceptions_API_UUID' + requestBody: + content: + application/json: + examples: + addItems: + value: + items: + - description: This is a sample detection type exception item. + entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + - field: host.name + operator: included + type: match_any + value: + - saturn + - jupiter + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + type: simple + schema: + example: + items: + - description: This is a sample detection type exception item. + entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + - field: host.name + operator: included + type: match_any + value: + - saturn + - jupiter + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + type: simple + type: object + properties: + items: + items: + $ref: '#/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemProps' + type: array + required: + - items + description: Rule exception items. + required: true + responses: + '200': + content: + application/json: + examples: + ruleExceptionItems: + value: + - _version: WzQsMV0= + comments: [] + created_at: '2025-01-07T20:07:33.119Z' + created_by: elastic + description: This is a sample detection type exception item. 
+ entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + - field: host.name + operator: included + type: match_any + value: + - saturn + - jupiter + id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c + type: simple + updated_at: '2025-01-07T20:07:33.119Z' + updated_by: elastic + schema: + items: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' + type: array + description: Successful response + '400': + content: + application/json: + examples: + badPayload: + value: + error: Bad Request + message: Invalid request payload JSON format + statusCode: 400 + badRequest: + value: + error: Bad Request + message: '[request params]: id: Invalid uuid' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + message: Unable to create exception-list + status_code: 403 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal 
Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Create rule exception items + tags: + - Security Exceptions API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/detection_engine/rules/preview: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/detection_engine/rules/preview
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Simulates a detection rule using the same rule type and query logic as a persisted rule, over a short + time window, without persisting a rule or writing alerts. Use the response to validate queries, see sample + matching documents, and inspect execution logs. Pair `invocationCount` and `timeframeEnd` to cap run time. + operationId: RulePreview + parameters: + - description: Enables logging and returning in response ES queries, performed during rule execution + in: query + name: enable_logged_requests + required: false + schema: + type: boolean + requestBody: + content: + application/json: + examples: + queryRule: + value: + description: Find matching events + from: now-24h + index: + - logs-* + invocationCount: 1 + language: kuery + max_signals: 20 + name: Rule preview + query: 'process.name : *' + risk_score: 25 + severity: low + timeframeEnd: '2025-01-20T12:00:00.000Z' + to: now + type: query + schema: + anyOf: + - allOf: + - $ref: '#/components/schemas/Security_Detections_API_EqlRuleCreateProps' + - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' + - allOf: + - $ref: '#/components/schemas/Security_Detections_API_QueryRuleCreateProps' + - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' + - allOf: + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleCreateProps' + - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' + - allOf: + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleCreateProps' + - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' + - allOf: + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleCreateProps' + - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' + - allOf: + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleCreateProps' + - $ref: 
'#/components/schemas/Security_Detections_API_RulePreviewParams' + - allOf: + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateProps' + - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' + - allOf: + - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleCreateProps' + - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' + discriminator: + propertyName: type + description: | + Rule create payload (same shape as `POST /api/detection_engine/rules` for a given `type`) plus + `invocationCount` and `timeframeEnd` to control how the preview is executed. Optional + `enable_logged_requests` surfaces Elasticsearch request logging for debugging. + required: true + responses: + '200': + content: + application/json: + examples: + success: + value: + isAborted: false + logs: + - duration: 45 + errors: [] + requests: [] + startedAt: '2025-01-20T10:00:00.000Z' + warnings: [] + previewId: 7f1c9d1e-4c8a-4a3e-9a5d-0d4f6e1b2a90 + schema: + type: object + properties: + isAborted: + type: boolean + logs: + items: + $ref: '#/components/schemas/Security_Detections_API_RulePreviewLogs' + type: array + previewId: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + required: + - logs + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request body].timeframeEnd: expected string, received null' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user 
[elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Preview rule alerts generated on specified time range + tags: + - Security Detections API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/detection_engine/signals/assignees: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/detection_engine/signals/assignees
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Assign users to detection alerts, and unassign them from alerts. + > info + > You cannot add and remove the same assignee in the same request. + operationId: SetAlertAssignees + requestBody: + content: + application/json: + examples: + add: + $ref: '#/components/examples/Security_Detections_API_SetAlertAssigneesBodyAdd' + remove: + $ref: '#/components/examples/Security_Detections_API_SetAlertAssigneesBodyRemove' + schema: + $ref: '#/components/schemas/Security_Detections_API_SetAlertAssigneesBody' + description: User profile IDs to add or remove on each listed alert document ID. + required: true + responses: + '200': + content: + application/json: + examples: + add: + value: + batches: 1 + deleted: 0 + failures: [] + noops: 0 + requests_per_second: -1 + retries: + bulk: 0 + search: 0 + throttled_millis: 0 + throttled_until_millis: 0 + timed_out: false + took: 76 + total: 1 + updated: 1 + version_conflicts: 0 + schema: + additionalProperties: true + description: Elasticsearch update by query response + type: object + description: | + Indicates a successful call. The body matches an Elasticsearch update-by-query response + (for example `took`, `updated`, `failures`). 
+ '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request body].ids: at least one alert id is required to update assignees' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [POST /api/detection_engine/signals/assignees] is unauthorized for the current user, this action is granted by the Kibana Security Solution privileges for cases and detections + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + description: Not enough privileges response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Assign and unassign users from detection alerts + tags: + - Security Detections API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/detection_engine/signals/search: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/detection_engine/signals/search
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Find and/or aggregate detection alerts that match the given query. + operationId: SearchAlerts + requestBody: + content: + application/json: + examples: + query: + value: + aggs: + alertsByGrouping: + terms: + field: host.name + size: 10 + missingFields: + missing: + field: host.name + query: + bool: + filter: + - bool: + filter: + - match_phrase: + kibana.alert.workflow_status: open + must: [] + must_not: + - exists: + field: kibana.alert.building_block_type + should: [] + - range: + '@timestamp': + gte: '2025-01-17T08:00:00.000Z' + lte: '2025-01-18T07:59:59.999Z' + runtime_mappings: {} + size: 0 + schema: + $ref: '#/components/schemas/Security_Detections_API_QueryAlertsBodyParams' + description: Elasticsearch query and aggregation request + description: Search and/or aggregation query + required: true + responses: + '200': + content: + application/json: + examples: + success: + value: + _shards: + failed: 0 + skipped: 0 + successful: 1 + total: 1 + aggregations: + alertsByGrouping: + buckets: + - doc_count: 5 + key: Host-f43kkddfyc + doc_count_error_upper_bound: 0 + sum_other_doc_count: 0 + missingFields: + doc_count: 0 + hits: + hits: [] + max_score: null + total: + relation: eq + value: 5 + timed_out: false + took: 0 + schema: + additionalProperties: true + description: Elasticsearch search response + type: object + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: 'Failed to parse search request: unknown query clause in bool filter' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + 
message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Find and/or aggregate detection alerts + tags: + - Security Detections API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/detection_engine/signals/status: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/detection_engine/signals/status
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Set the status of one or more detection alerts. + operationId: SetAlertsStatus + requestBody: + content: + application/json: + examples: + byId: + value: + signal_ids: + - 80e1383f856e67c1b7f7a1634744fa6d66b6e2ef7aa26d226e57afb5a7b2b4a1 + status: closed + byQuery: + value: + conflicts: proceed + query: + bool: + filter: + - '@timestamp': + format: strict_date_optional_time + gte: '2024-10-23T07:00:00.000Z' + lte: '2025-01-21T20:12:11.704Z' + range: null + - bool: + filter: + bool: + filter: + - match_phrase: + kibana.alert.workflow_status: open + - '@timestamp': + format: strict_date_optional_time + gte: '2024-10-23T07:00:00.000Z' + lte: '2025-01-21T20:12:11.704Z' + range: null + must: [] + must_not: + - exists: + field: kibana.alert.building_block_type + should: [] + must: [] + must_not: [] + should: [] + status: closed + schema: + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_SetAlertsStatusByIds' + - $ref: '#/components/schemas/Security_Detections_API_SetAlertsStatusByQuery' + description: An object containing desired status and explicit alert ids or a query to select alerts + required: true + responses: + '200': + content: + application/json: + examples: + byId: + value: + batches: 1 + deleted: 0 + failures: [] + noops: 0 + requests_per_second: -1 + retries: + bulk: 0 + search: 0 + throttled_millis: 0 + throttled_until_millis: 0 + timed_out: false + took: 81 + total: 1 + updated: 1 + version_conflicts: 0 + byQuery: + value: + batches: 1 + deleted: 0 + failures: [] + noops: 0 + requests_per_second: -1 + retries: + bulk: 0 + search: 0 + throttled_millis: 0 + throttled_until_millis: 0 + timed_out: false + took: 100 + total: 17 + updated: 17 + version_conflicts: 0 + schema: + additionalProperties: true + description: Elasticsearch update by query response + type: object + description: Successful response + '400': + content: + application/json: + 
examples: + badRequest: + value: + error: Bad Request + message: '[request body].signal_ids: at least one alert id is required to update status' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Set a detection alert status + tags: + - Security Detections API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/detection_engine/signals/tags: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/detection_engine/signals/tags
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Add tags to detection alerts, and remove them from alerts, by alert IDs or a query, in a single request. + > info + > You cannot add and remove the same alert tag in the same request. + operationId: SetAlertTags + requestBody: + content: + application/json: + examples: + add: + $ref: '#/components/examples/Security_Detections_API_SetAlertTagsBodyAdd' + remove: + $ref: '#/components/examples/Security_Detections_API_SetAlertTagsBodyRemove' + schema: + $ref: '#/components/schemas/Security_Detections_API_SetAlertTagsBody' + description: An object containing tags to add or remove and alert ids the changes will be applied + required: true + responses: + '200': + content: + application/json: + examples: + success: + value: + batches: 1, + deleted: 0, + failures: [] + noops: 0, + requests_per_second: '-1,' + retries: + bulk: 0, + search: 0 + throttled_millis: 0, + throttled_until_millis: 0, + timed_out: false, + took: 68, + total: 1, + updated: 1, + version_conflicts: 0, + schema: + additionalProperties: true + description: Elasticsearch update by query response + type: object + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request body].tags: cannot add and remove the same tag in a single request' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 
401 + schema: + $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Add and remove detection alert tags + tags: + - Security Detections API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/detection_engine/tags: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/detection_engine/tags
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all unique tags from all detection rules. + operationId: ReadTags + responses: + '200': + content: + application/json: + examples: + example1: + value: + - zeek + - suricata + - windows + - linux + - network + - initial access + - remote access + - phishing + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + description: Indicates a successful call + summary: List all detection rule tags + tags: + - Security Detections API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint_list: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint_list
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create the exception list for Elastic Endpoint rule exceptions. When you create the exception list, it will have a `list_id` of `endpoint_list`. If the Elastic Endpoint exception list already exists, your request will return an empty response. + operationId: CreateEndpointList + responses: + '200': + content: + application/json: + examples: + alreadyExists: + summary: Endpoint exception list already exists (empty response) + value: {} + newList: + summary: Endpoint exception list created + value: + created_at: '2025-01-01T00:00:00.000Z' + created_by: elastic + description: Endpoint Security Exception List + id: 2e23a8c4-ef7e-4c10-adfa-3eae4e4b4b8b + immutable: false + list_id: endpoint_list + name: Endpoint Security Exception List + namespace_type: agnostic + os_types: [] + tags: [] + tie_breaker_id: e3c5a8e0-5b6a-4b4b-8b3a-2e23a8c4ef7e + type: endpoint + updated_at: '2025-01-01T00:00:00.000Z' + updated_by: elastic + version: 1 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_EndpointList' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request body]: expected value of type [object] but got [undefined]' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Invalid input data + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: 
'#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [POST /api/endpoint_list] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + description: Insufficient privileges + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Internal server error + summary: Create an Elastic Endpoint rule exception list + tags: + - Security Endpoint Exceptions API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint_list/items: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/endpoint_list/items
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete an Elastic Endpoint exception list item, specified by the `id` or `item_id` field. + operationId: DeleteEndpointListItem + parameters: + - description: Either `id` or `item_id` must be specified + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId' + - description: Either `id` or `item_id` must be specified + in: query + name: item_id + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId' + responses: + '200': + content: + application/json: + examples: + deleted: + summary: Deleted endpoint exception list item + value: + comments: [] + created_at: '2025-01-01T12:00:00.000Z' + created_by: elastic + description: Blocks a known malicious file by its hash + entries: + - field: file.hash.sha256 + operator: included + type: match + value: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e + item_id: block-malicious-file + list_id: endpoint_list + name: Block malicious file + namespace_type: agnostic + os_types: + - windows + tags: [] + tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 + type: simple + updated_at: '2025-01-01T12:00:00.000Z' + updated_by: elastic + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItem' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: Either "item_id" or "id" needs to be defined in the request + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Invalid input data + '401': + content: + application/json: + examples: + unauthorized: + 
value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [DELETE /api/endpoint_list/items?item_id=block-malicious-file] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + description: Insufficient privileges + '404': + content: + application/json: + examples: + notFound: + value: + message: 'exception list item item_id: "block-malicious-file" does not exist' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Endpoint list item not found + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Internal server error + summary: Delete an Elastic Endpoint exception list item + tags: + - Security Endpoint Exceptions API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint_list/items
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the details of an Elastic Endpoint exception list item, specified by the `id` or `item_id` field. + operationId: ReadEndpointListItem + parameters: + - description: Either `id` or `item_id` must be specified + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId' + - description: Either `id` or `item_id` must be specified + in: query + name: item_id + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId' + responses: + '200': + content: + application/json: + examples: + item: + summary: Endpoint exception list item + value: + comments: [] + created_at: '2025-01-01T12:00:00.000Z' + created_by: elastic + description: Blocks a known malicious file by its hash + entries: + - field: file.hash.sha256 + operator: included + type: match + value: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e + item_id: block-malicious-file + list_id: endpoint_list + name: Block malicious file + namespace_type: agnostic + os_types: + - windows + tags: + - policy:all + tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 + type: simple + updated_at: '2025-01-01T12:00:00.000Z' + updated_by: elastic + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItem' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: id or item_id required + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Invalid input data + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + 
message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [GET /api/endpoint_list/items?item_id=block-malicious-file] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + description: Insufficient privileges + '404': + content: + application/json: + examples: + notFound: + value: + message: 'exception list item item_id: "block-malicious-file" does not exist' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Endpoint list item not found + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Internal server error + summary: Get an Elastic Endpoint rule exception list item + tags: + - Security Endpoint Exceptions API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint_list/items
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create an Elastic Endpoint exception list item, and associate it with the Elastic Endpoint exception list. + operationId: CreateEndpointListItem + requestBody: + content: + application/json: + examples: + matchAny: + summary: Exclude multiple process names + value: + description: Exclude common security tools from endpoint protection + entries: + - field: process.name + operator: included + type: match_any + value: + - scanner.exe + - updater.exe + name: Trusted security tools + os_types: + - windows + type: simple + simpleMatch: + summary: Block a specific file hash + value: + description: Blocks a known malicious file by its hash + entries: + - field: file.hash.sha256 + operator: included + type: match + value: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + name: Block malicious file + os_types: + - windows + tags: + - policy:all + type: simple + schema: + type: object + properties: + comments: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray' + default: [] + description: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription' + entries: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray' + item_id: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId' + meta: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta' + name: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName' + os_types: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray' + default: [] + tags: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags' + default: [] + type: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType' + required: + - type + - name + - 
description + - entries + description: Exception list item's properties + required: true + responses: + '200': + content: + application/json: + examples: + created: + summary: Endpoint exception list item created + value: + comments: [] + created_at: '2025-01-01T12:00:00.000Z' + created_by: elastic + description: Blocks a known malicious file by its hash + entries: + - field: file.hash.sha256 + operator: included + type: match + value: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e + item_id: block-malicious-file + list_id: endpoint_list + name: Block malicious file + namespace_type: agnostic + os_types: + - windows + tags: + - policy:all + tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 + type: simple + updated_at: '2025-01-01T12:00:00.000Z' + updated_by: elastic + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItem' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request body]: name: Required' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Invalid input data + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [POST /api/endpoint_list/items] is 
unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + description: Insufficient privileges + '409': + content: + application/json: + examples: + alreadyExists: + value: + message: 'exception list item id: "block-malicious-file" already exists' + status_code: 409 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Endpoint list item already exists + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Internal server error + summary: Create an Elastic Endpoint rule exception list item + tags: + - Security Endpoint Exceptions API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/endpoint_list/items
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an Elastic Endpoint exception list item, specified by the `id` or `item_id` field. + operationId: UpdateEndpointListItem + requestBody: + content: + application/json: + examples: + updateName: + summary: Update an endpoint exception list item + value: + description: Updated description for the exception + entries: + - field: file.hash.sha256 + operator: included + type: match + value: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + item_id: block-malicious-file + name: Block malicious file (updated) + os_types: + - windows + - linux + type: simple + schema: + type: object + properties: + _version: + description: The version id, normally returned by the API when the item is retrieved. Use it ensure updates are made against the latest version. + type: string + comments: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray' + default: [] + description: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription' + entries: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray' + id: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId' + description: Either `id` or `item_id` must be specified + item_id: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId' + description: Either `id` or `item_id` must be specified + meta: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta' + name: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName' + os_types: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray' + default: [] + tags: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags' + type: + $ref: 
'#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType' + required: + - type + - name + - description + - entries + description: Exception list item's properties + required: true + responses: + '200': + content: + application/json: + examples: + updated: + summary: Endpoint exception list item updated + value: + comments: [] + created_at: '2025-01-01T12:00:00.000Z' + created_by: elastic + description: Updated description for the exception + entries: + - field: file.hash.sha256 + operator: included + type: match + value: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e + item_id: block-malicious-file + list_id: endpoint_list + name: Block malicious file (updated) + namespace_type: agnostic + os_types: + - windows + - linux + tags: + - policy:all + tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 + type: simple + updated_at: '2025-01-15T09:30:00.000Z' + updated_by: elastic + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItem' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request body]: name: Required' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Invalid input data + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication + '403': + content: + 
application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [PUT /api/endpoint_list/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + description: Insufficient privileges + '404': + content: + application/json: + examples: + notFound: + value: + message: 'list item item_id: "block-malicious-file" not found' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Endpoint list item not found + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Internal server error + summary: Update an Elastic Endpoint rule exception list item + tags: + - Security Endpoint Exceptions API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint_list/items/_find: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint_list/items/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all Elastic Endpoint exception list items. + operationId: FindEndpointListItems + parameters: + - description: | + Filters the returned results according to the value of the specified field, + using the `:` syntax. + in: query + name: filter + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' + - description: The page number to return + in: query + name: page + required: false + schema: + minimum: 0 + type: integer + - description: The number of exception list items to return per page + in: query + name: per_page + required: false + schema: + minimum: 0 + type: integer + - description: Determines which field is used to sort the results + in: query + name: sort_field + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' + - description: Determines the sort order, which can be `desc` or `asc` + in: query + name: sort_order + required: false + schema: + enum: + - desc + - asc + type: string + responses: + '200': + content: + application/json: + examples: + foundItems: + summary: Found endpoint exception list items + value: + data: + - comments: [] + created_at: '2025-01-01T12:00:00.000Z' + created_by: elastic + description: Blocks a known malicious file by its hash + entries: + - field: file.hash.sha256 + operator: included + type: match + value: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e + item_id: block-malicious-file + list_id: endpoint_list + name: Block malicious file + namespace_type: agnostic + os_types: + - windows + tags: + - policy:all + tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 + type: simple + updated_at: '2025-01-01T12:00:00.000Z' + updated_by: elastic + page: 1 + per_page: 20 + total: 1 + schema: + type: object + properties: + data: + description: The list 
of endpoint exception list items. + items: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItem' + type: array + page: + description: The current page number. + minimum: 0 + type: integer + per_page: + description: The number of items per page. + minimum: 0 + type: integer + pit: + description: The point-in-time ID for pagination. + type: string + total: + description: The total number of endpoint exception list items. + minimum: 0 + type: integer + required: + - data + - page + - per_page + - total + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request query]: page: Expected number, received string' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Invalid input data + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [GET /api/endpoint_list/items/_find] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + description: Insufficient privileges + '404': + content: + application/json: + examples: + notFound: + value: + message: 'list id: "endpoint_list" does not exist' + status_code: 
404 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Endpoint list not found + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Internal server error + summary: Get Elastic Endpoint exception list items + tags: + - Security Endpoint Exceptions API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint/action: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint/action
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all response actions. + operationId: EndpointGetActionsList + parameters: + - description: The page number to return. + in: query + name: page + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Page' + - description: The number of response actions to return per page. + in: query + name: pageSize + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_PageSize' + - description: A list of response action command names to filter by. + in: query + name: commands + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Commands' + - description: A list of Elastic Agent IDs to filter the response actions by. + in: query + name: agentIds + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentIds' + - description: A list of user IDs that submitted the response actions. + in: query + name: userIds + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_UserIds' + - description: A start date in ISO 8601 format or Date Math format (for example, `now-24h`). + in: query + name: startDate + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_StartDate' + - description: An end date in ISO 8601 format or Date Math format (for example, `now`). + in: query + name: endDate + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndDate' + - description: The agent type to filter response actions by. Defaults to `endpoint`. + in: query + name: agentTypes + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' + - description: A list of response action IDs whose outputs should be included in the response. 
+ in: query + name: withOutputs + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_WithOutputs' + - description: A list of response action types to filter by (`automated`, `manual`). + in: query + name: types + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Types' + responses: + '200': + content: + application/json: + examples: + actionsList: + summary: A list of response actions + value: + data: + - agents: + - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 + agentType: endpoint + command: running-processes + completedAt: '2022-08-08T09:50:47.672Z' + createdBy: elastic + id: b3d6de74-36b0-4fa8-be46-c375bf1771bf + isCompleted: true + isExpired: false + startedAt: '2022-08-08T15:24:57.402Z' + wasSuccessful: true + - agents: + - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 + agentType: endpoint + command: isolate + completedAt: '2022-08-08T10:41:57.352Z' + createdBy: elastic + id: 43b4098b-8752-4fbb-a7a7-6df7c74d0ee3 + isCompleted: true + isExpired: false + startedAt: '2022-08-08T15:23:37.359Z' + wasSuccessful: true + elasticAgentIds: + - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 + endDate: now + page: 1 + pageSize: 10 + startDate: now-24h/h + total: 2 + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_GetEndpointActionListResponse' + description: Indicates a successful call. + summary: Get response actions + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint/action_status: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint/action_status
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the status of response actions for the specified agent IDs. + operationId: EndpointGetActionsStatus + parameters: + - description: A list of agent IDs to get the action status for. + in: query + name: agent_ids + required: true + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentIds' + responses: + '200': + content: + application/json: + examples: + actionStatus: + summary: Pending response actions per agent + value: + data: + - agent_id: afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 + pending_actions: + execute: 0 + get-file: 0 + isolate: 0 + kill-process: 1 + running-processes: 0 + scan: 0 + unisolate: 0 + upload: 0 + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ActionStatusSuccessResponse' + description: Indicates a successful call. + summary: Get response actions status + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint/action/{action_id}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint/action/{action_id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the details of a response action using the action ID. + operationId: EndpointGetActionsDetails + parameters: + - description: The ID of the response action to retrieve. + in: path + name: action_id + required: true + schema: + example: fr518850-681a-4y60-aa98-e22640cae2b8 + type: string + responses: + '200': + content: + application/json: + examples: + actionDetails: + summary: Details of an isolate response action + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentType: endpoint + command: isolate + completedAt: '2022-08-08T10:41:57.352Z' + createdBy: elastic + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: true + isExpired: false + startedAt: '2022-08-08T15:23:37.359Z' + wasSuccessful: true + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ActionDetailsResponse' + description: OK + summary: Get action details + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint/action/{action_id}/file/{file_id}: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint/action/{action_id}/file/{file_id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get information for the specified response action file download. + operationId: EndpointFileInfo + parameters: + - description: The ID of the response action that generated the file. + in: path + name: action_id + required: true + schema: + type: string + - description: | + The file identifier is constructed in one of two ways: + - For Elastic Defend agents (`agentType` of `endpoint`): combine the `action_id` and `agent_id` values using a dot (`.`) separator: + `{file_id}` = `{action_id}.{agent_id}` + - For all other agent types: the `file_id` is the `agent_id` for which the response action was sent to. + in: path + name: file_id + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + fileInfo: + summary: File information for a response action upload + value: + data: + actionId: 233db9ea-6733-4849-9226-5a7039c7161d + agentId: ed518850-681a-4d60-bb98-e22640cae2a8 + agentType: endpoint + created: '2025-02-26T13:37:30.452Z' + id: 233db9ea-6733-4849-9226-5a7039c7161d.ed518850-681a-4d60-bb98-e22640cae2a8 + mimeType: application/zip + name: memory_dump.zip + size: 1048576 + status: READY + schema: + properties: + data: + type: object + properties: + actionId: + description: The response action ID. + type: string + agentId: + description: The agent ID that generated the file. + type: string + agentType: + description: The type of agent that generated the file. + type: string + created: + description: The date and time the file was created. + format: date-time + type: string + id: + description: The unique file identifier. + type: string + mimeType: + description: The MIME type of the file. + type: string + name: + description: The file name. + type: string + size: + description: The file size in bytes. + type: number + status: + description: The file upload status. 
+ enum: + - AWAITING_UPLOAD + - UPLOADING + - READY + - UPLOAD_ERROR + - DELETED + type: string + description: Indicates a successful call. + summary: Get file information + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint/action/{action_id}/file/{file_id}/download: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint/action/{action_id}/file/{file_id}/download
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Download a file associated with a response action. Files are downloaded in a password-protected `.zip` archive to prevent the file from running. Use password `elastic` to open the `.zip` in a safe environment. + > info + > Files retrieved from third-party-protected hosts require a different password. Refer to [Third-party response actions](https://www.elastic.co/docs/solutions/security/endpoint-response-actions/third-party-response-actions) for your system's password. + operationId: EndpointFileDownload + parameters: + - description: The ID of the response action that generated the file. + in: path + name: action_id + required: true + schema: + type: string + - description: | + The file identifier is constructed in one of two ways: + - For Elastic Defend agents (`agentType` of `endpoint`): combine the `action_id` and `agent_id` values using a dot (`.`) separator: + `{file_id}` = `{action_id}.{agent_id}` + - For all other agent types: the `file_id` is the `agent_id` for which the response action was sent to. + in: path + name: file_id + required: true + schema: + type: string + responses: + '200': + content: + application/octet-stream: + examples: + fileDownload: + summary: Password-protected ZIP archive containing the response action file + value: binary file content (password-protected .zip) + schema: + format: binary + type: string + description: Indicates a successful call. + summary: Download a file + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint/action/cancel: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/action/cancel
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Cancel a running or pending response action (Applies only to some agent types). + operationId: CancelAction + requestBody: + content: + application/json: + examples: + MicrosoftDefenderEndpoint: + summary: Cancel a response action on a Microsoft Defender for Endpoint host + value: + agent_type: microsoft_defender_endpoint + comment: Cancelling action due to change in requirements + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + id: 7f8c9b2a-4d3e-4f5a-8b1c-2e3f4a5b6c7d + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_CancelRouteRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + CancelSuccess: + summary: Cancel action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: microsoft_defender_endpoint + command: cancel + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: false + isExpired: false + outputs: {} + parameters: + id: 7f8c9b2a-4d3e-4f5a-8b1c-2e3f4a5b6c7d + startedAt: '2022-07-29T19:08:49.126Z' + status: pending + wasSuccessful: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' + description: Indicates a successful call. + summary: Cancel a response action + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint/action/execute: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/action/execute
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Run a shell command on an endpoint. + operationId: EndpointExecuteAction + requestBody: + content: + application/json: + examples: + executeCommand: + summary: Execute a shell command on an endpoint + value: + comment: Get list of all files + endpoint_ids: + - b3d6de74-36b0-4fa8-be46-c375bf1771bf + parameters: + command: ls -al + timeout: 600 + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ExecuteRouteRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + ExecuteSuccess: + summary: Execute action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: execute + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 9f934028-2300-4927-b531-b26376793dc4 + isCompleted: false + isExpired: false + outputs: {} + parameters: + command: ls -al + timeout: 600 + startedAt: '2023-07-28T18:43:27.362Z' + status: pending + wasSuccessful: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' + description: Indicates a successful call. + summary: Run a command + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint/action/get_file: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/action/get_file
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a file from an endpoint. + operationId: EndpointGetFileAction + requestBody: + content: + application/json: + examples: + getFile: + summary: Get a specific file from an endpoint + value: + comment: Get my file + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + path: /usr/my-file.txt + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_GetFileRouteRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + GetFileSuccess: + summary: Get file action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: get-file + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 27ba1b42-7cc6-4e53-86ce-675c876092b2 + isCompleted: false + isExpired: false + outputs: {} + parameters: + path: /usr/my-file.txt + startedAt: '2023-07-28T19:00:03.911Z' + status: pending + wasSuccessful: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' + description: Indicates a successful call. + summary: Get a file + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint/action/isolate: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/action/isolate
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Isolate an endpoint from the network. The endpoint remains isolated until it's released. + operationId: EndpointIsolateAction + requestBody: + content: + application/json: + examples: + multiple_endpoints: + summary: Isolates several hosts; includes a comment + value: + comment: Locked down, pending further investigation + endpoint_ids: + - 9972d10e-4b9e-41aa-a534-a85e2a28ea42 + - bc0e4f0c-3bca-4633-9fee-156c0b505d16 + - fa89271b-b9d4-43f2-a684-307cffddeb5a + single_endpoint: + summary: Isolates a single host with an endpoint_id value of ed518850-681a-4d60-bb98-e22640cae2a8 + value: + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + with_case_id: + summary: Isolates a single host with a case_id value of 1234 + value: + case_ids: + - 4976be38-c134-4554-bd5e-0fd89ce63667 + comment: Isolating as initial response + endpoint_ids: + - 1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0 + - b30a11bf-1395-4707-b508-fbb45ef9793e + schema: + type: object + properties: + agent_type: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' + alert_ids: + description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. + example: + - alert-id-1 + - alert-id-2 + items: + minLength: 1 + type: string + maxItems: 50 + minItems: 1 + type: array + case_ids: + description: The IDs of cases where the action taken will be logged. Max of 50. 
+ example: + - case-id-1 + - case-id-2 + items: + minLength: 1 + type: string + maxItems: 50 + minItems: 1 + type: array + comment: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' + endpoint_ids: + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' + parameters: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' + required: + - endpoint_ids + required: true + responses: + '200': + content: + application/json: + examples: + IsolateSuccess: + summary: Isolate action successfully created + value: + action: 233db9ea-6733-4849-9226-5a7039c7161d + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: isolate + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: false + isExpired: false + outputs: {} + startedAt: '2022-07-29T19:08:49.126Z' + status: pending + wasSuccessful: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_IsolateRouteResponse' + description: Indicates a successful call. + summary: Isolate an endpoint + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint/action/kill_process: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/action/kill_process
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Terminate a running process on an endpoint. + operationId: EndpointKillProcessAction + requestBody: + content: + application/json: + examples: + byEntityId: + summary: Terminate a process by entity ID + value: + comment: Terminating malicious process + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + entity_id: abc123 + byPid: + summary: Terminate a process by PID + value: + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + pid: 1234 + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_KillProcessRouteRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + KillProcessSuccess: + summary: Kill process action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: kill-process + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: false + isExpired: false + outputs: {} + parameters: + entity_id: abc123 + startedAt: '2022-07-29T19:08:49.126Z' + status: pending + wasSuccessful: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' + description: Indicates a successful call. + summary: Terminate a process + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint/action/memory_dump: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/action/memory_dump
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Generates memory dumps on the targeted host. + operationId: EndpointGenerateMemoryDump + requestBody: + content: + application/json: + examples: + ProcessMemoryDump: + summary: Generate a memory dump from the host machine + value: + agent_type: endpoint + comment: Generating memory dump for investigation + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + entity_id: abc123 + type: process + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_MemoryDumpRouteRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + MemoryDumpSuccessResponse: + summary: Memory dump action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: memory-dump + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: false + isExpired: false + outputs: {} + parameters: + entity_id: abc123 + type: process + startedAt: '2022-07-29T19:08:49.126Z' + status: pending + wasSuccessful: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' + description: Indicates a successful call. + summary: Generate a memory dump from the host machine + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint/action/running_procs: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/action/running_procs
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all processes running on an endpoint. + operationId: EndpointGetProcessesAction + requestBody: + content: + application/json: + examples: + singleEndpoint: + summary: Get running processes on a single endpoint + value: + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_GetProcessesRouteRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + RunningProcsSuccess: + summary: Running processes action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: running-processes + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: false + isExpired: false + outputs: {} + startedAt: '2022-07-29T19:08:49.126Z' + status: pending + wasSuccessful: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' + description: Indicates a successful call. + summary: Get running processes + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint/action/runscript: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/action/runscript
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Run a script on a host. Currently supported only for some agent types. + operationId: RunScriptAction + requestBody: + content: + application/json: + examples: + Elastic Defend: + description: Endpoint runscript to collect logs + summary: Run a script against an Elastic Defend agent + value: + agent_type: endpoint + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + scriptId: 1111-2222-3333-4444-5555-6666-7777-8888 + scriptInput: '--path= /usr/log/exec.log' + MDE: + description: Microsoft Defender Endpoint runscript + summary: Run a script against a Microsoft Defender Endpoint agent + value: + agent_type: microsoft_defender_endpoint + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + args: '-param1 value1 -param2 value2' + scriptName: my-script.ps1 + SentinelOne: + description: SentinelOne runscript + summary: Run a script against a SentinelOne agent + value: + agent_type: sentinel_one + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + scriptId: 1111-2222-3333-4444-5555-6666-7777-8888 + scriptInput: '--delete --paths-to-delete /tmp/temp_file.txt,/tmp/random_file.txt' + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_RunScriptRouteRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + RunScriptSuccess: + summary: Run script action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: sentinel_one + command: runscript + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: false + isExpired: false + outputs: {} + parameters: + scriptId: 1111-2222-3333-4444-5555-6666-7777-8888 + startedAt: 
'2022-07-29T19:08:49.126Z' + status: pending + wasSuccessful: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' + description: Indicates a successful call. + summary: Run a script + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint/action/scan: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/action/scan
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Scan a specific file or directory on an endpoint for malware. + operationId: EndpointScanAction + requestBody: + content: + application/json: + examples: + scanFile: + summary: Scan a file on an endpoint + value: + comment: Scan the file for malware + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + path: /usr/my-file.txt + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ScanRouteRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + ScanSuccess: + summary: Scan action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: scan + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 27ba1b42-7cc6-4e53-86ce-675c876092b2 + isCompleted: false + isExpired: false + outputs: {} + parameters: + path: /usr/my-file.txt + startedAt: '2023-07-28T19:00:03.911Z' + status: pending + wasSuccessful: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' + description: Indicates a successful call. + summary: Scan a file or directory + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint/action/state: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint/action/state
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a response actions state, which reports whether encryption is enabled. + operationId: EndpointGetActionsState + responses: + '200': + content: + application/json: + examples: + actionsState: + summary: Response actions state with encryption enabled + value: + data: + canEncrypt: true + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ActionStateSuccessResponse' + description: OK + summary: Get actions state + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint/action/suspend_process: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/action/suspend_process
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Suspend a running process on an endpoint. + operationId: EndpointSuspendProcessAction + requestBody: + content: + application/json: + examples: + byEntityId: + summary: Suspend a process by entity ID + value: + comment: Suspending suspicious process + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + entity_id: abc123 + byPid: + summary: Suspend a process by PID + value: + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + pid: 1234 + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_SuspendProcessRouteRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + SuspendProcessSuccess: + summary: Suspend process action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: suspend-process + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: false + isExpired: false + outputs: {} + parameters: + entity_id: abc123 + startedAt: '2022-07-29T19:08:49.126Z' + status: pending + wasSuccessful: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' + description: Indicates a successful call. + summary: Suspend a process + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint/action/unisolate: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/action/unisolate
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Release an isolated endpoint, allowing it to rejoin a network. + operationId: EndpointUnisolateAction + requestBody: + content: + application/json: + examples: + multipleHosts: + summary: 'Releases several hosts; includes a comment:' + value: + comment: Benign process identified, releasing group + endpoint_ids: + - 9972d10e-4b9e-41aa-a534-a85e2a28ea42 + - bc0e4f0c-3bca-4633-9fee-156c0b505d16 + - fa89271b-b9d4-43f2-a684-307cffddeb5a + singleHost: + summary: Releases a single host with an endpoint_id value of ed518850-681a-4d60-bb98-e22640cae2a8 + value: + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + withCaseId: + summary: Releases hosts with an associated case; includes a comment. + value: + case_ids: + - 4976be38-c134-4554-bd5e-0fd89ce63667 + comment: Remediation complete, restoring network + endpoint_ids: + - 1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0 + - b30a11bf-1395-4707-b508-fbb45ef9793e + schema: + type: object + properties: + agent_type: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' + alert_ids: + description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. + example: + - alert-id-1 + - alert-id-2 + items: + minLength: 1 + type: string + maxItems: 50 + minItems: 1 + type: array + case_ids: + description: The IDs of cases where the action taken will be logged. Max of 50. 
+ example: + - case-id-1 + - case-id-2 + items: + minLength: 1 + type: string + maxItems: 50 + minItems: 1 + type: array + comment: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' + endpoint_ids: + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' + parameters: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' + required: + - endpoint_ids + required: true + responses: + '200': + content: + application/json: + examples: + UnisolateSuccess: + summary: Unisolate action successfully created + value: + action: 233db9ea-6733-4849-9226-5a7039c7161d + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: unisolate + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: false + isExpired: false + outputs: {} + startedAt: '2022-07-29T19:08:49.126Z' + status: pending + wasSuccessful: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_UnisolateRouteResponse' + description: Indicates a successful call. + summary: Release an isolated endpoint + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint/action/upload: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/action/upload
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Upload a file to an endpoint. + operationId: EndpointUploadAction + requestBody: + content: + multipart/form-data: + examples: + uploadFile: + summary: Upload a script file to a specific endpoint + value: + comment: Pushing remediation script to host + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + file: RWxhc3RpYw== + parameters: + overwrite: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_UploadRouteRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + UploadSuccess: + summary: Upload action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: upload + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: Host-5i6cuc8kdv + id: 9ff6aebc-2cb6-481e-8869-9b30036c9731 + isCompleted: false + isExpired: false + outputs: {} + parameters: + file_id: 10e4ce3d-4abb-4f93-a0cd-eaf63a489280 + file_name: fix-malware.sh + file_sha256: a0bed94220193ba4895c0aa5b4e7e293381d15765cb164ddf7be5cdd010ae42a + file_size: 69 + startedAt: '2023-07-03T15:07:22.837Z' + status: pending + wasSuccessful: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' + description: Indicates a successful call. + summary: Upload a file + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint/metadata: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint/metadata
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all endpoint host metadata. + operationId: GetEndpointMetadataList + parameters: + - description: The page number to return. + in: query + name: page + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Page' + - description: The number of endpoints to return per page. + in: query + name: pageSize + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_PageSize' + - description: A KQL string to filter the endpoint metadata results. + in: query + name: kuery + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Kuery' + - description: A set of host statuses to filter the results by (for example, `healthy`, `updating`). + in: query + name: hostStatuses + required: true + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_HostStatuses' + - description: The field used to sort the results. + in: query + name: sortField + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_SortField' + - description: The sort order, either `asc` or `desc`. 
+ in: query + name: sortDirection + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_SortDirection' + responses: + '200': + content: + application/json: + examples: + metadataList: + summary: A list of endpoint host metadata + value: + data: + - host_status: healthy + last_checkin: '2023-07-04T15:47:57.432Z' + metadata: + agent: + id: 285297c6-3bff-4b83-9a07-f3e749801123 + type: endpoint + version: 8.10.0 + Endpoint: + policy: + applied: + id: d5371dcd-93b7-4627-af88-4084f7d6aa3e + name: test + status: success + status: enrolled + host: + hostname: WinDev2104Eval + os: + name: Windows + platform: windows + version: 20H2 + page: 0 + pageSize: 10 + sortDirection: desc + sortField: enrolled_at + total: 1 + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_MetadataListResponse' + description: Indicates a successful call. + summary: Get a metadata list + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint/metadata/{id}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint/metadata/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get host metadata for a specific endpoint. + operationId: GetEndpointMetadata + parameters: + - description: The agent ID of the endpoint. + in: path + name: id + required: true + schema: + example: ed518850-681a-4d60-bb98-e22640cae2a8 + type: string + responses: + '200': + content: + application/json: + examples: + endpointMetadata: + summary: Host metadata for a specific endpoint + value: + host_status: healthy + last_checkin: '2023-07-04T15:48:57.360Z' + metadata: + agent: + id: abb8a826-6812-448c-a571-6d8269b51449 + type: endpoint + version: 8.10.0 + Endpoint: + policy: + applied: + id: d5371dcd-93b7-4627-af88-4084f7d6aa3e + name: test + status: success + status: enrolled + host: + hostname: WinDev2104Eval + os: + name: Windows + platform: windows + version: 20H2 + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointMetadataResponse' + description: Indicates a successful call. + summary: Get metadata + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint/policy_response: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint/policy_response
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the most recent policy response for an endpoint. + operationId: GetPolicyResponse + parameters: + - description: The agent ID to retrieve the policy response for. + in: query + name: agentId + required: true + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentId' + responses: + '200': + content: + application/json: + examples: + policyResponse: + summary: The most recent policy response for an endpoint + value: + policy_response: + '@timestamp': '2023-07-04T15:48:57.360Z' + agent: + id: ed518850-681a-4d60-bb98-e22640cae2a8 + version: 7.16.0 + Endpoint: + policy: + applied: + endpoint_policy_version: '2' + id: d5371dcd-93b7-4627-af88-4084f7d6aa3e + name: My endpoint policy + status: success + version: '3' + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse' + description: Indicates a successful call. + summary: Get a policy response + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint/protection_updates_note/{package_policy_id}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint/protection_updates_note/{package_policy_id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the protection updates note for a package policy. + operationId: GetProtectionUpdatesNote + parameters: + - description: The package policy ID to retrieve the protection updates note for. + in: path + name: package_policy_id + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + protectionUpdatesNote: + summary: The protection updates note for a package policy + value: + note: Pinned protection updates to 2025-01-01 while validating new signatures. + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse' + description: Indicates a successful call. + summary: Get a protection updates note + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/protection_updates_note/{package_policy_id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create or update the protection updates note for a package policy. + operationId: CreateUpdateProtectionUpdatesNote + parameters: + - description: The package policy ID to create or update the protection updates note for. + in: path + name: package_policy_id + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + setNote: + summary: Set a new protection updates note + value: + note: Pinned protection updates to 2025-01-01 while validating new signatures. + schema: + type: object + properties: + note: + description: The note content. + type: string + required: true + responses: + '200': + content: + application/json: + examples: + noteSaved: + summary: Protection updates note saved + value: + note: Pinned protection updates to 2025-01-01 while validating new signatures. + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse' + description: Indicates a successful call. + summary: Create or update a protection updates note + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint/scripts_library: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint/scripts_library
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve a list of scripts + operationId: EndpointScriptLibraryListScripts + parameters: + - description: Page number of the results to return. Defaults to 1. + in: query + name: page + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Page' + - description: Number of results to return per page. Defaults to 10. Max value is 1000. + in: query + name: pageSize + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ApiPageSize' + - description: The field to sort the results by. Defaults to name. + in: query + name: sortField + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ApiSortField' + - description: The direction to sort the results by. Defaults to asc (ascending). + in: query + name: sortDirection + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_SortDirection' + - description: | + A KQL query string to filter the list of scripts. Nearly all fields in the script object are searchable. 
+ in: query + name: kuery + required: false + schema: + allOf: + - $ref: '#/components/schemas/Security_Endpoint_Management_API_Kuery' + - example: platform:windows + responses: + '200': + content: + application/json: + examples: + response: + summary: List of scripts response example + value: + data: [] + page: 1 + pageSize: 10 + sortDirection: asc + sortField: name + total: 100 + schema: + type: object + properties: + data: + items: + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointScript' + type: array + page: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Page' + pageSize: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ApiPageSize' + sortDirection: + $ref: '#/components/schemas/Security_Endpoint_Management_API_SortDirection' + sortField: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ApiSortField' + total: + description: The total number of scripts matching the query + type: integer + description: List of scripts response + summary: Get a list of scripts + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/scripts_library
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new script entry by uploading a script file + operationId: EndpointScriptLibraryCreateScript + requestBody: + content: + multipart/form-data: + examples: + CreateArchiveScriptEntry: + summary: Create an archive script entry + value: + description: Collects host data for investigation + example: ./collect_host_data.sh --help + file: ./collect_host_data.zip + fileType: archive + instructions: Collects host data for investigation + name: Collect host data + pathToExecutable: ./bin/collect_host_data.sh + platform: + - linux + - macos + requiresInput: false + CreateScriptEntry: + summary: Create a script entry + value: + description: Collects host data for investigation + example: ./collect_host_data.sh --help + file: ./collect_host_data.sh + fileType: script + instructions: Collects host data for investigation + name: Collect host data + platform: + - linux + - macos + requiresInput: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_CreateScriptRouteRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + CreateScriptEntrySuccess: + summary: Create a script entry + value: + data: + description: Collects host data for investigation + file: ./collect_host_data.sh + fileType: script + id: 1234567890 + instructions: No arguments required + name: Collect host data + platform: + - linux + - macos + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ScriptsApiResponse' + description: Action request was successfully created + summary: Create script + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint/scripts_library/{script_id}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/endpoint/scripts_library/{script_id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a script + operationId: EndpointScriptLibraryDeleteScript + parameters: + - description: The ID of the script entry to be deleted. + example: fr518850-681a-4y60-aa98-e22640cae2b8 + in: path + name: script_id + required: true + schema: + description: The ID of the script entry to be deleted. + example: fr518850-681a-4y60-aa98-e22640cae2b8 + type: string + responses: + '200': + content: + application/json: + examples: + response: + summary: Delete script response example. + value: {} + schema: + type: object + description: Delete script response. + summary: Delete a script + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint/scripts_library/{script_id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a script + operationId: EndpointScriptLibraryGetOneScript + parameters: + - description: The ID of the script entry. + example: fr518850-681a-4y60-aa98-e22640cae2b8 + in: path + name: script_id + required: true + schema: + description: The ID of the script entry. + example: fr518850-681a-4y60-aa98-e22640cae2b8 + type: string + responses: + '200': + content: + application/json: + examples: + UpdateScriptEntrySuccess: + summary: Get one script entry success + value: + data: + description: Collects host data for investigation + file: ./collect_host_data.sh + fileType: script + id: 1234567890 + instructions: No arguments required + name: Collect host data + platform: + - linux + - macos + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ScriptsApiResponse' + description: Get script response + summary: Get script + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + patch: + description: |- + **Spaces method and path for this operation:** + +
patch /s/{space_id}/api/endpoint/scripts_library/{script_id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update (full or partial) a script entry + operationId: EndpointScriptLibraryPatchUpdateScript + parameters: + - description: The ID of the script entry to be updated. + example: fr518850-681a-4y60-aa98-e22640cae2b8 + in: path + name: script_id + required: true + schema: + description: The ID of the script entry to be updated. + example: fr518850-681a-4y60-aa98-e22640cae2b8 + type: string + requestBody: + content: + multipart/form-data: + examples: + PatchUpdateScriptEntry: + summary: Update script entry instructions + value: + instructions: ./collect_host_data.sh --help + PatchUpdateScriptEntryFromArchiveToScript: + summary: Update script entry from an archive to a script + value: + fileType: script + PatchUpdateScriptEntryToArchive: + summary: Update script entry to be an archive + value: + fileType: archive + pathToExecutable: ./bin/collect_host_data.sh + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_PatchUpdateScriptRouteRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + UpdateScriptEntrySuccess: + summary: Update script entry success + value: + data: + description: Collects host data for investigation + file: ./collect_host_data.sh + fileType: script + id: 1234567890 + instructions: No arguments required + name: Collect host data + platform: + - linux + - macos + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ScriptsApiResponse' + description: Action request was successfully updated + summary: Update script + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/endpoint/scripts_library/{script_id}/download: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint/scripts_library/{script_id}/download
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Download a script file + operationId: EndpointScriptLibraryDownloadScript + parameters: + - description: The ID of the script entry. + example: fr518850-681a-4y60-aa98-e22640cae2b8 + in: path + name: script_id + required: true + schema: + description: The ID of the script entry. + example: fr518850-681a-4y60-aa98-e22640cae2b8 + type: string + responses: + '200': + content: + application/octet-stream: + examples: + response: + summary: Download script file response example. + value: null + schema: + description: A download stream is returned. + format: binary + type: string + description: Download script file response. + summary: Download a script file + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_analytics/monitoring/engine/delete: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/entity_analytics/monitoring/engine/delete
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Deletes the Privilege Monitoring Engine and optionally removes all associated privileged user data. + operationId: DeleteMonitoringEngine + parameters: + - description: Whether to delete all the privileged user data + in: query + name: data + required: false + schema: + default: false + type: boolean + responses: + '200': + content: + application/json: + examples: + DeleteMonitoringEngineResponse: + summary: Engine deleted successfully + value: + deleted: true + schema: + type: object + properties: + deleted: + type: boolean + required: + - deleted + description: Successful response + summary: Delete the Privilege Monitoring Engine + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_analytics/monitoring/engine/disable: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_analytics/monitoring/engine/disable
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Disables the Privilege Monitoring Engine, stopping all monitoring activity without removing data. + operationId: DisableMonitoringEngine + responses: + '200': + content: + application/json: + examples: + DisableMonitoringEngineResponse: + summary: Engine disabled successfully + value: + status: disabled + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoringEngineDescriptor' + description: Successful response + summary: Disable the Privilege Monitoring Engine + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_analytics/monitoring/engine/init: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_analytics/monitoring/engine/init
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Initializes the Privilege Monitoring Engine, setting up the required resources and starting the engine. + operationId: InitMonitoringEngine + responses: + '200': + content: + application/json: + examples: + InitMonitoringEngineResponse: + summary: Engine initialized successfully + value: + status: started + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoringEngineDescriptor' + description: Successful response + '500': + content: + application/json: + examples: + InitMonitoringEngineError: + summary: Internal server error during engine initialization + value: + error: + message: Failed to initialize monitoring engine + status: error + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoringEngineDescriptor' + description: Internal Server Error + summary: Initialize the Privilege Monitoring Engine + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_analytics/monitoring/engine/schedule_now: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_analytics/monitoring/engine/schedule_now
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Schedules the Privilege Monitoring Engine to run as soon as possible, triggering an immediate monitoring cycle. + operationId: ScheduleMonitoringEngine + responses: + '200': + content: + application/json: + examples: + ScheduleMonitoringEngineResponse: + summary: Engine scheduled successfully + value: + success: true + schema: + type: object + properties: + success: + description: Indicates the scheduling was successful + type: boolean + description: Successful response + '409': + content: + application/json: + examples: + ScheduleMonitoringEngineConflict: + summary: Engine is already running + value: + message: Monitoring engine is already running + schema: + type: object + properties: + message: + description: Error message indicating the engine is already running + type: string + description: Conflict - Monitoring engine is already running + summary: Schedule the Privilege Monitoring Engine + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_analytics/monitoring/privileges/health: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/entity_analytics/monitoring/privileges/health
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Returns the current health status of the Privilege Monitoring Engine, including engine status, error details, and user count statistics. + operationId: PrivMonHealth + responses: + '200': + content: + application/json: + examples: + PrivMonHealthResponse: + summary: Healthy privilege monitoring engine + value: + status: started + users: + current_count: 42 + max_allowed: 1000 + schema: + type: object + properties: + error: + type: object + properties: + message: + type: string + required: + - status + status: + $ref: '#/components/schemas/Security_Entity_Analytics_API_PrivilegeMonitoringEngineStatus' + users: + description: User statistics for privilege monitoring + type: object + properties: + current_count: + description: Current number of privileged users being monitored + type: integer + max_allowed: + description: Maximum number of privileged users allowed to be monitored + type: integer + required: + - current_count + - max_allowed + required: + - status + description: Successful response + summary: Health check on Privilege Monitoring + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_analytics/monitoring/privileges/privileges: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/entity_analytics/monitoring/privileges/privileges
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Check if the current user has all required permissions for Privilege Monitoring + operationId: PrivMonPrivileges + responses: + '200': + content: + application/json: + examples: + PrivMonPrivilegesResponse: + summary: Privileges check response + value: + has_all_required: true + privileges: + elasticsearch: + index: + .entity_analytics.monitoring.user-default: + read: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityAnalyticsPrivileges' + description: Successful response + summary: Run a privileges check on Privilege Monitoring + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_analytics/monitoring/users: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_analytics/monitoring/users
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Creates a new privileged user to be monitored by the Privilege Monitoring Engine. + operationId: CreatePrivMonUser + requestBody: + content: + application/json: + examples: + CreatePrivMonUserRequest: + summary: Create a monitored user + value: + entity_analytics_monitoring: + labels: + - field: department + source: api + value: IT + user: + name: john.doe + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_UserName' + required: true + responses: + '200': + content: + application/json: + examples: + CreatePrivMonUserResponse: + summary: Created monitored user + value: + '@timestamp': '2026-01-28T12:00:00.000Z' + entity_analytics_monitoring: + labels: + - field: department + source: api + value: IT + event: + ingested: '2026-01-28T12:00:00.000Z' + id: user-abc-123 + user: + is_privileged: true + name: john.doe + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoredUserDoc' + description: User created successfully + summary: Create a new monitored user + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_analytics/monitoring/users/_csv: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_analytics/monitoring/users/_csv
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Bulk upserts privileged users by uploading a CSV file. Returns per-row errors and aggregate upload statistics. + operationId: PrivmonBulkUploadUsersCSV + requestBody: + content: + multipart/form-data: + examples: + PrivmonBulkUploadUsersCSVRequest: + summary: CSV file with privileged users + value: + file: | + username,is_privileged + john.doe,true + jane.smith,true + schema: + type: object + properties: + file: + description: The CSV file to upload. + format: binary + type: string + required: + - file + responses: + '200': + content: + application/json: + examples: + PrivmonBulkUploadUsersCSVResponse: + summary: Bulk upload response with mixed results + value: + errors: + - index: 1 + message: Invalid monitored field + username: john.doe + stats: + failedOperations: 1 + successfulOperations: 1 + totalOperations: 2 + uploaded: 2 + schema: + type: object + properties: + errors: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_PrivmonUserCsvUploadErrorItem' + type: array + stats: + $ref: '#/components/schemas/Security_Entity_Analytics_API_PrivmonUserCsvUploadStats' + required: + - errors + - stats + description: Bulk upload successful + '413': + description: File too large + summary: Upsert multiple monitored users via CSV upload + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_analytics/monitoring/users/{id}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/entity_analytics/monitoring/users/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Removes a privileged user from monitoring by their document ID. + operationId: DeletePrivMonUser + parameters: + - description: The document ID of the monitored user to delete + in: path + name: id + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + DeletePrivMonUserResponse: + summary: User deleted successfully + value: + acknowledged: true + message: User deleted successfully + schema: + type: object + properties: + acknowledged: + description: Indicates if the deletion was successful + type: boolean + message: + description: A message providing additional information about the deletion status + type: string + required: + - success + description: User deleted successfully + summary: Delete a monitored user + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/entity_analytics/monitoring/users/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Updates the details of an existing monitored privileged user by their document ID. + operationId: UpdatePrivMonUser + parameters: + - description: The document ID of the monitored user to update + in: path + name: id + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + UpdatePrivMonUserRequest: + summary: Update a monitored user + value: + entity_analytics_monitoring: + labels: + - field: department + source: api + value: Security + user: + is_privileged: true + name: john.doe + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoredUserUpdateDoc' + required: true + responses: + '200': + content: + application/json: + examples: + UpdatePrivMonUserResponse: + summary: Updated monitored user + value: + '@timestamp': '2026-01-28T12:00:00.000Z' + entity_analytics_monitoring: + labels: + - field: department + source: api + value: Security + event: + ingested: '2026-01-28T12:00:00.000Z' + id: user-abc-123 + user: + is_privileged: true + name: john.doe + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoredUserDoc' + description: User updated successfully + summary: Update a monitored user + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_analytics/monitoring/users/list: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/entity_analytics/monitoring/users/list
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Returns a list of all privileged users currently being monitored. Supports optional KQL filtering. + operationId: ListPrivMonUsers + parameters: + - description: KQL query to filter the list of monitored users + in: query + name: kql + required: false + schema: + type: string + responses: + '200': + content: + application/json: + examples: + ListPrivMonUsersResponse: + summary: List of monitored users + value: + - '@timestamp': '2026-01-28T12:00:00.000Z' + entity_analytics_monitoring: + labels: + - field: department + source: api + value: IT + event: + ingested: '2026-01-28T12:00:00.000Z' + id: user-abc-123 + user: + is_privileged: true + name: john.doe + - '@timestamp': '2026-01-15T09:00:00.000Z' + entity_analytics_monitoring: + labels: + - field: department + source: csv + value: Security + event: + ingested: '2026-01-15T09:00:00.000Z' + id: user-def-456 + user: + is_privileged: true + name: jane.smith + schema: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoredUserDoc' + type: array + description: List of monitored users + summary: List all monitored users + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_analytics/privileged_user_monitoring/pad/install: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_analytics/privileged_user_monitoring/pad/install
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Installs the privileged access detection integration package and sets up the associated ML modules required for the Entity Analytics privileged user monitoring experience. + operationId: InstallPrivilegedAccessDetectionPackage + responses: + '200': + content: + application/json: + examples: + InstallPrivilegedAccessDetectionPackageResponse: + summary: Package installed successfully + value: + message: Privileged access detection package installed successfully + schema: + type: object + properties: + message: + type: string + required: + - message + description: Successful response + summary: Installs the privileged access detection package for the Entity Analytics privileged user monitoring experience + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_analytics/privileged_user_monitoring/pad/status: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/entity_analytics/privileged_user_monitoring/pad/status
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Returns the installation and ML module setup status of the privileged access detection package, along with the state of each associated ML job. + operationId: GetPrivilegedAccessDetectionPackageStatus + responses: + '200': + content: + application/json: + examples: + GetPrivilegedAccessDetectionPackageStatusResponse: + summary: Package fully installed and running + value: + jobs: + - description: Detects high-risk login patterns + job_id: pad-high-risk-login + state: opened + - description: Detects privilege escalation events + job_id: pad-privilege-escalation + state: opened + ml_module_setup_status: complete + package_installation_status: complete + schema: + type: object + properties: + jobs: + items: + type: object + properties: + description: + type: string + job_id: + type: string + state: + enum: + - closing + - closed + - opened + - failed + - opening + type: string + required: + - job_id + - state + type: array + ml_module_setup_status: + enum: + - complete + - incomplete + type: string + package_installation_status: + enum: + - complete + - incomplete + type: string + required: + - package_installation_status + - ml_module_setup_status + - jobs + description: Privileged access detection status retrieved + summary: Gets the status of the privileged access detection package for the Entity Analytics privileged user monitoring experience + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_analytics/watchlists: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_analytics/watchlists
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Creates a new entity analytics watchlist with an optional set of entity sources. Watchlists apply a risk score modifier to matched entities. + operationId: CreateWatchlist + requestBody: + content: + application/json: + examples: + CreateWatchlistRequest: + summary: Create watchlist request + value: + description: High risk vendor watchlist + managed: false + name: High Risk Vendors + riskModifier: 1.5 + CreateWatchlistWithSourcesRequest: + summary: Create watchlist with entity sources + value: + description: High risk vendor watchlist + entitySources: + - enabled: true + identifierField: user.name + indexPattern: my-sync-index + name: My User Index Source + type: index + managed: false + name: High Risk Vendors + riskModifier: 1.5 + schema: + type: object + properties: + description: + description: Description of the watchlist + type: string + entitySources: + description: Optional entity sources to create and link to the watchlist + items: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + filter: + $ref: '#/components/schemas/Security_Entity_Analytics_API_Filter' + identifierField: + description: Field used to query the entity store for index-type sources + type: string + indexPattern: + type: string + integrationName: + description: Required when type is entity_analytics_integration. One of entityanalytics_okta, entityanalytics_ad. 
+ type: string + matchers: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_Matcher' + type: array + name: + type: string + queryRule: + description: KQL query used to filter data from the provided index patterns + type: string + range: + $ref: '#/components/schemas/Security_Entity_Analytics_API_DateRange' + type: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntitySourceType' + required: + - type + - name + type: array + managed: + description: Indicates if the watchlist is managed by the system + type: boolean + name: + description: Unique name for the watchlist + type: string + riskModifier: + description: Risk score modifier associated with the watchlist + maximum: 2 + minimum: 0 + type: number + required: + - name + - riskModifier + required: true + responses: + '200': + content: + application/json: + examples: + CreateWatchlistResponse: + summary: Created watchlist + value: + createdAt: '2026-01-28T12:00:00.000Z' + description: High risk vendor watchlist + id: watchlist-123 + managed: false + name: High Risk Vendors + riskModifier: 1.5 + updatedAt: '2026-01-28T12:00:00.000Z' + schema: + allOf: + - $ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistObject' + - type: object + properties: + entitySources: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoringEntitySource' + type: array + description: Watchlist created successfully + summary: Create a new watchlist + tags: + - Security Entity Analytics API + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_analytics/watchlists/{id}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/entity_analytics/watchlists/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieves the details of an entity analytics watchlist by its unique identifier. + operationId: GetWatchlist + parameters: + - description: Unique ID of the watchlist + in: path + name: id + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + GetWatchlistResponse: + summary: Watchlist details + value: + createdAt: '2026-01-28T12:00:00.000Z' + description: High risk vendor watchlist + id: watchlist-123 + managed: false + name: High Risk Vendors + riskModifier: 1.5 + updatedAt: '2026-02-18T12:00:00.000Z' + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistObject' + description: Watchlist details + summary: Get a watchlist by ID + tags: + - Security Entity Analytics API + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/entity_analytics/watchlists/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Updates the name, description, risk modifier, or managed status of an existing entity analytics watchlist. + operationId: UpdateWatchlist + parameters: + - description: The ID of the watchlist to update + in: path + name: id + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + UpdateWatchlistRequest: + summary: Update watchlist request + value: + description: High risk vendor watchlist + managed: false + name: High Risk Vendors + riskModifier: 1.5 + schema: + type: object + properties: + description: + description: Description of the watchlist + type: string + managed: + description: Indicates if the watchlist is managed by the system + type: boolean + name: + description: Unique name of the watchlist + type: string + riskModifier: + description: Risk score modifier associated with the watchlist + maximum: 2 + minimum: 0 + type: number + required: + - name + - riskModifier + required: true + responses: + '200': + content: + application/json: + examples: + UpdateWatchlistResponse: + summary: Updated watchlist + value: + createdAt: '2026-01-28T12:00:00.000Z' + description: High risk vendor watchlist + id: watchlist-123 + managed: false + name: High Risk Vendors + riskModifier: 1.5 + updatedAt: '2026-02-18T12:00:00.000Z' + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistObject' + description: Watchlist updated successfully + summary: Update an existing watchlist + tags: + - Security Entity Analytics API + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_analytics/watchlists/{watchlist_id}/csv_upload: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_analytics/watchlists/{watchlist_id}/csv_upload
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Uploads a CSV file to add entities to a watchlist. The CSV must contain a header row + with a "type" column (user, host, service, or generic) and one or more ECS identity + fields (e.g. "user.name", "host.hostname") used to match entities in the entity store. + + Matched entities are added to the watchlist and their `entity.attributes.watchlists` + field is updated in the entity store. + + Each row will match up to 10,000 entities. + operationId: UploadWatchlistCsv + parameters: + - description: The ID of the watchlist to add entities to + example: high-risk-vendors + in: path + name: watchlist_id + required: true + schema: + type: string + requestBody: + content: + multipart/form-data: + examples: + csvUpload: + summary: CSV file with user entities + value: + file: | + type,user.name + user,john.doe + user,jane.smith + schema: + type: object + properties: + file: + description: The CSV file to upload. 
+ format: binary + type: string + required: + - file + required: true + responses: + '200': + content: + application/json: + examples: + CsvUploadResponse: + summary: CSV upload response with mixed results + value: + failed: 1 + items: + - matchedEntities: 1 + status: success + - error: Invalid entity type + matchedEntities: 0 + status: failure + - matchedEntities: 0 + status: unmatched + successful: 1 + total: 3 + unmatched: 1 + schema: + type: object + properties: + failed: + description: Number of rows that failed to process + example: 1 + type: integer + items: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistCsvUploadResponseItem' + type: array + successful: + description: Number of rows that matched at least one entity + example: 1 + type: integer + total: + description: Total number of rows processed + example: 3 + type: integer + unmatched: + description: Number of rows that matched no entities + example: 1 + type: integer + required: + - successful + - failed + - total + - unmatched + - items + description: Upload successful + '413': + description: File too large + summary: Upload a CSV file to add entities to a watchlist + tags: + - Security Entity Analytics API + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_analytics/watchlists/{watchlist_id}/entities/assign: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_analytics/watchlists/{watchlist_id}/entities/assign
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Assigns the provided entities to the specified watchlist using a "manual" source label. + The entities must already exist in the entity store. + + If an entity is already on the watchlist, no new document is created — the "manual" label + is added to its existing source labels instead. + operationId: AssignWatchlistEntities + parameters: + - description: The ID of the watchlist to add entities to + example: high-risk-vendors + in: path + name: watchlist_id + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + assignEntities: + summary: Assign two entities to a watchlist + value: + euids: + - user:john.doe + - host:web-01 + schema: + type: object + properties: + euids: + description: The EUIDs of the entities to assign + example: + - user:john.doe + - host:web-01 + items: + type: string + type: array + required: + - euids + required: true + responses: + '200': + content: + application/json: + examples: + assignEntitiesResponse: + summary: Successful assignment of two entities + value: + failed: 0 + items: + - euid: user:john.doe + status: success + - euid: host:web-01 + status: not_found + not_found: 1 + successful: 1 + total: 2 + schema: + type: object + properties: + failed: + description: Number of entities that failed to process + example: 0 + type: integer + items: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistEntityAssignResponseItem' + type: array + not_found: + description: Number of entities not found in the entity store + example: 1 + type: integer + successful: + description: Number of entities successfully assigned + example: 1 + type: integer + total: + description: Total number of entities processed + example: 2 + type: integer + required: + - successful + - failed + - not_found + - total + - items + description: Assignment successful + summary: Manually assign entities 
to a watchlist + tags: + - Security Entity Analytics API + x-state: Technical Preview; added in 9.4.0 + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_analytics/watchlists/{watchlist_id}/entities/unassign: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_analytics/watchlists/{watchlist_id}/entities/unassign
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Unassigns the provided entities from the specified watchlist. + This only removes the "manual" assignment. If the entity is also + assigned via other sources (for example, index or integration), it will + remain on the watchlist. + operationId: UnassignWatchlistEntities + parameters: + - description: The ID of the watchlist to remove entities from + example: high-risk-vendors + in: path + name: watchlist_id + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + unassignEntities: + summary: Unassign two entities from a watchlist + value: + euids: + - user:john.doe + - host:web-01 + schema: + type: object + properties: + euids: + description: The EUIDs of the entities to unassign + example: + - user:john.doe + - host:web-01 + items: + type: string + type: array + required: + - euids + required: true + responses: + '200': + content: + application/json: + examples: + unassignEntitiesResponse: + summary: Successful unassignment of two entities + value: + failed: 0 + items: + - euid: user:john.doe + status: success + - euid: host:web-01 + status: not_found + not_found: 1 + successful: 1 + total: 2 + schema: + type: object + properties: + failed: + description: Number of entities that failed to process + example: 0 + type: integer + items: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistEntityUnassignResponseItem' + type: array + not_found: + description: Number of entities not found in the manual watchlist assignment + example: 1 + type: integer + successful: + description: Number of entities successfully unassigned + example: 1 + type: integer + total: + description: Total number of entities processed + example: 2 + type: integer + required: + - successful + - failed + - not_found + - total + - items + description: Unassignment successful + summary: Manually unassign entities from a 
watchlist + tags: + - Security Entity Analytics API + x-state: Technical Preview; added in 9.4.0 + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_analytics/watchlists/list: get: - description: >- - Get the latest Attack Discovery generations metadata (that are not - dismissed) for the current user. This endpoint retrieves generation - metadata including execution status and statistics for Attack Discovery - generations. - operationId: GetAttackDiscoveryGenerations + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/entity_analytics/watchlists/list
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Returns a list of all entity analytics watchlists. + operationId: ListWatchlists + responses: + '200': + content: + application/json: + examples: + ListWatchlistsResponse: + summary: List of watchlists + value: + - createdAt: '2026-01-28T12:00:00.000Z' + description: High risk vendor watchlist + id: watchlist-123 + managed: false + name: High Risk Vendors + riskModifier: 1.5 + updatedAt: '2026-02-18T12:00:00.000Z' + - createdAt: '2026-01-10T09:30:00.000Z' + description: Privileged user monitoring watchlist + id: watchlist-456 + managed: true + name: Privileged Accounts + riskModifier: 2 + updatedAt: '2026-02-01T15:45:00.000Z' + schema: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistObject' + type: array + description: List of watchlists + summary: List all watchlists + tags: + - Security Entity Analytics API + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_store/enable: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_store/enable
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Initialize the entire Entity Store, creating engines for all or specified entity types. + operationId: InitEntityStore + requestBody: + content: + application/json: + schema: + type: object + properties: + delay: + default: 1m + description: The delay before the transform will run. + pattern: '[smdh]$' + type: string + docsPerSecond: + default: -1 + description: The number of documents per second to process. + type: integer + enrichPolicyExecutionInterval: + $ref: '#/components/schemas/Security_Entity_Analytics_API_Interval' + entityTypes: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + type: array + fieldHistoryLength: + default: 10 + description: The number of historical values to keep for each field. + type: integer + filter: + type: string + frequency: + default: 1m + description: The frequency at which the transform will run. + pattern: '[smdh]$' + type: string + indexPattern: + $ref: '#/components/schemas/Security_Entity_Analytics_API_IndexPattern' + lookbackPeriod: + default: 3h + description: The amount of time the transform looks back to calculate the aggregations. + pattern: '[smdh]$' + type: string + maxPageSearchSize: + default: 500 + description: The initial page size to use for the composite aggregation of each checkpoint. + type: integer + timeout: + default: 180s + description: The timeout for initializing the aggregating transform. + pattern: '[smdh]$' + type: string + timestampField: + default: '@timestamp' + description: The field to use as the timestamp. + type: string + description: Configuration for the entity store initialization. + required: true + responses: + '200': + content: + application/json: + examples: + initEntityStoreExample: + description: The Entity Store was successfully initialized, creating host and user engines in the installing state. 
+ summary: Entity Store initialized with host and user engines + value: + engines: + - delay: 1m + fieldHistoryLength: 10 + frequency: 1m + indexPattern: '' + lookbackPeriod: 24h + status: installing + timeout: 180s + timestampField: '@timestamp' + type: host + - delay: 1m + fieldHistoryLength: 10 + frequency: 1m + indexPattern: '' + lookbackPeriod: 24h + status: installing + timeout: 180s + timestampField: '@timestamp' + type: user + succeeded: true + schema: + type: object + properties: + engines: + description: The engine descriptors created during initialization. + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor' + type: array + succeeded: + description: Whether the Entity Store was initialized successfully. + type: boolean + description: Successful response + '400': + description: Invalid request + summary: Initialize the Entity Store + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_store/engines: + delete: + operationId: DeleteEntityEngines + parameters: + - description: The entity type of the engine ('user', 'host', 'service', 'generic'). + examples: + hostAndService: + value: host,service + in: query + name: entityTypes + required: false + schema: + description: Array of engine types to delete. Empty by default, which results in all the engines being deleted. + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + type: array + - description: Control flag to also delete the entity data. + in: query + name: delete_data + required: false + schema: + type: boolean + responses: + '200': + content: + application/json: + examples: + deleteEntityEnginesExample: + description: Example response after deleting 'host' engine + value: + deleted: + - host + still_running: + - generic + - user + - service + schema: + type: object + properties: + deleted: + description: Entity types whose engines were successfully deleted. 
+ items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + type: array + still_running: + description: Entity types whose engines are still running. + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + type: array + description: Successful response + summary: Delete Entity Engines + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/entity_store/engines
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/entity_store/engines
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all installed entity engines and their current status. + operationId: ListEntityEngines + responses: + '200': + content: + application/json: + examples: + listEntityEnginesExample: + description: Returns a list with one running host engine and one stopped user engine. + summary: Two engines installed + value: + count: 2 + engines: + - delay: 1m + fieldHistoryLength: 10 + frequency: 1m + indexPattern: '' + lookbackPeriod: 24h + status: started + timeout: 180s + timestampField: '@timestamp' + type: host + - delay: 1m + fieldHistoryLength: 10 + frequency: 1m + indexPattern: '' + lookbackPeriod: 24h + status: stopped + timeout: 180s + timestampField: '@timestamp' + type: user + schema: + type: object + properties: + count: + description: The total number of entity engines. + type: integer + engines: + description: An array of engine descriptors. + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor' + type: array + description: Successful response + summary: List the Entity Engines + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_store/engines/{entityType}: + delete: + operationId: DeleteEntityEngine parameters: - - description: >- - End of the time range for filtering generations. Accepts absolute - timestamps (ISO 8601) or relative date math (e.g. "now", "now-24h"). - example: now - in: query - name: end - required: false + - description: The entity type of the engine (either 'user' or 'host'). + examples: + host: + value: host + in: path + name: entityType + required: true schema: - type: string - - description: The maximum number of generations to retrieve - example: 50 + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + - description: Control flag to also delete the entity data. 
in: query - name: size + name: delete_data required: false schema: - default: 50 - minimum: 1 - type: number - - description: >- - Start of the time range for filtering generations. Accepts absolute - timestamps (ISO 8601) or relative date math (e.g. "now-7d"). - example: now-24h + type: boolean + - deprecated: true + description: Control flag to also delete the entity data. in: query - name: start + name: data required: false schema: - type: string + type: boolean responses: '200': content: application/json: examples: - GetAttackDiscoveryGenerationsResponse200Example: - summary: >- - Latest Attack Discovery generation metadata for the current - user. + deleteEntityEngineExample: + description: Example response after deleting 'host' engine value: - generations: - - alerts_context_count: 75 - connector_id: chatGpt5_0ChatAzure - discoveries: 3 - end: '2025-09-29T06:42:44.810Z' - execution_uuid: 46b218d5-535d-4329-be56-d0f6af6986b7 - loading_message: >- - AI is analyzing up to 100 alerts in the last 24 hours - to generate discoveries. - start: '2025-09-29T06:42:08.962Z' - status: succeeded + deleted: true schema: type: object properties: - generations: - description: List of Attack Discovery generations + deleted: + description: Whether the engine was successfully deleted. + type: boolean + description: Successful response + summary: Delete the Entity Engine + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/entity_store/engines/{entityType}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/entity_store/engines/{entityType}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the engine descriptor for a specific entity type, including its configuration and current status. + operationId: GetEntityEngine + parameters: + - description: The entity type of the engine. + example: host + in: path + name: entityType + required: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + responses: + '200': + content: + application/json: + examples: + getEntityEngineExample: + description: Returns the engine descriptor for a host engine that is currently running with default settings. + summary: A running host engine + value: + delay: 1m + fieldHistoryLength: 10 + frequency: 1m + indexPattern: '' + lookbackPeriod: 24h + status: started + timeout: 180s + timestampField: '@timestamp' + type: host + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor' + description: Successful response + summary: Get an Entity Engine + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_store/engines/{entityType}/init: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_store/engines/{entityType}/init
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Initialize a single entity engine for the specified entity type. + operationId: InitEntityEngine + parameters: + - description: The entity type of the engine. + in: path + name: entityType + required: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + requestBody: + content: + application/json: + schema: + type: object + properties: + delay: + default: 1m + description: The delay before the transform will run. + pattern: '[smdh]$' + type: string + docsPerSecond: + default: -1 + description: The number of documents per second to process. + type: integer + enrichPolicyExecutionInterval: + $ref: '#/components/schemas/Security_Entity_Analytics_API_Interval' + fieldHistoryLength: + default: 10 + description: The number of historical values to keep for each field. + type: integer + filter: + type: string + frequency: + default: 1m + description: The frequency at which the transform will run. + pattern: '[smdh]$' + type: string + indexPattern: + $ref: '#/components/schemas/Security_Entity_Analytics_API_IndexPattern' + lookbackPeriod: + default: 3h + description: The amount of time the transform looks back to calculate the aggregations. + pattern: '[smdh]$' + type: string + maxPageSearchSize: + default: 500 + description: The initial page size to use for the composite aggregation of each checkpoint. + type: integer + timeout: + default: 180s + description: The timeout for initializing the aggregating transform. + pattern: '[smdh]$' + type: string + timestampField: + default: '@timestamp' + description: The field to use as the timestamp for the entity type. + type: string + description: Schema for the engine initialization + required: true + responses: + '200': + content: + application/json: + examples: + initEntityEngineExample: + description: A host engine was successfully initialized and is now in the installing state. 
+ summary: Host engine initialized + value: + delay: 1m + fieldHistoryLength: 10 + frequency: 1m + indexPattern: '' + lookbackPeriod: 3h + status: installing + timeout: 180s + timestampField: '@timestamp' + type: host + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor' + description: Successful response + '400': + description: Invalid request + summary: Initialize an Entity Engine + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_store/engines/{entityType}/start: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_store/engines/{entityType}/start
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Start a previously stopped entity engine, resuming transform processing for the given entity type. + operationId: StartEntityEngine + parameters: + - description: The entity type of the engine to start. + example: host + in: path + name: entityType + required: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + responses: + '200': + content: + application/json: + examples: + startEntityEngineExample: + description: The engine was successfully started and is now processing data. + summary: Engine started successfully + value: + started: true + schema: + type: object + properties: + started: + description: Whether the engine was successfully started. + type: boolean + description: Successful response + summary: Start an Entity Engine + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_store/engines/{entityType}/stop: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_store/engines/{entityType}/stop
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Stop a running entity engine, pausing transform processing for the given entity type. + operationId: StopEntityEngine + parameters: + - description: The entity type of the engine to stop. + example: host + in: path + name: entityType + required: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + responses: + '200': + content: + application/json: + examples: + stopEntityEngineExample: + description: The engine was successfully stopped and is no longer processing data. + summary: Engine stopped successfully + value: + stopped: true + schema: + type: object + properties: + stopped: + description: Whether the engine was successfully stopped. + type: boolean + description: Successful response + summary: Stop an Entity Engine + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_store/engines/apply_dataview_indices: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_store/engines/apply_dataview_indices
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Synchronize data view index patterns to all running entity engines so that newly added indices are picked up by the transforms. + operationId: ApplyEntityEngineDataviewIndices + responses: + '200': + content: + application/json: + examples: + applyDataviewIndicesExample: + description: All running engines were successfully updated with the current data view index patterns. + summary: All engines updated + value: + result: + - changes: + indexPatterns: + - logs-* + - filebeat-* + - auditbeat-* + type: host + - changes: + indexPatterns: + - logs-* + - filebeat-* + - auditbeat-* + type: user + success: true + schema: + type: object + properties: + result: + description: Per-engine update results. items: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGeneration + $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDataviewUpdateResult' type: array - required: - - generations - description: Indicates a successful call. - '400': + success: + description: Whether all engines updated successfully. + type: boolean + description: Successful response + '207': content: application/json: examples: - GetAttackDiscoveryGenerationsResponse400Example: - summary: >- - Bad Request error returned when the size parameter is - invalid. + partialSuccessExample: + description: The host engine was updated but the user engine failed due to insufficient privileges. + summary: One engine failed value: - error: Bad Request - message: Invalid size parameter. Must be a positive number. 
- status_code: 400 + errors: + - 'Failed to update user engine: insufficient privileges' + result: + - changes: + indexPatterns: + - logs-* + - filebeat-* + type: host + success: false schema: type: object properties: - error: - description: Error type - example: Bad Request - type: string - message: - description: Human-readable error message - example: Invalid size parameter. Must be a positive number. + errors: + description: Error messages for engines that failed to update. + items: + type: string + type: array + result: + description: Per-engine update results for engines that succeeded. + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDataviewUpdateResult' + type: array + success: + description: Always `false` for a partial success. + type: boolean + description: Partial successful response + '500': + content: + application/json: + examples: + serverErrorExample: + description: An unexpected error occurred while applying data view indices. + summary: Internal server error + value: + body: An internal error occurred while updating engine indices + statusCode: 500 + schema: + type: object + properties: + body: + description: Error message. type: string - status_code: - description: HTTP status code - example: 400 + statusCode: + description: HTTP status code. type: number - description: Bad Request response. 
- summary: >- - Get the latest Attack Discovery generations metadata for the current - user + description: Error response + summary: Apply DataView indices to all installed engines tags: - - Security Attack discovery API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request GET 'http://localhost:5601/api/attack_discovery/generations?size=50&start=now-24h&end=now' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" - /api/attack_discovery/generations/{execution_uuid}: - get: - description: >- - Returns a specific Attack Discovery generation, including all generated - Attack discoveries and associated metadata, including execution status - and statistics. - operationId: GetAttackDiscoveryGeneration + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_store/entities/{entityType}: + delete: + description: | + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/entity_store/entities/{entityType}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a single entity in Entity Store. + The entity will be immediately deleted from the latest index. It will remain available in historical snapshots if it has been snapshotted. The delete operation does not prevent the entity from being recreated if it is observed again in the future. + operationId: DeleteSingleEntity parameters: - - description: >- - The unique identifier for the Attack Discovery generation execution. - This UUID is returned at the start of an Attack Discovery - generation. - example: 2e13f386-46cf-4d65-9e2b-68609e132ba5 + - example: user in: path - name: execution_uuid + name: entityType required: true schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' - - description: >- - Enables a markdown syntax used to render pivot fields, for example - `{{ user.name james }}`. When disabled, the same example would be - rendered as `james`. This is primarily used for Attack Discovery - views within Kibana. Defaults to `false`. - example: false + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + requestBody: + content: + application/json: + schema: + type: object + properties: + id: + description: Identifier of the entity to be deleted, commonly entity.id value. + example: arn:aws:iam::123456789012:user/jane.doe + type: string + required: + - id + description: Schema for the deleting entity + required: true + responses: + '200': + content: + application/json: + examples: + deleteEntityExample: + description: The entity was found and successfully removed from the latest index. + summary: Entity deleted + value: + deleted: true + schema: + type: object + properties: + deleted: + description: Whether the entity was successfully deleted. + type: boolean + description: Successful response. Entity deleted. + '404': + description: Entity Not Found. No entity with this ID and Type exists. 
+ '503': + description: Operation on an uninitialized Engine or in a cluster without CRUD API Enabled + summary: Delete an entity in Entity Store + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: | + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/entity_store/entities/{entityType}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update or create an entity in Entity Store. + If the specified entity already exists, it is updated with the provided values. If the entity does not exist, a new one is created. By default, only the following fields can be updated: * `entity.attributes.*` * `entity.lifecycle.*` * `entity.behavior.*` To update other fields, set the `force` query parameter to `true`. > info > Some fields always retain the first observed value. Updates to these fields will not appear in the final index. + > Due to technical limitations, not all updates are guaranteed to appear in the final list of observed values. + > Due to technical limitations, create is an async operation. The time for a document to be present in the > final index depends on the entity store transform and usually takes more than 1 minute. + operationId: UpsertEntity + parameters: + - example: user + in: path + name: entityType + required: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + - description: When true, allows updating protected fields. + in: query + name: force + required: false + schema: + default: false + type: boolean + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_Entity' + description: Schema for the updating a single entity + required: true + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_Entity' + description: Entity updated or created + '403': + description: Operation on a restricted field + '409': + description: Conflict. 
The entity was updated while another update was happening in ElasticSearch + '503': + description: Operation on an uninitialized Engine or in a cluster without CRUD API Enabled + summary: Upsert an entity in Entity Store + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_store/entities/bulk: + put: + description: | + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/entity_store/entities/bulk
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update or create many entities in Entity Store. + If the specified entity already exists, it is updated with the provided values. If the entity does not exist, a new one is created. + The creation is asynchronous. The time for a document to be present in the final index depends on the entity store transform and usually takes more than 1 minute. + operationId: UpsertEntitiesBulk + parameters: + - description: When true, allows updating protected fields. + in: query + name: force + required: false + schema: + default: false + type: boolean + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntitiesContainer' + description: Schema for the updating many entities + required: true + responses: + '200': + description: Entities updated or created + '403': + description: Operation on a restricted field + '503': + description: Operation on an uninitialized Engine or in a cluster without CRUD API Enabled + summary: Upsert many entities in Entity Store + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_store/entities/list: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/entity_store/entities/list
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List entities records, paging, sorting and filtering as needed. + operationId: ListEntities + parameters: + - description: Field to sort results by. + example: entity.name + in: query + name: sort_field + required: false + schema: + type: string + - description: Sort order. + in: query + name: sort_order + required: false + schema: + enum: + - asc + - desc + type: string + - description: Page number to return (1-indexed). + example: 1 + in: query + name: page + required: false + schema: + minimum: 1 + type: integer + - description: Number of entities per page. + example: 10 in: query - name: enable_field_rendering + name: per_page required: false schema: - default: false - type: boolean - - description: >- - When true, return the created Attack discoveries with text - replacements applied to the detailsMarkdown, entitySummaryMarkdown, - summaryMarkdown, and title fields. Defaults to `true`. - example: true + maximum: 10000 + minimum: 1 + type: integer + - description: An ES query to filter by. in: query - name: with_replacements + name: filterQuery required: false schema: - default: true - type: boolean + type: string + - description: Entity types to include in the results. + in: query + name: entity_types + required: true + schema: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + type: array responses: '200': content: application/json: - examples: - GetAttackDiscoveryGenerationResponse200Example: - summary: >- - Single Attack Discovery generation with its discoveries and - metadata. 
- value: - data: - - id: >- - c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f - title: Suspicious process execution on host-01 - generation: - alerts_context_count: 50 - discoveries: 1 - end: '2025-09-29T06:42:44.810Z' - execution_uuid: 2e13f386-46cf-4d65-9e2b-68609e132ba5 - start: '2025-09-29T06:42:08.962Z' - status: succeeded schema: type: object properties: - data: - description: >- - Array of Attack discoveries generated during this - execution. + inspect: + $ref: '#/components/schemas/Security_Entity_Analytics_API_InspectQuery' + page: + description: Current page number. + minimum: 1 + type: integer + per_page: + description: Number of entities per page. + maximum: 1000 + minimum: 1 + type: integer + records: + description: The entity records for this page. items: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiAlert + $ref: '#/components/schemas/Security_Entity_Analytics_API_Entity' type: array - generation: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGeneration - description: >- - Optional metadata about the attack discovery generation - process, metadata including execution status and - statistics. This metadata may not be available for all - generations. - required: - - data - description: Indicates a successful call. - '400': - content: - application/json: - examples: - GetAttackDiscoveryGenerationResponse400Example: - summary: >- - Bad Request error returned when the get-generation request - is invalid. - value: - error: Bad Request - message: Invalid request parameters. - status_code: 400 - schema: - type: object - properties: - error: - description: Error type - example: Bad Request - type: string - message: - description: >- - Human-readable error message describing what went wrong - with the request - example: Invalid request parameters. 
- type: string - status_code: - description: HTTP status code - example: 400 - type: number + total: + description: Total number of entities matching the query. + minimum: 0 + type: integer required: - - status_code - - error - - message - description: Bad Request response. - summary: >- - Get a single Attack Discovery generation, including its discoveries and - (optional) generation metadata + - records + - page + - per_page + - total + description: Entities returned successfully + summary: List Entity Store Entities tags: - - Security Attack discovery API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request GET 'http://localhost:5601/api/attack_discovery/generations/2e13f386-46cf-4d65-9e2b-68609e132ba5' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" - /api/attack_discovery/generations/{execution_uuid}/_dismiss: - post: - description: >- - Dismisses an Attack Discovery generation for the current user, - indicating that its status should not be reported in the UI. This sets - the generation's status to "dismissed" and affects how the generation - appears in subsequent queries. - operationId: PostAttackDiscoveryGenerationsDismiss + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/entity_store/status: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/entity_store/status
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the overall Entity Store status and per-engine statuses, optionally including component-level health details. + operationId: GetEntityStoreStatus parameters: - - description: >- - The unique identifier for the Attack Discovery generation execution. - This UUID is returned when an Attack Discovery generation is created - and can be found in generation responses. - example: 46b218d5-535d-4329-be56-d0f6af6986b7 - in: path - name: execution_uuid - required: true + - description: If true, returns a detailed status of each engine including all its components. + example: true + in: query + name: include_components schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + type: boolean responses: '200': content: application/json: examples: - PostAttackDiscoveryGenerationsDismissResponse200Example: - summary: Successfully dismissed an Attack Discovery generation. + entityStoreRunning: + description: The Entity Store is running with both host and user engines started and using default settings. + summary: Entity Store running with two engines value: - alerts_context_count: 75 - connector_id: chatGpt5_0ChatAzure - discoveries: 3 - end: '2025-09-29T06:42:44.810Z' - execution_uuid: 46b218d5-535d-4329-be56-d0f6af6986b7 - loading_message: >- - AI is analyzing up to 100 alerts in the last 24 hours to - generate discoveries. 
- start: '2025-09-29T06:42:08.962Z' - status: dismissed + engines: + - delay: 1m + fieldHistoryLength: 10 + frequency: 1m + indexPattern: '' + lookbackPeriod: 24h + status: started + timeout: 180s + timestampField: '@timestamp' + type: host + - delay: 1m + fieldHistoryLength: 10 + frequency: 1m + indexPattern: '' + lookbackPeriod: 24h + status: started + timeout: 180s + timestampField: '@timestamp' + type: user + status: running schema: type: object properties: - alerts_context_count: - description: >- - The number of alerts that were sent as context to the LLM - for this generation. - example: 75 - type: number - connector_id: - description: >- - The unique identifier of the connector used to generate - the attack discoveries. - example: chatGpt5_0ChatAzure - type: string - connector_stats: - description: >- - Statistical information about the connector's performance - for this user, providing insights into usage patterns and - success rates. - type: object - properties: - average_successful_duration_nanoseconds: - description: >- - The average duration in nanoseconds for successful - generations using this connector by the current user. - example: 47958500000 - type: number - successful_generations: - description: >- - The total number of Attack discoveries successfully - created for this generation - example: 2 - type: number - discoveries: - description: >- - The number of attack discoveries that were generated - during this execution. - example: 3 - type: number - end: - description: >- - The timestamp when the generation process completed, in - ISO 8601 format. This field may be absent for generations - that haven't finished. - example: '2025-09-29T06:42:44.810Z' - type: string - execution_uuid: - description: >- - The unique identifier for this attack discovery generation - execution. This UUID can be used to reference this - specific generation in other API calls. 
- example: 46b218d5-535d-4329-be56-d0f6af6986b7 - type: string - loading_message: - description: >- - A human-readable message describing the current state or - progress of the generation process. Provides context about - what the AI is analyzing. - example: >- - AI is analyzing up to 100 alerts in the last 24 hours to - generate discoveries. - type: string - reason: - description: >- - Additional context or reasoning provided when a generation - fails or encounters issues. This field helps diagnose - problems with the generation process. - example: Connection timeout to AI service - type: string - start: - description: >- - The timestamp when the generation process began, in ISO - 8601 format. This marks the beginning of the AI analysis. - example: '2025-09-29T06:42:08.962Z' - type: string + engines: + description: Per-engine status information. + items: + allOf: + - $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor' + - type: object + properties: + components: + description: Detailed component-level status. Only included when include_components is true. + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineComponentStatus' + type: array + type: array status: - description: >- - The current status of the attack discovery generation. - After dismissing, this will be set to "dismissed". - enum: - - canceled - - dismissed - - failed - - started - - succeeded - example: dismissed - type: string + $ref: '#/components/schemas/Security_Entity_Analytics_API_StoreStatus' + description: The overall status of the Entity Store. required: - - connector_id - - discoveries - - execution_uuid - - loading_message - - start - status - description: Indicates a successful call. - '400': - content: - application/json: - examples: - PostAttackDiscoveryGenerationsDismissResponse400Example: - summary: >- - Bad Request error returned when the dismiss request is - invalid. - value: - error: Bad Request - message: Invalid request parameters. 
- status_code: 400 - schema: - type: object - properties: - error: - description: Error type or category - example: Bad Request - type: string - message: - description: >- - Human-readable error message describing what went wrong - with the request. - example: Invalid request parameters. - type: string - status_code: - description: HTTP status code indicating the type of client error - example: 400 - type: number - required: - - status_code - - error - - message - description: Bad Request response. - summary: Dismiss an Attack Discovery generation + - engines + description: Successful response + summary: Get the status of the Entity Store tags: - - Security Attack discovery API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request POST 'http://localhost:5601/api/attack_discovery/generations/46b218d5-535d-4329-be56-d0f6af6986b7/_dismiss' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" - /api/attack_discovery/schedules: - post: - description: >- - Creates a new Attack Discovery schedule that analyzes security alerts at - specified intervals. The schedule defines when and how Attack Discovery - analysis should run, including which alerts to analyze, which AI - connector to use, and what actions to take when discoveries are found. - operationId: CreateAttackDiscoverySchedules - requestBody: - content: - application/json: - examples: - CreateAttackDiscoverySchedulesRequestBodyExample: - summary: >- - Create a daily Attack Discovery schedule that runs every 24 - hours. 
- value: - actions: [] - enabled: true - name: Daily Security Analysis - params: - alerts_index_pattern: .alerts-security.alerts-default - api_config: - actionTypeId: bedrock - connectorId: my-bedrock-connector - name: Claude 3.5 Sonnet - end: now - size: 100 - start: now-24h - schedule: - interval: 24h - schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleCreateProps - description: >- - Attack Discovery schedule configuration including name, parameters, - schedule interval, and actions - required: true + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/exception_lists: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/exception_lists
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete an exception list using the `id` or `list_id` field. + operationId: DeleteExceptionList + parameters: + - description: Exception list's identifier. Either `id` or `list_id` must be specified. + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' + - description: Human readable exception list string identifier, e.g. `trusted-linux-processes`. Either `id` or `list_id` must be specified. + examples: + autogeneratedId: + value: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + list_id: + value: simple_list + in: query + name: list_id + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + - description: | + `single` deletes the list in the current Kibana space; `agnostic` deletes a global list. Must match the + list you are removing when using `list_id` or `id`. + examples: + agnostic: + value: agnostic + single: + value: single + in: query + name: namespace_type + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + default: single responses: '200': content: application/json: examples: - CreateAttackDiscoverySchedulesResponse200Example: - summary: A newly created Attack Discovery schedule. + detectionExceptionList: value: - actions: [] - created_at: '2023-10-31T10:00:00.000Z' + _version: WzIsMV0= + created_at: '2025-01-07T19:34:27.942Z' created_by: elastic - enabled: true - id: 12345678-1234-1234-1234-123456789012 - name: Daily Security Analysis - params: - alerts_index_pattern: .alerts-security.alerts-default - api_config: - actionTypeId: bedrock - connectorId: my-bedrock-connector - name: Claude 3.5 Sonnet - end: now - size: 100 - start: now-24h - schedule: - interval: 24h - updated_at: '2023-10-31T10:00:00.000Z' + description: This is a sample detection type exception list. 
+ id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 + immutable: false + list_id: simple_list + name: Sample Detection Exception List + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 + type: detection + updated_at: '2025-01-07T19:34:27.942Z' updated_by: elastic + version: 1 schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule - description: The Attack Discovery schedule was successfully created. - '400': - content: - application/json: - examples: - CreateAttackDiscoverySchedulesResponse400Example: - summary: >- - Bad Request error returned when the create schedule payload - is invalid. - value: - error: Bad Request - message: Invalid request parameters. - status_code: 400 - schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError - description: Bad Request response. - summary: Create Attack Discovery schedule - tags: - - Security Attack discovery API - x-codeSamples: - - label: Create an Attack Discovery schedule - lang: curl - source: | - curl \ - --request POST 'http://localhost:5601/api/attack_discovery/schedules' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" \ - --data '{ - "name": "Daily Security Analysis", - "enabled": true, - "params": { - "alerts_index_pattern": ".alerts-security.alerts-default", - "api_config": { - "actionTypeId": "bedrock", - "connectorId": "my-bedrock-connector", - "name": "Claude 3.5 Sonnet" - }, - "size": 100, - "start": "now-24h", - "end": "now" - }, - "schedule": { - "interval": "24h" - }, - "actions": [ - { - "action_type_id": ".cases", - "id": "system-connector-.cases", - "params": { - "subAction": "run", - "subActionParams": { - "timeWindow": "7d", - "reopenClosedCases": false, - "groupingBy": [], - "templateId": null - } - }, - "uuid": "12345678-1234-1234-1234-123456789012" - } - ] - }' - /api/attack_discovery/schedules/_bulk_delete: - post: 
- description: Deletes multiple Attack Discovery schedules by ID. - operationId: BulkDeleteAttackDiscoverySchedules - requestBody: - content: - application/json: - examples: - BulkDeleteAttackDiscoverySchedulesRequestBodyExample: - summary: Delete two Attack Discovery schedules. - value: - ids: - - 12345678-1234-1234-1234-123456789012 - - 98765432-1234-1234-1234-123456789012 - schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_BulkActionAttackDiscoverySchedulesRequestBody - required: true - responses: - '200': - content: - application/json: - examples: - BulkDeleteAttackDiscoverySchedulesResponse200Example: - summary: Bulk delete response for two successfully deleted schedules. - value: - errors: [] - ids: - - 12345678-1234-1234-1234-123456789012 - - 98765432-1234-1234-1234-123456789012 - total: 2 - schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_BulkActionAttackDiscoverySchedulesResponse - description: Successfully processed the bulk delete request. + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + description: Successful response '400': content: application/json: examples: - BulkDeleteAttackDiscoverySchedulesResponse400Example: - summary: >- - Bad Request error returned when the bulk delete payload is - invalid. + badRequest: value: error: Bad Request - message: Invalid request parameters. - status_code: 400 + message: '[request query]: namespace_type.0: Invalid enum value. Expected ''agnostic'' | ''single'', received ''blob''' + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError - description: Bad Request response. - summary: Bulk delete Attack Discovery schedules - tags: - - Security Attack discovery API - /api/attack_discovery/schedules/_bulk_disable: - post: - description: Disables multiple Attack Discovery schedules by ID. 
- operationId: BulkDisableAttackDiscoverySchedules - requestBody: - content: - application/json: - examples: - BulkDisableAttackDiscoverySchedulesRequestBodyExample: - summary: Disable two Attack Discovery schedules. - value: - ids: - - 12345678-1234-1234-1234-123456789012 - - 98765432-1234-1234-1234-123456789012 - schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_BulkActionAttackDiscoverySchedulesRequestBody - required: true - responses: - '200': + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response + '401': content: application/json: examples: - BulkDisableAttackDiscoverySchedulesResponse200Example: - summary: >- - Bulk disable response for two successfully disabled - schedules. + unauthorized: value: - errors: [] - ids: - - 12345678-1234-1234-1234-123456789012 - - 98765432-1234-1234-1234-123456789012 - total: 2 + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_BulkActionAttackDiscoverySchedulesResponse - description: Successfully processed the bulk disable request. - '400': + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': content: application/json: examples: - BulkDisableAttackDiscoverySchedulesResponse400Example: - summary: >- - Bad Request error returned when the bulk disable payload is - invalid. + forbidden: value: - error: Bad Request - message: Invalid request parameters. 
- status_code: 400 + error: Forbidden + message: API [DELETE /api/exception_lists?list_id=simple_list&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError - description: Bad Request response. - summary: Bulk disable Attack Discovery schedules - tags: - - Security Attack discovery API - /api/attack_discovery/schedules/_bulk_enable: - post: - description: Enables multiple Attack Discovery schedules by ID. - operationId: BulkEnableAttackDiscoverySchedules - requestBody: - content: - application/json: - examples: - BulkEnableAttackDiscoverySchedulesRequestBodyExample: - summary: Enable two Attack Discovery schedules. - value: - ids: - - 12345678-1234-1234-1234-123456789012 - - 98765432-1234-1234-1234-123456789012 - schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_BulkActionAttackDiscoverySchedulesRequestBody - required: true - responses: - '200': + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '404': content: application/json: examples: - BulkEnableAttackDiscoverySchedulesResponse200Example: - summary: Bulk enable response for two successfully enabled schedules. + notFound: value: - errors: [] - ids: - - 12345678-1234-1234-1234-123456789012 - - 98765432-1234-1234-1234-123456789012 - total: 2 + message: 'exception list list_id: "foo" does not exist' + status_code: 404 schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_BulkActionAttackDiscoverySchedulesResponse - description: Successfully processed the bulk enable request. 
- '400': + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list not found response + '500': content: application/json: examples: - BulkEnableAttackDiscoverySchedulesResponse400Example: - summary: >- - Bad Request error returned when the bulk enable payload is - invalid. + serverError: value: - error: Bad Request - message: Invalid request parameters. - status_code: 400 + message: Internal Server Error + status_code: 500 schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError - description: Bad Request response. - summary: Bulk enable Attack Discovery schedules + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Delete an exception list tags: - - Security Attack discovery API - /api/attack_discovery/schedules/_find: + - Security Exceptions API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name get: - description: >- - Find Attack Discovery schedules that match the search criteria. Supports - pagination and sorting by various fields. - operationId: FindAttackDiscoverySchedules + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/exception_lists
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the details of an exception list using the `id` or `list_id` field. + operationId: ReadExceptionList parameters: - - description: Page number to return (used for pagination). Defaults to 1. - example: 1 - in: query - name: page - required: false - schema: - type: number - - description: >- - Number of Attack Discovery schedules to return per page (used for - pagination). Defaults to 10. - example: 10 + - description: Exception list's identifier. Either `id` or `list_id` must be specified. in: query - name: per_page + name: id required: false schema: - type: number - - description: >- - Field used to sort results. Common fields include 'name', - 'created_at', 'updated_at', and 'enabled'. - example: name + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' + - description: Human readable exception list string identifier, e.g. `trusted-linux-processes`. Either `id` or `list_id` must be specified. in: query - name: sort_field + name: list_id required: false schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' - - description: >- - Sort order direction. Use 'asc' for ascending or 'desc' for - descending. Defaults to 'asc'. - example: asc + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + - description: | + When `single`, the list is resolved in the current Kibana space. When `agnostic`, the list is a global + (space-agnostic) container. Required for looking up the correct list when `list_id` is not unique. 
+ examples: + agnostic: + value: agnostic + single: + value: single in: query - name: sort_direction + name: namespace_type required: false schema: - enum: - - asc - - desc - type: string + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + default: single responses: '200': content: application/json: examples: - FindAttackDiscoverySchedulesResponse200Example: - summary: >- - Paginated list of Attack Discovery schedules matching the - search criteria. + detectionType: value: - data: - - actions: [] - created_at: '2023-10-31T10:00:00.000Z' - created_by: elastic - enabled: true - id: 12345678-1234-1234-1234-123456789012 - name: Daily Security Analysis - params: - alerts_index_pattern: .alerts-security.alerts-default - api_config: - actionTypeId: bedrock - connectorId: my-bedrock-connector - name: Claude 3.5 Sonnet - end: now - size: 100 - start: now-24h - schedule: - interval: 24h - updated_at: '2023-10-31T10:00:00.000Z' - updated_by: elastic - page: 1 - per_page: 10 - total: 1 + _version: WzIsMV0= + created_at: '2025-01-07T19:34:27.942Z' + created_by: elastic + description: This is a sample detection type exception list. + id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 + immutable: false + list_id: simple_list + name: Sample Detection Exception List + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 + type: detection + updated_at: '2025-01-07T19:34:27.942Z' + updated_by: elastic + version: 1 schema: - type: object - properties: - data: - description: Array of matched Attack Discovery schedule objects. - items: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule - type: array - page: - description: Current page number of the paginated result set. - type: number - per_page: - description: Number of items requested per page. 
- type: number - total: - description: >- - Total number of Attack Discovery schedules matching the - query (across all pages). - type: number - required: - - page - - per_page - - total - - data - description: Indicates a successful call. + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + description: Successful response '400': content: application/json: examples: - FindAttackDiscoverySchedulesResponse400Example: - summary: >- - Bad Request error returned when find-schedules query - parameters are invalid. + badRequest: value: error: Bad Request - message: Invalid request payload. - status_code: 400 + message: '[request query]: namespace_type.0: Invalid enum value. Expected ''agnostic'' | ''single'', received ''blob''' + statusCode: 400 schema: - type: object - properties: - error: - description: Error type - example: Bad Request - type: string - message: - description: Human-readable error message - example: Invalid request payload. - type: string - status_code: - description: HTTP status code - example: 400 - type: number - description: Bad Request response. - summary: Find Attack Discovery schedules that match the search criteria - tags: - - Security Attack discovery API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request GET 'http://localhost:5601/api/attack_discovery/schedules/_find' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" - /api/attack_discovery/schedules/{id}: - delete: - description: >- - Permanently deletes an Attack Discovery schedule and all associated - configuration. - operationId: DeleteAttackDiscoverySchedules - parameters: - - description: >- - The unique identifier (UUID) of the Attack Discovery schedule to - delete. This ID is returned when creating a schedule and can be - found in schedule listings. 
- example: 12345678-1234-1234-1234-123456789012 - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' - responses: - '200': + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response + '401': content: application/json: examples: - DeleteAttackDiscoverySchedulesResponse200Example: - summary: >- - Confirmation returned after deleting an Attack Discovery - schedule. + unauthorized: value: - id: 12345678-1234-1234-1234-123456789012 + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 schema: - type: object - properties: - id: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_NonEmptyString - description: >- - The unique identifier of the deleted Attack Discovery - schedule - required: - - id - description: >- - Successfully deleted Attack Discovery schedule, returning the ID of - the deleted schedule for confirmation - '400': + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': content: application/json: examples: - DeleteAttackDiscoverySchedulesResponse400Example: - summary: >- - Bad Request error returned when the delete schedule request - is invalid. + forbidden: value: - error: Bad Request - message: Invalid request parameters. 
- status_code: 400 + error: Forbidden + message: API [GET /api/exception_lists?list_id=simple_list&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] + statusCode: 403 schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError - description: Bad Request response. - summary: Delete Attack Discovery schedule - tags: - - Security Attack discovery API - x-codeSamples: - - label: Delete an Attack Discovery schedule - lang: curl - source: | - curl \ - --request DELETE 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" - get: - description: >- - Retrieves a specific Attack Discovery schedule by its unique identifier. - Returns complete schedule configuration including parameters, interval - settings, associated actions, and execution history. - operationId: GetAttackDiscoverySchedules - parameters: - - description: >- - The unique identifier (UUID) of the Attack Discovery schedule to - retrieve. This ID is returned when creating a schedule and can be - found in schedule listings. - example: 12345678-1234-1234-1234-123456789012 - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' - responses: - '200': + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '404': content: application/json: examples: - GetAttackDiscoverySchedulesResponse200Example: - summary: >- - An Attack Discovery schedule retrieved by ID, including last - execution metadata. 
+ notFound: value: - actions: [] - created_at: '2023-10-31T10:00:00.000Z' - created_by: elastic - enabled: true - id: 12345678-1234-1234-1234-123456789012 - last_execution: - date: '2023-10-31T10:00:00.000Z' - last_duration: 45.2 - status: ok - name: Daily Security Analysis - params: - alerts_index_pattern: .alerts-security.alerts-default - api_config: - actionTypeId: bedrock - connectorId: my-bedrock-connector - name: Claude 3.5 Sonnet - end: now - size: 100 - start: now-24h - schedule: - interval: 24h - updated_at: '2023-10-31T10:00:00.000Z' - updated_by: elastic + message": 'exception list id: "foo" does not exist' + status_code": 404 schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule - description: >- - Successfully retrieved Attack Discovery schedule with complete - configuration and metadata - '400': + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list item not found response + '500': content: application/json: examples: - GetAttackDiscoverySchedulesResponse400Example: - summary: >- - Bad Request error returned when the get-schedule request is - invalid. + serverError: value: - error: Bad Request - message: Invalid request parameters. - status_code: 400 + message: Internal Server Error + status_code: 500 schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError - description: Bad Request response. 
- summary: Get Attack Discovery schedule by ID + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Get exception list details tags: - - Security Attack discovery API - x-codeSamples: - - label: Get an Attack Discovery schedule by ID - lang: curl - source: | - curl \ - --request GET 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" - put: - description: >- - Updates an existing Attack Discovery schedule with new configuration. - All schedule properties can be modified including name, parameters, - interval, and actions. The update operation replaces the entire schedule - configuration with the provided values. - operationId: UpdateAttackDiscoverySchedules - parameters: - - description: >- - The unique identifier (UUID) of the Attack Discovery schedule to - update. This ID is returned when creating a schedule and can be - found in schedule listings. - example: 12345678-1234-1234-1234-123456789012 - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + - Security Exceptions API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/exception_lists
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + An exception list groups exception items and can be associated with detection rules. You can assign exception lists to multiple detection rules. + > info + > All exception items added to the same list are evaluated using `OR` logic. That is, if any of the items in a list evaluate to `true`, the exception prevents the rule from generating an alert. Likewise, `OR` logic is used for evaluating exceptions when more than one exception list is assigned to a rule. To use the `AND` operator, you can define multiple clauses (`entries`) in a single exception item. + operationId: CreateExceptionList requestBody: content: application/json: examples: - UpdateAttackDiscoverySchedulesRequestBodyExample: - summary: >- - Update an Attack Discovery schedule to run every 12 hours over - a 48-hour window. + createDetection: value: - actions: [] - name: Updated Daily Security Analysis - params: - alerts_index_pattern: .alerts-security.alerts-default - api_config: - actionTypeId: bedrock - connectorId: my-bedrock-connector - name: Claude 3.5 Sonnet - end: now - size: 200 - start: now-48h - schedule: - interval: 12h + description: This is a sample detection type exception list. + list_id: simple_list + name: Sample Detection Exception List + namespace_type: single + os_types: + - linux + tags: + - malware + type: detection schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleUpdateProps - description: >- - Updated Attack Discovery schedule configuration. All fields are - required as this replaces the entire schedule configuration. + example: + description: This is a sample detection type exception list. 
+ list_id: simple_list + name: Sample Detection Exception List + namespace_type: single + os_types: + - linux + tags: + - malware + type: detection + type: object + properties: + description: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListDescription' + list_id: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + meta: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListMeta' + name: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListName' + namespace_type: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + default: single + os_types: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray' + tags: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListTags' + default: [] + type: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListType' + version: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListVersion' + default: 1 + required: + - name + - description + - type + description: Exception list's properties required: true responses: '200': content: application/json: examples: - UpdateAttackDiscoverySchedulesResponse200Example: - summary: An Attack Discovery schedule after being updated. + autogeneratedListId: value: - actions: [] - created_at: '2023-10-31T10:00:00.000Z' + _version: WzMsMV0= + created_at: '2025-01-09T01:05:23.019Z' created_by: elastic - enabled: true - id: 12345678-1234-1234-1234-123456789012 - name: Updated Daily Security Analysis - params: - alerts_index_pattern: .alerts-security.alerts-default - api_config: - actionTypeId: bedrock - connectorId: my-bedrock-connector - name: Claude 3.5 Sonnet - end: now - size: 200 - start: now-48h - schedule: - interval: 12h - updated_at: '2023-10-31T12:00:00.000Z' + description: This is a sample detection type exception with an autogenerated list_id. 
+ id: 28243c2f-624a-4443-823d-c0b894880931 + immutable: false + list_id: 8c1aae4c-1ef5-4bce-a2e3-16584b501783 + name: Sample Detection Exception List + namespace_type: single + os_types: [] + tags: + - malware + tie_breaker_id: ad94de31-39f7-4ad7-b8e4-988bfa95f338 + type: detection + updated_at: '2025-01-09T01:05:23.020Z' updated_by: elastic - schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule - description: >- - Successfully updated Attack Discovery schedule with the new - configuration and metadata - '400': - content: - application/json: - examples: - UpdateAttackDiscoverySchedulesResponse400Example: - summary: >- - Bad Request error returned when the update schedule payload - is invalid. + version: 1 + namespaceAgnostic: value: - error: Bad Request - message: Invalid request parameters. - status_code: 400 - schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError - description: Bad Request response. - summary: Update Attack Discovery schedule - tags: - - Security Attack discovery API - x-codeSamples: - - label: Update an Attack Discovery schedule - lang: curl - source: | - curl \ - --request PUT 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" \ - --data '{ - "name": "Updated Daily Security Analysis", - "params": { - "alerts_index_pattern": ".alerts-security.alerts-default", - "api_config": { - "actionTypeId": "bedrock", - "connectorId": "my-bedrock-connector", - "name": "Claude 3.5 Sonnet" - }, - "size": 200, - "start": "now-48h", - "end": "now" - }, - "schedule": { - "interval": "12h" - }, - "actions": [] - }' - /api/attack_discovery/schedules/{id}/_disable: - post: - description: >- - Disables an Attack Discovery schedule, preventing it from running - according to its configured interval. 
The schedule configuration is - preserved and can be re-enabled later. Any currently running executions - will complete, but no new executions will be started. - operationId: DisableAttackDiscoverySchedules - parameters: - - description: >- - The unique identifier (UUID) of the Attack Discovery schedule to - disable. This ID is returned when creating a schedule and can be - found in schedule listings. - example: 12345678-1234-1234-1234-123456789012 - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' - responses: - '200': - content: - application/json: - examples: - DisableAttackDiscoverySchedulesResponse200Example: - summary: >- - Confirmation returned after disabling an Attack Discovery - schedule. + _version: WzUsMV0= + created_at: '2025-01-09T01:10:36.369Z' + created_by: elastic + description: This is a sample agnostic endpoint type exception. + id: 1a744e77-22ca-4b6b-9085-54f55275ebe5 + immutable: false + list_id: b935eb55-7b21-4c1c-b235-faa1df23b3d6 + name: Sample Agnostic Endpoint Exception List + namespace_type: agnostic + os_types: + - linux + tags: + - malware + tie_breaker_id: 49ea0adc-a2b8-4d83-a8f3-2fb98301dea3 + type: endpoint + updated_at: '2025-01-09T01:10:36.369Z' + updated_by: elastic + version: 1 + typeDetection: value: - id: 12345678-1234-1234-1234-123456789012 + _version: WzIsMV0= + created_at: '2025-01-07T19:34:27.942Z' + created_by: elastic + description: This is a sample detection type exception list. 
+ id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 + immutable: false + list_id: simple_list + name: Sample Detection Exception List + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 + type: detection + updated_at: '2025-01-07T19:34:27.942Z' + updated_by: elastic + version: 1 + typeEndpoint: + value: + _version: WzQsMV0= + created_at: '2025-01-09T01:07:49.658Z' + created_by: elastic + description: This is a sample endpoint type exception list. + id: a79f4730-6e32-4278-abfc-349c0add7d54 + immutable: false + list_id: endpoint_list + name: Sample Endpoint Exception List + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 94a028af-8f47-427a-aca5-ffaf829e64ee + type: endpoint + updated_at: '2025-01-09T01:07:49.658Z' + updated_by: elastic + version: 1 schema: - type: object - properties: - id: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_NonEmptyString - description: >- - The unique identifier of the disabled Attack Discovery - schedule - required: - - id - description: >- - Successfully disabled Attack Discovery schedule, returning the - schedule ID for confirmation + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + description: Successful response '400': content: application/json: examples: - DisableAttackDiscoverySchedulesResponse400Example: - summary: >- - Bad Request error returned when the disable schedule request - is invalid. + badRequest: value: error: Bad Request - message: Invalid request parameters. - status_code: 400 + message: '[request body]: list_id: Expected string, received number' + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError - description: Bad Request response. 
- summary: Disable Attack Discovery schedule - tags: - - Security Attack discovery API - x-codeSamples: - - label: Disable an Attack Discovery schedule - lang: curl - source: | - curl \ - --request POST 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012/_disable' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" - /api/attack_discovery/schedules/{id}/_enable: - post: - description: >- - Enables a previously disabled Attack Discovery schedule, allowing it to - run according to its configured interval. Once enabled, the schedule - will begin executing at the next scheduled time based on its interval - configuration. - operationId: EnableAttackDiscoverySchedules - parameters: - - description: >- - The unique identifier (UUID) of the Attack Discovery schedule to - enable. This ID is returned when creating a schedule and can be - found in schedule listings. - example: 12345678-1234-1234-1234-123456789012 - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' - responses: - '200': + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response + '401': content: application/json: examples: - EnableAttackDiscoverySchedulesResponse200Example: - summary: >- - Confirmation returned after enabling an Attack Discovery - schedule. 
+ unauthorized: value: - id: 12345678-1234-1234-1234-123456789012 + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 schema: - type: object - properties: - id: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_NonEmptyString - description: >- - The unique identifier of the enabled Attack Discovery - schedule - required: - - id - description: >- - Successfully enabled Attack Discovery schedule, returning the - schedule ID for confirmation - '400': + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': content: application/json: examples: - EnableAttackDiscoverySchedulesResponse400Example: - summary: >- - Bad Request error returned when the enable schedule request - is invalid. + forbidden: value: - error: Bad Request - message: Invalid request parameters. - status_code: 400 + error: Forbidden + message: API [POST /api/exception_lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError - description: Bad Request response. - summary: Enable Attack Discovery schedule - tags: - - Security Attack discovery API - x-codeSamples: - - label: Enable an Attack Discovery schedule - lang: curl - source: | - curl \ - --request POST 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012/_enable' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" - /api/data_views: - get: - description: > - Retrieve a list of all data views. Use this endpoint to identify - available data views in the current Kibana space. 
- operationId: getAllDataViewsDefault - responses: - '200': + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '409': content: application/json: examples: - getAllDataViewsResponse: - $ref: '#/components/examples/Data_views_get_data_views_response' + alreadyExists: + value: + message: 'exception list id: "simple_list" already exists' + status_code: 409 schema: - type: object - properties: - data_view: - items: - type: object - properties: - id: - type: string - name: - type: string - namespaces: - items: - type: string - type: array - title: - type: string - typeMeta: - type: object - type: array - description: Indicates a successful call. - '400': + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list already exists response + '500': content: application/json: examples: - getAllDataViewsBadRequest: - $ref: '#/components/examples/Data_views_error_400_response' + serverError: + value: + message: Internal Server Error + status_code: 500 schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Get all data views + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Create an exception list tags: - - data views - x-codeSamples: - - lang: curl - source: | - curl \ - -X GET "${KIBANA_URL}/api/data_views" \ - -H "Authorization: ApiKey ${API_KEY}" - - lang: Console - source: | - GET kbn://api/data_views - /api/data_views/data_view: - post: - description: > - Create a data view. Data views identify the Elasticsearch data you want - to explore and visualize. They can point to one or more data streams, - indices, or index aliases, and use optional runtime fields to compute - values at query time. Note that data views are not required for - ES|QL-based visualizations. 
To learn more, refer to the [data views - documentation](https://www.elastic.co/docs/explore-analyze/find-and-organize/data-views). - operationId: createDataViewDefaultw - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' + - Security Exceptions API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/exception_lists
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an exception list using the `id` or `list_id` field. + operationId: UpdateExceptionList requestBody: content: application/json: examples: - createDataViewRequest: - $ref: '#/components/examples/Data_views_create_data_view_request' + fullReplace: + value: + description: Different description + list_id: simple_list + name: Updated exception list name + os_types: + - linux + tags: + - draft + - malware + type: detection schema: - $ref: '#/components/schemas/Data_views_create_data_view_request_object' + example: + description: Different description + list_id: simple_list + name: Updated exception list name + os_types: + - linux + tags: + - draft malware + type: detection + type: object + properties: + _version: + description: The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version. + type: string + description: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListDescription' + id: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' + list_id: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + meta: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListMeta' + name: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListName' + namespace_type: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + default: single + os_types: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray' + default: [] + tags: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListTags' + type: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListType' + version: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListVersion' + required: + - name + - description + - type + description: Exception list's properties required: true responses: 
'200': content: application/json: examples: - createDataViewResponse: - $ref: '#/components/examples/Data_views_create_data_view_response' + simpleList: + value: + _version: WzExLDFd + created_at: '2025-01-07T20:43:55.264Z' + created_by: elastic + description: Different description + id: fa7f545f-191b-4d32-b1f0-c7cd62a79e55 + immutable: false + list_id: simple_list + name: Updated exception list name + namespace_type: single + os_types: [] + tags: + - draft malware + tie_breaker_id: 319fe983-acdd-4806-b6c4-3098eae9392f + type: detection + updated_at: '2025-01-07T21:32:03.726Z' + updated_by: elastic + version: 2 schema: - $ref: '#/components/schemas/Data_views_data_view_response_object' - description: Indicates a successful call. + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + description: Successful response '400': content: application/json: examples: - createDataViewBadRequest: - $ref: '#/components/examples/Data_views_error_400_response' + badRequest: + value: + error: Bad Request + message: '[request body]: list_id: Expected string, received number' + statusCode: 400 schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Create a data view - tags: - - data views - x-codeSamples: - - lang: curl - source: | - curl \ - -X POST "${KIBANA_URL}/api/data_views/data_view" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" \ - -H "Content-Type: application/json" \ - -d '{"data_view":{"title":"logstash-*","name":"My Logstash data view"}}' - - lang: Console - source: | - POST kbn://api/data_views/data_view - {"data_view":{"title":"logstash-*","name":"My Logstash data view"}} - /api/data_views/data_view/{viewId}: - delete: - description: > - Delete a data view by its identifier. WARNING: When you delete a data - view, it cannot be recovered. 
- operationId: deleteDataViewDefault - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - - $ref: '#/components/parameters/Data_views_view_id' - responses: - '204': - description: Indicates a successful call. - '404': + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response + '401': content: application/json: examples: - deleteDataViewNotFound: - $ref: '#/components/examples/Data_views_error_404_response' + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 schema: - $ref: '#/components/schemas/Data_views_404_response' - description: Object is not found. - summary: Delete a data view - tags: - - data views - x-codeSamples: - - lang: curl - source: | - curl \ - -X DELETE "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" - - lang: Console - source: | - DELETE kbn://api/data_views/data_view/{viewId} - get: - description: > - Retrieve a single data view by its identifier. Data views identify the - Elasticsearch data you want to explore and visualize. They can point to - one or more data streams, indices, or index aliases, and use optional - runtime fields to compute values at query time. Note that data views are - not required for ES|QL-based visualizations. To learn more, refer to the - [data views - documentation](https://www.elastic.co/docs/explore-analyze/find-and-organize/data-views). 
- operationId: getDataViewDefault - parameters: - - $ref: '#/components/parameters/Data_views_view_id' - responses: - '200': + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': content: application/json: examples: - getDataViewResponse: - $ref: '#/components/examples/Data_views_get_data_view_response' + forbidden: + value: + error: Forbidden + message: API [PUT /api/exception_lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 schema: - $ref: '#/components/schemas/Data_views_data_view_response_object' - description: Indicates a successful call. + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response '404': content: application/json: examples: - getDataViewNotFound: - $ref: '#/components/examples/Data_views_error_404_response' - schema: - $ref: '#/components/schemas/Data_views_404_response' - description: Object is not found. - summary: Get a data view - tags: - - data views - x-codeSamples: - - lang: curl - source: | - curl \ - -X GET "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}" \ - -H "Authorization: ApiKey ${API_KEY}" - - lang: Console - source: | - GET kbn://api/data_views/data_view/{viewId} - post: - description: > - Update an existing data view. Only the fields provided in the request - body are updated. 
- operationId: updateDataViewDefault - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - - $ref: '#/components/parameters/Data_views_view_id' - requestBody: - content: - application/json: - examples: - updateDataViewRequest: - $ref: '#/components/examples/Data_views_update_data_view_request' - schema: - $ref: '#/components/schemas/Data_views_update_data_view_request_object' - required: true - responses: - '200': - content: - application/json: - examples: - updateDataViewResponse: - $ref: '#/components/examples/Data_views_get_data_view_response' + notFound: + value: + message": 'exception list id: "foo" does not exist' + status_code": 404 schema: - $ref: '#/components/schemas/Data_views_data_view_response_object' - description: Indicates a successful call. - '400': + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list not found response + '500': content: application/json: examples: - updateDataViewBadRequest: - $ref: '#/components/examples/Data_views_error_400_response' + serverError: + value: + message: Internal Server Error + status_code: 500 schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Update a data view + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Update an exception list tags: - - data views - x-codeSamples: - - lang: curl - source: | - curl \ - -X POST "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" \ - -H "Content-Type: application/json" \ - -d '{"data_view":{"name":"Updated data view name"}}' - - lang: Console - source: | - POST kbn://api/data_views/data_view/{viewId} - {"data_view":{"name":"Updated data view name"}} - /api/data_views/data_view/{viewId}/fields: + - Security Exceptions API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + 
/api/exception_lists/_duplicate: post: - description: > - Update field metadata for a data view. Use this endpoint to set custom - labels, custom descriptions, and format overrides for individual fields. - operationId: updateFieldsMetadataDefault + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/exception_lists/_duplicate
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Duplicate an existing exception list. + operationId: DuplicateExceptionList parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - - $ref: '#/components/parameters/Data_views_view_id' - requestBody: - content: - application/json: - examples: - updateFieldsMetadataRequest: - $ref: '#/components/examples/Data_views_update_field_metadata_request' - schema: - type: object - properties: - fields: - description: The field object. - type: object - required: - - fields - required: true + - description: The `list_id` of the existing exception list to copy (source list). + in: query + name: list_id + required: true + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + - description: Scope in which the source list is defined (`single` = current space, `agnostic` = all spaces). + examples: + agnostic: + value: agnostic + single: + value: single + in: query + name: namespace_type + required: true + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + - description: Determines whether to include expired exceptions in the duplicated list. Expiration date defined by `expire_time`. 
+ in: query + name: include_expired_exceptions + required: true + schema: + default: 'true' + enum: + - 'true' + - 'false' + example: true + type: string responses: '200': content: application/json: examples: - updateFieldsMetadataResponse: - $ref: >- - #/components/examples/Data_views_update_field_metadata_response + detectionExceptionList: + value: + _version: WzExNDY1LDFd + created_at: '2025-01-09T16:19:50.280Z' + created_by: elastic + description: This is a sample detection type exception + id: b2f4a715-6ab1-444c-8b1e-3fa1b1049429 + immutable: false + list_id: d6390d60-bce3-4a48-9002-52db600f329c + name: Sample Detection Exception List [Duplicate] + namespace_type: single + os_types: [] + tags: + - malware + tie_breaker_id: 6fa670bd-666d-4c9c-9f1e-d1dbc516e985 + type: detection + updated_at: '2025-01-09T16:19:50.280Z' + updated_by: elastic + version: 1 schema: - type: object - properties: - acknowledged: - type: boolean - description: Indicates a successful call. + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + description: Successful response '400': content: application/json: examples: - updateFieldsMetadataBadRequest: - $ref: '#/components/examples/Data_views_error_400_response' - schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Update field metadata - tags: - - data views - x-codeSamples: - - lang: curl - source: | - curl \ - -X POST "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}/fields" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" \ - -H "Content-Type: application/json" \ - -d '{"fields":{"field_name":{"customLabel":"My custom label"}}}' - - lang: Console - source: | - POST kbn://api/data_views/data_view/{viewId}/fields - {"fields":{"field_name":{"customLabel":"My custom label"}}} - /api/data_views/data_view/{viewId}/runtime_field: - post: - description: > - Create a runtime field for a data view. 
Runtime fields are computed at - query time using a [Painless - script](https://www.elastic.co/docs/explore-analyze/scripting/modules-scripting-painless) - and do not require reindexing. If no `script` is provided, the runtime - field returns the corresponding value from the document `_source`. - operationId: createRuntimeFieldDefault - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - - $ref: '#/components/parameters/Data_views_view_id' - requestBody: - content: - application/json: - examples: - createRuntimeFieldRequest: - $ref: '#/components/examples/Data_views_create_runtime_field_request' - schema: - type: object - properties: - name: - description: | - The name for a runtime field. - type: string - runtimeField: - description: | - The runtime field definition object. - type: object - required: - - name - - runtimeField - required: true - responses: - '200': - content: - application/json: - examples: - createRuntimeFieldResponse: - $ref: >- - #/components/examples/Data_views_create_runtime_field_response + badRequest: + value: + error: Bad Request + message: '[request query]: namespace_type: Invalid enum value. Expected ''agnostic'' | ''single'', received ''foo''' + statusCode: 400 schema: - type: object - description: Indicates a successful call. 
- summary: Create a runtime field - tags: - - data views - x-codeSamples: - - lang: curl - source: | - curl \ - -X POST "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}/runtime_field" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" \ - -H "Content-Type: application/json" \ - -d '{"name":"hour_of_day","runtimeField":{"type":"long","script":{"source":"emit(doc['"'"'timestamp'"'"'].value.getHour())"}}}' - - lang: Console - source: > - POST kbn://api/data_views/data_view/{viewId}/runtime_field - - {"name":"hour_of_day","runtimeField":{"type":"long","script":{"source":"emit(doc['timestamp'].value.getHour())"}}} - put: - description: > - Create or update a runtime field for a data view. If the runtime field - already exists, it is replaced with the new definition. - operationId: createUpdateRuntimeFieldDefault - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - - description: | - The ID of the data view fields you want to update. - in: path - name: viewId - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - updateRuntimeFieldRequest: - $ref: '#/components/examples/Data_views_create_runtime_field_request' - schema: - type: object - properties: - name: - description: | - The name for a runtime field. - type: string - runtimeField: - description: | - The runtime field definition object. 
- type: object - required: - - name - - runtimeField - required: true - responses: - '200': + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response + '401': content: application/json: examples: - createUpdateRuntimeFieldResponse: - $ref: >- - #/components/examples/Data_views_create_runtime_field_response + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 schema: - type: object - properties: - data_view: - type: object - fields: - items: - type: object - type: array - description: Indicates a successful call. - '400': + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': content: application/json: examples: - createUpdateRuntimeFieldBadRequest: - $ref: '#/components/examples/Data_views_error_400_response' + forbidden: + value: + error: Forbidden + message: API [POST /api/exception_lists/_duplicate] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Create or update a runtime field - tags: - - data views - x-codeSamples: - - lang: curl - source: | - curl \ - -X PUT "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}/runtime_field" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" \ - -H "Content-Type: application/json" \ - -d '{"name":"hour_of_day","runtimeField":{"type":"long","script":{"source":"emit(doc['"'"'timestamp'"'"'].value.getHour())"}}}' - - lang: Console - source: > - PUT 
kbn://api/data_views/data_view/{viewId}/runtime_field - - {"name":"hour_of_day","runtimeField":{"type":"long","script":{"source":"emit(doc['timestamp'].value.getHour())"}}} - /api/data_views/data_view/{viewId}/runtime_field/{fieldName}: - delete: - description: | - Delete a runtime field from a data view. - operationId: deleteRuntimeFieldDefault - parameters: - - $ref: '#/components/parameters/Data_views_field_name' - - $ref: '#/components/parameters/Data_views_view_id' - responses: - '200': - description: Indicates a successful call. + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response '404': content: application/json: examples: - deleteRuntimeFieldNotFound: - $ref: '#/components/examples/Data_views_error_404_response' + notFound: + value: + message: 'exception list id: "foo" does not exist' + status_code: 404 schema: - $ref: '#/components/schemas/Data_views_404_response' - description: Object is not found. - summary: Delete a runtime field - tags: - - data views - x-codeSamples: - - lang: curl - source: | - curl \ - -X DELETE "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}/runtime_field/${FIELD_NAME}" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" - - lang: Console - source: > - DELETE - kbn://api/data_views/data_view/{viewId}/runtime_field/{fieldName} - get: - description: | - Retrieve a single runtime field by name from a data view. 
- operationId: getRuntimeFieldDefault - parameters: - - $ref: '#/components/parameters/Data_views_field_name' - - $ref: '#/components/parameters/Data_views_view_id' - responses: - '200': + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Exception list not found + '405': content: application/json: examples: - getRuntimeFieldResponse: - $ref: '#/components/examples/Data_views_get_runtime_field_response' + notAllowed: + value: + message: 'Cannot duplicate: list is immutable or the operation is not allowed in this state' + status_code: 405 schema: - type: object - properties: - data_view: - type: object - fields: - items: - type: object - type: array - description: Indicates a successful call. - '404': + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list to duplicate not found response + '500': content: application/json: examples: - getRuntimeFieldNotFound: - $ref: '#/components/examples/Data_views_error_404_response' + serverError: + value: + message: Internal Server Error + status_code: 500 schema: - $ref: '#/components/schemas/Data_views_404_response' - description: Object is not found. - summary: Get a runtime field + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Duplicate an exception list tags: - - data views - x-codeSamples: - - lang: curl - source: | - curl \ - -X GET "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}/runtime_field/${FIELD_NAME}" \ - -H "Authorization: ApiKey ${API_KEY}" - - lang: Console - source: > - GET - kbn://api/data_views/data_view/{viewId}/runtime_field/{fieldName} + - Security Exceptions API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/exception_lists/_export: post: - description: > - Update an existing runtime field in a data view. Only the fields - provided in the request body are updated. 
- operationId: updateRuntimeFieldDefault - parameters: - - $ref: '#/components/parameters/Data_views_field_name' - - $ref: '#/components/parameters/Data_views_view_id' - requestBody: - content: - application/json: - examples: - updateRuntimeFieldRequest: - $ref: '#/components/examples/Data_views_update_runtime_field_request' - schema: - type: object - properties: - runtimeField: - description: | - The runtime field definition object. + description: |- + **Spaces method and path for this operation:** - You can update following fields: +
post /s/{space_id}/api/exception_lists/_export
- - `type` - - `script` - type: object - required: - - runtimeField - required: true + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Export an exception list and its associated items to an NDJSON file. + operationId: ExportExceptionList + parameters: + - description: Exception list's internal `id` (UUID) returned on create; use with `list_id` and `namespace_type` for an unambiguous target. + in: query + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' + - description: Human-readable `list_id` of the exception list to export, as shown in the UI and API responses. + in: query + name: list_id + required: true + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + - description: | + `single` exports a list in the current Kibana space; `agnostic` exports a global (space-agnostic) list. + examples: + agnostic: + value: agnostic + single: + value: single + in: query + name: namespace_type + required: true + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + - description: Determines whether to include expired exceptions in the exported list. Expiration date defined by `expire_time`. + example: true + in: query + name: include_expired_exceptions + required: true + schema: + default: 'true' + enum: + - 'true' + - 'false' + type: string responses: '200': - description: Indicates a successful call. 
+ content: + application/ndjson: + examples: + exportSavedObjectsResponse: + value: | + {"_version":"WzExNDU5LDFd","created_at":"2025-01-09T16:18:17.757Z","created_by":"elastic","description":"This is a sample detection type exception","id":"c86c2da0-2ab6-4343-b81c-216ef27e8d75","immutable":false,"list_id":"simple_list","name":"Sample Detection Exception List","namespace_type":"single","os_types":[],"tags":["user added string for a tag","malware"],"tie_breaker_id":"cf4a7b92-732d-47f0-a0d5-49a35a1736bf","type":"detection","updated_at":"2025-01-09T16:18:17.757Z","updated_by":"elastic","version":1} + {"_version":"WzExNDYxLDFd","comments":[],"created_at":"2025-01-09T16:18:42.308Z","created_by":"elastic","description":"This is a sample endpoint type exception","entries":[{"type":"exists","field":"actingProcess.file.signer","operator":"excluded"},{"type":"match_any","field":"host.name","value":["some host","another host"],"operator":"included"}],"id":"f37597ce-eaa7-4b64-9100-4301118f6806","item_id":"simple_list_item","list_id":"simple_list","name":"Sample Endpoint Exception List","namespace_type":"single","os_types":["linux"],"tags":["user added string for a tag","malware"],"tie_breaker_id":"4ca3ef3e-9721-42c0-8107-cf47e094d40f","type":"simple","updated_at":"2025-01-09T16:18:42.308Z","updated_by":"elastic"} + {"exported_exception_list_count":1,"exported_exception_list_item_count":1,"missing_exception_list_item_count":0,"missing_exception_list_items":[],"missing_exception_lists":[],"missing_exception_lists_count":0} + schema: + description: A `.ndjson` file containing specified exception list and its items + format: binary + type: string + description: Successful response '400': content: application/json: examples: - updateRuntimeFieldBadRequest: - $ref: '#/components/examples/Data_views_error_400_response' + badRequest: + value: + error: Bad Request + message: '[request query]: list_id: Required, namespace_type: Required' + statusCode: 400 schema: - $ref: 
'#/components/schemas/Data_views_400_response' - description: Bad request - summary: Update a runtime field - tags: - - data views - x-codeSamples: - - lang: curl - source: | - curl \ - -X POST "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}/runtime_field/${FIELD_NAME}" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" \ - -H "Content-Type: application/json" \ - -d '{"runtimeField":{"type":"long","script":{"source":"emit(doc['"'"'timestamp'"'"'].value.getHour())"}}}' - - lang: Console - source: > - POST - kbn://api/data_views/data_view/{viewId}/runtime_field/{fieldName} - - {"runtimeField":{"type":"long","script":{"source":"emit(doc['timestamp'].value.getHour())"}}} - /api/data_views/default: - get: - description: > - Retrieve the identifier of the default data view for the current Kibana - space. - operationId: getDefaultDataViewDefault - responses: - '200': + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response + '401': content: application/json: examples: - getDefaultDataViewResponse: - $ref: >- - #/components/examples/Data_views_get_default_data_view_response + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 schema: - type: object - properties: - data_view_id: - type: string - description: Indicates a successful call. 
- '400': + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': content: application/json: examples: - getDefaultDataViewBadRequest: - $ref: '#/components/examples/Data_views_error_400_response' + forbidden: + value: + error: Forbidden + message: API [POST /api/exception_lists/_export] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Get the default data view - tags: - - data views - x-codeSamples: - - lang: curl - source: | - curl \ - -X GET "${KIBANA_URL}/api/data_views/default" \ - -H "Authorization: ApiKey ${API_KEY}" - - lang: Console - source: | - GET kbn://api/data_views/default - post: - description: > - Set the default data view for the current Kibana space. The default data - view is used as a fallback when no specific data view is selected. - operationId: setDefaultDatailViewDefault - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - requestBody: - content: - application/json: - examples: - setDefaultDataViewRequest: - $ref: '#/components/examples/Data_views_set_default_data_view_request' - schema: - type: object - properties: - data_view_id: - description: > - The data view identifier. NOTE: The API does not validate - whether it is a valid identifier. Use `null` to unset the - default data view. - nullable: true - type: string - force: - default: false - description: Update an existing default data view identifier. 
- type: boolean - required: - - data_view_id - required: true - responses: - '200': + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '404': content: application/json: examples: - setDefaultDataViewResponse: - $ref: >- - #/components/examples/Data_views_set_default_data_view_response + notFound: + value: + message": 'exception list id: "foo" does not exist' + status_code": 404 schema: - type: object - properties: - acknowledged: - type: boolean - description: Indicates a successful call. - '400': + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list not found response + '500': content: application/json: examples: - setDefaultDataViewBadRequest: - $ref: '#/components/examples/Data_views_error_400_response' + serverError: + value: + message: Internal Server Error + status_code: 500 schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Set the default data view + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Export an exception list tags: - - data views - x-codeSamples: - - lang: curl - source: | - curl \ - -X POST "${KIBANA_URL}/api/data_views/default" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" \ - -H "Content-Type: application/json" \ - -d '{"data_view_id":"ff959d40-b880-11e8-a6d9-e546fe2bba5f","force":true}' - - lang: Console - source: | - POST kbn://api/data_views/default - {"data_view_id":"ff959d40-b880-11e8-a6d9-e546fe2bba5f","force":true} - /api/data_views/swap_references: - post: - description: > - Swap saved object references from one data view to another. Use this - endpoint to update dashboards, visualizations, and other saved objects - that reference a data view. WARNING: Misuse can break large numbers of - saved objects! 
Use the - [`_preview`](https://www.elastic.co/docs/api/doc/kibana/operation/operation-previewswapdataviewsdefault) - endpoint to see which saved objects would be affected before making - changes. - operationId: swapDataViewsDefault + - Security Exceptions API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/exception_lists/_find: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/exception_lists/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all exception list containers. + operationId: FindExceptionLists parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - requestBody: - content: - application/json: - examples: - swapDataViewRequest: - $ref: '#/components/examples/Data_views_swap_data_view_request' - schema: - $ref: '#/components/schemas/Data_views_swap_data_view_request_object' - required: true + - description: | + Filters the returned results according to the value of the specified field. + + Uses the `so type.field name:field` value syntax, where `so type` can be: + + - `exception-list`: Specify a space-aware exception list. + - `exception-list-agnostic`: Specify an exception list that is shared across spaces. + in: query + name: filter + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_FindExceptionListsFilter' + - description: | + Determines whether the returned containers are Kibana associated with a Kibana space + or available in all spaces (`agnostic` or `single`) + examples: + agnostic: + value: agnostic + single: + value: single + in: query + name: namespace_type + required: false + schema: + default: + - single + items: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + type: array + - description: The page number to return + in: query + name: page + required: false + schema: + example: 1 + minimum: 1 + type: integer + - description: The number of exception lists to return per page + in: query + name: per_page + required: false + schema: + example: 20 + minimum: 1 + type: integer + - description: Determines which field is used to sort the results. + in: query + name: sort_field + required: false + schema: + example: name + type: string + - description: Determines the sort order, which can be `desc` or `asc`. 
+ in: query + name: sort_order + required: false + schema: + enum: + - desc + - asc + example: desc + type: string responses: '200': content: application/json: examples: - swapDataViewResponse: - $ref: '#/components/examples/Data_views_swap_data_view_response' + simpleLists: + value: + data: + - _version: WzIsMV0= + created_at: '2025-01-07T19:34:27.942Z' + created_by: elastic + description: This is a sample detection type exception list. + id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 + immutable: false + list_id: simple_list + name: Detection Exception List + namespace_type: single + os_types: [] + tags: + - malware + tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 + type: detection + updated_at: '2025-01-07T19:34:27.942Z' + updated_by: elastic + version: 1 + page: 1 + per_page: 20 + total: 1 schema: type: object properties: - deleteStatus: - type: object - properties: - deletePerformed: - type: boolean - remainingRefs: - type: integer - result: + data: items: - type: object - properties: - id: - description: A saved object identifier. - type: string - type: - description: The saved object type. - type: string + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' type: array - description: Indicates a successful call. - summary: Swap saved object references - tags: - - data views - x-codeSamples: - - lang: curl - source: | - curl \ - -X POST "${KIBANA_URL}/api/data_views/swap_references" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" \ - -H "Content-Type: application/json" \ - -d '{"fromId":"abcd-efg","toId":"xyz-123","delete":true}' - - lang: Console - source: | - POST kbn://api/data_views/swap_references - {"fromId":"abcd-efg","toId":"xyz-123","delete":true} - /api/data_views/swap_references/_preview: - post: - description: > - Preview the effect of swapping saved object references from one data - view to another. Returns the list of affected saved objects without - making any changes. 
- operationId: previewSwapDataViewsDefault - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - requestBody: - content: - application/json: - examples: - previewSwapDataViewRequest: - $ref: >- - #/components/examples/Data_views_preview_swap_data_view_request - schema: - $ref: '#/components/schemas/Data_views_swap_data_view_request_object' - required: true - responses: - '200': + page: + minimum: 1 + type: integer + per_page: + minimum: 1 + type: integer + total: + minimum: 0 + type: integer + required: + - data + - page + - per_page + - total + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request query]: namespace_type.0: Invalid enum value. Expected ''agnostic'' | ''single'', received ''blob''' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [GET /api/exception_lists/_find?namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '500': content: application/json: examples: - 
previewSwapDataViewResponse: - $ref: >- - #/components/examples/Data_views_preview_swap_data_view_response + serverError: + value: + message: Internal Server Error + status_code: 500 schema: - type: object - properties: - result: - items: - type: object - properties: - id: - description: A saved object identifier. - type: string - type: - description: The saved object type. - type: string - type: array - description: Indicates a successful call. - summary: Preview swap references + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Get exception lists tags: - - data views - x-codeSamples: - - lang: curl - source: | - curl \ - -X POST "${KIBANA_URL}/api/data_views/swap_references/_preview" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" \ - -H "Content-Type: application/json" \ - -d '{"fromId":"abcd-efg","toId":"xyz-123"}' - - lang: Console - source: | - POST kbn://api/data_views/swap_references/_preview - {"fromId":"abcd-efg","toId":"xyz-123"} - /api/detection_engine/privileges: - get: - description: > - Retrieves whether or not the user is authenticated, and the user's - Kibana + - Security Exceptions API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/exception_lists/_import: + post: + description: |- + **Spaces method and path for this operation:** - space and index privileges, which determine if the user can create an +
post /s/{space_id}/api/exception_lists/_import
- index for the Elastic Security alerts generated by + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - detection engine rules. - operationId: ReadPrivileges + Import an exception list and its associated items from an NDJSON file. + operationId: ImportExceptionList + parameters: + - description: | + Determines whether existing exception lists with the same `list_id` are overwritten. + If any exception items have the same `item_id`, those are also overwritten. + in: query + name: overwrite + required: false + schema: + default: false + example: false + type: boolean + - description: | + Determines whether the list being imported will have a new `list_id` generated. + Additional `item_id`'s are generated for each exception item. Both the exception + list and its items are overwritten. + in: query + name: as_new_list + required: false + schema: + default: false + example: false + type: boolean + requestBody: + content: + multipart/form-data: + examples: + ndjsonUpload: + value: + file: exception_lists.ndjson + schema: + type: object + properties: + file: + description: A `.ndjson` file containing the exception list + example: | + {"_version":"WzExNDU5LDFd","created_at":"2025-01-09T16:18:17.757Z","created_by":"elastic","description":"This is a sample detection type exception","id":"c86c2da0-2ab6-4343-b81c-216ef27e8d75","immutable":false,"list_id":"simple_list","name":"Sample Detection Exception List","namespace_type":"single","os_types":[],"tags":["user added string for a tag","malware"],"tie_breaker_id":"cf4a7b92-732d-47f0-a0d5-49a35a1736bf","type":"detection","updated_at":"2025-01-09T16:18:17.757Z","updated_by":"elastic","version":1} + {"_version":"WzExNDYxLDFd","comments":[],"created_at":"2025-01-09T16:18:42.308Z","created_by":"elastic","description":"This is a sample endpoint type 
exception","entries":[{"type":"exists","field":"actingProcess.file.signer","operator":"excluded"},{"type":"match_any","field":"host.name","value":["some host","another host"],"operator":"included"}],"id":"f37597ce-eaa7-4b64-9100-4301118f6806","item_id":"simple_list_item","list_id":"simple_list","name":"Sample Endpoint Exception List","namespace_type":"single","os_types":["linux"],"tags":["user added string for a tag","malware"],"tie_breaker_id":"4ca3ef3e-9721-42c0-8107-cf47e094d40f","type":"simple","updated_at":"2025-01-09T16:18:42.308Z","updated_by":"elastic"} + format: binary + type: string + required: true responses: '200': content: application/json: examples: - success: + withErrors: value: - application: {} - cluster: - all: true - manage: true - manage_api_key: true - manage_index_templates: true - manage_ml: true - manage_own_api_key: true - manage_pipeline: true - manage_security: true - manage_transform: true - monitor: true - monitor_ml: true - monitor_transform: true - has_all_requested: true - has_encryption_key: true - index: - .alerts-security.alerts-default: - all: true - create: true - create_doc: true - create_index: true - delete: true - delete_index: true - index: true - maintenance: true - manage: true - monitor: true - read: true - view_index_metadata: true - write: true - is_authenticated: true - username: elastic + errors: + - error: + message: 'Error found importing exception list: Invalid value \"4\" supplied to \"list_id\"' + status_code: 400 + list_id: (unknown list_id) + - error: + message: 'Found that item_id: \"f7fd00bb-dba8-4c93-9d59-6cbd427b6330\" already exists. Import of item_id: \"f7fd00bb-dba8-4c93-9d59-6cbd427b6330\" skipped.' 
+ status_code: 409 + item_id: f7fd00bb-dba8-4c93-9d59-6cbd427b6330 + list_id: 7d7cccb8-db72-4667-b1f3-648efad7c1ee + success: false, + success_count: 0, + success_count_exception_list_items: 0 + success_count_exception_lists: 0, + success_exception_list_items: false, + success_exception_lists: false, + withoutErrors: + value: + errors: [] + success: true + success_count: 2 + success_count_exception_list_items: 1 + success_count_exception_lists: 1 + success_exception_list_items: true + success_exception_lists: true, schema: type: object properties: - has_encryption_key: + errors: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListsImportBulkErrorArray' + success: type: boolean - is_authenticated: + success_count: + minimum: 0 + type: integer + success_count_exception_list_items: + minimum: 0 + type: integer + success_count_exception_lists: + minimum: 0 + type: integer + success_exception_list_items: + type: boolean + success_exception_lists: type: boolean required: - - is_authenticated - - has_encryption_key + - errors + - success + - success_count + - success_exception_lists + - success_count_exception_lists + - success_exception_list_items + - success_count_exception_list_items description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: Multipart part `file` is required and must contain a valid .ndjson exception list export + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response '401': content: application/json: 
@@ -5074,12 +22155,23 @@ paths:
 unauthorized:
 value:
 error: Unauthorized
- message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]"
+ message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]'
 statusCode: 401
 schema:
- $ref: >-
- #/components/schemas/Security_Detections_API_PlatformErrorResponse
+ $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
 description: Unsuccessful authentication response
+ '403':
+ content:
+ application/json:
+ examples:
+ forbidden:
+ value:
+ error: Forbidden
+ message: API [POST /api/exception_lists/_import] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]
+ statusCode: 403
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ description: Not enough privileges response
 '500':
 content:
 application/json:
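Review bot: The 401 example's `message` value was switched from double to single quotes, which changes its content: in YAML a single-quoted scalar does not process escape sequences, so `\n` and `\t` are now the literal two-character sequences rather than the newline and tab that the removed double-quoted form produced, and the documented error body no longer matches what the authentication failure actually returns. The fix is to keep the double-quoted scalar, `message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]"`, or drop the escapes entirely if a single-line example is intended. The same single-quoted `\n\t` form appears in the other 401 examples added in this file (the exception list export, find, and item delete/get operations), so they should be corrected together. If this bundle is generated from the per-plugin OpenAPI sources, the change belongs in those sources rather than here.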
@@ -5089,6365 +22181,7383 @@ paths: message: Internal Server Error status_code: 500 schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Internal server error response - summary: Returns user privileges for the Kibana space + summary: Import an exception list tags: - - Security Detections API - - Privileges API - /api/detection_engine/rules: + - Security Exceptions API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/exception_lists/items: delete: - description: > - Delete a detection rule using the `rule_id` or `id` field. - + description: |- + **Spaces method and path for this operation:** - The URL query must include one of the following: - - - * `id` - `DELETE /api/detection_engine/rules?id=` - - * `rule_id`- `DELETE /api/detection_engine/rules?rule_id=` +
delete /s/{space_id}/api/exception_lists/items
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - The difference between the `id` and `rule_id` is that the `id` is a - unique rule identifier that is randomly generated when a rule is created - and cannot be set, whereas `rule_id` is a stable rule identifier that - can be assigned during rule creation. - operationId: DeleteRule + Delete an exception list item using the `id` or `item_id` field. + operationId: DeleteExceptionListItem parameters: - - description: The rule's `id` value. + - description: Exception item's identifier. Either `id` or `item_id` must be specified in: query name: id required: false schema: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' - - description: The rule's `rule_id` value. + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' + - description: Human readable exception item string identifier, e.g. `trusted-linux-processes`. Either `id` or `item_id` must be specified in: query - name: rule_id + name: item_id required: false schema: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId' + - description: | + `single` deletes the item in the current Kibana space; `agnostic` deletes an item in a space-agnostic list. Must match the list that owns the item. 
+ examples: + agnostic: + value: agnostic + single: + value: single + in: query + name: namespace_type + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + default: single responses: '200': content: application/json: examples: - deletedRule: - summary: Response shape after a rule is deleted + simpleExceptionItem: value: - actions: [] - created_at: '2020-02-03T11:19:04.259Z' + _version: WzQsMV0= + comments: [] + created_at: '2025-01-07T20:07:33.119Z' created_by: elastic - description: Process started by MS Office program in user folder - enabled: false - false_positives: [] - from: now-4200s - id: c41d170b-8ba6-4de6-b8ec-76440a35ace3 - immutable: false - interval: 1h - language: kuery - max_signals: 100 - name: MS Office child process - query: event.action:Process* - references: [] - risk_score: 50 - rule_id: process_started_by_ms_office_user_folder - severity: low + description: This is a sample detection type exception item. + entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + - field: host.name + operator: included + type: match_any + value: + - saturn + - jupiter + id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux tags: - - tag - throttle: null - to: now - type: query - updated_at: '2020-02-03T11:19:04.462Z' + - malware + tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c + type: simple + updated_at: '2025-01-07T20:07:33.119Z' updated_by: elastic - version: 3 schema: - $ref: '#/components/schemas/Security_Detections_API_RuleResponse' - description: Indicates a successful call. 
- summary: Delete a detection rule + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request query]: namespace_type.0: Invalid enum value. Expected ''agnostic'' | ''single'', received ''blob''' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [DELETE /api/exception_lists/items?item_id=simple_list&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'exception list item item_id: \"foo\" does not exist' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list item not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: 
'#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Delete an exception list item tags: - - Security Detections API - - Rules API - x-codeSamples: - - lang: cURL - source: | - curl \ - --request DELETE https://localhost:5601/api/detection_engine/rules?rule_id=bfeaf89b-a2a7-48a3-817f-e41829dc61ee \ - --header "Content-Type: application/json; Elastic-Api-Version=2023-10-31" + - Security Exceptions API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name get: - description: > - Retrieve a detection rule using the `rule_id` or `id` field. - - - The URL query must include one of the following: - - - * `id` - `GET /api/detection_engine/rules?id=` + description: |- + **Spaces method and path for this operation:** - * `rule_id` - `GET /api/detection_engine/rules?rule_id=` +
get /s/{space_id}/api/exception_lists/items
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - The difference between the `id` and `rule_id` is that the `id` is a - unique rule identifier that is randomly generated when a rule is created - and cannot be set, whereas `rule_id` is a stable rule identifier that - can be assigned during rule creation. - operationId: ReadRule + Get the details of an exception list item using the `id` or `item_id` field. + operationId: ReadExceptionListItem parameters: - - description: The rule's `id` value. + - description: Exception list item's identifier. Either `id` or `item_id` must be specified. in: query name: id required: false schema: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' - - description: The rule's `rule_id` value. + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' + - description: Human readable exception item string identifier, e.g. `trusted-linux-processes`. Either `id` or `item_id` must be specified. in: query - name: rule_id + name: item_id required: false schema: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId' + - description: | + `single` fetches the item in the current space; `agnostic` fetches a global (space-agnostic) item. Must + match how the list was created. 
+ examples: + agnostic: + value: agnostic + single: + value: single + in: query + name: namespace_type + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + default: single responses: '200': content: application/json: examples: - example1: - summary: Example response for a retrieved rule + simpleListItem: value: - created_at: '2020-02-03T11:19:04.259Z' + _version: WzQsMV0= + comments: [] + created_at: '2025-01-07T20:07:33.119Z' created_by: elastic - description: Process started by MS Office program in user folder - enabled: false - execution_summary: - last_execution: - date: '2022-03-23T16:06:12.787Z' - message: >- - This rule attempted to query data from Elasticsearch - indices listed in the "Index pattern" section of the - rule definition, but no matching index was found. - metrics: - execution_gap_duration_s: 0 - total_indexing_duration_ms: 15 - total_search_duration_ms: 135 - status: partial failure - status_order: 20 - false_positives: [] - filters: - - query: - match: - event.action: - query: 'Process Create (rule: ProcessCreate)' - type: phrase - from: now-4200s - id: c41d170b-8ba6-4de6-b8ec-76440a35ace3 - immutable: false - interval: 1h - language: kuery - max_signals: 100 - name: MS Office child process - query: >- - process.parent.name:EXCEL.EXE or - process.parent.name:MSPUB.EXE or - process.parent.name:OUTLOOK.EXE or - process.parent.name:POWERPNT.EXE or - process.parent.name:VISIO.EXE or - process.parent.name:WINWORD.EXE - references: [] - related_integrations: - - package: o365 - version: ^2.3.2 - required_fields: - - ecs: true - name: process.name - type: keyword - - ecs: true - name: process.parent.name - type: keyword - risk_score: 21 - rule_id: process_started_by_ms_office_user_folder - setup: '' - severity: low + description: This is a sample detection type exception item. 
+ entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + - field: host.name + operator: included + type: match_any + value: + - saturn + - jupiter + id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux tags: - - child process - - ms office - threat: - - framework: MITRE ATT&CK - tactic: - id: TA0001 - name: Initial Access - reference: https://attack.mitre.org/tactics/TA0001 - technique: - - id: T1193 - name: Spearphishing Attachment - reference: https://attack.mitre.org/techniques/T1193 - to: now-300s - type: query - updated_at: '2020-02-03T11:19:04.462Z' + - malware + tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c + type: simple + updated_at: '2025-01-07T20:07:33.119Z' updated_by: elastic - version: 1 schema: - $ref: '#/components/schemas/Security_Detections_API_RuleResponse' - description: > - Indicates a successful call. - - > info - - > These fields are under development and their usage or schema may - change: execution_summary. - summary: Retrieve a detection rule + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request query]: namespace_type.0: Invalid enum value. 
Expected ''agnostic'' | ''single'', received ''blob''' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [GET /api/exception_lists/items?item_id=&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'exception list item item_id: \"foo\" does not exist' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list item not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Get an exception list item tags: - - Security Detections API - - Rules API - x-codeSamples: - - lang: cURL - source: | - curl \ - --request GET https://localhost:5601/api/detection_engine/rules?rule_id=bfeaf89b-a2a7-48a3-817f-e41829dc61ee \ - 
--header "Content-Type: application/json; Elastic-Api-Version=2023-10-31" - patch: - description: > - Update specific fields of an existing detection rule using the `rule_id` - or `id` field. - - - The difference between the `id` and `rule_id` is that the `id` is a - unique rule identifier that is randomly generated when a rule is created - and cannot be set, whereas `rule_id` is a stable rule identifier that - can be assigned during rule creation. - - > warn + - Security Exceptions API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: | + **Spaces method and path for this operation:** - > When used with [API - key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, - the user's key gets assigned to the affected rules. If the user's key - gets deleted or the user becomes inactive, the rules will stop running. +
post /s/{space_id}/api/exception_lists/items
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - > If the API key that is used for authorization has different privileges - than the key that created or most recently updated the rule, the rule - behavior might change. - operationId: PatchRule + Create an exception item and associate it with the specified exception list. + > info + > Before creating exception items, you must create an exception list. + operationId: CreateExceptionListItem requestBody: content: application/json: examples: - example1: - summary: Patch query rule - value: - id: 14b7b513-3d8d-4b22-b7da-a7ae632f7e76 - name: New name - example2: - summary: Patch EQL rule - value: - rule_id: process_started_by_ms_office_program_possible_payload - threat: - - framework: MITRE ATT&CK - tactic: - id: TA0001 - name: Initial Access - reference: https://attack.mitre.org/tactics/TA0001 - technique: - - id: T1193 - name: Spearphishing Attachment - reference: https://attack.mitre.org/techniques/T1193 - example3: - summary: Patch threshold rule - value: - id: 005d2c4f-51ca-493d-a2bd-20ef076339b1 - query: >- - agent.version : * and agent.id : - "243d9b4f-ca01-4311-8e5c-9abbee91afd8" - threshold: - cardinality: [] - field: [] - value: 600 - example4: - summary: Patch new terms rule - value: - history_window_start: now-3d - id: 569aac91-40dc-4807-a8ae-a2c8698089c4 - new_terms_fields: - - Endpoint.policy.applied.artifacts.global.identifiers.name - example5: - summary: Patch esql rule - value: - id: 0b15e8a2-49b6-47e0-a8e6-d63a6cc335bd - query: > - FROM logs-abc* - - | STATS count = COUNT(*), min_timestamp = MIN(@timestamp) - - | EVAL event_rate = count / DATE_DIFF("seconds", - min_timestamp, NOW()) - - | KEEP event_rate - example6: - summary: Patch indicator match rule - value: - id: 462f1986-10fe-40a3-a22c-2b1c9c4c48fd - threat_query: >- - @timestamp >= "now-30d/d" and event.module:(threatintel or - ti_*) and threat.indicator.ip:* and not - 
labels.is_ioc_transform_source:"false" - example7: - summary: Patch machine learning rule + simpleItem: value: - anomaly_threshold: 50 - id: 60b13926-289b-41b1-a537-197ef1fa5059 - machine_learning_job_id: - - auth_high_count_logon_events_ea + description: This is a sample detection type exception item. + entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + type: simple schema: - $ref: '#/components/schemas/Security_Detections_API_RulePatchProps' - description: | - > info - > You cannot modify the `id` or `rule_id` values. + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemGeneric' + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemEndpointList' + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedAppsWindows' + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedAppsMac' + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedAppsLinux' + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedDevicesWindows' + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedDevicesMac' + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedDevicesWindowsMac' + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemEventFilters' + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemHostIsolation' + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBlocklistWindows' + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBlocklistLinux' + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBlocklistMac' + description: Exception list 
item's properties required: true responses: '200': content: application/json: examples: - example1: - summary: Example response for an updated rule + autogeneratedItemId: value: - actions: [] - created_at: '2020-04-07T14:51:09.755Z' + _version: WzYsMV0= + comments: [] + created_at: '2025-01-09T01:16:23.322Z' created_by: elastic - description: Updated description for the rule. - enabled: false - false_positives: [] - filters: - - query: null - from: now-70m - id: 6541b99a-dee9-4f6d-a86d-dbd1869d73b1 - immutable: false - interval: 1h - language: kuery - max_signals: 100 - name: Updated Rule Name - query: >- - process.parent.name:EXCEL.EXE or - process.parent.name:MSPUB.EXE or - process.parent.name:OUTLOOK.EXE or - process.parent.name:POWERPNT.EXE or - process.parent.name:VISIO.EXE or - process.parent.name:WINWORD.EXE - references: [] - related_integrations: - - package: o365 - required_fields: - - name: process.parent.name - risk_score: 50 - rule_id: process_started_by_ms_office_program - setup: '' - severity: low + description: This is a sample exception that has no item_id so it is autogenerated. + entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + id: 323faa75-c657-4fa0-9084-8827612c207b + item_id: 80e6edf7-4b13-4414-858f-2fa74aa52b37 + list_id: 8c1aae4c-1ef5-4bce-a2e3-16584b501783 + name: Sample Autogenerated Exception List Item ID + namespace_type: single + os_types: [] tags: - - child process - - ms office - threat: [] - to: now - type: query - updated_at: '2020-04-07T14:51:09.970Z' + - malware + tie_breaker_id: d6799986-3a23-4213-bc6d-ed9463a32f23 + type: simple + updated_at: '2025-01-09T01:16:23.322Z' updated_by: elastic - version: 2 - schema: - $ref: '#/components/schemas/Security_Detections_API_RuleResponse' - description: Indicates a successful call. - summary: Patch a detection rule - tags: - - Security Detections API - - Rules API - post: - description: > - Create a new detection rule. 
- - > warn - - > When used with [API - key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, - the user's key gets assigned to the affected rules. If the user's key - gets deleted or the user becomes inactive, the rules will stop running. - - - > If the API key that is used for authorization has different privileges - than the key that created or most recently updated the rule, the rule - behavior might change. - - - You can create the following types of rules: - - - * **Custom query**: Searches the defined indices and creates an alert - when a document matches the rule's KQL query. - - * **Event correlation**: Searches the defined indices and creates an - alert when results match an [Event Query Language - (EQL)](https://www.elastic.co/guide/en/elasticsearch/reference/current/eql.html) - query. - - * **Threshold**: Searches the defined indices and creates an alert when - the number of times the specified field's value meets the threshold - during a single execution. When there are multiple values that meet the - threshold, an alert is generated for each value. - For example, if the threshold `field` is `source.ip` and its `value` is `10`, an alert is generated for every source IP address that appears in at least 10 of the rule's search results. If you're interested, see [Terms Aggregation](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-bucket-terms-aggregation.html) for more information. - * **Indicator match**: Creates an alert when fields match values defined - in the specified [Elasticsearch - index](https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-create-index.html). - For example, you can create an index for IP addresses and use this index - to create an alert whenever an event's `destination.ip` equals a value - in the index. The index's field mappings should be - [ECS-compliant](https://www.elastic.co/guide/en/ecs/current/ecs-reference.html). 
- - * **New terms**: Generates an alert for each new term detected in source - documents within a specified time range. - - * **ES|QL**: Uses [Elasticsearch Query Language - (ES|QL)](https://www.elastic.co/guide/en/elasticsearch/reference/current/esql.html) - to find events and aggregate search results. - - * **Machine learning rules**: Creates an alert when a machine learning - job discovers an anomaly above the defined threshold. - - > info - - > To create machine learning rules, you must have the [appropriate - license](https://www.elastic.co/subscriptions) or use a [cloud - deployment](https://cloud.elastic.co/registration). Additionally, for - the machine learning rule to function correctly, the associated machine - learning job must be running. - - - To retrieve machine learning job IDs, which are required to create - machine learning jobs, call the [Elasticsearch Get jobs - API](https://www.elastic.co/guide/en/elasticsearch/reference/current/ml-get-job.html). - Machine learning jobs that contain `siem` in the `groups` field can be - used to create rules: - - - ```json - - ... - - "job_id": "linux_anomalous_network_activity_ecs", - - "job_type": "anomaly_detector", - - "job_version": "7.7.0", - - "groups": [ - "auditbeat", - "process", - "siem" - ], - - ... - - ``` - - - Additionally, you can set up notifications for when rules create alerts. - The notifications use the [Alerting and Actions - framework](https://www.elastic.co/docs/explore-analyze/alerting). Each - action type requires a connector. Connectors store the information - required to send notifications via external systems. The following - connector types are supported for rule notifications: - - - * Slack - - * Email - - * PagerDuty - - * Webhook - - * Microsoft Teams - - * IBM Resilient - - * Jira - - * ServiceNow ITSM - - > info - - > For more information on PagerDuty fields, see [Send a v2 - Event](https://developer.pagerduty.com/docs/events-api-v2/trigger-events/). 
- - - To retrieve connector IDs, which are required to configure rule - notifications, call the [Find objects - API](https://www.elastic.co/docs/api/doc/kibana/operation/operation-findsavedobjects) - with `"type": "action"` in the request payload. - - - For detailed information on Kibana actions and alerting, and additional - API calls, see: - - - * [Alerting - API](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-alerting) - - * [Alerting and Actions - framework](https://www.elastic.co/docs/explore-analyze/alerting) - - * [Connectors - API](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-connectors) - operationId: CreateRule - requestBody: - content: - application/json: - examples: - example1: - description: Query rule that searches for processes started by MS Office - summary: Query rule - value: - description: Process started by MS Office program - possible payload - enabled: false - filters: - - query: - match: - event.action: - query: 'Process Create (rule: ProcessCreate)' - type: phrase - from: now-70m - interval: 1h - language: kuery - name: MS Office child process - query: >- - process.parent.name:EXCEL.EXE or - process.parent.name:MSPUB.EXE or - process.parent.name:OUTLOOK.EXE or - process.parent.name:POWERPNT.EXE or - process.parent.name:VISIO.EXE or - process.parent.name:WINWORD.EXE - related_integrations: - - package: o365 - version: ^2.3.2 - required_fields: - - name: process.parent.name - type: keyword - risk_score: 50 - rule_id: process_started_by_ms_office_program - severity: low - tags: - - child process - - ms office - type: query - example2: - description: >- - Threshold rule that detects multiple failed login attempts to - a Windows host from the same external source IP address - summary: Threshold rule - value: - description: >- - Detects when there are 20 or more failed login attempts from - the same IP address with a 2 minute time frame. 
- enabled: true - exceptions_list: - - id: int-ips - namespace_type: single - type: detection - from: now-180s - index: - - winlogbeat-* - interval: 2m - name: Windows server prml-19 - query: >- - host.name:prml-19 and event.category:authentication and - event.outcome:failure - required_fields: - - name: source.ip - type: ip - risk_score: 30 - rule_id: liv-win-ser-logins - severity: low - severity_mapping: - - field: source.geo.city_name - operator: equals - severity: low - value: Manchester - - field: source.geo.city_name - operator: equals - severity: medium - value: London - - field: source.geo.city_name - operator: equals - severity: high - value: Birmingham - - field: source.geo.city_name - operator: equals - severity: critical - value: Wallingford - tags: - - Brute force - threshold: - field: source.ip - value: 20 - type: threshold - example3: - description: >- - Machine learning rule that creates alerts, and sends Slack - notifications, when the linux_anomalous_network_activity_ecs - machine learning job discovers anomalies with a threshold of - 70 or above. - summary: Machine learning rule - value: - actions: - - action_type_id: .slack - group: default - id: 5ad22cd5-5e6e-4c6c-a81a-54b626a4cec5 - params: - message: 'Urgent: {{context.rule.description}}' - anomaly_threshold: 70 - description: Generates alerts when the job discovers anomalies over 70 - enabled: true - from: now-6m - interval: 5m - machine_learning_job_id: linux_anomalous_network_activity_ecs - name: Anomalous Linux network activity - note: Shut down the internet. - risk_score: 70 - rule_id: ml_linux_network_high_threshold - setup: This rule requires data coming in from Elastic Defend. 
- severity: high - tags: - - machine learning - - Linux - type: machine_learning - example4: - description: >- - Event correlation rule that creates alerts when the Windows - rundll32.exe process makes unusual network connections - summary: EQL rule - value: - description: Unusual rundll32.exe network connection - language: eql - name: rundll32.exe network connection - query: >- - sequence by process.entity_id with maxspan=2h [process where - event.type in ("start", "process_started") and (process.name - == "rundll32.exe" or process.pe.original_file_name == - "rundll32.exe") and ((process.args == "rundll32.exe" and - process.args_count == 1) or (process.args != "rundll32.exe" - and process.args_count == 0))] [network where event.type == - "connection" and (process.name == "rundll32.exe" or - process.pe.original_file_name == "rundll32.exe")] - required_fields: - - name: event.type - type: keyword - - name: process.args - type: keyword - - name: process.args_count - type: long - - name: process.entity_id - type: keyword - - name: process.name - type: keyword - - name: process.pe.original_file_name - type: keyword - risk_score: 21 - rule_id: eql-outbound-rundll32-connections - severity: low - tags: - - EQL - - Windows - - rundll32.exe - type: eql - example5: - description: > - Indicator match rule that creates an alert when one of the - following is true: The event's destination IP address and port - number matches destination IP and port values in the - threat_index index; The event's source IP address matches a - host IP address value in the threat_index index. 
- summary: Indicator match rule - value: - actions: [] - description: >- - Checks for bad IP addresses listed in the ip-threat-list - index - index: - - packetbeat-* - name: Bad IP threat match - query: destination.ip:* or host.ip:* - required_fields: - - name: destination.ip - type: ip - - name: destination.port - type: long - - name: host.ip - type: ip - risk_score: 50 - severity: medium - threat_index: - - ip-threat-list - threat_mapping: - - entries: - - field: destination.ip - type: mapping - value: destination.ip - - field: destination.port - type: mapping - value: destination.port - - entries: - - field: source.ip - type: mapping - value: host.ip - threat_query: '*:*' - type: threat_match - example6: - description: >- - New terms rule that creates alerts a new IP address is - detected for a user - summary: New terms rule - value: - description: Detects a user associated with a new IP address - history_window_start: now-30d - index: - - auditbeat* - language: kuery - name: New User IP Detected - new_terms_fields: - - user.id - - source.ip - query: '*' - required_fields: - - name: user.id - type: keyword - - name: source.ip - type: ip - risk_score: 21 - severity: medium - type: new_terms - example7: - description: >- - esql rule that creates alerts from events that match an Excel - parent process - summary: Esql rule - value: - description: Find Excel events - enabled: false - from: now-360s - interval: 5m - language: esql - name: Find Excel events - query: >- - from auditbeat-8.10.2 METADATA _id, _version, _index | where - process.parent.name == "EXCEL.EXE" - required_fields: - - name: process.parent.name - type: keyword - risk_score: 21 - severity: low - tags: [] - to: now - type: esql - example8: - description: >- - Query rule that searches for processes started by MS Office - and suppresses alerts by the process.parent.name field within - a 5-hour time period - summary: Query rule 2 + detectionExceptionListItem: + value: + _version: WzQsMV0= + comments: [] 
+ created_at: '2025-01-07T20:07:33.119Z' + created_by: elastic + description: This is a sample detection type exception item. + entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c + type: simple + updated_at: '2025-01-07T20:07:33.119Z' + updated_by: elastic + withExistEntry: + value: + _version: WzQsMV0= + comments: [] + created_at: '2025-01-07T20:07:33.119Z' + created_by: elastic + description: This is a sample detection type exception item. + entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c + type: simple + updated_at: '2025-01-07T20:07:33.119Z' + updated_by: elastic + withMatchAnyEntry: + value: + _version: WzQsMV0= + comments: [] + created_at: '2025-01-07T20:07:33.119Z' + created_by: elastic + description: This is a sample detection type exception item. + entries: + - field: host.name + operator: included + type: match_any + value: + - saturn + - jupiter + id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c + type: simple + updated_at: '2025-01-07T20:07:33.119Z' + updated_by: elastic + withMatchEntry: + value: + _version: WzQsMV0= + comments: [] + created_at: '2025-01-07T20:07:33.119Z' + created_by: elastic + description: This is a sample detection type exception item. 
+ entries: + - field: actingProcess.file.signer + operator: included + type: match + value: Elastic N.V. + id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c + type: simple + updated_at: '2025-01-07T20:07:33.119Z' + updated_by: elastic + withNestedEntry: + value: + _version: WzQsMV0= + comments: [] + created_at: '2025-01-07T20:07:33.119Z' + created_by: elastic + description: This is a sample detection type exception item. + entries: + - entries: + - field: signer + operator: included + type: match + value: Evil + - field: trusted + operator: included + type: match + value: true + field: file.signature + type: nested + id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c + type: simple + updated_at: '2025-01-07T20:07:33.119Z' + updated_by: elastic + withValueListEntry: + value: + _version: WzcsMV0= + comments: [] + created_at: '2025-01-09T01:31:12.614Z' + created_by: elastic + description: Don't signal when agent.name is rock01 and source.ip is in the goodguys.txt list + entries: + - field: source.ip + list: + id: goodguys.txt + type: ip + operator: excluded + type: list + id: deb26876-297d-4677-8a1f-35467d2f1c4f + item_id: 686b129e-9b8d-4c59-8d8d-c93a9ea82c71 + list_id: 8c1aae4c-1ef5-4bce-a2e3-16584b501783 + name: Filter out good guys ip and agent.name rock01 + namespace_type: single + os_types: [] + tags: + - malware + tie_breaker_id: 5e0288ce-6657-4c18-9dcc-00ec9e8cc6c8 + type: simple + updated_at: '2025-01-09T01:31:12.614Z' + updated_by: elastic + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' + description: Successful response + '400': + 
content: + application/json: + examples: + badRequest: + value: + error: Bad Request, + message: '[request body]: list_id: Expected string, received number' + statusCode: 400, + schema: + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [POST /api/exception_lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '409': + content: + application/json: + examples: + alreadyExists: + value: + message: 'exception list item id: \"simple_list_item\" already exists' + status_code: 409 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list item already exists response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Create an exception list item + tags: + - Security Exceptions API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + 
put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/exception_lists/items
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an exception list item using the `id` or `item_id` field. + operationId: UpdateExceptionListItem + requestBody: + content: + application/json: + examples: + updateItem: value: - alert_suppression: - duration: - unit: h - value: 5 - group_by: - - process.parent.name - missing_fields_strategy: suppress - description: Process started by MS Office program - possible payload - enabled: false - filters: - - query: - match: - event.action: - query: 'Process Create (rule: ProcessCreate)' - type: phrase - from: now-70m - interval: 1h - language: kuery - name: MS Office child process - query: >- - process.parent.name:EXCEL.EXE or - process.parent.name:MSPUB.EXE or - process.parent.name:OUTLOOK.EXE or - process.parent.name:POWERPNT.EXE or - process.parent.name:VISIO.EXE or - process.parent.name:WINWORD.EXE - risk_score: 50 - rule_id: process_started_by_ms_office_program - severity: low - tags: - - child process - - ms office - type: query + description: Updated description + id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + name: Updated name + namespace_type: single + type: simple schema: - $ref: '#/components/schemas/Security_Detections_API_RuleCreateProps' + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemGeneric' + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemEndpointList' + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedAppsWindows' + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedAppsMac' + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedAppsLinux' + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesWindows' + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesMac' + - $ref: 
'#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesWindowsMac' + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemEventFilters' + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemHostIsolation' + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBlocklistWindows' + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBlocklistLinux' + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBlocklistMac' + description: Exception list item's properties required: true responses: '200': content: application/json: examples: - example1: - description: Example response for a query rule - summary: Query rule response + simpleListItem: value: - actions: [] - created_at: '2020-04-07T14:51:09.755Z' + _version: WzEyLDFd + comments: [] + created_at: '2025-01-07T21:12:25.512Z' created_by: elastic - description: Process started by MS Office program - possible payload - enabled: false - false_positives: [] - filters: - - query: - match: - event.action: - query: 'Process Create (rule: ProcessCreate)' - type: phrase - from: now-70m - id: 6541b99a-dee9-4f6d-a86d-dbd1869d73b1 - immutable: false - interval: 1h - language: kuery - max_signals: 100 - name: MS Office child process - query: >- - process.parent.name:EXCEL.EXE or - process.parent.name:MSPUB.EXE or - process.parent.name:OUTLOOK.EXE or - process.parent.name:POWERPNT.EXE or - process.parent.name:VISIO.EXE or - process.parent.name:WINWORD.EXE - references: [] - related_integrations: - - package: o365 - version: ^2.3.2 - - integration: graphactivitylogs - package: azure - version: ^1.11.4 - required_fields: - - ecs: true - name: process.parent.name - type: keyword - risk_score: 50 - rule_id: process_started_by_ms_office_program - setup: '' - severity: low - tags: - - child process - - ms office - threat: [] - to: now - type: query - updated_at: '2020-04-07T14:51:09.970Z' + 
description: Updated description + entries: + - field: host.name + operator: included + type: match + value: rock01 + id: 459c5e7e-f8b2-4f0b-b136-c1fc702f72da + item_id: simple_list_item + list_id: simple_list + name: Updated name + namespace_type: single + os_types: [] + tags: [] + tie_breaker_id: ad0754ff-7b19-49ca-b73e-e6aff6bfa2d0 + type: simple + updated_at: '2025-01-07T21:34:50.233Z' updated_by: elastic - version: 1 - example2: - description: Example response for a machine learning job rule - summary: Machine learning response + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: value: - actions: - - action_type_id: .slack - frequency: - notifyWhen: onActiveAlert - summary: true - throttle: null - group: default - id: 5ad22cd5-5e6e-4c6c-a81a-54b626a4cec5 - params: - message: 'Urgent: {{context.rule.description}}' - anomaly_threshold: 70 - created_at: '2020-04-07T14:45:15.679Z' - created_by: elastic - description: Generates alerts when the job discovers anomalies over 70 - enabled: true - false_positives: [] - from: now-6m - id: 83876f66-3a57-4a99-bf37-416494c80f3b - immutable: false - interval: 5m - machine_learning_job_id: linux_anomalous_network_activity_ecs - max_signals: 100 - name: Anomalous Linux network activity - note: Shut down the internet. 
- references: [] - related_integrations: [] - required_fields: [] - risk_score: 70 - rule_id: ml_linux_network_high_threshold - setup: '' - severity: high - status: going to run - status_date: '2020-04-07T14:45:21.685Z' - tags: - - machine learning - - Linux - threat: [] - to: now - type: machine_learning - updated_at: '2020-04-07T14:45:15.892Z' - updated_by: elastic - version: 1 - example3: - description: Example response for a threshold rule - summary: Threshold rule response + error: Bad Request + message: '[request body]: item_id: Expected string, received number' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: value: - actions: [] - author: [] - created_at: '2020-07-22T10:27:23.486Z' - created_by: elastic - description: >- - Detects when there are 20 or more failed login attempts - from the same IP address with a 2 minute time frame. 
- enabled: true - exceptions_list: - - id: int-ips + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [PUT /api/exception_lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'exception list item item_id: \"foo\" does not exist' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list item not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Update an exception list item + tags: + - Security Exceptions API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/exception_lists/items/_find: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/exception_lists/items/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all exception list items in the specified list. + operationId: FindExceptionListItems + parameters: + - description: The `list_id`s of the items to fetch. + in: query + name: list_id + required: true + schema: + items: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + type: array + - description: | + Filters the returned results according to the value of the specified field, + using the `:` syntax. + examples: + singleFilter: + value: + - exception-list.attributes.name:%My%20item + in: query + name: filter + required: false + schema: + default: [] + items: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + type: array + - description: | + Determines whether the returned containers are Kibana associated with a Kibana space + or available in all spaces (`agnostic` or `single`) + examples: + single: + value: + - single + in: query + name: namespace_type + required: false + schema: + default: + - single + items: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + type: array + - description: | + Free-text search term applied to exception list item fields (for example a hostname or file path fragment). + in: query + name: search + required: false + schema: + example: host.name + type: string + - description: The page number to return + in: query + name: page + required: false + schema: + example: 1 + minimum: 0 + type: integer + - description: The number of exception list items to return per page + in: query + name: per_page + required: false + schema: + example: 20 + minimum: 0 + type: integer + - description: Determines which field is used to sort the results. + example: name + in: query + name: sort_field + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + - description: Determines the sort order, which can be `desc` or `asc`. 
+ in: query + name: sort_order + required: false + schema: + enum: + - desc + - asc + example: desc + type: string + responses: + '200': + content: + application/json: + examples: + simpleListItems: + value: + data: + - _version: WzgsMV0= + comments: [] + created_at: '2025-01-07T21:12:25.512Z' + created_by: elastic + description: This is a sample exception item. + entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + - field: host.name + operator: included + type: match_any + value: + - jupiter + - saturn + id: 459c5e7e-f8b2-4f0b-b136-c1fc702f72da + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item namespace_type: single - type: detection - false_positives: [] - from: now-180s - id: 15dbde26-b627-4d74-bb1f-a5e0ed9e4993 - immutable: false - index: - - winlogbeat-* - interval: 2m - language: kuery - max_signals: 100 - name: Windows server prml-19 - query: >- - host.name:prml-19 and event.category:authentication and - event.outcome:failure - references: [] - related_integrations: - - package: o365 - version: ^2.3.2 - required_fields: - - ecs: true - name: source.ip - type: ip - risk_score: 30 - risk_score_mapping: [] - rule_id: liv-win-ser-logins - setup: '' - severity: low - severity_mapping: - - field: source.geo.city_name - operator: equals - severity: low - value: Manchester - - field: source.geo.city_name - operator: equals - severity: medium - value: London - - field: source.geo.city_name - operator: equals - severity: high - value: Birmingham - - field: source.geo.city_name - operator: equals - severity: critical - value: Wallingford - tags: - - Brute force - threat: [] - threshold: - field: source.ip - value: 20 - to: now - type: threshold - updated_at: '2020-07-22T10:27:23.673Z' - updated_by: elastic - version: 1 - example4: - description: Example response for an EQL rule - summary: EQL rule response + os_types: + - linux + tags: + - malware + tie_breaker_id: ad0754ff-7b19-49ca-b73e-e6aff6bfa2d0 
+ type: simple + updated_at: '2025-01-07T21:12:25.512Z' + updated_by: elastic + page: 1 + per_page: 20 + total: 1 + schema: + type: object + properties: + data: + items: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' + type: array + page: + minimum: 1 + type: integer + per_page: + minimum: 1 + type: integer + pit: + type: string + total: + minimum: 0 + type: integer + required: + - data + - page + - per_page + - total + description: Successful response + '400': + content: + application/json: + examples: + badRequest: value: - author: [] - created_at: '2020-10-05T09:06:16.392Z' - created_by: elastic - description: Unusual rundll32.exe network connection - enabled: true - exceptions_list: [] - false_positives: [] - from: now-6m - id: 93808cae-b05b-4dc9-8479-73574b50f8b1 - immutable: false - interval: 5m - language: eql - max_signals: 100 - name: rundll32.exe network connection - query: >- - sequence by process.entity_id with maxspan=2h [process - where event.type in ("start", "process_started") and - (process.name == "rundll32.exe" or - process.pe.original_file_name == "rundll32.exe") and - ((process.args == "rundll32.exe" and process.args_count == - 1) or (process.args != "rundll32.exe" and - process.args_count == 0))] [network where event.type == - "connection" and (process.name == "rundll32.exe" or - process.pe.original_file_name == "rundll32.exe")] - references: [] - related_integrations: - - package: o365 - version: ^2.3.2 - required_fields: - - ecs: true - name: event.type - type: keyword - - ecs: true - name: process.args - type: keyword - - ecs: true - name: process.args_count - type: long - - ecs: true - name: process.entity_id - type: keyword - - ecs: true - name: process.name - type: keyword - - ecs: true - name: process.pe.original_file_name - type: keyword - risk_score: 21 - risk_score_mapping: [] - rule_id: eql-outbound-rundll32-connections - setup: '' - severity: low - severity_mapping: [] - tags: - - EQL - - Windows - - 
rundll32.exe - threat: [] - throttle: no_actions - to: now - type: eql - updated_at: '2020-10-05T09:06:16.403Z' - updated_by: elastic - version: 1 - example5: - description: Example response for an indicator match rule - summary: Indicator match rule response + error: Bad Request + message: '[request query]: namespace_type.0: Invalid enum value. Expected ''agnostic'' | ''single'', received ''blob''' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: value: - author: [] - created_at: '2020-10-06T07:07:58.227Z' - created_by: elastic - description: >- - Checks for bad IP addresses listed in the ip-threat-list - index - enabled: true - exceptions_list: [] - false_positives: [] - from: now-6m - id: d5daa13f-81fb-4b13-be2f-31011e1d9ae1 - immutable: false - index: - - packetbeat-* - interval: 5m - language: kuery - max_signals: 100 - name: Bad IP threat match - query: destination.ip:* or host.ip:* - references: [] - related_integrations: - - package: o365 - version: ^2.3.2 - required_fields: - - ecs: true - name: destination.ip - type: ip - - ecs: true - name: destination.port - type: long - - ecs: true - name: host.ip - type: ip - risk_score: 50 - risk_score_mapping: [] - rule_id: 608501e4-c768-4f64-9326-cec55b5d439b - setup: '' - severity: medium - severity_mapping: [] - tags: [] - threat: [] - threat_index: - - ip-threat-list - threat_mapping: - - entries: - - field: destination.ip - type: mapping - value: destination.ip - - field: destination.port - type: mapping - value: destination.port - - entries: - - field: source.ip - type: mapping - value: host.ip - threat_query: '*:*' - to: now - type: threat_match - updated_at: '2020-10-06T07:07:58.237Z' - updated_by: elastic - version: 1 - example6: - description: Example 
response for a new terms rule - summary: New terms rule response + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: value: - author: [] - created_at: '2020-10-06T07:07:58.227Z' - created_by: elastic - description: Detects a user associated with a new IP address - enabled: true - exceptions_list: [] - false_positives: [] - from: now-6m - history_window_start: now-30d - id: eb7225c0-566b-11ee-8b4f-bbf3afdeb9f4 - immutable: false - index: - - auditbeat* - interval: 5m - language: kuery - max_signals: 100 - name: New User IP Detected - new_terms_fields: - - user.id - - source.ip - query: '*' - references: [] - related_integrations: - - package: o365 - version: ^2.3.2 - required_fields: - - ecs: true - name: user.id - type: keyword - - ecs: true - name: source.ip - type: ip - risk_score: 21 - risk_score_mapping: [] - rule_id: c6f5d0bc-7be9-47d4-b2f3-073d22641e30 - setup: '' - severity: medium - severity_mapping: [] - tags: [] - threat: [] - to: now - type: new_terms - updated_at: '2020-10-06T07:07:58.237Z' - updated_by: elastic - version: 1 - example7: - description: Example response for an Esql rule - summary: Esql rule response + error: Forbidden + message: API [GET /api/exception_lists/items/_find?list_id=simple_list&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: value: 
- actions: [] - author: [] - created_at: '2023-10-18T10:55:14.269Z' - created_by: elastic - description: Find Excel events - enabled: false - exceptions_list: [] - false_positives: [] - from: now-360s - id: d0f20490-6da4-11ee-b85e-09e9b661f2e2 - immutable: false - interval: 5m - language: esql - max_signals: 100 - name: Find Excel events - output_index: '' - query: >- - from auditbeat-8.10.2 METADATA _id | where - process.parent.name == "EXCEL.EXE" - references: [] - related_integrations: - - package: o365 - version: ^2.3.2 - required_fields: - - ecs: true - name: process.parent.name - type: keyword - revision: 0 - risk_score: 21 - risk_score_mapping: [] - rule_id: e4b53a89-debd-4a0d-a3e3-20606952e589 - setup: '' - severity: low - severity_mapping: [] - tags: [] - threat: [] - to: now - type: esql - updated_at: '2023-10-18T10:55:14.269Z' - updated_by: elastic - version: 1 + message: 'exception list list_id: "foo" does not exist' + status_code: 404 schema: - $ref: '#/components/schemas/Security_Detections_API_RuleResponse' - description: Indicates a successful call. - summary: Create a detection rule + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Get exception list items tags: - - Security Detections API - put: - description: > - Update a detection rule using the `rule_id` or `id` field. The original - rule is replaced, and all unspecified fields are deleted. + - Security Exceptions API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/exception_lists/summary: + get: + description: |- + **Spaces method and path for this operation:** +
get /s/{space_id}/api/exception_lists/summary
- The difference between the `id` and `rule_id` is that the `id` is a - unique rule identifier that is randomly generated when a rule is created - and cannot be set, whereas `rule_id` is a stable rule identifier that - can be assigned during rule creation. + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - > warn + Get a summary of the specified exception list. + operationId: ReadExceptionListSummary + parameters: + - description: Exception list's identifier generated upon creation. + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' + - description: Exception list's human readable identifier. + in: query + name: list_id + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + - description: | + `single` returns summary for a list in the current space; `agnostic` for a space-agnostic list. Must + line up with `id` / `list_id` used to look up the list. 
+ examples: + agnostic: + value: agnostic + single: + value: single + in: query + name: namespace_type + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + default: single + - description: Search filter clause + in: query + name: filter + required: false + schema: + example: exception-list-agnostic.attributes.tags:"policy:policy-1" OR exception-list-agnostic.attributes.tags:"policy:all" + type: string + responses: + '200': + content: + application/json: + examples: + summary: + value: + linux: 0 + macos: 0 + total: 0 + windows: 0 + schema: + type: object + properties: + linux: + minimum: 0 + type: integer + macos: + minimum: 0 + type: integer + total: + minimum: 0 + type: integer + windows: + minimum: 0 + type: integer + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request query]: namespace_type.0: Invalid enum value. Expected ''agnostic'' | ''single'', received ''blob''' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [GET /api/exception_lists/summary?list_id=simple_list&namespace_type=agnostic] is unauthorized for user, this action is 
granted by the Kibana privileges [lists-summary] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message": 'exception list id: "foo" does not exist' + status_code": 404 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Get an exception list summary + tags: + - Security Exceptions API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/exceptions/shared: + post: + description: | + **Spaces method and path for this operation:** - > When used with [API - key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, - the user's key gets assigned to the affected rules. If the user's key - gets deleted or the user becomes inactive, the rules will stop running. +
post /s/{space_id}/api/exceptions/shared
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - > If the API key that is used for authorization has different privileges - than the key that created or most recently updated the rule, the rule - behavior might change. - operationId: UpdateRule + An exception list groups exception items and can be associated with detection rules. A shared exception list can apply to multiple detection rules. + > info + > All exception items added to the same list are evaluated using `OR` logic. That is, if any of the items in a list evaluate to `true`, the exception prevents the rule from generating an alert. Likewise, `OR` logic is used for evaluating exceptions when more than one exception list is assigned to a rule. To use the `AND` operator, you can define multiple clauses (`entries`) in a single exception item. + operationId: CreateSharedExceptionList requestBody: content: application/json: examples: - example1: - summary: Update query rule - value: - description: A new description - id: 14b7b513-3d8d-4b22-b7da-a7ae632f7e76 - name: A new name for the rule - risk_score: 22 - severity: medium - type: query - example2: - summary: Update EQL rule - value: - description: eql rule test - id: 9b684efb-acf9-4323-9bff-8335b3867d14 - index: - - apm-*-transaction* - language: eql - name: New name for EQL rule - query: process where process.name == "regsvr32.exe" - risk_score: 21 - severity: low - type: eql - example3: - summary: Update threshold rule + createSharedExceptionList: value: - description: Description of threat rule test - id: 005d2c4f-51ca-493d-a2bd-20ef076339b1 - language: kuery - name: New name for threat rule - query: >- - agent.version : * and agent.id : - "243d9b4f-ca01-4311-8e5c-9abbee91afd8" - risk_score: 21 - severity: low + description: This is a sample detection type exception list. 
+ list_id: simple_list + name: Sample Detection Exception List + namespace_type: single + os_types: + - linux tags: - - new_tag - threshold: - cardinality: [] - field: [] - value: 400 - type: threshold - example4: - summary: Update new terms rule - value: - description: New description - history_window_start: now-7d - id: 569aac91-40dc-4807-a8ae-a2c8698089c4 - interval: 5m - name: New terms rule name - new_terms_fields: - - Endpoint.policy.applied.artifacts.global.identifiers.name - query: 'agent.version : "9.1.0"' - risk_score: 21 - severity: low - type: new_terms - example5: - summary: Update esql rule - value: - description: New description for esql rule - id: 0b15e8a2-49b6-47e0-a8e6-d63a6cc335bd - language: esql - name: New name for esql rule - query: > - FROM logs* - - | STATS count = COUNT(*), min_timestamp = MIN(@timestamp) /* - MIN(dateField) finds the earliest timestamp in the dataset. - */ - - | EVAL event_rate = count / DATE_DIFF("seconds", - min_timestamp, NOW()) /* Calculates the event rate by - dividing the total count of events by the time difference - (in seconds) between the earliest event and the current - time. 
*/ - - | KEEP event_rate - risk_score: 21 - severity: low - type: esql - example6: - summary: Update indicator match rule - value: - description: New description - id: 462f1986-10fe-40a3-a22c-2b1c9c4c48fd - name: New name for Indicator Match rule - query: source.ip:* or destination.ip:*\n - risk_score: 99 - severity: critical - threat_index: - - filebeat-* - - logs-ti_* - threat_mapping: - - entries: - - field: source.ip - type: mapping - value: threat.indicator.ip - - entries: - - field: destination.ip - type: mapping - value: threat.indicator.ip - threat_query: >- - @timestamp >= "now-30d/d" and event.module:(threatintel or - ti_*) and threat.indicator.ip:* and not - labels.is_ioc_transform_source:"true" - type: threat_match - example7: - summary: Update machine learning rule - value: - anomaly_threshold: 50 - description: New description of ml rule - id: 60b13926-289b-41b1-a537-197ef1fa5059 - machine_learning_job_id: - - auth_high_count_logon_events_ea - name: New name of ml rule - risk_score: 21 - severity: low - type: machine_learning - schema: - $ref: '#/components/schemas/Security_Detections_API_RuleUpdateProps' - description: > - > info - - > All unspecified fields are deleted. You cannot modify the `id` or - `rule_id` values. + - malware + schema: + type: object + properties: + description: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListDescription' + name: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListName' + required: + - name + - description required: true responses: '200': content: application/json: examples: - example1: - summary: Example response for an updated rule + sharedList: value: - actions: [] - created_at: '2020-04-07T14:51:09.755Z' + _version: WzIsMV0= + created_at: '2025-01-07T19:34:27.942Z' created_by: elastic - description: Updated description for the rule. 
- enabled: false - false_positives: [] - filters: - - query: null - from: now-70m - id: 6541b99a-dee9-4f6d-a86d-dbd1869d73b1 + description: This is a sample detection type exception list. + id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 immutable: false - interval: 1h - language: kuery - max_signals: 100 - name: Updated Rule Name - query: >- - process.parent.name:EXCEL.EXE or - process.parent.name:MSPUB.EXE or - process.parent.name:OUTLOOK.EXE or - process.parent.name:POWERPNT.EXE or - process.parent.name:VISIO.EXE or - process.parent.name:WINWORD.EXE - references: [] - related_integrations: - - package: o365 - required_fields: - - name: process.parent.name - risk_score: 50 - rule_id: process_started_by_ms_office_program - setup: '' - severity: low + list_id: simple_list + name: Sample Detection Exception List + namespace_type: single + os_types: + - linux tags: - - child process - - ms office - threat: [] - to: now - type: query - updated_at: '2020-04-07T14:51:09.970Z' + - malware + tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 + type: detection + updated_at: '2025-01-07T19:34:27.942Z' updated_by: elastic - version: 2 + version: 1 schema: - $ref: '#/components/schemas/Security_Detections_API_RuleResponse' - description: Indicates a successful call. 
- summary: Update a detection rule + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request body]: list_id: Expected string, received number' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + message: Unable to create exception-list + status_code: 403 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '409': + content: + application/json: + examples: + alreadyExists: + value: + message: 'exception list id: "simple_list" already exists' + status_code: 409 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list already exists response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Create a shared exception list tags: - - Security Detections API - - Rules API - /api/detection_engine/rules/_bulk_action: - post: 
- description: > - Apply a bulk action, such as bulk edit, duplicate, or delete, to - multiple detection rules. The bulk action is applied to all rules that - match the query or to the rules listed by their IDs. - - - The edit action allows you to add, delete, or set tags, index patterns, - investigation fields, rule actions and schedules for multiple rules at - once. - - The edit action is idempotent, meaning that if you add a tag to a rule - that already has that tag, no changes are made. The same is true for - other edit actions, for example removing an index pattern that is not - specified in a rule will not result in any changes. The only exception - is the `add_rule_actions` and `set_rule_actions` action, which is - non-idempotent. This means that if you add or set a rule action to a - rule that already has that action, a new action is created with a new - unique ID. - - > warn - - > When used with [API - key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, - the user's key gets assigned to the affected rules. If the user's key - gets deleted or the user becomes inactive, the rules will stop running. - - - > If the API key that is used for authorization has different privileges - than the key that created or most recently updated the rule, the rule - behavior might change. - operationId: PerformRulesBulkAction - parameters: - - description: > - Enables dry run mode for the request call. - - - Enable dry run mode to verify that bulk actions can be applied to - specified rules. Certain rules, such as prebuilt Elastic rules on a - Basic subscription, can’t be edited and will return errors in the - request response. Error details will contain an explanation, the - rule name and/or ID, and additional troubleshooting information. 
- + - Security Exceptions API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agent_download_sources: + get: + description: |- + **Spaces method and path for this operation:** - To enable dry run mode on a request, add the query parameter - `dry_run=true` to the end of the request URL. Rules specified in the - request will be temporarily updated. These updates won’t be written - to Elasticsearch. +
get /s/{space_id}/api/fleet/agent_download_sources
- > info + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - > Dry run mode is not supported for the `export` bulk action. A 400 - error will be returned in the request response. - in: query - name: dry_run - required: false - schema: - type: boolean - requestBody: - content: - application/json: - examples: - example01: - description: The following request activates all rules with the test tag. - summary: Enable - Enable all rules with the test tag - value: - action: enable - query: 'alert.attributes.tags: "test"' - example02: - description: The following request enables the rule with the specified ID. - summary: Enable - Enable a specific rule by ID. - value: - action: enable - ids: - - 748694f0-6977-4ea5-8384-cd2e39730779 - example03: - description: The following request disables the rule with the specified ID. - summary: Disable - Disable a specific rule by ID - value: - action: disable - ids: - - 748694f0-6977-4ea5-8384-cd2e39730779 - example04: - description: >- - The following request duplicates rules with the specified IDs, - including exceptions but not expired exceptions. - summary: Duplicate - Duplicate rules with specific IDs - value: - action: duplicate - duplicate: - include_exceptions: true - include_expired_exceptions: false - ids: - - 748694f0-6977-4ea5-8384-cd2e39730779 - - 461a4c22-416e-4009-a9a7-cf79656454bf - example05: - description: The following request deletes the rule with the specified ID. - summary: Delete - Delete a specific rule by ID - value: - action: delete - ids: - - cf4abfd1-7c37-4519-ab0f-5ea5c75fac60 - example06: - description: >- - The following request runs the rule with the specified ID - within the given date range. 
- summary: Run - Run a specific rule by ID - value: - action: run - ids: - - 748694f0-6977-4ea5-8384-cd2e39730779 - run: - end_date: '2025-03-10T23:59:59.999Z' - start_date: '2025-03-01T00:00:00.000Z' - example07: - description: >- - The following request exports the rules with the specified - IDs. - summary: Export - Export specific rules by ID - value: - action: export - ids: - - 748694f0-6977-4ea5-8384-cd2e39730779 - example08: - description: >- - The following request will validate that the - add_index_patterns bulk action can be successfully applied to - three rules. The dry_run parameter is specified in query - parameters, e.g. POST - api/detection_engine/rules/_bulk_action?dry_run=true - summary: Edit - dry run - Validate add_index_patterns bulk action - value: - action: edit - edit: - - type: add_index_patterns - value: - - test-* - ids: - - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 - - dc015d10-0831-11ed-ac8b-05a222bd8d4a - - de8f5af0-0831-11ed-ac8b-05a222bd8d4a - example09: - description: >- - The following request adds the tag "tag-1" to the rules with - the specified IDs. If the tag already exists for a rule, no - changes are made. - summary: Edit - Add a tag to rules (idempotent) - value: - action: edit - edit: - - type: add_tags - value: - - tag-1 - ids: - - 8bc7dad0-9320-11ec-9265-8b772383a08d - - 8e5c1a40-9320-11ec-9265-8b772383a08d - example10: - description: >- - The following request adds two tags at the same time, tag-1 - and tag-2, to the rules that have the IDs sent in the payload. - If the tags already exist for a rule, no changes are made. - summary: Edit - Add two tags to rules (idempotent) - value: - action: edit - edit: - - type: add_tags - value: - - tag-1 - - tag-2 - ids: - - 8bc7dad0-9320-11ec-9265-8b772383a08d - - 8e5c1a40-9320-11ec-9265-8b772383a08d - example11: - description: >- - The following request removes the tag "tag-1" from the rules - with the specified IDs. If the tag does not exist for a rule, - no changes are made. 
- summary: Edit - Delete a tag from rules (idempotent) - value: - action: edit - edit: - - type: delete_tags - value: - - tag-1 - ids: - - 8bc7dad0-9320-11ec-9265-8b772383a08d - - 8e5c1a40-9320-11ec-9265-8b772383a08d - example12: - description: >- - The following request sets the tags "tag-1" and "tag-2" for - the rules with the specified IDs, overwriting any existing - tags. If the set of tags is the same as the existing tags, no - changes are made. - summary: Edit - Set (overwrite existing) tags for rules (idempotent) - value: - action: edit - edit: - - type: set_tags - value: - - tag-1 - - tag-2 - ids: - - 8bc7dad0-9320-11ec-9265-8b772383a08d - - 8e5c1a40-9320-11ec-9265-8b772383a08d - example13: - description: >- - The following request adds the index pattern "test-*" to the - rules with the specified IDs. If the index pattern already - exists for a rule, no changes are made. - summary: Edit - Add index patterns to rules (idempotent) - value: - action: edit - edit: - - type: add_index_patterns - value: - - test-* - ids: - - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 - - dc015d10-0831-11ed-ac8b-05a222bd8d4a - example14: - description: >- - The following request removes the index pattern "test-*" from - the rules with the specified IDs. If the index pattern does - not exist for a rule, no changes are made. - summary: Edit - Remove index patterns from rules (idempotent) - value: - action: edit - edit: - - type: delete_index_patterns - value: - - test-* - ids: - - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 - - dc015d10-0831-11ed-ac8b-05a222bd8d4a - example15: - description: >- - The following request sets the index patterns "test-*" and - "prod-*" for the rules with the specified IDs, overwriting any - existing index patterns. If the set of index patterns is the - same as the existing index patterns, no changes are made. 
- summary: >- - Edit - Set (overwrite existing) index patterns for rules - patterns (idempotent) - value: - action: edit - edit: - - type: set_index_patterns - value: - - test-* - ids: - - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 - - dc015d10-0831-11ed-ac8b-05a222bd8d4a - example16: - description: >- - The following request adds investigation field to the rules - with the specified IDs. - summary: Edit - Add investigation field to rules - value: - action: edit - edit: - - type: add_investigation_fields - value: - field_names: - - alert.status - ids: - - 12345678-1234-1234-1234-1234567890ab - - 87654321-4321-4321-4321-0987654321ba - example17: - description: >- - The following request deletes investigation fields from the - rules with the specified IDs. If the field does not exist for - a rule, no changes are made. - summary: Edit - Delete investigation fields from rules (idempotent) - value: - action: edit - edit: - - type: delete_investigation_fields - ids: - - 12345678-1234-1234-1234-1234567890ab - - 87654321-4321-4321-4321-0987654321ba + List all agent binary download sources.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-settings-read. + operationId: get-fleet-agent-download-sources + parameters: [] + responses: + '200': + content: + application/json: + examples: + getDownloadSourcesExample: + description: List of agent binary download sources value: - - field1 - - field2 - example18: - description: >- - The following request sets investigation fields for the rules - with the specified IDs, overwriting any existing investigation - fields. If the set of investigation fields is the same as the - existing investigation fields, no changes are made. - summary: >- - Edit - Set (overwrite existing) investigation fields for rules - (idempotent) - value: - action: edit - edit: - - type: set_investigation_fields - value: - - field1 - - field2 - ids: - - 12345678-1234-1234-1234-1234567890ab - - 87654321-4321-4321-4321-0987654321ba - example19: - description: >- - The following request sets a timeline template for the rules - with the specified IDs. If the same timeline template is - already set for a rule, no changes are made. - summary: >- - Edit - Set (overwrite existing) timeline template for rules - (idempotent) - value: - action: edit - edit: - - type: set_timeline - value: - timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd - timeline_title: Alerts Involving a Single User Timeline - ids: - - eacdfc95-e007-41c9-986e-4b2cbdfdc71b - example20: - description: >- - The following request sets a schedule for the rules with the - specified IDs. If the same schedule is already set for a rule, - no changes are made. - summary: >- - Edit - Set (overwrite existing) schedule for rules - (idempotent) - value: - action: edit - edit: - - type: set_schedule - value: - interval: 1h - lookback: 30m - ids: - - 99887766-5544-3322-1100-aabbccddeeff - example21: - description: >- - The following request adds rule actions to the rules with the - specified IDs. Each new action receives its own unique ID. 
- summary: Edit - Add rule actions to rules (non-idempotent) - value: - action: edit - edit: - - type: add_rule_actions - value: - actions: - - group: default - id: 20fbf986-a270-460e-80f3-7b83c08b430f - params: - body: The message body - ids: - - 9e946bfc-3118-4c77-bb25-67d781191928 - example22: - description: >- - The following request sets rule actions for the rules with the - specified IDs. Each action receives its own unique ID. - summary: >- - Edit - Set (overwrite existing) rule actions for rules - (non-idempotent) - value: - action: edit - edit: - - type: set_rule_actions - value: - actions: - - group: default - id: 20fbf986-a270-460e-80f3-7b83c08b430f - params: - body: The message body - ids: - - 9e946bfc-3118-4c77-bb25-67d781191928 - example23: - description: >- - The following request adds rule actions to the rules with the - specified IDs. Each new action receives its own unique ID. - summary: Edit - Add rule actions to rules for a webhook connector - value: - action: edit - edit: - - type: add_rule_actions - value: - actions: - - group: default3 - id: 20fbf986-a270-460e-80f3-7b83c08b430f - params: - body: The message body - ids: - - 9e946bfc-3118-4c77-bb25-67d781191921 - example24: - description: >- - The following request adds rule actions to the rules with the - specified IDs. Each new action receives its own unique ID. - summary: Edit - Add rule actions to rules for an email connector - value: - action: edit - edit: - - type: add_rule_actions - value: - actions: - - group: default3 - id: 20fbf986-a270-460e-80f3-7b83c08b430f - params: - message: The message body - subject: Subject - to: address@domain.com - ids: - - 9e946bfc-3118-4c77-bb25-67d781191921 - example25: - description: >- - The following request adds rule actions to the rules with the - specified IDs. Each new action receives its own unique ID. 
- summary: Edit - Add rule actions to rules for a slack connector - value: - action: edit - edit: - - type: add_rule_actions - value: - actions: - - group: default3 - id: 20fbf986-a270-460e-80f3-7b83c08b430f - params: - message: The content of the message - ids: - - 9e946bfc-3118-4c77-bb25-67d781191921 - example26: - description: >- - The following request adds rule actions to the rules with the - specified IDs. Each new action receives its own unique ID. - summary: Edit - Add rule actions to rules for a PagerDuty connector - value: - action: edit - edit: - - type: add_rule_actions - value: - actions: - - group: default3 - id: 20fbf986-a270-460e-80f3-7b83c08b430f - params: - eventAction: trigger - severity: critical - summary: The message body - timestamp: 2023-10-31T00:00:00.000Z - ids: - - 9e946bfc-3118-4c77-bb25-67d781191921 - example27: - description: >- - The following request set alert suppression to the rules with - the specified IDs. - summary: Edit - Set alert suppression to rules (idempotent) - value: - action: edit - edit: - - type: set_alert_suppression - value: - duration: - unit: h - value: 1 - group_by: - - source.ip - missing_fields_strategy: suppress - ids: - - 12345678-1234-1234-1234-1234567890ab - - 87654321-4321-4321-4321-0987654321ba - example28: - description: >- - The following request set alert suppression to threshold rules - with the specified IDs. - summary: Edit - Set alert suppression to threshold rules (idempotent) - value: - action: edit - edit: - - type: set_alert_suppression_for_threshold - value: - duration: - unit: h - value: 1 - ids: - - 12345678-1234-1234-1234-1234567890ab - - 87654321-4321-4321-4321-0987654321ba - example29: - description: >- - The following request removes alert suppression from the rules - with the specified IDs. If the rules do not have alert - suppression, no changes are made. 
- summary: Edit - Removes alert suppression from rules (idempotent) - value: - action: edit - edit: - - type: delete_alert_suppression - ids: - - 12345678-1234-1234-1234-1234567890ab - - 87654321-4321-4321-4321-0987654321ba - example30: - description: >- - The following request triggers the filling of gaps for the - specified rule ids and time range - summary: >- - Fill Gaps - Manually trigger the filling of gaps for specified - rules + items: + - host: https://artifacts.elastic.co/downloads/ + id: download-source-id-1 + is_default: true + name: Elastic Artifacts + page: 1 + perPage: 20 + total: 1 + schema: + additionalProperties: false + type: object + properties: + items: + items: + additionalProperties: false + type: object + properties: + auth: + additionalProperties: false + nullable: true + type: object + properties: + api_key: + type: string + headers: + items: + additionalProperties: false + type: object + properties: + key: + type: string + value: + type: string + required: + - key + - value + maxItems: 100 + type: array + password: + type: string + username: + type: string + host: + format: uri + type: string + id: + type: string + is_default: + default: false + type: boolean + name: + type: string + proxy_id: + description: The ID of the proxy to use for this download source. See the proxies API for more information. 
+ nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + auth: + additionalProperties: false + type: object + properties: + api_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + password: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + key: + type: string + required: + - id + - name + - host + maxItems: 10000 + type: array + page: + type: number + perPage: + type: number + total: + type: number + required: + - items + - total + - page + - perPage + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get agent binary download sources + tags: + - Elastic Agent binary download sources + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agent_download_sources
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new agent binary download source.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: post-fleet-agent-download-sources + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + postDownloadSourceRequestExample: + description: Create a new agent binary download source value: - action: fill_gaps - ids: - - 748694f0-6977-4ea5-8384-cd2e39730779 - - 164d0918-f720-4c9f-9f5c-c5122587cf19 - run: - end_date: '2025-03-10T23:59:59.999Z' - start_date: '2025-03-01T00:00:00.000Z' + host: https://my-custom-host.example.com/downloads/ + is_default: false + name: My custom download source schema: - oneOf: - - $ref: '#/components/schemas/Security_Detections_API_BulkDeleteRules' - - $ref: >- - #/components/schemas/Security_Detections_API_BulkDisableRules - - $ref: '#/components/schemas/Security_Detections_API_BulkEnableRules' - - $ref: '#/components/schemas/Security_Detections_API_BulkExportRules' - - $ref: >- - #/components/schemas/Security_Detections_API_BulkDuplicateRules - - $ref: >- - #/components/schemas/Security_Detections_API_BulkManualRuleRun - - $ref: >- - #/components/schemas/Security_Detections_API_BulkManualRuleFillGaps - - $ref: '#/components/schemas/Security_Detections_API_BulkEditRules' + additionalProperties: false + type: object + properties: + auth: + additionalProperties: false + nullable: true + type: object + properties: + api_key: + type: string + headers: + items: + additionalProperties: false + type: object + properties: + key: + type: string + value: + type: string + required: + - key + - value + maxItems: 100 + type: array + password: + type: string + username: + type: string + host: + format: uri + type: string + id: + type: string + is_default: + default: false + type: boolean + name: + type: string + proxy_id: + description: The ID of the proxy to use for this download source. 
See the proxies API for more information. + nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + auth: + additionalProperties: false + type: object + properties: + api_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + password: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + key: + type: string + required: + - name + - host responses: '200': content: application/json: examples: - example01: - description: >- - In this response one rule was updated and one was skipped. - Objects returned in attributes.results.skipped will only - include rules' id, name, and skip_reason. - summary: Successful response - value: - attributes: - results: - created: [] - deleted: [] - skipped: - - id: 51658332-a15e-4c9e-912a-67214e2e2359 - name: Skipped rule - skip_reason: RULE_NOT_MODIFIED - updated: - - anomaly_threshold: 50 - author: - - Elastic - created_at: '2022-02-21T14:14:13.801Z' - created_by: elastic - description: >- - A machine learning job detected unusually large - numbers of DNS queries for a single top-level DNS - domain, which is often used for DNS tunneling. DNS - tunneling can be used for command-and-control, - persistence, or data exfiltration activity. For - example, dnscat tends to generate many DNS - questions for a top-level domain as it uses the - DNS protocol to tunnel data. 
- enabled: true - exceptions_list: [] - execution_summary: - last_execution: - date: '2022-03-23T16:06:12.787Z' - message: >- - This rule attempted to query data from - Elasticsearch indices listed in the "Index - pattern" section of the rule definition, but - no matching index was found. - metrics: - execution_gap_duration_s: 0 - total_indexing_duration_ms: 15 - total_search_duration_ms: 135 - status: partial failure - status_order: 20 - false_positives: - - >- - DNS domains that use large numbers of child - domains, such as software or content - distribution networks, can trigger this alert - and such parent domains can be excluded. - from: now-45m - id: 8bc7dad0-9320-11ec-9265-8b772383a08d - immutable: false - interval: 15m - license: Elastic License v2 - machine_learning_job_id: - - packetbeat_dns_tunneling_ea - max_signals: 100 - name: DNS Tunneling [Duplicate] - references: - - >- - https://www.elastic.co/docs/reference/machine-learning/ootb-ml-jobs-siem - related_integrations: [] - required_fields: [] - risk_score: 21 - risk_score_mapping: [] - rule_id: 7289bf08-4e91-4c70-bf01-e04c4c5d7756 - setup: '' - severity: low - severity_mapping: [] - tags: - - Elastic - - Network - - Threat Detection - - ML - threat: [] - to: now - type: machine_learning - updated_at: '2022-02-21T17:05:50.883Z' - updated_by: elastic - version: 6 - summary: - failed: 0 - skipped: 1 - succeeded: 1 - total: 2 - rules_count: 1 - success: true - example02: - description: >- - If processing of any rule fails, a partial error outputs the - ID and/or name of the affected rule and the corresponding - error, as well as successfully processed rules (in the same - format as a successful 200 request). - summary: Partial failure + postDownloadSourceExample: + description: The created agent binary download source value: - value: - attributes: - errors: - - message: >- - Index patterns can't be added. 
Machine learning - rule doesn't have index patterns property - rules: - - id: 8bc7dad0-9320-11ec-9265-8b772383a08d - name: DNS Tunneling [Duplicate] - status_code: 500 - results: - created: [] - deleted: [] - skipped: [] - updated: - - actions: [] - author: - - Elastic - created_at: '2022-02-21T14:14:17.883Z' - created_by: elastic - description: >- - Generates a detection alert for each external - alert written to the configured indices. - Enabling this rule allows you to immediately - begin investigating external alerts in the app. - enabled: true - exceptions_list: [] - execution_summary: - last_execution: - date: '2022-03-23T16:06:12.787Z' - message: >- - This rule attempted to query data from - Elasticsearch indices listed in the "Index - pattern" section of the rule definition, but - no matching index was found. - metrics: - execution_gap_duration_s: 0 - total_indexing_duration_ms: 15 - total_search_duration_ms: 135 - status: partial failure - status_order: 20 - false_positives: [] - from: now-6m - id: 8e5c1a40-9320-11ec-9265-8b772383a08d - immutable: false - index: - - apm-*-transaction* - - traces-apm* - - auditbeat-* - - filebeat-* - - logs-* - - packetbeat-* - - winlogbeat-* - - added-by-id-* - interval: 5m - language: kuery - license: Elastic License v2 - max_signals: 10000 - name: External Alerts [Duplicate] - query: > - event.kind:alert and not event.module:(endgame - or endpoint) - references: [] - related_integrations: [] - required_fields: [] - risk_score: 47 - risk_score_mapping: - - field: event.risk_score - operator: equals - value: '' - rule_id: 941faf98-0cdc-4569-b16d-4af962914d61 - rule_name_override: message - setup: '' - severity: medium - severity_mapping: - - field: event.severity - operator: equals - severity: low - value: '21' - - field: event.severity - operator: equals - severity: medium - value: '47' - - field: event.severity - operator: equals - severity: high - value: '73' - - field: event.severity - operator: equals - severity: 
critical - value: '99' - tags: - - Elastic - - Network - - Windows - - APM - - macOS - - Linux - threat: [] - timestamp_override: event.ingested - to: now - type: query - updated_at: '2022-02-21T16:56:22.818Z' - updated_by: elastic - version: 5 - summary: - failed: 1 - skipped: 0 - succeeded: 1 - total: 2 - message: Bulk edit partially failed - rules_count: 2 - status_code: 500 - success: false - example03: - description: >- - The attributes.errors section of the response shows that two - rules failed to update and one succeeded. The same results - would be returned if you ran the request without dry run - mode enabled. Notice that there are no arrays in - attributes.results. In dry run mode, rule updates are not - applied and saved to Elasticsearch, so the endpoint wouldn’t - return results for rules that have been updated, created, or - deleted. - summary: Dry run + item: + host: https://my-custom-host.example.com/downloads/ + id: download-source-id-2 + is_default: false + name: My custom download source + schema: + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + auth: + additionalProperties: false + nullable: true + type: object + properties: + api_key: + type: string + headers: + items: + additionalProperties: false + type: object + properties: + key: + type: string + value: + type: string + required: + - key + - value + maxItems: 100 + type: array + password: + type: string + username: + type: string + host: + format: uri + type: string + id: + type: string + is_default: + default: false + type: boolean + name: + type: string + proxy_id: + description: The ID of the proxy to use for this download source. See the proxies API for more information. 
+ nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + auth: + additionalProperties: false + type: object + properties: + api_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + password: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + key: + type: string + required: + - id + - name + - host + required: + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response value: - attributes: - errors: - - err_code: IMMUTABLE - message: Elastic rule can't be edited - rules: - - id: 81aa0480-06af-11ed-94fb-dd1a0597d8d2 - name: Unusual AWS Command for a User - status_code: 500 - - err_code: MACHINE_LEARNING_INDEX_PATTERN - message: Machine learning rule doesn't have index patterns - rules: - - id: dc015d10-0831-11ed-ac8b-05a222bd8d4a - name: Suspicious Powershell Script [Duplicate] - status_code: 500 - results: - created: [] - deleted: [] - skipped: [] - updated: [] - summary: - failed: 2 - skipped: 0 - succeeded: 1 - total: 3 - message: Bulk edit partially failed - status_code: 500 - example04: - description: >- - This example presents the successful setting of tags for 2 - rules. There was a difference between the set of tags that - were being added and the tags that were already set in the - rules, that's why the rules were updated. 
- summary: Set tags successsully for 2 rules + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Create an agent binary download source + tags: + - Elastic Agent binary download sources + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agent_download_sources/{sourceId}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/agent_download_sources/{sourceId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete an agent binary download source by ID.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: delete-fleet-agent-download-sources-sourceid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The ID of the download source + in: path + name: sourceId + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + deleteDownloadSourceExample: + description: The download source was successfully deleted value: - attributes: - results: - created: [] - deleted: [] - skipped: [] - updated: - - actions: [] - author: [] - created_at: '2025-03-25T11:46:41.899Z' - created_by: elastic - description: test - enabled: false - exceptions_list: [] - false_positives: [] - filters: [] - from: now-6m - id: 738112cd-6cfa-414a-8457-2a658845d6ba - immutable: false - index: - - apm-*-transaction* - - auditbeat-* - - endgame-* - - filebeat-* - - logs-* - - packetbeat-* - - traces-apm* - - winlogbeat-* - - '-*elastic-cloud-logs-*' - interval: 5m - language: kuery - license: '' - max_signals: 100 - meta: - kibana_siem_app_url: http://localhost:5601/kbn/app/security - name: Rule 1 - output_index: '' - query: '*' - references: [] - related_integrations: [] - required_fields: [] - revision: 1 - risk_score: 21 - risk_score_mapping: [] - rule_id: 6fb746a0-dfe5-40fa-b03f-5cbb84f3e32e - rule_source: - type: internal - setup: '' - severity: low - severity_mapping: [] - tags: - - tag-1 - - tag-2 - threat: [] - to: now - type: query - updated_at: '2025-03-25T11:47:11.350Z' - updated_by: elastic - version: 2 - - actions: - - action_type_id: .webhook - frequency: - notifyWhen: onActiveAlert - summary: true - throttle: null - group: default - id: 20fbf986-a270-460e-80f3-7b83c08b430f - params: - body: Hello - uuid: 580e2e16-5e91-411c-999b-7b75a11ed441 - author: [] - created_at: '2025-03-25T09:49:08.343Z' - created_by: elastic - 
description: test - enabled: false - exceptions_list: [] - false_positives: [] - filters: [] - from: now-360s - id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b - immutable: false - index: - - apm-*-transaction* - - auditbeat-* - - endgame-* - - filebeat-* - - logs-* - - packetbeat-* - - traces-apm* - - winlogbeat-* - - '-*elastic-cloud-logs-*' - interval: 3m - investigation_fields: - field_names: - - alert.status - - >- - Endpoint.policy.applied.artifacts.global.channel - language: kuery - license: '' - max_signals: 100 - meta: - from: 3m - kibana_siem_app_url: http://localhost:5601/kbn/app/security - name: Rule 2 - output_index: '' - query: '*' - references: [] - related_integrations: [] - required_fields: [] - revision: 33 - risk_score: 21 - risk_score_mapping: [] - rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180 - rule_source: - type: internal - setup: '' - severity: low - severity_mapping: [] - tags: - - tag-1 - - tag-2 - threat: [] - timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd - timeline_title: Alerts Involving a Single User Timeline - to: now - type: query - updated_at: '2025-03-25T11:47:11.357Z' - updated_by: elastic - version: 24 - summary: - failed: 0 - skipped: 0 - succeeded: 2 - total: 2 - rules_count: 2 - success: true - example05: - description: >- - This example presents the idempotent behavior of the edit - action with set_tags request. Both rules already had exactly - the same tags that were being added, so no changes were made - in any of them. 
- summary: Idempotent behavior of set_tags + id: download-source-id-1 + schema: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response value: - attributes: - results: - created: [] - deleted: [] - skipped: - - id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b - name: Rule 1 - skip_reason: RULE_NOT_MODIFIED - - id: 738112cd-6cfa-414a-8457-2a658845d6ba - name: Rule 2 - skip_reason: RULE_NOT_MODIFIED - updated: [] - summary: - failed: 0 - skipped: 2 - succeeded: 0 - total: 2 - rules_count: 2 - success: true - example06: - description: >- - This example presents the idempotent behavior of the edit - action with add_tags request. One rule was updated and one - was skipped. The rule that was skipped already had all the - tags that were being added. - summary: Idempotent behavior of add_tags + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No download source was found with the given ID value: - attributes: - results: - created: [] - deleted: [] - skipped: - - id: 738112cd-6cfa-414a-8457-2a658845d6ba - name: Test Rule 2 - skip_reason: RULE_NOT_MODIFIED - updated: - - actions: - - action_type_id: .webhook - frequency: - notifyWhen: onActiveAlert - summary: true - throttle: null - group: default - id: 20fbf986-a270-460e-80f3-7b83c08b430f - params: - body: Hello - uuid: 580e2e16-5e91-411c-999b-7b75a11ed441 - author: [] - created_at: 
'2025-03-25T09:49:08.343Z' - created_by: elastic - description: test - enabled: false - exceptions_list: [] - false_positives: [] - filters: [] - from: now-360s - id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b - immutable: false - index: - - apm-*-transaction* - - auditbeat-* - - endgame-* - - filebeat-* - - logs-* - - packetbeat-* - - traces-apm* - - winlogbeat-* - - '-*elastic-cloud-logs-*' - interval: 3m - investigation_fields: - field_names: - - alert.status - - >- - Endpoint.policy.applied.artifacts.global.channel - language: kuery - license: '' - max_signals: 100 - meta: - from: 3m - kibana_siem_app_url: http://localhost:5601/kbn/app/security - name: Test rule - output_index: '' - query: '*' - references: [] - related_integrations: [] - required_fields: [] - revision: 34 - risk_score: 21 - risk_score_mapping: [] - rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180 - rule_source: - type: internal - setup: '' - severity: low - severity_mapping: [] - tags: - - tag-1 - - tag-2 - - tag-4 - threat: [] - timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd - timeline_title: Alerts Involving a Single User Timeline - to: now - type: query - updated_at: '2025-03-25T11:55:12.752Z' - updated_by: elastic - version: 25 - summary: - failed: 0 - skipped: 1 - succeeded: 1 - total: 2 - rules_count: 2 - success: true - example07: - description: >- - This example shows a non-idempotent nature of the - set_rule_actions requests. Regardless if the actions are the - same as the existing actions for a rule, the actions are - always set in the rule and receive a new unique ID. 
- summary: Non-idempotent behavior for set_rule_actions + error: Not Found + message: Agent binary source download-source-id-1 not found + statusCode: 404 + description: Not Found + summary: Delete an agent binary download source + tags: + - Elastic Agent binary download sources + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agent_download_sources/{sourceId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get an agent binary download source by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-settings-read. + operationId: get-fleet-agent-download-sources-sourceid + parameters: + - description: The ID of the download source + in: path + name: sourceId + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getDownloadSourceExample: + description: An agent binary download source + value: + item: + host: https://artifacts.elastic.co/downloads/ + id: download-source-id-1 + is_default: true + name: Elastic Artifacts + schema: + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + auth: + additionalProperties: false + nullable: true + type: object + properties: + api_key: + type: string + headers: + items: + additionalProperties: false + type: object + properties: + key: + type: string + value: + type: string + required: + - key + - value + maxItems: 100 + type: array + password: + type: string + username: + type: string + host: + format: uri + type: string + id: + type: string + is_default: + default: false + type: boolean + name: + type: string + proxy_id: + description: The ID of the proxy to use for this download source. See the proxies API for more information. 
+ nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + auth: + additionalProperties: false + type: object + properties: + api_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + password: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + key: + type: string + required: + - id + - name + - host + required: + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response value: - attributes: - results: - created: [] - deleted: [] - skipped: [] - updated: - - actions: - - action_type_id: .webhook - frequency: - notifyWhen: onActiveAlert - summary: true - throttle: null - group: default - id: 20fbf986-a270-460e-80f3-7b83c08b430f - params: - body: Hello - uuid: e48428e5-efac-4856-b8ad-b271c14eaa91 - author: [] - created_at: '2025-03-25T09:49:08.343Z' - created_by: elastic - description: test - enabled: false - exceptions_list: [] - false_positives: [] - filters: [] - from: now-360s - id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b - immutable: false - index: - - apm-*-transaction* - - auditbeat-* - - endgame-* - - filebeat-* - - logs-* - - packetbeat-* - - traces-apm* - - winlogbeat-* - - '-*elastic-cloud-logs-*' - interval: 3m - investigation_fields: - field_names: - - alert.status - - >- - Endpoint.policy.applied.artifacts.global.channel - language: kuery - license: '' - max_signals: 100 - 
meta: - from: 3m - kibana_siem_app_url: http://localhost:5601/kbn/app/security - name: Test rule - output_index: '' - query: '*' - references: [] - related_integrations: [] - required_fields: [] - revision: 39 - risk_score: 21 - risk_score_mapping: [] - rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180 - rule_source: - type: internal - setup: '' - severity: low - severity_mapping: [] - tags: - - tag-1 - - tag-2 - - tag-4 - threat: [] - timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd - timeline_title: Alerts Involving a Single User Timeline - to: now - type: query - updated_at: '2025-03-25T12:17:40.528Z' - updated_by: elastic - version: 30 - summary: - failed: 0 - skipped: 0 - succeeded: 1 - total: 1 - rules_count: 1 - success: true - example08: - description: >- - This example shows a non-idempotent nature of the - add_rule_actions requests. Regardless if the added action is - the same as another existing action for a rule, the new - action is added to the rule and receives a new unique ID. 
- summary: Non-idempotent behavior for add_rule_actions + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No download source was found with the given ID value: - attributes: - results: - created: [] - deleted: [] - skipped: [] - updated: - - actions: - - action_type_id: .webhook - frequency: - notifyWhen: onActiveAlert - summary: true - throttle: null - group: default - id: 76af173d-38d8-4a9a-b2cc-a3c695b845b4 - params: - body: Message body - uuid: 0309347e-3954-429c-9168-5da2663389af - - action_type_id: .webhook - frequency: - notifyWhen: onActiveAlert - summary: true - throttle: null - group: default - id: 76af173d-38d8-4a9a-b2cc-a3c695b845b4 - params: - body: Message body - uuid: 49ddaa94-d63d-410e-90dc-8c1bad9552bd - author: [] - created_at: '2025-04-02T12:42:03.400Z' - created_by: elastic - description: test - enabled: false - exceptions_list: [] - false_positives: [] - filters: [] - from: now-6m - id: 0d3eb0cd-88c4-4651-ac87-6d9f0cb87217 - immutable: false - index: - - apm-*-transaction* - - auditbeat-* - - endgame-* - - filebeat-* - - logs-* - - packetbeat-* - - traces-apm* - - winlogbeat-* - - '-*elastic-cloud-logs-*' - interval: 5m - language: kuery - license: '' - max_signals: 100 - meta: - kibana_siem_app_url: http://localhost:5601/kbn/app/security - name: Jacek test rule - output_index: '' - query: '*' - references: [] - related_integrations: [] - required_fields: [] - revision: 2 - risk_score: 21 - risk_score_mapping: [] - rule_id: 2684c020-1370-4719-ac27-eafe6428fe10 - rule_source: - type: internal - setup: '' - severity: low - 
severity_mapping: [] - tags: [] - threat: [] - to: now - type: query - updated_at: '2025-04-02T12:51:40.215Z' - updated_by: elastic - version: 2 - summary: - failed: 0 - skipped: 0 - succeeded: 1 - total: 1 - rules_count: 1 - success: true + error: Not Found + message: Agent binary source download-source-id-1 not found + statusCode: 404 + description: Not Found + summary: Get an agent binary download source + tags: + - Elastic Agent binary download sources + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/fleet/agent_download_sources/{sourceId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an agent binary download source by ID.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: put-fleet-agent-download-sources-sourceid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The ID of the download source + in: path + name: sourceId + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + putDownloadSourceRequestExample: + description: Update an agent binary download source + value: + host: https://updated-host.example.com/downloads/ + is_default: false + name: Updated download source + schema: + additionalProperties: false + type: object + properties: + auth: + additionalProperties: false + nullable: true + type: object + properties: + api_key: + type: string + headers: + items: + additionalProperties: false + type: object + properties: + key: + type: string + value: + type: string + required: + - key + - value + maxItems: 100 + type: array + password: + type: string + username: + type: string + host: + format: uri + type: string + id: + type: string + is_default: + default: false + type: boolean + name: + type: string + proxy_id: + description: The ID of the proxy to use for this download source. See the proxies API for more information. 
+ nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + auth: + additionalProperties: false + type: object + properties: + api_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + password: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + key: + type: string + required: + - name + - host + responses: + '200': + content: + application/json: + examples: + putDownloadSourceExample: + description: The updated agent binary download source + value: + item: + host: https://updated-host.example.com/downloads/ + id: download-source-id-1 + is_default: false + name: Updated download source schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Detections_API_BulkEditActionResponse - - $ref: >- - #/components/schemas/Security_Detections_API_BulkExportActionResponse - description: OK - summary: Apply a bulk action to detection rules + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + auth: + additionalProperties: false + nullable: true + type: object + properties: + api_key: + type: string + headers: + items: + additionalProperties: false + type: object + properties: + key: + type: string + value: + type: string + required: + - key + - value + maxItems: 100 + type: array + password: + type: string + username: + type: string + host: + format: uri + type: string + id: + type: string + is_default: + default: false + type: 
boolean + name: + type: string + proxy_id: + description: The ID of the proxy to use for this download source. See the proxies API for more information. + nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + auth: + additionalProperties: false + type: object + properties: + api_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + password: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + key: + type: string + required: + - id + - name + - host + required: + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No download source was found with the given ID + value: + error: Not Found + message: Download source download-source-id-1 not found + statusCode: 404 + description: Not Found + summary: Update an agent binary download source tags: - - Security Detections API - - Bulk API - 
/api/detection_engine/rules/_export: - post: - description: > - Export detection rules to an `.ndjson` file. The following configuration - items are also included in the `.ndjson` file: - - - Actions - - - Exception lists + - Elastic Agent binary download sources + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agent_policies: + get: + description: |- + **Spaces method and path for this operation:** - > info +
get /s/{space_id}/api/fleet/agent_policies
- > Rule actions and connectors are included in the exported file, but - sensitive information about the connector (such as authentication - credentials) is not included. You must re-add missing connector details - after importing detection rules. + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + List all agent policies.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-agents-read OR fleet-setup. + operationId: get-fleet-agent-policies + parameters: + - description: Page number + in: query + name: page + required: false + schema: + type: number + - description: Number of results per page + in: query + name: perPage + required: false + schema: + type: number + - description: Field to sort results by + in: query + name: sortField + required: false + schema: + type: string + - description: Sort order, ascending or descending + in: query + name: sortOrder + required: false + schema: + enum: + - desc + - asc + type: string + - description: When true, only show policies with upgradeable agents + in: query + name: showUpgradeable + required: false + schema: + type: boolean + - description: A KQL query string to filter results + in: query + name: kuery + required: false + schema: + type: string + - description: use withAgentCount instead + in: query + name: noAgentCount + required: false + schema: + deprecated: true + type: boolean + - description: get policies with agent count + in: query + name: withAgentCount + required: false + schema: + type: boolean + - description: get full policies with package policies populated + in: query + name: full + required: false + schema: + type: boolean + - description: 'Format for the response: simplified or legacy' + in: query + name: format + required: false + schema: + enum: + - simplified + - legacy + type: string + responses: + '200': + content: + application/json: + examples: + getAgentPoliciesExample: + description: List of agent policies + value: + items: + - description: A sample agent policy + id: agent-policy-id-1 + is_managed: false + is_protected: false + name: My agent policy + namespace: default + revision: 1 + status: active + updated_at: '2024-01-15T10:00:00.000Z' + updated_by: user1 + page: 1 + perPage: 20 + total: 1 + schema: + additionalProperties: false + type: object + properties: + items: + 
items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_agent_policy_response' + maxItems: 10000 + type: array + page: + type: number + perPage: + type: number + total: + type: number + required: + - items + - total + - page + - perPage + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get agent policies + tags: + - Elastic Agent policies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: |- + **Spaces method and path for this operation:** - > You can use Kibana’s [Saved - Objects](https://www.elastic.co/docs/explore-analyze/find-and-organize/saved-objects) - UI (Stack Management → Kibana → Saved Objects) or the Saved Objects APIs - (experimental) to - [export](https://www.elastic.co/docs/api/doc/kibana/operation/operation-exportsavedobjectsdefault) - and - [import](https://www.elastic.co/docs/api/doc/kibana/operation/operation-importsavedobjectsdefault) - any necessary connectors before importing detection rules. +
post /s/{space_id}/api/fleet/agent_policies
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - > Similarly, any value lists used for rule exceptions are not included - in rule exports or imports. Use the [Manage value - lists](https://www.elastic.co/docs/solutions/security/detect-and-alert/create-manage-value-lists) - UI (Rules → Detection rules (SIEM) → Manage value lists) to export and - import value lists separately. - operationId: ExportRules + Create a new agent policy.

[Required authorization] Route required privileges: fleet-agent-policies-all. + operationId: post-fleet-agent-policies parameters: - - description: Determines whether a summary of the exported rules is returned. + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Whether to add the system integration to the new agent policy in: query - name: exclude_export_details + name: sys_monitoring required: false schema: - default: false type: boolean - - description: > - File name for saving the exported rules. + requestBody: + content: + application/json: + examples: + postAgentPolicyRequestExample: + description: Create a new agent policy + value: + description: A sample agent policy + monitoring_enabled: + - logs + - metrics + name: My agent policy + namespace: default + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_agent_policy' + responses: + '200': + content: + application/json: + examples: + postAgentPolicyExample: + description: The created agent policy + value: + item: + description: A sample agent policy + id: agent-policy-id-2 + is_managed: false + is_protected: false + name: My agent policy + namespace: default + revision: 1 + status: active + updated_at: '2024-01-15T10:00:00.000Z' + updated_by: user1 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_agent_policy_response' + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + 
description: Bad Request + summary: Create an agent policy + tags: + - Elastic Agent policies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agent_policies/_bulk_get: + post: + description: |- + **Spaces method and path for this operation:** - > info +
post /s/{space_id}/api/fleet/agent_policies/_bulk_get
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - > When using cURL to export rules to a file, use the -O and -J - options to save the rules to the file name specified in the URL. + Get multiple agent policies by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-agents-read OR fleet-setup. + operationId: post-fleet-agent-policies-bulk-get + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: 'Format for the response: simplified or legacy' in: query - name: file_name + name: format required: false schema: - default: export.ndjson + enum: + - simplified + - legacy type: string requestBody: content: application/json: examples: - exportByRuleIds: - summary: Request body to export a subset of rules + postBulkGetAgentPoliciesRequestExample: + description: Retrieve multiple agent policies by ID value: - objects: - - rule_id: 343580b5-c811-447c-8d2d-2ccf052c6900 - - rule_id: 2938c9fa-53eb-4c04-b79c-33cbf041b18d + ids: + - agent-policy-id-1 + - agent-policy-id-2 schema: - nullable: true + additionalProperties: false type: object properties: - objects: - description: >- - Array of objects with a rule's `rule_id` field. Do not use - rule's `id` here. Exports all rules when unspecified. 
+ full: + description: get full policies with package policies populated + type: boolean + ids: + description: list of package policy ids items: - type: object - properties: - rule_id: - $ref: >- - #/components/schemas/Security_Detections_API_RuleSignatureId - required: - - rule_id + type: string + maxItems: 1000 type: array + ignoreMissing: + type: boolean required: - - objects - required: false + - ids responses: '200': content: - application/ndjson: + application/json: examples: - sampleNdjson: - value: > - {"rule_id":"343580b5-c811-447c-8d2d-2ccf052c6900","name":"Example - rule","type":"query","enabled":true} - - {"exception_list":true} - - {"export_summary":{"total_rules":1,"exceptions_count":0}} + postBulkGetAgentPoliciesExample: + description: The requested agent policies + value: + items: + - id: agent-policy-id-1 + is_managed: false + is_protected: false + name: My agent policy + namespace: default + revision: 1 + status: active + updated_at: '2024-01-15T10:00:00.000Z' + updated_by: user1 schema: - description: > - An `.ndjson` file containing the returned rules. - - - Each line in the file represents an object (a rule, exception - list parent container, or exception list item), and the last - line includes a summary of what was exported. - format: binary - type: string - description: Indicates a successful call. 
- summary: Export detection rules + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_get_agent_policies_response' + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: One or more agent policies were not found + value: + error: Not Found + message: An error message describing what went wrong + statusCode: 404 + description: Not Found + summary: Bulk get agent policies tags: - - Security Detections API - - Import/Export API - x-codeSamples: - - lang: cURL - source: > - curl -X POST - "localhost:5601/api/detection_engine/rules/_export?exclude_export_details=true&file_name=exported_rules.ndjson" - -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' - - { - "objects": [ - { - "rule_id":"343580b5-c811-447c-8d2d-2ccf052c6900" - }, - { - "rule_id":"2938c9fa-53eb-4c04-b79c-33cbf041b18d" - } - ] - } - /api/detection_engine/rules/_find: + - Elastic Agent policies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agent_policies/{agentPolicyId}: get: - description: >- - Retrieve a paginated list of detection rules. By default, the first page - is returned, with 20 results per page. - operationId: FindRules - parameters: - - description: > - List of `alert.attributes` field names to return for each rule (for - example `name`, `enabled`). - - If omitted, the default field set is returned. 
Repeat the parameter - to pass multiple field names, or - - use comma-separated values when supported by your client. - in: query - name: fields - required: false - schema: - items: - type: string - type: array - - description: > - Search query - - - Filters the returned results according to the value of the specified - field, using the alert.attributes.: syntax, - where can be: - - - name - - - enabled - - - tags - - - createdBy - - - interval + description: |- + **Spaces method and path for this operation:** - - updatedBy +
get /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}
- > info + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - > Even though the JSON rule object uses created_by and updated_by - fields, you must use createdBy and updatedBy fields in the filter. - in: query - name: filter - required: false + Get an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-agents-read OR fleet-setup. + operationId: get-fleet-agent-policies-agentpolicyid + parameters: + - description: The ID of the agent policy + in: path + name: agentPolicyId + required: true schema: type: string - - description: Field to sort by - in: query - name: sort_field - required: false - schema: - $ref: '#/components/schemas/Security_Detections_API_FindRulesSortField' - - description: Sort order - in: query - name: sort_order - required: false - schema: - $ref: '#/components/schemas/Security_Detections_API_SortOrder' - - description: Page number - in: query - name: page - required: false - schema: - default: 1 - minimum: 1 - type: integer - - description: Rules per page + - description: 'Format for the response: simplified or legacy' in: query - name: per_page + name: format required: false schema: - default: 20 - minimum: 0 - type: integer - - description: Gaps range start - in: query - name: gaps_range_start - required: false + enum: + - simplified + - legacy + type: string + responses: + '200': + content: + application/json: + examples: + getAgentPolicyExample: + description: An agent policy + value: + item: + description: A sample agent policy + id: agent-policy-id-1 + is_managed: false + is_protected: false + name: My agent policy + namespace: default + revision: 1 + status: active + updated_at: '2024-01-15T10:00:00.000Z' + updated_by: user1 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_agent_policy_response' + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string 
+ message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No agent policy was found with the given ID + value: + error: Not Found + message: Agent policy not found + statusCode: 404 + description: Not Found + summary: Get an agent policy + tags: + - Elastic Agent policies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all. + operationId: put-fleet-agent-policies-agentpolicyid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: + example: 'true' type: string - - description: Gaps range end - in: query - name: gaps_range_end - required: false + - description: The ID of the agent policy + in: path + name: agentPolicyId + required: true schema: type: string - - description: Gap fill statuses - in: query - name: gap_fill_statuses - required: false - schema: - items: - $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' - type: array - - description: >- - Gap auto fill scheduler ID used to determine gap fill status for - rules + - description: 'Format for the response: simplified or legacy' in: query - name: gap_auto_fill_scheduler_id + name: format required: false schema: + enum: + - simplified + - legacy type: string + requestBody: + content: + application/json: + examples: + putAgentPolicyRequestExample: + description: Update an agent policy + value: + description: An updated agent policy description + monitoring_enabled: + - logs + name: Updated agent policy + namespace: default + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_agent_policy' responses: '200': content: application/json: examples: - example1: + putAgentPolicyExample: + description: The updated agent policy value: - data: - - created_at: '2020-02-02T10:05:19.613Z' - created_by: elastic - description: >- - Identifies a PowerShell process launched by either - cscript.exe or wscript.exe. Observing Windows - scripting processes executing a PowerShell script, may - be indicative of malicious activity. 
- enabled: false - execution_summary: - last_execution: - date: '2022-03-23T16:06:12.787Z' - message: >- - This rule attempted to query data from - Elasticsearch indices listed in the "Index - pattern" section of the rule definition, but no - matching index was found. - metrics: - execution_gap_duration_s: 0 - total_indexing_duration_ms: 15 - total_search_duration_ms: 135 - status: partial failure - status_order: 20 - false_positives: [] - from: now-6m - id: 89761517-fdb0-4223-b67b-7621acc48f9e - immutable: true - index: - - winlogbeat-* - interval: 5m - language: kuery - max_signals: 33 - name: Windows Script Executing PowerShell - query: >- - event.action:"Process Create (rule: ProcessCreate)" - and process.parent.name:("wscript.exe" or - "cscript.exe") and process.name:"powershell.exe" - references: [] - related_integrations: - - package: o365 - version: ^2.3.2 - required_fields: - - ecs: true - name: event.action - type: keyword - - ecs: true - name: process.name - type: keyword - - ecs: true - name: process.parent.name - type: keyword - risk_score: 21 - rule_id: f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc - setup: '' - severity: low - tags: - - Elastic - - Windows - threat: - - framework: MITRE ATT&CK - tactic: - id: TA0002 - name: Execution - reference: https://attack.mitre.org/tactics/TA0002/ - technique: - - id: T1193 - name: Spearphishing Attachment - reference: https://attack.mitre.org/techniques/T1193/ - to: now - type: query - updated_at: '2020-02-02T10:05:19.830Z' - updated_by: elastic - page: 1 - perPage: 5 - total: 4 + item: + description: An updated agent policy description + id: agent-policy-id-1 + is_managed: false + is_protected: false + name: Updated agent policy + namespace: default + revision: 2 + status: active + updated_at: '2024-01-15T11:00:00.000Z' + updated_by: user1 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_agent_policy_response' + description: Successful response + '400': + content: + application/json: + examples: + 
genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: + additionalProperties: false + description: Generic Error type: object properties: - data: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RuleResponse - type: array - page: - type: integer - perPage: - type: integer - total: - type: integer - warnings: - items: - $ref: >- - #/components/schemas/Security_Detections_API_WarningSchema - type: array + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number required: - - page - - perPage - - total - - data - description: > - Successful response - - > info - - > These fields are under development and their usage or schema may - change: execution_summary. - summary: List all detection rules + - message + - attributes + description: Bad Request + summary: Update an agent policy tags: - - Security Detections API - - Rules API - x-codeSamples: - - lang: cURL - source: > - curl -X GET - "localhost:5601/api/detection_engine/rules/_find?page=1&per_page=5&sort_field=enabled&sort_order=asc&filter=alert.attributes.name:windows" - -H 'kbn-xsrf: true' - /api/detection_engine/rules/_import: - post: - description: > - Import detection rules from an `.ndjson` file, including actions and - exception lists. The request must include: - - - The `Content-Type: multipart/form-data` HTTP header. - - - A link to the `.ndjson` file containing the rules. - - > warn - - > When used with [API - key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, - the user's key gets assigned to the affected rules. If the user's key - gets deleted or the user becomes inactive, the rules will stop running. 
- - - > If the API key that is used for authorization has different privileges - than the key that created or most recently updated the rule, the rule - behavior might change. - - > info - - > To import rules with actions, you need at least Read privileges for - the Action and Connectors feature. To overwrite or add new connectors, - you need All privileges for the Actions and Connectors feature. To - import rules without actions, you don’t need Actions and Connectors - privileges. Refer to [Enable and access - detections](https://www.elastic.co/docs/solutions/security/detect-and-alert/detections-privileges) - for more information. - - - > info - - > Rule actions and connectors are included in the exported file, but - sensitive information about the connector (such as authentication - credentials) is not included. You must re-add missing connector details - after importing detection rules. - + - Elastic Agent policies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agent_policies/{agentPolicyId}/auto_upgrade_agents_status: + get: + description: |- + **Spaces method and path for this operation:** - > You can use Kibana’s [Saved - Objects](https://www.elastic.co/docs/explore-analyze/find-and-organize/saved-objects) - UI (Stack Management → Kibana → Saved Objects) or the Saved Objects APIs - (experimental) to - [export](https://www.elastic.co/docs/api/doc/kibana/operation/operation-exportsavedobjectsdefault) - and - [import](https://www.elastic.co/docs/api/doc/kibana/operation/operation-importsavedobjectsdefault) - any necessary connectors before importing detection rules. +
get /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/auto_upgrade_agents_status
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - > Similarly, any value lists used for rule exceptions are not included - in rule exports or imports. Use the [Manage value - lists](https://www.elastic.co/docs/solutions/security/detect-and-alert/create-manage-value-lists) - UI (Rules → Detection rules (SIEM) → Manage value lists) to export and - import value lists separately. - operationId: ImportRules + Get the auto-upgrade status for agents assigned to an agent policy.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agent-policies-agentpolicyid-auto-upgrade-agents-status parameters: - - description: >- - Determines whether existing rules with the same `rule_id` are - overwritten. - in: query - name: overwrite - required: false - schema: - default: false - type: boolean - - description: >- - Determines whether existing exception lists with the same `list_id` - are overwritten. Both the exception list container and its items are - overwritten. - in: query - name: overwrite_exceptions - required: false - schema: - default: false - type: boolean - - description: >- - Determines whether existing actions with the same - `kibana.alert.rule.actions.id` are overwritten. - in: query - name: overwrite_action_connectors - required: false - schema: - default: false - type: boolean - - description: Generates a new list ID for each imported exception list. - in: query - name: as_new_list - required: false + - description: The ID of the agent policy + in: path + name: agentPolicyId + required: true schema: - default: false - type: boolean - requestBody: - content: - multipart/form-data: - examples: - rulesFile: - summary: Multipart part containing a rule export - value: - file: rules_import.ndjson - schema: - type: object - properties: - file: - description: The `.ndjson` file containing the rules. 
- format: binary - type: string - required: true + type: string responses: '200': content: application/json: examples: - example1: - summary: Import rules with success + getAutoUpgradeAgentsStatusExample: + description: Auto-upgrade status for agents in the policy value: - errors: [] - exceptions_errors: [] - exceptions_success: true - exceptions_success_count: 0 - rules_count: 1 - success: true - success_count: 1 + agentsCount: 5 + currentVersion: 8.16.0 + failedAgentsCount: 0 + upgradedAgentsCount: 3 + upgradingAgentsCount: 1 schema: additionalProperties: false type: object properties: - action_connectors_errors: - items: - $ref: '#/components/schemas/Security_Detections_API_ErrorSchema' - type: array - action_connectors_success: - type: boolean - action_connectors_success_count: - minimum: 0 - type: integer - action_connectors_warnings: - items: - $ref: >- - #/components/schemas/Security_Detections_API_WarningSchema - type: array - errors: - items: - $ref: '#/components/schemas/Security_Detections_API_ErrorSchema' - type: array - exceptions_errors: + currentVersions: items: - $ref: '#/components/schemas/Security_Detections_API_ErrorSchema' + additionalProperties: false + type: object + properties: + agents: + description: Number of agents that upgraded to this version + type: number + failedUpgradeActionIds: + description: List of action IDs related to failed upgrades + items: + type: string + maxItems: 1000 + type: array + failedUpgradeAgents: + description: Number of agents that failed to upgrade to this version + type: number + inProgressUpgradeActionIds: + description: List of action IDs related to in-progress upgrades + items: + type: string + maxItems: 1000 + type: array + inProgressUpgradeAgents: + description: Number of agents that are upgrading to this version + type: number + version: + description: Agent version + type: string + required: + - version + - agents + - failedUpgradeAgents + - inProgressUpgradeAgents + maxItems: 10000 type: array - 
exceptions_success: - type: boolean - exceptions_success_count: - minimum: 0 - type: integer - rules_count: - minimum: 0 - type: integer - success: - type: boolean - success_count: - minimum: 0 - type: integer + totalAgents: + type: number required: - - exceptions_success - - exceptions_success_count - - exceptions_errors - - rules_count - - success - - success_count - - errors - - action_connectors_errors - - action_connectors_warnings - - action_connectors_success - - action_connectors_success_count - description: Indicates a successful call. - summary: Import detection rules + - currentVersions + - totalAgents + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get auto upgrade agent status tags: - - Security Detections API - - Import/Export API - x-codeSamples: - - lang: cURL - source: | - curl -X POST "/api/detection_engine/rules/_import" - -u : -H 'kbn-xsrf: true' - -H 'Content-Type: multipart/form-data' - --form "file=@" - /api/detection_engine/rules/{id}/exceptions: + - Elastic Agent policies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agent_policies/{agentPolicyId}/copy: post: - description: Create exception items that apply to a single detection rule. - operationId: CreateRuleExceptionListItems + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/copy
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Copy an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all. + operationId: post-fleet-agent-policies-agentpolicyid-copy parameters: - - description: Detection rule's identifier - examples: - id: - value: 330bdd28-eedf-40e1-bed0-f10176c7f9e0 + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The ID of the agent policy in: path - name: id + name: agentPolicyId required: true schema: - $ref: '#/components/schemas/Security_Exceptions_API_RuleId' + type: string + - description: 'Format for the response: simplified or legacy' + in: query + name: format + required: false + schema: + enum: + - simplified + - legacy + type: string requestBody: content: application/json: examples: - addItems: - value: - items: - - description: This is a sample detection type exception item. - entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - - field: host.name - operator: included - type: match_any - value: - - saturn - - jupiter - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - type: simple - schema: - example: - items: - - description: This is a sample detection type exception item. - entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - - field: host.name - operator: included - type: match_any - value: - - saturn - - jupiter - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - type: simple - type: object - properties: - items: - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemProps - type: array - required: - - items - description: Rule exception items. 
- required: true - responses: - '200': - content: - application/json: - examples: - ruleExceptionItems: - value: - - _version: WzQsMV0= - comments: [] - created_at: 2025-01-07T20:07:33.119Z - created_by: elastic - description: This is a sample detection type exception item. - entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - - field: host.name - operator: included - type: match_any - value: - - saturn - - jupiter - id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c - type: simple - updated_at: 2025-01-07T20:07:33.119Z - updated_by: elastic + postCopyAgentPolicyRequestExample: + description: Copy an agent policy with a new name + value: + description: A copy of the original agent policy + name: Copy of my agent policy + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_copy_agent_policy_request' + responses: + '200': + content: + application/json: + examples: + postCopyAgentPolicyExample: + description: The copied agent policy + value: + item: + description: A copy of the original agent policy + id: agent-policy-id-copy-1 + is_managed: false + is_protected: false + name: Copy of my agent policy + namespace: default + revision: 1 + status: active + updated_at: '2024-01-15T11:00:00.000Z' + updated_by: user1 schema: - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItem - type: array + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_agent_policy_response' description: Successful response '400': content: application/json: examples: - badPayload: - value: - error: Bad Request - message: Invalid request payload JSON format - statusCode: 400 - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: '[request params]: id: Invalid uuid' + 
message: An error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Copy an agent policy + tags: + - Elastic Agent policies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agent_policies/{agentPolicyId}/download: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/download
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Download an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-setup. + operationId: get-fleet-agent-policies-agentpolicyid-download + parameters: + - description: The ID of the agent policy + in: path + name: agentPolicyId + required: true + schema: + type: string + - description: If true, returns the policy as a downloadable file + in: query + name: download + required: false + schema: + type: boolean + - description: If true, returns the policy formatted for standalone agents + in: query + name: standalone + required: false + schema: + type: boolean + - description: If true, returns the policy formatted for Kubernetes deployment + in: query + name: kubernetes + required: false + schema: + type: boolean + - description: If provided, returns the policy at the specified revision. Cannot be used with standalone or kubernetes flags. + in: query + name: revision + required: false + schema: + type: number + responses: + '200': content: application/json: examples: - unauthorized: + getDownloadAgentPolicyExample: + description: The agent policy download response value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 + item: 'id: agent-policy-id-1\nrevision: 1\noutputs:\n default:\n type: elasticsearch\n hosts:\n - https://elasticsearch.example.com:9200\n' schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': + type: string + description: Successful response — returns the agent policy as a YAML file download + '400': content: application/json: examples: - forbidden: + genericErrorResponseExample: + description: Example of a generic error response value: - message: Unable to create exception-list - status_code: 403 + 
error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '500': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': content: application/json: examples: - serverError: + notFoundExample: + description: No agent policy was found with the given ID value: - message: Internal Server Error - status_code: 500 + error: Not Found + message: Agent policy not found + statusCode: 404 schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Create rule exception items + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Not Found + summary: Download an agent policy tags: - - Security Exceptions API - /api/detection_engine/rules/preview: - post: - description: > - Simulates a detection rule using the same rule type and query logic as a - persisted rule, over a short + - Elastic Agent policies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agent_policies/{agentPolicyId}/full: + get: + description: |- + **Spaces method and path for this operation:** - time window, without persisting a rule or writing alerts. Use the - response to validate queries, see sample +
get /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/full
- matching documents, and inspect execution logs. Pair `invocationCount` - and `timeframeEnd` to cap run time. - operationId: RulePreview + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a full agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read. + operationId: get-fleet-agent-policies-agentpolicyid-full parameters: - - description: >- - Enables logging and returning in response ES queries, performed - during rule execution + - description: The ID of the agent policy + in: path + name: agentPolicyId + required: true + schema: + type: string + - description: If true, returns the policy as a downloadable file in: query - name: enable_logged_requests + name: download required: false schema: type: boolean - requestBody: - content: - application/json: - examples: - queryRule: - value: - description: Find matching events - from: now-24h - index: - - logs-* - invocationCount: 1 - language: kuery - max_signals: 20 - name: Rule preview - query: 'process.name : *' - risk_score: 25 - severity: low - timeframeEnd: '2025-01-20T12:00:00.000Z' - to: now - type: query - schema: - anyOf: - - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_EqlRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewParams - - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_QueryRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewParams - - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewParams - - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewParams - - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewParams - - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewParams - - allOf: - - $ref: >- - 
#/components/schemas/Security_Detections_API_NewTermsRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewParams - - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_EsqlRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewParams - discriminator: - propertyName: type - description: > - Rule create payload (same shape as `POST /api/detection_engine/rules` - for a given `type`) plus - - `invocationCount` and `timeframeEnd` to control how the preview is - executed. Optional - - `enable_logged_requests` surfaces Elasticsearch request logging for - debugging. - required: true + - description: If true, returns the policy formatted for standalone agents + in: query + name: standalone + required: false + schema: + type: boolean + - description: If true, returns the policy formatted for Kubernetes deployment + in: query + name: kubernetes + required: false + schema: + type: boolean + - description: If provided, returns the policy at the specified revision. Cannot be used with standalone or kubernetes flags. 
+ in: query + name: revision + required: false + schema: + type: number responses: '200': content: application/json: examples: - success: + getFullAgentPolicyExample: + description: The full agent policy configuration value: - isAborted: false - logs: - - duration: 45 - errors: [] - requests: [] - startedAt: 2025-01-20T10:00:00.000Z - warnings: [] - previewId: 7f1c9d1e-4c8a-4a3e-9a5d-0d4f6e1b2a90 + item: + agent: + monitoring: + logs: true + metrics: true + id: agent-policy-id-1 + inputs: [] + outputs: + default: + hosts: + - https://elasticsearch.example.com:9200 + type: elasticsearch + revision: 1 schema: - type: object - properties: - isAborted: - type: boolean - logs: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewLogs - type: array - previewId: - $ref: >- - #/components/schemas/Security_Detections_API_NonEmptyString - required: - - logs + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_full_agent_policy_response' description: Successful response '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: >- - [request body].timeframeEnd: expected string, received - null + message: An error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Detections_API_SiemErrorResponse - description: Invalid input data response - '401': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': content: application/json: examples: - unauthorized: + notFoundExample: + description: No agent policy was found with the given ID value: - error: 
Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 + error: Not Found + message: Agent policy not found + statusCode: 404 + description: Not Found + summary: Get a full agent policy + tags: + - Elastic Agent policies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agent_policies/{agentPolicyId}/outputs: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/outputs
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of outputs associated with agent policy by policy id.

[Required authorization] Route required privileges: fleet-agent-policies-read AND fleet-settings-read. + operationId: get-fleet-agent-policies-agentpolicyid-outputs + parameters: + - description: The ID of the agent policy + in: path + name: agentPolicyId + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getAgentPolicyOutputsExample: + description: Outputs associated with the agent policy + value: + item: + data_output: + id: output-id-1 + name: Default output + type: elasticsearch + monitoring_output: + id: output-id-1 + name: Default output + type: elasticsearch schema: - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - description: Unsuccessful authentication response - '500': + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_agent_policy_outputs_response' + description: Successful response + '400': content: application/json: examples: - serverError: + genericErrorResponseExample: + description: Example of a generic error response value: - message: Internal Server Error - status_code: 500 + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Internal server error response - summary: Preview rule alerts generated on specified time range + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No agent policy was found with the given ID + value: + error: Not Found + message: Agent policy not found + statusCode: 404 + description: Not Found + summary: Get outputs for an agent policy tags: - - Security Detections API - - Rule 
preview API - /api/detection_engine/signals/assignees: + - Elastic Agent policies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agent_policies/delete: post: - description: | - Assign users to detection alerts, and unassign them from alerts. - > info - > You cannot add and remove the same assignee in the same request. - operationId: SetAlertAssignees + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agent_policies/delete
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all. + operationId: post-fleet-agent-policies-delete + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: examples: - add: - $ref: >- - #/components/examples/Security_Detections_API_SetAlertAssigneesBodyAdd - remove: - $ref: >- - #/components/examples/Security_Detections_API_SetAlertAssigneesBodyRemove + postDeleteAgentPolicyRequestExample: + description: Delete an agent policy by ID + value: + agentPolicyId: agent-policy-id-1 schema: - $ref: >- - #/components/schemas/Security_Detections_API_SetAlertAssigneesBody - description: User profile IDs to add or remove on each listed alert document ID. - required: true + $ref: '#/components/schemas/Kibana_HTTP_APIs_delete_agent_policy_request' responses: '200': content: application/json: examples: - add: + postDeleteAgentPolicyExample: + description: The agent policy was successfully deleted value: - batches: 1 - deleted: 0 - failures: [] - noops: 0 - requests_per_second: -1 - retries: - bulk: 0 - search: 0 - throttled_millis: 0 - throttled_until_millis: 0 - timed_out: false - took: 76 - total: 1 - updated: 1 - version_conflicts: 0 + id: agent-policy-id-1 + name: My agent policy schema: - additionalProperties: true - description: Elasticsearch update by query response - type: object - description: > - Indicates a successful call. The body matches an Elasticsearch - update-by-query response - - (for example `took`, `updated`, `failures`). 
+ $ref: '#/components/schemas/Kibana_HTTP_APIs_delete_agent_policy_response' + description: Successful response '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: >- - [request body].ids: at least one alert id is required to - update assignees + message: An error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Detections_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Delete an agent policy + tags: + - Elastic Agent policies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agent_policies/outputs: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agent_policies/outputs
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of outputs associated with agent policies.

[Required authorization] Route required privileges: fleet-agent-policies-read AND fleet-settings-read. + operationId: post-fleet-agent-policies-outputs + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + postListAgentPolicyOutputsRequestExample: + description: Get outputs for multiple agent policies + value: + ids: + - agent-policy-id-1 + - agent-policy-id-2 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_list_agent_policy_outputs_request' + responses: + '200': content: application/json: examples: - forbidden: + postListAgentPolicyOutputsExample: + description: Outputs associated with the requested agent policies value: - error: Forbidden - message: >- - API [POST /api/detection_engine/signals/assignees] is - unauthorized for the current user, this action is granted - by the Kibana Security Solution privileges for cases and - detections - statusCode: 403 + items: + - agent_policy_id: agent-policy-id-1 + data_output: + id: output-id-1 + name: Default output + type: elasticsearch + monitoring_output: + id: output-id-1 + name: Default output + type: elasticsearch schema: - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - description: Not enough privileges response - '500': + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_list_agent_policy_outputs_response' + description: Successful response + '400': content: application/json: examples: - serverError: + genericErrorResponseExample: + description: Example of a generic error response value: - message: Internal Server Error - status_code: 500 + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Internal server error response - summary: Assign and unassign users from 
detection alerts + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get outputs for agent policies tags: - - Security Detections API - - Alerts API - /api/detection_engine/signals/search: - post: - description: Find and/or aggregate detection alerts that match the given query. - operationId: SearchAlerts - requestBody: - content: - application/json: - examples: - query: - value: - aggs: - alertsByGrouping: - terms: - field: host.name - size: 10 - missingFields: - missing: - field: host.name - query: - bool: - filter: - - bool: - filter: - - match_phrase: - kibana.alert.workflow_status: open - must: [] - must_not: - - exists: - field: kibana.alert.building_block_type - should: [] - - range: - '@timestamp': - gte: 2025-01-17T08:00:00.000Z - lte: 2025-01-18T07:59:59.999Z - runtime_mappings: {} - size: 0 - schema: - $ref: >- - #/components/schemas/Security_Detections_API_QueryAlertsBodyParams - description: Elasticsearch query and aggregation request - description: Search and/or aggregation query - required: true + - Elastic Agent policies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agent_status: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agent_status
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a summary of agent statuses for a given agent policy. + operationId: get-fleet-agent-status + parameters: + - description: Filter by agent policy ID + in: query + name: policyId + required: false + schema: + type: string + - description: Filter by one or more agent policy IDs + in: query + name: policyIds + required: false + schema: + items: + type: string + maxItems: 1000 + type: array + - description: A KQL query string to filter results + in: query + name: kuery + required: false + schema: + type: string responses: '200': content: application/json: examples: - success: + getAgentStatusExample: + description: Agent status summary for an agent policy value: - _shards: - failed: 0 - skipped: 0 - successful: 1 - total: 1 - aggregations: - alertsByGrouping: - buckets: - - doc_count: 5 - key: Host-f43kkddfyc - doc_count_error_upper_bound: 0 - sum_other_doc_count: 0 - missingFields: - doc_count: 0 - hits: - hits: [] - max_score: null - total: - relation: eq - value: 5 - timed_out: false - took: 0 + results: + error: 1 + offline: 2 + online: 5 + other: 0 + updating: 0 + totalInactive: 0 schema: - additionalProperties: true - description: Elasticsearch search response + additionalProperties: false type: object + properties: + results: + additionalProperties: false + type: object + properties: + active: + type: number + all: + type: number + error: + type: number + events: + type: number + inactive: + type: number + offline: + type: number + online: + type: number + orphaned: + type: number + other: + type: number + unenrolled: + type: number + uninstalled: + type: number + updating: + type: number + required: + - events + - online + - error + - offline + - other + - updating + - inactive + - unenrolled + - all + - active + required: + - results description: Successful response '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: 
+ description: Example of a generic error response value: error: Bad Request - message: >- - Failed to parse search request: unknown query clause in - bool filter + message: An error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Detections_API_SiemErrorResponse - description: Invalid input data response - '401': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get an agent status summary + tags: + - Elastic Agent status + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agent_status/data: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agent_status/data
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the data streams that an agent is actively sending data to.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agent-status-data + parameters: + - description: Agent IDs to check data for, as an array or comma-separated string + in: query + name: agentsIds + required: true + schema: + items: + type: string + maxItems: 10000 + type: array + - description: Filter by integration package name + in: query + name: pkgName + required: false + schema: + type: string + - description: Filter by integration package version + in: query + name: pkgVersion + required: false + schema: + type: string + - description: When true, return a preview of the ingested data + in: query + name: previewData + required: false + schema: + default: false + type: boolean + responses: + '200': content: application/json: examples: - unauthorized: + getAgentDataExample: + description: Data streams the agent is actively sending data to value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 + items: + - data: + logs-nginx.access-default: + - id: agent-id-1 + name: my-host + total: 1 + totalMonitoring: 0 schema: - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - description: Unsuccessful authentication response - '500': + additionalProperties: false + type: object + properties: + dataPreview: + items: + nullable: true + maxItems: 10000 + type: array + items: + items: + additionalProperties: + additionalProperties: false + type: object + properties: + data: + type: boolean + required: + - data + type: object + maxItems: 10000 + type: array + required: + - items + - dataPreview + description: Successful response + '400': content: application/json: examples: - serverError: + genericErrorResponseExample: + description: Example of a generic error response value: 
- message: Internal Server Error - status_code: 500 + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Internal server error response - summary: Find and/or aggregate detection alerts + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get incoming agent data tags: - - Security Detections API - - Alerts API - /api/detection_engine/signals/status: + - Elastic Agents + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agentless_policies: post: - description: Set the status of one or more detection alerts. - operationId: SetAlertsStatus + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agentless_policies
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create an agentless policy + operationId: post-fleet-agentless-policies + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The format of the response package policy. + in: query + name: format + required: false + schema: + default: simplified + enum: + - legacy + - simplified + type: string requestBody: content: application/json: examples: - byId: + createAgentlessPoliciesRequestExample: + description: Example request to create agentless policies value: - signal_ids: - - >- - 80e1383f856e67c1b7f7a1634744fa6d66b6e2ef7aa26d226e57afb5a7b2b4a1 - status: closed - byQuery: + description: test + inputs: + ESS Billing-cel: + enabled: true + streams: + ess_billing.billing: + enabled: true + vars: + hide_sensitive: true + http_client_timeout: 30s + lookbehind: 365 + tags: + - forwarded + - billing + ess_billing.credits: + enabled: false + vars: + api_key: + organization_id: '1234' + name: ess_billing-1 + namespace: default + package: + name: ess_billing + version: 1.6.0 + createAgentlessPoliciesReuseAWSCloudConnectorExample: + description: Example request to create agentless policy reusing an existing AWS cloud connector value: - conflicts: proceed - query: - bool: - filter: - - '@timestamp': - format: strict_date_optional_time - gte: 2024-10-23T07:00:00.000Z - lte: 2025-01-21T20:12:11.704Z - range: null - - bool: - filter: - bool: - filter: - - match_phrase: - kibana.alert.workflow_status: open - - '@timestamp': - format: strict_date_optional_time - gte: 2024-10-23T07:00:00.000Z - lte: 2025-01-21T20:12:11.704Z - range: null - must: [] - must_not: - - exists: - field: kibana.alert.building_block_type - should: [] - must: [] - must_not: [] - should: [] - status: closed + cloud_connector: + cloud_connector_id: existing-aws-connector-id + 
target_csp: aws + description: CSPM integration for AWS reusing existing cloud connector + inputs: + cspm-cloudbeat/cis_aws: + enabled: true + streams: + cloud_security_posture.findings: + enabled: true + vars: + aws.account_type: organization-account + aws.credentials.type: cloud_connector + aws.supports_cloud_connectors: true + external_id: + id: ABCDEFGHIJKLMNOPQRST + isSecretRef: true + role_arn: arn:aws:iam::123456789012:role/TestRole + vars: + cloud_formation_template: https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https://elastic-cspm-cft.s3.eu-central-1.amazonaws.com/cloudformation-cspm-ACCOUNT_TYPE-9.2.0.yml + cspm-cloudbeat/cis_azure: + enabled: false + cspm-cloudbeat/cis_gcp: + enabled: false + name: cspm-aws-reuse-policy + namespace: default + package: + name: cloud_security_posture + version: 3.1.1 + vars: + deployment: aws + posture: cspm + createAgentlessPoliciesWithAWSCloudConnectorExample: + description: Example request to create agentless policy with AWS cloud connector + value: + cloud_connector: + target_csp: aws + description: CSPM integration for AWS with cloud connector + inputs: + cspm-cloudbeat/cis_aws: + enabled: true + streams: + cloud_security_posture.findings: + enabled: true + vars: + aws.account_type: organization-account + aws.credentials.type: cloud_connector + aws.supports_cloud_connectors: true + external_id: + id: ABCDEFGHIJKLMNOPQRST + isSecretRef: true + role_arn: arn:aws:iam::123456789012:role/TestRole + vars: + cloud_formation_template: https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https://elastic-cspm-cft.s3.eu-central-1.amazonaws.com/cloudformation-cspm-ACCOUNT_TYPE-9.2.0.yml + cspm-cloudbeat/cis_azure: + enabled: false + cspm-cloudbeat/cis_gcp: + enabled: false + name: cspm-aws-policy + namespace: default + package: + name: cloud_security_posture + version: 3.1.1 + vars: + deployment: aws + posture: cspm + 
createAgentlessPoliciesWithAzureCloudConnectorExample: + description: Example request to create agentless policy with Azure cloud connector + value: + cloud_connector: + target_csp: azure + description: CSPM integration for Azure with cloud connector + inputs: + cspm-cloudbeat/cis_aws: + enabled: false + cspm-cloudbeat/cis_azure: + enabled: true + streams: + cloud_security_posture.findings: + enabled: true + vars: + azure_credentials_cloud_connector_id: + type: text + value: existing-azure-credentials-connector-id + azure.account_type: organization-account + client_id: + id: client-secret-id + isSecretRef: true + tenant_id: + id: tenant-secret-id + isSecretRef: true + cspm-cloudbeat/cis_gcp: + enabled: false + name: cspm-azure-policy + namespace: default + package: + name: cloud_security_posture + version: 3.1.1 + vars: + deployment: azure + posture: cspm schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Detections_API_SetAlertsStatusByIds - - $ref: >- - #/components/schemas/Security_Detections_API_SetAlertsStatusByQuery - description: >- - An object containing desired status and explicit alert ids or a query - to select alerts - required: true + $ref: '#/components/schemas/Kibana_HTTP_APIs_simplified_create_package_policy_request' responses: '200': content: application/json: examples: - byId: + createAgentlessPoliciesResponseExample: + description: Example response showing the successful result of communication initialisation over MCP protocol + value: + item: + created_at: '2025-11-06T18:27:43.541Z' + created_by: test_user + description: test + enabled: true + id: d52a7812-5736-4fdc-aed8-72152afa1ffa + inputs: + ESS Billing-cel: + enabled: true + streams: + ess_billing.billing: + enabled: true + vars: + hide_sensitive: true + http_client_timeout: 30s + lookbehind: 365 + tags: + - forwarded + - billing + ess_billing.credits: + enabled: false + vars: + api_key: + id: QY1sWpoBbWcMW-edr0Ee + isSecretRef: true + organization_id: '1234' + url: 
https://billing.elastic-cloud.com + name: ess_billing-1 + namespace: default + package: + name: ess_billing + title: Elasticsearch Service Billing + version: 1.6.0 + revision: 1 + secret_references: + - id: QY1sWpoBbWcMW-edr0Ee + supports_agentless: true + updated_at: '2025-11-06T18:27:43.541Z' + updated_by: test_user + version: WzE0OTgsMV0= + createAgentlessPoliciesWithAWSCloudConnectorResponseExample: + description: Example response for AWS cloud connector integration value: - batches: 1 - deleted: 0 - failures: [] - noops: 0 - requests_per_second: -1 - retries: - bulk: 0 - search: 0 - throttled_millis: 0 - throttled_until_millis: 0 - timed_out: false - took: 81 - total: 1 - updated: 1 - version_conflicts: 0 - byQuery: + item: + cloud_connector_id: aws-connector-67890 + created_at: '2025-11-06T18:27:43.541Z' + created_by: test_user + description: CSPM integration for AWS with cloud connector + enabled: true + id: aws-policy-12345 + inputs: + cspm-cloudbeat/cis_aws: + enabled: true + streams: + cloud_security_posture.findings: + enabled: true + vars: + aws.account_type: organization-account + aws.credentials.type: cloud_connector + external_id: + id: secret-external-id-123 + isSecretRef: true + role_arn: arn:aws:iam::123456789012:role/TestRole + vars: + cloud_formation_template: https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https://elastic-cspm-cft.s3.eu-central-1.amazonaws.com/cloudformation-cspm-ACCOUNT_TYPE-9.2.0.yml + cspm-cloudbeat/cis_azure: + enabled: false + cspm-cloudbeat/cis_gcp: + enabled: false + name: cspm-aws-policy + namespace: default + package: + name: cloud_security_posture + title: Cloud Security Posture Management + version: 3.1.1 + revision: 1 + secret_references: + - id: secret-external-id-123 + supports_agentless: true + supports_cloud_connector: true + updated_at: '2025-11-06T18:27:43.541Z' + updated_by: test_user + vars: + deployment: aws + posture: cspm + version: WzE0OTgsMV0= + 
createAgentlessPoliciesWithAzureCloudConnectorResponseExample: + description: Example response for Azure cloud connector integration value: - batches: 1 - deleted: 0 - failures: [] - noops: 0 - requests_per_second: -1 - retries: - bulk: 0 - search: 0 - throttled_millis: 0 - throttled_until_millis: 0 - timed_out: false - took: 100 - total: 17 - updated: 17 - version_conflicts: 0 + item: + cloud_connector_id: azure-connector-67890 + created_at: '2025-11-06T18:27:43.541Z' + created_by: test_user + description: CSPM integration for Azure with cloud connector + enabled: true + id: azure-policy-12345 + inputs: + cspm-cloudbeat/cis_aws: + enabled: false + cspm-cloudbeat/cis_azure: + enabled: true + streams: + cloud_security_posture.findings: + enabled: true + vars: + azure_credentials_cloud_connector_id: + type: text + value: existing-azure-credentials-connector-id + azure.account_type: organization-account + client_id: + id: client-secret-id-456 + isSecretRef: true + tenant_id: + id: tenant-secret-id-123 + isSecretRef: true + cspm-cloudbeat/cis_gcp: + enabled: false + name: cspm-azure-policy + namespace: default + package: + name: cloud_security_posture + title: Cloud Security Posture Management + version: 3.1.1 + revision: 1 + secret_references: + - id: tenant-secret-id-123 + - id: client-secret-id-456 + supports_agentless: true + supports_cloud_connector: true + updated_at: '2025-11-06T18:27:43.541Z' + updated_by: test_user + vars: + deployment: azure + posture: cspm + version: WzE0OTgsMV0= schema: - additionalProperties: true - description: Elasticsearch update by query response + additionalProperties: false type: object - description: Successful response + properties: + item: + additionalProperties: false + description: The created agentless package policy. + type: object + properties: + additional_datastreams_permissions: + description: Additional data stream permissions that will be added to the agent policy. 
+ items: + type: string + maxItems: 1000 + nullable: true + type: array + agents: + type: number + cloud_connector_id: + description: ID of the cloud connector associated with this package policy. + nullable: true + type: string + cloud_connector_name: + description: Transient field for cloud connector name during creation. + maxLength: 255 + minLength: 1 + nullable: true + type: string + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this integration to its inputs.' + type: string + created_at: + type: string + created_by: + type: string + description: + description: Package policy description + type: string + elasticsearch: + additionalProperties: true + type: object + properties: + privileges: + additionalProperties: true + type: object + properties: + cluster: + items: + type: string + maxItems: 100 + type: array + enabled: + type: boolean + global_data_tags: + items: + additionalProperties: false + type: object + properties: + name: + description: The name of the custom field. Cannot contain spaces. + type: string + value: + anyOf: + - type: string + - type: number + description: The value of the custom field. + required: + - name + - value + maxItems: 100 + nullable: true + type: array + id: + description: Package policy unique identifier. + type: string + inputs: + anyOf: + - items: + additionalProperties: false + type: object + properties: + compiled_input: + nullable: true + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' 
+ type: string + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + name: + type: string + policy_template: + type: string + streams: + items: + additionalProperties: false + type: object + properties: + compiled_stream: + nullable: true + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' + type: string + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + data_stream: + additionalProperties: false + type: object + properties: + dataset: + type: string + elasticsearch: + additionalProperties: false + type: object + properties: + dynamic_dataset: + type: boolean + dynamic_namespace: + type: boolean + privileges: + additionalProperties: false + type: object + properties: + indices: + items: + type: string + maxItems: 100 + type: array + type: + type: string + required: + - dataset + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + release: + enum: + - ga + - beta + - experimental + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. 
+ type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - enabled + - data_stream + - compiled_stream + maxItems: 1000 + type: array + type: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - type + - enabled + - streams + - compiled_input + maxItems: 100 + type: array + - additionalProperties: + additionalProperties: false + type: object + properties: + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' + type: string + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + description: Enable or disable that input. Defaults to `true` (enabled). + type: boolean + streams: + additionalProperties: + additionalProperties: false + type: object + properties: + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' + type: string + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + description: Enable or disable that stream. Defaults to `true` (enabled). + type: boolean + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. 
+ type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Input streams. Refer to the integration documentation to know which streams are available. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Package policy inputs. Refer to the integration documentation to know which inputs are available. + type: object + description: Package policy inputs. + is_managed: + type: boolean + name: + description: Unique name for the package policy. + type: string + namespace: + description: The package policy namespace. Leave blank to inherit the agent policy's namespace. + type: string + output_id: + nullable: true + type: string + overrides: + additionalProperties: false + description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. 
+ nullable: true + type: object + properties: + inputs: + additionalProperties: + nullable: true + type: object + package: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_package' + package_agent_version_condition: + type: string + policy_id: + deprecated: true + description: ID of the agent policy which the package policy will be added to. + nullable: true + type: string + policy_ids: + items: + description: IDs of the agent policies that the package policy will be added to. + type: string + maxItems: 1000 + type: array + revision: + description: Package policy revision. + type: number + secret_references: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 1000 + type: array + spaceIds: + items: + type: string + maxItems: 100 + type: array + supports_agentless: + default: false + description: Indicates whether the package policy belongs to an agentless agent policy. + nullable: true + type: boolean + supports_cloud_connector: + default: false + description: Indicates whether the package policy supports cloud connectors. + nullable: true + type: boolean + updated_at: + type: string + updated_by: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. 
+ type: object + vars: + anyOf: + - additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + - additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Package level variable. + version: + description: Package policy ES version. + type: string + required: + - name + - enabled + - inputs + - id + - revision + - updated_at + - updated_by + - created_at + - created_by + required: + - item + description: Indicates a successful response '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: >- - [request body].signal_ids: at least one alert id is - required to update status + message: An error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Detections_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - 
statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - description: Unsuccessful authentication response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Internal server error response - summary: Set a detection alert status - tags: - - Security Detections API - - Alerts API - /api/detection_engine/signals/tags: - post: - description: > - Add tags to detection alerts, and remove them from alerts, by alert IDs - or a query, in a single request. - - > info - - > You cannot add and remove the same alert tag in the same request. - operationId: SetAlertTags - requestBody: - content: - application/json: - examples: - add: - $ref: >- - #/components/examples/Security_Detections_API_SetAlertTagsBodyAdd - remove: - $ref: >- - #/components/examples/Security_Detections_API_SetAlertTagsBodyRemove - schema: - $ref: '#/components/schemas/Security_Detections_API_SetAlertTagsBody' - description: >- - An object containing tags to add or remove and alert ids the changes - will be applied - required: true - responses: - '200': - content: - application/json: - examples: - success: - value: - batches: 1, - deleted: 0, - failures: [] - noops: 0, - requests_per_second: '-1,' - retries: - bulk: 0, - search: 0 - throttled_millis: 0, - throttled_until_millis: 0, - timed_out: false, - took: 68, - total: 1, - updated: 1, - version_conflicts: 0, - schema: - additionalProperties: true - description: Elasticsearch update by query response + additionalProperties: false + description: Generic Error type: object - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: >- - [request body].tags: cannot add and remove the same tag in - a single request - statusCode: 400 - schema: - oneOf: - - 
$ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Detections_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - description: Unsuccessful authentication response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Internal server error response - summary: Add and remove detection alert tags - tags: - - Security Detections API - - Alerts API - /api/detection_engine/tags: - get: - description: List all unique tags from all detection rules. - operationId: ReadTags - responses: - '200': - content: - application/json: - examples: - example1: - value: - - zeek - - suricata - - windows - - linux - - network - - initial access - - remote access - - phishing - schema: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - description: Indicates a successful call - summary: List all detection rule tags - tags: - - Security Detections API - - Tags API - /api/endpoint_list: - post: - description: >- - Create the exception list for Elastic Endpoint rule exceptions. When you - create the exception list, it will have a `list_id` of `endpoint_list`. - If the Elastic Endpoint exception list already exists, your request will - return an empty response. 
- operationId: CreateEndpointList - responses: - '200': - content: - application/json: - examples: - alreadyExists: - summary: Endpoint exception list already exists (empty response) - value: {} - newList: - summary: Endpoint exception list created - value: - created_at: '2025-01-01T00:00:00.000Z' - created_by: elastic - description: Endpoint Security Exception List - id: 2e23a8c4-ef7e-4c10-adfa-3eae4e4b4b8b - immutable: false - list_id: endpoint_list - name: Endpoint Security Exception List - namespace_type: agnostic - os_types: [] - tags: [] - tie_breaker_id: e3c5a8e0-5b6a-4b4b-8b3a-2e23a8c4ef7e - type: endpoint - updated_at: '2025-01-01T00:00:00.000Z' - updated_by: elastic - version: 1 - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_EndpointList - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: >- - [request body]: expected value of type [object] but got - [undefined] - statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Invalid input data - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [POST /api/endpoint_list] is unauthorized for user, - this action is granted by the Kibana privileges - [lists-all] - statusCode: 403 
- schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Insufficient privileges - '500': + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '409': content: application/json: examples: - serverError: + conflictErrorResponseExample: + description: Example of a conflict error response value: - message: Internal Server Error - status_code: 500 + error: Conflict + message: An error message describing what went wrong + statusCode: 409 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Internal server error - summary: Create an Elastic Endpoint rule exception list + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Conflict + summary: Create an agentless policy tags: - - Security Endpoint Exceptions API - /api/endpoint_list/items: + - Fleet agentless policies + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agentless_policies/{policyId}: delete: - description: >- - Delete an Elastic Endpoint exception list item, specified by the `id` or - `item_id` field. - operationId: DeleteEndpointListItem + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/agentless_policies/{policyId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete an agentless policy + operationId: delete-fleet-agentless-policies-policyid parameters: - - description: Either `id` or `item_id` must be specified - in: query - name: id - required: false - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId - - description: Either `id` or `item_id` must be specified - in: query - name: item_id - required: false + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId - responses: - '200': - content: - application/json: - examples: - deleted: - summary: Deleted endpoint exception list item - value: - comments: [] - created_at: '2025-01-01T12:00:00.000Z' - created_by: elastic - description: Blocks a known malicious file by its hash - entries: - - field: file.hash.sha256 - operator: included - type: match - value: >- - e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e - item_id: block-malicious-file - list_id: endpoint_list - name: Block malicious file - namespace_type: agnostic - os_types: - - windows - tags: [] - tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 - type: simple - updated_at: '2025-01-01T12:00:00.000Z' - updated_by: elastic - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: >- - Either "item_id" or "id" needs to be defined in the - request - statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: 
Invalid input data - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [DELETE - /api/endpoint_list/items?item_id=block-malicious-file] is - unauthorized for user, this action is granted by the - Kibana privileges [lists-all] - statusCode: 403 - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Insufficient privileges - '404': - content: - application/json: - examples: - notFound: - value: - message: >- - exception list item item_id: "block-malicious-file" does - not exist - status_code: 404 - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Endpoint list item not found - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Internal server error - summary: Delete an Elastic Endpoint exception list item - tags: - - Security Endpoint Exceptions API - get: - description: >- - Get the details of an Elastic Endpoint exception list item, specified by - the `id` or `item_id` field. - operationId: ReadEndpointListItem - parameters: - - description: Either `id` or `item_id` must be specified - in: query - name: id - required: false + example: 'true' + type: string + - description: The ID of the policy to delete. 
+ in: path + name: policyId + required: true schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId - - description: Either `id` or `item_id` must be specified + type: string + - description: Force delete the policy even if the policy is managed. in: query - name: item_id + name: force required: false schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId + type: boolean responses: '200': content: application/json: examples: - item: - summary: Endpoint exception list item - value: - comments: [] - created_at: '2025-01-01T12:00:00.000Z' - created_by: elastic - description: Blocks a known malicious file by its hash - entries: - - field: file.hash.sha256 - operator: included - type: match - value: >- - e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e - item_id: block-malicious-file - list_id: endpoint_list - name: Block malicious file - namespace_type: agnostic - os_types: - - windows - tags: - - policy:all - tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 - type: simple - updated_at: '2025-01-01T12:00:00.000Z' - updated_by: elastic - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: id or item_id required - statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Invalid input data - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] 
for REST request [/_security/_authenticate]" - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication - '403': - content: - application/json: - examples: - forbidden: + createAgentlessPoliciesResponseExample: + description: Example response showing the successful result of communication initialisation over MCP protocol value: - error: Forbidden - message: >- - API [GET - /api/endpoint_list/items?item_id=block-malicious-file] is - unauthorized for user, this action is granted by the - Kibana privileges [lists-read] - statusCode: 403 + item: + id: d52a7812-5736-4fdc-aed8-72152afa1ffa schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Insufficient privileges - '404': + additionalProperties: false + description: Response for deleting an agentless package policy. + type: object + properties: + id: + description: The ID of the deleted agentless package policy. 
+ type: string + required: + - id + description: Indicates a successful response + '400': content: application/json: examples: - notFound: + genericErrorResponseExample: + description: Example of a generic error response value: - message: >- - exception list item item_id: "block-malicious-file" does - not exist - status_code: 404 + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Endpoint list item not found - '500': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '409': content: application/json: examples: - serverError: + conflictErrorResponseExample: + description: Example of a conflict error response value: - message: Internal Server Error - status_code: 500 + error: Conflict + message: An error message describing what went wrong + statusCode: 409 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Internal server error - summary: Get an Elastic Endpoint rule exception list item + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Conflict + summary: Delete an agentless policy tags: - - Security Endpoint Exceptions API - post: - description: >- - Create an Elastic Endpoint exception list item, and associate it with - the Elastic Endpoint exception list. 
- operationId: CreateEndpointListItem - requestBody: - content: - application/json: - examples: - matchAny: - summary: Exclude multiple process names - value: - description: Exclude common security tools from endpoint protection - entries: - - field: process.name - operator: included - type: match_any - value: - - scanner.exe - - updater.exe - name: Trusted security tools - os_types: - - windows - type: simple - simpleMatch: - summary: Block a specific file hash - value: - description: Blocks a known malicious file by its hash - entries: - - field: file.hash.sha256 - operator: included - type: match - value: >- - e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - name: Block malicious file - os_types: - - windows - tags: - - policy:all - type: simple - schema: - type: object - properties: - comments: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray - default: [] - description: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription - entries: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray - item_id: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId - meta: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta - name: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName - os_types: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray - default: [] - tags: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags - default: [] - type: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType - required: - - type - - name - - description - - entries - description: Exception list item's properties - required: true + - Fleet agentless policies + x-state: Experimental + x-metaTags: + - content: Kibana, 
Elastic Cloud Serverless + name: product_name + /api/fleet/agents: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agents
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List agents, with optional filtering and pagination.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agents + parameters: + - description: Page number + in: query + name: page + required: false + schema: + type: number + - description: Number of results per page + in: query + name: perPage + required: false + schema: + default: 20 + type: number + - description: A KQL query string to filter results + in: query + name: kuery + required: false + schema: + type: string + - description: When true, include agentless agents in the results + in: query + name: showAgentless + required: false + schema: + default: true + type: boolean + - description: When true, include inactive agents in the results + in: query + name: showInactive + required: false + schema: + default: false + type: boolean + - description: When true, include CPU and memory metrics in the response + in: query + name: withMetrics + required: false + schema: + default: false + type: boolean + - description: When true, only return agents that are upgradeable + in: query + name: showUpgradeable + required: false + schema: + default: false + type: boolean + - description: When true, return a summary of agent statuses in the response + in: query + name: getStatusSummary + required: false + schema: + default: false + type: boolean + - description: Field to sort results by + in: query + name: sortField + required: false + schema: + type: string + - description: Sort order, ascending or descending + in: query + name: sortOrder + required: false + schema: + enum: + - asc + - desc + type: string + - description: JSON-encoded array of sort values for `search_after` pagination + in: query + name: searchAfter + required: false + schema: + type: string + - description: When true, opens a new point-in-time for pagination + in: query + name: openPit + required: false + schema: + type: boolean + - description: Point-in-time ID for pagination + in: query + name: pitId + required: false + schema: + type: string + - description: 
Duration to keep the point-in-time alive, for example, `1m` + in: query + name: pitKeepAlive + required: false + schema: + type: string responses: '200': content: application/json: examples: - created: - summary: Endpoint exception list item created + getAgentsExample: + description: List of agents value: - comments: [] - created_at: '2025-01-01T12:00:00.000Z' - created_by: elastic - description: Blocks a known malicious file by its hash - entries: - - field: file.hash.sha256 - operator: included - type: match - value: >- - e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e - item_id: block-malicious-file - list_id: endpoint_list - name: Block malicious file - namespace_type: agnostic - os_types: - - windows - tags: - - policy:all - tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 - type: simple - updated_at: '2025-01-01T12:00:00.000Z' - updated_by: elastic + items: + - active: true + enrolled_at: '2024-01-01T00:00:00.000Z' + id: agent-id-1 + policy_id: agent-policy-id-1 + policy_revision: 1 + status: online + type: PERMANENT + updated_at: '2024-01-01T00:00:00.000Z' + page: 1 + perPage: 20 + total: 1 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem + additionalProperties: false + type: object + properties: + items: + items: + additionalProperties: false + type: object + properties: + access_api_key: + type: string + access_api_key_id: + type: string + active: + type: boolean + agent: + additionalProperties: true + type: object + properties: + id: + type: string + type: + type: string + version: + type: string + required: + - id + - version + audit_unenrolled_reason: + type: string + capabilities: + items: + type: string + maxItems: 100 + type: array + components: + items: + additionalProperties: false + type: object + properties: + id: + type: string + message: + type: string + status: + enum: + - STARTING + - CONFIGURING + - HEALTHY + - DEGRADED + - FAILED + - 
STOPPING + - STOPPED + type: string + type: + type: string + units: + items: + additionalProperties: false + type: object + properties: + id: + type: string + message: + type: string + payload: + additionalProperties: + nullable: true + type: object + status: + enum: + - STARTING + - CONFIGURING + - HEALTHY + - DEGRADED + - FAILED + - STOPPING + - STOPPED + type: string + type: + enum: + - input + - output + - '' + type: string + required: + - id + - type + - status + - message + maxItems: 10000 + type: array + required: + - id + - type + - status + - message + maxItems: 10000 + type: array + default_api_key: + type: string + default_api_key_history: + items: + additionalProperties: false + deprecated: true + type: object + properties: + id: + type: string + retired_at: + type: string + required: + - id + - retired_at + maxItems: 100 + type: array + default_api_key_id: + type: string + effective_config: + nullable: true + enrolled_at: + type: string + health: + additionalProperties: + nullable: true + type: object + id: + type: string + identifying_attributes: + additionalProperties: + type: string + type: object + last_checkin: + type: string + last_checkin_message: + type: string + last_checkin_status: + enum: + - error + - online + - degraded + - updating + - starting + - disconnected + type: string + last_known_status: + enum: + - offline + - error + - online + - inactive + - enrolling + - unenrolling + - unenrolled + - updating + - degraded + - uninstalled + - orphaned + type: string + local_metadata: + additionalProperties: + nullable: true + type: object + metrics: + additionalProperties: false + type: object + properties: + cpu_avg: + type: number + memory_size_byte_avg: + type: number + namespaces: + items: + type: string + maxItems: 100 + type: array + non_identifying_attributes: + additionalProperties: + type: string + type: object + outputs: + additionalProperties: + additionalProperties: false + type: object + properties: + api_key_id: + type: string + 
to_retire_api_key_ids: + items: + additionalProperties: false + type: object + properties: + id: + type: string + retired_at: + type: string + required: + - id + - retired_at + maxItems: 100 + type: array + type: + type: string + type: object + packages: + items: + type: string + maxItems: 10000 + type: array + policy_id: + type: string + policy_revision: + nullable: true + type: number + sequence_num: + type: number + signals: + items: + type: string + maxItems: 50 + type: array + sort: + items: + nullable: true + maxItems: 10 + type: array + status: + enum: + - offline + - error + - online + - inactive + - enrolling + - unenrolling + - unenrolled + - updating + - degraded + - uninstalled + - orphaned + type: string + tags: + items: + type: string + maxItems: 100 + type: array + type: + enum: + - PERMANENT + - EPHEMERAL + - TEMPORARY + - OPAMP + type: string + unenrolled_at: + type: string + unenrollment_started_at: + type: string + unhealthy_reason: + items: + enum: + - input + - output + - other + type: string + maxItems: 3 + nullable: true + type: array + upgrade: + additionalProperties: false + type: object + properties: + rollbacks: + items: + additionalProperties: false + type: object + properties: + valid_until: + type: string + version: + type: string + required: + - valid_until + - version + maxItems: 100 + type: array + upgrade_attempts: + items: + type: string + maxItems: 10000 + nullable: true + type: array + upgrade_details: + additionalProperties: false + nullable: true + type: object + properties: + action_id: + type: string + metadata: + additionalProperties: false + type: object + properties: + download_percent: + type: number + download_rate: + type: number + error_msg: + type: string + failed_state: + enum: + - UPG_REQUESTED + - UPG_SCHEDULED + - UPG_DOWNLOADING + - UPG_EXTRACTING + - UPG_REPLACING + - UPG_RESTARTING + - UPG_FAILED + - UPG_WATCHING + - UPG_ROLLBACK + type: string + reason: + type: string + retry_error_msg: + type: string + 
retry_until: + type: string + scheduled_at: + type: string + state: + enum: + - UPG_REQUESTED + - UPG_SCHEDULED + - UPG_DOWNLOADING + - UPG_EXTRACTING + - UPG_REPLACING + - UPG_RESTARTING + - UPG_FAILED + - UPG_WATCHING + - UPG_ROLLBACK + type: string + target_version: + type: string + required: + - target_version + - action_id + - state + upgrade_started_at: + nullable: true + type: string + upgraded_at: + nullable: true + type: string + user_provided_metadata: + additionalProperties: + nullable: true + type: object + required: + - id + - packages + - type + - active + - enrolled_at + - local_metadata + - effective_config + maxItems: 10000 + type: array + nextSearchAfter: + type: string + page: + type: number + perPage: + type: number + pit: + type: string + statusSummary: + additionalProperties: + type: number + type: object + total: + type: number + required: + - items + - total + - page + - perPage description: Successful response '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: '[request body]: name: Required' + message: An error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Invalid input data - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication - '403': - content: - application/json: - 
examples: - forbidden: - value: - error: Forbidden - message: >- - API [POST /api/endpoint_list/items] is unauthorized for - user, this action is granted by the Kibana privileges - [lists-all] - statusCode: 403 - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Insufficient privileges - '409': - content: - application/json: - examples: - alreadyExists: - value: - message: >- - exception list item id: "block-malicious-file" already - exists - status_code: 409 - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Endpoint list item already exists - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Internal server error - summary: Create an Elastic Endpoint rule exception list item + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get agents tags: - - Security Endpoint Exceptions API - put: - description: >- - Update an Elastic Endpoint exception list item, specified by the `id` or - `item_id` field. - operationId: UpdateEndpointListItem + - Elastic Agents + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve agents associated with specific action IDs.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: post-fleet-agents + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: examples: - updateName: - summary: Update an endpoint exception list item + postGetAgentsByActionsRequestExample: + description: Retrieve agents associated with specific action IDs value: - description: Updated description for the exception - entries: - - field: file.hash.sha256 - operator: included - type: match - value: >- - e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - item_id: block-malicious-file - name: Block malicious file (updated) - os_types: - - windows - - linux - type: simple + actionIds: + - action-id-1 + - action-id-2 schema: + additionalProperties: false type: object properties: - _version: - description: >- - The version id, normally returned by the API when the item - is retrieved. Use it ensure updates are made against the - latest version. 
- type: string - comments: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray - default: [] - description: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription - entries: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray - id: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId - description: Either `id` or `item_id` must be specified - item_id: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId - description: Either `id` or `item_id` must be specified - meta: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta - name: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName - os_types: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray - default: [] - tags: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags - type: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType + actionIds: + items: + type: string + maxItems: 1000 + type: array required: - - type - - name - - description - - entries - description: Exception list item's properties - required: true + - actionIds responses: '200': content: application/json: examples: - updated: - summary: Endpoint exception list item updated + postGetAgentsByActionsExample: + description: Agents associated with the given actions value: - comments: [] - created_at: '2025-01-01T12:00:00.000Z' - created_by: elastic - description: Updated description for the exception - entries: - - field: file.hash.sha256 - operator: included - type: match - value: >- - e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e - item_id: block-malicious-file - list_id: endpoint_list - name: Block malicious 
file (updated) - namespace_type: agnostic - os_types: - - windows - - linux - tags: - - policy:all - tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 - type: simple - updated_at: '2025-01-15T09:30:00.000Z' - updated_by: elastic + items: + - active: true + id: agent-id-1 + policy_id: agent-policy-id-1 + status: online + total: 1 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem + additionalProperties: false + type: object + properties: + items: + items: + type: string + maxItems: 10000 + type: array + required: + - items description: Successful response '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: '[request body]: name: Required' + message: An error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Invalid input data - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [PUT /api/endpoint_list/items] is unauthorized for - user, this action is granted by the Kibana privileges - [lists-all] - statusCode: 403 - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Insufficient 
privileges - '404': - content: - application/json: - examples: - notFound: - value: - message: 'list item item_id: "block-malicious-file" not found' - status_code: 404 - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Endpoint list item not found - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Internal server error - summary: Update an Elastic Endpoint rule exception list item + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get agents by action ids tags: - - Security Endpoint Exceptions API - /api/endpoint_list/items/_find: - get: - description: Get a list of all Elastic Endpoint exception list items. - operationId: FindEndpointListItems - parameters: - - description: > - Filters the returned results according to the value of the specified - field, + - Elastic Agents + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/{agentId}: + delete: + description: |- + **Spaces method and path for this operation:** - using the `:` syntax. 
- in: query - name: filter - required: false - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_FindEndpointListItemsFilter - - description: The page number to return - in: query - name: page - required: false - schema: - minimum: 0 - type: integer - - description: The number of exception list items to return per page - in: query - name: per_page - required: false - schema: - minimum: 0 - type: integer - - description: Determines which field is used to sort the results - in: query - name: sort_field - required: false +
delete /s/{space_id}/api/fleet/agents/{agentId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete an agent by ID.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: delete-fleet-agents-agentid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString - - description: Determines the sort order, which can be `desc` or `asc` - in: query - name: sort_order - required: false + example: 'true' + type: string + - description: The agent ID + in: path + name: agentId + required: true schema: - enum: - - desc - - asc type: string responses: '200': content: application/json: examples: - foundItems: - summary: Found endpoint exception list items + deleteAgentExample: + description: Agent successfully deleted value: - data: - - comments: [] - created_at: '2025-01-01T12:00:00.000Z' - created_by: elastic - description: Blocks a known malicious file by its hash - entries: - - field: file.hash.sha256 - operator: included - type: match - value: >- - e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e - item_id: block-malicious-file - list_id: endpoint_list - name: Block malicious file - namespace_type: agnostic - os_types: - - windows - tags: - - policy:all - tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 - type: simple - updated_at: '2025-01-01T12:00:00.000Z' - updated_by: elastic - page: 1 - per_page: 20 - total: 1 + id: agent-id-1 + success: true schema: + additionalProperties: false type: object properties: - data: - description: The list of endpoint exception list items. - items: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem - type: array - page: - description: The current page number. - minimum: 0 - type: integer - per_page: - description: The number of items per page. - minimum: 0 - type: integer - pit: - description: The point-in-time ID for pagination. 
- type: string - total: - description: The total number of endpoint exception list items. - minimum: 0 - type: integer - required: - - data - - page - - per_page - - total - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: '[request query]: page: Expected number, received string' - statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Invalid input data - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [GET /api/endpoint_list/items/_find] is unauthorized - for user, this action is granted by the Kibana privileges - [lists-read] - statusCode: 403 - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Insufficient privileges - '404': + action: + enum: + - deleted + type: string + required: + - action + description: Successful response + '400': content: application/json: examples: - notFound: + genericErrorResponseExample: + description: Example of a generic error response value: - message: 'list id: "endpoint_list" does not exist' - status_code: 404 + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: >- - 
#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Endpoint list not found - '500': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': content: application/json: examples: - serverError: + notFoundExample: + description: No agent was found with the given ID value: - message: Internal Server Error - status_code: 500 - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Internal server error - summary: Get Elastic Endpoint exception list items + error: Not Found + message: Agent agent-id-1 not found + statusCode: 404 + description: Not Found + summary: Delete an agent tags: - - Security Endpoint Exceptions API - /api/endpoint/action: + - Elastic Agents + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name get: - description: Get a list of all response actions. - operationId: EndpointGetActionsList + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agents/{agentId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get an agent by ID.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agents-agentid parameters: - - description: The page number to return. - in: query - name: page - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Page' - - description: The number of response actions to return per page. - in: query - name: pageSize - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_PageSize' - - description: A list of response action command names to filter by. - in: query - name: commands - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Commands' - - description: A list of Elastic Agent IDs to filter the response actions by. - in: query - name: agentIds - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentIds' - - description: A list of user IDs that submitted the response actions. - in: query - name: userIds - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_UserIds' - - description: >- - A start date in ISO 8601 format or Date Math format (for example, - `now-24h`). - in: query - name: startDate - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_StartDate' - - description: >- - An end date in ISO 8601 format or Date Math format (for example, - `now`). - in: query - name: endDate - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_EndDate' - - description: >- - The agent type to filter response actions by. Defaults to - `endpoint`. - in: query - name: agentTypes - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' - - description: >- - A list of response action IDs whose outputs should be included in - the response. 
- in: query - name: withOutputs - required: false + - description: The agent ID + in: path + name: agentId + required: true schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_WithOutputs' - - description: >- - A list of response action types to filter by (`automated`, - `manual`). + type: string + - description: When true, include CPU and memory metrics in the response in: query - name: types + name: withMetrics required: false schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Types' + default: false + type: boolean responses: '200': content: application/json: examples: - actionsList: - summary: A list of response actions + getAgentExample: + description: Agent details + value: + item: + active: true + agent_id: agent-id-1 + enrolled_at: '2024-01-01T00:00:00.000Z' + id: agent-id-1 + local_metadata: + elastic: + agent: + version: 8.17.0 + host: + hostname: my-host + os: + name: linux + policy_id: agent-policy-id-1 + policy_revision: 1 + status: online + type: PERMANENT + updated_at: '2024-01-01T00:00:00.000Z' + schema: + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + access_api_key: + type: string + access_api_key_id: + type: string + active: + type: boolean + agent: + additionalProperties: true + type: object + properties: + id: + type: string + type: + type: string + version: + type: string + required: + - id + - version + audit_unenrolled_reason: + type: string + capabilities: + items: + type: string + maxItems: 100 + type: array + components: + items: + additionalProperties: false + type: object + properties: + id: + type: string + message: + type: string + status: + enum: + - STARTING + - CONFIGURING + - HEALTHY + - DEGRADED + - FAILED + - STOPPING + - STOPPED + type: string + type: + type: string + units: + items: + additionalProperties: false + type: object + properties: + id: + type: string + message: + type: string + payload: + 
additionalProperties: + nullable: true + type: object + status: + enum: + - STARTING + - CONFIGURING + - HEALTHY + - DEGRADED + - FAILED + - STOPPING + - STOPPED + type: string + type: + enum: + - input + - output + - '' + type: string + required: + - id + - type + - status + - message + maxItems: 10000 + type: array + required: + - id + - type + - status + - message + maxItems: 10000 + type: array + default_api_key: + type: string + default_api_key_history: + items: + additionalProperties: false + deprecated: true + type: object + properties: + id: + type: string + retired_at: + type: string + required: + - id + - retired_at + maxItems: 100 + type: array + default_api_key_id: + type: string + effective_config: + nullable: true + enrolled_at: + type: string + health: + additionalProperties: + nullable: true + type: object + id: + type: string + identifying_attributes: + additionalProperties: + type: string + type: object + last_checkin: + type: string + last_checkin_message: + type: string + last_checkin_status: + enum: + - error + - online + - degraded + - updating + - starting + - disconnected + type: string + last_known_status: + enum: + - offline + - error + - online + - inactive + - enrolling + - unenrolling + - unenrolled + - updating + - degraded + - uninstalled + - orphaned + type: string + local_metadata: + additionalProperties: + nullable: true + type: object + metrics: + additionalProperties: false + type: object + properties: + cpu_avg: + type: number + memory_size_byte_avg: + type: number + namespaces: + items: + type: string + maxItems: 100 + type: array + non_identifying_attributes: + additionalProperties: + type: string + type: object + outputs: + additionalProperties: + additionalProperties: false + type: object + properties: + api_key_id: + type: string + to_retire_api_key_ids: + items: + additionalProperties: false + type: object + properties: + id: + type: string + retired_at: + type: string + required: + - id + - retired_at + maxItems: 100 + 
type: array + type: + type: string + type: object + packages: + items: + type: string + maxItems: 10000 + type: array + policy_id: + type: string + policy_revision: + nullable: true + type: number + sequence_num: + type: number + signals: + items: + type: string + maxItems: 50 + type: array + sort: + items: + nullable: true + maxItems: 10 + type: array + status: + enum: + - offline + - error + - online + - inactive + - enrolling + - unenrolling + - unenrolled + - updating + - degraded + - uninstalled + - orphaned + type: string + tags: + items: + type: string + maxItems: 100 + type: array + type: + enum: + - PERMANENT + - EPHEMERAL + - TEMPORARY + - OPAMP + type: string + unenrolled_at: + type: string + unenrollment_started_at: + type: string + unhealthy_reason: + items: + enum: + - input + - output + - other + type: string + maxItems: 3 + nullable: true + type: array + upgrade: + additionalProperties: false + type: object + properties: + rollbacks: + items: + additionalProperties: false + type: object + properties: + valid_until: + type: string + version: + type: string + required: + - valid_until + - version + maxItems: 100 + type: array + upgrade_attempts: + items: + type: string + maxItems: 10000 + nullable: true + type: array + upgrade_details: + additionalProperties: false + nullable: true + type: object + properties: + action_id: + type: string + metadata: + additionalProperties: false + type: object + properties: + download_percent: + type: number + download_rate: + type: number + error_msg: + type: string + failed_state: + enum: + - UPG_REQUESTED + - UPG_SCHEDULED + - UPG_DOWNLOADING + - UPG_EXTRACTING + - UPG_REPLACING + - UPG_RESTARTING + - UPG_FAILED + - UPG_WATCHING + - UPG_ROLLBACK + type: string + reason: + type: string + retry_error_msg: + type: string + retry_until: + type: string + scheduled_at: + type: string + state: + enum: + - UPG_REQUESTED + - UPG_SCHEDULED + - UPG_DOWNLOADING + - UPG_EXTRACTING + - UPG_REPLACING + - UPG_RESTARTING + - 
UPG_FAILED + - UPG_WATCHING + - UPG_ROLLBACK + type: string + target_version: + type: string + required: + - target_version + - action_id + - state + upgrade_started_at: + nullable: true + type: string + upgraded_at: + nullable: true + type: string + user_provided_metadata: + additionalProperties: + nullable: true + type: object + required: + - id + - packages + - type + - active + - enrolled_at + - local_metadata + - effective_config + required: + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No agent was found with the given ID value: - data: - - agents: - - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 - agentType: endpoint - command: running-processes - completedAt: '2022-08-08T09:50:47.672Z' - createdBy: elastic - id: b3d6de74-36b0-4fa8-be46-c375bf1771bf - isCompleted: true - isExpired: false - startedAt: '2022-08-08T15:24:57.402Z' - wasSuccessful: true - - agents: - - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 - agentType: endpoint - command: isolate - completedAt: '2022-08-08T10:41:57.352Z' - createdBy: elastic - id: 43b4098b-8752-4fbb-a7a7-6df7c74d0ee3 - isCompleted: true - isExpired: false - startedAt: '2022-08-08T15:23:37.359Z' - wasSuccessful: true - elasticAgentIds: - - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 - endDate: now - page: 1 - pageSize: 10 - startDate: now-24h/h - total: 2 - schema: - $ref: >- - 
#/components/schemas/Security_Endpoint_Management_API_GetEndpointActionListResponse - description: Indicates a successful call. - summary: Get response actions + error: Not Found + message: Agent agent-id-1 not found + statusCode: 404 + description: Not Found + summary: Get an agent tags: - - Security Endpoint Management API - /api/endpoint/action_status: - get: - description: Get the status of response actions for the specified agent IDs. - operationId: EndpointGetActionsStatus + - Elastic Agents + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/fleet/agents/{agentId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an agent by ID.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: put-fleet-agents-agentid parameters: - - description: A list of agent IDs to get the action status for. - in: query - name: agent_ids + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentIds' + example: 'true' + type: string + - description: The agent ID + in: path + name: agentId + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + putAgentRequestExample: + description: Update agent tags + value: + tags: + - production + - linux + schema: + additionalProperties: false + type: object + properties: + tags: + items: + type: string + maxItems: 10 + type: array + user_provided_metadata: + additionalProperties: + nullable: true + type: object responses: '200': content: application/json: examples: - actionStatus: - summary: Pending response actions per agent + putAgentExample: + description: Updated agent details value: - data: - - agent_id: afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 - pending_actions: - execute: 0 - get-file: 0 - isolate: 0 - kill-process: 1 - running-processes: 0 - scan: 0 - unisolate: 0 - upload: 0 + item: + active: true + enrolled_at: '2024-01-01T00:00:00.000Z' + id: agent-id-1 + policy_id: agent-policy-id-1 + policy_revision: 1 + status: online + tags: + - production + - linux + type: PERMANENT + updated_at: '2024-01-01T00:00:00.000Z' schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ActionStatusSuccessResponse - description: Indicates a successful call. - summary: Get response actions status - tags: - - Security Endpoint Management API - /api/endpoint/action/{action_id}: - get: - description: Get the details of a response action using the action ID. - operationId: EndpointGetActionsDetails - parameters: - - description: The ID of the response action to retrieve. 
- in: path - name: action_id - required: true - schema: - example: fr518850-681a-4y60-aa98-e22640cae2b8 - type: string - responses: - '200': + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + access_api_key: + type: string + access_api_key_id: + type: string + active: + type: boolean + agent: + additionalProperties: true + type: object + properties: + id: + type: string + type: + type: string + version: + type: string + required: + - id + - version + audit_unenrolled_reason: + type: string + capabilities: + items: + type: string + maxItems: 100 + type: array + components: + items: + additionalProperties: false + type: object + properties: + id: + type: string + message: + type: string + status: + enum: + - STARTING + - CONFIGURING + - HEALTHY + - DEGRADED + - FAILED + - STOPPING + - STOPPED + type: string + type: + type: string + units: + items: + additionalProperties: false + type: object + properties: + id: + type: string + message: + type: string + payload: + additionalProperties: + nullable: true + type: object + status: + enum: + - STARTING + - CONFIGURING + - HEALTHY + - DEGRADED + - FAILED + - STOPPING + - STOPPED + type: string + type: + enum: + - input + - output + - '' + type: string + required: + - id + - type + - status + - message + maxItems: 10000 + type: array + required: + - id + - type + - status + - message + maxItems: 10000 + type: array + default_api_key: + type: string + default_api_key_history: + items: + additionalProperties: false + deprecated: true + type: object + properties: + id: + type: string + retired_at: + type: string + required: + - id + - retired_at + maxItems: 100 + type: array + default_api_key_id: + type: string + effective_config: + nullable: true + enrolled_at: + type: string + health: + additionalProperties: + nullable: true + type: object + id: + type: string + identifying_attributes: + additionalProperties: + type: string + type: object + 
last_checkin: + type: string + last_checkin_message: + type: string + last_checkin_status: + enum: + - error + - online + - degraded + - updating + - starting + - disconnected + type: string + last_known_status: + enum: + - offline + - error + - online + - inactive + - enrolling + - unenrolling + - unenrolled + - updating + - degraded + - uninstalled + - orphaned + type: string + local_metadata: + additionalProperties: + nullable: true + type: object + metrics: + additionalProperties: false + type: object + properties: + cpu_avg: + type: number + memory_size_byte_avg: + type: number + namespaces: + items: + type: string + maxItems: 100 + type: array + non_identifying_attributes: + additionalProperties: + type: string + type: object + outputs: + additionalProperties: + additionalProperties: false + type: object + properties: + api_key_id: + type: string + to_retire_api_key_ids: + items: + additionalProperties: false + type: object + properties: + id: + type: string + retired_at: + type: string + required: + - id + - retired_at + maxItems: 100 + type: array + type: + type: string + type: object + packages: + items: + type: string + maxItems: 10000 + type: array + policy_id: + type: string + policy_revision: + nullable: true + type: number + sequence_num: + type: number + signals: + items: + type: string + maxItems: 50 + type: array + sort: + items: + nullable: true + maxItems: 10 + type: array + status: + enum: + - offline + - error + - online + - inactive + - enrolling + - unenrolling + - unenrolled + - updating + - degraded + - uninstalled + - orphaned + type: string + tags: + items: + type: string + maxItems: 100 + type: array + type: + enum: + - PERMANENT + - EPHEMERAL + - TEMPORARY + - OPAMP + type: string + unenrolled_at: + type: string + unenrollment_started_at: + type: string + unhealthy_reason: + items: + enum: + - input + - output + - other + type: string + maxItems: 3 + nullable: true + type: array + upgrade: + additionalProperties: false + type: object + 
properties: + rollbacks: + items: + additionalProperties: false + type: object + properties: + valid_until: + type: string + version: + type: string + required: + - valid_until + - version + maxItems: 100 + type: array + upgrade_attempts: + items: + type: string + maxItems: 10000 + nullable: true + type: array + upgrade_details: + additionalProperties: false + nullable: true + type: object + properties: + action_id: + type: string + metadata: + additionalProperties: false + type: object + properties: + download_percent: + type: number + download_rate: + type: number + error_msg: + type: string + failed_state: + enum: + - UPG_REQUESTED + - UPG_SCHEDULED + - UPG_DOWNLOADING + - UPG_EXTRACTING + - UPG_REPLACING + - UPG_RESTARTING + - UPG_FAILED + - UPG_WATCHING + - UPG_ROLLBACK + type: string + reason: + type: string + retry_error_msg: + type: string + retry_until: + type: string + scheduled_at: + type: string + state: + enum: + - UPG_REQUESTED + - UPG_SCHEDULED + - UPG_DOWNLOADING + - UPG_EXTRACTING + - UPG_REPLACING + - UPG_RESTARTING + - UPG_FAILED + - UPG_WATCHING + - UPG_ROLLBACK + type: string + target_version: + type: string + required: + - target_version + - action_id + - state + upgrade_started_at: + nullable: true + type: string + upgraded_at: + nullable: true + type: string + user_provided_metadata: + additionalProperties: + nullable: true + type: object + required: + - id + - packages + - type + - active + - enrolled_at + - local_metadata + - effective_config + required: + - item + description: Successful response + '400': content: application/json: examples: - actionDetails: - summary: Details of an isolate response action + genericErrorResponseExample: + description: Example of a generic error response value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentType: endpoint - command: isolate - completedAt: '2022-08-08T10:41:57.352Z' - createdBy: elastic - id: 233db9ea-6733-4849-9226-5a7039c7161d - isCompleted: true - isExpired: false - 
startedAt: '2022-08-08T15:23:37.359Z' - wasSuccessful: true + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ActionDetailsResponse - description: OK - summary: Get action details - tags: - - Security Endpoint Management API - /api/endpoint/action/{action_id}/file/{file_id}: - get: - description: | - Get information for the specified response action file download. - operationId: EndpointFileInfo - parameters: - - description: The ID of the response action that generated the file. - in: path - name: action_id - required: true - schema: - type: string - - description: > - The file identifier is constructed in one of two ways: - - - For Elastic Defend agents (`agentType` of `endpoint`): combine the - `action_id` and `agent_id` values using a dot (`.`) separator: - - `{file_id}` = `{action_id}.{agent_id}` - - - For all other agent types: the `file_id` is the `agent_id` for - which the response action was sent to. 
- in: path - name: file_id - required: true - schema: - type: string - responses: - '200': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': content: application/json: examples: - fileInfo: - summary: File information for a response action upload + notFoundExample: + description: No agent was found with the given ID value: - data: - actionId: 233db9ea-6733-4849-9226-5a7039c7161d - agentId: ed518850-681a-4d60-bb98-e22640cae2a8 - agentType: endpoint - created: '2025-02-26T13:37:30.452Z' - id: >- - 233db9ea-6733-4849-9226-5a7039c7161d.ed518850-681a-4d60-bb98-e22640cae2a8 - mimeType: application/zip - name: memory_dump.zip - size: 1048576 - status: READY - schema: - properties: - data: - type: object - properties: - actionId: - description: The response action ID. - type: string - agentId: - description: The agent ID that generated the file. - type: string - agentType: - description: The type of agent that generated the file. - type: string - created: - description: The date and time the file was created. - format: date-time - type: string - id: - description: The unique file identifier. - type: string - mimeType: - description: The MIME type of the file. - type: string - name: - description: The file name. - type: string - size: - description: The file size in bytes. - type: number - status: - description: The file upload status. - enum: - - AWAITING_UPLOAD - - UPLOADING - - READY - - UPLOAD_ERROR - - DELETED - type: string - description: Indicates a successful call. 
- summary: Get file information + error: Not Found + message: Agent agent-id-1 not found + statusCode: 404 + description: Not Found + summary: Update an agent by ID tags: - - Security Endpoint Management API - /api/endpoint/action/{action_id}/file/{file_id}/download: - get: - description: > - Download a file associated with a response action. Files are downloaded - in a password-protected `.zip` archive to prevent the file from running. - Use password `elastic` to open the `.zip` in a safe environment. + - Elastic Agents + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/{agentId}/actions: + post: + description: |- + **Spaces method and path for this operation:** - > info +
post /s/{space_id}/api/fleet/agents/{agentId}/actions
- > Files retrieved from third-party-protected hosts require a different - password. Refer to [Third-party response - actions](https://www.elastic.co/docs/solutions/security/endpoint-response-actions/third-party-response-actions) - for your system's password. - operationId: EndpointFileDownload + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new action for a specific agent.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-agentid-actions parameters: - - description: The ID of the response action that generated the file. - in: path - name: action_id + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: + example: 'true' type: string - - description: > - The file identifier is constructed in one of two ways: - - - For Elastic Defend agents (`agentType` of `endpoint`): combine the - `action_id` and `agent_id` values using a dot (`.`) separator: - - `{file_id}` = `{action_id}.{agent_id}` - - - For all other agent types: the `file_id` is the `agent_id` for - which the response action was sent to. + - description: The agent ID in: path - name: file_id + name: agentId required: true schema: type: string - responses: - '200': - content: - application/octet-stream: - examples: - fileDownload: - summary: >- - Password-protected ZIP archive containing the response - action file - value: binary file content (password-protected .zip) - schema: - format: binary - type: string - description: Indicates a successful call. - summary: Download a file - tags: - - Security Endpoint Management API - /api/endpoint/action/cancel: - post: - description: >- - Cancel a running or pending response action (Applies only to some agent - types). 
- operationId: CancelAction requestBody: content: application/json: examples: - MicrosoftDefenderEndpoint: - summary: >- - Cancel a response action on a Microsoft Defender for Endpoint - host + postAgentActionRequestExample: + description: Create a UNENROLL action for an agent value: - agent_type: microsoft_defender_endpoint - comment: Cancelling action due to change in requirements - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - id: 7f8c9b2a-4d3e-4f5a-8b1c-2e3f4a5b6c7d + action: + type: UNENROLL schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_CancelRouteRequestBody - required: true + additionalProperties: false + type: object + properties: + action: + anyOf: + - additionalProperties: false + type: object + properties: + ack_data: + nullable: true + data: + nullable: true + type: + enum: + - UNENROLL + - UPGRADE + - POLICY_REASSIGN + type: string + required: + - type + - data + - ack_data + - additionalProperties: false + type: object + properties: + data: + additionalProperties: false + type: object + properties: + log_level: + enum: + - debug + - info + - warning + - error + nullable: true + type: string + required: + - log_level + type: + enum: + - SETTINGS + type: string + required: + - type + - data + required: + - action responses: '200': content: application/json: examples: - CancelSuccess: - summary: Cancel action successfully created + postAgentActionExample: + description: Created agent action value: - data: + item: agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: microsoft_defender_endpoint - command: cancel - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 233db9ea-6733-4849-9226-5a7039c7161d - isCompleted: false - isExpired: false - outputs: {} - parameters: - id: 7f8c9b2a-4d3e-4f5a-8b1c-2e3f4a5b6c7d - startedAt: '2022-07-29T19:08:49.126Z' - 
status: pending - wasSuccessful: false + - agent-id-1 + created_at: '2024-01-01T00:00:00.000Z' + id: action-id-1 + type: UNENROLL schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse - description: Indicates a successful call. - summary: Cancel a response action - tags: - - Security Endpoint Management API - /api/endpoint/action/execute: - post: - description: Run a shell command on an endpoint. - operationId: EndpointExecuteAction - requestBody: - content: - application/json: - examples: - executeCommand: - summary: Execute a shell command on an endpoint - value: - comment: Get list of all files - endpoint_ids: - - b3d6de74-36b0-4fa8-be46-c375bf1771bf - parameters: - command: ls -al - timeout: 600 - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ExecuteRouteRequestBody - required: true - responses: - '200': - content: - application/json: - examples: - ExecuteSuccess: - summary: Execute action successfully created - value: - data: + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + ack_data: + nullable: true agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: execute - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 9f934028-2300-4927-b531-b26376793dc4 - isCompleted: false - isExpired: false - outputs: {} - parameters: - command: ls -al - timeout: 600 - startedAt: '2023-07-28T18:43:27.362Z' - status: pending - wasSuccessful: false - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse - description: Indicates a successful call. 
- summary: Run a command - tags: - - Security Endpoint Management API - /api/endpoint/action/get_file: - post: - description: Get a file from an endpoint. - operationId: EndpointGetFileAction - requestBody: - content: - application/json: - examples: - getFile: - summary: Get a specific file from an endpoint - value: - comment: Get my file - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - path: /usr/my-file.txt - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_GetFileRouteRequestBody - required: true - responses: - '200': + items: + type: string + maxItems: 10000 + type: array + created_at: + type: string + data: + nullable: true + expiration: + type: string + id: + type: string + minimum_execution_duration: + type: number + namespaces: + items: + type: string + maxItems: 100 + type: array + rollout_duration_seconds: + type: number + sent_at: + type: string + source_uri: + type: string + start_time: + type: string + total: + type: number + type: + type: string + required: + - id + - type + - data + - created_at + - ack_data + required: + - item + description: Successful response + '400': content: application/json: examples: - GetFileSuccess: - summary: Get file action successfully created + genericErrorResponseExample: + description: Example of a generic error response value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: get-file - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 27ba1b42-7cc6-4e53-86ce-675c876092b2 - isCompleted: false - isExpired: false - outputs: {} - parameters: - path: /usr/my-file.txt - startedAt: '2023-07-28T19:00:03.911Z' - status: pending - wasSuccessful: false + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: >- - 
#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse - description: Indicates a successful call. - summary: Get a file - tags: - - Security Endpoint Management API - /api/endpoint/action/isolate: - post: - description: >- - Isolate an endpoint from the network. The endpoint remains isolated - until it's released. - operationId: EndpointIsolateAction - requestBody: - content: - application/json: - examples: - multiple_endpoints: - summary: Isolates several hosts; includes a comment - value: - comment: Locked down, pending further investigation - endpoint_ids: - - 9972d10e-4b9e-41aa-a534-a85e2a28ea42 - - bc0e4f0c-3bca-4633-9fee-156c0b505d16 - - fa89271b-b9d4-43f2-a684-307cffddeb5a - single_endpoint: - summary: >- - Isolates a single host with an endpoint_id value of - ed518850-681a-4d60-bb98-e22640cae2a8 - value: - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - with_case_id: - summary: Isolates a single host with a case_id value of 1234 - value: - case_ids: - - 4976be38-c134-4554-bd5e-0fd89ce63667 - comment: Isolating as initial response - endpoint_ids: - - 1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0 - - b30a11bf-1395-4707-b508-fbb45ef9793e - schema: - type: object - properties: - agent_type: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_AgentTypes - alert_ids: - description: >- - If this action is associated with any alerts, they can be - specified here. The action will be logged in any cases - associated with the specified alerts. Max of 50. - example: - - alert-id-1 - - alert-id-2 - items: - minLength: 1 + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: type: string - maxItems: 50 - minItems: 1 - type: array - case_ids: - description: >- - The IDs of cases where the action taken will be logged. Max - of 50. 
- example: - - case-id-1 - - case-id-2 - items: - minLength: 1 + errorType: type: string - maxItems: 50 - minItems: 1 - type: array - comment: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_Comment - endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds - parameters: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_Parameters - required: - - endpoint_ids - required: true + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Create an agent action + tags: + - Elastic Agent actions + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/{agentId}/effective_config: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agents/{agentId}/effective_config
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get an agent's effective config by ID.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agents-agentid-effective-config + parameters: + - description: The agent ID to get effective config of + in: path + name: agentId + required: true + schema: + type: string responses: '200': content: application/json: examples: - IsolateSuccess: - summary: Isolate action successfully created + successResponse: value: - action: 233db9ea-6733-4849-9226-5a7039c7161d - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: isolate - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 233db9ea-6733-4849-9226-5a7039c7161d - isCompleted: false - isExpired: false - outputs: {} - startedAt: '2022-07-29T19:08:49.126Z' - status: pending - wasSuccessful: false + effective_config: {} schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_IsolateRouteResponse - description: Indicates a successful call. - summary: Isolate an endpoint - tags: - - Security Endpoint Management API - /api/endpoint/action/kill_process: - post: - description: Terminate a running process on an endpoint. 
- operationId: EndpointKillProcessAction - requestBody: - content: - application/json: - examples: - byEntityId: - summary: Terminate a process by entity ID - value: - comment: Terminating malicious process - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - entity_id: abc123 - byPid: - summary: Terminate a process by PID - value: - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - pid: 1234 - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_KillProcessRouteRequestBody - required: true - responses: - '200': + additionalProperties: false + type: object + properties: + effective_config: + nullable: true + required: + - effective_config + description: 'OK: A successful request.' + '400': content: application/json: examples: - KillProcessSuccess: - summary: Kill process action successfully created + badRequestResponse: value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: kill-process - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 233db9ea-6733-4849-9226-5a7039c7161d - isCompleted: false - isExpired: false - outputs: {} - parameters: - entity_id: abc123 - startedAt: '2022-07-29T19:08:49.126Z' - status: pending - wasSuccessful: false + message: Bad Request schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse - description: Indicates a successful call. - summary: Terminate a process + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: A bad request. 
+ summary: Get an agent's effective config tags: - - Security Endpoint Management API - /api/endpoint/action/memory_dump: + - Elastic Agents + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/{agentId}/migrate: post: - description: Generates memory dumps on the targeted host. - operationId: EndpointGenerateMemoryDump + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/{agentId}/migrate
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Migrate a single agent to another cluster.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-agentid-migrate + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The agent ID + in: path + name: agentId + required: true + schema: + type: string requestBody: content: application/json: examples: - ProcessMemoryDump: - summary: Generate a memory dump from the host machine + postMigrateAgentRequestExample: + description: Migrate a single agent to another cluster value: - agent_type: endpoint - comment: Generating memory dump for investigation - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - entity_id: abc123 - type: process + enrollment_token: enrollment-token-value + settings: + retry_max: 5 + uri: https://fleet-server.example.com:8220 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_MemoryDumpRouteRequestBody - required: true + additionalProperties: false + type: object + properties: + enrollment_token: + type: string + settings: + additionalProperties: false + type: object + properties: + ca_sha256: + type: string + certificate_authorities: + type: string + elastic_agent_cert: + type: string + elastic_agent_cert_key: + type: string + elastic_agent_cert_key_passphrase: + type: string + headers: + additionalProperties: + type: string + type: object + insecure: + type: boolean + proxy_disabled: + type: boolean + proxy_headers: + additionalProperties: + type: string + type: object + proxy_url: + type: string + replace_token: + type: string + staging: + type: string + tags: + items: + type: string + maxItems: 10 + type: array + uri: + format: uri + type: string + required: + - uri + - enrollment_token responses: '200': content: application/json: examples: - MemoryDumpSuccessResponse: - summary: Memory dump action successfully created + postMigrateAgentExample: + description: Agent 
migration initiated value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: memory-dump - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 233db9ea-6733-4849-9226-5a7039c7161d - isCompleted: false - isExpired: false - outputs: {} - parameters: - entity_id: abc123 - type: process - startedAt: '2022-07-29T19:08:49.126Z' - status: pending - wasSuccessful: false + actionId: action-id-1 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse - description: Indicates a successful call. - summary: Generate a memory dump from the host machine - tags: - - Security Endpoint Management API - /api/endpoint/action/running_procs: - post: - description: Get a list of all processes running on an endpoint. - operationId: EndpointGetProcessesAction - requestBody: - content: - application/json: - examples: - singleEndpoint: - summary: Get running processes on a single endpoint - value: - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_GetProcessesRouteRequestBody - required: true - responses: - '200': + additionalProperties: false + type: object + properties: + actionId: + type: string + required: + - actionId + description: Successful response + '400': content: application/json: examples: - RunningProcsSuccess: - summary: Running processes action successfully created + genericErrorResponseExample: + description: Example of a generic error response value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: running-processes - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 
233db9ea-6733-4849-9226-5a7039c7161d - isCompleted: false - isExpired: false - outputs: {} - startedAt: '2022-07-29T19:08:49.126Z' - status: pending - wasSuccessful: false + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse - description: Indicates a successful call. - summary: Get running processes + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Migrate a single agent tags: - - Security Endpoint Management API - /api/endpoint/action/runscript: + - Elastic Agents + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/{agentId}/privilege_level_change: post: - description: Run a script on a host. Currently supported only for some agent types. - operationId: RunScriptAction + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/{agentId}/privilege_level_change
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Change the privilege level of a single agent to unprivileged.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-agentid-privilege-level-change + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The agent ID to change privilege level for + in: path + name: agentId + required: true + schema: + type: string requestBody: content: application/json: examples: - Elastic Defend: - description: Endpoint runscript to collect logs - summary: Run a script against an Elastic Defend agent - value: - agent_type: endpoint - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - scriptId: 1111-2222-3333-4444-5555-6666-7777-8888 - scriptInput: '--path= /usr/log/exec.log' - MDE: - description: Microsoft Defender Endpoint runscript - summary: Run a script against a Microsoft Defender Endpoint agent - value: - agent_type: microsoft_defender_endpoint - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - args: '-param1 value1 -param2 value2' - scriptName: my-script.ps1 - SentinelOne: - description: SentinelOne runscript - summary: Run a script against a SentinelOne agent + changeAgentPrivilegeLevelRequest: value: - agent_type: sentinel_one - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - scriptId: 1111-2222-3333-4444-5555-6666-7777-8888 - scriptInput: >- - --delete --paths-to-delete - /tmp/temp_file.txt,/tmp/random_file.txt + user_info: + groupname: groupname + password: password + username: username schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_RunScriptRouteRequestBody - required: true + additionalProperties: false + nullable: true + type: object + properties: + user_info: + additionalProperties: false + type: object + properties: + groupname: + type: string + password: + type: string + username: + type: string responses: '200': content: application/json: examples: - 
RunScriptSuccess: - summary: Run script action successfully created + successResponse: value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: sentinel_one - command: runscript - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 233db9ea-6733-4849-9226-5a7039c7161d - isCompleted: false - isExpired: false - outputs: {} - parameters: - scriptId: 1111-2222-3333-4444-5555-6666-7777-8888 - startedAt: '2022-07-29T19:08:49.126Z' - status: pending - wasSuccessful: false + actionId: actionId schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse - description: Indicates a successful call. - summary: Run a script + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_action_id_response' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_action_message_response' + description: 'OK: A successful request.' + '400': + content: + application/json: + examples: + badRequestResponse: + value: + message: Bad Request + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: A bad request. + summary: Change agent privilege level tags: - - Security Endpoint Management API - /api/endpoint/action/scan: + - Elastic Agents + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/{agentId}/reassign: post: - description: Scan a specific file or directory on an endpoint for malware. - operationId: EndpointScanAction + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/{agentId}/reassign
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Reassign an agent to a different agent policy.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-agentid-reassign + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The agent ID + in: path + name: agentId + required: true + schema: + type: string requestBody: content: application/json: examples: - scanFile: - summary: Scan a file on an endpoint + postReassignAgentRequestExample: + description: Reassign an agent to a different policy value: - comment: Scan the file for malware - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - path: /usr/my-file.txt + policy_id: agent-policy-id-2 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ScanRouteRequestBody - required: true + additionalProperties: false + type: object + properties: + policy_id: + type: string + required: + - policy_id responses: '200': content: application/json: examples: - ScanSuccess: - summary: Scan action successfully created - value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: scan - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 27ba1b42-7cc6-4e53-86ce-675c876092b2 - isCompleted: false - isExpired: false - outputs: {} - parameters: - path: /usr/my-file.txt - startedAt: '2023-07-28T19:00:03.911Z' - status: pending - wasSuccessful: false + postReassignAgentExample: + description: Agent successfully reassigned + value: {} schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse - description: Indicates a successful call. 
- summary: Scan a file or directory - tags: - - Security Endpoint Management API - /api/endpoint/action/state: - get: - description: >- - Get a response actions state, which reports whether encryption is - enabled. - operationId: EndpointGetActionsState - responses: - '200': + additionalProperties: false + type: object + properties: {} + description: Successful response + '400': content: application/json: examples: - actionsState: - summary: Response actions state with encryption enabled + genericErrorResponseExample: + description: Example of a generic error response value: - data: - canEncrypt: true + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ActionStateSuccessResponse - description: OK - summary: Get actions state + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Reassign an agent tags: - - Security Endpoint Management API - /api/endpoint/action/suspend_process: + - Elastic Agent actions + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/{agentId}/remove_collector: post: - description: Suspend a running process on an endpoint. 
- operationId: EndpointSuspendProcessAction - requestBody: - content: - application/json: - examples: - byEntityId: - summary: Suspend a process by entity ID - value: - comment: Suspending suspicious process - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - entity_id: abc123 - byPid: - summary: Suspend a process by PID - value: - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - pid: 1234 - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_SuspendProcessRouteRequestBody - required: true + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/{agentId}/remove_collector
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Remove a specific OpAMP collector from the Fleet agents list. Marks the collector as unenrolled. This action does not invalidate API keys, so the collector can reconnect on its own.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-agentid-remove-collector + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The collector agent ID + in: path + name: agentId + required: true + schema: + type: string responses: '200': content: application/json: examples: - SuspendProcessSuccess: - summary: Suspend process action successfully created + postRemoveCollectorExample: + description: Collector successfully removed + value: {} + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: suspend-process - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 233db9ea-6733-4849-9226-5a7039c7161d - isCompleted: false - isExpired: false - outputs: {} - parameters: - entity_id: abc123 - startedAt: '2022-07-29T19:08:49.126Z' - status: pending - wasSuccessful: false - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse - description: Indicates a successful call. 
- summary: Suspend a process + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + description: Bad Request + summary: Remove an OpAMP collector tags: - - Security Endpoint Management API - /api/endpoint/action/unisolate: + - Elastic Agent actions + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/{agentId}/request_diagnostics: post: - description: Release an isolated endpoint, allowing it to rejoin a network. - operationId: EndpointUnisolateAction + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/{agentId}/request_diagnostics
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Request a diagnostics bundle from a specific agent.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: post-fleet-agents-agentid-request-diagnostics + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The agent ID + in: path + name: agentId + required: true + schema: + type: string requestBody: content: application/json: examples: - multipleHosts: - summary: 'Releases several hosts; includes a comment:' - value: - comment: Benign process identified, releasing group - endpoint_ids: - - 9972d10e-4b9e-41aa-a534-a85e2a28ea42 - - bc0e4f0c-3bca-4633-9fee-156c0b505d16 - - fa89271b-b9d4-43f2-a684-307cffddeb5a - singleHost: - summary: >- - Releases a single host with an endpoint_id value of - ed518850-681a-4d60-bb98-e22640cae2a8 - value: - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - withCaseId: - summary: Releases hosts with an associated case; includes a comment. + postRequestDiagnosticsRequestExample: + description: Request a diagnostics bundle from an agent value: - case_ids: - - 4976be38-c134-4554-bd5e-0fd89ce63667 - comment: Remediation complete, restoring network - endpoint_ids: - - 1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0 - - b30a11bf-1395-4707-b508-fbb45ef9793e + additional_metrics: + - CPU schema: + additionalProperties: false + nullable: true type: object properties: - agent_type: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_AgentTypes - alert_ids: - description: >- - If this action is associated with any alerts, they can be - specified here. The action will be logged in any cases - associated with the specified alerts. Max of 50. - example: - - alert-id-1 - - alert-id-2 - items: - minLength: 1 - type: string - maxItems: 50 - minItems: 1 - type: array - case_ids: - description: >- - The IDs of cases where the action taken will be logged. Max - of 50. 
- example: - - case-id-1 - - case-id-2 + additional_metrics: items: - minLength: 1 + enum: + - CPU type: string - maxItems: 50 - minItems: 1 + maxItems: 1 type: array - comment: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_Comment - endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds - parameters: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_Parameters - required: - - endpoint_ids - required: true responses: '200': content: application/json: examples: - UnisolateSuccess: - summary: Unisolate action successfully created + postRequestDiagnosticsExample: + description: Diagnostics action result value: - action: 233db9ea-6733-4849-9226-5a7039c7161d - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: unisolate - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 233db9ea-6733-4849-9226-5a7039c7161d - isCompleted: false - isExpired: false - outputs: {} - startedAt: '2022-07-29T19:08:49.126Z' - status: pending - wasSuccessful: false + actionId: action-id-1 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_UnisolateRouteResponse - description: Indicates a successful call. - summary: Release an isolated endpoint - tags: - - Security Endpoint Management API - /api/endpoint/action/upload: - post: - description: Upload a file to an endpoint. 
- operationId: EndpointUploadAction - requestBody: - content: - multipart/form-data: - examples: - uploadFile: - summary: Upload a script file to a specific endpoint - value: - comment: Pushing remediation script to host - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - file: RWxhc3RpYw== - parameters: - overwrite: false - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_UploadRouteRequestBody - required: true - responses: - '200': + additionalProperties: false + type: object + properties: + actionId: + type: string + required: + - actionId + description: Successful response + '400': content: application/json: examples: - UploadSuccess: - summary: Upload action successfully created + genericErrorResponseExample: + description: Example of a generic error response value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: upload - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: Host-5i6cuc8kdv - id: 9ff6aebc-2cb6-481e-8869-9b30036c9731 - isCompleted: false - isExpired: false - outputs: {} - parameters: - file_id: 10e4ce3d-4abb-4f93-a0cd-eaf63a489280 - file_name: fix-malware.sh - file_sha256: >- - a0bed94220193ba4895c0aa5b4e7e293381d15765cb164ddf7be5cdd010ae42a - file_size: 69 - startedAt: '2023-07-03T15:07:22.837Z' - status: pending - wasSuccessful: false + error: Bad Request + message: Agent agent-id-1 does not support request diagnostics action. + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse - description: Indicates a successful call. 
- summary: Upload a file + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Request agent diagnostics tags: - - Security Endpoint Management API - /api/endpoint/metadata: - get: - description: Get a list of all endpoint host metadata. - operationId: GetEndpointMetadataList + - Elastic Agent actions + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/{agentId}/rollback: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/{agentId}/rollback
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Rollback an agent to the previous version.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-agentid-rollback parameters: - - description: The page number to return. - in: query - name: page - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Page' - - description: The number of endpoints to return per page. - in: query - name: pageSize - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_PageSize' - - description: A KQL string to filter the endpoint metadata results. - in: query - name: kuery - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Kuery' - - description: >- - A set of host statuses to filter the results by (for example, - `healthy`, `updating`). - in: query - name: hostStatuses + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_HostStatuses' - - description: The field used to sort the results. - in: query - name: sortField - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_SortField' - - description: The sort order, either `asc` or `desc`. 
- in: query - name: sortDirection - required: false + example: 'true' + type: string + - description: The agent ID to rollback + in: path + name: agentId + required: true schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_SortDirection + type: string responses: '200': content: application/json: examples: - metadataList: - summary: A list of endpoint host metadata + successResponse: value: - data: - - host_status: healthy - last_checkin: '2023-07-04T15:47:57.432Z' - metadata: - agent: - id: 285297c6-3bff-4b83-9a07-f3e749801123 - type: endpoint - version: 8.10.0 - Endpoint: - policy: - applied: - id: d5371dcd-93b7-4627-af88-4084f7d6aa3e - name: test - status: success - status: enrolled - host: - hostname: WinDev2104Eval - os: - name: Windows - platform: windows - version: 20H2 - page: 0 - pageSize: 10 - sortDirection: desc - sortField: enrolled_at - total: 1 + actionId: actionId schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_MetadataListResponse - description: Indicates a successful call. - summary: Get a metadata list + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_action_id_response' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_action_message_response' + description: 'OK: A successful request.' + '400': + content: + application/json: + examples: + badRequestResponse: + value: + message: Bad Request + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: A bad request. + summary: Rollback an agent tags: - - Security Endpoint Management API - /api/endpoint/metadata/{id}: - get: - description: Get host metadata for a specific endpoint. 
- operationId: GetEndpointMetadata + - Elastic Agent actions + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/{agentId}/unenroll: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/{agentId}/unenroll
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Unenroll a specific agent, optionally revoking its enrollment API key.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-agentid-unenroll parameters: - - description: The agent ID of the endpoint. + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The agent ID in: path - name: id + name: agentId required: true schema: - example: ed518850-681a-4d60-bb98-e22640cae2a8 type: string + requestBody: + content: + application/json: + examples: + postUnenrollAgentRequestExample: + description: Unenroll an agent, optionally revoking the enrollment API key + value: + revoke: false + schema: + additionalProperties: false + nullable: true + type: object + properties: + force: + type: boolean + revoke: + type: boolean responses: '200': content: application/json: examples: - endpointMetadata: - summary: Host metadata for a specific endpoint + postUnenrollAgentExample: + description: Agent successfully unenrolled + value: {} + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response value: - host_status: healthy - last_checkin: '2023-07-04T15:48:57.360Z' - metadata: - agent: - id: abb8a826-6812-448c-a571-6d8269b51449 - type: endpoint - version: 8.10.0 - Endpoint: - policy: - applied: - id: d5371dcd-93b7-4627-af88-4084f7d6aa3e - name: test - status: success - status: enrolled - host: - hostname: WinDev2104Eval - os: - name: Windows - platform: windows - version: 20H2 - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointMetadataResponse - description: Indicates a successful call. 
- summary: Get metadata + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + description: Bad Request + summary: Unenroll an agent tags: - - Security Endpoint Management API - /api/endpoint/policy_response: - get: - description: Get the most recent policy response for an endpoint. - operationId: GetPolicyResponse + - Elastic Agent actions + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/{agentId}/upgrade: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/{agentId}/upgrade
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Upgrade a specific agent to a newer version.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-agentid-upgrade parameters: - - description: The agent ID to retrieve the policy response for. - in: query + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The agent ID + in: path name: agentId required: true schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentId' + type: string + requestBody: + content: + application/json: + examples: + postUpgradeAgentRequestExample: + description: Upgrade an agent to a specific version + value: + version: 8.17.0 + schema: + additionalProperties: false + type: object + properties: + force: + type: boolean + skipRateLimitCheck: + type: boolean + source_uri: + type: string + version: + type: string + required: + - version responses: '200': content: application/json: examples: - policyResponse: - summary: The most recent policy response for an endpoint + postUpgradeAgentExample: + description: Agent upgrade initiated + value: {} + schema: + additionalProperties: false + type: object + properties: {} + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response value: - policy_response: - '@timestamp': '2023-07-04T15:48:57.360Z' - agent: - id: ed518850-681a-4d60-bb98-e22640cae2a8 - version: 7.16.0 - Endpoint: - policy: - applied: - endpoint_policy_version: '2' - id: d5371dcd-93b7-4627-af88-4084f7d6aa3e - name: My endpoint policy - status: success - version: '3' + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_SuccessResponse - description: Indicates a successful call. 
- summary: Get a policy response + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Upgrade an agent tags: - - Security Endpoint Management API - /api/endpoint/protection_updates_note/{package_policy_id}: + - Elastic Agent actions + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/{agentId}/uploads: get: - description: Get the protection updates note for a package policy. - operationId: GetProtectionUpdatesNote + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agents/{agentId}/uploads
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of files uploaded by a specific agent.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agents-agentid-uploads parameters: - - description: The package policy ID to retrieve the protection updates note for. + - description: The agent ID in: path - name: package_policy_id + name: agentId required: true schema: type: string 
@@ -11456,1748 +29566,1959 @@ paths: content: application/json: examples: - protectionUpdatesNote: - summary: The protection updates note for a package policy + getAgentUploadsExample: + description: List of files uploaded by the agent value: - note: >- - Pinned protection updates to 2025-01-01 while validating - new signatures. + items: + - actionId: action-id-1 + createTime: '2024-01-01T00:00:00.000Z' + filePath: /tmp/diagnostics-2024-01-01.zip + id: file-id-1 + name: diagnostics-2024-01-01.zip + status: READY schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse - description: Indicates a successful call. - summary: Get a protection updates note - tags: - - Security Endpoint Management API - post: - description: Create or update the protection updates note for a package policy. - operationId: CreateUpdateProtectionUpdatesNote - parameters: - - description: >- - The package policy ID to create or update the protection updates - note for. - in: path - name: package_policy_id - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - setNote: - summary: Set a new protection updates note - value: - note: >- - Pinned protection updates to 2025-01-01 while validating new - signatures. - schema: - type: object - properties: - note: - description: The note content. 
- type: string - required: true - responses: - '200': + additionalProperties: false + type: object + properties: + items: + items: + additionalProperties: false + type: object + properties: + actionId: + type: string + createTime: + type: string + error: + type: string + filePath: + type: string + id: + type: string + name: + type: string + status: + enum: + - READY + - AWAITING_UPLOAD + - DELETED + - EXPIRED + - IN_PROGRESS + - FAILED + type: string + required: + - id + - name + - filePath + - createTime + - status + - actionId + maxItems: 10000 + type: array + required: + - items + description: Successful response + '400': content: application/json: examples: - noteSaved: - summary: Protection updates note saved + genericErrorResponseExample: + description: Example of a generic error response value: - note: >- - Pinned protection updates to 2025-01-01 while validating - new signatures. + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse - description: Indicates a successful call. - summary: Create or update a protection updates note + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get agent uploads tags: - - Security Endpoint Management API - /api/endpoint/scripts_library: + - Elastic Agents + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/action_status: get: - description: Retrieve a list of scripts - operationId: EndpointScriptLibraryListScripts + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agents/action_status
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the current status of recent agent actions.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agents-action-status parameters: - - description: Page number of the results to return. Defaults to 1. + - description: Page number in: query name: page required: false schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Page' - - description: >- - Number of results to return per page. Defaults to 10. Max value is - 1000. + default: 0 + type: number + - description: Number of results per page in: query - name: pageSize + name: perPage required: false schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_ApiPageSize' - - description: The field to sort the results by. Defaults to name. + default: 20 + type: number + - description: Return actions created before this date in: query - name: sortField + name: date required: false schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_ApiSortField' - - description: The direction to sort the results by. Defaults to asc (ascending). + type: string + - description: Return only the latest N actions in: query - name: sortDirection + name: latest required: false schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_SortDirection - - description: > - A KQL query string to filter the list of scripts. Nearly all fields - in the script object are searchable. 
+ type: number + - description: Number of error details to include per action in: query - name: kuery + name: errorSize required: false schema: - allOf: - - $ref: '#/components/schemas/Security_Endpoint_Management_API_Kuery' - - example: platform:windows + default: 5 + type: number responses: '200': content: application/json: examples: - response: - summary: List of scripts response example + getActionStatusExample: + description: Status of recent agent actions value: - data: [] - page: 1 - pageSize: 10 - sortDirection: asc - sortField: name - total: 100 + items: + - actionId: action-id-1 + completionTime: '2024-01-01T00:05:00.000Z' + creationTime: '2024-01-01T00:00:00.000Z' + nbAgentsAck: 2 + nbAgentsActioned: 2 + nbAgentsFailed: 0 + status: COMPLETE + type: UPGRADE schema: + additionalProperties: false type: object properties: - data: + items: items: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointScript + additionalProperties: false + type: object + properties: + actionId: + type: string + cancellationTime: + type: string + completionTime: + type: string + creationTime: + description: creation time of action + type: string + expiration: + type: string + hasRolloutPeriod: + type: boolean + is_automatic: + type: boolean + latestErrors: + items: + additionalProperties: false + description: latest errors that happened when the agents executed the action + type: object + properties: + agentId: + type: string + error: + type: string + hostname: + type: string + timestamp: + type: string + required: + - agentId + - error + - timestamp + maxItems: 10 + type: array + nbAgentsAck: + description: number of agents that acknowledged the action + type: number + nbAgentsActionCreated: + description: number of agents included in action from kibana + type: number + nbAgentsActioned: + description: number of agents actioned + type: number + nbAgentsFailed: + description: number of agents that failed to execute the action + type: number + newPolicyId: + 
description: new policy id (POLICY_REASSIGN action) + type: string + policyId: + description: policy id (POLICY_CHANGE action) + type: string + revision: + description: new policy revision (POLICY_CHANGE action) + type: number + startTime: + description: start time of action (scheduled actions) + type: string + status: + enum: + - COMPLETE + - EXPIRED + - CANCELLED + - FAILED + - IN_PROGRESS + - ROLLOUT_PASSED + type: string + type: + enum: + - UPGRADE + - UNENROLL + - SETTINGS + - POLICY_REASSIGN + - CANCEL + - FORCE_UNENROLL + - REQUEST_DIAGNOSTICS + - UPDATE_TAGS + - POLICY_CHANGE + - INPUT_ACTION + - MIGRATE + - PRIVILEGE_LEVEL_CHANGE + - ROLLBACK + type: string + version: + description: agent version number (UPGRADE action) + type: string + required: + - actionId + - nbAgentsActionCreated + - nbAgentsAck + - nbAgentsFailed + - type + - nbAgentsActioned + - status + - creationTime + maxItems: 10000 type: array - page: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Page' - pageSize: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ApiPageSize - sortDirection: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_SortDirection - sortField: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ApiSortField - total: - description: The total number of scripts matching the query - type: integer - description: List of scripts response - summary: Get a list of scripts + required: + - items + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - 
message + - attributes + description: Bad Request + summary: Get an agent action status tags: - - Security Endpoint Management API + - Elastic Agent actions + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/actions/{actionId}/cancel: post: - description: Create a new script entry by uploading a script file - operationId: EndpointScriptLibraryCreateScript + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/actions/{actionId}/cancel
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Cancel a pending action for a specific agent.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-actions-actionid-cancel + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The ID of the action to cancel + in: path + name: actionId + required: true + schema: + type: string requestBody: content: - multipart/form-data: + application/json: examples: - CreateArchiveScriptEntry: - summary: Create an archive script entry - value: - description: Collects host data for investigation - example: ./collect_host_data.sh --help - file: ./collect_host_data.zip - fileType: archive - instructions: Collects host data for investigation - name: Collect host data - pathToExecutable: ./bin/collect_host_data.sh - platform: - - linux - - macos - requiresInput: false - CreateScriptEntry: - summary: Create a script entry - value: - description: Collects host data for investigation - example: ./collect_host_data.sh --help - file: ./collect_host_data.sh - fileType: script - instructions: Collects host data for investigation - name: Collect host data - platform: - - linux - - macos - requiresInput: false - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_CreateScriptRouteRequestBody - required: true + postCancelActionRequestExample: + description: Cancel an agent action + value: {} responses: '200': content: application/json: examples: - CreateScriptEntrySuccess: - summary: Create a script entry + postCancelActionExample: + description: Cancellation action created + value: + item: + agents: + - agent-id-1 + created_at: '2024-01-01T00:00:00.000Z' + id: cancel-action-id-1 + type: CANCEL + schema: + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + ack_data: + nullable: true + agents: + items: + type: string + maxItems: 10000 + type: array + created_at: + 
type: string + data: + nullable: true + expiration: + type: string + id: + type: string + minimum_execution_duration: + type: number + namespaces: + items: + type: string + maxItems: 100 + type: array + rollout_duration_seconds: + type: number + sent_at: + type: string + source_uri: + type: string + start_time: + type: string + total: + type: number + type: + type: string + required: + - id + - type + - data + - created_at + - ack_data + required: + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response value: - data: - description: Collects host data for investigation - file: ./collect_host_data.sh - fileType: script - id: 1234567890 - instructions: No arguments required - name: Collect host data - platform: - - linux - - macos + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ScriptsApiResponse - description: Action request was successfully created - summary: Create script + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Cancel an agent action tags: - - Security Endpoint Management API - /api/endpoint/scripts_library/{script_id}: - delete: - description: Delete a script - operationId: EndpointScriptLibraryDeleteScript - parameters: - - description: The ID of the script entry to be deleted. - example: fr518850-681a-4y60-aa98-e22640cae2b8 - in: path - name: script_id - required: true - schema: - description: The ID of the script entry to be deleted. 
- example: fr518850-681a-4y60-aa98-e22640cae2b8 - type: string + - Elastic Agent actions + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/available_versions: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agents/available_versions
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of Elastic Agent versions available for upgrade.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agents-available-versions + parameters: [] responses: '200': content: application/json: examples: - response: - summary: Delete script response example. - value: {} + getAvailableVersionsExample: + description: List of available agent versions for upgrade + value: + items: + - 8.17.0 + - 8.16.3 + - 8.16.2 schema: + additionalProperties: false type: object - description: Delete script response. - summary: Delete a script - tags: - - Security Endpoint Management API - get: - description: Get a script - operationId: EndpointScriptLibraryGetOneScript - parameters: - - description: The ID of the script entry. - example: fr518850-681a-4y60-aa98-e22640cae2b8 - in: path - name: script_id - required: true - schema: - description: The ID of the script entry. - example: fr518850-681a-4y60-aa98-e22640cae2b8 - type: string - responses: - '200': + properties: + items: + items: + type: string + maxItems: 10000 + type: array + required: + - items + description: Successful response + '400': content: application/json: examples: - UpdateScriptEntrySuccess: - summary: Get one script entry success + genericErrorResponseExample: + description: Example of a generic error response value: - data: - description: Collects host data for investigation - file: ./collect_host_data.sh - fileType: script - id: 1234567890 - instructions: No arguments required - name: Collect host data - platform: - - linux - - macos + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ScriptsApiResponse - description: Get script response - summary: Get script + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + 
- attributes + description: Bad Request + summary: Get available agent versions tags: - - Security Endpoint Management API - patch: - description: Update (full or partial) a script entry - operationId: EndpointScriptLibraryPatchUpdateScript + - Elastic Agents + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/bulk_migrate: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/bulk_migrate
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Bulk migrate agents to another cluster.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-bulk-migrate parameters: - - description: The ID of the script entry to be updated. - example: fr518850-681a-4y60-aa98-e22640cae2b8 - in: path - name: script_id + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: - description: The ID of the script entry to be updated. - example: fr518850-681a-4y60-aa98-e22640cae2b8 + example: 'true' type: string requestBody: content: - multipart/form-data: + application/json: examples: - PatchUpdateScriptEntry: - summary: Update script entry instructions - value: - instructions: ./collect_host_data.sh --help - PatchUpdateScriptEntryFromArchiveToScript: - summary: Update script entry from an archive to a script - value: - fileType: script - PatchUpdateScriptEntryToArchive: - summary: Update script entry to be an archive + postBulkMigrateAgentsRequestExample: + description: Migrate multiple agents to another cluster value: - fileType: archive - pathToExecutable: ./bin/collect_host_data.sh + agents: + - agent-id-1 + - agent-id-2 + enrollment_token: enrollment-token-value + settings: + retry_max: 5 + uri: https://fleet-server.example.com:8220 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PatchUpdateScriptRouteRequestBody - required: true - responses: - '200': - content: - application/json: - examples: - UpdateScriptEntrySuccess: - summary: Update script entry success - value: - data: - description: Collects host data for investigation - file: ./collect_host_data.sh - fileType: script - id: 1234567890 - instructions: No arguments required - name: Collect host data - platform: - - linux - - macos - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ScriptsApiResponse - description: Action request was successfully updated - summary: Update script - tags: - - Security Endpoint Management API - 
/api/endpoint/scripts_library/{script_id}/download: - get: - description: Download a script file - operationId: EndpointScriptLibraryDownloadScript - parameters: - - description: The ID of the script entry. - example: fr518850-681a-4y60-aa98-e22640cae2b8 - in: path - name: script_id - required: true - schema: - description: The ID of the script entry. - example: fr518850-681a-4y60-aa98-e22640cae2b8 - type: string - responses: - '200': - content: - application/octet-stream: - examples: - response: - summary: Download script file response example. - value: null - schema: - description: A download stream is returned. - format: binary - type: string - description: Download script file response. - summary: Download a script file - tags: - - Security Endpoint Management API - /api/entity_analytics/monitoring/engine/delete: - delete: - description: >- - Deletes the Privilege Monitoring Engine and optionally removes all - associated privileged user data. - operationId: DeleteMonitoringEngine - parameters: - - description: Whether to delete all the privileged user data - in: query - name: data - required: false - schema: - default: false - type: boolean + additionalProperties: false + type: object + properties: + agents: + anyOf: + - items: + type: string + maxItems: 10000 + type: array + - type: string + batchSize: + type: number + enrollment_token: + type: string + settings: + additionalProperties: false + type: object + properties: + ca_sha256: + type: string + certificate_authorities: + type: string + elastic_agent_cert: + type: string + elastic_agent_cert_key: + type: string + elastic_agent_cert_key_passphrase: + type: string + headers: + additionalProperties: + type: string + type: object + insecure: + type: boolean + proxy_disabled: + type: boolean + proxy_headers: + additionalProperties: + type: string + type: object + proxy_url: + type: string + staging: + type: string + tags: + items: + type: string + maxItems: 10 + type: array + uri: + format: uri + type: string 
+ required: + - agents + - uri + - enrollment_token responses: '200': content: application/json: examples: - DeleteMonitoringEngineResponse: - summary: Engine deleted successfully + postBulkMigrateAgentsExample: + description: Bulk agent migration initiated value: - deleted: true + actionId: action-id-1 schema: + additionalProperties: false type: object properties: - deleted: - type: boolean + actionId: + type: string required: - - deleted + - actionId description: Successful response - summary: Delete the Privilege Monitoring Engine - tags: - - Security Entity Analytics API - /api/entity_analytics/monitoring/engine/disable: - post: - description: >- - Disables the Privilege Monitoring Engine, stopping all monitoring - activity without removing data. - operationId: DisableMonitoringEngine - responses: - '200': + '400': content: application/json: examples: - DisableMonitoringEngineResponse: - summary: Engine disabled successfully + genericErrorResponseExample: + description: Example of a generic error response value: - status: disabled + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_MonitoringEngineDescriptor - description: Successful response - summary: Disable the Privilege Monitoring Engine + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Migrate multiple agents tags: - - Security Entity Analytics API - /api/entity_analytics/monitoring/engine/init: + - Elastic Agents + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/bulk_privilege_level_change: post: - description: >- - Initializes the Privilege Monitoring Engine, setting up the required - 
resources and starting the engine. - operationId: InitMonitoringEngine + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/bulk_privilege_level_change
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Change multiple agents' privilege level to unprivileged.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-bulk-privilege-level-change + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + bulkChangeAgentPrivilegeLevelRequest: + value: + agents: agent + user_info: + groupname: groupname + password: password + username: username + schema: + additionalProperties: false + type: object + properties: + agents: + anyOf: + - items: + type: string + maxItems: 10000 + type: array + - type: string + batchSize: + type: number + user_info: + additionalProperties: false + type: object + properties: + groupname: + type: string + password: + type: string + username: + type: string + required: + - agents responses: '200': content: application/json: examples: - InitMonitoringEngineResponse: - summary: Engine initialized successfully + successResponse: value: - status: started + actionId: actionId schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_MonitoringEngineDescriptor - description: Successful response - '500': + additionalProperties: false + type: object + properties: + actionId: + type: string + required: + - actionId + description: 'OK: A successful request.' 
+ '400': content: application/json: examples: - InitMonitoringEngineError: - summary: Internal server error during engine initialization + badRequestResponse: value: - error: - message: Failed to initialize monitoring engine - status: error + message: Bad Request schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_MonitoringEngineDescriptor - description: Internal Server Error - summary: Initialize the Privilege Monitoring Engine + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: A bad request. + summary: Bulk change agent privilege level tags: - - Security Entity Analytics API - /api/entity_analytics/monitoring/engine/schedule_now: + - Elastic Agents + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/bulk_reassign: post: - description: >- - Schedules the Privilege Monitoring Engine to run as soon as possible, - triggering an immediate monitoring cycle. - operationId: ScheduleMonitoringEngine + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/bulk_reassign
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Reassign multiple agents to a different agent policy.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-bulk-reassign + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + postBulkReassignAgentsRequestExample: + description: Reassign multiple agents to a different policy + value: + agents: + - agent-id-1 + - agent-id-2 + policy_id: agent-policy-id-2 + schema: + additionalProperties: false + type: object + properties: + agents: + anyOf: + - items: + type: string + maxItems: 10000 + type: array + - type: string + batchSize: + type: number + includeInactive: + default: false + type: boolean + policy_id: + type: string + required: + - policy_id + - agents responses: '200': content: application/json: examples: - ScheduleMonitoringEngineResponse: - summary: Engine scheduled successfully + postBulkReassignAgentsExample: + description: Bulk reassign action result value: - success: true + actionId: action-id-1 schema: + additionalProperties: false type: object properties: - success: - description: Indicates the scheduling was successful - type: boolean + actionId: + type: string + required: + - actionId description: Successful response - '409': + '400': content: application/json: examples: - ScheduleMonitoringEngineConflict: - summary: Engine is already running + genericErrorResponseExample: + description: Example of a generic error response value: - message: Monitoring engine is already running + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: + additionalProperties: false + description: Generic Error type: object properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string message: - description: Error message indicating the engine is already running type: string - description: Conflict - Monitoring engine is 
already running - summary: Schedule the Privilege Monitoring Engine + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Bulk reassign agents tags: - - Security Entity Analytics API - /api/entity_analytics/monitoring/privileges/health: - get: - description: >- - Returns the current health status of the Privilege Monitoring Engine, - including engine status, error details, and user count statistics. - operationId: PrivMonHealth + - Elastic Agent actions + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/bulk_remove_collectors: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/bulk_remove_collectors
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Remove multiple OpAMP collectors from the Fleet agents list. Marks the collectors as unenrolled. This action does not invalidate API keys, so collectors can reconnect on their own.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-bulk-remove-collectors + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + postBulkRemoveCollectorsRequestExample: + description: Remove multiple OpAMP collectors + value: + agents: + - collector-id-1 + - collector-id-2 + schema: + additionalProperties: false + type: object + properties: + agents: + anyOf: + - items: + description: List of collector agent IDs + type: string + maxItems: 10000 + type: array + - description: KQL query string. Leave empty to target all collectors + type: string + includeInactive: + description: When passing collectors by KQL query, also removes inactive collectors + type: boolean + required: + - agents responses: '200': content: application/json: examples: - PrivMonHealthResponse: - summary: Healthy privilege monitoring engine + postBulkRemoveCollectorsExample: + description: Bulk remove collectors action result value: - status: started - users: - current_count: 42 - max_allowed: 1000 + actionId: action-id-1 schema: + additionalProperties: false type: object properties: - error: - type: object - properties: - message: - type: string - required: - - status - status: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_PrivilegeMonitoringEngineStatus - users: - description: User statistics for privilege monitoring - type: object - properties: - current_count: - description: Current number of privileged users being monitored - type: integer - max_allowed: - description: >- - Maximum number of privileged users allowed to be - monitored - type: integer - required: - - current_count - - max_allowed + actionId: + type: string required: - - status + - actionId description: Successful response - summary: Health check on Privilege Monitoring - tags: - - 
Security Entity Analytics API - /api/entity_analytics/monitoring/privileges/privileges: - get: - description: >- - Check if the current user has all required permissions for Privilege - Monitoring - operationId: PrivMonPrivileges - responses: - '200': + '400': content: application/json: examples: - PrivMonPrivilegesResponse: - summary: Privileges check response + genericErrorResponseExample: + description: Example of a generic error response value: - has_all_required: true - privileges: - elasticsearch: - index: - .entity_analytics.monitoring.user-default: - read: true + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EntityAnalyticsPrivileges - description: Successful response - summary: Run a privileges check on Privilege Monitoring + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Bulk remove OpAMP collectors tags: - - Security Entity Analytics API - /api/entity_analytics/monitoring/users: + - Elastic Agent actions + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/bulk_request_diagnostics: post: - description: >- - Creates a new privileged user to be monitored by the Privilege - Monitoring Engine. - operationId: CreatePrivMonUser + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/bulk_request_diagnostics
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Request diagnostics bundles from multiple agents.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: post-fleet-agents-bulk-request-diagnostics + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: examples: - CreatePrivMonUserRequest: - summary: Create a monitored user + postBulkRequestDiagnosticsRequestExample: + description: Request diagnostics bundles from multiple agents value: - entity_analytics_monitoring: - labels: - - field: department - source: api - value: IT - user: - name: john.doe + additional_metrics: + - CPU + agents: + - agent-id-1 + - agent-id-2 schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_UserName' - required: true + additionalProperties: false + type: object + properties: + additional_metrics: + items: + enum: + - CPU + type: string + maxItems: 1 + type: array + agents: + anyOf: + - items: + type: string + maxItems: 10000 + type: array + - type: string + batchSize: + type: number + required: + - agents responses: '200': content: application/json: examples: - CreatePrivMonUserResponse: - summary: Created monitored user + postBulkRequestDiagnosticsExample: + description: Bulk diagnostics action result value: - '@timestamp': '2026-01-28T12:00:00.000Z' - entity_analytics_monitoring: - labels: - - field: department - source: api - value: IT - event: - ingested: '2026-01-28T12:00:00.000Z' - id: user-abc-123 - user: - is_privileged: true - name: john.doe + actionId: action-id-1 schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_MonitoredUserDoc - description: User created successfully - summary: Create a new monitored user + additionalProperties: false + type: object + properties: + actionId: + type: string + required: + - actionId + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example 
of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Bulk request diagnostics from agents tags: - - Security Entity Analytics API - /api/entity_analytics/monitoring/users/_csv: + - Elastic Agent actions + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/bulk_rollback: post: - description: >- - Bulk upserts privileged users by uploading a CSV file. Returns per-row - errors and aggregate upload statistics. - operationId: PrivmonBulkUploadUsersCSV + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/bulk_rollback
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Rollback multiple agents to the previous version.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-bulk-rollback + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: - multipart/form-data: + application/json: examples: - PrivmonBulkUploadUsersCSVRequest: - summary: CSV file with privileged users + bulkRollbackAgentsRequest: value: - file: | - username,is_privileged - john.doe,true - jane.smith,true + agents: + - agent-1 + - agent-2 + batchSize: 100 + includeInactive: false schema: + additionalProperties: false type: object properties: - file: - description: The CSV file to upload. - format: binary - type: string + agents: + anyOf: + - items: + type: string + maxItems: 10000 + type: array + - type: string + batchSize: + type: number + includeInactive: + default: false + type: boolean required: - - file + - agents responses: '200': content: application/json: examples: - PrivmonBulkUploadUsersCSVResponse: - summary: Bulk upload response with mixed results + successResponse: value: - errors: - - index: 1 - message: Invalid monitored field - username: john.doe - stats: - failedOperations: 1 - successfulOperations: 1 - totalOperations: 2 - uploaded: 2 + actionIds: + - actionId1 + - actionId2 schema: + additionalProperties: false type: object properties: - errors: + actionIds: items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_PrivmonUserCsvUploadErrorItem + type: string + maxItems: 10000 type: array - stats: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_PrivmonUserCsvUploadStats required: - - errors - - stats - description: Bulk upload successful - '413': - description: File too large - summary: Upsert multiple monitored users via CSV upload - tags: - - Security Entity Analytics API - /api/entity_analytics/monitoring/users/{id}: - delete: - description: Removes a privileged user from 
monitoring by their document ID. - operationId: DeletePrivMonUser - parameters: - - description: The document ID of the monitored user to delete - in: path - name: id - required: true - schema: - type: string - responses: - '200': + - actionIds + description: 'OK: A successful request.' + '400': content: application/json: examples: - DeletePrivMonUserResponse: - summary: User deleted successfully + badRequestResponse: value: - acknowledged: true - message: User deleted successfully + message: Bad Request schema: + additionalProperties: false + description: Generic Error type: object properties: - acknowledged: - description: Indicates if the deletion was successful - type: boolean + attributes: + nullable: true + error: + type: string + errorType: + type: string message: - description: >- - A message providing additional information about the - deletion status type: string + statusCode: + type: number required: - - success - description: User deleted successfully - summary: Delete a monitored user + - message + - attributes + description: A bad request. + summary: Bulk rollback agents tags: - - Security Entity Analytics API - put: - description: >- - Updates the details of an existing monitored privileged user by their - document ID. - operationId: UpdatePrivMonUser + - Elastic Agent actions + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/bulk_unenroll: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/bulk_unenroll
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Unenroll multiple agents, optionally revoking their enrollment API keys.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-bulk-unenroll parameters: - - description: The document ID of the monitored user to update - in: path - name: id + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: + example: 'true' type: string requestBody: content: application/json: examples: - UpdatePrivMonUserRequest: - summary: Update a monitored user + postBulkUnenrollAgentsRequestExample: + description: Unenroll multiple agents value: - entity_analytics_monitoring: - labels: - - field: department - source: api - value: Security - user: - is_privileged: true - name: john.doe - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_MonitoredUserUpdateDoc - required: true - responses: - '200': - content: - application/json: - examples: - UpdatePrivMonUserResponse: - summary: Updated monitored user - value: - '@timestamp': '2026-01-28T12:00:00.000Z' - entity_analytics_monitoring: - labels: - - field: department - source: api - value: Security - event: - ingested: '2026-01-28T12:00:00.000Z' - id: user-abc-123 - user: - is_privileged: true - name: john.doe - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_MonitoredUserDoc - description: User updated successfully - summary: Update a monitored user - tags: - - Security Entity Analytics API - /api/entity_analytics/monitoring/users/list: - get: - description: >- - Returns a list of all privileged users currently being monitored. - Supports optional KQL filtering. 
- operationId: ListPrivMonUsers - parameters: - - description: KQL query to filter the list of monitored users - in: query - name: kql - required: false - schema: - type: string - responses: - '200': - content: - application/json: - examples: - ListPrivMonUsersResponse: - summary: List of monitored users - value: - - '@timestamp': '2026-01-28T12:00:00.000Z' - entity_analytics_monitoring: - labels: - - field: department - source: api - value: IT - event: - ingested: '2026-01-28T12:00:00.000Z' - id: user-abc-123 - user: - is_privileged: true - name: john.doe - - '@timestamp': '2026-01-15T09:00:00.000Z' - entity_analytics_monitoring: - labels: - - field: department - source: csv - value: Security - event: - ingested: '2026-01-15T09:00:00.000Z' - id: user-def-456 - user: - is_privileged: true - name: jane.smith - schema: - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_MonitoredUserDoc - type: array - description: List of monitored users - summary: List all monitored users - tags: - - Security Entity Analytics API - /api/entity_analytics/privileged_user_monitoring/pad/install: - post: - description: >- - Installs the privileged access detection integration package and sets up - the associated ML modules required for the Entity Analytics privileged - user monitoring experience. 
- operationId: InstallPrivilegedAccessDetectionPackage + agents: + - agent-id-1 + - agent-id-2 + revoke: false + schema: + additionalProperties: false + type: object + properties: + agents: + anyOf: + - items: + description: list of agent IDs + type: string + maxItems: 10000 + type: array + - description: KQL query string, leave empty to action all agents + type: string + batchSize: + type: number + force: + description: Unenrolls hosted agents too + type: boolean + includeInactive: + description: When passing agents by KQL query, unenrolls inactive agents too + type: boolean + revoke: + description: Revokes API keys of agents + type: boolean + required: + - agents responses: '200': content: application/json: examples: - InstallPrivilegedAccessDetectionPackageResponse: - summary: Package installed successfully + postBulkUnenrollAgentsExample: + description: Bulk unenroll action result value: - message: Privileged access detection package installed successfully + actionId: action-id-1 schema: + additionalProperties: false type: object properties: - message: + actionId: type: string required: - - message + - actionId description: Successful response - summary: >- - Installs the privileged access detection package for the Entity - Analytics privileged user monitoring experience - tags: - - Security Entity Analytics API - /api/entity_analytics/privileged_user_monitoring/pad/status: - get: - description: >- - Returns the installation and ML module setup status of the privileged - access detection package, along with the state of each associated ML - job. 
- operationId: GetPrivilegedAccessDetectionPackageStatus - responses: - '200': + '400': content: application/json: examples: - GetPrivilegedAccessDetectionPackageStatusResponse: - summary: Package fully installed and running + genericErrorResponseExample: + description: Example of a generic error response value: - jobs: - - description: Detects high-risk login patterns - job_id: pad-high-risk-login - state: opened - - description: Detects privilege escalation events - job_id: pad-privilege-escalation - state: opened - ml_module_setup_status: complete - package_installation_status: complete + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: + additionalProperties: false + description: Generic Error type: object properties: - jobs: - items: - type: object - properties: - description: - type: string - job_id: - type: string - state: - enum: - - closing - - closed - - opened - - failed - - opening - type: string - required: - - job_id - - state - type: array - ml_module_setup_status: - enum: - - complete - - incomplete + attributes: + nullable: true + error: type: string - package_installation_status: - enum: - - complete - - incomplete + errorType: + type: string + message: type: string + statusCode: + type: number required: - - package_installation_status - - ml_module_setup_status - - jobs - description: Privileged access detection status retrieved - summary: >- - Gets the status of the privileged access detection package for the - Entity Analytics privileged user monitoring experience + - message + - attributes + description: Bad Request + summary: Bulk unenroll agents tags: - - Security Entity Analytics API - /api/entity_analytics/watchlists: + - Elastic Agent actions + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/bulk_update_agent_tags: post: - description: >- - Creates a new entity analytics watchlist with an optional set of entity - sources. 
Watchlists apply a risk score modifier to matched entities. - operationId: CreateWatchlist + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/bulk_update_agent_tags
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Add or remove tags across multiple agents.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-bulk-update-agent-tags + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: examples: - CreateWatchlistRequest: - summary: Create watchlist request - value: - description: High risk vendor watchlist - managed: false - name: High Risk Vendors - riskModifier: 1.5 - CreateWatchlistWithSourcesRequest: - summary: Create watchlist with entity sources + postBulkUpdateAgentTagsRequestExample: + description: Add and remove tags across multiple agents value: - description: High risk vendor watchlist - entitySources: - - enabled: true - identifierField: user.name - indexPattern: my-sync-index - name: My User Index Source - type: index - managed: false - name: High Risk Vendors - riskModifier: 1.5 + agents: + - agent-id-1 + - agent-id-2 + tagsToAdd: + - production + tagsToRemove: + - staging schema: + additionalProperties: false type: object properties: - description: - description: Description of the watchlist - type: string - entitySources: - description: Optional entity sources to create and link to the watchlist - items: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - filter: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_Filter - identifierField: - description: >- - Field used to query the entity store for index-type - sources - type: string - indexPattern: - type: string - integrationName: - description: >- - Required when type is entity_analytics_integration. - One of entityanalytics_okta, entityanalytics_ad. 
- type: string - matchers: - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_Matcher - type: array - name: - type: string - queryRule: - description: >- - KQL query used to filter data from the provided index - patterns + agents: + anyOf: + - items: type: string - range: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_DateRange - type: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EntitySourceType - required: - - type - - name - type: array - managed: - description: Indicates if the watchlist is managed by the system - type: boolean - name: - description: Unique name for the watchlist - type: string - riskModifier: - description: Risk score modifier associated with the watchlist - maximum: 2 - minimum: 0 + maxItems: 10000 + type: array + - type: string + batchSize: type: number + includeInactive: + default: false + type: boolean + tagsToAdd: + items: + type: string + maxItems: 10 + type: array + tagsToRemove: + items: + type: string + maxItems: 10 + type: array required: - - name - - riskModifier - required: true + - agents responses: '200': content: application/json: examples: - CreateWatchlistResponse: - summary: Created watchlist + postBulkUpdateAgentTagsExample: + description: Bulk action result value: - createdAt: '2026-01-28T12:00:00.000Z' - description: High risk vendor watchlist - id: watchlist-123 - managed: false - name: High Risk Vendors - riskModifier: 1.5 - updatedAt: '2026-01-28T12:00:00.000Z' + actionId: action-id-1 schema: - allOf: - - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_WatchlistObject - - type: object - properties: - entitySources: - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_MonitoringEntitySource - type: array - description: Watchlist created successfully - summary: Create a new watchlist - tags: - - Security Entity Analytics API - x-state: Technical Preview - /api/entity_analytics/watchlists/{id}: - get: - description: >- - Retrieves 
the details of an entity analytics watchlist by its unique - identifier. - operationId: GetWatchlist - parameters: - - description: Unique ID of the watchlist - in: path - name: id - required: true - schema: - type: string - responses: - '200': + additionalProperties: false + type: object + properties: + actionId: + type: string + required: + - actionId + description: Successful response + '400': content: application/json: examples: - GetWatchlistResponse: - summary: Watchlist details + genericErrorResponseExample: + description: Example of a generic error response value: - createdAt: '2026-01-28T12:00:00.000Z' - description: High risk vendor watchlist - id: watchlist-123 - managed: false - name: High Risk Vendors - riskModifier: 1.5 - updatedAt: '2026-02-18T12:00:00.000Z' + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_WatchlistObject - description: Watchlist details - summary: Get a watchlist by ID + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Bulk update agent tags tags: - - Security Entity Analytics API - x-state: Technical Preview - put: - description: >- - Updates the name, description, risk modifier, or managed status of an - existing entity analytics watchlist. - operationId: UpdateWatchlist + - Elastic Agent actions + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/bulk_upgrade: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/bulk_upgrade
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Upgrade multiple agents to a newer version, with optional rollout controls.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-bulk-upgrade parameters: - - description: The ID of the watchlist to update - in: path - name: id + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: + example: 'true' type: string requestBody: content: application/json: examples: - UpdateWatchlistRequest: - summary: Update watchlist request + postBulkUpgradeAgentsRequestExample: + description: Upgrade multiple agents to a specific version value: - description: High risk vendor watchlist - managed: false - name: High Risk Vendors - riskModifier: 1.5 + agents: + - agent-id-1 + - agent-id-2 + rollout_duration_seconds: 3600 + version: 8.17.0 schema: + additionalProperties: false type: object properties: - description: - description: Description of the watchlist - type: string - managed: - description: Indicates if the watchlist is managed by the system + agents: + anyOf: + - items: + type: string + maxItems: 10000 + type: array + - type: string + batchSize: + type: number + force: type: boolean - name: - description: Unique name of the watchlist - type: string - riskModifier: - description: Risk score modifier associated with the watchlist - maximum: 2 - minimum: 0 + includeInactive: + default: false + type: boolean + rollout_duration_seconds: + minimum: 600 type: number + skipRateLimitCheck: + type: boolean + source_uri: + type: string + start_time: + type: string + version: + type: string required: - - name - - riskModifier - required: true + - agents + - version responses: '200': content: application/json: examples: - UpdateWatchlistResponse: - summary: Updated watchlist + postBulkUpgradeAgentsExample: + description: Bulk upgrade action result value: - createdAt: '2026-01-28T12:00:00.000Z' - description: High risk vendor watchlist - id: watchlist-123 - managed: false - name: High Risk Vendors - riskModifier: 1.5 - updatedAt: 
'2026-02-18T12:00:00.000Z' + actionId: action-id-1 schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_WatchlistObject - description: Watchlist updated successfully - summary: Update an existing watchlist + additionalProperties: false + type: object + properties: + actionId: + type: string + required: + - actionId + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Bulk upgrade agents tags: - - Security Entity Analytics API - x-state: Technical Preview - /api/entity_analytics/watchlists/{watchlist_id}/csv_upload: - post: - description: > - Uploads a CSV file to add entities to a watchlist. The CSV must contain - a header row - - with a "type" column (user, host, service, or generic) and one or more - ECS identity - - fields (e.g. "user.name", "host.hostname") used to match entities in the - entity store. - - - Matched entities are added to the watchlist and their - `entity.attributes.watchlists` + - Elastic Agent actions + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/files/{fileId}: + delete: + description: |- + **Spaces method and path for this operation:** - field is updated in the entity store. +
delete /s/{space_id}/api/fleet/agents/files/{fileId}
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Each row will match up to 10,000 entities. - operationId: UploadWatchlistCsv + Delete a file uploaded by an agent.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: delete-fleet-agents-files-fileid parameters: - - description: The ID of the watchlist to add entities to - example: high-risk-vendors + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The ID of the uploaded file in: path - name: watchlist_id + name: fileId required: true schema: type: string - requestBody: - content: - multipart/form-data: - examples: - csvUpload: - summary: CSV file with user entities - value: - file: | - type,user.name - user,john.doe - user,jane.smith - schema: - type: object - properties: - file: - description: The CSV file to upload. - format: binary - type: string - required: - - file - required: true responses: '200': content: application/json: examples: - CsvUploadResponse: - summary: CSV upload response with mixed results + deleteAgentUploadFileExample: + description: Uploaded file successfully deleted value: - failed: 1 - items: - - matchedEntities: 1 - status: success - - error: Invalid entity type - matchedEntities: 0 - status: failure - - matchedEntities: 0 - status: unmatched - successful: 1 - total: 3 - unmatched: 1 + deleted: true + id: file-id-1 + schema: + additionalProperties: false + type: object + properties: + deleted: + type: boolean + id: + type: string + required: + - id + - deleted + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: + additionalProperties: false + description: Generic Error type: object properties: - failed: - description: Number of rows that failed to process - example: 1 - type: integer - items: - items: - $ref: >- - 
#/components/schemas/Security_Entity_Analytics_API_WatchlistCsvUploadResponseItem - type: array - successful: - description: Number of rows that matched at least one entity - example: 1 - type: integer - total: - description: Total number of rows processed - example: 3 - type: integer - unmatched: - description: Number of rows that matched no entities - example: 1 - type: integer + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number required: - - successful - - failed - - total - - unmatched - - items - description: Upload successful - '413': - description: File too large - summary: Upload a CSV file to add entities to a watchlist + - message + - attributes + description: Bad Request + summary: Delete an uploaded file tags: - - Security Entity Analytics API - x-state: Technical Preview - /api/entity_analytics/watchlists/{watchlist_id}/entities/assign: - post: - description: > - Assigns the provided entities to the specified watchlist using a - "manual" source label. - - The entities must already exist in the entity store. + - Elastic Agents + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/files/{fileId}/{fileName}: + get: + description: |- + **Spaces method and path for this operation:** +
get /s/{space_id}/api/fleet/agents/files/{fileId}/{fileName}
- If an entity is already on the watchlist, no new document is created — - the "manual" label + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - is added to its existing source labels instead. - operationId: AssignWatchlistEntities + Get a file uploaded by an agent.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agents-files-fileid-filename parameters: - - description: The ID of the watchlist to add entities to - example: high-risk-vendors + - description: The ID of the uploaded file in: path - name: watchlist_id + name: fileId + required: true + schema: + type: string + - description: The name of the uploaded file + in: path + name: fileName required: true schema: type: string - requestBody: - content: - application/json: - examples: - assignEntities: - summary: Assign two entities to a watchlist - value: - euids: - - user:john.doe - - host:web-01 - schema: - type: object - properties: - euids: - description: The EUIDs of the entities to assign - example: - - user:john.doe - - host:web-01 - items: - type: string - type: array - required: - - euids - required: true responses: '200': content: application/json: examples: - assignEntitiesResponse: - summary: Successful assignment of two entities + getAgentUploadFileExample: + description: The uploaded file content as a stream + value: + schema: + type: object + description: Successful response — returns the uploaded file content + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response value: - failed: 0 - items: - - euid: user:john.doe - status: success - - euid: host:web-01 - status: not_found - not_found: 1 - successful: 1 - total: 2 + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: + additionalProperties: false + description: Generic Error type: object properties: - failed: - description: Number of entities that failed to process - example: 0 - type: integer - items: - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_WatchlistEntityAssignResponseItem - type: array - not_found: - description: Number of entities not found in the entity store - example: 1 - type: integer - 
successful: - description: Number of entities successfully assigned - example: 1 - type: integer - total: - description: Total number of entities processed - example: 2 - type: integer + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number required: - - successful - - failed - - not_found - - total - - items - description: Assignment successful - summary: Manually assign entities to a watchlist + - message + - attributes + description: Bad Request + summary: Get an uploaded file tags: - - Security Entity Analytics API - x-state: Technical Preview; added in 9.4.0 - /api/entity_analytics/watchlists/{watchlist_id}/entities/unassign: - post: - description: | - Unassigns the provided entities from the specified watchlist. - This only removes the "manual" assignment. If the entity is also - assigned via other sources (for example, index or integration), it will - remain on the watchlist. - operationId: UnassignWatchlistEntities - parameters: - - description: The ID of the watchlist to remove entities from - example: high-risk-vendors - in: path - name: watchlist_id - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - unassignEntities: - summary: Unassign two entities from a watchlist - value: - euids: - - user:john.doe - - host:web-01 - schema: - type: object - properties: - euids: - description: The EUIDs of the entities to unassign - example: - - user:john.doe - - host:web-01 - items: - type: string - type: array - required: - - euids - required: true + - Elastic Agents + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/setup: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agents/setup
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the current Fleet setup status, including whether Fleet is ready to enroll agents and which requirements or optional features are missing.

[Required authorization] Route required privileges: fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup. + operationId: get-fleet-agents-setup + parameters: [] responses: '200': content: application/json: examples: - unassignEntitiesResponse: - summary: Successful unassignment of two entities + agentsSetupNotReadyExample: + description: Fleet is not ready — a Fleet Server and API keys are required value: - failed: 0 - items: - - euid: user:john.doe - status: success - - euid: host:web-01 - status: not_found - not_found: 1 - successful: 1 - total: 2 + is_action_secrets_storage_enabled: false + is_secrets_storage_enabled: false + is_space_awareness_enabled: false + is_ssl_secrets_storage_enabled: false + isReady: false + missing_optional_features: + - encrypted_saved_object_encryption_key_required + missing_requirements: + - fleet_server + - api_keys + agentsSetupReadyExample: + description: Fleet is ready to enroll agents — all requirements are met + value: + is_action_secrets_storage_enabled: true + is_secrets_storage_enabled: true + is_space_awareness_enabled: false + is_ssl_secrets_storage_enabled: false + isReady: true + missing_optional_features: [] + missing_requirements: [] + package_verification_key_id: D88DB4CC schema: + additionalProperties: false + description: A summary of the agent setup status. `isReady` indicates whether the setup is ready. If the setup is not ready, `missing_requirements` lists which requirements are missing. 
type: object properties: - failed: - description: Number of entities that failed to process - example: 0 - type: integer - items: + is_action_secrets_storage_enabled: + type: boolean + is_secrets_storage_enabled: + type: boolean + is_space_awareness_enabled: + type: boolean + is_ssl_secrets_storage_enabled: + type: boolean + isReady: + type: boolean + missing_optional_features: items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_WatchlistEntityUnassignResponseItem + enum: + - encrypted_saved_object_encryption_key_required + type: string + maxItems: 1 type: array - not_found: - description: >- - Number of entities not found in the manual watchlist - assignment - example: 1 - type: integer - successful: - description: Number of entities successfully unassigned - example: 1 - type: integer - total: - description: Total number of entities processed - example: 2 - type: integer + missing_requirements: + items: + enum: + - security_required + - tls_required + - api_keys + - fleet_admin_user + - fleet_server + type: string + maxItems: 5 + type: array + package_verification_key_id: + type: string required: - - successful - - failed - - not_found - - total - - items - description: Unassignment successful - summary: Manually unassign entities from a watchlist - tags: - - Security Entity Analytics API - x-state: Technical Preview; added in 9.4.0 - /api/entity_analytics/watchlists/list: - get: - description: Returns a list of all entity analytics watchlists. 
- operationId: ListWatchlists - responses: - '200': + - isReady + - missing_requirements + - missing_optional_features + description: Fleet setup status + '400': content: application/json: examples: - ListWatchlistsResponse: - summary: List of watchlists + genericErrorResponseExample: + description: Example of a generic error response value: - - createdAt: '2026-01-28T12:00:00.000Z' - description: High risk vendor watchlist - id: watchlist-123 - managed: false - name: High Risk Vendors - riskModifier: 1.5 - updatedAt: '2026-02-18T12:00:00.000Z' - - createdAt: '2026-01-10T09:30:00.000Z' - description: Privileged user monitoring watchlist - id: watchlist-456 - managed: true - name: Privileged Accounts - riskModifier: 2 - updatedAt: '2026-02-01T15:45:00.000Z' + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_WatchlistObject - type: array - description: List of watchlists - summary: List all watchlists + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get agent setup info tags: - - Security Entity Analytics API - x-state: Technical Preview - /api/entity_store/enable: + - Elastic Agents + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name post: - description: >- - Initialize the entire Entity Store, creating engines for all or - specified entity types. - operationId: InitEntityStore - requestBody: - content: - application/json: - schema: - type: object - properties: - delay: - default: 1m - description: The delay before the transform will run. - pattern: '[smdh]$' - type: string - docsPerSecond: - default: -1 - description: The number of documents per second to process. 
- type: integer - enrichPolicyExecutionInterval: - $ref: '#/components/schemas/Security_Entity_Analytics_API_Interval' - entityTypes: - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EntityType - type: array - fieldHistoryLength: - default: 10 - description: The number of historical values to keep for each field. - type: integer - filter: - type: string - frequency: - default: 1m - description: The frequency at which the transform will run. - pattern: '[smdh]$' - type: string - indexPattern: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_IndexPattern - lookbackPeriod: - default: 3h - description: >- - The amount of time the transform looks back to calculate the - aggregations. - pattern: '[smdh]$' - type: string - maxPageSearchSize: - default: 500 - description: >- - The initial page size to use for the composite aggregation - of each checkpoint. - type: integer - timeout: - default: 180s - description: The timeout for initializing the aggregating transform. - pattern: '[smdh]$' - type: string - timestampField: - default: '@timestamp' - description: The field to use as the timestamp. - type: string - description: Configuration for the entity store initialization. - required: true + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/setup
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Initialize Fleet. This endpoint is used by Elastic Agents to trigger Fleet setup. Safe to call multiple times; subsequent calls are idempotent.

[Required authorization] Route required privileges: fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup. + operationId: post-fleet-agents-setup + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string responses: '200': content: application/json: examples: - initEntityStoreExample: - description: >- - The Entity Store was successfully initialized, creating host - and user engines in the installing state. - summary: Entity Store initialized with host and user engines + agentsSetupSuccessExample: + description: Fleet setup initialized successfully with no non-fatal errors value: - engines: - - delay: 1m - fieldHistoryLength: 10 - frequency: 1m - indexPattern: '' - lookbackPeriod: 24h - status: installing - timeout: 180s - timestampField: '@timestamp' - type: host - - delay: 1m - fieldHistoryLength: 10 - frequency: 1m - indexPattern: '' - lookbackPeriod: 24h - status: installing - timeout: 180s - timestampField: '@timestamp' - type: user - succeeded: true + isInitialized: true + nonFatalErrors: [] schema: + additionalProperties: false + description: A summary of the result of Fleet's `setup` lifecycle. If `isInitialized` is true, Fleet is ready to accept agent enrollment. `nonFatalErrors` may include useful insight into non-blocking issues with Fleet setup. type: object properties: - engines: - description: The engine descriptors created during initialization. + isInitialized: + type: boolean + nonFatalErrors: items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EngineDescriptor + additionalProperties: false + type: object + properties: + message: + type: string + name: + type: string + required: + - name + - message + maxItems: 10000 type: array - succeeded: - description: Whether the Entity Store was initialized successfully. 
- type: boolean - description: Successful response + required: + - isInitialized + - nonFatalErrors + description: Fleet setup completed '400': - description: Invalid request - summary: Initialize the Entity Store + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Initiate Fleet setup tags: - - Security Entity Analytics API - /api/entity_store/engines: - delete: - operationId: DeleteEntityEngines - parameters: - - description: >- - The entity type of the engine ('user', 'host', 'service', - 'generic'). - examples: - hostAndService: - value: host,service + - Elastic Agents + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/agents/tags: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agents/tags
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all tags used across enrolled agents.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agents-tags + parameters: + - description: A KQL query string to filter results in: query - name: entityTypes + name: kuery required: false schema: - description: >- - Array of engine types to delete. Empty by default, which results - in all the engines being deleted. - items: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - type: array - - description: Control flag to also delete the entity data. + type: string + - description: When true, include tags from inactive agents in: query - name: delete_data + name: showInactive required: false schema: + default: false type: boolean responses: '200': content: application/json: examples: - deleteEntityEnginesExample: - description: Example response after deleting 'host' engine + getAgentTagsExample: + description: List of tags used across agents value: - deleted: - - host - still_running: - - generic - - user - - service + items: + - production + - linux + - datacenter-1 schema: + additionalProperties: false type: object properties: - deleted: - description: Entity types whose engines were successfully deleted. - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EntityType - type: array - still_running: - description: Entity types whose engines are still running. + items: items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EntityType + type: string + maxItems: 10000 type: array + required: + - items description: Successful response - summary: Delete Entity Engines - tags: - - Security Entity Analytics API - get: - description: Get a list of all installed entity engines and their current status. - operationId: ListEntityEngines - responses: - '200': + '400': content: application/json: examples: - listEntityEnginesExample: - description: >- - Returns a list with one running host engine and one stopped - user engine. 
- summary: Two engines installed + genericErrorResponseExample: + description: Example of a generic error response value: - count: 2 - engines: - - delay: 1m - fieldHistoryLength: 10 - frequency: 1m - indexPattern: '' - lookbackPeriod: 24h - status: started - timeout: 180s - timestampField: '@timestamp' - type: host - - delay: 1m - fieldHistoryLength: 10 - frequency: 1m - indexPattern: '' - lookbackPeriod: 24h - status: stopped - timeout: 180s - timestampField: '@timestamp' - type: user + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: + additionalProperties: false + description: Generic Error type: object properties: - count: - description: The total number of entity engines. - type: integer - engines: - description: An array of engine descriptors. - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EngineDescriptor - type: array - description: Successful response - summary: List the Entity Engines + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get agent tags tags: - - Security Entity Analytics API - /api/entity_store/engines/{entityType}: - delete: - operationId: DeleteEntityEngine + - Elastic Agents + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/check-permissions: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/check-permissions
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Check whether the current user has the required permissions to use Fleet. Optionally verifies Fleet Server setup privileges. + operationId: get-fleet-check-permissions parameters: - - description: The entity type of the engine (either 'user' or 'host'). - examples: - host: - value: host - in: path - name: entityType - required: true - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - - description: Control flag to also delete the entity data. - in: query - name: delete_data - required: false - schema: - type: boolean - - deprecated: true - description: Control flag to also delete the entity data. + - description: When true, check Fleet Server setup privileges in addition to standard Fleet privileges in: query - name: data + name: fleetServerSetup required: false schema: type: boolean 
@@ -13206,3534 +31527,3332 @@ paths: content: application/json: examples: - deleteEntityEngineExample: - description: Example response after deleting 'host' engine + checkPermissionsMissingPrivilegesExample: + description: The current user is missing Fleet privileges value: - deleted: true + error: MISSING_PRIVILEGES + success: false + checkPermissionsSuccessExample: + description: The current user has all required Fleet permissions + value: + success: true schema: + additionalProperties: false type: object properties: - deleted: - description: Whether the engine was successfully deleted. + error: + enum: + - MISSING_SECURITY + - MISSING_PRIVILEGES + - MISSING_FLEET_SERVER_SETUP_PRIVILEGES + type: string + success: type: boolean + required: + - success description: Successful response - summary: Delete the Entity Engine + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Check permissions tags: - - Security Entity Analytics API + - Fleet internals + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/cloud_connectors: get: - description: >- - Get the engine descriptor for a specific entity type, including its - configuration and current status. - operationId: GetEntityEngine + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/cloud_connectors
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all Fleet cloud connectors.

[Required authorization] Route required privileges: fleet-agent-policies-read OR integrations-read. + operationId: get-fleet-cloud-connectors parameters: - - description: The entity type of the engine. - example: host - in: path - name: entityType - required: true + - description: The page number for pagination. + in: query + name: page + required: false schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + type: string + - description: The number of items per page. + in: query + name: perPage + required: false + schema: + type: string + - description: KQL query to filter cloud connectors. + in: query + name: kuery + required: false + schema: + type: string responses: '200': content: application/json: examples: - getEntityEngineExample: - description: >- - Returns the engine descriptor for a host engine that is - currently running with default settings. - summary: A running host engine + getCloudConnectorsExample: + description: List of Fleet cloud connectors value: - delay: 1m - fieldHistoryLength: 10 - frequency: 1m - indexPattern: '' - lookbackPeriod: 24h - status: started - timeout: 180s - timestampField: '@timestamp' - type: host + items: + - accountType: single-account + cloudProvider: aws + created_at: '2024-01-15T10:00:00.000Z' + id: cloud-connector-id-1 + name: My AWS connector + packagePolicyCount: 2 + updated_at: '2024-01-15T10:00:00.000Z' + vars: {} schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EngineDescriptor + additionalProperties: false + type: object + properties: + items: + items: + additionalProperties: false + type: object + properties: + accountType: + type: string + cloudProvider: + type: string + created_at: + type: string + id: + type: string + name: + type: string + namespace: + type: string + packagePolicyCount: + type: number + updated_at: + type: string + vars: + additionalProperties: + nullable: true + type: object + verification_failed_at: + type: string + verification_started_at: + 
type: string + verification_status: + type: string + required: + - id + - name + - cloudProvider + - vars + - packagePolicyCount + - created_at + - updated_at + maxItems: 10000 + type: array + required: + - items description: Successful response - summary: Get an Entity Engine + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get cloud connectors tags: - - Security Entity Analytics API - /api/entity_store/engines/{entityType}/init: + - Fleet cloud connectors + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name post: - description: Initialize a single entity engine for the specified entity type. - operationId: InitEntityEngine + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/cloud_connectors
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new Fleet cloud connector.

[Required authorization] Route required privileges: fleet-agent-policies-all OR integrations-all. + operationId: post-fleet-cloud-connectors parameters: - - description: The entity type of the engine. - in: path - name: entityType + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + example: 'true' + type: string requestBody: content: application/json: + examples: + postCloudConnectorRequestExample: + description: Create a new AWS cloud connector + value: + accountType: single-account + cloudProvider: aws + name: My AWS connector + vars: {} schema: + additionalProperties: false type: object properties: - delay: - default: 1m - description: The delay before the transform will run. - pattern: '[smdh]$' - type: string - docsPerSecond: - default: -1 - description: The number of documents per second to process. - type: integer - enrichPolicyExecutionInterval: - $ref: '#/components/schemas/Security_Entity_Analytics_API_Interval' - fieldHistoryLength: - default: 10 - description: The number of historical values to keep for each field. - type: integer - filter: - type: string - frequency: - default: 1m - description: The frequency at which the transform will run. - pattern: '[smdh]$' - type: string - indexPattern: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_IndexPattern - lookbackPeriod: - default: 3h - description: >- - The amount of time the transform looks back to calculate the - aggregations. - pattern: '[smdh]$' + accountType: + description: 'The account type: single-account (single account/subscription) or organization-account (organization-wide).' + enum: + - single-account + - organization-account type: string - maxPageSearchSize: - default: 500 - description: >- - The initial page size to use for the composite aggregation - of each checkpoint. 
- type: integer - timeout: - default: 180s - description: The timeout for initializing the aggregating transform. - pattern: '[smdh]$' + cloudProvider: + description: 'The cloud provider type: aws, azure, or gcp.' + enum: + - aws + - azure + - gcp type: string - timestampField: - default: '@timestamp' - description: The field to use as the timestamp for the entity type. + name: + description: The name of the cloud connector. + maxLength: 255 + minLength: 1 type: string - description: Schema for the engine initialization - required: true + vars: + additionalProperties: + anyOf: + - maxLength: 1000 + type: string + - type: number + - type: boolean + - additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + maxLength: 50 + type: string + value: + anyOf: + - maxLength: 1000 + type: string + - additionalProperties: false + type: object + properties: + id: + maxLength: 255 + type: string + isSecretRef: + type: boolean + required: + - isSecretRef + - id + required: + - type + - value + type: object + required: + - name + - cloudProvider + - vars responses: '200': content: application/json: examples: - initEntityEngineExample: - description: >- - A host engine was successfully initialized and is now in the - installing state. 
- summary: Host engine initialized + postCloudConnectorExample: + description: The created Fleet cloud connector value: - delay: 1m - fieldHistoryLength: 10 - frequency: 1m - indexPattern: '' - lookbackPeriod: 3h - status: installing - timeout: 180s - timestampField: '@timestamp' - type: host + item: + accountType: single-account + cloudProvider: aws + created_at: '2024-01-15T10:00:00.000Z' + id: cloud-connector-id-2 + name: My AWS connector + packagePolicyCount: 0 + updated_at: '2024-01-15T10:00:00.000Z' + vars: {} schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EngineDescriptor - description: Successful response - '400': - description: Invalid request - summary: Initialize an Entity Engine - tags: - - Security Entity Analytics API - /api/entity_store/engines/{entityType}/start: - post: - description: >- - Start a previously stopped entity engine, resuming transform processing - for the given entity type. - operationId: StartEntityEngine - parameters: - - description: The entity type of the engine to start. 
- example: host - in: path - name: entityType - required: true - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - responses: - '200': + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + accountType: + type: string + cloudProvider: + type: string + created_at: + type: string + id: + type: string + name: + type: string + namespace: + type: string + packagePolicyCount: + type: number + updated_at: + type: string + vars: + additionalProperties: + nullable: true + type: object + verification_failed_at: + type: string + verification_started_at: + type: string + verification_status: + type: string + required: + - id + - name + - cloudProvider + - vars + - packagePolicyCount + - created_at + - updated_at + required: + - item + description: Successful response + '400': content: application/json: examples: - startEntityEngineExample: - description: >- - The engine was successfully started and is now processing - data. - summary: Engine started successfully + genericErrorResponseExample: + description: Example of a generic error response value: - started: true + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: + additionalProperties: false + description: Generic Error type: object properties: - started: - description: Whether the engine was successfully started. - type: boolean - description: Successful response - summary: Start an Entity Engine + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Create cloud connector tags: - - Security Entity Analytics API - /api/entity_store/engines/{entityType}/stop: - post: - description: >- - Stop a running entity engine, pausing transform processing for the given - entity type. 
- operationId: StopEntityEngine + - Fleet cloud connectors + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/cloud_connectors/{cloudConnectorId}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/cloud_connectors/{cloudConnectorId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a cloud connector by ID. Use the `force` query parameter to delete even if package policies are still using it.

[Required authorization] Route required privileges: fleet-agent-policies-all OR integrations-all. + operationId: delete-fleet-cloud-connectors-cloudconnectorid parameters: - - description: The entity type of the engine to stop. - example: host + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The unique identifier of the cloud connector to delete. in: path - name: entityType + name: cloudConnectorId required: true schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + type: string + - description: If true, forces deletion even if the cloud connector is in use. + in: query + name: force + required: false + schema: + type: boolean responses: '200': content: application/json: examples: - stopEntityEngineExample: - description: >- - The engine was successfully stopped and is no longer - processing data. - summary: Engine stopped successfully + deleteCloudConnectorExample: + description: The cloud connector was successfully deleted value: - stopped: true + id: cloud-connector-id-1 schema: + additionalProperties: false type: object properties: - stopped: - description: Whether the engine was successfully stopped. - type: boolean + id: + type: string + required: + - id description: Successful response - summary: Stop an Entity Engine - tags: - - Security Entity Analytics API - /api/entity_store/engines/apply_dataview_indices: - post: - description: >- - Synchronize data view index patterns to all running entity engines so - that newly added indices are picked up by the transforms. - operationId: ApplyEntityEngineDataviewIndices - responses: - '200': + '400': content: application/json: examples: - applyDataviewIndicesExample: - description: >- - All running engines were successfully updated with the - current data view index patterns. 
- summary: All engines updated + genericErrorResponseExample: + description: Example of a generic error response value: - result: - - changes: - indexPatterns: - - logs-* - - filebeat-* - - auditbeat-* - type: host - - changes: - indexPatterns: - - logs-* - - filebeat-* - - auditbeat-* - type: user - success: true + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: + additionalProperties: false + description: Generic Error type: object properties: - result: - description: Per-engine update results. - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EngineDataviewUpdateResult - type: array - success: - description: Whether all engines updated successfully. - type: boolean - description: Successful response - '207': + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Delete cloud connector (supports force deletion) + tags: + - Fleet cloud connectors + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/cloud_connectors/{cloudConnectorId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a cloud connector by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read OR integrations-read. + operationId: get-fleet-cloud-connectors-cloudconnectorid + parameters: + - description: The unique identifier of the cloud connector. + in: path + name: cloudConnectorId + required: true + schema: + type: string + responses: + '200': content: application/json: examples: - partialSuccessExample: - description: >- - The host engine was updated but the user engine failed due - to insufficient privileges. - summary: One engine failed + getCloudConnectorExample: + description: A Fleet cloud connector value: - errors: - - 'Failed to update user engine: insufficient privileges' - result: - - changes: - indexPatterns: - - logs-* - - filebeat-* - type: host - success: false + item: + accountType: single-account + cloudProvider: aws + created_at: '2024-01-15T10:00:00.000Z' + id: cloud-connector-id-1 + name: My AWS connector + packagePolicyCount: 2 + updated_at: '2024-01-15T10:00:00.000Z' + vars: {} schema: + additionalProperties: false type: object properties: - errors: - description: Error messages for engines that failed to update. - items: - type: string - type: array - result: - description: Per-engine update results for engines that succeeded. - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EngineDataviewUpdateResult - type: array - success: - description: Always `false` for a partial success. 
- type: boolean - description: Partial successful response - '500': + item: + additionalProperties: false + type: object + properties: + accountType: + type: string + cloudProvider: + type: string + created_at: + type: string + id: + type: string + name: + type: string + namespace: + type: string + packagePolicyCount: + type: number + updated_at: + type: string + vars: + additionalProperties: + nullable: true + type: object + verification_failed_at: + type: string + verification_started_at: + type: string + verification_status: + type: string + required: + - id + - name + - cloudProvider + - vars + - packagePolicyCount + - created_at + - updated_at + required: + - item + description: Successful response + '400': content: application/json: examples: - serverErrorExample: - description: >- - An unexpected error occurred while applying data view - indices. - summary: Internal server error + genericErrorResponseExample: + description: Example of a generic error response value: - body: An internal error occurred while updating engine indices - statusCode: 500 + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: + additionalProperties: false + description: Generic Error type: object properties: - body: - description: Error message. + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: type: string statusCode: - description: HTTP status code. type: number - description: Error response - summary: Apply DataView indices to all installed engines + required: + - message + - attributes + description: Bad Request + summary: Get cloud connector tags: - - Security Entity Analytics API - /api/entity_store/entities/{entityType}: - delete: - description: > - Delete a single entity in Entity Store. 
+ - Fleet cloud connectors + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** - The entity will be immediately deleted from the latest index. It will - remain available in historical snapshots if it has been snapshotted. - The delete operation does not prevent the entity from being recreated if - it is observed again in the future. - operationId: DeleteSingleEntity +
put /s/{space_id}/api/fleet/cloud_connectors/{cloudConnectorId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update a cloud connector by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all OR integrations-all. + operationId: put-fleet-cloud-connectors-cloudconnectorid parameters: - - example: user + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The unique identifier of the cloud connector to update. in: path - name: entityType + name: cloudConnectorId required: true schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + type: string requestBody: content: application/json: + examples: + putCloudConnectorRequestExample: + description: Update a Fleet cloud connector + value: + name: Updated AWS connector + vars: {} schema: + additionalProperties: false type: object properties: - id: - description: >- - Identifier of the entity to be deleted, commonly entity.id - value. - example: arn:aws:iam::123456789012:user/jane.doe + accountType: + description: 'The account type: single-account (single account/subscription) or organization-account (organization-wide).' + enum: + - single-account + - organization-account type: string - required: - - id - description: Schema for the deleting entity - required: true + name: + description: The name of the cloud connector. 
+ maxLength: 255 + minLength: 1 + type: string + vars: + additionalProperties: + anyOf: + - maxLength: 1000 + type: string + - type: number + - type: boolean + - additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + maxLength: 50 + type: string + value: + anyOf: + - maxLength: 1000 + type: string + - additionalProperties: false + type: object + properties: + id: + maxLength: 255 + type: string + isSecretRef: + type: boolean + required: + - isSecretRef + - id + required: + - type + - value + type: object responses: '200': content: application/json: examples: - deleteEntityExample: - description: >- - The entity was found and successfully removed from the - latest index. - summary: Entity deleted + putCloudConnectorExample: + description: The updated Fleet cloud connector value: - deleted: true + item: + accountType: single-account + cloudProvider: aws + created_at: '2024-01-15T10:00:00.000Z' + id: cloud-connector-id-1 + name: Updated AWS connector + packagePolicyCount: 2 + updated_at: '2024-01-15T11:00:00.000Z' + vars: {} schema: + additionalProperties: false type: object properties: - deleted: - description: Whether the entity was successfully deleted. - type: boolean - description: Successful response. Entity deleted. - '404': - description: Entity Not Found. No entity with this ID and Type exists. - '503': - description: >- - Operation on an uninitialized Engine or in a cluster without CRUD - API Enabled - summary: Delete an entity in Entity Store - tags: - - Security Entity Analytics API - put: - description: > - Update or create an entity in Entity Store. - - If the specified entity already exists, it is updated with the provided - values. If the entity does not exist, a new one is created. By default, - only the following fields can be updated: * `entity.attributes.*` * - `entity.lifecycle.*` * `entity.behavior.*` To update other fields, set - the `force` query parameter to `true`. 
> info > Some fields always - retain the first observed value. Updates to these fields will not appear - in the final index. - - > Due to technical limitations, not all updates are guaranteed to appear - in the final list of observed values. - - > Due to technical limitations, create is an async operation. The time - for a document to be present in the > final index depends on the entity - store transform and usually takes more than 1 minute. - operationId: UpsertEntity - parameters: - - example: user - in: path - name: entityType - required: true - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - - description: When true, allows updating protected fields. - in: query - name: force - required: false - schema: - default: false - type: boolean - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_Entity' - description: Schema for the updating a single entity - required: true - responses: - '200': + item: + additionalProperties: false + type: object + properties: + accountType: + type: string + cloudProvider: + type: string + created_at: + type: string + id: + type: string + name: + type: string + namespace: + type: string + packagePolicyCount: + type: number + updated_at: + type: string + vars: + additionalProperties: + nullable: true + type: object + verification_failed_at: + type: string + verification_started_at: + type: string + verification_status: + type: string + required: + - id + - name + - cloudProvider + - vars + - packagePolicyCount + - created_at + - updated_at + required: + - item + description: Successful response + '400': content: application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_Entity' - description: Entity updated or created - 
'403': - description: Operation on a restricted field - '409': - description: >- - Conflict. The entity was updated while another update was happening - in ElasticSearch - '503': - description: >- - Operation on an uninitialized Engine or in a cluster without CRUD - API Enabled - summary: Upsert an entity in Entity Store - tags: - - Security Entity Analytics API - /api/entity_store/entities/bulk: - put: - description: > - Update or create many entities in Entity Store. - - If the specified entity already exists, it is updated with the provided - values. If the entity does not exist, a new one is created. - - The creation is asynchronous. The time for a document to be present in - the final index depends on the entity store transform and usually takes - more than 1 minute. - operationId: UpsertEntitiesBulk - parameters: - - description: When true, allows updating protected fields. - in: query - name: force - required: false - schema: - default: false - type: boolean - requestBody: - content: - application/json: - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EntitiesContainer - description: Schema for the updating many entities - required: true - responses: - '200': - description: Entities updated or created - '403': - description: Operation on a restricted field - '503': - description: >- - Operation on an uninitialized Engine or in a cluster without CRUD - API Enabled - summary: Upsert many entities in Entity Store + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Update cloud connector tags: - - Security Entity Analytics API - /api/entity_store/entities/list: - get: - description: List entities records, paging, sorting and filtering as needed. 
- operationId: ListEntities - parameters: - - description: Field to sort results by. - example: entity.name - in: query - name: sort_field - required: false - schema: - type: string - - description: Sort order. - in: query - name: sort_order - required: false + - Fleet cloud connectors + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/cloud_connectors/{cloudConnectorId}/usage: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/cloud_connectors/{cloudConnectorId}/usage
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of package policies that are using a given cloud connector.

[Required authorization] Route required privileges: fleet-agent-policies-read OR integrations-read. + operationId: get-fleet-cloud-connectors-cloudconnectorid-usage + parameters: + - description: The unique identifier of the cloud connector. + in: path + name: cloudConnectorId + required: true schema: - enum: - - asc - - desc type: string - - description: Page number to return (1-indexed). - example: 1 + - description: The page number for pagination. in: query name: page required: false schema: minimum: 1 - type: integer - - description: Number of entities per page. - example: 10 + type: number + - description: The number of items per page. in: query - name: per_page + name: perPage required: false schema: - maximum: 10000 minimum: 1 - type: integer - - description: An ES query to filter by. - in: query - name: filterQuery - required: false - schema: - type: string - - description: Entity types to include in the results. - in: query - name: entity_types - required: true - schema: - items: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - type: array + type: number responses: '200': content: application/json: + examples: + getCloudConnectorUsageResponseExample: + description: Example response showing package policies using the cloud connector + value: + items: + - created_at: '2025-01-16T09:00:00.000Z' + id: package-policy-1 + name: CSPM AWS Policy + package: + name: cloud_security_posture + title: Cloud Security Posture Management + version: 3.1.1 + policy_ids: + - policy-id-123 + - policy-id-456 + updated_at: '2025-01-16T09:00:00.000Z' + page: 1 + perPage: 20 + total: 2 schema: + additionalProperties: false type: object properties: - inspect: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_InspectQuery - page: - description: Current page number. - minimum: 1 - type: integer - per_page: - description: Number of entities per page. 
- maximum: 1000 - minimum: 1 - type: integer - records: - description: The entity records for this page. + items: items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_Entity + additionalProperties: false + type: object + properties: + created_at: + type: string + id: + type: string + name: + type: string + package: + additionalProperties: false + type: object + properties: + name: + type: string + title: + type: string + version: + type: string + required: + - name + - title + - version + policy_ids: + items: + type: string + maxItems: 10000 + type: array + updated_at: + type: string + required: + - id + - name + - policy_ids + - created_at + - updated_at + maxItems: 10000 type: array + page: + type: number + perPage: + type: number total: - description: Total number of entities matching the query. - minimum: 0 - type: integer + type: number required: - - records - - page - - per_page + - items - total - description: Entities returned successfully - summary: List Entity Store Entities - tags: - - Security Entity Analytics API - /api/entity_store/status: - get: - description: >- - Get the overall Entity Store status and per-engine statuses, optionally - including component-level health details. - operationId: GetEntityStoreStatus - parameters: - - description: >- - If true, returns a detailed status of each engine including all its - components. - example: true - in: query - name: include_components - schema: - type: boolean - responses: - '200': + - page + - perPage + description: 'OK: A successful request.' + '400': content: application/json: examples: - entityStoreRunning: - description: >- - The Entity Store is running with both host and user engines - started and using default settings. 
- summary: Entity Store running with two engines + genericErrorResponseExample: + description: Example of a generic error response value: - engines: - - delay: 1m - fieldHistoryLength: 10 - frequency: 1m - indexPattern: '' - lookbackPeriod: 24h - status: started - timeout: 180s - timestampField: '@timestamp' - type: host - - delay: 1m - fieldHistoryLength: 10 - frequency: 1m - indexPattern: '' - lookbackPeriod: 24h - status: started - timeout: 180s - timestampField: '@timestamp' - type: user - status: running + error: Bad Request + message: Cloud connector not found + statusCode: 400 schema: + additionalProperties: false + description: Generic Error type: object properties: - engines: - description: Per-engine status information. - items: - allOf: - - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EngineDescriptor - - type: object - properties: - components: - description: >- - Detailed component-level status. Only included - when include_components is true. - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EngineComponentStatus - type: array - type: array - status: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_StoreStatus - description: The overall status of the Entity Store. + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number required: - - status - - engines - description: Successful response - summary: Get the status of the Entity Store + - message + - attributes + description: A bad request. + summary: Get cloud connector usage (package policies using the connector) tags: - - Security Entity Analytics API - /api/exception_lists: - delete: - description: Delete an exception list using the `id` or `list_id` field. - operationId: DeleteExceptionList - parameters: - - description: >- - Exception list's identifier. Either `id` or `list_id` must be - specified. 
- in: query - name: id - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' - - description: >- - Human readable exception list string identifier, e.g. - `trusted-linux-processes`. Either `id` or `list_id` must be - specified. - examples: - autogeneratedId: - value: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - list_id: - value: simple_list - in: query - name: list_id - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - - description: > - `single` deletes the list in the current Kibana space; `agnostic` - deletes a global list. Must match the + - Fleet cloud connectors + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/data_streams: + get: + description: |- + **Spaces method and path for this operation:** - list you are removing when using `list_id` or `id`. - examples: - agnostic: - value: agnostic - single: - value: single - in: query - name: namespace_type - required: false - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - default: single +
get /s/{space_id}/api/fleet/data_streams
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all Fleet-managed data streams with metadata including package, namespace, size, and last activity.

[Required authorization] Route required privileges: fleet-agents-all AND fleet-agent-policies-all AND fleet-settings-all. + operationId: get-fleet-data-streams + parameters: [] responses: '200': content: application/json: examples: - detectionExceptionList: + getDataStreamsExample: + description: List of Fleet-managed data streams value: - _version: WzIsMV0= - created_at: 2025-01-07T19:34:27.942Z - created_by: elastic - description: This is a sample detection type exception list. - id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 - immutable: false - list_id: simple_list - name: Sample Detection Exception List - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 - type: detection - updated_at: 2025-01-07T19:34:27.942Z - updated_by: elastic - version: 1 + data_streams: + - dashboards: + - id: nginx-overview + title: Nginx Overview + dataset: nginx.access + index: logs-nginx.access-default + last_activity_ms: 1700000000000 + namespace: default + package: nginx + package_version: 1.20.0 + serviceDetails: null + size_in_bytes: 1048576 + size_in_bytes_formatted: 1mb + type: logs + - dashboards: [] + dataset: system.cpu + index: metrics-system.cpu-default + last_activity_ms: 1699999000000 + namespace: default + package: system + package_version: 1.38.0 + serviceDetails: null + size_in_bytes: 524288 + size_in_bytes_formatted: 512kb + type: metrics schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + additionalProperties: false + type: object + properties: + data_streams: + items: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + title: + type: string + required: + - id + - title + maxItems: 10000 + type: array + dataset: + type: string + index: + type: string + last_activity_ms: + type: number + namespace: + type: string + package: + type: string + package_version: + type: 
string + serviceDetails: + additionalProperties: false + nullable: true + type: object + properties: + environment: + type: string + serviceName: + type: string + required: + - environment + - serviceName + size_in_bytes: + type: number + size_in_bytes_formatted: + anyOf: + - type: number + - type: string + type: + type: string + required: + - index + - dataset + - namespace + - type + - package + - package_version + - last_activity_ms + - size_in_bytes + - size_in_bytes_formatted + - dashboards + - serviceDetails + maxItems: 10000 + type: array + required: + - data_streams description: Successful response '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: >- - [request query]: namespace_type.0: Invalid enum value. - Expected 'agnostic' | 'single', received 'blob' + message: An error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [DELETE - /api/exception_lists?list_id=simple_list&namespace_type=single] - is unauthorized for user, this action is granted by the - Kibana privileges [lists-all] - statusCode: 403 - 
schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message: 'exception list list_id: "foo" does not exist' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Delete an exception list + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get data streams tags: - - Security Exceptions API + - Data streams + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/enrollment_api_keys: get: - description: Get the details of an exception list using the `id` or `list_id` field. - operationId: ReadExceptionList + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/enrollment_api_keys
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all enrollment API keys.

[Required authorization] Route required privileges: fleet-agents-all OR fleet-setup. + operationId: get-fleet-enrollment-api-keys parameters: - - description: >- - Exception list's identifier. Either `id` or `list_id` must be - specified. - in: query - name: id - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' - - description: >- - Human readable exception list string identifier, e.g. - `trusted-linux-processes`. Either `id` or `list_id` must be - specified. + - description: Page number in: query - name: list_id + name: page required: false schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - - description: > - When `single`, the list is resolved in the current Kibana space. - When `agnostic`, the list is a global - - (space-agnostic) container. Required for looking up the correct list - when `list_id` is not unique. - examples: - agnostic: - value: agnostic - single: - value: single + default: 1 + type: number + - description: Number of results per page in: query - name: namespace_type + name: perPage required: false schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - default: single - responses: - '200': - content: - application/json: - examples: - detectionType: - value: - _version: WzIsMV0= - created_at: 2025-01-07T19:34:27.942Z - created_by: elastic - description: This is a sample detection type exception list. 
- id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 - immutable: false - list_id: simple_list - name: Sample Detection Exception List - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 - type: detection - updated_at: 2025-01-07T19:34:27.942Z - updated_by: elastic - version: 1 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: >- - [request query]: namespace_type.0: Invalid enum value. - Expected 'agnostic' | 'single', received 'blob' - statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [GET - /api/exception_lists?list_id=simple_list&namespace_type=single] - is unauthorized for user, this action is granted by the - Kibana privileges [lists-read] - statusCode: 403 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '404': + default: 20 + type: number + - description: A KQL query string to filter results + in: query + name: kuery + required: false + schema: + 
type: string + responses: + '200': content: application/json: examples: - notFound: + getEnrollmentApiKeysExample: + description: List of enrollment API keys value: - message": 'exception list id: "foo" does not exist' - status_code": 404 + items: + - active: true + api_key: api-key-value-1 + api_key_id: api-key-id-1 + created_at: '2024-01-01T00:00:00.000Z' + id: key-id-1 + name: Default policy enrollment key + policy_id: policy-id-1 + list: + - active: true + api_key: api-key-value-1 + api_key_id: api-key-id-1 + created_at: '2024-01-01T00:00:00.000Z' + id: key-id-1 + name: Default policy enrollment key + policy_id: policy-id-1 + page: 1 + perPage: 20 + total: 1 schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list item not found response - '500': + additionalProperties: false + type: object + properties: + items: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_enrollment_api_key' + maxItems: 10000 + type: array + list: + deprecated: true + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_enrollment_api_key' + maxItems: 10000 + type: array + page: + type: number + perPage: + type: number + total: + type: number + required: + - items + - total + - page + - perPage + - list + description: Successful response + '400': content: application/json: examples: - serverError: + genericErrorResponseExample: + description: Example of a generic error response value: - message: Internal Server Error - status_code: 500 + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Get exception list details + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - 
message + - attributes + description: Bad Request + summary: Get enrollment API keys tags: - - Security Exceptions API + - Fleet enrollment API keys + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name post: - description: > - An exception list groups exception items and can be associated with - detection rules. You can assign exception lists to multiple detection - rules. + description: |- + **Spaces method and path for this operation:** - > info +
post /s/{space_id}/api/fleet/enrollment_api_keys
- > All exception items added to the same list are evaluated using `OR` - logic. That is, if any of the items in a list evaluate to `true`, the - exception prevents the rule from generating an alert. Likewise, `OR` - logic is used for evaluating exceptions when more than one exception - list is assigned to a rule. To use the `AND` operator, you can define - multiple clauses (`entries`) in a single exception item. - operationId: CreateExceptionList + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create an enrollment API key for a given agent policy.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-enrollment-api-keys + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: examples: - createDetection: + postEnrollmentApiKeyRequestExample: + description: Create an enrollment API key for an agent policy value: - description: This is a sample detection type exception list. - list_id: simple_list - name: Sample Detection Exception List - namespace_type: single - os_types: - - linux - tags: - - malware - type: detection + expiration: '2025-01-01T00:00:00.000Z' + name: My enrollment key + policy_id: policy-id-1 schema: - example: - description: This is a sample detection type exception list. - list_id: simple_list - name: Sample Detection Exception List - namespace_type: single - os_types: - - linux - tags: - - malware - type: detection - type: object - properties: - description: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListDescription - list_id: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListHumanId - meta: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListMeta - name: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListName - namespace_type: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - default: single - os_types: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray - tags: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListTags - default: [] - type: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListType - version: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListVersion - default: 1 - required: - - name - - description - - type - description: Exception list's properties - required: true + $ref: 
'#/components/schemas/Kibana_HTTP_APIs_new_enrollment_api_key' responses: '200': content: application/json: examples: - autogeneratedListId: - value: - _version: WzMsMV0= - created_at: 2025-01-09T01:05:23.019Z - created_by: elastic - description: >- - This is a sample detection type exception with an - autogenerated list_id. - id: 28243c2f-624a-4443-823d-c0b894880931 - immutable: false - list_id: 8c1aae4c-1ef5-4bce-a2e3-16584b501783 - name: Sample Detection Exception List - namespace_type: single - os_types: [] - tags: - - malware - tie_breaker_id: ad94de31-39f7-4ad7-b8e4-988bfa95f338 - type: detection - updated_at: 2025-01-09T01:05:23.020Z - updated_by: elastic - version: 1 - namespaceAgnostic: - value: - _version: WzUsMV0= - created_at: 2025-01-09T01:10:36.369Z - created_by: elastic - description: This is a sample agnostic endpoint type exception. - id: 1a744e77-22ca-4b6b-9085-54f55275ebe5 - immutable: false - list_id: b935eb55-7b21-4c1c-b235-faa1df23b3d6 - name: Sample Agnostic Endpoint Exception List - namespace_type: agnostic - os_types: - - linux - tags: - - malware - tie_breaker_id: 49ea0adc-a2b8-4d83-a8f3-2fb98301dea3 - type: endpoint - updated_at: 2025-01-09T01:10:36.369Z - updated_by: elastic - version: 1 - typeDetection: - value: - _version: WzIsMV0= - created_at: 2025-01-07T19:34:27.942Z - created_by: elastic - description: This is a sample detection type exception list. - id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 - immutable: false - list_id: simple_list - name: Sample Detection Exception List - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 - type: detection - updated_at: 2025-01-07T19:34:27.942Z - updated_by: elastic - version: 1 - typeEndpoint: + postEnrollmentApiKeyExample: + description: The created enrollment API key value: - _version: WzQsMV0= - created_at: 2025-01-09T01:07:49.658Z - created_by: elastic - description: This is a sample endpoint type exception list. 
- id: a79f4730-6e32-4278-abfc-349c0add7d54 - immutable: false - list_id: endpoint_list - name: Sample Endpoint Exception List - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 94a028af-8f47-427a-aca5-ffaf829e64ee - type: endpoint - updated_at: 2025-01-09T01:07:49.658Z - updated_by: elastic - version: 1 + action: created + item: + active: true + api_key: api-key-value-1 + api_key_id: api-key-id-1 + created_at: '2024-01-01T00:00:00.000Z' + id: key-id-1 + name: My enrollment key + policy_id: policy-id-1 schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + $ref: '#/components/schemas/Kibana_HTTP_APIs_enrollment_api_key_response' description: Successful response '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: '[request body]: list_id: Expected string, received number' + message: An error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [POST /api/exception_lists] is unauthorized for user, - this action is granted by the Kibana privileges - [lists-all] - statusCode: 
403 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '409': - content: - application/json: - examples: - alreadyExists: - value: - message: 'exception list id: "simple_list" already exists' - status_code: 409 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list already exists response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Create an exception list + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Create an enrollment API key tags: - - Security Exceptions API - put: - description: Update an exception list using the `id` or `list_id` field. - operationId: UpdateExceptionList + - Fleet enrollment API keys + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/enrollment_api_keys/_bulk_delete: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/enrollment_api_keys/_bulk_delete
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Revoke or delete multiple enrollment API keys.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-enrollment-api-keys-bulk-delete + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: examples: - fullReplace: + bulkDeleteByIdsExample: + description: Bulk delete enrollment API keys by IDs value: - description: Different description - list_id: simple_list - name: Updated exception list name - os_types: - - linux - tags: - - draft - - malware - type: detection + forceDelete: true + tokenIds: + - token-id-1 + - token-id-2 + bulkDeleteByKueryExample: + description: Bulk delete enrollment API keys by KQL query + value: + forceDelete: false + kuery: policy_id:"policy-id-1" schema: - example: - description: Different description - list_id: simple_list - name: Updated exception list name - os_types: - - linux - tags: - - draft malware - type: detection - type: object - properties: - _version: - description: >- - The version id, normally returned by the API when the item - was retrieved. Use it ensure updates are done against the - latest version. 
- type: string - description: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListDescription - id: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' - list_id: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListHumanId - meta: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListMeta - name: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListName - namespace_type: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - default: single - os_types: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray - default: [] - tags: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListTags - type: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListType - version: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListVersion - required: - - name - - description - - type - description: Exception list's properties - required: true + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_delete_enrollment_api_keys_request' responses: '200': content: application/json: examples: - simpleList: + bulkDeleteEnrollmentApiKeysExample: + description: The enrollment API keys were successfully processed value: - _version: WzExLDFd - created_at: 2025-01-07T20:43:55.264Z - created_by: elastic - description: Different description - id: fa7f545f-191b-4d32-b1f0-c7cd62a79e55 - immutable: false - list_id: simple_list - name: Updated exception list name - namespace_type: single - os_types: [] - tags: - - draft malware - tie_breaker_id: 319fe983-acdd-4806-b6c4-3098eae9392f - type: detection - updated_at: 2025-01-07T21:32:03.726Z - updated_by: elastic - version: 2 + action: deleted + count: 2 + errorCount: 0 + successCount: 2 schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_delete_enrollment_api_keys_response' 
description: Successful response '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: '[request body]: list_id: Expected string, received number' + message: Either tokenIds or kuery must be provided statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [PUT /api/exception_lists] is unauthorized for user, - this action is granted by the Kibana privileges - [lists-all] - statusCode: 403 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message": 'exception list id: "foo" does not exist' - status_code": 404 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: 
Update an exception list + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Bulk revoke or delete enrollment API keys tags: - - Security Exceptions API - /api/exception_lists/_duplicate: - post: - description: Duplicate an existing exception list. - operationId: DuplicateExceptionList + - Fleet enrollment API keys + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/enrollment_api_keys/{keyId}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/enrollment_api_keys/{keyId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Revoke or delete an enrollment API key by ID. Use `forceDelete=true` to remove the document.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: delete-fleet-enrollment-api-keys-keyid parameters: - - description: The `list_id` of the existing exception list to copy (source list). - in: query - name: list_id + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - - description: >- - Scope in which the source list is defined (`single` = current space, - `agnostic` = all spaces). - examples: - agnostic: - value: agnostic - single: - value: single - in: query - name: namespace_type + example: 'true' + type: string + - description: The ID of the enrollment API key + in: path + name: keyId required: true schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - - description: >- - Determines whether to include expired exceptions in the duplicated - list. Expiration date defined by `expire_time`. + type: string + - description: When false (default), invalidate the API key and mark the token as inactive. When true, also delete the token document. in: query - name: include_expired_exceptions - required: true + name: forceDelete + required: false schema: - default: 'true' - enum: - - 'true' - - 'false' - example: true - type: string + default: false + type: boolean + - description: When true, allow deletion of hidden enrollment tokens (managed/agentless policies). Defaults to false. 
+ in: query + name: includeHidden + required: false + schema: + default: false + type: boolean responses: '200': content: application/json: examples: - detectionExceptionList: + deleteEnrollmentApiKeyExample: + description: The enrollment API key was successfully revoked value: - _version: WzExNDY1LDFd - created_at: 2025-01-09T16:19:50.280Z - created_by: elastic - description: This is a sample detection type exception - id: b2f4a715-6ab1-444c-8b1e-3fa1b1049429 - immutable: false - list_id: d6390d60-bce3-4a48-9002-52db600f329c - name: Sample Detection Exception List [Duplicate] - namespace_type: single - os_types: [] - tags: - - malware - tie_breaker_id: 6fa670bd-666d-4c9c-9f1e-d1dbc516e985 - type: detection - updated_at: 2025-01-09T16:19:50.280Z - updated_by: elastic - version: 1 + action: deleted schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + $ref: '#/components/schemas/Kibana_HTTP_APIs_delete_enrollment_api_key_response' description: Successful response '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: >- - [request query]: namespace_type: Invalid enum value. 
- Expected 'agnostic' | 'single', received 'foo' + message: An error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': content: application/json: examples: - unauthorized: + notFoundExample: + description: No enrollment API key was found with the given ID value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 + error: Not Found + message: EnrollmentAPIKey key-id-1 not found + statusCode: 404 + description: Not Found + summary: Revoke or delete an enrollment API key + tags: + - Fleet enrollment API keys + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/enrollment_api_keys/{keyId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get an enrollment API key by ID.

[Required authorization] Route required privileges: fleet-agents-all OR fleet-setup. + operationId: get-fleet-enrollment-api-keys-keyid + parameters: + - description: The ID of the enrollment API key + in: path + name: keyId + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getEnrollmentApiKeyExample: + description: An enrollment API key + value: + item: + active: true + api_key: api-key-value-1 + api_key_id: api-key-id-1 + created_at: '2024-01-01T00:00:00.000Z' + id: key-id-1 + name: Default policy enrollment key + policy_id: policy-id-1 schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': + $ref: '#/components/schemas/Kibana_HTTP_APIs_enrollment_api_key_response' + description: Successful response + '400': content: application/json: examples: - forbidden: + genericErrorResponseExample: + description: Example of a generic error response value: - error: Forbidden - message: >- - API [POST /api/exception_lists/_duplicate] is unauthorized - for user, this action is granted by the Kibana privileges - [lists-all] - statusCode: 403 + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request '404': content: application/json: examples: - notFound: + notFoundExample: + description: No enrollment API key was found with the given ID value: - message: 'exception list id: "foo" does not exist' - status_code: 404 - schema: - $ref: >- - 
#/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Exception list not found - '405': + error: Not Found + message: EnrollmentAPIKey key-id-1 not found + statusCode: 404 + description: Not Found + summary: Get an enrollment API key + tags: + - Fleet enrollment API keys + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/bulk_assets: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/bulk_assets
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve multiple Kibana saved object assets by their IDs and types.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: post-fleet-epm-bulk-assets + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + postBulkGetAssetsRequestExample: + description: Retrieve multiple assets by their IDs and types + value: + assetIds: + - id: dashboard-id-1 + type: dashboard + - id: index-pattern-id-1 + type: index_pattern + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_bulk_assets_request' + responses: + '200': content: application/json: examples: - notAllowed: + postBulkGetAssetsExample: + description: Requested assets value: - message: >- - Cannot duplicate: list is immutable or the operation is - not allowed in this state - status_code: 405 + items: + - appLink: /app/dashboards#/view/dashboard-id-1 + attributes: + title: My Dashboard + id: dashboard-id-1 + type: dashboard schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list to duplicate not found response - '500': + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_bulk_assets_response' + description: Successful response + '400': content: application/json: examples: - serverError: + genericErrorResponseExample: + description: Example of a generic error response value: - message: Internal Server Error - status_code: 500 + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Duplicate an exception list + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: 
number + required: + - message + - attributes + description: Bad Request + summary: Bulk get assets tags: - - Security Exceptions API - /api/exception_lists/_export: - post: - description: Export an exception list and its associated items to an NDJSON file. - operationId: ExportExceptionList + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/categories: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/categories
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of integration categories.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-categories parameters: - - description: >- - Exception list's internal `id` (UUID) returned on create; use with - `list_id` and `namespace_type` for an unambiguous target. - in: query - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' - - description: >- - Human-readable `list_id` of the exception list to export, as shown - in the UI and API responses. - in: query - name: list_id - required: true - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - - description: > - `single` exports a list in the current Kibana space; `agnostic` - exports a global (space-agnostic) list. - examples: - agnostic: - value: agnostic - single: - value: single + - description: When true, include prerelease packages in the results in: query - name: namespace_type - required: true + name: prerelease + required: false schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - - description: >- - Determines whether to include expired exceptions in the exported - list. Expiration date defined by `expire_time`. 
- example: true + type: boolean + - description: When true, include categories that only contain policy templates in: query - name: include_expired_exceptions - required: true + name: include_policy_templates + required: false schema: - default: 'true' - enum: - - 'true' - - 'false' - type: string + type: boolean responses: '200': content: - application/ndjson: + application/json: examples: - exportSavedObjectsResponse: - value: > - {"_version":"WzExNDU5LDFd","created_at":"2025-01-09T16:18:17.757Z","created_by":"elastic","description":"This - is a sample detection type - exception","id":"c86c2da0-2ab6-4343-b81c-216ef27e8d75","immutable":false,"list_id":"simple_list","name":"Sample - Detection Exception - List","namespace_type":"single","os_types":[],"tags":["user - added string for a - tag","malware"],"tie_breaker_id":"cf4a7b92-732d-47f0-a0d5-49a35a1736bf","type":"detection","updated_at":"2025-01-09T16:18:17.757Z","updated_by":"elastic","version":1} - - {"_version":"WzExNDYxLDFd","comments":[],"created_at":"2025-01-09T16:18:42.308Z","created_by":"elastic","description":"This - is a sample endpoint type - exception","entries":[{"type":"exists","field":"actingProcess.file.signer","operator":"excluded"},{"type":"match_any","field":"host.name","value":["some - host","another - host"],"operator":"included"}],"id":"f37597ce-eaa7-4b64-9100-4301118f6806","item_id":"simple_list_item","list_id":"simple_list","name":"Sample - Endpoint Exception - List","namespace_type":"single","os_types":["linux"],"tags":["user - added string for a - tag","malware"],"tie_breaker_id":"4ca3ef3e-9721-42c0-8107-cf47e094d40f","type":"simple","updated_at":"2025-01-09T16:18:42.308Z","updated_by":"elastic"} - - {"exported_exception_list_count":1,"exported_exception_list_item_count":1,"missing_exception_list_item_count":0,"missing_exception_list_items":[],"missing_exception_lists":[],"missing_exception_lists_count":0} + getCategoriesExample: + description: List of integration categories + value: + 
items: + - count: 42 + id: security + title: Security + - count: 38 + id: observability + title: Observability schema: - description: >- - A `.ndjson` file containing specified exception list and its - items - format: binary - type: string + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_categories_response' description: Successful response '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: >- - [request query]: list_id: Required, namespace_type: - Required + message: An error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get package categories + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/custom_integrations: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/custom_integrations
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new custom integration package with user-defined data streams.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-custom-integrations + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + postCreateCustomIntegrationRequestExample: + description: Create a new custom integration + value: + datasets: + - name: my_custom_logs.access + type: logs + integrationName: my_custom_logs + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_create_custom_integration_request' + responses: + '200': content: application/json: examples: - unauthorized: + postCreateCustomIntegrationExample: + description: Custom integration successfully created value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 + _meta: + install_source: custom + items: + - id: my_custom_logs-logs-my_custom_logs.access + type: index_template schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': + $ref: '#/components/schemas/Kibana_HTTP_APIs_install_package_response' + description: Successful response + '400': content: application/json: examples: - forbidden: + genericErrorResponseExample: + description: Example of a generic error response value: - error: Forbidden - message: >- - API [POST /api/exception_lists/_export] is unauthorized - for user, this action is granted by the Kibana privileges - [lists-all] - statusCode: 403 + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: >- - 
#/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '404': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Create a custom integration + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/custom_integrations/{pkgName}: + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/fleet/epm/custom_integrations/{pkgName}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update the datasets of an existing custom integration package.

[Required authorization] Route required privileges: fleet-settings-all AND integrations-all. + operationId: put-fleet-epm-custom-integrations-pkgname + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Package name + in: path + name: pkgName + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + putUpdateCustomIntegrationRequestExample: + description: Update a custom integration + value: + datasets: + - name: my_custom_logs.access + type: logs + integrationName: my_custom_logs + schema: + additionalProperties: false + type: object + properties: + categories: + items: + type: string + maxItems: 10 + type: array + readMeData: + type: string + required: + - readMeData + responses: + '200': content: application/json: examples: - notFound: - value: - message": 'exception list id: "foo" does not exist' - status_code": 404 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list not found response - '500': + putUpdateCustomIntegrationExample: + description: Custom integration successfully updated + value: {} + description: Successful response + '400': content: application/json: examples: - serverError: + genericErrorResponseExample: + description: Example of a generic error response value: - message: Internal Server Error - status_code: 500 + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Export an exception list + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message 
+ - attributes + description: Bad Request + summary: Update a custom integration tags: - - Security Exceptions API - /api/exception_lists/_find: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/data_streams: get: - description: Get a list of all exception list containers. - operationId: FindExceptionLists - parameters: - - description: > - Filters the returned results according to the value of the specified - field. - + description: |- + **Spaces method and path for this operation:** - Uses the `so type.field name:field` value syntax, where `so type` - can be: +
get /s/{space_id}/api/fleet/epm/data_streams
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - `exception-list`: Specify a space-aware exception list. - - - `exception-list-agnostic`: Specify an exception list that is - shared across spaces. - in: query - name: filter - required: false - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_FindExceptionListsFilter - - description: > - Determines whether the returned containers are Kibana associated - with a Kibana space - - or available in all spaces (`agnostic` or `single`) - examples: - agnostic: - value: agnostic - single: - value: single - in: query - name: namespace_type - required: false - schema: - default: - - single - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - type: array - - description: The page number to return - in: query - name: page - required: false - schema: - example: 1 - minimum: 1 - type: integer - - description: The number of exception lists to return per page + Get a list of data streams created by installed integration packages.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-data-streams + parameters: + - description: Filter by data stream type in: query - name: per_page - required: false - schema: - example: 20 - minimum: 1 - type: integer - - description: Determines which field is used to sort the results. + name: type + required: false + schema: + enum: + - logs + - metrics + - traces + - synthetics + - profiling + type: string + - description: Filter data streams by dataset name in: query - name: sort_field + name: datasetQuery required: false schema: - example: name type: string - - description: Determines the sort order, which can be `desc` or `asc`. + - description: Sort order, ascending or descending in: query - name: sort_order + name: sortOrder required: false schema: + default: asc enum: - - desc - asc - example: desc + - desc type: string + - description: When true, only return data streams that are not associated with a package + in: query + name: uncategorisedOnly + required: false + schema: + default: false + type: boolean responses: '200': content: application/json: examples: - simpleLists: + getDataStreamsExample: + description: List of data streams from installed packages value: - data: - - _version: WzIsMV0= - created_at: 2025-01-07T19:34:27.942Z - created_by: elastic - description: This is a sample detection type exception list. 
- id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 - immutable: false - list_id: simple_list - name: Detection Exception List - namespace_type: single - os_types: [] - tags: - - malware - tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 - type: detection - updated_at: 2025-01-07T19:34:27.942Z - updated_by: elastic - version: 1 - page: 1 - per_page: 20 - total: 1 + data_streams: + - ilm_policy: logs-default + index_template: logs-system.syslog + name: logs-system.syslog-default + package: system + package_version: 1.55.0 + title: System syslog logs schema: - type: object - properties: - data: - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionList - type: array - page: - minimum: 1 - type: integer - per_page: - minimum: 1 - type: integer - total: - minimum: 0 - type: integer - required: - - data - - page - - per_page - - total + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_data_streams_response' description: Successful response '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: >- - [request query]: namespace_type.0: Invalid enum value. 
- Expected 'agnostic' | 'single', received 'blob' + message: An error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get data streams + tags: + - Data streams + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/packages: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/packages
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of integration packages available in the registry.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-packages + parameters: + - description: Filter packages by category + in: query + name: category + required: false + schema: + type: string + - description: When true, include prerelease packages in the results + in: query + name: prerelease + required: false + schema: + type: boolean + - description: When true, exclude the install status from the response + in: query + name: excludeInstallStatus + required: false + schema: + type: boolean + - description: When true, include the number of package policies per package + in: query + name: withPackagePoliciesCount + required: false + schema: + type: boolean + responses: + '200': content: application/json: examples: - forbidden: + getPackagesExample: + description: List of available integration packages value: - error: Forbidden - message: >- - API [GET /api/exception_lists/_find?namespace_type=single] - is unauthorized for user, this action is granted by the - Kibana privileges [lists-read] - statusCode: 403 + items: + - categories: + - cloud + description: Collect logs and metrics from Amazon Web Services + id: aws + name: aws + status: not_installed + title: AWS + version: 2.10.0 + searchExcluded: 0 + total: 1 schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '500': + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_packages_response' + description: Successful response + '400': content: application/json: examples: - serverError: + genericErrorResponseExample: + description: Example of a generic error response value: - message: Internal Server Error - status_code: 500 + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Get 
exception lists + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get packages tags: - - Security Exceptions API - /api/exception_lists/_import: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name post: - description: Import an exception list and its associated items from an NDJSON file. - operationId: ImportExceptionList - parameters: - - description: > - Determines whether existing exception lists with the same `list_id` - are overwritten. + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/packages
- If any exception items have the same `item_id`, those are also - overwritten. + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Install a package by uploading a .zip or .tar.gz archive (max 100MB). Only available to superusers.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: When true, ignore mapping update errors during installation in: query - name: overwrite + name: ignoreMappingUpdateErrors required: false schema: default: false - example: false type: boolean - - description: > - Determines whether the list being imported will have a new `list_id` - generated. - - Additional `item_id`'s are generated for each exception item. Both - the exception - - list and its items are overwritten. + - description: When true, skip data stream rollover after installation in: query - name: as_new_list + name: skipDataStreamRollover required: false schema: default: false - example: false type: boolean requestBody: content: - multipart/form-data: + application/gzip: examples: - ndjsonUpload: - value: - file: exception_lists.ndjson + postInstallByUploadRequestExample: + description: Upload a .zip or .tar.gz package archive (max 100MB) + value: + application/gzip; application/zip: + examples: + postInstallByUploadRequestExample: + description: Upload a .zip or .tar.gz package archive (max 100MB) + value: schema: - type: object - properties: - file: - description: A `.ndjson` file containing the exception list - example: > - {"_version":"WzExNDU5LDFd","created_at":"2025-01-09T16:18:17.757Z","created_by":"elastic","description":"This - is a sample detection type - exception","id":"c86c2da0-2ab6-4343-b81c-216ef27e8d75","immutable":false,"list_id":"simple_list","name":"Sample - Detection Exception - List","namespace_type":"single","os_types":[],"tags":["user - added string for a - 
tag","malware"],"tie_breaker_id":"cf4a7b92-732d-47f0-a0d5-49a35a1736bf","type":"detection","updated_at":"2025-01-09T16:18:17.757Z","updated_by":"elastic","version":1} - - {"_version":"WzExNDYxLDFd","comments":[],"created_at":"2025-01-09T16:18:42.308Z","created_by":"elastic","description":"This - is a sample endpoint type - exception","entries":[{"type":"exists","field":"actingProcess.file.signer","operator":"excluded"},{"type":"match_any","field":"host.name","value":["some - host","another - host"],"operator":"included"}],"id":"f37597ce-eaa7-4b64-9100-4301118f6806","item_id":"simple_list_item","list_id":"simple_list","name":"Sample - Endpoint Exception - List","namespace_type":"single","os_types":["linux"],"tags":["user - added string for a - tag","malware"],"tie_breaker_id":"4ca3ef3e-9721-42c0-8107-cf47e094d40f","type":"simple","updated_at":"2025-01-09T16:18:42.308Z","updated_by":"elastic"} - format: binary - type: string - required: true + format: binary + type: string responses: '200': content: - application/json: + application/gzip; application/zip: examples: - withErrors: - value: - errors: - - error: - message: >- - Error found importing exception list: Invalid value - \"4\" supplied to \"list_id\" - status_code: 400 - list_id: (unknown list_id) - - error: - message: >- - Found that item_id: - \"f7fd00bb-dba8-4c93-9d59-6cbd427b6330\" already - exists. Import of item_id: - \"f7fd00bb-dba8-4c93-9d59-6cbd427b6330\" skipped. 
- status_code: 409 - item_id: f7fd00bb-dba8-4c93-9d59-6cbd427b6330 - list_id: 7d7cccb8-db72-4667-b1f3-648efad7c1ee - success: false, - success_count: 0, - success_count_exception_list_items: 0 - success_count_exception_lists: 0, - success_exception_list_items: false, - success_exception_lists: false, - withoutErrors: + postInstallByUploadExample: + description: Package successfully installed from upload value: - errors: [] - success: true - success_count: 2 - success_count_exception_list_items: 1 - success_count_exception_lists: 1 - success_exception_list_items: true - success_exception_lists: true, + _meta: + install_source: upload + items: + - id: my-custom-package-logs-default + type: index_template schema: - type: object - properties: - errors: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListsImportBulkErrorArray - success: - type: boolean - success_count: - minimum: 0 - type: integer - success_count_exception_list_items: - minimum: 0 - type: integer - success_count_exception_lists: - minimum: 0 - type: integer - success_exception_list_items: - type: boolean - success_exception_lists: - type: boolean - required: - - errors - - success - - success_count - - success_exception_lists - - success_count_exception_lists - - success_exception_list_items - - success_count_exception_list_items + $ref: '#/components/schemas/Kibana_HTTP_APIs_install_package_response' + application/json: + examples: + postInstallByUploadExample: + description: Package successfully installed from upload + value: + _meta: + install_source: upload + items: + - id: my-custom-package-logs-default + type: index_template description: Successful response '400': content: - application/json: + application/gzip; application/zip: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: >- - Multipart part `file` is required and must contain a valid - .ndjson exception list export + message: An 
error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [POST /api/exception_lists/_import] is unauthorized - for user, this action is granted by the Kibana privileges - [lists-all] - statusCode: 403 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '500': - content: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes application/json: examples: - serverError: + genericErrorResponseExample: + description: Example of a generic error response value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Import an exception list + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + description: Bad Request + summary: Install a package by upload tags: - - Security 
Exceptions API - /api/exception_lists/items: - delete: - description: Delete an exception list item using the `id` or `item_id` field. - operationId: DeleteExceptionListItem + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/packages/_bulk: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/packages/_bulk
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Install multiple packages from the Elastic Package Registry in a single request.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-bulk parameters: - - description: >- - Exception item's identifier. Either `id` or `item_id` must be - specified - in: query - name: id - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' - - description: >- - Human readable exception item string identifier, e.g. - `trusted-linux-processes`. Either `id` or `item_id` must be - specified - in: query - name: item_id - required: false + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId - - description: > - `single` deletes the item in the current Kibana space; `agnostic` - deletes an item in a space-agnostic list. Must match the list that - owns the item. - examples: - agnostic: - value: agnostic - single: - value: single + example: 'true' + type: string + - description: When true, allow installing prerelease versions in: query - name: namespace_type + name: prerelease required: false schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - default: single + type: boolean + requestBody: + content: + application/json: + examples: + postBulkInstallPackagesRequestExample: + description: Install multiple packages from the registry + value: + packages: + - system + - aws + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_install_packages_from_registry_request' responses: '200': content: application/json: examples: - simpleExceptionItem: + postBulkInstallPackagesExample: + description: Bulk install results value: - _version: WzQsMV0= - comments: [] - created_at: 2025-01-07T20:07:33.119Z - created_by: elastic - description: This is a sample detection type exception item. 
- entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - - field: host.name - operator: included - type: match_any - value: - - saturn - - jupiter - id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c - type: simple - updated_at: 2025-01-07T20:07:33.119Z - updated_by: elastic + items: + - name: system + result: + assets: [] + status: installed + - name: aws + result: + assets: [] + status: installed schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_install_packages_from_registry_response' description: Successful response '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: >- - [request query]: namespace_type.0: Invalid enum value. 
- Expected 'agnostic' | 'single', received 'blob' + message: An error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [DELETE - /api/exception_lists/items?item_id=simple_list&namespace_type=single] - is unauthorized for user, this action is granted by the - Kibana privileges [lists-all] - statusCode: 403 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message: 'exception list item item_id: \"foo\" does not exist' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list item not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Delete an exception list item + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true 
+ error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Bulk install packages tags: - - Security Exceptions API - get: - description: >- - Get the details of an exception list item using the `id` or `item_id` - field. - operationId: ReadExceptionListItem - parameters: - - description: >- - Exception list item's identifier. Either `id` or `item_id` must be - specified. - in: query - name: id - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' - - description: >- - Human readable exception item string identifier, e.g. - `trusted-linux-processes`. Either `id` or `item_id` must be - specified. - in: query - name: item_id - required: false - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId - - description: > - `single` fetches the item in the current space; `agnostic` fetches a - global (space-agnostic) item. Must + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/packages/_bulk_namespace_customization: + post: + description: |- + **Spaces method and path for this operation:** - match how the list was created. - examples: - agnostic: - value: agnostic - single: - value: single - in: query - name: namespace_type - required: false +
post /s/{space_id}/api/fleet/epm/packages/_bulk_namespace_customization
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Enable or disable namespace-level index template customization for a list of packages in one call. Use this for IaC-style declarative flows.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-bulk-namespace-customization + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - default: single + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + bulkNamespaceCustomizationRequest: + value: + disable: + - dev + enable: + - production + - staging + packages: + - system + - nginx + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_namespace_customization_request' responses: '200': content: application/json: examples: - simpleListItem: + successResponse: value: - _version: WzQsMV0= - comments: [] - created_at: 2025-01-07T20:07:33.119Z - created_by: elastic - description: This is a sample detection type exception item. - entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - - field: host.name - operator: included - type: match_any - value: - - saturn - - jupiter - id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c - type: simple - updated_at: 2025-01-07T20:07:33.119Z - updated_by: elastic + items: + - name: system + namespace_customization_enabled_for: + - production + - staging + success: true + - error: Package nginx is not installed + name: nginx + success: false schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' - description: Successful response + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_namespace_customization_response' + description: 'OK: A successful request.' 
'400': content: application/json: examples: - badRequest: + badRequestResponse: value: error: Bad Request - message: >- - [request query]: namespace_type.0: Invalid enum value. - Expected 'agnostic' | 'single', received 'blob' + message: 'Namespaces must not appear in both enable and disable: production' statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: A bad request. + summary: Bulk enable/disable namespace-level customization for packages + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/packages/_bulk_rollback: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/packages/_bulk_rollback
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Rollback multiple packages to their previous versions.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-bulk-rollback + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + bulkRollbackRequest: + value: + packages: + - name: system + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_rollback_packages_request' + responses: + '200': content: application/json: examples: - unauthorized: + successResponse: value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 + taskId: taskId schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_rollback_packages_response' + description: 'OK: A successful request.' + '400': content: application/json: examples: - forbidden: + badRequestResponse: value: - error: Forbidden - message: >- - API [GET - /api/exception_lists/items?item_id=&namespace_type=single] - is unauthorized for user, this action is granted by the - Kibana privileges [lists-read] - statusCode: 403 + message: Bad Request schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '404': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: A bad request. 
+ summary: Bulk rollback packages + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/packages/_bulk_rollback/{taskId}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/packages/_bulk_rollback/{taskId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the status and results of a bulk package rollback operation.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: get-fleet-epm-packages-bulk-rollback-taskid + parameters: + - description: Task ID of the bulk operation + in: path + name: taskId + required: true + schema: + type: string + responses: + '200': content: application/json: examples: - notFound: + successResponse: value: - message: 'exception list item item_id: \"foo\" does not exist' - status_code: 404 + status: success schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list item not found response - '500': + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_one_bulk_operation_packages_response' + description: 'OK: A successful request.' + '400': content: application/json: examples: - serverError: + badRequestResponse: value: - message: Internal Server Error - status_code: 500 + message: Bad Request schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Get an exception list item + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: A bad request. + summary: Get Bulk rollback packages details tags: - - Security Exceptions API + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/packages/_bulk_uninstall: post: - description: > - Create an exception item and associate it with the specified exception - list. + description: |- + **Spaces method and path for this operation:** - > info +
post /s/{space_id}/api/fleet/epm/packages/_bulk_uninstall
- > Before creating exception items, you must create an exception list. - operationId: CreateExceptionListItem + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Uninstall multiple packages in a single operation.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-bulk-uninstall + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: examples: - simpleItem: + postBulkUninstallPackagesRequestExample: + description: Uninstall multiple packages value: - description: This is a sample detection type exception item. - entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - type: simple + packages: + - name: aws + - name: gcp schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemGeneric - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemEndpointList - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedAppsWindows - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedAppsMac - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedAppsLinux - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedDevicesWindows - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedDevicesMac - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedDevicesWindowsMac - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemEventFilters - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemHostIsolation - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBlocklistWindows - - $ref: >- - 
#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBlocklistLinux - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBlocklistMac - description: Exception list item's properties - required: true + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_uninstall_packages_request' responses: '200': content: application/json: examples: - autogeneratedItemId: - value: - _version: WzYsMV0= - comments: [] - created_at: 2025-01-09T01:16:23.322Z - created_by: elastic - description: >- - This is a sample exception that has no item_id so it is - autogenerated. - entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - id: 323faa75-c657-4fa0-9084-8827612c207b - item_id: 80e6edf7-4b13-4414-858f-2fa74aa52b37 - list_id: 8c1aae4c-1ef5-4bce-a2e3-16584b501783 - name: Sample Autogenerated Exception List Item ID - namespace_type: single - os_types: [] - tags: - - malware - tie_breaker_id: d6799986-3a23-4213-bc6d-ed9463a32f23 - type: simple - updated_at: 2025-01-09T01:16:23.322Z - updated_by: elastic - detectionExceptionListItem: - value: - _version: WzQsMV0= - comments: [] - created_at: 2025-01-07T20:07:33.119Z - created_by: elastic - description: This is a sample detection type exception item. - entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c - type: simple - updated_at: 2025-01-07T20:07:33.119Z - updated_by: elastic - withExistEntry: - value: - _version: WzQsMV0= - comments: [] - created_at: 2025-01-07T20:07:33.119Z - created_by: elastic - description: This is a sample detection type exception item. 
- entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c - type: simple - updated_at: 2025-01-07T20:07:33.119Z - updated_by: elastic - withMatchAnyEntry: - value: - _version: WzQsMV0= - comments: [] - created_at: 2025-01-07T20:07:33.119Z - created_by: elastic - description: This is a sample detection type exception item. - entries: - - field: host.name - operator: included - type: match_any - value: - - saturn - - jupiter - id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c - type: simple - updated_at: 2025-01-07T20:07:33.119Z - updated_by: elastic - withMatchEntry: - value: - _version: WzQsMV0= - comments: [] - created_at: 2025-01-07T20:07:33.119Z - created_by: elastic - description: This is a sample detection type exception item. - entries: - - field: actingProcess.file.signer - operator: included - type: match - value: Elastic N.V. - id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c - type: simple - updated_at: 2025-01-07T20:07:33.119Z - updated_by: elastic - withNestedEntry: - value: - _version: WzQsMV0= - comments: [] - created_at: 2025-01-07T20:07:33.119Z - created_by: elastic - description: This is a sample detection type exception item. 
- entries: - - entries: - - field: signer - operator: included - type: match - value: Evil - - field: trusted - operator: included - type: match - value: true - field: file.signature - type: nested - id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c - type: simple - updated_at: 2025-01-07T20:07:33.119Z - updated_by: elastic - withValueListEntry: + postBulkUninstallPackagesExample: + description: Bulk uninstall task initiated value: - _version: WzcsMV0= - comments: [] - created_at: 2025-01-09T01:31:12.614Z - created_by: elastic - description: >- - Don't signal when agent.name is rock01 and source.ip is in - the goodguys.txt list - entries: - - field: source.ip - list: - id: goodguys.txt - type: ip - operator: excluded - type: list - id: deb26876-297d-4677-8a1f-35467d2f1c4f - item_id: 686b129e-9b8d-4c59-8d8d-c93a9ea82c71 - list_id: 8c1aae4c-1ef5-4bce-a2e3-16584b501783 - name: Filter out good guys ip and agent.name rock01 - namespace_type: single - os_types: [] - tags: - - malware - tie_breaker_id: 5e0288ce-6657-4c18-9dcc-00ec9e8cc6c8 - type: simple - updated_at: 2025-01-09T01:31:12.614Z - updated_by: elastic + taskId: task-id-1 schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_upgrade_packages_response' description: Successful response '400': content: application/json: examples: - badRequest: - value: - error: Bad Request, - message: '[request body]: list_id: Expected string, received number' - statusCode: 400, - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - 
unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: + genericErrorResponseExample: + description: Example of a generic error response value: - error: Forbidden - message: >- - API [POST /api/exception_lists/items] is unauthorized for - user, this action is granted by the Kibana privileges - [lists-all] - statusCode: 403 + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '409': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Bulk uninstall packages + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/packages/_bulk_uninstall/{taskId}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/packages/_bulk_uninstall/{taskId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the status and results of a bulk package uninstall operation.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: get-fleet-epm-packages-bulk-uninstall-taskid + parameters: + - description: Task ID of the bulk operation + in: path + name: taskId + required: true + schema: + type: string + responses: + '200': content: application/json: examples: - alreadyExists: + getBulkOperationDetailsExample: + description: Details of the bulk operation task value: - message: >- - exception list item id: \"simple_list_item\" already - exists - status_code: 409 + packages: + - name: system + result: installed + - name: elastic_agent + result: installed + status: success schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list item already exists response - '500': + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_one_bulk_operation_packages_response' + description: Successful response + '400': content: application/json: examples: - serverError: + genericErrorResponseExample: + description: Example of a generic error response value: - message: Internal Server Error - status_code: 500 + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Create an exception list item + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get Bulk uninstall packages details tags: - - Security Exceptions API - put: - description: Update an exception list item using the `id` or `item_id` field. 
- operationId: UpdateExceptionListItem + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/packages/_bulk_upgrade: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/packages/_bulk_upgrade
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Upgrade multiple packages to their latest versions.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-bulk-upgrade + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: examples: - updateItem: + postBulkUpgradePackagesRequestExample: + description: Upgrade multiple packages to their latest versions value: - description: Updated description - id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - name: Updated name - namespace_type: single - type: simple + packages: + - name: system + - name: elastic_agent schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemGeneric - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemEndpointList - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedAppsWindows - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedAppsMac - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedAppsLinux - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesWindows - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesMac - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesWindowsMac - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemEventFilters - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemHostIsolation - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBlocklistWindows - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBlocklistLinux - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBlocklistMac - 
description: Exception list item's properties - required: true + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_upgrade_packages_request' responses: '200': content: application/json: examples: - simpleListItem: + postBulkUpgradePackagesExample: + description: Bulk upgrade task initiated value: - _version: WzEyLDFd - comments: [] - created_at: 2025-01-07T21:12:25.512Z - created_by: elastic - description: Updated description - entries: - - field: host.name - operator: included - type: match - value: rock01 - id: 459c5e7e-f8b2-4f0b-b136-c1fc702f72da - item_id: simple_list_item - list_id: simple_list - name: Updated name - namespace_type: single - os_types: [] - tags: [] - tie_breaker_id: ad0754ff-7b19-49ca-b73e-e6aff6bfa2d0 - type: simple - updated_at: 2025-01-07T21:34:50.233Z - updated_by: elastic + taskId: task-id-1 schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_upgrade_packages_response' description: Successful response '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: '[request body]: item_id: Expected string, received number' + message: An error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Bulk upgrade packages + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: 
product_name + /api/fleet/epm/packages/_bulk_upgrade/{taskId}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/packages/_bulk_upgrade/{taskId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the status and results of a bulk package upgrade operation.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: get-fleet-epm-packages-bulk-upgrade-taskid + parameters: + - description: Task ID of the bulk operation + in: path + name: taskId + required: true + schema: + type: string + responses: + '200': content: application/json: examples: - unauthorized: + getBulkOperationDetailsExample: + description: Details of the bulk operation task value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 + packages: + - name: system + result: installed + - name: elastic_agent + result: installed + status: success schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_one_bulk_operation_packages_response' + description: Successful response + '400': content: application/json: examples: - forbidden: + genericErrorResponseExample: + description: Example of a generic error response value: - error: Forbidden - message: >- - API [PUT /api/exception_lists/items] is unauthorized for - user, this action is granted by the Kibana privileges - [lists-all] - statusCode: 403 + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '404': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get 
Bulk upgrade packages details + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/packages/{pkgName}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/epm/packages/{pkgName}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Uninstall a package and remove all its assets.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: delete-fleet-epm-packages-pkgname + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Package name + in: path + name: pkgName + required: true + schema: + type: string + - description: When true, delete the package even if it has active package policies + in: query + name: force + required: false + schema: + type: boolean + responses: + '200': content: application/json: examples: - notFound: + deletePackageExample: + description: Package successfully deleted value: - message: 'exception list item item_id: \"foo\" does not exist' - status_code: 404 + items: + - id: aws-logs-aws.cloudwatch_logs-default + type: index_template schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list item not found response - '500': + $ref: '#/components/schemas/Kibana_HTTP_APIs_delete_package_response' + description: Successful response + '400': content: application/json: examples: - serverError: + genericErrorResponseExample: + description: Example of a generic error response value: - message: Internal Server Error - status_code: 500 + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Update an exception list item + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Delete a package tags: - - Security Exceptions API - /api/exception_lists/items/_find: + - Elastic 
Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name get: - description: Get a list of all exception list items in the specified list. - operationId: FindExceptionListItems - parameters: - - description: The `list_id`s of the items to fetch. - in: query - name: list_id - required: true - schema: - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListHumanId - type: array - - description: > - Filters the returned results according to the value of the specified - field, + description: |- + **Spaces method and path for this operation:** - using the `:` syntax. - examples: - singleFilter: - value: - - exception-list.attributes.name:%My%20item - in: query - name: filter - required: false - schema: - default: [] - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_FindExceptionListItemsFilter - type: array - - description: > - Determines whether the returned containers are Kibana associated - with a Kibana space +
get /s/{space_id}/api/fleet/epm/packages/{pkgName}
- or available in all spaces (`agnostic` or `single`) - examples: - single: - value: - - single - in: query - name: namespace_type - required: false - schema: - default: - - single - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - type: array - - description: > - Free-text search term applied to exception list item fields (for - example a hostname or file path fragment). - in: query - name: search - required: false + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get information about a package by name, returning the latest installed or available version. + operationId: get-fleet-epm-packages-pkgname + parameters: + - description: Package name + in: path + name: pkgName + required: true schema: - example: host.name type: string - - description: The page number to return + - description: When true, returns the package even if the signature cannot be verified in: query - name: page + name: ignoreUnverified required: false schema: - example: 1 - minimum: 0 - type: integer - - description: The number of exception list items to return per page + type: boolean + - description: When true, include prerelease versions in: query - name: per_page + name: prerelease required: false schema: - example: 20 - minimum: 0 - type: integer - - description: Determines which field is used to sort the results. - example: name + type: boolean + - description: When true, return the full package info including assets in: query - name: sort_field + name: full required: false schema: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - - description: Determines the sort order, which can be `desc` or `asc`. 
+ type: boolean + - description: When true, include package metadata such as whether it has package policies in: query - name: sort_order + name: withMetadata required: false schema: - enum: - - desc - - asc - example: desc - type: string + default: false + type: boolean responses: '200': content: application/json: examples: - simpleListItems: + getPackageInfoExample: + description: Package details and installation status value: - data: - - _version: WzgsMV0= - comments: [] - created_at: 2025-01-07T21:12:25.512Z - created_by: elastic - description: This is a sample exception item. - entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - - field: host.name - operator: included - type: match_any - value: - - jupiter - - saturn - id: 459c5e7e-f8b2-4f0b-b136-c1fc702f72da - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: ad0754ff-7b19-49ca-b73e-e6aff6bfa2d0 - type: simple - updated_at: 2025-01-07T21:12:25.512Z - updated_by: elastic - page: 1 - per_page: 20 - total: 1 + item: + assets: + kibana: + dashboard: [] + index_pattern: [] + categories: + - cloud + description: Collect logs and metrics from Amazon Web Services + name: aws + status: installed + title: AWS + version: 2.10.0 schema: - type: object - properties: - data: - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItem - type: array - page: - minimum: 1 - type: integer - per_page: - minimum: 1 - type: integer - pit: - type: string - total: - minimum: 0 - type: integer - required: - - data - - page - - per_page - - total + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_info_response' description: Successful response '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: >- - [request query]: namespace_type.0: 
Invalid enum value. - Expected 'agnostic' | 'single', received 'blob' + message: An error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [GET - /api/exception_lists/items/_find?list_id=simple_list&namespace_type=single] - is unauthorized for user, this action is granted by the - Kibana privileges [lists-read] - statusCode: 403 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message: 'exception list list_id: "foo" does not exist' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Get exception list items + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + 
nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get a package tags: - - Security Exceptions API - /api/exception_lists/summary: - get: - description: Get a summary of the specified exception list. - operationId: ReadExceptionListSummary + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/packages/{pkgName}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Install the latest version of a package from the Elastic Package Registry.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-pkgname parameters: - - description: Exception list's identifier generated upon creation. + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Package name + in: path + name: pkgName + required: true + schema: + type: string + - description: When true, allow installing prerelease versions in: query - name: id + name: prerelease required: false schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' - - description: Exception list's human readable identifier. + type: boolean + - description: When true, ignore mapping update errors during installation in: query - name: list_id + name: ignoreMappingUpdateErrors required: false schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - - description: > - `single` returns summary for a list in the current space; `agnostic` - for a space-agnostic list. Must - - line up with `id` / `list_id` used to look up the list. 
- examples: - agnostic: - value: agnostic - single: - value: single + default: false + type: boolean + - description: When true, skip data stream rollover after installation in: query - name: namespace_type + name: skipDataStreamRollover required: false schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - default: single - - description: Search filter clause + default: false + type: boolean + - description: Skip dependency validation when installing a package with dependencies in: query - name: filter + name: skipDependencyCheck required: false schema: - example: >- - exception-list-agnostic.attributes.tags:"policy:policy-1" OR - exception-list-agnostic.attributes.tags:"policy:all" - type: string + default: false + type: boolean + requestBody: + content: + application/json: + examples: + postInstallPackageRequestExample: + description: Install a package, optionally ignoring constraints + value: + ignore_constraints: false + schema: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_install_package_from_registry_request' + nullable: true responses: '200': content: application/json: examples: - summary: + postInstallPackageExample: + description: Package successfully installed value: - linux: 0 - macos: 0 - total: 0 - windows: 0 + _meta: + install_source: registry + items: + - id: aws-logs-aws.cloudwatch_logs-default + type: index_template schema: - type: object - properties: - linux: - minimum: 0 - type: integer - macos: - minimum: 0 - type: integer - total: - minimum: 0 - type: integer - windows: - minimum: 0 - type: integer + $ref: '#/components/schemas/Kibana_HTTP_APIs_install_package_response' description: Successful response '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: >- - [request query]: namespace_type.0: Invalid enum value. 
- Expected 'agnostic' | 'single', received 'blob' + message: An error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [GET - /api/exception_lists/summary?list_id=simple_list&namespace_type=agnostic] - is unauthorized for user, this action is granted by the - Kibana privileges [lists-summary] - statusCode: 403 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message": 'exception list id: "foo" does not exist' - status_code": 404 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Get an exception list summary + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + 
type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Install a package from the registry tags: - - Security Exceptions API - /api/exceptions/shared: - post: - description: > - An exception list groups exception items and can be associated with - detection rules. A shared exception list can apply to multiple detection - rules. + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** - > info +
put /s/{space_id}/api/fleet/epm/packages/{pkgName}
- > All exception items added to the same list are evaluated using `OR` - logic. That is, if any of the items in a list evaluate to `true`, the - exception prevents the rule from generating an alert. Likewise, `OR` - logic is used for evaluating exceptions when more than one exception - list is assigned to a rule. To use the `AND` operator, you can define - multiple clauses (`entries`) in a single exception item. - operationId: CreateSharedExceptionList + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update settings for a package, such as whether policies are kept up to date automatically.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: put-fleet-epm-packages-pkgname + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Package name + in: path + name: pkgName + required: true + schema: + type: string requestBody: content: application/json: examples: - createSharedExceptionList: + putUpdatePackageNamespaceCustomizationExample: + description: Enable namespace-level customization for the `production` and `staging` namespaces value: - description: This is a sample detection type exception list. - list_id: simple_list - name: Sample Detection Exception List - namespace_type: single - os_types: - - linux - tags: - - malware + namespace_customization_enabled_for: + - production + - staging + putUpdatePackageRequestExample: + description: Update keep_policies_up_to_date setting for a package + value: + keepPoliciesUpToDate: true schema: - type: object - properties: - description: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListDescription - name: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListName - required: - - name - - description - required: true + $ref: '#/components/schemas/Kibana_HTTP_APIs_update_package_request' responses: '200': content: application/json: examples: - sharedList: + putUpdatePackageExample: + description: Updated package settings value: - _version: WzIsMV0= - created_at: 2025-01-07T19:34:27.942Z - created_by: elastic - description: This is a sample detection type exception list. 
- id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 - immutable: false - list_id: simple_list - name: Sample Detection Exception List - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 - type: detection - updated_at: 2025-01-07T19:34:27.942Z - updated_by: elastic - version: 1 + item: + keepPoliciesUpToDate: true + name: aws + version: 2.10.0 schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + $ref: '#/components/schemas/Kibana_HTTP_APIs_update_package_response' description: Successful response '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: '[request body]: list_id: Expected string, received number' + message: An error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - message: Unable to create exception-list - status_code: 403 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '409': - content: - application/json: - examples: - alreadyExists: - value: - message: 'exception list id: 
"simple_list" already exists' - status_code: 409 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list already exists response - '500': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Update package settings + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/packages/{pkgName}/{pkgVersion}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Uninstall a specific version of a package and remove all its assets.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: delete-fleet-epm-packages-pkgname-pkgversion + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Package name + in: path + name: pkgName + required: true + schema: + type: string + - description: Package version + in: path + name: pkgVersion + required: true + schema: + type: string + - description: When true, delete the package even if it has active package policies + in: query + name: force + required: false + schema: + type: boolean + responses: + '200': content: application/json: examples: - serverError: + deletePackageExample: + description: Package successfully deleted value: - message: Internal Server Error - status_code: 500 + items: + - id: aws-logs-aws.cloudwatch_logs-default + type: index_template schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Create a shared exception list - tags: - - Security Exceptions API - /api/fleet/agent_download_sources: - get: - description: >- - List all agent binary download sources.

[Required - authorization] Route required privileges: fleet-agent-policies-read OR - fleet-settings-read. - operationId: get-fleet-agent-download-sources - parameters: [] - responses: - '200': + $ref: '#/components/schemas/Kibana_HTTP_APIs_delete_package_response' + description: Successful response + '400': content: application/json: examples: - getDownloadSourcesExample: - description: List of agent binary download sources + genericErrorResponseExample: + description: Example of a generic error response value: - items: - - host: https://artifacts.elastic.co/downloads/ - id: download-source-id-1 - is_default: true - name: Elastic Artifacts - page: 1 - perPage: 20 - total: 1 + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: additionalProperties: false + description: Generic Error type: object properties: - items: - items: - additionalProperties: false - type: object - properties: - auth: - additionalProperties: false - nullable: true - type: object - properties: - api_key: - type: string - headers: - items: - additionalProperties: false - type: object - properties: - key: - type: string - value: - type: string - required: - - key - - value - maxItems: 100 - type: array - password: - type: string - username: - type: string - host: - format: uri - type: string - id: - type: string - is_default: - default: false - type: boolean - name: - type: string - proxy_id: - description: >- - The ID of the proxy to use for this download source. - See the proxies API for more information. 
- nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - auth: - additionalProperties: false - type: object - properties: - api_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - password: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - key: - type: string - required: - - id - - name - - host - maxItems: 10000 - type: array - page: - type: number - perPage: - type: number - total: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: type: number required: - - items - - total - - page - - perPage + - message + - attributes + description: Bad Request + summary: Delete a package + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get information about a specific version of a package. + operationId: get-fleet-epm-packages-pkgname-pkgversion + parameters: + - description: Package name + in: path + name: pkgName + required: true + schema: + type: string + - description: Package version + in: path + name: pkgVersion + required: true + schema: + type: string + - description: When true, returns the package even if the signature cannot be verified + in: query + name: ignoreUnverified + required: false + schema: + type: boolean + - description: When true, include prerelease versions + in: query + name: prerelease + required: false + schema: + type: boolean + - description: When true, return the full package info including assets + in: query + name: full + required: false + schema: + type: boolean + - description: When true, include package metadata such as whether it has package policies + in: query + name: withMetadata + required: false + schema: + default: false + type: boolean + responses: + '200': + content: + application/json: + examples: + getPackageInfoExample: + description: Package details and installation status + value: + item: + assets: + kibana: + dashboard: [] + index_pattern: [] + categories: + - cloud + description: Collect logs and metrics from Amazon Web Services + name: aws + status: installed + title: AWS + version: 2.10.0 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_info_response' description: Successful response '400': content: @@ -16764,14 +34883,22 @@ paths: - message - attributes description: Bad Request - summary: Get agent binary download sources + summary: Get a package tags: - - Elastic Agent binary download sources + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name post: - description: >- - Create a new agent binary download source.

[Required - authorization] Route required privileges: fleet-settings-all. - operationId: post-fleet-agent-download-sources + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Install a specific version of a package from the Elastic Package Registry.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-pkgname-pkgversion parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -16780,242 +34907,72 @@ paths: schema: example: 'true' type: string + - description: Package name + in: path + name: pkgName + required: true + schema: + type: string + - description: Package version + in: path + name: pkgVersion + required: true + schema: + type: string + - description: When true, allow installing prerelease versions + in: query + name: prerelease + required: false + schema: + type: boolean + - description: When true, ignore mapping update errors during installation + in: query + name: ignoreMappingUpdateErrors + required: false + schema: + default: false + type: boolean + - description: When true, skip data stream rollover after installation + in: query + name: skipDataStreamRollover + required: false + schema: + default: false + type: boolean + - description: Skip dependency validation when installing a package with dependencies + in: query + name: skipDependencyCheck + required: false + schema: + default: false + type: boolean requestBody: content: application/json: examples: - postDownloadSourceRequestExample: - description: Create a new agent binary download source + postInstallPackageRequestExample: + description: Install a package, optionally ignoring constraints value: - host: https://my-custom-host.example.com/downloads/ - is_default: false - name: My custom download source + ignore_constraints: false schema: - additionalProperties: false - type: object - properties: - auth: - additionalProperties: false - nullable: true - type: object - properties: - api_key: - type: string - headers: - items: - additionalProperties: false - type: object - properties: - key: - type: string - value: - type: string - required: - - key - - value - maxItems: 100 - type: array - password: - type: string - username: - type: string - host: - format: uri - type: string - id: - type: string - is_default: - default: false - type: boolean - name: - type: string - proxy_id: - description: >- - The ID of the proxy to use for this download source. 
See the - proxies API for more information. - nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - auth: - additionalProperties: false - type: object - properties: - api_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - password: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - key: - type: string - required: - - name - - host + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_install_package_from_registry_request' + nullable: true responses: '200': content: application/json: examples: - postDownloadSourceExample: - description: The created agent binary download source + postInstallPackageExample: + description: Package successfully installed value: - item: - host: https://my-custom-host.example.com/downloads/ - id: download-source-id-2 - is_default: false - name: My custom download source + _meta: + install_source: registry + items: + - id: aws-logs-aws.cloudwatch_logs-default + type: index_template schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - auth: - additionalProperties: false - nullable: true - type: object - properties: - api_key: - type: string - headers: - items: - additionalProperties: false - type: object - properties: - key: - type: string - value: - type: string - required: - - key - - value - maxItems: 100 - type: array - password: - type: string - username: - type: string - 
host: - format: uri - type: string - id: - type: string - is_default: - default: false - type: boolean - name: - type: string - proxy_id: - description: >- - The ID of the proxy to use for this download source. - See the proxies API for more information. - nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - auth: - additionalProperties: false - type: object - properties: - api_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - password: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - key: - type: string - required: - - id - - name - - host - required: - - item + $ref: '#/components/schemas/Kibana_HTTP_APIs_install_package_response' description: Successful response '400': content: @@ -17046,15 +35003,22 @@ paths: - message - attributes description: Bad Request - summary: Create an agent binary download source + summary: Install a package from the registry tags: - - Elastic Agent binary download sources - /api/fleet/agent_download_sources/{sourceId}: - delete: - description: >- - Delete an agent binary download source by ID.

[Required - authorization] Route required privileges: fleet-settings-all. - operationId: delete-fleet-agent-download-sources-sourceid + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update settings for a specific version of a package.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: put-fleet-epm-packages-pkgname-pkgversion parameters: - description: A required header to protect against CSRF attacks in: header @@ -17063,29 +35027,48 @@ paths: schema: example: 'true' type: string - - description: The ID of the download source + - description: Package name in: path - name: sourceId + name: pkgName + required: true + schema: + type: string + - description: Package version + in: path + name: pkgVersion required: true schema: type: string + requestBody: + content: + application/json: + examples: + putUpdatePackageNamespaceCustomizationExample: + description: Enable namespace-level customization for the `production` and `staging` namespaces + value: + namespace_customization_enabled_for: + - production + - staging + putUpdatePackageRequestExample: + description: Update keep_policies_up_to_date setting for a package + value: + keepPoliciesUpToDate: true + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_update_package_request' responses: '200': content: application/json: examples: - deleteDownloadSourceExample: - description: The download source was successfully deleted + putUpdatePackageExample: + description: Updated package settings value: - id: download-source-id-1 + item: + keepPoliciesUpToDate: true + name: aws + version: 2.10.0 schema: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id + $ref: '#/components/schemas/Kibana_HTTP_APIs_update_package_response' description: Successful response '400': content: 
@@ -17116,157 +35099,52 @@ paths: - message - attributes description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No download source was found with the given ID - value: - error: Not Found - message: Agent binary source download-source-id-1 not found - statusCode: 404 - description: Not Found - summary: Delete an agent binary download source + summary: Update package settings tags: - - Elastic Agent binary download sources + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}: get: - description: >- - Get an agent binary download source by ID.

[Required - authorization] Route required privileges: fleet-agent-policies-read OR - fleet-settings-read. - operationId: get-fleet-agent-download-sources-sourceid + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the contents of a specific file from a package.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-packages-pkgname-pkgversion-filepath parameters: - - description: The ID of the download source + - description: Package name in: path - name: sourceId + name: pkgName + required: true + schema: + type: string + - description: Package version + in: path + name: pkgVersion + required: true + schema: + type: string + - description: File path within the package + in: path + name: filePath required: true schema: type: string responses: '200': content: - application/json: - examples: - getDownloadSourceExample: - description: An agent binary download source - value: - item: - host: https://artifacts.elastic.co/downloads/ - id: download-source-id-1 - is_default: true - name: Elastic Artifacts - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - auth: - additionalProperties: false - nullable: true - type: object - properties: - api_key: - type: string - headers: - items: - additionalProperties: false - type: object - properties: - key: - type: string - value: - type: string - required: - - key - - value - maxItems: 100 - type: array - password: - type: string - username: - type: string - host: - format: uri - type: string - id: - type: string - is_default: - default: false - type: boolean - name: - type: string - proxy_id: - description: >- - The ID of the proxy to use for this download source. - See the proxies API for more information. 
- nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - auth: - additionalProperties: false - type: object - properties: - api_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - password: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - key: - type: string - required: - - id - - name - - host - required: - - item - description: Successful response + application/json: + examples: + getPackageFileExample: + description: The content of the requested package file + value: + schema: {} + description: Successful response — returns the file content '400': content: application/json: @@ -17296,25 +35174,23 @@ paths: - message - attributes description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No download source was found with the given ID - value: - error: Not Found - message: Agent binary source download-source-id-1 not found - statusCode: 404 - description: Not Found - summary: Get an agent binary download source + summary: Get a package file tags: - - Elastic Agent binary download sources - put: - description: >- - Update an agent binary download source by ID.

[Required - authorization] Route required privileges: fleet-settings-all. - operationId: put-fleet-agent-download-sources-sourceid + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/packages/{pkgName}/{pkgVersion}/datastream_assets: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/datastream_assets
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete datastream assets for a specific input package, by data stream name.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: delete-fleet-epm-packages-pkgname-pkgversion-datastream-assets parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -17323,248 +35199,37 @@ paths: schema: example: 'true' type: string - - description: The ID of the download source + - description: Package name in: path - name: sourceId + name: pkgName + required: true + schema: + type: string + - description: Package version + in: path + name: pkgVersion + required: true + schema: + type: string + - description: The ID of the package policy + in: query + name: packagePolicyId required: true schema: type: string - requestBody: - content: - application/json: - examples: - putDownloadSourceRequestExample: - description: Update an agent binary download source - value: - host: https://updated-host.example.com/downloads/ - is_default: false - name: Updated download source - schema: - additionalProperties: false - type: object - properties: - auth: - additionalProperties: false - nullable: true - type: object - properties: - api_key: - type: string - headers: - items: - additionalProperties: false - type: object - properties: - key: - type: string - value: - type: string - required: - - key - - value - maxItems: 100 - type: array - password: - type: string - username: - type: string - host: - format: uri - type: string - id: - type: string - is_default: - default: false - type: boolean - name: - type: string - proxy_id: - description: >- - The ID of the proxy to use for this download source. See the - proxies API for more information. 
- nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - auth: - additionalProperties: false - type: object - properties: - api_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - password: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - key: - type: string - required: - - name - - host responses: '200': content: application/json: examples: - putDownloadSourceExample: - description: The updated agent binary download source + deletePackageDatastreamAssetsExample: + description: Package datastream assets successfully deleted value: - item: - host: https://updated-host.example.com/downloads/ - id: download-source-id-1 - is_default: false - name: Updated download source + items: + - id: logs-my_package.access-default + type: index_template schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - auth: - additionalProperties: false - nullable: true - type: object - properties: - api_key: - type: string - headers: - items: - additionalProperties: false - type: object - properties: - key: - type: string - value: - type: string - required: - - key - - value - maxItems: 100 - type: array - password: - type: string - username: - type: string - host: - format: uri - type: string - id: - type: string - is_default: - default: false - type: boolean - name: - type: string - proxy_id: - description: >- - The ID of the proxy to 
use for this download source. - See the proxies API for more information. - nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - auth: - additionalProperties: false - type: object - properties: - api_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - password: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - key: - type: string - required: - - id - - name - - host - required: - - item + $ref: '#/components/schemas/Kibana_HTTP_APIs_delete_package_datastream_assets_response' description: Successful response '400': content: @@ -17595,138 +35260,133 @@ paths: - message - attributes description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No download source was found with the given ID - value: - error: Not Found - message: Download source download-source-id-1 not found - statusCode: 404 - description: Not Found - summary: Update an agent binary download source + summary: Delete assets for an input package tags: - - Elastic Agent binary download sources - /api/fleet/agent_policies: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/packages/{pkgName}/{pkgVersion}/dependencies: get: - description: >- - List all agent policies.

[Required authorization] Route - required privileges: fleet-agent-policies-read OR fleet-agents-read OR - fleet-setup. - operationId: get-fleet-agent-policies + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/dependencies
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the list of packages that a specific package depends on.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-packages-pkgname-pkgversion-dependencies parameters: - - description: Page number - in: query - name: page - required: false - schema: - type: number - - description: Number of results per page - in: query - name: perPage - required: false - schema: - type: number - - description: Field to sort results by - in: query - name: sortField - required: false - schema: - type: string - - description: Sort order, ascending or descending - in: query - name: sortOrder - required: false - schema: - enum: - - desc - - asc - type: string - - description: When true, only show policies with upgradeable agents - in: query - name: showUpgradeable - required: false - schema: - type: boolean - - description: A KQL query string to filter results - in: query - name: kuery - required: false + - description: Package name + in: path + name: pkgName + required: true schema: type: string - - description: use withAgentCount instead - in: query - name: noAgentCount - required: false - schema: - deprecated: true - type: boolean - - description: get policies with agent count - in: query - name: withAgentCount - required: false - schema: - type: boolean - - description: get full policies with package policies populated - in: query - name: full - required: false - schema: - type: boolean - - description: 'Format for the response: simplified or legacy' - in: query - name: format - required: false + - description: Package version + in: path + name: pkgVersion + required: true schema: - enum: - - simplified - - legacy type: string responses: '200': content: application/json: examples: - getAgentPoliciesExample: - description: List of agent policies + dependenciesResponse: value: items: - - description: A sample agent policy - id: agent-policy-id-1 - is_managed: false - is_protected: false - name: My agent policy - namespace: default - revision: 1 - status: active - 
updated_at: '2024-01-15T10:00:00.000Z' - updated_by: user1 - page: 1 - perPage: 20 - total: 1 + - name: aws + title: AWS + version: ^2.0.0 + - name: system + title: System + version: ^1.0.0 + noDependenciesResponse: + value: + items: [] + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_dependencies_response' + description: 'OK: A successful request.' + '400': + content: + application/json: + examples: + packageNotFoundResponse: + value: + message: '[my-package-1.0.0] package not found in registry' schema: additionalProperties: false + description: Generic Error type: object properties: - items: - items: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_agent_policy_response - maxItems: 10000 - type: array - page: - type: number - perPage: - type: number - total: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: type: number required: - - items - - total - - page - - perPage + - message + - attributes + description: A bad request. + summary: Get package dependencies + tags: + - Elastic Package Manager (EPM) + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete Kibana assets (dashboards, visualizations, etc.) for a specific package version.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: delete-fleet-epm-packages-pkgname-pkgversion-kibana-assets + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Package name + in: path + name: pkgName + required: true + schema: + type: string + - description: Package version + in: path + name: pkgVersion + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + deleteKibanaAssetsExample: + description: Kibana assets successfully deleted + value: + items: + - id: dashboard-id-1 + type: dashboard + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_install_kibana_assets_response' description: Successful response '400': content: @@ -17757,14 +35417,22 @@ paths: - message - attributes description: Bad Request - summary: Get agent policies + summary: Delete Kibana assets for a package tags: - - Elastic Agent policies + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name post: - description: >- - Create a new agent policy.

[Required authorization] Route - required privileges: fleet-agent-policies-all. - operationId: post-fleet-agent-policies + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Install Kibana assets (dashboards, visualizations, etc.) for a specific package version.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-pkgname-pkgversion-kibana-assets parameters: - description: A required header to protect against CSRF attacks in: header @@ -17773,49 +35441,42 @@ paths: schema: example: 'true' type: string - - description: Whether to add the system integration to the new agent policy - in: query - name: sys_monitoring - required: false + - description: Package name + in: path + name: pkgName + required: true schema: - type: boolean + type: string + - description: Package version + in: path + name: pkgVersion + required: true + schema: + type: string requestBody: content: application/json: examples: - postAgentPolicyRequestExample: - description: Create a new agent policy - value: - description: A sample agent policy - monitoring_enabled: - - logs - - metrics - name: My agent policy - namespace: default + postInstallKibanaAssetsRequestExample: + description: Install Kibana assets for a specific package version + value: {} schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_agent_policy' + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_install_kibana_assets_request' + nullable: true responses: '200': content: application/json: examples: - postAgentPolicyExample: - description: The created agent policy + postInstallKibanaAssetsExample: + description: Kibana assets successfully installed value: - item: - description: A sample agent policy - id: agent-policy-id-2 - is_managed: false - is_protected: false - name: My agent policy - namespace: default - revision: 1 - status: active - updated_at: '2024-01-15T10:00:00.000Z' - updated_by: user1 + items: + - id: dashboard-id-1 + type: dashboard schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_get_agent_policy_response + $ref: '#/components/schemas/Kibana_HTTP_APIs_install_kibana_assets_response' description: Successful response '400': content: 
@@ -17846,16 +35507,23 @@ paths: - message - attributes description: Bad Request - summary: Create an agent policy + summary: Install Kibana assets for a package tags: - - Elastic Agent policies - /api/fleet/agent_policies/_bulk_get: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/packages/{pkgName}/{pkgVersion}/rule_assets: post: - description: >- - Get multiple agent policies by ID.

[Required authorization] - Route required privileges: fleet-agent-policies-read OR - fleet-agents-read OR fleet-setup. - operationId: post-fleet-agent-policies-bulk-get + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/rule_assets
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Install Kibana alert rule assets for a specific package version.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-pkgname-pkgversion-rule-assets parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -17864,63 +35532,42 @@ paths: schema: example: 'true' type: string - - description: 'Format for the response: simplified or legacy' - in: query - name: format - required: false + - description: Package name + in: path + name: pkgName + required: true + schema: + type: string + - description: Package version + in: path + name: pkgVersion + required: true schema: - enum: - - simplified - - legacy type: string requestBody: content: application/json: examples: - postBulkGetAgentPoliciesRequestExample: - description: Retrieve multiple agent policies by ID - value: - ids: - - agent-policy-id-1 - - agent-policy-id-2 + postInstallRuleAssetsRequestExample: + description: Install alert rule assets for a specific package version + value: {} schema: - additionalProperties: false - type: object - properties: - full: - description: get full policies with package policies populated - type: boolean - ids: - description: list of package policy ids - items: - type: string - maxItems: 1000 - type: array - ignoreMissing: - type: boolean - required: - - ids + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_install_rule_assets_request' + nullable: true responses: '200': content: application/json: examples: - postBulkGetAgentPoliciesExample: - description: The requested agent policies + postInstallRuleAssetsExample: + description: Rule assets successfully installed value: items: - - id: agent-policy-id-1 - is_managed: false - is_protected: false - name: My agent policy - namespace: default - revision: 1 - status: active - updated_at: '2024-01-15T10:00:00.000Z' - updated_by: user1 + - id: rule-asset-id-1 + type: security_rule schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_bulk_get_agent_policies_response + $ref: '#/components/schemas/Kibana_HTTP_APIs_install_kibana_assets_response' description: Successful response '400': content: 
@@ -17951,65 +35598,89 @@ paths: - message - attributes description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: One or more agent policies were not found - value: - error: Not Found - message: An error message describing what went wrong - statusCode: 404 - description: Not Found - summary: Bulk get agent policies + summary: Install Kibana alert rule for a package tags: - - Elastic Agent policies - /api/fleet/agent_policies/{agentPolicyId}: - get: - description: >- - Get an agent policy by ID.

[Required authorization] Route - required privileges: fleet-agent-policies-read OR fleet-agents-read OR - fleet-setup. - operationId: get-fleet-agent-policies-agentpolicyid + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/packages/{pkgName}/{pkgVersion}/transforms/authorize: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/transforms/authorize
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Reauthorize Elasticsearch transforms installed by a package with secondary authorization headers. + operationId: post-fleet-epm-packages-pkgname-pkgversion-transforms-authorize parameters: - - description: The ID of the agent policy + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Package name in: path - name: agentPolicyId + name: pkgName required: true schema: type: string - - description: 'Format for the response: simplified or legacy' + - description: Package version + in: path + name: pkgVersion + required: true + schema: + type: string + - description: When true, allow prerelease versions in: query - name: format + name: prerelease required: false schema: - enum: - - simplified - - legacy - type: string + type: boolean + requestBody: + content: + application/json: + examples: + postReauthorizeTransformsRequestExample: + description: Reauthorize transforms for a package + value: + transforms: + - destinations: + - index: logs-transform-dest + transformId: logs-transform-1 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_reauthorize_transform_request' responses: '200': content: application/json: examples: - getAgentPolicyExample: - description: An agent policy + postReauthorizeTransformsExample: + description: Transforms successfully reauthorized value: - item: - description: A sample agent policy - id: agent-policy-id-1 - is_managed: false - is_protected: false - name: My agent policy - namespace: default - revision: 1 - status: active - updated_at: '2024-01-15T10:00:00.000Z' - updated_by: user1 + - success: true + transformId: logs-transform-1 schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_get_agent_policy_response + items: + additionalProperties: false + type: object + properties: + error: + nullable: true + 
success: + type: boolean + transformId: + type: string + required: + - transformId + - success + - error + maxItems: 10000 + type: array description: Successful response '400': content: @@ -18040,25 +35711,23 @@ paths: - message - attributes description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No agent policy was found with the given ID - value: - error: Not Found - message: Agent policy not found - statusCode: 404 - description: Not Found - summary: Get an agent policy + summary: Authorize transforms tags: - - Elastic Agent policies - put: - description: >- - Update an agent policy by ID.

[Required authorization] Route - required privileges: fleet-agent-policies-all. - operationId: put-fleet-agent-policies-agentpolicyid + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/packages/{pkgName}/review_upgrade: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/review_upgrade
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Review and accept or reject a pending policy upgrade for a package that contains deprecations.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-pkgname-review-upgrade parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -18067,68 +35736,40 @@ paths: schema: example: 'true' type: string - - description: The ID of the agent policy + - description: Package name to review upgrade for in: path - name: agentPolicyId + name: pkgName required: true schema: type: string - - description: 'Format for the response: simplified or legacy' - in: query - name: format - required: false - schema: - enum: - - simplified - - legacy - type: string requestBody: content: application/json: examples: - putAgentPolicyRequestExample: - description: Update an agent policy + acceptUpgrade: value: - description: An updated agent policy description - monitoring_enabled: - - logs - name: Updated agent policy - namespace: default + action: accept + target_version: 2.0.0 schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_agent_policy' + $ref: '#/components/schemas/Kibana_HTTP_APIs_review_upgrade_request' responses: '200': content: application/json: examples: - putAgentPolicyExample: - description: The updated agent policy + successResponse: value: - item: - description: An updated agent policy description - id: agent-policy-id-1 - is_managed: false - is_protected: false - name: Updated agent policy - namespace: default - revision: 2 - status: active - updated_at: '2024-01-15T11:00:00.000Z' - updated_by: user1 + success: true schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_get_agent_policy_response - description: Successful response + $ref: '#/components/schemas/Kibana_HTTP_APIs_review_upgrade_response' + description: 'OK: A successful request.' '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequestResponse: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + message: Bad Request schema: additionalProperties: false description: Generic Error 
@@ -18147,21 +35788,36 @@ paths: required: - message - attributes - description: Bad Request - summary: Update an agent policy + description: A bad request. + summary: Review a pending policy upgrade for a package with deprecations tags: - - Elastic Agent policies - /api/fleet/agent_policies/{agentPolicyId}/auto_upgrade_agents_status: - get: - description: >- - Get the auto-upgrade status for agents assigned to an agent - policy.

[Required authorization] Route required privileges: - fleet-agents-read. - operationId: get-fleet-agent-policies-agentpolicyid-auto-upgrade-agents-status + - Elastic Package Manager (EPM) + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/packages/{pkgName}/rollback: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/rollback
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Rollback a package to its previously installed version.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-pkgname-rollback parameters: - - description: The ID of the agent policy + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Package name to roll back in: path - name: agentPolicyId + name: pkgName required: true schema: type: string 
@@ -18170,72 +35826,20 @@ paths: content: application/json: examples: - getAutoUpgradeAgentsStatusExample: - description: Auto-upgrade status for agents in the policy + successResponse: value: - agentsCount: 5 - currentVersion: 8.16.0 - failedAgentsCount: 0 - upgradedAgentsCount: 3 - upgradingAgentsCount: 1 + success: true + version: 1.0.0 schema: - additionalProperties: false - type: object - properties: - currentVersions: - items: - additionalProperties: false - type: object - properties: - agents: - description: Number of agents that upgraded to this version - type: number - failedUpgradeActionIds: - description: List of action IDs related to failed upgrades - items: - type: string - maxItems: 1000 - type: array - failedUpgradeAgents: - description: >- - Number of agents that failed to upgrade to this - version - type: number - inProgressUpgradeActionIds: - description: List of action IDs related to in-progress upgrades - items: - type: string - maxItems: 1000 - type: array - inProgressUpgradeAgents: - description: Number of agents that are upgrading to this version - type: number - version: - description: Agent version - type: string - required: - - version - - agents - - failedUpgradeAgents - - inProgressUpgradeAgents - maxItems: 10000 - type: array - totalAgents: - type: number - required: - - currentVersions - - totalAgents - description: Successful response + $ref: '#/components/schemas/Kibana_HTTP_APIs_rollback_package_response' + description: 'OK: A successful request.' '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequestResponse: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + message: Bad Request schema: additionalProperties: false description: Generic Error 
@@ -18254,72 +35858,44 @@ paths: required: - message - attributes - description: Bad Request - summary: Get auto upgrade agent status + description: A bad request. + summary: Rollback a package to previous version tags: - - Elastic Agent policies - /api/fleet/agent_policies/{agentPolicyId}/copy: - post: - description: >- - Copy an agent policy by ID.

[Required authorization] Route - required privileges: fleet-agent-policies-all. - operationId: post-fleet-agent-policies-agentpolicyid-copy + - Elastic Package Manager (EPM) + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/packages/{pkgName}/stats: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/packages/{pkgName}/stats
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get usage statistics for a specific package, such as the number of agent policies using it.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-packages-pkgname-stats parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The ID of the agent policy + - description: Package name in: path - name: agentPolicyId + name: pkgName required: true schema: type: string - - description: 'Format for the response: simplified or legacy' - in: query - name: format - required: false - schema: - enum: - - simplified - - legacy - type: string - requestBody: - content: - application/json: - examples: - postCopyAgentPolicyRequestExample: - description: Copy an agent policy with a new name - value: - description: A copy of the original agent policy - name: Copy of my agent policy - schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_copy_agent_policy_request' responses: '200': content: application/json: examples: - postCopyAgentPolicyExample: - description: The copied agent policy + getPackageStatsExample: + description: Usage stats for a specific package value: - item: - description: A copy of the original agent policy - id: agent-policy-id-copy-1 - is_managed: false - is_protected: false - name: Copy of my agent policy - namespace: default - revision: 1 - status: active - updated_at: '2024-01-15T11:00:00.000Z' - updated_by: user1 + response: + agent_policy_count: 3 schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_get_agent_policy_response + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_stats_response' description: Successful response '400': content: 
@@ -18350,104 +35926,108 @@ paths: - message - attributes description: Bad Request - summary: Copy an agent policy + summary: Get package stats tags: - - Elastic Agent policies - /api/fleet/agent_policies/{agentPolicyId}/download: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/packages/installed: get: - description: >- - Download an agent policy by ID.

[Required authorization] Route - required privileges: fleet-agent-policies-read OR fleet-setup. - operationId: get-fleet-agent-policies-agentpolicyid-download + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/packages/installed
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all currently installed integration packages.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-packages-installed parameters: - - description: The ID of the agent policy - in: path - name: agentPolicyId - required: true + - description: Filter by data stream type + in: query + name: dataStreamType + required: false schema: + enum: + - logs + - metrics + - traces + - synthetics + - profiling type: string - - description: If true, returns the policy as a downloadable file + - description: When true, only return packages with active data streams in: query - name: download + name: showOnlyActiveDataStreams required: false schema: type: boolean - - description: If true, returns the policy formatted for standalone agents + - description: Filter packages by name in: query - name: standalone + name: nameQuery required: false schema: - type: boolean - - description: If true, returns the policy formatted for Kubernetes deployment + type: string + - description: Sort values from the previous page for `search_after` pagination in: query - name: kubernetes + name: searchAfter required: false schema: - type: boolean - - description: >- - If provided, returns the policy at the specified revision. Cannot be - used with standalone or kubernetes flags. 
+ items: + anyOf: + - type: string + - type: number + maxItems: 10 + type: array + - description: Number of results per page in: query - name: revision + name: perPage required: false schema: + default: 15 type: number + - description: Sort order, ascending or descending + in: query + name: sortOrder + required: false + schema: + default: asc + enum: + - asc + - desc + type: string responses: '200': content: application/json: examples: - getDownloadAgentPolicyExample: - description: The agent policy download response + getInstalledPackagesExample: + description: List of installed integration packages value: - item: >- - id: agent-policy-id-1\nrevision: 1\noutputs:\n - default:\n type: elasticsearch\n hosts:\n - - https://elasticsearch.example.com:9200\n + items: + - name: system + status: installed + title: System + version: 1.55.0 + - name: elastic_agent + status: installed + title: Elastic Agent + version: 1.15.0 + searchExcluded: 0 + total: 2 schema: - type: string - description: >- - Successful response — returns the agent policy as a YAML file - download + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_installed_packages_response' + description: Successful response '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No agent policy was found with the given ID + genericErrorResponseExample: + description: Example of a generic error response value: - error: Not Found - message: Agent policy not found - 
statusCode: 404 + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: additionalProperties: false description: Generic Error @@ -18466,73 +36046,38 @@ paths: required: - message - attributes - description: Not Found - summary: Download an agent policy + description: Bad Request + summary: Get installed packages tags: - - Elastic Agent policies - /api/fleet/agent_policies/{agentPolicyId}/full: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/packages/limited: get: - description: >- - Get a full agent policy by ID.

[Required authorization] Route - required privileges: fleet-agent-policies-read. - operationId: get-fleet-agent-policies-agentpolicyid-full - parameters: - - description: The ID of the agent policy - in: path - name: agentPolicyId - required: true - schema: - type: string - - description: If true, returns the policy as a downloadable file - in: query - name: download - required: false - schema: - type: boolean - - description: If true, returns the policy formatted for standalone agents - in: query - name: standalone - required: false - schema: - type: boolean - - description: If true, returns the policy formatted for Kubernetes deployment - in: query - name: kubernetes - required: false - schema: - type: boolean - - description: >- - If provided, returns the policy at the specified revision. Cannot be - used with standalone or kubernetes flags. - in: query - name: revision - required: false - schema: - type: number + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/packages/limited
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the list of packages that cannot be uninstalled (e.g. elastic_agent, fleet_server).

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-packages-limited + parameters: [] responses: '200': content: application/json: examples: - getFullAgentPolicyExample: - description: The full agent policy configuration + getLimitedPackagesExample: + description: List of packages that cannot be uninstalled value: - item: - agent: - monitoring: - logs: true - metrics: true - id: agent-policy-id-1 - inputs: [] - outputs: - default: - hosts: - - https://elasticsearch.example.com:9200 - type: elasticsearch - revision: 1 + items: + - elastic_agent + - fleet_server schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_get_full_agent_policy_response + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_limited_packages_response' description: Successful response '400': content: @@ -18563,54 +36108,80 @@ paths: - message - attributes description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No agent policy was found with the given ID - value: - error: Not Found - message: Agent policy not found - statusCode: 404 - description: Not Found - summary: Get a full agent policy + summary: Get a limited package list tags: - - Elastic Agent policies - /api/fleet/agent_policies/{agentPolicyId}/outputs: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs: get: - description: >- - Get a list of outputs associated with agent policy by policy - id.

[Required authorization] Route required privileges: - fleet-agent-policies-read AND fleet-settings-read. - operationId: get-fleet-agent-policies-agentpolicyid-outputs + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get an inputs template for a package, used to pre-populate package policy forms.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-templates-pkgname-pkgversion-inputs parameters: - - description: The ID of the agent policy + - description: Package name in: path - name: agentPolicyId + name: pkgName + required: true + schema: + type: string + - description: Package version + in: path + name: pkgVersion required: true schema: type: string + - description: 'Output format for the inputs template: json, yml, or yaml' + in: query + name: format + required: false + schema: + default: json + enum: + - json + - yml + - yaml + type: string + - description: When true, allow prerelease versions + in: query + name: prerelease + required: false + schema: + type: boolean + - description: When true, return inputs even if the package signature cannot be verified + in: query + name: ignoreUnverified + required: false + schema: + type: boolean responses: '200': content: application/json: examples: - getAgentPolicyOutputsExample: - description: Outputs associated with the agent policy + getInputsTemplateExample: + description: Inputs template for a package value: - item: - data_output: - id: output-id-1 - name: Default output - type: elasticsearch - monitoring_output: - id: output-id-1 - name: Default output - type: elasticsearch + inputs: + - description: Collect logs from log files + title: Collect logs from files + type: logfile + vars: + - name: paths + required: true + title: Paths + type: text schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_get_agent_policy_outputs_response + anyOf: + - type: string + - $ref: '#/components/schemas/Kibana_HTTP_APIs_get_inputs_response' description: Successful response '400': content: 
@@ -18641,58 +36212,35 @@ paths: - message - attributes description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No agent policy was found with the given ID - value: - error: Not Found - message: Agent policy not found - statusCode: 404 - description: Not Found - summary: Get outputs for an agent policy + summary: Get an inputs template tags: - - Elastic Agent policies - /api/fleet/agent_policies/delete: - post: - description: >- - Delete an agent policy by ID.

[Required authorization] Route - required privileges: fleet-agent-policies-all. - operationId: post-fleet-agent-policies-delete - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postDeleteAgentPolicyRequestExample: - description: Delete an agent policy by ID - value: - agentPolicyId: agent-policy-id-1 - schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_delete_agent_policy_request + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/epm/verification_key_id: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/verification_key_id
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the GPG key ID used to verify the signatures of packages from the Elastic Package Registry.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-verification-key-id + parameters: [] responses: '200': content: application/json: examples: - postDeleteAgentPolicyExample: - description: The agent policy was successfully deleted + getVerificationKeyIdExample: + description: The GPG key ID used to verify package signatures value: - id: agent-policy-id-1 - name: My agent policy + id: D27D666CD88E42B4 schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_delete_agent_policy_response + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_verification_key_id_response' description: Successful response '400': content: @@ -18723,58 +36271,165 @@ paths: - message - attributes description: Bad Request - summary: Delete an agent policy + summary: Get a package signature verification key ID tags: - - Elastic Agent policies - /api/fleet/agent_policies/outputs: - post: - description: >- - Get a list of outputs associated with agent policies.

[Required - authorization] Route required privileges: fleet-agent-policies-read AND - fleet-settings-read. - operationId: post-fleet-agent-policies-outputs - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postListAgentPolicyOutputsRequestExample: - description: Get outputs for multiple agent policies - value: - ids: - - agent-policy-id-1 - - agent-policy-id-2 - schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_get_list_agent_policy_outputs_request + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/fleet_server_hosts: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/fleet_server_hosts
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all Fleet Server hosts.

[Required authorization] Route required privileges: fleet-agents-all OR fleet-settings-read. + operationId: get-fleet-fleet-server-hosts + parameters: [] responses: '200': content: application/json: examples: - postListAgentPolicyOutputsExample: - description: Outputs associated with the requested agent policies + getFleetServerHostsExample: + description: List of Fleet Server hosts value: items: - - agent_policy_id: agent-policy-id-1 - data_output: - id: output-id-1 - name: Default output - type: elasticsearch - monitoring_output: - id: output-id-1 - name: Default output - type: elasticsearch + - host_urls: + - https://fleet-server.example.com:8220 + id: fleet-server-host-id-1 + is_default: true + is_preconfigured: false + name: Default Fleet Server + page: 1 + perPage: 20 + total: 1 schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_get_list_agent_policy_outputs_response + additionalProperties: false + type: object + properties: + items: + items: + additionalProperties: false + type: object + properties: + host_urls: + items: + type: string + maxItems: 10 + minItems: 1 + type: array + id: + type: string + is_default: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + default: false + type: boolean + name: + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + ssl: + additionalProperties: false + type: object + properties: + agent_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + es_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + nullable: true + type: object + properties: + agent_certificate: + type: string + 
agent_certificate_authorities: + items: + type: string + maxItems: 10 + type: array + agent_key: + type: string + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + client_auth: + enum: + - optional + - required + - none + type: string + es_certificate: + type: string + es_certificate_authorities: + items: + type: string + maxItems: 10 + type: array + es_key: + type: string + key: + type: string + required: + - name + - host_urls + - id + maxItems: 10000 + type: array + page: + type: number + perPage: + type: number + total: + type: number + required: + - items + - total + - page + - perPage description: Successful response '400': content: @@ -18805,95 +36460,271 @@ paths: - message - attributes description: Bad Request - summary: Get outputs for agent policies + summary: Get Fleet Server hosts tags: - - Elastic Agent policies - /api/fleet/agent_status: - get: - description: Get a summary of agent statuses for a given agent policy. - operationId: get-fleet-agent-status + - Fleet Server hosts + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
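Review bot: The Fleet Server host response schema added in this hunk (and repeated in the request and response schemas of the POST hunk that follows) exposes `ssl.key`, `ssl.es_key` and `ssl.agent_key` as bare `type: string` properties next to a `secrets.ssl` block whose `key`/`es_key`/`agent_key` are `anyOf` an `{ id }` object or a string, and none of these properties carries a `description`, so a reader cannot tell that the `ssl.*` fields hold private key material in clear text while `secrets.ssl.*` may be a reference to a stored secret. A one-line description on each would remove that ambiguity, e.g. on `secrets.ssl.key`: `description: Private key for the Fleet Server TLS certificate, either a reference to a stored secret ({ id }) or a plain string.` and on `ssl.key`: `description: Private key in clear text; prefer secrets.ssl.key.` This file looks like a generated OAS bundle, so if that is the case the descriptions belong on the source schema definitions so they survive regeneration. It is also worth confirming whether the list and get responses are meant to echo the `ssl.*` plain-text values at all, since the example responses in this hunk omit them entirely.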
post /s/{space_id}/api/fleet/fleet_server_hosts
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new Fleet Server host.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: post-fleet-fleet-server-hosts parameters: - - description: Filter by agent policy ID - in: query - name: policyId - required: false - schema: - type: string - - description: Filter by one or more agent policy IDs - in: query - name: policyIds - required: false - schema: - items: - type: string - maxItems: 1000 - type: array - - description: A KQL query string to filter results - in: query - name: kuery - required: false + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: + example: 'true' type: string + requestBody: + content: + application/json: + examples: + postFleetServerHostRequestExample: + description: Create a new Fleet Server host + value: + host_urls: + - https://fleet-server.example.com:8220 + is_default: false + name: My Fleet Server + schema: + additionalProperties: false + type: object + properties: + host_urls: + items: + type: string + maxItems: 10 + minItems: 1 + type: array + id: + type: string + is_default: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + default: false + type: boolean + name: + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + ssl: + additionalProperties: false + type: object + properties: + agent_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + es_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + nullable: true + type: object + properties: + agent_certificate: + type: string + agent_certificate_authorities: + items: + type: 
string + maxItems: 10 + type: array + agent_key: + type: string + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + client_auth: + enum: + - optional + - required + - none + type: string + es_certificate: + type: string + es_certificate_authorities: + items: + type: string + maxItems: 10 + type: array + es_key: + type: string + key: + type: string + required: + - name + - host_urls responses: '200': content: application/json: examples: - getAgentStatusExample: - description: Agent status summary for an agent policy + postFleetServerHostExample: + description: The created Fleet Server host value: - results: - error: 1 - offline: 2 - online: 5 - other: 0 - updating: 0 - totalInactive: 0 + item: + host_urls: + - https://fleet-server.example.com:8220 + id: fleet-server-host-id-2 + is_default: false + is_preconfigured: false + name: My Fleet Server schema: additionalProperties: false type: object properties: - results: + item: additionalProperties: false type: object properties: - active: - type: number - all: - type: number - error: - type: number - events: - type: number - inactive: - type: number - offline: - type: number - online: - type: number - orphaned: - type: number - other: - type: number - unenrolled: - type: number - uninstalled: - type: number - updating: - type: number + host_urls: + items: + type: string + maxItems: 10 + minItems: 1 + type: array + id: + type: string + is_default: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + default: false + type: boolean + name: + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + ssl: + additionalProperties: false + type: object + properties: + agent_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + es_key: + anyOf: + - additionalProperties: false + type: 
object + properties: + id: + type: string + required: + - id + - type: string + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + nullable: true + type: object + properties: + agent_certificate: + type: string + agent_certificate_authorities: + items: + type: string + maxItems: 10 + type: array + agent_key: + type: string + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + client_auth: + enum: + - optional + - required + - none + type: string + es_certificate: + type: string + es_certificate_authorities: + items: + type: string + maxItems: 10 + type: array + es_key: + type: string + key: + type: string required: - - events - - online - - error - - offline - - other - - updating - - inactive - - unenrolled - - all - - active + - name + - host_urls + - id required: - - results + - item description: Successful response '400': content: @@ -18924,85 +36755,54 @@ paths: - message - attributes description: Bad Request - summary: Get an agent status summary + summary: Create a Fleet Server host tags: - - Elastic Agent status - /api/fleet/agent_status/data: - get: - description: >- - Get the data streams that an agent is actively sending data - to.

[Required authorization] Route required privileges: - fleet-agents-read. - operationId: get-fleet-agent-status-data + - Fleet Server hosts + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/fleet_server_hosts/{itemId}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/fleet_server_hosts/{itemId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a Fleet Server host by ID.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: delete-fleet-fleet-server-hosts-itemid parameters: - - description: Agent IDs to check data for, as an array or comma-separated string - in: query - name: agentsIds + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: - items: - type: string - maxItems: 10000 - type: array - - description: Filter by integration package name - in: query - name: pkgName - required: false - schema: + example: 'true' type: string - - description: Filter by integration package version - in: query - name: pkgVersion - required: false + - description: The ID of the Fleet Server host + in: path + name: itemId + required: true schema: type: string - - description: When true, return a preview of the ingested data - in: query - name: previewData - required: false - schema: - default: false - type: boolean responses: '200': content: application/json: examples: - getAgentDataExample: - description: Data streams the agent is actively sending data to + deleteFleetServerHostExample: + description: The Fleet Server host was successfully deleted value: - items: - - data: - logs-nginx.access-default: - - id: agent-id-1 - name: my-host - total: 1 - totalMonitoring: 0 + id: fleet-server-host-id-1 schema: additionalProperties: false type: object properties: - dataPreview: - items: - nullable: true - maxItems: 10000 - type: array - items: - items: - additionalProperties: - additionalProperties: false - type: object - properties: - data: - type: boolean - required: - - data - type: object - maxItems: 10000 - type: array + id: + type: string required: - - items - - dataPreview + - id description: Successful response '400': content: 
@@ -19023,879 +36823,697 @@ paths: nullable: true error: type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get incoming agent data - tags: - - Elastic Agents - /api/fleet/agentless_policies: - post: - description: Create an agentless policy - operationId: post-fleet-agentless-policies - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The format of the response package policy. - in: query - name: format - required: false - schema: - default: simplified - enum: - - legacy - - simplified - type: string - requestBody: - content: - application/json: - examples: - createAgentlessPoliciesRequestExample: - description: Example request to create agentless policies - value: - description: test - inputs: - ESS Billing-cel: - enabled: true - streams: - ess_billing.billing: - enabled: true - vars: - hide_sensitive: true - http_client_timeout: 30s - lookbehind: 365 - tags: - - forwarded - - billing - ess_billing.credits: - enabled: false - vars: - api_key: - organization_id: '1234' - name: ess_billing-1 - namespace: default - package: - name: ess_billing - version: 1.6.0 - createAgentlessPoliciesReuseAWSCloudConnectorExample: - description: >- - Example request to create agentless policy reusing an existing - AWS cloud connector - value: - cloud_connector: - cloud_connector_id: existing-aws-connector-id - target_csp: aws - description: CSPM integration for AWS reusing existing cloud connector - inputs: - cspm-cloudbeat/cis_aws: - enabled: true - streams: - cloud_security_posture.findings: - enabled: true - vars: - aws.account_type: organization-account - aws.credentials.type: cloud_connector - aws.supports_cloud_connectors: true - external_id: - id: ABCDEFGHIJKLMNOPQRST - isSecretRef: true - role_arn: 
arn:aws:iam::123456789012:role/TestRole - vars: - cloud_formation_template: >- - https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https://elastic-cspm-cft.s3.eu-central-1.amazonaws.com/cloudformation-cspm-ACCOUNT_TYPE-9.2.0.yml - cspm-cloudbeat/cis_azure: - enabled: false - cspm-cloudbeat/cis_gcp: - enabled: false - name: cspm-aws-reuse-policy - namespace: default - package: - name: cloud_security_posture - version: 3.1.1 - vars: - deployment: aws - posture: cspm - createAgentlessPoliciesWithAWSCloudConnectorExample: - description: >- - Example request to create agentless policy with AWS cloud - connector - value: - cloud_connector: - target_csp: aws - description: CSPM integration for AWS with cloud connector - inputs: - cspm-cloudbeat/cis_aws: - enabled: true - streams: - cloud_security_posture.findings: - enabled: true - vars: - aws.account_type: organization-account - aws.credentials.type: cloud_connector - aws.supports_cloud_connectors: true - external_id: - id: ABCDEFGHIJKLMNOPQRST - isSecretRef: true - role_arn: arn:aws:iam::123456789012:role/TestRole - vars: - cloud_formation_template: >- - https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https://elastic-cspm-cft.s3.eu-central-1.amazonaws.com/cloudformation-cspm-ACCOUNT_TYPE-9.2.0.yml - cspm-cloudbeat/cis_azure: - enabled: false - cspm-cloudbeat/cis_gcp: - enabled: false - name: cspm-aws-policy - namespace: default - package: - name: cloud_security_posture - version: 3.1.1 - vars: - deployment: aws - posture: cspm - createAgentlessPoliciesWithAzureCloudConnectorExample: - description: >- - Example request to create agentless policy with Azure cloud - connector - value: - cloud_connector: - target_csp: azure - description: CSPM integration for Azure with cloud connector - inputs: - cspm-cloudbeat/cis_aws: - enabled: false - cspm-cloudbeat/cis_azure: - enabled: true - streams: - cloud_security_posture.findings: - enabled: true - vars: - 
azure_credentials_cloud_connector_id: - type: text - value: existing-azure-credentials-connector-id - azure.account_type: organization-account - client_id: - id: client-secret-id - isSecretRef: true - tenant_id: - id: tenant-secret-id - isSecretRef: true - cspm-cloudbeat/cis_gcp: - enabled: false - name: cspm-azure-policy - namespace: default - package: - name: cloud_security_posture - version: 3.1.1 - vars: - deployment: azure - posture: cspm - schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_simplified_create_package_policy_request - responses: - '200': - content: - application/json: - examples: - createAgentlessPoliciesResponseExample: - description: >- - Example response showing the successful result of - communication initialisation over MCP protocol - value: - item: - created_at: '2025-11-06T18:27:43.541Z' - created_by: test_user - description: test - enabled: true - id: d52a7812-5736-4fdc-aed8-72152afa1ffa - inputs: - ESS Billing-cel: - enabled: true - streams: - ess_billing.billing: - enabled: true - vars: - hide_sensitive: true - http_client_timeout: 30s - lookbehind: 365 - tags: - - forwarded - - billing - ess_billing.credits: - enabled: false - vars: - api_key: - id: QY1sWpoBbWcMW-edr0Ee - isSecretRef: true - organization_id: '1234' - url: https://billing.elastic-cloud.com - name: ess_billing-1 - namespace: default - package: - name: ess_billing - title: Elasticsearch Service Billing - version: 1.6.0 - revision: 1 - secret_references: - - id: QY1sWpoBbWcMW-edr0Ee - supports_agentless: true - updated_at: '2025-11-06T18:27:43.541Z' - updated_by: test_user - version: WzE0OTgsMV0= - createAgentlessPoliciesWithAWSCloudConnectorResponseExample: - description: Example response for AWS cloud connector integration - value: - item: - cloud_connector_id: aws-connector-67890 - created_at: '2025-11-06T18:27:43.541Z' - created_by: test_user - description: CSPM integration for AWS with cloud connector - enabled: true - id: aws-policy-12345 - inputs: - 
cspm-cloudbeat/cis_aws: - enabled: true - streams: - cloud_security_posture.findings: - enabled: true - vars: - aws.account_type: organization-account - aws.credentials.type: cloud_connector - external_id: - id: secret-external-id-123 - isSecretRef: true - role_arn: arn:aws:iam::123456789012:role/TestRole - vars: - cloud_formation_template: >- - https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https://elastic-cspm-cft.s3.eu-central-1.amazonaws.com/cloudformation-cspm-ACCOUNT_TYPE-9.2.0.yml - cspm-cloudbeat/cis_azure: - enabled: false - cspm-cloudbeat/cis_gcp: - enabled: false - name: cspm-aws-policy - namespace: default - package: - name: cloud_security_posture - title: Cloud Security Posture Management - version: 3.1.1 - revision: 1 - secret_references: - - id: secret-external-id-123 - supports_agentless: true - supports_cloud_connector: true - updated_at: '2025-11-06T18:27:43.541Z' - updated_by: test_user - vars: - deployment: aws - posture: cspm - version: WzE0OTgsMV0= - createAgentlessPoliciesWithAzureCloudConnectorResponseExample: - description: Example response for Azure cloud connector integration + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No Fleet Server host was found with the given ID + value: + error: Not Found + message: Fleet server fleet-server-host-id-1 not found + statusCode: 404 + description: Not Found + summary: Delete a Fleet Server host + tags: + - Fleet Server hosts + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/fleet_server_hosts/{itemId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a Fleet Server host by ID.

[Required authorization] Route required privileges: fleet-settings-read. + operationId: get-fleet-fleet-server-hosts-itemid + parameters: + - description: The ID of the Fleet Server host + in: path + name: itemId + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getFleetServerHostExample: + description: A Fleet Server host value: item: - cloud_connector_id: azure-connector-67890 - created_at: '2025-11-06T18:27:43.541Z' - created_by: test_user - description: CSPM integration for Azure with cloud connector - enabled: true - id: azure-policy-12345 - inputs: - cspm-cloudbeat/cis_aws: - enabled: false - cspm-cloudbeat/cis_azure: - enabled: true - streams: - cloud_security_posture.findings: - enabled: true - vars: - azure_credentials_cloud_connector_id: - type: text - value: existing-azure-credentials-connector-id - azure.account_type: organization-account - client_id: - id: client-secret-id-456 - isSecretRef: true - tenant_id: - id: tenant-secret-id-123 - isSecretRef: true - cspm-cloudbeat/cis_gcp: - enabled: false - name: cspm-azure-policy - namespace: default - package: - name: cloud_security_posture - title: Cloud Security Posture Management - version: 3.1.1 - revision: 1 - secret_references: - - id: tenant-secret-id-123 - - id: client-secret-id-456 - supports_agentless: true - supports_cloud_connector: true - updated_at: '2025-11-06T18:27:43.541Z' - updated_by: test_user - vars: - deployment: azure - posture: cspm - version: WzE0OTgsMV0= + host_urls: + - https://fleet-server.example.com:8220 + id: fleet-server-host-id-1 + is_default: true + is_preconfigured: false + name: Default Fleet Server schema: additionalProperties: false type: object properties: item: additionalProperties: false - description: The created agentless package policy. type: object properties: - additional_datastreams_permissions: - description: >- - Additional datastream permissions, that will be added - to the agent policy. 
+ host_urls: items: type: string - maxItems: 1000 - nullable: true + maxItems: 10 + minItems: 1 type: array - agents: - type: number - cloud_connector_id: - description: >- - ID of the cloud connector associated with this package - policy. - nullable: true - type: string - cloud_connector_name: - description: >- - Transient field for cloud connector name during - creation. - maxLength: 255 - minLength: 1 - nullable: true - type: string - condition: - description: >- - **Experimental.** Agent condition expression to - evaluate whether to apply this integration to its - inputs. - type: string - created_at: + id: type: string - created_by: + is_default: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + default: false + type: boolean + name: type: string - description: - description: Package policy description + proxy_id: + nullable: true type: string - elasticsearch: - additionalProperties: true + secrets: + additionalProperties: false type: object properties: - privileges: - additionalProperties: true + ssl: + additionalProperties: false type: object properties: - cluster: - items: - type: string - maxItems: 100 - type: array - enabled: - type: boolean - global_data_tags: - items: - additionalProperties: false - type: object - properties: - name: - description: >- - The name of the custom field. Cannot contain - spaces. - type: string - value: - anyOf: - - type: string - - type: number - description: The value of the custom field. - required: - - name - - value - maxItems: 100 - nullable: true - type: array - id: - description: Package policy unique identifier. - type: string - inputs: - anyOf: - - items: - additionalProperties: false - type: object - properties: - compiled_input: - nullable: true - condition: - description: >- - **Experimental.** Agent condition expression - to evaluate whether to apply this input. 
- type: string - config: - additionalProperties: - additionalProperties: false + agent_key: + anyOf: + - additionalProperties: false type: object properties: - frozen: - type: boolean - type: + id: type: string - value: - nullable: true required: - - value - description: >- - Package variable (see integration - documentation for more information) - type: object - deprecated: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_deprecation_info - enabled: - type: boolean + - id + - type: string + es_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + nullable: true + type: object + properties: + agent_certificate: + type: string + agent_certificate_authorities: + items: + type: string + maxItems: 10 + type: array + agent_key: + type: string + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + client_auth: + enum: + - optional + - required + - none + type: string + es_certificate: + type: string + es_certificate_authorities: + items: + type: string + maxItems: 10 + type: array + es_key: + type: string + key: + type: string + required: + - name + - host_urls + - id + required: + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + 
content: + application/json: + examples: + notFoundExample: + description: No Fleet Server host was found with the given ID + value: + error: Not Found + message: Fleet server fleet-server-host-id-1 not found + statusCode: 404 + description: Not Found + summary: Get a Fleet Server host + tags: + - Fleet Server hosts + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/fleet/fleet_server_hosts/{itemId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update a Fleet Server host by ID.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: put-fleet-fleet-server-hosts-itemid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The ID of the Fleet Server host + in: path + name: itemId + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + putFleetServerHostRequestExample: + description: Update a Fleet Server host + value: + host_urls: + - https://updated-fleet-server.example.com:8220 + is_default: false + name: Updated Fleet Server + schema: + additionalProperties: false + type: object + properties: + host_urls: + items: + type: string + maxItems: 10 + minItems: 1 + type: array + is_default: + type: boolean + is_internal: + type: boolean + name: + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + ssl: + additionalProperties: false + type: object + properties: + agent_key: + anyOf: + - additionalProperties: false + type: object + properties: id: type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: + required: + - id + - type: string + es_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: type: string - policy_template: + required: + - id + - type: string + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - condition: - description: >- - **Experimental.** Agent condition - expression to evaluate whether to apply - this stream. 
- type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration - documentation for more information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_deprecation_info - enabled: - type: boolean + required: + - id + - type: string + ssl: + additionalProperties: false + nullable: true + type: object + properties: + agent_certificate: + type: string + agent_certificate_authorities: + items: + type: string + maxItems: 10 + type: array + agent_key: + type: string + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + client_auth: + enum: + - optional + - required + - none + type: string + es_certificate: + type: string + es_certificate_authorities: + items: + type: string + maxItems: 10 + type: array + es_key: + type: string + key: + type: string + required: + - proxy_id + responses: + '200': + content: + application/json: + examples: + putFleetServerHostExample: + description: The updated Fleet Server host + value: + item: + host_urls: + - https://updated-fleet-server.example.com:8220 + id: fleet-server-host-id-1 + is_default: false + is_preconfigured: false + name: Updated Fleet Server + schema: + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + host_urls: + items: + type: string + 
maxItems: 10 + minItems: 1 + type: array + id: + type: string + is_default: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + default: false + type: boolean + name: + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + ssl: + additionalProperties: false + type: object + properties: + agent_key: + anyOf: + - additionalProperties: false + type: object + properties: id: type: string - keep_enabled: - type: boolean - migrate_from: - type: string - release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: >- - Variable group selections. Maps - var_group name to the selected option - name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration - documentation for more information) - type: object required: - - enabled - - data_stream - - compiled_stream - - deprecated - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: >- - Variable group selections. Maps var_group - name to the selected option name within that - group. 
- type: object - vars: - additionalProperties: - additionalProperties: false + - id + - type: string + es_key: + anyOf: + - additionalProperties: false type: object properties: - frozen: - type: boolean - type: + id: type: string - value: - nullable: true required: - - value - description: >- - Package variable (see integration - documentation for more information) - type: object - required: - - type - - enabled - - streams - - deprecated - - compiled_input - maxItems: 100 - type: array - - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: >- - **Experimental.** Agent condition expression - to evaluate whether to apply this input. - type: string - deprecated: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_deprecation_info - enabled: - description: >- - Enable or disable that input. Defaults to - `true` (enabled). - type: boolean - streams: - additionalProperties: - additionalProperties: false + - id + - type: string + key: + anyOf: + - additionalProperties: false type: object properties: - condition: - description: >- - **Experimental.** Agent condition - expression to evaluate whether to apply - this stream. + id: type: string - deprecated: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_deprecation_info - enabled: - description: >- - Enable or disable that stream. Defaults - to `true` (enabled). - type: boolean - var_group_selections: - additionalProperties: - type: string - description: >- - Variable group selections. Maps - var_group name to the selected option - name within that group. 
- type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: >- - Input/stream level variable. Refer to - the integration documentation for more - information. - type: object required: - - deprecated - description: >- - Input streams. Refer to the integration - documentation to know which streams are - available. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: >- - Input/stream level variable. Refer to the - integration documentation for more - information. - type: object - required: - - deprecated - description: >- - Package policy inputs. Refer to the integration - documentation to know which inputs are available. - type: object - x-oas-optional: true - description: Package policy inputs. - is_managed: - type: boolean - name: - description: Unique name for the package policy. - type: string - namespace: - description: >- - The package policy namespace. Leave blank to inherit - the agent policy's namespace. - type: string - output_id: - nullable: true - type: string - overrides: + - id + - type: string + ssl: additionalProperties: false - description: >- - Override settings that are defined in the package - policy. The override option should be used only in - unusual circumstances and not as a routine procedure. 
nullable: true type: object properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_package_policy_package - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: >- - ID of the agent policy which the package policy will - be added to. - nullable: true - type: string - policy_ids: - items: - description: >- - IDs of the agent policies which that package policy - will be added to. - type: string - maxItems: 1000 - type: array - revision: - description: Package policy revision. - type: number - secret_references: - items: - additionalProperties: false - type: object - properties: - id: + agent_certificate: + type: string + agent_certificate_authorities: + items: type: string - required: - - id - maxItems: 1000 - type: array - spaceIds: - items: - type: string - maxItems: 100 - type: array - supports_agentless: - default: false - description: >- - Indicates whether the package policy belongs to an - agentless agent policy. - nullable: true - type: boolean - supports_cloud_connector: - default: false - description: >- - Indicates whether the package policy supports cloud - connectors. - nullable: true - type: boolean - updated_at: - type: string - updated_by: - type: string - var_group_selections: - additionalProperties: - type: string - description: >- - Variable group selections. Maps var_group name to the - selected option name within that group. 
- type: object - vars: - anyOf: - - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation - for more information) - type: object - - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: >- - Input/stream level variable. Refer to the - integration documentation for more information. - type: object - x-oas-optional: true - description: Package level variable. - version: - description: Package policy ES version. - type: string + maxItems: 10 + type: array + agent_key: + type: string + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + client_auth: + enum: + - optional + - required + - none + type: string + es_certificate: + type: string + es_certificate_authorities: + items: + type: string + maxItems: 10 + type: array + es_key: + type: string + key: + type: string required: - name - - enabled - - package - - inputs + - host_urls - id - - revision - - updated_at - - updated_by - - created_at - - created_by required: - item - description: Indicates a successful response + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: 
string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No Fleet Server host was found with the given ID + value: + error: Not Found + message: Fleet server fleet-server-host-id-1 not found + statusCode: 404 + description: Not Found + summary: Update a Fleet Server host + tags: + - Fleet Server hosts + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/health_check: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/health_check
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Check the health status of a Fleet Server instance by its host ID. Returns the server status and name if available.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: post-fleet-health-check + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + postHealthCheckRequestExample: + description: Check the health of a Fleet Server instance by its host ID + value: + id: fleet-server-host-id-1 + schema: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + responses: + '200': + content: + application/json: + examples: + postHealthCheckHealthyExample: + description: Fleet Server is online and healthy + value: + name: fleet-server-1 + status: ONLINE + postHealthCheckUnreachableExample: + description: Fleet Server host is not reachable (request timed out or aborted) + value: + host_id: fleet-server-host-id-1 + status: OFFLINE + schema: + additionalProperties: false + type: object + properties: + host_id: + type: string + name: + type: string + status: + type: string + required: + - status + description: Successful health check response + '400': + content: + application/json: + examples: + badRequestExample: + description: The host ID exists but has no associated host URLs configured + value: + error: Bad Request + message: The requested host id fleet-server-host-id-1 does not have associated host urls. 
+ statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No Fleet Server host was found with the given ID + value: + error: Not Found + message: The requested host id fleet-server-host-id-1 does not exist. + statusCode: 404 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Not Found + summary: Check Fleet Server health + tags: + - Fleet internals + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/kubernetes: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/kubernetes
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the Kubernetes manifest for deploying Elastic Agent.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-setup. + operationId: get-fleet-kubernetes + parameters: + - description: If true, returns the manifest as a downloadable file + in: query + name: download + required: false + schema: + type: boolean + - description: Fleet Server host URL to include in the manifest + in: query + name: fleetServer + required: false + schema: + type: string + - description: Enrollment token to include in the manifest + in: query + name: enrolToken + required: false + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getK8sManifestExample: + description: The Kubernetes manifest for deploying Elastic Agent + value: + item: 'apiVersion: v1\nkind: ConfigMap\nmetadata:\n name: agent-node-datastreams\n namespace: kube-system\n' + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_k8s_manifest_response' + description: Successful response '400': content: application/json: @@ -19925,16 +37543,63 @@ paths: - message - attributes description: Bad Request - '409': + summary: Get a full K8s agent manifest + tags: + - Elastic Agent policies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/kubernetes/download: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/kubernetes/download
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Download the Kubernetes manifest for deploying Elastic Agent.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-setup. + operationId: get-fleet-kubernetes-download + parameters: + - description: If true, returns the manifest as a downloadable file + in: query + name: download + required: false + schema: + type: boolean + - description: Fleet Server host URL to include in the manifest + in: query + name: fleetServer + required: false + schema: + type: string + - description: Enrollment token to include in the manifest + in: query + name: enrolToken + required: false + schema: + type: string + responses: + '200': content: application/json: examples: - conflictErrorResponseExample: - description: Example of a conflict error response + getDownloadK8sManifestExample: + description: The Kubernetes manifest download + value: 'apiVersion: v1\nkind: ConfigMap\nmetadata:\n name: agent-node-datastreams\n namespace: kube-system\n' + schema: + type: string + description: Successful response — returns the Kubernetes manifest as a YAML file download + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response value: - error: Conflict + error: Bad Request message: An error message describing what went wrong - statusCode: 409 + statusCode: 400 schema: additionalProperties: false description: Generic Error 
@@ -19953,15 +37618,53 @@ paths: required: - message - attributes - description: Conflict - summary: Create an agentless policy + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No manifest was found + value: + error: Not Found + message: Agent manifest not found + statusCode: 404 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Not Found + summary: Download an agent manifest tags: - - Fleet agentless policies - x-state: Technical Preview - /api/fleet/agentless_policies/{policyId}: - delete: - description: Delete an agentless policy - operationId: delete-fleet-agentless-policies-policyid + - Elastic Agent policies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/logstash_api_keys: + post: + description: |- + **Spaces method and path for this operation:** + +
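Review bot: The `enrolToken` query parameter on `GET /api/fleet/kubernetes/download` (and on the `GET /api/fleet/kubernetes` route that ends at the top of this hunk) is an enrollment credential carried in the URL, yet its description says only `Enrollment token to include in the manifest`; I would extend it to `Enrollment token to include in the manifest. This is a credential: it is embedded in clear text in the returned manifest and, as a query-string value, may be recorded in access, proxy or browser-history logs.` The `'200'` response of the download route is also declared as `application/json` with `schema: type: string` while its description says it returns the manifest as a YAML file download; the Content-Type the route handler actually sets should be confirmed and documented so generated clients do not try to JSON-parse the body. If this spec is generated from the route schemas, both wording changes belong in the route `description` fields rather than in this file.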
post /s/{space_id}/api/fleet/logstash_api_keys
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Generate an API key for Logstash to use with a Fleet output.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: post-fleet-logstash-api-keys parameters: - description: A required header to protect against CSRF attacks in: header @@ -19970,41 +37673,223 @@ paths: schema: example: 'true' type: string - - description: The ID of the policy to delete. - in: path - name: policyId + responses: + '200': + content: + application/json: + examples: + postLogstashApiKeyExample: + description: The generated Logstash API key + value: + api_key: TiNAGG4BaaMdaH1tRfuU:KnR6yE41RrSowb0kQ0HWoA + schema: + additionalProperties: false + type: object + properties: + api_key: + type: string + required: + - api_key + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Generate a Logstash API key + tags: + - Fleet outputs + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/message_signing_service/rotate_key_pair: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/message_signing_service/rotate_key_pair
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Rotate the key pair used by Fleet to sign messages sent to Elastic Agents. This operation is irreversible and requires all agents in the Fleet to be re-enrolled after rotation. You must explicitly acknowledge the risk by passing `acknowledge=true` as a query parameter.

[Required authorization] Route required privileges: fleet-agents-all AND fleet-agent-policies-all AND fleet-settings-all. + operationId: post-fleet-message-signing-service-rotate-key-pair + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: + example: 'true' type: string - - description: Force delete the policy even if the policy is managed. + - description: Set to true to confirm you understand the risks of rotating the key pair in: query - name: force + name: acknowledge required: false schema: + default: false type: boolean responses: '200': content: application/json: examples: - createAgentlessPoliciesResponseExample: - description: >- - Example response showing the successful result of - communication initialisation over MCP protocol + rotateKeyPairSuccessExample: + description: The key pair was rotated. All agents must be re-enrolled to receive the new signing key. value: - item: - id: d52a7812-5736-4fdc-aed8-72152afa1ffa + message: Key pair rotated successfully. schema: additionalProperties: false - description: Response for deleting an agentless package policy. type: object properties: - id: - description: The ID of the deleted agentless package policy. + message: type: string required: - - id - description: Indicates a successful response + - message + description: Key pair rotated successfully + '400': + content: + application/json: + examples: + acknowledgeRequiredExample: + description: Request was rejected because the acknowledge query parameter was not set to true + value: + error: Bad Request + message: 'Warning: this API will cause a key pair to rotate and should not be necessary in normal operation. If you proceed, you may need to reinstall Agents in your network. You must acknowledge the risks of rotating the key pair with acknowledge=true in the request parameters. For more information, reach out to your administrator.' 
+ statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '500': + content: + application/json: + examples: + serviceUnavailableExample: + description: The message signing service is not available + value: + error: Internal Server Error + message: Failed to rotate key pair. Message signing service is unavailable! + statusCode: 500 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Internal Server Error + summary: Rotate a Fleet message signing key pair + tags: + - Message Signing Service + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/outputs: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/outputs
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all Fleet outputs.

[Required authorization] Route required privileges: fleet-settings-read OR fleet-agent-policies-read. + operationId: get-fleet-outputs + parameters: [] + responses: + '200': + content: + application/json: + examples: + getOutputsExample: + description: List of Fleet outputs + value: + items: + - hosts: + - https://elasticsearch.example.com:9200 + id: output-id-1 + is_default: true + is_default_monitoring: true + name: Default output + type: elasticsearch + page: 1 + perPage: 20 + total: 1 + schema: + additionalProperties: false + type: object + properties: + items: + items: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_remote_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_logstash' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_kafka' + maxItems: 10000 + type: array + page: + type: number + perPage: + type: number + total: + type: number + required: + - items + - total + - page + - perPage + description: Successful response '400': content: application/json: @@ -20034,16 +37919,88 @@ paths: - message - attributes description: Bad Request - '409': + summary: Get outputs + tags: + - Fleet outputs + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
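Review bot: The `rotate_key_pair` operation documents two different consequences within this hunk: the `description` says rotation `requires all agents in the Fleet to be re-enrolled after rotation` and the `'200'` example repeats that agents `must be re-enrolled`, while the `'400'` example message from the server says only that you `may need to reinstall Agents in your network`. Since this is the destructive, triple-privileged operation on the page, the description should state the one consequence the implementation actually has (re-enroll versus reinstall, mandatory versus possible), checked against the message-signing service code rather than guessed here. Separately, the `postLogstashApiKeyExample` value `TiNAGG4BaaMdaH1tRfuU:KnR6yE41RrSowb0kQ0HWoA` has the exact `id:secret` shape of a live Elasticsearch API key, so secret scanners may flag this file; an obviously synthetic placeholder such as `<api-key-id>:<api-key-secret>` avoids that. If this spec is generated from the route schemas, the wording fixes belong in the route `description` fields.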
post /s/{space_id}/api/fleet/outputs
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new Fleet output.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: post-fleet-outputs + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + postOutputRequestExample: + description: Create a new Elasticsearch output + value: + hosts: + - https://elasticsearch.example.com:9200 + is_default: false + is_default_monitoring: false + name: My output + type: elasticsearch + schema: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_output_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_output_remote_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_output_logstash' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_output_kafka' + responses: + '200': content: application/json: examples: - conflictErrorResponseExample: - description: Example of a conflict error response + postOutputExample: + description: The created Fleet output value: - error: Conflict + item: + hosts: + - https://elasticsearch.example.com:9200 + id: output-id-2 + is_default: false + is_default_monitoring: false + name: My output + type: elasticsearch + schema: + additionalProperties: false + type: object + properties: + item: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_remote_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_logstash' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_kafka' + required: + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request message: An error message describing what went wrong - statusCode: 409 + statusCode: 400 schema: additionalProperties: false description: 
Generic Error @@ -20062,109 +38019,135 @@ paths: required: - message - attributes - description: Conflict - summary: Delete an agentless policy + description: Bad Request + summary: Create output tags: - - Fleet agentless policies - x-state: Technical Preview - /api/fleet/agents: - get: - description: >- - List agents, with optional filtering and pagination.

[Required - authorization] Route required privileges: fleet-agents-read. - operationId: get-fleet-agents + - Fleet outputs + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/outputs/{outputId}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/outputs/{outputId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete output by ID.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: delete-fleet-outputs-outputid parameters: - - description: Page number - in: query - name: page - required: false - schema: - type: number - - description: Number of results per page - in: query - name: perPage - required: false - schema: - default: 20 - type: number - - description: A KQL query string to filter results - in: query - name: kuery - required: false - schema: - type: string - - description: When true, include agentless agents in the results - in: query - name: showAgentless - required: false - schema: - default: true - type: boolean - - description: When true, include inactive agents in the results - in: query - name: showInactive - required: false - schema: - default: false - type: boolean - - description: When true, include CPU and memory metrics in the response - in: query - name: withMetrics - required: false - schema: - default: false - type: boolean - - description: When true, only return agents that are upgradeable - in: query - name: showUpgradeable - required: false - schema: - default: false - type: boolean - - description: When true, return a summary of agent statuses in the response - in: query - name: getStatusSummary - required: false - schema: - default: false - type: boolean - - description: Field to sort results by - in: query - name: sortField - required: false - schema: - type: string - - description: Sort order, ascending or descending - in: query - name: sortOrder - required: false - schema: - enum: - - asc - - desc - type: string - - description: JSON-encoded array of sort values for `search_after` pagination - in: query - name: searchAfter - required: false + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: + example: 'true' type: string - - description: When true, opens a new point-in-time for pagination - in: query - name: openPit - required: false - schema: - type: 
boolean - - description: Point-in-time ID for pagination - in: query - name: pitId - required: false + - description: The ID of the output + in: path + name: outputId + required: true schema: type: string - - description: Duration to keep the point-in-time alive, for example, `1m` - in: query - name: pitKeepAlive - required: false + responses: + '200': + content: + application/json: + examples: + deleteOutputExample: + description: The output was successfully deleted + value: + id: output-id-1 + schema: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No output was found with the given ID + value: + error: Not Found + message: Output output-id-1 not found + statusCode: 404 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Not Found + summary: Delete output + tags: + - Fleet outputs + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/outputs/{outputId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get output by ID.

[Required authorization] Route required privileges: fleet-settings-read OR fleet-agent-policies-read. + operationId: get-fleet-outputs-outputid + parameters: + - description: The ID of the output + in: path + name: outputId + required: true schema: type: string responses: 
@@ -20172,398 +38155,377 @@ paths: content: application/json: examples: - getAgentsExample: - description: List of agents + getOutputExample: + description: A Fleet output value: - items: - - active: true - enrolled_at: '2024-01-01T00:00:00.000Z' - id: agent-id-1 - policy_id: agent-policy-id-1 - policy_revision: 1 - status: online - type: PERMANENT - updated_at: '2024-01-01T00:00:00.000Z' - page: 1 - perPage: 20 - total: 1 + item: + hosts: + - https://elasticsearch.example.com:9200 + id: output-id-1 + is_default: true + is_default_monitoring: true + name: Default output + type: elasticsearch schema: additionalProperties: false type: object properties: - items: - items: - additionalProperties: false - type: object - properties: - access_api_key: - type: string - access_api_key_id: - type: string - active: - type: boolean - agent: - additionalProperties: true - type: object - properties: - id: - type: string - type: - type: string - version: - type: string - required: - - id - - version - audit_unenrolled_reason: - type: string - capabilities: - items: - type: string - maxItems: 100 - type: array - components: - items: - additionalProperties: false - type: object - properties: - id: - type: string - message: - type: string - status: - enum: - - STARTING - - CONFIGURING - - HEALTHY - - DEGRADED - - FAILED - - STOPPING - - STOPPED - type: string - type: - type: string - units: - items: - additionalProperties: false - type: object - properties: - id: - type: string - message: - type: string - payload: - additionalProperties: - nullable: true - type: object - status: - enum: - - STARTING - - CONFIGURING - - HEALTHY - - DEGRADED - - FAILED - - STOPPING - - STOPPED - type: string - type: - enum: - - input - - output - - '' - type: string - required: - - id - - type - - status - - message - maxItems: 10000 - type: array - required: - - id - - type - - status - - message - maxItems: 10000 - type: array - default_api_key: - type: string - default_api_key_history: - items: - 
additionalProperties: false - deprecated: true - type: object - properties: - id: - type: string - retired_at: - type: string - required: - - id - - retired_at - maxItems: 100 - type: array - default_api_key_id: - type: string - effective_config: - nullable: true - enrolled_at: - type: string - health: - additionalProperties: - nullable: true - type: object - id: - type: string - identifying_attributes: - additionalProperties: - type: string - type: object - last_checkin: - type: string - last_checkin_message: - type: string - last_checkin_status: - enum: - - error - - online - - degraded - - updating - - starting - - disconnected - type: string - last_known_status: - enum: - - offline - - error - - online - - inactive - - enrolling - - unenrolling - - unenrolled - - updating - - degraded - - uninstalled - - orphaned - type: string - local_metadata: - additionalProperties: - nullable: true - type: object - metrics: - additionalProperties: false - type: object - properties: - cpu_avg: - type: number - memory_size_byte_avg: - type: number - namespaces: - items: - type: string - maxItems: 100 - type: array - non_identifying_attributes: - additionalProperties: - type: string - type: object - outputs: - additionalProperties: - additionalProperties: false - type: object - properties: - api_key_id: - type: string - to_retire_api_key_ids: - items: - additionalProperties: false - type: object - properties: - id: - type: string - retired_at: - type: string - required: - - id - - retired_at - maxItems: 100 - type: array - type: - type: string - type: object - packages: - items: - type: string - maxItems: 10000 - type: array - policy_id: - type: string - policy_revision: - nullable: true - type: number - sequence_num: - type: number - signals: - items: - type: string - maxItems: 50 - type: array - sort: - items: - nullable: true - maxItems: 10 - type: array - status: - enum: - - offline - - error - - online - - inactive - - enrolling - - unenrolling - - unenrolled - - updating 
- - degraded - - uninstalled - - orphaned - type: string - tags: - items: - type: string - maxItems: 100 - type: array - type: - enum: - - PERMANENT - - EPHEMERAL - - TEMPORARY - - OPAMP - type: string - unenrolled_at: - type: string - unenrollment_started_at: - type: string - unhealthy_reason: - items: - enum: - - input - - output - - other - type: string - maxItems: 3 - nullable: true - type: array - upgrade: - additionalProperties: false - type: object - properties: - rollbacks: - items: - additionalProperties: false - type: object - properties: - valid_until: - type: string - version: - type: string - required: - - valid_until - - version - maxItems: 100 - type: array - upgrade_attempts: - items: - type: string - maxItems: 10000 - nullable: true - type: array - upgrade_details: - additionalProperties: false - nullable: true - type: object - properties: - action_id: - type: string - metadata: - additionalProperties: false - type: object - properties: - download_percent: - type: number - download_rate: - type: number - error_msg: - type: string - failed_state: - enum: - - UPG_REQUESTED - - UPG_SCHEDULED - - UPG_DOWNLOADING - - UPG_EXTRACTING - - UPG_REPLACING - - UPG_RESTARTING - - UPG_FAILED - - UPG_WATCHING - - UPG_ROLLBACK - type: string - reason: - type: string - retry_error_msg: - type: string - retry_until: - type: string - scheduled_at: - type: string - state: - enum: - - UPG_REQUESTED - - UPG_SCHEDULED - - UPG_DOWNLOADING - - UPG_EXTRACTING - - UPG_REPLACING - - UPG_RESTARTING - - UPG_FAILED - - UPG_WATCHING - - UPG_ROLLBACK - type: string - target_version: - type: string - required: - - target_version - - action_id - - state - upgrade_started_at: - nullable: true - type: string - upgraded_at: - nullable: true - type: string - user_provided_metadata: - additionalProperties: - nullable: true - type: object - required: - - id - - packages - - type - - active - - enrolled_at - - local_metadata - - effective_config + item: + anyOf: + - $ref: 
'#/components/schemas/Kibana_HTTP_APIs_output_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_remote_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_logstash' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_kafka' + required: + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No output was found with the given ID + value: + error: Not Found + message: Output output-id-1 not found + statusCode: 404 + description: Not Found + summary: Get output + tags: + - Fleet outputs + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/fleet/outputs/{outputId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update output by ID.

[Required authorization] Route required privileges: fleet-settings-all OR fleet-agent-policies-all. + operationId: put-fleet-outputs-outputid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The ID of the output + in: path + name: outputId + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + putOutputRequestExample: + description: Update a Fleet output + value: + hosts: + - https://updated-elasticsearch.example.com:9200 + name: Updated output + schema: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_output_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_output_remote_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_output_logstash' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_output_kafka' + responses: + '200': + content: + application/json: + examples: + putOutputExample: + description: The updated Fleet output + value: + item: + hosts: + - https://updated-elasticsearch.example.com:9200 + id: output-id-1 + is_default: true + is_default_monitoring: true + name: Updated output + type: elasticsearch + schema: + additionalProperties: false + type: object + properties: + item: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_remote_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_logstash' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_kafka' + required: + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error 
+ type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No output was found with the given ID + value: + error: Not Found + message: Output output-id-1 not found + statusCode: 404 + description: Not Found + summary: Update output + tags: + - Fleet outputs + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/outputs/{outputId}/health: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/outputs/{outputId}/health
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the latest health status of an output by ID.

[Required authorization] Route required privileges: fleet-settings-read. + operationId: get-fleet-outputs-outputid-health + parameters: + - description: The ID of the output + in: path + name: outputId + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getOutputHealthExample: + description: The latest health status of a Fleet output + value: + message: '' + state: HEALTHY + timestamp: '2024-01-15T10:00:00.000Z' + schema: + additionalProperties: false + type: object + properties: + message: + description: long message if unhealthy + type: string + state: + description: state of output, HEALTHY or DEGRADED + type: string + timestamp: + description: timestamp of reported state + type: string + required: + - state + - message + - timestamp + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get the latest output health + tags: + - Fleet outputs + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/package_policies: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/package_policies
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all package policies. + operationId: get-fleet-package-policies + parameters: + - description: Page number + in: query + name: page + required: false + schema: + type: number + - description: Number of results per page + in: query + name: perPage + required: false + schema: + type: number + - description: Field to sort results by + in: query + name: sortField + required: false + schema: + type: string + - description: Sort order, ascending or descending + in: query + name: sortOrder + required: false + schema: + enum: + - desc + - asc + type: string + - description: When true, only show policies with available upgrades + in: query + name: showUpgradeable + required: false + schema: + type: boolean + - description: A KQL query string to filter results + in: query + name: kuery + required: false + schema: + type: string + - description: 'Format for the response: simplified or legacy' + in: query + name: format + required: false + schema: + enum: + - simplified + - legacy + type: string + - description: When true, include the agent count per package policy + in: query + name: withAgentCount + required: false + schema: + type: boolean + responses: + '200': + content: + application/json: + examples: + getPackagePoliciesExample: + description: List of package policies + value: + items: + - created_at: '2024-01-15T10:00:00.000Z' + enabled: true + id: package-policy-id-1 + inputs: [] + name: nginx-1 + namespace: default + package: + name: nginx + title: Nginx + version: 1.20.0 + policy_ids: + - agent-policy-id-1 + updated_at: '2024-01-15T10:00:00.000Z' + page: 1 + perPage: 20 + total: 1 + schema: + additionalProperties: false + type: object + properties: + items: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_response' maxItems: 10000 type: array - nextSearchAfter: - type: string page: type: number perPage: type: number - pit: - type: string 
- statusSummary: - additionalProperties: - type: number - type: object total: type: number required: @@ -20601,14 +38563,159 @@ paths: - message - attributes description: Bad Request - summary: Get agents + summary: Get package policies tags: - - Elastic Agents + - Fleet package policies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name post: - description: >- - Retrieve agents associated with specific action IDs.

[Required - authorization] Route required privileges: fleet-agents-read. - operationId: post-fleet-agents + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/package_policies
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new package policy and assign it to an agent policy. + operationId: post-fleet-package-policies + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: 'Format for the response: simplified or legacy' + in: query + name: format + required: false + schema: + enum: + - simplified + - legacy + type: string + requestBody: + content: + application/json: + examples: + postPackagePolicyRequestExample: + description: Create a new nginx package policy + value: + inputs: {} + name: nginx-1 + namespace: default + package: + name: nginx + version: 1.20.0 + policy_ids: + - agent-policy-id-1 + schema: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_create_package_policy_request' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_simplified_create_package_policy_request' + description: You should use inputs as an object and not use the deprecated inputs array. 
+ responses: + '200': + content: + application/json: + examples: + postPackagePolicyExample: + description: The created package policy + value: + item: + created_at: '2024-01-15T10:00:00.000Z' + enabled: true + id: package-policy-id-2 + inputs: [] + name: nginx-1 + namespace: default + package: + name: nginx + title: Nginx + version: 1.20.0 + policy_ids: + - agent-policy-id-1 + updated_at: '2024-01-15T10:00:00.000Z' + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_create_package_policy_response' + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '409': + content: + application/json: + examples: + conflictExample: + description: A package policy with the same name already exists + value: + error: Conflict + message: An error message describing what went wrong + statusCode: 409 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Conflict + summary: Create a package policy + tags: + - Fleet package policies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/package_policies/_bulk_get: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/package_policies/_bulk_get
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get multiple package policies by ID. + operationId: post-fleet-package-policies-bulk-get parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -20617,52 +38724,160 @@ paths: schema: example: 'true' type: string + - description: 'Format for the response: simplified or legacy' + in: query + name: format + required: false + schema: + enum: + - simplified + - legacy + type: string requestBody: content: application/json: examples: - postGetAgentsByActionsRequestExample: - description: Retrieve agents associated with specific action IDs + postBulkGetPackagePoliciesRequestExample: + description: Retrieve multiple package policies by ID value: - actionIds: - - action-id-1 - - action-id-2 + ids: + - package-policy-id-1 + - package-policy-id-2 schema: additionalProperties: false type: object properties: - actionIds: + ids: + description: list of package policy ids items: type: string maxItems: 1000 type: array + ignoreMissing: + type: boolean required: - - actionIds + - ids responses: '200': content: application/json: examples: - postGetAgentsByActionsExample: - description: Agents associated with the given actions + postBulkGetPackagePoliciesExample: + description: The requested package policies value: items: - - active: true - id: agent-id-1 - policy_id: agent-policy-id-1 - status: online - total: 1 + - created_at: '2024-01-15T10:00:00.000Z' + enabled: true + id: package-policy-id-1 + inputs: [] + name: nginx-1 + namespace: default + package: + name: nginx + title: Nginx + version: 1.20.0 + policy_ids: + - agent-policy-id-1 + updated_at: '2024-01-15T10:00:00.000Z' + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_get_package_policies_response' + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: additionalProperties: false + description: Generic Error type: object properties: - items: - items: - type: string - maxItems: 10000 - type: array + attributes: + nullable: true + 
error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number required: - - items + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: One or more package policies were not found + value: + error: Not Found + message: Package policy package-policy-id-2 not found + statusCode: 404 + schema: + additionalProperties: false + type: object + properties: + message: + type: string + required: + - message + description: Not Found + summary: Bulk get package policies + tags: + - Fleet package policies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/package_policies/{packagePolicyId}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/package_policies/{packagePolicyId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a package policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all AND integrations-all. + operationId: delete-fleet-package-policies-packagepolicyid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The ID of the package policy + in: path + name: packagePolicyId + required: true + schema: + type: string + - description: When true, delete the package policy even if it is managed + in: query + name: force + required: false + schema: + type: boolean + responses: + '200': + content: + application/json: + examples: + deletePackagePolicyExample: + description: The package policy was successfully deleted + value: + id: package-policy-id-1 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_delete_one_package_policy_response' description: Successful response '400': content: @@ -20693,49 +38908,68 @@ paths: - message - attributes description: Bad Request - summary: Get agents by action ids + summary: Delete a package policy tags: - - Elastic Agents - /api/fleet/agents/{agentId}: - delete: - description: >- - Delete an agent by ID.

[Required authorization] Route required - privileges: fleet-agents-all. - operationId: delete-fleet-agents-agentid + - Fleet package policies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/package_policies/{packagePolicyId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a package policy by ID. + operationId: get-fleet-package-policies-packagepolicyid parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf + - description: The ID of the package policy + in: path + name: packagePolicyId required: true schema: - example: 'true' type: string - - description: The agent ID - in: path - name: agentId - required: true + - description: 'Format for the response: simplified or legacy' + in: query + name: format + required: false schema: + enum: + - simplified + - legacy type: string responses: '200': content: application/json: examples: - deleteAgentExample: - description: Agent successfully deleted + getPackagePolicyExample: + description: A package policy value: - id: agent-id-1 - success: true + item: + created_at: '2024-01-15T10:00:00.000Z' + enabled: true + id: package-policy-id-1 + inputs: [] + name: nginx-1 + namespace: default + package: + name: nginx + title: Nginx + version: 1.20.0 + policy_ids: + - agent-policy-id-1 + updated_at: '2024-01-15T10:00:00.000Z' schema: additionalProperties: false type: object properties: - action: - enum: - - deleted - type: string + item: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_response' required: - - action + - item description: Successful response '400': content: 
@@ -20771,422 +39005,107 @@ paths: application/json: examples: notFoundExample: - description: No agent was found with the given ID + description: No package policy was found with the given ID value: error: Not Found - message: Agent agent-id-1 not found + message: Package policy package-policy-id-1 not found statusCode: 404 + schema: + additionalProperties: false + type: object + properties: + message: + type: string + required: + - message description: Not Found - summary: Delete an agent + summary: Get a package policy tags: - - Elastic Agents - get: - description: >- - Get an agent by ID.

[Required authorization] Route required - privileges: fleet-agents-read. - operationId: get-fleet-agents-agentid + - Fleet package policies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/fleet/package_policies/{packagePolicyId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update a package policy by ID. + operationId: put-fleet-package-policies-packagepolicyid parameters: - - description: The agent ID + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The ID of the package policy in: path - name: agentId + name: packagePolicyId required: true schema: type: string - - description: When true, include CPU and memory metrics in the response + - description: 'Format for the response: simplified or legacy' in: query - name: withMetrics + name: format required: false schema: - default: false - type: boolean + enum: + - simplified + - legacy + type: string + requestBody: + content: + application/json: + examples: + putPackagePolicyRequestExample: + description: Update a package policy + value: + enabled: true + inputs: {} + name: nginx-1-updated + namespace: default + package: + name: nginx + version: 1.20.0 + policy_ids: + - agent-policy-id-1 + schema: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_package_policy_request' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_simplified_create_package_policy_request' responses: '200': content: application/json: examples: - getAgentExample: - description: Agent details + putPackagePolicyExample: + description: The updated package policy value: item: - active: true - agent_id: agent-id-1 - enrolled_at: '2024-01-01T00:00:00.000Z' - id: agent-id-1 - local_metadata: - elastic: - agent: - version: 8.17.0 - host: - hostname: my-host - os: - name: linux - policy_id: agent-policy-id-1 - policy_revision: 1 - status: online - type: PERMANENT - updated_at: '2024-01-01T00:00:00.000Z' - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - access_api_key: - type: string - 
access_api_key_id: - type: string - active: - type: boolean - agent: - additionalProperties: true - type: object - properties: - id: - type: string - type: - type: string - version: - type: string - required: - - id - - version - audit_unenrolled_reason: - type: string - capabilities: - items: - type: string - maxItems: 100 - type: array - components: - items: - additionalProperties: false - type: object - properties: - id: - type: string - message: - type: string - status: - enum: - - STARTING - - CONFIGURING - - HEALTHY - - DEGRADED - - FAILED - - STOPPING - - STOPPED - type: string - type: - type: string - units: - items: - additionalProperties: false - type: object - properties: - id: - type: string - message: - type: string - payload: - additionalProperties: - nullable: true - type: object - status: - enum: - - STARTING - - CONFIGURING - - HEALTHY - - DEGRADED - - FAILED - - STOPPING - - STOPPED - type: string - type: - enum: - - input - - output - - '' - type: string - required: - - id - - type - - status - - message - maxItems: 10000 - type: array - required: - - id - - type - - status - - message - maxItems: 10000 - type: array - default_api_key: - type: string - default_api_key_history: - items: - additionalProperties: false - deprecated: true - type: object - properties: - id: - type: string - retired_at: - type: string - required: - - id - - retired_at - maxItems: 100 - type: array - default_api_key_id: - type: string - effective_config: - nullable: true - enrolled_at: - type: string - health: - additionalProperties: - nullable: true - type: object - id: - type: string - identifying_attributes: - additionalProperties: - type: string - type: object - last_checkin: - type: string - last_checkin_message: - type: string - last_checkin_status: - enum: - - error - - online - - degraded - - updating - - starting - - disconnected - type: string - last_known_status: - enum: - - offline - - error - - online - - inactive - - enrolling - - unenrolling - - unenrolled 
- - updating - - degraded - - uninstalled - - orphaned - type: string - local_metadata: - additionalProperties: - nullable: true - type: object - metrics: - additionalProperties: false - type: object - properties: - cpu_avg: - type: number - memory_size_byte_avg: - type: number - namespaces: - items: - type: string - maxItems: 100 - type: array - non_identifying_attributes: - additionalProperties: - type: string - type: object - outputs: - additionalProperties: - additionalProperties: false - type: object - properties: - api_key_id: - type: string - to_retire_api_key_ids: - items: - additionalProperties: false - type: object - properties: - id: - type: string - retired_at: - type: string - required: - - id - - retired_at - maxItems: 100 - type: array - type: - type: string - type: object - packages: - items: - type: string - maxItems: 10000 - type: array - policy_id: - type: string - policy_revision: - nullable: true - type: number - sequence_num: - type: number - signals: - items: - type: string - maxItems: 50 - type: array - sort: - items: - nullable: true - maxItems: 10 - type: array - status: - enum: - - offline - - error - - online - - inactive - - enrolling - - unenrolling - - unenrolled - - updating - - degraded - - uninstalled - - orphaned - type: string - tags: - items: - type: string - maxItems: 100 - type: array - type: - enum: - - PERMANENT - - EPHEMERAL - - TEMPORARY - - OPAMP - type: string - unenrolled_at: - type: string - unenrollment_started_at: - type: string - unhealthy_reason: - items: - enum: - - input - - output - - other - type: string - maxItems: 3 - nullable: true - type: array - upgrade: - additionalProperties: false - type: object - properties: - rollbacks: - items: - additionalProperties: false - type: object - properties: - valid_until: - type: string - version: - type: string - required: - - valid_until - - version - maxItems: 100 - type: array - upgrade_attempts: - items: - type: string - maxItems: 10000 - nullable: true - type: array 
- upgrade_details: - additionalProperties: false - nullable: true - type: object - properties: - action_id: - type: string - metadata: - additionalProperties: false - type: object - properties: - download_percent: - type: number - download_rate: - type: number - error_msg: - type: string - failed_state: - enum: - - UPG_REQUESTED - - UPG_SCHEDULED - - UPG_DOWNLOADING - - UPG_EXTRACTING - - UPG_REPLACING - - UPG_RESTARTING - - UPG_FAILED - - UPG_WATCHING - - UPG_ROLLBACK - type: string - reason: - type: string - retry_error_msg: - type: string - retry_until: - type: string - scheduled_at: - type: string - state: - enum: - - UPG_REQUESTED - - UPG_SCHEDULED - - UPG_DOWNLOADING - - UPG_EXTRACTING - - UPG_REPLACING - - UPG_RESTARTING - - UPG_FAILED - - UPG_WATCHING - - UPG_ROLLBACK - type: string - target_version: - type: string - required: - - target_version - - action_id - - state - upgrade_started_at: - nullable: true - type: string - upgraded_at: - nullable: true - type: string - user_provided_metadata: - additionalProperties: - nullable: true - type: object - required: - - id - - packages - - type - - active - - enrolled_at - - local_metadata - - effective_config + created_at: '2024-01-15T10:00:00.000Z' + enabled: true + id: package-policy-id-1 + inputs: [] + name: nginx-1-updated + namespace: default + package: + name: nginx + title: Nginx + version: 1.20.0 + policy_ids: + - agent-policy-id-1 + updated_at: '2024-01-15T11:00:00.000Z' + schema: + additionalProperties: false + type: object + properties: + item: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_response' required: - item description: Successful response 
@@ -21219,25 +39138,52 @@ paths: - message - attributes description: Bad Request - '404': + '403': content: application/json: examples: - notFoundExample: - description: No agent was found with the given ID + forbiddenExample: + description: The update is not authorized for this package value: - error: Not Found - message: Agent agent-id-1 not found - statusCode: 404 - description: Not Found - summary: Get an agent + error: Forbidden + message: An error message describing what went wrong + statusCode: 403 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Forbidden + summary: Update a package policy tags: - - Elastic Agents - put: - description: >- - Update an agent by ID.

[Required authorization] Route required - privileges: fleet-agents-all. - operationId: put-fleet-agents-agentid + - Fleet package policies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/package_policies/delete: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/package_policies/delete
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete multiple package policies by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all AND integrations-all. + operationId: post-fleet-package-policies-delete parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -21246,419 +39192,117 @@ paths: schema: example: 'true' type: string - - description: The agent ID - in: path - name: agentId - required: true - schema: - type: string requestBody: content: application/json: examples: - putAgentRequestExample: - description: Update agent tags + postDeletePackagePoliciesRequestExample: + description: Delete multiple package policies by ID value: - tags: - - production - - linux + packagePolicyIds: + - package-policy-id-1 + - package-policy-id-2 schema: - additionalProperties: false - type: object - properties: - tags: - items: - type: string - maxItems: 10 - type: array - user_provided_metadata: - additionalProperties: - nullable: true - type: object + $ref: '#/components/schemas/Kibana_HTTP_APIs_delete_package_policies_request' responses: '200': content: application/json: examples: - putAgentExample: - description: Updated agent details + postDeletePackagePoliciesExample: + description: Results of the bulk delete operation value: - item: - active: true - enrolled_at: '2024-01-01T00:00:00.000Z' - id: agent-id-1 - policy_id: agent-policy-id-1 - policy_revision: 1 - status: online - tags: - - production - - linux - type: PERMANENT - updated_at: '2024-01-01T00:00:00.000Z' + - id: package-policy-id-1 + success: true + - id: package-policy-id-2 + success: true + schema: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_status_response' + maxItems: 10000 + type: array + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: additionalProperties: false + description: Generic Error type: object properties: - item: - additionalProperties: false - type: object - properties: - access_api_key: - type: string - access_api_key_id: - type: string - active: - type: boolean - agent: - additionalProperties: 
true - type: object - properties: - id: - type: string - type: - type: string - version: - type: string - required: - - id - - version - audit_unenrolled_reason: - type: string - capabilities: - items: - type: string - maxItems: 100 - type: array - components: - items: - additionalProperties: false - type: object - properties: - id: - type: string - message: - type: string - status: - enum: - - STARTING - - CONFIGURING - - HEALTHY - - DEGRADED - - FAILED - - STOPPING - - STOPPED - type: string - type: - type: string - units: - items: - additionalProperties: false - type: object - properties: - id: - type: string - message: - type: string - payload: - additionalProperties: - nullable: true - type: object - status: - enum: - - STARTING - - CONFIGURING - - HEALTHY - - DEGRADED - - FAILED - - STOPPING - - STOPPED - type: string - type: - enum: - - input - - output - - '' - type: string - required: - - id - - type - - status - - message - maxItems: 10000 - type: array - required: - - id - - type - - status - - message - maxItems: 10000 - type: array - default_api_key: - type: string - default_api_key_history: - items: - additionalProperties: false - deprecated: true - type: object - properties: - id: - type: string - retired_at: - type: string - required: - - id - - retired_at - maxItems: 100 - type: array - default_api_key_id: - type: string - effective_config: - nullable: true - enrolled_at: - type: string - health: - additionalProperties: - nullable: true - type: object - id: - type: string - identifying_attributes: - additionalProperties: - type: string - type: object - last_checkin: - type: string - last_checkin_message: - type: string - last_checkin_status: - enum: - - error - - online - - degraded - - updating - - starting - - disconnected - type: string - last_known_status: - enum: - - offline - - error - - online - - inactive - - enrolling - - unenrolling - - unenrolled - - updating - - degraded - - uninstalled - - orphaned - type: string - local_metadata: - 
additionalProperties: - nullable: true - type: object - metrics: - additionalProperties: false - type: object - properties: - cpu_avg: - type: number - memory_size_byte_avg: - type: number - namespaces: - items: - type: string - maxItems: 100 - type: array - non_identifying_attributes: - additionalProperties: - type: string - type: object - outputs: - additionalProperties: - additionalProperties: false - type: object - properties: - api_key_id: - type: string - to_retire_api_key_ids: - items: - additionalProperties: false - type: object - properties: - id: - type: string - retired_at: - type: string - required: - - id - - retired_at - maxItems: 100 - type: array - type: - type: string - type: object - packages: - items: - type: string - maxItems: 10000 - type: array - policy_id: - type: string - policy_revision: - nullable: true - type: number - sequence_num: - type: number - signals: - items: - type: string - maxItems: 50 - type: array - sort: - items: - nullable: true - maxItems: 10 - type: array - status: - enum: - - offline - - error - - online - - inactive - - enrolling - - unenrolling - - unenrolled - - updating - - degraded - - uninstalled - - orphaned - type: string - tags: - items: - type: string - maxItems: 100 - type: array - type: - enum: - - PERMANENT - - EPHEMERAL - - TEMPORARY - - OPAMP - type: string - unenrolled_at: - type: string - unenrollment_started_at: - type: string - unhealthy_reason: - items: - enum: - - input - - output - - other - type: string - maxItems: 3 - nullable: true - type: array - upgrade: - additionalProperties: false - type: object - properties: - rollbacks: - items: - additionalProperties: false - type: object - properties: - valid_until: - type: string - version: - type: string - required: - - valid_until - - version - maxItems: 100 - type: array - upgrade_attempts: - items: - type: string - maxItems: 10000 - nullable: true - type: array - upgrade_details: - additionalProperties: false - nullable: true - type: object - 
properties: - action_id: - type: string - metadata: - additionalProperties: false - type: object - properties: - download_percent: - type: number - download_rate: - type: number - error_msg: - type: string - failed_state: - enum: - - UPG_REQUESTED - - UPG_SCHEDULED - - UPG_DOWNLOADING - - UPG_EXTRACTING - - UPG_REPLACING - - UPG_RESTARTING - - UPG_FAILED - - UPG_WATCHING - - UPG_ROLLBACK - type: string - reason: - type: string - retry_error_msg: - type: string - retry_until: - type: string - scheduled_at: - type: string - state: - enum: - - UPG_REQUESTED - - UPG_SCHEDULED - - UPG_DOWNLOADING - - UPG_EXTRACTING - - UPG_REPLACING - - UPG_RESTARTING - - UPG_FAILED - - UPG_WATCHING - - UPG_ROLLBACK - type: string - target_version: - type: string - required: - - target_version - - action_id - - state - upgrade_started_at: - nullable: true - type: string - upgraded_at: - nullable: true - type: string - user_provided_metadata: - additionalProperties: - nullable: true - type: object - required: - - id - - packages - - type - - active - - enrolled_at - - local_metadata - - effective_config + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number required: - - item + - message + - attributes + description: Bad Request + summary: Bulk delete package policies + tags: + - Fleet package policies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/package_policies/upgrade: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/package_policies/upgrade
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Upgrade a package policy to a newer package version.

[Required authorization] Route required privileges: fleet-agent-policies-all AND integrations-all. + operationId: post-fleet-package-policies-upgrade + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + postUpgradePackagePoliciesRequestExample: + description: Upgrade package policies to the latest version + value: + packagePolicyIds: + - package-policy-id-1 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_upgrade_package_policies_request' + responses: + '200': + content: + application/json: + examples: + postUpgradePackagePoliciesExample: + description: Results of the upgrade operation + value: + - id: package-policy-id-1 + name: nginx-1 + success: true + schema: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_status_response' + maxItems: 10000 + type: array description: Successful response '400': content: @@ -21689,26 +39333,23 @@ paths: - message - attributes description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No agent was found with the given ID - value: - error: Not Found - message: Agent agent-id-1 not found - statusCode: 404 - description: Not Found - summary: Update an agent by ID + summary: Upgrade a package policy tags: - - Elastic Agents - /api/fleet/agents/{agentId}/actions: + - Fleet package policies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/package_policies/upgrade/dryrun: post: - description: >- - Create a new action for a specific agent.

[Required - authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-agentid-actions + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/package_policies/upgrade/dryrun
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Preview the changes that would be applied by upgrading a package policy to a newer package version.

[Required authorization] Route required privileges: fleet-agent-policies-read AND integrations-read. + operationId: post-fleet-package-policies-upgrade-dryrun parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -21717,134 +39358,167 @@ paths: schema: example: 'true' type: string - - description: The agent ID - in: path - name: agentId - required: true - schema: - type: string requestBody: content: application/json: examples: - postAgentActionRequestExample: - description: Create a UNENROLL action for an agent + postDryRunPackagePoliciesRequestExample: + description: Dry run an upgrade of a package policy value: - action: - type: UNENROLL + packagePolicyIds: + - package-policy-id-1 schema: - additionalProperties: false - type: object - properties: - action: - anyOf: - - additionalProperties: false - type: object - properties: - ack_data: - nullable: true - data: - nullable: true - type: - enum: - - UNENROLL - - UPGRADE - - POLICY_REASSIGN - type: string - required: - - type - - data - - ack_data - - additionalProperties: false - type: object - properties: - data: - additionalProperties: false - type: object - properties: - log_level: - enum: - - debug - - info - - warning - - error - nullable: true - type: string - required: - - log_level - type: - enum: - - SETTINGS - type: string - required: - - type - - data - required: - - action + $ref: '#/components/schemas/Kibana_HTTP_APIs_dry_run_package_policies_request' responses: '200': content: application/json: examples: - postAgentActionExample: - description: Created agent action + postDryRunPackagePoliciesExample: + description: Preview of the package policy upgrade diff value: - item: - agents: - - agent-id-1 - created_at: '2024-01-01T00:00:00.000Z' - id: action-id-1 - type: UNENROLL + - diff: + - id: package-policy-id-1 + name: nginx-1 + package: + name: nginx + version: 1.20.0 + - name: nginx-1 + package: + name: nginx + version: 1.21.0 + hasErrors: false + name: nginx-1 schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - ack_data: - nullable: true - agents: + items: + additionalProperties: false + type: object + properties: + 
agent_diff: + items: items: - type: string + additionalProperties: true + type: object + properties: + data_stream: + additionalProperties: true + type: object + properties: + namespace: + type: string + required: + - namespace + id: + type: string + meta: + additionalProperties: true + type: object + properties: + package: + additionalProperties: true + type: object + properties: + name: + type: string + version: + type: string + required: + - name + - version + required: + - package + name: + type: string + package_policy_id: + type: string + processors: + items: + additionalProperties: true + type: object + properties: + add_fields: + additionalProperties: true + type: object + properties: + fields: + additionalProperties: + anyOf: + - type: string + - type: number + type: object + target: + type: string + required: + - target + - fields + required: + - add_fields + maxItems: 10000 + type: array + revision: + type: number + streams: + items: + additionalProperties: true + type: object + properties: + data_stream: + additionalProperties: true + type: object + properties: + dataset: + type: string + type: + type: string + required: + - dataset + id: + type: string + required: + - data_stream + maxItems: 10000 + type: array + type: + type: string + use_output: + type: string + required: + - id + - name + - revision + - type + - data_stream + - use_output + - package_policy_id maxItems: 10000 type: array - created_at: - type: string - data: - nullable: true - expiration: - type: string - id: - type: string - minimum_execution_duration: - type: number - namespaces: - items: + maxItems: 1 + type: array + body: + additionalProperties: false + type: object + properties: + message: type: string - maxItems: 100 - type: array - rollout_duration_seconds: - type: number - sent_at: - type: string - source_uri: - type: string - start_time: - type: string - total: - type: number - type: - type: string - required: - - id - - type - - data - - created_at - - ack_data - required: 
- - item + required: + - message + diff: + items: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_response' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_dry_run_package_policy' + maxItems: 2 + type: array + hasErrors: + type: boolean + name: + type: string + statusCode: + type: number + required: + - hasErrors + maxItems: 10000 + type: array description: Successful response '400': content: @@ -21875,46 +39549,103 @@ paths: - message - attributes description: Bad Request - summary: Create an agent action + summary: Dry run a package policy upgrade tags: - - Elastic Agent actions - /api/fleet/agents/{agentId}/effective_config: + - Fleet package policies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/proxies: get: - description: >- - Get an agent's effective config by ID.

[Required authorization] - Route required privileges: fleet-agents-read. - operationId: get-fleet-agents-agentid-effective-config - parameters: - - description: The agent ID to get effective config of - in: path - name: agentId - required: true - schema: - type: string + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/proxies
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all Fleet proxies.

[Required authorization] Route required privileges: fleet-settings-read. + operationId: get-fleet-proxies + parameters: [] responses: '200': content: application/json: examples: - successResponse: + getFleetProxiesExample: + description: List of Fleet proxies value: - effective_config: {} + items: + - id: proxy-id-1 + is_preconfigured: false + name: My proxy + url: http://proxy.example.com:3128 + page: 1 + perPage: 20 + total: 1 schema: additionalProperties: false type: object properties: - effective_config: - nullable: true + items: + items: + additionalProperties: false + type: object + properties: + certificate: + nullable: true + type: string + certificate_authorities: + nullable: true + type: string + certificate_key: + nullable: true + type: string + id: + type: string + is_preconfigured: + default: false + type: boolean + name: + type: string + proxy_headers: + additionalProperties: + anyOf: + - type: string + - type: boolean + - type: number + nullable: true + type: object + url: + type: string + required: + - id + - url + - name + maxItems: 10000 + type: array + page: + type: number + perPage: + type: number + total: + type: number required: - - effective_config - description: 'OK: A successful request.' + - items + - total + - page + - perPage + description: Successful response '400': content: application/json: examples: - badRequestResponse: + genericErrorResponseExample: + description: Example of a generic error response value: - message: Bad Request + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: additionalProperties: false description: Generic Error 
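Review bot: The `items[]` schema of the 200 response for `get-fleet-proxies` lists `certificate_key` next to `certificate` and `certificate_authorities`, so the documented contract is that private key material is returned to any caller holding `fleet-settings-read`. If the handler really echoes the stored key, that deserves a deliberate decision and a sentence in the operation description; if it does not, the field should be marked `writeOnly: true` (or dropped from the response schema) so the published docs stop advertising it. The same response shape recurs in the proxy create, get-by-id and update responses in the later hunks (`post-fleet-proxies`, `get-fleet-proxies-itemid`, `put-fleet-proxies-itemid`). Since this file looks generated, the change presumably belongs in the response schema the bundle is produced from rather than in this output.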
@@ -21933,16 +39664,23 @@ paths: required: - message - attributes - description: A bad request. - summary: Get an agent's effective config + description: Bad Request + summary: Get proxies tags: - - Elastic Agents - /api/fleet/agents/{agentId}/migrate: + - Fleet proxies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name post: - description: >- - Migrate a single agent to another cluster.

[Required - authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-agentid-migrate + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/proxies
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new Fleet proxy.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: post-fleet-proxies parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -21951,89 +39689,101 @@ paths: schema: example: 'true' type: string - - description: The agent ID - in: path - name: agentId - required: true - schema: - type: string requestBody: content: application/json: examples: - postMigrateAgentRequestExample: - description: Migrate a single agent to another cluster + postFleetProxyRequestExample: + description: Create a new Fleet proxy value: - enrollment_token: enrollment-token-value - settings: - retry_max: 5 - uri: https://fleet-server.example.com:8220 + name: My proxy + url: http://proxy.example.com:3128 schema: additionalProperties: false type: object properties: - enrollment_token: + certificate: + nullable: true type: string - settings: - additionalProperties: false + certificate_authorities: + nullable: true + type: string + certificate_key: + nullable: true + type: string + id: + type: string + is_preconfigured: + default: false + type: boolean + name: + type: string + proxy_headers: + additionalProperties: + anyOf: + - type: string + - type: boolean + - type: number + nullable: true type: object - properties: - ca_sha256: - type: string - certificate_authorities: - type: string - elastic_agent_cert: - type: string - elastic_agent_cert_key: - type: string - elastic_agent_cert_key_passphrase: - type: string - headers: - additionalProperties: - type: string - type: object - insecure: - type: boolean - proxy_disabled: - type: boolean - proxy_headers: - additionalProperties: - type: string - type: object - proxy_url: - type: string - replace_token: - type: string - staging: - type: string - tags: - items: - type: string - maxItems: 10 - type: array - uri: - format: uri + url: type: string required: - - uri - - enrollment_token + - url + - name responses: '200': content: application/json: examples: - postMigrateAgentExample: - description: Agent migration initiated + postFleetProxyExample: + description: The created Fleet proxy value: - actionId: action-id-1 + item: + id: proxy-id-2 + is_preconfigured: false + name: 
My proxy + url: http://proxy.example.com:3128 schema: additionalProperties: false type: object properties: - actionId: - type: string + item: + additionalProperties: false + type: object + properties: + certificate: + nullable: true + type: string + certificate_authorities: + nullable: true + type: string + certificate_key: + nullable: true + type: string + id: + type: string + is_preconfigured: + default: false + type: boolean + name: + type: string + proxy_headers: + additionalProperties: + anyOf: + - type: string + - type: boolean + - type: number + nullable: true + type: object + url: + type: string + required: + - id + - url + - name required: - - actionId + - item description: Successful response '400': content: @@ -22064,16 +39814,23 @@ paths: - message - attributes description: Bad Request - summary: Migrate a single agent + summary: Create a proxy tags: - - Elastic Agents - /api/fleet/agents/{agentId}/privilege_level_change: - post: - description: >- - Change the privilege level of a single agent to - unprivileged.

[Required authorization] Route required - privileges: fleet-agents-all. - operationId: post-fleet-agents-agentid-privilege-level-change + - Fleet proxies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/proxies/{itemId}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/proxies/{itemId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a proxy by ID

[Required authorization] Route required privileges: fleet-settings-all. + operationId: delete-fleet-proxies-itemid parameters: - description: A required header to protect against CSRF attacks in: header @@ -22082,58 +39839,40 @@ paths: schema: example: 'true' type: string - - description: The agent ID to change privilege level for + - description: The ID of the proxy in: path - name: agentId + name: itemId required: true schema: type: string - requestBody: - content: - application/json: - examples: - changeAgentPrivilegeLevelRequest: - value: - user_info: - groupname: groupname - password: password - username: username - schema: - additionalProperties: false - nullable: true - type: object - properties: - user_info: - additionalProperties: false - type: object - properties: - groupname: - type: string - password: - type: string - username: - type: string responses: '200': content: application/json: examples: - successResponse: + deleteFleetProxyExample: + description: The Fleet proxy was successfully deleted value: - actionId: actionId + id: proxy-id-1 schema: - anyOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_action_id_response' - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_action_message_response - description: 'OK: A successful request.' + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + description: Successful response '400': content: application/json: examples: - badRequestResponse: + genericErrorResponseExample: + description: Example of a generic error response value: - message: Bad Request + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: additionalProperties: false description: Generic Error 
@@ -22152,59 +39891,94 @@ paths: required: - message - attributes - description: A bad request. - summary: Change agent privilege level + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No proxy was found with the given ID + value: + error: Not Found + message: Fleet proxy proxy-id-1 not found + statusCode: 404 + description: Not Found + summary: Delete a proxy tags: - - Elastic Agents - x-state: Technical Preview - /api/fleet/agents/{agentId}/reassign: - post: - description: >- - Reassign an agent to a different agent policy.

[Required - authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-agentid-reassign + - Fleet proxies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/proxies/{itemId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a proxy by ID.

[Required authorization] Route required privileges: fleet-settings-read. + operationId: get-fleet-proxies-itemid parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The agent ID + - description: The ID of the proxy in: path - name: agentId + name: itemId required: true schema: type: string - requestBody: - content: - application/json: - examples: - postReassignAgentRequestExample: - description: Reassign an agent to a different policy - value: - policy_id: agent-policy-id-2 - schema: - additionalProperties: false - type: object - properties: - policy_id: - type: string - required: - - policy_id responses: '200': content: application/json: examples: - postReassignAgentExample: - description: Agent successfully reassigned - value: {} + getFleetProxyExample: + description: A Fleet proxy + value: + item: + id: proxy-id-1 + is_preconfigured: false + name: My proxy + url: http://proxy.example.com:3128 schema: additionalProperties: false type: object - properties: {} + properties: + item: + additionalProperties: false + type: object + properties: + certificate: + nullable: true + type: string + certificate_authorities: + nullable: true + type: string + certificate_key: + nullable: true + type: string + id: + type: string + is_preconfigured: + default: false + type: boolean + name: + type: string + proxy_headers: + additionalProperties: + anyOf: + - type: string + - type: boolean + - type: number + nullable: true + type: object + url: + type: string + required: + - id + - url + - name + required: + - item description: Successful response '400': content: 
@@ -22235,61 +40009,33 @@ paths: - message - attributes description: Bad Request - summary: Reassign an agent - tags: - - Elastic Agent actions - /api/fleet/agents/{agentId}/remove_collector: - post: - description: >- - Remove a specific OpAMP collector from the Fleet agents list. Marks the - collector as unenrolled. This action does not invalidate API keys, so - the collector can reconnect on its own.

[Required - authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-agentid-remove-collector - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The collector agent ID - in: path - name: agentId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - postRemoveCollectorExample: - description: Collector successfully removed - value: {} - description: Successful response - '400': + '404': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + notFoundExample: + description: No proxy was found with the given ID value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - description: Bad Request - summary: Remove an OpAMP collector + error: Not Found + message: Fleet proxy proxy-id-1 not found + statusCode: 404 + description: Not Found + summary: Get a proxy tags: - - Elastic Agent actions - x-state: Technical Preview - /api/fleet/agents/{agentId}/request_diagnostics: - post: - description: >- - Request a diagnostics bundle from a specific agent.

[Required - authorization] Route required privileges: fleet-agents-read. - operationId: post-fleet-agents-agentid-request-diagnostics + - Fleet proxies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/fleet/proxies/{itemId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update a proxy by ID.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: put-fleet-proxies-itemid parameters: - description: A required header to protect against CSRF attacks in: header @@ -22298,9 +40044,9 @@ paths: schema: example: 'true' type: string - - description: The agent ID + - description: The ID of the proxy in: path - name: agentId + name: itemId required: true schema: type: string 
@@ -22308,40 +40054,93 @@ paths: content: application/json: examples: - postRequestDiagnosticsRequestExample: - description: Request a diagnostics bundle from an agent + putFleetProxyRequestExample: + description: Update a Fleet proxy value: - additional_metrics: - - CPU + name: Updated proxy + url: http://updated-proxy.example.com:3128 schema: additionalProperties: false - nullable: true type: object properties: - additional_metrics: - items: - enum: - - CPU - type: string - maxItems: 1 - type: array + certificate: + nullable: true + type: string + certificate_authorities: + nullable: true + type: string + certificate_key: + nullable: true + type: string + name: + type: string + proxy_headers: + additionalProperties: + anyOf: + - type: string + - type: boolean + - type: number + nullable: true + type: object + url: + type: string + required: + - certificate_authorities + - certificate + - certificate_key responses: '200': content: application/json: examples: - postRequestDiagnosticsExample: - description: Diagnostics action result + putFleetProxyExample: + description: The updated Fleet proxy value: - actionId: action-id-1 + item: + id: proxy-id-1 + is_preconfigured: false + name: Updated proxy + url: http://updated-proxy.example.com:3128 schema: additionalProperties: false type: object properties: - actionId: - type: string + item: + additionalProperties: false + type: object + properties: + certificate: + nullable: true + type: string + certificate_authorities: + nullable: true + type: string + certificate_key: + nullable: true + type: string + id: + type: string + is_preconfigured: + default: false + type: boolean + name: + type: string + proxy_headers: + additionalProperties: + anyOf: + - type: string + - type: boolean + - type: number + nullable: true + type: object + url: + type: string + required: + - id + - url + - name required: - - actionId + - item description: Successful response '400': content: 
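Review bot: The `putFleetProxyRequestExample` value (`name` and `url` only) does not satisfy the request schema in the same hunk, whose `required` list is `certificate_authorities`, `certificate`, `certificate_key`; as documented, the example body would be rejected, while `name` and `url`, the fields a caller actually wants to update, are optional. One of the two is wrong; given the three fields are `nullable`, the intent is presumably that they are optional and the `required` entries should go (i.e. the source request schema should make them optional), or else the example should carry explicit `null` values for them. Since this file appears generated, the fix belongs in the schema it is generated from rather than in this output.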
@@ -22351,9 +40150,7 @@ paths: description: Example of a generic error response value: error: Bad Request - message: >- - Agent agent-id-1 does not support request diagnostics - action. + message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false @@ -22374,15 +40171,34 @@ paths: - message - attributes description: Bad Request - summary: Request agent diagnostics + '404': + content: + application/json: + examples: + notFoundExample: + description: No proxy was found with the given ID + value: + error: Not Found + message: Proxy proxy-id-1 not found + statusCode: 404 + description: Not Found + summary: Update a proxy tags: - - Elastic Agent actions - /api/fleet/agents/{agentId}/rollback: + - Fleet proxies + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/service_tokens: post: - description: >- - Rollback an agent to the previous version.

[Required - authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-agentid-rollback + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/service_tokens
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a Fleet Server service token. The token is used to enroll Fleet Server instances with Kibana.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-service-tokens parameters: - description: A required header to protect against CSRF attacks in: header @@ -22391,33 +40207,54 @@ paths: schema: example: 'true' type: string - - description: The agent ID to rollback - in: path - name: agentId - required: true - schema: - type: string + requestBody: + content: + application/json: + examples: + postGenerateServiceTokenRequestExample: + description: Generate a service token for a remote Fleet Server + value: + remote: true + schema: + additionalProperties: false + nullable: true + type: object + properties: + remote: + default: false + type: boolean responses: '200': content: application/json: examples: - successResponse: + postGenerateServiceTokenExample: + description: The generated Fleet Server service token value: - actionId: actionId + name: elastic/fleet-server/token-1234567890 + value: AAEAAWVsYXN0aWMvZmxlZXQtc2VydmVyL3Rva2VuLTEyMzQ1Njc4OTA6QUJDREVGR0hJSktMTU5P schema: - anyOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_action_id_response' - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_action_message_response - description: 'OK: A successful request.' + additionalProperties: false + type: object + properties: + name: + type: string + value: + type: string + required: + - name + - value + description: Successful response '400': content: application/json: examples: - badRequestResponse: + genericErrorResponseExample: + description: Example of a generic error response value: - message: Bad Request + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: additionalProperties: false description: Generic Error 
@@ -22436,57 +40273,119 @@ paths: required: - message - attributes - description: A bad request. - summary: Rollback an agent + description: Bad Request + summary: Create a service token tags: - - Elastic Agent actions - x-state: Technical Preview - /api/fleet/agents/{agentId}/unenroll: - post: - description: >- - Unenroll a specific agent, optionally revoking its enrollment API - key.

[Required authorization] Route required privileges: - fleet-agents-all. - operationId: post-fleet-agents-agentid-unenroll - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The agent ID - in: path - name: agentId - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - postUnenrollAgentRequestExample: - description: Unenroll an agent, optionally revoking the enrollment API key - value: - revoke: false - schema: - additionalProperties: false - nullable: true - type: object - properties: - force: - type: boolean - revoke: - type: boolean + - Fleet service tokens + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/settings: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/settings
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the global Fleet settings.

[Required authorization] Route required privileges: fleet-settings-read. + operationId: get-fleet-settings + parameters: [] responses: '200': content: application/json: examples: - postUnenrollAgentExample: - description: Agent successfully unenrolled - value: {} + getSettingsExample: + description: The current Fleet settings + value: + item: + delete_unenrolled_agents: + enabled: false + is_preconfigured: false + has_seen_add_data_notice: true + id: fleet-default-settings + output_secret_storage_requirements_met: true + prerelease_integrations_enabled: false + secret_storage_requirements_met: true + version: WzEsMV0= + schema: + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + action_secret_storage_requirements_met: + type: boolean + delete_unenrolled_agents: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + is_preconfigured: + type: boolean + required: + - enabled + - is_preconfigured + download_source_auth_secret_storage_requirements_met: + type: boolean + has_seen_add_data_notice: + type: boolean + id: + type: string + ilm_migration_status: + additionalProperties: false + type: object + properties: + logs: + enum: + - success + nullable: true + type: string + metrics: + enum: + - success + nullable: true + type: string + synthetics: + enum: + - success + nullable: true + type: string + integration_knowledge_enabled: + type: boolean + output_secret_storage_requirements_met: + type: boolean + preconfigured_fields: + items: + enum: + - fleet_server_hosts + type: string + maxItems: 1 + type: array + prerelease_integrations_enabled: + type: boolean + secret_storage_requirements_met: + type: boolean + ssl_secret_storage_requirements_met: + type: boolean + use_space_awareness_migration_started_at: + nullable: true + type: string + use_space_awareness_migration_status: + enum: + - pending + - success + - error + type: string + version: + type: string + 
required: + - item description: Successful response '400': content: @@ -22498,16 +40397,60 @@ paths: error: Bad Request message: An error message describing what went wrong statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes description: Bad Request - summary: Unenroll an agent + '404': + content: + application/json: + examples: + notFoundExample: + description: Fleet settings have not been initialized + value: + error: Not Found + message: Settings not found + statusCode: 404 + schema: + additionalProperties: false + type: object + properties: + message: + type: string + required: + - message + description: Not Found + summary: Get settings tags: - - Elastic Agent actions - /api/fleet/agents/{agentId}/upgrade: - post: - description: >- - Upgrade a specific agent to a newer version.

[Required - authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-agentid-upgrade + - Fleet internals + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/fleet/settings
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update the global Fleet settings.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: put-fleet-settings parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -22516,46 +40459,143 @@ paths: schema: example: 'true' type: string - - description: The agent ID - in: path - name: agentId - required: true - schema: - type: string requestBody: content: application/json: examples: - postUpgradeAgentRequestExample: - description: Upgrade an agent to a specific version + putSettingsRequestExample: + description: Update Fleet settings to enable pre-release integrations value: - version: 8.17.0 + prerelease_integrations_enabled: true schema: additionalProperties: false type: object properties: - force: + additional_yaml_config: + deprecated: true + type: string + delete_unenrolled_agents: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + is_preconfigured: + type: boolean + required: + - enabled + - is_preconfigured + has_seen_add_data_notice: + deprecated: true type: boolean - skipRateLimitCheck: + integration_knowledge_enabled: type: boolean - source_uri: - type: string - version: + kibana_ca_sha256: + deprecated: true type: string - required: - - version + kibana_urls: + deprecated: true + items: + format: uri + type: string + maxItems: 10 + type: array + prerelease_integrations_enabled: + type: boolean responses: '200': content: application/json: examples: - postUpgradeAgentExample: - description: Agent upgrade initiated - value: {} + putSettingsExample: + description: The updated Fleet settings + value: + item: + delete_unenrolled_agents: + enabled: false + is_preconfigured: false + has_seen_add_data_notice: true + id: fleet-default-settings + output_secret_storage_requirements_met: true + prerelease_integrations_enabled: true + secret_storage_requirements_met: true + version: WzIsMV0= schema: additionalProperties: false type: object - properties: {} + properties: + item: + additionalProperties: false + type: object + properties: + action_secret_storage_requirements_met: + type: boolean + delete_unenrolled_agents: + additionalProperties: false + type: object + properties: + enabled: + 
type: boolean + is_preconfigured: + type: boolean + required: + - enabled + - is_preconfigured + download_source_auth_secret_storage_requirements_met: + type: boolean + has_seen_add_data_notice: + type: boolean + id: + type: string + ilm_migration_status: + additionalProperties: false + type: object + properties: + logs: + enum: + - success + nullable: true + type: string + metrics: + enum: + - success + nullable: true + type: string + synthetics: + enum: + - success + nullable: true + type: string + integration_knowledge_enabled: + type: boolean + output_secret_storage_requirements_met: + type: boolean + preconfigured_fields: + items: + enum: + - fleet_server_hosts + type: string + maxItems: 1 + type: array + prerelease_integrations_enabled: + type: boolean + secret_storage_requirements_met: + type: boolean + ssl_secret_storage_requirements_met: + type: boolean + use_space_awareness_migration_started_at: + nullable: true + type: string + use_space_awareness_migration_status: + enum: + - pending + - success + - error + type: string + version: + type: string + required: + - item description: Successful response '400': content: @@ -22586,79 +40626,92 @@ paths: - message - attributes description: Bad Request - summary: Upgrade an agent + '404': + content: + application/json: + examples: + notFoundExample: + description: Fleet settings have not been initialized + value: + error: Not Found + message: Settings not found + statusCode: 404 + schema: + additionalProperties: false + type: object + properties: + message: + type: string + required: + - message + description: Not Found + summary: Update settings tags: - - Elastic Agent actions - /api/fleet/agents/{agentId}/uploads: - get: - description: >- - Get a list of files uploaded by a specific agent.

[Required - authorization] Route required privileges: fleet-agents-read. - operationId: get-fleet-agents-agentid-uploads + - Fleet internals + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/setup: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/setup
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Initialize Fleet and create the necessary Elasticsearch resources for Fleet to operate. Safe to call multiple times (idempotent). Returns the initialization status and any non-fatal errors encountered during setup.

[Required authorization] Route required privileges: fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup. + operationId: post-fleet-setup parameters: - - description: The agent ID - in: path - name: agentId + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: + example: 'true' type: string responses: '200': content: application/json: examples: - getAgentUploadsExample: - description: List of files uploaded by the agent + fleetSetupSuccessExample: + description: Fleet initialized successfully with no non-fatal errors value: - items: - - actionId: action-id-1 - createTime: '2024-01-01T00:00:00.000Z' - filePath: /tmp/diagnostics-2024-01-01.zip - id: file-id-1 - name: diagnostics-2024-01-01.zip - status: READY + isInitialized: true + nonFatalErrors: [] + fleetSetupWithNonFatalErrorsExample: + description: Fleet initialized but encountered non-fatal errors during setup + value: + isInitialized: true + nonFatalErrors: + - message: Package fleet_server not found in registry + name: PackageNotFoundError schema: additionalProperties: false + description: A summary of the result of Fleet's `setup` lifecycle. If `isInitialized` is true, Fleet is ready to accept agent enrollment. `nonFatalErrors` may include useful insight into non-blocking issues with Fleet setup. 
type: object properties: - items: + isInitialized: + type: boolean + nonFatalErrors: items: additionalProperties: false type: object properties: - actionId: - type: string - createTime: - type: string - error: - type: string - filePath: - type: string - id: + message: type: string name: type: string - status: - enum: - - READY - - AWAITING_UPLOAD - - DELETED - - EXPIRED - - IN_PROGRESS - - FAILED - type: string required: - - id - name - - filePath - - createTime - - status - - actionId + - message maxItems: 10000 type: array required: - - items - description: Successful response + - isInitialized + - nonFatalErrors + description: Fleet setup completed '400': content: application/json: @@ -22688,66 +40741,221 @@ paths: - message - attributes description: Bad Request - summary: Get agent uploads + '500': + content: + application/json: + examples: + internalErrorResponseExample: + description: Example of an internal server error response + value: + error: Internal Server Error + message: An error message describing what went wrong + statusCode: 500 + schema: + additionalProperties: false + description: Internal Server Error + type: object + properties: + message: + type: string + required: + - message + description: Internal Server Error + summary: Initiate Fleet setup tags: - - Elastic Agents - /api/fleet/agents/action_status: + - Fleet internals + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/space_settings: get: - description: >- - Get the current status of recent agent actions.

[Required - authorization] Route required privileges: fleet-agents-read. - operationId: get-fleet-agents-action-status + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/space_settings
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the Fleet settings for the current Kibana space. + operationId: get-fleet-space-settings + parameters: [] + responses: + '200': + content: + application/json: + examples: + getSpaceSettingsExample: + description: The Fleet settings for the current Kibana space + value: + item: + allowed_namespace_prefixes: + - team-a + - team-b + schema: + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + allowed_namespace_prefixes: + items: + type: string + maxItems: 100 + type: array + managed_by: + type: string + required: + - allowed_namespace_prefixes + required: + - item + description: Successful response + summary: Get space settings + tags: [] + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/fleet/space_settings
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create or update Fleet settings for the current Kibana space.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: put-fleet-space-settings parameters: - - description: Page number - in: query - name: page - required: false + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - default: 0 - type: number - - description: Number of results per page + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + putSpaceSettingsRequestExample: + description: Update allowed namespace prefixes for the current Kibana space + value: + allowed_namespace_prefixes: + - team-a + - team-b + schema: + additionalProperties: false + type: object + properties: + allowed_namespace_prefixes: + items: + type: string + maxItems: 10 + type: array + responses: + '200': + content: + application/json: + examples: + putSpaceSettingsExample: + description: The updated Fleet settings for the current Kibana space + value: + item: + allowed_namespace_prefixes: + - team-a + - team-b + schema: + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + allowed_namespace_prefixes: + items: + type: string + maxItems: 100 + type: array + managed_by: + type: string + required: + - allowed_namespace_prefixes + required: + - item + description: Successful response + summary: Create space settings + tags: [] + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/uninstall_tokens: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/uninstall_tokens
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List the metadata for the latest uninstall tokens per agent policy.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: get-fleet-uninstall-tokens + parameters: + - description: Partial match filtering for policy IDs in: query - name: perPage + name: policyId required: false schema: - default: 20 - type: number - - description: Return actions created before this date + maxLength: 50 + type: string + - description: Partial match filtering for uninstall token values in: query - name: date + name: search required: false schema: + maxLength: 50 type: string - - description: Return only the latest N actions + - description: The number of items to return in: query - name: latest + name: perPage required: false schema: + minimum: 5 type: number - - description: Number of error details to include per action + - description: Page number in: query - name: errorSize + name: page required: false schema: - default: 5 + minimum: 1 type: number responses: '200': content: application/json: examples: - getActionStatusExample: - description: Status of recent agent actions + getUninstallTokensExample: + description: List of uninstall token metadata for agent policies value: items: - - actionId: action-id-1 - completionTime: '2024-01-01T00:05:00.000Z' - creationTime: '2024-01-01T00:00:00.000Z' - nbAgentsAck: 2 - nbAgentsActioned: 2 - nbAgentsFailed: 0 - status: COMPLETE - type: UPGRADE + - created_at: '2024-01-01T00:00:00.000Z' + id: token-id-1 + namespaces: + - default + policy_id: policy-id-1 + policy_name: Default policy + - created_at: '2024-01-02T00:00:00.000Z' + id: token-id-2 + namespaces: + - production + policy_id: policy-id-2 + policy_name: Production policy + page: 1 + perPage: 20 + total: 2 schema: additionalProperties: false type: object 
@@ -22757,118 +40965,47 @@ paths: additionalProperties: false type: object properties: - actionId: - type: string - cancellationTime: - type: string - completionTime: - type: string - creationTime: - description: creation time of action + created_at: type: string - expiration: + id: type: string - hasRolloutPeriod: - type: boolean - is_automatic: - type: boolean - latestErrors: + namespaces: items: - additionalProperties: false - description: >- - latest errors that happened when the agents - executed the action - type: object - properties: - agentId: - type: string - error: - type: string - hostname: - type: string - timestamp: - type: string - required: - - agentId - - error - - timestamp - maxItems: 10 + type: string + maxItems: 100 type: array - nbAgentsAck: - description: number of agents that acknowledged the action - type: number - nbAgentsActionCreated: - description: number of agents included in action from kibana - type: number - nbAgentsActioned: - description: number of agents actioned - type: number - nbAgentsFailed: - description: number of agents that failed to execute the action - type: number - newPolicyId: - description: new policy id (POLICY_REASSIGN action) - type: string - policyId: - description: policy id (POLICY_CHANGE action) - type: string - revision: - description: new policy revision (POLICY_CHANGE action) - type: number - startTime: - description: start time of action (scheduled actions) - type: string - status: - enum: - - COMPLETE - - EXPIRED - - CANCELLED - - FAILED - - IN_PROGRESS - - ROLLOUT_PASSED - type: string - type: - enum: - - UPGRADE - - UNENROLL - - SETTINGS - - POLICY_REASSIGN - - CANCEL - - FORCE_UNENROLL - - REQUEST_DIAGNOSTICS - - UPDATE_TAGS - - POLICY_CHANGE - - INPUT_ACTION - - MIGRATE - - PRIVILEGE_LEVEL_CHANGE - - ROLLBACK + policy_id: type: string - version: - description: agent version number (UPGRADE action) + policy_name: + nullable: true type: string required: - - actionId - - nbAgentsActionCreated - - 
nbAgentsAck - - nbAgentsFailed - - type - - nbAgentsActioned - - status - - creationTime + - id + - policy_id + - created_at maxItems: 10000 type: array + page: + type: number + perPage: + type: number + total: + type: number required: - items + - total + - page + - perPage description: Successful response '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + conflictingQueryParamsExample: + description: Both policyId and search query parameters were provided value: error: Bad Request - message: An error message describing what went wrong + message: Query parameters `policyId` and `search` cannot be used at the same time. statusCode: 400 schema: additionalProperties: false @@ -22889,50 +41026,46 @@ paths: - message - attributes description: Bad Request - summary: Get an agent action status + summary: Get metadata for latest uninstall tokens tags: - - Elastic Agent actions - /api/fleet/agents/actions/{actionId}/cancel: - post: - description: >- - Cancel a pending action for a specific agent.

[Required - authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-actions-actionid-cancel + - Fleet uninstall tokens + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/fleet/uninstall_tokens/{uninstallTokenId}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/uninstall_tokens/{uninstallTokenId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get one decrypted uninstall token by its ID.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: get-fleet-uninstall-tokens-uninstalltokenid parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The ID of the action to cancel + - description: The ID of the uninstall token in: path - name: actionId + name: uninstallTokenId required: true schema: type: string - requestBody: - content: - application/json: - examples: - postCancelActionRequestExample: - description: Cancel an agent action - value: {} responses: '200': content: application/json: examples: - postCancelActionExample: - description: Cancellation action created + getUninstallTokenExample: + description: Decrypted uninstall token for an agent policy value: item: - agents: - - agent-id-1 created_at: '2024-01-01T00:00:00.000Z' - id: cancel-action-id-1 - type: CANCEL + id: token-id-1 + namespaces: + - default + policy_id: policy-id-1 + policy_name: Default policy + token: CKHJsJcBqNwIRcRBNDaE schema: additionalProperties: false type: object @@ -22941,46 +41074,27 @@ paths: additionalProperties: false type: object properties: - ack_data: - nullable: true - agents: - items: - type: string - maxItems: 10000 - type: array created_at: type: string - data: - nullable: true - expiration: - type: string id: type: string - minimum_execution_duration: - type: number namespaces: items: type: string maxItems: 100 type: array - rollout_duration_seconds: - type: number - sent_at: - type: string - source_uri: + policy_id: type: string - start_time: + policy_name: + nullable: true type: string - total: - type: number - type: + token: type: string required: - id - - type - - data + - policy_id - created_at - - ack_data + - token required: - item description: Successful response 
@@ -23013,3135 +41127,2448 @@ paths: - message - attributes description: Bad Request - summary: Cancel an agent action + '404': + content: + application/json: + examples: + notFoundExample: + description: No uninstall token was found with the given ID + value: + error: Not Found + message: Uninstall Token not found with ID token-id-1 + statusCode: 404 + description: Not Found + summary: Get a decrypted uninstall token tags: - - Elastic Agent actions - /api/fleet/agents/available_versions: - get: - description: >- - Get a list of Elastic Agent versions available for - upgrade.

[Required authorization] Route required privileges: - fleet-agents-read. - operationId: get-fleet-agents-available-versions - parameters: [] + - Fleet uninstall tokens + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/lists: + delete: + description: | + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/lists
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a value list using the list ID. + > info + > When you delete a list, all of its list items are also deleted. + operationId: DeleteList + parameters: + - description: Value list identifier to delete, including all of its list items. + in: query + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Lists_API_ListId' + - description: Determines whether exception items referencing this value list should be deleted. + in: query + name: deleteReferences + required: false + schema: + default: false + example: false + type: boolean + - description: Determines whether to delete value list without performing any additional checks of where this list may be utilized. + in: query + name: ignoreReferences + required: false + schema: + default: false + example: false + type: boolean responses: '200': content: application/json: examples: - getAvailableVersionsExample: - description: List of available agent versions for upgrade + ipList: value: - items: - - 8.17.0 - - 8.16.3 - - 8.16.2 + _version: WzIsMV0= + '@timestamp': '2025-01-08T04:47:34.273Z' + created_at: '2025-01-08T04:47:34.273Z' + created_by: elastic + description: List of bad internet ips. 
+ id: 21b01cfb-058d-44b9-838c-282be16c91cd + immutable: false + name: Bad ips + tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 + type: ip + updated_at: '2025-01-08T05:39:39.292Z' + updated_by: elastic + version: 3 schema: - additionalProperties: false - type: object - properties: - items: - items: - type: string - maxItems: 10000 - type: array - required: - - items + $ref: '#/components/schemas/Security_Lists_API_List' description: Successful response '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequest: value: error: Bad Request - message: An error message describing what went wrong + message: '[request query]: id: Required' statusCode: 400 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get available agent versions - tags: - - Elastic Agents - /api/fleet/agents/bulk_migrate: - post: - description: >- - Bulk migrate agents to another cluster.

[Required - authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-bulk-migrate - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postBulkMigrateAgentsRequestExample: - description: Migrate multiple agents to another cluster - value: - agents: - - agent-id-1 - - agent-id-2 - enrollment_token: enrollment-token-value - settings: - retry_max: 5 - uri: https://fleet-server.example.com:8220 - schema: - additionalProperties: false - type: object - properties: - agents: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - type: string - batchSize: - type: number - enrollment_token: - type: string - settings: - additionalProperties: false - type: object - properties: - ca_sha256: - type: string - certificate_authorities: - type: string - elastic_agent_cert: - type: string - elastic_agent_cert_key: - type: string - elastic_agent_cert_key_passphrase: - type: string - headers: - additionalProperties: - type: string - type: object - insecure: - type: boolean - proxy_disabled: - type: boolean - proxy_headers: - additionalProperties: - type: string - type: object - proxy_url: - type: string - staging: - type: string - tags: - items: - type: string - maxItems: 10 - type: array - uri: - format: uri - type: string - required: - - agents - - uri - - enrollment_token - responses: - '200': + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': content: application/json: examples: - postBulkMigrateAgentsExample: - description: Bulk agent migration initiated + unauthorized: value: - actionId: action-id-1 + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to 
authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 schema: - additionalProperties: false - type: object - properties: - actionId: - type: string - required: - - actionId - description: Successful response - '400': + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + forbidden: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + error: Forbidden + message: API [DELETE /api/lists?id=ip_list] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Migrate multiple agents + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'list id: \"ip_list\" was not found' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Delete a value list tags: - - Elastic Agents - /api/fleet/agents/bulk_privilege_level_change: - post: - description: >- - Change multiple agents' 
privilege level to - unprivileged.

[Required authorization] Route required - privileges: fleet-agents-all. - operationId: post-fleet-agents-bulk-privilege-level-change + - Security Lists API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/lists
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the details of a value list using the list ID. + operationId: ReadList parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf + - description: Value list identifier (`id`) returned when the list was created. + in: query + name: id required: true schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - bulkChangeAgentPrivilegeLevelRequest: - value: - agents: agent - user_info: - groupname: groupname - password: password - username: username - schema: - additionalProperties: false - type: object - properties: - agents: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - type: string - batchSize: - type: number - user_info: - additionalProperties: false - type: object - properties: - groupname: - type: string - password: - type: string - username: - type: string - required: - - agents + $ref: '#/components/schemas/Security_Lists_API_ListId' responses: '200': content: application/json: examples: - successResponse: + ip: + value: + _version: WzEsMV0= + '@timestamp': '2025-01-08T04:47:34.273Z' + created_at: '2025-01-08T04:47:34.273Z' + created_by: elastic + description: This list describes bad internet ip + id: ip_list + immutable: false + name: My bad ips + tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 + type: ip + updated_at: '2025-01-08T05:21:53.843Z' + updated_by: elastic + version: 1 + schema: + $ref: '#/components/schemas/Security_Lists_API_List' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: value: - actionId: actionId + error: Bad Request + message: '[request query]: id: Required' + statusCode: 400 schema: - additionalProperties: false - type: object - properties: - actionId: - type: string - required: - - actionId - description: 'OK: A successful request.' 
- '400': + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': content: application/json: examples: - badRequestResponse: + unauthorized: value: - message: Bad Request + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: A bad request. - summary: Bulk change agent privilege level + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [GET /api/lists?id=ip_list] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'list id: \"foo\" not found' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Get value list details tags: - - Elastic Agents 
- x-state: Technical Preview - /api/fleet/agents/bulk_reassign: - post: - description: >- - Reassign multiple agents to a different agent policy.

[Required - authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-bulk-reassign - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string + - Security Lists API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + patch: + description: |- + **Spaces method and path for this operation:** + +
patch /s/{space_id}/api/lists
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update specific fields of an existing list using the list `id`. + operationId: PatchList requestBody: content: application/json: examples: - postBulkReassignAgentsRequestExample: - description: Reassign multiple agents to a different policy + patchName: value: - agents: - - agent-id-1 - - agent-id-2 - policy_id: agent-policy-id-2 + id: ip_list + name: Bad ips list - UPDATED schema: - additionalProperties: false + example: + id: ip_list + name: Bad ips list - UPDATED type: object properties: - agents: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - type: string - batchSize: - type: number - includeInactive: - default: false - type: boolean - policy_id: - type: string + _version: + $ref: '#/components/schemas/Security_Lists_API_ListVersionId' + description: + $ref: '#/components/schemas/Security_Lists_API_ListDescription' + id: + $ref: '#/components/schemas/Security_Lists_API_ListId' + meta: + $ref: '#/components/schemas/Security_Lists_API_ListMetadata' + name: + $ref: '#/components/schemas/Security_Lists_API_ListName' + version: + $ref: '#/components/schemas/Security_Lists_API_ListVersion' required: - - policy_id - - agents + - id + description: Value list's properties + required: true responses: '200': content: application/json: examples: - postBulkReassignAgentsExample: - description: Bulk reassign action result + ip: value: - actionId: action-id-1 + _version: WzEsMV0= + '@timestamp': '2025-01-08T04:47:34.273Z' + created_at: '2025-01-08T04:47:34.273Z' + created_by: elastic + description: This list describes bad internet ips + id: ip_list + immutable: false + name: Bad ips list - UPDATED + tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 + type: ip + updated_at: '2025-01-08T05:21:53.843Z' + updated_by: elastic + version: 2 schema: - additionalProperties: false - type: object - properties: - actionId: - type: string - required: - - 
actionId + $ref: '#/components/schemas/Security_Lists_API_List' description: Successful response '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequest: value: error: Bad Request - message: An error message describing what went wrong + message: '[request body]: name: Expected string, received number' statusCode: 400 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Bulk reassign agents + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [PATCH /api/lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'list id: \"foo\" not found' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + 
description: List not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Patch a value list tags: - - Elastic Agent actions - /api/fleet/agents/bulk_remove_collectors: + - Security Lists API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name post: - description: >- - Remove multiple OpAMP collectors from the Fleet agents list. Marks the - collectors as unenrolled. This action does not invalidate API keys, so - collectors can reconnect on their own.

[Required authorization] - Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-bulk-remove-collectors - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/lists
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new value list. + operationId: CreateList requestBody: content: application/json: examples: - postBulkRemoveCollectorsRequestExample: - description: Remove multiple OpAMP collectors + ip: value: - agents: - - collector-id-1 - - collector-id-2 + description: This list describes bad internet ips + id: ip_list + name: Simple list with ips + type: ip + ip_range: + value: + description: This list has ip ranges + id: ip_range_list + name: Simple list with ip ranges + type: ip_range + keyword: + value: + description: This list describes bad host names + id: keyword_list + name: Simple list with a keyword + type: keyword + keyword_custom_format: + value: + description: This parses the first found ipv4 only + id: keyword_custom_format_list + name: Simple list with a keyword using a custom format + type: keyword schema: - additionalProperties: false type: object properties: - agents: - anyOf: - - items: - description: List of collector agent IDs - type: string - maxItems: 10000 - type: array - - description: KQL query string. 
Leave empty to target all collectors - type: string - includeInactive: - description: >- - When passing collectors by KQL query, also removes inactive - collectors - type: boolean + description: + $ref: '#/components/schemas/Security_Lists_API_ListDescription' + id: + $ref: '#/components/schemas/Security_Lists_API_ListId' + meta: + $ref: '#/components/schemas/Security_Lists_API_ListMetadata' + name: + $ref: '#/components/schemas/Security_Lists_API_ListName' + type: + $ref: '#/components/schemas/Security_Lists_API_ListType' + version: + default: 1 + minimum: 1 + type: integer required: - - agents + - name + - description + - type + description: Value list's properties + required: true responses: '200': content: application/json: examples: - postBulkRemoveCollectorsExample: - description: Bulk remove collectors action result + ip: value: - actionId: action-id-1 + _version: WzAsMV0= + '@timestamp': '2025-01-08T04:47:34.273Z' + created_at: '2025-01-08T04:47:34.273Z' + created_by: elastic + description: This list describes bad internet ips + id: ip_list + immutable: false + name: Simple list with ips + tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 + type: ip + updated_at: '2025-01-08T04:47:34.273Z' + updated_by: elastic + version: 1 + ip_range: + value: + _version: WzAsMV0= + '@timestamp': '2025-01-09T18:23:52.241Z' + created_at: '2025-01-09T18:23:52.241Z' + created_by: elastic + description: This list has ip ranges + id: ip_range_list + immutable: false + name: Simple list with ip ranges + tie_breaker_id: 74aebdaf-601f-4940-b351-155728ff7003 + type: ip_range + updated_at: '2025-01-09T18:23:52.241Z' + updated_by: elastic + version: 1 + keyword: + value: + _version: WzEsMV0= + '@timestamp': '2025-01-09T18:24:55.786Z' + created_at: '2025-01-09T18:24:55.786Z' + created_by: elastic + description: This list describes bad host names + id: keyword_list + immutable: false + name: Simple list with a keyword + tie_breaker_id: f7e7dbaa-daf7-4c9a-a3dc-56643923ef68 + type: 
keyword + updated_at: '2025-01-09T18:24:55.786Z' + updated_by: elastic + version: 1 + keyword_custom_format: + value: + _version: WzIsMV0= + '@timestamp': '2025-01-09T18:25:39.604Z' + created_at: '2025-01-09T18:25:39.604Z' + created_by: elastic + description: This parses the first found ipv4 only + id: keyword_custom_format_list + immutable: false + name: Simple list with a keyword using a custom format + tie_breaker_id: 8247ae63-b780-47b8-9a89-948b643e9ec2 + type: keyword + updated_at: '2025-01-09T18:25:39.604Z' + updated_by: elastic + version: 1 schema: - additionalProperties: false - type: object - properties: - actionId: - type: string - required: - - actionId + $ref: '#/components/schemas/Security_Lists_API_List' description: Successful response '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + notFound: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + message: To create a list, the data stream must exist first. 
Data stream \".lists-default\" does not exist + status_code: 400 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Bulk remove OpAMP collectors + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [POST /api/lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '409': + content: + application/json: + examples: + alreadyExists: + value: + message: 'list id: "keyword_custom_format_list" already exists' + status_code: 409 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List already exists response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: 
Create a value list tags: - - Elastic Agent actions - x-state: Technical Preview - /api/fleet/agents/bulk_request_diagnostics: - post: - description: >- - Request diagnostics bundles from multiple agents.

[Required - authorization] Route required privileges: fleet-agents-read. - operationId: post-fleet-agents-bulk-request-diagnostics - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string + - Security Lists API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: | + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/lists
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update a value list using the list `id`. The original list is replaced, and all unspecified fields are deleted. + > info + > You cannot modify the `id` value. + operationId: UpdateList requestBody: content: application/json: examples: - postBulkRequestDiagnosticsRequestExample: - description: Request diagnostics bundles from multiple agents + replaceList: value: - additional_metrics: - - CPU - agents: - - agent-id-1 - - agent-id-2 + description: Latest list of bad ips + id: ip_list + name: Bad ips - updated schema: - additionalProperties: false + example: + description: Latest list of bad ips + id: ip_list + name: Bad ips - updated type: object properties: - additional_metrics: - items: - enum: - - CPU - type: string - maxItems: 1 - type: array - agents: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - type: string - batchSize: - type: number + _version: + $ref: '#/components/schemas/Security_Lists_API_ListVersionId' + description: + $ref: '#/components/schemas/Security_Lists_API_ListDescription' + id: + $ref: '#/components/schemas/Security_Lists_API_ListId' + meta: + $ref: '#/components/schemas/Security_Lists_API_ListMetadata' + name: + $ref: '#/components/schemas/Security_Lists_API_ListName' + version: + $ref: '#/components/schemas/Security_Lists_API_ListVersion' required: - - agents + - id + - name + - description + description: Value list's properties + required: true responses: '200': content: application/json: examples: - postBulkRequestDiagnosticsExample: - description: Bulk diagnostics action result + ip: value: - actionId: action-id-1 + _version: WzIsMV0= + '@timestamp': '2025-01-08T04:47:34.273Z' + created_at: '2025-01-08T04:47:34.273Z' + created_by: elastic + description: Latest list of bad ips + id: ip_list + immutable: false + name: Bad ips - updated + tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 + type: ip + 
updated_at: '2025-01-08T05:39:39.292Z' + updated_by: elastic + version: 3 schema: - additionalProperties: false - type: object - properties: - actionId: - type: string - required: - - actionId + $ref: '#/components/schemas/Security_Lists_API_List' description: Successful response '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequest: value: error: Bad Request - message: An error message describing what went wrong + message: '[request body]: id: Expected string, received number' statusCode: 400 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Bulk request diagnostics from agents - tags: - - Elastic Agent actions - /api/fleet/agents/bulk_rollback: - post: - description: >- - Rollback multiple agents to the previous version.

[Required - authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-bulk-rollback - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - bulkRollbackAgentsRequest: - value: - agents: - - agent-1 - - agent-2 - batchSize: 100 - includeInactive: false - schema: - additionalProperties: false - type: object - properties: - agents: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - type: string - batchSize: - type: number - includeInactive: - default: false - type: boolean - required: - - agents - responses: - '200': + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': content: application/json: examples: - successResponse: + unauthorized: value: - actionIds: - - actionId1 - - actionId2 + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 schema: - additionalProperties: false - type: object - properties: - actionIds: - items: - type: string - maxItems: 10000 - type: array - required: - - actionIds - description: 'OK: A successful request.' 
- '400': + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': content: application/json: examples: - badRequestResponse: + forbidden: value: - message: Bad Request + error: Forbidden + message: API [PUT /api/lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: A bad request. - summary: Bulk rollback agents - tags: - - Elastic Agent actions - x-state: Technical Preview - /api/fleet/agents/bulk_unenroll: - post: - description: >- - Unenroll multiple agents, optionally revoking their enrollment API - keys.

[Required authorization] Route required privileges: - fleet-agents-all. - operationId: post-fleet-agents-bulk-unenroll - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postBulkUnenrollAgentsRequestExample: - description: Unenroll multiple agents - value: - agents: - - agent-id-1 - - agent-id-2 - revoke: false - schema: - additionalProperties: false - type: object - properties: - agents: - anyOf: - - items: - description: list of agent IDs - type: string - maxItems: 10000 - type: array - - description: KQL query string, leave empty to action all agents - type: string - batchSize: - type: number - force: - description: Unenrolls hosted agents too - type: boolean - includeInactive: - description: >- - When passing agents by KQL query, unenrolls inactive agents - too - type: boolean - revoke: - description: Revokes API keys of agents - type: boolean - required: - - agents - responses: - '200': + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': content: application/json: examples: - postBulkUnenrollAgentsExample: - description: Bulk unenroll action result + notFound: value: - actionId: action-id-1 + message: 'list id: \"foo\" not found' + status_code: 404 schema: - additionalProperties: false - type: object - properties: - actionId: - type: string - required: - - actionId - description: Successful response - '400': + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List not found response + '500': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + serverError: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + message: Internal Server Error + status_code: 500 
schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Bulk unenroll agents + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Update a value list tags: - - Elastic Agent actions - /api/fleet/agents/bulk_update_agent_tags: - post: - description: >- - Add or remove tags across multiple agents.

[Required - authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-bulk-update-agent-tags + - Security Lists API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/lists/_find: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/lists/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a paginated subset of value lists. By default, the first page is returned, with 20 results per page. + operationId: FindLists parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true + - description: The page number to return. + in: query + name: page + required: false schema: - example: 'true' + example: 1 + type: integer + - description: The number of value lists to return per page. + in: query + name: per_page + required: false + schema: + example: 20 + type: integer + - description: Determines which field is used to sort the results. + in: query + name: sort_field + required: false + schema: + example: name + format: nonempty + minLength: 1 type: string - requestBody: - content: - application/json: - examples: - postBulkUpdateAgentTagsRequestExample: - description: Add and remove tags across multiple agents - value: - agents: - - agent-id-1 - - agent-id-2 - tagsToAdd: - - production - tagsToRemove: - - staging - schema: - additionalProperties: false - type: object - properties: - agents: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - type: string - batchSize: - type: number - includeInactive: - default: false - type: boolean - tagsToAdd: - items: - type: string - maxItems: 10 - type: array - tagsToRemove: - items: - type: string - maxItems: 10 - type: array - required: - - agents + - description: Determines the sort order, which can be `desc` or `asc` + in: query + name: sort_order + required: false + schema: + enum: + - desc + - asc + example: asc + type: string + - description: Returns the lists that come after the last lists returned in the previous call (use the `cursor` value returned in the previous call). This parameter uses the `tie_breaker_id` field to ensure all lists are sorted and returned correctly. 
+ in: query + name: cursor + required: false + schema: + $ref: '#/components/schemas/Security_Lists_API_FindListsCursor' + - description: | + Filters the returned results according to the value of the specified field, + using the : syntax. + in: query + name: filter + required: false + schema: + $ref: '#/components/schemas/Security_Lists_API_FindListsFilter' responses: '200': content: application/json: examples: - postBulkUpdateAgentTagsExample: - description: Bulk action result + ipList: value: - actionId: action-id-1 + cursor: WzIwLFsiZjU1MDgxODgtYjFlOS00ZTZlLTk2NjItZDAzOWE3ZDg5ODk5Il1d + data: + - _version: WzAsMV0= + '@timestamp': | + 2025-01-08T04:47:34.273Z + created_at: | + 2025-01-08T04:47:34.273Z + created_by: elastic + description: This list describes bad internet ip + id: ip_list + immutable: false + name: Simple list with an ip + tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 + type: ip + updated_at: | + 2025-01-08T04:47:34.273Z + updated_by: elastic + version: 1 + page: 1 + per_page: 20 + total: 1 schema: - additionalProperties: false type: object properties: - actionId: - type: string + cursor: + $ref: '#/components/schemas/Security_Lists_API_FindListsCursor' + data: + items: + $ref: '#/components/schemas/Security_Lists_API_List' + type: array + page: + minimum: 0 + type: integer + per_page: + minimum: 0 + type: integer + total: + minimum: 0 + type: integer required: - - actionId + - data + - page + - per_page + - total + - cursor description: Successful response '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequest: value: error: Bad Request - message: An error message describing what went wrong + message: '[request query]: page: Expected number, received nan' statusCode: 400 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - 
message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Bulk update agent tags - tags: - - Elastic Agent actions - /api/fleet/agents/bulk_upgrade: - post: - description: >- - Upgrade multiple agents to a newer version, with optional rollout - controls.

[Required authorization] Route required privileges: - fleet-agents-all. - operationId: post-fleet-agents-bulk-upgrade - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postBulkUpgradeAgentsRequestExample: - description: Upgrade multiple agents to a specific version - value: - agents: - - agent-id-1 - - agent-id-2 - rollout_duration_seconds: 3600 - version: 8.17.0 - schema: - additionalProperties: false - type: object - properties: - agents: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - type: string - batchSize: - type: number - force: - type: boolean - includeInactive: - default: false - type: boolean - rollout_duration_seconds: - minimum: 600 - type: number - skipRateLimitCheck: - type: boolean - source_uri: - type: string - start_time: - type: string - version: - type: string - required: - - agents - - version + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [GET /api/lists/_find?page=1&per_page=20] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] + statusCode: 403 + schema: + $ref: 
'#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Get value lists + tags: + - Security Lists API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/lists/index: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/lists/index
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete the `.lists` and `.items` data streams. + operationId: DeleteListIndex responses: '200': content: application/json: examples: - postBulkUpgradeAgentsExample: - description: Bulk upgrade action result + acknowledged: value: - actionId: action-id-1 + acknowledged: true schema: - additionalProperties: false type: object properties: - actionId: - type: string + acknowledged: + type: boolean required: - - actionId + - acknowledged description: Successful response '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequest: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + message: 'Unable to delete value list data streams: invalid or missing index metadata' + status_code: 400 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Bulk upgrade agents - tags: - - Elastic Agent actions - /api/fleet/agents/files/{fileId}: - delete: - description: >- - Delete a file uploaded by an agent.

[Required authorization] - Route required privileges: fleet-agents-all. - operationId: delete-fleet-agents-files-fileid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The ID of the uploaded file - in: path - name: fileId - required: true - schema: - type: string - responses: - '200': + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': content: application/json: examples: - deleteAgentUploadFileExample: - description: Uploaded file successfully deleted + unauthorized: value: - deleted: true - id: file-id-1 + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 schema: - additionalProperties: false - type: object - properties: - deleted: - type: boolean - id: - type: string - required: - - id - - deleted - description: Successful response - '400': + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + forbidden: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + error: Forbidden + message: API [DELETE /api/lists/index] is not authorized; lists-all (or equivalent) is required to delete data streams + statusCode: 403 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: 
string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Delete an uploaded file - tags: - - Elastic Agents - /api/fleet/agents/files/{fileId}/{fileName}: - get: - description: >- - Get a file uploaded by an agent.

[Required authorization] Route - required privileges: fleet-agents-read. - operationId: get-fleet-agents-files-fileid-filename - parameters: - - description: The ID of the uploaded file - in: path - name: fileId - required: true - schema: - type: string - - description: The name of the uploaded file - in: path - name: fileName - required: true - schema: - type: string - responses: - '200': + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': content: application/json: examples: - getAgentUploadFileExample: - description: The uploaded file content as a stream - value: + notFound: + value: + message: The value list data stream was not found in this space + status_code: 404 schema: - type: object - description: Successful response — returns the uploaded file content - '400': + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List data stream not found response + '500': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + serverError: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + message: Internal Server Error + status_code: 500 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get an uploaded file + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Delete value list data streams tags: - - Elastic Agents - /api/fleet/agents/setup: + - Security Lists API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name get: - description: >- - Get the current Fleet setup status, including whether 
Fleet is ready to - enroll agents and which requirements or optional features are - missing.

[Required authorization] Route required privileges: - fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR - fleet-setup. - operationId: get-fleet-agents-setup - parameters: [] + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/lists/index
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Verify that `.lists` and `.items` data streams exist. + operationId: ReadListIndex responses: '200': content: application/json: examples: - agentsSetupNotReadyExample: - description: >- - Fleet is not ready — a Fleet Server and API keys are - required - value: - is_action_secrets_storage_enabled: false - is_secrets_storage_enabled: false - is_space_awareness_enabled: false - is_ssl_secrets_storage_enabled: false - isReady: false - missing_optional_features: - - encrypted_saved_object_encryption_key_required - missing_requirements: - - fleet_server - - api_keys - agentsSetupReadyExample: - description: Fleet is ready to enroll agents — all requirements are met + bothExist: value: - is_action_secrets_storage_enabled: true - is_secrets_storage_enabled: true - is_space_awareness_enabled: false - is_ssl_secrets_storage_enabled: false - isReady: true - missing_optional_features: [] - missing_requirements: [] - package_verification_key_id: D88DB4CC + list_index: true + list_item_index: true schema: - additionalProperties: false - description: >- - A summary of the agent setup status. `isReady` indicates - whether the setup is ready. If the setup is not ready, - `missing_requirements` lists which requirements are missing. 
type: object properties: - is_action_secrets_storage_enabled: - type: boolean - is_secrets_storage_enabled: - type: boolean - is_space_awareness_enabled: - type: boolean - is_ssl_secrets_storage_enabled: + list_index: type: boolean - isReady: + list_item_index: type: boolean - missing_optional_features: - items: - enum: - - encrypted_saved_object_encryption_key_required - type: string - maxItems: 1 - type: array - missing_requirements: - items: - enum: - - security_required - - tls_required - - api_keys - - fleet_admin_user - - fleet_server - type: string - maxItems: 5 - type: array - package_verification_key_id: - type: string required: - - isReady - - missing_requirements - - missing_optional_features - description: Fleet setup status + - list_index + - list_item_index + description: Successful response '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequest: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + message: Unable to read value list data stream status for this space + status_code: 400 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get agent setup info + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request 
[/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [GET /api/lists/index] is not authorized; list read permissions are required + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: Value list backing indices were not found for this space + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List data stream(s) not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Get status of value list data streams tags: - - Elastic Agents + - Security Lists API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name post: - description: >- - Initialize Fleet. This endpoint is used by Elastic Agents to trigger - Fleet setup. Safe to call multiple times; subsequent calls are - idempotent.

[Required authorization] Route required privileges: - fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR - fleet-setup. - operationId: post-fleet-agents-setup - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string + deprecated: true + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/lists/index
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + **DEPRECATED.** `deprecated: true` is set on this operation. Value list backing data streams for the space + are now created as part of supported workflows; calling this explicitly is rarely required. + **WARNING:** Do not use for new integrations. Prefer the UI or the list and list-item APIs after confirming + indices exist with `GET /api/lists/index`. + + Creates the `.lists` and `.items` data streams in the current Kibana space. + operationId: CreateListIndex responses: '200': content: application/json: examples: - agentsSetupSuccessExample: - description: >- - Fleet setup initialized successfully with no non-fatal - errors + acknowledged: value: - isInitialized: true - nonFatalErrors: [] + acknowledged: true schema: - additionalProperties: false - description: >- - A summary of the result of Fleet's `setup` lifecycle. If - `isInitialized` is true, Fleet is ready to accept agent - enrollment. `nonFatalErrors` may include useful insight into - non-blocking issues with Fleet setup. type: object properties: - isInitialized: + acknowledged: type: boolean - nonFatalErrors: - items: - additionalProperties: false - type: object - properties: - message: - type: string - name: - type: string - required: - - name - - message - maxItems: 10000 - type: array required: - - isInitialized - - nonFatalErrors - description: Fleet setup completed + - acknowledged + description: Successful response '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequest: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + message: Indices exist but the request could not be completed for the current space. Check that Elasticsearch and Kibana privileges allow index creation for lists. 
+ status_code: 400 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Initiate Fleet setup + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: | + [security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate] + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [POST /api/lists/index] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '409': + content: + application/json: + examples: + alreadyExists: + value: + message: 'data stream: \".lists-default\" and \".items-default\" already exists' + status_code: 409 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List data stream exists response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Create list data streams 
tags: - - Elastic Agents - /api/fleet/agents/tags: - get: - description: >- - Get a list of all tags used across enrolled agents.

[Required - authorization] Route required privileges: fleet-agents-read. - operationId: get-fleet-agents-tags + - Security Lists API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/lists/items: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/lists/items
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a value list item using its `id`, or its `list_id` and `value` fields. + operationId: DeleteListItem parameters: - - description: A KQL query string to filter results + - description: Value list item's identifier. Required if `list_id` and `value` are not specified. in: query - name: kuery + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Lists_API_ListItemId' + - description: Value list's identifier. Required if `id` is not specified. + in: query + name: list_id + required: false + schema: + $ref: '#/components/schemas/Security_Lists_API_ListId' + - description: The value used to evaluate exceptions. Required if `id` is not specified. + in: query + name: value required: false schema: + example: 255.255.255.255 type: string - - description: When true, include tags from inactive agents + - description: Determines when changes made by the request are made visible to search. 
in: query - name: showInactive + name: refresh required: false schema: - default: false - type: boolean + default: 'false' + enum: + - 'true' + - 'false' + - wait_for + example: false + type: string responses: '200': content: application/json: examples: - getAgentTagsExample: - description: List of tags used across agents + ip: + value: + _version: WzIwLDFd + '@timestamp': '2025-01-08T05:15:05.159Z' + created_at: '2025-01-08T05:15:05.159Z' + created_by: elastic + id: pd1WRJQBs4HAK3VQeHFI + list_id: ip_list + tie_breaker_id: eee41dc7-1666-4876-982f-8b0f7b59eca3 + type: ip + updated_at: '2025-01-08T05:44:14.009Z' + updated_by: elastic + value: 255.255.255.255 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_ListItem' + - items: + $ref: '#/components/schemas/Security_Lists_API_ListItem' + type: array + description: Successful response + '400': + content: + application/json: + examples: + badRequest: value: - items: - - production - - linux - - datacenter-1 + message: Either \"list_id\" or \"id\" needs to be defined in the request + status_code: 400 schema: - additionalProperties: false - type: object - properties: - items: - items: - type: string - maxItems: 10000 - type: array - required: - - items - description: Successful response - '400': + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + unauthorized: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 
401 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get agent tags - tags: - - Elastic Agents - /api/fleet/check-permissions: - get: - description: >- - Check whether the current user has the required permissions to use - Fleet. Optionally verifies Fleet Server setup privileges. - operationId: get-fleet-check-permissions - parameters: - - description: >- - When true, check Fleet Server setup privileges in addition to - standard Fleet privileges - in: query - name: fleetServerSetup - required: false - schema: - type: boolean - responses: - '200': + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': content: application/json: examples: - checkPermissionsMissingPrivilegesExample: - description: The current user is missing Fleet privileges + forbidden: value: - error: MISSING_PRIVILEGES - success: false - checkPermissionsSuccessExample: - description: The current user has all required Fleet permissions + error: Forbidden + message: API [DELETE /api/lists/items?id=pd1WRJQBs4HAK3VQeHFI] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: value: - success: true + message: 'list item with id: \"pd1WRJQBs4HAK3VQeHFI\" not found' + status_code: 404 schema: - additionalProperties: false - type: object - properties: - error: - enum: - - MISSING_SECURITY - - MISSING_PRIVILEGES - - MISSING_FLEET_SERVER_SETUP_PRIVILEGES - type: string - success: - type: boolean - required: - - success - description: 
Successful response - '400': + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List item not found response + '500': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + serverError: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + message: Internal Server Error + status_code: 500 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Check permissions + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Delete a value list item tags: - - Fleet internals - /api/fleet/cloud_connectors: + - Security Lists API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name get: - description: >- - List all Fleet cloud connectors.

[Required authorization] Route - required privileges: fleet-agent-policies-read OR integrations-read. - operationId: get-fleet-cloud-connectors + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/lists/items
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the details of a value list item. + operationId: ReadListItem parameters: - - description: The page number for pagination. + - description: Value list item identifier. Required if `list_id` and `value` are not specified. in: query - name: page + name: id required: false schema: - type: string - - description: The number of items per page. + $ref: '#/components/schemas/Security_Lists_API_ListId' + - description: Value list item list's `id` identfier. Required if `id` is not specified. in: query - name: perPage + name: list_id required: false schema: - type: string - - description: KQL query to filter cloud connectors. + $ref: '#/components/schemas/Security_Lists_API_ListId' + - description: The value used to evaluate exceptions. Required if `id` is not specified. in: query - name: kuery + name: value required: false schema: + example: 127.0.0.2 type: string responses: '200': content: application/json: examples: - getCloudConnectorsExample: - description: List of Fleet cloud connectors + ip: value: - items: - - accountType: single-account - cloudProvider: aws - created_at: '2024-01-15T10:00:00.000Z' - id: cloud-connector-id-1 - name: My AWS connector - packagePolicyCount: 2 - updated_at: '2024-01-15T10:00:00.000Z' - vars: {} + _version: WzExLDFd + '@timestamp': '2025-01-08T05:16:25.882Z' + created_at: '2025-01-08T05:16:25.882Z' + created_by: elastic + id: qN1XRJQBs4HAK3VQs3Gc + list_id: ip_list + tie_breaker_id: a9a34c02-a385-436e-86a0-02a3942f3537 + type: ip + updated_at: '2025-01-08T05:16:25.882Z' + updated_by: elastic + value: 127.0.0.2 schema: - additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: false - type: object - properties: - accountType: - type: string - cloudProvider: - type: string - created_at: - type: string - id: - type: string - name: - type: string - namespace: - type: string - 
packagePolicyCount: - type: number - updated_at: - type: string - vars: - additionalProperties: - nullable: true - type: object - verification_failed_at: - type: string - verification_started_at: - type: string - verification_status: - type: string - required: - - id - - name - - cloudProvider - - vars - - packagePolicyCount - - created_at - - updated_at - maxItems: 10000 + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_ListItem' + - items: + $ref: '#/components/schemas/Security_Lists_API_ListItem' type: array - required: - - items description: Successful response '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequest: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + message: Either \"list_id\" or \"id\" needs to be defined in the request + status_code: 400 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get cloud connectors - tags: - - Fleet cloud connectors - x-state: Technical Preview - post: - description: >- - Create a new Fleet cloud connector.

[Required authorization] - Route required privileges: fleet-agent-policies-all OR integrations-all. - operationId: post-fleet-cloud-connectors - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postCloudConnectorRequestExample: - description: Create a new AWS cloud connector - value: - accountType: single-account - cloudProvider: aws - name: My AWS connector - vars: {} - schema: - additionalProperties: false - type: object - properties: - accountType: - description: >- - The account type: single-account (single - account/subscription) or organization-account - (organization-wide). - enum: - - single-account - - organization-account - type: string - cloudProvider: - description: 'The cloud provider type: aws, azure, or gcp.' - enum: - - aws - - azure - - gcp - type: string - name: - description: The name of the cloud connector. 
- maxLength: 255 - minLength: 1 - type: string - vars: - additionalProperties: - anyOf: - - maxLength: 1000 - type: string - - type: number - - type: boolean - - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - maxLength: 50 - type: string - value: - anyOf: - - maxLength: 1000 - type: string - - additionalProperties: false - type: object - properties: - id: - maxLength: 255 - type: string - isSecretRef: - type: boolean - required: - - isSecretRef - - id - required: - - type - - value - type: object - required: - - name - - cloudProvider - - vars - responses: - '200': + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': content: application/json: examples: - postCloudConnectorExample: - description: The created Fleet cloud connector + unauthorized: value: - item: - accountType: single-account - cloudProvider: aws - created_at: '2024-01-15T10:00:00.000Z' - id: cloud-connector-id-2 - name: My AWS connector - packagePolicyCount: 0 - updated_at: '2024-01-15T10:00:00.000Z' - vars: {} + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - accountType: - type: string - cloudProvider: - type: string - created_at: - type: string - id: - type: string - name: - type: string - namespace: - type: string - packagePolicyCount: - type: number - updated_at: - type: string - vars: - additionalProperties: - nullable: true - type: object - verification_failed_at: - type: string - verification_started_at: - type: string - 
verification_status: - type: string - required: - - id - - name - - cloudProvider - - vars - - packagePolicyCount - - created_at - - updated_at - required: - - item - description: Successful response - '400': + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + forbidden: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + error: Forbidden + message: API [GET /api/lists/items?id=qN1XRJQBs4HAK3VQs3Gc] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] + statusCode: 403 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Create cloud connector + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'list item id: \"foo\" not found' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List item not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Get a value list item tags: - - Fleet cloud connectors - x-state: Technical Preview - /api/fleet/cloud_connectors/{cloudConnectorId}: - delete: - description: >- - Delete a cloud connector by ID. 
Use the `force` query parameter to - delete even if package policies are still using it.

[Required - authorization] Route required privileges: fleet-agent-policies-all OR - integrations-all. - operationId: delete-fleet-cloud-connectors-cloudconnectorid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The unique identifier of the cloud connector to delete. - in: path - name: cloudConnectorId - required: true - schema: - type: string - - description: If true, forces deletion even if the cloud connector is in use. - in: query - name: force - required: false - schema: - type: boolean + - Security Lists API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + patch: + description: |- + **Spaces method and path for this operation:** + +
patch /s/{space_id}/api/lists/items
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update specific fields of an existing value list item using the item `id`. + operationId: PatchListItem + requestBody: + content: + application/json: + examples: + changeValue: + value: + id: pd1WRJQBs4HAK3VQeHFI + value: 255.255.255.255 + schema: + type: object + properties: + _version: + $ref: '#/components/schemas/Security_Lists_API_ListVersionId' + id: + $ref: '#/components/schemas/Security_Lists_API_ListItemId' + meta: + $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' + refresh: + description: Determines when changes made by the request are made visible to search. + enum: + - 'true' + - 'false' + - wait_for + type: string + value: + $ref: '#/components/schemas/Security_Lists_API_ListItemValue' + required: + - id + description: Value list item's properties + required: true responses: '200': content: application/json: examples: - deleteCloudConnectorExample: - description: The cloud connector was successfully deleted + ipItem: value: - id: cloud-connector-id-1 + _version: WzE5LDFd + '@timestamp': '2025-01-08T05:15:05.159Z' + created_at: '2025-01-08T05:15:05.159Z' + created_by: elastic + id: pd1WRJQBs4HAK3VQeHFI + list_id: ip_list + tie_breaker_id: eee41dc7-1666-4876-982f-8b0f7b59eca3 + type: ip + updated_at: '2025-01-08T05:23:37.602Z' + updated_by: elastic + value: 255.255.255.255 schema: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id + $ref: '#/components/schemas/Security_Lists_API_ListItem' description: Successful response '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequest: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + message: 
'{"took":15,"timed_out":false,"total":1,"updated":0,"deleted":0,"batches":1,"version_conflicts":0,"noops":0,"retries":{"bulk":0,"search":0},"throttled_millis":0,"requests_per_second":-1,"throttled_until_millis":0,"failures":[{"index":".ds-.items-default-2025.01.09-000001","id":"ip_item","cause":{"type":"document_parsing_exception","reason":"[1:107] failed to parse field [ip] of type [ip] in document with id ip_item. Preview of fields value: 2","caused_by":{"type":"illegal_argument_exception","reason":"2 is not an IP string literal."}},"status":400}]}' + status_code: 400 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Delete cloud connector (supports force deletion) - tags: - - Fleet cloud connectors - x-state: Technical Preview - get: - description: >- - Get a cloud connector by ID.

[Required authorization] Route - required privileges: fleet-agent-policies-read OR integrations-read. - operationId: get-fleet-cloud-connectors-cloudconnectorid - parameters: - - description: The unique identifier of the cloud connector. - in: path - name: cloudConnectorId - required: true - schema: - type: string - responses: - '200': + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': content: application/json: examples: - getCloudConnectorExample: - description: A Fleet cloud connector + unauthorized: value: - item: - accountType: single-account - cloudProvider: aws - created_at: '2024-01-15T10:00:00.000Z' - id: cloud-connector-id-1 - name: My AWS connector - packagePolicyCount: 2 - updated_at: '2024-01-15T10:00:00.000Z' - vars: {} + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - accountType: - type: string - cloudProvider: - type: string - created_at: - type: string - id: - type: string - name: - type: string - namespace: - type: string - packagePolicyCount: - type: number - updated_at: - type: string - vars: - additionalProperties: - nullable: true - type: object - verification_failed_at: - type: string - verification_started_at: - type: string - verification_status: - type: string - required: - - id - - name - - cloudProvider - - vars - - packagePolicyCount - - created_at - - updated_at - required: - - item - description: Successful response - '400': + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful 
authentication response + '403': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + forbidden: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + error: Forbidden + message: API [PATCH /api/lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get cloud connector + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'list item id: \"foo\" not found' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List item not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Patch a value list item tags: - - Fleet cloud connectors - x-state: Technical Preview - put: - description: >- - Update a cloud connector by ID.

[Required authorization] Route - required privileges: fleet-agent-policies-all OR integrations-all. - operationId: put-fleet-cloud-connectors-cloudconnectorid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The unique identifier of the cloud connector to update. - in: path - name: cloudConnectorId - required: true - schema: - type: string + - Security Lists API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/lists/items
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a value list item and associate it with the specified value list. + + All value list items in the same list must be the same type. For example, each list item in an `ip` list must define a specific IP address. + > info + > Before creating a list item, you must create a list. + operationId: CreateListItem requestBody: content: application/json: examples: - putCloudConnectorRequestExample: - description: Update a Fleet cloud connector + ip: value: - name: Updated AWS connector - vars: {} + list_id: ip_list + value: 127.0.0.1 + ip_range: + value: + list_id: ip_range_list + value: 192.168.0.0/16 + keyword: + value: + list_id: keyword_list + value: zeek schema: - additionalProperties: false type: object properties: - accountType: - description: >- - The account type: single-account (single - account/subscription) or organization-account - (organization-wide). + id: + $ref: '#/components/schemas/Security_Lists_API_ListItemId' + list_id: + $ref: '#/components/schemas/Security_Lists_API_ListId' + meta: + $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' + refresh: + description: Determines when changes made by the request are made visible to search. enum: - - single-account - - organization-account - type: string - name: - description: The name of the cloud connector. 
- maxLength: 255 - minLength: 1 + - 'true' + - 'false' + - wait_for + example: wait_for type: string - vars: - additionalProperties: - anyOf: - - maxLength: 1000 - type: string - - type: number - - type: boolean - - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - maxLength: 50 - type: string - value: - anyOf: - - maxLength: 1000 - type: string - - additionalProperties: false - type: object - properties: - id: - maxLength: 255 - type: string - isSecretRef: - type: boolean - required: - - isSecretRef - - id - required: - - type - - value - type: object + value: + $ref: '#/components/schemas/Security_Lists_API_ListItemValue' + required: + - list_id + - value + description: Value list item's properties + required: true responses: '200': content: application/json: examples: - putCloudConnectorExample: - description: The updated Fleet cloud connector + ip: value: - item: - accountType: single-account - cloudProvider: aws - created_at: '2024-01-15T10:00:00.000Z' - id: cloud-connector-id-1 - name: Updated AWS connector - packagePolicyCount: 2 - updated_at: '2024-01-15T11:00:00.000Z' - vars: {} + _version: WzAsMV0= + '@timestamp': '2025-01-08T04:59:06.154Z' + created_at: '2025-01-08T04:59:06.154Z' + created_by: elastic + id: 21b01cfb-058d-44b9-838c-282be16c91cc + list_id: ip_list + tie_breaker_id: b57c762c-3036-465c-9bfb-7bfb5e6e515a + type: ip + updated_at: '2025-01-08T04:59:06.154Z' + updated_by: elastic + value: 127.0.0.1 + ip_range: + value: + _version: WzEsMV0= + '@timestamp': '2025-01-09T18:33:08.202Z' + created_at: '2025-01-09T18:33:08.202Z' + created_by: elastic + id: ip_range_item + list_id: ip_range_list + tie_breaker_id: ea1b4189-efda-4637-b8f9-74655a5ebb61 + type: ip_range + updated_at: '2025-01-09T18:33:08.202Z' + updated_by: elastic + value: 192.168.0.0/16 + keyword: + value: + _version: WzIsMV0= + '@timestamp': '2025-01-09T18:34:29.422Z' + created_at: '2025-01-09T18:34:29.422Z' + created_by: elastic + id: 
7f24737d-1da8-4626-a568-33070591bb4e + list_id: keyword_list + tie_breaker_id: 2108ced2-5e5d-401e-a88e-4dd69fc5fa27 + type: keyword + updated_at: '2025-01-09T18:34:29.422Z' + updated_by: elastic + value: zeek schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - accountType: - type: string - cloudProvider: - type: string - created_at: - type: string - id: - type: string - name: - type: string - namespace: - type: string - packagePolicyCount: - type: number - updated_at: - type: string - vars: - additionalProperties: - nullable: true - type: object - verification_failed_at: - type: string - verification_started_at: - type: string - verification_status: - type: string - required: - - id - - name - - cloudProvider - - vars - - packagePolicyCount - - created_at - - updated_at - required: - - item + $ref: '#/components/schemas/Security_Lists_API_ListItem' description: Successful response '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequest: value: error: Bad Request - message: An error message describing what went wrong + message: uri [/api/lists/items] with method [post] exists but is not available with the current configuration statusCode: 400 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Update cloud connector + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot 
causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [POST /api/lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + listNotFound: + value: + message: 'list id: \"ip_list\" does not exist' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '409': + content: + application/json: + examples: + alreadyExists: + value: + message: 'list item id: \"ip_item\" already exists' + status_code: 409 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List item already exists response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Create a value list item tags: - - Fleet cloud connectors - x-state: Technical Preview - /api/fleet/cloud_connectors/{cloudConnectorId}/usage: - get: - description: >- - Get a list of package policies that are using a given cloud - connector.

[Required authorization] Route required privileges: - fleet-agent-policies-read OR integrations-read. - operationId: get-fleet-cloud-connectors-cloudconnectorid-usage - parameters: - - description: The unique identifier of the cloud connector. - in: path - name: cloudConnectorId - required: true - schema: - type: string - - description: The page number for pagination. - in: query - name: page - required: false - schema: - minimum: 1 - type: number - - description: The number of items per page. - in: query - name: perPage - required: false - schema: - minimum: 1 - type: number + - Security Lists API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: | + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/lists/items
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update a value list item using the list item ID. The original list item is replaced, and all unspecified fields are deleted. + > info + > You cannot modify the `id` value. + operationId: UpdateListItem + requestBody: + content: + application/json: + examples: + fullReplace: + value: + id: ip_item + value: 255.255.255.255 + schema: + example: + id: ip_item + value: 255.255.255.255 + type: object + properties: + _version: + $ref: '#/components/schemas/Security_Lists_API_ListVersionId' + id: + $ref: '#/components/schemas/Security_Lists_API_ListItemId' + meta: + $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' + value: + $ref: '#/components/schemas/Security_Lists_API_ListItemValue' + required: + - id + - value + description: Value list item's properties + required: true responses: '200': content: application/json: examples: - getCloudConnectorUsageResponseExample: - description: >- - Example response showing package policies using the cloud - connector + ip: value: - items: - - created_at: '2025-01-16T09:00:00.000Z' - id: package-policy-1 - name: CSPM AWS Policy - package: - name: cloud_security_posture - title: Cloud Security Posture Management - version: 3.1.1 - policy_ids: - - policy-id-123 - - policy-id-456 - updated_at: '2025-01-16T09:00:00.000Z' - page: 1 - perPage: 20 - total: 2 + _version: WzIwLDFd + '@timestamp': '2025-01-08T05:15:05.159Z' + created_at: '2025-01-08T05:15:05.159Z' + created_by: elastic + id: pd1WRJQBs4HAK3VQeHFI + list_id: ip_list + tie_breaker_id: eee41dc7-1666-4876-982f-8b0f7b59eca3 + type: ip + updated_at: '2025-01-08T05:44:14.009Z' + updated_by: elastic + value: 255.255.255.255 schema: - additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: false - type: object - properties: - created_at: - type: string - id: - type: string - name: - type: string - package: - 
additionalProperties: false - type: object - properties: - name: - type: string - title: - type: string - version: - type: string - required: - - name - - title - - version - policy_ids: - items: - type: string - maxItems: 10000 - type: array - updated_at: - type: string - required: - - id - - name - - policy_ids - - created_at - - updated_at - maxItems: 10000 - type: array - page: - type: number - perPage: - type: number - total: - type: number - required: - - items - - total - - page - - perPage - description: 'OK: A successful request.' + $ref: '#/components/schemas/Security_Lists_API_ListItem' + description: Successful response '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequest: value: error: Bad Request - message: Cloud connector not found + message: '[request body]: id: Expected string, received number' statusCode: 400 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: A bad request. - summary: Get cloud connector usage (package policies using the connector) - tags: - - Fleet cloud connectors - x-state: Technical Preview - /api/fleet/data_streams: - get: - description: >- - List all Fleet-managed data streams with metadata including package, - namespace, size, and last activity.

[Required authorization] - Route required privileges: fleet-agents-all AND fleet-agent-policies-all - AND fleet-settings-all. - operationId: get-fleet-data-streams - parameters: [] - responses: - '200': + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': content: application/json: examples: - getDataStreamsExample: - description: List of Fleet-managed data streams + unauthorized: value: - data_streams: - - dashboards: - - id: nginx-overview - title: Nginx Overview - dataset: nginx.access - index: logs-nginx.access-default - last_activity_ms: 1700000000000 - namespace: default - package: nginx - package_version: 1.20.0 - serviceDetails: null - size_in_bytes: 1048576 - size_in_bytes_formatted: 1mb - type: logs - - dashboards: [] - dataset: system.cpu - index: metrics-system.cpu-default - last_activity_ms: 1699999000000 - namespace: default - package: system - package_version: 1.38.0 - serviceDetails: null - size_in_bytes: 524288 - size_in_bytes_formatted: 512kb - type: metrics + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 schema: - additionalProperties: false - type: object - properties: - data_streams: - items: - additionalProperties: false - type: object - properties: - dashboards: - items: - additionalProperties: false - type: object - properties: - id: - type: string - title: - type: string - required: - - id - - title - maxItems: 10000 - type: array - dataset: - type: string - index: - type: string - last_activity_ms: - type: number - namespace: - type: string - package: - type: string - package_version: - type: string - serviceDetails: - additionalProperties: false - nullable: true 
- type: object - properties: - environment: - type: string - serviceName: - type: string - required: - - environment - - serviceName - size_in_bytes: - type: number - size_in_bytes_formatted: - anyOf: - - type: number - - type: string - type: - type: string - required: - - index - - dataset - - namespace - - type - - package - - package_version - - last_activity_ms - - size_in_bytes - - size_in_bytes_formatted - - dashboards - - serviceDetails - maxItems: 10000 - type: array - required: - - data_streams - description: Successful response - '400': + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + forbidden: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + error: Forbidden + message: API [PATCH /api/lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get data streams - tags: - - Data streams - /api/fleet/enrollment_api_keys: - get: - description: >- - List all enrollment API keys.

[Required authorization] Route - required privileges: fleet-agents-all OR fleet-setup. - operationId: get-fleet-enrollment-api-keys - parameters: - - description: Page number - in: query - name: page - required: false - schema: - default: 1 - type: number - - description: Number of results per page - in: query - name: perPage - required: false - schema: - default: 20 - type: number - - description: A KQL query string to filter results - in: query - name: kuery - required: false - schema: - type: string - responses: - '200': + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': content: application/json: examples: - getEnrollmentApiKeysExample: - description: List of enrollment API keys + notFound: value: - items: - - active: true - api_key: api-key-value-1 - api_key_id: api-key-id-1 - created_at: '2024-01-01T00:00:00.000Z' - id: key-id-1 - name: Default policy enrollment key - policy_id: policy-id-1 - list: - - active: true - api_key: api-key-value-1 - api_key_id: api-key-id-1 - created_at: '2024-01-01T00:00:00.000Z' - id: key-id-1 - name: Default policy enrollment key - policy_id: policy-id-1 - page: 1 - perPage: 20 - total: 1 + message: 'list item id: \"foo\" not found' + status_code: 404 schema: - additionalProperties: false - type: object - properties: - items: - items: - $ref: '#/components/schemas/Kibana_HTTP_APIs_enrollment_api_key' - maxItems: 10000 - type: array - list: - deprecated: true - items: - $ref: '#/components/schemas/Kibana_HTTP_APIs_enrollment_api_key' - maxItems: 10000 - type: array - page: - type: number - perPage: - type: number - total: - type: number - required: - - items - - total - - page - - perPage - - list - description: Successful response - '400': + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List item not found response + '500': content: application/json: examples: - genericErrorResponseExample: - description: Example of a 
generic error response + serverError: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + message: Internal Server Error + status_code: 500 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get enrollment API keys + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Update a value list item tags: - - Fleet enrollment API keys + - Security Lists API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/lists/items/_export: post: - description: >- - Create an enrollment API key for a given agent - policy.

[Required authorization] Route required privileges: - fleet-agents-all. - operationId: post-fleet-enrollment-api-keys + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/lists/items/_export
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Export list item values from the specified value list. + operationId: ExportListItems parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf + - description: Value list's `id` to export. + in: query + name: list_id required: true schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postEnrollmentApiKeyRequestExample: - description: Create an enrollment API key for an agent policy - value: - expiration: '2025-01-01T00:00:00.000Z' - name: My enrollment key - policy_id: policy-id-1 - schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_enrollment_api_key' + $ref: '#/components/schemas/Security_Lists_API_ListId' responses: '200': content: - application/json: + application/ndjson: examples: - postEnrollmentApiKeyExample: - description: The created enrollment API key - value: - action: created - item: - active: true - api_key: api-key-value-1 - api_key_id: api-key-id-1 - created_at: '2024-01-01T00:00:00.000Z' - id: key-id-1 - name: My enrollment key - policy_id: policy-id-1 + ipLines: + value: | + 127.0.0.1 + 127.0.0.2 + 127.0.0.3 schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_enrollment_api_key_response + description: A `.txt` file containing list items from the specified list + example: | + 127.0.0.1 + 127.0.0.2 + 127.0.0.3 + 127.0.0.4 + 127.0.0.5 + 127.0.0.6 + 127.0.0.7 + 127.0.0.8 + 127.0.0.9 + format: binary + type: string description: Successful response '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequest: value: - error: Bad Request - message: An error message describing what went wrong + error: 'Bad Request","message":"[request query]: list_id: Required' statusCode: 400 schema: - additionalProperties: false - description: Generic Error - type: object - 
properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Create an enrollment API key - tags: - - Fleet enrollment API keys - /api/fleet/enrollment_api_keys/_bulk_delete: - post: - description: >- - Revoke or delete multiple enrollment API keys.

[Required - authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-enrollment-api-keys-bulk-delete - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - bulkDeleteByIdsExample: - description: Bulk delete enrollment API keys by IDs - value: - forceDelete: true - tokenIds: - - token-id-1 - - token-id-2 - bulkDeleteByKueryExample: - description: Bulk delete enrollment API keys by KQL query - value: - forceDelete: false - kuery: policy_id:"policy-id-1" - schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_bulk_delete_enrollment_api_keys_request - responses: - '200': + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [POST /api/lists/items/_export?list_id=ips.txt] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': content: application/json: examples: - bulkDeleteEnrollmentApiKeysExample: - description: The enrollment API keys were 
successfully processed + notFound: value: - action: deleted - count: 2 - errorCount: 0 - successCount: 2 + message: 'list id: "unknown_list" not found' + status_code: 404 schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_bulk_delete_enrollment_api_keys_response - description: Successful response - '400': + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List not found response + '500': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + serverError: value: - error: Bad Request - message: Either tokenIds or kuery must be provided - statusCode: 400 + message: Internal Server Error + status_code: 500 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Bulk revoke or delete enrollment API keys + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Export value list items tags: - - Fleet enrollment API keys - x-state: Generally available - /api/fleet/enrollment_api_keys/{keyId}: - delete: - description: >- - Revoke or delete an enrollment API key by ID. Use `forceDelete=true` to - remove the document.

[Required authorization] Route required - privileges: fleet-agents-all. - operationId: delete-fleet-enrollment-api-keys-keyid + - Security Lists API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/lists/items/_find: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/lists/items/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get all value list items in the specified list. + operationId: FindListItems parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf + - description: Parent value list's `id` to page through items for. + in: query + name: list_id required: true schema: - example: 'true' + $ref: '#/components/schemas/Security_Lists_API_ListId' + - description: The page number to return. + in: query + name: page + required: false + schema: + example: 1 + type: integer + - description: The number of list items to return per page. + in: query + name: per_page + required: false + schema: + example: 20 + type: integer + - description: Determines which field is used to sort the results. + in: query + name: sort_field + required: false + schema: + example: value + format: nonempty + minLength: 1 type: string - - description: The ID of the enrollment API key - in: path - name: keyId - required: true + - description: Determines the sort order, which can be `desc` or `asc` + in: query + name: sort_order + required: false schema: + enum: + - desc + - asc + example: asc type: string - - description: >- - When false (default), invalidate the API key and mark the token as - inactive. When true, also delete the token document. + - description: | + Opaque cursor returned in a previous response; pass it to continue listing from the next page. Omit on the first request. in: query - name: forceDelete + name: cursor required: false schema: - default: false - type: boolean - - description: >- - When true, allow deletion of hidden enrollment tokens - (managed/agentless policies). Defaults to false. + $ref: '#/components/schemas/Security_Lists_API_FindListItemsCursor' + - description: | + Filters the returned results according to the value of the specified field, + using the : syntax. 
in: query - name: includeHidden + name: filter required: false schema: - default: false - type: boolean + $ref: '#/components/schemas/Security_Lists_API_FindListItemsFilter' responses: '200': content: application/json: examples: - deleteEnrollmentApiKeyExample: - description: The enrollment API key was successfully revoked - value: - action: deleted - schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_delete_enrollment_api_key_response - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response + ip: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + cursor: WzIwLFsiYjU3Yzc2MmMtMzAzNi00NjVjLTliZmItN2JmYjVlNmU1MTVhIl1d + data: + - _version: WzAsMV0= + '@timestamp': '2025-01-08T04:59:06.154Z' + created_at: '2025-01-08T04:59:06.154Z' + created_by: elastic + id: 21b01cfb-058d-44b9-838c-282be16c91cc + list_id: ip_list + tie_breaker_id: b57c762c-3036-465c-9bfb-7bfb5e6e515a + type: ip + updated_at: '2025-01-08T04:59:06.154Z' + updated_by: elastic + value: 127.0.0.1 + page: 1 + per_page: 20 + total: 1 schema: - additionalProperties: false - description: Generic Error type: object properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number + cursor: + $ref: '#/components/schemas/Security_Lists_API_FindListItemsCursor' + data: + items: + $ref: '#/components/schemas/Security_Lists_API_ListItem' + type: array + page: + minimum: 0 + type: integer + per_page: + minimum: 0 + type: integer + total: + minimum: 0 + type: integer required: - - message - - attributes - description: Bad Request - '404': + - data + - page + - per_page + - total + - cursor + description: Successful response + '400': content: application/json: examples: - notFoundExample: - description: No enrollment API key was found with the given ID + badRequest: 
value: - error: Not Found - message: EnrollmentAPIKey key-id-1 not found - statusCode: 404 - description: Not Found - summary: Revoke or delete an enrollment API key - tags: - - Fleet enrollment API keys - get: - description: >- - Get an enrollment API key by ID.

[Required authorization] Route - required privileges: fleet-agents-all OR fleet-setup. - operationId: get-fleet-enrollment-api-keys-keyid - parameters: - - description: The ID of the enrollment API key - in: path - name: keyId - required: true - schema: - type: string - responses: - '200': + error: Bad Request, + message: '[request query]: list_id: Required' + statusCode: 400, + schema: + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': content: application/json: examples: - getEnrollmentApiKeyExample: - description: An enrollment API key + unauthorized: value: - item: - active: true - api_key: api-key-value-1 - api_key_id: api-key-id-1 - created_at: '2024-01-01T00:00:00.000Z' - id: key-id-1 - name: Default policy enrollment key - policy_id: policy-id-1 + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_enrollment_api_key_response - description: Successful response - '400': + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + forbidden: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + error: Forbidden + message: API [GET /api/lists/items/_find?list_id=ip_list&page=1&per_page=20] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] + statusCode: 403 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - 
attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '500': content: application/json: examples: - notFoundExample: - description: No enrollment API key was found with the given ID + serverError: value: - error: Not Found - message: EnrollmentAPIKey key-id-1 not found - statusCode: 404 - description: Not Found - summary: Get an enrollment API key + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Get value list items tags: - - Fleet enrollment API keys - /api/fleet/epm/bulk_assets: + - Security Lists API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/lists/items/_import: post: - description: >- - Retrieve multiple Kibana saved object assets by their IDs and - types.

[Required authorization] Route required privileges: - integrations-read OR fleet-setup OR fleet-all. - operationId: post-fleet-epm-bulk-assets + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/lists/items/_import
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Import value list items from a TXT or CSV file. The maximum file size is 9 million bytes. + + You can import items to a new or existing list. + operationId: ImportListItems parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true + - description: | + List's id. + + Required when importing to an existing list. + in: query + name: list_id + required: false schema: - example: 'true' + $ref: '#/components/schemas/Security_Lists_API_ListId' + - description: | + Type of the importing list. + + Required when importing a new list whose list `id` is not specified. + examples: + ip: + value: ip + in: query + name: type + required: false + schema: + $ref: '#/components/schemas/Security_Lists_API_ListType' + - description: Determines when changes made by the request are made visible to search. + in: query + name: refresh + required: false + schema: + enum: + - 'true' + - 'false' + - wait_for + example: true type: string requestBody: content: - application/json: + multipart/form-data: examples: - postBulkGetAssetsRequestExample: - description: Retrieve multiple assets by their IDs and types + ipLinesFile: value: - assetIds: - - id: dashboard-id-1 - type: dashboard - - id: index-pattern-id-1 - type: index_pattern + file: list_values.txt schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_get_bulk_assets_request' + type: object + properties: + file: + description: A `.txt` or `.csv` file containing newline separated list items. 
+ example: | + 127.0.0.1 + 127.0.0.2 + 127.0.0.3 + 127.0.0.4 + 127.0.0.5 + 127.0.0.6 + 127.0.0.7 + 127.0.0.8 + 127.0.0.9 + format: binary + type: string + required: true responses: '200': content: application/json: examples: - postBulkGetAssetsExample: - description: Requested assets + ip: value: - items: - - appLink: /app/dashboards#/view/dashboard-id-1 - attributes: - title: My Dashboard - id: dashboard-id-1 - type: dashboard + _version: WzAsMV0= + '@timestamp': '2025-01-08T04:47:34.273Z' + created_at: '2025-01-08T04:47:34.273Z' + created_by: elastic + description: This list describes bad internet ip + id: ip_list + immutable: false + name: Simple list with an ip + tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 + type: ip + updated_at: '2025-01-08T04:47:34.273Z' + updated_by: elastic + version: 1 schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_get_bulk_assets_response' + $ref: '#/components/schemas/Security_Lists_API_List' description: Successful response '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequest: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + message: Either type or list_id need to be defined in the query + status_code: 400 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Bulk get assets + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot 
causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [POST /api/lists/items/_import?list_id=ip_list] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '409': + content: + application/json: + examples: + conflict: + value: + message: List with the specified list_id does not exist, create the list or fix list_id to import to an existing one + status_code: 409 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List with specified list_id does not exist response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Import value list items tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/categories: + - Security Lists API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/lists/privileges: get: - description: >- - Get a list of integration categories.

[Required authorization] - Route required privileges: integrations-read OR fleet-setup OR - fleet-all. - operationId: get-fleet-epm-categories - parameters: - - description: When true, include prerelease packages in the results - in: query - name: prerelease - required: false - schema: - type: boolean - - description: When true, include categories that only contain policy templates - in: query - name: include_policy_templates - required: false - schema: - type: boolean + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/lists/privileges
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Returns the caller's authentication state and the Elasticsearch `cluster`, `index`, and `application` + privileges for `.lists` and `.items` data streams in the current Kibana space. Use this to decide which list + APIs (`read` vs `all` operations) are available before you create or import lists. + operationId: ReadListPrivileges responses: '200': content: application/json: examples: - getCategoriesExample: - description: List of integration categories + privileges: value: - items: - - count: 42 - id: security - title: Security - - count: 38 - id: observability - title: Observability + is_authenticated: true + listItems: + application: {} + cluster: + all: true + manage: true + manage_api_key: true + manage_index_templates: true + manage_ml: true + manage_own_api_key: true + manage_pipeline: true + manage_security: true + manage_transform: true + monitor: true + monitor_ml: true + monitor_transform: true + has_all_requested: true + index: + .items-default: + all: true + create: true + create_doc: true + create_index: true + delete: true + delete_index: true + index: true + maintenance: true + manage: true + monitor: true + read: true + view_index_metadata: true + write: true + username: elastic + lists: + application: {} + cluster: + all: true + manage: true + manage_api_key: true + manage_index_templates: true + manage_ml: true + manage_own_api_key: true + manage_pipeline: true + manage_security: true + manage_transform: true + monitor: true + monitor_ml: true + monitor_transform: true + has_all_requested: true + index: + .lists-default: + all: true + create: true + create_doc: true + create_index: true + delete: true + delete_index: true + index: true + maintenance: true + manage: true + monitor: true + read: true + view_index_metadata: true + write: true + username: elastic schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_get_categories_response' + 
type: object + properties: + is_authenticated: + type: boolean + listItems: + $ref: '#/components/schemas/Security_Lists_API_ListItemPrivileges' + lists: + $ref: '#/components/schemas/Security_Lists_API_ListPrivileges' + required: + - lists + - listItems + - is_authenticated description: Successful response '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequest: value: error: Bad Request - message: An error message describing what went wrong + message: 'Unable to resolve list privileges: invalid or missing space context for this request' statusCode: 400 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get package categories - tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/custom_integrations: - post: - description: >- - Create a new custom integration package with user-defined data - streams.

[Required authorization] Route required privileges: - integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-custom-integrations - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postCreateCustomIntegrationRequestExample: - description: Create a new custom integration - value: - datasets: - - name: my_custom_logs.access - type: logs - integrationName: my_custom_logs - schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_create_custom_integration_request - responses: - '200': + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': content: application/json: examples: - postCreateCustomIntegrationExample: - description: Custom integration successfully created + unauthorized: value: - _meta: - install_source: custom - items: - - id: my_custom_logs-logs-my_custom_logs.access - type: index_template + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_install_package_response' - description: Successful response - '400': + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + forbidden: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + error: Forbidden + message: API [GET /api/lists/privileges] is 
unauthorized for user, this action is granted by the Kibana privileges [lists-read] + statusCode: 403 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Create a custom integration + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Get value list privileges tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/custom_integrations/{pkgName}: - put: - description: >- - Update the datasets of an existing custom integration - package.

[Required authorization] Route required privileges: - fleet-settings-all AND integrations-all. - operationId: put-fleet-epm-custom-integrations-pkgname + - Security Lists API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/maintenance_window: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/maintenance_window
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + [Required authorization] Route required privileges: write-maintenance-window. + operationId: post-maintenance-window parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -26150,265 +43577,221 @@ paths: schema: example: 'true' type: string - - description: Package name - in: path - name: pkgName - required: true - schema: - type: string requestBody: content: application/json: examples: - putUpdateCustomIntegrationRequestExample: - description: Update a custom integration + createMaintenanceWindowRequest: + description: | + Create a maintenance window that recurs every week on Monday and Wednesday for two hours, with a scope that filters specific alerts using a KQL query. + summary: Create a maintenance window value: - datasets: - - name: my_custom_logs.access - type: logs - integrationName: my_custom_logs + enabled: true + schedule: + custom: + duration: 2h + recurring: + every: 1w + occurrences: 10 + onWeekDay: + - MO + - WE + start: '2025-03-01T08:00:00.000Z' + timezone: Europe/Amsterdam + scope: + alerting: + query: + kql: 'kibana.alert.tags: "infra"' + title: Weekly Maintenance Window schema: - additionalProperties: false - type: object - properties: - categories: - items: - type: string - maxItems: 10 - type: array - readMeData: - type: string - required: - - readMeData + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_maintenance_window' responses: '200': content: application/json: examples: - putUpdateCustomIntegrationExample: - description: Custom integration successfully updated - value: {} - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response + createMaintenanceWindowResponse: + description: | + The response returned when a maintenance window is successfully created. 
+ summary: Create a maintenance window response value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + created_at: '2025-02-25T10:00:00.000Z' + created_by: elastic + enabled: true + id: f0cb1780-537a-4e34-8adf-3b4336862858 + schedule: + custom: + duration: 2h + recurring: + every: 1w + occurrences: 10 + onWeekDay: + - MO + - WE + start: '2025-03-01T08:00:00.000Z' + timezone: Europe/Amsterdam + scope: + alerting: + query: + kql: 'kibana.alert.tags: "infra"' + status: upcoming + title: Weekly Maintenance Window + updated_at: '2025-02-25T10:00:00.000Z' + updated_by: elastic schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Update a custom integration + $ref: '#/components/schemas/Kibana_HTTP_APIs_maintenance_window_response' + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + summary: Create a maintenance window. tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/data_streams: + - maintenance-window + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/maintenance_window/_find: get: - description: >- - Get a list of data streams created by installed integration - packages.

[Required authorization] Route required privileges: - integrations-read OR fleet-setup OR fleet-all. - operationId: get-fleet-epm-data-streams + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/maintenance_window/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + [Required authorization] Route required privileges: read-maintenance-window. + operationId: get-maintenance-window-find parameters: - - description: Filter by data stream type - in: query - name: type - required: false - schema: - enum: - - logs - - metrics - - traces - - synthetics - - profiling - type: string - - description: Filter data streams by dataset name - in: query - name: datasetQuery - required: false - schema: - type: string - - description: Sort order, ascending or descending + - description: The title of the maintenance window. in: query - name: sortOrder + name: title required: false schema: - default: asc - enum: - - asc - - desc type: string - - description: >- - When true, only return data streams that are not associated with a - package + - description: The user who created the maintenance window. in: query - name: uncategorisedOnly - required: false - schema: - default: false - type: boolean - responses: - '200': - content: - application/json: - examples: - getDataStreamsExample: - description: List of data streams from installed packages - value: - data_streams: - - ilm_policy: logs-default - index_template: logs-system.syslog - name: logs-system.syslog-default - package: system - package_version: 1.55.0 - title: System syslog logs - schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_get_data_streams_response - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - 
- attributes - description: Bad Request - summary: Get data streams - tags: - - Data streams - /api/fleet/epm/packages: - get: - description: >- - Get a list of integration packages available in the - registry.

[Required authorization] Route required privileges: - integrations-read OR fleet-setup OR fleet-all. - operationId: get-fleet-epm-packages - parameters: - - description: Filter packages by category - in: query - name: category + name: created_by required: false schema: type: string - - description: When true, include prerelease packages in the results + - description: The status of the maintenance window. It can be "running", "upcoming", "finished", "archived", or "disabled". in: query - name: prerelease + name: status required: false schema: - type: boolean - - description: When true, exclude the install status from the response + items: + enum: + - running + - finished + - upcoming + - archived + - disabled + type: string + type: array + - description: The page number to return. in: query - name: excludeInstallStatus + name: page required: false schema: - type: boolean - - description: When true, include the number of package policies per package + default: 1 + maximum: 100 + minimum: 1 + type: number + - description: The number of maintenance windows to return per page. in: query - name: withPackagePoliciesCount + name: per_page required: false schema: - type: boolean + default: 10 + maximum: 100 + minimum: 1 + type: number responses: '200': content: application/json: examples: - getPackagesExample: - description: List of available integration packages + findMaintenanceWindowsResponse: + description: | + The response returned when maintenance windows are successfully found. 
+ summary: Find maintenance windows response value: - items: - - categories: - - cloud - description: Collect logs and metrics from Amazon Web Services - id: aws - name: aws - status: not_installed - title: AWS - version: 2.10.0 - searchExcluded: 0 - total: 1 + maintenanceWindows: + - created_at: '2025-02-25T10:00:00.000Z' + created_by: elastic + enabled: true + id: f0cb1780-537a-4e34-8adf-3b4336862858 + schedule: + custom: + duration: 2h + recurring: + every: 1w + occurrences: 10 + onWeekDay: + - MO + - WE + start: '2025-03-01T08:00:00.000Z' + timezone: Europe/Amsterdam + scope: + alerting: + query: + kql: 'kibana.alert.tags: "infra"' + status: upcoming + title: Weekly Maintenance Window + updated_at: '2025-02-25T10:00:00.000Z' + updated_by: elastic + - created_at: '2025-03-10T09:00:00.000Z' + created_by: elastic + enabled: true + id: a1c94560-6e3b-4ea1-9065-8e3f1b8c5f29 + schedule: + custom: + duration: 1h + recurring: + end: '2025-12-31T00:00:00.000Z' + every: 2w + onWeekDay: + - FR + start: '2025-04-01T10:00:00.000Z' + timezone: US/Eastern + scope: + alerting: + query: + kql: 'kibana.alert.tags: "database"' + status: upcoming + title: Database Upgrade Window + updated_at: '2025-03-15T14:30:00.000Z' + updated_by: elastic + page: 1 + per_page: 10 + total: 2 schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_get_packages_response' - description: Successful response + $ref: '#/components/schemas/Kibana_HTTP_APIs_find_maintenance_windows_response' + description: Indicates a successful call. 
'400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get packages + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + summary: Search for a maintenance window. tags: - - Elastic Package Manager (EPM) - post: - description: >- - Install a package by uploading a .zip or .tar.gz archive (max 100MB). - Only available to superusers.

[Required authorization] Route - required privileges: integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages + - maintenance-window + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/maintenance_window/{id}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/maintenance_window/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + [Required authorization] Route required privileges: write-maintenance-window. + operationId: delete-maintenance-window-id parameters: - description: A required header to protect against CSRF attacks in: header @@ -26417,108 +43800,104 @@ paths: schema: example: 'true' type: string - - description: When true, ignore mapping update errors during installation - in: query - name: ignoreMappingUpdateErrors - required: false + - description: The identifier for the maintenance window to be deleted. + in: path + name: id + required: true schema: - default: false - type: boolean - - description: When true, skip data stream rollover after installation - in: query - name: skipDataStreamRollover - required: false + type: string + responses: + '204': + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a maintenance window with the given ID does not exist. + summary: Delete a maintenance window. + tags: + - maintenance-window + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
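Review bot: The `page` and `per_page` query parameters added for `/api/maintenance_window/_find` are declared `type: number` with `minimum: 1` / `maximum: 100`, which admits fractional values such as 1.5, while the equivalent parameters on the Security Lists API operations earlier in this file use `type: integer`. The fix is the one-word change `type: integer` on both parameters; since this bundle looks generated from the route schemas, it presumably belongs in the maintenance-window route's query schema rather than in this output file. The `400` and `403` responses on both operations in this hunk carry only a `description` with no `content` schema, unlike the other operations in this file that reference `Kibana_HTTP_APIs_*` or `Security_Lists_API_*` error schemas; the same pattern continues in the following hunk for `/api/maintenance_window/{id}`.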
get /s/{space_id}/api/maintenance_window/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + [Required authorization] Route required privileges: read-maintenance-window. + operationId: get-maintenance-window-id + parameters: + - description: The identifier for the maintenance window. + in: path + name: id + required: true schema: - default: false - type: boolean - requestBody: - content: - application/gzip: - examples: - postInstallByUploadRequestExample: - description: Upload a .zip or .tar.gz package archive (max 100MB) - value: - application/gzip; application/zip: - examples: - postInstallByUploadRequestExample: - description: Upload a .zip or .tar.gz package archive (max 100MB) - value: - schema: - format: binary - type: string + type: string responses: '200': content: - application/gzip; application/zip: - examples: - postInstallByUploadExample: - description: Package successfully installed from upload - value: - _meta: - install_source: upload - items: - - id: my-custom-package-logs-default - type: index_template - schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_install_package_response' - application/json: - examples: - postInstallByUploadExample: - description: Package successfully installed from upload - value: - _meta: - install_source: upload - items: - - id: my-custom-package-logs-default - type: index_template - description: Successful response - '400': - content: - application/gzip; application/zip: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes application/json: examples: - genericErrorResponseExample: - 
description: Example of a generic error response + getMaintenanceWindowResponse: + description: | + The response returned when a maintenance window is successfully retrieved. + summary: Get a maintenance window response value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - description: Bad Request - summary: Install a package by upload + created_at: '2025-02-25T10:00:00.000Z' + created_by: elastic + enabled: true + id: f0cb1780-537a-4e34-8adf-3b4336862858 + schedule: + custom: + duration: 2h + recurring: + every: 1w + occurrences: 10 + onWeekDay: + - MO + - WE + start: '2025-03-01T08:00:00.000Z' + timezone: Europe/Amsterdam + scope: + alerting: + query: + kql: 'kibana.alert.tags: "infra"' + status: upcoming + title: Weekly Maintenance Window + updated_at: '2025-02-25T10:00:00.000Z' + updated_by: elastic + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_maintenance_window_response' + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a maintenance window with the given ID does not exist. + summary: Get maintenance window details. tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/_bulk: - post: - description: >- - Install multiple packages from the Elastic Package Registry in a single - request.

[Required authorization] Route required privileges: - integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-bulk + - maintenance-window + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + patch: + description: |- + **Spaces method and path for this operation:** + +
patch /s/{space_id}/api/maintenance_window/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + [Required authorization] Route required privileges: write-maintenance-window. + operationId: patch-maintenance-window-id parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -26527,86 +43906,174 @@ paths: schema: example: 'true' type: string - - description: When true, allow installing prerelease versions - in: query - name: prerelease - required: false + - description: The identifier for the maintenance window. + in: path + name: id + required: true schema: - type: boolean + type: string requestBody: content: application/json: examples: - postBulkInstallPackagesRequestExample: - description: Install multiple packages from the registry + updateMaintenanceWindowRequest: + description: | + Update a maintenance window to change its title, schedule, and scope. + summary: Update a maintenance window value: - packages: - - system - - aws + enabled: true + schedule: + custom: + duration: 1h + recurring: + end: '2025-12-31T00:00:00.000Z' + every: 2w + onWeekDay: + - FR + start: '2025-04-01T10:00:00.000Z' + timezone: US/Eastern + scope: + alerting: + query: + kql: 'kibana.alert.tags: "database"' + title: Updated maintenance window schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_bulk_install_packages_from_registry_request + $ref: '#/components/schemas/Kibana_HTTP_APIs_update_maintenance_window' responses: '200': content: application/json: examples: - postBulkInstallPackagesExample: - description: Bulk install results + updateMaintenanceWindowResponse: + description: | + The response returned when a maintenance window is successfully updated. 
+ summary: Update a maintenance window response value: - items: - - name: system - result: - assets: [] - status: installed - - name: aws - result: - assets: [] - status: installed + created_at: '2025-02-25T10:00:00.000Z' + created_by: elastic + enabled: true + id: f0cb1780-537a-4e34-8adf-3b4336862858 + schedule: + custom: + duration: 1h + recurring: + end: '2025-12-31T00:00:00.000Z' + every: 2w + onWeekDay: + - FR + start: '2025-04-01T10:00:00.000Z' + timezone: US/Eastern + scope: + alerting: + query: + kql: 'kibana.alert.tags: "database"' + status: upcoming + title: Updated maintenance window + updated_at: '2025-03-15T14:30:00.000Z' + updated_by: elastic schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_bulk_install_packages_from_registry_response - description: Successful response + $ref: '#/components/schemas/Kibana_HTTP_APIs_maintenance_window_response' + description: Indicates a successful call. '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a maintenance window with the given ID does not exist. + '409': + description: Indicates that the maintenance window has already been updated by another user. + summary: Update a maintenance window. + tags: + - maintenance-window + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/maintenance_window/{id}/_archive: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/maintenance_window/{id}/_archive
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + [Required authorization] Route required privileges: write-maintenance-window. + operationId: post-maintenance-window-id-archive + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the maintenance window to be archived. + in: path + name: id + required: true + schema: + type: string + responses: + '200': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + archiveMaintenanceWindowResponse: + description: | + The response returned when a maintenance window is successfully archived. + summary: Archive a maintenance window response value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + created_at: '2025-02-25T10:00:00.000Z' + created_by: elastic + enabled: true + id: f0cb1780-537a-4e34-8adf-3b4336862858 + schedule: + custom: + duration: 2h + recurring: + every: 1w + occurrences: 10 + onWeekDay: + - MO + - WE + start: '2025-03-01T08:00:00.000Z' + timezone: Europe/Amsterdam + scope: + alerting: + query: + kql: 'kibana.alert.tags: "infra"' + status: archived + title: Weekly Maintenance Window + updated_at: '2025-02-25T10:00:00.000Z' + updated_by: elastic schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Bulk install packages + $ref: '#/components/schemas/Kibana_HTTP_APIs_maintenance_window_response' + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. 
+ '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a maintenance window with the given ID does not exist. + summary: Archive a maintenance window. tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/_bulk_namespace_customization: + - maintenance-window + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/maintenance_window/{id}/_unarchive: post: - description: >- - Enable or disable namespace-level index template customization for a - list of packages in one call. Use this for IaC-style declarative - flows.

[Required authorization] Route required privileges: - integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-bulk-namespace-customization + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/maintenance_window/{id}/_unarchive
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + [Required authorization] Route required privileges: write-maintenance-window. + operationId: post-maintenance-window-id-unarchive parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -26615,1799 +44082,2182 @@ paths: schema: example: 'true' type: string - requestBody: - content: - application/json: - examples: - bulkNamespaceCustomizationRequest: - value: - disable: - - dev - enable: - - production - - staging - packages: - - system - - nginx - schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_bulk_namespace_customization_request + - description: The identifier for the maintenance window to be unarchived. + in: path + name: id + required: true + schema: + type: string responses: '200': content: application/json: examples: - successResponse: + unarchiveMaintenanceWindowResponse: + description: | + The response returned when a maintenance window is successfully unarchived. + summary: Unarchive a maintenance window response value: - items: - - name: system - namespace_customization_enabled_for: - - production - - staging - success: true - - error: Package nginx is not installed - name: nginx - success: false + created_at: '2025-02-25T10:00:00.000Z' + created_by: elastic + enabled: true + id: f0cb1780-537a-4e34-8adf-3b4336862858 + schedule: + custom: + duration: 2h + recurring: + every: 1w + occurrences: 10 + onWeekDay: + - MO + - WE + start: '2025-03-01T08:00:00.000Z' + timezone: Europe/Amsterdam + scope: + alerting: + query: + kql: 'kibana.alert.tags: "infra"' + status: upcoming + title: Weekly Maintenance Window + updated_at: '2025-02-25T10:00:00.000Z' + updated_by: elastic schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_bulk_namespace_customization_response - description: 'OK: A successful request.' + $ref: '#/components/schemas/Kibana_HTTP_APIs_maintenance_window_response' + description: Indicates a successful call. '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a maintenance window with the given ID does not exist. + summary: Unarchive a maintenance window. 
+ tags: + - maintenance-window + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/ml/saved_objects/sync: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/ml/saved_objects/sync
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Synchronizes Kibana saved objects for machine learning jobs and trained models in the default space. You must have `all` privileges for the **Machine Learning** feature in the **Analytics** section of the Kibana feature privileges. This API runs automatically when you start Kibana and periodically thereafter. + operationId: mlSync + parameters: + - $ref: '#/components/parameters/Machine_learning_APIs_simulateParam' + responses: + '200': content: application/json: examples: - badRequestResponse: - value: - error: Bad Request - message: >- - Namespaces must not appear in both enable and disable: - production - statusCode: 400 + syncExample: + $ref: '#/components/examples/Machine_learning_APIs_mlSyncExample' schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: A bad request. - summary: Bulk enable/disable namespace-level customization for packages + $ref: '#/components/schemas/Machine_learning_APIs_mlSync200Response' + description: Indicates a successful call + '401': + content: + application/json: + examples: + syncExample: + $ref: '#/components/examples/Machine_learning_APIs_mlSync401Example' + schema: + $ref: '#/components/schemas/Machine_learning_APIs_mlSync4xxResponse' + description: Authorization information is missing or invalid. + summary: Sync saved objects in the default space tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/_bulk_rollback: + - ml + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/ml/saved_objects/update_jobs_spaces: post: - description: >- - Rollback multiple packages to their previous - versions.

[Required authorization] Route required privileges: - integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-bulk-rollback - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/ml/saved_objects/update_jobs_spaces
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update a list of jobs to add and/or remove them from given spaces. + operationId: mlUpdateJobsSpaces requestBody: content: application/json: examples: - bulkRollbackRequest: + updateADJobSpacesRequest: value: - packages: - - name: system - schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_bulk_rollback_packages_request + jobIds: + - test-job + jobType: anomaly-detector + spacesToAdd: + - default + spacesToRemove: + - '*' + updateDFAJobSpacesRequest: + value: + jobIds: + - test-job + jobType: data-frame-analytics + spacesToAdd: + - default + spacesToRemove: + - '*' responses: '200': content: application/json: examples: - successResponse: + successADResponse: value: - taskId: taskId - schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_bulk_rollback_packages_response - description: 'OK: A successful request.' - '400': + test-job: + success: true + type: anomaly-detector + successDFAResponse: + value: + test-job: + success: true + type: data-frame-analytics + description: Indicates a successful call + summary: Update jobs spaces + tags: + - ml + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/ml/saved_objects/update_trained_models_spaces: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/ml/saved_objects/update_trained_models_spaces
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update a list of trained models to add and/or remove them from given spaces. + operationId: mlUpdateTrainedModelsSpaces + requestBody: + content: + application/json: + examples: + updateTrainedModelsSpacesRequest: + value: + modelIds: + - test-model + spacesToAdd: + - default + spacesToRemove: + - '*' + responses: + '200': content: application/json: examples: - badRequestResponse: + successTMResponse: value: - message: Bad Request - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: A bad request. - summary: Bulk rollback packages + test-model: + success: true + type: trained-model" + description: Indicates a successful call + summary: Update trained models spaces tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/_bulk_rollback/{taskId}: + - ml + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/note: + delete: + description: | + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/note
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Deletes notes by saved object ID. Send either `noteId` (single ID) or `noteIds` (array of IDs) in the JSON body. + + The response has HTTP 200 with an empty body on success. + + Requires the **Timeline and Notes** write privilege (`notes_write`). + operationId: DeleteNote + requestBody: + content: + application/json: + examples: + deleteOne: + summary: Delete a single note by id + value: + noteId: 709f99c6-89b6-4953-9160-35945c8e174e + schema: + oneOf: + - nullable: true + type: object + properties: + noteId: + description: Saved object ID of the note to delete. + type: string + required: + - noteId + - nullable: true + type: object + properties: + noteIds: + description: Saved object IDs of the notes to delete. + items: + type: string + nullable: true + type: array + required: + - noteIds + description: | + Exactly one shape: `{ "noteId": "" }` for a single delete, or `{ "noteIds": ["", ...] }` for bulk delete. + `noteIds` may be null in some clients; prefer an empty array or omit unused fields when possible. + required: true + responses: + '200': + description: The notes were deleted successfully. Response body is empty. + summary: Delete one or more notes + tags: + - Security Timeline API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name get: - description: >- - Get the status and results of a bulk package rollback - operation.

[Required authorization] Route required privileges: - integrations-all AND fleet-agent-policies-all. - operationId: get-fleet-epm-packages-bulk-rollback-taskid + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/note
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Returns Security Timeline notes as saved objects. + + **Query modes (mutually exclusive branches on the server):** + + 1. **`documentIds` is set** — Returns notes whose `eventId` matches the given Elasticsearch document `_id` (single string or array). Pagination query parameters (`page`, `perPage`, etc.) are **not** applied; the server uses a fixed page size (up to 10000 notes). + + 2. **`savedObjectIds` is set** — Returns notes linked to the given Timeline saved object id(s). Same fixed cap as above; list-mode query parameters are **not** applied. + + 3. **Neither `documentIds` nor `savedObjectIds`** — Lists notes using saved-objects find semantics: `page` (default 1), `perPage` (default 10), optional `search`, `sortField`, `sortOrder`, `filter`, `createdByFilter`, and `associatedFilter`. + + Requires the **Timeline and Notes** read privilege (`notes_read`). + operationId: GetNotes parameters: - - description: Task ID of the bulk operation - in: path - name: taskId - required: true + - description: | + Event document `_id` values to match against each note's `eventId`. When this parameter is present, the response is all matching notes (up to the server's hard limit), not a paged list using `page`/`perPage`. + examples: + multiple: + summary: Multiple document ids (array) + value: + - id-one + - id-two + single: + summary: Single document id + value: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b + in: query + name: documentIds + schema: + $ref: '#/components/schemas/Security_Timeline_API_DocumentIds' + - description: | + Timeline `savedObjectId` value(s). Returns notes that reference those timelines. When present, list-mode pagination parameters are not used; up to the server's hard limit of notes may be returned. 
+ examples: + singleTimeline: + summary: Single timeline id + value: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + in: query + name: savedObjectIds + schema: + $ref: '#/components/schemas/Security_Timeline_API_SavedObjectIds' + - description: | + Page number for list mode (when `documentIds` and `savedObjectIds` are omitted). Passed as a string; default 1. + example: '1' + in: query + name: page + schema: + nullable: true + type: string + - description: | + Page size for list mode (when `documentIds` and `savedObjectIds` are omitted). Passed as a string; default 10. + example: '20' + in: query + name: perPage + schema: + nullable: true + type: string + - description: Search string for saved-objects find (list mode only). + in: query + name: search + schema: + nullable: true + type: string + - description: Field to sort by for saved-objects find (list mode only). + in: query + name: sortField + schema: + nullable: true + type: string + - description: Sort order (`asc` or `desc`) for saved-objects find (list mode only). + example: desc + in: query + name: sortOrder + schema: + nullable: true + type: string + - description: | + Kuery filter string combined with other list-mode filters (for example `createdByFilter` or `associatedFilter`). Typed as a string for API compatibility; interpreted by the saved-objects layer (list mode only). + in: query + name: filter + schema: + nullable: true + type: string + - description: | + Kibana user profile **UID** (UUID). The server resolves the user's display identifiers and returns notes whose `createdBy` matches any of them (list mode only). + example: f1c2d3e4-5b6a-7890-abcd-ef1234567890 + in: query + name: createdByFilter schema: + nullable: true type: string + - description: | + Restricts notes by how they relate to a Timeline and/or an event document (list mode only). Some values apply extra filtering after the query. Ignored when `documentIds` or `savedObjectIds` is used. 
+ in: query + name: associatedFilter + schema: + $ref: '#/components/schemas/Security_Timeline_API_AssociatedFilterType' responses: '200': content: application/json: examples: - successResponse: + notesPage: + summary: Paged notes for a timeline value: - status: success + notes: + - eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc + note: Escalated to tier-2 analyst + noteId: 709f99c6-89b6-4953-9160-35945c8e174e + timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + version: WzQ2LDFd + totalCount: 1 schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_get_one_bulk_operation_packages_response - description: 'OK: A successful request.' - '400': + $ref: '#/components/schemas/Security_Timeline_API_GetNotesResult' + description: Notes and total count for the requested mode. + summary: Get notes + tags: + - Security Timeline API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + patch: + description: | + **Spaces method and path for this operation:** + +
patch /s/{space_id}/api/note
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Creates a new note or updates an existing one. + + **Create:** Send `note` and omit `noteId` to create a new saved object. + + **Update:** Send `note` with the changed fields and set `noteId` to the note's saved object ID. Optionally include `version` for optimistic concurrency when the client has it from a prior read. + + Requires the **Timeline and Notes** write privilege (`notes_write`). + externalDocs: + description: Add or update a note on a Timeline + url: https://www.elastic.co/guide/en/security/current/timeline-api-update.html + operationId: PersistNoteRoute + requestBody: + content: + application/json: + examples: + addNote: + summary: Add a note on an event + value: + note: + eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc + note: Escalated to tier-2 analyst + timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + schema: + type: object + properties: + note: + $ref: '#/components/schemas/Security_Timeline_API_BareNote' + description: Note payload (timeline, text, optional event linkage, metadata). + noteId: + description: The `savedObjectId` of the note to update. Omit when creating a new note. + example: 709f99c6-89b6-4953-9160-35945c8e174e + nullable: true + type: string + version: + description: Saved object version string from a previous read; optional on update. + example: WzQ2LDFd + nullable: true + type: string + required: + - note + description: | + Body must include the `note` object. For updates, include `noteId` (and optionally `version`). + To attach a note to a specific event, set `note.eventId` to that event's document `_id`; for a timeline-wide note, omit or clear `eventId` per product rules. 
+ required: true + responses: + '200': content: application/json: examples: - badRequestResponse: + persisted: + summary: Persisted note wrapper value: - message: Bad Request + note: + eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc + note: Escalated to tier-2 analyst + noteId: 709f99c6-89b6-4953-9160-35945c8e174e + timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + version: WzQ2LDFd schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: A bad request. - summary: Get Bulk rollback packages details + $ref: '#/components/schemas/Security_Timeline_API_ResponseNote' + description: The persisted note, including `noteId` and `version`. + summary: Add or update a note tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/_bulk_uninstall: + - Security Timeline API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/observability_ai_assistant/chat/complete: post: - description: >- - Uninstall multiple packages in a single operation.

[Required - authorization] Route required privileges: integrations-all AND - fleet-agent-policies-all. - operationId: post-fleet-epm-packages-bulk-uninstall - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/observability_ai_assistant/chat/complete
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new chat completion by using the Observability AI Assistant. + + The API returns the model's response based on the current conversation context. + + It also handles any tool requests within the conversation, which may trigger multiple calls to the underlying large language model (LLM). + + This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. + operationId: observability-ai-assistant-chat-complete requestBody: content: application/json: examples: - postBulkUninstallPackagesRequestExample: - description: Uninstall multiple packages - value: - packages: - - name: aws - - name: gcp + chatCompleteRequestExample: + $ref: '#/components/examples/Observability_AI_Assistant_API_ChatCompleteRequestExample' schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_bulk_uninstall_packages_request + type: object + properties: + actions: + items: + $ref: '#/components/schemas/Observability_AI_Assistant_API_Function' + type: array + connectorId: + description: A unique identifier for the connector. + type: string + conversationId: + description: A unique identifier for the conversation if you are continuing an existing conversation. + type: string + disableFunctions: + description: Flag indicating whether all function calls should be disabled for the conversation. If true, no calls to functions will be made. + type: boolean + instructions: + description: An array of instruction objects, which can be either simple strings or detailed objects. + items: + $ref: '#/components/schemas/Observability_AI_Assistant_API_Instruction' + type: array + messages: + description: An array of message objects containing the conversation history. 
+ items: + $ref: '#/components/schemas/Observability_AI_Assistant_API_Message' + type: array + persist: + description: Indicates whether the conversation should be saved to storage. If true, the conversation will be saved and will be available in Kibana. + type: boolean + title: + description: A title for the conversation. + type: string + required: + - messages + - connectorId + - persist responses: '200': content: application/json: examples: - postBulkUninstallPackagesExample: - description: Bulk uninstall task initiated - value: - taskId: task-id-1 - schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_bulk_upgrade_packages_response - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + chatCompleteResponseExample: + $ref: '#/components/examples/Observability_AI_Assistant_API_ChatCompleteResponseExample' schema: - additionalProperties: false - description: Generic Error type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Bulk uninstall packages + description: Successful response + summary: Generate a chat completion tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/_bulk_uninstall/{taskId}: + - observability_ai_assistant + x-codeSamples: + - lang: cURL + source: | + curl --request POST 'localhost:5601/api/observability_ai_assistant/chat/complete' -u : -H 'kbn-xsrf: true' -H "Content-Type: application/json" --data ' + { + "connectorId": "", + "disableFunctions": false, + "messages": [ + { + "@timestamp": "2025-06-25T23:45:00.000Z", + "message": { + "role": "user", + "content": "Is my Elasticsearch cluster healthy right now?" 
+ } + } + ], + "persist": false, + "actions": [ + { + "name": "get_cluster_health", + "description": "Fetch the current Elasticsearch cluster-health status and key metrics.", + "parameters": { + "type": "object", + "properties": { + "includeShardStats": { + "type": "boolean", + "default": false + } + } + } + } + ], + "instructions": ["When the user asks about Elasticsearch cluster health, use the get_cluster_health tool to retrieve cluster health, then summarize the response in plain English."] + }' + x-state: Technical Preview + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/osquery/history: get: - description: >- - Get the status and results of a bulk package uninstall - operation.

[Required authorization] Route required privileges: - integrations-all AND fleet-agent-policies-all. - operationId: get-fleet-epm-packages-bulk-uninstall-taskid + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/osquery/history
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a unified, time-sorted history of live, rule-triggered, and scheduled osquery executions. The response uses cursor-based pagination. + operationId: OsqueryGetUnifiedHistory parameters: - - description: Task ID of the bulk operation - in: path - name: taskId - required: true + - description: The number of results to return per page. + in: query + name: pageSize + required: false + schema: + default: 20 + description: The number of results to return per page. + maximum: 100 + minimum: 1 + type: integer + - description: A base64-encoded cursor for pagination. Use the value from the previous response to fetch the next page. + in: query + name: nextPage + required: false + schema: + description: A base64-encoded cursor for pagination. Use the value from the previous response to fetch the next page. + type: string + - description: A search string to filter history entries by pack name, query text, or query ID. + in: query + name: kuery + required: false + schema: + description: A search string to filter history entries by pack name, query text, or query ID. + type: string + - description: Comma-separated list of user IDs to filter live query history. + in: query + name: userIds + required: false + schema: + description: Comma-separated list of user IDs to filter live query history. + example: elastic,admin + type: string + - description: Comma-separated list of source types to include. Valid values are `live`, `rule`, and `scheduled`. + in: query + name: sourceFilters + required: false schema: + description: Comma-separated list of source types to include. Valid values are `live`, `rule`, and `scheduled`. + example: live,scheduled + type: string + - description: The start of the time range filter (ISO 8601). + in: query + name: startDate + required: false + schema: + description: The start of the time range filter (ISO 8601). 
+ example: '2024-01-01T00:00:00Z' + type: string + - description: The end of the time range filter (ISO 8601). + in: query + name: endDate + required: false + schema: + description: The end of the time range filter (ISO 8601). + example: '2024-12-31T23:59:59Z' type: string responses: '200': content: application/json: examples: - getBulkOperationDetailsExample: - description: Details of the bulk operation task + unifiedHistoryExample: + summary: Example unified history response value: - packages: - - name: system - result: installed - - name: elastic_agent - result: installed - status: success + data: + - actionId: 609c4c66-ba3d-43fa-afdd-53e244577aa0 + agentCount: 5 + errorCount: 0 + id: 3c42c847-eb30-4452-80e0-728584042334 + queryName: uptime_query + queryText: select * from uptime; + source: Live + sourceType: live + successCount: 5 + timestamp: '2024-07-26T09:59:32.220Z' + totalRows: 42 + userId: elastic + - agentCount: 10 + errorCount: 1 + executionCount: 3 + id: pack_my_pack_uptime_3 + packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d + packName: My Pack + plannedTime: '2024-07-26T09:00:00.000Z' + queryName: uptime + queryText: select * from uptime; + scheduleId: pack_my_pack_uptime + source: Scheduled + sourceType: scheduled + successCount: 9 + timestamp: '2024-07-26T09:00:00.000Z' + totalRows: 100 + hasMore: true + nextPage: eyJhY3Rpb25TZWFyY2hBZnRlciI6WzE3... schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_get_one_bulk_operation_packages_response - description: Successful response - '400': + $ref: '#/components/schemas/Security_Osquery_API_GetUnifiedHistoryResponse' + description: Indicates a successful call. + summary: Get unified query history + tags: + - Security Osquery API + x-state: Generally available; Added in 9.4.0 + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/osquery/live_queries: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/osquery/live_queries
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all live queries. + operationId: OsqueryFindLiveQueries + parameters: + - description: A KQL search string to filter live queries. + in: query + name: kuery + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' + - description: The page number to return. + in: query + name: page + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' + - description: The number of results to return per page. + in: query + name: pageSize + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' + - description: The field to sort results by. + in: query + name: sort + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' + - description: The sort order. + in: query + name: sortOrder + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' + responses: + '200': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + liveQueriesList: + summary: A list of recent live queries value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + data: + items: + - _source: + '@timestamp': '2023-10-31T00:00:00Z' + action_id: 3c42c847-eb30-4452-80e0-728584042334 + agents: + - 16d7caf5-efd2-4212-9b62-73dafc91fa13 + expiration: '2023-10-31T00:00:00Z' + queries: + - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 + agents: + - 16d7caf5-efd2-4212-9b62-73dafc91fa13 + ecs_mapping: + host.uptime: + field: total_seconds + id: 6724a474-cbba-41ef-a1aa-66aebf0879e2 + query: select * from uptime; + saved_query_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d + user_id: elastic + total: 1 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - 
attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get Bulk uninstall packages details + $ref: '#/components/schemas/Security_Osquery_API_FindLiveQueryResponse' + description: Indicates a successful call. + summary: Get live queries tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/_bulk_upgrade: + - Security Osquery API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name post: - description: >- - Upgrade multiple packages to their latest versions.

[Required - authorization] Route required privileges: integrations-all AND - fleet-agent-policies-all. - operationId: post-fleet-epm-packages-bulk-upgrade - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/osquery/live_queries
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create and run a live query. + operationId: OsqueryCreateLiveQuery requestBody: content: application/json: examples: - postBulkUpgradePackagesRequestExample: - description: Upgrade multiple packages to their latest versions + singleQueryAllAgents: + summary: Run a single query on all agents value: - packages: - - name: system - - name: elastic_agent + agent_all: true + ecs_mapping: + host.uptime: + field: total_seconds + query: select * from uptime; + targetedQuery: + summary: Run a query against specific agents + value: + agent_ids: + - 16d7caf5-efd2-4212-9b62-73dafc91fa13 + query: select * from processes; schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_bulk_upgrade_packages_request + $ref: '#/components/schemas/Security_Osquery_API_CreateLiveQueryRequestBody' + required: true responses: '200': content: application/json: examples: - postBulkUpgradePackagesExample: - description: Bulk upgrade task initiated - value: - taskId: task-id-1 - schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_bulk_upgrade_packages_response - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response + liveQueryCreated: + summary: Live query created value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + data: + '@timestamp': '2022-07-26T09:59:32.220Z' + action_id: 3c42c847-eb30-4452-80e0-728584042334 + agent_all: true + agents: + - 16d7caf5-efd2-4212-9b62-73dafc91fa13 + expiration: '2022-07-26T10:04:32.220Z' + input_type: osquery + queries: + - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 + agents: + - 16d7caf5-efd2-4212-9b62-73dafc91fa13 + id: 6724a474-cbba-41ef-a1aa-66aebf0879e2 + query: select * from uptime; + timeout: 120 + type: INPUT_ACTION + user_id: elastic schema: - additionalProperties: false - 
description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Bulk upgrade packages + $ref: '#/components/schemas/Security_Osquery_API_CreateLiveQueryResponse' + description: Indicates a successful call. + summary: Create a live query tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/_bulk_upgrade/{taskId}: + - Security Osquery API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/osquery/live_queries/{id}: get: - description: >- - Get the status and results of a bulk package upgrade - operation.

[Required authorization] Route required privileges: - integrations-all AND fleet-agent-policies-all. - operationId: get-fleet-epm-packages-bulk-upgrade-taskid - parameters: - - description: Task ID of the bulk operation - in: path - name: taskId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getBulkOperationDetailsExample: - description: Details of the bulk operation task - value: - packages: - - name: system - result: installed - - name: elastic_agent - result: installed - status: success - schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_get_one_bulk_operation_packages_response - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get Bulk upgrade packages details - tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/{pkgName}: - delete: - description: >- - Uninstall a package and remove all its assets.

[Required - authorization] Route required privileges: integrations-all AND - fleet-agent-policies-all. - operationId: delete-fleet-epm-packages-pkgname + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/osquery/live_queries/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the details of a live query using the query ID. + operationId: OsqueryGetLiveQueryDetails parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Package name + - description: The ID of the live query. in: path - name: pkgName + name: id required: true schema: + description: The ID of the live query result you want to retrieve. + example: 3c42c847-eb30-4452-80e0-728584042334 type: string - - description: When true, delete the package even if it has active package policies - in: query - name: force - required: false - schema: - type: boolean responses: '200': content: application/json: examples: - deletePackageExample: - description: Package successfully deleted - value: - items: - - id: aws-logs-aws.cloudwatch_logs-default - type: index_template - schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_delete_package_response' - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response + liveQueryDetails: + summary: Live query details with execution status value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + data: + '@timestamp': '2022-07-26T09:59:32.220Z' + action_id: 3c42c847-eb30-4452-80e0-728584042334 + agents: + - 16d7caf5-efd2-4212-9b62-73dafc91fa13 + expiration: '2022-07-26T10:04:32.220Z' + queries: + - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 + agents: + - 16d7caf5-efd2-4212-9b62-73dafc91fa13 + docs: 1 + failed: 0 + id: 6724a474-cbba-41ef-a1aa-66aebf0879e2 + pending: 0 + query: select * from uptime; + responded: 1 + status: completed + successful: 1 + status: completed + user_id: elastic schema: - additionalProperties: false - description: Generic Error - type: 
object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Delete a package + $ref: '#/components/schemas/Security_Osquery_API_FindLiveQueryDetailsResponse' + description: Indicates a successful call. + summary: Get live query details tags: - - Elastic Package Manager (EPM) + - Security Osquery API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/osquery/live_queries/{id}/results/{actionId}: get: - description: >- - Get information about a package by name, returning the latest installed - or available version. - operationId: get-fleet-epm-packages-pkgname + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/osquery/live_queries/{id}/results/{actionId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the results of a live query using the query action ID. + operationId: OsqueryGetLiveQueryResults parameters: - - description: Package name + - description: The ID of the live query. in: path - name: pkgName + name: id required: true schema: + description: The ID of the live query result you want to retrieve. + example: 3c42c847-eb30-4452-80e0-728584042334 + type: string + - description: The ID of the query action. + in: path + name: actionId + required: true + schema: + description: The ID of the query action that generated the live query results. + example: 609c4c66-ba3d-43fa-afdd-53e244577aa0 type: string - - description: >- - When true, returns the package even if the signature cannot be - verified + - description: A KQL search string to filter results. in: query - name: ignoreUnverified + name: kuery required: false schema: - type: boolean - - description: When true, include prerelease versions + $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' + - description: The page number to return. in: query - name: prerelease + name: page required: false schema: - type: boolean - - description: When true, return the full package info including assets + $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' + - description: The number of results to return per page. in: query - name: full + name: pageSize required: false schema: - type: boolean - - description: >- - When true, include package metadata such as whether it has package - policies + $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' + - description: The field to sort results by. in: query - name: withMetadata + name: sort required: false schema: - default: false - type: boolean + $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' + - description: The sort order. 
+ in: query + name: sortOrder + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' responses: '200': content: application/json: examples: - getPackageInfoExample: - description: Package details and installation status - value: - item: - assets: - kibana: - dashboard: [] - index_pattern: [] - categories: - - cloud - description: Collect logs and metrics from Amazon Web Services - name: aws - status: installed - title: AWS - version: 2.10.0 - schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_get_info_response' - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response + liveQueryResults: + summary: Result rows from a live query execution value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + data: + edges: + - _id: doc1 + _source: + action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 + agent: + id: 16d7caf5-efd2-4212-9b62-73dafc91fa13 + osquery: + total_seconds: '12345' + - _id: doc2 + _source: + action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 + agent: + id: 16d7caf5-efd2-4212-9b62-73dafc91fa13 + osquery: + total_seconds: '67890' + total: 2 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get a package + $ref: '#/components/schemas/Security_Osquery_API_GetLiveQueryResultsResponse' + description: Indicates a successful call. + summary: Get live query results tags: - - Elastic Package Manager (EPM) - post: - description: >- - Install the latest version of a package from the Elastic Package - Registry.

[Required authorization] Route required privileges: - integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-pkgname + - Security Osquery API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/osquery/packs: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/osquery/packs
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all query packs. + operationId: OsqueryFindPacks parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Package name - in: path - name: pkgName - required: true - schema: - type: string - - description: When true, allow installing prerelease versions + - description: The page number to return. in: query - name: prerelease + name: page required: false schema: - type: boolean - - description: When true, ignore mapping update errors during installation + $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' + - description: The number of results to return per page. in: query - name: ignoreMappingUpdateErrors + name: pageSize required: false schema: - default: false - type: boolean - - description: When true, skip data stream rollover after installation + $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' + - description: The field to sort results by. in: query - name: skipDataStreamRollover + name: sort required: false schema: - default: false - type: boolean - - description: >- - Skip dependency validation when installing a package with - dependencies + $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' + - description: The sort order. 
in: query - name: skipDependencyCheck + name: sortOrder required: false schema: - default: false - type: boolean - requestBody: - content: - application/json: - examples: - postInstallPackageRequestExample: - description: Install a package, optionally ignoring constraints - value: - ignore_constraints: false - schema: - allOf: - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_install_package_from_registry_request - nullable: true + $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' responses: '200': content: application/json: examples: - postInstallPackageExample: - description: Package successfully installed - value: - _meta: - install_source: registry - items: - - id: aws-logs-aws.cloudwatch_logs-default - type: index_template - schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_install_package_response' - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response + packsList: + summary: A list of query packs value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + data: + - created_at: '2025-02-26T13:37:30.452Z' + created_by: elastic + description: My pack + enabled: true + name: my_pack + queries: + - id: ports + interval: 60 + query: SELECT * FROM listening_ports; + removed: false + snapshot: true + timeout: 120 + saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 + updated_at: '2025-02-26T13:37:30.452Z' + updated_by: elastic + version: 1 + page: 1 + per_page: 20 + total: 1 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Install a package from the registry + $ref: 
'#/components/schemas/Security_Osquery_API_FindPacksResponse' + description: Indicates a successful call. + summary: Get packs tags: - - Elastic Package Manager (EPM) - put: - description: >- - Update settings for a package, such as whether policies are kept up to - date automatically.

[Required authorization] Route required - privileges: integrations-all AND fleet-agent-policies-all. - operationId: put-fleet-epm-packages-pkgname - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Package name - in: path - name: pkgName - required: true - schema: - type: string + - Security Osquery API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/osquery/packs
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a query pack. + operationId: OsqueryCreatePacks requestBody: content: application/json: examples: - putUpdatePackageNamespaceCustomizationExample: - description: >- - Enable namespace-level customization for the `production` and - `staging` namespaces - value: - namespace_customization_enabled_for: - - production - - staging - putUpdatePackageRequestExample: - description: Update keep_policies_up_to_date setting for a package + createPack: + summary: Create a pack with a single query value: - keepPoliciesUpToDate: true + description: My pack + enabled: true + name: my_pack + policy_ids: + - my_policy_id + queries: + ports: + ecs_mapping: + client.port: + field: port + interval: 60 + query: SELECT * FROM listening_ports; + timeout: 120 schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_package_request' + $ref: '#/components/schemas/Security_Osquery_API_CreatePacksRequestBody' + required: true responses: '200': content: application/json: examples: - putUpdatePackageExample: - description: Updated package settings + packCreated: + summary: Pack created value: - item: - keepPoliciesUpToDate: true - name: aws - version: 2.10.0 + data: + created_at: '2025-02-26T13:37:30.452Z' + created_by: elastic + description: My pack + enabled: true + name: my_pack + policy_ids: + - my_policy_id + queries: + ports: + interval: 60 + query: SELECT * FROM listening_ports; + removed: false + snapshot: true + timeout: 120 + saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 + shards: [] + updated_at: '2025-02-26T13:37:30.452Z' + updated_by: elastic + version: 1 schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_package_response' - description: Successful response - '400': + $ref: '#/components/schemas/Security_Osquery_API_CreatePacksResponse' + description: Indicates a successful call. 
+ summary: Create a pack + tags: + - Security Osquery API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/osquery/packs/{id}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/osquery/packs/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a query pack using the pack ID. + operationId: OsqueryDeletePacks + parameters: + - description: The pack ID. + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Osquery_API_PackId' + responses: + '200': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + packDeleted: + summary: Pack deleted (empty response body) + value: {} schema: - additionalProperties: false - description: Generic Error type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Update package settings + properties: {} + description: Indicates a successful call. + summary: Delete a pack tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/{pkgName}/{pkgVersion}: - delete: - description: >- - Uninstall a specific version of a package and remove all its - assets.

[Required authorization] Route required privileges: - integrations-all AND fleet-agent-policies-all. - operationId: delete-fleet-epm-packages-pkgname-pkgversion + - Security Osquery API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/osquery/packs/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the details of a query pack using the pack ID. + operationId: OsqueryGetPacksDetails parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Package name + - description: The pack ID. in: path - name: pkgName + name: id required: true schema: - type: string - - description: Package version + $ref: '#/components/schemas/Security_Osquery_API_PackId' + responses: + '200': + content: + application/json: + examples: + packDetails: + summary: Pack details + value: + data: + created_at: '2025-02-26T13:37:30.452Z' + created_by: elastic + description: My pack + enabled: true + name: my_pack + policy_ids: + - my_policy_id + queries: + ports: + interval: 60 + query: SELECT * FROM listening_ports; + removed: false + snapshot: true + timeout: 120 + saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 + shards: {} + updated_at: '2025-02-26T13:37:30.452Z' + updated_by: elastic + version: 1 + schema: + $ref: '#/components/schemas/Security_Osquery_API_FindPackResponse' + description: Indicates a successful call. + summary: Get pack details + tags: + - Security Osquery API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: | + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/osquery/packs/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update a query pack using the pack ID. + > info + > You cannot update a prebuilt pack. + operationId: OsqueryUpdatePacks + parameters: + - description: The pack ID. in: path - name: pkgVersion + name: id required: true schema: - type: string - - description: When true, delete the package even if it has active package policies - in: query - name: force - required: false - schema: - type: boolean + $ref: '#/components/schemas/Security_Osquery_API_PackId' + requestBody: + content: + application/json: + examples: + renamePack: + summary: Rename a pack and update its description + value: + description: Updated pack description + enabled: true + name: my_pack_renamed + schema: + $ref: '#/components/schemas/Security_Osquery_API_UpdatePacksRequestBody' + required: true responses: '200': content: application/json: examples: - deletePackageExample: - description: Package successfully deleted + packUpdated: + summary: Pack updated value: - items: - - id: aws-logs-aws.cloudwatch_logs-default - type: index_template + data: + description: Updated pack description + enabled: true + name: my_pack_renamed + policy_ids: + - my_policy_id + queries: + ports: + interval: 60 + query: SELECT * FROM listening_ports; + removed: false + snapshot: true + timeout: 120 + saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 + shards: [] + updated_at: '2025-02-27T10:00:00.000Z' + updated_by: elastic + version: 2 schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_delete_package_response' - description: Successful response - '400': + $ref: '#/components/schemas/Security_Osquery_API_UpdatePacksResponse' + description: Indicates a successful call. + summary: Update a pack + tags: + - Security Osquery API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/osquery/packs/{id}/copy: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/osquery/packs/{id}/copy
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a copy of a query pack with a unique name by appending a `_copy` suffix. If the name already exists, a numeric suffix is added (e.g., `_copy_2`). The copied pack is always created with `enabled` set to `false`. + operationId: OsqueryCopyPacks + parameters: + - description: The ID of the pack to copy. + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Osquery_API_PackId' + responses: + '200': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + copyPackExample: + summary: Example response for copying a pack value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + data: + created_at: '2025-02-26T13:37:30.452Z' + created_by: elastic + description: My pack + enabled: false + name: my_pack_copy + policy_ids: [] + queries: + - ecs_mapping: + - key: client.port + value: + field: port + id: ports + interval: 60 + query: SELECT * FROM listening_ports; + removed: false + snapshot: true + timeout: 120 + saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 + shards: [] + updated_at: '2025-02-26T13:37:30.452Z' + updated_by: elastic schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Delete a package + $ref: '#/components/schemas/Security_Osquery_API_CopyPacksResponse' + description: Indicates a successful call. 
+ summary: Copy a pack tags: - - Elastic Package Manager (EPM) + - Security Osquery API + x-state: Generally available; Added in 9.4.0 + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/osquery/saved_queries: get: - description: Get information about a specific version of a package. - operationId: get-fleet-epm-packages-pkgname-pkgversion + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/osquery/saved_queries
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all saved queries. + operationId: OsqueryFindSavedQueries parameters: - - description: Package name - in: path - name: pkgName - required: true - schema: - type: string - - description: Package version - in: path - name: pkgVersion - required: true - schema: - type: string - - description: >- - When true, returns the package even if the signature cannot be - verified + - description: The page number to return. in: query - name: ignoreUnverified + name: page required: false schema: - type: boolean - - description: When true, include prerelease versions + $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' + - description: The number of results to return per page. in: query - name: prerelease + name: pageSize required: false schema: - type: boolean - - description: When true, return the full package info including assets + $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' + - description: The field to sort results by. in: query - name: full + name: sort required: false schema: - type: boolean - - description: >- - When true, include package metadata such as whether it has package - policies + $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' + - description: The sort order. 
in: query - name: withMetadata + name: sortOrder required: false schema: - default: false - type: boolean + $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' responses: '200': content: application/json: examples: - getPackageInfoExample: - description: Package details and installation status - value: - item: - assets: - kibana: - dashboard: [] - index_pattern: [] - categories: - - cloud - description: Collect logs and metrics from Amazon Web Services - name: aws - status: installed - title: AWS - version: 2.10.0 - schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_get_info_response' - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response + savedQueriesList: + summary: A list of saved queries value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + data: + - created_at: '2025-02-26T13:37:30.452Z' + created_by: elastic + description: Saved query description + ecs_mapping: + host.uptime: + field: total_seconds + id: my_saved_query + interval: '60' + platform: linux,darwin + query: select * from uptime; + saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c + timeout: 120 + updated_at: '2025-02-26T13:37:30.452Z' + updated_by: elastic + page: 1 + per_page: 20 + total: 1 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get a package + $ref: '#/components/schemas/Security_Osquery_API_FindSavedQueryResponse' + description: Indicates a successful call. 
+ summary: Get saved queries tags: - - Elastic Package Manager (EPM) + - Security Osquery API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name post: - description: >- - Install a specific version of a package from the Elastic Package - Registry.

[Required authorization] Route required privileges: - integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-pkgname-pkgversion - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Package name - in: path - name: pkgName - required: true - schema: - type: string - - description: Package version - in: path - name: pkgVersion - required: true - schema: - type: string - - description: When true, allow installing prerelease versions - in: query - name: prerelease - required: false - schema: - type: boolean - - description: When true, ignore mapping update errors during installation - in: query - name: ignoreMappingUpdateErrors - required: false - schema: - default: false - type: boolean - - description: When true, skip data stream rollover after installation - in: query - name: skipDataStreamRollover - required: false - schema: - default: false - type: boolean - - description: >- - Skip dependency validation when installing a package with - dependencies - in: query - name: skipDependencyCheck - required: false - schema: - default: false - type: boolean + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/osquery/saved_queries
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create and save a query for later use. + operationId: OsqueryCreateSavedQuery requestBody: content: application/json: examples: - postInstallPackageRequestExample: - description: Install a package, optionally ignoring constraints + createSavedQuery: + summary: Create a saved query value: - ignore_constraints: false + description: Saved query description + ecs_mapping: + host.uptime: + field: total_seconds + id: my_saved_query + interval: '60' + platform: linux,darwin + query: select * from uptime; + timeout: 120 schema: - allOf: - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_install_package_from_registry_request - nullable: true + $ref: '#/components/schemas/Security_Osquery_API_CreateSavedQueryRequestBody' + required: true responses: '200': content: application/json: examples: - postInstallPackageExample: - description: Package successfully installed - value: - _meta: - install_source: registry - items: - - id: aws-logs-aws.cloudwatch_logs-default - type: index_template - schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_install_package_response' - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response + savedQueryCreated: + summary: Saved query created value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + data: + created_at: '2025-02-26T13:37:30.452Z' + created_by: elastic + description: Saved query description + ecs_mapping: + host.uptime: + field: total_seconds + id: my_saved_query + interval: '60' + platform: linux,darwin + query: select * from uptime; + saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c + timeout: 120 + updated_at: '2025-02-26T13:37:30.452Z' + updated_by: elastic schema: - additionalProperties: false - description: Generic Error - type: object - properties: - 
attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Install a package from the registry + $ref: '#/components/schemas/Security_Osquery_API_CreateSavedQueryResponse' + description: Indicates a successful call. + summary: Create a saved query tags: - - Elastic Package Manager (EPM) - put: - description: >- - Update settings for a specific version of a package.

[Required - authorization] Route required privileges: integrations-all AND - fleet-agent-policies-all. - operationId: put-fleet-epm-packages-pkgname-pkgversion + - Security Osquery API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/osquery/saved_queries/{id}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/osquery/saved_queries/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a saved query using the query ID. + operationId: OsqueryDeleteSavedQuery parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Package name - in: path - name: pkgName - required: true - schema: - type: string - - description: Package version + - description: The saved query ID. in: path - name: pkgVersion + name: id required: true schema: - type: string - requestBody: - content: - application/json: - examples: - putUpdatePackageNamespaceCustomizationExample: - description: >- - Enable namespace-level customization for the `production` and - `staging` namespaces - value: - namespace_customization_enabled_for: - - production - - staging - putUpdatePackageRequestExample: - description: Update keep_policies_up_to_date setting for a package - value: - keepPoliciesUpToDate: true - schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_package_request' + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' responses: '200': content: application/json: examples: - putUpdatePackageExample: - description: Updated package settings - value: - item: - keepPoliciesUpToDate: true - name: aws - version: 2.10.0 - schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_package_response' - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + savedQueryDeleted: + summary: Saved query deleted (empty response body) + value: {} schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - 
message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Update package settings + $ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse' + description: Indicates a successful call. + summary: Delete a saved query tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}: + - Security Osquery API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name get: - description: >- - Get the contents of a specific file from a package.

[Required - authorization] Route required privileges: integrations-read OR - fleet-setup OR fleet-all. - operationId: get-fleet-epm-packages-pkgname-pkgversion-filepath + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/osquery/saved_queries/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the details of a saved query using the query ID. + operationId: OsqueryGetSavedQueryDetails parameters: - - description: Package name - in: path - name: pkgName - required: true - schema: - type: string - - description: Package version + - description: The saved query ID. in: path - name: pkgVersion + name: id required: true schema: - type: string - - description: File path within the package + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + responses: + '200': + content: + application/json: + examples: + savedQueryDetails: + summary: Saved query details + value: + data: + created_at: '2025-02-26T13:37:30.452Z' + created_by: elastic + description: Saved query description + ecs_mapping: + host.uptime: + field: total_seconds + id: my_saved_query + interval: '60' + platform: linux,darwin + query: select * from uptime; + saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c + timeout: 120 + updated_at: '2025-02-26T13:37:30.452Z' + updated_by: elastic + schema: + $ref: '#/components/schemas/Security_Osquery_API_FindSavedQueryDetailResponse' + description: Indicates a successful call. + summary: Get saved query details + tags: + - Security Osquery API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: | + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/osquery/saved_queries/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update a saved query using the query ID. + > info + > You cannot update a prebuilt saved query. + operationId: OsqueryUpdateSavedQuery + parameters: + - description: The saved query ID. in: path - name: filePath + name: id required: true schema: - type: string + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + requestBody: + content: + application/json: + examples: + updateSavedQuery: + summary: Update a saved query + value: + description: Updated saved query description + id: my_saved_query + interval: '120' + platform: linux,darwin + query: select * from osquery_info; + timeout: 60 + schema: + $ref: '#/components/schemas/Security_Osquery_API_UpdateSavedQueryRequestBody' + required: true responses: '200': content: application/json: examples: - getPackageFileExample: - description: The content of the requested package file - value: - schema: {} - description: Successful response — returns the file content - '400': + savedQueryUpdated: + summary: Saved query updated + value: + data: + description: Updated saved query description + id: my_saved_query + interval: '120' + platform: linux,darwin + query: select * from osquery_info; + saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c + timeout: 60 + updated_at: '2025-02-27T10:00:00.000Z' + updated_by: elastic + schema: + $ref: '#/components/schemas/Security_Osquery_API_UpdateSavedQueryResponse' + description: Indicates a successful call. + summary: Update a saved query + tags: + - Security Osquery API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/osquery/saved_queries/{id}/copy: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/osquery/saved_queries/{id}/copy
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a copy of a saved query with a unique name by appending a `_copy` suffix. If the name already exists, a numeric suffix is added (e.g., `_copy_2`). + operationId: OsqueryCopySavedQuery + parameters: + - description: The ID of the saved query to copy. + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + responses: + '200': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + copySavedQueryExample: + summary: Example response for copying a saved query value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + data: + created_at: '2025-02-26T13:37:30.452Z' + created_by: elastic + description: Saved query description + ecs_mapping: + host.uptime: + field: total_seconds + id: my_saved_query_copy + interval: '60' + platform: linux,darwin + query: select * from uptime; + removed: false + saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c + snapshot: true + timeout: 120 + updated_at: '2025-02-26T13:37:30.452Z' + updated_by: elastic schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get a package file + $ref: '#/components/schemas/Security_Osquery_API_CopySavedQueryResponse' + description: Indicates a successful call. + summary: Copy a saved query tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/{pkgName}/{pkgVersion}/datastream_assets: - delete: - description: >- - Delete datastream assets for a specific input package, by data stream - name.

[Required authorization] Route required privileges: - integrations-all AND fleet-agent-policies-all. - operationId: delete-fleet-epm-packages-pkgname-pkgversion-datastream-assets + - Security Osquery API + x-state: Generally available; Added in 9.4.0 + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/osquery/scheduled_results/{scheduleId}/{executionCount}: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/osquery/scheduled_results/{scheduleId}/{executionCount}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get paginated per-agent action results for a specific scheduled query execution, with success/failure aggregation and execution metadata (pack name, query name/text, timestamp). + operationId: OsqueryGetScheduledActionResults parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Package name + - description: The schedule ID of the scheduled query. in: path - name: pkgName + name: scheduleId required: true schema: + description: The schedule ID of the scheduled query. + example: pack_my_pack_uptime type: string - - description: Package version + - description: The execution count for this scheduled query run. in: path - name: pkgVersion + name: executionCount required: true schema: - type: string - - description: The ID of the package policy + description: The execution count for this scheduled query run. + example: 3 + type: integer + - description: The kuery to filter the results by. in: query - name: packagePolicyId - required: true + name: kuery + required: false schema: - type: string + $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' + - description: The page number to return. The default is 1. + in: query + name: page + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' + - description: The number of results to return per page. The default is 20. + in: query + name: pageSize + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' + - description: The field that is used to sort the results. + in: query + name: sort + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' + - description: Specifies the sort order. 
+ in: query + name: sortOrder + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' responses: '200': content: application/json: examples: - deletePackageDatastreamAssetsExample: - description: Package datastream assets successfully deleted - value: - items: - - id: logs-my_package.access-default - type: index_template - schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_delete_package_datastream_assets_response - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response + scheduledActionResultsExample: + summary: Example scheduled action results response value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + aggregations: + failed: 1 + pending: 0 + successful: 9 + totalResponded: 10 + totalRowCount: 42 + currentPage: 0 + edges: + - _id: result-001 + fields: + agent_id: 16d7caf5-efd2-4212-9b62-73dafc91fa13 + rows_count: 5 + status: success + metadata: + executionCount: 3 + packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d + packName: My Pack + queryName: uptime + queryText: select * from uptime; + scheduleId: pack_my_pack_uptime + timestamp: '2024-07-26T09:00:00.000Z' + pageSize: 20 + total: 10 + totalPages: 1 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Delete assets for an input package + $ref: '#/components/schemas/Security_Osquery_API_GetScheduledActionResultsResponse' + description: Indicates a successful call. 
+ summary: Get scheduled action results tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/{pkgName}/{pkgVersion}/dependencies: + - Security Osquery API + x-state: Generally available; Added in 9.4.0 + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/osquery/scheduled_results/{scheduleId}/{executionCount}/results: get: - description: >- - Get the list of packages that a specific package depends - on.

[Required authorization] Route required privileges: - integrations-read OR fleet-setup OR fleet-all. - operationId: get-fleet-epm-packages-pkgname-pkgversion-dependencies + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/osquery/scheduled_results/{scheduleId}/{executionCount}/results
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get paginated query result rows (the actual osquery output data) for a specific scheduled query execution. + operationId: OsqueryGetScheduledQueryResults parameters: - - description: Package name + - description: The schedule ID of the scheduled query. in: path - name: pkgName + name: scheduleId required: true schema: + description: The schedule ID of the scheduled query. + example: pack_my_pack_uptime type: string - - description: Package version + - description: The execution count for this scheduled query run. in: path - name: pkgVersion + name: executionCount required: true schema: + description: The execution count for this scheduled query run. + example: 3 + type: integer + - description: The kuery to filter the results by. + in: query + name: kuery + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' + - description: The page number to return. The default is 1. + in: query + name: page + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' + - description: The number of results to return per page. The default is 20. + in: query + name: pageSize + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' + - description: The field that is used to sort the results. + in: query + name: sort + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' + - description: Specifies the sort order. + in: query + name: sortOrder + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' + - description: The start date filter (ISO 8601) to narrow down results. + in: query + name: startDate + required: false + schema: + description: The start date filter (ISO 8601) to narrow down results. 
+ example: '2024-01-01T00:00:00Z' type: string responses: '200': content: application/json: examples: - dependenciesResponse: - value: - items: - - name: aws - title: AWS - version: ^2.0.0 - - name: system - title: System - version: ^1.0.0 - noDependenciesResponse: + scheduledQueryResultsExample: + summary: Example scheduled query results response value: - items: [] + data: + edges: + - _id: row-001 + fields: + host.uptime: + - '12345' + - _id: row-002 + fields: + host.uptime: + - '67890' + total: 2 schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_get_dependencies_response - description: 'OK: A successful request.' - '400': + $ref: '#/components/schemas/Security_Osquery_API_GetScheduledQueryResultsResponse' + description: Indicates a successful call. + summary: Get scheduled query results + tags: + - Security Osquery API + x-state: Generally available; Added in 9.4.0 + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/pinned_event: + patch: + description: |- + **Spaces method and path for this operation:** + +
patch /s/{space_id}/api/pinned_event
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Pin/unpin an event to/from an existing Timeline. + operationId: PersistPinnedEventRoute + requestBody: + content: + application/json: + examples: + pinEvent: + summary: Pin an event + value: + eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc + timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + schema: + type: object + properties: + eventId: + description: The `_id` of the associated event for this pinned event. + example: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc + type: string + pinnedEventId: + description: The `savedObjectId` of the pinned event you want to unpin. + example: 10r1929b-0af7-42bd-85a8-56e234f98h2f3 + nullable: true + type: string + timelineId: + description: The `savedObjectId` of the timeline that you want this pinned event unpinned from. + example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + type: string + required: + - eventId + - timelineId + description: The pinned event to add or unpin, along with additional metadata. + required: true + responses: + '200': content: application/json: examples: - packageNotFoundResponse: + pinnedSaved: + summary: Pinned event saved object value: - message: '[my-package-1.0.0] package not found in registry' + eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc + pinnedEventId: 10r1929b-0af7-42bd-85a8-56e234f98h2f3 + timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + version: WzQ2LDFe + unpinned: + summary: Unpin response + value: + unpinned: true schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: A bad request. - summary: Get package dependencies + $ref: '#/components/schemas/Security_Timeline_API_PersistPinnedEventResponse' + description: Indicates a successful call. 
+ summary: Pin/unpin an event tags: - - Elastic Package Manager (EPM) - x-state: Generally available - /api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets: + - Security Timeline API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/risk_score/engine/dangerously_delete_data: delete: - description: >- - Delete Kibana assets (dashboards, visualizations, etc.) for a specific - package version.

[Required authorization] Route required - privileges: integrations-all AND fleet-agent-policies-all. - operationId: delete-fleet-epm-packages-pkgname-pkgversion-kibana-assets - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Package name - in: path - name: pkgName - required: true - schema: - type: string - - description: Package version - in: path - name: pkgVersion - required: true - schema: - type: string + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/risk_score/engine/dangerously_delete_data
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Cleaning up the the Risk Engine by removing the indices, mapping and transforms + operationId: CleanUpRiskEngine responses: '200': content: application/json: examples: - deleteKibanaAssetsExample: - description: Kibana assets successfully deleted - value: - items: - - id: dashboard-id-1 - type: dashboard - schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_install_kibana_assets_response - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response + CleanUpRiskEngineResponse: + summary: Successful cleanup response value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + cleanup_successful: true schema: - additionalProperties: false - description: Generic Error type: object properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Delete Kibana assets for a package - tags: - - Elastic Package Manager (EPM) - post: - description: >- - Install Kibana assets (dashboards, visualizations, etc.) for a specific - package version.

[Required authorization] Route required - privileges: integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-pkgname-pkgversion-kibana-assets - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Package name - in: path - name: pkgName - required: true - schema: - type: string - - description: Package version - in: path - name: pkgVersion - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - postInstallKibanaAssetsRequestExample: - description: Install Kibana assets for a specific package version - value: {} - schema: - allOf: - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_install_kibana_assets_request - nullable: true - responses: - '200': + cleanup_successful: + type: boolean + description: Successful response + '400': content: application/json: examples: - postInstallKibanaAssetsExample: - description: Kibana assets successfully installed + taskManagerUnavailable: + summary: Task manager is unavailable value: - items: - - id: dashboard-id-1 - type: dashboard + message: Task Manager is unavailable, but is required by the risk engine. Please enable the taskManager plugin and try again. + status_code: 400 schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_install_kibana_assets_response - description: Successful response - '400': + $ref: '#/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse' + description: Task manager is unavailable + default: content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + cleanupFailed: + summary: Cleanup failed value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + cleanup_successful: false + errors: + - error: Risk engine is disabled or deleted already. 
+ seq: 1 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Install Kibana assets for a package + $ref: '#/components/schemas/Security_Entity_Analytics_API_CleanUpRiskEngineErrorResponse' + description: Unexpected error + summary: Cleanup the Risk Engine tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/{pkgName}/{pkgVersion}/rule_assets: - post: - description: >- - Install Kibana alert rule assets for a specific package - version.

[Required authorization] Route required privileges: - integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-pkgname-pkgversion-rule-assets - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Package name - in: path - name: pkgName - required: true - schema: - type: string - - description: Package version - in: path - name: pkgVersion - required: true - schema: - type: string + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/risk_score/engine/saved_object/configure: + patch: + description: |- + **Spaces method and path for this operation:** + +
patch /s/{space_id}/api/risk_score/engine/saved_object/configure
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Configuring the Risk Engine Saved Object + operationId: ConfigureRiskEngineSavedObject requestBody: content: application/json: examples: - postInstallRuleAssetsRequestExample: - description: Install alert rule assets for a specific package version - value: {} + ConfigureRiskEngineSavedObjectRequest: + summary: Configure the risk engine saved object + value: + enable_reset_to_zero: false + exclude_alert_statuses: + - closed + exclude_alert_tags: + - low-priority + filters: + - entity_types: + - host + - user + filter: 'host.name: *' + range: + end: now + start: now-30d schema: - allOf: - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_install_rule_assets_request - nullable: true + type: object + properties: + enable_reset_to_zero: + type: boolean + exclude_alert_statuses: + items: + type: string + type: array + exclude_alert_tags: + items: + type: string + type: array + filters: + items: + type: object + properties: + entity_types: + items: + enum: + - host + - user + - service + type: string + type: array + filter: + description: KQL filter string + type: string + required: + - entity_types + - filter + type: array + page_size: + description: | + Number of entities to score per page. Higher values reduce total scoring time by reducing the number of alert-index scans, but cannot exceed the ES|QL result limit (10,000 by default). 
+ maximum: 10000 + minimum: 100 + type: integer + range: + type: object + properties: + end: + type: string + start: + type: string + required: true responses: '200': content: application/json: examples: - postInstallRuleAssetsExample: - description: Rule assets successfully installed + ConfigureRiskEngineSavedObjectResponse: + summary: Successful configuration response value: - items: - - id: rule-asset-id-1 - type: security_rule + risk_engine_saved_object_configured: true schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_install_kibana_assets_response + type: object + properties: + risk_engine_saved_object_configured: + type: boolean description: Successful response '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + taskManagerUnavailable: + summary: Task manager is unavailable value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + message: Task Manager is unavailable, but is required by the risk engine. Please enable the taskManager plugin and try again. 
+ status_code: 400 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Install Kibana alert rule for a package + $ref: '#/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse' + description: Task manager is unavailable + default: + content: + application/json: + examples: + configureError: + summary: Configure saved object failed + value: + errors: + - error: Internal server error + seq: 1 + risk_engine_saved_object_configured: false + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_ConfigureRiskEngineSavedObjectErrorResponse' + description: Unexpected error + summary: Configure the Risk Engine Saved Object tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/{pkgName}/{pkgVersion}/transforms/authorize: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/risk_score/engine/schedule_now: post: - description: >- - Reauthorize Elasticsearch transforms installed by a package with - secondary authorization headers. - operationId: post-fleet-epm-packages-pkgname-pkgversion-transforms-authorize - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Package name - in: path - name: pkgName - required: true - schema: - type: string - - description: Package version - in: path - name: pkgVersion - required: true - schema: - type: string - - description: When true, allow prerelease versions - in: query - name: prerelease - required: false - schema: - type: boolean + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/risk_score/engine/schedule_now
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Schedule the risk scoring engine to run as soon as possible. You can use this to recalculate entity risk scores after updating their asset criticality. + operationId: ScheduleRiskEngineNow requestBody: content: application/json: examples: - postReauthorizeTransformsRequestExample: - description: Reauthorize transforms for a package - value: - transforms: - - destinations: - - index: logs-transform-dest - transformId: logs-transform-1 + emptyRequest: + summary: No request body + value: {} schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_reauthorize_transform_request + type: object responses: '200': content: application/json: examples: - postReauthorizeTransformsExample: - description: Transforms successfully reauthorized + ScheduleRiskEngineNowResponse: + summary: Successful schedule response value: - - success: true - transformId: logs-transform-1 + success: true schema: - items: - additionalProperties: false - type: object - properties: - error: - nullable: true - success: - type: boolean - transformId: - type: string - required: - - transformId - - success - - error - maxItems: 10000 - type: array + $ref: '#/components/schemas/Security_Entity_Analytics_API_RiskEngineScheduleNowResponse' description: Successful response '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + taskManagerUnavailable: + summary: Task manager is unavailable value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + message: Task Manager is unavailable, but is required by the risk engine. Please enable the taskManager plugin and try again. 
+ status_code: 400 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Authorize transforms + $ref: '#/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse' + description: Task manager is unavailable + default: + content: + application/json: + examples: + scheduleNowError: + summary: Schedule now failed + value: + full_error: '{}' + message: Internal server error + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_RiskEngineScheduleNowErrorResponse' + description: Unexpected error + summary: Run the risk scoring engine tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/{pkgName}/review_upgrade: + - Security Entity Analytics API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/saved_objects/_export: post: - description: >- - Review and accept or reject a pending policy upgrade for a package that - contains deprecations.

[Required authorization] Route required - privileges: integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-pkgname-review-upgrade + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/saved_objects/_export
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve sets of saved objects that you want to import into Kibana. You must include `type` or `objects` in the request body. The output of exporting saved objects must be treated as opaque. Tampering with exported data risks introducing unspecified errors and data loss. + + Exported saved objects are not backwards compatible and cannot be imported into an older version of Kibana. + + NOTE: The exported saved objects include `coreMigrationVersion` and `typeMigrationVersion` metadata. If you store exported saved objects outside of Kibana (for example in NDJSON files) or generate them yourself, you must preserve or include these fields to retain forward compatibility across Kibana versions. + + NOTE: The `savedObjects.maxImportExportSize` configuration setting limits the number of saved objects which may be exported. + operationId: post-saved-objects-export parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -28416,70 +46266,155 @@ paths: schema: example: 'true' type: string - - description: Package name to review upgrade for - in: path - name: pkgName - required: true - schema: - type: string requestBody: content: application/json: examples: - acceptUpgrade: + exportSavedObjectsRequest: + summary: Export a specific saved object value: - action: accept - target_version: 2.0.0 + excludeExportDetails: true + includeReferencesDeep: false + objects: + - id: example-dashboard-1 + type: dashboard schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_review_upgrade_request' + additionalProperties: false + type: object + properties: + excludeExportDetails: + default: false + description: Do not add export details entry at the end of the stream. + type: boolean + hasReference: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + type: + type: string + required: + - type + - id + - items: + additionalProperties: false + type: object + properties: + id: + type: string + type: + type: string + required: + - type + - id + maxItems: 100 + type: array + includeReferencesDeep: + default: false + description: Includes all of the referenced objects in the exported objects. + type: boolean + objects: + description: 'A list of objects to export. NOTE: this optional parameter cannot be combined with the `types` option' + items: + additionalProperties: false + type: object + properties: + id: + type: string + type: + type: string + required: + - type + - id + maxItems: 10000 + type: array + search: + description: Search for documents to export using the Elasticsearch Simple Query String syntax. + type: string + type: + anyOf: + - type: string + - items: + type: string + maxItems: 100 + type: array + description: The saved object types to include in the export. Use `*` to export all the types. 
Valid options depend on enabled plugins, but may include `visualization`, `dashboard`, `search`, `index-pattern`, `tag`, `config`, `config-global`, `lens`, `map`, `event-annotation-group`, `query`, `url`, `action`, `alert`, `alerting_rule_template`, `apm-indices`, `cases-user-actions`, `cases`, `cases-comments`, `infrastructure-monitoring-log-view`, `ml-trained-model`, `osquery-saved-query`, `osquery-pack`, `osquery-pack-asset`. responses: '200': content: - application/json: + application/x-ndjson: examples: - successResponse: - value: - success: true - schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_review_upgrade_response' - description: 'OK: A successful request.' + exportSavedObjectsResponse: + summary: The export response contains an NDJSON record for each exported object + value: | + {"id":"example-dashboard-1","type":"dashboard","attributes":{"title":"Example dashboard 1"},"references":[],"managed":false} + {"exportedCount":1,"missingRefCount":0,"missingReferences":[]} + schema: {} + description: Indicates a successfull call. '400': content: application/json: examples: badRequestResponse: + summary: A bad request error value: - message: Bad Request + error: Bad Request + message: 'Either `type` or `objects` are required.: Bad Request' + statusCode: 400 schema: additionalProperties: false - description: Generic Error + description: Indicates an unsuccessful response. type: object properties: - attributes: - nullable: true error: type: string - errorType: - type: string message: type: string statusCode: - type: number + enum: + - 400 + type: integer required: + - error - message - - attributes - description: A bad request. - summary: Review a pending policy upgrade for a package with deprecations + - statusCode + description: Bad request. 
+ summary: Export saved objects tags: - - Elastic Package Manager (EPM) - x-state: Generally available - /api/fleet/epm/packages/{pkgName}/rollback: + - saved objects + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/saved_objects/_export" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{"objects":[{"type":"dashboard","id":"example-dashboard-1"}],"includeReferencesDeep":false,"excludeExportDetails":true}' + - lang: Console + source: | + POST kbn://api/saved_objects/_export + {"objects":[{"type":"dashboard","id":"example-dashboard-1"}],"includeReferencesDeep":false,"excludeExportDetails":true} + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/saved_objects/_import: post: - description: >- - Rollback a package to its previously installed - version.

[Required authorization] Route required privileges: - integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-pkgname-rollback + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/saved_objects/_import
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create sets of Kibana saved objects from a file created by the export API. Saved objects can only be imported into the same version, a newer minor on the same major, or the next major. Tampering with exported data risks introducing unspecified errors and data loss. + + Exported saved objects are not backwards compatible and cannot be imported into an older version of Kibana. + + NOTE: The exported saved objects include `coreMigrationVersion` and `typeMigrationVersion` metadata. If you store exported saved objects outside of Kibana (for example in NDJSON files) or generate them yourself, you must preserve or include these fields to retain forwards compatibility across Kibana versions. + operationId: post-saved-objects-import parameters: - description: A required header to protect against CSRF attacks in: header 
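Review bot: The `objects` property description in the new `/api/saved_objects/_export` request schema says it "cannot be combined with the `types` option", but the sibling property it refers to is named `type` (the `anyOf` of a string or a string array), so the text points readers at an option that does not exist in this schema; change it to `NOTE: this optional parameter cannot be combined with the \`type\` option`. The 200 response description on the same operation also carries the typo `Indicates a successfull call.` (→ `successful`), and its `schema: {}` leaves the NDJSON body entirely unconstrained — acceptable for an opaque stream, but it is worth a one-line comment such as `# NDJSON stream; records are opaque by design (see description)` so the empty schema does not look accidental. The enclosing `paths` mapping starts and ends outside this hunk.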
@@ -28488,326 +46423,521 @@ paths: schema: example: 'true' type: string - - description: Package name to roll back - in: path - name: pkgName - required: true + - description: 'Overwrites saved objects when they already exist. When used, potential conflict errors are automatically resolved by overwriting the destination object. NOTE: This option cannot be used with the `createNewCopies` option.' + in: query + name: overwrite + required: false schema: - type: string + default: false + type: boolean + - description: 'Creates copies of saved objects, regenerates each object ID, and resets the origin. When used, potential conflict errors are avoided. NOTE: This option cannot be used with the `overwrite` and `compatibilityMode` options.' + in: query + name: createNewCopies + required: false + schema: + default: false + type: boolean + - description: 'Applies various adjustments to the saved objects that are being imported to maintain compatibility between different Kibana versions. Use this option only if you encounter issues with imported saved objects. NOTE: This option cannot be used with the `createNewCopies` option.' + in: query + name: compatibilityMode + required: false + schema: + default: false + type: boolean + requestBody: + content: + multipart/form-data: + examples: + importObjectsRequest: + summary: Import saved objects from an NDJSON file + value: + file: file.ndjson + schema: + additionalProperties: false + type: object + properties: + file: + description: 'A file exported using the export API. Changing the contents of the exported file in any way before importing it can cause errors, crashes or data loss. NOTE: The `savedObjects.maxImportExportSize` configuration setting limits the number of saved objects which may be included in this file. Similarly, the `savedObjects.maxImportPayloadBytes` setting limits the overall size of the file that can be imported.' 
+ type: object + required: + - file responses: '200': content: application/json: examples: - successResponse: + importObjectsResponse: + summary: A successful import response value: + errors: [] success: true - version: 1.0.0 - schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_rollback_package_response - description: 'OK: A successful request.' - '400': - content: - application/json: - examples: - badRequestResponse: - value: - message: Bad Request + successCount: 1 + successResults: + - destinationId: example-dashboard-1-copy + id: example-dashboard-1 + managed: false + type: dashboard schema: additionalProperties: false - description: Generic Error type: object properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: A bad request. - summary: Rollback a package to previous version - tags: - - Elastic Package Manager (EPM) - x-state: Technical Preview - /api/fleet/epm/packages/{pkgName}/stats: - get: - description: >- - Get usage statistics for a specific package, such as the number of agent - policies using it.

[Required authorization] Route required - privileges: integrations-read OR fleet-setup OR fleet-all. - operationId: get-fleet-epm-packages-pkgname-stats - parameters: - - description: Package name - in: path - name: pkgName - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getPackageStatsExample: - description: Usage stats for a specific package - value: - response: - agent_policy_count: 3 - schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_get_stats_response' - description: Successful response + errors: + description: |- + Indicates the import was unsuccessful and specifies the objects that failed to import. + + NOTE: One object may result in multiple errors, which requires separate steps to resolve. For instance, a `missing_references` error and conflict error. + items: + additionalProperties: true + type: object + properties: {} + type: array + success: + description: Indicates when the import was successfully completed. When set to false, some objects may not have been created. For additional information, refer to the `errors` and `successResults` properties. + type: boolean + successCount: + description: Indicates the number of successfully imported records. + type: number + successResults: + description: |- + Indicates the objects that are successfully imported, with any metadata if applicable. + + NOTE: Objects are created only when all resolvable errors are addressed, including conflicts and missing references. If objects are created as new copies, each entry in the `successResults` array includes a `destinationId` attribute. + items: + additionalProperties: true + type: object + properties: {} + type: array + required: + - success + - successCount + - errors + - successResults + description: Indicates a successful call. 
'400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequestResponse: + summary: A bad request error value: error: Bad Request - message: An error message describing what went wrong + message: Invalid file extension .txt statusCode: 400 schema: additionalProperties: false - description: Generic Error + description: Indicates an unsuccessful response. type: object properties: - attributes: - nullable: true error: type: string - errorType: - type: string message: type: string statusCode: - type: number + enum: + - 400 + type: integer required: + - error - message - - attributes - description: Bad Request - summary: Get package stats + - statusCode + description: Bad request. + summary: Import saved objects tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/installed: - get: - description: >- - Get a list of all currently installed integration - packages.

[Required authorization] Route required privileges: - integrations-read OR fleet-setup OR fleet-all. - operationId: get-fleet-epm-packages-installed + - saved objects + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/saved_objects/_import?createNewCopies=true" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + --form file=@file.ndjson + - lang: Console + source: | + POST kbn://api/saved_objects/_import?createNewCopies=true + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/saved_objects/_resolve_import_errors: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/saved_objects/_resolve_import_errors
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + To resolve errors from the import objects API, you can retry certain saved objects, overwrite specific saved objects, and change references to different saved objects + operationId: post-saved-objects-resolve-import-errors parameters: - - description: Filter by data stream type - in: query - name: dataStreamType - required: false + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - enum: - - logs - - metrics - - traces - - synthetics - - profiling + example: 'true' type: string - - description: When true, only return packages with active data streams + - description: Creates copies of saved objects, regenerates each object ID, and resets the origin. in: query - name: showOnlyActiveDataStreams + name: createNewCopies required: false schema: + default: false type: boolean - - description: Filter packages by name - in: query - name: nameQuery - required: false - schema: - type: string - - description: Sort values from the previous page for `search_after` pagination - in: query - name: searchAfter - required: false - schema: - items: - anyOf: - - type: string - - type: number - maxItems: 10 - type: array - - description: Number of results per page - in: query - name: perPage - required: false - schema: - default: 15 - type: number - - description: Sort order, ascending or descending + - description: Applies adjustments to maintain compatibility between different Kibana versions. 
in: query - name: sortOrder + name: compatibilityMode required: false schema: - default: asc - enum: - - asc - - desc - type: string + default: false + type: boolean + requestBody: + content: + multipart/form-data: + examples: + resolveImportErrorsRequest: + summary: Resolve import errors by retrying objects + value: + file: file.ndjson + retries: + - id: example-dashboard-1 + overwrite: true + replaceReferences: [] + type: dashboard + schema: + additionalProperties: false + type: object + properties: + file: + type: object + retries: + items: + additionalProperties: false + type: object + properties: + createNewCopy: + type: boolean + destinationId: + type: string + id: + type: string + ignoreMissingReferences: + type: boolean + overwrite: + default: false + type: boolean + replaceReferences: + default: [] + items: + additionalProperties: false + type: object + properties: + from: + type: string + to: + type: string + type: + type: string + required: + - type + - from + - to + maxItems: 100 + type: array + type: + type: string + required: + - type + - id + maxItems: 10000 + type: array + required: + - file + - retries responses: '200': content: application/json: examples: - getInstalledPackagesExample: - description: List of installed integration packages + resolveImportErrorsResponse: + summary: A successful resolve import errors response value: - items: - - name: system - status: installed - title: System - version: 1.55.0 - - name: elastic_agent - status: installed - title: Elastic Agent - version: 1.15.0 - searchExcluded: 0 - total: 2 - schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_get_installed_packages_response - description: Successful response + errors: [] + success: true + successCount: 1 + successResults: + - id: example-dashboard-1 + managed: false + type: dashboard + description: A successful resolve import errors response. 
'400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequestResponse: + summary: A bad request error value: error: Bad Request - message: An error message describing what went wrong + message: Invalid file extension .txt statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get installed packages + description: A bad request. + summary: Resolve import errors tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/limited: - get: - description: >- - Get the list of packages that cannot be uninstalled (e.g. elastic_agent, - fleet_server).

[Required authorization] Route required - privileges: integrations-read OR fleet-setup OR fleet-all. - operationId: get-fleet-epm-packages-limited - parameters: [] + - saved objects + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/saved_objects/_resolve_import_errors" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + --form file=@file.ndjson \ + --form retries='[{"type":"dashboard","id":"example-dashboard-1","overwrite":true,"replaceReferences":[]}]' + - lang: Console + source: | + POST kbn://api/saved_objects/_resolve_import_errors + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security_ai_assistant/anonymization_fields/_bulk_action: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/security_ai_assistant/anonymization_fields/_bulk_action
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Apply a bulk action to multiple anonymization fields. The bulk action is applied to all anonymization fields that match the filter or to the list of anonymization fields by their IDs. + operationId: PerformAnonymizationFieldsBulkAction + requestBody: + content: + application/json: + examples: + PerformAnonymizationFieldsBulkActionRequest: + value: + create: + - allowed: true + anonymized: false + field: host.name + - allowed: false + anonymized: true + field: user.name + delete: + ids: + - field5 + - field6 + query: 'field: host.name' + update: + - allowed: true + anonymized: false + id: field8 + - allowed: false + anonymized: true + id: field9 + schema: + example: + create: + - allowed: true + anonymized: false + field: host.name + - allowed: false + anonymized: true + field: user.name + delete: + ids: + - field5 + - field6 + query: 'field: host.name' + update: + - allowed: true + anonymized: false + id: field8 + - allowed: false + anonymized: true + id: field9 + type: object + properties: + create: + description: Array of anonymization fields to create. + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldCreateProps' + type: array + delete: + description: Object containing the query to filter anonymization fields and/or an array of anonymization field IDs to delete. + type: object + properties: + ids: + description: Array of IDs to apply the action to. + example: + - '1234' + - '5678' + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter the bulk action. + example: 'status: ''inactive''' + type: string + update: + description: Array of anonymization fields to update. 
+ items: + $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldUpdateProps' + type: array responses: '200': content: application/json: examples: - getLimitedPackagesExample: - description: List of packages that cannot be uninstalled + PerformAnonymizationFieldsBulkActionResponse200Example: value: - items: - - elastic_agent - - fleet_server + anonymization_fields_count: 4 + attributes: + results: + created: + - allowed: false + anonymized: true + createdAt: '2023-10-31T12:00:00Z' + createdBy: user1 + field: host.name + id: field2 + namespace: default + timestamp: '2023-10-31T12:00:00Z' + updatedAt: '2023-10-31T12:00:00Z' + updatedBy: user1 + deleted: + - field3 + skipped: + - id: field4 + name: user.name + skip_reason: ANONYMIZATION_FIELD_NOT_MODIFIED + updated: + - allowed: true + anonymized: false + createdAt: '2023-10-31T12:00:00Z' + createdBy: user1 + field: url.domain + id: field8 + namespace: default + timestamp: '2023-10-31T12:00:00Z' + updatedAt: '2023-10-31T12:00:00Z' + updatedBy: user1 + summary: + failed: 0 + skipped: 1 + succeeded: 3 + total: 4 + message: Bulk action completed successfully + status_code: 200 + success: true schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_get_limited_packages_response - description: Successful response + $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResponse' + description: Indicates a successful call. '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + PerformAnonymizationFieldsBulkActionResponse400Example: value: error: Bad Request - message: An error message describing what went wrong + message: Invalid request body statusCode: 400 schema: - additionalProperties: false - description: Generic Error type: object properties: - attributes: - nullable: true error: - type: string - errorType: + description: Error type or name. 
type: string message: + description: Detailed error message. type: string statusCode: + description: Status code of the response. type: number - required: - - message - - attributes - description: Bad Request - summary: Get a limited package list + description: Bad Request response. + summary: Apply a bulk action to anonymization fields tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs: + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request POST 'http://localhost:5601/api/security_ai_assistant/anonymization_fields/_bulk_action' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" \ + --data '{"create":[{"field":"host.name","allowed":true,"anonymized":false}]}' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security_ai_assistant/anonymization_fields/_find: get: - description: >- - Get an inputs template for a package, used to pre-populate package - policy forms.

[Required authorization] Route required - privileges: integrations-read OR fleet-setup OR fleet-all. - operationId: get-fleet-epm-templates-pkgname-pkgversion-inputs + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/security_ai_assistant/anonymization_fields/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all anonymization fields. + operationId: FindAnonymizationFields parameters: - - description: Package name - in: path - name: pkgName - required: true + - description: Fields to return + example: + - id + - field + - anonymized + - allowed + in: query + name: fields + required: false schema: - type: string - - description: Package version - in: path - name: pkgVersion - required: true + items: + type: string + type: array + - description: Search query + example: 'field: "user.name"' + in: query + name: filter + required: false schema: type: string - - description: 'Output format for the inputs template: json, yml, or yaml' + - description: Field to sort by + example: created_at in: query - name: format + name: sort_field required: false schema: - default: json - enum: - - json - - yml - - yaml - type: string - - description: When true, allow prerelease versions + $ref: '#/components/schemas/Security_AI_Assistant_API_FindAnonymizationFieldsSortField' + - description: Sort order + example: asc in: query - name: prerelease + name: sort_order required: false schema: - type: boolean - - description: >- - When true, return inputs even if the package signature cannot be - verified + $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' + - description: Page number + example: 1 in: query - name: ignoreUnverified + name: page + required: false + schema: + default: 1 + minimum: 1 + type: integer + - description: AnonymizationFields per page + example: 20 + in: query + name: per_page + required: false + schema: + default: 20 + minimum: 0 + type: integer + - description: If true, additionally fetch all anonymization fields, otherwise fetch only the provided page + in: query + name: all_data required: false schema: type: boolean 
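Review bot: The `x-codeSamples` curl example added for `/api/security_ai_assistant/anonymization_fields/_bulk_action` sends `--header "Authorization: $API_KEY"` without the `ApiKey` scheme prefix, so a user pasting it will get an authentication failure rather than the documented 200; the saved-objects samples in the same hunk use `-H "Authorization: ApiKey ${API_KEY}"` and also pass `-H "kbn-xsrf: true"`, which this sample omits even though every other POST operation in the hunk declares `kbn-xsrf` as a required CSRF header (whether this route is exempt is not visible here, so verify). Suggested lines: `--request POST "${KIBANA_URL}/api/security_ai_assistant/anonymization_fields/_bulk_action" \`, `--header "Authorization: ApiKey ${API_KEY}" \`, `--header "kbn-xsrf: true" \`. Separately, the `_resolve_import_errors` 200 and 400 responses carry only examples and no `schema`, unlike the `_import` operation directly above, so the contract for the retry results is undocumented. The enclosing `paths` mapping starts and ends outside this hunk.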
@@ -28816,1288 +46946,978 @@ paths: content: application/json: examples: - getInputsTemplateExample: - description: Inputs template for a package + FindAnonymizationFieldsResponse200Example: value: - inputs: - - description: Collect logs from log files - title: Collect logs from files - type: logfile - vars: - - name: paths - required: true - title: Paths - type: text + aggregations: + field_status: + buckets: + allowed: + doc_count: 1 + anonymized: + doc_count: 1 + denied: + doc_count: 1 + all: + - allowed: true + anonymized: true + createdAt: '2023-10-31T12:00:00Z' + createdBy: user1 + field: user.name + id: '1' + namespace: default + timestamp: '2023-10-31T12:00:00Z' + updatedAt: '2023-10-31T12:00:00Z' + updatedBy: user1 + data: + - allowed: true + anonymized: true + createdAt: '2023-10-31T12:00:00Z' + createdBy: user1 + field: user.name + id: '1' + namespace: default + timestamp: '2023-10-31T12:00:00Z' + updatedAt: '2023-10-31T12:00:00Z' + updatedBy: user1 + page: 1 + perPage: 20 + total: 100 schema: - anyOf: - - type: string - - $ref: '#/components/schemas/Kibana_HTTP_APIs_get_inputs_response' - description: Successful response + type: object + properties: + aggregations: + type: object + properties: + field_status: + type: object + properties: + buckets: + type: object + properties: + allowed: + type: object + properties: + doc_count: + default: 0 + type: integer + anonymized: + type: object + properties: + doc_count: + default: 0 + type: integer + denied: + type: object + properties: + doc_count: + default: 0 + type: integer + all: + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse' + type: array + data: + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse' + type: array + page: + type: integer + perPage: + type: integer + total: + type: integer + required: + - page + - perPage + - total + - data + description: Indicates a successful call. 
'400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + FindAnonymizationFieldsResponse400Example: value: error: Bad Request - message: An error message describing what went wrong + message: Invalid request parameters statusCode: 400 schema: - additionalProperties: false - description: Generic Error type: object properties: - attributes: - nullable: true error: type: string - errorType: - type: string message: type: string statusCode: type: number - required: - - message - - attributes - description: Bad Request - summary: Get an inputs template + description: Bad Request response. + summary: Get anonymization fields tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/verification_key_id: - get: - description: >- - Get the GPG key ID used to verify the signatures of packages from the - Elastic Package Registry.

[Required authorization] Route - required privileges: integrations-read OR fleet-setup OR fleet-all. - operationId: get-fleet-epm-verification-key-id - parameters: [] + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request GET 'http://localhost:5601/api/security_ai_assistant/anonymization_fields/_find?page=1&per_page=20' \ + --header "Authorization: $API_KEY" + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security_ai_assistant/chat/complete: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/security_ai_assistant/chat/complete
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a model response for the given chat conversation. + operationId: ChatComplete + parameters: + - description: If true, the response will not include content references. + example: false + in: query + name: content_references_disabled + required: false + schema: + default: false + type: boolean + requestBody: + content: + application/json: + examples: + ChatCompleteRequest: + value: + connectorId: conn-001 + conversationId: abc123 + isStream: true + langSmithApiKey: + langSmithProject: security_ai_project + messages: + - content: What are some common phishing techniques? + data: + user_id: user_789 + fields_to_anonymize: + - user.name + - source.ip + role: user + model: gpt-4 + persist: true + promptId: prompt_456 + responseLanguage: en + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_ChatCompleteProps' + required: true responses: '200': content: - application/json: + application/octet-stream: examples: - getVerificationKeyIdExample: - description: The GPG key ID used to verify package signatures - value: - id: D27D666CD88E42B4 + ChatCompleteResponse200Example: + value: (streaming binary response) schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_get_verification_key_id_response - description: Successful response + format: binary + type: string + description: Indicates a successful model response call. '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + ChatCompleteResponse400Example: value: error: Bad Request - message: An error message describing what went wrong + message: Invalid request payload. statusCode: 400 schema: - additionalProperties: false - description: Generic Error type: object properties: - attributes: - nullable: true error: - type: string - errorType: + description: Error type. 
+ example: Bad Request type: string message: + description: Human-readable error message. + example: Invalid request payload. type: string statusCode: + description: HTTP status code. + example: 400 type: number - required: - - message - - attributes - description: Bad Request - summary: Get a package signature verification key ID + description: Bad Request response. + summary: Create a model response tags: - - Elastic Package Manager (EPM) - /api/fleet/fleet_server_hosts: - get: - description: >- - List all Fleet Server hosts.

[Required authorization] Route - required privileges: fleet-agents-all OR fleet-settings-read. - operationId: get-fleet-fleet-server-hosts - parameters: [] + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request POST 'http://localhost:5601/api/security_ai_assistant/chat/complete' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" \ + --data '{"connectorId":"conn-001","persist":true,"messages":[{"role":"user","content":"What are common phishing techniques?"}]}' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security_ai_assistant/current_user/conversations: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/security_ai_assistant/current_user/conversations
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + This endpoint allows users to permanently delete all conversations. + operationId: DeleteAllConversations + requestBody: + content: + application/json: + examples: + DeleteAllConversationsRequest: + value: + excludedIds: + - abc123 + - def456 + schema: + type: object + properties: + excludedIds: + description: Optional list of conversation IDs to delete. + example: + - abc123 + - def456 + items: + type: string + type: array + required: false responses: '200': content: application/json: examples: - getFleetServerHostsExample: - description: List of Fleet Server hosts + DeleteAllConversationsResponse200Example: value: - items: - - host_urls: - - https://fleet-server.example.com:8220 - id: fleet-server-host-id-1 - is_default: true - is_preconfigured: false - name: Default Fleet Server - page: 1 - perPage: 20 - total: 1 + failures: [] + success: true + totalDeleted: 10 schema: - additionalProperties: false type: object properties: - items: + failures: items: - additionalProperties: false - type: object - properties: - host_urls: - items: - type: string - maxItems: 10 - minItems: 1 - type: array - id: - type: string - is_default: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: - default: false - type: boolean - name: - type: string - proxy_id: - nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - ssl: - additionalProperties: false - type: object - properties: - agent_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - es_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - 
additionalProperties: false - nullable: true - type: object - properties: - agent_certificate: - type: string - agent_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - agent_key: - type: string - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - client_auth: - enum: - - optional - - required - - none - type: string - es_certificate: - type: string - es_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - es_key: - type: string - key: - type: string - required: - - name - - host_urls - - id - maxItems: 10000 + type: string type: array - page: - type: number - perPage: - type: number - total: + success: + example: true + type: boolean + totalDeleted: + example: 10 type: number - required: - - items - - total - - page - - perPage - description: Successful response + description: Indicates a successful call. The conversations were deleted successfully. '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + DeleteAllConversationsResponse400Example: value: error: Bad Request - message: An error message describing what went wrong + message: Invalid conversation ID statusCode: 400 schema: - additionalProperties: false - description: Generic Error type: object properties: - attributes: - nullable: true error: - type: string - errorType: + example: Bad Request type: string message: + example: Invalid conversation ID type: string statusCode: + example: 400 type: number - required: - - message - - attributes - description: Bad Request - summary: Get Fleet Server hosts + description: Bad Request response. 
+ summary: Delete conversations tags: - - Fleet Server hosts + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request DELETE 'http://localhost:5601/api/security_ai_assistant/current_user/conversations' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" \ + --data '{"excludedIds":["abc123"]}' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name post: - description: >- - Create a new Fleet Server host.

[Required authorization] Route - required privileges: fleet-settings-all. - operationId: post-fleet-fleet-server-hosts - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/security_ai_assistant/current_user/conversations
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new Security AI Assistant conversation. This endpoint allows the user to initiate a conversation with the Security AI Assistant by providing the required parameters. + operationId: CreateConversation requestBody: content: application/json: examples: - postFleetServerHostRequestExample: - description: Create a new Fleet Server host + CreateConversationRequest: value: - host_urls: - - https://fleet-server.example.com:8220 - is_default: false - name: My Fleet Server + apiConfig: + actionTypeId: '67890' + connectorId: '12345' + category: assistant + excludeFromLastConversationStorage: false + messages: + - content: Hello, how can I assist you today? + role: system + timestamp: '2023-10-31T12:00:00Z' + replacements: {} + title: Security Discussion schema: - additionalProperties: false - type: object - properties: - host_urls: - items: + $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationCreateProps' + required: true + responses: + '200': + content: + application/json: + examples: + CreateConversationResponse200Example: + value: + apiConfig: + actionTypeId: '67890' + connectorId: '12345' + category: assistant + createdAt: '2023-10-31T12:01:00Z' + createdBy: + id: user1 + name: John Doe + excludeFromLastConversationStorage: false + id: abc123 + messages: + - content: Hello, how can I assist you today? + role: system + timestamp: '2023-10-31T12:00:00Z' + namespace: default + replacements: {} + title: Security Discussion + updatedAt: '2023-10-31T12:01:00Z' + users: + - id: user1 + name: John Doe + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse' + description: Indicates a successful call. The conversation was created successfully. 
+ '400': + content: + application/json: + examples: + CreateConversationResponse400Example: + value: + error: Bad Request + message: 'Missing required parameter: title' + statusCode: 400 + schema: + type: object + properties: + error: + example: Bad Request type: string - maxItems: 10 - minItems: 1 - type: array - id: - type: string - is_default: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: - default: false - type: boolean - name: - type: string - proxy_id: - nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - ssl: - additionalProperties: false - type: object - properties: - agent_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - es_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - nullable: true - type: object - properties: - agent_certificate: - type: string - agent_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - agent_key: - type: string - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - client_auth: - enum: - - optional - - required - - none - type: string - es_certificate: - type: string - es_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - es_key: - type: string - key: - type: string - required: - - name - - host_urls + message: + example: 'Missing required parameter: title' + type: string + statusCode: + example: 400 + type: number + description: Bad Request response. 
+ summary: Create a conversation + tags: + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request POST 'http://localhost:5601/api/security_ai_assistant/current_user/conversations' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" \ + --data '{"title":"Security Discussion","category":"assistant","messages":[{"content":"Hello","role":"system","timestamp":"2023-10-31T12:00:00Z"}],"apiConfig":{"connectorId":"12345","actionTypeId":"67890"},"replacements":{},"excludeFromLastConversationStorage":false}' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security_ai_assistant/current_user/conversations/_find: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/security_ai_assistant/current_user/conversations/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all conversations for the current user. This endpoint allows users to search, filter, sort, and paginate through their conversations. + operationId: FindConversations + parameters: + - description: A list of fields to include in the response. If omitted, all fields are returned. + in: query + name: fields + required: false + schema: + example: + - id + - title + - createdAt + items: + type: string + type: array + - description: A search query to filter the conversations. Can match against titles, messages, or other conversation attributes. + in: query + name: filter + required: false + schema: + example: Security Issue + type: string + - description: The field by which to sort the results. Valid fields are `created_at`, `title`, and `updated_at`. + in: query + name: sort_field + required: false + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_FindConversationsSortField' + example: created_at + - description: The order in which to sort the results. Can be either `asc` for ascending or `desc` for descending. + in: query + name: sort_order + required: false + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' + example: desc + - description: The page number of the results to retrieve. Default is 1. + in: query + name: page + required: false + schema: + default: 1 + example: 1 + minimum: 1 + type: integer + - description: The number of conversations to return per page. Default is 20. + in: query + name: per_page + required: false + schema: + default: 20 + example: 20 + minimum: 0 + type: integer + - description: Whether to return conversations that the current user owns. If true, only conversations owned by the user are returned. 
+ in: query + name: is_owner + required: false + schema: + default: false + example: true + type: boolean responses: '200': content: application/json: examples: - postFleetServerHostExample: - description: The created Fleet Server host + FindConversationsResponse200Example: value: - item: - host_urls: - - https://fleet-server.example.com:8220 - id: fleet-server-host-id-2 - is_default: false - is_preconfigured: false - name: My Fleet Server + data: + - category: assistant + createdAt: '2023-10-31T12:00:00Z' + createdBy: + id: user1 + name: John Doe + excludeFromLastConversationStorage: false + id: conv-abc123 + messages: [] + namespace: default + replacements: {} + title: Security Discussion + updatedAt: '2023-10-31T12:05:00Z' + users: + - id: user1 + name: John Doe + page: 1 + perPage: 20 + total: 5 schema: - additionalProperties: false type: object properties: - item: - additionalProperties: false - type: object - properties: - host_urls: - items: - type: string - maxItems: 10 - minItems: 1 - type: array - id: - type: string - is_default: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: - default: false - type: boolean - name: - type: string - proxy_id: - nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - ssl: - additionalProperties: false - type: object - properties: - agent_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - es_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - nullable: true - type: object - properties: - agent_certificate: - type: string - agent_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - 
agent_key: - type: string - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - client_auth: - enum: - - optional - - required - - none - type: string - es_certificate: - type: string - es_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - es_key: - type: string - key: - type: string - required: - - name - - host_urls - - id + data: + description: A list of conversations. + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse' + type: array + page: + description: The current page of the results. + example: 1 + type: integer + perPage: + description: The number of results returned per page. + example: 20 + type: integer + total: + description: The total number of conversations matching the filter criteria. + example: 100 + type: integer required: - - item - description: Successful response + - page + - perPage + - total + - data + description: Successful response, returns a paginated list of conversations matching the specified criteria. '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + FindConversationsResponse400Example: value: error: Bad Request - message: An error message describing what went wrong + message: Invalid filter parameter. statusCode: 400 schema: - additionalProperties: false - description: Generic Error type: object properties: - attributes: - nullable: true error: - type: string - errorType: + example: Bad Request type: string message: + example: Invalid filter query parameter type: string statusCode: + example: 400 type: number - required: - - message - - attributes - description: Bad Request - summary: Create a Fleet Server host + description: Bad Request response. 
+ summary: Get conversations tags: - - Fleet Server hosts - /api/fleet/fleet_server_hosts/{itemId}: + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request GET 'http://localhost:5601/api/security_ai_assistant/current_user/conversations/_find?page=1&per_page=20' \ + --header "Authorization: $API_KEY" + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security_ai_assistant/current_user/conversations/{id}: delete: - description: >- - Delete a Fleet Server host by ID.

[Required authorization] - Route required privileges: fleet-settings-all. - operationId: delete-fleet-fleet-server-hosts-itemid + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/security_ai_assistant/current_user/conversations/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete an existing conversation using the conversation ID. This endpoint allows users to permanently delete a conversation. + operationId: DeleteConversation parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The ID of the Fleet Server host + - description: The conversation's `id` value. + example: abc123 in: path - name: itemId + name: id required: true schema: - type: string + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' responses: '200': content: application/json: examples: - deleteFleetServerHostExample: - description: The Fleet Server host was successfully deleted + DeleteConversationResponse200Example: value: - id: fleet-server-host-id-1 + apiConfig: + actionTypeId: '67890' + connectorId: '12345' + category: assistant + createdAt: '2023-10-31T12:01:00Z' + createdBy: + id: user1 + name: John Doe + excludeFromLastConversationStorage: false + id: abc123 + messages: + - content: The conversation has been deleted. + role: system + timestamp: '2023-10-31T12:35:00Z' + namespace: default + replacements: {} + title: Deleted Security Discussion + updatedAt: '2023-10-31T12:01:00Z' + users: + - id: user1 + name: John Doe schema: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - description: Successful response + $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse' + description: Indicates a successful call. The conversation was deleted successfully. 
'400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + DeleteConversationResponse400Example: value: error: Bad Request - message: An error message describing what went wrong + message: Invalid conversation ID statusCode: 400 schema: - additionalProperties: false - description: Generic Error type: object properties: - attributes: - nullable: true error: - type: string - errorType: + example: Bad Request type: string message: + example: Invalid conversation ID type: string statusCode: + example: 400 type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No Fleet Server host was found with the given ID - value: - error: Not Found - message: Fleet server fleet-server-host-id-1 not found - statusCode: 404 - description: Not Found - summary: Delete a Fleet Server host + description: Bad Request response. + summary: Delete a conversation tags: - - Fleet Server hosts + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request DELETE 'http://localhost:5601/api/security_ai_assistant/current_user/conversations/abc123' \ + --header "Authorization: $API_KEY" + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name get: - description: >- - Get a Fleet Server host by ID.

[Required authorization] Route - required privileges: fleet-settings-read. - operationId: get-fleet-fleet-server-hosts-itemid + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/security_ai_assistant/current_user/conversations/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the details of an existing conversation using the conversation ID. This allows users to fetch the specific conversation data by its unique ID. + operationId: ReadConversation parameters: - - description: The ID of the Fleet Server host + - description: The conversation's `id` value, a unique identifier for the conversation. + example: abc123 in: path - name: itemId + name: id required: true schema: - type: string + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' responses: '200': content: application/json: examples: - getFleetServerHostExample: - description: A Fleet Server host + ReadConversationResponse200Example: value: - item: - host_urls: - - https://fleet-server.example.com:8220 - id: fleet-server-host-id-1 - is_default: true - is_preconfigured: false - name: Default Fleet Server - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - host_urls: - items: - type: string - maxItems: 10 - minItems: 1 - type: array - id: - type: string - is_default: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: - default: false - type: boolean - name: - type: string - proxy_id: - nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - ssl: - additionalProperties: false - type: object - properties: - agent_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - es_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - nullable: true - type: object - properties: - 
agent_certificate: - type: string - agent_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - agent_key: - type: string - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - client_auth: - enum: - - optional - - required - - none - type: string - es_certificate: - type: string - es_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - es_key: - type: string - key: - type: string - required: - - name - - host_urls - - id - required: - - item - description: Successful response + apiConfig: + actionTypeId: '67890' + connectorId: '12345' + category: assistant + createdAt: '2023-10-31T12:01:00Z' + createdBy: + id: user1 + name: John Doe + excludeFromLastConversationStorage: false + id: abc123 + messages: + - content: Hello, how can I assist you today? + role: system + timestamp: '2023-10-31T12:00:00Z' + namespace: default + replacements: {} + title: Security Discussion + updatedAt: '2023-10-31T12:01:00Z' + users: + - id: user1 + name: John Doe + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse' + description: Indicates a successful call. The conversation details are returned. 
'400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + ReadConversationResponse400Example: value: error: Bad Request - message: An error message describing what went wrong + message: Invalid conversation ID statusCode: 400 schema: - additionalProperties: false - description: Generic Error type: object properties: - attributes: - nullable: true error: - type: string - errorType: + example: Bad Request type: string message: + example: Invalid conversation ID type: string statusCode: + example: 400 type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No Fleet Server host was found with the given ID - value: - error: Not Found - message: Fleet server fleet-server-host-id-1 not found - statusCode: 404 - description: Not Found - summary: Get a Fleet Server host + description: Bad Request response. + summary: Get a conversation tags: - - Fleet Server hosts + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request GET 'http://localhost:5601/api/security_ai_assistant/current_user/conversations/abc123' \ + --header "Authorization: $API_KEY" + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name put: - description: >- - Update a Fleet Server host by ID.

[Required authorization] - Route required privileges: fleet-settings-all. - operationId: put-fleet-fleet-server-hosts-itemid + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/security_ai_assistant/current_user/conversations/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an existing conversation using the conversation ID. This endpoint allows users to modify the details of an existing conversation. + operationId: UpdateConversation parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The ID of the Fleet Server host + - description: The conversation's `id` value. + example: abc123 in: path - name: itemId + name: id required: true schema: - type: string + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' requestBody: content: application/json: examples: - putFleetServerHostRequestExample: - description: Update a Fleet Server host + UpdateConversationRequest: value: - host_urls: - - https://updated-fleet-server.example.com:8220 - is_default: false - name: Updated Fleet Server + apiConfig: + actionTypeId: '09876' + connectorId: '54321' + category: insights + excludeFromLastConversationStorage: true + messages: + - content: The issue was resolved. 
+ role: assistant + timestamp: '2023-10-31T12:30:00Z' + replacements: {} + title: Updated Security Discussion schema: - additionalProperties: false - type: object - properties: - host_urls: - items: - type: string - maxItems: 10 - minItems: 1 - type: array - is_default: - type: boolean - is_internal: - type: boolean - name: - type: string - proxy_id: - nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - ssl: - additionalProperties: false - type: object - properties: - agent_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - es_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - nullable: true - type: object - properties: - agent_certificate: - type: string - agent_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - agent_key: - type: string - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - client_auth: - enum: - - optional - - required - - none - type: string - es_certificate: - type: string - es_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - es_key: - type: string - key: - type: string - required: - - proxy_id + $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationUpdateProps' + required: true responses: '200': content: application/json: examples: - putFleetServerHostExample: - description: The updated Fleet Server host + UpdateConversationResponse200Example: value: - item: - host_urls: - - https://updated-fleet-server.example.com:8220 - id: fleet-server-host-id-1 - is_default: false - is_preconfigured: false - name: Updated Fleet Server + apiConfig: + 
actionTypeId: '09876' + connectorId: '54321' + category: insights + createdAt: '2023-10-31T12:01:00Z' + createdBy: + id: user1 + name: John Doe + excludeFromLastConversationStorage: true + id: abc123 + messages: + - content: The issue was resolved. + role: assistant + timestamp: '2023-10-31T12:30:00Z' + namespace: default + replacements: {} + title: Updated Security Discussion + updatedAt: '2023-10-31T12:31:00Z' + users: + - id: user1 + name: John Doe schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - host_urls: - items: - type: string - maxItems: 10 - minItems: 1 - type: array - id: - type: string - is_default: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: - default: false - type: boolean - name: - type: string - proxy_id: - nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - ssl: - additionalProperties: false - type: object - properties: - agent_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - es_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - nullable: true - type: object - properties: - agent_certificate: - type: string - agent_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - agent_key: - type: string - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - client_auth: - enum: - - optional - - required - - none - type: string - es_certificate: - type: string - es_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - es_key: - type: string - key: 
- type: string - required: - - name - - host_urls - - id - required: - - item - description: Successful response + $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse' + description: Indicates a successful call. The conversation was updated successfully. '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + UpdateConversationResponse400Example: value: error: Bad Request - message: An error message describing what went wrong + message: 'Missing required field: title' statusCode: 400 schema: - additionalProperties: false - description: Generic Error type: object properties: - attributes: - nullable: true error: - type: string - errorType: + example: Bad Request type: string message: + example: 'Missing required field: title' type: string statusCode: + example: 400 type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No Fleet Server host was found with the given ID - value: - error: Not Found - message: Fleet server fleet-server-host-id-1 not found - statusCode: 404 - description: Not Found - summary: Update a Fleet Server host + description: Bad Request response. + summary: Update a conversation tags: - - Fleet Server hosts - /api/fleet/health_check: - post: - description: >- - Check the health status of a Fleet Server instance by its host ID. - Returns the server status and name if available.

[Required - authorization] Route required privileges: fleet-settings-all. - operationId: post-fleet-health-check - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postHealthCheckRequestExample: - description: Check the health of a Fleet Server instance by its host ID - value: - id: fleet-server-host-id-1 - schema: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request PUT 'http://localhost:5601/api/security_ai_assistant/current_user/conversations/abc123' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" \ + --data '{"title":"Updated Security Discussion","category":"insights","messages":[{"content":"Resolved.","role":"assistant","timestamp":"2023-10-31T12:30:00Z"}],"apiConfig":{"connectorId":"54321","actionTypeId":"09876"},"replacements":{},"excludeFromLastConversationStorage":true}' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security_ai_assistant/knowledge_base: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/security_ai_assistant/knowledge_base
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Read a single KB + operationId: GetKnowledgeBase responses: '200': content: application/json: examples: - postHealthCheckHealthyExample: - description: Fleet Server is online and healthy - value: - name: fleet-server-1 - status: ONLINE - postHealthCheckUnreachableExample: - description: >- - Fleet Server host is not reachable (request timed out or - aborted) + KnowledgeBaseReadResponse200Example2: + summary: A response that returns information about the knowledge base. value: - host_id: fleet-server-host-id-1 - status: OFFLINE + defend_insights_exists: true + elser_exists: false + is_setup_available: true + is_setup_in_progress: true + product_documentation_status: installed + security_labs_exists: false + user_data_exists: true schema: - additionalProperties: false - type: object - properties: - host_id: - type: string - name: - type: string - status: - type: string - required: - - status - description: Successful health check response + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseReadResponse200' + description: Indicates a successful call. '400': content: application/json: examples: - badRequestExample: - description: >- - The host ID exists but has no associated host URLs - configured + GetKnowledgeBaseResponse400Example: value: error: Bad Request - message: >- - The requested host id fleet-server-host-id-1 does not have - associated host urls. + message: Invalid resource ID provided. statusCode: 400 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400' + description: Bad Request response. 
+ summary: Read a KnowledgeBase + tags: + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request GET 'http://localhost:5601/api/security_ai_assistant/knowledge_base' \ + --header "Authorization: $API_KEY" + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/security_ai_assistant/knowledge_base
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a knowledge base. Use this endpoint when no specific resource identifier is needed. + operationId: PostKnowledgeBase + parameters: + - description: ELSER modelId to use when setting up the Knowledge Base. If not provided, a default model will be used. + example: elser-model-001 + in: query + name: modelId + required: false + schema: + type: string + - description: Indicates whether we should or should not install Security Labs docs when setting up the Knowledge Base. Defaults to `false`. + example: true + in: query + name: ignoreSecurityLabs + required: false + schema: + default: false + type: boolean + responses: + '200': content: application/json: examples: - notFoundExample: - description: No Fleet Server host was found with the given ID + KnowledgeBaseResponse200Example2: + summary: A response that indicates that the request was successful. value: - error: Not Found - message: >- - The requested host id fleet-server-host-id-1 does not - exist. - statusCode: 404 + success: true schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Not Found - summary: Check Fleet Server health + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse' + description: Indicates a successful call. + '400': + content: + application/json: + examples: + KnowledgeBaseResponse400Example2: + summary: A response for a request that failed due to an invalid query parameter value. + value: | + statusCode: 400 error: Bad Request message: "[request query]: ignoreSecurityLabs: Invalid enum value. 
Expected 'true' | 'false', received 'yes', ignoreSecurityLabs: Expected boolean, received string" + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400' + description: Bad Request response. + summary: Create a KnowledgeBase tags: - - Fleet internals - /api/fleet/kubernetes: + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request POST 'http://localhost:5601/api/security_ai_assistant/knowledge_base?ignoreSecurityLabs=false' \ + --header "Authorization: $API_KEY" + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security_ai_assistant/knowledge_base/{resource}: get: - description: >- - Get the Kubernetes manifest for deploying Elastic - Agent.

[Required authorization] Route required privileges: - fleet-agent-policies-read OR fleet-setup. - operationId: get-fleet-kubernetes + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/security_ai_assistant/knowledge_base/{resource}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Read a knowledge base with a specific resource identifier. + operationId: ReadKnowledgeBase parameters: - - description: If true, returns the manifest as a downloadable file - in: query - name: download - required: false - schema: - type: boolean - - description: Fleet Server host URL to include in the manifest - in: query - name: fleetServer - required: false - schema: - type: string - - description: Enrollment token to include in the manifest - in: query - name: enrolToken - required: false + - description: The KnowledgeBase `resource` value. + example: kb12345 + in: path + name: resource + required: true schema: type: string responses: 
@@ -30105,706 +47925,1016 @@ paths: content: application/json: examples: - getK8sManifestExample: - description: The Kubernetes manifest for deploying Elastic Agent + KnowledgeBaseReadResponse200Example1: + summary: A response that returns information about the knowledge base. value: - item: >- - apiVersion: v1\nkind: ConfigMap\nmetadata:\n name: - agent-node-datastreams\n namespace: kube-system\n + defend_insights_exists: true + elser_exists: false + is_setup_available: true + is_setup_in_progress: true + product_documentation_status: installed + security_labs_exists: false + user_data_exists: true schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_get_k8s_manifest_response - description: Successful response + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseReadResponse200' + description: Indicates a successful call. '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + ReadKnowledgeBaseResponse400Example: value: error: Bad Request - message: An error message describing what went wrong + message: Invalid resource ID provided. statusCode: 400 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get a full K8s agent manifest + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400' + description: Bad Request response. + summary: Read a KnowledgeBase for a resource tags: - - Elastic Agent policies - /api/fleet/kubernetes/download: - get: - description: >- - Download the Kubernetes manifest for deploying Elastic - Agent.

[Required authorization] Route required privileges: - fleet-agent-policies-read OR fleet-setup. - operationId: get-fleet-kubernetes-download + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request GET 'http://localhost:5601/api/security_ai_assistant/knowledge_base/kb12345' \ + --header "Authorization: $API_KEY" + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/security_ai_assistant/knowledge_base/{resource}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a knowledge base with a specific resource identifier. + operationId: CreateKnowledgeBase parameters: - - description: If true, returns the manifest as a downloadable file - in: query - name: download - required: false + - description: The KnowledgeBase `resource` value. + example: kb12345 + in: path + name: resource + required: true schema: - type: boolean - - description: Fleet Server host URL to include in the manifest + type: string + - description: ELSER modelId to use when setting up the Knowledge Base. If not provided, a default model will be used. + example: elser-model-001 in: query - name: fleetServer + name: modelId required: false schema: type: string - - description: Enrollment token to include in the manifest + - description: Indicates whether we should or should not install Security Labs docs when setting up the Knowledge Base. Defaults to `false`. + example: true in: query - name: enrolToken + name: ignoreSecurityLabs required: false schema: - type: string + default: false + type: boolean responses: '200': content: application/json: examples: - getDownloadK8sManifestExample: - description: The Kubernetes manifest download - value: >- - apiVersion: v1\nkind: ConfigMap\nmetadata:\n name: - agent-node-datastreams\n namespace: kube-system\n - schema: - type: string - description: >- - Successful response — returns the Kubernetes manifest as a YAML file - download - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response + KnowledgeBaseResponse200Example1: + summary: A response that indicates that the request was successful. 
value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + success: true schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse' + description: Indicates a successful call. + '400': content: application/json: examples: - notFoundExample: - description: No manifest was found - value: - error: Not Found - message: Agent manifest not found - statusCode: 404 + KnowledgeBaseResponse400Example1: + summary: A response for a request that failed due to an invalid query parameter value. + value: | + statusCode: 400 error: Bad Request message: "[request query]: ignoreSecurityLabs: Invalid enum value. Expected 'true' | 'false', received 'yes', ignoreSecurityLabs: Expected boolean, received string" schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Not Found - summary: Download an agent manifest + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400' + description: Bad Request response. 
+ summary: Create a KnowledgeBase for a resource tags: - - Elastic Agent policies - /api/fleet/logstash_api_keys: + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request POST 'http://localhost:5601/api/security_ai_assistant/knowledge_base/kb12345?ignoreSecurityLabs=false' \ + --header "Authorization: $API_KEY" + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security_ai_assistant/knowledge_base/entries: post: - description: >- - Generate an API key for Logstash to use with a Fleet - output.

[Required authorization] Route required privileges: - fleet-settings-all. - operationId: post-fleet-logstash-api-keys - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/security_ai_assistant/knowledge_base/entries
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a Knowledge Base Entry + operationId: CreateKnowledgeBaseEntry + requestBody: + content: + application/json: + examples: + CreateKnowledgeBaseEntryRequest: + value: + kbResource: user + name: How to reset a password + source: manual + text: To reset your password, go to the settings page and click 'Reset Password'. + type: document + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryCreateProps' + required: true responses: '200': content: application/json: examples: - postLogstashApiKeyExample: - description: The generated Logstash API key + CreateKnowledgeBaseEntryResponse200Example: value: - api_key: TiNAGG4BaaMdaH1tRfuU:KnR6yE41RrSowb0kQ0HWoA + createdAt: '2024-01-15T10:00:00.000Z' + createdBy: user@example.com + global: false + id: '12345' + kbResource: user + name: How to reset a password + namespace: default + source: manual + text: To reset your password, go to the settings page and click 'Reset Password'. + type: document + updatedAt: '2024-01-15T10:00:00.000Z' + updatedBy: user@example.com schema: - additionalProperties: false - type: object - properties: - api_key: - type: string - required: - - api_key - description: Successful response + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse' + description: Successful request returning Knowledge Base Entries '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + CreateKnowledgeBaseEntryResponse400Example: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + error: Invalid input + message: The 'name' field is required. 
schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Generate a Logstash API key + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema' + description: Bad Request response. + summary: Create a Knowledge Base Entry tags: - - Fleet outputs - /api/fleet/message_signing_service/rotate_key_pair: + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request POST 'http://localhost:5601/api/security_ai_assistant/knowledge_base/entries' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" \ + --data '{"name":"How to reset a password","type":"document","kbResource":"user","source":"manual","text":"To reset your password, go to the settings page and click Reset Password."}' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security_ai_assistant/knowledge_base/entries/_bulk_action: post: - description: >- - Rotate the key pair used by Fleet to sign messages sent to Elastic - Agents. This operation is irreversible and requires all agents in the - Fleet to be re-enrolled after rotation. You must explicitly acknowledge - the risk by passing `acknowledge=true` as a query - parameter.

[Required authorization] Route required privileges: - fleet-agents-all AND fleet-agent-policies-all AND fleet-settings-all. - operationId: post-fleet-message-signing-service-rotate-key-pair - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: >- - Set to true to confirm you understand the risks of rotating the key - pair - in: query - name: acknowledge - required: false - schema: - default: false - type: boolean + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/security_ai_assistant/knowledge_base/entries/_bulk_action
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + The bulk action is applied to all Knowledge Base Entries that match the filter or to the list of Knowledge Base Entries by their IDs. + operationId: PerformKnowledgeBaseEntryBulkAction + requestBody: + content: + application/json: + examples: + PerformKnowledgeBaseEntryBulkActionRequest: + value: + create: + - kbResource: user + name: New Entry + source: manual + text: This is the content of the new entry. + type: document + delete: + ids: + - '789' + update: + - id: '123' + kbResource: user + name: Updated Entry + source: manual + text: Updated content. + type: document + schema: + type: object + properties: + create: + description: List of Knowledge Base Entries to create. + example: + - kbResource: user + name: New Entry + source: manual + text: This is the content of the new entry. + type: document + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryCreateProps' + type: array + delete: + type: object + properties: + ids: + description: Array of Knowledge Base Entry IDs. + example: + - '123' + - '456' + - '789' + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter Knowledge Base Entries. + example: status:active AND category:technology + type: string + update: + description: List of Knowledge Base Entries to update. + example: + - id: '123' + kbResource: user + name: Updated Entry + source: manual + text: Updated content. + type: document + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryUpdateProps' + type: array responses: '200': content: application/json: examples: - rotateKeyPairSuccessExample: - description: >- - The key pair was rotated. All agents must be re-enrolled to - receive the new signing key. + PerformKnowledgeBaseEntryBulkActionResponse200Example: value: - message: Key pair rotated successfully. 
+ attributes: + results: + created: + - createdAt: '2024-01-15T10:00:00.000Z' + createdBy: user@example.com + global: false + id: '456' + kbResource: user + name: New Entry + namespace: default + source: manual + text: This is the content of the new entry. + type: document + updatedAt: '2024-01-15T10:00:00.000Z' + updatedBy: user@example.com + deleted: + - '789' + skipped: [] + updated: + - createdAt: '2024-01-14T09:00:00.000Z' + createdBy: user@example.com + global: false + id: '123' + kbResource: user + name: Updated Entry + namespace: default + source: manual + text: Updated content. + type: document + updatedAt: '2024-01-15T10:00:00.000Z' + updatedBy: user@example.com + summary: + failed: 0 + skipped: 0 + succeeded: 3 + total: 3 + knowledgeBaseEntriesCount: 3 + message: Bulk action completed successfully. + statusCode: 200 + success: true schema: - additionalProperties: false - type: object - properties: - message: - type: string - required: - - message - description: Key pair rotated successfully + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionResponse' + description: Successful bulk operation request '400': content: application/json: examples: - acknowledgeRequiredExample: - description: >- - Request was rejected because the acknowledge query parameter - was not set to true + PerformKnowledgeBaseEntryBulkActionResponse400Example: value: error: Bad Request - message: >- - Warning: this API will cause a key pair to rotate and - should not be necessary in normal operation. If you - proceed, you may need to reinstall Agents in your network. - You must acknowledge the risks of rotating the key pair - with acknowledge=true in the request parameters. For more - information, reach out to your administrator. + message: Invalid request body. 
statusCode: 400 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '500': - content: - application/json: - examples: - serviceUnavailableExample: - description: The message signing service is not available - value: - error: Internal Server Error - message: >- - Failed to rotate key pair. Message signing service is - unavailable! - statusCode: 500 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Internal Server Error - summary: Rotate a Fleet message signing key pair + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema' + description: Bad Request response. + summary: Applies a bulk action to multiple Knowledge Base Entries tags: - - Message Signing Service - /api/fleet/outputs: + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request POST 'http://localhost:5601/api/security_ai_assistant/knowledge_base/entries/_bulk_action' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" \ + --data '{"create":[{"name":"Runbook","type":"document","kbResource":"user","source":"manual","text":"Steps to triage an alert."}]}' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security_ai_assistant/knowledge_base/entries/_find: get: - description: >- - List all Fleet outputs.

[Required authorization] Route required - privileges: fleet-settings-read OR fleet-agent-policies-read. - operationId: get-fleet-outputs - parameters: [] + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/security_ai_assistant/knowledge_base/entries/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Finds Knowledge Base Entries that match the given query. + operationId: FindKnowledgeBaseEntries + parameters: + - description: A list of fields to include in the response. If not provided, all fields will be included. + in: query + name: fields + required: false + schema: + example: + - name + - created_at + items: + type: string + type: array + - description: Search query to filter Knowledge Base Entries by specific criteria. + in: query + name: filter + required: false + schema: + example: error handling + type: string + - description: Field to sort the Knowledge Base Entries by. + in: query + name: sort_field + required: false + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_FindKnowledgeBaseEntriesSortField' + example: created_at + - description: Sort order for the results, either asc or desc. + in: query + name: sort_order + required: false + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' + example: asc + - description: Page number for paginated results. Defaults to 1. + in: query + name: page + required: false + schema: + default: 1 + example: 2 + minimum: 1 + type: integer + - description: Number of Knowledge Base Entries to return per page. Defaults to 20. 
+ in: query + name: per_page + required: false + schema: + default: 20 + example: 10 + minimum: 0 + type: integer responses: '200': content: application/json: examples: - getOutputsExample: - description: List of Fleet outputs + FindKnowledgeBaseEntriesResponse200Example: value: - items: - - hosts: - - https://elasticsearch.example.com:9200 - id: output-id-1 - is_default: true - is_default_monitoring: true - name: Default output - type: elasticsearch + data: + - createdAt: '2024-01-15T10:00:00.000Z' + createdBy: user@example.com + global: false + id: '12345' + kbResource: user + name: How to reset a password + namespace: default + source: manual + text: To reset your password, go to the settings page and click 'Reset Password'. + type: document + updatedAt: '2024-01-15T10:00:00.000Z' + updatedBy: user@example.com page: 1 perPage: 20 - total: 1 + total: 100 schema: - additionalProperties: false type: object properties: - items: + data: + description: The list of Knowledge Base Entries for the current page. items: - anyOf: - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_output_elasticsearch - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_output_remote_elasticsearch - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_output_logstash - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_kafka' - maxItems: 10000 + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse' type: array page: - type: number + description: The current page number. + example: 1 + type: integer perPage: - type: number + description: The number of Knowledge Base Entries returned per page. + example: 20 + type: integer total: - type: number + description: The total number of Knowledge Base Entries available. + example: 100 + type: integer required: - - items - - total - page - perPage - description: Successful response + - total + - data + description: Successful response containing the paginated Knowledge Base Entries. 
'400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + FindKnowledgeBaseEntriesResponse400Example: value: error: Bad Request - message: An error message describing what went wrong + message: 'Invalid query parameter: sort_order' statusCode: 400 schema: - additionalProperties: false - description: Generic Error type: object properties: - attributes: - nullable: true error: - type: string - errorType: + description: A short description of the error. + example: Bad Request type: string message: + description: A detailed message explaining the error. + example: 'Invalid query parameter: sort_order' type: string statusCode: + description: The HTTP status code of the error. + example: 400 type: number - required: - - message - - attributes - description: Bad Request - summary: Get outputs + description: Bad Request response. + summary: Finds Knowledge Base Entries that match the given query. tags: - - Fleet outputs - post: - description: >- - Create a new Fleet output.

[Required authorization] Route - required privileges: fleet-settings-all. - operationId: post-fleet-outputs + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request GET 'http://localhost:5601/api/security_ai_assistant/knowledge_base/entries/_find?page=1&per_page=20' \ + --header "Authorization: $API_KEY" + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security_ai_assistant/knowledge_base/entries/{id}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/security_ai_assistant/knowledge_base/entries/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a Knowledge Base Entry by its unique `id`. + operationId: DeleteKnowledgeBaseEntry parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf + - description: The unique identifier (`id`) of the Knowledge Base Entry to delete. + example: '12345' + in: path + name: id required: true schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postOutputRequestExample: - description: Create a new Elasticsearch output - value: - hosts: - - https://elasticsearch.example.com:9200 - is_default: false - is_default_monitoring: false - name: My output - type: elasticsearch - schema: - anyOf: - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_new_output_elasticsearch - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_new_output_remote_elasticsearch - - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_output_logstash' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_output_kafka' + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' responses: '200': content: application/json: examples: - postOutputExample: - description: The created Fleet output + DeleteKnowledgeBaseEntryResponse200Example: value: - item: - hosts: - - https://elasticsearch.example.com:9200 - id: output-id-2 - is_default: false - is_default_monitoring: false - name: My output - type: elasticsearch + id: '12345' + message: Knowledge Base Entry successfully deleted. 
schema: - additionalProperties: false - type: object - properties: - item: - anyOf: - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_output_elasticsearch - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_output_remote_elasticsearch - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_logstash' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_kafka' - required: - - item - description: Successful response + $ref: '#/components/schemas/Security_AI_Assistant_API_DeleteResponseFields' + description: Successful request returning the `id` of the deleted Knowledge Base Entry. '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + DeleteKnowledgeBaseEntryResponse400Example: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + error: Not Found + message: No Knowledge Base Entry found with the provided `id`. schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Create output + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema' + description: Bad Request response. + summary: Deletes a single Knowledge Base Entry using the `id` field tags: - - Fleet outputs - /api/fleet/outputs/{outputId}: - delete: - description: >- - Delete output by ID.

[Required authorization] Route required - privileges: fleet-settings-all. - operationId: delete-fleet-outputs-outputid + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request DELETE 'http://localhost:5601/api/security_ai_assistant/knowledge_base/entries/12345' \ + --header "Authorization: $API_KEY" + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/security_ai_assistant/knowledge_base/entries/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve a Knowledge Base Entry by its unique `id`. + operationId: ReadKnowledgeBaseEntry parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf + - description: The unique identifier (`id`) of the Knowledge Base Entry to retrieve. + example: '12345' + in: path + name: id required: true schema: - example: 'true' - type: string - - description: The ID of the output + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + responses: + '200': + content: + application/json: + examples: + ReadKnowledgeBaseEntryResponse200Example: + value: + createdAt: '2024-01-15T10:00:00.000Z' + createdBy: user@example.com + global: false + id: '12345' + kbResource: user + name: How to reset a password + namespace: default + source: manual + text: To reset your password, go to the settings page and click 'Reset Password'. + type: document + updatedAt: '2024-01-15T10:00:00.000Z' + updatedBy: user@example.com + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse' + description: Successful request returning the requested Knowledge Base Entry. + '400': + content: + application/json: + examples: + ReadKnowledgeBaseEntryResponse400Example: + value: + error: Not Found + message: No Knowledge Base Entry found with the provided `id`. + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema' + description: Bad Request response. 
+ summary: Read a Knowledge Base Entry + tags: + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request GET 'http://localhost:5601/api/security_ai_assistant/knowledge_base/entries/12345' \ + --header "Authorization: $API_KEY" + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/security_ai_assistant/knowledge_base/entries/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an existing Knowledge Base Entry by its unique `id`. + operationId: UpdateKnowledgeBaseEntry + parameters: + - description: The unique identifier (`id`) of the Knowledge Base Entry to update. + example: '12345' in: path - name: outputId + name: id required: true schema: - type: string + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + requestBody: + content: + application/json: + examples: + UpdateKnowledgeBaseEntryRequest: + value: + kbResource: user + name: How to reset a password (updated) + source: manual + text: 'Updated: go to settings and click Reset Password, then follow the on-screen instructions.' + type: document + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryUpdateRouteProps' + required: true responses: '200': content: application/json: examples: - deleteOutputExample: - description: The output was successfully deleted + UpdateKnowledgeBaseEntryResponse200Example: value: - id: output-id-1 + createdAt: '2024-01-15T10:00:00.000Z' + createdBy: user@example.com + global: false + id: '12345' + kbResource: user + name: How to reset a password (updated) + namespace: default + source: manual + text: 'Updated: go to settings and click Reset Password, then follow the on-screen instructions.' + type: document + updatedAt: '2024-01-15T10:05:00.000Z' + updatedBy: user@example.com schema: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - description: Successful response + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse' + description: Successful request returning the updated Knowledge Base Entry. 
'400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + UpdateKnowledgeBaseEntryResponse400Example: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + error: Invalid input + message: The 'text' field cannot be empty. schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema' + description: Bad Request response. + summary: Update a Knowledge Base Entry + tags: + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request PUT 'http://localhost:5601/api/security_ai_assistant/knowledge_base/entries/12345' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" \ + --data '{"name":"How to reset a password (updated)","type":"document","kbResource":"user","source":"manual","text":"Updated: go to settings and click Reset Password, then follow the on-screen instructions."}' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security_ai_assistant/prompts/_bulk_action: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/security_ai_assistant/prompts/_bulk_action
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Apply a bulk action to multiple prompts. The bulk action is applied to all prompts that match the filter or to the list of prompts by their IDs. This action allows for bulk create, update, or delete operations. + operationId: PerformPromptsBulkAction + requestBody: + content: + application/json: + examples: + PerformPromptsBulkActionRequest: + value: + create: + - content: Please verify the security settings. + name: New Security Prompt + promptType: system + delete: + ids: + - prompt1 + - prompt2 + update: + - content: Updated content for security prompt. + id: prompt123 + schema: + type: object + properties: + create: + description: List of prompts to be created. + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_PromptCreateProps' + type: array + delete: + description: Criteria for deleting prompts in bulk. + type: object + properties: + ids: + description: Array of IDs to apply the action to. + example: + - '1234' + - '5678' + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter the bulk action. + example: 'status: ''inactive''' + type: string + update: + description: List of prompts to be updated. + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_PromptUpdateProps' + type: array + responses: + '200': content: application/json: examples: - notFoundExample: - description: No output was found with the given ID + success: value: - error: Not Found - message: Output output-id-1 not found - statusCode: 404 + attributes: + errors: [] + results: + created: + - content: Please verify the security settings. 
+ id: prompt6 + name: New Security Prompt + promptType: system + deleted: + - prompt2 + - prompt3 + skipped: + - id: prompt4 + name: Security Prompt + skip_reason: PROMPT_FIELD_NOT_MODIFIED + updated: + - content: Updated security settings prompt + id: prompt1 + name: Security Prompt + promptType: system + summary: + failed: 0 + skipped: 1 + succeeded: 4 + total: 5 + message: Bulk action completed successfully. + prompts_count: 5 + status_code: 200 + success: true + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_PromptsBulkCrudActionResponse' + description: Indicates a successful call with the results of the bulk action. + '400': + content: + application/json: + examples: + PerformPromptsBulkActionResponse400Example: + value: + error: Bad Request + message: Invalid prompt ID or missing required fields. + statusCode: 400 schema: - additionalProperties: false - description: Generic Error type: object properties: - attributes: - nullable: true error: - type: string - errorType: + description: A short error message. + example: Bad Request type: string message: + description: A detailed error message. + example: Invalid prompt ID or missing required fields. type: string statusCode: + description: The HTTP status code for the error. + example: 400 type: number - required: - - message - - attributes - description: Not Found - summary: Delete output + description: Bad Request response. + summary: Apply a bulk action to prompts tags: - - Fleet outputs + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request POST 'http://localhost:5601/api/security_ai_assistant/prompts/_bulk_action' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" \ + --data '{"delete":{"query":"name: test","ids":[]}}' + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security_ai_assistant/prompts/_find: get: - description: >- - Get output by ID.

[Required authorization] Route required - privileges: fleet-settings-read OR fleet-agent-policies-read. - operationId: get-fleet-outputs-outputid + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/security_ai_assistant/prompts/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all prompts based on optional filters, sorting, and pagination. + operationId: FindPrompts parameters: - - description: The ID of the output - in: path - name: outputId - required: true + - description: List of specific fields to include in each returned prompt. + in: query + name: fields + required: false + schema: + example: + - id + - name + - content + items: + type: string + type: array + - description: Search query string to filter prompts by matching fields. + in: query + name: filter + required: false + schema: + example: error handling + type: string + - description: Field to sort prompts by. + in: query + name: sort_field + required: false schema: - type: string + $ref: '#/components/schemas/Security_AI_Assistant_API_FindPromptsSortField' + - description: Sort order, either asc or desc. + in: query + name: sort_order + required: false + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' + - description: Page number for pagination. + in: query + name: page + required: false + schema: + default: 1 + example: 1 + minimum: 1 + type: integer + - description: Number of prompts per page. + in: query + name: per_page + required: false + schema: + default: 20 + example: 20 + minimum: 0 + type: integer responses: '200': content: application/json: examples: - getOutputExample: - description: A Fleet output + FindPromptsResponse200Example: value: - item: - hosts: - - https://elasticsearch.example.com:9200 - id: output-id-1 - is_default: true - is_default_monitoring: true - name: Default output - type: elasticsearch + data: + - categories: + - troubleshooting + - logging + color: '#FF5733' + consumer: security + content: If you encounter an error, check the logs and retry. 
+ createdAt: '2025-04-20T21:00:00Z' + createdBy: jdoe + id: prompt-123 + isDefault: true + isNewConversationDefault: false + name: Error Troubleshooting Prompt + namespace: default + promptType: standard + timestamp: '2025-04-30T22:30:00Z' + updatedAt: '2025-04-30T22:45:00Z' + updatedBy: jdoe + users: + - full_name: John Doe + username: jdoe + page: 1 + perPage: 20 + total: 142 schema: - additionalProperties: false + example: + data: + - categories: + - troubleshooting + - logging + color: '#FF5733' + consumer: security + content: If you encounter an error, check the logs and retry. + createdAt: '2025-04-20T21:00:00Z' + createdBy: jdoe + id: prompt-123 + isDefault: true + isNewConversationDefault: false + name: Error Troubleshooting Prompt + namespace: default + promptType: standard + timestamp: '2025-04-30T22:30:00Z' + updatedAt: '2025-04-30T22:45:00Z' + updatedBy: jdoe + users: + - full_name: John Doe + username: jdoe + page: 1 + perPage: 20 + total: 142 type: object properties: - item: - anyOf: - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_output_elasticsearch - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_output_remote_elasticsearch - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_logstash' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_kafka' + data: + description: The list of prompts returned based on the search query, sorting, and pagination. + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_PromptResponse' + type: array + page: + description: Current page number. + example: 1 + type: integer + perPage: + description: Number of prompts per page. + example: 20 + type: integer + total: + description: Total number of prompts matching the query. + example: 142 + type: integer required: - - item - description: Successful response + - page + - perPage + - total + - data + description: Successful response containing a list of prompts. 
'400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + FindPromptsResponse400Example: value: error: Bad Request - message: An error message describing what went wrong + message: Invalid sort order value provided. statusCode: 400 schema: - additionalProperties: false - description: Generic Error type: object properties: - attributes: - nullable: true error: - type: string - errorType: + description: Short error message. + example: Bad Request type: string message: + description: Detailed description of the error. + example: Invalid sort order value provided. type: string statusCode: + description: HTTP status code for the error. + example: 400 type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No output was found with the given ID - value: - error: Not Found - message: Output output-id-1 not found - statusCode: 404 - description: Not Found - summary: Get output + description: Bad request due to invalid parameters or malformed query. + summary: Get prompts tags: - - Fleet outputs + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request GET 'http://localhost:5601/api/security_ai_assistant/prompts/_find?page=1&per_page=20' \ + --header "Authorization: $API_KEY" + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security/entity_store: put: - description: >- - Update output by ID.

[Required authorization] Route required - privileges: fleet-settings-all OR fleet-agent-policies-all. - operationId: put-fleet-outputs-outputid + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/security/entity_store
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update the Entity Store log extraction configuration.

[Required authorization] Route required privileges: securitySolution. + operationId: put-security-entity-store parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -30813,319 +48943,2806 @@ paths: schema: example: 'true' type: string - - description: The ID of the output - in: path - name: outputId - required: true - schema: - type: string requestBody: content: application/json: examples: - putOutputRequestExample: - description: Update a Fleet output + updateLogExtractionExample: + description: Update the log extraction configuration with a new lookback period and frequency. + summary: Update log extraction settings value: - hosts: - - https://updated-elasticsearch.example.com:9200 - name: Updated output + logExtraction: + fieldHistoryLength: 15 + frequency: 10m + lookbackPeriod: 6h schema: - anyOf: - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_update_output_elasticsearch - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_update_output_remote_elasticsearch - - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_output_logstash' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_output_kafka' + additionalProperties: false + type: object + properties: + logExtraction: + additionalProperties: false + type: object + properties: + additionalIndexPatterns: + items: + type: string + type: array + delay: + pattern: '[smdh]$' + type: string + docsLimit: + maximum: 9007199254740991 + minimum: 1 + type: integer + excludedIndexPatterns: + items: + type: string + type: array + fieldHistoryLength: + maximum: 9007199254740991 + minimum: -9007199254740991 + type: integer + frequency: + pattern: '[smdh]$' + type: string + lookbackPeriod: + pattern: '[smdh]$' + type: string + maxLogsPerPage: + maximum: 9007199254740991 + minimum: 1 + type: integer + maxLogsPerWindow: + maximum: 9007199254740991 + minimum: 0 + type: integer + maxLogsPerWindowCapBehavior: + enum: + - defer + - drop + type: string + maxTimeWindowSize: + pattern: '[smdh]$' + type: string + required: + - logExtraction responses: '200': content: application/json: examples: - putOutputExample: - description: The updated Fleet output + updateSuccessExample: + 
description: The Entity Store configuration was successfully updated. + summary: Entity Store updated value: - item: - hosts: - - https://updated-elasticsearch.example.com:9200 - id: output-id-1 - is_default: true - is_default_monitoring: true - name: Updated output - type: elasticsearch - schema: - additionalProperties: false - type: object - properties: - item: - anyOf: - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_output_elasticsearch - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_output_remote_elasticsearch - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_logstash' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_kafka' - required: - - item - description: Successful response + ok: true + description: Indicates a successful response. '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + invalidDurationExample: + description: A log extraction parameter has an invalid duration format. + summary: Invalid duration parameter value: error: Bad Request - message: An error message describing what went wrong + message: '[request body]: logExtraction.frequency: must be a valid duration of at least 30 seconds (e.g. 1m, 30s)' statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request + description: Bad request. '404': content: application/json: examples: notFoundExample: - description: No output was found with the given ID + description: The Entity Store has not been installed yet. 
+ summary: Entity Store not installed value: error: Not Found - message: Output output-id-1 not found + message: Entity store is not installed statusCode: 404 - description: Not Found - summary: Update output + description: Entity Store not found. + summary: Update the Entity Store tags: - - Fleet outputs - /api/fleet/outputs/{outputId}/health: + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X PUT -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ + -H "Content-Type: application/json" \ + -d '{"logExtraction":{"lookbackPeriod":"6h","frequency":"10m","fieldHistoryLength":15}}' \ + "${KIBANA_URL}/api/security/entity_store" + - lang: Console + source: | + PUT kbn://api/security/entity_store + { + "logExtraction": { + "lookbackPeriod": "6h", + "frequency": "10m", + "fieldHistoryLength": 15 + } + } + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security/entity_store/entities: get: - description: >- - Get the latest health status of an output by ID.

[Required - authorization] Route required privileges: fleet-settings-read. - operationId: get-fleet-outputs-outputid-health + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/security/entity_store/entities
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List entity records from the Entity Store with paging, sorting, and filtering. Supports two modes: page-based pagination (page/per_page) and cursor-based pagination (searchAfter). The two modes cannot be combined.

[Required authorization] Route required privileges: securitySolution. + operationId: get-security-entity-store-entities parameters: - - description: The ID of the output - in: path - name: outputId - required: true + - description: A Kibana Query Language (KQL) filter for the search-after mode. + in: query + name: filter + required: false schema: type: string - responses: - '200': - content: - application/json: - examples: - getOutputHealthExample: - description: The latest health status of a Fleet output - value: - message: '' - state: HEALTHY - timestamp: '2024-01-15T10:00:00.000Z' - schema: - additionalProperties: false - type: object - properties: - message: - description: long message if unhealthy - type: string - state: - description: state of output, HEALTHY or DEGRADED - type: string - timestamp: - description: timestamp of reported state - type: string - required: - - state - - message - - timestamp - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get the latest output health - tags: - - Fleet outputs - /api/fleet/package_policies: - get: - description: List all package policies. - operationId: get-fleet-package-policies - parameters: - - description: Page number + - description: Number of entities to return in search-after mode. 
in: query - name: page + name: size required: false schema: - type: number - - description: Number of results per page + maximum: 9007199254740991 + minimum: 1 + type: integer + - description: JSON-encoded search_after value for cursor-based pagination. in: query - name: perPage + name: searchAfter required: false schema: - type: number - - description: Field to sort results by + type: string + - description: Fields to include in the response source. in: query - name: sortField + name: source + required: false + schema: + items: + type: string + type: array + - description: Fields to include in the response. + in: query + name: fields + required: false + schema: + items: + type: string + type: array + - description: Field to sort results by in page mode. + in: query + name: sort_field required: false schema: type: string - - description: Sort order, ascending or descending + - description: Sort order in page mode. in: query - name: sortOrder + name: sort_order required: false schema: enum: - - desc - asc + - desc type: string - - description: When true, only show policies with available upgrades + - description: Page number to return (1-indexed) in page mode. in: query - name: showUpgradeable + name: page required: false schema: - type: boolean - - description: A KQL query string to filter results + maximum: 9007199254740991 + minimum: 1 + type: integer + - description: Number of entities per page in page mode. in: query - name: kuery + name: per_page required: false schema: - type: string - - description: 'Format for the response: simplified or legacy' + maximum: 10000 + minimum: 1 + type: integer + - description: An Elasticsearch query string to filter entities in page mode. in: query - name: format + name: filterQuery required: false schema: - enum: - - simplified - - legacy type: string - - description: When true, include the agent count per package policy + - description: Entity types to include in the results. 
in: query - name: withAgentCount + name: entity_types required: false schema: - type: boolean + items: + enum: + - user + - host + - service + - generic + type: string + type: array + responses: + '200': + content: + application/json: + examples: + emptyResultExample: + description: No entities matched the query. + summary: Empty result + value: + page: 1 + per_page: 10 + records: [] + total: 0 + pageModeExample: + description: A paginated list of host entities sorted by timestamp in descending order, including query inspection data. + summary: Page mode response with host entities + value: + inspect: + dsl: + - '{"index":["entities-latest-default"],"body":{"terms":{"entity.EngineMetadata.Type":["host"]}}}' + response: + - '{"took":1,"timed_out":false,"hits":{"total":{"value":1,"relation":"eq"}}}' + page: 1 + per_page: 10 + records: + - '@timestamp': '2026-04-10T08:30:00.000Z' + asset: + criticality: high_impact + environment: production + entity: + attributes: + asset: true + managed: true + id: host:web-server-prod-01 + lifecycle: + first_seen: '2026-01-15T10:00:00.000Z' + last_activity: '2026-04-10T08:30:00.000Z' + name: web-server-prod-01 + risk: + calculated_level: Moderate + calculated_score: 47.5 + calculated_score_norm: 47.5 + source: + - logs + type: host + host: + hostname: + - web-server-prod-01.example.com + ip: + - 10.0.1.42 + name: web-server-prod-01 + os: + name: Ubuntu + type: linux + total: 1 + searchAfterModeExample: + description: A cursor-based response with entities and a search_after token for the next page. + summary: Search-after mode response + value: + entities: + - '@timestamp': '2026-04-10T08:30:00.000Z' + entity: + id: user:jane.doe@example.com + name: jane.doe + type: user + user: + email: + - jane.doe@example.com + name: jane.doe + nextSearchAfter: + - 1712736600000 + - 1 + description: Indicates a successful response. 
+ '400': + content: + application/json: + examples: + invalidFilterExample: + description: The provided Kibana Query Language filter could not be parsed. + summary: Invalid filter + value: + error: Bad Request + message: |- + Invalid filter: Expected "(", "{", value, whitespace but ":" found. + invalid :: query + ---------^ + statusCode: 400 + mixedModesExample: + description: Cannot combine page-based pagination with cursor-based pagination in the same request. + summary: Mixed pagination modes + value: + error: Bad Request + message: '[request query]: Cannot combine page/per_page with searchAfter' + statusCode: 400 + description: Bad request. + summary: List entities + tags: + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X GET -H "Authorization: ApiKey ${API_KEY}" \ + "${KIBANA_URL}/api/security/entity_store/entities?entity_types=host&page=1&per_page=10&sort_field=%40timestamp&sort_order=desc" + - lang: Console + source: | + GET kbn://api/security/entity_store/entities?entity_types=host&page=1&per_page=10&sort_field=@timestamp&sort_order=desc + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security/entity_store/entities/: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/security/entity_store/entities/
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a single entity record from the Entity Store. The entity is immediately removed from the latest index.

[Required authorization] Route required privileges: securitySolution. + operationId: delete-security-entity-store-entities + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + deleteEntityExample: + description: Delete a single entity from the Entity Store using its entity identifier. + summary: Delete an entity by identifier + value: + entityId: host:web-server-prod-01 + schema: + additionalProperties: false + type: object + properties: + entityId: + description: The identifier of the entity to delete. + type: string + required: + - entityId + responses: + '200': + content: + application/json: + examples: + deleteSuccessExample: + description: The entity was found and successfully removed from the latest index. + summary: Entity deleted + value: + deleted: true + description: Indicates the entity was successfully deleted. + '404': + content: + application/json: + examples: + notFoundExample: + description: No entity with the specified identifier exists in the Entity Store. + summary: Entity not found + value: + error: Not Found + message: Entity ID 'host:web-server-prod-01' not found + statusCode: 404 + description: Entity not found. + summary: Delete an entity + tags: + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X DELETE -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ + -H "Content-Type: application/json" \ + -d '{"entityId":"host:web-server-prod-01"}' \ + "${KIBANA_URL}/api/security/entity_store/entities/" + - lang: Console + source: | + DELETE kbn://api/security/entity_store/entities/ + { + "entityId": "host:web-server-prod-01" + } + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security/entity_store/entities/{entityType}: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/security/entity_store/entities/{entityType}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new entity record in the Entity Store for the specified entity type.

[Required authorization] Route required privileges: securitySolution. + operationId: post-security-entity-store-entities-entitytype + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The entity type to create. + in: path + name: entityType + required: true + schema: + enum: + - user + - host + - service + - generic + type: string + requestBody: + content: + application/json: + examples: + createHostEntityExample: + description: Create a new host entity record with basic host and entity fields. The entity identifier must match the auto-generated format for the entity type. + summary: Create a host entity + value: + asset: + business_unit: Engineering + criticality: high_impact + environment: production + entity: + attributes: + asset: true + managed: true + id: host:web-server-prod-01 + name: web-server-prod-01 + source: + - manual + type: host + host: + hostname: + - web-server-prod-01.example.com + ip: + - 10.0.1.42 + name: web-server-prod-01 + schema: + anyOf: + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + 
additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + 
type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + 
type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + 
calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + labels: + additionalProperties: {} + type: object + properties: {} + tags: + items: + type: string + type: array + user: + additionalProperties: false + type: object + properties: + domain: + items: + type: string + type: array + email: + items: + type: string + type: array + full_name: + items: + type: string + type: array + hash: + items: + type: string + type: array + id: + items: + type: string + type: array + name: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: 
+ - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + roles: + items: + type: string + type: array + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: 
^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + 
user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + 
properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical 
+ type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + host: + additionalProperties: false + type: object + properties: + architecture: + items: + type: string + type: array + domain: + items: + type: string + type: array + hostname: + items: + type: string + type: array + id: + items: + type: string + type: array + ip: + items: + type: string + type: array + mac: + items: + type: string + type: array + name: + type: string + os: + additionalProperties: false + type: object + properties: + family: + type: string + full: + type: string + kernel: + type: string + name: + anyOf: + - type: string + - items: + type: string + type: array + platform: + type: string + type: + anyOf: + - type: string + - items: + type: string + type: array + version: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + type: + items: + type: string + type: array + labels: + additionalProperties: {} + type: object + properties: {} + tags: + items: + type: string + type: array + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: 
^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: 
^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: 
object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: 
+ items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + 
properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + labels: + additionalProperties: {} + type: object + properties: {} + service: + additionalProperties: false + type: object + properties: + address: + type: string + environment: + type: string + ephemeral_id: + type: string + id: + type: string + name: + type: string + node: + additionalProperties: false + type: object + properties: + name: + type: string + role: + type: string + roles: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + state: + type: string + type: + type: string + version: + type: string + tags: + items: + type: string + type: array + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + cloud: + additionalProperties: false + type: 
object + properties: + account: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + availability_zone: + type: string + instance: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + machine: + additionalProperties: false + type: object + properties: + type: + type: string + project: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + provider: + type: string + region: + type: string + service: + additionalProperties: false + type: object + properties: + name: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: 
^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: 
object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: 
+ items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + 
properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + labels: + additionalProperties: {} + type: object + properties: {} + orchestrator: + additionalProperties: false + type: object + properties: + api_version: + type: string + cluster: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + url: + type: string + version: + type: string + namespace: + type: string + organization: + type: string + resource: + additionalProperties: false + type: object + properties: + annotation: + type: string + id: + type: string + ip: + type: string + label: + type: string + name: + type: string + parent: + additionalProperties: false + type: object + properties: + type: + type: string + type: + type: string + type: + type: string + tags: + items: + type: string + type: array responses: '200': content: application/json: examples: - getPackagePoliciesExample: - description: List of package policies + createSuccessExample: + description: The entity record was successfully created in the Entity Store. 
+ summary: Entity created value: - items: - - created_at: '2024-01-15T10:00:00.000Z' - enabled: true - id: package-policy-id-1 - inputs: [] - name: nginx-1 - namespace: default - package: - name: nginx - title: Nginx - version: 1.20.0 - policy_ids: - - agent-policy-id-1 - updated_at: '2024-01-15T10:00:00.000Z' - page: 1 - perPage: 20 - total: 1 - schema: - additionalProperties: false - type: object - properties: - items: - items: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_package_policy_response - maxItems: 10000 - type: array - page: - type: number - perPage: - type: number - total: - type: number - required: - - items - - total - - page - - perPage - description: Successful response + ok: true + description: Indicates the entity was successfully created. '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + euidMismatchExample: + description: The supplied entity identifier does not match the auto-generated identifier derived from the entity fields. + summary: Entity identifier mismatch value: error: Bad Request - message: An error message describing what went wrong + message: 'Bad request: Supplied ID my-custom-id does not match generated EUID host:web-server-prod-01' statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get package policies + description: Bad request. + '409': + content: + application/json: + examples: + conflictExample: + description: An entity with the specified identifier already exists. + summary: Entity already exists + value: + error: Conflict + message: Entity ID 'host:web-server-prod-01' already exists + statusCode: 409 + description: Conflict. 
+ summary: Create an entity tags: - - Fleet package policies - post: - description: Create a new package policy and assign it to an agent policy. - operationId: post-fleet-package-policies + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X POST -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ + -H "Content-Type: application/json" \ + -d '{"entity":{"id":"host:web-server-prod-01","name":"web-server-prod-01","type":"host","source":["manual"],"attributes":{"asset":true}},"host":{"name":"web-server-prod-01","ip":["10.0.1.42"]}}' \ + "${KIBANA_URL}/api/security/entity_store/entities/host" + - lang: Console + source: | + POST kbn://api/security/entity_store/entities/host + { + "entity": { + "id": "host:web-server-prod-01", + "name": "web-server-prod-01", + "type": "host", + "source": ["manual"], + "attributes": { "asset": true } + }, + "host": { + "name": "web-server-prod-01", + "ip": ["10.0.1.42"] + } + } + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/security/entity_store/entities/{entityType}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an existing entity record in the Entity Store. By default only certain fields can be updated. Set the `force` query parameter to `true` to update protected fields.

[Required authorization] Route required privileges: securitySolution. + operationId: put-security-entity-store-entities-entitytype parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -31134,130 +51751,2386 @@ paths: schema: example: 'true' type: string - - description: 'Format for the response: simplified or legacy' - in: query - name: format - required: false + - description: The entity type to update. + in: path + name: entityType + required: true schema: enum: - - simplified - - legacy + - user + - host + - service + - generic type: string + - description: When true, allows updating protected fields. + in: query + name: force + required: false + schema: + anyOf: + - enum: + - 'true' + - 'false' + type: string + - type: boolean + default: false requestBody: content: application/json: examples: - postPackagePolicyRequestExample: - description: Create a new nginx package policy + updateEntityAttributesExample: + description: Update the attributes of an existing user entity. Fields like entity.name and entity.type are protected and require the force query parameter. + summary: Update entity attributes value: - inputs: {} - name: nginx-1 - namespace: default - package: - name: nginx - version: 1.20.0 - policy_ids: - - agent-policy-id-1 + entity: + attributes: + managed: true + mfa_enabled: true + id: user:jane.doe@example.com + lifecycle: + last_activity: '2026-04-10T14:30:00.000Z' + name: jane.doe + type: user + user: + email: + - jane.doe@example.com + name: jane.doe + roles: + - admin + - analyst schema: anyOf: - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_create_package_policy_request - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_simplified_create_package_policy_request - description: >- - You should use inputs as an object and not use the deprecated - inputs array. 
+ - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + 
pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false 
+ type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + 
user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: 
object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + labels: + additionalProperties: {} + type: object + properties: {} + tags: + items: + type: string + type: array + user: + additionalProperties: false + type: object + properties: + domain: + items: + type: string + type: array + email: + items: + type: string + type: array + full_name: + items: + type: string + type: array + hash: + items: + type: string + type: array + id: + items: + type: string + type: array + name: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + roles: + items: + type: string + type: array + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + 
additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + 
type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + 
type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + 
calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + host: + additionalProperties: false + type: object + properties: + architecture: + items: + type: string + type: array + domain: + items: + type: string + type: array + hostname: + items: + type: string + type: array + id: + items: + type: string + type: array + ip: + items: + type: string + type: array + mac: + items: + type: string + type: array + name: + type: string + os: + additionalProperties: false + type: object + properties: + family: + type: string + full: + type: string + kernel: + type: string + name: + anyOf: + - 
type: string + - items: + type: string + type: array + platform: + type: string + type: + anyOf: + - type: string + - items: + type: string + type: array + version: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + type: + items: + type: string + type: array + labels: + additionalProperties: {} + type: object + properties: {} + tags: + items: + type: string + type: array + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: 
array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + 
type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string 
+ type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + 
user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + labels: + additionalProperties: {} + type: object + properties: {} + service: + additionalProperties: false + type: object + properties: + address: + type: string + environment: + type: string + ephemeral_id: + type: string + id: + type: string + name: + type: string + node: + additionalProperties: false + type: object + properties: + name: + type: string + role: + type: string + roles: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + state: + type: string + type: + type: string + version: + type: string + tags: + items: + type: string + type: array + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: 
^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + cloud: + additionalProperties: false + type: object + properties: + account: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + availability_zone: + type: string + instance: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + machine: + additionalProperties: false + type: object + properties: + type: + type: string + project: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + provider: + type: string + region: + type: string + service: + additionalProperties: false + type: object + properties: + name: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: 
string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + 
additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + 
items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string 
+ type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + labels: + additionalProperties: {} + type: object + properties: {} + orchestrator: + additionalProperties: false + type: object + properties: + api_version: + type: string + cluster: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + url: + type: string + version: + type: string + namespace: + type: string + organization: + type: string + resource: + additionalProperties: false + type: object + properties: + annotation: + type: string + id: + type: string + ip: + type: string + label: + type: string + name: + type: string + parent: + additionalProperties: false + type: object + properties: + type: + type: string + type: + type: string + type: + type: string + tags: + items: + type: string + type: array responses: '200': content: application/json: examples: - postPackagePolicyExample: - description: The created package policy + updateSuccessExample: + description: The entity record was successfully updated. 
+ summary: Entity updated value: - item: - created_at: '2024-01-15T10:00:00.000Z' - enabled: true - id: package-policy-id-2 - inputs: [] - name: nginx-1 - namespace: default - package: - name: nginx - title: Nginx - version: 1.20.0 - policy_ids: - - agent-policy-id-1 - updated_at: '2024-01-15T10:00:00.000Z' - schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_create_package_policy_response - description: Successful response + ok: true + description: Indicates the entity was successfully updated. '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + protectedFieldsExample: + description: The request attempts to update protected fields without the force query parameter. + summary: Protected fields without force value: error: Bad Request - message: An error message describing what went wrong + message: 'Bad request: The following attributes are not allowed to be updated without forcing it (?force=true): entity.name, entity.type' statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '409': + description: Bad request. + '404': content: application/json: examples: - conflictExample: - description: A package policy with the same name already exists + notFoundExample: + description: No entity with the specified identifier exists. 
+ summary: Entity not found value: - error: Conflict - message: An error message describing what went wrong - statusCode: 409 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Conflict - summary: Create a package policy + error: Not Found + message: Entity ID 'user:jane.doe@example.com' not found + statusCode: 404 + description: Entity not found. + summary: Update an entity tags: - - Fleet package policies - /api/fleet/package_policies/_bulk_get: - post: - description: Get multiple package policies by ID. - operationId: post-fleet-package-policies-bulk-get + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X PUT -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ + -H "Content-Type: application/json" \ + -d '{"entity":{"id":"user:jane.doe@example.com","name":"jane.doe","type":"user","attributes":{"managed":true,"mfa_enabled":true}},"user":{"name":"jane.doe"}}' \ + "${KIBANA_URL}/api/security/entity_store/entities/user?force=true" + - lang: Console + source: | + PUT kbn://api/security/entity_store/entities/user?force=true + { + "entity": { + "id": "user:jane.doe@example.com", + "name": "jane.doe", + "type": "user", + "attributes": { "managed": true, "mfa_enabled": true } + }, + "user": { "name": "jane.doe" } + } + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security/entity_store/entities/bulk: + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/security/entity_store/entities/bulk
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update multiple entity records in the Entity Store in a single request.

[Required authorization] Route required privileges: securitySolution. + operationId: put-security-entity-store-entities-bulk parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -31266,437 +54139,2408 @@ paths: schema: example: 'true' type: string - - description: 'Format for the response: simplified or legacy' + - description: When true, allows updating protected fields. in: query - name: format + name: force required: false schema: - enum: - - simplified - - legacy - type: string + anyOf: + - enum: + - 'true' + - 'false' + type: string + - type: boolean + default: false requestBody: content: application/json: examples: - postBulkGetPackagePoliciesRequestExample: - description: Retrieve multiple package policies by ID + bulkUpdateExample: + description: Update a host entity and a user entity in a single request. + summary: Bulk update multiple entities value: - ids: - - package-policy-id-1 - - package-policy-id-2 + entities: + - doc: + entity: + attributes: + asset: true + id: host:web-server-prod-01 + name: web-server-prod-01 + type: host + host: + name: web-server-prod-01 + type: host + - doc: + entity: + attributes: + managed: true + id: user:jane.doe@example.com + name: jane.doe + type: user + user: + name: jane.doe + type: user schema: additionalProperties: false type: object properties: - ids: - description: list of package policy ids + entities: + description: The entities to update. 
items: - type: string - maxItems: 1000 + type: object + properties: + doc: + anyOf: + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: 
^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + 
user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + 
properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical 
+ type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + labels: + additionalProperties: {} + type: object + properties: {} + tags: + items: + type: string + type: array + user: + additionalProperties: false + type: object + properties: + domain: + items: + type: string + type: array + email: + items: + type: string + type: array + full_name: + items: + type: string + type: array + hash: + items: + type: string + type: array + id: + items: + type: string + type: array + name: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + roles: + items: + type: string + type: array + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - 
extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: 
^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: 
array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: 
string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + 
type: string + host: + additionalProperties: false + type: object + properties: + architecture: + items: + type: string + type: array + domain: + items: + type: string + type: array + hostname: + items: + type: string + type: array + id: + items: + type: string + type: array + ip: + items: + type: string + type: array + mac: + items: + type: string + type: array + name: + type: string + os: + additionalProperties: false + type: object + properties: + family: + type: string + full: + type: string + kernel: + type: string + name: + anyOf: + - type: string + - items: + type: string + type: array + platform: + type: string + type: + anyOf: + - type: string + - items: + type: string + type: array + version: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + type: + items: + type: string + type: array + labels: + additionalProperties: {} + type: object + properties: {} + tags: + items: + type: string + type: array + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + entity: + additionalProperties: false + 
type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + 
raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + 
type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate 
+ - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + labels: + additionalProperties: {} + type: object + properties: {} + service: + additionalProperties: false + type: object + properties: + address: + type: string + environment: + type: string + ephemeral_id: + type: string + id: + type: string + name: + type: string + node: + additionalProperties: false + type: object + properties: + name: + type: string + role: + type: string + roles: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: 
+ calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + state: + type: string + type: + type: string + version: + type: string + tags: + items: + type: string + type: array + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + cloud: + additionalProperties: false + type: object + properties: + account: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + availability_zone: + type: string + instance: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + machine: + additionalProperties: false + type: object + properties: + type: + type: string + project: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + provider: + type: string + region: + type: string + service: + additionalProperties: false + type: object + properties: + name: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: 
+ type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string 
+ type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + 
type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + 
additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + labels: + additionalProperties: {} + type: object + properties: {} + orchestrator: + additionalProperties: false + type: object + properties: + api_version: + type: string + cluster: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + url: + type: string + version: + type: string + namespace: + type: string + organization: + type: string + resource: + additionalProperties: false + type: object + properties: + annotation: + type: string + id: + type: string + ip: + type: string + label: + type: string + name: + type: string + parent: + additionalProperties: false + type: object + properties: 
+ type: + type: string + type: + type: string + type: + type: string + tags: + items: + type: string + type: array + type: + description: The entity type of this record. + enum: + - user + - host + - service + - generic + type: string + required: + - type type: array - ignoreMissing: - type: boolean required: - - ids - responses: - '200': - content: - application/json: - examples: - postBulkGetPackagePoliciesExample: - description: The requested package policies - value: - items: - - created_at: '2024-01-15T10:00:00.000Z' - enabled: true - id: package-policy-id-1 - inputs: [] - name: nginx-1 - namespace: default - package: - name: nginx - title: Nginx - version: 1.20.0 - policy_ids: - - agent-policy-id-1 - updated_at: '2024-01-15T10:00:00.000Z' - schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_bulk_get_package_policies_response - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: One or more package policies were not found - value: - error: Not Found - message: Package policy package-policy-id-2 not found - statusCode: 404 - schema: - additionalProperties: false - type: object - properties: - message: - type: string - required: - - message - description: Not Found - summary: Bulk get package policies - tags: - - Fleet package policies - /api/fleet/package_policies/{packagePolicyId}: - delete: - description: >- - Delete a package policy by ID.

[Required authorization] Route - required privileges: fleet-agent-policies-all AND integrations-all. - operationId: delete-fleet-package-policies-packagepolicyid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The ID of the package policy - in: path - name: packagePolicyId - required: true - schema: - type: string - - description: When true, delete the package policy even if it is managed - in: query - name: force - required: false - schema: - type: boolean - responses: - '200': - content: - application/json: - examples: - deletePackagePolicyExample: - description: The package policy was successfully deleted - value: - id: package-policy-id-1 - schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_delete_one_package_policy_response - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Delete a package policy - tags: - - Fleet package policies - get: - description: Get a package policy by ID. 
- operationId: get-fleet-package-policies-packagepolicyid - parameters: - - description: The ID of the package policy - in: path - name: packagePolicyId - required: true - schema: - type: string - - description: 'Format for the response: simplified or legacy' - in: query - name: format - required: false - schema: - enum: - - simplified - - legacy - type: string - responses: - '200': - content: - application/json: - examples: - getPackagePolicyExample: - description: A package policy - value: - item: - created_at: '2024-01-15T10:00:00.000Z' - enabled: true - id: package-policy-id-1 - inputs: [] - name: nginx-1 - namespace: default - package: - name: nginx - title: Nginx - version: 1.20.0 - policy_ids: - - agent-policy-id-1 - updated_at: '2024-01-15T10:00:00.000Z' - schema: - additionalProperties: false - type: object - properties: - item: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_package_policy_response - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No package policy was found with the given ID - value: - error: Not Found - message: Package policy package-policy-id-1 not found - statusCode: 404 - schema: - additionalProperties: false - type: object - properties: - message: - type: string - required: - - message - description: Not Found - summary: Get a package policy - tags: - - Fleet package policies - put: - description: Update a 
package policy by ID. - operationId: put-fleet-package-policies-packagepolicyid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The ID of the package policy - in: path - name: packagePolicyId - required: true - schema: - type: string - - description: 'Format for the response: simplified or legacy' - in: query - name: format - required: false - schema: - enum: - - simplified - - legacy - type: string - requestBody: - content: - application/json: - examples: - putPackagePolicyRequestExample: - description: Update a package policy - value: - enabled: true - inputs: {} - name: nginx-1-updated - namespace: default - package: - name: nginx - version: 1.20.0 - policy_ids: - - agent-policy-id-1 - schema: - anyOf: - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_update_package_policy_request - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_simplified_create_package_policy_request - responses: - '200': - content: - application/json: - examples: - putPackagePolicyExample: - description: The updated package policy - value: - item: - created_at: '2024-01-15T10:00:00.000Z' - enabled: true - id: package-policy-id-1 - inputs: [] - name: nginx-1-updated - namespace: default - package: - name: nginx - title: Nginx - version: 1.20.0 - policy_ids: - - agent-policy-id-1 - updated_at: '2024-01-15T11:00:00.000Z' - schema: - additionalProperties: false - type: object - properties: - item: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_package_policy_response - required: - - item - description: Successful response - '400': + - entities + responses: + '200': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + bulkUpdatePartialExample: + description: Some entities were updated but others encountered Elasticsearch-level errors. 
+ summary: Partial success with errors value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '403': + errors: + - _id: 5de9f93a68a72532e736bf5a6184b06300b9cabf + reason: '[5de9f93a68a72532e736bf5a6184b06300b9cabf]: document missing' + status: 404 + type: document_missing_exception + ok: true + bulkUpdateSuccessExample: + description: All entities were successfully updated with no errors. + summary: All entities updated + value: + errors: [] + ok: true + description: Indicates a successful response. + '400': content: application/json: examples: - forbiddenExample: - description: The update is not authorized for this package + protectedFieldsExample: + description: The request attempts to update protected fields without the force query parameter. + summary: Protected fields without force value: - error: Forbidden - message: An error message describing what went wrong - statusCode: 403 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Forbidden - summary: Update a package policy + error: Bad Request + message: 'Bad request: The following attributes are not allowed to be updated without forcing it (?force=true): entity.name, entity.type' + statusCode: 400 + description: Bad request. 
+ summary: Bulk update entities tags: - - Fleet package policies - /api/fleet/package_policies/delete: + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X PUT -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ + -H "Content-Type: application/json" \ + -d '{"entities":[{"type":"host","doc":{"entity":{"id":"host:web-server-prod-01","name":"web-server-prod-01","type":"host","attributes":{"asset":true}},"host":{"name":"web-server-prod-01"}}}]}' \ + "${KIBANA_URL}/api/security/entity_store/entities/bulk?force=true" + - lang: Console + source: | + PUT kbn://api/security/entity_store/entities/bulk?force=true + { + "entities": [ + { + "type": "host", + "doc": { + "entity": { + "id": "host:web-server-prod-01", + "name": "web-server-prod-01", + "type": "host", + "attributes": { "asset": true } + }, + "host": { "name": "web-server-prod-01" } + } + } + ] + } + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security/entity_store/install: post: - description: >- - Delete multiple package policies by ID.

[Required - authorization] Route required privileges: fleet-agent-policies-all AND - integrations-all. - operationId: post-fleet-package-policies-delete + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/security/entity_store/install
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Install the Entity Store and create engines for the specified entity types. A single `logExtraction` configuration is shared across all entity types. Supply it once at install to customize settings; omit it (or send an empty object) to use defaults on first install or preserve the existing configuration on re-install. To change settings after install, use the update endpoint.

[Required authorization] Route required privileges: securitySolution. + operationId: post-security-entity-store-install parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -31709,150 +56553,261 @@ paths: content: application/json: examples: - postDeletePackagePoliciesRequestExample: - description: Delete multiple package policies by ID + installDefaultExample: + description: Install the Entity Store for all entity types with default log extraction settings. + summary: Install with default entity types value: - packagePolicyIds: - - package-policy-id-1 - - package-policy-id-2 + entityTypes: + - user + - host + - service + - generic + logExtraction: {} + installWithCustomSettingsExample: + description: Install the Entity Store for host entities only with a custom lookback period and field history length. + summary: Install with custom log extraction + value: + entityTypes: + - host + logExtraction: + delay: 2m + fieldHistoryLength: 20 + frequency: 5m + lookbackPeriod: 12h schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_delete_package_policies_request + additionalProperties: false + type: object + properties: + entityTypes: + default: + - user + - host + - service + - generic + items: + enum: + - user + - host + - service + - generic + type: string + type: array + historySnapshot: + additionalProperties: false + type: object + properties: + frequency: + default: 24h + pattern: '[smdh]$' + type: string + logExtraction: + additionalProperties: false + type: object + properties: + additionalIndexPatterns: + default: [] + items: + type: string + type: array + delay: + default: 1m + pattern: '[smdh]$' + type: string + docsLimit: + default: 10000 + maximum: 9007199254740991 + minimum: 1 + type: integer + excludedIndexPatterns: + default: [] + items: + type: string + type: array + fieldHistoryLength: + default: 10 + maximum: 9007199254740991 + minimum: -9007199254740991 + type: integer + frequency: + default: 1m + pattern: '[smdh]$' + type: string + lookbackPeriod: + default: 3h + pattern: '[smdh]$' + type: string + maxLogsPerPage: + default: 50000 + maximum: 9007199254740991 + minimum: 1 + type: integer + maxLogsPerWindow: + 
default: 100000 + maximum: 9007199254740991 + minimum: 0 + type: integer + maxLogsPerWindowCapBehavior: + default: drop + enum: + - defer + - drop + type: string + maxTimeWindowSize: + default: 15m + pattern: '[smdh]$' + type: string responses: '200': content: application/json: examples: - postDeletePackagePoliciesExample: - description: Results of the bulk delete operation + alreadyInstalledExample: + description: All requested entity types were already installed. + summary: Already installed value: - - id: package-policy-id-1 - success: true - - id: package-policy-id-2 - success: true - schema: - items: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_package_policy_status_response - maxItems: 10000 - type: array - description: Successful response - '400': + ok: true + description: Indicates all requested entity types are already installed. + '201': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + installSuccessExample: + description: The Entity Store was installed and engines are being created. + summary: Entity Store installed value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Bulk delete package policies + ok: true + description: Indicates the Entity Store was successfully installed. + '403': + content: + application/json: + examples: + forbiddenExample: + description: The user does not have the required Elasticsearch privileges. + summary: Insufficient privileges + value: + error: Forbidden + message: User 'analyst' has insufficient privileges + statusCode: 403 + description: Insufficient privileges. 
+ summary: Install the Entity Store tags: - - Fleet package policies - /api/fleet/package_policies/upgrade: - post: - description: >- - Upgrade a package policy to a newer package version.

[Required - authorization] Route required privileges: fleet-agent-policies-all AND - integrations-all. - operationId: post-fleet-package-policies-upgrade + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X POST -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ + -H "Content-Type: application/json" \ + -d '{"entityTypes":["user","host","service","generic"],"logExtraction":{}}' \ + "${KIBANA_URL}/api/security/entity_store/install" + - lang: Console + source: | + POST kbn://api/security/entity_store/install + { + "entityTypes": ["user", "host", "service", "generic"], + "logExtraction": {} + } + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security/entity_store/resolution/group: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/security/entity_store/resolution/group
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the resolution group for a given entity, returning all linked entities. Requires an enterprise license.

[Required authorization] Route required privileges: securitySolution AND securitySolution-entity-analytics. + operationId: get-security-entity-store-resolution-group parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf + - description: The entity identifier to look up the resolution group for. + in: query + name: entity_id required: true schema: - example: 'true' type: string - requestBody: - content: - application/json: - examples: - postUpgradePackagePoliciesRequestExample: - description: Upgrade package policies to the latest version - value: - packagePolicyIds: - - package-policy-id-1 - schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_upgrade_package_policies_request responses: '200': content: application/json: examples: - postUpgradePackagePoliciesExample: - description: Results of the upgrade operation - value: - - id: package-policy-id-1 - name: nginx-1 - success: true - schema: - items: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_package_policy_status_response - maxItems: 10000 - type: array - description: Successful response + resolutionGroupExample: + description: Returns the resolution group for an entity, including the target entity, all aliases, and the group size. + summary: Resolution group with linked entities + value: + aliases: + - '@timestamp': '2026-04-10T08:25:00.000Z' + entity: + id: user:jdoe@example.com + name: jdoe + relationships: + resolution: + resolved_to: user:jane.doe@example.com + type: user + user: + name: jdoe + group_size: 2 + target: + '@timestamp': '2026-04-10T08:30:00.000Z' + entity: + id: user:jane.doe@example.com + name: jane.doe + type: user + user: + email: + - jane.doe@example.com + name: jane.doe + description: Indicates a successful response. 
'400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + truncatedSearchExample: + description: The resolution search returned too many results and was truncated. + summary: Search results truncated value: error: Bad Request - message: An error message describing what went wrong + message: Resolution search truncated statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Upgrade a package policy + description: Bad request. + '404': + content: + application/json: + examples: + notFoundExample: + description: The specified entity does not exist or has no resolution group. + summary: Entity not found + value: + error: Not Found + message: 'Entities not found: [user:nonexistent@example.com]' + statusCode: 404 + description: Entity not found. + summary: Get resolution group tags: - - Fleet package policies - /api/fleet/package_policies/upgrade/dryrun: + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X GET -H "Authorization: ApiKey ${API_KEY}" \ + "${KIBANA_URL}/api/security/entity_store/resolution/group?entity_id=user%3Ajane.doe%40example.com" + - lang: Console + source: | + GET kbn://api/security/entity_store/resolution/group?entity_id=user:jane.doe@example.com + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security/entity_store/resolution/link: post: - description: >- - Preview the changes that would be applied by upgrading a package policy - to a newer package version.

[Required authorization] Route - required privileges: fleet-agent-policies-read AND integrations-read. - operationId: post-fleet-package-policies-upgrade-dryrun + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/security/entity_store/resolution/link
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Link one or more entities to a target entity, creating a resolution group. Changes become visible on subsequent reads after the next index refresh (typically <1s). Requires an enterprise license.

[Required authorization] Route required privileges: securitySolution AND securitySolution-entity-analytics. + operationId: post-security-entity-store-resolution-link parameters: - description: A required header to protect against CSRF attacks in: header 
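Review bot: The new install request schema accepts a negative `fieldHistoryLength` (`minimum: -9007199254740991`) while the sibling limits `docsLimit` and `maxLogsPerPage` use `minimum: 1` and `maxLogsPerWindow` uses `minimum: 0`, so the published contract admits a value the engine presumably cannot honour; `minimum: 0` would be consistent with the `fieldHistoryLength: 20` example. Likewise the duration fields (`delay`, `frequency`, `lookbackPeriod`, `maxTimeWindowSize`, `historySnapshot.frequency`) are constrained only by `pattern: '[smdh]$'`, which anchors the unit but not the magnitude, so `-1m` or `abcm` satisfy the documented schema; `pattern: '^\d+[smdh]$'` would state the intended shape. Since this YAML appears to be generated from the route's request schema, the bounds should be tightened in the source schema and the bundle regenerated rather than hand-edited here. The operation's parameter list continues past the end of the hunk.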
@@ -31865,312 +56820,108 @@ paths: content: application/json: examples: - postDryRunPackagePoliciesRequestExample: - description: Dry run an upgrade of a package policy + linkEntitiesExample: + description: Link two user entities to a target entity, creating a resolution group. + summary: Link entities to a target value: - packagePolicyIds: - - package-policy-id-1 + entity_ids: + - user:jdoe@example.com + - user:j.doe@example.com + target_id: user:jane.doe@example.com schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_dry_run_package_policies_request + additionalProperties: false + type: object + properties: + entity_ids: + description: Entity identifiers to link to the target entity. Minimum 1, maximum 1000. + items: + type: string + maxItems: 1000 + minItems: 1 + type: array + target_id: + description: The entity identifier to resolve the linked entities to. + type: string + required: + - target_id + - entity_ids responses: '200': content: application/json: examples: - postDryRunPackagePoliciesExample: - description: Preview of the package policy upgrade diff + linkSuccessExample: + description: The entities were successfully linked to the target entity. 
+ summary: Entities linked value: - - diff: - - id: package-policy-id-1 - name: nginx-1 - package: - name: nginx - version: 1.20.0 - - name: nginx-1 - package: - name: nginx - version: 1.21.0 - hasErrors: false - name: nginx-1 - schema: - items: - additionalProperties: false - type: object - properties: - agent_diff: - items: - items: - additionalProperties: true - type: object - properties: - data_stream: - additionalProperties: true - type: object - properties: - namespace: - type: string - required: - - namespace - id: - type: string - meta: - additionalProperties: true - type: object - properties: - package: - additionalProperties: true - type: object - properties: - name: - type: string - version: - type: string - required: - - name - - version - required: - - package - name: - type: string - package_policy_id: - type: string - processors: - items: - additionalProperties: true - type: object - properties: - add_fields: - additionalProperties: true - type: object - properties: - fields: - additionalProperties: - anyOf: - - type: string - - type: number - type: object - target: - type: string - required: - - target - - fields - required: - - add_fields - maxItems: 10000 - type: array - revision: - type: number - streams: - items: - additionalProperties: true - type: object - properties: - data_stream: - additionalProperties: true - type: object - properties: - dataset: - type: string - type: - type: string - required: - - dataset - id: - type: string - required: - - data_stream - maxItems: 10000 - type: array - type: - type: string - use_output: - type: string - required: - - id - - name - - revision - - type - - data_stream - - use_output - - package_policy_id - maxItems: 10000 - type: array - maxItems: 1 - type: array - body: - additionalProperties: false - type: object - properties: - message: - type: string - required: - - message - diff: - items: - anyOf: - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_package_policy_response - - $ref: >- - 
#/components/schemas/Kibana_HTTP_APIs_dry_run_package_policy - maxItems: 2 - type: array - hasErrors: - type: boolean - name: - type: string - statusCode: - type: number - required: - - hasErrors - maxItems: 10000 - type: array - description: Successful response + linked: + - user:jdoe@example.com + - user:j.doe@example.com + skipped: [] + target_id: user:jane.doe@example.com + description: Indicates a successful response. '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + mixedTypesExample: + description: All entities in a resolution group must be of the same type. + summary: Mixed entity types value: error: Bad Request - message: An error message describing what went wrong + message: Cannot link entities of different types statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Dry run a package policy upgrade - tags: - - Fleet package policies - /api/fleet/proxies: - get: - description: >- - List all Fleet proxies.

[Required authorization] Route required - privileges: fleet-settings-read. - operationId: get-fleet-proxies - parameters: [] - responses: - '200': - content: - application/json: - examples: - getFleetProxiesExample: - description: List of Fleet proxies + selfLinkExample: + description: Cannot link an entity to itself. + summary: Self-link error value: - items: - - id: proxy-id-1 - is_preconfigured: false - name: My proxy - url: http://proxy.example.com:3128 - page: 1 - perPage: 20 - total: 1 - schema: - additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: false - type: object - properties: - certificate: - nullable: true - type: string - certificate_authorities: - nullable: true - type: string - certificate_key: - nullable: true - type: string - id: - type: string - is_preconfigured: - default: false - type: boolean - name: - type: string - proxy_headers: - additionalProperties: - anyOf: - - type: string - - type: boolean - - type: number - nullable: true - type: object - url: - type: string - required: - - id - - url - - name - maxItems: 10000 - type: array - page: - type: number - perPage: - type: number - total: - type: number - required: - - items - - total - - page - - perPage - description: Successful response - '400': + error: Bad Request + message: Cannot link entity 'user:jane.doe@example.com' to itself. + statusCode: 400 + description: Bad request. + '404': content: application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response + examples: + notFoundExample: + description: One or more of the specified entity identifiers were not found. 
+ summary: Entities not found value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get proxies + error: Not Found + message: 'Entities not found: [user:nonexistent@example.com, user:also-nonexistent@example.com]' + statusCode: 404 + description: Entities not found. + summary: Link entities tags: - - Fleet proxies + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X POST -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ + -H "Content-Type: application/json" \ + -d '{"target_id":"user:jane.doe@example.com","entity_ids":["user:jdoe@example.com"]}' \ + "${KIBANA_URL}/api/security/entity_store/resolution/link" + - lang: Console + source: | + POST kbn://api/security/entity_store/resolution/link + { + "target_id": "user:jane.doe@example.com", + "entity_ids": ["user:jdoe@example.com"] + } + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security/entity_store/resolution/unlink: post: - description: >- - Create a new Fleet proxy.

[Required authorization] Route - required privileges: fleet-settings-all. - operationId: post-fleet-proxies + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/security/entity_store/resolution/unlink
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Remove one or more entities from their resolution group. Changes become visible on subsequent reads after the next index refresh (typically <1s). Requires an enterprise license.

[Required authorization] Route required privileges: securitySolution AND securitySolution-entity-analytics. + operationId: post-security-entity-store-resolution-unlink parameters: - description: A required header to protect against CSRF attacks in: header 
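Review bot: The new `'400'` and `'404'` responses for `/api/security/entity_store/resolution/link` carry examples but no `schema`, while the removed Fleet block at the same position documented a "Generic Error" object with `error`, `message`, `statusCode` and `attributes`; without a schema, generated clients type these error bodies as opaque and cannot rely on `statusCode`/`message` being present. The same pattern appears in the `'404'` of the unlink hunk below and in the resolution group endpoint above. The operation description also states "Requires an enterprise license", yet no `'403'` (or equivalent) response is listed for the unlicensed case, so callers have nothing to match on. This file looks like a bundled output spec, so the fix presumably belongs in the route definitions the bundle is generated from rather than here.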
@@ -32183,136 +56934,82 @@ paths: content: application/json: examples: - postFleetProxyRequestExample: - description: Create a new Fleet proxy + unlinkEntitiesExample: + description: Remove entities from their resolution group, restoring them as standalone entities. + summary: Unlink entities from their resolution group value: - name: My proxy - url: http://proxy.example.com:3128 + entity_ids: + - user:jdoe@example.com + - user:j.doe@example.com schema: additionalProperties: false type: object properties: - certificate: - nullable: true - type: string - certificate_authorities: - nullable: true - type: string - certificate_key: - nullable: true - type: string - id: - type: string - is_preconfigured: - default: false - type: boolean - name: - type: string - proxy_headers: - additionalProperties: - anyOf: - - type: string - - type: boolean - - type: number - nullable: true - type: object - url: - type: string + entity_ids: + description: Entity identifiers to unlink from their resolution group. Minimum 1, maximum 1000. + items: + type: string + maxItems: 1000 + minItems: 1 + type: array required: - - url - - name + - entity_ids responses: '200': content: application/json: examples: - postFleetProxyExample: - description: The created Fleet proxy + unlinkSuccessExample: + description: The entities were successfully removed from their resolution group. 
+ summary: Entities unlinked value: - item: - id: proxy-id-2 - is_preconfigured: false - name: My proxy - url: http://proxy.example.com:3128 - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - certificate: - nullable: true - type: string - certificate_authorities: - nullable: true - type: string - certificate_key: - nullable: true - type: string - id: - type: string - is_preconfigured: - default: false - type: boolean - name: - type: string - proxy_headers: - additionalProperties: - anyOf: - - type: string - - type: boolean - - type: number - nullable: true - type: object - url: - type: string - required: - - id - - url - - name - required: - - item - description: Successful response - '400': + skipped: [] + unlinked: + - user:jdoe@example.com + - user:j.doe@example.com + description: Indicates a successful response. + '404': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + notFoundExample: + description: One or more of the specified entity identifiers were not found. + summary: Entities not found value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Create a proxy + error: Not Found + message: 'Entities not found: [user:nonexistent@example.com]' + statusCode: 404 + description: Entities not found. + summary: Unlink entities tags: - - Fleet proxies - /api/fleet/proxies/{itemId}: - delete: - description: >- - Delete a proxy by ID

[Required authorization] Route required - privileges: fleet-settings-all. - operationId: delete-fleet-proxies-itemid + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X POST -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ + -H "Content-Type: application/json" \ + -d '{"entity_ids":["user:jdoe@example.com"]}' \ + "${KIBANA_URL}/api/security/entity_store/resolution/unlink" + - lang: Console + source: | + POST kbn://api/security/entity_store/resolution/unlink + { + "entity_ids": ["user:jdoe@example.com"] + } + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security/entity_store/start: + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/security/entity_store/start
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Start previously stopped entity engines, resuming data processing for the specified entity types.

[Required authorization] Route required privileges: securitySolution. + operationId: put-security-entity-store-start parameters: - description: A required header to protect against CSRF attacks in: header @@ -32321,187 +57018,534 @@ paths: schema: example: 'true' type: string - - description: The ID of the proxy - in: path - name: itemId - required: true + requestBody: + content: + application/json: + examples: + startAllExample: + description: Start all stopped entity engines. + summary: Start all entity engines + value: + entityTypes: + - user + - host + - service + - generic + startSingleExample: + description: Start only the host entity engine. + summary: Start a single entity engine + value: + entityTypes: + - host + schema: + additionalProperties: false + type: object + properties: + entityTypes: + default: + - user + - host + - service + - generic + description: Entity types to start. Defaults to all installed types. + items: + enum: + - user + - host + - service + - generic + type: string + type: array + responses: + '200': + content: + application/json: + examples: + startSuccessExample: + description: The specified entity engines were successfully started. + summary: Engines started + value: + ok: true + description: Indicates a successful response. + summary: Start Entity Store engines + tags: + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X PUT -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ + -H "Content-Type: application/json" \ + -d '{"entityTypes":["user","host","service","generic"]}' \ + "${KIBANA_URL}/api/security/entity_store/start" + - lang: Console + source: | + PUT kbn://api/security/entity_store/start + { + "entityTypes": ["user", "host", "service", "generic"] + } + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security/entity_store/status: + get: + description: |- + **Spaces method and path for this operation:** + +
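Review bot: The unlink operation's request schema constrains `entity_ids` with `minItems: 1` and `maxItems: 1000`, but only `'200'` and `'404'` responses are documented, so a request that violates those bounds has no documented outcome; presumably the platform's schema validation answers with a 400 as it does for the link operation in the previous hunk, but the spec does not say so. Adding a `'400'` entry mirroring the link operation's "Bad request." response would make the contract consistent across the resolution endpoints. The `/api/security/entity_store/start` operation that begins at the end of this hunk has the same gap for an `entityTypes` value outside the enum, and it continues into the next hunk.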
get /s/{space_id}/api/security/entity_store/status
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the overall Entity Store status and per-engine statuses, optionally including component-level health details.

[Required authorization] Route required privileges: securitySolution. + operationId: get-security-entity-store-status + parameters: + - description: If true, returns a detailed status of each engine including all its components. + in: query + name: include_components + required: false schema: - type: string + anyOf: + - enum: + - 'true' + - 'false' + type: string + - type: boolean + default: false responses: '200': content: application/json: examples: - deleteFleetProxyExample: - description: The Fleet proxy was successfully deleted + notInstalledExample: + description: The Entity Store has not been installed. + summary: Entity Store not installed value: - id: proxy-id-1 - schema: - additionalProperties: false - type: object - properties: - id: + engines: [] + status: not_installed + runningStatusExample: + description: The Entity Store is running with two started engines using default settings. + summary: Entity Store running + value: + engines: + - delay: 1m + docsPerSecond: -1 + enrichPolicyExecutionInterval: null + fieldHistoryLength: 10 + filter: '' + frequency: 30s + indexPattern: '' + lastExecutionTimestamp: '2026-04-10T08:30:00.000Z' + lookbackPeriod: 3h + maxLogsPerPage: 40000 + maxLogsPerWindow: 500000 + maxLogsPerWindowCapBehavior: defer + maxPageSearchSize: 10000 + maxTimeWindowSize: 15m + status: started + timeout: 25s + timestampField: '@timestamp' + type: host + - delay: 1m + docsPerSecond: -1 + enrichPolicyExecutionInterval: null + fieldHistoryLength: 10 + filter: '' + frequency: 30s + indexPattern: '' + lastExecutionTimestamp: '2026-04-10T08:30:00.000Z' + lookbackPeriod: 3h + maxLogsPerPage: 40000 + maxLogsPerWindow: 500000 + maxLogsPerWindowCapBehavior: defer + maxPageSearchSize: 10000 + maxTimeWindowSize: 15m + status: started + timeout: 25s + timestampField: '@timestamp' + type: user + status: running + description: Indicates a successful response. 
+ summary: Get Entity Store status + tags: + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X GET -H "Authorization: ApiKey ${API_KEY}" \ + "${KIBANA_URL}/api/security/entity_store/status?include_components=false" + - lang: Console + source: | + GET kbn://api/security/entity_store/status?include_components=false + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security/entity_store/stop: + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/security/entity_store/stop
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Stop running entity engines, pausing data processing for the specified entity types.

[Required authorization] Route required privileges: securitySolution. + operationId: put-security-entity-store-stop + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + stopAllExample: + description: Stop all running entity engines. + summary: Stop all entity engines + value: + entityTypes: + - user + - host + - service + - generic + schema: + additionalProperties: false + type: object + properties: + entityTypes: + default: + - user + - host + - service + - generic + description: Entity types to stop. Defaults to all running types. + items: + enum: + - user + - host + - service + - generic type: string - required: - - id - description: Successful response - '400': + type: array + responses: + '200': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + stopSuccessExample: + description: The specified entity engines were successfully stopped. + summary: Engines stopped value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: + ok: true + description: Indicates a successful response. 
+ summary: Stop Entity Store engines + tags: + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X PUT -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ + -H "Content-Type: application/json" \ + -d '{"entityTypes":["user","host","service","generic"]}' \ + "${KIBANA_URL}/api/security/entity_store/stop" + - lang: Console + source: | + PUT kbn://api/security/entity_store/stop + { + "entityTypes": ["user", "host", "service", "generic"] + } + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security/entity_store/uninstall: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/security/entity_store/uninstall
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Uninstall the Entity Store, removing engines and associated resources for the specified entity types.

[Required authorization] Route required privileges: securitySolution. + operationId: post-security-entity-store-uninstall + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + uninstallAllExample: + description: Uninstall all entity engines from the Entity Store. + summary: Uninstall all entity types + value: + entityTypes: + - user + - host + - service + - generic + uninstallSingleExample: + description: Uninstall only the host engine from the Entity Store. + summary: Uninstall a single entity type + value: + entityTypes: + - host + schema: + additionalProperties: false + type: object + properties: + entityTypes: + default: + - user + - host + - service + - generic + description: Entity types to uninstall. Defaults to all installed types. + items: + enum: + - user + - host + - service + - generic type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': + type: array + responses: + '200': content: application/json: examples: - notFoundExample: - description: No proxy was found with the given ID + uninstallSuccessExample: + description: The specified entity engines were successfully uninstalled. + summary: Entity Store uninstalled value: - error: Not Found - message: Fleet proxy proxy-id-1 not found - statusCode: 404 - description: Not Found - summary: Delete a proxy + ok: true + description: Indicates a successful response. 
+ summary: Uninstall the Entity Store tags: - - Fleet proxies + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X POST -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ + -H "Content-Type: application/json" \ + -d '{"entityTypes":["user","host","service","generic"]}' \ + "${KIBANA_URL}/api/security/entity_store/uninstall" + - lang: Console + source: | + POST kbn://api/security/entity_store/uninstall + { + "entityTypes": ["user", "host", "service", "generic"] + } + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security/role: get: - description: >- - Get a proxy by ID.

[Required authorization] Route required - privileges: fleet-settings-read. - operationId: get-fleet-proxies-itemid + description: Retrieve all Kibana roles. + operationId: get-security-role parameters: - - description: The ID of the proxy - in: path - name: itemId - required: true + - description: If `true` and the response contains any privileges that are associated with deprecated features, they are omitted in favor of details about the appropriate replacement feature privileges. + in: query + name: replaceDeprecatedPrivileges + required: false schema: - type: string + type: boolean responses: '200': content: application/json: examples: - getFleetProxyExample: - description: A Fleet proxy + getAllRolesResponse: value: - item: - id: proxy-id-1 - is_preconfigured: false - name: My proxy - url: http://proxy.example.com:3128 + - _unrecognized_applications: [] + description: My custom Kibana role. + elasticsearch: + cluster: + - monitor + indices: + - names: + - logs-* + privileges: + - read + run_as: [] + kibana: + - base: + - read + feature: {} + spaces: + - default + metadata: {} + name: my_kibana_role + transient_metadata: + enabled: true schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - certificate: - nullable: true - type: string - certificate_authorities: - nullable: true - type: string - certificate_key: - nullable: true - type: string - id: - type: string - is_preconfigured: - default: false - type: boolean - name: - type: string - proxy_headers: - additionalProperties: - anyOf: - - type: string - - type: boolean - - type: number - nullable: true - type: object - url: - type: string - required: - - id - - url - - name - required: - - item - description: Successful response - '400': + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_response' + type: array + description: Indicates a successful call. 
+ summary: Get all roles + tags: + - roles + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security/role/_query: + post: + description: Query Kibana roles with optional filters, paging, and sorting. + operationId: post-security-role-query + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + queryRolesRequest: + value: + from: 0 + query: kibana + size: 25 + sort: + direction: asc + field: name + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_security_query_roles_body' + responses: + '200': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + queryRolesResponse: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + count: 1 + roles: + - _unrecognized_applications: [] + description: My custom Kibana role. + elasticsearch: + cluster: + - monitor + indices: + - names: + - logs-* + privileges: + - read + run_as: [] + kibana: + - base: + - read + feature: {} + spaces: + - default + metadata: {} + name: my_kibana_role + transient_metadata: + enabled: true + total: 1 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': + $ref: '#/components/schemas/Kibana_HTTP_APIs_security_query_roles_response' + description: Indicates a successful call. + summary: Query roles + tags: [] + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security/role/{name}: + delete: + description: Delete a Kibana role by its name. 
+ operationId: delete-security-role-name + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The role name. + in: path + name: name + required: true + schema: + minLength: 1 + type: string + responses: + '204': + description: Indicates a successful call. + summary: Delete a role + tags: + - roles + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: Retrieve a Kibana role by its name. + operationId: get-security-role-name + parameters: + - description: The role name. + in: path + name: name + required: true + schema: + minLength: 1 + type: string + - description: If `true` and the response contains any privileges that are associated with deprecated features, they are omitted in favor of details about the appropriate replacement feature privileges. + in: query + name: replaceDeprecatedPrivileges + required: false + schema: + type: boolean + responses: + '200': content: application/json: examples: - notFoundExample: - description: No proxy was found with the given ID + getRoleResponse: value: - error: Not Found - message: Fleet proxy proxy-id-1 not found - statusCode: 404 - description: Not Found - summary: Get a proxy + _unrecognized_applications: [] + description: My custom Kibana role. + elasticsearch: + cluster: + - monitor + indices: + - names: + - logs-* + privileges: + - read + run_as: [] + kibana: + - base: + - read + feature: {} + spaces: + - default + metadata: {} + name: my_kibana_role + transient_metadata: + enabled: true + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_response' + description: Indicates a successful call. + summary: Get a role tags: - - Fleet proxies + - roles + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name put: - description: >- - Update a proxy by ID.

[Required authorization] Route required - privileges: fleet-settings-all. - operationId: put-fleet-proxies-itemid + description: Create a new Kibana role or update the attributes of an existing role. Kibana roles are stored in the Elasticsearch native realm. + operationId: put-security-role-name parameters: - description: A required header to protect against CSRF attacks in: header 
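Review bot: `/api/security/role/_query` is emitted with `tags: []` while every sibling role operation in this hunk (`get`, `delete`, `get` by name, `put`) uses `tags: - roles`, so the query operation will be dropped from the "roles" group in rendered documentation and will not appear next to the endpoints it belongs with. The one-line change is `tags:` followed by `- roles` on the next line, in place of the empty array. Since this is a bundled spec, the empty tag list is presumably coming from the route's OAS metadata, which is where it should be corrected.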
@@ -32510,154 +57554,57 @@ paths: schema: example: 'true' type: string - - description: The ID of the proxy + - description: The role name. in: path - name: itemId + name: name required: true schema: + maxLength: 1024 + minLength: 1 type: string + - description: When true, a role is not overwritten if it already exists. + in: query + name: createOnly + required: false + schema: + default: false + type: boolean requestBody: content: application/json: examples: - putFleetProxyRequestExample: - description: Update a Fleet proxy + createOrUpdateRoleRequest: value: - name: Updated proxy - url: http://updated-proxy.example.com:3128 + description: My custom Kibana role. + elasticsearch: + cluster: + - monitor + indices: + - names: + - logs-* + privileges: + - read + kibana: + - base: + - read + feature: {} + spaces: + - default schema: - additionalProperties: false - type: object - properties: - certificate: - nullable: true - type: string - certificate_authorities: - nullable: true - type: string - certificate_key: - nullable: true - type: string - name: - type: string - proxy_headers: - additionalProperties: - anyOf: - - type: string - - type: boolean - - type: number - nullable: true - type: object - url: - type: string - required: - - certificate_authorities - - certificate - - certificate_key + $ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_put_payload' responses: - '200': - content: - application/json: - examples: - putFleetProxyExample: - description: The updated Fleet proxy - value: - item: - id: proxy-id-1 - is_preconfigured: false - name: Updated proxy - url: http://updated-proxy.example.com:3128 - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - certificate: - nullable: true - type: string - certificate_authorities: - nullable: true - type: string - certificate_key: - nullable: true - type: string - id: - type: string - is_preconfigured: - default: false - type: 
boolean - name: - type: string - proxy_headers: - additionalProperties: - anyOf: - - type: string - - type: boolean - - type: number - nullable: true - type: object - url: - type: string - required: - - id - - url - - name - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No proxy was found with the given ID - value: - error: Not Found - message: Proxy proxy-id-1 not found - statusCode: 404 - description: Not Found - summary: Update a proxy + '204': + description: Indicates a successful call. + summary: Create or update a role tags: - - Fleet proxies - /api/fleet/service_tokens: + - roles + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/security/roles: post: - description: >- - Create a Fleet Server service token. The token is used to enroll Fleet - Server instances with Kibana.

[Required authorization] Route - required privileges: fleet-agents-all. - operationId: post-fleet-service-tokens + description: Create or update multiple Kibana roles in a single request. + operationId: post-security-roles parameters: - description: A required header to protect against CSRF attacks in: header 
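Review bot: The `createOnly` query parameter on `PUT /api/security/role/{name}` is described as "a role is not overwritten if it already exists", but the only documented response is `'204'`, so the outcome when the role already exists and `createOnly` is true is not specified; whatever status the route actually returns in that case should be added as a response entry so clients can distinguish "created" from "refused". Separately, `name` is bounded with `maxLength: 1024` here but the `get` and `delete` operations on the same path in the previous hunk only declare `minLength: 1`; if the limit is real it should appear on all three. The `/api/security/roles` operation that starts at the end of this hunk continues outside it.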
@@ -32670,231 +57617,86 @@ paths: content: application/json: examples: - postGenerateServiceTokenRequestExample: - description: Generate a service token for a remote Fleet Server + bulkCreateOrUpdateRoles: value: - remote: true + roles: + my_kibana_role: + elasticsearch: + cluster: + - monitor + indices: + - names: + - logs-* + privileges: + - read + kibana: + - base: + - read + feature: {} + spaces: + - default schema: - additionalProperties: false - nullable: true - type: object - properties: - remote: - default: false - type: boolean + $ref: '#/components/schemas/Kibana_HTTP_APIs_security_roles_bulk_create_or_update_payload' responses: '200': content: application/json: examples: - postGenerateServiceTokenExample: - description: The generated Fleet Server service token - value: - name: elastic/fleet-server/token-1234567890 - value: >- - AAEAAWVsYXN0aWMvZmxlZXQtc2VydmVyL3Rva2VuLTEyMzQ1Njc4OTA6QUJDREVGR0hJSktMTU5P - schema: - additionalProperties: false - type: object - properties: - name: - type: string - value: - type: string - required: - - name - - value - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response + bulkCreateOrUpdateRolesResponse: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + created: + - my_kibana_role + noop: [] + updated: [] schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Create a service token + $ref: '#/components/schemas/Kibana_HTTP_APIs_security_bulk_create_or_update_roles_response' + description: Indicates a successful call. 
+ summary: Create or update roles tags: - - Fleet service tokens - /api/fleet/settings: + - roles + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/spaces/space: get: - description: >- - Get the global Fleet settings.

[Required authorization] Route - required privileges: fleet-settings-read. - operationId: get-fleet-settings - parameters: [] + description: Retrieve all available Kibana spaces. The list includes only the spaces that the user is authorized to access. + operationId: get-spaces-space + parameters: + - description: Specifies which authorization checks are applied to the API call. The default value is `any`. + in: query + name: purpose + required: false + schema: + enum: + - any + - copySavedObjectsIntoSpace + - shareSavedObjectsIntoSpace + type: string + - description: When enabled, the API returns any spaces the user is authorized to access in any capacity, each including the purposes for which the user is authorized. This is useful for identifying spaces the user can read but is not authorized for a given purpose. Without the security plugin, this parameter has no effect, because no authorization checks are performed. This parameter cannot be used together with the `purpose` parameter. + in: query + name: include_authorized_purposes + required: false + schema: + type: boolean responses: '200': + description: Indicates a successful call. 
content: application/json: examples: - getSettingsExample: - description: The current Fleet settings - value: - item: - delete_unenrolled_agents: - enabled: false - is_preconfigured: false - has_seen_add_data_notice: true - id: fleet-default-settings - output_secret_storage_requirements_met: true - prerelease_integrations_enabled: false - secret_storage_requirements_met: true - version: WzEsMV0= - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - action_secret_storage_requirements_met: - type: boolean - delete_unenrolled_agents: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - is_preconfigured: - type: boolean - required: - - enabled - - is_preconfigured - download_source_auth_secret_storage_requirements_met: - type: boolean - has_seen_add_data_notice: - type: boolean - id: - type: string - ilm_migration_status: - additionalProperties: false - type: object - properties: - logs: - enum: - - success - nullable: true - type: string - metrics: - enum: - - success - nullable: true - type: string - synthetics: - enum: - - success - nullable: true - type: string - integration_knowledge_enabled: - type: boolean - output_secret_storage_requirements_met: - type: boolean - preconfigured_fields: - items: - enum: - - fleet_server_hosts - type: string - maxItems: 1 - type: array - prerelease_integrations_enabled: - type: boolean - secret_storage_requirements_met: - type: boolean - ssl_secret_storage_requirements_met: - type: boolean - use_space_awareness_migration_started_at: - nullable: true - type: string - use_space_awareness_migration_status: - enum: - - pending - - success - - error - type: string - version: - type: string - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: 
An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: Fleet settings have not been initialized - value: - error: Not Found - message: Settings not found - statusCode: 404 - schema: - additionalProperties: false - type: object - properties: - message: - type: string - required: - - message - description: Not Found - summary: Get settings + getSpacesResponseExample1: + $ref: '#/components/examples/get_spaces_response1' + getSpacesResponseExample2: + $ref: '#/components/examples/get_spaces_response2' + summary: Get all spaces tags: - - Fleet internals - put: - description: >- - Update the global Fleet settings.

[Required authorization] - Route required privileges: fleet-settings-all. - operationId: put-fleet-settings + - spaces + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: Create a new Kibana space. + operationId: post-spaces-space parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -32906,202 +57708,206 @@ paths: requestBody: content: application/json: - examples: - putSettingsRequestExample: - description: Update Fleet settings to enable pre-release integrations - value: - prerelease_integrations_enabled: true schema: additionalProperties: false type: object properties: - additional_yaml_config: - deprecated: true - type: string - delete_unenrolled_agents: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - is_preconfigured: - type: boolean - required: - - enabled - - is_preconfigured - has_seen_add_data_notice: - deprecated: true + _reserved: type: boolean - integration_knowledge_enabled: - type: boolean - kibana_ca_sha256: - deprecated: true + color: + description: The hexadecimal color code used in the space avatar. By default, the color is automatically generated from the space name. type: string - kibana_urls: - deprecated: true + description: + description: A description for the space. + type: string + disabledFeatures: + default: [] items: - format: uri + description: The list of features that are turned off in the space. 
type: string - maxItems: 10 + maxItems: 100 type: array - prerelease_integrations_enabled: - type: boolean - responses: - '200': - content: - application/json: - examples: - putSettingsExample: - description: The updated Fleet settings - value: - item: - delete_unenrolled_agents: - enabled: false - is_preconfigured: false - has_seen_add_data_notice: true - id: fleet-default-settings - output_secret_storage_requirements_met: true - prerelease_integrations_enabled: true - secret_storage_requirements_met: true - version: WzIsMV0= - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - action_secret_storage_requirements_met: - type: boolean - delete_unenrolled_agents: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - is_preconfigured: - type: boolean - required: - - enabled - - is_preconfigured - download_source_auth_secret_storage_requirements_met: - type: boolean - has_seen_add_data_notice: - type: boolean - id: - type: string - ilm_migration_status: - additionalProperties: false - type: object - properties: - logs: - enum: - - success - nullable: true - type: string - metrics: - enum: - - success - nullable: true - type: string - synthetics: - enum: - - success - nullable: true - type: string - integration_knowledge_enabled: - type: boolean - output_secret_storage_requirements_met: - type: boolean - preconfigured_fields: - items: - enum: - - fleet_server_hosts - type: string - maxItems: 1 - type: array - prerelease_integrations_enabled: - type: boolean - secret_storage_requirements_met: - type: boolean - ssl_secret_storage_requirements_met: - type: boolean - use_space_awareness_migration_started_at: - nullable: true - type: string - use_space_awareness_migration_status: - enum: - - pending - - success - - error - type: string - version: - type: string - required: - - item - description: Successful response - '400': + id: + description: The space ID 
that is part of the Kibana URL when inside the space. Space IDs are limited to lowercase alphanumeric, underscore, and hyphen characters (a-z, 0-9, _, and -). You are cannot change the ID with the update operation. + type: string + imageUrl: + description: The data-URL encoded image to display in the space avatar. If specified, initials will not be displayed and the color will be visible as the background color for transparent images. For best results, your image should be 64x64. Images will not be optimized by this API call, so care should be taken when using custom images. + type: string + initials: + description: One or two characters that are shown in the space avatar. By default, the initials are automatically generated from the space name. + maxLength: 2 + type: string + name: + description: 'The display name for the space. ' + minLength: 1 + type: string + projectRouting: + description: Cross-project search default routing configuration for this space. Controls whether searches are scoped to a single project or span multiple projects in serverless environments. + type: string + required: + - id + - name + examples: + createSpaceRequest: + $ref: '#/components/examples/create_space_request' + responses: + '200': content: application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 schema: additionalProperties: false - description: Generic Error type: object properties: - attributes: - nullable: true - error: + _reserved: + type: boolean + color: + description: The hexadecimal color code used in the space avatar. By default, the color is automatically generated from the space name. type: string - errorType: + description: + description: A description for the space. type: string - message: + disabledFeatures: + default: [] + items: + description: The list of features that are turned off in the space. 
+ type: string + maxItems: 100 + type: array + id: + description: The space ID that is part of the Kibana URL when inside the space. Space IDs are limited to lowercase alphanumeric, underscore, and hyphen characters (a-z, 0-9, _, and -). You are cannot change the ID with the update operation. + type: string + imageUrl: + description: The data-URL encoded image to display in the space avatar. If specified, initials will not be displayed and the color will be visible as the background color for transparent images. For best results, your image should be 64x64. Images will not be optimized by this API call, so care should be taken when using custom images. + type: string + initials: + description: One or two characters that are shown in the space avatar. By default, the initials are automatically generated from the space name. + maxLength: 2 + type: string + name: + description: 'The display name for the space. ' + minLength: 1 + type: string + projectRouting: + description: Cross-project search default routing configuration for this space. Controls whether searches are scoped to a single project or span multiple projects in serverless environments. type: string - statusCode: - type: number required: - - message - - attributes - description: Bad Request + - id + - name + examples: + createSpaceResponseExample: + $ref: '#/components/examples/get_space_response' + description: Indicates a successful call. + summary: Create a space + tags: + - spaces + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/spaces/space/{id}: + delete: + description: When you delete a space, all saved objects that belong to the space are automatically deleted, which is permanent and cannot be undone. + operationId: delete-spaces-space-id + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The space identifier. 
+ in: path + name: id + required: true + schema: + type: string + responses: + '204': + description: Indicates a successful call. '404': + description: Indicates that the request failed. + summary: Delete a space + tags: + - spaces + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: Retrieve a single Kibana space by its identifier. + operationId: get-spaces-space-id + parameters: + - description: The space identifier. + in: path + name: id + required: true + schema: + type: string + responses: + '200': content: application/json: examples: - notFoundExample: - description: Fleet settings have not been initialized + getSpaceResponse: + description: A response that contains the full configuration for a single Kibana space. + summary: Get details about a marketing space value: - error: Not Found - message: Settings not found - statusCode: 404 + color: '#aabbcc' + description: This is the Marketing Space + disabledFeatures: [] + id: marketing + imageUrl: '' + initials: MK + name: Marketing + solution: es schema: additionalProperties: false type: object properties: - message: + _reserved: + type: boolean + color: + description: The hexadecimal color code used in the space avatar. By default, the color is automatically generated from the space name. + type: string + description: + description: A description for the space. + type: string + disabledFeatures: + default: [] + items: + description: The list of features that are turned off in the space. + type: string + maxItems: 100 + type: array + id: + description: The space ID that is part of the Kibana URL when inside the space. Space IDs are limited to lowercase alphanumeric, underscore, and hyphen characters (a-z, 0-9, _, and -). You are cannot change the ID with the update operation. + type: string + imageUrl: + description: The data-URL encoded image to display in the space avatar. 
If specified, initials will not be displayed and the color will be visible as the background color for transparent images. For best results, your image should be 64x64. Images will not be optimized by this API call, so care should be taken when using custom images. + type: string + initials: + description: One or two characters that are shown in the space avatar. By default, the initials are automatically generated from the space name. + maxLength: 2 + type: string + name: + description: 'The display name for the space. ' + minLength: 1 + type: string + projectRouting: + description: Cross-project search default routing configuration for this space. Controls whether searches are scoped to a single project or span multiple projects in serverless environments. type: string required: - - message - description: Not Found - summary: Update settings + - id + - name + description: Indicates a successful call. + summary: Get a space tags: - - Fleet internals - /api/fleet/setup: - post: - description: >- - Initialize Fleet and create the necessary Elasticsearch resources for - Fleet to operate. Safe to call multiple times (idempotent). Returns the - initialization status and any non-fatal errors encountered during - setup.

[Required authorization] Route required privileges: - fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR - fleet-setup. - operationId: post-fleet-setup + - spaces + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: Update an existing Kibana space. + operationId: put-spaces-space-id parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -33110,152 +57916,882 @@ paths: schema: example: 'true' type: string + - description: The space identifier. You are unable to change the ID with the update operation. + in: path + name: id + required: true + schema: + type: string + requestBody: + content: + application/json: + schema: + additionalProperties: false + type: object + properties: + _reserved: + type: boolean + color: + description: The hexadecimal color code used in the space avatar. By default, the color is automatically generated from the space name. + type: string + description: + description: A description for the space. + type: string + disabledFeatures: + default: [] + items: + description: The list of features that are turned off in the space. + type: string + maxItems: 100 + type: array + id: + description: The space ID that is part of the Kibana URL when inside the space. Space IDs are limited to lowercase alphanumeric, underscore, and hyphen characters (a-z, 0-9, _, and -). You are cannot change the ID with the update operation. + type: string + imageUrl: + description: The data-URL encoded image to display in the space avatar. If specified, initials will not be displayed and the color will be visible as the background color for transparent images. For best results, your image should be 64x64. Images will not be optimized by this API call, so care should be taken when using custom images. + type: string + initials: + description: One or two characters that are shown in the space avatar. By default, the initials are automatically generated from the space name. + maxLength: 2 + type: string + name: + description: 'The display name for the space. ' + minLength: 1 + type: string + projectRouting: + description: Cross-project search default routing configuration for this space. Controls whether searches are scoped to a single project or span multiple projects in serverless environments. 
+ type: string + required: + - id + - name + examples: + updateSpaceRequest: + $ref: '#/components/examples/update_space_request' responses: '200': content: application/json: examples: - fleetSetupSuccessExample: - description: Fleet initialized successfully with no non-fatal errors - value: - isInitialized: true - nonFatalErrors: [] - fleetSetupWithNonFatalErrorsExample: - description: >- - Fleet initialized but encountered non-fatal errors during - setup + updateSpaceResponse: + description: A response that contains the updated configuration of the Kibana space. + summary: Update the marketing space value: - isInitialized: true - nonFatalErrors: - - message: Package fleet_server not found in registry - name: PackageNotFoundError + color: '#aabbcc' + description: An updated description for the Marketing Space + disabledFeatures: [] + id: marketing + imageUrl: '' + initials: MK + name: Marketing + solution: es schema: additionalProperties: false - description: >- - A summary of the result of Fleet's `setup` lifecycle. If - `isInitialized` is true, Fleet is ready to accept agent - enrollment. `nonFatalErrors` may include useful insight into - non-blocking issues with Fleet setup. type: object properties: - isInitialized: + _reserved: type: boolean - nonFatalErrors: + color: + description: The hexadecimal color code used in the space avatar. By default, the color is automatically generated from the space name. + type: string + description: + description: A description for the space. + type: string + disabledFeatures: + default: [] items: - additionalProperties: false - type: object - properties: - message: - type: string - name: - type: string - required: - - name - - message - maxItems: 10000 + description: The list of features that are turned off in the space. + type: string + maxItems: 100 type: array + id: + description: The space ID that is part of the Kibana URL when inside the space. 
Space IDs are limited to lowercase alphanumeric, underscore, and hyphen characters (a-z, 0-9, _, and -). You are cannot change the ID with the update operation. + type: string + imageUrl: + description: The data-URL encoded image to display in the space avatar. If specified, initials will not be displayed and the color will be visible as the background color for transparent images. For best results, your image should be 64x64. Images will not be optimized by this API call, so care should be taken when using custom images. + type: string + initials: + description: One or two characters that are shown in the space avatar. By default, the initials are automatically generated from the space name. + maxLength: 2 + type: string + name: + description: 'The display name for the space. ' + minLength: 1 + type: string + projectRouting: + description: Cross-project search default routing configuration for this space. Controls whether searches are scoped to a single project or span multiple projects in serverless environments. + type: string required: - - isInitialized - - nonFatalErrors - description: Fleet setup completed - '400': + - id + - name + description: Indicates a successful call. + summary: Update a space + tags: + - spaces + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/status: + get: + description: Returns Kibana's overall operational status and a per-service breakdown for Elasticsearch, Saved Objects, and registered plugins. The endpoint is intended for liveness and readiness checks (for example, by Kubernetes probes) and for operators monitoring a Kibana deployment. Unauthenticated callers receive a redacted response that exposes only the overall status level. + operationId: get-status + parameters: + - description: Set to "true" to get the response in v7 format. + in: query + name: v7format + required: false + schema: + type: boolean + - description: Set to "true" to get the response in v8 format. 
+ in: query + name: v8format + required: false + schema: + type: boolean + responses: + '200': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + statusAvailableResponse: + description: A successful response when Kibana and its core services are operating normally. + summary: Kibana is available value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + metrics: + collection_interval_in_millis: 5000 + elasticsearch_client: + totalActiveSockets: 4 + totalIdleSockets: 2 + totalQueuedRequests: 0 + last_updated: '2026-04-30T12:00:05.000Z' + name: kibana + status: + core: + elasticsearch: + level: available + summary: Elasticsearch is available + savedObjects: + level: available + summary: SavedObjects service has completed migrations and is available + overall: + level: available + summary: All services are available + plugins: {} + uuid: 5b2de169-2785-441b-ae8c-186a1936b17d + version: + build_date: '2026-04-30T12:00:00.000Z' + build_flavor: traditional + build_hash: ad8f0fa4d5022f56bbe2c4d51e9d0fcfa1ee67fc + build_number: 100200 + build_snapshot: false + number: 9.3.0 + statusRedactedResponse: + description: A redacted response returned when the caller is unauthenticated or lacks the `monitor` cluster privilege. + summary: Kibana is available (redacted) + value: + status: + overall: + level: available schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '500': + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_response' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_redactedResponse' + description: Kibana's operational status. A minimal response is sent for unauthorized users. 
+ description: Overall status is OK and Kibana should be functioning normally. + '503': content: application/json: examples: - internalErrorResponseExample: - description: Example of an internal server error response + statusUnavailableResponse: + description: A response when one or more core services are unavailable. + summary: Kibana is unavailable value: - error: Internal Server Error - message: An error message describing what went wrong - statusCode: 500 + metrics: + collection_interval_in_millis: 5000 + elasticsearch_client: + totalActiveSockets: 0 + totalIdleSockets: 0 + totalQueuedRequests: 0 + last_updated: '2026-04-30T12:00:05.000Z' + name: kibana + status: + core: + elasticsearch: + level: unavailable + summary: Unable to connect to Elasticsearch + savedObjects: + level: unavailable + summary: SavedObjects service depends on Elasticsearch + overall: + level: unavailable + summary: Some services are unavailable + plugins: {} + uuid: 5b2de169-2785-441b-ae8c-186a1936b17d + version: + build_date: '2026-04-30T12:00:00.000Z' + build_flavor: traditional + build_hash: ad8f0fa4d5022f56bbe2c4d51e9d0fcfa1ee67fc + build_number: 100200 + build_snapshot: false + number: 9.3.0 schema: - additionalProperties: false - description: Internal Server Error - type: object - properties: - message: - type: string - required: - - message - description: Internal Server Error - summary: Initiate Fleet setup + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_response' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_redactedResponse' + description: Kibana's operational status. A minimal response is sent for unauthorized users. + description: Kibana or some of its essential services are unavailable. Kibana may be degraded or unavailable. 
+ summary: Get Kibana's current status tags: - - Fleet internals - /api/fleet/space_settings: + - system + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/streams: get: - description: Get the Fleet settings for the current Kibana space. - operationId: get-fleet-space-settings + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/streams
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Fetches list of all streams

[Required authorization] Route required privileges: read_stream. + operationId: get-streams parameters: [] + requestBody: + content: + application/json: + examples: {} + schema: + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} responses: '200': content: application/json: examples: - getSpaceSettingsExample: - description: The Fleet settings for the current Kibana space + listStreams: + value: + streams: + - description: Root logs stream + ingest: + failure_store: + inherit: {} + lifecycle: + inherit: {} + processing: + steps: [] + updated_at: '2025-01-10T08:00:00.000Z' + settings: {} + wired: + fields: + '@timestamp': + type: date + log.level: + type: keyword + message: + type: match_only_text + routing: + - destination: logs.nginx + status: enabled + where: + eq: nginx + field: host.name + name: logs + type: wired + updated_at: '2025-01-10T08:00:00.000Z' + - description: Web server access logs, routed by severity + ingest: + failure_store: + inherit: {} + lifecycle: + inherit: {} + processing: + steps: [] + updated_at: '2025-01-15T10:30:00.000Z' + settings: {} + wired: + fields: + host.name: + type: keyword + http.response.status_code: + type: long + message: + type: match_only_text + routing: + - destination: logs.nginx.errors + status: enabled + where: + field: http.response.status_code + gte: 500 + name: logs.nginx + type: wired + updated_at: '2025-01-15T10:30:00.000Z' + - description: Legacy application logs + ingest: + classic: {} + failure_store: + disabled: {} + lifecycle: + dsl: + data_retention: 30d + processing: + steps: + - action: grok + from: message + ignore_missing: true + patterns: + - '%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:log.level} %{GREEDYDATA:message}' + updated_at: '2024-12-01T09:00:00.000Z' + settings: {} + name: logs-myapp-default + type: classic + updated_at: '2024-12-01T09:00:00.000Z' + - description: All error-level logs across every stream + name: logs.errors + query: + esql: FROM 
logs* | WHERE log.level == "error" + view: logs.errors-view + type: query + updated_at: '2025-01-20T14:00:00.000Z' + description: A list of all streams. + summary: Get stream list + tags: + - streams + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/streams/_disable: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/streams/_disable
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Disables wired streams and deletes all existing stream definitions. The data of wired streams is deleted, but the data of classic streams is preserved.

[Required authorization] Route required privileges: manage_stream. + operationId: post-streams-disable + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: {} + schema: + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} + responses: + '200': + description: Streams were disabled successfully. + summary: Disable streams + tags: + - streams + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/streams/_enable: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/streams/_enable
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Enables wired streams

[Required authorization] Route required privileges: manage_stream. + operationId: post-streams-enable + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: {} + schema: + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} + responses: + '200': + description: Streams were enabled successfully. + summary: Enable streams + tags: + - streams + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/streams/_resync: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/streams/_resync
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Resyncs all streams, making sure that Elasticsearch assets are up to date

[Required authorization] Route required privileges: manage_stream. + operationId: post-streams-resync + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: {} + schema: + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} + responses: + '200': + description: Streams were resynced successfully. + summary: Resync streams + tags: + - streams + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/streams/{name}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/streams/{name}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Deletes a stream definition and the underlying data stream

[Required authorization] Route required privileges: manage_stream. + operationId: delete-streams-name + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The name of the stream. + in: path + name: name + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: {} + schema: + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} + responses: + '200': + description: The stream was deleted successfully. + summary: Delete a stream + tags: + - streams + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/streams/{name}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Fetches a stream definition and associated dashboards

[Required authorization] Route required privileges: read_stream. + operationId: get-streams-name + parameters: + - description: The name of the stream. + in: path + name: name + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: {} + schema: + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} + responses: + '200': + content: + application/json: + examples: + getWiredStream: value: - item: - allowed_namespace_prefixes: - - team-a - - team-b - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - allowed_namespace_prefixes: - items: - type: string - maxItems: 100 - type: array - managed_by: - type: string - required: - - allowed_namespace_prefixes - required: - - item - description: Successful response - summary: Get space settings - tags: [] - x-state: Generally available + dashboards: [] + data_stream_exists: true + effective_failure_store: + disabled: {} + from: logs + effective_lifecycle: + dsl: + data_retention: 7d + from: logs + effective_settings: {} + inherited_fields: + '@timestamp': + from: logs + type: date + log.level: + from: logs + type: keyword + privileges: + create_snapshot_repository: false + lifecycle: true + manage: true + manage_failure_store: true + monitor: true + read_failure_store: true + simulate: true + text_structure: true + view_index_metadata: true + queries: [] + rules: [] + stream: + description: Web server access logs, routed by severity + ingest: + failure_store: + inherit: {} + lifecycle: + inherit: {} + processing: + steps: [] + updated_at: '2025-01-15T10:30:00.000Z' + settings: {} + wired: + fields: + host.name: + type: keyword + http.response.status_code: + type: long + message: + type: match_only_text + routing: + - destination: logs.nginx.errors + status: enabled + where: + field: http.response.status_code + gte: 500 + name: logs.nginx + type: wired + 
updated_at: '2025-01-15T10:30:00.000Z' + description: Stream definition and associated metadata. + summary: Get a stream + tags: + - streams + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/streams/{name}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Creates or updates a stream definition. Classic streams can not be created through this API, only updated

[Required authorization] Route required privileges: manage_stream. + operationId: put-streams-name + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The name of the stream. + in: path + name: name + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + createQueryStream: + value: + dashboards: [] + queries: [] + rules: [] + stream: + description: All error-level logs across every stream + query: + esql: FROM logs* | WHERE log.level == "error" + view: logs.errors-view + type: query + createWiredStream: + value: + dashboards: [] + queries: [] + rules: [] + stream: + description: Web server access logs, routed by severity + ingest: + failure_store: + inherit: {} + lifecycle: + inherit: {} + processing: + steps: [] + settings: {} + wired: + fields: + host.name: + type: keyword + http.response.status_code: + type: long + message: + type: match_only_text + routing: + - destination: logs.nginx.errors + status: enabled + where: + field: http.response.status_code + gte: 500 + type: wired + updateClassicStream: + value: + dashboards: [] + queries: [] + rules: [] + stream: + description: Legacy application logs managed as a classic data stream + ingest: + classic: {} + failure_store: + disabled: {} + lifecycle: + dsl: + data_retention: 30d + processing: + steps: + - action: grok + from: message + ignore_missing: true + patterns: + - '%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:log.level} %{GREEDYDATA:message}' + settings: {} + type: classic + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamUpsertRequest' + responses: + '200': + description: The stream was created or updated successfully. 
+ summary: Create or update a stream + tags: + - streams + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/streams/{name}/_fork: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/streams/{name}/_fork
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Forks a wired stream and creates a child stream

[Required authorization] Route required privileges: manage_stream. + operationId: post-streams-name-fork + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The name of the parent stream to fork from. + in: path + name: name + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + forkStream: + value: + status: enabled + stream: + name: logs.nginx.errors + where: + eq: '500' + field: http.response.status_code + schema: + additionalProperties: false + type: object + properties: + draft: + type: boolean + status: + enum: + - enabled + - disabled + type: string + stream: + additionalProperties: false + type: object + properties: + name: + type: string + required: + - name + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + required: + - stream + - where + responses: + '200': + description: The stream was forked successfully. + summary: Fork a stream + tags: + - streams + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/streams/{name}/_ingest: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/streams/{name}/_ingest
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Fetches the ingest settings of an ingest stream definition

[Required authorization] Route required privileges: read_stream. + operationId: get-streams-name-ingest + parameters: + - description: The name of the stream. + in: path + name: name + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: {} + schema: + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} + responses: + '200': + content: + application/json: + examples: + getWiredIngest: + value: + ingest: + failure_store: + inherit: {} + lifecycle: + inherit: {} + processing: + steps: + - action: grok + from: message + ignore_missing: false + patterns: + - '%{IPORHOST:client.ip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:@timestamp}\] "%{WORD:http.method} %{DATA:url.original} HTTP/%{NUMBER:http.version}" %{NUMBER:http.response.status_code:int} (?:%{NUMBER:http.response.body.bytes:int}|-)' + updated_at: '2025-01-15T10:30:00.000Z' + settings: {} + wired: + fields: + client.ip: + type: ip + http.method: + type: keyword + http.response.body.bytes: + type: long + http.response.status_code: + type: long + url.original: + type: wildcard + routing: + - destination: logs.nginx.errors + status: enabled + where: + field: http.response.status_code + gte: 500 + description: Ingest settings for the stream. + summary: Get ingest stream settings + tags: + - streams + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name put: - description: >- - Create or update Fleet settings for the current Kibana - space.

[Required authorization] Route required privileges: - fleet-settings-all. - operationId: put-fleet-space-settings + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/streams/{name}/_ingest
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Upserts the ingest settings of an ingest stream definition

[Required authorization] Route required privileges: manage_stream. + operationId: put-streams-name-ingest parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -33264,19046 +58800,46608 @@ paths: schema: example: 'true' type: string + - description: The name of the stream. + in: path + name: name + required: true + schema: + type: string requestBody: content: application/json: examples: - putSpaceSettingsRequestExample: - description: Update allowed namespace prefixes for the current Kibana space + upsertWiredIngest: value: - allowed_namespace_prefixes: - - team-a - - team-b + ingest: + failure_store: + inherit: {} + lifecycle: + inherit: {} + processing: + steps: + - action: grok + from: message + ignore_missing: false + patterns: + - '%{IPORHOST:client.ip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:@timestamp}\] "%{WORD:http.method} %{DATA:url.original} HTTP/%{NUMBER:http.version}" %{NUMBER:http.response.status_code:int} (?:%{NUMBER:http.response.body.bytes:int}|-)' + settings: {} + wired: + fields: + client.ip: + type: ip + http.method: + type: keyword + http.response.body.bytes: + type: long + http.response.status_code: + type: long + url.original: + type: wildcard + routing: + - destination: logs.nginx.errors + status: enabled + where: + eq: '500' + field: http.response.status_code schema: additionalProperties: false type: object properties: - allowed_namespace_prefixes: - items: - type: string - maxItems: 10 - type: array - responses: - '200': - content: - application/json: - examples: - putSpaceSettingsExample: - description: The updated Fleet settings for the current Kibana space - value: - item: - allowed_namespace_prefixes: - - team-a - - team-b - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - allowed_namespace_prefixes: - items: - type: string - maxItems: 100 - type: array - managed_by: - type: string - required: - - allowed_namespace_prefixes - required: - - item - description: Successful response - summary: Create space settings - tags: [] - x-state: Generally available - /api/fleet/uninstall_tokens: - get: - description: 
>- - List the metadata for the latest uninstall tokens per agent - policy.

[Required authorization] Route required privileges: - fleet-agents-all. - operationId: get-fleet-uninstall-tokens - parameters: - - description: Partial match filtering for policy IDs - in: query - name: policyId - required: false - schema: - maxLength: 50 - type: string - - description: Partial match filtering for uninstall token values - in: query - name: search - required: false - schema: - maxLength: 50 - type: string - - description: The number of items to return - in: query - name: perPage - required: false - schema: - minimum: 5 - type: number - - description: Page number - in: query - name: page - required: false - schema: - minimum: 1 - type: number - responses: - '200': - content: - application/json: - examples: - getUninstallTokensExample: - description: List of uninstall token metadata for agent policies - value: - items: - - created_at: '2024-01-01T00:00:00.000Z' - id: token-id-1 - namespaces: - - default - policy_id: policy-id-1 - policy_name: Default policy - - created_at: '2024-01-02T00:00:00.000Z' - id: token-id-2 - namespaces: - - production - policy_id: policy-id-2 - policy_name: Production policy - page: 1 - perPage: 20 - total: 2 - schema: - additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: false + ingest: + anyOf: + - additionalProperties: false type: object properties: - created_at: - type: string - id: - type: string - namespaces: - items: - type: string - maxItems: 100 - type: array - policy_id: - type: string - policy_name: - nullable: true - type: string + failure_store: + $ref: '#/components/schemas/Kibana_HTTP_APIs_FailureStore' + lifecycle: + $ref: '#/components/schemas/Kibana_HTTP_APIs_IngestStreamLifecycle' + processing: + additionalProperties: false + type: object + properties: + steps: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamlangStep' + type: array + updated_at: {} + required: + - steps + settings: + additionalProperties: false + type: object + properties: + 
index.number_of_replicas: + additionalProperties: false + type: object + properties: + value: + type: number + required: + - value + index.number_of_shards: + additionalProperties: false + type: object + properties: + value: + type: number + required: + - value + index.refresh_interval: + additionalProperties: false + type: object + properties: + value: + anyOf: + - type: string + - enum: + - -1 + type: number + required: + - value + wired: + additionalProperties: false + type: object + properties: + draft: + type: boolean + fields: + $ref: '#/components/schemas/Kibana_HTTP_APIs_FieldDefinition' + routing: + items: + type: object + properties: + destination: + description: A non-empty string. + minLength: 1 + type: string + draft: + type: boolean + status: + enum: + - enabled + - disabled + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + required: + - destination + - where + type: array + required: + - fields + - routing required: - - id - - policy_id - - created_at - maxItems: 10000 - type: array - page: - type: number - perPage: - type: number - total: - type: number - required: - - items - - total - - page - - perPage - description: Successful response - '400': - content: - application/json: - examples: - conflictingQueryParamsExample: - description: Both policyId and search query parameters were provided - value: - error: Bad Request - message: >- - Query parameters `policyId` and `search` cannot be used at - the same time. 
- statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get metadata for latest uninstall tokens + - lifecycle + - processing + - settings + - failure_store + - wired + - additionalProperties: false + type: object + properties: + classic: + additionalProperties: false + type: object + properties: + field_overrides: + $ref: '#/components/schemas/Kibana_HTTP_APIs_ClassicFieldDefinition' + failure_store: + $ref: '#/components/schemas/Kibana_HTTP_APIs_FailureStore' + lifecycle: + $ref: '#/components/schemas/Kibana_HTTP_APIs_IngestStreamLifecycle' + processing: + additionalProperties: false + type: object + properties: + steps: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamlangStep' + type: array + updated_at: {} + required: + - steps + settings: + additionalProperties: false + type: object + properties: + index.number_of_replicas: + additionalProperties: false + type: object + properties: + value: + type: number + required: + - value + index.number_of_shards: + additionalProperties: false + type: object + properties: + value: + type: number + required: + - value + index.refresh_interval: + additionalProperties: false + type: object + properties: + value: + anyOf: + - type: string + - enum: + - -1 + type: number + required: + - value + required: + - lifecycle + - processing + - settings + - failure_store + - classic + required: + - ingest + responses: + '200': + description: The ingest settings were updated successfully. 
+ summary: Update ingest stream settings tags: - - Fleet uninstall tokens - /api/fleet/uninstall_tokens/{uninstallTokenId}: + - streams + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/streams/{name}/_query: get: - description: >- - Get one decrypted uninstall token by its ID.

[Required - authorization] Route required privileges: fleet-agents-all. - operationId: get-fleet-uninstall-tokens-uninstalltokenid + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/streams/{name}/_query
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Fetches the query settings of a query stream definition

[Required authorization] Route required privileges: read_stream. + operationId: get-streams-name-query parameters: - - description: The ID of the uninstall token + - description: The name of the query stream. in: path - name: uninstallTokenId + name: name required: true schema: type: string + requestBody: + content: + application/json: + examples: {} + schema: + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} responses: '200': - content: - application/json: - examples: - getUninstallTokenExample: - description: Decrypted uninstall token for an agent policy - value: - item: - created_at: '2024-01-01T00:00:00.000Z' - id: token-id-1 - namespaces: - - default - policy_id: policy-id-1 - policy_name: Default policy - token: CKHJsJcBqNwIRcRBNDaE - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - created_at: - type: string - id: - type: string - namespaces: - items: - type: string - maxItems: 100 - type: array - policy_id: - type: string - policy_name: - nullable: true - type: string - token: - type: string - required: - - id - - policy_id - - created_at - - token - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No uninstall token was found with the given ID - value: - error: Not Found - message: Uninstall Token not 
found with ID token-id-1 - statusCode: 404 - description: Not Found - summary: Get a decrypted uninstall token + description: Query settings for the stream. + summary: Get query stream settings tags: - - Fleet uninstall tokens - /api/lists: - delete: - description: | - Delete a value list using the list ID. - > info - > When you delete a list, all of its list items are also deleted. - operationId: DeleteList + - streams + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/streams/{name}/_query
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Upserts the query settings of a query stream definition

[Required authorization] Route required privileges: manage_stream. + operationId: put-streams-name-query parameters: - - description: Value list identifier to delete, including all of its list items. - in: query - name: id + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' - - description: >- - Determines whether exception items referencing this value list - should be deleted. - in: query - name: deleteReferences - required: false - schema: - default: false - example: false - type: boolean - - description: >- - Determines whether to delete value list without performing any - additional checks of where this list may be utilized. - in: query - name: ignoreReferences - required: false + example: 'true' + type: string + - description: The name of the query stream. + in: path + name: name + required: true schema: - default: false - example: false - type: boolean - responses: - '200': - content: - application/json: - examples: - ipList: - value: - _version: WzIsMV0= - '@timestamp': 2025-01-08T04:47:34.273Z - created_at: 2025-01-08T04:47:34.273Z - created_by: elastic - description: List of bad internet ips. 
- id: 21b01cfb-058d-44b9-838c-282be16c91cd - immutable: false - name: Bad ips - tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 - type: ip - updated_at: 2025-01-08T05:39:39.292Z - updated_by: elastic - version: 3 - schema: - $ref: '#/components/schemas/Security_Lists_API_List' - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: '[request query]: id: Required' - statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [DELETE /api/lists?id=ip_list] is unauthorized for - user, this action is granted by the Kibana privileges - [lists-all] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message: 'list id: \"ip_list\" was not found' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: 
'#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Delete a value list + type: string + requestBody: + content: + application/json: + examples: + upsertQueryStream: + value: + query: + esql: FROM logs* | WHERE log.level == "error" | KEEP @timestamp, message, host.name, log.level + schema: + additionalProperties: false + type: object + properties: + field_descriptions: + additionalProperties: + type: string + type: object + query: + additionalProperties: false + type: object + properties: + esql: + type: string + required: + - esql + required: + - query + responses: + '200': + description: The query stream settings were updated successfully. + summary: Upsert query stream settings tags: - - Security Lists API - get: - description: Get the details of a value list using the list ID. - operationId: ReadList + - streams + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/streams/{name}/content/export: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/streams/{name}/content/export
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Exports the content associated to a stream.

[Required authorization] Route required privileges: manage_stream. + operationId: post-streams-name-content-export parameters: - - description: Value list identifier (`id`) returned when the list was created. - in: query - name: id + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' - responses: - '200': - content: - application/json: - examples: - ip: - value: - _version: WzEsMV0= - '@timestamp': 2025-01-08T04:47:34.273Z - created_at: 2025-01-08T04:47:34.273Z - created_by: elastic - description: This list describes bad internet ip - id: ip_list - immutable: false - name: My bad ips - tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 - type: ip - updated_at: 2025-01-08T05:21:53.843Z - updated_by: elastic - version: 1 - schema: - $ref: '#/components/schemas/Security_Lists_API_List' - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: '[request query]: id: Required' - statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [GET /api/lists?id=ip_list] is unauthorized for user, - this action is 
granted by the Kibana privileges - [lists-read] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message: 'list id: \"foo\" not found' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Get value list details - tags: - - Security Lists API - patch: - description: Update specific fields of an existing list using the list `id`. - operationId: PatchList + example: 'true' + type: string + - description: The name of the stream to export content from. + in: path + name: name + required: true + schema: + type: string requestBody: content: application/json: examples: - patchName: + exportContent: value: - id: ip_list - name: Bad ips list - UPDATED + description: Nginx stream content pack + include: + objects: + all: {} + name: nginx-pack + version: 1.0.0 schema: - example: - id: ip_list - name: Bad ips list - UPDATED + additionalProperties: false type: object properties: - _version: - $ref: '#/components/schemas/Security_Lists_API_ListVersionId' description: - $ref: '#/components/schemas/Security_Lists_API_ListDescription' - id: - $ref: '#/components/schemas/Security_Lists_API_ListId' - meta: - $ref: '#/components/schemas/Security_Lists_API_ListMetadata' + type: string + include: + $ref: '#/components/schemas/Kibana_HTTP_APIs_ContentPackIncludedObjects' name: - $ref: '#/components/schemas/Security_Lists_API_ListName' + type: string version: - $ref: '#/components/schemas/Security_Lists_API_ListVersion' + type: string required: - - id - description: Value list's 
properties - required: true + - name + - description + - version + - include + responses: + '200': + description: Content pack archive for the stream. + summary: Export stream content + tags: + - streams + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/streams/{name}/content/import: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/streams/{name}/content/import
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Links content objects to a stream.

[Required authorization] Route required privileges: manage_stream. + operationId: post-streams-name-content-import + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The name of the stream to import content into. + in: path + name: name + required: true + schema: + type: string + requestBody: + content: + multipart/form-data: + examples: + importContent: + value: + content: + include: '{"objects":{"all":{}}}' + schema: + additionalProperties: false + type: object + properties: + content: {} + include: + type: string + required: + - include + - content + responses: + '200': + description: Content was imported into the stream successfully. + summary: Import content into a stream + tags: + - streams + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/streams/{name}/queries: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/streams/{name}/queries
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Fetches all queries linked to a stream that are visible to the current user in the current space.

[Required authorization] Route required privileges: read_stream. + operationId: get-streams-name-queries + parameters: + - description: The name of the stream. + in: path + name: name + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: {} + schema: + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} responses: '200': content: application/json: examples: - ip: - value: - _version: WzEsMV0= - '@timestamp': 2025-01-08T04:47:34.273Z - created_at: 2025-01-08T04:47:34.273Z - created_by: elastic - description: This list describes bad internet ips - id: ip_list - immutable: false - name: Bad ips list - UPDATED - tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 - type: ip - updated_at: 2025-01-08T05:21:53.843Z - updated_by: elastic - version: 2 - schema: - $ref: '#/components/schemas/Security_Lists_API_List' - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: '[request body]: name: Expected string, received number' - statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [PATCH /api/lists] is unauthorized for user, 
this - action is granted by the Kibana privileges [lists-all] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message: 'list id: \"foo\" not found' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List not found response - '500': - content: - application/json: - examples: - serverError: + listQueries: value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Patch a value list + queries: + - description: Count error-level log events grouped by host name + esql: + query: FROM logs.nginx | WHERE log.level == "error" | STATS count = COUNT(*) BY host.name + id: error-count-by-host + severity_score: 75 + title: Error count by host + type: match + - description: Requests with response time above 2 seconds + esql: + query: FROM logs.nginx | WHERE http.response_time > 2000 + id: high-latency-requests + severity_score: 50 + title: High latency requests + type: match + description: List of queries linked to the stream. + summary: Get stream queries tags: - - Security Lists API + - streams + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/streams/{name}/queries/_bulk: post: - description: Create a new value list. - operationId: CreateList + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/streams/{name}/queries/_bulk
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Bulk update queries of a stream. Can add new queries and delete existing ones.

[Required authorization] Route required privileges: manage_stream. + operationId: post-streams-name-queries-bulk + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The name of the stream. + in: path + name: name + required: true + schema: + type: string requestBody: content: application/json: examples: - ip: - value: - description: This list describes bad internet ips - id: ip_list - name: Simple list with ips - type: ip - ip_range: - value: - description: This list has ip ranges - id: ip_range_list - name: Simple list with ip ranges - type: ip_range - keyword: - value: - description: This list describes bad host names - id: keyword_list - name: Simple list with a keyword - type: keyword - keyword_custom_format: + bulkQueries: value: - description: This parses the first found ipv4 only - id: keyword_custom_format_list - name: Simple list with a keyword using a custom format - type: keyword + operations: + - index: + description: Count error-level log events grouped by host name + esql: + query: FROM logs* | WHERE log.level == "error" | STATS count = COUNT(*) BY host.name + id: error-count-by-host + title: Error count by host + - delete: + id: old-query-id schema: + additionalProperties: false type: object properties: - description: - $ref: '#/components/schemas/Security_Lists_API_ListDescription' - id: - $ref: '#/components/schemas/Security_Lists_API_ListId' - meta: - $ref: '#/components/schemas/Security_Lists_API_ListMetadata' - name: - $ref: '#/components/schemas/Security_Lists_API_ListName' - type: - $ref: '#/components/schemas/Security_Lists_API_ListType' - version: - default: 1 - minimum: 1 - type: integer + operations: + items: + anyOf: + - type: object + properties: + index: + type: object + properties: + description: + default: '' + type: string + esql: + type: object + properties: + query: + type: string + required: + - 
query + evidence: + items: + type: string + type: array + id: + description: A non-empty string. + minLength: 1 + type: string + severity_score: + type: number + title: + description: A non-empty string. + minLength: 1 + type: string + required: + - title + - esql + - id + required: + - index + - type: object + properties: + delete: + type: object + properties: + id: + type: string + required: + - id + required: + - delete + type: array required: - - name - - description - - type - description: Value list's properties - required: true + - operations responses: '200': - content: - application/json: - examples: - ip: - value: - _version: WzAsMV0= - '@timestamp': 2025-01-08T04:47:34.273Z - created_at: 2025-01-08T04:47:34.273Z - created_by: elastic - description: This list describes bad internet ips - id: ip_list - immutable: false - name: Simple list with ips - tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 - type: ip - updated_at: 2025-01-08T04:47:34.273Z - updated_by: elastic - version: 1 - ip_range: - value: - _version: WzAsMV0= - '@timestamp': 2025-01-09T18:23:52.241Z - created_at: 2025-01-09T18:23:52.241Z - created_by: elastic - description: This list has ip ranges - id: ip_range_list - immutable: false - name: Simple list with ip ranges - tie_breaker_id: 74aebdaf-601f-4940-b351-155728ff7003 - type: ip_range - updated_at: 2025-01-09T18:23:52.241Z - updated_by: elastic - version: 1 - keyword: - value: - _version: WzEsMV0= - '@timestamp': 2025-01-09T18:24:55.786Z - created_at: 2025-01-09T18:24:55.786Z - created_by: elastic - description: This list describes bad host names - id: keyword_list - immutable: false - name: Simple list with a keyword - tie_breaker_id: f7e7dbaa-daf7-4c9a-a3dc-56643923ef68 - type: keyword - updated_at: 2025-01-09T18:24:55.786Z - updated_by: elastic - version: 1 - keyword_custom_format: - value: - _version: WzIsMV0= - '@timestamp': 2025-01-09T18:25:39.604Z - created_at: 2025-01-09T18:25:39.604Z - created_by: elastic - description: This 
parses the first found ipv4 only - id: keyword_custom_format_list - immutable: false - name: Simple list with a keyword using a custom format - tie_breaker_id: 8247ae63-b780-47b8-9a89-948b643e9ec2 - type: keyword - updated_at: 2025-01-09T18:25:39.604Z - updated_by: elastic - version: 1 - schema: - $ref: '#/components/schemas/Security_Lists_API_List' - description: Successful response - '400': - content: - application/json: - examples: - notFound: - value: - message: >- - To create a list, the data stream must exist first. Data - stream \".lists-default\" does not exist - status_code: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [POST /api/lists] is unauthorized for user, this - action is granted by the Kibana privileges [lists-all] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '409': - content: - application/json: - examples: - alreadyExists: - value: - message: 'list id: "keyword_custom_format_list" already exists' - status_code: 409 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List already exists response - '500': - content: - application/json: - 
examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Create a value list + description: Bulk operation completed successfully. + summary: Bulk update queries tags: - - Security Lists API + - streams + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/streams/{name}/queries/{queryId}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/streams/{name}/queries/{queryId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Remove a query from a stream. Noop if the query is not found on the stream.

[Required authorization] Route required privileges: manage_stream. + operationId: delete-streams-name-queries-queryid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The name of the stream. + in: path + name: name + required: true + schema: + type: string + - description: The identifier of the query to remove. + in: path + name: queryId + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: {} + schema: + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} + responses: + '200': + description: The query was removed successfully. + summary: Remove a query from a stream + tags: + - streams + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name put: - description: > - Update a value list using the list `id`. The original list is replaced, - and all unspecified fields are deleted. + description: |- + **Spaces method and path for this operation:** - > info +
put /s/{space_id}/api/streams/{name}/queries/{queryId}
- > You cannot modify the `id` value. - operationId: UpdateList + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Adds a query to a stream. Noop if the query is already present on the stream.

[Required authorization] Route required privileges: manage_stream. + operationId: put-streams-name-queries-queryid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The name of the stream. + in: path + name: name + required: true + schema: + type: string + - description: The identifier of the query. + in: path + name: queryId + required: true + schema: + type: string requestBody: content: application/json: examples: - replaceList: + upsertQuery: value: - description: Latest list of bad ips - id: ip_list - name: Bad ips - updated + description: Count error-level log events grouped by host name + esql: + query: FROM logs* | WHERE log.level == "error" | STATS count = COUNT(*) BY host.name + title: Error count by host schema: - example: - description: Latest list of bad ips - id: ip_list - name: Bad ips - updated + additionalProperties: false type: object properties: - _version: - $ref: '#/components/schemas/Security_Lists_API_ListVersionId' description: - $ref: '#/components/schemas/Security_Lists_API_ListDescription' - id: - $ref: '#/components/schemas/Security_Lists_API_ListId' - meta: - $ref: '#/components/schemas/Security_Lists_API_ListMetadata' - name: - $ref: '#/components/schemas/Security_Lists_API_ListName' - version: - $ref: '#/components/schemas/Security_Lists_API_ListVersion' + default: '' + type: string + esql: + additionalProperties: false + type: object + properties: + query: + type: string + required: + - query + evidence: + items: + type: string + type: array + severity_score: + type: number + title: + description: A non-empty string. + minLength: 1 + type: string required: - - id - - name - - description - description: Value list's properties - required: true + - title + - esql + responses: + '200': + description: The query was added or updated successfully. 
+ summary: Upsert a query to a stream + tags: + - streams + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/streams/{name}/significant_events: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/streams/{name}/significant_events
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Read the significant events

[Required authorization] Route required privileges: read_stream. + operationId: get-streams-name-significant-events + parameters: + - description: The name of the stream. + in: path + name: name + required: true + schema: + type: string + - description: Start of the time range as an ISO 8601 date string. + in: query + name: from + required: true + schema: + type: string + - description: End of the time range as an ISO 8601 date string. + in: query + name: to + required: true + schema: + type: string + - description: The bucket size for aggregating events (e.g. "1m", "1h"). + in: query + name: bucketSize + required: true + schema: + pattern: ^(\d+)([smhd])$ + type: string + - description: Query string to filter significant events on metadata fields + in: query + name: query + required: false + schema: + type: string + - description: 'Search mode: keyword (BM25), semantic (vector), or hybrid (RRF). When omitted, defaults to hybrid with a silent keyword fallback on failure. When set explicitly, failures propagate as errors.' 
+ in: query + name: searchMode + required: false + schema: + enum: + - keyword + - semantic + - hybrid + type: string + requestBody: + content: + application/json: + examples: {} + schema: + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} responses: '200': content: application/json: examples: - ip: - value: - _version: WzIsMV0= - '@timestamp': 2025-01-08T04:47:34.273Z - created_at: 2025-01-08T04:47:34.273Z - created_by: elastic - description: Latest list of bad ips - id: ip_list - immutable: false - name: Bad ips - updated - tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 - type: ip - updated_at: 2025-01-08T05:39:39.292Z - updated_by: elastic - version: 3 - schema: - $ref: '#/components/schemas/Security_Lists_API_List' - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: '[request body]: id: Expected string, received number' - statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [PUT /api/lists] is unauthorized for user, this action - is granted by the Kibana privileges [lists-all] - statusCode: 403 - schema: - $ref: 
'#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message: 'list id: \"foo\" not found' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List not found response - '500': - content: - application/json: - examples: - serverError: + significantEvents: value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Update a value list + aggregated_occurrences: + - count: 42 + date: '2025-01-15T10:00:00.000Z' + - count: 18 + date: '2025-01-15T11:00:00.000Z' + - count: 7 + date: '2025-01-15T12:00:00.000Z' + significant_events: + - change_points: + type: + spike: + change_point: 1 + p_value: 0.002 + description: Count error-level log events grouped by host name + esql: + query: FROM logs.nginx | WHERE log.level == "error" | STATS count = COUNT(*) BY host.name + id: error-count-by-host + occurrences: + - count: 42 + date: '2025-01-15T10:00:00.000Z' + - count: 18 + date: '2025-01-15T11:00:00.000Z' + - count: 7 + date: '2025-01-15T12:00:00.000Z' + rule_backed: false + severity_score: 75 + stream_name: logs.nginx + title: Error count by host + type: match + description: Significant events for the stream. + summary: Read the significant events tags: - - Security Lists API - /api/lists/_find: - get: - description: >- - Get a paginated subset of value lists. By default, the first page is - returned, with 20 results per page. - operationId: FindLists + - streams + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/streams/{name}/significant_events/_generate: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/streams/{name}/significant_events/_generate
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Generate significant events queries based on the stream data

[Required authorization] Route required privileges: read_stream. + operationId: post-streams-name-significant-events-generate parameters: - - description: The page number to return. + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The name of the stream. + in: path + name: name + required: true + schema: + type: string + - description: Optional connector ID. If not provided, the default AI connector from settings will be used. in: query - name: page + name: connectorId required: false schema: - example: 1 - type: integer - - description: The number of value lists to return per page. + type: string + - description: Start of the time range as an ISO 8601 date string. in: query - name: per_page - required: false + name: from + required: true schema: - example: 20 - type: integer - - description: Determines which field is used to sort the results. + type: string + - description: End of the time range as an ISO 8601 date string. in: query - name: sort_field + name: to + required: true + schema: + type: string + - description: Number of sample documents to use for generation from the current data of stream + in: query + name: sampleDocsSize required: false schema: - example: name - format: nonempty - minLength: 1 + type: number + requestBody: + content: + application/json: + examples: {} + schema: + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} + responses: + '200': + description: Generated significant event query definitions. + summary: Generate significant events + tags: + - streams + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/streams/{name}/significant_events/_preview: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/streams/{name}/significant_events/_preview
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Preview significant event results based on a given query

[Required authorization] Route required privileges: read_stream. + operationId: post-streams-name-significant-events-preview + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' type: string - - description: Determines the sort order, which can be `desc` or `asc` + - description: The name of the stream. + in: path + name: name + required: true + schema: + type: string + - description: Start of the time range as an ISO 8601 date string. in: query - name: sort_order + name: from + required: true + schema: + type: string + - description: End of the time range as an ISO 8601 date string. + in: query + name: to + required: true + schema: + type: string + - description: The bucket size for aggregating events (e.g. "1m", "1h"). + in: query + name: bucketSize + required: true + schema: + pattern: ^(\d+)([smhd])$ + type: string + requestBody: + content: + application/json: + examples: + previewSignificantEvents: + value: + query: + esql: + query: FROM logs.nginx | WHERE log.level == "error" | STATS count = COUNT(*) BY host.name + schema: + additionalProperties: false + type: object + properties: + query: + additionalProperties: false + type: object + properties: + esql: + additionalProperties: false + type: object + properties: + query: + type: string + required: + - query + required: + - esql + required: + - query + responses: + '200': + description: Significant event preview results. + summary: Preview significant events + tags: + - streams + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/streams/{streamName}/attachments: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/streams/{streamName}/attachments
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Fetches all attachments linked to a stream that are visible to the current user in the current space. Optionally filter by attachment types, search query, and tags.

[Required authorization] Route required privileges: read_stream. + operationId: get-streams-streamname-attachments + parameters: + - description: The name of the stream + in: path + name: streamName + required: true + schema: + type: string + - description: Search query to filter attachments by title + in: query + name: query required: false schema: - enum: - - desc - - asc - example: asc type: string - - description: >- - Returns the lists that come after the last lists returned in the - previous call (use the `cursor` value returned in the previous - call). This parameter uses the `tie_breaker_id` field to ensure all - lists are sorted and returned correctly. + - description: Filter by attachment types (single value or array) in: query - name: cursor + name: attachmentTypes required: false schema: - $ref: '#/components/schemas/Security_Lists_API_FindListsCursor' - - description: > - Filters the returned results according to the value of the specified - field, - - using the : syntax. + items: + enum: + - dashboard + - rule + - slo + type: string + type: array + - description: Filter by tags (single value or array) in: query - name: filter + name: tags required: false schema: - $ref: '#/components/schemas/Security_Lists_API_FindListsFilter' + items: + type: string + type: array + requestBody: + content: + application/json: + examples: + listAttachmentsExample: + value: {} + schema: + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} responses: '200': content: application/json: examples: - ipList: - value: - cursor: >- - WzIwLFsiZjU1MDgxODgtYjFlOS00ZTZlLTk2NjItZDAzOWE3ZDg5ODk5Il1d - data: - - _version: WzAsMV0= - '@timestamp': | - 2025-01-08T04:47:34.273Z - created_at: | - 2025-01-08T04:47:34.273Z - created_by: elastic - description: This list describes bad internet ip - id: ip_list - immutable: false - name: Simple list with an ip - tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 - type: ip - updated_at: | - 
2025-01-08T04:47:34.273Z - updated_by: elastic - version: 1 - page: 1 - per_page: 20 - total: 1 - schema: - type: object - properties: - cursor: - $ref: '#/components/schemas/Security_Lists_API_FindListsCursor' - data: - items: - $ref: '#/components/schemas/Security_Lists_API_List' - type: array - page: - minimum: 0 - type: integer - per_page: - minimum: 0 - type: integer - total: - minimum: 0 - type: integer - required: - - data - - page - - per_page - - total - - cursor - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: '[request query]: page: Expected number, received nan' - statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [GET /api/lists/_find?page=1&per_page=20] is - unauthorized for user, this action is granted by the - Kibana privileges [lists-read] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '500': - content: - application/json: - examples: - serverError: + listAttachmentsResponse: value: - message: Internal Server Error - status_code: 500 - schema: - $ref: 
'#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Get value lists + attachments: + - createdAt: '2023-02-23T16:15:47.275Z' + description: Dashboard for monitoring production services + id: dashboard-123 + streamNames: + - logs.awsfirehose + - logs.nginx + tags: + - monitoring + - production + title: My Dashboard + type: dashboard + updatedAt: '2023-03-24T14:39:17.636Z' + description: Successfully retrieved attachments + summary: Get stream attachments tags: - - Security Lists API - /api/lists/index: - delete: - description: Delete the `.lists` and `.items` data streams. - operationId: DeleteListIndex - responses: - '200': - content: - application/json: - examples: - acknowledged: - value: - acknowledged: true - schema: - type: object - properties: - acknowledged: - type: boolean - required: - - acknowledged - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - message: >- - Unable to delete value list data streams: invalid or - missing index metadata - status_code: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [DELETE /api/lists/index] is not authorized; lists-all - (or 
equivalent) is required to delete data streams - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': + - streams + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/streams/{streamName}/attachments/_bulk: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/streams/{streamName}/attachments/_bulk
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Bulk update attachments linked to a stream. Can link new attachments and delete existing ones. Supports mixed attachment types in a single request.

[Required authorization] Route required privileges: manage_stream. + operationId: post-streams-streamname-attachments-bulk + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The name of the stream + in: path + name: streamName + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + bulkAttachmentsExample: + value: + operations: + - index: + id: dashboard-123 + type: dashboard + - delete: + id: rule-456 + type: rule + schema: + additionalProperties: false + type: object + properties: + operations: + items: + anyOf: + - type: object + properties: + index: + type: object + properties: + id: + type: string + type: + enum: + - dashboard + - rule + - slo + type: string + required: + - id + - type + required: + - index + - type: object + properties: + delete: + type: object + properties: + id: + type: string + type: + enum: + - dashboard + - rule + - slo + type: string + required: + - id + - type + required: + - delete + type: array + required: + - operations + responses: + '200': content: application/json: examples: - notFound: + bulkAttachmentsResponse: value: - message: The value list data stream was not found in this space - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List data stream not found response - '500': + acknowledged: true + description: Successfully performed bulk operations + summary: Bulk update attachments + tags: + - streams + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/streams/{streamName}/attachments/{attachmentType}/{attachmentId}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/streams/{streamName}/attachments/{attachmentType}/{attachmentId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Unlinks an attachment from a stream. Noop if the attachment is not linked to the stream.

[Required authorization] Route required privileges: manage_stream. + operationId: delete-streams-streamname-attachments-attachmenttype-attachmentid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The name of the stream + in: path + name: streamName + required: true + schema: + type: string + - description: The type of the attachment + in: path + name: attachmentType + required: true + schema: + enum: + - dashboard + - rule + - slo + type: string + - description: The ID of the attachment + in: path + name: attachmentId + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + unlinkAttachmentExample: + value: {} + schema: + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} + responses: + '200': content: application/json: examples: - serverError: + unlinkAttachmentResponse: value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Delete value list data streams + acknowledged: true + description: Successfully unlinked attachment + summary: Unlink an attachment from a stream tags: - - Security Lists API - get: - description: Verify that `.lists` and `.items` data streams exist. - operationId: ReadListIndex + - streams + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/streams/{streamName}/attachments/{attachmentType}/{attachmentId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Links an attachment to a stream. Noop if the attachment is already linked to the stream.

[Required authorization] Route required privileges: manage_stream. + operationId: put-streams-streamname-attachments-attachmenttype-attachmentid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The name of the stream + in: path + name: streamName + required: true + schema: + type: string + - description: The type of the attachment + in: path + name: attachmentType + required: true + schema: + enum: + - dashboard + - rule + - slo + type: string + - description: The ID of the attachment + in: path + name: attachmentId + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + linkAttachmentExample: + value: {} + schema: + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} responses: '200': content: application/json: examples: - bothExist: + linkAttachmentResponse: value: - list_index: true - list_item_index: true - schema: - type: object - properties: - list_index: - type: boolean - list_item_index: - type: boolean - required: - - list_index - - list_item_index - description: Successful response - '400': + acknowledged: true + description: Successfully linked attachment + summary: Link an attachment to a stream + tags: + - streams + x-state: Experimental + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/task_manager/_health: + get: + description: | + Get the health status of the Kibana task manager. 
+ operationId: task-manager-health + responses: + '200': content: application/json: examples: - badRequest: - value: - message: >- - Unable to read value list data stream status for this - space - status_code: 400 + taskManagerHealthResponse1: + $ref: '#/components/examples/Task_manager_health_Serverless_APIs_health_200response_serverless' schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': + $ref: '#/components/schemas/Task_manager_health_Serverless_APIs_health_response_serverless' + description: Indicates a successful call + summary: Get the task manager health + tags: + - task manager + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/timeline: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/timeline
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete one or more Timelines or Timeline templates. + operationId: DeleteTimelines + requestBody: + content: + application/json: + examples: + deleteByIds: + summary: Delete timelines by saved object id + value: + savedObjectIds: + - 15c1929b-0af7-42bd-85a8-56e234cc7c4e + deleteWithSearches: + summary: Delete Timelines and their linked saved searches + value: + savedObjectIds: + - 15c1929b-0af7-42bd-85a8-56e234cc7c4e + - 6ce1b592-84e3-4b4a-9552-f189d4b82075 + searchIds: + - 2c1b8f02-9ad6-4e33-8f6a-2c6b7d0a1f11 + schema: + type: object + properties: + savedObjectIds: + description: The list of IDs of the Timelines or Timeline templates to delete + items: + type: string + maxItems: 100 + type: array + searchIds: + description: Saved search IDs that should be deleted alongside the timelines + items: + type: string + maxItems: 100 + type: array + required: + - savedObjectIds + description: The IDs of the Timelines or Timeline templates to delete. + required: true + responses: + '200': content: application/json: examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 + success: + summary: Success + value: {} schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': + additionalProperties: true + type: object + description: Indicates a successful call. + summary: Delete Timelines or Timeline templates + tags: + - Security Timeline API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/timeline
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the details of an existing saved Timeline or Timeline template. + operationId: GetTimeline + parameters: + - description: The `savedObjectId` of the Timeline template to retrieve. + in: query + name: template_timeline_id + schema: + type: string + - description: The `savedObjectId` of the Timeline to retrieve. + in: query + name: id + schema: + type: string + responses: + '200': content: application/json: examples: - forbidden: + timelineDetail: + summary: Timeline detail value: - error: Forbidden - message: >- - API [GET /api/lists/index] is not authorized; list read - permissions are required - statusCode: 403 + description: User-reported suspicious email + noteIds: [] + pinnedEventIds: [] + savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + status: active + timelineType: default + title: Phishing investigation + version: WzE0LDFd schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': + $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' + description: Indicates a successful call. + summary: Get Timeline or Timeline template details + tags: + - Security Timeline API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + patch: + description: |- + **Spaces method and path for this operation:** + +
patch /s/{space_id}/api/timeline
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an existing Timeline. You can update the title, description, date range, pinned events, pinned queries, and/or pinned saved queries of an existing Timeline. + operationId: PatchTimeline + requestBody: + content: + application/json: + examples: + patchTitle: + summary: Update title + value: + timeline: + title: Escalated case review + timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + version: WzE0LDFd + schema: + type: object + properties: + timeline: + $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' + description: The timeline object of the Timeline or Timeline template that you’re updating. + timelineId: + description: The `savedObjectId` of the Timeline or Timeline template that you’re updating. + example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + nullable: true + type: string + version: + description: The version of the Timeline or Timeline template that you’re updating. + example: WzE0LDFd + nullable: true + type: string + required: + - timelineId + - version + - timeline + description: The Timeline updates, along with the Timeline ID and version. + required: true + responses: + '200': content: application/json: examples: - notFound: + patched: + summary: Updated timeline value: - message: Value list backing indices were not found for this space - status_code: 404 + savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + status: active + timelineType: default + title: Escalated case review + version: WzE1LDFd schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List data stream(s) not found response - '500': + $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' + description: Indicates a successful call. 
+ '405': content: application/json: examples: - serverError: + error: + summary: Error body value: - message: Internal Server Error - status_code: 500 + body: update timeline error + statusCode: 405 schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Get status of value list data streams + type: object + properties: + body: + description: The error message. + example: update timeline error + type: string + statusCode: + example: 405 + type: number + description: Indicates that the user does not have the required access to create a Timeline. + summary: Update a Timeline tags: - - Security Lists API + - Security Timeline API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name post: - deprecated: true - description: > - **DEPRECATED.** `deprecated: true` is set on this operation. Value list - backing data streams for the space - - are now created as part of supported workflows; calling this explicitly - is rarely required. + description: |- + **Spaces method and path for this operation:** - **WARNING:** Do not use for new integrations. Prefer the UI or the list - and list-item APIs after confirming - - indices exist with `GET /api/lists/index`. +
post /s/{space_id}/api/timeline
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Creates the `.lists` and `.items` data streams in the current Kibana - space. - operationId: CreateListIndex + Create a new Timeline or Timeline template. + operationId: CreateTimelines + requestBody: + content: + application/json: + examples: + createDefault: + summary: Create a default timeline + value: + timeline: + status: active + timelineType: default + title: Malware containment + schema: + type: object + properties: + status: + $ref: '#/components/schemas/Security_Timeline_API_TimelineStatus' + nullable: true + templateTimelineId: + description: A unique identifier for the Timeline template. + example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 + nullable: true + type: string + templateTimelineVersion: + description: Timeline template version number. + example: 12 + nullable: true + type: number + timeline: + $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' + timelineId: + description: A unique identifier for the Timeline. + example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 + nullable: true + type: string + timelineType: + $ref: '#/components/schemas/Security_Timeline_API_TimelineType' + nullable: true + version: + nullable: true + type: string + required: + - timeline + description: The required Timeline fields used to create a new Timeline, along with optional fields that will be created if not provided. + required: true responses: '200': content: application/json: examples: - acknowledged: - value: - acknowledged: true - schema: - type: object - properties: - acknowledged: - type: boolean - required: - - acknowledged - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - message: >- - Indices exist but the request could not be completed for - the current space. Check that Elasticsearch and Kibana - privileges allow index creation for lists. 
- status_code: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: > - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: + created: + summary: Created timeline value: - error: Forbidden - message: >- - API [POST /api/lists/index] is unauthorized for user, this - action is granted by the Kibana privileges [lists-all] - statusCode: 403 + savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + status: active + timelineType: default + title: Malware containment + version: WzE0LDFd schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '409': + $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' + description: Indicates a successful call. 
+ '405': content: application/json: examples: - alreadyExists: + error: + summary: Error body value: - message: >- - data stream: \".lists-default\" and \".items-default\" - already exists - status_code: 409 + body: update timeline error + statusCode: 405 schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List data stream exists response - '500': + type: object + properties: + body: + description: The error message + example: update timeline error + type: string + statusCode: + example: 405 + type: number + description: Indicates that there was an error in the Timeline creation. + summary: Create a Timeline or Timeline template + tags: + - Security Timeline API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/timeline/_copy: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/timeline/_copy
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Copies and returns a timeline or timeline template. + operationId: CopyTimeline + requestBody: + content: + application/json: + examples: + copyWithTitle: + summary: Copy with a new title + value: + timeline: + timelineType: default + title: Copy of investigation + timelineIdToCopy: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + schema: + type: object + properties: + timeline: + $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' + timelineIdToCopy: + description: The `savedObjectId` of the timeline or template to duplicate. + type: string + required: + - timeline + - timelineIdToCopy + description: Source timeline id to copy plus timeline fields for the new saved object. + required: true + responses: + '200': content: application/json: examples: - serverError: + copied: + summary: Newly saved timeline value: - message: Internal Server Error - status_code: 500 + savedObjectId: 6ce1b592-84e3-4b4a-9552-f189d4b82075 + status: active + timelineType: default + title: Copy of investigation + version: WzE1LDFd schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Create list data streams + $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' + description: Indicates a successful call. + summary: Copies timeline or timeline template tags: - - Security Lists API - /api/lists/items: - delete: - description: >- - Delete a value list item using its `id`, or its `list_id` and `value` - fields. - operationId: DeleteListItem + - Security Timeline API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/timeline/_draft: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/timeline/_draft
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the details of the draft Timeline or Timeline template for the current user. If the user doesn't have a draft Timeline, an empty Timeline is returned. + operationId: GetDraftTimelines parameters: - - description: >- - Value list item's identifier. Required if `list_id` and `value` are - not specified. - in: query - name: id - required: false - schema: - $ref: '#/components/schemas/Security_Lists_API_ListItemId' - - description: Value list's identifier. Required if `id` is not specified. - in: query - name: list_id - required: false - schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' - - description: >- - The value used to evaluate exceptions. Required if `id` is not - specified. + - description: Which draft to load (`default` investigation timeline or `template` timeline template). in: query - name: value - required: false - schema: - example: 255.255.255.255 - type: string - - description: >- - Determines when changes made by the request are made visible to - search. 
- in: query - name: refresh - required: false - schema: - default: 'false' - enum: - - 'true' - - 'false' - - wait_for - example: false - type: string + name: timelineType + required: true + schema: + $ref: '#/components/schemas/Security_Timeline_API_TimelineType' responses: '200': content: application/json: examples: - ip: + draftPayload: + summary: Draft timeline payload value: - _version: WzIwLDFd - '@timestamp': 2025-01-08T05:15:05.159Z - created_at: 2025-01-08T05:15:05.159Z - created_by: elastic - id: pd1WRJQBs4HAK3VQeHFI - list_id: ip_list - tie_breaker_id: eee41dc7-1666-4876-982f-8b0f7b59eca3 - type: ip - updated_at: 2025-01-08T05:44:14.009Z - updated_by: elastic - value: 255.255.255.255 + savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + status: draft + timelineType: default + title: '' + version: WzE0LDFd schema: - oneOf: - - $ref: '#/components/schemas/Security_Lists_API_ListItem' - - items: - $ref: '#/components/schemas/Security_Lists_API_ListItem' - type: array - description: Successful response - '400': + $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' + description: Indicates a successful call. + '403': content: application/json: examples: - badRequest: + forbidden: + summary: Permission denied value: - message: >- - Either \"list_id\" or \"id\" needs to be defined in the - request - status_code: 400 + message: Forbidden + status_code: 403 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': + type: object + properties: + message: + type: string + status_code: + type: number + description: If a draft Timeline was not found and we attempted to create one, it indicates that the user does not have the required permissions to create a draft Timeline. 
+ '409': content: application/json: examples: - unauthorized: + conflict: + summary: Draft conflict value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 + message: Conflict + status_code: 409 schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': + type: object + properties: + message: + type: string + status_code: + type: number + description: This should never happen, but if a draft Timeline was not found and we attempted to create one, it indicates that there is already a draft Timeline with the given `timelineId`. + summary: Get draft Timeline or Timeline template details + tags: + - Security Timeline API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/timeline/_draft
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a clean draft Timeline or Timeline template for the current user. + > info + > If the user already has a draft Timeline, the existing draft Timeline is cleared and returned. + operationId: CleanDraftTimelines + requestBody: + content: + application/json: + examples: + defaultDraft: + summary: Create a default draft timeline + value: + timelineType: default + schema: + type: object + properties: + timelineType: + $ref: '#/components/schemas/Security_Timeline_API_TimelineType' + required: + - timelineType + description: The type of Timeline to create. Valid values are `default` and `template`. + required: true + responses: + '200': content: application/json: examples: - forbidden: + draftResponse: + summary: Draft after reset or creation value: - error: Forbidden - message: >- - API [DELETE /api/lists/items?id=pd1WRJQBs4HAK3VQeHFI] is - unauthorized for user, this action is granted by the - Kibana privileges [lists-all] - statusCode: 403 + savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + status: draft + templateTimelineId: null + templateTimelineVersion: null + timelineType: default + title: '' + version: WzE0LDFd schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': + $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' + description: Indicates a successful call. 
+ '403': content: application/json: examples: - notFound: + forbidden: + summary: Permission denied value: - message: 'list item with id: \"pd1WRJQBs4HAK3VQeHFI\" not found' - status_code: 404 + message: Forbidden + status_code: 403 schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List item not found response - '500': + type: object + properties: + message: + type: string + status_code: + type: number + description: Indicates that the user does not have the required permissions to create a draft Timeline. + '409': content: application/json: examples: - serverError: + conflict: + summary: Draft conflict value: - message: Internal Server Error - status_code: 500 + message: Conflict + status_code: 409 schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Delete a value list item + type: object + properties: + message: + type: string + status_code: + type: number + description: Indicates that there is already a draft Timeline with the given `timelineId`. + summary: Create a clean draft Timeline or Timeline template tags: - - Security Lists API - get: - description: Get the details of a value list item. - operationId: ReadListItem + - Security Timeline API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/timeline/_export: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/timeline/_export
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Export Timelines as an NDJSON file. + operationId: ExportTimelines parameters: - - description: >- - Value list item identifier. Required if `list_id` and `value` are - not specified. - in: query - name: id - required: false - schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' - - description: >- - Value list item list's `id` identfier. Required if `id` is not - specified. - in: query - name: list_id - required: false - schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' - - description: >- - The value used to evaluate exceptions. Required if `id` is not - specified. + - description: The name of the file to export in: query - name: value - required: false + name: file_name + required: true schema: - example: 127.0.0.2 type: string + requestBody: + content: + application/json: + examples: + exportIds: + summary: Export by timeline ids + value: + ids: + - 15c1929b-0af7-42bd-85a8-56e234cc7c4e + schema: + type: object + properties: + ids: + items: + type: string + maxItems: 1000 + minItems: 1 + nullable: true + type: array + description: The IDs of the Timelines to export. 
+ required: true responses: '200': content: - application/json: + application/ndjson: examples: - ip: - value: - _version: WzExLDFd - '@timestamp': 2025-01-08T05:16:25.882Z - created_at: 2025-01-08T05:16:25.882Z - created_by: elastic - id: qN1XRJQBs4HAK3VQs3Gc - list_id: ip_list - tie_breaker_id: a9a34c02-a385-436e-86a0-02a3942f3537 - type: ip - updated_at: 2025-01-08T05:16:25.882Z - updated_by: elastic - value: 127.0.0.2 + ndjsonLine: + summary: Single NDJSON line + value: '{"savedObjectId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e","version":"WzE0LDFd","title":"Investigation","timelineType":"default"}' schema: - oneOf: - - $ref: '#/components/schemas/Security_Lists_API_ListItem' - - items: - $ref: '#/components/schemas/Security_Lists_API_ListItem' - type: array - description: Successful response + description: NDJSON of the exported Timelines + type: string + description: Indicates a successful call. '400': content: - application/json: + application/ndjson: examples: badRequest: + summary: Export error value: - message: >- - Either \"list_id\" or \"id\" needs to be defined in the - request - status_code: 400 + body: Export limit exceeded + statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': + type: object + properties: + body: + type: string + statusCode: + type: number + description: Bad Request response. + summary: Export Timelines + tags: + - Security Timeline API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/timeline/_favorite: + patch: + description: |- + **Spaces method and path for this operation:** + +
patch /s/{space_id}/api/timeline/_favorite
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Favorite a Timeline or Timeline template for the current user. + operationId: PersistFavoriteRoute + requestBody: + content: + application/json: + examples: + favoriteDefault: + summary: Favorite a default timeline + value: + templateTimelineId: null + templateTimelineVersion: null + timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + timelineType: default + schema: + type: object + properties: + templateTimelineId: + nullable: true + type: string + templateTimelineVersion: + nullable: true + type: number + timelineId: + nullable: true + type: string + timelineType: + $ref: '#/components/schemas/Security_Timeline_API_TimelineType' + nullable: true + required: + - timelineId + - templateTimelineId + - templateTimelineVersion + - timelineType + description: The required fields used to favorite a (template) Timeline. + required: true + responses: + '200': content: application/json: examples: - unauthorized: + favoriteResponse: + summary: Favorite metadata updated value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 + favorite: + - favoriteDate: 1741337636741 + userName: elastic + savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + timelineType: default + version: WzE2LDFd schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response + $ref: '#/components/schemas/Security_Timeline_API_FavoriteTimelineResponse' + description: Indicates a successful call. 
'403': content: application/json: examples: forbidden: + summary: Forbidden value: - error: Forbidden - message: >- - API [GET /api/lists/items?id=qN1XRJQBs4HAK3VQs3Gc] is - unauthorized for user, this action is granted by the - Kibana privileges [lists-read] + body: Forbidden statusCode: 403 schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message: 'list item id: \"foo\" not found' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List item not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Get a value list item + type: object + properties: + body: + type: string + statusCode: + type: number + description: Indicates the user does not have the required permissions to persist the favorite status. + summary: Favorite a Timeline or Timeline template tags: - - Security Lists API - patch: - description: >- - Update specific fields of an existing value list item using the item - `id`. - operationId: PatchListItem + - Security Timeline API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/timeline/_import: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/timeline/_import
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Import Timelines. + operationId: ImportTimelines requestBody: content: application/json: examples: - changeValue: + multipartPlaceholder: + summary: Request shape (file is a stream of NDJSON lines at runtime) value: - id: pd1WRJQBs4HAK3VQeHFI - value: 255.255.255.255 + file: '{"savedObjectId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e","version":"WzE0LDFd"}\n' + isImmutable: 'false' schema: type: object properties: - _version: - $ref: '#/components/schemas/Security_Lists_API_ListVersionId' - id: - $ref: '#/components/schemas/Security_Lists_API_ListItemId' - meta: - $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' - refresh: - description: >- - Determines when changes made by the request are made visible - to search. + file: {} + isImmutable: + description: Whether the Timeline should be immutable enum: - 'true' - 'false' - - wait_for type: string - value: - $ref: '#/components/schemas/Security_Lists_API_ListItemValue' required: - - id - description: Value list item's properties + - file + description: The Timelines to import as a readable stream. required: true responses: '200': content: application/json: examples: - ipItem: + importSummary: + summary: Import summary value: - _version: WzE5LDFd - '@timestamp': 2025-01-08T05:15:05.159Z - created_at: 2025-01-08T05:15:05.159Z - created_by: elastic - id: pd1WRJQBs4HAK3VQeHFI - list_id: ip_list - tie_breaker_id: eee41dc7-1666-4876-982f-8b0f7b59eca3 - type: ip - updated_at: 2025-01-08T05:23:37.602Z - updated_by: elastic - value: 255.255.255.255 + errors: [] + success: true + success_count: 5 + timelines_installed: 3 + timelines_updated: 2 schema: - $ref: '#/components/schemas/Security_Lists_API_ListItem' - description: Successful response + $ref: '#/components/schemas/Security_Timeline_API_ImportTimelineResult' + description: Indicates a successful call. 
'400': content: application/json: examples: badRequest: + summary: Invalid import value: - message: >- - {"took":15,"timed_out":false,"total":1,"updated":0,"deleted":0,"batches":1,"version_conflicts":0,"noops":0,"retries":{"bulk":0,"search":0},"throttled_millis":0,"requests_per_second":-1,"throttled_until_millis":0,"failures":[{"index":".ds-.items-default-2025.01.09-000001","id":"ip_item","cause":{"type":"document_parsing_exception","reason":"[1:107] - failed to parse field [ip] of type [ip] in document with - id ip_item. Preview of fields value: - 2","caused_by":{"type":"illegal_argument_exception","reason":"2 - is not an IP string literal."}},"status":400}]} - status_code: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [PATCH /api/lists/items] is unauthorized for user, - this action is granted by the Kibana privileges - [lists-all] - statusCode: 403 + body: Invalid file extension + statusCode: 400 schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response + type: object + properties: + body: + description: The error message + example: Invalid file extension + type: string + statusCode: + example: 400 + type: number + description: 
Bad Request response. '404': content: application/json: examples: notFound: + summary: Saved objects client missing value: - message: 'list item id: \"foo\" not found' - status_code: 404 + body: Unable to find saved object client + statusCode: 404 schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List item not found response - '500': + type: object + properties: + body: + description: The error message + example: Unable to find saved object client + type: string + statusCode: + example: 404 + type: number + description: Not found response. + '409': content: application/json: examples: - serverError: + conflict: + summary: Import conflict value: - message: Internal Server Error - status_code: 500 + body: Could not import timelines + statusCode: 409 schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Patch a value list item + type: object + properties: + body: + description: The error message + example: Could not import timelines + type: string + statusCode: + example: 409 + type: number + description: Indicates the import of Timelines was unsuccessful. + summary: Import Timelines tags: - - Security Lists API + - Security Timeline API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/timeline/_prepackaged: post: - description: > - Create a value list item and associate it with the specified value list. - + description: |- + **Spaces method and path for this operation:** - All value list items in the same list must be the same type. For - example, each list item in an `ip` list must define a specific IP - address. +
post /s/{space_id}/api/timeline/_prepackaged
- > info + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - > Before creating a list item, you must create a list. - operationId: CreateListItem + Install or update prepackaged Timelines. + operationId: InstallPrepackedTimelines requestBody: content: application/json: examples: - ip: - value: - list_id: ip_list - value: 127.0.0.1 - ip_range: - value: - list_id: ip_range_list - value: 192.168.0.0/16 - keyword: + emptyArrays: + summary: Installer payload shape value: - list_id: keyword_list - value: zeek + prepackagedTimelines: [] + timelinesToInstall: [] + timelinesToUpdate: [] schema: type: object properties: - id: - $ref: '#/components/schemas/Security_Lists_API_ListItemId' - list_id: - $ref: '#/components/schemas/Security_Lists_API_ListId' - meta: - $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' - refresh: - description: >- - Determines when changes made by the request are made visible - to search. - enum: - - 'true' - - 'false' - - wait_for - example: wait_for - type: string - value: - $ref: '#/components/schemas/Security_Lists_API_ListItemValue' + prepackagedTimelines: + items: + $ref: '#/components/schemas/Security_Timeline_API_TimelineSavedToReturnObject' + nullable: true + type: array + timelinesToInstall: + items: + $ref: '#/components/schemas/Security_Timeline_API_ImportTimelines' + nullable: true + type: array + timelinesToUpdate: + items: + $ref: '#/components/schemas/Security_Timeline_API_ImportTimelines' + nullable: true + type: array required: - - list_id - - value - description: Value list item's properties + - timelinesToInstall + - timelinesToUpdate + - prepackagedTimelines + description: The Timelines to install or update. 
required: true responses: '200': content: application/json: examples: - ip: - value: - _version: WzAsMV0= - '@timestamp': 2025-01-08T04:59:06.154Z - created_at: 2025-01-08T04:59:06.154Z - created_by: elastic - id: 21b01cfb-058d-44b9-838c-282be16c91cc - list_id: ip_list - tie_breaker_id: b57c762c-3036-465c-9bfb-7bfb5e6e515a - type: ip - updated_at: 2025-01-08T04:59:06.154Z - updated_by: elastic - value: 127.0.0.1 - ip_range: - value: - _version: WzEsMV0= - '@timestamp': 2025-01-09T18:33:08.202Z - created_at: 2025-01-09T18:33:08.202Z - created_by: elastic - id: ip_range_item - list_id: ip_range_list - tie_breaker_id: ea1b4189-efda-4637-b8f9-74655a5ebb61 - type: ip_range - updated_at: 2025-01-09T18:33:08.202Z - updated_by: elastic - value: 192.168.0.0/16 - keyword: + installResult: + summary: Install result counts value: - _version: WzIsMV0= - '@timestamp': 2025-01-09T18:34:29.422Z - created_at: 2025-01-09T18:34:29.422Z - created_by: elastic - id: 7f24737d-1da8-4626-a568-33070591bb4e - list_id: keyword_list - tie_breaker_id: 2108ced2-5e5d-401e-a88e-4dd69fc5fa27 - type: keyword - updated_at: 2025-01-09T18:34:29.422Z - updated_by: elastic - value: zeek + errors: [] + success: true + success_count: 10 + timelines_installed: 8 + timelines_updated: 2 schema: - $ref: '#/components/schemas/Security_Lists_API_ListItem' - description: Successful response - '400': + $ref: '#/components/schemas/Security_Timeline_API_ImportTimelineResult' + description: Indicates a successful call. 
+ '500': content: application/json: examples: - badRequest: + serverError: + summary: Server error value: - error: Bad Request - message: >- - uri [/api/lists/items] with method [post] exists but is - not available with the current configuration - statusCode: 400 + body: Internal error + statusCode: 500 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': + type: object + properties: + body: + type: string + statusCode: + type: number + description: Indicates the installation of prepackaged Timelines was unsuccessful. + summary: Install prepackaged Timelines + tags: + - Security Timeline API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/timeline/resolve: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/timeline/resolve
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Resolve a Timeline or Timeline template, surfacing outcomes such as `exactMatch`, `aliasMatch`, or `conflict` when object IDs have been remapped during upgrades or imports. Provide **either** `id` for default Timelines or `template_timeline_id` for templates. + operationId: ResolveTimeline + parameters: + - description: The ID of the template timeline to resolve + in: query + name: template_timeline_id + schema: + type: string + - description: The ID of the timeline to resolve + in: query + name: id + schema: + type: string + responses: + '200': content: application/json: examples: - unauthorized: + exactMatch: + description: Timeline resolved without alias or conflict + summary: Exact match outcome value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 + outcome: exactMatch + timeline: + savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + timelineType: default + title: Investigation schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': + $ref: '#/components/schemas/Security_Timeline_API_ResolvedTimeline' + description: Indicates a successful call. + '400': content: application/json: examples: - forbidden: - value: - error: Forbidden - message: >- - API [POST /api/lists/items] is unauthorized for user, this - action is granted by the Kibana privileges [lists-all] - statusCode: 403 + badRequest: + summary: Bad request + value: {} schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response + additionalProperties: true + type: object + description: Bad Request response. 
'404': content: application/json: examples: - listNotFound: - value: - message: 'list id: \"ip_list\" does not exist' - status_code: 404 + notFound: + summary: Not found + value: {} schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '409': + additionalProperties: true + type: object + description: The (template) Timeline was not found + summary: Resolve a Timeline or Timeline template + tags: + - Security Timeline API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/timelines: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/timelines
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all saved Timelines or Timeline templates. + operationId: GetTimelines + parameters: + - description: If `true`, only Timelines that the current user has marked as favorite are returned. + in: query + name: only_user_favorite + schema: + enum: + - 'true' + - 'false' + nullable: true + type: string + - description: Restrict results to `default` investigation timelines or `template` timeline templates. + in: query + name: timeline_type + schema: + $ref: '#/components/schemas/Security_Timeline_API_TimelineType' + nullable: true + - description: Field used to sort the list (`title`, `description`, `updated`, or `created`). + in: query + name: sort_field + schema: + $ref: '#/components/schemas/Security_Timeline_API_SortFieldTimeline' + - description: Whether to sort the results `ascending` or `descending` + in: query + name: sort_order + schema: + enum: + - asc + - desc + type: string + - description: How many results should returned at once + in: query + name: page_size + schema: + nullable: true + type: string + - description: How many pages should be skipped + in: query + name: page_index + schema: + nullable: true + type: string + - description: Allows to search for timelines by their title + in: query + name: search + schema: + nullable: true + type: string + - description: Filter by timeline lifecycle state (`active`, `draft`, or `immutable`). 
+ in: query + name: status + schema: + $ref: '#/components/schemas/Security_Timeline_API_TimelineStatus' + nullable: true + responses: + '200': content: application/json: examples: - alreadyExists: + timelineList: + summary: Example list response value: - message: 'list item id: \"ip_item\" already exists' - status_code: 409 + customTemplateTimelineCount: 0 + defaultTimelineCount: 1 + elasticTemplateTimelineCount: 0 + favoriteCount: 0 + templateTimelineCount: 0 + timeline: + - savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + status: active + timelineType: default + title: Phishing investigation + updated: 1741344876825 + version: WzE0LDFd + totalCount: 1 schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List item already exists response - '500': + type: object + properties: + customTemplateTimelineCount: + description: The amount of custom Timeline templates in the results + example: 2 + type: number + defaultTimelineCount: + description: The amount of `default` type Timelines in the results + example: 90 + type: number + elasticTemplateTimelineCount: + description: The amount of Elastic's Timeline templates in the results + example: 8 + type: number + favoriteCount: + description: The amount of favorited Timelines + example: 5 + type: number + templateTimelineCount: + description: The amount of Timeline templates in the results + example: 10 + type: number + timeline: + items: + $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' + type: array + totalCount: + description: The total amount of results + example: 100 + type: number + required: + - timeline + - totalCount + description: Indicates a successful call. 
+ '400': content: application/json: examples: - serverError: + badRequest: + summary: Error response body value: - message: Internal Server Error - status_code: 500 + body: get timeline error + statusCode: 400 schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Create a value list item + type: object + properties: + body: + description: The error message. + example: get timeline error + type: string + statusCode: + example: 400 + type: number + description: Bad Request response. + summary: Get Timelines or Timeline templates tags: - - Security Lists API + - Security Timeline API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/visualizations: + get: + tags: + - Visualizations + summary: Get visualizations + operationId: get-visualizations-redirect + description: | + > **Technical preview** — The Visualizations API is currently in technical preview and its full reference documentation is temporarily hosted at a separate location. + > + > **[View the full Visualizations API reference →](https://elastic.github.io/dashboards-api-spec/visualizations#tag/Visualizations)** + responses: + '200': + description: See the full Visualizations API reference for detailed response schemas. + post: + tags: + - Visualizations + summary: Create a visualization + operationId: create-visualization-redirect + description: | + > **Technical preview** — The Visualizations API is currently in technical preview and its full reference documentation is temporarily hosted at a separate location. + > + > **[View the full Visualizations API reference →](https://elastic.github.io/dashboards-api-spec/visualizations#tag/Visualizations)** + responses: + '200': + description: See the full Visualizations API reference for detailed response schemas. 
+ /api/visualizations/{id}: + get: + tags: + - Visualizations + summary: Get a visualization + operationId: get-visualization-redirect + description: | + > **Technical preview** — The Visualizations API is currently in technical preview and its full reference documentation is temporarily hosted at a separate location. + > + > **[View the full Visualizations API reference →](https://elastic.github.io/dashboards-api-spec/visualizations#tag/Visualizations)** + responses: + '200': + description: See the full Visualizations API reference for detailed response schemas. put: - description: > - Update a value list item using the list item ID. The original list item - is replaced, and all unspecified fields are deleted. + tags: + - Visualizations + summary: Update a visualization + operationId: update-visualization-redirect + description: | + > **Technical preview** — The Visualizations API is currently in technical preview and its full reference documentation is temporarily hosted at a separate location. + > + > **[View the full Visualizations API reference →](https://elastic.github.io/dashboards-api-spec/visualizations#tag/Visualizations)** + responses: + '200': + description: See the full Visualizations API reference for detailed response schemas. + delete: + tags: + - Visualizations + summary: Delete a visualization + operationId: delete-visualization-redirect + description: | + > **Technical preview** — The Visualizations API is currently in technical preview and its full reference documentation is temporarily hosted at a separate location. + > + > **[View the full Visualizations API reference →](https://elastic.github.io/dashboards-api-spec/visualizations#tag/Visualizations)** + responses: + '200': + description: See the full Visualizations API reference for detailed response schemas. + /api/workflows: + delete: + description: |- + **Spaces method and path for this operation:** - > info +
delete /s/{space_id}/api/workflows
- > You cannot modify the `id` value. - operationId: UpdateListItem + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete multiple workflows by their IDs.

[Required authorization] Route required privileges: workflowsManagement:delete. + operationId: delete-workflows + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: When true, permanently deletes the workflows (hard delete) instead of soft-deleting them. The workflow IDs become available for reuse. + in: query + name: force + required: false + schema: + default: false + type: boolean requestBody: content: application/json: examples: - fullReplace: + bulkDeleteWorkflowsRequestExample: + description: Example request for deleting multiple workflows value: - id: ip_item - value: 255.255.255.255 + ids: + - workflow-c3d4e5f6-a7b8-9012-cdef-234567890123 + - workflow-d4e5f6a7-b8c9-0123-defa-345678901234 schema: - example: - id: ip_item - value: 255.255.255.255 + additionalProperties: false type: object properties: - _version: - $ref: '#/components/schemas/Security_Lists_API_ListVersionId' - id: - $ref: '#/components/schemas/Security_Lists_API_ListItemId' - meta: - $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' - value: - $ref: '#/components/schemas/Security_Lists_API_ListItemValue' + ids: + description: Array of workflow IDs to delete. + items: + description: Workflow ID to delete. 
+ type: string + maxItems: 1000 + type: array required: - - id - - value - description: Value list item's properties - required: true + - ids responses: '200': content: application/json: examples: - ip: - value: - _version: WzIwLDFd - '@timestamp': 2025-01-08T05:15:05.159Z - created_at: 2025-01-08T05:15:05.159Z - created_by: elastic - id: pd1WRJQBs4HAK3VQeHFI - list_id: ip_list - tie_breaker_id: eee41dc7-1666-4876-982f-8b0f7b59eca3 - type: ip - updated_at: 2025-01-08T05:44:14.009Z - updated_by: elastic - value: 255.255.255.255 - schema: - $ref: '#/components/schemas/Security_Lists_API_ListItem' - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: '[request body]: id: Expected string, received number' - statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: + bulkDeleteWorkflowsResponseExample: + description: Example response after deleting multiple workflows value: - error: Forbidden - message: >- - API [PATCH /api/lists/items] is unauthorized for user, - this action is granted by the Kibana privileges - [lists-all] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges 
response - '404': + deleted: 2 + failures: [] + total: 2 + description: Indicates a successful response + summary: Bulk delete workflows + tags: + - workflows + x-codeSamples: + - label: Soft delete (default) + lang: curl + source: | + curl \ + -X DELETE "${KIBANA_URL}/api/workflows" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "ids": ["workflow-c3d4e5f6-a7b8-9012-cdef-234567890123", "workflow-d4e5f6a7-b8c9-0123-defa-345678901234"] + }' + - label: Hard delete (permanent) + lang: curl + source: | + curl \ + -X DELETE "${KIBANA_URL}/api/workflows?force=true" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "ids": ["workflow-c3d4e5f6-a7b8-9012-cdef-234567890123", "workflow-d4e5f6a7-b8c9-0123-defa-345678901234"] + }' + - lang: Console + source: | + DELETE kbn://api/workflows + { + "ids": ["workflow-c3d4e5f6-a7b8-9012-cdef-234567890123", "workflow-d4e5f6a7-b8c9-0123-defa-345678901234"] + } + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/workflows
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve a paginated list of workflows with optional filtering.

[Required authorization] Route required privileges: workflowsManagement:read OR workflowsManagement:readExecution. + operationId: get-workflows + parameters: + - description: Free-text search query. + in: query + name: query + required: false + schema: + type: string + - description: Number of results per page. + in: query + name: size + required: false + schema: + minimum: 1 + type: number + - description: Page number. + in: query + name: page + required: false + schema: + minimum: 1 + type: number + - description: Filter by enabled state. + in: query + name: enabled + required: false + schema: + items: + type: boolean + maxItems: 2 + type: array + - description: Filter by creator. + in: query + name: createdBy + required: false + schema: + items: + type: string + maxItems: 1000 + type: array + - description: Filter by tags. + in: query + name: tags + required: false + schema: + items: + type: string + maxItems: 1000 + type: array + - description: Filter by managed status. Defaults to "unmanaged". 
+ in: query + name: managed + required: false + schema: + enum: + - all + - managed + - unmanaged + type: string + responses: + '200': content: application/json: examples: - notFound: + getWorkflowsResponseExample: + description: Example response returning a paginated list of workflows value: - message: 'list item id: \"foo\" not found' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List item not found response - '500': + page: 1 + results: + - createdAt: '2025-11-20T10:30:00.000Z' + definition: + description: This is a workflow example + enabled: true + inputs: + - default: hello world + name: message + type: string + name: Example definition + steps: + - name: hello_world_step + type: console + with: + message: '{{ inputs.message }}' + triggers: + - type: manual + description: This is a workflow example + enabled: true + history: + - duration: 5000 + finishedAt: '2025-11-20T12:00:05.000Z' + id: exec-001 + startedAt: '2025-11-20T12:00:00.000Z' + status: completed + workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + workflowName: Example definition + id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + name: Example definition + tags: + - example + valid: true + size: 20 + total: 1 + description: Indicates a successful response + summary: Get workflows + tags: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/workflows?size=20&page=1" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/workflows?size=20&page=1 + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/workflows
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create multiple workflows in a single request. Optionally overwrite existing workflows.

[Required authorization] Route required privileges: workflowsManagement:create AND workflowsManagement:update. + operationId: post-workflows + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Whether to overwrite existing workflows. + in: query + name: overwrite + required: false + schema: + default: false + type: boolean + requestBody: + content: + application/json: + examples: + bulkCreateWorkflowsRequestExample: + description: Example request for creating multiple workflows at once + value: + workflows: + - yaml: | + name: Example definition + enabled: true + description: This is a workflow example + triggers: + - type: manual + inputs: + - name: message + type: string + default: "hello world" + steps: + - name: hello_world_step + type: console + with: + message: "{{ inputs.message }}" + - id: workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901 + yaml: | + name: Second workflow + enabled: false + description: Another workflow + triggers: + - type: manual + steps: + - name: log_step + type: console + with: + message: "Hello from second workflow" + schema: + additionalProperties: false + type: object + properties: + workflows: + items: + type: object + properties: + id: + maxLength: 255 + minLength: 3 + pattern: ^[a-z0-9]([a-z0-9-]*[a-z0-9])?$ + type: string + yaml: + maxLength: 1048576 + type: string + required: + - yaml + maxItems: 500 + type: array + required: + - workflows + responses: + '200': content: application/json: examples: - serverError: + bulkCreateWorkflowsResponseExample: + description: Example response after creating multiple workflows value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Update a value list item + created: + - id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + 
name: Example definition + - id: workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901 + name: Second workflow + failures: [] + total: 2 + description: Indicates a successful response + summary: Bulk create workflows tags: - - Security Lists API - /api/lists/items/_export: - post: - description: Export list item values from the specified value list. - operationId: ExportListItems + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/workflows?overwrite=false" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "workflows": [ + { "yaml": "name: Example definition\nenabled: true\ndescription: This is a workflow example\ntriggers:\n - type: manual\ninputs:\n - name: message\n type: string\n default: \"hello world\"\nsteps:\n - name: hello_world_step\n type: console\n with:\n message: \"{{ inputs.message }}\"\n" }, + { "id": "workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901", "yaml": "name: Second workflow\nenabled: false\ndescription: Another workflow\ntriggers:\n - type: manual\nsteps:\n - name: log_step\n type: console\n with:\n message: \"Hello from second workflow\"\n" } + ] + }' + - lang: Console + source: | + POST kbn://api/workflows?overwrite=false + { + "workflows": [ + { "yaml": "name: Example definition\nenabled: true\ndescription: This is a workflow example\ntriggers:\n - type: manual\ninputs:\n - name: message\n type: string\n default: \"hello world\"\nsteps:\n - name: hello_world_step\n type: console\n with:\n message: \"{{ inputs.message }}\"\n" }, + { "id": "workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901", "yaml": "name: Second workflow\nenabled: false\ndescription: Another workflow\ntriggers:\n - type: manual\nsteps:\n - name: log_step\n type: console\n with:\n message: \"Hello from second workflow\"\n" } + ] + } + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/workflows/aggs: + get: + 
description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/workflows/aggs
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve distinct values and their counts for the specified workflow fields. Useful for building filters such as lists of tags or creators.

[Required authorization] Route required privileges: workflowsManagement:read. + operationId: get-workflows-aggs parameters: - - description: Value list's `id` to export. + - description: Field or fields to aggregate on. in: query - name: list_id + name: fields required: true schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' + description: Fields to aggregate on. + items: + description: Field name to aggregate. + type: string + maxItems: 25 + minItems: 1 + type: array responses: '200': - content: - application/ndjson: - examples: - ipLines: - value: | - 127.0.0.1 - 127.0.0.2 - 127.0.0.3 - schema: - description: A `.txt` file containing list items from the specified list - example: | - 127.0.0.1 - 127.0.0.2 - 127.0.0.3 - 127.0.0.4 - 127.0.0.5 - 127.0.0.6 - 127.0.0.7 - 127.0.0.8 - 127.0.0.9 - format: binary - type: string - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: 'Bad Request","message":"[request query]: list_id: Required' - statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': content: application/json: examples: - unauthorized: + getAggsResponseExample: + description: Example response with tag and createdBy aggregations value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': + createdBy: + - doc_count: 2 + key: elastic + tags: + - doc_count: 1 + key: reporting + - doc_count: 1 + key: security + - doc_count: 1 + key: 
triage + description: Indicates a successful response + summary: Get workflow aggregations + tags: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/workflows/aggs?fields=tags&fields=createdBy" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/workflows/aggs?fields=tags&fields=createdBy + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/workflows/connectors: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/workflows/connectors
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve the Kibana action connectors that can be used in workflow steps, grouped by connector type. Each type includes its configured instances and availability status.

[Required authorization] Route required privileges: workflowsManagement:read. + operationId: get-workflows-connectors + parameters: [] + responses: + '200': content: application/json: examples: - forbidden: + getConnectorsResponseExample: + description: Example response with available connector types and their instances value: - error: Forbidden - message: >- - API [POST /api/lists/items/_export?list_id=ips.txt] is - unauthorized for user, this action is granted by the - Kibana privileges [lists-read] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': + connectorTypes: + .email: + actionTypeId: .email + displayName: Email + enabled: true + enabledInConfig: true + enabledInLicense: true + instances: [] + minimumLicenseRequired: gold + subActions: + - displayName: Send + name: send + .slack_api: + actionTypeId: .slack_api + displayName: Slack + enabled: true + enabledInConfig: true + enabledInLicense: true + instances: + - id: slack-connector-1 + isDeprecated: false + isPreconfigured: false + name: Team Notifications + minimumLicenseRequired: gold + subActions: + - displayName: Post Message + name: postMessage + totalConnectors: 1 + description: Indicates a successful response + summary: Get available connectors + tags: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/workflows/connectors" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/workflows/connectors + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/workflows/executions/{executionId}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/workflows/executions/{executionId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve details of a single workflow execution by its ID.

[Required authorization] Route required privileges: workflowsManagement:readExecution. + operationId: get-workflows-executions-executionid + parameters: + - description: Workflow execution ID + in: path + name: executionId + required: true + schema: + type: string + - description: Include execution input data. + in: query + name: includeInput + required: false + schema: + default: false + type: boolean + - description: Include execution output data. + in: query + name: includeOutput + required: false + schema: + default: false + type: boolean + responses: + '200': content: application/json: examples: - notFound: - value: - message: 'list id: "unknown_list" not found' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List not found response - '500': + getExecutionResponseExample: + description: Example response returning a workflow execution with step details + value: + duration: 3000 + executedBy: elastic + finishedAt: '2025-11-20T12:00:03.000Z' + id: exec-a1b2c3d4-e5f6-7890 + input: + message: hello world + isTestRun: false + output: hello world + spaceId: default + startedAt: '2025-11-20T12:00:00.000Z' + status: completed + stepExecutions: + - executionTimeMs: 1000 + finishedAt: '2025-11-20T12:00:02.000Z' + globalExecutionIndex: 0 + id: step-exec-001 + isTestRun: false + scopeStack: [] + spaceId: default + startedAt: '2025-11-20T12:00:01.000Z' + status: completed + stepExecutionIndex: 0 + stepId: hello_world_step + stepType: console + topologicalIndex: 0 + workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + workflowRunId: exec-a1b2c3d4-e5f6-7890 + triggeredBy: manual + workflowDefinition: + description: This is a workflow example + enabled: true + inputs: + - default: hello world + name: message + type: string + name: Example definition + steps: + - name: hello_world_step + type: console + with: + message: '{{ inputs.message }}' + triggers: + - type: manual + workflowId: 
workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + yaml: | + name: Example definition + enabled: true + description: This is a workflow example + triggers: + - type: manual + inputs: + - name: message + type: string + default: "hello world" + steps: + - name: hello_world_step + type: console + with: + message: "{{ inputs.message }}" + description: Indicates a successful response + summary: Get a workflow execution + tags: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/workflows/executions/{executionId}?includeInput=true&includeOutput=true" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/workflows/executions/{executionId}?includeInput=true&includeOutput=true + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/workflows/executions/{executionId}/cancel: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/workflows/executions/{executionId}/cancel
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Cancel a running workflow execution by its ID.

[Required authorization] Route required privileges: workflowsManagement:cancelExecution. + operationId: post-workflows-executions-executionid-cancel + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Workflow execution ID + in: path + name: executionId + required: true + schema: + type: string + responses: + '200': + description: Indicates a successful response + summary: Cancel a workflow execution + tags: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/workflows/executions/{executionId}/cancel" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" + - lang: Console + source: | + POST kbn://api/workflows/executions/{executionId}/cancel + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/workflows/executions/{executionId}/children: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/workflows/executions/{executionId}/children
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve child workflow executions spawned by sub-workflow steps within a parent execution.

[Required authorization] Route required privileges: workflowsManagement:readExecution. + operationId: get-workflows-executions-executionid-children + parameters: + - description: Workflow execution ID + in: path + name: executionId + required: true + schema: + type: string + responses: + '200': content: application/json: examples: - serverError: + getChildrenExecutionsResponseExample: + description: Example response returning child workflow executions spawned by sub-workflow steps value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Export value list items + - executionId: child-exec-001 + parentStepExecutionId: step-exec-003 + status: completed + stepExecutions: + - executionTimeMs: 1000 + finishedAt: '2025-11-20T12:00:07.000Z' + globalExecutionIndex: 0 + id: child-step-001 + isTestRun: false + scopeStack: [] + startedAt: '2025-11-20T12:00:06.000Z' + status: completed + stepExecutionIndex: 0 + stepId: hello_world_step + stepType: console + topologicalIndex: 0 + workflowId: workflow-e5f6a7b8-c9d0-1234-efab-456789012345 + workflowRunId: child-exec-001 + workflowId: workflow-e5f6a7b8-c9d0-1234-efab-456789012345 + workflowName: Child Workflow + description: Indicates a successful response + summary: Get child executions tags: - - Security Lists API - /api/lists/items/_find: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/workflows/executions/{executionId}/children" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/workflows/executions/{executionId}/children + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/workflows/executions/{executionId}/logs: get: - description: Get all value list items in the specified list. 
- operationId: FindListItems + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/workflows/executions/{executionId}/logs
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve paginated logs for a workflow execution. Optionally filter by a specific step execution.

[Required authorization] Route required privileges: workflowsManagement:readExecution. + operationId: get-workflows-executions-executionid-logs parameters: - - description: Parent value list's `id` to page through items for. - in: query - name: list_id + - description: Workflow execution ID + in: path + name: executionId required: true schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' - - description: The page number to return. + type: string + - description: Filter logs by a specific step execution ID. in: query - name: page + name: stepExecutionId required: false schema: - example: 1 - type: integer - - description: The number of list items to return per page. + type: string + - description: Number of log entries per page. in: query - name: per_page + name: size required: false schema: - example: 20 - type: integer - - description: Determines which field is used to sort the results. + default: 100 + maximum: 100 + minimum: 1 + type: number + - description: Page number. in: query - name: sort_field + name: page required: false schema: - example: value - format: nonempty - minLength: 1 - type: string - - description: Determines the sort order, which can be `desc` or `asc` + default: 1 + minimum: 1 + type: number + - description: Field to sort by. in: query - name: sort_order + name: sortField required: false schema: - enum: - - desc - - asc - example: asc type: string - - description: > - Opaque cursor returned in a previous response; pass it to continue - listing from the next page. Omit on the first request. - in: query - name: cursor - required: false - schema: - $ref: '#/components/schemas/Security_Lists_API_FindListItemsCursor' - - description: > - Filters the returned results according to the value of the specified - field, - - using the : syntax. + - description: Sort order. 
in: query - name: filter + name: sortOrder required: false schema: - $ref: '#/components/schemas/Security_Lists_API_FindListItemsFilter' + enum: + - asc + - desc + type: string responses: '200': content: application/json: examples: - ip: + getExecutionLogsResponseExample: + description: Example response returning paginated execution logs value: - cursor: >- - WzIwLFsiYjU3Yzc2MmMtMzAzNi00NjVjLTliZmItN2JmYjVlNmU1MTVhIl1d - data: - - _version: WzAsMV0= - '@timestamp': 2025-01-08T04:59:06.154Z - created_at: 2025-01-08T04:59:06.154Z - created_by: elastic - id: 21b01cfb-058d-44b9-838c-282be16c91cc - list_id: ip_list - tie_breaker_id: b57c762c-3036-465c-9bfb-7bfb5e6e515a - type: ip - updated_at: 2025-01-08T04:59:06.154Z - updated_by: elastic - value: 127.0.0.1 + logs: + - additionalData: + executionId: exec-a1b2c3d4-e5f6-7890 + workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + connectorType: console + duration: 150 + id: log-001 + level: info + message: Workflow execution started + stepId: hello_world_step + stepName: Hello World + timestamp: '2025-11-20T12:00:01.000Z' + - additionalData: + executionId: exec-a1b2c3d4-e5f6-7890 + workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + connectorType: console + duration: 200 + id: log-002 + level: info + message: Step completed successfully + stepId: hello_world_step + stepName: Hello World + timestamp: '2025-11-20T12:00:02.000Z' page: 1 - per_page: 20 - total: 1 - schema: - type: object - properties: - cursor: - $ref: >- - #/components/schemas/Security_Lists_API_FindListItemsCursor - data: - items: - $ref: '#/components/schemas/Security_Lists_API_ListItem' - type: array - page: - minimum: 0 - type: integer - per_page: - minimum: 0 - type: integer - total: - minimum: 0 - type: integer - required: - - data - - page - - per_page - - total - - cursor - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request, - message: '[request query]: 
list_id: Required' - statusCode: 400, - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': + size: 100 + total: 2 + description: Indicates a successful response + summary: Get execution logs + tags: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/workflows/executions/{executionId}/logs?size=100&page=1" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/workflows/executions/{executionId}/logs?size=100&page=1 + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/workflows/executions/{executionId}/resume: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/workflows/executions/{executionId}/resume
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Resume a paused workflow execution with the provided input.

[Required authorization] Route required privileges: workflowsManagement:execute. + operationId: post-workflows-executions-executionid-resume + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Workflow execution ID + in: path + name: executionId + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + resumeExecutionRequestExample: + description: Example request to resume a paused workflow execution + value: + input: + approved: true + comment: Approved by analyst + schema: + additionalProperties: false + type: object + properties: + input: + additionalProperties: + nullable: true + description: Input data to resume the execution with. + type: object + required: + - input + responses: + '200': content: application/json: examples: - forbidden: + resumeExecutionResponseExample: + description: Example response confirming the resume was scheduled value: - error: Forbidden - message: >- - API [GET - /api/lists/items/_find?list_id=ip_list&page=1&per_page=20] - is unauthorized for user, this action is granted by the - Kibana privileges [lists-read] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '500': + executionId: exec-a1b2c3d4-e5f6-7890 + message: Workflow resume scheduled + success: true + description: Indicates a successful response + summary: Resume a workflow execution + tags: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/workflows/executions/{executionId}/resume" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "input": { + "approved": true, + "comment": "Approved by analyst" + } + }' + - lang: Console + source: | + POST 
kbn://api/workflows/executions/{executionId}/resume + { + "input": { + "approved": true, + "comment": "Approved by analyst" + } + } + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/workflows/executions/{executionId}/step/{stepExecutionId}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/workflows/executions/{executionId}/step/{stepExecutionId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve details of a single step execution within a workflow execution.

[Required authorization] Route required privileges: workflowsManagement:readExecution. + operationId: get-workflows-executions-executionid-step-stepexecutionid + parameters: + - description: Workflow execution ID. + in: path + name: executionId + required: true + schema: + type: string + - description: Step execution ID. + in: path + name: stepExecutionId + required: true + schema: + type: string + responses: + '200': content: application/json: examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Get value list items + getStepExecutionResponseExample: + description: Example response returning a single step execution + value: + error: null + executionTimeMs: 1000 + finishedAt: '2025-11-20T12:00:02.000Z' + globalExecutionIndex: 0 + id: step-exec-001 + input: + message: hello world + isTestRun: false + output: hello world + scopeStack: [] + spaceId: default + startedAt: '2025-11-20T12:00:01.000Z' + state: null + status: completed + stepExecutionIndex: 0 + stepId: hello_world_step + stepType: console + topologicalIndex: 0 + workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + workflowRunId: exec-a1b2c3d4-e5f6-7890 + description: Indicates a successful response + summary: Get a step execution tags: - - Security Lists API - /api/lists/items/_import: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/workflows/executions/{executionId}/step/{stepExecutionId}" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/workflows/executions/{executionId}/step/{stepExecutionId} + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/workflows/export: post: - description: > - Import value list items from a TXT or CSV file. The maximum file size is - 9 million bytes. 
+ description: |- + **Spaces method and path for this operation:** +
post /s/{space_id}/api/workflows/export
- You can import items to a new or existing list. - operationId: ImportListItems - parameters: - - description: | - List's id. + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Required when importing to an existing list. - in: query - name: list_id - required: false + Export one or more workflows as JSON with YAML content and metadata.

[Required authorization] Route required privileges: workflowsManagement:read. + operationId: post-workflows-export + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' - - description: | - Type of the importing list. + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + exportWorkflowsRequestExample: + description: Example request to export workflows + value: + ids: + - workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + - workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901 + schema: + additionalProperties: false + type: object + properties: + ids: + description: Array of workflow IDs to export. + items: + description: Workflow ID to export. + maxLength: 255 + type: string + maxItems: 500 + minItems: 1 + type: array + required: + - ids + responses: + '200': + content: + application/json: + examples: + exportWorkflowsResponseExample: + description: Workflow entries with YAML content and export manifest + value: + entries: + - id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + yaml: |- + name: My Workflow + steps: + - type: http.request + with: + url: https://example.com + - id: workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901 + yaml: |- + name: Another Workflow + steps: + - type: http.request + with: + url: https://example.com + manifest: + exportedAt: '2026-03-26T12:00:00.000Z' + exportedCount: 2 + version: '1' + description: JSON containing exported workflow YAML entries and manifest metadata + summary: Export workflows + tags: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/workflows/export" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "ids": ["workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", "workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901"] + }' + - lang: Console + source: | + POST 
kbn://api/workflows/export + { + "ids": ["workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", "workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901"] + } + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/workflows/mget: + post: + description: |- + **Spaces method and path for this operation:** - Required when importing a new list whose list `id` is not specified. - examples: - ip: - value: ip - in: query - name: type - required: false - schema: - $ref: '#/components/schemas/Security_Lists_API_ListType' - - description: >- - Determines when changes made by the request are made visible to - search. - in: query - name: refresh - required: false +
post /s/{space_id}/api/workflows/mget
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve multiple workflows by their IDs in a single request. Optionally use the `source` parameter to return only specific fields from each workflow document.

[Required authorization] Route required privileges: workflowsManagement:read. + operationId: post-workflows-mget + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - enum: - - 'true' - - 'false' - - wait_for - example: true + example: 'true' type: string requestBody: content: - multipart/form-data: + application/json: examples: - ipLinesFile: + mgetWorkflowsRequestExample: + description: Example request to retrieve multiple workflows by their IDs value: - file: list_values.txt + ids: + - workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + - workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901 + source: + - name + - enabled schema: + additionalProperties: false type: object properties: - file: - description: >- - A `.txt` or `.csv` file containing newline separated list - items. - example: | - 127.0.0.1 - 127.0.0.2 - 127.0.0.3 - 127.0.0.4 - 127.0.0.5 - 127.0.0.6 - 127.0.0.7 - 127.0.0.8 - 127.0.0.9 - format: binary - type: string - required: true + ids: + description: Array of workflow IDs to look up. + items: + description: Workflow ID. + maxLength: 255 + type: string + maxItems: 500 + minItems: 1 + type: array + source: + description: Array of source fields to include. + items: + description: Source field. 
+ maxLength: 255 + type: string + maxItems: 10 + minItems: 1 + type: array + required: + - ids responses: '200': content: application/json: examples: - ip: - value: - _version: WzAsMV0= - '@timestamp': 2025-01-08T04:47:34.273Z - created_at: 2025-01-08T04:47:34.273Z - created_by: elastic - description: This list describes bad internet ip - id: ip_list - immutable: false - name: Simple list with an ip - tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 - type: ip - updated_at: 2025-01-08T04:47:34.273Z - updated_by: elastic - version: 1 - schema: - $ref: '#/components/schemas/Security_Lists_API_List' - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - message: Either type or list_id need to be defined in the query - status_code: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [POST /api/lists/items/_import?list_id=ip_list] is - unauthorized for user, this action is granted by the - Kibana privileges [lists-all] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '409': - content: - application/json: - examples: - conflict: - value: - message: >- - 
List with the specified list_id does not exist, create the - list or fix list_id to import to an existing one - status_code: 409 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List with specified list_id does not exist response - '500': - content: - application/json: - examples: - serverError: + mgetWorkflowsResponseExample: + description: Example response returning the requested workflows with projected fields value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Import value list items + - enabled: true + id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + name: Example definition + - enabled: false + id: workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901 + name: Second workflow + description: Indicates a successful response + summary: Get workflows by IDs tags: - - Security Lists API - /api/lists/privileges: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/workflows/mget" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "ids": ["workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", "workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901"], + "source": ["name", "enabled"] + }' + - lang: Console + source: | + POST kbn://api/workflows/mget + { + "ids": ["workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", "workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901"], + "source": ["name", "enabled"] + } + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/workflows/schema: get: - description: > - Returns the caller's authentication state and the Elasticsearch - `cluster`, `index`, and `application` + description: |- + **Spaces method and path for this operation:** - privileges for `.lists` and `.items` data streams in the current Kibana - 
space. Use this to decide which list +
get /s/{space_id}/api/workflows/schema
- APIs (`read` vs `all` operations) are available before you create or - import lists. - operationId: ReadListPrivileges + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve the JSON schema used to validate workflow YAML definitions. The schema includes available step types based on the configured connectors in the current space.

[Required authorization] Route required privileges: workflowsManagement:read. + operationId: get-workflows-schema + parameters: + - description: When true, returns a permissive schema that allows additional properties. When false, returns a strict schema for full validation. + in: query + name: loose + required: true + schema: + type: boolean responses: '200': content: application/json: examples: - privileges: + getSchemaResponseExample: + description: Example response returning the workflow JSON schema (truncated) value: - is_authenticated: true - listItems: - application: {} - cluster: - all: true - manage: true - manage_api_key: true - manage_index_templates: true - manage_ml: true - manage_own_api_key: true - manage_pipeline: true - manage_security: true - manage_transform: true - monitor: true - monitor_ml: true - monitor_transform: true - has_all_requested: true - index: - .items-default: - all: true - create: true - create_doc: true - create_index: true - delete: true - delete_index: true - index: true - maintenance: true - manage: true - monitor: true - read: true - view_index_metadata: true - write: true - username: elastic - lists: - application: {} - cluster: - all: true - manage: true - manage_api_key: true - manage_index_templates: true - manage_ml: true - manage_own_api_key: true - manage_pipeline: true - manage_security: true - manage_transform: true - monitor: true - monitor_ml: true - monitor_transform: true - has_all_requested: true - index: - .lists-default: - all: true - create: true - create_doc: true - create_index: true - delete: true - delete_index: true - index: true - maintenance: true - manage: true - monitor: true - read: true - view_index_metadata: true - write: true - username: elastic - schema: - type: object - properties: - is_authenticated: - type: boolean - listItems: - $ref: '#/components/schemas/Security_Lists_API_ListItemPrivileges' - lists: - $ref: '#/components/schemas/Security_Lists_API_ListPrivileges' - required: - - lists - 
- listItems - - is_authenticated - description: Successful response - '400': + $schema: http://json-schema.org/draft-07/schema# + type: object + properties: + description: + type: string + enabled: + default: true + type: boolean + name: + minLength: 1 + type: string + tags: + items: + type: string + type: array + version: + const: '1' + default: '1' + description: The version of the workflow schema + type: string + required: + - name + - triggers + - steps + description: Indicates a successful response + summary: Get workflow JSON schema + tags: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/workflows/schema?loose=false" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/workflows/schema?loose=false + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/workflows/stats: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/workflows/stats
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve summary statistics about workflows, including total, enabled, and disabled counts; execution history metrics for the last 30 days are included only when the caller has execution read privilege.

[Required authorization] Route required privileges: workflowsManagement:read OR workflowsManagement:readExecution. + operationId: get-workflows-stats + parameters: [] + responses: + '200': content: application/json: examples: - badRequest: + getStatsResponseExample: + description: Example response with workflow counts and 30-day execution history value: - error: Bad Request - message: >- - Unable to resolve list privileges: invalid or missing - space context for this request - statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': + executions: + - cancelled: 1 + completed: 45 + date: '2025-11-20' + failed: 2 + timestamp: '2025-11-20T00:00:00.000Z' + - cancelled: 0 + completed: 50 + date: '2025-11-21' + failed: 0 + timestamp: '2025-11-21T00:00:00.000Z' + workflows: + disabled: 3 + enabled: 12 + description: Indicates a successful response + summary: Get workflow statistics + tags: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/workflows/stats" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/workflows/stats + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/workflows/step/test: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/workflows/step/test
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Execute a single step from a workflow definition in test mode.

[Required authorization] Route required privileges: workflowsManagement:execute AND workflowsManagement:read. + operationId: post-workflows-step-test + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + testStepRequestExample: + description: Example request to test a single workflow step + value: + contextOverride: + inputs: + message: override message + stepId: hello_world_step + workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + workflowYaml: | + name: Example definition + enabled: true + description: This is a workflow example + triggers: + - type: manual + inputs: + - name: message + type: string + default: "hello world" + steps: + - name: hello_world_step + type: console + with: + message: "{{ inputs.message }}" + schema: + additionalProperties: false + type: object + properties: + contextOverride: + additionalProperties: + nullable: true + description: Context overrides for the step execution. + type: object + executionContext: + additionalProperties: + nullable: true + description: Execution context for the step execution. + type: object + stepId: + description: ID of the step to test. + type: string + workflowId: + description: ID of the workflow containing the step. + type: string + workflowYaml: + description: YAML definition of the workflow containing the step. 
+ type: string + required: + - stepId + - contextOverride + - workflowYaml + responses: + '200': content: application/json: examples: - unauthorized: + testStepResponseExample: + description: Example response returning the step test execution ID value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': + workflowExecutionId: step-test-exec-a1b2c3d4 + description: Indicates a successful response + summary: Test a workflow step + tags: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/workflows/step/test" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "stepId": "hello_world_step", + "workflowId": "workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", + "workflowYaml": "name: Example definition\nenabled: true\ntriggers:\n - type: manual\ninputs:\n - name: message\n type: string\n default: \"hello world\"\nsteps:\n - name: hello_world_step\n type: console\n with:\n message: \"{{ inputs.message }}\"", + "contextOverride": { "inputs": { "message": "override message" } } + }' + - lang: Console + source: | + POST kbn://api/workflows/step/test + { + "stepId": "hello_world_step", + "workflowId": "workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", + "workflowYaml": "name: Example definition\nenabled: true\ntriggers:\n - type: manual\ninputs:\n - name: message\n type: string\n default: \"hello world\"\nsteps:\n - name: hello_world_step\n type: console\n with:\n message: \"{{ inputs.message }}\"", + "contextOverride": { "inputs": { "message": "override message" } } + } + x-state: Generally 
available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/workflows/test: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/workflows/test
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Execute a workflow in test mode without requiring it to be saved or enabled. Provide either a workflow ID to test a saved workflow, a YAML definition to test an unsaved draft, or both to test a modified version of an existing workflow.

[Required authorization] Route required privileges: workflowsManagement:execute AND workflowsManagement:read. + operationId: post-workflows-test + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + testWorkflowByIdRequestExample: + description: Example request to test a saved workflow by its ID + value: + inputs: + message: test message + workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + testWorkflowByYamlRequestExample: + description: Example request to test an unsaved workflow YAML draft + value: + inputs: + message: test message + workflowYaml: | + name: Example definition + enabled: true + description: This is a workflow example + triggers: + - type: manual + inputs: + - name: message + type: string + default: "hello world" + steps: + - name: hello_world_step + type: console + with: + message: "{{ inputs.message }}" + schema: + additionalProperties: false + type: object + properties: + inputs: + additionalProperties: + nullable: true + description: Key-value inputs for the test execution. + type: object + workflowId: + description: ID of an existing workflow to test. + type: string + workflowYaml: + description: YAML definition to test. 
+ type: string + required: + - inputs + responses: + '200': content: application/json: examples: - forbidden: + testWorkflowResponseExample: + description: Example response returning the test execution ID value: - error: Forbidden - message: >- - API [GET /api/lists/privileges] is unauthorized for user, - this action is granted by the Kibana privileges - [lists-read] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '500': + workflowExecutionId: test-exec-a1b2c3d4-e5f6 + description: Indicates a successful response + summary: Test a workflow + tags: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/workflows/test" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "workflowId": "workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", + "inputs": { "message": "test message" } + }' + - lang: Console + source: | + POST kbn://api/workflows/test + { + "workflowId": "workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", + "inputs": { "message": "test message" } + } + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/workflows/workflow: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/workflows/workflow
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new workflow from a YAML definition. The YAML is validated and parsed before the workflow is saved. An optional custom ID can be provided.

[Required authorization] Route required privileges: workflowsManagement:create. + operationId: post-workflows-workflow + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + createWorkflowRequestExample: + description: Example request for creating a workflow from a YAML definition + value: + yaml: | + name: Example definition + enabled: true + description: This is a workflow example + triggers: + - type: manual + inputs: + - name: message + type: string + default: "hello world" + steps: + - name: hello_world_step + type: console + with: + message: "{{ inputs.message }}" + createWorkflowWithIdRequestExample: + description: Example request for creating a workflow with a custom ID + value: + id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + yaml: | + name: Example definition + enabled: true + description: This is a workflow example + triggers: + - type: manual + inputs: + - name: message + type: string + default: "hello world" + steps: + - name: hello_world_step + type: console + with: + message: "{{ inputs.message }}" + schema: + additionalProperties: false + type: object + properties: + id: + maxLength: 255 + minLength: 3 + pattern: ^[a-z0-9]([a-z0-9-]*[a-z0-9])?$ + type: string + yaml: + maxLength: 1048576 + type: string + required: + - yaml + responses: + '200': content: application/json: examples: - serverError: + createWorkflowResponseExample: + description: Example response returning the created workflow value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Get value list privileges + createdAt: '2025-11-20T10:30:00.000Z' + createdBy: elastic + definition: + description: This is a workflow example + enabled: true + inputs: + - default: hello world + 
name: message + type: string + name: Example definition + steps: + - name: hello_world_step + type: console + with: + message: '{{ inputs.message }}' + triggers: + - type: manual + description: This is a workflow example + enabled: true + id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + lastUpdatedAt: '2025-11-20T10:30:00.000Z' + lastUpdatedBy: elastic + name: Example definition + valid: true + yaml: | + name: Example definition + enabled: true + description: This is a workflow example + triggers: + - type: manual + inputs: + - name: message + type: string + default: "hello world" + steps: + - name: hello_world_step + type: console + with: + message: "{{ inputs.message }}" + description: Indicates a successful response + summary: Create a workflow tags: - - Security Lists API - /api/ml/saved_objects/sync: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/workflows/workflow" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "yaml": "name: Example definition\nenabled: true\ndescription: This is a workflow example\ntriggers:\n - type: manual\ninputs:\n - name: message\n type: string\n default: \"hello world\"\nsteps:\n - name: hello_world_step\n type: console\n with:\n message: \"{{ inputs.message }}\"\n" + }' + - lang: Console + source: | + POST kbn://api/workflows/workflow + { + "yaml": "name: Example definition\nenabled: true\ndescription: This is a workflow example\ntriggers:\n - type: manual\ninputs:\n - name: message\n type: string\n default: \"hello world\"\nsteps:\n - name: hello_world_step\n type: console\n with:\n message: \"{{ inputs.message }}\"\n" + } + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/workflows/workflow/{id}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/workflows/workflow/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a single workflow by its ID.

[Required authorization] Route required privileges: workflowsManagement:delete. + operationId: delete-workflows-workflow-id + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Workflow ID + in: path + name: id + required: true + schema: + type: string + - description: When true, permanently deletes the workflow (hard delete) instead of soft-deleting it. The workflow ID becomes available for reuse. + in: query + name: force + required: false + schema: + default: false + type: boolean + responses: + '200': + description: Indicates a successful response + summary: Delete a workflow + tags: + - workflows + x-codeSamples: + - label: Soft delete (default) + lang: curl + source: | + curl \ + -X DELETE "${KIBANA_URL}/api/workflows/workflow/{id}" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" + - label: Hard delete (permanent) + lang: curl + source: | + curl \ + -X DELETE "${KIBANA_URL}/api/workflows/workflow/{id}?force=true" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" + - lang: Console + source: | + DELETE kbn://api/workflows/workflow/{id} + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name get: - description: > - Synchronizes Kibana saved objects for machine learning jobs and trained - models in the default space. You must have `all` privileges for the - **Machine Learning** feature in the **Analytics** section of the Kibana - feature privileges. This API runs automatically when you start Kibana - and periodically thereafter. - operationId: mlSync + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/workflows/workflow/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve a single workflow by its ID.

[Required authorization] Route required privileges: workflowsManagement:read. + operationId: get-workflows-workflow-id parameters: - - $ref: '#/components/parameters/Machine_learning_APIs_simulateParam' + - description: Workflow ID + in: path + name: id + required: true + schema: + type: string responses: '200': content: application/json: examples: - syncExample: - $ref: '#/components/examples/Machine_learning_APIs_mlSyncExample' - schema: - $ref: '#/components/schemas/Machine_learning_APIs_mlSync200Response' - description: Indicates a successful call - '401': - content: - application/json: - examples: - syncExample: - $ref: '#/components/examples/Machine_learning_APIs_mlSync401Example' - schema: - $ref: '#/components/schemas/Machine_learning_APIs_mlSync4xxResponse' - description: Authorization information is missing or invalid. - summary: Sync saved objects in the default space + getWorkflowResponseExample: + description: Example response returning a single workflow + value: + createdAt: '2025-11-20T10:30:00.000Z' + createdBy: elastic + definition: + description: This is a workflow example + enabled: true + inputs: + - default: hello world + name: message + type: string + name: Example definition + steps: + - name: hello_world_step + type: console + with: + message: '{{ inputs.message }}' + triggers: + - type: manual + description: This is a workflow example + enabled: true + id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + lastUpdatedAt: '2025-11-21T14:00:00.000Z' + lastUpdatedBy: elastic + name: Example definition + valid: true + yaml: | + name: Example definition + enabled: true + description: This is a workflow example + triggers: + - type: manual + inputs: + - name: message + type: string + default: "hello world" + steps: + - name: hello_world_step + type: console + with: + message: "{{ inputs.message }}" + description: Indicates a successful response + summary: Get a workflow tags: - - ml - /api/ml/saved_objects/update_jobs_spaces: - post: - description: 
Update a list of jobs to add and/or remove them from given spaces. - operationId: mlUpdateJobsSpaces + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/workflows/workflow/{id}" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/workflows/workflow/{id} + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/workflows/workflow/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Partially update an existing workflow. You can update individual fields such as name, description, enabled state, tags, or the YAML definition without providing all fields.

[Required authorization] Route required privileges: workflowsManagement:update. + operationId: put-workflows-workflow-id + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Workflow ID + in: path + name: id + required: true + schema: + type: string requestBody: content: application/json: examples: - updateADJobSpacesRequest: + updateWorkflowEnableExample: + description: Example request to enable a workflow and update its tags value: - jobIds: - - test-job - jobType: anomaly-detector - spacesToAdd: - - default - spacesToRemove: - - '*' - updateDFAJobSpacesRequest: + enabled: true + tags: + - production + updateWorkflowFullExample: + description: Example request to update multiple workflow fields value: - jobIds: - - test-job - jobType: data-frame-analytics - spacesToAdd: - - default - spacesToRemove: - - '*' + description: Updated workflow description + enabled: true + name: Updated example + tags: + - example + - updated + yaml: | + name: Updated example + enabled: true + description: Updated workflow description + triggers: + - type: manual + inputs: + - name: message + type: string + default: "hello world" + steps: + - name: hello_world_step + type: console + with: + message: "{{ inputs.message }}" + schema: + additionalProperties: false + type: object + properties: + description: + type: string + enabled: + type: boolean + name: + type: string + tags: + items: + type: string + type: array + yaml: + type: string responses: '200': content: application/json: examples: - successADResponse: + updateWorkflowResponseExample: + description: Example response returning the updated workflow value: - test-job: - success: true - type: anomaly-detector - successDFAResponse: - value: - test-job: - success: true - type: data-frame-analytics - description: Indicates a successful call - summary: Update jobs spaces + enabled: false + id: 
workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + lastUpdatedAt: '2026-03-23T13:38:59.568Z' + lastUpdatedBy: elastic + valid: true + validationErrors: [] + description: Indicates a successful response + summary: Update a workflow tags: - - ml - /api/ml/saved_objects/update_trained_models_spaces: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X PUT "${KIBANA_URL}/api/workflows/workflow/{id}" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "enabled": true, + "tags": ["production"] + }' + - lang: Console + source: | + PUT kbn://api/workflows/workflow/{id} + { + "enabled": true, + "tags": ["production"] + } + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/workflows/workflow/{id}/clone: post: - description: >- - Update a list of trained models to add and/or remove them from given - spaces. - operationId: mlUpdateTrainedModelsSpaces - requestBody: - content: - application/json: - examples: - updateTrainedModelsSpacesRequest: - value: - modelIds: - - test-model - spacesToAdd: - - default - spacesToRemove: - - '*' + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/workflows/workflow/{id}/clone
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a copy of an existing workflow.

[Required authorization] Route required privileges: workflowsManagement:create AND workflowsManagement:read. + operationId: post-workflows-workflow-id-clone + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Workflow ID + in: path + name: id + required: true + schema: + type: string responses: '200': content: application/json: examples: - successTMResponse: + cloneWorkflowResponseExample: + description: Example response returning the cloned workflow with a new ID value: - test-model: - success: true - type: trained-model" - description: Indicates a successful call - summary: Update trained models spaces + createdAt: '2025-11-22T11:00:00.000Z' + createdBy: elastic + definition: + description: This is a workflow example + enabled: false + inputs: + - default: hello world + name: message + type: string + name: Example definition (copy) + steps: + - name: hello_world_step + type: console + with: + message: '{{ inputs.message }}' + triggers: + - type: manual + description: This is a workflow example + enabled: false + id: workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901 + lastUpdatedAt: '2025-11-22T11:00:00.000Z' + lastUpdatedBy: elastic + name: Example definition (copy) + valid: true + yaml: | + name: Example definition (copy) + enabled: false + description: This is a workflow example + triggers: + - type: manual + inputs: + - name: message + type: string + default: "hello world" + steps: + - name: hello_world_step + type: console + with: + message: "{{ inputs.message }}" + description: Indicates a successful response + summary: Clone a workflow tags: - - ml - /api/note: - delete: - description: > - Deletes notes by saved object ID. Send either `noteId` (single ID) or - `noteIds` (array of IDs) in the JSON body. 
- + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/workflows/workflow/{id}/clone" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" + - lang: Console + source: | + POST kbn://api/workflows/workflow/{id}/clone + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/workflows/workflow/{id}/run: + post: + description: |- + **Spaces method and path for this operation:** - The response has HTTP 200 with an empty body on success. +
post /s/{space_id}/api/workflows/workflow/{id}/run
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Requires the **Timeline and Notes** write privilege (`notes_write`). - operationId: DeleteNote + Execute a workflow by its ID with the provided inputs. The workflow must be enabled and have a valid definition. Returns an execution ID that can be used to monitor progress.

[Required authorization] Route required privileges: workflowsManagement:execute AND workflowsManagement:read. + operationId: post-workflows-workflow-id-run + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Workflow ID + in: path + name: id + required: true + schema: + type: string requestBody: content: application/json: examples: - deleteOne: - summary: Delete a single note by id + runWorkflowRequestExample: + description: Example request to execute a workflow with inputs value: - noteId: 709f99c6-89b6-4953-9160-35945c8e174e + inputs: + message: hello from the API schema: - oneOf: - - nullable: true + additionalProperties: false + type: object + properties: + inputs: + additionalProperties: + nullable: true + description: Key-value inputs for the workflow execution. type: object - properties: - noteId: - description: Saved object ID of the note to delete. - type: string - required: - - noteId - - nullable: true + metadata: + additionalProperties: + nullable: true + description: Optional metadata for the execution. type: object - properties: - noteIds: - description: Saved object IDs of the notes to delete. - items: - type: string - nullable: true - type: array - required: - - noteIds - description: > - Exactly one shape: `{ "noteId": "" }` for a single delete, or `{ - "noteIds": ["", ...] }` for bulk delete. - - `noteIds` may be null in some clients; prefer an empty array or omit - unused fields when possible. - required: true + required: + - inputs responses: '200': - description: The notes were deleted successfully. Response body is empty. 
- summary: Delete one or more notes + content: + application/json: + examples: + runWorkflowResponseExample: + description: Example response returning the execution ID + value: + workflowExecutionId: exec-a1b2c3d4-e5f6-7890 + description: Indicates a successful response + summary: Run a workflow tags: - - Security Timeline API - - access:securitySolution + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/workflows/workflow/{id}/run" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "inputs": { + "message": "hello from the API" + } + }' + - lang: Console + source: | + POST kbn://api/workflows/workflow/{id}/run + { + "inputs": { + "message": "hello from the API" + } + } + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/workflows/workflow/{workflowId}/executions: get: - description: > - Returns Security Timeline notes as saved objects. - - - **Query modes (mutually exclusive branches on the server):** - + description: |- + **Spaces method and path for this operation:** - 1. **`documentIds` is set** — Returns notes whose `eventId` matches the - given Elasticsearch document `_id` (single string or array). Pagination - query parameters (`page`, `perPage`, etc.) are **not** applied; the - server uses a fixed page size (up to 10000 notes). +
get /s/{space_id}/api/workflows/workflow/{workflowId}/executions
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - 2. **`savedObjectIds` is set** — Returns notes linked to the given - Timeline saved object id(s). Same fixed cap as above; list-mode query - parameters are **not** applied. - - - 3. **Neither `documentIds` nor `savedObjectIds`** — Lists notes using - saved-objects find semantics: `page` (default 1), `perPage` (default - 10), optional `search`, `sortField`, `sortOrder`, `filter`, - `createdByFilter`, and `associatedFilter`. - - - Requires the **Timeline and Notes** read privilege (`notes_read`). - operationId: GetNotes + Retrieve a paginated list of executions for a specific workflow.

[Required authorization] Route required privileges: workflowsManagement:readExecution. + operationId: get-workflows-workflow-workflowid-executions parameters: - - description: > - Event document `_id` values to match against each note's `eventId`. - When this parameter is present, the response is all matching notes - (up to the server's hard limit), not a paged list using - `page`/`perPage`. - examples: - multiple: - summary: Multiple document ids (array) - value: - - id-one - - id-two - single: - summary: Single document id - value: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b + - description: Workflow ID + in: path + name: workflowId + required: true + schema: + type: string + - description: Filter by execution status. in: query - name: documentIds + name: statuses + required: false schema: - $ref: '#/components/schemas/Security_Timeline_API_DocumentIds' - - description: > - Timeline `savedObjectId` value(s). Returns notes that reference - those timelines. When present, list-mode pagination parameters are - not used; up to the server's hard limit of notes may be returned. - examples: - singleTimeline: - summary: Single timeline id - value: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + items: + enum: + - pending + - waiting + - waiting_for_input + - waiting_for_child + - running + - completed + - failed + - cancelled + - timed_out + - skipped + type: string + maxItems: 10 + type: array + - description: Filter by execution type. in: query - name: savedObjectIds + name: executionTypes + required: false schema: - $ref: '#/components/schemas/Security_Timeline_API_SavedObjectIds' - - description: > - Page number for list mode (when `documentIds` and `savedObjectIds` - are omitted). Passed as a string; default 1. - example: '1' + items: + enum: + - test + - production + type: string + maxItems: 2 + type: array + - description: Filter by the user who triggered the execution. 
in: query - name: page + name: executedBy + required: false + schema: + items: + type: string + maxItems: 100 + type: array + - description: Filter by evaluated concurrency group key. + in: query + name: concurrencyGroupKey + required: false schema: - nullable: true type: string - - description: > - Page size for list mode (when `documentIds` and `savedObjectIds` are - omitted). Passed as a string; default 10. - example: '20' + - description: Whether to exclude step-level execution data. in: query - name: perPage + name: omitStepRuns + required: false + schema: + type: boolean + - description: Datemath lower bound for filtering executions by finishedAt (inclusive when parsed). + in: query + name: finishedAfter + required: false schema: - nullable: true type: string - - description: Search string for saved-objects find (list mode only). + - description: Datemath upper bound for filtering executions by finishedAt (inclusive when parsed with roundUp). in: query - name: search + name: finishedBefore + required: false schema: - nullable: true type: string - - description: Field to sort by for saved-objects find (list mode only). + - description: Field to collapse execution results by. + in: query + name: collapse + required: false + schema: + enum: + - concurrencyGroupKey + - status + - executedBy + - triggeredBy + type: string + - description: Field to sort executions by. in: query name: sortField + required: false schema: - nullable: true + enum: + - createdAt + - finishedAt type: string - - description: >- - Sort order (`asc` or `desc`) for saved-objects find (list mode - only). - example: desc + - description: Sort order. in: query name: sortOrder + required: false schema: - nullable: true + enum: + - asc + - desc type: string - - description: > - Kuery filter string combined with other list-mode filters (for - example `createdByFilter` or `associatedFilter`). Typed as a string - for API compatibility; interpreted by the saved-objects layer (list - mode only). 
+ - description: Page number. in: query - name: filter + name: page + required: false schema: - nullable: true - type: string - - description: > - Kibana user profile **UID** (UUID). The server resolves the user's - display identifiers and returns notes whose `createdBy` matches any - of them (list mode only). - example: f1c2d3e4-5b6a-7890-abcd-ef1234567890 + minimum: 1 + type: number + - description: Number of results per page. in: query - name: createdByFilter + name: size + required: false + schema: + maximum: 100 + minimum: 1 + type: number + - description: Datemath lower bound for filtering executions by startedAt (inclusive when parsed). + in: query + name: startedAfter + required: false schema: - nullable: true type: string - - description: > - Restricts notes by how they relate to a Timeline and/or an event - document (list mode only). Some values apply extra filtering after - the query. Ignored when `documentIds` or `savedObjectIds` is used. + - description: Datemath upper bound for filtering executions by startedAt (inclusive when parsed with roundUp). in: query - name: associatedFilter + name: startedBefore + required: false schema: - $ref: '#/components/schemas/Security_Timeline_API_AssociatedFilterType' - responses: - '200': - content: - application/json: - examples: - notesPage: - summary: Paged notes for a timeline - value: - notes: - - eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc - note: Escalated to tier-2 analyst - noteId: 709f99c6-89b6-4953-9160-35945c8e174e - timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - version: WzQ2LDFd - totalCount: 1 - schema: - $ref: '#/components/schemas/Security_Timeline_API_GetNotesResult' - description: Notes and total count for the requested mode. - summary: Get notes - tags: - - Security Timeline API - - access:securitySolution - patch: - description: > - Creates a new note or updates an existing one. - - - **Create:** Send `note` and omit `noteId` to create a new saved object. 
- - - **Update:** Send `note` with the changed fields and set `noteId` to the - note's saved object ID. Optionally include `version` for optimistic - concurrency when the client has it from a prior read. - - - Requires the **Timeline and Notes** write privilege (`notes_write`). - externalDocs: - description: Add or update a note on a Timeline - url: >- - https://www.elastic.co/guide/en/security/current/timeline-api-update.html - operationId: PersistNoteRoute - requestBody: - content: - application/json: - examples: - addNote: - summary: Add a note on an event - value: - note: - eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc - note: Escalated to tier-2 analyst - timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - schema: - type: object - properties: - note: - $ref: '#/components/schemas/Security_Timeline_API_BareNote' - description: >- - Note payload (timeline, text, optional event linkage, - metadata). - noteId: - description: >- - The `savedObjectId` of the note to update. Omit when - creating a new note. - example: 709f99c6-89b6-4953-9160-35945c8e174e - nullable: true - type: string - version: - description: >- - Saved object version string from a previous read; optional - on update. - example: WzQ2LDFd - nullable: true - type: string - required: - - note - description: > - Body must include the `note` object. For updates, include `noteId` - (and optionally `version`). - - To attach a note to a specific event, set `note.eventId` to that - event's document `_id`; for a timeline-wide note, omit or clear - `eventId` per product rules. 
- required: true + type: string responses: '200': content: application/json: examples: - persisted: - summary: Persisted note wrapper + getWorkflowExecutionsResponseExample: + description: Example response returning a paginated list of executions for a workflow value: - note: - eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc - note: Escalated to tier-2 analyst - noteId: 709f99c6-89b6-4953-9160-35945c8e174e - timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - version: WzQ2LDFd - schema: - $ref: '#/components/schemas/Security_Timeline_API_ResponseNote' - description: The persisted note, including `noteId` and `version`. - summary: Add or update a note + page: 1 + results: + - duration: 3000 + error: null + executedBy: elastic + finishedAt: '2025-11-20T12:00:03.000Z' + id: exec-001 + isTestRun: false + spaceId: default + startedAt: '2025-11-20T12:00:00.000Z' + status: completed + triggeredBy: manual + workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + - duration: 2000 + error: + message: Step 'hello_world_step' failed + executedBy: elastic + finishedAt: '2025-11-20T13:00:02.000Z' + id: exec-002 + isTestRun: false + spaceId: default + startedAt: '2025-11-20T13:00:00.000Z' + status: failed + triggeredBy: manual + workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + size: 20 + total: 2 + description: Indicates a successful response + summary: Get workflow executions tags: - - Security Timeline API - - access:securitySolution - /api/observability_ai_assistant/chat/complete: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/workflows/workflow/{workflowId}/executions?page=1&size=20" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/workflows/workflow/{workflowId}/executions?page=1&size=20&startedAfter=now-1d&startedBefore=now + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + 
/api/workflows/workflow/{workflowId}/executions/cancel: post: - description: > - Create a new chat completion by using the Observability AI Assistant. - - - The API returns the model's response based on the current conversation - context. - + description: |- + **Spaces method and path for this operation:** - It also handles any tool requests within the conversation, which may - trigger multiple calls to the underlying large language model (LLM). +
post /s/{space_id}/api/workflows/workflow/{workflowId}/executions/cancel
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - This functionality is in technical preview and may be changed or removed - in a future release. Elastic will work to fix any issues, but features - in technical preview are not subject to the support SLA of official GA - features. - operationId: observability-ai-assistant-chat-complete - requestBody: - content: - application/json: - examples: - chatCompleteRequestExample: - $ref: >- - #/components/examples/Observability_AI_Assistant_API_ChatCompleteRequestExample - schema: - type: object - properties: - actions: - items: - $ref: >- - #/components/schemas/Observability_AI_Assistant_API_Function - type: array - connectorId: - description: A unique identifier for the connector. - type: string - conversationId: - description: >- - A unique identifier for the conversation if you are - continuing an existing conversation. - type: string - disableFunctions: - description: >- - Flag indicating whether all function calls should be - disabled for the conversation. If true, no calls to - functions will be made. - type: boolean - instructions: - description: >- - An array of instruction objects, which can be either simple - strings or detailed objects. - items: - $ref: >- - #/components/schemas/Observability_AI_Assistant_API_Instruction - type: array - messages: - description: >- - An array of message objects containing the conversation - history. - items: - $ref: >- - #/components/schemas/Observability_AI_Assistant_API_Message - type: array - persist: - description: >- - Indicates whether the conversation should be saved to - storage. If true, the conversation will be saved and will be - available in Kibana. - type: boolean - title: - description: A title for the conversation. 
- type: string - required: - - messages - - connectorId - - persist - responses: - '200': - content: - application/json: - examples: - chatCompleteResponseExample: - $ref: >- - #/components/examples/Observability_AI_Assistant_API_ChatCompleteResponseExample - schema: - type: object - description: Successful response - summary: Generate a chat completion + Request cancellation for all non-terminal executions of the given workflow in the current space.

[Required authorization] Route required privileges: workflowsManagement:cancelExecution. + operationId: post-workflows-workflow-workflowid-executions-cancel + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Workflow ID + in: path + name: workflowId + required: true + schema: + type: string + responses: + '200': + description: Indicates a successful response + summary: Cancel all active workflow executions tags: - - observability_ai_assistant + - workflows x-codeSamples: - - lang: cURL - source: > - curl --request POST - 'localhost:5601/api/observability_ai_assistant/chat/complete' -u - : -H 'kbn-xsrf: true' -H "Content-Type: - application/json" --data ' - - { - - "connectorId": "", - - "disableFunctions": false, - "messages": [ - { - "@timestamp": "2025-06-25T23:45:00.000Z", - "message": { - "role": "user", - "content": "Is my Elasticsearch cluster healthy right now?" - } - } - ], - "persist": false, + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/workflows/workflow/{workflowId}/executions/cancel" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" + - lang: Console + source: | + POST kbn://api/workflows/workflow/{workflowId}/executions/cancel + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/workflows/workflow/{workflowId}/executions/steps: + get: + description: |- + **Spaces method and path for this operation:** - "actions": [ - { - "name": "get_cluster_health", - "description": "Fetch the current Elasticsearch cluster-health status and key metrics.", - "parameters": { - "type": "object", - "properties": { - "includeShardStats": { - "type": "boolean", - "default": false - } - } - } - } - ], +
get /s/{space_id}/api/workflows/workflow/{workflowId}/executions/steps
- "instructions": ["When the user asks about Elasticsearch cluster - health, use the get_cluster_health tool to retrieve cluster health, - then summarize the response in plain English."] + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - }' - x-state: Technical Preview - /api/osquery/history: - get: - description: > - Get a unified, time-sorted history of live, rule-triggered, and - scheduled osquery executions. The response uses cursor-based pagination. - operationId: OsqueryGetUnifiedHistory + Retrieve a paginated list of step-level execution records for a specific workflow. Optionally filter by step ID and include input or output data.

[Required authorization] Route required privileges: workflowsManagement:readExecution. + operationId: get-workflows-workflow-workflowid-executions-steps parameters: - - description: The number of results to return per page. + - description: Workflow ID + in: path + name: workflowId + required: true + schema: + type: string + - description: Filter by step ID. in: query - name: pageSize + name: stepId required: false schema: - default: 20 - description: The number of results to return per page. - maximum: 100 - minimum: 1 - type: integer - - description: >- - A base64-encoded cursor for pagination. Use the value from the - previous response to fetch the next page. + type: string + - description: Include step input data. in: query - name: nextPage + name: includeInput required: false schema: - description: >- - A base64-encoded cursor for pagination. Use the value from the - previous response to fetch the next page. - type: string - - description: >- - A search string to filter history entries by pack name, query text, - or query ID. + type: boolean + - description: Include step output data. in: query - name: kuery + name: includeOutput required: false schema: - description: >- - A search string to filter history entries by pack name, query - text, or query ID. - type: string - - description: Comma-separated list of user IDs to filter live query history. + type: boolean + - description: Page number for pagination. in: query - name: userIds + name: page required: false schema: - description: Comma-separated list of user IDs to filter live query history. - example: elastic,admin - type: string - - description: >- - Comma-separated list of source types to include. Valid values are - `live`, `rule`, and `scheduled`. + minimum: 1 + type: number + - description: Number of results per page. in: query - name: sourceFilters + name: size required: false schema: - description: >- - Comma-separated list of source types to include. 
Valid values are - `live`, `rule`, and `scheduled`. - example: live,scheduled - type: string - - description: The start of the time range filter (ISO 8601). + maximum: 100 + minimum: 1 + type: number + - description: Datemath lower bound for filtering step executions by startedAt (inclusive when parsed). in: query - name: startDate + name: startedAfter required: false schema: - description: The start of the time range filter (ISO 8601). - example: '2024-01-01T00:00:00Z' type: string - - description: The end of the time range filter (ISO 8601). + - description: Datemath upper bound for filtering step executions by startedAt (inclusive when parsed with roundUp). in: query - name: endDate + name: startedBefore required: false schema: - description: The end of the time range filter (ISO 8601). - example: '2024-12-31T23:59:59Z' type: string responses: '200': content: application/json: examples: - unifiedHistoryExample: - summary: Example unified history response + getWorkflowStepExecutionsResponseExample: + description: Example response returning step execution records for a workflow value: - data: - - actionId: 609c4c66-ba3d-43fa-afdd-53e244577aa0 - agentCount: 5 - errorCount: 0 - id: 3c42c847-eb30-4452-80e0-728584042334 - queryName: uptime_query - queryText: select * from uptime; - source: Live - sourceType: live - successCount: 5 - timestamp: '2024-07-26T09:59:32.220Z' - totalRows: 42 - userId: elastic - - agentCount: 10 - errorCount: 1 - executionCount: 3 - id: pack_my_pack_uptime_3 - packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d - packName: My Pack - plannedTime: '2024-07-26T09:00:00.000Z' - queryName: uptime - queryText: select * from uptime; - scheduleId: pack_my_pack_uptime - source: Scheduled - sourceType: scheduled - successCount: 9 - timestamp: '2024-07-26T09:00:00.000Z' - totalRows: 100 - hasMore: true - nextPage: eyJhY3Rpb25TZWFyY2hBZnRlciI6WzE3... 
- schema: - $ref: >- - #/components/schemas/Security_Osquery_API_GetUnifiedHistoryResponse - description: Indicates a successful call. - summary: Get unified query history + results: + - executionTimeMs: 1000 + finishedAt: '2025-11-20T12:00:02.000Z' + globalExecutionIndex: 0 + id: step-exec-001 + input: + message: hello world + isTestRun: false + scopeStack: [] + spaceId: default + startedAt: '2025-11-20T12:00:01.000Z' + status: completed + stepExecutionIndex: 0 + stepId: hello_world_step + stepType: console + topologicalIndex: 0 + workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + workflowRunId: exec-001 + total: 1 + description: Indicates a successful response + summary: Get workflow step executions tags: - - Security Osquery API - x-state: Generally available; Added in 9.4.0 - /api/osquery/live_queries: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/workflows/workflow/{workflowId}/executions/steps?includeInput=true" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/workflows/workflow/{workflowId}/executions/steps?includeInput=true + x-state: Generally available + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /s/{spaceId}/api/observability/slos: get: - description: Get a list of all live queries. - operationId: OsqueryFindLiveQueries + description: | + You must have the `read` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. + operationId: findSlosOp parameters: - - description: A KQL search string to filter live queries. 
+ - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - description: A valid kql query to filter the SLO with + example: 'slo.name:latency* and slo.tags : "prod"' in: query - name: kuery - required: false + name: kqlQuery schema: - $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' - - description: The page number to return. + type: string + - description: The page size to use for cursor-based pagination, must be greater or equal than 1 + example: 1 + in: query + name: size + schema: + default: 1 + type: integer + - description: The cursor to use for fetching the results from, when using a cursor-base pagination. + in: query + name: searchAfter + schema: + items: + type: string + type: array + - description: The page to use for pagination, must be greater or equal than 1 + example: 1 in: query name: page - required: false schema: - $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' - - description: The number of results to return per page. + default: 1 + type: integer + - description: Number of SLOs returned by page + example: 25 in: query - name: pageSize - required: false + name: perPage schema: - $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' - - description: The field to sort results by. + default: 25 + maximum: 5000 + type: integer + - description: Sort by field + example: status in: query - name: sort - required: false + name: sortBy schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' - - description: The sort order. 
+ default: status + enum: + - sli_value + - status + - error_budget_consumed + - error_budget_remaining + type: string + - description: Sort order + example: asc in: query - name: sortOrder - required: false + name: sortDirection schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' + default: asc + enum: + - asc + - desc + type: string + - description: Hide stale SLOs from the list as defined by stale SLO threshold in SLO settings + in: query + name: hideStale + schema: + type: boolean responses: '200': content: application/json: examples: - liveQueriesList: - summary: A list of recent live queries + findSloResponse: + summary: A paginated list of SLOs value: - data: - items: - - _source: - '@timestamp': '2023-10-31T00:00:00Z' - action_id: 3c42c847-eb30-4452-80e0-728584042334 - agents: - - 16d7caf5-efd2-4212-9b62-73dafc91fa13 - expiration: '2023-10-31T00:00:00Z' - queries: - - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 - agents: - - 16d7caf5-efd2-4212-9b62-73dafc91fa13 - ecs_mapping: - host.uptime: - field: total_seconds - id: 6724a474-cbba-41ef-a1aa-66aebf0879e2 - query: select * from uptime; - saved_query_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d - user_id: elastic - total: 1 + page: 1 + perPage: 25 + results: + - budgetingMethod: occurrences + createdAt: '2025-01-12T10:03:19.000Z' + description: Availability of my web service + enabled: true + groupBy: '*' + id: 8853df00-ae2e-11ed-90af-09bb6422b258 + indicator: + params: + filter: 'field.environment : "production" and service.name : "my-service"' + good: 'request.status_code : "2xx"' + index: logs-* + timestampField: '@timestamp' + total: 'request.status_code : *' + type: sli.kql.custom + instanceId: '*' + name: My Service Availability + objective: + target: 0.99 + revision: 1 + settings: + frequency: 5m + syncDelay: 5m + summary: + errorBudget: + consumed: 0.17 + initial: 0.01 + isEstimated: false + remaining: 0.83 + sliValue: 0.9983 + status: HEALTHY + tags: + - production + - 
web-service + timeWindow: + duration: 30d + type: rolling + updatedAt: '2025-01-12T10:03:19.000Z' + version: 2 + total: 42 schema: - $ref: >- - #/components/schemas/Security_Osquery_API_FindLiveQueryResponse - description: Indicates a successful call. - summary: Get live queries + $ref: '#/components/schemas/SLOs_find_slo_response' + description: Successful request + '400': + content: + application/json: + examples: + badRequestExample: + summary: Bad request + value: + error: Bad Request + message: 'Invalid value ''invalid'' supplied to: sortBy' + statusCode: 400 + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json: + examples: + unauthorizedExample: + summary: Unauthorized + value: + error: Unauthorized + message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' + statusCode: 401 + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json: + examples: + forbiddenExample: + summary: Forbidden + value: + error: Forbidden + message: 'security_exception: action [slo_read] is unauthorized for user' + statusCode: 403 + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Forbidden response + '404': + content: + application/json: + examples: + notFoundExample: + summary: Not found + value: + error: Not Found + message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found + statusCode: 404 + schema: + $ref: '#/components/schemas/SLOs_404_response' + description: Not found response + summary: Get a paginated list of SLOs tags: - - Security Osquery API + - slo + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name post: - description: Create and run a live query. - operationId: OsqueryCreateLiveQuery + description: | + You must have `all` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. 
+ operationId: createSloOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' requestBody: content: application/json: examples: - singleQueryAllAgents: - summary: Run a single query on all agents - value: - agent_all: true - ecs_mapping: - host.uptime: - field: total_seconds - query: select * from uptime; - targetedQuery: - summary: Run a query against specific agents + createSloKqlExample: + summary: Create an SLO with a KQL indicator value: - agent_ids: - - 16d7caf5-efd2-4212-9b62-73dafc91fa13 - query: select * from processes; + budgetingMethod: occurrences + description: Availability of my web service measured by successful HTTP responses + indicator: + params: + filter: 'field.environment : "production" and service.name : "my-service"' + good: 'request.status_code : "2xx"' + index: logs-* + timestampField: '@timestamp' + total: 'request.status_code : *' + type: sli.kql.custom + name: My Service Availability + objective: + target: 0.99 + settings: + frequency: 5m + syncDelay: 5m + tags: + - production + - web-service + timeWindow: + duration: 30d + type: rolling schema: - $ref: >- - #/components/schemas/Security_Osquery_API_CreateLiveQueryRequestBody + $ref: '#/components/schemas/SLOs_create_slo_request' required: true responses: '200': content: application/json: examples: - liveQueryCreated: - summary: Live query created + createSloResponse: + summary: Create SLO response value: - data: - '@timestamp': '2022-07-26T09:59:32.220Z' - action_id: 3c42c847-eb30-4452-80e0-728584042334 - agent_all: true - agents: - - 16d7caf5-efd2-4212-9b62-73dafc91fa13 - expiration: '2022-07-26T10:04:32.220Z' - input_type: osquery - queries: - - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 - agents: - - 16d7caf5-efd2-4212-9b62-73dafc91fa13 - id: 6724a474-cbba-41ef-a1aa-66aebf0879e2 - query: select * from uptime; - timeout: 120 - type: INPUT_ACTION - user_id: elastic + id: 8853df00-ae2e-11ed-90af-09bb6422b258 schema: - 
$ref: >- - #/components/schemas/Security_Osquery_API_CreateLiveQueryResponse - description: Indicates a successful call. - summary: Create a live query - tags: - - Security Osquery API - /api/osquery/live_queries/{id}: - get: - description: Get the details of a live query using the query ID. - operationId: OsqueryGetLiveQueryDetails - parameters: - - description: The ID of the live query. - in: path - name: id - required: true - schema: - description: The ID of the live query result you want to retrieve. - example: 3c42c847-eb30-4452-80e0-728584042334 - type: string - responses: - '200': + $ref: '#/components/schemas/SLOs_create_slo_response' + description: Successful request + '400': content: application/json: examples: - liveQueryDetails: - summary: Live query details with execution status + badRequestExample: + summary: Bad request value: - data: - '@timestamp': '2022-07-26T09:59:32.220Z' - action_id: 3c42c847-eb30-4452-80e0-728584042334 - agents: - - 16d7caf5-efd2-4212-9b62-73dafc91fa13 - expiration: '2022-07-26T10:04:32.220Z' - queries: - - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 - agents: - - 16d7caf5-efd2-4212-9b62-73dafc91fa13 - docs: 1 - failed: 0 - id: 6724a474-cbba-41ef-a1aa-66aebf0879e2 - pending: 0 - query: select * from uptime; - responded: 1 - status: completed - successful: 1 - status: completed - user_id: elastic + error: Bad Request + message: 'Invalid value ''foo'' supplied to: indicator/type' + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Osquery_API_FindLiveQueryDetailsResponse - description: Indicates a successful call. - summary: Get live query details - tags: - - Security Osquery API - /api/osquery/live_queries/{id}/results/{actionId}: - get: - description: Get the results of a live query using the query action ID. - operationId: OsqueryGetLiveQueryResults - parameters: - - description: The ID of the live query. 
- in: path - name: id - required: true - schema: - description: The ID of the live query result you want to retrieve. - example: 3c42c847-eb30-4452-80e0-728584042334 - type: string - - description: The ID of the query action. - in: path - name: actionId - required: true - schema: - description: The ID of the query action that generated the live query results. - example: 609c4c66-ba3d-43fa-afdd-53e244577aa0 - type: string - - description: A KQL search string to filter results. - in: query - name: kuery - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' - - description: The page number to return. - in: query - name: page - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' - - description: The number of results to return per page. - in: query - name: pageSize - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' - - description: The field to sort results by. - in: query - name: sort - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' - - description: The sort order. 
- in: query - name: sortOrder - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' - responses: - '200': + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json: + examples: + unauthorizedExample: + summary: Unauthorized + value: + error: Unauthorized + message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' + statusCode: 401 + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': content: application/json: examples: - liveQueryResults: - summary: Result rows from a live query execution + forbiddenExample: + summary: Forbidden value: - data: - edges: - - _id: doc1 - _source: - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 - agent: - id: 16d7caf5-efd2-4212-9b62-73dafc91fa13 - osquery: - total_seconds: '12345' - - _id: doc2 - _source: - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 - agent: - id: 16d7caf5-efd2-4212-9b62-73dafc91fa13 - osquery: - total_seconds: '67890' - total: 2 + error: Forbidden + message: 'security_exception: action [slo_write] is unauthorized for user' + statusCode: 403 schema: - $ref: >- - #/components/schemas/Security_Osquery_API_GetLiveQueryResultsResponse - description: Indicates a successful call. - summary: Get live query results - tags: - - Security Osquery API - /api/osquery/packs: - get: - description: Get a list of all query packs. - operationId: OsqueryFindPacks - parameters: - - description: The page number to return. - in: query - name: page - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' - - description: The number of results to return per page. - in: query - name: pageSize - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' - - description: The field to sort results by. 
- in: query - name: sort - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' - - description: The sort order. - in: query - name: sortOrder - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' - responses: - '200': + $ref: '#/components/schemas/SLOs_403_response' + description: Forbidden response + '409': content: application/json: examples: - packsList: - summary: A list of query packs + conflictExample: + summary: Conflict value: - data: - - created_at: '2025-02-26T13:37:30.452Z' - created_by: elastic - description: My pack - enabled: true - name: my_pack - queries: - - id: ports - interval: 60 - query: SELECT * FROM listening_ports; - removed: false - snapshot: true - timeout: 120 - saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 - updated_at: '2025-02-26T13:37:30.452Z' - updated_by: elastic - version: 1 - page: 1 - per_page: 20 - total: 1 + error: Conflict + message: SLO [d077e940-1515-11ee-9c50-9d096392f520] already exists + statusCode: 409 schema: - $ref: '#/components/schemas/Security_Osquery_API_FindPacksResponse' - description: Indicates a successful call. - summary: Get packs + $ref: '#/components/schemas/SLOs_409_response' + description: Conflict - The SLO id already exists + summary: Create an SLO tags: - - Security Osquery API + - slo + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /s/{spaceId}/api/observability/slos/_bulk_delete: post: - description: Create a query pack. - operationId: OsqueryCreatePacks + description: | + Bulk delete SLO definitions and their associated summary and rollup data. This endpoint initiates a bulk deletion operation for SLOs, which may take some time to complete. The status of the operation can be checked using the `GET /api/slo/_bulk_delete/{taskId}` endpoint. 
+ operationId: bulkDeleteOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' requestBody: content: application/json: examples: - createPack: - summary: Create a pack with a single query + bulkDeleteRequest: + summary: Bulk delete two SLOs value: - description: My pack - enabled: true - name: my_pack - policy_ids: - - my_policy_id - queries: - ports: - ecs_mapping: - client.port: - field: port - interval: 60 - query: SELECT * FROM listening_ports; - timeout: 120 + list: + - 8853df00-ae2e-11ed-90af-09bb6422b258 + - d077e940-1515-11ee-9c50-9d096392f520 schema: - $ref: '#/components/schemas/Security_Osquery_API_CreatePacksRequestBody' + $ref: '#/components/schemas/SLOs_bulk_delete_request' required: true responses: '200': content: application/json: examples: - packCreated: - summary: Pack created + bulkDeleteResponse: + summary: Bulk delete response with task ID value: - data: - created_at: '2025-02-26T13:37:30.452Z' - created_by: elastic - description: My pack - enabled: true - name: my_pack - policy_ids: - - my_policy_id - queries: - ports: - interval: 60 - query: SELECT * FROM listening_ports; - removed: false - snapshot: true - timeout: 120 - saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 - shards: [] - updated_at: '2025-02-26T13:37:30.452Z' - updated_by: elastic - version: 1 + taskId: d08506b7-f0e8-4f8b-a06a-a83940f4db91 schema: - $ref: '#/components/schemas/Security_Osquery_API_CreatePacksResponse' - description: Indicates a successful call. - summary: Create a pack - tags: - - Security Osquery API - /api/osquery/packs/{id}: - delete: - description: Delete a query pack using the pack ID. - operationId: OsqueryDeletePacks - parameters: - - description: The pack ID. 
- in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Osquery_API_PackId' - responses: - '200': + $ref: '#/components/schemas/SLOs_bulk_delete_response' + description: Successful response + '400': content: application/json: examples: - packDeleted: - summary: Pack deleted (empty response body) - value: {} + badRequestExample: + summary: Bad request + value: + error: Bad Request + message: 'Invalid value ''foo'' supplied to: list' + statusCode: 400 schema: - type: object - properties: {} - description: Indicates a successful call. - summary: Delete a pack + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json: + examples: + unauthorizedExample: + summary: Unauthorized + value: + error: Unauthorized + message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' + statusCode: 401 + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json: + examples: + forbiddenExample: + summary: Forbidden + value: + error: Forbidden + message: 'security_exception: action [slo_write] is unauthorized for user' + statusCode: 403 + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Forbidden response + summary: Bulk delete SLO definitions and their associated summary and rollup data. tags: - - Security Osquery API + - slo + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /s/{spaceId}/api/observability/slos/_bulk_delete/{taskId}: get: - description: Get the details of a query pack using the pack ID. - operationId: OsqueryGetPacksDetails + description: | + Retrieve the status of the bulk deletion operation for SLOs. This endpoint returns the status of the bulk deletion operation, including whether it is completed and the results of the operation. + operationId: bulkDeleteStatusOp parameters: - - description: The pack ID. 
+ - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - description: The task id of the bulk delete operation in: path - name: id + name: taskId required: true schema: - $ref: '#/components/schemas/Security_Osquery_API_PackId' + example: 8853df00-ae2e-11ed-90af-09bb6422b258 + type: string responses: '200': content: application/json: examples: - packDetails: - summary: Pack details + bulkDeleteStatusComplete: + summary: Completed bulk deletion value: - data: - created_at: '2025-02-26T13:37:30.452Z' - created_by: elastic - description: My pack - enabled: true - name: my_pack - policy_ids: - - my_policy_id - queries: - ports: - interval: 60 - query: SELECT * FROM listening_ports; - removed: false - snapshot: true - timeout: 120 - saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 - shards: {} - updated_at: '2025-02-26T13:37:30.452Z' - updated_by: elastic - version: 1 + isDone: true + results: + - id: 8853df00-ae2e-11ed-90af-09bb6422b258 + success: true + - id: d077e940-1515-11ee-9c50-9d096392f520 + success: true + bulkDeleteStatusPartialFailure: + summary: Completed with partial failure + value: + isDone: true + results: + - id: 8853df00-ae2e-11ed-90af-09bb6422b258 + success: true + - error: SLO [d077e940-1515-11ee-9c50-9d096392f520] not found + id: d077e940-1515-11ee-9c50-9d096392f520 + success: false schema: - $ref: '#/components/schemas/Security_Osquery_API_FindPackResponse' - description: Indicates a successful call. 
- summary: Get pack details + $ref: '#/components/schemas/SLOs_bulk_delete_status_response' + description: Successful response + '400': + content: + application/json: + examples: + badRequestExample: + summary: Bad request + value: + error: Bad Request + message: 'Invalid value ''foo'' supplied to: taskId' + statusCode: 400 + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json: + examples: + unauthorizedExample: + summary: Unauthorized + value: + error: Unauthorized + message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' + statusCode: 401 + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json: + examples: + forbiddenExample: + summary: Forbidden + value: + error: Forbidden + message: 'security_exception: action [slo_write] is unauthorized for user' + statusCode: 403 + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Forbidden response + summary: Retrieve the status of the bulk deletion tags: - - Security Osquery API - put: + - slo + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /s/{spaceId}/api/observability/slos/_bulk_purge_rollup: + post: description: | - Update a query pack using the pack ID. - > info - > You cannot update a prebuilt pack. - operationId: OsqueryUpdatePacks + The deletion occurs for the specified list of `sloId`. You must have `all` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. + operationId: deleteRollupDataOp parameters: - - description: The pack ID. 
- in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Osquery_API_PackId' + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' requestBody: content: application/json: examples: - renamePack: - summary: Rename a pack and update its description + purgeByAgeExample: + summary: Purge rollup data older than 7 days value: - description: Updated pack description - enabled: true - name: my_pack_renamed + list: + - 8853df00-ae2e-11ed-90af-09bb6422b258 + purgePolicy: + age: 7d + purgeType: fixed-age + purgeByTimestampExample: + summary: Purge rollup data before a specific date + value: + list: + - 8853df00-ae2e-11ed-90af-09bb6422b258 + - d077e940-1515-11ee-9c50-9d096392f520 + purgePolicy: + purgeType: fixed-time + timestamp: '2024-12-31T00:00:00.000Z' schema: - $ref: '#/components/schemas/Security_Osquery_API_UpdatePacksRequestBody' + $ref: '#/components/schemas/SLOs_bulk_purge_rollup_request' required: true responses: '200': content: application/json: examples: - packUpdated: - summary: Pack updated + bulkPurgeResponse: + summary: Bulk purge response with task ID value: - data: - description: Updated pack description - enabled: true - name: my_pack_renamed - policy_ids: - - my_policy_id - queries: - ports: - interval: 60 - query: SELECT * FROM listening_ports; - removed: false - snapshot: true - timeout: 120 - saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 - shards: [] - updated_at: '2025-02-27T10:00:00.000Z' - updated_by: elastic - version: 2 + taskId: 8853df00-ae2e-11ed-90af-09bb6422b258 schema: - $ref: '#/components/schemas/Security_Osquery_API_UpdatePacksResponse' - description: Indicates a successful call. - summary: Update a pack - tags: - - Security Osquery API - /api/osquery/packs/{id}/copy: - post: - description: >- - Create a copy of a query pack with a unique name by appending a `_copy` - suffix. If the name already exists, a numeric suffix is added (e.g., - `_copy_2`). 
The copied pack is always created with `enabled` set to - `false`. - operationId: OsqueryCopyPacks - parameters: - - description: The ID of the pack to copy. - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Osquery_API_PackId' - responses: - '200': + $ref: '#/components/schemas/SLOs_bulk_purge_rollup_response' + description: Successful request + '400': content: application/json: examples: - copyPackExample: - summary: Example response for copying a pack + badRequestExample: + summary: Bad request value: - data: - created_at: '2025-02-26T13:37:30.452Z' - created_by: elastic - description: My pack - enabled: false - name: my_pack_copy - policy_ids: [] - queries: - - ecs_mapping: - - key: client.port - value: - field: port - id: ports - interval: 60 - query: SELECT * FROM listening_ports; - removed: false - snapshot: true - timeout: 120 - saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 - shards: [] - updated_at: '2025-02-26T13:37:30.452Z' - updated_by: elastic + error: Bad Request + message: 'Invalid value ''foo'' supplied to: purgePolicy/purgeType' + statusCode: 400 schema: - $ref: '#/components/schemas/Security_Osquery_API_CopyPacksResponse' - description: Indicates a successful call. - summary: Copy a pack - tags: - - Security Osquery API - x-state: Generally available; Added in 9.4.0 - /api/osquery/saved_queries: - get: - description: Get a list of all saved queries. - operationId: OsqueryFindSavedQueries - parameters: - - description: The page number to return. - in: query - name: page - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' - - description: The number of results to return per page. - in: query - name: pageSize - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' - - description: The field to sort results by. 
- in: query - name: sort - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' - - description: The sort order. - in: query - name: sortOrder - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' - responses: - '200': + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': content: application/json: examples: - savedQueriesList: - summary: A list of saved queries + unauthorizedExample: + summary: Unauthorized value: - data: - - created_at: '2025-02-26T13:37:30.452Z' - created_by: elastic - description: Saved query description - ecs_mapping: - host.uptime: - field: total_seconds - id: my_saved_query - interval: '60' - platform: linux,darwin - query: select * from uptime; - saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c - timeout: 120 - updated_at: '2025-02-26T13:37:30.452Z' - updated_by: elastic - page: 1 - per_page: 20 - total: 1 + error: Unauthorized + message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' + statusCode: 401 schema: - $ref: >- - #/components/schemas/Security_Osquery_API_FindSavedQueryResponse - description: Indicates a successful call. - summary: Get saved queries + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json: + examples: + forbiddenExample: + summary: Forbidden + value: + error: Forbidden + message: 'security_exception: action [slo_write] is unauthorized for user' + statusCode: 403 + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Forbidden response + summary: Batch delete rollup and summary data tags: - - Security Osquery API + - slo + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /s/{spaceId}/api/observability/slos/_delete_instances: post: - description: Create and save a query for later use. 
- operationId: OsqueryCreateSavedQuery + description: | + The deletion occurs for the specified list of `sloId` and `instanceId`. You must have `all` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. + operationId: deleteSloInstancesOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' requestBody: content: application/json: examples: - createSavedQuery: - summary: Create a saved query + deleteInstancesExample: + summary: Delete specific SLO instances value: - description: Saved query description - ecs_mapping: - host.uptime: - field: total_seconds - id: my_saved_query - interval: '60' - platform: linux,darwin - query: select * from uptime; - timeout: 120 + list: + - instanceId: host-abc123 + sloId: 8853df00-ae2e-11ed-90af-09bb6422b258 + - instanceId: host-def456 + sloId: 8853df00-ae2e-11ed-90af-09bb6422b258 schema: - $ref: >- - #/components/schemas/Security_Osquery_API_CreateSavedQueryRequestBody + $ref: '#/components/schemas/SLOs_delete_slo_instances_request' required: true responses: - '200': + '204': + description: Successful request + '400': content: application/json: examples: - savedQueryCreated: - summary: Saved query created + badRequestExample: + summary: Bad request value: - data: - created_at: '2025-02-26T13:37:30.452Z' - created_by: elastic - description: Saved query description - ecs_mapping: - host.uptime: - field: total_seconds - id: my_saved_query - interval: '60' - platform: linux,darwin - query: select * from uptime; - saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c - timeout: 120 - updated_at: '2025-02-26T13:37:30.452Z' - updated_by: elastic + error: Bad Request + message: 'Invalid value ''foo'' supplied to: list/0/sloId' + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Osquery_API_CreateSavedQueryResponse - description: Indicates a successful call. 
- summary: Create a saved query - tags: - - Security Osquery API - /api/osquery/saved_queries/{id}: - delete: - description: Delete a saved query using the query ID. - operationId: OsqueryDeleteSavedQuery - parameters: - - description: The saved query ID. - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' - responses: - '200': + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': content: application/json: examples: - savedQueryDeleted: - summary: Saved query deleted (empty response body) - value: {} + unauthorizedExample: + summary: Unauthorized + value: + error: Unauthorized + message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' + statusCode: 401 schema: - $ref: >- - #/components/schemas/Security_Osquery_API_DefaultSuccessResponse - description: Indicates a successful call. - summary: Delete a saved query - tags: - - Security Osquery API - get: - description: Get the details of a saved query using the query ID. - operationId: OsqueryGetSavedQueryDetails - parameters: - - description: The saved query ID. 
- in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' - responses: - '200': + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': content: application/json: examples: - savedQueryDetails: - summary: Saved query details + forbiddenExample: + summary: Forbidden value: - data: - created_at: '2025-02-26T13:37:30.452Z' - created_by: elastic - description: Saved query description - ecs_mapping: - host.uptime: - field: total_seconds - id: my_saved_query - interval: '60' - platform: linux,darwin - query: select * from uptime; - saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c - timeout: 120 - updated_at: '2025-02-26T13:37:30.452Z' - updated_by: elastic + error: Forbidden + message: 'security_exception: action [slo_write] is unauthorized for user' + statusCode: 403 schema: - $ref: >- - #/components/schemas/Security_Osquery_API_FindSavedQueryDetailResponse - description: Indicates a successful call. - summary: Get saved query details + $ref: '#/components/schemas/SLOs_403_response' + description: Forbidden response + summary: Batch delete rollup and summary data tags: - - Security Osquery API - put: + - slo + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /s/{spaceId}/api/observability/slos/{sloId}: + delete: description: | - Update a saved query using the query ID. - > info - > You cannot update a prebuilt saved query. - operationId: OsqueryUpdateSavedQuery + You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. + operationId: deleteSloOp parameters: - - description: The saved query ID. 
- in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' - requestBody: - content: - application/json: - examples: - updateSavedQuery: - summary: Update a saved query - value: - description: Updated saved query description - id: my_saved_query - interval: '120' - platform: linux,darwin - query: select * from osquery_info; - timeout: 60 - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_UpdateSavedQueryRequestBody - required: true + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - $ref: '#/components/parameters/SLOs_slo_id' responses: - '200': + '204': + description: Successful request + '400': content: application/json: examples: - savedQueryUpdated: - summary: Saved query updated + badRequestExample: + summary: Bad request value: - data: - description: Updated saved query description - id: my_saved_query - interval: '120' - platform: linux,darwin - query: select * from osquery_info; - saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c - timeout: 60 - updated_at: '2025-02-27T10:00:00.000Z' - updated_by: elastic + error: Bad Request + message: 'Invalid value ''foo'' supplied to: id' + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Osquery_API_UpdateSavedQueryResponse - description: Indicates a successful call. - summary: Update a saved query - tags: - - Security Osquery API - /api/osquery/saved_queries/{id}/copy: - post: - description: >- - Create a copy of a saved query with a unique name by appending a `_copy` - suffix. If the name already exists, a numeric suffix is added (e.g., - `_copy_2`). - operationId: OsqueryCopySavedQuery - parameters: - - description: The ID of the saved query to copy. 
- in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' - responses: - '200': + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': content: application/json: examples: - copySavedQueryExample: - summary: Example response for copying a saved query + unauthorizedExample: + summary: Unauthorized value: - data: - created_at: '2025-02-26T13:37:30.452Z' - created_by: elastic - description: Saved query description - ecs_mapping: - host.uptime: - field: total_seconds - id: my_saved_query_copy - interval: '60' - platform: linux,darwin - query: select * from uptime; - removed: false - saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c - snapshot: true - timeout: 120 - updated_at: '2025-02-26T13:37:30.452Z' - updated_by: elastic + error: Unauthorized + message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' + statusCode: 401 schema: - $ref: >- - #/components/schemas/Security_Osquery_API_CopySavedQueryResponse - description: Indicates a successful call. - summary: Copy a saved query - tags: - - Security Osquery API - x-state: Generally available; Added in 9.4.0 - /api/osquery/scheduled_results/{scheduleId}/{executionCount}: - get: - description: > - Get paginated per-agent action results for a specific scheduled query - execution, with success/failure aggregation and execution metadata (pack - name, query name/text, timestamp). - operationId: OsqueryGetScheduledActionResults - parameters: - - description: The schedule ID of the scheduled query. - in: path - name: scheduleId - required: true - schema: - description: The schedule ID of the scheduled query. - example: pack_my_pack_uptime - type: string - - description: The execution count for this scheduled query run. - in: path - name: executionCount - required: true - schema: - description: The execution count for this scheduled query run. 
- example: 3 - type: integer - - description: The kuery to filter the results by. - in: query - name: kuery - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' - - description: The page number to return. The default is 1. - in: query - name: page - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' - - description: The number of results to return per page. The default is 20. - in: query - name: pageSize - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' - - description: The field that is used to sort the results. - in: query - name: sort - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' - - description: Specifies the sort order. - in: query - name: sortOrder - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' - responses: - '200': + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': content: application/json: examples: - scheduledActionResultsExample: - summary: Example scheduled action results response + forbiddenExample: + summary: Forbidden value: - aggregations: - failed: 1 - pending: 0 - successful: 9 - totalResponded: 10 - totalRowCount: 42 - currentPage: 0 - edges: - - _id: result-001 - fields: - agent_id: 16d7caf5-efd2-4212-9b62-73dafc91fa13 - rows_count: 5 - status: success - metadata: - executionCount: 3 - packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d - packName: My Pack - queryName: uptime - queryText: select * from uptime; - scheduleId: pack_my_pack_uptime - timestamp: '2024-07-26T09:00:00.000Z' - pageSize: 20 - total: 10 - totalPages: 1 + error: Forbidden + message: 'security_exception: action [slo_write] is unauthorized for user' + statusCode: 403 schema: - $ref: >- - #/components/schemas/Security_Osquery_API_GetScheduledActionResultsResponse - description: Indicates a successful 
call. - summary: Get scheduled action results + $ref: '#/components/schemas/SLOs_403_response' + description: Forbidden response + '404': + content: + application/json: + examples: + notFoundExample: + summary: Not found + value: + error: Not Found + message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found + statusCode: 404 + schema: + $ref: '#/components/schemas/SLOs_404_response' + description: Not found response + summary: Delete an SLO tags: - - Security Osquery API - x-state: Generally available; Added in 9.4.0 - /api/osquery/scheduled_results/{scheduleId}/{executionCount}/results: + - slo + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name get: - description: > - Get paginated query result rows (the actual osquery output data) for a - specific scheduled query execution. - operationId: OsqueryGetScheduledQueryResults + description: | + You must have the `read` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. + operationId: getSloOp parameters: - - description: The schedule ID of the scheduled query. - in: path - name: scheduleId - required: true - schema: - description: The schedule ID of the scheduled query. - example: pack_my_pack_uptime - type: string - - description: The execution count for this scheduled query run. - in: path - name: executionCount - required: true - schema: - description: The execution count for this scheduled query run. - example: 3 - type: integer - - description: The kuery to filter the results by. - in: query - name: kuery - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' - - description: The page number to return. The default is 1. - in: query - name: page - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' - - description: The number of results to return per page. The default is 20. 
- in: query - name: pageSize - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' - - description: The field that is used to sort the results. - in: query - name: sort - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' - - description: Specifies the sort order. - in: query - name: sortOrder - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' - - description: The start date filter (ISO 8601) to narrow down results. + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - $ref: '#/components/parameters/SLOs_slo_id' + - description: the specific instanceId used by the summary calculation + example: host-abcde in: query - name: startDate - required: false + name: instanceId schema: - description: The start date filter (ISO 8601) to narrow down results. - example: '2024-01-01T00:00:00Z' type: string responses: '200': content: application/json: examples: - scheduledQueryResultsExample: - summary: Example scheduled query results response + getSloResponse: + summary: Get SLO response value: - data: - edges: - - _id: row-001 - fields: - host.uptime: - - '12345' - - _id: row-002 - fields: - host.uptime: - - '67890' - total: 2 + budgetingMethod: occurrences + createdAt: '2025-01-12T10:03:19.000Z' + description: Availability of my web service + enabled: true + groupBy: '*' + id: 8853df00-ae2e-11ed-90af-09bb6422b258 + indicator: + params: + filter: 'field.environment : "production" and service.name : "my-service"' + good: 'request.status_code : "2xx"' + index: logs-* + timestampField: '@timestamp' + total: 'request.status_code : *' + type: sli.kql.custom + instanceId: '*' + name: My Service Availability + objective: + target: 0.99 + revision: 1 + settings: + frequency: 5m + syncDelay: 5m + summary: + errorBudget: + consumed: 0.17 + initial: 0.01 + isEstimated: false + remaining: 0.83 + 
sliValue: 0.9983 + status: HEALTHY + tags: + - production + - web-service + timeWindow: + duration: 30d + type: rolling + updatedAt: '2025-01-12T10:03:19.000Z' + version: 2 schema: - $ref: >- - #/components/schemas/Security_Osquery_API_GetScheduledQueryResultsResponse - description: Indicates a successful call. - summary: Get scheduled query results + $ref: '#/components/schemas/SLOs_slo_with_summary_response' + description: Successful request + '400': + content: + application/json: + examples: + badRequestExample: + summary: Bad request + value: + error: Bad Request + message: 'Invalid value ''foo'' supplied to: id' + statusCode: 400 + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json: + examples: + unauthorizedExample: + summary: Unauthorized + value: + error: Unauthorized + message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' + statusCode: 401 + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json: + examples: + forbiddenExample: + summary: Forbidden + value: + error: Forbidden + message: 'security_exception: action [slo_read] is unauthorized for user' + statusCode: 403 + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Forbidden response + '404': + content: + application/json: + examples: + notFoundExample: + summary: Not found + value: + error: Not Found + message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found + statusCode: 404 + schema: + $ref: '#/components/schemas/SLOs_404_response' + description: Not found response + summary: Get an SLO tags: - - Security Osquery API - x-state: Generally available; Added in 9.4.0 - /api/pinned_event: - patch: - description: Pin/unpin an event to/from an existing Timeline. 
- operationId: PersistPinnedEventRoute + - slo + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + put: + description: | + You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. + operationId: updateSloOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - $ref: '#/components/parameters/SLOs_slo_id' requestBody: content: application/json: examples: - pinEvent: - summary: Pin an event + updateSloNameExample: + summary: Update the SLO name and tags value: - eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc - timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + name: Updated Service Availability + tags: + - production + - updated + updateSloObjectiveExample: + summary: Update the SLO objective + value: + objective: + target: 0.995 schema: - type: object - properties: - eventId: - description: The `_id` of the associated event for this pinned event. - example: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc - type: string - pinnedEventId: - description: The `savedObjectId` of the pinned event you want to unpin. - example: 10r1929b-0af7-42bd-85a8-56e234f98h2f3 - nullable: true - type: string - timelineId: - description: >- - The `savedObjectId` of the timeline that you want this - pinned event unpinned from. - example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - type: string - required: - - eventId - - timelineId - description: The pinned event to add or unpin, along with additional metadata. 
+ $ref: '#/components/schemas/SLOs_update_slo_request' required: true responses: '200': content: application/json: examples: - pinnedSaved: - summary: Pinned event saved object + updateSloResponse: + summary: Update SLO response value: - eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc - pinnedEventId: 10r1929b-0af7-42bd-85a8-56e234f98h2f3 - timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - version: WzQ2LDFe - unpinned: - summary: Unpin response + budgetingMethod: occurrences + createdAt: '2025-01-12T10:03:19.000Z' + description: Availability of my web service + enabled: true + groupBy: '*' + id: 8853df00-ae2e-11ed-90af-09bb6422b258 + indicator: + params: + filter: 'field.environment : "production" and service.name : "my-service"' + good: 'request.status_code : "2xx"' + index: logs-* + timestampField: '@timestamp' + total: 'request.status_code : *' + type: sli.kql.custom + name: Updated Service Availability + objective: + target: 0.99 + revision: 2 + settings: + frequency: 5m + syncDelay: 5m + tags: + - production + - updated + timeWindow: + duration: 30d + type: rolling + updatedAt: '2025-03-26T14:30:00.000Z' + version: 2 + schema: + $ref: '#/components/schemas/SLOs_slo_definition_response' + description: Successful request + '400': + content: + application/json: + examples: + badRequestExample: + summary: Bad request value: - unpinned: true + error: Bad Request + message: 'Invalid value ''foo'' supplied to: indicator/type' + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Timeline_API_PersistPinnedEventResponse - description: Indicates a successful call. 
- summary: Pin/unpin an event - tags: - - Security Timeline API - - access:securitySolution - /api/risk_score/engine/dangerously_delete_data: - delete: - description: >- - Cleaning up the the Risk Engine by removing the indices, mapping and - transforms - operationId: CleanUpRiskEngine - responses: - '200': + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': content: application/json: examples: - CleanUpRiskEngineResponse: - summary: Successful cleanup response + unauthorizedExample: + summary: Unauthorized value: - cleanup_successful: true + error: Unauthorized + message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' + statusCode: 401 schema: - type: object - properties: - cleanup_successful: - type: boolean - description: Successful response - '400': + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': content: application/json: examples: - taskManagerUnavailable: - summary: Task manager is unavailable + forbiddenExample: + summary: Forbidden value: - message: >- - Task Manager is unavailable, but is required by the risk - engine. Please enable the taskManager plugin and try - again. - status_code: 400 + error: Forbidden + message: 'security_exception: action [slo_write] is unauthorized for user' + statusCode: 403 schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse - description: Task manager is unavailable - default: + $ref: '#/components/schemas/SLOs_403_response' + description: Forbidden response + '404': content: application/json: examples: - cleanupFailed: - summary: Cleanup failed + notFoundExample: + summary: Not found value: - cleanup_successful: false - errors: - - error: Risk engine is disabled or deleted already. 
- seq: 1 + error: Not Found + message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found + statusCode: 404 schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_CleanUpRiskEngineErrorResponse - description: Unexpected error - summary: Cleanup the Risk Engine + $ref: '#/components/schemas/SLOs_404_response' + description: Not found response + summary: Update an SLO tags: - - Security Entity Analytics API - /api/risk_score/engine/saved_object/configure: - patch: - description: Configuring the Risk Engine Saved Object - operationId: ConfigureRiskEngineSavedObject - requestBody: - content: - application/json: - examples: - ConfigureRiskEngineSavedObjectRequest: - summary: Configure the risk engine saved object - value: - enable_reset_to_zero: false - exclude_alert_statuses: - - closed - exclude_alert_tags: - - low-priority - filters: - - entity_types: - - host - - user - filter: 'host.name: *' - range: - end: now - start: now-30d - schema: - type: object - properties: - enable_reset_to_zero: - type: boolean - exclude_alert_statuses: - items: - type: string - type: array - exclude_alert_tags: - items: - type: string - type: array - filters: - items: - type: object - properties: - entity_types: - items: - enum: - - host - - user - - service - type: string - type: array - filter: - description: KQL filter string - type: string - required: - - entity_types - - filter - type: array - page_size: - description: > - Number of entities to score per page. Higher values reduce - total scoring time by reducing the number of alert-index - scans, but cannot exceed the ES|QL result limit (10,000 by - default). 
- maximum: 10000 - minimum: 100 - type: integer - range: - type: object - properties: - end: - type: string - start: - type: string - required: true + - slo + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /s/{spaceId}/api/observability/slos/{sloId}/_reset: + post: + description: | + You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. + operationId: resetSloOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - $ref: '#/components/parameters/SLOs_slo_id' responses: '200': content: application/json: examples: - ConfigureRiskEngineSavedObjectResponse: - summary: Successful configuration response + resetSloResponse: + summary: Reset SLO response value: - risk_engine_saved_object_configured: true + budgetingMethod: occurrences + createdAt: '2025-01-12T10:03:19.000Z' + description: Availability of my web service + enabled: true + groupBy: '*' + id: 8853df00-ae2e-11ed-90af-09bb6422b258 + indicator: + params: + filter: 'field.environment : "production" and service.name : "my-service"' + good: 'request.status_code : "2xx"' + index: logs-* + timestampField: '@timestamp' + total: 'request.status_code : *' + type: sli.kql.custom + name: My Service Availability + objective: + target: 0.99 + revision: 2 + settings: + frequency: 5m + syncDelay: 5m + tags: + - production + - web-service + timeWindow: + duration: 30d + type: rolling + updatedAt: '2025-03-26T14:30:00.000Z' + version: 2 schema: - type: object - properties: - risk_engine_saved_object_configured: - type: boolean - description: Successful response + $ref: '#/components/schemas/SLOs_slo_definition_response' + description: Successful request '400': content: application/json: examples: - taskManagerUnavailable: - summary: Task manager is unavailable + badRequestExample: + summary: Bad request value: - message: >- - Task Manager is unavailable, but 
is required by the risk - engine. Please enable the taskManager plugin and try - again. - status_code: 400 + error: Bad Request + message: 'Invalid value ''foo'' supplied to: id' + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse - description: Task manager is unavailable - default: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': content: application/json: examples: - configureError: - summary: Configure saved object failed + unauthorizedExample: + summary: Unauthorized value: - errors: - - error: Internal server error - seq: 1 - risk_engine_saved_object_configured: false + error: Unauthorized + message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' + statusCode: 401 schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_ConfigureRiskEngineSavedObjectErrorResponse - description: Unexpected error - summary: Configure the Risk Engine Saved Object + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json: + examples: + forbiddenExample: + summary: Forbidden + value: + error: Forbidden + message: 'security_exception: action [slo_write] is unauthorized for user' + statusCode: 403 + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Forbidden response + '404': + content: + application/json: + examples: + notFoundExample: + summary: Not found + value: + error: Not Found + message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found + statusCode: 404 + schema: + $ref: '#/components/schemas/SLOs_404_response' + description: Not found response + summary: Reset an SLO tags: - - Security Entity Analytics API - /api/risk_score/engine/schedule_now: + - slo + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /s/{spaceId}/api/observability/slos/{sloId}/disable: post: - description: >- - Schedule 
the risk scoring engine to run as soon as possible. You can use - this to recalculate entity risk scores after updating their asset - criticality. - operationId: ScheduleRiskEngineNow - requestBody: - content: - application/json: - examples: - emptyRequest: - summary: No request body - value: {} - schema: - type: object + description: | + You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. + operationId: disableSloOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - $ref: '#/components/parameters/SLOs_slo_id' responses: - '200': + '204': + description: Successful request + '400': content: application/json: examples: - ScheduleRiskEngineNowResponse: - summary: Successful schedule response + badRequestExample: + summary: Bad request value: - success: true + error: Bad Request + message: 'Invalid value ''foo'' supplied to: id' + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_RiskEngineScheduleNowResponse - description: Successful response - '400': + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': content: application/json: examples: - taskManagerUnavailable: - summary: Task manager is unavailable + unauthorizedExample: + summary: Unauthorized value: - message: >- - Task Manager is unavailable, but is required by the risk - engine. Please enable the taskManager plugin and try - again. 
- status_code: 400 + error: Unauthorized + message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' + statusCode: 401 schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse - description: Task manager is unavailable - default: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': content: application/json: examples: - scheduleNowError: - summary: Schedule now failed + forbiddenExample: + summary: Forbidden value: - full_error: '{}' - message: Internal server error + error: Forbidden + message: 'security_exception: action [slo_write] is unauthorized for user' + statusCode: 403 schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_RiskEngineScheduleNowErrorResponse - description: Unexpected error - summary: Run the risk scoring engine - tags: - - Security Entity Analytics API - /api/security_ai_assistant/anonymization_fields/_bulk_action: - post: - description: >- - Apply a bulk action to multiple anonymization fields. The bulk action is - applied to all anonymization fields that match the filter or to the list - of anonymization fields by their IDs. 
- operationId: PerformAnonymizationFieldsBulkAction - requestBody: - content: - application/json: - examples: - PerformAnonymizationFieldsBulkActionRequest: - value: - create: - - allowed: true - anonymized: false - field: host.name - - allowed: false - anonymized: true - field: user.name - delete: - ids: - - field5 - - field6 - query: 'field: host.name' - update: - - allowed: true - anonymized: false - id: field8 - - allowed: false - anonymized: true - id: field9 - schema: - example: - create: - - allowed: true - anonymized: false - field: host.name - - allowed: false - anonymized: true - field: user.name - delete: - ids: - - field5 - - field6 - query: 'field: host.name' - update: - - allowed: true - anonymized: false - id: field8 - - allowed: false - anonymized: true - id: field9 - type: object - properties: - create: - description: Array of anonymization fields to create. - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldCreateProps - type: array - delete: - description: >- - Object containing the query to filter anonymization fields - and/or an array of anonymization field IDs to delete. - type: object - properties: - ids: - description: Array of IDs to apply the action to. - example: - - '1234' - - '5678' - items: - type: string - minItems: 1 - type: array - query: - description: Query to filter the bulk action. - example: 'status: ''inactive''' - type: string - update: - description: Array of anonymization fields to update. 
- items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldUpdateProps - type: array - responses: - '200': + $ref: '#/components/schemas/SLOs_403_response' + description: Forbidden response + '404': content: application/json: examples: - PerformAnonymizationFieldsBulkActionResponse200Example: + notFoundExample: + summary: Not found value: - anonymization_fields_count: 4 - attributes: - results: - created: - - allowed: false - anonymized: true - createdAt: '2023-10-31T12:00:00Z' - createdBy: user1 - field: host.name - id: field2 - namespace: default - timestamp: '2023-10-31T12:00:00Z' - updatedAt: '2023-10-31T12:00:00Z' - updatedBy: user1 - deleted: - - field3 - skipped: - - id: field4 - name: user.name - skip_reason: ANONYMIZATION_FIELD_NOT_MODIFIED - updated: - - allowed: true - anonymized: false - createdAt: '2023-10-31T12:00:00Z' - createdBy: user1 - field: url.domain - id: field8 - namespace: default - timestamp: '2023-10-31T12:00:00Z' - updatedAt: '2023-10-31T12:00:00Z' - updatedBy: user1 - summary: - failed: 0 - skipped: 1 - succeeded: 3 - total: 4 - message: Bulk action completed successfully - status_code: 200 - success: true + error: Not Found + message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found + statusCode: 404 schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResponse - description: Indicates a successful call. + $ref: '#/components/schemas/SLOs_404_response' + description: Not found response + summary: Disable an SLO + tags: + - slo + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /s/{spaceId}/api/observability/slos/{sloId}/enable: + post: + description: | + You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. 
+ operationId: enableSloOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - $ref: '#/components/parameters/SLOs_slo_id' + responses: + '204': + description: Successful request '400': content: application/json: examples: - PerformAnonymizationFieldsBulkActionResponse400Example: + badRequestExample: + summary: Bad request value: error: Bad Request - message: Invalid request body + message: 'Invalid value ''foo'' supplied to: id' statusCode: 400 schema: - type: object - properties: - error: - description: Error type or name. - type: string - message: - description: Detailed error message. - type: string - statusCode: - description: Status code of the response. - type: number - description: Bad Request response. - summary: Apply a bulk action to anonymization fields + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json: + examples: + unauthorizedExample: + summary: Unauthorized + value: + error: Unauthorized + message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' + statusCode: 401 + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json: + examples: + forbiddenExample: + summary: Forbidden + value: + error: Forbidden + message: 'security_exception: action [slo_write] is unauthorized for user' + statusCode: 403 + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Forbidden response + '404': + content: + application/json: + examples: + notFoundExample: + summary: Not found + value: + error: Not Found + message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found + statusCode: 404 + schema: + $ref: '#/components/schemas/SLOs_404_response' + description: Not found response + summary: Enable an SLO tags: - - Security AI Assistant API - - Bulk API - x-codeSamples: - - label: Example request - lang: 
curl - source: | - curl \ - --request POST 'http://localhost:5601/api/security_ai_assistant/anonymization_fields/_bulk_action' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" \ - --data '{"create":[{"field":"host.name","allowed":true,"anonymized":false}]}' - /api/security_ai_assistant/anonymization_fields/_find: + - slo + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /s/{spaceId}/internal/observability/slos/_definitions: get: - description: Get a list of all anonymization fields. - operationId: FindAnonymizationFields + description: | + You must have the `read` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. + operationId: getDefinitionsOp parameters: - - description: Fields to return - example: - - id - - field - - anonymized - - allowed + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - description: Indicates if the API returns only outdated SLO or all SLO definitions in: query - name: fields - required: false + name: includeOutdatedOnly schema: - items: + type: boolean + - description: Indicates if the API returns SLO health data with definitions + example: true + in: query + name: includeHealth + schema: + type: boolean + - description: Filters the SLOs by tag + in: query + name: tags + schema: + type: string + - description: Filters the SLOs by name + example: my service availability + in: query + name: search + schema: + type: string + - description: The page to use for pagination, must be greater or equal than 1 + example: 1 + in: query + name: page + schema: + type: number + - description: Number of SLOs returned by page + example: 100 + in: query + name: perPage + schema: + default: 100 + maximum: 1000 + type: integer + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/SLOs_find_slo_definitions_response' + description: Successful request + 
'400': + content: + application/json: + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json: + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json: + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Forbidden response + summary: Get the SLO definitions + tags: + - slo + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name +components: + examples: + APM_UI_agent_configuration_environments_200_response1: + description: An example of a successful response from `GET /api/apm/settings/agent-configuration/environments`. + value: + environments: + - alreadyConfigured: true + name: production + - alreadyConfigured: false + name: development + - alreadyConfigured: false + name: ALL_OPTION_VALUE + APM_UI_agent_configuration_intake_object_delete_200_response1: + description: An example of a successful response from `DELETE /api/apm/settings/agent-configuration`. + value: + result: deleted + APM_UI_agent_configuration_intake_object_delete_request1: + description: Run `DELETE /api/apm/settings/agent-configuration` to delete a configuration. + value: + service: + environment: production + name: frontend + APM_UI_agent_configuration_intake_object_get_200_response1: + description: An example of a successful response from `GET /api/apm/settings/agent-configuration`. 
+ value: + - '@timestamp': 1581934104843 + agent_name: go + applied_by_agent: false + etag: 1e58c178efeebae15c25c539da740d21dee422fc + service: + environment: production + name: opbeans-go + settings: + capture_body: 'off' + transaction_max_spans: '200' + transaction_sample_rate: '1' + - '@timestamp': 1581934111727 + agent_name: go + applied_by_agent: false + etag: 3eed916d3db434d9fb7f039daa681c7a04539a64 + service: + name: opbeans-go + settings: + capture_body: 'off' + transaction_max_spans: '300' + transaction_sample_rate: '1' + - '@timestamp': 1582031336265 + agent_name: nodejs + applied_by_agent: false + etag: 5080ed25785b7b19f32713681e79f46996801a5b + service: + name: frontend + settings: + transaction_sample_rate: '1' + APM_UI_agent_configuration_intake_object_put_200_response1: + description: An example of a successful response from `PUT /api/apm/settings/agent-configuration`. The response body is intentionally empty. + value: {} + APM_UI_agent_configuration_intake_object_put_request1: + description: Run `PUT /api/apm/settings/agent-configuration` to create or update configuration details. + value: + agent_name: nodejs + service: + environment: production + name: frontend + settings: + capture_body: 'off' + transaction_max_spans: '500' + transaction_sample_rate: '0.4' + APM_UI_agent_configuration_intake_object_search_200_response1: + description: An example of a successful response from `POST /api/apm/settings/agent-configuration/search`. + value: + _id: CIaqXXABmQCdPphWj8EJ + _index: .apm-agent-configuration + _score: 2 + _source: + '@timestamp': 1582031336265 + agent_name: nodejs + applied_by_agent: false + etag: 5080ed25785b7b19f32713681e79f46996801a5b + service: + name: frontend + settings: + transaction_sample_rate: '1' + APM_UI_agent_configuration_intake_object_search_request1: + description: Run `POST /api/apm/settings/agent-configuration/search` to search configuration details. 
+ value: + etag: 1e58c178efeebae15c25c539da740d21dee422fc + service: + environment: production + name: frontend + APM_UI_agent_configuration_intake_object_view_200_response1: + description: An example of a successful response from `GET /api/apm/settings/agent-configuration/view`. + value: + '@timestamp': 1582031336265 + agent_name: nodejs + applied_by_agent: true + etag: 5080ed25785b7b19f32713681e79f46996801a5b + id: CIaqXXABmQCdPphWj8EJ + service: + environment: production + name: frontend + settings: + capture_body: 'off' + transaction_max_spans: '500' + transaction_sample_rate: '0.4' + APM_UI_agent_keys_object_post_200_response1: + description: An example of a successful response from `POST /api/apm/agent_keys`, which creates an APM agent API key. + value: + agentKey: + api_key: PjGloCGOTzaZr8ilUPvkjA + encoded: M0RDTG1uMEIzWk1oTFVhN1dCRzk6UGpHbG9DR09UemFacjhpbFVQdmtqQQ== + id: 3DCLmn0B3ZMhLUa7WBG9 + name: apm-key + APM_UI_agent_keys_object_post_request1: + description: Run `POST /api/apm/agent_keys` to create an APM agent API key with the specified privileges. + value: + name: apm-key + privileges: + - event:write + - config_agent:read + APM_UI_annotation_object_post_200_response1: + description: An example of a successful response from `POST /api/apm/services/opbeans-java/annotation`, which creates an annotation for a service named `opbeans-java`. + value: + _id: Lc9I93EBh6DbmkeV7nFX + _index: observability-annotations + _primary_term: 1 + _seq_no: 12 + _source: + '@timestamp': '2020-05-08T10:31:30.452Z' + annotation: + type: deployment + event: + created: '2020-05-09T02:34:43.937Z' + message: Deployment 1.2 + service: + name: opbeans-java + version: '1.2' + tags: + - apm + - elastic.co + - customer + _version: 1 + found: true + APM_UI_annotation_object_post_request1: + description: Run `POST /api/apm/services/{serviceName}/annotation` to create a deployment annotation for a service. 
+ value: + '@timestamp': '2024-01-15T12:00:00.000Z' + message: Deployment 1.2.0 + service: + environment: production + version: 1.2.0 + tags: + - apm + - deployment + APM_UI_annotation_search_get_200_response1: + description: An example of a successful response from `GET /api/apm/services/{serviceName}/annotation/search`, which returns the annotations associated with a service over the given time range. + value: + annotations: + - '@timestamp': 1735689600000 + id: opbeans-node@2.0.0 + text: opbeans-node@2.0.0 + type: version + - '@timestamp': 1736294400000 + id: opbeans-node@2.1.0 + text: opbeans-node@2.1.0 + type: version + APM_UI_error_400_response: + description: An example of a 400 Bad Request response, returned when the request payload or query parameters fail validation. + value: + error: Bad Request + message: '[request body]: expected value of type [string] but got [undefined]' + statusCode: 400 + APM_UI_error_401_response: + description: An example of a 401 Unauthorized response, returned when the request is missing valid authentication credentials. + value: + error: Unauthorized + message: '[security_exception]: missing authentication credentials for REST request' + statusCode: 401 + APM_UI_error_403_response: + description: An example of a 403 Forbidden response, returned when the authenticated user lacks the required APM and User Experience privileges. + value: + error: Forbidden + message: Insufficient privileges to perform this action. The APM and User Experience feature requires `all` privileges. + statusCode: 403 + APM_UI_error_404_response: + description: An example of a 404 Not Found response, returned when the requested resource does not exist or the feature is not available on the current deployment. + value: + error: Not Found + message: Not Found + statusCode: 404 + APM_UI_error_500_response: + description: An example of a 500 Internal Server Error response, returned when an unexpected error occurs while processing the request. 
+ value: + error: Internal Server Error + message: An internal server error occurred. Check the Kibana server logs for details. + statusCode: 500 + APM_UI_error_501_response: + description: An example of a 501 Not Implemented response, returned when the source map feature is not available on the current deployment. + value: + error: Not Implemented + message: Not Implemented + statusCode: 501 + APM_UI_fleet_apm_server_schema_200_response1: + description: An example of a successful response from `POST /api/apm/fleet/apm_server_schema`. The response body is intentionally empty. + value: {} + APM_UI_service_agent_name_get_200_response1: + description: An example of a successful response from `GET /api/apm/settings/agent-configuration/agent_name`, which returns the detected APM agent name for a service. + value: + agentName: nodejs + APM_UI_source_maps_delete_200_response1: + description: An example of a successful response from `DELETE /api/apm/sourcemaps/{id}`. The response body is intentionally empty. + value: {} + APM_UI_source_maps_get_200_response1: + description: A successful response from `GET /api/apm/sourcemaps`. 
+ value: + artifacts: + - body: + bundleFilepath: /test/e2e/general-usecase/bundle.js + serviceName: foo + serviceVersion: 1.0.0 + sourceMap: + file: static/js/main.chunk.js + mappings: mapping + sourceRoot: '' + sources: + - fleet-source-map-client/src/index.css + - fleet-source-map-client/src/App.js + - webpack:///./src/index.css?bb0a + - fleet-source-map-client/src/index.js + - fleet-source-map-client/src/reportWebVitals.js + sourcesContent: + - content + version: 3 + compressionAlgorithm: zlib + created: '2021-07-09T20:47:44.812Z' + decodedSha256: 644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 + decodedSize: 441 + encodedSha256: 024c72749c3e3dd411b103f7040ae62633558608f480bce4b108cf5b2275bd24 + encodedSize: 237 + encryptionAlgorithm: none + id: apm:foo-1.0.0-644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 + identifier: foo-1.0.0 + packageName: apm + relative_url: /api/fleet/artifacts/foo-1.0.0/644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 + type: sourcemap + APM_UI_source_maps_upload_200_response1: + description: A successful response from `POST /api/apm/sourcemaps`. 
+ value: + body: eJyFkL1OwzAUhd/Fc+MbYMuCEBIbHRjKgBgc96R16tiWr1OQqr47NwqJxEK3q/PzWccXxchnZ7E1A1SjuhjVZtF2yOxiEPlO17oWox3D3uPFeSRTjmJQARfCPeiAgGx8NTKsYdAc1T3rwaSJGcds8Sp3c1HnhfywUZ3QhMTFFGepZxqMC9oex3CS9tpk1XyozgOlmoVKuJX1DqEQZ0su7PGtLU+V/3JPKc3cL7TJ2FNDRPov4bFta3MDM4f7W69lpJjLO9qdK8bzVPhcJz3HUCQ4LbO/p5hCSC4cZPByrp/wFqOklbpefwAhzpqI + compressionAlgorithm: zlib + created: '2021-07-09T20:47:44.812Z' + decodedSha256: 644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 + decodedSize: 441 + encodedSha256: 024c72749c3e3dd411b103f7040ae62633558608f480bce4b108cf5b2275bd24 + encodedSize: 237 + encryptionAlgorithm: none + id: apm:foo-1.0.0-644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 + identifier: foo-1.0.0 + packageName: apm + relative_url: /api/fleet/artifacts/foo-1.0.0/644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 + type: sourcemap + APM_UI_source_maps_upload_request1: + description: | + An example of a multipart/form-data request body for `POST /api/apm/sourcemaps`. + Each field is a separate form part; `sourcemap` is the source map file content (typically uploaded as a file). + value: + bundle_filepath: /test/e2e/general-usecase/bundle.js.map + service_name: opbeans-node + service_version: 1.0.0 + sourcemap: '{"version":3,"sources":["bundle.js"],"names":[],"mappings":"AAAA","file":"bundle.js","sourcesContent":["console.log(''hello'');"]}' + Data_views_create_data_view_request: + description: Create a data view for logstash indices that includes a runtime field which extracts the shape name from a source field. + summary: Create a data view with runtime fields. + value: + data_view: + name: My Logstash data view + runtimeFieldMap: + runtime_shape_name: + script: + source: emit(doc['shape_name'].value) + type: keyword + title: logstash-* + Data_views_create_data_view_response: + description: The response includes the full data view specification, including auto-generated fields such as the unique identifier and version. 
+ summary: The create data view API returns a JSON object that contains details about the new data view. + value: + data_view: + allowNoIndex: false + fieldAttrs: {} + fieldFormats: {} + fields: + runtime_shape_name: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + name: runtime_shape_name + readFromDocValues: false + runtimeField: + script: + source: emit(doc['shape_name'].value) + type: keyword + scripted: false + searchable: true + shortDotsEnable: false + type: string + id: b561acfb-0181-455e-84a3-ce8980b2272f + name: My Logstash data view + namespaces: + - default + runtimeFieldMap: + runtime_shape_name: + script: + source: emit(doc['shape_name'].value) + type: keyword + sourceFilters: [] + title: logstash-* + typeMeta: {} + version: WzQ5LDJd + Data_views_create_runtime_field_request: + description: Create a long-type runtime field that emits a value derived from the foo source field. + summary: Create a runtime field. + value: + name: runtimeFoo + runtimeField: + script: + source: emit(doc["foo"].value) + type: long + Data_views_create_runtime_field_response: + description: The response includes the newly created runtime field as an array and the full updated data view object. + summary: The API returns created runtime field object array and updated data view object. + value: + data_view: + ...: null + fields: + - ... + Data_views_error_400_response: + description: The request was rejected because the payload or query parameters are missing required fields or contain invalid values. + summary: A bad request response. + value: + error: Bad Request + message: '[request body.data_view.title]: expected value of type [string] but got [undefined]' + statusCode: 400 + Data_views_error_404_response: + description: The requested data view or runtime field was not found in the current Kibana space. + summary: A not found response. 
+ value: + error: Not Found + message: Saved object [index-pattern/caaad6d0-920c-11ed-b36a-874bd1548a00] not found + statusCode: 404 + Data_views_get_data_view_response: + description: A complete data view object including all fields, runtime fields, and metadata. + summary: The get data view API returns a JSON object that contains information about the data view. + value: + data_view: + allowNoIndex: false + fieldAttrs: + products.manufacturer: + count: 1 + products.price: + count: 1 + products.product_name: + count: 1 + total_quantity: + count: 1 + fieldFormats: + products.base_price: + id: number + params: + pattern: $0,0.00 + products.base_unit_price: + id: number + params: + pattern: $0,0.00 + products.min_price: + id: number + params: + pattern: $0,0.00 + products.price: + id: number + params: + pattern: $0,0.00 + products.taxful_price: + id: number + params: + pattern: $0,0.00 + products.taxless_price: + id: number + params: + pattern: $0,0.00 + taxful_total_price: + id: number + params: + pattern: $0,0.[00] + taxless_total_price: + id: number + params: + pattern: $0,0.00 + fields: + _id: + aggregatable: false + count: 0 + esTypes: + - _id + format: + id: string + isMapped: true + name: _id + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + _index: + aggregatable: true + count: 0 + esTypes: + - _index + format: + id: string + isMapped: true + name: _index + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + _score: + aggregatable: false + count: 0 + format: + id: number + isMapped: true + name: _score + readFromDocValues: false + scripted: false + searchable: false + shortDotsEnable: false + type: number + _source: + aggregatable: false + count: 0 + esTypes: + - _source + format: + id: _source + isMapped: true + name: _source + readFromDocValues: false + scripted: false + searchable: false + shortDotsEnable: false + type: _source + category: + 
aggregatable: false + count: 0 + esTypes: + - text + format: + id: string + isMapped: true + name: category + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + category.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: category.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: category + type: string + currency: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: currency + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + customer_birth_date: + aggregatable: true + count: 0 + esTypes: + - date + format: + id: date + isMapped: true + name: customer_birth_date + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: date + customer_first_name: + aggregatable: false + count: 0 + esTypes: + - text + format: + id: string + isMapped: true + name: customer_first_name + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + customer_first_name.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: customer_first_name.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: customer_first_name + type: string + customer_full_name: + aggregatable: false + count: 0 + esTypes: + - text + format: + id: string + isMapped: true + name: customer_full_name + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + customer_full_name.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: customer_full_name.keyword + readFromDocValues: true + scripted: false + searchable: true + 
shortDotsEnable: false + subType: + multi: + parent: customer_full_name + type: string + customer_gender: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: customer_gender + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + customer_id: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: customer_id + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + customer_last_name: + aggregatable: false + count: 0 + esTypes: + - text + format: + id: string + isMapped: true + name: customer_last_name + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + customer_last_name.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: customer_last_name.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: customer_last_name + type: string + customer_phone: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: customer_phone + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + day_of_week: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: day_of_week + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + day_of_week_i: + aggregatable: true + count: 0 + esTypes: + - integer + format: + id: number + isMapped: true + name: day_of_week_i + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + email: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: email + readFromDocValues: true + scripted: false + 
searchable: true + shortDotsEnable: false + type: string + event.dataset: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: event.dataset + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + geoip.city_name: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: geoip.city_name + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + geoip.continent_name: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: geoip.continent_name + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + geoip.country_iso_code: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: geoip.country_iso_code + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + geoip.location: + aggregatable: true + count: 0 + esTypes: + - geo_point + format: + id: geo_point + params: + transform: wkt + isMapped: true + name: geoip.location + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: geo_point + geoip.region_name: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: geoip.region_name + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + manufacturer: + aggregatable: false + count: 0 + esTypes: + - text + format: + id: string + isMapped: true + name: manufacturer + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + manufacturer.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: manufacturer.keyword + readFromDocValues: true + scripted: false + searchable: 
true + shortDotsEnable: false + subType: + multi: + parent: manufacturer + type: string + order_date: + aggregatable: true + count: 0 + esTypes: + - date + format: + id: date + isMapped: true + name: order_date + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: date + order_id: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: order_id + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + products._id: + aggregatable: false + count: 0 + esTypes: + - text + format: + id: string + isMapped: true + name: products._id + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + products._id.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: products._id.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: products._id + type: string + products.base_price: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + params: + pattern: $0,0.00 + isMapped: true + name: products.base_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.base_unit_price: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + params: + pattern: $0,0.00 + isMapped: true + name: products.base_unit_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.category: + aggregatable: false + count: 0 + esTypes: + - text + format: + id: string + isMapped: true + name: products.category + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + products.category.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + 
isMapped: true + name: products.category.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: products.category + type: string + products.created_on: + aggregatable: true + count: 0 + esTypes: + - date + format: + id: date + isMapped: true + name: products.created_on + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: date + products.discount_amount: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + isMapped: true + name: products.discount_amount + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.discount_percentage: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + isMapped: true + name: products.discount_percentage + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.manufacturer: + aggregatable: false + count: 1 + esTypes: + - text + format: + id: string + isMapped: true + name: products.manufacturer + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + products.manufacturer.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: products.manufacturer.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: products.manufacturer + type: string + products.min_price: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + params: + pattern: $0,0.00 + isMapped: true + name: products.min_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.price: + aggregatable: true + count: 1 + esTypes: + - half_float + format: + id: number + params: + pattern: $0,0.00 + isMapped: true + name: products.price + 
readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.product_id: + aggregatable: true + count: 0 + esTypes: + - long + format: + id: number + isMapped: true + name: products.product_id + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.product_name: + aggregatable: false + count: 1 + esTypes: + - text + format: + id: string + isMapped: true + name: products.product_name + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + products.product_name.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: products.product_name.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: products.product_name + type: string + products.quantity: + aggregatable: true + count: 0 + esTypes: + - integer + format: + id: number + isMapped: true + name: products.quantity + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.sku: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: products.sku + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + products.tax_amount: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + isMapped: true + name: products.tax_amount + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.taxful_price: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + params: + pattern: $0,0.00 + isMapped: true + name: products.taxful_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.taxless_price: + aggregatable: true + count: 0 + 
esTypes: + - half_float + format: + id: number + params: + pattern: $0,0.00 + isMapped: true + name: products.taxless_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.unit_discount_amount: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + isMapped: true + name: products.unit_discount_amount + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + sku: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: sku + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + taxful_total_price: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + params: + pattern: $0,0.[00] + isMapped: true + name: taxful_total_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + taxless_total_price: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + params: + pattern: $0,0.00 + isMapped: true + name: taxless_total_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + total_quantity: + aggregatable: true + count: 1 + esTypes: + - integer + format: + id: number + isMapped: true + name: total_quantity + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + total_unique_products: + aggregatable: true + count: 0 + esTypes: + - integer + format: + id: number + isMapped: true + name: total_unique_products + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + type: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: type + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + user: + 
aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: user + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + id: ff959d40-b880-11e8-a6d9-e546fe2bba5f + name: Kibana Sample Data eCommerce + namespaces: + - default + runtimeFieldMap: {} + sourceFilters: [] + timeFieldName: order_date + title: kibana_sample_data_ecommerce + typeMeta: {} + version: WzUsMV0= + Data_views_get_data_views_response: + description: A list of available data views including their identifiers, names, and index patterns. + summary: The get all data views API returns a list of data views. + value: + data_view: + - id: ff959d40-b880-11e8-a6d9-e546fe2bba5f + name: Kibana Sample Data eCommerce + namespaces: + - default + title: kibana_sample_data_ecommerce + typeMeta: {} + - id: d3d7af60-4c81-11e8-b3d7-01146121b73d + name: Kibana Sample Data Flights + namespaces: + - default + title: kibana_sample_data_flights + - id: 90943e30-9a47-11e8-b64d-95841ca0b247 + name: Kibana Sample Data Logs + namespaces: + - default + title: kibana_sample_data_logs + Data_views_get_default_data_view_response: + description: The identifier of the default data view for the current Kibana space. + summary: The get default data view API returns the default data view identifier. + value: + data_view_id: ff959d40-b880-11e8-a6d9-e546fe2bba5f + Data_views_get_runtime_field_response: + description: The runtime field definition along with the parent data view. + summary: The get runtime field API returns a JSON object that contains information about the runtime field (`hour_of_day`) and the data view (`d3d7af60-4c81-11e8-b3d7-01146121b73d`). 
+ value: + data_view: + allowNoIndex: false + fieldAttrs: {} + fieldFormats: + AvgTicketPrice: + id: number + params: + pattern: $0,0.[00] + hour_of_day: + id: number + params: + pattern: '00' + fields: + _id: + aggregatable: false + count: 0 + esTypes: + - _id + format: + id: string + isMapped: true + name: _id + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + _index: + aggregatable: true + count: 0 + esTypes: + - _index + format: + id: string + isMapped: true + name: _index + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + _score: + aggregatable: false + count: 0 + format: + id: number + isMapped: true + name: _score + readFromDocValues: false + scripted: false + searchable: false + shortDotsEnable: false + type: number + _source: + aggregatable: false + count: 0 + esTypes: + - _source + format: + id: _source + isMapped: true + name: _source + readFromDocValues: false + scripted: false + searchable: false + shortDotsEnable: false + type: _source + AvgTicketPrice: + aggregatable: true + count: 0 + esTypes: + - float + format: + id: number + params: + pattern: $0,0.[00] + isMapped: true + name: AvgTicketPrice + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + Cancelled: + aggregatable: true + count: 0 + esTypes: + - boolean + format: + id: boolean + isMapped: true + name: Cancelled + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: boolean + Carrier: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: Carrier + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + dayOfWeek: + aggregatable: true + count: 0 + esTypes: + - integer + format: + id: number + isMapped: true + name: dayOfWeek + readFromDocValues: true + scripted: false + searchable: true + 
shortDotsEnable: false + type: number + Dest: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: Dest + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false type: string - type: array - - description: Search query - example: 'field: "user.name"' - in: query - name: filter - required: false - schema: + DestAirportID: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: DestAirportID + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + DestCityName: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: DestCityName + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + DestCountry: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: DestCountry + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + DestLocation: + aggregatable: true + count: 0 + esTypes: + - geo_point + format: + id: geo_point + params: + transform: wkt + isMapped: true + name: DestLocation + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: geo_point + DestRegion: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: DestRegion + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + DestWeather: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: DestWeather + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + DistanceKilometers: + aggregatable: true + count: 0 + esTypes: + - float + format: + id: number + isMapped: true + name: DistanceKilometers + readFromDocValues: true + 
scripted: false + searchable: true + shortDotsEnable: false + type: number + DistanceMiles: + aggregatable: true + count: 0 + esTypes: + - float + format: + id: number + isMapped: true + name: DistanceMiles + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + FlightDelay: + aggregatable: true + count: 0 + esTypes: + - boolean + format: + id: boolean + isMapped: true + name: FlightDelay + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: boolean + FlightDelayMin: + aggregatable: true + count: 0 + esTypes: + - integer + format: + id: number + isMapped: true + name: FlightDelayMin + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + FlightDelayType: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: FlightDelayType + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + FlightNum: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: FlightNum + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + FlightTimeHour: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: FlightTimeHour + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + FlightTimeMin: + aggregatable: true + count: 0 + esTypes: + - float + format: + id: number + isMapped: true + name: FlightTimeMin + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + hour_of_day: + aggregatable: true + count: 0 + esTypes: + - long + format: + id: number + params: + pattern: '00' + name: hour_of_day + readFromDocValues: false + runtimeField: + script: + source: emit(doc['timestamp'].value.getHour()); + type: long + scripted: false + 
searchable: true + shortDotsEnable: false + type: number + Origin: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: Origin + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + OriginAirportID: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: OriginAirportID + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + OriginCityName: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: OriginCityName + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + OriginCountry: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: OriginCountry + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + OriginLocation: + aggregatable: true + count: 0 + esTypes: + - geo_point + format: + id: geo_point + params: + transform: wkt + isMapped: true + name: OriginLocation + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: geo_point + OriginRegion: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: OriginRegion + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + OriginWeather: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: OriginWeather + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + timestamp: + aggregatable: true + count: 0 + esTypes: + - date + format: + id: date + isMapped: true + name: timestamp + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: date + id: 
d3d7af60-4c81-11e8-b3d7-01146121b73d + name: Kibana Sample Data Flights + runtimeFieldMap: + hour_of_day: + script: + source: emit(doc['timestamp'].value.getHour()); + type: long + sourceFilters: [] + timeFieldName: timestamp + title: kibana_sample_data_flights + version: WzM2LDJd + fields: + - aggregatable: true + count: 0 + esTypes: + - long + name: hour_of_day + readFromDocValues: false + runtimeField: + script: + source: emit(doc['timestamp'].value.getHour()); + type: long + scripted: false + searchable: true + shortDotsEnable: false + type: number + Data_views_preview_swap_data_view_request: + description: Preview the saved objects that would be affected by swapping references from one data view to another. + summary: Preview swapping references from data view ID "abcd-efg" to "xyz-123". + value: + fromId: abcd-efg + toId: xyz-123 + Data_views_preview_swap_data_view_response: + description: The result array lists every saved object that references the source data view. No saved objects are modified by the preview endpoint. + summary: A preview of saved objects that would be affected by a data view swap. + value: + result: + - id: 8963ca30-bca7-11e8-aa00-0123456789ab + type: visualization + - id: edf84fe0-e1a0-11e7-b6d5-4dc382ef7f5b + type: dashboard + Data_views_set_default_data_view_request: + description: Set the default data view, using the force flag to overwrite an existing default. + summary: Set the default data view identifier. + value: + data_view_id: ff959d40-b880-11e8-a6d9-e546fe2bba5f + force: true + Data_views_set_default_data_view_response: + description: The acknowledged flag confirms that the default data view for the current Kibana space was updated. + summary: The default data view was set successfully. + value: + acknowledged: true + Data_views_swap_data_view_request: + description: Swap all saved object references from one data view to another and delete the source data view afterward. 
+ summary: Swap references from data view ID "abcd-efg" to "xyz-123" and remove the data view that is no longer referenced. + value: + delete: true + fromId: abcd-efg + toId: xyz-123 + Data_views_swap_data_view_response: + description: The list of saved objects whose references were updated, along with the delete status of the source. + summary: The swap references API returns a list of the affected saved objects. + value: + deleteStatus: + deletePerformed: true + remainingRefs: 0 + result: + - id: '123' + type: visualization + Data_views_update_data_view_request: + description: Update the title, time field, and other properties of an existing data view. + summary: Update some properties for a data view. + value: + data_view: + allowNoIndex: false + name: Kibana Sample Data eCommerce + timeFieldName: order_date + title: kibana_sample_data_ecommerce + refresh_fields: true + Data_views_update_field_metadata_request: + description: Update the popularity count, custom label, and custom description for specific fields in a data view. + summary: Update metadata for multiple fields. + value: + fields: + field1: + count: 123 + customLabel: Field 1 label + field2: + customDescription: Field 2 description + customLabel: Field 2 label + Data_views_update_field_metadata_response: + description: The acknowledged flag confirms that the field metadata changes were applied to the data view. + summary: Field metadata was updated successfully. + value: + acknowledged: true + Data_views_update_runtime_field_request: + description: Update the script of an existing runtime field. + summary: Update an existing runtime field on a data view. + value: + runtimeField: + script: + source: emit(doc["bar"].value) + Machine_learning_APIs_mlSync401Example: + summary: Two anomaly detection jobs required synchronization in this example. 
+ value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [ml_viewer] for REST request [/_security/_authenticate]]: unable to authenticate user [ml_viewer] for REST request [/_security/_authenticate]" + statusCode: 401 + Machine_learning_APIs_mlSyncExample: + summary: Two anomaly detection jobs required synchronization in this example. + value: + datafeedsAdded: {} + datafeedsRemoved: {} + savedObjectsCreated: + anomaly-detector: + myjob1: + success: true + myjob2: + success: true + savedObjectsDeleted: {} + Observability_AI_Assistant_API_ChatCompleteRequestExample: + summary: Example of completing a chat interaction + value: | + { + "connectorId": "", + "disableFunctions": false, + "messages": [ + { + "@timestamp": "2025-06-25T23:45:00.000Z", + "message": { + "role": "user", + "content": "Is my Elasticsearch cluster healthy right now?" + } + } + ], + "persist": false, + "actions": [ + { + "name": "get_cluster_health", + "description": "Fetch the current Elasticsearch cluster-health status and key metrics.", + "parameters": { + "type": "object", + "properties": { + "includeShardStats": { + "type": "boolean", + "default": false + } + } + } + } + ], + "instructions": ["When the user asks about Elasticsearch cluster health, use the get_cluster_health tool to retrieve cluster health, then summarize the response in plain English."] + } + Observability_AI_Assistant_API_ChatCompleteResponseExample: + summary: Get a chat completion from the Observability AI Assistant + value: | + data: {"model":"unknown","choices":[{"delta":{"content":"","function_call":{"name":"get_cluster_health","arguments":"{\"includeShardStats\":true}"}},"finish_reason":null,"index":0}],"created":1750936626911,"id":"9c8eff9b-4fd4-4203-a4ab-2e364688deff","object":"chat.completion.chunk"} + + data: [DONE] + Security_Detections_API_SetAlertAssigneesBodyAdd: + value: + assignees: + add: + - 
u_MxY0jbrft7EcfC6iNZSUGeI_n6iYrSwZj5mWF5EqmSU_0 + remove: [] + ids: + - 681c2a707335aa7df5f349b70013d87254746191712ecf0ced9b3e2d538503a6 + Security_Detections_API_SetAlertAssigneesBodyRemove: + value: + assignees: + add: [] + remove: + - u_MxY0jbrft7EcfC6iNZSUGeI_n6iYrSwZj5mWF5EqmSU_0 + ids: + - 681c2a707335aa7df5f349b70013d87254746191712ecf0ced9b3e2d538503a6 + Security_Detections_API_SetAlertTagsBodyAdd: + value: + ids: + - 549c7129c76cbd554aba1bd638f8a49dde95088f5832e50218358e7eca1cf16e + tags: + tags_to_add: + - Duplicate + tags_to_remove: [] + Security_Detections_API_SetAlertTagsBodyRemove: + value: + ids: + - 549c7129c76cbd554aba1bd638f8a49dde95088f5832e50218358e7eca1cf16e + tags: + tags_to_add: [] + tags_to_remove: + - Duplicate + Task_manager_health_Serverless_APIs_health_200response_serverless: + description: A successful response from `GET api/task_manager/_health`. + value: |- + { + "id": "b44483e1-3ba2-4f28-93d0-1d96c69c32c1", + "timestamp": "2025-03-21T21:49:50.409Z", + "status": "OK", + "last_update": "2025-03-21T21:48:53.996Z", + "stats": { + "configuration": { + "timestamp": "2025-03-21T21:47:51.663Z", + "value": { + "request_capacity": 1000, + "monitored_aggregated_stats_refresh_rate": 60000, + "monitored_stats_running_average_window": 50, + "monitored_task_execution_thresholds": { + "custom": {}, + "default": { + "error_threshold": 90, + "warn_threshold": 80 + } + }, + "claim_strategy": "mget", + "poll_interval": 500, + "capacity": { + "config": 10, + "as_workers": 10, + "as_cost": 20 + } + }, + "status": "OK" + }, + "workload": { + "timestamp": "2025-03-21T21:48:53.996Z", + "value": { + "count": 21, + "cost": 42, + "task_types": { + "Fleet-Metrics-Task": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "Fleet-Usage-Logger": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "Fleet-Usage-Sender": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "ML:saved-objects-sync": { + "count": 1, + "cost": 2, + 
"status": { + "idle": 1 + } + }, + "actions:connector_usage_reporting": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "actions_telemetry": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "alerting_health_check": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "alerting_telemetry": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "alerts_invalidate_api_keys": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "cases-telemetry-task": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "dashboard_telemetry": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "fleet:automatic-agent-upgrade-task": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "fleet:check-deleted-files-task": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "fleet:delete-unenrolled-agents-task": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "fleet:sync-integrations-task": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "fleet:unenroll-inactive-agents-task": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "fleet:upgrade-agentless-deployments-task": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "session_cleanup": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "task_manager:delete_inactive_background_task_nodes": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + }, + "task_manager:mark_removed_tasks_as_unrecognized": { + "count": 1, + "cost": 2, + "status": { + "idle": 1 + } + } + }, + "non_recurring": 1, + "non_recurring_cost": 2, + "schedule": [ + [ + "1m", + 2 + ], + [ + "5m", + 2 + ], + [ + "10m", + 1 + ], + [ + "15m", + 1 + ], + [ + "30m", + 1 + ], + [ + "1h", + 5 + ], + [ + "3600s", + 1 + ], + [ + "60m", + 1 + ], + [ + "720m", + 1 + ], + [ + "1d", + 4 + ], + [ + "1440m", + 1 + ] + ], + "overdue": 0, + "overdue_cost": 0, + 
"overdue_non_recurring": 0, + "estimated_schedule_density": [ + 0, + 0, + 1, + 0, + 0, + 0, + 0, + 1, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0 + ], + "capacity_requirements": { + "per_minute": 2, + "per_hour": 43, + "per_day": 7 + } + }, + "status": "OK" + } + } + } + get_connector_types_generativeai_response: + summary: A list of connector types for the `generativeAI` feature. + value: + - id: .gen-ai + name: OpenAI + enabled: true + enabled_in_config: true + enabled_in_license: true + minimum_license_required: enterprise + supported_feature_ids: + - generativeAIForSecurity + - generativeAIForObservability + - generativeAIForSearchPlayground + is_system_action_type: false + - id: .bedrock + name: AWS Bedrock + enabled: true + enabled_in_config: true + enabled_in_license: true + minimum_license_required: enterprise + supported_feature_ids: + - generativeAIForSecurity + - generativeAIForObservability + - generativeAIForSearchPlayground + is_system_action_type: false + - id: .gemini + name: Google Gemini + enabled: true + enabled_in_config: true + enabled_in_license: true + minimum_license_required: enterprise + supported_feature_ids: + - generativeAIForSecurity + is_system_action_type: false + get_connector_response: + summary: Get connector details. + value: + id: df770e30-8b8b-11ed-a780-3b746c987a81 + name: my_server_log_connector + config: {} + connector_type_id: .server-log + is_preconfigured: false + is_deprecated: false + is_missing_secrets: false + is_system_action: false + update_index_connector_request: + summary: Update an index connector. + value: + name: updated-connector + config: + index: updated-index + create_email_connector_request: + summary: Create an email connector. 
+ value: + name: email-connector-1 + connector_type_id: .email + config: + from: tester@example.com + hasAuth: true + host: https://example.com + port: 1025 + secure: false + service: other + secrets: + user: username + password: password + create_index_connector_request: + summary: Create an index connector. + value: + name: my-connector + connector_type_id: .index + config: + index: test-index + create_webhook_connector_request: + summary: Create a webhook connector with SSL authentication. + value: + name: my-webhook-connector + connector_type_id: .webhook + config: + method: post + url: https://example.com + authType: webhook-authentication-ssl + certType: ssl-crt-key + secrets: + crt: QmFnIEF0dH... + key: LS0tLS1CRUdJ... + password: my-passphrase + create_xmatters_connector_request: + summary: Create an xMatters connector with URL authentication. + value: + name: my-xmatters-connector + connector_type_id: .xmatters + config: + usesBasic: false + secrets: + secretsUrl: https://example.com?apiKey=xxxxx + create_email_connector_response: + summary: A new email connector. + value: + id: 90a82c60-478f-11ee-a343-f98a117c727f + connector_type_id: .email + name: email-connector-1 + config: + from: tester@example.com + service: other + host: https://example.com + port: 1025 + secure: false + hasAuth: true + tenantId: null + clientId: null + oauthTokenUrl: null + is_preconfigured: false + is_deprecated: false + is_missing_secrets: false + is_system_action: false + create_index_connector_response: + summary: A new index connector. + value: + id: c55b6eb0-6bad-11eb-9f3b-611eebc6c3ad + connector_type_id: .index + name: my-connector + config: + index: test-index + refresh: false + executionTimeField: null + is_preconfigured: false + is_deprecated: false + is_missing_secrets: false + is_system_action: false + create_webhook_connector_response: + summary: A new webhook connector. 
+ value: + id: 900eb010-3b9d-11ee-a642-8ffbb94e38bd + name: my-webhook-connector + config: + method: post + url: https://example.com + authType: webhook-authentication-ssl + certType: ssl-crt-key + verificationMode: full + headers: null + hasAuth: true + connector_type_id: .webhook + is_preconfigured: false + is_deprecated: false + is_missing_secrets: false + is_system_action: false + run_index_connector_request: + summary: Run an index connector. + value: + params: + documents: + - id: my_doc_id + name: my_doc_name + message: hello, world + run_jira_connector_request: + summary: Run a Jira connector to retrieve the list of issue types. + value: + params: + subAction: issueTypes + run_servicenow_itom_connector_request: + summary: Run a ServiceNow ITOM connector to retrieve the list of choices. + value: + params: + subAction: getChoices + subActionParams: + fields: + - severity + - urgency + run_slack_api_connector_request: + summary: Run a Slack connector that uses the web API method to post a message on a channel. + value: + params: + subAction: postMessage + subActionParams: + channelIds: + - C123ABC456 + text: A test message. + run_swimlane_connector_request: + summary: Run a Swimlane connector to create an incident. + value: + params: + subAction: pushToService + subActionParams: + comments: + - commentId: 1 + comment: A comment about the incident. + incident: + caseId: '1000' + caseName: Case name + description: Description of the incident. + run_index_connector_response: + summary: Response from running an index connector. + value: + connector_id: fd38c600-96a5-11ed-bb79-353b74189cba + data: + errors: false + items: + - create: + _id: 4JtvwYUBrcyxt2NnfW3y + _index: my-index + _primary_term: 1 + _seq_no: 0 + _shards: + failed: 0 + successful: 1 + total: 2 + _version: 1 + result: created + status: 201 + took: 135 + status: ok + run_jira_connector_response: + summary: Response from retrieving the list of issue types for a Jira connector. 
+ value: + connector_id: b3aad810-edbe-11ec-82d1-11348ecbf4a6 + data: + - id: 10024 + name: Improvement + - id: 10006 + name: Task + - id: 10007 + name: Sub-task + - id: 10025 + name: New Feature + - id: 10023 + name: Bug + - id: 10000 + name: Epic + status: ok + run_server_log_connector_response: + summary: Response from running a server log connector. + value: + connector_id: 7fc7b9a0-ecc9-11ec-8736-e7d63118c907 + status: ok + run_servicenow_itom_connector_response: + summary: Response from retrieving the list of choices for a ServiceNow ITOM connector. + value: + connector_id: 9d9be270-2fd2-11ed-b0e0-87533c532698 + data: + - dependent_value: '' + element: severity + label: Critical + value: 1 + - dependent_value: '' + element: severity + label: Major + value: 2 + - dependent_value: '' + element: severity + label: Minor + value: 3 + - dependent_value: '' + element: severity + label: Warning + value: 4 + - dependent_value: '' + element: severity + label: OK + value: 5 + - dependent_value: '' + element: severity + label: Clear + value: 0 + - dependent_value: '' + element: urgency + label: 1 - High + value: 1 + - dependent_value: '' + element: urgency + label: 2 - Medium + value: 2 + - dependent_value: '' + element: urgency + label: 3 - Low + value: 3 + status: ok + run_slack_api_connector_response: + summary: Response from posting a message with a Slack connector. + value: + status: ok + data: + ok: true + channel: C123ABC456 + ts: '1234567890.123456' + message: + bot_id: B12BCDEFGHI + type: message + text: A test message + user: U12A345BC6D + ts: '1234567890.123456' + app_id: A01BC2D34EF + blocks: + - type: rich_text + block_id: /NXe + elements: + - type: rich_text_section + elements: + - type: text + text: A test message. 
+ team: T01ABCDE2F + bot_profile: + id: B12BCDEFGHI + app_id: A01BC2D34EF + name: test + icons: + image_36: https://a.slack-edge.com/80588/img/plugins/app/bot_36.png + deleted: false + updated: 1672169705 + team_id: T01ABCDE2F + connector_id: .slack_api + run_swimlane_connector_response: + summary: Response from creating a Swimlane incident. + value: + connector_id: a4746470-2f94-11ed-b0e0-87533c532698 + data: + id: aKPmBHWzmdRQtx6Mx + title: TEST-457 + url: https://elastic.swimlane.url.us/record/aNcL2xniGHGpa2AHb/aKPmBHWzmdRQtx6Mx + pushedDate: '2022-09-08T16:52:27.866Z' + comments: + - commentId: 1 + pushedDate: '2022-09-08T16:52:27.865Z' + status: ok + get_connectors_response: + summary: A list of connectors + value: + - id: preconfigured-email-connector + name: my-preconfigured-email-notification + connector_type_id: .email + is_preconfigured: true + is_deprecated: false + referenced_by_count: 0 + is_system_action: false + - id: e07d0c80-8b8b-11ed-a780-3b746c987a81 + name: my-index-connector + config: + index: test-index + refresh: false + executionTimeField: null + connector_type_id: .index + is_preconfigured: false + is_deprecated: false + referenced_by_count: 2 + is_missing_secrets: false + is_system_action: false + get_spaces_response1: + summary: Get all spaces + description: Get all spaces without specifying any options. + value: + - id: default + name: Default + description: This is the Default Space + disabledFeatures: [] + imageUrl: '' + _reserved: true + - id: marketing + name: Marketing + description: This is the Marketing Space + color: null + disabledFeatures: + - apm + initials: MK + imageUrl: data:image/png;base64,iVBORw0KGgoAAAANSU + - id: sales + name: Sales + initials: MK + disabledFeatures: + - discover + imageUr": '' + solution: oblt + get_spaces_response2: + summary: Get all spaces with custom options + description: | + The user has read-only access to the Sales space. 
Get all spaces with the following query parameters: "purpose=shareSavedObjectsIntoSpace&include_authorized_purposes=true" + value: + - id: default + name: Default + description: This is the Default Space + disabledFeatures: [] + imageUrl: '' + _reserved: true + authorizedPurposes: + any: true + copySavedObjectsIntoSpace: true + findSavedObjects: true + shareSavedObjectsIntoSpace: true + - id: marketing + name: Marketing + description: This is the Marketing Space + color: null + disabledFeatures: + - apm + initials: MK + imageUrl: data:image/png;base64,iVBORw0KGgoAAAANSU + authorizedPurposes: + any: true + copySavedObjectsIntoSpace: true + findSavedObjects: true + shareSavedObjectsIntoSpace: true + - id: sales + name: Sales + initials: MK + disabledFeatures: + - discover + imageUrl: '' + authorizedPurposes: + any: true + copySavedObjectsIntoSpace: false + findSavedObjects: true + shareSavedObjectsIntoSpace: false + create_space_request: + summary: Create a marketing space + value: + id: marketing + name: Marketing + description: This is the Marketing Space + color: null + initials: MK + disabledFeatures: [] + imageUrl: data:image/png;base64,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 + get_space_response: + summary: Get details about a marketing space + value: + id: marketing + name: Marketing + description: This is the Marketing Space + color: null + initials: MK + disabledFeatures: [] + imageUrl: '' + solution: es + update_space_request: + summary: Update a marketing space + description: Update the marketing space to remove the imageUrl. 
+ value: + id: marketing + name: Marketing + description: This is the Marketing Space + color: null + initials: MK + disabledFeatures: [] + imageUrl: '' + parameters: + APM_UI_elastic_api_version: + description: The version of the API to use + in: header + name: elastic-api-version + required: true + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + APM_UI_kbn_xsrf: + description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + Data_views_field_name: + description: The name of the runtime field. + in: path + name: fieldName + required: true + schema: + example: hour_of_day + type: string + Data_views_kbn_xsrf: + description: Cross-site request forgery protection + in: header + name: kbn-xsrf + required: true + schema: + type: string + Data_views_view_id: + description: An identifier for the data view. + in: path + name: viewId + required: true + schema: + example: ff959d40-b880-11e8-a6d9-e546fe2bba5f + type: string + Machine_learning_APIs_simulateParam: + description: When true, simulates the synchronization by returning only the list of actions that would be performed. + example: 'true' + in: query + name: simulate + required: false + schema: + type: boolean + SLOs_kbn_xsrf: + description: Cross-site request forgery protection + in: header + name: kbn-xsrf + required: true + schema: + type: string + SLOs_slo_id: + description: An identifier for the slo. + in: path + name: sloId + required: true + schema: + example: 9c235211-6834-11ea-a78c-6feb38a34414 + type: string + SLOs_space_id: + description: An identifier for the space. If `/s/` and the identifier are omitted from the path, the default space is used. 
+ in: path + name: spaceId + required: true + schema: + example: default + type: string + schemas: + APM_UI_400_response: + type: object + properties: + error: + description: Error type + example: Not Found + type: string + message: + description: Error message + example: Not Found + type: string + statusCode: + description: Error status code + example: 400 + type: number + APM_UI_401_response: + type: object + properties: + error: + description: Error type + example: Unauthorized + type: string + message: + description: Error message + type: string + statusCode: + description: Error status code + example: 401 + type: number + APM_UI_403_response: + type: object + properties: + error: + description: Error type + example: Forbidden + type: string + message: + description: Error message + type: string + statusCode: + description: Error status code + example: 403 + type: number + APM_UI_404_response: + type: object + properties: + error: + description: Error type + example: Not Found + type: string + message: + description: Error message + example: Not Found + type: string + statusCode: + description: Error status code + example: 404 + type: number + APM_UI_500_response: + type: object + properties: + error: + description: Error type + example: Internal Server Error + type: string + message: + description: Error message + type: string + statusCode: + description: Error status code + example: 500 + type: number + APM_UI_501_response: + type: object + properties: + error: + description: Error type + example: Not Implemented + type: string + message: + description: Error message + example: Not Implemented + type: string + statusCode: + description: Error status code + example: 501 + type: number + APM_UI_agent_configuration_intake_object: + type: object + properties: + agent_name: + description: The agent name is used by the UI to determine which settings to display. 
+ type: string + service: + $ref: '#/components/schemas/APM_UI_service_object' + settings: + $ref: '#/components/schemas/APM_UI_settings_object' + required: + - service + - settings + APM_UI_agent_configuration_object: + description: Agent configuration + type: object + properties: + '@timestamp': + description: Timestamp + example: 1730194190636 + type: number + agent_name: + description: Agent name + type: string + applied_by_agent: + description: Applied by agent + example: true + type: boolean + etag: + description: | + `etag` is sent by the APM agent to indicate the `etag` of the last successfully applied configuration. If the `etag` matches an existing configuration its `applied_by_agent` property will be set to `true`. Every time a configuration is edited `applied_by_agent` is reset to `false`. + example: 0bc3b5ebf18fba8163fe4c96f491e3767a358f85 + type: string + service: + $ref: '#/components/schemas/APM_UI_service_object' + settings: + $ref: '#/components/schemas/APM_UI_settings_object' + required: + - service + - settings + - '@timestamp' + - etag + APM_UI_agent_configurations_response: + type: object + properties: + configurations: + description: Agent configuration + items: + $ref: '#/components/schemas/APM_UI_agent_configuration_object' + type: array + APM_UI_agent_keys_object: + type: object + properties: + name: + description: The name of the APM agent key. + type: string + privileges: + description: | + The APM agent key privileges. It can take one or more of the following values: + * `event:write`, which is required for ingesting APM agent events. * `config_agent:read`, which is required for APM agents to read agent configuration remotely. 
+ items: + enum: + - event:write + - config_agent:read type: string - - description: Field to sort by - example: created_at - in: query - name: sort_field - required: false - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_FindAnonymizationFieldsSortField - - description: Sort order - example: asc - in: query - name: sort_order - required: false - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' - - description: Page number - example: 1 - in: query - name: page - required: false - schema: - default: 1 - minimum: 1 - type: integer - - description: AnonymizationFields per page - example: 20 - in: query - name: per_page - required: false - schema: - default: 20 - minimum: 0 - type: integer - - description: >- - If true, additionally fetch all anonymization fields, otherwise - fetch only the provided page - in: query - name: all_data - required: false - schema: - type: boolean - responses: - '200': - content: - application/json: - examples: - FindAnonymizationFieldsResponse200Example: - value: - aggregations: - field_status: - buckets: - allowed: - doc_count: 1 - anonymized: - doc_count: 1 - denied: - doc_count: 1 - all: - - allowed: true - anonymized: true - createdAt: '2023-10-31T12:00:00Z' - createdBy: user1 - field: user.name - id: '1' - namespace: default - timestamp: '2023-10-31T12:00:00Z' - updatedAt: '2023-10-31T12:00:00Z' - updatedBy: user1 - data: - - allowed: true - anonymized: true - createdAt: '2023-10-31T12:00:00Z' - createdBy: user1 - field: user.name - id: '1' - namespace: default - timestamp: '2023-10-31T12:00:00Z' - updatedAt: '2023-10-31T12:00:00Z' - updatedBy: user1 - page: 1 - perPage: 20 - total: 100 - schema: - type: object - properties: - aggregations: - type: object - properties: - field_status: - type: object - properties: - buckets: - type: object - properties: - allowed: - type: object - properties: - doc_count: - default: 0 - type: integer - anonymized: - type: object - properties: - doc_count: 
- default: 0 - type: integer - denied: - type: object - properties: - doc_count: - default: 0 - type: integer - all: - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse - type: array - data: - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse - type: array - page: - type: integer - perPage: - type: integer - total: - type: integer - required: - - page - - perPage - - total - - data - description: Indicates a successful call. - '400': - content: - application/json: - examples: - FindAnonymizationFieldsResponse400Example: - value: - error: Bad Request - message: Invalid request parameters - statusCode: 400 - schema: - type: object - properties: - error: - type: string - message: - type: string - statusCode: - type: number - description: Bad Request response. - summary: Get anonymization fields - tags: - - Security AI Assistant API - - AnonymizationFields API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request GET 'http://localhost:5601/api/security_ai_assistant/anonymization_fields/_find?page=1&per_page=20' \ - --header "Authorization: $API_KEY" - /api/security_ai_assistant/chat/complete: - post: - description: Create a model response for the given chat conversation. - operationId: ChatComplete - parameters: - - description: If true, the response will not include content references. - example: false - in: query - name: content_references_disabled - required: false - schema: - default: false - type: boolean - requestBody: - content: - application/json: - examples: - ChatCompleteRequest: - value: - connectorId: conn-001 - conversationId: abc123 - isStream: true - langSmithApiKey: - langSmithProject: security_ai_project - messages: - - content: What are some common phishing techniques? 
- data: - user_id: user_789 - fields_to_anonymize: - - user.name - - source.ip - role: user - model: gpt-4 - persist: true - promptId: prompt_456 - responseLanguage: en - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_ChatCompleteProps' - required: true - responses: - '200': - content: - application/octet-stream: - examples: - ChatCompleteResponse200Example: - value: (streaming binary response) - schema: - format: binary - type: string - description: Indicates a successful model response call. - '400': - content: - application/json: - examples: - ChatCompleteResponse400Example: - value: - error: Bad Request - message: Invalid request payload. - statusCode: 400 - schema: - type: object - properties: - error: - description: Error type. - example: Bad Request - type: string - message: - description: Human-readable error message. - example: Invalid request payload. - type: string - statusCode: - description: HTTP status code. - example: 400 - type: number - description: Bad Request response. - summary: Create a model response - tags: - - Security AI Assistant API - - Chat Complete API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request POST 'http://localhost:5601/api/security_ai_assistant/chat/complete' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" \ - --data '{"connectorId":"conn-001","persist":true,"messages":[{"role":"user","content":"What are common phishing techniques?"}]}' - /api/security_ai_assistant/current_user/conversations: - delete: - description: This endpoint allows users to permanently delete all conversations. - operationId: DeleteAllConversations - requestBody: - content: - application/json: - examples: - DeleteAllConversationsRequest: - value: - excludedIds: - - abc123 - - def456 - schema: - type: object - properties: - excludedIds: - description: Optional list of conversation IDs to delete. 
- example: - - abc123 - - def456 - items: - type: string - type: array - required: false - responses: - '200': - content: - application/json: - examples: - DeleteAllConversationsResponse200Example: - value: - failures: [] - success: true - totalDeleted: 10 - schema: - type: object - properties: - failures: - items: - type: string - type: array - success: - example: true - type: boolean - totalDeleted: - example: 10 - type: number - description: >- - Indicates a successful call. The conversations were deleted - successfully. - '400': - content: - application/json: - examples: - DeleteAllConversationsResponse400Example: - value: - error: Bad Request - message: Invalid conversation ID - statusCode: 400 - schema: - type: object - properties: - error: - example: Bad Request - type: string - message: - example: Invalid conversation ID - type: string - statusCode: - example: 400 - type: number - description: Bad Request response. - summary: Delete conversations - tags: - - Security AI Assistant API - - Conversation API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request DELETE 'http://localhost:5601/api/security_ai_assistant/current_user/conversations' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" \ - --data '{"excludedIds":["abc123"]}' - post: - description: >- - Create a new Security AI Assistant conversation. This endpoint allows - the user to initiate a conversation with the Security AI Assistant by - providing the required parameters. - operationId: CreateConversation - requestBody: - content: - application/json: - examples: - CreateConversationRequest: - value: - apiConfig: - actionTypeId: '67890' - connectorId: '12345' - category: assistant - excludeFromLastConversationStorage: false - messages: - - content: Hello, how can I assist you today? 
- role: system - timestamp: '2023-10-31T12:00:00Z' - replacements: {} - title: Security Discussion - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_ConversationCreateProps - required: true - responses: - '200': - content: - application/json: - examples: - CreateConversationResponse200Example: - value: - apiConfig: - actionTypeId: '67890' - connectorId: '12345' - category: assistant - createdAt: '2023-10-31T12:01:00Z' - createdBy: - id: user1 - name: John Doe - excludeFromLastConversationStorage: false - id: abc123 - messages: - - content: Hello, how can I assist you today? - role: system - timestamp: '2023-10-31T12:00:00Z' - namespace: default - replacements: {} - title: Security Discussion - updatedAt: '2023-10-31T12:01:00Z' - users: - - id: user1 - name: John Doe - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_ConversationResponse - description: >- - Indicates a successful call. The conversation was created - successfully. - '400': - content: - application/json: - examples: - CreateConversationResponse400Example: - value: - error: Bad Request - message: 'Missing required parameter: title' - statusCode: 400 - schema: - type: object - properties: - error: - example: Bad Request - type: string - message: - example: 'Missing required parameter: title' - type: string - statusCode: - example: 400 - type: number - description: Bad Request response. 
- summary: Create a conversation - tags: - - Security AI Assistant API - - Conversation API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request POST 'http://localhost:5601/api/security_ai_assistant/current_user/conversations' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" \ - --data '{"title":"Security Discussion","category":"assistant","messages":[{"content":"Hello","role":"system","timestamp":"2023-10-31T12:00:00Z"}],"apiConfig":{"connectorId":"12345","actionTypeId":"67890"},"replacements":{},"excludeFromLastConversationStorage":false}' - /api/security_ai_assistant/current_user/conversations/_find: - get: - description: >- - Get a list of all conversations for the current user. This endpoint - allows users to search, filter, sort, and paginate through their - conversations. - operationId: FindConversations - parameters: - - description: >- - A list of fields to include in the response. If omitted, all fields - are returned. - in: query - name: fields - required: false - schema: - example: - - id - - title - - createdAt - items: + type: array + required: + - name + - privileges + APM_UI_agent_keys_response: + type: object + properties: + agentKey: + description: Agent key + type: object + properties: + api_key: + type: string + encoded: + type: string + expiration: + format: int64 + type: integer + id: + type: string + name: type: string - type: array - - description: >- - A search query to filter the conversations. Can match against - titles, messages, or other conversation attributes. 
- in: query - name: filter - required: false - schema: - example: Security Issue + required: + - id + - name + - api_key + - encoded + APM_UI_annotation_search_response: + type: object + properties: + annotations: + description: Annotations + items: + type: object + properties: + '@timestamp': + type: number + id: + type: string + text: + type: string + type: + enum: + - version + type: string + type: array + APM_UI_base_source_map_object: + type: object + properties: + compressionAlgorithm: + description: Compression Algorithm + type: string + created: + description: Created date + type: string + decodedSha256: + description: Decoded SHA-256 + type: string + decodedSize: + description: Decoded size + type: number + encodedSha256: + description: Encoded SHA-256 + type: string + encodedSize: + description: Encoded size + type: number + encryptionAlgorithm: + description: Encryption Algorithm + type: string + id: + description: Identifier + type: string + identifier: + description: Identifier + type: string + packageName: + description: Package name + type: string + relative_url: + description: Relative URL + type: string + type: + description: Type + type: string + APM_UI_create_annotation_object: + type: object + properties: + '@timestamp': + description: The date and time of the annotation. It must be in ISO 8601 format. + type: string + message: + description: The message displayed in the annotation. It defaults to `service.version`. + type: string + service: + description: The service that identifies the configuration to create or update. + type: object + properties: + environment: + description: The environment of the service. + type: string + version: + description: The version of the service. + type: string + required: + - version + tags: + description: | + Tags are used by the Applications UI to distinguish APM annotations from other annotations. Tags may have additional functionality in future releases. It defaults to `[apm]`. 
While you can add additional tags, you cannot remove the `apm` tag. + items: type: string - - description: >- - The field by which to sort the results. Valid fields are - `created_at`, `title`, and `updated_at`. - in: query - name: sort_field - required: false - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_FindConversationsSortField - example: created_at - - description: >- - The order in which to sort the results. Can be either `asc` for - ascending or `desc` for descending. - in: query - name: sort_order - required: false - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' - example: desc - - description: The page number of the results to retrieve. Default is 1. - in: query - name: page - required: false - schema: - default: 1 - example: 1 - minimum: 1 - type: integer - - description: The number of conversations to return per page. Default is 20. - in: query - name: per_page - required: false - schema: - default: 20 - example: 20 - minimum: 0 - type: integer - - description: >- - Whether to return conversations that the current user owns. If true, - only conversations owned by the user are returned. - in: query - name: is_owner - required: false - schema: - default: false - example: true - type: boolean - responses: - '200': - content: - application/json: - examples: - FindConversationsResponse200Example: - value: - data: - - category: assistant - createdAt: '2023-10-31T12:00:00Z' - createdBy: - id: user1 - name: John Doe - excludeFromLastConversationStorage: false - id: conv-abc123 - messages: [] - namespace: default - replacements: {} - title: Security Discussion - updatedAt: '2023-10-31T12:05:00Z' - users: - - id: user1 - name: John Doe - page: 1 - perPage: 20 - total: 5 - schema: - type: object - properties: - data: - description: A list of conversations. - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_ConversationResponse - type: array - page: - description: The current page of the results. 
- example: 1 - type: integer - perPage: - description: The number of results returned per page. - example: 20 - type: integer - total: - description: >- - The total number of conversations matching the filter - criteria. - example: 100 - type: integer - required: - - page - - perPage - - total - - data - description: >- - Successful response, returns a paginated list of conversations - matching the specified criteria. - '400': - content: - application/json: - examples: - FindConversationsResponse400Example: - value: - error: Bad Request - message: Invalid filter parameter. - statusCode: 400 - schema: - type: object - properties: - error: - example: Bad Request - type: string - message: - example: Invalid filter query parameter - type: string - statusCode: - example: 400 - type: number - description: Bad Request response. - summary: Get conversations - tags: - - Security AI Assistant API - - Conversations API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request GET 'http://localhost:5601/api/security_ai_assistant/current_user/conversations/_find?page=1&per_page=20' \ - --header "Authorization: $API_KEY" - /api/security_ai_assistant/current_user/conversations/{id}: - delete: - description: >- - Delete an existing conversation using the conversation ID. This endpoint - allows users to permanently delete a conversation. - operationId: DeleteConversation - parameters: - - description: The conversation's `id` value. 
- example: abc123 - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' - responses: - '200': - content: - application/json: - examples: - DeleteConversationResponse200Example: - value: - apiConfig: - actionTypeId: '67890' - connectorId: '12345' - category: assistant - createdAt: '2023-10-31T12:01:00Z' - createdBy: - id: user1 - name: John Doe - excludeFromLastConversationStorage: false - id: abc123 - messages: - - content: The conversation has been deleted. - role: system - timestamp: '2023-10-31T12:35:00Z' - namespace: default - replacements: {} - title: Deleted Security Discussion - updatedAt: '2023-10-31T12:01:00Z' - users: - - id: user1 - name: John Doe - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_ConversationResponse - description: >- - Indicates a successful call. The conversation was deleted - successfully. - '400': - content: - application/json: - examples: - DeleteConversationResponse400Example: - value: - error: Bad Request - message: Invalid conversation ID - statusCode: 400 - schema: - type: object - properties: - error: - example: Bad Request - type: string - message: - example: Invalid conversation ID - type: string - statusCode: - example: 400 - type: number - description: Bad Request response. - summary: Delete a conversation - tags: - - Security AI Assistant API - - Conversation API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request DELETE 'http://localhost:5601/api/security_ai_assistant/current_user/conversations/abc123' \ - --header "Authorization: $API_KEY" - get: - description: >- - Get the details of an existing conversation using the conversation ID. - This allows users to fetch the specific conversation data by its unique - ID. - operationId: ReadConversation - parameters: - - description: >- - The conversation's `id` value, a unique identifier for the - conversation. 
- example: abc123 - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' - responses: - '200': - content: - application/json: - examples: - ReadConversationResponse200Example: - value: - apiConfig: - actionTypeId: '67890' - connectorId: '12345' - category: assistant - createdAt: '2023-10-31T12:01:00Z' - createdBy: - id: user1 - name: John Doe - excludeFromLastConversationStorage: false - id: abc123 - messages: - - content: Hello, how can I assist you today? - role: system - timestamp: '2023-10-31T12:00:00Z' - namespace: default - replacements: {} - title: Security Discussion - updatedAt: '2023-10-31T12:01:00Z' - users: - - id: user1 - name: John Doe - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_ConversationResponse - description: Indicates a successful call. The conversation details are returned. - '400': - content: - application/json: - examples: - ReadConversationResponse400Example: - value: - error: Bad Request - message: Invalid conversation ID - statusCode: 400 - schema: - type: object - properties: - error: - example: Bad Request - type: string - message: - example: Invalid conversation ID - type: string - statusCode: - example: 400 - type: number - description: Bad Request response. - summary: Get a conversation - tags: - - Security AI Assistant API - - Conversations API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request GET 'http://localhost:5601/api/security_ai_assistant/current_user/conversations/abc123' \ - --header "Authorization: $API_KEY" - put: - description: >- - Update an existing conversation using the conversation ID. This endpoint - allows users to modify the details of an existing conversation. - operationId: UpdateConversation - parameters: - - description: The conversation's `id` value. 
- example: abc123 - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' - requestBody: - content: - application/json: - examples: - UpdateConversationRequest: - value: - apiConfig: - actionTypeId: '09876' - connectorId: '54321' - category: insights - excludeFromLastConversationStorage: true - messages: - - content: The issue was resolved. - role: assistant - timestamp: '2023-10-31T12:30:00Z' - replacements: {} - title: Updated Security Discussion - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_ConversationUpdateProps - required: true - responses: - '200': - content: - application/json: - examples: - UpdateConversationResponse200Example: - value: - apiConfig: - actionTypeId: '09876' - connectorId: '54321' - category: insights - createdAt: '2023-10-31T12:01:00Z' - createdBy: - id: user1 - name: John Doe - excludeFromLastConversationStorage: true - id: abc123 - messages: - - content: The issue was resolved. - role: assistant - timestamp: '2023-10-31T12:30:00Z' - namespace: default - replacements: {} - title: Updated Security Discussion - updatedAt: '2023-10-31T12:31:00Z' - users: - - id: user1 - name: John Doe - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_ConversationResponse - description: >- - Indicates a successful call. The conversation was updated - successfully. 
- '400': - content: - application/json: - examples: - UpdateConversationResponse400Example: - value: - error: Bad Request - message: 'Missing required field: title' - statusCode: 400 - schema: - type: object + type: array + required: + - '@timestamp' + - service + APM_UI_create_annotation_response: + type: object + properties: + _id: + description: Identifier + type: string + _index: + description: Index + type: string + _source: + description: Response + type: object + properties: + '@timestamp': + type: string + annotation: + type: object + properties: + title: + type: string + type: + type: string + event: + type: object + properties: + created: + type: string + message: + type: string + service: + type: object + properties: + environment: + type: string + name: + type: string + version: + type: string + tags: + items: + type: string + type: array + APM_UI_delete_agent_configurations_response: + type: object + properties: + result: + description: Result + type: string + APM_UI_delete_service_object: + description: Service + type: object + properties: + service: + $ref: '#/components/schemas/APM_UI_service_object' + required: + - service + APM_UI_search_agent_configuration_object: + type: object + properties: + error: + description: | + If provided, the agent configuration will be marked as error and `applied_by_agent` will be set to `false`. + This is useful for cases where the agent configuration was not applied successfully. + type: string + etag: + description: If etags match then `applied_by_agent` field will be set to `true` + example: 0bc3b5ebf18fba8163fe4c96f491e3767a358f85 + type: string + mark_as_applied_by_agent: + description: | + `markAsAppliedByAgent=true` means "force setting it to true regardless of etag". 
+ This is needed for Jaeger agent that doesn't have etags + type: boolean + service: + $ref: '#/components/schemas/APM_UI_service_object' + required: + - service + APM_UI_search_agent_configuration_response: + type: object + properties: + _id: + description: Identifier + type: string + _index: + description: Index + type: string + _score: + description: Score + type: number + _source: + $ref: '#/components/schemas/APM_UI_agent_configuration_object' + APM_UI_service_agent_name_response: + type: object + properties: + agentName: + description: Agent name + example: nodejs + type: string + APM_UI_service_environment_object: + type: object + properties: + alreadyConfigured: + description: Already configured + type: boolean + name: + description: Service environment name + example: ALL_OPTION_VALUE + type: string + APM_UI_service_environments_response: + type: object + properties: + environments: + description: Service environment list + items: + $ref: '#/components/schemas/APM_UI_service_environment_object' + type: array + APM_UI_service_object: + description: Service + type: object + properties: + environment: + description: The environment of the service. + example: prod + type: string + name: + description: The name of the service. + example: node + type: string + APM_UI_settings_object: + additionalProperties: + type: string + description: Agent configuration settings + type: object + APM_UI_single_agent_configuration_response: + allOf: + - type: object + properties: + id: + type: string + required: + - id + - $ref: '#/components/schemas/APM_UI_agent_configuration_object' + APM_UI_source_maps_response: + type: object + properties: + artifacts: + description: Artifacts + items: + allOf: + - type: object properties: - error: - example: Bad Request - type: string - message: - example: 'Missing required field: title' - type: string - statusCode: - example: 400 - type: number - description: Bad Request response. 
- summary: Update a conversation - tags: - - Security AI Assistant API - - Conversation API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request PUT 'http://localhost:5601/api/security_ai_assistant/current_user/conversations/abc123' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" \ - --data '{"title":"Updated Security Discussion","category":"insights","messages":[{"content":"Resolved.","role":"assistant","timestamp":"2023-10-31T12:30:00Z"}],"apiConfig":{"connectorId":"54321","actionTypeId":"09876"},"replacements":{},"excludeFromLastConversationStorage":true}' - /api/security_ai_assistant/knowledge_base: - get: - description: Read a single KB - operationId: GetKnowledgeBase - responses: - '200': - content: - application/json: - examples: - KnowledgeBaseReadResponse200Example2: - summary: >- - A response that returns information about the knowledge - base. - value: - defend_insights_exists: true - elser_exists: false - is_setup_available: true - is_setup_in_progress: true - product_documentation_status: installed - security_labs_exists: false - user_data_exists: true - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseReadResponse200 - description: Indicates a successful call. - '400': - content: - application/json: - examples: - GetKnowledgeBaseResponse400Example: - value: - error: Bad Request - message: Invalid resource ID provided. - statusCode: 400 - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400 - description: Bad Request response. - summary: Read a KnowledgeBase - tags: - - Security AI Assistant API - - KnowledgeBase API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request GET 'http://localhost:5601/api/security_ai_assistant/knowledge_base' \ - --header "Authorization: $API_KEY" - post: - description: >- - Create a knowledge base. 
Use this endpoint when no specific resource - identifier is needed. - operationId: PostKnowledgeBase - parameters: - - description: >- - ELSER modelId to use when setting up the Knowledge Base. If not - provided, a default model will be used. - example: elser-model-001 - in: query - name: modelId - required: false - schema: + body: + type: object + properties: + bundleFilepath: + type: string + serviceName: + type: string + serviceVersion: + type: string + sourceMap: + type: object + properties: + file: + type: string + mappings: + type: string + sourceRoot: + type: string + sources: + items: + type: string + type: array + sourcesContent: + items: + type: string + type: array + version: + type: number + - $ref: '#/components/schemas/APM_UI_base_source_map_object' + type: array + APM_UI_upload_source_map_object: + type: object + properties: + bundle_filepath: + description: The absolute path of the final bundle as used in the web application. + type: string + service_name: + description: The name of the service that the service map should apply to. + type: string + service_version: + description: The version of the service that the service map should apply to. + type: string + sourcemap: + description: | + The source map. It can be a string or file upload. It must follow the + [source map format specification](https://tc39.es/ecma426/). 
+ format: binary + type: string + required: + - service_name + - service_version + - bundle_filepath + - sourcemap + APM_UI_upload_source_maps_response: + allOf: + - type: object + properties: + body: + type: string + - $ref: '#/components/schemas/APM_UI_base_source_map_object' + Data_views_400_response: + title: Bad request + type: object + properties: + error: + example: Bad Request + type: string + message: + type: string + statusCode: + example: 400 + type: number + required: + - statusCode + - error + - message + Data_views_404_response: + type: object + properties: + error: + enum: + - Not Found + example: Not Found + type: string + message: + example: Saved object [index-pattern/caaad6d0-920c-11ed-b36a-874bd1548a00] not found + type: string + statusCode: + enum: + - 404 + example: 404 + type: integer + Data_views_allownoindex: + description: Allows the data view saved object to exist before the data is available. Defaults to `false`. + type: boolean + Data_views_create_data_view_request_object: + title: Create data view request + type: object + properties: + data_view: + description: The data view object. + type: object + properties: + allowNoIndex: + $ref: '#/components/schemas/Data_views_allownoindex' + fieldAttrs: + additionalProperties: + $ref: '#/components/schemas/Data_views_fieldattrs' + type: object + fieldFormats: + $ref: '#/components/schemas/Data_views_fieldformats' + fields: + type: object + id: + type: string + name: + description: The data view name. 
+ type: string + namespaces: + $ref: '#/components/schemas/Data_views_namespaces' + runtimeFieldMap: + additionalProperties: + $ref: '#/components/schemas/Data_views_runtimefieldmap' + type: object + sourceFilters: + $ref: '#/components/schemas/Data_views_sourcefilters' + timeFieldName: + $ref: '#/components/schemas/Data_views_timefieldname' + title: + $ref: '#/components/schemas/Data_views_title' + type: + $ref: '#/components/schemas/Data_views_type' + typeMeta: + $ref: '#/components/schemas/Data_views_typemeta' + version: + type: string + required: + - title + override: + default: false + description: Override an existing data view if a data view with the provided title already exists. + type: boolean + required: + - data_view + Data_views_data_view_response_object: + title: Data view response properties + type: object + properties: + data_view: + type: object + properties: + allowNoIndex: + $ref: '#/components/schemas/Data_views_allownoindex' + fieldAttrs: + additionalProperties: + $ref: '#/components/schemas/Data_views_fieldattrs' + type: object + fieldFormats: + $ref: '#/components/schemas/Data_views_fieldformats' + fields: + type: object + id: + example: ff959d40-b880-11e8-a6d9-e546fe2bba5f + type: string + name: + description: The data view name. + type: string + namespaces: + $ref: '#/components/schemas/Data_views_namespaces' + runtimeFieldMap: + additionalProperties: + $ref: '#/components/schemas/Data_views_runtimefieldmap' + type: object + sourceFilters: + $ref: '#/components/schemas/Data_views_sourcefilters' + timeFieldName: + $ref: '#/components/schemas/Data_views_timefieldname' + title: + $ref: '#/components/schemas/Data_views_title' + typeMeta: + $ref: '#/components/schemas/Data_views_typemeta_response' + version: + example: WzQ2LDJd + type: string + Data_views_fieldattrs: + description: A map of field attributes by field name. + type: object + properties: + count: + description: Popularity count for the field. 
+ type: integer + customDescription: + description: Custom description for the field. + maxLength: 300 + type: string + customLabel: + description: Custom label for the field. + type: string + Data_views_fieldformats: + description: A map of field formats by field name. + type: object + Data_views_namespaces: + description: An array of space identifiers for sharing the data view between multiple spaces. + items: + default: default + type: string + type: array + Data_views_runtimefieldmap: + description: A map of runtime field definitions by field name. + type: object + properties: + script: + type: object + properties: + source: + description: Script for the runtime field. + type: string + type: + description: Mapping type of the runtime field. + type: string + required: + - script + - type + Data_views_sourcefilters: + description: The array of field names you want to filter out in Discover. + items: + type: object + properties: + value: type: string - - description: >- - Indicates whether we should or should not install Security Labs docs - when setting up the Knowledge Base. Defaults to `false`. - example: true - in: query - name: ignoreSecurityLabs - required: false - schema: - default: false - type: boolean - responses: - '200': - content: - application/json: - examples: - KnowledgeBaseResponse200Example2: - summary: A response that indicates that the request was successful. - value: - success: true - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse - description: Indicates a successful call. - '400': - content: - application/json: - examples: - KnowledgeBaseResponse400Example2: - summary: >- - A response for a request that failed due to an invalid query - parameter value. - value: > - statusCode: 400 error: Bad Request message: "[request - query]: ignoreSecurityLabs: Invalid enum value. 
Expected - 'true' | 'false', received 'yes', ignoreSecurityLabs: - Expected boolean, received string" - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400 - description: Bad Request response. - summary: Create a KnowledgeBase - tags: - - Security AI Assistant API - - KnowledgeBase API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request POST 'http://localhost:5601/api/security_ai_assistant/knowledge_base?ignoreSecurityLabs=false' \ - --header "Authorization: $API_KEY" - /api/security_ai_assistant/knowledge_base/{resource}: - get: - description: Read a knowledge base with a specific resource identifier. - operationId: ReadKnowledgeBase - parameters: - - description: The KnowledgeBase `resource` value. - example: kb12345 - in: path - name: resource - required: true - schema: + required: + - value + type: array + Data_views_swap_data_view_request_object: + title: Data view reference swap request + type: object + properties: + delete: + description: Deletes referenced saved object if all references are removed. + type: boolean + forId: + description: Limit the affected saved objects to one or more by identifier. + oneOf: + - type: string + - items: + type: string + type: array + forType: + description: Limit the affected saved objects by type. + type: string + fromId: + description: The saved object reference to change. + type: string + fromType: + description: | + Specify the type of the saved object reference to alter. The default value is `index-pattern` for data views. + type: string + toId: + description: New saved object reference value to replace the old value. + type: string + required: + - fromId + - toId + Data_views_timefieldname: + description: The timestamp field name, which you use for time-based data views. + type: string + Data_views_title: + description: Comma-separated list of data streams, indices, and aliases that you want to search. Supports wildcards (`*`). 
+ type: string + Data_views_type: + description: When set to `rollup`, identifies the rollup data views. + type: string + Data_views_typemeta: + description: When you use rollup indices, contains the field list for the rollup data view API endpoints. + type: object + properties: + aggs: + description: A map of rollup restrictions by aggregation type and field name. + type: object + params: + description: Properties for retrieving rollup fields. + type: object + required: + - aggs + - params + Data_views_typemeta_response: + description: When you use rollup indices, contains the field list for the rollup data view API endpoints. + nullable: true + type: object + properties: + aggs: + description: A map of rollup restrictions by aggregation type and field name. + type: object + params: + description: Properties for retrieving rollup fields. + type: object + Data_views_update_data_view_request_object: + title: Update data view request + type: object + properties: + data_view: + description: | + The data view properties you want to update. Only the specified properties are updated in the data view. Unspecified fields stay as they are persisted. + type: object + properties: + allowNoIndex: + $ref: '#/components/schemas/Data_views_allownoindex' + fieldFormats: + $ref: '#/components/schemas/Data_views_fieldformats' + fields: + type: object + name: + type: string + runtimeFieldMap: + additionalProperties: + $ref: '#/components/schemas/Data_views_runtimefieldmap' + type: object + sourceFilters: + $ref: '#/components/schemas/Data_views_sourcefilters' + timeFieldName: + $ref: '#/components/schemas/Data_views_timefieldname' + title: + $ref: '#/components/schemas/Data_views_title' + type: + $ref: '#/components/schemas/Data_views_type' + typeMeta: + $ref: '#/components/schemas/Data_views_typemeta' + refresh_fields: + default: false + description: Reloads the data view fields after the data view is updated. 
+ type: boolean + required: + - data_view + Kibana_HTTP_APIs_action_id_response: + additionalProperties: false + properties: + actionId: + type: string + required: + - actionId + title: action_id_response + type: object + Kibana_HTTP_APIs_action_message_response: + additionalProperties: false + properties: + message: + type: string + required: + - message + title: action_message_response + type: object + Kibana_HTTP_APIs_agent_policy_response: + additionalProperties: false + properties: + advanced_settings: + additionalProperties: false + type: object + properties: + agent_download_target_directory: + nullable: true + agent_download_timeout: + nullable: true + agent_features_disable_policy_change_acks_enabled: + nullable: true + agent_internal: + nullable: true + agent_limits_go_max_procs: + nullable: true + agent_logging_files_interval: + nullable: true + agent_logging_files_keepfiles: + nullable: true + agent_logging_files_rotateeverybytes: + nullable: true + agent_logging_level: + nullable: true + agent_logging_metrics_period: + nullable: true + agent_logging_to_files: + nullable: true + agent_monitoring_runtime_experimental: + nullable: true + agent_features: + items: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + name: + type: string + required: + - name + - enabled + maxItems: 100 + type: array + agentless: + additionalProperties: false + type: object + properties: + cloud_connectors: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + target_csp: + enum: + - aws + - azure + - gcp + type: string + required: + - enabled + cluster_id: + type: string + resources: + additionalProperties: false + type: object + properties: + requests: + additionalProperties: false + type: object + properties: + cpu: + type: string + memory: + type: string + agents: + type: number + agents_per_version: + items: + additionalProperties: false + type: object + properties: + count: + type: number + version: + 
type: string + required: + - version + - count + maxItems: 1000 + type: array + created_at: + type: string + data_output_id: + nullable: true + type: string + description: + type: string + download_source_id: + nullable: true + type: string + fips_agents: + type: number + fleet_server_host_id: + nullable: true + type: string + global_data_tags: + description: User defined data tags that are added to all of the inputs. The values can be strings or numbers. + items: + additionalProperties: false + type: object + properties: + name: + type: string + value: + anyOf: + - type: string + - type: number + required: + - name + - value + maxItems: 100 + type: array + has_agent_version_conditions: + type: boolean + has_fleet_server: + type: boolean + id: + type: string + inactivity_timeout: + default: 1209600 + minimum: 0 + type: number + is_default: + type: boolean + is_default_fleet_server: + type: boolean + is_managed: + type: boolean + is_preconfigured: + type: boolean + is_protected: + description: Indicates whether the agent policy has tamper protection enabled. Defaults to `false`. 
+ type: boolean + is_verifier: + type: boolean + keep_monitoring_alive: + default: false + description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled + nullable: true + type: boolean + min_agent_version: + nullable: true + type: string + monitoring_diagnostics: + additionalProperties: false + type: object + properties: + limit: + additionalProperties: false + type: object + properties: + burst: + type: number + interval: + type: string + uploader: + additionalProperties: false + type: object + properties: + init_dur: + type: string + max_dur: + type: string + max_retries: + type: number + monitoring_enabled: + items: + enum: + - logs + - metrics + - traces type: string - responses: - '200': - content: - application/json: - examples: - KnowledgeBaseReadResponse200Example1: - summary: >- - A response that returns information about the knowledge - base. - value: - defend_insights_exists: true - elser_exists: false - is_setup_available: true - is_setup_in_progress: true - product_documentation_status: installed - security_labs_exists: false - user_data_exists: true - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseReadResponse200 - description: Indicates a successful call. - '400': - content: - application/json: - examples: - ReadKnowledgeBaseResponse400Example: - value: - error: Bad Request - message: Invalid resource ID provided. - statusCode: 400 - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400 - description: Bad Request response. - summary: Read a KnowledgeBase for a resource - tags: - - Security AI Assistant API - - KnowledgeBase API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request GET 'http://localhost:5601/api/security_ai_assistant/knowledge_base/kb12345' \ - --header "Authorization: $API_KEY" - post: - description: Create a knowledge base with a specific resource identifier. 
- operationId: CreateKnowledgeBase - parameters: - - description: The KnowledgeBase `resource` value. - example: kb12345 - in: path - name: resource - required: true - schema: + maxItems: 3 + type: array + monitoring_http: + additionalProperties: false + type: object + properties: + buffer: + additionalProperties: false + type: object + properties: + enabled: + default: false + type: boolean + enabled: + type: boolean + host: + type: string + port: + maximum: 65353 + minimum: 0 + type: number + monitoring_output_id: + nullable: true + type: string + monitoring_pprof_enabled: + type: boolean + name: + minLength: 1 + type: string + namespace: + minLength: 1 + type: string + overrides: + additionalProperties: + nullable: true + description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure. + nullable: true + type: object + package_agent_version_conditions: + items: + additionalProperties: false + type: object + properties: + name: + type: string + title: + type: string + version_condition: + type: string + required: + - name + - title + - version_condition + maxItems: 1000 + nullable: true + type: array + package_policies: + anyOf: + - items: + type: string + maxItems: 10000 + type: array + - description: This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the `?full=true` parameter + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_response' + maxItems: 10000 + type: array + required_versions: + items: + additionalProperties: false + type: object + properties: + percentage: + description: Target percentage of agents to auto upgrade + maximum: 100 + minimum: 0 + type: number + version: + description: Target version for automatic agent upgrade + type: string + required: + - version + - percentage + maxItems: 100 + nullable: true + type: array + 
revision: + type: number + schema_version: + type: string + space_ids: + items: type: string - - description: >- - ELSER modelId to use when setting up the Knowledge Base. If not - provided, a default model will be used. - example: elser-model-001 - in: query - name: modelId - required: false - schema: + maxItems: 100 + type: array + status: + enum: + - active + - inactive + type: string + supports_agentless: + default: false + description: Indicates whether the agent policy supports agentless integrations. + nullable: true + type: boolean + unenroll_timeout: + minimum: 0 + type: number + unprivileged_agents: + type: number + updated_at: + type: string + updated_by: + type: string + version: + type: string + required: + - id + - name + - namespace + - is_protected + - status + - updated_at + - updated_by + - revision + title: agent_policy_response + type: object + Kibana_HTTP_APIs_aiops_change_point_chart: + additionalProperties: false + description: Change point detection chart embeddable schema + properties: + aggregation_function: + default: avg + description: The aggregation function used to calculate the metric values. + enum: + - avg + - sum + - min + - max + type: string + data_view_id: + description: The data view ID used to run change point detection. + minLength: 1 + type: string + description: + type: string + hide_border: + type: boolean + hide_title: + type: boolean + max_series_to_plot: + default: 6 + description: The maximum number of change points to visualize. Defaults to 6. + maximum: 50 + minimum: 1 + type: number + metric_field: + description: The metric field used by the aggregation function. + minLength: 1 + type: string + partitions: + description: Optional split field values to include in the panel. + items: + minLength: 1 type: string - - description: >- - Indicates whether we should or should not install Security Labs docs - when setting up the Knowledge Base. Defaults to `false`. 
- example: true - in: query - name: ignoreSecurityLabs - required: false - schema: - default: false - type: boolean - responses: - '200': - content: - application/json: - examples: - KnowledgeBaseResponse200Example1: - summary: A response that indicates that the request was successful. - value: - success: true - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse - description: Indicates a successful call. - '400': - content: - application/json: - examples: - KnowledgeBaseResponse400Example1: - summary: >- - A response for a request that failed due to an invalid query - parameter value. - value: > - statusCode: 400 error: Bad Request message: "[request - query]: ignoreSecurityLabs: Invalid enum value. Expected - 'true' | 'false', received 'yes', ignoreSecurityLabs: - Expected boolean, received string" - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400 - description: Bad Request response. - summary: Create a KnowledgeBase for a resource - tags: - - Security AI Assistant API - - KnowledgeBase API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request POST 'http://localhost:5601/api/security_ai_assistant/knowledge_base/kb12345?ignoreSecurityLabs=false' \ - --header "Authorization: $API_KEY" - /api/security_ai_assistant/knowledge_base/entries: - post: - description: Create a Knowledge Base Entry - operationId: CreateKnowledgeBaseEntry - requestBody: - content: - application/json: - examples: - CreateKnowledgeBaseEntryRequest: - value: - kbResource: user - name: How to reset a password - source: manual - text: >- - To reset your password, go to the settings page and click - 'Reset Password'. 
- type: document - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryCreateProps - required: true - responses: - '200': - content: - application/json: - examples: - CreateKnowledgeBaseEntryResponse200Example: - value: - createdAt: '2024-01-15T10:00:00.000Z' - createdBy: user@example.com - global: false - id: '12345' - kbResource: user - name: How to reset a password - namespace: default - source: manual - text: >- - To reset your password, go to the settings page and click - 'Reset Password'. - type: document - updatedAt: '2024-01-15T10:00:00.000Z' - updatedBy: user@example.com - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse - description: Successful request returning Knowledge Base Entries - '400': - content: - application/json: - examples: - CreateKnowledgeBaseEntryResponse400Example: - value: - error: Invalid input - message: The 'name' field is required. - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema - description: Bad Request response. - summary: Create a Knowledge Base Entry - tags: - - Security AI Assistant API - - Knowledge Base Entries API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request POST 'http://localhost:5601/api/security_ai_assistant/knowledge_base/entries' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" \ - --data '{"name":"How to reset a password","type":"document","kbResource":"user","source":"manual","text":"To reset your password, go to the settings page and click Reset Password."}' - /api/security_ai_assistant/knowledge_base/entries/_bulk_action: - post: - description: >- - The bulk action is applied to all Knowledge Base Entries that match the - filter or to the list of Knowledge Base Entries by their IDs. 
- operationId: PerformKnowledgeBaseEntryBulkAction - requestBody: - content: - application/json: - examples: - PerformKnowledgeBaseEntryBulkActionRequest: - value: - create: - - kbResource: user - name: New Entry - source: manual - text: This is the content of the new entry. - type: document - delete: - ids: - - '789' - update: - - id: '123' - kbResource: user - name: Updated Entry - source: manual - text: Updated content. - type: document - schema: + maxItems: 10000 + type: array + split_field: + description: The optional field used to split change point results. + minLength: 1 + type: string + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + view_type: + default: charts + description: The type of change point detection view to display. + enum: + - charts + - table + type: string + required: + - data_view_id + - metric_field + title: aiops_change_point_chart + type: object + Kibana_HTTP_APIs_alerts_filter_query: + additionalProperties: false + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter that can be applied to a specific application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. 
+ nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + title: alerts_filter_query + type: object + Kibana_HTTP_APIs_apm-anomaly-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false type: object properties: - create: - description: List of Knowledge Base Entries to create. - example: - - kbResource: user - name: New Entry - source: manual - text: This is the content of the new entry. - type: document - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryCreateProps - type: array - delete: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want the rule to run on an interval basis after it is created. 
+ type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how frequently rule actions are triggered. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the APM anomaly rule. These parameters are appropriate when `rule_type_id` is `apm.anomaly"`. + properties: + anomalyDetectorTypes: + description: The types of anomalies that are detected. For example, detect abnormal latency, throughput, or failed transaction rates. + items: + enum: + - txLatency + - txThroughput + - txFailureRate + type: string + minItems: 1 + type: array + anomalySeverityType: + description: 'The severity of anomalies that result in an alert: critical, major, minor, or warning.' + enum: + - critical + - major + - minor + - warning + type: string + environment: + description: The environment from APM. + type: string + serviceName: + description: The service name from APM. + type: string + transactionType: + description: The transaction type from APM. 
+ type: string + windowSize: + description: The size of the time window (in `windowUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection. + type: number + windowUnit: + description: 'The type of units for the time window: minutes, hours, or days.' + type: string + required: + - windowSize + - windowUnit + - environment + - anomalySeverityType + title: APM Anomaly Rule Params + type: object + rule_type_id: + enum: + - apm.anomaly + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how frequently rule actions are triggered. You cannot specify the throttle interval at both the rule and action level. If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: APM anomaly + type: object + Kibana_HTTP_APIs_apm-error-rate-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. 
+ type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want the rule to run on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how frequently rule actions are triggered. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the error count rule. 
These parameters are appropriate when `rule_type_id` is `apm.error_rate`. + properties: + environment: + description: Filter the errors coming from your application to apply the rule to a specific environment. + type: string + errorGroupingKey: + description: Filter the errors coming from your application to apply the rule to a specific error grouping key, which is a hash of the stack trace and other properties. + type: string + groupBy: + items: + description: Perform a composite aggregation against the selected fields. When any of these groups match the selected rule conditions, an alert is triggered per group. + type: string + type: array + searchConfiguration: + additionalProperties: false + type: object + properties: + query: + additionalProperties: false type: object properties: - ids: - description: Array of Knowledge Base Entry IDs. - example: - - '123' - - '456' - - '789' - items: - type: string - minItems: 1 - type: array - query: - description: Query to filter Knowledge Base Entries. - example: status:active AND category:technology + language: type: string - update: - description: List of Knowledge Base Entries to update. - example: - - id: '123' - kbResource: user - name: Updated Entry - source: manual - text: Updated content. - type: document - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryUpdateProps - type: array - responses: - '200': - content: - application/json: - examples: - PerformKnowledgeBaseEntryBulkActionResponse200Example: - value: - attributes: - results: - created: - - createdAt: '2024-01-15T10:00:00.000Z' - createdBy: user@example.com - global: false - id: '456' - kbResource: user - name: New Entry - namespace: default - source: manual - text: This is the content of the new entry. 
- type: document - updatedAt: '2024-01-15T10:00:00.000Z' - updatedBy: user@example.com - deleted: - - '789' - skipped: [] - updated: - - createdAt: '2024-01-14T09:00:00.000Z' - createdBy: user@example.com - global: false - id: '123' - kbResource: user - name: Updated Entry - namespace: default - source: manual - text: Updated content. - type: document - updatedAt: '2024-01-15T10:00:00.000Z' - updatedBy: user@example.com - summary: - failed: 0 - skipped: 0 - succeeded: 3 - total: 3 - knowledgeBaseEntriesCount: 3 - message: Bulk action completed successfully. - statusCode: 200 - success: true - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionResponse - description: Successful bulk operation request - '400': - content: - application/json: - examples: - PerformKnowledgeBaseEntryBulkActionResponse400Example: - value: - error: Bad Request - message: Invalid request body. - statusCode: 400 - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema - description: Bad Request response. - summary: Applies a bulk action to multiple Knowledge Base Entries - tags: - - Security AI Assistant API - - Knowledge Base Entries Bulk API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request POST 'http://localhost:5601/api/security_ai_assistant/knowledge_base/entries/_bulk_action' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" \ - --data '{"create":[{"name":"Runbook","type":"document","kbResource":"user","source":"manual","text":"Steps to triage an alert."}]}' - /api/security_ai_assistant/knowledge_base/entries/_find: - get: - description: Finds Knowledge Base Entries that match the given query. - operationId: FindKnowledgeBaseEntries - parameters: - - description: >- - A list of fields to include in the response. If not provided, all - fields will be included. 
- in: query - name: fields - required: false - schema: - example: - - name - - created_at - items: + query: + anyOf: + - type: string + - additionalProperties: + nullable: true + type: object + required: + - query + - language + required: + - query + serviceName: + description: Filter the errors coming from your application to apply the rule to a specific service. type: string - type: array - - description: Search query to filter Knowledge Base Entries by specific criteria. - in: query - name: filter - required: false - schema: - example: error handling + threshold: + description: The number of errors, which is the threshold for alerts. + type: number + useKqlFilter: + description: A filter in Kibana Query Language (KQL) that limits the scope of the rule. + type: boolean + windowSize: + description: The time frame in which the errors must occur (in `windowUnit` units). Generally it should be a value higher than the rule check interval to avoid gaps in detection. + type: number + windowUnit: + description: 'The type of units for the time window: minutes, hours, or days.' + type: string + required: + - windowSize + - windowUnit + - threshold + - environment + title: Error Count Rule Params + type: object + rule_type_id: + enum: + - apm.error_rate + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: type: string - - description: Field to sort the Knowledge Base Entries by. - in: query - name: sort_field - required: false - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_FindKnowledgeBaseEntriesSortField - example: created_at - - description: Sort order for the results, either asc or desc. 
- in: query - name: sort_order - required: false - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' - example: asc - - description: Page number for paginated results. Defaults to 1. - in: query - name: page - required: false - schema: - default: 1 - example: 2 - minimum: 1 - type: integer - - description: Number of Knowledge Base Entries to return per page. Defaults to 20. - in: query - name: per_page - required: false - schema: - default: 20 - example: 10 - minimum: 0 - type: integer - responses: - '200': - content: - application/json: - examples: - FindKnowledgeBaseEntriesResponse200Example: - value: - data: - - createdAt: '2024-01-15T10:00:00.000Z' - createdBy: user@example.com - global: false - id: '12345' - kbResource: user - name: How to reset a password - namespace: default - source: manual - text: >- - To reset your password, go to the settings page and - click 'Reset Password'. - type: document - updatedAt: '2024-01-15T10:00:00.000Z' - updatedBy: user@example.com - page: 1 - perPage: 20 - total: 100 - schema: + type: array + throttle: + description: Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how frequently rule actions are triggered. You cannot specify the throttle interval at both the rule and action level. If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. 
+ nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Error rate + type: object + Kibana_HTTP_APIs_apm-service-map-embeddable: + additionalProperties: false + description: APM service map embeddable schema + properties: + description: + type: string + environment: + default: ENVIRONMENT_ALL + type: string + hide_border: + type: boolean + hide_title: + type: boolean + kuery: + type: string + service_group_id: + type: string + service_name: + type: string + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + title: apm-service-map-embeddable + type: object + Kibana_HTTP_APIs_apm-transaction-duration-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false type: object properties: - data: - description: The list of Knowledge Base Entries for the current page. - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse - type: array - page: - description: The current page number. - example: 1 - type: integer - perPage: - description: The number of Knowledge Base Entries returned per page. - example: 20 - type: integer - total: - description: The total number of Knowledge Base Entries available. 
- example: 100 - type: integer + id: + type: string required: - - page - - perPage - - total - - data - description: Successful response containing the paginated Knowledge Base Entries. - '400': - content: - application/json: - examples: - FindKnowledgeBaseEntriesResponse400Example: - value: - error: Bad Request - message: 'Invalid query parameter: sort_order' - statusCode: 400 - schema: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want the rule to run on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how frequently rule actions are triggered. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' 
+ enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the transaction duration rule. These parameters are appropriate when `rule_type_id` is `apm.transaction_duration`. + properties: + aggregationType: + description: The type of aggregation to perform. + enum: + - avg + - 95th + - 99th + type: string + environment: + description: Filter the rule to apply to a specific environment. + type: string + groupBy: + items: + description: Perform a composite aggregation against the selected fields. When any of these groups match the selected rule conditions, an alert is triggered per group. + type: string + type: array + searchConfiguration: + additionalProperties: false + type: object + properties: + query: + additionalProperties: false + type: object + properties: + language: + type: string + query: + anyOf: + - type: string + - additionalProperties: + nullable: true + type: object + required: + - query + - language + required: + - query + serviceName: + description: Filter the rule to apply to a specific service. + type: string + threshold: + description: The latency threshold value. + type: number + transactionName: + description: Filter the rule to apply to a specific transaction name. + type: string + transactionType: + description: Filter the rule to apply to a specific transaction type. + type: string + useKqlFilter: + description: A Kibana Query Language (KQL) expression thats limits the scope of alerts. + type: boolean + windowSize: + description: The size of the time window (in `windowUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection. + type: number + windowUnit: + description: 'The type of units for the time window. For example: minutes, hours, or days.' 
+ type: string + required: + - windowSize + - windowUnit + - threshold + - aggregationType + - environment + title: Transaction Duration Rule Params + type: object + rule_type_id: + enum: + - apm.transaction_duration + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how frequently rule actions are triggered. You cannot specify the throttle interval at both the rule and action level. If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Transaction duration + type: object + Kibana_HTTP_APIs_apm-transaction-error-rate-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false type: object properties: - error: - description: A short description of the error. 
- example: Bad Request - type: string - message: - description: A detailed message explaining the error. - example: 'Invalid query parameter: sort_order' + id: type: string - statusCode: - description: The HTTP status code of the error. - example: 400 - type: number - description: Bad Request response. - summary: Finds Knowledge Base Entries that match the given query. - tags: - - Security AI Assistant API - - Knowledge Base Entries API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request GET 'http://localhost:5601/api/security_ai_assistant/knowledge_base/entries/_find?page=1&per_page=20' \ - --header "Authorization: $API_KEY" - /api/security_ai_assistant/knowledge_base/entries/{id}: - delete: - description: Delete a Knowledge Base Entry by its unique `id`. - operationId: DeleteKnowledgeBaseEntry - parameters: - - description: The unique identifier (`id`) of the Knowledge Base Entry to delete. - example: '12345' - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' - responses: - '200': - content: - application/json: - examples: - DeleteKnowledgeBaseEntryResponse200Example: - value: - id: '12345' - message: Knowledge Base Entry successfully deleted. - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_DeleteResponseFields - description: >- - Successful request returning the `id` of the deleted Knowledge Base - Entry. - '400': - content: - application/json: - examples: - DeleteKnowledgeBaseEntryResponse400Example: - value: - error: Not Found - message: No Knowledge Base Entry found with the provided `id`. - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema - description: Bad Request response. 
- summary: Deletes a single Knowledge Base Entry using the `id` field - tags: - - Security AI Assistant API - - Knowledge Base Entries API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request DELETE 'http://localhost:5601/api/security_ai_assistant/knowledge_base/entries/12345' \ - --header "Authorization: $API_KEY" - get: - description: Retrieve a Knowledge Base Entry by its unique `id`. - operationId: ReadKnowledgeBaseEntry - parameters: - - description: >- - The unique identifier (`id`) of the Knowledge Base Entry to - retrieve. - example: '12345' - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' - responses: - '200': - content: - application/json: - examples: - ReadKnowledgeBaseEntryResponse200Example: - value: - createdAt: '2024-01-15T10:00:00.000Z' - createdBy: user@example.com - global: false - id: '12345' - kbResource: user - name: How to reset a password - namespace: default - source: manual - text: >- - To reset your password, go to the settings page and click - 'Reset Password'. - type: document - updatedAt: '2024-01-15T10:00:00.000Z' - updatedBy: user@example.com - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse - description: Successful request returning the requested Knowledge Base Entry. - '400': - content: - application/json: - examples: - ReadKnowledgeBaseEntryResponse400Example: - value: - error: Not Found - message: No Knowledge Base Entry found with the provided `id`. - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema - description: Bad Request response. 
- summary: Read a Knowledge Base Entry - tags: - - Security AI Assistant API - - Knowledge Base Entries API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request GET 'http://localhost:5601/api/security_ai_assistant/knowledge_base/entries/12345' \ - --header "Authorization: $API_KEY" - put: - description: Update an existing Knowledge Base Entry by its unique `id`. - operationId: UpdateKnowledgeBaseEntry - parameters: - - description: The unique identifier (`id`) of the Knowledge Base Entry to update. - example: '12345' - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' - requestBody: - content: - application/json: - examples: - UpdateKnowledgeBaseEntryRequest: - value: - kbResource: user - name: How to reset a password (updated) - source: manual - text: >- - Updated: go to settings and click Reset Password, then - follow the on-screen instructions. - type: document - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryUpdateRouteProps - required: true - responses: - '200': - content: - application/json: - examples: - UpdateKnowledgeBaseEntryResponse200Example: - value: - createdAt: '2024-01-15T10:00:00.000Z' - createdBy: user@example.com - global: false - id: '12345' - kbResource: user - name: How to reset a password (updated) - namespace: default - source: manual - text: >- - Updated: go to settings and click Reset Password, then - follow the on-screen instructions. - type: document - updatedAt: '2024-01-15T10:05:00.000Z' - updatedBy: user@example.com - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse - description: Successful request returning the updated Knowledge Base Entry. - '400': - content: - application/json: - examples: - UpdateKnowledgeBaseEntryResponse400Example: - value: - error: Invalid input - message: The 'text' field cannot be empty. 
- schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema - description: Bad Request response. - summary: Update a Knowledge Base Entry - tags: - - Security AI Assistant API - - Knowledge Base Entries API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request PUT 'http://localhost:5601/api/security_ai_assistant/knowledge_base/entries/12345' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" \ - --data '{"name":"How to reset a password (updated)","type":"document","kbResource":"user","source":"manual","text":"Updated: go to settings and click Reset Password, then follow the on-screen instructions."}' - /api/security_ai_assistant/prompts/_bulk_action: - post: - description: >- - Apply a bulk action to multiple prompts. The bulk action is applied to - all prompts that match the filter or to the list of prompts by their - IDs. This action allows for bulk create, update, or delete operations. - operationId: PerformPromptsBulkAction - requestBody: - content: - application/json: - examples: - PerformPromptsBulkActionRequest: - value: - create: - - content: Please verify the security settings. - name: New Security Prompt - promptType: system - delete: - ids: - - prompt1 - - prompt2 - update: - - content: Updated content for security prompt. - id: prompt123 - schema: + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false type: object properties: - create: - description: List of prompts to be created. - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_PromptCreateProps - type: array - delete: - description: Criteria for deleting prompts in bulk. + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. 
For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want the rule to run on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how frequently rule actions are triggered. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the transaction error rate rule. These parameters are appropriate when `rule_type_id` is `apm.transaction_error_rate`. + properties: + environment: + type: string + groupBy: + items: + type: string + type: array + searchConfiguration: + additionalProperties: false + type: object + properties: + query: + additionalProperties: false type: object properties: - ids: - description: Array of IDs to apply the action to. 
- example: - - '1234' - - '5678' - items: - type: string - minItems: 1 - type: array - query: - description: Query to filter the bulk action. - example: 'status: ''inactive''' + language: type: string - update: - description: List of prompts to be updated. - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_PromptUpdateProps - type: array - responses: - '200': - content: - application/json: - examples: - success: - value: - attributes: - errors: [] - results: - created: - - content: Please verify the security settings. - id: prompt6 - name: New Security Prompt - promptType: system - deleted: - - prompt2 - - prompt3 - skipped: - - id: prompt4 - name: Security Prompt - skip_reason: PROMPT_FIELD_NOT_MODIFIED - updated: - - content: Updated security settings prompt - id: prompt1 - name: Security Prompt - promptType: system - summary: - failed: 0 - skipped: 1 - succeeded: 4 - total: 5 - message: Bulk action completed successfully. - prompts_count: 5 - status_code: 200 - success: true - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_PromptsBulkCrudActionResponse - description: Indicates a successful call with the results of the bulk action. - '400': - content: - application/json: - examples: - PerformPromptsBulkActionResponse400Example: - value: - error: Bad Request - message: Invalid prompt ID or missing required fields. 
- statusCode: 400 - schema: + query: + anyOf: + - type: string + - additionalProperties: + nullable: true + type: object + required: + - query + - language + required: + - query + serviceName: + type: string + threshold: + type: number + transactionName: + type: string + transactionType: + type: string + useKqlFilter: + type: boolean + windowSize: + type: number + windowUnit: + type: string + required: + - windowSize + - windowUnit + - threshold + - environment + title: Transaction Error Rate Rule Params + type: object + rule_type_id: + enum: + - apm.transaction_error_rate + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how frequently rule actions are triggered. You cannot specify the throttle interval at both the rule and action level. If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. 
+ nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Transaction error rate + type: object + Kibana_HTTP_APIs_autoColor: + additionalProperties: false + description: Coloring determined at runtime based on chart defaults + properties: + type: + enum: + - auto + type: string + required: + - type + title: Auto Color + type: object + Kibana_HTTP_APIs_backfill_error_response: + additionalProperties: false + properties: + error: + additionalProperties: false + type: object + properties: + message: + type: string + rule: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + required: + - id + status: + type: number + required: + - message + - rule + required: + - error + title: backfill_error_response + type: object + Kibana_HTTP_APIs_backfill_response: + additionalProperties: false + properties: + created_at: + type: string + duration: + type: string + enabled: + type: boolean + end: + type: string + id: + type: string + initiator: + enum: + - user + - system + type: string + initiator_id: + type: string + rule: + additionalProperties: false + type: object + properties: + api_key_created_by_user: + nullable: true + type: boolean + api_key_owner: + nullable: true + type: string + consumer: + type: string + created_at: + type: string + created_by: + nullable: true + type: string + enabled: + type: boolean + id: + type: string + name: + type: string + params: + additionalProperties: + nullable: true + description: The parameters for the rule. 
+ type: object + revision: + type: number + rule_type_id: + type: string + schedule: + additionalProperties: false + type: object + properties: + interval: + type: string + required: + - interval + tags: + items: + type: string + type: array + updated_at: + type: string + updated_by: + nullable: true + type: string + required: + - id + - name + - tags + - rule_type_id + - params + - api_key_owner + - consumer + - enabled + - schedule + - created_by + - updated_by + - created_at + - updated_at + - revision + schedule: + items: + additionalProperties: false + type: object + properties: + interval: + type: string + run_at: + type: string + status: + enum: + - complete + - pending + - running + - error + - timeout + type: string + required: + - run_at + - status + - interval + type: array + space_id: + type: string + start: + type: string + status: + enum: + - complete + - pending + - running + - error + - timeout + type: string + required: + - id + - created_at + - duration + - enabled + - rule + - space_id + - initiator + - start + - status + - schedule + title: backfill_response + type: object + Kibana_HTTP_APIs_bulk_delete_enrollment_api_keys_request: + additionalProperties: false + properties: + forceDelete: + default: false + description: When false (default), invalidate the API key and mark the token as inactive. When true, also delete the token document. + type: boolean + includeHidden: + default: false + description: When true, allow deletion of hidden enrollment tokens (managed/agentless policies). Defaults to false. + type: boolean + kuery: + description: KQL query to select enrollment tokens to delete. + type: string + tokenIds: + description: List of enrollment token IDs to delete. 
+ items: + type: string + maxItems: 10000 + type: array + title: bulk_delete_enrollment_api_keys_request + type: object + Kibana_HTTP_APIs_bulk_delete_enrollment_api_keys_response: + additionalProperties: false + properties: + action: + type: string + count: + type: number + errorCount: + type: number + successCount: + type: number + required: + - action + - count + - successCount + - errorCount + title: bulk_delete_enrollment_api_keys_response + type: object + Kibana_HTTP_APIs_bulk_get_agent_policies_response: + additionalProperties: false + properties: + items: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_agent_policy_response' + maxItems: 10000 + type: array + required: + - items + title: bulk_get_agent_policies_response + type: object + Kibana_HTTP_APIs_bulk_get_package_policies_response: + additionalProperties: false + properties: + items: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_response' + maxItems: 10000 + type: array + required: + - items + title: bulk_get_package_policies_response + type: object + Kibana_HTTP_APIs_bulk_install_packages_from_registry_request: + additionalProperties: false + properties: + force: + default: false + type: boolean + packages: + items: + anyOf: + - type: string + - additionalProperties: false type: object properties: - error: - description: A short error message. - example: Bad Request + name: type: string - message: - description: A detailed error message. - example: Invalid prompt ID or missing required fields. + prerelease: + type: boolean + version: type: string - statusCode: - description: The HTTP status code for the error. - example: 400 - type: number - description: Bad Request response. 
- summary: Apply a bulk action to prompts - tags: - - Security AI Assistant API - - Bulk API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request POST 'http://localhost:5601/api/security_ai_assistant/prompts/_bulk_action' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" \ - --data '{"delete":{"query":"name: test","ids":[]}}' - /api/security_ai_assistant/prompts/_find: - get: - description: >- - Get a list of all prompts based on optional filters, sorting, and - pagination. - operationId: FindPrompts - parameters: - - description: List of specific fields to include in each returned prompt. - in: query - name: fields - required: false - schema: - example: - - id - - name - - content - items: + required: + - name + - version + maxItems: 1000 + minItems: 1 + type: array + required: + - packages + title: bulk_install_packages_from_registry_request + type: object + Kibana_HTTP_APIs_bulk_install_packages_from_registry_response: + additionalProperties: false + properties: + items: + items: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_install_packages_response_item_success' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_install_packages_response_item_error' + maxItems: 10000 + type: array + required: + - items + title: bulk_install_packages_from_registry_response + type: object + Kibana_HTTP_APIs_bulk_install_packages_response_item_error: + additionalProperties: false + properties: + error: + anyOf: + - type: string + - nullable: true + name: + type: string + statusCode: + type: number + required: + - name + - statusCode + title: bulk_install_packages_response_item_error + type: object + Kibana_HTTP_APIs_bulk_install_packages_response_item_success: + additionalProperties: false + properties: + name: + type: string + result: + additionalProperties: false + type: object + properties: + assets: + items: + anyOf: + - $ref: 
'#/components/schemas/Kibana_HTTP_APIs_kibana_asset_reference' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_es_asset_reference' + maxItems: 10000 + type: array + error: + nullable: true + installSource: type: string - type: array - - description: Search query string to filter prompts by matching fields. - in: query - name: filter - required: false - schema: - example: error handling + installType: + type: string + status: + enum: + - installed + - already_installed + type: string + required: + - error + - installType + version: + type: string + required: + - name + - version + - result + title: bulk_install_packages_response_item_success + type: object + Kibana_HTTP_APIs_bulk_namespace_customization_request: + additionalProperties: false + properties: + disable: + description: Namespaces to disable namespace-level customization for on each package. + items: type: string - - description: Field to sort prompts by. - in: query - name: sort_field - required: false - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_FindPromptsSortField - - description: Sort order, either asc or desc. - in: query - name: sort_order - required: false - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' - - description: Page number for pagination. - in: query - name: page - required: false - schema: - default: 1 - example: 1 - minimum: 1 - type: integer - - description: Number of prompts per page. - in: query - name: per_page - required: false - schema: - default: 20 - example: 20 - minimum: 0 - type: integer - responses: - '200': - content: - application/json: - examples: - FindPromptsResponse200Example: - value: - data: - - categories: - - troubleshooting - - logging - color: '#FF5733' - consumer: security - content: If you encounter an error, check the logs and retry. 
- createdAt: '2025-04-20T21:00:00Z' - createdBy: jdoe - id: prompt-123 - isDefault: true - isNewConversationDefault: false - name: Error Troubleshooting Prompt - namespace: default - promptType: standard - timestamp: '2025-04-30T22:30:00Z' - updatedAt: '2025-04-30T22:45:00Z' - updatedBy: jdoe - users: - - full_name: John Doe - username: jdoe - page: 1 - perPage: 20 - total: 142 - schema: - example: - data: - - categories: - - troubleshooting - - logging - color: '#FF5733' - consumer: security - content: If you encounter an error, check the logs and retry. - createdAt: '2025-04-20T21:00:00Z' - createdBy: jdoe - id: prompt-123 - isDefault: true - isNewConversationDefault: false - name: Error Troubleshooting Prompt - namespace: default - promptType: standard - timestamp: '2025-04-30T22:30:00Z' - updatedAt: '2025-04-30T22:45:00Z' - updatedBy: jdoe - users: - - full_name: John Doe - username: jdoe - page: 1 - perPage: 20 - total: 142 - type: object - properties: - data: - description: >- - The list of prompts returned based on the search query, - sorting, and pagination. - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_PromptResponse - type: array - page: - description: Current page number. - example: 1 - type: integer - perPage: - description: Number of prompts per page. - example: 20 - type: integer - total: - description: Total number of prompts matching the query. - example: 142 - type: integer - required: - - page - - perPage - - total - - data - description: Successful response containing a list of prompts. - '400': - content: - application/json: - examples: - FindPromptsResponse400Example: - value: - error: Bad Request - message: Invalid sort order value provided. - statusCode: 400 - schema: + maxItems: 100 + type: array + enable: + description: Namespaces to enable namespace-level customization for on each package. 
+ items: + type: string + maxItems: 100 + type: array + packages: + description: Package names to apply the customization changes to. + items: + type: string + maxItems: 1000 + minItems: 1 + type: array + required: + - packages + title: bulk_namespace_customization_request + type: object + Kibana_HTTP_APIs_bulk_namespace_customization_response: + additionalProperties: false + properties: + items: + items: + additionalProperties: false + type: object + properties: + error: + type: string + name: + type: string + namespace_customization_enabled_for: + description: 'The opt-in list on the package. Returned whenever the package is installed: the new list on success, or the unchanged list when the request is rejected (for example, because of a namespace-prefix restriction).' + items: + type: string + maxItems: 100 + type: array + success: + type: boolean + required: + - name + - success + maxItems: 1000 + type: array + required: + - items + title: bulk_namespace_customization_response + type: object + Kibana_HTTP_APIs_bulk_rollback_packages_request: + additionalProperties: false + properties: + packages: + items: + additionalProperties: false + type: object + properties: + name: + description: Package name to rollback + type: string + required: + - name + maxItems: 1000 + minItems: 1 + type: array + required: + - packages + title: bulk_rollback_packages_request + type: object + Kibana_HTTP_APIs_bulk_rollback_packages_response: + additionalProperties: false + properties: + taskId: + type: string + required: + - taskId + title: bulk_rollback_packages_response + type: object + Kibana_HTTP_APIs_bulk_uninstall_packages_request: + additionalProperties: false + properties: + force: + default: false + type: boolean + packages: + items: + additionalProperties: false + type: object + properties: + name: + type: string + version: + type: string + required: + - name + - version + maxItems: 1000 + minItems: 1 + type: array + required: + - packages + title: 
bulk_uninstall_packages_request + type: object + Kibana_HTTP_APIs_bulk_upgrade_packages_request: + additionalProperties: false + properties: + force: + default: false + type: boolean + packages: + items: + additionalProperties: false + type: object + properties: + name: + type: string + version: + type: string + required: + - name + maxItems: 1000 + minItems: 1 + type: array + prerelease: + type: boolean + upgrade_package_policies: + default: false + type: boolean + required: + - packages + title: bulk_upgrade_packages_request + type: object + Kibana_HTTP_APIs_bulk_upgrade_packages_response: + additionalProperties: false + properties: + taskId: + type: string + required: + - taskId + title: bulk_upgrade_packages_response + type: object + Kibana_HTTP_APIs_byteFormat: + additionalProperties: false + description: Data size format in bits or bytes, with optional decimal places and suffix. + properties: + decimals: + default: 2 + description: Number of decimal places to display. + type: number + suffix: + description: Suffix appended to the formatted value. + type: string + type: + description: 'Data size unit: `bits` or `bytes`.' + enum: + - bits + - bytes + type: string + required: + - type + title: Byte Format + type: object + Kibana_HTTP_APIs_categoricalColorMapping: + additionalProperties: false + description: Palette color assignment for specific categorical values. Unmapped values receive the unassigned color. 
+ properties: + mapping: + items: + additionalProperties: false + type: object + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorFromPalette' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_color_code' + values: + items: + anyOf: + - type: string + - type: number + - $ref: '#/components/schemas/Kibana_HTTP_APIs_range_key' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_multi_field_key' + maxItems: 1000 + type: array + required: + - values + - color + maxItems: 1000 + type: array + mode: + enum: + - categorical + type: string + palette: + description: 'Color palette name. Accepted values: ''default'', ''elastic_line_optimized'', ''severity'', ''eui_amsterdam'', ''kibana_v7_legacy'', ''elastic_brand_2023''. Defaults to `default`.' + type: string + unassigned: + $ref: '#/components/schemas/Kibana_HTTP_APIs_unassignedColorSchema' + required: + - mode + - palette + - mapping + title: Categorical Color Mapping + type: object + Kibana_HTTP_APIs_category_summary_item: + additionalProperties: false + properties: + count: + type: number + id: + type: string + parent_id: + type: string + parent_title: + type: string + title: + type: string + required: + - id + - title + - count + title: category_summary_item + type: object + Kibana_HTTP_APIs_ClassicFieldDefinition: + additionalProperties: + $ref: '#/components/schemas/Kibana_HTTP_APIs_ClassicFieldDefinitionConfig' + type: object + Kibana_HTTP_APIs_ClassicFieldDefinitionConfig: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_RecursiveRecord' + - anyOf: + - additionalProperties: false + type: object + properties: + description: + type: string + format: + description: A non-empty string. 
+ minLength: 1 + type: string + type: + enum: + - keyword + - match_only_text + - long + - double + - date + - boolean + - ip + - geo_point + - integer + - short + - byte + - float + - half_float + - text + - wildcard + - version + - unsigned_long + - date_nanos + type: string + required: + - type + - additionalProperties: false + type: object + properties: + description: + type: string + type: + enum: + - system + type: string + required: + - type + Kibana_HTTP_APIs_ClassicStreamUpsertRequest: + additionalProperties: false + type: object + properties: + dashboards: + items: + type: string + type: array + queries: + items: + type: object + properties: + description: + type: string + esql: type: object properties: - error: - description: Short error message. - example: Bad Request + query: type: string - message: - description: Detailed description of the error. - example: Invalid sort order value provided. + required: + - query + evidence: + items: + type: string + type: array + features: + items: + type: object + properties: + id: + type: string + run_id: + type: string + required: + - id + type: array + id: + description: A non-empty string. + minLength: 1 + type: string + severity_score: + type: number + title: + description: A non-empty string. 
+ minLength: 1 + type: string + type: + default: match + enum: + - match + - stats + type: string + required: + - id + - title + - description + - esql + type: array + rules: + items: + type: string + type: array + stream: + additionalProperties: false + type: object + properties: + description: + type: string + ingest: + additionalProperties: false + type: object + properties: + classic: + additionalProperties: false + type: object + properties: + field_overrides: + $ref: '#/components/schemas/Kibana_HTTP_APIs_ClassicFieldDefinition' + failure_store: + $ref: '#/components/schemas/Kibana_HTTP_APIs_FailureStore' + lifecycle: + $ref: '#/components/schemas/Kibana_HTTP_APIs_IngestStreamLifecycle' + processing: + additionalProperties: false + type: object + properties: + steps: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamlangStep' + type: array + updated_at: {} + required: + - steps + settings: + additionalProperties: false + type: object + properties: + index.number_of_replicas: + additionalProperties: false + type: object + properties: + value: + type: number + required: + - value + index.number_of_shards: + additionalProperties: false + type: object + properties: + value: + type: number + required: + - value + index.refresh_interval: + additionalProperties: false + type: object + properties: + value: + anyOf: + - type: string + - enum: + - -1 + type: number + required: + - value + required: + - lifecycle + - processing + - settings + - failure_store + - classic + query_streams: + items: + type: object + properties: + name: type: string - statusCode: - description: HTTP status code for the error. - example: 400 - type: number - description: Bad request due to invalid parameters or malformed query. 
- summary: Get prompts - tags: - - Security AI Assistant API - - Prompts API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request GET 'http://localhost:5601/api/security_ai_assistant/prompts/_find?page=1&per_page=20' \ - --header "Authorization: $API_KEY" - /api/task_manager/_health: - get: - description: | - Get the health status of the Kibana task manager. - operationId: task-manager-health - responses: - '200': - content: - application/json: - examples: - taskManagerHealthResponse1: - $ref: >- - #/components/examples/Task_manager_health_Serverless_APIs_health_200response_serverless - schema: - $ref: >- - #/components/schemas/Task_manager_health_Serverless_APIs_health_response_serverless - description: Indicates a successful call - summary: Get the task manager health - tags: - - task manager - /api/timeline: - delete: - description: Delete one or more Timelines or Timeline templates. - operationId: DeleteTimelines - requestBody: - content: - application/json: - examples: - deleteByIds: - summary: Delete timelines by saved object id - value: - savedObjectIds: - - 15c1929b-0af7-42bd-85a8-56e234cc7c4e - deleteWithSearches: - summary: Delete Timelines and their linked saved searches - value: - savedObjectIds: - - 15c1929b-0af7-42bd-85a8-56e234cc7c4e - - 6ce1b592-84e3-4b4a-9552-f189d4b82075 - searchIds: - - 2c1b8f02-9ad6-4e33-8f6a-2c6b7d0a1f11 - schema: + required: + - name + type: array + type: + enum: + - classic + type: string + required: + - description + - ingest + - type + required: + - dashboards + - rules + - queries + - stream + Kibana_HTTP_APIs_collapseBy: + description: Aggregation function used to collapse a breakdown dimension into a single value. + enum: + - avg + - sum + - max + - min + title: collapseBy + type: string + Kibana_HTTP_APIs_color_code: + additionalProperties: false + description: A color specified as a hex or CSS color code string. 
+ properties: + type: + enum: + - color_code + type: string + value: + description: The static color value to use. + type: string + required: + - type + - value + title: Color Code + type: object + Kibana_HTTP_APIs_colorByValue: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValueAbsolute' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValuePercentage' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyColorByValue' + description: Dynamic color mapping by numeric range, with support for absolute and percentage-based ranges. + title: Color By Value + Kibana_HTTP_APIs_colorByValueAbsolute: + additionalProperties: false + description: Color by absolute value configuration + properties: + range: + enum: + - absolute + type: string + steps: + description: Array of ordered color steps defining the range each color is applied. + items: + additionalProperties: false + type: object + properties: + color: + description: The color to use for this step. + type: string + gte: + description: The lower bound of range from which this color applies (inclusive). + nullable: true + type: number + lt: + description: The upper bound of range to which this color applies (exclusive). + nullable: true + type: number + lte: + description: The upper bound of range to which this color applies (inclusive). + nullable: true + type: number + required: + - color + maxItems: 100 + minItems: 1 + type: array + type: + enum: + - dynamic + type: string + required: + - type + - range + - steps + title: Color By Value (Absolute) + type: object + Kibana_HTTP_APIs_colorByValuePercentage: + additionalProperties: false + description: Color by percentage value configuration + properties: + range: + enum: + - percentage + type: string + steps: + description: Array of ordered color steps defining the range each color is applied. + items: + additionalProperties: false + type: object + properties: + color: + description: The color to use for this step. 
+ type: string + gte: + description: The lower bound of range from which this color applies (inclusive). + nullable: true + type: number + lt: + description: The upper bound of range to which this color applies (exclusive). + nullable: true + type: number + lte: + description: The upper bound of range to which this color applies (inclusive). + nullable: true + type: number + required: + - color + maxItems: 100 + minItems: 1 + type: array + type: + enum: + - dynamic + type: string + required: + - type + - range + - steps + title: Color By Value (Percentage) + type: object + Kibana_HTTP_APIs_colorFromPalette: + additionalProperties: false + description: Color at a fixed index position in a named palette. + properties: + index: + description: The index of the color in the palette. + type: number + palette: + description: 'Color palette name. Accepted values: ''default'', ''elastic_line_optimized'', ''severity'', ''eui_amsterdam'', ''kibana_v7_legacy'', ''elastic_brand_2023''. Defaults to `default`.' + type: string + type: + enum: + - from_palette + type: string + required: + - type + - index + title: Color From Palette + type: object + Kibana_HTTP_APIs_colorMapping: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_categoricalColorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_gradientColorMapping' + description: Color mapping for dimension values, either categorical (for specific values) or as a gradient. + title: Color Mapping + Kibana_HTTP_APIs_Condition: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_FilterCondition' + - additionalProperties: false + description: A logical AND that groups multiple conditions. + type: object + properties: + and: + description: An array of conditions. All sub-conditions must be true for this condition to be true. + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + type: array + required: + - and + - additionalProperties: false + description: A logical OR that groups multiple conditions. 
+ type: object + properties: + or: + description: An array of conditions. At least one sub-condition must be true for this condition to be true. + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + type: array + required: + - or + - additionalProperties: false + description: A logical NOT that negates a condition. + type: object + properties: + not: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: A condition that negates another condition. + required: + - not + - additionalProperties: false + description: A condition that always evaluates to false. + type: object + properties: + never: + additionalProperties: false + description: An empty object. This condition never matches. + type: object + properties: {} + required: + - never + - additionalProperties: false + description: A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered. + type: object + properties: + always: + additionalProperties: false + description: An empty object. This condition always matches. + type: object + properties: {} + required: + - always + description: The root condition object. It can be a simple filter or a combination of other conditions. 
+ Kibana_HTTP_APIs_ConditionWithSteps: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + - additionalProperties: false + type: object + properties: + else: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamlangStep' + type: array + steps: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamlangStep' + type: array + required: + - steps + Kibana_HTTP_APIs_ContentPackIncludedObjects: + anyOf: + - additionalProperties: false + type: object + properties: + objects: + additionalProperties: false type: object properties: - savedObjectIds: - description: >- - The list of IDs of the Timelines or Timeline templates to - delete + all: + additionalProperties: false + type: object + properties: {} + required: + - all + required: + - objects + - additionalProperties: false + type: object + properties: + objects: + additionalProperties: false + type: object + properties: + mappings: + type: boolean + queries: items: - type: string - maxItems: 100 + type: object + properties: + id: + type: string + required: + - id type: array - searchIds: - description: >- - Saved search IDs that should be deleted alongside the - timelines + routing: items: - type: string - maxItems: 100 + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_ContentPackIncludedObjects' + - type: object + properties: + destination: + type: string + required: + - destination type: array required: - - savedObjectIds - description: The IDs of the Timelines or Timeline templates to delete. - required: true - responses: - '200': - content: - application/json: - examples: - success: - summary: Success - value: {} - schema: - additionalProperties: true - type: object - description: Indicates a successful call. - summary: Delete Timelines or Timeline templates - tags: - - Security Timeline API - - access:securitySolution - get: - description: Get the details of an existing saved Timeline or Timeline template. 
- operationId: GetTimeline - parameters: - - description: The `savedObjectId` of the Timeline template to retrieve. - in: query - name: template_timeline_id - schema: - type: string - - description: The `savedObjectId` of the Timeline to retrieve. - in: query - name: id - schema: - type: string - responses: - '200': - content: - application/json: - examples: - timelineDetail: - summary: Timeline detail - value: - description: User-reported suspicious email - noteIds: [] - pinnedEventIds: [] - savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - status: active - timelineType: default - title: Phishing investigation - version: WzE0LDFd - schema: - $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' - description: Indicates a successful call. - summary: Get Timeline or Timeline template details - tags: - - Security Timeline API - - access:securitySolution - patch: - description: >- - Update an existing Timeline. You can update the title, description, date - range, pinned events, pinned queries, and/or pinned saved queries of an - existing Timeline. - operationId: PatchTimeline - requestBody: - content: - application/json: - examples: - patchTitle: - summary: Update title - value: - timeline: - title: Escalated case review - timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - version: WzE0LDFd - schema: + - mappings + - queries + - routing + required: + - objects + Kibana_HTTP_APIs_copy_agent_policy_request: + additionalProperties: false + properties: + description: + type: string + name: + minLength: 1 + type: string + required: + - name + title: copy_agent_policy_request + type: object + Kibana_HTTP_APIs_core_status_redactedResponse: + additionalProperties: false + description: A minimal representation of Kibana's operational status. Returned when the caller is unauthenticated or lacks the `monitor` cluster privilege. 
+ properties: + status: + additionalProperties: false + type: object + properties: + overall: + additionalProperties: false type: object properties: - timeline: - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' - description: >- - The timeline object of the Timeline or Timeline template - that you’re updating. - timelineId: - description: >- - The `savedObjectId` of the Timeline or Timeline template - that you’re updating. - example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - nullable: true - type: string - version: - description: >- - The version of the Timeline or Timeline template that you’re - updating. - example: WzE0LDFd - nullable: true + level: + description: Service status levels as human and machine readable values. + enum: + - available + - degraded + - unavailable + - critical type: string required: - - timelineId - - version - - timeline - description: The Timeline updates, along with the Timeline ID and version. - required: true - responses: - '200': - content: - application/json: - examples: - patched: - summary: Updated timeline - value: - savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - status: active - timelineType: default - title: Escalated case review - version: WzE1LDFd - schema: - $ref: >- - #/components/schemas/Security_Timeline_API_PersistTimelineResponse - description: Indicates a successful call. - '405': - content: - application/json: - examples: - error: - summary: Error body - value: - body: update timeline error - statusCode: 405 - schema: - type: object - properties: - body: - description: The error message. - example: update timeline error - type: string - statusCode: - example: 405 - type: number - description: >- - Indicates that the user does not have the required access to create - a Timeline. - summary: Update a Timeline - tags: - - Security Timeline API - - access:securitySolution - post: - description: Create a new Timeline or Timeline template. 
- operationId: CreateTimelines - requestBody: - content: - application/json: - examples: - createDefault: - summary: Create a default timeline - value: - timeline: - status: active - timelineType: default - title: Malware containment - schema: + - level + required: + - overall + required: + - status + title: core_status_redactedResponse + type: object + Kibana_HTTP_APIs_core_status_response: + additionalProperties: false + description: Kibana's operational status as well as a detailed breakdown of plugin statuses indication of various loads (like event loop utilization and network traffic) at time of request. + properties: + metrics: + additionalProperties: false + description: Metric groups collected by Kibana. + type: object + properties: + collection_interval_in_millis: + description: The interval at which metrics should be collected. + type: number + elasticsearch_client: + additionalProperties: false + description: Current network metrics of Kibana's Elasticsearch client. + type: object + properties: + totalActiveSockets: + description: Count of network sockets currently in use. + type: number + totalIdleSockets: + description: Count of network sockets currently idle. + type: number + totalQueuedRequests: + description: Count of requests not yet assigned to sockets. + type: number + required: + - totalActiveSockets + - totalIdleSockets + - totalQueuedRequests + last_updated: + description: The time metrics were collected. + type: string + required: + - elasticsearch_client + - last_updated + - collection_interval_in_millis + name: + description: Kibana instance name. + type: string + status: + additionalProperties: false + type: object + properties: + core: + additionalProperties: false + description: Statuses of core Kibana services. + type: object + properties: + elasticsearch: + additionalProperties: false + type: object + properties: + detail: + description: Human readable detail of the service status. 
+ type: string + documentationUrl: + description: A URL to further documentation regarding this service. + type: string + level: + description: Service status levels as human and machine readable values. + enum: + - available + - degraded + - unavailable + - critical + type: string + meta: + additionalProperties: + nullable: true + description: An unstructured set of extra metadata about this service. + type: object + summary: + description: A human readable summary of the service status. + type: string + required: + - level + - summary + - meta + http: + additionalProperties: false + type: object + properties: + detail: + description: Human readable detail of the service status. + type: string + documentationUrl: + description: A URL to further documentation regarding this service. + type: string + level: + description: Service status levels as human and machine readable values. + enum: + - available + - degraded + - unavailable + - critical + type: string + meta: + additionalProperties: + nullable: true + description: An unstructured set of extra metadata about this service. + type: object + summary: + description: A human readable summary of the service status. + type: string + required: + - level + - summary + - meta + savedObjects: + additionalProperties: false + type: object + properties: + detail: + description: Human readable detail of the service status. + type: string + documentationUrl: + description: A URL to further documentation regarding this service. + type: string + level: + description: Service status levels as human and machine readable values. + enum: + - available + - degraded + - unavailable + - critical + type: string + meta: + additionalProperties: + nullable: true + description: An unstructured set of extra metadata about this service. + type: object + summary: + description: A human readable summary of the service status. 
+ type: string + required: + - level + - summary + - meta + required: + - elasticsearch + - savedObjects + overall: + additionalProperties: false type: object properties: - status: - $ref: '#/components/schemas/Security_Timeline_API_TimelineStatus' - nullable: true - templateTimelineId: - description: A unique identifier for the Timeline template. - example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 - nullable: true + detail: + description: Human readable detail of the service status. type: string - templateTimelineVersion: - description: Timeline template version number. - example: 12 - nullable: true - type: number - timeline: - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' - timelineId: - description: A unique identifier for the Timeline. - example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 - nullable: true + documentationUrl: + description: A URL to further documentation regarding this service. type: string - timelineType: - $ref: '#/components/schemas/Security_Timeline_API_TimelineType' - nullable: true - version: - nullable: true + level: + description: Service status levels as human and machine readable values. + enum: + - available + - degraded + - unavailable + - critical + type: string + meta: + additionalProperties: + nullable: true + description: An unstructured set of extra metadata about this service. + type: object + summary: + description: A human readable summary of the service status. type: string required: - - timeline - description: >- - The required Timeline fields used to create a new Timeline, along with - optional fields that will be created if not provided. 
- required: true - responses: - '200': - content: - application/json: - examples: - created: - summary: Created timeline - value: - savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - status: active - timelineType: default - title: Malware containment - version: WzE0LDFd - schema: - $ref: >- - #/components/schemas/Security_Timeline_API_PersistTimelineResponse - description: Indicates a successful call. - '405': - content: - application/json: - examples: - error: - summary: Error body - value: - body: update timeline error - statusCode: 405 - schema: + - level + - summary + - meta + plugins: + additionalProperties: + additionalProperties: false + type: object + properties: + detail: + description: Human readable detail of the service status. + type: string + documentationUrl: + description: A URL to further documentation regarding this service. + type: string + level: + description: Service status levels as human and machine readable values. + enum: + - available + - degraded + - unavailable + - critical + type: string + meta: + additionalProperties: + nullable: true + description: An unstructured set of extra metadata about this service. + type: object + summary: + description: A human readable summary of the service status. + type: string + required: + - level + - summary + - meta + description: A dynamic mapping of plugin ID to plugin status. + type: object + required: + - overall + - core + - plugins + uuid: + description: Unique, generated Kibana instance UUID. This UUID should persist even if the Kibana process restarts. + type: string + version: + additionalProperties: false + type: object + properties: + build_date: + description: The date and time of this build. + type: string + build_flavor: + description: The build flavour determines configuration and behavior of Kibana. On premise users will almost always run the "traditional" flavour, while other flavours are reserved for Elastic-specific use cases. 
+ enum: + - serverless + - traditional + type: string + build_hash: + description: A unique hash value representing the git commit of this Kibana build. + type: string + build_number: + description: A monotonically increasing number, each subsequent build will have a higher number. + type: number + build_snapshot: + description: Whether this build is a snapshot build. + type: boolean + number: + description: A semantic version number. + type: string + required: + - number + - build_hash + - build_number + - build_snapshot + - build_flavor + - build_date + required: + - name + - uuid + - version + - status + - metrics + title: core_status_response + type: object + Kibana_HTTP_APIs_counterRateOperation: + additionalProperties: false + properties: + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - counter_rate + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Counter Rate Operation + type: object + Kibana_HTTP_APIs_countMetricOperation: + additionalProperties: false + properties: + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - operation + title: Count Metric Operation + type: object + Kibana_HTTP_APIs_create_custom_integration_request: + additionalProperties: false + properties: + datasets: + items: + additionalProperties: false + type: object + properties: + name: + type: string + type: + enum: + - logs + - metrics + - traces + - synthetics + - profiling + type: string + required: + - name + - type + maxItems: 10 + type: array + force: + type: boolean + integrationName: + type: string + required: + - integrationName + - datasets + title: create_custom_integration_request + type: object + Kibana_HTTP_APIs_create_package_policy_request: + additionalProperties: false + properties: + additional_datastreams_permissions: + description: Additional data stream permissions that will be added to the agent policy. + items: + type: string + maxItems: 1000 + nullable: true + type: array + cloud_connector_id: + description: ID of the cloud connector associated with this package policy. + nullable: true + type: string + cloud_connector_name: + description: Transient field for cloud connector name during creation. + maxLength: 255 + minLength: 1 + nullable: true + type: string + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this integration to its inputs.' 
+ type: string + description: + description: Package policy description + type: string + enabled: + type: boolean + force: + description: Force package policy creation even if the package is not verified, or if the agent policy is managed. + type: boolean + global_data_tags: + items: + additionalProperties: false + type: object + properties: + name: + description: The name of the custom field. Cannot contain spaces. + type: string + value: + anyOf: + - type: string + - type: number + description: The value of the custom field. + required: + - name + - value + maxItems: 100 + nullable: true + type: array + id: + description: Package policy unique identifier + type: string + inputs: + items: + additionalProperties: false + type: object + properties: + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' + type: string + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + name: + type: string + policy_template: + type: string + streams: + items: + additionalProperties: false + type: object + properties: + compiled_stream: + nullable: true + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' 
+ type: string + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + data_stream: + additionalProperties: false + type: object + properties: + dataset: + type: string + elasticsearch: + additionalProperties: false + type: object + properties: + dynamic_dataset: + type: boolean + dynamic_namespace: + type: boolean + privileges: + additionalProperties: false + type: object + properties: + indices: + items: + type: string + maxItems: 100 + type: array + type: + type: string + required: + - dataset + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + release: + enum: + - ga + - beta + - experimental + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - enabled + - data_stream + - compiled_stream + maxItems: 1000 + type: array + type: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. 
+ type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - type + - enabled + maxItems: 1000 + type: array + is_managed: + type: boolean + name: + description: Unique name for the package policy. + type: string + namespace: + description: The package policy namespace. Leave blank to inherit the agent policy's namespace. + type: string + output_id: + nullable: true + type: string + overrides: + additionalProperties: false + description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. + nullable: true + type: object + properties: + inputs: + additionalProperties: + nullable: true + type: object + package: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_package' + package_agent_version_condition: + type: string + policy_id: + deprecated: true + description: ID of the agent policy which the package policy will be added to. + nullable: true + type: string + policy_ids: + items: + description: IDs of the agent policies that the package policy will be added to. + type: string + maxItems: 1000 + type: array + spaceIds: + items: + type: string + maxItems: 100 + type: array + supports_agentless: + default: false + deprecated: true + description: Indicates whether the package policy belongs to an agentless agent policy. Deprecated in favor of the Fleet agentless policies API. + nullable: true + type: boolean + supports_cloud_connector: + default: false + description: Indicates whether the package policy supports cloud connectors. + nullable: true + type: boolean + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. 
Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - name + - inputs + title: create_package_policy_request + type: object + Kibana_HTTP_APIs_create_package_policy_response: + additionalProperties: false + properties: + item: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_response' + required: + - item + title: create_package_policy_response + type: object + Kibana_HTTP_APIs_cumulativeSumOperation: + additionalProperties: false + properties: + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - cumulative_sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Cumulative Sum Operation + type: object + Kibana_HTTP_APIs_customFormat: + additionalProperties: false + description: Custom format using a Kibana field format pattern string. + properties: + pattern: + description: Kibana field format pattern string. 
+ type: string + type: + enum: + - custom + type: string + required: + - type + - pattern + title: Custom Format + type: object + Kibana_HTTP_APIs_datasetquality-degradeddocs-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false type: object properties: - body: - description: The error message - example: update timeline error + id: type: string - statusCode: - example: 405 - type: number - description: Indicates that there was an error in the Timeline creation. - summary: Create a Timeline or Timeline template - tags: - - Security Timeline API - - access:securitySolution - /api/timeline/_copy: - post: - description: | - Copies and returns a timeline or timeline template. - operationId: CopyTimeline - requestBody: - content: - application/json: - examples: - copyWithTitle: - summary: Copy with a new title - value: - timeline: - timelineType: default - title: Copy of investigation - timelineIdToCopy: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - schema: + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false type: object properties: - timeline: - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' - timelineIdToCopy: - description: >- - The `savedObjectId` of the timeline or template to - duplicate. 
+ blob: + maxLength: 10000 type: string required: - - timeline - - timelineIdToCopy - description: >- - Source timeline id to copy plus timeline fields for the new saved - object. - required: true - responses: - '200': - content: - application/json: - examples: - copied: - summary: Newly saved timeline - value: - savedObjectId: 6ce1b592-84e3-4b4a-9552-f189d4b82075 - status: active - timelineType: default - title: Copy of investigation - version: WzE1LDFd - schema: - $ref: >- - #/components/schemas/Security_Timeline_API_PersistTimelineResponse - description: Indicates a successful call. - summary: Copies timeline or timeline template - tags: - - Security Timeline API - - access:securitySolution - /api/timeline/_draft: - get: - description: >- - Get the details of the draft Timeline or Timeline template for the - current user. If the user doesn't have a draft Timeline, an empty - Timeline is returned. - operationId: GetDraftTimelines - parameters: - - description: >- - Which draft to load (`default` investigation timeline or `template` - timeline template). - in: query - name: timelineType - required: true - schema: - $ref: '#/components/schemas/Security_Timeline_API_TimelineType' - responses: - '200': - content: - application/json: - examples: - draftPayload: - summary: Draft timeline payload - value: - savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - status: draft - timelineType: default - title: '' - version: WzE0LDFd - schema: - $ref: >- - #/components/schemas/Security_Timeline_API_PersistTimelineResponse - description: Indicates a successful call. 
- '403': - content: - application/json: - examples: - forbidden: - summary: Permission denied - value: - message: Forbidden - status_code: 403 - schema: - type: object - properties: - message: - type: string - status_code: - type: number - description: >- - If a draft Timeline was not found and we attempted to create one, it - indicates that the user does not have the required permissions to - create a draft Timeline. - '409': - content: - application/json: - examples: - conflict: - summary: Draft conflict - value: - message: Conflict - status_code: 409 - schema: - type: object - properties: - message: - type: string - status_code: - type: number - description: >- - This should never happen, but if a draft Timeline was not found and - we attempted to create one, it indicates that there is already a - draft Timeline with the given `timelineId`. - summary: Get draft Timeline or Timeline template details - tags: - - Security Timeline API - - access:securitySolution - post: - description: > - Create a clean draft Timeline or Timeline template for the current user. - - > info - - > If the user already has a draft Timeline, the existing draft Timeline - is cleared and returned. - operationId: CleanDraftTimelines - requestBody: - content: - application/json: - examples: - defaultDraft: - summary: Create a default draft timeline - value: - timelineType: default - schema: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want the rule to run on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. 
While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how frequently rule actions are triggered. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the degraded docs rule. These parameters are appropriate when `rule_type_id` is `datasetQuality.degradedDocs`. + properties: + comparator: + type: string + groupBy: + items: + type: string + type: array + searchConfiguration: + additionalProperties: false type: object properties: - timelineType: - $ref: '#/components/schemas/Security_Timeline_API_TimelineType' + index: + type: string required: - - timelineType - description: >- - The type of Timeline to create. Valid values are `default` and - `template`. - required: true - responses: - '200': - content: - application/json: - examples: - draftResponse: - summary: Draft after reset or creation - value: - savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - status: draft - templateTimelineId: null - templateTimelineVersion: null - timelineType: default - title: '' - version: WzE0LDFd - schema: - $ref: >- - #/components/schemas/Security_Timeline_API_PersistTimelineResponse - description: Indicates a successful call. 
- '403': - content: - application/json: - examples: - forbidden: - summary: Permission denied - value: - message: Forbidden - status_code: 403 - schema: - type: object + - index + threshold: + items: + type: number + type: array + timeSize: + type: number + timeUnit: + type: string + required: + - timeUnit + - timeSize + - threshold + - comparator + - searchConfiguration + title: Degraded Docs Rule Params + type: object + rule_type_id: + enum: + - datasetQuality.degradedDocs + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how frequently rule actions are triggered. You cannot specify the throttle interval at both the rule and action level. If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Degraded docs + type: object + Kibana_HTTP_APIs_datatableDensity: + additionalProperties: false + description: Density configuration for the datatable. 
+ properties: + height: + additionalProperties: false + type: object + properties: + header: + anyOf: + - additionalProperties: false + type: object + properties: + type: + enum: + - auto + type: string + required: + - type + - additionalProperties: false + type: object + properties: + max_lines: + default: 3 + maximum: 5 + minimum: 1 + type: number + type: + enum: + - custom + type: string + required: + - type + description: Number of lines before the header is truncated. + value: + anyOf: + - additionalProperties: false + type: object + properties: + type: + enum: + - auto + type: string + required: + - type + - additionalProperties: false + type: object + properties: + lines: + default: 1 + maximum: 20 + minimum: 1 + type: number + type: + enum: + - custom + type: string + required: + - type + description: Number of lines to display per table body cell. + mode: + description: Display density mode. + enum: + - compact + - default + - expanded + type: string + title: datatableDensity + type: object + Kibana_HTTP_APIs_datatableESQL: + additionalProperties: false + description: Datatable state configuration for ES|QL queries + properties: + data_source: + $ref: '#/components/schemas/Kibana_HTTP_APIs_esqlDataSource' + description: + type: string + drilldowns: + items: + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true properties: - message: + dashboard_id: type: string - status_code: - type: number - description: >- - Indicates that the user does not have the required permissions to - create a draft Timeline. - '409': - content: - application/json: - examples: - conflict: - summary: Draft conflict - value: - message: Conflict - status_code: 409 - schema: - type: object - properties: - message: + label: type: string - status_code: - type: number - description: >- - Indicates that there is already a draft Timeline with the given - `timelineId`. 
- summary: Create a clean draft Timeline or Timeline template - tags: - - Security Timeline API - - access:securitySolution - /api/timeline/_export: - post: - description: Export Timelines as an NDJSON file. - operationId: ExportTimelines - parameters: - - description: The name of the file to export - in: query - name: file_name - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - exportIds: - summary: Export by timeline ids - value: - ids: - - 15c1929b-0af7-42bd-85a8-56e234cc7c4e - schema: - type: object - properties: - ids: - items: + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter type: string - maxItems: 1000 - minItems: 1 - nullable: true - type: array - description: The IDs of the Timelines to export. - required: true - responses: - '200': - content: - application/ndjson: - examples: - ndjsonLine: - summary: Single NDJSON line - value: >- - {"savedObjectId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e","version":"WzE0LDFd","title":"Investigation","timelineType":"default"} - schema: - description: NDJSON of the exported Timelines - type: string - description: Indicates a successful call. - '400': - content: - application/ndjson: - examples: - badRequest: - summary: Export error - value: - body: Export limit exceeded - statusCode: 400 - schema: - type: object - properties: - body: + type: + enum: + - dashboard_drilldown type: string - statusCode: - type: number - description: Bad Request response. - summary: Export Timelines - tags: - - Security Timeline API - - access:securitySolution - /api/timeline/_favorite: - patch: - description: Favorite a Timeline or Timeline template for the current user. 
- operationId: PersistFavoriteRoute - requestBody: - content: - application/json: - examples: - favoriteDefault: - summary: Favorite a default timeline - value: - templateTimelineId: null - templateTimelineVersion: null - timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - timelineType: default - schema: - type: object - properties: - templateTimelineId: - nullable: true - type: string - templateTimelineVersion: - nullable: true - type: number - timelineId: - nullable: true - type: string - timelineType: - $ref: '#/components/schemas/Security_Timeline_API_TimelineType' - nullable: true - required: - - timelineId - - templateTimelineId - - templateTimelineVersion - - timelineType - description: The required fields used to favorite a (template) Timeline. - required: true - responses: - '200': - content: - application/json: - examples: - favoriteResponse: - summary: Favorite metadata updated - value: - favorite: - - favoriteDate: 1741337636741 - userName: elastic - savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - timelineType: default - version: WzE2LDFd - schema: - $ref: >- - #/components/schemas/Security_Timeline_API_FavoriteTimelineResponse - description: Indicates a successful call. - '403': - content: - application/json: - examples: - forbidden: - summary: Forbidden - value: - body: Forbidden - statusCode: 403 - schema: + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. + type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown type: object + - additionalProperties: false properties: - body: + label: type: string - statusCode: - type: number - description: >- - Indicates the user does not have the required permissions to persist - the favorite status. 
- summary: Favorite a Timeline or Timeline template - tags: - - Security Timeline API - - access:securitySolution - /api/timeline/_import: - post: - description: Import Timelines. - operationId: ImportTimelines - requestBody: - content: - application/json: - examples: - multipartPlaceholder: - summary: Request shape (file is a stream of NDJSON lines at runtime) - value: - file: >- - {"savedObjectId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e","version":"WzE0LDFd"}\n - isImmutable: 'false' - schema: - type: object - properties: - file: {} - isImmutable: - description: Whether the Timeline should be immutable - enum: - - 'true' - - 'false' - type: string - required: - - file - description: The Timelines to import as a readable stream. - required: true - responses: - '200': - content: - application/json: - examples: - importSummary: - summary: Import summary - value: - errors: [] - success: true - success_count: 5 - timelines_installed: 3 - timelines_updated: 2 - schema: - $ref: >- - #/components/schemas/Security_Timeline_API_ImportTimelineResult - description: Indicates a successful call. - '400': - content: - application/json: - examples: - badRequest: - summary: Invalid import - value: - body: Invalid file extension - statusCode: 400 - schema: + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown type: object + - additionalProperties: false properties: - body: - description: The error message - example: Invalid file extension - type: string - statusCode: - example: 400 - type: number - description: Bad Request response. 
- '404': - content: - application/json: - examples: - notFound: - summary: Saved objects client missing - value: - body: Unable to find saved object client - statusCode: 404 - schema: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown type: object + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + hide_border: + type: boolean + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. + type: boolean + metrics: + description: Array of metrics to display as columns in the datatable + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableESQLMetric' + maxItems: 1000 + minItems: 1 + type: array + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + rows: + description: Array of operations to split the datatable rows by + items: + additionalProperties: false + type: object + properties: + alignment: + description: Alignment of the rows. + enum: + - left + - center + - right + type: string + apply_color_to: + description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' + enum: + - value + - background + - badge + type: string + click_filter: + description: When `true`, enables one-click filtering on cell values. 
+ type: boolean + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for ESQL datatable rows. Use dynamic coloring for numeric data and categorical/gradient mode for categorical data. + column: + description: Column to use + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + visible: + description: When `false`, hides the column from the datatable. + type: boolean + width: + description: Column width in pixels. + minimum: 0 + type: number + required: + - column + maxItems: 50 + minItems: 1 + type: array + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). + maximum: 1 + minimum: 0 + type: number + split_metrics_by: + description: Array of operations to split the metric columns by + items: + additionalProperties: false + type: object + properties: + column: + description: Column to use + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + required: + - column + maxItems: 20 + minItems: 1 + type: array + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableStyling' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + type: + enum: + - data_table + type: string + required: + - type + - data_source + title: Datatable (ES|QL) + type: object + Kibana_HTTP_APIs_datatableESQLMetric: + additionalProperties: false + properties: + alignment: + description: Alignment of the columns. 
+ enum: + - left + - center + - right + type: string + apply_color_to: + description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' + enum: + - value + - background + - badge + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for datatable metrics. Use dynamic coloring for numeric data and categorical/gradient mode for categorical data. + column: + description: Column to use + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + summary: + additionalProperties: false + description: Summary row configuration + type: object + properties: + label: + description: Summary row label. + type: string + type: + description: Type of summary function to apply to the column. + enum: + - sum + - avg + - count + - min + - max + type: string + required: + - type + visible: + description: When `false`, hides the column from the datatable. + type: boolean + width: + description: Column width in pixels. + minimum: 0 + type: number + required: + - column + title: Datatable Metric (ES|QL) + type: object + Kibana_HTTP_APIs_datatableMetricCounterRate: + additionalProperties: false + properties: + alignment: + description: Alignment of the columns. + enum: + - left + - center + - right + type: string + apply_color_to: + description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' 
+ enum: + - value + - background + - badge + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for datatable metrics. Use dynamic coloring for numeric data and categorical/gradient mode for categorical data. + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - counter_rate + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + summary: + additionalProperties: false + description: Summary row configuration + type: object + properties: + label: + description: Summary row label. + type: string + type: + description: Type of summary function to apply to the column. + enum: + - sum + - avg + - count + - min + - max + type: string + required: + - type + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + visible: + description: When `false`, hides the column from the datatable. + type: boolean + width: + description: Column width in pixels. + minimum: 0 + type: number + required: + - field + - operation + title: Counter Rate Operation + type: object + Kibana_HTTP_APIs_datatableMetricCountMetric: + additionalProperties: false + properties: + alignment: + description: Alignment of the columns. + enum: + - left + - center + - right + type: string + apply_color_to: + description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' 
+ enum: + - value + - background + - badge + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for datatable metrics. Use dynamic coloring for numeric data and categorical/gradient mode for categorical data. + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. + type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + summary: + additionalProperties: false + description: Summary row configuration + type: object + properties: + label: + description: Summary row label. + type: string + type: + description: Type of summary function to apply to the column. + enum: + - sum + - avg + - count + - min + - max + type: string + required: + - type + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + visible: + description: When `false`, hides the column from the datatable. + type: boolean + width: + description: Column width in pixels. + minimum: 0 + type: number + required: + - operation + title: Count Metric Operation + type: object + Kibana_HTTP_APIs_datatableMetricCumulativeSum: + additionalProperties: false + properties: + alignment: + description: Alignment of the columns. 
+ enum: + - left + - center + - right + type: string + apply_color_to: + description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' + enum: + - value + - background + - badge + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for datatable metrics. Use dynamic coloring for numeric data and categorical/gradient mode for categorical data. + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - cumulative_sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + summary: + additionalProperties: false + description: Summary row configuration + type: object + properties: + label: + description: Summary row label. + type: string + type: + description: Type of summary function to apply to the column. + enum: + - sum + - avg + - count + - min + - max + type: string + required: + - type + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + visible: + description: When `false`, hides the column from the datatable. + type: boolean + width: + description: Column width in pixels. + minimum: 0 + type: number + required: + - field + - operation + title: Cumulative Sum Operation + type: object + Kibana_HTTP_APIs_datatableMetricDifferences: + additionalProperties: false + properties: + alignment: + description: Alignment of the columns. 
+ enum: + - left + - center + - right + type: string + apply_color_to: + description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' + enum: + - value + - background + - badge + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for datatable metrics. Use dynamic coloring for numeric data and categorical/gradient mode for categorical data. + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - differences + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + summary: + additionalProperties: false + description: Summary row configuration + type: object + properties: + label: + description: Summary row label. + type: string + type: + description: Type of summary function to apply to the column. + enum: + - sum + - avg + - count + - min + - max + type: string + required: + - type + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + visible: + description: When `false`, hides the column from the datatable. + type: boolean + width: + description: Column width in pixels. + minimum: 0 + type: number + required: + - operation + - of + title: Differences Operation + type: object + Kibana_HTTP_APIs_datatableMetricFormula: + additionalProperties: false + properties: + alignment: + description: Alignment of the columns. 
+ enum: + - left + - center + - right + type: string + apply_color_to: + description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' + enum: + - value + - background + - badge + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for datatable metrics. Use dynamic coloring for numeric data and categorical/gradient mode for categorical data. + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + formula: + description: Formula + type: string + label: + description: Label for the operation + type: string + operation: + enum: + - formula + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + summary: + additionalProperties: false + description: Summary row configuration + type: object + properties: + label: + description: Summary row label. + type: string + type: + description: Type of summary function to apply to the column. + enum: + - sum + - avg + - count + - min + - max + type: string + required: + - type + time_scale: + description: Time scale + enum: + - s + - m + - h + - d + type: string + visible: + description: When `false`, hides the column from the datatable. + type: boolean + width: + description: Column width in pixels. + minimum: 0 + type: number + required: + - operation + - formula + title: Formula Operation + type: object + Kibana_HTTP_APIs_datatableMetricLastValue: + additionalProperties: false + properties: + alignment: + description: Alignment of the columns. 
+ enum: + - left + - center + - right + type: string + apply_color_to: + description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' + enum: + - value + - background + - badge + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for datatable metrics. Use dynamic coloring for numeric data and categorical/gradient mode for categorical data. + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + multi_value: + default: false + description: Whether to return all values for multi-value fields. Only affects data table and metric charts; other charts use the last value from the array. + type: boolean + operation: + enum: + - last_value + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + summary: + additionalProperties: false + description: Summary row configuration + type: object + properties: + label: + description: Summary row label. + type: string + type: + description: Type of summary function to apply to the column. + enum: + - sum + - avg + - count + - min + - max + type: string + required: + - type + time_field: + description: Time field used to determine document recency + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + visible: + description: When `false`, hides the column from the datatable. + type: boolean + width: + description: Column width in pixels. 
+ minimum: 0 + type: number + required: + - field + - operation + - time_field + title: Last Value Operation + type: object + Kibana_HTTP_APIs_datatableMetricMovingAverage: + additionalProperties: false + properties: + alignment: + description: Alignment of the columns. + enum: + - left + - center + - right + type: string + apply_color_to: + description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' + enum: + - value + - background + - badge + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for datatable metrics. Use dynamic coloring for numeric data and categorical/gradient mode for categorical data. + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - moving_average + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + summary: + additionalProperties: false + description: Summary row configuration + type: object + properties: + label: + description: Summary row label. + type: string + type: + description: Type of summary function to apply to the column. + enum: + - sum + - avg + - count + - min + - max + type: string + required: + - type + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + visible: + description: When `false`, hides the column from the datatable. + type: boolean + width: + description: Column width in pixels. 
+ minimum: 0 + type: number + window: + default: 5 + description: Window + type: number + required: + - operation + - of + title: Moving Average Operation + type: object + Kibana_HTTP_APIs_datatableMetricPercentile: + additionalProperties: false + properties: + alignment: + description: Alignment of the columns. + enum: + - left + - center + - right + type: string + apply_color_to: + description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' + enum: + - value + - background + - badge + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for datatable metrics. Use dynamic coloring for numeric data and categorical/gradient mode for categorical data. + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - percentile + type: string + percentile: + default: 95 + description: Percentile + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + summary: + additionalProperties: false + description: Summary row configuration + type: object + properties: + label: + description: Summary row label. + type: string + type: + description: Type of summary function to apply to the column. 
+ enum: + - sum + - avg + - count + - min + - max + type: string + required: + - type + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + visible: + description: When `false`, hides the column from the datatable. + type: boolean + width: + description: Column width in pixels. + minimum: 0 + type: number + required: + - field + - operation + title: Percentile Operation + type: object + Kibana_HTTP_APIs_datatableMetricPercentileRanks: + additionalProperties: false + properties: + alignment: + description: Alignment of the columns. + enum: + - left + - center + - right + type: string + apply_color_to: + description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' + enum: + - value + - background + - badge + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for datatable metrics. Use dynamic coloring for numeric data and categorical/gradient mode for categorical data. + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - percentile_rank + type: string + rank: + default: 0 + description: Percentile Rank + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + summary: + additionalProperties: false + description: Summary row configuration + type: object + properties: + label: + description: Summary row label. 
+ type: string + type: + description: Type of summary function to apply to the column. + enum: + - sum + - avg + - count + - min + - max + type: string + required: + - type + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + visible: + description: When `false`, hides the column from the datatable. + type: boolean + width: + description: Column width in pixels. + minimum: 0 + type: number + required: + - field + - operation + title: Percentile Ranks Operation + type: object + Kibana_HTTP_APIs_datatableMetricStatsMetric: + additionalProperties: false + properties: + alignment: + description: Alignment of the columns. + enum: + - left + - center + - right + type: string + apply_color_to: + description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' + enum: + - value + - background + - badge + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for datatable metrics. Use dynamic coloring for numeric data and categorical/gradient mode for categorical data. 
+ field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - min + - max + - average + - median + - standard_deviation + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + summary: + additionalProperties: false + description: Summary row configuration + type: object + properties: + label: + description: Summary row label. + type: string + type: + description: Type of summary function to apply to the column. + enum: + - sum + - avg + - count + - min + - max + type: string + required: + - type + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + visible: + description: When `false`, hides the column from the datatable. + type: boolean + width: + description: Column width in pixels. + minimum: 0 + type: number + required: + - field + - operation + title: Stats Metric Operation + type: object + Kibana_HTTP_APIs_datatableMetricSumMetric: + additionalProperties: false + properties: + alignment: + description: Alignment of the columns. + enum: + - left + - center + - right + type: string + apply_color_to: + description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' + enum: + - value + - background + - badge + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for datatable metrics. Use dynamic coloring for numeric data and categorical/gradient mode for categorical data. 
+ empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. + type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + summary: + additionalProperties: false + description: Summary row configuration + type: object + properties: + label: + description: Summary row label. + type: string + type: + description: Type of summary function to apply to the column. + enum: + - sum + - avg + - count + - min + - max + type: string + required: + - type + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + visible: + description: When `false`, hides the column from the datatable. + type: boolean + width: + description: Column width in pixels. + minimum: 0 + type: number + required: + - field + - operation + title: Sum Metric Operation + type: object + Kibana_HTTP_APIs_datatableMetricUniqueCountMetric: + additionalProperties: false + properties: + alignment: + description: Alignment of the columns. + enum: + - left + - center + - right + type: string + apply_color_to: + description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' + enum: + - value + - background + - badge + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for datatable metrics. 
Use dynamic coloring for numeric data and categorical/gradient mode for categorical data. + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. + type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - unique_count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + summary: + additionalProperties: false + description: Summary row configuration + type: object + properties: + label: + description: Summary row label. + type: string + type: + description: Type of summary function to apply to the column. + enum: + - sum + - avg + - count + - min + - max + type: string + required: + - type + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + visible: + description: When `false`, hides the column from the datatable. + type: boolean + width: + description: Column width in pixels. 
+ minimum: 0 + type: number + required: + - field + - operation + title: Unique Count Metric Operation + type: object + Kibana_HTTP_APIs_datatableNoESQL: + additionalProperties: false + description: Datatable state configuration for standard queries + properties: + data_source: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' + description: + type: string + drilldowns: + items: + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true properties: - body: - description: The error message - example: Unable to find saved object client + dashboard_id: type: string - statusCode: - example: 404 - type: number - description: Not found response. - '409': - content: - application/json: - examples: - conflict: - summary: Import conflict - value: - body: Could not import timelines - statusCode: 409 - schema: - type: object - properties: - body: - description: The error message - example: Could not import timelines + label: type: string - statusCode: - example: 409 - type: number - description: Indicates the import of Timelines was unsuccessful. - summary: Import Timelines - tags: - - Security Timeline API - - access:securitySolution - /api/timeline/_prepackaged: - post: - description: Install or update prepackaged Timelines. 
- operationId: InstallPrepackedTimelines - requestBody: - content: - application/json: - examples: - emptyArrays: - summary: Installer payload shape - value: - prepackagedTimelines: [] - timelinesToInstall: [] - timelinesToUpdate: [] - schema: - type: object - properties: - prepackagedTimelines: - items: - $ref: >- - #/components/schemas/Security_Timeline_API_TimelineSavedToReturnObject - nullable: true - type: array - timelinesToInstall: - items: - $ref: '#/components/schemas/Security_Timeline_API_ImportTimelines' - nullable: true - type: array - timelinesToUpdate: - items: - $ref: '#/components/schemas/Security_Timeline_API_ImportTimelines' - nullable: true - type: array - required: - - timelinesToInstall - - timelinesToUpdate - - prepackagedTimelines - description: The Timelines to install or update. - required: true - responses: - '200': - content: - application/json: - examples: - installResult: - summary: Install result counts - value: - errors: [] - success: true - success_count: 10 - timelines_installed: 8 - timelines_updated: 2 - schema: - $ref: >- - #/components/schemas/Security_Timeline_API_ImportTimelineResult - description: Indicates a successful call. - '500': - content: - application/json: - examples: - serverError: - summary: Server error - value: - body: Internal error - statusCode: 500 - schema: + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. 
+ type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown type: object + - additionalProperties: false properties: - body: + label: type: string - statusCode: - type: number - description: >- - Indicates the installation of prepackaged Timelines was - unsuccessful. - summary: Install prepackaged Timelines - tags: - - Security Timeline API - - access:securitySolution - /api/timeline/resolve: - get: - description: >- - Resolve a Timeline or Timeline template, surfacing outcomes such as - `exactMatch`, `aliasMatch`, or `conflict` when object IDs have been - remapped during upgrades or imports. Provide **either** `id` for default - Timelines or `template_timeline_id` for templates. - operationId: ResolveTimeline - parameters: - - description: The ID of the template timeline to resolve - in: query - name: template_timeline_id - schema: - type: string - - description: The ID of the timeline to resolve - in: query - name: id - schema: - type: string - responses: - '200': - content: - application/json: - examples: - exactMatch: - description: Timeline resolved without alias or conflict - summary: Exact match outcome - value: - outcome: exactMatch - timeline: - savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - timelineType: default - title: Investigation - schema: - $ref: '#/components/schemas/Security_Timeline_API_ResolvedTimeline' - description: Indicates a successful call. - '400': - content: - application/json: - examples: - badRequest: - summary: Bad request - value: {} - schema: - additionalProperties: true - type: object - description: Bad Request response. 
- '404': - content: - application/json: - examples: - notFound: - summary: Not found - value: {} - schema: - additionalProperties: true - type: object - description: The (template) Timeline was not found - summary: Resolve a Timeline or Timeline template - tags: - - Security Timeline API - - access:securitySolution - /api/timelines: - get: - description: Get a list of all saved Timelines or Timeline templates. - operationId: GetTimelines - parameters: - - description: >- - If `true`, only Timelines that the current user has marked as - favorite are returned. - in: query - name: only_user_favorite - schema: - enum: - - 'true' - - 'false' - nullable: true - type: string - - description: >- - Restrict results to `default` investigation timelines or `template` - timeline templates. - in: query - name: timeline_type - schema: - $ref: '#/components/schemas/Security_Timeline_API_TimelineType' - nullable: true - - description: >- - Field used to sort the list (`title`, `description`, `updated`, or - `created`). - in: query - name: sort_field - schema: - $ref: '#/components/schemas/Security_Timeline_API_SortFieldTimeline' - - description: Whether to sort the results `ascending` or `descending` - in: query - name: sort_order - schema: - enum: - - asc - - desc - type: string - - description: How many results should returned at once - in: query - name: page_size - schema: - nullable: true - type: string - - description: How many pages should be skipped - in: query - name: page_index - schema: - nullable: true - type: string - - description: Allows to search for timelines by their title - in: query - name: search - schema: - nullable: true - type: string - - description: >- - Filter by timeline lifecycle state (`active`, `draft`, or - `immutable`). 
- in: query - name: status - schema: - $ref: '#/components/schemas/Security_Timeline_API_TimelineStatus' - nullable: true - responses: - '200': - content: - application/json: - examples: - timelineList: - summary: Example list response - value: - customTemplateTimelineCount: 0 - defaultTimelineCount: 1 - elasticTemplateTimelineCount: 0 - favoriteCount: 0 - templateTimelineCount: 0 - timeline: - - savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - status: active - timelineType: default - title: Phishing investigation - updated: 1741344876825 - version: WzE0LDFd - totalCount: 1 - schema: + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown type: object + - additionalProperties: false properties: - customTemplateTimelineCount: - description: The amount of custom Timeline templates in the results - example: 2 - type: number - defaultTimelineCount: - description: The amount of `default` type Timelines in the results - example: 90 - type: number - elasticTemplateTimelineCount: - description: The amount of Elastic's Timeline templates in the results - example: 8 - type: number - favoriteCount: - description: The amount of favorited Timelines - example: 5 - type: number - templateTimelineCount: - description: The amount of Timeline templates in the results - example: 10 - type: number - timeline: - items: - $ref: >- - #/components/schemas/Security_Timeline_API_TimelineResponse - type: array - totalCount: - description: The total amount of results - example: 100 - type: number + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - 
url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string required: - - timeline - - totalCount - description: Indicates a successful call. - '400': - content: - application/json: - examples: - badRequest: - summary: Error response body - value: - body: get timeline error - statusCode: 400 - schema: + - url + - label + - trigger + - type + title: url_drilldown type: object - properties: - body: - description: The error message. - example: get timeline error + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + hide_border: + type: boolean + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. + type: boolean + metrics: + description: Array of metrics to display as columns in the datatable + items: + anyOf: + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableMetricCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableMetricUniqueCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableMetricStatsMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableMetricSumMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableMetricLastValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableMetricPercentile' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableMetricPercentileRanks' + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableMetricDifferences' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableMetricMovingAverage' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableMetricCumulativeSum' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableMetricCounterRate' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableMetricFormula' + maxItems: 1000 + 
minItems: 1 + type: array + query: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + rows: + description: Array of operations to split the datatable rows by + items: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableRowDateHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableRowTerms' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableRowHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableRowRanges' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableRowFilters' + maxItems: 50 + minItems: 1 + type: array + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). + maximum: 1 + minimum: 0 + type: number + split_metrics_by: + description: Array of operations to split the metric columns by + items: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_dateHistogramOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_histogramOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rangesOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_filtersOperation' + description: Breakdown dimension configuration using date histogram, terms, numeric histogram, value ranges, or custom filters. + title: Breakdown Operation + maxItems: 20 + minItems: 1 + type: array + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableStyling' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + type: + enum: + - data_table + type: string + required: + - type + - data_source + - metrics + title: Datatable (DSL) + type: object + Kibana_HTTP_APIs_datatableRowDateHistogram: + additionalProperties: false + properties: + alignment: + description: Alignment of the rows. 
+ enum: + - left + - center + - right + type: string + apply_color_to: + description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' + enum: + - value + - background + - badge + type: string + click_filter: + description: When `true`, enables one-click filtering on cell values. + type: boolean + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + drop_partial_intervals: + description: When `true`, drops partial intervals from the results. + type: boolean + field: + description: Field to be used for the date histogram. + type: string + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. + type: boolean + label: + description: Label for the operation + type: string + operation: + enum: + - date_histogram + type: string + suggested_interval: + default: auto + description: Suggested time interval. + type: string + use_original_time_range: + default: false + description: When `true`, uses the original time range instead of the current query time range. + type: boolean + visible: + description: When `false`, hides the column from the datatable. + type: boolean + width: + description: Column width in pixels. + minimum: 0 + type: number + required: + - operation + - field + title: Date Histogram Operation + type: object + Kibana_HTTP_APIs_datatableRowFilters: + additionalProperties: false + properties: + alignment: + description: Alignment of the rows. + enum: + - left + - center + - right + type: string + apply_color_to: + description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' + enum: + - value + - background + - badge + type: string + click_filter: + description: When `true`, enables one-click filtering on cell values. 
+ type: boolean + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + filters: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterWithLabel' + maxItems: 100 + type: array + label: + description: Label for the operation + type: string + operation: + enum: + - filters + type: string + visible: + description: When `false`, hides the column from the datatable. + type: boolean + width: + description: Column width in pixels. + minimum: 0 + type: number + required: + - operation + - filters + title: Filters Operation + type: object + Kibana_HTTP_APIs_datatableRowHistogram: + additionalProperties: false + properties: + alignment: + description: Alignment of the rows. + enum: + - left + - center + - right + type: string + apply_color_to: + description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' + enum: + - value + - background + - badge + type: string + click_filter: + description: When `true`, enables one-click filtering on cell values. + type: boolean + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the histogram. + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + granularity: + anyOf: + - description: Granularity of the histogram. + maximum: 7 + minimum: 1 + type: number + - enum: + - auto + type: string + default: auto + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. 
+ type: boolean + label: + description: Label for the operation + type: string + operation: + enum: + - histogram + type: string + visible: + description: When `false`, hides the column from the datatable. + type: boolean + width: + description: Column width in pixels. + minimum: 0 + type: number + required: + - operation + - field + title: Histogram Operation + type: object + Kibana_HTTP_APIs_datatableRowRanges: + additionalProperties: false + properties: + alignment: + description: Alignment of the rows. + enum: + - left + - center + - right + type: string + apply_color_to: + description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' + enum: + - value + - background + - badge + type: string + click_filter: + description: When `true`, enables one-click filtering on cell values. + type: boolean + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the range. + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - range + type: string + ranges: + items: + additionalProperties: false + type: object + properties: + gt: + description: Greater than. + type: number + label: + description: Label. + type: string + lte: + description: Less than or equal to. + type: number + maxItems: 100 + type: array + visible: + description: When `false`, hides the column from the datatable. + type: boolean + width: + description: Column width in pixels. + minimum: 0 + type: number + required: + - operation + - field + - ranges + title: Ranges Operation + type: object + Kibana_HTTP_APIs_datatableRowTerms: + additionalProperties: false + properties: + alignment: + description: Alignment of the rows. 
+ enum: + - left + - center + - right + type: string + apply_color_to: + description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' + enum: + - value + - background + - badge + type: string + click_filter: + description: When `true`, enables one-click filtering on cell values. + type: boolean + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + excludes: + additionalProperties: false + type: object + properties: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to exclude. + type: string + maxItems: 100 + type: array + required: + - values + fields: + items: + description: Fields to be used for the terms. + type: string + maxItems: 4 + minItems: 1 + type: array + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + includes: + additionalProperties: false + type: object + properties: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to include. + type: string + maxItems: 100 + type: array + required: + - values + increase_accuracy: + description: When `true`, increases accuracy at the cost of performance. + type: boolean + label: + description: Label for the operation + type: string + limit: + default: 5 + description: Number of terms to return. + type: number + operation: + enum: + - terms + type: string + other_bucket: + additionalProperties: false + type: object + properties: + include_documents_without_field: + description: When `true`, includes documents that do not have the specified field. 
+ type: boolean + required: + - include_documents_without_field + rank_by: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByAlphabetical' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByRare' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankBySignificant' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomCountOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileRankOperation' + visible: + description: When `false`, hides the column from the datatable. + type: boolean + width: + description: Column width in pixels. + minimum: 0 + type: number + required: + - operation + - fields + title: Terms Operation + type: object + Kibana_HTTP_APIs_datatableStyling: + additionalProperties: false + description: Visual chart styling options + properties: + density: + $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableDensity' + paging: + description: Rows per page. When set, pagination is enabled with the specified number of rows. + enum: + - 10 + - 20 + - 30 + - 50 + - 100 + type: integer + row_numbers: + additionalProperties: false + description: Configuration for row numbers + type: object + properties: + visible: + description: When `true`, displays row numbers. + type: boolean + required: + - visible + sort_by: + anyOf: + - additionalProperties: false + description: Sort by a metric or row column + type: object + properties: + column_type: + description: Type of column to sort by. + enum: + - metric + - row + type: string + direction: + $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_direction' + index: + description: Index of the column or row to sort by (0-based). 
+ minimum: 0 + type: number + required: + - column_type + - index + - direction + - additionalProperties: false + description: Sort by a pivoted metric column (created when metrics are pivoted by split_metrics_by) + type: object + properties: + column_type: + enum: + - pivoted_metric + type: string + direction: + $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_direction' + index: + description: 0-based index into the "metrics" array for the metric to sort; use "values" to identify the pivoted column + minimum: 0 + type: number + values: + description: Array of pivot values, one for each split_metrics_by column in order + items: type: string - statusCode: - example: 400 - type: number - description: Bad Request response. - summary: Get Timelines or Timeline templates - tags: - - Security Timeline API - - access:securitySolution - /s/{spaceId}/api/observability/slos: - get: - description: > - You must have the `read` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. - operationId: findSlosOp - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - - description: A valid kql query to filter the SLO with - example: 'slo.name:latency* and slo.tags : "prod"' - in: query - name: kqlQuery - schema: + maxItems: 20 + minItems: 1 + type: array + required: + - column_type + - index + - values + - direction + description: Sorting configuration. Only one column can be sorted at a time. Use "column_type" to specify the column type. + title: Datatable styling + type: object + Kibana_HTTP_APIs_dateHistogramOperation: + additionalProperties: false + properties: + drop_partial_intervals: + description: When `true`, drops partial intervals from the results. + type: boolean + field: + description: Field to be used for the date histogram. + type: string + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. 
+ type: boolean + label: + description: Label for the operation + type: string + operation: + enum: + - date_histogram + type: string + suggested_interval: + default: auto + description: Suggested time interval. + type: string + use_original_time_range: + default: false + description: When `true`, uses the original time range instead of the current query time range. + type: boolean + required: + - operation + - field + title: Date Histogram Operation + type: object + Kibana_HTTP_APIs_delete_agent_policy_request: + additionalProperties: false + properties: + agentPolicyId: + description: The ID of the agent policy + type: string + force: + description: bypass validation checks that can prevent agent policy deletion + type: boolean + required: + - agentPolicyId + title: delete_agent_policy_request + type: object + Kibana_HTTP_APIs_delete_agent_policy_response: + additionalProperties: false + properties: + id: + type: string + name: + type: string + required: + - id + - name + title: delete_agent_policy_response + type: object + Kibana_HTTP_APIs_delete_enrollment_api_key_response: + additionalProperties: false + properties: + action: + enum: + - deleted + type: string + required: + - action + title: delete_enrollment_api_key_response + type: object + Kibana_HTTP_APIs_delete_one_package_policy_response: + additionalProperties: false + properties: + id: + type: string + required: + - id + title: delete_one_package_policy_response + type: object + Kibana_HTTP_APIs_delete_package_datastream_assets_response: + additionalProperties: false + properties: + success: + type: boolean + required: + - success + title: delete_package_datastream_assets_response + type: object + Kibana_HTTP_APIs_delete_package_policies_request: + additionalProperties: false + properties: + force: + type: boolean + packagePolicyIds: + items: type: string - - description: >- - The page size to use for cursor-based pagination, must be greater or - equal than 1 - example: 1 - in: query - name: size - 
schema: - default: 1 - type: integer - - description: >- - The cursor to use for fetching the results from, when using a - cursor-base pagination. - in: query - name: searchAfter - schema: - items: - type: string - type: array - - description: The page to use for pagination, must be greater or equal than 1 - example: 1 - in: query - name: page - schema: - default: 1 - type: integer - - description: Number of SLOs returned by page - example: 25 - in: query - name: perPage - schema: - default: 25 - maximum: 5000 - type: integer - - description: Sort by field - example: status - in: query - name: sortBy - schema: - default: status - enum: - - sli_value - - status - - error_budget_consumed - - error_budget_remaining + maxItems: 1000 + type: array + required: + - packagePolicyIds + title: delete_package_policies_request + type: object + Kibana_HTTP_APIs_delete_package_response: + additionalProperties: false + properties: + items: + items: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kibana_asset_reference' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_es_asset_reference' + maxItems: 10000 + type: array + required: + - items + title: delete_package_response + type: object + Kibana_HTTP_APIs_deprecation_info: + additionalProperties: false + properties: + description: + type: string + replaced_by: + additionalProperties: type: string - - description: Sort order - example: asc - in: query - name: sortDirection - schema: - default: asc - enum: - - asc - - desc + type: object + since: + type: string + required: + - description + title: deprecation_info + type: object + Kibana_HTTP_APIs_differencesOperation: + additionalProperties: false + properties: + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - differences 
+ type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - operation + - of + title: Differences Operation + type: object + Kibana_HTTP_APIs_dry_run_package_policies_request: + additionalProperties: false + properties: + packagePolicyIds: + items: type: string - - description: >- - Hide stale SLOs from the list as defined by stale SLO threshold in - SLO settings - in: query - name: hideStale - schema: - type: boolean - responses: - '200': - content: - application/json: - examples: - findSloResponse: - summary: A paginated list of SLOs - value: - page: 1 - perPage: 25 - results: - - budgetingMethod: occurrences - createdAt: '2025-01-12T10:03:19.000Z' - description: Availability of my web service - enabled: true - groupBy: '*' - id: 8853df00-ae2e-11ed-90af-09bb6422b258 - indicator: - params: - filter: >- - field.environment : "production" and service.name - : "my-service" - good: 'request.status_code : "2xx"' - index: logs-* - timestampField: '@timestamp' - total: 'request.status_code : *' - type: sli.kql.custom - instanceId: '*' - name: My Service Availability - objective: - target: 0.99 - revision: 1 - settings: - frequency: 5m - syncDelay: 5m - summary: - errorBudget: - consumed: 0.17 - initial: 0.01 - isEstimated: false - remaining: 0.83 - sliValue: 0.9983 - status: HEALTHY - tags: - - production - - web-service - timeWindow: - duration: 30d - type: rolling - updatedAt: '2025-01-12T10:03:19.000Z' - version: 2 - total: 42 - schema: - $ref: '#/components/schemas/SLOs_find_slo_response' - description: Successful request - '400': - content: - application/json: - examples: - badRequestExample: - summary: Bad request - value: - error: Bad Request - message: 'Invalid value ''invalid'' supplied to: sortBy' 
- statusCode: 400 - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json: - examples: - unauthorizedExample: - summary: Unauthorized - value: - error: Unauthorized - message: >- - security_exception: unable to authenticate user for REST - request [/api/observability/slos] - statusCode: 401 - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json: - examples: - forbiddenExample: - summary: Forbidden - value: - error: Forbidden - message: >- - security_exception: action [slo_read] is unauthorized for - user - statusCode: 403 - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Forbidden response - '404': - content: - application/json: - examples: - notFoundExample: - summary: Not found - value: - error: Not Found - message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found - statusCode: 404 - schema: - $ref: '#/components/schemas/SLOs_404_response' - description: Not found response - summary: Get a paginated list of SLOs - tags: - - slo - post: - description: > - You must have `all` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. 
- operationId: createSloOp - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - requestBody: - content: - application/json: - examples: - createSloKqlExample: - summary: Create an SLO with a KQL indicator - value: - budgetingMethod: occurrences - description: >- - Availability of my web service measured by successful HTTP - responses - indicator: - params: - filter: >- - field.environment : "production" and service.name : - "my-service" - good: 'request.status_code : "2xx"' - index: logs-* - timestampField: '@timestamp' - total: 'request.status_code : *' - type: sli.kql.custom - name: My Service Availability - objective: - target: 0.99 - settings: - frequency: 5m - syncDelay: 5m - tags: - - production - - web-service - timeWindow: - duration: 30d - type: rolling - schema: - $ref: '#/components/schemas/SLOs_create_slo_request' - required: true - responses: - '200': - content: - application/json: - examples: - createSloResponse: - summary: Create SLO response - value: - id: 8853df00-ae2e-11ed-90af-09bb6422b258 - schema: - $ref: '#/components/schemas/SLOs_create_slo_response' - description: Successful request - '400': - content: - application/json: - examples: - badRequestExample: - summary: Bad request - value: - error: Bad Request - message: 'Invalid value ''foo'' supplied to: indicator/type' - statusCode: 400 - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json: - examples: - unauthorizedExample: - summary: Unauthorized - value: - error: Unauthorized - message: >- - security_exception: unable to authenticate user for REST - request [/api/observability/slos] - statusCode: 401 - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json: - examples: - forbiddenExample: - summary: Forbidden - value: - error: Forbidden - message: >- - security_exception: action 
[slo_write] is unauthorized for - user - statusCode: 403 - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Forbidden response - '409': - content: - application/json: - examples: - conflictExample: - summary: Conflict - value: - error: Conflict - message: SLO [d077e940-1515-11ee-9c50-9d096392f520] already exists - statusCode: 409 - schema: - $ref: '#/components/schemas/SLOs_409_response' - description: Conflict - The SLO id already exists - summary: Create an SLO - tags: - - slo - /s/{spaceId}/api/observability/slos/_bulk_delete: - post: - description: > - Bulk delete SLO definitions and their associated summary and rollup - data. This endpoint initiates a bulk deletion operation for SLOs, which - may take some time to complete. The status of the operation can be - checked using the `GET /api/slo/_bulk_delete/{taskId}` endpoint. - operationId: bulkDeleteOp - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - requestBody: - content: - application/json: - examples: - bulkDeleteRequest: - summary: Bulk delete two SLOs - value: - list: - - 8853df00-ae2e-11ed-90af-09bb6422b258 - - d077e940-1515-11ee-9c50-9d096392f520 - schema: - $ref: '#/components/schemas/SLOs_bulk_delete_request' - required: true - responses: - '200': - content: - application/json: - examples: - bulkDeleteResponse: - summary: Bulk delete response with task ID - value: - taskId: d08506b7-f0e8-4f8b-a06a-a83940f4db91 - schema: - $ref: '#/components/schemas/SLOs_bulk_delete_response' - description: Successful response - '400': - content: - application/json: - examples: - badRequestExample: - summary: Bad request - value: - error: Bad Request - message: 'Invalid value ''foo'' supplied to: list' - statusCode: 400 - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json: - examples: - unauthorizedExample: - summary: Unauthorized - value: - error: 
Unauthorized - message: >- - security_exception: unable to authenticate user for REST - request [/api/observability/slos] - statusCode: 401 - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json: - examples: - forbiddenExample: - summary: Forbidden - value: - error: Forbidden - message: >- - security_exception: action [slo_write] is unauthorized for - user - statusCode: 403 - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Forbidden response - summary: >- - Bulk delete SLO definitions and their associated summary and rollup - data. - tags: - - slo - /s/{spaceId}/api/observability/slos/_bulk_delete/{taskId}: - get: - description: > - Retrieve the status of the bulk deletion operation for SLOs. This - endpoint returns the status of the bulk deletion operation, including - whether it is completed and the results of the operation. - operationId: bulkDeleteStatusOp - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - - description: The task id of the bulk delete operation - in: path - name: taskId - required: true - schema: - example: 8853df00-ae2e-11ed-90af-09bb6422b258 + maxItems: 1000 + type: array + packageVersion: + type: string + required: + - packagePolicyIds + title: dry_run_package_policies_request + type: object + Kibana_HTTP_APIs_dry_run_package_policy: + additionalProperties: true + properties: + additional_datastreams_permissions: + description: Additional data stream permissions that will be added to the agent policy. 
+ items: type: string - responses: - '200': - content: - application/json: - examples: - bulkDeleteStatusComplete: - summary: Completed bulk deletion - value: - isDone: true - results: - - id: 8853df00-ae2e-11ed-90af-09bb6422b258 - success: true - - id: d077e940-1515-11ee-9c50-9d096392f520 - success: true - bulkDeleteStatusPartialFailure: - summary: Completed with partial failure - value: - isDone: true - results: - - id: 8853df00-ae2e-11ed-90af-09bb6422b258 - success: true - - error: SLO [d077e940-1515-11ee-9c50-9d096392f520] not found - id: d077e940-1515-11ee-9c50-9d096392f520 - success: false - schema: - $ref: '#/components/schemas/SLOs_bulk_delete_status_response' - description: Successful response - '400': - content: - application/json: - examples: - badRequestExample: - summary: Bad request - value: - error: Bad Request - message: 'Invalid value ''foo'' supplied to: taskId' - statusCode: 400 - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json: - examples: - unauthorizedExample: - summary: Unauthorized - value: - error: Unauthorized - message: >- - security_exception: unable to authenticate user for REST - request [/api/observability/slos] - statusCode: 401 - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json: - examples: - forbiddenExample: - summary: Forbidden - value: - error: Forbidden - message: >- - security_exception: action [slo_write] is unauthorized for - user - statusCode: 403 - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Forbidden response - summary: Retrieve the status of the bulk deletion - tags: - - slo - /s/{spaceId}/api/observability/slos/_bulk_purge_rollup: - post: - description: > - The deletion occurs for the specified list of `sloId`. You must have - `all` privileges for the **SLOs** feature in the **Observability** - section of the Kibana feature privileges. 
- operationId: deleteRollupDataOp - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - requestBody: - content: - application/json: - examples: - purgeByAgeExample: - summary: Purge rollup data older than 7 days - value: - list: - - 8853df00-ae2e-11ed-90af-09bb6422b258 - purgePolicy: - age: 7d - purgeType: fixed-age - purgeByTimestampExample: - summary: Purge rollup data before a specific date - value: - list: - - 8853df00-ae2e-11ed-90af-09bb6422b258 - - d077e940-1515-11ee-9c50-9d096392f520 - purgePolicy: - purgeType: fixed-time - timestamp: '2024-12-31T00:00:00.000Z' - schema: - $ref: '#/components/schemas/SLOs_bulk_purge_rollup_request' - required: true - responses: - '200': - content: - application/json: - examples: - bulkPurgeResponse: - summary: Bulk purge response with task ID - value: - taskId: 8853df00-ae2e-11ed-90af-09bb6422b258 - schema: - $ref: '#/components/schemas/SLOs_bulk_purge_rollup_response' - description: Successful request - '400': - content: - application/json: - examples: - badRequestExample: - summary: Bad request - value: - error: Bad Request - message: 'Invalid value ''foo'' supplied to: purgePolicy/purgeType' - statusCode: 400 - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json: - examples: - unauthorizedExample: - summary: Unauthorized - value: - error: Unauthorized - message: >- - security_exception: unable to authenticate user for REST - request [/api/observability/slos] - statusCode: 401 - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json: - examples: - forbiddenExample: - summary: Forbidden - value: - error: Forbidden - message: >- - security_exception: action [slo_write] is unauthorized for - user - statusCode: 403 - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Forbidden response - summary: 
Batch delete rollup and summary data - tags: - - slo - /s/{spaceId}/api/observability/slos/_delete_instances: - post: - description: > - The deletion occurs for the specified list of `sloId` and `instanceId`. - You must have `all` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. - operationId: deleteSloInstancesOp - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - requestBody: - content: - application/json: - examples: - deleteInstancesExample: - summary: Delete specific SLO instances - value: - list: - - instanceId: host-abc123 - sloId: 8853df00-ae2e-11ed-90af-09bb6422b258 - - instanceId: host-def456 - sloId: 8853df00-ae2e-11ed-90af-09bb6422b258 - schema: - $ref: '#/components/schemas/SLOs_delete_slo_instances_request' - required: true - responses: - '204': - description: Successful request - '400': - content: - application/json: - examples: - badRequestExample: - summary: Bad request - value: - error: Bad Request - message: 'Invalid value ''foo'' supplied to: list/0/sloId' - statusCode: 400 - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json: - examples: - unauthorizedExample: - summary: Unauthorized - value: - error: Unauthorized - message: >- - security_exception: unable to authenticate user for REST - request [/api/observability/slos] - statusCode: 401 - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json: - examples: - forbiddenExample: - summary: Forbidden - value: - error: Forbidden - message: >- - security_exception: action [slo_write] is unauthorized for - user - statusCode: 403 - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Forbidden response - summary: Batch delete rollup and summary data - tags: - - slo - /s/{spaceId}/api/observability/slos/{sloId}: - 
delete: - description: > - You must have the `write` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. - operationId: deleteSloOp - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - - $ref: '#/components/parameters/SLOs_slo_id' - responses: - '204': - description: Successful request - '400': - content: - application/json: - examples: - badRequestExample: - summary: Bad request - value: - error: Bad Request - message: 'Invalid value ''foo'' supplied to: id' - statusCode: 400 - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json: - examples: - unauthorizedExample: - summary: Unauthorized - value: - error: Unauthorized - message: >- - security_exception: unable to authenticate user for REST - request [/api/observability/slos] - statusCode: 401 - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json: - examples: - forbiddenExample: - summary: Forbidden - value: - error: Forbidden - message: >- - security_exception: action [slo_write] is unauthorized for - user - statusCode: 403 - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Forbidden response - '404': - content: - application/json: - examples: - notFoundExample: - summary: Not found - value: - error: Not Found - message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found - statusCode: 404 - schema: - $ref: '#/components/schemas/SLOs_404_response' - description: Not found response - summary: Delete an SLO - tags: - - slo - get: - description: > - You must have the `read` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. 
- operationId: getSloOp - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - - $ref: '#/components/parameters/SLOs_slo_id' - - description: the specific instanceId used by the summary calculation - example: host-abcde - in: query - name: instanceId - schema: + maxItems: 1000 + nullable: true + type: array + cloud_connector_id: + description: ID of the cloud connector associated with this package policy. + nullable: true + type: string + cloud_connector_name: + description: Transient field for cloud connector name during creation. + maxLength: 255 + minLength: 1 + nullable: true + type: string + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this integration to its inputs.' + type: string + created_at: + type: string + created_by: + type: string + description: + description: Package policy description + type: string + elasticsearch: + additionalProperties: true + type: object + properties: + privileges: + additionalProperties: true + type: object + properties: + cluster: + items: + type: string + maxItems: 100 + type: array + enabled: + type: boolean + errors: + items: + additionalProperties: false + type: object + properties: + key: + type: string + message: + type: string + required: + - message + maxItems: 10 + type: array + force: + type: boolean + global_data_tags: + items: + additionalProperties: false + type: object + properties: + name: + description: The name of the custom field. Cannot contain spaces. + type: string + value: + anyOf: + - type: string + - type: number + description: The value of the custom field. + required: + - name + - value + maxItems: 100 + nullable: true + type: array + id: + type: string + inputs: + items: + additionalProperties: false + type: object + properties: + compiled_input: + nullable: true + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' 
+ type: string + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + name: + type: string + policy_template: + type: string + streams: + items: + additionalProperties: false + type: object + properties: + compiled_stream: + nullable: true + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' + type: string + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + data_stream: + additionalProperties: false + type: object + properties: + dataset: + type: string + elasticsearch: + additionalProperties: false + type: object + properties: + dynamic_dataset: + type: boolean + dynamic_namespace: + type: boolean + privileges: + additionalProperties: false + type: object + properties: + indices: + items: + type: string + maxItems: 100 + type: array + type: + type: string + required: + - dataset + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + release: + enum: + - ga + - beta + - experimental + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. 
+ type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - enabled + - data_stream + - compiled_stream + maxItems: 1000 + type: array + type: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - type + - enabled + - streams + - compiled_input + maxItems: 100 + type: array + is_managed: + type: boolean + missingVars: + items: type: string - responses: - '200': - content: - application/json: - examples: - getSloResponse: - summary: Get SLO response - value: - budgetingMethod: occurrences - createdAt: '2025-01-12T10:03:19.000Z' - description: Availability of my web service - enabled: true - groupBy: '*' - id: 8853df00-ae2e-11ed-90af-09bb6422b258 - indicator: - params: - filter: >- - field.environment : "production" and service.name : - "my-service" - good: 'request.status_code : "2xx"' - index: logs-* - timestampField: '@timestamp' - total: 'request.status_code : *' - type: sli.kql.custom - instanceId: '*' - name: My Service Availability - objective: - target: 0.99 - revision: 1 - settings: - frequency: 5m - syncDelay: 5m - summary: - errorBudget: - consumed: 0.17 - initial: 0.01 - isEstimated: false - remaining: 0.83 - sliValue: 0.9983 - status: HEALTHY - tags: - - production - - web-service - timeWindow: - duration: 30d - type: rolling - updatedAt: 
'2025-01-12T10:03:19.000Z' - version: 2 - schema: - $ref: '#/components/schemas/SLOs_slo_with_summary_response' - description: Successful request - '400': - content: - application/json: - examples: - badRequestExample: - summary: Bad request - value: - error: Bad Request - message: 'Invalid value ''foo'' supplied to: id' - statusCode: 400 - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json: - examples: - unauthorizedExample: - summary: Unauthorized - value: - error: Unauthorized - message: >- - security_exception: unable to authenticate user for REST - request [/api/observability/slos] - statusCode: 401 - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json: - examples: - forbiddenExample: - summary: Forbidden - value: - error: Forbidden - message: >- - security_exception: action [slo_read] is unauthorized for - user - statusCode: 403 - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Forbidden response - '404': - content: - application/json: - examples: - notFoundExample: - summary: Not found - value: - error: Not Found - message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found - statusCode: 404 - schema: - $ref: '#/components/schemas/SLOs_404_response' - description: Not found response - summary: Get an SLO - tags: - - slo - put: - description: > - You must have the `write` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. 
- operationId: updateSloOp - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - - $ref: '#/components/parameters/SLOs_slo_id' - requestBody: - content: - application/json: - examples: - updateSloNameExample: - summary: Update the SLO name and tags - value: - name: Updated Service Availability - tags: - - production - - updated - updateSloObjectiveExample: - summary: Update the SLO objective - value: - objective: - target: 0.995 - schema: - $ref: '#/components/schemas/SLOs_update_slo_request' - required: true - responses: - '200': - content: - application/json: - examples: - updateSloResponse: - summary: Update SLO response - value: - budgetingMethod: occurrences - createdAt: '2025-01-12T10:03:19.000Z' - description: Availability of my web service - enabled: true - groupBy: '*' - id: 8853df00-ae2e-11ed-90af-09bb6422b258 - indicator: - params: - filter: >- - field.environment : "production" and service.name : - "my-service" - good: 'request.status_code : "2xx"' - index: logs-* - timestampField: '@timestamp' - total: 'request.status_code : *' - type: sli.kql.custom - name: Updated Service Availability - objective: - target: 0.99 - revision: 2 - settings: - frequency: 5m - syncDelay: 5m - tags: - - production - - updated - timeWindow: - duration: 30d - type: rolling - updatedAt: '2025-03-26T14:30:00.000Z' - version: 2 - schema: - $ref: '#/components/schemas/SLOs_slo_definition_response' - description: Successful request - '400': - content: - application/json: - examples: - badRequestExample: - summary: Bad request - value: - error: Bad Request - message: 'Invalid value ''foo'' supplied to: indicator/type' - statusCode: 400 - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json: - examples: - unauthorizedExample: - summary: Unauthorized - value: - error: Unauthorized - message: >- - security_exception: unable to authenticate user for REST 
- request [/api/observability/slos] - statusCode: 401 - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json: - examples: - forbiddenExample: - summary: Forbidden - value: - error: Forbidden - message: >- - security_exception: action [slo_write] is unauthorized for - user - statusCode: 403 - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Forbidden response - '404': - content: - application/json: - examples: - notFoundExample: - summary: Not found - value: - error: Not Found - message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found - statusCode: 404 - schema: - $ref: '#/components/schemas/SLOs_404_response' - description: Not found response - summary: Update an SLO - tags: - - slo - /s/{spaceId}/api/observability/slos/{sloId}/_reset: - post: - description: > - You must have the `write` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. 
- operationId: resetSloOp - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - - $ref: '#/components/parameters/SLOs_slo_id' - responses: - '200': - content: - application/json: - examples: - resetSloResponse: - summary: Reset SLO response - value: - budgetingMethod: occurrences - createdAt: '2025-01-12T10:03:19.000Z' - description: Availability of my web service - enabled: true - groupBy: '*' - id: 8853df00-ae2e-11ed-90af-09bb6422b258 - indicator: - params: - filter: >- - field.environment : "production" and service.name : - "my-service" - good: 'request.status_code : "2xx"' - index: logs-* - timestampField: '@timestamp' - total: 'request.status_code : *' - type: sli.kql.custom - name: My Service Availability - objective: - target: 0.99 - revision: 2 - settings: - frequency: 5m - syncDelay: 5m - tags: - - production - - web-service - timeWindow: - duration: 30d - type: rolling - updatedAt: '2025-03-26T14:30:00.000Z' - version: 2 - schema: - $ref: '#/components/schemas/SLOs_slo_definition_response' - description: Successful request - '400': - content: - application/json: - examples: - badRequestExample: - summary: Bad request - value: - error: Bad Request - message: 'Invalid value ''foo'' supplied to: id' - statusCode: 400 - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json: - examples: - unauthorizedExample: - summary: Unauthorized - value: - error: Unauthorized - message: >- - security_exception: unable to authenticate user for REST - request [/api/observability/slos] - statusCode: 401 - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json: - examples: - forbiddenExample: - summary: Forbidden - value: - error: Forbidden - message: >- - security_exception: action [slo_write] is unauthorized for - user - statusCode: 403 - schema: - $ref: 
'#/components/schemas/SLOs_403_response' - description: Forbidden response - '404': - content: - application/json: - examples: - notFoundExample: - summary: Not found - value: - error: Not Found - message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found - statusCode: 404 - schema: - $ref: '#/components/schemas/SLOs_404_response' - description: Not found response - summary: Reset an SLO - tags: - - slo - /s/{spaceId}/api/observability/slos/{sloId}/disable: - post: - description: > - You must have the `write` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. - operationId: disableSloOp - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - - $ref: '#/components/parameters/SLOs_slo_id' - responses: - '204': - description: Successful request - '400': - content: - application/json: - examples: - badRequestExample: - summary: Bad request - value: - error: Bad Request - message: 'Invalid value ''foo'' supplied to: id' - statusCode: 400 - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json: - examples: - unauthorizedExample: - summary: Unauthorized - value: - error: Unauthorized - message: >- - security_exception: unable to authenticate user for REST - request [/api/observability/slos] - statusCode: 401 - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json: - examples: - forbiddenExample: - summary: Forbidden - value: - error: Forbidden - message: >- - security_exception: action [slo_write] is unauthorized for - user - statusCode: 403 - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Forbidden response - '404': - content: - application/json: - examples: - notFoundExample: - summary: Not found - value: - error: Not Found - message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not 
found - statusCode: 404 - schema: - $ref: '#/components/schemas/SLOs_404_response' - description: Not found response - summary: Disable an SLO - tags: - - slo - /s/{spaceId}/api/observability/slos/{sloId}/enable: - post: - description: > - You must have the `write` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. - operationId: enableSloOp - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - - $ref: '#/components/parameters/SLOs_slo_id' - responses: - '204': - description: Successful request - '400': - content: - application/json: - examples: - badRequestExample: - summary: Bad request - value: - error: Bad Request - message: 'Invalid value ''foo'' supplied to: id' - statusCode: 400 - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json: - examples: - unauthorizedExample: - summary: Unauthorized - value: - error: Unauthorized - message: >- - security_exception: unable to authenticate user for REST - request [/api/observability/slos] - statusCode: 401 - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json: - examples: - forbiddenExample: - summary: Forbidden - value: - error: Forbidden - message: >- - security_exception: action [slo_write] is unauthorized for - user - statusCode: 403 - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Forbidden response - '404': - content: - application/json: - examples: - notFoundExample: - summary: Not found - value: - error: Not Found - message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found - statusCode: 404 - schema: - $ref: '#/components/schemas/SLOs_404_response' - description: Not found response - summary: Enable an SLO - tags: - - slo - /s/{spaceId}/internal/observability/slos/_definitions: - get: - description: > - You must have 
the `read` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. - operationId: getDefinitionsOp - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - - description: >- - Indicates if the API returns only outdated SLO or all SLO - definitions - in: query - name: includeOutdatedOnly - schema: - type: boolean - - description: Indicates if the API returns SLO health data with definitions - example: true - in: query - name: includeHealth - schema: - type: boolean - - description: Filters the SLOs by tag - in: query - name: tags - schema: + maxItems: 100 + type: array + name: + description: Unique name for the package policy. + type: string + namespace: + description: The package policy namespace. Leave blank to inherit the agent policy's namespace. + type: string + output_id: + nullable: true + type: string + overrides: + additionalProperties: false + description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. + nullable: true + type: object + properties: + inputs: + additionalProperties: + nullable: true + type: object + package: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_package' + package_agent_version_condition: + type: string + policy_id: + deprecated: true + description: ID of the agent policy which the package policy will be added to. + nullable: true + type: string + policy_ids: + items: + description: IDs of the agent policies that the package policy will be added to. + type: string + maxItems: 1000 + type: array + revision: + type: number + secret_references: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 1000 + type: array + supports_agentless: + default: false + description: Indicates whether the package policy belongs to an agentless agent policy. 
+ nullable: true + type: boolean + supports_cloud_connector: + default: false + description: Indicates whether the package policy supports cloud connectors. + nullable: true + type: boolean + updated_at: + type: string + updated_by: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + version: + description: Package policy ES version. + type: string + required: + - name + - enabled + - inputs + title: dry_run_package_policy + type: object + Kibana_HTTP_APIs_durationFormat: + additionalProperties: false + description: Duration format between time units. + properties: + from: + description: Source time unit for conversion, for example `milliseconds`, `seconds`, `minutes`, `hours`, or `days`. + type: string + suffix: + description: Suffix appended to the formatted value. + type: string + to: + description: Display time unit after conversion, for example `seconds`, `minutes`, `hours`, or `days`. + type: string + type: + enum: + - duration + type: string + required: + - type + - from + - to + title: Duration Format + type: object + Kibana_HTTP_APIs_enrollment_api_key: + additionalProperties: false + properties: + active: + description: When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents. + type: boolean + api_key: + description: The enrollment API key (token) used for enrolling Elastic Agents. + type: string + api_key_id: + description: The ID of the API key in the Security API. 
+ type: string + created_at: + type: string + hidden: + type: boolean + id: + type: string + name: + description: The name of the enrollment API key. + type: string + policy_id: + description: The ID of the agent policy the Elastic Agent will be enrolled in. + type: string + required: + - id + - api_key_id + - api_key + - active + - created_at + title: enrollment_api_key + type: object + Kibana_HTTP_APIs_enrollment_api_key_response: + additionalProperties: false + properties: + action: + enum: + - created + type: string + item: + $ref: '#/components/schemas/Kibana_HTTP_APIs_enrollment_api_key' + required: + - item + - action + title: enrollment_api_key_response + type: object + Kibana_HTTP_APIs_es_asset_reference: + additionalProperties: false + properties: + deferred: + type: boolean + id: + type: string + type: + enum: + - index + - index_template + - component_template + - ingest_pipeline + - ilm_policy + - data_stream_ilm_policy + - transform + - ml_model + - knowledge_base + - esql_view + type: string + version: + type: string + required: + - id + - type + title: es_asset_reference + type: object + Kibana_HTTP_APIs_es-query-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. 
+ type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want the rule to run on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how frequently rule actions are triggered. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the ES query rule. 
These parameters are appropriate when `rule_type_id` is `.es-query`. + properties: + aggField: + description: The name of the numeric field that is used in the aggregation. This property is required when `aggType` is `avg`, `max`, `min` or `sum`. + minLength: 1 + type: string + aggType: + default: count + description: The type of aggregation to perform. + type: string + esqlQuery: + anyOf: + - items: {} + type: array + - type: boolean + - type: number + - type: object + - type: string + description: The query definition in Elasticsearch Query Language. + nullable: true + oneOf: + - additionalProperties: false + type: object + properties: + esql: + minLength: 1 + type: string + required: + - esql + - not: {} + esQuery: + anyOf: + - items: {} + type: array + - type: boolean + - type: number + - type: object + - type: string + nullable: true + oneOf: + - minLength: 1 + type: string + - not: {} + excludeHitsFromPreviousRun: + default: true + description: Indicates whether to exclude matches from previous runs. If `true`, you can avoid alert duplication by excluding documents that have already been detected by the previous rule run. This option is not available when a grouping field is specified. + type: boolean + groupBy: + default: all + description: Indicates whether the aggregation is applied over all documents (`all`), grouped by row (`row`), or split into groups (`top`) using a grouping field (`termField`) where only the top groups (up to `termSize` number of groups) are checked. If grouping is used, an alert will be created for each group when it exceeds the threshold. + type: string + index: + anyOf: + - items: {} + type: array + - type: boolean + - type: number + - type: object + - type: string + description: The indices to query. 
+ nullable: true + oneOf: + - items: + minLength: 1 + type: string + minItems: 1 + type: array + - not: {} + searchConfiguration: + anyOf: + - items: {} + type: array + - type: boolean + - type: number + - type: object + - type: string + description: The query definition, which uses KQL or Lucene to fetch the documents from Elasticsearch. + nullable: true + oneOf: + - additionalProperties: true + type: object + properties: {} + - not: {} + searchType: + default: esQuery + description: 'The type of query For example: `esQuery` for Elasticsearch Query DSL or `esqlQuery` for Elasticsearch Query Language (ES|QL).' + enum: + - searchSource + - esQuery + - esqlQuery + type: string + size: + description: The number of documents to pass to the configured actions when the threshold condition is met. + maximum: 10000 + minimum: 0 + type: number + sourceFields: + description: The sourceFields param is ignored. + items: + additionalProperties: false + type: object + properties: + label: + type: string + searchPath: + type: string + required: + - label + - searchPath + maxItems: 5 + type: array + termField: + anyOf: + - minLength: 1 + type: string + - items: + type: string + maxItems: 4 + minItems: 2 + type: array + description: The names of up to four fields that are used for grouping the aggregation. This property is required when `groupBy` is `top`. + termSize: + description: This property is required when `groupBy` is `top`. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields. + minimum: 1 + type: number + threshold: + items: + description: The threshold value that is used with the `thresholdComparator`. If the `thresholdComparator` is `between` or `notBetween`, you must specify the boundary values. + type: number + maxItems: 2 + minItems: 1 + type: array + thresholdComparator: + description: 'The comparison function for the threshold. 
For example: greater than, less than, greater than or equal to, between, or not between.' + enum: + - '>' + - < + - '>=' + - <= + - between + - notBetween + type: string + timeField: + anyOf: + - items: {} + type: array + - type: boolean + - type: number + - type: object + - type: string + description: The field that is used to calculate the time window. + nullable: true + oneOf: + - minLength: 1 + type: string + - minLength: 1 + type: string + timeWindowSize: + description: The size of the time window (in `timeWindowUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection. + minimum: 1 + type: number + timeWindowUnit: + description: 'The type of units for the time window. For example: seconds, minutes, hours, or days.' + type: string + required: + - size + - timeWindowSize + - timeWindowUnit + - threshold + - thresholdComparator + - timeField + - searchConfiguration + - esQuery + - index + - esqlQuery + title: ES Query Rule Params + type: object + rule_type_id: + enum: + - .es-query + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how frequently rule actions are triggered. You cannot specify the throttle interval at both the rule and action level. If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. 
+ nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: ES query + type: object + Kibana_HTTP_APIs_esqlDataSource: + additionalProperties: false + description: Uses an ES|QL query as the data source. The query is executed at render time; resulting columns are available as fields. + properties: + query: + description: 'An ES|QL query that drives the data source. The query must produce a tabular result set; column names are used as field references. Example: "FROM logs-* | STATS count = COUNT(*) BY host.name".' + type: string + type: + enum: + - esql + type: string + required: + - type + - query + title: ES|QL Data Source + type: object + Kibana_HTTP_APIs_FailureStore: + anyOf: + - additionalProperties: false + type: object + properties: + inherit: + additionalProperties: false + type: object + properties: {} + required: + - inherit + - additionalProperties: false + type: object + properties: + disabled: + additionalProperties: false + type: object + properties: {} + required: + - disabled + - additionalProperties: false + type: object + properties: + lifecycle: + additionalProperties: false + type: object + properties: + enabled: + additionalProperties: false + type: object + properties: + data_retention: + description: A non-empty string. 
+ minLength: 1 + type: string + required: + - enabled + required: + - lifecycle + - additionalProperties: false + type: object + properties: + lifecycle: + additionalProperties: false + type: object + properties: + disabled: + additionalProperties: false + type: object + properties: {} + required: + - disabled + required: + - lifecycle + Kibana_HTTP_APIs_FieldDefinition: + additionalProperties: + $ref: '#/components/schemas/Kibana_HTTP_APIs_FieldDefinitionConfig' + type: object + Kibana_HTTP_APIs_FieldDefinitionConfig: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_RecursiveRecord' + - anyOf: + - additionalProperties: false + type: object + properties: + description: + type: string + format: + description: A non-empty string. + minLength: 1 + type: string + type: + enum: + - keyword + - match_only_text + - long + - double + - date + - boolean + - ip + - geo_point + - integer + - short + - byte + - float + - half_float + - text + - wildcard + - version + - unsigned_long + - date_nanos + type: string + required: + - type + - additionalProperties: false + type: object + properties: + description: + type: string + format: + not: {} + type: + not: {} + required: + - description + - additionalProperties: false + type: object + properties: + description: + type: string + type: + enum: + - system + type: string + required: + - type + Kibana_HTTP_APIs_fieldMetricOperations: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_countMetricOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_uniqueCountMetricOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_minMaxAvgMedianStdDevMetricOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_sumMetricOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_lastValueOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_percentileOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_percentileRanksOperation' + title: Field Metric Operations + Kibana_HTTP_APIs_FilterCondition: + 
anyOf: + - additionalProperties: false + description: A condition that compares a field to a value or range using an operator as the key. + type: object + properties: + contains: + anyOf: + - type: string + - type: number + - type: boolean + description: Contains comparison value. + endsWith: + anyOf: + - type: string + - type: number + - type: boolean + description: Ends-with comparison value. + eq: + anyOf: + - type: string + - type: number + - type: boolean + description: Equality comparison value. + field: + description: The document field to filter on. + minLength: 1 + type: string + gt: + anyOf: + - type: string + - type: number + - type: boolean + description: Greater-than comparison value. + gte: + anyOf: + - type: string + - type: number + - type: boolean + description: Greater-than-or-equal comparison value. + includes: + anyOf: + - type: string + - type: number + - type: boolean + description: Checks if multivalue field includes the value. + lt: + anyOf: + - type: string + - type: number + - type: boolean + description: Less-than comparison value. + lte: + anyOf: + - type: string + - type: number + - type: boolean + description: Less-than-or-equal comparison value. + neq: + anyOf: + - type: string + - type: number + - type: boolean + description: Inequality comparison value. + range: + additionalProperties: false + description: Range comparison values. + type: object + properties: + gt: + anyOf: + - type: string + - type: number + - type: boolean + description: A value that can be a string, number, or boolean. + gte: + anyOf: + - type: string + - type: number + - type: boolean + description: A value that can be a string, number, or boolean. + lt: + anyOf: + - type: string + - type: number + - type: boolean + description: A value that can be a string, number, or boolean. + lte: + anyOf: + - type: string + - type: number + - type: boolean + description: A value that can be a string, number, or boolean. 
+ startsWith: + anyOf: + - type: string + - type: number + - type: boolean + description: Starts-with comparison value. + required: + - field + - additionalProperties: false + description: A condition that checks for the existence or non-existence of a field. + type: object + properties: + exists: + description: Indicates whether the field exists or not. + type: boolean + field: + description: The document field to check. + minLength: 1 + type: string + required: + - field + description: A basic filter condition, either unary or binary. + Kibana_HTTP_APIs_filterSimple: + additionalProperties: false + description: A KQL or Lucene query that filters panel data. Applied on top of any dashboard-level filters. + properties: + expression: + description: A query expression in KQL or Lucene syntax + type: string + language: + default: kql + description: 'Query language: `kql` (Kibana Query Language) or `lucene`. Defaults to `kql`.' + enum: + - kql + - lucene + type: string + required: + - expression + title: Filter + type: object + Kibana_HTTP_APIs_filtersOperation: + additionalProperties: false + properties: + filters: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterWithLabel' + maxItems: 100 + type: array + label: + description: Label for the operation + type: string + operation: + enum: + - filters + type: string + required: + - operation + - filters + title: Filters Operation + type: object + Kibana_HTTP_APIs_filterWithLabel: + additionalProperties: false + description: A KQL or Lucene filter with an optional display label. 
+ properties: + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + label: + description: Label for the filter + type: string + required: + - filter + title: Filter with Label + type: object + Kibana_HTTP_APIs_find_backfill_response: + additionalProperties: false + properties: + data: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_backfill_response' + type: array + page: + type: number + per_page: + type: number + total: + type: number + required: + - page + - per_page + - total + - data + title: find_backfill_response + type: object + Kibana_HTTP_APIs_find_maintenance_windows_response: + additionalProperties: false + properties: + maintenanceWindows: + description: The list of maintenance windows. + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_maintenance_window_response' + type: array + page: + description: The current page number. + type: number + per_page: + description: The number of maintenance windows returned per page. + type: number + total: + description: The total number of maintenance windows that match the query. + type: number + required: + - page + - per_page + - total + - maintenanceWindows + title: find_maintenance_windows_response + type: object + Kibana_HTTP_APIs_formatType: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_numericFormat' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_byteFormat' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_durationFormat' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_customFormat' + description: Number display format for the dimension value. 
+ title: Format Type + Kibana_HTTP_APIs_formulaOperation: + additionalProperties: false + properties: + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + formula: + description: Formula + type: string + label: + description: Label for the operation + type: string + operation: + enum: + - formula + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + description: Time scale + enum: + - s + - m + - h + - d + type: string + required: + - operation + - formula + title: Formula Operation + type: object + Kibana_HTTP_APIs_full_agent_policy: + additionalProperties: false + properties: + agent: + additionalProperties: false + type: object + properties: + download: + additionalProperties: false + type: object + properties: + auth: + additionalProperties: false + type: object + properties: + api_key: + type: string + headers: + items: + additionalProperties: false + type: object + properties: + key: + type: string + value: + type: string + required: + - key + - value + maxItems: 100 + type: array + password: + type: string + username: + type: string + proxy_headers: + additionalProperties: + anyOf: + - type: string + - type: boolean + - type: number + nullable: true + type: object + proxy_url: + type: string + secrets: + additionalProperties: true + type: object + properties: + ssl: + additionalProperties: true + type: object + properties: + key: + additionalProperties: true + type: object + properties: + id: + type: string + required: + - key + sourceURI: + type: string + ssl: + additionalProperties: false + type: object + properties: + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + key: + type: string + renegotiation: + type: string + verification_mode: + type: string + target_directory: + type: string + timeout: + type: string + 
required: + - sourceURI + features: + additionalProperties: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + required: + - enabled + type: object + internal: + nullable: true + limits: + additionalProperties: false + type: object + properties: + go_max_procs: + type: number + logging: + additionalProperties: false + type: object + properties: + files: + additionalProperties: false + type: object + properties: + interval: + type: string + keepfiles: + type: number + rotateeverybytes: + type: number + level: + type: string + metrics: + additionalProperties: false + type: object + properties: + period: + type: string + to_files: + type: boolean + monitoring: + additionalProperties: false + type: object + properties: + _runtime_experimental: + type: string + apm: + nullable: true + diagnostics: + additionalProperties: false + type: object + properties: + limit: + additionalProperties: false + type: object + properties: + burst: + type: number + interval: + type: string + uploader: + additionalProperties: false + type: object + properties: + init_dur: + type: string + max_dur: + type: string + max_retries: + type: number + enabled: + type: boolean + http: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + host: + type: string + port: + type: number + logs: + type: boolean + metrics: + type: boolean + namespace: + type: string + pprof: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + required: + - enabled + traces: + type: boolean + use_output: + type: string + required: + - enabled + - metrics + - logs + - traces + - apm + protection: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + signing_key: + type: string + uninstall_token_hash: + type: string + required: + - enabled + - uninstall_token_hash + - signing_key + required: + - monitoring + - download + - features + - internal + connectors: + additionalProperties: + 
nullable: true + type: object + exporters: + additionalProperties: + nullable: true + type: object + extensions: + additionalProperties: + nullable: true + type: object + fleet: + anyOf: + - additionalProperties: false + type: object + properties: + hosts: + items: + type: string + maxItems: 100 + type: array + proxy_headers: + additionalProperties: + anyOf: + - type: string + - type: boolean + - type: number + nullable: true + type: object + proxy_url: + type: string + secrets: + additionalProperties: true + type: object + properties: + ssl: + additionalProperties: true + type: object + properties: + key: + additionalProperties: true + type: object + properties: + id: + type: string + required: + - key + ssl: + additionalProperties: false + type: object + properties: + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + key: + type: string + renegotiation: + type: string + verification_mode: + type: string + required: + - hosts + - additionalProperties: false + type: object + properties: + kibana: + additionalProperties: false + type: object + properties: + hosts: + items: + type: string + maxItems: 100 + type: array + path: + type: string + protocol: + type: string + required: + - hosts + - protocol + required: + - kibana + id: + type: string + inputs: + items: + additionalProperties: true + type: object + properties: + data_stream: + additionalProperties: true + type: object + properties: + namespace: + type: string + required: + - namespace + id: + type: string + meta: + additionalProperties: true + type: object + properties: + package: + additionalProperties: true + type: object + properties: + name: + type: string + version: + type: string + required: + - name + - version + name: + type: string + package_policy_id: + type: string + processors: + items: + additionalProperties: true + type: object + properties: + add_fields: + additionalProperties: true + type: object + properties: + fields: + 
additionalProperties: + anyOf: + - type: string + - type: number + type: object + target: + type: string + required: + - target + - fields + required: + - add_fields + maxItems: 10000 + type: array + revision: + type: number + streams: + items: + additionalProperties: true + type: object + properties: + data_stream: + additionalProperties: true + type: object + properties: + dataset: + type: string + type: + type: string + required: + - dataset + id: + type: string + required: + - id + - data_stream + maxItems: 10000 + type: array + type: + type: string + use_output: + type: string + required: + - id + - name + - revision + - type + - data_stream + - use_output + - package_policy_id + maxItems: 10000 + type: array + namespaces: + items: + type: string + maxItems: 100 + type: array + output_permissions: + additionalProperties: + additionalProperties: + nullable: true + type: object + type: object + outputs: + additionalProperties: + additionalProperties: true + type: object + properties: + ca_sha256: + nullable: true + type: string + hosts: + items: + type: string + maxItems: 100 + type: array + proxy_headers: + additionalProperties: + anyOf: + - type: string + - type: boolean + - type: number + nullable: true + type: object + proxy_url: + type: string + type: + type: string + required: + - type + type: object + processors: + additionalProperties: + nullable: true + type: object + receivers: + additionalProperties: + nullable: true + type: object + revision: + type: number + secret_references: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10000 + type: array + service: + additionalProperties: false + type: object + properties: + extensions: + items: + type: string + maxItems: 1000 + type: array + pipelines: + additionalProperties: + additionalProperties: false + type: object + properties: + exporters: + items: + type: string + maxItems: 1000 + type: array + processors: + items: + type: string 
+ maxItems: 1000 + type: array + receivers: + items: + type: string + maxItems: 1000 + type: array + type: object + signed: + additionalProperties: false + type: object + properties: + data: + type: string + signature: + type: string + required: + - data + - signature + required: + - id + - outputs + - inputs + title: full_agent_policy + type: object + Kibana_HTTP_APIs_gaugeESQL: + additionalProperties: false + description: Gauge configuration using an ES|QL query. + properties: + data_source: + $ref: '#/components/schemas/Kibana_HTTP_APIs_esqlDataSource' + description: + type: string + drilldowns: + items: + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. 
+ type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + hide_border: + type: boolean + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. + type: boolean + metric: + additionalProperties: false + type: object + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the gauge fill. 
+ column: + description: Column to use + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + goal: + additionalProperties: false + type: object + properties: + column: + description: Column to use + type: string + label: + description: Label for the operation + type: string + required: + - column + label: + description: Label for the operation + type: string + max: + additionalProperties: false + type: object + properties: + column: + description: Column to use + type: string + label: + description: Label for the operation + type: string + required: + - column + min: + additionalProperties: false + type: object + properties: + column: + description: Column to use + type: string + label: + description: Label for the operation + type: string + required: + - column + subtitle: + description: Subtitle below the gauge value. + type: string + ticks: + additionalProperties: false + description: Ticks configuration + type: object + properties: + mode: + description: Tick placement mode. + enum: + - auto + - bands + type: string + visible: + description: When `true`, displays tick marks on the gauge. + type: boolean + title: + additionalProperties: false + description: Title configuration + type: object + properties: + text: + description: Title text. + type: string + visible: + description: When `true`, displays the title. + type: boolean + required: + - column + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). 
+ maximum: 1 + minimum: 0 + type: number + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeStyling' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + type: + enum: + - gauge + type: string + required: + - type + - data_source + - metric + title: Gauge Chart (ES|QL) + type: object + Kibana_HTTP_APIs_gaugeMetricCountMetric: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the gauge fill. + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. + type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + goal: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + label: + description: Label for the operation + type: string + max: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. 
+ title: Field Metric, Static Value, or Formula Operation + min: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + operation: + enum: + - count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the gauge value. + type: string + ticks: + additionalProperties: false + description: Ticks configuration + type: object + properties: + mode: + description: Tick placement mode. + enum: + - auto + - bands + type: string + visible: + description: When `true`, displays tick marks on the gauge. + type: boolean + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + title: + additionalProperties: false + description: Title configuration + type: object + properties: + text: + description: Title text. + type: string + visible: + description: When `true`, displays the title. + type: boolean + required: + - operation + title: Count Metric Operation + type: object + Kibana_HTTP_APIs_gaugeMetricFormula: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the gauge fill. 
+ filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + formula: + description: Formula + type: string + goal: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + label: + description: Label for the operation + type: string + max: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + min: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + operation: + enum: + - formula + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the gauge value. + type: string + ticks: + additionalProperties: false + description: Ticks configuration + type: object + properties: + mode: + description: Tick placement mode. + enum: + - auto + - bands + type: string + visible: + description: When `true`, displays tick marks on the gauge. 
+ type: boolean + time_scale: + description: Time scale + enum: + - s + - m + - h + - d + type: string + title: + additionalProperties: false + description: Title configuration + type: object + properties: + text: + description: Title text. + type: string + visible: + description: When `true`, displays the title. + type: boolean + required: + - operation + - formula + title: Formula Operation + type: object + Kibana_HTTP_APIs_gaugeMetricLastValue: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the gauge fill. + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + goal: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + label: + description: Label for the operation + type: string + max: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. 
+ title: Field Metric, Static Value, or Formula Operation + min: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + multi_value: + default: false + description: Whether to return all values for multi-value fields. Only affects data table and metric charts; other charts use the last value from the array. + type: boolean + operation: + enum: + - last_value + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the gauge value. + type: string + ticks: + additionalProperties: false + description: Ticks configuration + type: object + properties: + mode: + description: Tick placement mode. + enum: + - auto + - bands + type: string + visible: + description: When `true`, displays tick marks on the gauge. + type: boolean + time_field: + description: Time field used to determine document recency + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + title: + additionalProperties: false + description: Title configuration + type: object + properties: + text: + description: Title text. + type: string + visible: + description: When `true`, displays the title. 
+ type: boolean + required: + - field + - operation + - time_field + title: Last Value Operation + type: object + Kibana_HTTP_APIs_gaugeMetricPercentile: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the gauge fill. + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + goal: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + label: + description: Label for the operation + type: string + max: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + min: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. 
+ title: Field Metric, Static Value, or Formula Operation + operation: + enum: + - percentile + type: string + percentile: + default: 95 + description: Percentile + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the gauge value. + type: string + ticks: + additionalProperties: false + description: Ticks configuration + type: object + properties: + mode: + description: Tick placement mode. + enum: + - auto + - bands + type: string + visible: + description: When `true`, displays tick marks on the gauge. + type: boolean + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + title: + additionalProperties: false + description: Title configuration + type: object + properties: + text: + description: Title text. + type: string + visible: + description: When `true`, displays the title. + type: boolean + required: + - field + - operation + title: Percentile Operation + type: object + Kibana_HTTP_APIs_gaugeMetricPercentileRanks: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the gauge fill. 
+ field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + goal: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + label: + description: Label for the operation + type: string + max: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + min: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + operation: + enum: + - percentile_rank + type: string + rank: + default: 0 + description: Percentile Rank + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the gauge value. + type: string + ticks: + additionalProperties: false + description: Ticks configuration + type: object + properties: + mode: + description: Tick placement mode. 
+ enum: + - auto + - bands + type: string + visible: + description: When `true`, displays tick marks on the gauge. + type: boolean + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + title: + additionalProperties: false + description: Title configuration + type: object + properties: + text: + description: Title text. + type: string + visible: + description: When `true`, displays the title. + type: boolean + required: + - field + - operation + title: Percentile Ranks Operation + type: object + Kibana_HTTP_APIs_gaugeMetricStatsMetric: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the gauge fill. + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + goal: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + label: + description: Label for the operation + type: string + max: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. 
+ title: Field Metric, Static Value, or Formula Operation + min: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + operation: + enum: + - min + - max + - average + - median + - standard_deviation + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the gauge value. + type: string + ticks: + additionalProperties: false + description: Ticks configuration + type: object + properties: + mode: + description: Tick placement mode. + enum: + - auto + - bands + type: string + visible: + description: When `true`, displays tick marks on the gauge. + type: boolean + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + title: + additionalProperties: false + description: Title configuration + type: object + properties: + text: + description: Title text. + type: string + visible: + description: When `true`, displays the title. + type: boolean + required: + - field + - operation + title: Stats Metric Operation + type: object + Kibana_HTTP_APIs_gaugeMetricSumMetric: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the gauge fill. + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + goal: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + label: + description: Label for the operation + type: string + max: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + min: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + operation: + enum: + - sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the gauge value. + type: string + ticks: + additionalProperties: false + description: Ticks configuration + type: object + properties: + mode: + description: Tick placement mode. + enum: + - auto + - bands + type: string + visible: + description: When `true`, displays tick marks on the gauge. 
+ type: boolean + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + title: + additionalProperties: false + description: Title configuration + type: object + properties: + text: + description: Title text. + type: string + visible: + description: When `true`, displays the title. + type: boolean + required: + - field + - operation + title: Sum Metric Operation + type: object + Kibana_HTTP_APIs_gaugeMetricUniqueCountMetric: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the gauge fill. + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. + type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + goal: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + label: + description: Label for the operation + type: string + max: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. 
+ title: Field Metric, Static Value, or Formula Operation + min: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + operation: + enum: + - unique_count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the gauge value. + type: string + ticks: + additionalProperties: false + description: Ticks configuration + type: object + properties: + mode: + description: Tick placement mode. + enum: + - auto + - bands + type: string + visible: + description: When `true`, displays tick marks on the gauge. + type: boolean + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + title: + additionalProperties: false + description: Title configuration + type: object + properties: + text: + description: Title text. + type: string + visible: + description: When `true`, displays the title. + type: boolean + required: + - field + - operation + title: Unique Count Metric Operation + type: object + Kibana_HTTP_APIs_gaugeNoESQL: + additionalProperties: false + description: Gauge configuration using a data view. 
+ properties: + data_source: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' + description: + type: string + drilldowns: + items: + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. + type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. 
Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + hide_border: + type: boolean + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. + type: boolean + metric: + anyOf: + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeMetricCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeMetricUniqueCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeMetricStatsMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeMetricSumMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeMetricLastValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeMetricPercentile' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeMetricPercentileRanks' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeMetricFormula' + query: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). + maximum: 1 + minimum: 0 + type: number + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeStyling' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + type: + enum: + - gauge + type: string + required: + - type + - data_source + - metric + title: Gauge Chart (DSL) + type: object + Kibana_HTTP_APIs_gaugeShapeBullet: + additionalProperties: false + description: Bullet gauge shape. 
+ properties: + orientation: + $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_simple_orientation' + type: + enum: + - bullet + type: string + required: + - type + title: Shape (Bullet) + type: object + Kibana_HTTP_APIs_gaugeShapeCircular: + additionalProperties: false + description: Circular gauge shape. + properties: + type: + enum: + - circle + - semi_circle + - arc + type: string + required: + - type + title: Shape (Circular) + type: object + Kibana_HTTP_APIs_gaugeStyling: + additionalProperties: false + description: Visual chart styling options + properties: + shape: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeShapeBullet' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeShapeCircular' + title: Gauge styling + type: object + Kibana_HTTP_APIs_geo-containment-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' 
+ type: string + enabled: + default: true + description: Indicates whether you want the rule to run on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how frequently rule actions are triggered. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the geo containment rule. These parameters are appropriate when `rule_type_id` is `.geo-containment`. 
+ properties: + boundaryGeoField: + minLength: 1 + type: string + boundaryIndexId: + minLength: 1 + type: string + boundaryIndexQuery: + nullable: true + boundaryIndexTitle: + minLength: 1 + type: string + boundaryNameField: + minLength: 1 + type: string + boundaryType: + minLength: 1 + type: string + dateField: + minLength: 1 + type: string + entity: + minLength: 1 + type: string + geoField: + minLength: 1 + type: string + index: + minLength: 1 + type: string + indexId: + minLength: 1 + type: string + indexQuery: + nullable: true + required: + - index + - indexId + - geoField + - entity + - dateField + - boundaryType + - boundaryIndexTitle + - boundaryIndexId + - boundaryGeoField + - indexQuery + - boundaryIndexQuery + title: Geo Containment Rule Params + type: object + rule_type_id: + enum: + - .geo-containment + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how frequently rule actions are triggered. You cannot specify the throttle interval at both the rule and action level. If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. 
+ nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Geo containment + type: object + Kibana_HTTP_APIs_get_agent_policy_outputs_response: + additionalProperties: false + properties: + item: + additionalProperties: false + type: object + properties: + agentPolicyId: + type: string + data: + additionalProperties: false + type: object + properties: + integrations: + items: + additionalProperties: false + type: object + properties: + id: + type: string + integrationPolicyName: + type: string + name: + type: string + pkgName: + type: string + maxItems: 1000 + type: array + output: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + required: + - id + - name + required: + - output + monitoring: + additionalProperties: false + type: object + properties: + output: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + required: + - id + - name + required: + - output + required: + - monitoring + - data + required: + - item + title: get_agent_policy_outputs_response + type: object + Kibana_HTTP_APIs_get_agent_policy_response: + additionalProperties: false + properties: + item: + $ref: '#/components/schemas/Kibana_HTTP_APIs_agent_policy_response' + required: + - item + title: get_agent_policy_response + type: object + Kibana_HTTP_APIs_get_bulk_assets_request: + additionalProperties: false + properties: + assetIds: + items: + additionalProperties: false + type: object + properties: + id: + type: string + type: + type: string + required: + - id + - type + maxItems: 10000 + type: array + required: + - assetIds + title: get_bulk_assets_request + type: object + Kibana_HTTP_APIs_get_bulk_assets_response: + additionalProperties: false + properties: + items: + items: + additionalProperties: false + type: object + properties: + appLink: + type: string + attributes: + additionalProperties: false + type: object + 
properties: + description: + type: string + service: + type: string + title: + type: string + id: + type: string + type: + type: string + updatedAt: + type: string + required: + - id + - type + - attributes + maxItems: 10000 + type: array + required: + - items + title: get_bulk_assets_response + type: object + Kibana_HTTP_APIs_get_categories_response: + additionalProperties: false + properties: + items: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_category_summary_item' + maxItems: 10000 + type: array + required: + - items + title: get_categories_response + type: object + Kibana_HTTP_APIs_get_data_streams_response: + additionalProperties: false + properties: + items: + items: + additionalProperties: false + type: object + properties: + name: + type: string + required: + - name + maxItems: 10000 + type: array + required: + - items + title: get_data_streams_response + type: object + Kibana_HTTP_APIs_get_dependencies_response: + additionalProperties: false + properties: + items: + items: + additionalProperties: false + type: object + properties: + name: + type: string + title: + type: string + version: + type: string + required: + - name + - version + - title + maxItems: 1000 + type: array + required: + - items + title: get_dependencies_response + type: object + Kibana_HTTP_APIs_get_full_agent_policy_response: + additionalProperties: false + properties: + item: + anyOf: + - type: string + - $ref: '#/components/schemas/Kibana_HTTP_APIs_full_agent_policy' + required: + - item + title: get_full_agent_policy_response + type: object + Kibana_HTTP_APIs_get_info_response: + additionalProperties: false + properties: + item: + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_package_info' + metadata: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_metadata' + required: + - item + title: get_info_response + type: object + Kibana_HTTP_APIs_get_inputs_response: + additionalProperties: false + properties: + connectors: + additionalProperties: + nullable: true + 
type: object + exporters: + additionalProperties: + nullable: true + type: object + extensions: + additionalProperties: + nullable: true + type: object + inputs: + items: + additionalProperties: false + type: object + properties: + id: + type: string + streams: + items: + additionalProperties: true + type: object + properties: + data_stream: + additionalProperties: true + type: object + properties: + dataset: + type: string + type: + type: string + required: + - dataset + id: + type: string + required: + - id + - data_stream + maxItems: 10000 + type: array + type: + type: string + required: + - id + - type + maxItems: 10000 + type: array + processors: + additionalProperties: + nullable: true + type: object + receivers: + additionalProperties: + nullable: true + type: object + service: + additionalProperties: false + type: object + properties: + extensions: + items: + type: string + maxItems: 1000 + type: array + pipelines: + additionalProperties: + additionalProperties: false + type: object + properties: + exporters: + items: + type: string + maxItems: 1000 + type: array + processors: + items: + type: string + maxItems: 1000 + type: array + receivers: + items: + type: string + maxItems: 1000 + type: array + type: object + required: + - inputs + title: get_inputs_response + type: object + Kibana_HTTP_APIs_get_installed_packages_response: + additionalProperties: false + properties: + items: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_installed_package' + maxItems: 10000 + type: array + searchAfter: + items: + anyOf: + - type: string + - type: number + - type: boolean + - nullable: true + nullable: true + maxItems: 2 + type: array + total: + type: number + required: + - items + - total + title: get_installed_packages_response + type: object + Kibana_HTTP_APIs_get_k8s_manifest_response: + additionalProperties: false + properties: + item: + type: string + required: + - item + title: get_k8s_manifest_response + type: object + 
Kibana_HTTP_APIs_get_limited_packages_response: + additionalProperties: false + properties: + items: + items: + type: string + maxItems: 10000 + type: array + required: + - items + title: get_limited_packages_response + type: object + Kibana_HTTP_APIs_get_list_agent_policy_outputs_request: + additionalProperties: false + properties: + ids: + description: list of package policy ids + items: + type: string + maxItems: 1000 + type: array + required: + - ids + title: get_list_agent_policy_outputs_request + type: object + Kibana_HTTP_APIs_get_list_agent_policy_outputs_response: + additionalProperties: false + properties: + items: + items: + additionalProperties: false + type: object + properties: + agentPolicyId: + type: string + data: + additionalProperties: false + type: object + properties: + integrations: + items: + additionalProperties: false + type: object + properties: + id: + type: string + integrationPolicyName: + type: string + name: + type: string + pkgName: + type: string + maxItems: 1000 + type: array + output: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + required: + - id + - name + required: + - output + monitoring: + additionalProperties: false + type: object + properties: + output: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + required: + - id + - name + required: + - output + required: + - monitoring + - data + maxItems: 10000 + type: array + required: + - items + title: get_list_agent_policy_outputs_response + type: object + Kibana_HTTP_APIs_get_one_bulk_operation_packages_response: + additionalProperties: false + properties: + error: + additionalProperties: false + type: object + properties: + message: + type: string + required: + - message + results: + items: + additionalProperties: false + type: object + properties: + error: + additionalProperties: false + type: object + properties: + message: + type: string + required: + - message 
+ name: + type: string + success: + type: boolean + required: + - name + - success + maxItems: 10000 + type: array + status: + type: string + required: + - status + title: get_one_bulk_operation_packages_response + type: object + Kibana_HTTP_APIs_get_package_info: + additionalProperties: true + properties: + agent: + additionalProperties: false + type: object + properties: + privileges: + additionalProperties: false + type: object + properties: + root: + type: boolean + asset_tags: + items: + additionalProperties: false + type: object + properties: + asset_ids: + items: + type: string + maxItems: 1000 + type: array + asset_types: + items: + type: string + maxItems: 100 + type: array + text: + type: string + required: + - text + maxItems: 1000 + type: array + assets: + additionalProperties: + nullable: true + type: object + categories: + items: + type: string + maxItems: 100 + type: array + conditions: + additionalProperties: true + type: object + properties: + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + elastic: + additionalProperties: true + type: object + properties: + capabilities: + items: + type: string + maxItems: 10 + type: array + subscription: + type: string + kibana: + additionalProperties: true + type: object + properties: + version: + type: string + data_streams: + items: + additionalProperties: + nullable: true + type: object + maxItems: 1000 + type: array + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + description: + type: string + discovery: + additionalProperties: true + type: object + properties: + datasets: + items: + additionalProperties: true + type: object + properties: + name: + type: string + required: + - name + maxItems: 100 + type: array + fields: + items: + additionalProperties: true + type: object + properties: + name: + type: string + required: + - name + maxItems: 100 + type: array + download: + type: string + elasticsearch: + additionalProperties: + nullable: true + 
type: object + format_version: + type: string + icons: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_icon' + maxItems: 100 + type: array + installationInfo: + $ref: '#/components/schemas/Kibana_HTTP_APIs_installation_info' + internal: + type: boolean + keepPoliciesUpToDate: + type: boolean + latestVersion: + type: string + license: + type: string + licensePath: + type: string + name: + type: string + notice: + type: string + owner: + additionalProperties: true + type: object + properties: + github: + type: string + type: + enum: + - elastic + - partner + - community + type: string + path: + type: string + policy_templates: + items: + additionalProperties: + nullable: true + type: object + maxItems: 1000 + type: array + readme: + type: string + release: + enum: + - ga + - beta + - experimental + type: string + screenshots: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_icon' + maxItems: 100 + type: array + signature_path: + type: string + source: + additionalProperties: true + type: object + properties: + license: + type: string + required: + - license + status: + type: string + title: + type: string + type: + anyOf: + - enum: + - integration + type: string + - enum: + - input + type: string + - enum: + - content + type: string + - type: string + var_groups: + items: + additionalProperties: true + type: object + properties: + description: + type: string + name: + type: string + options: + items: + additionalProperties: true + type: object + properties: + description: + type: string + hide_in_deployment_modes: + items: + enum: + - default + - agentless + type: string + maxItems: 2 + type: array + name: + type: string + title: + type: string + vars: + items: + type: string + maxItems: 100 + type: array + required: + - name + - title + - vars + maxItems: 100 + type: array + selector_title: + type: string + title: + type: string + required: + - name + - title + - selector_title + - options + maxItems: 100 + type: array + vars: + items: 
+ additionalProperties: + nullable: true + type: object + maxItems: 1000 + type: array + version: + type: string + required: + - name + - version + - title + - assets + title: get_package_info + type: object + Kibana_HTTP_APIs_get_packages_response: + additionalProperties: false + properties: + items: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_list_item' + maxItems: 10000 + type: array + required: + - items + title: get_packages_response + type: object + Kibana_HTTP_APIs_get_stats_response: + additionalProperties: false + properties: + response: + additionalProperties: false + type: object + properties: + agent_policy_count: + type: number + package_policy_count: + type: number + required: + - agent_policy_count + - package_policy_count + required: + - response + title: get_stats_response + type: object + Kibana_HTTP_APIs_get_verification_key_id_response: + additionalProperties: false + properties: + id: + nullable: true + type: string + required: + - id + title: get_verification_key_id_response + type: object + Kibana_HTTP_APIs_gradientColorMapping: + additionalProperties: false + description: Gradient color mapping across categorical values. + properties: + gradient: + items: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorFromPalette' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_color_code' + maxItems: 3 + type: array + mapping: + items: + additionalProperties: false + type: object + properties: + values: + items: + anyOf: + - type: string + - type: number + - $ref: '#/components/schemas/Kibana_HTTP_APIs_range_key' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_multi_field_key' + maxItems: 100 + type: array + required: + - values + maxItems: 100 + type: array + mode: + enum: + - gradient + type: string + palette: + description: 'Color palette name. Accepted values: ''default'', ''elastic_line_optimized'', ''severity'', ''eui_amsterdam'', ''kibana_v7_legacy'', ''elastic_brand_2023''. Defaults to `default`.' 
+ type: string + sort: + description: Sort direction + enum: + - asc + - desc + type: string + unassigned: + $ref: '#/components/schemas/Kibana_HTTP_APIs_unassignedColorSchema' + required: + - mode + - palette + title: Gradient Color Mapping + type: object + Kibana_HTTP_APIs_heatmapAxes: + additionalProperties: false + description: Axis configuration for X and Y axes + properties: + x: + $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapXAxis' + 'y': + $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapYAxis' + title: Axes + type: object + Kibana_HTTP_APIs_heatmapCells: + additionalProperties: false + description: Cells configuration + properties: + labels: + additionalProperties: false + type: object + properties: + visible: + description: Show cell labels + type: boolean + title: Cells + type: object + Kibana_HTTP_APIs_heatmapESQL: + additionalProperties: false + description: Heatmap configuration using an ES|QL query. + properties: + axis: + $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapAxes' + data_source: + $ref: '#/components/schemas/Kibana_HTTP_APIs_esqlDataSource' + description: + type: string + drilldowns: + items: + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. 
+ type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + hide_border: + type: boolean + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. + type: boolean + legend: + $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapLegend' + metric: + additionalProperties: false + type: object + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color scale configuration for the heatmap cells. 
+ column: + description: Column to use + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + required: + - column + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). + maximum: 1 + minimum: 0 + type: number + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapStyling' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + type: + enum: + - heatmap + type: string + x: + additionalProperties: false + type: object + properties: + column: + description: Column to use + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + required: + - column + 'y': + additionalProperties: false + type: object + properties: + column: + description: Column to use + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + required: + - column + required: + - type + - x + - data_source + - metric + title: Heatmap Chart (ES|QL) + type: object + Kibana_HTTP_APIs_heatmapLegend: + additionalProperties: false + description: Legend configuration + properties: + position: + enum: + - top + - bottom + - left + - right + type: string + size: + $ref: '#/components/schemas/Kibana_HTTP_APIs_legendSize' + truncate_after_lines: + description: Number of lines before legend items are truncated. + maximum: 10 + minimum: 1 + title: legendTruncateAfterLines + type: number + visibility: + description: Legend visibility. 
+ enum: + - visible + - hidden + type: string + title: Legend + type: object + Kibana_HTTP_APIs_heatmapMetricCounterRate: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color scale configuration for the heatmap cells. + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - counter_rate + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Counter Rate Operation + type: object + Kibana_HTTP_APIs_heatmapMetricCountMetric: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color scale configuration for the heatmap cells. + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - operation + title: Count Metric Operation + type: object + Kibana_HTTP_APIs_heatmapMetricCumulativeSum: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color scale configuration for the heatmap cells. 
+ field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - cumulative_sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Cumulative Sum Operation + type: object + Kibana_HTTP_APIs_heatmapMetricDifferences: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color scale configuration for the heatmap cells. 
+ filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - differences + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - operation + - of + title: Differences Operation + type: object + Kibana_HTTP_APIs_heatmapMetricFormula: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color scale configuration for the heatmap cells. + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + formula: + description: Formula + type: string + label: + description: Label for the operation + type: string + operation: + enum: + - formula + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + description: Time scale + enum: + - s + - m + - h + - d + type: string + required: + - operation + - formula + title: Formula Operation + type: object + Kibana_HTTP_APIs_heatmapMetricLastValue: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color scale configuration for the heatmap cells. 
+ field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + multi_value: + default: false + description: Whether to return all values for multi-value fields. Only affects data table and metric charts; other charts use the last value from the array. + type: boolean + operation: + enum: + - last_value + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_field: + description: Time field used to determine document recency + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + - time_field + title: Last Value Operation + type: object + Kibana_HTTP_APIs_heatmapMetricMovingAverage: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color scale configuration for the heatmap cells. 
+ filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - moving_average + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + window: + default: 5 + description: Window + type: number + required: + - operation + - of + title: Moving Average Operation + type: object + Kibana_HTTP_APIs_heatmapMetricPercentile: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color scale configuration for the heatmap cells. 
+ field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - percentile + type: string + percentile: + default: 95 + description: Percentile + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Percentile Operation + type: object + Kibana_HTTP_APIs_heatmapMetricPercentileRanks: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color scale configuration for the heatmap cells. 
+ field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - percentile_rank + type: string + rank: + default: 0 + description: Percentile Rank + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Percentile Ranks Operation + type: object + Kibana_HTTP_APIs_heatmapMetricStatsMetric: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color scale configuration for the heatmap cells. 
+ field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - min + - max + - average + - median + - standard_deviation + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Stats Metric Operation + type: object + Kibana_HTTP_APIs_heatmapMetricSumMetric: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color scale configuration for the heatmap cells. + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Sum Metric Operation + type: object + Kibana_HTTP_APIs_heatmapMetricUniqueCountMetric: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color scale configuration for the heatmap cells. + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. + type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - unique_count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Unique Count Metric Operation + type: object + Kibana_HTTP_APIs_heatmapNoESQL: + additionalProperties: false + description: Heatmap configuration using a data view. 
+ properties: + axis: + $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapAxes' + data_source: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' + description: + type: string + drilldowns: + items: + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. + type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. 
Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + hide_border: + type: boolean + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. + type: boolean + legend: + $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapLegend' + metric: + anyOf: + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapMetricCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapMetricUniqueCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapMetricStatsMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapMetricSumMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapMetricLastValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapMetricPercentile' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapMetricPercentileRanks' + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapMetricDifferences' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapMetricMovingAverage' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapMetricCumulativeSum' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapMetricCounterRate' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapMetricFormula' + query: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). 
+ maximum: 1 + minimum: 0 + type: number + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapStyling' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + type: + enum: + - heatmap + type: string + x: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_dateHistogramOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_histogramOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rangesOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_filtersOperation' + description: Breakdown dimension configuration using date histogram, terms, numeric histogram, value ranges, or custom filters. + title: Breakdown Operation + 'y': + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_dateHistogramOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_histogramOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rangesOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_filtersOperation' + description: Breakdown dimension configuration using date histogram, terms, numeric histogram, value ranges, or custom filters. 
+ title: Breakdown Operation + required: + - type + - x + - data_source + - metric + title: Heatmap Chart (DSL) + type: object + Kibana_HTTP_APIs_heatmapStyling: + additionalProperties: false + description: Visual chart styling options + properties: + cells: + $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapCells' + title: Heatmap styling + type: object + Kibana_HTTP_APIs_heatmapXAxis: + additionalProperties: false + description: X axis configuration + properties: + labels: + additionalProperties: false + type: object + properties: + orientation: + $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_orientation' + visible: + description: Show axis labels + type: boolean + scale: + description: X-axis scale type. Use 'temporal' for timestamp/date fields (for example, @timestamp or DATE_TRUNC results). Use 'ordinal' for categorical/text fields. Use 'linear' for numeric fields. + enum: + - ordinal + - temporal + - linear + type: string + sort: + description: Axis sort order; omit or use undefined for no sorting + enum: + - asc + - desc + type: string + title: + additionalProperties: false + type: object + properties: + text: + description: Axis title text. + type: string + visible: + description: When `true`, displays the title. + type: boolean + required: + - scale + title: X Axis + type: object + Kibana_HTTP_APIs_heatmapYAxis: + additionalProperties: false + description: Y axis configuration + properties: + labels: + additionalProperties: false + type: object + properties: + visible: + description: Show axis labels + type: boolean + sort: + description: Axis sort order; omit or use undefined for no sorting + enum: + - asc + - desc + type: string + title: + additionalProperties: false + type: object + properties: + text: + description: Axis title text. + type: string + visible: + description: When `true`, displays the title. 
+ type: boolean + title: Y Axis + type: object + Kibana_HTTP_APIs_histogramOperation: + additionalProperties: false + properties: + field: + description: Field to be used for the histogram. + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + granularity: + anyOf: + - description: Granularity of the histogram. + maximum: 7 + minimum: 1 + type: number + - enum: + - auto + type: string + default: auto + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. + type: boolean + label: + description: Label for the operation + type: string + operation: + enum: + - histogram + type: string + required: + - operation + - field + title: Histogram Operation + type: object + Kibana_HTTP_APIs_index-threshold-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' 
+ type: string + enabled: + default: true + description: Indicates whether you want the rule to run on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how frequently rule actions are triggered. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the index threshold rule. These parameters are appropriate when `rule_type_id` is `.index-threshold`. + properties: + aggField: + description: The name of the numeric field that is used in the aggregation. This property is required when `aggType` is `avg`, `max`, `min` or `sum`. + minLength: 1 + type: string + aggType: + default: count + description: The type of aggregation to perform. + type: string + filterKuery: + description: A Kibana Query Language (KQL) expression thats limits the scope of alerts. 
+ type: string + groupBy: + default: all + description: Indicates whether the aggregation is applied over all documents (`all`) or split into groups (`top`) using a grouping field (`termField`). If grouping is used, an alert will be created for each group when it exceeds the threshold; only the top groups (up to `termSize` number of groups) are checked. + type: string + index: + anyOf: + - minLength: 1 + type: string + - items: + minLength: 1 + type: string + minItems: 1 + type: array + description: The indices to query. + termField: + description: The names of up to four fields that are used for grouping the aggregation. This property is required when `groupBy` is `top`. + minLength: 1 + type: string + termSize: + description: This property is required when `groupBy` is `top`. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields. + minimum: 1 + type: number + threshold: + items: + type: number + maxItems: 2 + minItems: 1 + type: array + thresholdComparator: + description: 'The comparison function for the threshold. For example: greater than, less than, greater than or equal to, between, or not between.' + enum: + - '>' + - < + - '>=' + - <= + - between + - notBetween + type: string + timeField: + description: The field that is used to calculate the time window. + minLength: 1 + type: string + timeWindowSize: + description: The size of the time window (in `timeWindowUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection. + minimum: 1 + type: number + timeWindowUnit: + description: 'The type of units for the time window. For example: seconds, minutes, hours, or days.' 
+ type: string + required: + - index + - timeField + - timeWindowSize + - timeWindowUnit + - thresholdComparator + - threshold + title: Index Threshold Rule Params + type: object + rule_type_id: + enum: + - .index-threshold + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how frequently rule actions are triggered. You cannot specify the throttle interval at both the rule and action level. If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Index threshold + type: object + Kibana_HTTP_APIs_IngestStreamLifecycle: + anyOf: + - additionalProperties: false + type: object + properties: + dsl: + additionalProperties: false + type: object + properties: + data_retention: + description: A non-empty string. + minLength: 1 + type: string + downsample: + items: + type: object + properties: + after: + description: A non-empty string. + minLength: 1 + type: string + fixed_interval: + description: A non-empty string. + minLength: 1 + type: string + required: + - after + - fixed_interval + type: array + required: + - dsl + - additionalProperties: false + type: object + properties: + ilm: + additionalProperties: false + type: object + properties: + policy: + description: A non-empty string. 
+ minLength: 1 + type: string + required: + - policy + required: + - ilm + - additionalProperties: false + type: object + properties: + inherit: + additionalProperties: false + type: object + properties: {} + required: + - inherit + Kibana_HTTP_APIs_install_kibana_assets_request: + additionalProperties: false + properties: + force: + type: boolean + space_ids: + description: When provided, assets are installed in the specified spaces instead of the current space. + items: + type: string + maxItems: 100 + minItems: 1 + type: array + title: install_kibana_assets_request + type: object + Kibana_HTTP_APIs_install_kibana_assets_response: + additionalProperties: false + properties: + success: + type: boolean + required: + - success + title: install_kibana_assets_response + type: object + Kibana_HTTP_APIs_install_package_from_registry_request: + additionalProperties: false + properties: + force: + default: false + type: boolean + ignore_constraints: + default: false + type: boolean + title: install_package_from_registry_request + type: object + Kibana_HTTP_APIs_install_package_response: + additionalProperties: false + properties: + _meta: + additionalProperties: false + type: object + properties: + install_source: + type: string + name: + type: string + required: + - install_source + - name + items: + items: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kibana_asset_reference' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_es_asset_reference' + maxItems: 10000 + type: array + required: + - items + - _meta + title: install_package_response + type: object + Kibana_HTTP_APIs_install_rule_assets_request: + additionalProperties: false + properties: + force: + type: boolean + title: install_rule_assets_request + type: object + Kibana_HTTP_APIs_installation_info: + additionalProperties: true + properties: + additional_spaces_installed_kibana: + additionalProperties: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kibana_asset_reference' + maxItems: 100 + 
type: array + type: object + created_at: + type: string + experimental_data_stream_features: + items: + additionalProperties: true + type: object + properties: + data_stream: + type: string + features: + additionalProperties: true + type: object + properties: + doc_value_only_numeric: + type: boolean + doc_value_only_other: + type: boolean + synthetic_source: + type: boolean + tsdb: + type: boolean + required: + - data_stream + - features + maxItems: 100 + type: array + install_format_schema_version: + type: string + install_source: + enum: + - registry + - upload + - bundled + - custom + type: string + install_status: + enum: + - installed + - installing + - install_failed + type: string + installed_es: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_es_asset_reference' + maxItems: 10000 + type: array + installed_kibana: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kibana_asset_reference' + maxItems: 10000 + type: array + installed_kibana_space_id: + type: string + is_rollback_ttl_expired: + type: boolean + latest_executed_state: + additionalProperties: true + type: object + properties: + error: + type: string + name: + type: string + started_at: + type: string + latest_install_failed_attempts: + items: + additionalProperties: true + type: object + properties: + created_at: + type: string + error: + additionalProperties: true + type: object + properties: + message: + type: string + name: + type: string + stack: + type: string + required: + - name + - message + target_version: + type: string + required: + - created_at + - target_version + - error + maxItems: 10 + type: array + name: + type: string + namespaces: + items: + type: string + maxItems: 100 + type: array + previous_version: + nullable: true + type: string + rolled_back: + type: boolean + type: + type: string + updated_at: + type: string + verification_key_id: + nullable: true + type: string + verification_status: + enum: + - unverified + - verified + - unknown + type: string + version: 
+ type: string + required: + - type + - installed_kibana + - installed_es + - name + - version + - install_status + - install_source + - verification_status + title: installation_info + type: object + Kibana_HTTP_APIs_installed_package: + additionalProperties: false + properties: + dataStreams: + items: + additionalProperties: false + type: object + properties: + name: + type: string + title: + type: string + required: + - name + - title + maxItems: 10000 + type: array + description: + type: string + icons: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_icon' + maxItems: 100 + type: array + name: + type: string + status: + type: string + title: + type: string + version: + type: string + required: + - name + - version + - status + - dataStreams + title: installed_package + type: object + Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeConditionFilterSchema: + additionalProperties: false + description: A filter that evaluates a single field condition such as equality, range, or existence. + properties: + condition: + description: A filter condition with strict operator/value type matching. 
+ discriminator: + mapping: + exists: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_exists' + is: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_is' + is_one_of: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_is_one_of' + range: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_range' + propertyName: operator + oneOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_is' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_is_one_of' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_range' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_exists' + controlled_by: + description: Identifier of the panel that manages this filter. When set, the filter is treated as owned by that panel. + type: string + data_view_id: + description: Identifier of the data view used as context for this filter. + type: string + disabled: + description: When `true`, the filter is inactive and does not affect query results. Defaults to `false`. + type: boolean + is_multi_index: + description: When `true`, the filter can be applied across multiple indices. Defaults to `false`. + type: boolean + label: + description: Human-readable label for the filter, used for display purposes. + type: string + negate: + description: When `true`, the filter is negated and matches documents that do NOT satisfy the condition. Defaults to `false`. 
+ type: boolean + type: + enum: + - condition + type: string + required: + - type + - condition + title: condition + type: object + Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeDSLFilterSchema: + additionalProperties: false + description: A filter expressed as a raw [Elasticsearch Query DSL](https://www.elastic.co/docs/reference/query-languages/querydsl) object, used for queries that cannot be represented by condition or group filters. + properties: + controlled_by: + description: Identifier of the panel that manages this filter. When set, the filter is treated as owned by that panel. + type: string + data_view_id: + description: Identifier of the data view used as context for this filter. + type: string + disabled: + description: When `true`, the filter is inactive and does not affect query results. Defaults to `false`. + type: boolean + dsl: + additionalProperties: + nullable: true + description: Elasticsearch Query DSL object passed directly to the query. + type: object + field: + description: Field name for scripted filters where the field cannot be extracted from the DSL query. + type: string + is_multi_index: + description: When `true`, the filter can be applied across multiple indices. Defaults to `false`. + type: boolean + label: + description: Human-readable label for the filter, used for display purposes. + type: string + negate: + description: When `true`, the filter is negated and matches documents that do NOT satisfy the condition. Defaults to `false`. + type: boolean + params: + description: Filter parameters metadata. May contain display values, formats, and parameters for scripted filters. + nullable: true + type: + enum: + - dsl + type: string + required: + - type + - dsl + - params + title: dsl + type: object + Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeGroupFilterSchema: + additionalProperties: false + description: A filter that combines multiple conditions or nested groups using a logical `and` or `or` operator. 
+ properties: + controlled_by: + description: Identifier of the panel that manages this filter. When set, the filter is treated as owned by that panel. + type: string + data_view_id: + description: Identifier of the data view used as context for this filter. + type: string + disabled: + description: When `true`, the filter is inactive and does not affect query results. Defaults to `false`. + type: boolean + group: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_groupFilter' + is_multi_index: + description: When `true`, the filter can be applied across multiple indices. Defaults to `false`. + type: boolean + label: + description: Human-readable label for the filter, used for display purposes. + type: string + negate: + description: When `true`, the filter is negated and matches documents that do NOT satisfy the condition. Defaults to `false`. + type: boolean + type: + enum: + - group + type: string + required: + - type + - group + title: group + type: object + Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeSpatialFilterSchema: + additionalProperties: false + description: A filter that applies an Elasticsearch geo query, used for geographic boundary and shape matching. + properties: + controlled_by: + description: Identifier of the panel that manages this filter. When set, the filter is treated as owned by that panel. + type: string + data_view_id: + description: Identifier of the data view used as context for this filter. + type: string + disabled: + description: When `true`, the filter is inactive and does not affect query results. Defaults to `false`. + type: boolean + dsl: + additionalProperties: + nullable: true + description: Elasticsearch geo query DSL object. + type: object + is_multi_index: + description: When `true`, the filter can be applied across multiple indices. Defaults to `false`. + type: boolean + label: + description: Human-readable label for the filter, used for display purposes. 
+ type: string + negate: + description: When `true`, the filter is negated and matches documents that do NOT satisfy the condition. Defaults to `false`. + type: boolean + type: + enum: + - spatial + type: string + required: + - type + - dsl + title: spatial + type: object + Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_exists: + additionalProperties: false + description: Matches documents where `field` exists and contains a non-null value. + properties: + field: + description: Name of the document field the condition evaluates. + type: string + negate: + description: When `true`, the filter is negated and matches documents that do NOT satisfy the condition. Defaults to `false`. + type: boolean + operator: + enum: + - exists + type: string + required: + - field + - operator + title: exists + type: object + Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_is: + additionalProperties: false + description: Matches documents where `field` equals a single specified value. + properties: + field: + description: Name of the document field the condition evaluates. + type: string + negate: + description: When `true`, the filter is negated and matches documents that do NOT satisfy the condition. Defaults to `false`. + type: boolean + operator: + enum: + - is + type: string + value: + anyOf: + - title: value + type: string + - title: value + type: number + - title: value + type: boolean + description: Single value to compare against the field. + required: + - field + - operator + - value + title: is + type: object + Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_is_one_of: + additionalProperties: false + description: Matches documents where `field` equals any value in a provided list. + properties: + field: + description: Name of the document field the condition evaluates. + type: string + negate: + description: When `true`, the filter is negated and matches documents that do NOT satisfy the condition. Defaults to `false`. 
+ type: boolean + operator: + enum: + - is_one_of + type: string + value: + anyOf: + - items: + type: string + maxItems: 10000 + type: array + - items: + type: number + maxItems: 10000 + type: array + - items: + type: boolean + maxItems: 10000 + type: array + description: Homogeneous array of values to match against the field. + required: + - field + - operator + - value + title: is_one_of + type: object + Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_range: + additionalProperties: false + description: Matches documents where `field` falls within a specified numeric or date range. + properties: + field: + description: Name of the document field the condition evaluates. + type: string + negate: + description: When `true`, the filter is negated and matches documents that do NOT satisfy the condition. Defaults to `false`. + type: boolean + operator: + enum: + - range + type: string + value: + additionalProperties: false + description: Boundary values for a range comparison. + type: object + properties: + format: + description: Elasticsearch [date format](https://www.elastic.co/docs/reference/elasticsearch/mapping-reference/mapping-date-format) string applied when parsing date boundary values. For example, `strict_date_optional_time` or `epoch_millis`. + type: string + gt: + anyOf: + - type: number + - type: string + description: Greater than. + gte: + anyOf: + - type: number + - type: string + description: Greater than or equal to. + lt: + anyOf: + - type: number + - type: string + description: Less than. + lte: + anyOf: + - type: number + - type: string + description: Less than or equal to. + required: + - field + - operator + - value + title: range + type: object + Kibana_HTTP_APIs_kbn-as-code-filters-schema_groupFilter: + additionalProperties: false + description: Logical group that combines one or more conditions or nested groups. + properties: + conditions: + description: Ordered list of conditions or nested groups combined by the group `operator`. 
+ items: + anyOf: + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_is' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_is_one_of' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_range' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_exists' + description: A filter condition with strict operator/value type matching. + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_groupFilter' + type: array + operator: + description: Logical operator applied across all entries in `conditions`. Use `and` to require all conditions, or `or` to require at least one. + enum: + - and + - or + type: string + required: + - operator + - conditions + title: kbn-as-code-filters-schema_groupFilter + type: object + Kibana_HTTP_APIs_kbn-as-code-meta: + additionalProperties: false + properties: + created_at: + description: Timestamp when the object was created (ISO 8601). + type: string + created_by: + description: User profile ID of the user who created the object. + type: string + managed: + description: When `true`, the object is managed by Kibana and cannot be edited by users. + type: boolean + owner: + description: Identifier of the plugin or team that owns this object. + type: string + updated_at: + description: Timestamp when the object was last updated (ISO 8601). + type: string + updated_by: + description: User profile ID of the user who last updated the object. + type: string + version: + description: Internal version identifier for optimistic concurrency control. + type: string + title: kbn-as-code-meta + type: object + Kibana_HTTP_APIs_kbn-as-code-query: + additionalProperties: false + description: A search query consisting of an expression and its language. Supports KQL and Lucene syntax. + properties: + expression: + description: A query expression in KQL or Lucene syntax. 
+ type: string + language: + description: Query language. Use `kql` for Kibana Query Language (KQL) or `lucene` for Lucene query syntax. + enum: + - kql + - lucene + type: string + required: + - expression + - language + title: Query + type: object + Kibana_HTTP_APIs_kbn-composite-runtime-field-schema: + additionalProperties: false + properties: + fields: + additionalProperties: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-field-setting' + type: object + script: + description: The script that defines the runtime field. This should be a painless script that computes the field value at query time. Runtime fields without a script retrieve values from _source. If the field doesn't exist in _source, a search request returns no value. + minLength: 1 + title: Script + type: string + type: + enum: + - composite + type: string + required: + - type + - fields + title: Composite runtime field + type: object + Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema: + additionalProperties: false + properties: + id: + type: string + name: + type: string + type: + type: string + required: + - name + - type + - id + title: kbn-content-management-utils-referenceSchema + type: object + Kibana_HTTP_APIs_kbn-controls-schemas-controls-group-schema-esql-control: + additionalProperties: false + description: An ES|QL variable control whose selected value is injected into ES|QL visualizations using the `?variable_name` syntax. Options can come from a fixed list or an ES|QL query. Define the options source in `config`. 
+ properties: + config: + discriminator: + mapping: + STATIC_VALUES: '#/components/schemas/Kibana_HTTP_APIs_kbn-controls-schemas-options-list-esql-control-schema-static-values' + VALUES_FROM_QUERY: '#/components/schemas/Kibana_HTTP_APIs_kbn-controls-schemas-options-list-esql-control-schema-values-from-query' + propertyName: control_type + oneOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-controls-schemas-options-list-esql-control-schema-static-values' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-controls-schemas-options-list-esql-control-schema-values-from-query' + grow: + default: false + description: When `true`, the control expands to fill any available horizontal space. Defaults to `false`. + type: boolean + id: + description: The unique ID of the control + type: string + type: + enum: + - esql_control + type: string + width: + default: medium + description: Minimum width of the control panel. + enum: + - small + - medium + - large + type: string + required: + - type + - config + title: esql_control + type: object + Kibana_HTTP_APIs_kbn-controls-schemas-controls-group-schema-options-list-control: + additionalProperties: false + description: A dropdown control that filters data by selecting field values from a data view. Define the data view, field, and selection settings in `config`. + properties: + config: + additionalProperties: false + type: object + properties: + data_view_id: + description: The ID of the data view that provides field options for this control. + minLength: 1 + type: string + display_settings: + additionalProperties: false + type: object + properties: + hide_action_bar: + description: When `true`, the search bar, sorting options, and select all toggle are hidden from the control. + type: boolean + hide_exclude: + description: When `true`, the exclude mode toggle is hidden from the control. + type: boolean + hide_exists: + description: When `true`, the exists filter option is hidden from the control. 
+ type: boolean + hide_sort: + description: When `true`, the sort selector is hidden from the control. + type: boolean + placeholder: + description: Placeholder text displayed in the control input when no option is selected. + type: string + exclude: + default: false + description: When `true`, the control filters to documents that do NOT match the selected options. Defaults to `false`. + type: boolean + exists_selected: + default: false + description: When `true`, the control filters to documents where the field exists, regardless of the field's value. Defaults to `false`. + type: boolean + field_name: + description: The name of the field in the data view that this control filters on. + minLength: 1 + type: string + ignore_validations: + default: false + description: When `true`, the control skips selection validation and does not report which selections are responsible for returning zero results. Defaults to `false`. + type: boolean + run_past_timeout: + default: false + description: When `true`, the options list query continues running even if it exceeds the configured timeout threshold. Defaults to `false`. + type: boolean + search_technique: + default: wildcard + description: The matching technique used when searching available options. `prefix` matches values starting with the search term, `wildcard` matches values containing the search term, and `exact` requires a complete match. Only applies to string and IP fields. Defaults to `wildcard`. + enum: + - prefix + - wildcard + - exact + type: string + selected_options: + default: [] + description: The list of currently selected option values. + items: + anyOf: + - type: string + - type: number + description: A selected option value. Accepts a string or a number. + maxItems: 10000 + type: array + single_select: + default: false + description: When `true`, only one option can be selected at a time. Selecting a new option deselects any previously selected option. Defaults to `false`. 
+ type: boolean + sort: + additionalProperties: false + default: + by: _count + direction: desc + description: 'Defines how the available options are sorted in the control popover. Defaults to `{ by: "_count", direction: "desc" }`.' + type: object + properties: + by: + description: The field used to sort the available options list. `_count` sorts by document count and `_key` sorts alphabetically by option value. + enum: + - _count + - _key + type: string + direction: + description: The sort direction. `asc` sorts ascending and `desc` sorts descending. + enum: + - asc + - desc + type: string + required: + - by + - direction + title: + description: A human-readable title for the control. + type: string + use_global_filters: + default: true + description: When `true`, the control's available options are narrowed by the page's active filters. Defaults to `true`. + type: boolean + required: + - data_view_id + - field_name + grow: + default: false + description: When `true`, the control expands to fill any available horizontal space. Defaults to `false`. + type: boolean + id: + description: The unique ID of the control + type: string + type: + enum: + - options_list_control + type: string + width: + default: medium + description: Minimum width of the control panel. + enum: + - small + - medium + - large + type: string + required: + - type + - config + title: options_list_control + type: object + Kibana_HTTP_APIs_kbn-controls-schemas-controls-group-schema-range-slider-control: + additionalProperties: false + description: A slider control that filters data by selecting a numeric range for the configured field. Define the data view, field, and selection settings in `config`. + properties: + config: + additionalProperties: false + type: object + properties: + data_view_id: + description: The ID of the data view that provides field options for this control. 
+ minLength: 1 + type: string + field_name: + description: The name of the field in the data view that this control filters on. + minLength: 1 + type: string + ignore_validations: + default: false + description: When `true`, the control skips selection validation and does not report which selections are responsible for returning zero results. Defaults to `false`. + type: boolean + step: + default: 1 + description: The step size between selectable range values. + minimum: 0 + type: number + title: + description: A human-readable title for the control. + type: string + use_global_filters: + default: true + description: When `true`, the control's available options are narrowed by the page's active filters. Defaults to `true`. + type: boolean + value: + description: The selected range as a two-element array of strings representing the lower and upper bound values, for example `["10", "50"]`. + items: + type: string + maxItems: 2 + minItems: 2 + type: array + required: + - data_view_id + - field_name + grow: + default: false + description: When `true`, the control expands to fill any available horizontal space. Defaults to `false`. + type: boolean + id: + description: The unique ID of the control + type: string + type: + enum: + - range_slider_control + type: string + width: + default: medium + description: Minimum width of the control panel. + enum: + - small + - medium + - large + type: string + required: + - type + - config + title: range_slider_control + type: object + Kibana_HTTP_APIs_kbn-controls-schemas-controls-group-schema-time-slider-control: + additionalProperties: false + description: A control panel that filters a time field to a selected sub-range of the global time range. Define the start and end positions in `config` as fractions of the global range (0 to 1). 
+ properties: + config: + additionalProperties: false + type: object + properties: + end_percentage_of_time_range: + default: 1 + description: The end of the selected time window expressed as a fraction of the global time range, where `0` is the beginning and `1` is the end of the range. + maximum: 1 + minimum: 0 + type: number + is_anchored: + default: false + description: When `true`, the start of the time window is fixed at the beginning of the global time range. Only the end of the window can be adjusted. Defaults to `false`. + type: boolean + start_percentage_of_time_range: + default: 0 + description: The start of the selected time window expressed as a fraction of the global time range, where `0` is the beginning and `1` is the end of the range. + maximum: 1 + minimum: 0 + type: number + grow: + default: false + description: When `true`, the control expands to fill any available horizontal space. Defaults to `false`. + type: boolean + id: + description: The unique ID of the control + type: string + type: + enum: + - time_slider_control + type: string + width: + default: medium + description: Minimum width of the control panel. + enum: + - small + - medium + - large + type: string + required: + - type + - config + title: time_slider_control + type: object + Kibana_HTTP_APIs_kbn-controls-schemas-options-list-esql-control-schema-static-values: + additionalProperties: false + description: An ES|QL variable control with a fixed list of selectable options defined directly in `available_options`. + properties: + available_options: + description: A fixed list of option strings displayed in the control. + items: + type: string + maxItems: 1000 + type: array + control_type: + enum: + - STATIC_VALUES + type: string + display_settings: + additionalProperties: false + type: object + properties: + hide_action_bar: + description: When `true`, the search bar, sorting options, and select all toggle are hidden from the control. 
+ type: boolean + hide_exclude: + description: When `true`, the exclude mode toggle is hidden from the control. + type: boolean + hide_exists: + description: When `true`, the exists filter option is hidden from the control. + type: boolean + hide_sort: + description: When `true`, the sort selector is hidden from the control. + type: boolean + placeholder: + description: Placeholder text displayed in the control input when no option is selected. + type: string + selected_options: + description: The list of currently selected option values. + items: + type: string + maxItems: 10000 + type: array + single_select: + default: true + description: When `true`, only one option can be selected at a time. Selecting a new option deselects any previously selected option. Defaults to `true`. + type: boolean + title: + description: A human-readable title for the control. + type: string + variable_name: + description: The name of the ES|QL variable that this control populates. The variable is referenced in ES|QL queries using the `?variable_name` syntax. + type: string + variable_type: + description: The ES|QL variable type that determines how the selected value is substituted into the query. Accepts `fields`, `values`, `functions`, `time_literal`, or `multi_values`. + enum: + - fields + - values + - functions + - time_literal + - multi_values + type: string + required: + - selected_options + - variable_name + - variable_type + - control_type + - available_options + title: STATIC_VALUES + type: object + Kibana_HTTP_APIs_kbn-controls-schemas-options-list-esql-control-schema-values-from-query: + additionalProperties: false + description: An ES|QL variable control whose selectable options are dynamically retrieved by running an ES|QL query. 
+ properties: + control_type: + enum: + - VALUES_FROM_QUERY + type: string + display_settings: + additionalProperties: false + type: object + properties: + hide_action_bar: + description: When `true`, the search bar, sorting options, and select all toggle are hidden from the control. + type: boolean + hide_exclude: + description: When `true`, the exclude mode toggle is hidden from the control. + type: boolean + hide_exists: + description: When `true`, the exists filter option is hidden from the control. + type: boolean + hide_sort: + description: When `true`, the sort selector is hidden from the control. + type: boolean + placeholder: + description: Placeholder text displayed in the control input when no option is selected. + type: string + esql_query: + description: An ES|QL query whose results populate the list of available options in the control popover. + type: string + selected_options: + description: The list of currently selected option values. + items: + type: string + maxItems: 10000 + type: array + single_select: + default: true + description: When `true`, only one option can be selected at a time. Selecting a new option deselects any previously selected option. Defaults to `true`. + type: boolean + title: + description: A human-readable title for the control. + type: string + variable_name: + description: The name of the ES|QL variable that this control populates. The variable is referenced in ES|QL queries using the `?variable_name` syntax. + type: string + variable_type: + description: The ES|QL variable type that determines how the selected value is substituted into the query. Accepts `fields`, `values`, `functions`, `time_literal`, or `multi_values`. 
+ enum: + - fields + - values + - functions + - time_literal + - multi_values + type: string + required: + - selected_options + - variable_name + - variable_type + - control_type + - esql_query + title: VALUES_FROM_QUERY + type: object + Kibana_HTTP_APIs_kbn-dashboard-access-control: + additionalProperties: false + description: Access control settings for the dashboard. + properties: + access_mode: + description: Controls edit access to the dashboard. Set to `write_restricted` to prevent edits by users without explicit write permission. Defaults to `default` (all viewers can edit). + enum: + - write_restricted + - default + type: string + title: Access control + type: object + Kibana_HTTP_APIs_kbn-dashboard-data: + additionalProperties: false + properties: + access_control: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-access-control' + description: + description: A short description of the dashboard. + type: string + filters: + description: Filters applied across all panels, including pinned panels. + items: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeConditionFilterSchema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeGroupFilterSchema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeDSLFilterSchema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeSpatialFilterSchema' + description: A filter applied to query results. Can be a field condition (`condition`), a logical group of conditions (`group`), a raw Elasticsearch DSL query (`dsl`), or a geo spatial query (`spatial`). + maxItems: 500 + type: array + options: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-options' + panels: + default: [] + description: Panels and sections in the dashboard. Each entry is either a panel (with a `type` and `config`) or a collapsible section (with a `title`, `collapsed` state, and nested `panels`). 
+ items: + anyOf: + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-apm_service_map' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-aiops_change_point_chart' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-discover_session' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-esql_control' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-image' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-links' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-markdown' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-options_list_control' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-range_slider_control' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_alerts' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_burn_rate' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_error_budget' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_overview' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-synthetics_monitors' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-synthetics_stats_overview' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-time_slider_control' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-vis' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-section' + maxItems: 100 + type: array + pinned_panels: + default: [] + description: An array of control panels and their state in the control group. 
+ items: + discriminator: + mapping: + esql_control: '#/components/schemas/Kibana_HTTP_APIs_kbn-controls-schemas-controls-group-schema-esql-control' + options_list_control: '#/components/schemas/Kibana_HTTP_APIs_kbn-controls-schemas-controls-group-schema-options-list-control' + range_slider_control: '#/components/schemas/Kibana_HTTP_APIs_kbn-controls-schemas-controls-group-schema-range-slider-control' + time_slider_control: '#/components/schemas/Kibana_HTTP_APIs_kbn-controls-schemas-controls-group-schema-time-slider-control' + propertyName: type + oneOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-controls-schemas-controls-group-schema-esql-control' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-controls-schemas-controls-group-schema-options-list-control' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-controls-schemas-controls-group-schema-range-slider-control' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-controls-schemas-controls-group-schema-time-slider-control' + maxItems: 100 + type: array + project_routing: + description: Controls [cross-project search](https://www.elastic.co/docs/explore-analyze/cross-project-search/cross-project-search-project-routing) behavior for this dashboard (Serverless only). Set to `_alias:_origin` to scope data to the current project, or `_alias:*` to search across all projects. When omitted, the space default applies. + type: string + query: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-query' + refresh_interval: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-service-server-refreshIntervalSchema' + tags: + description: Tag IDs to associate with this dashboard. + items: + type: string + maxItems: 100 + type: array + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + description: A human-readable title for the dashboard. 
+ minLength: 1 + type: string + required: + - title + title: kbn-dashboard-data + type: object + Kibana_HTTP_APIs_kbn-dashboard-dropped-panel-warning: + additionalProperties: false + description: A panel that was excluded from the response because its type is not supported by the API. + properties: + message: + description: Human-readable explanation of why the panel was dropped. + type: string + panel_config: + additionalProperties: true + description: The original configuration of the dropped panel. + type: object + properties: {} + panel_references: + description: Saved object references used by the dropped panel. + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + maxItems: 100 + type: array + panel_type: + description: The type identifier of the dropped panel. + type: string + type: + enum: + - dropped_panel + type: string + required: + - type + - message + - panel_type + - panel_config + title: Dropped panel + type: object + Kibana_HTTP_APIs_kbn-dashboard-options: + additionalProperties: false + default: + auto_apply_filters: true + hide_panel_borders: false + hide_panel_titles: false + sync_colors: false + sync_cursor: true + sync_tooltips: false + use_margins: true + description: Display and behavior settings for the dashboard. + properties: + auto_apply_filters: + default: true + description: When `true`, control filter changes are applied automatically. When `false`, control filter changes are applied manually through the dashboard's search update button. Defaults to `true`. + type: boolean + hide_panel_borders: + default: false + description: When `true`, panel borders are hidden. Defaults to `false`. + type: boolean + hide_panel_titles: + default: false + description: When `true`, panel titles are hidden. Defaults to `false`. + type: boolean + sync_colors: + default: false + description: When `true`, colors are synchronized across panels that share a data source. Defaults to `false`. 
+ type: boolean + sync_cursor: + default: true + description: When `true`, the cursor position is synchronized across panels. Defaults to `true`. + type: boolean + sync_tooltips: + default: false + description: When `true`, tooltips are synchronized across panels. Defaults to `false`. + type: boolean + use_margins: + default: true + description: When `true`, panels are separated by a margin. Defaults to `true`. + type: boolean + title: Options + type: object + Kibana_HTTP_APIs_kbn-dashboard-panel-grid: + additionalProperties: false + description: The position and size of the panel on the dashboard grid. + properties: + h: + default: 15 + description: The height of the panel in grid units. Minimum `1`. Defaults to `15`. + minimum: 1 + type: number + w: + default: 24 + description: The width of the panel in grid units. Minimum `1`, maximum `48`. Defaults to `24`. + maximum: 48 + minimum: 1 + type: number + x: + description: The x coordinate of the panel in grid units. + type: number + 'y': + description: The y coordinate of the panel in grid units. + type: number + required: + - x + - 'y' + title: Panel grid + type: object + Kibana_HTTP_APIs_kbn-dashboard-panel-type-aiops_change_point_chart: + additionalProperties: false + properties: + config: + $ref: '#/components/schemas/Kibana_HTTP_APIs_aiops_change_point_chart' + grid: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' + id: + description: The unique ID of the panel. + type: string + type: + enum: + - aiops_change_point_chart + type: string + required: + - grid + - type + - config + title: Change point detection chart + type: object + Kibana_HTTP_APIs_kbn-dashboard-panel-type-apm_service_map: + additionalProperties: false + properties: + config: + $ref: '#/components/schemas/Kibana_HTTP_APIs_apm-service-map-embeddable' + grid: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' + id: + description: The unique ID of the panel. 
+ type: string + type: + enum: + - apm_service_map + type: string + required: + - grid + - type + - config + title: APM Service map + type: object + Kibana_HTTP_APIs_kbn-dashboard-panel-type-discover_session: + additionalProperties: false + properties: + config: + anyOf: + - additionalProperties: false + description: Panel configuration stored inline + properties: + description: + type: string + drilldowns: + items: + additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_open_panel_menu + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + hide_border: + type: boolean + hide_title: + type: boolean + tabs: + description: Inline tab configuration. Used when no `ref_id` is set. Currently supports one tab. + items: + anyOf: + - additionalProperties: false + type: object + properties: + column_order: + description: Ordered list of field names to display in the data table. If omitted, defaults to the advanced setting "defaultColumns" or the referenced saved object. + items: + description: Field name of a column in display order. + type: string + maxItems: 100 + type: array + column_settings: + additionalProperties: + additionalProperties: false + type: object + properties: + width: + description: Optional width of the column in pixels. + minimum: 0 + type: number + description: Per-column presentation settings keyed by field name (e.g. widths). Keys should correspond to entries in `column_order` when both are set. 
+ type: object + data_source: + discriminator: + mapping: + data_view_reference: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' + data_view_spec: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' + propertyName: type + oneOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' + density: + description: Data grid density. Choose "compact", "expanded", or "normal" for row spacing. If omitted, defaults to Discover or embeddable defaults (e.g. user preference / local storage). + enum: + - compact + - expanded + - normal + type: string + filters: + default: [] + description: List of filters to apply to the data in the tab. + items: + description: A filter applied to query results. Can be a field condition (`condition`), a logical group of conditions (`group`), a raw Elasticsearch DSL query (`dsl`), or a geo spatial query (`spatial`). + discriminator: + mapping: + condition: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeConditionFilterSchema' + dsl: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeDSLFilterSchema' + group: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeGroupFilterSchema' + spatial: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeSpatialFilterSchema' + propertyName: type + oneOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeConditionFilterSchema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeGroupFilterSchema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeDSLFilterSchema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeSpatialFilterSchema' + maxItems: 100 + type: array + header_row_height: + anyOf: + - maximum: 5 + minimum: 1 + type: number + - enum: + - auto + type: string + 
description: Header row height. Use a number (1–5) or "auto" to size based on content. If omitted, defaults to Discover or embeddable defaults (e.g. user preference / local storage). + query: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-query' + row_height: + anyOf: + - maximum: 20 + minimum: 1 + type: number + - enum: + - auto + type: string + description: Data row height. Use a number (1–20) or "auto" to size based on content. If omitted, defaults to the advanced setting "discover:rowHeightOption". + rows_per_page: + description: The number of rows to display per page in the data table. If omitted, defaults to the advanced setting "discover:sampleRowsPerPage". + maximum: 10000 + minimum: 1 + type: number + sample_size: + description: The number of documents to sample for the data table. If omitted, defaults to the advanced setting "discover:sampleSize". + maximum: 10000 + minimum: 10 + type: number + sort: + default: [] + description: Sort configuration for the data table (field and direction). + items: + additionalProperties: false + type: object + properties: + direction: + description: 'The direction to sort the field by: Use "asc" for ascending or "desc" for descending.' + enum: + - asc + - desc + type: string + name: + description: The name of the field to sort by. + type: string + required: + - name + - direction + maxItems: 100 + type: array + view_mode: + default: documents + description: Discover view mode. Choose "documents" (search hits), "patterns" (pattern analysis), or "aggregated" (field statistics). + enum: + - documents + - patterns + - aggregated + type: string + required: + - data_source + - additionalProperties: false + type: object + properties: + column_order: + description: Ordered list of field names to display in the data table. If omitted, defaults to the advanced setting "defaultColumns" or the referenced saved object. + items: + description: Field name of a column in display order. 
+ type: string + maxItems: 100 + type: array + column_settings: + additionalProperties: + additionalProperties: false + type: object + properties: + width: + description: Optional width of the column in pixels. + minimum: 0 + type: number + description: Per-column presentation settings keyed by field name (e.g. widths). Keys should correspond to entries in `column_order` when both are set. + type: object + data_source: + $ref: '#/components/schemas/Kibana_HTTP_APIs_esqlDataSource' + density: + description: Data grid density. Choose "compact", "expanded", or "normal" for row spacing. If omitted, defaults to Discover or embeddable defaults (e.g. user preference / local storage). + enum: + - compact + - expanded + - normal + type: string + header_row_height: + anyOf: + - maximum: 5 + minimum: 1 + type: number + - enum: + - auto + type: string + description: Header row height. Use a number (1–5) or "auto" to size based on content. If omitted, defaults to Discover or embeddable defaults (e.g. user preference / local storage). + row_height: + anyOf: + - maximum: 20 + minimum: 1 + type: number + - enum: + - auto + type: string + description: Data row height. Use a number (1–20) or "auto" to size based on content. If omitted, defaults to the advanced setting "discover:rowHeightOption". + sort: + default: [] + description: Sort configuration for the data table (field and direction). + items: + additionalProperties: false + type: object + properties: + direction: + description: 'The direction to sort the field by: Use "asc" for ascending or "desc" for descending.' + enum: + - asc + - desc + type: string + name: + description: The name of the field to sort by. 
+ type: string + required: + - name + - direction + maxItems: 100 + type: array + required: + - data_source + maxItems: 1 + minItems: 1 + type: array + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + required: + - tabs + title: By value + type: object + - additionalProperties: false + description: Panel configuration stored in a linked library item + properties: + description: + type: string + drilldowns: + items: + additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_open_panel_menu + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + hide_border: + type: boolean + hide_title: + type: boolean + overrides: + additionalProperties: false + default: {} + type: object + properties: + column_order: + description: When set, overrides column order for the data table relative to the referenced saved object (`ref_id`) or the inline tab in `tabs`. If omitted, the source configuration is used. + items: + description: Field name of a column in display order. + type: string + maxItems: 100 + type: array + column_settings: + additionalProperties: + additionalProperties: false + type: object + properties: + width: + description: Optional width of the column in pixels. + minimum: 0 + type: number + description: Per-column presentation overrides (e.g. widths) keyed by field name. When set, merges with the source configuration for the referenced session or inline tab. 
+ type: object + density: + description: 'Data grid row spacing: `compact`, `expanded`, or `normal`. When set, overrides the referenced saved object or the inline tab config in `tabs`. If omitted, the source configuration is used.' + enum: + - compact + - expanded + - normal + type: string + header_row_height: + anyOf: + - maximum: 5 + minimum: 1 + type: number + - enum: + - auto + type: string + description: 'Header row height: number (1–5) or `auto`. When set, overrides the referenced saved object or the inline tab config in `tabs`. If omitted, the source configuration is used.' + row_height: + anyOf: + - maximum: 20 + minimum: 1 + type: number + - enum: + - auto + type: string + description: 'Data row height: number (1–20) or `auto`. When set, overrides the referenced saved object or the inline tab config in `tabs`. If omitted, falls back to the source or to the advanced setting "discover:rowHeightOption".' + rows_per_page: + description: Number of rows per page. When set, overrides the referenced saved object or the inline tab config in `tabs`. If omitted, falls back to the source or to the advanced setting "discover:sampleRowsPerPage". + maximum: 10000 + minimum: 1 + type: number + sample_size: + description: Number of documents to sample. When set, overrides the referenced saved object or the inline tab config in `tabs`. If omitted, falls back to the source or to the advanced setting "discover:sampleSize". + maximum: 10000 + minimum: 10 + type: number + sort: + description: Sort configuration (field and direction) for the data table. When set, overrides the referenced saved object or the inline tab config in `tabs`. If omitted, the source configuration is used. + items: + additionalProperties: false + type: object + properties: + direction: + description: 'The direction to sort the field by: Use "asc" for ascending or "desc" for descending.' + enum: + - asc + - desc + type: string + name: + description: The name of the field to sort by. 
+ type: string + required: + - name + - direction + maxItems: 100 + type: array + ref_id: + type: string + selected_tab_id: + description: Tab to select from the referenced saved object. If omitted, defaults to the first tab. + type: string + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + required: + - ref_id + title: By reference + type: object + grid: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' + id: + description: The unique ID of the panel. + type: string + type: + enum: + - discover_session + type: string + required: + - grid + - type + - config + title: Discover session + type: object + Kibana_HTTP_APIs_kbn-dashboard-panel-type-esql_control: + additionalProperties: false + properties: + config: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-controls-schemas-options-list-esql-control-schema-static-values' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-controls-schemas-options-list-esql-control-schema-values-from-query' + grid: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' + id: + description: The unique ID of the panel. + type: string + type: + enum: + - esql_control + type: string + required: + - grid + - type + - config + title: ES|QL variable control + type: object + Kibana_HTTP_APIs_kbn-dashboard-panel-type-image: + additionalProperties: false + properties: + config: + additionalProperties: false + description: Image embeddable schema + type: object + properties: + description: + type: string + drilldowns: + items: + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. 
+ type: boolean + trigger: + enum: + - on_click_image + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. + type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_image + - on_open_panel_menu + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + hide_border: + type: boolean + hide_title: + type: boolean + image_config: + additionalProperties: false + type: object + properties: + alt_text: + type: string + background_color: + type: string + object_fit: + default: contain + description: How the image should be sized within its container + enum: + - fill + - contain + - cover + - none + type: string + src: + anyOf: + - additionalProperties: false + properties: + file_id: + type: string + type: + enum: + - file + type: string + required: + - type + - file_id + title: file + type: object + - additionalProperties: false + properties: + type: + enum: + - url + type: string + url: + description: URL of the image + type: string + required: + - type + - url + title: url + type: object + description: Image source + required: + - src + title: + type: string + required: + - image_config + grid: + $ref: 
'#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' + id: + description: The unique ID of the panel. + type: string + type: + enum: + - image + type: string + required: + - grid + - type + - config + title: Image + type: object + Kibana_HTTP_APIs_kbn-dashboard-panel-type-links: + additionalProperties: false + properties: + config: + anyOf: + - additionalProperties: false + description: Panel configuration stored inline + properties: + description: + type: string + hide_border: + type: boolean + hide_title: + type: boolean + layout: + description: Denote whether to display the links in a horizontal or vertical layout + enum: + - horizontal + - vertical + type: string + links: + description: The list of links to display + items: + discriminator: + mapping: + dashboardLink: '#/components/schemas/Kibana_HTTP_APIs_kbn-link-panel-type-dashboardLink' + externalLink: '#/components/schemas/Kibana_HTTP_APIs_kbn-link-type-externalLink' + propertyName: type + oneOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-link-panel-type-dashboardLink' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-link-type-externalLink' + maxItems: 100 + type: array + title: + type: string + required: + - links + title: By value + type: object + - additionalProperties: false + description: Panel configuration stored in a linked library item + properties: + description: + type: string + hide_border: + type: boolean + hide_title: + type: boolean + ref_id: + description: The unique identifier of the Links library item + title: Reference ID + type: string + title: + type: string + required: + - ref_id + title: By reference + type: object + description: Links embeddable schema + grid: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' + id: + description: The unique ID of the panel. 
+ type: string + type: + enum: + - links + type: string + required: + - grid + - type + - config + title: Links + type: object + Kibana_HTTP_APIs_kbn-dashboard-panel-type-markdown: + additionalProperties: false + properties: + config: + anyOf: + - additionalProperties: false + description: Panel configuration stored inline + properties: + content: + type: string + description: + type: string + hide_border: + type: boolean + hide_title: + type: boolean + settings: + additionalProperties: false + type: object + properties: + open_links_in_new_tab: + default: true + type: boolean + title: + type: string + required: + - content + - settings + title: By value + type: object + - additionalProperties: false + description: Panel configuration stored in a linked library item + properties: + description: + type: string + hide_border: + type: boolean + hide_title: + type: boolean + ref_id: + description: The unique identifier of the markdown library item. + type: string + title: + type: string + required: + - ref_id + title: By reference + type: object + description: Markdown panel config + grid: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' + id: + description: The unique ID of the panel. + type: string + type: + enum: + - markdown + type: string + required: + - grid + - type + - config + title: Markdown + type: object + Kibana_HTTP_APIs_kbn-dashboard-panel-type-options_list_control: + additionalProperties: false + properties: + config: + additionalProperties: false + type: object + properties: + data_view_id: + description: The ID of the data view that provides field options for this control. + minLength: 1 + type: string + display_settings: + additionalProperties: false + type: object + properties: + hide_action_bar: + description: When `true`, the search bar, sorting options, and select all toggle are hidden from the control. + type: boolean + hide_exclude: + description: When `true`, the exclude mode toggle is hidden from the control. 
+ type: boolean + hide_exists: + description: When `true`, the exists filter option is hidden from the control. + type: boolean + hide_sort: + description: When `true`, the sort selector is hidden from the control. + type: boolean + placeholder: + description: Placeholder text displayed in the control input when no option is selected. + type: string + exclude: + default: false + description: When `true`, the control filters to documents that do NOT match the selected options. Defaults to `false`. + type: boolean + exists_selected: + default: false + description: When `true`, the control filters to documents where the field exists, regardless of the field's value. Defaults to `false`. + type: boolean + field_name: + description: The name of the field in the data view that this control filters on. + minLength: 1 + type: string + ignore_validations: + default: false + description: When `true`, the control skips selection validation and does not report which selections are responsible for returning zero results. Defaults to `false`. + type: boolean + run_past_timeout: + default: false + description: When `true`, the options list query continues running even if it exceeds the configured timeout threshold. Defaults to `false`. + type: boolean + search_technique: + default: wildcard + description: The matching technique used when searching available options. `prefix` matches values starting with the search term, `wildcard` matches values containing the search term, and `exact` requires a complete match. Only applies to string and IP fields. Defaults to `wildcard`. + enum: + - prefix + - wildcard + - exact + type: string + selected_options: + default: [] + description: The list of currently selected option values. + items: + anyOf: + - type: string + - type: number + description: A selected option value. Accepts a string or a number. + maxItems: 10000 + type: array + single_select: + default: false + description: When `true`, only one option can be selected at a time. 
Selecting a new option deselects any previously selected option. Defaults to `false`. + type: boolean + sort: + additionalProperties: false + default: + by: _count + direction: desc + description: 'Defines how the available options are sorted in the control popover. Defaults to `{ by: "_count", direction: "desc" }`.' + type: object + properties: + by: + description: The field used to sort the available options list. `_count` sorts by document count and `_key` sorts alphabetically by option value. + enum: + - _count + - _key + type: string + direction: + description: The sort direction. `asc` sorts ascending and `desc` sorts descending. + enum: + - asc + - desc + type: string + required: + - by + - direction + title: + description: A human-readable title for the control. + type: string + use_global_filters: + default: true + description: When `true`, the control's available options are narrowed by the page's active filters. Defaults to `true`. + type: boolean + required: + - data_view_id + - field_name + grid: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' + id: + description: The unique ID of the panel. + type: string + type: + enum: + - options_list_control + type: string + required: + - grid + - type + - config + title: Options list control + type: object + Kibana_HTTP_APIs_kbn-dashboard-panel-type-range_slider_control: + additionalProperties: false + properties: + config: + additionalProperties: false + type: object + properties: + data_view_id: + description: The ID of the data view that provides field options for this control. + minLength: 1 + type: string + field_name: + description: The name of the field in the data view that this control filters on. + minLength: 1 + type: string + ignore_validations: + default: false + description: When `true`, the control skips selection validation and does not report which selections are responsible for returning zero results. Defaults to `false`. 
+ type: boolean + step: + default: 1 + description: The step size between selectable range values. + minimum: 0 + type: number + title: + description: A human-readable title for the control. + type: string + use_global_filters: + default: true + description: When `true`, the control's available options are narrowed by the page's active filters. Defaults to `true`. + type: boolean + value: + description: The selected range as a two-element array of strings representing the lower and upper bound values, for example `["10", "50"]`. + items: + type: string + maxItems: 2 + minItems: 2 + type: array + required: + - data_view_id + - field_name + grid: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' + id: + description: The unique ID of the panel. + type: string + type: + enum: + - range_slider_control + type: string + required: + - grid + - type + - config + title: Range slider control + type: object + Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_alerts: + additionalProperties: false + properties: + config: + $ref: '#/components/schemas/Kibana_HTTP_APIs_slo-alerts-embeddable' + grid: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' + id: + description: The unique ID of the panel. + type: string + type: + enum: + - slo_alerts + type: string + required: + - grid + - type + - config + title: SLO alerts + type: object + Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_burn_rate: + additionalProperties: false + properties: + config: + $ref: '#/components/schemas/Kibana_HTTP_APIs_slo-burn-rate-embeddable' + grid: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' + id: + description: The unique ID of the panel. 
+ type: string + type: + enum: + - slo_burn_rate + type: string + required: + - grid + - type + - config + title: SLO burn rate + type: object + Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_error_budget: + additionalProperties: false + properties: + config: + $ref: '#/components/schemas/Kibana_HTTP_APIs_slo-error-budget-embeddable' + grid: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' + id: + description: The unique ID of the panel. + type: string + type: + enum: + - slo_error_budget + type: string + required: + - grid + - type + - config + title: SLO error budget + type: object + Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_overview: + additionalProperties: false + properties: + config: + description: SLO Overview embeddable schema + discriminator: + mapping: + groups: '#/components/schemas/Kibana_HTTP_APIs_slo-group-overview-embeddable' + single: '#/components/schemas/Kibana_HTTP_APIs_slo-single-overview-embeddable' + propertyName: overview_mode + oneOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_slo-single-overview-embeddable' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_slo-group-overview-embeddable' + grid: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' + id: + description: The unique ID of the panel. 
+ type: string + type: + enum: + - slo_overview + type: string + required: + - grid + - type + - config + title: SLO overview + type: object + Kibana_HTTP_APIs_kbn-dashboard-panel-type-synthetics_monitors: + additionalProperties: false + properties: + config: + additionalProperties: false + description: Synthetics monitors embeddable schema + type: object + properties: + description: + type: string + filters: + additionalProperties: false + type: object + properties: + locations: + description: Filter by monitor locations + items: + additionalProperties: false + type: object + properties: + label: + description: Display label for the filter option + type: string + value: + description: Value for the filter option + type: string + required: + - label + - value + maxItems: 100 + type: array + monitor_ids: + description: Filter by monitor IDs + items: + additionalProperties: false + type: object + properties: + label: + description: Display label for the filter option + type: string + value: + description: Value for the filter option + type: string + required: + - label + - value + maxItems: 5000 + type: array + monitor_types: + description: Filter by monitor types + items: + additionalProperties: false + type: object + properties: + label: + description: Display label for the filter option + type: string + value: + description: Value for the filter option + type: string + required: + - label + - value + maxItems: 10 + type: array + projects: + description: Filter by project + items: + additionalProperties: false + type: object + properties: + label: + description: Display label for the filter option + type: string + value: + description: Value for the filter option + type: string + required: + - label + - value + maxItems: 100 + type: array + tags: + description: Filter by tags + items: + additionalProperties: false + type: object + properties: + label: + description: Display label for the filter option + type: string + value: + description: Value for the filter 
option + type: string + required: + - label + - value + maxItems: 100 + type: array + hide_border: + type: boolean + hide_title: + type: boolean + title: + type: string + view: + description: View mode for the monitors embeddable (defaults to cardView) + enum: + - cardView + - compactView + type: string + grid: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' + id: + description: The unique ID of the panel. + type: string + type: + enum: + - synthetics_monitors + type: string + required: + - grid + - type + - config + title: Synthetics monitors + type: object + Kibana_HTTP_APIs_kbn-dashboard-panel-type-synthetics_stats_overview: + additionalProperties: false + properties: + config: + additionalProperties: false + description: Synthetics stats overview embeddable schema + type: object + properties: + description: + type: string + drilldowns: + items: + additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_open_panel_menu + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. 
Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + additionalProperties: false + type: object + properties: + locations: + description: Filter by monitor locations + items: + additionalProperties: false + type: object + properties: + label: + description: Display label for the filter option + type: string + value: + description: Value for the filter option + type: string + required: + - label + - value + maxItems: 100 + type: array + monitor_ids: + description: Filter by monitor IDs + items: + additionalProperties: false + type: object + properties: + label: + description: Display label for the filter option + type: string + value: + description: Value for the filter option + type: string + required: + - label + - value + maxItems: 5000 + type: array + monitor_types: + description: Filter by monitor types + items: + additionalProperties: false + type: object + properties: + label: + description: Display label for the filter option + type: string + value: + description: Value for the filter option + type: string + required: + - label + - value + maxItems: 10 + type: array + projects: + description: Filter by project + items: + additionalProperties: false + type: object + properties: + label: + description: Display label for the filter option + type: string + value: + description: Value for the filter option + type: string + required: + - label + - value + maxItems: 100 + type: array + tags: + description: Filter by tags + items: + additionalProperties: false + type: object + properties: + label: + description: Display label for the filter option + type: string + value: + description: Value for the filter option + type: string + required: + - label + - value + maxItems: 100 + type: array + hide_border: + type: boolean + hide_title: + type: boolean + title: + 
type: string + grid: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' + id: + description: The unique ID of the panel. + type: string + type: + enum: + - synthetics_stats_overview + type: string + required: + - grid + - type + - config + title: Synthetics stats overview + type: object + Kibana_HTTP_APIs_kbn-dashboard-panel-type-time_slider_control: + additionalProperties: false + properties: + config: + additionalProperties: false + type: object + properties: + end_percentage_of_time_range: + default: 1 + description: The end of the selected time window expressed as a fraction of the global time range, where `0` is the beginning and `1` is the end of the range. + maximum: 1 + minimum: 0 + type: number + is_anchored: + default: false + description: When `true`, the start of the time window is fixed at the beginning of the global time range. Only the end of the window can be adjusted. Defaults to `false`. + type: boolean + start_percentage_of_time_range: + default: 0 + description: The start of the selected time window expressed as a fraction of the global time range, where `0` is the beginning and `1` is the end of the range. + maximum: 1 + minimum: 0 + type: number + grid: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' + id: + description: The unique ID of the panel. 
+ type: string + type: + enum: + - time_slider_control + type: string + required: + - grid + - type + - config + title: Time slider control + type: object + Kibana_HTTP_APIs_kbn-dashboard-panel-type-vis: + additionalProperties: false + properties: + config: + anyOf: + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyMetricNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyChartNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyChartESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_regionMapNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_regionMapESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleESQL' + description: Panel configuration stored inline + title: By value + - additionalProperties: false + description: Panel configuration stored in a linked library item + properties: + description: + type: string + drilldowns: + items: + anyOf: + - additionalProperties: false 
+ default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. + type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. 
Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + hide_border: + type: boolean + hide_title: + type: boolean + ref_id: + type: string + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + required: + - ref_id + title: By reference + type: object + description: Lens embeddable schema + grid: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' + id: + description: The unique ID of the panel. + type: string + type: + enum: + - vis + type: string + required: + - grid + - type + - config + title: Visualization + type: object + Kibana_HTTP_APIs_kbn-dashboard-section: + additionalProperties: false + description: A collapsible group of panels. + properties: + collapsed: + default: false + description: When `true`, the section is collapsed and its panels are not rendered until expanded. Useful for improving initial load time on large dashboards. Defaults to `false`. + type: boolean + grid: + additionalProperties: false + type: object + properties: + 'y': + description: The y coordinate of the section in grid units. + type: number + required: + - 'y' + id: + description: The unique ID of the section. + type: string + panels: + default: [] + description: The panels that belong to the section. 
+ items: + discriminator: + mapping: + aiops_change_point_chart: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-aiops_change_point_chart' + apm_service_map: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-apm_service_map' + discover_session: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-discover_session' + esql_control: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-esql_control' + image: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-image' + links: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-links' + markdown: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-markdown' + options_list_control: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-options_list_control' + range_slider_control: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-range_slider_control' + slo_alerts: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_alerts' + slo_burn_rate: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_burn_rate' + slo_error_budget: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_error_budget' + slo_overview: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_overview' + synthetics_monitors: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-synthetics_monitors' + synthetics_stats_overview: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-synthetics_stats_overview' + time_slider_control: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-time_slider_control' + vis: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-vis' + propertyName: type + oneOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-apm_service_map' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-aiops_change_point_chart' + - $ref: 
'#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-discover_session' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-esql_control' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-image' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-links' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-markdown' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-options_list_control' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-range_slider_control' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_alerts' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_burn_rate' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_error_budget' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_overview' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-synthetics_monitors' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-synthetics_stats_overview' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-time_slider_control' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-vis' + maxItems: 100 + type: array + title: + description: The title of the section. + type: string + required: + - title + - grid + title: Section + type: object + Kibana_HTTP_APIs_kbn-data-service-server-refreshIntervalSchema: + additionalProperties: false + description: Specifies the auto-refresh interval for the object. + properties: + pause: + description: When `true`, auto-refresh is paused. + type: boolean + value: + description: The refresh interval in milliseconds. 
+ type: number + required: + - pause + - value + title: Refresh interval + type: object + Kibana_HTTP_APIs_kbn-data-view-field-setting: + additionalProperties: false + description: Display overrides for a field. These settings can define a custom label, description, and format. + properties: + custom_description: + description: Add a description to the field. It's displayed next to the field on the Discover, Lens, and Data View Management pages. + minLength: 1 + title: Custom description + type: string + custom_label: + description: Create a label to display in place of the field name in Discover, Maps, Lens, Visualize, and TSVB. Useful for shortening a long field name. Queries and filters use the original field name. + minLength: 1 + title: Custom label + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-field-format' + title: Field settings + type: object + Kibana_HTTP_APIs_kbn-data-view-reference-schema: + additionalProperties: false + properties: + ref_id: + description: 'The id of the Kibana data view to use as the data source. Example: "my-data-view".' + type: string + type: + enum: + - data_view_reference + type: string + required: + - type + - ref_id + title: Data view reference + type: object + Kibana_HTTP_APIs_kbn-data-view-spec-schema: + additionalProperties: false + properties: + field_settings: + additionalProperties: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-field-settings-entry' + type: object + index_pattern: + description: 'The index pattern (Elasticsearch index expression) to use as the data source. Example: "my-index-*".' + title: Index pattern + type: string + time_field: + description: 'The name of the time field in the index. Used for time-based filtering. Example: "@timestamp".' 
+ title: Time field + type: string + type: + enum: + - data_view_spec + type: string + required: + - type + - index_pattern + title: Data view inline spec + type: object + Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema: + additionalProperties: false + description: Specifies the time range for a query. + properties: + from: + description: The start of the time range. Accepts Elasticsearch [date math](https://www.elastic.co/docs/reference/elasticsearch/rest-apis/common-options#date-math) expressions (for example, `now-7d`) or ISO 8601 timestamps. + type: string + mode: + description: The time range mode. Use `absolute` for fixed start and end timestamps. Use `relative` for [date math](https://www.elastic.co/docs/reference/elasticsearch/rest-apis/common-options#date-math) expressions that are re-evaluated at query time (for example, `now-7d`). + enum: + - absolute + - relative + type: string + to: + description: The end of the time range. Accepts Elasticsearch [date math](https://www.elastic.co/docs/reference/elasticsearch/rest-apis/common-options#date-math) expressions (for example, `now`) or ISO 8601 timestamps. + type: string + required: + - from + - to + title: Time range + type: object + Kibana_HTTP_APIs_kbn-field-format: + additionalProperties: false + description: Set your preferred format for displaying the value. Changing the format can affect the value and prevent highlighting in Discover. + properties: + params: + nullable: true + type: + type: string + required: + - type + - params + title: Format + type: object + Kibana_HTTP_APIs_kbn-field-settings-entry: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-composite-runtime-field-schema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-runtime-field-schema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-field-setting' + description: Display overrides for an indexed field, or a runtime field definition when `type` is set to a runtime field kind. 
+ title: Field settings or runtime field + Kibana_HTTP_APIs_kbn-link-panel-type-dashboardLink: + additionalProperties: false + properties: + destination: + description: Linked dashboard saved object id + type: string + label: + description: The label of the link to be displayed in the UI + type: string + options: + additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + type: object + properties: + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. + type: boolean + type: + enum: + - dashboardLink + type: string + required: + - type + - destination + title: kbn-link-panel-type-dashboardLink + type: object + Kibana_HTTP_APIs_kbn-link-type-externalLink: + additionalProperties: false + properties: + destination: + description: The external URL to link to + type: string + label: + description: The label of the link to be displayed in the UI + type: string + options: + additionalProperties: false + default: + encode_url: true + open_in_new_tab: true + type: object + properties: + encode_url: + default: true + description: Whether to escape the URL with percent encoding + type: boolean + open_in_new_tab: + default: true + description: Whether to open this link in a new tab when clicked + type: boolean + type: + enum: + - externalLink + type: string + required: + - type + - destination + title: kbn-link-type-externalLink + type: object + Kibana_HTTP_APIs_kbn-runtime-field-schema: + additionalProperties: false + properties: + custom_description: + description: Add a description to the field. It's displayed next to the field on the Discover, Lens, and Data View Management pages. 
+ minLength: 1 + title: Custom description + type: string + custom_label: + description: Create a label to display in place of the field name in Discover, Maps, Lens, Visualize, and TSVB. Useful for shortening a long field name. Queries and filters use the original field name. + minLength: 1 + title: Custom label + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-field-format' + script: + description: The script that defines the runtime field. This should be a painless script that computes the field value at query time. Runtime fields without a script retrieve values from _source. If the field doesn't exist in _source, a search request returns no value. + minLength: 1 + title: Script + type: string + type: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-runtime-field-type' + required: + - type + title: Runtime field + type: object + Kibana_HTTP_APIs_kbn-runtime-field-type: + description: The type of the runtime field (e.g., "keyword", "long", "date"). + enum: + - keyword + - long + - double + - date + - ip + - boolean + - geo_point + title: Type + type: string + Kibana_HTTP_APIs_kibana_asset_reference: + additionalProperties: false + properties: + deferred: + type: boolean + id: + type: string + originId: + type: string + type: + anyOf: + - enum: + - dashboard + - lens + - visualization + - search + - index-pattern + - map + - ml-module + - security-rule + - csp-rule-template + - osquery-pack-asset + - osquery-saved-query + - tag + type: string + - type: string + required: + - id + - type + title: kibana_asset_reference + type: object + Kibana_HTTP_APIs_lastValueOperation: + additionalProperties: false + properties: + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + multi_value: + default: false + description: 
Whether to return all values for multi-value fields. Only affects data table and metric charts; other charts use the last value from the array. + type: boolean + operation: + enum: + - last_value + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_field: + description: Time field used to determine document recency + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + - time_field + title: Last Value Operation + type: object + Kibana_HTTP_APIs_legacyColorByValue: + additionalProperties: false + deprecated: true + description: Legacy color by value configuration + properties: + palette: + description: The legacy palette name. + type: string + range: + description: Determines whether the range is interpreted as absolute or as a percentage of the data. + enum: + - absolute + - percentage + type: string + shift: + description: When `true`, shifts the palette colors so they start from a different offset. Defaults to `false`. + type: boolean + steps: + description: Array of ordered color steps defining the range each color is applied. + items: + additionalProperties: false + type: object + properties: + color: + description: The color to use for this step. + type: string + gte: + description: The lower bound of range from which this color applies (inclusive). + nullable: true + type: number + lt: + description: The upper bound of range to which this color applies (exclusive). + nullable: true + type: number + lte: + description: The upper bound of range to which this color applies (inclusive). 
+ nullable: true + type: number + required: + - color + maxItems: 100 + minItems: 1 + type: array + type: + enum: + - legacy_dynamic + type: string + required: + - type + - range + - steps + - palette + - shift + title: Legacy color by value + type: object + Kibana_HTTP_APIs_legacyColorByValueAbsolute: + additionalProperties: false + deprecated: true + description: Legacy color by absolute value configuration + properties: + palette: + description: The legacy palette name. + type: string + range: + enum: + - absolute + type: string + shift: + description: When `true`, shifts the palette colors so they start from a different offset. Defaults to `false`. + type: boolean + steps: + description: Array of ordered color steps defining the range each color is applied. + items: + additionalProperties: false + type: object + properties: + color: + description: The color to use for this step. + type: string + gte: + description: The lower bound of range from which this color applies (inclusive). + nullable: true + type: number + lt: + description: The upper bound of range to which this color applies (exclusive). + nullable: true + type: number + lte: + description: The upper bound of range to which this color applies (inclusive). + nullable: true + type: number + required: + - color + maxItems: 100 + minItems: 1 + type: array + type: + enum: + - legacy_dynamic + type: string + required: + - type + - range + - steps + - palette + - shift + title: Legacy color by value (absolute) + type: object + Kibana_HTTP_APIs_legacyMetricCountMetric: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' 
+ enum: + - value + - background + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValueAbsolute' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyColorByValueAbsolute' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration based on the metric value. + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. + type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + labels: + additionalProperties: false + description: Labels configuration + type: object + properties: + alignment: + default: top + description: Label alignment + enum: + - top + - bottom + type: string + operation: + enum: + - count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + size: + description: Font size for the label and value + enum: + - xs + - s + - m + - l + - xl + - xxl + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + values: + additionalProperties: false + description: Values configuration + type: object + properties: + alignment: + default: left + description: Value alignment + enum: + - left + - center + - right + type: string + required: + - operation + title: Count Metric Operation + type: object + Kibana_HTTP_APIs_legacyMetricFormula: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' 
+ enum: + - value + - background + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValueAbsolute' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyColorByValueAbsolute' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration based on the metric value. + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + formula: + description: Formula + type: string + label: + description: Label for the operation + type: string + labels: + additionalProperties: false + description: Labels configuration + type: object + properties: + alignment: + default: top + description: Label alignment + enum: + - top + - bottom + type: string + operation: + enum: + - formula + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + size: + description: Font size for the label and value + enum: + - xs + - s + - m + - l + - xl + - xxl + type: string + time_scale: + description: Time scale + enum: + - s + - m + - h + - d + type: string + values: + additionalProperties: false + description: Values configuration + type: object + properties: + alignment: + default: left + description: Value alignment + enum: + - left + - center + - right + type: string + required: + - operation + - formula + title: Formula Operation + type: object + Kibana_HTTP_APIs_legacyMetricLastValue: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' 
+ enum: + - value + - background + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValueAbsolute' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyColorByValueAbsolute' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration based on the metric value. + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + labels: + additionalProperties: false + description: Labels configuration + type: object + properties: + alignment: + default: top + description: Label alignment + enum: + - top + - bottom + type: string + multi_value: + default: false + description: Whether to return all values for multi-value fields. Only affects data table and metric charts; other charts use the last value from the array. 
+ type: boolean + operation: + enum: + - last_value + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + size: + description: Font size for the label and value + enum: + - xs + - s + - m + - l + - xl + - xxl + type: string + time_field: + description: Time field used to determine document recency + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + values: + additionalProperties: false + description: Values configuration + type: object + properties: + alignment: + default: left + description: Value alignment + enum: + - left + - center + - right + type: string + required: + - field + - operation + - time_field + title: Last Value Operation + type: object + Kibana_HTTP_APIs_legacyMetricNoESQL: + additionalProperties: false + description: Legacy Metric configuration using a data view. Superseded by the Metric chart type. + properties: + data_source: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' + description: + type: string + drilldowns: + items: + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. 
+ type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + hide_border: + type: boolean + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. 
+ type: boolean + metric: + anyOf: + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyMetricCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyMetricUniqueCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyMetricStatsMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyMetricSumMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyMetricLastValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyMetricPercentile' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyMetricPercentileRanks' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyMetricFormula' + query: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). + maximum: 1 + minimum: 0 + type: number + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + type: + enum: + - legacy_metric + type: string + required: + - type + - data_source + - metric + title: Legacy Metric Chart (DSL) + type: object + Kibana_HTTP_APIs_legacyMetricPercentile: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' + enum: + - value + - background + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValueAbsolute' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyColorByValueAbsolute' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration based on the metric value. 
+ field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + labels: + additionalProperties: false + description: Labels configuration + type: object + properties: + alignment: + default: top + description: Label alignment + enum: + - top + - bottom + type: string + operation: + enum: + - percentile + type: string + percentile: + default: 95 + description: Percentile + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + size: + description: Font size for the label and value + enum: + - xs + - s + - m + - l + - xl + - xxl + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + values: + additionalProperties: false + description: Values configuration + type: object + properties: + alignment: + default: left + description: Value alignment + enum: + - left + - center + - right + type: string + required: + - field + - operation + title: Percentile Operation + type: object + Kibana_HTTP_APIs_legacyMetricPercentileRanks: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' + enum: + - value + - background + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValueAbsolute' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyColorByValueAbsolute' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration based on the metric value. 
+ field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + labels: + additionalProperties: false + description: Labels configuration + type: object + properties: + alignment: + default: top + description: Label alignment + enum: + - top + - bottom + type: string + operation: + enum: + - percentile_rank + type: string + rank: + default: 0 + description: Percentile Rank + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + size: + description: Font size for the label and value + enum: + - xs + - s + - m + - l + - xl + - xxl + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + values: + additionalProperties: false + description: Values configuration + type: object + properties: + alignment: + default: left + description: Value alignment + enum: + - left + - center + - right + type: string + required: + - field + - operation + title: Percentile Ranks Operation + type: object + Kibana_HTTP_APIs_legacyMetricStatsMetric: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' + enum: + - value + - background + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValueAbsolute' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyColorByValueAbsolute' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration based on the metric value. 
+ field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + labels: + additionalProperties: false + description: Labels configuration + type: object + properties: + alignment: + default: top + description: Label alignment + enum: + - top + - bottom + type: string + operation: + enum: + - min + - max + - average + - median + - standard_deviation + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + size: + description: Font size for the label and value + enum: + - xs + - s + - m + - l + - xl + - xxl + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + values: + additionalProperties: false + description: Values configuration + type: object + properties: + alignment: + default: left + description: Value alignment + enum: + - left + - center + - right + type: string + required: + - field + - operation + title: Stats Metric Operation + type: object + Kibana_HTTP_APIs_legacyMetricSumMetric: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' + enum: + - value + - background + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValueAbsolute' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyColorByValueAbsolute' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration based on the metric value. + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + labels: + additionalProperties: false + description: Labels configuration + type: object + properties: + alignment: + default: top + description: Label alignment + enum: + - top + - bottom + type: string + operation: + enum: + - sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + size: + description: Font size for the label and value + enum: + - xs + - s + - m + - l + - xl + - xxl + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + values: + additionalProperties: false + description: Values configuration + type: object + properties: + alignment: + default: left + description: Value alignment + enum: + - left + - center + - right + type: string + required: + - field + - operation + title: Sum Metric Operation + type: object + Kibana_HTTP_APIs_legacyMetricUniqueCountMetric: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' + enum: + - value + - background + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValueAbsolute' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyColorByValueAbsolute' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration based on the metric value. + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + labels: + additionalProperties: false + description: Labels configuration + type: object + properties: + alignment: + default: top + description: Label alignment + enum: + - top + - bottom + type: string + operation: + enum: + - unique_count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + size: + description: Font size for the label and value + enum: + - xs + - s + - m + - l + - xl + - xxl + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + values: + additionalProperties: false + description: Values configuration + type: object + properties: + alignment: + default: left + description: Value alignment + enum: + - left + - center + - right + type: string + required: + - field + - operation + title: Unique Count Metric Operation + type: object + Kibana_HTTP_APIs_legendSize: + description: Legend size. 
+ enum: + - auto + - s + - m + - l + - xl + title: Legend Size + type: string + Kibana_HTTP_APIs_lensApiConfigNoESQL: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyMetricNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyChartNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_regionMapNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleNoESQL' + title: Visualizations (DSL) + Kibana_HTTP_APIs_lensPanelFilters: + description: Filters applied to the panel + items: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeConditionFilterSchema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeGroupFilterSchema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeDSLFilterSchema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeSpatialFilterSchema' + description: A filter applied to query results. Can be a field condition (`condition`), a logical group of conditions (`group`), a raw Elasticsearch DSL query (`dsl`), or a geo spatial query (`spatial`). 
+ maxItems: 100 + title: lensPanelFilters + type: array + Kibana_HTTP_APIs_lensResponseItem: + additionalProperties: false + properties: + data: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensApiConfigNoESQL' + id: + type: string + meta: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-meta' + required: + - id + - data + - meta + title: Visualization Response + type: object + Kibana_HTTP_APIs_logs-alert-document-count-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want the rule to run on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. 
+ type: string + notify_when: + description: 'Indicates how frequently rule actions are triggered. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + anyOf: + - additionalProperties: false + type: object + properties: + count: + additionalProperties: false + type: object + properties: + comparator: + enum: + - more than + - more than or equals + - less than + - less than or equals + - equals + - does not equal + - matches + - does not match + - matches phrase + - does not match phrase + type: string + value: + type: number + required: + - comparator + - value + criteria: + items: + additionalProperties: false + type: object + properties: + comparator: + enum: + - more than + - more than or equals + - less than + - less than or equals + - equals + - does not equal + - matches + - does not match + - matches phrase + - does not match phrase + type: string + field: + type: string + value: + anyOf: + - type: string + - type: number + required: + - field + - comparator + - value + type: array + groupBy: + items: + type: string + type: array + logView: + additionalProperties: false + type: object + properties: + logViewId: + type: string + type: + enum: + - log-view-reference + type: string + required: + - logViewId + - type + timeSize: + type: number + timeUnit: + enum: + - s + - m + - h + 
- d + type: string + required: + - criteria + - count + - timeUnit + - timeSize + - logView + - additionalProperties: false + type: object + properties: + count: + additionalProperties: false + type: object + properties: + comparator: + enum: + - more than + - more than or equals + - less than + - less than or equals + - equals + - does not equal + - matches + - does not match + - matches phrase + - does not match phrase + type: string + value: + type: number + required: + - comparator + - value + criteria: + items: + items: + additionalProperties: false + type: object + properties: + comparator: + enum: + - more than + - more than or equals + - less than + - less than or equals + - equals + - does not equal + - matches + - does not match + - matches phrase + - does not match phrase + type: string + field: + type: string + value: + anyOf: + - type: string + - type: number + required: + - field + - comparator + - value + type: array + type: array + groupBy: + items: + type: string + type: array + logView: + additionalProperties: false + type: object + properties: + logViewId: + type: string + type: + enum: + - log-view-reference + type: string + required: + - logViewId + - type + timeSize: + type: number + timeUnit: + enum: + - s + - m + - h + - d + type: string + required: + - criteria + - count + - timeUnit + - timeSize + - logView + description: The parameters for the log threshold rule. These parameters are appropriate when `rule_type_id` is `logs.alert.document.count`. + title: Log Threshold Rule Params + rule_type_id: + enum: + - logs.alert.document.count + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. 
+ items: + type: string + type: array + throttle: + description: Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how frequently rule actions are triggered. You cannot specify the throttle interval at both the rule and action level. If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Log threshold + type: object + Kibana_HTTP_APIs_maintenance_window_response: + additionalProperties: false + properties: + created_at: + description: The date and time when the maintenance window was created. + type: string + created_by: + description: The identifier for the user that created the maintenance window. + nullable: true + type: string + enabled: + description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications. + type: boolean + id: + description: The identifier for the maintenance window. + type: string + schedule: + additionalProperties: false + type: object + properties: + custom: + $ref: '#/components/schemas/Kibana_HTTP_APIs_maintenance_window_schedule_response' + required: + - custom + scope: + $ref: '#/components/schemas/Kibana_HTTP_APIs_maintenance_window_scope' + status: + description: The current status of the maintenance window. + enum: + - running + - upcoming + - finished + - archived + - disabled + type: string + title: + description: The name of the maintenance window. + type: string + updated_at: + description: The date and time when the maintenance window was last updated. + type: string + updated_by: + description: The identifier for the user that last updated this maintenance window. 
+ nullable: true + type: string + required: + - id + - title + - enabled + - created_by + - updated_by + - created_at + - updated_at + - status + - schedule + title: maintenance_window_response + type: object + Kibana_HTTP_APIs_maintenance_window_schedule_recurring_request: + additionalProperties: false + properties: + end: + description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' + type: string + every: + description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' + type: string + occurrences: + description: The total number of recurrences of the schedule. + minimum: 1 + type: number + onMonth: + description: The specific months for a recurring schedule. Valid values are 1-12. + items: + maximum: 12 + minimum: 1 + type: number + minItems: 1 + type: array + onMonthDay: + description: The specific days of the month for a recurring schedule. Valid values are 1-31. + items: + maximum: 31 + minimum: 1 + type: number + minItems: 1 + type: array + onWeekDay: + description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. + items: + type: string + minItems: 1 + type: array + title: maintenance_window_schedule_recurring_request + type: object + Kibana_HTTP_APIs_maintenance_window_schedule_recurring_response: + additionalProperties: false + properties: + end: + description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' + type: string + every: + description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' 
+ type: string + occurrences: + description: The total number of recurrences of the schedule. + type: number + onMonth: + description: The specific months for a recurring schedule. Valid values are 1-12. + items: + type: number + type: array + onMonthDay: + description: The specific days of the month for a recurring schedule. Valid values are 1-31. + items: + type: number + type: array + onWeekDay: + description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. + items: + type: string + type: array + title: maintenance_window_schedule_recurring_response + type: object + Kibana_HTTP_APIs_maintenance_window_schedule_request: + additionalProperties: false + properties: + duration: + description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' + type: string + recurring: + $ref: '#/components/schemas/Kibana_HTTP_APIs_maintenance_window_schedule_recurring_request' + start: + description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' + type: string + timezone: + description: The timezone of the schedule. The default timezone is UTC. + type: string + required: + - start + - duration + title: maintenance_window_schedule_request + type: object + Kibana_HTTP_APIs_maintenance_window_schedule_response: + additionalProperties: false + properties: + duration: + description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' + type: string + recurring: + $ref: '#/components/schemas/Kibana_HTTP_APIs_maintenance_window_schedule_recurring_response' + start: + description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. 
For example: `2025-03-12T12:00:00.000Z`.' + type: string + timezone: + description: The timezone of the schedule. The default timezone is UTC. + type: string + required: + - start + - duration + title: maintenance_window_schedule_response + type: object + Kibana_HTTP_APIs_maintenance_window_scope: + additionalProperties: false + properties: + alerting: + additionalProperties: false + type: object + properties: + query: + additionalProperties: false + type: object + properties: + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + required: + - query + required: + - alerting + title: maintenance_window_scope + type: object + Kibana_HTTP_APIs_metricBarBackgroundChart: + additionalProperties: false + description: Bar chart shown as background context behind the primary metric value. + properties: + max_value: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_differencesOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_movingAverageOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_cumulativeSumOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_counterRateOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_countMetricOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_uniqueCountMetricOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_lastValueOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_percentileOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_percentileRanksOperation' + description: Metric dimension configuration, supporting field-based aggregations (count, sum, average, median, standard deviation, unique count, last value), percentile operations, time-series operations (differences, moving average, cumulative sum, 
counter rate), and mathematical formulas. + title: Metric Operation + orientation: + $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_simple_orientation' + type: + enum: + - bar + type: string + required: + - type + - max_value + title: Bar Background Chart + type: object + Kibana_HTTP_APIs_metricBreakdownDateHistogram: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + columns: + default: 3 + description: Number of columns. + type: number + drop_partial_intervals: + description: When `true`, drops partial intervals from the results. + type: boolean + field: + description: Field to be used for the date histogram. + type: string + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. + type: boolean + label: + description: Label for the operation + type: string + operation: + enum: + - date_histogram + type: string + suggested_interval: + default: auto + description: Suggested time interval. + type: string + use_original_time_range: + default: false + description: When `true`, uses the original time range instead of the current query time range. + type: boolean + required: + - operation + - field + title: Date Histogram Operation + type: object + Kibana_HTTP_APIs_metricBreakdownFilters: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + columns: + default: 3 + description: Number of columns. 
+ type: number + filters: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterWithLabel' + maxItems: 100 + type: array + label: + description: Label for the operation + type: string + operation: + enum: + - filters + type: string + required: + - operation + - filters + title: Filters Operation + type: object + Kibana_HTTP_APIs_metricBreakdownHistogram: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + columns: + default: 3 + description: Number of columns. + type: number + field: + description: Field to be used for the histogram. + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + granularity: + anyOf: + - description: Granularity of the histogram. + maximum: 7 + minimum: 1 + type: number + - enum: + - auto + type: string + default: auto + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. + type: boolean + label: + description: Label for the operation + type: string + operation: + enum: + - histogram + type: string + required: + - operation + - field + title: Histogram Operation + type: object + Kibana_HTTP_APIs_metricBreakdownRanges: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + columns: + default: 3 + description: Number of columns. + type: number + field: + description: Field to be used for the range. + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - range + type: string + ranges: + items: + additionalProperties: false + type: object + properties: + gt: + description: Greater than. + type: number + label: + description: Label. + type: string + lte: + description: Less than or equal to. 
+ type: number + maxItems: 100 + type: array + required: + - operation + - field + - ranges + title: Ranges Operation + type: object + Kibana_HTTP_APIs_metricBreakdownTerms: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + columns: + default: 3 + description: Number of columns. + type: number + excludes: + additionalProperties: false + type: object + properties: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to exclude. + type: string + maxItems: 100 + type: array + required: + - values + fields: + items: + description: Fields to be used for the terms. + type: string + maxItems: 4 + minItems: 1 + type: array + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + includes: + additionalProperties: false + type: object + properties: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to include. + type: string + maxItems: 100 + type: array + required: + - values + increase_accuracy: + description: When `true`, increases accuracy at the cost of performance. + type: boolean + label: + description: Label for the operation + type: string + limit: + default: 5 + description: Number of terms to return. + type: number + operation: + enum: + - terms + type: string + other_bucket: + additionalProperties: false + type: object + properties: + include_documents_without_field: + description: When `true`, includes documents that do not have the specified field. 
+ type: boolean + required: + - include_documents_without_field + rank_by: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByAlphabetical' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByRare' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankBySignificant' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomCountOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileRankOperation' + required: + - operation + - fields + title: Terms Operation + type: object + Kibana_HTTP_APIs_metricCompareToBaseline: + additionalProperties: false + properties: + baseline: + default: 0 + description: Baseline value. + type: number + icon: + description: When `true`, displays the icon for the secondary value. + type: boolean + palette: + description: 'Color palette name. Accepted values: ''default'', ''elastic_line_optimized'', ''severity'', ''eui_amsterdam'', ''kibana_v7_legacy'', ''elastic_brand_2023''. Defaults to `default`.' + type: string + to: + enum: + - baseline + type: string + value: + description: When `true`, displays the secondary value. + type: boolean + required: + - to + title: Compare To Baseline + type: object + Kibana_HTTP_APIs_metricCompareToPrimary: + additionalProperties: false + properties: + icon: + description: When `true`, displays the icon for the secondary value. + type: boolean + palette: + description: 'Color palette name. Accepted values: ''default'', ''elastic_line_optimized'', ''severity'', ''eui_amsterdam'', ''kibana_v7_legacy'', ''elastic_brand_2023''. Defaults to `default`.' + type: string + to: + enum: + - primary + type: string + value: + description: When `true`, displays the secondary value. 
+ type: boolean + required: + - to + title: Compare To Primary + type: object + Kibana_HTTP_APIs_metricComplementaryBar: + additionalProperties: false + properties: + max_value: + additionalProperties: false + type: object + properties: + column: + description: Column to use + type: string + label: + description: Label for the operation + type: string + required: + - column + orientation: + $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_simple_orientation' + type: + enum: + - bar + type: string + required: + - type + - max_value + title: Complementary Bar + type: object + Kibana_HTTP_APIs_metricComplementaryViz: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricBarBackgroundChart' + - additionalProperties: false + type: object + properties: + type: + enum: + - trend + type: string + required: + - type + description: Secondary visualization displayed behind the primary metric value, either a bar chart (with optional max value) or a trend line. + title: Complementary Visualization + Kibana_HTTP_APIs_metricESQL: + additionalProperties: false + description: Metric chart configuration for ES|QL queries + properties: + breakdown_by: + additionalProperties: false + type: object + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + column: + description: Column to use + type: string + columns: + default: 3 + description: Number of columns. 
+ type: number + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + required: + - column + data_source: + $ref: '#/components/schemas/Kibana_HTTP_APIs_esqlDataSource' + description: + type: string + drilldowns: + items: + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. + type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. 
Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + hide_border: + type: boolean + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. + type: boolean + metrics: + description: Metric dimensions to display. The first must be a primary metric; an optional second must be a secondary metric. + items: + anyOf: + - additionalProperties: false + type: object + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' + enum: + - value + - background + type: string + background_chart: + $ref: '#/components/schemas/Kibana_HTTP_APIs_metricComplementaryBar' + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the primary metric value or background. + column: + description: Column to use + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + subtitle: + description: Subtitle below the primary metric value. 
+ type: string + type: + enum: + - primary + type: string + required: + - column + - type + - additionalProperties: false + type: object + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + column: + description: Column to use + type: string + compare: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToBaseline' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToPrimary' + description: Compare the secondary metric to a baseline value or to the primary metric. + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + type: + enum: + - secondary + type: string + required: + - column + - type + maxItems: 2 + minItems: 1 + type: array + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). + maximum: 1 + minimum: 0 + type: number + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_metricStyling' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + type: + enum: + - metric + type: string + required: + - type + - data_source + - metrics + title: Metric Chart (ES|QL) + type: object + Kibana_HTTP_APIs_metricIconConfig: + additionalProperties: false + description: Icon configuration for the metric chart + properties: + alignment: + description: 'Icon alignment. Accepted values: `left`, `right`. Defaults to `right`.' 
+ enum: + - left + - right + type: string + name: + description: Icon name + enum: + - alert + - asterisk + - bell + - bolt + - bug + - compute + - editor_comment + - flag + - globe + - heart + - map_marker + - pin + - sort_down + - sort_up + - star_empty + - tag + - temperature + type: string + required: + - name + title: Icon Configuration + type: object + Kibana_HTTP_APIs_metricNoESQL: + additionalProperties: false + description: Metric chart configuration for standard queries + properties: + breakdown_by: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricBreakdownDateHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricBreakdownTerms' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricBreakdownHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricBreakdownRanges' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricBreakdownFilters' + data_source: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' + description: + type: string + drilldowns: + items: + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. 
+ type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + hide_border: + type: boolean + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. + type: boolean + metrics: + description: Metric dimensions to display. The first must be a primary metric; an optional second must be a secondary metric. 
+ items: + anyOf: + - anyOf: + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricPrimaryCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricPrimaryUniqueCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricPrimaryStatsMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricPrimarySumMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricPrimaryLastValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricPrimaryPercentile' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricPrimaryPercentileRanks' + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricPrimaryDifferences' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricPrimaryMovingAverage' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricPrimaryCumulativeSum' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricPrimaryCounterRate' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricPrimaryFormula' + - anyOf: + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricSecondaryCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricSecondaryUniqueCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricSecondaryStatsMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricSecondarySumMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricSecondaryLastValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricSecondaryPercentile' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricSecondaryPercentileRanks' + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricSecondaryDifferences' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricSecondaryMovingAverage' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricSecondaryCumulativeSum' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricSecondaryCounterRate' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricSecondaryFormula' + maxItems: 2 + minItems: 1 + type: array + query: + $ref: 
'#/components/schemas/Kibana_HTTP_APIs_filterSimple' + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). + maximum: 1 + minimum: 0 + type: number + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_metricStyling' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + type: + enum: + - metric + type: string + required: + - type + - data_source + - metrics + title: Metric Chart (DSL) + type: object + Kibana_HTTP_APIs_metricPrimaryCounterRate: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' + enum: + - value + - background + type: string + background_chart: + $ref: '#/components/schemas/Kibana_HTTP_APIs_metricComplementaryViz' + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the primary metric value or background. + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - counter_rate + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the primary metric value. 
+ type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - primary + type: string + required: + - field + - operation + - type + title: Counter Rate Operation + type: object + Kibana_HTTP_APIs_metricPrimaryCountMetric: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' + enum: + - value + - background + type: string + background_chart: + $ref: '#/components/schemas/Kibana_HTTP_APIs_metricComplementaryViz' + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the primary metric value or background. + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. + type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the primary metric value. 
+ type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - primary + type: string + required: + - operation + - type + title: Count Metric Operation + type: object + Kibana_HTTP_APIs_metricPrimaryCumulativeSum: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' + enum: + - value + - background + type: string + background_chart: + $ref: '#/components/schemas/Kibana_HTTP_APIs_metricComplementaryViz' + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the primary metric value or background. + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - cumulative_sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the primary metric value. 
+ type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - primary + type: string + required: + - field + - operation + - type + title: Cumulative Sum Operation + type: object + Kibana_HTTP_APIs_metricPrimaryDifferences: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' + enum: + - value + - background + type: string + background_chart: + $ref: '#/components/schemas/Kibana_HTTP_APIs_metricComplementaryViz' + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the primary metric value or background. + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - differences + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the primary metric value. 
+ type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - primary + type: string + required: + - operation + - of + - type + title: Differences Operation + type: object + Kibana_HTTP_APIs_metricPrimaryFormula: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' + enum: + - value + - background + type: string + background_chart: + $ref: '#/components/schemas/Kibana_HTTP_APIs_metricComplementaryViz' + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the primary metric value or background. + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + formula: + description: Formula + type: string + label: + description: Label for the operation + type: string + operation: + enum: + - formula + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the primary metric value. + type: string + time_scale: + description: Time scale + enum: + - s + - m + - h + - d + type: string + type: + enum: + - primary + type: string + required: + - operation + - formula + - type + title: Formula Operation + type: object + Kibana_HTTP_APIs_metricPrimaryLastValue: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' 
+ enum: + - value + - background + type: string + background_chart: + $ref: '#/components/schemas/Kibana_HTTP_APIs_metricComplementaryViz' + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the primary metric value or background. + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + multi_value: + default: false + description: Whether to return all values for multi-value fields. Only affects data table and metric charts; other charts use the last value from the array. + type: boolean + operation: + enum: + - last_value + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the primary metric value. + type: string + time_field: + description: Time field used to determine document recency + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - primary + type: string + required: + - field + - operation + - time_field + - type + title: Last Value Operation + type: object + Kibana_HTTP_APIs_metricPrimaryMovingAverage: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' 
+ enum: + - value + - background + type: string + background_chart: + $ref: '#/components/schemas/Kibana_HTTP_APIs_metricComplementaryViz' + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the primary metric value or background. + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - moving_average + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the primary metric value. + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - primary + type: string + window: + default: 5 + description: Window + type: number + required: + - operation + - of + - type + title: Moving Average Operation + type: object + Kibana_HTTP_APIs_metricPrimaryPercentile: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' + enum: + - value + - background + type: string + background_chart: + $ref: '#/components/schemas/Kibana_HTTP_APIs_metricComplementaryViz' + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the primary metric value or background. 
+ field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - percentile + type: string + percentile: + default: 95 + description: Percentile + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the primary metric value. + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - primary + type: string + required: + - field + - operation + - type + title: Percentile Operation + type: object + Kibana_HTTP_APIs_metricPrimaryPercentileRanks: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' + enum: + - value + - background + type: string + background_chart: + $ref: '#/components/schemas/Kibana_HTTP_APIs_metricComplementaryViz' + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the primary metric value or background. 
+ field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - percentile_rank + type: string + rank: + default: 0 + description: Percentile Rank + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the primary metric value. + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - primary + type: string + required: + - field + - operation + - type + title: Percentile Ranks Operation + type: object + Kibana_HTTP_APIs_metricPrimaryStatsMetric: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' + enum: + - value + - background + type: string + background_chart: + $ref: '#/components/schemas/Kibana_HTTP_APIs_metricComplementaryViz' + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the primary metric value or background. 
+ field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - min + - max + - average + - median + - standard_deviation + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the primary metric value. + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - primary + type: string + required: + - field + - operation + - type + title: Stats Metric Operation + type: object + Kibana_HTTP_APIs_metricPrimarySumMetric: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' + enum: + - value + - background + type: string + background_chart: + $ref: '#/components/schemas/Kibana_HTTP_APIs_metricComplementaryViz' + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the primary metric value or background. + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the primary metric value. + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - primary + type: string + required: + - field + - operation + - type + title: Sum Metric Operation + type: object + Kibana_HTTP_APIs_metricPrimaryUniqueCountMetric: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' + enum: + - value + - background + type: string + background_chart: + $ref: '#/components/schemas/Kibana_HTTP_APIs_metricComplementaryViz' + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the primary metric value or background. + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - unique_count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the primary metric value. + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - primary + type: string + required: + - field + - operation + - type + title: Unique Count Metric Operation + type: object + Kibana_HTTP_APIs_metrics-alert-inventory-threshold-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. 
For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want the rule to run on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how frequently rule actions are triggered. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the metric inventory threshold rule. These parameters are appropriate when `rule_type_id` is `metrics.alert.inventory.threshold`. 
+ properties: + alertOnNoData: + type: boolean + criteria: + items: + additionalProperties: false + type: object + properties: + comparator: + type: string + customMetric: + additionalProperties: false + type: object + properties: + aggregation: + type: string + field: + type: string + id: + type: string + label: + type: string + type: + enum: + - custom + type: string + required: + - type + - id + - field + - aggregation + metric: + type: string + threshold: + items: + type: number + type: array + timeSize: + type: number + timeUnit: + type: string + warningComparator: + type: string + warningThreshold: + items: + type: number + type: array + required: + - threshold + - comparator + - timeUnit + - timeSize + - metric + type: array + filterQuery: + type: string + nodeType: + type: string + schema: + type: string + sourceId: + type: string + required: + - criteria + - nodeType + - sourceId + title: Metric Inventory Threshold Rule Params + type: object + rule_type_id: + enum: + - metrics.alert.inventory.threshold + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how frequently rule actions are triggered. You cannot specify the throttle interval at both the rule and action level. If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. 
+ nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Metric inventory threshold + type: object + Kibana_HTTP_APIs_metrics-alert-threshold-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want the rule to run on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how frequently rule actions are triggered. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the metric threshold rule. These parameters are appropriate when `rule_type_id` is `metrics.alert.threshold`. + properties: + alertOnGroupDisappear: + description: If true, an alert occurs if a group that previously reported metrics does not report them again over the expected time period. This check is not recommended for dynamically scaling infrastructures that might rapidly start and stop nodes automatically. + type: boolean + alertOnNoData: + description: If true, an alert occurs if the metrics do not report any data over the expected period or if the query fails. + type: boolean + criteria: + items: + anyOf: + - additionalProperties: false + type: object + properties: + aggType: + enum: + - count + type: string + comparator: + type: string + threshold: + description: The threshold value that is used with the `comparator`. If the `comparator` is `between`, you must specify the boundary values. + items: + type: number + type: array + timeSize: + description: The size of the time window (in `timeUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection. 
+ type: number + timeUnit: + description: 'The type of units for the time window: seconds, minutes, hours, or days.' + type: string + warningComparator: + type: string + warningThreshold: + items: + description: The threshold value that is used with the `warningComparator`. If the `warningComparator` is `between`, you must specify the boundary values. + type: number + type: array + required: + - threshold + - comparator + - timeUnit + - timeSize + - aggType + - additionalProperties: false + type: object + properties: + aggType: + type: string + comparator: + type: string + metric: + type: string + threshold: + description: The threshold value that is used with the `comparator`. If the `comparator` is `between`, you must specify the boundary values. + items: + type: number + type: array + timeSize: + description: The size of the time window (in `timeUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection. + type: number + timeUnit: + description: 'The type of units for the time window: seconds, minutes, hours, or days.' + type: string + warningComparator: + type: string + warningThreshold: + items: + description: The threshold value that is used with the `warningComparator`. If the `warningComparator` is `between`, you must specify the boundary values. 
+ type: number + type: array + required: + - threshold + - comparator + - timeUnit + - timeSize + - metric + - aggType + - additionalProperties: false + type: object + properties: + aggType: + enum: + - custom + type: string + comparator: + type: string + customMetrics: + items: + anyOf: + - additionalProperties: false + type: object + properties: + aggType: + type: string + field: + type: string + name: + type: string + required: + - name + - aggType + - field + - additionalProperties: false + type: object + properties: + aggType: + enum: + - count + type: string + filter: + type: string + name: + type: string + required: + - name + - aggType + type: array + equation: + type: string + label: + type: string + threshold: + description: The threshold value that is used with the `comparator`. If the `comparator` is `between`, you must specify the boundary values. + items: + type: number + type: array + timeSize: + description: The size of the time window (in `timeUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection. + type: number + timeUnit: + description: 'The type of units for the time window: seconds, minutes, hours, or days.' + type: string + warningComparator: + type: string + warningThreshold: + items: + description: The threshold value that is used with the `warningComparator`. If the `warningComparator` is `between`, you must specify the boundary values. + type: number + type: array + required: + - threshold + - comparator + - timeUnit + - timeSize + - aggType + - customMetrics + type: array + filterQuery: + description: A query that limits the scope of the rule. The rule evaluates only metric data that matches the query. + type: string + groupBy: + anyOf: + - type: string + - items: + type: string + type: array + description: 'Create an alert for every unique value of the specified fields. 
For example, you can create a rule per host or every mount point of each host. IMPORTANT: If you include the same field in both the `filterQuery` and `groupBy`, you might receive fewer results than you expect. For example, if you filter by `cloud.region: us-east`, grouping by `cloud.region` will have no effect because the filter query can match only one region.' + sourceId: + type: string + required: + - criteria + - sourceId + title: Metric Threshold Rule Params + type: object + rule_type_id: + enum: + - metrics.alert.threshold + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how frequently rule actions are triggered. You cannot specify the throttle interval at both the rule and action level. If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Metric threshold + type: object + Kibana_HTTP_APIs_metricSecondaryCounterRate: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + compare: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToBaseline' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToPrimary' + description: Compare the secondary metric to a baseline value or to the primary metric. 
+ field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - counter_rate + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - secondary + type: string + required: + - field + - operation + - type + title: Counter Rate Operation + type: object + Kibana_HTTP_APIs_metricSecondaryCountMetric: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + compare: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToBaseline' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToPrimary' + description: Compare the secondary metric to a baseline value or to the primary metric. + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - secondary + type: string + required: + - operation + - type + title: Count Metric Operation + type: object + Kibana_HTTP_APIs_metricSecondaryCumulativeSum: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + compare: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToBaseline' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToPrimary' + description: Compare the secondary metric to a baseline value or to the primary metric. 
+ field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - cumulative_sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - secondary + type: string + required: + - field + - operation + - type + title: Cumulative Sum Operation + type: object + Kibana_HTTP_APIs_metricSecondaryDifferences: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + compare: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToBaseline' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToPrimary' + description: Compare the secondary metric to a baseline value or to the primary metric. 
+ filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - differences + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - secondary + type: string + required: + - operation + - of + - type + title: Differences Operation + type: object + Kibana_HTTP_APIs_metricSecondaryFormula: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + compare: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToBaseline' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToPrimary' + description: Compare the secondary metric to a baseline value or to the primary metric. 
+ filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + formula: + description: Formula + type: string + label: + description: Label for the operation + type: string + operation: + enum: + - formula + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + description: Time scale + enum: + - s + - m + - h + - d + type: string + type: + enum: + - secondary + type: string + required: + - operation + - formula + - type + title: Formula Operation + type: object + Kibana_HTTP_APIs_metricSecondaryLastValue: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + compare: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToBaseline' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToPrimary' + description: Compare the secondary metric to a baseline value or to the primary metric. + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + multi_value: + default: false + description: Whether to return all values for multi-value fields. Only affects data table and metric charts; other charts use the last value from the array. 
+ type: boolean + operation: + enum: + - last_value + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_field: + description: Time field used to determine document recency + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - secondary + type: string + required: + - field + - operation + - time_field + - type + title: Last Value Operation + type: object + Kibana_HTTP_APIs_metricSecondaryMovingAverage: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + compare: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToBaseline' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToPrimary' + description: Compare the secondary metric to a baseline value or to the primary metric. 
+ filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - moving_average + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - secondary + type: string + window: + default: 5 + description: Window + type: number + required: + - operation + - of + - type + title: Moving Average Operation + type: object + Kibana_HTTP_APIs_metricSecondaryPercentile: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + compare: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToBaseline' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToPrimary' + description: Compare the secondary metric to a baseline value or to the primary metric. 
+ field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - percentile + type: string + percentile: + default: 95 + description: Percentile + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - secondary + type: string + required: + - field + - operation + - type + title: Percentile Operation + type: object + Kibana_HTTP_APIs_metricSecondaryPercentileRanks: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + compare: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToBaseline' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToPrimary' + description: Compare the secondary metric to a baseline value or to the primary metric. 
+ field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - percentile_rank + type: string + rank: + default: 0 + description: Percentile Rank + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - secondary + type: string + required: + - field + - operation + - type + title: Percentile Ranks Operation + type: object + Kibana_HTTP_APIs_metricSecondaryStatsMetric: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + compare: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToBaseline' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToPrimary' + description: Compare the secondary metric to a baseline value or to the primary metric. 
+ field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - min + - max + - average + - median + - standard_deviation + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - secondary + type: string + required: + - field + - operation + - type + title: Stats Metric Operation + type: object + Kibana_HTTP_APIs_metricSecondarySumMetric: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + compare: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToBaseline' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToPrimary' + description: Compare the secondary metric to a baseline value or to the primary metric. + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - secondary + type: string + required: + - field + - operation + - type + title: Sum Metric Operation + type: object + Kibana_HTTP_APIs_metricSecondaryUniqueCountMetric: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + compare: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToBaseline' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToPrimary' + description: Compare the secondary metric to a baseline value or to the primary metric. + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - unique_count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - secondary + type: string + required: + - field + - operation + - type + title: Unique Count Metric Operation + type: object + Kibana_HTTP_APIs_metricStyling: + additionalProperties: false + description: Visual chart styling options + properties: + icon: + $ref: '#/components/schemas/Kibana_HTTP_APIs_metricIconConfig' + primary: + additionalProperties: false + type: object + properties: + labels: + additionalProperties: false + description: Labels (title and subtitle) configuration + type: object + properties: + alignment: + description: 'Horizontal alignment for the title and subtitle text. Accepted values: `left`, `center`, `right`. Defaults to `left`.' + enum: + - left + - center + - right + type: string + position: + description: Position of the primary metric value (top, middle, or bottom). + enum: + - top + - middle + - bottom + type: string + value: + additionalProperties: false + description: Primary metric value configuration + type: object + properties: + alignment: + description: 'Alignment for the primary metric value. Accepted values: `left`, `center`, `right`. Defaults to `right`.' + enum: + - left + - center + - right + type: string + sizing: + description: Controls how the primary value text is sized within the panel. 
'auto' selects a font size from predefined breakpoints based on panel height, then shrinks if the text overflows horizontally. 'fill' scales the text to be as large as possible, filling all available space. + enum: + - auto + - fill + type: string + secondary: + additionalProperties: false + type: object + properties: + label: + additionalProperties: false + type: object + properties: + placement: + description: Label placement relative to the secondary metric value (before or after). + enum: + - before + - after + type: string + visible: + description: When `true`, displays the label. + type: boolean + value: + additionalProperties: false + description: Secondary metric value configuration + type: object + properties: + alignment: + description: 'Alignment for secondary values. Accepted values: `left`, `center`, `right`. Defaults to `right`.' + enum: + - left + - center + - right + type: string + title: metricStyling + type: object + Kibana_HTTP_APIs_minMaxAvgMedianStdDevMetricOperation: + additionalProperties: false + properties: + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - min + - max + - average + - median + - standard_deviation + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Stats Metric Operation + type: object + Kibana_HTTP_APIs_monitoring-alert-cluster-health-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: 
'#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want the rule to run on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how frequently rule actions are triggered. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. 
The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the cluster health rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_cluster_health`. + properties: + duration: + type: string + filterQuery: + type: string + filterQueryText: + type: string + limit: + type: string + threshold: + type: number + required: + - duration + title: Cluster Health Rule Params + type: object + rule_type_id: + enum: + - monitoring_alert_cluster_health + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how frequently rule actions are triggered. You cannot specify the throttle interval at both the rule and action level. If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. 
+ nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Cluster health + type: object + Kibana_HTTP_APIs_monitoring-alert-cpu-usage-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want the rule to run on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how frequently rule actions are triggered. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the CPU usage rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_cpu_usage`. + properties: + duration: + type: string + filterQuery: + type: string + filterQueryText: + type: string + limit: + type: string + threshold: + type: number + required: + - duration + title: CPU Usage Rule Params + type: object + rule_type_id: + enum: + - monitoring_alert_cpu_usage + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how frequently rule actions are triggered. You cannot specify the throttle interval at both the rule and action level. If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. 
+ nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: CPU usage + type: object + Kibana_HTTP_APIs_monitoring-alert-disk-usage-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want the rule to run on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how frequently rule actions are triggered. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the disk usage rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_disk_usage`. + properties: + duration: + type: string + filterQuery: + type: string + filterQueryText: + type: string + limit: + type: string + threshold: + type: number + required: + - duration + title: Disk Usage Rule Params + type: object + rule_type_id: + enum: + - monitoring_alert_disk_usage + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how frequently rule actions are triggered. You cannot specify the throttle interval at both the rule and action level. 
If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Disk usage + type: object + Kibana_HTTP_APIs_monitoring-alert-elasticsearch-version-mismatch-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want the rule to run on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how frequently rule actions are triggered. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the ES version mismatch rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_elasticsearch_version_mismatch`. + properties: + duration: + type: string + filterQuery: + type: string + filterQueryText: + type: string + limit: + type: string + threshold: + type: number + required: + - duration + title: ES Version Mismatch Rule Params + type: object + rule_type_id: + enum: + - monitoring_alert_elasticsearch_version_mismatch + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how frequently rule actions are triggered. You cannot specify the throttle interval at both the rule and action level. 
If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Elasticsearch version mismatch + type: object + Kibana_HTTP_APIs_monitoring-alert-jvm-memory-usage-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want the rule to run on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how frequently rule actions are triggered. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the memory usage rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_jvm_memory_usage`. + properties: + duration: + type: string + filterQuery: + type: string + filterQueryText: + type: string + limit: + type: string + threshold: + type: number + required: + - duration + title: Memory Usage Rule Params + type: object + rule_type_id: + enum: + - monitoring_alert_jvm_memory_usage + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how frequently rule actions are triggered. You cannot specify the throttle interval at both the rule and action level. 
If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: JVM memory usage + type: object + Kibana_HTTP_APIs_monitoring-alert-kibana-version-mismatch-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want the rule to run on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how frequently rule actions are triggered. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the Kibana version mismatch rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_kibana_version_mismatch`. + properties: + duration: + type: string + filterQuery: + type: string + filterQueryText: + type: string + limit: + type: string + threshold: + type: number + required: + - duration + title: Kibana Version Mismatch Rule Params + type: object + rule_type_id: + enum: + - monitoring_alert_kibana_version_mismatch + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how frequently rule actions are triggered. You cannot specify the throttle interval at both the rule and action level. 
If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Kibana version mismatch + type: object + Kibana_HTTP_APIs_monitoring-alert-license-expiration-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want the rule to run on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how frequently rule actions are triggered. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the license expiration rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_license_expiration`. + properties: + duration: + type: string + filterQuery: + type: string + filterQueryText: + type: string + limit: + type: string + threshold: + type: number + required: + - duration + title: License Expiration Rule Params + type: object + rule_type_id: + enum: + - monitoring_alert_license_expiration + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: type: string - - description: Filters the SLOs by name - example: my service availability - in: query - name: search - schema: + type: array + throttle: + description: Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how frequently rule actions are triggered. 
You cannot specify the throttle interval at both the rule and action level. If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: License expiration + type: object + Kibana_HTTP_APIs_monitoring-alert-logstash-version-mismatch-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want the rule to run on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. 
+ type: string + notify_when: + description: 'Indicates how frequently rule actions are triggered. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the logstash version mismatch rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_logstash_version_mismatch`. + properties: + duration: + type: string + filterQuery: + type: string + filterQueryText: + type: string + limit: + type: string + threshold: + type: number + required: + - duration + title: Logstash Version Mismatch Rule Params + type: object + rule_type_id: + enum: + - monitoring_alert_logstash_version_mismatch + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. 
+ items: type: string - - description: The page to use for pagination, must be greater or equal than 1 - example: 1 - in: query - name: page - schema: - type: number - - description: Number of SLOs returned by page - example: 100 - in: query - name: perPage - schema: - default: 100 - maximum: 1000 - type: integer - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/SLOs_find_slo_definitions_response' - description: Successful request - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json: - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json: - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Forbidden response - summary: Get the SLO definitions - tags: - - slo -components: - examples: - APM_UI_agent_configuration_environments_200_response1: - description: >- - An example of a successful response from `GET - /api/apm/settings/agent-configuration/environments`. - value: - environments: - - alreadyConfigured: true - name: production - - alreadyConfigured: false - name: development - - alreadyConfigured: false - name: ALL_OPTION_VALUE - APM_UI_agent_configuration_intake_object_delete_200_response1: - description: >- - An example of a successful response from `DELETE - /api/apm/settings/agent-configuration`. - value: - result: deleted - APM_UI_agent_configuration_intake_object_delete_request1: - description: >- - Run `DELETE /api/apm/settings/agent-configuration` to delete a - configuration. - value: - service: - environment: production - name: frontend - APM_UI_agent_configuration_intake_object_get_200_response1: - description: >- - An example of a successful response from `GET - /api/apm/settings/agent-configuration`. 
- value: - - '@timestamp': 1581934104843 - agent_name: go - applied_by_agent: false - etag: 1e58c178efeebae15c25c539da740d21dee422fc - service: - environment: production - name: opbeans-go - settings: - capture_body: 'off' - transaction_max_spans: '200' - transaction_sample_rate: '1' - - '@timestamp': 1581934111727 - agent_name: go - applied_by_agent: false - etag: 3eed916d3db434d9fb7f039daa681c7a04539a64 - service: - name: opbeans-go - settings: - capture_body: 'off' - transaction_max_spans: '300' - transaction_sample_rate: '1' - - '@timestamp': 1582031336265 - agent_name: nodejs - applied_by_agent: false - etag: 5080ed25785b7b19f32713681e79f46996801a5b - service: - name: frontend - settings: - transaction_sample_rate: '1' - APM_UI_agent_configuration_intake_object_put_200_response1: - description: >- - An example of a successful response from `PUT - /api/apm/settings/agent-configuration`. The response body is - intentionally empty. - value: {} - APM_UI_agent_configuration_intake_object_put_request1: - description: >- - Run `PUT /api/apm/settings/agent-configuration` to create or update - configuration details. - value: - agent_name: nodejs - service: - environment: production - name: frontend - settings: - capture_body: 'off' - transaction_max_spans: '500' - transaction_sample_rate: '0.4' - APM_UI_agent_configuration_intake_object_search_200_response1: - description: >- - An example of a successful response from `POST - /api/apm/settings/agent-configuration/search`. - value: - _id: CIaqXXABmQCdPphWj8EJ - _index: .apm-agent-configuration - _score: 2 - _source: - '@timestamp': 1582031336265 - agent_name: nodejs - applied_by_agent: false - etag: 5080ed25785b7b19f32713681e79f46996801a5b - service: - name: frontend - settings: - transaction_sample_rate: '1' - APM_UI_agent_configuration_intake_object_search_request1: - description: >- - Run `POST /api/apm/settings/agent-configuration/search` to search - configuration details. 
- value: - etag: 1e58c178efeebae15c25c539da740d21dee422fc - service: - environment: production - name: frontend - APM_UI_agent_configuration_intake_object_view_200_response1: - description: >- - An example of a successful response from `GET - /api/apm/settings/agent-configuration/view`. - value: - '@timestamp': 1582031336265 - agent_name: nodejs - applied_by_agent: true - etag: 5080ed25785b7b19f32713681e79f46996801a5b - id: CIaqXXABmQCdPphWj8EJ - service: - environment: production - name: frontend - settings: - capture_body: 'off' - transaction_max_spans: '500' - transaction_sample_rate: '0.4' - APM_UI_agent_keys_object_post_200_response1: - description: >- - An example of a successful response from `POST /api/apm/agent_keys`, - which creates an APM agent API key. - value: - agentKey: - api_key: PjGloCGOTzaZr8ilUPvkjA - encoded: M0RDTG1uMEIzWk1oTFVhN1dCRzk6UGpHbG9DR09UemFacjhpbFVQdmtqQQ== - id: 3DCLmn0B3ZMhLUa7WBG9 - name: apm-key - APM_UI_agent_keys_object_post_request1: - description: >- - Run `POST /api/apm/agent_keys` to create an APM agent API key with the - specified privileges. - value: - name: apm-key - privileges: - - event:write - - config_agent:read - APM_UI_annotation_object_post_200_response1: - description: >- - An example of a successful response from `POST - /api/apm/services/opbeans-java/annotation`, which creates an annotation - for a service named `opbeans-java`. - value: - _id: Lc9I93EBh6DbmkeV7nFX - _index: observability-annotations - _primary_term: 1 - _seq_no: 12 - _source: - '@timestamp': '2020-05-08T10:31:30.452Z' - annotation: - type: deployment - event: - created: '2020-05-09T02:34:43.937Z' - message: Deployment 1.2 - service: - name: opbeans-java - version: '1.2' - tags: - - apm - - elastic.co - - customer - _version: 1 - found: true - APM_UI_annotation_object_post_request1: - description: >- - Run `POST /api/apm/services/{serviceName}/annotation` to create a - deployment annotation for a service. 
- value: - '@timestamp': '2024-01-15T12:00:00.000Z' - message: Deployment 1.2.0 - service: - environment: production - version: 1.2.0 + type: array + throttle: + description: Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how frequently rule actions are triggered. You cannot specify the throttle interval at both the rule and action level. If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Logstash version mismatch + type: object + Kibana_HTTP_APIs_monitoring-alert-missing-monitoring-data-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' 
+ type: string + enabled: + default: true + description: Indicates whether you want the rule to run on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how frequently rule actions are triggered. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the missing monitoring data rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_missing_monitoring_data`. + properties: + duration: + type: string + filterQuery: + type: string + filterQueryText: + type: string + limit: + type: string + threshold: + type: number + required: + - duration + title: Missing Monitoring Data Rule Params + type: object + rule_type_id: + enum: + - monitoring_alert_missing_monitoring_data + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. 
+ type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval tags: - - apm - - deployment - APM_UI_annotation_search_get_200_response1: - description: >- - An example of a successful response from `GET - /api/apm/services/{serviceName}/annotation/search`, which returns the - annotations associated with a service over the given time range. - value: - annotations: - - '@timestamp': 1735689600000 - id: opbeans-node@2.0.0 - text: opbeans-node@2.0.0 - type: version - - '@timestamp': 1736294400000 - id: opbeans-node@2.1.0 - text: opbeans-node@2.1.0 - type: version - APM_UI_error_400_response: - description: >- - An example of a 400 Bad Request response, returned when the request - payload or query parameters fail validation. - value: - error: Bad Request - message: '[request body]: expected value of type [string] but got [undefined]' - statusCode: 400 - APM_UI_error_401_response: - description: >- - An example of a 401 Unauthorized response, returned when the request is - missing valid authentication credentials. - value: - error: Unauthorized - message: >- - [security_exception]: missing authentication credentials for REST - request - statusCode: 401 - APM_UI_error_403_response: - description: >- - An example of a 403 Forbidden response, returned when the authenticated - user lacks the required APM and User Experience privileges. - value: - error: Forbidden - message: >- - Insufficient privileges to perform this action. The APM and User - Experience feature requires `all` privileges. - statusCode: 403 - APM_UI_error_404_response: - description: >- - An example of a 404 Not Found response, returned when the requested - resource does not exist or the feature is not available on the current - deployment. 
- value: - error: Not Found - message: Not Found - statusCode: 404 - APM_UI_error_500_response: - description: >- - An example of a 500 Internal Server Error response, returned when an - unexpected error occurs while processing the request. - value: - error: Internal Server Error - message: >- - An internal server error occurred. Check the Kibana server logs for - details. - statusCode: 500 - APM_UI_error_501_response: - description: >- - An example of a 501 Not Implemented response, returned when the source - map feature is not available on the current deployment. - value: - error: Not Implemented - message: Not Implemented - statusCode: 501 - APM_UI_fleet_apm_server_schema_200_response1: - description: >- - An example of a successful response from `POST - /api/apm/fleet/apm_server_schema`. The response body is intentionally - empty. - value: {} - APM_UI_service_agent_name_get_200_response1: - description: >- - An example of a successful response from `GET - /api/apm/settings/agent-configuration/agent_name`, which returns the - detected APM agent name for a service. - value: - agentName: nodejs - APM_UI_source_maps_delete_200_response1: - description: >- - An example of a successful response from `DELETE - /api/apm/sourcemaps/{id}`. The response body is intentionally empty. - value: {} - APM_UI_source_maps_get_200_response1: - description: A successful response from `GET /api/apm/sourcemaps`. - value: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how frequently rule actions are triggered. You cannot specify the throttle interval at both the rule and action level. If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. 
+ nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Missing monitoring data + type: object + Kibana_HTTP_APIs_monitoring-alert-nodes-changed-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active artifacts: - - body: - bundleFilepath: /test/e2e/general-usecase/bundle.js - serviceName: foo - serviceVersion: 1.0.0 - sourceMap: - file: static/js/main.chunk.js - mappings: mapping - sourceRoot: '' - sources: - - fleet-source-map-client/src/index.css - - fleet-source-map-client/src/App.js - - webpack:///./src/index.css?bb0a - - fleet-source-map-client/src/index.js - - fleet-source-map-client/src/reportWebVitals.js - sourcesContent: - - content - version: 3 - compressionAlgorithm: zlib - created: '2021-07-09T20:47:44.812Z' - decodedSha256: 644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 - decodedSize: 441 - encodedSha256: 024c72749c3e3dd411b103f7040ae62633558608f480bce4b108cf5b2275bd24 - encodedSize: 237 - encryptionAlgorithm: none - id: >- - apm:foo-1.0.0-644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 - identifier: foo-1.0.0 - packageName: apm - relative_url: >- - /api/fleet/artifacts/foo-1.0.0/644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 - type: sourcemap - APM_UI_source_maps_upload_200_response1: - description: A successful response from `POST /api/apm/sourcemaps`. 
- value: - body: >- - eJyFkL1OwzAUhd/Fc+MbYMuCEBIbHRjKgBgc96R16tiWr1OQqr47NwqJxEK3q/PzWccXxchnZ7E1A1SjuhjVZtF2yOxiEPlO17oWox3D3uPFeSRTjmJQARfCPeiAgGx8NTKsYdAc1T3rwaSJGcds8Sp3c1HnhfywUZ3QhMTFFGepZxqMC9oex3CS9tpk1XyozgOlmoVKuJX1DqEQZ0su7PGtLU+V/3JPKc3cL7TJ2FNDRPov4bFta3MDM4f7W69lpJjLO9qdK8bzVPhcJz3HUCQ4LbO/p5hCSC4cZPByrp/wFqOklbpefwAhzpqI - compressionAlgorithm: zlib - created: '2021-07-09T20:47:44.812Z' - decodedSha256: 644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 - decodedSize: 441 - encodedSha256: 024c72749c3e3dd411b103f7040ae62633558608f480bce4b108cf5b2275bd24 - encodedSize: 237 - encryptionAlgorithm: none - id: >- - apm:foo-1.0.0-644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 - identifier: foo-1.0.0 - packageName: apm - relative_url: >- - /api/fleet/artifacts/foo-1.0.0/644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 - type: sourcemap - APM_UI_source_maps_upload_request1: - description: > - An example of a multipart/form-data request body for `POST - /api/apm/sourcemaps`. - - Each field is a separate form part; `sourcemap` is the source map file - content (typically uploaded as a file). - value: - bundle_filepath: /test/e2e/general-usecase/bundle.js.map - service_name: opbeans-node - service_version: 1.0.0 - sourcemap: >- - {"version":3,"sources":["bundle.js"],"names":[],"mappings":"AAAA","file":"bundle.js","sourcesContent":["console.log('hello');"]} - Data_views_create_data_view_request: - description: >- - Create a data view for logstash indices that includes a runtime field - which extracts the shape name from a source field. - summary: Create a data view with runtime fields. 
- value: - data_view: - name: My Logstash data view - runtimeFieldMap: - runtime_shape_name: - script: - source: emit(doc['shape_name'].value) - type: keyword - title: logstash-* - Data_views_create_data_view_response: - description: >- - The response includes the full data view specification, including - auto-generated fields such as the unique identifier and version. - summary: >- - The create data view API returns a JSON object that contains details - about the new data view. - value: - data_view: - allowNoIndex: false - fieldAttrs: {} - fieldFormats: {} - fields: - runtime_shape_name: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - name: runtime_shape_name - readFromDocValues: false - runtimeField: - script: - source: emit(doc['shape_name'].value) - type: keyword - scripted: false - searchable: true - shortDotsEnable: false + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want the rule to run on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how frequently rule actions are triggered. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the nodes changed rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_nodes_changed`. + properties: + duration: type: string - id: b561acfb-0181-455e-84a3-ce8980b2272f - name: My Logstash data view - namespaces: - - default - runtimeFieldMap: - runtime_shape_name: - script: - source: emit(doc['shape_name'].value) - type: keyword - sourceFilters: [] - title: logstash-* - typeMeta: {} - version: WzQ5LDJd - Data_views_create_runtime_field_request: - description: >- - Create a long-type runtime field that emits a value derived from the foo - source field. - summary: Create a runtime field. - value: - name: runtimeFoo - runtimeField: - script: - source: emit(doc["foo"].value) - type: long - Data_views_create_runtime_field_response: - description: >- - The response includes the newly created runtime field as an array and - the full updated data view object. - summary: >- - The API returns created runtime field object array and updated data view - object. - value: - data_view: - ...: null - fields: - - ... 
- Data_views_error_400_response: - description: >- - The request was rejected because the payload or query parameters are - missing required fields or contain invalid values. - summary: A bad request response. - value: - error: Bad Request - message: >- - [request body.data_view.title]: expected value of type [string] but - got [undefined] - statusCode: 400 - Data_views_error_404_response: - description: >- - The requested data view or runtime field was not found in the current - Kibana space. - summary: A not found response. - value: - error: Not Found - message: >- - Saved object [index-pattern/caaad6d0-920c-11ed-b36a-874bd1548a00] not - found - statusCode: 404 - Data_views_get_data_view_response: - description: >- - A complete data view object including all fields, runtime fields, and - metadata. - summary: >- - The get data view API returns a JSON object that contains information - about the data view. - value: - data_view: - allowNoIndex: false - fieldAttrs: - products.manufacturer: - count: 1 - products.price: - count: 1 - products.product_name: - count: 1 - total_quantity: - count: 1 - fieldFormats: - products.base_price: - id: number - params: - pattern: $0,0.00 - products.base_unit_price: - id: number - params: - pattern: $0,0.00 - products.min_price: - id: number - params: - pattern: $0,0.00 - products.price: - id: number - params: - pattern: $0,0.00 - products.taxful_price: - id: number - params: - pattern: $0,0.00 - products.taxless_price: - id: number - params: - pattern: $0,0.00 - taxful_total_price: - id: number - params: - pattern: $0,0.[00] - taxless_total_price: - id: number - params: - pattern: $0,0.00 - fields: - _id: - aggregatable: false - count: 0 - esTypes: - - _id - format: - id: string - isMapped: true - name: _id - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false + filterQuery: type: string - _index: - aggregatable: true - count: 0 - esTypes: - - _index - format: - id: string - isMapped: true - name: 
_index - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false + filterQueryText: type: string - _score: - aggregatable: false - count: 0 - format: - id: number - isMapped: true - name: _score - readFromDocValues: false - scripted: false - searchable: false - shortDotsEnable: false + limit: + type: string + threshold: type: number - _source: - aggregatable: false - count: 0 - esTypes: - - _source - format: - id: _source - isMapped: true - name: _source - readFromDocValues: false - scripted: false - searchable: false - shortDotsEnable: false - type: _source - category: - aggregatable: false - count: 0 - esTypes: - - text - format: - id: string - isMapped: true - name: category - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false + required: + - duration + title: Nodes Changed Rule Params + type: object + rule_type_id: + enum: + - monitoring_alert_nodes_changed + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. type: string - category.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: category.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: category + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how frequently rule actions are triggered. You cannot specify the throttle interval at both the rule and action level. 
If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Nodes changed + type: object + Kibana_HTTP_APIs_monitoring-alert-thread-pool-search-rejections-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want the rule to run on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how frequently rule actions are triggered. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the thread pool search rejections rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_thread_pool_search_rejections`. + properties: + duration: type: string - currency: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: currency - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + filterQuery: type: string - customer_birth_date: - aggregatable: true - count: 0 - esTypes: - - date - format: - id: date - isMapped: true - name: customer_birth_date - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: date - customer_first_name: - aggregatable: false - count: 0 - esTypes: - - text - format: - id: string - isMapped: true - name: customer_first_name - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false + filterQueryText: type: string - customer_first_name.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: customer_first_name.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - 
subType: - multi: - parent: customer_first_name + threshold: + type: number + required: + - duration + title: Thread Pool Search Rejections Rule Params + type: object + rule_type_id: + enum: + - monitoring_alert_thread_pool_search_rejections + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. type: string - customer_full_name: - aggregatable: false - count: 0 - esTypes: - - text - format: - id: string - isMapped: true - name: customer_full_name - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how frequently rule actions are triggered. You cannot specify the throttle interval at both the rule and action level. If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Thread pool search rejections + type: object + Kibana_HTTP_APIs_monitoring-alert-thread-pool-write-rejections-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. 
+ type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want the rule to run on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how frequently rule actions are triggered. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the thread pool write rejections rule. 
These parameters are appropriate when `rule_type_id` is `monitoring_alert_thread_pool_write_rejections`. + properties: + duration: type: string - customer_full_name.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: customer_full_name.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: customer_full_name + filterQuery: type: string - customer_gender: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: customer_gender - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + filterQueryText: type: string - customer_id: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: customer_id - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + threshold: + type: number + required: + - duration + title: Thread Pool Write Rejections Rule Params + type: object + rule_type_id: + enum: + - monitoring_alert_thread_pool_write_rejections + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. type: string - customer_last_name: - aggregatable: false - count: 0 - esTypes: - - text - format: - id: string - isMapped: true - name: customer_last_name - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how frequently rule actions are triggered. 
You cannot specify the throttle interval at both the rule and action level. If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Thread pool write rejections + type: object + Kibana_HTTP_APIs_monitoring-ccr-read-exceptions-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want the rule to run on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. 
+ type: string + notify_when: + description: 'Indicates how frequently rule actions are triggered. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the CCR read exceptions rule. These parameters are appropriate when `rule_type_id` is `monitoring_ccr_read_exceptions`. 
+ properties: + duration: type: string - customer_last_name.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: customer_last_name.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: customer_last_name + filterQuery: type: string - customer_phone: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: customer_phone - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + filterQueryText: type: string - day_of_week: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: day_of_week - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + limit: type: string - day_of_week_i: - aggregatable: true - count: 0 - esTypes: - - integer - format: - id: number - isMapped: true - name: day_of_week_i - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + threshold: type: number - email: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: email - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + required: + - duration + title: CCR Read Exceptions Rule Params + type: object + rule_type_id: + enum: + - monitoring_ccr_read_exceptions + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. 
type: string - event.dataset: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: event.dataset - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how frequently rule actions are triggered. You cannot specify the throttle interval at both the rule and action level. If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: CCR read exceptions + type: object + Kibana_HTTP_APIs_monitoring-shard-size-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. 
For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want the rule to run on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how frequently rule actions are triggered. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the large shard size rule. These parameters are appropriate when `rule_type_id` is `monitoring_shard_size`. 
+ properties: + duration: type: string - geoip.city_name: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: geoip.city_name - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + filterQuery: type: string - geoip.continent_name: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: geoip.continent_name - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + filterQueryText: type: string - geoip.country_iso_code: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: geoip.country_iso_code - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + indexPattern: type: string - geoip.location: - aggregatable: true - count: 0 - esTypes: - - geo_point + limit: + type: string + threshold: + type: number + required: + - duration + - indexPattern + title: Large Shard Size Rule Params + type: object + rule_type_id: + enum: + - monitoring_shard_size + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how frequently rule actions are triggered. You cannot specify the throttle interval at both the rule and action level. If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. 
+ nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Large shard size + type: object + Kibana_HTTP_APIs_mosaicESQL: + additionalProperties: false + description: Mosaic chart configuration schema for ES|QL queries, defining metrics and breakdown dimensions using column-based configuration + properties: + data_source: + $ref: '#/components/schemas/Kibana_HTTP_APIs_esqlDataSource' + description: + type: string + drilldowns: + items: + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. 
+ type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + group_breakdown_by: + description: Array of group breakdown dimensions (minimum 1) + items: + additionalProperties: false + type: object + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + column: + description: Column to use + type: string format: - id: geo_point - params: - transform: wkt - isMapped: true - name: geoip.location - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: geo_point - geoip.region_name: - aggregatable: true - count: 0 - esTypes: - - keyword + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + required: + - column + maxItems: 100 + minItems: 1 + type: array 
+ group_by: + description: Array of breakdown dimensions (minimum 1) + items: + additionalProperties: false + type: object + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + column: + description: Column to use + type: string format: - id: string - isMapped: true - name: geoip.region_name - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + required: + - column + maxItems: 100 + minItems: 1 + type: array + hide_border: + type: boolean + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. + type: boolean + legend: + $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicLegend' + metric: + additionalProperties: false + description: Metric configuration for ES|QL mode, combining generic options, primary metric options, and column selection + type: object + properties: + column: + description: Column to use type: string - manufacturer: - aggregatable: false - count: 0 - esTypes: - - text - format: - id: string - isMapped: true - name: manufacturer - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string - manufacturer.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: manufacturer.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: manufacturer + required: + - column + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array 
+ sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). + maximum: 1 + minimum: 0 + type: number + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicStyling' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + type: + enum: + - mosaic + type: string + required: + - type + - data_source + - metric + title: Mosaic Chart (ES|QL) + type: object + Kibana_HTTP_APIs_mosaicGroupBreakdownByDateHistogram: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + drop_partial_intervals: + description: When `true`, drops partial intervals from the results. + type: boolean + field: + description: Field to be used for the date histogram. + type: string + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. + type: boolean + label: + description: Label for the operation + type: string + operation: + enum: + - date_histogram + type: string + suggested_interval: + default: auto + description: Suggested time interval. + type: string + use_original_time_range: + default: false + description: When `true`, uses the original time range instead of the current query time range. 
+ type: boolean + required: + - operation + - field + title: Date Histogram Operation + type: object + Kibana_HTTP_APIs_mosaicGroupBreakdownByFilters: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + filters: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterWithLabel' + maxItems: 100 + type: array + label: + description: Label for the operation + type: string + operation: + enum: + - filters + type: string + required: + - operation + - filters + title: Filters Operation + type: object + Kibana_HTTP_APIs_mosaicGroupBreakdownByHistogram: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + field: + description: Field to be used for the histogram. + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + granularity: + anyOf: + - description: Granularity of the histogram. + maximum: 7 + minimum: 1 + type: number + - enum: + - auto + type: string + default: auto + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. + type: boolean + label: + description: Label for the operation + type: string + operation: + enum: + - histogram + type: string + required: + - operation + - field + title: Histogram Operation + type: object + Kibana_HTTP_APIs_mosaicGroupBreakdownByRanges: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + field: + description: Field to be used for the range. + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - range + type: string + ranges: + items: + additionalProperties: false + type: object + properties: + gt: + description: Greater than. + type: number + label: + description: Label. + type: string + lte: + description: Less than or equal to. 
+ type: number + maxItems: 100 + type: array + required: + - operation + - field + - ranges + title: Ranges Operation + type: object + Kibana_HTTP_APIs_mosaicGroupBreakdownByTerms: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + excludes: + additionalProperties: false + type: object + properties: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to exclude. + type: string + maxItems: 100 + type: array + required: + - values + fields: + items: + description: Fields to be used for the terms. + type: string + maxItems: 4 + minItems: 1 + type: array + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + includes: + additionalProperties: false + type: object + properties: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to include. + type: string + maxItems: 100 + type: array + required: + - values + increase_accuracy: + description: When `true`, increases accuracy at the cost of performance. + type: boolean + label: + description: Label for the operation + type: string + limit: + default: 5 + description: Number of terms to return. + type: number + operation: + enum: + - terms + type: string + other_bucket: + additionalProperties: false + type: object + properties: + include_documents_without_field: + description: When `true`, includes documents that do not have the specified field. 
+ type: boolean + required: + - include_documents_without_field + rank_by: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByAlphabetical' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByRare' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankBySignificant' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomCountOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileRankOperation' + required: + - operation + - fields + title: Terms Operation + type: object + Kibana_HTTP_APIs_mosaicGroupByDateHistogram: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + drop_partial_intervals: + description: When `true`, drops partial intervals from the results. + type: boolean + field: + description: Field to be used for the date histogram. + type: string + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. + type: boolean + label: + description: Label for the operation + type: string + operation: + enum: + - date_histogram + type: string + suggested_interval: + default: auto + description: Suggested time interval. + type: string + use_original_time_range: + default: false + description: When `true`, uses the original time range instead of the current query time range. 
+ type: boolean + required: + - operation + - field + title: Date Histogram Operation + type: object + Kibana_HTTP_APIs_mosaicGroupByFilters: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + filters: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterWithLabel' + maxItems: 100 + type: array + label: + description: Label for the operation + type: string + operation: + enum: + - filters + type: string + required: + - operation + - filters + title: Filters Operation + type: object + Kibana_HTTP_APIs_mosaicGroupByHistogram: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + field: + description: Field to be used for the histogram. + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + granularity: + anyOf: + - description: Granularity of the histogram. + maximum: 7 + minimum: 1 + type: number + - enum: + - auto type: string - order_date: - aggregatable: true - count: 0 - esTypes: - - date - format: - id: date - isMapped: true - name: order_date - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: date - order_id: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: order_id - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + default: auto + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. 
+ type: boolean + label: + description: Label for the operation + type: string + operation: + enum: + - histogram + type: string + required: + - operation + - field + title: Histogram Operation + type: object + Kibana_HTTP_APIs_mosaicGroupByRanges: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + field: + description: Field to be used for the range. + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - range + type: string + ranges: + items: + additionalProperties: false + type: object + properties: + gt: + description: Greater than. + type: number + label: + description: Label. + type: string + lte: + description: Less than or equal to. + type: number + maxItems: 100 + type: array + required: + - operation + - field + - ranges + title: Ranges Operation + type: object + Kibana_HTTP_APIs_mosaicGroupByTerms: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + excludes: + additionalProperties: false + type: object + properties: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to exclude. + type: string + maxItems: 100 + type: array + required: + - values + fields: + items: + description: Fields to be used for the terms. + type: string + maxItems: 4 + minItems: 1 + type: array + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + includes: + additionalProperties: false + type: object + properties: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to include. 
+ type: string + maxItems: 100 + type: array + required: + - values + increase_accuracy: + description: When `true`, increases accuracy at the cost of performance. + type: boolean + label: + description: Label for the operation + type: string + limit: + default: 5 + description: Number of terms to return. + type: number + operation: + enum: + - terms + type: string + other_bucket: + additionalProperties: false + type: object + properties: + include_documents_without_field: + description: When `true`, includes documents that do not have the specified field. + type: boolean + required: + - include_documents_without_field + rank_by: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByAlphabetical' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByRare' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankBySignificant' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomCountOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileRankOperation' + required: + - operation + - fields + title: Terms Operation + type: object + Kibana_HTTP_APIs_mosaicLegend: + additionalProperties: false + description: Legend configuration for mosaic chart appearance and behavior + properties: + nested: + description: Show nested legend with hierarchical breakdown levels + type: boolean + size: + $ref: '#/components/schemas/Kibana_HTTP_APIs_legendSize' + truncate_after_lines: + description: Number of lines before legend items are truncated. + maximum: 10 + minimum: 1 + title: legendTruncateAfterLines + type: number + visibility: + description: Legend visibility. 
+ enum: + - auto + - visible + - hidden + type: string + title: Legend + type: object + Kibana_HTTP_APIs_mosaicMetricCounterRate: + additionalProperties: false + properties: + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - counter_rate + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Counter Rate Operation + type: object + Kibana_HTTP_APIs_mosaicMetricCountMetric: + additionalProperties: false + properties: + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - operation + title: Count Metric Operation + type: object + Kibana_HTTP_APIs_mosaicMetricCumulativeSum: + additionalProperties: false + properties: + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - cumulative_sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Cumulative Sum Operation + type: object + Kibana_HTTP_APIs_mosaicMetricDifferences: + additionalProperties: false + properties: + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - differences + type: string + reduced_time_range: + description: Reduced time range + title: 
Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - operation + - of + title: Differences Operation + type: object + Kibana_HTTP_APIs_mosaicMetricFormula: + additionalProperties: false + properties: + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + formula: + description: Formula + type: string + label: + description: Label for the operation + type: string + operation: + enum: + - formula + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + description: Time scale + enum: + - s + - m + - h + - d + type: string + required: + - operation + - formula + title: Formula Operation + type: object + Kibana_HTTP_APIs_mosaicMetricLastValue: + additionalProperties: false + properties: + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + multi_value: + default: false + description: Whether to return all values for multi-value fields. Only affects data table and metric charts; other charts use the last value from the array. 
+ type: boolean + operation: + enum: + - last_value + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_field: + description: Time field used to determine document recency + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + - time_field + title: Last Value Operation + type: object + Kibana_HTTP_APIs_mosaicMetricMovingAverage: + additionalProperties: false + properties: + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - moving_average + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + window: + default: 5 + description: Window + type: number + required: + - operation + - of + title: Moving Average Operation + type: object + Kibana_HTTP_APIs_mosaicMetricPercentile: + additionalProperties: false + properties: + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - percentile + type: string + percentile: + default: 95 + description: Percentile + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + 
type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Percentile Operation + type: object + Kibana_HTTP_APIs_mosaicMetricPercentileRanks: + additionalProperties: false + properties: + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - percentile_rank + type: string + rank: + default: 0 + description: Percentile Rank + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Percentile Ranks Operation + type: object + Kibana_HTTP_APIs_mosaicMetricStatsMetric: + additionalProperties: false + properties: + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - min + - max + - average + - median + - standard_deviation + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Stats Metric Operation + type: object + 
Kibana_HTTP_APIs_mosaicMetricSumMetric: + additionalProperties: false + properties: + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. + type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Sum Metric Operation + type: object + Kibana_HTTP_APIs_mosaicMetricUniqueCountMetric: + additionalProperties: false + properties: + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - unique_count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Unique Count Metric Operation + type: object + Kibana_HTTP_APIs_mosaicNoESQL: + additionalProperties: false + description: Mosaic chart configuration schema for data source queries (non-ES|QL mode), defining metrics and breakdown dimensions + properties: + data_source: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' + description: + type: string + drilldowns: + items: + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. 
+ type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + group_breakdown_by: + description: Array of group breakdown dimensions (minimum 1) + items: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicGroupBreakdownByDateHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicGroupBreakdownByTerms' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicGroupBreakdownByHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicGroupBreakdownByRanges' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicGroupBreakdownByFilters' + maxItems: 100 + minItems: 1 + type: array + group_by: + description: Array of breakdown dimensions (minimum 1) + items: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicGroupByDateHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicGroupByTerms' + - $ref: 
'#/components/schemas/Kibana_HTTP_APIs_mosaicGroupByHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicGroupByRanges' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicGroupByFilters' + maxItems: 100 + minItems: 1 + type: array + hide_border: + type: boolean + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. + type: boolean + legend: + $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicLegend' + metric: + anyOf: + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicMetricCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicMetricUniqueCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicMetricStatsMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicMetricSumMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicMetricLastValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicMetricPercentile' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicMetricPercentileRanks' + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicMetricDifferences' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicMetricMovingAverage' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicMetricCumulativeSum' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicMetricCounterRate' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicMetricFormula' + query: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). 
+ maximum: 1 + minimum: 0 + type: number + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicStyling' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + type: + enum: + - mosaic + type: string + required: + - type + - data_source + - metric + title: Mosaic Chart (DSL) + type: object + Kibana_HTTP_APIs_mosaicStyling: + additionalProperties: false + description: Visual chart styling options + properties: + values: + $ref: '#/components/schemas/Kibana_HTTP_APIs_valueDisplay' + title: Mosaic styling + type: object + Kibana_HTTP_APIs_movingAverageOperation: + additionalProperties: false + properties: + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - moving_average + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + window: + default: 5 + description: Window + type: number + required: + - operation + - of + title: Moving Average Operation + type: object + Kibana_HTTP_APIs_multi_field_key: + additionalProperties: false + properties: + keys: + items: + type: string + maxItems: 100 + type: array + type: + enum: + - multi_field_key + type: string + required: + - type + - keys + title: Multi Field Key + type: object + Kibana_HTTP_APIs_new_agent_policy: + additionalProperties: false + properties: + advanced_settings: + additionalProperties: false + type: object + properties: + agent_download_target_directory: + nullable: true + agent_download_timeout: + nullable: true + 
agent_features_disable_policy_change_acks_enabled: + nullable: true + agent_internal: + nullable: true + agent_limits_go_max_procs: + nullable: true + agent_logging_files_interval: + nullable: true + agent_logging_files_keepfiles: + nullable: true + agent_logging_files_rotateeverybytes: + nullable: true + agent_logging_level: + nullable: true + agent_logging_metrics_period: + nullable: true + agent_logging_to_files: + nullable: true + agent_monitoring_runtime_experimental: + nullable: true + agent_features: + items: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + name: + type: string + required: + - name + - enabled + maxItems: 100 + type: array + agentless: + additionalProperties: false + type: object + properties: + cloud_connectors: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + target_csp: + enum: + - aws + - azure + - gcp + type: string + required: + - enabled + cluster_id: type: string - products._id: - aggregatable: false - count: 0 - esTypes: - - text - format: - id: string - isMapped: true - name: products._id - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false + resources: + additionalProperties: false + type: object + properties: + requests: + additionalProperties: false + type: object + properties: + cpu: + type: string + memory: + type: string + bumpRevision: + type: boolean + data_output_id: + nullable: true + type: string + description: + type: string + download_source_id: + nullable: true + type: string + fleet_server_host_id: + nullable: true + type: string + force: + type: boolean + global_data_tags: + description: User defined data tags that are added to all of the inputs. The values can be strings or numbers. 
+ items: + additionalProperties: false + type: object + properties: + name: + type: string + value: + anyOf: + - type: string + - type: number + required: + - name + - value + maxItems: 100 + type: array + has_agent_version_conditions: + type: boolean + has_fleet_server: + type: boolean + id: + type: string + inactivity_timeout: + default: 1209600 + minimum: 0 + type: number + is_default: + type: boolean + is_default_fleet_server: + type: boolean + is_managed: + type: boolean + is_protected: + type: boolean + is_verifier: + type: boolean + keep_monitoring_alive: + default: false + description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled + nullable: true + type: boolean + min_agent_version: + nullable: true + type: string + monitoring_diagnostics: + additionalProperties: false + type: object + properties: + limit: + additionalProperties: false + type: object + properties: + burst: + type: number + interval: + type: string + uploader: + additionalProperties: false + type: object + properties: + init_dur: + type: string + max_dur: + type: string + max_retries: + type: number + monitoring_enabled: + items: + enum: + - logs + - metrics + - traces + type: string + maxItems: 3 + type: array + monitoring_http: + additionalProperties: false + type: object + properties: + buffer: + additionalProperties: false + type: object + properties: + enabled: + default: false + type: boolean + enabled: + type: boolean + host: type: string - products._id.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: products._id.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: products._id + port: + maximum: 65353 + minimum: 0 + type: number + monitoring_output_id: + nullable: true + type: string + monitoring_pprof_enabled: + type: boolean + name: + minLength: 1 + type: string + namespace: + minLength: 1 + type: 
string + overrides: + additionalProperties: + nullable: true + description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure. + nullable: true + type: object + package_agent_version_conditions: + items: + additionalProperties: false + type: object + properties: + name: + type: string + title: + type: string + version_condition: + type: string + required: + - name + - title + - version_condition + maxItems: 1000 + nullable: true + type: array + required_versions: + items: + additionalProperties: false + type: object + properties: + percentage: + description: Target percentage of agents to auto upgrade + maximum: 100 + minimum: 0 + type: number + version: + description: Target version for automatic agent upgrade + type: string + required: + - version + - percentage + maxItems: 100 + nullable: true + type: array + space_ids: + items: + type: string + maxItems: 100 + type: array + supports_agentless: + default: false + deprecated: true + description: Indicates whether the agent policy supports agentless integrations. Deprecated in favor of the Fleet agentless policies API. + nullable: true + type: boolean + unenroll_timeout: + minimum: 0 + type: number + required: + - name + - namespace + title: new_agent_policy + type: object + Kibana_HTTP_APIs_new_enrollment_api_key: + additionalProperties: false + properties: + expiration: + type: string + name: + type: string + policy_id: + type: string + required: + - policy_id + title: new_enrollment_api_key + type: object + Kibana_HTTP_APIs_new_maintenance_window: + additionalProperties: false + properties: + enabled: + description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications. 
+ type: boolean + schedule: + additionalProperties: false + type: object + properties: + custom: + $ref: '#/components/schemas/Kibana_HTTP_APIs_maintenance_window_schedule_request' + required: + - custom + scope: + $ref: '#/components/schemas/Kibana_HTTP_APIs_maintenance_window_scope' + title: + description: The name of the maintenance window. While this name does not have to be unique, a distinctive name can help you identify a specific maintenance window. + type: string + required: + - title + - schedule + title: new_maintenance_window + type: object + Kibana_HTTP_APIs_new_output_elasticsearch: + additionalProperties: false + properties: + allow_edit: + items: + type: string + maxItems: 1000 + type: array + ca_sha256: + nullable: true + type: string + ca_trusted_fingerprint: + nullable: true + type: string + config_yaml: + nullable: true + type: string + hosts: + items: + format: uri + type: string + maxItems: 10 + minItems: 1 + type: array + id: + type: string + is_default: + default: false + type: boolean + is_default_monitoring: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + type: boolean + name: + type: string + otel_disable_beatsauth: + nullable: true + type: boolean + otel_exporter_config_yaml: + nullable: true + type: string + preset: + enum: + - balanced + - custom + - throughput + - scale + - latency + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + ssl: + additionalProperties: false + type: object + properties: + key: + anyOf: + - additionalProperties: false + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + shipper: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' + nullable: true + ssl: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + nullable: true + type: + enum: + - elasticsearch + type: string + write_to_logs_streams: + 
nullable: true + type: boolean + required: + - name + - type + - hosts + title: new_output_elasticsearch + type: object + Kibana_HTTP_APIs_new_output_kafka: + additionalProperties: false + properties: + allow_edit: + items: + type: string + maxItems: 1000 + type: array + auth_type: + enum: + - none + - user_pass + - ssl + - kerberos + type: string + broker_timeout: + type: number + ca_sha256: + nullable: true + type: string + ca_trusted_fingerprint: + nullable: true + type: string + client_id: + type: string + compression: + enum: + - gzip + - snappy + - lz4 + - none + type: string + compression_level: + nullable: true + type: number + config_yaml: + nullable: true + type: string + connection_type: + enum: + - plaintext + - encryption + type: string + hash: + additionalProperties: false + type: object + properties: + hash: type: string - products.base_price: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - params: - pattern: $0,0.00 - isMapped: true - name: products.base_price - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + random: + type: boolean + headers: + items: + additionalProperties: false + type: object + properties: + key: + type: string + value: + type: string + required: + - key + - value + maxItems: 100 + type: array + hosts: + items: + type: string + maxItems: 10 + minItems: 1 + type: array + id: + type: string + is_default: + default: false + type: boolean + is_default_monitoring: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + type: boolean + key: + type: string + name: + type: string + otel_disable_beatsauth: + nullable: true + type: boolean + otel_exporter_config_yaml: + nullable: true + type: string + partition: + enum: + - random + - round_robin + - hash + type: string + password: + nullable: true + type: string + proxy_id: + nullable: true + type: string + random: + additionalProperties: false + type: object + properties: + 
group_events: type: number - products.base_unit_price: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - params: - pattern: $0,0.00 - isMapped: true - name: products.base_unit_price - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + required_acks: + enum: + - 1 + - 0 + - -1 + type: integer + round_robin: + additionalProperties: false + type: object + properties: + group_events: + type: number + sasl: + additionalProperties: false + nullable: true + type: object + properties: + mechanism: + enum: + - PLAIN + - SCRAM-SHA-256 + - SCRAM-SHA-512 + type: string + secrets: + additionalProperties: false + type: object + properties: + password: + anyOf: + - additionalProperties: false + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + key: + anyOf: + - additionalProperties: false + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + required: + - key + shipper: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' + nullable: true + ssl: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + nullable: true + timeout: + type: number + topic: + type: string + type: + enum: + - kafka + type: string + username: + nullable: true + type: string + version: + type: string + required: + - name + - type + - hosts + - auth_type + title: new_output_kafka + type: object + Kibana_HTTP_APIs_new_output_logstash: + additionalProperties: false + properties: + allow_edit: + items: + type: string + maxItems: 1000 + type: array + ca_sha256: + nullable: true + type: string + ca_trusted_fingerprint: + nullable: true + type: string + config_yaml: + nullable: true + type: string + hosts: + items: + type: string + maxItems: 10 + minItems: 1 + type: array + id: + type: string + is_default: + default: false + type: 
boolean + is_default_monitoring: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + type: boolean + name: + type: string + otel_disable_beatsauth: + nullable: true + type: boolean + otel_exporter_config_yaml: + nullable: true + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + ssl: + additionalProperties: false + type: object + properties: + key: + anyOf: + - additionalProperties: false + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + shipper: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' + nullable: true + ssl: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + nullable: true + type: + enum: + - logstash + type: string + required: + - name + - type + - hosts + title: new_output_logstash + type: object + Kibana_HTTP_APIs_new_output_remote_elasticsearch: + additionalProperties: false + properties: + allow_edit: + items: + type: string + maxItems: 1000 + type: array + ca_sha256: + nullable: true + type: string + ca_trusted_fingerprint: + nullable: true + type: string + config_yaml: + nullable: true + type: string + hosts: + items: + format: uri + type: string + maxItems: 10 + minItems: 1 + type: array + id: + type: string + is_default: + default: false + type: boolean + is_default_monitoring: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + type: boolean + kibana_api_key: + nullable: true + type: string + kibana_url: + nullable: true + type: string + name: + type: string + otel_disable_beatsauth: + nullable: true + type: boolean + otel_exporter_config_yaml: + nullable: true + type: string + preset: + enum: + - balanced + - custom + - throughput + - scale + - latency + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + service_token: 
+ anyOf: + - additionalProperties: false + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + key: + anyOf: + - additionalProperties: false + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + service_token: + nullable: true + type: string + shipper: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' + nullable: true + ssl: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + nullable: true + sync_integrations: + type: boolean + sync_uninstalled_integrations: + type: boolean + type: + enum: + - remote_elasticsearch + type: string + write_to_logs_streams: + nullable: true + type: boolean + required: + - name + - type + - hosts + title: new_output_remote_elasticsearch + type: object + Kibana_HTTP_APIs_new_rule: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. 
type: number - products.category: - aggregatable: false - count: 0 - esTypes: - - text - format: - id: string - isMapped: true - name: products.category - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want the rule to run on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how frequently rule actions are triggered. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. 
If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the rule. + type: object + rule_type_id: + description: The rule type identifier. + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. type: string - products.category.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: products.category.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: products.category + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how frequently rule actions are triggered. You cannot specify the throttle interval at both the rule and action level. If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + title: new_rule + type: object + Kibana_HTTP_APIs_new_rule_action: + additionalProperties: false + description: An action that runs under defined conditions. 
+ properties: + alerts_filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action_alerts_filter' + frequency: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action_frequency' + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + title: new_rule_action + type: object + Kibana_HTTP_APIs_new_rule_action_alerts_filter: + additionalProperties: false + description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. + properties: + query: + $ref: '#/components/schemas/Kibana_HTTP_APIs_alerts_filter_query' + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. 
+ items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. + type: object + properties: + end: + description: The end of the time frame, in 24-hour notation (`hh:mm`). + type: string + start: + description: The start of the time frame, in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in support for daylight savings time and are not recommended. type: string - products.created_on: - aggregatable: true - count: 0 - esTypes: - - date - format: - id: date - isMapped: true - name: products.created_on - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: date - products.discount_amount: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - isMapped: true - name: products.discount_amount - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - products.discount_percentage: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - isMapped: true - name: products.discount_percentage - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + required: + - days + - hours + - timezone + title: new_rule_action_alerts_filter + type: object + Kibana_HTTP_APIs_new_rule_action_frequency: + additionalProperties: false + properties: + notify_when: + description: 'Indicates how frequently rule actions are triggered. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: The throttle interval defines how frequently rule actions are triggered. It is specified in seconds, minutes, hours, or days and only applies when `notify_when` is set to `onThrottleInterval`. You cannot set the throttle interval at both the rule and action level. The recommended approach is to set it for each action individually. If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. + nullable: true + type: string + required: + - summary + - notify_when + - throttle + title: new_rule_action_frequency + type: object + Kibana_HTTP_APIs_noColor: + additionalProperties: false + description: Explicitly disables coloring + properties: + type: + enum: + - none + type: string + required: + - type + title: No Color + type: object + Kibana_HTTP_APIs_numericFormat: + additionalProperties: false + description: Number or percentage format with optional decimal places, suffix, and compact notation. + properties: + compact: + default: false + description: When `true`, uses compact notation (for example, 1.2k instead of 1,200). Defaults to `false`. 
+ type: boolean + decimals: + default: 2 + description: Number of decimal places to display. + type: number + suffix: + description: Suffix appended to the formatted value. + type: string + type: + description: 'Value format type: `number` for plain numbers, `percent` for percentages.' + enum: + - number + - percent + type: string + required: + - type + title: Numeric Format + type: object + Kibana_HTTP_APIs_observability-rules-custom-threshold-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. type: number - products.manufacturer: - aggregatable: false - count: 1 - esTypes: - - text - format: - id: string - isMapped: true - name: products.manufacturer - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want the rule to run on an interval basis after it is created. 
+ type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how frequently rule actions are triggered. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the custom threshold rule. These parameters are appropriate when `rule_type_id` is `observability.rules.custom_threshold`. 
+ properties: + alertOnGroupDisappear: + type: boolean + alertOnNoData: + type: boolean + criteria: + items: + additionalProperties: false + type: object + properties: + aggType: + enum: + - custom + type: string + comparator: + type: string + equation: + type: string + label: + type: string + metrics: + items: + anyOf: + - additionalProperties: false + type: object + properties: + aggType: + type: string + field: + type: string + filter: + type: string + name: + type: string + required: + - name + - aggType + - field + - additionalProperties: false + type: object + properties: + aggType: + enum: + - count + type: string + filter: + type: string + name: + type: string + required: + - name + - aggType + type: array + threshold: + items: + type: number + type: array + timeSize: + type: number + timeUnit: + type: string + required: + - threshold + - comparator + - timeUnit + - timeSize + - metrics + type: array + groupBy: + anyOf: + - type: string + - items: + type: string + type: array + noDataBehavior: + enum: + - recover + - remainActive + - alertOnNoData type: string - products.manufacturer.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: products.manufacturer.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: products.manufacturer + searchConfiguration: + additionalProperties: false + type: object + properties: + filter: + items: + additionalProperties: false + type: object + properties: + meta: + additionalProperties: + nullable: true + type: object + query: + additionalProperties: + nullable: true + type: object + required: + - meta + type: array + index: + anyOf: + - type: string + - additionalProperties: false + type: object + properties: + allowHidden: + type: boolean + allowNoIndex: + type: boolean + fieldAttrs: + additionalProperties: + additionalProperties: false + type: object + properties: + count: + type: number + 
customDescription: + maxLength: 300 + type: string + customLabel: + type: string + type: object + fieldFormats: + additionalProperties: + additionalProperties: false + type: object + properties: + id: + type: string + params: + nullable: true + required: + - params + type: object + fields: + additionalProperties: + additionalProperties: false + type: object + properties: + aggregatable: + type: boolean + count: + minimum: 0 + type: number + customDescription: + maxLength: 300 + type: string + customLabel: + type: string + esTypes: + items: + type: string + type: array + format: + additionalProperties: false + type: object + properties: + id: + type: string + params: + nullable: true + required: + - params + name: + maxLength: 1000 + type: string + readFromDocValues: + type: boolean + runtimeField: + anyOf: + - additionalProperties: false + type: object + properties: + customDescription: + maxLength: 300 + type: string + customLabel: + type: string + format: + additionalProperties: false + type: object + properties: + id: + type: string + params: + nullable: true + required: + - params + popularity: + minimum: 0 + type: number + script: + additionalProperties: false + type: object + properties: + source: + type: string + required: + - source + type: + enum: + - keyword + - long + - double + - date + - ip + - boolean + - geo_point + type: string + required: + - type + - additionalProperties: false + type: object + properties: + fields: + additionalProperties: + additionalProperties: false + type: object + properties: + customDescription: + maxLength: 300 + type: string + customLabel: + type: string + format: + additionalProperties: false + type: object + properties: + id: + type: string + params: + nullable: true + required: + - params + popularity: + minimum: 0 + type: number + type: + enum: + - keyword + - long + - double + - date + - ip + - boolean + - geo_point + type: string + required: + - type + type: object + script: + additionalProperties: false + type: 
object + properties: + source: + type: string + required: + - source + type: + enum: + - composite + type: string + required: + - type + script: + maxLength: 1000000 + type: string + scripted: + type: boolean + searchable: + type: boolean + shortDotsEnable: + type: boolean + subType: + additionalProperties: false + type: object + properties: + multi: + additionalProperties: false + type: object + properties: + parent: + type: string + required: + - parent + nested: + additionalProperties: false + type: object + properties: + path: + type: string + required: + - path + type: + default: string + maxLength: 1000 + type: string + required: + - name + type: object + id: + type: string + managed: + type: boolean + name: + type: string + namespaces: + items: + type: string + type: array + runtimeFieldMap: + additionalProperties: + anyOf: + - additionalProperties: false + type: object + properties: + customDescription: + maxLength: 300 + type: string + customLabel: + type: string + format: + additionalProperties: false + type: object + properties: + id: + type: string + params: + nullable: true + required: + - params + popularity: + minimum: 0 + type: number + script: + additionalProperties: false + type: object + properties: + source: + type: string + required: + - source + type: + enum: + - keyword + - long + - double + - date + - ip + - boolean + - geo_point + type: string + required: + - type + - additionalProperties: false + type: object + properties: + fields: + additionalProperties: + additionalProperties: false + type: object + properties: + customDescription: + maxLength: 300 + type: string + customLabel: + type: string + format: + additionalProperties: false + type: object + properties: + id: + type: string + params: + nullable: true + required: + - params + popularity: + minimum: 0 + type: number + type: + enum: + - keyword + - long + - double + - date + - ip + - boolean + - geo_point + type: string + required: + - type + type: object + script: + 
additionalProperties: false + type: object + properties: + source: + type: string + required: + - source + type: + enum: + - composite + type: string + required: + - type + type: object + sourceFilters: + items: + additionalProperties: false + type: object + properties: + clientId: + anyOf: + - type: string + - type: number + value: + type: string + required: + - value + type: array + timeFieldName: + type: string + title: + type: string + type: + type: string + typeMeta: + additionalProperties: true + type: object + properties: {} + version: + type: string + required: + - title + query: + additionalProperties: false + type: object + properties: + language: + type: string + query: + type: string + required: + - language + - query + required: + - index + - query + required: + - criteria + - searchConfiguration + title: Custom Threshold Rule Params + type: object + rule_type_id: + enum: + - observability.rules.custom_threshold + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. type: string - products.min_price: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - params: - pattern: $0,0.00 - isMapped: true - name: products.min_price - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - products.price: - aggregatable: true - count: 1 - esTypes: - - half_float - format: - id: number - params: - pattern: $0,0.00 - isMapped: true - name: products.price - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: Use the `throttle` property in the action `frequency` object instead. 
The throttle interval, which defines how frequently rule actions are triggered. You cannot specify the throttle interval at both the rule and action level. If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Custom threshold + type: object + Kibana_HTTP_APIs_operationTimeScaleSetting: + description: Time scale + enum: + - s + - m + - h + - d + title: Operation Time Scale Setting + type: string + Kibana_HTTP_APIs_output_elasticsearch: + additionalProperties: true + properties: + allow_edit: + items: + type: string + maxItems: 1000 + type: array + ca_sha256: + nullable: true + type: string + ca_trusted_fingerprint: + nullable: true + type: string + config_yaml: + nullable: true + type: string + hosts: + items: + format: uri + type: string + maxItems: 10 + minItems: 1 + type: array + id: + type: string + is_default: + default: false + type: boolean + is_default_monitoring: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + type: boolean + name: + type: string + otel_disable_beatsauth: + nullable: true + type: boolean + otel_exporter_config_yaml: + nullable: true + type: string + preset: + enum: + - balanced + - custom + - throughput + - scale + - latency + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: true + type: object + properties: + ssl: + additionalProperties: true + type: object + properties: + key: + anyOf: + - additionalProperties: true + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + shipper: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' + nullable: true + ssl: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + nullable: true + type: + enum: + - elasticsearch + type: string 
+ write_to_logs_streams: + nullable: true + type: boolean + required: + - name + - type + - hosts + title: output_elasticsearch + type: object + Kibana_HTTP_APIs_output_kafka: + additionalProperties: true + properties: + allow_edit: + items: + type: string + maxItems: 1000 + type: array + auth_type: + enum: + - none + - user_pass + - ssl + - kerberos + type: string + broker_timeout: + type: number + ca_sha256: + nullable: true + type: string + ca_trusted_fingerprint: + nullable: true + type: string + client_id: + type: string + compression: + enum: + - gzip + - snappy + - lz4 + - none + type: string + compression_level: + nullable: true + type: number + config_yaml: + nullable: true + type: string + connection_type: + enum: + - plaintext + - encryption + type: string + hash: + additionalProperties: true + type: object + properties: + hash: + type: string + random: + type: boolean + headers: + items: + additionalProperties: true + type: object + properties: + key: + type: string + value: + type: string + required: + - key + - value + maxItems: 100 + type: array + hosts: + items: + type: string + maxItems: 10 + minItems: 1 + type: array + id: + type: string + is_default: + default: false + type: boolean + is_default_monitoring: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + type: boolean + key: + type: string + name: + type: string + otel_disable_beatsauth: + nullable: true + type: boolean + otel_exporter_config_yaml: + nullable: true + type: string + partition: + enum: + - random + - round_robin + - hash + type: string + password: + nullable: true + type: string + proxy_id: + nullable: true + type: string + random: + additionalProperties: true + type: object + properties: + group_events: type: number - products.product_id: - aggregatable: true - count: 0 - esTypes: - - long - format: - id: number - isMapped: true - name: products.product_id - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false 
+ required_acks: + enum: + - 1 + - 0 + - -1 + type: integer + round_robin: + additionalProperties: true + type: object + properties: + group_events: type: number - products.product_name: - aggregatable: false - count: 1 - esTypes: - - text - format: - id: string - isMapped: true - name: products.product_name - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false + sasl: + additionalProperties: true + nullable: true + type: object + properties: + mechanism: + enum: + - PLAIN + - SCRAM-SHA-256 + - SCRAM-SHA-512 type: string - products.product_name.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: products.product_name.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: products.product_name + secrets: + additionalProperties: true + type: object + properties: + password: + anyOf: + - additionalProperties: true + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: true + type: object + properties: + key: + anyOf: + - additionalProperties: true + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + required: + - key + shipper: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' + nullable: true + ssl: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + nullable: true + timeout: + type: number + topic: + type: string + type: + enum: + - kafka + type: string + username: + nullable: true + type: string + version: + type: string + required: + - name + - type + - hosts + - auth_type + title: output_kafka + type: object + Kibana_HTTP_APIs_output_logstash: + additionalProperties: true + properties: + allow_edit: + items: + type: string + maxItems: 1000 + type: array + ca_sha256: + nullable: true + type: string + 
ca_trusted_fingerprint: + nullable: true + type: string + config_yaml: + nullable: true + type: string + hosts: + items: + type: string + maxItems: 10 + minItems: 1 + type: array + id: + type: string + is_default: + default: false + type: boolean + is_default_monitoring: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + type: boolean + name: + type: string + otel_disable_beatsauth: + nullable: true + type: boolean + otel_exporter_config_yaml: + nullable: true + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: true + type: object + properties: + ssl: + additionalProperties: true + type: object + properties: + key: + anyOf: + - additionalProperties: true + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + shipper: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' + nullable: true + ssl: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + nullable: true + type: + enum: + - logstash + type: string + required: + - name + - type + - hosts + title: output_logstash + type: object + Kibana_HTTP_APIs_output_remote_elasticsearch: + additionalProperties: true + properties: + allow_edit: + items: + type: string + maxItems: 1000 + type: array + ca_sha256: + nullable: true + type: string + ca_trusted_fingerprint: + nullable: true + type: string + config_yaml: + nullable: true + type: string + hosts: + items: + format: uri + type: string + maxItems: 10 + minItems: 1 + type: array + id: + type: string + is_default: + default: false + type: boolean + is_default_monitoring: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + type: boolean + kibana_api_key: + nullable: true + type: string + kibana_url: + nullable: true + type: string + name: + type: string + otel_disable_beatsauth: + nullable: true + type: boolean + otel_exporter_config_yaml: + nullable: true + type: 
string + preset: + enum: + - balanced + - custom + - throughput + - scale + - latency + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: true + type: object + properties: + service_token: + anyOf: + - additionalProperties: true + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: true + type: object + properties: + key: + anyOf: + - additionalProperties: true + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + service_token: + nullable: true + type: string + shipper: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' + nullable: true + ssl: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + nullable: true + sync_integrations: + type: boolean + sync_uninstalled_integrations: + type: boolean + type: + enum: + - remote_elasticsearch + type: string + write_to_logs_streams: + nullable: true + type: boolean + required: + - name + - type + - hosts + title: output_remote_elasticsearch + type: object + Kibana_HTTP_APIs_output_shipper: + additionalProperties: true + properties: + compression_level: + nullable: true + type: number + disk_queue_compression_enabled: + nullable: true + type: boolean + disk_queue_enabled: + default: false + nullable: true + type: boolean + disk_queue_encryption_enabled: + nullable: true + type: boolean + disk_queue_max_size: + nullable: true + type: number + disk_queue_path: + nullable: true + type: string + loadbalance: + nullable: true + type: boolean + max_batch_bytes: + nullable: true + type: number + mem_queue_events: + nullable: true + type: number + queue_flush_timeout: + nullable: true + type: number + required: + - disk_queue_path + - disk_queue_max_size + - disk_queue_encryption_enabled + - disk_queue_compression_enabled + - compression_level + - loadbalance + - mem_queue_events + - queue_flush_timeout + - 
max_batch_bytes + title: output_shipper + type: object + Kibana_HTTP_APIs_output_ssl: + additionalProperties: true + properties: + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + key: + type: string + verification_mode: + enum: + - full + - none + - certificate + - strict + type: string + title: output_ssl + type: object + Kibana_HTTP_APIs_package_icon: + additionalProperties: false + properties: + dark_mode: + type: boolean + path: + type: string + size: + type: string + src: + type: string + title: + type: string + type: + type: string + required: + - src + title: package_icon + type: object + Kibana_HTTP_APIs_package_list_item: + additionalProperties: true + properties: + categories: + items: + type: string + maxItems: 100 + type: array + conditions: + additionalProperties: true + type: object + properties: + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + elastic: + additionalProperties: true + type: object + properties: + capabilities: + items: + type: string + maxItems: 10 + type: array + subscription: + type: string + kibana: + additionalProperties: true + type: object + properties: + version: + type: string + data_streams: + items: + additionalProperties: + nullable: true + type: object + maxItems: 1000 + type: array + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + description: + type: string + discovery: + additionalProperties: true + type: object + properties: + datasets: + items: + additionalProperties: true + type: object + properties: + name: + type: string + required: + - name + maxItems: 100 + type: array + fields: + items: + additionalProperties: true + type: object + properties: + name: + type: string + required: + - name + maxItems: 100 + type: array + download: + type: string + format_version: + type: string + icons: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_icon' + maxItems: 100 + type: array + id: + 
type: string + installationInfo: + $ref: '#/components/schemas/Kibana_HTTP_APIs_installation_info' + integration: + type: string + internal: + type: boolean + latestVersion: + type: string + name: + type: string + owner: + additionalProperties: true + type: object + properties: + github: type: string - products.quantity: - aggregatable: true - count: 0 - esTypes: - - integer - format: - id: number - isMapped: true - name: products.quantity - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - products.sku: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: products.sku - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + type: + enum: + - elastic + - partner + - community type: string - products.tax_amount: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - isMapped: true - name: products.tax_amount - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - products.taxful_price: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - params: - pattern: $0,0.00 - isMapped: true - name: products.taxful_price - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - products.taxless_price: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - params: - pattern: $0,0.00 - isMapped: true - name: products.taxless_price - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - products.unit_discount_amount: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - isMapped: true - name: products.unit_discount_amount - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - sku: - aggregatable: true - count: 0 - esTypes: - - keyword - 
format: - id: string - isMapped: true - name: sku - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + path: + type: string + policy_templates: + items: + additionalProperties: + nullable: true + type: object + maxItems: 1000 + type: array + readme: + type: string + release: + enum: + - ga + - beta + - experimental + type: string + signature_path: + type: string + source: + additionalProperties: true + type: object + properties: + license: type: string - taxful_total_price: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - params: - pattern: $0,0.[00] - isMapped: true - name: taxful_total_price - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - taxless_total_price: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - params: - pattern: $0,0.00 - isMapped: true - name: taxless_total_price - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - total_quantity: - aggregatable: true - count: 1 - esTypes: - - integer - format: - id: number - isMapped: true - name: total_quantity - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - total_unique_products: - aggregatable: true - count: 0 - esTypes: - - integer - format: - id: number - isMapped: true - name: total_unique_products - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - type: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: type - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + required: + - license + status: + type: string + title: + type: string + type: + anyOf: + - enum: + - integration type: string - user: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: user - 
readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + - enum: + - input type: string - id: ff959d40-b880-11e8-a6d9-e546fe2bba5f - name: Kibana Sample Data eCommerce - namespaces: - - default - runtimeFieldMap: {} - sourceFilters: [] - timeFieldName: order_date - title: kibana_sample_data_ecommerce - typeMeta: {} - version: WzUsMV0= - Data_views_get_data_views_response: - description: >- - A list of available data views including their identifiers, names, and - index patterns. - summary: The get all data views API returns a list of data views. - value: - data_view: - - id: ff959d40-b880-11e8-a6d9-e546fe2bba5f - name: Kibana Sample Data eCommerce - namespaces: - - default - title: kibana_sample_data_ecommerce - typeMeta: {} - - id: d3d7af60-4c81-11e8-b3d7-01146121b73d - name: Kibana Sample Data Flights - namespaces: - - default - title: kibana_sample_data_flights - - id: 90943e30-9a47-11e8-b64d-95841ca0b247 - name: Kibana Sample Data Logs - namespaces: - - default - title: kibana_sample_data_logs - Data_views_get_default_data_view_response: - description: The identifier of the default data view for the current Kibana space. - summary: The get default data view API returns the default data view identifier. - value: - data_view_id: ff959d40-b880-11e8-a6d9-e546fe2bba5f - Data_views_get_runtime_field_response: - description: The runtime field definition along with the parent data view. - summary: >- - The get runtime field API returns a JSON object that contains - information about the runtime field (`hour_of_day`) and the data view - (`d3d7af60-4c81-11e8-b3d7-01146121b73d`). 
- value: - data_view: - allowNoIndex: false - fieldAttrs: {} - fieldFormats: - AvgTicketPrice: - id: number - params: - pattern: $0,0.[00] - hour_of_day: - id: number - params: - pattern: '00' - fields: - _id: - aggregatable: false - count: 0 - esTypes: - - _id - format: - id: string - isMapped: true - name: _id - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false + - enum: + - content type: string - _index: - aggregatable: true - count: 0 - esTypes: - - _index - format: - id: string - isMapped: true - name: _index - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false + - type: string + var_groups: + items: + additionalProperties: true + type: object + properties: + description: + type: string + name: + type: string + options: + items: + additionalProperties: true + type: object + properties: + description: + type: string + hide_in_deployment_modes: + items: + enum: + - default + - agentless + type: string + maxItems: 2 + type: array + name: + type: string + title: + type: string + vars: + items: + type: string + maxItems: 100 + type: array + required: + - name + - title + - vars + maxItems: 100 + type: array + selector_title: + type: string + title: + type: string + required: + - name + - title + - selector_title + - options + maxItems: 100 + type: array + vars: + items: + additionalProperties: + nullable: true + type: object + maxItems: 1000 + type: array + version: + type: string + required: + - name + - version + - title + - id + title: package_list_item + type: object + Kibana_HTTP_APIs_package_metadata: + additionalProperties: false + properties: + has_policies: + type: boolean + required: + - has_policies + title: package_metadata + type: object + Kibana_HTTP_APIs_package_policy_package: + additionalProperties: false + properties: + experimental_data_stream_features: + items: + additionalProperties: false + type: object + properties: + data_stream: + type: string + features: + 
additionalProperties: false + type: object + properties: + doc_value_only_numeric: + type: boolean + doc_value_only_other: + type: boolean + synthetic_source: + type: boolean + tsdb: + type: boolean + required: + - data_stream + - features + maxItems: 100 + type: array + fips_compatible: + type: boolean + name: + description: Package name + type: string + requires_root: + type: boolean + title: + type: string + version: + description: Package version + type: string + required: + - name + - version + title: package_policy_package + type: object + Kibana_HTTP_APIs_package_policy_response: + additionalProperties: false + properties: + additional_datastreams_permissions: + description: Additional data stream permissions that will be added to the agent policy. + items: + type: string + maxItems: 1000 + nullable: true + type: array + agents: + type: number + cloud_connector_id: + description: ID of the cloud connector associated with this package policy. + nullable: true + type: string + cloud_connector_name: + description: Transient field for cloud connector name during creation. + maxLength: 255 + minLength: 1 + nullable: true + type: string + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this integration to its inputs.' + type: string + created_at: + type: string + created_by: + type: string + description: + description: Package policy description + type: string + elasticsearch: + additionalProperties: true + type: object + properties: + privileges: + additionalProperties: true + type: object + properties: + cluster: + items: + type: string + maxItems: 100 + type: array + enabled: + type: boolean + global_data_tags: + items: + additionalProperties: false + type: object + properties: + name: + description: The name of the custom field. Cannot contain spaces. + type: string + value: + anyOf: + - type: string + - type: number + description: The value of the custom field. 
+ required: + - name + - value + maxItems: 100 + nullable: true + type: array + id: + type: string + inputs: + anyOf: + - items: + additionalProperties: false + type: object + properties: + compiled_input: + nullable: true + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' + type: string + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + name: + type: string + policy_template: + type: string + streams: + items: + additionalProperties: false + type: object + properties: + compiled_stream: + nullable: true + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' 
+ type: string + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + data_stream: + additionalProperties: false + type: object + properties: + dataset: + type: string + elasticsearch: + additionalProperties: false + type: object + properties: + dynamic_dataset: + type: boolean + dynamic_namespace: + type: boolean + privileges: + additionalProperties: false + type: object + properties: + indices: + items: + type: string + maxItems: 100 + type: array + type: + type: string + required: + - dataset + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + release: + enum: + - ga + - beta + - experimental + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - enabled + - data_stream + - compiled_stream + maxItems: 1000 + type: array + type: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. 
+ type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - type + - enabled + - streams + - compiled_input + maxItems: 100 + type: array + - additionalProperties: + additionalProperties: false + type: object + properties: + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' + type: string + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + description: Enable or disable that input. Defaults to `true` (enabled). + type: boolean + streams: + additionalProperties: + additionalProperties: false + type: object + properties: + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' + type: string + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + description: Enable or disable that stream. Defaults to `true` (enabled). + type: boolean + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Input streams. Refer to the integration documentation to know which streams are available. 
+ type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Package policy inputs. Refer to the integration documentation to know which inputs are available. + type: object + description: Package policy inputs. + is_managed: + type: boolean + name: + description: Unique name for the package policy. + type: string + namespace: + description: The package policy namespace. Leave blank to inherit the agent policy's namespace. + type: string + output_id: + nullable: true + type: string + overrides: + additionalProperties: false + description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. + nullable: true + type: object + properties: + inputs: + additionalProperties: + nullable: true + type: object + package: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_package' + package_agent_version_condition: + type: string + policy_id: + deprecated: true + description: ID of the agent policy which the package policy will be added to. + nullable: true + type: string + policy_ids: + items: + description: IDs of the agent policies that the package policy will be added to. + type: string + maxItems: 1000 + type: array + revision: + description: Package policy revision. 
+ type: number + secret_references: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 1000 + type: array + spaceIds: + items: + type: string + maxItems: 100 + type: array + supports_agentless: + default: false + description: Indicates whether the package policy belongs to an agentless agent policy. + nullable: true + type: boolean + supports_cloud_connector: + default: false + description: Indicates whether the package policy supports cloud connectors. + nullable: true + type: boolean + updated_at: + type: string + updated_by: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + anyOf: + - additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + - additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Package level variable. + version: + description: Package policy ES version. 
+ type: string + required: + - name + - enabled + - inputs + - revision + - updated_at + - updated_by + - created_at + - created_by + title: package_policy_response + type: object + Kibana_HTTP_APIs_package_policy_status_response: + additionalProperties: false + properties: + body: + additionalProperties: false + type: object + properties: + message: type: string - _score: - aggregatable: false - count: 0 - format: - id: number - isMapped: true - name: _score - readFromDocValues: false - scripted: false - searchable: false - shortDotsEnable: false - type: number - _source: - aggregatable: false - count: 0 - esTypes: - - _source - format: - id: _source - isMapped: true - name: _source - readFromDocValues: false - scripted: false - searchable: false - shortDotsEnable: false - type: _source - AvgTicketPrice: - aggregatable: true - count: 0 - esTypes: - - float - format: - id: number - params: - pattern: $0,0.[00] - isMapped: true - name: AvgTicketPrice - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - Cancelled: - aggregatable: true - count: 0 - esTypes: - - boolean - format: - id: boolean - isMapped: true - name: Cancelled - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: boolean - Carrier: - aggregatable: true - count: 0 - esTypes: - - keyword + required: + - message + id: + type: string + name: + type: string + statusCode: + type: number + success: + type: boolean + required: + - id + - success + title: package_policy_status_response + type: object + Kibana_HTTP_APIs_percentileOperation: + additionalProperties: false + properties: + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - percentile + type: string + percentile: + 
default: 95 + description: Percentile + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Percentile Operation + type: object + Kibana_HTTP_APIs_percentileRanksOperation: + additionalProperties: false + properties: + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - percentile_rank + type: string + rank: + default: 0 + description: Percentile Rank + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Percentile Ranks Operation + type: object + Kibana_HTTP_APIs_pieESQL: + additionalProperties: false + description: Pie chart configuration for ES|QL queries + properties: + data_source: + $ref: '#/components/schemas/Kibana_HTTP_APIs_esqlDataSource' + description: + type: string + drilldowns: + items: + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. 
+ type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. + type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. 
Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + group_by: + description: Array of breakdown dimensions (minimum 1) + items: + additionalProperties: false + type: object + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + column: + description: Column to use + type: string format: - id: string - isMapped: true - name: Carrier - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - dayOfWeek: - aggregatable: true - count: 0 - esTypes: - - integer + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + required: + - column + maxItems: 100 + minItems: 1 + type: array + hide_border: + type: boolean + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. 
+ type: boolean + legend: + $ref: '#/components/schemas/Kibana_HTTP_APIs_pieLegend' + metrics: + description: Array of metric configurations (minimum 1) + items: + additionalProperties: false + description: ES|QL column reference for primary metric + type: object + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + column: + description: Column to use + type: string format: - id: number - isMapped: true - name: dayOfWeek - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + required: + - column + maxItems: 100 + minItems: 1 + type: array + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). + maximum: 1 + minimum: 0 + type: number + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_pieStyling' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + type: + enum: + - pie + type: string + required: + - type + - data_source + - metrics + title: Pie Chart (ES|QL) + type: object + Kibana_HTTP_APIs_pieGroupByDateHistogram: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + drop_partial_intervals: + description: When `true`, drops partial intervals from the results. + type: boolean + field: + description: Field to be used for the date histogram. + type: string + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. 
+ type: boolean + label: + description: Label for the operation + type: string + operation: + enum: + - date_histogram + type: string + suggested_interval: + default: auto + description: Suggested time interval. + type: string + use_original_time_range: + default: false + description: When `true`, uses the original time range instead of the current query time range. + type: boolean + required: + - operation + - field + title: Date Histogram Operation + type: object + Kibana_HTTP_APIs_pieGroupByFilters: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + filters: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterWithLabel' + maxItems: 100 + type: array + label: + description: Label for the operation + type: string + operation: + enum: + - filters + type: string + required: + - operation + - filters + title: Filters Operation + type: object + Kibana_HTTP_APIs_pieGroupByHistogram: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + field: + description: Field to be used for the histogram. + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + granularity: + anyOf: + - description: Granularity of the histogram. 
+ maximum: 7 + minimum: 1 type: number - Dest: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: Dest - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + - enum: + - auto type: string - DestAirportID: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: DestAirportID - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + default: auto + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. + type: boolean + label: + description: Label for the operation + type: string + operation: + enum: + - histogram + type: string + required: + - operation + - field + title: Histogram Operation + type: object + Kibana_HTTP_APIs_pieGroupByRanges: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + field: + description: Field to be used for the range. + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - range + type: string + ranges: + items: + additionalProperties: false + type: object + properties: + gt: + description: Greater than. + type: number + label: + description: Label. + type: string + lte: + description: Less than or equal to. 
+ type: number + maxItems: 100 + type: array + required: + - operation + - field + - ranges + title: Ranges Operation + type: object + Kibana_HTTP_APIs_pieGroupByTerms: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + excludes: + additionalProperties: false + type: object + properties: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to exclude. + type: string + maxItems: 100 + type: array + required: + - values + fields: + items: + description: Fields to be used for the terms. + type: string + maxItems: 4 + minItems: 1 + type: array + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + includes: + additionalProperties: false + type: object + properties: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to include. + type: string + maxItems: 100 + type: array + required: + - values + increase_accuracy: + description: When `true`, increases accuracy at the cost of performance. + type: boolean + label: + description: Label for the operation + type: string + limit: + default: 5 + description: Number of terms to return. + type: number + operation: + enum: + - terms + type: string + other_bucket: + additionalProperties: false + type: object + properties: + include_documents_without_field: + description: When `true`, includes documents that do not have the specified field. 
+ type: boolean + required: + - include_documents_without_field + rank_by: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByAlphabetical' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByRare' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankBySignificant' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomCountOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileRankOperation' + required: + - operation + - fields + title: Terms Operation + type: object + Kibana_HTTP_APIs_pieLegend: + additionalProperties: false + description: Legend configuration for pie chart + properties: + nested: + description: Show nested legend with hierarchical breakdown levels + type: boolean + size: + $ref: '#/components/schemas/Kibana_HTTP_APIs_legendSize' + truncate_after_lines: + description: Number of lines before legend items are truncated. + maximum: 10 + minimum: 1 + title: legendTruncateAfterLines + type: number + visibility: + description: Legend visibility. 
+ enum: + - auto + - visible + - hidden + type: string + title: Legend + type: object + Kibana_HTTP_APIs_pieMetricCounterRate: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - counter_rate + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Counter Rate Operation + type: object + Kibana_HTTP_APIs_pieMetricCountMetric: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - operation + title: Count Metric Operation + type: object + Kibana_HTTP_APIs_pieMetricCumulativeSum: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - cumulative_sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Cumulative Sum Operation + type: object + Kibana_HTTP_APIs_pieMetricDifferences: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: 
'#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - differences + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - operation + - of + title: Differences Operation + type: object + Kibana_HTTP_APIs_pieMetricFormula: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + formula: + description: Formula + type: string + label: + description: Label for the operation + type: string + operation: + enum: + - formula + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + description: Time scale + enum: + - s + - m + - h + - d + type: string + required: + - operation + - formula + title: Formula Operation + type: object + Kibana_HTTP_APIs_pieMetricLastValue: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + multi_value: + default: false + description: Whether to return all values 
for multi-value fields. Only affects data table and metric charts; other charts use the last value from the array. + type: boolean + operation: + enum: + - last_value + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_field: + description: Time field used to determine document recency + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + - time_field + title: Last Value Operation + type: object + Kibana_HTTP_APIs_pieMetricMovingAverage: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - moving_average + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + window: + default: 5 + description: Window + type: number + required: + - operation + - of + title: Moving Average Operation + type: object + Kibana_HTTP_APIs_pieMetricPercentile: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + filter: + $ref: 
'#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - percentile + type: string + percentile: + default: 95 + description: Percentile + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Percentile Operation + type: object + Kibana_HTTP_APIs_pieMetricPercentileRanks: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - percentile_rank + type: string + rank: + default: 0 + description: Percentile Rank + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Percentile Ranks Operation + type: object + Kibana_HTTP_APIs_pieMetricStatsMetric: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + 
filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - min + - max + - average + - median + - standard_deviation + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Stats Metric Operation + type: object + Kibana_HTTP_APIs_pieMetricSumMetric: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Sum Metric Operation + type: object + Kibana_HTTP_APIs_pieMetricUniqueCountMetric: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - unique_count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Unique Count Metric Operation + type: object + Kibana_HTTP_APIs_pieNoESQL: + additionalProperties: false + description: Pie chart configuration for standard queries + properties: + data_source: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' + description: + type: string + drilldowns: + items: + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. 
+ type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + group_by: + description: Array of breakdown dimensions (minimum 1) + items: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieGroupByDateHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieGroupByTerms' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieGroupByHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieGroupByRanges' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieGroupByFilters' + maxItems: 100 + minItems: 1 + type: array + hide_border: + type: boolean + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. 
+ type: boolean + legend: + $ref: '#/components/schemas/Kibana_HTTP_APIs_pieLegend' + metrics: + description: Array of metric configurations (minimum 1) + items: + anyOf: + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieMetricCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieMetricUniqueCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieMetricStatsMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieMetricSumMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieMetricLastValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieMetricPercentile' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieMetricPercentileRanks' + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieMetricDifferences' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieMetricMovingAverage' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieMetricCumulativeSum' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieMetricCounterRate' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieMetricFormula' + maxItems: 100 + minItems: 1 + type: array + query: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). + maximum: 1 + minimum: 0 + type: number + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_pieStyling' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + type: + enum: + - pie + type: string + required: + - type + - data_source + - metrics + title: Pie Chart (DSL) + type: object + Kibana_HTTP_APIs_pieStyling: + additionalProperties: false + description: Visual chart styling options + properties: + donut_hole: + description: 'Donut hole size. Accepted values: `none` (full pie), `s`, `m`, `l`.' 
+ enum: + - none + - s + - m + - l + type: string + labels: + additionalProperties: false + description: Label configuration for pie chart slice labels inside or outside the pie + type: object + properties: + position: + description: 'Slice label position: `inside` or `outside`.' + enum: + - inside + - outside + type: string + visible: + description: When `true`, displays slice labels. + type: boolean + values: + $ref: '#/components/schemas/Kibana_HTTP_APIs_valueDisplay' + title: Pie chart styling + type: object + Kibana_HTTP_APIs_QueryStreamUpsertRequest: + additionalProperties: false + type: object + properties: + dashboards: + items: + type: string + type: array + queries: + items: + type: object + properties: + description: + type: string + esql: + type: object + properties: + query: + type: string + required: + - query + evidence: + items: + type: string + type: array + features: + items: + type: object + properties: + id: + type: string + run_id: + type: string + required: + - id + type: array + id: + description: A non-empty string. + minLength: 1 + type: string + severity_score: + type: number + title: + description: A non-empty string. 
+ minLength: 1 + type: string + type: + default: match + enum: + - match + - stats + type: string + required: + - id + - title + - description + - esql + type: array + rules: + items: + type: string + type: array + stream: + additionalProperties: false + type: object + properties: + description: type: string - DestCityName: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: DestCityName - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + field_descriptions: + additionalProperties: + type: string + type: object + query: + additionalProperties: false + type: object + properties: + esql: + type: string + view: + type: string + required: + - view + - esql + query_streams: + items: + type: object + properties: + name: + type: string + required: + - name + type: array + type: + enum: + - query type: string - DestCountry: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: DestCountry - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + required: + - description + - type + - query + required: + - dashboards + - rules + - queries + - stream + Kibana_HTTP_APIs_range_key: + additionalProperties: false + properties: + from: + anyOf: + - type: string + - type: number + ranges: + items: + additionalProperties: false + type: object + properties: + from: + anyOf: + - type: string + - type: number + label: + type: string + to: + anyOf: + - type: string + - type: number + required: + - from + - to + - label + maxItems: 100 + type: array + to: + anyOf: + - type: string + - type: number + type: + enum: + - range_key + type: string + required: + - type + - from + - to + - ranges + title: Range Key + type: object + Kibana_HTTP_APIs_rangesOperation: + additionalProperties: false + properties: + field: + description: Field to be used for the range. 
+ type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - range + type: string + ranges: + items: + additionalProperties: false + type: object + properties: + gt: + description: Greater than. + type: number + label: + description: Label. + type: string + lte: + description: Less than or equal to. + type: number + maxItems: 100 + type: array + required: + - operation + - field + - ranges + title: Ranges Operation + type: object + Kibana_HTTP_APIs_reauthorize_transform_request: + additionalProperties: false + properties: + transforms: + items: + additionalProperties: false + type: object + properties: + transformId: + type: string + required: + - transformId + maxItems: 1000 + type: array + required: + - transforms + title: reauthorize_transform_request + type: object + Kibana_HTTP_APIs_RecursiveRecord: + additionalProperties: + anyOf: + - anyOf: + - type: string + - type: number + - type: boolean + - nullable: true + - {} + - items: + anyOf: + - type: string + - type: number + - type: boolean + - nullable: true + - {} + type: array + - items: {} + type: array + - $ref: '#/components/schemas/Kibana_HTTP_APIs_RecursiveRecord' + type: object + Kibana_HTTP_APIs_regionMapESQL: + additionalProperties: false + description: Region Map configuration using an ES|QL query, mapping metric values to geographic regions by color. + properties: + data_source: + $ref: '#/components/schemas/Kibana_HTTP_APIs_esqlDataSource' + description: + type: string + drilldowns: + items: + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. 
+ type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. + type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + hide_border: + type: boolean + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. 
+ type: boolean + metric: + additionalProperties: false + type: object + properties: + column: + description: Column to use type: string - DestLocation: - aggregatable: true - count: 0 - esTypes: - - geo_point - format: - id: geo_point - params: - transform: wkt - isMapped: true - name: DestLocation - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: geo_point - DestRegion: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: DestRegion - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string - DestWeather: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: DestWeather - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + required: + - column + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + region: + additionalProperties: false + type: object + properties: + column: + description: Column to use type: string - DistanceKilometers: - aggregatable: true - count: 0 - esTypes: - - float - format: - id: number - isMapped: true - name: DistanceKilometers - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - DistanceMiles: - aggregatable: true - count: 0 - esTypes: - - float - format: - id: number - isMapped: true - name: DistanceMiles - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - FlightDelay: - aggregatable: true - count: 0 - esTypes: - - boolean - format: - id: boolean - isMapped: true - name: FlightDelay - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: boolean - FlightDelayMin: - aggregatable: true 
- count: 0 - esTypes: - - integer - format: - id: number - isMapped: true - name: FlightDelayMin - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - FlightDelayType: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: FlightDelayType - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + ems: + additionalProperties: false + type: object + properties: + boundaries: + description: EMS boundaries + type: string + join: + description: EMS join field + type: string + required: + - boundaries + - join + label: + description: Label for the operation type: string - FlightNum: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: FlightNum - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + required: + - column + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). + maximum: 1 + minimum: 0 + type: number + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + type: + enum: + - region_map + type: string + required: + - type + - data_source + - metric + - region + title: Region Map (ES|QL) + type: object + Kibana_HTTP_APIs_regionMapNoESQL: + additionalProperties: false + description: Region Map configuration using a data view, mapping metric values to geographic regions by color. 
+ properties: + data_source: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' + description: + type: string + drilldowns: + items: + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. + type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. 
Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + hide_border: + type: boolean + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. + type: boolean + metric: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation or a mathematical formula. + title: Field Metric or Formula Operation + query: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + region: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_regionMapRegionDateHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_regionMapRegionTerms' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_regionMapRegionHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_regionMapRegionRanges' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_regionMapRegionFilters' + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). 
+ maximum: 1 + minimum: 0 + type: number + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + type: + enum: + - region_map + type: string + required: + - type + - data_source + - metric + - region + title: Region Map (DSL) + type: object + Kibana_HTTP_APIs_regionMapRegionDateHistogram: + additionalProperties: false + properties: + drop_partial_intervals: + description: When `true`, drops partial intervals from the results. + type: boolean + ems: + additionalProperties: false + type: object + properties: + boundaries: + description: EMS boundaries type: string - FlightTimeHour: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: FlightTimeHour - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + join: + description: EMS join field type: string - FlightTimeMin: - aggregatable: true - count: 0 - esTypes: - - float - format: - id: number - isMapped: true - name: FlightTimeMin - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - hour_of_day: - aggregatable: true - count: 0 - esTypes: - - long - format: - id: number - params: - pattern: '00' - name: hour_of_day - readFromDocValues: false - runtimeField: - script: - source: emit(doc['timestamp'].value.getHour()); - type: long - scripted: false - searchable: true - shortDotsEnable: false - type: number - Origin: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: Origin - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + required: + - boundaries + - join + field: + description: Field to be used for the date histogram. + type: string + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. 
+ type: boolean + label: + description: Label for the operation + type: string + operation: + enum: + - date_histogram + type: string + suggested_interval: + default: auto + description: Suggested time interval. + type: string + use_original_time_range: + default: false + description: When `true`, uses the original time range instead of the current query time range. + type: boolean + required: + - operation + - field + title: Date Histogram Operation + type: object + Kibana_HTTP_APIs_regionMapRegionFilters: + additionalProperties: false + properties: + ems: + additionalProperties: false + type: object + properties: + boundaries: + description: EMS boundaries type: string - OriginAirportID: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: OriginAirportID - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + join: + description: EMS join field type: string - OriginCityName: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: OriginCityName - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + required: + - boundaries + - join + filters: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterWithLabel' + maxItems: 100 + type: array + label: + description: Label for the operation + type: string + operation: + enum: + - filters + type: string + required: + - operation + - filters + title: Filters Operation + type: object + Kibana_HTTP_APIs_regionMapRegionHistogram: + additionalProperties: false + properties: + ems: + additionalProperties: false + type: object + properties: + boundaries: + description: EMS boundaries type: string - OriginCountry: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: OriginCountry - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + join: + description: EMS join field type: 
string - OriginLocation: - aggregatable: true - count: 0 - esTypes: - - geo_point - format: - id: geo_point - params: - transform: wkt - isMapped: true - name: OriginLocation - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: geo_point - OriginRegion: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: OriginRegion - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + required: + - boundaries + - join + field: + description: Field to be used for the histogram. + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + granularity: + anyOf: + - description: Granularity of the histogram. + maximum: 7 + minimum: 1 + type: number + - enum: + - auto type: string - OriginWeather: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: OriginWeather - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + default: auto + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. 
+ type: boolean + label: + description: Label for the operation + type: string + operation: + enum: + - histogram + type: string + required: + - operation + - field + title: Histogram Operation + type: object + Kibana_HTTP_APIs_regionMapRegionRanges: + additionalProperties: false + properties: + ems: + additionalProperties: false + type: object + properties: + boundaries: + description: EMS boundaries type: string - timestamp: - aggregatable: true - count: 0 - esTypes: - - date - format: - id: date - isMapped: true - name: timestamp - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: date - id: d3d7af60-4c81-11e8-b3d7-01146121b73d - name: Kibana Sample Data Flights - runtimeFieldMap: - hour_of_day: - script: - source: emit(doc['timestamp'].value.getHour()); - type: long - sourceFilters: [] - timeFieldName: timestamp - title: kibana_sample_data_flights - version: WzM2LDJd - fields: - - aggregatable: true - count: 0 - esTypes: - - long - name: hour_of_day - readFromDocValues: false - runtimeField: - script: - source: emit(doc['timestamp'].value.getHour()); - type: long - scripted: false - searchable: true - shortDotsEnable: false - type: number - Data_views_preview_swap_data_view_request: - description: >- - Preview the saved objects that would be affected by swapping references - from one data view to another. - summary: Preview swapping references from data view ID "abcd-efg" to "xyz-123". - value: - fromId: abcd-efg - toId: xyz-123 - Data_views_preview_swap_data_view_response: - description: >- - The result array lists every saved object that references the source - data view. No saved objects are modified by the preview endpoint. - summary: A preview of saved objects that would be affected by a data view swap. 
- value: - result: - - id: 8963ca30-bca7-11e8-aa00-0123456789ab - type: visualization - - id: edf84fe0-e1a0-11e7-b6d5-4dc382ef7f5b - type: dashboard - Data_views_set_default_data_view_request: - description: >- - Set the default data view, using the force flag to overwrite an existing - default. - summary: Set the default data view identifier. - value: - data_view_id: ff959d40-b880-11e8-a6d9-e546fe2bba5f - force: true - Data_views_set_default_data_view_response: - description: >- - The acknowledged flag confirms that the default data view for the - current Kibana space was updated. - summary: The default data view was set successfully. - value: - acknowledged: true - Data_views_swap_data_view_request: - description: >- - Swap all saved object references from one data view to another and - delete the source data view afterward. - summary: >- - Swap references from data view ID "abcd-efg" to "xyz-123" and remove the - data view that is no longer referenced. - value: - delete: true - fromId: abcd-efg - toId: xyz-123 - Data_views_swap_data_view_response: - description: >- - The list of saved objects whose references were updated, along with the - delete status of the source. - summary: The swap references API returns a list of the affected saved objects. - value: - deleteStatus: - deletePerformed: true - remainingRefs: 0 - result: - - id: '123' - type: visualization - Data_views_update_data_view_request: - description: >- - Update the title, time field, and other properties of an existing data - view. - summary: Update some properties for a data view. - value: - data_view: - allowNoIndex: false - name: Kibana Sample Data eCommerce - timeFieldName: order_date - title: kibana_sample_data_ecommerce - refresh_fields: true - Data_views_update_field_metadata_request: - description: >- - Update the popularity count, custom label, and custom description for - specific fields in a data view. - summary: Update metadata for multiple fields. 
- value: + join: + description: EMS join field + type: string + required: + - boundaries + - join + field: + description: Field to be used for the range. + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - range + type: string + ranges: + items: + additionalProperties: false + type: object + properties: + gt: + description: Greater than. + type: number + label: + description: Label. + type: string + lte: + description: Less than or equal to. + type: number + maxItems: 100 + type: array + required: + - operation + - field + - ranges + title: Ranges Operation + type: object + Kibana_HTTP_APIs_regionMapRegionTerms: + additionalProperties: false + properties: + ems: + additionalProperties: false + type: object + properties: + boundaries: + description: EMS boundaries + type: string + join: + description: EMS join field + type: string + required: + - boundaries + - join + excludes: + additionalProperties: false + type: object + properties: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to exclude. + type: string + maxItems: 100 + type: array + required: + - values fields: - field1: - count: 123 - customLabel: Field 1 label - field2: - customDescription: Field 2 description - customLabel: Field 2 label - Data_views_update_field_metadata_response: - description: >- - The acknowledged flag confirms that the field metadata changes were - applied to the data view. - summary: Field metadata was updated successfully. - value: - acknowledged: true - Data_views_update_runtime_field_request: - description: Update the script of an existing runtime field. - summary: Update an existing runtime field on a data view. 
- value: - runtimeField: - script: - source: emit(doc["bar"].value) - Machine_learning_APIs_mlSync401Example: - summary: Two anomaly detection jobs required synchronization in this example. - value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [ml_viewer] for REST request [/_security/_authenticate]]: unable to authenticate user [ml_viewer] for REST request [/_security/_authenticate]" - statusCode: 401 - Machine_learning_APIs_mlSyncExample: - summary: Two anomaly detection jobs required synchronization in this example. - value: - datafeedsAdded: {} - datafeedsRemoved: {} - savedObjectsCreated: - anomaly-detector: - myjob1: - success: true - myjob2: - success: true - savedObjectsDeleted: {} - Observability_AI_Assistant_API_ChatCompleteRequestExample: - summary: Example of completing a chat interaction - value: | - { - "connectorId": "", - "disableFunctions": false, - "messages": [ - { - "@timestamp": "2025-06-25T23:45:00.000Z", - "message": { - "role": "user", - "content": "Is my Elasticsearch cluster healthy right now?" 
- } - } - ], - "persist": false, - "actions": [ - { - "name": "get_cluster_health", - "description": "Fetch the current Elasticsearch cluster-health status and key metrics.", - "parameters": { - "type": "object", - "properties": { - "includeShardStats": { - "type": "boolean", - "default": false - } - } - } - } - ], - "instructions": ["When the user asks about Elasticsearch cluster health, use the get_cluster_health tool to retrieve cluster health, then summarize the response in plain English."] - } - Observability_AI_Assistant_API_ChatCompleteResponseExample: - summary: Get a chat completion from the Observability AI Assistant - value: > - data: - {"model":"unknown","choices":[{"delta":{"content":"","function_call":{"name":"get_cluster_health","arguments":"{\"includeShardStats\":true}"}},"finish_reason":null,"index":0}],"created":1750936626911,"id":"9c8eff9b-4fd4-4203-a4ab-2e364688deff","object":"chat.completion.chunk"} - - - data: [DONE] - Security_Detections_API_SetAlertAssigneesBodyAdd: - value: - assignees: - add: - - u_MxY0jbrft7EcfC6iNZSUGeI_n6iYrSwZj5mWF5EqmSU_0 - remove: [] - ids: - - 681c2a707335aa7df5f349b70013d87254746191712ecf0ced9b3e2d538503a6 - Security_Detections_API_SetAlertAssigneesBodyRemove: - value: - assignees: - add: [] - remove: - - u_MxY0jbrft7EcfC6iNZSUGeI_n6iYrSwZj5mWF5EqmSU_0 - ids: - - 681c2a707335aa7df5f349b70013d87254746191712ecf0ced9b3e2d538503a6 - Security_Detections_API_SetAlertTagsBodyAdd: - value: - ids: - - 549c7129c76cbd554aba1bd638f8a49dde95088f5832e50218358e7eca1cf16e - tags: - tags_to_add: - - Duplicate - tags_to_remove: [] - Security_Detections_API_SetAlertTagsBodyRemove: - value: - ids: - - 549c7129c76cbd554aba1bd638f8a49dde95088f5832e50218358e7eca1cf16e + items: + description: Fields to be used for the terms. 
+ type: string + maxItems: 4 + minItems: 1 + type: array + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + includes: + additionalProperties: false + type: object + properties: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to include. + type: string + maxItems: 100 + type: array + required: + - values + increase_accuracy: + description: When `true`, increases accuracy at the cost of performance. + type: boolean + label: + description: Label for the operation + type: string + limit: + default: 5 + description: Number of terms to return. + type: number + operation: + enum: + - terms + type: string + other_bucket: + additionalProperties: false + type: object + properties: + include_documents_without_field: + description: When `true`, includes documents that do not have the specified field. + type: boolean + required: + - include_documents_without_field + rank_by: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByAlphabetical' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByRare' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankBySignificant' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomCountOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileRankOperation' + required: + - operation + - fields + title: Terms Operation + type: object + Kibana_HTTP_APIs_review_upgrade_request: + additionalProperties: false + properties: + action: + enum: + - accept + - decline + - pending + type: string + target_version: + type: string + required: + - action + - target_version + title: review_upgrade_request + type: object + Kibana_HTTP_APIs_review_upgrade_response: 
+ additionalProperties: false + properties: + success: + type: boolean + required: + - success + title: review_upgrade_response + type: object + Kibana_HTTP_APIs_rollback_package_response: + additionalProperties: false + properties: + success: + type: boolean + version: + type: string + required: + - version + - success + title: rollback_package_response + type: object + Kibana_HTTP_APIs_rule_flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states within the defined look back window time. + maximum: 20 + minimum: 2 + type: number + required: + - look_back_window + - status_change_threshold + title: rule_flapping + type: object + Kibana_HTTP_APIs_rule_response: + additionalProperties: false + properties: + actions: + items: + additionalProperties: false + type: object + properties: + alerts_filter: + additionalProperties: false + description: Defines a period that limits whether the action runs. + type: object + properties: + query: + $ref: '#/components/schemas/Kibana_HTTP_APIs_alerts_filter_query' + timeframe: + additionalProperties: false + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. 
+ items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + type: object + properties: + end: + description: The end of the time frame, in 24-hour notation (`hh:mm`). + type: string + start: + description: The start of the time frame, in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in support for daylight savings time and are not recommended. + type: string + required: + - days + - hours + - timezone + connector_type_id: + description: The type of connector. This property appears in responses but cannot be set in requests. + type: string + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how frequently rule actions are triggered. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: The throttle interval defines how frequently rule actions are triggered. It is specified in seconds, minutes, hours, or days and only applies when 'notify_when' is set to 'onThrottleInterval'. 
You cannot set the throttle interval at both the rule and action level. The recommended approach is to set it for each action individually. If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. + nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: + nullable: true + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + - connector_type_id + - params + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + api_key_created_by_user: + description: Indicates whether the API key that is associated with the rule was created by the user. + nullable: true + type: boolean + api_key_owner: + description: The owner of the API key that is associated with the rule and used to run background tasks. 
+ nullable: true + type: string + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + description: User-created content that describes alert causes and remediation. + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + created_at: + description: The date and time that the rule was created. + type: string + created_by: + description: The identifier for the user that created the rule. + nullable: true + type: string + enabled: + description: Indicates whether you want the rule to run on an interval basis after it is created. + type: boolean + execution_status: + additionalProperties: false + type: object + properties: + error: + additionalProperties: false + type: object + properties: + message: + description: Error message. + type: string + reason: + description: Reason for error. + enum: + - read + - decrypt + - execute + - unknown + - license + - timeout + - disabled + - validate + type: string + required: + - reason + - message + last_duration: + description: Duration of last rule execution. + type: number + last_execution_date: + description: The date and time of the last rule execution. + type: string + status: + description: Status of rule execution. + enum: + - ok + - active + - error + - warning + - pending + - unknown + type: string + warning: + additionalProperties: false + type: object + properties: + message: + description: Warning message. + type: string + reason: + description: Reason for warning. 
+ enum: + - maxExecutableActions + - maxAlerts + - maxQueuedActions + - ruleExecution + type: string + required: + - reason + - message + required: + - status + - last_execution_date + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + id: + description: The identifier for the rule. + type: string + last_run: + additionalProperties: false + nullable: true + type: object + properties: + alerts_count: + additionalProperties: false + type: object + properties: + active: + description: Number of active alerts during last run. + nullable: true + type: number + ignored: + description: Number of ignored alerts during last run. + nullable: true + type: number + new: + description: Number of new alerts during last run. + nullable: true + type: number + recovered: + description: Number of recovered alerts during last run. + nullable: true + type: number + outcome: + description: Outcome of the last rule run. Value can be succeeded, warning, or failed. + enum: + - succeeded + - warning + - failed + type: string + outcome_msg: + items: + description: Outcome message generated during last rule run. + type: string + nullable: true + type: array + outcome_order: + description: Order of the outcome. + type: number + warning: + description: Warning of last rule execution. + enum: + - read + - decrypt + - execute + - unknown + - license + - timeout + - disabled + - validate + - maxExecutableActions + - maxAlerts + - maxQueuedActions + - ruleExecution + nullable: true + type: string + required: + - outcome + - alerts_count + mapped_params: + additionalProperties: + nullable: true + type: object + mute_all: + description: Indicates whether all alerts are muted. + type: boolean + muted_alert_ids: + items: + description: 'List of identifiers of muted alerts. ' + type: string + type: array + name: + description: ' The name of the rule.' + type: string + next_run: + description: Date and time of the next rule run. 
+ nullable: true + type: string + notify_when: + description: 'Indicates how frequently rule actions are triggered. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: + nullable: true + description: The parameters for the rule. + type: object + revision: + description: The rule revision number. + type: number + rule_type_id: + description: The rule type identifier. + type: string + running: + description: Indicates whether the rule is running. + nullable: true + type: boolean + schedule: + additionalProperties: false + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + scheduled_task_id: + description: Identifier of the scheduled task. + type: string tags: - tags_to_add: [] - tags_to_remove: - - Duplicate - Task_manager_health_Serverless_APIs_health_200response_serverless: - description: A successful response from `GET api/task_manager/_health`. 
- value: |- - { - "id": "b44483e1-3ba2-4f28-93d0-1d96c69c32c1", - "timestamp": "2025-03-21T21:49:50.409Z", - "status": "OK", - "last_update": "2025-03-21T21:48:53.996Z", - "stats": { - "configuration": { - "timestamp": "2025-03-21T21:47:51.663Z", - "value": { - "request_capacity": 1000, - "monitored_aggregated_stats_refresh_rate": 60000, - "monitored_stats_running_average_window": 50, - "monitored_task_execution_thresholds": { - "custom": {}, - "default": { - "error_threshold": 90, - "warn_threshold": 80 - } - }, - "claim_strategy": "mget", - "poll_interval": 500, - "capacity": { - "config": 10, - "as_workers": 10, - "as_cost": 20 - } - }, - "status": "OK" - }, - "workload": { - "timestamp": "2025-03-21T21:48:53.996Z", - "value": { - "count": 21, - "cost": 42, - "task_types": { - "Fleet-Metrics-Task": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } - }, - "Fleet-Usage-Logger": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } - }, - "Fleet-Usage-Sender": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } - }, - "ML:saved-objects-sync": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } - }, - "actions:connector_usage_reporting": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } - }, - "actions_telemetry": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } - }, - "alerting_health_check": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } - }, - "alerting_telemetry": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } - }, - "alerts_invalidate_api_keys": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } - }, - "cases-telemetry-task": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } - }, - "dashboard_telemetry": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } - }, - "fleet:automatic-agent-upgrade-task": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } - }, - "fleet:check-deleted-files-task": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } - }, - 
"fleet:delete-unenrolled-agents-task": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } - }, - "fleet:sync-integrations-task": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } - }, - "fleet:unenroll-inactive-agents-task": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } - }, - "fleet:upgrade-agentless-deployments-task": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } - }, - "session_cleanup": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } - }, - "task_manager:delete_inactive_background_task_nodes": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } - }, - "task_manager:mark_removed_tasks_as_unrecognized": { - "count": 1, - "cost": 2, - "status": { - "idle": 1 - } - } - }, - "non_recurring": 1, - "non_recurring_cost": 2, - "schedule": [ - [ - "1m", - 2 - ], - [ - "5m", - 2 - ], - [ - "10m", - 1 - ], - [ - "15m", - 1 - ], - [ - "30m", - 1 - ], - [ - "1h", - 5 - ], - [ - "3600s", - 1 - ], - [ - "60m", - 1 - ], - [ - "720m", - 1 - ], - [ - "1d", - 4 - ], - [ - "1440m", - 1 - ] - ], - "overdue": 0, - "overdue_cost": 0, - "overdue_non_recurring": 0, - "estimated_schedule_density": [ - 0, - 0, - 1, - 0, - 0, - 0, - 0, - 1, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0 - ], - "capacity_requirements": { - "per_minute": 2, - "per_hour": 43, - "per_day": 7 - } - }, - "status": "OK" - } - } - } - parameters: - APM_UI_elastic_api_version: - description: The version of the API to use - in: header - name: elastic-api-version - required: true - schema: - default: '2023-10-31' - enum: - - '2023-10-31' - type: string - APM_UI_kbn_xsrf: - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - Data_views_field_name: - description: The name of the runtime field. 
- in: path - name: fieldName - required: true - schema: - example: hour_of_day - type: string - Data_views_kbn_xsrf: - description: Cross-site request forgery protection - in: header - name: kbn-xsrf - required: true - schema: - type: string - Data_views_view_id: - description: An identifier for the data view. - in: path - name: viewId - required: true - schema: - example: ff959d40-b880-11e8-a6d9-e546fe2bba5f - type: string - Machine_learning_APIs_simulateParam: - description: >- - When true, simulates the synchronization by returning only the list of - actions that would be performed. - example: 'true' - in: query - name: simulate - required: false - schema: - type: boolean - SLOs_kbn_xsrf: - description: Cross-site request forgery protection - in: header - name: kbn-xsrf - required: true - schema: - type: string - SLOs_slo_id: - description: An identifier for the slo. - in: path - name: sloId - required: true - schema: - example: 9c235211-6834-11ea-a78c-6feb38a34414 - type: string - SLOs_space_id: - description: >- - An identifier for the space. If `/s/` and the identifier are omitted - from the path, the default space is used. - in: path - name: spaceId - required: true - schema: - example: default - type: string - schemas: - APM_UI_400_response: + items: + description: The tags for the rule. + type: string + type: array + throttle: + deprecated: true + description: Deprecated in 8.13.0. Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how frequently rule actions are triggered. You cannot specify the throttle interval at both the rule and action level. If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. + nullable: true + type: string + updated_at: + description: The date and time of the latest updates to the rule. + type: string + updated_by: + description: The identifier for the user who was the last to update the rule. 
+ nullable: true + type: string + required: + - id + - enabled + - name + - tags + - rule_type_id + - consumer + - schedule + - actions + - params + - created_by + - updated_by + - created_at + - updated_at + - api_key_owner + - mute_all + - muted_alert_ids + - execution_status + - revision + title: rule_response + type: object + Kibana_HTTP_APIs_schedule_request: + additionalProperties: false + properties: + duration: + description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' + type: string + recurring: + additionalProperties: false + type: object + properties: + end: + description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' + type: string + every: + description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' + type: string + occurrences: + description: The total number of recurrences of the schedule. + minimum: 1 + type: number + onMonth: + description: The specific months for a recurring schedule. Valid values are 1-12. + items: + maximum: 12 + minimum: 1 + type: number + minItems: 1 + type: array + onMonthDay: + description: The specific days of the month for a recurring schedule. Valid values are 1-31. + items: + maximum: 31 + minimum: 1 + type: number + minItems: 1 + type: array + onWeekDay: + description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. + items: + type: string + minItems: 1 + type: array + start: + description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' 
+ type: string + timezone: + description: The timezone of the schedule. The default timezone is UTC. + type: string + required: + - start + - duration + title: schedule_request type: object + Kibana_HTTP_APIs_security_bulk_create_or_update_roles_response: + additionalProperties: false + description: The response payload for the bulk create-or-update roles API. properties: - error: - description: Error type - example: Not Found + created: + items: + description: The name of a role that was created. + type: string + type: array + errors: + additionalProperties: + $ref: '#/components/schemas/Kibana_HTTP_APIs_security_bulk_roles_error_detail' + type: object + noop: + items: + description: The name of a role that was unchanged by the request. + type: string + type: array + updated: + items: + description: The name of a role that was updated. + type: string + type: array + title: security_bulk_create_or_update_roles_response + type: object + Kibana_HTTP_APIs_security_bulk_roles_error_detail: + additionalProperties: false + description: Error information for a single role in a bulk create-or-update request. + properties: + reason: + description: A human readable error reason. type: string - message: - description: Error message - example: Not Found + type: + description: The error type. type: string - statusCode: - description: Error status code - example: 400 - type: number - APM_UI_401_response: + required: + - type + - reason + title: security_bulk_roles_error_detail type: object + Kibana_HTTP_APIs_security_query_roles_body: + additionalProperties: false + description: The request body for querying roles. 
properties: - error: - description: Error type - example: Unauthorized - type: string - message: - description: Error message + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_security_query_roles_filters' + from: + type: number + query: type: string - statusCode: - description: Error status code - example: 401 + size: type: number - APM_UI_403_response: + sort: + $ref: '#/components/schemas/Kibana_HTTP_APIs_security_query_roles_sort' + title: security_query_roles_body type: object + Kibana_HTTP_APIs_security_query_roles_filters: + additionalProperties: false + description: The filter criteria for the query. properties: - error: - description: Error type - example: Forbidden + showReservedRoles: + type: boolean + title: security_query_roles_filters + type: object + Kibana_HTTP_APIs_security_query_roles_response: + additionalProperties: false + description: The response payload for a roles query. + properties: + count: + description: The number of roles returned in this response page. + type: number + roles: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_response' + type: array + total: + description: The total number of roles that match the query. + type: number + required: + - roles + - count + - total + title: security_query_roles_response + type: object + Kibana_HTTP_APIs_security_query_roles_sort: + additionalProperties: false + description: The sort criteria for the query. + properties: + direction: + enum: + - asc + - desc type: string - message: - description: Error message + field: type: string - statusCode: - description: Error status code - example: 403 - type: number - APM_UI_404_response: + required: + - field + - direction + title: security_query_roles_sort type: object + Kibana_HTTP_APIs_security_role_elasticsearch: + additionalProperties: false + description: The Elasticsearch cluster, index, and remote cluster security privileges for the role. 
properties: - error: - description: Error type - example: Not Found + cluster: + items: + description: Cluster privileges that define the cluster level actions that users can perform. + type: string + maxItems: 100 + type: array + indices: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_indices_privileges' + maxItems: 1000 + type: array + remote_cluster: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_remote_cluster_privileges' + maxItems: 100 + type: array + remote_indices: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_remote_indices_privileges' + maxItems: 1000 + type: array + run_as: + items: + description: A username that members of this role can impersonate. + type: string + maxItems: 100 + type: array + title: security_role_elasticsearch + type: object + Kibana_HTTP_APIs_security_role_indices_privileges: + additionalProperties: false + description: The indices privileges entry. + properties: + allow_restricted_indices: + description: Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field covers the restricted indices too. + type: boolean + field_security: + additionalProperties: + items: + description: The document fields that the role members have read access to. + type: string + maxItems: 1000 + type: array + type: object + names: + items: + description: The data streams, indices, and aliases to which the permissions in this entry apply. 
It supports wildcards (*). + type: string + maxItems: 100 + minItems: 1 + type: array + privileges: + items: + description: The index level privileges that the role members have for the data streams and indices. + type: string + maxItems: 100 + minItems: 1 + type: array + query: + description: A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members. type: string - message: - description: Error message - example: Not Found + required: + - names + - privileges + title: security_role_indices_privileges + type: object + Kibana_HTTP_APIs_security_role_kibana_application: + additionalProperties: false + description: A raw Elasticsearch application privilege entry tied to Kibana. + properties: + application: type: string - statusCode: - description: Error status code - example: 404 - type: number - APM_UI_500_response: + privileges: + items: + type: string + type: array + resources: + items: + type: string + type: array + required: + - application + - privileges + - resources + title: security_role_kibana_application type: object + Kibana_HTTP_APIs_security_role_kibana_privilege: + additionalProperties: false + description: The Kibana privilege entry for the role. properties: - error: - description: Error type - example: Internal Server Error + base: + anyOf: + - items: {} + type: array + - type: boolean + - type: number + - type: object + - type: string + nullable: true + oneOf: + - items: + description: A base privilege that grants applies to all spaces. + type: string + maxItems: 50 + type: array + - items: + description: A base privilege that applies to specific spaces. + type: string + maxItems: 50 + type: array + feature: + additionalProperties: + items: + description: The privileges that the role member has for the feature. 
+ type: string + maxItems: 100 + type: array + type: object + spaces: + anyOf: + - items: + enum: + - '*' + type: string + maxItems: 1 + minItems: 1 + type: array + - items: + description: A space that the privilege applies to. + type: string + maxItems: 1000 + type: array + default: + - '*' + required: + - base + title: security_role_kibana_privilege + type: object + Kibana_HTTP_APIs_security_role_kibana_privilege_response: + additionalProperties: false + description: A Kibana privilege entry returned for a role. + properties: + _reserved: + items: + description: A reserved Kibana privilege granted globally. + type: string + type: array + base: + items: + description: A base Kibana privilege. + type: string + type: array + feature: + additionalProperties: + items: + description: A privilege the role member has for the feature. + type: string + type: array + type: object + spaces: + items: + description: A space that the privilege applies to. The wildcard `*` indicates all spaces. + type: string + type: array + required: + - spaces + - base + - feature + title: security_role_kibana_privilege_response + type: object + Kibana_HTTP_APIs_security_role_put_payload: + additionalProperties: false + description: The role definition to create or update. + properties: + description: + description: A description for the role. + maxLength: 2048 type: string - message: - description: Error message + elasticsearch: + $ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_elasticsearch' + kibana: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_kibana_privilege' + type: array + metadata: + additionalProperties: + nullable: true + type: object + required: + - elasticsearch + title: security_role_put_payload + type: object + Kibana_HTTP_APIs_security_role_remote_cluster_privileges: + additionalProperties: false + description: The remote cluster privileges entry. + properties: + clusters: + items: + description: A list of remote cluster aliases. 
It supports literal strings as well as wildcards and regular expressions. + type: string + maxItems: 100 + minItems: 1 + type: array + privileges: + items: + description: The cluster level privileges for the remote cluster. The allowed values are a subset of the cluster privileges. + type: string + maxItems: 100 + minItems: 1 + type: array + required: + - privileges + - clusters + title: security_role_remote_cluster_privileges + type: object + Kibana_HTTP_APIs_security_role_remote_indices_privileges: + additionalProperties: false + description: The remote indices privileges entry. + properties: + allow_restricted_indices: + description: Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field will cover the restricted indices too. + type: boolean + clusters: + items: + description: A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions. + type: string + maxItems: 100 + minItems: 1 + type: array + field_security: + additionalProperties: + items: + description: The document fields that the role members have read access to. + type: string + maxItems: 1000 + type: array + type: object + names: + items: + description: A list of remote aliases, data streams, or indices to which the permissions apply. It supports wildcards (*). 
+ type: string + maxItems: 100 + minItems: 1 + type: array + privileges: + items: + description: The index level privileges that role members have for the specified indices. + type: string + maxItems: 100 + minItems: 1 + type: array + query: + description: 'A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members. ' type: string - statusCode: - description: Error status code - example: 500 - type: number - APM_UI_501_response: + required: + - clusters + - names + - privileges + title: security_role_remote_indices_privileges type: object + Kibana_HTTP_APIs_security_role_response: + additionalProperties: false + description: A Kibana role definition returned by the Roles API. properties: - error: - description: Error type - example: Not Implemented + _transform_error: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_transform_error' + type: array + _unrecognized_applications: + items: + description: Application names found on the role that are not recognized by Kibana. + type: string + type: array + description: + description: A description for the role. type: string - message: - description: Error message - example: Not Implemented + elasticsearch: + $ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_elasticsearch' + kibana: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_kibana_privilege_response' + type: array + metadata: + additionalProperties: + nullable: true + type: object + name: + description: The role name. 
type: string - statusCode: - description: Error status code - example: 501 - type: number - APM_UI_agent_configuration_intake_object: + transient_metadata: + additionalProperties: + nullable: true + type: object + required: + - name + - elasticsearch + - kibana + title: security_role_response type: object + Kibana_HTTP_APIs_security_role_transform_error: + additionalProperties: false + description: Diagnostic information about a role whose Kibana privileges could not be transformed. properties: - agent_name: - description: >- - The agent name is used by the UI to determine which settings to - display. + reason: + description: The reason the role could not be fully transformed. type: string - service: - $ref: '#/components/schemas/APM_UI_service_object' - settings: - $ref: '#/components/schemas/APM_UI_settings_object' + state: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_kibana_application' + type: array required: - - service - - settings - APM_UI_agent_configuration_object: - description: Agent configuration + - reason + title: security_role_transform_error type: object + Kibana_HTTP_APIs_security_roles_bulk_create_or_update_payload: + additionalProperties: false + description: The request body for bulk creating or updating roles. properties: - '@timestamp': - description: Timestamp - example: 1730194190636 - type: number - agent_name: - description: Agent name + roles: + additionalProperties: + $ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_put_payload' + type: object + required: + - roles + title: security_roles_bulk_create_or_update_payload + type: object + Kibana_HTTP_APIs_simplified_create_package_policy_request: + additionalProperties: false + properties: + additional_datastreams_permissions: + description: Additional data stream permissions that will be added to the agent policy. 
+ items: + type: string + maxItems: 100 + nullable: true + type: array + cloud_connector: + additionalProperties: false + type: object + properties: + cloud_connector_id: + description: ID of an existing cloud connector to reuse. If not provided, a new connector will be created. + type: string + enabled: + default: false + description: Whether cloud connectors are enabled for this policy. + type: boolean + name: + description: Optional name for the cloud connector. If not provided, will be auto-generated from credentials. + maxLength: 255 + minLength: 1 + type: string + target_csp: + description: Target cloud service provider. If not provided, will be auto-detected from inputs. + enum: + - aws + - azure + - gcp + type: string + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this integration to its inputs.' type: string - applied_by_agent: - description: Applied by agent - example: true + description: + description: Policy description. + type: string + force: + description: Force package policy creation even if the package is not verified, or if the agent policy is managed. type: boolean - etag: - description: > - `etag` is sent by the APM agent to indicate the `etag` of the last - successfully applied configuration. If the `etag` matches an - existing configuration its `applied_by_agent` property will be set - to `true`. Every time a configuration is edited `applied_by_agent` - is reset to `false`. - example: 0bc3b5ebf18fba8163fe4c96f491e3767a358f85 + global_data_tags: + items: + additionalProperties: false + type: object + properties: + name: + description: The name of the custom field. Cannot contain spaces. + type: string + value: + anyOf: + - type: string + - type: number + description: The value of the custom field. + required: + - name + - value + maxItems: 100 + type: array + id: + description: Policy unique identifier. 
type: string - service: - $ref: '#/components/schemas/APM_UI_service_object' - settings: - $ref: '#/components/schemas/APM_UI_settings_object' - required: - - service - - settings - - '@timestamp' - - etag - APM_UI_agent_configurations_response: + inputs: + additionalProperties: + additionalProperties: false + type: object + properties: + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' + type: string + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + description: Enable or disable that input. Defaults to `true` (enabled). + type: boolean + streams: + additionalProperties: + additionalProperties: false + type: object + properties: + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' + type: string + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + description: Enable or disable that stream. Defaults to `true` (enabled). + type: boolean + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Input streams. Refer to the integration documentation to know which streams are available. 
+ type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Package policy inputs. Refer to the integration documentation to know which inputs are available. + type: object + name: + description: Unique name for the policy. + type: string + namespace: + description: Policy namespace. When not specified, it inherits the agent policy namespace. + type: string + package: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_package' + policy_template: + description: The policy template to use for the agentless package policy. If not provided, the default policy template will be used. + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. 
+ type: object + required: + - name + - package + title: simplified_create_package_policy_request type: object + Kibana_HTTP_APIs_slo-alerts-embeddable: + additionalProperties: false + description: SLO Alerts embeddable schema properties: - configurations: - description: Agent configuration + description: + type: string + drilldowns: items: - $ref: '#/components/schemas/APM_UI_agent_configuration_object' + additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_open_panel_menu + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 type: array - APM_UI_agent_keys_object: - type: object - properties: - name: - description: The name of the APM agent key. - type: string - privileges: - description: > - The APM agent key privileges. It can take one or more of the - following values: - - * `event:write`, which is required for ingesting APM agent events. * - `config_agent:read`, which is required for APM agents to read agent - configuration remotely. 
+ hide_border: + type: boolean + hide_title: + type: boolean + slos: + default: [] + description: List of SLOs to display alerts for items: - enum: - - event:write - - config_agent:read - type: string + additionalProperties: false + type: object + properties: + slo_id: + description: SLO ID + type: string + slo_instance_id: + default: '*' + description: SLO instance ID + type: string + required: + - slo_id + maxItems: 100 type: array - required: - - name - - privileges - APM_UI_agent_keys_response: - type: object - properties: - agentKey: - description: Agent key - type: object - properties: - api_key: - type: string - encoded: - type: string - expiration: - format: int64 - type: integer - id: - type: string - name: - type: string - required: - - id - - name - - api_key - - encoded - APM_UI_annotation_search_response: + title: + type: string + title: slo-alerts-embeddable type: object + Kibana_HTTP_APIs_slo-burn-rate-embeddable: + additionalProperties: false + description: SLO Burn Rate embeddable schema properties: - annotations: - description: Annotations + description: + type: string + drilldowns: items: - type: object + additionalProperties: false properties: - '@timestamp': - type: number - id: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: type: string - text: + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_open_panel_menu type: string type: enum: - - version + - url_drilldown type: string + url: + description: Templated Url. 
Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 type: array - APM_UI_base_source_map_object: - type: object - properties: - compressionAlgorithm: - description: Compression Algorithm - type: string - created: - description: Created date - type: string - decodedSha256: - description: Decoded SHA-256 - type: string - decodedSize: - description: Decoded size - type: number - encodedSha256: - description: Encoded SHA-256 - type: string - encodedSize: - description: Encoded size - type: number - encryptionAlgorithm: - description: Encryption Algorithm - type: string - id: - description: Identifier - type: string - identifier: - description: Identifier + duration: + description: Duration for the burn rate chart in the format [value][unit], e.g. 5m, 3h, or 6d type: string - packageName: - description: Package name + hide_border: + type: boolean + hide_title: + type: boolean + slo_id: + description: The ID of the SLO to display the burn rate for type: string - relative_url: - description: Relative URL + slo_instance_id: + default: '*' + description: ID of the SLO instance. Set when the SLO uses group_by; identifies which instance to show. Defaults to * (all instances). type: string - type: - description: Type + title: type: string - APM_UI_create_annotation_object: + required: + - slo_id + - duration + title: slo-burn-rate-embeddable type: object + Kibana_HTTP_APIs_slo-error-budget-embeddable: + additionalProperties: false + description: SLO Error Budget embeddable schema properties: - '@timestamp': - description: The date and time of the annotation. It must be in ISO 8601 format. - type: string - message: - description: >- - The message displayed in the annotation. It defaults to - `service.version`. 
+ description: type: string - service: - description: The service that identifies the configuration to create or update. - type: object - properties: - environment: - description: The environment of the service. - type: string - version: - description: The version of the service. - type: string - required: - - version - tags: - description: > - Tags are used by the Applications UI to distinguish APM annotations - from other annotations. Tags may have additional functionality in - future releases. It defaults to `[apm]`. While you can add - additional tags, you cannot remove the `apm` tag. + drilldowns: items: - type: string + additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_open_panel_menu + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 type: array + hide_border: + type: boolean + hide_title: + type: boolean + slo_id: + description: The ID of the SLO to display the error budget for + type: string + slo_instance_id: + default: '*' + description: ID of the SLO instance. Set when the SLO uses group_by; identifies which instance to show. Defaults to * (all instances). 
+ type: string + title: + type: string required: - - '@timestamp' - - service - APM_UI_create_annotation_response: + - slo_id + title: slo-error-budget-embeddable type: object + Kibana_HTTP_APIs_slo-group-overview-embeddable: + additionalProperties: false + description: SLO Group Overview embeddable schema properties: - _id: - description: Identifier - type: string - _index: - description: Index + description: type: string - _source: - description: Response + drilldowns: + items: + additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_open_panel_menu + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + group_filters: + additionalProperties: false + default: + group_by: status type: object properties: - '@timestamp': - type: string - annotation: - type: object - properties: - title: - type: string - type: - type: string - event: - type: object - properties: - created: - type: string - message: + filters: + items: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeConditionFilterSchema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeGroupFilterSchema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeDSLFilterSchema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeSpatialFilterSchema' + description: A filter applied to query results. 
Can be a field condition (`condition`), a logical group of conditions (`group`), a raw Elasticsearch DSL query (`dsl`), or a geo spatial query (`spatial`). + maxItems: 500 + type: array + group_by: + default: status + enum: + - slo.tags + - status + - slo.indicator.type + - _index type: string - service: - type: object - properties: - environment: - type: string - name: - type: string - version: - type: string - tags: + groups: items: type: string + maxItems: 100 type: array - APM_UI_delete_agent_configurations_response: - type: object - properties: - result: - description: Result - type: string - APM_UI_delete_service_object: - description: Service - type: object - properties: - service: - $ref: '#/components/schemas/APM_UI_service_object' - required: - - service - APM_UI_search_agent_configuration_object: - type: object - properties: - error: - description: > - If provided, the agent configuration will be marked as error and - `applied_by_agent` will be set to `false`. - - This is useful for cases where the agent configuration was not - applied successfully. - type: string - etag: - description: If etags match then `applied_by_agent` field will be set to `true` - example: 0bc3b5ebf18fba8163fe4c96f491e3767a358f85 - type: string - mark_as_applied_by_agent: - description: > - `markAsAppliedByAgent=true` means "force setting it to true - regardless of etag". 
- - This is needed for Jaeger agent that doesn't have etags + kql_query: + type: string + hide_border: type: boolean - service: - $ref: '#/components/schemas/APM_UI_service_object' - required: - - service - APM_UI_search_agent_configuration_response: - type: object - properties: - _id: - description: Identifier - type: string - _index: - description: Index - type: string - _score: - description: Score - type: number - _source: - $ref: '#/components/schemas/APM_UI_agent_configuration_object' - APM_UI_service_agent_name_response: - type: object - properties: - agentName: - description: Agent name - example: nodejs - type: string - APM_UI_service_environment_object: - type: object - properties: - alreadyConfigured: - description: Already configured + hide_title: type: boolean - name: - description: Service environment name - example: ALL_OPTION_VALUE + overview_mode: + enum: + - groups type: string - APM_UI_service_environments_response: + title: + type: string + required: + - overview_mode + title: slo-group-overview-embeddable type: object + Kibana_HTTP_APIs_slo-rules-burnrate-create-rule-body-alerting: + additionalProperties: false properties: - environments: - description: Service environment list + actions: + default: [] items: - $ref: '#/components/schemas/APM_UI_service_environment_object' + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' type: array - APM_UI_service_object: - description: Service - type: object - properties: - environment: - description: The environment of the service. - example: prod - type: string - name: - description: The name of the service. 
- example: node - type: string - APM_UI_settings_object: - additionalProperties: - type: string - description: Agent configuration settings - type: object - APM_UI_single_agent_configuration_response: - allOf: - - type: object + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object properties: - id: - type: string + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number required: - - id - - $ref: '#/components/schemas/APM_UI_agent_configuration_object' - APM_UI_source_maps_response: - type: object - properties: + - active artifacts: - description: Artifacts - items: - allOf: - - type: object - properties: - body: - type: object - properties: - bundleFilepath: - type: string - serviceName: - type: string - serviceVersion: - type: string - sourceMap: - type: object - properties: - file: - type: string - mappings: - type: string - sourceRoot: - type: string - sources: - items: - type: string - type: array - sourcesContent: - items: - type: string - type: array - version: - type: number - - $ref: '#/components/schemas/APM_UI_base_source_map_object' - type: array - APM_UI_upload_source_map_object: - type: object - properties: - bundle_filepath: - description: >- - The absolute path of the final bundle as used in the web - application. - type: string - service_name: - description: The name of the service that the service map should apply to. - type: string - service_version: - description: The version of the service that the service map should apply to. - type: string - sourcemap: - description: > - The source map. It can be a string or file upload. It must follow - the - - [source map format specification](https://tc39.es/ecma426/). 
- format: binary - type: string - required: - - service_name - - service_version - - bundle_filepath - - sourcemap - APM_UI_upload_source_maps_response: - allOf: - - type: object + additionalProperties: false + type: object properties: - body: - type: string - - $ref: '#/components/schemas/APM_UI_base_source_map_object' - Data_views_400_response: - title: Bad request - type: object - properties: - error: - example: Bad Request + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string - message: + enabled: + default: true + description: Indicates whether you want the rule to run on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. type: string - statusCode: - example: 400 - type: number - required: - - statusCode - - error - - message - Data_views_404_response: - type: object - properties: - error: + notify_when: + description: 'Indicates how frequently rule actions are triggered. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. 
You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' enum: - - Not Found - example: Not Found - type: string - message: - example: >- - Saved object [index-pattern/caaad6d0-920c-11ed-b36a-874bd1548a00] - not found + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true type: string - statusCode: - enum: - - 404 - example: 404 - type: integer - Data_views_allownoindex: - description: >- - Allows the data view saved object to exist before the data is available. - Defaults to `false`. - type: boolean - Data_views_create_data_view_request_object: - title: Create data view request - type: object - properties: - data_view: - description: The data view object. - type: object + params: + additionalProperties: false + description: The parameters for the slo burn rate rule. These parameters are appropriate when `rule_type_id` is `slo.rules.burnRate`. properties: - allowNoIndex: - $ref: '#/components/schemas/Data_views_allownoindex' - fieldAttrs: - additionalProperties: - $ref: '#/components/schemas/Data_views_fieldattrs' - type: object - fieldFormats: - $ref: '#/components/schemas/Data_views_fieldformats' - fields: - type: object - id: - type: string - name: - description: The data view name. 
- type: string - namespaces: - $ref: '#/components/schemas/Data_views_namespaces' - runtimeFieldMap: - additionalProperties: - $ref: '#/components/schemas/Data_views_runtimefieldmap' - type: object - sourceFilters: - $ref: '#/components/schemas/Data_views_sourcefilters' - timeFieldName: - $ref: '#/components/schemas/Data_views_timefieldname' - title: - $ref: '#/components/schemas/Data_views_title' - type: - $ref: '#/components/schemas/Data_views_type' - typeMeta: - $ref: '#/components/schemas/Data_views_typemeta' - version: + dependencies: + items: + additionalProperties: false + type: object + properties: + actionGroupsToSuppressOn: + items: + type: string + type: array + ruleId: + type: string + required: + - ruleId + - actionGroupsToSuppressOn + type: array + sloId: type: string + windows: + items: + additionalProperties: false + type: object + properties: + actionGroup: + type: string + burnRateThreshold: + type: number + id: + type: string + longWindow: + additionalProperties: false + type: object + properties: + unit: + type: string + value: + type: number + required: + - value + - unit + maxBurnRateThreshold: + nullable: true + type: number + shortWindow: + additionalProperties: false + type: object + properties: + unit: + type: string + value: + type: number + required: + - value + - unit + required: + - id + - burnRateThreshold + - maxBurnRateThreshold + - longWindow + - shortWindow + - actionGroup + type: array required: - - title - override: - default: false - description: >- - Override an existing data view if a data view with the provided - title already exists. 
- type: boolean - required: - - data_view - Data_views_data_view_response_object: - title: Data view response properties - type: object - properties: - data_view: + - sloId + - windows + title: SLO Burn Rate Rule Params type: object - properties: - allowNoIndex: - $ref: '#/components/schemas/Data_views_allownoindex' - fieldAttrs: - additionalProperties: - $ref: '#/components/schemas/Data_views_fieldattrs' - type: object - fieldFormats: - $ref: '#/components/schemas/Data_views_fieldformats' - fields: - type: object - id: - example: ff959d40-b880-11e8-a6d9-e546fe2bba5f - type: string - name: - description: The data view name. - type: string - namespaces: - $ref: '#/components/schemas/Data_views_namespaces' - runtimeFieldMap: - additionalProperties: - $ref: '#/components/schemas/Data_views_runtimefieldmap' - type: object - sourceFilters: - $ref: '#/components/schemas/Data_views_sourcefilters' - timeFieldName: - $ref: '#/components/schemas/Data_views_timefieldname' - title: - $ref: '#/components/schemas/Data_views_title' - typeMeta: - $ref: '#/components/schemas/Data_views_typemeta_response' - version: - example: WzQ2LDJd - type: string - Data_views_fieldattrs: - description: A map of field attributes by field name. - type: object - properties: - count: - description: Popularity count for the field. - type: integer - customDescription: - description: Custom description for the field. - maxLength: 300 - type: string - customLabel: - description: Custom label for the field. + rule_type_id: + enum: + - slo.rules.burnRate type: string - Data_views_fieldformats: - description: A map of field formats by field name. - type: object - Data_views_namespaces: - description: >- - An array of space identifiers for sharing the data view between multiple - spaces. - items: - default: default - type: string - type: array - Data_views_runtimefieldmap: - description: A map of runtime field definitions by field name. 
- type: object - properties: - script: + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. type: object properties: - source: - description: Script for the runtime field. + interval: + description: The interval is specified in seconds, minutes, hours, or days. type: string - type: - description: Mapping type of the runtime field. + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how frequently rule actions are triggered. You cannot specify the throttle interval at both the rule and action level. If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. + nullable: true type: string required: - - script - - type - Data_views_sourcefilters: - description: The array of field names you want to filter out in Discover. - items: - type: object - properties: - value: - type: string - required: - - value - type: array - Data_views_swap_data_view_request_object: - title: Data view reference swap request + - name + - consumer + - schedule + - rule_type_id + - params + title: SLO burn rate type: object + Kibana_HTTP_APIs_slo-single-overview-embeddable: + additionalProperties: false + description: SLO Single Overview embeddable schema properties: - delete: - description: Deletes referenced saved object if all references are removed. - type: boolean - forId: - description: Limit the affected saved objects to one or more by identifier. 
- oneOf: - - type: string - - items: + description: + type: string + drilldowns: + items: + additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: type: string - type: array - forType: - description: Limit the affected saved objects by type. + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_open_panel_menu + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + hide_border: + type: boolean + hide_title: + type: boolean + overview_mode: + enum: + - single type: string - fromId: - description: The saved object reference to change. + remote_name: + description: The name of the remote SLO type: string - fromType: - description: > - Specify the type of the saved object reference to alter. The default - value is `index-pattern` for data views. + slo_id: + description: The ID of the SLO type: string - toId: - description: New saved object reference value to replace the old value. + slo_instance_id: + default: '*' + description: ID of the SLO instance. Set when the SLO uses group_by; identifies which instance to show. Defaults to * (all instances). + type: string + title: type: string required: - - fromId - - toId - Data_views_timefieldname: - description: The timestamp field name, which you use for time-based data views. - type: string - Data_views_title: - description: >- - Comma-separated list of data streams, indices, and aliases that you want - to search. Supports wildcards (`*`). - type: string - Data_views_type: - description: When set to `rollup`, identifies the rollup data views. 
- type: string - Data_views_typemeta: - description: >- - When you use rollup indices, contains the field list for the rollup data - view API endpoints. + - slo_id + - overview_mode + title: slo-single-overview-embeddable type: object + Kibana_HTTP_APIs_staticColor: + additionalProperties: false + description: Fixed color for all values in the dimension. properties: - aggs: - description: A map of rollup restrictions by aggregation type and field name. - type: object - params: - description: Properties for retrieving rollup fields. - type: object + color: + description: The static color to be used for all values. + type: string + type: + enum: + - static + type: string required: - - aggs - - params - Data_views_typemeta_response: - description: >- - When you use rollup indices, contains the field list for the rollup data - view API endpoints. - nullable: true + - type + - color + title: Static Color type: object + Kibana_HTTP_APIs_staticOperationDefinition: + additionalProperties: false properties: - aggs: - description: A map of rollup restrictions by aggregation type and field name. - type: object - params: - description: Properties for retrieving rollup fields. - type: object - Data_views_update_data_view_request_object: - title: Update data view request + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - static_value + type: string + value: + default: 100 + description: Static value + type: number + required: + - operation + title: Static Operation Definition + type: object + Kibana_HTTP_APIs_StreamlangConditionBlock: + additionalProperties: false type: object properties: - data_view: - description: > - The data view properties you want to update. Only the specified - properties are updated in the data view. Unspecified fields stay as - they are persisted. 
- type: object - properties: - allowNoIndex: - $ref: '#/components/schemas/Data_views_allownoindex' - fieldFormats: - $ref: '#/components/schemas/Data_views_fieldformats' - fields: + condition: + $ref: '#/components/schemas/Kibana_HTTP_APIs_ConditionWithSteps' + customIdentifier: + type: string + required: + - condition + Kibana_HTTP_APIs_StreamlangStep: + anyOf: + - anyOf: + - additionalProperties: false + description: Grok processor - Extract fields from text using grok patterns + type: object + properties: + action: + enum: + - grok + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + description: Source field to parse with grok patterns + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + description: Skip processing when source field is missing + type: boolean + pattern_definitions: + additionalProperties: + type: string + type: object + patterns: + description: Grok patterns applied in order to extract fields + items: + description: A non-empty string. 
+ minLength: 1 + type: string + minItems: 1 + type: array + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - patterns + - additionalProperties: false + description: Dissect processor - Extract fields from text using a lightweight, delimiter-based parser + type: object + properties: + action: + enum: + - dissect + type: string + append_separator: + description: Separator inserted when target fields are concatenated + minLength: 1 + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + description: Source field to parse with dissect pattern + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + description: Skip processing when source field is missing + type: boolean + pattern: + description: Dissect pattern describing field boundaries + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - pattern + - additionalProperties: false + description: Date processor - Parse dates from strings using one or more expected formats + type: object + properties: + action: + enum: + - date + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + formats: + description: Accepted input date formats, tried in order + items: + description: A non-empty string. 
+ minLength: 1 + type: string + type: array + from: + description: Source field containing the date/time text + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + locale: + description: Optional locale for date parsing + minLength: 1 + type: string + output_format: + description: Optional output format for storing the parsed date as text + minLength: 1 + type: string + timezone: + description: Optional timezone for date parsing + minLength: 1 + type: string + to: + description: Target field for the parsed date (defaults to source) + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - formats + - additionalProperties: false + type: object + properties: + action: + enum: + - drop_document + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - additionalProperties: false + type: object + properties: + action: + enum: + - math + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + expression: + description: A non-empty string. 
+ minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + type: boolean + to: + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - expression + - to + - additionalProperties: false + description: Rename processor - Change a field name and optionally its location + type: object + properties: + action: + enum: + - rename + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + description: Existing source field to rename or move + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + description: Skip when source field is missing + type: boolean + override: + description: Allow overwriting the target field if it already exists + type: boolean + to: + description: New field name or destination path + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - to + - additionalProperties: false + description: Set processor - Assign a literal or copied value to a field (mutually exclusive inputs) + type: object + properties: + action: + enum: + - set + type: string + copy_from: + description: Copy value from another field instead of providing a literal + minLength: 1 + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + 
ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + override: + description: Allow overwriting an existing target field + type: boolean + to: + description: Target field to set or create + minLength: 1 + type: string + value: + description: Literal value to assign to the target field + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - to + - additionalProperties: false + description: Append processor - Append one or more values to an existing or new array field + type: object + properties: + action: + enum: + - append + type: string + allow_duplicates: + description: If true, do not deduplicate appended values + type: boolean + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + to: + description: Array field to append values to + minLength: 1 + type: string + value: + description: Values to append (must be literal, no templates) + items: {} + minItems: 1 + type: array + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - to + - value + - additionalProperties: false + description: Remove by prefix processor - Remove a field and all nested fields matching the prefix + type: object + properties: + action: + enum: + - remove_by_prefix + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + description: Field to remove along with all its 
nested fields + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + required: + - action + - from + - additionalProperties: false + description: Remove processor - Delete one or more fields from the document + type: object + properties: + action: + enum: + - remove + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + description: Field to remove from the document + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + description: Skip processing when source field is missing + type: boolean + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - additionalProperties: false + type: object + properties: + action: + enum: + - replace + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + type: boolean + pattern: + minLength: 1 + type: string + replacement: + type: string + to: + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - pattern + - replacement + - additionalProperties: false + description: Redact processor - Mask sensitive data using Grok patterns + type: object + properties: + action: + enum: 
+ - redact + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + description: Source field to redact sensitive data from + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + description: Skip processing when source field is missing (defaults to true) + type: boolean + pattern_definitions: + additionalProperties: + type: string + description: Custom pattern definitions to use in the patterns + type: object + patterns: + description: Grok patterns to match sensitive data (for example, "%{IP:client}", "%{EMAILADDRESS:email}") + items: + description: A non-empty string. + minLength: 1 + type: string + minItems: 1 + type: array + prefix: + description: Prefix to prepend to the redacted pattern name (defaults to "<") + type: string + suffix: + description: Suffix to append to the redacted pattern name (defaults to ">") + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - patterns + - additionalProperties: false + type: object + properties: + action: + enum: + - uppercase + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + type: boolean + to: + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + 
required: + - action + - from + - additionalProperties: false type: object - name: - type: string - runtimeFieldMap: - additionalProperties: - $ref: '#/components/schemas/Data_views_runtimefieldmap' + properties: + action: + enum: + - lowercase + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + type: boolean + to: + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - additionalProperties: false type: object - sourceFilters: - $ref: '#/components/schemas/Data_views_sourcefilters' - timeFieldName: - $ref: '#/components/schemas/Data_views_timefieldname' - title: - $ref: '#/components/schemas/Data_views_title' - type: - $ref: '#/components/schemas/Data_views_type' - typeMeta: - $ref: '#/components/schemas/Data_views_typemeta' - refresh_fields: - default: false - description: Reloads the data view fields after the data view is updated. 
- type: boolean - required: - - data_view - Kibana_HTTP_APIs_action_id_response: - additionalProperties: false - properties: - actionId: - type: string - required: - - actionId - title: action_id_response - type: object - Kibana_HTTP_APIs_action_message_response: - additionalProperties: false - properties: - message: - type: string - required: - - message - title: action_message_response - type: object - Kibana_HTTP_APIs_agent_policy_response: - additionalProperties: false - properties: - advanced_settings: - additionalProperties: false - type: object - properties: - agent_download_target_directory: - nullable: true - agent_download_timeout: - nullable: true - agent_features_disable_policy_change_acks_enabled: - nullable: true - agent_internal: - nullable: true - agent_limits_go_max_procs: - nullable: true - agent_logging_files_interval: - nullable: true - agent_logging_files_keepfiles: - nullable: true - agent_logging_files_rotateeverybytes: - nullable: true - agent_logging_level: - nullable: true - agent_logging_metrics_period: - nullable: true - agent_logging_to_files: - nullable: true - agent_monitoring_runtime_experimental: - nullable: true - agent_features: - items: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - name: - type: string - required: - - name - - enabled - maxItems: 100 - type: array - agentless: - additionalProperties: false - type: object - properties: - cloud_connectors: - additionalProperties: false + properties: + action: + enum: + - trim + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + type: boolean + to: + minLength: 1 + type: string + where: + $ref: 
'#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - additionalProperties: false type: object properties: - enabled: + action: + enum: + - join + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + delimiter: + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + items: + minLength: 1 + type: string + minItems: 1 + type: array + ignore_failure: + description: Continue pipeline execution if this processor fails type: boolean - target_csp: + ignore_missing: + type: boolean + to: + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - delimiter + - to + - additionalProperties: false + description: Split processor - Split a field value into an array using a separator + type: object + properties: + action: enum: - - aws - - azure - - gcp + - split + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + description: Source field to split into an array + minLength: 1 type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + description: Skip processing when source field is missing + type: boolean + preserve_trailing: + description: Preserve empty trailing fields in the split result + type: boolean + separator: + description: Regex separator used to split the field value into an array + minLength: 1 + type: string + to: + description: Target field for the split array (defaults to source) + minLength: 1 + 
type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs required: - - enabled - cluster_id: - type: string - resources: - additionalProperties: false + - action + - from + - separator + - additionalProperties: false type: object properties: - requests: - additionalProperties: false + action: + enum: + - sort + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + description: Array field to sort + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + description: Skip processing when source field is missing + type: boolean + order: + description: Sort order - "asc" (ascending) or "desc" (descending). Defaults to "asc" + enum: + - asc + - desc + type: string + to: + description: Target field for the sorted array (defaults to source) + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - additionalProperties: false + description: Convert processor - Change the data type of a field value (integer, long, double, boolean, or string) + type: object + properties: + action: + enum: + - convert + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + description: Source field to convert to a different data type + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + 
description: Skip processing when source field is missing + type: boolean + to: + description: Target field for the converted value (defaults to source) + minLength: 1 + type: string + type: + description: 'Target data type: integer, long, double, boolean, or string' + enum: + - integer + - long + - double + - boolean + - string + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - type + - additionalProperties: false + type: object + properties: + action: + enum: + - concat + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + items: + anyOf: + - type: object + properties: + type: + enum: + - field + type: string + value: + minLength: 1 + type: string + required: + - type + - value + - type: object + properties: + type: + enum: + - literal + type: string + value: + type: string + required: + - type + - value + minItems: 1 + type: array + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + type: boolean + to: + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - to + - allOf: + - additionalProperties: false type: object properties: - cpu: + action: + enum: + - network_direction type: string - memory: + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 type: string - agents: - type: number - agents_per_version: - items: - additionalProperties: false - type: object - properties: - count: - type: number - version: - type: string - required: - - version - - count - 
maxItems: 1000 - type: array - created_at: + description: + description: Human-readable notes about this processor step + type: string + destination_ip: + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + type: boolean + source_ip: + minLength: 1 + type: string + target_field: + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - source_ip + - destination_ip + - anyOf: + - additionalProperties: false + type: object + properties: + internal_networks: + items: + type: string + type: array + required: + - internal_networks + - additionalProperties: false + type: object + properties: + internal_networks_field: + minLength: 1 + type: string + required: + - internal_networks_field + - additionalProperties: false + description: JsonExtract processor - Extract values from JSON strings using JSONPath-like selectors + type: object + properties: + action: + enum: + - json_extract + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + extractions: + description: List of extraction specifications + items: + description: A single extraction specification + type: object + properties: + selector: + description: JSONPath-like selector to extract value (e.g., "user.id", "$.metadata.client.ip", "items[0].name") + minLength: 1 + type: string + target_field: + description: Target field to store the extracted value + minLength: 1 + type: string + type: + description: Data type for the extracted value. Defaults to "keyword". Ensures consistent types across transpilers. 
+ enum: + - keyword + - integer + - long + - double + - boolean + type: string + required: + - selector + - target_field + minItems: 1 + type: array + field: + description: Source field containing the JSON string to parse + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + description: Skip processing when source field is missing + type: boolean + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - field + - extractions + - additionalProperties: false + type: object + properties: + action: + enum: + - enrich + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + type: boolean + override: + type: boolean + policy_name: + description: A non-empty string. 
+ minLength: 1 + type: string + to: + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - policy_name + - to + - additionalProperties: false + description: Registered domain processor - extracts domain, registered_domain, top_level_domain, subdomain from a FQDN + type: object + properties: + action: + enum: + - registered_domain + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + expression: + description: The string expression containing the FQDN to parse + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + description: Skip processing when expression field is missing + type: boolean + prefix: + description: The prefix for the output columns. 
The extracted parts are available as prefix.part_name + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - expression + - prefix + - additionalProperties: false + description: Manual ingest pipeline wrapper around native Elasticsearch processors + type: object + properties: + action: + description: Manual ingest pipeline - executes raw Elasticsearch ingest processors + enum: + - manual_ingest_pipeline + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + on_failure: + description: Fallback processors to run when a processor fails + items: + additionalProperties: {} + type: object + type: array + processors: + description: List of raw Elasticsearch ingest processors to run + items: + additionalProperties: {} + type: object + type: array + tag: + description: Optional ingest processor tag for Elasticsearch + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - processors + - $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamlangConditionBlock' + Kibana_HTTP_APIs_StreamUpsertRequest: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_WiredStreamUpsertRequest' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_ClassicStreamUpsertRequest' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_QueryStreamUpsertRequest' + Kibana_HTTP_APIs_sumMetricOperation: + additionalProperties: false + properties: + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric type: string - data_output_id: - nullable: true + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string - description: + operation: + enum: + - sum type: string - download_source_id: - nullable: true + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting type: string - fips_agents: - type: number - fleet_server_host_id: - nullable: true + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting type: string - global_data_tags: - description: >- - User defined data tags that are added to all of the inputs. The - values can be strings or numbers. - items: - additionalProperties: false - type: object - properties: - name: - type: string - value: - anyOf: - - type: string - - type: number - required: - - name - - value - maxItems: 100 - type: array - has_agent_version_conditions: - type: boolean - has_fleet_server: - type: boolean - id: + required: + - field + - operation + title: Sum Metric Operation + type: object + Kibana_HTTP_APIs_tagcloudESQL: + additionalProperties: false + description: Tag Cloud configuration using an ES|QL query. + properties: + data_source: + $ref: '#/components/schemas/Kibana_HTTP_APIs_esqlDataSource' + description: type: string - inactivity_timeout: - default: 1209600 - minimum: 0 - type: number - is_default: - type: boolean - is_default_fleet_server: - type: boolean - is_managed: - type: boolean - is_preconfigured: - type: boolean - is_protected: - description: >- - Indicates whether the agent policy has tamper protection enabled. - Default false. 
+ drilldowns: + items: + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. + type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. 
Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + hide_border: type: boolean - is_verifier: + hide_title: type: boolean - keep_monitoring_alive: + ignore_global_filters: default: false - description: >- - When set to true, monitoring will be enabled but logs/metrics - collection will be disabled - nullable: true + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. type: boolean - min_agent_version: - nullable: true - type: string - monitoring_diagnostics: + metric: additionalProperties: false type: object properties: - limit: - additionalProperties: false - type: object - properties: - burst: - type: number - interval: - type: string - uploader: - additionalProperties: false - type: object - properties: - init_dur: - type: string - max_dur: - type: string - max_retries: - type: number - monitoring_enabled: + column: + description: Column to use + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + required: + - column + references: items: - enum: - - logs - - metrics - - traces - type: string - maxItems: 3 + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' type: array - monitoring_http: + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). 
+ maximum: 1 + minimum: 0 + type: number + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudStyling' + tag_by: additionalProperties: false type: object properties: - buffer: - additionalProperties: false - type: object - properties: - enabled: - default: false - type: boolean - enabled: - type: boolean - host: + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + column: + description: Column to use type: string - port: - maximum: 65353 - minimum: 0 - type: number - monitoring_output_id: - nullable: true + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + required: + - column + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: type: string - monitoring_pprof_enabled: - type: boolean - name: - minLength: 1 + type: + enum: + - tag_cloud type: string - namespace: - minLength: 1 + required: + - type + - data_source + - metric + - tag_by + title: Tag Cloud Chart (ES|QL) + type: object + Kibana_HTTP_APIs_tagcloudMetricCounterRate: + additionalProperties: false + properties: + field: + description: Field to be used for the metric type: string - overrides: - additionalProperties: - nullable: true - description: >- - Override settings that are defined in the agent policy. Input - settings cannot be overridden. The override option should be used - only in unusual circumstances and not as a routine procedure. 
- nullable: true - type: object - package_agent_version_conditions: - items: - additionalProperties: false - type: object - properties: - name: - type: string - title: - type: string - version_condition: - type: string - required: - - name - - title - - version_condition - maxItems: 1000 - nullable: true - type: array - package_policies: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - description: >- - This field is present only when retrieving a single agent - policy, or when retrieving a list of agent policies with the - ?full=true parameter - items: - $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_response' - maxItems: 10000 - type: array - required_versions: - items: - additionalProperties: false - type: object - properties: - percentage: - description: Target percentage of agents to auto upgrade - maximum: 100 - minimum: 0 - type: number - version: - description: Target version for automatic agent upgrade - type: string - required: - - version - - percentage - maxItems: 100 - nullable: true - type: array - revision: - type: number - schema_version: + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string - space_ids: - items: - type: string - maxItems: 100 - type: array - status: + operation: enum: - - active - - inactive - type: string - supports_agentless: - default: false - description: Indicates whether the agent policy supports agentless integrations. 
- nullable: true - type: boolean - unenroll_timeout: - minimum: 0 - type: number - unprivileged_agents: - type: number - updated_at: + - counter_rate type: string - updated_by: + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting type: string - version: + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting type: string required: - - id - - name - - namespace - - is_protected - - status - - updated_at - - updated_by - - revision - title: agent_policy_response + - field + - operation + title: Counter Rate Operation type: object - Kibana_HTTP_APIs_bulk_delete_enrollment_api_keys_request: + Kibana_HTTP_APIs_tagcloudMetricCountMetric: additionalProperties: false properties: - forceDelete: + empty_as_null: default: false - description: >- - When false (default), invalidate the API key and mark the token as - inactive. When true, also delete the token document. + description: When `true`, treats empty buckets as null instead of zero. type: boolean - includeHidden: - default: false - description: >- - When true, allow deletion of hidden enrollment tokens - (managed/agentless policies). Defaults to false. - type: boolean - kuery: - description: KQL query to select enrollment tokens to delete. + field: + description: Field to be used for the metric type: string - tokenIds: - description: List of enrollment token IDs to delete. 
- items: - type: string - maxItems: 10000 - type: array - title: bulk_delete_enrollment_api_keys_request + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - operation + title: Count Metric Operation type: object - Kibana_HTTP_APIs_bulk_delete_enrollment_api_keys_response: + Kibana_HTTP_APIs_tagcloudMetricCumulativeSum: additionalProperties: false properties: - action: + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - cumulative_sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting type: string - count: - type: number - errorCount: - type: number - successCount: - type: number required: - - action - - count - - successCount - - errorCount - title: bulk_delete_enrollment_api_keys_response + - field + - operation + title: Cumulative Sum Operation type: object - Kibana_HTTP_APIs_bulk_get_agent_policies_response: + Kibana_HTTP_APIs_tagcloudMetricDifferences: additionalProperties: false properties: - items: - items: - $ref: 
'#/components/schemas/Kibana_HTTP_APIs_agent_policy_response' - maxItems: 10000 - type: array + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - differences + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string required: - - items - title: bulk_get_agent_policies_response + - operation + - of + title: Differences Operation type: object - Kibana_HTTP_APIs_bulk_get_package_policies_response: + Kibana_HTTP_APIs_tagcloudMetricFormula: additionalProperties: false properties: - items: - items: - $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_response' - maxItems: 10000 - type: array + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + formula: + description: Formula + type: string + label: + description: Label for the operation + type: string + operation: + enum: + - formula + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + description: Time scale + enum: + - s + - m + - h + - d + type: string required: - - items - title: bulk_get_package_policies_response + - operation + - formula + title: Formula Operation type: object - Kibana_HTTP_APIs_bulk_install_packages_from_registry_request: + Kibana_HTTP_APIs_tagcloudMetricLastValue: additionalProperties: false properties: - force: + field: + description: Field to be used for the metric + type: string + filter: + $ref: 
'#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + multi_value: default: false + description: Whether to return all values for multi-value fields. Only affects data table and metric charts; other charts use the last value from the array. type: boolean - packages: - items: - anyOf: - - type: string - - additionalProperties: false - type: object - properties: - name: - type: string - prerelease: - type: boolean - version: - type: string - required: - - name - - version - maxItems: 1000 - minItems: 1 - type: array + operation: + enum: + - last_value + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_field: + description: Time field used to determine document recency + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string required: - - packages - title: bulk_install_packages_from_registry_request + - field + - operation + - time_field + title: Last Value Operation type: object - Kibana_HTTP_APIs_bulk_install_packages_from_registry_response: + Kibana_HTTP_APIs_tagcloudMetricMovingAverage: additionalProperties: false properties: - items: - items: - anyOf: - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_bulk_install_packages_response_item_success - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_bulk_install_packages_response_item_error - maxItems: 10000 - type: array + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - moving_average + type: string + 
reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + window: + default: 5 + description: Window + type: number required: - - items - title: bulk_install_packages_from_registry_response + - operation + - of + title: Moving Average Operation type: object - Kibana_HTTP_APIs_bulk_install_packages_response_item_error: + Kibana_HTTP_APIs_tagcloudMetricPercentile: additionalProperties: false properties: - error: - anyOf: - - type: string - - nullable: true - name: + field: + description: Field to be used for the metric type: string - statusCode: + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - percentile + type: string + percentile: + default: 95 + description: Percentile type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string required: - - name - - statusCode - title: bulk_install_packages_response_item_error + - field + - operation + title: Percentile Operation type: object - Kibana_HTTP_APIs_bulk_install_packages_response_item_success: + Kibana_HTTP_APIs_tagcloudMetricPercentileRanks: additionalProperties: false properties: - name: + field: + description: Field to be used for the metric type: string - result: - additionalProperties: false - type: object - properties: - assets: - items: - anyOf: - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_kibana_asset_reference - - $ref: 
'#/components/schemas/Kibana_HTTP_APIs_es_asset_reference' - maxItems: 10000 - type: array - error: - nullable: true - installSource: - type: string - installType: - type: string - status: - enum: - - installed - - already_installed - type: string - required: - - error - - installType - version: + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - percentile_rank + type: string + rank: + default: 0 + description: Percentile Rank + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting type: string required: - - name - - version - - result - title: bulk_install_packages_response_item_success + - field + - operation + title: Percentile Ranks Operation type: object - Kibana_HTTP_APIs_bulk_namespace_customization_request: + Kibana_HTTP_APIs_tagcloudMetricStatsMetric: additionalProperties: false properties: - disable: - description: >- - Namespaces to disable namespace-level customization for on each - package. - items: - type: string - maxItems: 100 - type: array - enable: - description: >- - Namespaces to enable namespace-level customization for on each - package. - items: - type: string - maxItems: 100 - type: array - packages: - description: Package names to apply the customization changes to. 
- items: - type: string - maxItems: 1000 - minItems: 1 - type: array + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - min + - max + - average + - median + - standard_deviation + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string required: - - packages - title: bulk_namespace_customization_request + - field + - operation + title: Stats Metric Operation type: object - Kibana_HTTP_APIs_bulk_namespace_customization_response: + Kibana_HTTP_APIs_tagcloudMetricSumMetric: additionalProperties: false properties: - items: - items: - additionalProperties: false - type: object - properties: - error: - type: string - name: - type: string - namespace_customization_enabled_for: - description: >- - The opt-in list on the package. Returned whenever the package - is installed: the new list on success, or the unchanged list - when the request is rejected (for example, because of a - namespace-prefix restriction). - items: - type: string - maxItems: 100 - type: array - success: - type: boolean - required: - - name - - success - maxItems: 1000 - type: array + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string required: - - items - title: bulk_namespace_customization_response + - field + - operation + title: Sum Metric Operation type: object - Kibana_HTTP_APIs_bulk_rollback_packages_request: + Kibana_HTTP_APIs_tagcloudMetricUniqueCountMetric: additionalProperties: false properties: - packages: + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. + type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - unique_count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Unique Count Metric Operation + type: object + Kibana_HTTP_APIs_tagcloudNoESQL: + additionalProperties: false + description: Tag Cloud configuration using a data view. 
+ properties: + data_source: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' + description: + type: string + drilldowns: items: - additionalProperties: false - type: object - properties: - name: - description: Package name to rollback - type: string - required: - - name - maxItems: 1000 - minItems: 1 + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. + type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. 
Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + hide_border: + type: boolean + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. + type: boolean + metric: + anyOf: + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudMetricCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudMetricUniqueCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudMetricStatsMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudMetricSumMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudMetricLastValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudMetricPercentile' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudMetricPercentileRanks' + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudMetricDifferences' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudMetricMovingAverage' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudMetricCumulativeSum' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudMetricCounterRate' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudMetricFormula' + query: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' type: array - required: - - packages - title: bulk_rollback_packages_request - type: object - Kibana_HTTP_APIs_bulk_rollback_packages_response: - additionalProperties: false - properties: - taskId: + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). 
+ maximum: 1 + minimum: 0 + type: number + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudStyling' + tag_by: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudTagDateHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudTagTerms' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudTagHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudTagRanges' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudTagFilters' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + type: + enum: + - tag_cloud type: string required: - - taskId - title: bulk_rollback_packages_response + - type + - data_source + - metric + - tag_by + title: Tag Cloud Chart (DSL) type: object - Kibana_HTTP_APIs_bulk_uninstall_packages_request: + Kibana_HTTP_APIs_tagcloudStyling: additionalProperties: false + description: Visual chart styling options properties: - force: - default: false - type: boolean - packages: - items: - additionalProperties: false - type: object - properties: - name: - type: string - version: - type: string - required: - - name - - version - maxItems: 1000 - minItems: 1 - type: array - required: - - packages - title: bulk_uninstall_packages_request + caption: + additionalProperties: false + description: Caption configuration representing the metric and the tag_by operations labels + type: object + properties: + visible: + default: true + description: When `true`, displays the caption. + type: boolean + font_size: + additionalProperties: false + description: Font size range for tags. + type: object + properties: + max: + default: 72 + description: Maximum font size. + maximum: 120 + type: number + min: + default: 18 + description: Minimum font size. 
+ minimum: 1 + type: number + orientation: + $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_orientation' + title: Tag cloud styling type: object - Kibana_HTTP_APIs_bulk_upgrade_packages_request: + Kibana_HTTP_APIs_tagcloudTagDateHistogram: additionalProperties: false properties: - force: - default: false + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + drop_partial_intervals: + description: When `true`, drops partial intervals from the results. type: boolean - packages: - items: - additionalProperties: false - type: object - properties: - name: - type: string - version: - type: string - required: - - name - maxItems: 1000 - minItems: 1 - type: array - prerelease: + field: + description: Field to be used for the date histogram. + type: string + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. type: boolean - upgrade_package_policies: + label: + description: Label for the operation + type: string + operation: + enum: + - date_histogram + type: string + suggested_interval: + default: auto + description: Suggested time interval. + type: string + use_original_time_range: default: false + description: When `true`, uses the original time range instead of the current query time range. 
type: boolean required: - - packages - title: bulk_upgrade_packages_request + - operation + - field + title: Date Histogram Operation type: object - Kibana_HTTP_APIs_bulk_upgrade_packages_response: + Kibana_HTTP_APIs_tagcloudTagFilters: additionalProperties: false properties: - taskId: + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + filters: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterWithLabel' + maxItems: 100 + type: array + label: + description: Label for the operation + type: string + operation: + enum: + - filters type: string required: - - taskId - title: bulk_upgrade_packages_response + - operation + - filters + title: Filters Operation type: object - Kibana_HTTP_APIs_category_summary_item: + Kibana_HTTP_APIs_tagcloudTagHistogram: additionalProperties: false properties: - count: - type: number - id: - type: string - parent_id: + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + field: + description: Field to be used for the histogram. type: string - parent_title: + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + granularity: + anyOf: + - description: Granularity of the histogram. + maximum: 7 + minimum: 1 + type: number + - enum: + - auto + type: string + default: auto + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. + type: boolean + label: + description: Label for the operation type: string - title: + operation: + enum: + - histogram type: string required: - - id - - title - - count - title: category_summary_item + - operation + - field + title: Histogram Operation type: object - Kibana_HTTP_APIs_copy_agent_policy_request: + Kibana_HTTP_APIs_tagcloudTagRanges: additionalProperties: false properties: - description: + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + field: + description: Field to be used for the range. 
type: string - name: - minLength: 1 + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string - required: - - name - title: copy_agent_policy_request - type: object - Kibana_HTTP_APIs_create_custom_integration_request: - additionalProperties: false - properties: - datasets: + operation: + enum: + - range + type: string + ranges: items: additionalProperties: false type: object properties: - name: - type: string - type: - enum: - - logs - - metrics - - traces - - synthetics - - profiling + gt: + description: Greater than. + type: number + label: + description: Label. type: string - required: - - name - - type - maxItems: 10 + lte: + description: Less than or equal to. + type: number + maxItems: 100 type: array - force: - type: boolean - integrationName: - type: string required: - - integrationName - - datasets - title: create_custom_integration_request + - operation + - field + - ranges + title: Ranges Operation type: object - Kibana_HTTP_APIs_create_package_policy_request: + Kibana_HTTP_APIs_tagcloudTagTerms: additionalProperties: false properties: - additional_datastreams_permissions: - description: >- - Additional datastream permissions, that will be added to the agent - policy. + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + excludes: + additionalProperties: false + type: object + properties: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to exclude. + type: string + maxItems: 100 + type: array + required: + - values + fields: items: + description: Fields to be used for the terms. type: string - maxItems: 1000 - nullable: true - type: array - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. - nullable: true - type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. 
- maxLength: 255 - minLength: 1 - nullable: true - type: string - condition: - description: >- - **Experimental.** Agent condition expression to evaluate whether to - apply this integration to its inputs. - type: string - description: - description: Package policy description - type: string - enabled: - type: boolean - force: - description: >- - Force package policy creation even if the package is not verified, - or if the agent policy is managed. - type: boolean - global_data_tags: - items: - additionalProperties: false - type: object - properties: - name: - description: The name of the custom field. Cannot contain spaces. - type: string - value: - anyOf: - - type: string - - type: number - description: The value of the custom field. - required: - - name - - value - maxItems: 100 - nullable: true + maxItems: 4 + minItems: 1 type: array - id: - description: Package policy unique identifier - type: string - inputs: - items: - additionalProperties: false - type: object - properties: - condition: - description: >- - **Experimental.** Agent condition expression to evaluate - whether to apply this input. - type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation for more - information) - type: object - deprecated: - $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - condition: - description: >- - **Experimental.** Agent condition expression to evaluate - whether to apply this stream. 
- type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation for more - information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: >- - Variable group selections. Maps var_group name to the - selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation for more - information) - type: object - required: - - enabled - - data_stream - - compiled_stream - - deprecated - maxItems: 1000 - type: array - type: + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + includes: + additionalProperties: false + type: object + properties: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to include. 
type: string - var_group_selections: - additionalProperties: - type: string - description: >- - Variable group selections. Maps var_group name to the selected - option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation for more - information) - type: object - required: - - type - - enabled - - deprecated - maxItems: 1000 - type: array - is_managed: + maxItems: 100 + type: array + required: + - values + increase_accuracy: + description: When `true`, increases accuracy at the cost of performance. type: boolean - name: - description: Unique name for the package policy. - type: string - namespace: - description: >- - The package policy namespace. Leave blank to inherit the agent - policy's namespace. + label: + description: Label for the operation type: string - output_id: - nullable: true + limit: + default: 5 + description: Number of terms to return. + type: number + operation: + enum: + - terms type: string - overrides: + other_bucket: additionalProperties: false - description: >- - Override settings that are defined in the package policy. The - override option should be used only in unusual circumstances and not - as a routine procedure. - nullable: true type: object properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_package' - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. - nullable: true - type: string - policy_ids: - items: - description: >- - IDs of the agent policies which that package policy will be added - to. 
- type: string - maxItems: 1000 - type: array - spaceIds: + include_documents_without_field: + description: When `true`, includes documents that do not have the specified field. + type: boolean + required: + - include_documents_without_field + rank_by: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByAlphabetical' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByRare' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankBySignificant' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomCountOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileRankOperation' + required: + - operation + - fields + title: Terms Operation + type: object + Kibana_HTTP_APIs_termsOperation: + additionalProperties: false + properties: + excludes: + additionalProperties: false + type: object + properties: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to exclude. + type: string + maxItems: 100 + type: array + required: + - values + fields: items: + description: Fields to be used for the terms. type: string - maxItems: 100 + maxItems: 4 + minItems: 1 type: array - supports_agentless: - default: false - deprecated: true - description: >- - Indicates whether the package policy belongs to an agentless agent - policy. Deprecated in favor of the Fleet agentless policies API. - nullable: true - type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. - nullable: true - type: boolean - var_group_selections: - additionalProperties: - type: string - description: >- - Variable group selections. 
Maps var_group name to the selected - option name within that group. + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + includes: + additionalProperties: false type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: + properties: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to include. type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation for more - information) + maxItems: 100 + type: array + required: + - values + increase_accuracy: + description: When `true`, increases accuracy at the cost of performance. + type: boolean + label: + description: Label for the operation + type: string + limit: + default: 5 + description: Number of terms to return. + type: number + operation: + enum: + - terms + type: string + other_bucket: + additionalProperties: false type: object + properties: + include_documents_without_field: + description: When `true`, includes documents that do not have the specified field. 
+ type: boolean + required: + - include_documents_without_field + rank_by: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByAlphabetical' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByRare' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankBySignificant' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomCountOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileRankOperation' required: - - name - - package - - inputs - title: create_package_policy_request + - operation + - fields + title: Terms Operation type: object - Kibana_HTTP_APIs_create_package_policy_response: + Kibana_HTTP_APIs_termsRankByAlphabetical: additionalProperties: false + description: Terms ranked alphabetically. properties: - item: - $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_response' + direction: + $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByAlphabeticalDirection' + type: + enum: + - alphabetical + type: string required: - - item - title: create_package_policy_response + - type + - direction + title: Terms Rank By Alphabetical type: object - Kibana_HTTP_APIs_delete_agent_policy_request: + Kibana_HTTP_APIs_termsRankByAlphabeticalDirection: + description: Sort direction for alphabetical ranking. + enum: + - asc + - desc + title: termsRankByAlphabeticalDirection + type: string + Kibana_HTTP_APIs_termsRankByCustomCountOperation: additionalProperties: false + description: Terms ranked by count, either of all documents or of a specific field. 
properties: - agentPolicyId: - description: The ID of the agent policy + direction: + $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomDirection' + field: + description: Numeric field to be used for the custom operation. + type: string + operation: + enum: + - count + type: string + type: + enum: + - custom + type: string + required: + - type + - direction + - operation + title: Terms Rank By Custom Count Operation + type: object + Kibana_HTTP_APIs_termsRankByCustomDirection: + description: Sort direction for custom ranking. + enum: + - asc + - desc + title: termsRankByCustomDirection + type: string + Kibana_HTTP_APIs_termsRankByCustomOperation: + additionalProperties: false + description: Terms ranked by custom operation. + properties: + direction: + $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomDirection' + field: + description: Numeric field to be used for the custom operation. + type: string + operation: + enum: + - min + - max + - average + - median + - standard_deviation + - unique_count + - sum + - last_value + type: string + type: + enum: + - custom type: string - force: - description: bypass validation checks that can prevent agent policy deletion - type: boolean required: - - agentPolicyId - title: delete_agent_policy_request + - type + - field + - direction + - operation + title: Terms Rank By Custom Operation type: object - Kibana_HTTP_APIs_delete_agent_policy_response: + Kibana_HTTP_APIs_termsRankByMetric: additionalProperties: false + description: Terms ranked by a linked metric. properties: - id: - type: string - name: + direction: + $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByMetricDirection' + metric_index: + default: 0 + description: Zero-based index into the metrics array identifying which metric to rank by. 
+ minimum: 0 + type: number + type: + enum: + - metric type: string required: - - id - - name - title: delete_agent_policy_response + - type + - direction + title: Terms Rank By Metric type: object - Kibana_HTTP_APIs_delete_enrollment_api_key_response: + Kibana_HTTP_APIs_termsRankByMetricDirection: + description: Sort direction for metric-based ranking. + enum: + - asc + - desc + title: termsRankByMetricDirection + type: string + Kibana_HTTP_APIs_termsRankByPercentileOperation: additionalProperties: false + description: Terms ranked by a percentile of a numeric field, for example the 95th percentile of response time. properties: - action: + direction: + $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomDirection' + field: + description: Numeric field to be used for the custom operation. + type: string + operation: enum: - - deleted + - percentile + type: string + percentile: + default: 95 + description: The percentile threshold (0–100) at which to compute the field value used for ranking terms. + type: number + type: + enum: + - custom type: string required: - - action - title: delete_enrollment_api_key_response + - type + - field + - direction + - operation + title: Terms Rank By Percentile Operation type: object - Kibana_HTTP_APIs_delete_one_package_policy_response: + Kibana_HTTP_APIs_termsRankByPercentileRankOperation: additionalProperties: false + description: 'Terms ranked by the percentile rank of a single value: the proportion of field values at or below that value.' properties: - id: + direction: + $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomDirection' + field: + description: Numeric field to be used for the custom operation. + type: string + operation: + enum: + - percentile_rank + type: string + rank: + default: 0 + description: The numeric value for which to compute the percentile rank (the percentage of field values at or below this value). 
+ type: number + type: + enum: + - custom type: string required: - - id - title: delete_one_package_policy_response + - type + - field + - direction + - operation + title: Terms Rank By Percentile Rank Operation type: object - Kibana_HTTP_APIs_delete_package_datastream_assets_response: + Kibana_HTTP_APIs_termsRankByRare: additionalProperties: false + description: Terms ranked by rarity. properties: - success: - type: boolean + max: + description: Maximum number of rare terms to include. + type: number + type: + enum: + - rare + type: string required: - - success - title: delete_package_datastream_assets_response + - type + - max + title: Terms Rank By Rarity type: object - Kibana_HTTP_APIs_delete_package_policies_request: + Kibana_HTTP_APIs_termsRankBySignificant: additionalProperties: false + description: Terms ranked by significance. properties: - force: - type: boolean - packagePolicyIds: - items: - type: string - maxItems: 1000 - type: array + type: + enum: + - significant + type: string required: - - packagePolicyIds - title: delete_package_policies_request + - type + title: Terms Rank By Significance type: object - Kibana_HTTP_APIs_delete_package_response: + Kibana_HTTP_APIs_transform-health-create-rule-body-alerting: additionalProperties: false properties: - items: + actions: + default: [] items: - anyOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_kibana_asset_reference' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_es_asset_reference' - maxItems: 10000 + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' type: array - required: - - items - title: delete_package_response - type: object - Kibana_HTTP_APIs_deprecation_info: - additionalProperties: false - properties: - description: + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. 
+ type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string - replaced_by: - additionalProperties: - type: string + enabled: + default: true + description: Indicates whether you want the rule to run on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how frequently rule actions are triggered. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' 
+ enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the transform health rule. These parameters are appropriate when `rule_type_id` is `transform_health`. + properties: + excludeTransforms: + default: [] + items: + type: string + nullable: true + type: array + includeTransforms: + items: + type: string + type: array + testsConfig: + additionalProperties: false + nullable: true + type: object + properties: + errorMessages: + additionalProperties: false + nullable: true + type: object + properties: + enabled: + default: false + type: boolean + healthCheck: + additionalProperties: false + nullable: true + type: object + properties: + enabled: + default: true + type: boolean + notStarted: + additionalProperties: false + nullable: true + type: object + properties: + enabled: + default: true + type: boolean + required: + - notStarted + - errorMessages + - healthCheck + required: + - includeTransforms + - testsConfig + title: Transform Health Rule Params type: object - since: + rule_type_id: + enum: + - transform_health type: string - required: - - description - title: deprecation_info - type: object - x-oas-optional: true - Kibana_HTTP_APIs_dry_run_package_policies_request: - additionalProperties: false - properties: - packagePolicyIds: + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. items: type: string - maxItems: 1000 type: array - packageVersion: + throttle: + description: Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how frequently rule actions are triggered. 
You cannot specify the throttle interval at both the rule and action level. If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. + nullable: true type: string required: - - packagePolicyIds - title: dry_run_package_policies_request + - name + - consumer + - schedule + - rule_type_id + - params + title: Transform health type: object - Kibana_HTTP_APIs_dry_run_package_policy: - additionalProperties: true + Kibana_HTTP_APIs_treemapESQL: + additionalProperties: false + description: Treemap chart configuration schema for ES|QL queries, defining metrics and breakdown dimensions using column-based configuration properties: - additional_datastreams_permissions: - description: >- - Additional datastream permissions, that will be added to the agent - policy. - items: - type: string - maxItems: 1000 - nullable: true - type: array - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. - nullable: true - type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. - maxLength: 255 - minLength: 1 - nullable: true - type: string - condition: - description: >- - **Experimental.** Agent condition expression to evaluate whether to - apply this integration to its inputs. 
- type: string - created_at: - type: string - created_by: - type: string + data_source: + $ref: '#/components/schemas/Kibana_HTTP_APIs_esqlDataSource' description: - description: Package policy description type: string - elasticsearch: - additionalProperties: true - type: object - properties: - privileges: - additionalProperties: true - type: object - properties: - cluster: - items: + drilldowns: + items: + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: type: string - maxItems: 100 - type: array - enabled: - type: boolean - errors: + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. + type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. 
Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + group_by: + description: Array of breakdown dimensions (minimum 1) items: additionalProperties: false type: object properties: - key: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + column: + description: Column to use type: string - message: + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string required: - - message - maxItems: 10 + - column + maxItems: 100 + minItems: 1 type: array - force: + hide_border: type: boolean - global_data_tags: + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. + type: boolean + legend: + $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapLegend' + metrics: + description: Array of metric configurations (minimum 1) items: additionalProperties: false type: object properties: - name: - description: The name of the custom field. Cannot contain spaces. - type: string - value: + color: anyOf: - - type: string - - type: number - description: The value of the custom field. 
+ - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + column: + description: Column to use + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string required: - - name - - value + - column maxItems: 100 - nullable: true + minItems: 1 type: array - id: + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). + maximum: 1 + minimum: 0 + type: number + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapStyling' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: type: string - inputs: + type: + enum: + - treemap + type: string + required: + - type + - data_source + - metrics + title: Treemap Chart (ES|QL) + type: object + Kibana_HTTP_APIs_treemapGroupByDateHistogram: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + drop_partial_intervals: + description: When `true`, drops partial intervals from the results. + type: boolean + field: + description: Field to be used for the date histogram. + type: string + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. + type: boolean + label: + description: Label for the operation + type: string + operation: + enum: + - date_histogram + type: string + suggested_interval: + default: auto + description: Suggested time interval. + type: string + use_original_time_range: + default: false + description: When `true`, uses the original time range instead of the current query time range. 
+ type: boolean + required: + - operation + - field + title: Date Histogram Operation + type: object + Kibana_HTTP_APIs_treemapGroupByFilters: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + filters: items: - additionalProperties: false - type: object - properties: - compiled_input: - nullable: true - condition: - description: >- - **Experimental.** Agent condition expression to evaluate - whether to apply this input. - type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation for more - information) - type: object - deprecated: - $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - condition: - description: >- - **Experimental.** Agent condition expression to evaluate - whether to apply this stream. 
- type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation for more - information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: >- - Variable group selections. Maps var_group name to the - selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation for more - information) - type: object - required: - - enabled - - data_stream - - compiled_stream - - deprecated - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: >- - Variable group selections. Maps var_group name to the selected - option name within that group. 
- type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation for more - information) - type: object - required: - - type - - enabled - - streams - - deprecated - - compiled_input + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterWithLabel' maxItems: 100 type: array - is_managed: + label: + description: Label for the operation + type: string + operation: + enum: + - filters + type: string + required: + - operation + - filters + title: Filters Operation + type: object + Kibana_HTTP_APIs_treemapGroupByHistogram: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + field: + description: Field to be used for the histogram. + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + granularity: + anyOf: + - description: Granularity of the histogram. + maximum: 7 + minimum: 1 + type: number + - enum: + - auto + type: string + default: auto + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. type: boolean - missingVars: - items: - type: string - maxItems: 100 - type: array - name: - description: Unique name for the package policy. + label: + description: Label for the operation type: string - namespace: - description: >- - The package policy namespace. Leave blank to inherit the agent - policy's namespace. 
+ operation: + enum: + - histogram type: string - output_id: - nullable: true + required: + - operation + - field + title: Histogram Operation + type: object + Kibana_HTTP_APIs_treemapGroupByRanges: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + field: + description: Field to be used for the range. type: string - overrides: - additionalProperties: false - description: >- - Override settings that are defined in the package policy. The - override option should be used only in unusual circumstances and not - as a routine procedure. - nullable: true - type: object - properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_package' - package_agent_version_condition: + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. - nullable: true + operation: + enum: + - range type: string - policy_ids: - items: - description: >- - IDs of the agent policies which that package policy will be added - to. - type: string - maxItems: 1000 - type: array - revision: - type: number - secret_references: + ranges: items: additionalProperties: false type: object properties: - id: + gt: + description: Greater than. + type: number + label: + description: Label. type: string - required: - - id - maxItems: 1000 + lte: + description: Less than or equal to. + type: number + maxItems: 100 type: array - supports_agentless: - default: false - description: >- - Indicates whether the package policy belongs to an agentless agent - policy. 
- nullable: true - type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. - nullable: true - type: boolean - updated_at: - type: string - updated_by: - type: string - var_group_selections: - additionalProperties: - type: string - description: >- - Variable group selections. Maps var_group name to the selected - option name within that group. + required: + - operation + - field + - ranges + title: Ranges Operation + type: object + Kibana_HTTP_APIs_treemapGroupByTerms: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + excludes: + additionalProperties: false type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: + properties: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to exclude. type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation for more - information) + maxItems: 100 + type: array + required: + - values + fields: + items: + description: Fields to be used for the terms. + type: string + maxItems: 4 + minItems: 1 + type: array + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + includes: + additionalProperties: false type: object - version: - description: Package policy ES version. + properties: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to include. + type: string + maxItems: 100 + type: array + required: + - values + increase_accuracy: + description: When `true`, increases accuracy at the cost of performance. 
+ type: boolean + label: + description: Label for the operation + type: string + limit: + default: 5 + description: Number of terms to return. + type: number + operation: + enum: + - terms type: string + other_bucket: + additionalProperties: false + type: object + properties: + include_documents_without_field: + description: When `true`, includes documents that do not have the specified field. + type: boolean + required: + - include_documents_without_field + rank_by: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByAlphabetical' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByRare' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankBySignificant' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomCountOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileRankOperation' required: - - name - - enabled - - package - - inputs - title: dry_run_package_policy + - operation + - fields + title: Terms Operation type: object - Kibana_HTTP_APIs_enrollment_api_key: + Kibana_HTTP_APIs_treemapLegend: additionalProperties: false + description: Configuration for the treemap chart legend appearance and behavior properties: - active: - description: >- - When false, the enrollment API key is revoked and cannot be used for - enrolling Elastic Agents. + nested: + description: Show nested legend with hierarchical breakdown levels type: boolean - api_key: - description: The enrollment API key (token) used for enrolling Elastic Agents. + size: + $ref: '#/components/schemas/Kibana_HTTP_APIs_legendSize' + truncate_after_lines: + description: Number of lines before legend items are truncated. 
+ maximum: 10 + minimum: 1 + title: legendTruncateAfterLines + type: number + visibility: + description: Legend visibility. + enum: + - auto + - visible + - hidden type: string - api_key_id: - description: The ID of the API key in the Security API. + title: Legend + type: object + Kibana_HTTP_APIs_treemapMetricCounterRate: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric type: string - created_at: + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string - hidden: + operation: + enum: + - counter_rate + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Counter Rate Operation + type: object + Kibana_HTTP_APIs_treemapMetricCountMetric: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. type: boolean - id: + field: + description: Field to be used for the metric type: string - name: - description: The name of the enrollment API key. 
+ filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string - policy_id: - description: The ID of the agent policy the Elastic Agent will be enrolled in. + operation: + enum: + - count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting type: string required: - - id - - api_key_id - - api_key - - active - - created_at - title: enrollment_api_key + - operation + title: Count Metric Operation type: object - Kibana_HTTP_APIs_enrollment_api_key_response: + Kibana_HTTP_APIs_treemapMetricCumulativeSum: additionalProperties: false properties: - action: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: enum: - - created + - cumulative_sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting type: string - item: - $ref: '#/components/schemas/Kibana_HTTP_APIs_enrollment_api_key' required: - - item - - action - title: enrollment_api_key_response + - field + - operation + title: Cumulative Sum Operation type: object - Kibana_HTTP_APIs_es_asset_reference: + 
Kibana_HTTP_APIs_treemapMetricDifferences: additionalProperties: false properties: - deferred: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - differences + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - operation + - of + title: Differences Operation + type: object + Kibana_HTTP_APIs_treemapMetricFormula: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + formula: + description: Formula + type: string + label: + description: Label for the operation + type: string + operation: + enum: + - formula + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + description: Time scale + enum: + - s + - m + - h + - d + type: string + required: + - operation + - formula + title: Formula Operation + type: object + Kibana_HTTP_APIs_treemapMetricLastValue: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + 
description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + multi_value: + default: false + description: Whether to return all values for multi-value fields. Only affects data table and metric charts; other charts use the last value from the array. type: boolean - id: + operation: + enum: + - last_value type: string - type: + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_field: + description: Time field used to determine document recency + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + - time_field + title: Last Value Operation + type: object + Kibana_HTTP_APIs_treemapMetricMovingAverage: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: enum: - - index - - index_template - - component_template - - ingest_pipeline - - ilm_policy - - data_stream_ilm_policy - - transform - - ml_model - - knowledge_base - - esql_view + - moving_average type: string - version: + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time 
shift + title: Operation Time Shift Setting type: string + window: + default: 5 + description: Window + type: number required: - - id - - type - title: es_asset_reference + - operation + - of + title: Moving Average Operation type: object - Kibana_HTTP_APIs_full_agent_policy: + Kibana_HTTP_APIs_treemapMetricPercentile: additionalProperties: false properties: - agent: - additionalProperties: false - type: object - properties: - download: - additionalProperties: false - type: object - properties: - auth: - additionalProperties: false - type: object - properties: - api_key: - type: string - headers: - items: - additionalProperties: false - type: object - properties: - key: - type: string - value: - type: string - required: - - key - - value - maxItems: 100 - type: array - password: - type: string - username: - type: string - proxy_headers: - additionalProperties: - anyOf: - - type: string - - type: boolean - - type: number - nullable: true - type: object - proxy_url: - type: string - secrets: - additionalProperties: true - type: object - properties: - ssl: - additionalProperties: true - type: object - properties: - key: - additionalProperties: true - type: object - properties: - id: - type: string - required: - - key - sourceURI: - type: string - ssl: - additionalProperties: false - type: object - properties: - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - key: - type: string - renegotiation: - type: string - verification_mode: - type: string - target_directory: - type: string - timeout: - type: string - required: - - sourceURI - features: - additionalProperties: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - required: - - enabled - type: object - internal: - nullable: true - limits: - additionalProperties: false - type: object - properties: - go_max_procs: - type: number - logging: - additionalProperties: false - type: object - properties: - files: - 
additionalProperties: false - type: object - properties: - interval: - type: string - keepfiles: - type: number - rotateeverybytes: - type: number - level: - type: string - metrics: - additionalProperties: false - type: object - properties: - period: - type: string - to_files: - type: boolean - monitoring: - additionalProperties: false - type: object - properties: - _runtime_experimental: - type: string - apm: - nullable: true - diagnostics: - additionalProperties: false - type: object - properties: - limit: - additionalProperties: false - type: object - properties: - burst: - type: number - interval: - type: string - uploader: - additionalProperties: false - type: object - properties: - init_dur: - type: string - max_dur: - type: string - max_retries: - type: number - enabled: - type: boolean - http: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - host: - type: string - port: - type: number - logs: - type: boolean - metrics: - type: boolean - namespace: - type: string - pprof: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - required: - - enabled - traces: - type: boolean - use_output: - type: string - required: - - enabled - - metrics - - logs - - traces - - apm - protection: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - signing_key: - type: string - uninstall_token_hash: - type: string - required: - - enabled - - uninstall_token_hash - - signing_key - required: - - monitoring - - download - - features - - internal - connectors: - additionalProperties: - nullable: true - type: object - exporters: - additionalProperties: - nullable: true - type: object - extensions: - additionalProperties: - nullable: true - type: object - fleet: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + 
filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - percentile + type: string + percentile: + default: 95 + description: Percentile + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Percentile Operation + type: object + Kibana_HTTP_APIs_treemapMetricPercentileRanks: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - percentile_rank + type: string + rank: + default: 0 + description: Percentile Rank + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Percentile Ranks Operation + type: object + Kibana_HTTP_APIs_treemapMetricStatsMetric: + additionalProperties: false + properties: + color: anyOf: - - additionalProperties: false - type: object - properties: - hosts: - items: - type: string - maxItems: 100 - type: array - proxy_headers: - additionalProperties: - anyOf: - - 
type: string - - type: boolean - - type: number - nullable: true - type: object - proxy_url: - type: string - secrets: - additionalProperties: true - type: object - properties: - ssl: - additionalProperties: true - type: object - properties: - key: - additionalProperties: true - type: object - properties: - id: - type: string - required: - - key - ssl: - additionalProperties: false - type: object - properties: - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - key: - type: string - renegotiation: - type: string - verification_mode: - type: string - required: - - hosts - - additionalProperties: false - type: object - properties: - kibana: - additionalProperties: false - type: object - properties: - hosts: - items: - type: string - maxItems: 100 - type: array - path: - type: string - protocol: - type: string - required: - - hosts - - protocol - required: - - kibana - id: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric type: string - inputs: + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - min + - max + - average + - median + - standard_deviation + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Stats Metric Operation + type: object + Kibana_HTTP_APIs_treemapMetricSumMetric: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - 
$ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. + type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Sum Metric Operation + type: object + Kibana_HTTP_APIs_treemapMetricUniqueCountMetric: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - unique_count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Unique Count Metric Operation + type: object + Kibana_HTTP_APIs_treemapNoESQL: + additionalProperties: false + description: Treemap chart configuration schema for data source queries (non-ES|QL mode), defining metrics and breakdown dimensions + properties: + data_source: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' + description: + type: string + drilldowns: items: - additionalProperties: true - type: object - properties: - data_stream: - additionalProperties: true + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. 
+ type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown type: object + - additionalProperties: false properties: - namespace: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown type: string required: - - namespace - id: - type: string - meta: - additionalProperties: true + - label + - trigger + - type + title: discover_drilldown type: object + - additionalProperties: false properties: - package: - additionalProperties: true - type: object - properties: - name: - type: string - version: - type: string - required: - - name - - version - name: - type: string - package_policy_id: - type: string - processors: - items: - additionalProperties: true - type: object - properties: - add_fields: - additionalProperties: true - type: object - properties: - fields: - additionalProperties: - anyOf: - - type: string - - type: number - type: object - target: - type: string - required: - - target - - fields - required: - - add_fields - maxItems: 10000 - type: array - revision: - type: number - streams: - items: - additionalProperties: true - type: object - properties: - data_stream: - additionalProperties: true + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. 
Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + group_by: + description: Array of breakdown dimensions (minimum 1) + items: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapGroupByDateHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapGroupByTerms' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapGroupByHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapGroupByRanges' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapGroupByFilters' + maxItems: 100 + minItems: 1 + type: array + hide_border: + type: boolean + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. 
+ type: boolean + legend: + $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapLegend' + metrics: + description: Array of metric configurations (minimum 1) + items: + anyOf: + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapMetricCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapMetricUniqueCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapMetricStatsMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapMetricSumMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapMetricLastValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapMetricPercentile' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapMetricPercentileRanks' + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapMetricDifferences' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapMetricMovingAverage' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapMetricCumulativeSum' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapMetricCounterRate' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapMetricFormula' + maxItems: 100 + minItems: 1 + type: array + query: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). 
+ maximum: 1 + minimum: 0 + type: number + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapStyling' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + type: + enum: + - treemap + type: string + required: + - type + - data_source + - metrics + title: Treemap Chart (DSL) + type: object + Kibana_HTTP_APIs_treemapStyling: + additionalProperties: false + description: Visual chart styling options + properties: + labels: + additionalProperties: false + description: Labels configuration + type: object + properties: + visible: + description: Show category labels + type: boolean + values: + $ref: '#/components/schemas/Kibana_HTTP_APIs_valueDisplay' + title: Treemap styling + type: object + Kibana_HTTP_APIs_unassignedColorSchema: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorFromPalette' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_color_code' + description: The color to use for unassigned values. + title: unassignedColorSchema + Kibana_HTTP_APIs_uniqueCountMetricOperation: + additionalProperties: false + properties: + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - unique_count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Unique Count Metric Operation + type: object + Kibana_HTTP_APIs_update_maintenance_window: + additionalProperties: false + properties: + enabled: + description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications. + type: boolean + schedule: + additionalProperties: false + type: object + properties: + custom: + $ref: '#/components/schemas/Kibana_HTTP_APIs_maintenance_window_schedule_request' + required: + - custom + scope: + $ref: '#/components/schemas/Kibana_HTTP_APIs_maintenance_window_scope' + title: + description: The name of the maintenance window. While this name does not have to be unique, a distinctive name can help you identify a specific maintenance window. 
+ type: string + title: update_maintenance_window + type: object + Kibana_HTTP_APIs_update_output_elasticsearch: + additionalProperties: false + properties: + allow_edit: + items: + type: string + maxItems: 1000 + type: array + ca_sha256: + nullable: true + type: string + ca_trusted_fingerprint: + nullable: true + type: string + config_yaml: + nullable: true + type: string + hosts: + items: + format: uri + type: string + maxItems: 10 + minItems: 1 + type: array + id: + type: string + is_default: + type: boolean + is_default_monitoring: + type: boolean + is_internal: + type: boolean + is_preconfigured: + type: boolean + name: + type: string + otel_disable_beatsauth: + nullable: true + type: boolean + otel_exporter_config_yaml: + nullable: true + type: string + preset: + enum: + - balanced + - custom + - throughput + - scale + - latency + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + ssl: + additionalProperties: false + type: object + properties: + key: + anyOf: + - additionalProperties: false type: object properties: - dataset: + hash: type: string - type: + id: type: string required: - - dataset - id: - type: string - required: - - id - - data_stream - maxItems: 10000 - type: array - type: - type: string - use_output: - type: string - required: - - id - - name - - revision - - type - - data_stream - - use_output - - package_policy_id - maxItems: 10000 - type: array - namespaces: + - id + - type: string + shipper: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' + nullable: true + ssl: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + nullable: true + type: + enum: + - elasticsearch + type: string + write_to_logs_streams: + nullable: true + type: boolean + title: update_output_elasticsearch + type: object + Kibana_HTTP_APIs_update_output_kafka: + additionalProperties: false + properties: + allow_edit: items: type: string - maxItems: 100 + 
maxItems: 1000 type: array - output_permissions: - additionalProperties: - additionalProperties: - nullable: true - type: object - type: object - outputs: - additionalProperties: - additionalProperties: true - type: object - properties: - ca_sha256: - nullable: true - type: string - hosts: - items: - type: string - maxItems: 100 - type: array - proxy_headers: - additionalProperties: - anyOf: - - type: string - - type: boolean - - type: number - nullable: true - type: object - proxy_url: - type: string - type: - type: string - required: - - type - type: object - processors: - additionalProperties: - nullable: true - type: object - receivers: - additionalProperties: - nullable: true - type: object - revision: + auth_type: + enum: + - none + - user_pass + - ssl + - kerberos + type: string + broker_timeout: type: number - secret_references: + ca_sha256: + nullable: true + type: string + ca_trusted_fingerprint: + nullable: true + type: string + client_id: + type: string + compression: + enum: + - gzip + - snappy + - lz4 + - none + type: string + compression_level: + nullable: true + type: number + config_yaml: + nullable: true + type: string + connection_type: + enum: + - plaintext + - encryption + type: string + hash: + additionalProperties: false + type: object + properties: + hash: + type: string + random: + type: boolean + headers: items: additionalProperties: false type: object properties: - id: + key: + type: string + value: type: string required: - - id - maxItems: 10000 + - key + - value + maxItems: 100 type: array - service: + hosts: + items: + type: string + maxItems: 10 + minItems: 1 + type: array + id: + type: string + is_default: + default: false + type: boolean + is_default_monitoring: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + type: boolean + key: + type: string + name: + type: string + otel_disable_beatsauth: + nullable: true + type: boolean + otel_exporter_config_yaml: + nullable: true + type: string + 
partition: + enum: + - random + - round_robin + - hash + type: string + password: + nullable: true + type: string + proxy_id: + nullable: true + type: string + random: additionalProperties: false type: object properties: - extensions: - items: - type: string - maxItems: 1000 - type: array - pipelines: - additionalProperties: - additionalProperties: false - type: object - properties: - exporters: - items: - type: string - maxItems: 1000 - type: array - processors: - items: - type: string - maxItems: 1000 - type: array - receivers: - items: - type: string - maxItems: 1000 - type: array - x-oas-optional: true - type: object - signed: + group_events: + type: number + required_acks: + enum: + - 1 + - 0 + - -1 + type: integer + round_robin: additionalProperties: false type: object properties: - data: - type: string - signature: - type: string - required: - - data - - signature - required: - - id - - outputs - - inputs - title: full_agent_policy - type: object - Kibana_HTTP_APIs_get_agent_policy_outputs_response: - additionalProperties: false - properties: - item: + group_events: + type: number + sasl: additionalProperties: false + nullable: true type: object properties: - agentPolicyId: + mechanism: + enum: + - PLAIN + - SCRAM-SHA-256 + - SCRAM-SHA-512 type: string - data: - additionalProperties: false - type: object - properties: - integrations: - items: - additionalProperties: false - type: object - properties: - id: - type: string - integrationPolicyName: - type: string - name: - type: string - pkgName: - type: string - maxItems: 1000 - type: array - output: - additionalProperties: false + secrets: + additionalProperties: false + type: object + properties: + password: + anyOf: + - additionalProperties: false type: object properties: - id: + hash: type: string - name: + id: type: string required: - id - - name - required: - - output - monitoring: + - type: string + ssl: additionalProperties: false type: object properties: - output: - additionalProperties: false - type: 
object - properties: - id: - type: string - name: - type: string - required: - - id - - name + key: + anyOf: + - additionalProperties: false + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string required: - - output - required: - - monitoring - - data - required: - - item - title: get_agent_policy_outputs_response - type: object - Kibana_HTTP_APIs_get_agent_policy_response: - additionalProperties: false - properties: - item: - $ref: '#/components/schemas/Kibana_HTTP_APIs_agent_policy_response' + - key + shipper: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' + nullable: true + ssl: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + nullable: true + timeout: + type: number + topic: + type: string + type: + enum: + - kafka + type: string + username: + nullable: true + type: string + version: + type: string required: - - item - title: get_agent_policy_response + - name + title: update_output_kafka type: object - Kibana_HTTP_APIs_get_bulk_assets_request: + Kibana_HTTP_APIs_update_output_logstash: additionalProperties: false properties: - assetIds: + allow_edit: items: - additionalProperties: false - type: object - properties: - id: - type: string - type: - type: string - required: - - id - - type - maxItems: 10000 + type: string + maxItems: 1000 type: array - required: - - assetIds - title: get_bulk_assets_request - type: object - Kibana_HTTP_APIs_get_bulk_assets_response: - additionalProperties: false - properties: - items: + ca_sha256: + nullable: true + type: string + ca_trusted_fingerprint: + nullable: true + type: string + config_yaml: + nullable: true + type: string + hosts: items: - additionalProperties: false - type: object - properties: - appLink: - type: string - attributes: - additionalProperties: false - type: object - properties: - description: - type: string - service: - type: string - title: - type: string - id: - type: string - type: - type: string - 
updatedAt: - type: string - required: - - id - - type - - attributes - maxItems: 10000 + type: string + maxItems: 10 + minItems: 1 type: array - required: - - items - title: get_bulk_assets_response + id: + type: string + is_default: + type: boolean + is_default_monitoring: + type: boolean + is_internal: + type: boolean + is_preconfigured: + type: boolean + name: + type: string + otel_disable_beatsauth: + nullable: true + type: boolean + otel_exporter_config_yaml: + nullable: true + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + ssl: + additionalProperties: false + type: object + properties: + key: + anyOf: + - additionalProperties: false + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + shipper: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' + nullable: true + ssl: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + nullable: true + type: + enum: + - logstash + type: string + title: update_output_logstash type: object - Kibana_HTTP_APIs_get_categories_response: + Kibana_HTTP_APIs_update_output_remote_elasticsearch: additionalProperties: false properties: - items: + allow_edit: items: - $ref: '#/components/schemas/Kibana_HTTP_APIs_category_summary_item' - maxItems: 10000 + type: string + maxItems: 1000 type: array - required: - - items - title: get_categories_response - type: object - Kibana_HTTP_APIs_get_data_streams_response: - additionalProperties: false - properties: - items: + ca_sha256: + nullable: true + type: string + ca_trusted_fingerprint: + nullable: true + type: string + config_yaml: + nullable: true + type: string + hosts: items: - additionalProperties: false - type: object - properties: - name: - type: string - required: - - name - maxItems: 10000 + format: uri + type: string + maxItems: 10 + minItems: 1 type: array - required: - - items - title: 
get_data_streams_response + id: + type: string + is_default: + type: boolean + is_default_monitoring: + type: boolean + is_internal: + type: boolean + is_preconfigured: + type: boolean + kibana_api_key: + nullable: true + type: string + kibana_url: + nullable: true + type: string + name: + type: string + otel_disable_beatsauth: + nullable: true + type: boolean + otel_exporter_config_yaml: + nullable: true + type: string + preset: + enum: + - balanced + - custom + - throughput + - scale + - latency + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + service_token: + anyOf: + - additionalProperties: false + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + key: + anyOf: + - additionalProperties: false + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + service_token: + nullable: true + type: string + shipper: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' + nullable: true + ssl: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + nullable: true + sync_integrations: + type: boolean + sync_uninstalled_integrations: + type: boolean + type: + enum: + - remote_elasticsearch + type: string + write_to_logs_streams: + nullable: true + type: boolean + title: update_output_remote_elasticsearch type: object - Kibana_HTTP_APIs_get_dependencies_response: + Kibana_HTTP_APIs_update_package_policy_request: additionalProperties: false properties: - items: + additional_datastreams_permissions: + description: Additional data stream permissions that will be added to the agent policy. + items: + type: string + maxItems: 1000 + nullable: true + type: array + cloud_connector_id: + description: ID of the cloud connector associated with this package policy. 
+ nullable: true + type: string + cloud_connector_name: + description: Transient field for cloud connector name during creation. + maxLength: 255 + minLength: 1 + nullable: true + type: string + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this integration to its inputs.' + type: string + description: + description: Package policy description + type: string + enabled: + type: boolean + force: + type: boolean + global_data_tags: items: additionalProperties: false type: object properties: name: + description: The name of the custom field. Cannot contain spaces. type: string - title: - type: string - version: - type: string + value: + anyOf: + - type: string + - type: number + description: The value of the custom field. required: - name - - version - - title - maxItems: 1000 + - value + maxItems: 100 + nullable: true type: array - required: - - items - title: get_dependencies_response - type: object - Kibana_HTTP_APIs_get_full_agent_policy_response: - additionalProperties: false - properties: - item: - anyOf: - - type: string - - $ref: '#/components/schemas/Kibana_HTTP_APIs_full_agent_policy' - required: - - item - title: get_full_agent_policy_response - type: object - Kibana_HTTP_APIs_get_info_response: - additionalProperties: false - properties: - item: - $ref: '#/components/schemas/Kibana_HTTP_APIs_get_package_info' - metadata: - $ref: '#/components/schemas/Kibana_HTTP_APIs_package_metadata' - required: - - item - - metadata - title: get_info_response - type: object - Kibana_HTTP_APIs_get_inputs_response: - additionalProperties: false - properties: - connectors: - additionalProperties: - nullable: true - type: object - exporters: - additionalProperties: - nullable: true - type: object - extensions: - additionalProperties: - nullable: true - type: object inputs: items: additionalProperties: false type: object properties: + condition: + description: '**Experimental.** Agent condition expression to evaluate 
whether to apply this input.' + type: string + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + type: boolean id: type: string + keep_enabled: + type: boolean + migrate_from: + type: string + name: + type: string + policy_template: + type: string streams: items: - additionalProperties: true + additionalProperties: false type: object properties: + compiled_stream: + nullable: true + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' + type: string + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object data_stream: - additionalProperties: true + additionalProperties: false type: object properties: dataset: type: string + elasticsearch: + additionalProperties: false + type: object + properties: + dynamic_dataset: + type: boolean + dynamic_namespace: + type: boolean + privileges: + additionalProperties: false + type: object + properties: + indices: + items: + type: string + maxItems: 100 + type: array type: type: string required: - dataset + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + type: boolean id: type: string + keep_enabled: + type: boolean + migrate_from: + type: string + release: + enum: + - ga + - beta + - experimental + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. 
Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object required: - - id + - enabled - data_stream - maxItems: 10000 + - compiled_stream + maxItems: 1000 type: array type: type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object required: - - id - type - maxItems: 10000 + - enabled + maxItems: 1000 type: array - processors: - additionalProperties: - nullable: true - type: object - receivers: - additionalProperties: - nullable: true - type: object - service: + is_managed: + type: boolean + name: + type: string + namespace: + description: The package policy namespace. Leave blank to inherit the agent policy's namespace. + type: string + output_id: + nullable: true + type: string + overrides: additionalProperties: false + description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. 
+ nullable: true type: object properties: - extensions: - items: - type: string - maxItems: 1000 - type: array - pipelines: + inputs: additionalProperties: - additionalProperties: false - type: object - properties: - exporters: - items: - type: string - maxItems: 1000 - type: array - processors: - items: - type: string - maxItems: 1000 - type: array - receivers: - items: - type: string - maxItems: 1000 - type: array - x-oas-optional: true + nullable: true type: object - required: - - inputs - title: get_inputs_response - type: object - Kibana_HTTP_APIs_get_installed_packages_response: - additionalProperties: false - properties: - items: - items: - $ref: '#/components/schemas/Kibana_HTTP_APIs_installed_package' - maxItems: 10000 - type: array - searchAfter: - items: - anyOf: - - type: string - - type: number - - type: boolean - - nullable: true - nullable: true - maxItems: 2 - type: array - total: - type: number - required: - - items - - total - title: get_installed_packages_response - type: object - Kibana_HTTP_APIs_get_k8s_manifest_response: - additionalProperties: false - properties: - item: + package: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_package' + package_agent_version_condition: type: string - required: - - item - title: get_k8s_manifest_response - type: object - Kibana_HTTP_APIs_get_limited_packages_response: - additionalProperties: false - properties: - items: - items: - type: string - maxItems: 10000 - type: array - required: - - items - title: get_limited_packages_response - type: object - Kibana_HTTP_APIs_get_list_agent_policy_outputs_request: - additionalProperties: false - properties: - ids: - description: list of package policy ids + policy_id: + deprecated: true + description: ID of the agent policy which the package policy will be added to. + nullable: true + type: string + policy_ids: items: + description: IDs of the agent policies that the package policy will be added to. 
type: string maxItems: 1000 type: array - required: - - ids - title: get_list_agent_policy_outputs_request - type: object - Kibana_HTTP_APIs_get_list_agent_policy_outputs_response: - additionalProperties: false - properties: - items: + spaceIds: items: - additionalProperties: false - type: object - properties: - agentPolicyId: - type: string - data: - additionalProperties: false - type: object - properties: - integrations: - items: - additionalProperties: false - type: object - properties: - id: - type: string - integrationPolicyName: - type: string - name: - type: string - pkgName: - type: string - maxItems: 1000 - type: array - output: - additionalProperties: false - type: object - properties: - id: - type: string - name: - type: string - required: - - id - - name - required: - - output - monitoring: - additionalProperties: false - type: object - properties: - output: - additionalProperties: false - type: object - properties: - id: - type: string - name: - type: string - required: - - id - - name - required: - - output - required: - - monitoring - - data - maxItems: 10000 + type: string + maxItems: 100 type: array - required: - - items - title: get_list_agent_policy_outputs_response - type: object - Kibana_HTTP_APIs_get_one_bulk_operation_packages_response: - additionalProperties: false - properties: - error: - additionalProperties: false + supports_agentless: + default: false + description: Indicates whether the package policy belongs to an agentless agent policy. + nullable: true + type: boolean + supports_cloud_connector: + default: false + description: Indicates whether the package policy supports cloud connectors. + nullable: true + type: boolean + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. 
type: object - properties: - message: - type: string - required: - - message - results: - items: + vars: + additionalProperties: additionalProperties: false type: object properties: - error: - additionalProperties: false - type: object - properties: - message: - type: string - required: - - message - name: - type: string - success: + frozen: type: boolean + type: + type: string + value: + nullable: true required: - - name - - success - maxItems: 10000 - type: array - status: + - value + description: Package variable (see integration documentation for more information) + type: object + version: type: string - required: - - status - title: get_one_bulk_operation_packages_response + title: update_package_policy_request type: object - Kibana_HTTP_APIs_get_package_info: - additionalProperties: true + Kibana_HTTP_APIs_update_package_request: + additionalProperties: false properties: - agent: - additionalProperties: false - type: object - properties: - privileges: - additionalProperties: false - type: object - properties: - root: - type: boolean - asset_tags: - items: - additionalProperties: false - type: object - properties: - asset_ids: - items: - type: string - maxItems: 1000 - type: array - asset_types: - items: - type: string - maxItems: 100 - type: array - text: - type: string - required: - - text - maxItems: 1000 - type: array - assets: - additionalProperties: - nullable: true - type: object - categories: + keepPoliciesUpToDate: + type: boolean + namespace_customization_enabled_for: + description: Namespaces for which namespace-level customization is enabled on this package. 
items: type: string maxItems: 100 type: array - conditions: - additionalProperties: true - type: object - properties: - deprecated: - $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' - elastic: - additionalProperties: true - type: object - properties: - capabilities: - items: - type: string - maxItems: 10 - type: array - subscription: - type: string - kibana: - additionalProperties: true - type: object - properties: - version: - type: string - required: - - deprecated - data_streams: + title: update_package_request + type: object + Kibana_HTTP_APIs_update_package_response: + additionalProperties: false + properties: + item: + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_package_info' + required: + - item + title: update_package_response + type: object + Kibana_HTTP_APIs_update_rule: + additionalProperties: false + properties: + actions: + default: [] items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 - type: array - deprecated: - $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' - description: - type: string - discovery: - additionalProperties: true - type: object - properties: - datasets: - items: - additionalProperties: true - type: object - properties: - name: - type: string - required: - - name - maxItems: 100 - type: array - fields: + $ref: '#/components/schemas/Kibana_HTTP_APIs_update_rule_action' + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. 
+ type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: items: - additionalProperties: true + additionalProperties: false type: object properties: - name: + id: type: string required: - - name - maxItems: 100 + - id + maxItems: 10 type: array - download: - type: string - elasticsearch: - additionalProperties: - nullable: true - type: object - format_version: - type: string - icons: - items: - $ref: '#/components/schemas/Kibana_HTTP_APIs_package_icon' - maxItems: 100 - type: array - installationInfo: - $ref: '#/components/schemas/Kibana_HTTP_APIs_installation_info' - internal: - type: boolean - keepPoliciesUpToDate: - type: boolean - latestVersion: - type: string - license: - type: string - licensePath: - type: string + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. type: string - notice: - type: string - owner: - additionalProperties: true - type: object - properties: - github: - type: string - type: - enum: - - elastic - - partner - - community - type: string - path: - type: string - policy_templates: - items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 - type: array - readme: - type: string - release: + notify_when: + description: 'Indicates how frequently rule actions are triggered. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. 
You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' enum: - - ga - - beta - - experimental - type: string - screenshots: - items: - $ref: '#/components/schemas/Kibana_HTTP_APIs_package_icon' - maxItems: 100 - type: array - signature_path: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true type: string - source: - additionalProperties: true + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the rule. + type: object + schedule: + additionalProperties: false type: object properties: - license: + interval: + description: The interval is specified in seconds, minutes, hours, or days. type: string required: - - license - status: - type: string - title: - type: string - type: - anyOf: - - enum: - - integration - type: string - - enum: - - input - type: string - - enum: - - content - type: string - - type: string - var_groups: - items: - additionalProperties: true - type: object - properties: - description: - type: string - name: - type: string - options: - items: - additionalProperties: true - type: object - properties: - description: - type: string - hide_in_deployment_modes: - items: - enum: - - default - - agentless - type: string - maxItems: 2 - type: array - name: - type: string - title: - type: string - vars: - items: - type: string - maxItems: 100 - type: array - required: - - name - - title - - vars - maxItems: 100 - type: array - selector_title: - type: string - title: - type: string - required: - - name - - title - - selector_title - - options - maxItems: 100 - type: array - vars: + - interval + tags: + default: [] items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 + description: The tags for the rule. 
+ type: string type: array - version: + throttle: + description: Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how frequently rule actions are triggered. You cannot specify the throttle interval at both the rule and action level. If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. + nullable: true type: string required: - - installationInfo - name - - version - - title - - deprecated - - assets - title: get_package_info + - schedule + title: update_rule type: object - Kibana_HTTP_APIs_get_packages_response: + Kibana_HTTP_APIs_update_rule_action: additionalProperties: false + description: An action that runs under defined conditions. properties: - items: - items: - $ref: '#/components/schemas/Kibana_HTTP_APIs_package_list_item' - maxItems: 10000 - type: array + alerts_filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_update_rule_action_alerts_filter' + frequency: + $ref: '#/components/schemas/Kibana_HTTP_APIs_update_rule_action_frequency' + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. 
+ type: string required: - - items - title: get_packages_response + - id + title: update_rule_action type: object - Kibana_HTTP_APIs_get_stats_response: + Kibana_HTTP_APIs_update_rule_action_alerts_filter: additionalProperties: false properties: - response: + query: + $ref: '#/components/schemas/Kibana_HTTP_APIs_alerts_filter_query' + timeframe: additionalProperties: false + description: Defines a period that limits whether the action runs. type: object properties: - agent_policy_count: - type: number - package_policy_count: - type: number + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. + type: object + properties: + end: + description: The end of the time frame, in 24-hour notation (`hh:mm`). + type: string + start: + description: The start of the time frame, in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in support for daylight savings time and are not recommended. + type: string required: - - agent_policy_count - - package_policy_count - required: - - response - title: get_stats_response + - days + - hours + - timezone + title: update_rule_action_alerts_filter type: object - Kibana_HTTP_APIs_get_verification_key_id_response: + Kibana_HTTP_APIs_update_rule_action_frequency: additionalProperties: false properties: - id: + notify_when: + description: 'Indicates how frequently rule actions are triggered. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: The throttle interval defines how frequently rule actions are triggered. It is specified in seconds, minutes, hours, or days and only applies when `notify_when` is set to `onThrottleInterval`. You cannot set the throttle interval at both the rule and action level. The recommended approach is to set it for each action individually. If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. nullable: true type: string required: - - id - title: get_verification_key_id_response + - summary + - notify_when + - throttle + title: update_rule_action_frequency type: object - Kibana_HTTP_APIs_install_kibana_assets_request: + Kibana_HTTP_APIs_upgrade_package_policies_request: additionalProperties: false properties: - force: - type: boolean - space_ids: - description: >- - When provided install assets in the specified spaces instead of the - current space. 
+ packagePolicyIds: items: type: string - maxItems: 100 - minItems: 1 + maxItems: 1000 type: array - title: install_kibana_assets_request + required: + - packagePolicyIds + title: upgrade_package_policies_request type: object - Kibana_HTTP_APIs_install_kibana_assets_response: + Kibana_HTTP_APIs_valueDisplay: additionalProperties: false + description: Configure the visibility and the format of the values rendered on each chart partition section properties: - success: + mode: + description: How to format values when visible. + enum: + - absolute + - percentage + type: string + percent_decimals: + description: Decimal places for percentage display (0-10) + maximum: 10 + minimum: 0 + type: number + visible: + description: Show metric values on the chart + type: boolean + title: valueDisplay + type: object + Kibana_HTTP_APIs_vis_api_direction: + description: Sort direction. + enum: + - asc + - desc + title: vis_api_direction + type: string + Kibana_HTTP_APIs_vis_api_domain_custom: + additionalProperties: false + description: Uses explicitly provided domain bounds (min and max). + properties: + max: + description: Max domain value + type: number + min: + description: Min domain value + type: number + rounding: + description: Whether to round axis domain bounds outward to readable “nice” values (for example 1, 5, 10, 100) instead of exact data min/max. + title: vis_api_domain_rounding type: boolean + type: + enum: + - custom + type: string required: - - success - title: install_kibana_assets_response + - type + - min + - max + title: vis_api_domain_custom type: object - Kibana_HTTP_APIs_install_package_from_registry_request: + Kibana_HTTP_APIs_vis_api_domain_fit: additionalProperties: false + description: Uses tight domain bounds from the observed data minimum to maximum, without baseline expansion. 
properties: - force: - default: false + rounding: + description: Whether to round axis domain bounds outward to readable “nice” values (for example 1, 5, 10, 100) instead of exact data min/max. + title: vis_api_domain_rounding type: boolean - ignore_constraints: - default: false + type: + enum: + - fit + type: string + required: + - type + title: vis_api_domain_fit + type: object + Kibana_HTTP_APIs_vis_api_domain_full: + additionalProperties: false + description: Uses the full chart domain, including baseline expansion when applicable (for example, includes zero for bar-like series). + properties: + rounding: + description: Whether to round axis domain bounds outward to readable “nice” values (for example 1, 5, 10, 100) instead of exact data min/max. + title: vis_api_domain_rounding type: boolean - title: install_package_from_registry_request + type: + enum: + - full + type: string + required: + - type + title: vis_api_domain_full type: object - Kibana_HTTP_APIs_install_package_response: + Kibana_HTTP_APIs_vis_api_orientation: + description: Orientation of the tagcloud. + enum: + - horizontal + - vertical + - angled + title: vis_api_orientation + type: string + Kibana_HTTP_APIs_vis_api_simple_orientation: + default: horizontal + description: Orientation + enum: + - horizontal + - vertical + title: vis_api_simple_orientation + type: string + Kibana_HTTP_APIs_vis_api_xy_axis_config: additionalProperties: false + description: Axis configuration for X, Y, and Y2 axes. The Y axis is on the start (leading) side, the Y2 axis is on the end (trailing) side. 
properties: - _meta: + x: additionalProperties: false + description: X-axis configuration type: object properties: - install_source: + domain: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_domain_fit' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_domain_custom' + description: X-axis domain configuration + grid: + additionalProperties: false + description: Axis grid lines configuration + type: object + properties: + visible: + description: Show grid lines for this axis + type: boolean + required: + - visible + labels: + additionalProperties: false + description: Label configuration + type: object + properties: + orientation: + $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_orientation' + scale: + description: X-axis scale type. Use 'temporal' for timestamp/date fields (for example, @timestamp or DATE_TRUNC results). Use 'ordinal' for categorical/text fields. Use 'linear' for numeric fields. + enum: + - ordinal + - temporal + - linear type: string - name: + ticks: + additionalProperties: false + description: Axis tick marks configuration + type: object + properties: + visible: + description: Show tick marks on the axis + type: boolean + required: + - visible + title: + additionalProperties: false + description: Axis title configuration + type: object + properties: + text: + description: Axis title text. + type: string + visible: + description: When `true`, displays the title. + type: boolean + 'y': + additionalProperties: false + description: 'Y-axis configuration with scale and bounds. The axis position is determined by the key: y renders on the start side (left in vertical charts), y2 on the end side (right in vertical charts).' 
+ type: object + properties: + domain: + description: Y-axis domain configuration + discriminator: + mapping: + custom: '#/components/schemas/Kibana_HTTP_APIs_vis_api_domain_custom' + fit: '#/components/schemas/Kibana_HTTP_APIs_vis_api_domain_fit' + full: '#/components/schemas/Kibana_HTTP_APIs_vis_api_domain_full' + propertyName: type + oneOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_domain_full' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_domain_fit' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_domain_custom' + grid: + additionalProperties: false + description: Axis grid lines configuration + type: object + properties: + visible: + description: Show grid lines for this axis + type: boolean + required: + - visible + labels: + additionalProperties: false + description: Label configuration + type: object + properties: + orientation: + $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_orientation' + scale: + description: Y-axis scale type for data transformation + enum: + - linear + - log + - sqrt type: string + ticks: + additionalProperties: false + description: Axis tick marks configuration + type: object + properties: + visible: + description: Show tick marks on the axis + type: boolean + required: + - visible + title: + additionalProperties: false + description: Axis title configuration + type: object + properties: + text: + description: Axis title text. + type: string + visible: + description: When `true`, displays the title. + type: boolean required: - - install_source - - name - items: - items: - anyOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_kibana_asset_reference' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_es_asset_reference' - maxItems: 10000 - type: array - required: - - items - - _meta - title: install_package_response + - domain + y2: + additionalProperties: false + description: 'Y-axis configuration with scale and bounds. 
The axis position is determined by the key: y renders on the start side (left in vertical charts), y2 on the end side (right in vertical charts).' + type: object + properties: + domain: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_domain_full' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_domain_fit' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_domain_custom' + description: Y-axis domain configuration + grid: + additionalProperties: false + description: Axis grid lines configuration + type: object + properties: + visible: + description: Show grid lines for this axis + type: boolean + required: + - visible + labels: + additionalProperties: false + description: Label configuration + type: object + properties: + orientation: + $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_orientation' + scale: + description: Y-axis scale type for data transformation + enum: + - linear + - log + - sqrt + type: string + ticks: + additionalProperties: false + description: Axis tick marks configuration + type: object + properties: + visible: + description: Show tick marks on the axis + type: boolean + required: + - visible + title: + additionalProperties: false + description: Axis title configuration + type: object + properties: + text: + description: Axis title text. + type: string + visible: + description: When `true`, displays the title. 
+ type: boolean + required: + - domain + title: Axis type: object - Kibana_HTTP_APIs_install_rule_assets_request: + Kibana_HTTP_APIs_waffleESQL: additionalProperties: false + description: Waffle chart configuration for ES|QL queries properties: - force: - type: boolean - title: install_rule_assets_request - type: object - Kibana_HTTP_APIs_installation_info: - additionalProperties: true - properties: - additional_spaces_installed_kibana: - additionalProperties: - items: - $ref: '#/components/schemas/Kibana_HTTP_APIs_kibana_asset_reference' - maxItems: 100 - type: array - type: object - created_at: + data_source: + $ref: '#/components/schemas/Kibana_HTTP_APIs_esqlDataSource' + description: type: string - experimental_data_stream_features: + drilldowns: items: - additionalProperties: true - type: object - properties: - data_stream: - type: string - features: - additionalProperties: true - type: object + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true properties: - doc_value_only_numeric: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. type: boolean - doc_value_only_other: + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. type: boolean - synthetic_source: + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. 
type: boolean - tsdb: + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true type: boolean - required: - - data_stream - - features + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object maxItems: 100 type: array - install_format_schema_version: - type: string - install_source: - enum: - - registry - - upload - - bundled - - custom - type: string - install_status: - enum: - - installed - - installing - - install_failed - type: string - installed_es: - items: - $ref: '#/components/schemas/Kibana_HTTP_APIs_es_asset_reference' - maxItems: 10000 - type: array - installed_kibana: + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + group_by: + description: Array of ES|QL breakdown columns (minimum 1) items: - $ref: '#/components/schemas/Kibana_HTTP_APIs_kibana_asset_reference' - maxItems: 10000 - type: array - installed_kibana_space_id: - type: string - is_rollback_ttl_expired: - type: boolean - latest_executed_state: - additionalProperties: true - type: object - properties: - error: - type: string - name: - type: string - 
started_at: - type: string - latest_install_failed_attempts: + additionalProperties: false + type: object + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + column: + description: Column to use + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + required: + - column + maxItems: 100 + minItems: 1 + type: array + hide_border: + type: boolean + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. + type: boolean + legend: + $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleLegend' + metrics: + description: Array of metric configurations (minimum 1) items: - additionalProperties: true + additionalProperties: false type: object properties: - created_at: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + column: + description: Column to use type: string - error: - additionalProperties: true - type: object - properties: - message: - type: string - name: - type: string - stack: - type: string - required: - - name - - message - target_version: + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string required: - - created_at - - target_version - - error - maxItems: 10 + - column + maxItems: 100 + minItems: 1 type: array - name: - type: string - namespaces: + references: items: - type: string - maxItems: 100 + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' type: array - previous_version: - nullable: true + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). 
+ maximum: 1 + minimum: 0 + type: number + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleStyling' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: type: string - rolled_back: - type: boolean type: + enum: + - waffle type: string - updated_at: + required: + - type + - data_source + - metrics + title: Waffle Chart (ES|QL) + type: object + Kibana_HTTP_APIs_waffleGroupByDateHistogram: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + drop_partial_intervals: + description: When `true`, drops partial intervals from the results. + type: boolean + field: + description: Field to be used for the date histogram. type: string - verification_key_id: - nullable: true + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. + type: boolean + label: + description: Label for the operation type: string - verification_status: + operation: enum: - - unverified - - verified - - unknown + - date_histogram type: string - version: + suggested_interval: + default: auto + description: Suggested time interval. type: string + use_original_time_range: + default: false + description: When `true`, uses the original time range instead of the current query time range. 
+ type: boolean required: - - type - - installed_kibana - - installed_es - - name - - version - - install_status - - install_source - - verification_status - title: installation_info + - operation + - field + title: Date Histogram Operation type: object - x-oas-optional: true - Kibana_HTTP_APIs_installed_package: + Kibana_HTTP_APIs_waffleGroupByFilters: additionalProperties: false properties: - dataStreams: - items: - additionalProperties: false - type: object - properties: - name: - type: string - title: - type: string - required: - - name - - title - maxItems: 10000 - type: array - description: - type: string - icons: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + filters: items: - $ref: '#/components/schemas/Kibana_HTTP_APIs_package_icon' + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterWithLabel' maxItems: 100 type: array - name: - type: string - status: - type: string - title: + label: + description: Label for the operation type: string - version: + operation: + enum: + - filters type: string required: - - name - - version - - status - - dataStreams - title: installed_package + - operation + - filters + title: Filters Operation type: object - Kibana_HTTP_APIs_kibana_asset_reference: + Kibana_HTTP_APIs_waffleGroupByHistogram: additionalProperties: false properties: - deferred: - type: boolean - id: - type: string - originId: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + field: + description: Field to be used for the histogram. type: string - type: + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + granularity: anyOf: + - description: Granularity of the histogram. 
+ maximum: 7 + minimum: 1 + type: number - enum: - - dashboard - - lens - - visualization - - search - - index-pattern - - map - - ml-module - - security-rule - - csp-rule-template - - osquery-pack-asset - - osquery-saved-query - - tag + - auto type: string - - type: string + default: auto + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. + type: boolean + label: + description: Label for the operation + type: string + operation: + enum: + - histogram + type: string required: - - id - - type - title: kibana_asset_reference + - operation + - field + title: Histogram Operation type: object - Kibana_HTTP_APIs_new_agent_policy: + Kibana_HTTP_APIs_waffleGroupByRanges: additionalProperties: false properties: - advanced_settings: - additionalProperties: false - type: object - properties: - agent_download_target_directory: - nullable: true - agent_download_timeout: - nullable: true - agent_features_disable_policy_change_acks_enabled: - nullable: true - agent_internal: - nullable: true - agent_limits_go_max_procs: - nullable: true - agent_logging_files_interval: - nullable: true - agent_logging_files_keepfiles: - nullable: true - agent_logging_files_rotateeverybytes: - nullable: true - agent_logging_level: - nullable: true - agent_logging_metrics_period: - nullable: true - agent_logging_to_files: - nullable: true - agent_monitoring_runtime_experimental: - nullable: true - agent_features: - items: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - name: - type: string - required: - - name - - enabled - maxItems: 100 - type: array - agentless: - additionalProperties: false - type: object - properties: - cloud_connectors: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - target_csp: - enum: - - aws - - azure - - gcp - type: string - required: - - enabled - cluster_id: - type: string - resources: - additionalProperties: false - type: object - properties: 
- requests: - additionalProperties: false - type: object - properties: - cpu: - type: string - memory: - type: string - bumpRevision: - type: boolean - data_output_id: - nullable: true - type: string - description: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + field: + description: Field to be used for the range. type: string - download_source_id: - nullable: true + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string - fleet_server_host_id: - nullable: true + operation: + enum: + - range type: string - force: - type: boolean - global_data_tags: - description: >- - User defined data tags that are added to all of the inputs. The - values can be strings or numbers. + ranges: items: additionalProperties: false type: object properties: - name: + gt: + description: Greater than. + type: number + label: + description: Label. type: string - value: - anyOf: - - type: string - - type: number - required: - - name - - value + lte: + description: Less than or equal to. 
+ type: number maxItems: 100 type: array - has_agent_version_conditions: - type: boolean - has_fleet_server: - type: boolean - id: - type: string - inactivity_timeout: - default: 1209600 - minimum: 0 - type: number - is_default: - type: boolean - is_default_fleet_server: - type: boolean - is_managed: - type: boolean - is_protected: - type: boolean - is_verifier: - type: boolean - keep_monitoring_alive: - default: false - description: >- - When set to true, monitoring will be enabled but logs/metrics - collection will be disabled - nullable: true - type: boolean - min_agent_version: - nullable: true - type: string - monitoring_diagnostics: + required: + - operation + - field + - ranges + title: Ranges Operation + type: object + Kibana_HTTP_APIs_waffleGroupByTerms: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + excludes: additionalProperties: false type: object properties: - limit: - additionalProperties: false - type: object - properties: - burst: - type: number - interval: - type: string - uploader: - additionalProperties: false - type: object - properties: - init_dur: - type: string - max_dur: - type: string - max_retries: - type: number - monitoring_enabled: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to exclude. + type: string + maxItems: 100 + type: array + required: + - values + fields: items: - enum: - - logs - - metrics - - traces + description: Fields to be used for the terms. 
type: string - maxItems: 3 + maxItems: 4 + minItems: 1 type: array - monitoring_http: + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + includes: additionalProperties: false type: object properties: - buffer: - additionalProperties: false - type: object - properties: - enabled: - default: false - type: boolean - enabled: + as_regex: + description: When `true`, treats the values as regular expressions. type: boolean - host: - type: string - port: - maximum: 65353 - minimum: 0 - type: number - monitoring_output_id: - nullable: true - type: string - monitoring_pprof_enabled: + values: + items: + description: Values to include. + type: string + maxItems: 100 + type: array + required: + - values + increase_accuracy: + description: When `true`, increases accuracy at the cost of performance. type: boolean - name: - minLength: 1 + label: + description: Label for the operation type: string - namespace: - minLength: 1 + limit: + default: 5 + description: Number of terms to return. + type: number + operation: + enum: + - terms type: string - overrides: - additionalProperties: - nullable: true - description: >- - Override settings that are defined in the agent policy. Input - settings cannot be overridden. The override option should be used - only in unusual circumstances and not as a routine procedure. 
- nullable: true + other_bucket: + additionalProperties: false type: object - package_agent_version_conditions: - items: - additionalProperties: false - type: object - properties: - name: - type: string - title: - type: string - version_condition: - type: string - required: - - name - - title - - version_condition - maxItems: 1000 - nullable: true - type: array - required_versions: - items: - additionalProperties: false - type: object - properties: - percentage: - description: Target percentage of agents to auto upgrade - maximum: 100 - minimum: 0 - type: number - version: - description: Target version for automatic agent upgrade - type: string - required: - - version - - percentage - maxItems: 100 - nullable: true - type: array - space_ids: + properties: + include_documents_without_field: + description: When `true`, includes documents that do not have the specified field. + type: boolean + required: + - include_documents_without_field + rank_by: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByAlphabetical' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByRare' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankBySignificant' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomCountOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileRankOperation' + required: + - operation + - fields + title: Terms Operation + type: object + Kibana_HTTP_APIs_waffleLegend: + additionalProperties: false + description: Legend configuration for waffle chart + properties: + size: + $ref: '#/components/schemas/Kibana_HTTP_APIs_legendSize' + truncate_after_lines: + description: Number of lines before legend items are truncated. 
+ maximum: 10 + minimum: 1 + title: legendTruncateAfterLines + type: number + values: items: + description: 'Legend value display mode: absolute (show raw metric values in legend)' + enum: + - absolute type: string - maxItems: 100 + maxItems: 1 + minItems: 1 type: array - supports_agentless: + visibility: + description: Legend visibility. + enum: + - auto + - visible + - hidden + type: string + title: Legend + type: object + Kibana_HTTP_APIs_waffleMetricCounterRate: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - counter_rate + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Counter Rate Operation + type: object + Kibana_HTTP_APIs_waffleMetricCountMetric: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + empty_as_null: default: false - deprecated: true - description: >- - Indicates whether the agent policy supports agentless integrations. - Deprecated in favor of the Fleet agentless policies API. - nullable: true + description: When `true`, treats empty buckets as null instead of zero. 
type: boolean - unenroll_timeout: - minimum: 0 + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - operation + title: Count Metric Operation + type: object + Kibana_HTTP_APIs_waffleMetricCumulativeSum: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - cumulative_sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Cumulative Sum Operation + type: object + Kibana_HTTP_APIs_waffleMetricDifferences: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: 
'#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - differences + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - operation + - of + title: Differences Operation + type: object + Kibana_HTTP_APIs_waffleMetricFormula: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + formula: + description: Formula + type: string + label: + description: Label for the operation + type: string + operation: + enum: + - formula + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + description: Time scale + enum: + - s + - m + - h + - d + type: string + required: + - operation + - formula + title: Formula Operation + type: object + Kibana_HTTP_APIs_waffleMetricLastValue: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + multi_value: + default: false + description: Whether to return all 
values for multi-value fields. Only affects data table and metric charts; other charts use the last value from the array. + type: boolean + operation: + enum: + - last_value + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_field: + description: Time field used to determine document recency + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + - time_field + title: Last Value Operation + type: object + Kibana_HTTP_APIs_waffleMetricMovingAverage: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - moving_average + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + window: + default: 5 + description: Window type: number required: - - name - - namespace - title: new_agent_policy + - operation + - of + title: Moving Average Operation type: object - Kibana_HTTP_APIs_new_enrollment_api_key: + Kibana_HTTP_APIs_waffleMetricPercentile: additionalProperties: false properties: - expiration: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' 
+ field: + description: Field to be used for the metric type: string - name: + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string - policy_id: + operation: + enum: + - percentile + type: string + percentile: + default: 95 + description: Percentile + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting type: string required: - - policy_id - title: new_enrollment_api_key + - field + - operation + title: Percentile Operation type: object - Kibana_HTTP_APIs_new_output_elasticsearch: + Kibana_HTTP_APIs_waffleMetricPercentileRanks: additionalProperties: false properties: - allow_edit: - items: - type: string - maxItems: 1000 - type: array - ca_sha256: - nullable: true + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric type: string - ca_trusted_fingerprint: - nullable: true + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string - config_yaml: - nullable: true + operation: + enum: + - percentile_rank type: string - hosts: - items: - format: uri - type: string - maxItems: 10 - minItems: 1 - type: array - id: + rank: + default: 0 + description: Percentile Rank + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting type: string - is_default: - default: false - type: boolean - is_default_monitoring: - default: false - type: boolean - is_internal: 
- type: boolean - is_preconfigured: - type: boolean - name: + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting type: string - otel_disable_beatsauth: - nullable: true - type: boolean - otel_exporter_config_yaml: - nullable: true + required: + - field + - operation + title: Percentile Ranks Operation + type: object + Kibana_HTTP_APIs_waffleMetricStatsMetric: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric type: string - preset: + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: enum: - - balanced - - custom - - throughput - - scale - - latency + - min + - max + - average + - median + - standard_deviation type: string - proxy_id: - nullable: true + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting type: string - secrets: - additionalProperties: false - type: object - properties: - ssl: - additionalProperties: false - type: object - properties: - key: - anyOf: - - additionalProperties: false - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - shipper: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' - nullable: true - ssl: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' - nullable: true - type: - enum: - - elasticsearch + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting type: string - write_to_logs_streams: - nullable: true - type: boolean 
required: - - name - - type - - hosts - title: new_output_elasticsearch + - field + - operation + title: Stats Metric Operation type: object - Kibana_HTTP_APIs_new_output_kafka: + Kibana_HTTP_APIs_waffleMetricSumMetric: additionalProperties: false properties: - allow_edit: - items: - type: string - maxItems: 1000 - type: array - auth_type: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. + type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: enum: - - none - - user_pass - - ssl - - kerberos + - sum type: string - broker_timeout: - type: number - ca_sha256: - nullable: true + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting type: string - ca_trusted_fingerprint: - nullable: true + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting type: string - client_id: + required: + - field + - operation + title: Sum Metric Operation + type: object + Kibana_HTTP_APIs_waffleMetricUniqueCountMetric: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric type: string - compression: + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: enum: - - gzip - - snappy - - lz4 - - none + - unique_count type: string - compression_level: - nullable: true - type: number - config_yaml: - nullable: true + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting type: string - connection_type: - enum: - - plaintext - - encryption + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting type: string - hash: - additionalProperties: false - type: object - properties: - hash: - type: string - random: - type: boolean - headers: + required: + - field + - operation + title: Unique Count Metric Operation + type: object + Kibana_HTTP_APIs_waffleNoESQL: + additionalProperties: false + description: Waffle chart configuration for standard queries + properties: + data_source: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' + description: + type: string + drilldowns: items: - additionalProperties: false - type: object - properties: - key: - type: string - value: - type: string - required: - - key - - value + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. 
+ type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. + type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. 
Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object maxItems: 100 type: array - hosts: + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + group_by: + description: Array of breakdown dimensions (minimum 1) items: - type: string - maxItems: 10 + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleGroupByDateHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleGroupByTerms' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleGroupByHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleGroupByRanges' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleGroupByFilters' + maxItems: 100 minItems: 1 type: array - id: - type: string - is_default: - default: false - type: boolean - is_default_monitoring: - default: false - type: boolean - is_internal: + hide_border: type: boolean - is_preconfigured: + hide_title: type: boolean - key: - type: string - name: - type: string - otel_disable_beatsauth: - nullable: true + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. 
type: boolean - otel_exporter_config_yaml: - nullable: true + legend: + $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleLegend' + metrics: + description: Array of metric configurations (minimum 1) + items: + anyOf: + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleMetricCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleMetricUniqueCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleMetricStatsMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleMetricSumMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleMetricLastValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleMetricPercentile' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleMetricPercentileRanks' + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleMetricDifferences' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleMetricMovingAverage' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleMetricCumulativeSum' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleMetricCounterRate' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleMetricFormula' + maxItems: 100 + minItems: 1 + type: array + query: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). 
+ maximum: 1 + minimum: 0 + type: number + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleStyling' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: type: string - partition: + type: enum: - - random - - round_robin - - hash - type: string - password: - nullable: true - type: string - proxy_id: - nullable: true + - waffle type: string - random: + required: + - type + - data_source + - metrics + title: Waffle Chart (DSL) + type: object + Kibana_HTTP_APIs_waffleStyling: + additionalProperties: false + description: Visual chart styling options + properties: + values: + $ref: '#/components/schemas/Kibana_HTTP_APIs_valueDisplay' + title: Waffle styling + type: object + Kibana_HTTP_APIs_WiredStreamUpsertRequest: + additionalProperties: false + type: object + properties: + dashboards: + items: + type: string + type: array + queries: + items: + type: object + properties: + description: + type: string + esql: + type: object + properties: + query: + type: string + required: + - query + evidence: + items: + type: string + type: array + features: + items: + type: object + properties: + id: + type: string + run_id: + type: string + required: + - id + type: array + id: + description: A non-empty string. + minLength: 1 + type: string + severity_score: + type: number + title: + description: A non-empty string. 
+ minLength: 1 + type: string + type: + default: match + enum: + - match + - stats + type: string + required: + - id + - title + - description + - esql + type: array + rules: + items: + type: string + type: array + stream: additionalProperties: false type: object properties: - group_events: - type: number - required_acks: - enum: - - 1 - - 0 - - -1 - type: integer - round_robin: + description: + type: string + ingest: + additionalProperties: false + type: object + properties: + failure_store: + $ref: '#/components/schemas/Kibana_HTTP_APIs_FailureStore' + lifecycle: + $ref: '#/components/schemas/Kibana_HTTP_APIs_IngestStreamLifecycle' + processing: + additionalProperties: false + type: object + properties: + steps: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamlangStep' + type: array + updated_at: {} + required: + - steps + settings: + additionalProperties: false + type: object + properties: + index.number_of_replicas: + additionalProperties: false + type: object + properties: + value: + type: number + required: + - value + index.number_of_shards: + additionalProperties: false + type: object + properties: + value: + type: number + required: + - value + index.refresh_interval: + additionalProperties: false + type: object + properties: + value: + anyOf: + - type: string + - enum: + - -1 + type: number + required: + - value + wired: + additionalProperties: false + type: object + properties: + draft: + type: boolean + fields: + $ref: '#/components/schemas/Kibana_HTTP_APIs_FieldDefinition' + routing: + items: + type: object + properties: + destination: + description: A non-empty string. 
+ minLength: 1 + type: string + draft: + type: boolean + status: + enum: + - enabled + - disabled + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + required: + - destination + - where + type: array + required: + - fields + - routing + required: + - lifecycle + - processing + - settings + - failure_store + - wired + query_streams: + items: + type: object + properties: + name: + type: string + required: + - name + type: array + type: + enum: + - wired + type: string + required: + - description + - ingest + - type + required: + - dashboards + - rules + - queries + - stream + Kibana_HTTP_APIs_xpack-ml-anomaly-detection-alert-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. type: object properties: - group_events: + active: + description: The number of consecutive runs that must meet the rule conditions. 
type: number - sasl: - additionalProperties: false - nullable: true - type: object - properties: - mechanism: - enum: - - PLAIN - - SCRAM-SHA-256 - - SCRAM-SHA-512 - type: string - secrets: + required: + - active + artifacts: additionalProperties: false type: object properties: - password: - anyOf: - - additionalProperties: false - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - ssl: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: additionalProperties: false type: object properties: - key: - anyOf: - - additionalProperties: false - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string + blob: + maxLength: 10000 + type: string required: - - key - shipper: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want the rule to run on an interval basis after it is created. + type: boolean + flapping: allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' nullable: true - ssl: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how frequently rule actions are triggered. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval nullable: true - timeout: - type: number - topic: type: string - type: + params: + additionalProperties: false + description: The parameters for the anomaly detection rule. These parameters are appropriate when `rule_type_id` is `xpack.ml.anomaly_detection_alert"`. + properties: + includeInterim: + default: true + type: boolean + jobSelection: + additionalProperties: false + type: object + properties: + groupIds: + default: [] + items: + type: string + type: array + jobIds: + default: [] + items: + type: string + type: array + kqlQueryString: + nullable: true + type: string + lookbackInterval: + nullable: true + type: string + resultType: + enum: + - record + - bucket + - influencer + type: string + severity: + maximum: 100 + minimum: 0 + type: number + topNBuckets: + minimum: 1 + nullable: true + type: number + required: + - jobSelection + - severity + - resultType + - lookbackInterval + - topNBuckets + - kqlQueryString + title: Anomaly Detection Rule Params + type: object + rule_type_id: enum: - - kafka + - xpack.ml.anomaly_detection_alert type: string - username: + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. 
+ type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how frequently rule actions are triggered. You cannot specify the throttle interval at both the rule and action level. If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. nullable: true type: string - version: - type: string required: - name - - type - - hosts - - auth_type - title: new_output_kafka + - consumer + - schedule + - rule_type_id + - params + title: Anomaly detection type: object - Kibana_HTTP_APIs_new_output_logstash: + Kibana_HTTP_APIs_xpack-ml-anomaly-detection-jobs-health-create-rule-body-alerting: additionalProperties: false properties: - allow_edit: - items: - type: string - maxItems: 1000 - type: array - ca_sha256: - nullable: true - type: string - ca_trusted_fingerprint: - nullable: true - type: string - config_yaml: - nullable: true - type: string - hosts: + actions: + default: [] items: - type: string - maxItems: 10 - minItems: 1 + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' type: array - id: - type: string - is_default: - default: false - type: boolean - is_default_monitoring: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: - type: boolean - name: + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. 
+ type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string - otel_disable_beatsauth: - nullable: true + enabled: + default: true + description: Indicates whether you want the rule to run on an interval basis after it is created. type: boolean - otel_exporter_config_yaml: + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. type: string - proxy_id: + notify_when: + description: 'Indicates how frequently rule actions are triggered. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' 
+ enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval nullable: true type: string - secrets: + params: additionalProperties: false - type: object + description: The parameters for the anomaly detection jobs health rule. These parameters are appropriate when `rule_type_id` is `xpack.ml.anomaly_detection_jobs_health"`. properties: - ssl: + excludeJobs: + additionalProperties: false + nullable: true + type: object + properties: + groupIds: + default: [] + items: + type: string + type: array + jobIds: + default: [] + items: + type: string + type: array + includeJobs: additionalProperties: false type: object properties: - key: - anyOf: - - additionalProperties: false - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - shipper: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' - nullable: true - ssl: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' - nullable: true - type: + groupIds: + default: [] + items: + type: string + type: array + jobIds: + default: [] + items: + type: string + type: array + testsConfig: + additionalProperties: false + nullable: true + type: object + properties: + behindRealtime: + additionalProperties: false + nullable: true + type: object + properties: + enabled: + default: true + type: boolean + timeInterval: + nullable: true + type: string + required: + - timeInterval + datafeed: + additionalProperties: false + nullable: true + type: object + properties: + enabled: + default: true + type: boolean + delayedData: + additionalProperties: false + nullable: true + type: object + properties: + docsCount: + minimum: 1 + nullable: true + type: number + enabled: + default: true + type: boolean + timeInterval: + nullable: true + type: string + required: + - docsCount + - timeInterval + errorMessages: + additionalProperties: false + nullable: true + type: object + properties: + enabled: + default: true + type: boolean + mml: + 
additionalProperties: false + nullable: true + type: object + properties: + enabled: + default: true + type: boolean + required: + - datafeed + - mml + - delayedData + - behindRealtime + - errorMessages + required: + - includeJobs + - excludeJobs + - testsConfig + title: Anomaly Detection Jobs Health Rule Params + type: object + rule_type_id: enum: - - logstash + - xpack.ml.anomaly_detection_jobs_health type: string - required: - - name - - type - - hosts - title: new_output_logstash - type: object - Kibana_HTTP_APIs_new_output_remote_elasticsearch: - additionalProperties: false - properties: - allow_edit: + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. items: type: string - maxItems: 1000 type: array - ca_sha256: - nullable: true - type: string - ca_trusted_fingerprint: - nullable: true - type: string - config_yaml: + throttle: + description: Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how frequently rule actions are triggered. You cannot specify the throttle interval at both the rule and action level. If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. 
nullable: true type: string - hosts: + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Anomaly detection jobs health + type: object + Kibana_HTTP_APIs_xpack-synthetics-alerts-monitorstatus-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] items: - format: uri - type: string - maxItems: 10 - minItems: 1 + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' type: array - id: + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string - is_default: - default: false - type: boolean - is_default_monitoring: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: + enabled: + default: true + description: Indicates whether you want the rule to run on an interval basis after it is created. type: boolean - kibana_api_key: - nullable: true - type: string - kibana_url: + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' nullable: true - type: string name: + description: The name of the rule. 
While this name does not have to be unique, a distinctive name can help you identify a rule. type: string - otel_disable_beatsauth: - nullable: true - type: boolean - otel_exporter_config_yaml: - nullable: true - type: string - preset: + notify_when: + description: 'Indicates how frequently rule actions are triggered. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' enum: - - balanced - - custom - - throughput - - scale - - latency - type: string - proxy_id: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval nullable: true type: string - secrets: + params: additionalProperties: false - type: object + description: The parameters for the synthetics monitor status rule. These parameters are appropriate when `rule_type_id` is `xpack.synthetics.alerts.monitorStatus`. 
properties: - service_token: - anyOf: - - additionalProperties: false - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - ssl: + condition: additionalProperties: false type: object properties: - key: + alertOnNoData: + type: boolean + downThreshold: + type: number + groupBy: + type: string + includeRetests: + type: boolean + locationsThreshold: + type: number + recoveryStrategy: + enum: + - firstUp + - conditionNotMet + type: string + window: anyOf: - additionalProperties: false type: object properties: - hash: - type: string - id: - type: string + time: + additionalProperties: false + type: object + properties: + size: + default: 5 + type: number + unit: + default: m + enum: + - s + - m + - h + - d + type: string required: - - id - - type: string - service_token: - nullable: true - type: string - shipper: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' - nullable: true - ssl: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' - nullable: true - sync_integrations: - type: boolean - sync_uninstalled_integrations: - type: boolean - type: + - time + - additionalProperties: false + type: object + properties: + numberOfChecks: + default: 5 + maximum: 100 + minimum: 1 + type: number + required: + - window + kqlQuery: + type: string + locations: + items: + type: string + type: array + monitorIds: + items: + type: string + type: array + monitorTypes: + items: + type: string + type: array + projects: + items: + type: string + type: array + tags: + items: + type: string + type: array + title: Synthetics Monitor Status Rule Params + type: object + rule_type_id: enum: - - remote_elasticsearch + - xpack.synthetics.alerts.monitorStatus type: string - write_to_logs_streams: - nullable: true - type: boolean - required: - - name - - type - - hosts - title: new_output_remote_elasticsearch - type: object - Kibana_HTTP_APIs_output_elasticsearch: - additionalProperties: true - 
properties: - allow_edit: + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. items: type: string - maxItems: 1000 type: array - ca_sha256: - nullable: true - type: string - ca_trusted_fingerprint: - nullable: true - type: string - config_yaml: + throttle: + description: Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how frequently rule actions are triggered. You cannot specify the throttle interval at both the rule and action level. If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. nullable: true type: string - hosts: + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Synthetics monitor status + type: object + Kibana_HTTP_APIs_xpack-synthetics-alerts-tls-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] items: - format: uri - type: string - maxItems: 10 - minItems: 1 + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' type: array - id: + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. 
+ type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string - is_default: - default: false - type: boolean - is_default_monitoring: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: + enabled: + default: true + description: Indicates whether you want the rule to run on an interval basis after it is created. type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. type: string - otel_disable_beatsauth: - nullable: true - type: boolean - otel_exporter_config_yaml: + notify_when: + description: 'Indicates how frequently rule actions are triggered. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. 
If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval nullable: true type: string - preset: + params: + additionalProperties: false + description: The parameters for the synthetics tls rule. These parameters are appropriate when `rule_type_id` is `xpack.synthetics.alerts.tls`. + properties: + certAgeThreshold: + type: number + certExpirationThreshold: + type: number + kqlQuery: + type: string + locations: + items: + type: string + type: array + monitorIds: + items: + type: string + type: array + monitorTypes: + items: + type: string + type: array + projects: + items: + type: string + type: array + search: + type: string + tags: + items: + type: string + type: array + title: Synthetics TLS Rule Params + type: object + rule_type_id: enum: - - balanced - - custom - - throughput - - scale - - latency - type: string - proxy_id: - nullable: true + - xpack.synthetics.alerts.tls type: string - secrets: - additionalProperties: true + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. type: object properties: - ssl: - additionalProperties: true - type: object - properties: - key: - anyOf: - - additionalProperties: true - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - shipper: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' - nullable: true - ssl: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: Use the `throttle` property in the action `frequency` object instead. 
The throttle interval, which defines how frequently rule actions are triggered. You cannot specify the throttle interval at both the rule and action level. If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. nullable: true - type: - enum: - - elasticsearch type: string - write_to_logs_streams: - nullable: true - type: boolean required: - name - - type - - hosts - title: output_elasticsearch + - consumer + - schedule + - rule_type_id + - params + title: Synthetics TLS type: object - Kibana_HTTP_APIs_output_kafka: - additionalProperties: true + Kibana_HTTP_APIs_xpack-uptime-alerts-durationanomaly-create-rule-body-alerting: + additionalProperties: false properties: - allow_edit: + actions: + default: [] items: - type: string - maxItems: 1000 + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' type: array - auth_type: - enum: - - none - - user_pass - - ssl - - kerberos - type: string - broker_timeout: - type: number - ca_sha256: - nullable: true + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' 
type: string - ca_trusted_fingerprint: + enabled: + default: true + description: Indicates whether you want the rule to run on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. type: string - client_id: - type: string - compression: + notify_when: + description: 'Indicates how frequently rule actions are triggered. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' enum: - - gzip - - snappy - - lz4 - - none - type: string - compression_level: - nullable: true - type: number - config_yaml: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval nullable: true type: string - connection_type: + params: + additionalProperties: false + description: The parameters for the uptime duration anomaly rule. These parameters are appropriate when `rule_type_id` is `xpack.uptime.alerts.durationAnomaly`. 
+ properties: + monitorId: + type: string + severity: + type: number + stackVersion: + type: string + required: + - monitorId + - severity + title: Uptime Duration Anomaly Rule Params + type: object + rule_type_id: enum: - - plaintext - - encryption + - xpack.uptime.alerts.durationAnomaly type: string - hash: - additionalProperties: true + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. type: object properties: - hash: + interval: + description: The interval is specified in seconds, minutes, hours, or days. type: string - random: - type: boolean - headers: - items: - additionalProperties: true - type: object - properties: - key: - type: string - value: - type: string - required: - - key - - value - maxItems: 100 - type: array - hosts: + required: + - interval + tags: + default: [] + description: The tags for the rule. items: type: string - maxItems: 10 - minItems: 1 type: array - id: - type: string - is_default: - default: false - type: boolean - is_default_monitoring: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: - type: boolean - key: + throttle: + description: Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how frequently rule actions are triggered. You cannot specify the throttle interval at both the rule and action level. If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. 
+ nullable: true type: string - name: + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Uptime duration anomaly + type: object + Kibana_HTTP_APIs_xpack-uptime-alerts-monitorstatus-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string - otel_disable_beatsauth: - nullable: true + enabled: + default: true + description: Indicates whether you want the rule to run on an interval basis after it is created. type: boolean - otel_exporter_config_yaml: + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. type: string - partition: + notify_when: + description: 'Indicates how frequently rule actions are triggered. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' enum: - - random - - round_robin - - hash - type: string - password: - nullable: true - type: string - proxy_id: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval nullable: true type: string - random: - additionalProperties: true - type: object + params: + additionalProperties: false + description: The parameters for the uptime monitor status rule. These parameters are appropriate when `rule_type_id` is `xpack.uptime.alerts.monitorStatus`. 
properties: - group_events: + availability: + additionalProperties: false + type: object + properties: + range: + type: number + rangeUnit: + type: string + threshold: + type: string + required: + - range + - rangeUnit + - threshold + filters: + anyOf: + - additionalProperties: false + type: object + properties: + monitor.type: + items: + type: string + type: array + observer.geo.name: + items: + type: string + type: array + tags: + items: + type: string + type: array + url.port: + items: + type: string + type: array + - type: string + isAutoGenerated: + type: boolean + locations: + items: + type: string + type: array + numTimes: type: number - required_acks: + search: + type: string + shouldCheckAvailability: + type: boolean + shouldCheckStatus: + type: boolean + stackVersion: + type: string + timerange: + additionalProperties: false + type: object + properties: + from: + type: string + to: + type: string + required: + - from + - to + timerangeCount: + type: number + timerangeUnit: + type: string + version: + type: number + required: + - numTimes + - shouldCheckStatus + - shouldCheckAvailability + title: Uptime Monitor Status Rule Params + type: object + rule_type_id: enum: - - 1 - - 0 - - -1 - type: integer - round_robin: - additionalProperties: true + - xpack.uptime.alerts.monitorStatus + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. type: object properties: - group_events: - type: number - sasl: - additionalProperties: true + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how frequently rule actions are triggered. 
You cannot specify the throttle interval at both the rule and action level. If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Uptime monitor status + type: object + Kibana_HTTP_APIs_xpack-uptime-alerts-tlscertificate-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. type: object properties: - mechanism: - enum: - - PLAIN - - SCRAM-SHA-256 - - SCRAM-SHA-512 - type: string - secrets: - additionalProperties: true + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false type: object properties: - password: - anyOf: - - additionalProperties: true - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: true + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false type: object properties: - key: - anyOf: - - additionalProperties: true - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string + blob: + maxLength: 10000 + type: string required: - - key - shipper: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' - nullable: true - ssl: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. 
For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want the rule to run on an interval basis after it is created. + type: boolean + flapping: allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' nullable: true - timeout: - type: number - topic: + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. type: string - type: + notify_when: + description: 'Indicates how frequently rule actions are triggered. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' enum: - - kafka - type: string - username: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval nullable: true type: string - version: + params: + additionalProperties: false + description: The parameters for the uptime tls rule. These parameters are appropriate when `rule_type_id` is `xpack.uptime.alerts.tlsCertificate`. 
+ properties: + certAgeThreshold: + type: number + certExpirationThreshold: + type: number + search: + type: string + stackVersion: + type: string + title: Uptime TLS Rule Params + type: object + rule_type_id: + enum: + - xpack.uptime.alerts.tlsCertificate type: string - required: - - name - - type - - hosts - - auth_type - title: output_kafka - type: object - Kibana_HTTP_APIs_output_logstash: - additionalProperties: true - properties: - allow_edit: + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. items: type: string - maxItems: 1000 type: array - ca_sha256: + throttle: + description: Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how frequently rule actions are triggered. You cannot specify the throttle interval at both the rule and action level. If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. 
nullable: true type: string - ca_trusted_fingerprint: - nullable: true + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Uptime TLS certificate + type: object + Kibana_HTTP_APIs_xyAnnotationByRefLayer: + additionalProperties: false + description: Reference to a library annotation group + properties: + group_id: + description: ID of the linked annotation group from the library type: string - config_yaml: - nullable: true + type: + enum: + - annotation_group type: string - hosts: + required: + - type + - group_id + title: Annotation Layer (By Reference) + type: object + Kibana_HTTP_APIs_xyAnnotationLayerNoESQL: + additionalProperties: false + description: Layer containing annotations (query-based, points, and ranges) + properties: + data_source: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' + events: + description: Array of annotation configurations items: - type: string - maxItems: 10 + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyAnnotationQuery' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyAnnotationManualEvent' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyAnnotationManualRange' + maxItems: 100 minItems: 1 type: array - id: - type: string - is_default: - default: false - type: boolean - is_default_monitoring: + ignore_global_filters: default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. 
type: boolean - is_internal: - type: boolean - is_preconfigured: - type: boolean - name: + type: + enum: + - annotations type: string - otel_disable_beatsauth: - nullable: true - type: boolean - otel_exporter_config_yaml: - nullable: true + required: + - type + - data_source + - events + title: Annotation Layer (DSL) + type: object + Kibana_HTTP_APIs_xyAnnotationManualEvent: + additionalProperties: false + description: Manual point annotation at specific timestamp + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + icon: + description: Icon to display at the annotation point + enum: + - asterisk + - alert + - bell + - bolt + - bug + - circle + - editor_comment + - flag + - heart + - map_marker + - pin_filled + - star_empty + - star_filled + - tag + - triangle type: string - proxy_id: - nullable: true + label: + description: Label text for the annotation type: string - secrets: - additionalProperties: true - type: object - properties: - ssl: - additionalProperties: true - type: object - properties: - key: - anyOf: - - additionalProperties: true - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - shipper: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' - nullable: true - ssl: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' - nullable: true + line: + additionalProperties: false + description: Vertical line configuration for point annotation + type: object + properties: + stroke_dash: + description: Vertical line style + enum: + - solid + - dashed + - dotted + type: string + stroke_width: + description: Vertical line width in pixels + maximum: 10 + minimum: 1 + type: number + required: + - stroke_width + - stroke_dash + text: + additionalProperties: false + description: Annotation text label visibility + type: object + properties: + visible: + description: Show 
text label on the annotation + type: boolean + required: + - visible + timestamp: + anyOf: + - description: Unix timestamp in milliseconds + type: number + - description: ISO date string + type: string type: enum: - - logstash + - point type: string + visible: + description: Show the annotation + type: boolean required: - - name - type - - hosts - title: output_logstash + - timestamp + title: xyAnnotationManualEvent type: object - Kibana_HTTP_APIs_output_remote_elasticsearch: - additionalProperties: true + Kibana_HTTP_APIs_xyAnnotationManualRange: + additionalProperties: false + description: Manual range annotation spanning time interval properties: - allow_edit: - items: - type: string - maxItems: 1000 - type: array - ca_sha256: - nullable: true + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + fill: + description: Fill direction for range + enum: + - inside + - outside type: string - ca_trusted_fingerprint: - nullable: true + interval: + additionalProperties: false + description: Time range for annotation + type: object + properties: + from: + anyOf: + - description: Unix timestamp in milliseconds + type: number + - description: ISO date string + type: string + to: + anyOf: + - description: Unix timestamp in milliseconds + type: number + - description: ISO date string + type: string + required: + - from + - to + label: + description: Label text for the annotation type: string - config_yaml: - nullable: true + type: + enum: + - range type: string - hosts: + visible: + description: Show the annotation + type: boolean + required: + - type + - interval + title: xyAnnotationManualRange + type: object + Kibana_HTTP_APIs_xyAnnotationQuery: + additionalProperties: false + description: Annotation from query results matching a filter + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: 
'#/components/schemas/Kibana_HTTP_APIs_autoColor' + extra_fields: + description: Additional fields for annotation tooltip items: - format: uri + description: Additional field to include in tooltip type: string - maxItems: 10 - minItems: 1 + maxItems: 100 type: array - id: - type: string - is_default: - default: false - type: boolean - is_default_monitoring: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: - type: boolean - kibana_api_key: - nullable: true - type: string - kibana_url: - nullable: true - type: string - name: - type: string - otel_disable_beatsauth: - nullable: true - type: boolean - otel_exporter_config_yaml: - nullable: true - type: string - preset: + icon: + description: Icon to display at the annotation point enum: - - balanced - - custom - - throughput - - scale - - latency + - asterisk + - alert + - bell + - bolt + - bug + - circle + - editor_comment + - flag + - heart + - map_marker + - pin_filled + - star_empty + - star_filled + - tag + - triangle type: string - proxy_id: - nullable: true + label: + description: Label text for the annotation type: string - secrets: - additionalProperties: true + line: + additionalProperties: false + description: Vertical line configuration for point annotation type: object properties: - service_token: - anyOf: - - additionalProperties: true - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: true - type: object - properties: - key: - anyOf: - - additionalProperties: true - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - service_token: - nullable: true + stroke_dash: + description: Vertical line style + enum: + - solid + - dashed + - dotted + type: string + stroke_width: + description: Vertical line width in pixels + maximum: 10 + minimum: 1 + type: number + required: + - stroke_width + - stroke_dash + query: + $ref: 
'#/components/schemas/Kibana_HTTP_APIs_filterSimple' + text: + additionalProperties: false + description: Annotation text label configuration + type: object + properties: + field: + description: Field name for text label source + type: string + visible: + description: Show text label on the annotation + type: boolean + required: + - visible + time_field: + description: Field containing the timestamp type: string - shipper: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' - nullable: true - ssl: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' - nullable: true - sync_integrations: - type: boolean - sync_uninstalled_integrations: - type: boolean type: enum: - - remote_elasticsearch + - query type: string - write_to_logs_streams: - nullable: true + visible: + description: Show the annotation type: boolean required: - - name - type - - hosts - title: output_remote_elasticsearch + - query + - time_field + title: xyAnnotationQuery type: object - Kibana_HTTP_APIs_output_shipper: - additionalProperties: true + Kibana_HTTP_APIs_xyBreakdownDateHistogram: + additionalProperties: false properties: - compression_level: - nullable: true - type: number - disk_queue_compression_enabled: - nullable: true + aggregate_first: + description: When `true`, aggregates data before splitting into series. Defaults to `false`. type: boolean - disk_queue_enabled: - default: false - nullable: true + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + drop_partial_intervals: + description: When `true`, drops partial intervals from the results. type: boolean - disk_queue_encryption_enabled: - nullable: true + field: + description: Field to be used for the date histogram. + type: string + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. 
type: boolean - disk_queue_max_size: - nullable: true - type: number - disk_queue_path: - nullable: true + label: + description: Label for the operation type: string - loadbalance: - nullable: true + operation: + enum: + - date_histogram + type: string + suggested_interval: + default: auto + description: Suggested time interval. + type: string + use_original_time_range: + default: false + description: When `true`, uses the original time range instead of the current query time range. type: boolean - max_batch_bytes: - nullable: true - type: number - mem_queue_events: - nullable: true - type: number - queue_flush_timeout: - nullable: true - type: number required: - - disk_queue_path - - disk_queue_max_size - - disk_queue_encryption_enabled - - disk_queue_compression_enabled - - compression_level - - loadbalance - - mem_queue_events - - queue_flush_timeout - - max_batch_bytes - title: output_shipper + - operation + - field + title: Date Histogram Operation type: object - Kibana_HTTP_APIs_output_ssl: - additionalProperties: true + Kibana_HTTP_APIs_xyBreakdownFilters: + additionalProperties: false properties: - certificate: - type: string - certificate_authorities: + aggregate_first: + description: When `true`, aggregates data before splitting into series. Defaults to `false`. 
+ type: boolean + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + filters: items: - type: string - maxItems: 10 + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterWithLabel' + maxItems: 100 type: array - key: + label: + description: Label for the operation type: string - verification_mode: + operation: enum: - - full - - none - - certificate - - strict + - filters type: string - title: output_ssl + required: + - operation + - filters + title: Filters Operation type: object - Kibana_HTTP_APIs_package_icon: + Kibana_HTTP_APIs_xyBreakdownHistogram: additionalProperties: false properties: - dark_mode: + aggregate_first: + description: When `true`, aggregates data before splitting into series. Defaults to `false`. type: boolean - path: - type: string - size: - type: string - src: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + field: + description: Field to be used for the histogram. type: string - title: + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + granularity: + anyOf: + - description: Granularity of the histogram. + maximum: 7 + minimum: 1 + type: number + - enum: + - auto + type: string + default: auto + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. + type: boolean + label: + description: Label for the operation type: string - type: + operation: + enum: + - histogram type: string required: - - src - title: package_icon + - operation + - field + title: Histogram Operation type: object - Kibana_HTTP_APIs_package_list_item: - additionalProperties: true + Kibana_HTTP_APIs_xyBreakdownRanges: + additionalProperties: false properties: - categories: + aggregate_first: + description: When `true`, aggregates data before splitting into series. Defaults to `false`. 
+ type: boolean + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + field: + description: Field to be used for the range. + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - range + type: string + ranges: items: - type: string + additionalProperties: false + type: object + properties: + gt: + description: Greater than. + type: number + label: + description: Label. + type: string + lte: + description: Less than or equal to. + type: number maxItems: 100 type: array - conditions: - additionalProperties: true + required: + - operation + - field + - ranges + title: Ranges Operation + type: object + Kibana_HTTP_APIs_xyBreakdownTerms: + additionalProperties: false + properties: + aggregate_first: + description: When `true`, aggregates data before splitting into series. Defaults to `false`. + type: boolean + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + excludes: + additionalProperties: false type: object properties: - deprecated: - $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' - elastic: - additionalProperties: true - type: object - properties: - capabilities: - items: - type: string - maxItems: 10 - type: array - subscription: - type: string - kibana: - additionalProperties: true - type: object - properties: - version: - type: string + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to exclude. + type: string + maxItems: 100 + type: array required: - - deprecated - data_streams: + - values + fields: items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 + description: Fields to be used for the terms. 
+ type: string + maxItems: 4 + minItems: 1 type: array - deprecated: - $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' - description: - type: string - discovery: - additionalProperties: true + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + includes: + additionalProperties: false type: object properties: - datasets: - items: - additionalProperties: true - type: object - properties: - name: - type: string - required: - - name - maxItems: 100 - type: array - fields: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: items: - additionalProperties: true - type: object - properties: - name: - type: string - required: - - name + description: Values to include. + type: string maxItems: 100 type: array - download: - type: string - format_version: - type: string - icons: - items: - $ref: '#/components/schemas/Kibana_HTTP_APIs_package_icon' - maxItems: 100 - type: array - id: - type: string - installationInfo: - $ref: '#/components/schemas/Kibana_HTTP_APIs_installation_info' - integration: - type: string - internal: + required: + - values + increase_accuracy: + description: When `true`, increases accuracy at the cost of performance. type: boolean - latestVersion: - type: string - name: - type: string - owner: - additionalProperties: true - type: object - properties: - github: - type: string - type: - enum: - - elastic - - partner - - community - type: string - path: - type: string - policy_templates: - items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 - type: array - readme: + label: + description: Label for the operation type: string - release: + limit: + default: 5 + description: Number of terms to return. 
+ type: number + operation: enum: - - ga - - beta - - experimental - type: string - signature_path: + - terms type: string - source: - additionalProperties: true + other_bucket: + additionalProperties: false type: object properties: - license: - type: string + include_documents_without_field: + description: When `true`, includes documents that do not have the specified field. + type: boolean required: - - license - status: - type: string - title: - type: string - type: + - include_documents_without_field + rank_by: anyOf: - - enum: - - integration - type: string - - enum: - - input - type: string - - enum: - - content - type: string - - type: string - var_groups: - items: - additionalProperties: true - type: object - properties: - description: - type: string - name: - type: string - options: - items: - additionalProperties: true - type: object - properties: - description: - type: string - hide_in_deployment_modes: - items: - enum: - - default - - agentless - type: string - maxItems: 2 - type: array - name: - type: string - title: - type: string - vars: - items: - type: string - maxItems: 100 - type: array - required: - - name - - title - - vars - maxItems: 100 - type: array - selector_title: - type: string - title: - type: string - required: - - name - - title - - selector_title - - options - maxItems: 100 - type: array - vars: - items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 - type: array - version: - type: string - required: - - installationInfo - - name - - version - - title - - deprecated - - id - title: package_list_item - type: object - Kibana_HTTP_APIs_package_metadata: - additionalProperties: false - properties: - has_policies: - type: boolean + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByAlphabetical' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByRare' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankBySignificant' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByMetric' + - 
$ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomCountOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileRankOperation' required: - - has_policies - title: package_metadata + - operation + - fields + title: Terms Operation type: object - x-oas-optional: true - Kibana_HTTP_APIs_package_policy_package: + Kibana_HTTP_APIs_xyChartESQL: additionalProperties: false + description: XY chart configuration for ES|QL queries properties: - experimental_data_stream_features: + axis: + $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_xy_axis_config' + description: + type: string + drilldowns: items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true properties: - doc_value_only_numeric: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. type: boolean - doc_value_only_other: + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. type: boolean - synthetic_source: + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. 
type: boolean - tsdb: + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true type: boolean - required: - - data_stream - - features + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object maxItems: 100 type: array - fips_compatible: + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + hide_border: type: boolean - name: - description: Package name - type: string - requires_root: + hide_title: type: boolean + layers: + description: ES|QL chart layers + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_xyLayerESQL' + maxItems: 100 + minItems: 1 + type: array + legend: + $ref: '#/components/schemas/Kibana_HTTP_APIs_xyLegend' + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_xyStyling' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' title: type: string - version: - description: Package version + type: + enum: + - xy type: string 
required: - - name - - version - title: package_policy_package + - type + - layers + title: XY Chart (ES|QL) type: object - x-oas-optional: true - Kibana_HTTP_APIs_package_policy_response: + Kibana_HTTP_APIs_xyChartNoESQL: additionalProperties: false + description: XY chart configuration for DSL queries properties: - additional_datastreams_permissions: - description: >- - Additional datastream permissions, that will be added to the agent - policy. - items: - type: string - maxItems: 1000 - nullable: true - type: array - agents: - type: number - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. - nullable: true - type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. - maxLength: 255 - minLength: 1 - nullable: true - type: string - condition: - description: >- - **Experimental.** Agent condition expression to evaluate whether to - apply this integration to its inputs. - type: string - created_at: - type: string - created_by: - type: string + axis: + $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_xy_axis_config' description: - description: Package policy description type: string - elasticsearch: - additionalProperties: true - type: object - properties: - privileges: - additionalProperties: true - type: object - properties: - cluster: - items: - type: string - maxItems: 100 - type: array - enabled: - type: boolean - global_data_tags: + drilldowns: items: - additionalProperties: false - type: object - properties: - name: - description: The name of the custom field. Cannot contain spaces. - type: string - value: - anyOf: - - type: string - - type: number - description: The value of the custom field. 
- required: - - name - - value - maxItems: 100 - nullable: true - type: array - id: - type: string - inputs: - anyOf: - - items: - additionalProperties: false - type: object + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true properties: - compiled_input: - nullable: true - condition: - description: >- - **Experimental.** Agent condition expression to evaluate - whether to apply this input. + dashboard_id: type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation for more - information) - type: object - deprecated: - $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' - enabled: - type: boolean - id: + label: type: string - keep_enabled: + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. type: boolean - migrate_from: + trigger: + enum: + - on_apply_filter type: string - name: + type: + enum: + - dashboard_drilldown type: string - policy_template: + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. + type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - condition: - description: >- - **Experimental.** Agent condition expression to - evaluate whether to apply this stream. 
- type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation for - more information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_deprecation_info - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: >- - Variable group selections. Maps var_group name to - the selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation for - more information) - type: object - required: - - enabled - - data_stream - - compiled_stream - - deprecated - maxItems: 1000 - type: array type: + enum: + - discover_drilldown type: string - var_group_selections: - additionalProperties: - type: string - description: >- - Variable group selections. Maps var_group name to the - selected option name within that group. 
- type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation for more - information) - type: object required: + - label + - trigger - type - - enabled - - streams - - deprecated - - compiled_input - maxItems: 100 - type: array - - additionalProperties: - additionalProperties: false + title: discover_drilldown type: object + - additionalProperties: false properties: - condition: - description: >- - **Experimental.** Agent condition expression to evaluate - whether to apply this input. + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: type: string - deprecated: - $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' - enabled: - description: >- - Enable or disable that input. Defaults to `true` - (enabled). + open_in_new_tab: + default: true type: boolean - streams: - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: >- - **Experimental.** Agent condition expression to - evaluate whether to apply this stream. - type: string - deprecated: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_deprecation_info - enabled: - description: >- - Enable or disable that stream. Defaults to `true` - (enabled). - type: boolean - var_group_selections: - additionalProperties: - type: string - description: >- - Variable group selections. Maps var_group name to - the selected option name within that group. 
- type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: >- - Input/stream level variable. Refer to the - integration documentation for more information. - type: object - required: - - deprecated - description: >- - Input streams. Refer to the integration documentation to - know which streams are available. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: >- - Input/stream level variable. Refer to the integration - documentation for more information. - type: object + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string required: - - deprecated - description: >- - Package policy inputs. Refer to the integration documentation to - know which inputs are available. - type: object - x-oas-optional: true - description: Package policy inputs. - is_managed: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + hide_border: type: boolean - name: - description: Unique name for the package policy. 
+ hide_title: + type: boolean + layers: + description: Chart layers + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_xyLayersNoESQL' + maxItems: 100 + minItems: 1 + type: array + legend: + $ref: '#/components/schemas/Kibana_HTTP_APIs_xyLegend' + query: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_xyStyling' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: type: string - namespace: - description: >- - The package policy namespace. Leave blank to inherit the agent - policy's namespace. + type: + enum: + - xy type: string - output_id: - nullable: true + required: + - type + - layers + title: XY Chart (DSL) + type: object + Kibana_HTTP_APIs_xyFitting: + additionalProperties: false + description: Missing data interpolation configuration for line and area series + properties: + emphasize: + description: Visually distinguish fitted segments with a dashed line style and reduced area opacity + type: boolean + extend: + description: How to render line and area edges when data does not cover the full X domain + enum: + - none + - zero + - nearest type: string - overrides: + type: + description: Fitting function type for missing data + enum: + - none + - zero + - linear + - carry + - lookahead + - average + - nearest + type: string + required: + - type + title: xyFitting + type: object + Kibana_HTTP_APIs_xyLayerESQL: + additionalProperties: false + description: Data layer for ES|QL queries with column references + properties: + breakdown_by: additionalProperties: false - description: >- - Override settings that are defined in the package policy. The - override option should be used only in unusual circumstances and not - as a routine procedure. 
- nullable: true + description: ES|QL column for breakdown type: object properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_package' - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. - nullable: true - type: string - policy_ids: - items: - description: >- - IDs of the agent policies which that package policy will be added - to. - type: string - maxItems: 1000 - type: array - revision: - description: Package policy revision. + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + column: + description: Column to use + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + required: + - column + data_source: + $ref: '#/components/schemas/Kibana_HTTP_APIs_esqlDataSource' + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. + type: boolean + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). 
+ maximum: 1 + minimum: 0 type: number - secret_references: + type: + description: Chart type for the data layer + enum: + - area + - area_percentage + - area_stacked + - bar + - bar_horizontal + - bar_horizontal_stacked + - bar_horizontal_percentage + - bar_percentage + - bar_stacked + - line + type: string + x: + additionalProperties: false + type: object + properties: + column: + description: Column to use + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + required: + - column + 'y': + description: Array of ES|QL columns for Y-axis metrics items: additionalProperties: false + description: ES|QL column for Y-axis metric type: object properties: - id: + axis: + description: The Y axis this metric is plotted on. Values match the root axis configuration keys (axis.y, axis.y2). If omitted, defaults to the Y axis start (leading) side. + enum: + - 'y' + - y2 + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + column: + description: Column to use + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string required: - - id - maxItems: 1000 - type: array - spaceIds: - items: - type: string + - column maxItems: 100 type: array - supports_agentless: - default: false - description: >- - Indicates whether the package policy belongs to an agentless agent - policy. 
- nullable: true - type: boolean - supports_cloud_connector: + required: + - data_source + - type + - 'y' + title: Layer (ES|QL) + type: object + Kibana_HTTP_APIs_xyLayerNoESQL: + additionalProperties: false + description: Data layer for standard queries with metrics and buckets + properties: + breakdown_by: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyBreakdownDateHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyBreakdownTerms' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyBreakdownHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyBreakdownRanges' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyBreakdownFilters' + data_source: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' + ignore_global_filters: default: false - description: Indicates whether the package policy supports cloud connectors. - nullable: true + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. type: boolean - updated_at: - type: string - updated_by: - type: string - var_group_selections: - additionalProperties: + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). 
+ maximum: 1 + minimum: 0 + type: number + type: + description: Chart type for the data layer + enum: + - area + - area_percentage + - area_stacked + - bar + - bar_horizontal + - bar_horizontal_stacked + - bar_horizontal_percentage + - bar_percentage + - bar_stacked + - line + type: string + x: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyXDateHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyXTerms' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyXHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyXRanges' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyXFilters' + 'y': + description: Array of metrics to display on Y-axis + items: + anyOf: + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyYCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyYUniqueCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyYStatsMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyYSumMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyYLastValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyYPercentile' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyYPercentileRanks' + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyYDifferences' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyYMovingAverage' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyYCumulativeSum' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyYCounterRate' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyYFormula' + maxItems: 100 + type: array + required: + - type + - data_source + - 'y' + title: Layer (DSL) + type: object + Kibana_HTTP_APIs_xyLayersESQL: + $ref: '#/components/schemas/Kibana_HTTP_APIs_xyLayerESQL' + description: XY chart layer types for ES|QL queries + title: xyLayersESQL + Kibana_HTTP_APIs_xyLayersNoESQL: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyLayerNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyReferenceLineLayerNoESQL' + - $ref: 
'#/components/schemas/Kibana_HTTP_APIs_xyAnnotationLayerNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyAnnotationByRefLayer' + description: XY chart layer types for DSL queries + title: xyLayersNoESQL + Kibana_HTTP_APIs_xyLegend: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyLegendOutsideHorizontal' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyLegendOutsideVertical' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyLegendInside' + description: Legend configuration for XY chart + title: Legend + Kibana_HTTP_APIs_xyLegendInside: + additionalProperties: false + description: Inside legend + properties: + columns: + description: Number of legend columns + maximum: 5 + minimum: 1 + type: number + layout: + additionalProperties: false + type: object + properties: + truncate: + additionalProperties: false + type: object + properties: + enabled: + description: Enable truncation of legend items + type: boolean + max_lines: + description: Number of lines before legend items are truncated. + maximum: 10 + minimum: 1 + title: legendTruncateAfterLines + type: number + type: + enum: + - grid + type: string + required: + - type + placement: + enum: + - inside + type: string + position: + description: Legend position inside the chart + enum: + - top_left + - top_right + - bottom_left + - bottom_right + type: string + series_header: + $ref: '#/components/schemas/Kibana_HTTP_APIs_xyLegendSeriesHeader' + statistics: + description: Statistics to display in legend + items: + description: Statistical functions that can be displayed in chart legend for data series + enum: + - min + - max + - avg + - median + - range + - last_value + - last_non_null_value + - first_value + - first_non_null_value + - difference + - difference_percentage + - count + - total + - standard_deviation + - variance + - distinct_count + - current_and_last_value type: string - description: >- - Variable group selections. 
Maps var_group name to the selected - option name within that group. - type: object - vars: + maxItems: 17 + type: array + visibility: + description: Legend visibility. + enum: + - auto + - visible + - hidden + type: string + required: + - placement + title: Inside + type: object + Kibana_HTTP_APIs_xyLegendOutsideHorizontal: + additionalProperties: false + description: Outside legend positioned horizontal (top/bottom) of the chart + properties: + layout: anyOf: - - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation for more - information) + - additionalProperties: false type: object - - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: + properties: + truncate: + additionalProperties: false + type: object + properties: + enabled: + description: Enable truncation of legend items + type: boolean + max_lines: + description: Number of lines before legend items are truncated. + maximum: 10 + minimum: 1 + title: legendTruncateAfterLines type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: >- - Input/stream level variable. Refer to the integration - documentation for more information. + type: + enum: + - grid + type: string + required: + - type + - additionalProperties: false type: object - x-oas-optional: true - description: Package level variable. - version: - description: Package policy ES version. 
+ properties: + type: + enum: + - list + type: string + required: + - type + placement: + enum: + - outside type: string - required: - - name - - enabled - - package - - inputs - - revision - - updated_at - - updated_by - - created_at - - created_by - title: package_policy_response + position: + enum: + - top + - bottom + type: string + series_header: + $ref: '#/components/schemas/Kibana_HTTP_APIs_xyLegendSeriesHeader' + statistics: + description: Statistics to display in legend + items: + description: Statistical functions that can be displayed in chart legend for data series + enum: + - min + - max + - avg + - median + - range + - last_value + - last_non_null_value + - first_value + - first_non_null_value + - difference + - difference_percentage + - count + - total + - standard_deviation + - variance + - distinct_count + - current_and_last_value + type: string + maxItems: 17 + type: array + visibility: + description: Legend visibility. + enum: + - auto + - visible + - hidden + type: string + title: Outside horizontal type: object - Kibana_HTTP_APIs_package_policy_status_response: + Kibana_HTTP_APIs_xyLegendOutsideVertical: additionalProperties: false + description: Outside legend positioned vertical (left/right) of the chart properties: - body: + layout: additionalProperties: false type: object properties: - message: + truncate: + additionalProperties: false + type: object + properties: + enabled: + description: Enable truncation of legend items + type: boolean + max_lines: + description: Number of lines before legend items are truncated. 
+ maximum: 10 + minimum: 1 + title: legendTruncateAfterLines + type: number + type: + enum: + - grid type: string required: - - message - id: + - type + placement: + enum: + - outside type: string - name: + position: + enum: + - left + - right type: string - statusCode: - type: number - success: + series_header: + $ref: '#/components/schemas/Kibana_HTTP_APIs_xyLegendSeriesHeader' + size: + $ref: '#/components/schemas/Kibana_HTTP_APIs_legendSize' + statistics: + description: Statistics to display in legend + items: + description: Statistical functions that can be displayed in chart legend for data series + enum: + - min + - max + - avg + - median + - range + - last_value + - last_non_null_value + - first_value + - first_non_null_value + - difference + - difference_percentage + - count + - total + - standard_deviation + - variance + - distinct_count + - current_and_last_value + type: string + maxItems: 17 + type: array + visibility: + description: Legend visibility. + enum: + - auto + - visible + - hidden + type: string + title: Outside vertical + type: object + Kibana_HTTP_APIs_xyLegendSeriesHeader: + additionalProperties: false + description: Legend table series header configuration. + properties: + text: + description: Legend table series header text. + type: string + visible: + description: When true, shows the legend table series header. 
type: boolean - required: - - id - - success - title: package_policy_status_response + title: xyLegendSeriesHeader type: object - Kibana_HTTP_APIs_reauthorize_transform_request: + Kibana_HTTP_APIs_xyReferenceLineLayerNoESQL: additionalProperties: false + description: Reference line layer for standard queries properties: - transforms: + data_source: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. + type: boolean + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). + maximum: 1 + minimum: 0 + type: number + thresholds: + description: Array of reference line thresholds items: - additionalProperties: false - type: object - properties: - transformId: - type: string - required: - - transformId - maxItems: 1000 + anyOf: + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyRefLineCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyRefLineUniqueCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyRefLineStatsMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyRefLineSumMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyRefLineLastValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyRefLinePercentile' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyRefLinePercentileRanks' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyRefLineStatic' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyRefLineFormula' + maxItems: 100 + minItems: 1 type: array + type: + enum: + - reference_lines + type: string required: - - transforms - title: reauthorize_transform_request + - type + - data_source + - thresholds + title: Reference Line Layer (DSL) type: object - Kibana_HTTP_APIs_review_upgrade_request: + 
Kibana_HTTP_APIs_xyRefLineCountMetric: additionalProperties: false properties: - action: + axis: + description: The axis this reference line is drawn on. Values match the root axis configuration keys. If omitted, defaults to the primary Y axis. enum: - - accept - - decline - - pending + - x + - 'y' + - y2 type: string - target_version: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. + type: boolean + field: + description: Field to be used for the metric + type: string + fill: + description: Fill direction for reference line + enum: + - above + - below + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + icon: + description: Icon to display on the reference line + enum: + - asterisk + - alert + - bell + - bolt + - bug + - circle + - editor_comment + - flag + - heart + - map_marker + - pin_filled + - star_empty + - star_filled + - tag + - triangle + type: string + label: + description: Label for the operation + type: string + operation: + enum: + - count + type: string + position: + description: Position of the icon and label relative to the reference line + enum: + - auto + - left + - right + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + stroke_dash: + description: Line style + enum: + - solid + - dashed + - dotted + type: string + stroke_width: + description: Line width in pixels + maximum: 10 + minimum: 1 + type: number + text: + additionalProperties: false + description: Reference line text label configuration + type: object + properties: + visible: + description: Show text label on the reference line + type: boolean + required: + - visible + time_scale: + $ref: 
'#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting type: string required: - - action - - target_version - title: review_upgrade_request + - operation + title: Count Metric Operation type: object - Kibana_HTTP_APIs_review_upgrade_response: + Kibana_HTTP_APIs_xyRefLineFormula: additionalProperties: false properties: - success: - type: boolean + axis: + description: The axis this reference line is drawn on. Values match the root axis configuration keys. If omitted, defaults to the primary Y axis. + enum: + - x + - 'y' + - y2 + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + fill: + description: Fill direction for reference line + enum: + - above + - below + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + formula: + description: Formula + type: string + icon: + description: Icon to display on the reference line + enum: + - asterisk + - alert + - bell + - bolt + - bug + - circle + - editor_comment + - flag + - heart + - map_marker + - pin_filled + - star_empty + - star_filled + - tag + - triangle + type: string + label: + description: Label for the operation + type: string + operation: + enum: + - formula + type: string + position: + description: Position of the icon and label relative to the reference line + enum: + - auto + - left + - right + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + stroke_dash: + description: Line style + enum: + - solid + - dashed + - dotted + type: string + stroke_width: + description: Line width in pixels + maximum: 10 + minimum: 1 + type: number + text: + additionalProperties: false + description: Reference line text label configuration + type: object + 
properties: + visible: + description: Show text label on the reference line + type: boolean + required: + - visible + time_scale: + description: Time scale + enum: + - s + - m + - h + - d + type: string required: - - success - title: review_upgrade_response + - operation + - formula + title: Formula Operation type: object - Kibana_HTTP_APIs_rollback_package_response: + Kibana_HTTP_APIs_xyRefLineLastValue: additionalProperties: false properties: - success: + axis: + description: The axis this reference line is drawn on. Values match the root axis configuration keys. If omitted, defaults to the primary Y axis. + enum: + - x + - 'y' + - y2 + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + fill: + description: Fill direction for reference line + enum: + - above + - below + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + icon: + description: Icon to display on the reference line + enum: + - asterisk + - alert + - bell + - bolt + - bug + - circle + - editor_comment + - flag + - heart + - map_marker + - pin_filled + - star_empty + - star_filled + - tag + - triangle + type: string + label: + description: Label for the operation + type: string + multi_value: + default: false + description: Whether to return all values for multi-value fields. Only affects data table and metric charts; other charts use the last value from the array. 
type: boolean - version: + operation: + enum: + - last_value + type: string + position: + description: Position of the icon and label relative to the reference line + enum: + - auto + - left + - right + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + stroke_dash: + description: Line style + enum: + - solid + - dashed + - dotted + type: string + stroke_width: + description: Line width in pixels + maximum: 10 + minimum: 1 + type: number + text: + additionalProperties: false + description: Reference line text label configuration + type: object + properties: + visible: + description: Show text label on the reference line + type: boolean + required: + - visible + time_field: + description: Time field used to determine document recency + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting type: string required: - - version - - success - title: rollback_package_response + - field + - operation + - time_field + title: Last Value Operation type: object - Kibana_HTTP_APIs_simplified_create_package_policy_request: + Kibana_HTTP_APIs_xyRefLinePercentile: additionalProperties: false properties: - additional_datastreams_permissions: - description: >- - Additional datastream permissions, that will be added to the agent - policy. - items: - type: string - maxItems: 100 - nullable: true - type: array - cloud_connector: + axis: + description: The axis this reference line is drawn on. Values match the root axis configuration keys. If omitted, defaults to the primary Y axis. 
+ enum: + - x + - 'y' + - y2 + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + fill: + description: Fill direction for reference line + enum: + - above + - below + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + icon: + description: Icon to display on the reference line + enum: + - asterisk + - alert + - bell + - bolt + - bug + - circle + - editor_comment + - flag + - heart + - map_marker + - pin_filled + - star_empty + - star_filled + - tag + - triangle + type: string + label: + description: Label for the operation + type: string + operation: + enum: + - percentile + type: string + percentile: + default: 95 + description: Percentile + type: number + position: + description: Position of the icon and label relative to the reference line + enum: + - auto + - left + - right + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + stroke_dash: + description: Line style + enum: + - solid + - dashed + - dotted + type: string + stroke_width: + description: Line width in pixels + maximum: 10 + minimum: 1 + type: number + text: additionalProperties: false + description: Reference line text label configuration type: object properties: - cloud_connector_id: - description: >- - ID of an existing cloud connector to reuse. If not provided, a - new connector will be created. - type: string - enabled: - default: false - description: Whether cloud connectors are enabled for this policy. + visible: + description: Show text label on the reference line type: boolean - name: - description: >- - Optional name for the cloud connector. If not provided, will be - auto-generated from credentials. 
- maxLength: 255 - minLength: 1 - type: string - target_csp: - description: >- - Target cloud service provider. If not provided, will be - auto-detected from inputs. - enum: - - aws - - azure - - gcp - type: string - condition: - description: >- - **Experimental.** Agent condition expression to evaluate whether to - apply this integration to its inputs. + required: + - visible + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting type: string - description: - description: Policy description. + required: + - field + - operation + title: Percentile Operation + type: object + Kibana_HTTP_APIs_xyRefLinePercentileRanks: + additionalProperties: false + properties: + axis: + description: The axis this reference line is drawn on. Values match the root axis configuration keys. If omitted, defaults to the primary Y axis. + enum: + - x + - 'y' + - y2 type: string - force: - description: >- - Force package policy creation even if the package is not verified, - or if the agent policy is managed. - type: boolean - global_data_tags: - items: - additionalProperties: false - type: object - properties: - name: - description: The name of the custom field. Cannot contain spaces. - type: string - value: - anyOf: - - type: string - - type: number - description: The value of the custom field. - required: - - name - - value - maxItems: 100 - type: array - id: - description: Policy unique identifier. + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric type: string - inputs: - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: >- - **Experimental.** Agent condition expression to evaluate - whether to apply this input. 
- type: string - deprecated: - $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' - enabled: - description: Enable or disable that input. Defaults to `true` (enabled). - type: boolean - streams: - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: >- - **Experimental.** Agent condition expression to evaluate - whether to apply this stream. - type: string - deprecated: - $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' - enabled: - description: >- - Enable or disable that stream. Defaults to `true` - (enabled). - type: boolean - var_group_selections: - additionalProperties: - type: string - description: >- - Variable group selections. Maps var_group name to the - selected option name within that group. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: >- - Input/stream level variable. Refer to the integration - documentation for more information. - type: object - required: - - deprecated - description: >- - Input streams. Refer to the integration documentation to know - which streams are available. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: >- - Input/stream level variable. Refer to the integration - documentation for more information. 
- type: object - required: - - deprecated - description: >- - Package policy inputs. Refer to the integration documentation to - know which inputs are available. - type: object - name: - description: Unique name for the policy. + fill: + description: Fill direction for reference line + enum: + - above + - below type: string - namespace: - description: >- - Policy namespace. When not specified, it inherits the agent policy - namespace. + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + icon: + description: Icon to display on the reference line + enum: + - asterisk + - alert + - bell + - bolt + - bug + - circle + - editor_comment + - flag + - heart + - map_marker + - pin_filled + - star_empty + - star_filled + - tag + - triangle type: string - package: - $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_package' - policy_template: - description: >- - The policy template to use for the agentless package policy. If not - provided, the default policy template will be used. + label: + description: Label for the operation type: string - var_group_selections: - additionalProperties: - type: string - description: >- - Variable group selections. Maps var_group name to the selected - option name within that group. 
+ operation: + enum: + - percentile_rank + type: string + position: + description: Position of the icon and label relative to the reference line + enum: + - auto + - left + - right + type: string + rank: + default: 0 + description: Percentile Rank + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + stroke_dash: + description: Line style + enum: + - solid + - dashed + - dotted + type: string + stroke_width: + description: Line width in pixels + maximum: 10 + minimum: 1 + type: number + text: + additionalProperties: false + description: Reference line text label configuration type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: >- - Input/stream level variable. Refer to the integration documentation - for more information. + properties: + visible: + description: Show text label on the reference line + type: boolean + required: + - visible + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Percentile Ranks Operation + type: object + Kibana_HTTP_APIs_xyRefLineStatic: + additionalProperties: false + properties: + axis: + description: The axis this reference line is drawn on. Values match the root axis configuration keys. If omitted, defaults to the primary Y axis. 
+ enum: + - x + - 'y' + - y2 + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + fill: + description: Fill direction for reference line + enum: + - above + - below + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + icon: + description: Icon to display on the reference line + enum: + - asterisk + - alert + - bell + - bolt + - bug + - circle + - editor_comment + - flag + - heart + - map_marker + - pin_filled + - star_empty + - star_filled + - tag + - triangle + type: string + label: + description: Label for the operation + type: string + operation: + enum: + - static_value + type: string + position: + description: Position of the icon and label relative to the reference line + enum: + - auto + - left + - right + type: string + stroke_dash: + description: Line style + enum: + - solid + - dashed + - dotted + type: string + stroke_width: + description: Line width in pixels + maximum: 10 + minimum: 1 + type: number + text: + additionalProperties: false + description: Reference line text label configuration type: object + properties: + visible: + description: Show text label on the reference line + type: boolean + required: + - visible + value: + default: 100 + description: Static value + type: number required: - - name - - package - title: simplified_create_package_policy_request + - operation + title: Static Operation Definition type: object - Kibana_HTTP_APIs_update_output_elasticsearch: + Kibana_HTTP_APIs_xyRefLineStatsMetric: additionalProperties: false properties: - allow_edit: - items: - type: string - maxItems: 1000 - type: array - ca_sha256: - nullable: true + axis: + description: The axis this reference line is drawn on. Values match the root axis configuration keys. If omitted, defaults to the primary Y axis. 
+ enum: + - x + - 'y' + - y2 type: string - ca_trusted_fingerprint: - nullable: true + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric type: string - config_yaml: - nullable: true + fill: + description: Fill direction for reference line + enum: + - above + - below type: string - hosts: - items: - format: uri - type: string - maxItems: 10 - minItems: 1 - type: array - id: + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + icon: + description: Icon to display on the reference line + enum: + - asterisk + - alert + - bell + - bolt + - bug + - circle + - editor_comment + - flag + - heart + - map_marker + - pin_filled + - star_empty + - star_filled + - tag + - triangle type: string - is_default: - type: boolean - is_default_monitoring: - type: boolean - is_internal: - type: boolean - is_preconfigured: - type: boolean - name: + label: + description: Label for the operation type: string - otel_disable_beatsauth: - nullable: true - type: boolean - otel_exporter_config_yaml: - nullable: true + operation: + enum: + - min + - max + - average + - median + - standard_deviation type: string - preset: + position: + description: Position of the icon and label relative to the reference line enum: - - balanced - - custom - - throughput - - scale - - latency + - auto + - left + - right type: string - proxy_id: - nullable: true + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting type: string - secrets: + stroke_dash: + description: Line style + enum: + - solid + - dashed + - dotted + type: string + stroke_width: + description: Line width in pixels + maximum: 10 + minimum: 1 + type: number + text: additionalProperties: false + description: Reference line text label configuration type: object properties: - 
ssl: - additionalProperties: false - type: object - properties: - key: - anyOf: - - additionalProperties: false - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - shipper: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' - nullable: true - ssl: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' - nullable: true - type: - enum: - - elasticsearch + visible: + description: Show text label on the reference line + type: boolean + required: + - visible + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting type: string - write_to_logs_streams: - nullable: true - type: boolean - title: update_output_elasticsearch + required: + - field + - operation + title: Stats Metric Operation type: object - Kibana_HTTP_APIs_update_output_kafka: + Kibana_HTTP_APIs_xyRefLineSumMetric: additionalProperties: false properties: - allow_edit: - items: - type: string - maxItems: 1000 - type: array - auth_type: + axis: + description: The axis this reference line is drawn on. Values match the root axis configuration keys. If omitted, defaults to the primary Y axis. enum: - - none - - user_pass - - ssl - - kerberos + - x + - 'y' + - y2 type: string - broker_timeout: - type: number - ca_sha256: - nullable: true + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric type: string - ca_trusted_fingerprint: - nullable: true + fill: + description: Fill direction for reference line + enum: + - above + - below type: string - client_id: + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + icon: + description: Icon to display on the reference line + enum: + - asterisk + - alert + - bell + - bolt + - bug + - circle + - editor_comment + - flag + - heart + - map_marker + - pin_filled + - star_empty + - star_filled + - tag + - triangle type: string - compression: + label: + description: Label for the operation + type: string + operation: enum: - - gzip - - snappy - - lz4 - - none + - sum type: string - compression_level: - nullable: true - type: number - config_yaml: - nullable: true + position: + description: Position of the icon and label relative to the reference line + enum: + - auto + - left + - right type: string - connection_type: + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + stroke_dash: + description: Line style enum: - - plaintext - - encryption + - solid + - dashed + - dotted type: string - hash: + stroke_width: + description: Line width in pixels + maximum: 10 + minimum: 1 + type: number + text: additionalProperties: false + description: Reference line text label configuration type: object properties: - hash: - type: string - random: + visible: + description: Show text label on the reference line type: boolean - headers: - items: - additionalProperties: false - type: object - properties: - key: - type: string - value: - type: string - required: - - key - - value - maxItems: 100 - type: array - hosts: - items: - type: string - maxItems: 10 - minItems: 1 - type: array - id: + required: + - visible + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + 
description: Time shift + title: Operation Time Shift Setting type: string - is_default: - default: false - type: boolean - is_default_monitoring: + required: + - field + - operation + title: Sum Metric Operation + type: object + Kibana_HTTP_APIs_xyRefLineUniqueCountMetric: + additionalProperties: false + properties: + axis: + description: The axis this reference line is drawn on. Values match the root axis configuration keys. If omitted, defaults to the primary Y axis. + enum: + - x + - 'y' + - y2 + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + empty_as_null: default: false + description: When `true`, treats empty buckets as null instead of zero. type: boolean - is_internal: - type: boolean - is_preconfigured: - type: boolean - key: + field: + description: Field to be used for the metric type: string - name: + fill: + description: Fill direction for reference line + enum: + - above + - below type: string - otel_disable_beatsauth: - nullable: true - type: boolean - otel_exporter_config_yaml: - nullable: true + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + icon: + description: Icon to display on the reference line + enum: + - asterisk + - alert + - bell + - bolt + - bug + - circle + - editor_comment + - flag + - heart + - map_marker + - pin_filled + - star_empty + - star_filled + - tag + - triangle type: string - partition: + label: + description: Label for the operation + type: string + operation: enum: - - random - - round_robin - - hash + - unique_count type: string - password: - nullable: true + position: + description: Position of the icon and label relative to the reference line + enum: + - auto + - left + - right type: string - proxy_id: - nullable: true + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting type: 
string - random: + stroke_dash: + description: Line style + enum: + - solid + - dashed + - dotted + type: string + stroke_width: + description: Line width in pixels + maximum: 10 + minimum: 1 + type: number + text: additionalProperties: false + description: Reference line text label configuration type: object properties: - group_events: - type: number - required_acks: + visible: + description: Show text label on the reference line + type: boolean + required: + - visible + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Unique Count Metric Operation + type: object + Kibana_HTTP_APIs_xyStyling: + additionalProperties: false + description: Visual styling options for the chart + properties: + areas: + $ref: '#/components/schemas/Kibana_HTTP_APIs_xyStylingAreas' + bars: + $ref: '#/components/schemas/Kibana_HTTP_APIs_xyStylingBars' + fitting: + $ref: '#/components/schemas/Kibana_HTTP_APIs_xyFitting' + interpolation: + description: Curve interpolation method for line and area series enum: - - 1 - - 0 - - -1 - type: integer - round_robin: + - linear + - smooth + - stepped + type: string + overlays: + $ref: '#/components/schemas/Kibana_HTTP_APIs_xyStylingOverlays' + points: + $ref: '#/components/schemas/Kibana_HTTP_APIs_xyStylingPoints' + title: xyStyling + type: object + Kibana_HTTP_APIs_xyStylingAreas: + additionalProperties: false + description: Area-specific rendering settings + properties: + fill_opacity: + description: Area fill opacity (0-1 typical, max 2 for legacy) + maximum: 2 + minimum: 0 + type: number + title: xyStylingAreas + type: object + Kibana_HTTP_APIs_xyStylingBars: + additionalProperties: false + description: Bar-specific rendering settings + properties: + data_labels: additionalProperties: false + description: Data label configuration for bar series type: object properties: - 
group_events: - type: number - sasl: + visible: + default: false + description: Display value labels on bar data points + type: boolean + minimum_height: + description: Minimum bar height in pixels + minimum: 0 + type: number + title: xyStylingBars + type: object + Kibana_HTTP_APIs_xyStylingOverlays: + additionalProperties: false + description: Visual overlays drawn on top of the chart canvas + properties: + current_time_marker: additionalProperties: false - nullable: true + description: Current time marker configuration type: object properties: - mechanism: - enum: - - PLAIN - - SCRAM-SHA-256 - - SCRAM-SHA-512 - type: string - secrets: + visible: + default: false + description: Show current time marker line + type: boolean + partial_buckets: additionalProperties: false + description: Partial (incomplete) bucket indicator configuration type: object properties: - password: - anyOf: - - additionalProperties: false - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - key: - anyOf: - - additionalProperties: false - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - required: - - key - shipper: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' - nullable: true - ssl: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' - nullable: true - timeout: - type: number - topic: - type: string - type: + visible: + default: false + description: Show partial bucket indicators at time range edges + type: boolean + title: xyStylingOverlays + type: object + Kibana_HTTP_APIs_xyStylingPoints: + additionalProperties: false + description: Data point marker settings for line and area series + properties: + visibility: + description: Data point marker visibility on line and area series enum: - - kafka + - auto + - visible + - hidden type: string - username: - nullable: 
true + title: xyStylingPoints + type: object + Kibana_HTTP_APIs_xyXDateHistogram: + additionalProperties: false + properties: + drop_partial_intervals: + description: When `true`, drops partial intervals from the results. + type: boolean + field: + description: Field to be used for the date histogram. type: string - version: + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. + type: boolean + label: + description: Label for the operation + type: string + operation: + enum: + - date_histogram type: string + suggested_interval: + default: auto + description: Suggested time interval. + type: string + use_original_time_range: + default: false + description: When `true`, uses the original time range instead of the current query time range. + type: boolean required: - - name - title: update_output_kafka + - operation + - field + title: Date Histogram Operation type: object - Kibana_HTTP_APIs_update_output_logstash: + Kibana_HTTP_APIs_xyXFilters: additionalProperties: false properties: - allow_edit: + filters: items: - type: string - maxItems: 1000 + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterWithLabel' + maxItems: 100 type: array - ca_sha256: - nullable: true + label: + description: Label for the operation type: string - ca_trusted_fingerprint: - nullable: true + operation: + enum: + - filters type: string - config_yaml: - nullable: true + required: + - operation + - filters + title: Filters Operation + type: object + Kibana_HTTP_APIs_xyXHistogram: + additionalProperties: false + properties: + field: + description: Field to be used for the histogram. type: string - hosts: + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + granularity: + anyOf: + - description: Granularity of the histogram. + maximum: 7 + minimum: 1 + type: number + - enum: + - auto + type: string + default: auto + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. 
+ type: boolean + label: + description: Label for the operation + type: string + operation: + enum: + - histogram + type: string + required: + - operation + - field + title: Histogram Operation + type: object + Kibana_HTTP_APIs_xyXRanges: + additionalProperties: false + properties: + field: + description: Field to be used for the range. + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - range + type: string + ranges: + items: + additionalProperties: false + type: object + properties: + gt: + description: Greater than. + type: number + label: + description: Label. + type: string + lte: + description: Less than or equal to. + type: number + maxItems: 100 + type: array + required: + - operation + - field + - ranges + title: Ranges Operation + type: object + Kibana_HTTP_APIs_xyXTerms: + additionalProperties: false + properties: + excludes: + additionalProperties: false + type: object + properties: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to exclude. + type: string + maxItems: 100 + type: array + required: + - values + fields: items: + description: Fields to be used for the terms. type: string - maxItems: 10 + maxItems: 4 minItems: 1 type: array - id: - type: string - is_default: - type: boolean - is_default_monitoring: - type: boolean - is_internal: - type: boolean - is_preconfigured: - type: boolean - name: - type: string - otel_disable_beatsauth: - nullable: true + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + includes: + additionalProperties: false + type: object + properties: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to include. 
+ type: string + maxItems: 100 + type: array + required: + - values + increase_accuracy: + description: When `true`, increases accuracy at the cost of performance. type: boolean - otel_exporter_config_yaml: - nullable: true + label: + description: Label for the operation type: string - proxy_id: - nullable: true + limit: + default: 5 + description: Number of terms to return. + type: number + operation: + enum: + - terms type: string - secrets: + other_bucket: additionalProperties: false type: object properties: - ssl: - additionalProperties: false - type: object - properties: - key: - anyOf: - - additionalProperties: false - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - shipper: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' - nullable: true - ssl: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' - nullable: true - type: + include_documents_without_field: + description: When `true`, includes documents that do not have the specified field. + type: boolean + required: + - include_documents_without_field + rank_by: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByAlphabetical' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByRare' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankBySignificant' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomCountOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileRankOperation' + required: + - operation + - fields + title: Terms Operation + type: object + Kibana_HTTP_APIs_xyYCounterRate: + additionalProperties: false + properties: + axis: + description: The Y axis this metric is plotted on. 
Values match the root axis configuration keys (axis.y, axis.y2). If omitted, defaults to the Y axis start (leading) side. + enum: + - 'y' + - y2 + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - counter_rate + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Counter Rate Operation + type: object + Kibana_HTTP_APIs_xyYCountMetric: + additionalProperties: false + properties: + axis: + description: The Y axis this metric is plotted on. Values match the root axis configuration keys (axis.y, axis.y2). If omitted, defaults to the Y axis start (leading) side. + enum: + - 'y' + - y2 + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - operation + title: Count Metric Operation + type: object + Kibana_HTTP_APIs_xyYCumulativeSum: + additionalProperties: false + properties: + axis: + description: The Y axis this metric is plotted on. Values match the root axis configuration keys (axis.y, axis.y2). If omitted, defaults to the Y axis start (leading) side. + enum: + - 'y' + - y2 + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: enum: - - logstash + - cumulative_sum type: string - title: update_output_logstash + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Cumulative Sum Operation type: object - Kibana_HTTP_APIs_update_output_remote_elasticsearch: + Kibana_HTTP_APIs_xyYDifferences: 
additionalProperties: false properties: - allow_edit: - items: - type: string - maxItems: 1000 - type: array - ca_sha256: - nullable: true + axis: + description: The Y axis this metric is plotted on. Values match the root axis configuration keys (axis.y, axis.y2). If omitted, defaults to the Y axis start (leading) side. + enum: + - 'y' + - y2 type: string - ca_trusted_fingerprint: - nullable: true + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string - config_yaml: - nullable: true + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - differences type: string - hosts: - items: - format: uri - type: string - maxItems: 10 - minItems: 1 - type: array - id: + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting type: string - is_default: - type: boolean - is_default_monitoring: - type: boolean - is_internal: - type: boolean - is_preconfigured: - type: boolean - kibana_api_key: - nullable: true + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting type: string - kibana_url: - nullable: true + required: + - operation + - of + title: Differences Operation + type: object + Kibana_HTTP_APIs_xyYFormula: + additionalProperties: false + properties: + axis: + description: The Y axis this metric is plotted on. Values match the root axis configuration keys (axis.y, axis.y2). If omitted, defaults to the Y axis start (leading) side. 
+ enum: + - 'y' + - y2 type: string - name: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + formula: + description: Formula type: string - otel_disable_beatsauth: - nullable: true - type: boolean - otel_exporter_config_yaml: - nullable: true + label: + description: Label for the operation type: string - preset: + operation: enum: - - balanced - - custom - - throughput - - scale - - latency + - formula type: string - proxy_id: - nullable: true + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting type: string - secrets: - additionalProperties: false - type: object - properties: - service_token: - anyOf: - - additionalProperties: false - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - key: - anyOf: - - additionalProperties: false - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - service_token: - nullable: true + time_scale: + description: Time scale + enum: + - s + - m + - h + - d type: string - shipper: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' - nullable: true - ssl: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' - nullable: true - sync_integrations: - type: boolean - sync_uninstalled_integrations: - type: boolean - type: + required: + - operation + - formula + title: Formula Operation + type: object + Kibana_HTTP_APIs_xyYLastValue: + additionalProperties: false + properties: + axis: + description: The Y axis this metric is plotted on. Values match the root axis configuration keys (axis.y, axis.y2). 
If omitted, defaults to the Y axis start (leading) side. enum: - - remote_elasticsearch + - 'y' + - y2 type: string - write_to_logs_streams: - nullable: true + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + multi_value: + default: false + description: Whether to return all values for multi-value fields. Only affects data table and metric charts; other charts use the last value from the array. type: boolean - title: update_output_remote_elasticsearch + operation: + enum: + - last_value + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_field: + description: Time field used to determine document recency + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + - time_field + title: Last Value Operation type: object - Kibana_HTTP_APIs_update_package_policy_request: + Kibana_HTTP_APIs_xyYMovingAverage: additionalProperties: false properties: - additional_datastreams_permissions: - description: >- - Additional datastream permissions, that will be added to the agent - policy. - items: - type: string - maxItems: 1000 - nullable: true - type: array - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. - nullable: true + axis: + description: The Y axis this metric is plotted on. Values match the root axis configuration keys (axis.y, axis.y2). If omitted, defaults to the Y axis start (leading) side. 
+ enum: + - 'y' + - y2 type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. - maxLength: 255 - minLength: 1 - nullable: true + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string - condition: - description: >- - **Experimental.** Agent condition expression to evaluate whether to - apply this integration to its inputs. + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - moving_average type: string - description: - description: Package policy description + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting type: string - enabled: - type: boolean - force: - type: boolean - global_data_tags: - items: - additionalProperties: false - type: object - properties: - name: - description: The name of the custom field. Cannot contain spaces. - type: string - value: - anyOf: - - type: string - - type: number - description: The value of the custom field. - required: - - name - - value - maxItems: 100 - nullable: true - type: array - inputs: - items: - additionalProperties: false - type: object - properties: - condition: - description: >- - **Experimental.** Agent condition expression to evaluate - whether to apply this input. 
- type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation for more - information) - type: object - deprecated: - $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - condition: - description: >- - **Experimental.** Agent condition expression to evaluate - whether to apply this stream. - type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation for more - information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: >- - Variable group selections. Maps var_group name to the - selected option name within that group. 
- type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation for more - information) - type: object - required: - - enabled - - data_stream - - compiled_stream - - deprecated - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: >- - Variable group selections. Maps var_group name to the selected - option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation for more - information) - type: object - required: - - type - - enabled - - deprecated - maxItems: 1000 - type: array - is_managed: - type: boolean - name: + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting type: string - namespace: - description: >- - The package policy namespace. Leave blank to inherit the agent - policy's namespace. + window: + default: 5 + description: Window + type: number + required: + - operation + - of + title: Moving Average Operation + type: object + Kibana_HTTP_APIs_xyYPercentile: + additionalProperties: false + properties: + axis: + description: The Y axis this metric is plotted on. Values match the root axis configuration keys (axis.y, axis.y2). If omitted, defaults to the Y axis start (leading) side. 
+ enum: + - 'y' + - y2 type: string - output_id: - nullable: true + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric type: string - overrides: - additionalProperties: false - description: >- - Override settings that are defined in the package policy. The - override option should be used only in unusual circumstances and not - as a routine procedure. - nullable: true - type: object - properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_package' - package_agent_version_condition: + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. - nullable: true + operation: + enum: + - percentile type: string - policy_ids: - items: - description: >- - IDs of the agent policies which that package policy will be added - to. - type: string - maxItems: 1000 - type: array - spaceIds: - items: - type: string - maxItems: 100 - type: array - supports_agentless: - default: false - description: >- - Indicates whether the package policy belongs to an agentless agent - policy. - nullable: true - type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. - nullable: true - type: boolean - var_group_selections: - additionalProperties: - type: string - description: >- - Variable group selections. Maps var_group name to the selected - option name within that group. 
- type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation for more - information) - type: object - version: + percentile: + default: 95 + description: Percentile + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting type: string required: - - package - title: update_package_policy_request + - field + - operation + title: Percentile Operation type: object - Kibana_HTTP_APIs_update_package_request: + Kibana_HTTP_APIs_xyYPercentileRanks: additionalProperties: false properties: - keepPoliciesUpToDate: - type: boolean - namespace_customization_enabled_for: - description: >- - Namespaces for which namespace-level customization is enabled on - this package. - items: - type: string - maxItems: 100 - type: array - title: update_package_request + axis: + description: The Y axis this metric is plotted on. Values match the root axis configuration keys (axis.y, axis.y2). If omitted, defaults to the Y axis start (leading) side. 
+ enum: + - 'y' + - y2 + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - percentile_rank + type: string + rank: + default: 0 + description: Percentile Rank + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Percentile Ranks Operation type: object - Kibana_HTTP_APIs_update_package_response: + Kibana_HTTP_APIs_xyYStatsMetric: additionalProperties: false properties: - item: - $ref: '#/components/schemas/Kibana_HTTP_APIs_get_package_info' + axis: + description: The Y axis this metric is plotted on. Values match the root axis configuration keys (axis.y, axis.y2). If omitted, defaults to the Y axis start (leading) side. 
+ enum: + - 'y' + - y2 + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - min + - max + - average + - median + - standard_deviation + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string required: - - item - title: update_package_response + - field + - operation + title: Stats Metric Operation type: object - Kibana_HTTP_APIs_upgrade_package_policies_request: + Kibana_HTTP_APIs_xyYSumMetric: additionalProperties: false properties: - packagePolicyIds: - items: - type: string - maxItems: 1000 - type: array + axis: + description: The Y axis this metric is plotted on. Values match the root axis configuration keys (axis.y, axis.y2). If omitted, defaults to the Y axis start (leading) side. + enum: + - 'y' + - y2 + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string required: - - packagePolicyIds - title: upgrade_package_policies_request + - field + - operation + title: Sum Metric Operation + type: object + Kibana_HTTP_APIs_xyYUniqueCountMetric: + additionalProperties: false + properties: + axis: + description: The Y axis this metric is plotted on. Values match the root axis configuration keys (axis.y, axis.y2). If omitted, defaults to the Y axis start (leading) side. + enum: + - 'y' + - y2 + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - unique_count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Unique Count Metric Operation type: object Machine_learning_APIs_mlSync200Response: properties: datafeedsAdded: additionalProperties: $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDatafeeds' - description: >- - If a saved object for an anomaly detection job is missing a datafeed - identifier, it is added when you run the sync machine learning saved - objects API. + description: If a saved object for an anomaly detection job is missing a datafeed identifier, it is added when you run the sync machine learning saved objects API. type: object datafeedsRemoved: additionalProperties: $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDatafeeds' - description: >- - If a saved object for an anomaly detection job references a datafeed - that no longer exists, it is deleted when you run the sync machine - learning saved objects API. + description: If a saved object for an anomaly detection job references a datafeed that no longer exists, it is deleted when you run the sync machine learning saved objects API. 
type: object savedObjectsCreated: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseSavedObjectsCreated + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSavedObjectsCreated' savedObjectsDeleted: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseSavedObjectsDeleted + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSavedObjectsDeleted' title: Successful sync API response type: object Machine_learning_APIs_mlSync4xxResponse: 
@@ -52319,97 +105417,63 @@ components: title: Unsuccessful sync API response type: object Machine_learning_APIs_mlSyncResponseAnomalyDetectors: - description: >- - The sync machine learning saved objects API response contains this - object when there are anomaly detection jobs affected by the - synchronization. There is an object for each relevant job, which - contains the synchronization status. + description: The sync machine learning saved objects API response contains this object when there are anomaly detection jobs affected by the synchronization. There is an object for each relevant job, which contains the synchronization status. properties: success: $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' title: Sync API response for anomaly detection jobs type: object Machine_learning_APIs_mlSyncResponseDatafeeds: - description: >- - The sync machine learning saved objects API response contains this - object when there are datafeeds affected by the synchronization. There - is an object for each relevant datafeed, which contains the - synchronization status. + description: The sync machine learning saved objects API response contains this object when there are datafeeds affected by the synchronization. There is an object for each relevant datafeed, which contains the synchronization status. properties: success: $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' title: Sync API response for datafeeds type: object Machine_learning_APIs_mlSyncResponseDataFrameAnalytics: - description: >- - The sync machine learning saved objects API response contains this - object when there are data frame analytics jobs affected by the - synchronization. There is an object for each relevant job, which - contains the synchronization status. + description: The sync machine learning saved objects API response contains this object when there are data frame analytics jobs affected by the synchronization. 
There is an object for each relevant job, which contains the synchronization status. properties: success: $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' title: Sync API response for data frame analytics jobs type: object Machine_learning_APIs_mlSyncResponseSavedObjectsCreated: - description: >- - If saved objects are missing for machine learning jobs or trained - models, they are created when you run the sync machine learning saved - objects API. + description: If saved objects are missing for machine learning jobs or trained models, they are created when you run the sync machine learning saved objects API. properties: anomaly-detector: additionalProperties: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseAnomalyDetectors - description: >- - If saved objects are missing for anomaly detection jobs, they are - created. + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseAnomalyDetectors' + description: If saved objects are missing for anomaly detection jobs, they are created. type: object data-frame-analytics: additionalProperties: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseDataFrameAnalytics - description: >- - If saved objects are missing for data frame analytics jobs, they are - created. + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDataFrameAnalytics' + description: If saved objects are missing for data frame analytics jobs, they are created. type: object trained-model: additionalProperties: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseTrainedModels + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseTrainedModels' description: If saved objects are missing for trained models, they are created. 
type: object title: Sync API response for created saved objects type: object Machine_learning_APIs_mlSyncResponseSavedObjectsDeleted: - description: >- - If saved objects exist for machine learning jobs or trained models that - no longer exist, they are deleted when you run the sync machine learning - saved objects API. + description: If saved objects exist for machine learning jobs or trained models that no longer exist, they are deleted when you run the sync machine learning saved objects API. properties: anomaly-detector: additionalProperties: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseAnomalyDetectors - description: >- - If there are saved objects exist for nonexistent anomaly detection - jobs, they are deleted. + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseAnomalyDetectors' + description: If there are saved objects exist for nonexistent anomaly detection jobs, they are deleted. type: object data-frame-analytics: additionalProperties: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseDataFrameAnalytics - description: >- - If there are saved objects exist for nonexistent data frame - analytics jobs, they are deleted. + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDataFrameAnalytics' + description: If there are saved objects exist for nonexistent data frame analytics jobs, they are deleted. type: object trained-model: additionalProperties: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseTrainedModels - description: >- - If there are saved objects exist for nonexistent trained models, - they are deleted. + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseTrainedModels' + description: If there are saved objects exist for nonexistent trained models, they are deleted. type: object title: Sync API response for deleted saved objects type: object 
@@ -52417,11 +105481,7 @@ components: description: The success or failure of the synchronization. type: boolean Machine_learning_APIs_mlSyncResponseTrainedModels: - description: >- - The sync machine learning saved objects API response contains this - object when there are trained models affected by the synchronization. - There is an object for each relevant trained model, which contains the - synchronization status. + description: The sync machine learning saved objects API response contains this object when there are trained models affected by the synchronization. There is an object for each relevant trained model, which contains the synchronization status. properties: success: $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' @@ -52501,8 +105561,7 @@ components: description: The name associated with the message. type: string role: - $ref: >- - #/components/schemas/Observability_AI_Assistant_API_MessageRoleEnum + $ref: '#/components/schemas/Observability_AI_Assistant_API_MessageRoleEnum' required: - role required: @@ -52608,8 +105667,7 @@ components: example: user.name type: string skip_reason: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipReason + $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipReason' description: Reason why the anonymization field was not modified. required: - id 
@@ -52627,15 +105685,12 @@ components: errors: description: List of errors that occurred during the bulk operation. items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_NormalizedAnonymizationFieldError + $ref: '#/components/schemas/Security_AI_Assistant_API_NormalizedAnonymizationFieldError' type: array results: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResults + $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResults' summary: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_BulkCrudActionSummary + $ref: '#/components/schemas/Security_AI_Assistant_API_BulkCrudActionSummary' required: - results - summary @@ -52659,8 +105714,7 @@ components: created: description: List of anonymization fields successfully created. items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse + $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse' type: array deleted: items: @@ -52671,14 +105725,12 @@ components: skipped: description: List of anonymization fields that were skipped during the operation. items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipResult + $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipResult' type: array updated: description: List of anonymization fields successfully updated. items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse + $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse' type: array required: - updated 
@@ -52874,9 +105926,7 @@ components: $ref: '#/components/schemas/Security_AI_Assistant_API_MessageData' description: Metadata to attach to the context of the message. fields_to_anonymize: - description: >- - List of field names within the data object that should be - anonymized. + description: List of field names within the data object that should be anonymized. example: - user.name - source.ip @@ -52899,18 +105949,12 @@ components: Security_AI_Assistant_API_ContentReferences: additionalProperties: oneOf: - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryContentReference - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_SecurityAlertContentReference - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_SecurityAlertsPageContentReference - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_ProductDocumentationContentReference - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_EsqlContentReference - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_HrefContentReference + - $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryContentReference' + - $ref: '#/components/schemas/Security_AI_Assistant_API_SecurityAlertContentReference' + - $ref: '#/components/schemas/Security_AI_Assistant_API_SecurityAlertsPageContentReference' + - $ref: '#/components/schemas/Security_AI_Assistant_API_ProductDocumentationContentReference' + - $ref: '#/components/schemas/Security_AI_Assistant_API_EsqlContentReference' + - $ref: '#/components/schemas/Security_AI_Assistant_API_HrefContentReference' additionalProperties: false description: A union of all content reference types type: object 
@@ -53062,9 +106106,7 @@ components: example: default type: string users: - description: >- - Users who have access to the Knowledge Base Entry, defaults to - current user. Empty array provides access to all users. + description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users. items: $ref: '#/components/schemas/Security_AI_Assistant_API_User' type: array @@ -53074,8 +106116,7 @@ components: - global - users - $ref: '#/components/schemas/Security_AI_Assistant_API_ResponseFields' - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_DocumentEntryResponseFields + - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryResponseFields' Security_AI_Assistant_API_DocumentEntryCreateFields: allOf: - type: object @@ -53093,18 +106134,14 @@ components: example: default type: string users: - description: >- - Users who have access to the Knowledge Base Entry, defaults to - current user. Empty array provides access to all users. + description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users. items: $ref: '#/components/schemas/Security_AI_Assistant_API_User' type: array required: - name - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_DocumentEntryRequiredFields - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_DocumentEntryOptionalFields + - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryRequiredFields' + - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryOptionalFields' Security_AI_Assistant_API_DocumentEntryOptionalFields: type: object properties: 
@@ -53140,10 +106177,8 @@ components: - text Security_AI_Assistant_API_DocumentEntryResponseFields: allOf: - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_DocumentEntryRequiredFields - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_DocumentEntryOptionalFields + - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryRequiredFields' + - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryOptionalFields' Security_AI_Assistant_API_DocumentEntryUpdateFields: allOf: - type: object @@ -53163,16 +106198,13 @@ components: example: default type: string users: - description: >- - Users who have access to the Knowledge Base Entry, defaults to - current user. Empty array provides access to all users. + description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users. items: $ref: '#/components/schemas/Security_AI_Assistant_API_User' type: array required: - id - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields + - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields' Security_AI_Assistant_API_EsqlContentReference: allOf: - $ref: '#/components/schemas/Security_AI_Assistant_API_BaseContentReference' @@ -53218,9 +106250,7 @@ components: - updated_at type: string Security_AI_Assistant_API_FindConversationsSortField: - description: >- - The field by which to sort the conversations. Possible values are - `created_at`, `title`, and `updated_at`. + description: The field by which to sort the conversations. Possible values are `created_at`, `title`, and `updated_at`. enum: - created_at - title 
@@ -53281,9 +106311,7 @@ components: example: default type: string users: - description: >- - Users who have access to the Knowledge Base Entry, defaults to - current user. Empty array provides access to all users. + description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users. items: $ref: '#/components/schemas/Security_AI_Assistant_API_User' type: array @@ -53293,8 +106321,7 @@ components: - global - users - $ref: '#/components/schemas/Security_AI_Assistant_API_ResponseFields' - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_IndexEntryResponseFields + - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryResponseFields' Security_AI_Assistant_API_IndexEntryCreateFields: allOf: - type: object @@ -53312,27 +106339,21 @@ components: example: default type: string users: - description: >- - Users who have access to the Knowledge Base Entry, defaults to - current user. Empty array provides access to all users. + description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users. items: $ref: '#/components/schemas/Security_AI_Assistant_API_User' type: array required: - name - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_IndexEntryRequiredFields - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_IndexEntryOptionalFields + - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryRequiredFields' + - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryOptionalFields' Security_AI_Assistant_API_IndexEntryOptionalFields: type: object properties: inputSchema: $ref: '#/components/schemas/Security_AI_Assistant_API_InputSchema' outputFields: - description: >- - Fields to extract from the query result, defaults to all fields if - not provided or empty. + description: Fields to extract from the query result, defaults to all fields if not provided or empty. example: - title - author 
@@ -53343,9 +106364,7 @@ components: type: object properties: description: - description: >- - Description for when this index or data stream should be queried for - Knowledge Base content. Passed to the LLM as a tool description. + description: Description for when this index or data stream should be queried for Knowledge Base content. Passed to the LLM as a tool description. example: Query this index for general knowledge base content. type: string field: @@ -53357,9 +106376,7 @@ components: example: knowledge_base_index type: string queryDescription: - description: >- - Description of query field used to fetch Knowledge Base content. - Passed to the LLM as part of the tool input schema. + description: Description of query field used to fetch Knowledge Base content. Passed to the LLM as part of the tool input schema. example: Search for documents containing the specified keywords. type: string type: @@ -53376,10 +106393,8 @@ components: - queryDescription Security_AI_Assistant_API_IndexEntryResponseFields: allOf: - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_IndexEntryRequiredFields - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_IndexEntryOptionalFields + - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryRequiredFields' + - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryOptionalFields' Security_AI_Assistant_API_IndexEntryUpdateFields: allOf: - type: object 
@@ -53399,20 +106414,15 @@ components: example: default type: string users: - description: >- - Users who have access to the Knowledge Base Entry, defaults to - current user. Empty array provides access to all users. + description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users. items: $ref: '#/components/schemas/Security_AI_Assistant_API_User' type: array required: - id - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields + - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields' Security_AI_Assistant_API_InputSchema: - description: >- - Array of objects defining the input schema, allowing the LLM to extract - structured data to be used in retrieval. + description: Array of objects defining the input schema, allowing the LLM to extract structured data to be used in retrieval. items: type: object properties: @@ -53435,8 +106445,7 @@ components: type: array Security_AI_Assistant_API_InputTextInterruptResumeValue: allOf: - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_BaseInterruptResumeValue + - $ref: '#/components/schemas/Security_AI_Assistant_API_BaseInterruptResumeValue' - type: object properties: type: @@ -53476,11 +106485,9 @@ components: Security_AI_Assistant_API_InterruptResumeValue: description: Union of the interrupt resume values oneOf: - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_SelectOptionInterruptResumeValue + - $ref: '#/components/schemas/Security_AI_Assistant_API_SelectOptionInterruptResumeValue' additionalProperties: false - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_InputTextInterruptResumeValue + - $ref: '#/components/schemas/Security_AI_Assistant_API_InputTextInterruptResumeValue' additionalProperties: false Security_AI_Assistant_API_InterruptType: description: The type of interrupt 
@@ -53491,11 +106498,9 @@ components: Security_AI_Assistant_API_InterruptValue: description: Union of the interrupt values oneOf: - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_SelectOptionInterruptValue + - $ref: '#/components/schemas/Security_AI_Assistant_API_SelectOptionInterruptValue' additionalProperties: false - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_InputTextInterruptValue + - $ref: '#/components/schemas/Security_AI_Assistant_API_InputTextInterruptValue' additionalProperties: false Security_AI_Assistant_API_KnowledgeBaseEntryBulkActionSkipReason: description: Reason why a Knowledge Base Entry was skipped during the bulk action. @@ -53514,8 +106519,7 @@ components: example: Skipped Entry type: string skip_reason: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkActionSkipReason + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkActionSkipReason' required: - id - skip_reason @@ -53535,15 +106539,12 @@ components: message: Failed to update entry. statusCode: 400 items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_NormalizedKnowledgeBaseEntryError + $ref: '#/components/schemas/Security_AI_Assistant_API_NormalizedKnowledgeBaseEntryError' type: array results: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionResults + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionResults' summary: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionSummary + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionSummary' required: - results - summary 
@@ -53578,29 +106579,23 @@ components: text: This is the content of the new entry. type: document items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse' type: array deleted: - description: >- - List of IDs of Knowledge Base Entries that were successfully - deleted. + description: List of IDs of Knowledge Base Entries that were successfully deleted. example: - '789' items: type: string type: array skipped: - description: >- - List of Knowledge Base Entries that were skipped during the bulk - action. + description: List of Knowledge Base Entries that were skipped during the bulk action. example: - id: '123' name: Skipped Entry skip_reason: KNOWLEDGE_BASE_ENTRY_NOT_MODIFIED items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkActionSkipResult + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkActionSkipResult' type: array updated: description: List of Knowledge Base Entries that were successfully updated. @@ -53612,8 +106607,7 @@ components: text: Updated content. type: document items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse' type: array required: - updated @@ -53628,15 +106622,11 @@ components: example: 2 type: integer skipped: - description: >- - Number of Knowledge Base Entries that were skipped during the bulk - action. + description: Number of Knowledge Base Entries that were skipped during the bulk action. example: 1 type: integer succeeded: - description: >- - Number of Knowledge Base Entries that were successfully processed - during the bulk action. + description: Number of Knowledge Base Entries that were successfully processed during the bulk action. example: 5 type: integer total: 
@@ -53673,16 +106663,12 @@ components: description: References a knowledge base entry Security_AI_Assistant_API_KnowledgeBaseEntryCreateProps: anyOf: - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields + - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields' + - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields' discriminator: mapping: - document: >- - #/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields - index: >- - #/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields + document: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields' + index: '#/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields' propertyName: type Security_AI_Assistant_API_KnowledgeBaseEntryDetailsInError: type: object 
@@ -53728,37 +106714,27 @@ components: propertyName: type Security_AI_Assistant_API_KnowledgeBaseEntryUpdateProps: anyOf: - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_DocumentEntryUpdateFields - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_IndexEntryUpdateFields + - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryUpdateFields' + - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryUpdateFields' discriminator: mapping: - document: >- - #/components/schemas/Security_AI_Assistant_API_DocumentEntryUpdateFields - index: >- - #/components/schemas/Security_AI_Assistant_API_IndexEntryUpdateFields + document: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryUpdateFields' + index: '#/components/schemas/Security_AI_Assistant_API_IndexEntryUpdateFields' propertyName: type Security_AI_Assistant_API_KnowledgeBaseEntryUpdateRouteProps: anyOf: - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields + - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields' + - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields' discriminator: mapping: - document: >- - #/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields - index: >- - #/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields + document: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields' + index: '#/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields' propertyName: type Security_AI_Assistant_API_KnowledgeBaseReadResponse200: type: object properties: defend_insights_exists: - description: >- - Indicates if Defend Insights documentation exists in the - KnowledgeBase. + description: Indicates if Defend Insights documentation exists in the KnowledgeBase. example: true type: boolean elser_exists: 
@@ -53778,9 +106754,7 @@ components: example: complete type: string security_labs_exists: - description: >- - Indicates if Security Labs documentation exists in the - KnowledgeBase. + description: Indicates if Security Labs documentation exists in the KnowledgeBase. example: true type: boolean user_data_exists: @@ -53788,9 +106762,7 @@ components: example: false type: boolean Security_AI_Assistant_API_KnowledgeBaseResource: - description: >- - Knowledge Base resource name for grouping entries, e.g. 'security_labs', - 'user', etc. + description: Knowledge Base resource name for grouping entries, e.g. 'security_labs', 'user', etc. enum: - security_labs - defend_insights @@ -53878,16 +106850,10 @@ components: description: Data referred to by the message content. interruptResumeValue: $ref: '#/components/schemas/Security_AI_Assistant_API_InterruptResumeValue' - description: >- - When the agent is resumed after an interrupt, this field is - populated with the details of the resume value. + description: When the agent is resumed after an interrupt, this field is populated with the details of the resume value. interruptValue: $ref: '#/components/schemas/Security_AI_Assistant_API_InterruptValue' - description: >- - When the agent is interrupted (for example, when user input is - required), this field is populated with the details of the - interrupt. Messages containing interruptValues in the metadata are - excluded from the LLM context. + description: When the agent is interrupted (for example, when user input is required), this field is populated with the details of the interrupt. Messages containing interruptValues in the metadata are excluded from the LLM context. Security_AI_Assistant_API_MessageRole: description: Message role. enum: 
@@ -53903,9 +106869,7 @@ components: minLength: 1 type: string Security_AI_Assistant_API_NonEmptyTimestamp: - description: >- - A string that represents a timestamp in ISO 8601 format and does not - contain only whitespace characters. + description: A string that represents a timestamp in ISO 8601 format and does not contain only whitespace characters. example: '2023-10-31T12:00:00Z' format: nonempty minLength: 1 @@ -53916,8 +106880,7 @@ components: anonymization_fields: description: Array of anonymization fields that caused the error. items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldDetailsInError + $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldDetailsInError' type: array err_code: description: Error code indicating the type of failure. @@ -53945,8 +106908,7 @@ components: knowledgeBaseEntries: description: List of Knowledge Base Entries that encountered the error. items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryDetailsInError + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryDetailsInError' type: array message: description: Error message describing the issue. @@ -53972,8 +106934,7 @@ components: prompts: description: List of prompts that encountered errors. items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_PromptDetailsInError + $ref: '#/components/schemas/Security_AI_Assistant_API_PromptDetailsInError' type: array status_code: description: The HTTP status code associated with the error. @@ -54132,8 +107093,7 @@ components: description: The name of the prompt that was skipped. type: string skip_reason: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_PromptsBulkActionSkipReason + $ref: '#/components/schemas/Security_AI_Assistant_API_PromptsBulkActionSkipReason' description: The reason for skipping the prompt. required: - id 
@@ -54146,15 +107106,12 @@ components: properties: errors: items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_NormalizedPromptError + $ref: '#/components/schemas/Security_AI_Assistant_API_NormalizedPromptError' type: array results: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_PromptsBulkCrudActionResults + $ref: '#/components/schemas/Security_AI_Assistant_API_PromptsBulkCrudActionResults' summary: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_BulkCrudActionSummary + $ref: '#/components/schemas/Security_AI_Assistant_API_BulkCrudActionSummary' required: - results - summary @@ -54192,8 +107149,7 @@ components: skipped: description: List of prompts that were skipped. items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_PromptsBulkActionSkipResult + $ref: '#/components/schemas/Security_AI_Assistant_API_PromptsBulkActionSkipResult' type: array updated: description: List of prompts that were updated. @@ -54350,8 +107306,7 @@ components: - value Security_AI_Assistant_API_SelectOptionInterruptResumeValue: allOf: - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_BaseInterruptResumeValue + - $ref: '#/components/schemas/Security_AI_Assistant_API_BaseInterruptResumeValue' - type: object properties: type: @@ -54360,9 +107315,7 @@ components: example: SELECT_OPTION type: string value: - description: >- - The value of the selected option to resume the graph execution - with + description: The value of the selected option to resume the graph execution with example: option_1 type: string required: @@ -54384,8 +107337,7 @@ components: - label: Option 1 - label: Option 2 items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_SelectOptionInterruptOption + $ref: '#/components/schemas/Security_AI_Assistant_API_SelectOptionInterruptOption' type: array type: enum: 
@@ -54429,9 +107381,7 @@ components: example: John Doe type: string Security_AI_Assistant_API_Vector: - description: >- - Object containing Knowledge Base Entry text embeddings and modelId used - to create the embeddings. + description: Object containing Knowledge Base Entry text embeddings and modelId used to create the embeddings. type: object properties: modelId: @@ -54529,9 +107479,7 @@ components: type: string type: array alert_rule_uuid: - description: >- - The optional kibana.alert.rule.uuid of the rule that generated this - attack discovery (not applicable to ad hock runs) + description: The optional kibana.alert.rule.uuid of the rule that generated this attack discovery (not applicable to ad hock runs) type: string alert_start: description: The optional time the attack discovery alert was created @@ -54540,22 +107488,16 @@ components: description: The optional time the attack discovery alert was last updated type: string alert_updated_by_user_id: - description: >- - The optional id of the user who last updated the attack discovery - alert + description: The optional id of the user who last updated the attack discovery alert type: string alert_updated_by_user_name: - description: >- - The optional username of the user who updated the attack discovery - alert + description: The optional username of the user who updated the attack discovery alert type: string alert_workflow_status: description: The optional kibana.alert.workflow_status of this attack discovery type: string alert_workflow_status_updated_at: - description: >- - The optional time the attack discovery alert workflow status was - last updated + description: The optional time the attack discovery alert workflow status was last updated type: string assignees: description: The optional array of user-IDs who have been assigned the attack 
@@ -54566,20 +107508,13 @@ components: description: The ID of the connector that generated the attack discovery type: string connector_name: - description: >- - The (human readable) name of the connector that generated the attack - discovery + description: The (human readable) name of the connector that generated the attack discovery type: string details_markdown: - description: >- - Details of the attack with bulleted markdown that always uses - special syntax for field names and values from the source data. + description: Details of the attack with bulleted markdown that always uses special syntax for field names and values from the source data. type: string entity_summary_markdown: - description: >- - An optional, short (no more than a sentence) summary of the attack - discovery featuring only the host.name and user.name fields (when - they are applicable), using the same syntax + description: An optional, short (no more than a sentence) summary of the attack discovery featuring only the host.name and user.name fields (when they are applicable), using the same syntax type: string generation_uuid: description: The generation ID of the run that created the attack discovery @@ -54588,9 +107523,7 @@ components: description: The unique ID of the attack discovery type: string index: - description: >- - The concrete Elasticsearch index where this attack discovery is - stored + description: The concrete Elasticsearch index where this attack discovery is stored type: string mitre_attack_tactics: description: An optional array of MITRE ATT&CK tactic for the attack discovery 
@@ -54599,13 +107532,9 @@ components: type: array replacements: $ref: '#/components/schemas/Security_Attack_discovery_API_Replacements' - description: >- - Key-value pairs that are used to replace placeholders in the - markdown fields + description: Key-value pairs that are used to replace placeholders in the markdown fields risk_score: - description: >- - The optional, (but typically populated after generation) risk score - of the alert + description: The optional, (but typically populated after generation) risk score of the alert type: integer summary_markdown: description: A markdown summary of attack discovery, using the same syntax @@ -54625,14 +107554,10 @@ components: description: The optional id of the user who generated the attack discovery type: string user_name: - description: >- - The optional username of the user who generated the attack - discovery, (not applicable to attack discoveries generated by rules) + description: The optional username of the user who generated the attack discovery, (not applicable to attack discoveries generated by rules) type: string users: - description: >- - The optional array of users who may view the attack discovery. When - empty, (or not present), all users may view the attack discovery. + description: The optional array of users who may view the attack discovery. When empty, (or not present), all users may view the attack discovery. items: $ref: '#/components/schemas/Security_Attack_discovery_API_User' type: array @@ -54653,8 +107578,7 @@ components: actions: description: The Attack Discovery schedule actions items: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction' type: array created_at: description: The date the schedule was created 
@@ -54670,19 +107594,16 @@ components: description: UUID of Attack Discovery schedule type: string last_execution: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleExecution + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleExecution' description: The Attack Discovery schedule last execution summary name: description: The name of the schedule type: string params: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleParams + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleParams' description: The Attack Discovery schedule configuration parameters schedule: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_IntervalApiSchedule + $ref: '#/components/schemas/Security_Attack_discovery_API_IntervalApiSchedule' description: The Attack Discovery schedule interval updated_at: description: The date the schedule was updated 
@@ -54704,30 +107625,22 @@ components: - actions Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction: oneOf: - - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleGeneralAction - - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleSystemAction + - $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleGeneralAction' + - $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleSystemAction' Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionAlertsFilter: additionalProperties: true type: object Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionFrequency: - description: >- - The action frequency defines when the action runs (for example, only on - schedule execution or at specific time intervals). + description: The action frequency defines when the action runs (for example, only on schedule execution or at specific time intervals). type: object properties: notify_when: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionNotifyWhen + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionNotifyWhen' summary: - description: >- - Action summary indicates whether we will send a summary notification - about all the generate alerts or notification per individual alert + description: Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert type: boolean throttle: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionThrottle + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionThrottle' nullable: true required: - summary 
@@ -54740,9 +107653,7 @@ components: description: The connector ID. type: string Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionNotifyWhen: - description: >- - The condition for throttling the notification: `onActionGroupChange`, - `onActiveAlert`, or `onThrottleInterval` + description: 'The condition for throttling the notification: `onActionGroupChange`, `onActiveAlert`, or `onThrottleInterval`' enum: - onActiveAlert - onThrottleInterval @@ -54750,14 +107661,10 @@ components: type: string Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionParams: additionalProperties: true - description: >- - Object containing the allowed connector fields, which varies according - to the connector type. + description: Object containing the allowed connector fields, which varies according to the connector type. type: object Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionThrottle: - description: >- - Defines how often schedule actions are taken. Time interval in seconds, - minutes, hours, or days. + description: Defines how often schedule actions are taken. Time interval in seconds, minutes, hours, or days. example: 1h pattern: ^[1-9]\d*[smhd]$ type: string @@ -54768,8 +107675,7 @@ components: actions: description: The Attack Discovery schedule actions items: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction' type: array enabled: description: Indicates whether the schedule is enabled 
@@ -54778,12 +107684,10 @@ components: description: The name of the schedule type: string params: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleParams + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleParams' description: The Attack Discovery schedule configuration parameters schedule: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_IntervalApiSchedule + $ref: '#/components/schemas/Security_Attack_discovery_API_IntervalApiSchedule' description: The Attack Discovery schedule interval required: - name @@ -54803,8 +107707,7 @@ components: message: type: string status: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleExecutionStatus + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleExecutionStatus' description: Status of the execution required: - date 
@@ -54826,20 +107729,15 @@ components: description: The action type used for sending notifications. type: string alerts_filter: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionAlertsFilter + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionAlertsFilter' frequency: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionFrequency + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionFrequency' group: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionGroup + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionGroup' id: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionId + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionId' params: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionParams + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionParams' uuid: $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' required: @@ -54889,11 +107787,9 @@ components: description: The action type used for sending notifications. type: string id: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionId + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionId' params: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionParams + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionParams' uuid: $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' required: 
@@ -54907,19 +107803,16 @@ components: actions: description: The Attack Discovery schedule actions items: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction' type: array name: description: The name of the schedule type: string params: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleParams + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleParams' description: The Attack Discovery schedule configuration parameters schedule: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_IntervalApiSchedule + $ref: '#/components/schemas/Security_Attack_discovery_API_IntervalApiSchedule' description: The Attack Discovery schedule interval required: - name @@ -54927,9 +107820,7 @@ components: - schedule - actions Security_Attack_discovery_API_AttackDiscoveryFindSortField: - description: >- - Allowed field names to sort Attack Discovery results by. Clients should - only pass one of the listed values. + description: Allowed field names to sort Attack Discovery results by. Clients should only pass one of the listed values. enum: - '@timestamp' type: string @@ -54937,10 +107828,7 @@ components: type: object properties: alerts_context_count: - description: >- - The number of alerts sent as context (max - kibana.alert.rule.execution.metrics.alert_counts.active) to the LLM - for the generation + description: The number of alerts sent as context (max kibana.alert.rule.execution.metrics.alert_counts.active) to the LLM for the generation type: number connector_id: description: The connector id (event.dataset) for this generation 
@@ -54950,29 +107838,19 @@ components: type: object properties: average_successful_duration_nanoseconds: - description: >- - The average duration (avg event.duration) in nanoseconds of - successful generations for the same connector id, for the - current user + description: The average duration (avg event.duration) in nanoseconds of successful generations for the same connector id, for the current user type: number successful_generations: - description: >- - The number of successful generations for the same connector id, - for the current user + description: The number of successful generations for the same connector id, for the current user type: number discoveries: - description: >- - The number of new Attack discovery alerts (max - kibana.alert.rule.execution.metrics.alert_counts.new) for this - generation + description: The number of new Attack discovery alerts (max kibana.alert.rule.execution.metrics.alert_counts.new) for this generation type: number end: description: When generation ended (max event.end) type: string execution_uuid: - description: >- - The unique identifier (kibana.alert.rule.execution.uuid) for the - generation + description: The unique identifier (kibana.alert.rule.execution.uuid) for the generation type: string loading_message: description: Generation loading message (kibana.alert.rule.execution.status) 
@@ -55003,23 +107881,15 @@ components: type: object properties: alertsIndexPattern: - description: > - The (space specific) index pattern that contains the alerts to use - as - + description: | + The (space specific) index pattern that contains the alerts to use as context for the attack discovery. - Example: .alerts-security.alerts-default type: string anonymizationFields: - description: >- - The list of fields, and whether or not they are anonymized, allowed - to be sent to LLMs. Consider using the output of the - `/api/security_ai_assistant/anonymization_fields/_find` API (for a - specific Kibana space) to provide this value. + description: The list of fields, and whether or not they are anonymized, allowed to be sent to LLMs. Consider using the output of the `/api/security_ai_assistant/anonymization_fields/_find` API (for a specific Kibana space) to provide this value. items: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AnonymizationFieldResponse + $ref: '#/components/schemas/Security_Attack_discovery_API_AnonymizationFieldResponse' type: array apiConfig: $ref: '#/components/schemas/Security_Attack_discovery_API_ApiConfig' @@ -55030,10 +107900,8 @@ components: type: string filter: additionalProperties: true - description: >- - An Elasticsearch-style query DSL object used to filter alerts. For - example: - + description: |- + An Elasticsearch-style query DSL object used to filter alerts. For example: ```json { "filter": { "bool": { 
@@ -55078,10 +107946,7 @@ components: - size - subAction Security_Attack_discovery_API_AttackDiscoveryGenericError: - description: >- - Error response for Attack discovery schedule operations when the request - is rejected. Uses `status_code` (snake_case), `error`, and `message` to - match the implementation. + description: Error response for Attack discovery schedule operations when the request is rejected. Uses `status_code` (snake_case), `error`, and `message` to match the implementation. type: object properties: error: @@ -55106,8 +107971,7 @@ components: type: object properties: id: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_NonEmptyString + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' description: The unique identifier of the failed schedule. name: description: The name of the failed schedule. @@ -55137,13 +108001,10 @@ components: properties: errors: items: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_BulkActionAttackDiscoverySchedulesError + $ref: '#/components/schemas/Security_Attack_discovery_API_BulkActionAttackDiscoverySchedulesError' type: array ids: - description: >- - The unique identifiers of the schedules successfully affected by the - bulk action. + description: The unique identifiers of the schedules successfully affected by the bulk action. items: $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' type: array @@ -55155,9 +108016,7 @@ components: - errors - total Security_Attack_discovery_API_Filters: - description: >- - The filter array used to define the conditions for when alerts are - selected as an Attack Discovery context. Defaults to an empty array. + description: The filter array used to define the conditions for when alerts are selected as an Attack Discovery context. Defaults to an empty array. items: {} type: array Security_Attack_discovery_API_IntervalApiSchedule: 
@@ -55175,9 +108034,7 @@ components: minLength: 1 type: string Security_Attack_discovery_API_NonEmptyTimestamp: - description: >- - A string that represents a timestamp in ISO 8601 format and does not - contain only whitespace characters. + description: A string that represents a timestamp in ISO 8601 format and does not contain only whitespace characters. example: '2023-10-31T12:00:00Z' format: nonempty minLength: 1 @@ -55233,18 +108090,14 @@ components: properties: add: items: - description: >- - A list of user profile `uid`s to assign. Users need to activate - their user profile by logging into Kibana at least once. + description: A list of user profile `uid`s to assign. Users need to activate their user profile by logging into Kibana at least once. format: nonempty minLength: 1 type: string type: array remove: items: - description: >- - A list of user profile `uid`s to unassign. Users need to activate - their user profile by logging into Kibana at least once. + description: A list of user profile `uid`s to unassign. Users need to activate their user profile by logging into Kibana at least once. format: nonempty minLength: 1 type: string @@ -55271,8 +108124,7 @@ components: oneOf: - $ref: '#/components/schemas/Security_Detections_API_AlertsSortCombinations' - items: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsSortCombinations + $ref: '#/components/schemas/Security_Detections_API_AlertsSortCombinations' type: array Security_Detections_API_AlertsSortCombinations: anyOf: @@ -55280,9 +108132,7 @@ components: - additionalProperties: true type: object Security_Detections_API_AlertStatusExceptClosed: - description: >- - The status of an alert, which can be `open`, `acknowledged`, - `in-progress`, or `closed`. + description: The status of an alert, which can be `open`, `acknowledged`, `in-progress`, or `closed`. enum: - open - acknowledged 
@@ -55293,21 +108143,18 @@ components: type: object properties: duration: - $ref: >- - #/components/schemas/Security_Detections_API_AlertSuppressionDuration + $ref: '#/components/schemas/Security_Detections_API_AlertSuppressionDuration' group_by: $ref: '#/components/schemas/Security_Detections_API_AlertSuppressionGroupBy' missing_fields_strategy: - $ref: >- - #/components/schemas/Security_Detections_API_AlertSuppressionMissingFieldsStrategy + $ref: '#/components/schemas/Security_Detections_API_AlertSuppressionMissingFieldsStrategy' required: - group_by Security_Detections_API_AlertSuppressionDuration: type: object properties: unit: - $ref: >- - #/components/schemas/Security_Detections_API_AlertSuppressionDurationUnit + $ref: '#/components/schemas/Security_Detections_API_AlertSuppressionDurationUnit' value: minimum: 1 type: integer 
@@ -55328,72 +108175,48 @@ components: minItems: 1 type: array Security_Detections_API_AlertSuppressionMissingFieldsStrategy: - description: >- - Describes how alerts will be generated for documents with missing - suppress by fields: - + description: |- + Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created - suppress - only alert will be created per suppress by bucket enum: - doNotSuppress - suppress type: string Security_Detections_API_AlertTag: - description: >- - Use alert tags to organize related alerts into categories that you can - filter and group. + description: Use alert tags to organize related alerts into categories that you can filter and group. format: nonempty minLength: 1 type: string Security_Detections_API_AlertTags: - description: >- - List of keywords to organize related alerts into categories that you can - filter and group. + description: List of keywords to organize related alerts into categories that you can filter and group. items: $ref: '#/components/schemas/Security_Detections_API_AlertTag' type: array Security_Detections_API_AnomalyThreshold: - description: >- - Anomaly score threshold above which the rule creates an alert. Valid - values are from 0 to 100. + description: Anomaly score threshold above which the rule creates an alert. Valid values are from 0 to 100. minimum: 0 type: integer Security_Detections_API_BuildingBlockType: - description: > - Determines if the rule acts as a building block. If yes, the value must - be `default`. - - By default, building-block alerts are not displayed in the UI. These - rules are used as a foundation for other rules that do generate alerts. - - For more information, refer to [About building block - rules](https://www.elastic.co/docs/solutions/security/detect-and-alert/about-building-block-rules). + description: | + Determines if the rule acts as a building block. If yes, the value must be `default`. 
+ By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. + For more information, refer to [About building block rules](https://www.elastic.co/docs/solutions/security/detect-and-alert/about-building-block-rules). type: string Security_Detections_API_BulkActionEditPayload: anyOf: - - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionEditPayloadTags - - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionEditPayloadIndexPatterns - - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionEditPayloadInvestigationFields - - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionEditPayloadTimeline - - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionEditPayloadRuleActions - - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionEditPayloadSchedule - - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionEditPayloadAlertSuppression + - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadTags' + - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadIndexPatterns' + - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadInvestigationFields' + - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadTimeline' + - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadRuleActions' + - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadSchedule' + - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadAlertSuppression' Security_Detections_API_BulkActionEditPayloadAlertSuppression: anyOf: - - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionEditPayloadSetAlertSuppression - - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionEditPayloadSetAlertSuppressionForThreshold - - $ref: >- - 
#/components/schemas/Security_Detections_API_BulkActionEditPayloadDeleteAlertSuppression + - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadSetAlertSuppression' + - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadSetAlertSuppressionForThreshold' + - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadDeleteAlertSuppression' Security_Detections_API_BulkActionEditPayloadDeleteAlertSuppression: type: object properties: @@ -55404,19 +108227,12 @@ components: required: - type Security_Detections_API_BulkActionEditPayloadIndexPatterns: - description: > + description: | Edits index patterns of rulesClient. - - - `add_index_patterns` adds index patterns to rules. If an index pattern - already exists for a rule, no changes are made. - - - `delete_index_patterns` removes index patterns from rules. If an index - pattern does not exist for a rule, no changes are made. - - - `set_index_patterns` sets index patterns for rules, overwriting any - existing index patterns. If the set of index patterns is the same as the - existing index patterns, no changes are made. + - `add_index_patterns` adds index patterns to rules. If an index pattern already exists for a rule, no changes are made. + - `delete_index_patterns` removes index patterns from rules. If an index pattern does not exist for a rule, no changes are made. + - `set_index_patterns` sets index patterns for rules, overwriting any existing index patterns. If the set of index patterns is the same as the existing index patterns, no changes are made. type: object properties: overwrite_data_views: 
@@ -55434,20 +108250,12 @@ components: - type - value Security_Detections_API_BulkActionEditPayloadInvestigationFields: - description: > + description: | Edits investigation fields of rules. - - - `add_investigation_fields` adds investigation fields to rules. If an - investigation field already exists for a rule, no changes are made. - - - `delete_investigation_fields` removes investigation fields from rules. - If an investigation field does not exist for a rule, no changes are - made. - - - `set_investigation_fields` sets investigation fields for rules. If the - set of investigation fields is the same as the existing investigation - fields, no changes are made. + - `add_investigation_fields` adds investigation fields to rules. If an investigation field already exists for a rule, no changes are made. + - `delete_investigation_fields` removes investigation fields from rules. If an investigation field does not exist for a rule, no changes are made. + - `set_investigation_fields` sets investigation fields for rules. If the set of investigation fields is the same as the existing investigation fields, no changes are made. type: object properties: type: 
@@ -55462,18 +108270,11 @@ components: - type - value Security_Detections_API_BulkActionEditPayloadRuleActions: - description: > + description: | Edits rule actions of rules. - - - `add_rule_actions` adds rule actions to rules. This action is - non-idempotent, meaning that even if the same rule action already exists - for a rule, it will be added again with a new unique ID. - - - `set_rule_actions` sets rule actions for rules. This action is - non-idempotent, meaning that even if the same set of rule actions - already exists for a rule, it will be set again and the actions will - receive new unique IDs. + - `add_rule_actions` adds rule actions to rules. This action is non-idempotent, meaning that even if the same rule action already exists for a rule, it will be added again with a new unique ID. + - `set_rule_actions` sets rule actions for rules. This action is non-idempotent, meaning that even if the same set of rule actions already exists for a rule, it will be set again and the actions will receive new unique IDs. type: object properties: type: 
@@ -55486,30 +108287,22 @@ components: properties: actions: items: - $ref: >- - #/components/schemas/Security_Detections_API_NormalizedRuleAction + $ref: '#/components/schemas/Security_Detections_API_NormalizedRuleAction' type: array throttle: - $ref: >- - #/components/schemas/Security_Detections_API_ThrottleForBulkActions + $ref: '#/components/schemas/Security_Detections_API_ThrottleForBulkActions' required: - actions required: - type - value Security_Detections_API_BulkActionEditPayloadSchedule: - description: > + description: | Overwrites schedule of rules. + - `set_schedule` sets a schedule for rules. If the same schedule already exists for a rule, no changes are made. - - `set_schedule` sets a schedule for rules. If the same schedule already - exists for a rule, no changes are made. - - - Both `interval` and `lookback` have a format of "{integer}{time_unit}", - where accepted time units are `s` for seconds, `m` for minutes, and `h` - for hours. The integer must be positive and larger than 0. Examples: - "45s", "30m", "6h" + Both `interval` and `lookback` have a format of "{integer}{time_unit}", where accepted time units are `s` for seconds, `m` for minutes, and `h` for hours. The integer must be positive and larger than 0. Examples: "45s", "30m", "6h" type: object properties: type: 
@@ -55520,20 +108313,15 @@ components: type: object properties: interval: - description: >- - Interval in which the rule runs. For example, `"1h"` means the - rule runs every hour. + description: Interval in which the rule runs. For example, `"1h"` means the rule runs every hour. example: 1h pattern: ^[1-9]\d*[smh]$ type: string lookback: - description: > + description: | Lookback time for the rules. - - Additional look-back time that the rule analyzes. For example, - "10m" means the rule analyzes the last 10 minutes of data in - addition to the frequency interval. + Additional look-back time that the rule analyzes. For example, "10m" means the rule analyzes the last 10 minutes of data in addition to the frequency interval. example: 1h pattern: ^[1-9]\d*[smh]$ type: string @@ -55563,24 +108351,17 @@ components: - set_alert_suppression_for_threshold type: string value: - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdAlertSuppression + $ref: '#/components/schemas/Security_Detections_API_ThresholdAlertSuppression' required: - type - value Security_Detections_API_BulkActionEditPayloadTags: - description: > + description: | Edits tags of rules. - - - `add_tags` adds tags to rules. If a tag already exists for a rule, no - changes are made. - - - `delete_tags` removes tags from rules. If a tag does not exist for a - rule, no changes are made. - - - `set_tags` sets tags for rules, overwriting any existing tags. If the - set of tags is the same as the existing tags, no changes are made. + - `add_tags` adds tags to rules. If a tag already exists for a rule, no changes are made. + - `delete_tags` removes tags from rules. If a tag does not exist for a rule, no changes are made. + - `set_tags` sets tags for rules, overwriting any existing tags. If the set of tags is the same as the existing tags, no changes are made. type: object properties: type: 
@@ -55595,12 +108376,10 @@ components: - type - value Security_Detections_API_BulkActionEditPayloadTimeline: - description: > + description: | Edits timeline of rules. - - - `set_timeline` sets a timeline for rules. If the same timeline already - exists for a rule, no changes are made. + - `set_timeline` sets a timeline for rules. If the same timeline already exists for a rule, no changes are made. type: object properties: type: @@ -55613,8 +108392,7 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' required: - timeline_id - timeline_title @@ -55645,8 +108423,7 @@ components: skip_reason: oneOf: - $ref: '#/components/schemas/Security_Detections_API_BulkEditSkipReason' - - $ref: >- - #/components/schemas/Security_Detections_API_BulkGapsFillingSkipReason + - $ref: '#/components/schemas/Security_Detections_API_BulkGapsFillingSkipReason' required: - id - skip_reason @@ -55658,14 +108435,10 @@ components: - delete type: string gap_auto_fill_scheduler_id: - description: >- - Gap auto fill scheduler ID used to determine gap fill status for - rules + description: Gap auto fill scheduler ID used to determine gap fill status for rules type: string gap_fill_statuses: - description: >- - Gap fill statuses to filter rules with gaps by status (used together - with gaps_range_*). + description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*). items: $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' type: array 
@@ -55676,10 +108449,8 @@ components: description: Gaps range start, valid only when query is provided type: string ids: - description: > - Array of rule `id`s to which a bulk action will be applied. Do not - use rule's `rule_id` here. - + description: | + Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here. Only valid when query property is undefined. items: type: string @@ -55698,14 +108469,10 @@ components: - disable type: string gap_auto_fill_scheduler_id: - description: >- - Gap auto fill scheduler ID used to determine gap fill status for - rules + description: Gap auto fill scheduler ID used to determine gap fill status for rules type: string gap_fill_statuses: - description: >- - Gap fill statuses to filter rules with gaps by status (used together - with gaps_range_*). + description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*). items: $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' type: array @@ -55716,10 +108483,8 @@ components: description: Gaps range start, valid only when query is provided type: string ids: - description: > - Array of rule `id`s to which a bulk action will be applied. Do not - use rule's `rule_id` here. - + description: | + Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here. Only valid when query property is undefined. items: type: string 
@@ -55751,14 +108516,10 @@ components: - include_exceptions - include_expired_exceptions gap_auto_fill_scheduler_id: - description: >- - Gap auto fill scheduler ID used to determine gap fill status for - rules + description: Gap auto fill scheduler ID used to determine gap fill status for rules type: string gap_fill_statuses: - description: >- - Gap fill statuses to filter rules with gaps by status (used together - with gaps_range_*). + description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*). items: $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' type: array @@ -55769,10 +108530,8 @@ components: description: Gaps range start, valid only when query is provided type: string ids: - description: > - Array of rule `id`s to which a bulk action will be applied. Do not - use rule's `rule_id` here. - + description: | + Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here. Only valid when query property is undefined. items: type: string @@ -55791,15 +108550,12 @@ components: properties: errors: items: - $ref: >- - #/components/schemas/Security_Detections_API_NormalizedRuleError + $ref: '#/components/schemas/Security_Detections_API_NormalizedRuleError' type: array results: - $ref: >- - #/components/schemas/Security_Detections_API_BulkEditActionResults + $ref: '#/components/schemas/Security_Detections_API_BulkEditActionResults' summary: - $ref: >- - #/components/schemas/Security_Detections_API_BulkEditActionSummary + $ref: '#/components/schemas/Security_Detections_API_BulkEditActionSummary' required: - results - summary 
@@ -55838,13 +108594,7 @@ components: - deleted - skipped Security_Detections_API_BulkEditActionSummary: - description: >- - A rule can only be skipped when the bulk action to be performed on it - results in nothing being done. For example, if the `edit` action is used - to add a tag to a rule that already has that tag, or to delete an index - pattern that is not specified in a rule. Objects returned in - `attributes.results.skipped` will only include rules' `id`, `name`, and - `skip_reason`. + description: A rule can only be skipped when the bulk action to be performed on it results in nothing being done. For example, if the `edit` action is used to add a tag to a rule that already has that tag, or to delete an index pattern that is not specified in a rule. Objects returned in `attributes.results.skipped` will only include rules' `id`, `name`, and `skip_reason`. type: object properties: failed: @@ -55874,14 +108624,10 @@ components: minItems: 1 type: array gap_auto_fill_scheduler_id: - description: >- - Gap auto fill scheduler ID used to determine gap fill status for - rules + description: Gap auto fill scheduler ID used to determine gap fill status for rules type: string gap_fill_statuses: - description: >- - Gap fill statuses to filter rules with gaps by status (used together - with gaps_range_*). + description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*). items: $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' type: array @@ -55892,10 +108638,8 @@ components: description: Gaps range start, valid only when query is provided type: string ids: - description: > - Array of rule `id`s to which a bulk action will be applied. Do not - use rule's `rule_id` here. - + description: | + Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here. Only valid when query property is undefined. items: type: string 
@@ -55919,14 +108663,10 @@ components: - enable type: string gap_auto_fill_scheduler_id: - description: >- - Gap auto fill scheduler ID used to determine gap fill status for - rules + description: Gap auto fill scheduler ID used to determine gap fill status for rules type: string gap_fill_statuses: - description: >- - Gap fill statuses to filter rules with gaps by status (used together - with gaps_range_*). + description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*). items: $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' type: array @@ -55937,10 +108677,8 @@ components: description: Gaps range start, valid only when query is provided type: string ids: - description: > - Array of rule `id`s to which a bulk action will be applied. Do not - use rule's `rule_id` here. - + description: | + Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here. Only valid when query property is undefined. items: type: string @@ -55961,14 +108699,10 @@ components: - export type: string gap_auto_fill_scheduler_id: - description: >- - Gap auto fill scheduler ID used to determine gap fill status for - rules + description: Gap auto fill scheduler ID used to determine gap fill status for rules type: string gap_fill_statuses: - description: >- - Gap fill statuses to filter rules with gaps by status (used together - with gaps_range_*). + description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*). items: $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' type: array 
@@ -55979,10 +108713,8 @@ components: description: Gaps range start, valid only when query is provided type: string ids: - description: > - Array of rule `id`s to which a bulk action will be applied. Do not - use rule's `rule_id` here. - + description: | + Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here. Only valid when query property is undefined. items: type: string @@ -56005,9 +108737,7 @@ components: - fill_gaps type: string fill_gaps: - description: >- - Object that describes applying a manual gap fill action for the - specified time range. + description: Object that describes applying a manual gap fill action for the specified time range. type: object properties: end_date: @@ -56020,14 +108750,10 @@ components: - start_date - end_date gap_auto_fill_scheduler_id: - description: >- - Gap auto fill scheduler ID used to determine gap fill status for - rules + description: Gap auto fill scheduler ID used to determine gap fill status for rules type: string gap_fill_statuses: - description: >- - Gap fill statuses to filter rules with gaps by status (used together - with gaps_range_*). + description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*). items: $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' type: array @@ -56038,10 +108764,8 @@ components: description: Gaps range start, valid only when query is provided type: string ids: - description: > - Array of rule `id`s to which a bulk action will be applied. Do not - use rule's `rule_id` here. - + description: | + Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here. Only valid when query property is undefined. items: type: string 
@@ -56061,14 +108785,10 @@ components: - run type: string gap_auto_fill_scheduler_id: - description: >- - Gap auto fill scheduler ID used to determine gap fill status for - rules + description: Gap auto fill scheduler ID used to determine gap fill status for rules type: string gap_fill_statuses: - description: >- - Gap fill statuses to filter rules with gaps by status (used together - with gaps_range_*). + description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*). items: $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' type: array @@ -56079,10 +108799,8 @@ components: description: Gaps range start, valid only when query is provided type: string ids: - description: > - Array of rule `id`s to which a bulk action will be applied. Do not - use rule's `rule_id` here. - + description: | + Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here. Only valid when query property is undefined. items: type: string @@ -56113,9 +108831,7 @@ components: reason: $ref: '#/components/schemas/Security_Detections_API_Reason' signal_ids: - description: >- - List of alert ids. Use field `_id` on alert document or - `kibana.alert.uuid`. Note: signals are a deprecated term for alerts. + description: 'List of alert ids. Use field `_id` on alert document or `kibana.alert.uuid`. Note: signals are a deprecated term for alerts.' items: format: nonempty minLength: 1 @@ -56178,9 +108894,7 @@ components: - items: type: string type: array - description: >- - Map Osquery results columns or static values to Elastic Common Schema - (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}} + description: 'Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}' type: object Security_Detections_API_EndpointResponseAction: type: object 
@@ -56240,18 +108954,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -56265,8 +108975,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -56282,35 +108991,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -56337,13 +109035,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -56382,18 +109078,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -56407,8 +109099,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -56424,35 +109115,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -56481,13 +109161,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -56518,18 +109196,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -56543,12 +109217,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -56562,35 +109235,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -56619,13 +109281,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -56640,18 +109300,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -56665,12 +109321,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -56684,35 +109339,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -56741,13 +109385,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -56794,18 +109436,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -56819,8 +109457,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -56836,35 +109473,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -56891,13 +109517,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -56936,18 +109560,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -56961,8 +109581,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -56978,35 +109597,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -57035,13 +109643,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -57062,18 +109668,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -57087,12 +109689,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: @@ -57108,13 +109709,11 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' query: 
@@ -57122,23 +109721,14 @@ components: references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: @@ -57167,13 +109757,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' type: 
@@ -57209,18 +109797,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -57234,12 +109818,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -57253,35 +109836,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -57310,13 +109882,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -57342,9 +109912,7 @@ components: - endpoint_blocklists type: string Security_Detections_API_ExternalRuleCustomizedFields: - description: >- - An array of customized field names — that is, fields that the user has - modified from their base value. Defaults to an empty array. + description: An array of customized field names — that is, fields that the user has modified from their base value. Defaults to an empty array. items: type: object properties: 
@@ -57355,27 +109923,18 @@ components: - field_name type: array Security_Detections_API_ExternalRuleHasBaseVersion: - description: >- - Determines whether an external/prebuilt rule has its original, - unmodified version present when the calculation of its customization - status is performed (`rule_source.is_customized` and - `rule_source.customized_fields`). + description: Determines whether an external/prebuilt rule has its original, unmodified version present when the calculation of its customization status is performed (`rule_source.is_customized` and `rule_source.customized_fields`). type: boolean Security_Detections_API_ExternalRuleSource: - description: >- - Type of rule source for externally sourced rules, i.e. rules that have - an external source, such as the Elastic Prebuilt rules repo. + description: Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo. type: object properties: customized_fields: - $ref: >- - #/components/schemas/Security_Detections_API_ExternalRuleCustomizedFields + $ref: '#/components/schemas/Security_Detections_API_ExternalRuleCustomizedFields' has_base_version: - $ref: >- - #/components/schemas/Security_Detections_API_ExternalRuleHasBaseVersion + $ref: '#/components/schemas/Security_Detections_API_ExternalRuleHasBaseVersion' is_customized: - $ref: >- - #/components/schemas/Security_Detections_API_IsExternalRuleCustomized + $ref: '#/components/schemas/Security_Detections_API_IsExternalRuleCustomized' type: enum: - external 
@@ -57410,31 +109969,20 @@ components: - error type: string Security_Detections_API_HistoryWindowStart: - description: >- - Start date to use when checking if a term has been seen before. Supports - relative dates – for example, now-30d will search the last 30 days of - data when checking if a term is new. We do not recommend using absolute - dates, which can cause issues with rule performance due to querying - increasing amounts of data over time. + description: Start date to use when checking if a term has been seen before. Supports relative dates – for example, now-30d will search the last 30 days of data when checking if a term is new. We do not recommend using absolute dates, which can cause issues with rule performance due to querying increasing amounts of data over time. format: nonempty minLength: 1 type: string Security_Detections_API_IndexPatternArray: - description: > - Indices on which the rule functions. Defaults to the Security Solution - indices defined on the Kibana Advanced Settings page (Kibana → Stack - Management → Advanced Settings → `securitySolution:defaultIndex`). - + description: | + Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings → `securitySolution:defaultIndex`). > info - > This field is not supported for ES|QL rules. items: type: string type: array Security_Detections_API_InternalRuleSource: - description: >- - Type of rule source for internally sourced rules, i.e. created within - the Kibana apps. + description: Type of rule source for internally sourced rules, i.e. created within the Kibana apps. type: object properties: type: 
@@ -57444,12 +109992,9 @@ components: required: - type Security_Detections_API_InvestigationFields: - description: > - Schema for fields relating to investigation fields. These are user - defined fields we use to highlight - - in various features in the UI such as alert details flyout and - exceptions auto-population from alert. + description: | + Schema for fields relating to investigation fields. These are user defined fields we use to highlight + in various features in the UI such as alert details flyout and exceptions auto-population from alert. type: object properties: field_names: @@ -57463,19 +110008,14 @@ components: description: Notes to help investigate alerts produced by the rule. type: string Security_Detections_API_IsExternalRuleCustomized: - description: >- - Determines whether an external/prebuilt rule has been customized by the - user (i.e. any of its fields have been modified and diverged from the - base value). + description: Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value). type: boolean Security_Detections_API_IsRuleEnabled: description: Determines whether the rule is enabled. Defaults to true. type: boolean Security_Detections_API_IsRuleImmutable: deprecated: true - description: >- - This field determines whether the rule is a prebuilt Elastic rule. It - will be replaced with the `rule_source` field. + description: This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the `rule_source` field. type: boolean Security_Detections_API_ItemsPerSearch: minimum: 1 
@@ -57498,18 +110038,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -57523,8 +110059,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -57540,35 +110075,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -57595,13 +110119,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: 
@@ -57630,31 +110152,24 @@ components: - related_integrations - required_fields - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleResponseFields + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleResponseFields' Security_Detections_API_MachineLearningRuleCreateFields: allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleRequiredFields' + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields' Security_Detections_API_MachineLearningRuleCreateProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -57668,8 +110183,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -57685,35 +110199,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -57742,13 +110245,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -57758,8 +110259,7 @@ components: - description - risk_score - severity - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleCreateFields + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleCreateFields' Security_Detections_API_MachineLearningRuleOptionalFields: type: object properties: 
@@ -57772,32 +110272,26 @@ components: anomaly_threshold: $ref: '#/components/schemas/Security_Detections_API_AnomalyThreshold' machine_learning_job_id: - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningJobId + $ref: '#/components/schemas/Security_Detections_API_MachineLearningJobId' type: description: Rule type enum: - machine_learning type: string - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields' Security_Detections_API_MachineLearningRulePatchProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -57811,12 +110305,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -57830,35 +110323,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -57887,19 +110369,16 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRulePatchFields + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRulePatchFields' Security_Detections_API_MachineLearningRuleRequiredFields: type: object properties: 
@@ -57918,27 +110397,21 @@ components: - anomaly_threshold Security_Detections_API_MachineLearningRuleResponseFields: allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleRequiredFields' + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields' Security_Detections_API_MachineLearningRuleUpdateProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -57952,12 +110425,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -57971,35 +110443,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -58028,13 +110489,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: 
@@ -58044,25 +110503,13 @@ components: - description - risk_score - severity - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleCreateFields + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleCreateFields' Security_Detections_API_MaxSignals: default: 100 - description: > - Maximum number of alerts the rule can create during a single run (the - rule’s Max alerts per run [advanced - setting](https://www.elastic.co/docs/solutions/security/detect-and-alert/create-detection-rule#rule-ui-advanced-params) - value). - + description: | + Maximum number of alerts the rule can create during a single run (the rule’s Max alerts per run [advanced setting](https://www.elastic.co/docs/solutions/security/detect-and-alert/create-detection-rule#rule-ui-advanced-params) value). > info - - > This setting can be superseded by the [Kibana configuration - setting](https://www.elastic.co/docs/reference/kibana/configuration-reference/alerting-settings) - `xpack.alerting.rules.run.alerts.max`, which determines the maximum - alerts generated by any rule in the Kibana alerting framework. For - example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, the - rule can generate no more than 1000 alerts even if `max_signals` is set - higher. + > This setting can be superseded by the [Kibana configuration setting](https://www.elastic.co/docs/reference/kibana/configuration-reference/alerting-settings) `xpack.alerting.rules.run.alerts.max`, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, the rule can generate no more than 1000 alerts even if `max_signals` is set higher. minimum: 1 type: integer Security_Detections_API_NewTermsFields: 
@@ -58077,18 +110524,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -58102,8 +110545,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -58119,35 +110561,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -58174,13 +110605,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: 
@@ -58209,33 +110638,25 @@ components: - related_integrations - required_fields - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleResponseFields + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleResponseFields' Security_Detections_API_NewTermsRuleCreateFields: allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleDefaultableFields + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleRequiredFields' + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields' + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleDefaultableFields' Security_Detections_API_NewTermsRuleCreateProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -58249,8 +110670,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -58266,35 +110686,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -58323,13 +110732,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -58339,8 +110746,7 @@ components: - description - risk_score - severity - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleCreateFields + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateFields' Security_Detections_API_NewTermsRuleDefaultableFields: type: object properties: 
@@ -58372,27 +110778,21 @@ components: enum: - new_terms type: string - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleDefaultableFields + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields' + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleDefaultableFields' Security_Detections_API_NewTermsRulePatchProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -58406,12 +110806,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -58425,35 +110824,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -58482,13 +110870,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -58515,10 +110901,8 @@ components: - history_window_start Security_Detections_API_NewTermsRuleResponseFields: allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleRequiredFields' + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields' - type: object properties: language: 
@@ -58530,18 +110914,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -58555,12 +110935,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -58574,35 +110953,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -58631,13 +110999,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -58647,8 +111013,7 @@ components: - description - risk_score - severity - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleCreateFields + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateFields' Security_Detections_API_NonEmptyString: description: A string that does not contain only whitespace characters format: nonempty @@ -58675,8 +111040,7 @@ components: type: object properties: err_code: - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionsDryRunErrCode + $ref: '#/components/schemas/Security_Detections_API_BulkActionsDryRunErrCode' message: type: string rules: 
@@ -58695,31 +111059,20 @@ components: ecs_mapping: $ref: '#/components/schemas/Security_Detections_API_EcsMapping' pack_id: - description: >- - To specify a query pack, use the packId field. Example: "packId": - "processes_elastic" + description: 'To specify a query pack, use the packId field. Example: "packId": "processes_elastic"' type: string queries: items: $ref: '#/components/schemas/Security_Detections_API_OsqueryQuery' type: array query: - description: >- - To run a single query, use the query field and enter a SQL query. - Example: "query": "SELECT * FROM processes;" + description: 'To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"' type: string saved_query_id: - description: >- - To run a saved query, use the saved_query_id field and specify the - saved query ID. Example: "saved_query_id": "processes_elastic" + description: 'To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"' type: string timeout: - description: >- - A timeout period, in seconds, after which the query will stop - running. Overwriting the default timeout allows you to support - queries that require more time to complete. The default and minimum - supported value is 60. The maximum supported value is 900. Example: - "timeout": 120. + description: 'A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.' type: number Security_Detections_API_OsqueryQuery: type: object 
@@ -58773,18 +111126,13 @@ components: type: object properties: command: - description: >- - To run an endpoint response action, specify a value for the command - field. Example: "command": "isolate" + description: 'To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"' enum: - kill-process - suspend-process type: string comment: - description: >- - Add a note that explains or describes the action. You can find your - comment in the response actions history log. Example: "comment": - "Check processes" + description: 'Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"' type: string config: type: object @@ -58836,18 +111184,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -58861,8 +111205,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -58878,35 +111221,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -58933,13 +111265,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -58973,25 +111303,20 @@ components: allOf: - $ref: '#/components/schemas/Security_Detections_API_QueryRuleRequiredFields' - $ref: '#/components/schemas/Security_Detections_API_QueryRuleOptionalFields' - - $ref: >- - #/components/schemas/Security_Detections_API_QueryRuleDefaultableFields + - $ref: '#/components/schemas/Security_Detections_API_QueryRuleDefaultableFields' Security_Detections_API_QueryRuleCreateProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -59005,8 +111330,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -59022,35 +111346,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -59079,13 +111392,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -59126,25 +111437,20 @@ components: - query type: string - $ref: '#/components/schemas/Security_Detections_API_QueryRuleOptionalFields' - - $ref: >- - #/components/schemas/Security_Detections_API_QueryRuleDefaultableFields + - $ref: '#/components/schemas/Security_Detections_API_QueryRuleDefaultableFields' Security_Detections_API_QueryRulePatchProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -59158,12 +111464,11 @@ components:
$ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
type: array
false_positives:
- $ref: >-
- #/components/schemas/Security_Detections_API_RuleFalsePositiveArray
+ $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
from:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
id:
- $ref: '#/components/schemas/Security_Detections_API_RuleObjectId'
+ $ref: '#/components/schemas/Security_Detections_API_UUID'
interval:
$ref: '#/components/schemas/Security_Detections_API_RuleInterval'
investigation_fields:
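Review bot: The `id` property of `Security_Detections_API_QueryRulePatchProps` is switched from `$ref: '#/components/schemas/Security_Detections_API_RuleObjectId'` to `$ref: '#/components/schemas/Security_Detections_API_UUID'`, and that silently drops the rule-object-id description from the rendered docs for this field. `RuleObjectId` still exists further down in this diff and is only a wrapper around `UUID` that carries the caveat that the object `id` is space-scoped and differs for the same prebuilt rule across spaces and environments — exactly the caveat an automation author needs when patching rules by `id` rather than `rule_id`. The same substitution appears in the next patch-props schema and in `Security_Detections_API_RuleResponse` in this chunk. Given the rest of the diff is pure reformatting and the commit only adds `meta.id` to Fleet schemas, this looks like a side effect of schema deduplication in the bundler rather than an intended API change; I would expect the generated output to keep `$ref: '#/components/schemas/Security_Detections_API_RuleObjectId'` here, or, if the dedup is intentional, to inline that description on the `id` property so the contract is not lost.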
@@ -59177,35 +111482,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -59234,13 +111528,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -59274,18 +111566,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -59299,12 +111587,11 @@ components:
$ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
type: array
false_positives:
- $ref: >-
- #/components/schemas/Security_Detections_API_RuleFalsePositiveArray
+ $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
from:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
id:
- $ref: '#/components/schemas/Security_Detections_API_RuleObjectId'
+ $ref: '#/components/schemas/Security_Detections_API_UUID'
interval:
$ref: '#/components/schemas/Security_Detections_API_RuleInterval'
investigation_fields:
@@ -59318,35 +111605,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -59375,13 +111651,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -59393,11 +111667,7 @@ components: - severity - $ref: '#/components/schemas/Security_Detections_API_QueryRuleCreateFields' Security_Detections_API_Reason: - description: >- - The reason for closing the alerts. Can be one of following predefined - reasons: [false_positive, duplicate, true_positive, benign_positive, - automated_closure, other] or a custom reason provided by the user - through the advanced settings. + description: 'The reason for closing the alerts. Can be one of following predefined reasons: [false_positive, duplicate, true_positive, benign_positive, automated_closure, other] or a custom reason provided by the user through the advanced settings.' oneOf: - $ref: '#/components/schemas/Security_Detections_API_ReasonEnum' - type: string 
@@ -59411,45 +111681,23 @@ components: - other type: string Security_Detections_API_RelatedIntegration: - description: > - Related integration is a potential dependency of a rule. It's assumed - that if the user installs - - one of the related integrations of a rule, the rule might start to work - properly because it will - - have source events (generated by this integration) potentially matching - the rule's query. - - - NOTE: Proper work is not guaranteed, because a related integration, if - installed, can be - - configured differently or generate data that is not necessarily relevant - for this rule. - - - Related integration is a combination of a Fleet package and (optionally) - one of the + description: | + Related integration is a potential dependency of a rule. It's assumed that if the user installs + one of the related integrations of a rule, the rule might start to work properly because it will + have source events (generated by this integration) potentially matching the rule's query. - package's "integrations" that this package contains. It is represented - by 3 properties: + NOTE: Proper work is not guaranteed, because a related integration, if installed, can be + configured differently or generate data that is not necessarily relevant for this rule. + Related integration is a combination of a Fleet package and (optionally) one of the + package's "integrations" that this package contains. It is represented by 3 properties: - `package`: name of the package (required, unique id) - - `version`: version of the package (required, semver-compatible) + - `integration`: name of the integration of this package (optional, id within the package) - - `integration`: name of the integration of this package (optional, id - within the package) - - - There are Fleet packages like `windows` that contain only one - integration; in this case, - - `integration` should be unspecified. 
There are also packages like `aws` - and `azure` that contain - + There are Fleet packages like `windows` that contain only one integration; in this case, + `integration` should be unspecified. There are also packages like `aws` and `azure` that contain several integrations; in this case, `integration` should be specified. example: integration: activitylogs @@ -59471,35 +111719,23 @@ components: $ref: '#/components/schemas/Security_Detections_API_RelatedIntegration' type: array Security_Detections_API_RequiredField: - description: > - Describes an Elasticsearch field that is needed for the rule to - function. - - - Almost all types of Security rules check source event documents for a - match to some kind of - - query or filter. If a document has certain field with certain values, - then it's a match and + description: | + Describes an Elasticsearch field that is needed for the rule to function. + Almost all types of Security rules check source event documents for a match to some kind of + query or filter. If a document has certain field with certain values, then it's a match and the rule will generate an alert. - - Required field is an event field that must be present in the source - indices of a given rule. - + Required field is an event field that must be present in the source indices of a given rule. @example - const standardEcsField: RequiredField = { name: 'event.action', type: 'keyword', ecs: true, }; - @example - const nonEcsField: RequiredField = { name: 'winlog.event_data.AttributeLDAPDisplayName', type: 'keyword', 
@@ -59508,10 +111744,7 @@ components: type: object properties: ecs: - description: >- - Indicates whether the field is ECS-compliant. This property is only - present in responses. Its value is computed based on field’s name - and type. + description: Indicates whether the field is ECS-compliant. This property is only present in responses. Its value is computed based on field’s name and type. type: boolean name: description: Name of an Elasticsearch field @@ -59532,10 +111765,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RequiredField' type: array Security_Detections_API_RequiredFieldInput: - description: >- - Input parameters to create a RequiredField. Does not include the `ecs` - field, because `ecs` is calculated on the backend based on the field - name and type. + description: Input parameters to create a RequiredField. Does not include the `ecs` field, because `ecs` is calculated on the backend based on the field name and type. type: object properties: name: @@ -59571,7 +111801,7 @@ components: execution_summary: $ref: '#/components/schemas/Security_Detections_API_RuleExecutionSummary' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' immutable: $ref: '#/components/schemas/Security_Detections_API_IsRuleImmutable' required_fields: @@ -59610,9 +111840,7 @@ components: minimum: 0 type: integer Security_Detections_API_RiskScoreMapping: - description: >- - Overrides generated alerts' risk_score with a value from the source - event + description: Overrides generated alerts' risk_score with a value from the source event items: type: object properties: 
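Review bot: In the `@@ -59571` hunk, `Security_Detections_API_RuleResponse.id` is changed from `$ref: '#/components/schemas/Security_Detections_API_RuleObjectId'` to `$ref: '#/components/schemas/Security_Detections_API_UUID'`, which removes the only place the response docs explained that `id` is randomly generated, immutable, and unique only within a Kibana space. That distinction between `id` and the stable `rule_id` (`Security_Detections_API_RuleSignatureId`, still documented in this diff) is what readers of the response schema rely on to decide which identifier is safe to persist or move between spaces. Since `RuleObjectId` is retained and unchanged later in this chunk, restoring `$ref: '#/components/schemas/Security_Detections_API_RuleObjectId'` on this property is the one-line fix; I assume the substitution comes from the bundler rather than a deliberate schema change, so it may be worth checking the generator for why the wrapper was bypassed.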
@@ -59675,34 +111903,27 @@ components: - params Security_Detections_API_RuleActionAlertsFilter: additionalProperties: true - description: > + description: | Object containing an action’s conditional filters. - - - `timeframe` (object, optional): Object containing the time frame for - when this action can be run. + - `timeframe` (object, optional): Object containing the time frame for when this action can be run. - `days` (array of integers, required): List of days of the week on which this action will be run. Days of the week are expressed as numbers between `1-7`, where `1` is Monday and `7` is Sunday. To select all days of the week, enter an empty array. - `hours` (object, required): The hours of the day during which this action will run. Hours of the day are expressed as two strings in the format `hh:mm` in `24` hour time. A start of `00:00` and an end of `24:00` means the action can run all day. - start (string, required): Start time in `hh:mm` format. - end (string, required): End time in `hh:mm` format. - `timezone` (string, required): An ISO timezone name, such as `Europe/Madrid` or `America/New_York`. Specific offsets such as `UTC` or `UTC+1` will also work, but lack built-in DST. - - `query` (object, optional): Object containing a query filter which - gets applied to an action and determines whether the action should run. + - `query` (object, optional): Object containing a query filter which gets applied to an action and determines whether the action should run. - `kql` (string, required): A KQL string. - `filters` (array of objects, required): Array of filter objects, as defined in the `kbn-es-query` package. type: object Security_Detections_API_RuleActionFrequency: - description: >- - The action frequency defines when the action runs (for example, only on - rule execution or at specific time intervals). + description: The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals). 
type: object properties: notifyWhen: $ref: '#/components/schemas/Security_Detections_API_RuleActionNotifyWhen' summary: - description: >- - Action summary indicates whether we will send a summary notification - about all the generate alerts or notification per individual alert + description: Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert type: boolean throttle: $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' @@ -59712,9 +111933,7 @@ components: - notifyWhen - throttle Security_Detections_API_RuleActionGroup: - description: >- - Optionally groups actions by use cases. Use `default` for alert - notifications. + description: Optionally groups actions by use cases. Use `default` for alert notifications. type: string Security_Detections_API_RuleActionId: description: The connector ID. @@ -59728,10 +111947,8 @@ components: type: string Security_Detections_API_RuleActionParams: additionalProperties: true - description: > - Object containing the allowed connector fields, which varies according - to the connector type. - + description: | + Object containing the allowed connector fields, which varies according to the connector type. For Slack: 
@@ -59779,30 +111996,22 @@ components: anyOf: - $ref: '#/components/schemas/Security_Detections_API_EqlRuleCreateProps' - $ref: '#/components/schemas/Security_Detections_API_QueryRuleCreateProps' - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleCreateProps + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleCreateProps' + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleCreateProps' + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleCreateProps' + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleCreateProps' - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateProps' - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleCreateProps' discriminator: mapping: eql: '#/components/schemas/Security_Detections_API_EqlRuleCreateProps' esql: '#/components/schemas/Security_Detections_API_EsqlRuleCreateProps' - machine_learning: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleCreateProps + machine_learning: '#/components/schemas/Security_Detections_API_MachineLearningRuleCreateProps' new_terms: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateProps' query: '#/components/schemas/Security_Detections_API_QueryRuleCreateProps' - saved_query: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleCreateProps - threat_match: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleCreateProps - threshold: >- - #/components/schemas/Security_Detections_API_ThresholdRuleCreateProps + saved_query: '#/components/schemas/Security_Detections_API_SavedQueryRuleCreateProps' + threat_match: 
'#/components/schemas/Security_Detections_API_ThreatMatchRuleCreateProps' + threshold: '#/components/schemas/Security_Detections_API_ThresholdRuleCreateProps' propertyName: type Security_Detections_API_RuleDescription: description: The rule’s description. @@ -59819,11 +112028,8 @@ components: required: - id Security_Detections_API_RuleExceptionList: - description: > - Array of [exception - containers](https://www.elastic.co/docs/solutions/security/detect-and-alert/detection-rule-concepts), - which define exceptions that prevent the rule from generating alerts - even when its other criteria are met. + description: | + Array of [exception containers](https://www.elastic.co/docs/solutions/security/detect-and-alert/detection-rule-concepts), which define exceptions that prevent the rule from generating alerts even when its other criteria are met. type: object properties: id: @@ -59857,10 +112063,7 @@ components: minimum: 0 type: integer frozen_indices_queried_count: - description: >- - Count of frozen indices queried during the rule execution. These - indices could not be entirely excluded after applying the time range - filter. + description: Count of frozen indices queried during the rule execution. These indices could not be entirely excluded after applying the time range filter. minimum: 0 type: integer gap_range: @@ -59881,9 +112084,7 @@ components: type: object properties: type: - description: >- - The type of reason for the gap (rule_disabled or - rule_did_not_run) + description: The type of reason for the gap (rule_disabled or rule_did_not_run) enum: - rule_disabled - rule_did_not_run 
@@ -59891,50 +112092,25 @@ components: required: - type total_enrichment_duration_ms: - description: >- - Total time spent enriching documents during current rule execution - cycle + description: Total time spent enriching documents during current rule execution cycle minimum: 0 type: integer total_indexing_duration_ms: - description: >- - Total time spent indexing documents during current rule execution - cycle + description: Total time spent indexing documents during current rule execution cycle minimum: 0 type: integer total_search_duration_ms: - description: >- - Total time spent performing ES searches as measured by Kibana; - includes network latency and time spent serializing/deserializing - request/response + description: Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response minimum: 0 type: integer Security_Detections_API_RuleExecutionStatus: - description: >- - Custom execution status of Security rules that is different from the - status used in the Alerting Framework. We merge our custom status with - the Framework's status to determine the resulting status of a rule. - - - going to run - @deprecated Replaced by the 'running' status but left - for backwards compatibility with rule execution events already written - to Event Log in the prior versions of Kibana. Don't use when writing - rule status changes. - - - running - Rule execution started but not reached any intermediate or - final status. - - - partial failure - Rule can partially fail for various reasons either - in the middle of an execution (in this case we update its status right - away) or in the end of it. So currently this status can be both - intermediate and final at the same time. A typical reason for a partial - failure: not all the indices that the rule searches over actually exist. 
- - - failed - Rule failed to execute due to unhandled exception or a reason - defined in the business logic of its executor function. - - - succeeded - Rule executed successfully without any issues. Note: this - status is just an indication of a rule's "health". The rule might or - might not generate any alerts despite of it. + description: |- + Custom execution status of Security rules that is different from the status used in the Alerting Framework. We merge our custom status with the Framework's status to determine the resulting status of a rule. + - going to run - @deprecated Replaced by the 'running' status but left for backwards compatibility with rule execution events already written to Event Log in the prior versions of Kibana. Don't use when writing rule status changes. + - running - Rule execution started but not reached any intermediate or final status. + - partial failure - Rule can partially fail for various reasons either in the middle of an execution (in this case we update its status right away) or in the end of it. So currently this status can be both intermediate and final at the same time. A typical reason for a partial failure: not all the indices that the rule searches over actually exist. + - failed - Rule failed to execute due to unhandled exception or a reason defined in the business logic of its executor function. + - succeeded - Rule executed successfully without any issues. Note: this status is just an indication of a rule's "health". The rule might or might not generate any alerts despite of it. enum: - going to run - running 
@@ -59961,14 +112137,12 @@ components: message: type: string metrics: - $ref: >- - #/components/schemas/Security_Detections_API_RuleExecutionMetrics + $ref: '#/components/schemas/Security_Detections_API_RuleExecutionMetrics' status: $ref: '#/components/schemas/Security_Detections_API_RuleExecutionStatus' description: Status of the last execution status_order: - $ref: >- - #/components/schemas/Security_Detections_API_RuleExecutionStatusOrder + $ref: '#/components/schemas/Security_Detections_API_RuleExecutionStatusOrder' required: - date - status 
@@ -59978,33 +112152,22 @@ components: required: - last_execution Security_Detections_API_RuleFalsePositiveArray: - description: >- - String array used to describe common reasons why the rule may issue - false-positive alerts. Defaults to an empty array. + description: String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array. items: type: string type: array Security_Detections_API_RuleFilterArray: - description: > - The query and filter context array used to define the conditions for - when alerts are created from events. Defaults to an empty array. - + description: | + The query and filter context array used to define the conditions for when alerts are created from events. Defaults to an empty array. > info - > This field is not supported for ES|QL rules. items: {} type: array Security_Detections_API_RuleInterval: - description: >- - Frequency of rule execution, using a date math range. For example, "1h" - means the rule runs every hour. Defaults to 5m (5 minutes). + description: Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes). type: string Security_Detections_API_RuleIntervalFrom: - description: >- - Time from which data is analyzed each time the rule runs, using a date - math range. For example, now-4200s means the rule analyzes data from 70 - minutes before its start time. Defaults to now-6m (analyzes data from 6 - minutes before the start time). + description: Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time). format: date-math type: string Security_Detections_API_RuleIntervalTo: 
@@ -60014,13 +112177,10 @@ components: type: string Security_Detections_API_RuleMetadata: additionalProperties: true - description: > + description: | Placeholder for metadata about the rule. - > info - - > This field is overwritten when you save changes to the rule’s - settings. + > This field is overwritten when you save changes to the rule’s settings. type: object Security_Detections_API_RuleName: description: A human-readable name for the rule. 
@@ -60028,31 +112188,19 @@ components: minLength: 1 type: string Security_Detections_API_RuleNameOverride: - description: >- - Sets which field in the source event is used to populate the alert's - `signal.rule.name` value (in the UI, this value is displayed on the - Rules page in the Rule column). When unspecified, the rule’s `name` - value is used. The source field must be a string data type. + description: Sets which field in the source event is used to populate the alert's `signal.rule.name` value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s `name` value is used. The source field must be a string data type. type: string Security_Detections_API_RuleObjectId: $ref: '#/components/schemas/Security_Detections_API_UUID' - description: >- - A dynamic unique identifier for the rule object. It is randomly - generated when a rule is created and cannot be changed after that. It is - always a UUID. It is unique within a given Kibana space. The same - prebuilt Elastic rule, when installed in two different Kibana spaces or - two different Elastic environments, will have different object `id`s. + description: A dynamic unique identifier for the rule object. It is randomly generated when a rule is created and cannot be changed after that. It is always a UUID. It is unique within a given Kibana space. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have different object `id`s. 
Security_Detections_API_RulePatchProps: anyOf: - $ref: '#/components/schemas/Security_Detections_API_EqlRulePatchProps' - $ref: '#/components/schemas/Security_Detections_API_QueryRulePatchProps' - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRulePatchProps + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRulePatchProps' - $ref: '#/components/schemas/Security_Detections_API_ThresholdRulePatchProps' - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRulePatchProps - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRulePatchProps + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRulePatchProps' + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRulePatchProps' - $ref: '#/components/schemas/Security_Detections_API_NewTermsRulePatchProps' - $ref: '#/components/schemas/Security_Detections_API_EsqlRulePatchProps' Security_Detections_API_RulePreviewLoggedRequest: @@ -60078,8 +112226,7 @@ components: type: array requests: items: - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewLoggedRequest + $ref: '#/components/schemas/Security_Detections_API_RulePreviewLoggedRequest' type: array startedAt: $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' 
@@ -60103,22 +112250,14 @@ components: - invocationCount - timeframeEnd Security_Detections_API_RuleQuery: - description: > - [Query](https://www.elastic.co/docs/explore-analyze/query-filter) used - by the rule to create alerts. - - - - For indicator match rules, only the query’s results are used to - determine whether an alert is generated. + description: | + [Query](https://www.elastic.co/docs/explore-analyze/query-filter) used by the rule to create alerts. - - ES|QL rules have additional query requirements. Refer to [Create - ES|QL](https://www.elastic.co/docs/solutions/security/detect-and-alert/create-detection-rule#create-esql-rule) - rules for more information. + - For indicator match rules, only the query’s results are used to determine whether an alert is generated. + - ES|QL rules have additional query requirements. Refer to [Create ES|QL](https://www.elastic.co/docs/solutions/security/detect-and-alert/create-detection-rule#create-esql-rule) rules for more information. type: string Security_Detections_API_RuleReferenceArray: - description: >- - Array containing notes about or references to relevant information about - the rule. Defaults to an empty array. + description: Array containing notes about or references to relevant information about the rule. Defaults to an empty array. items: type: string type: array 
@@ -60144,47 +112283,26 @@ components: threshold: '#/components/schemas/Security_Detections_API_ThresholdRule' propertyName: type Security_Detections_API_RuleRevision: - description: > + description: | The rule's revision number. - - It represents the version of rule's object in Kibana. It is set to `0` - when the rule is installed or created and then gets incremented on each - update. - + It represents the version of rule's object in Kibana. It is set to `0` when the rule is installed or created and then gets incremented on each update. > info - - > Not all updates to any rule fields will increment the revision. Only - those fields that are considered static `rule parameters` can trigger - revision increments. For example, an update to a rule's query or index - fields will increment the rule's revision by `1`. However, changes to - dynamic or technical fields like enabled or execution_summary will not - cause revision increments. + > Not all updates to any rule fields will increment the revision. Only those fields that are considered static `rule parameters` can trigger revision increments. For example, an update to a rule's query or index fields will increment the rule's revision by `1`. However, changes to dynamic or technical fields like enabled or execution_summary will not cause revision increments. minimum: 0 type: integer Security_Detections_API_RuleSignatureId: - description: >- - A stable unique identifier for the rule object. It can be assigned - during rule creation. It can be any string, but often is a UUID. It - should be unique not only within a given Kibana space, but also across - spaces and Elastic environments. The same prebuilt Elastic rule, when - installed in two different Kibana spaces or two different Elastic - environments, will have the same `rule_id`s. + description: A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. 
It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same `rule_id`s. type: string Security_Detections_API_RuleSource: - description: >- - Discriminated union that determines whether the rule is internally - sourced (created within the Kibana app) or has an external source, such - as the Elastic Prebuilt rules repo. + description: Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo. discriminator: propertyName: type oneOf: - $ref: '#/components/schemas/Security_Detections_API_ExternalRuleSource' - $ref: '#/components/schemas/Security_Detections_API_InternalRuleSource' Security_Detections_API_RuleTagArray: - description: >- - String array containing words and phrases to help categorize, filter, - and search rules. Defaults to an empty array. + description: String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array. items: type: string type: array 
@@ -60192,47 +112310,31 @@ components: anyOf: - $ref: '#/components/schemas/Security_Detections_API_EqlRuleUpdateProps' - $ref: '#/components/schemas/Security_Detections_API_QueryRuleUpdateProps' - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleUpdateProps - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleUpdateProps - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleUpdateProps - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleUpdateProps + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleUpdateProps' + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleUpdateProps' + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleUpdateProps' + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleUpdateProps' - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleUpdateProps' - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleUpdateProps' discriminator: mapping: eql: '#/components/schemas/Security_Detections_API_EqlRuleUpdateProps' esql: '#/components/schemas/Security_Detections_API_EsqlRuleUpdateProps' - machine_learning: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleUpdateProps + machine_learning: '#/components/schemas/Security_Detections_API_MachineLearningRuleUpdateProps' new_terms: '#/components/schemas/Security_Detections_API_NewTermsRuleUpdateProps' query: '#/components/schemas/Security_Detections_API_QueryRuleUpdateProps' - saved_query: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleUpdateProps - threat_match: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleUpdateProps - threshold: >- - #/components/schemas/Security_Detections_API_ThresholdRuleUpdateProps + saved_query: '#/components/schemas/Security_Detections_API_SavedQueryRuleUpdateProps' + threat_match: 
'#/components/schemas/Security_Detections_API_ThreatMatchRuleUpdateProps' + threshold: '#/components/schemas/Security_Detections_API_ThresholdRuleUpdateProps' propertyName: type Security_Detections_API_RuleVersion: - description: > + description: | The rule's version number. - - - For prebuilt rules it represents the version of the rule's content in - the source [detection-rules](https://github.com/elastic/detection-rules) - repository (and the corresponding `security_detection_engine` Fleet - package that is used for distributing prebuilt rules). - + - For prebuilt rules it represents the version of the rule's content in the source [detection-rules](https://github.com/elastic/detection-rules) repository (and the corresponding `security_detection_engine` Fleet package that is used for distributing prebuilt rules). - For custom rules it is set to `1` when the rule is created. - > info - - > It is not incremented on each update. Compare this to the `revision` - field. + > It is not incremented on each update. Compare this to the `revision` field. minimum: 1 type: integer Security_Detections_API_RunScriptOsConfigValues: 
@@ -60258,22 +112360,17 @@ components: - runscript type: string comment: - description: >- - Add a note that explains or describes the action. You can find your - comment in the response actions history log + description: Add a note that explains or describes the action. You can find your comment in the response actions history log type: string config: type: object properties: linux: - $ref: >- - #/components/schemas/Security_Detections_API_RunScriptOsConfigValues + $ref: '#/components/schemas/Security_Detections_API_RunScriptOsConfigValues' macos: - $ref: >- - #/components/schemas/Security_Detections_API_RunScriptOsConfigValues + $ref: '#/components/schemas/Security_Detections_API_RunScriptOsConfigValues' windows: - $ref: >- - #/components/schemas/Security_Detections_API_RunScriptOsConfigValues + $ref: '#/components/schemas/Security_Detections_API_RunScriptOsConfigValues' required: - command Security_Detections_API_SavedObjectResolveAliasPurpose: 
@@ -60290,28 +112387,21 @@ components: - conflict type: string Security_Detections_API_SavedQueryId: - description: >- - Kibana [saved - search](https://www.elastic.co/docs/explore-analyze/discover/search-sessions) - used by the rule to create alerts. + description: Kibana [saved search](https://www.elastic.co/docs/explore-analyze/discover/search-sessions) used by the rule to create alerts. type: string Security_Detections_API_SavedQueryRule: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -60325,8 +112415,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -60342,35 +112431,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -60397,13 +112475,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: 
@@ -60432,33 +112508,25 @@ components: - related_integrations - required_fields - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleResponseFields + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleResponseFields' Security_Detections_API_SavedQueryRuleCreateFields: allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleDefaultableFields + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleRequiredFields' + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields' + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleDefaultableFields' Security_Detections_API_SavedQueryRuleCreateProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -60472,8 +112540,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -60489,35 +112556,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -60546,13 +112602,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -60562,8 +112616,7 @@ components: - description - risk_score - severity - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleCreateFields + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleCreateFields' Security_Detections_API_SavedQueryRuleDefaultableFields: type: object properties: 
@@ -60593,27 +112646,21 @@ components: enum: - saved_query type: string - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleDefaultableFields + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields' + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleDefaultableFields' Security_Detections_API_SavedQueryRulePatchProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -60627,12 +112674,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
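Review bot: In the hunk `@@ -60627,12 +112674,11 @@`, the `id` property under `Security_Detections_API_SavedQueryRulePatchProps` changes its reference from `Security_Detections_API_RuleObjectId` to `Security_Detections_API_UUID`; unlike the quoting and reflow changes around it, this alters the published schema for rule `id`, and the same substitution appears in the hunk `@@ -60771,12 +112797,11 @@` (presumably the corresponding update-props schema). If the bundler now collapses structurally identical schemas this may be intentional, but it silently renames a public component and loses whatever rule-specific description `RuleObjectId` carried, so it should be confirmed rather than land as part of a formatting sweep. I would either keep `$ref: '#/components/schemas/Security_Detections_API_RuleObjectId'` on those two lines or note the deliberate consolidation in the commit description, and check that `Security_Detections_API_RuleObjectId` is still defined and referenced elsewhere in the bundle so no dangling `$ref` remains.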
@@ -60646,35 +112692,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -60703,19 +112738,16 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRulePatchFields + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRulePatchFields' Security_Detections_API_SavedQueryRuleRequiredFields: type: object properties: @@ -60731,10 +112763,8 @@ components: - saved_id Security_Detections_API_SavedQueryRuleResponseFields: allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleRequiredFields' + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields' - type: object properties: language: 
@@ -60746,18 +112776,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -60771,12 +112797,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -60790,35 +112815,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -60847,13 +112861,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -60863,8 +112875,7 @@ components: - description - risk_score - severity - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleCreateFields + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleCreateFields' Security_Detections_API_SetAlertAssigneesBody: type: object properties: @@ -60883,15 +112894,12 @@ components: propertyName: status oneOf: - $ref: '#/components/schemas/Security_Detections_API_CloseAlertsByIds' - - $ref: >- - #/components/schemas/Security_Detections_API_SetAlertsStatusByIdsBase + - $ref: '#/components/schemas/Security_Detections_API_SetAlertsStatusByIdsBase' Security_Detections_API_SetAlertsStatusByIdsBase: type: object properties: signal_ids: - description: >- - List of alert ids. Use field `_id` on alert document or - `kibana.alert.uuid`. Note: signals are a deprecated term for alerts. + description: 'List of alert ids. Use field `_id` on alert document or `kibana.alert.uuid`. Note: signals are a deprecated term for alerts.' items: format: nonempty minLength: 1 
@@ -60910,8 +112918,7 @@ components: propertyName: status oneOf: - $ref: '#/components/schemas/Security_Detections_API_CloseAlertsByQuery' - - $ref: >- - #/components/schemas/Security_Detections_API_SetAlertsStatusByQueryBase + - $ref: '#/components/schemas/Security_Detections_API_SetAlertsStatusByQueryBase' Security_Detections_API_SetAlertsStatusByQueryBase: type: object properties: @@ -60951,25 +112958,15 @@ components: - ids - tags Security_Detections_API_SetupGuide: - description: >- - Populates the rule’s setup guide with instructions on rule prerequisites - such as required integrations, configuration steps, and anything else - needed for the rule to work correctly. + description: Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly. type: string Security_Detections_API_Severity: - description: > - Severity level of alerts produced by the rule, which must be one of the - following: - - * `low`: Alerts that are of interest but generally not considered to be - security incidents - + description: | + Severity level of alerts produced by the rule, which must be one of the following: + * `low`: Alerts that are of interest but generally not considered to be security incidents * `medium`: Alerts that require investigation - * `high`: Alerts that require immediate investigation - - * `critical`: Alerts that indicate it is highly likely a security - incident has occurred + * `critical`: Alerts that indicate it is highly likely a security incident has occurred enum: - low - medium @@ -61014,11 +113011,9 @@ components: - desc type: string Security_Detections_API_Threat: - description: > + description: | > info - - > Currently, only threats described using the MITRE ATT&CK™ - framework are supported. + > Currently, only threats described using the MITRE ATT&CK™ framework are supported. type: object properties: framework: 
@@ -61040,9 +113035,7 @@ components: type: array Security_Detections_API_ThreatFilters: items: - description: >- - Query and filter context array used to filter documents from the - Elasticsearch index containing the threat values + description: Query and filter context array used to filter documents from the Elasticsearch index containing the threat values type: array Security_Detections_API_ThreatIndex: description: Elasticsearch indices used to check which field values generate alerts. 
@@ -61050,28 +113043,17 @@ components: type: string type: array Security_Detections_API_ThreatIndicatorPath: - description: >- - Defines the path to the threat indicator in the indicator documents - (optional) + description: Defines the path to the threat indicator in the indicator documents (optional) type: string Security_Detections_API_ThreatMapping: - description: > - Array of entries objects that define mappings between the source event - fields and the values in the Elasticsearch threat index. Each entries - object must contain these fields: - + description: | + Array of entries objects that define mappings between the source event fields and the values in the Elasticsearch threat index. Each entries object must contain these fields: - field: field from the event indices on which the rule runs - - type: must be mapping - - value: field from the Elasticsearch threat index - You can use Boolean and and or logic to define the conditions for when - matching fields and values generate alerts. Sibling entries objects are - evaluated using or logic, whereas multiple entries in a single entries - object use and logic. See Example of Threat Match rule which uses both - `and` and `or` logic. + You can use Boolean and and or logic to define the conditions for when matching fields and values generate alerts. Sibling entries objects are evaluated using or logic, whereas multiple entries in a single entries object use and logic. See Example of Threat Match rule which uses both `and` and `or` logic. items: type: object properties: 
@@ -61105,18 +113087,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -61130,8 +113108,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -61147,35 +113124,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -61202,13 +113168,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: 
@@ -61237,33 +113201,25 @@ components: - related_integrations - required_fields - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleResponseFields + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleResponseFields' Security_Detections_API_ThreatMatchRuleCreateFields: allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleDefaultableFields + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleRequiredFields' + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields' + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleDefaultableFields' Security_Detections_API_ThreatMatchRuleCreateProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -61277,8 +113233,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -61294,35 +113249,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -61351,13 +113295,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -61367,8 +113309,7 @@ components: - description - risk_score - severity - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleCreateFields + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleCreateFields' Security_Detections_API_ThreatMatchRuleDefaultableFields: type: object properties: 
@@ -61414,27 +113355,21 @@ components: enum: - threat_match type: string - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleDefaultableFields + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields' + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleDefaultableFields' Security_Detections_API_ThreatMatchRulePatchProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -61448,12 +113383,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -61467,35 +113401,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -61524,19 +113447,16 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRulePatchFields + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRulePatchFields' Security_Detections_API_ThreatMatchRuleRequiredFields: type: object properties: @@ -61561,10 +113481,8 @@ components: - threat_index Security_Detections_API_ThreatMatchRuleResponseFields: allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleRequiredFields' + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields' - type: object properties: language: 
@@ -61576,18 +113494,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -61601,12 +113515,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -61620,35 +113533,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -61677,13 +113579,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -61693,12 +113593,9 @@ components: - description - risk_score - severity - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleCreateFields + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleCreateFields' Security_Detections_API_ThreatQuery: - description: >- - Query used to determine which fields in the Elasticsearch index are used - for generating alerts. + description: Query used to determine which fields in the Elasticsearch index are used for generating alerts. type: string Security_Detections_API_ThreatSubtechnique: type: object @@ -61773,8 +113670,7 @@ components: type: object properties: duration: - $ref: >- - #/components/schemas/Security_Detections_API_AlertSuppressionDuration + $ref: '#/components/schemas/Security_Detections_API_AlertSuppressionDuration' required: - duration Security_Detections_API_ThresholdCardinality: @@ -61786,9 +113682,7 @@ components: description: The field on which to calculate and compare the cardinality. type: string value: - description: >- - The threshold value from which an alert is generated based on - unique number of values of cardinality.field. + description: The threshold value from which an alert is generated based on unique number of values of cardinality.field. minimum: 0 type: integer required: 
@@ -61796,10 +113690,7 @@ components: - value type: array Security_Detections_API_ThresholdField: - description: >- - The field on which the threshold is applied. If you specify an empty - array ([]), alerts are generated when the query returns at least the - number of results specified in the value field. + description: The field on which the threshold is applied. If you specify an empty array ([]), alerts are generated when the query returns at least the number of results specified in the value field. oneOf: - type: string - items: @@ -61812,18 +113703,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -61837,8 +113724,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -61854,35 +113740,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -61909,13 +113784,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: 
@@ -61944,33 +113817,25 @@ components: - related_integrations - required_fields - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleResponseFields + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleResponseFields' Security_Detections_API_ThresholdRuleCreateFields: allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleDefaultableFields + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleRequiredFields' + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields' + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleDefaultableFields' Security_Detections_API_ThresholdRuleCreateProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -61984,8 +113849,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -62001,35 +113865,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -62058,13 +113911,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -62074,8 +113925,7 @@ components: - description - risk_score - severity - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleCreateFields + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleCreateFields' Security_Detections_API_ThresholdRuleDefaultableFields: type: object properties: @@ -62085,8 +113935,7 @@ components: type: object properties: alert_suppression: - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdAlertSuppression + $ref: '#/components/schemas/Security_Detections_API_ThresholdAlertSuppression' data_view_id: $ref: '#/components/schemas/Security_Detections_API_DataViewId' filters: 
@@ -62108,27 +113957,21 @@ components: enum: - threshold type: string - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleDefaultableFields + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields' + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleDefaultableFields' Security_Detections_API_ThresholdRulePatchProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -62142,12 +113985,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -62161,35 +114003,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -62218,19 +114049,16 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRulePatchFields + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRulePatchFields' Security_Detections_API_ThresholdRuleRequiredFields: type: object properties: @@ -62249,10 +114077,8 @@ components: - threshold Security_Detections_API_ThresholdRuleResponseFields: allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleRequiredFields' + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields' - type: object properties: language: 
@@ -62264,18 +114090,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -62289,12 +114111,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -62308,35 +114129,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -62365,13 +114175,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: 
@@ -62381,26 +114189,17 @@ components: - description - risk_score - severity - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleCreateFields + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleCreateFields' Security_Detections_API_ThresholdValue: description: The threshold value from which an alert is generated. minimum: 1 type: integer Security_Detections_API_ThrottleForBulkActions: - description: > + description: | Defines the maximum interval in which a rule’s actions are executed. - > info - - > The rule level `throttle` field is deprecated in Elastic Security 8.8 - and will remain active for at least the next 12 months. - - > In Elastic Security 8.8 and later, you can use the `frequency` field - to define frequencies for individual actions. Actions without - frequencies will acquire a converted version of the rule’s `throttle` - field. In the response, the converted `throttle` setting appears in the - individual actions' `frequency` field. + > The rule level `throttle` field is deprecated in Elastic Security 8.8 and will remain active for at least the next 12 months. + > In Elastic Security 8.8 and later, you can use the `frequency` field to define frequencies for individual actions. Actions without frequencies will acquire a converted version of the rule’s `throttle` field. In the response, the converted `throttle` setting appears in the individual actions' `frequency` field. enum: - rule - 1h 
@@ -62417,17 +114216,10 @@ components: description: Timeline template title type: string Security_Detections_API_TimestampField: - description: >- - Specifies the name of the event timestamp field used for sorting a - sequence of events. Not to be confused with `timestamp_override`, which - specifies the more general field used for querying events within a - range. Defaults to the @timestamp ECS field. + description: Specifies the name of the event timestamp field used for sorting a sequence of events. Not to be confused with `timestamp_override`, which specifies the more general field used for querying events within a range. Defaults to the @timestamp ECS field. type: string Security_Detections_API_TimestampOverride: - description: >- - Sets the time field used to query indices. When unspecified, rules query - the `@timestamp` field. The source field must be an Elasticsearch date - data type. + description: Sets the time field used to query indices. When unspecified, rules query the `@timestamp` field. The source field must be an Elasticsearch date data type. type: string Security_Detections_API_TimestampOverrideFallbackDisabled: description: Disables the fallback to the event's @timestamp field @@ -62462,10 +114254,7 @@ components: type: object properties: _version: - description: >- - The version id, normally returned by the API when the item was - retrieved. Use it ensure updates are done against the latest - version. + description: The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version. type: string created_at: description: Autogenerated date of object creation. 
@@ -62475,39 +114264,28 @@ components: description: Autogenerated value - user that created object. type: string description: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListDescription + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListDescription' id: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListId + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListId' immutable: type: boolean list_id: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListHumanId + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListHumanId' meta: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListMeta + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListMeta' name: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListName + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListName' namespace_type: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionNamespaceType + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionNamespaceType' os_types: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsTypeArray + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsTypeArray' tags: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListTags + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListTags' tie_breaker_id: - description: >- - Field used in search to ensure all containers are sorted and - returned correctly. + description: Field used in search to ensure all containers are sorted and returned correctly. 
type: string type: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListType + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListType' updated_at: description: Autogenerated date of last object update. format: date-time @@ -62516,8 +114294,7 @@ components: description: Autogenerated value - user that last updated object. type: string version: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListVersion + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListVersion' required: - id - list_id 
@@ -62537,30 +114314,17 @@ components: example: This list tracks allowlisted values. type: string Security_Endpoint_Exceptions_API_ExceptionListHumanId: - description: > + description: | The exception list's human-readable string identifier. - For endpoint artifacts, use one of the following values: - - * `endpoint_list`: [Elastic Endpoint exception - list](https://www.elastic.co/docs/solutions/security/detect-and-alert/add-manage-exceptions) - - * `endpoint_trusted_apps`: [Trusted applications - list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/trusted-applications) - - * `endpoint_trusted_devices`: [Trusted devices - list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/trusted-devices) - - * `endpoint_event_filters`: [Event filters - list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/event-filters) - - * `endpoint_host_isolation_exceptions`: [Host isolation exceptions - list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/host-isolation-exceptions) - - * `endpoint_blocklists`: [Blocklists - list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/blocklist) + * `endpoint_list`: [Elastic Endpoint exception list](https://www.elastic.co/docs/solutions/security/detect-and-alert/add-manage-exceptions) + * `endpoint_trusted_apps`: [Trusted applications list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/trusted-applications) + * `endpoint_trusted_devices`: [Trusted devices list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/trusted-devices) + * `endpoint_event_filters`: [Event filters list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/event-filters) + * `endpoint_host_isolation_exceptions`: [Host isolation exceptions list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/host-isolation-exceptions) + * `endpoint_blocklists`: [Blocklists 
list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/blocklist) example: simple_list format: nonempty minLength: 1 @@ -62575,14 +114339,10 @@ components: type: object properties: _version: - description: >- - The version id, normally returned by the API when the item was - retrieved. Use it ensure updates are done against the latest - version. + description: The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version. type: string comments: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray' created_at: description: Autogenerated date of object creation. format: date-time 
@@ -62591,46 +114351,32 @@ components: description: Autogenerated value - user that created object. type: string description: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription' entries: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray' expire_time: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemExpireTime + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemExpireTime' id: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId' item_id: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId' list_id: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListHumanId + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListHumanId' meta: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta' name: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName' namespace_type: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionNamespaceType + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionNamespaceType' os_types: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray + $ref: 
'#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray' tags: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags' tie_breaker_id: - description: >- - Field used in search to ensure all containers are sorted and - returned correctly. + description: Field used in search to ensure all containers are sorted and returned correctly. type: string type: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType' updated_at: description: Autogenerated date of last object update. format: date-time 
@@ -62683,32 +114429,24 @@ components: - comment (string): Comments about the exception item. items: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemComment + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemComment' type: array Security_Endpoint_Exceptions_API_ExceptionListItemDescription: description: Describes the exception list. type: string Security_Endpoint_Exceptions_API_ExceptionListItemEntry: anyOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryList - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryNested - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchWildcard + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryList' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryNested' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchWildcard' discriminator: propertyName: type Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray: items: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntry + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntry' type: array 
Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists: type: object @@ -62716,8 +114454,7 @@ components: field: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' operator: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator' type: enum: - exists @@ -62742,8 +114479,7 @@ components: - id - type operator: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator' type: enum: - list @@ -62759,8 +114495,7 @@ components: field: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' operator: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator' type: enum: - match @@ -62778,16 +114513,14 @@ components: field: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' operator: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator' type: enum: - match_any type: string value: items: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' minItems: 1 type: array required: @@ -62801,8 +114534,7 @@ components: field: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' operator: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator' type: enum: - wildcard 
@@ -62819,8 +114551,7 @@ components: properties: entries: items: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryNestedEntryItem + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryNestedEntryItem' minItems: 1 type: array field: @@ -62835,21 +114566,16 @@ components: - entries Security_Endpoint_Exceptions_API_ExceptionListItemEntryNestedEntryItem: oneOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists' Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator: enum: - excluded - included type: string Security_Endpoint_Exceptions_API_ExceptionListItemExpireTime: - description: >- - The exception item’s expiration date, in ISO format. This field is only - available for regular exception items, not endpoint exceptions. + description: The exception item’s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions. format: date-time type: string Security_Endpoint_Exceptions_API_ExceptionListItemHumanId: 
@@ -62874,14 +114600,11 @@ components: type: string Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray: items: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsType + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsType' type: array Security_Endpoint_Exceptions_API_ExceptionListItemTags: items: - description: >- - String array containing words and phrases to help categorize exception - items. + description: String array containing words and phrases to help categorize exception items. format: nonempty minLength: 1 type: string @@ -62908,20 +114631,15 @@ components: Security_Endpoint_Exceptions_API_ExceptionListOsTypeArray: description: Use this field to specify the operating system. Only enter one value. items: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsType + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsType' type: array Security_Endpoint_Exceptions_API_ExceptionListTags: - description: >- - String array containing words and phrases to help categorize exception - containers. + description: String array containing words and phrases to help categorize exception containers. items: type: string type: array Security_Endpoint_Exceptions_API_ExceptionListType: - description: >- - The type of exception list to be created. Different list types may - denote where they can be utilized. + description: The type of exception list to be created. Different list types may denote where they can be utilized. enum: - detection - rule_default 
@@ -62937,21 +114655,14 @@ components: minimum: 1 type: integer Security_Endpoint_Exceptions_API_ExceptionNamespaceType: - description: > - Determines whether the exception container is available in all Kibana - spaces or just the space - + description: | + Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where: - - `single`: Only available in the Kibana space in which it is created. - - `agnostic`: Available in all Kibana spaces. - - For endpoint artifacts, the `namespace_type` must always be `agnostic`. - Space awareness for endpoint artifacts is enforced based on Elastic - Defend policy assignments. + For endpoint artifacts, the `namespace_type` must always be `agnostic`. Space awareness for endpoint artifacts is enforced based on Elastic Defend policy assignments. enum: - agnostic - single @@ -62965,17 +114676,12 @@ components: minLength: 1 type: string Security_Endpoint_Exceptions_API_ListType: - description: > - Specifies the Elasticsearch data type of excludes the list container - holds. Some common examples: - + description: | + Specifies the Elasticsearch data type of excludes the list container holds. Some common examples: - `keyword`: Many ECS fields are Elasticsearch keywords - - `ip`: IP addresses - - - `ip_range`: Range of IP addresses (supports IPv4, IPv6, and CIDR - notation) + - `ip_range`: Range of IP addresses (supports IPv4, IPv6, and CIDR notation) enum: - binary - boolean 
@@ -63038,8 +114744,7 @@ components: isolate: '#/components/schemas/Security_Endpoint_Management_API_Isolate' kill-process: '#/components/schemas/Security_Endpoint_Management_API_KillProcess' memory-dump: '#/components/schemas/Security_Endpoint_Management_API_MemoryDump' - running-processes: >- - #/components/schemas/Security_Endpoint_Management_API_RunningProcesses + running-processes: '#/components/schemas/Security_Endpoint_Management_API_RunningProcesses' runscript: '#/components/schemas/Security_Endpoint_Management_API_Runscript' scan: '#/components/schemas/Security_Endpoint_Management_API_Scan' suspend-process: '#/components/schemas/Security_Endpoint_Management_API_SuspendProcess' @@ -63057,8 +114762,7 @@ components: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Isolate' - $ref: '#/components/schemas/Security_Endpoint_Management_API_Unisolate' - $ref: '#/components/schemas/Security_Endpoint_Management_API_SuspendProcess' - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_RunningProcesses + - $ref: '#/components/schemas/Security_Endpoint_Management_API_RunningProcesses' - $ref: '#/components/schemas/Security_Endpoint_Management_API_MemoryDump' Security_Endpoint_Management_API_ActionStateSuccessResponse: type: object @@ -63067,9 +114771,7 @@ components: type: object properties: canEncrypt: - description: >- - Whether the Kibana instance has encryption enabled for response - actions. + description: Whether the Kibana instance has encryption enabled for response actions. type: boolean required: - data @@ -63084,8 +114786,7 @@ components: agent_id: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentId' pending_actions: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionsSchema + $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionsSchema' required: - agent_id - pending_actions 
@@ -63138,17 +114839,12 @@ components: example: updatedAt type: string Security_Endpoint_Management_API_ArchivePathToExecutableSchema: - description: >- - Used only for when the uploaded script is an archive (.zip file for - example). This property defines the relative path to the file included - in the archive that should be executed once its contents are extracted. - The path should be relative to the root of the archive. + description: Used only for when the uploaded script is an archive (.zip file for example). This property defines the relative path to the file included in the archive that should be executed once its contents are extracted. The path should be relative to the root of the archive. example: ./bin/script.sh type: string Security_Endpoint_Management_API_Cancel: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - type: object properties: outputs: @@ -63174,10 +114870,7 @@ components: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: - description: >- - If this action is associated with any alerts, they can be - specified here. The action will be logged in any cases - associated with the specified alerts. Max of 50. + description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. example: - alert-id-1 - alert-id-2 @@ -63188,9 +114881,7 @@ components: minItems: 1 type: array case_ids: - description: >- - The IDs of cases where the action taken will be logged. Max of - 50. + description: The IDs of cases where the action taken will be logged. Max of 50. example: - case-id-1 - case-id-2 
@@ -63203,8 +114894,7 @@ components: comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: @@ -63284,24 +114974,19 @@ components: format: binary type: object fileType: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointScriptFileType + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointScriptFileType' instructions: - description: >- - Instructions for using the script, including details around its - supported input arguments + description: Instructions for using the script, including details around its supported input arguments type: string name: description: Name of the script type: string pathToExecutable: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ArchivePathToExecutableSchema + $ref: '#/components/schemas/Security_Endpoint_Management_API_ArchivePathToExecutableSchema' platform: description: Platforms supported by the the script items: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointScriptPlatform + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointScriptPlatform' type: array requiresInput: description: Whether the script requires input arguments @@ -63309,8 +114994,7 @@ components: tags: description: Tags to categorize the script items: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointScriptTags + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointScriptTags' type: array required: - name 
@@ -63321,10 +115005,8 @@ components: type: object properties: downloadUri: - description: > - The server relative URI to download the file associated with the - output of the response action. - + description: | + The server relative URI to download the file associated with the output of the response action. URI does **not** include the space prefix example: /api/endpoint/action/497f6eca-6276/file/35645-6276-4993/download format: uri-reference @@ -63352,9 +115034,7 @@ components: '@timestamp': '2023-07-04T15:48:57.3609346Z' agent: build: - original: >- - version: 7.16.0, compiled: Tue Nov 16 17:00:00 2021, branch: - 7.16, commit: 73a51033db85e0fb3be1c934697ef6a2b08979ab + original: 'version: 7.16.0, compiled: Tue Nov 16 17:00:00 2021, branch: 7.16, commit: 73a51033db85e0fb3be1c934697ef6a2b08979ab' id: abb8a826-6812-448c-a571-6d8269b51449 type: endpoint version: 7.16.0 @@ -63433,9 +115113,7 @@ components: type: object properties: {} Security_Endpoint_Management_API_EndpointRunScriptParameters: - description: >- - Parameters for Run Script response action against Elastic Defend agent - type. + description: Parameters for Run Script response action against Elastic Defend agent type. example: agent_type: endpoint endpoint_ids: @@ -63449,9 +115127,7 @@ components: minLength: 1 type: string scriptInput: - description: >- - The input parameter arguments (if any) for the script that will be - executed. + description: The input parameter arguments (if any) for the script that will be executed. minLength: 1 type: string required: 
@@ -63472,11 +115148,8 @@ components: example: Collects host data for investigation type: string downloadUri: - description: >- - URI to download the script file. Note that this is the relative path - and does not include the space (if applicable) - example: >- - /api/endpoint/scripts_library/123e4567-e89b-12d3-a456-426655440000/download + description: URI to download the script file. Note that this is the relative path and does not include the space (if applicable) + example: /api/endpoint/scripts_library/123e4567-e89b-12d3-a456-426655440000/download type: string example: type: string @@ -63497,31 +115170,25 @@ components: format: uuid type: string instructions: - description: >- - Instructions for using the script, including details around its - supported input arguments + description: Instructions for using the script, including details around its supported input arguments type: string name: example: Collect host data type: string pathToExecutable: - description: > - The relative path to the file included in the archive that should be - executed once its contents are extracted. Applicable only for - scripts uploaded as an archive (.zip file for example). + description: | + The relative path to the file included in the archive that should be executed once its contents are extracted. Applicable only for scripts uploaded as an archive (.zip file for example). type: string platform: items: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointScriptPlatform + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointScriptPlatform' type: array requiresInput: type: boolean tags: description: Tags that categorize the script items: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointScriptTags + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointScriptTags' type: array updatedAt: format: date-time 
@@ -63532,12 +115199,7 @@ components: version: type: string Security_Endpoint_Management_API_EndpointScriptFileType: - description: >- - The type of the uploaded file, which determines the expected value of - `pathToExecutable`. If `fileType` is "script", then `pathToExecutable` - should not be included. If `fileType` is "archive", then - `pathToExecutable` is required and should specify the path to the - executable file within the archive. + description: The type of the uploaded file, which determines the expected value of `pathToExecutable`. If `fileType` is "script", then `pathToExecutable` should not be included. If `fileType` is "archive", then `pathToExecutable` is required and should specify the path to the executable file within the archive. enum: - script - archive @@ -63564,8 +115226,7 @@ components: type: string Security_Endpoint_Management_API_Execute: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - type: object properties: outputs: @@ -63574,8 +115235,7 @@ components: properties: content: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_DownloadUri + - $ref: '#/components/schemas/Security_Endpoint_Management_API_DownloadUri' - type: object properties: code: @@ -63613,10 +115273,7 @@ components: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: - description: >- - If this action is associated with any alerts, they can be - specified here. The action will be logged in any cases - associated with the specified alerts. Max of 50. + description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. example: - alert-id-1 - alert-id-2 
@@ -63627,9 +115284,7 @@ components: minItems: 1 type: array case_ids: - description: >- - The IDs of cases where the action taken will be logged. Max of - 50. + description: The IDs of cases where the action taken will be logged. Max of 50. example: - case-id-1 - case-id-2 @@ -63642,8 +115297,7 @@ components: comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: @@ -63658,9 +115312,7 @@ components: minLength: 1 type: string timeout: - description: >- - The maximum timeout value in seconds before the command is - terminated. + description: The maximum timeout value in seconds before the command is terminated. minimum: 1 type: integer required: @@ -63738,8 +115390,7 @@ components: data: description: The list of response actions. items: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' type: array elasticAgentIds: description: The list of elastic agent IDs the query was filtered by. @@ -63773,8 +115424,7 @@ components: type: array Security_Endpoint_Management_API_GetFile: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - type: object properties: outputs: @@ -63783,8 +115433,7 @@ components: properties: content: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_DownloadUri + - $ref: '#/components/schemas/Security_Endpoint_Management_API_DownloadUri' - type: object properties: code: 
@@ -63819,10 +115468,7 @@ components: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: - description: >- - If this action is associated with any alerts, they can be - specified here. The action will be logged in any cases - associated with the specified alerts. Max of 50. + description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. example: - alert-id-1 - alert-id-2 @@ -63833,9 +115479,7 @@ components: minItems: 1 type: array case_ids: - description: >- - The IDs of cases where the action taken will be logged. Max of - 50. + description: The IDs of cases where the action taken will be logged. Max of 50. example: - case-id-1 - case-id-2 @@ -63848,8 +115492,7 @@ components: comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: @@ -63872,10 +115515,7 @@ components: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: - description: >- - If this action is associated with any alerts, they can be specified - here. The action will be logged in any cases associated with the - specified alerts. Max of 50. + description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. example: - alert-id-1 - alert-id-2 
@@ -63938,8 +115578,7 @@ components: type: array Security_Endpoint_Management_API_Isolate: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - description: Details of an isolate action response. type: object Security_Endpoint_Management_API_IsolateRouteResponse: @@ -63949,12 +115588,10 @@ components: description: The action ID (legacy field, same as `data.id`). type: string data: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' Security_Endpoint_Management_API_KillProcess: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - type: object properties: outputs: @@ -64005,9 +115642,7 @@ components: - type: object properties: process_name: - description: >- - The name of the process to terminate. Valid for - SentinelOne agent type only. + description: The name of the process to terminate. Valid for SentinelOne agent type only. type: string Security_Endpoint_Management_API_KillProcessRouteRequestBody: allOf: @@ -64016,10 +115651,7 @@ components: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: - description: >- - If this action is associated with any alerts, they can be - specified here. The action will be logged in any cases - associated with the specified alerts. Max of 50. + description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. example: - alert-id-1 - alert-id-2 
@@ -64030,9 +115662,7 @@ components: minItems: 1 type: array case_ids: - description: >- - The IDs of cases where the action taken will be logged. Max of - 50. + description: The IDs of cases where the action taken will be logged. Max of 50. example: - case-id-1 - case-id-2 @@ -64045,8 +115675,7 @@ components: comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: @@ -64072,9 +115701,7 @@ components: - type: object properties: process_name: - description: >- - The name of the process to terminate. Valid for - SentinelOne agent type only. + description: The name of the process to terminate. Valid for SentinelOne agent type only. example: Elastic minLength: 1 type: string @@ -64085,9 +115712,7 @@ components: example: 'united.endpoint.host.os.name : ''Windows''' type: string Security_Endpoint_Management_API_MDERunScriptParameters: - description: >- - Parameters for Run Script response action against Microsoft Defender - Endpoint agent type. + description: Parameters for Run Script response action against Microsoft Defender Endpoint agent type. example: agent_type: microsoft_defender_endpoint endpoint_ids: @@ -64110,8 +115735,7 @@ components: type: object Security_Endpoint_Management_API_MemoryDump: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - type: object properties: outputs: 
@@ -64123,17 +115747,13 @@ components: code: type: string disk_free_space: - description: >- - The free space on the host machine in bytes after the - memory dump is written to disk + description: The free space on the host machine in bytes after the memory dump is written to disk type: number file_size: description: The size of the memory dump compressed file in bytes type: string path: - description: >- - The path to the memory dump compressed file on the - host machine + description: The path to the memory dump compressed file on the host machine type: string title: Memory dump output type: object @@ -64187,10 +115807,7 @@ components: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: - description: >- - If this action is associated with any alerts, they can be - specified here. The action will be logged in any cases - associated with the specified alerts. Max of 50. + description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. example: - alert-id-1 - alert-id-2 @@ -64201,9 +115818,7 @@ components: minItems: 1 type: array case_ids: - description: >- - The IDs of cases where the action taken will be logged. Max of - 50. + description: The IDs of cases where the action taken will be logged. Max of 50. example: - case-id-1 - case-id-2 @@ -64216,8 +115831,7 @@ components: comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: 
@@ -64270,9 +115884,7 @@ components: '@timestamp': '2023-07-04T15:47:57.432173535Z' agent: build: - original: >- - version: 7.16.0, compiled: Tue Nov 16 16:00:00 2021, branch: - 7.16, commit: 73a51033db85e0fb3be1c934697ef6a2b08979ab + original: 'version: 7.16.0, compiled: Tue Nov 16 16:00:00 2021, branch: 7.16, commit: 73a51033db85e0fb3be1c934697ef6a2b08979ab' id: 285297c6-3bff-4b83-9a07-f3e749801123 type: endpoint version: 7.16.0 @@ -64331,9 +115943,7 @@ components: variant: Ubuntu family: ubuntu full: Ubuntu 20.04.2 - kernel: >- - 5.8.0-59-generic #66~20.04.1-Ubuntu SMP Thu Jun 17 11:14:10 - UTC 2021 + kernel: '5.8.0-59-generic #66~20.04.1-Ubuntu SMP Thu Jun 17 11:14:10 UTC 2021' name: Linux platform: ubuntu type: linux @@ -64356,9 +115966,7 @@ components: '@timestamp': '2023-07-04T15:44:31.4917849Z' agent: build: - original: >- - version: 7.16.0, compiled: Tue Nov 16 17:00:00 2021, branch: - 7.16, commit: 73a51033db85e0fb3be1c934697ef6a2b08979ab + original: 'version: 7.16.0, compiled: Tue Nov 16 17:00:00 2021, branch: 7.16, commit: 73a51033db85e0fb3be1c934697ef6a2b08979ab' id: abb8a826-6812-448c-a571-6d8269b51449 type: endpoint version: 7.16.0 @@ -64458,9 +116066,7 @@ components: description: Parameters object type: object Security_Endpoint_Management_API_PatchUpdateScriptRouteRequestBody: - description: >- - The script entry properties to be updated. At least one property must be - provided. + description: The script entry properties to be updated. At least one property must be provided. minProperties: 1 type: object properties: 
@@ -64475,24 +116081,19 @@ components: format: binary type: object fileType: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointScriptFileType + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointScriptFileType' instructions: - description: >- - Instructions for using the script, including details around its - supported input arguments + description: Instructions for using the script, including details around its supported input arguments type: string name: description: Name of the script type: string pathToExecutable: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ArchivePathToExecutableSchema + $ref: '#/components/schemas/Security_Endpoint_Management_API_ArchivePathToExecutableSchema' platform: description: Platforms supported by the the script items: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointScriptPlatform + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointScriptPlatform' type: array requiresInput: description: Whether the script requires input arguments @@ -64500,8 +116101,7 @@ components: tags: description: Tags to categorize the script items: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointScriptTags + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointScriptTags' type: array Security_Endpoint_Management_API_PendingActionDataType: description: Number of pending actions of this type. 
@@ -64511,40 +116111,31 @@ components: - type: object properties: execute: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType + $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' description: Number of pending execute actions. get-file: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType + $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' description: Number of pending get-file actions. isolate: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType + $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' description: Number of pending isolate actions. kill-process: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType + $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' description: Number of pending kill-process actions. running-processes: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType + $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' description: Number of pending running-processes (get processes) actions. scan: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType + $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' description: Number of pending scan actions. suspend-process: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType + $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' description: Number of pending suspend-process actions. unisolate: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType + $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' description: Number of pending unisolate (release) actions. 
upload: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType + $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' description: Number of pending upload actions. - additionalProperties: true type: object @@ -64552,9 +116143,7 @@ components: type: object properties: note: - description: >- - A note associated with the protection updates for the given package - policy. + description: A note associated with the protection updates for the given package policy. type: string Security_Endpoint_Management_API_RawScriptParameters: type: object @@ -64599,8 +116188,7 @@ components: type: object properties: data: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' Security_Endpoint_Management_API_ResponseActionDetails: type: object properties: @@ -64616,9 +116204,7 @@ components: type: object properties: completedAt: - description: >- - The date and time the response action was completed for the - agent ID + description: The date and time the response action was completed for the agent ID type: string isCompleted: description: Whether the response action is completed for the agent ID @@ -64626,9 +116212,7 @@ components: wasSuccessful: description: Whether the response action was successful for the agent ID type: boolean - description: >- - The state of the response action for each agent ID that it was sent - to + description: The state of the response action for each agent ID that it was sent to type: object agentType: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' 
@@ -64649,9 +116233,7 @@ components: name: description: The host name type: string - description: >- - An object containing the host names associated with the agent IDs - the response action was sent to + description: An object containing the host names associated with the agent IDs the response action was sent to type: object id: description: The response action ID @@ -64669,9 +116251,7 @@ components: format: uuid properties: content: - description: >- - The response action output content for the agent ID. Exact - format depends on the response action command. + description: The response action output content for the agent ID. Exact format depends on the response action command. oneOf: - type: object - type: string @@ -64685,17 +116265,12 @@ components: - content title: Agent ID type: object - description: > - The outputs of the response action for each agent ID that it was - sent to. Content different depending on the - - response action command and will only be present for agents that - have responded to the response action + description: | + The outputs of the response action for each agent ID that it was sent to. Content different depending on the + response action command and will only be present for agents that have responded to the response action type: object parameters: - description: >- - The parameters of the response action. Content different depending - on the response action command + description: The parameters of the response action. Content different depending on the response action command type: object startedAt: description: The response action start time @@ -64711,8 +116286,7 @@ components: - command Security_Endpoint_Management_API_RunningProcesses: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - type: object properties: outputs: 
@@ -64721,10 +116295,8 @@ components: properties: content: oneOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_RunningProcessesOutputEndpoint - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_RunningProcessesOutputSentinelOne + - $ref: '#/components/schemas/Security_Endpoint_Management_API_RunningProcessesOutputEndpoint' + - $ref: '#/components/schemas/Security_Endpoint_Management_API_RunningProcessesOutputSentinelOne' type: object Security_Endpoint_Management_API_RunningProcessesOutputEndpoint: description: Processes output for `agentType` of `endpoint` @@ -64755,8 +116327,7 @@ components: type: string Security_Endpoint_Management_API_Runscript: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - type: object properties: outputs: @@ -64765,8 +116336,7 @@ components: properties: content: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_DownloadUri + - $ref: '#/components/schemas/Security_Endpoint_Management_API_DownloadUri' - type: object properties: code: @@ -64778,12 +116348,9 @@ components: type: object parameters: oneOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_RunscriptParamsCrowdStrike - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_RunscriptParamsMicrosoft - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_RunscriptParamsSentinelOne + - $ref: '#/components/schemas/Security_Endpoint_Management_API_RunscriptParamsCrowdStrike' + - $ref: '#/components/schemas/Security_Endpoint_Management_API_RunscriptParamsMicrosoft' + - $ref: '#/components/schemas/Security_Endpoint_Management_API_RunscriptParamsSentinelOne' Security_Endpoint_Management_API_RunscriptParamsCrowdStrike: type: object properties: 
@@ -64818,10 +116385,7 @@ components: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: - description: >- - If this action is associated with any alerts, they can be - specified here. The action will be logged in any cases - associated with the specified alerts. Max of 50. + description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. example: - alert-id-1 - alert-id-2 @@ -64832,9 +116396,7 @@ components: minItems: 1 type: array case_ids: - description: >- - The IDs of cases where the action taken will be logged. Max of - 50. + description: The IDs of cases where the action taken will be logged. Max of 50. example: - case-id-1 - case-id-2 @@ -64847,8 +116409,7 @@ components: comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: 
@@ -64856,28 +116417,20 @@ components: - type: object properties: parameters: - description: > - One of the following set of parameters must be provided for the - `agentType` that is specified. + description: | + One of the following set of parameters must be provided for the `agentType` that is specified. oneOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointRunScriptParameters - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_RawScriptParameters - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_HostPathScriptParameters - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_CloudFileScriptParameters - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_SentinelOneRunScriptParameters - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_MDERunScriptParameters + - $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointRunScriptParameters' + - $ref: '#/components/schemas/Security_Endpoint_Management_API_RawScriptParameters' + - $ref: '#/components/schemas/Security_Endpoint_Management_API_HostPathScriptParameters' + - $ref: '#/components/schemas/Security_Endpoint_Management_API_CloudFileScriptParameters' + - $ref: '#/components/schemas/Security_Endpoint_Management_API_SentinelOneRunScriptParameters' + - $ref: '#/components/schemas/Security_Endpoint_Management_API_MDERunScriptParameters' required: - parameters Security_Endpoint_Management_API_Scan: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - type: object properties: outputs: 
@@ -64902,10 +116455,7 @@ components: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: - description: >- - If this action is associated with any alerts, they can be - specified here. The action will be logged in any cases - associated with the specified alerts. Max of 50. + description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. example: - alert-id-1 - alert-id-2 @@ -64916,9 +116466,7 @@ components: minItems: 1 type: array case_ids: - description: >- - The IDs of cases where the action taken will be logged. Max of - 50. + description: The IDs of cases where the action taken will be logged. Max of 50. example: - case-id-1 - case-id-2 @@ -64931,8 +116479,7 @@ components: comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: @@ -64954,8 +116501,7 @@ components: example: data: description: Collects host data for investigation - downloadUri: >- - /api/endpoint/scripts_library/123e4567-e89b-12d3-a456-426655440000/download + downloadUri: /api/endpoint/scripts_library/123e4567-e89b-12d3-a456-426655440000/download example: ./collect_host_data.sh --help fileHash: abf573681eb54aac5e05e35bf186d4d31abe45ecf242461490523f11d2a8fbb8 fileName: collect_host_data.sh 
@@ -64972,9 +116518,7 @@ components: data: $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointScript' Security_Endpoint_Management_API_SentinelOneRunScriptParameters: - description: >- - Parameters for Run Script response action against SentinelOne agent - type. + description: Parameters for Run Script response action against SentinelOne agent type. example: agent_type: sentinel_one endpoint_ids: @@ -64984,9 +116528,7 @@ components: scriptInput: '--delete --paths-to-delete /tmp/temp_file.txt,/tmp/random_file.txt' properties: scriptId: - description: >- - The script ID from SentinelOne scripts library that will be - executed. + description: The script ID from SentinelOne scripts library that will be executed. minLength: 1 type: string scriptInput: @@ -65027,8 +116569,7 @@ components: type: object Security_Endpoint_Management_API_SuspendProcess: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - type: object properties: outputs: @@ -65075,10 +116616,7 @@ components: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: - description: >- - If this action is associated with any alerts, they can be - specified here. The action will be logged in any cases - associated with the specified alerts. Max of 50. + description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. example: - alert-id-1 - alert-id-2 @@ -65089,9 +116627,7 @@ components: minItems: 1 type: array case_ids: - description: >- - The IDs of cases where the action taken will be logged. Max of - 50. + description: The IDs of cases where the action taken will be logged. Max of 50. example: - case-id-1 - case-id-2 
@@ -65104,8 +116640,7 @@ components: comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: @@ -65148,8 +116683,7 @@ components: type: array Security_Endpoint_Management_API_Unisolate: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - description: Details of an unisolate action response. type: object Security_Endpoint_Management_API_UnisolateRouteResponse: @@ -65159,12 +116693,10 @@ components: description: The action ID (legacy field, same as `data.id`). type: string data: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' Security_Endpoint_Management_API_Upload: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - type: object properties: outputs: @@ -65182,10 +116714,8 @@ components: type: string type: object parameters: - description: > - The parameters for upload returned on the details are derived - via the API from the file that - + description: | + The parameters for upload returned on the details are derived via the API from the file that was uploaded at the time that the response action was submitted type: object properties: 
@@ -65204,10 +116734,7 @@ components: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: - description: >- - If this action is associated with any alerts, they can be - specified here. The action will be logged in any cases - associated with the specified alerts. Max of 50. + description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. example: - alert-id-1 - alert-id-2 @@ -65218,9 +116745,7 @@ components: minItems: 1 type: array case_ids: - description: >- - The IDs of cases where the action taken will be logged. Max of - 50. + description: The IDs of cases where the action taken will be logged. Max of 50. example: - case-id-1 - case-id-2 @@ -65233,8 +116758,7 @@ components: comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: @@ -65272,9 +116796,7 @@ components: - minLength: 1 type: string Security_Endpoint_Management_API_WithOutputs: - description: >- - A list of action IDs that should include the complete output of the - action. Max of 50. + description: A list of action IDs that should include the complete output of the action. Max of 50. example: - action-id-1 - action-id-2 @@ -65296,8 +116818,7 @@ components: description: Business unit the asset belongs to. type: string criticality: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' description: The criticality level assigned to this asset. nullable: true environment: 
@@ -65353,10 +116874,7 @@ components: - extreme_impact type: string Security_Entity_Analytics_API_AssetCriticalityLevelsForBulkUpload: - description: >- - The criticality level of the asset for bulk upload. The value - `unassigned` is used to indicate that the criticality level is not - assigned and is only used for bulk upload. + description: The criticality level of the asset for bulk upload. The value `unassigned` is used to indicate that the criticality level is not assigned and is only used for bulk upload. enum: - low_impact - medium_impact @@ -65366,10 +116884,8 @@ components: type: string Security_Entity_Analytics_API_AssetCriticalityRecord: allOf: - - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_CreateAssetCriticalityRecord - - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordEcsParts + - $ref: '#/components/schemas/Security_Entity_Analytics_API_CreateAssetCriticalityRecord' + - $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordEcsParts' - type: object properties: '@timestamp': @@ -65397,8 +116913,7 @@ components: type: object properties: criticality: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' required: - asset entity: @@ -65408,8 +116923,7 @@ components: type: object properties: criticality: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' required: - criticality id: @@ -65423,8 +116937,7 @@ components: type: object properties: criticality: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' required: - criticality name: 
@@ -65438,8 +116951,7 @@ components: type: object properties: criticality: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' required: - criticality name: @@ -65453,8 +116965,7 @@ components: type: object properties: criticality: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' required: - criticality name: @@ -65520,13 +117031,11 @@ components: - errors Security_Entity_Analytics_API_CreateAssetCriticalityRecord: allOf: - - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordIdParts + - $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordIdParts' - type: object properties: criticality_level: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' required: - criticality_level Security_Entity_Analytics_API_DateRange: @@ -65537,17 +117046,13 @@ components: description: End of the lookback period (date math or ISO string, e.g. "now") type: string start: - description: >- - Start of the lookback period (date math or ISO string, e.g. - "now-10d") + description: Start of the lookback period (date math or ISO string, e.g. "now-10d") type: string required: - start - end Security_Entity_Analytics_API_EngineComponentResource: - description: >- - The type of Elasticsearch or Kibana resource backing an engine - component. + description: The type of Elasticsearch or Kibana resource backing an engine component. enum: - entity_engine - entity_definition 
@@ -65562,9 +117067,7 @@ components: - ilm_policy type: string Security_Entity_Analytics_API_EngineComponentStatus: - description: >- - Status of an individual Elasticsearch or Kibana resource backing an - engine. + description: Status of an individual Elasticsearch or Kibana resource backing an engine. type: object properties: errors: @@ -65595,10 +117098,9 @@ components: description: Whether the component is currently installed. type: boolean metadata: - $ref: '#/components/schemas/Security_Entity_Analytics_API_Metadata' + $ref: '#/components/schemas/Security_Entity_Analytics_API_TransformStatsMetadata' resource: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EngineComponentResource + $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineComponentResource' required: - id - installed @@ -65622,23 +117124,17 @@ components: required: - type Security_Entity_Analytics_API_EngineDescriptor: - description: >- - Describes a single entity engine, including its configuration and - current status. + description: Describes a single entity engine, including its configuration and current status. type: object properties: delay: default: 1m - description: >- - The delay before the transform processes new data, allowing - late-arriving documents to be included. + description: The delay before the transform processes new data, allowing late-arriving documents to be included. example: 1m pattern: '[smdh]$' type: string docsPerSecond: - description: >- - Throttle value for the number of documents processed per second. Use - -1 for no throttle. + description: Throttle value for the number of documents processed per second. Use -1 for no throttle. type: integer error: description: Present when the engine status is `error`. Describes the failure. 
@@ -65660,9 +117156,7 @@ components: example: 10 type: integer filter: - description: >- - An optional Kibana Query Language (KQL) filter applied to source - documents before aggregation. + description: An optional Kibana Query Language (KQL) filter applied to source documents before aggregation. example: 'host.name: "my-host"' type: string frequency: @@ -65729,10 +117223,7 @@ components: required: - entities Security_Entity_Analytics_API_Entity: - description: >- - An entity record from the Entity Store. The `entity` namespace is a - root-level field in the latest index, unlike source logs where it is - nested under `host`, `user`, or `service`. + description: An entity record from the Entity Store. The `entity` namespace is a root-level field in the latest index, unlike source logs where it is nested under `host`, `user`, or `service`. oneOf: - $ref: '#/components/schemas/Security_Entity_Analytics_API_UserEntity' - $ref: '#/components/schemas/Security_Entity_Analytics_API_HostEntity' @@ -65787,9 +117278,7 @@ components: - record Security_Entity_Analytics_API_EntityField: additionalProperties: false - description: >- - Core entity fields shared across all entity types. The `entity` - namespace is a root-level field in the Entity Store latest index. + description: Core entity fields shared across all entity types. The `entity` namespace is a root-level field in the Entity Store latest index. type: object properties: attributes: @@ -65801,9 +117290,7 @@ components: description: Whether the entity is classified as an asset. type: boolean managed: - description: >- - Whether the entity is managed (for example, via a directory - service). + description: Whether the entity is managed (for example, via a directory service). type: boolean mfa_enabled: description: Whether multi-factor authentication is enabled for the entity. 
@@ -65913,8 +117400,7 @@ components: type: object properties: calculated_level: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EntityRiskLevels + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityRiskLevels' description: Lexical description of the entity's risk. example: Critical calculated_score: @@ -65922,9 +117408,7 @@ components: format: double type: number calculated_score_norm: - description: >- - The normalized numeric value of the given entity's risk score. - Useful for comparing with other entities. + description: The normalized numeric value of the given entity's risk score. Useful for comparing with other entities. format: double maximum: 100 minimum: 0 @@ -65966,9 +117450,7 @@ components: format: double type: number calculated_score_norm: - description: >- - The normalized numeric value of the given entity's risk score. - Useful for comparing with other entities. + description: The normalized numeric value of the given entity's risk score. Useful for comparing with other entities. format: double maximum: 100 minimum: 0 @@ -65977,14 +117459,10 @@ components: description: Unique identifier for the scoring run that produced this document. type: string category_1_count: - description: >- - The number of risk input documents that contributed to the Category - 1 score (`category_1_score`). + description: The number of risk input documents that contributed to the Category 1 score (`category_1_score`). type: integer category_1_score: - description: >- - The contribution of Category 1 to the overall risk score - (`calculated_score`). Category 1 contains Detection Engine Alerts. + description: The contribution of Category 1 to the overall risk score (`calculated_score`). Category 1 contains Detection Engine Alerts. format: double type: number category_2_count: 
@@ -65993,27 +117471,20 @@ components: format: double type: number criticality_level: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' criticality_modifier: format: double type: number id_field: - description: >- - The identifier field defining this risk score. Coupled with - `id_value`, uniquely identifies the entity being scored. + description: The identifier field defining this risk score. Coupled with `id_value`, uniquely identifies the entity being scored. example: host.name type: string id_value: - description: >- - The identifier value defining this risk score. Coupled with - `id_field`, uniquely identifies the entity being scored. + description: The identifier value defining this risk score. Coupled with `id_field`, uniquely identifies the entity being scored. example: example.host type: string inputs: - description: >- - A list of the highest-risk documents contributing to this risk - score. Useful for investigative purposes. + description: A list of the highest-risk documents contributing to this risk score. Useful for investigative purposes. items: $ref: '#/components/schemas/Security_Entity_Analytics_API_RiskScoreInput' type: array @@ -66093,9 +117564,7 @@ components: - type: object Security_Entity_Analytics_API_GenericEntity: additionalProperties: false - description: >- - A generic entity record. Maps only the `entity` and `asset` namespaces. - Add additional field mappings here as needed. + description: A generic entity record. Maps only the `entity` and `asset` namespaces. Add additional field mappings here as needed. type: object properties: '@timestamp': 
@@ -66111,9 +117580,7 @@ components: - entity Security_Entity_Analytics_API_HostEntity: additionalProperties: false - description: >- - An entity record representing a host, stored in the Entity Store latest - index. + description: An entity record representing a host, stored in the Entity Store latest index. type: object properties: '@timestamp': @@ -66175,9 +117642,7 @@ components: type: string os: additionalProperties: false - description: >- - Elastic Common Schema (ECS) host.os fields collected on the - entity latest index. + description: Elastic Common Schema (ECS) host.os fields collected on the entity latest index. type: object properties: family: @@ -66203,8 +117668,7 @@ components: version: type: string risk: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord' type: description: Observed host types. items: @@ -66222,10 +117686,7 @@ components: - entity.id type: string Security_Entity_Analytics_API_IndexPattern: - description: >- - An additional Elasticsearch index pattern to include as a source for - entity data. Merged with the default data view indices when the engine - runs. + description: An additional Elasticsearch index pattern to include as a source for entity data. Merged with the default data view indices when the engine runs. example: logs-* type: string Security_Entity_Analytics_API_InspectQuery: 
@@ -66264,10 +117725,7 @@ components: description: Index to read latest sync markers from type: string Security_Entity_Analytics_API_Interval: - description: >- - Interval in which enrich policy runs. For example, `"1h"` means the rule - runs every hour. Must be less than or equal to half the duration of the - lookback period, + description: Interval in which enrich policy runs. For example, `"1h"` means the rule runs every hour. Must be less than or equal to half the duration of the lookback period, example: 1h pattern: ^[1-9]\d*[smh]$ type: string @@ -66279,11 +117737,8 @@ components: type: string type: array values: - description: > - Matcher values. Must be either an array of strings (e.g. group or - role names) or an array of booleans (e.g. integration-derived flags - like privileged_group_member). Mixed types are intentionally not - supported for simplicity and predictability. + description: | + Matcher values. Must be either an array of strings (e.g. group or role names) or an array of booleans (e.g. integration-derived flags like privileged_group_member). Mixed types are intentionally not supported for simplicity and predictability. oneOf: - items: type: string @@ -66295,12 +117750,10 @@ components: - fields - values Security_Entity_Analytics_API_Metadata: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_TransformStatsMetadata + $ref: '#/components/schemas/Security_Entity_Analytics_API_TransformStatsMetadata' Security_Entity_Analytics_API_MonitoredUserDoc: allOf: - - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_MonitoredUserUpdateDoc + - $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoredUserUpdateDoc' - type: object properties: '@timestamp': @@ -66340,8 +117793,7 @@ components: properties: labels: items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_MonitoringLabel + $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoringLabel' type: array id: type: string 
@@ -66378,19 +117830,15 @@ components: type: object properties: message: - description: >- - Error message typically only present if the engine is in error - state + description: Error message typically only present if the engine is in error state type: string status: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_PrivilegeMonitoringEngineStatus + $ref: '#/components/schemas/Security_Entity_Analytics_API_PrivilegeMonitoringEngineStatus' required: - status Security_Entity_Analytics_API_MonitoringEntitySource: allOf: - - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_MonitoringEntitySourceProperties + - $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoringEntitySourceProperties' - type: object properties: id: @@ -66402,8 +117850,7 @@ components: - managed Security_Entity_Analytics_API_MonitoringEntitySourceProperties: allOf: - - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_UpdateableMonitoringEntitySourceProperties + - $ref: '#/components/schemas/Security_Entity_Analytics_API_UpdateableMonitoringEntitySourceProperties' - type: object properties: managed: @@ -66518,9 +117965,7 @@ components: - category Security_Entity_Analytics_API_ServiceEntity: additionalProperties: false - description: >- - An entity record representing a service, stored in the Entity Store - latest index. + description: An entity record representing a service, stored in the Entity Store latest index. type: object properties: '@timestamp': @@ -66551,8 +117996,7 @@ components: description: Primary service name. type: string risk: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord' required: - name required: 
@@ -66680,9 +118124,7 @@ components: $ref: '#/components/schemas/Security_Entity_Analytics_API_EntitySourceType' Security_Entity_Analytics_API_UserEntity: additionalProperties: false - description: >- - An entity record representing a user, stored in the Entity Store latest - index. + description: An entity record representing a user, stored in the Entity Store latest index. type: object properties: '@timestamp': @@ -66736,8 +118178,7 @@ components: description: Primary user name. type: string risk: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord' additionalProperties: false roles: description: Observed roles assigned to the user. @@ -66764,9 +118205,7 @@ components: description: The field name for the label type: string source: - description: >- - The source where this label was created (api, csv, or - index_sync) + description: The source where this label was created (api, csv, or index_sync) enum: - api - csv @@ -66943,8 +118382,7 @@ components: * Hash entries: up to 3 (one for each hash type: md5, sha1, sha256) * Path entry: only 1 allowed items: - $ref: >- - #/components/schemas/Security_Exceptions_API_BlocklistHashOrPathEntry + $ref: '#/components/schemas/Security_Exceptions_API_BlocklistHashOrPathEntry' minItems: 1 type: array list_id: @@ -66975,8 +118413,7 @@ components: * Hash entries: up to 3 (one for each hash type: md5, sha1, sha256) * Path entry: only 1 allowed items: - $ref: >- - #/components/schemas/Security_Exceptions_API_BlocklistHashOrPathEntry + $ref: '#/components/schemas/Security_Exceptions_API_BlocklistHashOrPathEntry' minItems: 1 type: array list_id: 
@@ -67063,10 +118500,8 @@ components: * Code signature entry: only 1 allowed items: oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_BlocklistHashOrPathEntry - - $ref: >- - #/components/schemas/Security_Exceptions_API_BlocklistWindowsCodeSignatureEntry + - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistHashOrPathEntry' + - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistWindowsCodeSignatureEntry' minItems: 1 type: array list_id: @@ -67091,18 +118526,14 @@ components: type: object properties: comments: - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemCommentArray + $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemCommentArray' default: [] description: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemDescription + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemDescription' expire_time: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemExpireTime + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemExpireTime' item_id: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId' meta: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta' name: 
@@ -67118,21 +118549,16 @@ components: - description Security_Exceptions_API_CreateExceptionListItemBlocklistLinux: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_BlocklistLinuxProperties + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistLinuxProperties' Security_Exceptions_API_CreateExceptionListItemBlocklistMac: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistMacProperties' Security_Exceptions_API_CreateExceptionListItemBlocklistWindows: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_BlocklistWindowsProperties + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistWindowsProperties' Security_Exceptions_API_CreateExceptionListItemComment: type: object properties: 
@@ -67142,23 +118568,19 @@ components: - comment Security_Exceptions_API_CreateExceptionListItemCommentArray: items: - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemComment + $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemComment' type: array Security_Exceptions_API_CreateExceptionListItemEndpointList: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' - $ref: '#/components/schemas/Security_Exceptions_API_EndpointListProperties' Security_Exceptions_API_CreateExceptionListItemEventFilters: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' - $ref: '#/components/schemas/Security_Exceptions_API_EventFiltersProperties' Security_Exceptions_API_CreateExceptionListItemGeneric: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' - example: description: This is a sample detection type exception item. entries: 
@@ -67183,63 +118605,46 @@ components: type: object properties: entries: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray' list_id: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListHumanId + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' os_types: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray' default: [] tags: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemTags + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemTags' default: [] required: - list_id - entries Security_Exceptions_API_CreateExceptionListItemHostIsolation: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' - $ref: '#/components/schemas/Security_Exceptions_API_HostIsolationProperties' Security_Exceptions_API_CreateExceptionListItemTrustedAppsLinux: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppsLinuxProperties + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppsLinuxProperties' Security_Exceptions_API_CreateExceptionListItemTrustedAppsMac: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppsMacProperties + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppsMacProperties' 
Security_Exceptions_API_CreateExceptionListItemTrustedAppsWindows: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppsWindowsProperties + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppsWindowsProperties' Security_Exceptions_API_CreateExceptionListItemTrustedDevicesMac: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedDevicesMacProperties + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedDevicesMacProperties' Security_Exceptions_API_CreateExceptionListItemTrustedDevicesWindows: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedDevicesWindowsProperties + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedDevicesWindowsProperties' Security_Exceptions_API_CreateExceptionListItemTrustedDevicesWindowsMac: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedDevicesWindowsMacProperties + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedDevicesWindowsMacProperties' Security_Exceptions_API_CreateRuleExceptionListItemComment: type: object properties: 
@@ -67249,28 +118654,23 @@ components: - comment Security_Exceptions_API_CreateRuleExceptionListItemCommentArray: items: - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemComment + $ref: '#/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemComment' type: array Security_Exceptions_API_CreateRuleExceptionListItemProps: type: object properties: comments: - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemCommentArray + $ref: '#/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemCommentArray' default: [] description: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemDescription + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemDescription' entries: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray' expire_time: format: date-time type: string item_id: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId' meta: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta' name: @@ -67279,8 +118679,7 @@ components: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' default: single os_types: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray' default: [] tags: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemTags' 
@@ -67294,15 +118693,10 @@ components: - entries Security_Exceptions_API_EndpointArtifactTags: default: [] - description: > + description: | Tags for categorization. Special tags for scope control: - - * `"policy:all"` - Global artifact (applies to all Elastic Defend - policies) - - * `"policy:"` - Private artifact (applies to specific Elastic - Defend policy only, where `` is the Elastic Defend - integration policy ID) + * `"policy:all"` - Global artifact (applies to all Elastic Defend policies) + * `"policy:"` - Private artifact (applies to specific Elastic Defend policy only, where `` is the Elastic Defend integration policy ID) items: type: string type: array @@ -67311,24 +118705,18 @@ components: type: object properties: entries: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray - description: > - Exception entries for endpoint security exceptions (used to prevent - detection rule alerts). - + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray' + description: | + Exception entries for endpoint security exceptions (used to prevent detection rule alerts). - **Fully flexible:** Supports any field name for maximum - compatibility with detection rules. No field restrictions are - enforced. + **Fully flexible:** Supports any field name for maximum compatibility with detection rules. No field restrictions are enforced. list_id: enum: - endpoint_list example: endpoint_list type: string os_types: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray' default: [] tags: $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' 
@@ -67339,16 +118727,11 @@ components: type: object properties: entries: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray - description: > + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray' + description: | Exception entries for the event filter. - - **Flexible field support:** Any event field name is allowed (e.g., - `process.name`, `file.path`, `event.action`, `dns.question.name`, - etc.) - + **Flexible field support:** Any event field name is allowed (e.g., `process.name`, `file.path`, `event.action`, `dns.question.name`, etc.) **Minimum requirement:** At least 1 entry required list_id: @@ -67357,8 +118740,7 @@ components: example: endpoint_event_filters type: string os_types: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray' default: [] tags: $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' @@ -67368,10 +118750,7 @@ components: type: object properties: _version: - description: >- - The version id, normally returned by the API when the item was - retrieved. Use it ensure updates are done against the latest - version. + description: The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version. type: string created_at: description: Autogenerated date of object creation. @@ -67381,8 +118760,7 @@ components: description: Autogenerated value - user that created object. type: string description: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListDescription + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListDescription' id: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' immutable: 
@@ -67396,14 +118774,11 @@ components: namespace_type: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' os_types: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray' tags: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListTags' tie_breaker_id: - description: >- - Field used in search to ensure all containers are sorted and - returned correctly. + description: Field used in search to ensure all containers are sorted and returned correctly. type: string type: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListType' 
@@ -67435,30 +118810,17 @@ components: example: This list tracks allowlisted values. type: string Security_Exceptions_API_ExceptionListHumanId: - description: > + description: | The exception list's human-readable string identifier. - For endpoint artifacts, use one of the following values: - - * `endpoint_list`: [Elastic Endpoint exception - list](https://www.elastic.co/docs/solutions/security/detect-and-alert/add-manage-exceptions) - - * `endpoint_trusted_apps`: [Trusted applications - list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/trusted-applications) - - * `endpoint_trusted_devices`: [Trusted devices - list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/trusted-devices) - - * `endpoint_event_filters`: [Event filters - list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/event-filters) - - * `endpoint_host_isolation_exceptions`: [Host isolation exceptions - list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/host-isolation-exceptions) - - * `endpoint_blocklists`: [Blocklists - list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/blocklist) + * `endpoint_list`: [Elastic Endpoint exception list](https://www.elastic.co/docs/solutions/security/detect-and-alert/add-manage-exceptions) + * `endpoint_trusted_apps`: [Trusted applications list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/trusted-applications) + * `endpoint_trusted_devices`: [Trusted devices list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/trusted-devices) + * `endpoint_event_filters`: [Event filters list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/event-filters) + * `endpoint_host_isolation_exceptions`: [Host isolation exceptions list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/host-isolation-exceptions) + * `endpoint_blocklists`: [Blocklists 
list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/blocklist) example: simple_list format: nonempty minLength: 1 @@ -67473,14 +118835,10 @@ components: type: object properties: _version: - description: >- - The version id, normally returned by the API when the item was - retrieved. Use it ensure updates are done against the latest - version. + description: The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version. type: string comments: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemCommentArray + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemCommentArray' created_at: description: Autogenerated date of object creation. format: date-time @@ -67489,19 +118847,15 @@ components: description: Autogenerated value - user that created object. type: string description: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemDescription + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemDescription' entries: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray' expire_time: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemExpireTime + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemExpireTime' id: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' item_id: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId' list_id: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' meta: 
@@ -67511,14 +118865,11 @@ components: namespace_type: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' os_types: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray' tags: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemTags' tie_breaker_id: - description: >- - Field used in search to ensure all containers are sorted and - returned correctly. + description: Field used in search to ensure all containers are sorted and returned correctly. type: string type: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemType' @@ -67581,18 +118932,12 @@ components: type: string Security_Exceptions_API_ExceptionListItemEntry: anyOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatch - - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchAny - - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryList - - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryExists - - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryNested - - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchWildcard + - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatch' + - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchAny' + - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryList' + - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryExists' + - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryNested' + - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchWildcard' discriminator: propertyName: type Security_Exceptions_API_ExceptionListItemEntryArray: 
@@ -67605,8 +118950,7 @@ components: field: $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' operator: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator' type: enum: - exists @@ -67631,8 +118975,7 @@ components: - id - type operator: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator' type: enum: - list @@ -67648,8 +118991,7 @@ components: field: $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' operator: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator' type: enum: - match @@ -67667,8 +119009,7 @@ components: field: $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' operator: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator' type: enum: - match_any @@ -67689,8 +119030,7 @@ components: field: $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' operator: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator' type: enum: - wildcard @@ -67707,8 +119047,7 @@ components: properties: entries: items: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryNestedEntryItem + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryNestedEntryItem' minItems: 1 type: array field: 
@@ -67723,21 +119062,16 @@ components: - entries Security_Exceptions_API_ExceptionListItemEntryNestedEntryItem: oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatch - - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchAny - - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryExists + - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatch' + - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchAny' + - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryExists' Security_Exceptions_API_ExceptionListItemEntryOperator: enum: - excluded - included type: string Security_Exceptions_API_ExceptionListItemExpireTime: - description: >- - The exception item’s expiration date, in ISO format. This field is only - available for regular exception items, not endpoint exceptions. + description: The exception item’s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions. format: date-time type: string Security_Exceptions_API_ExceptionListItemHumanId: @@ -67766,9 +119100,7 @@ components: type: array Security_Exceptions_API_ExceptionListItemTags: items: - description: >- - String array containing words and phrases to help categorize exception - items. + description: String array containing words and phrases to help categorize exception items. format: nonempty minLength: 1 type: string 
@@ -67813,28 +119145,22 @@ components: id: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' item_id: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId' list_id: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' required: - error Security_Exceptions_API_ExceptionListsImportBulkErrorArray: items: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListsImportBulkError + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListsImportBulkError' type: array Security_Exceptions_API_ExceptionListTags: - description: >- - String array containing words and phrases to help categorize exception - containers. + description: String array containing words and phrases to help categorize exception containers. items: type: string type: array Security_Exceptions_API_ExceptionListType: - description: >- - The type of exception list to be created. Different list types may - denote where they can be utilized. + description: The type of exception list to be created. Different list types may denote where they can be utilized. enum: - detection - rule_default 
@@ -67850,21 +119176,14 @@ components: minimum: 1 type: integer Security_Exceptions_API_ExceptionNamespaceType: - description: > - Determines whether the exception container is available in all Kibana - spaces or just the space - + description: | + Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where: - - `single`: Only available in the Kibana space in which it is created. - - `agnostic`: Available in all Kibana spaces. - - For endpoint artifacts, the `namespace_type` must always be `agnostic`. - Space awareness for endpoint artifacts is enforced based on Elastic - Defend policy assignments. + For endpoint artifacts, the `namespace_type` must always be `agnostic`. Space awareness for endpoint artifacts is enforced based on Elastic Defend policy assignments. enum: - agnostic - single @@ -67899,9 +119218,7 @@ components: - match type: string value: - description: >- - Valid IPv4 address or CIDR notation (e.g., "192.168.1.1" or - "10.0.0.0/8") + description: Valid IPv4 address or CIDR notation (e.g., "192.168.1.1" or "10.0.0.0/8") type: string required: - field @@ -67938,17 +119255,12 @@ components: minLength: 1 type: string Security_Exceptions_API_ListType: - description: > - Specifies the Elasticsearch data type of excludes the list container - holds. Some common examples: - + description: | + Specifies the Elasticsearch data type of excludes the list container holds. Some common examples: - `keyword`: Many ECS fields are Elasticsearch keywords - - `ip`: IP addresses - - - `ip_range`: Range of IP addresses (supports IPv4, IPv6, and CIDR - notation) + - `ip_range`: Range of IP addresses (supports IPv4, IPv6, and CIDR notation) enum: - binary - boolean 
@@ -68035,9 +119347,7 @@ components: type: object properties: entries: - description: >- - Must include exactly 2 entries - one for subject_name and one for - trusted + description: Must include exactly 2 entries - one for subject_name and one for trusted items: oneOf: - type: object @@ -68133,15 +119443,11 @@ components: type: object properties: entries: - description: >- - Process hash or executable path entries (code signature not - supported on Linux) + description: Process hash or executable path entries (code signature not supported on Linux) items: oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppHashEntry - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppPathEntry + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppHashEntry' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppPathEntry' minItems: 1 type: array list_id: @@ -68170,12 +119476,9 @@ components: description: Process hash, executable path, or code signature entries items: oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppHashEntry - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppPathEntry - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppMacCodeSignatureEntry + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppHashEntry' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppPathEntry' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppMacCodeSignatureEntry' minItems: 1 type: array list_id: 
@@ -68204,12 +119507,9 @@ components: description: Process hash, executable path, or code signature entries items: oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppHashEntry - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppPathEntry - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppWindowsCodeSignatureEntry + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppHashEntry' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppPathEntry' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppWindowsCodeSignatureEntry' minItems: 1 type: array list_id: @@ -68234,9 +119534,7 @@ components: type: object properties: entries: - description: >- - Must include exactly 2 entries - one for subject_name and one for - trusted + description: Must include exactly 2 entries - one for subject_name and one for trusted items: oneOf: - type: object @@ -68302,15 +119600,11 @@ components: - type - entries Security_Exceptions_API_TrustedDevicesMacProperties: - description: >- - Trusted devices list item properties (macOS-only, username not - supported). + description: Trusted devices list item properties (macOS-only, username not supported). type: object properties: entries: - description: >- - Exception entries for the trusted device (duplicate field entries - are not allowed) + description: Exception entries for the trusted device (duplicate field entries are not allowed) items: type: object properties: 
@@ -68372,22 +119666,16 @@ components: required: - list_id Security_Exceptions_API_TrustedDevicesWindowsMacProperties: - description: >- - Trusted devices list item properties (Windows + macOS, username not - supported). + description: Trusted devices list item properties (Windows + macOS, username not supported). type: object properties: entries: - description: >- - Exception entries for the trusted device (duplicate field entries - are not allowed, username not available when targeting both OS) + description: Exception entries for the trusted device (duplicate field entries are not allowed, username not available when targeting both OS) items: type: object properties: field: - description: >- - Device field to match against (username not available for - multi-OS) + description: Device field to match against (username not available for multi-OS) enum: - device.serial_number - device.type @@ -68445,15 +119733,11 @@ components: required: - list_id Security_Exceptions_API_TrustedDevicesWindowsProperties: - description: >- - Trusted devices list item properties (Windows-only, allows username - field). + description: Trusted devices list item properties (Windows-only, allows username field). type: object properties: entries: - description: >- - Exception entries for the trusted device (duplicate field entries - are not allowed) + description: Exception entries for the trusted device (duplicate field entries are not allowed) items: type: object properties: 
@@ -68519,27 +119803,20 @@ components: type: object properties: _version: - description: >- - The version ID, normally returned by the API when the item is - retrieved. Use it to ensure updates are made against the latest - version. + description: The version ID, normally returned by the API when the item is retrieved. Use it to ensure updates are made against the latest version. type: string comments: - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemCommentArray + $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemCommentArray' default: [] description: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemDescription + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemDescription' expire_time: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemExpireTime + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemExpireTime' id: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' description: Either `id` or `item_id` must be specified item_id: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId' description: Either `id` or `item_id` must be specified meta: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta' 
@@ -68556,21 +119833,16 @@ components: - description Security_Exceptions_API_UpdateExceptionListItemBlocklistLinux: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_BlocklistLinuxProperties + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistLinuxProperties' Security_Exceptions_API_UpdateExceptionListItemBlocklistMac: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistMacProperties' Security_Exceptions_API_UpdateExceptionListItemBlocklistWindows: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_BlocklistWindowsProperties + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistWindowsProperties' Security_Exceptions_API_UpdateExceptionListItemComment: type: object properties: 
@@ -68582,23 +119854,19 @@ components: - comment Security_Exceptions_API_UpdateExceptionListItemCommentArray: items: - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemComment + $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemComment' type: array Security_Exceptions_API_UpdateExceptionListItemEndpointList: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' - $ref: '#/components/schemas/Security_Exceptions_API_EndpointListProperties' Security_Exceptions_API_UpdateExceptionListItemEventFilters: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' - $ref: '#/components/schemas/Security_Exceptions_API_EventFiltersProperties' Security_Exceptions_API_UpdateExceptionListItemGeneric: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' - example: comments: [] description: Updated description 
@@ -68615,71 +119883,50 @@ components: type: object properties: entries: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray' list_id: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListHumanId + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' os_types: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray' default: [] tags: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemTags + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemTags' required: - entries Security_Exceptions_API_UpdateExceptionListItemHostIsolation: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' - $ref: '#/components/schemas/Security_Exceptions_API_HostIsolationProperties' Security_Exceptions_API_UpdateExceptionListItemTrustedAppsLinux: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppsLinuxProperties + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppsLinuxProperties' Security_Exceptions_API_UpdateExceptionListItemTrustedAppsMac: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppsMacProperties + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppsMacProperties' Security_Exceptions_API_UpdateExceptionListItemTrustedAppsWindows: 
allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppsWindowsProperties + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppsWindowsProperties' Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesMac: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedDevicesMacProperties + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedDevicesMacProperties' Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesWindows: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedDevicesWindowsProperties + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedDevicesWindowsProperties' Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesWindowsMac: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedDevicesWindowsMacProperties + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedDevicesWindowsMacProperties' Security_Exceptions_API_UUID: description: A universally unique identifier format: uuid type: string Security_Lists_API_FindListItemsCursor: - description: >- - Returns the items that come after the last item returned in the previous - call (use the `cursor` value returned in the previous call). 
This - parameter uses the `tie_breaker_id` field to ensure all items are sorted - and returned correctly. + description: Returns the items that come after the last item returned in the previous call (use the `cursor` value returned in the previous call). This parameter uses the `tie_breaker_id` field to ensure all items are sorted and returned correctly. example: WzIwLFsiYjU3Yzc2MmMtMzAzNi00NjVjLTliZmItN2JmYjVlNmU1MTVhIl1d format: nonempty minLength: 1 @@ -68701,12 +119948,12 @@ components: _version: $ref: '#/components/schemas/Security_Lists_API_ListVersionId' '@timestamp': - example: 2025-01-08T04:47:34.273Z + example: '2025-01-08T04:47:34.273Z' format: date-time type: string created_at: description: Autogenerated date of object creation. - example: 2025-01-08T04:47:34.273Z + example: '2025-01-08T04:47:34.273Z' format: date-time type: string created_by: @@ -68724,16 +119971,14 @@ components: name: $ref: '#/components/schemas/Security_Lists_API_ListName' tie_breaker_id: - description: >- - Field used in search to ensure all containers are sorted and - returned correctly. + description: Field used in search to ensure all containers are sorted and returned correctly. example: f5508188-b1e9-4e6e-9662-d039a7d89899 type: string type: $ref: '#/components/schemas/Security_Lists_API_ListType' updated_at: description: Autogenerated date of last object update. - example: 2025-01-08T04:47:34.273Z + example: '2025-01-08T04:47:34.273Z' format: date-time type: string updated_by: @@ -68771,12 +120016,12 @@ components: _version: $ref: '#/components/schemas/Security_Lists_API_ListVersionId' '@timestamp': - example: 2025-01-08T04:47:34.273Z + example: '2025-01-08T04:47:34.273Z' format: date-time type: string created_at: description: Autogenerated date of object creation. - example: 2025-01-08T04:47:34.273Z + example: '2025-01-08T04:47:34.273Z' format: date-time type: string created_by: 
@@ -68790,16 +120035,14 @@ components: meta: $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' tie_breaker_id: - description: >- - Field used in search to ensure all containers are sorted and - returned correctly. + description: Field used in search to ensure all containers are sorted and returned correctly. example: f5508188-b1e9-4e6e-9662-d039a7d89899 type: string type: $ref: '#/components/schemas/Security_Lists_API_ListType' updated_at: description: Autogenerated date of last object update. - example: 2025-01-08T04:47:34.273Z + example: '2025-01-08T04:47:34.273Z' format: date-time type: string updated_by: @@ -68898,17 +120141,12 @@ components: - index - application Security_Lists_API_ListType: - description: > - Specifies the Elasticsearch data type of excludes the list container - holds. Some common examples: - + description: | + Specifies the Elasticsearch data type of excludes the list container holds. Some common examples: - `keyword`: Many ECS fields are Elasticsearch keywords - - `ip`: IP addresses - - - `ip_range`: Range of IP addresses (supports IPv4, IPv6, and CIDR - notation) + - `ip_range`: Range of IP addresses (supports IPv4, IPv6, and CIDR notation) enum: - binary - boolean @@ -68940,9 +120178,8 @@ components: minimum: 1 type: integer Security_Lists_API_ListVersionId: - description: > - The version id, normally returned by the API when the document is - retrieved. Use it ensure updates are done against the latest version. + description: | + The version id, normally returned by the API when the document is retrieved. Use it ensure updates are done against the latest version. example: WzIsMV0= type: string Security_Lists_API_PlatformErrorResponse: 
@@ -68977,19 +120214,19 @@ components: type: object properties: ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' id: $ref: '#/components/schemas/Security_Osquery_API_QueryId' platform: - $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Platform' query: $ref: '#/components/schemas/Security_Osquery_API_Query' removed: - $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Removed' snapshot: - $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Snapshot' version: - $ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Version' Security_Osquery_API_CopyPacksResponse: description: The response for copying a pack. example: 
@@ -69029,24 +120266,20 @@ components: created_by_profile_uid: type: string description: - $ref: >- - #/components/schemas/Security_Osquery_API_PackDescriptionOrUndefined + $ref: '#/components/schemas/Security_Osquery_API_PackDescription' enabled: - $ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Enabled' name: $ref: '#/components/schemas/Security_Osquery_API_PackName' policy_ids: - $ref: '#/components/schemas/Security_Osquery_API_PolicyIdsOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_PolicyIds' queries: - description: >- - Pack queries in saved-object storage format (array). Note: the - read endpoint returns object format. + description: 'Pack queries in saved-object storage format (array). Note: the read endpoint returns object format.' items: type: object properties: ecs_mapping: - $ref: >- - #/components/schemas/Security_Osquery_API_ECSMappingArrayOrUndefined + $ref: '#/components/schemas/Security_Osquery_API_ECSMappingArray' id: type: string interval: @@ -69127,10 +120360,9 @@ components: created_by_profile_uid: type: string description: - $ref: >- - #/components/schemas/Security_Osquery_API_SavedQueryDescriptionOrUndefined + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription' ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' id: $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' interval: 
@@ -69138,15 +120370,15 @@ components: - type: integer - type: string platform: - $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Platform' query: $ref: '#/components/schemas/Security_Osquery_API_Query' removed: - $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Removed' saved_object_id: type: string snapshot: - $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Snapshot' timeout: type: integer updated_at: @@ -69200,7 +120432,7 @@ components: type: string type: array ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' event_ids: description: A list of event IDs associated with the live query. items: @@ -69211,13 +120443,13 @@ components: nullable: true type: object pack_id: - $ref: '#/components/schemas/Security_Osquery_API_PackIdOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_PackId' queries: $ref: '#/components/schemas/Security_Osquery_API_ArrayQueries' query: - $ref: '#/components/schemas/Security_Osquery_API_QueryOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Query' saved_query_id: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryIdOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' Security_Osquery_API_CreateLiveQueryResponse: description: The response for creating a live query. example: @@ -69308,8 +120540,7 @@ components: type: string type: array ecs_mapping: - $ref: >- - #/components/schemas/Security_Osquery_API_ECSMappingOrUndefined + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' id: type: string platform: 
@@ -69359,13 +120590,13 @@ components: type: object properties: description: - $ref: '#/components/schemas/Security_Osquery_API_PackDescriptionOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_PackDescription' enabled: - $ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Enabled' name: $ref: '#/components/schemas/Security_Osquery_API_PackName' policy_ids: - $ref: '#/components/schemas/Security_Osquery_API_PolicyIdsOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_PolicyIds' queries: $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries' shards: @@ -69415,14 +120646,13 @@ components: description: The profile UID of the user who created the pack. type: string description: - $ref: >- - #/components/schemas/Security_Osquery_API_PackDescriptionOrUndefined + $ref: '#/components/schemas/Security_Osquery_API_PackDescription' enabled: - $ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Enabled' name: $ref: '#/components/schemas/Security_Osquery_API_PackName' policy_ids: - $ref: '#/components/schemas/Security_Osquery_API_PolicyIdsOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_PolicyIds' queries: $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries' saved_object_id: 
@@ -69472,24 +120702,23 @@ components: type: object properties: description: - $ref: >- - #/components/schemas/Security_Osquery_API_SavedQueryDescriptionOrUndefined + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription' ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' id: $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' interval: $ref: '#/components/schemas/Security_Osquery_API_Interval' platform: - $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Platform' query: - $ref: '#/components/schemas/Security_Osquery_API_QueryOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Query' removed: - $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Removed' snapshot: - $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Snapshot' version: - $ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Version' Security_Osquery_API_CreateSavedQueryResponse: description: The response for creating a saved query. example: 
@@ -69524,33 +120753,30 @@ components: created_by_profile_uid: type: string description: - $ref: >- - #/components/schemas/Security_Osquery_API_SavedQueryDescriptionOrUndefined + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription' ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' id: $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' interval: - description: >- - An interval, in seconds, on which to run the query. May be - returned as number or string. + description: An interval, in seconds, on which to run the query. May be returned as number or string. oneOf: - type: integer - type: string platform: - $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Platform' prebuilt: description: Whether the saved query is prebuilt. type: boolean query: $ref: '#/components/schemas/Security_Osquery_API_Query' removed: - $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Removed' saved_object_id: description: The saved object ID of the saved query. type: string snapshot: - $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Snapshot' timeout: description: The query timeout in seconds. type: integer 
@@ -69579,18 +120805,13 @@ components: Security_Osquery_API_ECSMapping: additionalProperties: $ref: '#/components/schemas/Security_Osquery_API_ECSMappingItem' - description: >- - Map osquery results columns or static values to Elastic Common Schema - (ECS) fields + description: Map osquery results columns or static values to Elastic Common Schema (ECS) fields example: host.uptime: field: total_seconds type: object Security_Osquery_API_ECSMappingArray: - description: >- - ECS mapping in saved-object storage format (array of key-value pairs). - The find and copy pack endpoints return this format. The read endpoint - returns object format (ECSMapping). + description: ECS mapping in saved-object storage format (array of key-value pairs). The find and copy pack endpoints return this format. The read endpoint returns object format (ECSMapping). items: $ref: '#/components/schemas/Security_Osquery_API_ECSMappingArrayItem' type: array @@ -69695,8 +120916,7 @@ components: description: Number of result documents. type: integer ecs_mapping: - $ref: >- - #/components/schemas/Security_Osquery_API_ECSMappingOrUndefined + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' failed: description: Number of failed queries. type: integer @@ -69801,8 +121021,7 @@ components: type: string type: array ecs_mapping: - $ref: >- - #/components/schemas/Security_Osquery_API_ECSMappingOrUndefined + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' id: type: string query: @@ -69811,9 +121030,7 @@ components: type: string type: array result_counts: - description: >- - Result count statistics (present when withResultCounts - is true). + description: Result count statistics (present when withResultCounts is true). type: object properties: error_agents: 
@@ -69871,10 +121088,9 @@ components: created_by_profile_uid: type: string description: - $ref: >- - #/components/schemas/Security_Osquery_API_PackDescriptionOrUndefined + $ref: '#/components/schemas/Security_Osquery_API_PackDescription' enabled: - $ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Enabled' name: $ref: '#/components/schemas/Security_Osquery_API_PackName' namespaces: @@ -69883,7 +121099,7 @@ components: type: string type: array policy_ids: - $ref: '#/components/schemas/Security_Osquery_API_PolicyIdsOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_PolicyIds' queries: $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries' read_only: @@ -69956,24 +121172,20 @@ components: created_by_profile_uid: type: string description: - $ref: >- - #/components/schemas/Security_Osquery_API_PackDescriptionOrUndefined + $ref: '#/components/schemas/Security_Osquery_API_PackDescription' enabled: - $ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Enabled' name: $ref: '#/components/schemas/Security_Osquery_API_PackName' policy_ids: - $ref: '#/components/schemas/Security_Osquery_API_PolicyIdsOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_PolicyIds' queries: - description: >- - Pack queries in saved-object storage format (array). Note: the - read endpoint returns object format. + description: 'Pack queries in saved-object storage format (array). Note: the read endpoint returns object format.' items: type: object properties: ecs_mapping: - $ref: >- - #/components/schemas/Security_Osquery_API_ECSMappingArrayOrUndefined + $ref: '#/components/schemas/Security_Osquery_API_ECSMappingArray' id: type: string interval: 
@@ -70059,10 +121271,9 @@ components: created_by_profile_uid: type: string description: - $ref: >- - #/components/schemas/Security_Osquery_API_SavedQueryDescriptionOrUndefined + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription' ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' id: $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' interval: @@ -70070,17 +121281,17 @@ components: - type: integer - type: string platform: - $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Platform' prebuilt: type: boolean query: $ref: '#/components/schemas/Security_Osquery_API_Query' removed: - $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Removed' saved_object_id: type: string snapshot: - $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Snapshot' timeout: type: integer updated_at: @@ -70140,11 +121351,9 @@ components: created_by_profile_uid: type: string description: - $ref: >- - #/components/schemas/Security_Osquery_API_SavedQueryDescriptionOrUndefined + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription' ecs_mapping: - $ref: >- - #/components/schemas/Security_Osquery_API_ECSMappingOrUndefined + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' id: $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' interval: 
@@ -70152,17 +121361,17 @@ components: - type: integer - type: string platform: - $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Platform' prebuilt: type: boolean query: $ref: '#/components/schemas/Security_Osquery_API_Query' removed: - $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Removed' saved_object_id: type: string snapshot: - $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Snapshot' timeout: type: integer updated_at: @@ -70218,9 +121427,7 @@ components: _id: type: string _source: - description: >- - The Elasticsearch document source containing query - results. + description: The Elasticsearch document source containing query results. type: object type: array total: @@ -70255,8 +121462,7 @@ components: type: object properties: aggregations: - $ref: >- - #/components/schemas/Security_Osquery_API_ScheduledActionResultsAggregations + $ref: '#/components/schemas/Security_Osquery_API_ScheduledActionResultsAggregations' currentPage: description: The current page number (zero-based). type: integer @@ -70353,9 +121559,7 @@ components: description: Whether there are more results beyond the current page. type: boolean nextPage: - description: >- - A base64-encoded cursor to fetch the next page. Absent when there - are no more results. + description: A base64-encoded cursor to fetch the next page. Absent when there are no more results. type: string required: - data 
@@ -70409,14 +121613,10 @@ components: description: The number of sub-queries that returned results. type: integer savedQueryId: - description: >- - The saved query ID, if the live query was based on a saved - query. + description: The saved query ID, if the live query was based on a saved query. type: string source: - description: >- - Whether this was a manually run live query or triggered by a - rule. + description: Whether this was a manually run live query or triggered by a rule. enum: - Live - Rule @@ -70447,21 +121647,21 @@ components: type: object properties: ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' id: $ref: '#/components/schemas/Security_Osquery_API_QueryId' platform: - $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Platform' query: $ref: '#/components/schemas/Security_Osquery_API_Query' removed: - $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Removed' saved_query_id: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryIdOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' snapshot: - $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Snapshot' version: - $ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Version' Security_Osquery_API_PackDescription: description: The pack description. example: Pack description 
@@ -70491,10 +121691,7 @@ components: nullable: true type: integer Security_Osquery_API_Platform: - description: >- - Restricts the query to a specified platform. The default is all - platforms. To specify multiple platforms, use commas. For example, - `linux,darwin`. + description: Restricts the query to a specified platform. The default is all platforms. To specify multiple platforms, use commas. For example, `linux,darwin`. example: linux,darwin type: string Security_Osquery_API_PlatformOrUndefined: @@ -70616,10 +121813,7 @@ components: Security_Osquery_API_Shards: additionalProperties: type: number - description: >- - An object with shard configuration for policies included in the pack. - For each policy, set the shard configuration to a percentage (1–100) of - target hosts. + description: An object with shard configuration for policies included in the pack. For each policy, set the shard configuration to a percentage (1–100) of target hosts. example: policy_id: 50 type: object @@ -70702,13 +121896,13 @@ components: type: object properties: description: - $ref: '#/components/schemas/Security_Osquery_API_PackDescriptionOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_PackDescription' enabled: - $ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Enabled' name: $ref: '#/components/schemas/Security_Osquery_API_PackName' policy_ids: - $ref: '#/components/schemas/Security_Osquery_API_PolicyIdsOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_PolicyIds' queries: $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries' shards: 
@@ -70755,14 +121949,13 @@ components: created_by_profile_uid: type: string description: - $ref: >- - #/components/schemas/Security_Osquery_API_PackDescriptionOrUndefined + $ref: '#/components/schemas/Security_Osquery_API_PackDescription' enabled: - $ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Enabled' name: $ref: '#/components/schemas/Security_Osquery_API_PackName' policy_ids: - $ref: '#/components/schemas/Security_Osquery_API_PolicyIdsOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_PolicyIds' queries: $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries' saved_object_id: 
@@ -70787,24 +121980,23 @@ components: type: object properties: description: - $ref: >- - #/components/schemas/Security_Osquery_API_SavedQueryDescriptionOrUndefined + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription' ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' id: $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' interval: - $ref: '#/components/schemas/Security_Osquery_API_IntervalOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Interval' platform: - $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Platform' query: - $ref: '#/components/schemas/Security_Osquery_API_QueryOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Query' removed: - $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Removed' snapshot: - $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Snapshot' version: - $ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Version' Security_Osquery_API_UpdateSavedQueryResponse: description: The response for updating a saved query. example: @@ -70833,10 +122025,9 @@ components: created_by_profile_uid: type: string description: - $ref: >- - #/components/schemas/Security_Osquery_API_SavedQueryDescriptionOrUndefined + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription' ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' id: $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' interval: 
@@ -70844,17 +122035,17 @@ components: - type: integer - type: string platform: - $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Platform' prebuilt: type: boolean query: $ref: '#/components/schemas/Security_Osquery_API_Query' removed: - $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Removed' saved_object_id: type: string snapshot: - $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Snapshot' timeout: type: integer updated_at: 
@@ -70874,26 +122065,15 @@ components: required: - data Security_Osquery_API_Version: - description: >- - Uses the Osquery versions greater than or equal to the specified version - string. + description: Uses the Osquery versions greater than or equal to the specified version string. example: 1.0.0 type: string Security_Osquery_API_VersionOrUndefined: $ref: '#/components/schemas/Security_Osquery_API_Version' nullable: true Security_Timeline_API_AssociatedFilterType: - description: > - How the note is associated with a Timeline saved object and/or an event - (`eventId`). `all`: no association-based restriction from this - parameter. `document_only`: document-linked notes (non-empty `eventId`) - without timeline association in the API's internal sense; post-filtering - drops notes without a usable `eventId`. `saved_object_only`: timeline - notes with no linked event (`eventId` empty or absent); post-filtering - keeps timeline-only notes. `document_and_saved_object`: notes on a - timeline and linked to an event; post-filtering enforces a real - `eventId`. `orphan`: not on a timeline and `eventId` is empty (stricter - than missing `eventId` in some cases). + description: | + How the note is associated with a Timeline saved object and/or an event (`eventId`). `all`: no association-based restriction from this parameter. `document_only`: document-linked notes (non-empty `eventId`) without timeline association in the API's internal sense; post-filtering drops notes without a usable `eventId`. `saved_object_only`: timeline notes with no linked event (`eventId` empty or absent); post-filtering keeps timeline-only notes. `document_and_saved_object`: notes on a timeline and linked to an event; post-filtering enforces a real `eventId`. `orphan`: not on a timeline and `eventId` is empty (stricter than missing `eventId` in some cases). enum: - all - document_only 
@@ -70903,15 +122083,12 @@ components: type: string Security_Timeline_API_BareNote: allOf: - - $ref: >- - #/components/schemas/Security_Timeline_API_NoteCreatedAndUpdatedMetadata + - $ref: '#/components/schemas/Security_Timeline_API_NoteCreatedAndUpdatedMetadata' - type: object properties: eventId: - description: > - Elasticsearch document `_id` for the event or alert this note - refers to. Same value as the `documentIds` query parameter when - fetching notes via GET /api/note. + description: | + Elasticsearch document `_id` for the event or alert this note refers to. Same value as the `documentIds` query parameter when fetching notes via GET /api/note. example: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc nullable: true type: string @@ -70921,17 +122098,14 @@ components: nullable: true type: string timelineId: - description: >- - The `savedObjectId` of the Timeline this note belongs to (not - the note's own ID). + description: The `savedObjectId` of the Timeline this note belongs to (not the note's own ID). example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e type: string required: - timelineId Security_Timeline_API_BarePinnedEvent: allOf: - - $ref: >- - #/components/schemas/Security_Timeline_API_PinnedEventCreatedAndUpdatedMetadata + - $ref: '#/components/schemas/Security_Timeline_API_PinnedEventCreatedAndUpdatedMetadata' - type: object properties: eventId: @@ -70939,9 +122113,7 @@ components: example: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc type: string timelineId: - description: >- - The `savedObjectId` of the timeline that this pinned event is - associated with + description: The `savedObjectId` of the timeline that this pinned event is associated with example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e type: string required: 
@@ -70997,1046 +122169,2116 @@ components: id: nullable: true type: string - kqlQuery: + kqlQuery: + nullable: true + type: string + name: + nullable: true + type: string + queryMatch: + $ref: '#/components/schemas/Security_Timeline_API_QueryMatchResult' + nullable: true + type: + $ref: '#/components/schemas/Security_Timeline_API_DataProviderType' + nullable: true + Security_Timeline_API_DataProviderResult: + type: object + properties: + and: + items: + $ref: '#/components/schemas/Security_Timeline_API_DataProviderQueryMatch' + nullable: true + type: array + enabled: + nullable: true + type: boolean + excluded: + nullable: true + type: boolean + id: + nullable: true + type: string + kqlQuery: + nullable: true + type: string + name: + nullable: true + type: string + queryMatch: + $ref: '#/components/schemas/Security_Timeline_API_QueryMatchResult' + nullable: true + type: + $ref: '#/components/schemas/Security_Timeline_API_DataProviderType' + nullable: true + Security_Timeline_API_DataProviderType: + description: The type of data provider. + enum: + - default + - template + type: string + Security_Timeline_API_DocumentIds: + description: One document ID or an array of IDs (Elasticsearch `_id` of the event). + oneOf: + - items: + type: string + type: array + - type: string + Security_Timeline_API_FavoriteTimelineResponse: + type: object + properties: + favorite: + items: + $ref: '#/components/schemas/Security_Timeline_API_FavoriteTimelineResult' + type: array + savedObjectId: + type: string + templateTimelineId: + nullable: true + type: string + templateTimelineVersion: + nullable: true + type: number + timelineType: + $ref: '#/components/schemas/Security_Timeline_API_TimelineType' + version: + type: string + required: + - savedObjectId + - version + Security_Timeline_API_FavoriteTimelineResult: + description: Indicates when and who marked a Timeline as a favorite. 
+ example: + favoriteDate: 1741337636741 + userName: elastic + type: object + properties: + favoriteDate: + nullable: true + type: number + fullName: + nullable: true + type: string + userName: + nullable: true + type: string + Security_Timeline_API_FilterTimelineResult: + example: + meta: + alias: Custom filter name + disabled: false + index: .alerts-security.alerts-default,logs-* + key: '@timestamp' + negate: false, + type: exists + value: exists + query: '{"exists":{"field":"@timestamp"}}' + type: object + properties: + exists: + nullable: true + type: string + match_all: + nullable: true + type: string + meta: + nullable: true + type: object + properties: + alias: + nullable: true + type: string + controlledBy: + nullable: true + type: string + disabled: + nullable: true + type: boolean + field: + nullable: true + type: string + formattedValue: + nullable: true + type: string + index: + nullable: true + type: string + key: + nullable: true + type: string + negate: + nullable: true + type: boolean + params: + nullable: true + type: string + type: + nullable: true + type: string + value: + nullable: true + type: string + missing: + nullable: true + type: string + query: + nullable: true + type: string + range: + nullable: true + type: string + script: + nullable: true + type: string + Security_Timeline_API_GetNotesResult: + type: object + properties: + notes: + items: + $ref: '#/components/schemas/Security_Timeline_API_Note' + type: array + totalCount: + description: Number of notes returned (may be adjusted after the query when `associatedFilter` applies post-filtering). 
+ type: number + required: + - totalCount + - notes + Security_Timeline_API_ImportTimelineResult: + type: object + properties: + errors: + description: The list of failed Timeline imports + items: + type: object + properties: + error: + description: The error containing the reason why the timeline could not be imported + type: object + properties: + message: + description: The reason why the timeline could not be imported + example: Malformed JSON + type: string + status_code: + description: The HTTP status code of the error + example: 400 + type: number + id: + description: The ID of the timeline that failed to import + example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 + type: string + type: array + success: + description: Indicates whether any of the Timelines were successfully imports + type: boolean + success_count: + description: The amount of successfully imported/updated Timelines + example: 99 + type: number + timelines_installed: + description: The amount of successfully installed Timelines + example: 80 + type: number + timelines_updated: + description: The amount of successfully updated Timelines + example: 19 + type: number + Security_Timeline_API_ImportTimelines: + allOf: + - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' + - type: object + properties: + eventNotes: + items: + $ref: '#/components/schemas/Security_Timeline_API_BareNote' + nullable: true + type: array + globalNotes: + items: + $ref: '#/components/schemas/Security_Timeline_API_BareNote' + nullable: true + type: array + pinnedEventIds: + items: + type: string + nullable: true + type: array + savedObjectId: + nullable: true + type: string + version: + nullable: true + type: string + required: + - savedObjectId + - version + - pinnedEventIds + - eventNotes + - globalNotes + Security_Timeline_API_Note: + allOf: + - $ref: '#/components/schemas/Security_Timeline_API_BareNote' + - type: object + properties: + noteId: + description: The `savedObjectId` of the note + example: 
709f99c6-89b6-4953-9160-35945c8e174e + type: string + version: + description: The version of the note + example: WzQ2LDFd + type: string + required: + - noteId + - version + Security_Timeline_API_NoteCreatedAndUpdatedMetadata: + type: object + properties: + created: + description: The time the note was created, using a 13-digit Epoch timestamp. + example: 1587468588922 + nullable: true + type: number + createdBy: + description: The user who created the note. + example: casetester + nullable: true + type: string + updated: + description: The last time the note was updated, using a 13-digit Epoch timestamp + example: 1741344876825 + nullable: true + type: number + updatedBy: + description: The user who last updated the note + example: casetester + nullable: true + type: string + Security_Timeline_API_PersistPinnedEventResponse: + oneOf: + - $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent' + - type: object + properties: + unpinned: + description: Indicates whether the event was successfully unpinned + type: boolean + required: + - unpinned + Security_Timeline_API_PersistTimelineResponse: + $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' + Security_Timeline_API_PinnedEvent: + allOf: + - $ref: '#/components/schemas/Security_Timeline_API_BarePinnedEvent' + - type: object + properties: + pinnedEventId: + description: The `savedObjectId` of this pinned event + example: 10r1929b-0af7-42bd-85a8-56e234f98h2f3 + type: string + version: + description: The version of this pinned event + example: WzQ2LDFe + type: string + required: + - pinnedEventId + - version + Security_Timeline_API_PinnedEventCreatedAndUpdatedMetadata: + type: object + properties: + created: + description: The time the pinned event was created, using a 13-digit Epoch timestamp. + example: 1587468588922 + nullable: true + type: number + createdBy: + description: The user who created the pinned event. 
+ example: casetester + nullable: true + type: string + updated: + description: The last time the pinned event was updated, using a 13-digit Epoch timestamp + example: 1741344876825 + nullable: true + type: number + updatedBy: + description: The user who last updated the pinned event + example: casetester + nullable: true + type: string + Security_Timeline_API_QueryMatchResult: + type: object + properties: + displayField: + nullable: true + type: string + displayValue: + nullable: true + type: string + field: + nullable: true + type: string + operator: + nullable: true + type: string + value: + oneOf: + - nullable: true + type: string + - items: + type: string + nullable: true + type: array + Security_Timeline_API_ResolvedTimeline: + type: object + properties: + alias_purpose: + $ref: '#/components/schemas/Security_Timeline_API_SavedObjectResolveAliasPurpose' + alias_target_id: + type: string + outcome: + $ref: '#/components/schemas/Security_Timeline_API_SavedObjectResolveOutcome' + timeline: + $ref: '#/components/schemas/Security_Timeline_API_TimelineSavedToReturnObject' + required: + - timeline + - outcome + Security_Timeline_API_ResponseNote: + type: object + properties: + note: + $ref: '#/components/schemas/Security_Timeline_API_Note' + required: + - note + Security_Timeline_API_RowRendererId: + description: Identifies the available row renderers + enum: + - alert + - alerts + - auditd + - auditd_file + - library + - netflow + - plain + - registry + - suricata + - system + - system_dns + - system_endgame_process + - system_file + - system_fim + - system_security_event + - system_socket + - threat_match + - zeek + type: string + Security_Timeline_API_SavedObjectIds: + description: One Timeline saved object ID or an array of IDs. 
+ oneOf: + - items: + type: string + type: array + - type: string + Security_Timeline_API_SavedObjectResolveAliasPurpose: + enum: + - savedObjectConversion + - savedObjectImport + type: string + Security_Timeline_API_SavedObjectResolveOutcome: + enum: + - exactMatch + - aliasMatch + - conflict + type: string + Security_Timeline_API_SavedTimeline: + type: object + properties: + columns: + description: The Timeline's columns + example: + - columnHeaderType: not-filtered + id: '@timestamp' + - columnHeaderType: not-filtered + id: event.category + items: + $ref: '#/components/schemas/Security_Timeline_API_ColumnHeaderResult' + nullable: true + type: array + created: + description: The time the Timeline was created, using a 13-digit Epoch timestamp. + example: 1587468588922 + nullable: true + type: number + createdBy: + description: The user who created the Timeline. + example: casetester + nullable: true + type: string + dataProviders: + description: Object containing query clauses + example: + - enabled: true + excluded: false + id: id-d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b + name: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b + queryMatch: + field: _id, + operator: ':' + value: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b, + items: + $ref: '#/components/schemas/Security_Timeline_API_DataProviderResult' + nullable: true + type: array + dataViewId: + description: ID of the Timeline's Data View + example: security-solution-default + nullable: true + type: string + dateRange: + description: The Timeline's search period. 
+ example: + end: 1587456479201 + start: 1587370079200 + nullable: true + type: object + properties: + end: + oneOf: + - nullable: true + type: string + - nullable: true + type: number + start: + oneOf: + - nullable: true + type: string + - nullable: true + type: number + description: + description: The Timeline's description + example: Investigating exposure of CVE XYZ + nullable: true + type: string + eqlOptions: + description: EQL query that is used in the correlation tab + example: + eventCategoryField: event.category + query: sequence\n[process where process.name == "sudo"]\n[any where true] + size: 100 + timestampField: '@timestamp' nullable: true - type: string - name: + type: object + properties: + eventCategoryField: + nullable: true + type: string + query: + nullable: true + type: string + size: + oneOf: + - nullable: true + type: string + - nullable: true + type: number + tiebreakerField: + nullable: true + type: string + timestampField: + nullable: true + type: string + eventType: + deprecated: true + description: Event types displayed in the Timeline + example: all nullable: true type: string - queryMatch: - $ref: '#/components/schemas/Security_Timeline_API_QueryMatchResult' - nullable: true - type: - $ref: '#/components/schemas/Security_Timeline_API_DataProviderType' + excludedRowRendererIds: + description: A list of row renderers that should not be used when in `Event renderers` mode + items: + $ref: '#/components/schemas/Security_Timeline_API_RowRendererId' nullable: true - Security_Timeline_API_DataProviderResult: - type: object - properties: - and: + type: array + favorite: items: - $ref: '#/components/schemas/Security_Timeline_API_DataProviderQueryMatch' + $ref: '#/components/schemas/Security_Timeline_API_FavoriteTimelineResult' nullable: true type: array - enabled: + filters: + description: A list of filters that should be applied to the query + items: + $ref: '#/components/schemas/Security_Timeline_API_FilterTimelineResult' nullable: true - 
type: boolean - excluded: + type: array + indexNames: + description: A list of index names to use in the query (e.g. when the default data view has been modified) + example: + - .logs* + items: + type: string nullable: true - type: boolean - id: + type: array + kqlMode: + description: |- + Indicates whether the KQL bar filters the query results or searches for additional results, where: + * `filter`: filters query results + * `search`: displays additional search results + example: search nullable: true type: string kqlQuery: + $ref: '#/components/schemas/Security_Timeline_API_SerializedFilterQueryResult' + nullable: true + savedQueryId: + description: The ID of the saved query that might be used in the Query tab + example: c7b16904-02d7-4f32-b8f2-cc20f9625d6e nullable: true type: string - name: + savedSearchId: + description: The ID of the saved search that is used in the ES|QL tab + example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 nullable: true type: string - queryMatch: - $ref: '#/components/schemas/Security_Timeline_API_QueryMatchResult' + sort: + $ref: '#/components/schemas/Security_Timeline_API_Sort' nullable: true - type: - $ref: '#/components/schemas/Security_Timeline_API_DataProviderType' + status: + $ref: '#/components/schemas/Security_Timeline_API_TimelineStatus' nullable: true - Security_Timeline_API_DataProviderType: - description: The type of data provider. - enum: - - default - - template - type: string - Security_Timeline_API_DocumentIds: - description: One document ID or an array of IDs (Elasticsearch `_id` of the event). - oneOf: - - items: - type: string - type: array - - type: string - Security_Timeline_API_FavoriteTimelineResponse: - type: object - properties: - favorite: - items: - $ref: '#/components/schemas/Security_Timeline_API_FavoriteTimelineResult' - type: array - savedObjectId: - type: string templateTimelineId: + description: A unique ID (UUID) for Timeline templates. For Timelines, the value is `null`. 
+ example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 nullable: true type: string templateTimelineVersion: + description: Timeline template version number. For Timelines, the value is `null`. + example: 12 nullable: true type: number timelineType: $ref: '#/components/schemas/Security_Timeline_API_TimelineType' - version: + nullable: true + title: + description: The Timeline's title. + example: CVE XYZ investigation + nullable: true type: string - required: - - savedObjectId - - version - Security_Timeline_API_FavoriteTimelineResult: - description: Indicates when and who marked a Timeline as a favorite. - example: - favoriteDate: 1741337636741 - userName: elastic - type: object - properties: - favoriteDate: + updated: + description: The last time the Timeline was updated, using a 13-digit Epoch timestamp + example: 1741344876825 nullable: true type: number - fullName: + updatedBy: + description: The user who last updated the Timeline + example: casetester nullable: true type: string - userName: + Security_Timeline_API_SavedTimelineWithSavedObjectId: + allOf: + - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' + - type: object + properties: + savedObjectId: + description: The `savedObjectId` of the Timeline or Timeline template + example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + type: string + version: + description: The version of the Timeline or Timeline template + example: WzE0LDFd + type: string + required: + - savedObjectId + - version + Security_Timeline_API_SerializedFilterQueryResult: + description: KQL bar query. 
+ example: + filterQuery: null + kuery: + expression: '_id : *' + kind: kuery + serializedQuery: '{"bool":{"should":[{"exists":{"field":"_id"}}],"minimum_should_match":1}}' + type: object + properties: + filterQuery: nullable: true - type: string - Security_Timeline_API_FilterTimelineResult: + type: object + properties: + kuery: + nullable: true + type: object + properties: + expression: + nullable: true + type: string + kind: + nullable: true + type: string + serializedQuery: + nullable: true + type: string + Security_Timeline_API_Sort: + oneOf: + - $ref: '#/components/schemas/Security_Timeline_API_SortObject' + - items: + $ref: '#/components/schemas/Security_Timeline_API_SortObject' + type: array + Security_Timeline_API_SortFieldTimeline: + description: The field to sort the timelines by. + enum: + - title + - description + - updated + - created + type: string + Security_Timeline_API_SortObject: + description: Object indicating how rows are sorted in the Timeline's grid example: - meta: - alias: Custom filter name - disabled: false - index: .alerts-security.alerts-default,logs-* - key: '@timestamp' - negate: false, - type: exists - value: exists - query: '{"exists":{"field":"@timestamp"}}' + columnId: '@timestamp' + sortDirection: desc type: object properties: - exists: + columnId: nullable: true type: string - match_all: + columnType: nullable: true type: string - meta: + sortDirection: nullable: true - type: object + type: string + Security_Timeline_API_TimelineResponse: + allOf: + - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' + - $ref: '#/components/schemas/Security_Timeline_API_SavedTimelineWithSavedObjectId' + - type: object properties: - alias: + eventIdToNoteIds: + description: A list of all the notes that are associated to this Timeline. 
+ items: + $ref: '#/components/schemas/Security_Timeline_API_Note' nullable: true - type: string - controlledBy: + type: array + noteIds: + description: A list of all the ids of notes that are associated to this Timeline. + example: + - 709f99c6-89b6-4953-9160-35945c8e174e + items: + type: string nullable: true - type: string - disabled: + type: array + notes: + description: A list of all the notes that are associated to this Timeline. + items: + $ref: '#/components/schemas/Security_Timeline_API_Note' nullable: true - type: boolean - field: + type: array + pinnedEventIds: + description: A list of all the ids of pinned events that are associated to this Timeline. + example: + - 983f99c6-89b6-4953-9160-35945c8a194f + items: + type: string nullable: true - type: string - formattedValue: + type: array + pinnedEventsSaveObject: + description: A list of all the pinned events that are associated to this Timeline. + items: + $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent' nullable: true - type: string - index: + type: array + Security_Timeline_API_TimelineSavedToReturnObject: + allOf: + - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' + - type: object + properties: + eventIdToNoteIds: + items: + $ref: '#/components/schemas/Security_Timeline_API_Note' nullable: true - type: string - key: + type: array + noteIds: + items: + type: string nullable: true - type: string - negate: + type: array + notes: + items: + $ref: '#/components/schemas/Security_Timeline_API_Note' nullable: true - type: boolean - params: + type: array + pinnedEventIds: + items: + type: string nullable: true - type: string - type: + type: array + pinnedEventsSaveObject: + items: + $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent' nullable: true + type: array + savedObjectId: type: string - value: - nullable: true + version: type: string - missing: - nullable: true + required: + - savedObjectId + - version + Security_Timeline_API_TimelineStatus: + description: The 
status of the Timeline. + enum: + - active + - draft + - immutable + type: string + Security_Timeline_API_TimelineType: + description: The type of Timeline. + enum: + - default + - template + type: string + SLOs_400_response: + title: Bad request + type: object + properties: + error: + example: Bad Request + type: string + message: + example: 'Invalid value ''foo'' supplied to: [...]' + type: string + statusCode: + example: 400 + type: number + required: + - statusCode + - error + - message + SLOs_401_response: + title: Unauthorized + type: object + properties: + error: + example: Unauthorized + type: string + message: + example: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastics] for REST request [/_security/_authenticate]]: unable to authenticate user [elastics] for REST request [/_security/_authenticate]" + type: string + statusCode: + example: 401 + type: number + required: + - statusCode + - error + - message + SLOs_403_response: + title: Forbidden + type: object + properties: + error: + example: Forbidden + type: string + message: + example: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: action [slo_write] is unauthorized for user [limited_user] for REST request [/api/observability/slos]]: action [slo_write] is unauthorized for user [limited_user]" + type: string + statusCode: + example: 403 + type: number + required: + - statusCode + - error + - message + SLOs_404_response: + title: Not found + type: object + properties: + error: + example: Not Found + type: string + message: + example: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found + type: string + statusCode: + example: 404 + type: number + required: + - statusCode + - error + - message + SLOs_409_response: + title: Conflict + type: object + properties: + error: + example: Conflict + type: string + message: + example: SLO [d077e940-1515-11ee-9c50-9d096392f520] already exists + type: string + statusCode: + example: 409 + type: number + 
required: + - statusCode + - error + - message + SLOs_artifacts: + description: Links to related assets for the SLO + properties: + dashboards: + description: Array of dashboard references + items: + type: object + properties: + id: + description: Dashboard saved-object id + type: string + required: + - id + type: array + title: Artifacts + type: object + SLOs_budgeting_method: + description: The budgeting method to use when computing the rollup data. + enum: + - occurrences + - timeslices + example: occurrences + title: Budgeting method + type: string + SLOs_bulk_delete_request: + description: | + The bulk delete SLO request takes a list of SLOs Definition id to delete. + properties: + list: + description: An array of SLO Definition id + items: + description: The SLO Definition id + example: 8853df00-ae2e-11ed-90af-09bb6422b258 + type: string + type: array + required: + - list + title: Bulk delete SLO request + type: object + SLOs_bulk_delete_response: + description: | + The bulk delete SLO response returns a taskId that can be used to poll for its status + properties: + taskId: + description: The taskId of the bulk delete operation + example: d08506b7-f0e8-4f8b-a06a-a83940f4db91 + type: string + title: Bulk delete SLO response + type: object + SLOs_bulk_delete_status_response: + description: Indicates if the bulk deletion is completed, with the detailed results of the operation. 
+ properties: + error: + description: The error message if the bulk deletion operation failed + example: Task not found + type: string + isDone: + description: Indicates if the bulk deletion operation is completed + example: true + type: boolean + results: + description: The results of the bulk deletion operation, including the success status and any errors for each SLO + items: + type: object + properties: + error: + description: The error message if the deletion operation failed for this SLO + example: SLO [d08506b7-f0e8-4f8b-a06a-a83940f4db91] not found + type: string + id: + description: The ID of the SLO that was deleted + example: d08506b7-f0e8-4f8b-a06a-a83940f4db91 + type: string + success: + description: The result of the deletion operation for this SLO + example: true + type: boolean + type: array + title: The status of the bulk deletion + type: object + SLOs_bulk_purge_rollup_request: + description: | + The bulk purge rollup data request takes a list of SLO ids and a purge policy, then deletes the rollup data according to the purge policy. This API can be used to remove the staled data of an instance SLO that no longer get updated. + properties: + list: + description: An array of slo ids + items: + description: The SLO Definition id + example: 8853df00-ae2e-11ed-90af-09bb6422b258 + type: string + type: array + purgePolicy: + description: Policy that dictates which SLI documents to purge based on age + oneOf: + - type: object + properties: + age: + description: The duration to determine which documents to purge, formatted as {duration}{unit}. This value should be greater than or equal to the time window of every SLO provided. 
+ example: 7d + type: string + purgeType: + description: Specifies whether documents will be purged based on a specific age or on a timestamp + enum: + - fixed-age + type: string + - type: object + properties: + purgeType: + description: Specifies whether documents will be purged based on a specific age or on a timestamp + enum: + - fixed-time + type: string + timestamp: + description: The timestamp to determine which documents to purge, formatted in ISO. This value should be older than the applicable time window of every SLO provided. + example: '2024-12-31T00:00:00.000Z' + type: string + type: object + required: + - list + - purgePolicy + title: Bulk Purge Rollup data request + type: object + SLOs_bulk_purge_rollup_response: + description: | + The bulk purge rollup data response returns a task id from the elasticsearch deleteByQuery response. + properties: + taskId: + description: The task id of the purge operation + example: 8853df00-ae2e-11ed-90af-09bb6422b258 type: string - query: - nullable: true + title: Bulk Purge Rollup data response + type: object + SLOs_create_slo_request: + description: | + The create SLO API request body varies depending on the type of indicator, time window and budgeting method. + properties: + artifacts: + $ref: '#/components/schemas/SLOs_artifacts' + budgetingMethod: + $ref: '#/components/schemas/SLOs_budgeting_method' + description: + description: A description for the SLO. type: string - range: - nullable: true + groupBy: + $ref: '#/components/schemas/SLOs_group_by' + id: + description: A optional and unique identifier for the SLO. 
Must be between 8 and 36 chars + example: my-super-slo-id type: string - script: - nullable: true + indicator: + oneOf: + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' + - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' + - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' + name: + description: A name for the SLO. type: string - Security_Timeline_API_GetNotesResult: - type: object - properties: - notes: + objective: + $ref: '#/components/schemas/SLOs_objective' + settings: + $ref: '#/components/schemas/SLOs_settings' + tags: + description: List of tags items: - $ref: '#/components/schemas/Security_Timeline_API_Note' + type: string type: array - totalCount: - description: >- - Number of notes returned (may be adjusted after the query when - `associatedFilter` applies post-filtering). - type: number + timeWindow: + $ref: '#/components/schemas/SLOs_time_window' required: - - totalCount - - notes - Security_Timeline_API_ImportTimelineResult: + - name + - description + - indicator + - timeWindow + - budgetingMethod + - objective + title: Create SLO request + type: object + SLOs_create_slo_response: + title: Create SLO response type: object properties: - errors: - description: The list of failed Timeline imports + id: + example: 8853df00-ae2e-11ed-90af-09bb6422b258 + type: string + required: + - id + SLOs_delete_slo_instances_request: + description: | + The delete SLO instances request takes a list of SLO id and instance id, then delete the rollup and summary data. This API can be used to remove the staled data of an instance SLO that no longer get updated. 
+ properties: + list: + description: An array of slo id and instance id items: type: object properties: - error: - description: >- - The error containing the reason why the timeline could not be - imported - type: object - properties: - message: - description: The reason why the timeline could not be imported - example: Malformed JSON - type: string - status_code: - description: The HTTP status code of the error - example: 400 - type: number - id: - description: The ID of the timeline that failed to import - example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 + instanceId: + description: The SLO instance identifier + example: 8853df00-ae2e-11ed-90af-09bb6422b258 + type: string + sloId: + description: The SLO unique identifier + example: 8853df00-ae2e-11ed-90af-09bb6422b258 type: string + required: + - sloId + - instanceId type: array - success: - description: Indicates whether any of the Timelines were successfully imports - type: boolean - success_count: - description: The amount of successfully imported/updated Timelines - example: 99 + required: + - list + title: Delete SLO instances request + type: object + SLOs_error_budget: + title: Error budget + type: object + properties: + consumed: + description: The error budget consummed, as a percentage of the initial value. + example: 0.8 type: number - timelines_installed: - description: The amount of successfully installed Timelines - example: 80 + initial: + description: The initial error budget, as 1 - objective + example: 0.02 type: number - timelines_updated: - description: The amount of successfully updated Timelines - example: 19 + isEstimated: + description: Only for SLO defined with occurrences budgeting method and calendar aligned time window. + example: true + type: boolean + remaining: + description: The error budget remaining, as a percentage of the initial value. 
+ example: 0.2 type: number - Security_Timeline_API_ImportTimelines: - allOf: - - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' + required: + - initial + - consumed + - remaining + - isEstimated + SLOs_filter: + description: Defines properties for a filter + properties: + meta: + $ref: '#/components/schemas/SLOs_filter_meta' + query: + type: object + title: Filter + type: object + SLOs_filter_meta: + description: Defines properties for a filter + properties: + alias: + nullable: true + type: string + controlledBy: + type: string + disabled: + type: boolean + field: + type: string + group: + type: string + index: + type: string + isMultiIndex: + type: boolean + key: + type: string + negate: + type: boolean + params: + type: object + type: + type: string + value: + type: string + title: FilterMeta + type: object + SLOs_find_slo_definitions_response: + description: | + A paginated response of SLO definitions matching the query. + oneOf: - type: object properties: - eventNotes: + page: + example: 1 + type: number + perPage: + example: 25 + type: number + results: items: - $ref: '#/components/schemas/Security_Timeline_API_BareNote' - nullable: true + $ref: '#/components/schemas/SLOs_slo_with_summary_response' type: array - globalNotes: + total: + example: 34 + type: number + - type: object + properties: + page: + default: 1 + description: for backward compability + type: number + perPage: + description: for backward compability + example: 25 + type: number + results: items: - $ref: '#/components/schemas/Security_Timeline_API_BareNote' - nullable: true + $ref: '#/components/schemas/SLOs_slo_with_summary_response' type: array - pinnedEventIds: + searchAfter: + description: the cursor to provide to get the next paged results + example: + - some-slo-id + - other-cursor-id items: type: string - nullable: true type: array - savedObjectId: - nullable: true - type: string - version: - nullable: true - type: string - required: - - savedObjectId - - version - - 
pinnedEventIds - - eventNotes - - globalNotes - Security_Timeline_API_Note: - allOf: - - $ref: '#/components/schemas/Security_Timeline_API_BareNote' - - type: object - properties: - noteId: - description: The `savedObjectId` of the note - example: 709f99c6-89b6-4953-9160-35945c8e174e - type: string - version: - description: The version of the note - example: WzQ2LDFd - type: string - required: - - noteId - - version - Security_Timeline_API_NoteCreatedAndUpdatedMetadata: + size: + example: 25 + type: number + total: + example: 34 + type: number + title: Find SLO definitions response type: object + SLOs_find_slo_response: + description: | + A paginated response of SLOs matching the query. properties: - created: - description: The time the note was created, using a 13-digit Epoch timestamp. - example: 1587468588922 - nullable: true + page: + example: 1 type: number - createdBy: - description: The user who created the note. - example: casetester - nullable: true - type: string - updated: - description: The last time the note was updated, using a 13-digit Epoch timestamp - example: 1741344876825 - nullable: true + perPage: + example: 25 type: number - updatedBy: - description: The user who last updated the note - example: casetester - nullable: true + results: + items: + $ref: '#/components/schemas/SLOs_slo_with_summary_response' + type: array + searchAfter: type: string - Security_Timeline_API_PersistPinnedEventResponse: + size: + description: Size provided for cursor based pagination + example: 25 + type: number + total: + example: 34 + type: number + title: Find SLO response + type: object + SLOs_group_by: + description: optional group by field or fields to use to generate an SLO per distinct value + example: + - - service.name + - service.name + - - service.name + - service.environment oneOf: - - $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent' - - type: object - properties: - unpinned: - description: Indicates whether the event was successfully 
unpinned - type: boolean - required: - - unpinned - Security_Timeline_API_PersistTimelineResponse: - $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' - Security_Timeline_API_PinnedEvent: - allOf: - - $ref: '#/components/schemas/Security_Timeline_API_BarePinnedEvent' - - type: object + - type: string + - items: + type: string + type: array + title: Group by + SLOs_indicator_properties_apm_availability: + description: Defines properties for the APM availability indicator type + type: object + properties: + params: + description: An object containing the indicator parameters. + nullable: false + type: object properties: - pinnedEventId: - description: The `savedObjectId` of this pinned event - example: 10r1929b-0af7-42bd-85a8-56e234f98h2f3 + environment: + description: The APM service environment or "*" + example: production type: string - version: - description: The version of this pinned event - example: WzQ2LDFe + filter: + description: KQL query used for filtering the data + example: 'service.foo : "bar"' + type: string + index: + description: The index used by APM metrics + example: metrics-apm*,apm* + type: string + service: + description: The APM service name + example: o11y-app + type: string + transactionName: + description: The APM transaction name or "*" + example: GET /my/api + type: string + transactionType: + description: The APM transaction type or "*" + example: request type: string required: - - pinnedEventId - - version - Security_Timeline_API_PinnedEventCreatedAndUpdatedMetadata: - type: object - properties: - created: - description: >- - The time the pinned event was created, using a 13-digit Epoch - timestamp. - example: 1587468588922 - nullable: true - type: number - createdBy: - description: The user who created the pinned event. 
- example: casetester - nullable: true - type: string - updated: - description: >- - The last time the pinned event was updated, using a 13-digit Epoch - timestamp - example: 1741344876825 - nullable: true - type: number - updatedBy: - description: The user who last updated the pinned event - example: casetester - nullable: true + - service + - environment + - transactionType + - transactionName + - index + type: + description: The type of indicator. + example: sli.apm.transactionDuration type: string - Security_Timeline_API_QueryMatchResult: + required: + - type + - params + title: APM availability + SLOs_indicator_properties_apm_latency: + description: Defines properties for the APM latency indicator type type: object properties: - displayField: - nullable: true - type: string - displayValue: - nullable: true - type: string - field: - nullable: true - type: string - operator: - nullable: true - type: string - value: - oneOf: - - nullable: true + params: + description: An object containing the indicator parameters. 
+ nullable: false + type: object + properties: + environment: + description: The APM service environment or "*" + example: production type: string - - items: - type: string - nullable: true - type: array - Security_Timeline_API_ResolvedTimeline: - type: object - properties: - alias_purpose: - $ref: >- - #/components/schemas/Security_Timeline_API_SavedObjectResolveAliasPurpose - alias_target_id: + filter: + description: KQL query used for filtering the data + example: 'service.foo : "bar"' + type: string + index: + description: The index used by APM metrics + example: metrics-apm*,apm* + type: string + service: + description: The APM service name + example: o11y-app + type: string + threshold: + description: The latency threshold in milliseconds + example: 250 + type: number + transactionName: + description: The APM transaction name or "*" + example: GET /my/api + type: string + transactionType: + description: The APM transaction type or "*" + example: request + type: string + required: + - service + - environment + - transactionType + - transactionName + - index + - threshold + type: + description: The type of indicator. 
+ example: sli.apm.transactionDuration type: string - outcome: - $ref: '#/components/schemas/Security_Timeline_API_SavedObjectResolveOutcome' - timeline: - $ref: >- - #/components/schemas/Security_Timeline_API_TimelineSavedToReturnObject - required: - - timeline - - outcome - Security_Timeline_API_ResponseNote: - type: object - properties: - note: - $ref: '#/components/schemas/Security_Timeline_API_Note' required: - - note - Security_Timeline_API_RowRendererId: - description: Identifies the available row renderers - enum: - - alert - - alerts - - auditd - - auditd_file - - library - - netflow - - plain - - registry - - suricata - - system - - system_dns - - system_endgame_process - - system_file - - system_fim - - system_security_event - - system_socket - - threat_match - - zeek - type: string - Security_Timeline_API_SavedObjectIds: - description: One Timeline saved object ID or an array of IDs. - oneOf: - - items: - type: string - type: array - - type: string - Security_Timeline_API_SavedObjectResolveAliasPurpose: - enum: - - savedObjectConversion - - savedObjectImport - type: string - Security_Timeline_API_SavedObjectResolveOutcome: - enum: - - exactMatch - - aliasMatch - - conflict - type: string - Security_Timeline_API_SavedTimeline: + - type + - params + title: APM latency + SLOs_indicator_properties_custom_kql: + description: Defines properties for a custom query indicator type type: object properties: - columns: - description: The Timeline's columns - example: - - columnHeaderType: not-filtered - id: '@timestamp' - - columnHeaderType: not-filtered - id: event.category - items: - $ref: '#/components/schemas/Security_Timeline_API_ColumnHeaderResult' - nullable: true - type: array - created: - description: The time the Timeline was created, using a 13-digit Epoch timestamp. - example: 1587468588922 - nullable: true - type: number - createdBy: - description: The user who created the Timeline. 
- example: casetester - nullable: true - type: string - dataProviders: - description: Object containing query clauses - example: - - enabled: true - excluded: false - id: >- - id-d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b - name: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b - queryMatch: - field: _id, - operator: ':' - value: >- - d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b, - items: - $ref: '#/components/schemas/Security_Timeline_API_DataProviderResult' - nullable: true - type: array - dataViewId: - description: ID of the Timeline's Data View - example: security-solution-default - nullable: true - type: string - dateRange: - description: The Timeline's search period. - example: - end: 1587456479201 - start: 1587370079200 - nullable: true + params: + description: An object containing the indicator parameters. + nullable: false type: object properties: - end: - oneOf: - - nullable: true - type: string - - nullable: true - type: number - start: - oneOf: - - nullable: true - type: string - - nullable: true - type: number - description: - description: The Timeline's description - example: Investigating exposure of CVE XYZ - nullable: true + dataViewId: + description: The kibana data view id to use, primarily used to include data view runtime mappings. Make sure to save SLO again if you add/update run time fields to the data view and if those fields are being used in slo queries. + example: 03b80ab3-003d-498b-881c-3beedbaf1162 + type: string + filter: + $ref: '#/components/schemas/SLOs_kql_with_filters' + good: + $ref: '#/components/schemas/SLOs_kql_with_filters_good' + index: + description: The index or index pattern to use + example: my-service-* + type: string + timestampField: + description: | + The timestamp field used in the source indice. 
+ example: timestamp + type: string + total: + $ref: '#/components/schemas/SLOs_kql_with_filters_total' + required: + - index + - timestampField + - good + - total + type: + description: The type of indicator. + example: sli.kql.custom type: string - eqlOptions: - description: EQL query that is used in the correlation tab - example: - eventCategoryField: event.category - query: sequence\n[process where process.name == "sudo"]\n[any where true] - size: 100 - timestampField: '@timestamp' - nullable: true + required: + - type + - params + title: Custom Query + SLOs_indicator_properties_custom_metric: + description: Defines properties for a custom metric indicator type + type: object + properties: + params: + description: An object containing the indicator parameters. + nullable: false type: object properties: - eventCategoryField: - nullable: true + dataViewId: + description: The kibana data view id to use, primarily used to include data view runtime mappings. Make sure to save SLO again if you add/update run time fields to the data view and if those fields are being used in slo queries. + example: 03b80ab3-003d-498b-881c-3beedbaf1162 type: string - query: - nullable: true + filter: + description: the KQL query to filter the documents with. + example: 'field.environment : "production" and service.name : "my-service"' type: string - size: - oneOf: - - nullable: true + good: + description: | + An object defining the "good" metrics and equation + type: object + properties: + equation: + description: The equation to calculate the "good" metric. + example: A type: string - - nullable: true - type: number - tiebreakerField: - nullable: true + metrics: + description: List of metrics with their name, aggregation type, and field. + items: + oneOf: + - type: object + properties: + aggregation: + description: The aggregation type of the metric. + enum: + - sum + example: sum + type: string + field: + description: The field of the metric. 
+ example: processor.processed + type: string + filter: + description: The filter to apply to the metric. + example: 'processor.outcome: *' + type: string + name: + description: The name of the metric. Only valid options are A-Z + example: A + pattern: ^[A-Z]$ + type: string + required: + - name + - aggregation + - field + - type: object + properties: + aggregation: + description: The aggregation type of the metric. + enum: + - doc_count + example: doc_count + type: string + filter: + description: The filter to apply to the metric. + example: 'processor.outcome: *' + type: string + name: + description: The name of the metric. Only valid options are A-Z + example: A + pattern: ^[A-Z]$ + type: string + required: + - name + - aggregation + type: array + required: + - metrics + - equation + index: + description: The index or index pattern to use + example: my-service-* type: string timestampField: - nullable: true + description: | + The timestamp field used in the source indice. + example: timestamp type: string - eventType: - deprecated: true - description: Event types displayed in the Timeline - example: all - nullable: true - type: string - excludedRowRendererIds: - description: >- - A list of row renderers that should not be used when in `Event - renderers` mode - items: - $ref: '#/components/schemas/Security_Timeline_API_RowRendererId' - nullable: true - type: array - favorite: - items: - $ref: '#/components/schemas/Security_Timeline_API_FavoriteTimelineResult' - nullable: true - type: array - filters: - description: A list of filters that should be applied to the query - items: - $ref: '#/components/schemas/Security_Timeline_API_FilterTimelineResult' - nullable: true - type: array - indexNames: - description: >- - A list of index names to use in the query (e.g. 
when the default - data view has been modified) - example: - - .logs* - items: - type: string - nullable: true - type: array - kqlMode: - description: >- - Indicates whether the KQL bar filters the query results or searches - for additional results, where: - * `filter`: filters query results - * `search`: displays additional search results - example: search - nullable: true - type: string - kqlQuery: - $ref: >- - #/components/schemas/Security_Timeline_API_SerializedFilterQueryResult - nullable: true - savedQueryId: - description: The ID of the saved query that might be used in the Query tab - example: c7b16904-02d7-4f32-b8f2-cc20f9625d6e - nullable: true - type: string - savedSearchId: - description: The ID of the saved search that is used in the ES|QL tab - example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 - nullable: true - type: string - sort: - $ref: '#/components/schemas/Security_Timeline_API_Sort' - nullable: true - status: - $ref: '#/components/schemas/Security_Timeline_API_TimelineStatus' - nullable: true - templateTimelineId: - description: >- - A unique ID (UUID) for Timeline templates. For Timelines, the value - is `null`. - example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 - nullable: true - type: string - templateTimelineVersion: - description: >- - Timeline template version number. For Timelines, the value is - `null`. - example: 12 - nullable: true - type: number - timelineType: - $ref: '#/components/schemas/Security_Timeline_API_TimelineType' - nullable: true - title: - description: The Timeline's title. 
- example: CVE XYZ investigation - nullable: true - type: string - updated: - description: >- - The last time the Timeline was updated, using a 13-digit Epoch - timestamp - example: 1741344876825 - nullable: true - type: number - updatedBy: - description: The user who last updated the Timeline - example: casetester - nullable: true + total: + description: | + An object defining the "total" metrics and equation + type: object + properties: + equation: + description: The equation to calculate the "total" metric. + example: A + type: string + metrics: + description: List of metrics with their name, aggregation type, and field. + items: + oneOf: + - type: object + properties: + aggregation: + description: The aggregation type of the metric. + enum: + - sum + example: sum + type: string + field: + description: The field of the metric. + example: processor.processed + type: string + filter: + description: The filter to apply to the metric. + example: 'processor.outcome: *' + type: string + name: + description: The name of the metric. Only valid options are A-Z + example: A + pattern: ^[A-Z]$ + type: string + required: + - name + - aggregation + - field + - type: object + properties: + aggregation: + description: The aggregation type of the metric. + enum: + - doc_count + example: doc_count + type: string + filter: + description: The filter to apply to the metric. + example: 'processor.outcome: *' + type: string + name: + description: The name of the metric. Only valid options are A-Z + example: A + pattern: ^[A-Z]$ + type: string + required: + - name + - aggregation + type: array + required: + - metrics + - equation + required: + - index + - timestampField + - good + - total + type: + description: The type of indicator. 
+ example: sli.metric.custom type: string - Security_Timeline_API_SavedTimelineWithSavedObjectId: - allOf: - - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' - - type: object + required: + - type + - params + title: Custom metric + SLOs_indicator_properties_histogram: + description: Defines properties for a histogram indicator type + type: object + properties: + params: + description: An object containing the indicator parameters. + nullable: false + type: object properties: - savedObjectId: - description: The `savedObjectId` of the Timeline or Timeline template - example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + dataViewId: + description: The kibana data view id to use, primarily used to include data view runtime mappings. Make sure to save SLO again if you add/update run time fields to the data view and if those fields are being used in slo queries. + example: 03b80ab3-003d-498b-881c-3beedbaf1162 type: string - version: - description: The version of the Timeline or Timeline template - example: WzE0LDFd + filter: + description: the KQL query to filter the documents with. + example: 'field.environment : "production" and service.name : "my-service"' + type: string + good: + description: | + An object defining the "good" events + type: object + properties: + aggregation: + description: The type of aggregation to use. + enum: + - value_count + - range + example: value_count + type: string + field: + description: The field use to aggregate the good events. + example: processor.latency + type: string + filter: + description: The filter for good events. + example: 'processor.outcome: "success"' + type: string + from: + description: The starting value of the range. Only required for "range" aggregations. + example: 0 + type: number + to: + description: The ending value of the range. Only required for "range" aggregations. 
+ example: 100 + type: number + required: + - aggregation + - field + index: + description: The index or index pattern to use + example: my-service-* + type: string + timestampField: + description: | + The timestamp field used in the source indice. + example: timestamp type: string + total: + description: | + An object defining the "total" events + type: object + properties: + aggregation: + description: The type of aggregation to use. + enum: + - value_count + - range + example: value_count + type: string + field: + description: The field use to aggregate the good events. + example: processor.latency + type: string + filter: + description: The filter for total events. + example: 'processor.outcome : *' + type: string + from: + description: The starting value of the range. Only required for "range" aggregations. + example: 0 + type: number + to: + description: The ending value of the range. Only required for "range" aggregations. + example: 100 + type: number + required: + - aggregation + - field required: - - savedObjectId - - version - Security_Timeline_API_SerializedFilterQueryResult: - description: KQL bar query. - example: - filterQuery: null - kuery: - expression: '_id : *' - kind: kuery - serializedQuery: >- - {"bool":{"should":[{"exists":{"field":"_id"}}],"minimum_should_match":1}} + - index + - timestampField + - good + - total + type: + description: The type of indicator. + example: sli.histogram.custom + type: string + required: + - type + - params + title: Histogram indicator + SLOs_indicator_properties_timeslice_metric: + description: Defines properties for a timeslice metric indicator type type: object properties: - filterQuery: - nullable: true + params: + description: An object containing the indicator parameters. + nullable: false type: object properties: - kuery: - nullable: true + dataViewId: + description: The kibana data view id to use, primarily used to include data view runtime mappings. 
Make sure to save SLO again if you add/update run time fields to the data view and if those fields are being used in slo queries. + example: 03b80ab3-003d-498b-881c-3beedbaf1162 + type: string + filter: + description: the KQL query to filter the documents with. + example: 'field.environment : "production" and service.name : "my-service"' + type: string + index: + description: The index or index pattern to use + example: my-service-* + type: string + metric: + description: | + An object defining the metrics, equation, and threshold to determine if it's a good slice or not type: object properties: - expression: - nullable: true + comparator: + description: The comparator to use to compare the equation to the threshold. + enum: + - GT + - GTE + - LT + - LTE + example: GT type: string - kind: - nullable: true + equation: + description: The equation to calculate the metric. + example: A type: string - serializedQuery: - nullable: true + metrics: + description: List of metrics with their name, aggregation type, and field. 
+ items: + anyOf: + - $ref: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field' + - $ref: '#/components/schemas/SLOs_timeslice_metric_percentile_metric' + - $ref: '#/components/schemas/SLOs_timeslice_metric_doc_count_metric' + discriminator: + mapping: + avg: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field' + cardinality: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field' + doc_count: '#/components/schemas/SLOs_timeslice_metric_doc_count_metric' + last_value: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field' + max: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field' + min: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field' + percentile: '#/components/schemas/SLOs_timeslice_metric_percentile_metric' + std_deviation: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field' + sum: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field' + propertyName: aggregation + type: array + threshold: + description: The threshold used to determine if the metric is a good slice or not. + example: 100 + type: number + required: + - metrics + - equation + - comparator + - threshold + timestampField: + description: | + The timestamp field used in the source indice. + example: timestamp type: string - Security_Timeline_API_Sort: - oneOf: - - $ref: '#/components/schemas/Security_Timeline_API_SortObject' - - items: - $ref: '#/components/schemas/Security_Timeline_API_SortObject' - type: array - Security_Timeline_API_SortFieldTimeline: - description: The field to sort the timelines by. 
- enum: - - title - - description - - updated - - created - type: string - Security_Timeline_API_SortObject: - description: Object indicating how rows are sorted in the Timeline's grid - example: - columnId: '@timestamp' - sortDirection: desc - type: object - properties: - columnId: - nullable: true - type: string - columnType: - nullable: true + required: + - index + - timestampField + - metric + type: + description: The type of indicator. + example: sli.metric.timeslice type: string - sortDirection: - nullable: true + required: + - type + - params + title: Timeslice metric + SLOs_kql_with_filters: + description: Defines properties for a filter + oneOf: + - description: the KQL query to filter the documents with. + example: 'field.environment : "production" and service.name : "my-service"' type: string - Security_Timeline_API_TimelineResponse: - allOf: - - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' - - $ref: >- - #/components/schemas/Security_Timeline_API_SavedTimelineWithSavedObjectId - type: object properties: - eventIdToNoteIds: - description: A list of all the notes that are associated to this Timeline. - items: - $ref: '#/components/schemas/Security_Timeline_API_Note' - nullable: true - type: array - noteIds: - description: >- - A list of all the ids of notes that are associated to this - Timeline. - example: - - 709f99c6-89b6-4953-9160-35945c8e174e - items: - type: string - nullable: true - type: array - notes: - description: A list of all the notes that are associated to this Timeline. - items: - $ref: '#/components/schemas/Security_Timeline_API_Note' - nullable: true - type: array - pinnedEventIds: - description: >- - A list of all the ids of pinned events that are associated to - this Timeline. - example: - - 983f99c6-89b6-4953-9160-35945c8a194f - items: - type: string - nullable: true - type: array - pinnedEventsSaveObject: - description: >- - A list of all the pinned events that are associated to this - Timeline. 
+ filters: items: - $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent' - nullable: true + $ref: '#/components/schemas/SLOs_filter' type: array - Security_Timeline_API_TimelineSavedToReturnObject: - allOf: - - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' + kqlQuery: + type: string + title: KQL with filters + SLOs_kql_with_filters_good: + description: The KQL query used to define the good events. + oneOf: + - description: the KQL query to filter the documents with. + example: 'request.latency <= 150 and request.status_code : "2xx"' + type: string - type: object properties: - eventIdToNoteIds: - items: - $ref: '#/components/schemas/Security_Timeline_API_Note' - nullable: true - type: array - noteIds: - items: - type: string - nullable: true - type: array - notes: - items: - $ref: '#/components/schemas/Security_Timeline_API_Note' - nullable: true - type: array - pinnedEventIds: + filters: items: - type: string - nullable: true + $ref: '#/components/schemas/SLOs_filter' type: array - pinnedEventsSaveObject: + kqlQuery: + type: string + title: KQL query for good events + SLOs_kql_with_filters_total: + description: The KQL query used to define all events. + oneOf: + - description: the KQL query to filter the documents with. + example: 'field.environment : "production" and service.name : "my-service"' + type: string + - type: object + properties: + filters: items: - $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent' - nullable: true + $ref: '#/components/schemas/SLOs_filter' type: array - savedObjectId: - type: string - version: + kqlQuery: type: string - required: - - savedObjectId - - version - Security_Timeline_API_TimelineStatus: - description: The status of the Timeline. - enum: - - active - - draft - - immutable - type: string - Security_Timeline_API_TimelineType: - description: The type of Timeline. 
- enum: - - default - - template - type: string - SLOs_400_response: - title: Bad request + title: KQL query for all events + SLOs_objective: + description: Defines properties for the SLO objective type: object properties: - error: - example: Bad Request - type: string - message: - example: 'Invalid value ''foo'' supplied to: [...]' - type: string - statusCode: - example: 400 + target: + description: the target objective between 0 and 1 excluded + example: 0.99 + exclusiveMaximum: true + exclusiveMinimum: true + maximum: 100 + minimum: 0 + type: number + timesliceTarget: + description: the target objective for each slice when using a timeslices budgeting method + example: 0.995 + maximum: 100 + minimum: 0 type: number + timesliceWindow: + description: the duration of each slice when using a timeslices budgeting method, as {duraton}{unit} + example: 5m + type: string required: - - statusCode - - error - - message - SLOs_401_response: - title: Unauthorized - type: object + - target + title: Objective + SLOs_settings: + description: Defines properties for SLO settings. properties: - error: - example: Unauthorized + frequency: + default: 1m + description: The interval between checks for changes in the source data. The minimum value is 1m and the maximum is 59m. The default value is 1 minute. + example: 5m type: string - message: - example: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastics] for REST request [/_security/_authenticate]]: unable to authenticate user [elastics] for REST request [/_security/_authenticate]" + preventInitialBackfill: + default: false + description: Start aggregating data from the time the SLO is created, instead of backfilling data from the beginning of the time window. + example: true + type: boolean + syncDelay: + default: 1m + description: The time delay in minutes between the current time and the latest source data time. Increasing the value will delay any alerting. 
The default value is 1 minute. The minimum value is 1m and the maximum is 359m. It should always be greater then source index refresh interval. + example: 5m type: string - statusCode: - example: 401 - type: number - required: - - statusCode - - error - - message - SLOs_403_response: - title: Forbidden + syncField: + description: The date field that is used to identify new documents in the source. It is strongly recommended to use a field that contains the ingest timestamp. If you use a different field, you might need to set the delay such that it accounts for data transmission delays. When unspecified, we use the indicator timestamp field. + example: event.ingested + type: string + title: Settings + type: object + SLOs_slo_definition_response: + title: SLO definition response type: object properties: - error: - example: Forbidden + artifacts: + $ref: '#/components/schemas/SLOs_artifacts' + budgetingMethod: + $ref: '#/components/schemas/SLOs_budgeting_method' + createdAt: + description: The creation date + example: '2023-01-12T10:03:19.000Z' type: string - message: - example: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: action [slo_write] is unauthorized for user [limited_user] for REST request [/api/observability/slos]]: action [slo_write] is unauthorized for user [limited_user]" + description: + description: The description of the SLO. + example: My SLO description type: string - statusCode: - example: 403 - type: number - required: - - statusCode - - error - - message - SLOs_404_response: - title: Not found - type: object - properties: - error: - example: Not Found + enabled: + description: Indicate if the SLO is enabled + example: true + type: boolean + groupBy: + $ref: '#/components/schemas/SLOs_group_by' + id: + description: The identifier of the SLO. 
+ example: 8853df00-ae2e-11ed-90af-09bb6422b258 type: string - message: - example: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found + indicator: + discriminator: + mapping: + sli.apm.transactionDuration: '#/components/schemas/SLOs_indicator_properties_apm_latency' + sli.apm.transactionErrorRate: '#/components/schemas/SLOs_indicator_properties_apm_availability' + sli.histogram.custom: '#/components/schemas/SLOs_indicator_properties_histogram' + sli.kql.custom: '#/components/schemas/SLOs_indicator_properties_custom_kql' + sli.metric.custom: '#/components/schemas/SLOs_indicator_properties_custom_metric' + sli.metric.timeslice: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' + propertyName: type + oneOf: + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' + - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' + - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' + name: + description: The name of the SLO. 
+ example: My Service SLO type: string - statusCode: - example: 404 + objective: + $ref: '#/components/schemas/SLOs_objective' + revision: + description: The SLO revision + example: 2 + type: number + settings: + $ref: '#/components/schemas/SLOs_settings' + tags: + description: List of tags + items: + type: string + type: array + timeWindow: + $ref: '#/components/schemas/SLOs_time_window' + updatedAt: + description: The last update date + example: '2023-01-12T10:03:19.000Z' + type: string + version: + description: The internal SLO version + example: 2 type: number required: - - statusCode - - error - - message - SLOs_409_response: - title: Conflict + - id + - name + - description + - indicator + - timeWindow + - budgetingMethod + - objective + - settings + - revision + - enabled + - groupBy + - tags + - createdAt + - updatedAt + - version + SLOs_slo_with_summary_response: + title: SLO response type: object properties: - error: - example: Conflict + budgetingMethod: + $ref: '#/components/schemas/SLOs_budgeting_method' + createdAt: + description: The creation date + example: '2023-01-12T10:03:19.000Z' type: string - message: - example: SLO [d077e940-1515-11ee-9c50-9d096392f520] already exists + description: + description: The description of the SLO. + example: My SLO description type: string - statusCode: - example: 409 + enabled: + description: Indicate if the SLO is enabled + example: true + type: boolean + groupBy: + $ref: '#/components/schemas/SLOs_group_by' + id: + description: The identifier of the SLO. 
+ example: 8853df00-ae2e-11ed-90af-09bb6422b258 + type: string + indicator: + discriminator: + mapping: + sli.apm.transactionDuration: '#/components/schemas/SLOs_indicator_properties_apm_latency' + sli.apm.transactionErrorRate: '#/components/schemas/SLOs_indicator_properties_apm_availability' + sli.histogram.custom: '#/components/schemas/SLOs_indicator_properties_histogram' + sli.kql.custom: '#/components/schemas/SLOs_indicator_properties_custom_kql' + sli.metric.custom: '#/components/schemas/SLOs_indicator_properties_custom_metric' + sli.metric.timeslice: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' + propertyName: type + oneOf: + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' + - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' + - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' + instanceId: + description: the value derived from the groupBy field, if present, otherwise '*' + example: host-abcde + type: string + name: + description: The name of the SLO. 
+ example: My Service SLO + type: string + objective: + $ref: '#/components/schemas/SLOs_objective' + revision: + description: The SLO revision + example: 2 type: number - required: - - statusCode - - error - - message - SLOs_artifacts: - description: Links to related assets for the SLO - properties: - dashboards: - description: Array of dashboard references + settings: + $ref: '#/components/schemas/SLOs_settings' + summary: + $ref: '#/components/schemas/SLOs_summary' + tags: + description: List of tags items: - type: object - properties: - id: - description: Dashboard saved-object id - type: string - required: - - id + type: string type: array - title: Artifacts + timeWindow: + $ref: '#/components/schemas/SLOs_time_window' + updatedAt: + description: The last update date + example: '2023-01-12T10:03:19.000Z' + type: string + version: + description: The internal SLO version + example: 2 + type: number + required: + - id + - name + - description + - indicator + - timeWindow + - budgetingMethod + - objective + - settings + - revision + - summary + - enabled + - groupBy + - instanceId + - tags + - createdAt + - updatedAt + - version + SLOs_summary: + description: The SLO computed data + properties: + errorBudget: + $ref: '#/components/schemas/SLOs_error_budget' + sliValue: + example: 0.9836 + type: number + status: + $ref: '#/components/schemas/SLOs_summary_status' + required: + - status + - sliValue + - errorBudget + title: Summary type: object - SLOs_budgeting_method: - description: The budgeting method to use when computing the rollup data. + SLOs_summary_status: enum: - - occurrences - - timeslices - example: occurrences - title: Budgeting method + - NO_DATA + - HEALTHY + - DEGRADING + - VIOLATED + example: HEALTHY + title: summary status type: string - SLOs_bulk_delete_request: - description: > - The bulk delete SLO request takes a list of SLOs Definition id to - delete. 
+ SLOs_time_window: + description: Defines properties for the SLO time window + type: object properties: - list: - description: An array of SLO Definition id - items: - description: The SLO Definition id - example: 8853df00-ae2e-11ed-90af-09bb6422b258 - type: string - type: array + duration: + description: 'the duration formatted as {duration}{unit}. Accepted values for rolling: 7d, 30d, 90d. Accepted values for calendar aligned: 1w (weekly) or 1M (monthly)' + example: 30d + type: string + type: + description: Indicates weither the time window is a rolling or a calendar aligned time window. + enum: + - rolling + - calendarAligned + example: rolling + type: string required: - - list - title: Bulk delete SLO request + - duration + - type + title: Time window + SLOs_timeslice_metric_basic_metric_with_field: + type: object + properties: + aggregation: + description: The aggregation type of the metric. + enum: + - sum + - avg + - min + - max + - std_deviation + - last_value + - cardinality + example: sum + type: string + field: + description: The field of the metric. + example: processor.processed + type: string + filter: + description: The filter to apply to the metric. + example: 'processor.outcome: "success"' + type: string + name: + description: The name of the metric. Only valid options are A-Z + example: A + pattern: ^[A-Z]$ + type: string + required: + - name + - aggregation + - field + title: Timeslice Metric Basic Metric with Field + SLOs_timeslice_metric_doc_count_metric: type: object - SLOs_bulk_delete_response: - description: > - The bulk delete SLO response returns a taskId that can be used to poll - for its status properties: - taskId: - description: The taskId of the bulk delete operation - example: d08506b7-f0e8-4f8b-a06a-a83940f4db91 + aggregation: + description: The aggregation type of the metric. 
Only valid option is "doc_count" + enum: + - doc_count + example: doc_count type: string - title: Bulk delete SLO response - type: object - SLOs_bulk_delete_status_response: - description: >- - Indicates if the bulk deletion is completed, with the detailed results - of the operation. - properties: - error: - description: The error message if the bulk deletion operation failed - example: Task not found + filter: + description: The filter to apply to the metric. + example: 'processor.outcome: "success"' + type: string + name: + description: The name of the metric. Only valid options are A-Z + example: A + pattern: ^[A-Z]$ type: string - isDone: - description: Indicates if the bulk deletion operation is completed - example: true - type: boolean - results: - description: >- - The results of the bulk deletion operation, including the success - status and any errors for each SLO - items: - type: object - properties: - error: - description: >- - The error message if the deletion operation failed for this - SLO - example: SLO [d08506b7-f0e8-4f8b-a06a-a83940f4db91] not found - type: string - id: - description: The ID of the SLO that was deleted - example: d08506b7-f0e8-4f8b-a06a-a83940f4db91 - type: string - success: - description: The result of the deletion operation for this SLO - example: true - type: boolean - type: array - title: The status of the bulk deletion - type: object - SLOs_bulk_purge_rollup_request: - description: > - The bulk purge rollup data request takes a list of SLO ids and a purge - policy, then deletes the rollup data according to the purge policy. This - API can be used to remove the staled data of an instance SLO that no - longer get updated. 
- properties: - list: - description: An array of slo ids - items: - description: The SLO Definition id - example: 8853df00-ae2e-11ed-90af-09bb6422b258 - type: string - type: array - purgePolicy: - description: Policy that dictates which SLI documents to purge based on age - oneOf: - - type: object - properties: - age: - description: >- - The duration to determine which documents to purge, - formatted as {duration}{unit}. This value should be greater - than or equal to the time window of every SLO provided. - example: 7d - type: string - purgeType: - description: >- - Specifies whether documents will be purged based on a - specific age or on a timestamp - enum: - - fixed-age - type: string - - type: object - properties: - purgeType: - description: >- - Specifies whether documents will be purged based on a - specific age or on a timestamp - enum: - - fixed-time - type: string - timestamp: - description: >- - The timestamp to determine which documents to purge, - formatted in ISO. This value should be older than the - applicable time window of every SLO provided. - example: '2024-12-31T00:00:00.000Z' - type: string - type: object required: - - list - - purgePolicy - title: Bulk Purge Rollup data request + - name + - aggregation + title: Timeslice Metric Doc Count Metric + SLOs_timeslice_metric_percentile_metric: type: object - SLOs_bulk_purge_rollup_response: - description: > - The bulk purge rollup data response returns a task id from the - elasticsearch deleteByQuery response. properties: - taskId: - description: The task id of the purge operation - example: 8853df00-ae2e-11ed-90af-09bb6422b258 + aggregation: + description: The aggregation type of the metric. Only valid option is "percentile" + enum: + - percentile + example: percentile type: string - title: Bulk Purge Rollup data response - type: object - SLOs_create_slo_request: - description: > - The create SLO API request body varies depending on the type of - indicator, time window and budgeting method. 
+ field: + description: The field of the metric. + example: processor.processed + type: string + filter: + description: The filter to apply to the metric. + example: 'processor.outcome: "success"' + type: string + name: + description: The name of the metric. Only valid options are A-Z + example: A + pattern: ^[A-Z]$ + type: string + percentile: + description: The percentile value. + example: 95 + type: number + required: + - name + - aggregation + - field + - percentile + title: Timeslice Metric Percentile Metric + SLOs_update_slo_request: + description: | + The update SLO API request body varies depending on the type of indicator, time window and budgeting method. Partial update is handled. properties: artifacts: $ref: '#/components/schemas/SLOs_artifacts' @@ -72047,12 +124289,6 @@ components: type: string groupBy: $ref: '#/components/schemas/SLOs_group_by' - id: - description: >- - A optional and unique identifier for the SLO. Must be between 8 and - 36 chars - example: my-super-slo-id - type: string indicator: oneOf: - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' 
@@ -72075,1520 +124311,1949 @@ components: type: array timeWindow: $ref: '#/components/schemas/SLOs_time_window' - required: - - name - - description - - indicator - - timeWindow - - budgetingMethod - - objective - title: Create SLO request + title: Update SLO request type: object - SLOs_create_slo_response: - title: Create SLO response + Task_manager_health_Serverless_APIs_configuration: + description: | + This object summarizes the current configuration of Task Manager. This includes dynamic configurations that change over time, such as `poll_interval` and `max_workers`, which can adjust in reaction to changing load on the system. + type: object + Task_manager_health_Serverless_APIs_health_response_serverless: + title: Task health response properties type: object properties: id: - example: 8853df00-ae2e-11ed-90af-09bb6422b258 type: string + last_update: + type: string + stats: + type: object + properties: + configuration: + $ref: '#/components/schemas/Task_manager_health_Serverless_APIs_configuration' + workload: + $ref: '#/components/schemas/Task_manager_health_Serverless_APIs_workload' + status: + type: string + timestamp: + type: string + Task_manager_health_Serverless_APIs_workload: + description: | + This object summarizes the work load across the cluster, including the tasks in the system, their types, and current status. + type: object + bedrock_config: + title: Connector request properties for an Amazon Bedrock connector + description: Defines properties for connectors when type is `.bedrock`. + type: object required: - - id - SLOs_delete_slo_instances_request: - description: > - The delete SLO instances request takes a list of SLO id and instance id, - then delete the rollup and summary data. This API can be used to remove - the staled data of an instance SLO that no longer get updated. 
+ - apiUrl properties: - list: - description: An array of slo id and instance id - items: - type: object - properties: - instanceId: - description: The SLO instance identifier - example: 8853df00-ae2e-11ed-90af-09bb6422b258 - type: string - sloId: - description: The SLO unique identifier - example: 8853df00-ae2e-11ed-90af-09bb6422b258 - type: string - required: - - sloId - - instanceId - type: array + apiUrl: + type: string + description: The Amazon Bedrock request URL. + region: + type: string + description: | + Optional AWS region for request signing. Required when using a custom endpoint URL that does not include the region in the hostname (for example, `us-west-1`). + defaultModel: + type: string + description: | + The generative artificial intelligence model for Amazon Bedrock to use. Current support is for the Anthropic Claude models. + default: us.anthropic.claude-sonnet-4-5-20250929-v1:0 + crowdstrike_config: + title: Connector request config properties for a Crowdstrike connector required: - - list - title: Delete SLO instances request - type: object - SLOs_error_budget: - title: Error budget + - url + description: Defines config properties for connectors when type is `.crowdstrike`. type: object properties: - consumed: - description: The error budget consummed, as a percentage of the initial value. - example: 0.8 - type: number - initial: - description: The initial error budget, as 1 - objective - example: 0.02 - type: number - isEstimated: - description: >- - Only for SLO defined with occurrences budgeting method and calendar - aligned time window. - example: true - type: boolean - remaining: - description: The error budget remaining, as a percentage of the initial value. - example: 0.2 - type: number + url: + description: | + The CrowdStrike tenant URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. 
+ type: string + d3security_config: + title: Connector request properties for a D3 Security connector + description: Defines properties for connectors when type is `.d3security`. + type: object required: - - initial - - consumed - - remaining - - isEstimated - SLOs_filter: - description: Defines properties for a filter + - url properties: - meta: - $ref: '#/components/schemas/SLOs_filter_meta' - query: - type: object - title: Filter + url: + type: string + description: | + The D3 Security API request URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. + email_config: + title: Connector request properties for an email connector + description: Defines properties for connectors when type is `.email`. + required: + - from type: object - SLOs_filter_meta: - description: Defines properties for a filter properties: - alias: + clientId: + description: | + The client identifier, which is a part of OAuth 2.0 client credentials authentication, in GUID format. If `service` is `exchange_server`, this property is required. + type: string nullable: true + from: + description: | + The from address for all emails sent by the connector. It must be specified in `user@host-name` format. type: string - controlledBy: + hasAuth: + description: | + Specifies whether a user and password are required inside the secrets configuration. + default: true + type: boolean + host: + description: | + The host name of the service provider. If the `service` is `elastic_cloud` (for Elastic Cloud notifications) or one of Nodemailer's well-known email service providers, this property is ignored. If `service` is `other`, this property must be defined. type: string - disabled: + oauthTokenUrl: + type: string + nullable: true + port: + description: | + The port to connect to on the service provider. If the `service` is `elastic_cloud` (for Elastic Cloud notifications) or one of Nodemailer's well-known email service providers, this property is ignored. 
If `service` is `other`, this property must be defined. + type: integer + secure: + description: | + Specifies whether the connection to the service provider will use TLS. If the `service` is `elastic_cloud` (for Elastic Cloud notifications) or one of Nodemailer's well-known email service providers, this property is ignored. type: boolean - field: + service: + description: | + The name of the email service. type: string - group: + enum: + - elastic_cloud + - exchange_server + - gmail + - other + - outlook365 + - ses + tenantId: + description: | + The tenant identifier, which is part of OAuth 2.0 client credentials authentication, in GUID format. If `service` is `exchange_server`, this property is required. type: string - index: + nullable: true + gemini_config: + title: Connector request properties for an Google Gemini connector + description: Defines properties for connectors when type is `.gemini`. + type: object + required: + - apiUrl + - gcpRegion + - gcpProjectID + properties: + apiUrl: type: string - isMultiIndex: - type: boolean - key: + description: The Google Gemini request URL. + defaultModel: type: string - negate: + description: The generative artificial intelligence model for Google Gemini to use. + default: gemini-2.5-pro + gcpRegion: + type: string + description: The GCP region where the Vertex AI endpoint enabled. + gcpProjectID: + type: string + description: The Google ProjectID that has Vertex AI endpoint enabled. + resilient_config: + title: Connector request properties for a IBM Resilient connector + required: + - apiUrl + - orgId + description: Defines properties for connectors when type is `.resilient`. + type: object + properties: + apiUrl: + description: The IBM Resilient instance URL. + type: string + orgId: + description: The IBM Resilient organization ID. + type: string + index_config: + title: Connector request properties for an index connector + required: + - index + description: Defines properties for connectors when type is `.index`. 
+ type: object + properties: + executionTimeField: + description: A field that indicates when the document was indexed. + default: null + type: string + nullable: true + index: + description: The Elasticsearch index to be written to. + type: string + refresh: + description: | + The refresh policy for the write request, which affects when changes are made visible to search. Refer to the refresh setting for Elasticsearch document APIs. + default: false type: boolean - params: - type: object - type: + jira_config: + title: Connector request properties for a Jira connector + required: + - apiUrl + - projectKey + description: Defines properties for connectors when type is `.jira`. + type: object + properties: + apiUrl: + description: The Jira instance URL. type: string - value: + projectKey: + description: The Jira project key. type: string - title: FilterMeta + defender_config: + title: Connector request properties for a Microsoft Defender for Endpoint connector + required: + - apiUrl + - projectKey + description: Defines properties for connectors when type is `.microsoft_defender_endpoint`. type: object - SLOs_find_slo_definitions_response: + properties: + apiUrl: + type: string + description: | + The URL of the Microsoft Defender for Endpoint API. If you are using the `xpack.actions.allowedHosts` setting, make sure the hostname is added to the allowed hosts. + clientId: + type: string + description: The application (client) identifier for your app in the Azure portal. + oAuthScope: + type: string + description: The OAuth scopes or permission sets for the Microsoft Defender for Endpoint API. + oAuthServerUrl: + type: string + description: The OAuth server URL where authentication is sent and received for the Microsoft Defender for Endpoint API. + tenantId: + description: The tenant identifier for your app in the Azure portal. 
+ type: string + genai_azure_config: + title: Connector request properties for an OpenAI connector that uses Azure OpenAI description: | - A paginated response of SLO definitions matching the query. - oneOf: - - type: object - properties: - page: - example: 1 - type: number - perPage: - example: 25 - type: number - results: - items: - $ref: '#/components/schemas/SLOs_slo_with_summary_response' - type: array - total: - example: 34 - type: number - - type: object - properties: - page: - default: 1 - description: for backward compability - type: number - perPage: - description: for backward compability - example: 25 - type: number - results: - items: - $ref: '#/components/schemas/SLOs_slo_with_summary_response' - type: array - searchAfter: - description: the cursor to provide to get the next paged results - example: - - some-slo-id - - other-cursor-id - items: - type: string - type: array - size: - example: 25 - type: number - total: - example: 34 - type: number - title: Find SLO definitions response + Defines properties for connectors when type is `.gen-ai` and the API provider is `Azure OpenAI`. type: object - SLOs_find_slo_response: + required: + - apiProvider + - apiUrl + properties: + apiProvider: + type: string + description: The OpenAI API provider. + enum: + - Azure OpenAI + apiUrl: + type: string + description: The OpenAI API endpoint. + genai_openai_config: + title: Connector request properties for an OpenAI connector description: | - A paginated response of SLOs matching the query. + Defines properties for connectors when type is `.gen-ai` and the API provider is `OpenAI`. 
+ type: object + required: + - apiProvider + - apiUrl properties: - page: - example: 1 - type: number - perPage: - example: 25 - type: number - results: - items: - $ref: '#/components/schemas/SLOs_slo_with_summary_response' - type: array - searchAfter: + apiProvider: type: string - size: - description: Size provided for cursor based pagination - example: 25 - type: number - total: - example: 34 - type: number - title: Find SLO response + description: The OpenAI API provider. + enum: + - OpenAI + apiUrl: + type: string + description: The OpenAI API endpoint. + defaultModel: + type: string + description: The default model to use for requests. + opsgenie_config: + title: Connector request properties for an Opsgenie connector + required: + - apiUrl + description: Defines properties for connectors when type is `.opsgenie`. type: object - SLOs_group_by: - description: >- - optional group by field or fields to use to generate an SLO per distinct - value - example: - - - service.name - - service.name - - - service.name - - service.environment - oneOf: - - type: string - - items: - type: string - type: array - title: Group by - SLOs_indicator_properties_apm_availability: - description: Defines properties for the APM availability indicator type + properties: + apiUrl: + description: | + The Opsgenie URL. For example, `https://api.opsgenie.com` or `https://api.eu.opsgenie.com`. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. + type: string + pagerduty_config: + title: Connector request properties for a PagerDuty connector + description: Defines properties for connectors when type is `.pagerduty`. type: object properties: - params: - description: An object containing the indicator parameters. 
- nullable: false - type: object - properties: - environment: - description: The APM service environment or "*" - example: production - type: string - filter: - description: KQL query used for filtering the data - example: 'service.foo : "bar"' - type: string - index: - description: The index used by APM metrics - example: metrics-apm*,apm* - type: string - service: - description: The APM service name - example: o11y-app - type: string - transactionName: - description: The APM transaction name or "*" - example: GET /my/api - type: string - transactionType: - description: The APM transaction type or "*" - example: request - type: string - required: - - service - - environment - - transactionType - - transactionName - - index - type: - description: The type of indicator. - example: sli.apm.transactionDuration + apiUrl: + description: The PagerDuty event URL. type: string + nullable: true + example: https://events.pagerduty.com/v2/enqueue + sentinelone_config: + title: Connector request properties for a SentinelOne connector required: - - type - - params - title: APM availability - SLOs_indicator_properties_apm_latency: - description: Defines properties for the APM latency indicator type + - url + description: Defines properties for connectors when type is `.sentinelone`. type: object properties: - params: - description: An object containing the indicator parameters. 
- nullable: false - type: object - properties: - environment: - description: The APM service environment or "*" - example: production - type: string - filter: - description: KQL query used for filtering the data - example: 'service.foo : "bar"' - type: string - index: - description: The index used by APM metrics - example: metrics-apm*,apm* - type: string - service: - description: The APM service name - example: o11y-app - type: string - threshold: - description: The latency threshold in milliseconds - example: 250 - type: number - transactionName: - description: The APM transaction name or "*" - example: GET /my/api - type: string - transactionType: - description: The APM transaction type or "*" - example: request - type: string - required: - - service - - environment - - transactionType - - transactionName - - index - - threshold - type: - description: The type of indicator. - example: sli.apm.transactionDuration + url: + description: | + The SentinelOne tenant URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. type: string + servicenow_config: + title: Connector request properties for a ServiceNow ITSM connector required: - - type - - params - title: APM latency - SLOs_indicator_properties_custom_kql: - description: Defines properties for a custom query indicator type + - apiUrl + description: Defines properties for connectors when type is `.servicenow`. type: object properties: - params: - description: An object containing the indicator parameters. - nullable: false - type: object - properties: - dataViewId: - description: >- - The kibana data view id to use, primarily used to include data - view runtime mappings. Make sure to save SLO again if you - add/update run time fields to the data view and if those fields - are being used in slo queries. 
- example: 03b80ab3-003d-498b-881c-3beedbaf1162 - type: string - filter: - $ref: '#/components/schemas/SLOs_kql_with_filters' - good: - $ref: '#/components/schemas/SLOs_kql_with_filters_good' - index: - description: The index or index pattern to use - example: my-service-* - type: string - timestampField: - description: | - The timestamp field used in the source indice. - example: timestamp - type: string - total: - $ref: '#/components/schemas/SLOs_kql_with_filters_total' - required: - - index - - timestampField - - good - - total - type: - description: The type of indicator. - example: sli.kql.custom + apiUrl: + type: string + description: The ServiceNow instance URL. + clientId: + description: | + The client ID assigned to your OAuth application. This property is required when `isOAuth` is `true`. + type: string + isOAuth: + description: | + The type of authentication to use. The default value is false, which means basic authentication is used instead of open authorization (OAuth). + default: false + type: boolean + jwtKeyId: + description: | + The key identifier assigned to the JWT verifier map of your OAuth application. This property is required when `isOAuth` is `true`. + type: string + userIdentifierValue: + description: | + The identifier to use for OAuth authentication. This identifier should be the user field you selected when you created an OAuth JWT API endpoint for external clients in your ServiceNow instance. For example, if the selected user field is `Email`, the user identifier should be the user's email address. This property is required when `isOAuth` is `true`. + type: string + usesTableApi: + description: | + Determines whether the connector uses the Table API or the Import Set API. This property is supported only for ServiceNow ITSM and ServiceNow SecOps connectors. NOTE: If this property is set to `false`, the Elastic application should be installed in ServiceNow. 
+ default: true + type: boolean + servicenow_itom_config: + title: Connector request properties for a ServiceNow ITOM connector + required: + - apiUrl + description: Defines properties for connectors when type is `.servicenow-itom`. + type: object + properties: + apiUrl: + type: string + description: The ServiceNow instance URL. + clientId: + description: | + The client ID assigned to your OAuth application. This property is required when `isOAuth` is `true`. + type: string + isOAuth: + description: | + The type of authentication to use. The default value is false, which means basic authentication is used instead of open authorization (OAuth). + default: false + type: boolean + jwtKeyId: + description: | + The key identifier assigned to the JWT verifier map of your OAuth application. This property is required when `isOAuth` is `true`. + type: string + userIdentifierValue: + description: | + The identifier to use for OAuth authentication. This identifier should be the user field you selected when you created an OAuth JWT API endpoint for external clients in your ServiceNow instance. For example, if the selected user field is `Email`, the user identifier should be the user's email address. This property is required when `isOAuth` is `true`. type: string + slack_api_config: + title: Connector request properties for a Slack connector + description: Defines properties for connectors when type is `.slack_api`. + type: object + properties: + allowedChannels: + type: array + description: A list of valid Slack channels. + items: + type: object + required: + - id + - name + maxItems: 25 + properties: + id: + type: string + description: The Slack channel ID. + example: C123ABC456 + minLength: 1 + name: + type: string + description: The Slack channel name. 
+ minLength: 1 + swimlane_config: + title: Connector request properties for a Swimlane connector required: - - type - - params - title: Custom Query - SLOs_indicator_properties_custom_metric: - description: Defines properties for a custom metric indicator type + - apiUrl + - appId + - connectorType + description: Defines properties for connectors when type is `.swimlane`. type: object properties: - params: - description: An object containing the indicator parameters. - nullable: false + apiUrl: + description: The Swimlane instance URL. + type: string + appId: + description: The Swimlane application ID. + type: string + connectorType: + description: The type of connector. Valid values are `all`, `alerts`, and `cases`. + type: string + enum: + - all + - alerts + - cases + mappings: + title: Connector mappings properties for a Swimlane connector + description: The field mapping. type: object properties: - dataViewId: - description: >- - The kibana data view id to use, primarily used to include data - view runtime mappings. Make sure to save SLO again if you - add/update run time fields to the data view and if those fields - are being used in slo queries. - example: 03b80ab3-003d-498b-881c-3beedbaf1162 - type: string - filter: - description: the KQL query to filter the documents with. - example: 'field.environment : "production" and service.name : "my-service"' - type: string - good: - description: | - An object defining the "good" metrics and equation + alertIdConfig: + title: Alert identifier mapping + description: Mapping for the alert ID. type: object + required: + - fieldType + - id + - key + - name properties: - equation: - description: The equation to calculate the "good" metric. - example: A + fieldType: type: string - metrics: - description: >- - List of metrics with their name, aggregation type, and - field. - items: - oneOf: - - type: object - properties: - aggregation: - description: The aggregation type of the metric. 
- enum: - - sum - example: sum - type: string - field: - description: The field of the metric. - example: processor.processed - type: string - filter: - description: The filter to apply to the metric. - example: 'processor.outcome: *' - type: string - name: - description: The name of the metric. Only valid options are A-Z - example: A - pattern: ^[A-Z]$ - type: string - required: - - name - - aggregation - - field - - type: object - properties: - aggregation: - description: The aggregation type of the metric. - enum: - - doc_count - example: doc_count - type: string - filter: - description: The filter to apply to the metric. - example: 'processor.outcome: *' - type: string - name: - description: The name of the metric. Only valid options are A-Z - example: A - pattern: ^[A-Z]$ - type: string - required: - - name - - aggregation - type: array - required: - - metrics - - equation - index: - description: The index or index pattern to use - example: my-service-* - type: string - timestampField: - description: | - The timestamp field used in the source indice. - example: timestamp - type: string - total: - description: | - An object defining the "total" metrics and equation + description: The type of field in Swimlane. + id: + type: string + description: The identifier for the field in Swimlane. + key: + type: string + description: The key for the field in Swimlane. + name: + type: string + description: The name of the field in Swimlane. + caseIdConfig: + title: Case identifier mapping + description: Mapping for the case ID. type: object + required: + - fieldType + - id + - key + - name properties: - equation: - description: The equation to calculate the "total" metric. - example: A + fieldType: type: string - metrics: - description: >- - List of metrics with their name, aggregation type, and - field. - items: - oneOf: - - type: object - properties: - aggregation: - description: The aggregation type of the metric. 
- enum: - - sum - example: sum - type: string - field: - description: The field of the metric. - example: processor.processed - type: string - filter: - description: The filter to apply to the metric. - example: 'processor.outcome: *' - type: string - name: - description: The name of the metric. Only valid options are A-Z - example: A - pattern: ^[A-Z]$ - type: string - required: - - name - - aggregation - - field - - type: object - properties: - aggregation: - description: The aggregation type of the metric. - enum: - - doc_count - example: doc_count - type: string - filter: - description: The filter to apply to the metric. - example: 'processor.outcome: *' - type: string - name: - description: The name of the metric. Only valid options are A-Z - example: A - pattern: ^[A-Z]$ - type: string - required: - - name - - aggregation - type: array + description: The type of field in Swimlane. + id: + type: string + description: The identifier for the field in Swimlane. + key: + type: string + description: The key for the field in Swimlane. + name: + type: string + description: The name of the field in Swimlane. + caseNameConfig: + title: Case name mapping + description: Mapping for the case name. + type: object required: - - metrics - - equation - required: - - index - - timestampField - - good - - total - type: - description: The type of indicator. - example: sli.metric.custom - type: string - required: - - type - - params - title: Custom metric - SLOs_indicator_properties_histogram: - description: Defines properties for a histogram indicator type - type: object - properties: - params: - description: An object containing the indicator parameters. - nullable: false - type: object - properties: - dataViewId: - description: >- - The kibana data view id to use, primarily used to include data - view runtime mappings. Make sure to save SLO again if you - add/update run time fields to the data view and if those fields - are being used in slo queries. 
- example: 03b80ab3-003d-498b-881c-3beedbaf1162 - type: string - filter: - description: the KQL query to filter the documents with. - example: 'field.environment : "production" and service.name : "my-service"' - type: string - good: - description: | - An object defining the "good" events + - fieldType + - id + - key + - name + properties: + fieldType: + type: string + description: The type of field in Swimlane. + id: + type: string + description: The identifier for the field in Swimlane. + key: + type: string + description: The key for the field in Swimlane. + name: + type: string + description: The name of the field in Swimlane. + commentsConfig: + title: Case comment mapping + description: Mapping for the case comments. type: object + required: + - fieldType + - id + - key + - name properties: - aggregation: - description: The type of aggregation to use. - enum: - - value_count - - range - example: value_count + fieldType: type: string - field: - description: The field use to aggregate the good events. - example: processor.latency + description: The type of field in Swimlane. + id: type: string - filter: - description: The filter for good events. - example: 'processor.outcome: "success"' + description: The identifier for the field in Swimlane. + key: type: string - from: - description: >- - The starting value of the range. Only required for "range" - aggregations. - example: 0 - type: number - to: - description: >- - The ending value of the range. Only required for "range" - aggregations. - example: 100 - type: number + description: The key for the field in Swimlane. + name: + type: string + description: The name of the field in Swimlane. + descriptionConfig: + title: Case description mapping + description: Mapping for the case description. 
+ type: object required: - - aggregation - - field - index: - description: The index or index pattern to use - example: my-service-* - type: string - timestampField: - description: | - The timestamp field used in the source indice. - example: timestamp - type: string - total: - description: | - An object defining the "total" events + - fieldType + - id + - key + - name + properties: + fieldType: + type: string + description: The type of field in Swimlane. + id: + type: string + description: The identifier for the field in Swimlane. + key: + type: string + description: The key for the field in Swimlane. + name: + type: string + description: The name of the field in Swimlane. + ruleNameConfig: + title: Rule name mapping + description: Mapping for the name of the alert's rule. type: object + required: + - fieldType + - id + - key + - name properties: - aggregation: - description: The type of aggregation to use. - enum: - - value_count - - range - example: value_count + fieldType: type: string - field: - description: The field use to aggregate the good events. - example: processor.latency + description: The type of field in Swimlane. + id: type: string - filter: - description: The filter for total events. - example: 'processor.outcome : *' + description: The identifier for the field in Swimlane. + key: type: string - from: - description: >- - The starting value of the range. Only required for "range" - aggregations. - example: 0 - type: number - to: - description: >- - The ending value of the range. Only required for "range" - aggregations. - example: 100 - type: number + description: The key for the field in Swimlane. + name: + type: string + description: The name of the field in Swimlane. + severityConfig: + title: Severity mapping + description: Mapping for the severity. + type: object required: - - aggregation - - field - required: - - index - - timestampField - - good - - total - type: - description: The type of indicator. 
- example: sli.histogram.custom + - fieldType + - id + - key + - name + properties: + fieldType: + type: string + description: The type of field in Swimlane. + id: + type: string + description: The identifier for the field in Swimlane. + key: + type: string + description: The key for the field in Swimlane. + name: + type: string + description: The name of the field in Swimlane. + thehive_config: + title: Connector request properties for a TheHive connector + description: Defines configuration properties for connectors when type is `.thehive`. + type: object + required: + - url + properties: + organisation: + type: string + description: | + The organisation in TheHive that will contain the alerts or cases. By default, the connector uses the default organisation of the user account that created the API key. + url: type: string + description: | + The instance URL in TheHive. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. + tines_config: + title: Connector request properties for a Tines connector + description: Defines properties for connectors when type is `.tines`. + type: object required: - - type - - params - title: Histogram indicator - SLOs_indicator_properties_timeslice_metric: - description: Defines properties for a timeslice metric indicator type + - url + properties: + url: + description: | + The Tines tenant URL. If you are using the `xpack.actions.allowedHosts` setting, make sure this hostname is added to the allowed hosts. + type: string + torq_config: + title: Connector request properties for a Torq connector + description: Defines properties for connectors when type is `.torq`. type: object + required: + - webhookIntegrationUrl properties: - params: - description: An object containing the indicator parameters. - nullable: false + webhookIntegrationUrl: + description: The endpoint URL of the Elastic Security integration in Torq. 
+ type: string + auth_type: + title: Authentication type + type: string + nullable: true + enum: + - webhook-authentication-basic + - webhook-authentication-ssl + description: | + The type of authentication to use: basic, SSL, or none. + ca: + title: Certificate authority + type: string + description: | + A base64 encoded version of the certificate authority file that the connector can trust to sign and validate certificates. This option is available for all authentication types. + cert_type: + title: Certificate type + type: string + description: | + If the `authType` is `webhook-authentication-ssl`, specifies whether the certificate authentication data is in a CRT and key file format or a PFX file format. + enum: + - ssl-crt-key + - ssl-pfx + has_auth: + title: Has authentication + type: boolean + description: If true, a username and password for login type authentication must be provided. + default: true + verification_mode: + title: Verification mode + type: string + enum: + - certificate + - full + - none + default: full + description: | + Controls the verification of certificates. Use `full` to validate that the certificate has an issue date within the `not_before` and `not_after` dates, chains to a trusted certificate authority (CA), and has a hostname or IP address that matches the names within the certificate. Use `certificate` to validate the certificate and verify that it is signed by a trusted authority; this option does not check the certificate hostname. Use `none` to skip certificate validation. + webhook_config: + title: Connector request properties for a Webhook connector + description: Defines properties for connectors when type is `.webhook`. 
+ type: object + properties: + authType: + $ref: '#/components/schemas/auth_type' + ca: + $ref: '#/components/schemas/ca' + certType: + $ref: '#/components/schemas/cert_type' + hasAuth: + $ref: '#/components/schemas/has_auth' + headers: type: object - properties: - dataViewId: - description: >- - The kibana data view id to use, primarily used to include data - view runtime mappings. Make sure to save SLO again if you - add/update run time fields to the data view and if those fields - are being used in slo queries. - example: 03b80ab3-003d-498b-881c-3beedbaf1162 - type: string - filter: - description: the KQL query to filter the documents with. - example: 'field.environment : "production" and service.name : "my-service"' - type: string - index: - description: The index or index pattern to use - example: my-service-* - type: string - metric: - description: > - An object defining the metrics, equation, and threshold to - determine if it's a good slice or not - type: object - properties: - comparator: - description: >- - The comparator to use to compare the equation to the - threshold. - enum: - - GT - - GTE - - LT - - LTE - example: GT - type: string - equation: - description: The equation to calculate the metric. - example: A - type: string - metrics: - description: >- - List of metrics with their name, aggregation type, and - field. 
- items: - anyOf: - - $ref: >- - #/components/schemas/SLOs_timeslice_metric_basic_metric_with_field - - $ref: >- - #/components/schemas/SLOs_timeslice_metric_percentile_metric - - $ref: >- - #/components/schemas/SLOs_timeslice_metric_doc_count_metric - discriminator: - mapping: - avg: >- - #/components/schemas/SLOs_timeslice_metric_basic_metric_with_field - cardinality: >- - #/components/schemas/SLOs_timeslice_metric_basic_metric_with_field - doc_count: >- - #/components/schemas/SLOs_timeslice_metric_doc_count_metric - last_value: >- - #/components/schemas/SLOs_timeslice_metric_basic_metric_with_field - max: >- - #/components/schemas/SLOs_timeslice_metric_basic_metric_with_field - min: >- - #/components/schemas/SLOs_timeslice_metric_basic_metric_with_field - percentile: >- - #/components/schemas/SLOs_timeslice_metric_percentile_metric - std_deviation: >- - #/components/schemas/SLOs_timeslice_metric_basic_metric_with_field - sum: >- - #/components/schemas/SLOs_timeslice_metric_basic_metric_with_field - propertyName: aggregation - type: array - threshold: - description: >- - The threshold used to determine if the metric is a good - slice or not. - example: 100 - type: number - required: - - metrics - - equation - - comparator - - threshold - timestampField: - description: | - The timestamp field used in the source indice. - example: timestamp - type: string - required: - - index - - timestampField - - metric - type: - description: The type of indicator. - example: sli.metric.timeslice + nullable: true + description: A set of key-value pairs sent as headers with the request. + method: + type: string + default: post + enum: + - post + - put + description: | + The HTTP request method, either `post` or `put`. + url: + type: string + description: | + The request URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. 
+ verificationMode: + $ref: '#/components/schemas/verification_mode' + cases_webhook_config: + title: Connector request properties for Webhook - Case Management connector + required: + - createIncidentJson + - createIncidentResponseKey + - createIncidentUrl + - getIncidentResponseExternalTitleKey + - getIncidentUrl + - updateIncidentJson + - updateIncidentUrl + - viewIncidentUrl + description: Defines properties for connectors when type is `.cases-webhook`. + type: object + properties: + authType: + $ref: '#/components/schemas/auth_type' + ca: + $ref: '#/components/schemas/ca' + certType: + $ref: '#/components/schemas/cert_type' + createCommentJson: + type: string + description: | + A JSON payload sent to the create comment URL to create a case comment. You can use variables to add Kibana Cases data to the payload. The required variable is `case.comment`. Due to Mustache template variables (the text enclosed in triple braces, for example, `{{{case.title}}}`), the JSON is not validated when you create the connector. The JSON is validated once the Mustache variables have been placed when the REST method runs. Manually ensure that the JSON is valid, disregarding the Mustache variables, so the later validation will pass. + example: '{"body": {{{case.comment}}}}' + createCommentMethod: + type: string + description: | + The REST API HTTP request method to create a case comment in the third-party system. Valid values are `patch`, `post`, and `put`. + default: put + enum: + - patch + - post + - put + createCommentUrl: + type: string + description: | + The REST API URL to create a case comment by ID in the third-party system. You can use a variable to add the external system ID to the URL. If you are using the `xpack.actions.allowedHosts setting`, add the hostname to the allowed hosts. + example: https://example.com/issue/{{{external.system.id}}}/comment + createIncidentJson: + type: string + description: | + A JSON payload sent to the create case URL to create a case. 
You can use variables to add case data to the payload. Required variables are `case.title` and `case.description`. Due to Mustache template variables (which is the text enclosed in triple braces, for example, `{{{case.title}}}`), the JSON is not validated when you create the connector. The JSON is validated after the Mustache variables have been placed when REST method runs. Manually ensure that the JSON is valid to avoid future validation errors; disregard Mustache variables during your review. + example: '{"fields": {"summary": {{{case.title}}},"description": {{{case.description}}},"labels": {{{case.tags}}}}}' + createIncidentMethod: + type: string + description: | + The REST API HTTP request method to create a case in the third-party system. Valid values are `patch`, `post`, and `put`. + enum: + - patch + - post + - put + default: post + createIncidentResponseKey: + type: string + description: The JSON key in the create external case response that contains the case ID. + createIncidentUrl: + type: string + description: | + The REST API URL to create a case in the third-party system. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. + getIncidentResponseExternalTitleKey: + type: string + description: The JSON key in get external case response that contains the case title. + getIncidentUrl: + type: string + description: | + The REST API URL to get the case by ID from the third-party system. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. You can use a variable to add the external system ID to the URL. Due to Mustache template variables (the text enclosed in triple braces, for example, `{{{case.title}}}`), the JSON is not validated when you create the connector. The JSON is validated after the Mustache variables have been placed when REST method runs. Manually ensure that the JSON is valid, disregarding the Mustache variables, so the later validation will pass. 
+ example: https://example.com/issue/{{{external.system.id}}} + hasAuth: + $ref: '#/components/schemas/has_auth' + headers: + type: string + description: | + A set of key-value pairs sent as headers with the request URLs for the create case, update case, get case, and create comment methods. + updateIncidentJson: + type: string + description: | + The JSON payload sent to the update case URL to update the case. You can use variables to add Kibana Cases data to the payload. Required variables are `case.title` and `case.description`. Due to Mustache template variables (which is the text enclosed in triple braces, for example, `{{{case.title}}}`), the JSON is not validated when you create the connector. The JSON is validated after the Mustache variables have been placed when REST method runs. Manually ensure that the JSON is valid to avoid future validation errors; disregard Mustache variables during your review. + example: '{"fields": {"summary": {{{case.title}}},"description": {{{case.description}}},"labels": {{{case.tags}}}}}' + updateIncidentMethod: + type: string + description: | + The REST API HTTP request method to update the case in the third-party system. Valid values are `patch`, `post`, and `put`. + default: put + enum: + - patch + - post + - put + updateIncidentUrl: + type: string + description: | + The REST API URL to update the case by ID in the third-party system. You can use a variable to add the external system ID to the URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. + example: https://example.com/issue/{{{external.system.ID}}} + verificationMode: + $ref: '#/components/schemas/verification_mode' + viewIncidentUrl: + type: string + description: | + The URL to view the case in the external system. You can use variables to add the external system ID or external system title to the URL. 
+ example: https://testing-jira.atlassian.net/browse/{{{external.system.title}}} + xmatters_config: + title: Connector request properties for an xMatters connector + description: Defines properties for connectors when type is `.xmatters`. + type: object + properties: + configUrl: + description: | + The request URL for the Elastic Alerts trigger in xMatters. It is applicable only when `usesBasic` is `true`. + type: string + nullable: true + usesBasic: + description: Specifies whether the connector uses HTTP basic authentication (`true`) or URL authentication (`false`). + type: boolean + default: true + bedrock_secrets: + title: Connector secrets properties for an Amazon Bedrock connector + description: Defines secrets for connectors when type is `.bedrock`. + type: object + required: + - accessKey + - secret + properties: + accessKey: + type: string + description: The AWS access key for authentication. + secret: + type: string + description: The AWS secret for authentication. + crowdstrike_secrets: + title: Connector secrets properties for a Crowdstrike connector + description: Defines secrets for connectors when type is `.crowdstrike`. + type: object + required: + - clientId + - clientSecret + properties: + clientId: + description: The CrowdStrike API client identifier. + type: string + clientSecret: + description: The CrowdStrike API client secret to authenticate the `clientId`. + type: string + d3security_secrets: + title: Connector secrets properties for a D3 Security connector + description: Defines secrets for connectors when type is `.d3security`. + required: + - token + type: object + properties: + token: + type: string + description: The D3 Security token. + email_secrets: + title: Connector secrets properties for an email connector + description: Defines secrets for connectors when type is `.email`. 
+ type: object + properties: + clientSecret: + type: string + description: | + The Microsoft Exchange Client secret for OAuth 2.0 client credentials authentication. It must be URL-encoded. If `service` is `exchange_server`, this property is required. + password: + type: string + description: | + The password for HTTP basic authentication. If `hasAuth` is set to `true`, this property is required. + user: + type: string + description: | + The username for HTTP basic authentication. If `hasAuth` is set to `true`, this property is required. + gemini_secrets: + title: Connector secrets properties for a Google Gemini connector + description: Defines secrets for connectors when type is `.gemini`. + type: object + required: + - credentialsJson + properties: + credentialsJson: + type: string + description: The service account credentials JSON file. The service account should have Vertex AI user IAM role assigned to it. + resilient_secrets: + title: Connector secrets properties for IBM Resilient connector + required: + - apiKeyId + - apiKeySecret + description: Defines secrets for connectors when type is `.resilient`. + type: object + properties: + apiKeyId: + type: string + description: The authentication key ID for HTTP Basic authentication. + apiKeySecret: + type: string + description: The authentication key secret for HTTP Basic authentication. + jira_secrets: + title: Connector secrets properties for a Jira connector + required: + - apiToken + - email + description: Defines secrets for connectors when type is `.jira`. + type: object + properties: + apiToken: + description: The Jira API authentication token for HTTP basic authentication. + type: string + email: + description: The account email for HTTP Basic authentication. + type: string + teams_secrets: + title: Connector secrets properties for a Microsoft Teams connector + description: Defines secrets for connectors when type is `.teams`. 
+ type: object + required: + - webhookUrl + properties: + webhookUrl: + type: string + description: | + The URL of the incoming webhook. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. + genai_secrets: + title: Connector secrets properties for an OpenAI connector + description: | + Defines secrets for connectors when type is `.gen-ai`. Supports both API key authentication (OpenAI, Azure OpenAI, and `Other`) and PKI authentication (`Other` provider only). PKI fields must be base64-encoded PEM content. + type: object + properties: + apiKey: + type: string + description: | + The API key for authentication. For OpenAI and Azure OpenAI providers, it is required. For the `Other` provider, it is required if you do not use PKI authentication. With PKI, you can also optionally include an API key if the OpenAI-compatible service supports or requires one. + certificateData: + type: string + description: | + Base64-encoded PEM certificate content for PKI authentication (Other provider only). Required for PKI. + minLength: 1 + privateKeyData: + type: string + description: | + Base64-encoded PEM private key content for PKI authentication (Other provider only). Required for PKI. + minLength: 1 + caData: type: string + description: | + Base64-encoded PEM CA certificate content for PKI authentication (Other provider only). Optional. + minLength: 1 + opsgenie_secrets: + title: Connector secrets properties for an Opsgenie connector required: - - type - - params - title: Timeslice metric - SLOs_kql_with_filters: - description: Defines properties for a filter - oneOf: - - description: the KQL query to filter the documents with. - example: 'field.environment : "production" and service.name : "my-service"' + - apiKey + description: Defines secrets for connectors when type is `.opsgenie`. + type: object + properties: + apiKey: + description: The Opsgenie API authentication key for HTTP Basic authentication. 
type: string - - type: object - properties: - filters: - items: - $ref: '#/components/schemas/SLOs_filter' - type: array - kqlQuery: - type: string - title: KQL with filters - SLOs_kql_with_filters_good: - description: The KQL query used to define the good events. - oneOf: - - description: the KQL query to filter the documents with. - example: 'request.latency <= 150 and request.status_code : "2xx"' + pagerduty_secrets: + title: Connector secrets properties for a PagerDuty connector + description: Defines secrets for connectors when type is `.pagerduty`. + type: object + required: + - routingKey + properties: + routingKey: + description: | + A 32 character PagerDuty Integration Key for an integration on a service. type: string - - type: object - properties: - filters: - items: - $ref: '#/components/schemas/SLOs_filter' - type: array - kqlQuery: - type: string - title: KQL query for good events - SLOs_kql_with_filters_total: - description: The KQL query used to define all events. - oneOf: - - description: the KQL query to filter the documents with. - example: 'field.environment : "production" and service.name : "my-service"' + sentinelone_secrets: + title: Connector secrets properties for a SentinelOne connector + description: Defines secrets for connectors when type is `.sentinelone`. + type: object + required: + - token + properties: + token: + description: The A SentinelOne API token. type: string - - type: object - properties: - filters: - items: - $ref: '#/components/schemas/SLOs_filter' - type: array - kqlQuery: - type: string - title: KQL query for all events - SLOs_objective: - description: Defines properties for the SLO objective + servicenow_secrets: + title: Connector secrets properties for ServiceNow ITOM, ServiceNow ITSM, and ServiceNow SecOps connectors + description: Defines secrets for connectors when type is `.servicenow`, `.servicenow-sir`, or `.servicenow-itom`. 
type: object properties: - target: - description: the target objective between 0 and 1 excluded - example: 0.99 - exclusiveMaximum: true - exclusiveMinimum: true - maximum: 100 - minimum: 0 - type: number - timesliceTarget: - description: >- - the target objective for each slice when using a timeslices - budgeting method - example: 0.995 - maximum: 100 - minimum: 0 - type: number - timesliceWindow: - description: >- - the duration of each slice when using a timeslices budgeting method, - as {duraton}{unit} - example: 5m + clientSecret: + type: string + description: The client secret assigned to your OAuth application. This property is required when `isOAuth` is `true`. + password: + type: string + description: The password for HTTP basic authentication. This property is required when `isOAuth` is `false`. + privateKey: type: string + description: The RSA private key that you created for use in ServiceNow. This property is required when `isOAuth` is `true`. + privateKeyPassword: + type: string + description: The password for the RSA private key. This property is required when `isOAuth` is `true` and you set a password on your private key. + username: + type: string + description: The username for HTTP basic authentication. This property is required when `isOAuth` is `false`. + slack_api_secrets: + title: Connector secrets properties for a Web API Slack connector + description: Defines secrets for connectors when type is `.slack`. required: - - target - title: Objective - SLOs_settings: - description: Defines properties for SLO settings. + - token + type: object properties: - frequency: - default: 1m - description: >- - The interval between checks for changes in the source data. The - minimum value is 1m and the maximum is 59m. The default value is 1 - minute. 
- example: 5m + token: type: string - preventInitialBackfill: - default: false - description: >- - Start aggregating data from the time the SLO is created, instead of - backfilling data from the beginning of the time window. - example: true - type: boolean - syncDelay: - default: 1m - description: >- - The time delay in minutes between the current time and the latest - source data time. Increasing the value will delay any alerting. The - default value is 1 minute. The minimum value is 1m and the maximum - is 359m. It should always be greater then source index refresh - interval. - example: 5m + description: Slack bot user OAuth token. + swimlane_secrets: + title: Connector secrets properties for a Swimlane connector + description: Defines secrets for connectors when type is `.swimlane`. + type: object + properties: + apiToken: + description: Swimlane API authentication token. type: string - syncField: - description: >- - The date field that is used to identify new documents in the source. - It is strongly recommended to use a field that contains the ingest - timestamp. If you use a different field, you might need to set the - delay such that it accounts for data transmission delays. When - unspecified, we use the indicator timestamp field. - example: event.ingested + thehive_secrets: + title: Connector secrets properties for a TheHive connector + description: Defines secrets for connectors when type is `.thehive`. + required: + - apiKey + type: object + properties: + apiKey: type: string - title: Settings + description: The API key for authentication in TheHive. + tines_secrets: + title: Connector secrets properties for a Tines connector + description: Defines secrets for connectors when type is `.tines`. type: object - SLOs_slo_definition_response: - title: SLO definition response + required: + - email + - token + properties: + email: + description: The email used to sign in to Tines. + type: string + token: + description: The Tines API token. 
+ type: string + torq_secrets: + title: Connector secrets properties for a Torq connector + description: Defines secrets for connectors when type is `.torq`. type: object + required: + - token properties: - artifacts: - $ref: '#/components/schemas/SLOs_artifacts' - budgetingMethod: - $ref: '#/components/schemas/SLOs_budgeting_method' - createdAt: - description: The creation date - example: '2023-01-12T10:03:19.000Z' + token: + description: The secret of the webhook authentication header. type: string - description: - description: The description of the SLO. - example: My SLO description + crt: + title: Certificate + type: string + description: If `authType` is `webhook-authentication-ssl` and `certType` is `ssl-crt-key`, it is a base64 encoded version of the CRT or CERT file. + key: + title: Certificate key + type: string + description: If `authType` is `webhook-authentication-ssl` and `certType` is `ssl-crt-key`, it is a base64 encoded version of the KEY file. + pfx: + title: Personal information exchange + type: string + description: If `authType` is `webhook-authentication-ssl` and `certType` is `ssl-pfx`, it is a base64 encoded version of the PFX or P12 file. + webhook_secrets: + title: Connector secrets properties for a Webhook connector + description: Defines secrets for connectors when type is `.webhook`. + type: object + properties: + crt: + $ref: '#/components/schemas/crt' + key: + $ref: '#/components/schemas/key' + pfx: + $ref: '#/components/schemas/pfx' + password: type: string - enabled: - description: Indicate if the SLO is enabled - example: true - type: boolean - groupBy: - $ref: '#/components/schemas/SLOs_group_by' - id: - description: The identifier of the SLO. - example: 8853df00-ae2e-11ed-90af-09bb6422b258 + description: | + The password for HTTP basic authentication or the passphrase for the SSL certificate files. If `hasAuth` is set to `true` and `authType` is `webhook-authentication-basic`, this property is required. 
+ user: type: string - indicator: - discriminator: - mapping: - sli.apm.transactionDuration: '#/components/schemas/SLOs_indicator_properties_apm_latency' - sli.apm.transactionErrorRate: '#/components/schemas/SLOs_indicator_properties_apm_availability' - sli.histogram.custom: '#/components/schemas/SLOs_indicator_properties_histogram' - sli.kql.custom: '#/components/schemas/SLOs_indicator_properties_custom_kql' - sli.metric.custom: '#/components/schemas/SLOs_indicator_properties_custom_metric' - sli.metric.timeslice: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' - propertyName: type - oneOf: - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' - - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' - - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' - name: - description: The name of the SLO. - example: My Service SLO + description: | + The username for HTTP basic authentication. If `hasAuth` is set to `true` and `authType` is `webhook-authentication-basic`, this property is required. + cases_webhook_secrets: + title: Connector secrets properties for Webhook - Case Management connector + type: object + properties: + crt: + $ref: '#/components/schemas/crt' + key: + $ref: '#/components/schemas/key' + pfx: + $ref: '#/components/schemas/pfx' + password: type: string - objective: - $ref: '#/components/schemas/SLOs_objective' - revision: - description: The SLO revision - example: 2 - type: number - settings: - $ref: '#/components/schemas/SLOs_settings' - tags: - description: List of tags + description: | + The password for HTTP basic authentication. If `hasAuth` is set to `true` and and `authType` is `webhook-authentication-basic`, this property is required. 
+ user: + type: string + description: | + The username for HTTP basic authentication. If `hasAuth` is set to `true` and `authType` is `webhook-authentication-basic`, this property is required. + xmatters_secrets: + title: Connector secrets properties for an xMatters connector + description: Defines secrets for connectors when type is `.xmatters`. + type: object + properties: + password: + description: | + A user name for HTTP basic authentication. It is applicable only when `usesBasic` is `true`. + type: string + secretsUrl: + description: | + The request URL for the Elastic Alerts trigger in xMatters with the API key included in the URL. It is applicable only when `usesBasic` is `false`. + type: string + user: + description: | + A password for HTTP basic authentication. It is applicable only when `usesBasic` is `true`. + type: string + genai_openai_other_config: + title: Connector request properties for an OpenAI connector with Other provider + description: | + Defines properties for connectors when type is `.gen-ai` and the API provider is `Other` (OpenAI-compatible service), including optional PKI authentication. + type: object + required: + - apiProvider + - apiUrl + - defaultModel + properties: + apiProvider: + type: string + description: The OpenAI API provider. + enum: + - Other + apiUrl: + type: string + description: The OpenAI-compatible API endpoint. + defaultModel: + type: string + description: The default model to use for requests. + certificateData: + type: string + description: PEM-encoded certificate content. + minLength: 1 + privateKeyData: + type: string + description: PEM-encoded private key content. + minLength: 1 + caData: + type: string + description: PEM-encoded CA certificate content. + minLength: 1 + verificationMode: + type: string + description: SSL verification mode for PKI authentication. + enum: + - full + - certificate + - none + default: full + headers: + type: object + description: Custom headers to include in requests. 
+ additionalProperties: + type: string + defender_secrets: + title: Connector secrets properties for a Microsoft Defender for Endpoint connector + required: + - clientSecret + description: Defines secrets for connectors when type is `..microsoft_defender_endpoint`. + type: object + properties: + clientSecret: + description: The client secret for your app in the Azure portal. + type: string + run_acknowledge_resolve_pagerduty: + title: PagerDuty connector parameters + description: Test an action that acknowledges or resolves a PagerDuty alert. + type: object + required: + - dedupKey + - eventAction + properties: + dedupKey: + description: The deduplication key for the PagerDuty alert. + type: string + maxLength: 255 + eventAction: + description: The type of event. + type: string + enum: + - acknowledge + - resolve + run_documents: + title: Index connector parameters + description: Test an action that indexes a document into Elasticsearch. + type: object + required: + - documents + properties: + documents: + type: array + description: The documents in JSON format for index connectors. + items: + type: object + additionalProperties: true + run_message_email: + title: Email connector parameters + description: | + Test an action that sends an email message. There must be at least one recipient in `to`, `cc`, or `bcc`. + type: object + required: + - message + - subject + properties: + bcc: + type: array items: type: string + description: | + A list of "blind carbon copy" email addresses. Addresses can be specified in `user@host-name` format or in name `` format + cc: type: array - timeWindow: - $ref: '#/components/schemas/SLOs_time_window' - updatedAt: - description: The last update date - example: '2023-01-12T10:03:19.000Z' + items: + type: string + description: | + A list of "carbon copy" email addresses. 
Addresses can be specified in `user@host-name` format or in name `` format + message: type: string - version: - description: The internal SLO version - example: 2 - type: number + description: The email message text. Markdown format is supported. + subject: + type: string + description: The subject line of the email. + to: + type: array + description: | + A list of email addresses. Addresses can be specified in `user@host-name` format or in name `` format. + items: + type: string + run_message_serverlog: + title: Server log connector parameters + description: Test an action that writes an entry to the Kibana server log. + type: object required: - - id - - name - - description - - indicator - - timeWindow - - budgetingMethod - - objective - - settings - - revision - - enabled - - groupBy - - tags - - createdAt - - updatedAt - - version - SLOs_slo_with_summary_response: - title: SLO response + - message + properties: + level: + type: string + description: The log level of the message for server log connectors. + enum: + - debug + - error + - fatal + - info + - trace + - warn + default: info + message: + type: string + description: The message for server log connectors. + run_message_slack: + title: Slack connector parameters + description: | + Test an action that sends a message to Slack. It is applicable only when the connector type is `.slack`. type: object + required: + - message properties: - budgetingMethod: - $ref: '#/components/schemas/SLOs_budgeting_method' - createdAt: - description: The creation date - example: '2023-01-12T10:03:19.000Z' + message: type: string - description: - description: The description of the SLO. - example: My SLO description + description: The Slack message text, which cannot contain Markdown, images, or other advanced formatting. + run_trigger_pagerduty: + title: PagerDuty connector parameters + description: Test an action that triggers a PagerDuty alert. 
+ type: object + required: + - eventAction + properties: + class: + description: The class or type of the event. type: string - enabled: - description: Indicate if the SLO is enabled - example: true - type: boolean - groupBy: - $ref: '#/components/schemas/SLOs_group_by' - id: - description: The identifier of the SLO. - example: 8853df00-ae2e-11ed-90af-09bb6422b258 + example: cpu load + component: + description: The component of the source machine that is responsible for the event. type: string - indicator: - discriminator: - mapping: - sli.apm.transactionDuration: '#/components/schemas/SLOs_indicator_properties_apm_latency' - sli.apm.transactionErrorRate: '#/components/schemas/SLOs_indicator_properties_apm_availability' - sli.histogram.custom: '#/components/schemas/SLOs_indicator_properties_histogram' - sli.kql.custom: '#/components/schemas/SLOs_indicator_properties_custom_kql' - sli.metric.custom: '#/components/schemas/SLOs_indicator_properties_custom_metric' - sli.metric.timeslice: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' - propertyName: type - oneOf: - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' - - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' - - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' - instanceId: - description: the value derived from the groupBy field, if present, otherwise '*' - example: host-abcde + example: eth0 + customDetails: + description: Additional details to add to the event. + type: object + dedupKey: + description: | + All actions sharing this key will be associated with the same PagerDuty alert. This value is used to correlate trigger and resolution. type: string - name: - description: The name of the SLO. 
- example: My Service SLO + maxLength: 255 + eventAction: + description: The type of event. type: string - objective: - $ref: '#/components/schemas/SLOs_objective' - revision: - description: The SLO revision - example: 2 - type: number - settings: - $ref: '#/components/schemas/SLOs_settings' - summary: - $ref: '#/components/schemas/SLOs_summary' - tags: - description: List of tags - items: - type: string + enum: + - trigger + group: + description: The logical grouping of components of a service. + type: string + example: app-stack + links: + description: A list of links to add to the event. type: array - timeWindow: - $ref: '#/components/schemas/SLOs_time_window' - updatedAt: - description: The last update date - example: '2023-01-12T10:03:19.000Z' + items: + type: object + properties: + href: + description: The URL for the link. + type: string + text: + description: A plain text description of the purpose of the link. + type: string + severity: + description: The severity of the event on the affected system. type: string - version: - description: The internal SLO version - example: 2 - type: number + enum: + - critical + - error + - info + - warning + default: info + source: + description: | + The affected system, such as a hostname or fully qualified domain name. Defaults to the Kibana saved object id of the action. + type: string + summary: + description: A summery of the event. + type: string + maxLength: 1024 + timestamp: + description: An ISO-8601 timestamp that indicates when the event was detected or generated. + type: string + format: date-time + run_addevent: + title: The addEvent subaction + type: object + required: + - subAction + description: The `addEvent` subaction for ServiceNow ITOM connectors. + properties: + subAction: + type: string + description: The action to test. + enum: + - addEvent + subActionParams: + type: object + description: The set of configuration properties for the action. 
+ properties: + additional_info: + type: string + description: Additional information about the event. + description: + type: string + description: The details about the event. + event_class: + type: string + description: A specific instance of the source. + message_key: + type: string + description: All actions sharing this key are associated with the same ServiceNow alert. The default value is `:`. + metric_name: + type: string + description: The name of the metric. + node: + type: string + description: The host that the event was triggered for. + resource: + type: string + description: The name of the resource. + severity: + type: string + description: The severity of the event. + source: + type: string + description: The name of the event source type. + time_of_event: + type: string + description: The time of the event. + type: + type: string + description: The type of event. + run_closealert: + title: The closeAlert subaction + type: object + required: + - subAction + - subActionParams + description: The `closeAlert` subaction for Opsgenie connectors. + properties: + subAction: + type: string + description: The action to test. + enum: + - closeAlert + subActionParams: + type: object + required: + - alias + properties: + alias: + type: string + description: The unique identifier used for alert deduplication in Opsgenie. The alias must match the value used when creating the alert. + note: + type: string + description: Additional information for the alert. + source: + type: string + description: The display name for the source of the alert. + user: + type: string + description: The display name for the owner. + run_closeincident: + title: The closeIncident subaction + type: object + required: + - subAction + - subActionParams + description: The `closeIncident` subaction for ServiceNow ITSM connectors. + properties: + subAction: + type: string + description: The action to test. 
+ enum: + - closeIncident + subActionParams: + type: object + required: + - incident + properties: + incident: + type: object + anyOf: + - required: + - correlation_id + - required: + - externalId + properties: + correlation_id: + type: string + nullable: true + description: | + An identifier that is assigned to the incident when it is created by the connector. NOTE: If you use the default value and the rule generates multiple alerts that use the same alert IDs, the latest open incident for this correlation ID is closed unless you specify the external ID. + maxLength: 100 + default: '{{rule.id}}:{{alert.id}}' + externalId: + type: string + nullable: true + description: The unique identifier (`incidentId`) for the incident in ServiceNow. + run_createalert: + title: The createAlert subaction + type: object + required: + - subAction + - subActionParams + description: The `createAlert` subaction for Opsgenie and TheHive connectors. + properties: + subAction: + type: string + description: The action to test. + enum: + - createAlert + subActionParams: + type: object + properties: + actions: + type: array + description: The custom actions available to the alert in Opsgenie connectors. + items: + type: string + alias: + type: string + description: The unique identifier used for alert deduplication in Opsgenie. + description: + type: string + description: A description that provides detailed information about the alert. + details: + type: object + description: The custom properties of the alert in Opsgenie connectors. + additionalProperties: true + example: + key1: value1 + key2: value2 + entity: + type: string + description: The domain of the alert in Opsgenie connectors. For example, the application or server name. + message: + type: string + description: The alert message in Opsgenie connectors. + note: + type: string + description: Additional information for the alert in Opsgenie connectors. 
+ priority: + type: string + description: The priority level for the alert in Opsgenie connectors. + enum: + - P1 + - P2 + - P3 + - P4 + - P5 + responders: + type: array + description: | + The entities to receive notifications about the alert in Opsgenie connectors. If `type` is `user`, either `id` or `username` is required. If `type` is `team`, either `id` or `name` is required. + items: + type: object + properties: + id: + type: string + description: The identifier for the entity. + name: + type: string + description: The name of the entity. + type: + type: string + description: The type of responders, in this case `escalation`. + enum: + - escalation + - schedule + - team + - user + username: + type: string + description: A valid email address for the user. + severity: + type: integer + minimum: 1 + maximum: 4 + description: | + The severity of the incident for TheHive connectors. The value ranges from 1 (low) to 4 (critical) with a default value of 2 (medium). + source: + type: string + description: The display name for the source of the alert in Opsgenie and TheHive connectors. + sourceRef: + type: string + description: A source reference for the alert in TheHive connectors. + tags: + type: array + description: The tags for the alert in Opsgenie and TheHive connectors. + items: + type: string + title: + type: string + description: | + A title for the incident for TheHive connectors. It is used for searching the contents of the knowledge base. + tlp: + type: integer + minimum: 0 + maximum: 4 + default: 2 + description: | + The traffic light protocol designation for the incident in TheHive connectors. Valid values include: 0 (clear), 1 (green), 2 (amber), 3 (amber and strict), and 4 (red). + type: + type: string + description: The type of alert in TheHive connectors. + user: + type: string + description: The display name for the owner. + visibleTo: + type: array + description: The teams and users that the alert will be visible to without sending a notification. 
Only one of `id`, `name`, or `username` is required. + items: + type: object + required: + - type + properties: + id: + type: string + description: The identifier for the entity. + name: + type: string + description: The name of the entity. + type: + type: string + description: Valid values are `team` and `user`. + enum: + - team + - user + username: + type: string + description: The user name. This property is required only when the `type` is `user`. + run_fieldsbyissuetype: + title: The fieldsByIssueType subaction + type: object required: - - id - - name - - description - - indicator - - timeWindow - - budgetingMethod - - objective - - settings - - revision - - summary - - enabled - - groupBy - - instanceId - - tags - - createdAt - - updatedAt - - version - SLOs_summary: - description: The SLO computed data + - subAction + - subActionParams + description: The `fieldsByIssueType` subaction for Jira connectors. properties: - errorBudget: - $ref: '#/components/schemas/SLOs_error_budget' - sliValue: - example: 0.9836 - type: number - status: - $ref: '#/components/schemas/SLOs_summary_status' - required: - - status - - sliValue - - errorBudget - title: Summary - type: object - SLOs_summary_status: - enum: - - NO_DATA - - HEALTHY - - DEGRADING - - VIOLATED - example: HEALTHY - title: summary status - type: string - SLOs_time_window: - description: Defines properties for the SLO time window + subAction: + type: string + description: The action to test. + enum: + - fieldsByIssueType + subActionParams: + type: object + required: + - id + properties: + id: + type: string + description: The Jira issue type identifier. + example: 10024 + run_getagentdetails: + title: The getAgentDetails subaction type: object + required: + - subAction + - subActionParams + description: The `getAgentDetails` subaction for CrowdStrike connectors. properties: - duration: - description: >- - the duration formatted as {duration}{unit}. Accepted values for - rolling: 7d, 30d, 90d. 
Accepted values for calendar aligned: 1w - (weekly) or 1M (monthly) - example: 30d + subAction: type: string - type: - description: >- - Indicates weither the time window is a rolling or a calendar aligned - time window. + description: The action to test. enum: - - rolling - - calendarAligned - example: rolling - type: string - required: - - duration - - type - title: Time window - SLOs_timeslice_metric_basic_metric_with_field: + - getAgentDetails + subActionParams: + type: object + description: The set of configuration properties for the action. + required: + - ids + properties: + ids: + type: array + description: An array of CrowdStrike agent identifiers. + items: + type: string + run_getagents: + title: The getAgents subaction type: object + required: + - subAction + description: The `getAgents` subaction for SentinelOne connectors. properties: - aggregation: - description: The aggregation type of the metric. - enum: - - sum - - avg - - min - - max - - std_deviation - - last_value - - cardinality - example: sum - type: string - field: - description: The field of the metric. - example: processor.processed - type: string - filter: - description: The filter to apply to the metric. - example: 'processor.outcome: "success"' - type: string - name: - description: The name of the metric. Only valid options are A-Z - example: A - pattern: ^[A-Z]$ + subAction: type: string - required: - - name - - aggregation - - field - title: Timeslice Metric Basic Metric with Field - SLOs_timeslice_metric_doc_count_metric: + description: The action to test. + enum: + - getAgents + run_getchoices: + title: The getChoices subaction type: object + required: + - subAction + - subActionParams + description: The `getChoices` subaction for ServiceNow ITOM, ServiceNow ITSM, and ServiceNow SecOps connectors. properties: - aggregation: - description: The aggregation type of the metric. 
Only valid option is "doc_count" - enum: - - doc_count - example: doc_count - type: string - filter: - description: The filter to apply to the metric. - example: 'processor.outcome: "success"' - type: string - name: - description: The name of the metric. Only valid options are A-Z - example: A - pattern: ^[A-Z]$ + subAction: type: string - required: - - name - - aggregation - title: Timeslice Metric Doc Count Metric - SLOs_timeslice_metric_percentile_metric: + description: The action to test. + enum: + - getChoices + subActionParams: + type: object + description: The set of configuration properties for the action. + required: + - fields + properties: + fields: + type: array + description: An array of fields. + items: + type: string + run_getfields: + title: The getFields subaction type: object + required: + - subAction + description: The `getFields` subaction for Jira, ServiceNow ITSM, and ServiceNow SecOps connectors. properties: - aggregation: - description: >- - The aggregation type of the metric. Only valid option is - "percentile" - enum: - - percentile - example: percentile - type: string - field: - description: The field of the metric. - example: processor.processed - type: string - filter: - description: The filter to apply to the metric. - example: 'processor.outcome: "success"' - type: string - name: - description: The name of the metric. Only valid options are A-Z - example: A - pattern: ^[A-Z]$ + subAction: type: string - percentile: - description: The percentile value. - example: 95 - type: number + description: The action to test. + enum: + - getFields + run_getincident: + title: The getIncident subaction + type: object + description: The `getIncident` subaction for Jira, ServiceNow ITSM, and ServiceNow SecOps connectors. 
required: - - name - - aggregation - - field - - percentile - title: Timeslice Metric Percentile Metric - SLOs_update_slo_request: - description: > - The update SLO API request body varies depending on the type of - indicator, time window and budgeting method. Partial update is handled. + - subAction + - subActionParams properties: - artifacts: - $ref: '#/components/schemas/SLOs_artifacts' - budgetingMethod: - $ref: '#/components/schemas/SLOs_budgeting_method' - description: - description: A description for the SLO. - type: string - groupBy: - $ref: '#/components/schemas/SLOs_group_by' - indicator: - oneOf: - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' - - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' - - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' - name: - description: A name for the SLO. + subAction: type: string - objective: - $ref: '#/components/schemas/SLOs_objective' - settings: - $ref: '#/components/schemas/SLOs_settings' - tags: - description: List of tags - items: - type: string - type: array - timeWindow: - $ref: '#/components/schemas/SLOs_time_window' - title: Update SLO request + description: The action to test. + enum: + - getIncident + subActionParams: + type: object + required: + - externalId + properties: + externalId: + type: string + description: The Jira, ServiceNow ITSM, or ServiceNow SecOps issue identifier. + example: 71778 + run_issue: + title: The issue subaction type: object - Task_manager_health_Serverless_APIs_configuration: - description: > - This object summarizes the current configuration of Task Manager. 
This - includes dynamic configurations that change over time, such as - `poll_interval` and `max_workers`, which can adjust in reaction to - changing load on the system. + required: + - subAction + description: The `issue` subaction for Jira connectors. + properties: + subAction: + type: string + description: The action to test. + enum: + - issue + subActionParams: + type: object + required: + - id + properties: + id: + type: string + description: The Jira issue identifier. + example: 71778 + run_issues: + title: The issues subaction type: object - Task_manager_health_Serverless_APIs_health_response_serverless: - title: Task health response properties + required: + - subAction + - subActionParams + description: The `issues` subaction for Jira connectors. + properties: + subAction: + type: string + description: The action to test. + enum: + - issues + subActionParams: + type: object + required: + - title + properties: + title: + type: string + description: The title of the Jira issue. + run_issuetypes: + title: The issueTypes subaction type: object + required: + - subAction + description: The `issueTypes` subaction for Jira connectors. properties: - id: + subAction: type: string - last_update: + description: The action to test. + enum: + - issueTypes + run_postmessage: + title: The postMessage subaction + type: object + description: | + Test an action that sends a message to Slack. It is applicable only when the connector type is `.slack_api`. + required: + - subAction + - subActionParams + properties: + subAction: type: string - stats: + description: The action to test. + enum: + - postMessage + subActionParams: type: object + description: The set of configuration properties for the action. 
properties: - configuration: - $ref: >- - #/components/schemas/Task_manager_health_Serverless_APIs_configuration - workload: - $ref: >- - #/components/schemas/Task_manager_health_Serverless_APIs_workload - status: - type: string - timestamp: + channelIds: + type: array + maxItems: 1 + description: | + The Slack channel identifier, which must be one of the `allowedChannels` in the connector configuration. + items: + type: string + channels: + type: array + deprecated: true + description: | + The name of a channel that your Slack app has access to. + maxItems: 1 + items: + type: string + text: + type: string + description: | + The Slack message text. If it is a Slack webhook connector, the text cannot contain Markdown, images, or other advanced formatting. If it is a Slack web API connector, it can contain either plain text or block kit messages. + minLength: 1 + run_pushtoservice: + title: The pushToService subaction + type: object + required: + - subAction + - subActionParams + description: The `pushToService` subaction for Jira, ServiceNow ITSM, ServiceNow SecOps, Swimlane, TheHive, and Webhook - Case Management connectors. + properties: + subAction: type: string - Task_manager_health_Serverless_APIs_workload: - description: > - This object summarizes the work load across the cluster, including the - tasks in the system, their types, and current status. + description: The action to test. + enum: + - pushToService + subActionParams: + type: object + description: The set of configuration properties for the action. + properties: + comments: + type: array + description: Additional information that is sent to Jira, ServiceNow ITSM, ServiceNow SecOps, Swimlane, or TheHive. + items: + type: object + properties: + comment: + type: string + description: A comment related to the incident. For example, describe how to troubleshoot the issue. + commentId: + type: integer + description: A unique identifier for the comment. 
+ incident: + type: object + description: Information necessary to create or update a Jira, ServiceNow ITSM, ServiveNow SecOps, Swimlane, or TheHive incident. + properties: + additional_fields: + type: string + nullable: true + maxLength: 20 + description: | + Additional fields for ServiceNow ITSM and ServiveNow SecOps connectors. The fields must exist in the Elastic ServiceNow application and must be specified in JSON format. + alertId: + type: string + description: The alert identifier for Swimlane connectors. + caseId: + type: string + description: The case identifier for the incident for Swimlane connectors. + caseName: + type: string + description: The case name for the incident for Swimlane connectors. + category: + type: string + description: The category of the incident for ServiceNow ITSM and ServiceNow SecOps connectors. + correlation_display: + type: string + description: A descriptive label of the alert for correlation purposes for ServiceNow ITSM and ServiceNow SecOps connectors. + correlation_id: + type: string + description: | + The correlation identifier for the security incident for ServiceNow ITSM and ServiveNow SecOps connectors. Connectors using the same correlation ID are associated with the same ServiceNow incident. This value determines whether a new ServiceNow incident is created or an existing one is updated. Modifying this value is optional; if not modified, the rule ID and alert ID are combined as `{{ruleID}}:{{alert ID}}` to form the correlation ID value in ServiceNow. The maximum character length for this value is 100 characters. NOTE: Using the default configuration of `{{ruleID}}:{{alert ID}}` ensures that ServiceNow creates a separate incident record for every generated alert that uses a unique alert ID. If the rule generates multiple alerts that use the same alert IDs, ServiceNow creates and continually updates a single incident record for the alert. 
+ description: + type: string + description: The description of the incident for Jira, ServiceNow ITSM, ServiceNow SecOps, Swimlane, TheHive, and Webhook - Case Management connectors. + dest_ip: + description: | + A list of destination IP addresses related to the security incident for ServiceNow SecOps connectors. The IPs are added as observables to the security incident. + oneOf: + - type: string + - type: array + items: + type: string + externalId: + type: string + description: | + The Jira, ServiceNow ITSM, or ServiceNow SecOps issue identifier. If present, the incident is updated. Otherwise, a new incident is created. + id: + type: string + description: The external case identifier for Webhook - Case Management connectors. + impact: + type: string + description: The impact of the incident for ServiceNow ITSM connectors. + issueType: + type: integer + description: The type of incident for Jira connectors. For example, 10006. To obtain the list of valid values, set `subAction` to `issueTypes`. + labels: + type: array + items: + type: string + description: | + The labels for the incident for Jira connectors. NOTE: Labels cannot contain spaces. + malware_hash: + description: A list of malware hashes related to the security incident for ServiceNow SecOps connectors. The hashes are added as observables to the security incident. + oneOf: + - type: string + - type: array + items: + type: string + malware_url: + type: string + description: A list of malware URLs related to the security incident for ServiceNow SecOps connectors. The URLs are added as observables to the security incident. + oneOf: + - type: string + - type: array + items: + type: string + otherFields: + type: object + additionalProperties: true + maxProperties: 20 + description: | + Custom field identifiers and their values for Jira connectors. + parent: + type: string + description: The ID or key of the parent issue for Jira connectors. Applies only to `Sub-task` types of issues. 
+ priority: + type: string + description: The priority of the incident in Jira and ServiceNow SecOps connectors. + ruleName: + type: string + description: The rule name for Swimlane connectors. + severity: + type: integer + description: | + The severity of the incident for ServiceNow ITSM, Swimlane, and TheHive connectors. In TheHive connectors, the severity value ranges from 1 (low) to 4 (critical) with a default value of 2 (medium). + short_description: + type: string + description: | + A short description of the incident for ServiceNow ITSM and ServiceNow SecOps connectors. It is used for searching the contents of the knowledge base. + source_ip: + description: A list of source IP addresses related to the security incident for ServiceNow SecOps connectors. The IPs are added as observables to the security incident. + oneOf: + - type: string + - type: array + items: + type: string + status: + type: string + description: The status of the incident for Webhook - Case Management connectors. + subcategory: + type: string + description: The subcategory of the incident for ServiceNow ITSM and ServiceNow SecOps connectors. + summary: + type: string + description: A summary of the incident for Jira connectors. + tags: + type: array + items: + type: string + description: A list of tags for TheHive and Webhook - Case Management connectors. + title: + type: string + description: | + A title for the incident for Jira, TheHive, and Webhook - Case Management connectors. It is used for searching the contents of the knowledge base. + tlp: + type: integer + minimum: 0 + maximum: 4 + default: 2 + description: | + The traffic light protocol designation for the incident in TheHive connectors. Valid values include: 0 (clear), 1 (green), 2 (amber), 3 (amber and strict), and 4 (red). + urgency: + type: string + description: The urgency of the incident for ServiceNow ITSM connectors. 
+ run_validchannelid: + title: The validChannelId subaction type: object + description: | + Retrieves information about a valid Slack channel identifier. It is applicable only when the connector type is `.slack_api`. + required: + - subAction + - subActionParams + properties: + subAction: + type: string + description: The action to test. + enum: + - validChannelId + subActionParams: + type: object + required: + - channelId + properties: + channelId: + type: string + description: The Slack channel identifier. + example: C123ABC456 securitySchemes: apiKeyAuth: - description: >- - You must create an API key and use the encoded value in the request - header. To learn about creating keys, go to [API - keys](https://www.elastic.co/docs/current/serverless/api-keys). + description: You must create an API key and use the encoded value in the request header. To learn about creating keys, go to [API keys](https://www.elastic.co/docs/current/serverless/api-keys). in: header name: Authorization type: apiKey -security: - - apiKeyAuth: [] -tags: - - description: | - Adjust APM agent configuration without need to redeploy your application. - name: APM agent configuration - - description: > - Configure APM agent keys to authorize requests from APM agents to the APM - Server. - name: APM agent keys - - description: > - Annotate visualizations in the APM app with significant events. - Annotations enable you to easily see how events are impacting the - performance of your applications. - name: APM annotations - - description: Create APM fleet server schema. - name: APM server schema - - description: > - Configure APM source maps. A source map allows minified files to be mapped - back to original source code--allowing you to maintain the speed advantage - of minified code, without losing the ability to quickly and easily debug - your application. 
- - For best results, uploading source maps should become a part of your - deployment procedure, and not something you only do when you see unhelpful - errors. That's because uploading source maps after errors happen won't - make old errors magically readable--errors must occur again for source - mapping to occur. - name: APM sourcemaps - - name: Data streams - - description: >- - Data view APIs enable you to manage data views, formerly known as Kibana - index patterns. - name: data views - - name: Elastic Agent actions - - name: Elastic Agent binary download sources - - name: Elastic Agent policies - - name: Elastic Agent status - - name: Elastic Agents - - name: Elastic Package Manager (EPM) - - name: Fleet agentless policies - - name: Fleet cloud connectors - - name: Fleet enrollment API keys - - name: Fleet internals - - name: Fleet outputs - - name: Fleet package policies - - name: Fleet proxies - - name: Fleet Server hosts - - name: Fleet service tokens - - name: Fleet uninstall tokens - - name: Message Signing Service - - description: Machine learning - name: ml - - description: Interact with the Observability AI Assistant resources. - externalDocs: - description: Observability AI Assistant - url: >- - https://www.elastic.co/docs/solutions/observability/observability-ai-assistant - name: observability_ai_assistant - x-displayName: Observability AI Assistant - - description: Manage and interact with Security Assistant resources. - name: Security AI Assistant API - x-displayName: Security AI assistant - - description: >- - Use the Attack discovery APIs to generate and manage Attack discoveries. - Attack Discovery leverages large language models (LLMs) to analyze alerts - in your environment and identify threats. Each "discovery" represents a - potential attack and describes relationships among multiple alerts to tell - you which users and hosts are involved, how alerts correspond to the MITRE - ATT&CK matrix, and which threat actor might be responsible. 
- name: Security Attack discovery API - x-displayName: Security Attack discovery - - description: > - Use the detections APIs to create and manage detection rules. Detection - rules search events and external alerts sent to Elastic Security and - generate detection alerts from any hits. Alerts are displayed on the - **Alerts** page and can be assigned and triaged, using the alert status to - mark them as open, closed, or acknowledged. - - - This API supports both key-based authentication and basic authentication. - - - To use key-based authentication, create an API key, then specify the key - in the header of your API calls. - - - To use basic authentication, provide a username and password; this - automatically creates an API key that matches the current user’s - privileges. - - - In both cases, the API key is subsequently used for authorization when the - rule runs. - - > warn - - > If the API key used for authorization has different privileges than the - key that created or most recently updated a rule, the rule behavior might - change. - - - > If the API key that created a rule is deleted, or the user that created - the rule becomes inactive, the rule will stop running. - - - To create and run rules, the user must meet specific requirements for the - Kibana space. Refer to the [Detections - requirements](https://www.elastic.co/guide/en/security/current/detections-permissions-section.html) - for a complete list of requirements. - name: Security Detections API - x-displayName: Security detections - - description: >- - Endpoint Exceptions API allows you to manage detection rule endpoint - exceptions to prevent a rule from generating an alert from incoming events - even when the rule's other criteria are met. - name: Security Endpoint Exceptions API - x-displayName: Security Elastic Endpoint exceptions - - description: Interact with and manage endpoints running the Elastic Defend integration. 
- name: Security Endpoint Management API - x-displayName: Security endpoint management - - description: '' - name: Security Entity Analytics API - x-displayName: Security entity analytics - - description: > - Exceptions are associated with detection and endpoint rules, and are used - to prevent a rule from generating an alert from incoming events, even when - the rule's other criteria are met. They can help reduce the number of - false positives and prevent trusted processes and network activity from - generating unnecessary alerts. - - - Exceptions are made up of: - - - * **Exception containers**: A container for related exceptions. Generally, - a single exception container contains all the exception items relevant for - a subset of rules. For example, a container can be used to group together - network-related exceptions that are relevant for a large number of network - rules. The container can then be associated with all the relevant rules. - - * **Exception items**: The query (fields, values, and logic) used to - prevent rules from generating alerts. When an exception item's query - evaluates to `true`, the rule does not generate an alert. - - - For detection rules, you can also use lists to define rule exceptions. A - list holds multiple values of the same Elasticsearch data type, such as IP - addresses. These values are used to determine when an exception prevents - an alert from being generated. - - > info - - > You cannot use lists with endpoint rule exceptions. - - - > info - - > Only exception containers can be associated with rules. You cannot - directly associate an exception item or a list container with a rule. To - use list exceptions, create an exception item that references the relevant - list container. - - - ## Exceptions requirements - - - Before you can start working with exceptions that use value lists, you - must create the `.lists` and `.items` data streams for the relevant Kibana - space. 
To do this, use the [Create list data - streams](../operation/operation-createlistindex) endpoint. Once these data - streams are created, your role needs privileges to manage rules. For a - complete list of requirements, refer to [Enable and access - detections](https://www.elastic.co/guide/en/serverless/current/security-detections-requirements.html#enable-detections-ui). - name: Security Exceptions API - x-displayName: Security exceptions - - description: > - Lists can be used with detection rule exceptions to define values that - prevent a rule from generating alerts. - - - Lists are made up of: - - - * **List containers**: A container for values of the same Elasticsearch - data type. The following data types can be used: - * `boolean` - * `byte` - * `date` - * `date_nanos` - * `date_range` - * `double` - * `double_range` - * `float` - * `float_range` - * `half_float` - * `integer` - * `integer_range` - * `ip` - * `ip_range` - * `keyword` - * `long` - * `long_range` - * `short` - * `text` - * **List items**: The values used to determine whether the exception - prevents an alert from being generated. - - - All list items in the same list container must be of the same data type, - and each item defines a single value. For example, an IP list container - named `internal-ip-addresses-southport` contains five items, where each - item defines one internal IP address: - - 1. `192.168.1.1` - - 2. `192.168.1.3` - - 3. `192.168.1.18` - - 4. `192.168.1.12` - - 5. `192.168.1.7` - - - To use these IP addresses as values for defining rule exceptions, use the - Security exceptions API to [create an exception list - item](../operation/operation-createexceptionlistitem) that references the - `internal-ip-addresses-southport` list. - - > info - - > Lists cannot be added directly to rules, nor do they define the - operators used to determine when exceptions are applied (`is in list`, `is - not in list`). 
Use an exception item to define the operator and associate - it with an [exception - container](../operation/operation-createexceptionlist). You can then add - the exception container to a rule's `exceptions_list` object. +x-topics: + - title: Kibana spaces + content: | + Spaces enable you to organize your dashboards and other saved objects into meaningful categories. + You can use the default space or create your own spaces. + To run APIs in non-default spaces, you must add `s/{space_id}/` to the path. + For example: - ## Lists requirements + ```bash + curl -X GET "http://${KIBANA_URL}/s/marketing/api/data_views" \ + -H "Authorization: ApiKey ${API_KEY}" + ``` + If you use the Kibana console to send API requests, it automatically adds the appropriate space identifier. - Before you can start using lists, you must create the `.lists` and - `.items` data streams for the relevant Kibana space. To do this, use the - [Create list data streams](../operation/operation-createlistindex) - endpoint. Once these data streams are created, your role needs privileges - to manage rules. Refer to [Enable and access - detections](https://www.elastic.co/guide/en/serverless/current/security-detections-requirements.html#enable-detections-ui) - for a complete list of requirements. - name: Security Lists API - x-displayName: Security lists - - description: Run live queries, manage packs and saved queries. - name: Security Osquery API - x-displayName: Security Osquery - - description: >- - You can create Timelines and Timeline templates via the API, as well as - import new Timelines from an ndjson file. 
- name: Security Timeline API - x-displayName: Security timeline - - description: SLO APIs enable you to define, manage and track service-level objectives - name: slo - - description: >- - Task manager APIs enable you to check the health of the Kibana task - manager, which is used by features such as alerting, actions, and - reporting to run mission critical work as persistent background tasks. - externalDocs: - description: Task manager - url: >- - https://www.elastic.co/docs/deploy-manage/distributed-architecture/kibana-tasks-management - name: task manager - x-displayName: Task manager + To learn more, check out [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces). diff --git a/oas_docs/output/kibana.yaml b/oas_docs/output/kibana.yaml index e100dc14b09fa..b52fd675a9bcf 100644 --- a/oas_docs/output/kibana.yaml +++ b/oas_docs/output/kibana.yaml 
@@ -2,68 +2,38 @@ openapi: 3.0.3 info: contact: name: Kibana Team - description: > - The Kibana REST APIs enable you to manage resources such as connectors, data - views, and saved objects. - + description: | + The Kibana REST APIs enable you to manage resources such as connectors, data views, and saved objects. The API calls are stateless. - - Each request that you make happens in isolation from other calls and must - include all of the necessary information for Kibana to fulfill the - + Each request that you make happens in isolation from other calls and must include all of the necessary information for Kibana to fulfill the request. - - API requests return JSON output, which is a format that is machine-readable - and works well for automation. - + API requests return JSON output, which is a format that is machine-readable and works well for automation. To interact with Kibana APIs, use the following operations: - - GET: Fetches the information. - - PATCH: Applies partial modifications to the existing information. - - POST: Adds new information. - - PUT: Updates the existing information. - - DELETE: Removes the information. - - You can prepend any Kibana API endpoint with `kbn:` and run the request in - **Dev Tools → Console**. - + You can prepend any Kibana API endpoint with `kbn:` and run the request in **Dev Tools → Console**. For example: - ``` - GET kbn:/api/data_views - ``` + For more information about the console, refer to [Run API requests](https://www.elastic.co/docs/explore-analyze/query-filter/tools/console). - For more information about the console, refer to [Run API - requests](https://www.elastic.co/docs/explore-analyze/query-filter/tools/console). - - - NOTE: Access to internal Kibana API endpoints will be restricted in Kibana - version 9.0. Please move any integrations to publicly documented APIs. - + NOTE: Access to internal Kibana API endpoints will be restricted in Kibana version 9.0. Please move any integrations to publicly documented APIs. 
## Documentation source and versions + This documentation is derived from the `main` branch of the [kibana](https://github.com/elastic/kibana) repository. + It is provided under license [Attribution-NonCommercial-NoDerivatives 4.0 International](https://creativecommons.org/licenses/by-nc-nd/4.0/). - This documentation is derived from the `main` branch of the - [kibana](https://github.com/elastic/kibana) repository. - - It is provided under license [Attribution-NonCommercial-NoDerivatives 4.0 - International](https://creativecommons.org/licenses/by-nc-nd/4.0/). - - - This documentation contains work-in-progress information for future Elastic - Stack releases. + This documentation contains work-in-progress information for future Elastic Stack releases. title: Kibana APIs version: '' x-doc-license: 
@@ -71,948 +41,2136 @@ info: url: https://creativecommons.org/licenses/by-nc-nd/4.0/ x-feedbackLink: label: Feedback - url: >- - https://github.com/elastic/docs-content/issues/new?assignees=&labels=feedback%2Ccommunity&projects=&template=api-feedback.yaml&title=%5BFeedback%5D%3A+ + url: https://github.com/elastic/docs-content/issues/new?assignees=&labels=feedback%2Ccommunity&projects=&template=api-feedback.yaml&title=%5BFeedback%5D%3A+ servers: - - url: http://{kibana_host}:{port} - variables: - kibana_host: - default: localhost - port: - default: '5601' - - url: http://localhost:5622 - - url: / - url: https://{kibana_url} variables: kibana_url: default: localhost:5601 +security: + - apiKeyAuth: [] + - basicAuth: [] +tags: + - name: agent builder + description: | + Agent Builder is a set of AI-powered capabilities for developing and interacting with agents that work with your Elasticsearch data. + Most users will probably want to integrate with Agent Builder using MCP or A2A, but you can also work programmatically with tools, agents, and conversations using these Kibana APIs. + **Elastic Agent Builder requires an Enterprise subscription.** + externalDocs: + description: Agent Builder docs + url: https://www.elastic.co/docs/solutions/search/agent-builder/programmatic-access + x-displayName: Agent Builder + - name: alerting + description: | + Alerting enables you to define rules, which detect complex conditions within your data. When a condition is met, the rule tracks it as an alert and runs the actions that are defined in the rule. Actions typically involve the use of connectors to interact with Kibana services or third party integrations. + externalDocs: + description: Alerting documentation + url: https://www.elastic.co/docs/explore-analyze/alerts-cases/alerts + x-displayName: Alerting + - description: | + Adjust APM agent configuration without need to redeploy your application. 
+ name: APM agent configuration + - description: | + Configure APM agent keys to authorize requests from APM agents to the APM Server. + name: APM agent keys + - description: | + Annotate visualizations in the APM app with significant events. Annotations enable you to easily see how events are impacting the performance of your applications. + name: APM annotations + - description: Create APM fleet server schema. + name: APM server schema + - description: | + Configure APM source maps. A source map allows minified files to be mapped back to original source code--allowing you to maintain the speed advantage of minified code, without losing the ability to quickly and easily debug your application. + For best results, uploading source maps should become a part of your deployment procedure, and not something you only do when you see unhelpful errors. That's because uploading source maps after errors happen won't make old errors magically readable--errors must occur again for source mapping to occur. + name: APM sourcemaps + - description: | + Cases are used to open and track issues. You can add assignees and tags to your cases, set their severity and status, and add alerts, comments, and visualizations. You can also send cases to external incident management systems by configuring connectors. + name: cases + externalDocs: + description: Cases documentation + url: https://www.elastic.co/docs/explore-analyze/alerts-cases/cases + x-displayName: Cases + - name: connectors + description: | + Connectors provide a central place to store connection information for services and integrations with Elastic or third party systems. Alerting rules can use connectors to run actions when rule conditions are met. 
+ externalDocs: + description: Connector documentation + url: https://www.elastic.co/docs/reference/kibana/connectors-kibana + x-displayName: Connectors + - name: Dashboards + description: | + > **Technical preview** — The Dashboards API is currently in technical preview and its reference documentation is temporarily hosted at a separate location. + > + > **[View the full Dashboards API reference →](https://elastic.github.io/dashboards-api-spec/dashboards#tag/Dashboards)** + externalDocs: + description: Dashboards documentation + url: https://www.elastic.co/docs/explore-analyze/dashboards + x-displayName: Dashboards + - name: Data streams + description: | + Data stream APIs enable you to manage data streams, which are collections of indices that share the same index template and are managed as a single unit for time-series data. + x-displayName: Data streams + - description: Data view APIs enable you to manage data views, formerly known as Kibana index patterns. + name: data views + x-displayName: Data views + - name: Elastic Agent actions + description: | + Elastic Agent actions APIs enable you to manage actions performed on Elastic Agents, including agent reassignment, diagnostics collection, enrollment management, upgrades, and bulk operations for agent lifecycle management. + x-displayName: Elastic Agent actions + - name: Elastic Agent binary download sources + description: | + Elastic Agent binary download sources APIs enable you to manage download sources for Elastic Agent binaries, including creating, updating, and deleting custom download sources for agent binaries. + x-displayName: Elastic Agent binary download sources + - name: Elastic Agent policies + description: | + Elastic Agent policies APIs enable you to manage agent policies, including creating, updating, and deleting policies, as well as to retrieve agent policy outputs, manifests, and auto-upgrade status information. 
+ x-displayName: Elastic Agent policies + - name: Elastic Agent status + description: | + Enables you to retrieve status information about Elastic Agents, including health summaries and operational status. + x-displayName: Elastic Agent status + - name: Elastic Agents + description: | + Elastic Agents APIs enable you to manage Elastic Agents, including retrieving agent information, managing agent lifecycle, handling file uploads, and initiating agent setup. + x-displayName: Elastic Agents + - name: Elastic Package Manager (EPM) + description: | + Elastic Package Manager (EPM) APIs enable you to manage packages and integrations, including installing, updating, and uninstalling packages, managing custom integrations, and handling package assets. + x-displayName: Elastic Package Manager (EPM) + - name: Fleet agentless policies + - name: Fleet cloud connectors + description: | + Fleet cloud connectors APIs enable you to manage Fleet cloud connectors, including creating, updating, and deleting cloud connector configurations for Fleet integrations. + x-displayName: Fleet cloud connectors + - name: Fleet enrollment API keys + description: | + Fleet enrollment API keys APIs enable you to manage enrollment API keys for Fleet, including creating, retrieving, and revoking API keys used for agent enrollment. + x-displayName: Fleet enrollment API keys + - name: Fleet internals + description: | + Fleet internals APIs enable you to manage Fleet internal operations, including checking permissions, monitoring Fleet Server health, managing settings, and initiating Fleet setup. + x-displayName: Fleet internals + - name: Fleet outputs + description: | + Fleet outputs APIs enable you to manage Fleet outputs, including creating, updating, and deleting output configurations, generating Logstash API keys, and monitoring output health. 
+ x-displayName: Fleet outputs + - name: Fleet package policies + description: | + Fleet package policies APIs enable you to manage Fleet package policies, including creating, updating, and deleting policies, performing bulk operations, and managing policy upgrades. + x-displayName: Fleet package policies + - name: Fleet proxies + description: | + Fleet proxies APIs enable you to manage Fleet proxies, including creating, updating, and deleting proxy configurations for Fleet agent communication. + x-displayName: Fleet proxies + - name: Fleet remote synced integrations + description: | + Use the Fleet remote synced integrations API to check the status of the automatic integrations synchronization on a remote cluster: + * Use the `/api/fleet/remote_synced_integrations/{outputId}/remote_status` endpoint on the management cluster to query the synchronization status of the integrations installed on the remote cluster by the ID of the configured remote Elasticsearch output. + * Use the `/api/fleet/remote_synced_integrations/status` endpoint on the remote cluster to query the synchronization status of the installed integrations. + externalDocs: + description: Automatic integrations synchronization documentation + url: https://www.elastic.co/docs/reference/fleet/automatic-integrations-synchronization + - name: Fleet Server hosts + description: | + Fleet Server hosts APIs enable you to manage Fleet Server hosts, including creating, updating, and deleting Fleet Server host configurations. + x-displayName: Fleet Server hosts + - name: Fleet service tokens + description: | + Enables you to create tokens for Fleet service authentication and authorization. + x-displayName: Fleet service tokens + - name: Fleet uninstall tokens + description: | + Fleet uninstall tokens APIs enable you to manage Fleet uninstall tokens, including retrieving metadata and decrypted tokens for agent uninstallation. 
+ x-displayName: Fleet uninstall tokens + - description: | + Programmatically integrate with Logstash configuration management. + > warn + > Do not directly access the `.logstash` index. The structure of the `.logstash` index is subject to change, which could cause your integration to break. Instead, use the Logstash configuration management APIs. + externalDocs: + description: Centralized pipeline management + url: https://www.elastic.co/docs/reference/logstash/logstash-centralized-pipeline-management + name: logstash + x-displayName: Logstash configuration management + - name: maintenance-window + description: | + You can schedule single or recurring maintenance windows to temporarily reduce rule notifications. For example, a maintenance window prevents false alarms during planned outages. + externalDocs: + description: Maintenance window documentation + url: https://www.elastic.co/docs/explore-analyze/alerts-cases/alerts/maintenance-windows + x-displayName: Maintenance windows + - name: Message Signing Service + description: | + Enables you to rotate message signing key pairs for secure Fleet communication. + x-displayName: Fleet Message Signing Service + - description: | + Enables you to synchronize machine learning saved objects. + name: ml + x-displayName: Machine learning + - description: Interact with the Observability AI Assistant resources. + externalDocs: + description: Observability AI Assistant + url: https://www.elastic.co/docs/solutions/observability/observability-ai-assistant + name: observability_ai_assistant + x-displayName: Observability AI Assistant + - name: roles + x-displayName: Roles + description: Manage the roles that grant Elasticsearch and Kibana privileges. 
+ externalDocs: + description: Kibana role management + url: https://www.elastic.co/docs/deploy-manage/users-roles/cluster-or-deployment-auth/defining-roles + - name: saved objects + x-displayName: Saved objects + description: | + Export sets of saved objects that you want to import into Kibana, resolve import errors, and rotate an encryption key for encrypted saved objects with the saved objects APIs. + + To manage a specific type of saved object, use the corresponding APIs. + For example, use: + + * [Data views](../group/endpoint-data-views) + * [Spaces](../group/endpoint-spaces) + * [Short URLs](../group/endpoint-short-url) + + Warning: Do not write documents directly to the `.kibana` index. When you write directly to the `.kibana` index, the data becomes corrupted and permanently breaks future Kibana versions. + - description: Manage and interact with Security Assistant resources. + name: Security AI Assistant API + x-displayName: Security AI assistant + - description: Use the Attack discovery APIs to generate and manage Attack discoveries. Attack Discovery leverages large language models (LLMs) to analyze alerts in your environment and identify threats. Each "discovery" represents a potential attack and describes relationships among multiple alerts to tell you which users and hosts are involved, how alerts correspond to the MITRE ATT&CK matrix, and which threat actor might be responsible. + name: Security Attack discovery API + x-displayName: Security Attack discovery + - description: | + Use the detections APIs to create and manage detection rules. Detection rules search events and external alerts sent to Elastic Security and generate detection alerts from any hits. Alerts are displayed on the **Alerts** page and can be assigned and triaged, using the alert status to mark them as open, closed, or acknowledged. + + This API supports both key-based authentication and basic authentication. 
+ + To use key-based authentication, create an API key, then specify the key in the header of your API calls. + + To use basic authentication, provide a username and password; this automatically creates an API key that matches the current user’s privileges. + + In both cases, the API key is subsequently used for authorization when the rule runs. + > warn + > If the API key used for authorization has different privileges than the key that created or most recently updated a rule, the rule behavior might change. + + > If the API key that created a rule is deleted, or the user that created the rule becomes inactive, the rule will stop running. + + To create and run rules, the user must meet specific requirements for the Kibana space. Refer to the [Detections requirements](https://www.elastic.co/guide/en/security/current/detections-permissions-section.html) for a complete list of requirements. + name: Security Detections API + x-displayName: Security detections + - description: Endpoint Exceptions API allows you to manage detection rule endpoint exceptions to prevent a rule from generating an alert from incoming events even when the rule's other criteria are met. + name: Security Endpoint Exceptions API + x-displayName: Security Elastic Endpoint exceptions + - description: Interact with and manage endpoints running the Elastic Defend integration. + name: Security Endpoint Management API + x-displayName: Security endpoint management + - description: | + Use the Security entity analytics APIs to manage entity analytics and risk scoring, including asset criticality, privileged user monitoring, and entity engines. + name: Security Entity Analytics API + x-displayName: Security entity analytics + - name: Security entity store + - description: | + Exceptions are associated with detection and endpoint rules, and are used to prevent a rule from generating an alert from incoming events, even when the rule's other criteria are met. 
They can help reduce the number of false positives and prevent trusted processes and network activity from generating unnecessary alerts. + + Exceptions are made up of: + + * **Exception containers**: A container for related exceptions. Generally, a single exception container contains all the exception items relevant for a subset of rules. For example, a container can be used to group together network-related exceptions that are relevant for a large number of network rules. The container can then be associated with all the relevant rules. + * **Exception items**: The query (fields, values, and logic) used to prevent rules from generating alerts. When an exception item's query evaluates to `true`, the rule does not generate an alert. + + For detection rules, you can also use lists to define rule exceptions. A list holds multiple values of the same Elasticsearch data type, such as IP addresses. These values are used to determine when an exception prevents an alert from being generated. + > info + > You cannot use lists with endpoint rule exceptions. + + > info + > Only exception containers can be associated with rules. You cannot directly associate an exception item or a list container with a rule. To use list exceptions, create an exception item that references the relevant list container. + + ## Exceptions requirements + + Before you can start working with exceptions that use value lists, you must create the `.lists` and `.items` data streams for the relevant Kibana space. To do this, use the [Create list data streams](../operation/operation-createlistindex) endpoint. Once these data streams are created, your role needs privileges to manage rules. For a complete list of requirements, refer to [Enable and access detections](https://www.elastic.co/guide/en/security/current/detections-permissions-section.html#enable-detections-ui). 
+ name: Security Exceptions API + x-displayName: Security exceptions + - description: | + Lists can be used with detection rule exceptions to define values that prevent a rule from generating alerts. + + Lists are made up of: + + * **List containers**: A container for values of the same Elasticsearch data type. The following data types can be used: + * `boolean` + * `byte` + * `date` + * `date_nanos` + * `date_range` + * `double` + * `double_range` + * `float` + * `float_range` + * `half_float` + * `integer` + * `integer_range` + * `ip` + * `ip_range` + * `keyword` + * `long` + * `long_range` + * `short` + * `text` + * **List items**: The values used to determine whether the exception prevents an alert from being generated. + + All list items in the same list container must be of the same data type, and each item defines a single value. For example, an IP list container named `internal-ip-addresses-southport` contains five items, where each item defines one internal IP address: + 1. `192.168.1.1` + 2. `192.168.1.3` + 3. `192.168.1.18` + 4. `192.168.1.12` + 5. `192.168.1.7` + + To use these IP addresses as values for defining rule exceptions, use the Security exceptions API to [create an exception list item](../operation/operation-createexceptionlistitem) that references the `internal-ip-addresses-southport` list. + > info + > Lists cannot be added directly to rules, nor do they define the operators used to determine when exceptions are applied (`is in list`, `is not in list`). Use an exception item to define the operator and associate it with an [exception container](../operation/operation-createexceptionlist). You can then add the exception container to a rule's `exceptions_list` object. + + ## Lists requirements + + Before you can start using lists, you must create the `.lists` and `.items` data streams for the relevant Kibana space. To do this, use the [Create list data streams](../operation/operation-createlistindex) endpoint. 
Once these data streams are created, your role needs privileges to manage rules. Refer to [Enable and access detections](https://www.elastic.co/guide/en/security/current/detections-permissions-section.html#enable-detections-ui) for a complete list of requirements. + name: Security Lists API + x-displayName: Security lists + - description: Run live queries, manage packs and saved queries. + name: Security Osquery API + x-displayName: Security Osquery + - description: You can create Timelines and Timeline templates via the API, as well as import new Timelines from an ndjson file. + name: Security Timeline API + x-displayName: Security timeline + - description: Manage Kibana short URLs. + name: short url + x-displayName: Short URLs + - description: SLO APIs enable you to define, manage and track service-level objectives + name: slo + x-displayName: Service level objectives + - name: spaces + x-displayName: Spaces + description: Manage your Kibana spaces. + externalDocs: + url: https://www.elastic.co/docs/deploy-manage/manage-spaces + description: Space overview + - name: streams + description: | + Streams provide a unified data management layer for ingestion, routing, and processing. There are three stream types: + * **Wired** streams are managed by Kibana. They route documents to child streams based on + field conditions and support custom field mappings and processing steps. + + * **Classic** streams map to existing Elasticsearch data streams. You can add processing + steps to classic streams without changing their underlying index template. + + * **Query** streams are virtual aggregations backed by an ES|QL expression. They aggregate + data from multiple streams into a single logical view without duplicating documents. 
+ x-displayName: Streams + externalDocs: + description: Streams documentation + url: https://www.elastic.co/docs/solutions/observability/streams + - name: synthetics + x-displayName: Synthetics + description: Synthetics APIs enable you to check the status of your services and applications. + externalDocs: + description: Synthetic monitoring + url: https://www.elastic.co/docs/solutions/observability/synthetics + - name: system + x-displayName: System + description: | + Get information about the system status, resource usage, features, and installed plugins. + - description: Task manager APIs enable you to check the health of the Kibana task manager, which is used by features such as alerting, actions, and reporting to run mission critical work as persistent background tasks. + externalDocs: + description: Task manager + url: https://www.elastic.co/docs/deploy-manage/distributed-architecture/kibana-tasks-management + name: task manager + x-displayName: Task manager + - description: | + The Kibana Upgrade Assistant API helps you prepare for the next major Elasticsearch release. + > warn + > This is a Kibana REST API (not an Elasticsearch API) and requests must target your Kibana URL: + > * Self-managed URL pattern: `https://localhost:5601` + > * Elastic Cloud URL pattern: `https://your-deployment.kb.us-east-1.aws.elastic.cloud:9243` + name: upgrade + x-displayName: Upgrade assistant + - description: Uptime APIs enable you to view and update uptime monitoring settings. + externalDocs: + description: Uptime monitoring + url: https://www.elastic.co/docs/solutions/observability/uptime + name: uptime + x-displayName: Uptime + - name: user session + x-displayName: User session management + description: | + Enables you to invalidate user sessions for security and session management purposes. 
+ - name: Visualizations + description: | + > **Technical preview** — The Visualizations API is currently in technical preview and its reference documentation is temporarily hosted at a separate location. + > + > **[View the full Visualizations API reference →](https://elastic.github.io/dashboards-api-spec/visualizations#tag/Visualizations)** + externalDocs: + description: Visualizations documentation + url: https://www.elastic.co/docs/explore-analyze/visualize/lens + x-displayName: Visualizations + - name: workflows + description: | + Workflows enable you to automate multi-step processes directly in Kibana. Define sequences of steps in YAML to transform data insights into automated actions and outcomes, without needing external automation tools. + + Use the workflows APIs to create, manage, and run workflows programmatically. You can also search, export, import, and monitor workflow executions. + externalDocs: + description: Workflows documentation + url: https://www.elastic.co/docs/explore-analyze/workflows + x-displayName: Workflows paths: - /api/alerting/_health: - get: - description: > - You must have `read` privileges for the **Management > Stack Rules** - feature or for at least one of the **Analytics > Discover**, **Analytics - > Machine Learning**, **Observability**, or **Security** features. - operationId: getAlertingHealth - responses: - '200': - content: - application/json: - examples: - getAlertingHealthResponse: - $ref: '#/components/examples/Alerting_get_health_response' - schema: - type: object - properties: - alerting_framework_health: - description: > - Three substates identify the health of the alerting - framework: `decryption_health`, `execution_health`, and - `read_health`. - type: object - properties: - decryption_health: - description: The timestamp and status of the rule decryption. 
- type: object - properties: - status: - enum: - - error - - ok - - warn - example: ok - type: string - timestamp: - example: '2023-01-13T01:28:00.280Z' - format: date-time - type: string - execution_health: - description: The timestamp and status of the rule run. - type: object - properties: - status: - enum: - - error - - ok - - warn - example: ok - type: string - timestamp: - example: '2023-01-13T01:28:00.280Z' - format: date-time - type: string - read_health: - description: The timestamp and status of the rule reading events. - type: object - properties: - status: - enum: - - error - - ok - - warn - example: ok - type: string - timestamp: - example: '2023-01-13T01:28:00.280Z' - format: date-time - type: string - has_permanent_encryption_key: - description: >- - If `false`, the encrypted saved object plugin does not - have a permanent encryption key. - example: true - type: boolean - is_sufficiently_secure: - description: If `false`, security is enabled but TLS is not. - example: true - type: boolean - description: Indicates a successful call. - '401': - content: - application/json: - examples: - healthUnauthorizedResponse: - $ref: '#/components/examples/Alerting_401_health_response' - schema: - $ref: '#/components/schemas/Alerting_401_response' - description: Authorization information is missing or invalid. - summary: Get the alerting framework health - tags: - - alerting - /api/alerting/rule_types: + /api/actions/connector_types: get: - description: > - If you have `read` privileges for one or more Kibana features, the API - response contains information about the appropriate rule types. For - example, there are rule types associated with the **Management > Stack - Rules** feature, **Analytics > Discover** and **Machine Learning** - features, **Observability** features, and **Security** features. To get - rule types associated with the **Stack Monitoring** feature, use the - `monitoring_user` built-in role. 
- operationId: getRuleTypes + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/actions/connector_types
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + You do not need any Kibana feature privileges to run this API. + operationId: get-actions-connector-types + parameters: + - description: A filter to limit the retrieved connector types to those that support a specific feature (such as alerting or cases). + in: query + name: feature_id + required: false + schema: + type: string responses: '200': content: application/json: - examples: - getRuleTypesResponse: - $ref: '#/components/examples/Alerting_get_rule_types_response' schema: items: + additionalProperties: false type: object properties: - action_groups: - description: > - An explicit list of groups for which the rule type can - schedule actions, each with the action group's unique ID - and human readable name. Rule actions validation uses - this configuration to ensure that groups are valid. - items: - type: object - properties: - id: - type: string - name: - type: string - type: array - action_variables: - description: > - A list of action variables that the rule type makes - available via context and state in action parameter - templates, and a short human readable description. When - you create a rule in Kibana, it uses this information to - prompt you for these variables in action parameter - editors. - type: object - properties: - context: - items: - type: object - properties: - description: - type: string - name: - type: string - useWithTripleBracesInTemplates: - type: boolean - type: array - params: - items: - type: object - properties: - description: - type: string - name: - type: string - type: array - state: - items: - type: object - properties: - description: - type: string - name: - type: string - type: array - alerts: - description: > - Details for writing alerts as data documents for this - rule type. - type: object - properties: - context: - description: | - The namespace for this rule type. 
- enum: - - ml.anomaly-detection - - observability.apm - - observability.logs - - observability.metrics - - observability.slo - - observability.threshold - - observability.uptime - - security - - stack - type: string - dynamic: - description: Indicates whether new fields are added dynamically. - enum: - - 'false' - - runtime - - strict - - 'true' - type: string - isSpaceAware: - description: > - Indicates whether the alerts are space-aware. If - true, space-specific alert indices are used. - type: boolean - mappings: - type: object - properties: - fieldMap: - additionalProperties: - $ref: >- - #/components/schemas/Alerting_fieldmap_properties - description: > - Mapping information for each field supported in - alerts as data documents for this rule type. For - more information about mapping parameters, refer - to the Elasticsearch documentation. - type: object - secondaryAlias: - description: > - A secondary alias. It is typically used to support - the signals alias for detection rules. - type: string - shouldWrite: - description: > - Indicates whether the rule should write out alerts - as data. - type: boolean - useEcs: - description: > - Indicates whether to include the ECS component - template for the alerts. - type: boolean - useLegacyAlerts: - default: false - description: > - Indicates whether to include the legacy component - template for the alerts. - type: boolean - authorized_consumers: - description: >- - The list of the plugins IDs that have access to the rule - type. 
- type: object - properties: - alerts: - type: object - properties: - all: - type: boolean - read: - type: boolean - apm: - type: object - properties: - all: - type: boolean - read: - type: boolean - discover: - type: object - properties: - all: - type: boolean - read: - type: boolean - infrastructure: - type: object - properties: - all: - type: boolean - read: - type: boolean - logs: - type: object - properties: - all: - type: boolean - read: - type: boolean - ml: - type: object - properties: - all: - type: boolean - read: - type: boolean - monitoring: - type: object - properties: - all: - type: boolean - read: - type: boolean - siem: - type: object - properties: - all: - type: boolean - read: - type: boolean - slo: - type: object - properties: - all: - type: boolean - read: - type: boolean - stackAlerts: - type: object - properties: - all: - type: boolean - read: - type: boolean - uptime: - type: object - properties: - all: - type: boolean - read: - type: boolean - category: - description: >- - The rule category, which is used by features such as - category-specific maintenance windows. - enum: - - management - - observability - - securitySolution - type: string - default_action_group_id: - description: The default identifier for the rule type group. - type: string - does_set_recovery_context: - description: >- - Indicates whether the rule passes context variables to - its recovery action. + allow_multiple_system_actions: + description: Indicates whether multiple instances of the same system action connector can be used in a single rule. type: boolean - enabled_in_license: - description: >- - Indicates whether the rule type is enabled or disabled - based on the subscription. + description: + description: Description of the connector type. + type: string + enabled: + description: Indicates whether the connector is enabled. type: boolean - has_alerts_mappings: - description: >- - Indicates whether the rule type has custom mappings for - the alert data. 
+ enabled_in_config: + description: Indicates whether the connector is enabled in the Kibana configuration. type: boolean - has_fields_for_a_a_d: + enabled_in_license: + description: Indicates whether the connector is enabled through the license. type: boolean id: - description: The unique identifier for the rule type. + description: The identifier for the connector. type: string - is_exportable: - description: >- - Indicates whether the rule type is exportable in **Stack - Management > Saved Objects**. + is_deprecated: + description: Indicates whether the connector type is deprecated. + type: boolean + is_experimental: + description: Indicates whether the connector type is in technical preview. + type: boolean + is_system_action_type: + description: Indicates whether the action is a system action. type: boolean minimum_license_required: - description: The subscriptions required to use the rule type. - example: basic + description: The minimum license required to enable the connector. + enum: + - basic + - standard + - gold + - platinum + - enterprise + - trial type: string name: - description: The descriptive name of the rule type. + description: The name of the connector type. type: string - producer: - description: >- - An identifier for the application that produces this - rule type. - example: stackAlerts + source: + description: The source of the connector type definition. + enum: + - yml + - spec + - stack type: string - recovery_action_group: - description: >- - An action group to use when an alert goes from an active - state to an inactive one. - type: object - properties: - id: - type: string - name: - type: string - rule_task_timeout: - example: 5m + sub_feature: + description: Indicates the sub-feature type the connector is grouped under. 
+ enum: + - endpointSecurity type: string + supported_feature_ids: + description: The list of supported features + items: + type: string + type: array + required: + - id + - name + - enabled + - enabled_in_config + - enabled_in_license + - minimum_license_required + - supported_feature_ids + - is_system_action_type + - is_deprecated + - source type: array - description: Indicates a successful call. - '401': - content: - application/json: examples: - ruleTypesUnauthorizedResponse: - $ref: '#/components/examples/Alerting_401_rule_types_response' - schema: - $ref: '#/components/schemas/Alerting_401_response' - description: Authorization information is missing or invalid. - summary: Get the rule types + getConnectorTypesServerlessResponse: + $ref: '#/components/examples/get_connector_types_generativeai_response' + description: Indicates a successful call. + '403': + description: Indicates that this call is forbidden. + summary: Get connector types tags: - - alerting - /api/apm/agent_keys: - post: - description: > - Create a new agent key for APM. + - connectors + x-metaTags: + - content: Kibana + name: product_name + /api/actions/connector/_oauth_callback: + get: + description: |- + **Spaces method and path for this operation:** - The user creating an APM agent API key must have at least the - `manage_own_api_key` cluster privilege and the APM application-level - privileges that it wishes to grant. +
get /s/{space_id}/api/actions/connector/_oauth_callback
- After it is created, you can copy the API key (Base64 encoded) and use - it to to authorize requests from APM agents to the APM Server. - operationId: createAgentKey + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Handles the OAuth 2.0 authorization code callback from external providers. Exchanges the authorization code for access and refresh tokens.

[Required authorization] Route required privileges: actions:oauth. + operationId: get-actions-connector-oauth-callback parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - $ref: '#/components/parameters/APM_UI_kbn_xsrf' - requestBody: - content: - application/json: - examples: - createAgentKeyRequest1: - $ref: '#/components/examples/APM_UI_agent_keys_object_post_request1' - schema: - $ref: '#/components/schemas/APM_UI_agent_keys_object' - required: true + - description: The authorization code returned by the OAuth provider. + in: query + name: code + required: false + schema: + type: string + - description: The state parameter for CSRF protection. + in: query + name: state + required: false + schema: + type: string + - description: Error code if the authorization failed. + in: query + name: error + required: false + schema: + type: string + - description: Human-readable error description. + in: query + name: error_description + required: false + schema: + type: string + - description: Session state from the OAuth provider (e.g., Microsoft). + in: query + name: session_state + required: false + schema: + type: string responses: '200': - content: - application/json: - examples: - createAgentKeyResponse1: - $ref: >- - #/components/examples/APM_UI_agent_keys_object_post_200_response1 - schema: - $ref: '#/components/schemas/APM_UI_agent_keys_response' - description: Agent key created successfully - '400': - content: - application/json: - examples: - badRequestResponse: - $ref: '#/components/examples/APM_UI_error_400_response' - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response + description: Returns an HTML callback page. + '302': + description: Redirects to the return URL with authorization result query parameters. 
'401': - content: - application/json: - examples: - unauthorizedResponse: - $ref: '#/components/examples/APM_UI_error_401_response' - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response + description: User is not authenticated. + summary: Handle OAuth callback + tags: + - connectors + x-state: Added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/actions/connector/_oauth_callback_script: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/actions/connector/_oauth_callback_script
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Returns the OAuth callback script + operationId: get-actions-connector-oauth-callback-script + parameters: [] + responses: + '200': + description: Returns the OAuth callback script + summary: '' + tags: [] + x-state: Added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/actions/connector/{id}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/actions/connector/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + WARNING: When you delete a connector, it cannot be recovered. + operationId: delete-actions-connector-id + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: An identifier for the connector. + in: path + name: id + required: true + schema: + type: string + responses: + '204': + description: Indicates a successful call. '403': + description: Indicates that this call is forbidden. + summary: Delete a connector + tags: + - connectors + x-metaTags: + - content: Kibana + name: product_name + get: + operationId: get-actions-connector-id + parameters: + - description: An identifier for the connector. + in: path + name: id + required: true + schema: + type: string + responses: + '200': content: application/json: - examples: - forbiddenResponse: - $ref: '#/components/examples/APM_UI_error_403_response' - schema: - $ref: '#/components/schemas/APM_UI_403_response' - description: Forbidden response - '500': - content: - application/json: - examples: - internalServerErrorResponse: - $ref: '#/components/examples/APM_UI_error_500_response' schema: - $ref: '#/components/schemas/APM_UI_500_response' - description: Internal Server Error response - summary: Create an APM agent key + additionalProperties: false + type: object + properties: + auth_mode: + description: The authentication mode used for the connector. + enum: + - shared + - per-user + type: string + config: + additionalProperties: + nullable: true + type: object + connector_type_id: + description: The connector type identifier. + type: string + id: + description: The identifier for the connector. + type: string + is_connector_type_deprecated: + description: Indicates whether the connector type is deprecated. 
+ type: boolean + is_deprecated: + description: Indicates whether the connector is deprecated. + type: boolean + is_missing_secrets: + description: Indicates whether the connector is missing secrets. + type: boolean + is_preconfigured: + description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. ' + type: boolean + is_system_action: + description: Indicates whether the connector is used for system actions. + type: boolean + name: + description: ' The name of the connector.' + type: string + required: + - id + - name + - connector_type_id + - is_preconfigured + - is_deprecated + - is_system_action + - is_connector_type_deprecated + examples: + getConnectorResponse: + $ref: '#/components/examples/get_connector_response' + description: Indicates a successful call. + '403': + description: Indicates that this call is forbidden. + summary: Get connector information tags: - - APM agent keys - /api/apm/fleet/apm_server_schema: + - connectors + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/actions/connector/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. post: - deprecated: true - description: > - DEPRECATED: This endpoint is intended for internal use by Fleet - integrations to push the APM Server configuration schema. Do not use for - new integrations. It stores the provided schema object as a Kibana saved - object. If Fleet migration is not available on the current deployment, - the API returns a 404. - operationId: saveApmServerSchema + operationId: post-actions-connector-id parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - $ref: '#/components/parameters/APM_UI_kbn_xsrf' + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: An identifier for the connector. + in: path + name: id + required: true + schema: + maxLength: 36 + minLength: 1 + type: string requestBody: content: application/json: - examples: - saveApmServerSchemaRequest: - description: >- - An example request payload for `POST - /api/apm/fleet/apm_server_schema`. - value: - schema: - foo: bar schema: + additionalProperties: false type: object properties: - schema: - additionalProperties: true - description: Schema object - example: - foo: bar - type: object - required: true + connector_type_id: + description: The type of connector. + type: string + name: + description: The display name for the connector. + type: string + config: + additionalProperties: {} + default: {} + description: The connector configuration details. 
+ oneOf: + - $ref: '#/components/schemas/bedrock_config' + - $ref: '#/components/schemas/crowdstrike_config' + - $ref: '#/components/schemas/d3security_config' + - $ref: '#/components/schemas/email_config' + - $ref: '#/components/schemas/gemini_config' + - $ref: '#/components/schemas/resilient_config' + - $ref: '#/components/schemas/index_config' + - $ref: '#/components/schemas/jira_config' + - $ref: '#/components/schemas/genai_azure_config' + - $ref: '#/components/schemas/genai_openai_config' + - $ref: '#/components/schemas/genai_openai_other_config' + - $ref: '#/components/schemas/opsgenie_config' + - $ref: '#/components/schemas/pagerduty_config' + - $ref: '#/components/schemas/sentinelone_config' + - $ref: '#/components/schemas/servicenow_config' + - $ref: '#/components/schemas/servicenow_itom_config' + - $ref: '#/components/schemas/slack_api_config' + - $ref: '#/components/schemas/swimlane_config' + - $ref: '#/components/schemas/thehive_config' + - $ref: '#/components/schemas/tines_config' + - $ref: '#/components/schemas/torq_config' + - $ref: '#/components/schemas/webhook_config' + - $ref: '#/components/schemas/cases_webhook_config' + - $ref: '#/components/schemas/xmatters_config' + secrets: + additionalProperties: {} + default: {} + oneOf: + - $ref: '#/components/schemas/bedrock_secrets' + - $ref: '#/components/schemas/crowdstrike_secrets' + - $ref: '#/components/schemas/d3security_secrets' + - $ref: '#/components/schemas/email_secrets' + - $ref: '#/components/schemas/gemini_secrets' + - $ref: '#/components/schemas/resilient_secrets' + - $ref: '#/components/schemas/jira_secrets' + - $ref: '#/components/schemas/defender_secrets' + - $ref: '#/components/schemas/teams_secrets' + - $ref: '#/components/schemas/genai_secrets' + - $ref: '#/components/schemas/opsgenie_secrets' + - $ref: '#/components/schemas/pagerduty_secrets' + - $ref: '#/components/schemas/sentinelone_secrets' + - $ref: '#/components/schemas/servicenow_secrets' + - $ref: 
'#/components/schemas/slack_api_secrets' + - $ref: '#/components/schemas/swimlane_secrets' + - $ref: '#/components/schemas/thehive_secrets' + - $ref: '#/components/schemas/tines_secrets' + - $ref: '#/components/schemas/torq_secrets' + - $ref: '#/components/schemas/webhook_secrets' + - $ref: '#/components/schemas/cases_webhook_secrets' + - $ref: '#/components/schemas/xmatters_secrets' + required: + - name + - connector_type_id + examples: + createEmailConnectorRequest: + $ref: '#/components/examples/create_email_connector_request' + createIndexConnectorRequest: + $ref: '#/components/examples/create_index_connector_request' + createWebhookConnectorRequest: + $ref: '#/components/examples/create_webhook_connector_request' + createXmattersConnectorRequest: + $ref: '#/components/examples/create_xmatters_connector_request' responses: '200': content: application/json: - examples: - saveApmServerSchemaResponseExample1: - $ref: >- - #/components/examples/APM_UI_fleet_apm_server_schema_200_response1 schema: additionalProperties: false - description: The response body is intentionally empty for this endpoint. type: object - description: Successful response - '400': - content: - application/json: - examples: - badRequestResponse: - $ref: '#/components/examples/APM_UI_error_400_response' - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - examples: - unauthorizedResponse: - $ref: '#/components/examples/APM_UI_error_401_response' - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response + properties: + auth_mode: + description: The authentication mode used for the connector. + enum: + - shared + - per-user + type: string + config: + additionalProperties: + nullable: true + type: object + connector_type_id: + description: The connector type identifier. + type: string + id: + description: The identifier for the connector. 
+ type: string + is_connector_type_deprecated: + description: Indicates whether the connector type is deprecated. + type: boolean + is_deprecated: + description: Indicates whether the connector is deprecated. + type: boolean + is_missing_secrets: + description: Indicates whether the connector is missing secrets. + type: boolean + is_preconfigured: + description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. ' + type: boolean + is_system_action: + description: Indicates whether the connector is used for system actions. + type: boolean + name: + description: ' The name of the connector.' + type: string + required: + - id + - name + - connector_type_id + - is_preconfigured + - is_deprecated + - is_system_action + - is_connector_type_deprecated + examples: + createEmailConnectorResponse: + $ref: '#/components/examples/create_email_connector_response' + createIndexConnectorResponse: + $ref: '#/components/examples/create_index_connector_response' + createWebhookConnectorResponse: + $ref: '#/components/examples/create_webhook_connector_response' + createXmattersConnectorResponse: + $ref: '#/components/examples/get_connector_response' + description: Indicates a successful call. '403': + description: Indicates that this call is forbidden. + summary: Create a connector + tags: + - connectors + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/actions/connector/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + put: + operationId: put-actions-connector-id + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: An identifier for the connector. + in: path + name: id + required: true + schema: + type: string + requestBody: + content: + application/json: + schema: + additionalProperties: false + type: object + properties: + name: + description: The display name for the connector. + type: string + config: + additionalProperties: {} + default: {} + description: The connector configuration details. + oneOf: + - $ref: '#/components/schemas/bedrock_config' + - $ref: '#/components/schemas/crowdstrike_config' + - $ref: '#/components/schemas/d3security_config' + - $ref: '#/components/schemas/email_config' + - $ref: '#/components/schemas/gemini_config' + - $ref: '#/components/schemas/resilient_config' + - $ref: '#/components/schemas/index_config' + - $ref: '#/components/schemas/jira_config' + - $ref: '#/components/schemas/defender_config' + - $ref: '#/components/schemas/genai_azure_config' + - $ref: '#/components/schemas/genai_openai_config' + - $ref: '#/components/schemas/opsgenie_config' + - $ref: '#/components/schemas/pagerduty_config' + - $ref: '#/components/schemas/sentinelone_config' + - $ref: '#/components/schemas/servicenow_config' + - $ref: '#/components/schemas/servicenow_itom_config' + - $ref: '#/components/schemas/slack_api_config' + - $ref: '#/components/schemas/swimlane_config' + - $ref: '#/components/schemas/thehive_config' + - $ref: '#/components/schemas/tines_config' + - $ref: '#/components/schemas/torq_config' + - $ref: '#/components/schemas/webhook_config' + - $ref: '#/components/schemas/cases_webhook_config' + - $ref: '#/components/schemas/xmatters_config' + secrets: + additionalProperties: {} + default: {} + oneOf: + - $ref: 
'#/components/schemas/bedrock_secrets' + - $ref: '#/components/schemas/crowdstrike_secrets' + - $ref: '#/components/schemas/d3security_secrets' + - $ref: '#/components/schemas/email_secrets' + - $ref: '#/components/schemas/gemini_secrets' + - $ref: '#/components/schemas/resilient_secrets' + - $ref: '#/components/schemas/jira_secrets' + - $ref: '#/components/schemas/teams_secrets' + - $ref: '#/components/schemas/genai_secrets' + - $ref: '#/components/schemas/opsgenie_secrets' + - $ref: '#/components/schemas/pagerduty_secrets' + - $ref: '#/components/schemas/sentinelone_secrets' + - $ref: '#/components/schemas/servicenow_secrets' + - $ref: '#/components/schemas/slack_api_secrets' + - $ref: '#/components/schemas/swimlane_secrets' + - $ref: '#/components/schemas/thehive_secrets' + - $ref: '#/components/schemas/tines_secrets' + - $ref: '#/components/schemas/torq_secrets' + - $ref: '#/components/schemas/webhook_secrets' + - $ref: '#/components/schemas/cases_webhook_secrets' + - $ref: '#/components/schemas/xmatters_secrets' + required: + - name + examples: + updateIndexConnectorRequest: + $ref: '#/components/examples/update_index_connector_request' + responses: + '200': content: application/json: - examples: - forbiddenResponse: - $ref: '#/components/examples/APM_UI_error_403_response' - schema: - $ref: '#/components/schemas/APM_UI_403_response' - description: Forbidden response - '404': - content: - application/json: - examples: - notFoundResponse: - $ref: '#/components/examples/APM_UI_error_404_response' schema: - $ref: '#/components/schemas/APM_UI_404_response' - description: Not found response - summary: Save APM server schema + additionalProperties: false + type: object + properties: + auth_mode: + description: The authentication mode used for the connector. + enum: + - shared + - per-user + type: string + config: + additionalProperties: + nullable: true + type: object + connector_type_id: + description: The connector type identifier. 
+ type: string + id: + description: The identifier for the connector. + type: string + is_connector_type_deprecated: + description: Indicates whether the connector type is deprecated. + type: boolean + is_deprecated: + description: Indicates whether the connector is deprecated. + type: boolean + is_missing_secrets: + description: Indicates whether the connector is missing secrets. + type: boolean + is_preconfigured: + description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. ' + type: boolean + is_system_action: + description: Indicates whether the connector is used for system actions. + type: boolean + name: + description: ' The name of the connector.' + type: string + required: + - id + - name + - connector_type_id + - is_preconfigured + - is_deprecated + - is_system_action + - is_connector_type_deprecated + description: Indicates a successful call. + '403': + description: Indicates that this call is forbidden. + summary: Update a connector tags: - - APM server schema - /api/apm/services/{serviceName}/annotation: + - connectors + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/actions/connector/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/actions/connector/{id}/_execute: post: - description: Create a new annotation for a specific service. - operationId: createAnnotation + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/actions/connector/{id}/_execute
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + You can use this API to test an action that involves interaction with Kibana services or integrations with third-party systems. + operationId: post-actions-connector-id-execute parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - $ref: '#/components/parameters/APM_UI_kbn_xsrf' - - description: The name of the service + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: An identifier for the connector. in: path - name: serviceName + name: id required: true schema: type: string requestBody: content: application/json: - examples: - createAnnotationRequest1: - $ref: '#/components/examples/APM_UI_annotation_object_post_request1' schema: - $ref: '#/components/schemas/APM_UI_create_annotation_object' - required: true + additionalProperties: false + type: object + properties: + params: + additionalProperties: {} + oneOf: + - $ref: '#/components/schemas/run_acknowledge_resolve_pagerduty' + - $ref: '#/components/schemas/run_documents' + - $ref: '#/components/schemas/run_message_email' + - $ref: '#/components/schemas/run_message_serverlog' + - $ref: '#/components/schemas/run_message_slack' + - $ref: '#/components/schemas/run_trigger_pagerduty' + - $ref: '#/components/schemas/run_addevent' + - $ref: '#/components/schemas/run_closealert' + - $ref: '#/components/schemas/run_closeincident' + - $ref: '#/components/schemas/run_createalert' + - $ref: '#/components/schemas/run_fieldsbyissuetype' + - $ref: '#/components/schemas/run_getagentdetails' + - $ref: '#/components/schemas/run_getagents' + - $ref: '#/components/schemas/run_getchoices' + - $ref: '#/components/schemas/run_getfields' + - $ref: '#/components/schemas/run_getincident' + - $ref: '#/components/schemas/run_issue' + - $ref: '#/components/schemas/run_issues' + - $ref: 
'#/components/schemas/run_issuetypes' + - $ref: '#/components/schemas/run_postmessage' + - $ref: '#/components/schemas/run_pushtoservice' + - $ref: '#/components/schemas/run_validchannelid' + required: + - params + examples: + runIndexConnectorRequest: + $ref: '#/components/examples/run_index_connector_request' + runJiraConnectorRequest: + $ref: '#/components/examples/run_jira_connector_request' + runServerLogConnectorRequest: + $ref: '#/components/examples/run_servicenow_itom_connector_request' + runSlackConnectorRequest: + $ref: '#/components/examples/run_slack_api_connector_request' + runSwimlaneConnectorRequest: + $ref: '#/components/examples/run_swimlane_connector_request' responses: '200': content: application/json: - examples: - createAnnotationResponse1: - $ref: >- - #/components/examples/APM_UI_annotation_object_post_200_response1 schema: - $ref: '#/components/schemas/APM_UI_create_annotation_response' - description: Annotation created successfully - '400': + additionalProperties: false + type: object + properties: + auth_mode: + description: The authentication mode used for the connector. + enum: + - shared + - per-user + type: string + config: + additionalProperties: + nullable: true + type: object + connector_type_id: + description: The connector type identifier. + type: string + id: + description: The identifier for the connector. + type: string + is_connector_type_deprecated: + description: Indicates whether the connector type is deprecated. + type: boolean + is_deprecated: + description: Indicates whether the connector is deprecated. + type: boolean + is_missing_secrets: + description: Indicates whether the connector is missing secrets. + type: boolean + is_preconfigured: + description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. ' + type: boolean + is_system_action: + description: Indicates whether the connector is used for system actions. 
+ type: boolean + name: + description: ' The name of the connector.' + type: string + required: + - id + - name + - connector_type_id + - is_preconfigured + - is_deprecated + - is_system_action + - is_connector_type_deprecated + examples: + runIndexConnectorResponse: + $ref: '#/components/examples/run_index_connector_response' + runJiraConnectorResponse: + $ref: '#/components/examples/run_jira_connector_response' + runServerLogConnectorResponse: + $ref: '#/components/examples/run_server_log_connector_response' + runServiceNowITOMConnectorResponse: + $ref: '#/components/examples/run_servicenow_itom_connector_response' + runSlackConnectorResponse: + $ref: '#/components/examples/run_slack_api_connector_response' + runSwimlaneConnectorResponse: + $ref: '#/components/examples/run_swimlane_connector_response' + description: Indicates a successful call. + '403': + description: Indicates that this call is forbidden. + summary: Run a connector + tags: + - connectors + x-metaTags: + - content: Kibana + name: product_name + /api/actions/connectors: + get: + operationId: get-actions-connectors + parameters: [] + responses: + '200': content: application/json: - examples: - badRequestResponse: - $ref: '#/components/examples/APM_UI_error_400_response' schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: + items: + additionalProperties: false + type: object + properties: + auth_mode: + description: The authentication mode used for the connector. + enum: + - shared + - per-user + type: string + config: + additionalProperties: + nullable: true + type: object + connector_type_id: + description: The connector type identifier. + type: string + id: + description: The identifier for the connector. + type: string + is_connector_type_deprecated: + description: Indicates whether the connector type is deprecated. + type: boolean + is_deprecated: + description: Indicates whether the connector is deprecated. 
+ type: boolean + is_missing_secrets: + description: Indicates whether the connector is missing secrets. + type: boolean + is_preconfigured: + description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. ' + type: boolean + is_system_action: + description: Indicates whether the connector is used for system actions. + type: boolean + name: + description: ' The name of the connector.' + type: string + referenced_by_count: + description: The number of saved objects that reference the connector. If is_preconfigured is true, this value is not calculated. + type: number + required: + - id + - name + - connector_type_id + - is_preconfigured + - is_deprecated + - is_system_action + - is_connector_type_deprecated + - referenced_by_count + type: array examples: - unauthorizedResponse: - $ref: '#/components/examples/APM_UI_error_401_response' - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response + getConnectorsResponse: + $ref: '#/components/examples/get_connectors_response' + description: Indicates a successful call. '403': + description: Indicates that this call is forbidden. + summary: Get all connectors + tags: + - connectors + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/actions/connectors
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/agent_builder/a2a/{agentId}: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/agent_builder/a2a/{agentId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + > warn + > This endpoint is designed for A2A protocol clients and should not be used directly via REST APIs. Use an A2A SDK or A2A Inspector instead. + To learn more about the Agent Builder A2A server, refer to the [A2A server documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/a2a-server).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: post-agent-builder-a2a-agentid + parameters: + - description: The unique identifier of the agent to send the A2A task to. + in: path + name: agentId + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + a2aTaskRequestExample: + description: 'WARNING: DO NOT USE THIS ENDPOINT VIA REST API. These examples are auto-generated and should not be run. Integrate with A2A using an A2A SDK or A2A Inspector instead.' + value: + id: task-123 + jsonrpc: '2.0' + method: complete + params: + messages: + - content: Hello from A2A protocol + role: user + schema: {} + responses: + '200': content: application/json: examples: - forbiddenResponse: - $ref: '#/components/examples/APM_UI_error_403_response' - schema: - $ref: '#/components/schemas/APM_UI_403_response' - description: Forbidden response - '404': - content: - application/json: - examples: - notFoundResponse: - $ref: '#/components/examples/APM_UI_error_404_response' - schema: - $ref: '#/components/schemas/APM_UI_404_response' - description: Not found response - summary: Create a service annotation + a2aTaskResponseExample: + description: Example response from A2A Task Endpoint with results of task execution + value: + id: task-123 + jsonrpc: '2.0' + result: + conversation_id: conv-456 + response: + message: Hello! How can I help you today? 
+ type: response + description: Indicates a successful response + summary: Send A2A task tags: - - APM annotations - x-codeSamples: - - lang: Curl - source: | - curl -X POST \ - http://localhost:5601/api/apm/services/opbeans-java/annotation \ - -H 'Content-Type: application/json' \ - -H 'kbn-xsrf: true' \ - -H 'Authorization: Basic YhUlubWZhM0FDbnlQeE6WRtaW49FQmSGZ4RUWXdX' \ - -d '{ - "@timestamp": "2020-05-08T10:31:30.452Z", - "service": { - "version": "1.2" - }, - "message": "Deployment 1.2" - }' - /api/apm/services/{serviceName}/annotation/search: + - agent builder + x-state: Experimental; added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + /api/agent_builder/a2a/{agentId}.json: get: - description: Search for annotations related to a specific service. - operationId: getAnnotation + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/agent_builder/a2a/{agentId}.json
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get agent discovery metadata in JSON format. Use this endpoint to provide agent information for A2A protocol integration and discovery. To learn more about the Agent Builder A2A server, refer to the [A2A server documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/a2a-server).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-a2a-agentid.json parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - description: The name of the service + - description: The unique identifier of the agent to get A2A metadata for. in: path - name: serviceName + name: agentId required: true schema: type: string - - description: The environment to filter annotations by - in: query - name: environment - required: false - schema: - type: string - - description: The start date for the search - example: '2024-01-01T00:00:00.000Z' - in: query - name: start - required: false - schema: - format: date-time - type: string - - description: The end date for the search - example: '2024-01-31T23:59:59.999Z' - in: query - name: end - required: false - schema: - format: date-time - type: string responses: '200': content: application/json: examples: - getAnnotationResponse1: - $ref: >- - #/components/examples/APM_UI_annotation_search_get_200_response1 - schema: - $ref: '#/components/schemas/APM_UI_annotation_search_response' - description: Successful response - '400': - content: - application/json: - examples: - badRequestResponse: - $ref: '#/components/examples/APM_UI_error_400_response' - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - examples: - unauthorizedResponse: - $ref: '#/components/examples/APM_UI_error_401_response' - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '500': + a2aAgentCardResponseExample: + description: Example response card of Elastic AI Agent + value: + capabilities: + pushNotifications: false + stateTransitionHistory: false + streaming: false + defaultInputModes: + - text/plain + defaultOutputModes: + - text/plain + description: Elastic AI Agent + name: Elastic AI Agent + protocolVersion: 0.3.0 + provider: + organization: Elastic + url: 
https://elastic.co + securitySchemes: + authorization: + description: Authentication token + in: header + name: Authorization + type: apiKey + skills: + - description: A powerful tool for searching and analyzing data within your Elasticsearch cluster. + examples: [] + id: platform.core.search + inputModes: + - text/plain + - application/json + name: platform.core.search + outputModes: + - text/plain + - application/json + tags: + - tool + supportsAuthenticatedExtendedCard: false + url: http://localhost:5601/api/agent_builder/a2a/elastic-ai-agent + version: 0.1.0 + description: Indicates a successful response + summary: Get A2A agent card + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/agent_builder/a2a/{agentId}.json" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/agent_builder/a2a/{agentId}.json + x-state: Experimental; added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + /api/agent_builder/agents: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/agent_builder/agents
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all available agents. Use this endpoint to retrieve complete agent information including their current configuration and assigned tools. To learn more about agents, refer to the [agents documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/agent-builder-agents).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-agents + parameters: [] + responses: + '200': content: application/json: examples: - internalServerErrorResponse: - $ref: '#/components/examples/APM_UI_error_500_response' - schema: - $ref: '#/components/schemas/APM_UI_500_response' - description: Internal Server Error response - summary: Search for annotations + listAgentsResponseExample: + description: Example response that returns one built-in Elastic agent and one created by the user + value: + results: + - configuration: + tools: + - tool_ids: + - platform.core.search + - platform.core.list_indices + - platform.core.get_index_mapping + - platform.core.get_document_by_id + description: Elastic AI Agent + id: elastic-ai-agent + name: Elastic AI Agent + type: chat + - avatar_color: '#BFDBFF' + avatar_symbol: SI + configuration: + instructions: You are a custom agent that wants to help searching data using all indices starting with prefix "content-". + tools: + - tool_ids: + - platform.core.search + - platform.core.list_indices + - platform.core.get_index_mapping + - platform.core.get_document_by_id + description: Hi! I can help you search the data within the indices starting with "content-" prefix. + id: created-agent-id + labels: + - custom-indices + - department-search + name: Search Index Helper + type: chat + description: Indicates a successful response + summary: List agents tags: - - APM annotations - /api/apm/settings/agent-configuration: - delete: - description: > - Delete an existing agent configuration. You must have `all` privileges - for the APM and User Experience feature in Kibana. When successful, the - configuration is removed and, if Fleet is enabled, APM package policies - are synchronized accordingly. 
- operationId: deleteAgentConfiguration + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/agent_builder/agents" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/agent_builder/agents + x-state: Added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/agent_builder/agents
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new agent. Use this endpoint to define the agent's behavior, appearance, and capabilities through comprehensive configuration options. To learn more about agents, refer to the [agents documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/agent-builder-agents).

[Required authorization] Route required privileges: agentBuilder:manageAgents. + operationId: post-agent-builder-agents parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - $ref: '#/components/parameters/APM_UI_kbn_xsrf' + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: examples: - deleteAgentConfigurationRequest1: - $ref: >- - #/components/examples/APM_UI_agent_configuration_intake_object_delete_request1 + createAgentRequestExample: + description: Example request for creating a custom agent with special prompt and tools + value: + avatar_color: '#BFDBFF' + avatar_symbol: SI + configuration: + instructions: You are a custom agent that wants to help searching data using all indices starting with prefix "content-". + tools: + - tool_ids: + - platform.core.search + - platform.core.list_indices + - platform.core.get_index_mapping + - platform.core.get_document_by_id + description: Hi! I can help you search the data within the indices starting with "content-" prefix. + id: created-agent-id + labels: + - custom-indices + - department-search + name: Search Index Helper schema: - $ref: '#/components/schemas/APM_UI_delete_service_object' - required: true + additionalProperties: false + type: object + properties: + avatar_color: + description: Optional hex color code for the agent avatar. + type: string + avatar_symbol: + description: Optional symbol/initials for the agent avatar. + type: string + configuration: + additionalProperties: false + description: Configuration settings for the agent. + type: object + properties: + connector_ids: + description: Array of connector IDs to associate with the agent. + items: + description: Connector ID to associate with the agent. 
+ type: string + maxItems: 100 + type: array + enable_elastic_capabilities: + description: When true, enables built-in Elastic capabilities for the agent. + type: boolean + instructions: + description: Optional system instructions that define the agent behavior. + type: string + plugin_ids: + description: Array of plugin IDs to assign to the agent. + items: + description: Plugin ID to assign to the agent. + type: string + maxItems: 100 + type: array + skill_ids: + description: Array of skill IDs to be available to the agent. + items: + description: Skill ID to be available to the agent. + type: string + maxItems: 100 + type: array + tools: + items: + additionalProperties: false + description: Tool selection configuration for the agent. + type: object + properties: + tool_ids: + description: Array of tool IDs that the agent can use. + items: + description: Tool ID to be available to the agent. + type: string + type: array + required: + - tool_ids + type: array + workflow_ids: + items: + description: Optional list of workflow IDs. When set, these workflows run before every agent execution, in order. + type: string + maxItems: 100 + type: array + required: + - tools + description: + description: Description of what the agent does. + type: string + id: + description: Unique identifier for the agent. + type: string + labels: + description: Optional labels for categorizing and organizing agents. + items: + description: Label for categorizing the agent. + type: string + type: array + name: + description: Display name for the agent. + type: string + visibility: + description: '**Technical Preview; added in 9.4.0.** Optional visibility setting: `public` (any privileged user can read/write), `shared` (any privileged user can read, only owner can write), `private` (only owner can read/write).' 
+ enum: + - public + - shared + - private + type: string + required: + - id + - name + - description + - configuration responses: '200': content: application/json: examples: - deleteAgentConfigurationResponseExample1: - $ref: >- - #/components/examples/APM_UI_agent_configuration_intake_object_delete_200_response1 - schema: - $ref: >- - #/components/schemas/APM_UI_delete_agent_configurations_response - description: Successful response - '400': - content: - application/json: - examples: - badRequestResponse: - $ref: '#/components/examples/APM_UI_error_400_response' - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - examples: - unauthorizedResponse: - $ref: '#/components/examples/APM_UI_error_401_response' - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '403': + createAgentResponseExample: + description: Example response returning the definition of an agent created as a result of the request + value: + avatar_color: '#BFDBFF' + avatar_symbol: SI + configuration: + instructions: You are a custom agent that wants to help searching data using all indices starting with prefix "content-". + tools: + - tool_ids: + - platform.core.search + - platform.core.list_indices + - platform.core.get_index_mapping + - platform.core.get_document_by_id + description: Hi! I can help you search the data within the indices starting with "content-" prefix. 
+ id: created-agent-id + labels: + - custom-indices + - department-search + name: Search Index Helper + type: chat + description: Indicates a successful response + summary: Create an agent + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/agent_builder/agents" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "id": "new-agent-id", + "name": "Search Index Helper", + "description": "Hi! I can help you search the data within the indices starting with \"content-\" prefix.", + "labels": ["custom-indices", "department-search"], + "avatar_color": "#BFDBFF", + "avatar_symbol": "SI", + "configuration": { + "instructions": "You are a custom agent that wants to help searching data using all indices starting with prefix \"content-\".", + "tools": [ + { + "tool_ids": [ + "platform.core.search", + "platform.core.list_indices", + "platform.core.get_index_mapping", + "platform.core.get_document_by_id" + ] + } + ] + } + }' + - lang: Console + source: | + POST kbn://api/agent_builder/agents + { + "id": "new-agent-id", + "name": "Search Index Helper", + "description": "Hi! I can help you search the data within the indices starting with \"content-\" prefix.", + "labels": ["custom-indices", "department-search"], + "avatar_color": "#BFDBFF", + "avatar_symbol": "SI", + "configuration": { + "instructions": "You are a custom agent that wants to help searching data using all indices starting with prefix \"content-\".", + "tools": [ + { + "tool_ids": [ + "platform.core.search", + "platform.core.list_indices", + "platform.core.get_index_mapping", + "platform.core.get_document_by_id" + ] + } + ] + } + } + x-state: Added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + /api/agent_builder/agents/{agent_id}/consumption: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/agent_builder/agents/{agent_id}/consumption
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Returns paginated, per-conversation token consumption data for a given agent. Includes input/output token counts, round counts, LLM call counts, and warnings for conversations with high token usage. Requires the manageAgents privilege. To learn more about monitoring agent token usage, refer to the [monitor usage documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/monitor-usage).

[Required authorization] Route required privileges: agentBuilder:manageAgents. + operationId: post-agent-builder-agents-agent-id-consumption + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The unique identifier of the agent. + in: path + name: agent_id + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + consumptionDefaultExample: + description: Get consumption data for an agent with default pagination + value: + size: 25 + sort_field: updated_at + sort_order: desc + consumptionFilteredExample: + description: Get consumption data filtered by username with warnings + value: + has_warnings: true + size: 10 + sort_field: total_tokens + sort_order: desc + usernames: + - elastic + - admin + schema: + additionalProperties: false + type: object + properties: + has_warnings: + description: Filter to conversations with or without high-token warnings. + type: boolean + search: + description: Free-text search filter on conversation title. + type: string + search_after: + description: Cursor for pagination. Pass the search_after value from the previous response. + items: + nullable: true + maxItems: 10000 + type: array + size: + default: 25 + description: Number of results per page. + maximum: 100 + minimum: 1 + type: number + sort_field: + default: updated_at + description: Field to sort results by. + enum: + - updated_at + - total_tokens + - round_count + type: string + sort_order: + default: desc + description: Sort direction. + enum: + - asc + - desc + type: string + usernames: + description: Filter results to conversations by these usernames. 
+ items: + type: string + maxItems: 10000 + type: array + responses: + '200': content: application/json: examples: - forbiddenResponse: - $ref: '#/components/examples/APM_UI_error_403_response' - schema: - $ref: '#/components/schemas/APM_UI_403_response' - description: Forbidden response - '404': + consumptionResponseExample: + description: Example response with per-conversation token usage data + value: + aggregations: + total_with_warnings: 0 + usernames: + - elastic + - admin + results: + - conversation_id: conv-abc123 + created_at: '2025-03-01T10:00:00Z' + llm_calls: 8 + round_count: 5 + title: Help me search my data + token_usage: + input_tokens: 15000 + output_tokens: 3000 + total_tokens: 18000 + updated_at: '2025-03-01T10:15:00Z' + user: + id: uid-1 + username: elastic + warnings: [] + - conversation_id: conv-def456 + created_at: '2025-03-02T14:00:00Z' + llm_calls: 20 + round_count: 12 + title: Analyze server logs + token_usage: + input_tokens: 250000 + output_tokens: 8000 + total_tokens: 258000 + updated_at: '2025-03-02T14:30:00Z' + user: + id: uid-2 + username: admin + warnings: + - input_tokens: 250000 + round_id: round-7 + type: high_input_tokens + search_after: + - 1709391000000 + - '2025-03-02T14:30:00Z' + total: 2 + description: Indicates a successful response + summary: Get agent consumption data + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/agent_builder/agents/elastic-ai-agent/consumption" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "Content-Type: application/json" \ + -H "elastic-api-version: 2023-10-31" \ + -d '{"size": 25, "sort_field": "updated_at", "sort_order": "desc"}' + - lang: Console + source: | + POST kbn://api/agent_builder/agents/elastic-ai-agent/consumption + {"size": 25, "sort_field": "updated_at", "sort_order": "desc"} + x-state: Experimental; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/agent_builder/agents/{id}: + delete: + 
description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/agent_builder/agents/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete an agent by ID. This action cannot be undone. To learn more about agents, refer to the [agents documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/agent-builder-agents).

[Required authorization] Route required privileges: agentBuilder:manageAgents. + operationId: delete-agent-builder-agents-id + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The unique identifier of the agent to delete. + in: path + name: id + required: true + schema: + type: string + responses: + '200': content: application/json: examples: - notFoundResponse: - $ref: '#/components/examples/APM_UI_error_404_response' - schema: - $ref: '#/components/schemas/APM_UI_404_response' - description: Not found response - summary: Delete agent configuration + deleteAgentResponseExample: + description: Example response showing that deletion of the agent has been successful + value: + success: true + description: Indicates a successful response + summary: Delete an agent tags: - - APM agent configuration + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X DELETE "${KIBANA_URL}/api/agent_builder/agents/{id}" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" + - lang: Console + source: | + DELETE kbn://api/agent_builder/agents/{id} + x-state: Added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name get: - description: > - Retrieve all agent configurations. You must have `read` privileges for - the APM and User Experience feature in Kibana. If agent configuration is - not available on the current deployment, the API returns a 404. - operationId: getAgentConfigurations + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/agent_builder/agents/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a specific agent by ID. Use this endpoint to retrieve the complete agent definition including all configuration details and tool assignments. To learn more about agents, refer to the [agents documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/agent-builder-agents).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-agents-id parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - description: The unique identifier of the agent to retrieve. + in: path + name: id + required: true + schema: + type: string responses: '200': content: application/json: examples: - getAgentConfigurationsResponseExample1: - $ref: >- - #/components/examples/APM_UI_agent_configuration_intake_object_get_200_response1 - schema: - $ref: '#/components/schemas/APM_UI_agent_configurations_response' - description: Successful response - '400': - content: - application/json: - examples: - badRequestResponse: - $ref: '#/components/examples/APM_UI_error_400_response' - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - examples: - unauthorizedResponse: - $ref: '#/components/examples/APM_UI_error_401_response' - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '404': - content: - application/json: - examples: - notFoundResponse: - $ref: '#/components/examples/APM_UI_error_404_response' - schema: - $ref: '#/components/schemas/APM_UI_404_response' - description: Not found response - summary: Get a list of agent configurations + getAgentByIdResponseExample: + description: Example response that an agent created by the user that will query elasticsearch indices starting with 'content-' prefix to answer the questions. + value: + avatar_color: '#BFDBFF' + avatar_symbol: SI + configuration: + instructions: You are a custom agent that wants to help searching data using all indices starting with prefix "content-". + tools: + - tool_ids: + - platform.core.search + - platform.core.list_indices + - platform.core.get_index_mapping + - platform.core.get_document_by_id + description: Hi! I can help you search the data within the indices starting with "content-" prefix. 
+ id: created-agent-id + labels: + - custom-indices + - department-search + name: Search Index Helper + type: chat + description: Indicates a successful response + summary: Get an agent by ID tags: - - APM agent configuration + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/agent_builder/agents/{id}" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/agent_builder/agents/{id} + x-state: Added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name put: - description: > - Create or update an agent configuration. You must have `all` privileges - for the APM and User Experience feature in Kibana. When updating an - existing configuration, the `?overwrite=true` query parameter is - required. If the configuration already exists and `overwrite` is not set - to `true`, the API returns a 400 error. When successful and Fleet is - enabled, APM package policies are synchronized accordingly. - operationId: createUpdateAgentConfiguration + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/agent_builder/agents/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an existing agent configuration. Use this endpoint to modify any aspect of the agent's behavior, appearance, or capabilities. To learn more about agents, refer to the [agents documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/agent-builder-agents).

[Required authorization] Route required privileges: agentBuilder:manageAgents. + operationId: put-agent-builder-agents-id parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - $ref: '#/components/parameters/APM_UI_kbn_xsrf' - - description: If the config exists ?overwrite=true is required - in: query - name: overwrite + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - type: boolean + example: 'true' + type: string + - description: The unique identifier of the agent to update. + in: path + name: id + required: true + schema: + type: string requestBody: content: application/json: examples: - createUpdateAgentConfigurationRequestExample1: - $ref: >- - #/components/examples/APM_UI_agent_configuration_intake_object_put_request1 + createAgentRequestExample: + description: Example request for updating custom agent + value: + avatar_color: '#BFDBFF' + avatar_symbol: SI + configuration: + instructions: You are a custom agent that wants to help searching data using all indices starting with prefix "content-". + tools: + - tool_ids: + - platform.core.search + - platform.core.list_indices + - platform.core.get_index_mapping + - platform.core.get_document_by_id + description: Updated description - Search for anything in "content-*" indices! + id: created-agent-id + labels: + - custom-indices + - department-search + - elastic-employees + name: Search Index Helper schema: - $ref: '#/components/schemas/APM_UI_agent_configuration_intake_object' - required: true + additionalProperties: false + type: object + properties: + avatar_color: + description: Updated hex color code for the agent avatar. + type: string + avatar_symbol: + description: Updated symbol/initials for the agent avatar. + type: string + configuration: + additionalProperties: false + description: Updated configuration settings for the agent. 
+ type: object + properties: + connector_ids: + description: Array of connector IDs to associate with the agent. + items: + description: Connector ID to associate with the agent. + type: string + maxItems: 100 + type: array + enable_elastic_capabilities: + description: When true, enables built-in Elastic capabilities for the agent. + type: boolean + instructions: + description: Updated system instructions that define the agent behavior. + type: string + plugin_ids: + description: Array of plugin IDs to assign to the agent. + items: + description: Plugin ID to assign to the agent. + type: string + maxItems: 100 + type: array + skill_ids: + description: Array of skill IDs to be available to the agent. + items: + description: Skill ID to be available to the agent. + type: string + maxItems: 100 + type: array + tools: + items: + additionalProperties: false + description: Tool selection configuration for the agent. + type: object + properties: + tool_ids: + description: Array of tool IDs that the agent can use. + items: + description: Tool ID to be available to the agent. + type: string + type: array + required: + - tool_ids + type: array + workflow_ids: + items: + description: Updated list of workflow IDs. When set, these workflows run every agent execution, in order. + type: string + maxItems: 100 + type: array + description: + description: Updated description of what the agent does. + type: string + labels: + description: Updated labels for categorizing and organizing agents. + items: + description: Updated label for categorizing the agent. + type: string + type: array + name: + description: Updated display name for the agent. + type: string + visibility: + description: '**Technical Preview; added in 9.4.0.** Updated visibility setting: `public` (any privileged user can read/write), `shared` (any privileged user can read, only owner can write), `private` (only owner can read/write).' 
+ enum: + - public + - shared + - private + type: string responses: '200': content: application/json: examples: - createUpdateAgentConfigurationResponseExample1: - $ref: >- - #/components/examples/APM_UI_agent_configuration_intake_object_put_200_response1 - schema: - additionalProperties: false - description: The response body is intentionally empty for this endpoint. - type: object - description: Successful response - '400': - content: - application/json: - examples: - badRequestResponse: - $ref: '#/components/examples/APM_UI_error_400_response' - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - examples: - unauthorizedResponse: - $ref: '#/components/examples/APM_UI_error_401_response' - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '403': - content: - application/json: - examples: - forbiddenResponse: - $ref: '#/components/examples/APM_UI_error_403_response' - schema: - $ref: '#/components/schemas/APM_UI_403_response' - description: Forbidden response - '404': - content: - application/json: - examples: - notFoundResponse: - $ref: '#/components/examples/APM_UI_error_404_response' - schema: - $ref: '#/components/schemas/APM_UI_404_response' - description: Not found response - summary: Create or update agent configuration + updateAgentResponseExample: + description: Example response returning the agent definition with the changes applied from the request + value: + avatar_color: '#BFDBFF' + avatar_symbol: SI + configuration: + instructions: You are a custom agent that wants to help searching data using all indices starting with prefix "content-". + tools: + - tool_ids: + - platform.core.search + - platform.core.list_indices + - platform.core.get_index_mapping + - platform.core.get_document_by_id + description: Updated description - Search for anything in "content-*" indices! 
+ id: created-agent-id + labels: + - custom-indices + - department-search + - elastic-employees + name: Search Index Helper + type: chat + description: Indicates a successful response + summary: Update an agent tags: - - APM agent configuration - /api/apm/settings/agent-configuration/agent_name: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X PUT "${KIBANA_URL}/api/agent_builder/agents/{id}" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "name": "Search Index Helper", + "description": "Updated description - Search for anything in \"content-*\" indices!", + "labels": ["custom-indices", "department-search", "elastic-employees"], + "avatar_color": "#BFDBFF", + "avatar_symbol": "SI", + "configuration": { + "instructions": "You are a custom agent that wants to help searching data using all indices starting with prefix \"content-\".", + "tools": [{ + "tool_ids": [ + "platform.core.search", + "platform.core.list_indices", + "platform.core.get_index_mapping", + "platform.core.get_document_by_id" + ] + }] + } + }' + - lang: Console + source: | + PUT kbn://api/agent_builder/agents/{id} + { + "name": "Search Index Helper", + "description": "Updated description - Search for anything in \"content-*\" indices!", + "labels": ["custom-indices", "department-search", "elastic-employees"], + "avatar_color": "#BFDBFF", + "avatar_symbol": "SI", + "configuration": { + "instructions": "You are a custom agent that wants to help searching data using all indices starting with prefix \"content-\".", + "tools": [{ + "tool_ids": [ + "platform.core.search", + "platform.core.list_indices", + "platform.core.get_index_mapping", + "platform.core.get_document_by_id" + ] + }] + } + } + x-state: Added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + /api/agent_builder/agents/{id}/acl: get: - description: Retrieve `agentName` for a service. 
- operationId: getAgentNameForService + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/agent_builder/agents/{id}/acl
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the access control list (ACL) for a specific agent. Callers without permission to manage the ACL receive `can_manage: false` and an empty `entries` list — the principal list itself is sensitive. To learn more about agents, refer to the [agents documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/agent-builder-agents).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-agents-id-acl parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - description: The name of the service - example: node - in: query - name: serviceName + - description: The unique identifier of the agent whose ACL to retrieve. + in: path + name: id required: true schema: type: string 
@@ -1021,186 +2179,222 @@ paths: content: application/json: examples: - getAgentNameForServiceResponse1: - $ref: >- - #/components/examples/APM_UI_service_agent_name_get_200_response1 - schema: - $ref: '#/components/schemas/APM_UI_service_agent_name_response' - description: Successful response - '400': - content: - application/json: - examples: - badRequestResponse: - $ref: '#/components/examples/APM_UI_error_400_response' - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - examples: - unauthorizedResponse: - $ref: '#/components/examples/APM_UI_error_401_response' - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response + getAgentAclMaskedResponseExample: + description: Example response for a caller without manage permission — the principal list is hidden and `entries` is always empty. + value: + acl: + entries: [] + can_manage: false + getAgentAclResponseExample: + description: Example response for a caller who can manage the ACL — the agent has two grantees. + value: + acl: + entries: + - name: alice + role: editor + type: user + - name: bob + role: user + type: user + can_manage: true + description: Indicates a successful response '404': content: application/json: examples: - notFoundResponse: - $ref: '#/components/examples/APM_UI_error_404_response' - schema: - $ref: '#/components/schemas/APM_UI_404_response' - description: Not found response - summary: Get agent name for service + agentNotFoundResponseExample: + value: + attributes: + trace_id: 8d4f2a3b-1c5e-4a9b-9f0d-2e6c1a3d4f5e + error: Not Found + message: Agent custom-agent-id not found + statusCode: 404 + description: Not Found — no agent with this ID is visible to the caller. Matches the existing `agentNotFound` shape, so unprivileged callers cannot probe for hidden agents. 
+ summary: Get an agent's access control list tags: - - APM agent configuration - /api/apm/settings/agent-configuration/environments: - get: - description: > - Retrieve the available environments for a given service, to be used in - agent configuration. You must have `read` privileges for the APM and - User Experience feature in Kibana. If `serviceName` is omitted, - environments across all services are returned. - operationId: getEnvironmentsForService + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/agent_builder/agents/{id}/acl" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/agent_builder/agents/{id}/acl + x-state: Added in 9.5.0 + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/agent_builder/agents/{id}/acl
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Replace the per-agent access control list (ACL). The agent owner, cluster admins, and anyone the ACL grants Editor or higher can call this endpoint (or anyone with `manageAgents` on a Public agent). Each call replaces the entire entries list — the most recent successful update wins. To learn more about agents, refer to the [agents documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/agent-builder-agents).

[Required authorization] Route required privileges: agentBuilder:manageAgents. + operationId: put-agent-builder-agents-id-acl parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - description: >- - The name of the service. If omitted, environments across all - services are returned. - example: opbeans-node - in: query - name: serviceName + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The unique identifier of the agent whose ACL to update. + in: path + name: id + required: true schema: type: string - responses: - '200': - content: - application/json: - examples: - getEnvironmentsForServiceResponseExample1: - $ref: >- - #/components/examples/APM_UI_agent_configuration_environments_200_response1 - schema: - $ref: '#/components/schemas/APM_UI_service_environments_response' - description: Successful response - '400': - content: - application/json: - examples: - badRequestResponse: - $ref: '#/components/examples/APM_UI_error_400_response' - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - examples: - unauthorizedResponse: - $ref: '#/components/examples/APM_UI_error_401_response' - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '404': - content: - application/json: - examples: - notFoundResponse: - $ref: '#/components/examples/APM_UI_error_404_response' - schema: - $ref: '#/components/schemas/APM_UI_404_response' - description: Not found response - summary: Get environments for service - tags: - - APM agent configuration - /api/apm/settings/agent-configuration/search: - post: - deprecated: true - description: > - DEPRECATED: This endpoint is intended for internal use by APM agents to - fetch their configuration and mark it as applied. Do not use for new - integrations. 
It searches for a single agent configuration matching the - given service, and optionally updates the `applied_by_agent` field when - the provided `etag` matches the current configuration. - operationId: searchSingleConfiguration - parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - $ref: '#/components/parameters/APM_UI_kbn_xsrf' requestBody: content: application/json: examples: - searchSingleConfigurationRequest1: - $ref: >- - #/components/examples/APM_UI_agent_configuration_intake_object_search_request1 + clearAgentAclRequestExample: + description: Submit an empty entries list to remove all ACL grants. Access then falls back to the agent's visibility setting. + value: + entries: [] + updateAgentAclRequestExample: + description: Example request granting two users access to the agent — Alice as Editor (can update the agent and its ACL), Bob as User (can run the agent). + value: + entries: + - name: alice + role: editor + type: user + - name: bob + role: user + type: user schema: - $ref: '#/components/schemas/APM_UI_search_agent_configuration_object' - required: true + additionalProperties: false + type: object + properties: + entries: + description: Access control entries to apply to the agent. Each entry has a `type` (currently only `user` is supported; role-based grants are planned for a future release), a `name` (the principal username), and a `role`. Submitting this field replaces the existing ACL entirely; submit an empty array to clear all grants. + items: + additionalProperties: false + type: object + properties: + name: + description: Case-sensitive Kibana username of the principal to grant access to. + maxLength: 1024 + minLength: 1 + type: string + role: + description: 'Role granted to the principal. Roles are hierarchical: `user` allows viewing, listing, reading, and running the agent; `editor` adds updating the agent and its ACL; `manager` adds deleting the agent and changing visibility.' 
+ enum: + - user + - editor + - manager + type: string + type: + enum: + - user + type: string + required: + - type + - name + - role + maxItems: 100 + type: array + required: + - entries responses: '200': content: application/json: examples: - searchSingleConfigurationResponse1: - $ref: >- - #/components/examples/APM_UI_agent_configuration_intake_object_search_200_response1 - schema: - $ref: >- - #/components/schemas/APM_UI_search_agent_configuration_response - description: Successful response + updateAgentAclResponseExample: + description: Example response returning the persisted ACL after the update. + value: + entries: + - name: alice + role: editor + type: user + - name: bob + role: user + type: user + description: Indicates a successful response '400': content: application/json: examples: - badRequestResponse: - $ref: '#/components/examples/APM_UI_error_400_response' - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - examples: - unauthorizedResponse: - $ref: '#/components/examples/APM_UI_error_401_response' - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response + aclOnDefaultAgentResponseExample: + description: The built-in Elastic default agent (`elastic-ai-agent`) cannot have a custom ACL — its access is governed by the platform, not per-agent grants. + value: + attributes: + trace_id: 8d4f2a3b-1c5e-4a9b-9f0d-2e6c1a3d4f5e + error: Bad Request + message: The default agent (elastic-ai-agent) does not support custom access controls. + statusCode: 400 + tooManyEntriesResponseExample: + description: Request body exceeds the 100-entry maximum. + value: + error: Bad Request + message: '[request body.entries]: array size is [101], but cannot be greater than [100]' + statusCode: 400 + description: Bad Request — the request body failed validation, or the request targets the built-in Elastic default agent (which cannot have an ACL). 
'404': content: application/json: examples: - notFoundResponse: - $ref: '#/components/examples/APM_UI_error_404_response' - schema: - $ref: '#/components/schemas/APM_UI_404_response' - description: Not found response - summary: Lookup single agent configuration + agentNotFoundResponseExample: + value: + attributes: + trace_id: 8d4f2a3b-1c5e-4a9b-9f0d-2e6c1a3d4f5e + error: Not Found + message: Agent custom-agent-id not found + statusCode: 404 + description: Not Found — no agent with this ID is visible to the caller, or the caller lacks write access. Matches the existing `agentNotFound` shape so unprivileged callers cannot probe for hidden agents. + summary: Update an agent's access control list tags: - - APM agent configuration - /api/apm/settings/agent-configuration/view: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X PUT "${KIBANA_URL}/api/agent_builder/agents/{id}/acl" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "entries": [ + { "type": "user", "name": "alice", "role": "editor" }, + { "type": "user", "name": "bob", "role": "user" } + ] + }' + - lang: Console + source: | + PUT kbn://api/agent_builder/agents/{id}/acl + { + "entries": [ + { "type": "user", "name": "alice", "role": "editor" }, + { "type": "user", "name": "bob", "role": "user" } + ] + } + x-state: Added in 9.5.0 + x-metaTags: + - content: Kibana + name: product_name + /api/agent_builder/conversations: get: - description: > - Retrieve a single agent configuration matching the given service name - and environment. You must have `read` privileges for the APM and User - Experience feature in Kibana. If no matching configuration is found, the - API returns a 404. - operationId: getSingleAgentConfiguration + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/agent_builder/conversations
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all conversations for a user. Use the optional agent ID to filter conversations by a specific agent. To learn more about agent conversations, refer to the [agent chat documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/chat).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-conversations parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - description: Service name - example: node - in: query - name: name - schema: - type: string - - description: Service environment - example: prod + - description: Optional agent ID to filter conversations by a specific agent. in: query - name: environment + name: agent_id + required: false schema: type: string responses: 
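Review bot: The PUT `/api/agent_builder/agents/{id}/acl` description states that anyone the ACL grants Editor or higher can call the endpoint, while the `[Required authorization]` line for the same operation states the route requires `agentBuilder:manageAgents`; one of the two needs qualifying so a caller holding an `editor` grant but not the `manageAgents` Kibana privilege knows whether the call is accepted. The `entries` schema also leaves unstated whether a caller may grant a role above their own (an `editor` submitting `role: manager`) or submit a list that removes their own grant, which is exactly what an operator needs to judge the escalation and lockout risk of delegating ACL edits; if the server enforces a ceiling, add to the `entries` description a sentence such as `Callers cannot grant a role higher than the one they hold on this agent.`, and if it does not, say so. The `tooManyEntriesResponseExample` value omits the `attributes.trace_id` object that the other error examples in this hunk carry, so the documented error shapes disagree. Both operations are entries of the YAML `paths` mapping, which begins and ends outside the hunk.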
@@ -1208,230 +2402,100 @@ paths: content: application/json: examples: - getSingleAgentConfigurationResponseExample1: - $ref: >- - #/components/examples/APM_UI_agent_configuration_intake_object_view_200_response1 - schema: - $ref: >- - #/components/schemas/APM_UI_single_agent_configuration_response - description: Successful response - '400': - content: - application/json: - examples: - badRequestResponse: - $ref: '#/components/examples/APM_UI_error_400_response' - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - examples: - unauthorizedResponse: - $ref: '#/components/examples/APM_UI_error_401_response' - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '404': - content: - application/json: - examples: - notFoundResponse: - $ref: '#/components/examples/APM_UI_error_404_response' - schema: - $ref: '#/components/schemas/APM_UI_404_response' - description: Not found response - summary: Get single agent configuration + listConversationsResponseExample: + description: Example response containing the list of conversations with all agents + value: + results: + - agent_id: elastic-ai-agent + created_at: '2025-09-19T17:45:39.554Z' + id: bcc176c5-38f6-40be-be0c-898e34fa1480 + title: General Greeting + updated_at: '2025-09-19T17:45:39.554Z' + user: + username: elastic + description: Indicates a successful response + summary: List conversations tags: - - APM agent configuration - /api/apm/sourcemaps: - get: - description: > - Get an array of Fleet artifacts, including source map uploads. You must - have `read` or `all` Kibana privileges for the APM and User Experience - feature. 
- operationId: getSourceMaps + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/agent_builder/conversations" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/agent_builder/conversations + x-state: Added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + /api/agent_builder/conversations/{conversation_id}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/agent_builder/conversations/{conversation_id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a conversation by ID. This action cannot be undone. To learn more about agent conversations, refer to the [agent chat documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/chat).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: delete-agent-builder-conversations-conversation-id parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - description: Page number - in: query - name: page + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - type: number - - description: Number of records per page - in: query - name: perPage + example: 'true' + type: string + - description: The unique identifier of the conversation to delete. + in: path + name: conversation_id + required: true schema: - type: number + type: string responses: '200': content: application/json: examples: - getSourceMapsResponse1: - $ref: '#/components/examples/APM_UI_source_maps_get_200_response1' - schema: - $ref: '#/components/schemas/APM_UI_source_maps_response' - description: Successful response - '400': - content: - application/json: - examples: - badRequestResponse: - $ref: '#/components/examples/APM_UI_error_400_response' - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - examples: - unauthorizedResponse: - $ref: '#/components/examples/APM_UI_error_401_response' - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '500': - content: - application/json: - examples: - internalServerErrorResponse: - $ref: '#/components/examples/APM_UI_error_500_response' - schema: - $ref: '#/components/schemas/APM_UI_500_response' - description: Internal Server Error response - '501': - content: - application/json: - examples: - notImplementedResponse: - $ref: '#/components/examples/APM_UI_error_501_response' - schema: - $ref: '#/components/schemas/APM_UI_501_response' - description: Not Implemented response - summary: Get source maps + deleteConversationResponseExample: + description: Example response showing that deletion of 
conversation has been successful + value: + success: true + description: Indicates a successful response + summary: Delete conversation by ID tags: - - APM sourcemaps + - agent builder x-codeSamples: - - lang: Curl + - lang: curl source: | - curl -X GET "http://localhost:5601/api/apm/sourcemaps" \ - -H 'Content-Type: application/json' \ - -H 'kbn-xsrf: true' \ - -H 'Authorization: ApiKey ${YOUR_API_KEY}' - post: - description: > - Upload a source map for a specific service and version. You must have - `all` Kibana privileges for the APM and User Experience feature. - - The maximum payload size is `1mb`. If you attempt to upload a source map - that exceeds the maximum payload size, you will get a 413 error. Before - uploading source maps that exceed this default, change the maximum - payload size allowed by Kibana with the `server.maxPayload` variable. - operationId: uploadSourceMap - parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - $ref: '#/components/parameters/APM_UI_kbn_xsrf' - requestBody: - content: - multipart/form-data: - examples: - uploadSourceMapRequest: - $ref: '#/components/examples/APM_UI_source_maps_upload_request1' - schema: - $ref: '#/components/schemas/APM_UI_upload_source_map_object' - required: true - responses: - '200': - content: - application/json: - examples: - uploadSourceMapResponse1: - $ref: >- - #/components/examples/APM_UI_source_maps_upload_200_response1 - schema: - $ref: '#/components/schemas/APM_UI_upload_source_maps_response' - description: Successful response - '400': - content: - application/json: - examples: - badRequestResponse: - $ref: '#/components/examples/APM_UI_error_400_response' - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - examples: - unauthorizedResponse: - $ref: '#/components/examples/APM_UI_error_401_response' - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized 
response - '403': - content: - application/json: - examples: - forbiddenResponse: - $ref: '#/components/examples/APM_UI_error_403_response' - schema: - $ref: '#/components/schemas/APM_UI_403_response' - description: Forbidden response - '500': - content: - application/json: - examples: - internalServerErrorResponse: - $ref: '#/components/examples/APM_UI_error_500_response' - schema: - $ref: '#/components/schemas/APM_UI_500_response' - description: Internal Server Error response - '501': - content: - application/json: - examples: - notImplementedResponse: - $ref: '#/components/examples/APM_UI_error_501_response' - schema: - $ref: '#/components/schemas/APM_UI_501_response' - description: Not Implemented response - summary: Upload a source map - tags: - - APM sourcemaps - x-codeSamples: - - lang: Curl - source: > - curl -X POST "http://localhost:5601/api/apm/sourcemaps" \ - - -H 'Content-Type: multipart/form-data' \ - - -H 'kbn-xsrf: true' \ - - -H 'Authorization: ApiKey ${YOUR_API_KEY}' \ - - -F 'service_name="foo"' \ + curl \ + -X DELETE "${KIBANA_URL}/api/agent_builder/conversations/{conversation_id}" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" + - lang: Console + source: | + DELETE kbn://api/agent_builder/conversations/{conversation_id} + x-state: Added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + get: + description: |- + **Spaces method and path for this operation:** - -F 'service_version="1.0.0"' \ +
get /s/{space_id}/api/agent_builder/conversations/{conversation_id}
- -F 'bundle_filepath="/test/e2e/general-usecase/bundle.js"' \ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - -F - 'sourcemap="{\"version\":3,\"file\":\"static/js/main.chunk.js\",\"sources\":[\"fleet-source-map-client/src/index.css\",\"fleet-source-map-client/src/App.js\",\"webpack:///./src/index.css?bb0a\",\"fleet-source-map-client/src/index.js\",\"fleet-source-map-client/src/reportWebVitals.js\"],\"sourcesContent\":[\"content\"],\"mappings\":\"mapping\",\"sourceRoot\":\"\"}"' - /api/apm/sourcemaps/{id}: - delete: - description: > - Delete a previously uploaded source map. You must have `all` Kibana - privileges for the APM and User Experience feature. - operationId: deleteSourceMap + Get a specific conversation by ID. Use this endpoint to retrieve the complete conversation history including all messages and metadata. To learn more about agent conversations, refer to the [agent chat documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/chat).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-conversations-conversation-id parameters: - - $ref: '#/components/parameters/APM_UI_elastic_api_version' - - $ref: '#/components/parameters/APM_UI_kbn_xsrf' - - description: Source map identifier + - description: The unique identifier of the conversation to retrieve. in: path - name: id + name: conversation_id required: true schema: type: string 
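Review bot: The DELETE `/api/agent_builder/conversations/{conversation_id}` operation is documented with `Route required privileges: agentBuilder:read.`, the same privilege as the read-only GET beside it, and its description does not say whether deletion is limited to the caller's own conversations; if that line is generated from the route definition, a destructive operation gated only on a read privilege deserves a second look, and if it is hand-written, it is likely wrong. The description should state whose conversations can be deleted, for example `Only conversations owned by the calling user can be deleted.` if that is what the server enforces. Only a `200` response is documented, whereas the ACL operations earlier in this patch document a `404` for an ID that is not visible to the caller; the missing-conversation case should get the same treatment so the non-enumerable behaviour is explicit here too. The hunk starts and ends in the middle of the YAML `paths` mapping.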
@@ -1440,1923 +2504,1440 @@ paths: content: application/json: examples: - deleteSourceMapResponseExample1: - $ref: >- - #/components/examples/APM_UI_source_maps_delete_200_response1 - schema: - additionalProperties: false - description: The response body is intentionally empty for this endpoint. - type: object - description: Successful response - '400': - content: - application/json: - examples: - badRequestResponse: - $ref: '#/components/examples/APM_UI_error_400_response' - schema: - $ref: '#/components/schemas/APM_UI_400_response' - description: Bad Request response - '401': - content: - application/json: - examples: - unauthorizedResponse: - $ref: '#/components/examples/APM_UI_error_401_response' - schema: - $ref: '#/components/schemas/APM_UI_401_response' - description: Unauthorized response - '403': - content: - application/json: - examples: - forbiddenResponse: - $ref: '#/components/examples/APM_UI_error_403_response' - schema: - $ref: '#/components/schemas/APM_UI_403_response' - description: Forbidden response - '500': - content: - application/json: - examples: - internalServerErrorResponse: - $ref: '#/components/examples/APM_UI_error_500_response' - schema: - $ref: '#/components/schemas/APM_UI_500_response' - description: Internal Server Error response - '501': - content: - application/json: - examples: - notImplementedResponse: - $ref: '#/components/examples/APM_UI_error_501_response' - schema: - $ref: '#/components/schemas/APM_UI_501_response' - description: Not Implemented response - summary: Delete source map + getConversationByIdResponseExample: + description: Example response containing the contents of a convesation with the chat agent + value: + agent_id: elastic-ai-agent + created_at: '2025-09-19T17:45:39.554Z' + id: bcc176c5-38f6-40be-be0c-898e34fa1480 + rounds: + - id: 170ec3b2-0f5a-4538-8b60-549572386d2a + input: + message: Hello, how are you? 
+ response: + message: |- + Since this is a general greeting that doesn't require any organizational or product-specific information, I can respond without using tools. + + Hello! I'm doing well, thank you for asking. I'm here to help you with any questions you may have. How can I assist you today? + steps: [] + title: General Greeting + updated_at: '2025-09-19T17:45:39.554Z' + user: + username: elastic + description: Indicates a successful response + summary: Get conversation by ID tags: - - APM sourcemaps + - agent builder x-codeSamples: - - lang: Curl - source: > - curl -X DELETE - "http://localhost:5601/api/apm/sourcemaps/apm:foo-1.0.0-644fd5a9" \ + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/agent_builder/conversations/{conversation_id}" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/agent_builder/conversations/{conversation_id} + x-state: Added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + /api/agent_builder/conversations/{conversation_id}/attachments: + get: + description: |- + **Spaces method and path for this operation:** - -H 'Content-Type: application/json' \ +
get /s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments
- -H 'kbn-xsrf: true' \ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - -H 'Authorization: ApiKey ${YOUR_API_KEY}' - /api/asset_criticality: - delete: - description: Delete the asset criticality record for a specific entity. - operationId: DeleteAssetCriticalityRecord + List all attachments for a conversation. Use the optional include_deleted query parameter to include soft-deleted attachments.

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-conversations-conversation-id-attachments parameters: - - description: The ID value of the asset. - example: my_host - in: query - name: id_value + - description: The unique identifier of the conversation. + in: path + name: conversation_id required: true schema: type: string - - description: The field representing the ID. - example: host.name - in: query - name: id_field - required: true - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_IdField' - - description: If 'wait_for' the request will wait for the index refresh. + - description: Whether to include deleted attachments in the list. in: query - name: refresh + name: include_deleted required: false schema: - enum: - - wait_for - type: string + type: boolean responses: '200': content: application/json: - schema: - type: object - properties: - deleted: - description: >- - True if the record was deleted or false if the record did - not exist. - type: boolean - record: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord - description: The deleted record if it existed. 
- required: - - deleted - description: Successful response - '400': - description: Invalid request - summary: Delete an asset criticality record + examples: + listAttachmentsResponseExample: + description: Example response containing active attachments for a conversation + value: + results: + - active: true + current_version: 2 + description: My text file + id: attachment-1 + type: text + versions: + - content_hash: abc123 + created_at: '2025-01-01T10:00:00.000Z' + data: Initial content + estimated_tokens: 3 + version: 1 + - content_hash: def456 + created_at: '2025-01-01T11:00:00.000Z' + data: Updated content + estimated_tokens: 3 + version: 2 + - active: true + current_version: 1 + description: Configuration data + id: attachment-2 + type: json + versions: + - content_hash: ghi789 + created_at: '2025-01-01T12:00:00.000Z' + data: + key: value + nested: + field: 123 + estimated_tokens: 15 + version: 1 + total_token_estimate: 21 + description: Indicates a successful response + summary: List conversation attachments tags: - - Security Entity Analytics API - get: - description: Get the asset criticality record for a specific entity. - operationId: GetAssetCriticalityRecord + - agent builder + x-state: Experimental; added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new attachment for a conversation with version tracking.

[Required authorization] Route required privileges: agentBuilder:read. + operationId: post-agent-builder-conversations-conversation-id-attachments parameters: - - description: The ID value of the asset. - example: my_host - in: query - name: id_value + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: + example: 'true' type: string - - description: The field representing the ID. - example: host.name - in: query - name: id_field + - description: The unique identifier of the conversation. + in: path + name: conversation_id required: true schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_IdField' - responses: - '200': - content: - application/json: - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord - description: Successful response - '400': - description: Invalid request - '404': - description: Criticality record not found - summary: Get an asset criticality record - tags: - - Security Entity Analytics API - post: - description: > - Create or update an asset criticality record for a specific entity. - - - If a record already exists for the specified entity, that record is - overwritten with the specified value. If a record doesn't exist for the - specified entity, a new record is created. - operationId: CreateAssetCriticalityRecord - requestBody: - content: - application/json: - schema: - allOf: - - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_CreateAssetCriticalityRecord - - type: object - properties: - refresh: - description: >- - If 'wait_for' the request will wait for the index - refresh. 
- enum: - - wait_for - type: string - example: - criticality_level: high_impact - id_field: host.name - id_value: my_host - required: true - responses: - '200': - content: - application/json: - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord - description: Successful response - '400': - description: Invalid request - summary: Upsert an asset criticality record - tags: - - Security Entity Analytics API - /api/asset_criticality/bulk: - post: - description: > - Bulk upsert up to 1000 asset criticality records. - - - If asset criticality records already exist for the specified entities, - those records are overwritten with the specified values. If asset - criticality records don't exist for the specified entities, new records - are created. - operationId: BulkUpsertAssetCriticalityRecords + type: string requestBody: content: application/json: + examples: + createHiddenAttachmentExample: + description: Example request for creating a hidden attachment + value: + data: Internal system data + description: System context + hidden: true + type: text + createJsonAttachmentExample: + description: Example request for creating a JSON attachment with custom ID + value: + data: + configuration: + enabled: true + threshold: 50 + metadata: + source: user_input + description: Application settings + id: custom-attachment-id + type: json + createTextAttachmentExample: + description: Example request for creating a text attachment + value: + data: This is the content of my text attachment + description: Meeting notes + type: text schema: - example: - records: - - criticality_level: low_impact - id_field: host.name - id_value: host-1 - - criticality_level: medium_impact - id_field: host.name - id_value: host-2 + additionalProperties: false type: object properties: - records: - items: - allOf: - - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordIdParts - - type: object - properties: - criticality_level: - 
$ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevelsForBulkUpload - required: - - criticality_level - maxItems: 1000 - minItems: 1 - type: array + data: + description: The attachment data/content. Required unless origin is provided. + nullable: true + description: + description: Human-readable description of the attachment. + type: string + hidden: + description: Whether the attachment should be hidden from the user. + type: boolean + id: + description: Optional custom ID for the attachment. + type: string + origin: + description: Origin string (for example, saved object ID) for by-reference attachments. When provided without data, the content is resolved once at creation time. + type: string + type: + description: The type of the attachment (e.g., text, esql, visualization). + type: string required: - - records + - type + - data responses: '200': content: application/json: - schema: - example: - errors: - - index: 0 - message: Invalid ID field - stats: - failed: 1 - successful: 1 - total: 2 - type: object - properties: - errors: - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityBulkUploadErrorItem - type: array - stats: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityBulkUploadStats - required: - - errors - - stats - description: Bulk upload successful - '413': - description: File too large - summary: Bulk upsert asset criticality records + examples: + createAttachmentResponseExample: + description: Example response returning the created attachment + value: + attachment: + active: true + current_version: 1 + description: Meeting notes + id: att-abc123 + type: text + versions: + - content_hash: sha256-xyz + created_at: '2025-01-06T10:00:00.000Z' + data: This is the content of my text attachment + estimated_tokens: 12 + version: 1 + description: Indicates a successful response + summary: Create conversation attachment tags: - - Security Entity Analytics API - 
/api/asset_criticality/list: - get: - description: List asset criticality records, paging, sorting and filtering as needed. - operationId: FindAssetCriticalityRecords + - agent builder + x-state: Experimental; added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + /api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete an attachment. By default performs a soft delete (can be restored). Use permanent=true to permanently remove unreferenced attachments.

[Required authorization] Route required privileges: agentBuilder:read. + operationId: delete-agent-builder-conversations-conversation-id-attachments-attachment-id parameters: - - description: The field to sort by. - in: query - name: sort_field - required: false + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - enum: - - id_value - - id_field - - criticality_level - - '@timestamp' + example: 'true' type: string - - description: The order to sort by. - in: query - name: sort_direction - required: false + - description: The unique identifier of the conversation. + in: path + name: conversation_id + required: true schema: - enum: - - asc - - desc type: string - - description: The page number to return. - in: query - name: page - required: false - schema: - minimum: 1 - type: integer - - description: The number of records to return per page. - in: query - name: per_page - required: false + - description: The unique identifier of the attachment to delete. + in: path + name: attachment_id + required: true schema: - maximum: 1000 - minimum: 1 - type: integer - - description: The kuery to filter by. + type: string + - description: If true, permanently removes the attachment (only for unreferenced attachments). 
in: query - name: kuery + name: permanent required: false schema: - type: string + type: boolean responses: '200': content: application/json: - schema: - example: - page: 1 - per_page: 10 - records: - - '@timestamp': '2024-08-02T14:40:35.705Z' - asset: - criticality: medium_impact - criticality_level: medium_impact - host: - asset: - criticality: medium_impact - name: my_other_host - id_field: host.name - id_value: my_other_host - - '@timestamp': '2024-08-02T11:15:34.290Z' - asset: - criticality: high_impact - criticality_level: high_impact - host: - asset: - criticality: high_impact - name: my_host - id_field: host.name - id_value: my_host - total: 2 - type: object - properties: - page: - minimum: 1 - type: integer - per_page: - maximum: 1000 - minimum: 1 - type: integer - records: - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord - type: array - total: - minimum: 0 - type: integer - required: - - records - - page - - per_page - - total - description: Successfully retrieved asset criticality records - summary: List asset criticality records + examples: + permanentDeleteAttachmentResponseExample: + description: Example response for permanent delete (cannot be restored) + value: + permanent: true + success: true + softDeleteAttachmentResponseExample: + description: Example response for soft delete (can be restored) + value: + permanent: false + success: true + description: Indicates a successful response + summary: Delete conversation attachment tags: - - Security Entity Analytics API - /api/attack_discovery/_bulk: - post: - description: >- - Performs bulk updates on multiple Attack discoveries, including workflow - status changes and visibility settings. This endpoint allows efficient - batch processing of alert modifications without requiring individual API - calls for each alert. 
- operationId: PostAttackDiscoveryBulk + - agent builder + x-state: Experimental; added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + patch: + description: |- + **Spaces method and path for this operation:** + +
patch /s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Rename an attachment without creating a new version.

[Required authorization] Route required privileges: agentBuilder:read. + operationId: patch-agent-builder-conversations-conversation-id-attachments-attachment-id + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The unique identifier of the conversation. + in: path + name: conversation_id + required: true + schema: + type: string + - description: The unique identifier of the attachment to rename. + in: path + name: attachment_id + required: true + schema: + type: string requestBody: content: application/json: examples: - PostAttackDiscoveryBulkRequestBodyExample: - summary: Acknowledge two Attack discoveries in bulk. + renameAttachmentExample: + description: Example request for renaming an attachment value: - update: - enable_field_rendering: false - ids: - - >- - c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f - - >- - 5aa8f2900c0b03854b3b1a52a19558c5ea9893865c78235d4ad3dcc46196f4c7 - kibana_alert_workflow_status: acknowledged - with_replacements: true + description: Updated attachment name schema: + additionalProperties: false type: object properties: - update: - description: >- - Configuration object containing all parameters for the bulk - update operation - type: object - properties: - enable_field_rendering: - default: false - description: >- - Enables a markdown syntax used to render pivot fields, - for example `{{ user.name james }}`. When disabled, the - same example would be rendered as `james`. This is - primarily used for Attack Discovery views within Kibana. - Defaults to `false`. 
- example: false - type: boolean - ids: - description: Array of Attack Discovery IDs to update - example: - - >- - c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f - - >- - 5aa8f2900c0b03854b3b1a52a19558c5ea9893865c78235d4ad3dcc46196f4c7 - items: - type: string - type: array - kibana_alert_workflow_status: - description: >- - When provided, update the kibana.alert.workflow_status - of the attack discovery alerts - enum: - - open - - acknowledged - - closed - example: acknowledged - type: string - visibility: - description: >- - When provided, update the visibility of the alert, as - determined by the kibana.alert.attack_discovery.users - field - enum: - - not_shared - - shared - example: shared - type: string - with_replacements: - default: true - description: >- - When true, returns the updated Attack discoveries with - text replacements applied to the detailsMarkdown, - entitySummaryMarkdown, summaryMarkdown, and title - fields. This substitutes anonymized values with - human-readable equivalents. Defaults to `true`. - example: true - type: boolean - required: - - ids + description: + description: The new description/name for the attachment. + type: string required: - - update - description: Bulk update parameters for Attack discoveries - required: true + - description responses: '200': content: application/json: examples: - PostAttackDiscoveryBulkResponse200Example: - summary: >- - A successful bulk update response containing the modified - Attack discoveries. + renameAttachmentResponseExample: + description: Example response returning the renamed attachment (version unchanged) value: - data: - - alert_ids: - - alert-abc-1 - alert_workflow_status: acknowledged - connector_id: gen-ai-connector - connector_name: OpenAI GPT-4 - details_markdown: >- - - **Host** `workstation-01` showed credential access - patterns consistent with mimikatz. 
- generation_uuid: 550e8400-e29b-41d4-a716-446655440000 - id: >- - c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f - summary_markdown: >- - A user account was compromised using mimikatz to dump - credentials. - timestamp: '2024-01-15T10:00:00.000Z' - title: Credential theft via mimikatz - schema: - type: object - properties: - data: - description: >- - Array of updated Attack Discovery alert objects. Each item - includes the applied modifications from the bulk update - request. - items: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiAlert - type: array - required: - - data - description: Indicates a successful call. - '400': + attachment: + active: true + current_version: 1 + description: Updated attachment name + id: att-abc123 + type: text + versions: + - content_hash: sha256-xyz + created_at: '2025-01-06T10:00:00.000Z' + data: Content remains the same + estimated_tokens: 10 + version: 1 + success: true + description: Indicates a successful response + summary: Rename attachment + tags: + - agent builder + x-state: Experimental; added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an attachment content. Creates a new version if content changed.

[Required authorization] Route required privileges: agentBuilder:read. + operationId: put-agent-builder-conversations-conversation-id-attachments-attachment-id + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The unique identifier of the conversation. + in: path + name: conversation_id + required: true + schema: + type: string + - description: The unique identifier of the attachment to update. + in: path + name: attachment_id + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + updateAttachmentContentExample: + description: Example request for updating attachment content + value: + data: This is the updated content + updateAttachmentWithDescriptionExample: + description: Example request for updating both content and description + value: + data: New content version + description: Updated meeting notes - v2 + schema: + additionalProperties: false + type: object + properties: + data: + description: The new attachment data/content. + nullable: true + description: + description: Optional new description for the attachment. + type: string + required: + - data + responses: + '200': content: application/json: examples: - PostAttackDiscoveryBulkResponse400Example: - summary: >- - Bad Request error returned when the bulk update payload is - invalid. + updateAttachmentResponseExample: + description: Example response returning the updated attachment with new version value: - error: Bad Request - message: Invalid request parameters. - status_code: 400 - schema: - type: object - properties: - error: - description: Error type - example: Bad Request - type: string - message: - description: >- - Human-readable error message describing what went wrong - with the bulk update request - example: Invalid request parameters. 
- type: string - status_code: - description: HTTP status code - example: 400 - type: number - required: - - status_code - - error - - message - description: Bad Request response. - summary: Bulk update Attack discoveries + attachment: + active: true + current_version: 2 + description: Meeting notes + id: att-abc123 + type: text + versions: + - content_hash: sha256-abc + created_at: '2025-01-06T10:00:00.000Z' + data: Original content + estimated_tokens: 10 + version: 1 + - content_hash: sha256-def + created_at: '2025-01-06T11:00:00.000Z' + data: This is the updated content + estimated_tokens: 12 + version: 2 + new_version: 2 + description: Indicates a successful response + summary: Update conversation attachment tags: - - Security Attack discovery API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request POST 'http://localhost:5601/api/attack_discovery/_bulk' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" \ - --data-raw '{ - "update": { - "ids": [ - "c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f", - "5aa8f2900c0b03854b3b1a52a19558c5ea9893865c78235d4ad3dcc46196f4c7" - ], - "kibana_alert_workflow_status": "acknowledged" - } - }' - /api/attack_discovery/_find: - get: - description: >- - Find Attack discoveries that match the search criteria. Supports free - text search, filtering, pagination, and sorting. - operationId: AttackDiscoveryFind + - agent builder + x-state: Experimental; added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + /api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}/_restore: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}/_restore
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Restore a soft-deleted attachment.

[Required authorization] Route required privileges: agentBuilder:read. + operationId: post-agent-builder-conversations-conversation-id-attachments-attachment-id-restore parameters: - - description: >- - Filter results to Attack discoveries that include any of the - provided alert IDs - in: query - name: alert_ids - required: false - schema: - items: - type: string - type: array - - description: >- - Filter results to Attack discoveries created by any of the provided - human readable connector names. Note that values must match the - human readable `connector_name` property of an Attack discovery, - e.g. "GPT-5 Chat", which are distinct from `connector_id` values - used to generate Attack discoveries. - in: query - name: connector_names - required: false - schema: - items: - type: string - type: array - - description: >- - Enables a markdown syntax used to render pivot fields, for example - `{{ user.name james }}`. When disabled, the same example would be - rendered as `james`. This is primarily used for Attack Discovery - views within Kibana. Defaults to `false`. - example: false - in: query - name: enable_field_rendering - required: false - schema: - default: false - type: boolean - - description: >- - End of the time range for the search. Accepts absolute timestamps - (ISO 8601) or relative date math (e.g. "now", "now-24h"). 
- example: now - in: query - name: end - required: false + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: + example: 'true' type: string - - description: Filter results to the Attack discoveries with the specified IDs - in: query - name: ids - required: false - schema: - items: - type: string - type: array - - description: >- - If `true`, the response will include `unique_alert_ids` and - `unique_alert_ids_count` aggregated across the matched Attack - discoveries - example: false - in: query - name: include_unique_alert_ids - required: false - schema: - type: boolean - - description: Page number to return (used for pagination). Defaults to 1. - example: 1 - in: query - name: page - required: false - schema: - default: 1 - minimum: 1 - type: integer - - description: >- - Number of Attack discoveries to return per page (used for - pagination). Defaults to 10. - example: 10 - in: query - name: per_page - required: false - schema: - default: 10 - minimum: 1 - type: integer - - description: >- - Free-text search query applied to relevant text fields of Attack - discoveries (title, description, tags, etc.) - example: '' - in: query - name: search - required: false + - description: The unique identifier of the conversation. + in: path + name: conversation_id + required: true schema: type: string - - description: >- - Whether to filter by shared visibility. If omitted, both shared and - privately visible Attack discoveries are returned. Use `true` to - return only shared discoveries, `false` to return only those visible - to the current user. - in: query - name: shared - required: false - schema: - type: boolean - - description: >- - Whether to filter by scheduled or ad-hoc attack discoveries. If - omitted, both types of attack discoveries are returned. Use `true` - to return only scheduled discoveries or `false` to return only - ad-hoc discoveries. 
- in: query - name: scheduled - required: false - schema: - type: boolean - - description: >- - Field used to sort results. See `AttackDiscoveryFindSortField` for - allowed values. - example: '@timestamp' - in: query - name: sort_field - required: false - schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryFindSortField - default: '@timestamp' - - description: >- - Sort order direction `asc` for ascending or `desc` for descending. - Defaults to `desc`. - example: desc - in: query - name: sort_order - required: false - schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_SortOrder' - default: desc - - description: >- - Start of the time range for the search. Accepts absolute timestamps - (ISO 8601) or relative date math (e.g. "now-7d"). - example: now-24h - in: query - name: start - required: false + - description: The unique identifier of the attachment to restore. + in: path + name: attachment_id + required: true schema: type: string - - description: >- - Filter by alert workflow status. Provide one or more of the allowed - workflow states. - example: - - open - - acknowledged - in: query - name: status - required: false - schema: - items: - enum: - - acknowledged - - closed - - open - type: string - type: array - - description: >- - When true, return the created Attack discoveries with text - replacements applied to the detailsMarkdown, entitySummaryMarkdown, - summaryMarkdown, and title fields. Defaults to `true`. - example: true - in: query - name: with_replacements - required: false - schema: - default: true - type: boolean responses: '200': content: application/json: examples: - AttackDiscoveryFindResponse200Example: - summary: >- - Paginated list of Attack discoveries matching the search - criteria. 
+ restoreAttachmentResponseExample: + description: Example response returning the restored attachment value: - connector_names: - - GPT-5 Chat - data: - - connector_name: GPT-5 Chat - id: >- - c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f - title: Suspicious process execution on host-01 - page: 1 - per_page: 10 - total: 1 - unique_alert_ids_count: 0 - schema: - type: object - properties: - connector_names: - description: >- - List of human readable connector names that are present in - the matched Attack discoveries. Useful for building client - filters or summaries. - items: - type: string - type: array - data: - description: >- - Array of matched Attack discovery objects. Each item - follows the `AttackDiscoveryApiAlert` schema. - items: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiAlert - type: array - page: - description: Current page number of the paginated result set. - type: integer - per_page: - description: Number of items requested per page. - type: integer - total: - description: >- - Total number of Attack discoveries matching the query - (across all pages). - type: integer - unique_alert_ids: - description: >- - List of unique alert IDs aggregated from the matched - Attack discoveries. Only present if - `include_unique_alert_ids=true` in the request. - items: + attachment: + active: true + current_version: 1 + description: Restored attachment + id: att-abc123 + type: text + versions: + - content_hash: sha256-xyz + created_at: '2025-01-06T10:00:00.000Z' + data: Restored content + estimated_tokens: 10 + version: 1 + success: true + description: Indicates a successful response + summary: Restore deleted attachment + tags: + - agent builder + x-state: Experimental; added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + /api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}/origin: + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}/origin
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update the origin reference for an attachment. Use this after saving a by-value attachment to link it to its persistent store.

[Required authorization] Route required privileges: agentBuilder:read. + operationId: put-agent-builder-conversations-conversation-id-attachments-attachment-id-origin + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The unique identifier of the conversation. + in: path + name: conversation_id + required: true + schema: + type: string + - description: The unique identifier of the attachment to update. + in: path + name: attachment_id + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + updateOriginExample: + description: Example request for linking an attachment to a saved visualization + value: + origin: abc123 + schema: + additionalProperties: false + type: object + properties: + origin: + description: The origin string (e.g., saved object ID for visualizations and dashboards). + type: string + required: + - origin + responses: + '200': + content: + application/json: + examples: + updateOriginResponseExample: + description: Example response returning the attachment with updated origin + value: + attachment: + active: true + current_version: 1 + description: Sales chart + id: att-123 + origin: abc123 + type: visualization + versions: + - content_hash: sha256-xyz + created_at: '2025-01-06T10:00:00.000Z' + data: + chart_type: bar + esql: FROM sales | STATS count=COUNT(*) BY month + query: Show monthly sales + visualization: {} + estimated_tokens: 50 + version: 1 + success: true + description: Indicates a successful response + summary: Update attachment origin + tags: + - agent builder + x-state: Experimental; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/agent_builder/conversations/{conversation_id}/attachments/stale: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments/stale
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Checks staleness for the latest version of all conversation attachments against their origin snapshot.

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-conversations-conversation-id-attachments-stale + parameters: + - description: The unique identifier of the conversation. + in: path + name: conversation_id + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + checkStaleAttachmentsResponseExample: + description: 'Mixed conversation: attachments without a stale source return only id and is_stale. When a staleness check fails for one attachment, is_stale is false and an error explains why. When an origin-backed attachment is out of date, the response includes type, origin, and resolved data (here a simple text body) for resync.' + value: + attachments: + - id: att-text-meeting-notes + is_stale: false + - id: att-lens-active-users + is_stale: false + - error: Origin could not be resolved + id: att-query-attachment + is_stale: false + - data: This is the content of my text attachment + hidden: false + id: att-text-runbook + is_stale: true + origin: document:hr-onboarding-v2 + type: text + description: Indicates a successful response + summary: Check attachment staleness + tags: + - agent builder + x-state: Experimental; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/agent_builder/converse: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/agent_builder/converse
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Send a message to an agent and receive a complete response. This synchronous endpoint waits for the agent to fully process your request before returning the final result. Use this for simple chat interactions where you need the complete response. To learn more about agent chat, refer to the [agent chat documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/chat).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: post-agent-builder-converse + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + converseRequestExample: + description: Example request to send a message to the agent as a part of the conversation + value: + agent_id: elastic-ai-agent + connector_id: my-connector-id + input: What is Elasticsearch? + converseRequestInferenceExample: + description: Example using inference_id (mutually exclusive with connector_id) + value: + agent_id: elastic-ai-agent + inference_id: my-inference-endpoint-id + input: What is Elasticsearch? + schema: + additionalProperties: false + type: object + properties: + _execution_mode: + description: '**Experimental; added in 9.4.0.** define how to execute the agent (local execution or via task_manager)' + enum: + - local + - task_manager + type: string + action: + description: The action to perform. "regenerate" re-executes the last round with the original input. Requires conversation_id. + enum: + - regenerate + type: string + agent_id: + default: elastic-ai-agent + description: The ID of the agent to chat with. Defaults to the default Elastic AI agent. + type: string + attachments: + description: '**Technical Preview; added in 9.3.0.** Optional attachments to send with the message.' + items: + additionalProperties: false + type: object + properties: + data: + additionalProperties: + nullable: true + description: Payload of the attachment. Required unless `origin` is provided (content is resolved once at send time). + type: object + hidden: + description: When true, the attachment will not be displayed in the UI. + type: boolean + id: + description: Optional id for the attachment. 
+ type: string + origin: + description: Origin string (for example, saved object ID) for by-reference attachments. When provided without `data`, the content is resolved once using the attachment type’s `resolve` hook. + type: string + type: + description: Type of the attachment. + type: string + required: + - type + type: array + browser_api_tools: + description: Optional browser API tools to be registered as LLM tools with browser.* namespace. These tools execute on the client side. + items: + additionalProperties: false + type: object + properties: + description: + description: Description of what the browser API tool does. + type: string + id: + description: Unique identifier for the browser API tool. + type: string + schema: + description: JSON Schema defining the tool parameters (JsonSchema7Type). + nullable: true + required: + - id + - description + - schema + type: array + capabilities: + additionalProperties: false + description: Controls agent capabilities during conversation. Currently supports visualization rendering for tabular tool results. + type: object + properties: + visualizations: + description: When true, allows the agent to render tabular data from tool results as interactive visualizations using custom XML elements in responses. + type: boolean + configuration_overrides: + additionalProperties: false + description: Runtime configuration overrides. These override the stored agent configuration for this execution only. + type: object + properties: + instructions: + description: Custom instructions for the agent. type: string - type: array - unique_alert_ids_count: - description: >- - Number of unique alert IDs across all matched Attack - discoveries. Only present if - `include_unique_alert_ids=true` in the request. - type: integer - required: - - connector_names - - data - - page - - per_page - - total - - unique_alert_ids_count - description: Indicates a successful call. 
- '400': + tools: + description: Tool selection to enable for this execution. + items: + additionalProperties: false + type: object + properties: + tool_ids: + items: + type: string + type: array + required: + - tool_ids + type: array + connector_id: + description: Optional connector ID for the agent to use for model routing. Mutually exclusive with `inference_id`; omit or use only one. + nullable: true + type: string + conversation_id: + description: Optional existing conversation ID to continue a previous conversation. + type: string + inference_id: + description: Optional inference endpoint ID for model routing (public alias for the same internal identifier as `connector_id`). Mutually exclusive with `connector_id`. + nullable: true + type: string + input: + description: The user input message to send to the agent. + type: string + prompts: + additionalProperties: + additionalProperties: false + type: object + properties: + allow: + type: boolean + required: + - allow + description: Can be used to respond to a confirmation prompt. + type: object + responses: + '200': content: application/json: examples: - AttackDiscoveryFindResponse400Example: - summary: >- - Bad Request error returned when find query parameters are - invalid. + converseResponseExample: + description: Example response containing the chain of events representing a conversation with the agent value: - error: Bad Request - message: Invalid request payload. - status_code: 400 - schema: - type: object - properties: - error: - description: Error type - example: Bad Request - type: string - message: - description: Human-readable error message - example: Invalid request payload. - type: string - status_code: - description: HTTP status code - example: 400 - type: number - description: Bad Request response. 
- summary: Find Attack discoveries that match the search criteria + conversation_id: 696ccd6d-4bff-4b26-a62e-522ccf2dcd16 + response: + message: Elasticsearch is a distributed, RESTful search and analytics engine capable of addressing a growing number of use cases. As the heart of the Elastic Stack, it centrally stores your data for lightning fast search, fine‑tuned relevancy, and powerful analytics that scale with ease. + steps: + - reasoning: Searching for official documentation or content that explains what Elasticsearch is + type: reasoning + - params: + query: what is elasticsearch definition overview introduction + progression: + - message: Selecting the best target for this query + results: + - data: + message: Could not figure out which index to use + type: error + tool_call_id: tooluse_shOdUwKIRwC9YhqGzeg0cQ + tool_id: platform.core.search + type: tool_call + description: Indicates a successful response + summary: Send chat message tags: - - Security Attack discovery API + - agent builder x-codeSamples: - - label: Example request - lang: curl + - lang: curl source: | curl \ - --request GET 'http://localhost:5601/api/attack_discovery/_find?end=now&include_unique_alert_ids=false&page=1&per_page=10&search=&sort_field=%40timestamp&sort_order=desc&start=now-24h&status=open&status=acknowledged' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" - /api/attack_discovery/_generate: + -X POST "${KIBANA_URL}/api/agent_builder/converse" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "input": "What is Elasticsearch?", + "agent_id": "elastic-ai-agent"}' + - lang: Console + source: | + POST kbn://api/agent_builder/converse + { + "input": "What is Elasticsearch?", + "agent_id": "elastic-ai-agent" + } + x-state: Added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + /api/agent_builder/converse/async: post: - description: >- - Initiates the generation of 
attack discoveries by analyzing security - alerts using AI. Returns an execution UUID that can be used to track the - generation progress and retrieve results. Results may also be retrieved - via the find endpoint. - operationId: PostAttackDiscoveryGenerate + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/agent_builder/converse/async
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Send a message to an agent and receive real-time streaming events. This asynchronous endpoint provides live updates as the agent processes your request, allowing you to see intermediate steps and progress. Use this for interactive experiences where you want to monitor the agent's thinking process. + + ## Event types + + The endpoint emits Server-Sent Events (SSE) with the following custom event types: + + `conversation_id_set` + + Sets the conversation ID. + + Schema: + ```json + { + "conversation_id": "uuid" + } + ``` + + --- + + `conversation_created` + + Fires when a new conversation is persisted and assigned an ID. + + Schema: + ```json + { + "conversation_id": "uuid", + "title": "conversation title" + } + ``` + + --- + + `conversation_updated` + + Fires when a conversation is updated. + + Schema: + ```json + { + "conversation_id": "uuid", + "title": "updated conversation title" + } + ``` + + --- + + `reasoning` + + Handles reasoning-related data. + + Schema: + ```json + { + "reasoning": "plain text reasoning content", + "transient": false + } + ``` + + --- + + `tool_call` + + Triggers when a tool is invoked. + + Schema: + ```json + { + "tool_call_id": "uuid", + "tool_id": "tool_name", + "params": {} + } + ``` + + --- + + `tool_progress` + + Reports progress of a running tool. + + Schema: + ```json + { + "tool_call_id": "uuid", + "message": "progress message" + } + ``` + + --- + + `tool_result` + + Returns results from a completed tool call. + + Schema: + ```json + { + "tool_call_id": "uuid", + "tool_id": "tool_name", + "results": [] + } + ``` + + **Note:** `results` is an array of `ToolResult` objects. + + --- + + `message_chunk` + + Streams partial text chunks. + + Schema: + ```json + { + "message_id": "uuid", + "text_chunk": "partial text" + } + ``` + + --- + + `message_complete` + + Indicates message stream is finished. 
+ + Schema: + ```json + { + "message_id": "uuid", + "message_content": "full text content of the message" + } + ``` + + --- + + `thinking_complete` + + Marks the end of the thinking/reasoning phase. + + Schema: + ```json + { + "time_to_first_token": 0 + } + ``` + + **Note:** `time_to_first_token` is in milliseconds. + + --- + + `round_complete` + + Marks end of one conversation round. + + Schema: + ```json + { + "round": {} + } + ``` + + **Note:** `round` contains the full round json object. + + --- + + ## Event flow + + A typical conversation round emits events in this sequence: + + 1. `reasoning` (potentially multiple, some transient) + 2. `tool_call` (if tools are used) + 3. `tool_progress` (zero or more progress updates) + 4. `tool_result` (when tool completes) + 5. `thinking_complete` + 6. `message_chunk` (multiple, as text streams) + 7. `message_complete` + 8. `round_complete` + +

[Required authorization] Route required privileges: agentBuilder:read. + operationId: post-agent-builder-converse-async + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: examples: - PostAttackDiscoveryGenerateRequestBodyExample: - summary: Generate Attack discoveries from alerts in the last 24 hours. + converseAsyncRequestExample: + description: Example request to send a message to the agent as a part of the conversation value: - alertsIndexPattern: .alerts-security.alerts-default - anonymizationFields: - - allowed: true - anonymized: true - field: host.name - - allowed: true - anonymized: true - field: user.name - - allowed: true - anonymized: false - field: process.name - apiConfig: - actionTypeId: .gen-ai - connectorId: 12345678-1234-1234-1234-123456789012 - connectorName: GPT-5 Chat - end: now - replacements: {} - size: 100 - start: now-24h - subAction: invokeAI + agent_id: elastic-ai-agent + conversation_id: c250305b-1929-4248-b568-b9e3f065fda5 + input: Hello + converseAsyncRequestInferenceExample: + description: Example using inference_id (mutually exclusive with connector_id) + value: + agent_id: elastic-ai-agent + inference_id: my-inference-endpoint-id + input: Hello schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenerationConfig - required: true + additionalProperties: false + type: object + properties: + _execution_mode: + description: '**Experimental; added in 9.4.0.** define how to execute the agent (local execution or via task_manager)' + enum: + - local + - task_manager + type: string + action: + description: The action to perform. "regenerate" re-executes the last round with the original input. Requires conversation_id. + enum: + - regenerate + type: string + agent_id: + default: elastic-ai-agent + description: The ID of the agent to chat with. 
Defaults to the default Elastic AI agent. + type: string + attachments: + description: '**Technical Preview; added in 9.3.0.** Optional attachments to send with the message.' + items: + additionalProperties: false + type: object + properties: + data: + additionalProperties: + nullable: true + description: Payload of the attachment. Required unless `origin` is provided (content is resolved once at send time). + type: object + hidden: + description: When true, the attachment will not be displayed in the UI. + type: boolean + id: + description: Optional id for the attachment. + type: string + origin: + description: Origin string (for example, saved object ID) for by-reference attachments. When provided without `data`, the content is resolved once using the attachment type’s `resolve` hook. + type: string + type: + description: Type of the attachment. + type: string + required: + - type + type: array + browser_api_tools: + description: Optional browser API tools to be registered as LLM tools with browser.* namespace. These tools execute on the client side. + items: + additionalProperties: false + type: object + properties: + description: + description: Description of what the browser API tool does. + type: string + id: + description: Unique identifier for the browser API tool. + type: string + schema: + description: JSON Schema defining the tool parameters (JsonSchema7Type). + nullable: true + required: + - id + - description + - schema + type: array + capabilities: + additionalProperties: false + description: Controls agent capabilities during conversation. Currently supports visualization rendering for tabular tool results. + type: object + properties: + visualizations: + description: When true, allows the agent to render tabular data from tool results as interactive visualizations using custom XML elements in responses. + type: boolean + configuration_overrides: + additionalProperties: false + description: Runtime configuration overrides. 
These override the stored agent configuration for this execution only. + type: object + properties: + instructions: + description: Custom instructions for the agent. + type: string + tools: + description: Tool selection to enable for this execution. + items: + additionalProperties: false + type: object + properties: + tool_ids: + items: + type: string + type: array + required: + - tool_ids + type: array + connector_id: + description: Optional connector ID for the agent to use for model routing. Mutually exclusive with `inference_id`; omit or use only one. + nullable: true + type: string + conversation_id: + description: Optional existing conversation ID to continue a previous conversation. + type: string + inference_id: + description: Optional inference endpoint ID for model routing (public alias for the same internal identifier as `connector_id`). Mutually exclusive with `connector_id`. + nullable: true + type: string + input: + description: The user input message to send to the agent. + type: string + prompts: + additionalProperties: + additionalProperties: false + type: object + properties: + allow: + type: boolean + required: + - allow + description: Can be used to respond to a confirmation prompt. + type: object responses: '200': content: - application/json: + text/event-stream: examples: - PostAttackDiscoveryGenerateResponse200Example: - summary: >- - Generation started; use the returned execution UUID to track - progress. + converseAsyncResponseExample: + description: Example stream containing the chain of events representing a conversation with the agent value: - execution_uuid: edd26039-0990-4d9f-9829-2a1fcacb77b5 - schema: - type: object - properties: - execution_uuid: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_NonEmptyString - description: >- - The unique identifier for the attack discovery generation - process. Use this UUID to track the generation progress - and retrieve results via the find endpoint. 
- example: edd26039-0990-4d9f-9829-2a1fcacb77b5 - required: - - execution_uuid - description: Indicates a successful call. - '400': + - data: + data: + conversation_id: c250305b-1929-4248-b568-b9e3f065fda5 + event: conversation_id_set + - data: + data: + reasoning: Starting with a general search to understand what content is available. + event: reasoning + - data: + data: + params: + query: latest documents + tool_call_id: tooluse__2aJELgyRYqD8SDOKSiwtg + tool_id: platform.core.search + event: tool_call + - data: + data: + results: + - data: + message: Could not figure out which index to use + type: error + tool_call_id: tooluse__2aJELgyRYqD8SDOKSiwtg + event: tool_result + - data: + data: + round: + id: a5692d54-bc06-4a6e-aea1-412779c73f66 + input: + message: Hello + response: + message: Hello! How can I help you today? + event: round_complete + description: Indicates a successful response + summary: Send chat message (streaming) + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/agent_builder/converse/async" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "input": "Hello again let us have an async chat", + "agent_id": "elastic-ai-agent", + "conversation_id": "" + }' + - lang: Console + source: | + POST kbn://api/agent_builder/converse/async + { + "input": "Hello again let's have an async chat", + "agent_id": "elastic-ai-agent", + "conversation_id": "" + } + x-state: Added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + /api/agent_builder/mcp: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/agent_builder/mcp
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + > warn + > This endpoint is designed for MCP clients (Claude Desktop, Cursor, VS Code, etc.) and should not be used directly via REST APIs. Use MCP Inspector or native MCP clients instead. + To learn more about the Agent Builder MCP server, refer to the [MCP documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/mcp-server).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: post-agent-builder-mcp + parameters: + - description: Comma-separated list of namespaces to filter tools. Only tools matching the specified namespaces will be returned. + in: query + name: namespace + required: false + schema: + type: string + requestBody: + content: + application/json: + examples: + mcpInitializeRequestExample: + description: 'WARNING: DO NOT USE THIS ENDPOINT VIA REST API. These examples are auto-generated and should not be run. Integrate with MCP using MCP Inspector or native MCP clients (Claude Desktop, Cursor, VS Code) instead.' + value: + id: 1 + jsonrpc: '2.0' + method: initialize + params: + capabilities: {} + clientInfo: + name: test-client + version: 1.0.0 + protocolVersion: '2024-11-05' + schema: {} + responses: + '200': content: application/json: examples: - PostAttackDiscoveryGenerateResponse400Example: - summary: >- - Bad Request error returned when the generate payload is - invalid. + mcpInitializeResponseExample: + description: Example response showing the successful result of communication initialisation over MCP protocol value: - error: Bad Request - message: Invalid request parameters. - status_code: 400 - schema: - type: object - properties: - error: - description: Error type - example: Bad Request - type: string - message: - description: Human-readable error message describing what went wrong - example: Invalid request parameters. - type: string - status_code: - description: HTTP status code - example: 400 - type: number - required: - - status_code - - error - - message - description: Bad Request response. 
- summary: Generate attack discoveries from alerts + id: 1 + jsonrpc: '2.0' + result: + capabilities: + tools: + listChanged: true + protocolVersion: '2024-11-05' + serverInfo: + name: elastic-mcp-server + version: 0.0.1 + description: Indicates a successful response + summary: MCP server tags: - - Security Attack discovery API - x-codeSamples: - - label: Example request - lang: curl + - agent builder + x-state: Added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + /api/agent_builder/plugins: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/agent_builder/plugins
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all installed plugins and their managed assets. Plugins are installable packages that bundle agent capabilities such as skills, following the [Claude agent plugin specification](https://code.claude.com/docs/en/plugins). To learn more about Agent Builder plugins, refer to the [plugins documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/plugins).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-plugins + parameters: [] + responses: + '200': + content: + application/json: + examples: + listPluginsResponseExample: + description: Example response that returns one installed plugin + value: + results: + - created_at: '2025-01-01T00:00:00.000Z' + description: Financial analysis tools and skills for Claude + id: financial-analysis + manifest: + author: + name: Anthropic + url: https://www.anthropic.com + keywords: + - finance + - analysis + repository: https://github.com/anthropics/financial-services-plugins + name: financial-analysis + skill_ids: + - financial-analysis-analyze-portfolio + source_url: https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis + unmanaged_assets: + agents: [] + hooks: [] + lsp_servers: [] + mcp_servers: [] + output_styles: [] + updated_at: '2025-01-01T00:00:00.000Z' + version: 1.0.0 + description: Indicates a successful response + summary: List plugins + tags: + - agent builder + x-codeSamples: + - lang: curl source: | curl \ - --request POST 'http://localhost:5601/api/attack_discovery/_generate' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" \ - --data '{ - "alertsIndexPattern": ".alerts-security.alerts-default", - "anonymizationFields": [ - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "@timestamp", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "aKiJW5gB4U27o8XO8oLf" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "Ransomware.feature", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "saiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "Ransomware.files.data", - "allowed": true, - "anonymized": false, - "namespace": 
"default", - "id": "sqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "Ransomware.files.entropy", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "s6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "Ransomware.files.extension", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "tKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "Ransomware.files.metrics", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "taiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "Ransomware.files.operation", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "tqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "Ransomware.files.path", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "t6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "Ransomware.files.score", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "uKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "Ransomware.version", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "uaiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "_id", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "Z6iJW5gB4U27o8XO8oLf" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "agent.id", - 
"allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "aaiJW5gB4U27o8XO8oLf"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "cloud.availability_zone",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "aqiJW5gB4U27o8XO8oLf"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "cloud.provider",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "a6iJW5gB4U27o8XO8oLf"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "cloud.region",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "bKiJW5gB4U27o8XO8oLf"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "destination.ip",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "baiJW5gB4U27o8XO8oLf"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "dns.question.name",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "bqiJW5gB4U27o8XO8oLf"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "dns.question.type",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "b6iJW5gB4U27o8XO8oLf"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "event.category",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "cKiJW5gB4U27o8XO8oLf"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "event.dataset",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "caiJW5gB4U27o8XO8oLf"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": 
"event.module",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "cqiJW5gB4U27o8XO8oLf"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "event.outcome",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "c6iJW5gB4U27o8XO8oLf"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "file.Ext.original.path",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "dKiJW5gB4U27o8XO8oLg"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "file.hash.sha256",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "daiJW5gB4U27o8XO8oLg"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "file.name",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "dqiJW5gB4U27o8XO8oLg"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "file.path",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "d6iJW5gB4U27o8XO8oLg"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "group.id",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "eKiJW5gB4U27o8XO8oLg"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "group.name",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "eaiJW5gB4U27o8XO8oLg"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "host.asset.criticality",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "eqiJW5gB4U27o8XO8oLg"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- 
"field": "host.name",
- "allowed": true,
- "anonymized": true,
- "namespace": "default",
- "id": "e6iJW5gB4U27o8XO8oLg"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "host.os.name",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "fKiJW5gB4U27o8XO8oLg"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "host.os.version",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "faiJW5gB4U27o8XO8oLg"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "host.risk.calculated_level",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "fqiJW5gB4U27o8XO8oLg"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "host.risk.calculated_score_norm",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "f6iJW5gB4U27o8XO8oLg"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "kibana.alert.original_time",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "gKiJW5gB4U27o8XO8oLg"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "kibana.alert.risk_score",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "gaiJW5gB4U27o8XO8oLg"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "kibana.alert.rule.description",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "gqiJW5gB4U27o8XO8oLg"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "kibana.alert.rule.name",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "g6iJW5gB4U27o8XO8oLg"
- },
- {
- "timestamp": 
"2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "kibana.alert.rule.references",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "hKiJW5gB4U27o8XO8oLg"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "kibana.alert.rule.threat.framework",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "haiJW5gB4U27o8XO8oLg"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "kibana.alert.rule.threat.tactic.id",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "hqiJW5gB4U27o8XO8oLg"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "kibana.alert.rule.threat.tactic.name",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "h6iJW5gB4U27o8XO8oLg"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "kibana.alert.rule.threat.tactic.reference",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "iKiJW5gB4U27o8XO8oLg"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "kibana.alert.rule.threat.technique.id",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "iaiJW5gB4U27o8XO8oLg"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "kibana.alert.rule.threat.technique.name",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "iqiJW5gB4U27o8XO8oLg"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "kibana.alert.rule.threat.technique.reference",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "i6iJW5gB4U27o8XO8oLg"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- 
"createdAt": "2025-07-30T13:33:44.029Z",
- "field": "kibana.alert.rule.threat.technique.subtechnique.id",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "jKiJW5gB4U27o8XO8oLg"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "kibana.alert.rule.threat.technique.subtechnique.name",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "jaiJW5gB4U27o8XO8oLg"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "kibana.alert.rule.threat.technique.subtechnique.reference",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "jqiJW5gB4U27o8XO8oLg"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "kibana.alert.severity",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "j6iJW5gB4U27o8XO8oLg"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "kibana.alert.workflow_status",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "kKiJW5gB4U27o8XO8oLg"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "message",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "kaiJW5gB4U27o8XO8oLg"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "network.protocol",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "kqiJW5gB4U27o8XO8oLg"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "process.Ext.memory_region.bytes_compressed_present",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "nKiJW5gB4U27o8XO8oLg"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- 
"field": "process.Ext.memory_region.malware_signature.all_names",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "naiJW5gB4U27o8XO8oLg"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "process.Ext.memory_region.malware_signature.primary.matches",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "nqiJW5gB4U27o8XO8oLg"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "process.Ext.memory_region.malware_signature.primary.signature.name",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "n6iJW5gB4U27o8XO8oLg"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "process.Ext.token.integrity_level_name",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "oKiJW5gB4U27o8XO8oLg"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "process.args",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "k6iJW5gB4U27o8XO8oLg"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "process.code_signature.exists",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "lKiJW5gB4U27o8XO8oLg"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "process.code_signature.signing_id",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "laiJW5gB4U27o8XO8oLg"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "process.code_signature.status",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "lqiJW5gB4U27o8XO8oLg"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": 
"process.code_signature.subject_name",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "l6iJW5gB4U27o8XO8oLg"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "process.code_signature.trusted",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "mKiJW5gB4U27o8XO8oLg"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "process.command_line",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "maiJW5gB4U27o8XO8oLg"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "process.executable",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "mqiJW5gB4U27o8XO8oLg"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "process.exit_code",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "m6iJW5gB4U27o8XO8oLg"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "process.hash.md5",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "oaiJW5gB4U27o8XO8oLg"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "process.hash.sha1",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "oqiJW5gB4U27o8XO8oLg"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "process.hash.sha256",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "o6iJW5gB4U27o8XO8oLg"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "process.name",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "pKiJW5gB4U27o8XO8oLg"
- },
- {
- "timestamp": 
"2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "process.parent.args",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "paiJW5gB4U27o8XO8oLg"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "process.parent.args_count",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "pqiJW5gB4U27o8XO8oLg"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "process.parent.code_signature.exists",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "p6iJW5gB4U27o8XO8oLg"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "process.parent.code_signature.status",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "qKiJW5gB4U27o8XO8oLg"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "process.parent.code_signature.subject_name",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "qaiJW5gB4U27o8XO8oLg"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "process.parent.code_signature.trusted",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "qqiJW5gB4U27o8XO8oLg"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "process.parent.command_line",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "q6iJW5gB4U27o8XO8oLg"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "process.parent.executable",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "rKiJW5gB4U27o8XO8oLg"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- 
"field": "process.parent.name",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "raiJW5gB4U27o8XO8oLg"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "process.pe.original_file_name",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "rqiJW5gB4U27o8XO8oLg"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "process.pid",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "r6iJW5gB4U27o8XO8oLg"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "process.working_directory",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "sKiJW5gB4U27o8XO8oLg"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "rule.name",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "uqiJW5gB4U27o8XO8oLg"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "rule.reference",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "u6iJW5gB4U27o8XO8oLg"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "source.ip",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "vKiJW5gB4U27o8XO8oLg"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "threat.framework",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "vaiJW5gB4U27o8XO8oLg"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "threat.tactic.id",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "vqiJW5gB4U27o8XO8oLg"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": 
"2025-07-30T13:33:44.029Z",
- "field": "threat.tactic.name",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "v6iJW5gB4U27o8XO8oLg"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "threat.tactic.reference",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "wKiJW5gB4U27o8XO8oLg"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "threat.technique.id",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "waiJW5gB4U27o8XO8oLg"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "threat.technique.name",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "wqiJW5gB4U27o8XO8oLg"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "threat.technique.reference",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "w6iJW5gB4U27o8XO8oLg"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "threat.technique.subtechnique.id",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "xKiJW5gB4U27o8XO8oLg"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "threat.technique.subtechnique.name",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "xaiJW5gB4U27o8XO8oLg"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "threat.technique.subtechnique.reference",
- "allowed": true,
- "anonymized": false,
- "namespace": "default",
- "id": "xqiJW5gB4U27o8XO8oLg"
- },
- {
- "timestamp": "2025-07-30T13:33:44.029Z",
- "createdAt": "2025-07-30T13:33:44.029Z",
- "field": "user.asset.criticality",
- "allowed": true,
- "anonymized": false,
- 
"namespace": "default", - "id": "x6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "user.domain", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "yKiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "user.name", - "allowed": true, - "anonymized": true, - "namespace": "default", - "id": "yaiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "user.risk.calculated_level", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "yqiJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "user.risk.calculated_score_norm", - "allowed": true, - "anonymized": false, - "namespace": "default", - "id": "y6iJW5gB4U27o8XO8oLg" - }, - { - "timestamp": "2025-07-30T13:33:44.029Z", - "createdAt": "2025-07-30T13:33:44.029Z", - "field": "user.target.name", - "allowed": true, - "anonymized": true, - "namespace": "default", - "id": "zKiJW5gB4U27o8XO8oLg" - } - ], - "replacements": {}, - "size": 100, - "subAction": "invokeAI", - "apiConfig": { - "connectorId": "12345678-1234-1234-1234-123456789012", - "actionTypeId": ".gen-ai" - }, - "connectorName": "GPT-5 Chat", - "end": "now", - "start": "now-24h" - }' - /api/attack_discovery/generations: - get: - description: >- - Get the latest Attack Discovery generations metadata (that are not - dismissed) for the current user. This endpoint retrieves generation - metadata including execution status and statistics for Attack Discovery - generations. 
- operationId: GetAttackDiscoveryGenerations + -X GET "${KIBANA_URL}/api/agent_builder/plugins" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/agent_builder/plugins + x-state: Experimental; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/agent_builder/plugins/{pluginId}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/agent_builder/plugins/{pluginId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete an installed plugin by ID. This action cannot be undone. To learn more about Agent Builder plugins, refer to the [plugins documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/plugins).

[Required authorization] Route required privileges: agentBuilder:write. + operationId: delete-agent-builder-plugins-pluginid parameters: - - description: >- - End of the time range for filtering generations. Accepts absolute - timestamps (ISO 8601) or relative date math (e.g. "now", "now-24h"). - example: now - in: query - name: end - required: false + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: + example: 'true' type: string - - description: The maximum number of generations to retrieve - example: 50 - in: query - name: size - required: false + - description: The unique identifier of the plugin. + in: path + name: pluginId + required: true schema: - default: 50 - minimum: 1 - type: number - - description: >- - Start of the time range for filtering generations. Accepts absolute - timestamps (ISO 8601) or relative date math (e.g. "now-7d"). - example: now-24h + type: string + - description: If true, removes the plugin skills from agents that use them and then deletes the plugin. If false and any agent uses the plugin skills, the request returns 409 Conflict with the list of agents. 
in: query - name: start + name: force required: false + schema: + default: false + type: boolean + responses: + '200': + content: + application/json: + examples: + deletePluginResponseExample: + description: Example response showing that deletion of the plugin has been successful + value: + success: true + description: Indicates a successful response + summary: Delete a plugin + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X DELETE "${KIBANA_URL}/api/agent_builder/plugins/{id}" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" + - lang: Console + source: | + DELETE kbn://api/agent_builder/plugins/{id} + x-state: Experimental; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/agent_builder/plugins/{pluginId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a specific plugin by ID. To learn more about Agent Builder plugins, refer to the [plugins documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/plugins).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-plugins-pluginid + parameters: + - description: The unique identifier of the plugin. + in: path + name: pluginId + required: true schema: type: string responses: 
@@ -3364,7496 +3945,20492 @@ paths: content: application/json: examples: - GetAttackDiscoveryGenerationsResponse200Example: - summary: >- - Latest Attack Discovery generation metadata for the current - user. + getPluginByIdResponseExample: + description: Example response returning a single installed plugin value: - generations: - - alerts_context_count: 75 - connector_id: chatGpt5_0ChatAzure - discoveries: 3 - end: '2025-09-29T06:42:44.810Z' - execution_uuid: 46b218d5-535d-4329-be56-d0f6af6986b7 - loading_message: >- - AI is analyzing up to 100 alerts in the last 24 hours - to generate discoveries. - start: '2025-09-29T06:42:08.962Z' - status: succeeded - schema: - type: object - properties: - generations: - description: List of Attack Discovery generations - items: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGeneration - type: array - required: - - generations - description: Indicates a successful call. - '400': + created_at: '2025-01-01T00:00:00.000Z' + description: Financial analysis tools and skills for Claude + id: financial-analysis + manifest: + author: + name: Anthropic + url: https://www.anthropic.com + keywords: + - finance + - analysis + repository: https://github.com/anthropics/financial-services-plugins + name: financial-analysis + skill_ids: + - financial-analysis-analyze-portfolio + source_url: https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis + unmanaged_assets: + agents: [] + hooks: [] + lsp_servers: [] + mcp_servers: [] + output_styles: [] + updated_at: '2025-01-01T00:00:00.000Z' + version: 1.0.0 + description: Indicates a successful response + summary: Get a plugin by id + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/agent_builder/plugins/{id}" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/agent_builder/plugins/{id} + x-state: Experimental; added in 9.4.0 + x-metaTags: + - 
content: Kibana + name: product_name + /api/agent_builder/plugins/install: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/agent_builder/plugins/install
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Install a plugin from a [GitHub Claude plugin URL](https://code.claude.com/docs/en/plugins) or a direct ZIP URL. Plugins bundle agent capabilities such as skills. To learn more about Agent Builder plugins, refer to the [plugins documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/plugins).

[Required authorization] Route required privileges: agentBuilder:write. + operationId: post-agent-builder-plugins-install + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + installPluginFromGithubExample: + description: Example request for installing a plugin from a GitHub URL + value: + url: https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis + installPluginFromZipExample: + description: Example request for installing a plugin from a direct zip URL + value: + url: https://my-server.example.com/my-plugin.zip + installPluginWithNameOverrideExample: + description: Example request for installing a plugin with a custom name + value: + plugin_name: my-custom-plugin-name + url: https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis + schema: + additionalProperties: false + type: object + properties: + plugin_name: + description: Optional name override for the plugin. Defaults to the manifest name. + type: string + url: + description: URL to install the plugin from (GitHub URL or direct zip URL). + type: string + required: + - url + responses: + '200': content: application/json: examples: - GetAttackDiscoveryGenerationsResponse400Example: - summary: >- - Bad Request error returned when the size parameter is - invalid. + installPluginResponseExample: + description: Example response returning the definition of the installed plugin value: - error: Bad Request - message: Invalid size parameter. Must be a positive number. - status_code: 400 - schema: - type: object - properties: - error: - description: Error type - example: Bad Request - type: string - message: - description: Human-readable error message - example: Invalid size parameter. Must be a positive number. 
- type: string - status_code: - description: HTTP status code - example: 400 - type: number - description: Bad Request response. - summary: >- - Get the latest Attack Discovery generations metadata for the current - user + created_at: '2025-01-01T00:00:00.000Z' + description: Financial analysis tools and skills for Claude + id: financial-analysis + manifest: + author: + name: Anthropic + url: https://www.anthropic.com + keywords: + - finance + - analysis + repository: https://github.com/anthropics/financial-services-plugins + name: financial-analysis + skill_ids: + - financial-analysis-analyze-portfolio + source_url: https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis + unmanaged_assets: + agents: [] + hooks: [] + lsp_servers: [] + mcp_servers: [] + output_styles: [] + updated_at: '2025-01-01T00:00:00.000Z' + version: 1.0.0 + description: Indicates a successful response + summary: Install a plugin tags: - - Security Attack discovery API + - agent builder x-codeSamples: - - label: Example request - lang: curl + - lang: curl source: | curl \ - --request GET 'http://localhost:5601/api/attack_discovery/generations?size=50&start=now-24h&end=now' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" - /api/attack_discovery/generations/{execution_uuid}: + -X POST "${KIBANA_URL}/api/agent_builder/plugins/install" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "url": "https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis" + }' + - lang: Console + source: | + POST kbn://api/agent_builder/plugins/install + { + "url": "https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis" + } + x-state: Experimental; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/agent_builder/skills: get: - description: >- - Returns a specific Attack Discovery generation, including 
all generated - Attack discoveries and associated metadata, including execution status - and statistics. - operationId: GetAttackDiscoveryGeneration + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/agent_builder/skills
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all available skills (built-in and user-created). To learn more about Agent Builder skills, refer to the [skills documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/skills).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-skills parameters: - - description: >- - The unique identifier for the Attack Discovery generation execution. - This UUID is returned at the start of an Attack Discovery - generation. - example: 2e13f386-46cf-4d65-9e2b-68609e132ba5 - in: path - name: execution_uuid - required: true - schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' - - description: >- - Enables a markdown syntax used to render pivot fields, for example - `{{ user.name james }}`. When disabled, the same example would be - rendered as `james`. This is primarily used for Attack Discovery - views within Kibana. Defaults to `false`. - example: false + - description: Set to true to include skills from plugins. in: query - name: enable_field_rendering + name: include_plugins required: false schema: default: false type: boolean - - description: >- - When true, return the created Attack discoveries with text - replacements applied to the detailsMarkdown, entitySummaryMarkdown, - summaryMarkdown, and title fields. Defaults to `true`. - example: true - in: query - name: with_replacements - required: false - schema: - default: true - type: boolean responses: '200': content: application/json: examples: - GetAttackDiscoveryGenerationResponse200Example: - summary: >- - Single Attack Discovery generation with its discoveries and - metadata. 
+ listSkillsResponseExample: + description: Example response returning a list of skills value: - data: - - id: >- - c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f - title: Suspicious process execution on host-01 - generation: - alerts_context_count: 50 - discoveries: 1 - end: '2025-09-29T06:42:44.810Z' - execution_uuid: 2e13f386-46cf-4d65-9e2b-68609e132ba5 - start: '2025-09-29T06:42:08.962Z' - status: succeeded - schema: - type: object - properties: - data: - description: >- - Array of Attack discoveries generated during this - execution. - items: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiAlert - type: array - generation: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGeneration - description: >- - Optional metadata about the attack discovery generation - process, metadata including execution status and - statistics. This metadata may not be available for all - generations. - required: - - data - description: Indicates a successful call. - '400': + results: + - description: A built-in skill provided by the platform. + experimental: false + id: built-in-skill-id + name: Built-in Skill + readonly: true + referenced_content_count: 0 + - description: A user-created skill for data analysis. + experimental: false + id: custom-skill-id + name: Custom Skill + readonly: false + referenced_content_count: 1 + tool_ids: + - platform.core.search + description: Indicates a successful response + summary: List skills + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "https://${KIBANA_URL}/api/agent_builder/skills" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn:/api/agent_builder/skills + x-state: Experimental; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/agent_builder/skills
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new user-defined skill. To learn more about Agent Builder skills, refer to the [skills documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/skills).

[Required authorization] Route required privileges: agentBuilder:manageSkills. + operationId: post-agent-builder-skills + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + createSkillRequestExample: + description: Example request to create a user-defined skill + value: + content: You are an expert data analyst. Use the available tools to query and analyze data. + description: A skill for performing custom data analysis. + id: my-custom-skill + name: Custom Analysis Skill + tool_ids: + - platform.core.search + schema: + additionalProperties: false + type: object + properties: + content: + description: Skill instructions content (markdown). + type: string + description: + description: Description of what the skill does. + type: string + id: + description: Unique identifier for the skill. + type: string + name: + description: Human-readable name for the skill. + type: string + referenced_content: + items: + additionalProperties: false + type: object + properties: + content: + description: Content of the reference. + type: string + name: + description: Name of the referenced content. + type: string + relativePath: + description: Relative path of the referenced content. + type: string + required: + - name + - relativePath + - content + maxItems: 100 + type: array + tool_ids: + default: [] + description: Tool IDs from the tool registry that this skill references. + items: + description: Tool ID from the tool registry. + type: string + maxItems: 100 + type: array + required: + - id + - name + - description + - content + responses: + '200': content: application/json: examples: - GetAttackDiscoveryGenerationResponse400Example: - summary: >- - Bad Request error returned when the get-generation request - is invalid. 
+ createSkillResponseExample: + description: Example response returning the created skill value: - error: Bad Request - message: Invalid request parameters. - status_code: 400 - schema: - type: object - properties: - error: - description: Error type - example: Bad Request - type: string - message: - description: >- - Human-readable error message describing what went wrong - with the request - example: Invalid request parameters. - type: string - status_code: - description: HTTP status code - example: 400 - type: number - required: - - status_code - - error - - message - description: Bad Request response. - summary: >- - Get a single Attack Discovery generation, including its discoveries and - (optional) generation metadata + content: You are an expert data analyst. Use the available tools to query and analyze data. + description: A skill for performing custom data analysis. + experimental: false + id: my-custom-skill + name: Custom Analysis Skill + readonly: false + tool_ids: + - platform.core.search + description: Indicates a successful response + summary: Create a skill tags: - - Security Attack discovery API + - agent builder x-codeSamples: - - label: Example request - lang: curl + - lang: curl source: | curl \ - --request GET 'http://localhost:5601/api/attack_discovery/generations/2e13f386-46cf-4d65-9e2b-68609e132ba5' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" - /api/attack_discovery/generations/{execution_uuid}/_dismiss: - post: - description: >- - Dismisses an Attack Discovery generation for the current user, - indicating that its status should not be reported in the UI. This sets - the generation's status to "dismissed" and affects how the generation - appears in subsequent queries. 
- operationId: PostAttackDiscoveryGenerationsDismiss + -X POST "https://${KIBANA_URL}/api/agent_builder/skills" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "id": "my-custom-skill", + "name": "Custom Analysis Skill", + "description": "A skill for performing custom data analysis.", + "content": "You are an expert data analyst.", + "tool_ids": ["platform.core.search"] + }' + - lang: Console + source: | + POST kbn:/api/agent_builder/skills + { + "id": "my-custom-skill", + "name": "Custom Analysis Skill", + "description": "A skill for performing custom data analysis.", + "content": "You are an expert data analyst.", + "tool_ids": ["platform.core.search"] + } + x-state: Experimental; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/agent_builder/skills/{skillId}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/agent_builder/skills/{skillId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a user-created skill by ID. If agents still reference the skill, the request returns 409 unless force=true, which removes the skill from agents first. Built-in skills cannot be deleted. To learn more about Agent Builder skills, refer to the [skills documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/skills).

[Required authorization] Route required privileges: agentBuilder:manageSkills. + operationId: delete-agent-builder-skills-skillid parameters: - - description: >- - The unique identifier for the Attack Discovery generation execution. - This UUID is returned when an Attack Discovery generation is created - and can be found in generation responses. - example: 46b218d5-535d-4329-be56-d0f6af6986b7 + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The unique identifier of the skill. in: path - name: execution_uuid + name: skillId required: true schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + maxLength: 512 + minLength: 1 + type: string + - description: If true, removes the skill from agents that use it and then deletes it. If false and any agent uses the skill, the request returns 409 Conflict with the list of agents. + in: query + name: force + required: false + schema: + default: false + type: boolean responses: '200': content: application/json: examples: - PostAttackDiscoveryGenerationsDismissResponse200Example: - summary: Successfully dismissed an Attack Discovery generation. + deleteSkillResponseExample: + description: Example response showing that the deletion operation was successful value: - alerts_context_count: 75 - connector_id: chatGpt5_0ChatAzure - discoveries: 3 - end: '2025-09-29T06:42:44.810Z' - execution_uuid: 46b218d5-535d-4329-be56-d0f6af6986b7 - loading_message: >- - AI is analyzing up to 100 alerts in the last 24 hours to - generate discoveries. - start: '2025-09-29T06:42:08.962Z' - status: dismissed - schema: - type: object - properties: - alerts_context_count: - description: >- - The number of alerts that were sent as context to the LLM - for this generation. 
- example: 75 - type: number - connector_id: - description: >- - The unique identifier of the connector used to generate - the attack discoveries. - example: chatGpt5_0ChatAzure - type: string - connector_stats: - description: >- - Statistical information about the connector's performance - for this user, providing insights into usage patterns and - success rates. - type: object - properties: - average_successful_duration_nanoseconds: - description: >- - The average duration in nanoseconds for successful - generations using this connector by the current user. - example: 47958500000 - type: number - successful_generations: - description: >- - The total number of Attack discoveries successfully - created for this generation - example: 2 - type: number - discoveries: - description: >- - The number of attack discoveries that were generated - during this execution. - example: 3 - type: number - end: - description: >- - The timestamp when the generation process completed, in - ISO 8601 format. This field may be absent for generations - that haven't finished. - example: '2025-09-29T06:42:44.810Z' - type: string - execution_uuid: - description: >- - The unique identifier for this attack discovery generation - execution. This UUID can be used to reference this - specific generation in other API calls. - example: 46b218d5-535d-4329-be56-d0f6af6986b7 - type: string - loading_message: - description: >- - A human-readable message describing the current state or - progress of the generation process. Provides context about - what the AI is analyzing. - example: >- - AI is analyzing up to 100 alerts in the last 24 hours to - generate discoveries. - type: string - reason: - description: >- - Additional context or reasoning provided when a generation - fails or encounters issues. This field helps diagnose - problems with the generation process. 
- example: Connection timeout to AI service - type: string - start: - description: >- - The timestamp when the generation process began, in ISO - 8601 format. This marks the beginning of the AI analysis. - example: '2025-09-29T06:42:08.962Z' - type: string - status: - description: >- - The current status of the attack discovery generation. - After dismissing, this will be set to "dismissed". - enum: - - canceled - - dismissed - - failed - - started - - succeeded - example: dismissed - type: string - required: - - connector_id - - discoveries - - execution_uuid - - loading_message - - start - - status - description: Indicates a successful call. - '400': + success: true + description: Indicates a successful response + summary: Delete a skill + tags: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X DELETE "https://${KIBANA_URL}/api/agent_builder/skills/{skillId}?force=false" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" + - lang: Console + source: | + DELETE kbn:/api/agent_builder/skills/{skillId} + x-state: Experimental; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/agent_builder/skills/{skillId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a specific skill by ID. To learn more about Agent Builder skills, refer to the [skills documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/skills).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-skills-skillid + parameters: + - description: The unique identifier of the skill. + in: path + name: skillId + required: true + schema: + maxLength: 512 + minLength: 1 + type: string + responses: + '200': content: application/json: examples: - PostAttackDiscoveryGenerationsDismissResponse400Example: - summary: >- - Bad Request error returned when the dismiss request is - invalid. + getSkillResponseExample: + description: Example response returning a skill by ID value: - error: Bad Request - message: Invalid request parameters. - status_code: 400 - schema: - type: object - properties: - error: - description: Error type or category - example: Bad Request - type: string - message: - description: >- - Human-readable error message describing what went wrong - with the request. - example: Invalid request parameters. - type: string - status_code: - description: HTTP status code indicating the type of client error - example: 400 - type: number - required: - - status_code - - error - - message - description: Bad Request response. - summary: Dismiss an Attack Discovery generation + content: You are an expert data analyst. Use the available tools to query and analyze data. + description: A skill for performing custom data analysis. 
+ experimental: false + id: my-custom-skill + name: Custom Analysis Skill + readonly: false + tool_ids: + - platform.core.search + description: Indicates a successful response + summary: Get a skill by id tags: - - Security Attack discovery API + - agent builder x-codeSamples: - - label: Example request - lang: curl + - lang: curl source: | curl \ - --request POST 'http://localhost:5601/api/attack_discovery/generations/46b218d5-535d-4329-be56-d0f6af6986b7/_dismiss' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" - /api/attack_discovery/schedules: - post: - description: >- - Creates a new Attack Discovery schedule that analyzes security alerts at - specified intervals. The schedule defines when and how Attack Discovery - analysis should run, including which alerts to analyze, which AI - connector to use, and what actions to take when discoveries are found. - operationId: CreateAttackDiscoverySchedules + -X GET "https://${KIBANA_URL}/api/agent_builder/skills/{skillId}" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn:/api/agent_builder/skills/{skillId} + x-state: Experimental; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/agent_builder/skills/{skillId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an existing user-created skill. To learn more about Agent Builder skills, refer to the [skills documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/skills).

[Required authorization] Route required privileges: agentBuilder:manageSkills. + operationId: put-agent-builder-skills-skillid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The unique identifier of the skill. + in: path + name: skillId + required: true + schema: + maxLength: 512 + minLength: 1 + type: string requestBody: content: application/json: examples: - CreateAttackDiscoverySchedulesRequestBodyExample: - summary: >- - Create a daily Attack Discovery schedule that runs every 24 - hours. + updateSkillRequestExample: + description: Example request to update a user-defined skill value: - actions: [] - enabled: true - name: Daily Security Analysis - params: - alerts_index_pattern: .alerts-security.alerts-default - api_config: - actionTypeId: bedrock - connectorId: my-bedrock-connector - name: Claude 3.5 Sonnet - end: now - size: 100 - start: now-24h - schedule: - interval: 24h + content: Updated skill instructions content. + description: Updated description for the skill. + name: Updated Skill Name + tool_ids: + - platform.core.search + - platform.core.execute_esql schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleCreateProps - description: >- - Attack Discovery schedule configuration including name, parameters, - schedule interval, and actions - required: true + additionalProperties: false + type: object + properties: + content: + description: Updated skill instructions content. + type: string + description: + description: Updated description. + type: string + name: + description: Updated name for the skill. + type: string + referenced_content: + items: + additionalProperties: false + type: object + properties: + content: + description: Content of the reference. + type: string + name: + description: Name of the referenced content. 
+ type: string + relativePath: + description: Relative path of the referenced content. + type: string + required: + - name + - relativePath + - content + maxItems: 100 + type: array + tool_ids: + description: Updated tool IDs from the tool registry. + items: + description: Updated tool ID. + type: string + maxItems: 100 + type: array responses: '200': content: application/json: examples: - CreateAttackDiscoverySchedulesResponse200Example: - summary: A newly created Attack Discovery schedule. - value: - actions: [] - created_at: '2023-10-31T10:00:00.000Z' - created_by: elastic - enabled: true - id: 12345678-1234-1234-1234-123456789012 - name: Daily Security Analysis - params: - alerts_index_pattern: .alerts-security.alerts-default - api_config: - actionTypeId: bedrock - connectorId: my-bedrock-connector - name: Claude 3.5 Sonnet - end: now - size: 100 - start: now-24h - schedule: - interval: 24h - updated_at: '2023-10-31T10:00:00.000Z' - updated_by: elastic - schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule - description: The Attack Discovery schedule was successfully created. - '400': - content: - application/json: - examples: - CreateAttackDiscoverySchedulesResponse400Example: - summary: >- - Bad Request error returned when the create schedule payload - is invalid. + updateSkillResponseExample: + description: Example response returning the updated skill value: - error: Bad Request - message: Invalid request parameters. - status_code: 400 - schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError - description: Bad Request response. - summary: Create Attack Discovery schedule + content: Updated skill instructions content. + description: Updated description for the skill. 
+ experimental: false + id: my-custom-skill + name: Updated Skill Name + readonly: false + tool_ids: + - platform.core.search + - platform.core.execute_esql + description: Indicates a successful response + summary: Update a skill tags: - - Security Attack discovery API + - agent builder x-codeSamples: - - label: Create an Attack Discovery schedule - lang: curl + - lang: curl source: | curl \ - --request POST 'http://localhost:5601/api/attack_discovery/schedules' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" \ - --data '{ - "name": "Daily Security Analysis", - "enabled": true, - "params": { - "alerts_index_pattern": ".alerts-security.alerts-default", - "api_config": { - "actionTypeId": "bedrock", - "connectorId": "my-bedrock-connector", - "name": "Claude 3.5 Sonnet" - }, - "size": 100, - "start": "now-24h", - "end": "now" - }, - "schedule": { - "interval": "24h" - }, - "actions": [ - { - "action_type_id": ".cases", - "id": "system-connector-.cases", - "params": { - "subAction": "run", - "subActionParams": { - "timeWindow": "7d", - "reopenClosedCases": false, - "groupingBy": [], - "templateId": null - } - }, - "uuid": "12345678-1234-1234-1234-123456789012" - } - ] - }' - /api/attack_discovery/schedules/_bulk_delete: - post: - description: Deletes multiple Attack Discovery schedules by ID. - operationId: BulkDeleteAttackDiscoverySchedules - requestBody: - content: - application/json: - examples: - BulkDeleteAttackDiscoverySchedulesRequestBodyExample: - summary: Delete two Attack Discovery schedules. 
- value: - ids: - - 12345678-1234-1234-1234-123456789012 - - 98765432-1234-1234-1234-123456789012 - schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_BulkActionAttackDiscoverySchedulesRequestBody - required: true + -X PUT "https://${KIBANA_URL}/api/agent_builder/skills/{skillId}" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "name": "Updated Skill Name", + "description": "Updated description for the skill." + }' + - lang: Console + source: | + PUT kbn:/api/agent_builder/skills/{skillId} + { + "name": "Updated Skill Name", + "description": "Updated description for the skill." + } + x-state: Experimental; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/agent_builder/tools: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/agent_builder/tools
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all available tools. Use this endpoint to retrieve complete tool definitions including their schemas and configuration requirements. To learn more about Agent Builder tools, refer to the [tools documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/tools).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-tools + parameters: [] responses: '200': content: application/json: examples: - BulkDeleteAttackDiscoverySchedulesResponse200Example: - summary: Bulk delete response for two successfully deleted schedules. - value: - errors: [] - ids: - - 12345678-1234-1234-1234-123456789012 - - 98765432-1234-1234-1234-123456789012 - total: 2 - schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_BulkActionAttackDiscoverySchedulesResponse - description: Successfully processed the bulk delete request. - '400': - content: - application/json: - examples: - BulkDeleteAttackDiscoverySchedulesResponse400Example: - summary: >- - Bad Request error returned when the bulk delete payload is - invalid. + listToolsResponseExample: + description: Example response returning a list of existing tools value: - error: Bad Request - message: Invalid request parameters. - status_code: 400 - schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError - description: Bad Request response. - summary: Bulk delete Attack Discovery schedules + results: + - configuration: {} + description: |- + A powerful tool for searching and analyzing data within your Elasticsearch cluster. + It supports both full-text relevance searches and structured analytical queries. + + Use this tool for any query that involves finding documents, counting, aggregating, or summarizing data from a known index. + + Examples of queries: + - "find articles about serverless architecture" + - "search for support tickets mentioning 'billing issue' or 'refund request'" + - "what is our policy on parental leave?" + - "list all products where the category is 'electronics'" + - "show me the last 5 documents from that index" + - "show me the sales over the last year break down by month" + + Note: + - The 'index' parameter can be used to specify which index to search against. 
+ If not provided, the tool will decide itself which is the best index to use. + - It is perfectly fine not to specify the 'index' parameter. It should only be specified when you already + know about the index and fields you want to search on, e.g. if the user explicitly specified it. + id: platform.core.search + readonly: true + schema: + $schema: http://json-schema.org/draft-07/schema# + additionalProperties: false + type: object + properties: + index: + description: (optional) Index to search against. If not provided, will automatically select the best index to use based on the query. + type: string + query: + description: A natural language query expressing the search request + type: string + required: + - query + tags: [] + type: builtin + - configuration: {} + description: Retrieve the full content (source) of an Elasticsearch document based on its ID and index name. + id: platform.core.get_document_by_id + readonly: true + schema: + $schema: http://json-schema.org/draft-07/schema# + additionalProperties: false + type: object + properties: + id: + description: ID of the document to retrieve + type: string + index: + description: Name of the index to retrieve the document from + type: string + required: + - id + - index + tags: [] + type: builtin + - configuration: {} + description: |- + Execute an ES|QL query and return the results in a tabular format. + + **IMPORTANT**: This tool only **runs** queries; it does not write them. + Think of this as the final step after a query has been prepared. + + You **must** get the query from one of two sources before calling this tool: + 1. The output of the `platform.core.generate_esql` tool (if the tool is available). + 2. A verbatim query provided directly by the user. + + Under no circumstances should you invent, guess, or modify a query yourself for this tool. + If you need a query, use the `platform.core.generate_esql` tool first. 
+ id: platform.core.execute_esql + readonly: true + schema: + $schema: http://json-schema.org/draft-07/schema# + additionalProperties: false + type: object + properties: + query: + description: The ES|QL query to execute + type: string + required: + - query + tags: [] + type: builtin + - configuration: + params: + limit: + description: Maximum number of results to return + type: integer + startTime: + description: Start time for the analysis in ISO format + type: date + query: FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit + description: Example ES|QL query tool for analyzing financial trades with time filtering + id: example-esql-tool + readonly: false + schema: + $schema: http://json-schema.org/draft-07/schema# + additionalProperties: false + description: Parameters needed to execute the query + type: object + properties: + limit: + description: Maximum number of results to return + type: integer + startTime: + description: Start time for the analysis in ISO format + format: date-time + type: string + required: + - startTime + - limit + tags: + - analytics + - finance + type: esql + - configuration: + pattern: financial_* + description: Search tool specifically for financial data analysis and reporting + id: example-index-search-tool + readonly: false + schema: + $schema: http://json-schema.org/draft-07/schema# + additionalProperties: false + type: object + properties: + nlQuery: + description: A natural language query expressing the search request + type: string + required: + - nlQuery + tags: + - search + - finance + type: index_search + description: Indicates a successful response + summary: List tools tags: - - Security Attack discovery API - /api/attack_discovery/schedules/_bulk_disable: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "https://${KIBANA_URL}/api/agent_builder/tools" \ + -H 
"Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn:/api/agent_builder/tools + x-state: Added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name post: - description: Disables multiple Attack Discovery schedules by ID. - operationId: BulkDisableAttackDiscoverySchedules + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/agent_builder/tools
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new tool. Use this endpoint to define a custom tool with specific functionality and configuration for use by agents. To learn more about Agent Builder tools, refer to the [tools documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/tools).

[Required authorization] Route required privileges: agentBuilder:manageTools. + operationId: post-agent-builder-tools + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: examples: - BulkDisableAttackDiscoverySchedulesRequestBodyExample: - summary: Disable two Attack Discovery schedules. + createEsqlToolRequest: + description: Example request to create an ESQL query tool with a pre-defined query value: - ids: - - 12345678-1234-1234-1234-123456789012 - - 98765432-1234-1234-1234-123456789012 + configuration: + params: + limit: + description: Maximum number of results to return + type: integer + startTime: + description: Start time for the analysis in ISO format + type: date + query: FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit + description: Example ES|QL query tool for analyzing financial trades with time filtering + id: example-esql-tool + tags: + - analytics + - finance + type: esql + createIndexSearchToolRequest: + description: Example request to create an index_search tool with a pre-defined index pattern + value: + configuration: + pattern: financial_* + description: Search tool specifically for financial data analysis and reporting + id: example-index-search-tool + tags: + - search + - finance + type: index_search schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_BulkActionAttackDiscoverySchedulesRequestBody - required: true + additionalProperties: false + type: object + properties: + configuration: + additionalProperties: + nullable: true + description: Tool-specific configuration parameters. See examples for details. + type: object + description: + default: '' + description: Description of what the tool does. 
+ type: string + id: + description: Unique identifier for the tool. + type: string + tags: + default: [] + description: Optional tags for categorizing and organizing tools. + items: + description: Tag for categorizing the tool. + type: string + type: array + type: + description: The type of tool to create (e.g., esql, index_search). + enum: + - esql + - index_search + - workflow + - mcp + type: string + required: + - id + - type + - configuration responses: '200': content: application/json: examples: - BulkDisableAttackDiscoverySchedulesResponse200Example: - summary: >- - Bulk disable response for two successfully disabled - schedules. - value: - errors: [] - ids: - - 12345678-1234-1234-1234-123456789012 - - 98765432-1234-1234-1234-123456789012 - total: 2 - schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_BulkActionAttackDiscoverySchedulesResponse - description: Successfully processed the bulk disable request. - '400': - content: - application/json: - examples: - BulkDisableAttackDiscoverySchedulesResponse400Example: - summary: >- - Bad Request error returned when the bulk disable payload is - invalid. + createEsqlToolExample: + description: Example response returning a definition of ESQL tool created value: - error: Bad Request - message: Invalid request parameters. - status_code: 400 - schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError - description: Bad Request response. 
- summary: Bulk disable Attack Discovery schedules + configuration: + params: + limit: + description: Maximum number of results to return + type: integer + startTime: + description: Start time for the analysis in ISO format + type: date + query: FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit + description: Example ES|QL query tool for analyzing financial trades with time filtering + id: example-esql-tool + readonly: false + schema: + $schema: http://json-schema.org/draft-07/schema# + additionalProperties: false + description: Parameters needed to execute the query + type: object + properties: + limit: + description: Maximum number of results to return + type: integer + startTime: + description: Start time for the analysis in ISO format + format: date-time + type: string + required: + - startTime + - limit + tags: + - analytics + - finance + type: esql + createIndexSearchToolExample: + description: Example response returning a definition of search tool tool created + value: + configuration: + pattern: financial_* + description: Search tool specifically for financial data analysis and reporting + id: example-index-search-tool + readonly: false + schema: + $schema: http://json-schema.org/draft-07/schema# + additionalProperties: false + type: object + properties: + nlQuery: + description: A natural language query expressing the search request + type: string + required: + - nlQuery + tags: + - search + - finance + type: index_search + description: Indicates a successful response + summary: Create a tool tags: - - Security Attack discovery API - /api/attack_discovery/schedules/_bulk_enable: + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "https://${KIBANA_URL}/api/agent_builder/tools" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "id": 
"example-esql-tool", + "type": "esql", + "description": "Example ES|QL query tool for analyzing financial trades with time filtering", + "tags": ["analytics", "finance"], + "configuration": { + "query": "FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit", + "params": { + "startTime": { + "type": "date", + "description": "Start time for the analysis in ISO format" + }, + "limit": { + "type": "integer", + "description": "Maximum number of results to return" + } + } + } + }' + - lang: Console + source: | + POST kbn:/api/agent_builder/tools + { + "id": "example-esql-tool", + "type": "esql", + "description": "An ES|QL query tool for analyzing financial trades with time filtering", + "tags": ["analytics", "finance", "updated"], + "configuration": { + "query": "FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit", + "params": { + "startTime": { + "type": "date", + "description": "Start time for the analysis in ISO format" + }, + "limit": { + "type": "integer", + "description": "Maximum number of results to return" + } + } + } + } + x-state: Added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + /api/agent_builder/tools/_execute: post: - description: Enables multiple Attack Discovery schedules by ID. - operationId: BulkEnableAttackDiscoverySchedules + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/agent_builder/tools/_execute
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Run a tool with parameters. Use this endpoint to run a tool directly with specified inputs and optional external connector integration. To learn more about Agent Builder tools, refer to the [tools documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/tools).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: post-agent-builder-tools-execute + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: examples: - BulkEnableAttackDiscoverySchedulesRequestBodyExample: - summary: Enable two Attack Discovery schedules. + executeBuiltinEsqlToolRequest: + description: Example request executing platform.core.execute_esql tool value: - ids: - - 12345678-1234-1234-1234-123456789012 - - 98765432-1234-1234-1234-123456789012 + tool_id: platform.core.execute_esql + tool_params: + query: FROM financial_trades | LIMIT 3 + executeBuiltinToolRequest: + description: Example request executing platform.core.get_document_by_id tool + value: + tool_id: platform.core.get_document_by_id + tool_params: + id: TRD-20250805-0820a89f + index: financial_trades + executeCustomEsqlToolRequest: + description: Example request executing custom example-esql-tool tool + value: + tool_id: example-esql-tool + tool_params: + limit: 3 + startTime: '2024-01-01T00:00:00Z' + executeIndexSearchToolRequest: + description: Example request executing custom example-index-search-tool tool + value: + tool_id: example-index-search-tool + tool_params: + nlQuery: find trades with high execution prices above 100 schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_BulkActionAttackDiscoverySchedulesRequestBody - required: true + additionalProperties: false + type: object + properties: + connector_id: + description: Optional connector ID for tools that require external integrations. + type: string + tool_id: + description: The ID of the tool to execute. + type: string + tool_params: + additionalProperties: + nullable: true + description: Parameters to pass to the tool execution. 
See examples for details + type: object + required: + - tool_id + - tool_params responses: '200': content: application/json: examples: - BulkEnableAttackDiscoverySchedulesResponse200Example: - summary: Bulk enable response for two successfully enabled schedules. + executeBuiltinEsqlToolExample: + description: Example response calling built-in platform.core.execute_esql tool value: - errors: [] - ids: - - 12345678-1234-1234-1234-123456789012 - - 98765432-1234-1234-1234-123456789012 - total: 2 - schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_BulkActionAttackDiscoverySchedulesResponse - description: Successfully processed the bulk enable request. - '400': - content: - application/json: - examples: - BulkEnableAttackDiscoverySchedulesResponse400Example: - summary: >- - Bad Request error returned when the bulk enable payload is - invalid. + results: + - data: + esql: FROM financial_trades | LIMIT 3 + type: query + - data: + columns: + - name: account_id + type: keyword + - name: execution_price + type: double + - name: symbol + type: keyword + - name: trade_type + type: keyword + query: FROM financial_trades | LIMIT 3 + source: esql + values: + - - ACC00179-1f91 + - 43.77000045776367 + - CVX + - sell + - - ACC00407-0bbb + - 660.4199829101562 + - V + - buy + - - ACC00179-1f91 + - 440.3599853515625 + - KO + - buy + tool_result_id: xTpT + type: esql_results + executeBuiltinToolExample: + description: Example response calling built-in platform.core.get_document_by_id tool value: - error: Bad Request - message: Invalid request parameters. - status_code: 400 - schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError - description: Bad Request response. 
- summary: Bulk enable Attack Discovery schedules + results: + - data: + content: + account_id: ACC00271-fb5c + execution_price: 488.54 + execution_timestamp: '2025-08-05T08:04:11.649855' + last_updated: '2025-09-15T13:23:36' + order_status: executed + order_type: market + quantity: 131 + status_reason: fully_filled + symbol: EWL + trade_cost: 63998.74 + trade_id: TRD-20250805-0820a89f + trade_type: sell + partial: false + reference: + id: TRD-20250805-0820a89f + index: financial_trades + type: resource + executeCustomEsqlToolExample: + description: Example response calling custom example-esql-tool tool + value: + results: + - data: + columns: + - name: trade_count + type: long + - name: avg_price + type: double + - name: symbol + type: keyword + query: FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit + source: esql + values: + - - 2115 + - 89.33911587329621 + - US_T_BOND_20YR + - - 2112 + - 104.20854155945055 + - INTL_CORP_ASIA_D + - - 2105 + - 89.93244177666526 + - INTL_CORP_EU_B + tool_result_id: Voy8 + type: esql_results + executeIndexSearchToolExample: + description: Example response calling custom example-index-search-tool tool + value: + results: + - data: + esql: |- + FROM financial_trades + | WHERE execution_price > 100 + | LIMIT 100 + type: query + - data: + columns: + - name: account_id + type: keyword + - name: execution_price + type: double + - name: execution_timestamp + type: date + - name: symbol + type: keyword + - name: trade_type + type: keyword + query: |- + FROM financial_trades + | WHERE execution_price > 100 + | LIMIT 100 + source: esql + values: + - - ACC00407-0bbb + - 660.4199829101562 + - '2020-09-25T11:06:08.687Z' + - V + - buy + - - ACC00179-1f91 + - 440.3599853515625 + - '2025-08-07T21:56:45.377Z' + - KO + - buy + - - ACC00407-0bbb + - 132.8800048828125 + - '2020-11-19T04:39:13.655Z' + - JAP_JGB_10YR + - sell + 
tool_result_id: uE8y + type: esql_results + description: Indicates a successful response + summary: Run a tool tags: - - Security Attack discovery API - /api/attack_discovery/schedules/_find: - get: - description: >- - Find Attack Discovery schedules that match the search criteria. Supports - pagination and sorting by various fields. - operationId: FindAttackDiscoverySchedules + - agent builder + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "https://${KIBANA_URL}/api/agent_builder/tools/_execute" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "tool_id": "platform.core.search", + "tool_params": { + "query": "can you find john doe's email from the employee index?"} + } + }' + - lang: Console + source: | + POST kbn:/api/agent_builder/tools/_execute + { + "tool_id": "platform.core.search", + "tool_params": { + "query": "can you find john doe's email from the employee index?" + } + } + x-state: Added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + /api/agent_builder/tools/{toolId}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/agent_builder/tools/{toolId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a tool by ID. This action cannot be undone. To learn more about Agent Builder tools, refer to the [tools documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/tools).

[Required authorization] Route required privileges: agentBuilder:manageTools. + operationId: delete-agent-builder-tools-toolid parameters: - - description: Page number to return (used for pagination). Defaults to 1. - example: 1 - in: query - name: page - required: false - schema: - type: number - - description: >- - Number of Attack Discovery schedules to return per page (used for - pagination). Defaults to 10. - example: 10 - in: query - name: per_page - required: false + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - type: number - - description: >- - Field used to sort results. Common fields include 'name', - 'created_at', 'updated_at', and 'enabled'. - example: name - in: query - name: sort_field - required: false + example: 'true' + type: string + - description: The unique identifier of the tool to delete. + in: path + name: toolId + required: true schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' - - description: >- - Sort order direction. Use 'asc' for ascending or 'desc' for - descending. Defaults to 'asc'. - example: asc + type: string + - description: If true, removes the tool from agents that use it and then deletes it. If false and any agent uses the tool, the request returns 409 Conflict with the list of agents. in: query - name: sort_direction + name: force required: false schema: - enum: - - asc - - desc - type: string + default: false + type: boolean responses: '200': content: application/json: examples: - FindAttackDiscoverySchedulesResponse200Example: - summary: >- - Paginated list of Attack Discovery schedules matching the - search criteria. 
- value: - data: - - actions: [] - created_at: '2023-10-31T10:00:00.000Z' - created_by: elastic - enabled: true - id: 12345678-1234-1234-1234-123456789012 - name: Daily Security Analysis - params: - alerts_index_pattern: .alerts-security.alerts-default - api_config: - actionTypeId: bedrock - connectorId: my-bedrock-connector - name: Claude 3.5 Sonnet - end: now - size: 100 - start: now-24h - schedule: - interval: 24h - updated_at: '2023-10-31T10:00:00.000Z' - updated_by: elastic - page: 1 - per_page: 10 - total: 1 - schema: - type: object - properties: - data: - description: Array of matched Attack Discovery schedule objects. - items: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule - type: array - page: - description: Current page number of the paginated result set. - type: number - per_page: - description: Number of items requested per page. - type: number - total: - description: >- - Total number of Attack Discovery schedules matching the - query (across all pages). - type: number - required: - - page - - per_page - - total - - data - description: Indicates a successful call. - '400': - content: - application/json: - examples: - FindAttackDiscoverySchedulesResponse400Example: - summary: >- - Bad Request error returned when find-schedules query - parameters are invalid. + deleteAgentResponseExample: + description: Example response showing that the deletion operation was successful value: - error: Bad Request - message: Invalid request payload. - status_code: 400 - schema: - type: object - properties: - error: - description: Error type - example: Bad Request - type: string - message: - description: Human-readable error message - example: Invalid request payload. - type: string - status_code: - description: HTTP status code - example: 400 - type: number - description: Bad Request response. 
- summary: Find Attack Discovery schedules that match the search criteria + success: true + description: Indicates a successful response + summary: Delete a tool tags: - - Security Attack discovery API + - agent builder x-codeSamples: - - label: Example request - lang: curl + - lang: curl source: | curl \ - --request GET 'http://localhost:5601/api/attack_discovery/schedules/_find' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" - /api/attack_discovery/schedules/{id}: - delete: - description: >- - Permanently deletes an Attack Discovery schedule and all associated - configuration. - operationId: DeleteAttackDiscoverySchedules + -X DELETE "https://${KIBANA_URL}/api/agent_builder/tools/{toolId}" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" + - lang: Console + source: | + DELETE kbn:/api/agent_builder/tools/{toolId} + x-state: Added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/agent_builder/tools/{toolId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a specific tool by ID. Use this endpoint to retrieve the complete tool definition including its schema and configuration requirements. To learn more about Agent Builder tools, refer to the [tools documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/tools).

[Required authorization] Route required privileges: agentBuilder:read. + operationId: get-agent-builder-tools-toolid parameters: - - description: >- - The unique identifier (UUID) of the Attack Discovery schedule to - delete. This ID is returned when creating a schedule and can be - found in schedule listings. - example: 12345678-1234-1234-1234-123456789012 + - description: The unique identifier of the tool to retrieve. in: path - name: id + name: toolId required: true schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + type: string responses: '200': content: application/json: examples: - DeleteAttackDiscoverySchedulesResponse200Example: - summary: >- - Confirmation returned after deleting an Attack Discovery - schedule. + getBuiltinToolExample: + description: Example response returning built-in platform.core.search tool value: - id: 12345678-1234-1234-1234-123456789012 - schema: - type: object - properties: - id: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_NonEmptyString - description: >- - The unique identifier of the deleted Attack Discovery - schedule - required: - - id - description: >- - Successfully deleted Attack Discovery schedule, returning the ID of - the deleted schedule for confirmation - '400': - content: - application/json: - examples: - DeleteAttackDiscoverySchedulesResponse400Example: - summary: >- - Bad Request error returned when the delete schedule request - is invalid. + configuration: {} + description: |- + A powerful tool for searching and analyzing data within your Elasticsearch cluster. + It supports both full-text relevance searches and structured analytical queries. + + Use this tool for any query that involves finding documents, counting, aggregating, or summarizing data from a known index. 
+ + Examples of queries: + - "find articles about serverless architecture" + - "search for support tickets mentioning 'billing issue' or 'refund request'" + - "what is our policy on parental leave?" + - "list all products where the category is 'electronics'" + - "show me the last 5 documents from that index" + - "show me the sales over the last year break down by month" + + Note: + - The 'index' parameter can be used to specify which index to search against. + If not provided, the tool will decide itself which is the best index to use. + - It is perfectly fine not to specify the 'index' parameter. It should only be specified when you already + know about the index and fields you want to search on, e.g. if the user explicitly specified it. + id: platform.core.search + readonly: true + schema: + $schema: http://json-schema.org/draft-07/schema# + additionalProperties: false + type: object + properties: + index: + description: (optional) Index to search against. If not provided, will automatically select the best index to use based on the query. + type: string + query: + description: A natural language query expressing the search request + type: string + required: + - query + tags: [] + type: builtin + getEsqlToolExample: + description: Example response returning custom example-esql-tool tool value: - error: Bad Request - message: Invalid request parameters. - status_code: 400 - schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError - description: Bad Request response. 
- summary: Delete Attack Discovery schedule + configuration: + params: + limit: + description: Maximum number of results to return + type: integer + startTime: + description: Start time for the analysis in ISO format + type: date + query: FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit + description: Example ES|QL query tool for analyzing financial trades with time filtering + id: example-esql-tool + readonly: false + schema: + $schema: http://json-schema.org/draft-07/schema# + additionalProperties: false + description: Parameters needed to execute the query + type: object + properties: + limit: + description: Maximum number of results to return + type: integer + startTime: + description: Start time for the analysis in ISO format + format: date-time + type: string + required: + - startTime + - limit + tags: + - analytics + - finance + type: esql + getIndexSearchToolExample: + description: Example response returning custom example-index-search-tool tool + value: + configuration: + pattern: financial_* + description: Search tool specifically for financial data analysis and reporting + id: example-index-search-tool + readonly: false + schema: + $schema: http://json-schema.org/draft-07/schema# + additionalProperties: false + type: object + properties: + nlQuery: + description: A natural language query expressing the search request + type: string + required: + - nlQuery + tags: + - search + - finance + type: index_search + description: Indicates a successful response + summary: Get a tool by id tags: - - Security Attack discovery API + - agent builder x-codeSamples: - - label: Delete an Attack Discovery schedule - lang: curl + - lang: curl source: | curl \ - --request DELETE 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: 
application/json" - get: - description: >- - Retrieves a specific Attack Discovery schedule by its unique identifier. - Returns complete schedule configuration including parameters, interval - settings, associated actions, and execution history. - operationId: GetAttackDiscoverySchedules + -X GET "https://${KIBANA_URL}/api/agent_builder/tools/{toolId}" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn:/api/agent_builder/tools/{toolId} + x-state: Added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/agent_builder/tools/{toolId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an existing tool. Use this endpoint to modify any aspect of the tool's configuration or metadata. To learn more about Agent Builder tools, refer to the [tools documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/tools).

[Required authorization] Route required privileges: agentBuilder:manageTools. + operationId: put-agent-builder-tools-toolid parameters: - - description: >- - The unique identifier (UUID) of the Attack Discovery schedule to - retrieve. This ID is returned when creating a schedule and can be - found in schedule listings. - example: 12345678-1234-1234-1234-123456789012 + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The unique identifier of the tool to update. in: path - name: id + name: toolId required: true schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + type: string + requestBody: + content: + application/json: + examples: + updateEsqlToolRequest: + description: Example request to update the custom ESQL tool + value: + configuration: + params: + limit: + description: Maximum number of results to return + type: integer + startTime: + description: Start time for the analysis in ISO format + type: date + symbolPattern: + description: Pattern to filter symbols (e.g., 'US_*' for US instruments) + type: keyword + query: FROM financial_trades | WHERE execution_timestamp >= ?startTime AND symbol LIKE ?symbolPattern | STATS trade_count=COUNT(*), avg_price=AVG(execution_price), total_volume=SUM(quantity) BY symbol | SORT trade_count DESC | LIMIT ?limit + description: Updated ES|QL query tool for comprehensive financial analysis with enhanced filtering + tags: + - analytics + - finance + - reporting + updateIndexSearchToolRequest: + description: Example request to update the custom Search tool + value: + description: Updated search tool for comprehensive financial data analysis, reporting, and compliance monitoring + tags: + - search + - finance + - compliance + - reporting + schema: + additionalProperties: false + type: object + properties: + configuration: + additionalProperties: + nullable: true + description: 
Updated tool-specific configuration parameters. See examples for details. + type: object + description: + description: Updated description of what the tool does. + type: string + tags: + description: Updated tags for categorizing and organizing tools. + items: + description: Updated tag for categorizing the tool. + type: string + type: array responses: '200': content: application/json: examples: - GetAttackDiscoverySchedulesResponse200Example: - summary: >- - An Attack Discovery schedule retrieved by ID, including last - execution metadata. + updateEsqlToolExample: + description: Example response showing the updated ESQL tool value: - actions: [] - created_at: '2023-10-31T10:00:00.000Z' - created_by: elastic - enabled: true - id: 12345678-1234-1234-1234-123456789012 - last_execution: - date: '2023-10-31T10:00:00.000Z' - last_duration: 45.2 - status: ok - name: Daily Security Analysis - params: - alerts_index_pattern: .alerts-security.alerts-default - api_config: - actionTypeId: bedrock - connectorId: my-bedrock-connector - name: Claude 3.5 Sonnet - end: now - size: 100 - start: now-24h - schedule: - interval: 24h - updated_at: '2023-10-31T10:00:00.000Z' - updated_by: elastic - schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule - description: >- - Successfully retrieved Attack Discovery schedule with complete - configuration and metadata - '400': - content: - application/json: - examples: - GetAttackDiscoverySchedulesResponse400Example: - summary: >- - Bad Request error returned when the get-schedule request is - invalid. - value: - error: Bad Request - message: Invalid request parameters. - status_code: 400 - schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError - description: Bad Request response. 
- summary: Get Attack Discovery schedule by ID + configuration: + params: + limit: + description: Maximum number of results to return + type: integer + startTime: + description: Start time for the analysis in ISO format + type: date + symbolPattern: + description: Pattern to filter symbols (e.g., 'US_*' for US instruments) + type: keyword + query: FROM financial_trades | WHERE execution_timestamp >= ?startTime AND symbol LIKE ?symbolPattern | STATS trade_count=COUNT(*), avg_price=AVG(execution_price), total_volume=SUM(quantity) BY symbol | SORT trade_count DESC | LIMIT ?limit + description: Updated ES|QL query tool for comprehensive financial analysis with enhanced filtering + id: example-esql-tool + readonly: false + schema: + $schema: http://json-schema.org/draft-07/schema# + additionalProperties: false + description: Parameters needed to execute the enhanced query + type: object + properties: + limit: + description: Maximum number of results to return + type: integer + startTime: + description: Start time for the analysis in ISO format + format: date-time + type: string + symbolPattern: + description: Pattern to filter symbols (e.g., 'US_*' for US instruments) + type: string + required: + - startTime + - symbolPattern + - limit + tags: + - analytics + - finance + - reporting + type: esql + updateIndexSearchToolExample: + description: Example response showing the updated Search tool + value: + configuration: + pattern: financial_* + description: Updated search tool for comprehensive financial data analysis, reporting, and compliance monitoring + id: example-index-search-tool + readonly: false + schema: + $schema: http://json-schema.org/draft-07/schema# + additionalProperties: false + type: object + properties: + nlQuery: + description: A natural language query expressing the search request + type: string + required: + - nlQuery + tags: + - search + - finance + - compliance + - reporting + type: index_search + description: Indicates a successful response + 
summary: Update a tool tags: - - Security Attack discovery API + - agent builder x-codeSamples: - - label: Get an Attack Discovery schedule by ID - lang: curl + - lang: curl source: | curl \ - --request GET 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" - put: - description: >- - Updates an existing Attack Discovery schedule with new configuration. - All schedule properties can be modified including name, parameters, - interval, and actions. The update operation replaces the entire schedule - configuration with the provided values. - operationId: UpdateAttackDiscoverySchedules - parameters: - - description: >- - The unique identifier (UUID) of the Attack Discovery schedule to - update. This ID is returned when creating a schedule and can be - found in schedule listings. - example: 12345678-1234-1234-1234-123456789012 - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' - requestBody: - content: - application/json: - examples: - UpdateAttackDiscoverySchedulesRequestBodyExample: - summary: >- - Update an Attack Discovery schedule to run every 12 hours over - a 48-hour window. - value: - actions: [] - name: Updated Daily Security Analysis - params: - alerts_index_pattern: .alerts-security.alerts-default - api_config: - actionTypeId: bedrock - connectorId: my-bedrock-connector - name: Claude 3.5 Sonnet - end: now - size: 200 - start: now-48h - schedule: - interval: 12h - schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleUpdateProps - description: >- - Updated Attack Discovery schedule configuration. All fields are - required as this replaces the entire schedule configuration. 
- required: true + -X PUT "https://${KIBANA_URL}/api/agent_builder/tools/{toolId}" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "description": "Updated ES|QL query tool for analyzing financial trades with time filtering", + "tags": ["analytics", "finance", "updated"], + "configuration": { + "query": "FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit", + "params": { + "startTime": { + "type": "date", + "description": "Start time for the analysis in ISO format" + }, + "limit": { + "type": "integer", + "description": "Maximum number of results to return" + } + } + } + }' + - lang: Console + source: | + PUT kbn:/api/agent_builder/tools/{toolId} + { + "description": "Updated ES|QL query tool for analyzing financial trades with time filtering", + "tags": ["analytics", "finance", "updated"], + "configuration": { + "query": "FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit", + "params": { + "startTime": { + "type": "date", + "description": "Start time for the analysis in ISO format" + }, + "limit": { + "type": "integer", + "description": "Maximum number of results to return" + } + } + } + } + x-state: Added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + /api/alerting/_health: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/alerting/_health
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + You must have `read` privileges for the **Management > Stack Rules** feature or for at least one of the **Analytics > Discover**, **Analytics > Machine Learning**, **Observability**, or **Security** features. + operationId: getAlertingHealth responses: '200': content: application/json: examples: - UpdateAttackDiscoverySchedulesResponse200Example: - summary: An Attack Discovery schedule after being updated. - value: - actions: [] - created_at: '2023-10-31T10:00:00.000Z' - created_by: elastic - enabled: true - id: 12345678-1234-1234-1234-123456789012 - name: Updated Daily Security Analysis - params: - alerts_index_pattern: .alerts-security.alerts-default - api_config: - actionTypeId: bedrock - connectorId: my-bedrock-connector - name: Claude 3.5 Sonnet - end: now - size: 200 - start: now-48h - schedule: - interval: 12h - updated_at: '2023-10-31T12:00:00.000Z' - updated_by: elastic + getAlertingHealthResponse: + $ref: '#/components/examples/Alerting_get_health_response' schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule - description: >- - Successfully updated Attack Discovery schedule with the new - configuration and metadata - '400': + type: object + properties: + alerting_framework_health: + description: | + Three substates identify the health of the alerting framework: `decryption_health`, `execution_health`, and `read_health`. + type: object + properties: + decryption_health: + description: The timestamp and status of the rule decryption. + type: object + properties: + status: + enum: + - error + - ok + - warn + example: ok + type: string + timestamp: + example: '2023-01-13T01:28:00.280Z' + format: date-time + type: string + execution_health: + description: The timestamp and status of the rule run. 
+ type: object + properties: + status: + enum: + - error + - ok + - warn + example: ok + type: string + timestamp: + example: '2023-01-13T01:28:00.280Z' + format: date-time + type: string + read_health: + description: The timestamp and status of the rule reading events. + type: object + properties: + status: + enum: + - error + - ok + - warn + example: ok + type: string + timestamp: + example: '2023-01-13T01:28:00.280Z' + format: date-time + type: string + has_permanent_encryption_key: + description: If `false`, the encrypted saved object plugin does not have a permanent encryption key. + example: true + type: boolean + is_sufficiently_secure: + description: If `false`, security is enabled but TLS is not. + example: true + type: boolean + description: Indicates a successful call. + '401': content: application/json: examples: - UpdateAttackDiscoverySchedulesResponse400Example: - summary: >- - Bad Request error returned when the update schedule payload - is invalid. - value: - error: Bad Request - message: Invalid request parameters. - status_code: 400 + healthUnauthorizedResponse: + $ref: '#/components/examples/Alerting_401_health_response' schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError - description: Bad Request response. - summary: Update Attack Discovery schedule + $ref: '#/components/schemas/Alerting_401_response' + description: Authorization information is missing or invalid. 
+ summary: Get the alerting framework health tags: - - Security Attack discovery API - x-codeSamples: - - label: Update an Attack Discovery schedule - lang: curl - source: | - curl \ - --request PUT 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" \ - --data '{ - "name": "Updated Daily Security Analysis", - "params": { - "alerts_index_pattern": ".alerts-security.alerts-default", - "api_config": { - "actionTypeId": "bedrock", - "connectorId": "my-bedrock-connector", - "name": "Claude 3.5 Sonnet" - }, - "size": 200, - "start": "now-48h", - "end": "now" - }, - "schedule": { - "interval": "12h" - }, - "actions": [] - }' - /api/attack_discovery/schedules/{id}/_disable: - post: - description: >- - Disables an Attack Discovery schedule, preventing it from running - according to its configured interval. The schedule configuration is - preserved and can be re-enabled later. Any currently running executions - will complete, but no new executions will be started. - operationId: DisableAttackDiscoverySchedules - parameters: - - description: >- - The unique identifier (UUID) of the Attack Discovery schedule to - disable. This ID is returned when creating a schedule and can be - found in schedule listings. - example: 12345678-1234-1234-1234-123456789012 - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + - alerting + x-metaTags: + - content: Kibana + name: product_name + /api/alerting/rule_types: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/alerting/rule_types
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + If you have `read` privileges for one or more Kibana features, the API response contains information about the appropriate rule types. For example, there are rule types associated with the **Management > Stack Rules** feature, **Analytics > Discover** and **Machine Learning** features, **Observability** features, and **Security** features. To get rule types associated with the **Stack Monitoring** feature, use the `monitoring_user` built-in role. + operationId: getRuleTypes responses: '200': content: application/json: examples: - DisableAttackDiscoverySchedulesResponse200Example: - summary: >- - Confirmation returned after disabling an Attack Discovery - schedule. - value: - id: 12345678-1234-1234-1234-123456789012 + getRuleTypesResponse: + $ref: '#/components/examples/Alerting_get_rule_types_response' schema: - type: object - properties: - id: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_NonEmptyString - description: >- - The unique identifier of the disabled Attack Discovery - schedule - required: - - id - description: >- - Successfully disabled Attack Discovery schedule, returning the - schedule ID for confirmation - '400': + items: + type: object + properties: + action_groups: + description: | + An explicit list of groups for which the rule type can schedule actions, each with the action group's unique ID and human readable name. Rule actions validation uses this configuration to ensure that groups are valid. + items: + type: object + properties: + id: + type: string + name: + type: string + type: array + action_variables: + description: | + A list of action variables that the rule type makes available via context and state in action parameter templates, and a short human readable description. When you create a rule in Kibana, it uses this information to prompt you for these variables in action parameter editors. 
+ type: object + properties: + context: + items: + type: object + properties: + description: + type: string + name: + type: string + useWithTripleBracesInTemplates: + type: boolean + type: array + params: + items: + type: object + properties: + description: + type: string + name: + type: string + type: array + state: + items: + type: object + properties: + description: + type: string + name: + type: string + type: array + alerts: + description: | + Details for writing alerts as data documents for this rule type. + type: object + properties: + context: + description: | + The namespace for this rule type. + enum: + - ml.anomaly-detection + - observability.apm + - observability.logs + - observability.metrics + - observability.slo + - observability.threshold + - observability.uptime + - security + - stack + type: string + dynamic: + description: Indicates whether new fields are added dynamically. + enum: + - 'false' + - runtime + - strict + - 'true' + type: string + isSpaceAware: + description: | + Indicates whether the alerts are space-aware. If true, space-specific alert indices are used. + type: boolean + mappings: + type: object + properties: + fieldMap: + additionalProperties: + $ref: '#/components/schemas/Alerting_fieldmap_properties' + description: | + Mapping information for each field supported in alerts as data documents for this rule type. For more information about mapping parameters, refer to the Elasticsearch documentation. + type: object + secondaryAlias: + description: | + A secondary alias. It is typically used to support the signals alias for detection rules. + type: string + shouldWrite: + description: | + Indicates whether the rule should write out alerts as data. + type: boolean + useEcs: + description: | + Indicates whether to include the ECS component template for the alerts. + type: boolean + useLegacyAlerts: + default: false + description: | + Indicates whether to include the legacy component template for the alerts. 
+ type: boolean + authorized_consumers: + description: The list of the plugins IDs that have access to the rule type. + type: object + properties: + alerts: + type: object + properties: + all: + type: boolean + read: + type: boolean + apm: + type: object + properties: + all: + type: boolean + read: + type: boolean + discover: + type: object + properties: + all: + type: boolean + read: + type: boolean + infrastructure: + type: object + properties: + all: + type: boolean + read: + type: boolean + logs: + type: object + properties: + all: + type: boolean + read: + type: boolean + ml: + type: object + properties: + all: + type: boolean + read: + type: boolean + monitoring: + type: object + properties: + all: + type: boolean + read: + type: boolean + siem: + type: object + properties: + all: + type: boolean + read: + type: boolean + slo: + type: object + properties: + all: + type: boolean + read: + type: boolean + stackAlerts: + type: object + properties: + all: + type: boolean + read: + type: boolean + uptime: + type: object + properties: + all: + type: boolean + read: + type: boolean + category: + description: The rule category, which is used by features such as category-specific maintenance windows. + enum: + - management + - observability + - securitySolution + type: string + default_action_group_id: + description: The default identifier for the rule type group. + type: string + does_set_recovery_context: + description: Indicates whether the rule passes context variables to its recovery action. + type: boolean + enabled_in_license: + description: Indicates whether the rule type is enabled or disabled based on the subscription. + type: boolean + has_alerts_mappings: + description: Indicates whether the rule type has custom mappings for the alert data. + type: boolean + has_fields_for_a_a_d: + type: boolean + id: + description: The unique identifier for the rule type. 
+ type: string + is_exportable: + description: Indicates whether the rule type is exportable in **Stack Management > Saved Objects**. + type: boolean + minimum_license_required: + description: The subscriptions required to use the rule type. + example: basic + type: string + name: + description: The descriptive name of the rule type. + type: string + producer: + description: An identifier for the application that produces this rule type. + example: stackAlerts + type: string + recovery_action_group: + description: An action group to use when an alert goes from an active state to an inactive one. + type: object + properties: + id: + type: string + name: + type: string + rule_task_timeout: + example: 5m + type: string + type: array + description: Indicates a successful call. + '401': content: application/json: examples: - DisableAttackDiscoverySchedulesResponse400Example: - summary: >- - Bad Request error returned when the disable schedule request - is invalid. - value: - error: Bad Request - message: Invalid request parameters. - status_code: 400 + ruleTypesUnauthorizedResponse: + $ref: '#/components/examples/Alerting_401_rule_types_response' schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError - description: Bad Request response. - summary: Disable Attack Discovery schedule + $ref: '#/components/schemas/Alerting_401_response' + description: Authorization information is missing or invalid. 
+ summary: Get the rule types tags: - - Security Attack discovery API - x-codeSamples: - - label: Disable an Attack Discovery schedule - lang: curl - source: | - curl \ - --request POST 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012/_disable' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" - /api/attack_discovery/schedules/{id}/_enable: - post: - description: >- - Enables a previously disabled Attack Discovery schedule, allowing it to - run according to its configured interval. Once enabled, the schedule - will begin executing at the next scheduled time based on its interval - configuration. - operationId: EnableAttackDiscoverySchedules + - alerting + x-metaTags: + - content: Kibana + name: product_name + /api/alerting/rule/{id}: + delete: + operationId: delete-alerting-rule-id parameters: - - description: >- - The unique identifier (UUID) of the Attack Discovery schedule to - enable. This ID is returned when creating a schedule and can be - found in schedule listings. - example: 12345678-1234-1234-1234-123456789012 + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. in: path name: id required: true schema: - $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + type: string responses: - '200': - content: - application/json: - examples: - EnableAttackDiscoverySchedulesResponse200Example: - summary: >- - Confirmation returned after enabling an Attack Discovery - schedule. 
- value: - id: 12345678-1234-1234-1234-123456789012 - schema: - type: object - properties: - id: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_NonEmptyString - description: >- - The unique identifier of the enabled Attack Discovery - schedule - required: - - id - description: >- - Successfully enabled Attack Discovery schedule, returning the - schedule ID for confirmation + '204': + description: Indicates a successful call. '400': - content: - application/json: - examples: - EnableAttackDiscoverySchedulesResponse400Example: - summary: >- - Bad Request error returned when the enable schedule request - is invalid. - value: - error: Bad Request - message: Invalid request parameters. - status_code: 400 - schema: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError - description: Bad Request response. - summary: Enable Attack Discovery schedule + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. + summary: Delete a rule tags: - - Security Attack discovery API - x-codeSamples: - - label: Enable an Attack Discovery schedule - lang: curl - source: | - curl \ - --request POST 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012/_enable' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" - /api/cases: - delete: - description: > - You must have `read` or `all` privileges and the `delete` sub-feature - privilege for the **Cases** feature in the **Management**, - **Observability**, or **Security** section of the Kibana feature - privileges, depending on the owner of the cases you're deleting. - operationId: deleteCaseDefaultSpace + - alerting + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/alerting/rule/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + get: + operationId: get-alerting-rule-id parameters: - - $ref: '#/components/parameters/Cases_kbn_xsrf' - - $ref: '#/components/parameters/Cases_ids' + - description: The identifier for the rule. + in: path + name: id + required: true + schema: + type: string responses: - '204': - description: Indicates a successful call. - '401': + '200': content: application/json: examples: - response401: - $ref: '#/components/examples/Cases_response_401' + getRuleResponse: + description: A response that contains information about an index threshold rule. + summary: Get an index threshold rule + value: + actions: [] + api_key_owner: elastic + consumer: alerts + created_at: '2022-12-05T23:40:33.132Z' + created_by: elastic + enabled: true + id: 3583a470-74f6-11ed-9801-35303b735aef + mute_all: false + muted_alert_ids: [] + name: my alert + notify_when: onActionGroupChange + params: + aggField: sheet.version + aggType: avg + groupBy: top + index: + - test-index + termField: name.keyword + termSize: 6 + threshold: + - 1000 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 5 + timeWindowUnit: m + revision: 0 + rule_type_id: .index-threshold + schedule: + interval: 1m + tags: + - cpu + throttle: null + updated_at: '2022-12-05T23:40:33.132Z' + updated_by: elastic schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. - summary: Delete cases + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_response' + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. 
+ summary: Get rule details tags: - - cases - x-codeSamples: - - label: curl - lang: curl - source: | - curl \ - --request DELETE 'https://localhost:5601/api/cases?ids=%5B%22030e6e34-6470-4001-864f-b229511ad188%22%2C%22e662ff34-0493-4538-b9d1-6706ced02ff2%22%5D' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" \ - --header "kbn-xsrf: true" - - label: Console - lang: console - source: > - DELETE - kbn:/api/cases?ids=["030e6e34-6470-4001-864f-b229511ad188","e662ff34-0493-4538-b9d1-6706ced02ff2"] - patch: - description: > - You must have `all` privileges for the **Cases** feature in the - **Management**, **Observability**, or **Security** section of the - Kibana feature privileges, depending on the owner of the case you're - updating. - operationId: updateCaseDefaultSpace + - alerting + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/alerting/rule/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + post: + operationId: post-alerting-rule-id parameters: - - $ref: '#/components/parameters/Cases_kbn_xsrf' + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. If it is omitted, an ID is randomly generated. + in: path + name: id + required: true + schema: + type: string requestBody: content: application/json: examples: - updateCaseRequest: - $ref: '#/components/examples/Cases_update_case_request' + createEsQueryEsqlRuleRequest: + description: | + Create an Elasticsearch query rule that uses Elasticsearch Query Language (ES|QL) to define its query and a server log connector to send notifications. + summary: Elasticsearch query rule (ES|QL) + value: + actions: + - frequency: + notify_when: onActiveAlert + summary: false + group: query matched + id: d0db1fe0-78d6-11ee-9177-f7d404c8c945 + params: + level: info + message: |- + Elasticsearch query rule '{{rule.name}}' is active: + - Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}} + consumer: stackAlerts + name: my Elasticsearch query ESQL rule + params: + esqlQuery: + esql: FROM kibana_sample_data_logs | KEEP bytes, clientip, host, geo.dest | where geo.dest != "GB" | STATS sumbytes = sum(bytes) by clientip, host | WHERE sumbytes > 5000 | SORT sumbytes desc | LIMIT 10 + searchType: esqlQuery + size: 0 + threshold: + - 0 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 1 + timeWindowUnit: d + rule_type_id: .es-query + schedule: + interval: 1d + createEsQueryKqlRuleRequest: + description: Create an Elasticsearch query rule that uses Kibana query language (KQL). 
+ summary: Elasticsearch query rule (KQL) + value: + consumer: alerts + name: my Elasticsearch query KQL rule + params: + aggType: count + excludeHitsFromPreviousRun: true + groupBy: all + searchConfiguration: + index: 90943e30-9a47-11e8-b64d-95841ca0b247 + query: + language: kuery + query: '""geo.src : "US" ""' + searchType: searchSource + size: 100 + threshold: + - 1000 + thresholdComparator: '>' + timeWindowSize: 5 + timeWindowUnit: m + rule_type_id: .es-query + schedule: + interval: 1m + createEsQueryRuleRequest: + description: | + Create an Elasticsearch query rule that uses Elasticsearch query domain specific language (DSL) to define its query and a server log connector to send notifications. + summary: Elasticsearch query rule (DSL) + value: + actions: + - frequency: + notify_when: onThrottleInterval + summary: true + throttle: 1d + group: query matched + id: fdbece50-406c-11ee-850e-c71febc4ca7f + params: + level: info + message: The system has detected {{alerts.new.count}} new, {{alerts.ongoing.count}} ongoing, and {{alerts.recovered.count}} recovered alerts. + - frequency: + notify_when: onActionGroupChange + summary: false + group: recovered + id: fdbece50-406c-11ee-850e-c71febc4ca7f + params: + level: info + message: Recovered + consumer: alerts + name: my Elasticsearch query rule + params: + esQuery: '"""{"query":{"match_all" : {}}}"""' + index: + - kibana_sample_data_logs + size: 100 + threshold: + - 100 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 1 + timeWindowUnit: d + rule_type_id: .es-query + schedule: + interval: 1d + createIndexThresholdRuleRequest: + description: | + Create an index threshold rule that uses a server log connector to send notifications when the threshold is met. 
+ summary: Index threshold rule + value: + actions: + - frequency: + notify_when: onActionGroupChange + summary: false + group: threshold met + id: 48de3460-f401-11ed-9f8e-399c75a2deeb + params: + level: info + message: |- + Rule '{{rule.name}}' is active for group '{{context.group}}': + + - Value: {{context.value}} + - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} + - Timestamp: {{context.date}} + alert_delay: + active: 3 + consumer: alerts + name: my rule + params: + aggField: sheet.version + aggType: avg + groupBy: top + index: + - .test-index + termField: name.keyword + termSize: 6 + threshold: + - 1000 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 5 + timeWindowUnit: m + rule_type_id: .index-threshold + schedule: + interval: 1m + tags: + - cpu + createTrackingContainmentRuleRequest: + description: | + Create a tracking containment rule that checks when an entity is contained or no longer contained within a boundary. 
+ summary: Tracking containment rule + value: + consumer: alerts + name: my tracking rule + params: + boundaryGeoField: location + boundaryIndexId: 0cd90abf-abe7-44c7-909a-f621bbbcfefc + boundaryIndexTitle: boundary* + boundaryNameField: name + boundaryType: entireIndex + dateField": '@timestamp' + entity: agent.keyword + geoField: geo.coordinates + index: kibana_sample_data_logs + indexId: 90943e30-9a47-11e8-b64d-95841ca0b247 + rule_type_id: .geo-containment + schedule: + interval: 1h schema: - $ref: '#/components/schemas/Cases_update_case_request' + anyOf: + - discriminator: + mapping: + .es-query: '#/components/schemas/Kibana_HTTP_APIs_es-query-create-rule-body-alerting' + .geo-containment: '#/components/schemas/Kibana_HTTP_APIs_geo-containment-create-rule-body-alerting' + .index-threshold: '#/components/schemas/Kibana_HTTP_APIs_index-threshold-create-rule-body-alerting' + apm.anomaly: '#/components/schemas/Kibana_HTTP_APIs_apm-anomaly-create-rule-body-alerting' + apm.error_rate: '#/components/schemas/Kibana_HTTP_APIs_apm-error-rate-create-rule-body-alerting' + apm.transaction_duration: '#/components/schemas/Kibana_HTTP_APIs_apm-transaction-duration-create-rule-body-alerting' + apm.transaction_error_rate: '#/components/schemas/Kibana_HTTP_APIs_apm-transaction-error-rate-create-rule-body-alerting' + datasetQuality.degradedDocs: '#/components/schemas/Kibana_HTTP_APIs_datasetquality-degradeddocs-create-rule-body-alerting' + logs.alert.document.count: '#/components/schemas/Kibana_HTTP_APIs_logs-alert-document-count-create-rule-body-alerting' + metrics.alert.inventory.threshold: '#/components/schemas/Kibana_HTTP_APIs_metrics-alert-inventory-threshold-create-rule-body-alerting' + metrics.alert.threshold: '#/components/schemas/Kibana_HTTP_APIs_metrics-alert-threshold-create-rule-body-alerting' + monitoring_alert_cluster_health: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-cluster-health-create-rule-body-alerting' + monitoring_alert_cpu_usage: 
'#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-cpu-usage-create-rule-body-alerting' + monitoring_alert_disk_usage: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-disk-usage-create-rule-body-alerting' + monitoring_alert_elasticsearch_version_mismatch: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-elasticsearch-version-mismatch-create-rule-body-alerting' + monitoring_alert_jvm_memory_usage: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-jvm-memory-usage-create-rule-body-alerting' + monitoring_alert_kibana_version_mismatch: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-kibana-version-mismatch-create-rule-body-alerting' + monitoring_alert_license_expiration: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-license-expiration-create-rule-body-alerting' + monitoring_alert_logstash_version_mismatch: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-logstash-version-mismatch-create-rule-body-alerting' + monitoring_alert_missing_monitoring_data: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-missing-monitoring-data-create-rule-body-alerting' + monitoring_alert_nodes_changed: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-nodes-changed-create-rule-body-alerting' + monitoring_alert_thread_pool_search_rejections: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-thread-pool-search-rejections-create-rule-body-alerting' + monitoring_alert_thread_pool_write_rejections: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-thread-pool-write-rejections-create-rule-body-alerting' + monitoring_ccr_read_exceptions: '#/components/schemas/Kibana_HTTP_APIs_monitoring-ccr-read-exceptions-create-rule-body-alerting' + monitoring_shard_size: '#/components/schemas/Kibana_HTTP_APIs_monitoring-shard-size-create-rule-body-alerting' + observability.rules.custom_threshold: '#/components/schemas/Kibana_HTTP_APIs_observability-rules-custom-threshold-create-rule-body-alerting' + slo.rules.burnRate: 
'#/components/schemas/Kibana_HTTP_APIs_slo-rules-burnrate-create-rule-body-alerting' + transform_health: '#/components/schemas/Kibana_HTTP_APIs_transform-health-create-rule-body-alerting' + xpack.ml.anomaly_detection_alert: '#/components/schemas/Kibana_HTTP_APIs_xpack-ml-anomaly-detection-alert-create-rule-body-alerting' + xpack.ml.anomaly_detection_jobs_health: '#/components/schemas/Kibana_HTTP_APIs_xpack-ml-anomaly-detection-jobs-health-create-rule-body-alerting' + xpack.synthetics.alerts.monitorStatus: '#/components/schemas/Kibana_HTTP_APIs_xpack-synthetics-alerts-monitorstatus-create-rule-body-alerting' + xpack.synthetics.alerts.tls: '#/components/schemas/Kibana_HTTP_APIs_xpack-synthetics-alerts-tls-create-rule-body-alerting' + xpack.uptime.alerts.durationAnomaly: '#/components/schemas/Kibana_HTTP_APIs_xpack-uptime-alerts-durationanomaly-create-rule-body-alerting' + xpack.uptime.alerts.monitorStatus: '#/components/schemas/Kibana_HTTP_APIs_xpack-uptime-alerts-monitorstatus-create-rule-body-alerting' + xpack.uptime.alerts.tlsCertificate: '#/components/schemas/Kibana_HTTP_APIs_xpack-uptime-alerts-tlscertificate-create-rule-body-alerting' + propertyName: rule_type_id + oneOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-ccr-read-exceptions-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-cluster-health-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-cpu-usage-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-disk-usage-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-elasticsearch-version-mismatch-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-kibana-version-mismatch-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-license-expiration-create-rule-body-alerting' + - $ref: 
'#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-logstash-version-mismatch-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-jvm-memory-usage-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-missing-monitoring-data-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-nodes-changed-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-shard-size-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-thread-pool-search-rejections-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-thread-pool-write-rejections-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xpack-ml-anomaly-detection-alert-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xpack-ml-anomaly-detection-jobs-health-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datasetquality-degradeddocs-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_es-query-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_index-threshold-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_geo-containment-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_transform-health-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_apm-anomaly-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_apm-error-rate-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_apm-transaction-error-rate-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_apm-transaction-duration-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xpack-synthetics-alerts-monitorstatus-create-rule-body-alerting' + - $ref: 
'#/components/schemas/Kibana_HTTP_APIs_xpack-synthetics-alerts-tls-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xpack-uptime-alerts-monitorstatus-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xpack-uptime-alerts-tlscertificate-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xpack-uptime-alerts-durationanomaly-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metrics-alert-inventory-threshold-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metrics-alert-threshold-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_observability-rules-custom-threshold-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_logs-alert-document-count-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_slo-rules-burnrate-create-rule-body-alerting' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule' responses: '200': content: application/json: examples: - updateCaseResponse: - $ref: '#/components/examples/Cases_update_case_response' + createEsQueryEsqlRuleResponse: + description: The response for successfully creating an Elasticsearch query rule that uses Elasticsearch Query Language (ES|QL). 
+ summary: Elasticsearch query rule (ES|QL) + value: + actions: + - connector_type_id: .server-log + frequency: + notify_when: onActiveAlert + summary: false + throttle: null + group: query matched + id: d0db1fe0-78d6-11ee-9177-f7d404c8c945 + params: + level: info + message: |- + Elasticsearch query rule '{{rule.name}}' is active: + - Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}} + uuid: bfe370a3-531b-4855-bbe6-ad739f578844 + api_key_created_by_user: false + api_key_owner: elastic + consumer: stackAlerts + created_at: '2023-11-01T19:00:10.453Z' + created_by: elastic + enabled: true + execution_status: + last_execution_date: '2023-11-01T19:00:10.453Z' + status: pending + id: e0d62360-78e8-11ee-9177-f7d404c8c945 + mute_all: false + muted_alert_ids: [] + name: my Elasticsearch query ESQL rule + notify_when: null + params: + aggType: count + esqlQuery: + esql: FROM kibana_sample_data_logs | keep bytes, clientip, host, geo.dest | WHERE geo.dest != "GB" | stats sumbytes = sum(bytes) by clientip, host | WHERE sumbytes > 5000 | sort sumbytes desc | limit 10 + excludeHitsFromPreviousRun": true, + groupBy: all + searchType: esqlQuery + size: 0 + threshold: + - 0 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 1 + timeWindowUnit: d + revision: 0 + rule_type_id: .es-query + running: false + schedule: + interval: 1d + scheduled_task_id: e0d62360-78e8-11ee-9177-f7d404c8c945 + tags: [] + throttle: null + updated_at: '2023-11-01T19:00:10.453Z' + updated_by: elastic", + createEsQueryKqlRuleResponse: + description: The response for successfully creating an Elasticsearch query rule that uses Kibana query language (KQL). 
+ summary: Elasticsearch query rule (KQL) + value: + actions: [] + api_key_created_by_user: false + api_key_owner: elastic + consumer: alerts + created_at: '2023-07-14T20:24:50.729Z' + created_by: elastic + enabled: true + execution_status: + last_execution_date: '2023-07-14T20:24:50.729Z' + status: pending + id: 7bd506d0-2284-11ee-8fad-6101956ced88 + mute_all: false + muted_alert_ids: [] + name: my Elasticsearch query KQL rule" + notify_when: null + params: + aggType: count + excludeHitsFromPreviousRun: true + groupBy: all + searchConfiguration: + index: 90943e30-9a47-11e8-b64d-95841ca0b247 + query: + language: kuery + query: '""geo.src : "US" ""' + searchType: searchSource + size: 100 + threshold: + - 1000 + thresholdComparator: '>' + timeWindowSize: 5 + timeWindowUnit: m + revision: 0 + rule_type_id: .es-query + running: false + schedule: + interval: 1m + scheduled_task_id: 7bd506d0-2284-11ee-8fad-6101956ced88 + tags: [] + throttle: null + updated_at: '2023-07-14T20:24:50.729Z' + updated_by: elastic + createEsQueryRuleResponse: + description: The response for successfully creating an Elasticsearch query rule that uses Elasticsearch query domain specific language (DSL). + summary: Elasticsearch query rule (DSL) + value: + actions: + - connector_type_id: .server-log + frequency: + notify_when: onThrottleInterval + summary: true + throttle: 1d + group: query matched + id: fdbece50-406c-11ee-850e-c71febc4ca7f + params: + level: info + message: The system has detected {{alerts.new.count}} new, {{alerts.ongoing.count}} ongoing, and {{alerts.recovered.count}} recovered alerts. 
+ uuid: 53f3c2a3-e5d0-4cfa-af3b-6f0881385e78 + - connector_type_id: .server-log + frequency: + notify_when: onActionGroupChange + summary: false + throttle: null + group: recovered + id: fdbece50-406c-11ee-850e-c71febc4ca7f + params: + level: info + message: Recovered + uuid: 2324e45b-c0df-45c7-9d70-4993e30be758 + api_key_created_by_user: false + api_key_owner: elastic + consumer: alerts + created_at: '2023-08-22T00:03:38.263Z' + created_by: elastic + enabled: true + execution_status: + last_execution_date: '2023-08-22T00:03:38.263Z' + status: pending + id: 58148c70-407f-11ee-850e-c71febc4ca7f + mute_all: false + muted_alert_ids: [] + name: my Elasticsearch query rule + notify_when: null + params: + aggType: count + esQuery: '"""{"query":{"match_all" : {}}}"""' + excludeHitsFromPreviousRun: true + groupBy: all + index: + - kibana_sample_data_logs + searchType: esQuery + size: 100 + threshold: + - 100 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 1 + timeWindowUnit: d + revision: 0 + rule_type_id: .es-query + running: false + schedule: + interval: 1d + scheduled_task_id: 58148c70-407f-11ee-850e-c71febc4ca7f + tags: [] + throttle: null + updated_at: '2023-08-22T00:03:38.263Z' + updated_by: elastic + createIndexThresholdRuleResponse: + description: The response for successfully creating an index threshold rule. 
+ summary: Index threshold rule + value: + actions: + - connector_type_id: .server-log + frequency: + notify_when: onActionGroupChange + summary: false + throttle: null + group: threshold met + id: dceeb5d0-6b41-11eb-802b-85b0c1bc8ba2 + params: + level: info + message: |- + Rule {{rule.name}} is active for group {{context.group} : + + - Value: {{context.value}} + - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} + - Timestamp: {{context.date}} + uuid: 07aef2a0-9eed-4ef9-94ec-39ba58eb609d + alert_delay: + active: 3 + api_key_created_by_user: false + api_key_owner: elastic + consumer: alerts + created_at: '2022-06-08T17:20:31.632Z' + created_by: elastic + enabled: true + execution_status: + last_execution_date: '2022-06-08T17:20:31.632Z' + status: pending + id: 41893910-6bca-11eb-9e0d-85d233e3ee35 + mute_all: false + muted_alert_ids: [] + name: my rule + notify_when: null + params: + aggField: sheet.version + aggType: avg + groupBy: top + index: + - .test-index + termField: name.keyword + termSize: 6 + threshold: + - 1000 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 5 + timeWindowUnit: m + revision: 0 + rule_type_id: .index-threshold + running: false + schedule: + interval: 1m + scheduled_task_id: 425b0800-6bca-11eb-9e0d-85d233e3ee35 + tags: + - cpu + throttle: null + updated_at: '2022-06-08T17:20:31.632Z' + updated_by: elastic + createTrackingContainmentRuleResponse: + description: The response for successfully creating a tracking containment rule. 
+ summary: Tracking containment rule + value: + actions: [] + api_key_created_by_user: false + api_key_owner: elastic + consumer: alerts + created_at: '2024-02-14T19:52:55.920Z' + created_by: elastic + enabled: true + execution_status: + last_duration: 74 + last_execution_date: '2024-02-15T03:25:38.125Z' + status: ok + id: b6883f9d-5f70-4758-a66e-369d7c26012f + last_run: + alerts_count: + active: 0 + ignored: 0 + new: 0 + recovered: 0 + outcome: succeeded + outcome_msg: null + outcome_order: 0 + warning: null + mute_all: false + muted_alert_ids: [] + name: my tracking rule + next_run: '2024-02-15T03:26:38.033Z' + notify_when: null + params: + boundaryGeoField: location + boundaryIndexId: 0cd90abf-abe7-44c7-909a-f621bbbcfefc + boundaryIndexTitle: boundary* + boundaryNameField: name + boundaryType: entireIndex + dateField: '@timestamp' + entity: agent.keyword + geoField: geo.coordinates + index: kibana_sample_data_logs + indexId: 90943e30-9a47-11e8-b64d-95841ca0b247 + revision: 1 + rule_type_id: .geo-containment + running: false + schedule: + interval: 1h + scheduled_task_id: b6883f9d-5f70-4758-a66e-369d7c26012f + tags: [] + throttle: null + updated_at: '2024-02-15T03:24:32.574Z' + updated_by: elastic schema: - items: - $ref: '#/components/schemas/Cases_case_response_properties' - type: array + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_response' description: Indicates a successful call. - '401': - content: - application/json: - examples: - response401: - $ref: '#/components/examples/Cases_response_401' - schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. - summary: Update cases + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '409': + description: Indicates that the rule id is already in use. 
+ summary: Create a rule tags: - - cases - post: - description: > - You must have `all` privileges for the **Cases** feature in the - **Management**, **Observability**, or **Security** section of the - Kibana feature privileges, depending on the owner of the case you're - creating. - operationId: createCaseDefaultSpace + - alerting + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/alerting/rule/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + put: + operationId: put-alerting-rule-id parameters: - - $ref: '#/components/parameters/Cases_kbn_xsrf' + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. + in: path + name: id + required: true + schema: + type: string requestBody: content: application/json: examples: - createCaseRequest: - $ref: '#/components/examples/Cases_create_case_request' + updateRuleRequest: + description: Update an index threshold rule that uses a server log connector to send notifications when the threshold is met. + summary: Index threshold rule + value: + actions: + - frequency: + notify_when: onActionGroupChange + summary: false + group: threshold met + id: 96b668d0-a1b6-11ed-afdf-d39a49596974 + params: + level: info + message: |- + Rule {{rule.name}} is active for group {{context.group}}: + + - Value: {{context.value}} + - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} + - Timestamp: {{context.date}} + name: new name + params: + aggField: sheet.version + aggType: avg + groupBy: top + index: + - .updated-index + termField: name.keyword + termSize: 6 + threshold: + - 1000 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 5 + timeWindowUnit: m + schedule: + interval: 1m + tags: [] schema: - $ref: '#/components/schemas/Cases_create_case_request' - required: true + $ref: '#/components/schemas/Kibana_HTTP_APIs_update_rule' responses: '200': content: application/json: examples: - createCaseResponse: - $ref: '#/components/examples/Cases_create_case_response' + updateRuleResponse: + description: The response for successfully updating an index threshold rule. 
+ summary: Index threshold rule + value: + actions: + - connector_type_id: .server-log + frequency: + notify_when: onActionGroupChange + summary: false + throttle: null + group: threshold met + id: 96b668d0-a1b6-11ed-afdf-d39a49596974 + params: + level: info + message: |- + Rule {{rule.name}} is active for group {{context.group}}: + + - Value: {{context.value}} + - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} + - Timestamp: {{context.date} + uuid: 07aef2a0-9eed-4ef9-94ec-39ba58eb609d + api_key_created_by_user: false + api_key_owner: elastic + consumer: alerts + created_at: '2024-03-26T23:13:20.985Z' + created_by: elastic + enabled: true + execution_status: + last_duration: 52 + last_execution_date: '2024-03-26T23:22:51.390Z' + status: ok + id: ac4e6b90-6be7-11eb-ba0d-9b1c1f912d74 + last_run: + alerts_count: + active: 0 + ignored: 0 + new: 0 + recovered: 0 + outcome: succeeded + outcome_msg: null + warning: null + mute_all: false + muted_alert_ids: [] + name: new name + next_run: '2024-03-26T23:23:51.316Z' + params: + aggField: sheet.version + aggType: avg + groupBy: top + index: + - .updated-index + termField: name.keyword + termSize: 6 + threshold: + - 1000 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 5 + timeWindowUnit: m + revision: 1 + rule_type_id: .index-threshold + running: false + schedule: + interval: 1m + scheduled_task_id: 4c5eda00-e74f-11ec-b72f-5b18752ff9ea + tags: [] + throttle: null + updated_at: '2024-03-26T23:22:59.949Z' + updated_by: elastic schema: - $ref: '#/components/schemas/Cases_case_response_properties' + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_response' description: Indicates a successful call. - '401': - content: - application/json: - examples: - response401: - $ref: '#/components/examples/Cases_response_401' - schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. 
- summary: Create a case + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. + '409': + description: Indicates that the rule has already been updated by another user. + summary: Update a rule tags: - - cases - /api/cases/_find: - get: - description: > - You must have `read` privileges for the **Cases** feature in the - **Management**, **Observability**, or **Security** section of the Kibana - feature privileges, depending on the owner of the cases you're seeking. - operationId: findCasesDefaultSpace + - alerting + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/alerting/rule/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/alerting/rule/{id}/_disable: + post: + operationId: post-alerting-rule-id-disable parameters: - - $ref: '#/components/parameters/Cases_assignees_filter' - - $ref: '#/components/parameters/Cases_category' - - $ref: '#/components/parameters/Cases_defaultSearchOperator' - - $ref: '#/components/parameters/Cases_from' - - $ref: '#/components/parameters/Cases_owner_filter' - - $ref: '#/components/parameters/Cases_page_index' - - $ref: '#/components/parameters/Cases_page_size' - - $ref: '#/components/parameters/Cases_reporters' - - $ref: '#/components/parameters/Cases_search' - - $ref: '#/components/parameters/Cases_searchFields' - - $ref: '#/components/parameters/Cases_severity' - - $ref: '#/components/parameters/Cases_sortField' - - $ref: '#/components/parameters/Cases_sort_order' - - $ref: '#/components/parameters/Cases_status' - - $ref: '#/components/parameters/Cases_tags' - - $ref: '#/components/parameters/Cases_to' + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. + in: path + name: id + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + disableRuleRequest: + description: A request that disables a rule and untracks all alerts that were generated by the rule. + summary: Disable a rule and untrack its alerts + value: + untrack: true + schema: + additionalProperties: false + nullable: true + type: object + properties: + untrack: + description: Defines whether this rule's alerts should be untracked. 
+ type: boolean responses: - '200': - content: - application/json: - examples: - findCaseResponse: - $ref: '#/components/examples/Cases_find_case_response' - schema: - type: object - properties: - cases: - items: - $ref: '#/components/schemas/Cases_case_response_properties' - maxItems: 10000 - type: array - count_closed_cases: - type: integer - count_in_progress_cases: - type: integer - count_open_cases: - type: integer - page: - type: integer - per_page: - type: integer - total: - type: integer + '204': description: Indicates a successful call. - '401': - content: - application/json: - examples: - response401: - $ref: '#/components/examples/Cases_response_401' - schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. - summary: Search cases + '400': + description: Indicates an invalid schema. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. + summary: Disable a rule tags: - - cases - /api/cases/{caseId}: - get: - description: > - Returns case details. The response does not include a comments - property; use the find case comments API to retrieve comments. The - totalComment field reflects the actual number of user comments on the - case. You must have `read` privileges for the **Cases** feature in the - **Management**, **Observability**, or **Security** section of the Kibana - feature privileges, depending on the owner of the case you're seeking. - operationId: getCaseDefaultSpace + - alerting + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/alerting/rule/{id}/_disable
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/alerting/rule/{id}/_enable: + post: + operationId: post-alerting-rule-id-enable parameters: - - $ref: '#/components/parameters/Cases_case_id' + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. + in: path + name: id + required: true + schema: + type: string responses: - '200': - content: - application/json: - examples: - getDefaultCaseResponse: - $ref: '#/components/examples/Cases_get_case_response' - getDefaultObservabilityCaseResponse: - $ref: '#/components/examples/Cases_get_case_observability_response' - schema: - $ref: '#/components/schemas/Cases_case_response_get_case' + '204': description: Indicates a successful call. - '401': - content: - application/json: - examples: - response401: - $ref: '#/components/examples/Cases_response_401' - schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. - summary: Get case information + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. + summary: Enable a rule tags: - - cases - /api/cases/{caseId}/alerts: - get: - description: > - You must have `read` privileges for the **Cases** feature in the - **Management**, **Observability**, or **Security** section of the Kibana - feature privileges, depending on the owner of the cases you're seeking. - operationId: getCaseAlertsDefaultSpace + - alerting + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/alerting/rule/{id}/_enable
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/alerting/rule/{id}/_mute_all: + post: + operationId: post-alerting-rule-id-mute-all parameters: - - $ref: '#/components/parameters/Cases_case_id' + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. + in: path + name: id + required: true + schema: + type: string responses: - '200': - content: - application/json: - examples: - getCaseAlertsResponse: - $ref: '#/components/examples/Cases_get_case_alerts_response' - schema: - items: - $ref: '#/components/schemas/Cases_alert_response_properties' - type: array + '204': description: Indicates a successful call. - '401': - content: - application/json: - examples: - response401: - $ref: '#/components/examples/Cases_response_401' - schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. - summary: Get all alerts for a case + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. + summary: Mute all alerts tags: - - cases - x-state: Technical preview - /api/cases/{caseId}/comments: - delete: - description: > - Deletes all comments and alerts from a case. You must have `all` - privileges for the **Cases** feature in the **Management**, - **Observability**, or **Security** section of the Kibana feature - privileges, depending on the owner of the cases you're deleting. - operationId: deleteCaseCommentsDefaultSpace + - alerting + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/alerting/rule/{id}/_mute_all
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/alerting/rule/{id}/_unmute_all: + post: + operationId: post-alerting-rule-id-unmute-all parameters: - - $ref: '#/components/parameters/Cases_kbn_xsrf' - - $ref: '#/components/parameters/Cases_case_id' + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. + in: path + name: id + required: true + schema: + type: string responses: '204': description: Indicates a successful call. - '401': - content: - application/json: - examples: - response401: - $ref: '#/components/examples/Cases_response_401' - schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. - summary: Delete all case comments and alerts + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. + summary: Unmute all alerts tags: - - cases - x-codeSamples: - - label: curl - lang: curl - source: | - curl \ - --request DELETE 'https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments' \ - --header "Authorization: $API_KEY" \ - --header "kbn-xsrf: true" - - label: Console - lang: console - source: | - DELETE kbn:/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments - patch: - description: > - You must have `all` privileges for the **Cases** feature in the - **Management**, **Observability**, or **Security** section of the Kibana - feature privileges, depending on the owner of the case you're updating. - NOTE: You cannot change the comment type or the owner of a comment. 
- operationId: updateCaseCommentDefaultSpace + - alerting + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/alerting/rule/{id}/_unmute_all
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/alerting/rule/{id}/_update_api_key: + post: + operationId: post-alerting-rule-id-update-api-key parameters: - - $ref: '#/components/parameters/Cases_kbn_xsrf' - - $ref: '#/components/parameters/Cases_case_id' - requestBody: - content: - application/json: - examples: - updateCaseCommentRequest: - $ref: '#/components/examples/Cases_update_comment_request' - schema: - $ref: '#/components/schemas/Cases_update_case_comment_request' - required: true + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. + in: path + name: id + required: true + schema: + type: string + responses: + '204': + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. + '409': + description: Indicates that the rule has already been updated by another user. + summary: Update the API key for a rule + tags: + - alerting + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/alerting/rule/{id}/_update_api_key
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/alerting/rule/{id}/query_inspector: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/alerting/rule/{id}/query_inspector
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Returns the Elasticsearch query that a rule executes, and optionally its response. + operationId: get-alerting-rule-id-query-inspector + parameters: + - description: The identifier for the rule. + in: path + name: id + required: true + schema: + type: string + - description: The inspection mode. Use "build" to return only the query, or "execute" to run the query and include the response. + in: query + name: mode + required: false + schema: + default: build + enum: + - build + - execute + type: string + - description: The alert document ID. When provided, the query inspector uses the evaluation time range from the alert instead of the current time. + in: query + name: alert_id + required: false + schema: + type: string responses: '200': content: application/json: examples: - updateCaseCommentResponse: - $ref: '#/components/examples/Cases_update_comment_response' + getRuleQueryInspectorResponse: + summary: A query inspector response for a custom threshold rule + value: + queries: + - index: metrics-* + request: + aggs: + groupings: + composite: + size: 500 + sources: [] + query: + bool: + filter: + - range: + '@timestamp': + gte: '2026-01-01T00:00:00.000Z' + lte: '2026-01-01T00:05:00.000Z' + size: 0 schema: - $ref: '#/components/schemas/Cases_case_response_properties' + additionalProperties: false + type: object + properties: + queries: + items: + additionalProperties: false + type: object + properties: + index: + type: string + label: + type: string + request: + additionalProperties: + nullable: true + type: object + response: + additionalProperties: + nullable: true + type: object + required: + - index + - request + maxItems: 1000 + type: array + required: + - queries description: Indicates a successful call. 
- '401': - content: - application/json: - examples: - response401: - $ref: '#/components/examples/Cases_response_401' - schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. - summary: Update a case comment or alert + '400': + description: Indicates the rule type is not supported or the request parameters are invalid. + '404': + description: Indicates a rule with the specified rule ID does not exist. + summary: Get the Elasticsearch query for a rule tags: - - cases + - alerting + x-metaTags: + - content: Kibana + name: product_name + /api/alerting/rule/{id}/snooze_schedule: post: - description: > - You must have `all` privileges for the **Cases** feature in the - **Management**, **Observability**, or **Security** section of the Kibana - feature privileges, depending on the owner of the case you're creating. - NOTE: Each case can have a maximum of 1,000 alerts. - operationId: addCaseCommentDefaultSpace + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/alerting/rule/{id}/snooze_schedule
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + When you snooze a rule, the rule checks continue to run but alerts will not generate actions. You can snooze for a specified period of time and schedule single or recurring downtimes. + operationId: post-alerting-rule-id-snooze-schedule parameters: - - $ref: '#/components/parameters/Cases_kbn_xsrf' - - $ref: '#/components/parameters/Cases_case_id' + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Identifier of the rule. + in: path + name: id + required: true + schema: + type: string requestBody: content: application/json: examples: - createCaseCommentRequest: - $ref: '#/components/examples/Cases_add_comment_request' + snoozeRuleRecurringRequest: + description: A request that snoozes a rule every Monday for 8 hours, for 4 occurrences. + summary: Snooze a rule on a recurring weekly schedule + value: + schedule: + custom: + duration: 8h + recurring: + every: 1w + occurrences: 4 + onWeekDay: + - MO + start: '2025-03-17T09:00:00.000Z' + timezone: UTC + snoozeRuleRequest: + description: A request that snoozes a rule for 24 hours starting now. + summary: Snooze a rule for 24 hours + value: + schedule: + custom: + duration: 24h + start: '2025-03-12T12:00:00.000Z' + timezone: UTC schema: - $ref: '#/components/schemas/Cases_add_case_comment_request' - required: true + additionalProperties: false + type: object + properties: + schedule: + additionalProperties: false + type: object + properties: + custom: + $ref: '#/components/schemas/Kibana_HTTP_APIs_schedule_request' + required: + - schedule responses: '200': content: application/json: examples: - createCaseCommentResponse: - $ref: '#/components/examples/Cases_add_comment_response' + snoozeRuleResponse: + description: A response that contains the created snooze schedule. 
+ summary: Snooze schedule response + value: + schedule: + custom: + duration: 24h + start: '2025-03-12T12:00:00.000Z' + timezone: UTC + id: 9ac67950-6737-11ec-8ded-d7f6e1581b26 schema: - $ref: '#/components/schemas/Cases_case_response_properties' + additionalProperties: false + type: object + properties: + body: + additionalProperties: false + type: object + properties: + schedule: + additionalProperties: false + type: object + properties: + custom: + $ref: '#/components/schemas/Kibana_HTTP_APIs_schedule_request' + id: + description: Identifier of the snooze schedule. + type: string + required: + - id + required: + - schedule + required: + - body description: Indicates a successful call. - '401': - content: - application/json: - examples: - response401: - $ref: '#/components/examples/Cases_response_401' - schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. - summary: Add a case comment or alert + '400': + description: Indicates an invalid schema. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given id does not exist. + summary: Schedule a snooze for the rule tags: - - cases - /api/cases/{caseId}/comments/_find: - get: - description: > - Retrieves a paginated list of comments for a case. You must have `read` - privileges for the **Cases** feature in the **Management**, - **Observability**, or **Security** section of the Kibana feature - privileges, depending on the owner of the cases with the comments you're - seeking. 
- operationId: findCaseCommentsDefaultSpace + - alerting + x-state: Generally available; added in 8.19.0 + x-metaTags: + - content: Kibana + name: product_name + /api/alerting/rule/{rule_id}/alert/{alert_id}/_mute: + post: + operationId: post-alerting-rule-rule-id-alert-alert-id-mute parameters: - - $ref: '#/components/parameters/Cases_case_id' - - $ref: '#/components/parameters/Cases_page_index' - - $ref: '#/components/parameters/Cases_page_size' - - $ref: '#/components/parameters/Cases_sort_order' + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. + in: path + name: rule_id + required: true + schema: + type: string + - description: The identifier for the alert. + in: path + name: alert_id + required: true + schema: + type: string + - description: Whether to validate the existence of the alert. + in: query + name: validate_alerts_existence + required: false + schema: + type: boolean responses: - '200': - content: - application/json: - examples: - findCaseCommentsResponse: - $ref: '#/components/examples/Cases_find_case_comments_response' - schema: - $ref: '#/components/schemas/Cases_find_comments_response' + '204': description: Indicates a successful call. - '401': - content: - application/json: - examples: - response401: - $ref: '#/components/examples/Cases_response_401' - schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. - summary: Find case comments + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule or alert with the given ID does not exist. 
+ summary: Mute an alert tags: - - cases - /api/cases/{caseId}/comments/{commentId}: - delete: - description: > - You must have `all` privileges for the **Cases** feature in the - **Management**, **Observability**, or **Security** section of the Kibana - feature privileges, depending on the owner of the cases you're deleting. - operationId: deleteCaseCommentDefaultSpace + - alerting + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/alerting/rule/{rule_id}/alert/{alert_id}/_mute
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/alerting/rule/{rule_id}/alert/{alert_id}/_unmute: + post: + operationId: post-alerting-rule-rule-id-alert-alert-id-unmute parameters: - - $ref: '#/components/parameters/Cases_kbn_xsrf' - - $ref: '#/components/parameters/Cases_case_id' - - $ref: '#/components/parameters/Cases_comment_id' + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. + in: path + name: rule_id + required: true + schema: + type: string + - description: The identifier for the alert. + in: path + name: alert_id + required: true + schema: + type: string responses: '204': description: Indicates a successful call. - '401': - content: - application/json: - examples: - response401: - $ref: '#/components/examples/Cases_response_401' - schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. - summary: Delete a case comment or alert + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule or alert with the given ID does not exist. 
+ summary: Unmute an alert tags: - - cases - x-codeSamples: - - label: curl - lang: curl - source: | - curl \ - --request DELETE 'https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments/71ec1870-725b-11ea-a0b2-c51ea50a58e2' \ - --header "Authorization: $API_KEY" \ - --header "kbn-xsrf: true" - - label: Console - lang: console - source: > - DELETE - kbn:/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments/71ec1870-725b-11ea-a0b2-c51ea50a58e2 - get: - description: > - You must have `read` privileges for the **Cases** feature in the - **Management**, **Observability**, or **Security** section of the Kibana - feature privileges, depending on the owner of the cases with the - comments you're seeking. - operationId: getCaseCommentDefaultSpace + - alerting + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/alerting/rule/{rule_id}/alert/{alert_id}/_unmute
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/alerting/rule/{ruleId}/snooze_schedule/{scheduleId}: + delete: + operationId: delete-alerting-rule-ruleid-snooze-schedule-scheduleid parameters: - - $ref: '#/components/parameters/Cases_case_id' - - $ref: '#/components/parameters/Cases_comment_id' + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. + in: path + name: ruleId + required: true + schema: + type: string + - description: The identifier for the snooze schedule. + in: path + name: scheduleId + required: true + schema: + type: string responses: - '200': - content: - application/json: - examples: - getCaseCommentResponse: - $ref: '#/components/examples/Cases_get_comment_response' - schema: - oneOf: - - $ref: >- - #/components/schemas/Cases_alert_comment_response_properties - - $ref: >- - #/components/schemas/Cases_user_comment_response_properties + '204': description: Indicates a successful call. - '401': - content: - application/json: - examples: - response401: - $ref: '#/components/examples/Cases_response_401' - schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. - summary: Get a case comment or alert + '400': + description: Indicates an invalid schema. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given id does not exist. + summary: Delete a snooze schedule for a rule tags: - - cases - /api/cases/{caseId}/connector/{connectorId}/_push: - post: - description: > - You must have `all` privileges for the **Actions and Connectors** - feature in the **Management** section of the Kibana feature privileges. 
- You must also have `all` privileges for the **Cases** feature in the - **Management**, **Observability**, or **Security** section of the Kibana - feature privileges, depending on the owner of the case you're pushing. - operationId: pushCaseDefaultSpace + - alerting + x-state: Generally available; added in 8.19.0 + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/alerting/rule/{ruleId}/snooze_schedule/{scheduleId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/alerting/rules/_find: + get: + operationId: get-alerting-rules-find parameters: - - $ref: '#/components/parameters/Cases_case_id' - - $ref: '#/components/parameters/Cases_connector_id' - - $ref: '#/components/parameters/Cases_kbn_xsrf' - requestBody: - content: - application/json: - examples: - pushCaseRequest: - summary: >- - Push a case to an external service. No request body is - required. - value: null - schema: - nullable: true - type: object + - description: The number of rules to return per page. + in: query + name: per_page + required: false + schema: + default: 10 + minimum: 0 + type: number + - description: The page number to return. + in: query + name: page + required: false + schema: + default: 1 + minimum: 1 + type: number + - description: An Elasticsearch simple_query_string query that filters the objects in the response. + in: query + name: search + required: false + schema: + type: string + - description: The default operator to use for the simple_query_string. + in: query + name: default_search_operator + required: false + schema: + default: OR + enum: + - OR + - AND + type: string + - description: The fields to perform the simple_query_string parsed query against. + in: query + name: search_fields + required: false + schema: + items: + type: string + type: array + - description: Determines which field is used to sort the results. The field must exist in the `attributes` key of the response. + in: query + name: sort_field + required: false + schema: + type: string + - description: Determines the sort order. + in: query + name: sort_order + required: false + schema: + enum: + - asc + - desc + type: string + - description: Filters the rules that have a relation with the reference objects with a specific type and identifier. 
+ in: query + name: has_reference + required: false + schema: + additionalProperties: false + nullable: true + type: object + properties: + id: + type: string + type: + type: string + required: + - type + - id + - description: The fields to return in the `attributes` key of the response. + in: query + name: fields + required: false + schema: + items: + type: string + type: array + - description: 'A KQL string that you filter with an attribute from your saved object. It should look like `savedObjectType.attributes.title: "myTitle"`. However, if you used a direct attribute of a saved object, such as `updatedAt`, you must define your filter, for example, `savedObjectType.updatedAt > 2018-12-22`.' + in: query + name: filter + required: false + schema: + type: string + - in: query + name: filter_consumers + required: false + schema: + items: + description: List of consumers to filter. + type: string + type: array responses: '200': content: application/json: examples: - pushCaseResponse: - $ref: '#/components/examples/Cases_push_case_response' + findConditionalActionRulesResponse: + description: A response that contains information about an index threshold rule. 
+ summary: Index threshold rule + value: + data: + - actions: + - frequency: + notify_when: onActionGroupChange + summary: false + throttle: null + group: threshold met + id: 9dca3e00-74f5-11ed-9801-35303b735aef + params: + connector_type_id: .server-log + level: info + message: |- + Rule {{rule.name}} is active for group {{context.group}}: + + - Value: {{context.value}} + - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} + - Timestamp: {{context.date}} + uuid: 1c7a1280-f28c-4e06-96b2-e4e5f05d1d61 + api_key_created_by_user: false + api_key_owner: elastic + consumer: alerts + created_at: '2022-12-05T23:40:33.132Z' + created_by: elastic + enabled: true + execution_status: + last_duration: 48 + last_execution_date: '2022-12-06T01:44:23.983Z' + status: ok + id: 3583a470-74f6-11ed-9801-35303b735aef + last_run: + alerts_count: + active: 0 + ignored: 0 + new: 0 + recovered: 0 + outcome: succeeded + outcome_msg: null + warning: null + mute_all: false + muted_alert_ids: [] + name: my alert + next_run: '2022-12-06T01:45:23.912Z' + params: + aggField: sheet.version + aggType: avg + groupBy: top + index: + - test-index + termField: name.keyword + termSize: 6 + threshold: + - 1000 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 5 + timeWindowUnit: m + revision: 1 + rule_type_id: .index-threshold + schedule: + interval: 1m + scheduled_task_id: 3583a470-74f6-11ed-9801-35303b735aef + tags: + - cpu + throttle: null + updated_at: '2022-12-05T23:40:33.132Z' + updated_by: elastic + page: 1 + per_page: 10 + total: 1 + findRulesResponse: + description: A response that contains information about a security rule that has conditional actions. 
+ summary: Security rule + value: + data: + - actions: + - alerts_filter: + query: + filters: + - $state: + store: appState + meta: + alias: null + disabled: false + field: client.geo.region_iso_code + index: c4bdca79-e69e-4d80-82a1-e5192c621bea + key: client.geo.region_iso_code + negate: false + params: + query: CA-QC + type: phrase + query: + match_phrase: + client.geo.region_iso_code: CA-QC + kql: '' + timeframe: + days: + - 7 + hours: + end: '17:00' + start: '08:00' + timezone: UTC + connector_type_id: .index + frequency: + notify_when: onActiveAlert + summary: true + throttle: null + group: default + id: 49eae970-f401-11ed-9f8e-399c75a2deeb + params: + documents: + - alert_id: + '[object Object]': null + context_message: + '[object Object]': null + rule_id: + '[object Object]': null + rule_name: + '[object Object]': null + uuid: 1c7a1280-f28c-4e06-96b2-e4e5f05d1d61 + api_key_created_by_user: false + api_key_owner: elastic + consumer: siem + created_at: '2023-05-16T15:50:28.358Z' + created_by: elastic + enabled: true + execution_status: + last_duration: 166 + last_execution_date: '2023-05-16T20:26:49.590Z' + status: ok + id: 6107a8f0-f401-11ed-9f8e-399c75a2deeb + last_run: + alerts_count: + active: 0 + ignored: 0 + new: 0 + recovered: 0 + outcome: succeeded + outcome_msg: + - Rule execution completed successfully + outcome_order: 0 + warning: null + mute_all: false + muted_alert_ids: [] + name: security_rule + next_run: '2023-05-16T20:27:49.507Z' + notify_when: null + params: + author: [] + description: A security threshold rule. 
+ exceptionsList: [] + falsePositives: [] + filters: [] + from: now-3660s + immutable: false + index: + - kibana_sample_data_logs + language: kuery + license: '' + maxSignals: 100 + meta: + from: 1h + kibana_siem_app_url: https://localhost:5601/app/security + outputIndex: '' + query: '*' + references: [] + riskScore: 21 + riskScoreMapping: [] + ruleId: an_internal_rule_id + severity: low + severityMapping: [] + threat: [] + threshold: + cardinality: [] + field: + - bytes + value: 1 + to: now + type: threshold + version: 1 + revision: 1 + rule_type_id: siem.thresholdRule + running: false + schedule: + interval: 1m + scheduled_task_id: 6107a8f0-f401-11ed-9f8e-399c75a2deeb + tags: [] + throttle: null + updated_at: '2023-05-16T20:25:42.559Z' + updated_by: elastic + page: 1 + per_page: 10 + total: 1 schema: - $ref: '#/components/schemas/Cases_case_response_properties' + additionalProperties: false + type: object + properties: + data: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_response' + type: array + page: + type: number + per_page: + type: number + total: + type: number + required: + - page + - per_page + - total + - data description: Indicates a successful call. - '401': - content: - application/json: - examples: - response401: - $ref: '#/components/examples/Cases_response_401' - schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. - summary: Push a case to an external service + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + summary: Get information about rules tags: - - cases - /api/cases/{caseId}/files: - post: - description: > - Attach a file to a case. You must have `all` privileges for the - **Cases** feature in the **Management**, **Observability**, or - **Security** section of the Kibana feature privileges, depending on the - owner of the case you're updating. 
The request must include: + - alerting + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** - - The `Content-Type: multipart/form-data` HTTP header. +
get /s/{space_id}/api/alerting/rules/_find
- - The location of the file that is being uploaded. - operationId: addCaseFileDefaultSpace + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/alerting/rules/backfill/_find: + post: + operationId: post-alerting-rules-backfill-find parameters: - - $ref: '#/components/parameters/Cases_kbn_xsrf' - - $ref: '#/components/parameters/Cases_case_id' - requestBody: - content: - multipart/form-data: - examples: - addCaseFileRequest: - summary: Attach a plain text file named "my_attachment". - value: - filename: my_attachment - schema: - $ref: '#/components/schemas/Cases_add_case_file_request' - required: true - responses: - '200': - content: - application/json: - examples: - addCaseFileResponse: - $ref: '#/components/examples/Cases_add_comment_response' - schema: - $ref: '#/components/schemas/Cases_case_response_properties' - description: Indicates a successful call. - '401': - content: - application/json: - examples: - response401: - $ref: '#/components/examples/Cases_response_401' - schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. - summary: Attach a file to a case - tags: - - cases - x-codeSamples: - - label: curl - lang: curl - source: | - curl \ - --request POST 'https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/files' \ - --header "Authorization: $API_KEY" \ - --header "kbn-xsrf: true" \ - --form "file=@/path/to/my_attachment.txt" \ - --form "filename=my_attachment" - /api/cases/{caseId}/user_actions/_find: - get: - description: > - Retrieves a paginated list of user activity for a case. You must have - `read` privileges for the **Cases** feature in the **Management**, - **Observability**, or **Security** section of the Kibana feature - privileges, depending on the owner of the case you're seeking. 
- operationId: findCaseActivityDefaultSpace - parameters: - - $ref: '#/components/parameters/Cases_case_id' - - $ref: '#/components/parameters/Cases_page_index' - - $ref: '#/components/parameters/Cases_page_size' - - $ref: '#/components/parameters/Cases_sort_order' - - $ref: '#/components/parameters/Cases_user_action_types' + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The end date for filtering backfills. + in: query + name: end + required: false + schema: + type: string + - description: The page number to return. + in: query + name: page + required: false + schema: + default: 1 + minimum: 1 + type: number + - description: The number of backfills to return per page. + in: query + name: per_page + required: false + schema: + default: 10 + minimum: 0 + type: number + - description: A comma-separated list of rule identifiers. + in: query + name: rule_ids + required: false + schema: + type: string + - description: The initiator of the backfill, either `user` for manual backfills or `system` for automatic gap fills. + in: query + name: initiator + required: false + schema: + enum: + - user + - system + type: string + - description: The start date for filtering backfills. + in: query + name: start + required: false + schema: + type: string + - description: The field to sort backfills by. + in: query + name: sort_field + required: false + schema: + enum: + - createdAt + - start + type: string + - description: The sort order. 
+ in: query + name: sort_order + required: false + schema: + enum: + - asc + - desc + type: string responses: '200': content: application/json: examples: - findCaseActivityResponse: - $ref: '#/components/examples/Cases_find_case_activity_response' + findBackfillResponse: + summary: Find backfills response + value: + data: + - created_at: '2024-01-30T00:00:00.000Z' + duration: 12h + enabled: true + id: 85bdf571-f4fb-4666-a8d2-e05e1220ebc6 + initiator: user + rule: + api_key_owner: elastic + consumer: alerts + created_at: '2022-12-05T23:40:33.132Z' + created_by: elastic + enabled: true + id: 3583a470-74f6-11ed-9801-35303b735aef + name: my alert + params: + aggField: sheet.version + aggType: avg + groupBy: top + index: + - test-index + termField: name.keyword + termSize: 6 + threshold: + - 1000 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 5 + timeWindowUnit: m + revision: 0 + rule_type_id: .index-threshold + schedule: + interval: 1m + tags: + - cpu + updated_at: '2022-12-05T23:40:33.132Z' + updated_by: elastic + schedule: + - interval: 12h + run_at: '2024-01-01T12:00:00.000Z' + status: pending + - interval: 12h + run_at: '2024-01-02T00:00:00.000Z' + status: pending + space_id: default + start: '2024-01-01T00:00:00.000Z' + status: pending + page: 1 + per_page: 10 + total: 1 schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_find_backfill_response' + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + summary: Find backfills for rules + tags: + - alerting + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/alerting/rules/backfill/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/alerting/rules/backfill/_schedule: + post: + operationId: post-alerting-rules-backfill-schedule + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + scheduleBackfillRequest: + summary: Schedule a backfill for an index threshold rule + value: + - ranges: + - end: '2024-01-02T00:00:00.000Z' + start: '2024-01-01T00:00:00.000Z' + rule_id: 3583a470-74f6-11ed-9801-35303b735aef + schema: + items: + additionalProperties: false type: object properties: - page: - type: integer - perPage: - type: integer - total: - type: integer - userActions: + ranges: items: - $ref: >- - #/components/schemas/Cases_user_actions_find_response_properties - maxItems: 10000 + additionalProperties: false + type: object + properties: + end: + type: string + start: + type: string + required: + - start + - end type: array - description: Indicates a successful call. 
- '401': + rule_id: + type: string + run_actions: + type: boolean + required: + - rule_id + - ranges + maxItems: 100 + minItems: 1 + type: array + responses: + '200': content: application/json: examples: - response401: - $ref: '#/components/examples/Cases_response_401' + scheduleBackfillResponse: + summary: Schedule backfill response + value: + - created_at: '2024-01-30T00:00:00.000Z' + duration: 12h + enabled: true + id: 85bdf571-f4fb-4666-a8d2-e05e1220ebc6 + initiator: user + rule: + api_key_owner: elastic + consumer: alerts + created_at: '2022-12-05T23:40:33.132Z' + created_by: elastic + enabled: true + id: 3583a470-74f6-11ed-9801-35303b735aef + name: my alert + params: + aggField: sheet.version + aggType: avg + groupBy: top + index: + - test-index + termField: name.keyword + termSize: 6 + threshold: + - 1000 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 5 + timeWindowUnit: m + revision: 0 + rule_type_id: .index-threshold + schedule: + interval: 1m + tags: + - cpu + updated_at: '2022-12-05T23:40:33.132Z' + updated_by: elastic + schedule: + - interval: 12h + run_at: '2024-01-01T12:00:00.000Z' + status: pending + - interval: 12h + run_at: '2024-01-02T00:00:00.000Z' + status: pending + space_id: default + start: '2024-01-01T00:00:00.000Z' + status: pending schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. - summary: Find case activity + items: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_backfill_response' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_backfill_error_response' + type: array + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. 
+ summary: Schedule a backfill for rules tags: - - cases - /api/cases/alerts/{alertId}: + - alerting + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/alerting/rules/backfill/_schedule
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/alerting/rules/backfill/{id}: + delete: + operationId: delete-alerting-rules-backfill-id + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the backfill. + in: path + name: id + required: true + schema: + type: string + responses: + '204': + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a backfill with the given ID does not exist. + summary: Delete a backfill by ID + tags: + - alerting + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/alerting/rules/backfill/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. get: - description: > - You must have `read` privileges for the **Cases** feature in the - **Management**, **Observability**, or **Security** section of the Kibana - feature privileges, depending on the owner of the cases you're seeking. - operationId: getCasesByAlertDefaultSpace + operationId: get-alerting-rules-backfill-id parameters: - - $ref: '#/components/parameters/Cases_alert_id' - - $ref: '#/components/parameters/Cases_owner_filter' + - description: The identifier for the backfill. + in: path + name: id + required: true + schema: + type: string responses: '200': content: application/json: examples: - getCasesByAlertResponse: - summary: Cases associated with a given alert. + getBackfillResponse: + summary: Get a backfill for an index threshold rule value: - - createdAt: '2020-02-19T23:06:33.798Z' - description: Investigating suspicious activity - id: 06116b80-e1c3-11ec-be9b-9b1838238ee6 - status: open - title: security_case - totals: - alerts: 1 - events: 0 - userComments: 0 - schema: - items: - $ref: '#/components/schemas/Cases_related_case' - maxItems: 10000 - type: array + created_at: '2024-01-30T00:00:00.000Z' + duration: 12h + enabled: true + id: 85bdf571-f4fb-4666-a8d2-e05e1220ebc6 + initiator: user + rule: + api_key_owner: elastic + consumer: alerts + created_at: '2022-12-05T23:40:33.132Z' + created_by: elastic + enabled: true + id: 3583a470-74f6-11ed-9801-35303b735aef + name: my alert + params: + aggField: sheet.version + aggType: avg + groupBy: top + index: + - test-index + termField: name.keyword + termSize: 6 + threshold: + - 1000 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 5 + timeWindowUnit: m + revision: 0 + rule_type_id: .index-threshold + schedule: + interval: 1m + tags: + - cpu + updated_at: '2022-12-05T23:40:33.132Z' + updated_by: elastic + schedule: + - interval: 12h + run_at: '2024-01-01T12:00:00.000Z' + status: 
pending + - interval: 12h + run_at: '2024-01-02T00:00:00.000Z' + status: pending + space_id: default + start: '2024-01-01T00:00:00.000Z' + status: pending + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_backfill_response' description: Indicates a successful call. - '401': - content: - application/json: - examples: - response401: - $ref: '#/components/examples/Cases_response_401' - schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. - summary: Get cases for an alert + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a backfill with the given ID does not exist. + summary: Get a backfill by ID tags: - - cases - x-state: Technical preview - /api/cases/configure: - get: - description: > - Get setting details such as the closure type, custom fields, templates, - and the default connector for cases. You must have `read` privileges for - the **Cases** feature in the **Management**, **Observability**, or - **Security** section of the Kibana feature privileges, depending on - where the cases were created. - operationId: getCaseConfigurationDefaultSpace + - alerting + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/alerting/rules/backfill/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + /api/apm/agent_keys: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/apm/agent_keys
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new agent key for APM. + The user creating an APM agent API key must have at least the `manage_own_api_key` cluster privilege and the APM application-level privileges that it wishes to grant. + After it is created, you can copy the API key (Base64 encoded) and use it to to authorize requests from APM agents to the APM Server. + operationId: createAgentKey parameters: - - $ref: '#/components/parameters/Cases_owner_filter' + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - $ref: '#/components/parameters/APM_UI_kbn_xsrf' + requestBody: + content: + application/json: + examples: + createAgentKeyRequest1: + $ref: '#/components/examples/APM_UI_agent_keys_object_post_request1' + schema: + $ref: '#/components/schemas/APM_UI_agent_keys_object' + required: true responses: '200': content: application/json: examples: - getConfigurationResponse: - $ref: '#/components/examples/Cases_get_case_configuration_response' + createAgentKeyResponse1: + $ref: '#/components/examples/APM_UI_agent_keys_object_post_200_response1' schema: - items: - type: object - properties: - closure_type: - $ref: '#/components/schemas/Cases_closure_types' - connector: - type: object - properties: - fields: - description: >- - The fields specified in the case configuration are - not used and are not propagated to individual cases, - therefore it is recommended to set it to `null`. - nullable: true - type: object - id: - description: >- - The identifier for the connector. If you do not want - a default connector, use `none`. To retrieve - connector IDs, use the find connectors API. - example: none - type: string - name: - description: >- - The name of the connector. If you do not want a - default connector, use `none`. To retrieve connector - names, use the find connectors API. 
- example: none - type: string - type: - $ref: '#/components/schemas/Cases_connector_types' - created_at: - example: '2022-06-01T17:07:17.767Z' - format: date-time - type: string - created_by: - type: object - properties: - email: - example: null - nullable: true - type: string - full_name: - example: null - nullable: true - type: string - profile_uid: - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - type: string - username: - example: elastic - nullable: true - type: string - required: - - email - - full_name - - username - customFields: - description: Custom fields configuration details. - items: - type: object - properties: - defaultValue: - description: > - A default value for the custom field. If the - `type` is `text`, the default value must be a - string. If the `type` is `toggle`, the default - value must be boolean. - oneOf: - - type: string - - type: boolean - key: - description: > - A unique key for the custom field. Must be lower - case and composed only of a-z, 0-9, '_', and '-' - characters. It is used in API calls to refer to a - specific custom field. - maxLength: 36 - minLength: 1 - type: string - label: - description: >- - The custom field label that is displayed in the - case. - maxLength: 50 - minLength: 1 - type: string - type: - description: The type of the custom field. - enum: - - text - - toggle - type: string - required: - description: > - Indicates whether the field is required. If - `false`, the custom field can be set to null or - omitted when a case is created or updated. - type: boolean - type: array - error: - example: null - nullable: true - type: string - id: - example: 4a97a440-e1cd-11ec-be9b-9b1838238ee6 - type: string - mappings: - items: - type: object - properties: - action_type: - example: overwrite - type: string - source: - example: title - type: string - target: - example: summary - type: string - type: array - observableTypes: - description: Custom observable type configuration details. 
- items: - type: object - properties: - key: - description: The observable type key. - example: d312efda-ec2b-42ec-9e2c-84981795c581 - type: string - label: - description: The observable type label. - example: My observable type - type: string - type: array - owner: - $ref: '#/components/schemas/Cases_owner' - templates: - $ref: '#/components/schemas/Cases_templates' - updated_at: - example: '2022-06-01T19:58:48.169Z' - format: date-time - nullable: true - type: string - updated_by: - nullable: true - type: object - properties: - email: - example: null - nullable: true - type: string - full_name: - example: null - nullable: true - type: string - profile_uid: - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - type: string - username: - example: elastic - nullable: true - type: string - required: - - email - - full_name - - username - version: - example: WzIwNzMsMV0= - type: string - type: array - description: Indicates a successful call. + $ref: '#/components/schemas/APM_UI_agent_keys_response' + description: Agent key created successfully + '400': + content: + application/json: + examples: + badRequestResponse: + $ref: '#/components/examples/APM_UI_error_400_response' + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response '401': content: application/json: examples: - response401: - $ref: '#/components/examples/Cases_response_401' + unauthorizedResponse: + $ref: '#/components/examples/APM_UI_error_401_response' schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. 
- summary: Get case settings + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '403': + content: + application/json: + examples: + forbiddenResponse: + $ref: '#/components/examples/APM_UI_error_403_response' + schema: + $ref: '#/components/schemas/APM_UI_403_response' + description: Forbidden response + '500': + content: + application/json: + examples: + internalServerErrorResponse: + $ref: '#/components/examples/APM_UI_error_500_response' + schema: + $ref: '#/components/schemas/APM_UI_500_response' + description: Internal Server Error response + summary: Create an APM agent key tags: - - cases + - APM agent keys + x-metaTags: + - content: Kibana + name: product_name + /api/apm/fleet/apm_server_schema: post: - description: > - Case settings include external connection details, custom fields, and - templates. Connectors are used to interface with external systems. You - must create a connector before you can use it in your cases. If you set - a default connector, it is automatically selected when you create cases - in Kibana. If you use the create case API, however, you must still - specify all of the connector details. You must have `all` privileges for - the **Cases** feature in the **Management**, **Observability**, or - **Security** section of the Kibana feature privileges, depending on - where you are creating cases. - operationId: setCaseConfigurationDefaultSpace + deprecated: true + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/apm/fleet/apm_server_schema
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + DEPRECATED: This endpoint is intended for internal use by Fleet integrations to push the APM Server configuration schema. Do not use for new integrations. It stores the provided schema object as a Kibana saved object. If Fleet migration is not available on the current deployment, the API returns a 404. + operationId: saveApmServerSchema parameters: - - $ref: '#/components/parameters/Cases_kbn_xsrf' + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - $ref: '#/components/parameters/APM_UI_kbn_xsrf' requestBody: content: application/json: examples: - setCaseConfigRequest: - $ref: '#/components/examples/Cases_set_case_configuration_request' + saveApmServerSchemaRequest: + description: An example request payload for `POST /api/apm/fleet/apm_server_schema`. + value: + schema: + foo: bar schema: - $ref: '#/components/schemas/Cases_set_case_configuration_request' + type: object + properties: + schema: + additionalProperties: true + description: Schema object + example: + foo: bar + type: object + required: true responses: '200': content: application/json: examples: - setCaseConfigResponse: - $ref: '#/components/examples/Cases_set_case_configuration_response' + saveApmServerSchemaResponseExample1: + $ref: '#/components/examples/APM_UI_fleet_apm_server_schema_200_response1' schema: + additionalProperties: false + description: The response body is intentionally empty for this endpoint. type: object - properties: - closure_type: - $ref: '#/components/schemas/Cases_closure_types' - connector: - type: object - properties: - fields: - description: >- - The fields specified in the case configuration are not - used and are not propagated to individual cases, - therefore it is recommended to set it to `null`. - nullable: true - type: object - id: - description: >- - The identifier for the connector. If you do not want a - default connector, use `none`. 
To retrieve connector - IDs, use the find connectors API. - example: none - type: string - name: - description: >- - The name of the connector. If you do not want a - default connector, use `none`. To retrieve connector - names, use the find connectors API. - example: none - type: string - type: - $ref: '#/components/schemas/Cases_connector_types' - created_at: - example: '2022-06-01T17:07:17.767Z' - format: date-time - type: string - created_by: - type: object - properties: - email: - example: null - nullable: true - type: string - full_name: - example: null - nullable: true - type: string - profile_uid: - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - type: string - username: - example: elastic - nullable: true - type: string - required: - - email - - full_name - - username - customFields: - description: Custom fields configuration details. - items: - type: object - properties: - defaultValue: - description: > - A default value for the custom field. If the `type` - is `text`, the default value must be a string. If - the `type` is `toggle`, the default value must be - boolean. - oneOf: - - type: string - - type: boolean - key: - description: > - A unique key for the custom field. Must be lower - case and composed only of a-z, 0-9, '_', and '-' - characters. It is used in API calls to refer to a - specific custom field. - maxLength: 36 - minLength: 1 - type: string - label: - description: >- - The custom field label that is displayed in the - case. - maxLength: 50 - minLength: 1 - type: string - type: - description: The type of the custom field. - enum: - - text - - toggle - type: string - required: - description: > - Indicates whether the field is required. If `false`, - the custom field can be set to null or omitted when - a case is created or updated. 
- type: boolean - type: array - error: - example: null - nullable: true - type: string - id: - example: 4a97a440-e1cd-11ec-be9b-9b1838238ee6 - type: string - mappings: - items: - type: object - properties: - action_type: - example: overwrite - type: string - source: - example: title - type: string - target: - example: summary - type: string - type: array - observableTypes: - description: Custom observable type configuration details. - items: - type: object - properties: - key: - description: The observable type key. - example: d312efda-ec2b-42ec-9e2c-84981795c581 - type: string - label: - description: The observable type label. - example: My observable type - type: string - type: array - owner: - $ref: '#/components/schemas/Cases_owner' - templates: - $ref: '#/components/schemas/Cases_templates' - updated_at: - example: '2022-06-01T19:58:48.169Z' - format: date-time - nullable: true - type: string - updated_by: - nullable: true - type: object - properties: - email: - example: null - nullable: true - type: string - full_name: - example: null - nullable: true - type: string - profile_uid: - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - type: string - username: - example: elastic - nullable: true - type: string - required: - - email - - full_name - - username - version: - example: WzIwNzMsMV0= - type: string - description: Indicates a successful call. + description: Successful response + '400': + content: + application/json: + examples: + badRequestResponse: + $ref: '#/components/examples/APM_UI_error_400_response' + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response '401': content: application/json: examples: - response401: - $ref: '#/components/examples/Cases_response_401' + unauthorizedResponse: + $ref: '#/components/examples/APM_UI_error_401_response' schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. 
- summary: Add case settings + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '403': + content: + application/json: + examples: + forbiddenResponse: + $ref: '#/components/examples/APM_UI_error_403_response' + schema: + $ref: '#/components/schemas/APM_UI_403_response' + description: Forbidden response + '404': + content: + application/json: + examples: + notFoundResponse: + $ref: '#/components/examples/APM_UI_error_404_response' + schema: + $ref: '#/components/schemas/APM_UI_404_response' + description: Not found response + summary: Save APM server schema tags: - - cases - /api/cases/configure/{configurationId}: - patch: - description: > - Updates setting details such as the closure type, custom fields, - templates, and the default connector for cases. Connectors are used to - interface with external systems. You must create a connector before you - can use it in your cases. You must have `all` privileges for the - **Cases** feature in the **Management**, **Observability**, or - **Security** section of the Kibana feature privileges, depending on - where the case was created. - operationId: updateCaseConfigurationDefaultSpace + - APM server schema + x-metaTags: + - content: Kibana + name: product_name + /api/apm/services/{serviceName}/annotation: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/apm/services/{serviceName}/annotation
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new annotation for a specific service. + operationId: createAnnotation parameters: - - $ref: '#/components/parameters/Cases_kbn_xsrf' - - $ref: '#/components/parameters/Cases_configuration_id' + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - $ref: '#/components/parameters/APM_UI_kbn_xsrf' + - description: The name of the service + in: path + name: serviceName + required: true + schema: + type: string requestBody: content: application/json: examples: - updateCaseConfigurationRequest: - $ref: '#/components/examples/Cases_update_case_configuration_request' + createAnnotationRequest1: + $ref: '#/components/examples/APM_UI_annotation_object_post_request1' schema: - $ref: '#/components/schemas/Cases_update_case_configuration_request' + $ref: '#/components/schemas/APM_UI_create_annotation_object' + required: true responses: '200': content: application/json: examples: - updateCaseConfigurationResponse: - $ref: >- - #/components/examples/Cases_update_case_configuration_response + createAnnotationResponse1: + $ref: '#/components/examples/APM_UI_annotation_object_post_200_response1' schema: - type: object - properties: - closure_type: - $ref: '#/components/schemas/Cases_closure_types' - connector: - type: object - properties: - fields: - description: >- - The fields specified in the case configuration are not - used and are not propagated to individual cases, - therefore it is recommended to set it to `null`. - nullable: true - type: object - id: - description: >- - The identifier for the connector. If you do not want a - default connector, use `none`. To retrieve connector - IDs, use the find connectors API. - example: none - type: string - name: - description: >- - The name of the connector. If you do not want a - default connector, use `none`. To retrieve connector - names, use the find connectors API. 
- example: none - type: string - type: - $ref: '#/components/schemas/Cases_connector_types' - created_at: - example: '2022-06-01T17:07:17.767Z' - format: date-time - type: string - created_by: - type: object - properties: - email: - example: null - nullable: true - type: string - full_name: - example: null - nullable: true - type: string - profile_uid: - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - type: string - username: - example: elastic - nullable: true - type: string - required: - - email - - full_name - - username - customFields: - description: Custom fields configuration details. - items: - type: object - properties: - defaultValue: - description: > - A default value for the custom field. If the `type` - is `text`, the default value must be a string. If - the `type` is `toggle`, the default value must be - boolean. - oneOf: - - type: string - - type: boolean - key: - description: > - A unique key for the custom field. Must be lower - case and composed only of a-z, 0-9, '_', and '-' - characters. It is used in API calls to refer to a - specific custom field. - maxLength: 36 - minLength: 1 - type: string - label: - description: >- - The custom field label that is displayed in the - case. - maxLength: 50 - minLength: 1 - type: string - type: - description: The type of the custom field. - enum: - - text - - toggle - type: string - required: - description: > - Indicates whether the field is required. If `false`, - the custom field can be set to null or omitted when - a case is created or updated. - type: boolean - type: array - error: - example: null - nullable: true - type: string - id: - example: 4a97a440-e1cd-11ec-be9b-9b1838238ee6 - type: string - mappings: - items: - type: object - properties: - action_type: - example: overwrite - type: string - source: - example: title - type: string - target: - example: summary - type: string - type: array - observableTypes: - description: Custom observable type configuration details. 
- items: - type: object - properties: - key: - description: The observable type key. - example: d312efda-ec2b-42ec-9e2c-84981795c581 - type: string - label: - description: The observable type label. - example: My observable type - type: string - type: array - owner: - $ref: '#/components/schemas/Cases_owner' - templates: - $ref: '#/components/schemas/Cases_templates' - updated_at: - example: '2022-06-01T19:58:48.169Z' - format: date-time - nullable: true - type: string - updated_by: - nullable: true - type: object - properties: - email: - example: null - nullable: true - type: string - full_name: - example: null - nullable: true - type: string - profile_uid: - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - type: string - username: - example: elastic - nullable: true - type: string - required: - - email - - full_name - - username - version: - example: WzIwNzMsMV0= - type: string - description: Indicates a successful call. + $ref: '#/components/schemas/APM_UI_create_annotation_response' + description: Annotation created successfully + '400': + content: + application/json: + examples: + badRequestResponse: + $ref: '#/components/examples/APM_UI_error_400_response' + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response '401': content: application/json: examples: - response401: - $ref: '#/components/examples/Cases_response_401' + unauthorizedResponse: + $ref: '#/components/examples/APM_UI_error_401_response' schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. - summary: Update case settings - tags: - - cases - /api/cases/configure/connectors/_find: - get: - description: > - Get information about connectors that are supported for use in cases. - You must have `read` privileges for the **Actions and Connectors** - feature in the **Management** section of the Kibana feature privileges. 
- operationId: findCaseConnectorsDefaultSpace - responses: - '200': + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '403': content: application/json: examples: - findConnectorResponse: - $ref: '#/components/examples/Cases_find_connector_response' + forbiddenResponse: + $ref: '#/components/examples/APM_UI_error_403_response' schema: - items: - type: object - properties: - actionTypeId: - $ref: '#/components/schemas/Cases_connector_types' - config: - additionalProperties: true - type: object - properties: - apiUrl: - type: string - projectKey: - type: string - id: - type: string - isDeprecated: - type: boolean - isMissingSecrets: - type: boolean - isPreconfigured: - type: boolean - name: - type: string - referencedByCount: - type: integer - maxItems: 1000 - type: array - description: Indicates a successful call. - '401': + $ref: '#/components/schemas/APM_UI_403_response' + description: Forbidden response + '404': content: application/json: examples: - response401: - $ref: '#/components/examples/Cases_response_401' + notFoundResponse: + $ref: '#/components/examples/APM_UI_error_404_response' schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. 
- summary: Get case connectors + $ref: '#/components/schemas/APM_UI_404_response' + description: Not found response + summary: Create a service annotation tags: - - cases - /api/cases/reporters: + - APM annotations + x-codeSamples: + - lang: Curl + source: | + curl -X POST \ + http://localhost:5601/api/apm/services/opbeans-java/annotation \ + -H 'Content-Type: application/json' \ + -H 'kbn-xsrf: true' \ + -H 'Authorization: Basic YhUlubWZhM0FDbnlQeE6WRtaW49FQmSGZ4RUWXdX' \ + -d '{ + "@timestamp": "2020-05-08T10:31:30.452Z", + "service": { + "version": "1.2" + }, + "message": "Deployment 1.2" + }' + x-metaTags: + - content: Kibana + name: product_name + /api/apm/services/{serviceName}/annotation/search: get: - description: > - Returns information about the users who opened cases. You must have read - privileges for the **Cases** feature in the **Management**, - **Observability**, or **Security** section of the Kibana feature - privileges, depending on the owner of the cases. The API returns - information about the users as they existed at the time of the case - creation, including their name, full name, and email address. If any of - those details change thereafter or if a user is deleted, the information - returned by this API is unchanged. - operationId: getCaseReportersDefaultSpace + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/apm/services/{serviceName}/annotation/search
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Search for annotations related to a specific service. + operationId: getAnnotation parameters: - - $ref: '#/components/parameters/Cases_owner_filter' + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - description: The name of the service + in: path + name: serviceName + required: true + schema: + type: string + - description: The environment to filter annotations by + in: query + name: environment + required: false + schema: + type: string + - description: The start date for the search + example: '2024-01-01T00:00:00.000Z' + in: query + name: start + required: false + schema: + format: date-time + type: string + - description: The end date for the search + example: '2024-01-31T23:59:59.999Z' + in: query + name: end + required: false + schema: + format: date-time + type: string responses: '200': content: application/json: examples: - getReportersResponse: - $ref: '#/components/examples/Cases_get_reporters_response' + getAnnotationResponse1: + $ref: '#/components/examples/APM_UI_annotation_search_get_200_response1' schema: - items: - type: object - properties: - email: - example: null - nullable: true - type: string - full_name: - example: null - nullable: true - type: string - profile_uid: - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - type: string - username: - example: elastic - nullable: true - type: string - required: - - email - - full_name - - username - maxItems: 10000 - type: array - description: Indicates a successful call. 
- '401': + $ref: '#/components/schemas/APM_UI_annotation_search_response' + description: Successful response + '400': content: application/json: examples: - response401: - $ref: '#/components/examples/Cases_response_401' + badRequestResponse: + $ref: '#/components/examples/APM_UI_error_400_response' schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. - summary: Get case creators - tags: - - cases - /api/cases/tags: - get: - description: > - Aggregates and returns a list of case tags. You must have read - privileges for the **Cases** feature in the **Management**, - **Observability**, or **Security** section of the Kibana feature - privileges, depending on the owner of the cases you're seeking. - operationId: getCaseTagsDefaultSpace - parameters: - - $ref: '#/components/parameters/Cases_owner_filter' - responses: - '200': + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': content: application/json: examples: - getTagsResponse: - $ref: '#/components/examples/Cases_get_tags_response' + unauthorizedResponse: + $ref: '#/components/examples/APM_UI_error_401_response' schema: - items: - type: string - maxItems: 10000 - type: array - description: Indicates a successful call. - '401': + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '500': content: application/json: examples: - response401: - $ref: '#/components/examples/Cases_response_401' + internalServerErrorResponse: + $ref: '#/components/examples/APM_UI_error_500_response' schema: - $ref: '#/components/schemas/Cases_response_4xx' - description: Authorization information is missing or invalid. - summary: Get case tags + $ref: '#/components/schemas/APM_UI_500_response' + description: Internal Server Error response + summary: Search for annotations tags: - - cases - /api/data_views: - get: - description: > - Retrieve a list of all data views. 
Use this endpoint to identify - available data views in the current Kibana space. - operationId: getAllDataViewsDefault + - APM annotations + x-metaTags: + - content: Kibana + name: product_name + /api/apm/settings/agent-configuration: + delete: + description: | + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/apm/settings/agent-configuration
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete an existing agent configuration. You must have `all` privileges for the APM and User Experience feature in Kibana. When successful, the configuration is removed and, if Fleet is enabled, APM package policies are synchronized accordingly. + operationId: deleteAgentConfiguration + parameters: + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - $ref: '#/components/parameters/APM_UI_kbn_xsrf' + requestBody: + content: + application/json: + examples: + deleteAgentConfigurationRequest1: + $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_delete_request1' + schema: + $ref: '#/components/schemas/APM_UI_delete_service_object' + required: true responses: '200': content: application/json: examples: - getAllDataViewsResponse: - $ref: '#/components/examples/Data_views_get_data_views_response' + deleteAgentConfigurationResponseExample1: + $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_delete_200_response1' schema: - type: object - properties: - data_view: - items: - type: object - properties: - id: - type: string - name: - type: string - namespaces: - items: - type: string - type: array - title: - type: string - typeMeta: - type: object - type: array - description: Indicates a successful call. 
+ $ref: '#/components/schemas/APM_UI_delete_agent_configurations_response' + description: Successful response '400': content: application/json: examples: - getAllDataViewsBadRequest: - $ref: '#/components/examples/Data_views_error_400_response' + badRequestResponse: + $ref: '#/components/examples/APM_UI_error_400_response' schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Get all data views - tags: - - data views - x-codeSamples: - - lang: curl - source: | - curl \ - -X GET "${KIBANA_URL}/api/data_views" \ - -H "Authorization: ApiKey ${API_KEY}" - - lang: Console - source: | - GET kbn://api/data_views - /api/data_views/data_view: - post: - description: > - Create a data view. Data views identify the Elasticsearch data you want - to explore and visualize. They can point to one or more data streams, - indices, or index aliases, and use optional runtime fields to compute - values at query time. Note that data views are not required for - ES|QL-based visualizations. To learn more, refer to the [data views - documentation](https://www.elastic.co/docs/explore-analyze/find-and-organize/data-views). - operationId: createDataViewDefaultw - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - requestBody: - content: - application/json: - examples: - createDataViewRequest: - $ref: '#/components/examples/Data_views_create_data_view_request' - schema: - $ref: '#/components/schemas/Data_views_create_data_view_request_object' - required: true - responses: - '200': + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': content: application/json: examples: - createDataViewResponse: - $ref: '#/components/examples/Data_views_create_data_view_response' + unauthorizedResponse: + $ref: '#/components/examples/APM_UI_error_401_response' schema: - $ref: '#/components/schemas/Data_views_data_view_response_object' - description: Indicates a successful call. 
- '400': + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '403': content: application/json: examples: - createDataViewBadRequest: - $ref: '#/components/examples/Data_views_error_400_response' + forbiddenResponse: + $ref: '#/components/examples/APM_UI_error_403_response' schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Create a data view - tags: - - data views - x-codeSamples: - - lang: curl - source: | - curl \ - -X POST "${KIBANA_URL}/api/data_views/data_view" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" \ - -H "Content-Type: application/json" \ - -d '{"data_view":{"title":"logstash-*","name":"My Logstash data view"}}' - - lang: Console - source: | - POST kbn://api/data_views/data_view - {"data_view":{"title":"logstash-*","name":"My Logstash data view"}} - /api/data_views/data_view/{viewId}: - delete: - description: > - Delete a data view by its identifier. WARNING: When you delete a data - view, it cannot be recovered. - operationId: deleteDataViewDefault - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - - $ref: '#/components/parameters/Data_views_view_id' - responses: - '204': - description: Indicates a successful call. + $ref: '#/components/schemas/APM_UI_403_response' + description: Forbidden response '404': content: application/json: examples: - deleteDataViewNotFound: - $ref: '#/components/examples/Data_views_error_404_response' + notFoundResponse: + $ref: '#/components/examples/APM_UI_error_404_response' schema: - $ref: '#/components/schemas/Data_views_404_response' - description: Object is not found. 
- summary: Delete a data view + $ref: '#/components/schemas/APM_UI_404_response' + description: Not found response + summary: Delete agent configuration tags: - - data views - x-codeSamples: - - lang: curl - source: | - curl \ - -X DELETE "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" - - lang: Console - source: | - DELETE kbn://api/data_views/data_view/{viewId} + - APM agent configuration + x-metaTags: + - content: Kibana + name: product_name get: - description: > - Retrieve a single data view by its identifier. Data views identify the - Elasticsearch data you want to explore and visualize. They can point to - one or more data streams, indices, or index aliases, and use optional - runtime fields to compute values at query time. Note that data views are - not required for ES|QL-based visualizations. To learn more, refer to the - [data views - documentation](https://www.elastic.co/docs/explore-analyze/find-and-organize/data-views). - operationId: getDataViewDefault + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/apm/settings/agent-configuration
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve all agent configurations. You must have `read` privileges for the APM and User Experience feature in Kibana. If agent configuration is not available on the current deployment, the API returns a 404. + operationId: getAgentConfigurations parameters: - - $ref: '#/components/parameters/Data_views_view_id' + - $ref: '#/components/parameters/APM_UI_elastic_api_version' responses: '200': content: application/json: examples: - getDataViewResponse: - $ref: '#/components/examples/Data_views_get_data_view_response' + getAgentConfigurationsResponseExample1: + $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_get_200_response1' schema: - $ref: '#/components/schemas/Data_views_data_view_response_object' - description: Indicates a successful call. - '404': + $ref: '#/components/schemas/APM_UI_agent_configurations_response' + description: Successful response + '400': content: application/json: examples: - getDataViewNotFound: - $ref: '#/components/examples/Data_views_error_404_response' + badRequestResponse: + $ref: '#/components/examples/APM_UI_error_400_response' schema: - $ref: '#/components/schemas/Data_views_404_response' - description: Object is not found. - summary: Get a data view - tags: - - data views - x-codeSamples: - - lang: curl - source: | - curl \ - -X GET "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}" \ - -H "Authorization: ApiKey ${API_KEY}" - - lang: Console - source: | - GET kbn://api/data_views/data_view/{viewId} - post: - description: > - Update an existing data view. Only the fields provided in the request - body are updated. 
- operationId: updateDataViewDefault - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - - $ref: '#/components/parameters/Data_views_view_id' - requestBody: - content: - application/json: - examples: - updateDataViewRequest: - $ref: '#/components/examples/Data_views_update_data_view_request' - schema: - $ref: '#/components/schemas/Data_views_update_data_view_request_object' - required: true - responses: - '200': + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': content: application/json: examples: - updateDataViewResponse: - $ref: '#/components/examples/Data_views_get_data_view_response' + unauthorizedResponse: + $ref: '#/components/examples/APM_UI_error_401_response' schema: - $ref: '#/components/schemas/Data_views_data_view_response_object' - description: Indicates a successful call. - '400': + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '404': content: application/json: examples: - updateDataViewBadRequest: - $ref: '#/components/examples/Data_views_error_400_response' + notFoundResponse: + $ref: '#/components/examples/APM_UI_error_404_response' schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Update a data view + $ref: '#/components/schemas/APM_UI_404_response' + description: Not found response + summary: Get a list of agent configurations tags: - - data views - x-codeSamples: - - lang: curl - source: | - curl \ - -X POST "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" \ - -H "Content-Type: application/json" \ - -d '{"data_view":{"name":"Updated data view name"}}' - - lang: Console - source: | - POST kbn://api/data_views/data_view/{viewId} - {"data_view":{"name":"Updated data view name"}} - /api/data_views/data_view/{viewId}/fields: - post: - description: > - Update field metadata for a data view. 
Use this endpoint to set custom - labels, custom descriptions, and format overrides for individual fields. - operationId: updateFieldsMetadataDefault + - APM agent configuration + x-metaTags: + - content: Kibana + name: product_name + put: + description: | + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/apm/settings/agent-configuration
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create or update an agent configuration. You must have `all` privileges for the APM and User Experience feature in Kibana. When updating an existing configuration, the `?overwrite=true` query parameter is required. If the configuration already exists and `overwrite` is not set to `true`, the API returns a 400 error. When successful and Fleet is enabled, APM package policies are synchronized accordingly. + operationId: createUpdateAgentConfiguration parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - - $ref: '#/components/parameters/Data_views_view_id' + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - $ref: '#/components/parameters/APM_UI_kbn_xsrf' + - description: If the config exists ?overwrite=true is required + in: query + name: overwrite + schema: + type: boolean requestBody: content: application/json: examples: - updateFieldsMetadataRequest: - $ref: '#/components/examples/Data_views_update_field_metadata_request' + createUpdateAgentConfigurationRequestExample1: + $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_put_request1' schema: - type: object - properties: - fields: - description: The field object. - type: object - required: - - fields + $ref: '#/components/schemas/APM_UI_agent_configuration_intake_object' required: true responses: '200': content: application/json: examples: - updateFieldsMetadataResponse: - $ref: >- - #/components/examples/Data_views_update_field_metadata_response + createUpdateAgentConfigurationResponseExample1: + $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_put_200_response1' schema: + additionalProperties: false + description: The response body is intentionally empty for this endpoint. type: object - properties: - acknowledged: - type: boolean - description: Indicates a successful call. 
+ description: Successful response '400': content: application/json: examples: - updateFieldsMetadataBadRequest: - $ref: '#/components/examples/Data_views_error_400_response' + badRequestResponse: + $ref: '#/components/examples/APM_UI_error_400_response' schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Update field metadata - tags: - - data views - x-codeSamples: - - lang: curl - source: | - curl \ - -X POST "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}/fields" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" \ - -H "Content-Type: application/json" \ - -d '{"fields":{"field_name":{"customLabel":"My custom label"}}}' - - lang: Console - source: | - POST kbn://api/data_views/data_view/{viewId}/fields - {"fields":{"field_name":{"customLabel":"My custom label"}}} - /api/data_views/data_view/{viewId}/runtime_field: - post: - description: > - Create a runtime field for a data view. Runtime fields are computed at - query time using a [Painless - script](https://www.elastic.co/docs/explore-analyze/scripting/modules-scripting-painless) - and do not require reindexing. If no `script` is provided, the runtime - field returns the corresponding value from the document `_source`. - operationId: createRuntimeFieldDefault - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - - $ref: '#/components/parameters/Data_views_view_id' - requestBody: - content: - application/json: - examples: - createRuntimeFieldRequest: - $ref: '#/components/examples/Data_views_create_runtime_field_request' - schema: - type: object - properties: - name: - description: | - The name for a runtime field. - type: string - runtimeField: - description: | - The runtime field definition object. 
- type: object - required: - - name - - runtimeField - required: true - responses: - '200': + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': content: application/json: examples: - createRuntimeFieldResponse: - $ref: >- - #/components/examples/Data_views_create_runtime_field_response + unauthorizedResponse: + $ref: '#/components/examples/APM_UI_error_401_response' schema: - type: object - description: Indicates a successful call. - summary: Create a runtime field + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '403': + content: + application/json: + examples: + forbiddenResponse: + $ref: '#/components/examples/APM_UI_error_403_response' + schema: + $ref: '#/components/schemas/APM_UI_403_response' + description: Forbidden response + '404': + content: + application/json: + examples: + notFoundResponse: + $ref: '#/components/examples/APM_UI_error_404_response' + schema: + $ref: '#/components/schemas/APM_UI_404_response' + description: Not found response + summary: Create or update agent configuration tags: - - data views - x-codeSamples: - - lang: curl - source: | - curl \ - -X POST "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}/runtime_field" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" \ - -H "Content-Type: application/json" \ - -d '{"name":"hour_of_day","runtimeField":{"type":"long","script":{"source":"emit(doc['"'"'timestamp'"'"'].value.getHour())"}}}' - - lang: Console - source: > - POST kbn://api/data_views/data_view/{viewId}/runtime_field + - APM agent configuration + x-metaTags: + - content: Kibana + name: product_name + /api/apm/settings/agent-configuration/agent_name: + get: + description: |- + **Spaces method and path for this operation:** - {"name":"hour_of_day","runtimeField":{"type":"long","script":{"source":"emit(doc['timestamp'].value.getHour())"}}} - put: - description: > - Create or update a runtime field for a data view. 
If the runtime field - already exists, it is replaced with the new definition. - operationId: createUpdateRuntimeFieldDefault +
get /s/{space_id}/api/apm/settings/agent-configuration/agent_name
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve `agentName` for a service. + operationId: getAgentNameForService parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - - description: | - The ID of the data view fields you want to update. - in: path - name: viewId + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - description: The name of the service + example: node + in: query + name: serviceName required: true schema: type: string - requestBody: - content: - application/json: - examples: - updateRuntimeFieldRequest: - $ref: '#/components/examples/Data_views_create_runtime_field_request' - schema: - type: object - properties: - name: - description: | - The name for a runtime field. - type: string - runtimeField: - description: | - The runtime field definition object. - type: object - required: - - name - - runtimeField - required: true responses: '200': content: application/json: examples: - createUpdateRuntimeFieldResponse: - $ref: >- - #/components/examples/Data_views_create_runtime_field_response + getAgentNameForServiceResponse1: + $ref: '#/components/examples/APM_UI_service_agent_name_get_200_response1' schema: - type: object - properties: - data_view: - type: object - fields: - items: - type: object - type: array - description: Indicates a successful call. 
+ $ref: '#/components/schemas/APM_UI_service_agent_name_response' + description: Successful response '400': content: application/json: examples: - createUpdateRuntimeFieldBadRequest: - $ref: '#/components/examples/Data_views_error_400_response' + badRequestResponse: + $ref: '#/components/examples/APM_UI_error_400_response' schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Create or update a runtime field - tags: - - data views - x-codeSamples: - - lang: curl - source: | - curl \ - -X PUT "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}/runtime_field" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" \ - -H "Content-Type: application/json" \ - -d '{"name":"hour_of_day","runtimeField":{"type":"long","script":{"source":"emit(doc['"'"'timestamp'"'"'].value.getHour())"}}}' - - lang: Console - source: > - PUT kbn://api/data_views/data_view/{viewId}/runtime_field - - {"name":"hour_of_day","runtimeField":{"type":"long","script":{"source":"emit(doc['timestamp'].value.getHour())"}}} - /api/data_views/data_view/{viewId}/runtime_field/{fieldName}: - delete: - description: | - Delete a runtime field from a data view. - operationId: deleteRuntimeFieldDefault - parameters: - - $ref: '#/components/parameters/Data_views_field_name' - - $ref: '#/components/parameters/Data_views_view_id' - responses: - '200': - description: Indicates a successful call. 
+ $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': + content: + application/json: + examples: + unauthorizedResponse: + $ref: '#/components/examples/APM_UI_error_401_response' + schema: + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response '404': content: application/json: examples: - deleteRuntimeFieldNotFound: - $ref: '#/components/examples/Data_views_error_404_response' + notFoundResponse: + $ref: '#/components/examples/APM_UI_error_404_response' schema: - $ref: '#/components/schemas/Data_views_404_response' - description: Object is not found. - summary: Delete a runtime field + $ref: '#/components/schemas/APM_UI_404_response' + description: Not found response + summary: Get agent name for service tags: - - data views - x-codeSamples: - - lang: curl - source: | - curl \ - -X DELETE "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}/runtime_field/${FIELD_NAME}" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" - - lang: Console - source: > - DELETE - kbn://api/data_views/data_view/{viewId}/runtime_field/{fieldName} + - APM agent configuration + x-metaTags: + - content: Kibana + name: product_name + /api/apm/settings/agent-configuration/environments: get: description: | - Retrieve a single runtime field by name from a data view. - operationId: getRuntimeFieldDefault + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/apm/settings/agent-configuration/environments
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve the available environments for a given service, to be used in agent configuration. You must have `read` privileges for the APM and User Experience feature in Kibana. If `serviceName` is omitted, environments across all services are returned. + operationId: getEnvironmentsForService parameters: - - $ref: '#/components/parameters/Data_views_field_name' - - $ref: '#/components/parameters/Data_views_view_id' + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - description: The name of the service. If omitted, environments across all services are returned. + example: opbeans-node + in: query + name: serviceName + schema: + type: string responses: '200': content: application/json: examples: - getRuntimeFieldResponse: - $ref: '#/components/examples/Data_views_get_runtime_field_response' - schema: - type: object - properties: - data_view: - type: object - fields: - items: - type: object - type: array - description: Indicates a successful call. - '404': - content: - application/json: - examples: - getRuntimeFieldNotFound: - $ref: '#/components/examples/Data_views_error_404_response' + getEnvironmentsForServiceResponseExample1: + $ref: '#/components/examples/APM_UI_agent_configuration_environments_200_response1' schema: - $ref: '#/components/schemas/Data_views_404_response' - description: Object is not found. - summary: Get a runtime field - tags: - - data views - x-codeSamples: - - lang: curl - source: | - curl \ - -X GET "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}/runtime_field/${FIELD_NAME}" \ - -H "Authorization: ApiKey ${API_KEY}" - - lang: Console - source: > - GET - kbn://api/data_views/data_view/{viewId}/runtime_field/{fieldName} - post: - description: > - Update an existing runtime field in a data view. Only the fields - provided in the request body are updated. 
- operationId: updateRuntimeFieldDefault - parameters: - - $ref: '#/components/parameters/Data_views_field_name' - - $ref: '#/components/parameters/Data_views_view_id' - requestBody: - content: - application/json: - examples: - updateRuntimeFieldRequest: - $ref: '#/components/examples/Data_views_update_runtime_field_request' - schema: - type: object - properties: - runtimeField: - description: | - The runtime field definition object. - - You can update following fields: - - - `type` - - `script` - type: object - required: - - runtimeField - required: true - responses: - '200': - description: Indicates a successful call. + $ref: '#/components/schemas/APM_UI_service_environments_response' + description: Successful response '400': content: application/json: examples: - updateRuntimeFieldBadRequest: - $ref: '#/components/examples/Data_views_error_400_response' + badRequestResponse: + $ref: '#/components/examples/APM_UI_error_400_response' schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Update a runtime field - tags: - - data views - x-codeSamples: - - lang: curl - source: | - curl \ - -X POST "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}/runtime_field/${FIELD_NAME}" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" \ - -H "Content-Type: application/json" \ - -d '{"runtimeField":{"type":"long","script":{"source":"emit(doc['"'"'timestamp'"'"'].value.getHour())"}}}' - - lang: Console - source: > - POST - kbn://api/data_views/data_view/{viewId}/runtime_field/{fieldName} - - {"runtimeField":{"type":"long","script":{"source":"emit(doc['timestamp'].value.getHour())"}}} - /api/data_views/default: - get: - description: > - Retrieve the identifier of the default data view for the current Kibana - space. 
- operationId: getDefaultDataViewDefault - responses: - '200': + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': content: application/json: examples: - getDefaultDataViewResponse: - $ref: >- - #/components/examples/Data_views_get_default_data_view_response + unauthorizedResponse: + $ref: '#/components/examples/APM_UI_error_401_response' schema: - type: object - properties: - data_view_id: - type: string - description: Indicates a successful call. - '400': + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '404': content: application/json: examples: - getDefaultDataViewBadRequest: - $ref: '#/components/examples/Data_views_error_400_response' + notFoundResponse: + $ref: '#/components/examples/APM_UI_error_404_response' schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Get the default data view + $ref: '#/components/schemas/APM_UI_404_response' + description: Not found response + summary: Get environments for service tags: - - data views - x-codeSamples: - - lang: curl - source: | - curl \ - -X GET "${KIBANA_URL}/api/data_views/default" \ - -H "Authorization: ApiKey ${API_KEY}" - - lang: Console - source: | - GET kbn://api/data_views/default + - APM agent configuration + x-metaTags: + - content: Kibana + name: product_name + /api/apm/settings/agent-configuration/search: post: - description: > - Set the default data view for the current Kibana space. The default data - view is used as a fallback when no specific data view is selected. - operationId: setDefaultDatailViewDefault + deprecated: true + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/apm/settings/agent-configuration/search
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + DEPRECATED: This endpoint is intended for internal use by APM agents to fetch their configuration and mark it as applied. Do not use for new integrations. It searches for a single agent configuration matching the given service, and optionally updates the `applied_by_agent` field when the provided `etag` matches the current configuration. + operationId: searchSingleConfiguration parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - $ref: '#/components/parameters/APM_UI_kbn_xsrf' requestBody: content: application/json: examples: - setDefaultDataViewRequest: - $ref: '#/components/examples/Data_views_set_default_data_view_request' + searchSingleConfigurationRequest1: + $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_search_request1' schema: - type: object - properties: - data_view_id: - description: > - The data view identifier. NOTE: The API does not validate - whether it is a valid identifier. Use `null` to unset the - default data view. - nullable: true - type: string - force: - default: false - description: Update an existing default data view identifier. - type: boolean - required: - - data_view_id + $ref: '#/components/schemas/APM_UI_search_agent_configuration_object' required: true responses: '200': content: application/json: examples: - setDefaultDataViewResponse: - $ref: >- - #/components/examples/Data_views_set_default_data_view_response + searchSingleConfigurationResponse1: + $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_search_200_response1' schema: - type: object - properties: - acknowledged: - type: boolean - description: Indicates a successful call. 
+ $ref: '#/components/schemas/APM_UI_search_agent_configuration_response' + description: Successful response '400': content: application/json: examples: - setDefaultDataViewBadRequest: - $ref: '#/components/examples/Data_views_error_400_response' + badRequestResponse: + $ref: '#/components/examples/APM_UI_error_400_response' schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Set the default data view - tags: - - data views - x-codeSamples: - - lang: curl - source: | - curl \ - -X POST "${KIBANA_URL}/api/data_views/default" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" \ - -H "Content-Type: application/json" \ - -d '{"data_view_id":"ff959d40-b880-11e8-a6d9-e546fe2bba5f","force":true}' - - lang: Console - source: | - POST kbn://api/data_views/default - {"data_view_id":"ff959d40-b880-11e8-a6d9-e546fe2bba5f","force":true} - /api/data_views/swap_references: - post: - description: > - Swap saved object references from one data view to another. Use this - endpoint to update dashboards, visualizations, and other saved objects - that reference a data view. WARNING: Misuse can break large numbers of - saved objects! Use the - [`_preview`](https://www.elastic.co/docs/api/doc/kibana/operation/operation-previewswapdataviewsdefault) - endpoint to see which saved objects would be affected before making - changes. 
- operationId: swapDataViewsDefault - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - requestBody: - content: - application/json: - examples: - swapDataViewRequest: - $ref: '#/components/examples/Data_views_swap_data_view_request' - schema: - $ref: '#/components/schemas/Data_views_swap_data_view_request_object' - required: true - responses: - '200': + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': content: application/json: examples: - swapDataViewResponse: - $ref: '#/components/examples/Data_views_swap_data_view_response' + unauthorizedResponse: + $ref: '#/components/examples/APM_UI_error_401_response' schema: - type: object - properties: - deleteStatus: - type: object - properties: - deletePerformed: - type: boolean - remainingRefs: - type: integer - result: - items: - type: object - properties: - id: - description: A saved object identifier. - type: string - type: - description: The saved object type. - type: string - type: array - description: Indicates a successful call. - summary: Swap saved object references - tags: - - data views - x-codeSamples: - - lang: curl - source: | - curl \ - -X POST "${KIBANA_URL}/api/data_views/swap_references" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" \ - -H "Content-Type: application/json" \ - -d '{"fromId":"abcd-efg","toId":"xyz-123","delete":true}' - - lang: Console - source: | - POST kbn://api/data_views/swap_references - {"fromId":"abcd-efg","toId":"xyz-123","delete":true} - /api/data_views/swap_references/_preview: - post: - description: > - Preview the effect of swapping saved object references from one data - view to another. Returns the list of affected saved objects without - making any changes. 
- operationId: previewSwapDataViewsDefault - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - requestBody: - content: - application/json: - examples: - previewSwapDataViewRequest: - $ref: >- - #/components/examples/Data_views_preview_swap_data_view_request - schema: - $ref: '#/components/schemas/Data_views_swap_data_view_request_object' - required: true - responses: - '200': + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '404': content: application/json: examples: - previewSwapDataViewResponse: - $ref: >- - #/components/examples/Data_views_preview_swap_data_view_response + notFoundResponse: + $ref: '#/components/examples/APM_UI_error_404_response' schema: - type: object - properties: - result: - items: - type: object - properties: - id: - description: A saved object identifier. - type: string - type: - description: The saved object type. - type: string - type: array - description: Indicates a successful call. - summary: Preview swap references + $ref: '#/components/schemas/APM_UI_404_response' + description: Not found response + summary: Lookup single agent configuration tags: - - data views - x-codeSamples: - - lang: curl - source: | - curl \ - -X POST "${KIBANA_URL}/api/data_views/swap_references/_preview" \ - -H "Authorization: ApiKey ${API_KEY}" \ - -H "kbn-xsrf: true" \ - -H "Content-Type: application/json" \ - -d '{"fromId":"abcd-efg","toId":"xyz-123"}' - - lang: Console - source: | - POST kbn://api/data_views/swap_references/_preview - {"fromId":"abcd-efg","toId":"xyz-123"} - /api/detection_engine/index: - delete: - description: > - Permanently deletes the Elastic Security alerts backing index in the - current space, including the alerts + - APM agent configuration + x-metaTags: + - content: Kibana + name: product_name + /api/apm/settings/agent-configuration/view: + get: + description: | + **Spaces method and path for this operation:** - stored in it. 
Use with caution; prefer lifecycle policies or the UI when - available. +
get /s/{space_id}/api/apm/settings/agent-configuration/view
- Call `GET /api/detection_engine/index` first to confirm the index that - will be removed. - operationId: DeleteAlertsIndex + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve a single agent configuration matching the given service name and environment. You must have `read` privileges for the APM and User Experience feature in Kibana. If no matching configuration is found, the API returns a 404. + operationId: getSingleAgentConfiguration + parameters: + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - description: Service name + example: node + in: query + name: name + schema: + type: string + - description: Service environment + example: prod + in: query + name: environment + schema: + type: string responses: '200': content: application/json: examples: - acknowledged: - value: - acknowledged: true + getSingleAgentConfigurationResponseExample1: + $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_view_200_response1' schema: - type: object - properties: - acknowledged: - type: boolean - required: - - acknowledged + $ref: '#/components/schemas/APM_UI_single_agent_configuration_response' description: Successful response - '401': + '400': content: application/json: examples: - unauthorized: - value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 + badRequestResponse: + $ref: '#/components/examples/APM_UI_error_400_response' schema: - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': content: application/json: examples: - forbidden: - value: - message: >- - API 
[DELETE /api/detection_engine/index] is unauthorized - for the current user. The user needs alerts management - permissions for the space. - status_code: 403 + unauthorizedResponse: + $ref: '#/components/examples/APM_UI_error_401_response' schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Not enough permissions response + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response '404': content: application/json: examples: - notFound: - value: - message: The Elastic Security alerts index to delete was not found. - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Index does not exist response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 + notFoundResponse: + $ref: '#/components/examples/APM_UI_error_404_response' schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Internal server error response - summary: Delete an alerts index + $ref: '#/components/schemas/APM_UI_404_response' + description: Not found response + summary: Get single agent configuration tags: - - Security Detections API - - Alert index API + - APM agent configuration + x-metaTags: + - content: Kibana + name: product_name + /api/apm/sourcemaps: get: - description: > - Returns the backing Elasticsearch index for Elastic Security detection - alerts in the current space, and + description: | + **Spaces method and path for this operation:** - whether its mapping is outdated. Use this to verify that an alert index - is provisioned before creating +
get /s/{space_id}/api/apm/sourcemaps
- or running rules that write alerts to it. - operationId: ReadAlertsIndex + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get an array of Fleet artifacts, including source map uploads. You must have `read` or `all` Kibana privileges for the APM and User Experience feature. + operationId: getSourceMaps + parameters: + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - description: Page number + in: query + name: page + schema: + type: number + - description: Number of records per page + in: query + name: perPage + schema: + type: number responses: '200': content: application/json: examples: - success: - value: - index_mapping_outdated: false - name: .alerts-security.alerts-default + getSourceMapsResponse1: + $ref: '#/components/examples/APM_UI_source_maps_get_200_response1' schema: - type: object - properties: - index_mapping_outdated: - nullable: true - type: boolean - name: - type: string - required: - - name - - index_mapping_outdated + $ref: '#/components/schemas/APM_UI_source_maps_response' description: Successful response - '401': + '400': content: application/json: examples: - unauthorized: - value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 + badRequestResponse: + $ref: '#/components/examples/APM_UI_error_400_response' schema: - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response + '401': content: application/json: examples: - forbidden: - value: - message: >- - API [GET /api/detection_engine/index] is unauthorized for - the current user. 
Check Security and Kibana feature - privileges (detection engine / alerts) for the space. - status_code: 403 + unauthorizedResponse: + $ref: '#/components/examples/APM_UI_error_401_response' schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Not enough permissions response - '404': + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '500': content: application/json: examples: - notFound: - value: - message: >- - Elastic Security alert index is not found for the current - space. - status_code: 404 + internalServerErrorResponse: + $ref: '#/components/examples/APM_UI_error_500_response' schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Not found - '500': + $ref: '#/components/schemas/APM_UI_500_response' + description: Internal Server Error response + '501': content: application/json: examples: - serverError: - value: - message: Internal Server Error - status_code: 500 + notImplementedResponse: + $ref: '#/components/examples/APM_UI_error_501_response' schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Internal server error response - summary: Reads the alert index name if it exists + $ref: '#/components/schemas/APM_UI_501_response' + description: Not Implemented response + summary: Get source maps tags: - - Security Detections API - - Alert index API + - APM sourcemaps + x-codeSamples: + - lang: Curl + source: | + curl -X GET "http://localhost:5601/api/apm/sourcemaps" \ + -H 'Content-Type: application/json' \ + -H 'kbn-xsrf: true' \ + -H 'Authorization: ApiKey ${YOUR_API_KEY}' + x-metaTags: + - content: Kibana + name: product_name post: description: | - Creates an index for Elastic Security alerts. Calling this API is not - required for the detection engine to function properly. You can create - rules and alerts without calling this API. 
- operationId: CreateAlertsIndex + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/apm/sourcemaps
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Upload a source map for a specific service and version. You must have `all` Kibana privileges for the APM and User Experience feature. + The maximum payload size is `1mb`. If you attempt to upload a source map that exceeds the maximum payload size, you will get a 413 error. Before uploading source maps that exceed this default, change the maximum payload size allowed by Kibana with the `server.maxPayload` variable. + operationId: uploadSourceMap + parameters: + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - $ref: '#/components/parameters/APM_UI_kbn_xsrf' + requestBody: + content: + multipart/form-data: + examples: + uploadSourceMapRequest: + $ref: '#/components/examples/APM_UI_source_maps_upload_request1' + schema: + $ref: '#/components/schemas/APM_UI_upload_source_map_object' + required: true responses: '200': content: application/json: examples: - acknowledged: - value: - acknowledged: true + uploadSourceMapResponse1: + $ref: '#/components/examples/APM_UI_source_maps_upload_200_response1' schema: - type: object - properties: - acknowledged: - type: boolean - required: - - acknowledged + $ref: '#/components/schemas/APM_UI_upload_source_maps_response' description: Successful response - '401': + '400': content: application/json: examples: - unauthorized: - value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': + badRequestResponse: + $ref: '#/components/examples/APM_UI_error_400_response' + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad 
Request response + '401': content: application/json: examples: - forbidden: - value: - message: >- - API [POST /api/detection_engine/index] is unauthorized for - the current user. The user must be able to create indices - for the Elastic Security solution. - status_code: 403 + unauthorizedResponse: + $ref: '#/components/examples/APM_UI_error_401_response' schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Not enough permissions response - '404': + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '403': content: application/json: examples: - notFound: - value: - message: >- - A prerequisite resource required to create the alerts - index was not found. - status_code: 404 + forbiddenResponse: + $ref: '#/components/examples/APM_UI_error_403_response' schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Not found + $ref: '#/components/schemas/APM_UI_403_response' + description: Forbidden response '500': content: application/json: examples: - serverError: - value: - message: Internal Server Error - status_code: 500 + internalServerErrorResponse: + $ref: '#/components/examples/APM_UI_error_500_response' schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Internal server error response - summary: Create an alerts index + $ref: '#/components/schemas/APM_UI_500_response' + description: Internal Server Error response + '501': + content: + application/json: + examples: + notImplementedResponse: + $ref: '#/components/examples/APM_UI_error_501_response' + schema: + $ref: '#/components/schemas/APM_UI_501_response' + description: Not Implemented response + summary: Upload a source map tags: - - Security Detections API - - Alert index API - /api/detection_engine/privileges: - get: - description: > - Retrieves whether or not the user is authenticated, and the user's - Kibana + - APM sourcemaps + x-codeSamples: + - 
lang: Curl + source: | + curl -X POST "http://localhost:5601/api/apm/sourcemaps" \ + -H 'Content-Type: multipart/form-data' \ + -H 'kbn-xsrf: true' \ + -H 'Authorization: ApiKey ${YOUR_API_KEY}' \ + -F 'service_name="foo"' \ + -F 'service_version="1.0.0"' \ + -F 'bundle_filepath="/test/e2e/general-usecase/bundle.js"' \ + -F 'sourcemap="{\"version\":3,\"file\":\"static/js/main.chunk.js\",\"sources\":[\"fleet-source-map-client/src/index.css\",\"fleet-source-map-client/src/App.js\",\"webpack:///./src/index.css?bb0a\",\"fleet-source-map-client/src/index.js\",\"fleet-source-map-client/src/reportWebVitals.js\"],\"sourcesContent\":[\"content\"],\"mappings\":\"mapping\",\"sourceRoot\":\"\"}"' + x-metaTags: + - content: Kibana + name: product_name + /api/apm/sourcemaps/{id}: + delete: + description: | + **Spaces method and path for this operation:** - space and index privileges, which determine if the user can create an +
delete /s/{space_id}/api/apm/sourcemaps/{id}
- index for the Elastic Security alerts generated by + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - detection engine rules. - operationId: ReadPrivileges + Delete a previously uploaded source map. You must have `all` Kibana privileges for the APM and User Experience feature. + operationId: deleteSourceMap + parameters: + - $ref: '#/components/parameters/APM_UI_elastic_api_version' + - $ref: '#/components/parameters/APM_UI_kbn_xsrf' + - description: Source map identifier + in: path + name: id + required: true + schema: + type: string responses: '200': content: application/json: examples: - success: - value: - application: {} - cluster: - all: true - manage: true - manage_api_key: true - manage_index_templates: true - manage_ml: true - manage_own_api_key: true - manage_pipeline: true - manage_security: true - manage_transform: true - monitor: true - monitor_ml: true - monitor_transform: true - has_all_requested: true - has_encryption_key: true - index: - .alerts-security.alerts-default: - all: true - create: true - create_doc: true - create_index: true - delete: true - delete_index: true - index: true - maintenance: true - manage: true - monitor: true - read: true - view_index_metadata: true - write: true - is_authenticated: true - username: elastic + deleteSourceMapResponseExample1: + $ref: '#/components/examples/APM_UI_source_maps_delete_200_response1' schema: + additionalProperties: false + description: The response body is intentionally empty for this endpoint. 
type: object - properties: - has_encryption_key: - type: boolean - is_authenticated: - type: boolean - required: - - is_authenticated - - has_encryption_key description: Successful response + '400': + content: + application/json: + examples: + badRequestResponse: + $ref: '#/components/examples/APM_UI_error_400_response' + schema: + $ref: '#/components/schemas/APM_UI_400_response' + description: Bad Request response '401': content: application/json: examples: - unauthorized: - value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 + unauthorizedResponse: + $ref: '#/components/examples/APM_UI_error_401_response' schema: - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - description: Unsuccessful authentication response + $ref: '#/components/schemas/APM_UI_401_response' + description: Unauthorized response + '403': + content: + application/json: + examples: + forbiddenResponse: + $ref: '#/components/examples/APM_UI_error_403_response' + schema: + $ref: '#/components/schemas/APM_UI_403_response' + description: Forbidden response '500': content: application/json: examples: - serverError: - value: - message: Internal Server Error - status_code: 500 + internalServerErrorResponse: + $ref: '#/components/examples/APM_UI_error_500_response' schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Internal server error response - summary: Returns user privileges for the Kibana space + $ref: '#/components/schemas/APM_UI_500_response' + description: Internal Server Error response + '501': + content: + application/json: + examples: + notImplementedResponse: + $ref: '#/components/examples/APM_UI_error_501_response' + schema: + $ref: '#/components/schemas/APM_UI_501_response' + 
description: Not Implemented response + summary: Delete source map tags: - - Security Detections API - - Privileges API - /api/detection_engine/rules: + - APM sourcemaps + x-codeSamples: + - lang: Curl + source: | + curl -X DELETE "http://localhost:5601/api/apm/sourcemaps/apm:foo-1.0.0-644fd5a9" \ + -H 'Content-Type: application/json' \ + -H 'kbn-xsrf: true' \ + -H 'Authorization: ApiKey ${YOUR_API_KEY}' + x-metaTags: + - content: Kibana + name: product_name + /api/asset_criticality: delete: - description: > - Delete a detection rule using the `rule_id` or `id` field. - - - The URL query must include one of the following: - - - * `id` - `DELETE /api/detection_engine/rules?id=` + description: |- + **Spaces method and path for this operation:** - * `rule_id`- `DELETE /api/detection_engine/rules?rule_id=` +
delete /s/{space_id}/api/asset_criticality
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - The difference between the `id` and `rule_id` is that the `id` is a - unique rule identifier that is randomly generated when a rule is created - and cannot be set, whereas `rule_id` is a stable rule identifier that - can be assigned during rule creation. - operationId: DeleteRule + Delete the asset criticality record for a specific entity. + operationId: DeleteAssetCriticalityRecord parameters: - - description: The rule's `id` value. + - description: The ID value of the asset. + example: my_host in: query - name: id - required: false + name: id_value + required: true schema: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' - - description: The rule's `rule_id` value. + type: string + - description: The field representing the ID. + example: host.name in: query - name: rule_id + name: id_field + required: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_IdField' + - description: If 'wait_for' the request will wait for the index refresh. 
+ in: query + name: refresh required: false schema: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + enum: + - wait_for + type: string responses: '200': content: application/json: - examples: - deletedRule: - summary: Response shape after a rule is deleted - value: - actions: [] - created_at: '2020-02-03T11:19:04.259Z' - created_by: elastic - description: Process started by MS Office program in user folder - enabled: false - false_positives: [] - from: now-4200s - id: c41d170b-8ba6-4de6-b8ec-76440a35ace3 - immutable: false - interval: 1h - language: kuery - max_signals: 100 - name: MS Office child process - query: event.action:Process* - references: [] - risk_score: 50 - rule_id: process_started_by_ms_office_user_folder - severity: low - tags: - - tag - throttle: null - to: now - type: query - updated_at: '2020-02-03T11:19:04.462Z' - updated_by: elastic - version: 3 schema: - $ref: '#/components/schemas/Security_Detections_API_RuleResponse' - description: Indicates a successful call. - summary: Delete a detection rule + type: object + properties: + deleted: + description: True if the record was deleted or false if the record did not exist. + type: boolean + record: + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord' + description: The deleted record if it existed. + required: + - deleted + description: Successful response + '400': + description: Invalid request + summary: Delete an asset criticality record tags: - - Security Detections API - - Rules API - x-codeSamples: - - lang: cURL - source: | - curl \ - --request DELETE https://localhost:5601/api/detection_engine/rules?rule_id=bfeaf89b-a2a7-48a3-817f-e41829dc61ee \ - --header "Content-Type: application/json; Elastic-Api-Version=2023-10-31" + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name get: - description: > - Retrieve a detection rule using the `rule_id` or `id` field. 
+ description: |- + **Spaces method and path for this operation:** +
get /s/{space_id}/api/asset_criticality
- The URL query must include one of the following: - - - * `id` - `GET /api/detection_engine/rules?id=` + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - * `rule_id` - `GET /api/detection_engine/rules?rule_id=` - - - The difference between the `id` and `rule_id` is that the `id` is a - unique rule identifier that is randomly generated when a rule is created - and cannot be set, whereas `rule_id` is a stable rule identifier that - can be assigned during rule creation. - operationId: ReadRule + Get the asset criticality record for a specific entity. + operationId: GetAssetCriticalityRecord parameters: - - description: The rule's `id` value. + - description: The ID value of the asset. + example: my_host in: query - name: id - required: false + name: id_value + required: true schema: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' - - description: The rule's `rule_id` value. + type: string + - description: The field representing the ID. + example: host.name in: query - name: rule_id - required: false + name: id_field + required: true schema: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + $ref: '#/components/schemas/Security_Entity_Analytics_API_IdField' responses: '200': content: application/json: - examples: - example1: - summary: Example response for a retrieved rule - value: - created_at: '2020-02-03T11:19:04.259Z' - created_by: elastic - description: Process started by MS Office program in user folder - enabled: false - execution_summary: - last_execution: - date: '2022-03-23T16:06:12.787Z' - message: >- - This rule attempted to query data from Elasticsearch - indices listed in the "Index pattern" section of the - rule definition, but no matching index was found. 
- metrics: - execution_gap_duration_s: 0 - total_indexing_duration_ms: 15 - total_search_duration_ms: 135 - status: partial failure - status_order: 20 - false_positives: [] - filters: - - query: - match: - event.action: - query: 'Process Create (rule: ProcessCreate)' - type: phrase - from: now-4200s - id: c41d170b-8ba6-4de6-b8ec-76440a35ace3 - immutable: false - interval: 1h - language: kuery - max_signals: 100 - name: MS Office child process - query: >- - process.parent.name:EXCEL.EXE or - process.parent.name:MSPUB.EXE or - process.parent.name:OUTLOOK.EXE or - process.parent.name:POWERPNT.EXE or - process.parent.name:VISIO.EXE or - process.parent.name:WINWORD.EXE - references: [] - related_integrations: - - package: o365 - version: ^2.3.2 - required_fields: - - ecs: true - name: process.name - type: keyword - - ecs: true - name: process.parent.name - type: keyword - risk_score: 21 - rule_id: process_started_by_ms_office_user_folder - setup: '' - severity: low - tags: - - child process - - ms office - threat: - - framework: MITRE ATT&CK - tactic: - id: TA0001 - name: Initial Access - reference: https://attack.mitre.org/tactics/TA0001 - technique: - - id: T1193 - name: Spearphishing Attachment - reference: https://attack.mitre.org/techniques/T1193 - to: now-300s - type: query - updated_at: '2020-02-03T11:19:04.462Z' - updated_by: elastic - version: 1 schema: - $ref: '#/components/schemas/Security_Detections_API_RuleResponse' - description: > - Indicates a successful call. - - > info - - > These fields are under development and their usage or schema may - change: execution_summary. 
- summary: Retrieve a detection rule + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord' + description: Successful response + '400': + description: Invalid request + '404': + description: Criticality record not found + summary: Get an asset criticality record tags: - - Security Detections API - - Rules API - x-codeSamples: - - lang: cURL - source: | - curl \ - --request GET https://localhost:5601/api/detection_engine/rules?rule_id=bfeaf89b-a2a7-48a3-817f-e41829dc61ee \ - --header "Content-Type: application/json; Elastic-Api-Version=2023-10-31" - patch: - description: > - Update specific fields of an existing detection rule using the `rule_id` - or `id` field. - - - The difference between the `id` and `rule_id` is that the `id` is a - unique rule identifier that is randomly generated when a rule is created - and cannot be set, whereas `rule_id` is a stable rule identifier that - can be assigned during rule creation. + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + post: + description: | + **Spaces method and path for this operation:** - > warn +
post /s/{space_id}/api/asset_criticality
- > When used with [API - key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, - the user's key gets assigned to the affected rules. If the user's key - gets deleted or the user becomes inactive, the rules will stop running. + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + Create or update an asset criticality record for a specific entity. - > If the API key that is used for authorization has different privileges - than the key that created or most recently updated the rule, the rule - behavior might change. - operationId: PatchRule + If a record already exists for the specified entity, that record is overwritten with the specified value. If a record doesn't exist for the specified entity, a new record is created. + operationId: CreateAssetCriticalityRecord requestBody: content: application/json: - examples: - example1: - summary: Patch query rule - value: - id: 14b7b513-3d8d-4b22-b7da-a7ae632f7e76 - name: New name - example2: - summary: Patch EQL rule - value: - rule_id: process_started_by_ms_office_program_possible_payload - threat: - - framework: MITRE ATT&CK - tactic: - id: TA0001 - name: Initial Access - reference: https://attack.mitre.org/tactics/TA0001 - technique: - - id: T1193 - name: Spearphishing Attachment - reference: https://attack.mitre.org/techniques/T1193 - example3: - summary: Patch threshold rule - value: - id: 005d2c4f-51ca-493d-a2bd-20ef076339b1 - query: >- - agent.version : * and agent.id : - "243d9b4f-ca01-4311-8e5c-9abbee91afd8" - threshold: - cardinality: [] - field: [] - value: 600 - example4: - summary: Patch new terms rule - value: - history_window_start: now-3d - id: 569aac91-40dc-4807-a8ae-a2c8698089c4 - new_terms_fields: - - Endpoint.policy.applied.artifacts.global.identifiers.name - example5: - summary: Patch esql rule - value: - id: 0b15e8a2-49b6-47e0-a8e6-d63a6cc335bd - query: > - FROM logs-abc* - - | STATS count = COUNT(*), min_timestamp = MIN(@timestamp) - - 
| EVAL event_rate = count / DATE_DIFF("seconds", - min_timestamp, NOW()) - - | KEEP event_rate - example6: - summary: Patch indicator match rule - value: - id: 462f1986-10fe-40a3-a22c-2b1c9c4c48fd - threat_query: >- - @timestamp >= "now-30d/d" and event.module:(threatintel or - ti_*) and threat.indicator.ip:* and not - labels.is_ioc_transform_source:"false" - example7: - summary: Patch machine learning rule - value: - anomaly_threshold: 50 - id: 60b13926-289b-41b1-a537-197ef1fa5059 - machine_learning_job_id: - - auth_high_count_logon_events_ea schema: - $ref: '#/components/schemas/Security_Detections_API_RulePatchProps' - description: | - > info - > You cannot modify the `id` or `rule_id` values. + allOf: + - $ref: '#/components/schemas/Security_Entity_Analytics_API_CreateAssetCriticalityRecord' + - type: object + properties: + refresh: + description: If 'wait_for' the request will wait for the index refresh. + enum: + - wait_for + type: string + example: + criticality_level: high_impact + id_field: host.name + id_value: my_host required: true responses: '200': content: application/json: - examples: - example1: - summary: Example response for an updated rule - value: - actions: [] - created_at: '2020-04-07T14:51:09.755Z' - created_by: elastic - description: Updated description for the rule. 
- enabled: false - false_positives: [] - filters: - - query: null - from: now-70m - id: 6541b99a-dee9-4f6d-a86d-dbd1869d73b1 - immutable: false - interval: 1h - language: kuery - max_signals: 100 - name: Updated Rule Name - query: >- - process.parent.name:EXCEL.EXE or - process.parent.name:MSPUB.EXE or - process.parent.name:OUTLOOK.EXE or - process.parent.name:POWERPNT.EXE or - process.parent.name:VISIO.EXE or - process.parent.name:WINWORD.EXE - references: [] - related_integrations: - - package: o365 - required_fields: - - name: process.parent.name - risk_score: 50 - rule_id: process_started_by_ms_office_program - setup: '' - severity: low - tags: - - child process - - ms office - threat: [] - to: now - type: query - updated_at: '2020-04-07T14:51:09.970Z' - updated_by: elastic - version: 2 schema: - $ref: '#/components/schemas/Security_Detections_API_RuleResponse' - description: Indicates a successful call. - summary: Patch a detection rule + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord' + description: Successful response + '400': + description: Invalid request + summary: Upsert an asset criticality record tags: - - Security Detections API - - Rules API + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/asset_criticality/bulk: post: - description: > - Create a new detection rule. + description: | + **Spaces method and path for this operation:** - > warn +
post /s/{space_id}/api/asset_criticality/bulk
- > When used with [API - key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, - the user's key gets assigned to the affected rules. If the user's key - gets deleted or the user becomes inactive, the rules will stop running. - - - > If the API key that is used for authorization has different privileges - than the key that created or most recently updated the rule, the rule - behavior might change. - - - You can create the following types of rules: - - - * **Custom query**: Searches the defined indices and creates an alert - when a document matches the rule's KQL query. - - * **Event correlation**: Searches the defined indices and creates an - alert when results match an [Event Query Language - (EQL)](https://www.elastic.co/guide/en/elasticsearch/reference/current/eql.html) - query. - - * **Threshold**: Searches the defined indices and creates an alert when - the number of times the specified field's value meets the threshold - during a single execution. When there are multiple values that meet the - threshold, an alert is generated for each value. - For example, if the threshold `field` is `source.ip` and its `value` is `10`, an alert is generated for every source IP address that appears in at least 10 of the rule's search results. If you're interested, see [Terms Aggregation](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-bucket-terms-aggregation.html) for more information. - * **Indicator match**: Creates an alert when fields match values defined - in the specified [Elasticsearch - index](https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-create-index.html). - For example, you can create an index for IP addresses and use this index - to create an alert whenever an event's `destination.ip` equals a value - in the index. The index's field mappings should be - [ECS-compliant](https://www.elastic.co/guide/en/ecs/current/ecs-reference.html). 
- - * **New terms**: Generates an alert for each new term detected in source - documents within a specified time range. - - * **ES|QL**: Uses [Elasticsearch Query Language - (ES|QL)](https://www.elastic.co/guide/en/elasticsearch/reference/current/esql.html) - to find events and aggregate search results. - - * **Machine learning rules**: Creates an alert when a machine learning - job discovers an anomaly above the defined threshold. - - > info - - > To create machine learning rules, you must have the [appropriate - license](https://www.elastic.co/subscriptions) or use a [cloud - deployment](https://cloud.elastic.co/registration). Additionally, for - the machine learning rule to function correctly, the associated machine - learning job must be running. - - - To retrieve machine learning job IDs, which are required to create - machine learning jobs, call the [Elasticsearch Get jobs - API](https://www.elastic.co/guide/en/elasticsearch/reference/current/ml-get-job.html). - Machine learning jobs that contain `siem` in the `groups` field can be - used to create rules: - - - ```json - - ... - - "job_id": "linux_anomalous_network_activity_ecs", - - "job_type": "anomaly_detector", - - "job_version": "7.7.0", - - "groups": [ - "auditbeat", - "process", - "siem" - ], - - ... - - ``` - - - Additionally, you can set up notifications for when rules create alerts. - The notifications use the [Alerting and Actions - framework](https://www.elastic.co/docs/explore-analyze/alerting). Each - action type requires a connector. Connectors store the information - required to send notifications via external systems. The following - connector types are supported for rule notifications: - - - * Slack - - * Email - - * PagerDuty - - * Webhook - - * Microsoft Teams - - * IBM Resilient - - * Jira - - * ServiceNow ITSM - - > info - - > For more information on PagerDuty fields, see [Send a v2 - Event](https://developer.pagerduty.com/docs/events-api-v2/trigger-events/). 
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + Bulk upsert up to 1000 asset criticality records. - To retrieve connector IDs, which are required to configure rule - notifications, call the [Find objects - API](https://www.elastic.co/docs/api/doc/kibana/operation/operation-findsavedobjects) - with `"type": "action"` in the request payload. + If asset criticality records already exist for the specified entities, those records are overwritten with the specified values. If asset criticality records don't exist for the specified entities, new records are created. + operationId: BulkUpsertAssetCriticalityRecords + requestBody: + content: + application/json: + schema: + example: + records: + - criticality_level: low_impact + id_field: host.name + id_value: host-1 + - criticality_level: medium_impact + id_field: host.name + id_value: host-2 + type: object + properties: + records: + items: + allOf: + - $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordIdParts' + - type: object + properties: + criticality_level: + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevelsForBulkUpload' + required: + - criticality_level + maxItems: 1000 + minItems: 1 + type: array + required: + - records + responses: + '200': + content: + application/json: + schema: + example: + errors: + - index: 0 + message: Invalid ID field + stats: + failed: 1 + successful: 1 + total: 2 + type: object + properties: + errors: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityBulkUploadErrorItem' + type: array + stats: + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityBulkUploadStats' + required: + - errors + - stats + description: Bulk upload successful + '413': + description: File too large + summary: Bulk upsert asset criticality records + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + 
/api/asset_criticality/list: + get: + description: |- + **Spaces method and path for this operation:** +
get /s/{space_id}/api/asset_criticality/list
- For detailed information on Kibana actions and alerting, and additional - API calls, see: + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + List asset criticality records, paging, sorting and filtering as needed. + operationId: FindAssetCriticalityRecords + parameters: + - description: The field to sort by. + in: query + name: sort_field + required: false + schema: + enum: + - id_value + - id_field + - criticality_level + - '@timestamp' + type: string + - description: The order to sort by. + in: query + name: sort_direction + required: false + schema: + enum: + - asc + - desc + type: string + - description: The page number to return. + in: query + name: page + required: false + schema: + minimum: 1 + type: integer + - description: The number of records to return per page. + in: query + name: per_page + required: false + schema: + maximum: 1000 + minimum: 1 + type: integer + - description: The kuery to filter by. + in: query + name: kuery + required: false + schema: + type: string + responses: + '200': + content: + application/json: + schema: + example: + page: 1 + per_page: 10 + records: + - '@timestamp': '2024-08-02T14:40:35.705Z' + asset: + criticality: medium_impact + criticality_level: medium_impact + host: + asset: + criticality: medium_impact + name: my_other_host + id_field: host.name + id_value: my_other_host + - '@timestamp': '2024-08-02T11:15:34.290Z' + asset: + criticality: high_impact + criticality_level: high_impact + host: + asset: + criticality: high_impact + name: my_host + id_field: host.name + id_value: my_host + total: 2 + type: object + properties: + page: + minimum: 1 + type: integer + per_page: + maximum: 1000 + minimum: 1 + type: integer + records: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord' + type: array + total: + minimum: 0 + type: integer + required: + - records + - page + - per_page + - total + description: Successfully retrieved asset 
criticality records + summary: List asset criticality records + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/attack_discovery/_bulk: + post: + description: |- + **Spaces method and path for this operation:** - * [Alerting - API](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-alerting) +
post /s/{space_id}/api/attack_discovery/_bulk
- * [Alerting and Actions - framework](https://www.elastic.co/docs/explore-analyze/alerting) + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - * [Connectors - API](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-connectors) - operationId: CreateRule + Performs bulk updates on multiple Attack discoveries, including workflow status changes and visibility settings. This endpoint allows efficient batch processing of alert modifications without requiring individual API calls for each alert. + operationId: PostAttackDiscoveryBulk requestBody: content: application/json: examples: - example1: - description: Query rule that searches for processes started by MS Office - summary: Query rule - value: - description: Process started by MS Office program - possible payload - enabled: false - filters: - - query: - match: - event.action: - query: 'Process Create (rule: ProcessCreate)' - type: phrase - from: now-70m - interval: 1h - language: kuery - name: MS Office child process - query: >- - process.parent.name:EXCEL.EXE or - process.parent.name:MSPUB.EXE or - process.parent.name:OUTLOOK.EXE or - process.parent.name:POWERPNT.EXE or - process.parent.name:VISIO.EXE or - process.parent.name:WINWORD.EXE - related_integrations: - - package: o365 - version: ^2.3.2 - required_fields: - - name: process.parent.name - type: keyword - risk_score: 50 - rule_id: process_started_by_ms_office_program - severity: low - tags: - - child process - - ms office - type: query - example2: - description: >- - Threshold rule that detects multiple failed login attempts to - a Windows host from the same external source IP address - summary: Threshold rule - value: - description: >- - Detects when there are 20 or more failed login attempts from - the same IP address with a 2 minute time frame. 
- enabled: true - exceptions_list: - - id: int-ips - namespace_type: single - type: detection - from: now-180s - index: - - winlogbeat-* - interval: 2m - name: Windows server prml-19 - query: >- - host.name:prml-19 and event.category:authentication and - event.outcome:failure - required_fields: - - name: source.ip - type: ip - risk_score: 30 - rule_id: liv-win-ser-logins - severity: low - severity_mapping: - - field: source.geo.city_name - operator: equals - severity: low - value: Manchester - - field: source.geo.city_name - operator: equals - severity: medium - value: London - - field: source.geo.city_name - operator: equals - severity: high - value: Birmingham - - field: source.geo.city_name - operator: equals - severity: critical - value: Wallingford - tags: - - Brute force - threshold: - field: source.ip - value: 20 - type: threshold - example3: - description: >- - Machine learning rule that creates alerts, and sends Slack - notifications, when the linux_anomalous_network_activity_ecs - machine learning job discovers anomalies with a threshold of - 70 or above. - summary: Machine learning rule - value: - actions: - - action_type_id: .slack - group: default - id: 5ad22cd5-5e6e-4c6c-a81a-54b626a4cec5 - params: - message: 'Urgent: {{context.rule.description}}' - anomaly_threshold: 70 - description: Generates alerts when the job discovers anomalies over 70 - enabled: true - from: now-6m - interval: 5m - machine_learning_job_id: linux_anomalous_network_activity_ecs - name: Anomalous Linux network activity - note: Shut down the internet. - risk_score: 70 - rule_id: ml_linux_network_high_threshold - setup: This rule requires data coming in from Elastic Defend. 
- severity: high - tags: - - machine learning - - Linux - type: machine_learning - example4: - description: >- - Event correlation rule that creates alerts when the Windows - rundll32.exe process makes unusual network connections - summary: EQL rule - value: - description: Unusual rundll32.exe network connection - language: eql - name: rundll32.exe network connection - query: >- - sequence by process.entity_id with maxspan=2h [process where - event.type in ("start", "process_started") and (process.name - == "rundll32.exe" or process.pe.original_file_name == - "rundll32.exe") and ((process.args == "rundll32.exe" and - process.args_count == 1) or (process.args != "rundll32.exe" - and process.args_count == 0))] [network where event.type == - "connection" and (process.name == "rundll32.exe" or - process.pe.original_file_name == "rundll32.exe")] - required_fields: - - name: event.type - type: keyword - - name: process.args - type: keyword - - name: process.args_count - type: long - - name: process.entity_id - type: keyword - - name: process.name - type: keyword - - name: process.pe.original_file_name - type: keyword - risk_score: 21 - rule_id: eql-outbound-rundll32-connections - severity: low - tags: - - EQL - - Windows - - rundll32.exe - type: eql - example5: - description: > - Indicator match rule that creates an alert when one of the - following is true: The event's destination IP address and port - number matches destination IP and port values in the - threat_index index; The event's source IP address matches a - host IP address value in the threat_index index. 
- summary: Indicator match rule - value: - actions: [] - description: >- - Checks for bad IP addresses listed in the ip-threat-list - index - index: - - packetbeat-* - name: Bad IP threat match - query: destination.ip:* or host.ip:* - required_fields: - - name: destination.ip - type: ip - - name: destination.port - type: long - - name: host.ip - type: ip - risk_score: 50 - severity: medium - threat_index: - - ip-threat-list - threat_mapping: - - entries: - - field: destination.ip - type: mapping - value: destination.ip - - field: destination.port - type: mapping - value: destination.port - - entries: - - field: source.ip - type: mapping - value: host.ip - threat_query: '*:*' - type: threat_match - example6: - description: >- - New terms rule that creates alerts a new IP address is - detected for a user - summary: New terms rule - value: - description: Detects a user associated with a new IP address - history_window_start: now-30d - index: - - auditbeat* - language: kuery - name: New User IP Detected - new_terms_fields: - - user.id - - source.ip - query: '*' - required_fields: - - name: user.id - type: keyword - - name: source.ip - type: ip - risk_score: 21 - severity: medium - type: new_terms - example7: - description: >- - esql rule that creates alerts from events that match an Excel - parent process - summary: Esql rule - value: - description: Find Excel events - enabled: false - from: now-360s - interval: 5m - language: esql - name: Find Excel events - query: >- - from auditbeat-8.10.2 METADATA _id, _version, _index | where - process.parent.name == "EXCEL.EXE" - required_fields: - - name: process.parent.name - type: keyword - risk_score: 21 - severity: low - tags: [] - to: now - type: esql - example8: - description: >- - Query rule that searches for processes started by MS Office - and suppresses alerts by the process.parent.name field within - a 5-hour time period - summary: Query rule 2 + PostAttackDiscoveryBulkRequestBodyExample: + summary: Acknowledge two 
Attack discoveries in bulk. value: - alert_suppression: - duration: - unit: h - value: 5 - group_by: - - process.parent.name - missing_fields_strategy: suppress - description: Process started by MS Office program - possible payload - enabled: false - filters: - - query: - match: - event.action: - query: 'Process Create (rule: ProcessCreate)' - type: phrase - from: now-70m - interval: 1h - language: kuery - name: MS Office child process - query: >- - process.parent.name:EXCEL.EXE or - process.parent.name:MSPUB.EXE or - process.parent.name:OUTLOOK.EXE or - process.parent.name:POWERPNT.EXE or - process.parent.name:VISIO.EXE or - process.parent.name:WINWORD.EXE - risk_score: 50 - rule_id: process_started_by_ms_office_program - severity: low - tags: - - child process - - ms office - type: query + update: + enable_field_rendering: false + ids: + - c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f + - 5aa8f2900c0b03854b3b1a52a19558c5ea9893865c78235d4ad3dcc46196f4c7 + kibana_alert_workflow_status: acknowledged + with_replacements: true schema: - $ref: '#/components/schemas/Security_Detections_API_RuleCreateProps' + type: object + properties: + update: + description: Configuration object containing all parameters for the bulk update operation + type: object + properties: + enable_field_rendering: + default: false + description: Enables a markdown syntax used to render pivot fields, for example `{{ user.name james }}`. When disabled, the same example would be rendered as `james`. This is primarily used for Attack Discovery views within Kibana. Defaults to `false`. 
+ example: false + type: boolean + ids: + description: Array of Attack Discovery IDs to update + example: + - c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f + - 5aa8f2900c0b03854b3b1a52a19558c5ea9893865c78235d4ad3dcc46196f4c7 + items: + type: string + type: array + kibana_alert_workflow_status: + description: When provided, update the kibana.alert.workflow_status of the attack discovery alerts + enum: + - open + - acknowledged + - closed + example: acknowledged + type: string + visibility: + description: When provided, update the visibility of the alert, as determined by the kibana.alert.attack_discovery.users field + enum: + - not_shared + - shared + example: shared + type: string + with_replacements: + default: true + description: When true, returns the updated Attack discoveries with text replacements applied to the detailsMarkdown, entitySummaryMarkdown, summaryMarkdown, and title fields. This substitutes anonymized values with human-readable equivalents. Defaults to `true`. + example: true + type: boolean + required: + - ids + required: + - update + description: Bulk update parameters for Attack discoveries required: true responses: '200': content: application/json: examples: - example1: - description: Example response for a query rule - summary: Query rule response + PostAttackDiscoveryBulkResponse200Example: + summary: A successful bulk update response containing the modified Attack discoveries. 
value: - actions: [] - created_at: '2020-04-07T14:51:09.755Z' - created_by: elastic - description: Process started by MS Office program - possible payload - enabled: false - false_positives: [] - filters: - - query: - match: - event.action: - query: 'Process Create (rule: ProcessCreate)' - type: phrase - from: now-70m - id: 6541b99a-dee9-4f6d-a86d-dbd1869d73b1 - immutable: false - interval: 1h - language: kuery - max_signals: 100 - name: MS Office child process - query: >- - process.parent.name:EXCEL.EXE or - process.parent.name:MSPUB.EXE or - process.parent.name:OUTLOOK.EXE or - process.parent.name:POWERPNT.EXE or - process.parent.name:VISIO.EXE or - process.parent.name:WINWORD.EXE - references: [] - related_integrations: - - package: o365 - version: ^2.3.2 - - integration: graphactivitylogs - package: azure - version: ^1.11.4 - required_fields: - - ecs: true - name: process.parent.name - type: keyword - risk_score: 50 - rule_id: process_started_by_ms_office_program - setup: '' - severity: low - tags: - - child process - - ms office - threat: [] - to: now - type: query - updated_at: '2020-04-07T14:51:09.970Z' - updated_by: elastic - version: 1 - example2: - description: Example response for a machine learning job rule - summary: Machine learning response - value: - actions: - - action_type_id: .slack - frequency: - notifyWhen: onActiveAlert - summary: true - throttle: null - group: default - id: 5ad22cd5-5e6e-4c6c-a81a-54b626a4cec5 - params: - message: 'Urgent: {{context.rule.description}}' - anomaly_threshold: 70 - created_at: '2020-04-07T14:45:15.679Z' - created_by: elastic - description: Generates alerts when the job discovers anomalies over 70 - enabled: true - false_positives: [] - from: now-6m - id: 83876f66-3a57-4a99-bf37-416494c80f3b - immutable: false - interval: 5m - machine_learning_job_id: linux_anomalous_network_activity_ecs - max_signals: 100 - name: Anomalous Linux network activity - note: Shut down the internet. 
- references: [] - related_integrations: [] - required_fields: [] - risk_score: 70 - rule_id: ml_linux_network_high_threshold - setup: '' - severity: high - status: going to run - status_date: '2020-04-07T14:45:21.685Z' - tags: - - machine learning - - Linux - threat: [] - to: now - type: machine_learning - updated_at: '2020-04-07T14:45:15.892Z' - updated_by: elastic - version: 1 - example3: - description: Example response for a threshold rule - summary: Threshold rule response - value: - actions: [] - author: [] - created_at: '2020-07-22T10:27:23.486Z' - created_by: elastic - description: >- - Detects when there are 20 or more failed login attempts - from the same IP address with a 2 minute time frame. - enabled: true - exceptions_list: - - id: int-ips - namespace_type: single - type: detection - false_positives: [] - from: now-180s - id: 15dbde26-b627-4d74-bb1f-a5e0ed9e4993 - immutable: false - index: - - winlogbeat-* - interval: 2m - language: kuery - max_signals: 100 - name: Windows server prml-19 - query: >- - host.name:prml-19 and event.category:authentication and - event.outcome:failure - references: [] - related_integrations: - - package: o365 - version: ^2.3.2 - required_fields: - - ecs: true - name: source.ip - type: ip - risk_score: 30 - risk_score_mapping: [] - rule_id: liv-win-ser-logins - setup: '' - severity: low - severity_mapping: - - field: source.geo.city_name - operator: equals - severity: low - value: Manchester - - field: source.geo.city_name - operator: equals - severity: medium - value: London - - field: source.geo.city_name - operator: equals - severity: high - value: Birmingham - - field: source.geo.city_name - operator: equals - severity: critical - value: Wallingford - tags: - - Brute force - threat: [] - threshold: - field: source.ip - value: 20 - to: now - type: threshold - updated_at: '2020-07-22T10:27:23.673Z' - updated_by: elastic - version: 1 - example4: - description: Example response for an EQL rule - summary: EQL rule response - 
value: - author: [] - created_at: '2020-10-05T09:06:16.392Z' - created_by: elastic - description: Unusual rundll32.exe network connection - enabled: true - exceptions_list: [] - false_positives: [] - from: now-6m - id: 93808cae-b05b-4dc9-8479-73574b50f8b1 - immutable: false - interval: 5m - language: eql - max_signals: 100 - name: rundll32.exe network connection - query: >- - sequence by process.entity_id with maxspan=2h [process - where event.type in ("start", "process_started") and - (process.name == "rundll32.exe" or - process.pe.original_file_name == "rundll32.exe") and - ((process.args == "rundll32.exe" and process.args_count == - 1) or (process.args != "rundll32.exe" and - process.args_count == 0))] [network where event.type == - "connection" and (process.name == "rundll32.exe" or - process.pe.original_file_name == "rundll32.exe")] - references: [] - related_integrations: - - package: o365 - version: ^2.3.2 - required_fields: - - ecs: true - name: event.type - type: keyword - - ecs: true - name: process.args - type: keyword - - ecs: true - name: process.args_count - type: long - - ecs: true - name: process.entity_id - type: keyword - - ecs: true - name: process.name - type: keyword - - ecs: true - name: process.pe.original_file_name - type: keyword - risk_score: 21 - risk_score_mapping: [] - rule_id: eql-outbound-rundll32-connections - setup: '' - severity: low - severity_mapping: [] - tags: - - EQL - - Windows - - rundll32.exe - threat: [] - throttle: no_actions - to: now - type: eql - updated_at: '2020-10-05T09:06:16.403Z' - updated_by: elastic - version: 1 - example5: - description: Example response for an indicator match rule - summary: Indicator match rule response - value: - author: [] - created_at: '2020-10-06T07:07:58.227Z' - created_by: elastic - description: >- - Checks for bad IP addresses listed in the ip-threat-list - index - enabled: true - exceptions_list: [] - false_positives: [] - from: now-6m - id: d5daa13f-81fb-4b13-be2f-31011e1d9ae1 - 
immutable: false - index: - - packetbeat-* - interval: 5m - language: kuery - max_signals: 100 - name: Bad IP threat match - query: destination.ip:* or host.ip:* - references: [] - related_integrations: - - package: o365 - version: ^2.3.2 - required_fields: - - ecs: true - name: destination.ip - type: ip - - ecs: true - name: destination.port - type: long - - ecs: true - name: host.ip - type: ip - risk_score: 50 - risk_score_mapping: [] - rule_id: 608501e4-c768-4f64-9326-cec55b5d439b - setup: '' - severity: medium - severity_mapping: [] - tags: [] - threat: [] - threat_index: - - ip-threat-list - threat_mapping: - - entries: - - field: destination.ip - type: mapping - value: destination.ip - - field: destination.port - type: mapping - value: destination.port - - entries: - - field: source.ip - type: mapping - value: host.ip - threat_query: '*:*' - to: now - type: threat_match - updated_at: '2020-10-06T07:07:58.237Z' - updated_by: elastic - version: 1 - example6: - description: Example response for a new terms rule - summary: New terms rule response - value: - author: [] - created_at: '2020-10-06T07:07:58.227Z' - created_by: elastic - description: Detects a user associated with a new IP address - enabled: true - exceptions_list: [] - false_positives: [] - from: now-6m - history_window_start: now-30d - id: eb7225c0-566b-11ee-8b4f-bbf3afdeb9f4 - immutable: false - index: - - auditbeat* - interval: 5m - language: kuery - max_signals: 100 - name: New User IP Detected - new_terms_fields: - - user.id - - source.ip - query: '*' - references: [] - related_integrations: - - package: o365 - version: ^2.3.2 - required_fields: - - ecs: true - name: user.id - type: keyword - - ecs: true - name: source.ip - type: ip - risk_score: 21 - risk_score_mapping: [] - rule_id: c6f5d0bc-7be9-47d4-b2f3-073d22641e30 - setup: '' - severity: medium - severity_mapping: [] - tags: [] - threat: [] - to: now - type: new_terms - updated_at: '2020-10-06T07:07:58.237Z' - updated_by: elastic - 
version: 1 - example7: - description: Example response for an Esql rule - summary: Esql rule response - value: - actions: [] - author: [] - created_at: '2023-10-18T10:55:14.269Z' - created_by: elastic - description: Find Excel events - enabled: false - exceptions_list: [] - false_positives: [] - from: now-360s - id: d0f20490-6da4-11ee-b85e-09e9b661f2e2 - immutable: false - interval: 5m - language: esql - max_signals: 100 - name: Find Excel events - output_index: '' - query: >- - from auditbeat-8.10.2 METADATA _id | where - process.parent.name == "EXCEL.EXE" - references: [] - related_integrations: - - package: o365 - version: ^2.3.2 - required_fields: - - ecs: true - name: process.parent.name - type: keyword - revision: 0 - risk_score: 21 - risk_score_mapping: [] - rule_id: e4b53a89-debd-4a0d-a3e3-20606952e589 - setup: '' - severity: low - severity_mapping: [] - tags: [] - threat: [] - to: now - type: esql - updated_at: '2023-10-18T10:55:14.269Z' - updated_by: elastic - version: 1 + data: + - alert_ids: + - alert-abc-1 + alert_workflow_status: acknowledged + connector_id: gen-ai-connector + connector_name: OpenAI GPT-4 + details_markdown: '- **Host** `workstation-01` showed credential access patterns consistent with mimikatz.' + generation_uuid: 550e8400-e29b-41d4-a716-446655440000 + id: c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f + summary_markdown: A user account was compromised using mimikatz to dump credentials. + timestamp: '2024-01-15T10:00:00.000Z' + title: Credential theft via mimikatz schema: - $ref: '#/components/schemas/Security_Detections_API_RuleResponse' + type: object + properties: + data: + description: Array of updated Attack Discovery alert objects. Each item includes the applied modifications from the bulk update request. + items: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiAlert' + type: array + required: + - data description: Indicates a successful call. 
- summary: Create a detection rule - tags: - - Security Detections API - put: - description: > - Update a detection rule using the `rule_id` or `id` field. The original - rule is replaced, and all unspecified fields are deleted. - - - The difference between the `id` and `rule_id` is that the `id` is a - unique rule identifier that is randomly generated when a rule is created - and cannot be set, whereas `rule_id` is a stable rule identifier that - can be assigned during rule creation. - - > warn - - > When used with [API - key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, - the user's key gets assigned to the affected rules. If the user's key - gets deleted or the user becomes inactive, the rules will stop running. - - - > If the API key that is used for authorization has different privileges - than the key that created or most recently updated the rule, the rule - behavior might change. - operationId: UpdateRule - requestBody: - content: - application/json: - examples: - example1: - summary: Update query rule - value: - description: A new description - id: 14b7b513-3d8d-4b22-b7da-a7ae632f7e76 - name: A new name for the rule - risk_score: 22 - severity: medium - type: query - example2: - summary: Update EQL rule - value: - description: eql rule test - id: 9b684efb-acf9-4323-9bff-8335b3867d14 - index: - - apm-*-transaction* - language: eql - name: New name for EQL rule - query: process where process.name == "regsvr32.exe" - risk_score: 21 - severity: low - type: eql - example3: - summary: Update threshold rule - value: - description: Description of threat rule test - id: 005d2c4f-51ca-493d-a2bd-20ef076339b1 - language: kuery - name: New name for threat rule - query: >- - agent.version : * and agent.id : - "243d9b4f-ca01-4311-8e5c-9abbee91afd8" - risk_score: 21 - severity: low - tags: - - new_tag - threshold: - cardinality: [] - field: [] - value: 400 - type: threshold - example4: - summary: Update new terms rule - value: - description: New 
description - history_window_start: now-7d - id: 569aac91-40dc-4807-a8ae-a2c8698089c4 - interval: 5m - name: New terms rule name - new_terms_fields: - - Endpoint.policy.applied.artifacts.global.identifiers.name - query: 'agent.version : "9.1.0"' - risk_score: 21 - severity: low - type: new_terms - example5: - summary: Update esql rule - value: - description: New description for esql rule - id: 0b15e8a2-49b6-47e0-a8e6-d63a6cc335bd - language: esql - name: New name for esql rule - query: > - FROM logs* - - | STATS count = COUNT(*), min_timestamp = MIN(@timestamp) /* - MIN(dateField) finds the earliest timestamp in the dataset. - */ - - | EVAL event_rate = count / DATE_DIFF("seconds", - min_timestamp, NOW()) /* Calculates the event rate by - dividing the total count of events by the time difference - (in seconds) between the earliest event and the current - time. */ - - | KEEP event_rate - risk_score: 21 - severity: low - type: esql - example6: - summary: Update indicator match rule - value: - description: New description - id: 462f1986-10fe-40a3-a22c-2b1c9c4c48fd - name: New name for Indicator Match rule - query: source.ip:* or destination.ip:*\n - risk_score: 99 - severity: critical - threat_index: - - filebeat-* - - logs-ti_* - threat_mapping: - - entries: - - field: source.ip - type: mapping - value: threat.indicator.ip - - entries: - - field: destination.ip - type: mapping - value: threat.indicator.ip - threat_query: >- - @timestamp >= "now-30d/d" and event.module:(threatintel or - ti_*) and threat.indicator.ip:* and not - labels.is_ioc_transform_source:"true" - type: threat_match - example7: - summary: Update machine learning rule - value: - anomaly_threshold: 50 - description: New description of ml rule - id: 60b13926-289b-41b1-a537-197ef1fa5059 - machine_learning_job_id: - - auth_high_count_logon_events_ea - name: New name of ml rule - risk_score: 21 - severity: low - type: machine_learning - schema: - $ref: 
'#/components/schemas/Security_Detections_API_RuleUpdateProps' - description: > - > info - - > All unspecified fields are deleted. You cannot modify the `id` or - `rule_id` values. - required: true - responses: - '200': + '400': content: application/json: examples: - example1: - summary: Example response for an updated rule + PostAttackDiscoveryBulkResponse400Example: + summary: Bad Request error returned when the bulk update payload is invalid. value: - actions: [] - created_at: '2020-04-07T14:51:09.755Z' - created_by: elastic - description: Updated description for the rule. - enabled: false - false_positives: [] - filters: - - query: null - from: now-70m - id: 6541b99a-dee9-4f6d-a86d-dbd1869d73b1 - immutable: false - interval: 1h - language: kuery - max_signals: 100 - name: Updated Rule Name - query: >- - process.parent.name:EXCEL.EXE or - process.parent.name:MSPUB.EXE or - process.parent.name:OUTLOOK.EXE or - process.parent.name:POWERPNT.EXE or - process.parent.name:VISIO.EXE or - process.parent.name:WINWORD.EXE - references: [] - related_integrations: - - package: o365 - required_fields: - - name: process.parent.name - risk_score: 50 - rule_id: process_started_by_ms_office_program - setup: '' - severity: low - tags: - - child process - - ms office - threat: [] - to: now - type: query - updated_at: '2020-04-07T14:51:09.970Z' - updated_by: elastic - version: 2 + error: Bad Request + message: Invalid request parameters. + status_code: 400 schema: - $ref: '#/components/schemas/Security_Detections_API_RuleResponse' - description: Indicates a successful call. - summary: Update a detection rule + type: object + properties: + error: + description: Error type + example: Bad Request + type: string + message: + description: Human-readable error message describing what went wrong with the bulk update request + example: Invalid request parameters. 
+ type: string + status_code: + description: HTTP status code + example: 400 + type: number + required: + - status_code + - error + - message + description: Bad Request response. + summary: Bulk update Attack discoveries tags: - - Security Detections API - - Rules API - /api/detection_engine/rules/_bulk_action: - post: - description: > - Apply a bulk action, such as bulk edit, duplicate, or delete, to - multiple detection rules. The bulk action is applied to all rules that - match the query or to the rules listed by their IDs. - - - The edit action allows you to add, delete, or set tags, index patterns, - investigation fields, rule actions and schedules for multiple rules at - once. - - The edit action is idempotent, meaning that if you add a tag to a rule - that already has that tag, no changes are made. The same is true for - other edit actions, for example removing an index pattern that is not - specified in a rule will not result in any changes. The only exception - is the `add_rule_actions` and `set_rule_actions` action, which is - non-idempotent. This means that if you add or set a rule action to a - rule that already has that action, a new action is created with a new - unique ID. 
- - > warn + - Security Attack discovery API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request POST 'http://localhost:5601/api/attack_discovery/_bulk' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" \ + --data-raw '{ + "update": { + "ids": [ + "c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f", + "5aa8f2900c0b03854b3b1a52a19558c5ea9893865c78235d4ad3dcc46196f4c7" + ], + "kibana_alert_workflow_status": "acknowledged" + } + }' + x-metaTags: + - content: Kibana + name: product_name + /api/attack_discovery/_find: + get: + description: |- + **Spaces method and path for this operation:** - > When used with [API - key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, - the user's key gets assigned to the affected rules. If the user's key - gets deleted or the user becomes inactive, the rules will stop running. +
get /s/{space_id}/api/attack_discovery/_find
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - > If the API key that is used for authorization has different privileges - than the key that created or most recently updated the rule, the rule - behavior might change. - operationId: PerformRulesBulkAction + Find Attack discoveries that match the search criteria. Supports free text search, filtering, pagination, and sorting. + operationId: AttackDiscoveryFind parameters: - - description: > - Enables dry run mode for the request call. - - - Enable dry run mode to verify that bulk actions can be applied to - specified rules. Certain rules, such as prebuilt Elastic rules on a - Basic subscription, can’t be edited and will return errors in the - request response. Error details will contain an explanation, the - rule name and/or ID, and additional troubleshooting information. - - - To enable dry run mode on a request, add the query parameter - `dry_run=true` to the end of the request URL. Rules specified in the - request will be temporarily updated. These updates won’t be written - to Elasticsearch. - - > info - - > Dry run mode is not supported for the `export` bulk action. A 400 - error will be returned in the request response. + - description: Filter results to Attack discoveries that include any of the provided alert IDs in: query - name: dry_run + name: alert_ids + required: false + schema: + items: + type: string + type: array + - description: Filter results to Attack discoveries created by any of the provided human readable connector names. Note that values must match the human readable `connector_name` property of an Attack discovery, e.g. "GPT-5 Chat", which are distinct from `connector_id` values used to generate Attack discoveries. + in: query + name: connector_names + required: false + schema: + items: + type: string + type: array + - description: Enables a markdown syntax used to render pivot fields, for example `{{ user.name james }}`. 
When disabled, the same example would be rendered as `james`. This is primarily used for Attack Discovery views within Kibana. Defaults to `false`. + example: false + in: query + name: enable_field_rendering + required: false + schema: + default: false + type: boolean + - description: End of the time range for the search. Accepts absolute timestamps (ISO 8601) or relative date math (e.g. "now", "now-24h"). + example: now + in: query + name: end + required: false + schema: + type: string + - description: Filter results to the Attack discoveries with the specified IDs + in: query + name: ids + required: false + schema: + items: + type: string + type: array + - description: If `true`, the response will include `unique_alert_ids` and `unique_alert_ids_count` aggregated across the matched Attack discoveries + example: false + in: query + name: include_unique_alert_ids + required: false + schema: + type: boolean + - description: Page number to return (used for pagination). Defaults to 1. + example: 1 + in: query + name: page + required: false + schema: + default: 1 + minimum: 1 + type: integer + - description: Number of Attack discoveries to return per page (used for pagination). Defaults to 10. + example: 10 + in: query + name: per_page + required: false + schema: + default: 10 + minimum: 1 + type: integer + - description: Free-text search query applied to relevant text fields of Attack discoveries (title, description, tags, etc.) + example: '' + in: query + name: search + required: false + schema: + type: string + - description: Whether to filter by shared visibility. If omitted, both shared and privately visible Attack discoveries are returned. Use `true` to return only shared discoveries, `false` to return only those visible to the current user. + in: query + name: shared + required: false + schema: + type: boolean + - description: Whether to filter by scheduled or ad-hoc attack discoveries. If omitted, both types of attack discoveries are returned. 
Use `true` to return only scheduled discoveries or `false` to return only ad-hoc discoveries. + in: query + name: scheduled + required: false + schema: + type: boolean + - description: Field used to sort results. See `AttackDiscoveryFindSortField` for allowed values. + example: '@timestamp' + in: query + name: sort_field + required: false + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryFindSortField' + default: '@timestamp' + - description: Sort order direction `asc` for ascending or `desc` for descending. Defaults to `desc`. + example: desc + in: query + name: sort_order + required: false + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_SortOrder' + default: desc + - description: Start of the time range for the search. Accepts absolute timestamps (ISO 8601) or relative date math (e.g. "now-7d"). + example: now-24h + in: query + name: start + required: false + schema: + type: string + - description: Filter by alert workflow status. Provide one or more of the allowed workflow states. + example: + - open + - acknowledged + in: query + name: status + required: false + schema: + items: + enum: + - acknowledged + - closed + - open + type: string + type: array + - description: When true, return the created Attack discoveries with text replacements applied to the detailsMarkdown, entitySummaryMarkdown, summaryMarkdown, and title fields. Defaults to `true`. + example: true + in: query + name: with_replacements required: false schema: + default: true type: boolean + responses: + '200': + content: + application/json: + examples: + AttackDiscoveryFindResponse200Example: + summary: Paginated list of Attack discoveries matching the search criteria. 
+ value: + connector_names: + - GPT-5 Chat + data: + - connector_name: GPT-5 Chat + id: c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f + title: Suspicious process execution on host-01 + page: 1 + per_page: 10 + total: 1 + unique_alert_ids_count: 0 + schema: + type: object + properties: + connector_names: + description: List of human readable connector names that are present in the matched Attack discoveries. Useful for building client filters or summaries. + items: + type: string + type: array + data: + description: Array of matched Attack discovery objects. Each item follows the `AttackDiscoveryApiAlert` schema. + items: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiAlert' + type: array + page: + description: Current page number of the paginated result set. + type: integer + per_page: + description: Number of items requested per page. + type: integer + total: + description: Total number of Attack discoveries matching the query (across all pages). + type: integer + unique_alert_ids: + description: List of unique alert IDs aggregated from the matched Attack discoveries. Only present if `include_unique_alert_ids=true` in the request. + items: + type: string + type: array + unique_alert_ids_count: + description: Number of unique alert IDs across all matched Attack discoveries. Only present if `include_unique_alert_ids=true` in the request. + type: integer + required: + - connector_names + - data + - page + - per_page + - total + - unique_alert_ids_count + description: Indicates a successful call. + '400': + content: + application/json: + examples: + AttackDiscoveryFindResponse400Example: + summary: Bad Request error returned when find query parameters are invalid. + value: + error: Bad Request + message: Invalid request payload. 
+ status_code: 400 + schema: + type: object + properties: + error: + description: Error type + example: Bad Request + type: string + message: + description: Human-readable error message + example: Invalid request payload. + type: string + status_code: + description: HTTP status code + example: 400 + type: number + description: Bad Request response. + summary: Find Attack discoveries that match the search criteria + tags: + - Security Attack discovery API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request GET 'http://localhost:5601/api/attack_discovery/_find?end=now&include_unique_alert_ids=false&page=1&per_page=10&search=&sort_field=%40timestamp&sort_order=desc&start=now-24h&status=open&status=acknowledged' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" + x-metaTags: + - content: Kibana + name: product_name + /api/attack_discovery/_generate: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/attack_discovery/_generate
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Initiates the generation of attack discoveries by analyzing security alerts using AI. Returns an execution UUID that can be used to track the generation progress and retrieve results. Results may also be retrieved via the find endpoint. + operationId: PostAttackDiscoveryGenerate requestBody: content: application/json: examples: - example01: - description: The following request activates all rules with the test tag. - summary: Enable - Enable all rules with the test tag - value: - action: enable - query: 'alert.attributes.tags: "test"' - example02: - description: The following request enables the rule with the specified ID. - summary: Enable - Enable a specific rule by ID. - value: - action: enable - ids: - - 748694f0-6977-4ea5-8384-cd2e39730779 - example03: - description: The following request disables the rule with the specified ID. - summary: Disable - Disable a specific rule by ID - value: - action: disable - ids: - - 748694f0-6977-4ea5-8384-cd2e39730779 - example04: - description: >- - The following request duplicates rules with the specified IDs, - including exceptions but not expired exceptions. - summary: Duplicate - Duplicate rules with specific IDs - value: - action: duplicate - duplicate: - include_exceptions: true - include_expired_exceptions: false - ids: - - 748694f0-6977-4ea5-8384-cd2e39730779 - - 461a4c22-416e-4009-a9a7-cf79656454bf - example05: - description: The following request deletes the rule with the specified ID. - summary: Delete - Delete a specific rule by ID - value: - action: delete - ids: - - cf4abfd1-7c37-4519-ab0f-5ea5c75fac60 - example06: - description: >- - The following request runs the rule with the specified ID - within the given date range. 
- summary: Run - Run a specific rule by ID - value: - action: run - ids: - - 748694f0-6977-4ea5-8384-cd2e39730779 - run: - end_date: '2025-03-10T23:59:59.999Z' - start_date: '2025-03-01T00:00:00.000Z' - example07: - description: >- - The following request exports the rules with the specified - IDs. - summary: Export - Export specific rules by ID - value: - action: export - ids: - - 748694f0-6977-4ea5-8384-cd2e39730779 - example08: - description: >- - The following request will validate that the - add_index_patterns bulk action can be successfully applied to - three rules. The dry_run parameter is specified in query - parameters, e.g. POST - api/detection_engine/rules/_bulk_action?dry_run=true - summary: Edit - dry run - Validate add_index_patterns bulk action - value: - action: edit - edit: - - type: add_index_patterns - value: - - test-* - ids: - - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 - - dc015d10-0831-11ed-ac8b-05a222bd8d4a - - de8f5af0-0831-11ed-ac8b-05a222bd8d4a - example09: - description: >- - The following request adds the tag "tag-1" to the rules with - the specified IDs. If the tag already exists for a rule, no - changes are made. - summary: Edit - Add a tag to rules (idempotent) - value: - action: edit - edit: - - type: add_tags - value: - - tag-1 - ids: - - 8bc7dad0-9320-11ec-9265-8b772383a08d - - 8e5c1a40-9320-11ec-9265-8b772383a08d - example10: - description: >- - The following request adds two tags at the same time, tag-1 - and tag-2, to the rules that have the IDs sent in the payload. - If the tags already exist for a rule, no changes are made. - summary: Edit - Add two tags to rules (idempotent) - value: - action: edit - edit: - - type: add_tags - value: - - tag-1 - - tag-2 - ids: - - 8bc7dad0-9320-11ec-9265-8b772383a08d - - 8e5c1a40-9320-11ec-9265-8b772383a08d - example11: - description: >- - The following request removes the tag "tag-1" from the rules - with the specified IDs. If the tag does not exist for a rule, - no changes are made. 
- summary: Edit - Delete a tag from rules (idempotent) - value: - action: edit - edit: - - type: delete_tags - value: - - tag-1 - ids: - - 8bc7dad0-9320-11ec-9265-8b772383a08d - - 8e5c1a40-9320-11ec-9265-8b772383a08d - example12: - description: >- - The following request sets the tags "tag-1" and "tag-2" for - the rules with the specified IDs, overwriting any existing - tags. If the set of tags is the same as the existing tags, no - changes are made. - summary: Edit - Set (overwrite existing) tags for rules (idempotent) - value: - action: edit - edit: - - type: set_tags - value: - - tag-1 - - tag-2 - ids: - - 8bc7dad0-9320-11ec-9265-8b772383a08d - - 8e5c1a40-9320-11ec-9265-8b772383a08d - example13: - description: >- - The following request adds the index pattern "test-*" to the - rules with the specified IDs. If the index pattern already - exists for a rule, no changes are made. - summary: Edit - Add index patterns to rules (idempotent) - value: - action: edit - edit: - - type: add_index_patterns - value: - - test-* - ids: - - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 - - dc015d10-0831-11ed-ac8b-05a222bd8d4a - example14: - description: >- - The following request removes the index pattern "test-*" from - the rules with the specified IDs. If the index pattern does - not exist for a rule, no changes are made. - summary: Edit - Remove index patterns from rules (idempotent) - value: - action: edit - edit: - - type: delete_index_patterns - value: - - test-* - ids: - - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 - - dc015d10-0831-11ed-ac8b-05a222bd8d4a - example15: - description: >- - The following request sets the index patterns "test-*" and - "prod-*" for the rules with the specified IDs, overwriting any - existing index patterns. If the set of index patterns is the - same as the existing index patterns, no changes are made. 
- summary: >- - Edit - Set (overwrite existing) index patterns for rules - patterns (idempotent) - value: - action: edit - edit: - - type: set_index_patterns - value: - - test-* - ids: - - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 - - dc015d10-0831-11ed-ac8b-05a222bd8d4a - example16: - description: >- - The following request adds investigation field to the rules - with the specified IDs. - summary: Edit - Add investigation field to rules - value: - action: edit - edit: - - type: add_investigation_fields - value: - field_names: - - alert.status - ids: - - 12345678-1234-1234-1234-1234567890ab - - 87654321-4321-4321-4321-0987654321ba - example17: - description: >- - The following request deletes investigation fields from the - rules with the specified IDs. If the field does not exist for - a rule, no changes are made. - summary: Edit - Delete investigation fields from rules (idempotent) + PostAttackDiscoveryGenerateRequestBodyExample: + summary: Generate Attack discoveries from alerts in the last 24 hours. value: - action: edit - edit: - - type: delete_investigation_fields - ids: - - 12345678-1234-1234-1234-1234567890ab - - 87654321-4321-4321-4321-0987654321ba + alertsIndexPattern: .alerts-security.alerts-default + anonymizationFields: + - allowed: true + anonymized: true + field: host.name + - allowed: true + anonymized: true + field: user.name + - allowed: true + anonymized: false + field: process.name + apiConfig: + actionTypeId: .gen-ai + connectorId: 12345678-1234-1234-1234-123456789012 + connectorName: GPT-5 Chat + end: now + replacements: {} + size: 100 + start: now-24h + subAction: invokeAI + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenerationConfig' + required: true + responses: + '200': + content: + application/json: + examples: + PostAttackDiscoveryGenerateResponse200Example: + summary: Generation started; use the returned execution UUID to track progress. 
value: - - field1 - - field2 - example18: - description: >- - The following request sets investigation fields for the rules - with the specified IDs, overwriting any existing investigation - fields. If the set of investigation fields is the same as the - existing investigation fields, no changes are made. - summary: >- - Edit - Set (overwrite existing) investigation fields for rules - (idempotent) - value: - action: edit - edit: - - type: set_investigation_fields - value: - - field1 - - field2 - ids: - - 12345678-1234-1234-1234-1234567890ab - - 87654321-4321-4321-4321-0987654321ba - example19: - description: >- - The following request sets a timeline template for the rules - with the specified IDs. If the same timeline template is - already set for a rule, no changes are made. - summary: >- - Edit - Set (overwrite existing) timeline template for rules - (idempotent) - value: - action: edit - edit: - - type: set_timeline - value: - timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd - timeline_title: Alerts Involving a Single User Timeline - ids: - - eacdfc95-e007-41c9-986e-4b2cbdfdc71b - example20: - description: >- - The following request sets a schedule for the rules with the - specified IDs. If the same schedule is already set for a rule, - no changes are made. - summary: >- - Edit - Set (overwrite existing) schedule for rules - (idempotent) - value: - action: edit - edit: - - type: set_schedule - value: - interval: 1h - lookback: 30m - ids: - - 99887766-5544-3322-1100-aabbccddeeff - example21: - description: >- - The following request adds rule actions to the rules with the - specified IDs. Each new action receives its own unique ID. 
- summary: Edit - Add rule actions to rules (non-idempotent) - value: - action: edit - edit: - - type: add_rule_actions - value: - actions: - - group: default - id: 20fbf986-a270-460e-80f3-7b83c08b430f - params: - body: The message body - ids: - - 9e946bfc-3118-4c77-bb25-67d781191928 - example22: - description: >- - The following request sets rule actions for the rules with the - specified IDs. Each action receives its own unique ID. - summary: >- - Edit - Set (overwrite existing) rule actions for rules - (non-idempotent) - value: - action: edit - edit: - - type: set_rule_actions - value: - actions: - - group: default - id: 20fbf986-a270-460e-80f3-7b83c08b430f - params: - body: The message body - ids: - - 9e946bfc-3118-4c77-bb25-67d781191928 - example23: - description: >- - The following request adds rule actions to the rules with the - specified IDs. Each new action receives its own unique ID. - summary: Edit - Add rule actions to rules for a webhook connector - value: - action: edit - edit: - - type: add_rule_actions - value: - actions: - - group: default3 - id: 20fbf986-a270-460e-80f3-7b83c08b430f - params: - body: The message body - ids: - - 9e946bfc-3118-4c77-bb25-67d781191921 - example24: - description: >- - The following request adds rule actions to the rules with the - specified IDs. Each new action receives its own unique ID. - summary: Edit - Add rule actions to rules for an email connector - value: - action: edit - edit: - - type: add_rule_actions - value: - actions: - - group: default3 - id: 20fbf986-a270-460e-80f3-7b83c08b430f - params: - message: The message body - subject: Subject - to: address@domain.com - ids: - - 9e946bfc-3118-4c77-bb25-67d781191921 - example25: - description: >- - The following request adds rule actions to the rules with the - specified IDs. Each new action receives its own unique ID. 
- summary: Edit - Add rule actions to rules for a slack connector - value: - action: edit - edit: - - type: add_rule_actions - value: - actions: - - group: default3 - id: 20fbf986-a270-460e-80f3-7b83c08b430f - params: - message: The content of the message - ids: - - 9e946bfc-3118-4c77-bb25-67d781191921 - example26: - description: >- - The following request adds rule actions to the rules with the - specified IDs. Each new action receives its own unique ID. - summary: Edit - Add rule actions to rules for a PagerDuty connector - value: - action: edit - edit: - - type: add_rule_actions - value: - actions: - - group: default3 - id: 20fbf986-a270-460e-80f3-7b83c08b430f - params: - eventAction: trigger - severity: critical - summary: The message body - timestamp: 2023-10-31T00:00:00.000Z - ids: - - 9e946bfc-3118-4c77-bb25-67d781191921 - example27: - description: >- - The following request set alert suppression to the rules with - the specified IDs. - summary: Edit - Set alert suppression to rules (idempotent) - value: - action: edit - edit: - - type: set_alert_suppression - value: - duration: - unit: h - value: 1 - group_by: - - source.ip - missing_fields_strategy: suppress - ids: - - 12345678-1234-1234-1234-1234567890ab - - 87654321-4321-4321-4321-0987654321ba - example28: - description: >- - The following request set alert suppression to threshold rules - with the specified IDs. - summary: Edit - Set alert suppression to threshold rules (idempotent) - value: - action: edit - edit: - - type: set_alert_suppression_for_threshold - value: - duration: - unit: h - value: 1 - ids: - - 12345678-1234-1234-1234-1234567890ab - - 87654321-4321-4321-4321-0987654321ba - example29: - description: >- - The following request removes alert suppression from the rules - with the specified IDs. If the rules do not have alert - suppression, no changes are made. 
- summary: Edit - Removes alert suppression from rules (idempotent) - value: - action: edit - edit: - - type: delete_alert_suppression - ids: - - 12345678-1234-1234-1234-1234567890ab - - 87654321-4321-4321-4321-0987654321ba - example30: - description: >- - The following request triggers the filling of gaps for the - specified rule ids and time range - summary: >- - Fill Gaps - Manually trigger the filling of gaps for specified - rules - value: - action: fill_gaps - ids: - - 748694f0-6977-4ea5-8384-cd2e39730779 - - 164d0918-f720-4c9f-9f5c-c5122587cf19 - run: - end_date: '2025-03-10T23:59:59.999Z' - start_date: '2025-03-01T00:00:00.000Z' - schema: - oneOf: - - $ref: '#/components/schemas/Security_Detections_API_BulkDeleteRules' - - $ref: >- - #/components/schemas/Security_Detections_API_BulkDisableRules - - $ref: '#/components/schemas/Security_Detections_API_BulkEnableRules' - - $ref: '#/components/schemas/Security_Detections_API_BulkExportRules' - - $ref: >- - #/components/schemas/Security_Detections_API_BulkDuplicateRules - - $ref: >- - #/components/schemas/Security_Detections_API_BulkManualRuleRun - - $ref: >- - #/components/schemas/Security_Detections_API_BulkManualRuleFillGaps - - $ref: '#/components/schemas/Security_Detections_API_BulkEditRules' - responses: - '200': + execution_uuid: edd26039-0990-4d9f-9829-2a1fcacb77b5 + schema: + type: object + properties: + execution_uuid: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + description: The unique identifier for the attack discovery generation process. Use this UUID to track the generation progress and retrieve results via the find endpoint. + example: edd26039-0990-4d9f-9829-2a1fcacb77b5 + required: + - execution_uuid + description: Indicates a successful call. + '400': content: application/json: examples: - example01: - description: >- - In this response one rule was updated and one was skipped. 
- Objects returned in attributes.results.skipped will only - include rules' id, name, and skip_reason. - summary: Successful response - value: - attributes: - results: - created: [] - deleted: [] - skipped: - - id: 51658332-a15e-4c9e-912a-67214e2e2359 - name: Skipped rule - skip_reason: RULE_NOT_MODIFIED - updated: - - anomaly_threshold: 50 - author: - - Elastic - created_at: '2022-02-21T14:14:13.801Z' - created_by: elastic - description: >- - A machine learning job detected unusually large - numbers of DNS queries for a single top-level DNS - domain, which is often used for DNS tunneling. DNS - tunneling can be used for command-and-control, - persistence, or data exfiltration activity. For - example, dnscat tends to generate many DNS - questions for a top-level domain as it uses the - DNS protocol to tunnel data. - enabled: true - exceptions_list: [] - execution_summary: - last_execution: - date: '2022-03-23T16:06:12.787Z' - message: >- - This rule attempted to query data from - Elasticsearch indices listed in the "Index - pattern" section of the rule definition, but - no matching index was found. - metrics: - execution_gap_duration_s: 0 - total_indexing_duration_ms: 15 - total_search_duration_ms: 135 - status: partial failure - status_order: 20 - false_positives: - - >- - DNS domains that use large numbers of child - domains, such as software or content - distribution networks, can trigger this alert - and such parent domains can be excluded. 
- from: now-45m - id: 8bc7dad0-9320-11ec-9265-8b772383a08d - immutable: false - interval: 15m - license: Elastic License v2 - machine_learning_job_id: - - packetbeat_dns_tunneling_ea - max_signals: 100 - name: DNS Tunneling [Duplicate] - references: - - >- - https://www.elastic.co/docs/reference/machine-learning/ootb-ml-jobs-siem - related_integrations: [] - required_fields: [] - risk_score: 21 - risk_score_mapping: [] - rule_id: 7289bf08-4e91-4c70-bf01-e04c4c5d7756 - setup: '' - severity: low - severity_mapping: [] - tags: - - Elastic - - Network - - Threat Detection - - ML - threat: [] - to: now - type: machine_learning - updated_at: '2022-02-21T17:05:50.883Z' - updated_by: elastic - version: 6 - summary: - failed: 0 - skipped: 1 - succeeded: 1 - total: 2 - rules_count: 1 - success: true - example02: - description: >- - If processing of any rule fails, a partial error outputs the - ID and/or name of the affected rule and the corresponding - error, as well as successfully processed rules (in the same - format as a successful 200 request). - summary: Partial failure - value: - value: - attributes: - errors: - - message: >- - Index patterns can't be added. Machine learning - rule doesn't have index patterns property - rules: - - id: 8bc7dad0-9320-11ec-9265-8b772383a08d - name: DNS Tunneling [Duplicate] - status_code: 500 - results: - created: [] - deleted: [] - skipped: [] - updated: - - actions: [] - author: - - Elastic - created_at: '2022-02-21T14:14:17.883Z' - created_by: elastic - description: >- - Generates a detection alert for each external - alert written to the configured indices. - Enabling this rule allows you to immediately - begin investigating external alerts in the app. 
- enabled: true - exceptions_list: [] - execution_summary: - last_execution: - date: '2022-03-23T16:06:12.787Z' - message: >- - This rule attempted to query data from - Elasticsearch indices listed in the "Index - pattern" section of the rule definition, but - no matching index was found. - metrics: - execution_gap_duration_s: 0 - total_indexing_duration_ms: 15 - total_search_duration_ms: 135 - status: partial failure - status_order: 20 - false_positives: [] - from: now-6m - id: 8e5c1a40-9320-11ec-9265-8b772383a08d - immutable: false - index: - - apm-*-transaction* - - traces-apm* - - auditbeat-* - - filebeat-* - - logs-* - - packetbeat-* - - winlogbeat-* - - added-by-id-* - interval: 5m - language: kuery - license: Elastic License v2 - max_signals: 10000 - name: External Alerts [Duplicate] - query: > - event.kind:alert and not event.module:(endgame - or endpoint) - references: [] - related_integrations: [] - required_fields: [] - risk_score: 47 - risk_score_mapping: - - field: event.risk_score - operator: equals - value: '' - rule_id: 941faf98-0cdc-4569-b16d-4af962914d61 - rule_name_override: message - setup: '' - severity: medium - severity_mapping: - - field: event.severity - operator: equals - severity: low - value: '21' - - field: event.severity - operator: equals - severity: medium - value: '47' - - field: event.severity - operator: equals - severity: high - value: '73' - - field: event.severity - operator: equals - severity: critical - value: '99' - tags: - - Elastic - - Network - - Windows - - APM - - macOS - - Linux - threat: [] - timestamp_override: event.ingested - to: now - type: query - updated_at: '2022-02-21T16:56:22.818Z' - updated_by: elastic - version: 5 - summary: - failed: 1 - skipped: 0 - succeeded: 1 - total: 2 - message: Bulk edit partially failed - rules_count: 2 - status_code: 500 - success: false - example03: - description: >- - The attributes.errors section of the response shows that two - rules failed to update and one succeeded. 
The same results - would be returned if you ran the request without dry run - mode enabled. Notice that there are no arrays in - attributes.results. In dry run mode, rule updates are not - applied and saved to Elasticsearch, so the endpoint wouldn’t - return results for rules that have been updated, created, or - deleted. - summary: Dry run - value: - attributes: - errors: - - err_code: IMMUTABLE - message: Elastic rule can't be edited - rules: - - id: 81aa0480-06af-11ed-94fb-dd1a0597d8d2 - name: Unusual AWS Command for a User - status_code: 500 - - err_code: MACHINE_LEARNING_INDEX_PATTERN - message: Machine learning rule doesn't have index patterns - rules: - - id: dc015d10-0831-11ed-ac8b-05a222bd8d4a - name: Suspicious Powershell Script [Duplicate] - status_code: 500 - results: - created: [] - deleted: [] - skipped: [] - updated: [] - summary: - failed: 2 - skipped: 0 - succeeded: 1 - total: 3 - message: Bulk edit partially failed - status_code: 500 - example04: - description: >- - This example presents the successful setting of tags for 2 - rules. There was a difference between the set of tags that - were being added and the tags that were already set in the - rules, that's why the rules were updated. 
- summary: Set tags successsully for 2 rules - value: - attributes: - results: - created: [] - deleted: [] - skipped: [] - updated: - - actions: [] - author: [] - created_at: '2025-03-25T11:46:41.899Z' - created_by: elastic - description: test - enabled: false - exceptions_list: [] - false_positives: [] - filters: [] - from: now-6m - id: 738112cd-6cfa-414a-8457-2a658845d6ba - immutable: false - index: - - apm-*-transaction* - - auditbeat-* - - endgame-* - - filebeat-* - - logs-* - - packetbeat-* - - traces-apm* - - winlogbeat-* - - '-*elastic-cloud-logs-*' - interval: 5m - language: kuery - license: '' - max_signals: 100 - meta: - kibana_siem_app_url: http://localhost:5601/kbn/app/security - name: Rule 1 - output_index: '' - query: '*' - references: [] - related_integrations: [] - required_fields: [] - revision: 1 - risk_score: 21 - risk_score_mapping: [] - rule_id: 6fb746a0-dfe5-40fa-b03f-5cbb84f3e32e - rule_source: - type: internal - setup: '' - severity: low - severity_mapping: [] - tags: - - tag-1 - - tag-2 - threat: [] - to: now - type: query - updated_at: '2025-03-25T11:47:11.350Z' - updated_by: elastic - version: 2 - - actions: - - action_type_id: .webhook - frequency: - notifyWhen: onActiveAlert - summary: true - throttle: null - group: default - id: 20fbf986-a270-460e-80f3-7b83c08b430f - params: - body: Hello - uuid: 580e2e16-5e91-411c-999b-7b75a11ed441 - author: [] - created_at: '2025-03-25T09:49:08.343Z' - created_by: elastic - description: test - enabled: false - exceptions_list: [] - false_positives: [] - filters: [] - from: now-360s - id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b - immutable: false - index: - - apm-*-transaction* - - auditbeat-* - - endgame-* - - filebeat-* - - logs-* - - packetbeat-* - - traces-apm* - - winlogbeat-* - - '-*elastic-cloud-logs-*' - interval: 3m - investigation_fields: - field_names: - - alert.status - - >- - Endpoint.policy.applied.artifacts.global.channel - language: kuery - license: '' - max_signals: 100 - meta: - from: 
3m - kibana_siem_app_url: http://localhost:5601/kbn/app/security - name: Rule 2 - output_index: '' - query: '*' - references: [] - related_integrations: [] - required_fields: [] - revision: 33 - risk_score: 21 - risk_score_mapping: [] - rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180 - rule_source: - type: internal - setup: '' - severity: low - severity_mapping: [] - tags: - - tag-1 - - tag-2 - threat: [] - timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd - timeline_title: Alerts Involving a Single User Timeline - to: now - type: query - updated_at: '2025-03-25T11:47:11.357Z' - updated_by: elastic - version: 24 - summary: - failed: 0 - skipped: 0 - succeeded: 2 - total: 2 - rules_count: 2 - success: true - example05: - description: >- - This example presents the idempotent behavior of the edit - action with set_tags request. Both rules already had exactly - the same tags that were being added, so no changes were made - in any of them. - summary: Idempotent behavior of set_tags - value: - attributes: - results: - created: [] - deleted: [] - skipped: - - id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b - name: Rule 1 - skip_reason: RULE_NOT_MODIFIED - - id: 738112cd-6cfa-414a-8457-2a658845d6ba - name: Rule 2 - skip_reason: RULE_NOT_MODIFIED - updated: [] - summary: - failed: 0 - skipped: 2 - succeeded: 0 - total: 2 - rules_count: 2 - success: true - example06: - description: >- - This example presents the idempotent behavior of the edit - action with add_tags request. One rule was updated and one - was skipped. The rule that was skipped already had all the - tags that were being added. - summary: Idempotent behavior of add_tags + PostAttackDiscoveryGenerateResponse400Example: + summary: Bad Request error returned when the generate payload is invalid. 
value: - attributes: - results: - created: [] - deleted: [] - skipped: - - id: 738112cd-6cfa-414a-8457-2a658845d6ba - name: Test Rule 2 - skip_reason: RULE_NOT_MODIFIED - updated: - - actions: - - action_type_id: .webhook - frequency: - notifyWhen: onActiveAlert - summary: true - throttle: null - group: default - id: 20fbf986-a270-460e-80f3-7b83c08b430f - params: - body: Hello - uuid: 580e2e16-5e91-411c-999b-7b75a11ed441 - author: [] - created_at: '2025-03-25T09:49:08.343Z' - created_by: elastic - description: test - enabled: false - exceptions_list: [] - false_positives: [] - filters: [] - from: now-360s - id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b - immutable: false - index: - - apm-*-transaction* - - auditbeat-* - - endgame-* - - filebeat-* - - logs-* - - packetbeat-* - - traces-apm* - - winlogbeat-* - - '-*elastic-cloud-logs-*' - interval: 3m - investigation_fields: - field_names: - - alert.status - - >- - Endpoint.policy.applied.artifacts.global.channel - language: kuery - license: '' - max_signals: 100 - meta: - from: 3m - kibana_siem_app_url: http://localhost:5601/kbn/app/security - name: Test rule - output_index: '' - query: '*' - references: [] - related_integrations: [] - required_fields: [] - revision: 34 - risk_score: 21 - risk_score_mapping: [] - rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180 - rule_source: - type: internal - setup: '' - severity: low - severity_mapping: [] - tags: - - tag-1 - - tag-2 - - tag-4 - threat: [] - timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd - timeline_title: Alerts Involving a Single User Timeline - to: now - type: query - updated_at: '2025-03-25T11:55:12.752Z' - updated_by: elastic - version: 25 - summary: - failed: 0 - skipped: 1 - succeeded: 1 - total: 2 - rules_count: 2 - success: true - example07: - description: >- - This example shows a non-idempotent nature of the - set_rule_actions requests. 
Regardless if the actions are the - same as the existing actions for a rule, the actions are - always set in the rule and receive a new unique ID. - summary: Non-idempotent behavior for set_rule_actions - value: - attributes: - results: - created: [] - deleted: [] - skipped: [] - updated: - - actions: - - action_type_id: .webhook - frequency: - notifyWhen: onActiveAlert - summary: true - throttle: null - group: default - id: 20fbf986-a270-460e-80f3-7b83c08b430f - params: - body: Hello - uuid: e48428e5-efac-4856-b8ad-b271c14eaa91 - author: [] - created_at: '2025-03-25T09:49:08.343Z' - created_by: elastic - description: test - enabled: false - exceptions_list: [] - false_positives: [] - filters: [] - from: now-360s - id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b - immutable: false - index: - - apm-*-transaction* - - auditbeat-* - - endgame-* - - filebeat-* - - logs-* - - packetbeat-* - - traces-apm* - - winlogbeat-* - - '-*elastic-cloud-logs-*' - interval: 3m - investigation_fields: - field_names: - - alert.status - - >- - Endpoint.policy.applied.artifacts.global.channel - language: kuery - license: '' - max_signals: 100 - meta: - from: 3m - kibana_siem_app_url: http://localhost:5601/kbn/app/security - name: Test rule - output_index: '' - query: '*' - references: [] - related_integrations: [] - required_fields: [] - revision: 39 - risk_score: 21 - risk_score_mapping: [] - rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180 - rule_source: - type: internal - setup: '' - severity: low - severity_mapping: [] - tags: - - tag-1 - - tag-2 - - tag-4 - threat: [] - timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd - timeline_title: Alerts Involving a Single User Timeline - to: now - type: query - updated_at: '2025-03-25T12:17:40.528Z' - updated_by: elastic - version: 30 - summary: - failed: 0 - skipped: 0 - succeeded: 1 - total: 1 - rules_count: 1 - success: true - example08: - description: >- - This example shows a non-idempotent nature of the - add_rule_actions requests. 
Regardless if the added action is - the same as another existing action for a rule, the new - action is added to the rule and receives a new unique ID. - summary: Non-idempotent behavior for add_rule_actions - value: - attributes: - results: - created: [] - deleted: [] - skipped: [] - updated: - - actions: - - action_type_id: .webhook - frequency: - notifyWhen: onActiveAlert - summary: true - throttle: null - group: default - id: 76af173d-38d8-4a9a-b2cc-a3c695b845b4 - params: - body: Message body - uuid: 0309347e-3954-429c-9168-5da2663389af - - action_type_id: .webhook - frequency: - notifyWhen: onActiveAlert - summary: true - throttle: null - group: default - id: 76af173d-38d8-4a9a-b2cc-a3c695b845b4 - params: - body: Message body - uuid: 49ddaa94-d63d-410e-90dc-8c1bad9552bd - author: [] - created_at: '2025-04-02T12:42:03.400Z' - created_by: elastic - description: test - enabled: false - exceptions_list: [] - false_positives: [] - filters: [] - from: now-6m - id: 0d3eb0cd-88c4-4651-ac87-6d9f0cb87217 - immutable: false - index: - - apm-*-transaction* - - auditbeat-* - - endgame-* - - filebeat-* - - logs-* - - packetbeat-* - - traces-apm* - - winlogbeat-* - - '-*elastic-cloud-logs-*' - interval: 5m - language: kuery - license: '' - max_signals: 100 - meta: - kibana_siem_app_url: http://localhost:5601/kbn/app/security - name: Jacek test rule - output_index: '' - query: '*' - references: [] - related_integrations: [] - required_fields: [] - revision: 2 - risk_score: 21 - risk_score_mapping: [] - rule_id: 2684c020-1370-4719-ac27-eafe6428fe10 - rule_source: - type: internal - setup: '' - severity: low - severity_mapping: [] - tags: [] - threat: [] - to: now - type: query - updated_at: '2025-04-02T12:51:40.215Z' - updated_by: elastic - version: 2 - summary: - failed: 0 - skipped: 0 - succeeded: 1 - total: 1 - rules_count: 1 - success: true - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Detections_API_BulkEditActionResponse - - $ref: >- - 
#/components/schemas/Security_Detections_API_BulkExportActionResponse - description: OK - summary: Apply a bulk action to detection rules - tags: - - Security Detections API - - Bulk API - /api/detection_engine/rules/_export: - post: - description: > - Export detection rules to an `.ndjson` file. The following configuration - items are also included in the `.ndjson` file: - - - Actions - - - Exception lists - - > info - - > Rule actions and connectors are included in the exported file, but - sensitive information about the connector (such as authentication - credentials) is not included. You must re-add missing connector details - after importing detection rules. - - - > You can use Kibana’s [Saved - Objects](https://www.elastic.co/docs/explore-analyze/find-and-organize/saved-objects) - UI (Stack Management → Kibana → Saved Objects) or the Saved Objects APIs - (experimental) to - [export](https://www.elastic.co/docs/api/doc/kibana/operation/operation-exportsavedobjectsdefault) - and - [import](https://www.elastic.co/docs/api/doc/kibana/operation/operation-importsavedobjectsdefault) - any necessary connectors before importing detection rules. - - - > Similarly, any value lists used for rule exceptions are not included - in rule exports or imports. Use the [Manage value - lists](https://www.elastic.co/docs/solutions/security/detect-and-alert/create-manage-value-lists) - UI (Rules → Detection rules (SIEM) → Manage value lists) to export and - import value lists separately. - operationId: ExportRules - parameters: - - description: Determines whether a summary of the exported rules is returned. - in: query - name: exclude_export_details - required: false - schema: - default: false - type: boolean - - description: > - File name for saving the exported rules. - - > info - - > When using cURL to export rules to a file, use the -O and -J - options to save the rules to the file name specified in the URL. 
- in: query - name: file_name - required: false - schema: - default: export.ndjson - type: string - requestBody: - content: - application/json: - examples: - exportByRuleIds: - summary: Request body to export a subset of rules - value: - objects: - - rule_id: 343580b5-c811-447c-8d2d-2ccf052c6900 - - rule_id: 2938c9fa-53eb-4c04-b79c-33cbf041b18d - schema: - nullable: true - type: object - properties: - objects: - description: >- - Array of objects with a rule's `rule_id` field. Do not use - rule's `id` here. Exports all rules when unspecified. - items: - type: object - properties: - rule_id: - $ref: >- - #/components/schemas/Security_Detections_API_RuleSignatureId - required: - - rule_id - type: array - required: - - objects - required: false - responses: - '200': - content: - application/ndjson: - examples: - sampleNdjson: - value: > - {"rule_id":"343580b5-c811-447c-8d2d-2ccf052c6900","name":"Example - rule","type":"query","enabled":true} - - {"exception_list":true} - - {"export_summary":{"total_rules":1,"exceptions_count":0}} - schema: - description: > - An `.ndjson` file containing the returned rules. - - - Each line in the file represents an object (a rule, exception - list parent container, or exception list item), and the last - line includes a summary of what was exported. - format: binary - type: string - description: Indicates a successful call. - summary: Export detection rules - tags: - - Security Detections API - - Import/Export API - x-codeSamples: - - lang: cURL - source: > - curl -X POST - "localhost:5601/api/detection_engine/rules/_export?exclude_export_details=true&file_name=exported_rules.ndjson" - -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' - - { - "objects": [ - { - "rule_id":"343580b5-c811-447c-8d2d-2ccf052c6900" - }, - { - "rule_id":"2938c9fa-53eb-4c04-b79c-33cbf041b18d" - } - ] - } - /api/detection_engine/rules/_find: - get: - description: >- - Retrieve a paginated list of detection rules. 
By default, the first page - is returned, with 20 results per page. - operationId: FindRules - parameters: - - description: > - List of `alert.attributes` field names to return for each rule (for - example `name`, `enabled`). - - If omitted, the default field set is returned. Repeat the parameter - to pass multiple field names, or - - use comma-separated values when supported by your client. - in: query - name: fields - required: false - schema: - items: - type: string - type: array - - description: > - Search query - - - Filters the returned results according to the value of the specified - field, using the alert.attributes.: syntax, - where can be: - - - name - - - enabled - - - tags - - - createdBy - - - interval - - - updatedBy - - > info - - > Even though the JSON rule object uses created_by and updated_by - fields, you must use createdBy and updatedBy fields in the filter. - in: query - name: filter - required: false - schema: - type: string - - description: Field to sort by - in: query - name: sort_field - required: false - schema: - $ref: '#/components/schemas/Security_Detections_API_FindRulesSortField' - - description: Sort order - in: query - name: sort_order - required: false - schema: - $ref: '#/components/schemas/Security_Detections_API_SortOrder' - - description: Page number - in: query - name: page - required: false - schema: - default: 1 - minimum: 1 - type: integer - - description: Rules per page - in: query - name: per_page - required: false - schema: - default: 20 - minimum: 0 - type: integer - - description: Gaps range start - in: query - name: gaps_range_start - required: false - schema: - type: string - - description: Gaps range end - in: query - name: gaps_range_end - required: false - schema: - type: string - - description: Gap fill statuses - in: query - name: gap_fill_statuses - required: false - schema: - items: - $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' - type: array - - description: >- - Gap auto fill scheduler 
ID used to determine gap fill status for - rules - in: query - name: gap_auto_fill_scheduler_id - required: false - schema: - type: string - responses: - '200': - content: - application/json: - examples: - example1: - value: - data: - - created_at: '2020-02-02T10:05:19.613Z' - created_by: elastic - description: >- - Identifies a PowerShell process launched by either - cscript.exe or wscript.exe. Observing Windows - scripting processes executing a PowerShell script, may - be indicative of malicious activity. - enabled: false - execution_summary: - last_execution: - date: '2022-03-23T16:06:12.787Z' - message: >- - This rule attempted to query data from - Elasticsearch indices listed in the "Index - pattern" section of the rule definition, but no - matching index was found. - metrics: - execution_gap_duration_s: 0 - total_indexing_duration_ms: 15 - total_search_duration_ms: 135 - status: partial failure - status_order: 20 - false_positives: [] - from: now-6m - id: 89761517-fdb0-4223-b67b-7621acc48f9e - immutable: true - index: - - winlogbeat-* - interval: 5m - language: kuery - max_signals: 33 - name: Windows Script Executing PowerShell - query: >- - event.action:"Process Create (rule: ProcessCreate)" - and process.parent.name:("wscript.exe" or - "cscript.exe") and process.name:"powershell.exe" - references: [] - related_integrations: - - package: o365 - version: ^2.3.2 - required_fields: - - ecs: true - name: event.action - type: keyword - - ecs: true - name: process.name - type: keyword - - ecs: true - name: process.parent.name - type: keyword - risk_score: 21 - rule_id: f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc - setup: '' - severity: low - tags: - - Elastic - - Windows - threat: - - framework: MITRE ATT&CK - tactic: - id: TA0002 - name: Execution - reference: https://attack.mitre.org/tactics/TA0002/ - technique: - - id: T1193 - name: Spearphishing Attachment - reference: https://attack.mitre.org/techniques/T1193/ - to: now - type: query - updated_at: 
'2020-02-02T10:05:19.830Z' - updated_by: elastic - page: 1 - perPage: 5 - total: 4 + error: Bad Request + message: Invalid request parameters. + status_code: 400 schema: type: object properties: - data: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RuleResponse - type: array - page: - type: integer - perPage: - type: integer - total: - type: integer - warnings: - items: - $ref: >- - #/components/schemas/Security_Detections_API_WarningSchema - type: array - required: - - page - - perPage - - total - - data - description: > - Successful response - - > info - - > These fields are under development and their usage or schema may - change: execution_summary. - summary: List all detection rules - tags: - - Security Detections API - - Rules API - x-codeSamples: - - lang: cURL - source: > - curl -X GET - "localhost:5601/api/detection_engine/rules/_find?page=1&per_page=5&sort_field=enabled&sort_order=asc&filter=alert.attributes.name:windows" - -H 'kbn-xsrf: true' - /api/detection_engine/rules/_import: - post: - description: > - Import detection rules from an `.ndjson` file, including actions and - exception lists. The request must include: - - - The `Content-Type: multipart/form-data` HTTP header. - - - A link to the `.ndjson` file containing the rules. - - > warn - - > When used with [API - key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, - the user's key gets assigned to the affected rules. If the user's key - gets deleted or the user becomes inactive, the rules will stop running. - - - > If the API key that is used for authorization has different privileges - than the key that created or most recently updated the rule, the rule - behavior might change. - - > info - - > To import rules with actions, you need at least Read privileges for - the Action and Connectors feature. To overwrite or add new connectors, - you need All privileges for the Actions and Connectors feature. 
To - import rules without actions, you don’t need Actions and Connectors - privileges. Refer to [Enable and access - detections](https://www.elastic.co/docs/solutions/security/detect-and-alert/detections-privileges) - for more information. - - - > info - - > Rule actions and connectors are included in the exported file, but - sensitive information about the connector (such as authentication - credentials) is not included. You must re-add missing connector details - after importing detection rules. - - - > You can use Kibana’s [Saved - Objects](https://www.elastic.co/docs/explore-analyze/find-and-organize/saved-objects) - UI (Stack Management → Kibana → Saved Objects) or the Saved Objects APIs - (experimental) to - [export](https://www.elastic.co/docs/api/doc/kibana/operation/operation-exportsavedobjectsdefault) - and - [import](https://www.elastic.co/docs/api/doc/kibana/operation/operation-importsavedobjectsdefault) - any necessary connectors before importing detection rules. - - - > Similarly, any value lists used for rule exceptions are not included - in rule exports or imports. Use the [Manage value - lists](https://www.elastic.co/docs/solutions/security/detect-and-alert/create-manage-value-lists) - UI (Rules → Detection rules (SIEM) → Manage value lists) to export and - import value lists separately. - operationId: ImportRules - parameters: - - description: >- - Determines whether existing rules with the same `rule_id` are - overwritten. - in: query - name: overwrite - required: false - schema: - default: false - type: boolean - - description: >- - Determines whether existing exception lists with the same `list_id` - are overwritten. Both the exception list container and its items are - overwritten. - in: query - name: overwrite_exceptions - required: false - schema: - default: false - type: boolean - - description: >- - Determines whether existing actions with the same - `kibana.alert.rule.actions.id` are overwritten. 
- in: query - name: overwrite_action_connectors - required: false - schema: - default: false - type: boolean - - description: Generates a new list ID for each imported exception list. - in: query - name: as_new_list - required: false - schema: - default: false - type: boolean - requestBody: - content: - multipart/form-data: - examples: - rulesFile: - summary: Multipart part containing a rule export - value: - file: rules_import.ndjson - schema: - type: object - properties: - file: - description: The `.ndjson` file containing the rules. - format: binary - type: string - required: true - responses: - '200': - content: - application/json: - examples: - example1: - summary: Import rules with success - value: - errors: [] - exceptions_errors: [] - exceptions_success: true - exceptions_success_count: 0 - rules_count: 1 - success: true - success_count: 1 - schema: - additionalProperties: false - type: object - properties: - action_connectors_errors: - items: - $ref: '#/components/schemas/Security_Detections_API_ErrorSchema' - type: array - action_connectors_success: - type: boolean - action_connectors_success_count: - minimum: 0 - type: integer - action_connectors_warnings: - items: - $ref: >- - #/components/schemas/Security_Detections_API_WarningSchema - type: array - errors: - items: - $ref: '#/components/schemas/Security_Detections_API_ErrorSchema' - type: array - exceptions_errors: - items: - $ref: '#/components/schemas/Security_Detections_API_ErrorSchema' - type: array - exceptions_success: - type: boolean - exceptions_success_count: - minimum: 0 - type: integer - rules_count: - minimum: 0 - type: integer - success: - type: boolean - success_count: - minimum: 0 - type: integer + error: + description: Error type + example: Bad Request + type: string + message: + description: Human-readable error message describing what went wrong + example: Invalid request parameters. 
+ type: string + status_code: + description: HTTP status code + example: 400 + type: number required: - - exceptions_success - - exceptions_success_count - - exceptions_errors - - rules_count - - success - - success_count - - errors - - action_connectors_errors - - action_connectors_warnings - - action_connectors_success - - action_connectors_success_count - description: Indicates a successful call. - summary: Import detection rules + - status_code + - error + - message + description: Bad Request response. + summary: Generate attack discoveries from alerts tags: - - Security Detections API - - Import/Export API + - Security Attack discovery API x-codeSamples: - - lang: cURL + - label: Example request + lang: curl source: | - curl -X POST "/api/detection_engine/rules/_import" - -u : -H 'kbn-xsrf: true' - -H 'Content-Type: multipart/form-data' - --form "file=@" - /api/detection_engine/rules/{id}/exceptions: - post: - description: Create exception items that apply to a single detection rule. - operationId: CreateRuleExceptionListItems - parameters: - - description: Detection rule's identifier - examples: - id: - value: 330bdd28-eedf-40e1-bed0-f10176c7f9e0 - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Exceptions_API_RuleId' - requestBody: - content: - application/json: - examples: - addItems: - value: - items: - - description: This is a sample detection type exception item. - entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - - field: host.name - operator: included - type: match_any - value: - - saturn - - jupiter - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - type: simple - schema: - example: - items: - - description: This is a sample detection type exception item. 
- entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - - field: host.name - operator: included - type: match_any - value: - - saturn - - jupiter - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - type: simple - type: object - properties: - items: - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemProps - type: array - required: - - items - description: Rule exception items. - required: true - responses: - '200': - content: - application/json: - examples: - ruleExceptionItems: - value: - - _version: WzQsMV0= - comments: [] - created_at: 2025-01-07T20:07:33.119Z - created_by: elastic - description: This is a sample detection type exception item. - entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - - field: host.name - operator: included - type: match_any - value: - - saturn - - jupiter - id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c - type: simple - updated_at: 2025-01-07T20:07:33.119Z - updated_by: elastic - schema: - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItem - type: array - description: Successful response - '400': - content: - application/json: - examples: - badPayload: - value: - error: Bad Request - message: Invalid request payload JSON format - statusCode: 400 - badRequest: - value: - error: Bad Request - message: '[request params]: id: Invalid uuid' - statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - 
application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - message: Unable to create exception-list - status_code: 403 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Create rule exception items - tags: - - Security Exceptions API - /api/detection_engine/rules/prepackaged: - put: - description: > - Install and update all Elastic prebuilt detection rules and Timelines. - - - This endpoint allows you to install and update prebuilt detection rules - and Timelines provided by Elastic. - - When you call this endpoint, it will: - - - Install any new prebuilt detection rules that are not currently - installed in your system. - - - Update any existing prebuilt detection rules that have been modified - or improved by Elastic. - - - Install any new prebuilt Timelines that are not currently installed in - your system. - - - Update any existing prebuilt Timelines that have been modified or - improved by Elastic. - - - This ensures that your detection engine is always up-to-date with the - latest rules and Timelines, - - providing you with the most current and effective threat detection - capabilities. 
- operationId: InstallPrebuiltRulesAndTimelines - responses: - '200': - content: - application/json: - examples: - example1: - value: - rules_installed: 112 - rules_updated: 0 - timelines_installed: 5 - timelines_updated: 2 - schema: - additionalProperties: false - type: object - properties: - rules_installed: - description: The number of rules installed - minimum: 0 - type: integer - rules_updated: - description: The number of rules updated - minimum: 0 - type: integer - timelines_installed: - description: The number of timelines installed - minimum: 0 - type: integer - timelines_updated: - description: The number of timelines updated - minimum: 0 - type: integer - required: - - rules_installed - - rules_updated - - timelines_installed - - timelines_updated - description: Indicates a successful call - summary: Install prebuilt detection rules and Timelines - tags: - - Security Detections API - - Prebuilt Rules API - /api/detection_engine/rules/prepackaged/_status: - get: - description: > - Retrieve the status of all Elastic prebuilt detection rules and - Timelines. - - - This endpoint provides detailed information about the number of custom - rules, installed prebuilt rules, available prebuilt rules that are not - installed, outdated prebuilt rules, installed prebuilt timelines, - available prebuilt timelines that are not installed, and outdated - prebuilt timelines. 
- operationId: ReadPrebuiltRulesAndTimelinesStatus - responses: - '200': - content: - application/json: - examples: - example1: - value: - rules_custom_installed: 0 - rules_installed: 0 - rules_not_installed: 112 - rules_not_updated: 0 - timelines_installed: 0 - timelines_not_installed: 0 - timelines_not_updated: 0 - schema: - additionalProperties: false - type: object - properties: - rules_custom_installed: - description: The total number of custom rules - minimum: 0 - type: integer - rules_installed: - description: The total number of installed prebuilt rules - minimum: 0 - type: integer - rules_not_installed: - description: >- - The total number of available prebuilt rules that are not - installed - minimum: 0 - type: integer - rules_not_updated: - description: The total number of outdated prebuilt rules - minimum: 0 - type: integer - timelines_installed: - description: The total number of installed prebuilt timelines - minimum: 0 - type: integer - timelines_not_installed: - description: >- - The total number of available prebuilt timelines that are - not installed - minimum: 0 - type: integer - timelines_not_updated: - description: The total number of outdated prebuilt timelines - minimum: 0 - type: integer - required: - - rules_custom_installed - - rules_installed - - rules_not_installed - - rules_not_updated - - timelines_installed - - timelines_not_installed - - timelines_not_updated - description: Indicates a successful call - summary: Retrieve the status of prebuilt detection rules and Timelines - tags: - - Security Detections API - - Prebuilt Rules API - /api/detection_engine/rules/preview: - post: - description: > - Simulates a detection rule using the same rule type and query logic as a - persisted rule, over a short - - time window, without persisting a rule or writing alerts. Use the - response to validate queries, see sample - - matching documents, and inspect execution logs. Pair `invocationCount` - and `timeframeEnd` to cap run time. 
- operationId: RulePreview - parameters: - - description: >- - Enables logging and returning in response ES queries, performed - during rule execution - in: query - name: enable_logged_requests - required: false - schema: - type: boolean - requestBody: - content: - application/json: - examples: - queryRule: - value: - description: Find matching events - from: now-24h - index: - - logs-* - invocationCount: 1 - language: kuery - max_signals: 20 - name: Rule preview - query: 'process.name : *' - risk_score: 25 - severity: low - timeframeEnd: '2025-01-20T12:00:00.000Z' - to: now - type: query - schema: - anyOf: - - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_EqlRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewParams - - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_QueryRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewParams - - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewParams - - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewParams - - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewParams - - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewParams - - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewParams - - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_EsqlRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewParams 
- discriminator: - propertyName: type - description: > - Rule create payload (same shape as `POST /api/detection_engine/rules` - for a given `type`) plus - - `invocationCount` and `timeframeEnd` to control how the preview is - executed. Optional - - `enable_logged_requests` surfaces Elasticsearch request logging for - debugging. - required: true - responses: - '200': - content: - application/json: - examples: - success: - value: - isAborted: false - logs: - - duration: 45 - errors: [] - requests: [] - startedAt: 2025-01-20T10:00:00.000Z - warnings: [] - previewId: 7f1c9d1e-4c8a-4a3e-9a5d-0d4f6e1b2a90 - schema: - type: object - properties: - isAborted: - type: boolean - logs: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewLogs - type: array - previewId: - $ref: >- - #/components/schemas/Security_Detections_API_NonEmptyString - required: - - logs + curl \ + --request POST 'http://localhost:5601/api/attack_discovery/_generate' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" \ + --data '{ + "alertsIndexPattern": ".alerts-security.alerts-default", + "anonymizationFields": [ + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "@timestamp", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "aKiJW5gB4U27o8XO8oLf" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "Ransomware.feature", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "saiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "Ransomware.files.data", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "sqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "Ransomware.files.entropy", + "allowed": true, + "anonymized": 
false, + "namespace": "default", + "id": "s6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "Ransomware.files.extension", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "tKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "Ransomware.files.metrics", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "taiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "Ransomware.files.operation", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "tqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "Ransomware.files.path", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "t6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "Ransomware.files.score", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "uKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "Ransomware.version", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "uaiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "_id", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "Z6iJW5gB4U27o8XO8oLf" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "agent.id", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "aaiJW5gB4U27o8XO8oLf" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": 
"cloud.availability_zone", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "aqiJW5gB4U27o8XO8oLf" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "cloud.provider", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "a6iJW5gB4U27o8XO8oLf" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "cloud.region", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "bKiJW5gB4U27o8XO8oLf" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "destination.ip", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "baiJW5gB4U27o8XO8oLf" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "dns.question.name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "bqiJW5gB4U27o8XO8oLf" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "dns.question.type", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "b6iJW5gB4U27o8XO8oLf" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "event.category", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "cKiJW5gB4U27o8XO8oLf" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "event.dataset", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "caiJW5gB4U27o8XO8oLf" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "event.module", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "cqiJW5gB4U27o8XO8oLf" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": 
"2025-07-30T13:33:44.029Z", + "field": "event.outcome", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "c6iJW5gB4U27o8XO8oLf" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "file.Ext.original.path", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "dKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "file.hash.sha256", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "daiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "file.name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "dqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "file.path", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "d6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "group.id", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "eKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "group.name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "eaiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "host.asset.criticality", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "eqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "host.name", + "allowed": true, + "anonymized": true, + "namespace": "default", + "id": "e6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": 
"2025-07-30T13:33:44.029Z", + "field": "host.os.name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "fKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "host.os.version", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "faiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "host.risk.calculated_level", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "fqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "host.risk.calculated_score_norm", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "f6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.original_time", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "gKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.risk_score", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "gaiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.rule.description", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "gqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.rule.name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "g6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.rule.references", + "allowed": true, + "anonymized": false, + "namespace": "default", + 
"id": "hKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.rule.threat.framework", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "haiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.rule.threat.tactic.id", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "hqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.rule.threat.tactic.name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "h6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.rule.threat.tactic.reference", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "iKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.rule.threat.technique.id", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "iaiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.rule.threat.technique.name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "iqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.rule.threat.technique.reference", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "i6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.rule.threat.technique.subtechnique.id", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": 
"jKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.rule.threat.technique.subtechnique.name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "jaiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.rule.threat.technique.subtechnique.reference", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "jqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.severity", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "j6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "kibana.alert.workflow_status", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "kKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "message", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "kaiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "network.protocol", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "kqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.Ext.memory_region.bytes_compressed_present", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "nKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.Ext.memory_region.malware_signature.all_names", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "naiJW5gB4U27o8XO8oLg" + }, + { + 
"timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.Ext.memory_region.malware_signature.primary.matches", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "nqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.Ext.memory_region.malware_signature.primary.signature.name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "n6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.Ext.token.integrity_level_name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "oKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.args", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "k6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.code_signature.exists", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "lKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.code_signature.signing_id", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "laiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.code_signature.status", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "lqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.code_signature.subject_name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "l6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": 
"2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.code_signature.trusted", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "mKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.command_line", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "maiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.executable", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "mqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.exit_code", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "m6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.hash.md5", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "oaiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.hash.sha1", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "oqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.hash.sha256", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "o6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "pKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.parent.args", + "allowed": true, + "anonymized": false, + "namespace": "default", + 
"id": "paiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.parent.args_count", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "pqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.parent.code_signature.exists", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "p6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.parent.code_signature.status", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "qKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.parent.code_signature.subject_name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "qaiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.parent.code_signature.trusted", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "qqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.parent.command_line", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "q6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.parent.executable", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "rKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.parent.name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "raiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", 
+ "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.pe.original_file_name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "rqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.pid", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "r6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "process.working_directory", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "sKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "rule.name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "uqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "rule.reference", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "u6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "source.ip", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "vKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "threat.framework", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "vaiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "threat.tactic.id", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "vqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "threat.tactic.name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "v6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": 
"2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "threat.tactic.reference", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "wKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "threat.technique.id", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "waiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "threat.technique.name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "wqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "threat.technique.reference", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "w6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "threat.technique.subtechnique.id", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "xKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "threat.technique.subtechnique.name", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "xaiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "threat.technique.subtechnique.reference", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "xqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "user.asset.criticality", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "x6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "user.domain", + "allowed": 
true, + "anonymized": false, + "namespace": "default", + "id": "yKiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "user.name", + "allowed": true, + "anonymized": true, + "namespace": "default", + "id": "yaiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "user.risk.calculated_level", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "yqiJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "user.risk.calculated_score_norm", + "allowed": true, + "anonymized": false, + "namespace": "default", + "id": "y6iJW5gB4U27o8XO8oLg" + }, + { + "timestamp": "2025-07-30T13:33:44.029Z", + "createdAt": "2025-07-30T13:33:44.029Z", + "field": "user.target.name", + "allowed": true, + "anonymized": true, + "namespace": "default", + "id": "zKiJW5gB4U27o8XO8oLg" + } + ], + "replacements": {}, + "size": 100, + "subAction": "invokeAI", + "apiConfig": { + "connectorId": "12345678-1234-1234-1234-123456789012", + "actionTypeId": ".gen-ai" + }, + "connectorName": "GPT-5 Chat", + "end": "now", + "start": "now-24h" + }' + x-metaTags: + - content: Kibana + name: product_name + /api/attack_discovery/generations: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/attack_discovery/generations
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the latest Attack Discovery generations metadata (that are not dismissed) for the current user. This endpoint retrieves generation metadata including execution status and statistics for Attack Discovery generations. + operationId: GetAttackDiscoveryGenerations + parameters: + - description: End of the time range for filtering generations. Accepts absolute timestamps (ISO 8601) or relative date math (e.g. "now", "now-24h"). + example: now + in: query + name: end + required: false + schema: + type: string + - description: The maximum number of generations to retrieve + example: 50 + in: query + name: size + required: false + schema: + default: 50 + minimum: 1 + type: number + - description: Start of the time range for filtering generations. Accepts absolute timestamps (ISO 8601) or relative date math (e.g. "now-7d"). + example: now-24h + in: query + name: start + required: false + schema: + type: string + responses: + '200': + content: + application/json: + examples: + GetAttackDiscoveryGenerationsResponse200Example: + summary: Latest Attack Discovery generation metadata for the current user. + value: + generations: + - alerts_context_count: 75 + connector_id: chatGpt5_0ChatAzure + discoveries: 3 + end: '2025-09-29T06:42:44.810Z' + execution_uuid: 46b218d5-535d-4329-be56-d0f6af6986b7 + loading_message: AI is analyzing up to 100 alerts in the last 24 hours to generate discoveries. + start: '2025-09-29T06:42:08.962Z' + status: succeeded + schema: + type: object + properties: + generations: + description: List of Attack Discovery generations + items: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGeneration' + type: array + required: + - generations + description: Indicates a successful call. 
+ '400': + content: + application/json: + examples: + GetAttackDiscoveryGenerationsResponse400Example: + summary: Bad Request error returned when the size parameter is invalid. + value: + error: Bad Request + message: Invalid size parameter. Must be a positive number. + status_code: 400 + schema: + type: object + properties: + error: + description: Error type + example: Bad Request + type: string + message: + description: Human-readable error message + example: Invalid size parameter. Must be a positive number. + type: string + status_code: + description: HTTP status code + example: 400 + type: number + description: Bad Request response. + summary: Get the latest Attack Discovery generations metadata for the current user + tags: + - Security Attack discovery API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request GET 'http://localhost:5601/api/attack_discovery/generations?size=50&start=now-24h&end=now' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" + x-metaTags: + - content: Kibana + name: product_name + /api/attack_discovery/generations/{execution_uuid}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/attack_discovery/generations/{execution_uuid}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Returns a specific Attack Discovery generation, including all generated Attack discoveries and associated metadata, including execution status and statistics. + operationId: GetAttackDiscoveryGeneration + parameters: + - description: The unique identifier for the Attack Discovery generation execution. This UUID is returned at the start of an Attack Discovery generation. + example: 2e13f386-46cf-4d65-9e2b-68609e132ba5 + in: path + name: execution_uuid + required: true + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + - description: Enables a markdown syntax used to render pivot fields, for example `{{ user.name james }}`. When disabled, the same example would be rendered as `james`. This is primarily used for Attack Discovery views within Kibana. Defaults to `false`. + example: false + in: query + name: enable_field_rendering + required: false + schema: + default: false + type: boolean + - description: When true, return the created Attack discoveries with text replacements applied to the detailsMarkdown, entitySummaryMarkdown, summaryMarkdown, and title fields. Defaults to `true`. + example: true + in: query + name: with_replacements + required: false + schema: + default: true + type: boolean + responses: + '200': + content: + application/json: + examples: + GetAttackDiscoveryGenerationResponse200Example: + summary: Single Attack Discovery generation with its discoveries and metadata. 
+ value: + data: + - id: c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f + title: Suspicious process execution on host-01 + generation: + alerts_context_count: 50 + discoveries: 1 + end: '2025-09-29T06:42:44.810Z' + execution_uuid: 2e13f386-46cf-4d65-9e2b-68609e132ba5 + start: '2025-09-29T06:42:08.962Z' + status: succeeded + schema: + type: object + properties: + data: + description: Array of Attack discoveries generated during this execution. + items: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiAlert' + type: array + generation: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGeneration' + description: Optional metadata about the attack discovery generation process, metadata including execution status and statistics. This metadata may not be available for all generations. + required: + - data + description: Indicates a successful call. + '400': + content: + application/json: + examples: + GetAttackDiscoveryGenerationResponse400Example: + summary: Bad Request error returned when the get-generation request is invalid. + value: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + type: object + properties: + error: + description: Error type + example: Bad Request + type: string + message: + description: Human-readable error message describing what went wrong with the request + example: Invalid request parameters. + type: string + status_code: + description: HTTP status code + example: 400 + type: number + required: + - status_code + - error + - message + description: Bad Request response. 
+ summary: Get a single Attack Discovery generation, including its discoveries and (optional) generation metadata + tags: + - Security Attack discovery API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request GET 'http://localhost:5601/api/attack_discovery/generations/2e13f386-46cf-4d65-9e2b-68609e132ba5' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" + x-metaTags: + - content: Kibana + name: product_name + /api/attack_discovery/generations/{execution_uuid}/_dismiss: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/attack_discovery/generations/{execution_uuid}/_dismiss
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Dismisses an Attack Discovery generation for the current user, indicating that its status should not be reported in the UI. This sets the generation's status to "dismissed" and affects how the generation appears in subsequent queries. + operationId: PostAttackDiscoveryGenerationsDismiss + parameters: + - description: The unique identifier for the Attack Discovery generation execution. This UUID is returned when an Attack Discovery generation is created and can be found in generation responses. + example: 46b218d5-535d-4329-be56-d0f6af6986b7 + in: path + name: execution_uuid + required: true + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + responses: + '200': + content: + application/json: + examples: + PostAttackDiscoveryGenerationsDismissResponse200Example: + summary: Successfully dismissed an Attack Discovery generation. + value: + alerts_context_count: 75 + connector_id: chatGpt5_0ChatAzure + discoveries: 3 + end: '2025-09-29T06:42:44.810Z' + execution_uuid: 46b218d5-535d-4329-be56-d0f6af6986b7 + loading_message: AI is analyzing up to 100 alerts in the last 24 hours to generate discoveries. + start: '2025-09-29T06:42:08.962Z' + status: dismissed + schema: + type: object + properties: + alerts_context_count: + description: The number of alerts that were sent as context to the LLM for this generation. + example: 75 + type: number + connector_id: + description: The unique identifier of the connector used to generate the attack discoveries. + example: chatGpt5_0ChatAzure + type: string + connector_stats: + description: Statistical information about the connector's performance for this user, providing insights into usage patterns and success rates. 
+ type: object + properties: + average_successful_duration_nanoseconds: + description: The average duration in nanoseconds for successful generations using this connector by the current user. + example: 47958500000 + type: number + successful_generations: + description: The total number of Attack discoveries successfully created for this generation + example: 2 + type: number + discoveries: + description: The number of attack discoveries that were generated during this execution. + example: 3 + type: number + end: + description: The timestamp when the generation process completed, in ISO 8601 format. This field may be absent for generations that haven't finished. + example: '2025-09-29T06:42:44.810Z' + type: string + execution_uuid: + description: The unique identifier for this attack discovery generation execution. This UUID can be used to reference this specific generation in other API calls. + example: 46b218d5-535d-4329-be56-d0f6af6986b7 + type: string + loading_message: + description: A human-readable message describing the current state or progress of the generation process. Provides context about what the AI is analyzing. + example: AI is analyzing up to 100 alerts in the last 24 hours to generate discoveries. + type: string + reason: + description: Additional context or reasoning provided when a generation fails or encounters issues. This field helps diagnose problems with the generation process. + example: Connection timeout to AI service + type: string + start: + description: The timestamp when the generation process began, in ISO 8601 format. This marks the beginning of the AI analysis. + example: '2025-09-29T06:42:08.962Z' + type: string + status: + description: The current status of the attack discovery generation. After dismissing, this will be set to "dismissed". 
+ enum: + - canceled + - dismissed + - failed + - started + - succeeded + example: dismissed + type: string + required: + - connector_id + - discoveries + - execution_uuid + - loading_message + - start + - status + description: Indicates a successful call. + '400': + content: + application/json: + examples: + PostAttackDiscoveryGenerationsDismissResponse400Example: + summary: Bad Request error returned when the dismiss request is invalid. + value: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + type: object + properties: + error: + description: Error type or category + example: Bad Request + type: string + message: + description: Human-readable error message describing what went wrong with the request. + example: Invalid request parameters. + type: string + status_code: + description: HTTP status code indicating the type of client error + example: 400 + type: number + required: + - status_code + - error + - message + description: Bad Request response. + summary: Dismiss an Attack Discovery generation + tags: + - Security Attack discovery API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request POST 'http://localhost:5601/api/attack_discovery/generations/46b218d5-535d-4329-be56-d0f6af6986b7/_dismiss' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" + x-metaTags: + - content: Kibana + name: product_name + /api/attack_discovery/schedules: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/attack_discovery/schedules
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Creates a new Attack Discovery schedule that analyzes security alerts at specified intervals. The schedule defines when and how Attack Discovery analysis should run, including which alerts to analyze, which AI connector to use, and what actions to take when discoveries are found. + operationId: CreateAttackDiscoverySchedules + requestBody: + content: + application/json: + examples: + CreateAttackDiscoverySchedulesRequestBodyExample: + summary: Create a daily Attack Discovery schedule that runs every 24 hours. + value: + actions: [] + enabled: true + name: Daily Security Analysis + params: + alerts_index_pattern: .alerts-security.alerts-default + api_config: + actionTypeId: bedrock + connectorId: my-bedrock-connector + name: Claude 3.5 Sonnet + end: now + size: 100 + start: now-24h + schedule: + interval: 24h + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleCreateProps' + description: Attack Discovery schedule configuration including name, parameters, schedule interval, and actions + required: true + responses: + '200': + content: + application/json: + examples: + CreateAttackDiscoverySchedulesResponse200Example: + summary: A newly created Attack Discovery schedule. + value: + actions: [] + created_at: '2023-10-31T10:00:00.000Z' + created_by: elastic + enabled: true + id: 12345678-1234-1234-1234-123456789012 + name: Daily Security Analysis + params: + alerts_index_pattern: .alerts-security.alerts-default + api_config: + actionTypeId: bedrock + connectorId: my-bedrock-connector + name: Claude 3.5 Sonnet + end: now + size: 100 + start: now-24h + schedule: + interval: 24h + updated_at: '2023-10-31T10:00:00.000Z' + updated_by: elastic + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule' + description: The Attack Discovery schedule was successfully created. 
+ '400': + content: + application/json: + examples: + CreateAttackDiscoverySchedulesResponse400Example: + summary: Bad Request error returned when the create schedule payload is invalid. + value: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError' + description: Bad Request response. + summary: Create Attack Discovery schedule + tags: + - Security Attack discovery API + x-codeSamples: + - label: Create an Attack Discovery schedule + lang: curl + source: | + curl \ + --request POST 'http://localhost:5601/api/attack_discovery/schedules' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" \ + --data '{ + "name": "Daily Security Analysis", + "enabled": true, + "params": { + "alerts_index_pattern": ".alerts-security.alerts-default", + "api_config": { + "actionTypeId": "bedrock", + "connectorId": "my-bedrock-connector", + "name": "Claude 3.5 Sonnet" + }, + "size": 100, + "start": "now-24h", + "end": "now" + }, + "schedule": { + "interval": "24h" + }, + "actions": [ + { + "action_type_id": ".cases", + "id": "system-connector-.cases", + "params": { + "subAction": "run", + "subActionParams": { + "timeWindow": "7d", + "reopenClosedCases": false, + "groupingBy": [], + "templateId": null + } + }, + "uuid": "12345678-1234-1234-1234-123456789012" + } + ] + }' + x-metaTags: + - content: Kibana + name: product_name + /api/attack_discovery/schedules/_bulk_delete: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/attack_discovery/schedules/_bulk_delete
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Deletes multiple Attack Discovery schedules by ID. + operationId: BulkDeleteAttackDiscoverySchedules + requestBody: + content: + application/json: + examples: + BulkDeleteAttackDiscoverySchedulesRequestBodyExample: + summary: Delete two Attack Discovery schedules. + value: + ids: + - 12345678-1234-1234-1234-123456789012 + - 98765432-1234-1234-1234-123456789012 + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_BulkActionAttackDiscoverySchedulesRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + BulkDeleteAttackDiscoverySchedulesResponse200Example: + summary: Bulk delete response for two successfully deleted schedules. + value: + errors: [] + ids: + - 12345678-1234-1234-1234-123456789012 + - 98765432-1234-1234-1234-123456789012 + total: 2 + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_BulkActionAttackDiscoverySchedulesResponse' + description: Successfully processed the bulk delete request. + '400': + content: + application/json: + examples: + BulkDeleteAttackDiscoverySchedulesResponse400Example: + summary: Bad Request error returned when the bulk delete payload is invalid. + value: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError' + description: Bad Request response. + summary: Bulk delete Attack Discovery schedules + tags: + - Security Attack discovery API + x-metaTags: + - content: Kibana + name: product_name + /api/attack_discovery/schedules/_bulk_disable: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/attack_discovery/schedules/_bulk_disable
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Disables multiple Attack Discovery schedules by ID. + operationId: BulkDisableAttackDiscoverySchedules + requestBody: + content: + application/json: + examples: + BulkDisableAttackDiscoverySchedulesRequestBodyExample: + summary: Disable two Attack Discovery schedules. + value: + ids: + - 12345678-1234-1234-1234-123456789012 + - 98765432-1234-1234-1234-123456789012 + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_BulkActionAttackDiscoverySchedulesRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + BulkDisableAttackDiscoverySchedulesResponse200Example: + summary: Bulk disable response for two successfully disabled schedules. + value: + errors: [] + ids: + - 12345678-1234-1234-1234-123456789012 + - 98765432-1234-1234-1234-123456789012 + total: 2 + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_BulkActionAttackDiscoverySchedulesResponse' + description: Successfully processed the bulk disable request. + '400': + content: + application/json: + examples: + BulkDisableAttackDiscoverySchedulesResponse400Example: + summary: Bad Request error returned when the bulk disable payload is invalid. + value: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError' + description: Bad Request response. + summary: Bulk disable Attack Discovery schedules + tags: + - Security Attack discovery API + x-metaTags: + - content: Kibana + name: product_name + /api/attack_discovery/schedules/_bulk_enable: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/attack_discovery/schedules/_bulk_enable
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Enables multiple Attack Discovery schedules by ID. + operationId: BulkEnableAttackDiscoverySchedules + requestBody: + content: + application/json: + examples: + BulkEnableAttackDiscoverySchedulesRequestBodyExample: + summary: Enable two Attack Discovery schedules. + value: + ids: + - 12345678-1234-1234-1234-123456789012 + - 98765432-1234-1234-1234-123456789012 + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_BulkActionAttackDiscoverySchedulesRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + BulkEnableAttackDiscoverySchedulesResponse200Example: + summary: Bulk enable response for two successfully enabled schedules. + value: + errors: [] + ids: + - 12345678-1234-1234-1234-123456789012 + - 98765432-1234-1234-1234-123456789012 + total: 2 + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_BulkActionAttackDiscoverySchedulesResponse' + description: Successfully processed the bulk enable request. + '400': + content: + application/json: + examples: + BulkEnableAttackDiscoverySchedulesResponse400Example: + summary: Bad Request error returned when the bulk enable payload is invalid. + value: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError' + description: Bad Request response. + summary: Bulk enable Attack Discovery schedules + tags: + - Security Attack discovery API + x-metaTags: + - content: Kibana + name: product_name + /api/attack_discovery/schedules/_find: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/attack_discovery/schedules/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Find Attack Discovery schedules that match the search criteria. Supports pagination and sorting by various fields. + operationId: FindAttackDiscoverySchedules + parameters: + - description: Page number to return (used for pagination). Defaults to 1. + example: 1 + in: query + name: page + required: false + schema: + type: number + - description: Number of Attack Discovery schedules to return per page (used for pagination). Defaults to 10. + example: 10 + in: query + name: per_page + required: false + schema: + type: number + - description: Field used to sort results. Common fields include 'name', 'created_at', 'updated_at', and 'enabled'. + example: name + in: query + name: sort_field + required: false + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + - description: Sort order direction. Use 'asc' for ascending or 'desc' for descending. Defaults to 'asc'. + example: asc + in: query + name: sort_direction + required: false + schema: + enum: + - asc + - desc + type: string + responses: + '200': + content: + application/json: + examples: + FindAttackDiscoverySchedulesResponse200Example: + summary: Paginated list of Attack Discovery schedules matching the search criteria. + value: + data: + - actions: [] + created_at: '2023-10-31T10:00:00.000Z' + created_by: elastic + enabled: true + id: 12345678-1234-1234-1234-123456789012 + name: Daily Security Analysis + params: + alerts_index_pattern: .alerts-security.alerts-default + api_config: + actionTypeId: bedrock + connectorId: my-bedrock-connector + name: Claude 3.5 Sonnet + end: now + size: 100 + start: now-24h + schedule: + interval: 24h + updated_at: '2023-10-31T10:00:00.000Z' + updated_by: elastic + page: 1 + per_page: 10 + total: 1 + schema: + type: object + properties: + data: + description: Array of matched Attack Discovery schedule objects. 
+ items: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule' + type: array + page: + description: Current page number of the paginated result set. + type: number + per_page: + description: Number of items requested per page. + type: number + total: + description: Total number of Attack Discovery schedules matching the query (across all pages). + type: number + required: + - page + - per_page + - total + - data + description: Indicates a successful call. + '400': + content: + application/json: + examples: + FindAttackDiscoverySchedulesResponse400Example: + summary: Bad Request error returned when find-schedules query parameters are invalid. + value: + error: Bad Request + message: Invalid request payload. + status_code: 400 + schema: + type: object + properties: + error: + description: Error type + example: Bad Request + type: string + message: + description: Human-readable error message + example: Invalid request payload. + type: string + status_code: + description: HTTP status code + example: 400 + type: number + description: Bad Request response. + summary: Find Attack Discovery schedules that match the search criteria + tags: + - Security Attack discovery API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request GET 'http://localhost:5601/api/attack_discovery/schedules/_find' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" + x-metaTags: + - content: Kibana + name: product_name + /api/attack_discovery/schedules/{id}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/attack_discovery/schedules/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Permanently deletes an Attack Discovery schedule and all associated configuration. + operationId: DeleteAttackDiscoverySchedules + parameters: + - description: The unique identifier (UUID) of the Attack Discovery schedule to delete. This ID is returned when creating a schedule and can be found in schedule listings. + example: 12345678-1234-1234-1234-123456789012 + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + responses: + '200': + content: + application/json: + examples: + DeleteAttackDiscoverySchedulesResponse200Example: + summary: Confirmation returned after deleting an Attack Discovery schedule. + value: + id: 12345678-1234-1234-1234-123456789012 + schema: + type: object + properties: + id: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + description: The unique identifier of the deleted Attack Discovery schedule + required: + - id + description: Successfully deleted Attack Discovery schedule, returning the ID of the deleted schedule for confirmation + '400': + content: + application/json: + examples: + DeleteAttackDiscoverySchedulesResponse400Example: + summary: Bad Request error returned when the delete schedule request is invalid. + value: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError' + description: Bad Request response. 
+ summary: Delete Attack Discovery schedule + tags: + - Security Attack discovery API + x-codeSamples: + - label: Delete an Attack Discovery schedule + lang: curl + source: | + curl \ + --request DELETE 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" + x-metaTags: + - content: Kibana + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/attack_discovery/schedules/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieves a specific Attack Discovery schedule by its unique identifier. Returns complete schedule configuration including parameters, interval settings, associated actions, and execution history. + operationId: GetAttackDiscoverySchedules + parameters: + - description: The unique identifier (UUID) of the Attack Discovery schedule to retrieve. This ID is returned when creating a schedule and can be found in schedule listings. + example: 12345678-1234-1234-1234-123456789012 + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + responses: + '200': + content: + application/json: + examples: + GetAttackDiscoverySchedulesResponse200Example: + summary: An Attack Discovery schedule retrieved by ID, including last execution metadata. + value: + actions: [] + created_at: '2023-10-31T10:00:00.000Z' + created_by: elastic + enabled: true + id: 12345678-1234-1234-1234-123456789012 + last_execution: + date: '2023-10-31T10:00:00.000Z' + last_duration: 45.2 + status: ok + name: Daily Security Analysis + params: + alerts_index_pattern: .alerts-security.alerts-default + api_config: + actionTypeId: bedrock + connectorId: my-bedrock-connector + name: Claude 3.5 Sonnet + end: now + size: 100 + start: now-24h + schedule: + interval: 24h + updated_at: '2023-10-31T10:00:00.000Z' + updated_by: elastic + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule' + description: Successfully retrieved Attack Discovery schedule with complete configuration and metadata + '400': + content: + application/json: + examples: + GetAttackDiscoverySchedulesResponse400Example: + summary: Bad Request error returned when the get-schedule request is invalid. + value: + error: Bad Request + message: Invalid request parameters. 
+ status_code: 400 + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError' + description: Bad Request response. + summary: Get Attack Discovery schedule by ID + tags: + - Security Attack discovery API + x-codeSamples: + - label: Get an Attack Discovery schedule by ID + lang: curl + source: | + curl \ + --request GET 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/attack_discovery/schedules/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Updates an existing Attack Discovery schedule with new configuration. All schedule properties can be modified including name, parameters, interval, and actions. The update operation replaces the entire schedule configuration with the provided values. + operationId: UpdateAttackDiscoverySchedules + parameters: + - description: The unique identifier (UUID) of the Attack Discovery schedule to update. This ID is returned when creating a schedule and can be found in schedule listings. + example: 12345678-1234-1234-1234-123456789012 + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + requestBody: + content: + application/json: + examples: + UpdateAttackDiscoverySchedulesRequestBodyExample: + summary: Update an Attack Discovery schedule to run every 12 hours over a 48-hour window. + value: + actions: [] + name: Updated Daily Security Analysis + params: + alerts_index_pattern: .alerts-security.alerts-default + api_config: + actionTypeId: bedrock + connectorId: my-bedrock-connector + name: Claude 3.5 Sonnet + end: now + size: 200 + start: now-48h + schedule: + interval: 12h + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleUpdateProps' + description: Updated Attack Discovery schedule configuration. All fields are required as this replaces the entire schedule configuration. + required: true + responses: + '200': + content: + application/json: + examples: + UpdateAttackDiscoverySchedulesResponse200Example: + summary: An Attack Discovery schedule after being updated. 
+ value: + actions: [] + created_at: '2023-10-31T10:00:00.000Z' + created_by: elastic + enabled: true + id: 12345678-1234-1234-1234-123456789012 + name: Updated Daily Security Analysis + params: + alerts_index_pattern: .alerts-security.alerts-default + api_config: + actionTypeId: bedrock + connectorId: my-bedrock-connector + name: Claude 3.5 Sonnet + end: now + size: 200 + start: now-48h + schedule: + interval: 12h + updated_at: '2023-10-31T12:00:00.000Z' + updated_by: elastic + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule' + description: Successfully updated Attack Discovery schedule with the new configuration and metadata + '400': + content: + application/json: + examples: + UpdateAttackDiscoverySchedulesResponse400Example: + summary: Bad Request error returned when the update schedule payload is invalid. + value: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError' + description: Bad Request response. 
+ summary: Update Attack Discovery schedule + tags: + - Security Attack discovery API + x-codeSamples: + - label: Update an Attack Discovery schedule + lang: curl + source: | + curl \ + --request PUT 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" \ + --data '{ + "name": "Updated Daily Security Analysis", + "params": { + "alerts_index_pattern": ".alerts-security.alerts-default", + "api_config": { + "actionTypeId": "bedrock", + "connectorId": "my-bedrock-connector", + "name": "Claude 3.5 Sonnet" + }, + "size": 200, + "start": "now-48h", + "end": "now" + }, + "schedule": { + "interval": "12h" + }, + "actions": [] + }' + x-metaTags: + - content: Kibana + name: product_name + /api/attack_discovery/schedules/{id}/_disable: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/attack_discovery/schedules/{id}/_disable
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Disables an Attack Discovery schedule, preventing it from running according to its configured interval. The schedule configuration is preserved and can be re-enabled later. Any currently running executions will complete, but no new executions will be started. + operationId: DisableAttackDiscoverySchedules + parameters: + - description: The unique identifier (UUID) of the Attack Discovery schedule to disable. This ID is returned when creating a schedule and can be found in schedule listings. + example: 12345678-1234-1234-1234-123456789012 + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + responses: + '200': + content: + application/json: + examples: + DisableAttackDiscoverySchedulesResponse200Example: + summary: Confirmation returned after disabling an Attack Discovery schedule. + value: + id: 12345678-1234-1234-1234-123456789012 + schema: + type: object + properties: + id: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + description: The unique identifier of the disabled Attack Discovery schedule + required: + - id + description: Successfully disabled Attack Discovery schedule, returning the schedule ID for confirmation + '400': + content: + application/json: + examples: + DisableAttackDiscoverySchedulesResponse400Example: + summary: Bad Request error returned when the disable schedule request is invalid. + value: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError' + description: Bad Request response. 
+ summary: Disable Attack Discovery schedule + tags: + - Security Attack discovery API + x-codeSamples: + - label: Disable an Attack Discovery schedule + lang: curl + source: | + curl \ + --request POST 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012/_disable' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" + x-metaTags: + - content: Kibana + name: product_name + /api/attack_discovery/schedules/{id}/_enable: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/attack_discovery/schedules/{id}/_enable
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Enables a previously disabled Attack Discovery schedule, allowing it to run according to its configured interval. Once enabled, the schedule will begin executing at the next scheduled time based on its interval configuration. + operationId: EnableAttackDiscoverySchedules + parameters: + - description: The unique identifier (UUID) of the Attack Discovery schedule to enable. This ID is returned when creating a schedule and can be found in schedule listings. + example: 12345678-1234-1234-1234-123456789012 + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + responses: + '200': + content: + application/json: + examples: + EnableAttackDiscoverySchedulesResponse200Example: + summary: Confirmation returned after enabling an Attack Discovery schedule. + value: + id: 12345678-1234-1234-1234-123456789012 + schema: + type: object + properties: + id: + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' + description: The unique identifier of the enabled Attack Discovery schedule + required: + - id + description: Successfully enabled Attack Discovery schedule, returning the schedule ID for confirmation + '400': + content: + application/json: + examples: + EnableAttackDiscoverySchedulesResponse400Example: + summary: Bad Request error returned when the enable schedule request is invalid. + value: + error: Bad Request + message: Invalid request parameters. + status_code: 400 + schema: + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError' + description: Bad Request response. 
+ summary: Enable Attack Discovery schedule + tags: + - Security Attack discovery API + x-codeSamples: + - label: Enable an Attack Discovery schedule + lang: curl + source: | + curl \ + --request POST 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012/_enable' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" + x-metaTags: + - content: Kibana + name: product_name + /api/cases: + delete: + description: | + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/cases
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + You must have `read` or `all` privileges and the `delete` sub-feature privilege for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're deleting. + operationId: deleteCaseDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_kbn_xsrf' + - $ref: '#/components/parameters/Cases_ids' + responses: + '204': + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Delete cases + tags: + - cases + x-codeSamples: + - label: curl + lang: curl + source: | + curl \ + --request DELETE 'https://localhost:5601/api/cases?ids=%5B%22030e6e34-6470-4001-864f-b229511ad188%22%2C%22e662ff34-0493-4538-b9d1-6706ced02ff2%22%5D' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" \ + --header "kbn-xsrf: true" + - label: Console + lang: console + source: | + DELETE kbn:/api/cases?ids=["030e6e34-6470-4001-864f-b229511ad188","e662ff34-0493-4538-b9d1-6706ced02ff2"] + x-metaTags: + - content: Kibana + name: product_name + patch: + description: | + **Spaces method and path for this operation:** + +
patch /s/{space_id}/api/cases
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're updating. + operationId: updateCaseDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_kbn_xsrf' + requestBody: + content: + application/json: + examples: + updateCaseRequest: + $ref: '#/components/examples/Cases_update_case_request' + schema: + $ref: '#/components/schemas/Cases_update_case_request' + responses: + '200': + content: + application/json: + examples: + updateCaseResponse: + $ref: '#/components/examples/Cases_update_case_response' + schema: + items: + $ref: '#/components/schemas/Cases_case_response_properties' + type: array + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Update cases + tags: + - cases + x-metaTags: + - content: Kibana + name: product_name + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/cases
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're creating. + operationId: createCaseDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_kbn_xsrf' + requestBody: + content: + application/json: + examples: + createCaseRequest: + $ref: '#/components/examples/Cases_create_case_request' + schema: + $ref: '#/components/schemas/Cases_create_case_request' + required: true + responses: + '200': + content: + application/json: + examples: + createCaseResponse: + $ref: '#/components/examples/Cases_create_case_response' + schema: + $ref: '#/components/schemas/Cases_case_response_properties' + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Create a case + tags: + - cases + x-metaTags: + - content: Kibana + name: product_name + /api/cases/_find: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/cases/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're seeking. + operationId: findCasesDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_assignees_filter' + - $ref: '#/components/parameters/Cases_category' + - $ref: '#/components/parameters/Cases_defaultSearchOperator' + - $ref: '#/components/parameters/Cases_from' + - $ref: '#/components/parameters/Cases_owner_filter' + - $ref: '#/components/parameters/Cases_page_index' + - $ref: '#/components/parameters/Cases_page_size' + - $ref: '#/components/parameters/Cases_reporters' + - $ref: '#/components/parameters/Cases_search' + - $ref: '#/components/parameters/Cases_searchFields' + - $ref: '#/components/parameters/Cases_severity' + - $ref: '#/components/parameters/Cases_sortField' + - $ref: '#/components/parameters/Cases_sort_order' + - $ref: '#/components/parameters/Cases_status' + - $ref: '#/components/parameters/Cases_tags' + - $ref: '#/components/parameters/Cases_to' + responses: + '200': + content: + application/json: + examples: + findCaseResponse: + $ref: '#/components/examples/Cases_find_case_response' + schema: + type: object + properties: + cases: + items: + $ref: '#/components/schemas/Cases_case_response_properties' + maxItems: 10000 + type: array + count_closed_cases: + type: integer + count_in_progress_cases: + type: integer + count_open_cases: + type: integer + page: + type: integer + per_page: + type: integer + total: + type: integer + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. 
+ summary: Search cases + tags: + - cases + x-metaTags: + - content: Kibana + name: product_name + /api/cases/{caseId}: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/cases/{caseId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Returns case details. The response does not include a comments property; use the find case comments API to retrieve comments. The totalComment field reflects the actual number of user comments on the case. You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're seeking. + operationId: getCaseDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_case_id' + responses: + '200': + content: + application/json: + examples: + getDefaultCaseResponse: + $ref: '#/components/examples/Cases_get_case_response' + getDefaultObservabilityCaseResponse: + $ref: '#/components/examples/Cases_get_case_observability_response' + schema: + $ref: '#/components/schemas/Cases_case_response_get_case' + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Get case information + tags: + - cases + x-metaTags: + - content: Kibana + name: product_name + /api/cases/{caseId}/alerts: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/cases/{caseId}/alerts
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're seeking. + operationId: getCaseAlertsDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_case_id' + responses: + '200': + content: + application/json: + examples: + getCaseAlertsResponse: + $ref: '#/components/examples/Cases_get_case_alerts_response' + schema: + items: + $ref: '#/components/schemas/Cases_alert_response_properties' + type: array + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Get all alerts for a case + tags: + - cases + x-state: Technical preview + x-metaTags: + - content: Kibana + name: product_name + /api/cases/{caseId}/comments: + delete: + description: | + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/cases/{caseId}/comments
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Deletes all comments and alerts from a case. You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're deleting. + operationId: deleteCaseCommentsDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_kbn_xsrf' + - $ref: '#/components/parameters/Cases_case_id' + responses: + '204': + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Delete all case comments and alerts + tags: + - cases + x-codeSamples: + - label: curl + lang: curl + source: | + curl \ + --request DELETE 'https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments' \ + --header "Authorization: $API_KEY" \ + --header "kbn-xsrf: true" + - label: Console + lang: console + source: | + DELETE kbn:/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments + x-metaTags: + - content: Kibana + name: product_name + patch: + description: | + **Spaces method and path for this operation:** + +
patch /s/{space_id}/api/cases/{caseId}/comments
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're updating. NOTE: You cannot change the comment type or the owner of a comment. + operationId: updateCaseCommentDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_kbn_xsrf' + - $ref: '#/components/parameters/Cases_case_id' + requestBody: + content: + application/json: + examples: + updateCaseCommentRequest: + $ref: '#/components/examples/Cases_update_comment_request' + schema: + $ref: '#/components/schemas/Cases_update_case_comment_request' + required: true + responses: + '200': + content: + application/json: + examples: + updateCaseCommentResponse: + $ref: '#/components/examples/Cases_update_comment_response' + schema: + $ref: '#/components/schemas/Cases_case_response_properties' + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Update a case comment or alert + tags: + - cases + x-metaTags: + - content: Kibana + name: product_name + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/cases/{caseId}/comments
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're creating. NOTE: Each case can have a maximum of 1,000 alerts. + operationId: addCaseCommentDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_kbn_xsrf' + - $ref: '#/components/parameters/Cases_case_id' + requestBody: + content: + application/json: + examples: + createCaseCommentRequest: + $ref: '#/components/examples/Cases_add_comment_request' + schema: + $ref: '#/components/schemas/Cases_add_case_comment_request' + required: true + responses: + '200': + content: + application/json: + examples: + createCaseCommentResponse: + $ref: '#/components/examples/Cases_add_comment_response' + schema: + $ref: '#/components/schemas/Cases_case_response_properties' + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Add a case comment or alert + tags: + - cases + x-metaTags: + - content: Kibana + name: product_name + /api/cases/{caseId}/comments/_find: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/cases/{caseId}/comments/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieves a paginated list of comments for a case. You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases with the comments you're seeking. + operationId: findCaseCommentsDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_case_id' + - $ref: '#/components/parameters/Cases_page_index' + - $ref: '#/components/parameters/Cases_page_size' + - $ref: '#/components/parameters/Cases_sort_order' + responses: + '200': + content: + application/json: + examples: + findCaseCommentsResponse: + $ref: '#/components/examples/Cases_find_case_comments_response' + schema: + $ref: '#/components/schemas/Cases_find_comments_response' + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Find case comments + tags: + - cases + x-metaTags: + - content: Kibana + name: product_name + /api/cases/{caseId}/comments/{commentId}: + delete: + description: | + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/cases/{caseId}/comments/{commentId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're deleting. + operationId: deleteCaseCommentDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_kbn_xsrf' + - $ref: '#/components/parameters/Cases_case_id' + - $ref: '#/components/parameters/Cases_comment_id' + responses: + '204': + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Delete a case comment or alert + tags: + - cases + x-codeSamples: + - label: curl + lang: curl + source: | + curl \ + --request DELETE 'https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments/71ec1870-725b-11ea-a0b2-c51ea50a58e2' \ + --header "Authorization: $API_KEY" \ + --header "kbn-xsrf: true" + - label: Console + lang: console + source: | + DELETE kbn:/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments/71ec1870-725b-11ea-a0b2-c51ea50a58e2 + x-metaTags: + - content: Kibana + name: product_name + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/cases/{caseId}/comments/{commentId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases with the comments you're seeking. + operationId: getCaseCommentDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_case_id' + - $ref: '#/components/parameters/Cases_comment_id' + responses: + '200': + content: + application/json: + examples: + getCaseCommentResponse: + $ref: '#/components/examples/Cases_get_comment_response' + schema: + oneOf: + - $ref: '#/components/schemas/Cases_alert_comment_response_properties' + - $ref: '#/components/schemas/Cases_user_comment_response_properties' + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Get a case comment or alert + tags: + - cases + x-metaTags: + - content: Kibana + name: product_name + /api/cases/{caseId}/connector/{connectorId}/_push: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/cases/{caseId}/connector/{connectorId}/_push
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + You must have `all` privileges for the **Actions and Connectors** feature in the **Management** section of the Kibana feature privileges. You must also have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're pushing. + operationId: pushCaseDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_case_id' + - $ref: '#/components/parameters/Cases_connector_id' + - $ref: '#/components/parameters/Cases_kbn_xsrf' + requestBody: + content: + application/json: + examples: + pushCaseRequest: + summary: Push a case to an external service. No request body is required. + value: null + schema: + nullable: true + type: object + responses: + '200': + content: + application/json: + examples: + pushCaseResponse: + $ref: '#/components/examples/Cases_push_case_response' + schema: + $ref: '#/components/schemas/Cases_case_response_properties' + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Push a case to an external service + tags: + - cases + x-metaTags: + - content: Kibana + name: product_name + /api/cases/{caseId}/files: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/cases/{caseId}/files
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Attach a file to a case. You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're updating. The request must include: + - The `Content-Type: multipart/form-data` HTTP header. + - The location of the file that is being uploaded. + operationId: addCaseFileDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_kbn_xsrf' + - $ref: '#/components/parameters/Cases_case_id' + requestBody: + content: + multipart/form-data: + examples: + addCaseFileRequest: + summary: Attach a plain text file named "my_attachment". + value: + filename: my_attachment + schema: + $ref: '#/components/schemas/Cases_add_case_file_request' + required: true + responses: + '200': + content: + application/json: + examples: + addCaseFileResponse: + $ref: '#/components/examples/Cases_add_comment_response' + schema: + $ref: '#/components/schemas/Cases_case_response_properties' + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Attach a file to a case + tags: + - cases + x-codeSamples: + - label: curl + lang: curl + source: | + curl \ + --request POST 'https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/files' \ + --header "Authorization: $API_KEY" \ + --header "kbn-xsrf: true" \ + --form "file=@/path/to/my_attachment.txt" \ + --form "filename=my_attachment" + x-metaTags: + - content: Kibana + name: product_name + /api/cases/{caseId}/user_actions/_find: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/cases/{caseId}/user_actions/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieves a paginated list of user activity for a case. You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're seeking. + operationId: findCaseActivityDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_case_id' + - $ref: '#/components/parameters/Cases_page_index' + - $ref: '#/components/parameters/Cases_page_size' + - $ref: '#/components/parameters/Cases_sort_order' + - $ref: '#/components/parameters/Cases_user_action_types' + responses: + '200': + content: + application/json: + examples: + findCaseActivityResponse: + $ref: '#/components/examples/Cases_find_case_activity_response' + schema: + type: object + properties: + page: + type: integer + perPage: + type: integer + total: + type: integer + userActions: + items: + $ref: '#/components/schemas/Cases_user_actions_find_response_properties' + maxItems: 10000 + type: array + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Find case activity + tags: + - cases + x-metaTags: + - content: Kibana + name: product_name + /api/cases/alerts/{alertId}: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/cases/alerts/{alertId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're seeking. + operationId: getCasesByAlertDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_alert_id' + - $ref: '#/components/parameters/Cases_owner_filter' + responses: + '200': + content: + application/json: + examples: + getCasesByAlertResponse: + summary: Cases associated with a given alert. + value: + - createdAt: '2020-02-19T23:06:33.798Z' + description: Investigating suspicious activity + id: 06116b80-e1c3-11ec-be9b-9b1838238ee6 + status: open + title: security_case + totals: + alerts: 1 + events: 0 + userComments: 0 + schema: + items: + $ref: '#/components/schemas/Cases_related_case' + maxItems: 10000 + type: array + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Get cases for an alert + tags: + - cases + x-state: Technical preview + x-metaTags: + - content: Kibana + name: product_name + /api/cases/configure: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/cases/configure
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get setting details such as the closure type, custom fields, templates, and the default connector for cases. You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on where the cases were created. + operationId: getCaseConfigurationDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_owner_filter' + responses: + '200': + content: + application/json: + examples: + getConfigurationResponse: + $ref: '#/components/examples/Cases_get_case_configuration_response' + schema: + items: + type: object + properties: + closure_type: + $ref: '#/components/schemas/Cases_closure_types' + connector: + type: object + properties: + fields: + description: The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to `null`. + nullable: true + type: object + id: + description: The identifier for the connector. If you do not want a default connector, use `none`. To retrieve connector IDs, use the find connectors API. + example: none + type: string + name: + description: The name of the connector. If you do not want a default connector, use `none`. To retrieve connector names, use the find connectors API. 
+ example: none + type: string + type: + $ref: '#/components/schemas/Cases_connector_types' + created_at: + example: '2022-06-01T17:07:17.767Z' + format: date-time + type: string + created_by: + type: object + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + required: + - email + - full_name + - username + customFields: + description: Custom fields configuration details. + items: + type: object + properties: + defaultValue: + description: | + A default value for the custom field. If the `type` is `text`, the default value must be a string. If the `type` is `toggle`, the default value must be boolean. + oneOf: + - type: string + - type: boolean + key: + description: | + A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field. + maxLength: 36 + minLength: 1 + type: string + label: + description: The custom field label that is displayed in the case. + maxLength: 50 + minLength: 1 + type: string + type: + description: The type of the custom field. + enum: + - text + - toggle + type: string + required: + description: | + Indicates whether the field is required. If `false`, the custom field can be set to null or omitted when a case is created or updated. + type: boolean + type: array + error: + example: null + nullable: true + type: string + id: + example: 4a97a440-e1cd-11ec-be9b-9b1838238ee6 + type: string + mappings: + items: + type: object + properties: + action_type: + example: overwrite + type: string + source: + example: title + type: string + target: + example: summary + type: string + type: array + observableTypes: + description: Custom observable type configuration details. 
+ items: + type: object + properties: + key: + description: The observable type key. + example: d312efda-ec2b-42ec-9e2c-84981795c581 + type: string + label: + description: The observable type label. + example: My observable type + type: string + type: array + owner: + $ref: '#/components/schemas/Cases_owner' + templates: + $ref: '#/components/schemas/Cases_templates' + updated_at: + example: '2022-06-01T19:58:48.169Z' + format: date-time + nullable: true + type: string + updated_by: + nullable: true + type: object + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + required: + - email + - full_name + - username + version: + example: WzIwNzMsMV0= + type: string + type: array + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Get case settings + tags: + - cases + x-metaTags: + - content: Kibana + name: product_name + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/cases/configure
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Case settings include external connection details, custom fields, and templates. Connectors are used to interface with external systems. You must create a connector before you can use it in your cases. If you set a default connector, it is automatically selected when you create cases in Kibana. If you use the create case API, however, you must still specify all of the connector details. You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on where you are creating cases. + operationId: setCaseConfigurationDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_kbn_xsrf' + requestBody: + content: + application/json: + examples: + setCaseConfigRequest: + $ref: '#/components/examples/Cases_set_case_configuration_request' + schema: + $ref: '#/components/schemas/Cases_set_case_configuration_request' + responses: + '200': + content: + application/json: + examples: + setCaseConfigResponse: + $ref: '#/components/examples/Cases_set_case_configuration_response' + schema: + type: object + properties: + closure_type: + $ref: '#/components/schemas/Cases_closure_types' + connector: + type: object + properties: + fields: + description: The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to `null`. + nullable: true + type: object + id: + description: The identifier for the connector. If you do not want a default connector, use `none`. To retrieve connector IDs, use the find connectors API. + example: none + type: string + name: + description: The name of the connector. If you do not want a default connector, use `none`. To retrieve connector names, use the find connectors API. 
+ example: none + type: string + type: + $ref: '#/components/schemas/Cases_connector_types' + created_at: + example: '2022-06-01T17:07:17.767Z' + format: date-time + type: string + created_by: + type: object + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + required: + - email + - full_name + - username + customFields: + description: Custom fields configuration details. + items: + type: object + properties: + defaultValue: + description: | + A default value for the custom field. If the `type` is `text`, the default value must be a string. If the `type` is `toggle`, the default value must be boolean. + oneOf: + - type: string + - type: boolean + key: + description: | + A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field. + maxLength: 36 + minLength: 1 + type: string + label: + description: The custom field label that is displayed in the case. + maxLength: 50 + minLength: 1 + type: string + type: + description: The type of the custom field. + enum: + - text + - toggle + type: string + required: + description: | + Indicates whether the field is required. If `false`, the custom field can be set to null or omitted when a case is created or updated. + type: boolean + type: array + error: + example: null + nullable: true + type: string + id: + example: 4a97a440-e1cd-11ec-be9b-9b1838238ee6 + type: string + mappings: + items: + type: object + properties: + action_type: + example: overwrite + type: string + source: + example: title + type: string + target: + example: summary + type: string + type: array + observableTypes: + description: Custom observable type configuration details. 
+ items: + type: object + properties: + key: + description: The observable type key. + example: d312efda-ec2b-42ec-9e2c-84981795c581 + type: string + label: + description: The observable type label. + example: My observable type + type: string + type: array + owner: + $ref: '#/components/schemas/Cases_owner' + templates: + $ref: '#/components/schemas/Cases_templates' + updated_at: + example: '2022-06-01T19:58:48.169Z' + format: date-time + nullable: true + type: string + updated_by: + nullable: true + type: object + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + required: + - email + - full_name + - username + version: + example: WzIwNzMsMV0= + type: string + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Add case settings + tags: + - cases + x-metaTags: + - content: Kibana + name: product_name + /api/cases/configure/{configurationId}: + patch: + description: | + **Spaces method and path for this operation:** + +
patch /s/{space_id}/api/cases/configure/{configurationId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Updates setting details such as the closure type, custom fields, templates, and the default connector for cases. Connectors are used to interface with external systems. You must create a connector before you can use it in your cases. You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on where the case was created. + operationId: updateCaseConfigurationDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_kbn_xsrf' + - $ref: '#/components/parameters/Cases_configuration_id' + requestBody: + content: + application/json: + examples: + updateCaseConfigurationRequest: + $ref: '#/components/examples/Cases_update_case_configuration_request' + schema: + $ref: '#/components/schemas/Cases_update_case_configuration_request' + responses: + '200': + content: + application/json: + examples: + updateCaseConfigurationResponse: + $ref: '#/components/examples/Cases_update_case_configuration_response' + schema: + type: object + properties: + closure_type: + $ref: '#/components/schemas/Cases_closure_types' + connector: + type: object + properties: + fields: + description: The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to `null`. + nullable: true + type: object + id: + description: The identifier for the connector. If you do not want a default connector, use `none`. To retrieve connector IDs, use the find connectors API. + example: none + type: string + name: + description: The name of the connector. If you do not want a default connector, use `none`. To retrieve connector names, use the find connectors API. 
+ example: none + type: string + type: + $ref: '#/components/schemas/Cases_connector_types' + created_at: + example: '2022-06-01T17:07:17.767Z' + format: date-time + type: string + created_by: + type: object + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + required: + - email + - full_name + - username + customFields: + description: Custom fields configuration details. + items: + type: object + properties: + defaultValue: + description: | + A default value for the custom field. If the `type` is `text`, the default value must be a string. If the `type` is `toggle`, the default value must be boolean. + oneOf: + - type: string + - type: boolean + key: + description: | + A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field. + maxLength: 36 + minLength: 1 + type: string + label: + description: The custom field label that is displayed in the case. + maxLength: 50 + minLength: 1 + type: string + type: + description: The type of the custom field. + enum: + - text + - toggle + type: string + required: + description: | + Indicates whether the field is required. If `false`, the custom field can be set to null or omitted when a case is created or updated. + type: boolean + type: array + error: + example: null + nullable: true + type: string + id: + example: 4a97a440-e1cd-11ec-be9b-9b1838238ee6 + type: string + mappings: + items: + type: object + properties: + action_type: + example: overwrite + type: string + source: + example: title + type: string + target: + example: summary + type: string + type: array + observableTypes: + description: Custom observable type configuration details. 
+ items: + type: object + properties: + key: + description: The observable type key. + example: d312efda-ec2b-42ec-9e2c-84981795c581 + type: string + label: + description: The observable type label. + example: My observable type + type: string + type: array + owner: + $ref: '#/components/schemas/Cases_owner' + templates: + $ref: '#/components/schemas/Cases_templates' + updated_at: + example: '2022-06-01T19:58:48.169Z' + format: date-time + nullable: true + type: string + updated_by: + nullable: true + type: object + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + required: + - email + - full_name + - username + version: + example: WzIwNzMsMV0= + type: string + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Update case settings + tags: + - cases + x-metaTags: + - content: Kibana + name: product_name + /api/cases/configure/connectors/_find: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/cases/configure/connectors/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get information about connectors that are supported for use in cases. You must have `read` privileges for the **Actions and Connectors** feature in the **Management** section of the Kibana feature privileges. + operationId: findCaseConnectorsDefaultSpace + responses: + '200': + content: + application/json: + examples: + findConnectorResponse: + $ref: '#/components/examples/Cases_find_connector_response' + schema: + items: + type: object + properties: + actionTypeId: + $ref: '#/components/schemas/Cases_connector_types' + config: + additionalProperties: true + type: object + properties: + apiUrl: + type: string + projectKey: + type: string + id: + type: string + isDeprecated: + type: boolean + isMissingSecrets: + type: boolean + isPreconfigured: + type: boolean + name: + type: string + referencedByCount: + type: integer + maxItems: 1000 + type: array + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Get case connectors + tags: + - cases + x-metaTags: + - content: Kibana + name: product_name + /api/cases/reporters: + get: + description: | + Returns information about the users who opened cases. You must have read privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases. The API returns information about the users as they existed at the time of the case creation, including their name, full name, and email address. If any of those details change thereafter or if a user is deleted, the information returned by this API is unchanged. 
+ operationId: getCaseReportersDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_owner_filter' + responses: + '200': + content: + application/json: + examples: + getReportersResponse: + $ref: '#/components/examples/Cases_get_reporters_response' + schema: + items: + type: object + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + required: + - email + - full_name + - username + maxItems: 10000 + type: array + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Get case creators + tags: + - cases + x-metaTags: + - content: Kibana + name: product_name + /api/cases/tags: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/cases/tags
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Aggregates and returns a list of case tags. You must have read privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're seeking. + operationId: getCaseTagsDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_owner_filter' + responses: + '200': + content: + application/json: + examples: + getTagsResponse: + $ref: '#/components/examples/Cases_get_tags_response' + schema: + items: + type: string + maxItems: 10000 + type: array + description: Indicates a successful call. + '401': + content: + application/json: + examples: + response401: + $ref: '#/components/examples/Cases_response_401' + schema: + $ref: '#/components/schemas/Cases_response_4xx' + description: Authorization information is missing or invalid. + summary: Get case tags + tags: + - cases + x-metaTags: + - content: Kibana + name: product_name + /api/dashboards: + get: + tags: + - Dashboards + summary: Get dashboards + operationId: get-dashboards-redirect + description: | + > **Technical preview** — The Dashboards API is currently in technical preview and its full reference documentation is temporarily hosted at a separate location. + > + > **[View the full Dashboards API reference →](https://elastic.github.io/dashboards-api-spec/dashboards#tag/Dashboards)** + responses: + '200': + description: See the full Dashboards API reference for detailed response schemas. + post: + tags: + - Dashboards + summary: Create a dashboard + operationId: create-dashboard-redirect + description: | + > **Technical preview** — The Dashboards API is currently in technical preview and its full reference documentation is temporarily hosted at a separate location. 
+ > + > **[View the full Dashboards API reference →](https://elastic.github.io/dashboards-api-spec/dashboards#tag/Dashboards)** + responses: + '200': + description: See the full Dashboards API reference for detailed response schemas. + /api/dashboards/{id}: + get: + tags: + - Dashboards + summary: Get a dashboard + operationId: get-dashboard-redirect + description: | + > **Technical preview** — The Dashboards API is currently in technical preview and its full reference documentation is temporarily hosted at a separate location. + > + > **[View the full Dashboards API reference →](https://elastic.github.io/dashboards-api-spec/dashboards#tag/Dashboards)** + responses: + '200': + description: See the full Dashboards API reference for detailed response schemas. + put: + tags: + - Dashboards + summary: Update a dashboard + operationId: update-dashboard-redirect + description: | + > **Technical preview** — The Dashboards API is currently in technical preview and its full reference documentation is temporarily hosted at a separate location. + > + > **[View the full Dashboards API reference →](https://elastic.github.io/dashboards-api-spec/dashboards#tag/Dashboards)** + responses: + '200': + description: See the full Dashboards API reference for detailed response schemas. + delete: + tags: + - Dashboards + summary: Delete a dashboard + operationId: delete-dashboard-redirect + description: | + > **Technical preview** — The Dashboards API is currently in technical preview and its full reference documentation is temporarily hosted at a separate location. + > + > **[View the full Dashboards API reference →](https://elastic.github.io/dashboards-api-spec/dashboards#tag/Dashboards)** + responses: + '200': + description: See the full Dashboards API reference for detailed response schemas. + /api/data_views: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/data_views
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve a list of all data views. Use this endpoint to identify available data views in the current Kibana space. + operationId: getAllDataViewsDefault + responses: + '200': + content: + application/json: + examples: + getAllDataViewsResponse: + $ref: '#/components/examples/Data_views_get_data_views_response' + schema: + type: object + properties: + data_view: + items: + type: object + properties: + id: + type: string + name: + type: string + namespaces: + items: + type: string + type: array + title: + type: string + typeMeta: + type: object + type: array + description: Indicates a successful call. + '400': + content: + application/json: + examples: + getAllDataViewsBadRequest: + $ref: '#/components/examples/Data_views_error_400_response' + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Get all data views + tags: + - data views + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/data_views" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/data_views + x-metaTags: + - content: Kibana + name: product_name + /api/data_views/data_view: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/data_views/data_view
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a data view. Data views identify the Elasticsearch data you want to explore and visualize. They can point to one or more data streams, indices, or index aliases, and use optional runtime fields to compute values at query time. Note that data views are not required for ES|QL-based visualizations. To learn more, refer to the [data views documentation](https://www.elastic.co/docs/explore-analyze/find-and-organize/data-views). + operationId: createDataViewDefaultw + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + requestBody: + content: + application/json: + examples: + createDataViewRequest: + $ref: '#/components/examples/Data_views_create_data_view_request' + schema: + $ref: '#/components/schemas/Data_views_create_data_view_request_object' + required: true + responses: + '200': + content: + application/json: + examples: + createDataViewResponse: + $ref: '#/components/examples/Data_views_create_data_view_response' + schema: + $ref: '#/components/schemas/Data_views_data_view_response_object' + description: Indicates a successful call. 
+ '400': + content: + application/json: + examples: + createDataViewBadRequest: + $ref: '#/components/examples/Data_views_error_400_response' + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Create a data view + tags: + - data views + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/data_views/data_view" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{"data_view":{"title":"logstash-*","name":"My Logstash data view"}}' + - lang: Console + source: | + POST kbn://api/data_views/data_view + {"data_view":{"title":"logstash-*","name":"My Logstash data view"}} + x-metaTags: + - content: Kibana + name: product_name + /api/data_views/data_view/{viewId}: + delete: + description: | + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/data_views/data_view/{viewId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a data view by its identifier. WARNING: When you delete a data view, it cannot be recovered. + operationId: deleteDataViewDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + - $ref: '#/components/parameters/Data_views_view_id' + responses: + '204': + description: Indicates a successful call. + '404': + content: + application/json: + examples: + deleteDataViewNotFound: + $ref: '#/components/examples/Data_views_error_404_response' + schema: + $ref: '#/components/schemas/Data_views_404_response' + description: Object is not found. + summary: Delete a data view + tags: + - data views + x-codeSamples: + - lang: curl + source: | + curl \ + -X DELETE "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" + - lang: Console + source: | + DELETE kbn://api/data_views/data_view/{viewId} + x-metaTags: + - content: Kibana + name: product_name + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/data_views/data_view/{viewId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve a single data view by its identifier. Data views identify the Elasticsearch data you want to explore and visualize. They can point to one or more data streams, indices, or index aliases, and use optional runtime fields to compute values at query time. Note that data views are not required for ES|QL-based visualizations. To learn more, refer to the [data views documentation](https://www.elastic.co/docs/explore-analyze/find-and-organize/data-views). + operationId: getDataViewDefault + parameters: + - $ref: '#/components/parameters/Data_views_view_id' + responses: + '200': + content: + application/json: + examples: + getDataViewResponse: + $ref: '#/components/examples/Data_views_get_data_view_response' + schema: + $ref: '#/components/schemas/Data_views_data_view_response_object' + description: Indicates a successful call. + '404': + content: + application/json: + examples: + getDataViewNotFound: + $ref: '#/components/examples/Data_views_error_404_response' + schema: + $ref: '#/components/schemas/Data_views_404_response' + description: Object is not found. + summary: Get a data view + tags: + - data views + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/data_views/data_view/{viewId} + x-metaTags: + - content: Kibana + name: product_name + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/data_views/data_view/{viewId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an existing data view. Only the fields provided in the request body are updated. + operationId: updateDataViewDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + - $ref: '#/components/parameters/Data_views_view_id' + requestBody: + content: + application/json: + examples: + updateDataViewRequest: + $ref: '#/components/examples/Data_views_update_data_view_request' + schema: + $ref: '#/components/schemas/Data_views_update_data_view_request_object' + required: true + responses: + '200': + content: + application/json: + examples: + updateDataViewResponse: + $ref: '#/components/examples/Data_views_get_data_view_response' + schema: + $ref: '#/components/schemas/Data_views_data_view_response_object' + description: Indicates a successful call. + '400': + content: + application/json: + examples: + updateDataViewBadRequest: + $ref: '#/components/examples/Data_views_error_400_response' + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Update a data view + tags: + - data views + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{"data_view":{"name":"Updated data view name"}}' + - lang: Console + source: | + POST kbn://api/data_views/data_view/{viewId} + {"data_view":{"name":"Updated data view name"}} + x-metaTags: + - content: Kibana + name: product_name + /api/data_views/data_view/{viewId}/fields: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/data_views/data_view/{viewId}/fields
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update field metadata for a data view. Use this endpoint to set custom labels, custom descriptions, and format overrides for individual fields. + operationId: updateFieldsMetadataDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + - $ref: '#/components/parameters/Data_views_view_id' + requestBody: + content: + application/json: + examples: + updateFieldsMetadataRequest: + $ref: '#/components/examples/Data_views_update_field_metadata_request' + schema: + type: object + properties: + fields: + description: The field object. + type: object + required: + - fields + required: true + responses: + '200': + content: + application/json: + examples: + updateFieldsMetadataResponse: + $ref: '#/components/examples/Data_views_update_field_metadata_response' + schema: + type: object + properties: + acknowledged: + type: boolean + description: Indicates a successful call. + '400': + content: + application/json: + examples: + updateFieldsMetadataBadRequest: + $ref: '#/components/examples/Data_views_error_400_response' + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Update field metadata + tags: + - data views + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}/fields" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{"fields":{"field_name":{"customLabel":"My custom label"}}}' + - lang: Console + source: | + POST kbn://api/data_views/data_view/{viewId}/fields + {"fields":{"field_name":{"customLabel":"My custom label"}}} + x-metaTags: + - content: Kibana + name: product_name + /api/data_views/data_view/{viewId}/runtime_field: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/data_views/data_view/{viewId}/runtime_field
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a runtime field for a data view. Runtime fields are computed at query time using a [Painless script](https://www.elastic.co/docs/explore-analyze/scripting/modules-scripting-painless) and do not require reindexing. If no `script` is provided, the runtime field returns the corresponding value from the document `_source`. + operationId: createRuntimeFieldDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + - $ref: '#/components/parameters/Data_views_view_id' + requestBody: + content: + application/json: + examples: + createRuntimeFieldRequest: + $ref: '#/components/examples/Data_views_create_runtime_field_request' + schema: + type: object + properties: + name: + description: | + The name for a runtime field. + type: string + runtimeField: + description: | + The runtime field definition object. + type: object + required: + - name + - runtimeField + required: true + responses: + '200': + content: + application/json: + examples: + createRuntimeFieldResponse: + $ref: '#/components/examples/Data_views_create_runtime_field_response' + schema: + type: object + description: Indicates a successful call. 
+ summary: Create a runtime field + tags: + - data views + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}/runtime_field" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{"name":"hour_of_day","runtimeField":{"type":"long","script":{"source":"emit(doc['"'"'timestamp'"'"'].value.getHour())"}}}' + - lang: Console + source: | + POST kbn://api/data_views/data_view/{viewId}/runtime_field + {"name":"hour_of_day","runtimeField":{"type":"long","script":{"source":"emit(doc['timestamp'].value.getHour())"}}} + x-metaTags: + - content: Kibana + name: product_name + put: + description: | + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/data_views/data_view/{viewId}/runtime_field
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create or update a runtime field for a data view. If the runtime field already exists, it is replaced with the new definition. + operationId: createUpdateRuntimeFieldDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + - description: | + The ID of the data view fields you want to update. + in: path + name: viewId + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + updateRuntimeFieldRequest: + $ref: '#/components/examples/Data_views_create_runtime_field_request' + schema: + type: object + properties: + name: + description: | + The name for a runtime field. + type: string + runtimeField: + description: | + The runtime field definition object. + type: object + required: + - name + - runtimeField + required: true + responses: + '200': + content: + application/json: + examples: + createUpdateRuntimeFieldResponse: + $ref: '#/components/examples/Data_views_create_runtime_field_response' + schema: + type: object + properties: + data_view: + type: object + fields: + items: + type: object + type: array + description: Indicates a successful call. 
+ '400': + content: + application/json: + examples: + createUpdateRuntimeFieldBadRequest: + $ref: '#/components/examples/Data_views_error_400_response' + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Create or update a runtime field + tags: + - data views + x-codeSamples: + - lang: curl + source: | + curl \ + -X PUT "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}/runtime_field" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{"name":"hour_of_day","runtimeField":{"type":"long","script":{"source":"emit(doc['"'"'timestamp'"'"'].value.getHour())"}}}' + - lang: Console + source: | + PUT kbn://api/data_views/data_view/{viewId}/runtime_field + {"name":"hour_of_day","runtimeField":{"type":"long","script":{"source":"emit(doc['timestamp'].value.getHour())"}}} + x-metaTags: + - content: Kibana + name: product_name + /api/data_views/data_view/{viewId}/runtime_field/{fieldName}: + delete: + description: | + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/data_views/data_view/{viewId}/runtime_field/{fieldName}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a runtime field from a data view. + operationId: deleteRuntimeFieldDefault + parameters: + - $ref: '#/components/parameters/Data_views_field_name' + - $ref: '#/components/parameters/Data_views_view_id' + responses: + '200': + description: Indicates a successful call. + '404': + content: + application/json: + examples: + deleteRuntimeFieldNotFound: + $ref: '#/components/examples/Data_views_error_404_response' + schema: + $ref: '#/components/schemas/Data_views_404_response' + description: Object is not found. + summary: Delete a runtime field + tags: + - data views + x-codeSamples: + - lang: curl + source: | + curl \ + -X DELETE "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}/runtime_field/${FIELD_NAME}" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" + - lang: Console + source: | + DELETE kbn://api/data_views/data_view/{viewId}/runtime_field/{fieldName} + x-metaTags: + - content: Kibana + name: product_name + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/data_views/data_view/{viewId}/runtime_field/{fieldName}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve a single runtime field by name from a data view. + operationId: getRuntimeFieldDefault + parameters: + - $ref: '#/components/parameters/Data_views_field_name' + - $ref: '#/components/parameters/Data_views_view_id' + responses: + '200': + content: + application/json: + examples: + getRuntimeFieldResponse: + $ref: '#/components/examples/Data_views_get_runtime_field_response' + schema: + type: object + properties: + data_view: + type: object + fields: + items: + type: object + type: array + description: Indicates a successful call. + '404': + content: + application/json: + examples: + getRuntimeFieldNotFound: + $ref: '#/components/examples/Data_views_error_404_response' + schema: + $ref: '#/components/schemas/Data_views_404_response' + description: Object is not found. + summary: Get a runtime field + tags: + - data views + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}/runtime_field/${FIELD_NAME}" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/data_views/data_view/{viewId}/runtime_field/{fieldName} + x-metaTags: + - content: Kibana + name: product_name + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/data_views/data_view/{viewId}/runtime_field/{fieldName}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an existing runtime field in a data view. Only the fields provided in the request body are updated. + operationId: updateRuntimeFieldDefault + parameters: + - $ref: '#/components/parameters/Data_views_field_name' + - $ref: '#/components/parameters/Data_views_view_id' + requestBody: + content: + application/json: + examples: + updateRuntimeFieldRequest: + $ref: '#/components/examples/Data_views_update_runtime_field_request' + schema: + type: object + properties: + runtimeField: + description: | + The runtime field definition object. + + You can update following fields: + + - `type` + - `script` + type: object + required: + - runtimeField + required: true + responses: + '200': + description: Indicates a successful call. + '400': + content: + application/json: + examples: + updateRuntimeFieldBadRequest: + $ref: '#/components/examples/Data_views_error_400_response' + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Update a runtime field + tags: + - data views + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}/runtime_field/${FIELD_NAME}" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{"runtimeField":{"type":"long","script":{"source":"emit(doc['"'"'timestamp'"'"'].value.getHour())"}}}' + - lang: Console + source: | + POST kbn://api/data_views/data_view/{viewId}/runtime_field/{fieldName} + {"runtimeField":{"type":"long","script":{"source":"emit(doc['timestamp'].value.getHour())"}}} + x-metaTags: + - content: Kibana + name: product_name + /api/data_views/default: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/data_views/default
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve the identifier of the default data view for the current Kibana space. + operationId: getDefaultDataViewDefault + responses: + '200': + content: + application/json: + examples: + getDefaultDataViewResponse: + $ref: '#/components/examples/Data_views_get_default_data_view_response' + schema: + type: object + properties: + data_view_id: + type: string + description: Indicates a successful call. + '400': + content: + application/json: + examples: + getDefaultDataViewBadRequest: + $ref: '#/components/examples/Data_views_error_400_response' + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Get the default data view + tags: + - data views + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/data_views/default" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/data_views/default + x-metaTags: + - content: Kibana + name: product_name + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/data_views/default
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Set the default data view for the current Kibana space. The default data view is used as a fallback when no specific data view is selected. + operationId: setDefaultDatailViewDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + requestBody: + content: + application/json: + examples: + setDefaultDataViewRequest: + $ref: '#/components/examples/Data_views_set_default_data_view_request' + schema: + type: object + properties: + data_view_id: + description: | + The data view identifier. NOTE: The API does not validate whether it is a valid identifier. Use `null` to unset the default data view. + nullable: true + type: string + force: + default: false + description: Update an existing default data view identifier. + type: boolean + required: + - data_view_id + required: true + responses: + '200': + content: + application/json: + examples: + setDefaultDataViewResponse: + $ref: '#/components/examples/Data_views_set_default_data_view_response' + schema: + type: object + properties: + acknowledged: + type: boolean + description: Indicates a successful call. 
+ '400': + content: + application/json: + examples: + setDefaultDataViewBadRequest: + $ref: '#/components/examples/Data_views_error_400_response' + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Set the default data view + tags: + - data views + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/data_views/default" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{"data_view_id":"ff959d40-b880-11e8-a6d9-e546fe2bba5f","force":true}' + - lang: Console + source: | + POST kbn://api/data_views/default + {"data_view_id":"ff959d40-b880-11e8-a6d9-e546fe2bba5f","force":true} + x-metaTags: + - content: Kibana + name: product_name + /api/data_views/swap_references: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/data_views/swap_references
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Swap saved object references from one data view to another. Use this endpoint to update dashboards, visualizations, and other saved objects that reference a data view. WARNING: Misuse can break large numbers of saved objects! Use the [`_preview`](https://www.elastic.co/docs/api/doc/kibana/operation/operation-previewswapdataviewsdefault) endpoint to see which saved objects would be affected before making changes. + operationId: swapDataViewsDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + requestBody: + content: + application/json: + examples: + swapDataViewRequest: + $ref: '#/components/examples/Data_views_swap_data_view_request' + schema: + $ref: '#/components/schemas/Data_views_swap_data_view_request_object' + required: true + responses: + '200': + content: + application/json: + examples: + swapDataViewResponse: + $ref: '#/components/examples/Data_views_swap_data_view_response' + schema: + type: object + properties: + deleteStatus: + type: object + properties: + deletePerformed: + type: boolean + remainingRefs: + type: integer + result: + items: + type: object + properties: + id: + description: A saved object identifier. + type: string + type: + description: The saved object type. + type: string + type: array + description: Indicates a successful call. 
+ summary: Swap saved object references + tags: + - data views + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/data_views/swap_references" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{"fromId":"abcd-efg","toId":"xyz-123","delete":true}' + - lang: Console + source: | + POST kbn://api/data_views/swap_references + {"fromId":"abcd-efg","toId":"xyz-123","delete":true} + x-metaTags: + - content: Kibana + name: product_name + /api/data_views/swap_references/_preview: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/data_views/swap_references/_preview
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Preview the effect of swapping saved object references from one data view to another. Returns the list of affected saved objects without making any changes. + operationId: previewSwapDataViewsDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + requestBody: + content: + application/json: + examples: + previewSwapDataViewRequest: + $ref: '#/components/examples/Data_views_preview_swap_data_view_request' + schema: + $ref: '#/components/schemas/Data_views_swap_data_view_request_object' + required: true + responses: + '200': + content: + application/json: + examples: + previewSwapDataViewResponse: + $ref: '#/components/examples/Data_views_preview_swap_data_view_response' + schema: + type: object + properties: + result: + items: + type: object + properties: + id: + description: A saved object identifier. + type: string + type: + description: The saved object type. + type: string + type: array + description: Indicates a successful call. + summary: Preview swap references + tags: + - data views + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/data_views/swap_references/_preview" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{"fromId":"abcd-efg","toId":"xyz-123"}' + - lang: Console + source: | + POST kbn://api/data_views/swap_references/_preview + {"fromId":"abcd-efg","toId":"xyz-123"} + x-metaTags: + - content: Kibana + name: product_name + /api/detection_engine/index: + delete: + description: | + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/detection_engine/index
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Permanently deletes the Elastic Security alerts backing index in the current space, including the alerts + stored in it. Use with caution; prefer lifecycle policies or the UI when available. + Call `GET /api/detection_engine/index` first to confirm the index that will be removed. + operationId: DeleteAlertsIndex + responses: + '200': + content: + application/json: + examples: + acknowledged: + value: + acknowledged: true + schema: + type: object + properties: + acknowledged: + type: boolean + required: + - acknowledged + description: Successful response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + message: API [DELETE /api/detection_engine/index] is unauthorized for the current user. The user needs alerts management permissions for the space. + status_code: 403 + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Not enough permissions response + '404': + content: + application/json: + examples: + notFound: + value: + message: The Elastic Security alerts index to delete was not found. 
+ status_code: 404 + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Index does not exist response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Delete an alerts index + tags: + - Security Detections API + x-metaTags: + - content: Kibana + name: product_name + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/detection_engine/index
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Returns the backing Elasticsearch index for Elastic Security detection alerts in the current space, and + whether its mapping is outdated. Use this to verify that an alert index is provisioned before creating + or running rules that write alerts to it. + operationId: ReadAlertsIndex + responses: + '200': + content: + application/json: + examples: + success: + value: + index_mapping_outdated: false + name: .alerts-security.alerts-default + schema: + type: object + properties: + index_mapping_outdated: + nullable: true + type: boolean + name: + type: string + required: + - name + - index_mapping_outdated + description: Successful response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + message: API [GET /api/detection_engine/index] is unauthorized for the current user. Check Security and Kibana feature privileges (detection engine / alerts) for the space. + status_code: 403 + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Not enough permissions response + '404': + content: + application/json: + examples: + notFound: + value: + message: Elastic Security alert index is not found for the current space. 
+ status_code: 404 + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Not found + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Reads the alert index name if it exists + tags: + - Security Detections API + x-metaTags: + - content: Kibana + name: product_name + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/detection_engine/index
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Creates an index for Elastic Security alerts. Calling this API is not + required for the detection engine to function properly. You can create + rules and alerts without calling this API. + operationId: CreateAlertsIndex + responses: + '200': + content: + application/json: + examples: + acknowledged: + value: + acknowledged: true + schema: + type: object + properties: + acknowledged: + type: boolean + required: + - acknowledged + description: Successful response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + message: API [POST /api/detection_engine/index] is unauthorized for the current user. The user must be able to create indices for the Elastic Security solution. + status_code: 403 + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Not enough permissions response + '404': + content: + application/json: + examples: + notFound: + value: + message: A prerequisite resource required to create the alerts index was not found. 
+ status_code: 404 + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Not found + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Create an alerts index + tags: + - Security Detections API + x-metaTags: + - content: Kibana + name: product_name + /api/detection_engine/privileges: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/detection_engine/privileges
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieves whether or not the user is authenticated, and the user's Kibana + space and index privileges, which determine if the user can create an + index for the Elastic Security alerts generated by + detection engine rules. + operationId: ReadPrivileges + responses: + '200': + content: + application/json: + examples: + success: + value: + application: {} + cluster: + all: true + manage: true + manage_api_key: true + manage_index_templates: true + manage_ml: true + manage_own_api_key: true + manage_pipeline: true + manage_security: true + manage_transform: true + monitor: true + monitor_ml: true + monitor_transform: true + has_all_requested: true + has_encryption_key: true + index: + .alerts-security.alerts-default: + all: true + create: true + create_doc: true + create_index: true + delete: true + delete_index: true + index: true + maintenance: true + manage: true + monitor: true + read: true + view_index_metadata: true + write: true + is_authenticated: true + username: elastic + schema: + type: object + properties: + has_encryption_key: + type: boolean + is_authenticated: + type: boolean + required: + - is_authenticated + - has_encryption_key + description: Successful response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: 
'#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Returns user privileges for the Kibana space + tags: + - Security Detections API + x-metaTags: + - content: Kibana + name: product_name + /api/detection_engine/rules: + delete: + description: | + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/detection_engine/rules
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a detection rule using the `rule_id` or `id` field. + + The URL query must include one of the following: + + * `id` - `DELETE /api/detection_engine/rules?id=` + * `rule_id`- `DELETE /api/detection_engine/rules?rule_id=` + + The difference between the `id` and `rule_id` is that the `id` is a unique rule identifier that is randomly generated when a rule is created and cannot be set, whereas `rule_id` is a stable rule identifier that can be assigned during rule creation. + operationId: DeleteRule + parameters: + - description: The rule's `id` value. + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Detections_API_UUID' + - description: The rule's `rule_id` value. + in: query + name: rule_id + required: false + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + responses: + '200': + content: + application/json: + examples: + deletedRule: + summary: Response shape after a rule is deleted + value: + actions: [] + created_at: '2020-02-03T11:19:04.259Z' + created_by: elastic + description: Process started by MS Office program in user folder + enabled: false + false_positives: [] + from: now-4200s + id: c41d170b-8ba6-4de6-b8ec-76440a35ace3 + immutable: false + interval: 1h + language: kuery + max_signals: 100 + name: MS Office child process + query: event.action:Process* + references: [] + risk_score: 50 + rule_id: process_started_by_ms_office_user_folder + severity: low + tags: + - tag + throttle: null + to: now + type: query + updated_at: '2020-02-03T11:19:04.462Z' + updated_by: elastic + version: 3 + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleResponse' + description: Indicates a successful call. 
+ summary: Delete a detection rule + tags: + - Security Detections API + x-codeSamples: + - lang: cURL + source: | + curl \ + --request DELETE https://localhost:5601/api/detection_engine/rules?rule_id=bfeaf89b-a2a7-48a3-817f-e41829dc61ee \ + --header "Content-Type: application/json; Elastic-Api-Version=2023-10-31" + x-metaTags: + - content: Kibana + name: product_name + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/detection_engine/rules
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve a detection rule using the `rule_id` or `id` field. + + The URL query must include one of the following: + + * `id` - `GET /api/detection_engine/rules?id=` + * `rule_id` - `GET /api/detection_engine/rules?rule_id=` + + The difference between the `id` and `rule_id` is that the `id` is a unique rule identifier that is randomly generated when a rule is created and cannot be set, whereas `rule_id` is a stable rule identifier that can be assigned during rule creation. + operationId: ReadRule + parameters: + - description: The rule's `id` value. + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Detections_API_UUID' + - description: The rule's `rule_id` value. + in: query + name: rule_id + required: false + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + responses: + '200': + content: + application/json: + examples: + example1: + summary: Example response for a retrieved rule + value: + created_at: '2020-02-03T11:19:04.259Z' + created_by: elastic + description: Process started by MS Office program in user folder + enabled: false + execution_summary: + last_execution: + date: '2022-03-23T16:06:12.787Z' + message: This rule attempted to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, but no matching index was found. 
+ metrics: + execution_gap_duration_s: 0 + total_indexing_duration_ms: 15 + total_search_duration_ms: 135 + status: partial failure + status_order: 20 + false_positives: [] + filters: + - query: + match: + event.action: + query: 'Process Create (rule: ProcessCreate)' + type: phrase + from: now-4200s + id: c41d170b-8ba6-4de6-b8ec-76440a35ace3 + immutable: false + interval: 1h + language: kuery + max_signals: 100 + name: MS Office child process + query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE + references: [] + related_integrations: + - package: o365 + version: ^2.3.2 + required_fields: + - ecs: true + name: process.name + type: keyword + - ecs: true + name: process.parent.name + type: keyword + risk_score: 21 + rule_id: process_started_by_ms_office_user_folder + setup: '' + severity: low + tags: + - child process + - ms office + threat: + - framework: MITRE ATT&CK + tactic: + id: TA0001 + name: Initial Access + reference: https://attack.mitre.org/tactics/TA0001 + technique: + - id: T1193 + name: Spearphishing Attachment + reference: https://attack.mitre.org/techniques/T1193 + to: now-300s + type: query + updated_at: '2020-02-03T11:19:04.462Z' + updated_by: elastic + version: 1 + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleResponse' + description: | + Indicates a successful call. + > info + > These fields are under development and their usage or schema may change: execution_summary. 
+ summary: Retrieve a detection rule + tags: + - Security Detections API + x-codeSamples: + - lang: cURL + source: | + curl \ + --request GET https://localhost:5601/api/detection_engine/rules?rule_id=bfeaf89b-a2a7-48a3-817f-e41829dc61ee \ + --header "Content-Type: application/json; Elastic-Api-Version=2023-10-31" + x-metaTags: + - content: Kibana + name: product_name + patch: + description: | + **Spaces method and path for this operation:** + +
patch /s/{space_id}/api/detection_engine/rules
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update specific fields of an existing detection rule using the `rule_id` or `id` field. + + The difference between the `id` and `rule_id` is that the `id` is a unique rule identifier that is randomly generated when a rule is created and cannot be set, whereas `rule_id` is a stable rule identifier that can be assigned during rule creation. + > warn + > When used with [API key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running. + + > If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change. + operationId: PatchRule + requestBody: + content: + application/json: + examples: + example1: + summary: Patch query rule + value: + id: 14b7b513-3d8d-4b22-b7da-a7ae632f7e76 + name: New name + example2: + summary: Patch EQL rule + value: + rule_id: process_started_by_ms_office_program_possible_payload + threat: + - framework: MITRE ATT&CK + tactic: + id: TA0001 + name: Initial Access + reference: https://attack.mitre.org/tactics/TA0001 + technique: + - id: T1193 + name: Spearphishing Attachment + reference: https://attack.mitre.org/techniques/T1193 + example3: + summary: Patch threshold rule + value: + id: 005d2c4f-51ca-493d-a2bd-20ef076339b1 + query: 'agent.version : * and agent.id : "243d9b4f-ca01-4311-8e5c-9abbee91afd8"' + threshold: + cardinality: [] + field: [] + value: 600 + example4: + summary: Patch new terms rule + value: + history_window_start: now-3d + id: 569aac91-40dc-4807-a8ae-a2c8698089c4 + new_terms_fields: + - Endpoint.policy.applied.artifacts.global.identifiers.name + example5: + summary: Patch esql rule + value: + id: 0b15e8a2-49b6-47e0-a8e6-d63a6cc335bd + query: | + FROM logs-abc* + | STATS count 
= COUNT(*), min_timestamp = MIN(@timestamp) + | EVAL event_rate = count / DATE_DIFF("seconds", min_timestamp, NOW()) + | KEEP event_rate + example6: + summary: Patch indicator match rule + value: + id: 462f1986-10fe-40a3-a22c-2b1c9c4c48fd + threat_query: '@timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and threat.indicator.ip:* and not labels.is_ioc_transform_source:"false"' + example7: + summary: Patch machine learning rule + value: + anomaly_threshold: 50 + id: 60b13926-289b-41b1-a537-197ef1fa5059 + machine_learning_job_id: + - auth_high_count_logon_events_ea + schema: + $ref: '#/components/schemas/Security_Detections_API_RulePatchProps' + description: | + > info + > You cannot modify the `id` or `rule_id` values. + required: true + responses: + '200': + content: + application/json: + examples: + example1: + summary: Example response for an updated rule + value: + actions: [] + created_at: '2020-04-07T14:51:09.755Z' + created_by: elastic + description: Updated description for the rule. + enabled: false + false_positives: [] + filters: + - query: null + from: now-70m + id: 6541b99a-dee9-4f6d-a86d-dbd1869d73b1 + immutable: false + interval: 1h + language: kuery + max_signals: 100 + name: Updated Rule Name + query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE + references: [] + related_integrations: + - package: o365 + required_fields: + - name: process.parent.name + risk_score: 50 + rule_id: process_started_by_ms_office_program + setup: '' + severity: low + tags: + - child process + - ms office + threat: [] + to: now + type: query + updated_at: '2020-04-07T14:51:09.970Z' + updated_by: elastic + version: 2 + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleResponse' + description: Indicates a successful call. 
+ summary: Patch a detection rule + tags: + - Security Detections API + x-metaTags: + - content: Kibana + name: product_name + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/detection_engine/rules
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new detection rule. + > warn + > When used with [API key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running. + + > If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change. + + You can create the following types of rules: + + * **Custom query**: Searches the defined indices and creates an alert when a document matches the rule's KQL query. + * **Event correlation**: Searches the defined indices and creates an alert when results match an [Event Query Language (EQL)](https://www.elastic.co/guide/en/elasticsearch/reference/current/eql.html) query. + * **Threshold**: Searches the defined indices and creates an alert when the number of times the specified field's value meets the threshold during a single execution. When there are multiple values that meet the threshold, an alert is generated for each value. + For example, if the threshold `field` is `source.ip` and its `value` is `10`, an alert is generated for every source IP address that appears in at least 10 of the rule's search results. If you're interested, see [Terms Aggregation](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-bucket-terms-aggregation.html) for more information. + * **Indicator match**: Creates an alert when fields match values defined in the specified [Elasticsearch index](https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-create-index.html). For example, you can create an index for IP addresses and use this index to create an alert whenever an event's `destination.ip` equals a value in the index. 
The index's field mappings should be [ECS-compliant](https://www.elastic.co/guide/en/ecs/current/ecs-reference.html). + * **New terms**: Generates an alert for each new term detected in source documents within a specified time range. + * **ES|QL**: Uses [Elasticsearch Query Language (ES|QL)](https://www.elastic.co/guide/en/elasticsearch/reference/current/esql.html) to find events and aggregate search results. + * **Machine learning rules**: Creates an alert when a machine learning job discovers an anomaly above the defined threshold. + > info + > To create machine learning rules, you must have the [appropriate license](https://www.elastic.co/subscriptions) or use a [cloud deployment](https://cloud.elastic.co/registration). Additionally, for the machine learning rule to function correctly, the associated machine learning job must be running. + + To retrieve machine learning job IDs, which are required to create machine learning jobs, call the [Elasticsearch Get jobs API](https://www.elastic.co/guide/en/elasticsearch/reference/current/ml-get-job.html). Machine learning jobs that contain `siem` in the `groups` field can be used to create rules: + + ```json + ... + "job_id": "linux_anomalous_network_activity_ecs", + "job_type": "anomaly_detector", + "job_version": "7.7.0", + "groups": [ + "auditbeat", + "process", + "siem" + ], + ... + ``` + + Additionally, you can set up notifications for when rules create alerts. The notifications use the [Alerting and Actions framework](https://www.elastic.co/docs/explore-analyze/alerting). Each action type requires a connector. Connectors store the information required to send notifications via external systems. 
The following connector types are supported for rule notifications: + + * Slack + * Email + * PagerDuty + * Webhook + * Microsoft Teams + * IBM Resilient + * Jira + * ServiceNow ITSM + > info + > For more information on PagerDuty fields, see [Send a v2 Event](https://developer.pagerduty.com/docs/events-api-v2/trigger-events/). + + To retrieve connector IDs, which are required to configure rule notifications, call the [Find objects API](https://www.elastic.co/docs/api/doc/kibana/operation/operation-findsavedobjects) with `"type": "action"` in the request payload. + + For detailed information on Kibana actions and alerting, and additional API calls, see: + + * [Alerting API](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-alerting) + * [Alerting and Actions framework](https://www.elastic.co/docs/explore-analyze/alerting) + * [Connectors API](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-connectors) + operationId: CreateRule + requestBody: + content: + application/json: + examples: + example1: + description: Query rule that searches for processes started by MS Office + summary: Query rule + value: + description: Process started by MS Office program - possible payload + enabled: false + filters: + - query: + match: + event.action: + query: 'Process Create (rule: ProcessCreate)' + type: phrase + from: now-70m + interval: 1h + language: kuery + name: MS Office child process + query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE + related_integrations: + - package: o365 + version: ^2.3.2 + required_fields: + - name: process.parent.name + type: keyword + risk_score: 50 + rule_id: process_started_by_ms_office_program + severity: low + tags: + - child process + - ms office + type: query + example2: + description: Threshold rule that detects multiple failed login attempts to a Windows host from the 
same external source IP address + summary: Threshold rule + value: + description: Detects when there are 20 or more failed login attempts from the same IP address with a 2 minute time frame. + enabled: true + exceptions_list: + - id: int-ips + namespace_type: single + type: detection + from: now-180s + index: + - winlogbeat-* + interval: 2m + name: Windows server prml-19 + query: host.name:prml-19 and event.category:authentication and event.outcome:failure + required_fields: + - name: source.ip + type: ip + risk_score: 30 + rule_id: liv-win-ser-logins + severity: low + severity_mapping: + - field: source.geo.city_name + operator: equals + severity: low + value: Manchester + - field: source.geo.city_name + operator: equals + severity: medium + value: London + - field: source.geo.city_name + operator: equals + severity: high + value: Birmingham + - field: source.geo.city_name + operator: equals + severity: critical + value: Wallingford + tags: + - Brute force + threshold: + field: source.ip + value: 20 + type: threshold + example3: + description: Machine learning rule that creates alerts, and sends Slack notifications, when the linux_anomalous_network_activity_ecs machine learning job discovers anomalies with a threshold of 70 or above. + summary: Machine learning rule + value: + actions: + - action_type_id: .slack + group: default + id: 5ad22cd5-5e6e-4c6c-a81a-54b626a4cec5 + params: + message: 'Urgent: {{context.rule.description}}' + anomaly_threshold: 70 + description: Generates alerts when the job discovers anomalies over 70 + enabled: true + from: now-6m + interval: 5m + machine_learning_job_id: linux_anomalous_network_activity_ecs + name: Anomalous Linux network activity + note: Shut down the internet. + risk_score: 70 + rule_id: ml_linux_network_high_threshold + setup: This rule requires data coming in from Elastic Defend. 
+ severity: high + tags: + - machine learning + - Linux + type: machine_learning + example4: + description: Event correlation rule that creates alerts when the Windows rundll32.exe process makes unusual network connections + summary: EQL rule + value: + description: Unusual rundll32.exe network connection + language: eql + name: rundll32.exe network connection + query: sequence by process.entity_id with maxspan=2h [process where event.type in ("start", "process_started") and (process.name == "rundll32.exe" or process.pe.original_file_name == "rundll32.exe") and ((process.args == "rundll32.exe" and process.args_count == 1) or (process.args != "rundll32.exe" and process.args_count == 0))] [network where event.type == "connection" and (process.name == "rundll32.exe" or process.pe.original_file_name == "rundll32.exe")] + required_fields: + - name: event.type + type: keyword + - name: process.args + type: keyword + - name: process.args_count + type: long + - name: process.entity_id + type: keyword + - name: process.name + type: keyword + - name: process.pe.original_file_name + type: keyword + risk_score: 21 + rule_id: eql-outbound-rundll32-connections + severity: low + tags: + - EQL + - Windows + - rundll32.exe + type: eql + example5: + description: | + Indicator match rule that creates an alert when one of the following is true: The event's destination IP address and port number matches destination IP and port values in the threat_index index; The event's source IP address matches a host IP address value in the threat_index index. 
+ summary: Indicator match rule + value: + actions: [] + description: Checks for bad IP addresses listed in the ip-threat-list index + index: + - packetbeat-* + name: Bad IP threat match + query: destination.ip:* or host.ip:* + required_fields: + - name: destination.ip + type: ip + - name: destination.port + type: long + - name: host.ip + type: ip + risk_score: 50 + severity: medium + threat_index: + - ip-threat-list + threat_mapping: + - entries: + - field: destination.ip + type: mapping + value: destination.ip + - field: destination.port + type: mapping + value: destination.port + - entries: + - field: source.ip + type: mapping + value: host.ip + threat_query: '*:*' + type: threat_match + example6: + description: New terms rule that creates alerts a new IP address is detected for a user + summary: New terms rule + value: + description: Detects a user associated with a new IP address + history_window_start: now-30d + index: + - auditbeat* + language: kuery + name: New User IP Detected + new_terms_fields: + - user.id + - source.ip + query: '*' + required_fields: + - name: user.id + type: keyword + - name: source.ip + type: ip + risk_score: 21 + severity: medium + type: new_terms + example7: + description: esql rule that creates alerts from events that match an Excel parent process + summary: Esql rule + value: + description: Find Excel events + enabled: false + from: now-360s + interval: 5m + language: esql + name: Find Excel events + query: from auditbeat-8.10.2 METADATA _id, _version, _index | where process.parent.name == "EXCEL.EXE" + required_fields: + - name: process.parent.name + type: keyword + risk_score: 21 + severity: low + tags: [] + to: now + type: esql + example8: + description: Query rule that searches for processes started by MS Office and suppresses alerts by the process.parent.name field within a 5-hour time period + summary: Query rule 2 + value: + alert_suppression: + duration: + unit: h + value: 5 + group_by: + - process.parent.name + 
missing_fields_strategy: suppress + description: Process started by MS Office program - possible payload + enabled: false + filters: + - query: + match: + event.action: + query: 'Process Create (rule: ProcessCreate)' + type: phrase + from: now-70m + interval: 1h + language: kuery + name: MS Office child process + query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE + risk_score: 50 + rule_id: process_started_by_ms_office_program + severity: low + tags: + - child process + - ms office + type: query + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleCreateProps' + required: true + responses: + '200': + content: + application/json: + examples: + example1: + description: Example response for a query rule + summary: Query rule response + value: + actions: [] + created_at: '2020-04-07T14:51:09.755Z' + created_by: elastic + description: Process started by MS Office program - possible payload + enabled: false + false_positives: [] + filters: + - query: + match: + event.action: + query: 'Process Create (rule: ProcessCreate)' + type: phrase + from: now-70m + id: 6541b99a-dee9-4f6d-a86d-dbd1869d73b1 + immutable: false + interval: 1h + language: kuery + max_signals: 100 + name: MS Office child process + query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE + references: [] + related_integrations: + - package: o365 + version: ^2.3.2 + - integration: graphactivitylogs + package: azure + version: ^1.11.4 + required_fields: + - ecs: true + name: process.parent.name + type: keyword + risk_score: 50 + rule_id: process_started_by_ms_office_program + setup: '' + severity: low + tags: + - child process + - ms office + threat: [] + to: now + type: query + 
updated_at: '2020-04-07T14:51:09.970Z' + updated_by: elastic + version: 1 + example2: + description: Example response for a machine learning job rule + summary: Machine learning response + value: + actions: + - action_type_id: .slack + frequency: + notifyWhen: onActiveAlert + summary: true + throttle: null + group: default + id: 5ad22cd5-5e6e-4c6c-a81a-54b626a4cec5 + params: + message: 'Urgent: {{context.rule.description}}' + anomaly_threshold: 70 + created_at: '2020-04-07T14:45:15.679Z' + created_by: elastic + description: Generates alerts when the job discovers anomalies over 70 + enabled: true + false_positives: [] + from: now-6m + id: 83876f66-3a57-4a99-bf37-416494c80f3b + immutable: false + interval: 5m + machine_learning_job_id: linux_anomalous_network_activity_ecs + max_signals: 100 + name: Anomalous Linux network activity + note: Shut down the internet. + references: [] + related_integrations: [] + required_fields: [] + risk_score: 70 + rule_id: ml_linux_network_high_threshold + setup: '' + severity: high + status: going to run + status_date: '2020-04-07T14:45:21.685Z' + tags: + - machine learning + - Linux + threat: [] + to: now + type: machine_learning + updated_at: '2020-04-07T14:45:15.892Z' + updated_by: elastic + version: 1 + example3: + description: Example response for a threshold rule + summary: Threshold rule response + value: + actions: [] + author: [] + created_at: '2020-07-22T10:27:23.486Z' + created_by: elastic + description: Detects when there are 20 or more failed login attempts from the same IP address with a 2 minute time frame. 
+ enabled: true + exceptions_list: + - id: int-ips + namespace_type: single + type: detection + false_positives: [] + from: now-180s + id: 15dbde26-b627-4d74-bb1f-a5e0ed9e4993 + immutable: false + index: + - winlogbeat-* + interval: 2m + language: kuery + max_signals: 100 + name: Windows server prml-19 + query: host.name:prml-19 and event.category:authentication and event.outcome:failure + references: [] + related_integrations: + - package: o365 + version: ^2.3.2 + required_fields: + - ecs: true + name: source.ip + type: ip + risk_score: 30 + risk_score_mapping: [] + rule_id: liv-win-ser-logins + setup: '' + severity: low + severity_mapping: + - field: source.geo.city_name + operator: equals + severity: low + value: Manchester + - field: source.geo.city_name + operator: equals + severity: medium + value: London + - field: source.geo.city_name + operator: equals + severity: high + value: Birmingham + - field: source.geo.city_name + operator: equals + severity: critical + value: Wallingford + tags: + - Brute force + threat: [] + threshold: + field: source.ip + value: 20 + to: now + type: threshold + updated_at: '2020-07-22T10:27:23.673Z' + updated_by: elastic + version: 1 + example4: + description: Example response for an EQL rule + summary: EQL rule response + value: + author: [] + created_at: '2020-10-05T09:06:16.392Z' + created_by: elastic + description: Unusual rundll32.exe network connection + enabled: true + exceptions_list: [] + false_positives: [] + from: now-6m + id: 93808cae-b05b-4dc9-8479-73574b50f8b1 + immutable: false + interval: 5m + language: eql + max_signals: 100 + name: rundll32.exe network connection + query: sequence by process.entity_id with maxspan=2h [process where event.type in ("start", "process_started") and (process.name == "rundll32.exe" or process.pe.original_file_name == "rundll32.exe") and ((process.args == "rundll32.exe" and process.args_count == 1) or (process.args != "rundll32.exe" and process.args_count == 0))] [network where 
event.type == "connection" and (process.name == "rundll32.exe" or process.pe.original_file_name == "rundll32.exe")] + references: [] + related_integrations: + - package: o365 + version: ^2.3.2 + required_fields: + - ecs: true + name: event.type + type: keyword + - ecs: true + name: process.args + type: keyword + - ecs: true + name: process.args_count + type: long + - ecs: true + name: process.entity_id + type: keyword + - ecs: true + name: process.name + type: keyword + - ecs: true + name: process.pe.original_file_name + type: keyword + risk_score: 21 + risk_score_mapping: [] + rule_id: eql-outbound-rundll32-connections + setup: '' + severity: low + severity_mapping: [] + tags: + - EQL + - Windows + - rundll32.exe + threat: [] + throttle: no_actions + to: now + type: eql + updated_at: '2020-10-05T09:06:16.403Z' + updated_by: elastic + version: 1 + example5: + description: Example response for an indicator match rule + summary: Indicator match rule response + value: + author: [] + created_at: '2020-10-06T07:07:58.227Z' + created_by: elastic + description: Checks for bad IP addresses listed in the ip-threat-list index + enabled: true + exceptions_list: [] + false_positives: [] + from: now-6m + id: d5daa13f-81fb-4b13-be2f-31011e1d9ae1 + immutable: false + index: + - packetbeat-* + interval: 5m + language: kuery + max_signals: 100 + name: Bad IP threat match + query: destination.ip:* or host.ip:* + references: [] + related_integrations: + - package: o365 + version: ^2.3.2 + required_fields: + - ecs: true + name: destination.ip + type: ip + - ecs: true + name: destination.port + type: long + - ecs: true + name: host.ip + type: ip + risk_score: 50 + risk_score_mapping: [] + rule_id: 608501e4-c768-4f64-9326-cec55b5d439b + setup: '' + severity: medium + severity_mapping: [] + tags: [] + threat: [] + threat_index: + - ip-threat-list + threat_mapping: + - entries: + - field: destination.ip + type: mapping + value: destination.ip + - field: destination.port + type: mapping + 
value: destination.port + - entries: + - field: source.ip + type: mapping + value: host.ip + threat_query: '*:*' + to: now + type: threat_match + updated_at: '2020-10-06T07:07:58.237Z' + updated_by: elastic + version: 1 + example6: + description: Example response for a new terms rule + summary: New terms rule response + value: + author: [] + created_at: '2020-10-06T07:07:58.227Z' + created_by: elastic + description: Detects a user associated with a new IP address + enabled: true + exceptions_list: [] + false_positives: [] + from: now-6m + history_window_start: now-30d + id: eb7225c0-566b-11ee-8b4f-bbf3afdeb9f4 + immutable: false + index: + - auditbeat* + interval: 5m + language: kuery + max_signals: 100 + name: New User IP Detected + new_terms_fields: + - user.id + - source.ip + query: '*' + references: [] + related_integrations: + - package: o365 + version: ^2.3.2 + required_fields: + - ecs: true + name: user.id + type: keyword + - ecs: true + name: source.ip + type: ip + risk_score: 21 + risk_score_mapping: [] + rule_id: c6f5d0bc-7be9-47d4-b2f3-073d22641e30 + setup: '' + severity: medium + severity_mapping: [] + tags: [] + threat: [] + to: now + type: new_terms + updated_at: '2020-10-06T07:07:58.237Z' + updated_by: elastic + version: 1 + example7: + description: Example response for an Esql rule + summary: Esql rule response + value: + actions: [] + author: [] + created_at: '2023-10-18T10:55:14.269Z' + created_by: elastic + description: Find Excel events + enabled: false + exceptions_list: [] + false_positives: [] + from: now-360s + id: d0f20490-6da4-11ee-b85e-09e9b661f2e2 + immutable: false + interval: 5m + language: esql + max_signals: 100 + name: Find Excel events + output_index: '' + query: from auditbeat-8.10.2 METADATA _id | where process.parent.name == "EXCEL.EXE" + references: [] + related_integrations: + - package: o365 + version: ^2.3.2 + required_fields: + - ecs: true + name: process.parent.name + type: keyword + revision: 0 + risk_score: 21 + 
risk_score_mapping: [] + rule_id: e4b53a89-debd-4a0d-a3e3-20606952e589 + setup: '' + severity: low + severity_mapping: [] + tags: [] + threat: [] + to: now + type: esql + updated_at: '2023-10-18T10:55:14.269Z' + updated_by: elastic + version: 1 + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleResponse' + description: Indicates a successful call. + summary: Create a detection rule + tags: + - Security Detections API + x-metaTags: + - content: Kibana + name: product_name + put: + description: | + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/detection_engine/rules
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update a detection rule using the `rule_id` or `id` field. The original rule is replaced, and all unspecified fields are deleted. + + The difference between the `id` and `rule_id` is that the `id` is a unique rule identifier that is randomly generated when a rule is created and cannot be set, whereas `rule_id` is a stable rule identifier that can be assigned during rule creation. + > warn + > When used with [API key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running. + + > If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change. + operationId: UpdateRule + requestBody: + content: + application/json: + examples: + example1: + summary: Update query rule + value: + description: A new description + id: 14b7b513-3d8d-4b22-b7da-a7ae632f7e76 + name: A new name for the rule + risk_score: 22 + severity: medium + type: query + example2: + summary: Update EQL rule + value: + description: eql rule test + id: 9b684efb-acf9-4323-9bff-8335b3867d14 + index: + - apm-*-transaction* + language: eql + name: New name for EQL rule + query: process where process.name == "regsvr32.exe" + risk_score: 21 + severity: low + type: eql + example3: + summary: Update threshold rule + value: + description: Description of threat rule test + id: 005d2c4f-51ca-493d-a2bd-20ef076339b1 + language: kuery + name: New name for threat rule + query: 'agent.version : * and agent.id : "243d9b4f-ca01-4311-8e5c-9abbee91afd8"' + risk_score: 21 + severity: low + tags: + - new_tag + threshold: + cardinality: [] + field: [] + value: 400 + type: threshold + example4: + summary: Update new terms rule + value: + description: New description + 
history_window_start: now-7d + id: 569aac91-40dc-4807-a8ae-a2c8698089c4 + interval: 5m + name: New terms rule name + new_terms_fields: + - Endpoint.policy.applied.artifacts.global.identifiers.name + query: 'agent.version : "9.1.0"' + risk_score: 21 + severity: low + type: new_terms + example5: + summary: Update esql rule + value: + description: New description for esql rule + id: 0b15e8a2-49b6-47e0-a8e6-d63a6cc335bd + language: esql + name: New name for esql rule + query: | + FROM logs* + | STATS count = COUNT(*), min_timestamp = MIN(@timestamp) /* MIN(dateField) finds the earliest timestamp in the dataset. */ + | EVAL event_rate = count / DATE_DIFF("seconds", min_timestamp, NOW()) /* Calculates the event rate by dividing the total count of events by the time difference (in seconds) between the earliest event and the current time. */ + | KEEP event_rate + risk_score: 21 + severity: low + type: esql + example6: + summary: Update indicator match rule + value: + description: New description + id: 462f1986-10fe-40a3-a22c-2b1c9c4c48fd + name: New name for Indicator Match rule + query: source.ip:* or destination.ip:*\n + risk_score: 99 + severity: critical + threat_index: + - filebeat-* + - logs-ti_* + threat_mapping: + - entries: + - field: source.ip + type: mapping + value: threat.indicator.ip + - entries: + - field: destination.ip + type: mapping + value: threat.indicator.ip + threat_query: '@timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and threat.indicator.ip:* and not labels.is_ioc_transform_source:"true"' + type: threat_match + example7: + summary: Update machine learning rule + value: + anomaly_threshold: 50 + description: New description of ml rule + id: 60b13926-289b-41b1-a537-197ef1fa5059 + machine_learning_job_id: + - auth_high_count_logon_events_ea + name: New name of ml rule + risk_score: 21 + severity: low + type: machine_learning + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleUpdateProps' + description: | + > info + 
> All unspecified fields are deleted. You cannot modify the `id` or `rule_id` values. + required: true + responses: + '200': + content: + application/json: + examples: + example1: + summary: Example response for an updated rule + value: + actions: [] + created_at: '2020-04-07T14:51:09.755Z' + created_by: elastic + description: Updated description for the rule. + enabled: false + false_positives: [] + filters: + - query: null + from: now-70m + id: 6541b99a-dee9-4f6d-a86d-dbd1869d73b1 + immutable: false + interval: 1h + language: kuery + max_signals: 100 + name: Updated Rule Name + query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE + references: [] + related_integrations: + - package: o365 + required_fields: + - name: process.parent.name + risk_score: 50 + rule_id: process_started_by_ms_office_program + setup: '' + severity: low + tags: + - child process + - ms office + threat: [] + to: now + type: query + updated_at: '2020-04-07T14:51:09.970Z' + updated_by: elastic + version: 2 + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleResponse' + description: Indicates a successful call. + summary: Update a detection rule + tags: + - Security Detections API + x-metaTags: + - content: Kibana + name: product_name + /api/detection_engine/rules/_bulk_action: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/detection_engine/rules/_bulk_action
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Apply a bulk action, such as bulk edit, duplicate, or delete, to multiple detection rules. The bulk action is applied to all rules that match the query or to the rules listed by their IDs. + + The edit action allows you to add, delete, or set tags, index patterns, investigation fields, rule actions and schedules for multiple rules at once. + The edit action is idempotent, meaning that if you add a tag to a rule that already has that tag, no changes are made. The same is true for other edit actions, for example removing an index pattern that is not specified in a rule will not result in any changes. The only exception is the `add_rule_actions` and `set_rule_actions` action, which is non-idempotent. This means that if you add or set a rule action to a rule that already has that action, a new action is created with a new unique ID. + > warn + > When used with [API key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running. + + > If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change. + operationId: PerformRulesBulkAction + parameters: + - description: | + Enables dry run mode for the request call. + + Enable dry run mode to verify that bulk actions can be applied to specified rules. Certain rules, such as prebuilt Elastic rules on a Basic subscription, can’t be edited and will return errors in the request response. Error details will contain an explanation, the rule name and/or ID, and additional troubleshooting information. + + To enable dry run mode on a request, add the query parameter `dry_run=true` to the end of the request URL. Rules specified in the request will be temporarily updated. 
These updates won’t be written to Elasticsearch. + > info + > Dry run mode is not supported for the `export` bulk action. A 400 error will be returned in the request response. + in: query + name: dry_run + required: false + schema: + type: boolean + requestBody: + content: + application/json: + examples: + example01: + description: The following request activates all rules with the test tag. + summary: Enable - Enable all rules with the test tag + value: + action: enable + query: 'alert.attributes.tags: "test"' + example02: + description: The following request enables the rule with the specified ID. + summary: Enable - Enable a specific rule by ID. + value: + action: enable + ids: + - 748694f0-6977-4ea5-8384-cd2e39730779 + example03: + description: The following request disables the rule with the specified ID. + summary: Disable - Disable a specific rule by ID + value: + action: disable + ids: + - 748694f0-6977-4ea5-8384-cd2e39730779 + example04: + description: The following request duplicates rules with the specified IDs, including exceptions but not expired exceptions. + summary: Duplicate - Duplicate rules with specific IDs + value: + action: duplicate + duplicate: + include_exceptions: true + include_expired_exceptions: false + ids: + - 748694f0-6977-4ea5-8384-cd2e39730779 + - 461a4c22-416e-4009-a9a7-cf79656454bf + example05: + description: The following request deletes the rule with the specified ID. + summary: Delete - Delete a specific rule by ID + value: + action: delete + ids: + - cf4abfd1-7c37-4519-ab0f-5ea5c75fac60 + example06: + description: The following request runs the rule with the specified ID within the given date range. + summary: Run - Run a specific rule by ID + value: + action: run + ids: + - 748694f0-6977-4ea5-8384-cd2e39730779 + run: + end_date: '2025-03-10T23:59:59.999Z' + start_date: '2025-03-01T00:00:00.000Z' + example07: + description: The following request exports the rules with the specified IDs. 
+ summary: Export - Export specific rules by ID + value: + action: export + ids: + - 748694f0-6977-4ea5-8384-cd2e39730779 + example08: + description: The following request will validate that the add_index_patterns bulk action can be successfully applied to three rules. The dry_run parameter is specified in query parameters, e.g. POST api/detection_engine/rules/_bulk_action?dry_run=true + summary: Edit - dry run - Validate add_index_patterns bulk action + value: + action: edit + edit: + - type: add_index_patterns + value: + - test-* + ids: + - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 + - dc015d10-0831-11ed-ac8b-05a222bd8d4a + - de8f5af0-0831-11ed-ac8b-05a222bd8d4a + example09: + description: The following request adds the tag "tag-1" to the rules with the specified IDs. If the tag already exists for a rule, no changes are made. + summary: Edit - Add a tag to rules (idempotent) + value: + action: edit + edit: + - type: add_tags + value: + - tag-1 + ids: + - 8bc7dad0-9320-11ec-9265-8b772383a08d + - 8e5c1a40-9320-11ec-9265-8b772383a08d + example10: + description: The following request adds two tags at the same time, tag-1 and tag-2, to the rules that have the IDs sent in the payload. If the tags already exist for a rule, no changes are made. + summary: Edit - Add two tags to rules (idempotent) + value: + action: edit + edit: + - type: add_tags + value: + - tag-1 + - tag-2 + ids: + - 8bc7dad0-9320-11ec-9265-8b772383a08d + - 8e5c1a40-9320-11ec-9265-8b772383a08d + example11: + description: The following request removes the tag "tag-1" from the rules with the specified IDs. If the tag does not exist for a rule, no changes are made. 
+ summary: Edit - Delete a tag from rules (idempotent) + value: + action: edit + edit: + - type: delete_tags + value: + - tag-1 + ids: + - 8bc7dad0-9320-11ec-9265-8b772383a08d + - 8e5c1a40-9320-11ec-9265-8b772383a08d + example12: + description: The following request sets the tags "tag-1" and "tag-2" for the rules with the specified IDs, overwriting any existing tags. If the set of tags is the same as the existing tags, no changes are made. + summary: Edit - Set (overwrite existing) tags for rules (idempotent) + value: + action: edit + edit: + - type: set_tags + value: + - tag-1 + - tag-2 + ids: + - 8bc7dad0-9320-11ec-9265-8b772383a08d + - 8e5c1a40-9320-11ec-9265-8b772383a08d + example13: + description: The following request adds the index pattern "test-*" to the rules with the specified IDs. If the index pattern already exists for a rule, no changes are made. + summary: Edit - Add index patterns to rules (idempotent) + value: + action: edit + edit: + - type: add_index_patterns + value: + - test-* + ids: + - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 + - dc015d10-0831-11ed-ac8b-05a222bd8d4a + example14: + description: The following request removes the index pattern "test-*" from the rules with the specified IDs. If the index pattern does not exist for a rule, no changes are made. + summary: Edit - Remove index patterns from rules (idempotent) + value: + action: edit + edit: + - type: delete_index_patterns + value: + - test-* + ids: + - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 + - dc015d10-0831-11ed-ac8b-05a222bd8d4a + example15: + description: The following request sets the index patterns "test-*" and "prod-*" for the rules with the specified IDs, overwriting any existing index patterns. If the set of index patterns is the same as the existing index patterns, no changes are made. 
+ summary: Edit - Set (overwrite existing) index patterns for rules patterns (idempotent) + value: + action: edit + edit: + - type: set_index_patterns + value: + - test-* + ids: + - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 + - dc015d10-0831-11ed-ac8b-05a222bd8d4a + example16: + description: The following request adds investigation field to the rules with the specified IDs. + summary: Edit - Add investigation field to rules + value: + action: edit + edit: + - type: add_investigation_fields + value: + field_names: + - alert.status + ids: + - 12345678-1234-1234-1234-1234567890ab + - 87654321-4321-4321-4321-0987654321ba + example17: + description: The following request deletes investigation fields from the rules with the specified IDs. If the field does not exist for a rule, no changes are made. + summary: Edit - Delete investigation fields from rules (idempotent) + value: + action: edit + edit: + - type: delete_investigation_fields + ids: + - 12345678-1234-1234-1234-1234567890ab + - 87654321-4321-4321-4321-0987654321ba + value: + - field1 + - field2 + example18: + description: The following request sets investigation fields for the rules with the specified IDs, overwriting any existing investigation fields. If the set of investigation fields is the same as the existing investigation fields, no changes are made. + summary: Edit - Set (overwrite existing) investigation fields for rules (idempotent) + value: + action: edit + edit: + - type: set_investigation_fields + value: + - field1 + - field2 + ids: + - 12345678-1234-1234-1234-1234567890ab + - 87654321-4321-4321-4321-0987654321ba + example19: + description: The following request sets a timeline template for the rules with the specified IDs. If the same timeline template is already set for a rule, no changes are made. 
+ summary: Edit - Set (overwrite existing) timeline template for rules (idempotent) + value: + action: edit + edit: + - type: set_timeline + value: + timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd + timeline_title: Alerts Involving a Single User Timeline + ids: + - eacdfc95-e007-41c9-986e-4b2cbdfdc71b + example20: + description: The following request sets a schedule for the rules with the specified IDs. If the same schedule is already set for a rule, no changes are made. + summary: Edit - Set (overwrite existing) schedule for rules (idempotent) + value: + action: edit + edit: + - type: set_schedule + value: + interval: 1h + lookback: 30m + ids: + - 99887766-5544-3322-1100-aabbccddeeff + example21: + description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. + summary: Edit - Add rule actions to rules (non-idempotent) + value: + action: edit + edit: + - type: add_rule_actions + value: + actions: + - group: default + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: The message body + ids: + - 9e946bfc-3118-4c77-bb25-67d781191928 + example22: + description: The following request sets rule actions for the rules with the specified IDs. Each action receives its own unique ID. + summary: Edit - Set (overwrite existing) rule actions for rules (non-idempotent) + value: + action: edit + edit: + - type: set_rule_actions + value: + actions: + - group: default + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: The message body + ids: + - 9e946bfc-3118-4c77-bb25-67d781191928 + example23: + description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. 
+ summary: Edit - Add rule actions to rules for a webhook connector + value: + action: edit + edit: + - type: add_rule_actions + value: + actions: + - group: default3 + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: The message body + ids: + - 9e946bfc-3118-4c77-bb25-67d781191921 + example24: + description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. + summary: Edit - Add rule actions to rules for an email connector + value: + action: edit + edit: + - type: add_rule_actions + value: + actions: + - group: default3 + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + message: The message body + subject: Subject + to: address@domain.com + ids: + - 9e946bfc-3118-4c77-bb25-67d781191921 + example25: + description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. + summary: Edit - Add rule actions to rules for a slack connector + value: + action: edit + edit: + - type: add_rule_actions + value: + actions: + - group: default3 + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + message: The content of the message + ids: + - 9e946bfc-3118-4c77-bb25-67d781191921 + example26: + description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. + summary: Edit - Add rule actions to rules for a PagerDuty connector + value: + action: edit + edit: + - type: add_rule_actions + value: + actions: + - group: default3 + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + eventAction: trigger + severity: critical + summary: The message body + timestamp: '2023-10-31T00:00:00.000Z' + ids: + - 9e946bfc-3118-4c77-bb25-67d781191921 + example27: + description: The following request set alert suppression to the rules with the specified IDs. 
+ summary: Edit - Set alert suppression to rules (idempotent) + value: + action: edit + edit: + - type: set_alert_suppression + value: + duration: + unit: h + value: 1 + group_by: + - source.ip + missing_fields_strategy: suppress + ids: + - 12345678-1234-1234-1234-1234567890ab + - 87654321-4321-4321-4321-0987654321ba + example28: + description: The following request set alert suppression to threshold rules with the specified IDs. + summary: Edit - Set alert suppression to threshold rules (idempotent) + value: + action: edit + edit: + - type: set_alert_suppression_for_threshold + value: + duration: + unit: h + value: 1 + ids: + - 12345678-1234-1234-1234-1234567890ab + - 87654321-4321-4321-4321-0987654321ba + example29: + description: The following request removes alert suppression from the rules with the specified IDs. If the rules do not have alert suppression, no changes are made. + summary: Edit - Removes alert suppression from rules (idempotent) + value: + action: edit + edit: + - type: delete_alert_suppression + ids: + - 12345678-1234-1234-1234-1234567890ab + - 87654321-4321-4321-4321-0987654321ba + example30: + description: The following request triggers the filling of gaps for the specified rule ids and time range + summary: Fill Gaps - Manually trigger the filling of gaps for specified rules + value: + action: fill_gaps + ids: + - 748694f0-6977-4ea5-8384-cd2e39730779 + - 164d0918-f720-4c9f-9f5c-c5122587cf19 + run: + end_date: '2025-03-10T23:59:59.999Z' + start_date: '2025-03-01T00:00:00.000Z' + schema: + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_BulkDeleteRules' + - $ref: '#/components/schemas/Security_Detections_API_BulkDisableRules' + - $ref: '#/components/schemas/Security_Detections_API_BulkEnableRules' + - $ref: '#/components/schemas/Security_Detections_API_BulkExportRules' + - $ref: '#/components/schemas/Security_Detections_API_BulkDuplicateRules' + - $ref: '#/components/schemas/Security_Detections_API_BulkManualRuleRun' + - $ref: 
'#/components/schemas/Security_Detections_API_BulkManualRuleFillGaps' + - $ref: '#/components/schemas/Security_Detections_API_BulkEditRules' + responses: + '200': + content: + application/json: + examples: + example01: + description: In this response one rule was updated and one was skipped. Objects returned in attributes.results.skipped will only include rules' id, name, and skip_reason. + summary: Successful response + value: + attributes: + results: + created: [] + deleted: [] + skipped: + - id: 51658332-a15e-4c9e-912a-67214e2e2359 + name: Skipped rule + skip_reason: RULE_NOT_MODIFIED + updated: + - anomaly_threshold: 50 + author: + - Elastic + created_at: '2022-02-21T14:14:13.801Z' + created_by: elastic + description: A machine learning job detected unusually large numbers of DNS queries for a single top-level DNS domain, which is often used for DNS tunneling. DNS tunneling can be used for command-and-control, persistence, or data exfiltration activity. For example, dnscat tends to generate many DNS questions for a top-level domain as it uses the DNS protocol to tunnel data. + enabled: true + exceptions_list: [] + execution_summary: + last_execution: + date: '2022-03-23T16:06:12.787Z' + message: This rule attempted to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, but no matching index was found. + metrics: + execution_gap_duration_s: 0 + total_indexing_duration_ms: 15 + total_search_duration_ms: 135 + status: partial failure + status_order: 20 + false_positives: + - DNS domains that use large numbers of child domains, such as software or content distribution networks, can trigger this alert and such parent domains can be excluded. 
+ from: now-45m + id: 8bc7dad0-9320-11ec-9265-8b772383a08d + immutable: false + interval: 15m + license: Elastic License v2 + machine_learning_job_id: + - packetbeat_dns_tunneling_ea + max_signals: 100 + name: DNS Tunneling [Duplicate] + references: + - https://www.elastic.co/docs/reference/machine-learning/ootb-ml-jobs-siem + related_integrations: [] + required_fields: [] + risk_score: 21 + risk_score_mapping: [] + rule_id: 7289bf08-4e91-4c70-bf01-e04c4c5d7756 + setup: '' + severity: low + severity_mapping: [] + tags: + - Elastic + - Network + - Threat Detection + - ML + threat: [] + to: now + type: machine_learning + updated_at: '2022-02-21T17:05:50.883Z' + updated_by: elastic + version: 6 + summary: + failed: 0 + skipped: 1 + succeeded: 1 + total: 2 + rules_count: 1 + success: true + example02: + description: If processing of any rule fails, a partial error outputs the ID and/or name of the affected rule and the corresponding error, as well as successfully processed rules (in the same format as a successful 200 request). + summary: Partial failure + value: + value: + attributes: + errors: + - message: Index patterns can't be added. Machine learning rule doesn't have index patterns property + rules: + - id: 8bc7dad0-9320-11ec-9265-8b772383a08d + name: DNS Tunneling [Duplicate] + status_code: 500 + results: + created: [] + deleted: [] + skipped: [] + updated: + - actions: [] + author: + - Elastic + created_at: '2022-02-21T14:14:17.883Z' + created_by: elastic + description: Generates a detection alert for each external alert written to the configured indices. Enabling this rule allows you to immediately begin investigating external alerts in the app. + enabled: true + exceptions_list: [] + execution_summary: + last_execution: + date: '2022-03-23T16:06:12.787Z' + message: This rule attempted to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, but no matching index was found. 
+ metrics: + execution_gap_duration_s: 0 + total_indexing_duration_ms: 15 + total_search_duration_ms: 135 + status: partial failure + status_order: 20 + false_positives: [] + from: now-6m + id: 8e5c1a40-9320-11ec-9265-8b772383a08d + immutable: false + index: + - apm-*-transaction* + - traces-apm* + - auditbeat-* + - filebeat-* + - logs-* + - packetbeat-* + - winlogbeat-* + - added-by-id-* + interval: 5m + language: kuery + license: Elastic License v2 + max_signals: 10000 + name: External Alerts [Duplicate] + query: | + event.kind:alert and not event.module:(endgame or endpoint) + references: [] + related_integrations: [] + required_fields: [] + risk_score: 47 + risk_score_mapping: + - field: event.risk_score + operator: equals + value: '' + rule_id: 941faf98-0cdc-4569-b16d-4af962914d61 + rule_name_override: message + setup: '' + severity: medium + severity_mapping: + - field: event.severity + operator: equals + severity: low + value: '21' + - field: event.severity + operator: equals + severity: medium + value: '47' + - field: event.severity + operator: equals + severity: high + value: '73' + - field: event.severity + operator: equals + severity: critical + value: '99' + tags: + - Elastic + - Network + - Windows + - APM + - macOS + - Linux + threat: [] + timestamp_override: event.ingested + to: now + type: query + updated_at: '2022-02-21T16:56:22.818Z' + updated_by: elastic + version: 5 + summary: + failed: 1 + skipped: 0 + succeeded: 1 + total: 2 + message: Bulk edit partially failed + rules_count: 2 + status_code: 500 + success: false + example03: + description: The attributes.errors section of the response shows that two rules failed to update and one succeeded. The same results would be returned if you ran the request without dry run mode enabled. Notice that there are no arrays in attributes.results. 
In dry run mode, rule updates are not applied and saved to Elasticsearch, so the endpoint wouldn’t return results for rules that have been updated, created, or deleted. + summary: Dry run + value: + attributes: + errors: + - err_code: IMMUTABLE + message: Elastic rule can't be edited + rules: + - id: 81aa0480-06af-11ed-94fb-dd1a0597d8d2 + name: Unusual AWS Command for a User + status_code: 500 + - err_code: MACHINE_LEARNING_INDEX_PATTERN + message: Machine learning rule doesn't have index patterns + rules: + - id: dc015d10-0831-11ed-ac8b-05a222bd8d4a + name: Suspicious Powershell Script [Duplicate] + status_code: 500 + results: + created: [] + deleted: [] + skipped: [] + updated: [] + summary: + failed: 2 + skipped: 0 + succeeded: 1 + total: 3 + message: Bulk edit partially failed + status_code: 500 + example04: + description: This example presents the successful setting of tags for 2 rules. There was a difference between the set of tags that were being added and the tags that were already set in the rules, that's why the rules were updated. 
+ summary: Set tags successsully for 2 rules + value: + attributes: + results: + created: [] + deleted: [] + skipped: [] + updated: + - actions: [] + author: [] + created_at: '2025-03-25T11:46:41.899Z' + created_by: elastic + description: test + enabled: false + exceptions_list: [] + false_positives: [] + filters: [] + from: now-6m + id: 738112cd-6cfa-414a-8457-2a658845d6ba + immutable: false + index: + - apm-*-transaction* + - auditbeat-* + - endgame-* + - filebeat-* + - logs-* + - packetbeat-* + - traces-apm* + - winlogbeat-* + - '-*elastic-cloud-logs-*' + interval: 5m + language: kuery + license: '' + max_signals: 100 + meta: + kibana_siem_app_url: http://localhost:5601/kbn/app/security + name: Rule 1 + output_index: '' + query: '*' + references: [] + related_integrations: [] + required_fields: [] + revision: 1 + risk_score: 21 + risk_score_mapping: [] + rule_id: 6fb746a0-dfe5-40fa-b03f-5cbb84f3e32e + rule_source: + type: internal + setup: '' + severity: low + severity_mapping: [] + tags: + - tag-1 + - tag-2 + threat: [] + to: now + type: query + updated_at: '2025-03-25T11:47:11.350Z' + updated_by: elastic + version: 2 + - actions: + - action_type_id: .webhook + frequency: + notifyWhen: onActiveAlert + summary: true + throttle: null + group: default + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: Hello + uuid: 580e2e16-5e91-411c-999b-7b75a11ed441 + author: [] + created_at: '2025-03-25T09:49:08.343Z' + created_by: elastic + description: test + enabled: false + exceptions_list: [] + false_positives: [] + filters: [] + from: now-360s + id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b + immutable: false + index: + - apm-*-transaction* + - auditbeat-* + - endgame-* + - filebeat-* + - logs-* + - packetbeat-* + - traces-apm* + - winlogbeat-* + - '-*elastic-cloud-logs-*' + interval: 3m + investigation_fields: + field_names: + - alert.status + - Endpoint.policy.applied.artifacts.global.channel + language: kuery + license: '' + max_signals: 100 + meta: + from: 3m + 
kibana_siem_app_url: http://localhost:5601/kbn/app/security + name: Rule 2 + output_index: '' + query: '*' + references: [] + related_integrations: [] + required_fields: [] + revision: 33 + risk_score: 21 + risk_score_mapping: [] + rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180 + rule_source: + type: internal + setup: '' + severity: low + severity_mapping: [] + tags: + - tag-1 + - tag-2 + threat: [] + timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd + timeline_title: Alerts Involving a Single User Timeline + to: now + type: query + updated_at: '2025-03-25T11:47:11.357Z' + updated_by: elastic + version: 24 + summary: + failed: 0 + skipped: 0 + succeeded: 2 + total: 2 + rules_count: 2 + success: true + example05: + description: This example presents the idempotent behavior of the edit action with set_tags request. Both rules already had exactly the same tags that were being added, so no changes were made in any of them. + summary: Idempotent behavior of set_tags + value: + attributes: + results: + created: [] + deleted: [] + skipped: + - id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b + name: Rule 1 + skip_reason: RULE_NOT_MODIFIED + - id: 738112cd-6cfa-414a-8457-2a658845d6ba + name: Rule 2 + skip_reason: RULE_NOT_MODIFIED + updated: [] + summary: + failed: 0 + skipped: 2 + succeeded: 0 + total: 2 + rules_count: 2 + success: true + example06: + description: This example presents the idempotent behavior of the edit action with add_tags request. One rule was updated and one was skipped. The rule that was skipped already had all the tags that were being added. 
+ summary: Idempotent behavior of add_tags + value: + attributes: + results: + created: [] + deleted: [] + skipped: + - id: 738112cd-6cfa-414a-8457-2a658845d6ba + name: Test Rule 2 + skip_reason: RULE_NOT_MODIFIED + updated: + - actions: + - action_type_id: .webhook + frequency: + notifyWhen: onActiveAlert + summary: true + throttle: null + group: default + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: Hello + uuid: 580e2e16-5e91-411c-999b-7b75a11ed441 + author: [] + created_at: '2025-03-25T09:49:08.343Z' + created_by: elastic + description: test + enabled: false + exceptions_list: [] + false_positives: [] + filters: [] + from: now-360s + id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b + immutable: false + index: + - apm-*-transaction* + - auditbeat-* + - endgame-* + - filebeat-* + - logs-* + - packetbeat-* + - traces-apm* + - winlogbeat-* + - '-*elastic-cloud-logs-*' + interval: 3m + investigation_fields: + field_names: + - alert.status + - Endpoint.policy.applied.artifacts.global.channel + language: kuery + license: '' + max_signals: 100 + meta: + from: 3m + kibana_siem_app_url: http://localhost:5601/kbn/app/security + name: Test rule + output_index: '' + query: '*' + references: [] + related_integrations: [] + required_fields: [] + revision: 34 + risk_score: 21 + risk_score_mapping: [] + rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180 + rule_source: + type: internal + setup: '' + severity: low + severity_mapping: [] + tags: + - tag-1 + - tag-2 + - tag-4 + threat: [] + timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd + timeline_title: Alerts Involving a Single User Timeline + to: now + type: query + updated_at: '2025-03-25T11:55:12.752Z' + updated_by: elastic + version: 25 + summary: + failed: 0 + skipped: 1 + succeeded: 1 + total: 2 + rules_count: 2 + success: true + example07: + description: This example shows a non-idempotent nature of the set_rule_actions requests. 
Regardless if the actions are the same as the existing actions for a rule, the actions are always set in the rule and receive a new unique ID. + summary: Non-idempotent behavior for set_rule_actions + value: + attributes: + results: + created: [] + deleted: [] + skipped: [] + updated: + - actions: + - action_type_id: .webhook + frequency: + notifyWhen: onActiveAlert + summary: true + throttle: null + group: default + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: Hello + uuid: e48428e5-efac-4856-b8ad-b271c14eaa91 + author: [] + created_at: '2025-03-25T09:49:08.343Z' + created_by: elastic + description: test + enabled: false + exceptions_list: [] + false_positives: [] + filters: [] + from: now-360s + id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b + immutable: false + index: + - apm-*-transaction* + - auditbeat-* + - endgame-* + - filebeat-* + - logs-* + - packetbeat-* + - traces-apm* + - winlogbeat-* + - '-*elastic-cloud-logs-*' + interval: 3m + investigation_fields: + field_names: + - alert.status + - Endpoint.policy.applied.artifacts.global.channel + language: kuery + license: '' + max_signals: 100 + meta: + from: 3m + kibana_siem_app_url: http://localhost:5601/kbn/app/security + name: Test rule + output_index: '' + query: '*' + references: [] + related_integrations: [] + required_fields: [] + revision: 39 + risk_score: 21 + risk_score_mapping: [] + rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180 + rule_source: + type: internal + setup: '' + severity: low + severity_mapping: [] + tags: + - tag-1 + - tag-2 + - tag-4 + threat: [] + timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd + timeline_title: Alerts Involving a Single User Timeline + to: now + type: query + updated_at: '2025-03-25T12:17:40.528Z' + updated_by: elastic + version: 30 + summary: + failed: 0 + skipped: 0 + succeeded: 1 + total: 1 + rules_count: 1 + success: true + example08: + description: This example shows a non-idempotent nature of the add_rule_actions requests. 
Regardless if the added action is the same as another existing action for a rule, the new action is added to the rule and receives a new unique ID. + summary: Non-idempotent behavior for add_rule_actions + value: + attributes: + results: + created: [] + deleted: [] + skipped: [] + updated: + - actions: + - action_type_id: .webhook + frequency: + notifyWhen: onActiveAlert + summary: true + throttle: null + group: default + id: 76af173d-38d8-4a9a-b2cc-a3c695b845b4 + params: + body: Message body + uuid: 0309347e-3954-429c-9168-5da2663389af + - action_type_id: .webhook + frequency: + notifyWhen: onActiveAlert + summary: true + throttle: null + group: default + id: 76af173d-38d8-4a9a-b2cc-a3c695b845b4 + params: + body: Message body + uuid: 49ddaa94-d63d-410e-90dc-8c1bad9552bd + author: [] + created_at: '2025-04-02T12:42:03.400Z' + created_by: elastic + description: test + enabled: false + exceptions_list: [] + false_positives: [] + filters: [] + from: now-6m + id: 0d3eb0cd-88c4-4651-ac87-6d9f0cb87217 + immutable: false + index: + - apm-*-transaction* + - auditbeat-* + - endgame-* + - filebeat-* + - logs-* + - packetbeat-* + - traces-apm* + - winlogbeat-* + - '-*elastic-cloud-logs-*' + interval: 5m + language: kuery + license: '' + max_signals: 100 + meta: + kibana_siem_app_url: http://localhost:5601/kbn/app/security + name: Jacek test rule + output_index: '' + query: '*' + references: [] + related_integrations: [] + required_fields: [] + revision: 2 + risk_score: 21 + risk_score_mapping: [] + rule_id: 2684c020-1370-4719-ac27-eafe6428fe10 + rule_source: + type: internal + setup: '' + severity: low + severity_mapping: [] + tags: [] + threat: [] + to: now + type: query + updated_at: '2025-04-02T12:51:40.215Z' + updated_by: elastic + version: 2 + summary: + failed: 0 + skipped: 0 + succeeded: 1 + total: 1 + rules_count: 1 + success: true + schema: + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_BulkEditActionResponse' + - $ref: 
'#/components/schemas/Security_Detections_API_BulkExportActionResponse' + description: OK + summary: Apply a bulk action to detection rules + tags: + - Security Detections API + x-metaTags: + - content: Kibana + name: product_name + /api/detection_engine/rules/_export: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/detection_engine/rules/_export
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Export detection rules to an `.ndjson` file. The following configuration items are also included in the `.ndjson` file: + - Actions + - Exception lists + > info + > Rule actions and connectors are included in the exported file, but sensitive information about the connector (such as authentication credentials) is not included. You must re-add missing connector details after importing detection rules. + + > You can use Kibana’s [Saved Objects](https://www.elastic.co/docs/explore-analyze/find-and-organize/saved-objects) UI (Stack Management → Kibana → Saved Objects) or the Saved Objects APIs (experimental) to [export](https://www.elastic.co/docs/api/doc/kibana/operation/operation-exportsavedobjectsdefault) and [import](https://www.elastic.co/docs/api/doc/kibana/operation/operation-importsavedobjectsdefault) any necessary connectors before importing detection rules. + + > Similarly, any value lists used for rule exceptions are not included in rule exports or imports. Use the [Manage value lists](https://www.elastic.co/docs/solutions/security/detect-and-alert/create-manage-value-lists) UI (Rules → Detection rules (SIEM) → Manage value lists) to export and import value lists separately. + operationId: ExportRules + parameters: + - description: Determines whether a summary of the exported rules is returned. + in: query + name: exclude_export_details + required: false + schema: + default: false + type: boolean + - description: | + File name for saving the exported rules. + > info + > When using cURL to export rules to a file, use the -O and -J options to save the rules to the file name specified in the URL. 
+ in: query + name: file_name + required: false + schema: + default: export.ndjson + type: string + requestBody: + content: + application/json: + examples: + exportByRuleIds: + summary: Request body to export a subset of rules + value: + objects: + - rule_id: 343580b5-c811-447c-8d2d-2ccf052c6900 + - rule_id: 2938c9fa-53eb-4c04-b79c-33cbf041b18d + schema: + nullable: true + type: object + properties: + objects: + description: Array of objects with a rule's `rule_id` field. Do not use rule's `id` here. Exports all rules when unspecified. + items: + type: object + properties: + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + required: + - rule_id + type: array + required: + - objects + required: false + responses: + '200': + content: + application/ndjson: + examples: + sampleNdjson: + value: | + {"rule_id":"343580b5-c811-447c-8d2d-2ccf052c6900","name":"Example rule","type":"query","enabled":true} + {"exception_list":true} + {"export_summary":{"total_rules":1,"exceptions_count":0}} + schema: + description: | + An `.ndjson` file containing the returned rules. + + Each line in the file represents an object (a rule, exception list parent container, or exception list item), and the last line includes a summary of what was exported. + format: binary + type: string + description: Indicates a successful call. + summary: Export detection rules + tags: + - Security Detections API + x-codeSamples: + - lang: cURL + source: | + curl -X POST "localhost:5601/api/detection_engine/rules/_export?exclude_export_details=true&file_name=exported_rules.ndjson" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' + { + "objects": [ + { + "rule_id":"343580b5-c811-447c-8d2d-2ccf052c6900" + }, + { + "rule_id":"2938c9fa-53eb-4c04-b79c-33cbf041b18d" + } + ] + } + x-metaTags: + - content: Kibana + name: product_name + /api/detection_engine/rules/_find: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/detection_engine/rules/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve a paginated list of detection rules. By default, the first page is returned, with 20 results per page. + operationId: FindRules + parameters: + - description: | + List of `alert.attributes` field names to return for each rule (for example `name`, `enabled`). + If omitted, the default field set is returned. Repeat the parameter to pass multiple field names, or + use comma-separated values when supported by your client. + in: query + name: fields + required: false + schema: + items: + type: string + type: array + - description: | + Search query + + Filters the returned results according to the value of the specified field, using the alert.attributes.: syntax, where can be: + - name + - enabled + - tags + - createdBy + - interval + - updatedBy + > info + > Even though the JSON rule object uses created_by and updated_by fields, you must use createdBy and updatedBy fields in the filter. 
+ in: query + name: filter + required: false + schema: + type: string + - description: Field to sort by + in: query + name: sort_field + required: false + schema: + $ref: '#/components/schemas/Security_Detections_API_FindRulesSortField' + - description: Sort order + in: query + name: sort_order + required: false + schema: + $ref: '#/components/schemas/Security_Detections_API_SortOrder' + - description: Page number + in: query + name: page + required: false + schema: + default: 1 + minimum: 1 + type: integer + - description: Rules per page + in: query + name: per_page + required: false + schema: + default: 20 + minimum: 0 + type: integer + - description: Gaps range start + in: query + name: gaps_range_start + required: false + schema: + type: string + - description: Gaps range end + in: query + name: gaps_range_end + required: false + schema: + type: string + - description: Gap fill statuses + in: query + name: gap_fill_statuses + required: false + schema: + items: + $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' + type: array + - description: Gap auto fill scheduler ID used to determine gap fill status for rules + in: query + name: gap_auto_fill_scheduler_id + required: false + schema: + type: string + responses: + '200': + content: + application/json: + examples: + example1: + value: + data: + - created_at: '2020-02-02T10:05:19.613Z' + created_by: elastic + description: Identifies a PowerShell process launched by either cscript.exe or wscript.exe. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity. + enabled: false + execution_summary: + last_execution: + date: '2022-03-23T16:06:12.787Z' + message: This rule attempted to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, but no matching index was found. 
+ metrics: + execution_gap_duration_s: 0 + total_indexing_duration_ms: 15 + total_search_duration_ms: 135 + status: partial failure + status_order: 20 + false_positives: [] + from: now-6m + id: 89761517-fdb0-4223-b67b-7621acc48f9e + immutable: true + index: + - winlogbeat-* + interval: 5m + language: kuery + max_signals: 33 + name: Windows Script Executing PowerShell + query: 'event.action:"Process Create (rule: ProcessCreate)" and process.parent.name:("wscript.exe" or "cscript.exe") and process.name:"powershell.exe"' + references: [] + related_integrations: + - package: o365 + version: ^2.3.2 + required_fields: + - ecs: true + name: event.action + type: keyword + - ecs: true + name: process.name + type: keyword + - ecs: true + name: process.parent.name + type: keyword + risk_score: 21 + rule_id: f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc + setup: '' + severity: low + tags: + - Elastic + - Windows + threat: + - framework: MITRE ATT&CK + tactic: + id: TA0002 + name: Execution + reference: https://attack.mitre.org/tactics/TA0002/ + technique: + - id: T1193 + name: Spearphishing Attachment + reference: https://attack.mitre.org/techniques/T1193/ + to: now + type: query + updated_at: '2020-02-02T10:05:19.830Z' + updated_by: elastic + page: 1 + perPage: 5 + total: 4 + schema: + type: object + properties: + data: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleResponse' + type: array + page: + type: integer + perPage: + type: integer + total: + type: integer + warnings: + items: + $ref: '#/components/schemas/Security_Detections_API_WarningSchema' + type: array + required: + - page + - perPage + - total + - data + description: | + Successful response + > info + > These fields are under development and their usage or schema may change: execution_summary. 
+ summary: List all detection rules + tags: + - Security Detections API + x-codeSamples: + - lang: cURL + source: | + curl -X GET "localhost:5601/api/detection_engine/rules/_find?page=1&per_page=5&sort_field=enabled&sort_order=asc&filter=alert.attributes.name:windows" -H 'kbn-xsrf: true' + x-metaTags: + - content: Kibana + name: product_name + /api/detection_engine/rules/_import: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/detection_engine/rules/_import
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Import detection rules from an `.ndjson` file, including actions and exception lists. The request must include: + - The `Content-Type: multipart/form-data` HTTP header. + - A link to the `.ndjson` file containing the rules. + > warn + > When used with [API key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running. + + > If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change. + > info + > To import rules with actions, you need at least Read privileges for the Action and Connectors feature. To overwrite or add new connectors, you need All privileges for the Actions and Connectors feature. To import rules without actions, you don’t need Actions and Connectors privileges. Refer to [Enable and access detections](https://www.elastic.co/docs/solutions/security/detect-and-alert/detections-privileges) for more information. + + > info + > Rule actions and connectors are included in the exported file, but sensitive information about the connector (such as authentication credentials) is not included. You must re-add missing connector details after importing detection rules. + + > You can use Kibana’s [Saved Objects](https://www.elastic.co/docs/explore-analyze/find-and-organize/saved-objects) UI (Stack Management → Kibana → Saved Objects) or the Saved Objects APIs (experimental) to [export](https://www.elastic.co/docs/api/doc/kibana/operation/operation-exportsavedobjectsdefault) and [import](https://www.elastic.co/docs/api/doc/kibana/operation/operation-importsavedobjectsdefault) any necessary connectors before importing detection rules. 
+ + > Similarly, any value lists used for rule exceptions are not included in rule exports or imports. Use the [Manage value lists](https://www.elastic.co/docs/solutions/security/detect-and-alert/create-manage-value-lists) UI (Rules → Detection rules (SIEM) → Manage value lists) to export and import value lists separately. + operationId: ImportRules + parameters: + - description: Determines whether existing rules with the same `rule_id` are overwritten. + in: query + name: overwrite + required: false + schema: + default: false + type: boolean + - description: Determines whether existing exception lists with the same `list_id` are overwritten. Both the exception list container and its items are overwritten. + in: query + name: overwrite_exceptions + required: false + schema: + default: false + type: boolean + - description: Determines whether existing actions with the same `kibana.alert.rule.actions.id` are overwritten. + in: query + name: overwrite_action_connectors + required: false + schema: + default: false + type: boolean + - description: Generates a new list ID for each imported exception list. + in: query + name: as_new_list + required: false + schema: + default: false + type: boolean + requestBody: + content: + multipart/form-data: + examples: + rulesFile: + summary: Multipart part containing a rule export + value: + file: rules_import.ndjson + schema: + type: object + properties: + file: + description: The `.ndjson` file containing the rules. 
+ format: binary + type: string + required: true + responses: + '200': + content: + application/json: + examples: + example1: + summary: Import rules with success + value: + errors: [] + exceptions_errors: [] + exceptions_success: true + exceptions_success_count: 0 + rules_count: 1 + success: true + success_count: 1 + schema: + additionalProperties: false + type: object + properties: + action_connectors_errors: + items: + $ref: '#/components/schemas/Security_Detections_API_ErrorSchema' + type: array + action_connectors_success: + type: boolean + action_connectors_success_count: + minimum: 0 + type: integer + action_connectors_warnings: + items: + $ref: '#/components/schemas/Security_Detections_API_WarningSchema' + type: array + errors: + items: + $ref: '#/components/schemas/Security_Detections_API_ErrorSchema' + type: array + exceptions_errors: + items: + $ref: '#/components/schemas/Security_Detections_API_ErrorSchema' + type: array + exceptions_success: + type: boolean + exceptions_success_count: + minimum: 0 + type: integer + rules_count: + minimum: 0 + type: integer + success: + type: boolean + success_count: + minimum: 0 + type: integer + required: + - exceptions_success + - exceptions_success_count + - exceptions_errors + - rules_count + - success + - success_count + - errors + - action_connectors_errors + - action_connectors_warnings + - action_connectors_success + - action_connectors_success_count + description: Indicates a successful call. + summary: Import detection rules + tags: + - Security Detections API + x-codeSamples: + - lang: cURL + source: | + curl -X POST "/api/detection_engine/rules/_import" + -u : -H 'kbn-xsrf: true' + -H 'Content-Type: multipart/form-data' + --form "file=@" + x-metaTags: + - content: Kibana + name: product_name + /api/detection_engine/rules/{id}/exceptions: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/detection_engine/rules/{id}/exceptions
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create exception items that apply to a single detection rule. + operationId: CreateRuleExceptionListItems + parameters: + - description: Detection rule's identifier + examples: + id: + value: 330bdd28-eedf-40e1-bed0-f10176c7f9e0 + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Exceptions_API_UUID' + requestBody: + content: + application/json: + examples: + addItems: + value: + items: + - description: This is a sample detection type exception item. + entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + - field: host.name + operator: included + type: match_any + value: + - saturn + - jupiter + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + type: simple + schema: + example: + items: + - description: This is a sample detection type exception item. + entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + - field: host.name + operator: included + type: match_any + value: + - saturn + - jupiter + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + type: simple + type: object + properties: + items: + items: + $ref: '#/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemProps' + type: array + required: + - items + description: Rule exception items. + required: true + responses: + '200': + content: + application/json: + examples: + ruleExceptionItems: + value: + - _version: WzQsMV0= + comments: [] + created_at: '2025-01-07T20:07:33.119Z' + created_by: elastic + description: This is a sample detection type exception item. 
+ entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + - field: host.name + operator: included + type: match_any + value: + - saturn + - jupiter + id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c + type: simple + updated_at: '2025-01-07T20:07:33.119Z' + updated_by: elastic + schema: + items: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' + type: array + description: Successful response + '400': + content: + application/json: + examples: + badPayload: + value: + error: Bad Request + message: Invalid request payload JSON format + statusCode: 400 + badRequest: + value: + error: Bad Request + message: '[request params]: id: Invalid uuid' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + message: Unable to create exception-list + status_code: 403 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal 
Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Create rule exception items + tags: + - Security Exceptions API + x-metaTags: + - content: Kibana + name: product_name + /api/detection_engine/rules/prepackaged: + put: + description: | + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/detection_engine/rules/prepackaged
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Install and update all Elastic prebuilt detection rules and Timelines. + + This endpoint allows you to install and update prebuilt detection rules and Timelines provided by Elastic. + When you call this endpoint, it will: + - Install any new prebuilt detection rules that are not currently installed in your system. + - Update any existing prebuilt detection rules that have been modified or improved by Elastic. + - Install any new prebuilt Timelines that are not currently installed in your system. + - Update any existing prebuilt Timelines that have been modified or improved by Elastic. + + This ensures that your detection engine is always up-to-date with the latest rules and Timelines, + providing you with the most current and effective threat detection capabilities. + operationId: InstallPrebuiltRulesAndTimelines + responses: + '200': + content: + application/json: + examples: + example1: + value: + rules_installed: 112 + rules_updated: 0 + timelines_installed: 5 + timelines_updated: 2 + schema: + additionalProperties: false + type: object + properties: + rules_installed: + description: The number of rules installed + minimum: 0 + type: integer + rules_updated: + description: The number of rules updated + minimum: 0 + type: integer + timelines_installed: + description: The number of timelines installed + minimum: 0 + type: integer + timelines_updated: + description: The number of timelines updated + minimum: 0 + type: integer + required: + - rules_installed + - rules_updated + - timelines_installed + - timelines_updated + description: Indicates a successful call + summary: Install prebuilt detection rules and Timelines + tags: + - Security Detections API + x-metaTags: + - content: Kibana + name: product_name + /api/detection_engine/rules/prepackaged/_status: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/detection_engine/rules/prepackaged/_status
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve the status of all Elastic prebuilt detection rules and Timelines. + + This endpoint provides detailed information about the number of custom rules, installed prebuilt rules, available prebuilt rules that are not installed, outdated prebuilt rules, installed prebuilt timelines, available prebuilt timelines that are not installed, and outdated prebuilt timelines. + operationId: ReadPrebuiltRulesAndTimelinesStatus + responses: + '200': + content: + application/json: + examples: + example1: + value: + rules_custom_installed: 0 + rules_installed: 0 + rules_not_installed: 112 + rules_not_updated: 0 + timelines_installed: 0 + timelines_not_installed: 0 + timelines_not_updated: 0 + schema: + additionalProperties: false + type: object + properties: + rules_custom_installed: + description: The total number of custom rules + minimum: 0 + type: integer + rules_installed: + description: The total number of installed prebuilt rules + minimum: 0 + type: integer + rules_not_installed: + description: The total number of available prebuilt rules that are not installed + minimum: 0 + type: integer + rules_not_updated: + description: The total number of outdated prebuilt rules + minimum: 0 + type: integer + timelines_installed: + description: The total number of installed prebuilt timelines + minimum: 0 + type: integer + timelines_not_installed: + description: The total number of available prebuilt timelines that are not installed + minimum: 0 + type: integer + timelines_not_updated: + description: The total number of outdated prebuilt timelines + minimum: 0 + type: integer + required: + - rules_custom_installed + - rules_installed + - rules_not_installed + - rules_not_updated + - timelines_installed + - timelines_not_installed + - timelines_not_updated + description: Indicates a successful call + summary: Retrieve the status of prebuilt detection rules and Timelines + 
tags: + - Security Detections API + x-metaTags: + - content: Kibana + name: product_name + /api/detection_engine/rules/preview: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/detection_engine/rules/preview
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Simulates a detection rule using the same rule type and query logic as a persisted rule, over a short + time window, without persisting a rule or writing alerts. Use the response to validate queries, see sample + matching documents, and inspect execution logs. Pair `invocationCount` and `timeframeEnd` to cap run time. + operationId: RulePreview + parameters: + - description: Enables logging and returning in response ES queries, performed during rule execution + in: query + name: enable_logged_requests + required: false + schema: + type: boolean + requestBody: + content: + application/json: + examples: + queryRule: + value: + description: Find matching events + from: now-24h + index: + - logs-* + invocationCount: 1 + language: kuery + max_signals: 20 + name: Rule preview + query: 'process.name : *' + risk_score: 25 + severity: low + timeframeEnd: '2025-01-20T12:00:00.000Z' + to: now + type: query + schema: + anyOf: + - allOf: + - $ref: '#/components/schemas/Security_Detections_API_EqlRuleCreateProps' + - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' + - allOf: + - $ref: '#/components/schemas/Security_Detections_API_QueryRuleCreateProps' + - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' + - allOf: + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleCreateProps' + - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' + - allOf: + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleCreateProps' + - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' + - allOf: + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleCreateProps' + - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' + - allOf: + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleCreateProps' + - $ref: 
'#/components/schemas/Security_Detections_API_RulePreviewParams' + - allOf: + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateProps' + - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' + - allOf: + - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleCreateProps' + - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' + discriminator: + propertyName: type + description: | + Rule create payload (same shape as `POST /api/detection_engine/rules` for a given `type`) plus + `invocationCount` and `timeframeEnd` to control how the preview is executed. Optional + `enable_logged_requests` surfaces Elasticsearch request logging for debugging. + required: true + responses: + '200': + content: + application/json: + examples: + success: + value: + isAborted: false + logs: + - duration: 45 + errors: [] + requests: [] + startedAt: '2025-01-20T10:00:00.000Z' + warnings: [] + previewId: 7f1c9d1e-4c8a-4a3e-9a5d-0d4f6e1b2a90 + schema: + type: object + properties: + isAborted: + type: boolean + logs: + items: + $ref: '#/components/schemas/Security_Detections_API_RulePreviewLogs' + type: array + previewId: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + required: + - logs + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request body].timeframeEnd: expected string, received null' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user 
[elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Preview rule alerts generated on specified time range + tags: + - Security Detections API + x-metaTags: + - content: Kibana + name: product_name + /api/detection_engine/signals/assignees: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/detection_engine/signals/assignees
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Assign users to detection alerts, and unassign them from alerts. + > info + > You cannot add and remove the same assignee in the same request. + operationId: SetAlertAssignees + requestBody: + content: + application/json: + examples: + add: + $ref: '#/components/examples/Security_Detections_API_SetAlertAssigneesBodyAdd' + remove: + $ref: '#/components/examples/Security_Detections_API_SetAlertAssigneesBodyRemove' + schema: + $ref: '#/components/schemas/Security_Detections_API_SetAlertAssigneesBody' + description: User profile IDs to add or remove on each listed alert document ID. + required: true + responses: + '200': + content: + application/json: + examples: + add: + value: + batches: 1 + deleted: 0 + failures: [] + noops: 0 + requests_per_second: -1 + retries: + bulk: 0 + search: 0 + throttled_millis: 0 + throttled_until_millis: 0 + timed_out: false + took: 76 + total: 1 + updated: 1 + version_conflicts: 0 + schema: + additionalProperties: true + description: Elasticsearch update by query response + type: object + description: | + Indicates a successful call. The body matches an Elasticsearch update-by-query response + (for example `took`, `updated`, `failures`). 
+ '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request body].ids: at least one alert id is required to update assignees' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [POST /api/detection_engine/signals/assignees] is unauthorized for the current user, this action is granted by the Kibana Security Solution privileges for cases and detections + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + description: Not enough privileges response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Assign and unassign users from detection alerts + tags: + - Security Detections API + x-metaTags: + - content: Kibana + name: product_name + /api/detection_engine/signals/finalize_migration: + post: + deprecated: true + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/detection_engine/signals/finalize_migration
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + **DEPRECATED.** Completes a legacy alert index migration. Do not automate against this in new code. + **WARNING:** Finalizing swaps read aliases; confirm the migration has finished successfully before calling. + + Finalize successful migrations of detection alerts. This replaces the original index's alias with the + successfully migrated index's alias. The endpoint is idempotent, so you can poll until a migration + finishes and then call this operation once. + operationId: FinalizeAlertsMigration + requestBody: + content: + application/json: + examples: + oneMigration: + value: + migration_ids: + - 924f7c50-505f-11eb-ae0a-3fa2e626a51d + schema: + example: + migration_ids: + - 924f7c50-505f-11eb-ae0a-3fa2e626a51d + type: object + properties: + migration_ids: + description: Array of `migration_id`s to finalize. + items: + type: string + minItems: 1 + type: array + required: + - migration_ids + description: Array of `migration_id`s to finalize + required: true + responses: + '200': + content: + application/json: + examples: + success: + value: + migrations: + - completed: true + destinationIndex: .siem-signals-default-000002-r000016 + id: 924f7c50-505f-11eb-ae0a-3fa2e626a51d + sourceIndex: .siem-signals-default-000002 + status: success + updated: '2021-01-06T22:05:56.859Z' + version: 16 + schema: + items: + $ref: '#/components/schemas/Security_Detections_API_MigrationFinalizationResult' + type: array + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request body].migration_ids: at least one migration id is required to finalize' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Invalid input data response + '401': + 
content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Finalize detection alert migrations + tags: + - Security Detections API + x-metaTags: + - content: Kibana + name: product_name + /api/detection_engine/signals/migration: + delete: + deprecated: true + description: | + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/detection_engine/signals/migration
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + **DEPRECATED.** Cleanup API for old migration artifacts. Do not add new call sites. + **WARNING:** This schedules deletions; ensure no production reads still point at the source index. + + Migrations favor data integrity over shard size. Consequently, unused or orphaned indices are artifacts of + the migration process. A successful migration can leave both the old and new indices present, so the old + index may be deleted. While you can delete these indices manually, the endpoint applies a deletion policy + to the relevant index, causing it to be deleted after 30 days, and removes other migration-specific artifacts. + operationId: AlertsMigrationCleanup + requestBody: + content: + application/json: + examples: + cleanupMigrations: + value: + migration_ids: + - 924f7c50-505f-11eb-ae0a-3fa2e626a51d + schema: + example: + migration_ids: + - 924f7c50-505f-11eb-ae0a-3fa2e626a51d + type: object + properties: + migration_ids: + description: Array of `migration_id`s to cleanup. 
+ items: + type: string + minItems: 1 + type: array + required: + - migration_ids + description: Array of `migration_id`s to cleanup + required: true + responses: + '200': + content: + application/json: + examples: + success: + value: + migrations: + - destinationIndex: .siem-signals-default-000002-r000016 + id: 924f7c50-505f-11eb-ae0a-3fa2e626a51d + sourceIndex: .siem-signals-default-000002 + status: success + updated: '2021-01-06T22:05:56.859Z' + version: 16 + schema: + items: + $ref: '#/components/schemas/Security_Detections_API_MigrationCleanupResult' + type: array + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request body].migration_ids: at least one migration id is required to run cleanup' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Clean up detection alert migrations + tags: + - Security Detections API + x-metaTags: + - content: Kibana + name: product_name + post: + deprecated: true + description: | + **Spaces method and path 
for this operation:** + +
post /s/{space_id}/api/detection_engine/signals/migration
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + **DEPRECATED.** Legacy API for on-demand reindexing of old `.siem-signals-*` alert indices. Do not build new + integrations; upgrade the Elastic Stack and rely on product-managed data lifecycle instead. + **WARNING:** Migrations can be resource intensive and should be planned during a maintenance window. + + Initiate a migration of detection alerts. Migrations are initiated per index. The process is not destructive + and should not remove existing data, but it can consume significant cluster resources. Plan capacity accordingly. + operationId: CreateAlertsMigration + requestBody: + content: + application/json: + examples: + singleIndex: + value: + index: + - .siem-signals-default-000001 + schema: + allOf: + - type: object + properties: + index: + description: Array of index names to migrate. + items: + format: nonempty + minLength: 1 + type: string + minItems: 1 + type: array + required: + - index + - $ref: '#/components/schemas/Security_Detections_API_AlertsReindexOptions' + description: Alerts migration parameters + required: true + responses: + '200': + content: + application/json: + examples: + success: + value: + indices: + - index: .siem-signals-default-000001, + migration_id: 923f7c50-505f-11eb-ae0a-3fa2e626a51d + migration_index: .siem-signals-default-000001-r000016 + schema: + type: object + properties: + indices: + items: + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_AlertsIndexMigrationSuccess' + - $ref: '#/components/schemas/Security_Detections_API_AlertsIndexMigrationError' + - $ref: '#/components/schemas/Security_Detections_API_SkippedAlertsIndexMigration' + type: array + required: + - indices + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request body].index: at least one index name is required to start a migration' + statusCode: 400 
+ schema: + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Initiate a detection alert migration + tags: + - Security Detections API + x-metaTags: + - content: Kibana + name: product_name + /api/detection_engine/signals/migration_status: + get: + deprecated: true + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/detection_engine/signals/migration_status
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + **DEPRECATED.** This endpoint was used for historical `.siem-signals-*` index migration workflows. Do not use + for new automations; there is no supported replacement in this public API. + **WARNING:** Prefer upgrading through supported Elastic stack upgrades rather than ad-hoc index migrations. + + Retrieves indices that contain detection alerts of a particular age, along with migration information for + each of those indices. + operationId: ReadAlertsMigrationStatus + parameters: + - description: Maximum age of qualifying detection alerts + in: query + name: from + required: true + schema: + description: | + Time from which data is analyzed. For example, now-4200s means the rule analyzes data from 70 minutes + before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time). + example: now-30d + format: date-math + type: string + responses: + '200': + content: + application/json: + examples: + success: + value: + indices: + - index: .siem-signals-default-000002 + is_outdated: true + migrations: + - id: 924f7c50-505f-11eb-ae0a-3fa2e626a51d + status: pending + updated: '2021-01-06T20:41:37.173Z' + version: 16 + signal_versions: + - count: 100 + version: 15 + - count: 87 + version: 16 + version: 15 + - index: .siem-signals-default-000003 + is_outdated: false + migrations: [] + signal_versions: + - count: 54 + version: 16 + version: 16 + schema: + type: object + properties: + indices: + items: + $ref: '#/components/schemas/Security_Detections_API_IndexMigrationStatus' + type: array + required: + - indices + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request query].from: expected date-math, received null' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + - $ref: 
'#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Retrieve the status of detection alert migrations + tags: + - Security Detections API + x-metaTags: + - content: Kibana + name: product_name + /api/detection_engine/signals/search: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/detection_engine/signals/search
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Find and/or aggregate detection alerts that match the given query. + operationId: SearchAlerts + requestBody: + content: + application/json: + examples: + query: + value: + aggs: + alertsByGrouping: + terms: + field: host.name + size: 10 + missingFields: + missing: + field: host.name + query: + bool: + filter: + - bool: + filter: + - match_phrase: + kibana.alert.workflow_status: open + must: [] + must_not: + - exists: + field: kibana.alert.building_block_type + should: [] + - range: + '@timestamp': + gte: '2025-01-17T08:00:00.000Z' + lte: '2025-01-18T07:59:59.999Z' + runtime_mappings: {} + size: 0 + schema: + $ref: '#/components/schemas/Security_Detections_API_QueryAlertsBodyParams' + description: Elasticsearch query and aggregation request + description: Search and/or aggregation query + required: true + responses: + '200': + content: + application/json: + examples: + success: + value: + _shards: + failed: 0 + skipped: 0 + successful: 1 + total: 1 + aggregations: + alertsByGrouping: + buckets: + - doc_count: 5 + key: Host-f43kkddfyc + doc_count_error_upper_bound: 0 + sum_other_doc_count: 0 + missingFields: + doc_count: 0 + hits: + hits: [] + max_score: null + total: + relation: eq + value: 5 + timed_out: false + took: 0 + schema: + additionalProperties: true + description: Elasticsearch search response + type: object + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: 'Failed to parse search request: unknown query clause in bool filter' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + 
message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Find and/or aggregate detection alerts + tags: + - Security Detections API + x-metaTags: + - content: Kibana + name: product_name + /api/detection_engine/signals/status: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/detection_engine/signals/status
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Set the status of one or more detection alerts. + operationId: SetAlertsStatus + requestBody: + content: + application/json: + examples: + byId: + value: + signal_ids: + - 80e1383f856e67c1b7f7a1634744fa6d66b6e2ef7aa26d226e57afb5a7b2b4a1 + status: closed + byQuery: + value: + conflicts: proceed + query: + bool: + filter: + - '@timestamp': + format: strict_date_optional_time + gte: '2024-10-23T07:00:00.000Z' + lte: '2025-01-21T20:12:11.704Z' + range: null + - bool: + filter: + bool: + filter: + - match_phrase: + kibana.alert.workflow_status: open + - '@timestamp': + format: strict_date_optional_time + gte: '2024-10-23T07:00:00.000Z' + lte: '2025-01-21T20:12:11.704Z' + range: null + must: [] + must_not: + - exists: + field: kibana.alert.building_block_type + should: [] + must: [] + must_not: [] + should: [] + status: closed + schema: + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_SetAlertsStatusByIds' + - $ref: '#/components/schemas/Security_Detections_API_SetAlertsStatusByQuery' + description: An object containing desired status and explicit alert ids or a query to select alerts + required: true + responses: + '200': + content: + application/json: + examples: + byId: + value: + batches: 1 + deleted: 0 + failures: [] + noops: 0 + requests_per_second: -1 + retries: + bulk: 0 + search: 0 + throttled_millis: 0 + throttled_until_millis: 0 + timed_out: false + took: 81 + total: 1 + updated: 1 + version_conflicts: 0 + byQuery: + value: + batches: 1 + deleted: 0 + failures: [] + noops: 0 + requests_per_second: -1 + retries: + bulk: 0 + search: 0 + throttled_millis: 0 + throttled_until_millis: 0 + timed_out: false + took: 100 + total: 17 + updated: 17 + version_conflicts: 0 + schema: + additionalProperties: true + description: Elasticsearch update by query response + type: object + description: Successful response + '400': + content: + application/json: + 
examples: + badRequest: + value: + error: Bad Request + message: '[request body].signal_ids: at least one alert id is required to update status' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Set a detection alert status + tags: + - Security Detections API + x-metaTags: + - content: Kibana + name: product_name + /api/detection_engine/signals/tags: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/detection_engine/signals/tags
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Add tags to detection alerts, and remove them from alerts, by alert IDs or a query, in a single request. + > info + > You cannot add and remove the same alert tag in the same request. + operationId: SetAlertTags + requestBody: + content: + application/json: + examples: + add: + $ref: '#/components/examples/Security_Detections_API_SetAlertTagsBodyAdd' + remove: + $ref: '#/components/examples/Security_Detections_API_SetAlertTagsBodyRemove' + schema: + $ref: '#/components/schemas/Security_Detections_API_SetAlertTagsBody' + description: An object containing tags to add or remove and alert ids the changes will be applied + required: true + responses: + '200': + content: + application/json: + examples: + success: + value: + batches: 1, + deleted: 0, + failures: [] + noops: 0, + requests_per_second: '-1,' + retries: + bulk: 0, + search: 0 + throttled_millis: 0, + throttled_until_millis: 0, + timed_out: false, + took: 68, + total: 1, + updated: 1, + version_conflicts: 0, + schema: + additionalProperties: true + description: Elasticsearch update by query response + type: object + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request body].tags: cannot add and remove the same tag in a single request' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 
401 + schema: + $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Add and remove detection alert tags + tags: + - Security Detections API + x-metaTags: + - content: Kibana + name: product_name + /api/detection_engine/tags: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/detection_engine/tags
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all unique tags from all detection rules. + operationId: ReadTags + responses: + '200': + content: + application/json: + examples: + example1: + value: + - zeek + - suricata + - windows + - linux + - network + - initial access + - remote access + - phishing + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + description: Indicates a successful call + summary: List all detection rule tags + tags: + - Security Detections API + x-metaTags: + - content: Kibana + name: product_name + /api/encrypted_saved_objects/_rotate_key: + post: + description: | + Superuser role required. + + If a saved object cannot be decrypted using the primary encryption key, then Kibana will attempt to decrypt it using the specified decryption-only keys. In most of the cases this overhead is negligible, but if you're dealing with a large number of saved objects and experiencing performance issues, you may want to rotate the encryption key. + + This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. + operationId: rotateEncryptionKey + parameters: + - description: | + Specifies a maximum number of saved objects that Kibana can process in a single batch. Bulk key rotation is an iterative process since Kibana may not be able to fetch and process all required saved objects in one go and splits processing into consequent batches. By default, the batch size is 10000, which is also a maximum allowed value. + in: query + name: batch_size + required: false + schema: + default: 10000 + type: number + - description: | + Limits encryption key rotation only to the saved objects with the specified type. 
By default, Kibana tries to rotate the encryption key for all saved object types that may contain encrypted attributes. + in: query + name: type + required: false + schema: + type: string + responses: + '200': + content: + application/json: + examples: + rotateEncryptionKeyResponse: + $ref: '#/components/examples/Saved_objects_key_rotation_response' + schema: + type: object + properties: + failed: + description: | + Indicates the number of the saved objects that were still encrypted with one of the old encryption keys that Kibana failed to re-encrypt with the primary key. + type: number + successful: + description: | + Indicates the total number of all encrypted saved objects (optionally filtered by the requested `type`), regardless of the key Kibana used for encryption. + + NOTE: In most cases, `total` will be greater than `successful` even if `failed` is zero. The reason is that Kibana may not need or may not be able to rotate encryption keys for all encrypted saved objects. + type: number + total: + description: | + Indicates the total number of all encrypted saved objects (optionally filtered by the requested `type`), regardless of the key Kibana used for encryption. + type: number + description: Indicates a successful call. + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/Saved_objects_400_response' + description: Bad request + '429': + content: + application/json: + schema: + type: object + description: Already in progress. + summary: Rotate a key for encrypted saved objects + tags: + - saved objects + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint_list: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint_list
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create the exception list for Elastic Endpoint rule exceptions. When you create the exception list, it will have a `list_id` of `endpoint_list`. If the Elastic Endpoint exception list already exists, your request will return an empty response. + operationId: CreateEndpointList + responses: + '200': + content: + application/json: + examples: + alreadyExists: + summary: Endpoint exception list already exists (empty response) + value: {} + newList: + summary: Endpoint exception list created + value: + created_at: '2025-01-01T00:00:00.000Z' + created_by: elastic + description: Endpoint Security Exception List + id: 2e23a8c4-ef7e-4c10-adfa-3eae4e4b4b8b + immutable: false + list_id: endpoint_list + name: Endpoint Security Exception List + namespace_type: agnostic + os_types: [] + tags: [] + tie_breaker_id: e3c5a8e0-5b6a-4b4b-8b3a-2e23a8c4ef7e + type: endpoint + updated_at: '2025-01-01T00:00:00.000Z' + updated_by: elastic + version: 1 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_EndpointList' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request body]: expected value of type [object] but got [undefined]' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Invalid input data + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: 
'#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [POST /api/endpoint_list] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + description: Insufficient privileges + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Internal server error + summary: Create an Elastic Endpoint rule exception list + tags: + - Security Endpoint Exceptions API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint_list/items: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/endpoint_list/items
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete an Elastic Endpoint exception list item, specified by the `id` or `item_id` field. + operationId: DeleteEndpointListItem + parameters: + - description: Either `id` or `item_id` must be specified + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId' + - description: Either `id` or `item_id` must be specified + in: query + name: item_id + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId' + responses: + '200': + content: + application/json: + examples: + deleted: + summary: Deleted endpoint exception list item + value: + comments: [] + created_at: '2025-01-01T12:00:00.000Z' + created_by: elastic + description: Blocks a known malicious file by its hash + entries: + - field: file.hash.sha256 + operator: included + type: match + value: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e + item_id: block-malicious-file + list_id: endpoint_list + name: Block malicious file + namespace_type: agnostic + os_types: + - windows + tags: [] + tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 + type: simple + updated_at: '2025-01-01T12:00:00.000Z' + updated_by: elastic + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItem' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: Either "item_id" or "id" needs to be defined in the request + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Invalid input data + '401': + content: + application/json: + examples: + unauthorized: + 
value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [DELETE /api/endpoint_list/items?item_id=block-malicious-file] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + description: Insufficient privileges + '404': + content: + application/json: + examples: + notFound: + value: + message: 'exception list item item_id: "block-malicious-file" does not exist' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Endpoint list item not found + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Internal server error + summary: Delete an Elastic Endpoint exception list item + tags: + - Security Endpoint Exceptions API + x-metaTags: + - content: Kibana + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint_list/items
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the details of an Elastic Endpoint exception list item, specified by the `id` or `item_id` field. + operationId: ReadEndpointListItem + parameters: + - description: Either `id` or `item_id` must be specified + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId' + - description: Either `id` or `item_id` must be specified + in: query + name: item_id + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId' + responses: + '200': + content: + application/json: + examples: + item: + summary: Endpoint exception list item + value: + comments: [] + created_at: '2025-01-01T12:00:00.000Z' + created_by: elastic + description: Blocks a known malicious file by its hash + entries: + - field: file.hash.sha256 + operator: included + type: match + value: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e + item_id: block-malicious-file + list_id: endpoint_list + name: Block malicious file + namespace_type: agnostic + os_types: + - windows + tags: + - policy:all + tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 + type: simple + updated_at: '2025-01-01T12:00:00.000Z' + updated_by: elastic + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItem' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: id or item_id required + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Invalid input data + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + 
message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [GET /api/endpoint_list/items?item_id=block-malicious-file] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + description: Insufficient privileges + '404': + content: + application/json: + examples: + notFound: + value: + message: 'exception list item item_id: "block-malicious-file" does not exist' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Endpoint list item not found + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Internal server error + summary: Get an Elastic Endpoint rule exception list item + tags: + - Security Endpoint Exceptions API + x-metaTags: + - content: Kibana + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint_list/items
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create an Elastic Endpoint exception list item, and associate it with the Elastic Endpoint exception list. + operationId: CreateEndpointListItem + requestBody: + content: + application/json: + examples: + matchAny: + summary: Exclude multiple process names + value: + description: Exclude common security tools from endpoint protection + entries: + - field: process.name + operator: included + type: match_any + value: + - scanner.exe + - updater.exe + name: Trusted security tools + os_types: + - windows + type: simple + simpleMatch: + summary: Block a specific file hash + value: + description: Blocks a known malicious file by its hash + entries: + - field: file.hash.sha256 + operator: included + type: match + value: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + name: Block malicious file + os_types: + - windows + tags: + - policy:all + type: simple + schema: + type: object + properties: + comments: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray' + default: [] + description: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription' + entries: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray' + item_id: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId' + meta: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta' + name: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName' + os_types: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray' + default: [] + tags: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags' + default: [] + type: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType' + required: + - type + - name + - 
description + - entries + description: Exception list item's properties + required: true + responses: + '200': + content: + application/json: + examples: + created: + summary: Endpoint exception list item created + value: + comments: [] + created_at: '2025-01-01T12:00:00.000Z' + created_by: elastic + description: Blocks a known malicious file by its hash + entries: + - field: file.hash.sha256 + operator: included + type: match + value: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e + item_id: block-malicious-file + list_id: endpoint_list + name: Block malicious file + namespace_type: agnostic + os_types: + - windows + tags: + - policy:all + tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 + type: simple + updated_at: '2025-01-01T12:00:00.000Z' + updated_by: elastic + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItem' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request body]: name: Required' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Invalid input data + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [POST /api/endpoint_list/items] is 
unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + description: Insufficient privileges + '409': + content: + application/json: + examples: + alreadyExists: + value: + message: 'exception list item id: "block-malicious-file" already exists' + status_code: 409 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Endpoint list item already exists + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Internal server error + summary: Create an Elastic Endpoint rule exception list item + tags: + - Security Endpoint Exceptions API + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/endpoint_list/items
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an Elastic Endpoint exception list item, specified by the `id` or `item_id` field. + operationId: UpdateEndpointListItem + requestBody: + content: + application/json: + examples: + updateName: + summary: Update an endpoint exception list item + value: + description: Updated description for the exception + entries: + - field: file.hash.sha256 + operator: included + type: match + value: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + item_id: block-malicious-file + name: Block malicious file (updated) + os_types: + - windows + - linux + type: simple + schema: + type: object + properties: + _version: + description: The version id, normally returned by the API when the item is retrieved. Use it ensure updates are made against the latest version. + type: string + comments: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray' + default: [] + description: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription' + entries: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray' + id: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId' + description: Either `id` or `item_id` must be specified + item_id: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId' + description: Either `id` or `item_id` must be specified + meta: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta' + name: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName' + os_types: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray' + default: [] + tags: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags' + type: + $ref: 
'#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType' + required: + - type + - name + - description + - entries + description: Exception list item's properties + required: true + responses: + '200': + content: + application/json: + examples: + updated: + summary: Endpoint exception list item updated + value: + comments: [] + created_at: '2025-01-01T12:00:00.000Z' + created_by: elastic + description: Updated description for the exception + entries: + - field: file.hash.sha256 + operator: included + type: match + value: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e + item_id: block-malicious-file + list_id: endpoint_list + name: Block malicious file (updated) + namespace_type: agnostic + os_types: + - windows + - linux + tags: + - policy:all + tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 + type: simple + updated_at: '2025-01-15T09:30:00.000Z' + updated_by: elastic + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItem' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request body]: name: Required' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Invalid input data + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication + '403': + content: + 
application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [PUT /api/endpoint_list/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + description: Insufficient privileges + '404': + content: + application/json: + examples: + notFound: + value: + message: 'list item item_id: "block-malicious-file" not found' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Endpoint list item not found + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Internal server error + summary: Update an Elastic Endpoint rule exception list item + tags: + - Security Endpoint Exceptions API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint_list/items/_find: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint_list/items/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all Elastic Endpoint exception list items. + operationId: FindEndpointListItems + parameters: + - description: | + Filters the returned results according to the value of the specified field, + using the `:` syntax. + in: query + name: filter + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' + - description: The page number to return + in: query + name: page + required: false + schema: + minimum: 0 + type: integer + - description: The number of exception list items to return per page + in: query + name: per_page + required: false + schema: + minimum: 0 + type: integer + - description: Determines which field is used to sort the results + in: query + name: sort_field + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' + - description: Determines the sort order, which can be `desc` or `asc` + in: query + name: sort_order + required: false + schema: + enum: + - desc + - asc + type: string + responses: + '200': + content: + application/json: + examples: + foundItems: + summary: Found endpoint exception list items + value: + data: + - comments: [] + created_at: '2025-01-01T12:00:00.000Z' + created_by: elastic + description: Blocks a known malicious file by its hash + entries: + - field: file.hash.sha256 + operator: included + type: match + value: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e + item_id: block-malicious-file + list_id: endpoint_list + name: Block malicious file + namespace_type: agnostic + os_types: + - windows + tags: + - policy:all + tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 + type: simple + updated_at: '2025-01-01T12:00:00.000Z' + updated_by: elastic + page: 1 + per_page: 20 + total: 1 + schema: + type: object + properties: + data: + description: The list 
of endpoint exception list items. + items: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItem' + type: array + page: + description: The current page number. + minimum: 0 + type: integer + per_page: + description: The number of items per page. + minimum: 0 + type: integer + pit: + description: The point-in-time ID for pagination. + type: string + total: + description: The total number of endpoint exception list items. + minimum: 0 + type: integer + required: + - data + - page + - per_page + - total + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request query]: page: Expected number, received string' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Invalid input data + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [GET /api/endpoint_list/items/_find] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' + description: Insufficient privileges + '404': + content: + application/json: + examples: + notFound: + value: + message: 'list id: "endpoint_list" does not exist' + status_code: 
404 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Endpoint list not found + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' + description: Internal server error + summary: Get Elastic Endpoint exception list items + tags: + - Security Endpoint Exceptions API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint/action: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint/action
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all response actions. + operationId: EndpointGetActionsList + parameters: + - description: The page number to return. + in: query + name: page + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Page' + - description: The number of response actions to return per page. + in: query + name: pageSize + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_PageSize' + - description: A list of response action command names to filter by. + in: query + name: commands + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Commands' + - description: A list of Elastic Agent IDs to filter the response actions by. + in: query + name: agentIds + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentIds' + - description: A list of user IDs that submitted the response actions. + in: query + name: userIds + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_UserIds' + - description: A start date in ISO 8601 format or Date Math format (for example, `now-24h`). + in: query + name: startDate + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_StartDate' + - description: An end date in ISO 8601 format or Date Math format (for example, `now`). + in: query + name: endDate + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndDate' + - description: The agent type to filter response actions by. Defaults to `endpoint`. + in: query + name: agentTypes + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' + - description: A list of response action IDs whose outputs should be included in the response. 
+ in: query + name: withOutputs + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_WithOutputs' + - description: A list of response action types to filter by (`automated`, `manual`). + in: query + name: types + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Types' + responses: + '200': + content: + application/json: + examples: + actionsList: + summary: A list of response actions + value: + data: + - agents: + - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 + agentType: endpoint + command: running-processes + completedAt: '2022-08-08T09:50:47.672Z' + createdBy: elastic + id: b3d6de74-36b0-4fa8-be46-c375bf1771bf + isCompleted: true + isExpired: false + startedAt: '2022-08-08T15:24:57.402Z' + wasSuccessful: true + - agents: + - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 + agentType: endpoint + command: isolate + completedAt: '2022-08-08T10:41:57.352Z' + createdBy: elastic + id: 43b4098b-8752-4fbb-a7a7-6df7c74d0ee3 + isCompleted: true + isExpired: false + startedAt: '2022-08-08T15:23:37.359Z' + wasSuccessful: true + elasticAgentIds: + - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 + endDate: now + page: 1 + pageSize: 10 + startDate: now-24h/h + total: 2 + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_GetEndpointActionListResponse' + description: Indicates a successful call. + summary: Get response actions + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint/action_status: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint/action_status
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the status of response actions for the specified agent IDs. + operationId: EndpointGetActionsStatus + parameters: + - description: A list of agent IDs to get the action status for. + in: query + name: agent_ids + required: true + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentIds' + responses: + '200': + content: + application/json: + examples: + actionStatus: + summary: Pending response actions per agent + value: + data: + - agent_id: afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 + pending_actions: + execute: 0 + get-file: 0 + isolate: 0 + kill-process: 1 + running-processes: 0 + scan: 0 + unisolate: 0 + upload: 0 + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ActionStatusSuccessResponse' + description: Indicates a successful call. + summary: Get response actions status + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint/action/{action_id}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint/action/{action_id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the details of a response action using the action ID. + operationId: EndpointGetActionsDetails + parameters: + - description: The ID of the response action to retrieve. + in: path + name: action_id + required: true + schema: + example: fr518850-681a-4y60-aa98-e22640cae2b8 + type: string + responses: + '200': + content: + application/json: + examples: + actionDetails: + summary: Details of an isolate response action + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentType: endpoint + command: isolate + completedAt: '2022-08-08T10:41:57.352Z' + createdBy: elastic + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: true + isExpired: false + startedAt: '2022-08-08T15:23:37.359Z' + wasSuccessful: true + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ActionDetailsResponse' + description: OK + summary: Get action details + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint/action/{action_id}/file/{file_id}: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint/action/{action_id}/file/{file_id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get information for the specified response action file download. + operationId: EndpointFileInfo + parameters: + - description: The ID of the response action that generated the file. + in: path + name: action_id + required: true + schema: + type: string + - description: | + The file identifier is constructed in one of two ways: + - For Elastic Defend agents (`agentType` of `endpoint`): combine the `action_id` and `agent_id` values using a dot (`.`) separator: + `{file_id}` = `{action_id}.{agent_id}` + - For all other agent types: the `file_id` is the `agent_id` for which the response action was sent to. + in: path + name: file_id + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + fileInfo: + summary: File information for a response action upload + value: + data: + actionId: 233db9ea-6733-4849-9226-5a7039c7161d + agentId: ed518850-681a-4d60-bb98-e22640cae2a8 + agentType: endpoint + created: '2025-02-26T13:37:30.452Z' + id: 233db9ea-6733-4849-9226-5a7039c7161d.ed518850-681a-4d60-bb98-e22640cae2a8 + mimeType: application/zip + name: memory_dump.zip + size: 1048576 + status: READY + schema: + properties: + data: + type: object + properties: + actionId: + description: The response action ID. + type: string + agentId: + description: The agent ID that generated the file. + type: string + agentType: + description: The type of agent that generated the file. + type: string + created: + description: The date and time the file was created. + format: date-time + type: string + id: + description: The unique file identifier. + type: string + mimeType: + description: The MIME type of the file. + type: string + name: + description: The file name. + type: string + size: + description: The file size in bytes. + type: number + status: + description: The file upload status. 
+ enum: + - AWAITING_UPLOAD + - UPLOADING + - READY + - UPLOAD_ERROR + - DELETED + type: string + description: Indicates a successful call. + summary: Get file information + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint/action/{action_id}/file/{file_id}/download: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint/action/{action_id}/file/{file_id}/download
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Download a file associated with a response action. Files are downloaded in a password-protected `.zip` archive to prevent the file from running. Use password `elastic` to open the `.zip` in a safe environment. + > info + > Files retrieved from third-party-protected hosts require a different password. Refer to [Third-party response actions](https://www.elastic.co/docs/solutions/security/endpoint-response-actions/third-party-response-actions) for your system's password. + operationId: EndpointFileDownload + parameters: + - description: The ID of the response action that generated the file. + in: path + name: action_id + required: true + schema: + type: string + - description: | + The file identifier is constructed in one of two ways: + - For Elastic Defend agents (`agentType` of `endpoint`): combine the `action_id` and `agent_id` values using a dot (`.`) separator: + `{file_id}` = `{action_id}.{agent_id}` + - For all other agent types: the `file_id` is the `agent_id` for which the response action was sent to. + in: path + name: file_id + required: true + schema: + type: string + responses: + '200': + content: + application/octet-stream: + examples: + fileDownload: + summary: Password-protected ZIP archive containing the response action file + value: binary file content (password-protected .zip) + schema: + format: binary + type: string + description: Indicates a successful call. + summary: Download a file + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint/action/cancel: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/action/cancel
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Cancel a running or pending response action (Applies only to some agent types). + operationId: CancelAction + requestBody: + content: + application/json: + examples: + MicrosoftDefenderEndpoint: + summary: Cancel a response action on a Microsoft Defender for Endpoint host + value: + agent_type: microsoft_defender_endpoint + comment: Cancelling action due to change in requirements + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + id: 7f8c9b2a-4d3e-4f5a-8b1c-2e3f4a5b6c7d + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_CancelRouteRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + CancelSuccess: + summary: Cancel action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: microsoft_defender_endpoint + command: cancel + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: false + isExpired: false + outputs: {} + parameters: + id: 7f8c9b2a-4d3e-4f5a-8b1c-2e3f4a5b6c7d + startedAt: '2022-07-29T19:08:49.126Z' + status: pending + wasSuccessful: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' + description: Indicates a successful call. + summary: Cancel a response action + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint/action/execute: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/action/execute
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Run a shell command on an endpoint. + operationId: EndpointExecuteAction + requestBody: + content: + application/json: + examples: + executeCommand: + summary: Execute a shell command on an endpoint + value: + comment: Get list of all files + endpoint_ids: + - b3d6de74-36b0-4fa8-be46-c375bf1771bf + parameters: + command: ls -al + timeout: 600 + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ExecuteRouteRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + ExecuteSuccess: + summary: Execute action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: execute + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 9f934028-2300-4927-b531-b26376793dc4 + isCompleted: false + isExpired: false + outputs: {} + parameters: + command: ls -al + timeout: 600 + startedAt: '2023-07-28T18:43:27.362Z' + status: pending + wasSuccessful: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' + description: Indicates a successful call. + summary: Run a command + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint/action/get_file: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/action/get_file
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a file from an endpoint. + operationId: EndpointGetFileAction + requestBody: + content: + application/json: + examples: + getFile: + summary: Get a specific file from an endpoint + value: + comment: Get my file + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + path: /usr/my-file.txt + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_GetFileRouteRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + GetFileSuccess: + summary: Get file action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: get-file + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 27ba1b42-7cc6-4e53-86ce-675c876092b2 + isCompleted: false + isExpired: false + outputs: {} + parameters: + path: /usr/my-file.txt + startedAt: '2023-07-28T19:00:03.911Z' + status: pending + wasSuccessful: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' + description: Indicates a successful call. + summary: Get a file + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint/action/isolate: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/action/isolate
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Isolate an endpoint from the network. The endpoint remains isolated until it's released. + operationId: EndpointIsolateAction + requestBody: + content: + application/json: + examples: + multiple_endpoints: + summary: Isolates several hosts; includes a comment + value: + comment: Locked down, pending further investigation + endpoint_ids: + - 9972d10e-4b9e-41aa-a534-a85e2a28ea42 + - bc0e4f0c-3bca-4633-9fee-156c0b505d16 + - fa89271b-b9d4-43f2-a684-307cffddeb5a + single_endpoint: + summary: Isolates a single host with an endpoint_id value of ed518850-681a-4d60-bb98-e22640cae2a8 + value: + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + with_case_id: + summary: Isolates a single host with a case_id value of 1234 + value: + case_ids: + - 4976be38-c134-4554-bd5e-0fd89ce63667 + comment: Isolating as initial response + endpoint_ids: + - 1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0 + - b30a11bf-1395-4707-b508-fbb45ef9793e + schema: + type: object + properties: + agent_type: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' + alert_ids: + description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. + example: + - alert-id-1 + - alert-id-2 + items: + minLength: 1 + type: string + maxItems: 50 + minItems: 1 + type: array + case_ids: + description: The IDs of cases where the action taken will be logged. Max of 50. 
+ example: + - case-id-1 + - case-id-2 + items: + minLength: 1 + type: string + maxItems: 50 + minItems: 1 + type: array + comment: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' + endpoint_ids: + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' + parameters: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' + required: + - endpoint_ids + required: true + responses: + '200': + content: + application/json: + examples: + IsolateSuccess: + summary: Isolate action successfully created + value: + action: 233db9ea-6733-4849-9226-5a7039c7161d + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: isolate + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: false + isExpired: false + outputs: {} + startedAt: '2022-07-29T19:08:49.126Z' + status: pending + wasSuccessful: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_IsolateRouteResponse' + description: Indicates a successful call. + summary: Isolate an endpoint + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint/action/kill_process: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/action/kill_process
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Terminate a running process on an endpoint. + operationId: EndpointKillProcessAction + requestBody: + content: + application/json: + examples: + byEntityId: + summary: Terminate a process by entity ID + value: + comment: Terminating malicious process + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + entity_id: abc123 + byPid: + summary: Terminate a process by PID + value: + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + pid: 1234 + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_KillProcessRouteRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + KillProcessSuccess: + summary: Kill process action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: kill-process + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: false + isExpired: false + outputs: {} + parameters: + entity_id: abc123 + startedAt: '2022-07-29T19:08:49.126Z' + status: pending + wasSuccessful: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' + description: Indicates a successful call. + summary: Terminate a process + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint/action/memory_dump: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/action/memory_dump
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Generates memory dumps on the targeted host. + operationId: EndpointGenerateMemoryDump + requestBody: + content: + application/json: + examples: + ProcessMemoryDump: + summary: Generate a memory dump from the host machine + value: + agent_type: endpoint + comment: Generating memory dump for investigation + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + entity_id: abc123 + type: process + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_MemoryDumpRouteRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + MemoryDumpSuccessResponse: + summary: Memory dump action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: memory-dump + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: false + isExpired: false + outputs: {} + parameters: + entity_id: abc123 + type: process + startedAt: '2022-07-29T19:08:49.126Z' + status: pending + wasSuccessful: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' + description: Indicates a successful call. + summary: Generate a memory dump from the host machine + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint/action/running_procs: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/action/running_procs
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all processes running on an endpoint. + operationId: EndpointGetProcessesAction + requestBody: + content: + application/json: + examples: + singleEndpoint: + summary: Get running processes on a single endpoint + value: + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_GetProcessesRouteRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + RunningProcsSuccess: + summary: Running processes action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: running-processes + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: false + isExpired: false + outputs: {} + startedAt: '2022-07-29T19:08:49.126Z' + status: pending + wasSuccessful: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' + description: Indicates a successful call. + summary: Get running processes + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint/action/runscript: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/action/runscript
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Run a script on a host. Currently supported only for some agent types. + operationId: RunScriptAction + requestBody: + content: + application/json: + examples: + Elastic Defend: + description: Endpoint runscript to collect logs + summary: Run a script against an Elastic Defend agent + value: + agent_type: endpoint + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + scriptId: 1111-2222-3333-4444-5555-6666-7777-8888 + scriptInput: '--path= /usr/log/exec.log' + MDE: + description: Microsoft Defender Endpoint runscript + summary: Run a script against a Microsoft Defender Endpoint agent + value: + agent_type: microsoft_defender_endpoint + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + args: '-param1 value1 -param2 value2' + scriptName: my-script.ps1 + SentinelOne: + description: SentinelOne runscript + summary: Run a script against a SentinelOne agent + value: + agent_type: sentinel_one + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + scriptId: 1111-2222-3333-4444-5555-6666-7777-8888 + scriptInput: '--delete --paths-to-delete /tmp/temp_file.txt,/tmp/random_file.txt' + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_RunScriptRouteRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + RunScriptSuccess: + summary: Run script action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: sentinel_one + command: runscript + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: false + isExpired: false + outputs: {} + parameters: + scriptId: 1111-2222-3333-4444-5555-6666-7777-8888 + startedAt: 
'2022-07-29T19:08:49.126Z' + status: pending + wasSuccessful: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' + description: Indicates a successful call. + summary: Run a script + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint/action/scan: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/action/scan
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Scan a specific file or directory on an endpoint for malware. + operationId: EndpointScanAction + requestBody: + content: + application/json: + examples: + scanFile: + summary: Scan a file on an endpoint + value: + comment: Scan the file for malware + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + path: /usr/my-file.txt + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ScanRouteRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + ScanSuccess: + summary: Scan action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: scan + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 27ba1b42-7cc6-4e53-86ce-675c876092b2 + isCompleted: false + isExpired: false + outputs: {} + parameters: + path: /usr/my-file.txt + startedAt: '2023-07-28T19:00:03.911Z' + status: pending + wasSuccessful: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' + description: Indicates a successful call. + summary: Scan a file or directory + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint/action/state: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint/action/state
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a response actions state, which reports whether encryption is enabled. + operationId: EndpointGetActionsState + responses: + '200': + content: + application/json: + examples: + actionsState: + summary: Response actions state with encryption enabled + value: + data: + canEncrypt: true + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ActionStateSuccessResponse' + description: OK + summary: Get actions state + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint/action/suspend_process: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/action/suspend_process
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Suspend a running process on an endpoint. + operationId: EndpointSuspendProcessAction + requestBody: + content: + application/json: + examples: + byEntityId: + summary: Suspend a process by entity ID + value: + comment: Suspending suspicious process + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + entity_id: abc123 + byPid: + summary: Suspend a process by PID + value: + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + pid: 1234 + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_SuspendProcessRouteRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + SuspendProcessSuccess: + summary: Suspend process action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: suspend-process + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: false + isExpired: false + outputs: {} + parameters: + entity_id: abc123 + startedAt: '2022-07-29T19:08:49.126Z' + status: pending + wasSuccessful: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' + description: Indicates a successful call. + summary: Suspend a process + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint/action/unisolate: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/action/unisolate
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Release an isolated endpoint, allowing it to rejoin a network. + operationId: EndpointUnisolateAction + requestBody: + content: + application/json: + examples: + multipleHosts: + summary: 'Releases several hosts; includes a comment:' + value: + comment: Benign process identified, releasing group + endpoint_ids: + - 9972d10e-4b9e-41aa-a534-a85e2a28ea42 + - bc0e4f0c-3bca-4633-9fee-156c0b505d16 + - fa89271b-b9d4-43f2-a684-307cffddeb5a + singleHost: + summary: Releases a single host with an endpoint_id value of ed518850-681a-4d60-bb98-e22640cae2a8 + value: + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + withCaseId: + summary: Releases hosts with an associated case; includes a comment. + value: + case_ids: + - 4976be38-c134-4554-bd5e-0fd89ce63667 + comment: Remediation complete, restoring network + endpoint_ids: + - 1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0 + - b30a11bf-1395-4707-b508-fbb45ef9793e + schema: + type: object + properties: + agent_type: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' + alert_ids: + description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. + example: + - alert-id-1 + - alert-id-2 + items: + minLength: 1 + type: string + maxItems: 50 + minItems: 1 + type: array + case_ids: + description: The IDs of cases where the action taken will be logged. Max of 50. 
+ example: + - case-id-1 + - case-id-2 + items: + minLength: 1 + type: string + maxItems: 50 + minItems: 1 + type: array + comment: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' + endpoint_ids: + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' + parameters: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' + required: + - endpoint_ids + required: true + responses: + '200': + content: + application/json: + examples: + UnisolateSuccess: + summary: Unisolate action successfully created + value: + action: 233db9ea-6733-4849-9226-5a7039c7161d + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: unisolate + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-node-1235412 + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: false + isExpired: false + outputs: {} + startedAt: '2022-07-29T19:08:49.126Z' + status: pending + wasSuccessful: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_UnisolateRouteResponse' + description: Indicates a successful call. + summary: Release an isolated endpoint + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint/action/upload: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/action/upload
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Upload a file to an endpoint. + operationId: EndpointUploadAction + requestBody: + content: + multipart/form-data: + examples: + uploadFile: + summary: Upload a script file to a specific endpoint + value: + comment: Pushing remediation script to host + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + file: RWxhc3RpYw== + parameters: + overwrite: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_UploadRouteRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + UploadSuccess: + summary: Upload action successfully created + value: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: upload + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: Host-5i6cuc8kdv + id: 9ff6aebc-2cb6-481e-8869-9b30036c9731 + isCompleted: false + isExpired: false + outputs: {} + parameters: + file_id: 10e4ce3d-4abb-4f93-a0cd-eaf63a489280 + file_name: fix-malware.sh + file_sha256: a0bed94220193ba4895c0aa5b4e7e293381d15765cb164ddf7be5cdd010ae42a + file_size: 69 + startedAt: '2023-07-03T15:07:22.837Z' + status: pending + wasSuccessful: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse' + description: Indicates a successful call. + summary: Upload a file + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint/metadata: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint/metadata
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all endpoint host metadata. + operationId: GetEndpointMetadataList + parameters: + - description: The page number to return. + in: query + name: page + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Page' + - description: The number of endpoints to return per page. + in: query + name: pageSize + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_PageSize' + - description: A KQL string to filter the endpoint metadata results. + in: query + name: kuery + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Kuery' + - description: A set of host statuses to filter the results by (for example, `healthy`, `updating`). + in: query + name: hostStatuses + required: true + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_HostStatuses' + - description: The field used to sort the results. + in: query + name: sortField + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_SortField' + - description: The sort order, either `asc` or `desc`. 
+ in: query + name: sortDirection + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_SortDirection' + responses: + '200': + content: + application/json: + examples: + metadataList: + summary: A list of endpoint host metadata + value: + data: + - host_status: healthy + last_checkin: '2023-07-04T15:47:57.432Z' + metadata: + agent: + id: 285297c6-3bff-4b83-9a07-f3e749801123 + type: endpoint + version: 8.10.0 + Endpoint: + policy: + applied: + id: d5371dcd-93b7-4627-af88-4084f7d6aa3e + name: test + status: success + status: enrolled + host: + hostname: WinDev2104Eval + os: + name: Windows + platform: windows + version: 20H2 + page: 0 + pageSize: 10 + sortDirection: desc + sortField: enrolled_at + total: 1 + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_MetadataListResponse' + description: Indicates a successful call. + summary: Get a metadata list + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint/metadata/{id}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint/metadata/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get host metadata for a specific endpoint. + operationId: GetEndpointMetadata + parameters: + - description: The agent ID of the endpoint. + in: path + name: id + required: true + schema: + example: ed518850-681a-4d60-bb98-e22640cae2a8 + type: string + responses: + '200': + content: + application/json: + examples: + endpointMetadata: + summary: Host metadata for a specific endpoint + value: + host_status: healthy + last_checkin: '2023-07-04T15:48:57.360Z' + metadata: + agent: + id: abb8a826-6812-448c-a571-6d8269b51449 + type: endpoint + version: 8.10.0 + Endpoint: + policy: + applied: + id: d5371dcd-93b7-4627-af88-4084f7d6aa3e + name: test + status: success + status: enrolled + host: + hostname: WinDev2104Eval + os: + name: Windows + platform: windows + version: 20H2 + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointMetadataResponse' + description: Indicates a successful call. + summary: Get metadata + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint/policy_response: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint/policy_response
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the most recent policy response for an endpoint. + operationId: GetPolicyResponse + parameters: + - description: The agent ID to retrieve the policy response for. + in: query + name: agentId + required: true + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentId' + responses: + '200': + content: + application/json: + examples: + policyResponse: + summary: The most recent policy response for an endpoint + value: + policy_response: + '@timestamp': '2023-07-04T15:48:57.360Z' + agent: + id: ed518850-681a-4d60-bb98-e22640cae2a8 + version: 7.16.0 + Endpoint: + policy: + applied: + endpoint_policy_version: '2' + id: d5371dcd-93b7-4627-af88-4084f7d6aa3e + name: My endpoint policy + status: success + version: '3' + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse' + description: Indicates a successful call. + summary: Get a policy response + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint/protection_updates_note/{package_policy_id}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint/protection_updates_note/{package_policy_id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the protection updates note for a package policy. + operationId: GetProtectionUpdatesNote + parameters: + - description: The package policy ID to retrieve the protection updates note for. + in: path + name: package_policy_id + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + protectionUpdatesNote: + summary: The protection updates note for a package policy + value: + note: Pinned protection updates to 2025-01-01 while validating new signatures. + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse' + description: Indicates a successful call. + summary: Get a protection updates note + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/protection_updates_note/{package_policy_id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create or update the protection updates note for a package policy. + operationId: CreateUpdateProtectionUpdatesNote + parameters: + - description: The package policy ID to create or update the protection updates note for. + in: path + name: package_policy_id + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + setNote: + summary: Set a new protection updates note + value: + note: Pinned protection updates to 2025-01-01 while validating new signatures. + schema: + type: object + properties: + note: + description: The note content. + type: string + required: true + responses: + '200': + content: + application/json: + examples: + noteSaved: + summary: Protection updates note saved + value: + note: Pinned protection updates to 2025-01-01 while validating new signatures. + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse' + description: Indicates a successful call. + summary: Create or update a protection updates note + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint/scripts_library: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint/scripts_library
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve a list of scripts + operationId: EndpointScriptLibraryListScripts + parameters: + - description: Page number of the results to return. Defaults to 1. + in: query + name: page + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Page' + - description: Number of results to return per page. Defaults to 10. Max value is 1000. + in: query + name: pageSize + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ApiPageSize' + - description: The field to sort the results by. Defaults to name. + in: query + name: sortField + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ApiSortField' + - description: The direction to sort the results by. Defaults to asc (ascending). + in: query + name: sortDirection + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_SortDirection' + - description: | + A KQL query string to filter the list of scripts. Nearly all fields in the script object are searchable. 
+ in: query + name: kuery + required: false + schema: + allOf: + - $ref: '#/components/schemas/Security_Endpoint_Management_API_Kuery' + - example: platform:windows + responses: + '200': + content: + application/json: + examples: + response: + summary: List of scripts response example + value: + data: [] + page: 1 + pageSize: 10 + sortDirection: asc + sortField: name + total: 100 + schema: + type: object + properties: + data: + items: + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointScript' + type: array + page: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Page' + pageSize: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ApiPageSize' + sortDirection: + $ref: '#/components/schemas/Security_Endpoint_Management_API_SortDirection' + sortField: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ApiSortField' + total: + description: The total number of scripts matching the query + type: integer + description: List of scripts response + summary: Get a list of scripts + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/endpoint/scripts_library
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new script entry by uploading a script file + operationId: EndpointScriptLibraryCreateScript + requestBody: + content: + multipart/form-data: + examples: + CreateArchiveScriptEntry: + summary: Create an archive script entry + value: + description: Collects host data for investigation + example: ./collect_host_data.sh --help + file: ./collect_host_data.zip + fileType: archive + instructions: Collects host data for investigation + name: Collect host data + pathToExecutable: ./bin/collect_host_data.sh + platform: + - linux + - macos + requiresInput: false + CreateScriptEntry: + summary: Create a script entry + value: + description: Collects host data for investigation + example: ./collect_host_data.sh --help + file: ./collect_host_data.sh + fileType: script + instructions: Collects host data for investigation + name: Collect host data + platform: + - linux + - macos + requiresInput: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_CreateScriptRouteRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + CreateScriptEntrySuccess: + summary: Create a script entry + value: + data: + description: Collects host data for investigation + file: ./collect_host_data.sh + fileType: script + id: 1234567890 + instructions: No arguments required + name: Collect host data + platform: + - linux + - macos + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ScriptsApiResponse' + description: Action request was successfully created + summary: Create script + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint/scripts_library/{script_id}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/endpoint/scripts_library/{script_id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a script + operationId: EndpointScriptLibraryDeleteScript + parameters: + - description: The ID of the script entry to be deleted. + example: fr518850-681a-4y60-aa98-e22640cae2b8 + in: path + name: script_id + required: true + schema: + description: The ID of the script entry to be deleted. + example: fr518850-681a-4y60-aa98-e22640cae2b8 + type: string + responses: + '200': + content: + application/json: + examples: + response: + summary: Delete script response example. + value: {} + schema: + type: object + description: Delete script response. + summary: Delete a script + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint/scripts_library/{script_id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a script + operationId: EndpointScriptLibraryGetOneScript + parameters: + - description: The ID of the script entry. + example: fr518850-681a-4y60-aa98-e22640cae2b8 + in: path + name: script_id + required: true + schema: + description: The ID of the script entry. + example: fr518850-681a-4y60-aa98-e22640cae2b8 + type: string + responses: + '200': + content: + application/json: + examples: + UpdateScriptEntrySuccess: + summary: Get one script entry success + value: + data: + description: Collects host data for investigation + file: ./collect_host_data.sh + fileType: script + id: 1234567890 + instructions: No arguments required + name: Collect host data + platform: + - linux + - macos + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ScriptsApiResponse' + description: Get script response + summary: Get script + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + patch: + description: |- + **Spaces method and path for this operation:** + +
patch /s/{space_id}/api/endpoint/scripts_library/{script_id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update (full or partial) a script entry + operationId: EndpointScriptLibraryPatchUpdateScript + parameters: + - description: The ID of the script entry to be updated. + example: fr518850-681a-4y60-aa98-e22640cae2b8 + in: path + name: script_id + required: true + schema: + description: The ID of the script entry to be updated. + example: fr518850-681a-4y60-aa98-e22640cae2b8 + type: string + requestBody: + content: + multipart/form-data: + examples: + PatchUpdateScriptEntry: + summary: Update script entry instructions + value: + instructions: ./collect_host_data.sh --help + PatchUpdateScriptEntryFromArchiveToScript: + summary: Update script entry from an archive to a script + value: + fileType: script + PatchUpdateScriptEntryToArchive: + summary: Update script entry to be an archive + value: + fileType: archive + pathToExecutable: ./bin/collect_host_data.sh + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_PatchUpdateScriptRouteRequestBody' + required: true + responses: + '200': + content: + application/json: + examples: + UpdateScriptEntrySuccess: + summary: Update script entry success + value: + data: + description: Collects host data for investigation + file: ./collect_host_data.sh + fileType: script + id: 1234567890 + instructions: No arguments required + name: Collect host data + platform: + - linux + - macos + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_ScriptsApiResponse' + description: Action request was successfully updated + summary: Update script + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + /api/endpoint/scripts_library/{script_id}/download: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/endpoint/scripts_library/{script_id}/download
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Download a script file + operationId: EndpointScriptLibraryDownloadScript + parameters: + - description: The ID of the script entry. + example: fr518850-681a-4y60-aa98-e22640cae2b8 + in: path + name: script_id + required: true + schema: + description: The ID of the script entry. + example: fr518850-681a-4y60-aa98-e22640cae2b8 + type: string + responses: + '200': + content: + application/octet-stream: + examples: + response: + summary: Download script file response example. + value: null + schema: + description: A download stream is returned. + format: binary + type: string + description: Download script file response. + summary: Download a script file + tags: + - Security Endpoint Management API + x-metaTags: + - content: Kibana + name: product_name + /api/entity_analytics/monitoring/engine/delete: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/entity_analytics/monitoring/engine/delete
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Deletes the Privilege Monitoring Engine and optionally removes all associated privileged user data. + operationId: DeleteMonitoringEngine + parameters: + - description: Whether to delete all the privileged user data + in: query + name: data + required: false + schema: + default: false + type: boolean + responses: + '200': + content: + application/json: + examples: + DeleteMonitoringEngineResponse: + summary: Engine deleted successfully + value: + deleted: true + schema: + type: object + properties: + deleted: + type: boolean + required: + - deleted + description: Successful response + summary: Delete the Privilege Monitoring Engine + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/entity_analytics/monitoring/engine/disable: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_analytics/monitoring/engine/disable
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Disables the Privilege Monitoring Engine, stopping all monitoring activity without removing data. + operationId: DisableMonitoringEngine + responses: + '200': + content: + application/json: + examples: + DisableMonitoringEngineResponse: + summary: Engine disabled successfully + value: + status: disabled + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoringEngineDescriptor' + description: Successful response + summary: Disable the Privilege Monitoring Engine + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/entity_analytics/monitoring/engine/init: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_analytics/monitoring/engine/init
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Initializes the Privilege Monitoring Engine, setting up the required resources and starting the engine. + operationId: InitMonitoringEngine + responses: + '200': + content: + application/json: + examples: + InitMonitoringEngineResponse: + summary: Engine initialized successfully + value: + status: started + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoringEngineDescriptor' + description: Successful response + '500': + content: + application/json: + examples: + InitMonitoringEngineError: + summary: Internal server error during engine initialization + value: + error: + message: Failed to initialize monitoring engine + status: error + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoringEngineDescriptor' + description: Internal Server Error + summary: Initialize the Privilege Monitoring Engine + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/entity_analytics/monitoring/engine/schedule_now: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_analytics/monitoring/engine/schedule_now
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Schedules the Privilege Monitoring Engine to run as soon as possible, triggering an immediate monitoring cycle. + operationId: ScheduleMonitoringEngine + responses: + '200': + content: + application/json: + examples: + ScheduleMonitoringEngineResponse: + summary: Engine scheduled successfully + value: + success: true + schema: + type: object + properties: + success: + description: Indicates the scheduling was successful + type: boolean + description: Successful response + '409': + content: + application/json: + examples: + ScheduleMonitoringEngineConflict: + summary: Engine is already running + value: + message: Monitoring engine is already running + schema: + type: object + properties: + message: + description: Error message indicating the engine is already running + type: string + description: Conflict - Monitoring engine is already running + summary: Schedule the Privilege Monitoring Engine + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/entity_analytics/monitoring/privileges/health: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/entity_analytics/monitoring/privileges/health
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Returns the current health status of the Privilege Monitoring Engine, including engine status, error details, and user count statistics. + operationId: PrivMonHealth + responses: + '200': + content: + application/json: + examples: + PrivMonHealthResponse: + summary: Healthy privilege monitoring engine + value: + status: started + users: + current_count: 42 + max_allowed: 1000 + schema: + type: object + properties: + error: + type: object + properties: + message: + type: string + required: + - status + status: + $ref: '#/components/schemas/Security_Entity_Analytics_API_PrivilegeMonitoringEngineStatus' + users: + description: User statistics for privilege monitoring + type: object + properties: + current_count: + description: Current number of privileged users being monitored + type: integer + max_allowed: + description: Maximum number of privileged users allowed to be monitored + type: integer + required: + - current_count + - max_allowed + required: + - status + description: Successful response + summary: Health check on Privilege Monitoring + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/entity_analytics/monitoring/privileges/privileges: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/entity_analytics/monitoring/privileges/privileges
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Check if the current user has all required permissions for Privilege Monitoring + operationId: PrivMonPrivileges + responses: + '200': + content: + application/json: + examples: + PrivMonPrivilegesResponse: + summary: Privileges check response + value: + has_all_required: true + privileges: + elasticsearch: + index: + .entity_analytics.monitoring.user-default: + read: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityAnalyticsPrivileges' + description: Successful response + summary: Run a privileges check on Privilege Monitoring + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/entity_analytics/monitoring/users: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_analytics/monitoring/users
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Creates a new privileged user to be monitored by the Privilege Monitoring Engine. + operationId: CreatePrivMonUser + requestBody: + content: + application/json: + examples: + CreatePrivMonUserRequest: + summary: Create a monitored user + value: + entity_analytics_monitoring: + labels: + - field: department + source: api + value: IT + user: + name: john.doe + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_UserName' + required: true + responses: + '200': + content: + application/json: + examples: + CreatePrivMonUserResponse: + summary: Created monitored user + value: + '@timestamp': '2026-01-28T12:00:00.000Z' + entity_analytics_monitoring: + labels: + - field: department + source: api + value: IT + event: + ingested: '2026-01-28T12:00:00.000Z' + id: user-abc-123 + user: + is_privileged: true + name: john.doe + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoredUserDoc' + description: User created successfully + summary: Create a new monitored user + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/entity_analytics/monitoring/users/_csv: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_analytics/monitoring/users/_csv
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Bulk upserts privileged users by uploading a CSV file. Returns per-row errors and aggregate upload statistics. + operationId: PrivmonBulkUploadUsersCSV + requestBody: + content: + multipart/form-data: + examples: + PrivmonBulkUploadUsersCSVRequest: + summary: CSV file with privileged users + value: + file: | + username,is_privileged + john.doe,true + jane.smith,true + schema: + type: object + properties: + file: + description: The CSV file to upload. + format: binary + type: string + required: + - file + responses: + '200': + content: + application/json: + examples: + PrivmonBulkUploadUsersCSVResponse: + summary: Bulk upload response with mixed results + value: + errors: + - index: 1 + message: Invalid monitored field + username: john.doe + stats: + failedOperations: 1 + successfulOperations: 1 + totalOperations: 2 + uploaded: 2 + schema: + type: object + properties: + errors: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_PrivmonUserCsvUploadErrorItem' + type: array + stats: + $ref: '#/components/schemas/Security_Entity_Analytics_API_PrivmonUserCsvUploadStats' + required: + - errors + - stats + description: Bulk upload successful + '413': + description: File too large + summary: Upsert multiple monitored users via CSV upload + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/entity_analytics/monitoring/users/{id}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/entity_analytics/monitoring/users/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Removes a privileged user from monitoring by their document ID. + operationId: DeletePrivMonUser + parameters: + - description: The document ID of the monitored user to delete + in: path + name: id + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + DeletePrivMonUserResponse: + summary: User deleted successfully + value: + acknowledged: true + message: User deleted successfully + schema: + type: object + properties: + acknowledged: + description: Indicates if the deletion was successful + type: boolean + message: + description: A message providing additional information about the deletion status + type: string + required: + - success + description: User deleted successfully + summary: Delete a monitored user + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/entity_analytics/monitoring/users/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Updates the details of an existing monitored privileged user by their document ID. + operationId: UpdatePrivMonUser + parameters: + - description: The document ID of the monitored user to update + in: path + name: id + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + UpdatePrivMonUserRequest: + summary: Update a monitored user + value: + entity_analytics_monitoring: + labels: + - field: department + source: api + value: Security + user: + is_privileged: true + name: john.doe + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoredUserUpdateDoc' + required: true + responses: + '200': + content: + application/json: + examples: + UpdatePrivMonUserResponse: + summary: Updated monitored user + value: + '@timestamp': '2026-01-28T12:00:00.000Z' + entity_analytics_monitoring: + labels: + - field: department + source: api + value: Security + event: + ingested: '2026-01-28T12:00:00.000Z' + id: user-abc-123 + user: + is_privileged: true + name: john.doe + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoredUserDoc' + description: User updated successfully + summary: Update a monitored user + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/entity_analytics/monitoring/users/list: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/entity_analytics/monitoring/users/list
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Returns a list of all privileged users currently being monitored. Supports optional KQL filtering. + operationId: ListPrivMonUsers + parameters: + - description: KQL query to filter the list of monitored users + in: query + name: kql + required: false + schema: + type: string + responses: + '200': + content: + application/json: + examples: + ListPrivMonUsersResponse: + summary: List of monitored users + value: + - '@timestamp': '2026-01-28T12:00:00.000Z' + entity_analytics_monitoring: + labels: + - field: department + source: api + value: IT + event: + ingested: '2026-01-28T12:00:00.000Z' + id: user-abc-123 + user: + is_privileged: true + name: john.doe + - '@timestamp': '2026-01-15T09:00:00.000Z' + entity_analytics_monitoring: + labels: + - field: department + source: csv + value: Security + event: + ingested: '2026-01-15T09:00:00.000Z' + id: user-def-456 + user: + is_privileged: true + name: jane.smith + schema: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoredUserDoc' + type: array + description: List of monitored users + summary: List all monitored users + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/entity_analytics/privileged_user_monitoring/pad/install: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_analytics/privileged_user_monitoring/pad/install
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Installs the privileged access detection integration package and sets up the associated ML modules required for the Entity Analytics privileged user monitoring experience. + operationId: InstallPrivilegedAccessDetectionPackage + responses: + '200': + content: + application/json: + examples: + InstallPrivilegedAccessDetectionPackageResponse: + summary: Package installed successfully + value: + message: Privileged access detection package installed successfully + schema: + type: object + properties: + message: + type: string + required: + - message + description: Successful response + summary: Installs the privileged access detection package for the Entity Analytics privileged user monitoring experience + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/entity_analytics/privileged_user_monitoring/pad/status: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/entity_analytics/privileged_user_monitoring/pad/status
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Returns the installation and ML module setup status of the privileged access detection package, along with the state of each associated ML job. + operationId: GetPrivilegedAccessDetectionPackageStatus + responses: + '200': + content: + application/json: + examples: + GetPrivilegedAccessDetectionPackageStatusResponse: + summary: Package fully installed and running + value: + jobs: + - description: Detects high-risk login patterns + job_id: pad-high-risk-login + state: opened + - description: Detects privilege escalation events + job_id: pad-privilege-escalation + state: opened + ml_module_setup_status: complete + package_installation_status: complete + schema: + type: object + properties: + jobs: + items: + type: object + properties: + description: + type: string + job_id: + type: string + state: + enum: + - closing + - closed + - opened + - failed + - opening + type: string + required: + - job_id + - state + type: array + ml_module_setup_status: + enum: + - complete + - incomplete + type: string + package_installation_status: + enum: + - complete + - incomplete + type: string + required: + - package_installation_status + - ml_module_setup_status + - jobs + description: Privileged access detection status retrieved + summary: Gets the status of the privileged access detection package for the Entity Analytics privileged user monitoring experience + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/entity_analytics/watchlists: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_analytics/watchlists
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Creates a new entity analytics watchlist with an optional set of entity sources. Watchlists apply a risk score modifier to matched entities. + operationId: CreateWatchlist + requestBody: + content: + application/json: + examples: + CreateWatchlistRequest: + summary: Create watchlist request + value: + description: High risk vendor watchlist + managed: false + name: High Risk Vendors + riskModifier: 1.5 + CreateWatchlistWithSourcesRequest: + summary: Create watchlist with entity sources + value: + description: High risk vendor watchlist + entitySources: + - enabled: true + identifierField: user.name + indexPattern: my-sync-index + name: My User Index Source + type: index + managed: false + name: High Risk Vendors + riskModifier: 1.5 + schema: + type: object + properties: + description: + description: Description of the watchlist + type: string + entitySources: + description: Optional entity sources to create and link to the watchlist + items: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + filter: + $ref: '#/components/schemas/Security_Entity_Analytics_API_Filter' + identifierField: + description: Field used to query the entity store for index-type sources + type: string + indexPattern: + type: string + integrationName: + description: Required when type is entity_analytics_integration. One of entityanalytics_okta, entityanalytics_ad. 
+ type: string + matchers: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_Matcher' + type: array + name: + type: string + queryRule: + description: KQL query used to filter data from the provided index patterns + type: string + range: + $ref: '#/components/schemas/Security_Entity_Analytics_API_DateRange' + type: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntitySourceType' + required: + - type + - name + type: array + managed: + description: Indicates if the watchlist is managed by the system + type: boolean + name: + description: Unique name for the watchlist + type: string + riskModifier: + description: Risk score modifier associated with the watchlist + maximum: 2 + minimum: 0 + type: number + required: + - name + - riskModifier + required: true + responses: + '200': + content: + application/json: + examples: + CreateWatchlistResponse: + summary: Created watchlist + value: + createdAt: '2026-01-28T12:00:00.000Z' + description: High risk vendor watchlist + id: watchlist-123 + managed: false + name: High Risk Vendors + riskModifier: 1.5 + updatedAt: '2026-01-28T12:00:00.000Z' + schema: + allOf: + - $ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistObject' + - type: object + properties: + entitySources: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoringEntitySource' + type: array + description: Watchlist created successfully + summary: Create a new watchlist + tags: + - Security Entity Analytics API + x-state: Technical Preview + x-metaTags: + - content: Kibana + name: product_name + /api/entity_analytics/watchlists/{id}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/entity_analytics/watchlists/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieves the details of an entity analytics watchlist by its unique identifier. + operationId: GetWatchlist + parameters: + - description: Unique ID of the watchlist + in: path + name: id + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + GetWatchlistResponse: + summary: Watchlist details + value: + createdAt: '2026-01-28T12:00:00.000Z' + description: High risk vendor watchlist + id: watchlist-123 + managed: false + name: High Risk Vendors + riskModifier: 1.5 + updatedAt: '2026-02-18T12:00:00.000Z' + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistObject' + description: Watchlist details + summary: Get a watchlist by ID + tags: + - Security Entity Analytics API + x-state: Technical Preview + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/entity_analytics/watchlists/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Updates the name, description, risk modifier, or managed status of an existing entity analytics watchlist. + operationId: UpdateWatchlist + parameters: + - description: The ID of the watchlist to update + in: path + name: id + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + UpdateWatchlistRequest: + summary: Update watchlist request + value: + description: High risk vendor watchlist + managed: false + name: High Risk Vendors + riskModifier: 1.5 + schema: + type: object + properties: + description: + description: Description of the watchlist + type: string + managed: + description: Indicates if the watchlist is managed by the system + type: boolean + name: + description: Unique name of the watchlist + type: string + riskModifier: + description: Risk score modifier associated with the watchlist + maximum: 2 + minimum: 0 + type: number + required: + - name + - riskModifier + required: true + responses: + '200': + content: + application/json: + examples: + UpdateWatchlistResponse: + summary: Updated watchlist + value: + createdAt: '2026-01-28T12:00:00.000Z' + description: High risk vendor watchlist + id: watchlist-123 + managed: false + name: High Risk Vendors + riskModifier: 1.5 + updatedAt: '2026-02-18T12:00:00.000Z' + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistObject' + description: Watchlist updated successfully + summary: Update an existing watchlist + tags: + - Security Entity Analytics API + x-state: Technical Preview + x-metaTags: + - content: Kibana + name: product_name + /api/entity_analytics/watchlists/{watchlist_id}/csv_upload: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_analytics/watchlists/{watchlist_id}/csv_upload
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Uploads a CSV file to add entities to a watchlist. The CSV must contain a header row + with a "type" column (user, host, service, or generic) and one or more ECS identity + fields (e.g. "user.name", "host.hostname") used to match entities in the entity store. + + Matched entities are added to the watchlist and their `entity.attributes.watchlists` + field is updated in the entity store. + + Each row will match up to 10,000 entities. + operationId: UploadWatchlistCsv + parameters: + - description: The ID of the watchlist to add entities to + example: high-risk-vendors + in: path + name: watchlist_id + required: true + schema: + type: string + requestBody: + content: + multipart/form-data: + examples: + csvUpload: + summary: CSV file with user entities + value: + file: | + type,user.name + user,john.doe + user,jane.smith + schema: + type: object + properties: + file: + description: The CSV file to upload. 
+ format: binary + type: string + required: + - file + required: true + responses: + '200': + content: + application/json: + examples: + CsvUploadResponse: + summary: CSV upload response with mixed results + value: + failed: 1 + items: + - matchedEntities: 1 + status: success + - error: Invalid entity type + matchedEntities: 0 + status: failure + - matchedEntities: 0 + status: unmatched + successful: 1 + total: 3 + unmatched: 1 + schema: + type: object + properties: + failed: + description: Number of rows that failed to process + example: 1 + type: integer + items: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistCsvUploadResponseItem' + type: array + successful: + description: Number of rows that matched at least one entity + example: 1 + type: integer + total: + description: Total number of rows processed + example: 3 + type: integer + unmatched: + description: Number of rows that matched no entities + example: 1 + type: integer + required: + - successful + - failed + - total + - unmatched + - items + description: Upload successful + '413': + description: File too large + summary: Upload a CSV file to add entities to a watchlist + tags: + - Security Entity Analytics API + x-state: Technical Preview + x-metaTags: + - content: Kibana + name: product_name + /api/entity_analytics/watchlists/{watchlist_id}/entities/assign: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_analytics/watchlists/{watchlist_id}/entities/assign
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Assigns the provided entities to the specified watchlist using a "manual" source label. + The entities must already exist in the entity store. + + If an entity is already on the watchlist, no new document is created — the "manual" label + is added to its existing source labels instead. + operationId: AssignWatchlistEntities + parameters: + - description: The ID of the watchlist to add entities to + example: high-risk-vendors + in: path + name: watchlist_id + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + assignEntities: + summary: Assign two entities to a watchlist + value: + euids: + - user:john.doe + - host:web-01 + schema: + type: object + properties: + euids: + description: The EUIDs of the entities to assign + example: + - user:john.doe + - host:web-01 + items: + type: string + type: array + required: + - euids + required: true + responses: + '200': + content: + application/json: + examples: + assignEntitiesResponse: + summary: Successful assignment of two entities + value: + failed: 0 + items: + - euid: user:john.doe + status: success + - euid: host:web-01 + status: not_found + not_found: 1 + successful: 1 + total: 2 + schema: + type: object + properties: + failed: + description: Number of entities that failed to process + example: 0 + type: integer + items: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistEntityAssignResponseItem' + type: array + not_found: + description: Number of entities not found in the entity store + example: 1 + type: integer + successful: + description: Number of entities successfully assigned + example: 1 + type: integer + total: + description: Total number of entities processed + example: 2 + type: integer + required: + - successful + - failed + - not_found + - total + - items + description: Assignment successful + summary: Manually assign entities 
to a watchlist + tags: + - Security Entity Analytics API + x-state: Technical Preview; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/entity_analytics/watchlists/{watchlist_id}/entities/unassign: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_analytics/watchlists/{watchlist_id}/entities/unassign
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Unassigns the provided entities from the specified watchlist. + This only removes the "manual" assignment. If the entity is also + assigned via other sources (for example, index or integration), it will + remain on the watchlist. + operationId: UnassignWatchlistEntities + parameters: + - description: The ID of the watchlist to remove entities from + example: high-risk-vendors + in: path + name: watchlist_id + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + unassignEntities: + summary: Unassign two entities from a watchlist + value: + euids: + - user:john.doe + - host:web-01 + schema: + type: object + properties: + euids: + description: The EUIDs of the entities to unassign + example: + - user:john.doe + - host:web-01 + items: + type: string + type: array + required: + - euids + required: true + responses: + '200': + content: + application/json: + examples: + unassignEntitiesResponse: + summary: Successful unassignment of two entities + value: + failed: 0 + items: + - euid: user:john.doe + status: success + - euid: host:web-01 + status: not_found + not_found: 1 + successful: 1 + total: 2 + schema: + type: object + properties: + failed: + description: Number of entities that failed to process + example: 0 + type: integer + items: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistEntityUnassignResponseItem' + type: array + not_found: + description: Number of entities not found in the manual watchlist assignment + example: 1 + type: integer + successful: + description: Number of entities successfully unassigned + example: 1 + type: integer + total: + description: Total number of entities processed + example: 2 + type: integer + required: + - successful + - failed + - not_found + - total + - items + description: Unassignment successful + summary: Manually unassign entities from a 
watchlist + tags: + - Security Entity Analytics API + x-state: Technical Preview; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/entity_analytics/watchlists/list: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/entity_analytics/watchlists/list
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Returns a list of all entity analytics watchlists. + operationId: ListWatchlists + responses: + '200': + content: + application/json: + examples: + ListWatchlistsResponse: + summary: List of watchlists + value: + - createdAt: '2026-01-28T12:00:00.000Z' + description: High risk vendor watchlist + id: watchlist-123 + managed: false + name: High Risk Vendors + riskModifier: 1.5 + updatedAt: '2026-02-18T12:00:00.000Z' + - createdAt: '2026-01-10T09:30:00.000Z' + description: Privileged user monitoring watchlist + id: watchlist-456 + managed: true + name: Privileged Accounts + riskModifier: 2 + updatedAt: '2026-02-01T15:45:00.000Z' + schema: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistObject' + type: array + description: List of watchlists + summary: List all watchlists + tags: + - Security Entity Analytics API + x-state: Technical Preview + x-metaTags: + - content: Kibana + name: product_name + /api/entity_store/enable: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_store/enable
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Initialize the entire Entity Store, creating engines for all or specified entity types. + operationId: InitEntityStore + requestBody: + content: + application/json: + schema: + type: object + properties: + delay: + default: 1m + description: The delay before the transform will run. + pattern: '[smdh]$' + type: string + docsPerSecond: + default: -1 + description: The number of documents per second to process. + type: integer + enrichPolicyExecutionInterval: + $ref: '#/components/schemas/Security_Entity_Analytics_API_Interval' + entityTypes: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + type: array + fieldHistoryLength: + default: 10 + description: The number of historical values to keep for each field. + type: integer + filter: + type: string + frequency: + default: 1m + description: The frequency at which the transform will run. + pattern: '[smdh]$' + type: string + indexPattern: + $ref: '#/components/schemas/Security_Entity_Analytics_API_IndexPattern' + lookbackPeriod: + default: 3h + description: The amount of time the transform looks back to calculate the aggregations. + pattern: '[smdh]$' + type: string + maxPageSearchSize: + default: 500 + description: The initial page size to use for the composite aggregation of each checkpoint. + type: integer + timeout: + default: 180s + description: The timeout for initializing the aggregating transform. + pattern: '[smdh]$' + type: string + timestampField: + default: '@timestamp' + description: The field to use as the timestamp. + type: string + description: Configuration for the entity store initialization. + required: true + responses: + '200': + content: + application/json: + examples: + initEntityStoreExample: + description: The Entity Store was successfully initialized, creating host and user engines in the installing state. 
+ summary: Entity Store initialized with host and user engines + value: + engines: + - delay: 1m + fieldHistoryLength: 10 + frequency: 1m + indexPattern: '' + lookbackPeriod: 24h + status: installing + timeout: 180s + timestampField: '@timestamp' + type: host + - delay: 1m + fieldHistoryLength: 10 + frequency: 1m + indexPattern: '' + lookbackPeriod: 24h + status: installing + timeout: 180s + timestampField: '@timestamp' + type: user + succeeded: true + schema: + type: object + properties: + engines: + description: The engine descriptors created during initialization. + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor' + type: array + succeeded: + description: Whether the Entity Store was initialized successfully. + type: boolean + description: Successful response + '400': + description: Invalid request + summary: Initialize the Entity Store + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/entity_store/engines: + delete: + operationId: DeleteEntityEngines + parameters: + - description: The entity type of the engine ('user', 'host', 'service', 'generic'). + examples: + hostAndService: + value: host,service + in: query + name: entityTypes + required: false + schema: + description: Array of engine types to delete. Empty by default, which results in all the engines being deleted. + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + type: array + - description: Control flag to also delete the entity data. + in: query + name: delete_data + required: false + schema: + type: boolean + responses: + '200': + content: + application/json: + examples: + deleteEntityEnginesExample: + description: Example response after deleting 'host' engine + value: + deleted: + - host + still_running: + - generic + - user + - service + schema: + type: object + properties: + deleted: + description: Entity types whose engines were successfully deleted. 
+ items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + type: array + still_running: + description: Entity types whose engines are still running. + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + type: array + description: Successful response + summary: Delete Entity Engines + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/entity_store/engines
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/entity_store/engines
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all installed entity engines and their current status. + operationId: ListEntityEngines + responses: + '200': + content: + application/json: + examples: + listEntityEnginesExample: + description: Returns a list with one running host engine and one stopped user engine. + summary: Two engines installed + value: + count: 2 + engines: + - delay: 1m + fieldHistoryLength: 10 + frequency: 1m + indexPattern: '' + lookbackPeriod: 24h + status: started + timeout: 180s + timestampField: '@timestamp' + type: host + - delay: 1m + fieldHistoryLength: 10 + frequency: 1m + indexPattern: '' + lookbackPeriod: 24h + status: stopped + timeout: 180s + timestampField: '@timestamp' + type: user + schema: + type: object + properties: + count: + description: The total number of entity engines. + type: integer + engines: + description: An array of engine descriptors. + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor' + type: array + description: Successful response + summary: List the Entity Engines + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/entity_store/engines/{entityType}: + delete: + operationId: DeleteEntityEngine + parameters: + - description: The entity type of the engine (either 'user' or 'host'). + examples: + host: + value: host + in: path + name: entityType + required: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + - description: Control flag to also delete the entity data. + in: query + name: delete_data + required: false + schema: + type: boolean + - deprecated: true + description: Control flag to also delete the entity data. 
+ in: query + name: data + required: false + schema: + type: boolean + responses: + '200': + content: + application/json: + examples: + deleteEntityEngineExample: + description: Example response after deleting 'host' engine + value: + deleted: true + schema: + type: object + properties: + deleted: + description: Whether the engine was successfully deleted. + type: boolean + description: Successful response + summary: Delete the Entity Engine + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/entity_store/engines/{entityType}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/entity_store/engines/{entityType}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the engine descriptor for a specific entity type, including its configuration and current status. + operationId: GetEntityEngine + parameters: + - description: The entity type of the engine. + example: host + in: path + name: entityType + required: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + responses: + '200': + content: + application/json: + examples: + getEntityEngineExample: + description: Returns the engine descriptor for a host engine that is currently running with default settings. + summary: A running host engine + value: + delay: 1m + fieldHistoryLength: 10 + frequency: 1m + indexPattern: '' + lookbackPeriod: 24h + status: started + timeout: 180s + timestampField: '@timestamp' + type: host + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor' + description: Successful response + summary: Get an Entity Engine + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/entity_store/engines/{entityType}/init: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_store/engines/{entityType}/init
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Initialize a single entity engine for the specified entity type. + operationId: InitEntityEngine + parameters: + - description: The entity type of the engine. + in: path + name: entityType + required: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + requestBody: + content: + application/json: + schema: + type: object + properties: + delay: + default: 1m + description: The delay before the transform will run. + pattern: '[smdh]$' + type: string + docsPerSecond: + default: -1 + description: The number of documents per second to process. + type: integer + enrichPolicyExecutionInterval: + $ref: '#/components/schemas/Security_Entity_Analytics_API_Interval' + fieldHistoryLength: + default: 10 + description: The number of historical values to keep for each field. + type: integer + filter: + type: string + frequency: + default: 1m + description: The frequency at which the transform will run. + pattern: '[smdh]$' + type: string + indexPattern: + $ref: '#/components/schemas/Security_Entity_Analytics_API_IndexPattern' + lookbackPeriod: + default: 3h + description: The amount of time the transform looks back to calculate the aggregations. + pattern: '[smdh]$' + type: string + maxPageSearchSize: + default: 500 + description: The initial page size to use for the composite aggregation of each checkpoint. + type: integer + timeout: + default: 180s + description: The timeout for initializing the aggregating transform. + pattern: '[smdh]$' + type: string + timestampField: + default: '@timestamp' + description: The field to use as the timestamp for the entity type. + type: string + description: Schema for the engine initialization + required: true + responses: + '200': + content: + application/json: + examples: + initEntityEngineExample: + description: A host engine was successfully initialized and is now in the installing state. 
+ summary: Host engine initialized + value: + delay: 1m + fieldHistoryLength: 10 + frequency: 1m + indexPattern: '' + lookbackPeriod: 3h + status: installing + timeout: 180s + timestampField: '@timestamp' + type: host + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor' + description: Successful response + '400': + description: Invalid request + summary: Initialize an Entity Engine + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/entity_store/engines/{entityType}/start: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_store/engines/{entityType}/start
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Start a previously stopped entity engine, resuming transform processing for the given entity type. + operationId: StartEntityEngine + parameters: + - description: The entity type of the engine to start. + example: host + in: path + name: entityType + required: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + responses: + '200': + content: + application/json: + examples: + startEntityEngineExample: + description: The engine was successfully started and is now processing data. + summary: Engine started successfully + value: + started: true + schema: + type: object + properties: + started: + description: Whether the engine was successfully started. + type: boolean + description: Successful response + summary: Start an Entity Engine + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/entity_store/engines/{entityType}/stop: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_store/engines/{entityType}/stop
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Stop a running entity engine, pausing transform processing for the given entity type. + operationId: StopEntityEngine + parameters: + - description: The entity type of the engine to stop. + example: host + in: path + name: entityType + required: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + responses: + '200': + content: + application/json: + examples: + stopEntityEngineExample: + description: The engine was successfully stopped and is no longer processing data. + summary: Engine stopped successfully + value: + stopped: true + schema: + type: object + properties: + stopped: + description: Whether the engine was successfully stopped. + type: boolean + description: Successful response + summary: Stop an Entity Engine + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/entity_store/engines/apply_dataview_indices: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/entity_store/engines/apply_dataview_indices
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Synchronize data view index patterns to all running entity engines so that newly added indices are picked up by the transforms. + operationId: ApplyEntityEngineDataviewIndices + responses: + '200': + content: + application/json: + examples: + applyDataviewIndicesExample: + description: All running engines were successfully updated with the current data view index patterns. + summary: All engines updated + value: + result: + - changes: + indexPatterns: + - logs-* + - filebeat-* + - auditbeat-* + type: host + - changes: + indexPatterns: + - logs-* + - filebeat-* + - auditbeat-* + type: user + success: true + schema: + type: object + properties: + result: + description: Per-engine update results. + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDataviewUpdateResult' + type: array + success: + description: Whether all engines updated successfully. + type: boolean + description: Successful response + '207': + content: + application/json: + examples: + partialSuccessExample: + description: The host engine was updated but the user engine failed due to insufficient privileges. + summary: One engine failed + value: + errors: + - 'Failed to update user engine: insufficient privileges' + result: + - changes: + indexPatterns: + - logs-* + - filebeat-* + type: host + success: false + schema: + type: object + properties: + errors: + description: Error messages for engines that failed to update. + items: + type: string + type: array + result: + description: Per-engine update results for engines that succeeded. + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDataviewUpdateResult' + type: array + success: + description: Always `false` for a partial success. 
+ type: boolean + description: Partial successful response + '500': + content: + application/json: + examples: + serverErrorExample: + description: An unexpected error occurred while applying data view indices. + summary: Internal server error + value: + body: An internal error occurred while updating engine indices + statusCode: 500 + schema: + type: object + properties: + body: + description: Error message. + type: string + statusCode: + description: HTTP status code. + type: number + description: Error response + summary: Apply DataView indices to all installed engines + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/entity_store/entities/{entityType}: + delete: + description: | + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/entity_store/entities/{entityType}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a single entity in Entity Store. + The entity will be immediately deleted from the latest index. It will remain available in historical snapshots if it has been snapshotted. The delete operation does not prevent the entity from being recreated if it is observed again in the future. + operationId: DeleteSingleEntity + parameters: + - example: user + in: path + name: entityType + required: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + requestBody: + content: + application/json: + schema: + type: object + properties: + id: + description: Identifier of the entity to be deleted, commonly entity.id value. + example: arn:aws:iam::123456789012:user/jane.doe + type: string + required: + - id + description: Schema for the deleting entity + required: true + responses: + '200': + content: + application/json: + examples: + deleteEntityExample: + description: The entity was found and successfully removed from the latest index. + summary: Entity deleted + value: + deleted: true + schema: + type: object + properties: + deleted: + description: Whether the entity was successfully deleted. + type: boolean + description: Successful response. Entity deleted. + '404': + description: Entity Not Found. No entity with this ID and Type exists. + '503': + description: Operation on an uninitialized Engine or in a cluster without CRUD API Enabled + summary: Delete an entity in Entity Store + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + put: + description: | + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/entity_store/entities/{entityType}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update or create an entity in Entity Store. + If the specified entity already exists, it is updated with the provided values. If the entity does not exist, a new one is created. By default, only the following fields can be updated: * `entity.attributes.*` * `entity.lifecycle.*` * `entity.behavior.*` To update other fields, set the `force` query parameter to `true`. > info > Some fields always retain the first observed value. Updates to these fields will not appear in the final index. + > Due to technical limitations, not all updates are guaranteed to appear in the final list of observed values. + > Due to technical limitations, create is an async operation. The time for a document to be present in the > final index depends on the entity store transform and usually takes more than 1 minute. + operationId: UpsertEntity + parameters: + - example: user + in: path + name: entityType + required: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + - description: When true, allows updating protected fields. + in: query + name: force + required: false + schema: + default: false + type: boolean + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_Entity' + description: Schema for the updating a single entity + required: true + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_Entity' + description: Entity updated or created + '403': + description: Operation on a restricted field + '409': + description: Conflict. 
The entity was updated while another update was happening in ElasticSearch + '503': + description: Operation on an uninitialized Engine or in a cluster without CRUD API Enabled + summary: Upsert an entity in Entity Store + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/entity_store/entities/bulk: + put: + description: | + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/entity_store/entities/bulk
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update or create many entities in Entity Store. + If the specified entity already exists, it is updated with the provided values. If the entity does not exist, a new one is created. + The creation is asynchronous. The time for a document to be present in the final index depends on the entity store transform and usually takes more than 1 minute. + operationId: UpsertEntitiesBulk + parameters: + - description: When true, allows updating protected fields. + in: query + name: force + required: false + schema: + default: false + type: boolean + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntitiesContainer' + description: Schema for the updating many entities + required: true + responses: + '200': + description: Entities updated or created + '403': + description: Operation on a restricted field + '503': + description: Operation on an uninitialized Engine or in a cluster without CRUD API Enabled + summary: Upsert many entities in Entity Store + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/entity_store/entities/list: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/entity_store/entities/list
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List entities records, paging, sorting and filtering as needed. + operationId: ListEntities + parameters: + - description: Field to sort results by. + example: entity.name + in: query + name: sort_field + required: false + schema: + type: string + - description: Sort order. + in: query + name: sort_order + required: false + schema: + enum: + - asc + - desc + type: string + - description: Page number to return (1-indexed). + example: 1 + in: query + name: page + required: false + schema: + minimum: 1 + type: integer + - description: Number of entities per page. + example: 10 + in: query + name: per_page + required: false + schema: + maximum: 10000 + minimum: 1 + type: integer + - description: An ES query to filter by. + in: query + name: filterQuery + required: false + schema: + type: string + - description: Entity types to include in the results. + in: query + name: entity_types + required: true + schema: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + type: array + responses: + '200': + content: + application/json: + schema: + type: object + properties: + inspect: + $ref: '#/components/schemas/Security_Entity_Analytics_API_InspectQuery' + page: + description: Current page number. + minimum: 1 + type: integer + per_page: + description: Number of entities per page. + maximum: 1000 + minimum: 1 + type: integer + records: + description: The entity records for this page. + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_Entity' + type: array + total: + description: Total number of entities matching the query. 
+ minimum: 0 + type: integer + required: + - records + - page + - per_page + - total + description: Entities returned successfully + summary: List Entity Store Entities + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/entity_store/status: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/entity_store/status
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the overall Entity Store status and per-engine statuses, optionally including component-level health details. + operationId: GetEntityStoreStatus + parameters: + - description: If true, returns a detailed status of each engine including all its components. + example: true + in: query + name: include_components + schema: + type: boolean + responses: + '200': + content: + application/json: + examples: + entityStoreRunning: + description: The Entity Store is running with both host and user engines started and using default settings. + summary: Entity Store running with two engines + value: + engines: + - delay: 1m + fieldHistoryLength: 10 + frequency: 1m + indexPattern: '' + lookbackPeriod: 24h + status: started + timeout: 180s + timestampField: '@timestamp' + type: host + - delay: 1m + fieldHistoryLength: 10 + frequency: 1m + indexPattern: '' + lookbackPeriod: 24h + status: started + timeout: 180s + timestampField: '@timestamp' + type: user + status: running + schema: + type: object + properties: + engines: + description: Per-engine status information. + items: + allOf: + - $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor' + - type: object + properties: + components: + description: Detailed component-level status. Only included when include_components is true. + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineComponentStatus' + type: array + type: array + status: + $ref: '#/components/schemas/Security_Entity_Analytics_API_StoreStatus' + description: The overall status of the Entity Store. + required: + - status + - engines + description: Successful response + summary: Get the status of the Entity Store + tags: + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/exception_lists: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/exception_lists
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete an exception list using the `id` or `list_id` field. + operationId: DeleteExceptionList + parameters: + - description: Exception list's identifier. Either `id` or `list_id` must be specified. + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' + - description: Human readable exception list string identifier, e.g. `trusted-linux-processes`. Either `id` or `list_id` must be specified. + examples: + autogeneratedId: + value: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + list_id: + value: simple_list + in: query + name: list_id + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + - description: | + `single` deletes the list in the current Kibana space; `agnostic` deletes a global list. Must match the + list you are removing when using `list_id` or `id`. + examples: + agnostic: + value: agnostic + single: + value: single + in: query + name: namespace_type + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + default: single + responses: + '200': + content: + application/json: + examples: + detectionExceptionList: + value: + _version: WzIsMV0= + created_at: '2025-01-07T19:34:27.942Z' + created_by: elastic + description: This is a sample detection type exception list. 
+ id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 + immutable: false + list_id: simple_list + name: Sample Detection Exception List + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 + type: detection + updated_at: '2025-01-07T19:34:27.942Z' + updated_by: elastic + version: 1 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request query]: namespace_type.0: Invalid enum value. Expected ''agnostic'' | ''single'', received ''blob''' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [DELETE /api/exception_lists?list_id=simple_list&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'exception list list_id: "foo" does not exist' + status_code: 404 + schema: + $ref: 
'#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Delete an exception list + tags: + - Security Exceptions API + x-metaTags: + - content: Kibana + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/exception_lists
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the details of an exception list using the `id` or `list_id` field. + operationId: ReadExceptionList + parameters: + - description: Exception list's identifier. Either `id` or `list_id` must be specified. + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' + - description: Human readable exception list string identifier, e.g. `trusted-linux-processes`. Either `id` or `list_id` must be specified. + in: query + name: list_id + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + - description: | + When `single`, the list is resolved in the current Kibana space. When `agnostic`, the list is a global + (space-agnostic) container. Required for looking up the correct list when `list_id` is not unique. + examples: + agnostic: + value: agnostic + single: + value: single + in: query + name: namespace_type + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + default: single + responses: + '200': + content: + application/json: + examples: + detectionType: + value: + _version: WzIsMV0= + created_at: '2025-01-07T19:34:27.942Z' + created_by: elastic + description: This is a sample detection type exception list. 
+ id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 + immutable: false + list_id: simple_list + name: Sample Detection Exception List + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 + type: detection + updated_at: '2025-01-07T19:34:27.942Z' + updated_by: elastic + version: 1 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request query]: namespace_type.0: Invalid enum value. Expected ''agnostic'' | ''single'', received ''blob''' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [GET /api/exception_lists?list_id=simple_list&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message": 'exception list id: "foo" does not exist' + status_code": 404 + schema: + $ref: 
'#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list item not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Get exception list details + tags: + - Security Exceptions API + x-metaTags: + - content: Kibana + name: product_name + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/exception_lists
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + An exception list groups exception items and can be associated with detection rules. You can assign exception lists to multiple detection rules. + > info + > All exception items added to the same list are evaluated using `OR` logic. That is, if any of the items in a list evaluate to `true`, the exception prevents the rule from generating an alert. Likewise, `OR` logic is used for evaluating exceptions when more than one exception list is assigned to a rule. To use the `AND` operator, you can define multiple clauses (`entries`) in a single exception item. + operationId: CreateExceptionList + requestBody: + content: + application/json: + examples: + createDetection: + value: + description: This is a sample detection type exception list. + list_id: simple_list + name: Sample Detection Exception List + namespace_type: single + os_types: + - linux + tags: + - malware + type: detection + schema: + example: + description: This is a sample detection type exception list. 
+ list_id: simple_list + name: Sample Detection Exception List + namespace_type: single + os_types: + - linux + tags: + - malware + type: detection + type: object + properties: + description: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListDescription' + list_id: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + meta: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListMeta' + name: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListName' + namespace_type: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + default: single + os_types: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray' + tags: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListTags' + default: [] + type: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListType' + version: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListVersion' + default: 1 + required: + - name + - description + - type + description: Exception list's properties + required: true + responses: + '200': + content: + application/json: + examples: + autogeneratedListId: + value: + _version: WzMsMV0= + created_at: '2025-01-09T01:05:23.019Z' + created_by: elastic + description: This is a sample detection type exception with an autogenerated list_id. + id: 28243c2f-624a-4443-823d-c0b894880931 + immutable: false + list_id: 8c1aae4c-1ef5-4bce-a2e3-16584b501783 + name: Sample Detection Exception List + namespace_type: single + os_types: [] + tags: + - malware + tie_breaker_id: ad94de31-39f7-4ad7-b8e4-988bfa95f338 + type: detection + updated_at: '2025-01-09T01:05:23.020Z' + updated_by: elastic + version: 1 + namespaceAgnostic: + value: + _version: WzUsMV0= + created_at: '2025-01-09T01:10:36.369Z' + created_by: elastic + description: This is a sample agnostic endpoint type exception. 
+ id: 1a744e77-22ca-4b6b-9085-54f55275ebe5 + immutable: false + list_id: b935eb55-7b21-4c1c-b235-faa1df23b3d6 + name: Sample Agnostic Endpoint Exception List + namespace_type: agnostic + os_types: + - linux + tags: + - malware + tie_breaker_id: 49ea0adc-a2b8-4d83-a8f3-2fb98301dea3 + type: endpoint + updated_at: '2025-01-09T01:10:36.369Z' + updated_by: elastic + version: 1 + typeDetection: + value: + _version: WzIsMV0= + created_at: '2025-01-07T19:34:27.942Z' + created_by: elastic + description: This is a sample detection type exception list. + id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 + immutable: false + list_id: simple_list + name: Sample Detection Exception List + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 + type: detection + updated_at: '2025-01-07T19:34:27.942Z' + updated_by: elastic + version: 1 + typeEndpoint: + value: + _version: WzQsMV0= + created_at: '2025-01-09T01:07:49.658Z' + created_by: elastic + description: This is a sample endpoint type exception list. + id: a79f4730-6e32-4278-abfc-349c0add7d54 + immutable: false + list_id: endpoint_list + name: Sample Endpoint Exception List + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 94a028af-8f47-427a-aca5-ffaf829e64ee + type: endpoint + updated_at: '2025-01-09T01:07:49.658Z' + updated_by: elastic + version: 1 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' description: Successful response '400': content: 
@@ -10862,16 +24439,12 @@ paths: badRequest: value: error: Bad Request - message: >- - [request body].timeframeEnd: expected string, received - null + message: '[request body]: list_id: Expected string, received number' statusCode: 400 schema: oneOf: - - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Detections_API_SiemErrorResponse + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Invalid input data response '401': content: @@ -10883,9 +24456,31 @@ paths: message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" statusCode: 401 schema: - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [POST /api/exception_lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '409': + content: + application/json: + examples: + alreadyExists: + value: + message: 'exception list id: "simple_list" already exists' + status_code: 409 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list already exists response '500': content: application/json: 
@@ -10895,65 +24490,109 @@ paths: message: Internal Server Error status_code: 500 schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Internal server error response - summary: Preview rule alerts generated on specified time range + summary: Create an exception list tags: - - Security Detections API - - Rule preview API - /api/detection_engine/signals/assignees: - post: - description: | - Assign users to detection alerts, and unassign them from alerts. - > info - > You cannot add and remove the same assignee in the same request. - operationId: SetAlertAssignees + - Security Exceptions API + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/exception_lists
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an exception list using the `id` or `list_id` field. + operationId: UpdateExceptionList requestBody: content: application/json: examples: - add: - $ref: >- - #/components/examples/Security_Detections_API_SetAlertAssigneesBodyAdd - remove: - $ref: >- - #/components/examples/Security_Detections_API_SetAlertAssigneesBodyRemove + fullReplace: + value: + description: Different description + list_id: simple_list + name: Updated exception list name + os_types: + - linux + tags: + - draft + - malware + type: detection schema: - $ref: >- - #/components/schemas/Security_Detections_API_SetAlertAssigneesBody - description: User profile IDs to add or remove on each listed alert document ID. + example: + description: Different description + list_id: simple_list + name: Updated exception list name + os_types: + - linux + tags: + - draft malware + type: detection + type: object + properties: + _version: + description: The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version. 
+ type: string + description: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListDescription' + id: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' + list_id: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + meta: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListMeta' + name: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListName' + namespace_type: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + default: single + os_types: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray' + default: [] + tags: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListTags' + type: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListType' + version: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListVersion' + required: + - name + - description + - type + description: Exception list's properties required: true responses: '200': content: application/json: examples: - add: + simpleList: value: - batches: 1 - deleted: 0 - failures: [] - noops: 0 - requests_per_second: -1 - retries: - bulk: 0 - search: 0 - throttled_millis: 0 - throttled_until_millis: 0 - timed_out: false - took: 76 - total: 1 - updated: 1 - version_conflicts: 0 + _version: WzExLDFd + created_at: '2025-01-07T20:43:55.264Z' + created_by: elastic + description: Different description + id: fa7f545f-191b-4d32-b1f0-c7cd62a79e55 + immutable: false + list_id: simple_list + name: Updated exception list name + namespace_type: single + os_types: [] + tags: + - draft malware + tie_breaker_id: 319fe983-acdd-4806-b6c4-3098eae9392f + type: detection + updated_at: '2025-01-07T21:32:03.726Z' + updated_by: elastic + version: 2 schema: - additionalProperties: true - description: Elasticsearch update by query response - type: object - description: > - Indicates a successful call. 
The body matches an Elasticsearch - update-by-query response - - (for example `took`, `updated`, `failures`). + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + description: Successful response '400': content: application/json: @@ -10961,16 +24600,12 @@ paths: badRequest: value: error: Bad Request - message: >- - [request body].ids: at least one alert id is required to - update assignees + message: '[request body]: list_id: Expected string, received number' statusCode: 400 schema: oneOf: - - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Detections_API_SiemErrorResponse + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Invalid input data response '401': content: @@ -10979,11 +24614,10 @@ paths: unauthorized: value: error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: 
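Review bot: The `_version` property description in the `UpdateExceptionList` request schema reads "Use it ensure updates are done against the latest version." and is missing a word; it should be `Use it to ensure updates are done against the latest version.` Since `_version` is the optimistic-concurrency token, this sentence is the one a client author reads to decide whether to send it, so it is worth getting right. Separately, the schema `example` and the `simpleList` 200 example show `tags:` with a single entry `draft malware`, while the `fullReplace` request example lists `draft` and `malware` as two entries; one of the two is presumably wrong and they should agree. The `put` operation continues in the following hunks (400/401/403 responses are there).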
@@ -10992,16 +24626,22 @@ paths: forbidden: value: error: Forbidden - message: >- - API [POST /api/detection_engine/signals/assignees] is - unauthorized for the current user, this action is granted - by the Kibana Security Solution privileges for cases and - detections + message: API [PUT /api/exception_lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] statusCode: 403 schema: - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message": 'exception list id: "foo" does not exist' + status_code": 404 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list not found response '500': content: application/json: @@ -11011,75 +24651,80 @@ paths: message: Internal Server Error status_code: 500 schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Internal server error response - summary: Assign and unassign users from detection alerts + summary: Update an exception list tags: - - Security Detections API - - Alerts API - /api/detection_engine/signals/finalize_migration: + - Security Exceptions API + x-metaTags: + - content: Kibana + name: product_name + /api/exception_lists/_duplicate: post: - deprecated: true - description: > - **DEPRECATED.** Completes a legacy alert index migration. Do not - automate against this in new code. - - **WARNING:** Finalizing swaps read aliases; confirm the migration has - finished successfully before calling. - + description: |- + **Spaces method and path for this operation:** - Finalize successful migrations of detection alerts. This replaces the - original index's alias with the +
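Review bot: The added `'404'` example for `UpdateExceptionList` has a stray double quote in both keys, `message": 'exception list id: "foo" does not exist'` and `status_code": 404`, so the example object has keys `message"` and `status_code"` and no longer matches the referenced `Security_Exceptions_API_SiemErrorResponse`. They should read `message: 'exception list id: "foo" does not exist'` and `status_code: 404`. The same typo is present in the `ReadExceptionList` 404 example near the top of this chunk and in the `ExportExceptionList` 404 example in the hunk ending at the `_find` section; if this bundle is generated from per-domain spec files, the fix belongs in the source spec rather than here.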
post /s/{space_id}/api/exception_lists/_duplicate
- successfully migrated index's alias. The endpoint is idempotent, so you - can poll until a migration + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - finishes and then call this operation once. - operationId: FinalizeAlertsMigration - requestBody: - content: - application/json: - examples: - oneMigration: - value: - migration_ids: - - 924f7c50-505f-11eb-ae0a-3fa2e626a51d - schema: - example: - migration_ids: - - 924f7c50-505f-11eb-ae0a-3fa2e626a51d - type: object - properties: - migration_ids: - description: Array of `migration_id`s to finalize. - items: - type: string - minItems: 1 - type: array - required: - - migration_ids - description: Array of `migration_id`s to finalize - required: true + Duplicate an existing exception list. + operationId: DuplicateExceptionList + parameters: + - description: The `list_id` of the existing exception list to copy (source list). + in: query + name: list_id + required: true + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + - description: Scope in which the source list is defined (`single` = current space, `agnostic` = all spaces). + examples: + agnostic: + value: agnostic + single: + value: single + in: query + name: namespace_type + required: true + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + - description: Determines whether to include expired exceptions in the duplicated list. Expiration date defined by `expire_time`. 
+ in: query + name: include_expired_exceptions + required: true + schema: + default: 'true' + enum: + - 'true' + - 'false' + example: true + type: string responses: '200': content: application/json: examples: - success: + detectionExceptionList: value: - migrations: - - completed: true - destinationIndex: .siem-signals-default-000002-r000016 - id: 924f7c50-505f-11eb-ae0a-3fa2e626a51d - sourceIndex: .siem-signals-default-000002 - status: success - updated: '2021-01-06T22:05:56.859Z' - version: 16 + _version: WzExNDY1LDFd + created_at: '2025-01-09T16:19:50.280Z' + created_by: elastic + description: This is a sample detection type exception + id: b2f4a715-6ab1-444c-8b1e-3fa1b1049429 + immutable: false + list_id: d6390d60-bce3-4a48-9002-52db600f329c + name: Sample Detection Exception List [Duplicate] + namespace_type: single + os_types: [] + tags: + - malware + tie_breaker_id: 6fa670bd-666d-4c9c-9f1e-d1dbc516e985 + type: detection + updated_at: '2025-01-09T16:19:50.280Z' + updated_by: elastic + version: 1 schema: - items: - $ref: >- - #/components/schemas/Security_Detections_API_MigrationFinalizationResult - type: array + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' description: Successful response '400': content: @@ -11088,16 +24733,12 @@ paths: badRequest: value: error: Bad Request - message: >- - [request body].migration_ids: at least one migration id is - required to finalize + message: '[request query]: namespace_type: Invalid enum value. Expected ''agnostic'' | ''single'', received ''foo''' statusCode: 400 schema: oneOf: - - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Detections_API_SiemErrorResponse + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Invalid input data response '401': content: 
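Review bot: The `include_expired_exceptions` query parameter on `DuplicateExceptionList` is declared `required: true` but also carries `default: 'true'`, and its `example: true` is a YAML boolean while the schema is a string enum of `'true'`/`'false'`; validators and generated clients will disagree on what a valid request looks like. If the server really falls back to `true` when the parameter is absent, `required: false` with the default kept and `example: 'true'` is the consistent form; if it is genuinely required, drop the `default`. The `ExportExceptionList` parameter of the same name (hunk ending at the `_find` section) has the identical mismatch, so both should be changed together.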
@@ -11106,12 +24747,45 @@ paths: unauthorized: value: error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [POST /api/exception_lists/_duplicate] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'exception list id: "foo" does not exist' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Exception list not found + '405': + content: + application/json: + examples: + notAllowed: + value: + message: 'Cannot duplicate: list is immutable or the operation is not allowed in this state' + status_code: 405 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list to duplicate not found response '500': content: application/json: 
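Review bot: The new `'405'` response on `DuplicateExceptionList` is described as `Exception list to duplicate not found response`, but its example says "Cannot duplicate: list is immutable or the operation is not allowed in this state" and the `'404'` directly above already covers the not-found case; the description should match the status, e.g. `description: Exception list cannot be duplicated response`. The `'404'` schema also references `Security_Exceptions_API_PlatformErrorResponse` while its example uses the `message`/`status_code` shape, which every other 404 in this chunk models with `Security_Exceptions_API_SiemErrorResponse`, so that `$ref` looks like a copy error. The `post` operation's 500 response and summary are in the next hunk.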
@@ -11121,78 +24795,265 @@ paths: message: Internal Server Error status_code: 500 schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Internal server error response - summary: Finalize detection alert migrations + summary: Duplicate an exception list tags: - - Security Detections API - - Alerts migration API - /api/detection_engine/signals/migration: - delete: - deprecated: true - description: > - **DEPRECATED.** Cleanup API for old migration artifacts. Do not add new - call sites. + - Security Exceptions API + x-metaTags: + - content: Kibana + name: product_name + /api/exception_lists/_export: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/exception_lists/_export
- **WARNING:** This schedules deletions; ensure no production reads still - point at the source index. + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Export an exception list and its associated items to an NDJSON file. + operationId: ExportExceptionList + parameters: + - description: Exception list's internal `id` (UUID) returned on create; use with `list_id` and `namespace_type` for an unambiguous target. + in: query + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' + - description: Human-readable `list_id` of the exception list to export, as shown in the UI and API responses. + in: query + name: list_id + required: true + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + - description: | + `single` exports a list in the current Kibana space; `agnostic` exports a global (space-agnostic) list. + examples: + agnostic: + value: agnostic + single: + value: single + in: query + name: namespace_type + required: true + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + - description: Determines whether to include expired exceptions in the exported list. Expiration date defined by `expire_time`. 
+ example: true + in: query + name: include_expired_exceptions + required: true + schema: + default: 'true' + enum: + - 'true' + - 'false' + type: string + responses: + '200': + content: + application/ndjson: + examples: + exportSavedObjectsResponse: + value: | + {"_version":"WzExNDU5LDFd","created_at":"2025-01-09T16:18:17.757Z","created_by":"elastic","description":"This is a sample detection type exception","id":"c86c2da0-2ab6-4343-b81c-216ef27e8d75","immutable":false,"list_id":"simple_list","name":"Sample Detection Exception List","namespace_type":"single","os_types":[],"tags":["user added string for a tag","malware"],"tie_breaker_id":"cf4a7b92-732d-47f0-a0d5-49a35a1736bf","type":"detection","updated_at":"2025-01-09T16:18:17.757Z","updated_by":"elastic","version":1} + {"_version":"WzExNDYxLDFd","comments":[],"created_at":"2025-01-09T16:18:42.308Z","created_by":"elastic","description":"This is a sample endpoint type exception","entries":[{"type":"exists","field":"actingProcess.file.signer","operator":"excluded"},{"type":"match_any","field":"host.name","value":["some host","another host"],"operator":"included"}],"id":"f37597ce-eaa7-4b64-9100-4301118f6806","item_id":"simple_list_item","list_id":"simple_list","name":"Sample Endpoint Exception List","namespace_type":"single","os_types":["linux"],"tags":["user added string for a tag","malware"],"tie_breaker_id":"4ca3ef3e-9721-42c0-8107-cf47e094d40f","type":"simple","updated_at":"2025-01-09T16:18:42.308Z","updated_by":"elastic"} + {"exported_exception_list_count":1,"exported_exception_list_item_count":1,"missing_exception_list_item_count":0,"missing_exception_list_items":[],"missing_exception_lists":[],"missing_exception_lists_count":0} + schema: + description: A `.ndjson` file containing specified exception list and its items + format: binary + type: string + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request query]: 
list_id: Required, namespace_type: Required' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [POST /api/exception_lists/_export] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message": 'exception list id: "foo" does not exist' + status_code": 404 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Export an exception list + tags: + - Security Exceptions API + x-metaTags: + - content: Kibana + name: product_name + /api/exception_lists/_find: + get: + description: |- + **Spaces method and path for this operation:** +
get /s/{space_id}/api/exception_lists/_find
- Migrations favor data integrity over shard size. Consequently, unused or - orphaned indices are artifacts of + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - the migration process. A successful migration can leave both the old and - new indices present, so the old + Get a list of all exception list containers. + operationId: FindExceptionLists + parameters: + - description: | + Filters the returned results according to the value of the specified field. - index may be deleted. While you can delete these indices manually, the - endpoint applies a deletion policy + Uses the `so type.field name:field` value syntax, where `so type` can be: - to the relevant index, causing it to be deleted after 30 days, and - removes other migration-specific artifacts. - operationId: AlertsMigrationCleanup - requestBody: - content: - application/json: - examples: - cleanupMigrations: - value: - migration_ids: - - 924f7c50-505f-11eb-ae0a-3fa2e626a51d - schema: - example: - migration_ids: - - 924f7c50-505f-11eb-ae0a-3fa2e626a51d - type: object - properties: - migration_ids: - description: Array of `migration_id`s to cleanup. - items: - type: string - minItems: 1 - type: array - required: - - migration_ids - description: Array of `migration_id`s to cleanup - required: true + - `exception-list`: Specify a space-aware exception list. + - `exception-list-agnostic`: Specify an exception list that is shared across spaces. 
+ in: query + name: filter + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_FindExceptionListsFilter' + - description: | + Determines whether the returned containers are Kibana associated with a Kibana space + or available in all spaces (`agnostic` or `single`) + examples: + agnostic: + value: agnostic + single: + value: single + in: query + name: namespace_type + required: false + schema: + default: + - single + items: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + type: array + - description: The page number to return + in: query + name: page + required: false + schema: + example: 1 + minimum: 1 + type: integer + - description: The number of exception lists to return per page + in: query + name: per_page + required: false + schema: + example: 20 + minimum: 1 + type: integer + - description: Determines which field is used to sort the results. + in: query + name: sort_field + required: false + schema: + example: name + type: string + - description: Determines the sort order, which can be `desc` or `asc`. + in: query + name: sort_order + required: false + schema: + enum: + - desc + - asc + example: desc + type: string responses: '200': content: application/json: examples: - success: + simpleLists: value: - migrations: - - destinationIndex: .siem-signals-default-000002-r000016 - id: 924f7c50-505f-11eb-ae0a-3fa2e626a51d - sourceIndex: .siem-signals-default-000002 - status: success - updated: 2021-01-06T22:05:56.859Z - version: 16 + data: + - _version: WzIsMV0= + created_at: '2025-01-07T19:34:27.942Z' + created_by: elastic + description: This is a sample detection type exception list. 
+ id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 + immutable: false + list_id: simple_list + name: Detection Exception List + namespace_type: single + os_types: [] + tags: + - malware + tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 + type: detection + updated_at: '2025-01-07T19:34:27.942Z' + updated_by: elastic + version: 1 + page: 1 + per_page: 20 + total: 1 schema: - items: - $ref: >- - #/components/schemas/Security_Detections_API_MigrationCleanupResult - type: array + type: object + properties: + data: + items: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + type: array + page: + minimum: 1 + type: integer + per_page: + minimum: 1 + type: integer + total: + minimum: 0 + type: integer + required: + - data + - page + - per_page + - total description: Successful response '400': content: @@ -11201,16 +25062,12 @@ paths: badRequest: value: error: Bad Request - message: >- - [request body].migration_ids: at least one migration id is - required to run cleanup + message: '[request query]: namespace_type.0: Invalid enum value. Expected ''agnostic'' | ''single'', received ''blob''' statusCode: 400 schema: oneOf: - - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Detections_API_SiemErrorResponse + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Invalid input data response '401': content: 
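Review bot: The `namespace_type` parameter description on `FindExceptionLists` is garbled, "Determines whether the returned containers are Kibana associated with a Kibana space or available in all spaces (`agnostic` or `single`)"; a readable form is `Determines whether the returned containers are associated with the current Kibana space (` + "`single`" + `) or available in all spaces (` + "`agnostic`" + `).` written as one sentence. In the `ExportExceptionList` section of this same hunk, `id`, `list_id` and `namespace_type` are all marked `required: true`, yet the `id` description says to use it "with `list_id` and `namespace_type` for an unambiguous target" as if it were optional, and the 400 example `'[request query]: list_id: Required, namespace_type: Required'` omits `id`; either the requirement or the text is inconsistent and one should be corrected. The `_find` operation continues in the following hunks.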
@@ -11219,12 +25076,23 @@ paths: unauthorized: value: error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [GET /api/exception_lists/_find?namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response '500': content: application/json: 
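Review bot: The 401 example `message` is re-quoted from a YAML double-quoted scalar to a single-quoted one, and single-quoted YAML does not process backslash escapes, so the `\n` and `\t` that previously rendered as newlines and tabs will now appear literally in the generated docs. Keep the double-quoted form, or use a block scalar such as `message: |-` with real line breaks. The same re-quoting is repeated in the 401 examples of the hunks at `@@ -11337`, `@@ -11454`, `@@ -11576` and `@@ -11820`, and the new 400/404 examples at `@@ -11234`, `@@ -11454` and `@@ -11576` have the same problem with `\"…\"` inside single quotes, which will render as literal backslashes.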
@@ -11234,83 +25102,125 @@ paths: message: Internal Server Error status_code: 500 schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Internal server error response - summary: Clean up detection alert migrations + summary: Get exception lists tags: - - Security Detections API - - Alerts migration API + - Security Exceptions API + x-metaTags: + - content: Kibana + name: product_name + /api/exception_lists/_import: post: - deprecated: true - description: > - **DEPRECATED.** Legacy API for on-demand reindexing of old - `.siem-signals-*` alert indices. Do not build new - - integrations; upgrade the Elastic Stack and rely on product-managed data - lifecycle instead. + description: |- + **Spaces method and path for this operation:** - **WARNING:** Migrations can be resource intensive and should be planned - during a maintenance window. +
post /s/{space_id}/api/exception_lists/_import
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Initiate a migration of detection alerts. Migrations are initiated per - index. The process is not destructive - - and should not remove existing data, but it can consume significant - cluster resources. Plan capacity accordingly. - operationId: CreateAlertsMigration + Import an exception list and its associated items from an NDJSON file. + operationId: ImportExceptionList + parameters: + - description: | + Determines whether existing exception lists with the same `list_id` are overwritten. + If any exception items have the same `item_id`, those are also overwritten. + in: query + name: overwrite + required: false + schema: + default: false + example: false + type: boolean + - description: | + Determines whether the list being imported will have a new `list_id` generated. + Additional `item_id`'s are generated for each exception item. Both the exception + list and its items are overwritten. + in: query + name: as_new_list + required: false + schema: + default: false + example: false + type: boolean requestBody: content: - application/json: + multipart/form-data: examples: - singleIndex: + ndjsonUpload: value: - index: - - .siem-signals-default-000001 + file: exception_lists.ndjson schema: - allOf: - - type: object - properties: - index: - description: Array of index names to migrate. 
- items: - format: nonempty - minLength: 1 - type: string - minItems: 1 - type: array - required: - - index - - $ref: >- - #/components/schemas/Security_Detections_API_AlertsReindexOptions - description: Alerts migration parameters + type: object + properties: + file: + description: A `.ndjson` file containing the exception list + example: | + {"_version":"WzExNDU5LDFd","created_at":"2025-01-09T16:18:17.757Z","created_by":"elastic","description":"This is a sample detection type exception","id":"c86c2da0-2ab6-4343-b81c-216ef27e8d75","immutable":false,"list_id":"simple_list","name":"Sample Detection Exception List","namespace_type":"single","os_types":[],"tags":["user added string for a tag","malware"],"tie_breaker_id":"cf4a7b92-732d-47f0-a0d5-49a35a1736bf","type":"detection","updated_at":"2025-01-09T16:18:17.757Z","updated_by":"elastic","version":1} + {"_version":"WzExNDYxLDFd","comments":[],"created_at":"2025-01-09T16:18:42.308Z","created_by":"elastic","description":"This is a sample endpoint type exception","entries":[{"type":"exists","field":"actingProcess.file.signer","operator":"excluded"},{"type":"match_any","field":"host.name","value":["some host","another host"],"operator":"included"}],"id":"f37597ce-eaa7-4b64-9100-4301118f6806","item_id":"simple_list_item","list_id":"simple_list","name":"Sample Endpoint Exception List","namespace_type":"single","os_types":["linux"],"tags":["user added string for a tag","malware"],"tie_breaker_id":"4ca3ef3e-9721-42c0-8107-cf47e094d40f","type":"simple","updated_at":"2025-01-09T16:18:42.308Z","updated_by":"elastic"} + format: binary + type: string required: true responses: '200': content: application/json: examples: - success: + withErrors: value: - indices: - - index: .siem-signals-default-000001, - migration_id: 923f7c50-505f-11eb-ae0a-3fa2e626a51d - migration_index: .siem-signals-default-000001-r000016 + errors: + - error: + message: 'Error found importing exception list: Invalid value \"4\" supplied to \"list_id\"' + 
status_code: 400 + list_id: (unknown list_id) + - error: + message: 'Found that item_id: \"f7fd00bb-dba8-4c93-9d59-6cbd427b6330\" already exists. Import of item_id: \"f7fd00bb-dba8-4c93-9d59-6cbd427b6330\" skipped.' + status_code: 409 + item_id: f7fd00bb-dba8-4c93-9d59-6cbd427b6330 + list_id: 7d7cccb8-db72-4667-b1f3-648efad7c1ee + success: false, + success_count: 0, + success_count_exception_list_items: 0 + success_count_exception_lists: 0, + success_exception_list_items: false, + success_exception_lists: false, + withoutErrors: + value: + errors: [] + success: true + success_count: 2 + success_count_exception_list_items: 1 + success_count_exception_lists: 1 + success_exception_list_items: true + success_exception_lists: true, schema: type: object properties: - indices: - items: - oneOf: - - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexMigrationSuccess - - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexMigrationError - - $ref: >- - #/components/schemas/Security_Detections_API_SkippedAlertsIndexMigration - type: array + errors: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListsImportBulkErrorArray' + success: + type: boolean + success_count: + minimum: 0 + type: integer + success_count_exception_list_items: + minimum: 0 + type: integer + success_count_exception_lists: + minimum: 0 + type: integer + success_exception_list_items: + type: boolean + success_exception_lists: + type: boolean required: - - indices + - errors + - success + - success_count + - success_exception_lists + - success_count_exception_lists + - success_exception_list_items + - success_count_exception_list_items description: Successful response '400': content: 
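Review bot: Several values in the new `withErrors` and `withoutErrors` examples carry trailing commas (`success: false,`, `success_count: 0,`, `success_exception_lists: true,`), which YAML reads as the strings `"false,"`, `"0,"` and `"true,"` rather than the booleans and integers the response schema below declares, so the examples contradict the schema and will fail any example validation that is enabled. Drop the commas, e.g. `success: false` and `success_count: 0`. The 400 example in the hunk at `@@ -11801` has the same copy-from-JSON artefact in `error: Bad Request,` and `statusCode: 400,`.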
@@ -11319,16 +25229,12 @@ paths: badRequest: value: error: Bad Request - message: >- - [request body].index: at least one index name is required - to start a migration + message: Multipart part `file` is required and must contain a valid .ndjson exception list export statusCode: 400 schema: oneOf: - - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Detections_API_SiemErrorResponse + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Invalid input data response '401': content: @@ -11337,12 +25243,23 @@ paths: unauthorized: value: error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [POST /api/exception_lists/_import] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response '500': content: application/json: 
@@ -11352,84 +25269,88 @@ paths: message: Internal Server Error status_code: 500 schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Internal server error response - summary: Initiate a detection alert migration + summary: Import an exception list tags: - - Security Detections API - - Alerts migration API - /api/detection_engine/signals/migration_status: - get: - deprecated: true - description: > - **DEPRECATED.** This endpoint was used for historical `.siem-signals-*` - index migration workflows. Do not use - - for new automations; there is no supported replacement in this public - API. - - **WARNING:** Prefer upgrading through supported Elastic stack upgrades - rather than ad-hoc index migrations. + - Security Exceptions API + x-metaTags: + - content: Kibana + name: product_name + /api/exception_lists/items: + delete: + description: |- + **Spaces method and path for this operation:** +
delete /s/{space_id}/api/exception_lists/items
- Retrieves indices that contain detection alerts of a particular age, - along with migration information for + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - each of those indices. - operationId: ReadAlertsMigrationStatus + Delete an exception list item using the `id` or `item_id` field. + operationId: DeleteExceptionListItem parameters: - - description: Maximum age of qualifying detection alerts + - description: Exception item's identifier. Either `id` or `item_id` must be specified in: query - name: from - required: true + name: id + required: false schema: - description: > - Time from which data is analyzed. For example, now-4200s means the - rule analyzes data from 70 minutes - - before its start time. Defaults to now-6m (analyzes data from 6 - minutes before the start time). - example: now-30d - format: date-math - type: string + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' + - description: Human readable exception item string identifier, e.g. `trusted-linux-processes`. Either `id` or `item_id` must be specified + in: query + name: item_id + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId' + - description: | + `single` deletes the item in the current Kibana space; `agnostic` deletes an item in a space-agnostic list. Must match the list that owns the item. 
+ examples: + agnostic: + value: agnostic + single: + value: single + in: query + name: namespace_type + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + default: single responses: '200': content: application/json: examples: - success: + simpleExceptionItem: value: - indices: - - index: .siem-signals-default-000002 - is_outdated: true - migrations: - - id: 924f7c50-505f-11eb-ae0a-3fa2e626a51d - status: pending - updated: 2021-01-06T20:41:37.173Z - version: 16 - signal_versions: - - count: 100 - version: 15 - - count: 87 - version: 16 - version: 15 - - index: .siem-signals-default-000003 - is_outdated: false - migrations: [] - signal_versions: - - count: 54 - version: 16 - version: 16 + _version: WzQsMV0= + comments: [] + created_at: '2025-01-07T20:07:33.119Z' + created_by: elastic + description: This is a sample detection type exception item. + entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + - field: host.name + operator: included + type: match_any + value: + - saturn + - jupiter + id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c + type: simple + updated_at: '2025-01-07T20:07:33.119Z' + updated_by: elastic schema: - type: object - properties: - indices: - items: - $ref: >- - #/components/schemas/Security_Detections_API_IndexMigrationStatus - type: array - required: - - indices + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' description: Successful response '400': content: 
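Review bot: The `namespace_type` parameter schema pairs `$ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType'` with a sibling `default: single`; under OpenAPI 3.0 every sibling of `$ref` is ignored, so the default would neither be displayed nor applied by tooling unless this document is 3.1 (the version header is outside this hunk). To keep it portable, wrap the reference, e.g. `allOf: [ { $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' } ]` alongside `default: single`, which is how the find operation earlier in this file already expresses its default on an inline schema. The get operation in the hunk at `@@ -11469` uses the same `$ref` plus `default` pattern.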
@@ -11438,14 +25359,12 @@ paths: badRequest: value: error: Bad Request - message: '[request query].from: expected date-math, received null' + message: '[request query]: namespace_type.0: Invalid enum value. Expected ''agnostic'' | ''single'', received ''blob''' statusCode: 400 schema: oneOf: - - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Detections_API_SiemErrorResponse + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Invalid input data response '401': content: 
@@ -11454,12 +25373,34 @@ paths: unauthorized: value: error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [DELETE /api/exception_lists/items?item_id=simple_list&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'exception list item item_id: \"foo\" does not exist' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list item not found response '500': content: application/json: 
@@ -11469,87 +25410,88 @@ paths: message: Internal Server Error status_code: 500 schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Internal server error response - summary: Retrieve the status of detection alert migrations + summary: Delete an exception list item tags: - - Security Detections API - - Alerts migration API - /api/detection_engine/signals/search: - post: - description: Find and/or aggregate detection alerts that match the given query. - operationId: SearchAlerts - requestBody: - content: - application/json: - examples: - query: - value: - aggs: - alertsByGrouping: - terms: - field: host.name - size: 10 - missingFields: - missing: - field: host.name - query: - bool: - filter: - - bool: - filter: - - match_phrase: - kibana.alert.workflow_status: open - must: [] - must_not: - - exists: - field: kibana.alert.building_block_type - should: [] - - range: - '@timestamp': - gte: 2025-01-17T08:00:00.000Z - lte: 2025-01-18T07:59:59.999Z - runtime_mappings: {} - size: 0 - schema: - $ref: >- - #/components/schemas/Security_Detections_API_QueryAlertsBodyParams - description: Elasticsearch query and aggregation request - description: Search and/or aggregation query - required: true + - Security Exceptions API + x-metaTags: + - content: Kibana + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/exception_lists/items
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the details of an exception list item using the `id` or `item_id` field. + operationId: ReadExceptionListItem + parameters: + - description: Exception list item's identifier. Either `id` or `item_id` must be specified. + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' + - description: Human readable exception item string identifier, e.g. `trusted-linux-processes`. Either `id` or `item_id` must be specified. + in: query + name: item_id + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId' + - description: | + `single` fetches the item in the current space; `agnostic` fetches a global (space-agnostic) item. Must + match how the list was created. + examples: + agnostic: + value: agnostic + single: + value: single + in: query + name: namespace_type + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + default: single responses: '200': content: application/json: examples: - success: + simpleListItem: value: - _shards: - failed: 0 - skipped: 0 - successful: 1 - total: 1 - aggregations: - alertsByGrouping: - buckets: - - doc_count: 5 - key: Host-f43kkddfyc - doc_count_error_upper_bound: 0 - sum_other_doc_count: 0 - missingFields: - doc_count: 0 - hits: - hits: [] - max_score: null - total: - relation: eq - value: 5 - timed_out: false - took: 0 + _version: WzQsMV0= + comments: [] + created_at: '2025-01-07T20:07:33.119Z' + created_by: elastic + description: This is a sample detection type exception item. 
+ entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + - field: host.name + operator: included + type: match_any + value: + - saturn + - jupiter + id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c + type: simple + updated_at: '2025-01-07T20:07:33.119Z' + updated_by: elastic schema: - additionalProperties: true - description: Elasticsearch search response - type: object + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' description: Successful response '400': content: @@ -11558,16 +25500,12 @@ paths: badRequest: value: error: Bad Request - message: >- - Failed to parse search request: unknown query clause in - bool filter + message: '[request query]: namespace_type.0: Invalid enum value. Expected ''agnostic'' | ''single'', received ''blob''' statusCode: 400 schema: oneOf: - - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Detections_API_SiemErrorResponse + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Invalid input data response '401': content: 
@@ -11576,157 +25514,34 @@ paths: unauthorized: value: error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Internal server error response - summary: Find and/or aggregate detection alerts - tags: - - Security Detections API - - Alerts API - /api/detection_engine/signals/status: - post: - description: Set the status of one or more detection alerts. 
- operationId: SetAlertsStatus - requestBody: - content: - application/json: - examples: - byId: - value: - signal_ids: - - >- - 80e1383f856e67c1b7f7a1634744fa6d66b6e2ef7aa26d226e57afb5a7b2b4a1 - status: closed - byQuery: - value: - conflicts: proceed - query: - bool: - filter: - - '@timestamp': - format: strict_date_optional_time - gte: 2024-10-23T07:00:00.000Z - lte: 2025-01-21T20:12:11.704Z - range: null - - bool: - filter: - bool: - filter: - - match_phrase: - kibana.alert.workflow_status: open - - '@timestamp': - format: strict_date_optional_time - gte: 2024-10-23T07:00:00.000Z - lte: 2025-01-21T20:12:11.704Z - range: null - must: [] - must_not: - - exists: - field: kibana.alert.building_block_type - should: [] - must: [] - must_not: [] - should: [] - status: closed - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Detections_API_SetAlertsStatusByIds - - $ref: >- - #/components/schemas/Security_Detections_API_SetAlertsStatusByQuery - description: >- - An object containing desired status and explicit alert ids or a query - to select alerts - required: true - responses: - '200': - content: - application/json: - examples: - byId: - value: - batches: 1 - deleted: 0 - failures: [] - noops: 0 - requests_per_second: -1 - retries: - bulk: 0 - search: 0 - throttled_millis: 0 - throttled_until_millis: 0 - timed_out: false - took: 81 - total: 1 - updated: 1 - version_conflicts: 0 - byQuery: - value: - batches: 1 - deleted: 0 - failures: [] - noops: 0 - requests_per_second: -1 - retries: - bulk: 0 - search: 0 - throttled_millis: 0 - throttled_until_millis: 0 - timed_out: false - took: 100 - total: 17 - updated: 17 - version_conflicts: 0 - schema: - additionalProperties: true - description: Elasticsearch update by query response - type: object - description: Successful response - '400': + '403': content: application/json: examples: - badRequest: + forbidden: value: - error: Bad Request - message: >- - [request body].signal_ids: at least one alert id is - 
required to update status - statusCode: 400 + error: Forbidden + message: API [GET /api/exception_lists/items?item_id=&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] + statusCode: 403 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Detections_API_SiemErrorResponse - description: Invalid input data response - '401': + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '404': content: application/json: examples: - unauthorized: + notFound: value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 + message: 'exception list item item_id: \"foo\" does not exist' + status_code: 404 schema: - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - description: Unsuccessful authentication response + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list item not found response '500': content: application/json: 
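Review bot: The new 403 example's message shows the request as `GET /api/exception_lists/items?item_id=&namespace_type=single`, with an empty `item_id`, which is not a request this operation documents as valid (the description says either `id` or `item_id` must be given) and reads like a captured typo. Use a value consistent with the other examples, e.g. `...items?item_id=simple_list_item&namespace_type=single`. The delete operation's 403 example in the hunk at `@@ -11454` shows `item_id=simple_list`, which is the `list_id` in the surrounding examples rather than an item id; `simple_list_item` would be consistent there too.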
@@ -11736,64 +25551,251 @@ paths: message: Internal Server Error status_code: 500 schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Internal server error response - summary: Set a detection alert status + summary: Get an exception list item tags: - - Security Detections API - - Alerts API - /api/detection_engine/signals/tags: + - Security Exceptions API + x-metaTags: + - content: Kibana + name: product_name post: - description: > - Add tags to detection alerts, and remove them from alerts, by alert IDs - or a query, in a single request. + description: | + **Spaces method and path for this operation:** - > info +
post /s/{space_id}/api/exception_lists/items
- > You cannot add and remove the same alert tag in the same request. - operationId: SetAlertTags + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create an exception item and associate it with the specified exception list. + > info + > Before creating exception items, you must create an exception list. + operationId: CreateExceptionListItem requestBody: content: application/json: examples: - add: - $ref: >- - #/components/examples/Security_Detections_API_SetAlertTagsBodyAdd - remove: - $ref: >- - #/components/examples/Security_Detections_API_SetAlertTagsBodyRemove + simpleItem: + value: + description: This is a sample detection type exception item. + entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + type: simple schema: - $ref: '#/components/schemas/Security_Detections_API_SetAlertTagsBody' - description: >- - An object containing tags to add or remove and alert ids the changes - will be applied + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemGeneric' + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemEndpointList' + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedAppsWindows' + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedAppsMac' + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedAppsLinux' + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedDevicesWindows' + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedDevicesMac' + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedDevicesWindowsMac' + - $ref: 
'#/components/schemas/Security_Exceptions_API_CreateExceptionListItemEventFilters' + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemHostIsolation' + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBlocklistWindows' + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBlocklistLinux' + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBlocklistMac' + description: Exception list item's properties required: true responses: '200': content: application/json: examples: - success: + autogeneratedItemId: value: - batches: 1, - deleted: 0, - failures: [] - noops: 0, - requests_per_second: '-1,' - retries: - bulk: 0, - search: 0 - throttled_millis: 0, - throttled_until_millis: 0, - timed_out: false, - took: 68, - total: 1, - updated: 1, - version_conflicts: 0, + _version: WzYsMV0= + comments: [] + created_at: '2025-01-09T01:16:23.322Z' + created_by: elastic + description: This is a sample exception that has no item_id so it is autogenerated. + entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + id: 323faa75-c657-4fa0-9084-8827612c207b + item_id: 80e6edf7-4b13-4414-858f-2fa74aa52b37 + list_id: 8c1aae4c-1ef5-4bce-a2e3-16584b501783 + name: Sample Autogenerated Exception List Item ID + namespace_type: single + os_types: [] + tags: + - malware + tie_breaker_id: d6799986-3a23-4213-bc6d-ed9463a32f23 + type: simple + updated_at: '2025-01-09T01:16:23.322Z' + updated_by: elastic + detectionExceptionListItem: + value: + _version: WzQsMV0= + comments: [] + created_at: '2025-01-07T20:07:33.119Z' + created_by: elastic + description: This is a sample detection type exception item. 
+ entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c + type: simple + updated_at: '2025-01-07T20:07:33.119Z' + updated_by: elastic + withExistEntry: + value: + _version: WzQsMV0= + comments: [] + created_at: '2025-01-07T20:07:33.119Z' + created_by: elastic + description: This is a sample detection type exception item. + entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c + type: simple + updated_at: '2025-01-07T20:07:33.119Z' + updated_by: elastic + withMatchAnyEntry: + value: + _version: WzQsMV0= + comments: [] + created_at: '2025-01-07T20:07:33.119Z' + created_by: elastic + description: This is a sample detection type exception item. + entries: + - field: host.name + operator: included + type: match_any + value: + - saturn + - jupiter + id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c + type: simple + updated_at: '2025-01-07T20:07:33.119Z' + updated_by: elastic + withMatchEntry: + value: + _version: WzQsMV0= + comments: [] + created_at: '2025-01-07T20:07:33.119Z' + created_by: elastic + description: This is a sample detection type exception item. + entries: + - field: actingProcess.file.signer + operator: included + type: match + value: Elastic N.V. 
+ id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c + type: simple + updated_at: '2025-01-07T20:07:33.119Z' + updated_by: elastic + withNestedEntry: + value: + _version: WzQsMV0= + comments: [] + created_at: '2025-01-07T20:07:33.119Z' + created_by: elastic + description: This is a sample detection type exception item. + entries: + - entries: + - field: signer + operator: included + type: match + value: Evil + - field: trusted + operator: included + type: match + value: true + field: file.signature + type: nested + id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c + type: simple + updated_at: '2025-01-07T20:07:33.119Z' + updated_by: elastic + withValueListEntry: + value: + _version: WzcsMV0= + comments: [] + created_at: '2025-01-09T01:31:12.614Z' + created_by: elastic + description: Don't signal when agent.name is rock01 and source.ip is in the goodguys.txt list + entries: + - field: source.ip + list: + id: goodguys.txt + type: ip + operator: excluded + type: list + id: deb26876-297d-4677-8a1f-35467d2f1c4f + item_id: 686b129e-9b8d-4c59-8d8d-c93a9ea82c71 + list_id: 8c1aae4c-1ef5-4bce-a2e3-16584b501783 + name: Filter out good guys ip and agent.name rock01 + namespace_type: single + os_types: [] + tags: + - malware + tie_breaker_id: 5e0288ce-6657-4c18-9dcc-00ec9e8cc6c8 + type: simple + updated_at: '2025-01-09T01:31:12.614Z' + updated_by: elastic schema: - additionalProperties: true - description: Elasticsearch update by query response - type: object + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' description: Successful response '400': content: 
@@ -11801,17 +25803,13 @@ paths: examples: badRequest: value: - error: Bad Request - message: >- - [request body].tags: cannot add and remove the same tag in - a single request - statusCode: 400 + error: Bad Request, + message: '[request body]: list_id: Expected string, received number' + statusCode: 400, schema: oneOf: - - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Detections_API_SiemErrorResponse + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Invalid input data response '401': content: 
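Review bot: The badRequest example on the new side carries trailing commas — `error: Bad Request,` and `statusCode: 400,` — which YAML parses as the string values `Bad Request,` and `400,`, so the example no longer matches the `error`/`message`/`statusCode` shape the other 400 examples in this file use and `statusCode` becomes a string. Drop the commas: `error: Bad Request` and `statusCode: 400`. If this file is a bundled output, the fix belongs in the source spec it is generated from.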
@@ -11820,183 +25818,119 @@ paths: unauthorized: value: error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication response - '500': + '403': content: application/json: examples: - serverError: + forbidden: value: - message: Internal Server Error - status_code: 500 + error: Forbidden + message: API [POST /api/exception_lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Internal server error response - summary: Add and remove detection alert tags - tags: - - Security Detections API - - Alerts API - /api/detection_engine/tags: - get: - description: List all unique tags from all detection rules. 
- operationId: ReadTags - responses: - '200': + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '409': content: application/json: examples: - example1: + alreadyExists: value: - - zeek - - suricata - - windows - - linux - - network - - initial access - - remote access - - phishing + message: 'exception list item id: \"simple_list_item\" already exists' + status_code: 409 schema: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - description: Indicates a successful call - summary: List all detection rule tags - tags: - - Security Detections API - - Tags API - /api/encrypted_saved_objects/_rotate_key: - post: - description: > - Superuser role required. - - - If a saved object cannot be decrypted using the primary encryption key, - then Kibana will attempt to decrypt it using the specified - decryption-only keys. In most of the cases this overhead is negligible, - but if you're dealing with a large number of saved objects and - experiencing performance issues, you may want to rotate the encryption - key. - - - This functionality is in technical preview and may be changed or removed - in a future release. Elastic will work to fix any issues, but features - in technical preview are not subject to the support SLA of official GA - features. - operationId: rotateEncryptionKey - parameters: - - description: > - Specifies a maximum number of saved objects that Kibana can process - in a single batch. Bulk key rotation is an iterative process since - Kibana may not be able to fetch and process all required saved - objects in one go and splits processing into consequent batches. By - default, the batch size is 10000, which is also a maximum allowed - value. - in: query - name: batch_size - required: false - schema: - default: 10000 - type: number - - description: > - Limits encryption key rotation only to the saved objects with the - specified type. 
By default, Kibana tries to rotate the encryption - key for all saved object types that may contain encrypted - attributes. - in: query - name: type - required: false - schema: - type: string - responses: - '200': + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list item already exists response + '500': content: application/json: examples: - rotateEncryptionKeyResponse: - $ref: '#/components/examples/Saved_objects_key_rotation_response' + serverError: + value: + message: Internal Server Error + status_code: 500 schema: - type: object - properties: - failed: - description: > - Indicates the number of the saved objects that were still - encrypted with one of the old encryption keys that Kibana - failed to re-encrypt with the primary key. - type: number - successful: - description: > - Indicates the total number of all encrypted saved objects - (optionally filtered by the requested `type`), regardless - of the key Kibana used for encryption. + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Create an exception list item + tags: + - Security Exceptions API + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** +
put /s/{space_id}/api/exception_lists/items
- NOTE: In most cases, `total` will be greater than - `successful` even if `failed` is zero. The reason is that - Kibana may not need or may not be able to rotate - encryption keys for all encrypted saved objects. - type: number - total: - description: > - Indicates the total number of all encrypted saved objects - (optionally filtered by the requested `type`), regardless - of the key Kibana used for encryption. - type: number - description: Indicates a successful call. - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/Saved_objects_400_response' - description: Bad request - '429': - content: - application/json: - schema: - type: object - description: Already in progress. - summary: Rotate a key for encrypted saved objects - tags: - - saved objects - /api/endpoint_list: - post: - description: >- - Create the exception list for Elastic Endpoint rule exceptions. When you - create the exception list, it will have a `list_id` of `endpoint_list`. - If the Elastic Endpoint exception list already exists, your request will - return an empty response. - operationId: CreateEndpointList + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an exception list item using the `id` or `item_id` field. 
+ operationId: UpdateExceptionListItem + requestBody: + content: + application/json: + examples: + updateItem: + value: + description: Updated description + id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 + name: Updated name + namespace_type: single + type: simple + schema: + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemGeneric' + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemEndpointList' + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedAppsWindows' + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedAppsMac' + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedAppsLinux' + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesWindows' + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesMac' + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesWindowsMac' + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemEventFilters' + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemHostIsolation' + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBlocklistWindows' + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBlocklistLinux' + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBlocklistMac' + description: Exception list item's properties + required: true responses: '200': content: application/json: examples: - alreadyExists: - summary: Endpoint exception list already exists (empty response) - value: {} - newList: - summary: Endpoint exception list created + simpleListItem: value: - created_at: '2025-01-01T00:00:00.000Z' + _version: WzEyLDFd + comments: [] + created_at: '2025-01-07T21:12:25.512Z' created_by: elastic - description: Endpoint Security 
Exception List - id: 2e23a8c4-ef7e-4c10-adfa-3eae4e4b4b8b - immutable: false - list_id: endpoint_list - name: Endpoint Security Exception List - namespace_type: agnostic + description: Updated description + entries: + - field: host.name + operator: included + type: match + value: rock01 + id: 459c5e7e-f8b2-4f0b-b136-c1fc702f72da + item_id: simple_list_item + list_id: simple_list + name: Updated name + namespace_type: single os_types: [] tags: [] - tie_breaker_id: e3c5a8e0-5b6a-4b4b-8b3a-2e23a8c4ef7e - type: endpoint - updated_at: '2025-01-01T00:00:00.000Z' + tie_breaker_id: ad0754ff-7b19-49ca-b73e-e6aff6bfa2d0 + type: simple + updated_at: '2025-01-07T21:34:50.233Z' updated_by: elastic - version: 1 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_EndpointList + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' description: Successful response '400': content: @@ -12005,17 +25939,13 @@ paths: badRequest: value: error: Bad Request - message: >- - [request body]: expected value of type [object] but got - [undefined] + message: '[request body]: item_id: Expected string, received number' statusCode: 400 schema: oneOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Invalid input data + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response '401': content: application/json: 
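Review bot: Switching the unauthorized example from a double-quoted to a single-quoted YAML scalar changes its value: inside `'…'` the `\n` and `\t` sequences are literal backslash characters rather than a newline and tab, so the rendered example now shows `\n\tRoot causes:` verbatim. The same applies to the `\"simple_list_item\"` in this hunk's 409 example, to the `\"foo\"` in the 404 example of the hunk at `@@ -12036,15 +25965,22 @@`, and to the single-quoted 401 messages in the hunks at `@@ -12023`, `@@ -12140` and `@@ -12270`. Either keep the double-quoted form (as the 401 example in `@@ -12463,39 +26447,30 @@` still does) or write the intended text without escape sequences, e.g. `message: 'exception list item id: "simple_list_item" already exists'`.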
@@ -12023,12 +25953,11 @@ paths: unauthorized: value: error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response '403': content: application/json: @@ -12036,15 +25965,22 @@ paths: forbidden: value: error: Forbidden - message: >- - API [POST /api/endpoint_list] is unauthorized for user, - this action is granted by the Kibana privileges - [lists-all] + message: API [PUT /api/exception_lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] statusCode: 403 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Insufficient privileges + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'exception list item item_id: \"foo\" does not exist' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list item not found response '500': content: application/json: 
@@ -12054,66 +25990,168 @@ paths: message: Internal Server Error status_code: 500 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Internal server error - summary: Create an Elastic Endpoint rule exception list + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Update an exception list item tags: - - Security Endpoint Exceptions API - /api/endpoint_list/items: - delete: - description: >- - Delete an Elastic Endpoint exception list item, specified by the `id` or - `item_id` field. - operationId: DeleteEndpointListItem + - Security Exceptions API + x-metaTags: + - content: Kibana + name: product_name + /api/exception_lists/items/_find: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/exception_lists/items/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all exception list items in the specified list. + operationId: FindExceptionListItems parameters: - - description: Either `id` or `item_id` must be specified + - description: The `list_id`s of the items to fetch. in: query - name: id + name: list_id + required: true + schema: + items: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + type: array + - description: | + Filters the returned results according to the value of the specified field, + using the `:` syntax. + examples: + singleFilter: + value: + - exception-list.attributes.name:%My%20item + in: query + name: filter required: false schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId - - description: Either `id` or `item_id` must be specified + default: [] + items: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + type: array + - description: | + Determines whether the returned containers are Kibana associated with a Kibana space + or available in all spaces (`agnostic` or `single`) + examples: + single: + value: + - single in: query - name: item_id + name: namespace_type + required: false + schema: + default: + - single + items: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + type: array + - description: | + Free-text search term applied to exception list item fields (for example a hostname or file path fragment). 
+ in: query + name: search + required: false + schema: + example: host.name + type: string + - description: The page number to return + in: query + name: page + required: false + schema: + example: 1 + minimum: 0 + type: integer + - description: The number of exception list items to return per page + in: query + name: per_page + required: false + schema: + example: 20 + minimum: 0 + type: integer + - description: Determines which field is used to sort the results. + example: name + in: query + name: sort_field + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + - description: Determines the sort order, which can be `desc` or `asc`. + in: query + name: sort_order required: false schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId + enum: + - desc + - asc + example: desc + type: string responses: '200': content: - application/json: - examples: - deleted: - summary: Deleted endpoint exception list item - value: - comments: [] - created_at: '2025-01-01T12:00:00.000Z' - created_by: elastic - description: Blocks a known malicious file by its hash - entries: - - field: file.hash.sha256 - operator: included - type: match - value: >- - e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e - item_id: block-malicious-file - list_id: endpoint_list - name: Block malicious file - namespace_type: agnostic - os_types: - - windows - tags: [] - tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 - type: simple - updated_at: '2025-01-01T12:00:00.000Z' - updated_by: elastic + application/json: + examples: + simpleListItems: + value: + data: + - _version: WzgsMV0= + comments: [] + created_at: '2025-01-07T21:12:25.512Z' + created_by: elastic + description: This is a sample exception item. 
+ entries: + - field: actingProcess.file.signer + operator: excluded + type: exists + - field: host.name + operator: included + type: match_any + value: + - jupiter + - saturn + id: 459c5e7e-f8b2-4f0b-b136-c1fc702f72da + item_id: simple_list_item + list_id: simple_list + name: Sample Exception List Item + namespace_type: single + os_types: + - linux + tags: + - malware + tie_breaker_id: ad0754ff-7b19-49ca-b73e-e6aff6bfa2d0 + type: simple + updated_at: '2025-01-07T21:12:25.512Z' + updated_by: elastic + page: 1 + per_page: 20 + total: 1 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem + type: object + properties: + data: + items: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' + type: array + page: + minimum: 1 + type: integer + per_page: + minimum: 1 + type: integer + pit: + type: string + total: + minimum: 0 + type: integer + required: + - data + - page + - per_page + - total description: Successful response '400': content: @@ -12122,17 +26160,13 @@ paths: badRequest: value: error: Bad Request - message: >- - Either "item_id" or "id" needs to be defined in the - request + message: '[request query]: namespace_type.0: Invalid enum value. Expected ''agnostic'' | ''single'', received ''blob''' statusCode: 400 schema: oneOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Invalid input data + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response '401': content: application/json: 
@@ -12140,12 +26174,11 @@ paths: unauthorized: value: error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response '403': content: application/json: 
@@ -12153,30 +26186,22 @@ paths: forbidden: value: error: Forbidden - message: >- - API [DELETE - /api/endpoint_list/items?item_id=block-malicious-file] is - unauthorized for user, this action is granted by the - Kibana privileges [lists-all] + message: API [GET /api/exception_lists/items/_find?list_id=simple_list&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] statusCode: 403 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Insufficient privileges + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response '404': content: application/json: examples: notFound: value: - message: >- - exception list item item_id: "block-malicious-file" does - not exist + message: 'exception list list_id: "foo" does not exist' status_code: 404 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Endpoint list item not found + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list not found response '500': content: application/json: 
@@ -12186,66 +26211,85 @@ paths: message: Internal Server Error status_code: 500 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Internal server error - summary: Delete an Elastic Endpoint exception list item + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Get exception list items tags: - - Security Endpoint Exceptions API + - Security Exceptions API + x-metaTags: + - content: Kibana + name: product_name + /api/exception_lists/summary: get: - description: >- - Get the details of an Elastic Endpoint exception list item, specified by - the `id` or `item_id` field. - operationId: ReadEndpointListItem + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/exception_lists/summary
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a summary of the specified exception list. + operationId: ReadExceptionListSummary parameters: - - description: Either `id` or `item_id` must be specified + - description: Exception list's identifier generated upon creation. in: query name: id required: false schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId - - description: Either `id` or `item_id` must be specified + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' + - description: Exception list's human readable identifier. in: query - name: item_id + name: list_id + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + - description: | + `single` returns summary for a list in the current space; `agnostic` for a space-agnostic list. Must + line up with `id` / `list_id` used to look up the list. + examples: + agnostic: + value: agnostic + single: + value: single + in: query + name: namespace_type + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + default: single + - description: Search filter clause + in: query + name: filter required: false schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId + example: exception-list-agnostic.attributes.tags:"policy:policy-1" OR exception-list-agnostic.attributes.tags:"policy:all" + type: string responses: '200': content: application/json: examples: - item: - summary: Endpoint exception list item + summary: value: - comments: [] - created_at: '2025-01-01T12:00:00.000Z' - created_by: elastic - description: Blocks a known malicious file by its hash - entries: - - field: file.hash.sha256 - operator: included - type: match - value: >- - e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e - item_id: 
block-malicious-file - list_id: endpoint_list - name: Block malicious file - namespace_type: agnostic - os_types: - - windows - tags: - - policy:all - tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 - type: simple - updated_at: '2025-01-01T12:00:00.000Z' - updated_by: elastic + linux: 0 + macos: 0 + total: 0 + windows: 0 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem + type: object + properties: + linux: + minimum: 0 + type: integer + macos: + minimum: 0 + type: integer + total: + minimum: 0 + type: integer + windows: + minimum: 0 + type: integer description: Successful response '400': content: @@ -12254,15 +26298,13 @@ paths: badRequest: value: error: Bad Request - message: id or item_id required + message: '[request query]: namespace_type.0: Invalid enum value. Expected ''agnostic'' | ''single'', received ''blob''' statusCode: 400 schema: oneOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Invalid input data + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response '401': content: application/json: 
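Review bot: In the `namespace_type` parameter of ReadExceptionListSummary, `default: single` sits as a sibling of `$ref` inside `schema`; under OpenAPI 3.0 siblings of `$ref` are ignored, so the documented default would not surface in generated clients or rendered docs. The document's `openapi` version is not visible in this hunk, so this only applies if it is 3.0.x; in that case move the default into the referenced schema or express it as `allOf: [{ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' }]` with `default: single` beside it, the way the `namespace_type` parameter of FindExceptionListItems keeps `default` beside `items`/`type` rather than beside a `$ref`.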
@@ -12270,12 +26312,11 @@ paths: unauthorized: value: error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response '403': content: application/json: 
@@ -12283,30 +26324,22 @@ paths: forbidden: value: error: Forbidden - message: >- - API [GET - /api/endpoint_list/items?item_id=block-malicious-file] is - unauthorized for user, this action is granted by the - Kibana privileges [lists-read] + message: API [GET /api/exception_lists/summary?list_id=simple_list&namespace_type=agnostic] is unauthorized for user, this action is granted by the Kibana privileges [lists-summary] statusCode: 403 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Insufficient privileges + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response '404': content: application/json: examples: notFound: value: - message: >- - exception list item item_id: "block-malicious-file" does - not exist - status_code: 404 + message": 'exception list id: "foo" does not exist' + status_code": 404 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Endpoint list item not found + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list not found response '500': content: application/json: 
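Review bot: The notFound example's keys on the new side contain stray quotation marks — `message": '…'` and `status_code": 404` — so YAML yields keys named `message"` and `status_code"` and the example no longer matches `Security_Exceptions_API_SiemErrorResponse`, whose other examples in these hunks use plain `message`/`status_code`. Change the two lines to `message: 'exception list id: "foo" does not exist'` and `status_code: 404`.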
@@ -12316,126 +26349,79 @@ paths: message: Internal Server Error status_code: 500 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Internal server error - summary: Get an Elastic Endpoint rule exception list item + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Get an exception list summary tags: - - Security Endpoint Exceptions API + - Security Exceptions API + x-metaTags: + - content: Kibana + name: product_name + /api/exceptions/shared: post: - description: >- - Create an Elastic Endpoint exception list item, and associate it with - the Elastic Endpoint exception list. - operationId: CreateEndpointListItem + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/exceptions/shared
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + An exception list groups exception items and can be associated with detection rules. A shared exception list can apply to multiple detection rules. + > info + > All exception items added to the same list are evaluated using `OR` logic. That is, if any of the items in a list evaluate to `true`, the exception prevents the rule from generating an alert. Likewise, `OR` logic is used for evaluating exceptions when more than one exception list is assigned to a rule. To use the `AND` operator, you can define multiple clauses (`entries`) in a single exception item. + operationId: CreateSharedExceptionList requestBody: content: application/json: examples: - matchAny: - summary: Exclude multiple process names - value: - description: Exclude common security tools from endpoint protection - entries: - - field: process.name - operator: included - type: match_any - value: - - scanner.exe - - updater.exe - name: Trusted security tools - os_types: - - windows - type: simple - simpleMatch: - summary: Block a specific file hash + createSharedExceptionList: value: - description: Blocks a known malicious file by its hash - entries: - - field: file.hash.sha256 - operator: included - type: match - value: >- - e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - name: Block malicious file + description: This is a sample detection type exception list. 
+ list_id: simple_list + name: Sample Detection Exception List + namespace_type: single os_types: - - windows + - linux tags: - - policy:all - type: simple + - malware schema: type: object properties: - comments: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray - default: [] description: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription - entries: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray - item_id: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId - meta: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListDescription' name: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName - os_types: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray - default: [] - tags: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags - default: [] - type: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListName' required: - - type - name - description - - entries - description: Exception list item's properties required: true responses: '200': content: application/json: examples: - created: - summary: Endpoint exception list item created + sharedList: value: - comments: [] - created_at: '2025-01-01T12:00:00.000Z' + _version: WzIsMV0= + created_at: '2025-01-07T19:34:27.942Z' created_by: elastic - description: Blocks a known malicious file by its hash - entries: - - field: file.hash.sha256 - operator: included - type: match - value: >- - e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e - item_id: block-malicious-file - 
list_id: endpoint_list - name: Block malicious file - namespace_type: agnostic + description: This is a sample detection type exception list. + id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 + immutable: false + list_id: simple_list + name: Sample Detection Exception List + namespace_type: single os_types: - - windows + - linux tags: - - policy:all - tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 - type: simple - updated_at: '2025-01-01T12:00:00.000Z' + - malware + tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 + type: detection + updated_at: '2025-01-07T19:34:27.942Z' updated_by: elastic + version: 1 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' description: Successful response '400': content: @@ -12444,15 +26430,13 @@ paths: badRequest: value: error: Bad Request - message: '[request body]: name: Required' + message: '[request body]: list_id: Expected string, received number' statusCode: 400 schema: oneOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Invalid input data + - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Invalid input data response '401': content: application/json: 
@@ -12463,39 +26447,30 @@ paths: message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" statusCode: 401 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: - error: Forbidden - message: >- - API [POST /api/endpoint_list/items] is unauthorized for - user, this action is granted by the Kibana privileges - [lists-all] - statusCode: 403 + message: Unable to create exception-list + status_code: 403 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Insufficient privileges + $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' + description: Not enough privileges response '409': content: application/json: examples: alreadyExists: value: - message: >- - exception list item id: "block-malicious-file" already - exists + message: 'exception list id: "simple_list" already exists' status_code: 409 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Endpoint list item already exists + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list already exists response '500': content: application/json: 
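Review bot: The new 403 example for the shared exception list create endpoint (`message: Unable to create exception-list`, `status_code: 403`) no longer matches the schema it is declared under, `Security_Exceptions_API_PlatformErrorResponse`, whose 401 example in the same hunk has the `error`/`message`/`statusCode` shape. The `status_code` key is the shape the 409 example uses under `Security_Exceptions_API_SiemErrorResponse`, so either the example or the reference is wrong. If the handler really emits `status_code`, point the 403 `schema` at `$ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'`; otherwise restore `error: Forbidden` and `statusCode: 403` in the example. If this bundle is generated from the route definitions, the fix belongs in the source schema rather than in this file.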
@@ -12505,598 +26480,673 @@ paths: message: Internal Server Error status_code: 500 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Internal server error - summary: Create an Elastic Endpoint rule exception list item + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Create a shared exception list tags: - - Security Endpoint Exceptions API - put: - description: >- - Update an Elastic Endpoint exception list item, specified by the `id` or - `item_id` field. - operationId: UpdateEndpointListItem - requestBody: - content: - application/json: - examples: - updateName: - summary: Update an endpoint exception list item - value: - description: Updated description for the exception - entries: - - field: file.hash.sha256 - operator: included - type: match - value: >- - e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - item_id: block-malicious-file - name: Block malicious file (updated) - os_types: - - windows - - linux - type: simple - schema: - type: object - properties: - _version: - description: >- - The version id, normally returned by the API when the item - is retrieved. Use it ensure updates are made against the - latest version. 
- type: string - comments: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray - default: [] - description: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription - entries: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray - id: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId - description: Either `id` or `item_id` must be specified - item_id: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId - description: Either `id` or `item_id` must be specified - meta: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta - name: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName - os_types: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray - default: [] - tags: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags - type: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType - required: - - type - - name - - description - - entries - description: Exception list item's properties - required: true + - Security Exceptions API + x-metaTags: + - content: Kibana + name: product_name + /api/features: + get: + description: | + Get information about all Kibana features. Features are used by spaces and security to refine and secure access to Kibana. 
+ operationId: get-features responses: '200': content: application/json: examples: - updated: - summary: Endpoint exception list item updated - value: - comments: [] - created_at: '2025-01-01T12:00:00.000Z' - created_by: elastic - description: Updated description for the exception - entries: - - field: file.hash.sha256 - operator: included - type: match - value: >- - e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e - item_id: block-malicious-file - list_id: endpoint_list - name: Block malicious file (updated) - namespace_type: agnostic - os_types: - - windows - - linux - tags: - - policy:all - tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 - type: simple - updated_at: '2025-01-15T09:30:00.000Z' - updated_by: elastic - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: '[request body]: name: Required' - statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Invalid input data - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [PUT /api/endpoint_list/items] is unauthorized for - user, this action is 
granted by the Kibana privileges - [lists-all] - statusCode: 403 - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Insufficient privileges - '404': - content: - application/json: - examples: - notFound: - value: - message: 'list item item_id: "block-malicious-file" not found' - status_code: 404 - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Endpoint list item not found - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Internal server error - summary: Update an Elastic Endpoint rule exception list item - tags: - - Security Endpoint Exceptions API - /api/endpoint_list/items/_find: - get: - description: Get a list of all Elastic Endpoint exception list items. - operationId: FindEndpointListItems - parameters: - - description: > - Filters the returned results according to the value of the specified - field, - - using the `:` syntax. 
- in: query - name: filter - required: false - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_FindEndpointListItemsFilter - - description: The page number to return - in: query - name: page - required: false - schema: - minimum: 0 - type: integer - - description: The number of exception list items to return per page - in: query - name: per_page - required: false - schema: - minimum: 0 - type: integer - - description: Determines which field is used to sort the results - in: query - name: sort_field - required: false - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString - - description: Determines the sort order, which can be `desc` or `asc` - in: query - name: sort_order - required: false - schema: - enum: - - desc - - asc - type: string + getFeaturesExample: + value: | + { + "features": [ + { + "name": "tasks", + "description": "Manages task results" + }, + { + "name": "security", + "description": "Manages configuration for Security features, such as users and roles" + }, + { + "name": "searchable_snapshots", + "description": "Manages caches and configuration for searchable snapshots" + }, + { + "name": "logstash_management", + "description": "Enables Logstash Central Management pipeline storage" + }, + { + "name": "transform", + "description": "Manages configuration and state for transforms" + }, + { + "name": "kibana", + "description": "Manages Kibana configuration and reports" + }, + { + "name": "synonyms", + "description": "Manages synonyms" + }, + { + "name": "async_search", + "description": "Manages results of async searches" + }, + { + "name": "ent_search", + "description": "Manages configuration for Enterprise Search features" + }, + { + "name": "machine_learning", + "description": "Provides anomaly detection and forecasting functionality" + }, + { + "name": "geoip", + "description": "Manages data related to GeoIP database downloader" + }, + { + "name": "watcher", + "description": "Manages 
Watch definitions and state" + }, + { + "name": "fleet", + "description": "Manages configuration for Fleet" + }, + { + "name": "enrich", + "description": "Manages data related to Enrich policies" + }, + { + "name": "inference_plugin", + "description": "Inference plugin for managing inference services and inference" + } + ] + } + schema: + type: object + description: Indicates a successful call + summary: Get features + tags: + - system + x-state: Technical Preview + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agent_download_sources: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agent_download_sources
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all agent binary download sources.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-settings-read. + operationId: get-fleet-agent-download-sources + parameters: [] responses: '200': content: application/json: examples: - foundItems: - summary: Found endpoint exception list items + getDownloadSourcesExample: + description: List of agent binary download sources value: - data: - - comments: [] - created_at: '2025-01-01T12:00:00.000Z' - created_by: elastic - description: Blocks a known malicious file by its hash - entries: - - field: file.hash.sha256 - operator: included - type: match - value: >- - e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e - item_id: block-malicious-file - list_id: endpoint_list - name: Block malicious file - namespace_type: agnostic - os_types: - - windows - tags: - - policy:all - tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890 - type: simple - updated_at: '2025-01-01T12:00:00.000Z' - updated_by: elastic + items: + - host: https://artifacts.elastic.co/downloads/ + id: download-source-id-1 + is_default: true + name: Elastic Artifacts page: 1 - per_page: 20 + perPage: 20 total: 1 schema: + additionalProperties: false type: object properties: - data: - description: The list of endpoint exception list items. 
+ items: items: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem + additionalProperties: false + type: object + properties: + auth: + additionalProperties: false + nullable: true + type: object + properties: + api_key: + type: string + headers: + items: + additionalProperties: false + type: object + properties: + key: + type: string + value: + type: string + required: + - key + - value + maxItems: 100 + type: array + password: + type: string + username: + type: string + host: + format: uri + type: string + id: + type: string + is_default: + default: false + type: boolean + name: + type: string + proxy_id: + description: The ID of the proxy to use for this download source. See the proxies API for more information. + nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + auth: + additionalProperties: false + type: object + properties: + api_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + password: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + key: + type: string + required: + - id + - name + - host + maxItems: 10000 type: array page: - description: The current page number. - minimum: 0 - type: integer - per_page: - description: The number of items per page. - minimum: 0 - type: integer - pit: - description: The point-in-time ID for pagination. 
- type: string + type: number + perPage: + type: number total: - description: The total number of endpoint exception list items. - minimum: 0 - type: integer + type: number required: - - data - - page - - per_page + - items - total + - page + - perPage description: Successful response '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: '[request query]: page: Expected number, received string' + message: An error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Invalid input data - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [GET /api/endpoint_list/items/_find] is unauthorized - for user, this action is granted by the Kibana privileges - [lists-read] - statusCode: 403 - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Insufficient privileges - '404': - content: - application/json: - examples: - notFound: - value: - message: 'list id: "endpoint_list" does not exist' - status_code: 404 - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Endpoint list not found - 
'500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Internal server error - summary: Get Elastic Endpoint exception list items + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get agent binary download sources tags: - - Security Endpoint Exceptions API - /api/endpoint/action: - get: - description: Get a list of all response actions. - operationId: EndpointGetActionsList + - Elastic Agent binary download sources + x-metaTags: + - content: Kibana + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agent_download_sources
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new agent binary download source.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: post-fleet-agent-download-sources parameters: - - description: The page number to return. - in: query - name: page - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Page' - - description: The number of response actions to return per page. - in: query - name: pageSize - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_PageSize' - - description: A list of response action command names to filter by. - in: query - name: commands - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Commands' - - description: A list of Elastic Agent IDs to filter the response actions by. - in: query - name: agentIds - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentIds' - - description: A list of user IDs that submitted the response actions. - in: query - name: userIds - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_UserIds' - - description: >- - A start date in ISO 8601 format or Date Math format (for example, - `now-24h`). - in: query - name: startDate - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_StartDate' - - description: >- - An end date in ISO 8601 format or Date Math format (for example, - `now`). - in: query - name: endDate - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_EndDate' - - description: >- - The agent type to filter response actions by. Defaults to - `endpoint`. - in: query - name: agentTypes - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' - - description: >- - A list of response action IDs whose outputs should be included in - the response. 
- in: query - name: withOutputs - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_WithOutputs' - - description: >- - A list of response action types to filter by (`automated`, - `manual`). - in: query - name: types - required: false + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Types' + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + postDownloadSourceRequestExample: + description: Create a new agent binary download source + value: + host: https://my-custom-host.example.com/downloads/ + is_default: false + name: My custom download source + schema: + additionalProperties: false + type: object + properties: + auth: + additionalProperties: false + nullable: true + type: object + properties: + api_key: + type: string + headers: + items: + additionalProperties: false + type: object + properties: + key: + type: string + value: + type: string + required: + - key + - value + maxItems: 100 + type: array + password: + type: string + username: + type: string + host: + format: uri + type: string + id: + type: string + is_default: + default: false + type: boolean + name: + type: string + proxy_id: + description: The ID of the proxy to use for this download source. See the proxies API for more information. 
+ nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + auth: + additionalProperties: false + type: object + properties: + api_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + password: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + key: + type: string + required: + - name + - host responses: '200': content: application/json: examples: - actionsList: - summary: A list of response actions + postDownloadSourceExample: + description: The created agent binary download source + value: + item: + host: https://my-custom-host.example.com/downloads/ + id: download-source-id-2 + is_default: false + name: My custom download source + schema: + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + auth: + additionalProperties: false + nullable: true + type: object + properties: + api_key: + type: string + headers: + items: + additionalProperties: false + type: object + properties: + key: + type: string + value: + type: string + required: + - key + - value + maxItems: 100 + type: array + password: + type: string + username: + type: string + host: + format: uri + type: string + id: + type: string + is_default: + default: false + type: boolean + name: + type: string + proxy_id: + description: The ID of the proxy to use for this download source. See the proxies API for more information. 
+ nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + auth: + additionalProperties: false + type: object + properties: + api_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + password: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + key: + type: string + required: + - id + - name + - host + required: + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response value: - data: - - agents: - - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 - agentType: endpoint - command: running-processes - completedAt: '2022-08-08T09:50:47.672Z' - createdBy: elastic - id: b3d6de74-36b0-4fa8-be46-c375bf1771bf - isCompleted: true - isExpired: false - startedAt: '2022-08-08T15:24:57.402Z' - wasSuccessful: true - - agents: - - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 - agentType: endpoint - command: isolate - completedAt: '2022-08-08T10:41:57.352Z' - createdBy: elastic - id: 43b4098b-8752-4fbb-a7a7-6df7c74d0ee3 - isCompleted: true - isExpired: false - startedAt: '2022-08-08T15:23:37.359Z' - wasSuccessful: true - elasticAgentIds: - - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 - endDate: now - page: 1 - pageSize: 10 - startDate: now-24h/h - total: 2 + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: >- - 
#/components/schemas/Security_Endpoint_Management_API_GetEndpointActionListResponse - description: Indicates a successful call. - summary: Get response actions + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Create an agent binary download source tags: - - Security Endpoint Management API - /api/endpoint/action_status: - get: - description: Get the status of response actions for the specified agent IDs. - operationId: EndpointGetActionsStatus + - Elastic Agent binary download sources + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agent_download_sources/{sourceId}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/agent_download_sources/{sourceId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete an agent binary download source by ID.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: delete-fleet-agent-download-sources-sourceid parameters: - - description: A list of agent IDs to get the action status for. - in: query - name: agent_ids + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentIds' + example: 'true' + type: string + - description: The ID of the download source + in: path + name: sourceId + required: true + schema: + type: string responses: '200': content: application/json: examples: - actionStatus: - summary: Pending response actions per agent + deleteDownloadSourceExample: + description: The download source was successfully deleted value: - data: - - agent_id: afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 - pending_actions: - execute: 0 - get-file: 0 - isolate: 0 - kill-process: 1 - running-processes: 0 - scan: 0 - unisolate: 0 - upload: 0 + id: download-source-id-1 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ActionStatusSuccessResponse - description: Indicates a successful call. - summary: Get response actions status - tags: - - Security Endpoint Management API - /api/endpoint/action/{action_id}: - get: - description: Get the details of a response action using the action ID. - operationId: EndpointGetActionsDetails - parameters: - - description: The ID of the response action to retrieve. 
- in: path - name: action_id - required: true - schema: - example: fr518850-681a-4y60-aa98-e22640cae2b8 - type: string - responses: - '200': + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + description: Successful response + '400': content: application/json: examples: - actionDetails: - summary: Details of an isolate response action + genericErrorResponseExample: + description: Example of a generic error response value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentType: endpoint - command: isolate - completedAt: '2022-08-08T10:41:57.352Z' - createdBy: elastic - id: 233db9ea-6733-4849-9226-5a7039c7161d - isCompleted: true - isExpired: false - startedAt: '2022-08-08T15:23:37.359Z' - wasSuccessful: true + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ActionDetailsResponse - description: OK - summary: Get action details + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No download source was found with the given ID + value: + error: Not Found + message: Agent binary source download-source-id-1 not found + statusCode: 404 + description: Not Found + summary: Delete an agent binary download source tags: - - Security Endpoint Management API - /api/endpoint/action/{action_id}/file/{file_id}: + - Elastic Agent binary download sources + x-metaTags: + - content: Kibana + name: product_name get: - description: | - Get information for the specified response action file download. 
- operationId: EndpointFileInfo - parameters: - - description: The ID of the response action that generated the file. - in: path - name: action_id - required: true - schema: - type: string - - description: > - The file identifier is constructed in one of two ways: + description: |- + **Spaces method and path for this operation:** - - For Elastic Defend agents (`agentType` of `endpoint`): combine the - `action_id` and `agent_id` values using a dot (`.`) separator: +
get /s/{space_id}/api/fleet/agent_download_sources/{sourceId}
- `{file_id}` = `{action_id}.{agent_id}` + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - For all other agent types: the `file_id` is the `agent_id` for - which the response action was sent to. + Get an agent binary download source by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-settings-read. + operationId: get-fleet-agent-download-sources-sourceid + parameters: + - description: The ID of the download source in: path - name: file_id + name: sourceId required: true schema: type: string 
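Review bot: The 200 response schemas for the `/api/fleet/agent_download_sources` GET and POST operations expose `auth.api_key`, `auth.password` and `ssl.key` as plain `type: string` properties next to the `secrets` object, so the spec states that plaintext credentials can be echoed back to any caller holding `fleet-agent-policies-read OR fleet-settings-read`, a broader privilege than the `fleet-settings-all` needed to set them. Nothing in the hunk says whether those values are redacted on read. If they are never returned, mark the three fields `writeOnly: true` with a `description: Prefer the secrets object; this value is not returned in responses`, or drop them from the response objects; if they are returned, say so explicitly so operators know a read-only role can recover download credentials. The same plaintext fields appear in the GET-by-id response whose hunk continues past this chunk. If this file is a generated bundle, the change belongs in the Fleet route schema it is built from.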
@@ -13105,1962 +27155,3036 @@ paths: content: application/json: examples: - fileInfo: - summary: File information for a response action upload + getDownloadSourceExample: + description: An agent binary download source value: - data: - actionId: 233db9ea-6733-4849-9226-5a7039c7161d - agentId: ed518850-681a-4d60-bb98-e22640cae2a8 - agentType: endpoint - created: '2025-02-26T13:37:30.452Z' - id: >- - 233db9ea-6733-4849-9226-5a7039c7161d.ed518850-681a-4d60-bb98-e22640cae2a8 - mimeType: application/zip - name: memory_dump.zip - size: 1048576 - status: READY + item: + host: https://artifacts.elastic.co/downloads/ + id: download-source-id-1 + is_default: true + name: Elastic Artifacts schema: + additionalProperties: false + type: object properties: - data: + item: + additionalProperties: false type: object properties: - actionId: - description: The response action ID. - type: string - agentId: - description: The agent ID that generated the file. - type: string - agentType: - description: The type of agent that generated the file. - type: string - created: - description: The date and time the file was created. - format: date-time + auth: + additionalProperties: false + nullable: true + type: object + properties: + api_key: + type: string + headers: + items: + additionalProperties: false + type: object + properties: + key: + type: string + value: + type: string + required: + - key + - value + maxItems: 100 + type: array + password: + type: string + username: + type: string + host: + format: uri type: string id: - description: The unique file identifier. - type: string - mimeType: - description: The MIME type of the file. type: string + is_default: + default: false + type: boolean name: - description: The file name. type: string - size: - description: The file size in bytes. - type: number - status: - description: The file upload status. 
- enum: - - AWAITING_UPLOAD - - UPLOADING - - READY - - UPLOAD_ERROR - - DELETED + proxy_id: + description: The ID of the proxy to use for this download source. See the proxies API for more information. + nullable: true type: string - description: Indicates a successful call. - summary: Get file information + secrets: + additionalProperties: false + type: object + properties: + auth: + additionalProperties: false + type: object + properties: + api_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + password: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + key: + type: string + required: + - id + - name + - host + required: + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No download source was found with the given ID + value: + error: Not Found + message: Agent binary source download-source-id-1 not found + statusCode: 404 + 
description: Not Found + summary: Get an agent binary download source tags: - - Security Endpoint Management API - /api/endpoint/action/{action_id}/file/{file_id}/download: - get: - description: > - Download a file associated with a response action. Files are downloaded - in a password-protected `.zip` archive to prevent the file from running. - Use password `elastic` to open the `.zip` in a safe environment. + - Elastic Agent binary download sources + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** - > info +
put /s/{space_id}/api/fleet/agent_download_sources/{sourceId}
- > Files retrieved from third-party-protected hosts require a different - password. Refer to [Third-party response - actions](https://www.elastic.co/docs/solutions/security/endpoint-response-actions/third-party-response-actions) - for your system's password. - operationId: EndpointFileDownload + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an agent binary download source by ID.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: put-fleet-agent-download-sources-sourceid parameters: - - description: The ID of the response action that generated the file. - in: path - name: action_id + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: + example: 'true' type: string - - description: > - The file identifier is constructed in one of two ways: - - - For Elastic Defend agents (`agentType` of `endpoint`): combine the - `action_id` and `agent_id` values using a dot (`.`) separator: - - `{file_id}` = `{action_id}.{agent_id}` - - - For all other agent types: the `file_id` is the `agent_id` for - which the response action was sent to. + - description: The ID of the download source in: path - name: file_id + name: sourceId required: true schema: type: string - responses: - '200': - content: - application/octet-stream: - examples: - fileDownload: - summary: >- - Password-protected ZIP archive containing the response - action file - value: binary file content (password-protected .zip) - schema: - format: binary - type: string - description: Indicates a successful call. - summary: Download a file - tags: - - Security Endpoint Management API - /api/endpoint/action/cancel: - post: - description: >- - Cancel a running or pending response action (Applies only to some agent - types). 
- operationId: CancelAction - requestBody: - content: - application/json: - examples: - MicrosoftDefenderEndpoint: - summary: >- - Cancel a response action on a Microsoft Defender for Endpoint - host - value: - agent_type: microsoft_defender_endpoint - comment: Cancelling action due to change in requirements - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - id: 7f8c9b2a-4d3e-4f5a-8b1c-2e3f4a5b6c7d - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_CancelRouteRequestBody - required: true - responses: - '200': - content: - application/json: - examples: - CancelSuccess: - summary: Cancel action successfully created - value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: microsoft_defender_endpoint - command: cancel - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 233db9ea-6733-4849-9226-5a7039c7161d - isCompleted: false - isExpired: false - outputs: {} - parameters: - id: 7f8c9b2a-4d3e-4f5a-8b1c-2e3f4a5b6c7d - startedAt: '2022-07-29T19:08:49.126Z' - status: pending - wasSuccessful: false - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse - description: Indicates a successful call. - summary: Cancel a response action - tags: - - Security Endpoint Management API - /api/endpoint/action/execute: - post: - description: Run a shell command on an endpoint. 
- operationId: EndpointExecuteAction requestBody: content: application/json: examples: - executeCommand: - summary: Execute a shell command on an endpoint + putDownloadSourceRequestExample: + description: Update an agent binary download source value: - comment: Get list of all files - endpoint_ids: - - b3d6de74-36b0-4fa8-be46-c375bf1771bf - parameters: - command: ls -al - timeout: 600 + host: https://updated-host.example.com/downloads/ + is_default: false + name: Updated download source schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ExecuteRouteRequestBody - required: true + additionalProperties: false + type: object + properties: + auth: + additionalProperties: false + nullable: true + type: object + properties: + api_key: + type: string + headers: + items: + additionalProperties: false + type: object + properties: + key: + type: string + value: + type: string + required: + - key + - value + maxItems: 100 + type: array + password: + type: string + username: + type: string + host: + format: uri + type: string + id: + type: string + is_default: + default: false + type: boolean + name: + type: string + proxy_id: + description: The ID of the proxy to use for this download source. See the proxies API for more information. 
+ nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + auth: + additionalProperties: false + type: object + properties: + api_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + password: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + key: + type: string + required: + - name + - host responses: '200': content: application/json: examples: - ExecuteSuccess: - summary: Execute action successfully created + putDownloadSourceExample: + description: The updated agent binary download source value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: execute - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 9f934028-2300-4927-b531-b26376793dc4 - isCompleted: false - isExpired: false - outputs: {} - parameters: - command: ls -al - timeout: 600 - startedAt: '2023-07-28T18:43:27.362Z' - status: pending - wasSuccessful: false + item: + host: https://updated-host.example.com/downloads/ + id: download-source-id-1 + is_default: false + name: Updated download source schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse - description: Indicates a successful call. 
- summary: Run a command - tags: - - Security Endpoint Management API - /api/endpoint/action/get_file: - post: - description: Get a file from an endpoint. - operationId: EndpointGetFileAction - requestBody: - content: - application/json: - examples: - getFile: - summary: Get a specific file from an endpoint - value: - comment: Get my file - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - path: /usr/my-file.txt - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_GetFileRouteRequestBody - required: true - responses: - '200': + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + auth: + additionalProperties: false + nullable: true + type: object + properties: + api_key: + type: string + headers: + items: + additionalProperties: false + type: object + properties: + key: + type: string + value: + type: string + required: + - key + - value + maxItems: 100 + type: array + password: + type: string + username: + type: string + host: + format: uri + type: string + id: + type: string + is_default: + default: false + type: boolean + name: + type: string + proxy_id: + description: The ID of the proxy to use for this download source. See the proxies API for more information. 
+ nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + auth: + additionalProperties: false + type: object + properties: + api_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + password: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + key: + type: string + required: + - id + - name + - host + required: + - item + description: Successful response + '400': content: application/json: examples: - GetFileSuccess: - summary: Get file action successfully created + genericErrorResponseExample: + description: Example of a generic error response value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: get-file - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 27ba1b42-7cc6-4e53-86ce-675c876092b2 - isCompleted: false - isExpired: false - outputs: {} - parameters: - path: /usr/my-file.txt - startedAt: '2023-07-28T19:00:03.911Z' - status: pending - wasSuccessful: false + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse - description: Indicates a successful call. 
- summary: Get a file - tags: - - Security Endpoint Management API - /api/endpoint/action/isolate: - post: - description: >- - Isolate an endpoint from the network. The endpoint remains isolated - until it's released. - operationId: EndpointIsolateAction - requestBody: - content: - application/json: - examples: - multiple_endpoints: - summary: Isolates several hosts; includes a comment - value: - comment: Locked down, pending further investigation - endpoint_ids: - - 9972d10e-4b9e-41aa-a534-a85e2a28ea42 - - bc0e4f0c-3bca-4633-9fee-156c0b505d16 - - fa89271b-b9d4-43f2-a684-307cffddeb5a - single_endpoint: - summary: >- - Isolates a single host with an endpoint_id value of - ed518850-681a-4d60-bb98-e22640cae2a8 - value: - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - with_case_id: - summary: Isolates a single host with a case_id value of 1234 - value: - case_ids: - - 4976be38-c134-4554-bd5e-0fd89ce63667 - comment: Isolating as initial response - endpoint_ids: - - 1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0 - - b30a11bf-1395-4707-b508-fbb45ef9793e - schema: - type: object - properties: - agent_type: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_AgentTypes - alert_ids: - description: >- - If this action is associated with any alerts, they can be - specified here. The action will be logged in any cases - associated with the specified alerts. Max of 50. - example: - - alert-id-1 - - alert-id-2 - items: - minLength: 1 + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: type: string - maxItems: 50 - minItems: 1 - type: array - case_ids: - description: >- - The IDs of cases where the action taken will be logged. Max - of 50. 
- example: - - case-id-1 - - case-id-2 - items: - minLength: 1 + errorType: type: string - maxItems: 50 - minItems: 1 - type: array - comment: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_Comment - endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds - parameters: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_Parameters - required: - - endpoint_ids - required: true - responses: - '200': + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': content: application/json: examples: - IsolateSuccess: - summary: Isolate action successfully created + notFoundExample: + description: No download source was found with the given ID value: - action: 233db9ea-6733-4849-9226-5a7039c7161d - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: isolate - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 233db9ea-6733-4849-9226-5a7039c7161d - isCompleted: false - isExpired: false - outputs: {} - startedAt: '2022-07-29T19:08:49.126Z' - status: pending - wasSuccessful: false - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_IsolateRouteResponse - description: Indicates a successful call. - summary: Isolate an endpoint + error: Not Found + message: Download source download-source-id-1 not found + statusCode: 404 + description: Not Found + summary: Update an agent binary download source tags: - - Security Endpoint Management API - /api/endpoint/action/kill_process: - post: - description: Terminate a running process on an endpoint. 
- operationId: EndpointKillProcessAction - requestBody: - content: - application/json: - examples: - byEntityId: - summary: Terminate a process by entity ID - value: - comment: Terminating malicious process - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - entity_id: abc123 - byPid: - summary: Terminate a process by PID - value: - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - pid: 1234 - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_KillProcessRouteRequestBody - required: true + - Elastic Agent binary download sources + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agent_policies: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agent_policies
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all agent policies.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-agents-read OR fleet-setup. + operationId: get-fleet-agent-policies + parameters: + - description: Page number + in: query + name: page + required: false + schema: + type: number + - description: Number of results per page + in: query + name: perPage + required: false + schema: + type: number + - description: Field to sort results by + in: query + name: sortField + required: false + schema: + type: string + - description: Sort order, ascending or descending + in: query + name: sortOrder + required: false + schema: + enum: + - desc + - asc + type: string + - description: When true, only show policies with upgradeable agents + in: query + name: showUpgradeable + required: false + schema: + type: boolean + - description: A KQL query string to filter results + in: query + name: kuery + required: false + schema: + type: string + - description: use withAgentCount instead + in: query + name: noAgentCount + required: false + schema: + deprecated: true + type: boolean + - description: get policies with agent count + in: query + name: withAgentCount + required: false + schema: + type: boolean + - description: get full policies with package policies populated + in: query + name: full + required: false + schema: + type: boolean + - description: 'Format for the response: simplified or legacy' + in: query + name: format + required: false + schema: + enum: + - simplified + - legacy + type: string responses: '200': content: application/json: examples: - KillProcessSuccess: - summary: Kill process action successfully created + getAgentPoliciesExample: + description: List of agent policies value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: kill-process - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 
233db9ea-6733-4849-9226-5a7039c7161d - isCompleted: false - isExpired: false - outputs: {} - parameters: - entity_id: abc123 - startedAt: '2022-07-29T19:08:49.126Z' - status: pending - wasSuccessful: false + items: + - description: A sample agent policy + id: agent-policy-id-1 + is_managed: false + is_protected: false + name: My agent policy + namespace: default + revision: 1 + status: active + updated_at: '2024-01-15T10:00:00.000Z' + updated_by: user1 + page: 1 + perPage: 20 + total: 1 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse - description: Indicates a successful call. - summary: Terminate a process + additionalProperties: false + type: object + properties: + items: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_agent_policy_response' + maxItems: 10000 + type: array + page: + type: number + perPage: + type: number + total: + type: number + required: + - items + - total + - page + - perPage + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get agent policies tags: - - Security Endpoint Management API - /api/endpoint/action/memory_dump: + - Elastic Agent policies + x-metaTags: + - content: Kibana + name: product_name post: - description: Generates memory dumps on the targeted host. - operationId: EndpointGenerateMemoryDump + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agent_policies
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new agent policy.

[Required authorization] Route required privileges: fleet-agent-policies-all. + operationId: post-fleet-agent-policies + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Whether to add the system integration to the new agent policy + in: query + name: sys_monitoring + required: false + schema: + type: boolean requestBody: content: application/json: examples: - ProcessMemoryDump: - summary: Generate a memory dump from the host machine + postAgentPolicyRequestExample: + description: Create a new agent policy value: - agent_type: endpoint - comment: Generating memory dump for investigation - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - entity_id: abc123 - type: process + description: A sample agent policy + monitoring_enabled: + - logs + - metrics + name: My agent policy + namespace: default schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_MemoryDumpRouteRequestBody - required: true + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_agent_policy' responses: '200': content: application/json: examples: - MemoryDumpSuccessResponse: - summary: Memory dump action successfully created + postAgentPolicyExample: + description: The created agent policy value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: memory-dump - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 233db9ea-6733-4849-9226-5a7039c7161d - isCompleted: false - isExpired: false - outputs: {} - parameters: - entity_id: abc123 - type: process - startedAt: '2022-07-29T19:08:49.126Z' - status: pending - wasSuccessful: false + item: + description: A sample agent policy + id: agent-policy-id-2 + is_managed: false + is_protected: false + name: 
My agent policy + namespace: default + revision: 1 + status: active + updated_at: '2024-01-15T10:00:00.000Z' + updated_by: user1 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse - description: Indicates a successful call. - summary: Generate a memory dump from the host machine + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_agent_policy_response' + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Create an agent policy tags: - - Security Endpoint Management API - /api/endpoint/action/running_procs: + - Elastic Agent policies + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agent_policies/_bulk_get: post: - description: Get a list of all processes running on an endpoint. - operationId: EndpointGetProcessesAction + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agent_policies/_bulk_get
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get multiple agent policies by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-agents-read OR fleet-setup. + operationId: post-fleet-agent-policies-bulk-get + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: 'Format for the response: simplified or legacy' + in: query + name: format + required: false + schema: + enum: + - simplified + - legacy + type: string requestBody: content: application/json: examples: - singleEndpoint: - summary: Get running processes on a single endpoint + postBulkGetAgentPoliciesRequestExample: + description: Retrieve multiple agent policies by ID value: - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 + ids: + - agent-policy-id-1 + - agent-policy-id-2 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_GetProcessesRouteRequestBody - required: true + additionalProperties: false + type: object + properties: + full: + description: get full policies with package policies populated + type: boolean + ids: + description: list of package policy ids + items: + type: string + maxItems: 1000 + type: array + ignoreMissing: + type: boolean + required: + - ids responses: '200': content: application/json: examples: - RunningProcsSuccess: - summary: Running processes action successfully created + postBulkGetAgentPoliciesExample: + description: The requested agent policies value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: running-processes - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 233db9ea-6733-4849-9226-5a7039c7161d - isCompleted: false - isExpired: false - outputs: {} - startedAt: '2022-07-29T19:08:49.126Z' - status: pending - wasSuccessful: false + items: + - id: 
agent-policy-id-1 + is_managed: false + is_protected: false + name: My agent policy + namespace: default + revision: 1 + status: active + updated_at: '2024-01-15T10:00:00.000Z' + updated_by: user1 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse - description: Indicates a successful call. - summary: Get running processes + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_get_agent_policies_response' + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: One or more agent policies were not found + value: + error: Not Found + message: An error message describing what went wrong + statusCode: 404 + description: Not Found + summary: Bulk get agent policies tags: - - Security Endpoint Management API - /api/endpoint/action/runscript: - post: - description: Run a script on a host. Currently supported only for some agent types. 
- operationId: RunScriptAction - requestBody: - content: - application/json: - examples: - Elastic Defend: - description: Endpoint runscript to collect logs - summary: Run a script against an Elastic Defend agent - value: - agent_type: endpoint - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - scriptId: 1111-2222-3333-4444-5555-6666-7777-8888 - scriptInput: '--path= /usr/log/exec.log' - MDE: - description: Microsoft Defender Endpoint runscript - summary: Run a script against a Microsoft Defender Endpoint agent - value: - agent_type: microsoft_defender_endpoint - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - args: '-param1 value1 -param2 value2' - scriptName: my-script.ps1 - SentinelOne: - description: SentinelOne runscript - summary: Run a script against a SentinelOne agent - value: - agent_type: sentinel_one - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - scriptId: 1111-2222-3333-4444-5555-6666-7777-8888 - scriptInput: >- - --delete --paths-to-delete - /tmp/temp_file.txt,/tmp/random_file.txt - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_RunScriptRouteRequestBody - required: true + - Elastic Agent policies + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agent_policies/{agentPolicyId}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-agents-read OR fleet-setup. + operationId: get-fleet-agent-policies-agentpolicyid + parameters: + - description: The ID of the agent policy + in: path + name: agentPolicyId + required: true + schema: + type: string + - description: 'Format for the response: simplified or legacy' + in: query + name: format + required: false + schema: + enum: + - simplified + - legacy + type: string responses: '200': content: application/json: examples: - RunScriptSuccess: - summary: Run script action successfully created + getAgentPolicyExample: + description: An agent policy value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: sentinel_one - command: runscript - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 233db9ea-6733-4849-9226-5a7039c7161d - isCompleted: false - isExpired: false - outputs: {} - parameters: - scriptId: 1111-2222-3333-4444-5555-6666-7777-8888 - startedAt: '2022-07-29T19:08:49.126Z' - status: pending - wasSuccessful: false + item: + description: A sample agent policy + id: agent-policy-id-1 + is_managed: false + is_protected: false + name: My agent policy + namespace: default + revision: 1 + status: active + updated_at: '2024-01-15T10:00:00.000Z' + updated_by: user1 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse - description: Indicates a successful call. 
- summary: Run a script + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_agent_policy_response' + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No agent policy was found with the given ID + value: + error: Not Found + message: Agent policy not found + statusCode: 404 + description: Not Found + summary: Get an agent policy tags: - - Security Endpoint Management API - /api/endpoint/action/scan: - post: - description: Scan a specific file or directory on an endpoint for malware. - operationId: EndpointScanAction + - Elastic Agent policies + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all. + operationId: put-fleet-agent-policies-agentpolicyid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The ID of the agent policy + in: path + name: agentPolicyId + required: true + schema: + type: string + - description: 'Format for the response: simplified or legacy' + in: query + name: format + required: false + schema: + enum: + - simplified + - legacy + type: string requestBody: content: application/json: examples: - scanFile: - summary: Scan a file on an endpoint + putAgentPolicyRequestExample: + description: Update an agent policy value: - comment: Scan the file for malware - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - path: /usr/my-file.txt + description: An updated agent policy description + monitoring_enabled: + - logs + name: Updated agent policy + namespace: default schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ScanRouteRequestBody - required: true + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_agent_policy' responses: '200': content: application/json: examples: - ScanSuccess: - summary: Scan action successfully created + putAgentPolicyExample: + description: The updated agent policy value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: scan - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 27ba1b42-7cc6-4e53-86ce-675c876092b2 - isCompleted: false - isExpired: false - outputs: {} - parameters: - path: /usr/my-file.txt - startedAt: '2023-07-28T19:00:03.911Z' - status: pending - wasSuccessful: false + item: + description: An updated agent policy description + id: agent-policy-id-1 + 
is_managed: false + is_protected: false + name: Updated agent policy + namespace: default + revision: 2 + status: active + updated_at: '2024-01-15T11:00:00.000Z' + updated_by: user1 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse - description: Indicates a successful call. - summary: Scan a file or directory + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_agent_policy_response' + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Update an agent policy tags: - - Security Endpoint Management API - /api/endpoint/action/state: + - Elastic Agent policies + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agent_policies/{agentPolicyId}/auto_upgrade_agents_status: get: - description: >- - Get a response actions state, which reports whether encryption is - enabled. - operationId: EndpointGetActionsState + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/auto_upgrade_agents_status
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the auto-upgrade status for agents assigned to an agent policy.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agent-policies-agentpolicyid-auto-upgrade-agents-status + parameters: + - description: The ID of the agent policy + in: path + name: agentPolicyId + required: true + schema: + type: string responses: '200': content: application/json: examples: - actionsState: - summary: Response actions state with encryption enabled + getAutoUpgradeAgentsStatusExample: + description: Auto-upgrade status for agents in the policy value: - data: - canEncrypt: true + agentsCount: 5 + currentVersion: 8.16.0 + failedAgentsCount: 0 + upgradedAgentsCount: 3 + upgradingAgentsCount: 1 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ActionStateSuccessResponse - description: OK - summary: Get actions state + additionalProperties: false + type: object + properties: + currentVersions: + items: + additionalProperties: false + type: object + properties: + agents: + description: Number of agents that upgraded to this version + type: number + failedUpgradeActionIds: + description: List of action IDs related to failed upgrades + items: + type: string + maxItems: 1000 + type: array + failedUpgradeAgents: + description: Number of agents that failed to upgrade to this version + type: number + inProgressUpgradeActionIds: + description: List of action IDs related to in-progress upgrades + items: + type: string + maxItems: 1000 + type: array + inProgressUpgradeAgents: + description: Number of agents that are upgrading to this version + type: number + version: + description: Agent version + type: string + required: + - version + - agents + - failedUpgradeAgents + - inProgressUpgradeAgents + maxItems: 10000 + type: array + totalAgents: + type: number + required: + - currentVersions + - totalAgents + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad 
Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get auto upgrade agent status tags: - - Security Endpoint Management API - /api/endpoint/action/suspend_process: + - Elastic Agent policies + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agent_policies/{agentPolicyId}/copy: post: - description: Suspend a running process on an endpoint. - operationId: EndpointSuspendProcessAction + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/copy
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Copy an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all. + operationId: post-fleet-agent-policies-agentpolicyid-copy + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The ID of the agent policy + in: path + name: agentPolicyId + required: true + schema: + type: string + - description: 'Format for the response: simplified or legacy' + in: query + name: format + required: false + schema: + enum: + - simplified + - legacy + type: string requestBody: content: application/json: examples: - byEntityId: - summary: Suspend a process by entity ID - value: - comment: Suspending suspicious process - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - entity_id: abc123 - byPid: - summary: Suspend a process by PID + postCopyAgentPolicyRequestExample: + description: Copy an agent policy with a new name value: - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - parameters: - pid: 1234 + description: A copy of the original agent policy + name: Copy of my agent policy schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_SuspendProcessRouteRequestBody - required: true + $ref: '#/components/schemas/Kibana_HTTP_APIs_copy_agent_policy_request' responses: '200': content: application/json: examples: - SuspendProcessSuccess: - summary: Suspend process action successfully created + postCopyAgentPolicyExample: + description: The copied agent policy value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: suspend-process - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 233db9ea-6733-4849-9226-5a7039c7161d - isCompleted: false - isExpired: false - outputs: {} - parameters: - entity_id: abc123 - 
startedAt: '2022-07-29T19:08:49.126Z' - status: pending - wasSuccessful: false + item: + description: A copy of the original agent policy + id: agent-policy-id-copy-1 + is_managed: false + is_protected: false + name: Copy of my agent policy + namespace: default + revision: 1 + status: active + updated_at: '2024-01-15T11:00:00.000Z' + updated_by: user1 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse - description: Indicates a successful call. - summary: Suspend a process - tags: - - Security Endpoint Management API - /api/endpoint/action/unisolate: - post: - description: Release an isolated endpoint, allowing it to rejoin a network. - operationId: EndpointUnisolateAction - requestBody: - content: - application/json: - examples: - multipleHosts: - summary: 'Releases several hosts; includes a comment:' - value: - comment: Benign process identified, releasing group - endpoint_ids: - - 9972d10e-4b9e-41aa-a534-a85e2a28ea42 - - bc0e4f0c-3bca-4633-9fee-156c0b505d16 - - fa89271b-b9d4-43f2-a684-307cffddeb5a - singleHost: - summary: >- - Releases a single host with an endpoint_id value of - ed518850-681a-4d60-bb98-e22640cae2a8 - value: - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - withCaseId: - summary: Releases hosts with an associated case; includes a comment. - value: - case_ids: - - 4976be38-c134-4554-bd5e-0fd89ce63667 - comment: Remediation complete, restoring network - endpoint_ids: - - 1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0 - - b30a11bf-1395-4707-b508-fbb45ef9793e - schema: - type: object - properties: - agent_type: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_AgentTypes - alert_ids: - description: >- - If this action is associated with any alerts, they can be - specified here. The action will be logged in any cases - associated with the specified alerts. Max of 50. 
- example: - - alert-id-1 - - alert-id-2 - items: - minLength: 1 + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_agent_policy_response' + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: type: string - maxItems: 50 - minItems: 1 - type: array - case_ids: - description: >- - The IDs of cases where the action taken will be logged. Max - of 50. - example: - - case-id-1 - - case-id-2 - items: - minLength: 1 + errorType: type: string - maxItems: 50 - minItems: 1 - type: array - comment: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_Comment - endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds - parameters: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_Parameters - required: - - endpoint_ids - required: true + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Copy an agent policy + tags: + - Elastic Agent policies + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agent_policies/{agentPolicyId}/download: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/download
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Download an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-setup. + operationId: get-fleet-agent-policies-agentpolicyid-download + parameters: + - description: The ID of the agent policy + in: path + name: agentPolicyId + required: true + schema: + type: string + - description: If true, returns the policy as a downloadable file + in: query + name: download + required: false + schema: + type: boolean + - description: If true, returns the policy formatted for standalone agents + in: query + name: standalone + required: false + schema: + type: boolean + - description: If true, returns the policy formatted for Kubernetes deployment + in: query + name: kubernetes + required: false + schema: + type: boolean + - description: If provided, returns the policy at the specified revision. Cannot be used with standalone or kubernetes flags. + in: query + name: revision + required: false + schema: + type: number responses: '200': content: application/json: examples: - UnisolateSuccess: - summary: Unisolate action successfully created + getDownloadAgentPolicyExample: + description: The agent policy download response value: - action: 233db9ea-6733-4849-9226-5a7039c7161d - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: unisolate - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: gke-node-1235412 - id: 233db9ea-6733-4849-9226-5a7039c7161d - isCompleted: false - isExpired: false - outputs: {} - startedAt: '2022-07-29T19:08:49.126Z' - status: pending - wasSuccessful: false + item: 'id: agent-policy-id-1\nrevision: 1\noutputs:\n default:\n type: elasticsearch\n hosts:\n - https://elasticsearch.example.com:9200\n' schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_UnisolateRouteResponse - description: Indicates a successful call. 
- summary: Release an isolated endpoint - tags: - - Security Endpoint Management API - /api/endpoint/action/upload: - post: - description: Upload a file to an endpoint. - operationId: EndpointUploadAction - requestBody: - content: - multipart/form-data: - examples: - uploadFile: - summary: Upload a script file to a specific endpoint - value: - comment: Pushing remediation script to host - endpoint_ids: - - ed518850-681a-4d60-bb98-e22640cae2a8 - file: RWxhc3RpYw== - parameters: - overwrite: false - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_UploadRouteRequestBody - required: true - responses: - '200': + type: string + description: Successful response — returns the agent policy as a YAML file download + '400': content: application/json: examples: - UploadSuccess: - summary: Upload action successfully created + genericErrorResponseExample: + description: Example of a generic error response value: - data: - agents: - - ed518850-681a-4d60-bb98-e22640cae2a8 - agentState: - ed518850-681a-4d60-bb98-e22640cae2a8: - isCompleted: false - wasSuccessful: false - agentType: endpoint - command: upload - createdBy: elastic - hosts: - ed518850-681a-4d60-bb98-e22640cae2a8: - name: Host-5i6cuc8kdv - id: 9ff6aebc-2cb6-481e-8869-9b30036c9731 - isCompleted: false - isExpired: false - outputs: {} - parameters: - file_id: 10e4ce3d-4abb-4f93-a0cd-eaf63a489280 - file_name: fix-malware.sh - file_sha256: >- - a0bed94220193ba4895c0aa5b4e7e293381d15765cb164ddf7be5cdd010ae42a - file_size: 69 - startedAt: '2023-07-03T15:07:22.837Z' - status: pending - wasSuccessful: false + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + 
'404': + content: + application/json: + examples: + notFoundExample: + description: No agent policy was found with the given ID + value: + error: Not Found + message: Agent policy not found + statusCode: 404 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse - description: Indicates a successful call. - summary: Upload a file + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Not Found + summary: Download an agent policy tags: - - Security Endpoint Management API - /api/endpoint/metadata: + - Elastic Agent policies + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agent_policies/{agentPolicyId}/full: get: - description: Get a list of all endpoint host metadata. - operationId: GetEndpointMetadataList + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/full
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a full agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read. + operationId: get-fleet-agent-policies-agentpolicyid-full parameters: - - description: The page number to return. - in: query - name: page - required: false + - description: The ID of the agent policy + in: path + name: agentPolicyId + required: true schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Page' - - description: The number of endpoints to return per page. + type: string + - description: If true, returns the policy as a downloadable file in: query - name: pageSize + name: download required: false schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_PageSize' - - description: A KQL string to filter the endpoint metadata results. + type: boolean + - description: If true, returns the policy formatted for standalone agents in: query - name: kuery + name: standalone required: false schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Kuery' - - description: >- - A set of host statuses to filter the results by (for example, - `healthy`, `updating`). - in: query - name: hostStatuses - required: true - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_HostStatuses' - - description: The field used to sort the results. + type: boolean + - description: If true, returns the policy formatted for Kubernetes deployment in: query - name: sortField + name: kubernetes required: false schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_SortField' - - description: The sort order, either `asc` or `desc`. + type: boolean + - description: If provided, returns the policy at the specified revision. Cannot be used with standalone or kubernetes flags. 
in: query - name: sortDirection + name: revision required: false schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_SortDirection + type: number responses: '200': content: application/json: examples: - metadataList: - summary: A list of endpoint host metadata + getFullAgentPolicyExample: + description: The full agent policy configuration value: - data: - - host_status: healthy - last_checkin: '2023-07-04T15:47:57.432Z' - metadata: - agent: - id: 285297c6-3bff-4b83-9a07-f3e749801123 - type: endpoint - version: 8.10.0 - Endpoint: - policy: - applied: - id: d5371dcd-93b7-4627-af88-4084f7d6aa3e - name: test - status: success - status: enrolled - host: - hostname: WinDev2104Eval - os: - name: Windows - platform: windows - version: 20H2 - page: 0 - pageSize: 10 - sortDirection: desc - sortField: enrolled_at - total: 1 + item: + agent: + monitoring: + logs: true + metrics: true + id: agent-policy-id-1 + inputs: [] + outputs: + default: + hosts: + - https://elasticsearch.example.com:9200 + type: elasticsearch + revision: 1 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_MetadataListResponse - description: Indicates a successful call. 
- summary: Get a metadata list + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_full_agent_policy_response' + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No agent policy was found with the given ID + value: + error: Not Found + message: Agent policy not found + statusCode: 404 + description: Not Found + summary: Get a full agent policy tags: - - Security Endpoint Management API - /api/endpoint/metadata/{id}: + - Elastic Agent policies + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agent_policies/{agentPolicyId}/outputs: get: - description: Get host metadata for a specific endpoint. - operationId: GetEndpointMetadata + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/outputs
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of outputs associated with agent policy by policy id.

[Required authorization] Route required privileges: fleet-agent-policies-read AND fleet-settings-read. + operationId: get-fleet-agent-policies-agentpolicyid-outputs parameters: - - description: The agent ID of the endpoint. + - description: The ID of the agent policy in: path - name: id + name: agentPolicyId required: true schema: - example: ed518850-681a-4d60-bb98-e22640cae2a8 type: string responses: '200': content: application/json: examples: - endpointMetadata: - summary: Host metadata for a specific endpoint + getAgentPolicyOutputsExample: + description: Outputs associated with the agent policy value: - host_status: healthy - last_checkin: '2023-07-04T15:48:57.360Z' - metadata: - agent: - id: abb8a826-6812-448c-a571-6d8269b51449 - type: endpoint - version: 8.10.0 - Endpoint: - policy: - applied: - id: d5371dcd-93b7-4627-af88-4084f7d6aa3e - name: test - status: success - status: enrolled - host: - hostname: WinDev2104Eval - os: - name: Windows - platform: windows - version: 20H2 + item: + data_output: + id: output-id-1 + name: Default output + type: elasticsearch + monitoring_output: + id: output-id-1 + name: Default output + type: elasticsearch schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointMetadataResponse - description: Indicates a successful call. - summary: Get metadata - tags: - - Security Endpoint Management API - /api/endpoint/policy_response: - get: - description: Get the most recent policy response for an endpoint. - operationId: GetPolicyResponse - parameters: - - description: The agent ID to retrieve the policy response for. 
- in: query - name: agentId - required: true - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentId' - responses: - '200': + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_agent_policy_outputs_response' + description: Successful response + '400': content: application/json: examples: - policyResponse: - summary: The most recent policy response for an endpoint + genericErrorResponseExample: + description: Example of a generic error response value: - policy_response: - '@timestamp': '2023-07-04T15:48:57.360Z' - agent: - id: ed518850-681a-4d60-bb98-e22640cae2a8 - version: 7.16.0 - Endpoint: - policy: - applied: - endpoint_policy_version: '2' - id: d5371dcd-93b7-4627-af88-4084f7d6aa3e - name: My endpoint policy - status: success - version: '3' + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_SuccessResponse - description: Indicates a successful call. - summary: Get a policy response + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No agent policy was found with the given ID + value: + error: Not Found + message: Agent policy not found + statusCode: 404 + description: Not Found + summary: Get outputs for an agent policy tags: - - Security Endpoint Management API - /api/endpoint/protection_updates_note/{package_policy_id}: - get: - description: Get the protection updates note for a package policy. 
- operationId: GetProtectionUpdatesNote + - Elastic Agent policies + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agent_policies/delete: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agent_policies/delete
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all. + operationId: post-fleet-agent-policies-delete parameters: - - description: The package policy ID to retrieve the protection updates note for. - in: path - name: package_policy_id + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: + example: 'true' type: string + requestBody: + content: + application/json: + examples: + postDeleteAgentPolicyRequestExample: + description: Delete an agent policy by ID + value: + agentPolicyId: agent-policy-id-1 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_delete_agent_policy_request' responses: '200': content: application/json: examples: - protectionUpdatesNote: - summary: The protection updates note for a package policy + postDeleteAgentPolicyExample: + description: The agent policy was successfully deleted value: - note: >- - Pinned protection updates to 2025-01-01 while validating - new signatures. + id: agent-policy-id-1 + name: My agent policy schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse - description: Indicates a successful call. 
- summary: Get a protection updates note + $ref: '#/components/schemas/Kibana_HTTP_APIs_delete_agent_policy_response' + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Delete an agent policy tags: - - Security Endpoint Management API + - Elastic Agent policies + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agent_policies/outputs: post: - description: Create or update the protection updates note for a package policy. - operationId: CreateUpdateProtectionUpdatesNote + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agent_policies/outputs
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of outputs associated with agent policies.

[Required authorization] Route required privileges: fleet-agent-policies-read AND fleet-settings-read. + operationId: post-fleet-agent-policies-outputs parameters: - - description: >- - The package policy ID to create or update the protection updates - note for. - in: path - name: package_policy_id + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: + example: 'true' type: string requestBody: content: application/json: examples: - setNote: - summary: Set a new protection updates note + postListAgentPolicyOutputsRequestExample: + description: Get outputs for multiple agent policies value: - note: >- - Pinned protection updates to 2025-01-01 while validating new - signatures. + ids: + - agent-policy-id-1 + - agent-policy-id-2 schema: - type: object - properties: - note: - description: The note content. - type: string - required: true + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_list_agent_policy_outputs_request' responses: '200': content: application/json: examples: - noteSaved: - summary: Protection updates note saved + postListAgentPolicyOutputsExample: + description: Outputs associated with the requested agent policies + value: + items: + - agent_policy_id: agent-policy-id-1 + data_output: + id: output-id-1 + name: Default output + type: elasticsearch + monitoring_output: + id: output-id-1 + name: Default output + type: elasticsearch + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_list_agent_policy_outputs_response' + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: 
string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get outputs for agent policies + tags: + - Elastic Agent policies + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agent_status: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agent_status
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a summary of agent statuses for a given agent policy. + operationId: get-fleet-agent-status + parameters: + - description: Filter by agent policy ID + in: query + name: policyId + required: false + schema: + type: string + - description: Filter by one or more agent policy IDs + in: query + name: policyIds + required: false + schema: + items: + type: string + maxItems: 1000 + type: array + - description: A KQL query string to filter results + in: query + name: kuery + required: false + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getAgentStatusExample: + description: Agent status summary for an agent policy + value: + results: + error: 1 + offline: 2 + online: 5 + other: 0 + updating: 0 + totalInactive: 0 + schema: + additionalProperties: false + type: object + properties: + results: + additionalProperties: false + type: object + properties: + active: + type: number + all: + type: number + error: + type: number + events: + type: number + inactive: + type: number + offline: + type: number + online: + type: number + orphaned: + type: number + other: + type: number + unenrolled: + type: number + uninstalled: + type: number + updating: + type: number + required: + - events + - online + - error + - offline + - other + - updating + - inactive + - unenrolled + - all + - active + required: + - results + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response value: - note: >- - Pinned protection updates to 2025-01-01 while validating - new signatures. + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse - description: Indicates a successful call. 
- summary: Create or update a protection updates note + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get an agent status summary tags: - - Security Endpoint Management API - /api/endpoint/scripts_library: + - Elastic Agent status + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agent_status/data: get: - description: Retrieve a list of scripts - operationId: EndpointScriptLibraryListScripts + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agent_status/data
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the data streams that an agent is actively sending data to.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agent-status-data parameters: - - description: Page number of the results to return. Defaults to 1. - in: query - name: page - required: false - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Page' - - description: >- - Number of results to return per page. Defaults to 10. Max value is - 1000. + - description: Agent IDs to check data for, as an array or comma-separated string in: query - name: pageSize - required: false + name: agentsIds + required: true schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_ApiPageSize' - - description: The field to sort the results by. Defaults to name. + items: + type: string + maxItems: 10000 + type: array + - description: Filter by integration package name in: query - name: sortField + name: pkgName required: false schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_ApiSortField' - - description: The direction to sort the results by. Defaults to asc (ascending). + type: string + - description: Filter by integration package version in: query - name: sortDirection + name: pkgVersion required: false schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_SortDirection - - description: > - A KQL query string to filter the list of scripts. Nearly all fields - in the script object are searchable. 
+ type: string + - description: When true, return a preview of the ingested data in: query - name: kuery + name: previewData required: false schema: - allOf: - - $ref: '#/components/schemas/Security_Endpoint_Management_API_Kuery' - - example: platform:windows + default: false + type: boolean responses: '200': content: application/json: examples: - response: - summary: List of scripts response example + getAgentDataExample: + description: Data streams the agent is actively sending data to value: - data: [] - page: 1 - pageSize: 10 - sortDirection: asc - sortField: name - total: 100 + items: + - data: + logs-nginx.access-default: + - id: agent-id-1 + name: my-host + total: 1 + totalMonitoring: 0 schema: + additionalProperties: false type: object properties: - data: + dataPreview: items: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointScript + nullable: true + maxItems: 10000 type: array - page: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Page' - pageSize: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ApiPageSize - sortDirection: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_SortDirection - sortField: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ApiSortField - total: - description: The total number of scripts matching the query - type: integer - description: List of scripts response - summary: Get a list of scripts - tags: - - Security Endpoint Management API - post: - description: Create a new script entry by uploading a script file - operationId: EndpointScriptLibraryCreateScript - requestBody: - content: - multipart/form-data: - examples: - CreateArchiveScriptEntry: - summary: Create an archive script entry - value: - description: Collects host data for investigation - example: ./collect_host_data.sh --help - file: ./collect_host_data.zip - fileType: archive - instructions: Collects host data for investigation - name: Collect host data - pathToExecutable: 
./bin/collect_host_data.sh - platform: - - linux - - macos - requiresInput: false - CreateScriptEntry: - summary: Create a script entry - value: - description: Collects host data for investigation - example: ./collect_host_data.sh --help - file: ./collect_host_data.sh - fileType: script - instructions: Collects host data for investigation - name: Collect host data - platform: - - linux - - macos - requiresInput: false - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_CreateScriptRouteRequestBody - required: true - responses: - '200': + items: + items: + additionalProperties: + additionalProperties: false + type: object + properties: + data: + type: boolean + required: + - data + type: object + maxItems: 10000 + type: array + required: + - items + - dataPreview + description: Successful response + '400': content: application/json: examples: - CreateScriptEntrySuccess: - summary: Create a script entry + genericErrorResponseExample: + description: Example of a generic error response value: - data: - description: Collects host data for investigation - file: ./collect_host_data.sh - fileType: script - id: 1234567890 - instructions: No arguments required - name: Collect host data - platform: - - linux - - macos - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ScriptsApiResponse - description: Action request was successfully created - summary: Create script - tags: - - Security Endpoint Management API - /api/endpoint/scripts_library/{script_id}: - delete: - description: Delete a script - operationId: EndpointScriptLibraryDeleteScript - parameters: - - description: The ID of the script entry to be deleted. - example: fr518850-681a-4y60-aa98-e22640cae2b8 - in: path - name: script_id - required: true - schema: - description: The ID of the script entry to be deleted. 
- example: fr518850-681a-4y60-aa98-e22640cae2b8 - type: string - responses: - '200': - content: - application/json: - examples: - response: - summary: Delete script response example. - value: {} + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: + additionalProperties: false + description: Generic Error type: object - description: Delete script response. - summary: Delete a script + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get incoming agent data tags: - - Security Endpoint Management API - get: - description: Get a script - operationId: EndpointScriptLibraryGetOneScript + - Elastic Agents + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agentless_policies: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agentless_policies
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create an agentless policy + operationId: post-fleet-agentless-policies parameters: - - description: The ID of the script entry. - example: fr518850-681a-4y60-aa98-e22640cae2b8 - in: path - name: script_id + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: - description: The ID of the script entry. - example: fr518850-681a-4y60-aa98-e22640cae2b8 + example: 'true' type: string - responses: - '200': - content: - application/json: - examples: - UpdateScriptEntrySuccess: - summary: Get one script entry success - value: - data: - description: Collects host data for investigation - file: ./collect_host_data.sh - fileType: script - id: 1234567890 - instructions: No arguments required - name: Collect host data - platform: - - linux - - macos - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ScriptsApiResponse - description: Get script response - summary: Get script - tags: - - Security Endpoint Management API - patch: - description: Update (full or partial) a script entry - operationId: EndpointScriptLibraryPatchUpdateScript - parameters: - - description: The ID of the script entry to be updated. - example: fr518850-681a-4y60-aa98-e22640cae2b8 - in: path - name: script_id - required: true + - description: The format of the response package policy. + in: query + name: format + required: false schema: - description: The ID of the script entry to be updated. 
- example: fr518850-681a-4y60-aa98-e22640cae2b8 + default: simplified + enum: + - legacy + - simplified type: string requestBody: content: - multipart/form-data: + application/json: examples: - PatchUpdateScriptEntry: - summary: Update script entry instructions + createAgentlessPoliciesRequestExample: + description: Example request to create agentless policies value: - instructions: ./collect_host_data.sh --help - PatchUpdateScriptEntryFromArchiveToScript: - summary: Update script entry from an archive to a script + description: test + inputs: + ESS Billing-cel: + enabled: true + streams: + ess_billing.billing: + enabled: true + vars: + hide_sensitive: true + http_client_timeout: 30s + lookbehind: 365 + tags: + - forwarded + - billing + ess_billing.credits: + enabled: false + vars: + api_key: + organization_id: '1234' + name: ess_billing-1 + namespace: default + package: + name: ess_billing + version: 1.6.0 + createAgentlessPoliciesReuseAWSCloudConnectorExample: + description: Example request to create agentless policy reusing an existing AWS cloud connector value: - fileType: script - PatchUpdateScriptEntryToArchive: - summary: Update script entry to be an archive + cloud_connector: + cloud_connector_id: existing-aws-connector-id + target_csp: aws + description: CSPM integration for AWS reusing existing cloud connector + inputs: + cspm-cloudbeat/cis_aws: + enabled: true + streams: + cloud_security_posture.findings: + enabled: true + vars: + aws.account_type: organization-account + aws.credentials.type: cloud_connector + aws.supports_cloud_connectors: true + external_id: + id: ABCDEFGHIJKLMNOPQRST + isSecretRef: true + role_arn: arn:aws:iam::123456789012:role/TestRole + vars: + cloud_formation_template: https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https://elastic-cspm-cft.s3.eu-central-1.amazonaws.com/cloudformation-cspm-ACCOUNT_TYPE-9.2.0.yml + cspm-cloudbeat/cis_azure: + enabled: false + cspm-cloudbeat/cis_gcp: + enabled: 
false + name: cspm-aws-reuse-policy + namespace: default + package: + name: cloud_security_posture + version: 3.1.1 + vars: + deployment: aws + posture: cspm + createAgentlessPoliciesWithAWSCloudConnectorExample: + description: Example request to create agentless policy with AWS cloud connector value: - fileType: archive - pathToExecutable: ./bin/collect_host_data.sh + cloud_connector: + target_csp: aws + description: CSPM integration for AWS with cloud connector + inputs: + cspm-cloudbeat/cis_aws: + enabled: true + streams: + cloud_security_posture.findings: + enabled: true + vars: + aws.account_type: organization-account + aws.credentials.type: cloud_connector + aws.supports_cloud_connectors: true + external_id: + id: ABCDEFGHIJKLMNOPQRST + isSecretRef: true + role_arn: arn:aws:iam::123456789012:role/TestRole + vars: + cloud_formation_template: https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https://elastic-cspm-cft.s3.eu-central-1.amazonaws.com/cloudformation-cspm-ACCOUNT_TYPE-9.2.0.yml + cspm-cloudbeat/cis_azure: + enabled: false + cspm-cloudbeat/cis_gcp: + enabled: false + name: cspm-aws-policy + namespace: default + package: + name: cloud_security_posture + version: 3.1.1 + vars: + deployment: aws + posture: cspm + createAgentlessPoliciesWithAzureCloudConnectorExample: + description: Example request to create agentless policy with Azure cloud connector + value: + cloud_connector: + target_csp: azure + description: CSPM integration for Azure with cloud connector + inputs: + cspm-cloudbeat/cis_aws: + enabled: false + cspm-cloudbeat/cis_azure: + enabled: true + streams: + cloud_security_posture.findings: + enabled: true + vars: + azure_credentials_cloud_connector_id: + type: text + value: existing-azure-credentials-connector-id + azure.account_type: organization-account + client_id: + id: client-secret-id + isSecretRef: true + tenant_id: + id: tenant-secret-id + isSecretRef: true + cspm-cloudbeat/cis_gcp: + enabled: false + 
name: cspm-azure-policy + namespace: default + package: + name: cloud_security_posture + version: 3.1.1 + vars: + deployment: azure + posture: cspm schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PatchUpdateScriptRouteRequestBody - required: true + $ref: '#/components/schemas/Kibana_HTTP_APIs_simplified_create_package_policy_request' responses: '200': content: application/json: examples: - UpdateScriptEntrySuccess: - summary: Update script entry success + createAgentlessPoliciesResponseExample: + description: Example response showing the successful result of communication initialisation over MCP protocol value: - data: - description: Collects host data for investigation - file: ./collect_host_data.sh - fileType: script - id: 1234567890 - instructions: No arguments required - name: Collect host data - platform: - - linux - - macos - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ScriptsApiResponse - description: Action request was successfully updated - summary: Update script - tags: - - Security Endpoint Management API - /api/endpoint/scripts_library/{script_id}/download: - get: - description: Download a script file - operationId: EndpointScriptLibraryDownloadScript - parameters: - - description: The ID of the script entry. - example: fr518850-681a-4y60-aa98-e22640cae2b8 - in: path - name: script_id - required: true - schema: - description: The ID of the script entry. - example: fr518850-681a-4y60-aa98-e22640cae2b8 - type: string - responses: - '200': - content: - application/octet-stream: - examples: - response: - summary: Download script file response example. - value: null - schema: - description: A download stream is returned. - format: binary - type: string - description: Download script file response. 
- summary: Download a script file - tags: - - Security Endpoint Management API - /api/entity_analytics/monitoring/engine/delete: - delete: - description: >- - Deletes the Privilege Monitoring Engine and optionally removes all - associated privileged user data. - operationId: DeleteMonitoringEngine - parameters: - - description: Whether to delete all the privileged user data - in: query - name: data - required: false - schema: - default: false - type: boolean - responses: - '200': - content: - application/json: - examples: - DeleteMonitoringEngineResponse: - summary: Engine deleted successfully + item: + created_at: '2025-11-06T18:27:43.541Z' + created_by: test_user + description: test + enabled: true + id: d52a7812-5736-4fdc-aed8-72152afa1ffa + inputs: + ESS Billing-cel: + enabled: true + streams: + ess_billing.billing: + enabled: true + vars: + hide_sensitive: true + http_client_timeout: 30s + lookbehind: 365 + tags: + - forwarded + - billing + ess_billing.credits: + enabled: false + vars: + api_key: + id: QY1sWpoBbWcMW-edr0Ee + isSecretRef: true + organization_id: '1234' + url: https://billing.elastic-cloud.com + name: ess_billing-1 + namespace: default + package: + name: ess_billing + title: Elasticsearch Service Billing + version: 1.6.0 + revision: 1 + secret_references: + - id: QY1sWpoBbWcMW-edr0Ee + supports_agentless: true + updated_at: '2025-11-06T18:27:43.541Z' + updated_by: test_user + version: WzE0OTgsMV0= + createAgentlessPoliciesWithAWSCloudConnectorResponseExample: + description: Example response for AWS cloud connector integration value: - deleted: true + item: + cloud_connector_id: aws-connector-67890 + created_at: '2025-11-06T18:27:43.541Z' + created_by: test_user + description: CSPM integration for AWS with cloud connector + enabled: true + id: aws-policy-12345 + inputs: + cspm-cloudbeat/cis_aws: + enabled: true + streams: + cloud_security_posture.findings: + enabled: true + vars: + aws.account_type: organization-account + aws.credentials.type: 
cloud_connector + external_id: + id: secret-external-id-123 + isSecretRef: true + role_arn: arn:aws:iam::123456789012:role/TestRole + vars: + cloud_formation_template: https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https://elastic-cspm-cft.s3.eu-central-1.amazonaws.com/cloudformation-cspm-ACCOUNT_TYPE-9.2.0.yml + cspm-cloudbeat/cis_azure: + enabled: false + cspm-cloudbeat/cis_gcp: + enabled: false + name: cspm-aws-policy + namespace: default + package: + name: cloud_security_posture + title: Cloud Security Posture Management + version: 3.1.1 + revision: 1 + secret_references: + - id: secret-external-id-123 + supports_agentless: true + supports_cloud_connector: true + updated_at: '2025-11-06T18:27:43.541Z' + updated_by: test_user + vars: + deployment: aws + posture: cspm + version: WzE0OTgsMV0= + createAgentlessPoliciesWithAzureCloudConnectorResponseExample: + description: Example response for Azure cloud connector integration + value: + item: + cloud_connector_id: azure-connector-67890 + created_at: '2025-11-06T18:27:43.541Z' + created_by: test_user + description: CSPM integration for Azure with cloud connector + enabled: true + id: azure-policy-12345 + inputs: + cspm-cloudbeat/cis_aws: + enabled: false + cspm-cloudbeat/cis_azure: + enabled: true + streams: + cloud_security_posture.findings: + enabled: true + vars: + azure_credentials_cloud_connector_id: + type: text + value: existing-azure-credentials-connector-id + azure.account_type: organization-account + client_id: + id: client-secret-id-456 + isSecretRef: true + tenant_id: + id: tenant-secret-id-123 + isSecretRef: true + cspm-cloudbeat/cis_gcp: + enabled: false + name: cspm-azure-policy + namespace: default + package: + name: cloud_security_posture + title: Cloud Security Posture Management + version: 3.1.1 + revision: 1 + secret_references: + - id: tenant-secret-id-123 + - id: client-secret-id-456 + supports_agentless: true + supports_cloud_connector: true + updated_at: 
'2025-11-06T18:27:43.541Z' + updated_by: test_user + vars: + deployment: azure + posture: cspm + version: WzE0OTgsMV0= schema: + additionalProperties: false type: object properties: - deleted: - type: boolean + item: + additionalProperties: false + description: The created agentless package policy. + type: object + properties: + additional_datastreams_permissions: + description: Additional data stream permissions that will be added to the agent policy. + items: + type: string + maxItems: 1000 + nullable: true + type: array + agents: + type: number + cloud_connector_id: + description: ID of the cloud connector associated with this package policy. + nullable: true + type: string + cloud_connector_name: + description: Transient field for cloud connector name during creation. + maxLength: 255 + minLength: 1 + nullable: true + type: string + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this integration to its inputs.' + type: string + created_at: + type: string + created_by: + type: string + description: + description: Package policy description + type: string + elasticsearch: + additionalProperties: true + type: object + properties: + privileges: + additionalProperties: true + type: object + properties: + cluster: + items: + type: string + maxItems: 100 + type: array + enabled: + type: boolean + global_data_tags: + items: + additionalProperties: false + type: object + properties: + name: + description: The name of the custom field. Cannot contain spaces. + type: string + value: + anyOf: + - type: string + - type: number + description: The value of the custom field. + required: + - name + - value + maxItems: 100 + nullable: true + type: array + id: + description: Package policy unique identifier. 
+ type: string + inputs: + anyOf: + - items: + additionalProperties: false + type: object + properties: + compiled_input: + nullable: true + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' + type: string + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + name: + type: string + policy_template: + type: string + streams: + items: + additionalProperties: false + type: object + properties: + compiled_stream: + nullable: true + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' 
+ type: string + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + data_stream: + additionalProperties: false + type: object + properties: + dataset: + type: string + elasticsearch: + additionalProperties: false + type: object + properties: + dynamic_dataset: + type: boolean + dynamic_namespace: + type: boolean + privileges: + additionalProperties: false + type: object + properties: + indices: + items: + type: string + maxItems: 100 + type: array + type: + type: string + required: + - dataset + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + release: + enum: + - ga + - beta + - experimental + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - enabled + - data_stream + - compiled_stream + maxItems: 1000 + type: array + type: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. 
+ type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - type + - enabled + - streams + - compiled_input + maxItems: 100 + type: array + - additionalProperties: + additionalProperties: false + type: object + properties: + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' + type: string + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + description: Enable or disable that input. Defaults to `true` (enabled). + type: boolean + streams: + additionalProperties: + additionalProperties: false + type: object + properties: + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' + type: string + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + description: Enable or disable that stream. Defaults to `true` (enabled). + type: boolean + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Input streams. Refer to the integration documentation to know which streams are available. 
+ type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Package policy inputs. Refer to the integration documentation to know which inputs are available. + type: object + description: Package policy inputs. + is_managed: + type: boolean + name: + description: Unique name for the package policy. + type: string + namespace: + description: The package policy namespace. Leave blank to inherit the agent policy's namespace. + type: string + output_id: + nullable: true + type: string + overrides: + additionalProperties: false + description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. + nullable: true + type: object + properties: + inputs: + additionalProperties: + nullable: true + type: object + package: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_package' + package_agent_version_condition: + type: string + policy_id: + deprecated: true + description: ID of the agent policy which the package policy will be added to. + nullable: true + type: string + policy_ids: + items: + description: IDs of the agent policies that the package policy will be added to. + type: string + maxItems: 1000 + type: array + revision: + description: Package policy revision. 
+ type: number + secret_references: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 1000 + type: array + spaceIds: + items: + type: string + maxItems: 100 + type: array + supports_agentless: + default: false + description: Indicates whether the package policy belongs to an agentless agent policy. + nullable: true + type: boolean + supports_cloud_connector: + default: false + description: Indicates whether the package policy supports cloud connectors. + nullable: true + type: boolean + updated_at: + type: string + updated_by: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + anyOf: + - additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + - additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Package level variable. + version: + description: Package policy ES version. 
+ type: string + required: + - name + - enabled + - inputs + - id + - revision + - updated_at + - updated_by + - created_at + - created_by required: - - deleted - description: Successful response - summary: Delete the Privilege Monitoring Engine - tags: - - Security Entity Analytics API - /api/entity_analytics/monitoring/engine/disable: - post: - description: >- - Disables the Privilege Monitoring Engine, stopping all monitoring - activity without removing data. - operationId: DisableMonitoringEngine - responses: - '200': - content: - application/json: - examples: - DisableMonitoringEngineResponse: - summary: Engine disabled successfully - value: - status: disabled - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_MonitoringEngineDescriptor - description: Successful response - summary: Disable the Privilege Monitoring Engine - tags: - - Security Entity Analytics API - /api/entity_analytics/monitoring/engine/init: - post: - description: >- - Initializes the Privilege Monitoring Engine, setting up the required - resources and starting the engine. 
- operationId: InitMonitoringEngine - responses: - '200': - content: - application/json: - examples: - InitMonitoringEngineResponse: - summary: Engine initialized successfully - value: - status: started - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_MonitoringEngineDescriptor - description: Successful response - '500': - content: - application/json: - examples: - InitMonitoringEngineError: - summary: Internal server error during engine initialization - value: - error: - message: Failed to initialize monitoring engine - status: error - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_MonitoringEngineDescriptor - description: Internal Server Error - summary: Initialize the Privilege Monitoring Engine - tags: - - Security Entity Analytics API - /api/entity_analytics/monitoring/engine/schedule_now: - post: - description: >- - Schedules the Privilege Monitoring Engine to run as soon as possible, - triggering an immediate monitoring cycle. - operationId: ScheduleMonitoringEngine - responses: - '200': + - item + description: Indicates a successful response + '400': content: application/json: examples: - ScheduleMonitoringEngineResponse: - summary: Engine scheduled successfully + genericErrorResponseExample: + description: Example of a generic error response value: - success: true + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: + additionalProperties: false + description: Generic Error type: object properties: - success: - description: Indicates the scheduling was successful - type: boolean - description: Successful response + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request '409': content: application/json: examples: - ScheduleMonitoringEngineConflict: - summary: Engine is already running + conflictErrorResponseExample: 
+ description: Example of a conflict error response value: - message: Monitoring engine is already running + error: Conflict + message: An error message describing what went wrong + statusCode: 409 schema: + additionalProperties: false + description: Generic Error type: object properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string message: - description: Error message indicating the engine is already running type: string - description: Conflict - Monitoring engine is already running - summary: Schedule the Privilege Monitoring Engine + statusCode: + type: number + required: + - message + - attributes + description: Conflict + summary: Create an agentless policy tags: - - Security Entity Analytics API - /api/entity_analytics/monitoring/privileges/health: - get: - description: >- - Returns the current health status of the Privilege Monitoring Engine, - including engine status, error details, and user count statistics. - operationId: PrivMonHealth + - Fleet agentless policies + x-state: Experimental; added in 9.3.0 + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agentless_policies/{policyId}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/agentless_policies/{policyId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete an agentless policy + operationId: delete-fleet-agentless-policies-policyid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The ID of the policy to delete. + in: path + name: policyId + required: true + schema: + type: string + - description: Force delete the policy even if the policy is managed. + in: query + name: force + required: false + schema: + type: boolean responses: '200': content: application/json: examples: - PrivMonHealthResponse: - summary: Healthy privilege monitoring engine + createAgentlessPoliciesResponseExample: + description: Example response showing the successful result of communication initialisation over MCP protocol value: - status: started - users: - current_count: 42 - max_allowed: 1000 + item: + id: d52a7812-5736-4fdc-aed8-72152afa1ffa schema: + additionalProperties: false + description: Response for deleting an agentless package policy. type: object properties: - error: - type: object - properties: - message: - type: string - required: - - status - status: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_PrivilegeMonitoringEngineStatus - users: - description: User statistics for privilege monitoring - type: object - properties: - current_count: - description: Current number of privileged users being monitored - type: integer - max_allowed: - description: >- - Maximum number of privileged users allowed to be - monitored - type: integer - required: - - current_count - - max_allowed + id: + description: The ID of the deleted agentless package policy. 
+ type: string required: - - status - description: Successful response - summary: Health check on Privilege Monitoring - tags: - - Security Entity Analytics API - /api/entity_analytics/monitoring/privileges/privileges: - get: - description: >- - Check if the current user has all required permissions for Privilege - Monitoring - operationId: PrivMonPrivileges - responses: - '200': - content: - application/json: - examples: - PrivMonPrivilegesResponse: - summary: Privileges check response - value: - has_all_required: true - privileges: - elasticsearch: - index: - .entity_analytics.monitoring.user-default: - read: true - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EntityAnalyticsPrivileges - description: Successful response - summary: Run a privileges check on Privilege Monitoring - tags: - - Security Entity Analytics API - /api/entity_analytics/monitoring/users: - post: - description: >- - Creates a new privileged user to be monitored by the Privilege - Monitoring Engine. 
- operationId: CreatePrivMonUser - requestBody: - content: - application/json: - examples: - CreatePrivMonUserRequest: - summary: Create a monitored user - value: - entity_analytics_monitoring: - labels: - - field: department - source: api - value: IT - user: - name: john.doe - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_UserName' - required: true - responses: - '200': - content: - application/json: - examples: - CreatePrivMonUserResponse: - summary: Created monitored user - value: - '@timestamp': '2026-01-28T12:00:00.000Z' - entity_analytics_monitoring: - labels: - - field: department - source: api - value: IT - event: - ingested: '2026-01-28T12:00:00.000Z' - id: user-abc-123 - user: - is_privileged: true - name: john.doe - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_MonitoredUserDoc - description: User created successfully - summary: Create a new monitored user - tags: - - Security Entity Analytics API - /api/entity_analytics/monitoring/users/_csv: - post: - description: >- - Bulk upserts privileged users by uploading a CSV file. Returns per-row - errors and aggregate upload statistics. - operationId: PrivmonBulkUploadUsersCSV - requestBody: - content: - multipart/form-data: - examples: - PrivmonBulkUploadUsersCSVRequest: - summary: CSV file with privileged users - value: - file: | - username,is_privileged - john.doe,true - jane.smith,true - schema: - type: object - properties: - file: - description: The CSV file to upload. 
- format: binary - type: string - required: - - file - responses: - '200': + - id + description: Indicates a successful response + '400': content: application/json: examples: - PrivmonBulkUploadUsersCSVResponse: - summary: Bulk upload response with mixed results + genericErrorResponseExample: + description: Example of a generic error response value: - errors: - - index: 1 - message: Invalid monitored field - username: john.doe - stats: - failedOperations: 1 - successfulOperations: 1 - totalOperations: 2 - uploaded: 2 + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: + additionalProperties: false + description: Generic Error type: object properties: - errors: - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_PrivmonUserCsvUploadErrorItem - type: array - stats: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_PrivmonUserCsvUploadStats + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number required: - - errors - - stats - description: Bulk upload successful - '413': - description: File too large - summary: Upsert multiple monitored users via CSV upload - tags: - - Security Entity Analytics API - /api/entity_analytics/monitoring/users/{id}: - delete: - description: Removes a privileged user from monitoring by their document ID. 
- operationId: DeletePrivMonUser - parameters: - - description: The document ID of the monitored user to delete - in: path - name: id - required: true - schema: - type: string - responses: - '200': + - message + - attributes + description: Bad Request + '409': content: application/json: examples: - DeletePrivMonUserResponse: - summary: User deleted successfully + conflictErrorResponseExample: + description: Example of a conflict error response value: - acknowledged: true - message: User deleted successfully + error: Conflict + message: An error message describing what went wrong + statusCode: 409 schema: + additionalProperties: false + description: Generic Error type: object properties: - acknowledged: - description: Indicates if the deletion was successful - type: boolean + attributes: + nullable: true + error: + type: string + errorType: + type: string message: - description: >- - A message providing additional information about the - deletion status type: string + statusCode: + type: number required: - - success - description: User deleted successfully - summary: Delete a monitored user + - message + - attributes + description: Conflict + summary: Delete an agentless policy tags: - - Security Entity Analytics API - put: - description: >- - Updates the details of an existing monitored privileged user by their - document ID. - operationId: UpdatePrivMonUser + - Fleet agentless policies + x-state: Experimental; added in 9.3.0 + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agents
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List agents, with optional filtering and pagination.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agents parameters: - - description: The document ID of the monitored user to update - in: path - name: id - required: true + - description: Page number + in: query + name: page + required: false + schema: + type: number + - description: Number of results per page + in: query + name: perPage + required: false + schema: + default: 20 + type: number + - description: A KQL query string to filter results + in: query + name: kuery + required: false schema: type: string - requestBody: - content: - application/json: - examples: - UpdatePrivMonUserRequest: - summary: Update a monitored user - value: - entity_analytics_monitoring: - labels: - - field: department - source: api - value: Security - user: - is_privileged: true - name: john.doe - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_MonitoredUserUpdateDoc - required: true - responses: - '200': - content: - application/json: - examples: - UpdatePrivMonUserResponse: - summary: Updated monitored user - value: - '@timestamp': '2026-01-28T12:00:00.000Z' - entity_analytics_monitoring: - labels: - - field: department - source: api - value: Security - event: - ingested: '2026-01-28T12:00:00.000Z' - id: user-abc-123 - user: - is_privileged: true - name: john.doe - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_MonitoredUserDoc - description: User updated successfully - summary: Update a monitored user - tags: - - Security Entity Analytics API - /api/entity_analytics/monitoring/users/list: - get: - description: >- - Returns a list of all privileged users currently being monitored. - Supports optional KQL filtering. 
- operationId: ListPrivMonUsers - parameters: - - description: KQL query to filter the list of monitored users + - description: When true, include agentless agents in the results + in: query + name: showAgentless + required: false + schema: + default: true + type: boolean + - description: When true, include inactive agents in the results + in: query + name: showInactive + required: false + schema: + default: false + type: boolean + - description: When true, include CPU and memory metrics in the response + in: query + name: withMetrics + required: false + schema: + default: false + type: boolean + - description: When true, only return agents that are upgradeable + in: query + name: showUpgradeable + required: false + schema: + default: false + type: boolean + - description: When true, return a summary of agent statuses in the response + in: query + name: getStatusSummary + required: false + schema: + default: false + type: boolean + - description: Field to sort results by + in: query + name: sortField + required: false + schema: + type: string + - description: Sort order, ascending or descending + in: query + name: sortOrder + required: false + schema: + enum: + - asc + - desc + type: string + - description: JSON-encoded array of sort values for `search_after` pagination + in: query + name: searchAfter + required: false + schema: + type: string + - description: When true, opens a new point-in-time for pagination in: query - name: kql + name: openPit + required: false + schema: + type: boolean + - description: Point-in-time ID for pagination + in: query + name: pitId + required: false + schema: + type: string + - description: Duration to keep the point-in-time alive, for example, `1m` + in: query + name: pitKeepAlive required: false schema: type: string 
@@ -15069,4570 +30193,5534 @@ paths: content: application/json: examples: - ListPrivMonUsersResponse: - summary: List of monitored users - value: - - '@timestamp': '2026-01-28T12:00:00.000Z' - entity_analytics_monitoring: - labels: - - field: department - source: api - value: IT - event: - ingested: '2026-01-28T12:00:00.000Z' - id: user-abc-123 - user: - is_privileged: true - name: john.doe - - '@timestamp': '2026-01-15T09:00:00.000Z' - entity_analytics_monitoring: - labels: - - field: department - source: csv - value: Security - event: - ingested: '2026-01-15T09:00:00.000Z' - id: user-def-456 - user: - is_privileged: true - name: jane.smith - schema: - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_MonitoredUserDoc - type: array - description: List of monitored users - summary: List all monitored users - tags: - - Security Entity Analytics API - /api/entity_analytics/privileged_user_monitoring/pad/install: - post: - description: >- - Installs the privileged access detection integration package and sets up - the associated ML modules required for the Entity Analytics privileged - user monitoring experience. - operationId: InstallPrivilegedAccessDetectionPackage - responses: - '200': - content: - application/json: - examples: - InstallPrivilegedAccessDetectionPackageResponse: - summary: Package installed successfully - value: - message: Privileged access detection package installed successfully - schema: - type: object - properties: - message: - type: string - required: - - message - description: Successful response - summary: >- - Installs the privileged access detection package for the Entity - Analytics privileged user monitoring experience - tags: - - Security Entity Analytics API - /api/entity_analytics/privileged_user_monitoring/pad/status: - get: - description: >- - Returns the installation and ML module setup status of the privileged - access detection package, along with the state of each associated ML - job. 
- operationId: GetPrivilegedAccessDetectionPackageStatus - responses: - '200': - content: - application/json: - examples: - GetPrivilegedAccessDetectionPackageStatusResponse: - summary: Package fully installed and running + getAgentsExample: + description: List of agents value: - jobs: - - description: Detects high-risk login patterns - job_id: pad-high-risk-login - state: opened - - description: Detects privilege escalation events - job_id: pad-privilege-escalation - state: opened - ml_module_setup_status: complete - package_installation_status: complete + items: + - active: true + enrolled_at: '2024-01-01T00:00:00.000Z' + id: agent-id-1 + policy_id: agent-policy-id-1 + policy_revision: 1 + status: online + type: PERMANENT + updated_at: '2024-01-01T00:00:00.000Z' + page: 1 + perPage: 20 + total: 1 schema: + additionalProperties: false type: object properties: - jobs: + items: items: + additionalProperties: false type: object properties: - description: + access_api_key: type: string - job_id: + access_api_key_id: type: string - state: + active: + type: boolean + agent: + additionalProperties: true + type: object + properties: + id: + type: string + type: + type: string + version: + type: string + required: + - id + - version + audit_unenrolled_reason: + type: string + capabilities: + items: + type: string + maxItems: 100 + type: array + components: + items: + additionalProperties: false + type: object + properties: + id: + type: string + message: + type: string + status: + enum: + - STARTING + - CONFIGURING + - HEALTHY + - DEGRADED + - FAILED + - STOPPING + - STOPPED + type: string + type: + type: string + units: + items: + additionalProperties: false + type: object + properties: + id: + type: string + message: + type: string + payload: + additionalProperties: + nullable: true + type: object + status: + enum: + - STARTING + - CONFIGURING + - HEALTHY + - DEGRADED + - FAILED + - STOPPING + - STOPPED + type: string + type: + enum: + - input + - output + - '' + type: 
string + required: + - id + - type + - status + - message + maxItems: 10000 + type: array + required: + - id + - type + - status + - message + maxItems: 10000 + type: array + default_api_key: + type: string + default_api_key_history: + items: + additionalProperties: false + deprecated: true + type: object + properties: + id: + type: string + retired_at: + type: string + required: + - id + - retired_at + maxItems: 100 + type: array + default_api_key_id: + type: string + effective_config: + nullable: true + enrolled_at: + type: string + health: + additionalProperties: + nullable: true + type: object + id: + type: string + identifying_attributes: + additionalProperties: + type: string + type: object + last_checkin: + type: string + last_checkin_message: + type: string + last_checkin_status: enum: - - closing - - closed - - opened - - failed - - opening + - error + - online + - degraded + - updating + - starting + - disconnected type: string - required: - - job_id - - state - type: array - ml_module_setup_status: - enum: - - complete - - incomplete - type: string - package_installation_status: - enum: - - complete - - incomplete - type: string - required: - - package_installation_status - - ml_module_setup_status - - jobs - description: Privileged access detection status retrieved - summary: >- - Gets the status of the privileged access detection package for the - Entity Analytics privileged user monitoring experience - tags: - - Security Entity Analytics API - /api/entity_analytics/watchlists: - post: - description: >- - Creates a new entity analytics watchlist with an optional set of entity - sources. Watchlists apply a risk score modifier to matched entities. 
- operationId: CreateWatchlist - requestBody: - content: - application/json: - examples: - CreateWatchlistRequest: - summary: Create watchlist request - value: - description: High risk vendor watchlist - managed: false - name: High Risk Vendors - riskModifier: 1.5 - CreateWatchlistWithSourcesRequest: - summary: Create watchlist with entity sources - value: - description: High risk vendor watchlist - entitySources: - - enabled: true - identifierField: user.name - indexPattern: my-sync-index - name: My User Index Source - type: index - managed: false - name: High Risk Vendors - riskModifier: 1.5 - schema: - type: object - properties: - description: - description: Description of the watchlist - type: string - entitySources: - description: Optional entity sources to create and link to the watchlist - items: - additionalProperties: false + last_known_status: + enum: + - offline + - error + - online + - inactive + - enrolling + - unenrolling + - unenrolled + - updating + - degraded + - uninstalled + - orphaned + type: string + local_metadata: + additionalProperties: + nullable: true + type: object + metrics: + additionalProperties: false + type: object + properties: + cpu_avg: + type: number + memory_size_byte_avg: + type: number + namespaces: + items: + type: string + maxItems: 100 + type: array + non_identifying_attributes: + additionalProperties: + type: string + type: object + outputs: + additionalProperties: + additionalProperties: false + type: object + properties: + api_key_id: + type: string + to_retire_api_key_ids: + items: + additionalProperties: false + type: object + properties: + id: + type: string + retired_at: + type: string + required: + - id + - retired_at + maxItems: 100 + type: array + type: + type: string + type: object + packages: + items: + type: string + maxItems: 10000 + type: array + policy_id: + type: string + policy_revision: + nullable: true + type: number + sequence_num: + type: number + signals: + items: + type: string + maxItems: 50 + type: 
array + sort: + items: + nullable: true + maxItems: 10 + type: array + status: + enum: + - offline + - error + - online + - inactive + - enrolling + - unenrolling + - unenrolled + - updating + - degraded + - uninstalled + - orphaned + type: string + tags: + items: + type: string + maxItems: 100 + type: array + type: + enum: + - PERMANENT + - EPHEMERAL + - TEMPORARY + - OPAMP + type: string + unenrolled_at: + type: string + unenrollment_started_at: + type: string + unhealthy_reason: + items: + enum: + - input + - output + - other + type: string + maxItems: 3 + nullable: true + type: array + upgrade: + additionalProperties: false + type: object + properties: + rollbacks: + items: + additionalProperties: false + type: object + properties: + valid_until: + type: string + version: + type: string + required: + - valid_until + - version + maxItems: 100 + type: array + upgrade_attempts: + items: + type: string + maxItems: 10000 + nullable: true + type: array + upgrade_details: + additionalProperties: false + nullable: true + type: object + properties: + action_id: + type: string + metadata: + additionalProperties: false + type: object + properties: + download_percent: + type: number + download_rate: + type: number + error_msg: + type: string + failed_state: + enum: + - UPG_REQUESTED + - UPG_SCHEDULED + - UPG_DOWNLOADING + - UPG_EXTRACTING + - UPG_REPLACING + - UPG_RESTARTING + - UPG_FAILED + - UPG_WATCHING + - UPG_ROLLBACK + type: string + reason: + type: string + retry_error_msg: + type: string + retry_until: + type: string + scheduled_at: + type: string + state: + enum: + - UPG_REQUESTED + - UPG_SCHEDULED + - UPG_DOWNLOADING + - UPG_EXTRACTING + - UPG_REPLACING + - UPG_RESTARTING + - UPG_FAILED + - UPG_WATCHING + - UPG_ROLLBACK + type: string + target_version: + type: string + required: + - target_version + - action_id + - state + upgrade_started_at: + nullable: true + type: string + upgraded_at: + nullable: true + type: string + user_provided_metadata: + 
additionalProperties: + nullable: true + type: object + required: + - id + - packages + - type + - active + - enrolled_at + - local_metadata + - effective_config + maxItems: 10000 + type: array + nextSearchAfter: + type: string + page: + type: number + perPage: + type: number + pit: + type: string + statusSummary: + additionalProperties: + type: number type: object - properties: - enabled: - type: boolean - filter: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_Filter - identifierField: - description: >- - Field used to query the entity store for index-type - sources - type: string - indexPattern: - type: string - integrationName: - description: >- - Required when type is entity_analytics_integration. - One of entityanalytics_okta, entityanalytics_ad. - type: string - matchers: - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_Matcher - type: array - name: - type: string - queryRule: - description: >- - KQL query used to filter data from the provided index - patterns - type: string - range: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_DateRange - type: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EntitySourceType - required: - - type - - name - type: array - managed: - description: Indicates if the watchlist is managed by the system - type: boolean - name: - description: Unique name for the watchlist - type: string - riskModifier: - description: Risk score modifier associated with the watchlist - maximum: 2 - minimum: 0 - type: number - required: - - name - - riskModifier - required: true - responses: - '200': - content: - application/json: - examples: - CreateWatchlistResponse: - summary: Created watchlist - value: - createdAt: '2026-01-28T12:00:00.000Z' - description: High risk vendor watchlist - id: watchlist-123 - managed: false - name: High Risk Vendors - riskModifier: 1.5 - updatedAt: '2026-01-28T12:00:00.000Z' - schema: - allOf: - - $ref: >- - 
#/components/schemas/Security_Entity_Analytics_API_WatchlistObject - - type: object - properties: - entitySources: - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_MonitoringEntitySource - type: array - description: Watchlist created successfully - summary: Create a new watchlist - tags: - - Security Entity Analytics API - x-state: Technical Preview - /api/entity_analytics/watchlists/{id}: - get: - description: >- - Retrieves the details of an entity analytics watchlist by its unique - identifier. - operationId: GetWatchlist - parameters: - - description: Unique ID of the watchlist - in: path - name: id - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - GetWatchlistResponse: - summary: Watchlist details - value: - createdAt: '2026-01-28T12:00:00.000Z' - description: High risk vendor watchlist - id: watchlist-123 - managed: false - name: High Risk Vendors - riskModifier: 1.5 - updatedAt: '2026-02-18T12:00:00.000Z' - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_WatchlistObject - description: Watchlist details - summary: Get a watchlist by ID - tags: - - Security Entity Analytics API - x-state: Technical Preview - put: - description: >- - Updates the name, description, risk modifier, or managed status of an - existing entity analytics watchlist. 
- operationId: UpdateWatchlist - parameters: - - description: The ID of the watchlist to update - in: path - name: id - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - UpdateWatchlistRequest: - summary: Update watchlist request - value: - description: High risk vendor watchlist - managed: false - name: High Risk Vendors - riskModifier: 1.5 - schema: - type: object - properties: - description: - description: Description of the watchlist - type: string - managed: - description: Indicates if the watchlist is managed by the system - type: boolean - name: - description: Unique name of the watchlist - type: string - riskModifier: - description: Risk score modifier associated with the watchlist - maximum: 2 - minimum: 0 - type: number - required: - - name - - riskModifier - required: true - responses: - '200': + total: + type: number + required: + - items + - total + - page + - perPage + description: Successful response + '400': content: application/json: examples: - UpdateWatchlistResponse: - summary: Updated watchlist + genericErrorResponseExample: + description: Example of a generic error response value: - createdAt: '2026-01-28T12:00:00.000Z' - description: High risk vendor watchlist - id: watchlist-123 - managed: false - name: High Risk Vendors - riskModifier: 1.5 - updatedAt: '2026-02-18T12:00:00.000Z' + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_WatchlistObject - description: Watchlist updated successfully - summary: Update an existing watchlist + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get agents tags: - - Security Entity Analytics API - 
x-state: Technical Preview - /api/entity_analytics/watchlists/{watchlist_id}/csv_upload: + - Elastic Agents + x-metaTags: + - content: Kibana + name: product_name post: - description: > - Uploads a CSV file to add entities to a watchlist. The CSV must contain - a header row - - with a "type" column (user, host, service, or generic) and one or more - ECS identity + description: |- + **Spaces method and path for this operation:** - fields (e.g. "user.name", "host.hostname") used to match entities in the - entity store. - - - Matched entities are added to the watchlist and their - `entity.attributes.watchlists` - - field is updated in the entity store. +
post /s/{space_id}/api/fleet/agents
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Each row will match up to 10,000 entities. - operationId: UploadWatchlistCsv + Retrieve agents associated with specific action IDs.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: post-fleet-agents parameters: - - description: The ID of the watchlist to add entities to - example: high-risk-vendors - in: path - name: watchlist_id + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: + example: 'true' type: string requestBody: content: - multipart/form-data: + application/json: examples: - csvUpload: - summary: CSV file with user entities + postGetAgentsByActionsRequestExample: + description: Retrieve agents associated with specific action IDs value: - file: | - type,user.name - user,john.doe - user,jane.smith + actionIds: + - action-id-1 + - action-id-2 schema: + additionalProperties: false type: object properties: - file: - description: The CSV file to upload. - format: binary - type: string + actionIds: + items: + type: string + maxItems: 1000 + type: array required: - - file - required: true + - actionIds responses: '200': content: application/json: examples: - CsvUploadResponse: - summary: CSV upload response with mixed results + postGetAgentsByActionsExample: + description: Agents associated with the given actions value: - failed: 1 items: - - matchedEntities: 1 - status: success - - error: Invalid entity type - matchedEntities: 0 - status: failure - - matchedEntities: 0 - status: unmatched - successful: 1 - total: 3 - unmatched: 1 + - active: true + id: agent-id-1 + policy_id: agent-policy-id-1 + status: online + total: 1 schema: + additionalProperties: false type: object properties: - failed: - description: Number of rows that failed to process - example: 1 - type: integer items: items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_WatchlistCsvUploadResponseItem + type: string + maxItems: 10000 type: array - successful: - description: Number of rows that matched at least one entity - example: 1 - type: integer - total: - description: Total number of rows processed - 
example: 3 - type: integer - unmatched: - description: Number of rows that matched no entities - example: 1 - type: integer required: - - successful - - failed - - total - - unmatched - items - description: Upload successful - '413': - description: File too large - summary: Upload a CSV file to add entities to a watchlist - tags: - - Security Entity Analytics API - x-state: Technical Preview - /api/entity_analytics/watchlists/{watchlist_id}/entities/assign: - post: - description: > - Assigns the provided entities to the specified watchlist using a - "manual" source label. - - The entities must already exist in the entity store. - - - If an entity is already on the watchlist, no new document is created — - the "manual" label - - is added to its existing source labels instead. - operationId: AssignWatchlistEntities - parameters: - - description: The ID of the watchlist to add entities to - example: high-risk-vendors - in: path - name: watchlist_id - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - assignEntities: - summary: Assign two entities to a watchlist - value: - euids: - - user:john.doe - - host:web-01 - schema: - type: object - properties: - euids: - description: The EUIDs of the entities to assign - example: - - user:john.doe - - host:web-01 - items: - type: string - type: array - required: - - euids - required: true - responses: - '200': + description: Successful response + '400': content: application/json: examples: - assignEntitiesResponse: - summary: Successful assignment of two entities + genericErrorResponseExample: + description: Example of a generic error response value: - failed: 0 - items: - - euid: user:john.doe - status: success - - euid: host:web-01 - status: not_found - not_found: 1 - successful: 1 - total: 2 + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: + additionalProperties: false + description: Generic Error type: object properties: - 
failed: - description: Number of entities that failed to process - example: 0 - type: integer - items: - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_WatchlistEntityAssignResponseItem - type: array - not_found: - description: Number of entities not found in the entity store - example: 1 - type: integer - successful: - description: Number of entities successfully assigned - example: 1 - type: integer - total: - description: Total number of entities processed - example: 2 - type: integer + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number required: - - successful - - failed - - not_found - - total - - items - description: Assignment successful - summary: Manually assign entities to a watchlist + - message + - attributes + description: Bad Request + summary: Get agents by action ids tags: - - Security Entity Analytics API - x-state: Technical Preview; added in 9.4.0 - /api/entity_analytics/watchlists/{watchlist_id}/entities/unassign: - post: - description: | - Unassigns the provided entities from the specified watchlist. - This only removes the "manual" assignment. If the entity is also - assigned via other sources (for example, index or integration), it will - remain on the watchlist. - operationId: UnassignWatchlistEntities + - Elastic Agents + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/{agentId}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/agents/{agentId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete an agent by ID.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: delete-fleet-agents-agentid parameters: - - description: The ID of the watchlist to remove entities from - example: high-risk-vendors + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The agent ID in: path - name: watchlist_id + name: agentId required: true schema: type: string - requestBody: - content: - application/json: - examples: - unassignEntities: - summary: Unassign two entities from a watchlist - value: - euids: - - user:john.doe - - host:web-01 - schema: - type: object - properties: - euids: - description: The EUIDs of the entities to unassign - example: - - user:john.doe - - host:web-01 - items: - type: string - type: array - required: - - euids - required: true responses: '200': content: application/json: examples: - unassignEntitiesResponse: - summary: Successful unassignment of two entities + deleteAgentExample: + description: Agent successfully deleted value: - failed: 0 - items: - - euid: user:john.doe - status: success - - euid: host:web-01 - status: not_found - not_found: 1 - successful: 1 - total: 2 + id: agent-id-1 + success: true schema: + additionalProperties: false type: object properties: - failed: - description: Number of entities that failed to process - example: 0 - type: integer - items: - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_WatchlistEntityUnassignResponseItem - type: array - not_found: - description: >- - Number of entities not found in the manual watchlist - assignment - example: 1 - type: integer - successful: - description: Number of entities successfully unassigned - example: 1 - type: integer - total: - description: Total number of entities processed - example: 2 - type: integer + action: + enum: + - deleted + type: string required: - - successful - - failed - - not_found - - total - - items 
- description: Unassignment successful - summary: Manually unassign entities from a watchlist - tags: - - Security Entity Analytics API - x-state: Technical Preview; added in 9.4.0 - /api/entity_analytics/watchlists/list: - get: - description: Returns a list of all entity analytics watchlists. - operationId: ListWatchlists - responses: - '200': + - action + description: Successful response + '400': content: application/json: examples: - ListWatchlistsResponse: - summary: List of watchlists + genericErrorResponseExample: + description: Example of a generic error response value: - - createdAt: '2026-01-28T12:00:00.000Z' - description: High risk vendor watchlist - id: watchlist-123 - managed: false - name: High Risk Vendors - riskModifier: 1.5 - updatedAt: '2026-02-18T12:00:00.000Z' - - createdAt: '2026-01-10T09:30:00.000Z' - description: Privileged user monitoring watchlist - id: watchlist-456 - managed: true - name: Privileged Accounts - riskModifier: 2 - updatedAt: '2026-02-01T15:45:00.000Z' + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_WatchlistObject - type: array - description: List of watchlists - summary: List all watchlists + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No agent was found with the given ID + value: + error: Not Found + message: Agent agent-id-1 not found + statusCode: 404 + description: Not Found + summary: Delete an agent tags: - - Security Entity Analytics API - x-state: Technical Preview - /api/entity_store/enable: - post: - description: >- - Initialize the entire Entity Store, creating 
engines for all or - specified entity types. - operationId: InitEntityStore - requestBody: - content: - application/json: - schema: - type: object - properties: - delay: - default: 1m - description: The delay before the transform will run. - pattern: '[smdh]$' - type: string - docsPerSecond: - default: -1 - description: The number of documents per second to process. - type: integer - enrichPolicyExecutionInterval: - $ref: '#/components/schemas/Security_Entity_Analytics_API_Interval' - entityTypes: - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EntityType - type: array - fieldHistoryLength: - default: 10 - description: The number of historical values to keep for each field. - type: integer - filter: - type: string - frequency: - default: 1m - description: The frequency at which the transform will run. - pattern: '[smdh]$' - type: string - indexPattern: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_IndexPattern - lookbackPeriod: - default: 3h - description: >- - The amount of time the transform looks back to calculate the - aggregations. - pattern: '[smdh]$' - type: string - maxPageSearchSize: - default: 500 - description: >- - The initial page size to use for the composite aggregation - of each checkpoint. - type: integer - timeout: - default: 180s - description: The timeout for initializing the aggregating transform. - pattern: '[smdh]$' - type: string - timestampField: - default: '@timestamp' - description: The field to use as the timestamp. - type: string - description: Configuration for the entity store initialization. - required: true + - Elastic Agents + x-metaTags: + - content: Kibana + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agents/{agentId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get an agent by ID.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agents-agentid + parameters: + - description: The agent ID + in: path + name: agentId + required: true + schema: + type: string + - description: When true, include CPU and memory metrics in the response + in: query + name: withMetrics + required: false + schema: + default: false + type: boolean responses: '200': content: application/json: examples: - initEntityStoreExample: - description: >- - The Entity Store was successfully initialized, creating host - and user engines in the installing state. - summary: Entity Store initialized with host and user engines + getAgentExample: + description: Agent details value: - engines: - - delay: 1m - fieldHistoryLength: 10 - frequency: 1m - indexPattern: '' - lookbackPeriod: 24h - status: installing - timeout: 180s - timestampField: '@timestamp' - type: host - - delay: 1m - fieldHistoryLength: 10 - frequency: 1m - indexPattern: '' - lookbackPeriod: 24h - status: installing - timeout: 180s - timestampField: '@timestamp' - type: user - succeeded: true + item: + active: true + agent_id: agent-id-1 + enrolled_at: '2024-01-01T00:00:00.000Z' + id: agent-id-1 + local_metadata: + elastic: + agent: + version: 8.17.0 + host: + hostname: my-host + os: + name: linux + policy_id: agent-policy-id-1 + policy_revision: 1 + status: online + type: PERMANENT + updated_at: '2024-01-01T00:00:00.000Z' schema: + additionalProperties: false type: object properties: - engines: - description: The engine descriptors created during initialization. - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EngineDescriptor - type: array - succeeded: - description: Whether the Entity Store was initialized successfully. 
- type: boolean + item: + additionalProperties: false + type: object + properties: + access_api_key: + type: string + access_api_key_id: + type: string + active: + type: boolean + agent: + additionalProperties: true + type: object + properties: + id: + type: string + type: + type: string + version: + type: string + required: + - id + - version + audit_unenrolled_reason: + type: string + capabilities: + items: + type: string + maxItems: 100 + type: array + components: + items: + additionalProperties: false + type: object + properties: + id: + type: string + message: + type: string + status: + enum: + - STARTING + - CONFIGURING + - HEALTHY + - DEGRADED + - FAILED + - STOPPING + - STOPPED + type: string + type: + type: string + units: + items: + additionalProperties: false + type: object + properties: + id: + type: string + message: + type: string + payload: + additionalProperties: + nullable: true + type: object + status: + enum: + - STARTING + - CONFIGURING + - HEALTHY + - DEGRADED + - FAILED + - STOPPING + - STOPPED + type: string + type: + enum: + - input + - output + - '' + type: string + required: + - id + - type + - status + - message + maxItems: 10000 + type: array + required: + - id + - type + - status + - message + maxItems: 10000 + type: array + default_api_key: + type: string + default_api_key_history: + items: + additionalProperties: false + deprecated: true + type: object + properties: + id: + type: string + retired_at: + type: string + required: + - id + - retired_at + maxItems: 100 + type: array + default_api_key_id: + type: string + effective_config: + nullable: true + enrolled_at: + type: string + health: + additionalProperties: + nullable: true + type: object + id: + type: string + identifying_attributes: + additionalProperties: + type: string + type: object + last_checkin: + type: string + last_checkin_message: + type: string + last_checkin_status: + enum: + - error + - online + - degraded + - updating + - starting + - disconnected + type: string + 
last_known_status: + enum: + - offline + - error + - online + - inactive + - enrolling + - unenrolling + - unenrolled + - updating + - degraded + - uninstalled + - orphaned + type: string + local_metadata: + additionalProperties: + nullable: true + type: object + metrics: + additionalProperties: false + type: object + properties: + cpu_avg: + type: number + memory_size_byte_avg: + type: number + namespaces: + items: + type: string + maxItems: 100 + type: array + non_identifying_attributes: + additionalProperties: + type: string + type: object + outputs: + additionalProperties: + additionalProperties: false + type: object + properties: + api_key_id: + type: string + to_retire_api_key_ids: + items: + additionalProperties: false + type: object + properties: + id: + type: string + retired_at: + type: string + required: + - id + - retired_at + maxItems: 100 + type: array + type: + type: string + type: object + packages: + items: + type: string + maxItems: 10000 + type: array + policy_id: + type: string + policy_revision: + nullable: true + type: number + sequence_num: + type: number + signals: + items: + type: string + maxItems: 50 + type: array + sort: + items: + nullable: true + maxItems: 10 + type: array + status: + enum: + - offline + - error + - online + - inactive + - enrolling + - unenrolling + - unenrolled + - updating + - degraded + - uninstalled + - orphaned + type: string + tags: + items: + type: string + maxItems: 100 + type: array + type: + enum: + - PERMANENT + - EPHEMERAL + - TEMPORARY + - OPAMP + type: string + unenrolled_at: + type: string + unenrollment_started_at: + type: string + unhealthy_reason: + items: + enum: + - input + - output + - other + type: string + maxItems: 3 + nullable: true + type: array + upgrade: + additionalProperties: false + type: object + properties: + rollbacks: + items: + additionalProperties: false + type: object + properties: + valid_until: + type: string + version: + type: string + required: + - valid_until + - version + 
maxItems: 100 + type: array + upgrade_attempts: + items: + type: string + maxItems: 10000 + nullable: true + type: array + upgrade_details: + additionalProperties: false + nullable: true + type: object + properties: + action_id: + type: string + metadata: + additionalProperties: false + type: object + properties: + download_percent: + type: number + download_rate: + type: number + error_msg: + type: string + failed_state: + enum: + - UPG_REQUESTED + - UPG_SCHEDULED + - UPG_DOWNLOADING + - UPG_EXTRACTING + - UPG_REPLACING + - UPG_RESTARTING + - UPG_FAILED + - UPG_WATCHING + - UPG_ROLLBACK + type: string + reason: + type: string + retry_error_msg: + type: string + retry_until: + type: string + scheduled_at: + type: string + state: + enum: + - UPG_REQUESTED + - UPG_SCHEDULED + - UPG_DOWNLOADING + - UPG_EXTRACTING + - UPG_REPLACING + - UPG_RESTARTING + - UPG_FAILED + - UPG_WATCHING + - UPG_ROLLBACK + type: string + target_version: + type: string + required: + - target_version + - action_id + - state + upgrade_started_at: + nullable: true + type: string + upgraded_at: + nullable: true + type: string + user_provided_metadata: + additionalProperties: + nullable: true + type: object + required: + - id + - packages + - type + - active + - enrolled_at + - local_metadata + - effective_config + required: + - item description: Successful response '400': - description: Invalid request - summary: Initialize the Entity Store - tags: - - Security Entity Analytics API - /api/entity_store/engines: - delete: - operationId: DeleteEntityEngines - parameters: - - description: >- - The entity type of the engine ('user', 'host', 'service', - 'generic'). - examples: - hostAndService: - value: host,service - in: query - name: entityTypes - required: false - schema: - description: >- - Array of engine types to delete. Empty by default, which results - in all the engines being deleted. 
- items: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - type: array - - description: Control flag to also delete the entity data. - in: query - name: delete_data - required: false - schema: - type: boolean - responses: - '200': - content: - application/json: - examples: - deleteEntityEnginesExample: - description: Example response after deleting 'host' engine - value: - deleted: - - host - still_running: - - generic - - user - - service - schema: - type: object - properties: - deleted: - description: Entity types whose engines were successfully deleted. - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EntityType - type: array - still_running: - description: Entity types whose engines are still running. - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EntityType - type: array - description: Successful response - summary: Delete Entity Engines - tags: - - Security Entity Analytics API - get: - description: Get a list of all installed entity engines and their current status. - operationId: ListEntityEngines - responses: - '200': content: application/json: examples: - listEntityEnginesExample: - description: >- - Returns a list with one running host engine and one stopped - user engine. 
- summary: Two engines installed + genericErrorResponseExample: + description: Example of a generic error response value: - count: 2 - engines: - - delay: 1m - fieldHistoryLength: 10 - frequency: 1m - indexPattern: '' - lookbackPeriod: 24h - status: started - timeout: 180s - timestampField: '@timestamp' - type: host - - delay: 1m - fieldHistoryLength: 10 - frequency: 1m - indexPattern: '' - lookbackPeriod: 24h - status: stopped - timeout: 180s - timestampField: '@timestamp' - type: user + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: + additionalProperties: false + description: Generic Error type: object properties: - count: - description: The total number of entity engines. - type: integer - engines: - description: An array of engine descriptors. - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EngineDescriptor - type: array - description: Successful response - summary: List the Entity Engines - tags: - - Security Entity Analytics API - /api/entity_store/engines/{entityType}: - delete: - operationId: DeleteEntityEngine - parameters: - - description: The entity type of the engine (either 'user' or 'host'). - examples: - host: - value: host - in: path - name: entityType - required: true - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - - description: Control flag to also delete the entity data. - in: query - name: delete_data - required: false - schema: - type: boolean - - deprecated: true - description: Control flag to also delete the entity data. 
- in: query - name: data - required: false - schema: - type: boolean - responses: - '200': + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': content: application/json: examples: - deleteEntityEngineExample: - description: Example response after deleting 'host' engine + notFoundExample: + description: No agent was found with the given ID value: - deleted: true - schema: - type: object - properties: - deleted: - description: Whether the engine was successfully deleted. - type: boolean - description: Successful response - summary: Delete the Entity Engine + error: Not Found + message: Agent agent-id-1 not found + statusCode: 404 + description: Not Found + summary: Get an agent tags: - - Security Entity Analytics API - get: - description: >- - Get the engine descriptor for a specific entity type, including its - configuration and current status. - operationId: GetEntityEngine + - Elastic Agents + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/fleet/agents/{agentId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an agent by ID.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: put-fleet-agents-agentid parameters: - - description: The entity type of the engine. - example: host - in: path - name: entityType + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - responses: - '200': - content: - application/json: - examples: - getEntityEngineExample: - description: >- - Returns the engine descriptor for a host engine that is - currently running with default settings. - summary: A running host engine - value: - delay: 1m - fieldHistoryLength: 10 - frequency: 1m - indexPattern: '' - lookbackPeriod: 24h - status: started - timeout: 180s - timestampField: '@timestamp' - type: host - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EngineDescriptor - description: Successful response - summary: Get an Entity Engine - tags: - - Security Entity Analytics API - /api/entity_store/engines/{entityType}/init: - post: - description: Initialize a single entity engine for the specified entity type. - operationId: InitEntityEngine - parameters: - - description: The entity type of the engine. + example: 'true' + type: string + - description: The agent ID in: path - name: entityType + name: agentId required: true schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + type: string requestBody: content: application/json: + examples: + putAgentRequestExample: + description: Update agent tags + value: + tags: + - production + - linux schema: + additionalProperties: false type: object properties: - delay: - default: 1m - description: The delay before the transform will run. - pattern: '[smdh]$' - type: string - docsPerSecond: - default: -1 - description: The number of documents per second to process. 
- type: integer - enrichPolicyExecutionInterval: - $ref: '#/components/schemas/Security_Entity_Analytics_API_Interval' - fieldHistoryLength: - default: 10 - description: The number of historical values to keep for each field. - type: integer - filter: - type: string - frequency: - default: 1m - description: The frequency at which the transform will run. - pattern: '[smdh]$' - type: string - indexPattern: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_IndexPattern - lookbackPeriod: - default: 3h - description: >- - The amount of time the transform looks back to calculate the - aggregations. - pattern: '[smdh]$' - type: string - maxPageSearchSize: - default: 500 - description: >- - The initial page size to use for the composite aggregation - of each checkpoint. - type: integer - timeout: - default: 180s - description: The timeout for initializing the aggregating transform. - pattern: '[smdh]$' - type: string - timestampField: - default: '@timestamp' - description: The field to use as the timestamp for the entity type. - type: string - description: Schema for the engine initialization - required: true + tags: + items: + type: string + maxItems: 10 + type: array + user_provided_metadata: + additionalProperties: + nullable: true + type: object responses: '200': content: application/json: examples: - initEntityEngineExample: - description: >- - A host engine was successfully initialized and is now in the - installing state. 
- summary: Host engine initialized + putAgentExample: + description: Updated agent details value: - delay: 1m - fieldHistoryLength: 10 - frequency: 1m - indexPattern: '' - lookbackPeriod: 3h - status: installing - timeout: 180s - timestampField: '@timestamp' - type: host + item: + active: true + enrolled_at: '2024-01-01T00:00:00.000Z' + id: agent-id-1 + policy_id: agent-policy-id-1 + policy_revision: 1 + status: online + tags: + - production + - linux + type: PERMANENT + updated_at: '2024-01-01T00:00:00.000Z' schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EngineDescriptor + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + access_api_key: + type: string + access_api_key_id: + type: string + active: + type: boolean + agent: + additionalProperties: true + type: object + properties: + id: + type: string + type: + type: string + version: + type: string + required: + - id + - version + audit_unenrolled_reason: + type: string + capabilities: + items: + type: string + maxItems: 100 + type: array + components: + items: + additionalProperties: false + type: object + properties: + id: + type: string + message: + type: string + status: + enum: + - STARTING + - CONFIGURING + - HEALTHY + - DEGRADED + - FAILED + - STOPPING + - STOPPED + type: string + type: + type: string + units: + items: + additionalProperties: false + type: object + properties: + id: + type: string + message: + type: string + payload: + additionalProperties: + nullable: true + type: object + status: + enum: + - STARTING + - CONFIGURING + - HEALTHY + - DEGRADED + - FAILED + - STOPPING + - STOPPED + type: string + type: + enum: + - input + - output + - '' + type: string + required: + - id + - type + - status + - message + maxItems: 10000 + type: array + required: + - id + - type + - status + - message + maxItems: 10000 + type: array + default_api_key: + type: string + default_api_key_history: + items: + 
additionalProperties: false + deprecated: true + type: object + properties: + id: + type: string + retired_at: + type: string + required: + - id + - retired_at + maxItems: 100 + type: array + default_api_key_id: + type: string + effective_config: + nullable: true + enrolled_at: + type: string + health: + additionalProperties: + nullable: true + type: object + id: + type: string + identifying_attributes: + additionalProperties: + type: string + type: object + last_checkin: + type: string + last_checkin_message: + type: string + last_checkin_status: + enum: + - error + - online + - degraded + - updating + - starting + - disconnected + type: string + last_known_status: + enum: + - offline + - error + - online + - inactive + - enrolling + - unenrolling + - unenrolled + - updating + - degraded + - uninstalled + - orphaned + type: string + local_metadata: + additionalProperties: + nullable: true + type: object + metrics: + additionalProperties: false + type: object + properties: + cpu_avg: + type: number + memory_size_byte_avg: + type: number + namespaces: + items: + type: string + maxItems: 100 + type: array + non_identifying_attributes: + additionalProperties: + type: string + type: object + outputs: + additionalProperties: + additionalProperties: false + type: object + properties: + api_key_id: + type: string + to_retire_api_key_ids: + items: + additionalProperties: false + type: object + properties: + id: + type: string + retired_at: + type: string + required: + - id + - retired_at + maxItems: 100 + type: array + type: + type: string + type: object + packages: + items: + type: string + maxItems: 10000 + type: array + policy_id: + type: string + policy_revision: + nullable: true + type: number + sequence_num: + type: number + signals: + items: + type: string + maxItems: 50 + type: array + sort: + items: + nullable: true + maxItems: 10 + type: array + status: + enum: + - offline + - error + - online + - inactive + - enrolling + - unenrolling + - unenrolled + - updating 
+ - degraded + - uninstalled + - orphaned + type: string + tags: + items: + type: string + maxItems: 100 + type: array + type: + enum: + - PERMANENT + - EPHEMERAL + - TEMPORARY + - OPAMP + type: string + unenrolled_at: + type: string + unenrollment_started_at: + type: string + unhealthy_reason: + items: + enum: + - input + - output + - other + type: string + maxItems: 3 + nullable: true + type: array + upgrade: + additionalProperties: false + type: object + properties: + rollbacks: + items: + additionalProperties: false + type: object + properties: + valid_until: + type: string + version: + type: string + required: + - valid_until + - version + maxItems: 100 + type: array + upgrade_attempts: + items: + type: string + maxItems: 10000 + nullable: true + type: array + upgrade_details: + additionalProperties: false + nullable: true + type: object + properties: + action_id: + type: string + metadata: + additionalProperties: false + type: object + properties: + download_percent: + type: number + download_rate: + type: number + error_msg: + type: string + failed_state: + enum: + - UPG_REQUESTED + - UPG_SCHEDULED + - UPG_DOWNLOADING + - UPG_EXTRACTING + - UPG_REPLACING + - UPG_RESTARTING + - UPG_FAILED + - UPG_WATCHING + - UPG_ROLLBACK + type: string + reason: + type: string + retry_error_msg: + type: string + retry_until: + type: string + scheduled_at: + type: string + state: + enum: + - UPG_REQUESTED + - UPG_SCHEDULED + - UPG_DOWNLOADING + - UPG_EXTRACTING + - UPG_REPLACING + - UPG_RESTARTING + - UPG_FAILED + - UPG_WATCHING + - UPG_ROLLBACK + type: string + target_version: + type: string + required: + - target_version + - action_id + - state + upgrade_started_at: + nullable: true + type: string + upgraded_at: + nullable: true + type: string + user_provided_metadata: + additionalProperties: + nullable: true + type: object + required: + - id + - packages + - type + - active + - enrolled_at + - local_metadata + - effective_config + required: + - item description: Successful 
response '400': - description: Invalid request - summary: Initialize an Entity Engine - tags: - - Security Entity Analytics API - /api/entity_store/engines/{entityType}/start: - post: - description: >- - Start a previously stopped entity engine, resuming transform processing - for the given entity type. - operationId: StartEntityEngine - parameters: - - description: The entity type of the engine to start. - example: host - in: path - name: entityType - required: true - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - responses: - '200': content: application/json: examples: - startEntityEngineExample: - description: >- - The engine was successfully started and is now processing - data. - summary: Engine started successfully + genericErrorResponseExample: + description: Example of a generic error response value: - started: true + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: + additionalProperties: false + description: Generic Error type: object properties: - started: - description: Whether the engine was successfully started. - type: boolean - description: Successful response - summary: Start an Entity Engine - tags: - - Security Entity Analytics API - /api/entity_store/engines/{entityType}/stop: - post: - description: >- - Stop a running entity engine, pausing transform processing for the given - entity type. - operationId: StopEntityEngine - parameters: - - description: The entity type of the engine to stop. 
- example: host - in: path - name: entityType - required: true - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - responses: - '200': + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + '404': content: application/json: examples: - stopEntityEngineExample: - description: >- - The engine was successfully stopped and is no longer - processing data. - summary: Engine stopped successfully + notFoundExample: + description: No agent was found with the given ID value: - stopped: true - schema: - type: object - properties: - stopped: - description: Whether the engine was successfully stopped. - type: boolean - description: Successful response - summary: Stop an Entity Engine + error: Not Found + message: Agent agent-id-1 not found + statusCode: 404 + description: Not Found + summary: Update an agent by ID tags: - - Security Entity Analytics API - /api/entity_store/engines/apply_dataview_indices: + - Elastic Agents + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/{agentId}/actions: post: - description: >- - Synchronize data view index patterns to all running entity engines so - that newly added indices are picked up by the transforms. - operationId: ApplyEntityEngineDataviewIndices - responses: - '200': - content: - application/json: - examples: - applyDataviewIndicesExample: - description: >- - All running engines were successfully updated with the - current data view index patterns. - summary: All engines updated - value: - result: - - changes: - indexPatterns: - - logs-* - - filebeat-* - - auditbeat-* - type: host - - changes: - indexPatterns: - - logs-* - - filebeat-* - - auditbeat-* - type: user - success: true - schema: - type: object - properties: - result: - description: Per-engine update results. 
- items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EngineDataviewUpdateResult - type: array - success: - description: Whether all engines updated successfully. - type: boolean - description: Successful response - '207': - content: - application/json: - examples: - partialSuccessExample: - description: >- - The host engine was updated but the user engine failed due - to insufficient privileges. - summary: One engine failed - value: - errors: - - 'Failed to update user engine: insufficient privileges' - result: - - changes: - indexPatterns: - - logs-* - - filebeat-* - type: host - success: false - schema: - type: object - properties: - errors: - description: Error messages for engines that failed to update. - items: - type: string - type: array - result: - description: Per-engine update results for engines that succeeded. - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EngineDataviewUpdateResult - type: array - success: - description: Always `false` for a partial success. - type: boolean - description: Partial successful response - '500': - content: - application/json: - examples: - serverErrorExample: - description: >- - An unexpected error occurred while applying data view - indices. - summary: Internal server error - value: - body: An internal error occurred while updating engine indices - statusCode: 500 - schema: - type: object - properties: - body: - description: Error message. - type: string - statusCode: - description: HTTP status code. - type: number - description: Error response - summary: Apply DataView indices to all installed engines - tags: - - Security Entity Analytics API - /api/entity_store/entities/{entityType}: - delete: - description: > - Delete a single entity in Entity Store. + description: |- + **Spaces method and path for this operation:** - The entity will be immediately deleted from the latest index. It will - remain available in historical snapshots if it has been snapshotted. 
- The delete operation does not prevent the entity from being recreated if - it is observed again in the future. - operationId: DeleteSingleEntity +
post /s/{space_id}/api/fleet/agents/{agentId}/actions
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new action for a specific agent.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-agentid-actions parameters: - - example: user + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The agent ID in: path - name: entityType + name: agentId required: true schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + type: string requestBody: content: application/json: + examples: + postAgentActionRequestExample: + description: Create a UNENROLL action for an agent + value: + action: + type: UNENROLL schema: + additionalProperties: false type: object properties: - id: - description: >- - Identifier of the entity to be deleted, commonly entity.id - value. - example: arn:aws:iam::123456789012:user/jane.doe - type: string + action: + anyOf: + - additionalProperties: false + type: object + properties: + ack_data: + nullable: true + data: + nullable: true + type: + enum: + - UNENROLL + - UPGRADE + - POLICY_REASSIGN + type: string + required: + - type + - data + - ack_data + - additionalProperties: false + type: object + properties: + data: + additionalProperties: false + type: object + properties: + log_level: + enum: + - debug + - info + - warning + - error + nullable: true + type: string + required: + - log_level + type: + enum: + - SETTINGS + type: string + required: + - type + - data required: - - id - description: Schema for the deleting entity - required: true + - action responses: '200': content: application/json: examples: - deleteEntityExample: - description: >- - The entity was found and successfully removed from the - latest index. 
- summary: Entity deleted + postAgentActionExample: + description: Created agent action value: - deleted: true + item: + agents: + - agent-id-1 + created_at: '2024-01-01T00:00:00.000Z' + id: action-id-1 + type: UNENROLL schema: + additionalProperties: false type: object properties: - deleted: - description: Whether the entity was successfully deleted. - type: boolean - description: Successful response. Entity deleted. - '404': - description: Entity Not Found. No entity with this ID and Type exists. - '503': - description: >- - Operation on an uninitialized Engine or in a cluster without CRUD - API Enabled - summary: Delete an entity in Entity Store - tags: - - Security Entity Analytics API - put: - description: > - Update or create an entity in Entity Store. - - If the specified entity already exists, it is updated with the provided - values. If the entity does not exist, a new one is created. By default, - only the following fields can be updated: * `entity.attributes.*` * - `entity.lifecycle.*` * `entity.behavior.*` To update other fields, set - the `force` query parameter to `true`. > info > Some fields always - retain the first observed value. Updates to these fields will not appear - in the final index. - - > Due to technical limitations, not all updates are guaranteed to appear - in the final list of observed values. - - > Due to technical limitations, create is an async operation. The time - for a document to be present in the > final index depends on the entity - store transform and usually takes more than 1 minute. - operationId: UpsertEntity - parameters: - - example: user - in: path - name: entityType - required: true - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - - description: When true, allows updating protected fields. 
- in: query - name: force - required: false - schema: - default: false - type: boolean - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_Entity' - description: Schema for the updating a single entity - required: true - responses: - '200': + item: + additionalProperties: false + type: object + properties: + ack_data: + nullable: true + agents: + items: + type: string + maxItems: 10000 + type: array + created_at: + type: string + data: + nullable: true + expiration: + type: string + id: + type: string + minimum_execution_duration: + type: number + namespaces: + items: + type: string + maxItems: 100 + type: array + rollout_duration_seconds: + type: number + sent_at: + type: string + source_uri: + type: string + start_time: + type: string + total: + type: number + type: + type: string + required: + - id + - type + - data + - created_at + - ack_data + required: + - item + description: Successful response + '400': content: application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_Entity' - description: Entity updated or created - '403': - description: Operation on a restricted field - '409': - description: >- - Conflict. 
The entity was updated while another update was happening - in ElasticSearch - '503': - description: >- - Operation on an uninitialized Engine or in a cluster without CRUD - API Enabled - summary: Upsert an entity in Entity Store + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Create an agent action tags: - - Security Entity Analytics API - /api/entity_store/entities/bulk: - put: - description: > - Update or create many entities in Entity Store. + - Elastic Agent actions + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/{agentId}/effective_config: + get: + description: |- + **Spaces method and path for this operation:** - If the specified entity already exists, it is updated with the provided - values. If the entity does not exist, a new one is created. +
get /s/{space_id}/api/fleet/agents/{agentId}/effective_config
- The creation is asynchronous. The time for a document to be present in - the final index depends on the entity store transform and usually takes - more than 1 minute. - operationId: UpsertEntitiesBulk - parameters: - - description: When true, allows updating protected fields. - in: query - name: force - required: false - schema: - default: false - type: boolean - requestBody: - content: - application/json: - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EntitiesContainer - description: Schema for the updating many entities - required: true - responses: - '200': - description: Entities updated or created - '403': - description: Operation on a restricted field - '503': - description: >- - Operation on an uninitialized Engine or in a cluster without CRUD - API Enabled - summary: Upsert many entities in Entity Store - tags: - - Security Entity Analytics API - /api/entity_store/entities/list: - get: - description: List entities records, paging, sorting and filtering as needed. - operationId: ListEntities + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get an agent's effective config by ID.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agents-agentid-effective-config parameters: - - description: Field to sort results by. - example: entity.name - in: query - name: sort_field - required: false - schema: - type: string - - description: Sort order. - in: query - name: sort_order - required: false - schema: - enum: - - asc - - desc - type: string - - description: Page number to return (1-indexed). - example: 1 - in: query - name: page - required: false - schema: - minimum: 1 - type: integer - - description: Number of entities per page. - example: 10 - in: query - name: per_page - required: false - schema: - maximum: 10000 - minimum: 1 - type: integer - - description: An ES query to filter by. - in: query - name: filterQuery - required: false - schema: - type: string - - description: Entity types to include in the results. - in: query - name: entity_types + - description: The agent ID to get effective config of + in: path + name: agentId required: true schema: - items: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - type: array + type: string responses: '200': content: application/json: + examples: + successResponse: + value: + effective_config: {} schema: + additionalProperties: false type: object properties: - inspect: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_InspectQuery - page: - description: Current page number. - minimum: 1 - type: integer - per_page: - description: Number of entities per page. - maximum: 1000 - minimum: 1 - type: integer - records: - description: The entity records for this page. - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_Entity - type: array - total: - description: Total number of entities matching the query. 
- minimum: 0 - type: integer + effective_config: + nullable: true required: - - records - - page - - per_page - - total - description: Entities returned successfully - summary: List Entity Store Entities - tags: - - Security Entity Analytics API - /api/entity_store/status: - get: - description: >- - Get the overall Entity Store status and per-engine statuses, optionally - including component-level health details. - operationId: GetEntityStoreStatus - parameters: - - description: >- - If true, returns a detailed status of each engine including all its - components. - example: true - in: query - name: include_components - schema: - type: boolean - responses: - '200': + - effective_config + description: 'OK: A successful request.' + '400': content: application/json: examples: - entityStoreRunning: - description: >- - The Entity Store is running with both host and user engines - started and using default settings. - summary: Entity Store running with two engines + badRequestResponse: value: - engines: - - delay: 1m - fieldHistoryLength: 10 - frequency: 1m - indexPattern: '' - lookbackPeriod: 24h - status: started - timeout: 180s - timestampField: '@timestamp' - type: host - - delay: 1m - fieldHistoryLength: 10 - frequency: 1m - indexPattern: '' - lookbackPeriod: 24h - status: started - timeout: 180s - timestampField: '@timestamp' - type: user - status: running + message: Bad Request schema: + additionalProperties: false + description: Generic Error type: object properties: - engines: - description: Per-engine status information. - items: - allOf: - - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EngineDescriptor - - type: object - properties: - components: - description: >- - Detailed component-level status. Only included - when include_components is true. 
- items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EngineComponentStatus - type: array - type: array - status: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_StoreStatus - description: The overall status of the Entity Store. + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number required: - - status - - engines - description: Successful response - summary: Get the status of the Entity Store + - message + - attributes + description: A bad request. + summary: Get an agent's effective config tags: - - Security Entity Analytics API - /api/exception_lists: - delete: - description: Delete an exception list using the `id` or `list_id` field. - operationId: DeleteExceptionList + - Elastic Agents + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/{agentId}/migrate: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/{agentId}/migrate
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Migrate a single agent to another cluster.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-agentid-migrate parameters: - - description: >- - Exception list's identifier. Either `id` or `list_id` must be - specified. - in: query - name: id - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' - - description: >- - Human readable exception list string identifier, e.g. - `trusted-linux-processes`. Either `id` or `list_id` must be - specified. - examples: - autogeneratedId: - value: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - list_id: - value: simple_list - in: query - name: list_id - required: false + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - - description: > - `single` deletes the list in the current Kibana space; `agnostic` - deletes a global list. Must match the - - list you are removing when using `list_id` or `id`. 
- examples: - agnostic: - value: agnostic - single: - value: single - in: query - name: namespace_type - required: false + example: 'true' + type: string + - description: The agent ID + in: path + name: agentId + required: true schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - default: single + type: string + requestBody: + content: + application/json: + examples: + postMigrateAgentRequestExample: + description: Migrate a single agent to another cluster + value: + enrollment_token: enrollment-token-value + settings: + retry_max: 5 + uri: https://fleet-server.example.com:8220 + schema: + additionalProperties: false + type: object + properties: + enrollment_token: + type: string + settings: + additionalProperties: false + type: object + properties: + ca_sha256: + type: string + certificate_authorities: + type: string + elastic_agent_cert: + type: string + elastic_agent_cert_key: + type: string + elastic_agent_cert_key_passphrase: + type: string + headers: + additionalProperties: + type: string + type: object + insecure: + type: boolean + proxy_disabled: + type: boolean + proxy_headers: + additionalProperties: + type: string + type: object + proxy_url: + type: string + replace_token: + type: string + staging: + type: string + tags: + items: + type: string + maxItems: 10 + type: array + uri: + format: uri + type: string + required: + - uri + - enrollment_token responses: '200': content: application/json: examples: - detectionExceptionList: + postMigrateAgentExample: + description: Agent migration initiated value: - _version: WzIsMV0= - created_at: 2025-01-07T19:34:27.942Z - created_by: elastic - description: This is a sample detection type exception list. 
- id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 - immutable: false - list_id: simple_list - name: Sample Detection Exception List - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 - type: detection - updated_at: 2025-01-07T19:34:27.942Z - updated_by: elastic - version: 1 + actionId: action-id-1 schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + additionalProperties: false + type: object + properties: + actionId: + type: string + required: + - actionId description: Successful response '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: >- - [request query]: namespace_type.0: Invalid enum value. - Expected 'agnostic' | 'single', received 'blob' + message: An error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Migrate a single agent + tags: + - Elastic Agents + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/{agentId}/privilege_level_change: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/{agentId}/privilege_level_change
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Change the privilege level of a single agent to unprivileged.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-agentid-privilege-level-change + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The agent ID to change privilege level for + in: path + name: agentId + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + changeAgentPrivilegeLevelRequest: + value: + user_info: + groupname: groupname + password: password + username: username + schema: + additionalProperties: false + nullable: true + type: object + properties: + user_info: + additionalProperties: false + type: object + properties: + groupname: + type: string + password: + type: string + username: + type: string + responses: + '200': content: application/json: examples: - unauthorized: + successResponse: value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 + actionId: actionId schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_action_id_response' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_action_message_response' + description: 'OK: A successful request.' 
+ '400': content: application/json: examples: - forbidden: + badRequestResponse: value: - error: Forbidden - message: >- - API [DELETE - /api/exception_lists?list_id=simple_list&namespace_type=single] - is unauthorized for user, this action is granted by the - Kibana privileges [lists-all] - statusCode: 403 + message: Bad Request schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '404': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: A bad request. + summary: Change agent privilege level + tags: + - Elastic Agents + x-state: Experimental; added in 9.3.0 + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/{agentId}/reassign: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/{agentId}/reassign
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Reassign an agent to a different agent policy.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-agentid-reassign + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The agent ID + in: path + name: agentId + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + postReassignAgentRequestExample: + description: Reassign an agent to a different policy + value: + policy_id: agent-policy-id-2 + schema: + additionalProperties: false + type: object + properties: + policy_id: + type: string + required: + - policy_id + responses: + '200': content: application/json: examples: - notFound: - value: - message: 'exception list list_id: "foo" does not exist' - status_code: 404 + postReassignAgentExample: + description: Agent successfully reassigned + value: {} schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list not found response - '500': + additionalProperties: false + type: object + properties: {} + description: Successful response + '400': content: application/json: examples: - serverError: + genericErrorResponseExample: + description: Example of a generic error response value: - message: Internal Server Error - status_code: 500 + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Delete an exception list + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Reassign an agent tags: - - Security Exceptions API - get: 
- description: Get the details of an exception list using the `id` or `list_id` field. - operationId: ReadExceptionList + - Elastic Agent actions + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/{agentId}/remove_collector: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/{agentId}/remove_collector
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Remove a specific OpAMP collector from the Fleet agents list. Marks the collector as unenrolled. This action does not invalidate API keys, so the collector can reconnect on its own.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-agentid-remove-collector parameters: - - description: >- - Exception list's identifier. Either `id` or `list_id` must be - specified. - in: query - name: id - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' - - description: >- - Human readable exception list string identifier, e.g. - `trusted-linux-processes`. Either `id` or `list_id` must be - specified. - in: query - name: list_id - required: false + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - - description: > - When `single`, the list is resolved in the current Kibana space. - When `agnostic`, the list is a global - - (space-agnostic) container. Required for looking up the correct list - when `list_id` is not unique. - examples: - agnostic: - value: agnostic - single: - value: single - in: query - name: namespace_type - required: false + example: 'true' + type: string + - description: The collector agent ID + in: path + name: agentId + required: true schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - default: single + type: string responses: '200': content: application/json: examples: - detectionType: - value: - _version: WzIsMV0= - created_at: 2025-01-07T19:34:27.942Z - created_by: elastic - description: This is a sample detection type exception list. 
- id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 - immutable: false - list_id: simple_list - name: Sample Detection Exception List - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 - type: detection - updated_at: 2025-01-07T19:34:27.942Z - updated_by: elastic - version: 1 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + postRemoveCollectorExample: + description: Collector successfully removed + value: {} description: Successful response '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: >- - [request query]: namespace_type.0: Invalid enum value. - Expected 'agnostic' | 'single', received 'blob' + message: An error message describing what went wrong statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [GET - /api/exception_lists?list_id=simple_list&namespace_type=single] - is unauthorized for user, this action is granted by the - Kibana privileges [lists-read] - statusCode: 403 - schema: - $ref: >- - 
#/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message": 'exception list id: "foo" does not exist' - status_code": 404 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list item not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Get exception list details + description: Bad Request + summary: Remove an OpAMP collector tags: - - Security Exceptions API + - Elastic Agent actions + x-state: Experimental; added in 9.5.0 + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/{agentId}/request_diagnostics: post: - description: > - An exception list groups exception items and can be associated with - detection rules. You can assign exception lists to multiple detection - rules. + description: |- + **Spaces method and path for this operation:** - > info +
post /s/{space_id}/api/fleet/agents/{agentId}/request_diagnostics
- > All exception items added to the same list are evaluated using `OR` - logic. That is, if any of the items in a list evaluate to `true`, the - exception prevents the rule from generating an alert. Likewise, `OR` - logic is used for evaluating exceptions when more than one exception - list is assigned to a rule. To use the `AND` operator, you can define - multiple clauses (`entries`) in a single exception item. - operationId: CreateExceptionList + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Request a diagnostics bundle from a specific agent.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: post-fleet-agents-agentid-request-diagnostics + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The agent ID + in: path + name: agentId + required: true + schema: + type: string requestBody: content: application/json: examples: - createDetection: + postRequestDiagnosticsRequestExample: + description: Request a diagnostics bundle from an agent value: - description: This is a sample detection type exception list. - list_id: simple_list - name: Sample Detection Exception List - namespace_type: single - os_types: - - linux - tags: - - malware - type: detection + additional_metrics: + - CPU schema: - example: - description: This is a sample detection type exception list. - list_id: simple_list - name: Sample Detection Exception List - namespace_type: single - os_types: - - linux - tags: - - malware - type: detection + additionalProperties: false + nullable: true type: object properties: - description: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListDescription - list_id: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListHumanId - meta: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListMeta - name: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListName - namespace_type: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - default: single - os_types: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray - tags: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListTags - default: [] - type: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListType - version: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListVersion - default: 1 - required: - - name - - 
description - - type - description: Exception list's properties - required: true + additional_metrics: + items: + enum: + - CPU + type: string + maxItems: 1 + type: array responses: '200': content: application/json: examples: - autogeneratedListId: - value: - _version: WzMsMV0= - created_at: 2025-01-09T01:05:23.019Z - created_by: elastic - description: >- - This is a sample detection type exception with an - autogenerated list_id. - id: 28243c2f-624a-4443-823d-c0b894880931 - immutable: false - list_id: 8c1aae4c-1ef5-4bce-a2e3-16584b501783 - name: Sample Detection Exception List - namespace_type: single - os_types: [] - tags: - - malware - tie_breaker_id: ad94de31-39f7-4ad7-b8e4-988bfa95f338 - type: detection - updated_at: 2025-01-09T01:05:23.020Z - updated_by: elastic - version: 1 - namespaceAgnostic: - value: - _version: WzUsMV0= - created_at: 2025-01-09T01:10:36.369Z - created_by: elastic - description: This is a sample agnostic endpoint type exception. - id: 1a744e77-22ca-4b6b-9085-54f55275ebe5 - immutable: false - list_id: b935eb55-7b21-4c1c-b235-faa1df23b3d6 - name: Sample Agnostic Endpoint Exception List - namespace_type: agnostic - os_types: - - linux - tags: - - malware - tie_breaker_id: 49ea0adc-a2b8-4d83-a8f3-2fb98301dea3 - type: endpoint - updated_at: 2025-01-09T01:10:36.369Z - updated_by: elastic - version: 1 - typeDetection: - value: - _version: WzIsMV0= - created_at: 2025-01-07T19:34:27.942Z - created_by: elastic - description: This is a sample detection type exception list. 
- id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 - immutable: false - list_id: simple_list - name: Sample Detection Exception List - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 - type: detection - updated_at: 2025-01-07T19:34:27.942Z - updated_by: elastic - version: 1 - typeEndpoint: + postRequestDiagnosticsExample: + description: Diagnostics action result value: - _version: WzQsMV0= - created_at: 2025-01-09T01:07:49.658Z - created_by: elastic - description: This is a sample endpoint type exception list. - id: a79f4730-6e32-4278-abfc-349c0add7d54 - immutable: false - list_id: endpoint_list - name: Sample Endpoint Exception List - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 94a028af-8f47-427a-aca5-ffaf829e64ee - type: endpoint - updated_at: 2025-01-09T01:07:49.658Z - updated_by: elastic - version: 1 + actionId: action-id-1 schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + additionalProperties: false + type: object + properties: + actionId: + type: string + required: + - actionId description: Successful response '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: '[request body]: list_id: Expected string, received number' + message: Agent agent-id-1 does not support request diagnostics action. 
statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Request agent diagnostics + tags: + - Elastic Agent actions + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/{agentId}/rollback: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/{agentId}/rollback
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Rollback an agent to the previous version.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-agentid-rollback + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The agent ID to rollback + in: path + name: agentId + required: true + schema: + type: string + responses: + '200': content: application/json: examples: - unauthorized: + successResponse: value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 + actionId: actionId schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_action_id_response' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_action_message_response' + description: 'OK: A successful request.' + '400': content: application/json: examples: - forbidden: + badRequestResponse: value: - error: Forbidden - message: >- - API [POST /api/exception_lists] is unauthorized for user, - this action is granted by the Kibana privileges - [lists-all] - statusCode: 403 + message: Bad Request schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '409': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: A bad request. 
+ summary: Rollback an agent + tags: + - Elastic Agent actions + x-state: Experimental; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/{agentId}/unenroll: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/{agentId}/unenroll
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Unenroll a specific agent, optionally revoking its enrollment API key.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-agentid-unenroll + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The agent ID + in: path + name: agentId + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + postUnenrollAgentRequestExample: + description: Unenroll an agent, optionally revoking the enrollment API key + value: + revoke: false + schema: + additionalProperties: false + nullable: true + type: object + properties: + force: + type: boolean + revoke: + type: boolean + responses: + '200': content: application/json: examples: - alreadyExists: - value: - message: 'exception list id: "simple_list" already exists' - status_code: 409 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list already exists response - '500': + postUnenrollAgentExample: + description: Agent successfully unenrolled + value: {} + description: Successful response + '400': content: application/json: examples: - serverError: + genericErrorResponseExample: + description: Example of a generic error response value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Create an exception list + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + description: Bad Request + summary: Unenroll an agent tags: - - Security Exceptions API - put: - description: Update an exception list using the `id` or `list_id` field. 
- operationId: UpdateExceptionList - requestBody: - content: - application/json: - examples: - fullReplace: - value: - description: Different description - list_id: simple_list - name: Updated exception list name - os_types: - - linux - tags: - - draft - - malware - type: detection + - Elastic Agent actions + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/{agentId}/upgrade: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/{agentId}/upgrade
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Upgrade a specific agent to a newer version.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-agentid-upgrade + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The agent ID + in: path + name: agentId + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + postUpgradeAgentRequestExample: + description: Upgrade an agent to a specific version + value: + version: 8.17.0 schema: - example: - description: Different description - list_id: simple_list - name: Updated exception list name - os_types: - - linux - tags: - - draft malware - type: detection + additionalProperties: false type: object properties: - _version: - description: >- - The version id, normally returned by the API when the item - was retrieved. Use it ensure updates are done against the - latest version. + force: + type: boolean + skipRateLimitCheck: + type: boolean + source_uri: type: string - description: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListDescription - id: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' - list_id: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListHumanId - meta: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListMeta - name: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListName - namespace_type: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - default: single - os_types: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray - default: [] - tags: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListTags - type: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListType version: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListVersion + type: string required: - 
- name - - description - - type - description: Exception list's properties - required: true + - version responses: '200': content: application/json: examples: - simpleList: - value: - _version: WzExLDFd - created_at: 2025-01-07T20:43:55.264Z - created_by: elastic - description: Different description - id: fa7f545f-191b-4d32-b1f0-c7cd62a79e55 - immutable: false - list_id: simple_list - name: Updated exception list name - namespace_type: single - os_types: [] - tags: - - draft malware - tie_breaker_id: 319fe983-acdd-4806-b6c4-3098eae9392f - type: detection - updated_at: 2025-01-07T21:32:03.726Z - updated_by: elastic - version: 2 + postUpgradeAgentExample: + description: Agent upgrade initiated + value: {} schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + additionalProperties: false + type: object + properties: {} description: Successful response '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: '[request body]: list_id: Expected string, received number' + message: An error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - 
error: Forbidden - message: >- - API [PUT /api/exception_lists] is unauthorized for user, - this action is granted by the Kibana privileges - [lists-all] - statusCode: 403 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '404': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Upgrade an agent + tags: + - Elastic Agent actions + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/{agentId}/uploads: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agents/{agentId}/uploads
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of files uploaded by a specific agent.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agents-agentid-uploads + parameters: + - description: The agent ID + in: path + name: agentId + required: true + schema: + type: string + responses: + '200': content: application/json: examples: - notFound: + getAgentUploadsExample: + description: List of files uploaded by the agent value: - message": 'exception list id: "foo" does not exist' - status_code": 404 + items: + - actionId: action-id-1 + createTime: '2024-01-01T00:00:00.000Z' + filePath: /tmp/diagnostics-2024-01-01.zip + id: file-id-1 + name: diagnostics-2024-01-01.zip + status: READY schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list not found response - '500': + additionalProperties: false + type: object + properties: + items: + items: + additionalProperties: false + type: object + properties: + actionId: + type: string + createTime: + type: string + error: + type: string + filePath: + type: string + id: + type: string + name: + type: string + status: + enum: + - READY + - AWAITING_UPLOAD + - DELETED + - EXPIRED + - IN_PROGRESS + - FAILED + type: string + required: + - id + - name + - filePath + - createTime + - status + - actionId + maxItems: 10000 + type: array + required: + - items + description: Successful response + '400': content: application/json: examples: - serverError: + genericErrorResponseExample: + description: Example of a generic error response value: - message: Internal Server Error - status_code: 500 + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Update an exception list + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + 
type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get agent uploads tags: - - Security Exceptions API - /api/exception_lists/_duplicate: - post: - description: Duplicate an existing exception list. - operationId: DuplicateExceptionList + - Elastic Agents + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/action_status: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agents/action_status
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the current status of recent agent actions.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agents-action-status parameters: - - description: The `list_id` of the existing exception list to copy (source list). + - description: Page number in: query - name: list_id - required: true + name: page + required: false schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - - description: >- - Scope in which the source list is defined (`single` = current space, - `agnostic` = all spaces). - examples: - agnostic: - value: agnostic - single: - value: single + default: 0 + type: number + - description: Number of results per page in: query - name: namespace_type - required: true + name: perPage + required: false schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - - description: >- - Determines whether to include expired exceptions in the duplicated - list. Expiration date defined by `expire_time`. + default: 20 + type: number + - description: Return actions created before this date in: query - name: include_expired_exceptions - required: true + name: date + required: false schema: - default: 'true' - enum: - - 'true' - - 'false' - example: true type: string + - description: Return only the latest N actions + in: query + name: latest + required: false + schema: + type: number + - description: Number of error details to include per action + in: query + name: errorSize + required: false + schema: + default: 5 + type: number responses: '200': content: application/json: examples: - detectionExceptionList: + getActionStatusExample: + description: Status of recent agent actions value: - _version: WzExNDY1LDFd - created_at: 2025-01-09T16:19:50.280Z - created_by: elastic - description: This is a sample detection type exception - id: b2f4a715-6ab1-444c-8b1e-3fa1b1049429 - immutable: false - list_id: d6390d60-bce3-4a48-9002-52db600f329c - name: Sample Detection Exception List [Duplicate] - namespace_type: single - 
os_types: [] - tags: - - malware - tie_breaker_id: 6fa670bd-666d-4c9c-9f1e-d1dbc516e985 - type: detection - updated_at: 2025-01-09T16:19:50.280Z - updated_by: elastic - version: 1 + items: + - actionId: action-id-1 + completionTime: '2024-01-01T00:05:00.000Z' + creationTime: '2024-01-01T00:00:00.000Z' + nbAgentsAck: 2 + nbAgentsActioned: 2 + nbAgentsFailed: 0 + status: COMPLETE + type: UPGRADE schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + additionalProperties: false + type: object + properties: + items: + items: + additionalProperties: false + type: object + properties: + actionId: + type: string + cancellationTime: + type: string + completionTime: + type: string + creationTime: + description: creation time of action + type: string + expiration: + type: string + hasRolloutPeriod: + type: boolean + is_automatic: + type: boolean + latestErrors: + items: + additionalProperties: false + description: latest errors that happened when the agents executed the action + type: object + properties: + agentId: + type: string + error: + type: string + hostname: + type: string + timestamp: + type: string + required: + - agentId + - error + - timestamp + maxItems: 10 + type: array + nbAgentsAck: + description: number of agents that acknowledged the action + type: number + nbAgentsActionCreated: + description: number of agents included in action from kibana + type: number + nbAgentsActioned: + description: number of agents actioned + type: number + nbAgentsFailed: + description: number of agents that failed to execute the action + type: number + newPolicyId: + description: new policy id (POLICY_REASSIGN action) + type: string + policyId: + description: policy id (POLICY_CHANGE action) + type: string + revision: + description: new policy revision (POLICY_CHANGE action) + type: number + startTime: + description: start time of action (scheduled actions) + type: string + status: + enum: + - COMPLETE + - EXPIRED + - CANCELLED + - FAILED + - IN_PROGRESS + 
- ROLLOUT_PASSED + type: string + type: + enum: + - UPGRADE + - UNENROLL + - SETTINGS + - POLICY_REASSIGN + - CANCEL + - FORCE_UNENROLL + - REQUEST_DIAGNOSTICS + - UPDATE_TAGS + - POLICY_CHANGE + - INPUT_ACTION + - MIGRATE + - PRIVILEGE_LEVEL_CHANGE + - ROLLBACK + type: string + version: + description: agent version number (UPGRADE action) + type: string + required: + - actionId + - nbAgentsActionCreated + - nbAgentsAck + - nbAgentsFailed + - type + - nbAgentsActioned + - status + - creationTime + maxItems: 10000 + type: array + required: + - items description: Successful response '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: >- - [request query]: namespace_type: Invalid enum value. - Expected 'agnostic' | 'single', received 'foo' + message: An error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [POST /api/exception_lists/_duplicate] is unauthorized - for user, this action is granted by the Kibana privileges - [lists-all] - statusCode: 403 - schema: - $ref: >- - 
#/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message: 'exception list id: "foo" does not exist' - status_code: 404 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Exception list not found - '405': - content: - application/json: - examples: - notAllowed: - value: - message: >- - Cannot duplicate: list is immutable or the operation is - not allowed in this state - status_code: 405 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list to duplicate not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Duplicate an exception list + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get an agent action status tags: - - Security Exceptions API - /api/exception_lists/_export: + - Elastic Agent actions + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/actions/{actionId}/cancel: post: - description: Export an exception list and its associated items to an NDJSON file. - operationId: ExportExceptionList + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/actions/{actionId}/cancel
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Cancel a pending action for a specific agent.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-actions-actionid-cancel parameters: - - description: >- - Exception list's internal `id` (UUID) returned on create; use with - `list_id` and `namespace_type` for an unambiguous target. - in: query - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' - - description: >- - Human-readable `list_id` of the exception list to export, as shown - in the UI and API responses. - in: query - name: list_id - required: true - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - - description: > - `single` exports a list in the current Kibana space; `agnostic` - exports a global (space-agnostic) list. - examples: - agnostic: - value: agnostic - single: - value: single - in: query - name: namespace_type + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - - description: >- - Determines whether to include expired exceptions in the exported - list. Expiration date defined by `expire_time`. 
- example: true - in: query - name: include_expired_exceptions + example: 'true' + type: string + - description: The ID of the action to cancel + in: path + name: actionId required: true schema: - default: 'true' - enum: - - 'true' - - 'false' type: string + requestBody: + content: + application/json: + examples: + postCancelActionRequestExample: + description: Cancel an agent action + value: {} responses: '200': content: - application/ndjson: + application/json: examples: - exportSavedObjectsResponse: - value: > - {"_version":"WzExNDU5LDFd","created_at":"2025-01-09T16:18:17.757Z","created_by":"elastic","description":"This - is a sample detection type - exception","id":"c86c2da0-2ab6-4343-b81c-216ef27e8d75","immutable":false,"list_id":"simple_list","name":"Sample - Detection Exception - List","namespace_type":"single","os_types":[],"tags":["user - added string for a - tag","malware"],"tie_breaker_id":"cf4a7b92-732d-47f0-a0d5-49a35a1736bf","type":"detection","updated_at":"2025-01-09T16:18:17.757Z","updated_by":"elastic","version":1} - - {"_version":"WzExNDYxLDFd","comments":[],"created_at":"2025-01-09T16:18:42.308Z","created_by":"elastic","description":"This - is a sample endpoint type - exception","entries":[{"type":"exists","field":"actingProcess.file.signer","operator":"excluded"},{"type":"match_any","field":"host.name","value":["some - host","another - host"],"operator":"included"}],"id":"f37597ce-eaa7-4b64-9100-4301118f6806","item_id":"simple_list_item","list_id":"simple_list","name":"Sample - Endpoint Exception - List","namespace_type":"single","os_types":["linux"],"tags":["user - added string for a - tag","malware"],"tie_breaker_id":"4ca3ef3e-9721-42c0-8107-cf47e094d40f","type":"simple","updated_at":"2025-01-09T16:18:42.308Z","updated_by":"elastic"} - - {"exported_exception_list_count":1,"exported_exception_list_item_count":1,"missing_exception_list_item_count":0,"missing_exception_list_items":[],"missing_exception_lists":[],"missing_exception_lists_count":0} 
+ postCancelActionExample: + description: Cancellation action created + value: + item: + agents: + - agent-id-1 + created_at: '2024-01-01T00:00:00.000Z' + id: cancel-action-id-1 + type: CANCEL schema: - description: >- - A `.ndjson` file containing specified exception list and its - items - format: binary - type: string + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + ack_data: + nullable: true + agents: + items: + type: string + maxItems: 10000 + type: array + created_at: + type: string + data: + nullable: true + expiration: + type: string + id: + type: string + minimum_execution_duration: + type: number + namespaces: + items: + type: string + maxItems: 100 + type: array + rollout_duration_seconds: + type: number + sent_at: + type: string + source_uri: + type: string + start_time: + type: string + total: + type: number + type: + type: string + required: + - id + - type + - data + - created_at + - ack_data + required: + - item description: Successful response '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: >- - [request query]: list_id: Required, namespace_type: - Required + message: An error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: >- - 
#/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [POST /api/exception_lists/_export] is unauthorized - for user, this action is granted by the Kibana privileges - [lists-all] - statusCode: 403 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '404': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Cancel an agent action + tags: + - Elastic Agent actions + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/available_versions: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agents/available_versions
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of Elastic Agent versions available for upgrade.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agents-available-versions + parameters: [] + responses: + '200': content: application/json: examples: - notFound: + getAvailableVersionsExample: + description: List of available agent versions for upgrade value: - message": 'exception list id: "foo" does not exist' - status_code": 404 + items: + - 8.17.0 + - 8.16.3 + - 8.16.2 schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list not found response - '500': + additionalProperties: false + type: object + properties: + items: + items: + type: string + maxItems: 10000 + type: array + required: + - items + description: Successful response + '400': content: application/json: examples: - serverError: + genericErrorResponseExample: + description: Example of a generic error response value: - message: Internal Server Error - status_code: 500 + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Export an exception list + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get available agent versions tags: - - Security Exceptions API - /api/exception_lists/_find: - get: - description: Get a list of all exception list containers. - operationId: FindExceptionLists - parameters: - - description: > - Filters the returned results according to the value of the specified - field. 
- - - Uses the `so type.field name:field` value syntax, where `so type` - can be: - + - Elastic Agents + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/bulk_migrate: + post: + description: |- + **Spaces method and path for this operation:** - - `exception-list`: Specify a space-aware exception list. +
post /s/{space_id}/api/fleet/agents/bulk_migrate
- - `exception-list-agnostic`: Specify an exception list that is - shared across spaces. - in: query - name: filter - required: false - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_FindExceptionListsFilter - - description: > - Determines whether the returned containers are Kibana associated - with a Kibana space + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - or available in all spaces (`agnostic` or `single`) - examples: - agnostic: - value: agnostic - single: - value: single - in: query - name: namespace_type - required: false - schema: - default: - - single - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - type: array - - description: The page number to return - in: query - name: page - required: false - schema: - example: 1 - minimum: 1 - type: integer - - description: The number of exception lists to return per page - in: query - name: per_page - required: false - schema: - example: 20 - minimum: 1 - type: integer - - description: Determines which field is used to sort the results. - in: query - name: sort_field - required: false - schema: - example: name - type: string - - description: Determines the sort order, which can be `desc` or `asc`. - in: query - name: sort_order - required: false + Bulk migrate agents to another cluster.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-bulk-migrate + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - enum: - - desc - - asc - example: desc + example: 'true' type: string + requestBody: + content: + application/json: + examples: + postBulkMigrateAgentsRequestExample: + description: Migrate multiple agents to another cluster + value: + agents: + - agent-id-1 + - agent-id-2 + enrollment_token: enrollment-token-value + settings: + retry_max: 5 + uri: https://fleet-server.example.com:8220 + schema: + additionalProperties: false + type: object + properties: + agents: + anyOf: + - items: + type: string + maxItems: 10000 + type: array + - type: string + batchSize: + type: number + enrollment_token: + type: string + settings: + additionalProperties: false + type: object + properties: + ca_sha256: + type: string + certificate_authorities: + type: string + elastic_agent_cert: + type: string + elastic_agent_cert_key: + type: string + elastic_agent_cert_key_passphrase: + type: string + headers: + additionalProperties: + type: string + type: object + insecure: + type: boolean + proxy_disabled: + type: boolean + proxy_headers: + additionalProperties: + type: string + type: object + proxy_url: + type: string + staging: + type: string + tags: + items: + type: string + maxItems: 10 + type: array + uri: + format: uri + type: string + required: + - agents + - uri + - enrollment_token responses: '200': content: application/json: examples: - simpleLists: + postBulkMigrateAgentsExample: + description: Bulk agent migration initiated value: - data: - - _version: WzIsMV0= - created_at: 2025-01-07T19:34:27.942Z - created_by: elastic - description: This is a sample detection type exception list. 
- id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 - immutable: false - list_id: simple_list - name: Detection Exception List - namespace_type: single - os_types: [] - tags: - - malware - tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 - type: detection - updated_at: 2025-01-07T19:34:27.942Z - updated_by: elastic - version: 1 - page: 1 - per_page: 20 - total: 1 + actionId: action-id-1 schema: + additionalProperties: false type: object properties: - data: - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionList - type: array - page: - minimum: 1 - type: integer - per_page: - minimum: 1 - type: integer - total: - minimum: 0 - type: integer + actionId: + type: string required: - - data - - page - - per_page - - total + - actionId description: Successful response '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: >- - [request query]: namespace_type.0: Invalid enum value. 
- Expected 'agnostic' | 'single', received 'blob' + message: An error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Migrate multiple agents + tags: + - Elastic Agents + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/bulk_privilege_level_change: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/bulk_privilege_level_change
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Change multiple agents' privilege level to unprivileged.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-bulk-privilege-level-change + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + bulkChangeAgentPrivilegeLevelRequest: + value: + agents: agent + user_info: + groupname: groupname + password: password + username: username + schema: + additionalProperties: false + type: object + properties: + agents: + anyOf: + - items: + type: string + maxItems: 10000 + type: array + - type: string + batchSize: + type: number + user_info: + additionalProperties: false + type: object + properties: + groupname: + type: string + password: + type: string + username: + type: string + required: + - agents + responses: + '200': content: application/json: examples: - forbidden: + successResponse: value: - error: Forbidden - message: >- - API [GET /api/exception_lists/_find?namespace_type=single] - is unauthorized for user, this action is granted by the - Kibana privileges [lists-read] - statusCode: 403 + actionId: actionId schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '500': + additionalProperties: false + type: object + properties: + actionId: + type: string + required: + - actionId + description: 'OK: A successful request.' 
+ '400': content: application/json: examples: - serverError: + badRequestResponse: value: - message: Internal Server Error - status_code: 500 + message: Bad Request schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Get exception lists + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: A bad request. + summary: Bulk change agent privilege level tags: - - Security Exceptions API - /api/exception_lists/_import: + - Elastic Agents + x-state: Experimental; added in 9.3.0 + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/bulk_reassign: post: - description: Import an exception list and its associated items from an NDJSON file. - operationId: ImportExceptionList - parameters: - - description: > - Determines whether existing exception lists with the same `list_id` - are overwritten. + description: |- + **Spaces method and path for this operation:** - If any exception items have the same `item_id`, those are also - overwritten. - in: query - name: overwrite - required: false - schema: - default: false - example: false - type: boolean - - description: > - Determines whether the list being imported will have a new `list_id` - generated. +
post /s/{space_id}/api/fleet/agents/bulk_reassign
- Additional `item_id`'s are generated for each exception item. Both - the exception + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - list and its items are overwritten. - in: query - name: as_new_list - required: false + Reassign multiple agents to a different agent policy.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-bulk-reassign + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - default: false - example: false - type: boolean + example: 'true' + type: string requestBody: content: - multipart/form-data: + application/json: examples: - ndjsonUpload: + postBulkReassignAgentsRequestExample: + description: Reassign multiple agents to a different policy value: - file: exception_lists.ndjson + agents: + - agent-id-1 + - agent-id-2 + policy_id: agent-policy-id-2 schema: + additionalProperties: false type: object properties: - file: - description: A `.ndjson` file containing the exception list - example: > - {"_version":"WzExNDU5LDFd","created_at":"2025-01-09T16:18:17.757Z","created_by":"elastic","description":"This - is a sample detection type - exception","id":"c86c2da0-2ab6-4343-b81c-216ef27e8d75","immutable":false,"list_id":"simple_list","name":"Sample - Detection Exception - List","namespace_type":"single","os_types":[],"tags":["user - added string for a - tag","malware"],"tie_breaker_id":"cf4a7b92-732d-47f0-a0d5-49a35a1736bf","type":"detection","updated_at":"2025-01-09T16:18:17.757Z","updated_by":"elastic","version":1} - - {"_version":"WzExNDYxLDFd","comments":[],"created_at":"2025-01-09T16:18:42.308Z","created_by":"elastic","description":"This - is a sample endpoint type - exception","entries":[{"type":"exists","field":"actingProcess.file.signer","operator":"excluded"},{"type":"match_any","field":"host.name","value":["some - host","another - host"],"operator":"included"}],"id":"f37597ce-eaa7-4b64-9100-4301118f6806","item_id":"simple_list_item","list_id":"simple_list","name":"Sample - Endpoint Exception - List","namespace_type":"single","os_types":["linux"],"tags":["user - added string for a - 
tag","malware"],"tie_breaker_id":"4ca3ef3e-9721-42c0-8107-cf47e094d40f","type":"simple","updated_at":"2025-01-09T16:18:42.308Z","updated_by":"elastic"} - format: binary + agents: + anyOf: + - items: + type: string + maxItems: 10000 + type: array + - type: string + batchSize: + type: number + includeInactive: + default: false + type: boolean + policy_id: type: string - required: true + required: + - policy_id + - agents responses: '200': content: application/json: examples: - withErrors: - value: - errors: - - error: - message: >- - Error found importing exception list: Invalid value - \"4\" supplied to \"list_id\" - status_code: 400 - list_id: (unknown list_id) - - error: - message: >- - Found that item_id: - \"f7fd00bb-dba8-4c93-9d59-6cbd427b6330\" already - exists. Import of item_id: - \"f7fd00bb-dba8-4c93-9d59-6cbd427b6330\" skipped. - status_code: 409 - item_id: f7fd00bb-dba8-4c93-9d59-6cbd427b6330 - list_id: 7d7cccb8-db72-4667-b1f3-648efad7c1ee - success: false, - success_count: 0, - success_count_exception_list_items: 0 - success_count_exception_lists: 0, - success_exception_list_items: false, - success_exception_lists: false, - withoutErrors: + postBulkReassignAgentsExample: + description: Bulk reassign action result value: - errors: [] - success: true - success_count: 2 - success_count_exception_list_items: 1 - success_count_exception_lists: 1 - success_exception_list_items: true - success_exception_lists: true, + actionId: action-id-1 schema: + additionalProperties: false type: object properties: - errors: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListsImportBulkErrorArray - success: - type: boolean - success_count: - minimum: 0 - type: integer - success_count_exception_list_items: - minimum: 0 - type: integer - success_count_exception_lists: - minimum: 0 - type: integer - success_exception_list_items: - type: boolean - success_exception_lists: - type: boolean + actionId: + type: string required: - - errors - - success - - 
success_count - - success_exception_lists - - success_count_exception_lists - - success_exception_list_items - - success_count_exception_list_items + - actionId description: Successful response '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: >- - Multipart part `file` is required and must contain a valid - .ndjson exception list export + message: An error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Bulk reassign agents + tags: + - Elastic Agent actions + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/bulk_remove_collectors: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/bulk_remove_collectors
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Remove multiple OpAMP collectors from the Fleet agents list. Marks the collectors as unenrolled. This action does not invalidate API keys, so collectors can reconnect on their own.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-bulk-remove-collectors + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + postBulkRemoveCollectorsRequestExample: + description: Remove multiple OpAMP collectors + value: + agents: + - collector-id-1 + - collector-id-2 + schema: + additionalProperties: false + type: object + properties: + agents: + anyOf: + - items: + description: List of collector agent IDs + type: string + maxItems: 10000 + type: array + - description: KQL query string. Leave empty to target all collectors + type: string + includeInactive: + description: When passing collectors by KQL query, also removes inactive collectors + type: boolean + required: + - agents + responses: + '200': content: application/json: examples: - forbidden: + postBulkRemoveCollectorsExample: + description: Bulk remove collectors action result value: - error: Forbidden - message: >- - API [POST /api/exception_lists/_import] is unauthorized - for user, this action is granted by the Kibana privileges - [lists-all] - statusCode: 403 + actionId: action-id-1 schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '500': + additionalProperties: false + type: object + properties: + actionId: + type: string + required: + - actionId + description: Successful response + '400': content: application/json: examples: - serverError: + genericErrorResponseExample: + description: Example of a generic error response value: - message: Internal Server Error - status_code: 500 + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error 
response - summary: Import an exception list + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Bulk remove OpAMP collectors tags: - - Security Exceptions API - /api/exception_lists/items: - delete: - description: Delete an exception list item using the `id` or `item_id` field. - operationId: DeleteExceptionListItem + - Elastic Agent actions + x-state: Experimental; added in 9.5.0 + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/bulk_request_diagnostics: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/bulk_request_diagnostics
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Request diagnostics bundles from multiple agents.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: post-fleet-agents-bulk-request-diagnostics parameters: - - description: >- - Exception item's identifier. Either `id` or `item_id` must be - specified - in: query - name: id - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' - - description: >- - Human readable exception item string identifier, e.g. - `trusted-linux-processes`. Either `id` or `item_id` must be - specified - in: query - name: item_id - required: false - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId - - description: > - `single` deletes the item in the current Kibana space; `agnostic` - deletes an item in a space-agnostic list. Must match the list that - owns the item. - examples: - agnostic: - value: agnostic - single: - value: single - in: query - name: namespace_type - required: false + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - default: single + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + postBulkRequestDiagnosticsRequestExample: + description: Request diagnostics bundles from multiple agents + value: + additional_metrics: + - CPU + agents: + - agent-id-1 + - agent-id-2 + schema: + additionalProperties: false + type: object + properties: + additional_metrics: + items: + enum: + - CPU + type: string + maxItems: 1 + type: array + agents: + anyOf: + - items: + type: string + maxItems: 10000 + type: array + - type: string + batchSize: + type: number + required: + - agents responses: '200': content: application/json: examples: - simpleExceptionItem: + postBulkRequestDiagnosticsExample: + description: Bulk diagnostics action result value: - _version: WzQsMV0= - comments: [] - created_at: 2025-01-07T20:07:33.119Z - 
created_by: elastic - description: This is a sample detection type exception item. - entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - - field: host.name - operator: included - type: match_any - value: - - saturn - - jupiter - id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c - type: simple - updated_at: 2025-01-07T20:07:33.119Z - updated_by: elastic + actionId: action-id-1 schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' + additionalProperties: false + type: object + properties: + actionId: + type: string + required: + - actionId description: Successful response '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: >- - [request query]: namespace_type.0: Invalid enum value. - Expected 'agnostic' | 'single', received 'blob' + message: An error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Bulk request diagnostics from agents + tags: + - Elastic Agent actions + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/bulk_rollback: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/bulk_rollback
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Rollback multiple agents to the previous version.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-bulk-rollback + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + bulkRollbackAgentsRequest: + value: + agents: + - agent-1 + - agent-2 + batchSize: 100 + includeInactive: false + schema: + additionalProperties: false + type: object + properties: + agents: + anyOf: + - items: + type: string + maxItems: 10000 + type: array + - type: string + batchSize: + type: number + includeInactive: + default: false + type: boolean + required: + - agents + responses: + '200': content: application/json: examples: - unauthorized: + successResponse: value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 + actionIds: + - actionId1 + - actionId2 schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': + additionalProperties: false + type: object + properties: + actionIds: + items: + type: string + maxItems: 10000 + type: array + required: + - actionIds + description: 'OK: A successful request.' 
+ '400': content: application/json: examples: - forbidden: + badRequestResponse: value: - error: Forbidden - message: >- - API [DELETE - /api/exception_lists/items?item_id=simple_list&namespace_type=single] - is unauthorized for user, this action is granted by the - Kibana privileges [lists-all] - statusCode: 403 + message: Bad Request schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '404': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: A bad request. + summary: Bulk rollback agents + tags: + - Elastic Agent actions + x-state: Experimental; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/bulk_unenroll: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/bulk_unenroll
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Unenroll multiple agents, optionally revoking their enrollment API keys.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-bulk-unenroll + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + postBulkUnenrollAgentsRequestExample: + description: Unenroll multiple agents + value: + agents: + - agent-id-1 + - agent-id-2 + revoke: false + schema: + additionalProperties: false + type: object + properties: + agents: + anyOf: + - items: + description: list of agent IDs + type: string + maxItems: 10000 + type: array + - description: KQL query string, leave empty to action all agents + type: string + batchSize: + type: number + force: + description: Unenrolls hosted agents too + type: boolean + includeInactive: + description: When passing agents by KQL query, unenrolls inactive agents too + type: boolean + revoke: + description: Revokes API keys of agents + type: boolean + required: + - agents + responses: + '200': content: application/json: examples: - notFound: + postBulkUnenrollAgentsExample: + description: Bulk unenroll action result value: - message: 'exception list item item_id: \"foo\" does not exist' - status_code: 404 + actionId: action-id-1 schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list item not found response - '500': + additionalProperties: false + type: object + properties: + actionId: + type: string + required: + - actionId + description: Successful response + '400': content: application/json: examples: - serverError: + genericErrorResponseExample: + description: Example of a generic error response value: - message: Internal Server Error - status_code: 500 + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: 
Internal server error response - summary: Delete an exception list item + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Bulk unenroll agents tags: - - Security Exceptions API - get: - description: >- - Get the details of an exception list item using the `id` or `item_id` - field. - operationId: ReadExceptionListItem - parameters: - - description: >- - Exception list item's identifier. Either `id` or `item_id` must be - specified. - in: query - name: id - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' - - description: >- - Human readable exception item string identifier, e.g. - `trusted-linux-processes`. Either `id` or `item_id` must be - specified. - in: query - name: item_id - required: false - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId - - description: > - `single` fetches the item in the current space; `agnostic` fetches a - global (space-agnostic) item. Must + - Elastic Agent actions + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/bulk_update_agent_tags: + post: + description: |- + **Spaces method and path for this operation:** - match how the list was created. - examples: - agnostic: - value: agnostic - single: - value: single - in: query - name: namespace_type - required: false +
post /s/{space_id}/api/fleet/agents/bulk_update_agent_tags
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Add or remove tags across multiple agents.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-bulk-update-agent-tags + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - default: single + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + postBulkUpdateAgentTagsRequestExample: + description: Add and remove tags across multiple agents + value: + agents: + - agent-id-1 + - agent-id-2 + tagsToAdd: + - production + tagsToRemove: + - staging + schema: + additionalProperties: false + type: object + properties: + agents: + anyOf: + - items: + type: string + maxItems: 10000 + type: array + - type: string + batchSize: + type: number + includeInactive: + default: false + type: boolean + tagsToAdd: + items: + type: string + maxItems: 10 + type: array + tagsToRemove: + items: + type: string + maxItems: 10 + type: array + required: + - agents responses: '200': content: application/json: examples: - simpleListItem: + postBulkUpdateAgentTagsExample: + description: Bulk action result value: - _version: WzQsMV0= - comments: [] - created_at: 2025-01-07T20:07:33.119Z - created_by: elastic - description: This is a sample detection type exception item. 
- entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - - field: host.name - operator: included - type: match_any - value: - - saturn - - jupiter - id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c - type: simple - updated_at: 2025-01-07T20:07:33.119Z - updated_by: elastic + actionId: action-id-1 schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' + additionalProperties: false + type: object + properties: + actionId: + type: string + required: + - actionId description: Successful response '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: >- - [request query]: namespace_type.0: Invalid enum value. - Expected 'agnostic' | 'single', received 'blob' + message: An error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [GET - 
/api/exception_lists/items?item_id=&namespace_type=single] - is unauthorized for user, this action is granted by the - Kibana privileges [lists-read] - statusCode: 403 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message: 'exception list item item_id: \"foo\" does not exist' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list item not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Get an exception list item + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Bulk update agent tags tags: - - Security Exceptions API + - Elastic Agent actions + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/bulk_upgrade: post: - description: > - Create an exception item and associate it with the specified exception - list. + description: |- + **Spaces method and path for this operation:** - > info +
post /s/{space_id}/api/fleet/agents/bulk_upgrade
- > Before creating exception items, you must create an exception list. - operationId: CreateExceptionListItem + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Upgrade multiple agents to a newer version, with optional rollout controls.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-agents-bulk-upgrade + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: examples: - simpleItem: + postBulkUpgradeAgentsRequestExample: + description: Upgrade multiple agents to a specific version value: - description: This is a sample detection type exception item. - entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - type: simple + agents: + - agent-id-1 + - agent-id-2 + rollout_duration_seconds: 3600 + version: 8.17.0 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemGeneric - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemEndpointList - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedAppsWindows - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedAppsMac - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedAppsLinux - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedDevicesWindows - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedDevicesMac - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedDevicesWindowsMac - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemEventFilters - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemHostIsolation - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBlocklistWindows - - $ref: >- - 
#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBlocklistLinux - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBlocklistMac - description: Exception list item's properties - required: true + additionalProperties: false + type: object + properties: + agents: + anyOf: + - items: + type: string + maxItems: 10000 + type: array + - type: string + batchSize: + type: number + force: + type: boolean + includeInactive: + default: false + type: boolean + rollout_duration_seconds: + minimum: 600 + type: number + skipRateLimitCheck: + type: boolean + source_uri: + type: string + start_time: + type: string + version: + type: string + required: + - agents + - version responses: '200': content: application/json: examples: - autogeneratedItemId: - value: - _version: WzYsMV0= - comments: [] - created_at: 2025-01-09T01:16:23.322Z - created_by: elastic - description: >- - This is a sample exception that has no item_id so it is - autogenerated. - entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - id: 323faa75-c657-4fa0-9084-8827612c207b - item_id: 80e6edf7-4b13-4414-858f-2fa74aa52b37 - list_id: 8c1aae4c-1ef5-4bce-a2e3-16584b501783 - name: Sample Autogenerated Exception List Item ID - namespace_type: single - os_types: [] - tags: - - malware - tie_breaker_id: d6799986-3a23-4213-bc6d-ed9463a32f23 - type: simple - updated_at: 2025-01-09T01:16:23.322Z - updated_by: elastic - detectionExceptionListItem: - value: - _version: WzQsMV0= - comments: [] - created_at: 2025-01-07T20:07:33.119Z - created_by: elastic - description: This is a sample detection type exception item. 
- entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c - type: simple - updated_at: 2025-01-07T20:07:33.119Z - updated_by: elastic - withExistEntry: - value: - _version: WzQsMV0= - comments: [] - created_at: 2025-01-07T20:07:33.119Z - created_by: elastic - description: This is a sample detection type exception item. - entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c - type: simple - updated_at: 2025-01-07T20:07:33.119Z - updated_by: elastic - withMatchAnyEntry: - value: - _version: WzQsMV0= - comments: [] - created_at: 2025-01-07T20:07:33.119Z - created_by: elastic - description: This is a sample detection type exception item. - entries: - - field: host.name - operator: included - type: match_any - value: - - saturn - - jupiter - id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c - type: simple - updated_at: 2025-01-07T20:07:33.119Z - updated_by: elastic - withMatchEntry: + postBulkUpgradeAgentsExample: + description: Bulk upgrade action result value: - _version: WzQsMV0= - comments: [] - created_at: 2025-01-07T20:07:33.119Z - created_by: elastic - description: This is a sample detection type exception item. - entries: - - field: actingProcess.file.signer - operator: included - type: match - value: Elastic N.V. 
- id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c - type: simple - updated_at: 2025-01-07T20:07:33.119Z - updated_by: elastic - withNestedEntry: + actionId: action-id-1 + schema: + additionalProperties: false + type: object + properties: + actionId: + type: string + required: + - actionId + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response value: - _version: WzQsMV0= - comments: [] - created_at: 2025-01-07T20:07:33.119Z - created_by: elastic - description: This is a sample detection type exception item. - entries: - - entries: - - field: signer - operator: included - type: match - value: Evil - - field: trusted - operator: included - type: match - value: true - field: file.signature - type: nested - id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c - type: simple - updated_at: 2025-01-07T20:07:33.119Z - updated_by: elastic - withValueListEntry: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Bulk upgrade agents + tags: + - Elastic Agent actions + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/files/{fileId}: + delete: + description: |- + **Spaces method and path for this 
operation:** + +
delete /s/{space_id}/api/fleet/agents/files/{fileId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a file uploaded by an agent.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: delete-fleet-agents-files-fileid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The ID of the uploaded file + in: path + name: fileId + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + deleteAgentUploadFileExample: + description: Uploaded file successfully deleted value: - _version: WzcsMV0= - comments: [] - created_at: 2025-01-09T01:31:12.614Z - created_by: elastic - description: >- - Don't signal when agent.name is rock01 and source.ip is in - the goodguys.txt list - entries: - - field: source.ip - list: - id: goodguys.txt - type: ip - operator: excluded - type: list - id: deb26876-297d-4677-8a1f-35467d2f1c4f - item_id: 686b129e-9b8d-4c59-8d8d-c93a9ea82c71 - list_id: 8c1aae4c-1ef5-4bce-a2e3-16584b501783 - name: Filter out good guys ip and agent.name rock01 - namespace_type: single - os_types: [] - tags: - - malware - tie_breaker_id: 5e0288ce-6657-4c18-9dcc-00ec9e8cc6c8 - type: simple - updated_at: 2025-01-09T01:31:12.614Z - updated_by: elastic + deleted: true + id: file-id-1 schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' + additionalProperties: false + type: object + properties: + deleted: + type: boolean + id: + type: string + required: + - id + - deleted description: Successful response '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: - error: Bad Request, - message: '[request body]: list_id: Expected string, received number' - statusCode: 400, + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - 
#/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Delete an uploaded file + tags: + - Elastic Agents + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/files/{fileId}/{fileName}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agents/files/{fileId}/{fileName}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a file uploaded by an agent.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agents-files-fileid-filename + parameters: + - description: The ID of the uploaded file + in: path + name: fileId + required: true + schema: + type: string + - description: The name of the uploaded file + in: path + name: fileName + required: true + schema: + type: string + responses: + '200': content: application/json: examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 + getAgentUploadFileExample: + description: The uploaded file content as a stream + value: schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': + type: object + description: Successful response — returns the uploaded file content + '400': content: application/json: examples: - forbidden: + genericErrorResponseExample: + description: Example of a generic error response value: - error: Forbidden - message: >- - API [POST /api/exception_lists/items] is unauthorized for - user, this action is granted by the Kibana privileges - [lists-all] - statusCode: 403 + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '409': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get an uploaded file + tags: + - Elastic Agents + 
x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/setup: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agents/setup
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the current Fleet setup status, including whether Fleet is ready to enroll agents and which requirements or optional features are missing.

[Required authorization] Route required privileges: fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup. + operationId: get-fleet-agents-setup + parameters: [] + responses: + '200': content: application/json: examples: - alreadyExists: + agentsSetupNotReadyExample: + description: Fleet is not ready — a Fleet Server and API keys are required value: - message: >- - exception list item id: \"simple_list_item\" already - exists - status_code: 409 + is_action_secrets_storage_enabled: false + is_secrets_storage_enabled: false + is_space_awareness_enabled: false + is_ssl_secrets_storage_enabled: false + isReady: false + missing_optional_features: + - encrypted_saved_object_encryption_key_required + missing_requirements: + - fleet_server + - api_keys + agentsSetupReadyExample: + description: Fleet is ready to enroll agents — all requirements are met + value: + is_action_secrets_storage_enabled: true + is_secrets_storage_enabled: true + is_space_awareness_enabled: false + is_ssl_secrets_storage_enabled: false + isReady: true + missing_optional_features: [] + missing_requirements: [] + package_verification_key_id: D88DB4CC schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list item already exists response - '500': + additionalProperties: false + description: A summary of the agent setup status. `isReady` indicates whether the setup is ready. If the setup is not ready, `missing_requirements` lists which requirements are missing. 
+ type: object + properties: + is_action_secrets_storage_enabled: + type: boolean + is_secrets_storage_enabled: + type: boolean + is_space_awareness_enabled: + type: boolean + is_ssl_secrets_storage_enabled: + type: boolean + isReady: + type: boolean + missing_optional_features: + items: + enum: + - encrypted_saved_object_encryption_key_required + type: string + maxItems: 1 + type: array + missing_requirements: + items: + enum: + - security_required + - tls_required + - api_keys + - fleet_admin_user + - fleet_server + type: string + maxItems: 5 + type: array + package_verification_key_id: + type: string + required: + - isReady + - missing_requirements + - missing_optional_features + description: Fleet setup status + '400': content: application/json: examples: - serverError: + genericErrorResponseExample: + description: Example of a generic error response value: - message: Internal Server Error - status_code: 500 + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Create an exception list item + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get agent setup info tags: - - Security Exceptions API - put: - description: Update an exception list item using the `id` or `item_id` field. 
- operationId: UpdateExceptionListItem - requestBody: - content: - application/json: - examples: - updateItem: - value: - description: Updated description - id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 - name: Updated name - namespace_type: single - type: simple - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemGeneric - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemEndpointList - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedAppsWindows - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedAppsMac - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedAppsLinux - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesWindows - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesMac - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesWindowsMac - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemEventFilters - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemHostIsolation - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBlocklistWindows - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBlocklistLinux - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBlocklistMac - description: Exception list item's properties - required: true + - Elastic Agents + x-metaTags: + - content: Kibana + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/agents/setup
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Initialize Fleet. This endpoint is used by Elastic Agents to trigger Fleet setup. Safe to call multiple times; subsequent calls are idempotent.

[Required authorization] Route required privileges: fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup. + operationId: post-fleet-agents-setup + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string responses: '200': content: application/json: examples: - simpleListItem: + agentsSetupSuccessExample: + description: Fleet setup initialized successfully with no non-fatal errors value: - _version: WzEyLDFd - comments: [] - created_at: 2025-01-07T21:12:25.512Z - created_by: elastic - description: Updated description - entries: - - field: host.name - operator: included - type: match - value: rock01 - id: 459c5e7e-f8b2-4f0b-b136-c1fc702f72da - item_id: simple_list_item - list_id: simple_list - name: Updated name - namespace_type: single - os_types: [] - tags: [] - tie_breaker_id: ad0754ff-7b19-49ca-b73e-e6aff6bfa2d0 - type: simple - updated_at: 2025-01-07T21:34:50.233Z - updated_by: elastic + isInitialized: true + nonFatalErrors: [] schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' - description: Successful response + additionalProperties: false + description: A summary of the result of Fleet's `setup` lifecycle. If `isInitialized` is true, Fleet is ready to accept agent enrollment. `nonFatalErrors` may include useful insight into non-blocking issues with Fleet setup. 
+ type: object + properties: + isInitialized: + type: boolean + nonFatalErrors: + items: + additionalProperties: false + type: object + properties: + message: + type: string + name: + type: string + required: + - name + - message + maxItems: 10000 + type: array + required: + - isInitialized + - nonFatalErrors + description: Fleet setup completed '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: '[request body]: item_id: Expected string, received number' + message: An error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Initiate Fleet setup + tags: + - Elastic Agents + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/agents/tags: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/agents/tags
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all tags used across enrolled agents.

[Required authorization] Route required privileges: fleet-agents-read. + operationId: get-fleet-agents-tags + parameters: + - description: A KQL query string to filter results + in: query + name: kuery + required: false + schema: + type: string + - description: When true, include tags from inactive agents + in: query + name: showInactive + required: false + schema: + default: false + type: boolean + responses: + '200': content: application/json: examples: - unauthorized: + getAgentTagsExample: + description: List of tags used across agents value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 + items: + - production + - linux + - datacenter-1 schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': + additionalProperties: false + type: object + properties: + items: + items: + type: string + maxItems: 10000 + type: array + required: + - items + description: Successful response + '400': content: application/json: examples: - forbidden: + genericErrorResponseExample: + description: Example of a generic error response value: - error: Forbidden - message: >- - API [PUT /api/exception_lists/items] is unauthorized for - user, this action is granted by the Kibana privileges - [lists-all] - statusCode: 403 + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '404': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + 
statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get agent tags + tags: + - Elastic Agents + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/check-permissions: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/check-permissions
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Check whether the current user has the required permissions to use Fleet. Optionally verifies Fleet Server setup privileges. + operationId: get-fleet-check-permissions + parameters: + - description: When true, check Fleet Server setup privileges in addition to standard Fleet privileges + in: query + name: fleetServerSetup + required: false + schema: + type: boolean + responses: + '200': content: application/json: examples: - notFound: + checkPermissionsMissingPrivilegesExample: + description: The current user is missing Fleet privileges value: - message: 'exception list item item_id: \"foo\" does not exist' - status_code: 404 + error: MISSING_PRIVILEGES + success: false + checkPermissionsSuccessExample: + description: The current user has all required Fleet permissions + value: + success: true schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list item not found response - '500': + additionalProperties: false + type: object + properties: + error: + enum: + - MISSING_SECURITY + - MISSING_PRIVILEGES + - MISSING_FLEET_SERVER_SETUP_PRIVILEGES + type: string + success: + type: boolean + required: + - success + description: Successful response + '400': content: application/json: examples: - serverError: + genericErrorResponseExample: + description: Example of a generic error response value: - message: Internal Server Error - status_code: 500 + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Update an exception list item + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: 
number + required: + - message + - attributes + description: Bad Request + summary: Check permissions tags: - - Security Exceptions API - /api/exception_lists/items/_find: + - Fleet internals + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/cloud_connectors: get: - description: Get a list of all exception list items in the specified list. - operationId: FindExceptionListItems - parameters: - - description: The `list_id`s of the items to fetch. - in: query - name: list_id - required: true - schema: - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListHumanId - type: array - - description: > - Filters the returned results according to the value of the specified - field, + description: |- + **Spaces method and path for this operation:** - using the `:` syntax. - examples: - singleFilter: - value: - - exception-list.attributes.name:%My%20item - in: query - name: filter - required: false - schema: - default: [] - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_FindExceptionListItemsFilter - type: array - - description: > - Determines whether the returned containers are Kibana associated - with a Kibana space +
get /s/{space_id}/api/fleet/cloud_connectors
- or available in all spaces (`agnostic` or `single`) - examples: - single: - value: - - single - in: query - name: namespace_type - required: false - schema: - default: - - single - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - type: array - - description: > - Free-text search term applied to exception list item fields (for - example a hostname or file path fragment). - in: query - name: search - required: false - schema: - example: host.name - type: string - - description: The page number to return + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all Fleet cloud connectors.

[Required authorization] Route required privileges: fleet-agent-policies-read OR integrations-read. + operationId: get-fleet-cloud-connectors + parameters: + - description: The page number for pagination. in: query name: page required: false schema: - example: 1 - minimum: 0 - type: integer - - description: The number of exception list items to return per page - in: query - name: per_page - required: false - schema: - example: 20 - minimum: 0 - type: integer - - description: Determines which field is used to sort the results. - example: name + type: string + - description: The number of items per page. in: query - name: sort_field + name: perPage required: false schema: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - - description: Determines the sort order, which can be `desc` or `asc`. + type: string + - description: KQL query to filter cloud connectors. in: query - name: sort_order + name: kuery required: false schema: - enum: - - desc - - asc - example: desc type: string responses: '200': content: application/json: examples: - simpleListItems: + getCloudConnectorsExample: + description: List of Fleet cloud connectors value: - data: - - _version: WzgsMV0= - comments: [] - created_at: 2025-01-07T21:12:25.512Z - created_by: elastic - description: This is a sample exception item. 
- entries: - - field: actingProcess.file.signer - operator: excluded - type: exists - - field: host.name - operator: included - type: match_any - value: - - jupiter - - saturn - id: 459c5e7e-f8b2-4f0b-b136-c1fc702f72da - item_id: simple_list_item - list_id: simple_list - name: Sample Exception List Item - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: ad0754ff-7b19-49ca-b73e-e6aff6bfa2d0 - type: simple - updated_at: 2025-01-07T21:12:25.512Z - updated_by: elastic - page: 1 - per_page: 20 - total: 1 + items: + - accountType: single-account + cloudProvider: aws + created_at: '2024-01-15T10:00:00.000Z' + id: cloud-connector-id-1 + name: My AWS connector + packagePolicyCount: 2 + updated_at: '2024-01-15T10:00:00.000Z' + vars: {} schema: + additionalProperties: false type: object properties: - data: + items: items: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItem + additionalProperties: false + type: object + properties: + accountType: + type: string + cloudProvider: + type: string + created_at: + type: string + id: + type: string + name: + type: string + namespace: + type: string + packagePolicyCount: + type: number + updated_at: + type: string + vars: + additionalProperties: + nullable: true + type: object + verification_failed_at: + type: string + verification_started_at: + type: string + verification_status: + type: string + required: + - id + - name + - cloudProvider + - vars + - packagePolicyCount + - created_at + - updated_at + maxItems: 10000 type: array - page: - minimum: 1 - type: integer - per_page: - minimum: 1 - type: integer - pit: - type: string - total: - minimum: 0 - type: integer required: - - data - - page - - per_page - - total + - items description: Successful response '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: >- - [request query]: namespace_type.0: 
Invalid enum value. - Expected 'agnostic' | 'single', received 'blob' + message: An error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [GET - /api/exception_lists/items/_find?list_id=simple_list&namespace_type=single] - is unauthorized for user, this action is granted by the - Kibana privileges [lists-read] - statusCode: 403 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '404': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get cloud connectors + tags: + - Fleet cloud connectors + x-state: Experimental; added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/cloud_connectors
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new Fleet cloud connector.

[Required authorization] Route required privileges: fleet-agent-policies-all OR integrations-all. + operationId: post-fleet-cloud-connectors + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + postCloudConnectorRequestExample: + description: Create a new AWS cloud connector + value: + accountType: single-account + cloudProvider: aws + name: My AWS connector + vars: {} + schema: + additionalProperties: false + type: object + properties: + accountType: + description: 'The account type: single-account (single account/subscription) or organization-account (organization-wide).' + enum: + - single-account + - organization-account + type: string + cloudProvider: + description: 'The cloud provider type: aws, azure, or gcp.' + enum: + - aws + - azure + - gcp + type: string + name: + description: The name of the cloud connector. 
+ maxLength: 255 + minLength: 1 + type: string + vars: + additionalProperties: + anyOf: + - maxLength: 1000 + type: string + - type: number + - type: boolean + - additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + maxLength: 50 + type: string + value: + anyOf: + - maxLength: 1000 + type: string + - additionalProperties: false + type: object + properties: + id: + maxLength: 255 + type: string + isSecretRef: + type: boolean + required: + - isSecretRef + - id + required: + - type + - value + type: object + required: + - name + - cloudProvider + - vars + responses: + '200': content: application/json: examples: - notFound: + postCloudConnectorExample: + description: The created Fleet cloud connector value: - message: 'exception list list_id: "foo" does not exist' - status_code: 404 + item: + accountType: single-account + cloudProvider: aws + created_at: '2024-01-15T10:00:00.000Z' + id: cloud-connector-id-2 + name: My AWS connector + packagePolicyCount: 0 + updated_at: '2024-01-15T10:00:00.000Z' + vars: {} schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list not found response - '500': + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + accountType: + type: string + cloudProvider: + type: string + created_at: + type: string + id: + type: string + name: + type: string + namespace: + type: string + packagePolicyCount: + type: number + updated_at: + type: string + vars: + additionalProperties: + nullable: true + type: object + verification_failed_at: + type: string + verification_started_at: + type: string + verification_status: + type: string + required: + - id + - name + - cloudProvider + - vars + - packagePolicyCount + - created_at + - updated_at + required: + - item + description: Successful response + '400': content: application/json: examples: - serverError: + genericErrorResponseExample: + 
description: Example of a generic error response value: - message: Internal Server Error - status_code: 500 + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Get exception list items + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Create cloud connector tags: - - Security Exceptions API - /api/exception_lists/summary: - get: - description: Get a summary of the specified exception list. - operationId: ReadExceptionListSummary + - Fleet cloud connectors + x-state: Experimental; added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/cloud_connectors/{cloudConnectorId}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/cloud_connectors/{cloudConnectorId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a cloud connector by ID. Use the `force` query parameter to delete even if package policies are still using it.

[Required authorization] Route required privileges: fleet-agent-policies-all OR integrations-all. + operationId: delete-fleet-cloud-connectors-cloudconnectorid parameters: - - description: Exception list's identifier generated upon creation. - in: query - name: id - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' - - description: Exception list's human readable identifier. - in: query - name: list_id - required: false + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - - description: > - `single` returns summary for a list in the current space; `agnostic` - for a space-agnostic list. Must - - line up with `id` / `list_id` used to look up the list. - examples: - agnostic: - value: agnostic - single: - value: single - in: query - name: namespace_type - required: false + example: 'true' + type: string + - description: The unique identifier of the cloud connector to delete. + in: path + name: cloudConnectorId + required: true schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - default: single - - description: Search filter clause + type: string + - description: If true, forces deletion even if the cloud connector is in use. 
in: query - name: filter + name: force required: false schema: - example: >- - exception-list-agnostic.attributes.tags:"policy:policy-1" OR - exception-list-agnostic.attributes.tags:"policy:all" - type: string + type: boolean responses: '200': content: application/json: examples: - summary: + deleteCloudConnectorExample: + description: The cloud connector was successfully deleted value: - linux: 0 - macos: 0 - total: 0 - windows: 0 + id: cloud-connector-id-1 schema: + additionalProperties: false type: object properties: - linux: - minimum: 0 - type: integer - macos: - minimum: 0 - type: integer - total: - minimum: 0 - type: integer - windows: - minimum: 0 - type: integer + id: + type: string + required: + - id description: Successful response '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: >- - [request query]: namespace_type.0: Invalid enum value. - Expected 'agnostic' | 'single', received 'blob' + message: An error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [GET - 
/api/exception_lists/summary?list_id=simple_list&namespace_type=agnostic] - is unauthorized for user, this action is granted by the - Kibana privileges [lists-summary] - statusCode: 403 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '404': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Delete cloud connector (supports force deletion) + tags: + - Fleet cloud connectors + x-state: Experimental; added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/cloud_connectors/{cloudConnectorId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a cloud connector by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read OR integrations-read. + operationId: get-fleet-cloud-connectors-cloudconnectorid + parameters: + - description: The unique identifier of the cloud connector. + in: path + name: cloudConnectorId + required: true + schema: + type: string + responses: + '200': content: application/json: examples: - notFound: + getCloudConnectorExample: + description: A Fleet cloud connector value: - message": 'exception list id: "foo" does not exist' - status_code": 404 + item: + accountType: single-account + cloudProvider: aws + created_at: '2024-01-15T10:00:00.000Z' + id: cloud-connector-id-1 + name: My AWS connector + packagePolicyCount: 2 + updated_at: '2024-01-15T10:00:00.000Z' + vars: {} schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list not found response - '500': + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + accountType: + type: string + cloudProvider: + type: string + created_at: + type: string + id: + type: string + name: + type: string + namespace: + type: string + packagePolicyCount: + type: number + updated_at: + type: string + vars: + additionalProperties: + nullable: true + type: object + verification_failed_at: + type: string + verification_started_at: + type: string + verification_status: + type: string + required: + - id + - name + - cloudProvider + - vars + - packagePolicyCount + - created_at + - updated_at + required: + - item + description: Successful response + '400': content: application/json: examples: - serverError: + genericErrorResponseExample: + description: Example of a generic error response value: - message: Internal Server Error - status_code: 500 + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: 
Internal server error response - summary: Get an exception list summary + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get cloud connector tags: - - Security Exceptions API - /api/exceptions/shared: - post: - description: > - An exception list groups exception items and can be associated with - detection rules. A shared exception list can apply to multiple detection - rules. + - Fleet cloud connectors + x-state: Experimental; added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** - > info +
put /s/{space_id}/api/fleet/cloud_connectors/{cloudConnectorId}
- > All exception items added to the same list are evaluated using `OR` - logic. That is, if any of the items in a list evaluate to `true`, the - exception prevents the rule from generating an alert. Likewise, `OR` - logic is used for evaluating exceptions when more than one exception - list is assigned to a rule. To use the `AND` operator, you can define - multiple clauses (`entries`) in a single exception item. - operationId: CreateSharedExceptionList + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update a cloud connector by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all OR integrations-all. + operationId: put-fleet-cloud-connectors-cloudconnectorid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The unique identifier of the cloud connector to update. + in: path + name: cloudConnectorId + required: true + schema: + type: string requestBody: content: application/json: examples: - createSharedExceptionList: + putCloudConnectorRequestExample: + description: Update a Fleet cloud connector value: - description: This is a sample detection type exception list. - list_id: simple_list - name: Sample Detection Exception List - namespace_type: single - os_types: - - linux - tags: - - malware + name: Updated AWS connector + vars: {} schema: + additionalProperties: false type: object properties: - description: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListDescription + accountType: + description: 'The account type: single-account (single account/subscription) or organization-account (organization-wide).' + enum: + - single-account + - organization-account + type: string name: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListName - required: - - name - - description - required: true + description: The name of the cloud connector. 
+ maxLength: 255 + minLength: 1 + type: string + vars: + additionalProperties: + anyOf: + - maxLength: 1000 + type: string + - type: number + - type: boolean + - additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + maxLength: 50 + type: string + value: + anyOf: + - maxLength: 1000 + type: string + - additionalProperties: false + type: object + properties: + id: + maxLength: 255 + type: string + isSecretRef: + type: boolean + required: + - isSecretRef + - id + required: + - type + - value + type: object responses: '200': content: application/json: examples: - sharedList: + putCloudConnectorExample: + description: The updated Fleet cloud connector value: - _version: WzIsMV0= - created_at: 2025-01-07T19:34:27.942Z - created_by: elastic - description: This is a sample detection type exception list. - id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 - immutable: false - list_id: simple_list - name: Sample Detection Exception List - namespace_type: single - os_types: - - linux - tags: - - malware - tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 - type: detection - updated_at: 2025-01-07T19:34:27.942Z - updated_by: elastic - version: 1 + item: + accountType: single-account + cloudProvider: aws + created_at: '2024-01-15T10:00:00.000Z' + id: cloud-connector-id-1 + name: Updated AWS connector + packagePolicyCount: 2 + updated_at: '2024-01-15T11:00:00.000Z' + vars: {} schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + accountType: + type: string + cloudProvider: + type: string + created_at: + type: string + id: + type: string + name: + type: string + namespace: + type: string + packagePolicyCount: + type: number + updated_at: + type: string + vars: + additionalProperties: + nullable: true + type: object + verification_failed_at: + type: string + verification_started_at: + type: string + 
verification_status: + type: string + required: + - id + - name + - cloudProvider + - vars + - packagePolicyCount + - created_at + - updated_at + required: + - item description: Successful response '400': content: application/json: examples: - badRequest: + genericErrorResponseExample: + description: Example of a generic error response value: error: Bad Request - message: '[request body]: list_id: Expected string, received number' + message: An error message describing what went wrong statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - message: Unable to create exception-list - status_code: 403 - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '409': + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Update cloud connector + tags: + - Fleet cloud connectors + x-state: Experimental; added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + 
/api/fleet/cloud_connectors/{cloudConnectorId}/usage: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/cloud_connectors/{cloudConnectorId}/usage
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of package policies that are using a given cloud connector.

[Required authorization] Route required privileges: fleet-agent-policies-read OR integrations-read. + operationId: get-fleet-cloud-connectors-cloudconnectorid-usage + parameters: + - description: The unique identifier of the cloud connector. + in: path + name: cloudConnectorId + required: true + schema: + type: string + - description: The page number for pagination. + in: query + name: page + required: false + schema: + minimum: 1 + type: number + - description: The number of items per page. + in: query + name: perPage + required: false + schema: + minimum: 1 + type: number + responses: + '200': content: application/json: examples: - alreadyExists: + getCloudConnectorUsageResponseExample: + description: Example response showing package policies using the cloud connector value: - message: 'exception list id: "simple_list" already exists' - status_code: 409 + items: + - created_at: '2025-01-16T09:00:00.000Z' + id: package-policy-1 + name: CSPM AWS Policy + package: + name: cloud_security_posture + title: Cloud Security Posture Management + version: 3.1.1 + policy_ids: + - policy-id-123 + - policy-id-456 + updated_at: '2025-01-16T09:00:00.000Z' + page: 1 + perPage: 20 + total: 2 schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list already exists response - '500': + additionalProperties: false + type: object + properties: + items: + items: + additionalProperties: false + type: object + properties: + created_at: + type: string + id: + type: string + name: + type: string + package: + additionalProperties: false + type: object + properties: + name: + type: string + title: + type: string + version: + type: string + required: + - name + - title + - version + policy_ids: + items: + type: string + maxItems: 10000 + type: array + updated_at: + type: string + required: + - id + - name + - policy_ids + - created_at + - updated_at + maxItems: 10000 + type: array + page: + type: number + perPage: + type: number + total: + 
type: number + required: + - items + - total + - page + - perPage + description: 'OK: A successful request.' + '400': content: application/json: examples: - serverError: + genericErrorResponseExample: + description: Example of a generic error response value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Create a shared exception list - tags: - - Security Exceptions API - /api/features: - get: - description: > - Get information about all Kibana features. Features are used by spaces - and security to refine and secure access to Kibana. - operationId: get-features - responses: - '200': - content: - application/json: - examples: - getFeaturesExample: - value: | - { - "features": [ - { - "name": "tasks", - "description": "Manages task results" - }, - { - "name": "security", - "description": "Manages configuration for Security features, such as users and roles" - }, - { - "name": "searchable_snapshots", - "description": "Manages caches and configuration for searchable snapshots" - }, - { - "name": "logstash_management", - "description": "Enables Logstash Central Management pipeline storage" - }, - { - "name": "transform", - "description": "Manages configuration and state for transforms" - }, - { - "name": "kibana", - "description": "Manages Kibana configuration and reports" - }, - { - "name": "synonyms", - "description": "Manages synonyms" - }, - { - "name": "async_search", - "description": "Manages results of async searches" - }, - { - "name": "ent_search", - "description": "Manages configuration for Enterprise Search features" - }, - { - "name": "machine_learning", - "description": "Provides anomaly detection and forecasting functionality" - }, - { - "name": "geoip", - "description": "Manages data related to GeoIP database downloader" - }, - { - "name": "watcher", - "description": "Manages Watch definitions and state" - }, - 
{ - "name": "fleet", - "description": "Manages configuration for Fleet" - }, - { - "name": "enrich", - "description": "Manages data related to Enrich policies" - }, - { - "name": "inference_plugin", - "description": "Inference plugin for managing inference services and inference" - } - ] - } + error: Bad Request + message: Cloud connector not found + statusCode: 400 schema: + additionalProperties: false + description: Generic Error type: object - description: Indicates a successful call - summary: Get features + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: A bad request. + summary: Get cloud connector usage (package policies using the connector) tags: - - system - x-state: Technical Preview - /api/fleet/agent_download_sources: + - Fleet cloud connectors + x-state: Experimental; added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/data_streams: get: - description: >- - List all agent binary download sources.

[Required - authorization] Route required privileges: fleet-agent-policies-read OR - fleet-settings-read. - operationId: get-fleet-agent-download-sources + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/data_streams
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all Fleet-managed data streams with metadata including package, namespace, size, and last activity.

[Required authorization] Route required privileges: fleet-agents-all AND fleet-agent-policies-all AND fleet-settings-all. + operationId: get-fleet-data-streams parameters: [] responses: '200': content: application/json: examples: - getDownloadSourcesExample: - description: List of agent binary download sources + getDataStreamsExample: + description: List of Fleet-managed data streams value: - items: - - host: https://artifacts.elastic.co/downloads/ - id: download-source-id-1 - is_default: true - name: Elastic Artifacts - page: 1 - perPage: 20 - total: 1 + data_streams: + - dashboards: + - id: nginx-overview + title: Nginx Overview + dataset: nginx.access + index: logs-nginx.access-default + last_activity_ms: 1700000000000 + namespace: default + package: nginx + package_version: 1.20.0 + serviceDetails: null + size_in_bytes: 1048576 + size_in_bytes_formatted: 1mb + type: logs + - dashboards: [] + dataset: system.cpu + index: metrics-system.cpu-default + last_activity_ms: 1699999000000 + namespace: default + package: system + package_version: 1.38.0 + serviceDetails: null + size_in_bytes: 524288 + size_in_bytes_formatted: 512kb + type: metrics schema: additionalProperties: false type: object properties: - items: + data_streams: items: additionalProperties: false type: object properties: - auth: - additionalProperties: false - nullable: true - type: object - properties: - api_key: - type: string - headers: - items: - additionalProperties: false - type: object - properties: - key: - type: string - value: - type: string - required: - - key - - value - maxItems: 100 - type: array - password: - type: string - username: - type: string - host: - format: uri + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + title: + type: string + required: + - id + - title + maxItems: 10000 + type: array + dataset: type: string - id: + index: type: string - is_default: - default: false - type: boolean - name: + last_activity_ms: + type: 
number + namespace: type: string - proxy_id: - description: >- - The ID of the proxy to use for this download source. - See the proxies API for more information. - nullable: true + package: type: string - secrets: - additionalProperties: false - type: object - properties: - auth: - additionalProperties: false - type: object - properties: - api_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - password: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: + package_version: + type: string + serviceDetails: additionalProperties: false + nullable: true type: object properties: - certificate: + environment: type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - key: + serviceName: type: string + required: + - environment + - serviceName + size_in_bytes: + type: number + size_in_bytes_formatted: + anyOf: + - type: number + - type: string + type: + type: string required: - - id - - name - - host + - index + - dataset + - namespace + - type + - package + - package_version + - last_activity_ms + - size_in_bytes + - size_in_bytes_formatted + - dashboards + - serviceDetails maxItems: 10000 type: array - page: - type: number - perPage: - type: number - total: - type: number required: - - items - - total - - page - - perPage + - data_streams description: Successful response '400': content: @@ -19663,258 +35751,98 @@ paths: - message - attributes description: Bad Request - summary: Get agent binary download sources + summary: Get data streams tags: - - Elastic Agent binary download sources - post: - description: >- - Create a new agent binary download source.

[Required - authorization] Route required privileges: fleet-settings-all. - operationId: post-fleet-agent-download-sources + - Data streams + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/enrollment_api_keys: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/enrollment_api_keys
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all enrollment API keys.

[Required authorization] Route required privileges: fleet-agents-all OR fleet-setup. + operationId: get-fleet-enrollment-api-keys parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true + - description: Page number + in: query + name: page + required: false + schema: + default: 1 + type: number + - description: Number of results per page + in: query + name: perPage + required: false + schema: + default: 20 + type: number + - description: A KQL query string to filter results + in: query + name: kuery + required: false schema: - example: 'true' type: string - requestBody: - content: - application/json: - examples: - postDownloadSourceRequestExample: - description: Create a new agent binary download source - value: - host: https://my-custom-host.example.com/downloads/ - is_default: false - name: My custom download source - schema: - additionalProperties: false - type: object - properties: - auth: - additionalProperties: false - nullable: true - type: object - properties: - api_key: - type: string - headers: - items: - additionalProperties: false - type: object - properties: - key: - type: string - value: - type: string - required: - - key - - value - maxItems: 100 - type: array - password: - type: string - username: - type: string - host: - format: uri - type: string - id: - type: string - is_default: - default: false - type: boolean - name: - type: string - proxy_id: - description: >- - The ID of the proxy to use for this download source. See the - proxies API for more information. 
- nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - auth: - additionalProperties: false - type: object - properties: - api_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - password: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - key: - type: string - required: - - name - - host responses: '200': content: application/json: examples: - postDownloadSourceExample: - description: The created agent binary download source + getEnrollmentApiKeysExample: + description: List of enrollment API keys value: - item: - host: https://my-custom-host.example.com/downloads/ - id: download-source-id-2 - is_default: false - name: My custom download source + items: + - active: true + api_key: api-key-value-1 + api_key_id: api-key-id-1 + created_at: '2024-01-01T00:00:00.000Z' + id: key-id-1 + name: Default policy enrollment key + policy_id: policy-id-1 + list: + - active: true + api_key: api-key-value-1 + api_key_id: api-key-id-1 + created_at: '2024-01-01T00:00:00.000Z' + id: key-id-1 + name: Default policy enrollment key + policy_id: policy-id-1 + page: 1 + perPage: 20 + total: 1 schema: additionalProperties: false type: object properties: - item: - additionalProperties: false - type: object - properties: - auth: - additionalProperties: false - nullable: true - type: object - properties: - api_key: - type: string - headers: - items: - additionalProperties: false - type: object - properties: - key: - 
type: string - value: - type: string - required: - - key - - value - maxItems: 100 - type: array - password: - type: string - username: - type: string - host: - format: uri - type: string - id: - type: string - is_default: - default: false - type: boolean - name: - type: string - proxy_id: - description: >- - The ID of the proxy to use for this download source. - See the proxies API for more information. - nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - auth: - additionalProperties: false - type: object - properties: - api_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - password: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - key: - type: string - required: - - id - - name - - host + items: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_enrollment_api_key' + maxItems: 10000 + type: array + list: + deprecated: true + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_enrollment_api_key' + maxItems: 10000 + type: array + page: + type: number + perPage: + type: number + total: + type: number required: - - item + - items + - total + - page + - perPage + - list description: Successful response '400': content: 
@@ -19945,15 +35873,22 @@ paths: - message - attributes description: Bad Request - summary: Create an agent binary download source + summary: Get enrollment API keys tags: - - Elastic Agent binary download sources - /api/fleet/agent_download_sources/{sourceId}: - delete: - description: >- - Delete an agent binary download source by ID.

[Required - authorization] Route required privileges: fleet-settings-all. - operationId: delete-fleet-agent-download-sources-sourceid + - Fleet enrollment API keys + x-metaTags: + - content: Kibana + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/enrollment_api_keys
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create an enrollment API key for a given agent policy.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-enrollment-api-keys parameters: - description: A required header to protect against CSRF attacks in: header @@ -19962,29 +35897,37 @@ paths: schema: example: 'true' type: string - - description: The ID of the download source - in: path - name: sourceId - required: true - schema: - type: string + requestBody: + content: + application/json: + examples: + postEnrollmentApiKeyRequestExample: + description: Create an enrollment API key for an agent policy + value: + expiration: '2025-01-01T00:00:00.000Z' + name: My enrollment key + policy_id: policy-id-1 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_enrollment_api_key' responses: '200': content: application/json: examples: - deleteDownloadSourceExample: - description: The download source was successfully deleted + postEnrollmentApiKeyExample: + description: The created enrollment API key value: - id: download-source-id-1 + action: created + item: + active: true + api_key: api-key-value-1 + api_key_id: api-key-id-1 + created_at: '2024-01-01T00:00:00.000Z' + id: key-id-1 + name: My enrollment key + policy_id: policy-id-1 schema: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id + $ref: '#/components/schemas/Kibana_HTTP_APIs_enrollment_api_key_response' description: Successful response '400': content: @@ -20015,156 +35958,63 @@ paths: - message - attributes description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No download source was found with the given ID - value: - error: Not Found - message: Agent binary source download-source-id-1 not found - statusCode: 404 - description: Not Found - summary: Delete an agent binary download source + summary: Create an enrollment API key tags: - - Elastic Agent binary download sources - get: - description: >- - Get an agent binary download source by ID.

[Required - authorization] Route required privileges: fleet-agent-policies-read OR - fleet-settings-read. - operationId: get-fleet-agent-download-sources-sourceid + - Fleet enrollment API keys + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/enrollment_api_keys/_bulk_delete: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/enrollment_api_keys/_bulk_delete
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Revoke or delete multiple enrollment API keys.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-enrollment-api-keys-bulk-delete parameters: - - description: The ID of the download source - in: path - name: sourceId + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: + example: 'true' type: string + requestBody: + content: + application/json: + examples: + bulkDeleteByIdsExample: + description: Bulk delete enrollment API keys by IDs + value: + forceDelete: true + tokenIds: + - token-id-1 + - token-id-2 + bulkDeleteByKueryExample: + description: Bulk delete enrollment API keys by KQL query + value: + forceDelete: false + kuery: policy_id:"policy-id-1" + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_delete_enrollment_api_keys_request' responses: '200': content: application/json: examples: - getDownloadSourceExample: - description: An agent binary download source + bulkDeleteEnrollmentApiKeysExample: + description: The enrollment API keys were successfully processed value: - item: - host: https://artifacts.elastic.co/downloads/ - id: download-source-id-1 - is_default: true - name: Elastic Artifacts + action: deleted + count: 2 + errorCount: 0 + successCount: 2 schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - auth: - additionalProperties: false - nullable: true - type: object - properties: - api_key: - type: string - headers: - items: - additionalProperties: false - type: object - properties: - key: - type: string - value: - type: string - required: - - key - - value - maxItems: 100 - type: array - password: - type: string - username: - type: string - host: - format: uri - type: string - id: - type: string - is_default: - default: false - type: boolean - name: - type: string - proxy_id: - description: >- - The ID of the proxy to use for this download source. - See the proxies API for more information. 
- nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - auth: - additionalProperties: false - type: object - properties: - api_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - password: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - key: - type: string - required: - - id - - name - - host - required: - - item + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_delete_enrollment_api_keys_response' description: Successful response '400': content: @@ -20174,7 +36024,7 @@ paths: description: Example of a generic error response value: error: Bad Request - message: An error message describing what went wrong + message: Either tokenIds or kuery must be provided statusCode: 400 schema: additionalProperties: false @@ -20195,25 +36045,24 @@ paths: - message - attributes description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No download source was found with the given ID - value: - error: Not Found - message: Agent binary source download-source-id-1 not found - statusCode: 404 - description: Not Found - summary: Get an agent binary download source + summary: Bulk revoke or delete enrollment API keys tags: - - Elastic Agent binary download sources - put: - description: >- - Update an agent binary download source by ID.

[Required - authorization] Route required privileges: fleet-settings-all. - operationId: put-fleet-agent-download-sources-sourceid + - Fleet enrollment API keys + x-state: Generally available; added in 9.5.0 + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/enrollment_api_keys/{keyId}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/enrollment_api_keys/{keyId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Revoke or delete an enrollment API key by ID. Use `forceDelete=true` to remove the document.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: delete-fleet-enrollment-api-keys-keyid parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -20222,248 +36071,119 @@ paths: schema: example: 'true' type: string - - description: The ID of the download source + - description: The ID of the enrollment API key in: path - name: sourceId + name: keyId required: true schema: type: string - requestBody: - content: - application/json: - examples: - putDownloadSourceRequestExample: - description: Update an agent binary download source - value: - host: https://updated-host.example.com/downloads/ - is_default: false - name: Updated download source - schema: - additionalProperties: false - type: object - properties: - auth: - additionalProperties: false - nullable: true - type: object - properties: - api_key: - type: string - headers: - items: - additionalProperties: false - type: object - properties: - key: - type: string - value: - type: string - required: - - key - - value - maxItems: 100 - type: array - password: - type: string - username: - type: string - host: - format: uri - type: string - id: - type: string - is_default: - default: false - type: boolean - name: - type: string - proxy_id: - description: >- - The ID of the proxy to use for this download source. See the - proxies API for more information. 
- nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - auth: - additionalProperties: false - type: object - properties: - api_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - password: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - key: - type: string - required: - - name - - host + - description: When false (default), invalidate the API key and mark the token as inactive. When true, also delete the token document. + in: query + name: forceDelete + required: false + schema: + default: false + type: boolean + - description: When true, allow deletion of hidden enrollment tokens (managed/agentless policies). Defaults to false. 
+ in: query + name: includeHidden + required: false + schema: + default: false + type: boolean responses: '200': content: application/json: examples: - putDownloadSourceExample: - description: The updated agent binary download source + deleteEnrollmentApiKeyExample: + description: The enrollment API key was successfully revoked value: - item: - host: https://updated-host.example.com/downloads/ - id: download-source-id-1 - is_default: false - name: Updated download source + action: deleted + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_delete_enrollment_api_key_response' + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: additionalProperties: false + description: Generic Error type: object properties: - item: - additionalProperties: false - type: object - properties: - auth: - additionalProperties: false - nullable: true - type: object - properties: - api_key: - type: string - headers: - items: - additionalProperties: false - type: object - properties: - key: - type: string - value: - type: string - required: - - key - - value - maxItems: 100 - type: array - password: - type: string - username: - type: string - host: - format: uri - type: string - id: - type: string - is_default: - default: false - type: boolean - name: - type: string - proxy_id: - description: >- - The ID of the proxy to use for this download source. - See the proxies API for more information. 
- nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - auth: - additionalProperties: false - type: object - properties: - api_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - password: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - key: - type: string - required: - - id - - name - - host + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number required: - - item + - message + - attributes + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No enrollment API key was found with the given ID + value: + error: Not Found + message: EnrollmentAPIKey key-id-1 not found + statusCode: 404 + description: Not Found + summary: Revoke or delete an enrollment API key + tags: + - Fleet enrollment API keys + x-metaTags: + - content: Kibana + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/enrollment_api_keys/{keyId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get an enrollment API key by ID.

[Required authorization] Route required privileges: fleet-agents-all OR fleet-setup. + operationId: get-fleet-enrollment-api-keys-keyid + parameters: + - description: The ID of the enrollment API key + in: path + name: keyId + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getEnrollmentApiKeyExample: + description: An enrollment API key + value: + item: + active: true + api_key: api-key-value-1 + api_key_id: api-key-id-1 + created_at: '2024-01-01T00:00:00.000Z' + id: key-id-1 + name: Default policy enrollment key + policy_id: policy-id-1 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_enrollment_api_key_response' description: Successful response '400': content: @@ -20499,133 +36219,144 @@ paths: application/json: examples: notFoundExample: - description: No download source was found with the given ID + description: No enrollment API key was found with the given ID value: error: Not Found - message: Download source download-source-id-1 not found + message: EnrollmentAPIKey key-id-1 not found statusCode: 404 description: Not Found - summary: Update an agent binary download source + summary: Get an enrollment API key tags: - - Elastic Agent binary download sources - /api/fleet/agent_policies: - get: - description: >- - List all agent policies.

[Required authorization] Route - required privileges: fleet-agent-policies-read OR fleet-agents-read OR - fleet-setup. - operationId: get-fleet-agent-policies + - Fleet enrollment API keys + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/bulk_assets: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/bulk_assets
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve multiple Kibana saved object assets by their IDs and types.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: post-fleet-epm-bulk-assets parameters: - - description: Page number - in: query - name: page - required: false - schema: - type: number - - description: Number of results per page - in: query - name: perPage - required: false - schema: - type: number - - description: Field to sort results by - in: query - name: sortField - required: false - schema: - type: string - - description: Sort order, ascending or descending - in: query - name: sortOrder - required: false - schema: - enum: - - desc - - asc - type: string - - description: When true, only show policies with upgradeable agents - in: query - name: showUpgradeable - required: false - schema: - type: boolean - - description: A KQL query string to filter results - in: query - name: kuery - required: false + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: + example: 'true' type: string - - description: use withAgentCount instead - in: query - name: noAgentCount - required: false - schema: - deprecated: true - type: boolean - - description: get policies with agent count + requestBody: + content: + application/json: + examples: + postBulkGetAssetsRequestExample: + description: Retrieve multiple assets by their IDs and types + value: + assetIds: + - id: dashboard-id-1 + type: dashboard + - id: index-pattern-id-1 + type: index_pattern + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_bulk_assets_request' + responses: + '200': + content: + application/json: + examples: + postBulkGetAssetsExample: + description: Requested assets + value: + items: + - appLink: /app/dashboards#/view/dashboard-id-1 + attributes: + title: My Dashboard + id: dashboard-id-1 + type: dashboard + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_bulk_assets_response' + description: Successful response + '400': + content: + application/json: + 
examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Bulk get assets + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/categories: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/categories
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of integration categories.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-categories + parameters: + - description: When true, include prerelease packages in the results in: query - name: withAgentCount + name: prerelease required: false schema: type: boolean - - description: get full policies with package policies populated + - description: When true, include categories that only contain policy templates in: query - name: full + name: include_policy_templates required: false schema: type: boolean - - description: 'Format for the response: simplified or legacy' - in: query - name: format - required: false - schema: - enum: - - simplified - - legacy - type: string responses: '200': content: application/json: examples: - getAgentPoliciesExample: - description: List of agent policies + getCategoriesExample: + description: List of integration categories value: items: - - description: A sample agent policy - id: agent-policy-id-1 - is_managed: false - is_protected: false - name: My agent policy - namespace: default - revision: 1 - status: active - updated_at: '2024-01-15T10:00:00.000Z' - updated_by: user1 - page: 1 - perPage: 20 - total: 1 + - count: 42 + id: security + title: Security + - count: 38 + id: observability + title: Observability schema: - additionalProperties: false - type: object - properties: - items: - items: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_agent_policy_response - maxItems: 10000 - type: array - page: - type: number - perPage: - type: number - total: - type: number - required: - - items - - total - - page - - perPage + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_categories_response' description: Successful response '400': content: 
@@ -20656,14 +36387,23 @@ paths: - message - attributes description: Bad Request - summary: Get agent policies + summary: Get package categories tags: - - Elastic Agent policies + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/custom_integrations: post: - description: >- - Create a new agent policy.

[Required authorization] Route - required privileges: fleet-agent-policies-all. - operationId: post-fleet-agent-policies + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/custom_integrations
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new custom integration package with user-defined data streams.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-custom-integrations parameters: - description: A required header to protect against CSRF attacks in: header @@ -20672,49 +36412,34 @@ paths: schema: example: 'true' type: string - - description: Whether to add the system integration to the new agent policy - in: query - name: sys_monitoring - required: false - schema: - type: boolean requestBody: content: application/json: examples: - postAgentPolicyRequestExample: - description: Create a new agent policy + postCreateCustomIntegrationRequestExample: + description: Create a new custom integration value: - description: A sample agent policy - monitoring_enabled: - - logs - - metrics - name: My agent policy - namespace: default + datasets: + - name: my_custom_logs.access + type: logs + integrationName: my_custom_logs schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_agent_policy' + $ref: '#/components/schemas/Kibana_HTTP_APIs_create_custom_integration_request' responses: '200': content: application/json: examples: - postAgentPolicyExample: - description: The created agent policy + postCreateCustomIntegrationExample: + description: Custom integration successfully created value: - item: - description: A sample agent policy - id: agent-policy-id-2 - is_managed: false - is_protected: false - name: My agent policy - namespace: default - revision: 1 - status: active - updated_at: '2024-01-15T10:00:00.000Z' - updated_by: user1 + _meta: + install_source: custom + items: + - id: my_custom_logs-logs-my_custom_logs.access + type: index_template schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_get_agent_policy_response + $ref: '#/components/schemas/Kibana_HTTP_APIs_install_package_response' description: Successful response '400': content: 
@@ -20745,16 +36470,23 @@ paths: - message - attributes description: Bad Request - summary: Create an agent policy + summary: Create a custom integration tags: - - Elastic Agent policies - /api/fleet/agent_policies/_bulk_get: - post: - description: >- - Get multiple agent policies by ID.

[Required authorization] - Route required privileges: fleet-agent-policies-read OR - fleet-agents-read OR fleet-setup. - operationId: post-fleet-agent-policies-bulk-get + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/custom_integrations/{pkgName}: + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/fleet/epm/custom_integrations/{pkgName}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update the datasets of an existing custom integration package.

[Required authorization] Route required privileges: fleet-settings-all AND integrations-all. + operationId: put-fleet-epm-custom-integrations-pkgname parameters: - description: A required header to protect against CSRF attacks in: header @@ -20763,63 +36495,44 @@ paths: schema: example: 'true' type: string - - description: 'Format for the response: simplified or legacy' - in: query - name: format - required: false + - description: Package name + in: path + name: pkgName + required: true schema: - enum: - - simplified - - legacy type: string requestBody: content: application/json: examples: - postBulkGetAgentPoliciesRequestExample: - description: Retrieve multiple agent policies by ID + putUpdateCustomIntegrationRequestExample: + description: Update a custom integration value: - ids: - - agent-policy-id-1 - - agent-policy-id-2 + datasets: + - name: my_custom_logs.access + type: logs + integrationName: my_custom_logs schema: additionalProperties: false type: object properties: - full: - description: get full policies with package policies populated - type: boolean - ids: - description: list of package policy ids + categories: items: type: string - maxItems: 1000 + maxItems: 10 type: array - ignoreMissing: - type: boolean + readMeData: + type: string required: - - ids + - readMeData responses: '200': content: application/json: examples: - postBulkGetAgentPoliciesExample: - description: The requested agent policies - value: - items: - - id: agent-policy-id-1 - is_managed: false - is_protected: false - name: My agent policy - namespace: default - revision: 1 - status: active - updated_at: '2024-01-15T10:00:00.000Z' - updated_by: user1 - schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_bulk_get_agent_policies_response + putUpdateCustomIntegrationExample: + description: Custom integration successfully updated + value: {} description: Successful response '400': content: 
@@ -20850,65 +36563,169 @@ paths: - message - attributes description: Bad Request - '404': + summary: Update a custom integration + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/data_streams: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/data_streams
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of data streams created by installed integration packages.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-data-streams + parameters: + - description: Filter by data stream type + in: query + name: type + required: false + schema: + enum: + - logs + - metrics + - traces + - synthetics + - profiling + type: string + - description: Filter data streams by dataset name + in: query + name: datasetQuery + required: false + schema: + type: string + - description: Sort order, ascending or descending + in: query + name: sortOrder + required: false + schema: + default: asc + enum: + - asc + - desc + type: string + - description: When true, only return data streams that are not associated with a package + in: query + name: uncategorisedOnly + required: false + schema: + default: false + type: boolean + responses: + '200': content: application/json: examples: - notFoundExample: - description: One or more agent policies were not found + getDataStreamsExample: + description: List of data streams from installed packages value: - error: Not Found + data_streams: + - ilm_policy: logs-default + index_template: logs-system.syslog + name: logs-system.syslog-default + package: system + package_version: 1.55.0 + title: System syslog logs + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_data_streams_response' + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request message: An error message describing what went wrong - statusCode: 404 - description: Not Found - summary: Bulk get agent policies + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + 
summary: Get data streams tags: - - Elastic Agent policies - /api/fleet/agent_policies/{agentPolicyId}: + - Data streams + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/packages: get: - description: >- - Get an agent policy by ID.

[Required authorization] Route - required privileges: fleet-agent-policies-read OR fleet-agents-read OR - fleet-setup. - operationId: get-fleet-agent-policies-agentpolicyid + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/packages
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of integration packages available in the registry.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-packages parameters: - - description: The ID of the agent policy - in: path - name: agentPolicyId - required: true + - description: Filter packages by category + in: query + name: category + required: false schema: type: string - - description: 'Format for the response: simplified or legacy' + - description: When true, include prerelease packages in the results in: query - name: format + name: prerelease required: false schema: - enum: - - simplified - - legacy - type: string + type: boolean + - description: When true, exclude the install status from the response + in: query + name: excludeInstallStatus + required: false + schema: + type: boolean + - description: When true, include the number of package policies per package + in: query + name: withPackagePoliciesCount + required: false + schema: + type: boolean responses: '200': content: application/json: examples: - getAgentPolicyExample: - description: An agent policy + getPackagesExample: + description: List of available integration packages value: - item: - description: A sample agent policy - id: agent-policy-id-1 - is_managed: false - is_protected: false - name: My agent policy - namespace: default - revision: 1 - status: active - updated_at: '2024-01-15T10:00:00.000Z' - updated_by: user1 + items: + - categories: + - cloud + description: Collect logs and metrics from Amazon Web Services + id: aws + name: aws + status: not_installed + title: AWS + version: 2.10.0 + searchExcluded: 0 + total: 1 schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_get_agent_policy_response + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_packages_response' description: Successful response '400': content: 
@@ -20939,25 +36756,22 @@ paths: - message - attributes description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No agent policy was found with the given ID - value: - error: Not Found - message: Agent policy not found - statusCode: 404 - description: Not Found - summary: Get an agent policy + summary: Get packages tags: - - Elastic Agent policies - put: - description: >- - Update an agent policy by ID.

[Required authorization] Route - required privileges: fleet-agent-policies-all. - operationId: put-fleet-agent-policies-agentpolicyid + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/packages
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Install a package by uploading a .zip or .tar.gz archive (max 100MB). Only available to superusers.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -20966,61 +36780,64 @@ paths: schema: example: 'true' type: string - - description: The ID of the agent policy - in: path - name: agentPolicyId - required: true + - description: When true, ignore mapping update errors during installation + in: query + name: ignoreMappingUpdateErrors + required: false schema: - type: string - - description: 'Format for the response: simplified or legacy' + default: false + type: boolean + - description: When true, skip data stream rollover after installation in: query - name: format + name: skipDataStreamRollover required: false schema: - enum: - - simplified - - legacy - type: string + default: false + type: boolean requestBody: content: - application/json: + application/gzip: examples: - putAgentPolicyRequestExample: - description: Update an agent policy - value: - description: An updated agent policy description - monitoring_enabled: - - logs - name: Updated agent policy - namespace: default + postInstallByUploadRequestExample: + description: Upload a .zip or .tar.gz package archive (max 100MB) + value: + application/gzip; application/zip: + examples: + postInstallByUploadRequestExample: + description: Upload a .zip or .tar.gz package archive (max 100MB) + value: schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_agent_policy' + format: binary + type: string responses: '200': content: - application/json: + application/gzip; application/zip: examples: - putAgentPolicyExample: - description: The updated agent policy + postInstallByUploadExample: + description: Package successfully installed from upload value: - item: - description: An updated agent policy description - id: agent-policy-id-1 - is_managed: false - is_protected: false - name: Updated agent policy - namespace: default - revision: 2 - status: active - updated_at: '2024-01-15T11:00:00.000Z' - updated_by: user1 + _meta: + install_source: upload + items: + - id: my-custom-package-logs-default + type: index_template schema: - $ref: >- - 
#/components/schemas/Kibana_HTTP_APIs_get_agent_policy_response + $ref: '#/components/schemas/Kibana_HTTP_APIs_install_package_response' + application/json: + examples: + postInstallByUploadExample: + description: Package successfully installed from upload + value: + _meta: + install_source: upload + items: + - id: my-custom-package-logs-default + type: index_template description: Successful response '400': content: - application/json: + application/gzip; application/zip: examples: genericErrorResponseExample: description: Example of a generic error response @@ -21046,84 +36863,77 @@ paths: required: - message - attributes + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 description: Bad Request - summary: Update an agent policy + summary: Install a package by upload tags: - - Elastic Agent policies - /api/fleet/agent_policies/{agentPolicyId}/auto_upgrade_agents_status: - get: - description: >- - Get the auto-upgrade status for agents assigned to an agent - policy.

[Required authorization] Route required privileges: - fleet-agents-read. - operationId: get-fleet-agent-policies-agentpolicyid-auto-upgrade-agents-status + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/packages/_bulk: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/packages/_bulk
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Install multiple packages from the Elastic Package Registry in a single request.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-bulk parameters: - - description: The ID of the agent policy - in: path - name: agentPolicyId + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: + example: 'true' type: string + - description: When true, allow installing prerelease versions + in: query + name: prerelease + required: false + schema: + type: boolean + requestBody: + content: + application/json: + examples: + postBulkInstallPackagesRequestExample: + description: Install multiple packages from the registry + value: + packages: + - system + - aws + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_install_packages_from_registry_request' responses: '200': content: application/json: examples: - getAutoUpgradeAgentsStatusExample: - description: Auto-upgrade status for agents in the policy + postBulkInstallPackagesExample: + description: Bulk install results value: - agentsCount: 5 - currentVersion: 8.16.0 - failedAgentsCount: 0 - upgradedAgentsCount: 3 - upgradingAgentsCount: 1 - schema: - additionalProperties: false - type: object - properties: - currentVersions: items: - additionalProperties: false - type: object - properties: - agents: - description: Number of agents that upgraded to this version - type: number - failedUpgradeActionIds: - description: List of action IDs related to failed upgrades - items: - type: string - maxItems: 1000 - type: array - failedUpgradeAgents: - description: >- - Number of agents that failed to upgrade to this - version - type: number - inProgressUpgradeActionIds: - description: List of action IDs related to in-progress upgrades - items: - type: string - maxItems: 1000 - type: array - inProgressUpgradeAgents: - description: Number of agents that are upgrading to this version - type: number - version: - description: Agent version - type: string - required: - - 
version - - agents - - failedUpgradeAgents - - inProgressUpgradeAgents - maxItems: 10000 - type: array - totalAgents: - type: number - required: - - currentVersions - - totalAgents + - name: system + result: + assets: [] + status: installed + - name: aws + result: + assets: [] + status: installed + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_install_packages_from_registry_response' description: Successful response '400': content: @@ -21154,15 +36964,23 @@ paths: - message - attributes description: Bad Request - summary: Get auto upgrade agent status + summary: Bulk install packages tags: - - Elastic Agent policies - /api/fleet/agent_policies/{agentPolicyId}/copy: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/packages/_bulk_namespace_customization: post: - description: >- - Copy an agent policy by ID.

[Required authorization] Route - required privileges: fleet-agent-policies-all. - operationId: post-fleet-agent-policies-agentpolicyid-copy + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/packages/_bulk_namespace_customization
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Enable or disable namespace-level index template customization for a list of packages in one call. Use this for IaC-style declarative flows.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-bulk-namespace-customization parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -21171,64 +36989,49 @@ paths: schema: example: 'true' type: string - - description: The ID of the agent policy - in: path - name: agentPolicyId - required: true - schema: - type: string - - description: 'Format for the response: simplified or legacy' - in: query - name: format - required: false - schema: - enum: - - simplified - - legacy - type: string requestBody: content: application/json: examples: - postCopyAgentPolicyRequestExample: - description: Copy an agent policy with a new name + bulkNamespaceCustomizationRequest: value: - description: A copy of the original agent policy - name: Copy of my agent policy + disable: + - dev + enable: + - production + - staging + packages: + - system + - nginx schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_copy_agent_policy_request' + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_namespace_customization_request' responses: '200': content: application/json: examples: - postCopyAgentPolicyExample: - description: The copied agent policy + successResponse: value: - item: - description: A copy of the original agent policy - id: agent-policy-id-copy-1 - is_managed: false - is_protected: false - name: Copy of my agent policy - namespace: default - revision: 1 - status: active - updated_at: '2024-01-15T11:00:00.000Z' - updated_by: user1 + items: + - name: system + namespace_customization_enabled_for: + - production + - staging + success: true + - error: Package nginx is not installed + name: nginx + success: false schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_get_agent_policy_response - description: Successful response + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_namespace_customization_response' + description: 'OK: A successful request.' 
'400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequestResponse: value: error: Bad Request - message: An error message describing what went wrong + message: 'Namespaces must not appear in both enable and disable: production' statusCode: 400 schema: additionalProperties: false @@ -21248,105 +37051,60 @@ paths: required: - message - attributes - description: Bad Request - summary: Copy an agent policy + description: A bad request. + summary: Bulk enable/disable namespace-level customization for packages tags: - - Elastic Agent policies - /api/fleet/agent_policies/{agentPolicyId}/download: - get: - description: >- - Download an agent policy by ID.

[Required authorization] Route - required privileges: fleet-agent-policies-read OR fleet-setup. - operationId: get-fleet-agent-policies-agentpolicyid-download + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/packages/_bulk_rollback: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/packages/_bulk_rollback
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Rollback multiple packages to their previous versions.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-bulk-rollback parameters: - - description: The ID of the agent policy - in: path - name: agentPolicyId + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: + example: 'true' type: string - - description: If true, returns the policy as a downloadable file - in: query - name: download - required: false - schema: - type: boolean - - description: If true, returns the policy formatted for standalone agents - in: query - name: standalone - required: false - schema: - type: boolean - - description: If true, returns the policy formatted for Kubernetes deployment - in: query - name: kubernetes - required: false - schema: - type: boolean - - description: >- - If provided, returns the policy at the specified revision. Cannot be - used with standalone or kubernetes flags. - in: query - name: revision - required: false - schema: - type: number + requestBody: + content: + application/json: + examples: + bulkRollbackRequest: + value: + packages: + - name: system + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_rollback_packages_request' responses: '200': content: application/json: examples: - getDownloadAgentPolicyExample: - description: The agent policy download response + successResponse: value: - item: >- - id: agent-policy-id-1\nrevision: 1\noutputs:\n - default:\n type: elasticsearch\n hosts:\n - - https://elasticsearch.example.com:9200\n + taskId: taskId schema: - type: string - description: >- - Successful response — returns the agent policy as a YAML file - download + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_rollback_packages_response' + description: 'OK: A successful request.' 
'400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No agent policy was found with the given ID + badRequestResponse: value: - error: Not Found - message: Agent policy not found - statusCode: 404 + message: Bad Request schema: additionalProperties: false description: Generic Error @@ -21365,84 +37123,49 @@ paths: required: - message - attributes - description: Not Found - summary: Download an agent policy + description: A bad request. + summary: Bulk rollback packages tags: - - Elastic Agent policies - /api/fleet/agent_policies/{agentPolicyId}/full: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/packages/_bulk_rollback/{taskId}: get: - description: >- - Get a full agent policy by ID.

[Required authorization] Route - required privileges: fleet-agent-policies-read. - operationId: get-fleet-agent-policies-agentpolicyid-full + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/packages/_bulk_rollback/{taskId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the status and results of a bulk package rollback operation.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: get-fleet-epm-packages-bulk-rollback-taskid parameters: - - description: The ID of the agent policy + - description: Task ID of the bulk operation in: path - name: agentPolicyId + name: taskId required: true schema: type: string - - description: If true, returns the policy as a downloadable file - in: query - name: download - required: false - schema: - type: boolean - - description: If true, returns the policy formatted for standalone agents - in: query - name: standalone - required: false - schema: - type: boolean - - description: If true, returns the policy formatted for Kubernetes deployment - in: query - name: kubernetes - required: false - schema: - type: boolean - - description: >- - If provided, returns the policy at the specified revision. Cannot be - used with standalone or kubernetes flags. - in: query - name: revision - required: false - schema: - type: number responses: '200': content: application/json: examples: - getFullAgentPolicyExample: - description: The full agent policy configuration + successResponse: value: - item: - agent: - monitoring: - logs: true - metrics: true - id: agent-policy-id-1 - inputs: [] - outputs: - default: - hosts: - - https://elasticsearch.example.com:9200 - type: elasticsearch - revision: 1 + status: success schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_get_full_agent_policy_response - description: Successful response + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_one_bulk_operation_packages_response' + description: 'OK: A successful request.' '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequestResponse: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + message: Bad Request schema: additionalProperties: false description: Generic Error 
@@ -21461,55 +37184,55 @@ paths: required: - message - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No agent policy was found with the given ID - value: - error: Not Found - message: Agent policy not found - statusCode: 404 - description: Not Found - summary: Get a full agent policy + description: A bad request. + summary: Get Bulk rollback packages details tags: - - Elastic Agent policies - /api/fleet/agent_policies/{agentPolicyId}/outputs: - get: - description: >- - Get a list of outputs associated with agent policy by policy - id.

[Required authorization] Route required privileges: - fleet-agent-policies-read AND fleet-settings-read. - operationId: get-fleet-agent-policies-agentpolicyid-outputs + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/packages/_bulk_uninstall: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/packages/_bulk_uninstall
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Uninstall multiple packages in a single operation.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-bulk-uninstall parameters: - - description: The ID of the agent policy - in: path - name: agentPolicyId + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: + example: 'true' type: string + requestBody: + content: + application/json: + examples: + postBulkUninstallPackagesRequestExample: + description: Uninstall multiple packages + value: + packages: + - name: aws + - name: gcp + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_uninstall_packages_request' responses: '200': content: application/json: examples: - getAgentPolicyOutputsExample: - description: Outputs associated with the agent policy + postBulkUninstallPackagesExample: + description: Bulk uninstall task initiated value: - item: - data_output: - id: output-id-1 - name: Default output - type: elasticsearch - monitoring_output: - id: output-id-1 - name: Default output - type: elasticsearch + taskId: task-id-1 schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_get_agent_policy_outputs_response + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_upgrade_packages_response' description: Successful response '400': content: @@ -21540,58 +37263,46 @@ paths: - message - attributes description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No agent policy was found with the given ID - value: - error: Not Found - message: Agent policy not found - statusCode: 404 - description: Not Found - summary: Get outputs for an agent policy + summary: Bulk uninstall packages tags: - - Elastic Agent policies - /api/fleet/agent_policies/delete: - post: - description: >- - Delete an agent policy by ID.

[Required authorization] Route - required privileges: fleet-agent-policies-all. - operationId: post-fleet-agent-policies-delete + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/packages/_bulk_uninstall/{taskId}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/packages/_bulk_uninstall/{taskId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the status and results of a bulk package uninstall operation.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: get-fleet-epm-packages-bulk-uninstall-taskid parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf + - description: Task ID of the bulk operation + in: path + name: taskId required: true schema: - example: 'true' type: string - requestBody: - content: - application/json: - examples: - postDeleteAgentPolicyRequestExample: - description: Delete an agent policy by ID - value: - agentPolicyId: agent-policy-id-1 - schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_delete_agent_policy_request responses: '200': content: application/json: examples: - postDeleteAgentPolicyExample: - description: The agent policy was successfully deleted + getBulkOperationDetailsExample: + description: Details of the bulk operation task value: - id: agent-policy-id-1 - name: My agent policy + packages: + - name: system + result: installed + - name: elastic_agent + result: installed + status: success schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_delete_agent_policy_response + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_one_bulk_operation_packages_response' description: Successful response '400': content: @@ -21622,16 +37333,23 @@ paths: - message - attributes description: Bad Request - summary: Delete an agent policy + summary: Get Bulk uninstall packages details tags: - - Elastic Agent policies - /api/fleet/agent_policies/outputs: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/packages/_bulk_upgrade: post: - description: >- - Get a list of outputs associated with agent policies.

[Required - authorization] Route required privileges: fleet-agent-policies-read AND - fleet-settings-read. - operationId: post-fleet-agent-policies-outputs + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/packages/_bulk_upgrade
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Upgrade multiple packages to their latest versions.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-bulk-upgrade parameters: - description: A required header to protect against CSRF attacks in: header @@ -21644,36 +37362,25 @@ paths: content: application/json: examples: - postListAgentPolicyOutputsRequestExample: - description: Get outputs for multiple agent policies + postBulkUpgradePackagesRequestExample: + description: Upgrade multiple packages to their latest versions value: - ids: - - agent-policy-id-1 - - agent-policy-id-2 + packages: + - name: system + - name: elastic_agent schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_get_list_agent_policy_outputs_request + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_upgrade_packages_request' responses: '200': content: application/json: examples: - postListAgentPolicyOutputsExample: - description: Outputs associated with the requested agent policies + postBulkUpgradePackagesExample: + description: Bulk upgrade task initiated value: - items: - - agent_policy_id: agent-policy-id-1 - data_output: - id: output-id-1 - name: Default output - type: elasticsearch - monitoring_output: - id: output-id-1 - name: Default output - type: elasticsearch + taskId: task-id-1 schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_get_list_agent_policy_outputs_response + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_upgrade_packages_response' description: Successful response '400': content: 
@@ -21704,33 +37411,28 @@ paths: - message - attributes description: Bad Request - summary: Get outputs for agent policies + summary: Bulk upgrade packages tags: - - Elastic Agent policies - /api/fleet/agent_status: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/packages/_bulk_upgrade/{taskId}: get: - description: Get a summary of agent statuses for a given agent policy. - operationId: get-fleet-agent-status + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/packages/_bulk_upgrade/{taskId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the status and results of a bulk package upgrade operation.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: get-fleet-epm-packages-bulk-upgrade-taskid parameters: - - description: Filter by agent policy ID - in: query - name: policyId - required: false - schema: - type: string - - description: Filter by one or more agent policy IDs - in: query - name: policyIds - required: false - schema: - items: - type: string - maxItems: 1000 - type: array - - description: A KQL query string to filter results - in: query - name: kuery - required: false + - description: Task ID of the bulk operation + in: path + name: taskId + required: true schema: type: string responses: @@ -21738,61 +37440,17 @@ paths: content: application/json: examples: - getAgentStatusExample: - description: Agent status summary for an agent policy + getBulkOperationDetailsExample: + description: Details of the bulk operation task value: - results: - error: 1 - offline: 2 - online: 5 - other: 0 - updating: 0 - totalInactive: 0 + packages: + - name: system + result: installed + - name: elastic_agent + result: installed + status: success schema: - additionalProperties: false - type: object - properties: - results: - additionalProperties: false - type: object - properties: - active: - type: number - all: - type: number - error: - type: number - events: - type: number - inactive: - type: number - offline: - type: number - online: - type: number - orphaned: - type: number - other: - type: number - unenrolled: - type: number - uninstalled: - type: number - updating: - type: number - required: - - events - - online - - error - - offline - - other - - updating - - inactive - - unenrolled - - all - - active - required: - - results + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_one_bulk_operation_packages_response' description: Successful response '400': content: 
@@ -21823,85 +37481,56 @@ paths: - message - attributes description: Bad Request - summary: Get an agent status summary + summary: Get Bulk upgrade packages details tags: - - Elastic Agent status - /api/fleet/agent_status/data: - get: - description: >- - Get the data streams that an agent is actively sending data - to.

[Required authorization] Route required privileges: - fleet-agents-read. - operationId: get-fleet-agent-status-data + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/packages/{pkgName}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/epm/packages/{pkgName}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Uninstall a package and remove all its assets.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: delete-fleet-epm-packages-pkgname parameters: - - description: Agent IDs to check data for, as an array or comma-separated string - in: query - name: agentsIds + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: - items: - type: string - maxItems: 10000 - type: array - - description: Filter by integration package name - in: query - name: pkgName - required: false - schema: + example: 'true' type: string - - description: Filter by integration package version - in: query - name: pkgVersion - required: false + - description: Package name + in: path + name: pkgName + required: true schema: type: string - - description: When true, return a preview of the ingested data + - description: When true, delete the package even if it has active package policies in: query - name: previewData + name: force required: false schema: - default: false type: boolean responses: '200': content: application/json: examples: - getAgentDataExample: - description: Data streams the agent is actively sending data to + deletePackageExample: + description: Package successfully deleted value: items: - - data: - logs-nginx.access-default: - - id: agent-id-1 - name: my-host - total: 1 - totalMonitoring: 0 + - id: aws-logs-aws.cloudwatch_logs-default + type: index_template schema: - additionalProperties: false - type: object - properties: - dataPreview: - items: - nullable: true - maxItems: 10000 - type: array - items: - items: - additionalProperties: - additionalProperties: false - type: object - properties: - data: - type: boolean - required: - - data - type: object - maxItems: 10000 - type: array - required: - - items - - dataPreview + $ref: '#/components/schemas/Kibana_HTTP_APIs_delete_package_response' description: Successful response '400': content: 
@@ -21932,869 +37561,191 @@ paths: - message - attributes description: Bad Request - summary: Get incoming agent data + summary: Delete a package tags: - - Elastic Agents - /api/fleet/agentless_policies: - post: - description: Create an agentless policy - operationId: post-fleet-agentless-policies + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/packages/{pkgName}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get information about a package by name, returning the latest installed or available version. + operationId: get-fleet-epm-packages-pkgname parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf + - description: Package name + in: path + name: pkgName required: true schema: - example: 'true' type: string - - description: The format of the response package policy. + - description: When true, returns the package even if the signature cannot be verified in: query - name: format + name: ignoreUnverified required: false schema: - default: simplified - enum: - - legacy - - simplified - type: string - requestBody: - content: - application/json: - examples: - createAgentlessPoliciesRequestExample: - description: Example request to create agentless policies - value: - description: test - inputs: - ESS Billing-cel: - enabled: true - streams: - ess_billing.billing: - enabled: true - vars: - hide_sensitive: true - http_client_timeout: 30s - lookbehind: 365 - tags: - - forwarded - - billing - ess_billing.credits: - enabled: false - vars: - api_key: - organization_id: '1234' - name: ess_billing-1 - namespace: default - package: - name: ess_billing - version: 1.6.0 - createAgentlessPoliciesReuseAWSCloudConnectorExample: - description: >- - Example request to create agentless policy reusing an existing - AWS cloud connector - value: - cloud_connector: - cloud_connector_id: existing-aws-connector-id - target_csp: aws - description: CSPM integration for AWS reusing existing cloud connector - inputs: - cspm-cloudbeat/cis_aws: - enabled: true - streams: - cloud_security_posture.findings: - enabled: true - vars: - aws.account_type: organization-account - aws.credentials.type: cloud_connector - aws.supports_cloud_connectors: true - external_id: - id: ABCDEFGHIJKLMNOPQRST - isSecretRef: true - role_arn: 
arn:aws:iam::123456789012:role/TestRole - vars: - cloud_formation_template: >- - https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https://elastic-cspm-cft.s3.eu-central-1.amazonaws.com/cloudformation-cspm-ACCOUNT_TYPE-9.2.0.yml - cspm-cloudbeat/cis_azure: - enabled: false - cspm-cloudbeat/cis_gcp: - enabled: false - name: cspm-aws-reuse-policy - namespace: default - package: - name: cloud_security_posture - version: 3.1.1 - vars: - deployment: aws - posture: cspm - createAgentlessPoliciesWithAWSCloudConnectorExample: - description: >- - Example request to create agentless policy with AWS cloud - connector - value: - cloud_connector: - target_csp: aws - description: CSPM integration for AWS with cloud connector - inputs: - cspm-cloudbeat/cis_aws: - enabled: true - streams: - cloud_security_posture.findings: - enabled: true - vars: - aws.account_type: organization-account - aws.credentials.type: cloud_connector - aws.supports_cloud_connectors: true - external_id: - id: ABCDEFGHIJKLMNOPQRST - isSecretRef: true - role_arn: arn:aws:iam::123456789012:role/TestRole - vars: - cloud_formation_template: >- - https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https://elastic-cspm-cft.s3.eu-central-1.amazonaws.com/cloudformation-cspm-ACCOUNT_TYPE-9.2.0.yml - cspm-cloudbeat/cis_azure: - enabled: false - cspm-cloudbeat/cis_gcp: - enabled: false - name: cspm-aws-policy - namespace: default - package: - name: cloud_security_posture - version: 3.1.1 - vars: - deployment: aws - posture: cspm - createAgentlessPoliciesWithAzureCloudConnectorExample: - description: >- - Example request to create agentless policy with Azure cloud - connector - value: - cloud_connector: - target_csp: azure - description: CSPM integration for Azure with cloud connector - inputs: - cspm-cloudbeat/cis_aws: - enabled: false - cspm-cloudbeat/cis_azure: - enabled: true - streams: - cloud_security_posture.findings: - enabled: true - vars: - 
azure_credentials_cloud_connector_id: - type: text - value: existing-azure-credentials-connector-id - azure.account_type: organization-account - client_id: - id: client-secret-id - isSecretRef: true - tenant_id: - id: tenant-secret-id - isSecretRef: true - cspm-cloudbeat/cis_gcp: - enabled: false - name: cspm-azure-policy - namespace: default - package: - name: cloud_security_posture - version: 3.1.1 - vars: - deployment: azure - posture: cspm - schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_simplified_create_package_policy_request - responses: - '200': - content: - application/json: - examples: - createAgentlessPoliciesResponseExample: - description: >- - Example response showing the successful result of - communication initialisation over MCP protocol - value: - item: - created_at: '2025-11-06T18:27:43.541Z' - created_by: test_user - description: test - enabled: true - id: d52a7812-5736-4fdc-aed8-72152afa1ffa - inputs: - ESS Billing-cel: - enabled: true - streams: - ess_billing.billing: - enabled: true - vars: - hide_sensitive: true - http_client_timeout: 30s - lookbehind: 365 - tags: - - forwarded - - billing - ess_billing.credits: - enabled: false - vars: - api_key: - id: QY1sWpoBbWcMW-edr0Ee - isSecretRef: true - organization_id: '1234' - url: https://billing.elastic-cloud.com - name: ess_billing-1 - namespace: default - package: - name: ess_billing - title: Elasticsearch Service Billing - version: 1.6.0 - revision: 1 - secret_references: - - id: QY1sWpoBbWcMW-edr0Ee - supports_agentless: true - updated_at: '2025-11-06T18:27:43.541Z' - updated_by: test_user - version: WzE0OTgsMV0= - createAgentlessPoliciesWithAWSCloudConnectorResponseExample: - description: Example response for AWS cloud connector integration - value: - item: - cloud_connector_id: aws-connector-67890 - created_at: '2025-11-06T18:27:43.541Z' - created_by: test_user - description: CSPM integration for AWS with cloud connector - enabled: true - id: aws-policy-12345 - inputs: - 
cspm-cloudbeat/cis_aws: - enabled: true - streams: - cloud_security_posture.findings: - enabled: true - vars: - aws.account_type: organization-account - aws.credentials.type: cloud_connector - external_id: - id: secret-external-id-123 - isSecretRef: true - role_arn: arn:aws:iam::123456789012:role/TestRole - vars: - cloud_formation_template: >- - https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https://elastic-cspm-cft.s3.eu-central-1.amazonaws.com/cloudformation-cspm-ACCOUNT_TYPE-9.2.0.yml - cspm-cloudbeat/cis_azure: - enabled: false - cspm-cloudbeat/cis_gcp: - enabled: false - name: cspm-aws-policy - namespace: default - package: - name: cloud_security_posture - title: Cloud Security Posture Management - version: 3.1.1 - revision: 1 - secret_references: - - id: secret-external-id-123 - supports_agentless: true - supports_cloud_connector: true - updated_at: '2025-11-06T18:27:43.541Z' - updated_by: test_user - vars: - deployment: aws - posture: cspm - version: WzE0OTgsMV0= - createAgentlessPoliciesWithAzureCloudConnectorResponseExample: - description: Example response for Azure cloud connector integration + type: boolean + - description: When true, include prerelease versions + in: query + name: prerelease + required: false + schema: + type: boolean + - description: When true, return the full package info including assets + in: query + name: full + required: false + schema: + type: boolean + - description: When true, include package metadata such as whether it has package policies + in: query + name: withMetadata + required: false + schema: + default: false + type: boolean + responses: + '200': + content: + application/json: + examples: + getPackageInfoExample: + description: Package details and installation status value: item: - cloud_connector_id: azure-connector-67890 - created_at: '2025-11-06T18:27:43.541Z' - created_by: test_user - description: CSPM integration for Azure with cloud connector - enabled: true - id: 
azure-policy-12345 - inputs: - cspm-cloudbeat/cis_aws: - enabled: false - cspm-cloudbeat/cis_azure: - enabled: true - streams: - cloud_security_posture.findings: - enabled: true - vars: - azure_credentials_cloud_connector_id: - type: text - value: existing-azure-credentials-connector-id - azure.account_type: organization-account - client_id: - id: client-secret-id-456 - isSecretRef: true - tenant_id: - id: tenant-secret-id-123 - isSecretRef: true - cspm-cloudbeat/cis_gcp: - enabled: false - name: cspm-azure-policy - namespace: default - package: - name: cloud_security_posture - title: Cloud Security Posture Management - version: 3.1.1 - revision: 1 - secret_references: - - id: tenant-secret-id-123 - - id: client-secret-id-456 - supports_agentless: true - supports_cloud_connector: true - updated_at: '2025-11-06T18:27:43.541Z' - updated_by: test_user - vars: - deployment: azure - posture: cspm - version: WzE0OTgsMV0= + assets: + kibana: + dashboard: [] + index_pattern: [] + categories: + - cloud + description: Collect logs and metrics from Amazon Web Services + name: aws + status: installed + title: AWS + version: 2.10.0 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_info_response' + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: additionalProperties: false + description: Generic Error type: object properties: - item: - additionalProperties: false - description: The created agentless package policy. - type: object - properties: - additional_datastreams_permissions: - description: >- - Additional datastream permissions, that will be added - to the agent policy. 
- items: - type: string - maxItems: 1000 - nullable: true - type: array - agents: - type: number - cloud_connector_id: - description: >- - ID of the cloud connector associated with this package - policy. - nullable: true - type: string - cloud_connector_name: - description: >- - Transient field for cloud connector name during - creation. - maxLength: 255 - minLength: 1 - nullable: true - type: string - condition: - description: >- - **Experimental.** Agent condition expression to - evaluate whether to apply this integration to its - inputs. - type: string - created_at: - type: string - created_by: - type: string - description: - description: Package policy description - type: string - elasticsearch: - additionalProperties: true - type: object - properties: - privileges: - additionalProperties: true - type: object - properties: - cluster: - items: - type: string - maxItems: 100 - type: array - enabled: - type: boolean - global_data_tags: - items: - additionalProperties: false - type: object - properties: - name: - description: >- - The name of the custom field. Cannot contain - spaces. - type: string - value: - anyOf: - - type: string - - type: number - description: The value of the custom field. - required: - - name - - value - maxItems: 100 - nullable: true - type: array - id: - description: Package policy unique identifier. - type: string - inputs: - anyOf: - - items: - additionalProperties: false - type: object - properties: - compiled_input: - nullable: true - condition: - description: >- - **Experimental.** Agent condition expression - to evaluate whether to apply this input. 
- type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration - documentation for more information) - type: object - deprecated: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_deprecation_info - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - condition: - description: >- - **Experimental.** Agent condition - expression to evaluate whether to apply - this stream. - type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration - documentation for more information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_deprecation_info - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: >- - Variable group selections. Maps - var_group name to the selected option - name within that group. 
- type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration - documentation for more information) - type: object - required: - - enabled - - data_stream - - compiled_stream - - deprecated - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: >- - Variable group selections. Maps var_group - name to the selected option name within that - group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration - documentation for more information) - type: object - required: - - type - - enabled - - streams - - deprecated - - compiled_input - maxItems: 100 - type: array - - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: >- - **Experimental.** Agent condition expression - to evaluate whether to apply this input. - type: string - deprecated: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_deprecation_info - enabled: - description: >- - Enable or disable that input. Defaults to - `true` (enabled). - type: boolean - streams: - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: >- - **Experimental.** Agent condition - expression to evaluate whether to apply - this stream. - type: string - deprecated: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_deprecation_info - enabled: - description: >- - Enable or disable that stream. Defaults - to `true` (enabled). - type: boolean - var_group_selections: - additionalProperties: - type: string - description: >- - Variable group selections. 
Maps - var_group name to the selected option - name within that group. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: >- - Input/stream level variable. Refer to - the integration documentation for more - information. - type: object - required: - - deprecated - description: >- - Input streams. Refer to the integration - documentation to know which streams are - available. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: >- - Input/stream level variable. Refer to the - integration documentation for more - information. - type: object - required: - - deprecated - description: >- - Package policy inputs. Refer to the integration - documentation to know which inputs are available. - type: object - x-oas-optional: true - description: Package policy inputs. - is_managed: - type: boolean - name: - description: Unique name for the package policy. - type: string - namespace: - description: >- - The package policy namespace. Leave blank to inherit - the agent policy's namespace. - type: string - output_id: - nullable: true - type: string - overrides: - additionalProperties: false - description: >- - Override settings that are defined in the package - policy. The override option should be used only in - unusual circumstances and not as a routine procedure. 
- nullable: true - type: object - properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_package_policy_package - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: >- - ID of the agent policy which the package policy will - be added to. - nullable: true - type: string - policy_ids: - items: - description: >- - IDs of the agent policies which that package policy - will be added to. - type: string - maxItems: 1000 - type: array - revision: - description: Package policy revision. - type: number - secret_references: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 1000 - type: array - spaceIds: - items: - type: string - maxItems: 100 - type: array - supports_agentless: - default: false - description: >- - Indicates whether the package policy belongs to an - agentless agent policy. - nullable: true - type: boolean - supports_cloud_connector: - default: false - description: >- - Indicates whether the package policy supports cloud - connectors. - nullable: true - type: boolean - updated_at: - type: string - updated_by: - type: string - var_group_selections: - additionalProperties: - type: string - description: >- - Variable group selections. Maps var_group name to the - selected option name within that group. 
- type: object - vars: - anyOf: - - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation - for more information) - type: object - - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: >- - Input/stream level variable. Refer to the - integration documentation for more information. - type: object - x-oas-optional: true - description: Package level variable. - version: - description: Package policy ES version. - type: string - required: - - name - - enabled - - package - - inputs - - id - - revision - - updated_at - - updated_by - - created_at - - created_by - required: - - item - description: Indicates a successful response + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get a package + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/packages/{pkgName}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Install the latest version of a package from the Elastic Package Registry.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-pkgname + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Package name + in: path + name: pkgName + required: true + schema: + type: string + - description: When true, allow installing prerelease versions + in: query + name: prerelease + required: false + schema: + type: boolean + - description: When true, ignore mapping update errors during installation + in: query + name: ignoreMappingUpdateErrors + required: false + schema: + default: false + type: boolean + - description: When true, skip data stream rollover after installation + in: query + name: skipDataStreamRollover + required: false + schema: + default: false + type: boolean + - description: Skip dependency validation when installing a package with dependencies + in: query + name: skipDependencyCheck + required: false + schema: + default: false + type: boolean + requestBody: + content: + application/json: + examples: + postInstallPackageRequestExample: + description: Install a package, optionally ignoring constraints + value: + ignore_constraints: false + schema: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_install_package_from_registry_request' + nullable: true + responses: + '200': + content: + application/json: + examples: + postInstallPackageExample: + description: Package successfully installed + value: + _meta: + install_source: registry + items: + - id: aws-logs-aws.cloudwatch_logs-default + type: index_template + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_install_package_response' + description: Successful response '400': content: application/json: 
@@ -22824,16 +37775,77 @@ paths: - message - attributes description: Bad Request - '409': + summary: Install a package from the registry + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/fleet/epm/packages/{pkgName}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update settings for a package, such as whether policies are kept up to date automatically.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: put-fleet-epm-packages-pkgname + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Package name + in: path + name: pkgName + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + putUpdatePackageNamespaceCustomizationExample: + description: Enable namespace-level customization for the `production` and `staging` namespaces + value: + namespace_customization_enabled_for: + - production + - staging + putUpdatePackageRequestExample: + description: Update keep_policies_up_to_date setting for a package + value: + keepPoliciesUpToDate: true + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_update_package_request' + responses: + '200': content: application/json: examples: - conflictErrorResponseExample: - description: Example of a conflict error response + putUpdatePackageExample: + description: Updated package settings value: - error: Conflict + item: + keepPoliciesUpToDate: true + name: aws + version: 2.10.0 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_update_package_response' + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request message: An error message describing what went wrong - statusCode: 409 + statusCode: 400 schema: additionalProperties: false description: Generic Error 
@@ -22852,15 +37864,24 @@ paths: required: - message - attributes - description: Conflict - summary: Create an agentless policy + description: Bad Request + summary: Update package settings tags: - - Fleet agentless policies - x-state: Technical Preview; added in 9.3.0 - /api/fleet/agentless_policies/{policyId}: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/packages/{pkgName}/{pkgVersion}: delete: - description: Delete an agentless policy - operationId: delete-fleet-agentless-policies-policyid + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Uninstall a specific version of a package and remove all its assets.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: delete-fleet-epm-packages-pkgname-pkgversion parameters: - description: A required header to protect against CSRF attacks in: header @@ -22869,13 +37890,19 @@ paths: schema: example: 'true' type: string - - description: The ID of the policy to delete. + - description: Package name in: path - name: policyId + name: pkgName required: true schema: type: string - - description: Force delete the policy even if the policy is managed. + - description: Package version + in: path + name: pkgVersion + required: true + schema: + type: string + - description: When true, delete the package even if it has active package policies in: query name: force required: false 
@@ -22886,24 +37913,241 @@ paths: content: application/json: examples: - createAgentlessPoliciesResponseExample: - description: >- - Example response showing the successful result of - communication initialisation over MCP protocol + deletePackageExample: + description: Package successfully deleted + value: + items: + - id: aws-logs-aws.cloudwatch_logs-default + type: index_template + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_delete_package_response' + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Delete a package + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get information about a specific version of a package. + operationId: get-fleet-epm-packages-pkgname-pkgversion + parameters: + - description: Package name + in: path + name: pkgName + required: true + schema: + type: string + - description: Package version + in: path + name: pkgVersion + required: true + schema: + type: string + - description: When true, returns the package even if the signature cannot be verified + in: query + name: ignoreUnverified + required: false + schema: + type: boolean + - description: When true, include prerelease versions + in: query + name: prerelease + required: false + schema: + type: boolean + - description: When true, return the full package info including assets + in: query + name: full + required: false + schema: + type: boolean + - description: When true, include package metadata such as whether it has package policies + in: query + name: withMetadata + required: false + schema: + default: false + type: boolean + responses: + '200': + content: + application/json: + examples: + getPackageInfoExample: + description: Package details and installation status value: item: - id: d52a7812-5736-4fdc-aed8-72152afa1ffa + assets: + kibana: + dashboard: [] + index_pattern: [] + categories: + - cloud + description: Collect logs and metrics from Amazon Web Services + name: aws + status: installed + title: AWS + version: 2.10.0 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_info_response' + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: additionalProperties: false - description: Response for deleting an agentless package policy. 
+ description: Generic Error type: object properties: - id: - description: The ID of the deleted agentless package policy. + attributes: + nullable: true + error: type: string + errorType: + type: string + message: + type: string + statusCode: + type: number required: - - id - description: Indicates a successful response + - message + - attributes + description: Bad Request + summary: Get a package + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Install a specific version of a package from the Elastic Package Registry.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-pkgname-pkgversion + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Package name + in: path + name: pkgName + required: true + schema: + type: string + - description: Package version + in: path + name: pkgVersion + required: true + schema: + type: string + - description: When true, allow installing prerelease versions + in: query + name: prerelease + required: false + schema: + type: boolean + - description: When true, ignore mapping update errors during installation + in: query + name: ignoreMappingUpdateErrors + required: false + schema: + default: false + type: boolean + - description: When true, skip data stream rollover after installation + in: query + name: skipDataStreamRollover + required: false + schema: + default: false + type: boolean + - description: Skip dependency validation when installing a package with dependencies + in: query + name: skipDependencyCheck + required: false + schema: + default: false + type: boolean + requestBody: + content: + application/json: + examples: + postInstallPackageRequestExample: + description: Install a package, optionally ignoring constraints + value: + ignore_constraints: false + schema: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_install_package_from_registry_request' + nullable: true + responses: + '200': + content: + application/json: + examples: + postInstallPackageExample: + description: Package successfully installed + value: + _meta: + install_source: registry + items: + - id: aws-logs-aws.cloudwatch_logs-default + type: index_template + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_install_package_response' + description: Successful response '400': content: application/json: 
@@ -22933,16 +38177,158 @@ paths: - message - attributes description: Bad Request - '409': + summary: Install a package from the registry + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update settings for a specific version of a package.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: put-fleet-epm-packages-pkgname-pkgversion + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Package name + in: path + name: pkgName + required: true + schema: + type: string + - description: Package version + in: path + name: pkgVersion + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + putUpdatePackageNamespaceCustomizationExample: + description: Enable namespace-level customization for the `production` and `staging` namespaces + value: + namespace_customization_enabled_for: + - production + - staging + putUpdatePackageRequestExample: + description: Update keep_policies_up_to_date setting for a package + value: + keepPoliciesUpToDate: true + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_update_package_request' + responses: + '200': content: application/json: examples: - conflictErrorResponseExample: - description: Example of a conflict error response + putUpdatePackageExample: + description: Updated package settings value: - error: Conflict + item: + keepPoliciesUpToDate: true + name: aws + version: 2.10.0 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_update_package_response' + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + 
summary: Update package settings + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the contents of a specific file from a package.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-packages-pkgname-pkgversion-filepath + parameters: + - description: Package name + in: path + name: pkgName + required: true + schema: + type: string + - description: Package version + in: path + name: pkgVersion + required: true + schema: + type: string + - description: File path within the package + in: path + name: filePath + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + getPackageFileExample: + description: The content of the requested package file + value: + schema: {} + description: Successful response — returns the file content + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request message: An error message describing what went wrong - statusCode: 409 + statusCode: 400 schema: additionalProperties: false description: Generic Error @@ -22961,109 +38347,48 @@ paths: required: - message - attributes - description: Conflict - summary: Delete an agentless policy + description: Bad Request + summary: Get a package file tags: - - Fleet agentless policies - x-state: Technical Preview; added in 9.3.0 - /api/fleet/agents: - get: - description: >- - List agents, with optional filtering and pagination.

[Required - authorization] Route required privileges: fleet-agents-read. - operationId: get-fleet-agents + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/packages/{pkgName}/{pkgVersion}/datastream_assets: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/datastream_assets
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete datastream assets for a specific input package, by data stream name.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: delete-fleet-epm-packages-pkgname-pkgversion-datastream-assets parameters: - - description: Page number - in: query - name: page - required: false - schema: - type: number - - description: Number of results per page - in: query - name: perPage - required: false - schema: - default: 20 - type: number - - description: A KQL query string to filter results - in: query - name: kuery - required: false - schema: - type: string - - description: When true, include agentless agents in the results - in: query - name: showAgentless - required: false - schema: - default: true - type: boolean - - description: When true, include inactive agents in the results - in: query - name: showInactive - required: false - schema: - default: false - type: boolean - - description: When true, include CPU and memory metrics in the response - in: query - name: withMetrics - required: false - schema: - default: false - type: boolean - - description: When true, only return agents that are upgradeable - in: query - name: showUpgradeable - required: false - schema: - default: false - type: boolean - - description: When true, return a summary of agent statuses in the response - in: query - name: getStatusSummary - required: false - schema: - default: false - type: boolean - - description: Field to sort results by - in: query - name: sortField - required: false - schema: - type: string - - description: Sort order, ascending or descending - in: query - name: sortOrder - required: false + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - enum: - - asc - - desc + example: 'true' type: string - - description: JSON-encoded array of sort values for `search_after` pagination - in: query - name: searchAfter - required: false + - description: Package name + in: path + name: pkgName + required: true schema: type: string - - 
description: When true, opens a new point-in-time for pagination - in: query - name: openPit - required: false - schema: - type: boolean - - description: Point-in-time ID for pagination - in: query - name: pitId - required: false + - description: Package version + in: path + name: pkgVersion + required: true schema: type: string - - description: Duration to keep the point-in-time alive, for example, `1m` + - description: The ID of the package policy in: query - name: pitKeepAlive - required: false + name: packagePolicyId + required: true schema: type: string responses: 
@@ -23071,405 +38396,171 @@ paths: content: application/json: examples: - getAgentsExample: - description: List of agents + deletePackageDatastreamAssetsExample: + description: Package datastream assets successfully deleted value: items: - - active: true - enrolled_at: '2024-01-01T00:00:00.000Z' - id: agent-id-1 - policy_id: agent-policy-id-1 - policy_revision: 1 - status: online - type: PERMANENT - updated_at: '2024-01-01T00:00:00.000Z' - page: 1 - perPage: 20 - total: 1 + - id: logs-my_package.access-default + type: index_template + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_delete_package_datastream_assets_response' + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: false - type: object - properties: - access_api_key: - type: string - access_api_key_id: - type: string - active: - type: boolean - agent: - additionalProperties: true - type: object - properties: - id: - type: string - type: - type: string - version: - type: string - required: - - id - - version - audit_unenrolled_reason: - type: string - capabilities: - items: - type: string - maxItems: 100 - type: array - components: - items: - additionalProperties: false - type: object - properties: - id: - type: string - message: - type: string - status: - enum: - - STARTING - - CONFIGURING - - HEALTHY - - DEGRADED - - FAILED - - STOPPING - - STOPPED - type: string - type: - type: string - units: - items: - additionalProperties: false - type: object - properties: - id: - type: string - message: - type: string - payload: - additionalProperties: - nullable: true - type: object - status: - enum: - - STARTING - - CONFIGURING - - HEALTHY - - DEGRADED - - FAILED - - STOPPING - - 
STOPPED - type: string - type: - enum: - - input - - output - - '' - type: string - required: - - id - - type - - status - - message - maxItems: 10000 - type: array - required: - - id - - type - - status - - message - maxItems: 10000 - type: array - default_api_key: - type: string - default_api_key_history: - items: - additionalProperties: false - deprecated: true - type: object - properties: - id: - type: string - retired_at: - type: string - required: - - id - - retired_at - maxItems: 100 - type: array - default_api_key_id: - type: string - effective_config: - nullable: true - enrolled_at: - type: string - health: - additionalProperties: - nullable: true - type: object - id: - type: string - identifying_attributes: - additionalProperties: - type: string - type: object - last_checkin: - type: string - last_checkin_message: - type: string - last_checkin_status: - enum: - - error - - online - - degraded - - updating - - starting - - disconnected - type: string - last_known_status: - enum: - - offline - - error - - online - - inactive - - enrolling - - unenrolling - - unenrolled - - updating - - degraded - - uninstalled - - orphaned - type: string - local_metadata: - additionalProperties: - nullable: true - type: object - metrics: - additionalProperties: false - type: object - properties: - cpu_avg: - type: number - memory_size_byte_avg: - type: number - namespaces: - items: - type: string - maxItems: 100 - type: array - non_identifying_attributes: - additionalProperties: - type: string - type: object - outputs: - additionalProperties: - additionalProperties: false - type: object - properties: - api_key_id: - type: string - to_retire_api_key_ids: - items: - additionalProperties: false - type: object - properties: - id: - type: string - retired_at: - type: string - required: - - id - - retired_at - maxItems: 100 - type: array - type: - type: string - type: object - packages: - items: - type: string - maxItems: 10000 - type: array - policy_id: - type: string - 
policy_revision: - nullable: true - type: number - sequence_num: - type: number - signals: - items: - type: string - maxItems: 50 - type: array - sort: - items: - nullable: true - maxItems: 10 - type: array - status: - enum: - - offline - - error - - online - - inactive - - enrolling - - unenrolling - - unenrolled - - updating - - degraded - - uninstalled - - orphaned - type: string - tags: - items: - type: string - maxItems: 100 - type: array - type: - enum: - - PERMANENT - - EPHEMERAL - - TEMPORARY - - OPAMP - type: string - unenrolled_at: - type: string - unenrollment_started_at: - type: string - unhealthy_reason: - items: - enum: - - input - - output - - other - type: string - maxItems: 3 - nullable: true - type: array - upgrade: - additionalProperties: false - type: object - properties: - rollbacks: - items: - additionalProperties: false - type: object - properties: - valid_until: - type: string - version: - type: string - required: - - valid_until - - version - maxItems: 100 - type: array - upgrade_attempts: - items: - type: string - maxItems: 10000 - nullable: true - type: array - upgrade_details: - additionalProperties: false - nullable: true - type: object - properties: - action_id: - type: string - metadata: - additionalProperties: false - type: object - properties: - download_percent: - type: number - download_rate: - type: number - error_msg: - type: string - failed_state: - enum: - - UPG_REQUESTED - - UPG_SCHEDULED - - UPG_DOWNLOADING - - UPG_EXTRACTING - - UPG_REPLACING - - UPG_RESTARTING - - UPG_FAILED - - UPG_WATCHING - - UPG_ROLLBACK - type: string - reason: - type: string - retry_error_msg: - type: string - retry_until: - type: string - scheduled_at: - type: string - state: - enum: - - UPG_REQUESTED - - UPG_SCHEDULED - - UPG_DOWNLOADING - - UPG_EXTRACTING - - UPG_REPLACING - - UPG_RESTARTING - - UPG_FAILED - - UPG_WATCHING - - UPG_ROLLBACK - type: string - target_version: - type: string - required: - - target_version - - action_id - - state - 
upgrade_started_at: - nullable: true - type: string - upgraded_at: - nullable: true - type: string - user_provided_metadata: - additionalProperties: - nullable: true - type: object - required: - - id - - packages - - type - - active - - enrolled_at - - local_metadata - - effective_config - maxItems: 10000 - type: array - nextSearchAfter: + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: type: string - page: - type: number - perPage: + errorType: + type: string + message: + type: string + statusCode: type: number - pit: + required: + - message + - attributes + description: Bad Request + summary: Delete assets for an input package + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/packages/{pkgName}/{pkgVersion}/dependencies: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/dependencies
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the list of packages that a specific package depends on.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-packages-pkgname-pkgversion-dependencies + parameters: + - description: Package name + in: path + name: pkgName + required: true + schema: + type: string + - description: Package version + in: path + name: pkgVersion + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + dependenciesResponse: + value: + items: + - name: aws + title: AWS + version: ^2.0.0 + - name: system + title: System + version: ^1.0.0 + noDependenciesResponse: + value: + items: [] + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_dependencies_response' + description: 'OK: A successful request.' + '400': + content: + application/json: + examples: + packageNotFoundResponse: + value: + message: '[my-package-1.0.0] package not found in registry' + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: type: string - statusSummary: - additionalProperties: - type: number - type: object - total: + errorType: + type: string + message: + type: string + statusCode: type: number required: - - items - - total - - page - - perPage + - message + - attributes + description: A bad request. + summary: Get package dependencies + tags: + - Elastic Package Manager (EPM) + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete Kibana assets (dashboards, visualizations, etc.) for a specific package version.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: delete-fleet-epm-packages-pkgname-pkgversion-kibana-assets + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Package name + in: path + name: pkgName + required: true + schema: + type: string + - description: Package version + in: path + name: pkgVersion + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + deleteKibanaAssetsExample: + description: Kibana assets successfully deleted + value: + items: + - id: dashboard-id-1 + type: dashboard + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_install_kibana_assets_response' description: Successful response '400': content: @@ -23500,14 +38591,22 @@ paths: - message - attributes description: Bad Request - summary: Get agents + summary: Delete Kibana assets for a package tags: - - Elastic Agents + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name post: - description: >- - Retrieve agents associated with specific action IDs.

[Required - authorization] Route required privileges: fleet-agents-read. - operationId: post-fleet-agents + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Install Kibana assets (dashboards, visualizations, etc.) for a specific package version.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-pkgname-pkgversion-kibana-assets parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -23516,52 +38615,246 @@ paths: schema: example: 'true' type: string + - description: Package name + in: path + name: pkgName + required: true + schema: + type: string + - description: Package version + in: path + name: pkgVersion + required: true + schema: + type: string requestBody: content: application/json: examples: - postGetAgentsByActionsRequestExample: - description: Retrieve agents associated with specific action IDs - value: - actionIds: - - action-id-1 - - action-id-2 + postInstallKibanaAssetsRequestExample: + description: Install Kibana assets for a specific package version + value: {} schema: - additionalProperties: false - type: object - properties: - actionIds: - items: - type: string - maxItems: 1000 - type: array - required: - - actionIds + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_install_kibana_assets_request' + nullable: true responses: '200': content: application/json: examples: - postGetAgentsByActionsExample: - description: Agents associated with the given actions + postInstallKibanaAssetsExample: + description: Kibana assets successfully installed value: items: - - active: true - id: agent-id-1 - policy_id: agent-policy-id-1 - status: online - total: 1 + - id: dashboard-id-1 + type: dashboard + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_install_kibana_assets_response' + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: additionalProperties: false + description: Generic Error type: object properties: - items: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Install Kibana assets for a package + tags: + - Elastic Package Manager 
(EPM) + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/packages/{pkgName}/{pkgVersion}/rule_assets: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/rule_assets
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Install Kibana alert rule assets for a specific package version.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-pkgname-pkgversion-rule-assets + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Package name + in: path + name: pkgName + required: true + schema: + type: string + - description: Package version + in: path + name: pkgVersion + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + postInstallRuleAssetsRequestExample: + description: Install alert rule assets for a specific package version + value: {} + schema: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_install_rule_assets_request' + nullable: true + responses: + '200': + content: + application/json: + examples: + postInstallRuleAssetsExample: + description: Rule assets successfully installed + value: items: - type: string - maxItems: 10000 - type: array + - id: rule-asset-id-1 + type: security_rule + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_install_kibana_assets_response' + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number required: - - items + - message + - attributes + description: Bad Request + summary: Install Kibana alert rule for a package + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/packages/{pkgName}/{pkgVersion}/transforms/authorize: + post: + 
description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/transforms/authorize
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Reauthorize Elasticsearch transforms installed by a package with secondary authorization headers. + operationId: post-fleet-epm-packages-pkgname-pkgversion-transforms-authorize + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Package name + in: path + name: pkgName + required: true + schema: + type: string + - description: Package version + in: path + name: pkgVersion + required: true + schema: + type: string + - description: When true, allow prerelease versions + in: query + name: prerelease + required: false + schema: + type: boolean + requestBody: + content: + application/json: + examples: + postReauthorizeTransformsRequestExample: + description: Reauthorize transforms for a package + value: + transforms: + - destinations: + - index: logs-transform-dest + transformId: logs-transform-1 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_reauthorize_transform_request' + responses: + '200': + content: + application/json: + examples: + postReauthorizeTransformsExample: + description: Transforms successfully reauthorized + value: + - success: true + transformId: logs-transform-1 + schema: + items: + additionalProperties: false + type: object + properties: + error: + nullable: true + success: + type: boolean + transformId: + type: string + required: + - transformId + - success + - error + maxItems: 10000 + type: array description: Successful response '400': content: @@ -23592,26 +38885,176 @@ paths: - message - attributes description: Bad Request - summary: Get agents by action ids + summary: Authorize transforms tags: - - Elastic Agents - /api/fleet/agents/{agentId}: - delete: - description: >- - Delete an agent by ID.

[Required authorization] Route required - privileges: fleet-agents-all. - operationId: delete-fleet-agents-agentid + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/packages/{pkgName}/review_upgrade: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/review_upgrade
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Review and accept or reject a pending policy upgrade for a package that contains deprecations.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-pkgname-review-upgrade + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Package name to review upgrade for + in: path + name: pkgName + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + acceptUpgrade: + value: + action: accept + target_version: 2.0.0 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_review_upgrade_request' + responses: + '200': + content: + application/json: + examples: + successResponse: + value: + success: true + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_review_upgrade_response' + description: 'OK: A successful request.' + '400': + content: + application/json: + examples: + badRequestResponse: + value: + message: Bad Request + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: A bad request. + summary: Review a pending policy upgrade for a package with deprecations + tags: + - Elastic Package Manager (EPM) + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/packages/{pkgName}/rollback: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/epm/packages/{pkgName}/rollback
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Rollback a package to its previously installed version.

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all. + operationId: post-fleet-epm-packages-pkgname-rollback + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Package name to roll back + in: path + name: pkgName + required: true + schema: + type: string + responses: + '200': + content: + application/json: + examples: + successResponse: + value: + success: true + version: 1.0.0 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_rollback_package_response' + description: 'OK: A successful request.' + '400': + content: + application/json: + examples: + badRequestResponse: + value: + message: Bad Request + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: A bad request. + summary: Rollback a package to previous version + tags: + - Elastic Package Manager (EPM) + x-state: Experimental; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/packages/{pkgName}/stats: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/packages/{pkgName}/stats
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get usage statistics for a specific package, such as the number of agent policies using it.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-packages-pkgname-stats parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The agent ID + - description: Package name in: path - name: agentId + name: pkgName required: true schema: type: string @@ -23620,21 +39063,13 @@ paths: content: application/json: examples: - deleteAgentExample: - description: Agent successfully deleted + getPackageStatsExample: + description: Usage stats for a specific package value: - id: agent-id-1 - success: true + response: + agent_policy_count: 3 schema: - additionalProperties: false - type: object - properties: - action: - enum: - - deleted - type: string - required: - - action + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_stats_response' description: Successful response '400': content: @@ -23665,429 +39100,158 @@ paths: - message - attributes description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No agent was found with the given ID - value: - error: Not Found - message: Agent agent-id-1 not found - statusCode: 404 - description: Not Found - summary: Delete an agent + summary: Get package stats tags: - - Elastic Agents + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/packages/installed: get: - description: >- - Get an agent by ID.

[Required authorization] Route required - privileges: fleet-agents-read. - operationId: get-fleet-agents-agentid + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/packages/installed
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all currently installed integration packages.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-packages-installed parameters: - - description: The agent ID - in: path - name: agentId - required: true + - description: Filter by data stream type + in: query + name: dataStreamType + required: false schema: + enum: + - logs + - metrics + - traces + - synthetics + - profiling type: string - - description: When true, include CPU and memory metrics in the response + - description: When true, only return packages with active data streams in: query - name: withMetrics + name: showOnlyActiveDataStreams required: false schema: - default: false type: boolean + - description: Filter packages by name + in: query + name: nameQuery + required: false + schema: + type: string + - description: Sort values from the previous page for `search_after` pagination + in: query + name: searchAfter + required: false + schema: + items: + anyOf: + - type: string + - type: number + maxItems: 10 + type: array + - description: Number of results per page + in: query + name: perPage + required: false + schema: + default: 15 + type: number + - description: Sort order, ascending or descending + in: query + name: sortOrder + required: false + schema: + default: asc + enum: + - asc + - desc + type: string responses: '200': content: application/json: examples: - getAgentExample: - description: Agent details + getInstalledPackagesExample: + description: List of installed integration packages value: - item: - active: true - agent_id: agent-id-1 - enrolled_at: '2024-01-01T00:00:00.000Z' - id: agent-id-1 - local_metadata: - elastic: - agent: - version: 8.17.0 - host: - hostname: my-host - os: - name: linux - policy_id: agent-policy-id-1 - policy_revision: 1 - status: online - type: PERMANENT - updated_at: '2024-01-01T00:00:00.000Z' + items: + - name: system + status: installed + title: System + version: 1.55.0 + - name: elastic_agent + status: installed + title: Elastic Agent 
+ version: 1.15.0 + searchExcluded: 0 + total: 2 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_installed_packages_response' + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - access_api_key: - type: string - access_api_key_id: - type: string - active: - type: boolean - agent: - additionalProperties: true - type: object - properties: - id: - type: string - type: - type: string - version: - type: string - required: - - id - - version - audit_unenrolled_reason: - type: string - capabilities: - items: - type: string - maxItems: 100 - type: array - components: - items: - additionalProperties: false - type: object - properties: - id: - type: string - message: - type: string - status: - enum: - - STARTING - - CONFIGURING - - HEALTHY - - DEGRADED - - FAILED - - STOPPING - - STOPPED - type: string - type: - type: string - units: - items: - additionalProperties: false - type: object - properties: - id: - type: string - message: - type: string - payload: - additionalProperties: - nullable: true - type: object - status: - enum: - - STARTING - - CONFIGURING - - HEALTHY - - DEGRADED - - FAILED - - STOPPING - - STOPPED - type: string - type: - enum: - - input - - output - - '' - type: string - required: - - id - - type - - status - - message - maxItems: 10000 - type: array - required: - - id - - type - - status - - message - maxItems: 10000 - type: array - default_api_key: - type: string - default_api_key_history: - items: - additionalProperties: false - deprecated: true - type: object - properties: - id: - type: string - retired_at: - type: string - required: - - id - - retired_at - maxItems: 100 - type: array - 
default_api_key_id: - type: string - effective_config: - nullable: true - enrolled_at: - type: string - health: - additionalProperties: - nullable: true - type: object - id: - type: string - identifying_attributes: - additionalProperties: - type: string - type: object - last_checkin: - type: string - last_checkin_message: - type: string - last_checkin_status: - enum: - - error - - online - - degraded - - updating - - starting - - disconnected - type: string - last_known_status: - enum: - - offline - - error - - online - - inactive - - enrolling - - unenrolling - - unenrolled - - updating - - degraded - - uninstalled - - orphaned - type: string - local_metadata: - additionalProperties: - nullable: true - type: object - metrics: - additionalProperties: false - type: object - properties: - cpu_avg: - type: number - memory_size_byte_avg: - type: number - namespaces: - items: - type: string - maxItems: 100 - type: array - non_identifying_attributes: - additionalProperties: - type: string - type: object - outputs: - additionalProperties: - additionalProperties: false - type: object - properties: - api_key_id: - type: string - to_retire_api_key_ids: - items: - additionalProperties: false - type: object - properties: - id: - type: string - retired_at: - type: string - required: - - id - - retired_at - maxItems: 100 - type: array - type: - type: string - type: object - packages: - items: - type: string - maxItems: 10000 - type: array - policy_id: - type: string - policy_revision: - nullable: true - type: number - sequence_num: - type: number - signals: - items: - type: string - maxItems: 50 - type: array - sort: - items: - nullable: true - maxItems: 10 - type: array - status: - enum: - - offline - - error - - online - - inactive - - enrolling - - unenrolling - - unenrolled - - updating - - degraded - - uninstalled - - orphaned - type: string - tags: - items: - type: string - maxItems: 100 - type: array - type: - enum: - - PERMANENT - - EPHEMERAL - - TEMPORARY - - OPAMP - 
type: string - unenrolled_at: - type: string - unenrollment_started_at: - type: string - unhealthy_reason: - items: - enum: - - input - - output - - other - type: string - maxItems: 3 - nullable: true - type: array - upgrade: - additionalProperties: false - type: object - properties: - rollbacks: - items: - additionalProperties: false - type: object - properties: - valid_until: - type: string - version: - type: string - required: - - valid_until - - version - maxItems: 100 - type: array - upgrade_attempts: - items: - type: string - maxItems: 10000 - nullable: true - type: array - upgrade_details: - additionalProperties: false - nullable: true - type: object - properties: - action_id: - type: string - metadata: - additionalProperties: false - type: object - properties: - download_percent: - type: number - download_rate: - type: number - error_msg: - type: string - failed_state: - enum: - - UPG_REQUESTED - - UPG_SCHEDULED - - UPG_DOWNLOADING - - UPG_EXTRACTING - - UPG_REPLACING - - UPG_RESTARTING - - UPG_FAILED - - UPG_WATCHING - - UPG_ROLLBACK - type: string - reason: - type: string - retry_error_msg: - type: string - retry_until: - type: string - scheduled_at: - type: string - state: - enum: - - UPG_REQUESTED - - UPG_SCHEDULED - - UPG_DOWNLOADING - - UPG_EXTRACTING - - UPG_REPLACING - - UPG_RESTARTING - - UPG_FAILED - - UPG_WATCHING - - UPG_ROLLBACK - type: string - target_version: - type: string - required: - - target_version - - action_id - - state - upgrade_started_at: - nullable: true - type: string - upgraded_at: - nullable: true - type: string - user_provided_metadata: - additionalProperties: - nullable: true - type: object - required: - - id - - packages - - type - - active - - enrolled_at - - local_metadata - - effective_config + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number required: - - item + - message + - 
attributes + description: Bad Request + summary: Get installed packages + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/packages/limited: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/packages/limited
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the list of packages that cannot be uninstalled (e.g. elastic_agent, fleet_server).

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-packages-limited + parameters: [] + responses: + '200': + content: + application/json: + examples: + getLimitedPackagesExample: + description: List of packages that cannot be uninstalled + value: + items: + - elastic_agent + - fleet_server + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_limited_packages_response' description: Successful response '400': content: @@ -24118,446 +39282,328 @@ paths: - message - attributes description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No agent was found with the given ID - value: - error: Not Found - message: Agent agent-id-1 not found - statusCode: 404 - description: Not Found - summary: Get an agent + summary: Get a limited package list tags: - - Elastic Agents - put: - description: >- - Update an agent by ID.

[Required authorization] Route required - privileges: fleet-agents-all. - operationId: put-fleet-agents-agentid + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get an inputs template for a package, used to pre-populate package policy forms.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-templates-pkgname-pkgversion-inputs parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf + - description: Package name + in: path + name: pkgName required: true schema: - example: 'true' type: string - - description: The agent ID + - description: Package version in: path - name: agentId + name: pkgVersion required: true schema: type: string - requestBody: - content: - application/json: - examples: - putAgentRequestExample: - description: Update agent tags - value: - tags: - - production - - linux - schema: - additionalProperties: false - type: object - properties: - tags: - items: + - description: 'Output format for the inputs template: json, yml, or yaml' + in: query + name: format + required: false + schema: + default: json + enum: + - json + - yml + - yaml + type: string + - description: When true, allow prerelease versions + in: query + name: prerelease + required: false + schema: + type: boolean + - description: When true, return inputs even if the package signature cannot be verified + in: query + name: ignoreUnverified + required: false + schema: + type: boolean + responses: + '200': + content: + application/json: + examples: + getInputsTemplateExample: + description: Inputs template for a package + value: + inputs: + - description: Collect logs from log files + title: Collect logs from files + type: logfile + vars: + - name: paths + required: true + title: Paths + type: text + schema: + anyOf: + - type: string + - $ref: '#/components/schemas/Kibana_HTTP_APIs_get_inputs_response' + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + 
additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: type: string - maxItems: 10 - type: array - user_provided_metadata: - additionalProperties: + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get an inputs template + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/epm/verification_key_id: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/epm/verification_key_id
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the GPG key ID used to verify the signatures of packages from the Elastic Package Registry.

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all. + operationId: get-fleet-epm-verification-key-id + parameters: [] + responses: + '200': + content: + application/json: + examples: + getVerificationKeyIdExample: + description: The GPG key ID used to verify package signatures + value: + id: D27D666CD88E42B4 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_verification_key_id_response' + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: nullable: true - type: object + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Get a package signature verification key ID + tags: + - Elastic Package Manager (EPM) + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/fleet_server_hosts: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/fleet_server_hosts
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all Fleet Server hosts.

[Required authorization] Route required privileges: fleet-agents-all OR fleet-settings-read. + operationId: get-fleet-fleet-server-hosts + parameters: [] responses: '200': content: application/json: examples: - putAgentExample: - description: Updated agent details + getFleetServerHostsExample: + description: List of Fleet Server hosts value: - item: - active: true - enrolled_at: '2024-01-01T00:00:00.000Z' - id: agent-id-1 - policy_id: agent-policy-id-1 - policy_revision: 1 - status: online - tags: - - production - - linux - type: PERMANENT - updated_at: '2024-01-01T00:00:00.000Z' + items: + - host_urls: + - https://fleet-server.example.com:8220 + id: fleet-server-host-id-1 + is_default: true + is_preconfigured: false + name: Default Fleet Server + page: 1 + perPage: 20 + total: 1 schema: additionalProperties: false type: object properties: - item: - additionalProperties: false - type: object - properties: - access_api_key: - type: string - access_api_key_id: - type: string - active: - type: boolean - agent: - additionalProperties: true - type: object - properties: - id: - type: string - type: - type: string - version: - type: string - required: - - id - - version - audit_unenrolled_reason: - type: string - capabilities: - items: - type: string - maxItems: 100 - type: array - components: - items: - additionalProperties: false - type: object - properties: - id: - type: string - message: - type: string - status: - enum: - - STARTING - - CONFIGURING - - HEALTHY - - DEGRADED - - FAILED - - STOPPING - - STOPPED - type: string - type: - type: string - units: - items: - additionalProperties: false - type: object - properties: - id: - type: string - message: - type: string - payload: - additionalProperties: - nullable: true - type: object - status: - enum: - - STARTING - - CONFIGURING - - HEALTHY - - DEGRADED - - FAILED - - STOPPING - - STOPPED - type: string - type: - enum: - - input - - output - - '' - type: string - required: - - id - - type - - status - - message - 
maxItems: 10000 - type: array - required: - - id - - type - - status - - message - maxItems: 10000 - type: array - default_api_key: - type: string - default_api_key_history: - items: - additionalProperties: false - deprecated: true - type: object - properties: - id: - type: string - retired_at: - type: string - required: - - id - - retired_at - maxItems: 100 - type: array - default_api_key_id: - type: string - effective_config: - nullable: true - enrolled_at: - type: string - health: - additionalProperties: - nullable: true - type: object - id: - type: string - identifying_attributes: - additionalProperties: - type: string - type: object - last_checkin: - type: string - last_checkin_message: - type: string - last_checkin_status: - enum: - - error - - online - - degraded - - updating - - starting - - disconnected - type: string - last_known_status: - enum: - - offline - - error - - online - - inactive - - enrolling - - unenrolling - - unenrolled - - updating - - degraded - - uninstalled - - orphaned - type: string - local_metadata: - additionalProperties: - nullable: true - type: object - metrics: - additionalProperties: false - type: object - properties: - cpu_avg: - type: number - memory_size_byte_avg: - type: number - namespaces: - items: - type: string - maxItems: 100 - type: array - non_identifying_attributes: - additionalProperties: - type: string - type: object - outputs: - additionalProperties: - additionalProperties: false - type: object - properties: - api_key_id: - type: string - to_retire_api_key_ids: - items: - additionalProperties: false - type: object - properties: - id: - type: string - retired_at: - type: string - required: - - id - - retired_at - maxItems: 100 - type: array - type: - type: string - type: object - packages: - items: - type: string - maxItems: 10000 - type: array - policy_id: - type: string - policy_revision: - nullable: true - type: number - sequence_num: - type: number - signals: - items: - type: string - maxItems: 50 - type: array 
- sort: - items: - nullable: true - maxItems: 10 - type: array - status: - enum: - - offline - - error - - online - - inactive - - enrolling - - unenrolling - - unenrolled - - updating - - degraded - - uninstalled - - orphaned - type: string - tags: - items: - type: string - maxItems: 100 - type: array - type: - enum: - - PERMANENT - - EPHEMERAL - - TEMPORARY - - OPAMP - type: string - unenrolled_at: - type: string - unenrollment_started_at: - type: string - unhealthy_reason: - items: - enum: - - input - - output - - other + items: + items: + additionalProperties: false + type: object + properties: + host_urls: + items: + type: string + maxItems: 10 + minItems: 1 + type: array + id: type: string - maxItems: 3 - nullable: true - type: array - upgrade: - additionalProperties: false - type: object - properties: - rollbacks: - items: + is_default: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + default: false + type: boolean + name: + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + ssl: additionalProperties: false type: object properties: - valid_until: - type: string - version: - type: string - required: - - valid_until - - version - maxItems: 100 - type: array - upgrade_attempts: - items: - type: string - maxItems: 10000 - nullable: true - type: array - upgrade_details: - additionalProperties: false - nullable: true - type: object - properties: - action_id: - type: string - metadata: - additionalProperties: false - type: object - properties: - download_percent: - type: number - download_rate: - type: number - error_msg: - type: string - failed_state: - enum: - - UPG_REQUESTED - - UPG_SCHEDULED - - UPG_DOWNLOADING - - UPG_EXTRACTING - - UPG_REPLACING - - UPG_RESTARTING - - UPG_FAILED - - UPG_WATCHING - - UPG_ROLLBACK - type: string - reason: - type: string - retry_error_msg: + agent_key: + anyOf: + - additionalProperties: false + type: object + 
properties: + id: + type: string + required: + - id + - type: string + es_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + nullable: true + type: object + properties: + agent_certificate: + type: string + agent_certificate_authorities: + items: type: string - retry_until: + maxItems: 10 + type: array + agent_key: + type: string + certificate: + type: string + certificate_authorities: + items: type: string - scheduled_at: + maxItems: 10 + type: array + client_auth: + enum: + - optional + - required + - none + type: string + es_certificate: + type: string + es_certificate_authorities: + items: type: string - state: - enum: - - UPG_REQUESTED - - UPG_SCHEDULED - - UPG_DOWNLOADING - - UPG_EXTRACTING - - UPG_REPLACING - - UPG_RESTARTING - - UPG_FAILED - - UPG_WATCHING - - UPG_ROLLBACK - type: string - target_version: - type: string - required: - - target_version - - action_id - - state - upgrade_started_at: - nullable: true - type: string - upgraded_at: - nullable: true - type: string - user_provided_metadata: - additionalProperties: - nullable: true - type: object - required: - - id - - packages - - type - - active - - enrolled_at - - local_metadata - - effective_config + maxItems: 10 + type: array + es_key: + type: string + key: + type: string + required: + - name + - host_urls + - id + maxItems: 10000 + type: array + page: + type: number + perPage: + type: number + total: + type: number required: - - item + - items + - total + - page + - perPage description: Successful response '400': content: 
@@ -24588,26 +39634,22 @@ paths: - message - attributes description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No agent was found with the given ID - value: - error: Not Found - message: Agent agent-id-1 not found - statusCode: 404 - description: Not Found - summary: Update an agent by ID + summary: Get Fleet Server hosts tags: - - Elastic Agents - /api/fleet/agents/{agentId}/actions: + - Fleet Server hosts + x-metaTags: + - content: Kibana + name: product_name post: - description: >- - Create a new action for a specific agent.

[Required - authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-agentid-actions + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/fleet_server_hosts
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new Fleet Server host.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: post-fleet-fleet-server-hosts parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -24616,134 +39658,325 @@ paths: schema: example: 'true' type: string - - description: The agent ID - in: path - name: agentId - required: true - schema: - type: string requestBody: content: application/json: examples: - postAgentActionRequestExample: - description: Create a UNENROLL action for an agent + postFleetServerHostRequestExample: + description: Create a new Fleet Server host value: - action: - type: UNENROLL + host_urls: + - https://fleet-server.example.com:8220 + is_default: false + name: My Fleet Server schema: additionalProperties: false type: object properties: - action: - anyOf: - - additionalProperties: false + host_urls: + items: + type: string + maxItems: 10 + minItems: 1 + type: array + id: + type: string + is_default: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + default: false + type: boolean + name: + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + ssl: + additionalProperties: false type: object properties: - ack_data: - nullable: true - data: - nullable: true - type: - enum: - - UNENROLL - - UPGRADE - - POLICY_REASSIGN + agent_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + es_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + nullable: true + type: object + properties: + agent_certificate: + type: string + agent_certificate_authorities: + items: + type: string + maxItems: 10 + type: array + agent_key: + type: string + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + client_auth: + enum: + - optional + - required + - none + 
type: string + es_certificate: + type: string + es_certificate_authorities: + items: + type: string + maxItems: 10 + type: array + es_key: + type: string + key: + type: string + required: + - name + - host_urls + responses: + '200': + content: + application/json: + examples: + postFleetServerHostExample: + description: The created Fleet Server host + value: + item: + host_urls: + - https://fleet-server.example.com:8220 + id: fleet-server-host-id-2 + is_default: false + is_preconfigured: false + name: My Fleet Server + schema: + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + host_urls: + items: type: string - required: - - type - - data - - ack_data - - additionalProperties: false - type: object - properties: - data: - additionalProperties: false - type: object - properties: - log_level: - enum: - - debug - - info - - warning - - error - nullable: true + maxItems: 10 + minItems: 1 + type: array + id: + type: string + is_default: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + default: false + type: boolean + name: + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + ssl: + additionalProperties: false + type: object + properties: + agent_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + es_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + nullable: true + type: object + properties: + agent_certificate: + type: string + agent_certificate_authorities: + items: type: string - required: - - log_level - type: - enum: - - SETTINGS - type: string - 
required: - - type - - data - required: - - action + maxItems: 10 + type: array + agent_key: + type: string + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + client_auth: + enum: + - optional + - required + - none + type: string + es_certificate: + type: string + es_certificate_authorities: + items: + type: string + maxItems: 10 + type: array + es_key: + type: string + key: + type: string + required: + - name + - host_urls + - id + required: + - item + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response + value: + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Bad Request + summary: Create a Fleet Server host + tags: + - Fleet Server hosts + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/fleet_server_hosts/{itemId}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/fleet_server_hosts/{itemId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a Fleet Server host by ID.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: delete-fleet-fleet-server-hosts-itemid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The ID of the Fleet Server host + in: path + name: itemId + required: true + schema: + type: string responses: '200': content: application/json: examples: - postAgentActionExample: - description: Created agent action + deleteFleetServerHostExample: + description: The Fleet Server host was successfully deleted value: - item: - agents: - - agent-id-1 - created_at: '2024-01-01T00:00:00.000Z' - id: action-id-1 - type: UNENROLL + id: fleet-server-host-id-1 schema: additionalProperties: false type: object properties: - item: - additionalProperties: false - type: object - properties: - ack_data: - nullable: true - agents: - items: - type: string - maxItems: 10000 - type: array - created_at: - type: string - data: - nullable: true - expiration: - type: string - id: - type: string - minimum_execution_duration: - type: number - namespaces: - items: - type: string - maxItems: 100 - type: array - rollout_duration_seconds: - type: number - sent_at: - type: string - source_uri: - type: string - start_time: - type: string - total: - type: number - type: - type: string - required: - - id - - type - - data - - created_at - - ack_data + id: + type: string required: - - item + - id description: Successful response '400': content: 
@@ -24774,19 +40007,37 @@ paths: - message - attributes description: Bad Request - summary: Create an agent action + '404': + content: + application/json: + examples: + notFoundExample: + description: No Fleet Server host was found with the given ID + value: + error: Not Found + message: Fleet server fleet-server-host-id-1 not found + statusCode: 404 + description: Not Found + summary: Delete a Fleet Server host tags: - - Elastic Agent actions - /api/fleet/agents/{agentId}/effective_config: + - Fleet Server hosts + x-metaTags: + - content: Kibana + name: product_name get: - description: >- - Get an agent's effective config by ID.

[Required authorization] - Route required privileges: fleet-agents-read. - operationId: get-fleet-agents-agentid-effective-config + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/fleet_server_hosts/{itemId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a Fleet Server host by ID.

[Required authorization] Route required privileges: fleet-settings-read. + operationId: get-fleet-fleet-server-hosts-itemid parameters: - - description: The agent ID to get effective config of + - description: The ID of the Fleet Server host in: path - name: agentId + name: itemId required: true schema: type: string 
@@ -24795,25 +40046,138 @@ paths: content: application/json: examples: - successResponse: + getFleetServerHostExample: + description: A Fleet Server host value: - effective_config: {} + item: + host_urls: + - https://fleet-server.example.com:8220 + id: fleet-server-host-id-1 + is_default: true + is_preconfigured: false + name: Default Fleet Server schema: additionalProperties: false type: object properties: - effective_config: - nullable: true + item: + additionalProperties: false + type: object + properties: + host_urls: + items: + type: string + maxItems: 10 + minItems: 1 + type: array + id: + type: string + is_default: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + default: false + type: boolean + name: + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + ssl: + additionalProperties: false + type: object + properties: + agent_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + es_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + nullable: true + type: object + properties: + agent_certificate: + type: string + agent_certificate_authorities: + items: + type: string + maxItems: 10 + type: array + agent_key: + type: string + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + client_auth: + enum: + - optional + - required + - none + type: string + es_certificate: + type: string + es_certificate_authorities: + items: + type: string + maxItems: 10 + type: array + es_key: + type: string + key: + type: string + required: + - name + - host_urls + - id required: - - 
effective_config - description: 'OK: A successful request.' + - item + description: Successful response '400': content: application/json: examples: - badRequestResponse: + genericErrorResponseExample: + description: Example of a generic error response value: - message: Bad Request + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: additionalProperties: false description: Generic Error @@ -24832,16 +40196,34 @@ paths: required: - message - attributes - description: A bad request. - summary: Get an agent's effective config + description: Bad Request + '404': + content: + application/json: + examples: + notFoundExample: + description: No Fleet Server host was found with the given ID + value: + error: Not Found + message: Fleet server fleet-server-host-id-1 not found + statusCode: 404 + description: Not Found + summary: Get a Fleet Server host tags: - - Elastic Agents - /api/fleet/agents/{agentId}/migrate: - post: - description: >- - Migrate a single agent to another cluster.

[Required - authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-agentid-migrate + - Fleet Server hosts + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/fleet/fleet_server_hosts/{itemId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update a Fleet Server host by ID.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: put-fleet-fleet-server-hosts-itemid parameters: - description: A required header to protect against CSRF attacks in: header @@ -24850,9 +40232,9 @@ paths: schema: example: 'true' type: string - - description: The agent ID + - description: The ID of the Fleet Server host in: path - name: agentId + name: itemId required: true schema: type: string 
@@ -24860,79 +40242,236 @@ paths: content: application/json: examples: - postMigrateAgentRequestExample: - description: Migrate a single agent to another cluster + putFleetServerHostRequestExample: + description: Update a Fleet Server host value: - enrollment_token: enrollment-token-value - settings: - retry_max: 5 - uri: https://fleet-server.example.com:8220 + host_urls: + - https://updated-fleet-server.example.com:8220 + is_default: false + name: Updated Fleet Server schema: additionalProperties: false type: object properties: - enrollment_token: + host_urls: + items: + type: string + maxItems: 10 + minItems: 1 + type: array + is_default: + type: boolean + is_internal: + type: boolean + name: type: string - settings: + proxy_id: + nullable: true + type: string + secrets: additionalProperties: false type: object properties: - ca_sha256: - type: string - certificate_authorities: - type: string - elastic_agent_cert: + ssl: + additionalProperties: false + type: object + properties: + agent_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + es_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + nullable: true + type: object + properties: + agent_certificate: type: string - elastic_agent_cert_key: + agent_certificate_authorities: + items: + type: string + maxItems: 10 + type: array + agent_key: type: string - elastic_agent_cert_key_passphrase: + certificate: type: string - headers: - additionalProperties: - type: string - type: object - insecure: - type: boolean - proxy_disabled: - type: boolean - proxy_headers: - additionalProperties: + certificate_authorities: + items: type: string - type: object - proxy_url: - type: string - 
replace_token: + maxItems: 10 + type: array + client_auth: + enum: + - optional + - required + - none type: string - staging: + es_certificate: type: string - tags: + es_certificate_authorities: items: type: string maxItems: 10 type: array - uri: - format: uri - type: string + es_key: + type: string + key: + type: string required: - - uri - - enrollment_token + - proxy_id responses: '200': content: application/json: examples: - postMigrateAgentExample: - description: Agent migration initiated + putFleetServerHostExample: + description: The updated Fleet Server host value: - actionId: action-id-1 + item: + host_urls: + - https://updated-fleet-server.example.com:8220 + id: fleet-server-host-id-1 + is_default: false + is_preconfigured: false + name: Updated Fleet Server schema: additionalProperties: false type: object properties: - actionId: - type: string + item: + additionalProperties: false + type: object + properties: + host_urls: + items: + type: string + maxItems: 10 + minItems: 1 + type: array + id: + type: string + is_default: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + default: false + type: boolean + name: + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + ssl: + additionalProperties: false + type: object + properties: + agent_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + es_key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + key: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + nullable: true + type: object + properties: + agent_certificate: + type: string + agent_certificate_authorities: + items: + type: string + maxItems: 10 + type: array + agent_key: + 
type: string + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + client_auth: + enum: + - optional + - required + - none + type: string + es_certificate: + type: string + es_certificate_authorities: + items: + type: string + maxItems: 10 + type: array + es_key: + type: string + key: + type: string + required: + - name + - host_urls + - id required: - - actionId + - item description: Successful response '400': content: @@ -24963,16 +40502,34 @@ paths: - message - attributes description: Bad Request - summary: Migrate a single agent + '404': + content: + application/json: + examples: + notFoundExample: + description: No Fleet Server host was found with the given ID + value: + error: Not Found + message: Fleet server fleet-server-host-id-1 not found + statusCode: 404 + description: Not Found + summary: Update a Fleet Server host tags: - - Elastic Agents - /api/fleet/agents/{agentId}/privilege_level_change: + - Fleet Server hosts + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/health_check: post: - description: >- - Change the privilege level of a single agent to - unprivileged.

[Required authorization] Route required - privileges: fleet-agents-all. - operationId: post-fleet-agents-agentid-privilege-level-change + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/health_check
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Check the health status of a Fleet Server instance by its host ID. Returns the server status and name if available.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: post-fleet-health-check parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -24981,139 +40538,59 @@ paths: schema: example: 'true' type: string - - description: The agent ID to change privilege level for - in: path - name: agentId - required: true - schema: - type: string requestBody: content: application/json: examples: - changeAgentPrivilegeLevelRequest: + postHealthCheckRequestExample: + description: Check the health of a Fleet Server instance by its host ID value: - user_info: - groupname: groupname - password: password - username: username + id: fleet-server-host-id-1 schema: additionalProperties: false - nullable: true type: object properties: - user_info: - additionalProperties: false - type: object - properties: - groupname: - type: string - password: - type: string - username: - type: string + id: + type: string + required: + - id responses: '200': content: application/json: examples: - successResponse: + postHealthCheckHealthyExample: + description: Fleet Server is online and healthy value: - actionId: actionId - schema: - anyOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_action_id_response' - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_action_message_response - description: 'OK: A successful request.' - '400': - content: - application/json: - examples: - badRequestResponse: + name: fleet-server-1 + status: ONLINE + postHealthCheckUnreachableExample: + description: Fleet Server host is not reachable (request timed out or aborted) value: - message: Bad Request + host_id: fleet-server-host-id-1 + status: OFFLINE schema: additionalProperties: false - description: Generic Error type: object properties: - attributes: - nullable: true - error: + host_id: type: string - errorType: + name: type: string - message: + status: type: string - statusCode: - type: number required: - - message - - attributes - description: A bad request. 
- summary: Change agent privilege level - tags: - - Elastic Agents - x-state: Technical Preview; added in 9.3.0 - /api/fleet/agents/{agentId}/reassign: - post: - description: >- - Reassign an agent to a different agent policy.

[Required - authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-agentid-reassign - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The agent ID - in: path - name: agentId - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - postReassignAgentRequestExample: - description: Reassign an agent to a different policy - value: - policy_id: agent-policy-id-2 - schema: - additionalProperties: false - type: object - properties: - policy_id: - type: string - required: - - policy_id - responses: - '200': - content: - application/json: - examples: - postReassignAgentExample: - description: Agent successfully reassigned - value: {} - schema: - additionalProperties: false - type: object - properties: {} - description: Successful response + - status + description: Successful health check response '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequestExample: + description: The host ID exists but has no associated host URLs configured value: error: Bad Request - message: An error message describing what went wrong + message: The requested host id fleet-server-host-id-1 does not have associated host urls. statusCode: 400 schema: additionalProperties: false @@ -25134,126 +40611,16 @@ paths: - message - attributes description: Bad Request - summary: Reassign an agent - tags: - - Elastic Agent actions - /api/fleet/agents/{agentId}/remove_collector: - post: - description: >- - Remove a specific OpAMP collector from the Fleet agents list. Marks the - collector as unenrolled. This action does not invalidate API keys, so - the collector can reconnect on its own.

[Required - authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-agentid-remove-collector - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The collector agent ID - in: path - name: agentId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - postRemoveCollectorExample: - description: Collector successfully removed - value: {} - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - description: Bad Request - summary: Remove an OpAMP collector - tags: - - Elastic Agent actions - x-state: Technical Preview; added in 9.5.0 - /api/fleet/agents/{agentId}/request_diagnostics: - post: - description: >- - Request a diagnostics bundle from a specific agent.

[Required - authorization] Route required privileges: fleet-agents-read. - operationId: post-fleet-agents-agentid-request-diagnostics - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The agent ID - in: path - name: agentId - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - postRequestDiagnosticsRequestExample: - description: Request a diagnostics bundle from an agent - value: - additional_metrics: - - CPU - schema: - additionalProperties: false - nullable: true - type: object - properties: - additional_metrics: - items: - enum: - - CPU - type: string - maxItems: 1 - type: array - responses: - '200': - content: - application/json: - examples: - postRequestDiagnosticsExample: - description: Diagnostics action result - value: - actionId: action-id-1 - schema: - additionalProperties: false - type: object - properties: - actionId: - type: string - required: - - actionId - description: Successful response - '400': + '404': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + notFoundExample: + description: No Fleet Server host was found with the given ID value: - error: Bad Request - message: >- - Agent agent-id-1 does not support request diagnostics - action. - statusCode: 400 + error: Not Found + message: The requested host id fleet-server-host-id-1 does not exist. + statusCode: 404 schema: additionalProperties: false description: Generic Error @@ -25272,28 +40639,41 @@ paths: required: - message - attributes - description: Bad Request - summary: Request agent diagnostics + description: Not Found + summary: Check Fleet Server health tags: - - Elastic Agent actions - /api/fleet/agents/{agentId}/rollback: - post: - description: >- - Rollback an agent to the previous version.

[Required - authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-agentid-rollback + - Fleet internals + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/kubernetes: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/kubernetes
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the Kubernetes manifest for deploying Elastic Agent.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-setup. + operationId: get-fleet-kubernetes parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true + - description: If true, returns the manifest as a downloadable file + in: query + name: download + required: false + schema: + type: boolean + - description: Fleet Server host URL to include in the manifest + in: query + name: fleetServer + required: false schema: - example: 'true' type: string - - description: The agent ID to rollback - in: path - name: agentId - required: true + - description: Enrollment token to include in the manifest + in: query + name: enrolToken + required: false schema: type: string responses: @@ -25301,22 +40681,23 @@ paths: content: application/json: examples: - successResponse: + getK8sManifestExample: + description: The Kubernetes manifest for deploying Elastic Agent value: - actionId: actionId + item: 'apiVersion: v1\nkind: ConfigMap\nmetadata:\n name: agent-node-datastreams\n namespace: kube-system\n' schema: - anyOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_action_id_response' - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_action_message_response - description: 'OK: A successful request.' + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_k8s_manifest_response' + description: Successful response '400': content: application/json: examples: - badRequestResponse: + genericErrorResponseExample: + description: Example of a generic error response value: - message: Bad Request + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: additionalProperties: false description: Generic Error 
@@ -25335,127 +40716,54 @@ paths: required: - message - attributes - description: A bad request. - summary: Rollback an agent - tags: - - Elastic Agent actions - x-state: Technical Preview; added in 9.4.0 - /api/fleet/agents/{agentId}/unenroll: - post: - description: >- - Unenroll a specific agent, optionally revoking its enrollment API - key.

[Required authorization] Route required privileges: - fleet-agents-all. - operationId: post-fleet-agents-agentid-unenroll - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The agent ID - in: path - name: agentId - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - postUnenrollAgentRequestExample: - description: Unenroll an agent, optionally revoking the enrollment API key - value: - revoke: false - schema: - additionalProperties: false - nullable: true - type: object - properties: - force: - type: boolean - revoke: - type: boolean - responses: - '200': - content: - application/json: - examples: - postUnenrollAgentExample: - description: Agent successfully unenrolled - value: {} - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 description: Bad Request - summary: Unenroll an agent + summary: Get a full K8s agent manifest tags: - - Elastic Agent actions - /api/fleet/agents/{agentId}/upgrade: - post: - description: >- - Upgrade a specific agent to a newer version.

[Required - authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-agentid-upgrade + - Elastic Agent policies + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/kubernetes/download: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/kubernetes/download
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Download the Kubernetes manifest for deploying Elastic Agent.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-setup. + operationId: get-fleet-kubernetes-download parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true + - description: If true, returns the manifest as a downloadable file + in: query + name: download + required: false + schema: + type: boolean + - description: Fleet Server host URL to include in the manifest + in: query + name: fleetServer + required: false schema: - example: 'true' type: string - - description: The agent ID - in: path - name: agentId - required: true + - description: Enrollment token to include in the manifest + in: query + name: enrolToken + required: false schema: type: string - requestBody: - content: - application/json: - examples: - postUpgradeAgentRequestExample: - description: Upgrade an agent to a specific version - value: - version: 8.17.0 - schema: - additionalProperties: false - type: object - properties: - force: - type: boolean - skipRateLimitCheck: - type: boolean - source_uri: - type: string - version: - type: string - required: - - version responses: '200': content: application/json: examples: - postUpgradeAgentExample: - description: Agent upgrade initiated - value: {} + getDownloadK8sManifestExample: + description: The Kubernetes manifest download + value: 'apiVersion: v1\nkind: ConfigMap\nmetadata:\n name: agent-node-datastreams\n namespace: kube-system\n' schema: - additionalProperties: false - type: object - properties: {} - description: Successful response + type: string + description: Successful response — returns the Kubernetes manifest as a YAML file download '400': content: application/json: @@ -25485,89 +40793,16 @@ paths: - message - attributes description: Bad Request - summary: Upgrade an agent - tags: - - Elastic Agent actions - /api/fleet/agents/{agentId}/uploads: - get: - description: >- - Get a list of files uploaded by a specific agent.

[Required - authorization] Route required privileges: fleet-agents-read. - operationId: get-fleet-agents-agentid-uploads - parameters: - - description: The agent ID - in: path - name: agentId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getAgentUploadsExample: - description: List of files uploaded by the agent - value: - items: - - actionId: action-id-1 - createTime: '2024-01-01T00:00:00.000Z' - filePath: /tmp/diagnostics-2024-01-01.zip - id: file-id-1 - name: diagnostics-2024-01-01.zip - status: READY - schema: - additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: false - type: object - properties: - actionId: - type: string - createTime: - type: string - error: - type: string - filePath: - type: string - id: - type: string - name: - type: string - status: - enum: - - READY - - AWAITING_UPLOAD - - DELETED - - EXPIRED - - IN_PROGRESS - - FAILED - type: string - required: - - id - - name - - filePath - - createTime - - status - - actionId - maxItems: 10000 - type: array - required: - - items - description: Successful response - '400': + '404': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + notFoundExample: + description: No manifest was found value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + error: Not Found + message: Agent manifest not found + statusCode: 404 schema: additionalProperties: false description: Generic Error @@ -25586,178 +40821,49 @@ paths: required: - message - attributes - description: Bad Request - summary: Get agent uploads + description: Not Found + summary: Download an agent manifest tags: - - Elastic Agents - /api/fleet/agents/action_status: - get: - description: >- - Get the current status of recent agent actions.

[Required - authorization] Route required privileges: fleet-agents-read. - operationId: get-fleet-agents-action-status + - Elastic Agent policies + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/logstash_api_keys: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/logstash_api_keys
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Generate an API key for Logstash to use with a Fleet output.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: post-fleet-logstash-api-keys parameters: - - description: Page number - in: query - name: page - required: false - schema: - default: 0 - type: number - - description: Number of results per page - in: query - name: perPage - required: false - schema: - default: 20 - type: number - - description: Return actions created before this date - in: query - name: date - required: false + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: + example: 'true' type: string - - description: Return only the latest N actions - in: query - name: latest - required: false - schema: - type: number - - description: Number of error details to include per action - in: query - name: errorSize - required: false - schema: - default: 5 - type: number responses: '200': content: application/json: examples: - getActionStatusExample: - description: Status of recent agent actions + postLogstashApiKeyExample: + description: The generated Logstash API key value: - items: - - actionId: action-id-1 - completionTime: '2024-01-01T00:05:00.000Z' - creationTime: '2024-01-01T00:00:00.000Z' - nbAgentsAck: 2 - nbAgentsActioned: 2 - nbAgentsFailed: 0 - status: COMPLETE - type: UPGRADE + api_key: TiNAGG4BaaMdaH1tRfuU:KnR6yE41RrSowb0kQ0HWoA schema: additionalProperties: false type: object properties: - items: - items: - additionalProperties: false - type: object - properties: - actionId: - type: string - cancellationTime: - type: string - completionTime: - type: string - creationTime: - description: creation time of action - type: string - expiration: - type: string - hasRolloutPeriod: - type: boolean - is_automatic: - type: boolean - latestErrors: - items: - additionalProperties: false - description: >- - latest errors that happened when the agents - executed the action - type: object - properties: - agentId: - type: string - error: - type: string - 
hostname: - type: string - timestamp: - type: string - required: - - agentId - - error - - timestamp - maxItems: 10 - type: array - nbAgentsAck: - description: number of agents that acknowledged the action - type: number - nbAgentsActionCreated: - description: number of agents included in action from kibana - type: number - nbAgentsActioned: - description: number of agents actioned - type: number - nbAgentsFailed: - description: number of agents that failed to execute the action - type: number - newPolicyId: - description: new policy id (POLICY_REASSIGN action) - type: string - policyId: - description: policy id (POLICY_CHANGE action) - type: string - revision: - description: new policy revision (POLICY_CHANGE action) - type: number - startTime: - description: start time of action (scheduled actions) - type: string - status: - enum: - - COMPLETE - - EXPIRED - - CANCELLED - - FAILED - - IN_PROGRESS - - ROLLOUT_PASSED - type: string - type: - enum: - - UPGRADE - - UNENROLL - - SETTINGS - - POLICY_REASSIGN - - CANCEL - - FORCE_UNENROLL - - REQUEST_DIAGNOSTICS - - UPDATE_TAGS - - POLICY_CHANGE - - INPUT_ACTION - - MIGRATE - - PRIVILEGE_LEVEL_CHANGE - - ROLLBACK - type: string - version: - description: agent version number (UPGRADE action) - type: string - required: - - actionId - - nbAgentsActionCreated - - nbAgentsAck - - nbAgentsFailed - - type - - nbAgentsActioned - - status - - creationTime - maxItems: 10000 - type: array + api_key: + type: string required: - - items + - api_key description: Successful response '400': content: @@ -25788,15 +40894,23 @@ paths: - message - attributes description: Bad Request - summary: Get an agent action status + summary: Generate a Logstash API key tags: - - Elastic Agent actions - /api/fleet/agents/actions/{actionId}/cancel: + - Fleet outputs + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/message_signing_service/rotate_key_pair: post: - description: >- - Cancel a pending action for a specific agent.

[Required - authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-actions-actionid-cancel + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/message_signing_service/rotate_key_pair
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Rotate the key pair used by Fleet to sign messages sent to Elastic Agents. This operation is irreversible and requires all agents in the Fleet to be re-enrolled after rotation. You must explicitly acknowledge the risk by passing `acknowledge=true` as a query parameter.

[Required authorization] Route required privileges: fleet-agents-all AND fleet-agent-policies-all AND fleet-settings-all. + operationId: post-fleet-message-signing-service-rotate-key-pair parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -25805,93 +40919,40 @@ paths: schema: example: 'true' type: string - - description: The ID of the action to cancel - in: path - name: actionId - required: true + - description: Set to true to confirm you understand the risks of rotating the key pair + in: query + name: acknowledge + required: false schema: - type: string - requestBody: - content: - application/json: - examples: - postCancelActionRequestExample: - description: Cancel an agent action - value: {} + default: false + type: boolean responses: '200': content: application/json: examples: - postCancelActionExample: - description: Cancellation action created + rotateKeyPairSuccessExample: + description: The key pair was rotated. All agents must be re-enrolled to receive the new signing key. value: - item: - agents: - - agent-id-1 - created_at: '2024-01-01T00:00:00.000Z' - id: cancel-action-id-1 - type: CANCEL + message: Key pair rotated successfully. schema: additionalProperties: false type: object properties: - item: - additionalProperties: false - type: object - properties: - ack_data: - nullable: true - agents: - items: - type: string - maxItems: 10000 - type: array - created_at: - type: string - data: - nullable: true - expiration: - type: string - id: - type: string - minimum_execution_duration: - type: number - namespaces: - items: - type: string - maxItems: 100 - type: array - rollout_duration_seconds: - type: number - sent_at: - type: string - source_uri: - type: string - start_time: - type: string - total: - type: number - type: - type: string - required: - - id - - type - - data - - created_at - - ack_data + message: + type: string required: - - item - description: Successful response + - message + description: Key pair rotated successfully '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + acknowledgeRequiredExample: + description: Request was rejected because the acknowledge query parameter was not set to true value: 
error: Bad Request - message: An error message describing what went wrong + message: 'Warning: this API will cause a key pair to rotate and should not be necessary in normal operation. If you proceed, you may need to reinstall Agents in your network. You must acknowledge the risks of rotating the key pair with acknowledge=true in the request parameters. For more information, reach out to your administrator.' statusCode: 400 schema: additionalProperties: false @@ -25912,40 +40973,96 @@ paths: - message - attributes description: Bad Request - summary: Cancel an agent action + '500': + content: + application/json: + examples: + serviceUnavailableExample: + description: The message signing service is not available + value: + error: Internal Server Error + message: Failed to rotate key pair. Message signing service is unavailable! + statusCode: 500 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Internal Server Error + summary: Rotate a Fleet message signing key pair tags: - - Elastic Agent actions - /api/fleet/agents/available_versions: + - Message Signing Service + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/outputs: get: - description: >- - Get a list of Elastic Agent versions available for - upgrade.

[Required authorization] Route required privileges: - fleet-agents-read. - operationId: get-fleet-agents-available-versions + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/outputs
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all Fleet outputs.

[Required authorization] Route required privileges: fleet-settings-read OR fleet-agent-policies-read. + operationId: get-fleet-outputs parameters: [] responses: '200': content: application/json: examples: - getAvailableVersionsExample: - description: List of available agent versions for upgrade + getOutputsExample: + description: List of Fleet outputs value: items: - - 8.17.0 - - 8.16.3 - - 8.16.2 + - hosts: + - https://elasticsearch.example.com:9200 + id: output-id-1 + is_default: true + is_default_monitoring: true + name: Default output + type: elasticsearch + page: 1 + perPage: 20 + total: 1 schema: additionalProperties: false type: object properties: items: items: - type: string + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_remote_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_logstash' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_kafka' maxItems: 10000 type: array + page: + type: number + perPage: + type: number + total: + type: number required: - items + - total + - page + - perPage description: Successful response '400': content: @@ -25976,15 +41093,22 @@ paths: - message - attributes description: Bad Request - summary: Get available agent versions + summary: Get outputs tags: - - Elastic Agents - /api/fleet/agents/bulk_migrate: + - Fleet outputs + x-metaTags: + - content: Kibana + name: product_name post: - description: >- - Bulk migrate agents to another cluster.

[Required - authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-bulk-migrate + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/outputs
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new Fleet output.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: post-fleet-outputs parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -25997,90 +41121,49 @@ paths: content: application/json: examples: - postBulkMigrateAgentsRequestExample: - description: Migrate multiple agents to another cluster + postOutputRequestExample: + description: Create a new Elasticsearch output value: - agents: - - agent-id-1 - - agent-id-2 - enrollment_token: enrollment-token-value - settings: - retry_max: 5 - uri: https://fleet-server.example.com:8220 + hosts: + - https://elasticsearch.example.com:9200 + is_default: false + is_default_monitoring: false + name: My output + type: elasticsearch schema: - additionalProperties: false - type: object - properties: - agents: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - type: string - batchSize: - type: number - enrollment_token: - type: string - settings: - additionalProperties: false - type: object - properties: - ca_sha256: - type: string - certificate_authorities: - type: string - elastic_agent_cert: - type: string - elastic_agent_cert_key: - type: string - elastic_agent_cert_key_passphrase: - type: string - headers: - additionalProperties: - type: string - type: object - insecure: - type: boolean - proxy_disabled: - type: boolean - proxy_headers: - additionalProperties: - type: string - type: object - proxy_url: - type: string - staging: - type: string - tags: - items: - type: string - maxItems: 10 - type: array - uri: - format: uri - type: string - required: - - agents - - uri - - enrollment_token + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_output_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_output_remote_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_output_logstash' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_output_kafka' responses: '200': content: application/json: examples: - postBulkMigrateAgentsExample: - description: Bulk agent migration initiated + postOutputExample: + description: The created Fleet output value: - actionId: action-id-1 + item: + hosts: + - 
https://elasticsearch.example.com:9200 + id: output-id-2 + is_default: false + is_default_monitoring: false + name: My output + type: elasticsearch schema: additionalProperties: false type: object properties: - actionId: - type: string + item: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_remote_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_logstash' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_kafka' required: - - actionId + - item description: Successful response '400': content: @@ -26111,16 +41194,23 @@ paths: - message - attributes description: Bad Request - summary: Migrate multiple agents + summary: Create output tags: - - Elastic Agents - /api/fleet/agents/bulk_privilege_level_change: - post: - description: >- - Change multiple agents' privilege level to - unprivileged.

[Required authorization] Route required - privileges: fleet-agents-all. - operationId: post-fleet-agents-bulk-privilege-level-change + - Fleet outputs + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/outputs/{outputId}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/outputs/{outputId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete output by ID.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: delete-fleet-outputs-outputid parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -26129,66 +41219,69 @@ paths: schema: example: 'true' type: string - requestBody: - content: - application/json: - examples: - bulkChangeAgentPrivilegeLevelRequest: - value: - agents: agent - user_info: - groupname: groupname - password: password - username: username - schema: - additionalProperties: false - type: object - properties: - agents: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - type: string - batchSize: - type: number - user_info: - additionalProperties: false - type: object - properties: - groupname: - type: string - password: - type: string - username: - type: string - required: - - agents + - description: The ID of the output + in: path + name: outputId + required: true + schema: + type: string responses: '200': content: application/json: examples: - successResponse: + deleteOutputExample: + description: The output was successfully deleted + value: + id: output-id-1 + schema: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + description: Successful response + '400': + content: + application/json: + examples: + genericErrorResponseExample: + description: Example of a generic error response value: - actionId: actionId + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: additionalProperties: false + description: Generic Error type: object properties: - actionId: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: type: string + statusCode: + type: number required: - - actionId - description: 'OK: A successful request.' - '400': + - message + - attributes + description: Bad Request + '404': content: application/json: examples: - badRequestResponse: + notFoundExample: + description: No output was found with the given ID value: - message: Bad Request + error: Not Found + message: Output output-id-1 not found + statusCode: 404 schema: additionalProperties: false description: Generic Error 
@@ -26207,74 +41300,58 @@ paths: required: - message - attributes - description: A bad request. - summary: Bulk change agent privilege level + description: Not Found + summary: Delete output tags: - - Elastic Agents - x-state: Technical Preview; added in 9.3.0 - /api/fleet/agents/bulk_reassign: - post: - description: >- - Reassign multiple agents to a different agent policy.

[Required - authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-bulk-reassign + - Fleet outputs + x-metaTags: + - content: Kibana + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/outputs/{outputId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get output by ID.

[Required authorization] Route required privileges: fleet-settings-read OR fleet-agent-policies-read. + operationId: get-fleet-outputs-outputid parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf + - description: The ID of the output + in: path + name: outputId required: true schema: - example: 'true' type: string - requestBody: - content: - application/json: - examples: - postBulkReassignAgentsRequestExample: - description: Reassign multiple agents to a different policy - value: - agents: - - agent-id-1 - - agent-id-2 - policy_id: agent-policy-id-2 - schema: - additionalProperties: false - type: object - properties: - agents: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - type: string - batchSize: - type: number - includeInactive: - default: false - type: boolean - policy_id: - type: string - required: - - policy_id - - agents responses: '200': content: application/json: examples: - postBulkReassignAgentsExample: - description: Bulk reassign action result + getOutputExample: + description: A Fleet output value: - actionId: action-id-1 + item: + hosts: + - https://elasticsearch.example.com:9200 + id: output-id-1 + is_default: true + is_default_monitoring: true + name: Default output + type: elasticsearch schema: additionalProperties: false type: object properties: - actionId: - type: string + item: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_remote_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_logstash' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_kafka' required: - - actionId + - item description: Successful response '400': content: 
@@ -26305,17 +41382,33 @@ paths: - message - attributes description: Bad Request - summary: Bulk reassign agents + '404': + content: + application/json: + examples: + notFoundExample: + description: No output was found with the given ID + value: + error: Not Found + message: Output output-id-1 not found + statusCode: 404 + description: Not Found + summary: Get output tags: - - Elastic Agent actions - /api/fleet/agents/bulk_remove_collectors: - post: - description: >- - Remove multiple OpAMP collectors from the Fleet agents list. Marks the - collectors as unenrolled. This action does not invalidate API keys, so - collectors can reconnect on their own.

[Required authorization] - Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-bulk-remove-collectors + - Fleet outputs + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/fleet/outputs/{outputId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update output by ID.

[Required authorization] Route required privileges: fleet-settings-all OR fleet-agent-policies-all. + operationId: put-fleet-outputs-outputid parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -26324,53 +41417,56 @@ paths: schema: example: 'true' type: string + - description: The ID of the output + in: path + name: outputId + required: true + schema: + type: string requestBody: content: application/json: examples: - postBulkRemoveCollectorsRequestExample: - description: Remove multiple OpAMP collectors + putOutputRequestExample: + description: Update a Fleet output value: - agents: - - collector-id-1 - - collector-id-2 + hosts: + - https://updated-elasticsearch.example.com:9200 + name: Updated output schema: - additionalProperties: false - type: object - properties: - agents: - anyOf: - - items: - description: List of collector agent IDs - type: string - maxItems: 10000 - type: array - - description: KQL query string. Leave empty to target all collectors - type: string - includeInactive: - description: >- - When passing collectors by KQL query, also removes inactive - collectors - type: boolean - required: - - agents + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_output_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_output_remote_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_output_logstash' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_output_kafka' responses: '200': content: application/json: examples: - postBulkRemoveCollectorsExample: - description: Bulk remove collectors action result + putOutputExample: + description: The updated Fleet output value: - actionId: action-id-1 + item: + hosts: + - https://updated-elasticsearch.example.com:9200 + id: output-id-1 + is_default: true + is_default_monitoring: true + name: Updated output + type: elasticsearch schema: additionalProperties: false type: object properties: - actionId: - type: string + item: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_remote_elasticsearch' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_logstash' + - 
$ref: '#/components/schemas/Kibana_HTTP_APIs_output_kafka' required: - - actionId + - item description: Successful response '400': content: @@ -26401,75 +41497,69 @@ paths: - message - attributes description: Bad Request - summary: Bulk remove OpAMP collectors + '404': + content: + application/json: + examples: + notFoundExample: + description: No output was found with the given ID + value: + error: Not Found + message: Output output-id-1 not found + statusCode: 404 + description: Not Found + summary: Update output tags: - - Elastic Agent actions - x-state: Technical Preview; added in 9.5.0 - /api/fleet/agents/bulk_request_diagnostics: - post: - description: >- - Request diagnostics bundles from multiple agents.

[Required - authorization] Route required privileges: fleet-agents-read. - operationId: post-fleet-agents-bulk-request-diagnostics + - Fleet outputs + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/outputs/{outputId}/health: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/outputs/{outputId}/health
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the latest health status of an output by ID.

[Required authorization] Route required privileges: fleet-settings-read. + operationId: get-fleet-outputs-outputid-health parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf + - description: The ID of the output + in: path + name: outputId required: true schema: - example: 'true' type: string - requestBody: - content: - application/json: - examples: - postBulkRequestDiagnosticsRequestExample: - description: Request diagnostics bundles from multiple agents - value: - additional_metrics: - - CPU - agents: - - agent-id-1 - - agent-id-2 - schema: - additionalProperties: false - type: object - properties: - additional_metrics: - items: - enum: - - CPU - type: string - maxItems: 1 - type: array - agents: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - type: string - batchSize: - type: number - required: - - agents responses: '200': content: application/json: examples: - postBulkRequestDiagnosticsExample: - description: Bulk diagnostics action result + getOutputHealthExample: + description: The latest health status of a Fleet output value: - actionId: action-id-1 + message: '' + state: HEALTHY + timestamp: '2024-01-15T10:00:00.000Z' schema: additionalProperties: false type: object properties: - actionId: + message: + description: long message if unhealthy + type: string + state: + description: state of output, HEALTHY or DEGRADED + type: string + timestamp: + description: timestamp of reported state type: string required: - - actionId + - state + - message + - timestamp description: Successful response '400': content: @@ -26500,81 +41590,134 @@ paths: - message - attributes description: Bad Request - summary: Bulk request diagnostics from agents + summary: Get the latest output health tags: - - Elastic Agent actions - /api/fleet/agents/bulk_rollback: - post: - description: >- - Rollback multiple agents to the previous version.

[Required - authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-bulk-rollback + - Fleet outputs + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/package_policies: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/package_policies
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all package policies. + operationId: get-fleet-package-policies parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true + - description: Page number + in: query + name: page + required: false + schema: + type: number + - description: Number of results per page + in: query + name: perPage + required: false + schema: + type: number + - description: Field to sort results by + in: query + name: sortField + required: false schema: - example: 'true' type: string - requestBody: - content: - application/json: - examples: - bulkRollbackAgentsRequest: - value: - agents: - - agent-1 - - agent-2 - batchSize: 100 - includeInactive: false - schema: - additionalProperties: false - type: object - properties: - agents: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - type: string - batchSize: - type: number - includeInactive: - default: false - type: boolean - required: - - agents + - description: Sort order, ascending or descending + in: query + name: sortOrder + required: false + schema: + enum: + - desc + - asc + type: string + - description: When true, only show policies with available upgrades + in: query + name: showUpgradeable + required: false + schema: + type: boolean + - description: A KQL query string to filter results + in: query + name: kuery + required: false + schema: + type: string + - description: 'Format for the response: simplified or legacy' + in: query + name: format + required: false + schema: + enum: + - simplified + - legacy + type: string + - description: When true, include the agent count per package policy + in: query + name: withAgentCount + required: false + schema: + type: boolean responses: '200': content: application/json: examples: - successResponse: + getPackagePoliciesExample: + description: List of package policies value: - actionIds: - - actionId1 
- - actionId2 + items: + - created_at: '2024-01-15T10:00:00.000Z' + enabled: true + id: package-policy-id-1 + inputs: [] + name: nginx-1 + namespace: default + package: + name: nginx + title: Nginx + version: 1.20.0 + policy_ids: + - agent-policy-id-1 + updated_at: '2024-01-15T10:00:00.000Z' + page: 1 + perPage: 20 + total: 1 schema: additionalProperties: false type: object properties: - actionIds: + items: items: - type: string + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_response' maxItems: 10000 type: array + page: + type: number + perPage: + type: number + total: + type: number required: - - actionIds - description: 'OK: A successful request.' + - items + - total + - page + - perPage + description: Successful response '400': content: application/json: examples: - badRequestResponse: + genericErrorResponseExample: + description: Example of a generic error response value: - message: Bad Request + error: Bad Request + message: An error message describing what went wrong + statusCode: 400 schema: additionalProperties: false description: Generic Error @@ -26593,18 +41736,23 @@ paths: required: - message - attributes - description: A bad request. - summary: Bulk rollback agents + description: Bad Request + summary: Get package policies tags: - - Elastic Agent actions - x-state: Technical Preview; added in 9.4.0 - /api/fleet/agents/bulk_unenroll: + - Fleet package policies + x-metaTags: + - content: Kibana + name: product_name post: - description: >- - Unenroll multiple agents, optionally revoking their enrollment API - keys.

[Required authorization] Route required privileges: - fleet-agents-all. - operationId: post-fleet-agents-bulk-unenroll + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/package_policies
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new package policy and assign it to an agent policy. + operationId: post-fleet-package-policies parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -26613,62 +41761,59 @@ paths: schema: example: 'true' type: string + - description: 'Format for the response: simplified or legacy' + in: query + name: format + required: false + schema: + enum: + - simplified + - legacy + type: string requestBody: content: application/json: examples: - postBulkUnenrollAgentsRequestExample: - description: Unenroll multiple agents + postPackagePolicyRequestExample: + description: Create a new nginx package policy value: - agents: - - agent-id-1 - - agent-id-2 - revoke: false + inputs: {} + name: nginx-1 + namespace: default + package: + name: nginx + version: 1.20.0 + policy_ids: + - agent-policy-id-1 schema: - additionalProperties: false - type: object - properties: - agents: - anyOf: - - items: - description: list of agent IDs - type: string - maxItems: 10000 - type: array - - description: KQL query string, leave empty to action all agents - type: string - batchSize: - type: number - force: - description: Unenrolls hosted agents too - type: boolean - includeInactive: - description: >- - When passing agents by KQL query, unenrolls inactive agents - too - type: boolean - revoke: - description: Revokes API keys of agents - type: boolean - required: - - agents + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_create_package_policy_request' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_simplified_create_package_policy_request' + description: You should use inputs as an object and not use the deprecated inputs array. 
responses: '200': content: application/json: examples: - postBulkUnenrollAgentsExample: - description: Bulk unenroll action result + postPackagePolicyExample: + description: The created package policy value: - actionId: action-id-1 - schema: - additionalProperties: false - type: object - properties: - actionId: - type: string - required: - - actionId + item: + created_at: '2024-01-15T10:00:00.000Z' + enabled: true + id: package-policy-id-2 + inputs: [] + name: nginx-1 + namespace: default + package: + name: nginx + title: Nginx + version: 1.20.0 + policy_ids: + - agent-policy-id-1 + updated_at: '2024-01-15T10:00:00.000Z' + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_create_package_policy_response' description: Successful response '400': content: @@ -26699,15 +41844,52 @@ paths: - message - attributes description: Bad Request - summary: Bulk unenroll agents + '409': + content: + application/json: + examples: + conflictExample: + description: A package policy with the same name already exists + value: + error: Conflict + message: An error message describing what went wrong + statusCode: 409 + schema: + additionalProperties: false + description: Generic Error + type: object + properties: + attributes: + nullable: true + error: + type: string + errorType: + type: string + message: + type: string + statusCode: + type: number + required: + - message + - attributes + description: Conflict + summary: Create a package policy tags: - - Elastic Agent actions - /api/fleet/agents/bulk_update_agent_tags: + - Fleet package policies + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/package_policies/_bulk_get: post: - description: >- - Add or remove tags across multiple agents.

[Required - authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-agents-bulk-update-agent-tags + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/package_policies/_bulk_get
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get multiple package policies by ID. + operationId: post-fleet-package-policies-bulk-get parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -26716,65 +41898,63 @@ paths: schema: example: 'true' type: string + - description: 'Format for the response: simplified or legacy' + in: query + name: format + required: false + schema: + enum: + - simplified + - legacy + type: string requestBody: content: application/json: examples: - postBulkUpdateAgentTagsRequestExample: - description: Add and remove tags across multiple agents + postBulkGetPackagePoliciesRequestExample: + description: Retrieve multiple package policies by ID value: - agents: - - agent-id-1 - - agent-id-2 - tagsToAdd: - - production - tagsToRemove: - - staging + ids: + - package-policy-id-1 + - package-policy-id-2 schema: additionalProperties: false type: object properties: - agents: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - type: string - batchSize: - type: number - includeInactive: - default: false - type: boolean - tagsToAdd: - items: - type: string - maxItems: 10 - type: array - tagsToRemove: + ids: + description: list of package policy ids items: type: string - maxItems: 10 + maxItems: 1000 type: array + ignoreMissing: + type: boolean required: - - agents + - ids responses: '200': content: application/json: examples: - postBulkUpdateAgentTagsExample: - description: Bulk action result + postBulkGetPackagePoliciesExample: + description: The requested package policies value: - actionId: action-id-1 + items: + - created_at: '2024-01-15T10:00:00.000Z' + enabled: true + id: package-policy-id-1 + inputs: [] + name: nginx-1 + namespace: default + package: + name: nginx + title: Nginx + version: 1.20.0 + policy_ids: + - agent-policy-id-1 + updated_at: '2024-01-15T10:00:00.000Z' schema: - additionalProperties: false - type: object - properties: - actionId: - type: string - required: - - actionId + $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_get_package_policies_response' description: Successful response '400': content: 
@@ -26805,16 +41985,42 @@ paths: - message - attributes description: Bad Request - summary: Bulk update agent tags + '404': + content: + application/json: + examples: + notFoundExample: + description: One or more package policies were not found + value: + error: Not Found + message: Package policy package-policy-id-2 not found + statusCode: 404 + schema: + additionalProperties: false + type: object + properties: + message: + type: string + required: + - message + description: Not Found + summary: Bulk get package policies tags: - - Elastic Agent actions - /api/fleet/agents/bulk_upgrade: - post: - description: >- - Upgrade multiple agents to a newer version, with optional rollout - controls.

[Required authorization] Route required privileges: - fleet-agents-all. - operationId: post-fleet-agents-bulk-upgrade + - Fleet package policies + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/package_policies/{packagePolicyId}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/package_policies/{packagePolicyId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a package policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all AND integrations-all. + operationId: delete-fleet-package-policies-packagepolicyid parameters: - description: A required header to protect against CSRF attacks in: header @@ -26823,67 +42029,29 @@ paths: schema: example: 'true' type: string - requestBody: - content: - application/json: - examples: - postBulkUpgradeAgentsRequestExample: - description: Upgrade multiple agents to a specific version - value: - agents: - - agent-id-1 - - agent-id-2 - rollout_duration_seconds: 3600 - version: 8.17.0 - schema: - additionalProperties: false - type: object - properties: - agents: - anyOf: - - items: - type: string - maxItems: 10000 - type: array - - type: string - batchSize: - type: number - force: - type: boolean - includeInactive: - default: false - type: boolean - rollout_duration_seconds: - minimum: 600 - type: number - skipRateLimitCheck: - type: boolean - source_uri: - type: string - start_time: - type: string - version: - type: string - required: - - agents - - version + - description: The ID of the package policy + in: path + name: packagePolicyId + required: true + schema: + type: string + - description: When true, delete the package policy even if it is managed + in: query + name: force + required: false + schema: + type: boolean responses: '200': content: application/json: examples: - postBulkUpgradeAgentsExample: - description: Bulk upgrade action result + deletePackagePolicyExample: + description: The package policy was successfully deleted value: - actionId: action-id-1 + id: package-policy-id-1 schema: - additionalProperties: false - type: object - properties: - actionId: - type: string - required: - - actionId + $ref: '#/components/schemas/Kibana_HTTP_APIs_delete_one_package_policy_response' description: Successful response '400': content: 
@@ -26914,50 +42082,68 @@ paths: - message - attributes description: Bad Request - summary: Bulk upgrade agents + summary: Delete a package policy tags: - - Elastic Agent actions - /api/fleet/agents/files/{fileId}: - delete: - description: >- - Delete a file uploaded by an agent.

[Required authorization] - Route required privileges: fleet-agents-all. - operationId: delete-fleet-agents-files-fileid + - Fleet package policies + x-metaTags: + - content: Kibana + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/package_policies/{packagePolicyId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a package policy by ID. + operationId: get-fleet-package-policies-packagepolicyid parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf + - description: The ID of the package policy + in: path + name: packagePolicyId required: true schema: - example: 'true' type: string - - description: The ID of the uploaded file - in: path - name: fileId - required: true + - description: 'Format for the response: simplified or legacy' + in: query + name: format + required: false schema: + enum: + - simplified + - legacy type: string responses: '200': content: application/json: examples: - deleteAgentUploadFileExample: - description: Uploaded file successfully deleted + getPackagePolicyExample: + description: A package policy value: - deleted: true - id: file-id-1 + item: + created_at: '2024-01-15T10:00:00.000Z' + enabled: true + id: package-policy-id-1 + inputs: [] + name: nginx-1 + namespace: default + package: + name: nginx + title: Nginx + version: 1.20.0 + policy_ids: + - agent-policy-id-1 + updated_at: '2024-01-15T10:00:00.000Z' schema: additionalProperties: false type: object properties: - deleted: - type: boolean - id: - type: string + item: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_response' required: - - id - - deleted + - item description: Successful response '400': content: 
@@ -26988,39 +42174,115 @@ paths: - message - attributes description: Bad Request - summary: Delete an uploaded file + '404': + content: + application/json: + examples: + notFoundExample: + description: No package policy was found with the given ID + value: + error: Not Found + message: Package policy package-policy-id-1 not found + statusCode: 404 + schema: + additionalProperties: false + type: object + properties: + message: + type: string + required: + - message + description: Not Found + summary: Get a package policy tags: - - Elastic Agents - /api/fleet/agents/files/{fileId}/{fileName}: - get: - description: >- - Get a file uploaded by an agent.

[Required authorization] Route - required privileges: fleet-agents-read. - operationId: get-fleet-agents-files-fileid-filename + - Fleet package policies + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/fleet/package_policies/{packagePolicyId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update a package policy by ID. + operationId: put-fleet-package-policies-packagepolicyid parameters: - - description: The ID of the uploaded file - in: path - name: fileId + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: + example: 'true' type: string - - description: The name of the uploaded file + - description: The ID of the package policy in: path - name: fileName + name: packagePolicyId required: true schema: type: string + - description: 'Format for the response: simplified or legacy' + in: query + name: format + required: false + schema: + enum: + - simplified + - legacy + type: string + requestBody: + content: + application/json: + examples: + putPackagePolicyRequestExample: + description: Update a package policy + value: + enabled: true + inputs: {} + name: nginx-1-updated + namespace: default + package: + name: nginx + version: 1.20.0 + policy_ids: + - agent-policy-id-1 + schema: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_package_policy_request' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_simplified_create_package_policy_request' responses: '200': content: application/json: examples: - getAgentUploadFileExample: - description: The uploaded file content as a stream - value: + putPackagePolicyExample: + description: The updated package policy + value: + item: + created_at: '2024-01-15T10:00:00.000Z' + enabled: true + id: package-policy-id-1 + inputs: [] + name: nginx-1-updated + namespace: default + package: + name: nginx + title: Nginx + version: 1.20.0 + policy_ids: + - agent-policy-id-1 + updated_at: '2024-01-15T11:00:00.000Z' schema: + additionalProperties: false type: object - description: Successful response — returns the uploaded file content + properties: + item: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_response' + required: + - 
item + description: Successful response '400': content: application/json: @@ -27050,103 +42312,16 @@ paths: - message - attributes description: Bad Request - summary: Get an uploaded file - tags: - - Elastic Agents - /api/fleet/agents/setup: - get: - description: >- - Get the current Fleet setup status, including whether Fleet is ready to - enroll agents and which requirements or optional features are - missing.

[Required authorization] Route required privileges: - fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR - fleet-setup. - operationId: get-fleet-agents-setup - parameters: [] - responses: - '200': - content: - application/json: - examples: - agentsSetupNotReadyExample: - description: >- - Fleet is not ready — a Fleet Server and API keys are - required - value: - is_action_secrets_storage_enabled: false - is_secrets_storage_enabled: false - is_space_awareness_enabled: false - is_ssl_secrets_storage_enabled: false - isReady: false - missing_optional_features: - - encrypted_saved_object_encryption_key_required - missing_requirements: - - fleet_server - - api_keys - agentsSetupReadyExample: - description: Fleet is ready to enroll agents — all requirements are met - value: - is_action_secrets_storage_enabled: true - is_secrets_storage_enabled: true - is_space_awareness_enabled: false - is_ssl_secrets_storage_enabled: false - isReady: true - missing_optional_features: [] - missing_requirements: [] - package_verification_key_id: D88DB4CC - schema: - additionalProperties: false - description: >- - A summary of the agent setup status. `isReady` indicates - whether the setup is ready. If the setup is not ready, - `missing_requirements` lists which requirements are missing. 
- type: object - properties: - is_action_secrets_storage_enabled: - type: boolean - is_secrets_storage_enabled: - type: boolean - is_space_awareness_enabled: - type: boolean - is_ssl_secrets_storage_enabled: - type: boolean - isReady: - type: boolean - missing_optional_features: - items: - enum: - - encrypted_saved_object_encryption_key_required - type: string - maxItems: 1 - type: array - missing_requirements: - items: - enum: - - security_required - - tls_required - - api_keys - - fleet_admin_user - - fleet_server - type: string - maxItems: 5 - type: array - package_verification_key_id: - type: string - required: - - isReady - - missing_requirements - - missing_optional_features - description: Fleet setup status - '400': + '403': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + forbiddenExample: + description: The update is not authorized for this package value: - error: Bad Request + error: Forbidden message: An error message describing what went wrong - statusCode: 400 + statusCode: 403 schema: additionalProperties: false description: Generic Error @@ -27165,18 +42340,24 @@ paths: required: - message - attributes - description: Bad Request - summary: Get agent setup info + description: Forbidden + summary: Update a package policy tags: - - Elastic Agents + - Fleet package policies + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/package_policies/delete: post: - description: >- - Initialize Fleet. This endpoint is used by Elastic Agents to trigger - Fleet setup. Safe to call multiple times; subsequent calls are - idempotent.

[Required authorization] Route required privileges: - fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR - fleet-setup. - operationId: post-fleet-agents-setup + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/package_policies/delete
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete multiple package policies by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all AND integrations-all. + operationId: post-fleet-package-policies-delete parameters: - description: A required header to protect against CSRF attacks in: header @@ -27185,47 +42366,36 @@ paths: schema: example: 'true' type: string + requestBody: + content: + application/json: + examples: + postDeletePackagePoliciesRequestExample: + description: Delete multiple package policies by ID + value: + packagePolicyIds: + - package-policy-id-1 + - package-policy-id-2 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_delete_package_policies_request' responses: - '200': - content: - application/json: - examples: - agentsSetupSuccessExample: - description: >- - Fleet setup initialized successfully with no non-fatal - errors - value: - isInitialized: true - nonFatalErrors: [] - schema: - additionalProperties: false - description: >- - A summary of the result of Fleet's `setup` lifecycle. If - `isInitialized` is true, Fleet is ready to accept agent - enrollment. `nonFatalErrors` may include useful insight into - non-blocking issues with Fleet setup. - type: object - properties: - isInitialized: - type: boolean - nonFatalErrors: - items: - additionalProperties: false - type: object - properties: - message: - type: string - name: - type: string - required: - - name - - message - maxItems: 10000 - type: array - required: - - isInitialized - - nonFatalErrors - description: Fleet setup completed + '200': + content: + application/json: + examples: + postDeletePackagePoliciesExample: + description: Results of the bulk delete operation + value: + - id: package-policy-id-1 + success: true + - id: package-policy-id-2 + success: true + schema: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_status_response' + maxItems: 10000 + type: array + description: Successful response '400': content: application/json: 
@@ -27255,52 +42425,58 @@ paths: - message - attributes description: Bad Request - summary: Initiate Fleet setup + summary: Bulk delete package policies tags: - - Elastic Agents - /api/fleet/agents/tags: - get: - description: >- - Get a list of all tags used across enrolled agents.

[Required - authorization] Route required privileges: fleet-agents-read. - operationId: get-fleet-agents-tags + - Fleet package policies + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/package_policies/upgrade: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/package_policies/upgrade
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Upgrade a package policy to a newer package version.

[Required authorization] Route required privileges: fleet-agent-policies-all AND integrations-all. + operationId: post-fleet-package-policies-upgrade parameters: - - description: A KQL query string to filter results - in: query - name: kuery - required: false + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: + example: 'true' type: string - - description: When true, include tags from inactive agents - in: query - name: showInactive - required: false - schema: - default: false - type: boolean + requestBody: + content: + application/json: + examples: + postUpgradePackagePoliciesRequestExample: + description: Upgrade package policies to the latest version + value: + packagePolicyIds: + - package-policy-id-1 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_upgrade_package_policies_request' responses: '200': content: application/json: examples: - getAgentTagsExample: - description: List of tags used across agents + postUpgradePackagePoliciesExample: + description: Results of the upgrade operation value: - items: - - production - - linux - - datacenter-1 + - id: package-policy-id-1 + name: nginx-1 + success: true schema: - additionalProperties: false - type: object - properties: - items: - items: - type: string - maxItems: 10000 - type: array - required: - - items + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_status_response' + maxItems: 10000 + type: array description: Successful response '400': content: 
@@ -27331,52 +42507,192 @@ paths: - message - attributes description: Bad Request - summary: Get agent tags + summary: Upgrade a package policy tags: - - Elastic Agents - /api/fleet/check-permissions: - get: - description: >- - Check whether the current user has the required permissions to use - Fleet. Optionally verifies Fleet Server setup privileges. - operationId: get-fleet-check-permissions + - Fleet package policies + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/package_policies/upgrade/dryrun: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/package_policies/upgrade/dryrun
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Preview the changes that would be applied by upgrading a package policy to a newer package version.

[Required authorization] Route required privileges: fleet-agent-policies-read AND integrations-read. + operationId: post-fleet-package-policies-upgrade-dryrun parameters: - - description: >- - When true, check Fleet Server setup privileges in addition to - standard Fleet privileges - in: query - name: fleetServerSetup - required: false + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - type: boolean + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + postDryRunPackagePoliciesRequestExample: + description: Dry run an upgrade of a package policy + value: + packagePolicyIds: + - package-policy-id-1 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_dry_run_package_policies_request' responses: '200': content: application/json: examples: - checkPermissionsMissingPrivilegesExample: - description: The current user is missing Fleet privileges - value: - error: MISSING_PRIVILEGES - success: false - checkPermissionsSuccessExample: - description: The current user has all required Fleet permissions + postDryRunPackagePoliciesExample: + description: Preview of the package policy upgrade diff value: - success: true + - diff: + - id: package-policy-id-1 + name: nginx-1 + package: + name: nginx + version: 1.20.0 + - name: nginx-1 + package: + name: nginx + version: 1.21.0 + hasErrors: false + name: nginx-1 schema: - additionalProperties: false - type: object - properties: - error: - enum: - - MISSING_SECURITY - - MISSING_PRIVILEGES - - MISSING_FLEET_SERVER_SETUP_PRIVILEGES - type: string - success: - type: boolean - required: - - success + items: + additionalProperties: false + type: object + properties: + agent_diff: + items: + items: + additionalProperties: true + type: object + properties: + data_stream: + additionalProperties: true + type: object + properties: + namespace: + type: string + required: + - namespace + id: + type: string + meta: + 
additionalProperties: true + type: object + properties: + package: + additionalProperties: true + type: object + properties: + name: + type: string + version: + type: string + required: + - name + - version + required: + - package + name: + type: string + package_policy_id: + type: string + processors: + items: + additionalProperties: true + type: object + properties: + add_fields: + additionalProperties: true + type: object + properties: + fields: + additionalProperties: + anyOf: + - type: string + - type: number + type: object + target: + type: string + required: + - target + - fields + required: + - add_fields + maxItems: 10000 + type: array + revision: + type: number + streams: + items: + additionalProperties: true + type: object + properties: + data_stream: + additionalProperties: true + type: object + properties: + dataset: + type: string + type: + type: string + required: + - dataset + id: + type: string + required: + - data_stream + maxItems: 10000 + type: array + type: + type: string + use_output: + type: string + required: + - id + - name + - revision + - type + - data_stream + - use_output + - package_policy_id + maxItems: 10000 + type: array + maxItems: 1 + type: array + body: + additionalProperties: false + type: object + properties: + message: + type: string + required: + - message + diff: + items: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_response' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_dry_run_package_policy' + maxItems: 2 + type: array + hasErrors: + type: boolean + name: + type: string + statusCode: + type: number + required: + - hasErrors + maxItems: 10000 + type: array description: Successful response '400': content: 
@@ -27407,51 +42723,40 @@ paths: - message - attributes description: Bad Request - summary: Check permissions + summary: Dry run a package policy upgrade tags: - - Fleet internals - /api/fleet/cloud_connectors: + - Fleet package policies + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/proxies: get: - description: >- - List all Fleet cloud connectors.

[Required authorization] Route - required privileges: fleet-agent-policies-read OR integrations-read. - operationId: get-fleet-cloud-connectors - parameters: - - description: The page number for pagination. - in: query - name: page - required: false - schema: - type: string - - description: The number of items per page. - in: query - name: perPage - required: false - schema: - type: string - - description: KQL query to filter cloud connectors. - in: query - name: kuery - required: false - schema: - type: string + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/proxies
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List all Fleet proxies.

[Required authorization] Route required privileges: fleet-settings-read. + operationId: get-fleet-proxies + parameters: [] responses: '200': content: application/json: examples: - getCloudConnectorsExample: - description: List of Fleet cloud connectors + getFleetProxiesExample: + description: List of Fleet proxies value: items: - - accountType: single-account - cloudProvider: aws - created_at: '2024-01-15T10:00:00.000Z' - id: cloud-connector-id-1 - name: My AWS connector - packagePolicyCount: 2 - updated_at: '2024-01-15T10:00:00.000Z' - vars: {} + - id: proxy-id-1 + is_preconfigured: false + name: My proxy + url: http://proxy.example.com:3128 + page: 1 + perPage: 20 + total: 1 schema: additionalProperties: false type: object @@ -27461,44 +42766,49 @@ paths: additionalProperties: false type: object properties: - accountType: + certificate: + nullable: true type: string - cloudProvider: + certificate_authorities: + nullable: true type: string - created_at: + certificate_key: + nullable: true type: string id: type: string + is_preconfigured: + default: false + type: boolean name: type: string - namespace: - type: string - packagePolicyCount: - type: number - updated_at: - type: string - vars: + proxy_headers: additionalProperties: - nullable: true + anyOf: + - type: string + - type: boolean + - type: number + nullable: true type: object - verification_failed_at: - type: string - verification_started_at: - type: string - verification_status: + url: type: string required: - id + - url - name - - cloudProvider - - vars - - packagePolicyCount - - created_at - - updated_at maxItems: 10000 type: array + page: + type: number + perPage: + type: number + total: + type: number required: - items + - total + - page + - perPage description: Successful response '400': content: 
@@ -27529,15 +42839,22 @@ paths: - message - attributes description: Bad Request - summary: Get cloud connectors + summary: Get proxies tags: - - Fleet cloud connectors - x-state: Technical Preview; added in 9.2.0 + - Fleet proxies + x-metaTags: + - content: Kibana + name: product_name post: - description: >- - Create a new Fleet cloud connector.

[Required authorization] - Route required privileges: fleet-agent-policies-all OR integrations-all. - operationId: post-fleet-cloud-connectors + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/proxies
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new Fleet proxy.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: post-fleet-proxies parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -27550,93 +42867,57 @@ paths: content: application/json: examples: - postCloudConnectorRequestExample: - description: Create a new AWS cloud connector + postFleetProxyRequestExample: + description: Create a new Fleet proxy value: - accountType: single-account - cloudProvider: aws - name: My AWS connector - vars: {} + name: My proxy + url: http://proxy.example.com:3128 schema: additionalProperties: false type: object properties: - accountType: - description: >- - The account type: single-account (single - account/subscription) or organization-account - (organization-wide). - enum: - - single-account - - organization-account + certificate: + nullable: true type: string - cloudProvider: - description: 'The cloud provider type: aws, azure, or gcp.' - enum: - - aws - - azure - - gcp + certificate_authorities: + nullable: true + type: string + certificate_key: + nullable: true + type: string + id: type: string + is_preconfigured: + default: false + type: boolean name: - description: The name of the cloud connector. 
- maxLength: 255 - minLength: 1 type: string - vars: + proxy_headers: additionalProperties: anyOf: - - maxLength: 1000 - type: string - - type: number + - type: string - type: boolean - - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - maxLength: 50 - type: string - value: - anyOf: - - maxLength: 1000 - type: string - - additionalProperties: false - type: object - properties: - id: - maxLength: 255 - type: string - isSecretRef: - type: boolean - required: - - isSecretRef - - id - required: - - type - - value + - type: number + nullable: true type: object + url: + type: string required: + - url - name - - cloudProvider - - vars responses: '200': content: application/json: examples: - postCloudConnectorExample: - description: The created Fleet cloud connector + postFleetProxyExample: + description: The created Fleet proxy value: item: - accountType: single-account - cloudProvider: aws - created_at: '2024-01-15T10:00:00.000Z' - id: cloud-connector-id-2 - name: My AWS connector - packagePolicyCount: 0 - updated_at: '2024-01-15T10:00:00.000Z' - vars: {} + id: proxy-id-2 + is_preconfigured: false + name: My proxy + url: http://proxy.example.com:3128 schema: additionalProperties: false type: object 
@@ -27645,40 +42926,36 @@ paths: additionalProperties: false type: object properties: - accountType: + certificate: + nullable: true type: string - cloudProvider: + certificate_authorities: + nullable: true type: string - created_at: + certificate_key: + nullable: true type: string id: type: string + is_preconfigured: + default: false + type: boolean name: type: string - namespace: - type: string - packagePolicyCount: - type: number - updated_at: - type: string - vars: + proxy_headers: additionalProperties: - nullable: true + anyOf: + - type: string + - type: boolean + - type: number + nullable: true type: object - verification_failed_at: - type: string - verification_started_at: - type: string - verification_status: + url: type: string required: - id + - url - name - - cloudProvider - - vars - - packagePolicyCount - - created_at - - updated_at required: - item description: Successful response @@ -27711,18 +42988,23 @@ paths: - message - attributes description: Bad Request - summary: Create cloud connector + summary: Create a proxy tags: - - Fleet cloud connectors - x-state: Technical Preview; added in 9.2.0 - /api/fleet/cloud_connectors/{cloudConnectorId}: + - Fleet proxies + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/proxies/{itemId}: delete: - description: >- - Delete a cloud connector by ID. Use the `force` query parameter to - delete even if package policies are still using it.

[Required - authorization] Route required privileges: fleet-agent-policies-all OR - integrations-all. - operationId: delete-fleet-cloud-connectors-cloudconnectorid + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/fleet/proxies/{itemId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a proxy by ID

[Required authorization] Route required privileges: fleet-settings-all. + operationId: delete-fleet-proxies-itemid parameters: - description: A required header to protect against CSRF attacks in: header @@ -27731,27 +43013,21 @@ paths: schema: example: 'true' type: string - - description: The unique identifier of the cloud connector to delete. + - description: The ID of the proxy in: path - name: cloudConnectorId + name: itemId required: true schema: type: string - - description: If true, forces deletion even if the cloud connector is in use. - in: query - name: force - required: false - schema: - type: boolean responses: '200': content: application/json: examples: - deleteCloudConnectorExample: - description: The cloud connector was successfully deleted + deleteFleetProxyExample: + description: The Fleet proxy was successfully deleted value: - id: cloud-connector-id-1 + id: proxy-id-1 schema: additionalProperties: false type: object @@ -27790,19 +43066,37 @@ paths: - message - attributes description: Bad Request - summary: Delete cloud connector (supports force deletion) + '404': + content: + application/json: + examples: + notFoundExample: + description: No proxy was found with the given ID + value: + error: Not Found + message: Fleet proxy proxy-id-1 not found + statusCode: 404 + description: Not Found + summary: Delete a proxy tags: - - Fleet cloud connectors - x-state: Technical Preview; added in 9.2.0 + - Fleet proxies + x-metaTags: + - content: Kibana + name: product_name get: - description: >- - Get a cloud connector by ID.

[Required authorization] Route - required privileges: fleet-agent-policies-read OR integrations-read. - operationId: get-fleet-cloud-connectors-cloudconnectorid + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/proxies/{itemId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a proxy by ID.

[Required authorization] Route required privileges: fleet-settings-read. + operationId: get-fleet-proxies-itemid parameters: - - description: The unique identifier of the cloud connector. + - description: The ID of the proxy in: path - name: cloudConnectorId + name: itemId required: true schema: type: string @@ -27811,18 +43105,14 @@ paths: content: application/json: examples: - getCloudConnectorExample: - description: A Fleet cloud connector + getFleetProxyExample: + description: A Fleet proxy value: item: - accountType: single-account - cloudProvider: aws - created_at: '2024-01-15T10:00:00.000Z' - id: cloud-connector-id-1 - name: My AWS connector - packagePolicyCount: 2 - updated_at: '2024-01-15T10:00:00.000Z' - vars: {} + id: proxy-id-1 + is_preconfigured: false + name: My proxy + url: http://proxy.example.com:3128 schema: additionalProperties: false type: object @@ -27831,40 +43121,36 @@ paths: additionalProperties: false type: object properties: - accountType: + certificate: + nullable: true type: string - cloudProvider: + certificate_authorities: + nullable: true type: string - created_at: + certificate_key: + nullable: true type: string id: type: string + is_preconfigured: + default: false + type: boolean name: type: string - namespace: - type: string - packagePolicyCount: - type: number - updated_at: - type: string - vars: + proxy_headers: additionalProperties: - nullable: true + anyOf: + - type: string + - type: boolean + - type: number + nullable: true type: object - verification_failed_at: - type: string - verification_started_at: - type: string - verification_status: + url: type: string required: - id + - url - name - - cloudProvider - - vars - - packagePolicyCount - - created_at - - updated_at required: - item description: Successful response 
@@ -27897,15 +43183,33 @@ paths: - message - attributes description: Bad Request - summary: Get cloud connector + '404': + content: + application/json: + examples: + notFoundExample: + description: No proxy was found with the given ID + value: + error: Not Found + message: Fleet proxy proxy-id-1 not found + statusCode: 404 + description: Not Found + summary: Get a proxy tags: - - Fleet cloud connectors - x-state: Technical Preview; added in 9.2.0 + - Fleet proxies + x-metaTags: + - content: Kibana + name: product_name put: - description: >- - Update a cloud connector by ID.

[Required authorization] Route - required privileges: fleet-agent-policies-all OR integrations-all. - operationId: put-fleet-cloud-connectors-cloudconnectorid + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/fleet/proxies/{itemId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update a proxy by ID.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: put-fleet-proxies-itemid parameters: - description: A required header to protect against CSRF attacks in: header @@ -27914,9 +43218,9 @@ paths: schema: example: 'true' type: string - - description: The unique identifier of the cloud connector to update. + - description: The ID of the proxy in: path - name: cloudConnectorId + name: itemId required: true schema: type: string 
@@ -27924,80 +43228,53 @@ paths: content: application/json: examples: - putCloudConnectorRequestExample: - description: Update a Fleet cloud connector + putFleetProxyRequestExample: + description: Update a Fleet proxy value: - name: Updated AWS connector - vars: {} + name: Updated proxy + url: http://updated-proxy.example.com:3128 schema: additionalProperties: false type: object properties: - accountType: - description: >- - The account type: single-account (single - account/subscription) or organization-account - (organization-wide). - enum: - - single-account - - organization-account + certificate: + nullable: true + type: string + certificate_authorities: + nullable: true + type: string + certificate_key: + nullable: true type: string name: - description: The name of the cloud connector. - maxLength: 255 - minLength: 1 type: string - vars: + proxy_headers: additionalProperties: anyOf: - - maxLength: 1000 - type: string - - type: number + - type: string - type: boolean - - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - maxLength: 50 - type: string - value: - anyOf: - - maxLength: 1000 - type: string - - additionalProperties: false - type: object - properties: - id: - maxLength: 255 - type: string - isSecretRef: - type: boolean - required: - - isSecretRef - - id - required: - - type - - value + - type: number + nullable: true type: object + url: + type: string + required: + - certificate_authorities + - certificate + - certificate_key responses: '200': content: application/json: examples: - putCloudConnectorExample: - description: The updated Fleet cloud connector + putFleetProxyExample: + description: The updated Fleet proxy value: item: - accountType: single-account - cloudProvider: aws - created_at: '2024-01-15T10:00:00.000Z' - id: cloud-connector-id-1 - name: Updated AWS connector - packagePolicyCount: 2 - updated_at: '2024-01-15T11:00:00.000Z' - vars: {} + id: proxy-id-1 + is_preconfigured: false + name: Updated 
proxy + url: http://updated-proxy.example.com:3128 schema: additionalProperties: false type: object @@ -28006,40 +43283,36 @@ paths: additionalProperties: false type: object properties: - accountType: + certificate: + nullable: true type: string - cloudProvider: + certificate_authorities: + nullable: true type: string - created_at: + certificate_key: + nullable: true type: string id: type: string + is_preconfigured: + default: false + type: boolean name: type: string - namespace: - type: string - packagePolicyCount: - type: number - updated_at: - type: string - vars: + proxy_headers: additionalProperties: - nullable: true + anyOf: + - type: string + - type: boolean + - type: number + nullable: true type: object - verification_failed_at: - type: string - verification_started_at: - type: string - verification_status: + url: type: string required: - id + - url - name - - cloudProvider - - vars - - packagePolicyCount - - created_at - - updated_at required: - item description: Successful response @@ -28072,119 +43345,165 @@ paths: - message - attributes description: Bad Request - summary: Update cloud connector + '404': + content: + application/json: + examples: + notFoundExample: + description: No proxy was found with the given ID + value: + error: Not Found + message: Proxy proxy-id-1 not found + statusCode: 404 + description: Not Found + summary: Update a proxy tags: - - Fleet cloud connectors - x-state: Technical Preview; added in 9.2.0 - /api/fleet/cloud_connectors/{cloudConnectorId}/usage: + - Fleet proxies + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/remote_synced_integrations/{outputId}/remote_status: get: - description: >- - Get a list of package policies that are using a given cloud - connector.
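Review bot: The 200 response schema in this hunk (and the matching GET response earlier in the file) lists `certificate_key` as a returned property of the proxy item next to `certificate` and `certificate_authorities`; if the handler returns the stored value rather than redacting it, a client private key is echoed back to any caller holding only `fleet-settings-read` on the GET route, which is a read-level privilege. Because this bundle is generated from the route schemas, the change belongs in the proxies response schema in the TypeScript source, either dropping `certificate_key` from the response item or stating in the description that the private key is returned so operators can scope the read privilege accordingly. A smaller oddity in the same hunk is that the request body marks `certificate_authorities`, `certificate` and `certificate_key` as `required` while `name` and `url` are optional, which looks like the generated rendering of `schema.nullable(...)` (required-but-nullable) rather than an intended contract; confirm callers should really be forced to send explicit nulls on every update. I did not inspect the handler, so the echo-back is inferred from the schema alone.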

[Required authorization] Route required privileges: - fleet-agent-policies-read OR integrations-read. - operationId: get-fleet-cloud-connectors-cloudconnectorid-usage + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/remote_synced_integrations/{outputId}/remote_status
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the synchronization status of remote integrations for a specific output by its ID.

[Required authorization] Route required privileges: fleet-settings-read AND integrations-read. + operationId: get-fleet-remote-synced-integrations-outputid-remote-status parameters: - - description: The unique identifier of the cloud connector. + - description: The ID of the output in: path - name: cloudConnectorId + name: outputId required: true schema: type: string - - description: The page number for pagination. - in: query - name: page - required: false - schema: - minimum: 1 - type: number - - description: The number of items per page. - in: query - name: perPage - required: false - schema: - minimum: 1 - type: number responses: '200': content: application/json: examples: - getCloudConnectorUsageResponseExample: - description: >- - Example response showing package policies using the cloud - connector + getRemoteSyncedIntegrationsInfoExample: + description: Synchronization status of remote integrations for a specific output value: - items: - - created_at: '2025-01-16T09:00:00.000Z' - id: package-policy-1 - name: CSPM AWS Policy - package: - name: cloud_security_posture - title: Cloud Security Posture Management - version: 3.1.1 - policy_ids: - - policy-id-123 - - policy-id-456 - updated_at: '2025-01-16T09:00:00.000Z' - page: 1 - perPage: 20 - total: 2 + integrations: + - id: nginx-remote + install_status: + main: installed + remote: installed + package_name: nginx + package_version: 1.20.0 + sync_status: COMPLETED + updated_at: '2024-01-01T00:00:00.000Z' schema: additionalProperties: false type: object properties: - items: - items: + custom_assets: + additionalProperties: additionalProperties: false type: object properties: - created_at: - type: string - id: + error: type: string + is_deleted: + type: boolean name: type: string - package: + package_name: + type: string + package_version: + type: string + sync_status: + enum: + - completed + - synchronizing + - failed + - warning + type: string + type: + type: string + warning: additionalProperties: false type: 
object properties: - name: + message: type: string title: type: string - version: - type: string required: - - name - title - - version - policy_ids: - items: - type: string - maxItems: 10000 - type: array + required: + - type + - name + - package_name + - package_version + - sync_status + type: object + error: + type: string + integrations: + items: + additionalProperties: false + type: object + properties: + error: + type: string + id: + type: string + install_status: + additionalProperties: false + type: object + properties: + main: + type: string + remote: + type: string + required: + - main + package_name: + type: string + package_version: + type: string + sync_status: + enum: + - completed + - synchronizing + - failed + - warning + type: string updated_at: type: string + warning: + additionalProperties: false + type: object + properties: + message: + type: string + title: + type: string + required: + - title required: - - id - - name - - policy_ids - - created_at - - updated_at + - sync_status + - install_status maxItems: 10000 type: array - page: - type: number - perPage: - type: number - total: - type: number + warning: + additionalProperties: false + type: object + properties: + message: + type: string + title: + type: string + required: + - title required: - - items - - total - - page - - perPage - description: 'OK: A successful request.' + - integrations + description: Successful response '400': content: application/json: @@ -28193,7 +43512,7 @@ paths: description: Example of a generic error response value: error: Bad Request - message: Cloud connector not found + message: An error message describing what went wrong statusCode: 400 schema: additionalProperties: false 
@@ -28213,124 +43532,158 @@ paths: required: - message - attributes - description: A bad request. - summary: Get cloud connector usage (package policies using the connector) + description: Bad Request + summary: Get remote synced integrations status by outputId tags: - - Fleet cloud connectors - x-state: Technical Preview; added in 9.2.0 - /api/fleet/data_streams: + - Fleet remote synced integrations + x-state: Generally available; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/remote_synced_integrations/status: get: - description: >- - List all Fleet-managed data streams with metadata including package, - namespace, size, and last activity.

[Required authorization] - Route required privileges: fleet-agents-all AND fleet-agent-policies-all - AND fleet-settings-all. - operationId: get-fleet-data-streams + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/remote_synced_integrations/status
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the synchronization status of all remote integrations across connected remote clusters.

[Required authorization] Route required privileges: fleet-settings-read AND integrations-read. + operationId: get-fleet-remote-synced-integrations-status parameters: [] responses: '200': content: application/json: examples: - getDataStreamsExample: - description: List of Fleet-managed data streams + getRemoteSyncedIntegrationsStatusExample: + description: Synchronization status of remote integrations across connected remote clusters value: - data_streams: - - dashboards: - - id: nginx-overview - title: Nginx Overview - dataset: nginx.access - index: logs-nginx.access-default - last_activity_ms: 1700000000000 - namespace: default - package: nginx + integrations: + - id: nginx-remote + install_status: + main: installed + remote: installed + package_name: nginx package_version: 1.20.0 - serviceDetails: null - size_in_bytes: 1048576 - size_in_bytes_formatted: 1mb - type: logs - - dashboards: [] - dataset: system.cpu - index: metrics-system.cpu-default - last_activity_ms: 1699999000000 - namespace: default - package: system + sync_status: COMPLETED + updated_at: '2024-01-01T00:00:00.000Z' + - error: Failed to sync package to remote cluster + id: system-remote + install_status: + main: installed + remote: not_installed + package_name: system package_version: 1.38.0 - serviceDetails: null - size_in_bytes: 524288 - size_in_bytes_formatted: 512kb - type: metrics + sync_status: FAILED + updated_at: '2024-01-01T00:00:00.000Z' schema: additionalProperties: false type: object properties: - data_streams: + custom_assets: + additionalProperties: + additionalProperties: false + type: object + properties: + error: + type: string + is_deleted: + type: boolean + name: + type: string + package_name: + type: string + package_version: + type: string + sync_status: + enum: + - completed + - synchronizing + - failed + - warning + type: string + type: + type: string + warning: + additionalProperties: false + type: object + properties: + message: + type: string + title: + type: string + 
required: + - title + required: + - type + - name + - package_name + - package_version + - sync_status + type: object + error: + type: string + integrations: items: additionalProperties: false type: object properties: - dashboards: - items: - additionalProperties: false - type: object - properties: - id: - type: string - title: - type: string - required: - - id - - title - maxItems: 10000 - type: array - dataset: - type: string - index: + error: type: string - last_activity_ms: - type: number - namespace: + id: type: string - package: + install_status: + additionalProperties: false + type: object + properties: + main: + type: string + remote: + type: string + required: + - main + package_name: type: string package_version: type: string - serviceDetails: + sync_status: + enum: + - completed + - synchronizing + - failed + - warning + type: string + updated_at: + type: string + warning: additionalProperties: false - nullable: true type: object properties: - environment: + message: type: string - serviceName: + title: type: string required: - - environment - - serviceName - size_in_bytes: - type: number - size_in_bytes_formatted: - anyOf: - - type: number - - type: string - type: - type: string + - title required: - - index - - dataset - - namespace - - type - - package - - package_version - - last_activity_ms - - size_in_bytes - - size_in_bytes_formatted - - dashboards - - serviceDetails + - sync_status + - install_status maxItems: 10000 type: array + warning: + additionalProperties: false + type: object + properties: + message: + type: string + title: + type: string + required: + - title required: - - data_streams + - integrations description: Successful response '400': content: @@ -28361,90 +43714,69 @@ paths: - message - attributes description: Bad Request - summary: Get data streams + summary: Get remote synced integrations status tags: - - Data streams - /api/fleet/enrollment_api_keys: - get: - description: >- - List all enrollment API keys.

[Required authorization] Route - required privileges: fleet-agents-all OR fleet-setup. - operationId: get-fleet-enrollment-api-keys + - Fleet remote synced integrations + x-state: Generally available; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/service_tokens: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/service_tokens
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a Fleet Server service token. The token is used to enroll Fleet Server instances with Kibana.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: post-fleet-service-tokens parameters: - - description: Page number - in: query - name: page - required: false - schema: - default: 1 - type: number - - description: Number of results per page - in: query - name: perPage - required: false - schema: - default: 20 - type: number - - description: A KQL query string to filter results - in: query - name: kuery - required: false + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: + example: 'true' type: string + requestBody: + content: + application/json: + examples: + postGenerateServiceTokenRequestExample: + description: Generate a service token for a remote Fleet Server + value: + remote: true + schema: + additionalProperties: false + nullable: true + type: object + properties: + remote: + default: false + type: boolean responses: '200': content: application/json: examples: - getEnrollmentApiKeysExample: - description: List of enrollment API keys + postGenerateServiceTokenExample: + description: The generated Fleet Server service token value: - items: - - active: true - api_key: api-key-value-1 - api_key_id: api-key-id-1 - created_at: '2024-01-01T00:00:00.000Z' - id: key-id-1 - name: Default policy enrollment key - policy_id: policy-id-1 - list: - - active: true - api_key: api-key-value-1 - api_key_id: api-key-id-1 - created_at: '2024-01-01T00:00:00.000Z' - id: key-id-1 - name: Default policy enrollment key - policy_id: policy-id-1 - page: 1 - perPage: 20 - total: 1 + name: elastic/fleet-server/token-1234567890 + value: AAEAAWVsYXN0aWMvZmxlZXQtc2VydmVyL3Rva2VuLTEyMzQ1Njc4OTA6QUJDREVGR0hJSktMTU5P schema: additionalProperties: false type: object properties: - items: - items: - $ref: '#/components/schemas/Kibana_HTTP_APIs_enrollment_api_key' - maxItems: 10000 - type: array - list: - deprecated: true - items: - $ref: 
'#/components/schemas/Kibana_HTTP_APIs_enrollment_api_key' - maxItems: 10000 - type: array - page: - type: number - perPage: - type: number - total: - type: number + name: + type: string + value: + type: string required: - - items - - total - - page - - perPage - - list + - name + - value description: Successful response '400': content: @@ -28475,55 +43807,118 @@ paths: - message - attributes description: Bad Request - summary: Get enrollment API keys + summary: Create a service token tags: - - Fleet enrollment API keys - post: - description: >- - Create an enrollment API key for a given agent - policy.

[Required authorization] Route required privileges: - fleet-agents-all. - operationId: post-fleet-enrollment-api-keys - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postEnrollmentApiKeyRequestExample: - description: Create an enrollment API key for an agent policy - value: - expiration: '2025-01-01T00:00:00.000Z' - name: My enrollment key - policy_id: policy-id-1 - schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_enrollment_api_key' + - Fleet service tokens + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/settings: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/settings
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the global Fleet settings.

[Required authorization] Route required privileges: fleet-settings-read. + operationId: get-fleet-settings + parameters: [] responses: '200': content: application/json: examples: - postEnrollmentApiKeyExample: - description: The created enrollment API key + getSettingsExample: + description: The current Fleet settings value: - action: created item: - active: true - api_key: api-key-value-1 - api_key_id: api-key-id-1 - created_at: '2024-01-01T00:00:00.000Z' - id: key-id-1 - name: My enrollment key - policy_id: policy-id-1 + delete_unenrolled_agents: + enabled: false + is_preconfigured: false + has_seen_add_data_notice: true + id: fleet-default-settings + output_secret_storage_requirements_met: true + prerelease_integrations_enabled: false + secret_storage_requirements_met: true + version: WzEsMV0= schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_enrollment_api_key_response + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + action_secret_storage_requirements_met: + type: boolean + delete_unenrolled_agents: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + is_preconfigured: + type: boolean + required: + - enabled + - is_preconfigured + download_source_auth_secret_storage_requirements_met: + type: boolean + has_seen_add_data_notice: + type: boolean + id: + type: string + ilm_migration_status: + additionalProperties: false + type: object + properties: + logs: + enum: + - success + nullable: true + type: string + metrics: + enum: + - success + nullable: true + type: string + synthetics: + enum: + - success + nullable: true + type: string + integration_knowledge_enabled: + type: boolean + output_secret_storage_requirements_met: + type: boolean + preconfigured_fields: + items: + enum: + - fleet_server_hosts + type: string + maxItems: 1 + type: array + prerelease_integrations_enabled: + type: boolean + secret_storage_requirements_met: + type: boolean 
+ ssl_secret_storage_requirements_met: + type: boolean + use_space_awareness_migration_started_at: + nullable: true + type: string + use_space_awareness_migration_status: + enum: + - pending + - success + - error + type: string + version: + type: string + required: + - item description: Successful response '400': content: @@ -28554,15 +43949,41 @@ paths: - message - attributes description: Bad Request - summary: Create an enrollment API key + '404': + content: + application/json: + examples: + notFoundExample: + description: Fleet settings have not been initialized + value: + error: Not Found + message: Settings not found + statusCode: 404 + schema: + additionalProperties: false + type: object + properties: + message: + type: string + required: + - message + description: Not Found + summary: Get settings tags: - - Fleet enrollment API keys - /api/fleet/enrollment_api_keys/_bulk_delete: - post: - description: >- - Revoke or delete multiple enrollment API keys.

[Required - authorization] Route required privileges: fleet-agents-all. - operationId: post-fleet-enrollment-api-keys-bulk-delete + - Fleet internals + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/fleet/settings
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update the global Fleet settings.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: put-fleet-settings parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -28575,121 +43996,139 @@ paths: content: application/json: examples: - bulkDeleteByIdsExample: - description: Bulk delete enrollment API keys by IDs - value: - forceDelete: true - tokenIds: - - token-id-1 - - token-id-2 - bulkDeleteByKueryExample: - description: Bulk delete enrollment API keys by KQL query + putSettingsRequestExample: + description: Update Fleet settings to enable pre-release integrations value: - forceDelete: false - kuery: policy_id:"policy-id-1" + prerelease_integrations_enabled: true schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_bulk_delete_enrollment_api_keys_request + additionalProperties: false + type: object + properties: + additional_yaml_config: + deprecated: true + type: string + delete_unenrolled_agents: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + is_preconfigured: + type: boolean + required: + - enabled + - is_preconfigured + has_seen_add_data_notice: + deprecated: true + type: boolean + integration_knowledge_enabled: + type: boolean + kibana_ca_sha256: + deprecated: true + type: string + kibana_urls: + deprecated: true + items: + format: uri + type: string + maxItems: 10 + type: array + prerelease_integrations_enabled: + type: boolean responses: '200': content: application/json: examples: - bulkDeleteEnrollmentApiKeysExample: - description: The enrollment API keys were successfully processed - value: - action: deleted - count: 2 - errorCount: 0 - successCount: 2 - schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_bulk_delete_enrollment_api_keys_response - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response + putSettingsExample: + description: The updated Fleet settings value: - error: Bad Request - message: Either tokenIds or kuery must be provided - statusCode: 400 + item: + delete_unenrolled_agents: + enabled: false + is_preconfigured: false + 
has_seen_add_data_notice: true + id: fleet-default-settings + output_secret_storage_requirements_met: true + prerelease_integrations_enabled: true + secret_storage_requirements_met: true + version: WzIsMV0= schema: additionalProperties: false - description: Generic Error type: object properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number + item: + additionalProperties: false + type: object + properties: + action_secret_storage_requirements_met: + type: boolean + delete_unenrolled_agents: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + is_preconfigured: + type: boolean + required: + - enabled + - is_preconfigured + download_source_auth_secret_storage_requirements_met: + type: boolean + has_seen_add_data_notice: + type: boolean + id: + type: string + ilm_migration_status: + additionalProperties: false + type: object + properties: + logs: + enum: + - success + nullable: true + type: string + metrics: + enum: + - success + nullable: true + type: string + synthetics: + enum: + - success + nullable: true + type: string + integration_knowledge_enabled: + type: boolean + output_secret_storage_requirements_met: + type: boolean + preconfigured_fields: + items: + enum: + - fleet_server_hosts + type: string + maxItems: 1 + type: array + prerelease_integrations_enabled: + type: boolean + secret_storage_requirements_met: + type: boolean + ssl_secret_storage_requirements_met: + type: boolean + use_space_awareness_migration_started_at: + nullable: true + type: string + use_space_awareness_migration_status: + enum: + - pending + - success + - error + type: string + version: + type: string required: - - message - - attributes - description: Bad Request - summary: Bulk revoke or delete enrollment API keys - tags: - - Fleet enrollment API keys - x-state: Generally available; added in 9.5.0 - /api/fleet/enrollment_api_keys/{keyId}: - delete: - 
description: >- - Revoke or delete an enrollment API key by ID. Use `forceDelete=true` to - remove the document.

[Required authorization] Route required - privileges: fleet-agents-all. - operationId: delete-fleet-enrollment-api-keys-keyid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The ID of the enrollment API key - in: path - name: keyId - required: true - schema: - type: string - - description: >- - When false (default), invalidate the API key and mark the token as - inactive. When true, also delete the token document. - in: query - name: forceDelete - required: false - schema: - default: false - type: boolean - - description: >- - When true, allow deletion of hidden enrollment tokens - (managed/agentless policies). Defaults to false. - in: query - name: includeHidden - required: false - schema: - default: false - type: boolean - responses: - '200': - content: - application/json: - examples: - deleteEnrollmentApiKeyExample: - description: The enrollment API key was successfully revoked - value: - action: deleted - schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_delete_enrollment_api_key_response + - item description: Successful response '400': content: @@ -28725,97 +44164,37 @@ paths: application/json: examples: notFoundExample: - description: No enrollment API key was found with the given ID + description: Fleet settings have not been initialized value: error: Not Found - message: EnrollmentAPIKey key-id-1 not found + message: Settings not found statusCode: 404 - description: Not Found - summary: Revoke or delete an enrollment API key - tags: - - Fleet enrollment API keys - get: - description: >- - Get an enrollment API key by ID.

[Required authorization] Route - required privileges: fleet-agents-all OR fleet-setup. - operationId: get-fleet-enrollment-api-keys-keyid - parameters: - - description: The ID of the enrollment API key - in: path - name: keyId - required: true - schema: - type: string - responses: - '200': - content: - application/json: - examples: - getEnrollmentApiKeyExample: - description: An enrollment API key - value: - item: - active: true - api_key: api-key-value-1 - api_key_id: api-key-id-1 - created_at: '2024-01-01T00:00:00.000Z' - id: key-id-1 - name: Default policy enrollment key - policy_id: policy-id-1 - schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_enrollment_api_key_response - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 schema: additionalProperties: false - description: Generic Error type: object properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string message: type: string - statusCode: - type: number required: - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No enrollment API key was found with the given ID - value: - error: Not Found - message: EnrollmentAPIKey key-id-1 not found - statusCode: 404 description: Not Found - summary: Get an enrollment API key + summary: Update settings tags: - - Fleet enrollment API keys - /api/fleet/epm/bulk_assets: + - Fleet internals + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/setup: post: - description: >- - Retrieve multiple Kibana saved object assets by their IDs and - types.

[Required authorization] Route required privileges: - integrations-read OR fleet-setup OR fleet-all. - operationId: post-fleet-epm-bulk-assets + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/fleet/setup
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Initialize Fleet and create the necessary Elasticsearch resources for Fleet to operate. Safe to call multiple times (idempotent). Returns the initialization status and any non-fatal errors encountered during setup.

[Required authorization] Route required privileges: fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup. + operationId: post-fleet-setup parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -28824,37 +44203,48 @@ paths: schema: example: 'true' type: string - requestBody: - content: - application/json: - examples: - postBulkGetAssetsRequestExample: - description: Retrieve multiple assets by their IDs and types - value: - assetIds: - - id: dashboard-id-1 - type: dashboard - - id: index-pattern-id-1 - type: index_pattern - schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_get_bulk_assets_request' responses: '200': content: application/json: examples: - postBulkGetAssetsExample: - description: Requested assets + fleetSetupSuccessExample: + description: Fleet initialized successfully with no non-fatal errors value: - items: - - appLink: /app/dashboards#/view/dashboard-id-1 - attributes: - title: My Dashboard - id: dashboard-id-1 - type: dashboard + isInitialized: true + nonFatalErrors: [] + fleetSetupWithNonFatalErrorsExample: + description: Fleet initialized but encountered non-fatal errors during setup + value: + isInitialized: true + nonFatalErrors: + - message: Package fleet_server not found in registry + name: PackageNotFoundError schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_get_bulk_assets_response' - description: Successful response + additionalProperties: false + description: A summary of the result of Fleet's `setup` lifecycle. If `isInitialized` is true, Fleet is ready to accept agent enrollment. `nonFatalErrors` may include useful insight into non-blocking issues with Fleet setup. + type: object + properties: + isInitialized: + type: boolean + nonFatalErrors: + items: + additionalProperties: false + type: object + properties: + message: + type: string + name: + type: string + required: + - name + - message + maxItems: 10000 + type: array + required: + - isInitialized + - nonFatalErrors + description: Fleet setup completed '400': content: application/json: 
@@ -28884,163 +44274,92 @@ paths: - message - attributes description: Bad Request - summary: Bulk get assets - tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/categories: - get: - description: >- - Get a list of integration categories.

[Required authorization] - Route required privileges: integrations-read OR fleet-setup OR - fleet-all. - operationId: get-fleet-epm-categories - parameters: - - description: When true, include prerelease packages in the results - in: query - name: prerelease - required: false - schema: - type: boolean - - description: When true, include categories that only contain policy templates - in: query - name: include_policy_templates - required: false - schema: - type: boolean - responses: - '200': - content: - application/json: - examples: - getCategoriesExample: - description: List of integration categories - value: - items: - - count: 42 - id: security - title: Security - - count: 38 - id: observability - title: Observability - schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_get_categories_response' - description: Successful response - '400': + '500': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + internalErrorResponseExample: + description: Example of an internal server error response value: - error: Bad Request + error: Internal Server Error message: An error message describing what went wrong - statusCode: 400 + statusCode: 500 schema: additionalProperties: false - description: Generic Error + description: Internal Server Error type: object properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string message: type: string - statusCode: - type: number required: - message - - attributes - description: Bad Request - summary: Get package categories + description: Internal Server Error + summary: Initiate Fleet setup tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/custom_integrations: - post: - description: >- - Create a new custom integration package with user-defined data - streams.

[Required authorization] Route required privileges: - integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-custom-integrations - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postCreateCustomIntegrationRequestExample: - description: Create a new custom integration - value: - datasets: - - name: my_custom_logs.access - type: logs - integrationName: my_custom_logs - schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_create_custom_integration_request + - Fleet internals + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/space_settings: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/space_settings
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the Fleet settings for the current Kibana space. + operationId: get-fleet-space-settings + parameters: [] responses: '200': content: application/json: examples: - postCreateCustomIntegrationExample: - description: Custom integration successfully created - value: - _meta: - install_source: custom - items: - - id: my_custom_logs-logs-my_custom_logs.access - type: index_template - schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_install_package_response' - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response + getSpaceSettingsExample: + description: The Fleet settings for the current Kibana space value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + item: + allowed_namespace_prefixes: + - team-a + - team-b schema: additionalProperties: false - description: Generic Error type: object properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number + item: + additionalProperties: false + type: object + properties: + allowed_namespace_prefixes: + items: + type: string + maxItems: 100 + type: array + managed_by: + type: string + required: + - allowed_namespace_prefixes required: - - message - - attributes - description: Bad Request - summary: Create a custom integration - tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/custom_integrations/{pkgName}: + - item + description: Successful response + summary: Get space settings + tags: [] + x-state: Generally available; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name put: - description: >- - Update the datasets of an existing custom integration - package.

[Required authorization] Route required privileges: - fleet-settings-all AND integrations-all. - operationId: put-fleet-epm-custom-integrations-pkgname + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/fleet/space_settings
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create or update Fleet settings for the current Kibana space.

[Required authorization] Route required privileges: fleet-settings-all. + operationId: put-fleet-space-settings parameters: - description: A required header to protect against CSRF attacks in: header @@ -29049,54 +44368,177 @@ paths: schema: example: 'true' type: string - - description: Package name - in: path - name: pkgName - required: true - schema: - type: string requestBody: content: application/json: examples: - putUpdateCustomIntegrationRequestExample: - description: Update a custom integration + putSpaceSettingsRequestExample: + description: Update allowed namespace prefixes for the current Kibana space value: - datasets: - - name: my_custom_logs.access - type: logs - integrationName: my_custom_logs + allowed_namespace_prefixes: + - team-a + - team-b schema: additionalProperties: false type: object properties: - categories: + allowed_namespace_prefixes: items: type: string maxItems: 10 type: array - readMeData: - type: string - required: - - readMeData responses: '200': content: application/json: examples: - putUpdateCustomIntegrationExample: - description: Custom integration successfully updated - value: {} + putSpaceSettingsExample: + description: The updated Fleet settings for the current Kibana space + value: + item: + allowed_namespace_prefixes: + - team-a + - team-b + schema: + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + allowed_namespace_prefixes: + items: + type: string + maxItems: 100 + type: array + managed_by: + type: string + required: + - allowed_namespace_prefixes + required: + - item description: Successful response - '400': + summary: Create space settings + tags: [] + x-state: Generally available; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/uninstall_tokens: + get: + description: |- + **Spaces method and path for this operation:** + +
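Review bot: The new `get` operation for `/api/fleet/space_settings` has no `[Required authorization]` section in its description, while the `put` right after it states `Route required privileges: fleet-settings-all.`; a reader of the rendered docs cannot tell whether reading space settings is privilege-gated at all, so the description should end with `[Required authorization] Route required privileges: <read privilege for this route>.` once confirmed against the route definition. Both space-settings operations also carry `tags: []`, so they will not be grouped with the other Fleet operations in the generated reference, unlike the neighbouring `Fleet internals` and `Fleet uninstall tokens` entries in this hunk. If this YAML is a bundled output, the fix belongs in the route metadata it is generated from rather than in this file.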
get /s/{space_id}/api/fleet/uninstall_tokens
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List the metadata for the latest uninstall tokens per agent policy.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: get-fleet-uninstall-tokens + parameters: + - description: Partial match filtering for policy IDs + in: query + name: policyId + required: false + schema: + maxLength: 50 + type: string + - description: Partial match filtering for uninstall token values + in: query + name: search + required: false + schema: + maxLength: 50 + type: string + - description: The number of items to return + in: query + name: perPage + required: false + schema: + minimum: 5 + type: number + - description: Page number + in: query + name: page + required: false + schema: + minimum: 1 + type: number + responses: + '200': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + getUninstallTokensExample: + description: List of uninstall token metadata for agent policies + value: + items: + - created_at: '2024-01-01T00:00:00.000Z' + id: token-id-1 + namespaces: + - default + policy_id: policy-id-1 + policy_name: Default policy + - created_at: '2024-01-02T00:00:00.000Z' + id: token-id-2 + namespaces: + - production + policy_id: policy-id-2 + policy_name: Production policy + page: 1 + perPage: 20 + total: 2 + schema: + additionalProperties: false + type: object + properties: + items: + items: + additionalProperties: false + type: object + properties: + created_at: + type: string + id: + type: string + namespaces: + items: + type: string + maxItems: 100 + type: array + policy_id: + type: string + policy_name: + nullable: true + type: string + required: + - id + - policy_id + - created_at + maxItems: 10000 + type: array + page: + type: number + perPage: + type: number + total: + type: number + required: + - items + - total + - page + - perPage + description: Successful response + '400': + content: + application/json: + examples: + conflictingQueryParamsExample: + description: Both policyId and search query parameters were provided value: error: Bad 
Request - message: An error message describing what went wrong + message: Query parameters `policyId` and `search` cannot be used at the same time. statusCode: 400 schema: additionalProperties: false @@ -29117,72 +44559,77 @@ paths: - message - attributes description: Bad Request - summary: Update a custom integration + summary: Get metadata for latest uninstall tokens tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/data_streams: + - Fleet uninstall tokens + x-metaTags: + - content: Kibana + name: product_name + /api/fleet/uninstall_tokens/{uninstallTokenId}: get: - description: >- - Get a list of data streams created by installed integration - packages.
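Review bot: The `put` request body caps `allowed_namespace_prefixes` at `maxItems: 10` while the `put` 200 response schema for the same field allows `maxItems: 100`, so the spec advertises a response shape that the request can never produce; the two limits should agree or the difference should be explained in a `description`. Further down, `policyId` and `search` on `/api/fleet/uninstall_tokens` are documented as two independent partial-match filters, yet the only place their mutual exclusivity appears is the `'400'` example message `cannot be used at the same time`; each parameter description should state it, e.g. `description: Partial match filtering for policy IDs. Cannot be combined with \`search\`.` and the mirror on `search`. `perPage` declares `minimum: 5` but no `maximum` even though the response `items` array is capped at `maxItems: 10000`; if the server enforces an upper page size it should be in the parameter schema so clients can rely on it. If this file is generated, these belong in the source schemas.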

[Required authorization] Route required privileges: - integrations-read OR fleet-setup OR fleet-all. - operationId: get-fleet-epm-data-streams + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/fleet/uninstall_tokens/{uninstallTokenId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get one decrypted uninstall token by its ID.

[Required authorization] Route required privileges: fleet-agents-all. + operationId: get-fleet-uninstall-tokens-uninstalltokenid parameters: - - description: Filter by data stream type - in: query - name: type - required: false - schema: - enum: - - logs - - metrics - - traces - - synthetics - - profiling - type: string - - description: Filter data streams by dataset name - in: query - name: datasetQuery - required: false - schema: - type: string - - description: Sort order, ascending or descending - in: query - name: sortOrder - required: false + - description: The ID of the uninstall token + in: path + name: uninstallTokenId + required: true schema: - default: asc - enum: - - asc - - desc type: string - - description: >- - When true, only return data streams that are not associated with a - package - in: query - name: uncategorisedOnly - required: false - schema: - default: false - type: boolean responses: '200': content: application/json: examples: - getDataStreamsExample: - description: List of data streams from installed packages + getUninstallTokenExample: + description: Decrypted uninstall token for an agent policy value: - data_streams: - - ilm_policy: logs-default - index_template: logs-system.syslog - name: logs-system.syslog-default - package: system - package_version: 1.55.0 - title: System syslog logs + item: + created_at: '2024-01-01T00:00:00.000Z' + id: token-id-1 + namespaces: + - default + policy_id: policy-id-1 + policy_name: Default policy + token: CKHJsJcBqNwIRcRBNDaE schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_get_data_streams_response + additionalProperties: false + type: object + properties: + item: + additionalProperties: false + type: object + properties: + created_at: + type: string + id: + type: string + namespaces: + items: + type: string + maxItems: 100 + type: array + policy_id: + type: string + policy_name: + nullable: true + type: string + token: + type: string + required: + - id + - policy_id + - created_at + - token 
+ required: + - item description: Successful response '400': content: @@ -29213,2796 +44660,2623 @@ paths: - message - attributes description: Bad Request - summary: Get data streams + '404': + content: + application/json: + examples: + notFoundExample: + description: No uninstall token was found with the given ID + value: + error: Not Found + message: Uninstall Token not found with ID token-id-1 + statusCode: 404 + description: Not Found + summary: Get a decrypted uninstall token tags: - - Data streams - /api/fleet/epm/packages: - get: - description: >- - Get a list of integration packages available in the - registry.
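Review bot: The `token` property in the 200 response schema is the decrypted secret this operation exists to return, but it carries no `description`, so a rendered spec shows it as an anonymous required `string` alongside `id` and `created_at`; add `description: The decrypted uninstall token value.` under `token`. Since the example value `CKHJsJcBqNwIRcRBNDaE` is shaped like a real token, consider an obviously synthetic placeholder so copied examples are never mistaken for live credentials. If this YAML is a bundled output, the description belongs in the route response schema it is generated from.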

[Required authorization] Route required privileges: - integrations-read OR fleet-setup OR fleet-all. - operationId: get-fleet-epm-packages + - Fleet uninstall tokens + x-metaTags: + - content: Kibana + name: product_name + /api/lists: + delete: + description: | + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/lists
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a value list using the list ID. + > info + > When you delete a list, all of its list items are also deleted. + operationId: DeleteList parameters: - - description: Filter packages by category - in: query - name: category - required: false - schema: - type: string - - description: When true, include prerelease packages in the results + - description: Value list identifier to delete, including all of its list items. in: query - name: prerelease - required: false + name: id + required: true schema: - type: boolean - - description: When true, exclude the install status from the response + $ref: '#/components/schemas/Security_Lists_API_ListId' + - description: Determines whether exception items referencing this value list should be deleted. in: query - name: excludeInstallStatus + name: deleteReferences required: false schema: + default: false + example: false type: boolean - - description: When true, include the number of package policies per package + - description: Determines whether to delete value list without performing any additional checks of where this list may be utilized. in: query - name: withPackagePoliciesCount + name: ignoreReferences required: false schema: + default: false + example: false type: boolean responses: '200': content: application/json: examples: - getPackagesExample: - description: List of available integration packages + ipList: value: - items: - - categories: - - cloud - description: Collect logs and metrics from Amazon Web Services - id: aws - name: aws - status: not_installed - title: AWS - version: 2.10.0 - searchExcluded: 0 - total: 1 + _version: WzIsMV0= + '@timestamp': '2025-01-08T04:47:34.273Z' + created_at: '2025-01-08T04:47:34.273Z' + created_by: elastic + description: List of bad internet ips. 
+ id: 21b01cfb-058d-44b9-838c-282be16c91cd + immutable: false + name: Bad ips + tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 + type: ip + updated_at: '2025-01-08T05:39:39.292Z' + updated_by: elastic + version: 3 schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_get_packages_response' + $ref: '#/components/schemas/Security_Lists_API_List' description: Successful response '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequest: value: error: Bad Request - message: An error message describing what went wrong + message: '[request query]: id: Required' statusCode: 400 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get packages + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [DELETE /api/lists?id=ip_list] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: 
'#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'list id: \"ip_list\" was not found' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Delete a value list tags: - - Elastic Package Manager (EPM) - post: - description: >- - Install a package by uploading a .zip or .tar.gz archive (max 100MB). - Only available to superusers.

[Required authorization] Route - required privileges: integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages + - Security Lists API + x-metaTags: + - content: Kibana + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/lists
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the details of a value list using the list ID. + operationId: ReadList parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: When true, ignore mapping update errors during installation - in: query - name: ignoreMappingUpdateErrors - required: false - schema: - default: false - type: boolean - - description: When true, skip data stream rollover after installation + - description: Value list identifier (`id`) returned when the list was created. in: query - name: skipDataStreamRollover - required: false + name: id + required: true schema: - default: false - type: boolean + $ref: '#/components/schemas/Security_Lists_API_ListId' + responses: + '200': + content: + application/json: + examples: + ip: + value: + _version: WzEsMV0= + '@timestamp': '2025-01-08T04:47:34.273Z' + created_at: '2025-01-08T04:47:34.273Z' + created_by: elastic + description: This list describes bad internet ip + id: ip_list + immutable: false + name: My bad ips + tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 + type: ip + updated_at: '2025-01-08T05:21:53.843Z' + updated_by: elastic + version: 1 + schema: + $ref: '#/components/schemas/Security_Lists_API_List' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request query]: id: Required' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] 
for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [GET /api/lists?id=ip_list] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'list id: \"foo\" not found' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Get value list details + tags: + - Security Lists API + x-metaTags: + - content: Kibana + name: product_name + patch: + description: |- + **Spaces method and path for this operation:** + +
patch /s/{space_id}/api/lists
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update specific fields of an existing list using the list `id`. + operationId: PatchList requestBody: content: - application/gzip: + application/json: examples: - postInstallByUploadRequestExample: - description: Upload a .zip or .tar.gz package archive (max 100MB) - value: - application/gzip; application/zip: + patchName: + value: + id: ip_list + name: Bad ips list - UPDATED + schema: + example: + id: ip_list + name: Bad ips list - UPDATED + type: object + properties: + _version: + $ref: '#/components/schemas/Security_Lists_API_ListVersionId' + description: + $ref: '#/components/schemas/Security_Lists_API_ListDescription' + id: + $ref: '#/components/schemas/Security_Lists_API_ListId' + meta: + $ref: '#/components/schemas/Security_Lists_API_ListMetadata' + name: + $ref: '#/components/schemas/Security_Lists_API_ListName' + version: + $ref: '#/components/schemas/Security_Lists_API_ListVersion' + required: + - id + description: Value list's properties + required: true + responses: + '200': + content: + application/json: + examples: + ip: + value: + _version: WzEsMV0= + '@timestamp': '2025-01-08T04:47:34.273Z' + created_at: '2025-01-08T04:47:34.273Z' + created_by: elastic + description: This list describes bad internet ips + id: ip_list + immutable: false + name: Bad ips list - UPDATED + tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 + type: ip + updated_at: '2025-01-08T05:21:53.843Z' + updated_by: elastic + version: 2 + schema: + $ref: '#/components/schemas/Security_Lists_API_List' + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: '[request body]: name: Expected string, received number' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + 
description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [PATCH /api/lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'list id: \"foo\" not found' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Patch a value list + tags: + - Security Lists API + x-metaTags: + - content: Kibana + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/lists
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new value list. + operationId: CreateList + requestBody: + content: + application/json: examples: - postInstallByUploadRequestExample: - description: Upload a .zip or .tar.gz package archive (max 100MB) - value: + ip: + value: + description: This list describes bad internet ips + id: ip_list + name: Simple list with ips + type: ip + ip_range: + value: + description: This list has ip ranges + id: ip_range_list + name: Simple list with ip ranges + type: ip_range + keyword: + value: + description: This list describes bad host names + id: keyword_list + name: Simple list with a keyword + type: keyword + keyword_custom_format: + value: + description: This parses the first found ipv4 only + id: keyword_custom_format_list + name: Simple list with a keyword using a custom format + type: keyword schema: - format: binary - type: string + type: object + properties: + description: + $ref: '#/components/schemas/Security_Lists_API_ListDescription' + id: + $ref: '#/components/schemas/Security_Lists_API_ListId' + meta: + $ref: '#/components/schemas/Security_Lists_API_ListMetadata' + name: + $ref: '#/components/schemas/Security_Lists_API_ListName' + type: + $ref: '#/components/schemas/Security_Lists_API_ListType' + version: + default: 1 + minimum: 1 + type: integer + required: + - name + - description + - type + description: Value list's properties + required: true responses: '200': content: - application/gzip; application/zip: + application/json: examples: - postInstallByUploadExample: - description: Package successfully installed from upload + ip: value: - _meta: - install_source: upload - items: - - id: my-custom-package-logs-default - type: index_template + _version: WzAsMV0= + '@timestamp': '2025-01-08T04:47:34.273Z' + created_at: '2025-01-08T04:47:34.273Z' + created_by: elastic + description: This list describes bad internet ips + id: ip_list + immutable: false + 
name: Simple list with ips + tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 + type: ip + updated_at: '2025-01-08T04:47:34.273Z' + updated_by: elastic + version: 1 + ip_range: + value: + _version: WzAsMV0= + '@timestamp': '2025-01-09T18:23:52.241Z' + created_at: '2025-01-09T18:23:52.241Z' + created_by: elastic + description: This list has ip ranges + id: ip_range_list + immutable: false + name: Simple list with ip ranges + tie_breaker_id: 74aebdaf-601f-4940-b351-155728ff7003 + type: ip_range + updated_at: '2025-01-09T18:23:52.241Z' + updated_by: elastic + version: 1 + keyword: + value: + _version: WzEsMV0= + '@timestamp': '2025-01-09T18:24:55.786Z' + created_at: '2025-01-09T18:24:55.786Z' + created_by: elastic + description: This list describes bad host names + id: keyword_list + immutable: false + name: Simple list with a keyword + tie_breaker_id: f7e7dbaa-daf7-4c9a-a3dc-56643923ef68 + type: keyword + updated_at: '2025-01-09T18:24:55.786Z' + updated_by: elastic + version: 1 + keyword_custom_format: + value: + _version: WzIsMV0= + '@timestamp': '2025-01-09T18:25:39.604Z' + created_at: '2025-01-09T18:25:39.604Z' + created_by: elastic + description: This parses the first found ipv4 only + id: keyword_custom_format_list + immutable: false + name: Simple list with a keyword using a custom format + tie_breaker_id: 8247ae63-b780-47b8-9a89-948b643e9ec2 + type: keyword + updated_at: '2025-01-09T18:25:39.604Z' + updated_by: elastic + version: 1 schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_install_package_response' + $ref: '#/components/schemas/Security_Lists_API_List' + description: Successful response + '400': + content: application/json: examples: - postInstallByUploadExample: - description: Package successfully installed from upload + notFound: value: - _meta: - install_source: upload - items: - - id: my-custom-package-logs-default - type: index_template - description: Successful response - '400': + message: To create a list, the data stream must exist 
first. Data stream \".lists-default\" does not exist + status_code: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': content: - application/gzip; application/zip: + application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + unauthorized: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + forbidden: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - description: Bad Request - summary: Install a package by upload - tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/_bulk: - post: - description: >- - Install multiple packages from the Elastic Package Registry in a single - request.

[Required authorization] Route required privileges: - integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-bulk - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: When true, allow installing prerelease versions - in: query - name: prerelease - required: false - schema: - type: boolean - requestBody: - content: - application/json: - examples: - postBulkInstallPackagesRequestExample: - description: Install multiple packages from the registry - value: - packages: - - system - - aws - schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_bulk_install_packages_from_registry_request - responses: - '200': + error: Forbidden + message: API [POST /api/lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '409': content: application/json: examples: - postBulkInstallPackagesExample: - description: Bulk install results + alreadyExists: value: - items: - - name: system - result: - assets: [] - status: installed - - name: aws - result: - assets: [] - status: installed + message: 'list id: "keyword_custom_format_list" already exists' + status_code: 409 schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_bulk_install_packages_from_registry_response - description: Successful response - '400': + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List already exists response + '500': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + serverError: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + message: Internal Server Error + status_code: 500 schema: - 
additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Bulk install packages + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Create a value list tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/_bulk_namespace_customization: - post: - description: >- - Enable or disable namespace-level index template customization for a - list of packages in one call. Use this for IaC-style declarative - flows.

[Required authorization] Route required privileges: - integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-bulk-namespace-customization - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string + - Security Lists API + x-metaTags: + - content: Kibana + name: product_name + put: + description: | + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/lists
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update a value list using the list `id`. The original list is replaced, and all unspecified fields are deleted. + > info + > You cannot modify the `id` value. + operationId: UpdateList requestBody: content: application/json: examples: - bulkNamespaceCustomizationRequest: + replaceList: value: - disable: - - dev - enable: - - production - - staging - packages: - - system - - nginx + description: Latest list of bad ips + id: ip_list + name: Bad ips - updated schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_bulk_namespace_customization_request + example: + description: Latest list of bad ips + id: ip_list + name: Bad ips - updated + type: object + properties: + _version: + $ref: '#/components/schemas/Security_Lists_API_ListVersionId' + description: + $ref: '#/components/schemas/Security_Lists_API_ListDescription' + id: + $ref: '#/components/schemas/Security_Lists_API_ListId' + meta: + $ref: '#/components/schemas/Security_Lists_API_ListMetadata' + name: + $ref: '#/components/schemas/Security_Lists_API_ListName' + version: + $ref: '#/components/schemas/Security_Lists_API_ListVersion' + required: + - id + - name + - description + description: Value list's properties + required: true responses: '200': content: application/json: examples: - successResponse: + ip: value: - items: - - name: system - namespace_customization_enabled_for: - - production - - staging - success: true - - error: Package nginx is not installed - name: nginx - success: false + _version: WzIsMV0= + '@timestamp': '2025-01-08T04:47:34.273Z' + created_at: '2025-01-08T04:47:34.273Z' + created_by: elastic + description: Latest list of bad ips + id: ip_list + immutable: false + name: Bad ips - updated + tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 + type: ip + updated_at: '2025-01-08T05:39:39.292Z' + updated_by: elastic + version: 3 schema: - $ref: >- - 
#/components/schemas/Kibana_HTTP_APIs_bulk_namespace_customization_response - description: 'OK: A successful request.' + $ref: '#/components/schemas/Security_Lists_API_List' + description: Successful response '400': content: application/json: examples: - badRequestResponse: + badRequest: value: error: Bad Request - message: >- - Namespaces must not appear in both enable and disable: - production + message: '[request body]: id: Expected string, received number' statusCode: 400 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: A bad request. - summary: Bulk enable/disable namespace-level customization for packages - tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/_bulk_rollback: - post: - description: >- - Rollback multiple packages to their previous - versions.

[Required authorization] Route required privileges: - integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-bulk-rollback - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - bulkRollbackRequest: - value: - packages: - - name: system - schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_bulk_rollback_packages_request - responses: - '200': + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': content: application/json: examples: - successResponse: + unauthorized: value: - taskId: taskId + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_bulk_rollback_packages_response - description: 'OK: A successful request.' - '400': + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': content: application/json: examples: - badRequestResponse: + forbidden: value: - message: Bad Request + error: Forbidden + message: API [PUT /api/lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: A bad request. 
- summary: Bulk rollback packages - tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/_bulk_rollback/{taskId}: - get: - description: >- - Get the status and results of a bulk package rollback - operation.

[Required authorization] Route required privileges: - integrations-all AND fleet-agent-policies-all. - operationId: get-fleet-epm-packages-bulk-rollback-taskid - parameters: - - description: Task ID of the bulk operation - in: path - name: taskId - required: true - schema: - type: string - responses: - '200': + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': content: application/json: examples: - successResponse: + notFound: value: - status: success + message: 'list id: \"foo\" not found' + status_code: 404 schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_get_one_bulk_operation_packages_response - description: 'OK: A successful request.' - '400': + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List not found response + '500': content: application/json: examples: - badRequestResponse: + serverError: value: - message: Bad Request + message: Internal Server Error + status_code: 500 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: A bad request. - summary: Get Bulk rollback packages details + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Update a value list tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/_bulk_uninstall: - post: - description: >- - Uninstall multiple packages in a single operation.

[Required - authorization] Route required privileges: integrations-all AND - fleet-agent-policies-all. - operationId: post-fleet-epm-packages-bulk-uninstall + - Security Lists API + x-metaTags: + - content: Kibana + name: product_name + /api/lists/_find: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/lists/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a paginated subset of value lists. By default, the first page is returned, with 20 results per page. + operationId: FindLists parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true + - description: The page number to return. + in: query + name: page + required: false schema: - example: 'true' + example: 1 + type: integer + - description: The number of value lists to return per page. + in: query + name: per_page + required: false + schema: + example: 20 + type: integer + - description: Determines which field is used to sort the results. + in: query + name: sort_field + required: false + schema: + example: name + format: nonempty + minLength: 1 type: string - requestBody: - content: - application/json: - examples: - postBulkUninstallPackagesRequestExample: - description: Uninstall multiple packages - value: - packages: - - name: aws - - name: gcp - schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_bulk_uninstall_packages_request + - description: Determines the sort order, which can be `desc` or `asc` + in: query + name: sort_order + required: false + schema: + enum: + - desc + - asc + example: asc + type: string + - description: Returns the lists that come after the last lists returned in the previous call (use the `cursor` value returned in the previous call). This parameter uses the `tie_breaker_id` field to ensure all lists are sorted and returned correctly. + in: query + name: cursor + required: false + schema: + $ref: '#/components/schemas/Security_Lists_API_FindListsCursor' + - description: | + Filters the returned results according to the value of the specified field, + using the : syntax. 
+ in: query + name: filter + required: false + schema: + $ref: '#/components/schemas/Security_Lists_API_FindListsFilter' responses: '200': content: application/json: examples: - postBulkUninstallPackagesExample: - description: Bulk uninstall task initiated + ipList: value: - taskId: task-id-1 + cursor: WzIwLFsiZjU1MDgxODgtYjFlOS00ZTZlLTk2NjItZDAzOWE3ZDg5ODk5Il1d + data: + - _version: WzAsMV0= + '@timestamp': | + 2025-01-08T04:47:34.273Z + created_at: | + 2025-01-08T04:47:34.273Z + created_by: elastic + description: This list describes bad internet ip + id: ip_list + immutable: false + name: Simple list with an ip + tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 + type: ip + updated_at: | + 2025-01-08T04:47:34.273Z + updated_by: elastic + version: 1 + page: 1 + per_page: 20 + total: 1 schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_bulk_upgrade_packages_response + type: object + properties: + cursor: + $ref: '#/components/schemas/Security_Lists_API_FindListsCursor' + data: + items: + $ref: '#/components/schemas/Security_Lists_API_List' + type: array + page: + minimum: 0 + type: integer + per_page: + minimum: 0 + type: integer + total: + minimum: 0 + type: integer + required: + - data + - page + - per_page + - total + - cursor description: Successful response '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequest: value: error: Bad Request - message: An error message describing what went wrong + message: '[request query]: page: Expected number, received nan' statusCode: 400 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Bulk uninstall packages - tags: - - Elastic Package Manager (EPM) - 
/api/fleet/epm/packages/_bulk_uninstall/{taskId}: - get: - description: >- - Get the status and results of a bulk package uninstall - operation.

[Required authorization] Route required privileges: - integrations-all AND fleet-agent-policies-all. - operationId: get-fleet-epm-packages-bulk-uninstall-taskid - parameters: - - description: Task ID of the bulk operation - in: path - name: taskId - required: true - schema: - type: string - responses: - '200': + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': content: application/json: examples: - getBulkOperationDetailsExample: - description: Details of the bulk operation task + unauthorized: value: - packages: - - name: system - result: installed - - name: elastic_agent - result: installed - status: success + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_get_one_bulk_operation_packages_response - description: Successful response - '400': + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + forbidden: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + error: Forbidden + message: API [GET /api/lists/_find?page=1&per_page=20] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] + statusCode: 403 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - 
message - - attributes - description: Bad Request - summary: Get Bulk uninstall packages details + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Get value lists tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/_bulk_upgrade: - post: - description: >- - Upgrade multiple packages to their latest versions.

[Required - authorization] Route required privileges: integrations-all AND - fleet-agent-policies-all. - operationId: post-fleet-epm-packages-bulk-upgrade - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json: - examples: - postBulkUpgradePackagesRequestExample: - description: Upgrade multiple packages to their latest versions - value: - packages: - - name: system - - name: elastic_agent - schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_bulk_upgrade_packages_request + - Security Lists API + x-metaTags: + - content: Kibana + name: product_name + /api/lists/index: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/lists/index
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete the `.lists` and `.items` data streams. + operationId: DeleteListIndex responses: '200': content: application/json: examples: - postBulkUpgradePackagesExample: - description: Bulk upgrade task initiated + acknowledged: value: - taskId: task-id-1 + acknowledged: true schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_bulk_upgrade_packages_response + type: object + properties: + acknowledged: + type: boolean + required: + - acknowledged description: Successful response '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequest: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + message: 'Unable to delete value list data streams: invalid or missing index metadata' + status_code: 400 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Bulk upgrade packages - tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/_bulk_upgrade/{taskId}: - get: - description: >- - Get the status and results of a bulk package upgrade - operation.

[Required authorization] Route required privileges: - integrations-all AND fleet-agent-policies-all. - operationId: get-fleet-epm-packages-bulk-upgrade-taskid - parameters: - - description: Task ID of the bulk operation - in: path - name: taskId - required: true - schema: - type: string - responses: - '200': + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': content: application/json: examples: - getBulkOperationDetailsExample: - description: Details of the bulk operation task + unauthorized: value: - packages: - - name: system - result: installed - - name: elastic_agent - result: installed - status: success + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_get_one_bulk_operation_packages_response - description: Successful response - '400': + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + forbidden: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + error: Forbidden + message: API [DELETE /api/lists/index] is not authorized; lists-all (or equivalent) is required to delete data streams + statusCode: 403 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - 
description: Bad Request - summary: Get Bulk upgrade packages details - tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/{pkgName}: - delete: - description: >- - Uninstall a package and remove all its assets.

[Required - authorization] Route required privileges: integrations-all AND - fleet-agent-policies-all. - operationId: delete-fleet-epm-packages-pkgname - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Package name - in: path - name: pkgName - required: true - schema: - type: string - - description: When true, delete the package even if it has active package policies - in: query - name: force - required: false - schema: - type: boolean - responses: - '200': + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': content: application/json: examples: - deletePackageExample: - description: Package successfully deleted + notFound: value: - items: - - id: aws-logs-aws.cloudwatch_logs-default - type: index_template + message: The value list data stream was not found in this space + status_code: 404 schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_delete_package_response' - description: Successful response - '400': + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List data stream not found response + '500': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + serverError: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + message: Internal Server Error + status_code: 500 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Delete a package + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + 
summary: Delete value list data streams tags: - - Elastic Package Manager (EPM) + - Security Lists API + x-metaTags: + - content: Kibana + name: product_name get: - description: >- - Get information about a package by name, returning the latest installed - or available version. - operationId: get-fleet-epm-packages-pkgname - parameters: - - description: Package name - in: path - name: pkgName - required: true - schema: - type: string - - description: >- - When true, returns the package even if the signature cannot be - verified - in: query - name: ignoreUnverified - required: false - schema: - type: boolean - - description: When true, include prerelease versions - in: query - name: prerelease - required: false - schema: - type: boolean - - description: When true, return the full package info including assets - in: query - name: full - required: false - schema: - type: boolean - - description: >- - When true, include package metadata such as whether it has package - policies - in: query - name: withMetadata - required: false - schema: - default: false - type: boolean + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/lists/index
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Verify that `.lists` and `.items` data streams exist. + operationId: ReadListIndex responses: '200': content: application/json: examples: - getPackageInfoExample: - description: Package details and installation status + bothExist: value: - item: - assets: - kibana: - dashboard: [] - index_pattern: [] - categories: - - cloud - description: Collect logs and metrics from Amazon Web Services - name: aws - status: installed - title: AWS - version: 2.10.0 + list_index: true + list_item_index: true schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_get_info_response' + type: object + properties: + list_index: + type: boolean + list_item_index: + type: boolean + required: + - list_index + - list_item_index description: Successful response '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequest: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + message: Unable to read value list data stream status for this space + status_code: 400 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get a package - tags: - - Elastic Package Manager (EPM) - post: - description: >- - Install the latest version of a package from the Elastic Package - Registry.

[Required authorization] Route required privileges: - integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-pkgname - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Package name - in: path - name: pkgName - required: true - schema: - type: string - - description: When true, allow installing prerelease versions - in: query - name: prerelease - required: false - schema: - type: boolean - - description: When true, ignore mapping update errors during installation - in: query - name: ignoreMappingUpdateErrors - required: false - schema: - default: false - type: boolean - - description: When true, skip data stream rollover after installation - in: query - name: skipDataStreamRollover - required: false - schema: - default: false - type: boolean - - description: >- - Skip dependency validation when installing a package with - dependencies - in: query - name: skipDependencyCheck - required: false - schema: - default: false - type: boolean - requestBody: - content: - application/json: - examples: - postInstallPackageRequestExample: - description: Install a package, optionally ignoring constraints - value: - ignore_constraints: false - schema: - allOf: - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_install_package_from_registry_request - nullable: true - responses: - '200': + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + 
statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': content: application/json: examples: - postInstallPackageExample: - description: Package successfully installed + forbidden: value: - _meta: - install_source: registry - items: - - id: aws-logs-aws.cloudwatch_logs-default - type: index_template + error: Forbidden + message: API [GET /api/lists/index] is not authorized; list read permissions are required + statusCode: 403 schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_install_package_response' - description: Successful response - '400': + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + notFound: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + message: Value list backing indices were not found for this space + status_code: 404 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Install a package from the registry + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List data stream(s) not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Get status of value list data streams tags: - - Elastic Package Manager (EPM) - put: - description: >- - Update settings for a package, such as whether policies 
are kept up to - date automatically.

[Required authorization] Route required - privileges: integrations-all AND fleet-agent-policies-all. - operationId: put-fleet-epm-packages-pkgname - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Package name - in: path - name: pkgName - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - putUpdatePackageNamespaceCustomizationExample: - description: >- - Enable namespace-level customization for the `production` and - `staging` namespaces - value: - namespace_customization_enabled_for: - - production - - staging - putUpdatePackageRequestExample: - description: Update keep_policies_up_to_date setting for a package - value: - keepPoliciesUpToDate: true - schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_package_request' + - Security Lists API + x-metaTags: + - content: Kibana + name: product_name + post: + deprecated: true + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/lists/index
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + **DEPRECATED.** `deprecated: true` is set on this operation. Value list backing data streams for the space + are now created as part of supported workflows; calling this explicitly is rarely required. + **WARNING:** Do not use for new integrations. Prefer the UI or the list and list-item APIs after confirming + indices exist with `GET /api/lists/index`. + + Creates the `.lists` and `.items` data streams in the current Kibana space. + operationId: CreateListIndex responses: '200': content: application/json: examples: - putUpdatePackageExample: - description: Updated package settings + acknowledged: value: - item: - keepPoliciesUpToDate: true - name: aws - version: 2.10.0 + acknowledged: true schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_package_response' + type: object + properties: + acknowledged: + type: boolean + required: + - acknowledged description: Successful response '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequest: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + message: Indices exist but the request could not be completed for the current space. Check that Elasticsearch and Kibana privileges allow index creation for lists. + status_code: 400 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Update package settings - tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/{pkgName}/{pkgVersion}: - delete: - description: >- - Uninstall a specific version of a package and remove all its - assets.

[Required authorization] Route required privileges: - integrations-all AND fleet-agent-policies-all. - operationId: delete-fleet-epm-packages-pkgname-pkgversion - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Package name - in: path - name: pkgName - required: true - schema: - type: string - - description: Package version - in: path - name: pkgVersion - required: true - schema: - type: string - - description: When true, delete the package even if it has active package policies - in: query - name: force - required: false - schema: - type: boolean - responses: - '200': + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': content: application/json: examples: - deletePackageExample: - description: Package successfully deleted + unauthorized: value: - items: - - id: aws-logs-aws.cloudwatch_logs-default - type: index_template + error: Unauthorized + message: | + [security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate] + statusCode: 401 schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_delete_package_response' - description: Successful response - '400': + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + forbidden: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + error: Forbidden + message: API [POST /api/lists/index] is unauthorized for user, this action is 
granted by the Kibana privileges [lists-all] + statusCode: 403 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Delete a package - tags: - - Elastic Package Manager (EPM) - get: - description: Get information about a specific version of a package. - operationId: get-fleet-epm-packages-pkgname-pkgversion - parameters: - - description: Package name - in: path - name: pkgName - required: true - schema: - type: string - - description: Package version - in: path - name: pkgVersion - required: true - schema: - type: string - - description: >- - When true, returns the package even if the signature cannot be - verified - in: query - name: ignoreUnverified - required: false - schema: - type: boolean - - description: When true, include prerelease versions - in: query - name: prerelease - required: false - schema: - type: boolean - - description: When true, return the full package info including assets - in: query - name: full - required: false - schema: - type: boolean - - description: >- - When true, include package metadata such as whether it has package - policies - in: query - name: withMetadata - required: false - schema: - default: false - type: boolean - responses: - '200': + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '409': content: application/json: examples: - getPackageInfoExample: - description: Package details and installation status + alreadyExists: value: - item: - assets: - kibana: - dashboard: [] - index_pattern: [] - categories: - - cloud - description: Collect logs and metrics from Amazon Web Services - name: aws - status: installed - title: AWS - version: 2.10.0 + message: 'data stream: \".lists-default\" and 
\".items-default\" already exists' + status_code: 409 schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_get_info_response' - description: Successful response - '400': + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List data stream exists response + '500': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + serverError: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + message: Internal Server Error + status_code: 500 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get a package + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Create list data streams tags: - - Elastic Package Manager (EPM) - post: - description: >- - Install a specific version of a package from the Elastic Package - Registry.

[Required authorization] Route required privileges: - integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-pkgname-pkgversion + - Security Lists API + x-metaTags: + - content: Kibana + name: product_name + /api/lists/items: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/lists/items
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a value list item using its `id`, or its `list_id` and `value` fields. + operationId: DeleteListItem parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Package name - in: path - name: pkgName - required: true - schema: - type: string - - description: Package version - in: path - name: pkgVersion - required: true - schema: - type: string - - description: When true, allow installing prerelease versions + - description: Value list item's identifier. Required if `list_id` and `value` are not specified. in: query - name: prerelease + name: id required: false schema: - type: boolean - - description: When true, ignore mapping update errors during installation + $ref: '#/components/schemas/Security_Lists_API_ListItemId' + - description: Value list's identifier. Required if `id` is not specified. in: query - name: ignoreMappingUpdateErrors + name: list_id required: false schema: - default: false - type: boolean - - description: When true, skip data stream rollover after installation + $ref: '#/components/schemas/Security_Lists_API_ListId' + - description: The value used to evaluate exceptions. Required if `id` is not specified. in: query - name: skipDataStreamRollover + name: value required: false schema: - default: false - type: boolean - - description: >- - Skip dependency validation when installing a package with - dependencies + example: 255.255.255.255 + type: string + - description: Determines when changes made by the request are made visible to search. 
in: query - name: skipDependencyCheck + name: refresh required: false schema: - default: false - type: boolean - requestBody: - content: - application/json: - examples: - postInstallPackageRequestExample: - description: Install a package, optionally ignoring constraints - value: - ignore_constraints: false - schema: - allOf: - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_install_package_from_registry_request - nullable: true + default: 'false' + enum: + - 'true' + - 'false' + - wait_for + example: false + type: string responses: '200': content: application/json: examples: - postInstallPackageExample: - description: Package successfully installed + ip: value: - _meta: - install_source: registry - items: - - id: aws-logs-aws.cloudwatch_logs-default - type: index_template + _version: WzIwLDFd + '@timestamp': '2025-01-08T05:15:05.159Z' + created_at: '2025-01-08T05:15:05.159Z' + created_by: elastic + id: pd1WRJQBs4HAK3VQeHFI + list_id: ip_list + tie_breaker_id: eee41dc7-1666-4876-982f-8b0f7b59eca3 + type: ip + updated_at: '2025-01-08T05:44:14.009Z' + updated_by: elastic + value: 255.255.255.255 schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_install_package_response' + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_ListItem' + - items: + $ref: '#/components/schemas/Security_Lists_API_ListItem' + type: array description: Successful response '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequest: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + message: Either \"list_id\" or \"id\" needs to be defined in the request + status_code: 400 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - 
description: Bad Request - summary: Install a package from the registry + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [DELETE /api/lists/items?id=pd1WRJQBs4HAK3VQeHFI] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'list item with id: \"pd1WRJQBs4HAK3VQeHFI\" not found' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List item not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Delete a value list item tags: - - Elastic Package Manager (EPM) - put: - description: >- - Update settings for a specific version of a package.

[Required - authorization] Route required privileges: integrations-all AND - fleet-agent-policies-all. - operationId: put-fleet-epm-packages-pkgname-pkgversion + - Security Lists API + x-metaTags: + - content: Kibana + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/lists/items
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the details of a value list item. + operationId: ReadListItem parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true + - description: Value list item identifier. Required if `list_id` and `value` are not specified. + in: query + name: id + required: false schema: - example: 'true' - type: string - - description: Package name - in: path - name: pkgName - required: true + $ref: '#/components/schemas/Security_Lists_API_ListId' + - description: Value list item list's `id` identfier. Required if `id` is not specified. + in: query + name: list_id + required: false schema: - type: string - - description: Package version - in: path - name: pkgVersion - required: true + $ref: '#/components/schemas/Security_Lists_API_ListId' + - description: The value used to evaluate exceptions. Required if `id` is not specified. + in: query + name: value + required: false schema: + example: 127.0.0.2 type: string - requestBody: - content: - application/json: - examples: - putUpdatePackageNamespaceCustomizationExample: - description: >- - Enable namespace-level customization for the `production` and - `staging` namespaces - value: - namespace_customization_enabled_for: - - production - - staging - putUpdatePackageRequestExample: - description: Update keep_policies_up_to_date setting for a package - value: - keepPoliciesUpToDate: true - schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_package_request' responses: '200': content: application/json: examples: - putUpdatePackageExample: - description: Updated package settings + ip: value: - item: - keepPoliciesUpToDate: true - name: aws - version: 2.10.0 + _version: WzExLDFd + '@timestamp': '2025-01-08T05:16:25.882Z' + created_at: '2025-01-08T05:16:25.882Z' + created_by: elastic + id: qN1XRJQBs4HAK3VQs3Gc + list_id: ip_list + tie_breaker_id: 
a9a34c02-a385-436e-86a0-02a3942f3537 + type: ip + updated_at: '2025-01-08T05:16:25.882Z' + updated_by: elastic + value: 127.0.0.2 schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_package_response' + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_ListItem' + - items: + $ref: '#/components/schemas/Security_Lists_API_ListItem' + type: array description: Successful response '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequest: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + message: Either \"list_id\" or \"id\" needs to be defined in the request + status_code: 400 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Update package settings - tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}: - get: - description: >- - Get the contents of a specific file from a package.

[Required - authorization] Route required privileges: integrations-read OR - fleet-setup OR fleet-all. - operationId: get-fleet-epm-packages-pkgname-pkgversion-filepath - parameters: - - description: Package name - in: path - name: pkgName - required: true - schema: - type: string - - description: Package version - in: path - name: pkgVersion - required: true - schema: - type: string - - description: File path within the package - in: path - name: filePath - required: true - schema: - type: string - responses: - '200': + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': content: application/json: examples: - getPackageFileExample: - description: The content of the requested package file - value: - schema: {} - description: Successful response — returns the file content - '400': + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + forbidden: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + error: Forbidden + message: API [GET /api/lists/items?id=qN1XRJQBs4HAK3VQs3Gc] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] + statusCode: 403 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: 
- type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get a package file + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'list item id: \"foo\" not found' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List item not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Get a value list item tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/{pkgName}/{pkgVersion}/datastream_assets: - delete: - description: >- - Delete datastream assets for a specific input package, by data stream - name.

[Required authorization] Route required privileges: - integrations-all AND fleet-agent-policies-all. - operationId: delete-fleet-epm-packages-pkgname-pkgversion-datastream-assets - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Package name - in: path - name: pkgName - required: true - schema: - type: string - - description: Package version - in: path - name: pkgVersion - required: true - schema: - type: string - - description: The ID of the package policy - in: query - name: packagePolicyId - required: true - schema: - type: string + - Security Lists API + x-metaTags: + - content: Kibana + name: product_name + patch: + description: |- + **Spaces method and path for this operation:** + +
patch /s/{space_id}/api/lists/items
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update specific fields of an existing value list item using the item `id`. + operationId: PatchListItem + requestBody: + content: + application/json: + examples: + changeValue: + value: + id: pd1WRJQBs4HAK3VQeHFI + value: 255.255.255.255 + schema: + type: object + properties: + _version: + $ref: '#/components/schemas/Security_Lists_API_ListVersionId' + id: + $ref: '#/components/schemas/Security_Lists_API_ListItemId' + meta: + $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' + refresh: + description: Determines when changes made by the request are made visible to search. + enum: + - 'true' + - 'false' + - wait_for + type: string + value: + $ref: '#/components/schemas/Security_Lists_API_ListItemValue' + required: + - id + description: Value list item's properties + required: true responses: '200': content: application/json: examples: - deletePackageDatastreamAssetsExample: - description: Package datastream assets successfully deleted + ipItem: value: - items: - - id: logs-my_package.access-default - type: index_template + _version: WzE5LDFd + '@timestamp': '2025-01-08T05:15:05.159Z' + created_at: '2025-01-08T05:15:05.159Z' + created_by: elastic + id: pd1WRJQBs4HAK3VQeHFI + list_id: ip_list + tie_breaker_id: eee41dc7-1666-4876-982f-8b0f7b59eca3 + type: ip + updated_at: '2025-01-08T05:23:37.602Z' + updated_by: elastic + value: 255.255.255.255 schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_delete_package_datastream_assets_response + $ref: '#/components/schemas/Security_Lists_API_ListItem' description: Successful response '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequest: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + message: 
'{"took":15,"timed_out":false,"total":1,"updated":0,"deleted":0,"batches":1,"version_conflicts":0,"noops":0,"retries":{"bulk":0,"search":0},"throttled_millis":0,"requests_per_second":-1,"throttled_until_millis":0,"failures":[{"index":".ds-.items-default-2025.01.09-000001","id":"ip_item","cause":{"type":"document_parsing_exception","reason":"[1:107] failed to parse field [ip] of type [ip] in document with id ip_item. Preview of fields value: 2","caused_by":{"type":"illegal_argument_exception","reason":"2 is not an IP string literal."}},"status":400}]}' + status_code: 400 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Delete assets for an input package - tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/{pkgName}/{pkgVersion}/dependencies: - get: - description: >- - Get the list of packages that a specific package depends - on.

[Required authorization] Route required privileges: - integrations-read OR fleet-setup OR fleet-all. - operationId: get-fleet-epm-packages-pkgname-pkgversion-dependencies - parameters: - - description: Package name - in: path - name: pkgName - required: true - schema: - type: string - - description: Package version - in: path - name: pkgVersion - required: true - schema: - type: string - responses: - '200': + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': content: application/json: examples: - dependenciesResponse: - value: - items: - - name: aws - title: AWS - version: ^2.0.0 - - name: system - title: System - version: ^1.0.0 - noDependenciesResponse: + unauthorized: value: - items: [] + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_get_dependencies_response - description: 'OK: A successful request.' 
- '400': + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': content: application/json: examples: - packageNotFoundResponse: + forbidden: value: - message: '[my-package-1.0.0] package not found in registry' + error: Forbidden + message: API [PATCH /api/lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: A bad request. - summary: Get package dependencies - tags: - - Elastic Package Manager (EPM) - x-state: Generally available; added in 9.4.0 - /api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets: - delete: - description: >- - Delete Kibana assets (dashboards, visualizations, etc.) for a specific - package version.

[Required authorization] Route required - privileges: integrations-all AND fleet-agent-policies-all. - operationId: delete-fleet-epm-packages-pkgname-pkgversion-kibana-assets - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Package name - in: path - name: pkgName - required: true - schema: - type: string - - description: Package version - in: path - name: pkgVersion - required: true - schema: - type: string - responses: - '200': + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': content: application/json: examples: - deleteKibanaAssetsExample: - description: Kibana assets successfully deleted + notFound: value: - items: - - id: dashboard-id-1 - type: dashboard + message: 'list item id: \"foo\" not found' + status_code: 404 schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_install_kibana_assets_response - description: Successful response - '400': + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List item not found response + '500': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + serverError: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + message: Internal Server Error + status_code: 500 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Delete Kibana assets for a package + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Patch a value list item tags: - - 
Elastic Package Manager (EPM) + - Security Lists API + x-metaTags: + - content: Kibana + name: product_name post: - description: >- - Install Kibana assets (dashboards, visualizations, etc.) for a specific - package version.

[Required authorization] Route required - privileges: integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-pkgname-pkgversion-kibana-assets - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Package name - in: path - name: pkgName - required: true - schema: - type: string - - description: Package version - in: path - name: pkgVersion - required: true - schema: - type: string + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/lists/items
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a value list item and associate it with the specified value list. + + All value list items in the same list must be the same type. For example, each list item in an `ip` list must define a specific IP address. + > info + > Before creating a list item, you must create a list. + operationId: CreateListItem requestBody: content: application/json: examples: - postInstallKibanaAssetsRequestExample: - description: Install Kibana assets for a specific package version - value: {} + ip: + value: + list_id: ip_list + value: 127.0.0.1 + ip_range: + value: + list_id: ip_range_list + value: 192.168.0.0/16 + keyword: + value: + list_id: keyword_list + value: zeek schema: - allOf: - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_install_kibana_assets_request - nullable: true + type: object + properties: + id: + $ref: '#/components/schemas/Security_Lists_API_ListItemId' + list_id: + $ref: '#/components/schemas/Security_Lists_API_ListId' + meta: + $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' + refresh: + description: Determines when changes made by the request are made visible to search. 
+ enum: + - 'true' + - 'false' + - wait_for + example: wait_for + type: string + value: + $ref: '#/components/schemas/Security_Lists_API_ListItemValue' + required: + - list_id + - value + description: Value list item's properties + required: true responses: '200': content: application/json: examples: - postInstallKibanaAssetsExample: - description: Kibana assets successfully installed + ip: value: - items: - - id: dashboard-id-1 - type: dashboard + _version: WzAsMV0= + '@timestamp': '2025-01-08T04:59:06.154Z' + created_at: '2025-01-08T04:59:06.154Z' + created_by: elastic + id: 21b01cfb-058d-44b9-838c-282be16c91cc + list_id: ip_list + tie_breaker_id: b57c762c-3036-465c-9bfb-7bfb5e6e515a + type: ip + updated_at: '2025-01-08T04:59:06.154Z' + updated_by: elastic + value: 127.0.0.1 + ip_range: + value: + _version: WzEsMV0= + '@timestamp': '2025-01-09T18:33:08.202Z' + created_at: '2025-01-09T18:33:08.202Z' + created_by: elastic + id: ip_range_item + list_id: ip_range_list + tie_breaker_id: ea1b4189-efda-4637-b8f9-74655a5ebb61 + type: ip_range + updated_at: '2025-01-09T18:33:08.202Z' + updated_by: elastic + value: 192.168.0.0/16 + keyword: + value: + _version: WzIsMV0= + '@timestamp': '2025-01-09T18:34:29.422Z' + created_at: '2025-01-09T18:34:29.422Z' + created_by: elastic + id: 7f24737d-1da8-4626-a568-33070591bb4e + list_id: keyword_list + tie_breaker_id: 2108ced2-5e5d-401e-a88e-4dd69fc5fa27 + type: keyword + updated_at: '2025-01-09T18:34:29.422Z' + updated_by: elastic + value: zeek schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_install_kibana_assets_response + $ref: '#/components/schemas/Security_Lists_API_ListItem' description: Successful response '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequest: value: error: Bad Request - message: An error message describing what went wrong + message: uri [/api/lists/items] with method [post] exists but is not available with the 
current configuration statusCode: 400 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Install Kibana assets for a package - tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/{pkgName}/{pkgVersion}/rule_assets: - post: - description: >- - Install Kibana alert rule assets for a specific package - version.

[Required authorization] Route required privileges: - integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-pkgname-pkgversion-rule-assets - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Package name - in: path - name: pkgName - required: true - schema: - type: string - - description: Package version - in: path - name: pkgVersion - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - postInstallRuleAssetsRequestExample: - description: Install alert rule assets for a specific package version - value: {} - schema: - allOf: - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_install_rule_assets_request - nullable: true - responses: - '200': + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': content: application/json: examples: - postInstallRuleAssetsExample: - description: Rule assets successfully installed + unauthorized: value: - items: - - id: rule-asset-id-1 - type: security_rule + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_install_kibana_assets_response - description: Successful response - '400': + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + forbidden: value: - error: Bad Request - message: An error 
message describing what went wrong - statusCode: 400 + error: Forbidden + message: API [POST /api/lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Install Kibana alert rule for a package + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + listNotFound: + value: + message: 'list id: \"ip_list\" does not exist' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '409': + content: + application/json: + examples: + alreadyExists: + value: + message: 'list item id: \"ip_item\" already exists' + status_code: 409 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List item already exists response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Create a value list item tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/{pkgName}/{pkgVersion}/transforms/authorize: - post: - description: >- - Reauthorize Elasticsearch transforms installed by a package with - secondary authorization headers. 
- operationId: post-fleet-epm-packages-pkgname-pkgversion-transforms-authorize - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Package name - in: path - name: pkgName - required: true - schema: - type: string - - description: Package version - in: path - name: pkgVersion - required: true - schema: - type: string - - description: When true, allow prerelease versions - in: query - name: prerelease - required: false - schema: - type: boolean + - Security Lists API + x-metaTags: + - content: Kibana + name: product_name + put: + description: | + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/lists/items
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update a value list item using the list item ID. The original list item is replaced, and all unspecified fields are deleted. + > info + > You cannot modify the `id` value. + operationId: UpdateListItem requestBody: content: application/json: examples: - postReauthorizeTransformsRequestExample: - description: Reauthorize transforms for a package + fullReplace: value: - transforms: - - destinations: - - index: logs-transform-dest - transformId: logs-transform-1 + id: ip_item + value: 255.255.255.255 schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_reauthorize_transform_request + example: + id: ip_item + value: 255.255.255.255 + type: object + properties: + _version: + $ref: '#/components/schemas/Security_Lists_API_ListVersionId' + id: + $ref: '#/components/schemas/Security_Lists_API_ListItemId' + meta: + $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' + value: + $ref: '#/components/schemas/Security_Lists_API_ListItemValue' + required: + - id + - value + description: Value list item's properties + required: true responses: '200': content: application/json: examples: - postReauthorizeTransformsExample: - description: Transforms successfully reauthorized + ip: value: - - success: true - transformId: logs-transform-1 + _version: WzIwLDFd + '@timestamp': '2025-01-08T05:15:05.159Z' + created_at: '2025-01-08T05:15:05.159Z' + created_by: elastic + id: pd1WRJQBs4HAK3VQeHFI + list_id: ip_list + tie_breaker_id: eee41dc7-1666-4876-982f-8b0f7b59eca3 + type: ip + updated_at: '2025-01-08T05:44:14.009Z' + updated_by: elastic + value: 255.255.255.255 schema: - items: - additionalProperties: false - type: object - properties: - error: - nullable: true - success: - type: boolean - transformId: - type: string - required: - - transformId - - success - - error - maxItems: 10000 - type: array + $ref: '#/components/schemas/Security_Lists_API_ListItem' 
description: Successful response '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequest: value: error: Bad Request - message: An error message describing what went wrong + message: '[request body]: id: Expected string, received number' statusCode: 400 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Authorize transforms - tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/{pkgName}/review_upgrade: - post: - description: >- - Review and accept or reject a pending policy upgrade for a package that - contains deprecations.

[Required authorization] Route required - privileges: integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-pkgname-review-upgrade - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Package name to review upgrade for - in: path - name: pkgName - required: true - schema: - type: string - requestBody: - content: - application/json: - examples: - acceptUpgrade: - value: - action: accept - target_version: 2.0.0 - schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_review_upgrade_request' - responses: - '200': + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': content: application/json: examples: - successResponse: + unauthorized: value: - success: true + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_review_upgrade_response' - description: 'OK: A successful request.' 
- '400': + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': content: application/json: examples: - badRequestResponse: + forbidden: value: - message: Bad Request + error: Forbidden + message: API [PATCH /api/lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: A bad request. - summary: Review a pending policy upgrade for a package with deprecations - tags: - - Elastic Package Manager (EPM) - x-state: Generally available; added in 9.4.0 - /api/fleet/epm/packages/{pkgName}/rollback: - post: - description: >- - Rollback a package to its previously installed - version.

[Required authorization] Route required privileges: - integrations-all AND fleet-agent-policies-all. - operationId: post-fleet-epm-packages-pkgname-rollback - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: Package name to roll back - in: path - name: pkgName - required: true - schema: - type: string - responses: - '200': + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': content: application/json: examples: - successResponse: + notFound: value: - success: true - version: 1.0.0 + message: 'list item id: \"foo\" not found' + status_code: 404 schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_rollback_package_response - description: 'OK: A successful request.' - '400': + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List item not found response + '500': content: application/json: examples: - badRequestResponse: + serverError: value: - message: Bad Request + message: Internal Server Error + status_code: 500 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: A bad request. - summary: Rollback a package to previous version + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Update a value list item tags: - - Elastic Package Manager (EPM) - x-state: Technical Preview; added in 9.1.0 - /api/fleet/epm/packages/{pkgName}/stats: - get: - description: >- - Get usage statistics for a specific package, such as the number of agent - policies using it.

[Required authorization] Route required - privileges: integrations-read OR fleet-setup OR fleet-all. - operationId: get-fleet-epm-packages-pkgname-stats + - Security Lists API + x-metaTags: + - content: Kibana + name: product_name + /api/lists/items/_export: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/lists/items/_export
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Export list item values from the specified value list. + operationId: ExportListItems parameters: - - description: Package name - in: path - name: pkgName + - description: Value list's `id` to export. + in: query + name: list_id required: true schema: - type: string + $ref: '#/components/schemas/Security_Lists_API_ListId' responses: '200': content: - application/json: + application/ndjson: examples: - getPackageStatsExample: - description: Usage stats for a specific package - value: - response: - agent_policy_count: 3 + ipLines: + value: | + 127.0.0.1 + 127.0.0.2 + 127.0.0.3 schema: - $ref: '#/components/schemas/Kibana_HTTP_APIs_get_stats_response' + description: A `.txt` file containing list items from the specified list + example: | + 127.0.0.1 + 127.0.0.2 + 127.0.0.3 + 127.0.0.4 + 127.0.0.5 + 127.0.0.6 + 127.0.0.7 + 127.0.0.8 + 127.0.0.9 + format: binary + type: string description: Successful response '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequest: value: - error: Bad Request - message: An error message describing what went wrong + error: 'Bad Request","message":"[request query]: list_id: Required' statusCode: 400 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get package stats + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + error: Unauthorized + message: '[security_exception\n\tRoot 
causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [POST /api/lists/items/_export?list_id=ips.txt] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json: + examples: + notFound: + value: + message: 'list id: "unknown_list" not found' + status_code: 404 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List not found response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Export value list items tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/installed: + - Security Lists API + x-metaTags: + - content: Kibana + name: product_name + /api/lists/items/_find: get: - description: >- - Get a list of all currently installed integration - packages.

[Required authorization] Route required privileges: - integrations-read OR fleet-setup OR fleet-all. - operationId: get-fleet-epm-packages-installed + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/lists/items/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get all value list items in the specified list. + operationId: FindListItems parameters: - - description: Filter by data stream type + - description: Parent value list's `id` to page through items for. in: query - name: dataStreamType + name: list_id + required: true + schema: + $ref: '#/components/schemas/Security_Lists_API_ListId' + - description: The page number to return. + in: query + name: page required: false schema: - enum: - - logs - - metrics - - traces - - synthetics - - profiling - type: string - - description: When true, only return packages with active data streams + example: 1 + type: integer + - description: The number of list items to return per page. in: query - name: showOnlyActiveDataStreams + name: per_page required: false schema: - type: boolean - - description: Filter packages by name + example: 20 + type: integer + - description: Determines which field is used to sort the results. in: query - name: nameQuery + name: sort_field required: false schema: + example: value + format: nonempty + minLength: 1 type: string - - description: Sort values from the previous page for `search_after` pagination + - description: Determines the sort order, which can be `desc` or `asc` in: query - name: searchAfter + name: sort_order required: false schema: - items: - anyOf: - - type: string - - type: number - maxItems: 10 - type: array - - description: Number of results per page + enum: + - desc + - asc + example: asc + type: string + - description: | + Opaque cursor returned in a previous response; pass it to continue listing from the next page. Omit on the first request. 
in: query - name: perPage + name: cursor required: false schema: - default: 15 - type: number - - description: Sort order, ascending or descending + $ref: '#/components/schemas/Security_Lists_API_FindListItemsCursor' + - description: | + Filters the returned results according to the value of the specified field, + using the : syntax. in: query - name: sortOrder + name: filter required: false schema: - default: asc - enum: - - asc - - desc - type: string + $ref: '#/components/schemas/Security_Lists_API_FindListItemsFilter' responses: '200': content: application/json: examples: - getInstalledPackagesExample: - description: List of installed integration packages + ip: value: - items: - - name: system - status: installed - title: System - version: 1.55.0 - - name: elastic_agent - status: installed - title: Elastic Agent - version: 1.15.0 - searchExcluded: 0 - total: 2 + cursor: WzIwLFsiYjU3Yzc2MmMtMzAzNi00NjVjLTliZmItN2JmYjVlNmU1MTVhIl1d + data: + - _version: WzAsMV0= + '@timestamp': '2025-01-08T04:59:06.154Z' + created_at: '2025-01-08T04:59:06.154Z' + created_by: elastic + id: 21b01cfb-058d-44b9-838c-282be16c91cc + list_id: ip_list + tie_breaker_id: b57c762c-3036-465c-9bfb-7bfb5e6e515a + type: ip + updated_at: '2025-01-08T04:59:06.154Z' + updated_by: elastic + value: 127.0.0.1 + page: 1 + per_page: 20 + total: 1 schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_get_installed_packages_response + type: object + properties: + cursor: + $ref: '#/components/schemas/Security_Lists_API_FindListItemsCursor' + data: + items: + $ref: '#/components/schemas/Security_Lists_API_ListItem' + type: array + page: + minimum: 0 + type: integer + per_page: + minimum: 0 + type: integer + total: + minimum: 0 + type: integer + required: + - data + - page + - per_page + - total + - cursor description: Successful response '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequest: value: - error: Bad 
Request - message: An error message describing what went wrong - statusCode: 400 + error: Bad Request, + message: '[request query]: list_id: Required' + statusCode: 400, schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get installed packages - tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/limited: - get: - description: >- - Get the list of packages that cannot be uninstalled (e.g. elastic_agent, - fleet_server).

[Required authorization] Route required - privileges: integrations-read OR fleet-setup OR fleet-all. - operationId: get-fleet-epm-packages-limited - parameters: [] - responses: - '200': + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': content: application/json: examples: - getLimitedPackagesExample: - description: List of packages that cannot be uninstalled + unauthorized: value: - items: - - elastic_agent - - fleet_server + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_get_limited_packages_response - description: Successful response - '400': + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + forbidden: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + error: Forbidden + message: API [GET /api/lists/items/_find?list_id=ip_list&page=1&per_page=20] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] + statusCode: 403 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get a limited package list + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not 
enough privileges response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Get value list items tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs: - get: - description: >- - Get an inputs template for a package, used to pre-populate package - policy forms.

[Required authorization] Route required - privileges: integrations-read OR fleet-setup OR fleet-all. - operationId: get-fleet-epm-templates-pkgname-pkgversion-inputs + - Security Lists API + x-metaTags: + - content: Kibana + name: product_name + /api/lists/items/_import: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/lists/items/_import
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Import value list items from a TXT or CSV file. The maximum file size is 9 million bytes. + + You can import items to a new or existing list. + operationId: ImportListItems parameters: - - description: Package name - in: path - name: pkgName - required: true - schema: - type: string - - description: Package version - in: path - name: pkgVersion - required: true - schema: - type: string - - description: 'Output format for the inputs template: json, yml, or yaml' + - description: | + List's id. + + Required when importing to an existing list. in: query - name: format + name: list_id required: false schema: - default: json - enum: - - json - - yml - - yaml - type: string - - description: When true, allow prerelease versions + $ref: '#/components/schemas/Security_Lists_API_ListId' + - description: | + Type of the importing list. + + Required when importing a new list whose list `id` is not specified. + examples: + ip: + value: ip in: query - name: prerelease + name: type required: false schema: - type: boolean - - description: >- - When true, return inputs even if the package signature cannot be - verified + $ref: '#/components/schemas/Security_Lists_API_ListType' + - description: Determines when changes made by the request are made visible to search. in: query - name: ignoreUnverified + name: refresh required: false schema: - type: boolean + enum: + - 'true' + - 'false' + - wait_for + example: true + type: string + requestBody: + content: + multipart/form-data: + examples: + ipLinesFile: + value: + file: list_values.txt + schema: + type: object + properties: + file: + description: A `.txt` or `.csv` file containing newline separated list items. 
+ example: | + 127.0.0.1 + 127.0.0.2 + 127.0.0.3 + 127.0.0.4 + 127.0.0.5 + 127.0.0.6 + 127.0.0.7 + 127.0.0.8 + 127.0.0.9 + format: binary + type: string + required: true responses: '200': content: application/json: examples: - getInputsTemplateExample: - description: Inputs template for a package + ip: value: - inputs: - - description: Collect logs from log files - title: Collect logs from files - type: logfile - vars: - - name: paths - required: true - title: Paths - type: text + _version: WzAsMV0= + '@timestamp': '2025-01-08T04:47:34.273Z' + created_at: '2025-01-08T04:47:34.273Z' + created_by: elastic + description: This list describes bad internet ip + id: ip_list + immutable: false + name: Simple list with an ip + tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 + type: ip + updated_at: '2025-01-08T04:47:34.273Z' + updated_by: elastic + version: 1 schema: - anyOf: - - type: string - - $ref: '#/components/schemas/Kibana_HTTP_APIs_get_inputs_response' + $ref: '#/components/schemas/Security_Lists_API_List' description: Successful response '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequest: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + message: Either type or list_id need to be defined in the query + status_code: 400 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get an inputs template + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: + value: + 
error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json: + examples: + forbidden: + value: + error: Forbidden + message: API [POST /api/lists/items/_import?list_id=ip_list] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] + statusCode: 403 + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '409': + content: + application/json: + examples: + conflict: + value: + message: List with the specified list_id does not exist, create the list or fix list_id to import to an existing one + status_code: 409 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List with specified list_id does not exist response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Import value list items tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/verification_key_id: + - Security Lists API + x-metaTags: + - content: Kibana + name: product_name + /api/lists/privileges: get: - description: >- - Get the GPG key ID used to verify the signatures of packages from the - Elastic Package Registry.

[Required authorization] Route - required privileges: integrations-read OR fleet-setup OR fleet-all. - operationId: get-fleet-epm-verification-key-id - parameters: [] + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/lists/privileges
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Returns the caller's authentication state and the Elasticsearch `cluster`, `index`, and `application` + privileges for `.lists` and `.items` data streams in the current Kibana space. Use this to decide which list + APIs (`read` vs `all` operations) are available before you create or import lists. + operationId: ReadListPrivileges responses: '200': content: application/json: examples: - getVerificationKeyIdExample: - description: The GPG key ID used to verify package signatures + privileges: + value: + is_authenticated: true + listItems: + application: {} + cluster: + all: true + manage: true + manage_api_key: true + manage_index_templates: true + manage_ml: true + manage_own_api_key: true + manage_pipeline: true + manage_security: true + manage_transform: true + monitor: true + monitor_ml: true + monitor_transform: true + has_all_requested: true + index: + .items-default: + all: true + create: true + create_doc: true + create_index: true + delete: true + delete_index: true + index: true + maintenance: true + manage: true + monitor: true + read: true + view_index_metadata: true + write: true + username: elastic + lists: + application: {} + cluster: + all: true + manage: true + manage_api_key: true + manage_index_templates: true + manage_ml: true + manage_own_api_key: true + manage_pipeline: true + manage_security: true + manage_transform: true + monitor: true + monitor_ml: true + monitor_transform: true + has_all_requested: true + index: + .lists-default: + all: true + create: true + create_doc: true + create_index: true + delete: true + delete_index: true + index: true + maintenance: true + manage: true + monitor: true + read: true + view_index_metadata: true + write: true + username: elastic + schema: + type: object + properties: + is_authenticated: + type: boolean + listItems: + $ref: '#/components/schemas/Security_Lists_API_ListItemPrivileges' + lists: + 
$ref: '#/components/schemas/Security_Lists_API_ListPrivileges' + required: + - lists + - listItems + - is_authenticated + description: Successful response + '400': + content: + application/json: + examples: + badRequest: + value: + error: Bad Request + message: 'Unable to resolve list privileges: invalid or missing space context for this request' + statusCode: 400 + schema: + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json: + examples: + unauthorized: value: - id: D27D666CD88E42B4 + error: Unauthorized + message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' + statusCode: 401 schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_get_verification_key_id_response - description: Successful response - '400': + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + forbidden: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + error: Forbidden + message: API [GET /api/lists/privileges] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] + statusCode: 403 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get a package signature verification key ID + $ref: 
'#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '500': + content: + application/json: + examples: + serverError: + value: + message: Internal Server Error + status_code: 500 + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Get value list privileges tags: - - Elastic Package Manager (EPM) - /api/fleet/fleet_server_hosts: + - Security Lists API + x-metaTags: + - content: Kibana + name: product_name + /api/logstash/pipeline/{id}: + delete: + description: | + Delete a centrally-managed Logstash pipeline. + If your Elasticsearch cluster is protected with basic authentication, you must have either the `logstash_admin` built-in role or a customized Logstash writer role. + externalDocs: + description: Secure your connection + url: https://www.elastic.co/docs/reference/logstash/secure-connection + operationId: delete-logstash-pipeline + parameters: + - description: An identifier for the pipeline. + in: path + name: id + required: true + schema: + type: string + responses: + '204': + description: Indicates a successful call + summary: Delete a Logstash pipeline + tags: + - logstash + x-state: Technical Preview + x-metaTags: + - content: Kibana + name: product_name get: - description: >- - List all Fleet Server hosts.

[Required authorization] Route - required privileges: fleet-agents-all OR fleet-settings-read. - operationId: get-fleet-fleet-server-hosts - parameters: [] + description: | + Get information for a centrally-managed Logstash pipeline. + To use this API, you must have either the `logstash_admin` built-in role or a customized Logstash reader role. + externalDocs: + description: Secure your connection + url: https://www.elastic.co/docs/reference/logstash/secure-connection + operationId: get-logstash-pipeline + parameters: + - description: An identifier for the pipeline. + in: path + name: id + required: true + schema: + type: string responses: '200': content: application/json: examples: - getFleetServerHostsExample: - description: List of Fleet Server hosts - value: - items: - - host_urls: - - https://fleet-server.example.com:8220 - id: fleet-server-host-id-1 - is_default: true - is_preconfigured: false - name: Default Fleet Server - page: 1 - perPage: 20 - total: 1 + getLogstashPipelineResponseExample1: + value: |- + { + "id": "hello-world", + "description": "Just a simple pipeline", + "username": "elastic", + "pipeline": "input { stdin {} } output { stdout {} }", + "settings": { + "queue.type": "persistent" + } + } schema: - additionalProperties: false type: object - properties: - items: - items: - additionalProperties: false - type: object - properties: - host_urls: - items: - type: string - maxItems: 10 - minItems: 1 - type: array - id: - type: string - is_default: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: - default: false - type: boolean - name: - type: string - proxy_id: - nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - ssl: - additionalProperties: false - type: object - properties: - agent_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - es_key: - anyOf: - - additionalProperties: 
false - type: object - properties: - id: - type: string - required: - - id - - type: string - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - nullable: true - type: object - properties: - agent_certificate: - type: string - agent_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - agent_key: - type: string - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - client_auth: - enum: - - optional - - required - - none - type: string - es_certificate: - type: string - es_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - es_key: - type: string - key: - type: string - required: - - name - - host_urls - - id - maxItems: 10000 - type: array - page: - type: number - perPage: - type: number - total: - type: number - required: - - items - - total - - page - - perPage - description: Successful response - '400': + description: Indicates a successful call + summary: Get a Logstash pipeline + tags: + - logstash + x-state: Technical Preview + x-metaTags: + - content: Kibana + name: product_name + put: + description: | + Create a centrally-managed Logstash pipeline or update a pipeline. + To use this API, you must have either the `logstash_admin` built-in role or a customized Logstash writer role. + externalDocs: + description: Secure your connection + url: https://www.elastic.co/docs/reference/logstash/secure-connection + operationId: put-logstash-pipeline + parameters: + - description: | + An identifier for the pipeline. Pipeline ID must begin with a letter or underscore and can contain only letters, underscores, dashes, hyphens, and numbers. 
+ in: path + name: id + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + putLogstashPipelineRequestExample1: + value: |- + { + "pipeline": "input { stdin {} } output { stdout {} }", + "settings": { + "queue.type": "persisted" + } + } + schema: + type: object + properties: + description: + description: A description of the pipeline. + type: string + pipeline: + description: A definition for the pipeline. + type: string + settings: + description: | + Supported settings, represented as object keys, include the following: + + - `pipeline.workers` + - `pipeline.batch.size` + - `pipeline.batch.delay` + - `pipeline.ecs_compatibility` + - `pipeline.ordered` + - `queue.type` + - `queue.max_bytes` + - `queue.checkpoint.writes` + type: object + required: + - pipeline + responses: + '204': + description: Indicates a successful call + summary: Create or update a Logstash pipeline + tags: + - logstash + x-state: Technical Preview + x-metaTags: + - content: Kibana + name: product_name + /api/logstash/pipelines: + get: + description: | + Get a list of all centrally-managed Logstash pipelines. + + To use this API, you must have either the `logstash_admin` built-in role or a customized Logstash reader role. + > info + > Limit the number of pipelines to 10,000 or fewer. As the number of pipelines nears and surpasses 10,000, you may see performance issues on Kibana. + + The `username` property appears in the response when security is enabled and depends on when the pipeline was created or last updated. 
+ externalDocs: + description: Secure your connection + url: https://www.elastic.co/docs/reference/logstash/secure-connection + operationId: get-logstash-pipelines + responses: + '200': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + getLogstashPipelinesResponseExample1: + value: |- + { + "pipelines": [ + { + "id": "hello-world", + "description": "Just a simple pipeline", + "last_modified": "2018-04-14T12:23:29.772Z", + "username": "elastic" + }, + { + "id": "sleepy-pipeline", + "description": "", + "last_modified": "2018-03-24T03:41:30.554Z" + } + ] + } schema: - additionalProperties: false - description: Generic Error type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get Fleet Server hosts + description: Indicates a successful call + summary: Get all Logstash pipelines tags: - - Fleet Server hosts + - logstash + x-state: Technical Preview + x-metaTags: + - content: Kibana + name: product_name + /api/maintenance_window: post: - description: >- - Create a new Fleet Server host.

[Required authorization] Route - required privileges: fleet-settings-all. - operationId: post-fleet-fleet-server-hosts + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/maintenance_window
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + [Required authorization] Route required privileges: write-maintenance-window. + operationId: post-maintenance-window parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -32015,282 +47289,217 @@ paths: content: application/json: examples: - postFleetServerHostRequestExample: - description: Create a new Fleet Server host + createMaintenanceWindowRequest: + description: | + Create a maintenance window that recurs every week on Monday and Wednesday for two hours, with a scope that filters specific alerts using a KQL query. + summary: Create a maintenance window value: - host_urls: - - https://fleet-server.example.com:8220 - is_default: false - name: My Fleet Server + enabled: true + schedule: + custom: + duration: 2h + recurring: + every: 1w + occurrences: 10 + onWeekDay: + - MO + - WE + start: '2025-03-01T08:00:00.000Z' + timezone: Europe/Amsterdam + scope: + alerting: + query: + kql: 'kibana.alert.tags: "infra"' + title: Weekly Maintenance Window schema: - additionalProperties: false - type: object - properties: - host_urls: - items: - type: string - maxItems: 10 - minItems: 1 - type: array - id: - type: string - is_default: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: - default: false - type: boolean - name: - type: string - proxy_id: - nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - ssl: - additionalProperties: false - type: object - properties: - agent_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - es_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - nullable: true - type: object - properties: - agent_certificate: - type: string - agent_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - agent_key: - type: string - certificate: - type: string - certificate_authorities: - 
items: - type: string - maxItems: 10 - type: array - client_auth: - enum: - - optional - - required - - none - type: string - es_certificate: - type: string - es_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - es_key: - type: string - key: - type: string - required: - - name - - host_urls + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_maintenance_window' + responses: + '200': + content: + application/json: + examples: + createMaintenanceWindowResponse: + description: | + The response returned when a maintenance window is successfully created. + summary: Create a maintenance window response + value: + created_at: '2025-02-25T10:00:00.000Z' + created_by: elastic + enabled: true + id: f0cb1780-537a-4e34-8adf-3b4336862858 + schedule: + custom: + duration: 2h + recurring: + every: 1w + occurrences: 10 + onWeekDay: + - MO + - WE + start: '2025-03-01T08:00:00.000Z' + timezone: Europe/Amsterdam + scope: + alerting: + query: + kql: 'kibana.alert.tags: "infra"' + status: upcoming + title: Weekly Maintenance Window + updated_at: '2025-02-25T10:00:00.000Z' + updated_by: elastic + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_maintenance_window_response' + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + summary: Create a maintenance window. + tags: + - maintenance-window + x-state: Generally available; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + /api/maintenance_window/_find: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/maintenance_window/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + [Required authorization] Route required privileges: read-maintenance-window. + operationId: get-maintenance-window-find + parameters: + - description: The title of the maintenance window. + in: query + name: title + required: false + schema: + type: string + - description: The user who created the maintenance window. + in: query + name: created_by + required: false + schema: + type: string + - description: The status of the maintenance window. It can be "running", "upcoming", "finished", "archived", or "disabled". + in: query + name: status + required: false + schema: + items: + enum: + - running + - finished + - upcoming + - archived + - disabled + type: string + type: array + - description: The page number to return. + in: query + name: page + required: false + schema: + default: 1 + maximum: 100 + minimum: 1 + type: number + - description: The number of maintenance windows to return per page. + in: query + name: per_page + required: false + schema: + default: 10 + maximum: 100 + minimum: 1 + type: number responses: '200': content: application/json: examples: - postFleetServerHostExample: - description: The created Fleet Server host + findMaintenanceWindowsResponse: + description: | + The response returned when maintenance windows are successfully found. 
+ summary: Find maintenance windows response value: - item: - host_urls: - - https://fleet-server.example.com:8220 - id: fleet-server-host-id-2 - is_default: false - is_preconfigured: false - name: My Fleet Server + maintenanceWindows: + - created_at: '2025-02-25T10:00:00.000Z' + created_by: elastic + enabled: true + id: f0cb1780-537a-4e34-8adf-3b4336862858 + schedule: + custom: + duration: 2h + recurring: + every: 1w + occurrences: 10 + onWeekDay: + - MO + - WE + start: '2025-03-01T08:00:00.000Z' + timezone: Europe/Amsterdam + scope: + alerting: + query: + kql: 'kibana.alert.tags: "infra"' + status: upcoming + title: Weekly Maintenance Window + updated_at: '2025-02-25T10:00:00.000Z' + updated_by: elastic + - created_at: '2025-03-10T09:00:00.000Z' + created_by: elastic + enabled: true + id: a1c94560-6e3b-4ea1-9065-8e3f1b8c5f29 + schedule: + custom: + duration: 1h + recurring: + end: '2025-12-31T00:00:00.000Z' + every: 2w + onWeekDay: + - FR + start: '2025-04-01T10:00:00.000Z' + timezone: US/Eastern + scope: + alerting: + query: + kql: 'kibana.alert.tags: "database"' + status: upcoming + title: Database Upgrade Window + updated_at: '2025-03-15T14:30:00.000Z' + updated_by: elastic + page: 1 + per_page: 10 + total: 2 schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - host_urls: - items: - type: string - maxItems: 10 - minItems: 1 - type: array - id: - type: string - is_default: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: - default: false - type: boolean - name: - type: string - proxy_id: - nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - ssl: - additionalProperties: false - type: object - properties: - agent_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - es_key: - anyOf: - - additionalProperties: false - 
type: object - properties: - id: - type: string - required: - - id - - type: string - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - nullable: true - type: object - properties: - agent_certificate: - type: string - agent_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - agent_key: - type: string - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - client_auth: - enum: - - optional - - required - - none - type: string - es_certificate: - type: string - es_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - es_key: - type: string - key: - type: string - required: - - name - - host_urls - - id - required: - - item - description: Successful response + $ref: '#/components/schemas/Kibana_HTTP_APIs_find_maintenance_windows_response' + description: Indicates a successful call. '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Create a Fleet Server host + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + summary: Search for a maintenance window. 
tags: - - Fleet Server hosts - /api/fleet/fleet_server_hosts/{itemId}: + - maintenance-window + x-state: Generally available; added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + /api/maintenance_window/{id}: delete: - description: >- - Delete a Fleet Server host by ID.

[Required authorization] - Route required privileges: fleet-settings-all. - operationId: delete-fleet-fleet-server-hosts-itemid + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/maintenance_window/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + [Required authorization] Route required privileges: write-maintenance-window. + operationId: delete-maintenance-window-id parameters: - description: A required header to protect against CSRF attacks in: header @@ -32299,9 +47508,42 @@ paths: schema: example: 'true' type: string - - description: The ID of the Fleet Server host + - description: The identifier for the maintenance window to be deleted. in: path - name: itemId + name: id + required: true + schema: + type: string + responses: + '204': + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a maintenance window with the given ID does not exist. + summary: Delete a maintenance window. + tags: + - maintenance-window + x-state: Generally available; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/maintenance_window/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + [Required authorization] Route required privileges: read-maintenance-window. + operationId: get-maintenance-window-id + parameters: + - description: The identifier for the maintenance window. + in: path + name: id required: true schema: type: string @@ -32310,71 +47552,247 @@ paths: content: application/json: examples: - deleteFleetServerHostExample: - description: The Fleet Server host was successfully deleted + getMaintenanceWindowResponse: + description: | + The response returned when a maintenance window is successfully retrieved. + summary: Get a maintenance window response value: - id: fleet-server-host-id-1 + created_at: '2025-02-25T10:00:00.000Z' + created_by: elastic + enabled: true + id: f0cb1780-537a-4e34-8adf-3b4336862858 + schedule: + custom: + duration: 2h + recurring: + every: 1w + occurrences: 10 + onWeekDay: + - MO + - WE + start: '2025-03-01T08:00:00.000Z' + timezone: Europe/Amsterdam + scope: + alerting: + query: + kql: 'kibana.alert.tags: "infra"' + status: upcoming + title: Weekly Maintenance Window + updated_at: '2025-02-25T10:00:00.000Z' + updated_by: elastic schema: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - description: Successful response + $ref: '#/components/schemas/Kibana_HTTP_APIs_maintenance_window_response' + description: Indicates a successful call. '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a maintenance window with the given ID does not exist. + summary: Get maintenance window details. + tags: + - maintenance-window + x-state: Generally available; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + patch: + description: |- + **Spaces method and path for this operation:** + +
patch /s/{space_id}/api/maintenance_window/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + [Required authorization] Route required privileges: write-maintenance-window. + operationId: patch-maintenance-window-id + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the maintenance window. + in: path + name: id + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + updateMaintenanceWindowRequest: + description: | + Update a maintenance window to change its title, schedule, and scope. + summary: Update a maintenance window + value: + enabled: true + schedule: + custom: + duration: 1h + recurring: + end: '2025-12-31T00:00:00.000Z' + every: 2w + onWeekDay: + - FR + start: '2025-04-01T10:00:00.000Z' + timezone: US/Eastern + scope: + alerting: + query: + kql: 'kibana.alert.tags: "database"' + title: Updated maintenance window + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_update_maintenance_window' + responses: + '200': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + updateMaintenanceWindowResponse: + description: | + The response returned when a maintenance window is successfully updated. 
+ summary: Update a maintenance window response value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + created_at: '2025-02-25T10:00:00.000Z' + created_by: elastic + enabled: true + id: f0cb1780-537a-4e34-8adf-3b4336862858 + schedule: + custom: + duration: 1h + recurring: + end: '2025-12-31T00:00:00.000Z' + every: 2w + onWeekDay: + - FR + start: '2025-04-01T10:00:00.000Z' + timezone: US/Eastern + scope: + alerting: + query: + kql: 'kibana.alert.tags: "database"' + status: upcoming + title: Updated maintenance window + updated_at: '2025-03-15T14:30:00.000Z' + updated_by: elastic schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request + $ref: '#/components/schemas/Kibana_HTTP_APIs_maintenance_window_response' + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. '404': + description: Indicates a maintenance window with the given ID does not exist. + '409': + description: Indicates that the maintenance window has already been updated by another user. + summary: Update a maintenance window. + tags: + - maintenance-window + x-state: Generally available; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + /api/maintenance_window/{id}/_archive: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/maintenance_window/{id}/_archive
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + [Required authorization] Route required privileges: write-maintenance-window. + operationId: post-maintenance-window-id-archive + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the maintenance window to be archived. + in: path + name: id + required: true + schema: + type: string + responses: + '200': content: application/json: examples: - notFoundExample: - description: No Fleet Server host was found with the given ID + archiveMaintenanceWindowResponse: + description: | + The response returned when a maintenance window is successfully archived. + summary: Archive a maintenance window response value: - error: Not Found - message: Fleet server fleet-server-host-id-1 not found - statusCode: 404 - description: Not Found - summary: Delete a Fleet Server host + created_at: '2025-02-25T10:00:00.000Z' + created_by: elastic + enabled: true + id: f0cb1780-537a-4e34-8adf-3b4336862858 + schedule: + custom: + duration: 2h + recurring: + every: 1w + occurrences: 10 + onWeekDay: + - MO + - WE + start: '2025-03-01T08:00:00.000Z' + timezone: Europe/Amsterdam + scope: + alerting: + query: + kql: 'kibana.alert.tags: "infra"' + status: archived + title: Weekly Maintenance Window + updated_at: '2025-02-25T10:00:00.000Z' + updated_by: elastic + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_maintenance_window_response' + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a maintenance window with the given ID does not exist. + summary: Archive a maintenance window. tags: - - Fleet Server hosts - get: - description: >- - Get a Fleet Server host by ID.

[Required authorization] Route - required privileges: fleet-settings-read. - operationId: get-fleet-fleet-server-hosts-itemid + - maintenance-window + x-state: Generally available; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + /api/maintenance_window/{id}/_unarchive: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/maintenance_window/{id}/_unarchive
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + [Required authorization] Route required privileges: write-maintenance-window. + operationId: post-maintenance-window-id-unarchive parameters: - - description: The ID of the Fleet Server host + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the maintenance window to be unarchived. in: path - name: itemId + name: id required: true schema: type: string 
@@ -32383,2074 +47801,2170 @@ paths: content: application/json: examples: - getFleetServerHostExample: - description: A Fleet Server host + unarchiveMaintenanceWindowResponse: + description: | + The response returned when a maintenance window is successfully unarchived. + summary: Unarchive a maintenance window response value: - item: - host_urls: - - https://fleet-server.example.com:8220 - id: fleet-server-host-id-1 - is_default: true - is_preconfigured: false - name: Default Fleet Server + created_at: '2025-02-25T10:00:00.000Z' + created_by: elastic + enabled: true + id: f0cb1780-537a-4e34-8adf-3b4336862858 + schedule: + custom: + duration: 2h + recurring: + every: 1w + occurrences: 10 + onWeekDay: + - MO + - WE + start: '2025-03-01T08:00:00.000Z' + timezone: Europe/Amsterdam + scope: + alerting: + query: + kql: 'kibana.alert.tags: "infra"' + status: upcoming + title: Weekly Maintenance Window + updated_at: '2025-02-25T10:00:00.000Z' + updated_by: elastic schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - host_urls: - items: - type: string - maxItems: 10 - minItems: 1 - type: array - id: - type: string - is_default: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: - default: false - type: boolean - name: - type: string - proxy_id: - nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - ssl: - additionalProperties: false - type: object - properties: - agent_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - es_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - 
nullable: true - type: object - properties: - agent_certificate: - type: string - agent_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - agent_key: - type: string - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - client_auth: - enum: - - optional - - required - - none - type: string - es_certificate: - type: string - es_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - es_key: - type: string - key: - type: string - required: - - name - - host_urls - - id - required: - - item - description: Successful response + $ref: '#/components/schemas/Kibana_HTTP_APIs_maintenance_window_response' + description: Indicates a successful call. '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a maintenance window with the given ID does not exist. + summary: Unarchive a maintenance window. + tags: + - maintenance-window + x-state: Generally available; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + /api/ml/saved_objects/sync: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/ml/saved_objects/sync
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Synchronizes Kibana saved objects for machine learning jobs and trained models in the default space. You must have `all` privileges for the **Machine Learning** feature in the **Analytics** section of the Kibana feature privileges. This API runs automatically when you start Kibana and periodically thereafter. + operationId: mlSync + parameters: + - $ref: '#/components/parameters/Machine_learning_APIs_simulateParam' + responses: + '200': + content: + application/json: + examples: + syncExample: + $ref: '#/components/examples/Machine_learning_APIs_mlSyncExample' + schema: + $ref: '#/components/schemas/Machine_learning_APIs_mlSync200Response' + description: Indicates a successful call + '401': + content: + application/json: + examples: + syncExample: + $ref: '#/components/examples/Machine_learning_APIs_mlSync401Example' + schema: + $ref: '#/components/schemas/Machine_learning_APIs_mlSync4xxResponse' + description: Authorization information is missing or invalid. + summary: Sync saved objects in the default space + tags: + - ml + x-metaTags: + - content: Kibana + name: product_name + /api/ml/saved_objects/update_jobs_spaces: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/ml/saved_objects/update_jobs_spaces
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update a list of jobs to add and/or remove them from given spaces. + operationId: mlUpdateJobsSpaces + requestBody: + content: + application/json: + examples: + updateADJobSpacesRequest: + value: + jobIds: + - test-job + jobType: anomaly-detector + spacesToAdd: + - default + spacesToRemove: + - '*' + updateDFAJobSpacesRequest: + value: + jobIds: + - test-job + jobType: data-frame-analytics + spacesToAdd: + - default + spacesToRemove: + - '*' + responses: + '200': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + successADResponse: value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': + test-job: + success: true + type: anomaly-detector + successDFAResponse: + value: + test-job: + success: true + type: data-frame-analytics + description: Indicates a successful call + summary: Update jobs spaces + tags: + - ml + x-metaTags: + - content: Kibana + name: product_name + /api/ml/saved_objects/update_trained_models_spaces: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/ml/saved_objects/update_trained_models_spaces
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update a list of trained models to add and/or remove them from given spaces. + operationId: mlUpdateTrainedModelsSpaces + requestBody: + content: + application/json: + examples: + updateTrainedModelsSpacesRequest: + value: + modelIds: + - test-model + spacesToAdd: + - default + spacesToRemove: + - '*' + responses: + '200': content: application/json: examples: - notFoundExample: - description: No Fleet Server host was found with the given ID + successTMResponse: value: - error: Not Found - message: Fleet server fleet-server-host-id-1 not found - statusCode: 404 - description: Not Found - summary: Get a Fleet Server host + test-model: + success: true + type: trained-model" + description: Indicates a successful call + summary: Update trained models spaces tags: - - Fleet Server hosts - put: - description: >- - Update a Fleet Server host by ID.

[Required authorization] - Route required privileges: fleet-settings-all. - operationId: put-fleet-fleet-server-hosts-itemid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The ID of the Fleet Server host - in: path - name: itemId - required: true - schema: - type: string + - ml + x-metaTags: + - content: Kibana + name: product_name + /api/note: + delete: + description: | + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/note
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Deletes notes by saved object ID. Send either `noteId` (single ID) or `noteIds` (array of IDs) in the JSON body. + + The response has HTTP 200 with an empty body on success. + + Requires the **Timeline and Notes** write privilege (`notes_write`). + operationId: DeleteNote requestBody: content: application/json: examples: - putFleetServerHostRequestExample: - description: Update a Fleet Server host + deleteOne: + summary: Delete a single note by id value: - host_urls: - - https://updated-fleet-server.example.com:8220 - is_default: false - name: Updated Fleet Server + noteId: 709f99c6-89b6-4953-9160-35945c8e174e schema: - additionalProperties: false - type: object - properties: - host_urls: - items: - type: string - maxItems: 10 - minItems: 1 - type: array - is_default: - type: boolean - is_internal: - type: boolean - name: - type: string - proxy_id: - nullable: true - type: string - secrets: - additionalProperties: false + oneOf: + - nullable: true type: object properties: - ssl: - additionalProperties: false - type: object - properties: - agent_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - es_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - nullable: true + noteId: + description: Saved object ID of the note to delete. 
+ type: string + required: + - noteId + - nullable: true type: object properties: - agent_certificate: - type: string - agent_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - agent_key: - type: string - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - client_auth: - enum: - - optional - - required - - none - type: string - es_certificate: - type: string - es_certificate_authorities: + noteIds: + description: Saved object IDs of the notes to delete. items: type: string - maxItems: 10 + nullable: true type: array - es_key: - type: string - key: - type: string - required: - - proxy_id + required: + - noteIds + description: | + Exactly one shape: `{ "noteId": "" }` for a single delete, or `{ "noteIds": ["", ...] }` for bulk delete. + `noteIds` may be null in some clients; prefer an empty array or omit unused fields when possible. + required: true + responses: + '200': + description: The notes were deleted successfully. Response body is empty. + summary: Delete one or more notes + tags: + - Security Timeline API + x-metaTags: + - content: Kibana + name: product_name + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/note
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Returns Security Timeline notes as saved objects. + + **Query modes (mutually exclusive branches on the server):** + + 1. **`documentIds` is set** — Returns notes whose `eventId` matches the given Elasticsearch document `_id` (single string or array). Pagination query parameters (`page`, `perPage`, etc.) are **not** applied; the server uses a fixed page size (up to 10000 notes). + + 2. **`savedObjectIds` is set** — Returns notes linked to the given Timeline saved object id(s). Same fixed cap as above; list-mode query parameters are **not** applied. + + 3. **Neither `documentIds` nor `savedObjectIds`** — Lists notes using saved-objects find semantics: `page` (default 1), `perPage` (default 10), optional `search`, `sortField`, `sortOrder`, `filter`, `createdByFilter`, and `associatedFilter`. + + Requires the **Timeline and Notes** read privilege (`notes_read`). + operationId: GetNotes + parameters: + - description: | + Event document `_id` values to match against each note's `eventId`. When this parameter is present, the response is all matching notes (up to the server's hard limit), not a paged list using `page`/`perPage`. + examples: + multiple: + summary: Multiple document ids (array) + value: + - id-one + - id-two + single: + summary: Single document id + value: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b + in: query + name: documentIds + schema: + $ref: '#/components/schemas/Security_Timeline_API_DocumentIds' + - description: | + Timeline `savedObjectId` value(s). Returns notes that reference those timelines. When present, list-mode pagination parameters are not used; up to the server's hard limit of notes may be returned. 
+ examples: + singleTimeline: + summary: Single timeline id + value: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + in: query + name: savedObjectIds + schema: + $ref: '#/components/schemas/Security_Timeline_API_SavedObjectIds' + - description: | + Page number for list mode (when `documentIds` and `savedObjectIds` are omitted). Passed as a string; default 1. + example: '1' + in: query + name: page + schema: + nullable: true + type: string + - description: | + Page size for list mode (when `documentIds` and `savedObjectIds` are omitted). Passed as a string; default 10. + example: '20' + in: query + name: perPage + schema: + nullable: true + type: string + - description: Search string for saved-objects find (list mode only). + in: query + name: search + schema: + nullable: true + type: string + - description: Field to sort by for saved-objects find (list mode only). + in: query + name: sortField + schema: + nullable: true + type: string + - description: Sort order (`asc` or `desc`) for saved-objects find (list mode only). + example: desc + in: query + name: sortOrder + schema: + nullable: true + type: string + - description: | + Kuery filter string combined with other list-mode filters (for example `createdByFilter` or `associatedFilter`). Typed as a string for API compatibility; interpreted by the saved-objects layer (list mode only). + in: query + name: filter + schema: + nullable: true + type: string + - description: | + Kibana user profile **UID** (UUID). The server resolves the user's display identifiers and returns notes whose `createdBy` matches any of them (list mode only). + example: f1c2d3e4-5b6a-7890-abcd-ef1234567890 + in: query + name: createdByFilter + schema: + nullable: true + type: string + - description: | + Restricts notes by how they relate to a Timeline and/or an event document (list mode only). Some values apply extra filtering after the query. Ignored when `documentIds` or `savedObjectIds` is used. 
+ in: query + name: associatedFilter + schema: + $ref: '#/components/schemas/Security_Timeline_API_AssociatedFilterType' responses: '200': content: application/json: examples: - putFleetServerHostExample: - description: The updated Fleet Server host + notesPage: + summary: Paged notes for a timeline value: - item: - host_urls: - - https://updated-fleet-server.example.com:8220 - id: fleet-server-host-id-1 - is_default: false - is_preconfigured: false - name: Updated Fleet Server + notes: + - eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc + note: Escalated to tier-2 analyst + noteId: 709f99c6-89b6-4953-9160-35945c8e174e + timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + version: WzQ2LDFd + totalCount: 1 schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - host_urls: - items: - type: string - maxItems: 10 - minItems: 1 - type: array - id: - type: string - is_default: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: - default: false - type: boolean - name: - type: string - proxy_id: - nullable: true - type: string - secrets: - additionalProperties: false - type: object - properties: - ssl: - additionalProperties: false - type: object - properties: - agent_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - es_key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - key: - anyOf: - - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - nullable: true - type: object - properties: - agent_certificate: - type: string - agent_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - agent_key: - type: string - certificate: - type: string - certificate_authorities: - items: - 
type: string - maxItems: 10 - type: array - client_auth: - enum: - - optional - - required - - none - type: string - es_certificate: - type: string - es_certificate_authorities: - items: - type: string - maxItems: 10 - type: array - es_key: - type: string - key: - type: string - required: - - name - - host_urls - - id - required: - - item - description: Successful response - '400': + $ref: '#/components/schemas/Security_Timeline_API_GetNotesResult' + description: Notes and total count for the requested mode. + summary: Get notes + tags: + - Security Timeline API + x-metaTags: + - content: Kibana + name: product_name + patch: + description: | + **Spaces method and path for this operation:** + +
patch /s/{space_id}/api/note
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Creates a new note or updates an existing one. + + **Create:** Send `note` and omit `noteId` to create a new saved object. + + **Update:** Send `note` with the changed fields and set `noteId` to the note's saved object ID. Optionally include `version` for optimistic concurrency when the client has it from a prior read. + + Requires the **Timeline and Notes** write privilege (`notes_write`). + externalDocs: + description: Add or update a note on a Timeline + url: https://www.elastic.co/guide/en/security/current/timeline-api-update.html + operationId: PersistNoteRoute + requestBody: + content: + application/json: + examples: + addNote: + summary: Add a note on an event + value: + note: + eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc + note: Escalated to tier-2 analyst + timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + schema: + type: object + properties: + note: + $ref: '#/components/schemas/Security_Timeline_API_BareNote' + description: Note payload (timeline, text, optional event linkage, metadata). + noteId: + description: The `savedObjectId` of the note to update. Omit when creating a new note. + example: 709f99c6-89b6-4953-9160-35945c8e174e + nullable: true + type: string + version: + description: Saved object version string from a previous read; optional on update. + example: WzQ2LDFd + nullable: true + type: string + required: + - note + description: | + Body must include the `note` object. For updates, include `noteId` (and optionally `version`). + To attach a note to a specific event, set `note.eventId` to that event's document `_id`; for a timeline-wide note, omit or clear `eventId` per product rules. 
+ required: true + responses: + '200': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + persisted: + summary: Persisted note wrapper value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + note: + eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc + note: Escalated to tier-2 analyst + noteId: 709f99c6-89b6-4953-9160-35945c8e174e + timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + version: WzQ2LDFd schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No Fleet Server host was found with the given ID - value: - error: Not Found - message: Fleet server fleet-server-host-id-1 not found - statusCode: 404 - description: Not Found - summary: Update a Fleet Server host + $ref: '#/components/schemas/Security_Timeline_API_ResponseNote' + description: The persisted note, including `noteId` and `version`. + summary: Add or update a note tags: - - Fleet Server hosts - /api/fleet/health_check: + - Security Timeline API + x-metaTags: + - content: Kibana + name: product_name + /api/observability_ai_assistant/chat/complete: post: - description: >- - Check the health status of a Fleet Server instance by its host ID. - Returns the server status and name if available.

[Required - authorization] Route required privileges: fleet-settings-all. - operationId: post-fleet-health-check - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/observability_ai_assistant/chat/complete
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new chat completion by using the Observability AI Assistant. + + The API returns the model's response based on the current conversation context. + + It also handles any tool requests within the conversation, which may trigger multiple calls to the underlying large language model (LLM). + + This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. + operationId: observability-ai-assistant-chat-complete requestBody: content: application/json: examples: - postHealthCheckRequestExample: - description: Check the health of a Fleet Server instance by its host ID - value: - id: fleet-server-host-id-1 + chatCompleteRequestExample: + $ref: '#/components/examples/Observability_AI_Assistant_API_ChatCompleteRequestExample' schema: - additionalProperties: false type: object properties: - id: + actions: + items: + $ref: '#/components/schemas/Observability_AI_Assistant_API_Function' + type: array + connectorId: + description: A unique identifier for the connector. + type: string + conversationId: + description: A unique identifier for the conversation if you are continuing an existing conversation. + type: string + disableFunctions: + description: Flag indicating whether all function calls should be disabled for the conversation. If true, no calls to functions will be made. + type: boolean + instructions: + description: An array of instruction objects, which can be either simple strings or detailed objects. + items: + $ref: '#/components/schemas/Observability_AI_Assistant_API_Instruction' + type: array + messages: + description: An array of message objects containing the conversation history. 
+ items: + $ref: '#/components/schemas/Observability_AI_Assistant_API_Message' + type: array + persist: + description: Indicates whether the conversation should be saved to storage. If true, the conversation will be saved and will be available in Kibana. + type: boolean + title: + description: A title for the conversation. type: string required: - - id + - messages + - connectorId + - persist responses: '200': content: application/json: examples: - postHealthCheckHealthyExample: - description: Fleet Server is online and healthy + chatCompleteResponseExample: + $ref: '#/components/examples/Observability_AI_Assistant_API_ChatCompleteResponseExample' + schema: + type: object + description: Successful response + summary: Generate a chat completion + tags: + - observability_ai_assistant + x-codeSamples: + - lang: cURL + source: | + curl --request POST 'localhost:5601/api/observability_ai_assistant/chat/complete' -u : -H 'kbn-xsrf: true' -H "Content-Type: application/json" --data ' + { + "connectorId": "", + "disableFunctions": false, + "messages": [ + { + "@timestamp": "2025-06-25T23:45:00.000Z", + "message": { + "role": "user", + "content": "Is my Elasticsearch cluster healthy right now?" + } + } + ], + "persist": false, + "actions": [ + { + "name": "get_cluster_health", + "description": "Fetch the current Elasticsearch cluster-health status and key metrics.", + "parameters": { + "type": "object", + "properties": { + "includeShardStats": { + "type": "boolean", + "default": false + } + } + } + } + ], + "instructions": ["When the user asks about Elasticsearch cluster health, use the get_cluster_health tool to retrieve cluster health, then summarize the response in plain English."] + }' + x-state: Technical Preview + x-metaTags: + - content: Kibana + name: product_name + /api/osquery/history: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/osquery/history
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a unified, time-sorted history of live, rule-triggered, and scheduled osquery executions. The response uses cursor-based pagination. + operationId: OsqueryGetUnifiedHistory + parameters: + - description: The number of results to return per page. + in: query + name: pageSize + required: false + schema: + default: 20 + description: The number of results to return per page. + maximum: 100 + minimum: 1 + type: integer + - description: A base64-encoded cursor for pagination. Use the value from the previous response to fetch the next page. + in: query + name: nextPage + required: false + schema: + description: A base64-encoded cursor for pagination. Use the value from the previous response to fetch the next page. + type: string + - description: A search string to filter history entries by pack name, query text, or query ID. + in: query + name: kuery + required: false + schema: + description: A search string to filter history entries by pack name, query text, or query ID. + type: string + - description: Comma-separated list of user IDs to filter live query history. + in: query + name: userIds + required: false + schema: + description: Comma-separated list of user IDs to filter live query history. + example: elastic,admin + type: string + - description: Comma-separated list of source types to include. Valid values are `live`, `rule`, and `scheduled`. + in: query + name: sourceFilters + required: false + schema: + description: Comma-separated list of source types to include. Valid values are `live`, `rule`, and `scheduled`. + example: live,scheduled + type: string + - description: The start of the time range filter (ISO 8601). + in: query + name: startDate + required: false + schema: + description: The start of the time range filter (ISO 8601). + example: '2024-01-01T00:00:00Z' + type: string + - description: The end of the time range filter (ISO 8601). 
+ in: query + name: endDate + required: false + schema: + description: The end of the time range filter (ISO 8601). + example: '2024-12-31T23:59:59Z' + type: string + responses: + '200': + content: + application/json: + examples: + unifiedHistoryExample: + summary: Example unified history response value: - name: fleet-server-1 - status: ONLINE - postHealthCheckUnreachableExample: - description: >- - Fleet Server host is not reachable (request timed out or - aborted) + data: + - actionId: 609c4c66-ba3d-43fa-afdd-53e244577aa0 + agentCount: 5 + errorCount: 0 + id: 3c42c847-eb30-4452-80e0-728584042334 + queryName: uptime_query + queryText: select * from uptime; + source: Live + sourceType: live + successCount: 5 + timestamp: '2024-07-26T09:59:32.220Z' + totalRows: 42 + userId: elastic + - agentCount: 10 + errorCount: 1 + executionCount: 3 + id: pack_my_pack_uptime_3 + packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d + packName: My Pack + plannedTime: '2024-07-26T09:00:00.000Z' + queryName: uptime + queryText: select * from uptime; + scheduleId: pack_my_pack_uptime + source: Scheduled + sourceType: scheduled + successCount: 9 + timestamp: '2024-07-26T09:00:00.000Z' + totalRows: 100 + hasMore: true + nextPage: eyJhY3Rpb25TZWFyY2hBZnRlciI6WzE3... + schema: + $ref: '#/components/schemas/Security_Osquery_API_GetUnifiedHistoryResponse' + description: Indicates a successful call. + summary: Get unified query history + tags: + - Security Osquery API + x-state: Generally available; Added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/osquery/live_queries: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/osquery/live_queries
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all live queries. + operationId: OsqueryFindLiveQueries + parameters: + - description: A KQL search string to filter live queries. + in: query + name: kuery + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' + - description: The page number to return. + in: query + name: page + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' + - description: The number of results to return per page. + in: query + name: pageSize + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' + - description: The field to sort results by. + in: query + name: sort + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' + - description: The sort order. + in: query + name: sortOrder + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' + responses: + '200': + content: + application/json: + examples: + liveQueriesList: + summary: A list of recent live queries value: - host_id: fleet-server-host-id-1 - status: OFFLINE + data: + items: + - _source: + '@timestamp': '2023-10-31T00:00:00Z' + action_id: 3c42c847-eb30-4452-80e0-728584042334 + agents: + - 16d7caf5-efd2-4212-9b62-73dafc91fa13 + expiration: '2023-10-31T00:00:00Z' + queries: + - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 + agents: + - 16d7caf5-efd2-4212-9b62-73dafc91fa13 + ecs_mapping: + host.uptime: + field: total_seconds + id: 6724a474-cbba-41ef-a1aa-66aebf0879e2 + query: select * from uptime; + saved_query_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d + user_id: elastic + total: 1 schema: - additionalProperties: false - type: object - properties: - host_id: - type: string - name: - type: string - status: - type: string - required: - - status - description: Successful health check response - '400': + 
$ref: '#/components/schemas/Security_Osquery_API_FindLiveQueryResponse' + description: Indicates a successful call. + summary: Get live queries + tags: + - Security Osquery API + x-metaTags: + - content: Kibana + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/osquery/live_queries
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create and run a live query. + operationId: OsqueryCreateLiveQuery + requestBody: + content: + application/json: + examples: + singleQueryAllAgents: + summary: Run a single query on all agents + value: + agent_all: true + ecs_mapping: + host.uptime: + field: total_seconds + query: select * from uptime; + targetedQuery: + summary: Run a query against specific agents + value: + agent_ids: + - 16d7caf5-efd2-4212-9b62-73dafc91fa13 + query: select * from processes; + schema: + $ref: '#/components/schemas/Security_Osquery_API_CreateLiveQueryRequestBody' + required: true + responses: + '200': content: application/json: examples: - badRequestExample: - description: >- - The host ID exists but has no associated host URLs - configured + liveQueryCreated: + summary: Live query created value: - error: Bad Request - message: >- - The requested host id fleet-server-host-id-1 does not have - associated host urls. - statusCode: 400 + data: + '@timestamp': '2022-07-26T09:59:32.220Z' + action_id: 3c42c847-eb30-4452-80e0-728584042334 + agent_all: true + agents: + - 16d7caf5-efd2-4212-9b62-73dafc91fa13 + expiration: '2022-07-26T10:04:32.220Z' + input_type: osquery + queries: + - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 + agents: + - 16d7caf5-efd2-4212-9b62-73dafc91fa13 + id: 6724a474-cbba-41ef-a1aa-66aebf0879e2 + query: select * from uptime; + timeout: 120 + type: INPUT_ACTION + user_id: elastic schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': + $ref: '#/components/schemas/Security_Osquery_API_CreateLiveQueryResponse' + description: Indicates a successful call. 
+ summary: Create a live query + tags: + - Security Osquery API + x-metaTags: + - content: Kibana + name: product_name + /api/osquery/live_queries/{id}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/osquery/live_queries/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the details of a live query using the query ID. + operationId: OsqueryGetLiveQueryDetails + parameters: + - description: The ID of the live query. + in: path + name: id + required: true + schema: + description: The ID of the live query result you want to retrieve. + example: 3c42c847-eb30-4452-80e0-728584042334 + type: string + responses: + '200': content: application/json: examples: - notFoundExample: - description: No Fleet Server host was found with the given ID + liveQueryDetails: + summary: Live query details with execution status value: - error: Not Found - message: >- - The requested host id fleet-server-host-id-1 does not - exist. - statusCode: 404 + data: + '@timestamp': '2022-07-26T09:59:32.220Z' + action_id: 3c42c847-eb30-4452-80e0-728584042334 + agents: + - 16d7caf5-efd2-4212-9b62-73dafc91fa13 + expiration: '2022-07-26T10:04:32.220Z' + queries: + - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 + agents: + - 16d7caf5-efd2-4212-9b62-73dafc91fa13 + docs: 1 + failed: 0 + id: 6724a474-cbba-41ef-a1aa-66aebf0879e2 + pending: 0 + query: select * from uptime; + responded: 1 + status: completed + successful: 1 + status: completed + user_id: elastic schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Not Found - summary: Check Fleet Server health + $ref: '#/components/schemas/Security_Osquery_API_FindLiveQueryDetailsResponse' + description: Indicates a successful call. 
+ summary: Get live query details tags: - - Fleet internals - /api/fleet/kubernetes: + - Security Osquery API + x-metaTags: + - content: Kibana + name: product_name + /api/osquery/live_queries/{id}/results/{actionId}: get: - description: >- - Get the Kubernetes manifest for deploying Elastic - Agent.

[Required authorization] Route required privileges: - fleet-agent-policies-read OR fleet-setup. - operationId: get-fleet-kubernetes + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/osquery/live_queries/{id}/results/{actionId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the results of a live query using the query action ID. + operationId: OsqueryGetLiveQueryResults parameters: - - description: If true, returns the manifest as a downloadable file + - description: The ID of the live query. + in: path + name: id + required: true + schema: + description: The ID of the live query result you want to retrieve. + example: 3c42c847-eb30-4452-80e0-728584042334 + type: string + - description: The ID of the query action. + in: path + name: actionId + required: true + schema: + description: The ID of the query action that generated the live query results. + example: 609c4c66-ba3d-43fa-afdd-53e244577aa0 + type: string + - description: A KQL search string to filter results. in: query - name: download + name: kuery + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' + - description: The page number to return. + in: query + name: page + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' + - description: The number of results to return per page. + in: query + name: pageSize required: false schema: - type: boolean - - description: Fleet Server host URL to include in the manifest + $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' + - description: The field to sort results by. in: query - name: fleetServer + name: sort required: false schema: - type: string - - description: Enrollment token to include in the manifest + $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' + - description: The sort order. 
in: query - name: enrolToken + name: sortOrder required: false schema: - type: string + $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' responses: '200': content: application/json: examples: - getK8sManifestExample: - description: The Kubernetes manifest for deploying Elastic Agent - value: - item: >- - apiVersion: v1\nkind: ConfigMap\nmetadata:\n name: - agent-node-datastreams\n namespace: kube-system\n - schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_get_k8s_manifest_response - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response + liveQueryResults: + summary: Result rows from a live query execution value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + data: + edges: + - _id: doc1 + _source: + action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 + agent: + id: 16d7caf5-efd2-4212-9b62-73dafc91fa13 + osquery: + total_seconds: '12345' + - _id: doc2 + _source: + action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 + agent: + id: 16d7caf5-efd2-4212-9b62-73dafc91fa13 + osquery: + total_seconds: '67890' + total: 2 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get a full K8s agent manifest + $ref: '#/components/schemas/Security_Osquery_API_GetLiveQueryResultsResponse' + description: Indicates a successful call. + summary: Get live query results tags: - - Elastic Agent policies - /api/fleet/kubernetes/download: + - Security Osquery API + x-metaTags: + - content: Kibana + name: product_name + /api/osquery/packs: get: - description: >- - Download the Kubernetes manifest for deploying Elastic - Agent.

[Required authorization] Route required privileges: - fleet-agent-policies-read OR fleet-setup. - operationId: get-fleet-kubernetes-download + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/osquery/packs
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all query packs. + operationId: OsqueryFindPacks parameters: - - description: If true, returns the manifest as a downloadable file + - description: The page number to return. in: query - name: download + name: page required: false schema: - type: boolean - - description: Fleet Server host URL to include in the manifest + $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' + - description: The number of results to return per page. in: query - name: fleetServer + name: pageSize required: false schema: - type: string - - description: Enrollment token to include in the manifest + $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' + - description: The field to sort results by. in: query - name: enrolToken + name: sort required: false schema: - type: string + $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' + - description: The sort order. 
+ in: query + name: sortOrder + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' responses: '200': content: application/json: examples: - getDownloadK8sManifestExample: - description: The Kubernetes manifest download - value: >- - apiVersion: v1\nkind: ConfigMap\nmetadata:\n name: - agent-node-datastreams\n namespace: kube-system\n - schema: - type: string - description: >- - Successful response — returns the Kubernetes manifest as a YAML file - download - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response + packsList: + summary: A list of query packs value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + data: + - created_at: '2025-02-26T13:37:30.452Z' + created_by: elastic + description: My pack + enabled: true + name: my_pack + queries: + - id: ports + interval: 60 + query: SELECT * FROM listening_ports; + removed: false + snapshot: true + timeout: 120 + saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 + updated_at: '2025-02-26T13:37:30.452Z' + updated_by: elastic + version: 1 + page: 1 + per_page: 20 + total: 1 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': + $ref: '#/components/schemas/Security_Osquery_API_FindPacksResponse' + description: Indicates a successful call. + summary: Get packs + tags: + - Security Osquery API + x-metaTags: + - content: Kibana + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/osquery/packs
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a query pack. + operationId: OsqueryCreatePacks + requestBody: + content: + application/json: + examples: + createPack: + summary: Create a pack with a single query + value: + description: My pack + enabled: true + name: my_pack + policy_ids: + - my_policy_id + queries: + ports: + ecs_mapping: + client.port: + field: port + interval: 60 + query: SELECT * FROM listening_ports; + timeout: 120 + schema: + $ref: '#/components/schemas/Security_Osquery_API_CreatePacksRequestBody' + required: true + responses: + '200': content: application/json: examples: - notFoundExample: - description: No manifest was found + packCreated: + summary: Pack created value: - error: Not Found - message: Agent manifest not found - statusCode: 404 + data: + created_at: '2025-02-26T13:37:30.452Z' + created_by: elastic + description: My pack + enabled: true + name: my_pack + policy_ids: + - my_policy_id + queries: + ports: + interval: 60 + query: SELECT * FROM listening_ports; + removed: false + snapshot: true + timeout: 120 + saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 + shards: [] + updated_at: '2025-02-26T13:37:30.452Z' + updated_by: elastic + version: 1 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Not Found - summary: Download an agent manifest + $ref: '#/components/schemas/Security_Osquery_API_CreatePacksResponse' + description: Indicates a successful call. + summary: Create a pack tags: - - Elastic Agent policies - /api/fleet/logstash_api_keys: - post: - description: >- - Generate an API key for Logstash to use with a Fleet - output.

[Required authorization] Route required privileges: - fleet-settings-all. - operationId: post-fleet-logstash-api-keys + - Security Osquery API + x-metaTags: + - content: Kibana + name: product_name + /api/osquery/packs/{id}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/osquery/packs/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a query pack using the pack ID. + operationId: OsqueryDeletePacks parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf + - description: The pack ID. + in: path + name: id required: true schema: - example: 'true' - type: string + $ref: '#/components/schemas/Security_Osquery_API_PackId' responses: '200': content: application/json: examples: - postLogstashApiKeyExample: - description: The generated Logstash API key - value: - api_key: TiNAGG4BaaMdaH1tRfuU:KnR6yE41RrSowb0kQ0HWoA - schema: - additionalProperties: false - type: object - properties: - api_key: - type: string - required: - - api_key - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + packDeleted: + summary: Pack deleted (empty response body) + value: {} schema: - additionalProperties: false - description: Generic Error type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Generate a Logstash API key + properties: {} + description: Indicates a successful call. + summary: Delete a pack tags: - - Fleet outputs - /api/fleet/message_signing_service/rotate_key_pair: - post: - description: >- - Rotate the key pair used by Fleet to sign messages sent to Elastic - Agents. This operation is irreversible and requires all agents in the - Fleet to be re-enrolled after rotation. You must explicitly acknowledge - the risk by passing `acknowledge=true` as a query - parameter.

[Required authorization] Route required privileges: - fleet-agents-all AND fleet-agent-policies-all AND fleet-settings-all. - operationId: post-fleet-message-signing-service-rotate-key-pair + - Security Osquery API + x-metaTags: + - content: Kibana + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/osquery/packs/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the details of a query pack using the pack ID. + operationId: OsqueryGetPacksDetails parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf + - description: The pack ID. + in: path + name: id required: true schema: - example: 'true' - type: string - - description: >- - Set to true to confirm you understand the risks of rotating the key - pair - in: query - name: acknowledge - required: false - schema: - default: false - type: boolean + $ref: '#/components/schemas/Security_Osquery_API_PackId' responses: '200': content: application/json: examples: - rotateKeyPairSuccessExample: - description: >- - The key pair was rotated. All agents must be re-enrolled to - receive the new signing key. + packDetails: + summary: Pack details value: - message: Key pair rotated successfully. + data: + created_at: '2025-02-26T13:37:30.452Z' + created_by: elastic + description: My pack + enabled: true + name: my_pack + policy_ids: + - my_policy_id + queries: + ports: + interval: 60 + query: SELECT * FROM listening_ports; + removed: false + snapshot: true + timeout: 120 + saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 + shards: {} + updated_at: '2025-02-26T13:37:30.452Z' + updated_by: elastic + version: 1 schema: - additionalProperties: false - type: object - properties: - message: - type: string - required: - - message - description: Key pair rotated successfully - '400': + $ref: '#/components/schemas/Security_Osquery_API_FindPackResponse' + description: Indicates a successful call. + summary: Get pack details + tags: + - Security Osquery API + x-metaTags: + - content: Kibana + name: product_name + put: + description: | + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/osquery/packs/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update a query pack using the pack ID. + > info + > You cannot update a prebuilt pack. + operationId: OsqueryUpdatePacks + parameters: + - description: The pack ID. + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Osquery_API_PackId' + requestBody: + content: + application/json: + examples: + renamePack: + summary: Rename a pack and update its description + value: + description: Updated pack description + enabled: true + name: my_pack_renamed + schema: + $ref: '#/components/schemas/Security_Osquery_API_UpdatePacksRequestBody' + required: true + responses: + '200': content: application/json: examples: - acknowledgeRequiredExample: - description: >- - Request was rejected because the acknowledge query parameter - was not set to true + packUpdated: + summary: Pack updated value: - error: Bad Request - message: >- - Warning: this API will cause a key pair to rotate and - should not be necessary in normal operation. If you - proceed, you may need to reinstall Agents in your network. - You must acknowledge the risks of rotating the key pair - with acknowledge=true in the request parameters. For more - information, reach out to your administrator. 
- statusCode: 400 + data: + description: Updated pack description + enabled: true + name: my_pack_renamed + policy_ids: + - my_policy_id + queries: + ports: + interval: 60 + query: SELECT * FROM listening_ports; + removed: false + snapshot: true + timeout: 120 + saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 + shards: [] + updated_at: '2025-02-27T10:00:00.000Z' + updated_by: elastic + version: 2 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '500': + $ref: '#/components/schemas/Security_Osquery_API_UpdatePacksResponse' + description: Indicates a successful call. + summary: Update a pack + tags: + - Security Osquery API + x-metaTags: + - content: Kibana + name: product_name + /api/osquery/packs/{id}/copy: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/osquery/packs/{id}/copy
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a copy of a query pack with a unique name by appending a `_copy` suffix. If the name already exists, a numeric suffix is added (e.g., `_copy_2`). The copied pack is always created with `enabled` set to `false`. + operationId: OsqueryCopyPacks + parameters: + - description: The ID of the pack to copy. + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Osquery_API_PackId' + responses: + '200': content: application/json: examples: - serviceUnavailableExample: - description: The message signing service is not available + copyPackExample: + summary: Example response for copying a pack value: - error: Internal Server Error - message: >- - Failed to rotate key pair. Message signing service is - unavailable! - statusCode: 500 + data: + created_at: '2025-02-26T13:37:30.452Z' + created_by: elastic + description: My pack + enabled: false + name: my_pack_copy + policy_ids: [] + queries: + - ecs_mapping: + - key: client.port + value: + field: port + id: ports + interval: 60 + query: SELECT * FROM listening_ports; + removed: false + snapshot: true + timeout: 120 + saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 + shards: [] + updated_at: '2025-02-26T13:37:30.452Z' + updated_by: elastic schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Internal Server Error - summary: Rotate a Fleet message signing key pair + $ref: '#/components/schemas/Security_Osquery_API_CopyPacksResponse' + description: Indicates a successful call. 
+ summary: Copy a pack tags: - - Message Signing Service - /api/fleet/outputs: + - Security Osquery API + x-state: Generally available; Added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/osquery/saved_queries: get: - description: >- - List all Fleet outputs.

[Required authorization] Route required - privileges: fleet-settings-read OR fleet-agent-policies-read. - operationId: get-fleet-outputs - parameters: [] + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/osquery/saved_queries
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all saved queries. + operationId: OsqueryFindSavedQueries + parameters: + - description: The page number to return. + in: query + name: page + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' + - description: The number of results to return per page. + in: query + name: pageSize + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' + - description: The field to sort results by. + in: query + name: sort + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' + - description: The sort order. + in: query + name: sortOrder + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' responses: '200': content: application/json: examples: - getOutputsExample: - description: List of Fleet outputs + savedQueriesList: + summary: A list of saved queries value: - items: - - hosts: - - https://elasticsearch.example.com:9200 - id: output-id-1 - is_default: true - is_default_monitoring: true - name: Default output - type: elasticsearch + data: + - created_at: '2025-02-26T13:37:30.452Z' + created_by: elastic + description: Saved query description + ecs_mapping: + host.uptime: + field: total_seconds + id: my_saved_query + interval: '60' + platform: linux,darwin + query: select * from uptime; + saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c + timeout: 120 + updated_at: '2025-02-26T13:37:30.452Z' + updated_by: elastic page: 1 - perPage: 20 + per_page: 20 total: 1 schema: - additionalProperties: false - type: object - properties: - items: - items: - anyOf: - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_output_elasticsearch - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_output_remote_elasticsearch - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_output_logstash - - $ref: 
'#/components/schemas/Kibana_HTTP_APIs_output_kafka' - maxItems: 10000 - type: array - page: - type: number - perPage: - type: number - total: - type: number - required: - - items - - total - - page - - perPage - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get outputs + $ref: '#/components/schemas/Security_Osquery_API_FindSavedQueryResponse' + description: Indicates a successful call. + summary: Get saved queries tags: - - Fleet outputs + - Security Osquery API + x-metaTags: + - content: Kibana + name: product_name post: - description: >- - Create a new Fleet output.

[Required authorization] Route - required privileges: fleet-settings-all. - operationId: post-fleet-outputs - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/osquery/saved_queries
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create and save a query for later use. + operationId: OsqueryCreateSavedQuery requestBody: content: application/json: examples: - postOutputRequestExample: - description: Create a new Elasticsearch output + createSavedQuery: + summary: Create a saved query value: - hosts: - - https://elasticsearch.example.com:9200 - is_default: false - is_default_monitoring: false - name: My output - type: elasticsearch + description: Saved query description + ecs_mapping: + host.uptime: + field: total_seconds + id: my_saved_query + interval: '60' + platform: linux,darwin + query: select * from uptime; + timeout: 120 schema: - anyOf: - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_new_output_elasticsearch - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_new_output_remote_elasticsearch - - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_output_logstash' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_new_output_kafka' + $ref: '#/components/schemas/Security_Osquery_API_CreateSavedQueryRequestBody' + required: true responses: '200': content: application/json: examples: - postOutputExample: - description: The created Fleet output - value: - item: - hosts: - - https://elasticsearch.example.com:9200 - id: output-id-2 - is_default: false - is_default_monitoring: false - name: My output - type: elasticsearch - schema: - additionalProperties: false - type: object - properties: - item: - anyOf: - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_output_elasticsearch - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_output_remote_elasticsearch - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_logstash' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_kafka' - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response + 
savedQueryCreated: + summary: Saved query created value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + data: + created_at: '2025-02-26T13:37:30.452Z' + created_by: elastic + description: Saved query description + ecs_mapping: + host.uptime: + field: total_seconds + id: my_saved_query + interval: '60' + platform: linux,darwin + query: select * from uptime; + saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c + timeout: 120 + updated_at: '2025-02-26T13:37:30.452Z' + updated_by: elastic schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Create output + $ref: '#/components/schemas/Security_Osquery_API_CreateSavedQueryResponse' + description: Indicates a successful call. + summary: Create a saved query tags: - - Fleet outputs - /api/fleet/outputs/{outputId}: + - Security Osquery API + x-metaTags: + - content: Kibana + name: product_name + /api/osquery/saved_queries/{id}: delete: - description: >- - Delete output by ID.

[Required authorization] Route required - privileges: fleet-settings-all. - operationId: delete-fleet-outputs-outputid + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/osquery/saved_queries/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a saved query using the query ID. + operationId: OsqueryDeleteSavedQuery parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The ID of the output + - description: The saved query ID. in: path - name: outputId + name: id required: true schema: - type: string + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' responses: '200': content: application/json: examples: - deleteOutputExample: - description: The output was successfully deleted - value: - id: output-id-1 - schema: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No output was found with the given ID - value: - error: Not Found - message: Output output-id-1 not found - statusCode: 404 + savedQueryDeleted: + summary: Saved query deleted (empty response body) + value: {} schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Not 
Found - summary: Delete output + $ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse' + description: Indicates a successful call. + summary: Delete a saved query tags: - - Fleet outputs + - Security Osquery API + x-metaTags: + - content: Kibana + name: product_name get: - description: >- - Get output by ID.

[Required authorization] Route required - privileges: fleet-settings-read OR fleet-agent-policies-read. - operationId: get-fleet-outputs-outputid + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/osquery/saved_queries/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the details of a saved query using the query ID. + operationId: OsqueryGetSavedQueryDetails parameters: - - description: The ID of the output + - description: The saved query ID. in: path - name: outputId + name: id required: true schema: - type: string + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' responses: '200': content: application/json: examples: - getOutputExample: - description: A Fleet output - value: - item: - hosts: - - https://elasticsearch.example.com:9200 - id: output-id-1 - is_default: true - is_default_monitoring: true - name: Default output - type: elasticsearch - schema: - additionalProperties: false - type: object - properties: - item: - anyOf: - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_output_elasticsearch - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_output_remote_elasticsearch - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_logstash' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_kafka' - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response + savedQueryDetails: + summary: Saved query details value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + data: + created_at: '2025-02-26T13:37:30.452Z' + created_by: elastic + description: Saved query description + ecs_mapping: + host.uptime: + field: total_seconds + id: my_saved_query + interval: '60' + platform: linux,darwin + query: select * from uptime; + saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c + timeout: 120 + updated_at: '2025-02-26T13:37:30.452Z' + updated_by: elastic schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - 
message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No output was found with the given ID - value: - error: Not Found - message: Output output-id-1 not found - statusCode: 404 - description: Not Found - summary: Get output + $ref: '#/components/schemas/Security_Osquery_API_FindSavedQueryDetailResponse' + description: Indicates a successful call. + summary: Get saved query details tags: - - Fleet outputs + - Security Osquery API + x-metaTags: + - content: Kibana + name: product_name put: - description: >- - Update output by ID.

[Required authorization] Route required - privileges: fleet-settings-all OR fleet-agent-policies-all. - operationId: put-fleet-outputs-outputid + description: | + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/osquery/saved_queries/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update a saved query using the query ID. + > info + > You cannot update a prebuilt saved query. + operationId: OsqueryUpdateSavedQuery parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The ID of the output + - description: The saved query ID. in: path - name: outputId + name: id required: true schema: - type: string + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' requestBody: content: application/json: examples: - putOutputRequestExample: - description: Update a Fleet output + updateSavedQuery: + summary: Update a saved query value: - hosts: - - https://updated-elasticsearch.example.com:9200 - name: Updated output + description: Updated saved query description + id: my_saved_query + interval: '120' + platform: linux,darwin + query: select * from osquery_info; + timeout: 60 schema: - anyOf: - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_update_output_elasticsearch - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_update_output_remote_elasticsearch - - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_output_logstash' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_update_output_kafka' + $ref: '#/components/schemas/Security_Osquery_API_UpdateSavedQueryRequestBody' + required: true responses: '200': content: application/json: examples: - putOutputExample: - description: The updated Fleet output - value: - item: - hosts: - - https://updated-elasticsearch.example.com:9200 - id: output-id-1 - is_default: true - is_default_monitoring: true - name: Updated output - type: elasticsearch - schema: - additionalProperties: false - type: object - properties: - item: - anyOf: - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_output_elasticsearch - - $ref: >- - 
#/components/schemas/Kibana_HTTP_APIs_output_remote_elasticsearch - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_logstash' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_kafka' - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No output was found with the given ID + savedQueryUpdated: + summary: Saved query updated value: - error: Not Found - message: Output output-id-1 not found - statusCode: 404 - description: Not Found - summary: Update output + data: + description: Updated saved query description + id: my_saved_query + interval: '120' + platform: linux,darwin + query: select * from osquery_info; + saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c + timeout: 60 + updated_at: '2025-02-27T10:00:00.000Z' + updated_by: elastic + schema: + $ref: '#/components/schemas/Security_Osquery_API_UpdateSavedQueryResponse' + description: Indicates a successful call. + summary: Update a saved query tags: - - Fleet outputs - /api/fleet/outputs/{outputId}/health: - get: - description: >- - Get the latest health status of an output by ID.

[Required - authorization] Route required privileges: fleet-settings-read. - operationId: get-fleet-outputs-outputid-health + - Security Osquery API + x-metaTags: + - content: Kibana + name: product_name + /api/osquery/saved_queries/{id}/copy: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/osquery/saved_queries/{id}/copy
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a copy of a saved query with a unique name by appending a `_copy` suffix. If the name already exists, a numeric suffix is added (e.g., `_copy_2`). + operationId: OsqueryCopySavedQuery parameters: - - description: The ID of the output + - description: The ID of the saved query to copy. in: path - name: outputId + name: id required: true schema: - type: string + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' responses: '200': content: application/json: examples: - getOutputHealthExample: - description: The latest health status of a Fleet output - value: - message: '' - state: HEALTHY - timestamp: '2024-01-15T10:00:00.000Z' - schema: - additionalProperties: false - type: object - properties: - message: - description: long message if unhealthy - type: string - state: - description: state of output, HEALTHY or DEGRADED - type: string - timestamp: - description: timestamp of reported state - type: string - required: - - state - - message - - timestamp - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response + copySavedQueryExample: + summary: Example response for copying a saved query value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + data: + created_at: '2025-02-26T13:37:30.452Z' + created_by: elastic + description: Saved query description + ecs_mapping: + host.uptime: + field: total_seconds + id: my_saved_query_copy + interval: '60' + platform: linux,darwin + query: select * from uptime; + removed: false + saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c + snapshot: true + timeout: 120 + updated_at: '2025-02-26T13:37:30.452Z' + updated_by: elastic schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - 
error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get the latest output health + $ref: '#/components/schemas/Security_Osquery_API_CopySavedQueryResponse' + description: Indicates a successful call. + summary: Copy a saved query tags: - - Fleet outputs - /api/fleet/package_policies: + - Security Osquery API + x-state: Generally available; Added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/osquery/scheduled_results/{scheduleId}/{executionCount}: get: - description: List all package policies. - operationId: get-fleet-package-policies + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/osquery/scheduled_results/{scheduleId}/{executionCount}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get paginated per-agent action results for a specific scheduled query execution, with success/failure aggregation and execution metadata (pack name, query name/text, timestamp). + operationId: OsqueryGetScheduledActionResults parameters: - - description: Page number - in: query - name: page - required: false - schema: - type: number - - description: Number of results per page - in: query - name: perPage - required: false - schema: - type: number - - description: Field to sort results by - in: query - name: sortField - required: false + - description: The schedule ID of the scheduled query. + in: path + name: scheduleId + required: true schema: + description: The schedule ID of the scheduled query. + example: pack_my_pack_uptime type: string - - description: Sort order, ascending or descending + - description: The execution count for this scheduled query run. + in: path + name: executionCount + required: true + schema: + description: The execution count for this scheduled query run. + example: 3 + type: integer + - description: The kuery to filter the results by. in: query - name: sortOrder + name: kuery required: false schema: - enum: - - desc - - asc - type: string - - description: When true, only show policies with available upgrades + $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' + - description: The page number to return. The default is 1. in: query - name: showUpgradeable + name: page required: false schema: - type: boolean - - description: A KQL query string to filter results + $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' + - description: The number of results to return per page. The default is 20. 
in: query - name: kuery + name: pageSize required: false schema: - type: string - - description: 'Format for the response: simplified or legacy' + $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' + - description: The field that is used to sort the results. in: query - name: format + name: sort required: false schema: - enum: - - simplified - - legacy - type: string - - description: When true, include the agent count per package policy + $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' + - description: Specifies the sort order. in: query - name: withAgentCount + name: sortOrder required: false schema: - type: boolean + $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' responses: '200': content: application/json: examples: - getPackagePoliciesExample: - description: List of package policies - value: - items: - - created_at: '2024-01-15T10:00:00.000Z' - enabled: true - id: package-policy-id-1 - inputs: [] - name: nginx-1 - namespace: default - package: - name: nginx - title: Nginx - version: 1.20.0 - policy_ids: - - agent-policy-id-1 - updated_at: '2024-01-15T10:00:00.000Z' - page: 1 - perPage: 20 - total: 1 - schema: - additionalProperties: false - type: object - properties: - items: - items: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_package_policy_response - maxItems: 10000 - type: array - page: - type: number - perPage: - type: number - total: - type: number - required: - - items - - total - - page - - perPage - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response + scheduledActionResultsExample: + summary: Example scheduled action results response value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + aggregations: + failed: 1 + pending: 0 + successful: 9 + totalResponded: 10 + totalRowCount: 42 + currentPage: 0 + edges: + - _id: 
result-001 + fields: + agent_id: 16d7caf5-efd2-4212-9b62-73dafc91fa13 + rows_count: 5 + status: success + metadata: + executionCount: 3 + packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d + packName: My Pack + queryName: uptime + queryText: select * from uptime; + scheduleId: pack_my_pack_uptime + timestamp: '2024-07-26T09:00:00.000Z' + pageSize: 20 + total: 10 + totalPages: 1 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get package policies + $ref: '#/components/schemas/Security_Osquery_API_GetScheduledActionResultsResponse' + description: Indicates a successful call. + summary: Get scheduled action results tags: - - Fleet package policies - post: - description: Create a new package policy and assign it to an agent policy. - operationId: post-fleet-package-policies + - Security Osquery API + x-state: Generally available; Added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/osquery/scheduled_results/{scheduleId}/{executionCount}/results: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/osquery/scheduled_results/{scheduleId}/{executionCount}/results
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get paginated query result rows (the actual osquery output data) for a specific scheduled query execution. + operationId: OsqueryGetScheduledQueryResults parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf + - description: The schedule ID of the scheduled query. + in: path + name: scheduleId required: true schema: - example: 'true' + description: The schedule ID of the scheduled query. + example: pack_my_pack_uptime type: string - - description: 'Format for the response: simplified or legacy' + - description: The execution count for this scheduled query run. + in: path + name: executionCount + required: true + schema: + description: The execution count for this scheduled query run. + example: 3 + type: integer + - description: The kuery to filter the results by. in: query - name: format + name: kuery required: false schema: - enum: - - simplified - - legacy + $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' + - description: The page number to return. The default is 1. + in: query + name: page + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' + - description: The number of results to return per page. The default is 20. + in: query + name: pageSize + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' + - description: The field that is used to sort the results. + in: query + name: sort + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' + - description: Specifies the sort order. + in: query + name: sortOrder + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' + - description: The start date filter (ISO 8601) to narrow down results. 
+ in: query + name: startDate + required: false + schema: + description: The start date filter (ISO 8601) to narrow down results. + example: '2024-01-01T00:00:00Z' type: string - requestBody: - content: - application/json: - examples: - postPackagePolicyRequestExample: - description: Create a new nginx package policy - value: - inputs: {} - name: nginx-1 - namespace: default - package: - name: nginx - version: 1.20.0 - policy_ids: - - agent-policy-id-1 - schema: - anyOf: - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_create_package_policy_request - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_simplified_create_package_policy_request - description: >- - You should use inputs as an object and not use the deprecated - inputs array. responses: '200': content: application/json: examples: - postPackagePolicyExample: - description: The created package policy - value: - item: - created_at: '2024-01-15T10:00:00.000Z' - enabled: true - id: package-policy-id-2 - inputs: [] - name: nginx-1 - namespace: default - package: - name: nginx - title: Nginx - version: 1.20.0 - policy_ids: - - agent-policy-id-1 - updated_at: '2024-01-15T10:00:00.000Z' - schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_create_package_policy_response - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '409': - content: - application/json: - examples: - conflictExample: - description: A package policy with the same name already exists + scheduledQueryResultsExample: + 
summary: Example scheduled query results response value: - error: Conflict - message: An error message describing what went wrong - statusCode: 409 + data: + edges: + - _id: row-001 + fields: + host.uptime: + - '12345' + - _id: row-002 + fields: + host.uptime: + - '67890' + total: 2 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Conflict - summary: Create a package policy + $ref: '#/components/schemas/Security_Osquery_API_GetScheduledQueryResultsResponse' + description: Indicates a successful call. + summary: Get scheduled query results tags: - - Fleet package policies - /api/fleet/package_policies/_bulk_get: - post: - description: Get multiple package policies by ID. - operationId: post-fleet-package-policies-bulk-get - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: 'Format for the response: simplified or legacy' - in: query - name: format - required: false - schema: - enum: - - simplified - - legacy - type: string + - Security Osquery API + x-state: Generally available; Added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/pinned_event: + patch: + description: |- + **Spaces method and path for this operation:** + +
patch /s/{space_id}/api/pinned_event
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Pin/unpin an event to/from an existing Timeline. + operationId: PersistPinnedEventRoute requestBody: content: application/json: examples: - postBulkGetPackagePoliciesRequestExample: - description: Retrieve multiple package policies by ID + pinEvent: + summary: Pin an event value: - ids: - - package-policy-id-1 - - package-policy-id-2 + eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc + timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e schema: - additionalProperties: false type: object properties: - ids: - description: list of package policy ids - items: - type: string - maxItems: 1000 - type: array - ignoreMissing: - type: boolean + eventId: + description: The `_id` of the associated event for this pinned event. + example: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc + type: string + pinnedEventId: + description: The `savedObjectId` of the pinned event you want to unpin. + example: 10r1929b-0af7-42bd-85a8-56e234f98h2f3 + nullable: true + type: string + timelineId: + description: The `savedObjectId` of the timeline that you want this pinned event unpinned from. + example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + type: string required: - - ids + - eventId + - timelineId + description: The pinned event to add or unpin, along with additional metadata. 
+ required: true responses: '200': content: application/json: examples: - postBulkGetPackagePoliciesExample: - description: The requested package policies + pinnedSaved: + summary: Pinned event saved object value: - items: - - created_at: '2024-01-15T10:00:00.000Z' - enabled: true - id: package-policy-id-1 - inputs: [] - name: nginx-1 - namespace: default - package: - name: nginx - title: Nginx - version: 1.20.0 - policy_ids: - - agent-policy-id-1 - updated_at: '2024-01-15T10:00:00.000Z' + eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc + pinnedEventId: 10r1929b-0af7-42bd-85a8-56e234f98h2f3 + timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + version: WzQ2LDFe + unpinned: + summary: Unpin response + value: + unpinned: true schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_bulk_get_package_policies_response - description: Successful response - '400': + $ref: '#/components/schemas/Security_Timeline_API_PersistPinnedEventResponse' + description: Indicates a successful call. + summary: Pin/unpin an event + tags: + - Security Timeline API + x-metaTags: + - content: Kibana + name: product_name + /api/risk_score/engine/dangerously_delete_data: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/risk_score/engine/dangerously_delete_data
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Cleaning up the the Risk Engine by removing the indices, mapping and transforms + operationId: CleanUpRiskEngine + responses: + '200': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + CleanUpRiskEngineResponse: + summary: Successful cleanup response value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + cleanup_successful: true schema: - additionalProperties: false - description: Generic Error type: object properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': + cleanup_successful: + type: boolean + description: Successful response + '400': content: application/json: examples: - notFoundExample: - description: One or more package policies were not found + taskManagerUnavailable: + summary: Task manager is unavailable value: - error: Not Found - message: Package policy package-policy-id-2 not found - statusCode: 404 + message: Task Manager is unavailable, but is required by the risk engine. Please enable the taskManager plugin and try again. + status_code: 400 schema: - additionalProperties: false - type: object - properties: - message: - type: string - required: - - message - description: Not Found - summary: Bulk get package policies + $ref: '#/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse' + description: Task manager is unavailable + default: + content: + application/json: + examples: + cleanupFailed: + summary: Cleanup failed + value: + cleanup_successful: false + errors: + - error: Risk engine is disabled or deleted already. 
+ seq: 1 + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_CleanUpRiskEngineErrorResponse' + description: Unexpected error + summary: Cleanup the Risk Engine tags: - - Fleet package policies - /api/fleet/package_policies/{packagePolicyId}: - delete: - description: >- - Delete a package policy by ID.

[Required authorization] Route - required privileges: fleet-agent-policies-all AND integrations-all. - operationId: delete-fleet-package-policies-packagepolicyid - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The ID of the package policy - in: path - name: packagePolicyId - required: true - schema: - type: string - - description: When true, delete the package policy even if it is managed - in: query - name: force - required: false - schema: - type: boolean + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/risk_score/engine/saved_object/configure: + patch: + description: |- + **Spaces method and path for this operation:** + +
patch /s/{space_id}/api/risk_score/engine/saved_object/configure
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Configuring the Risk Engine Saved Object + operationId: ConfigureRiskEngineSavedObject + requestBody: + content: + application/json: + examples: + ConfigureRiskEngineSavedObjectRequest: + summary: Configure the risk engine saved object + value: + enable_reset_to_zero: false + exclude_alert_statuses: + - closed + exclude_alert_tags: + - low-priority + filters: + - entity_types: + - host + - user + filter: 'host.name: *' + range: + end: now + start: now-30d + schema: + type: object + properties: + enable_reset_to_zero: + type: boolean + exclude_alert_statuses: + items: + type: string + type: array + exclude_alert_tags: + items: + type: string + type: array + filters: + items: + type: object + properties: + entity_types: + items: + enum: + - host + - user + - service + type: string + type: array + filter: + description: KQL filter string + type: string + required: + - entity_types + - filter + type: array + page_size: + description: | + Number of entities to score per page. Higher values reduce total scoring time by reducing the number of alert-index scans, but cannot exceed the ES|QL result limit (10,000 by default). 
+ maximum: 10000 + minimum: 100 + type: integer + range: + type: object + properties: + end: + type: string + start: + type: string + required: true responses: '200': content: application/json: examples: - deletePackagePolicyExample: - description: The package policy was successfully deleted + ConfigureRiskEngineSavedObjectResponse: + summary: Successful configuration response value: - id: package-policy-id-1 + risk_engine_saved_object_configured: true schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_delete_one_package_policy_response + type: object + properties: + risk_engine_saved_object_configured: + type: boolean description: Successful response '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + taskManagerUnavailable: + summary: Task manager is unavailable value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + message: Task Manager is unavailable, but is required by the risk engine. Please enable the taskManager plugin and try again. 
+ status_code: 400 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Delete a package policy + $ref: '#/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse' + description: Task manager is unavailable + default: + content: + application/json: + examples: + configureError: + summary: Configure saved object failed + value: + errors: + - error: Internal server error + seq: 1 + risk_engine_saved_object_configured: false + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_ConfigureRiskEngineSavedObjectErrorResponse' + description: Unexpected error + summary: Configure the Risk Engine Saved Object tags: - - Fleet package policies - get: - description: Get a package policy by ID. - operationId: get-fleet-package-policies-packagepolicyid - parameters: - - description: The ID of the package policy - in: path - name: packagePolicyId - required: true - schema: - type: string - - description: 'Format for the response: simplified or legacy' - in: query - name: format - required: false - schema: - enum: - - simplified - - legacy - type: string + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/risk_score/engine/schedule_now: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/risk_score/engine/schedule_now
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Schedule the risk scoring engine to run as soon as possible. You can use this to recalculate entity risk scores after updating their asset criticality. + operationId: ScheduleRiskEngineNow + requestBody: + content: + application/json: + examples: + emptyRequest: + summary: No request body + value: {} + schema: + type: object responses: '200': content: application/json: examples: - getPackagePolicyExample: - description: A package policy + ScheduleRiskEngineNowResponse: + summary: Successful schedule response value: - item: - created_at: '2024-01-15T10:00:00.000Z' - enabled: true - id: package-policy-id-1 - inputs: [] - name: nginx-1 - namespace: default - package: - name: nginx - title: Nginx - version: 1.20.0 - policy_ids: - - agent-policy-id-1 - updated_at: '2024-01-15T10:00:00.000Z' + success: true schema: - additionalProperties: false - type: object - properties: - item: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_package_policy_response - required: - - item + $ref: '#/components/schemas/Security_Entity_Analytics_API_RiskEngineScheduleNowResponse' description: Successful response '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + taskManagerUnavailable: + summary: Task manager is unavailable value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + message: Task Manager is unavailable, but is required by the risk engine. Please enable the taskManager plugin and try again. 
+ status_code: 400 schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': + $ref: '#/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse' + description: Task manager is unavailable + default: content: application/json: examples: - notFoundExample: - description: No package policy was found with the given ID + scheduleNowError: + summary: Schedule now failed value: - error: Not Found - message: Package policy package-policy-id-1 not found - statusCode: 404 + full_error: '{}' + message: Internal server error schema: - additionalProperties: false - type: object - properties: - message: - type: string - required: - - message - description: Not Found - summary: Get a package policy + $ref: '#/components/schemas/Security_Entity_Analytics_API_RiskEngineScheduleNowErrorResponse' + description: Unexpected error + summary: Run the risk scoring engine tags: - - Fleet package policies - put: - description: Update a package policy by ID. - operationId: put-fleet-package-policies-packagepolicyid + - Security Entity Analytics API + x-metaTags: + - content: Kibana + name: product_name + /api/saved_objects/_bulk_create: + post: + deprecated: true + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/saved_objects/_bulk_create
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + WARNING: This API is deprecated. This is a legacy Saved Objects API and may be removed in a future version of Kibana. + + Creates multiple Kibana saved objects in a single request. + + For transferring or backing up saved objects, prefer the import and export APIs (`POST /api/saved_objects/_import` and `POST /api/saved_objects/_export`). + operationId: post-saved-objects-bulk-create parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -34459,143 +49973,153 @@ paths: schema: example: 'true' type: string - - description: The ID of the package policy - in: path - name: packagePolicyId - required: true - schema: - type: string - - description: 'Format for the response: simplified or legacy' + - description: Overwrite existing saved objects that match the same type and ID. in: query - name: format + name: overwrite required: false schema: - enum: - - simplified - - legacy - type: string + default: false + type: boolean requestBody: content: application/json: examples: - putPackagePolicyRequestExample: - description: Update a package policy + bulkCreateRequest: + summary: Create multiple saved objects (partial success) value: - enabled: true - inputs: {} - name: nginx-1-updated - namespace: default - package: - name: nginx - version: 1.20.0 - policy_ids: - - agent-policy-id-1 + - attributes: + title: Example dashboard 1 + id: example-dashboard-1 + references: [] + type: dashboard + - attributes: + title: Example dashboard 2 + id: example-dashboard-2 + references: [] + type: dashboard schema: - anyOf: - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_update_package_policy_request - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_simplified_create_package_policy_request - responses: - '200': - content: - application/json: - examples: - putPackagePolicyExample: - description: The updated package policy - value: - item: - created_at: '2024-01-15T10:00:00.000Z' - enabled: true - id: package-policy-id-1 - inputs: [] - name: nginx-1-updated - namespace: default - package: - name: nginx - title: Nginx - version: 1.20.0 - policy_ids: - - agent-policy-id-1 - updated_at: '2024-01-15T11:00:00.000Z' - schema: - additionalProperties: false - type: object - properties: - item: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_package_policy_response - required: - - item - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: 
Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: + items: additionalProperties: false - description: Generic Error type: object properties: attributes: - nullable: true - error: - type: string - errorType: + additionalProperties: + nullable: true + type: object + coreMigrationVersion: type: string - message: + id: type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '403': - content: - application/json: - examples: - forbiddenExample: - description: The update is not authorized for this package - value: - error: Forbidden - message: An error message describing what went wrong - statusCode: 403 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: + initialNamespaces: + items: + type: string + maxItems: 100 + minItems: 1 + type: array + migrationVersion: + additionalProperties: + type: string + type: object + references: + items: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + type: + type: string + required: + - name + - type + - id + maxItems: 1000 + type: array + type: type: string - errorType: + typeMigrationVersion: type: string - message: + version: type: string - statusCode: - type: number required: - - message + - type - attributes - description: Forbidden - summary: Update a package policy + maxItems: 10000 + type: array + responses: + '200': + content: + application/json: + examples: + bulkCreateResponse: + summary: A bulk create response with one conflict + value: + saved_objects: + - attributes: + title: Example dashboard 1 + id: example-dashboard-1 + managed: false + namespaces: + - default + references: [] + type: dashboard + updated_at: '2026-04-17T12:00:00.000Z' + version: WzEsMV0= + - error: + error: Conflict + message: Saved object 
[dashboard/example-dashboard-2] conflict + statusCode: 409 + id: example-dashboard-2 + type: dashboard + description: A bulk create response. + '400': + content: + application/json: + examples: + badRequestResponse: + summary: A bad request error + value: + error: Bad Request + message: 'Unsupported saved object type(s): unknownType' + statusCode: 400 + description: A bad request. + summary: Create saved objects tags: - - Fleet package policies - /api/fleet/package_policies/delete: + - saved objects + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/saved_objects/_bulk_create?overwrite=false" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '[{"type":"dashboard","id":"example-dashboard-1","attributes":{"title":"Example dashboard 1"},"references":[]},{"type":"dashboard","id":"example-dashboard-2","attributes":{"title":"Example dashboard 2"},"references":[]}]' + - lang: Console + source: | + POST kbn://api/saved_objects/_bulk_create?overwrite=false + [{"type":"dashboard","id":"example-dashboard-1","attributes":{"title":"Example dashboard 1"},"references":[]},{"type":"dashboard","id":"example-dashboard-2","attributes":{"title":"Example dashboard 2"},"references":[]}] + x-metaTags: + - content: Kibana + name: product_name + /api/saved_objects/_bulk_delete: post: - description: >- - Delete multiple package policies by ID.

[Required - authorization] Route required privileges: fleet-agent-policies-all AND - integrations-all. - operationId: post-fleet-package-policies-delete + deprecated: true + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/saved_objects/_bulk_delete
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + WARNING: This API is deprecated. This is a legacy Saved Objects API and may be removed in a future version of Kibana. + + Deletes multiple Kibana saved objects in a single request. + + There is currently no complete replacement for deleting arbitrary saved objects via an HTTP API. + operationId: post-saved-objects-bulk-delete parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -34604,77 +50128,103 @@ paths: schema: example: 'true' type: string + - description: When true, force deletion of multi-namespace objects from all namespaces. + in: query + name: force + required: false + schema: + type: boolean requestBody: content: application/json: examples: - postDeletePackagePoliciesRequestExample: - description: Delete multiple package policies by ID + bulkDeleteRequest: + summary: Delete multiple saved objects value: - packagePolicyIds: - - package-policy-id-1 - - package-policy-id-2 + - id: example-dashboard-1 + type: dashboard + - id: does-not-exist + type: dashboard schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_delete_package_policies_request + items: + additionalProperties: false + type: object + properties: + id: + type: string + type: + type: string + required: + - type + - id + maxItems: 10000 + type: array responses: '200': content: application/json: examples: - postDeletePackagePoliciesExample: - description: Results of the bulk delete operation + bulkDeleteResponse: + summary: A bulk delete response with one not found result value: - - id: package-policy-id-1 - success: true - - id: package-policy-id-2 - success: true - schema: - items: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_package_policy_status_response - maxItems: 10000 - type: array - description: Successful response + statuses: + - id: example-dashboard-1 + success: true + type: dashboard + - error: + error: Not Found + message: Saved object [dashboard/does-not-exist] not found + statusCode: 404 + id: does-not-exist + success: false + type: dashboard + description: A bulk delete response. 
'400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequestResponse: + summary: A bad request error value: error: Bad Request - message: An error message describing what went wrong + message: 'Unsupported saved object type(s): unknownType' statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Bulk delete package policies + description: A bad request. + summary: Delete saved objects tags: - - Fleet package policies - /api/fleet/package_policies/upgrade: + - saved objects + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/saved_objects/_bulk_delete?force=false" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '[{"type":"dashboard","id":"example-dashboard-1"},{"type":"dashboard","id":"does-not-exist"}]' + - lang: Console + source: | + POST kbn://api/saved_objects/_bulk_delete?force=false + [{"type":"dashboard","id":"example-dashboard-1"},{"type":"dashboard","id":"does-not-exist"}] + x-metaTags: + - content: Kibana + name: product_name + /api/saved_objects/_bulk_get: post: - description: >- - Upgrade a package policy to a newer package version.

[Required - authorization] Route required privileges: fleet-agent-policies-all AND - integrations-all. - operationId: post-fleet-package-policies-upgrade + deprecated: true + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/saved_objects/_bulk_get
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + WARNING: This API is deprecated. This is a legacy Saved Objects API and may be removed in a future version of Kibana. + + Retrieves multiple Kibana saved objects by type and ID in a single request. + + For transferring or backing up saved objects, prefer the export API (`POST /api/saved_objects/_export`). + operationId: post-saved-objects-bulk-get parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -34687,71 +50237,109 @@ paths: content: application/json: examples: - postUpgradePackagePoliciesRequestExample: - description: Upgrade package policies to the latest version + bulkGetRequest: + summary: Get multiple saved objects value: - packagePolicyIds: - - package-policy-id-1 + - id: example-dashboard-1 + type: dashboard + - id: does-not-exist + type: dashboard schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_upgrade_package_policies_request + items: + additionalProperties: false + type: object + properties: + fields: + items: + type: string + maxItems: 100 + type: array + id: + type: string + namespaces: + items: + type: string + maxItems: 100 + type: array + type: + type: string + required: + - type + - id + maxItems: 10000 + type: array responses: '200': content: application/json: examples: - postUpgradePackagePoliciesExample: - description: Results of the upgrade operation + bulkGetResponse: + summary: A bulk get response with one not found result value: - - id: package-policy-id-1 - name: nginx-1 - success: true - schema: - items: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_package_policy_status_response - maxItems: 10000 - type: array - description: Successful response + saved_objects: + - attributes: + title: Example dashboard 1 + id: example-dashboard-1 + managed: false + namespaces: + - default + references: [] + type: dashboard + updated_at: '2026-04-17T12:00:00.000Z' + version: WzEsMV0= + - error: + error: Not Found + message: Saved object [dashboard/does-not-exist] not found + statusCode: 404 + id: does-not-exist + type: dashboard + description: A bulk get response. 
'400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequestResponse: + summary: A bad request error value: error: Bad Request - message: An error message describing what went wrong + message: 'Unsupported saved object type(s): unknownType' statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Upgrade a package policy + description: A bad request. + summary: Get saved objects tags: - - Fleet package policies - /api/fleet/package_policies/upgrade/dryrun: + - saved objects + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/saved_objects/_bulk_get" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '[{"type":"dashboard","id":"example-dashboard-1"},{"type":"dashboard","id":"does-not-exist"}]' + - lang: Console + source: | + POST kbn://api/saved_objects/_bulk_get + [{"type":"dashboard","id":"example-dashboard-1"},{"type":"dashboard","id":"does-not-exist"}] + x-metaTags: + - content: Kibana + name: product_name + /api/saved_objects/_bulk_resolve: post: - description: >- - Preview the changes that would be applied by upgrading a package policy - to a newer package version.

[Required authorization] Route - required privileges: fleet-agent-policies-read AND integrations-read. - operationId: post-fleet-package-policies-upgrade-dryrun + deprecated: true + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/saved_objects/_bulk_resolve
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + WARNING: This API is deprecated. This is a legacy Saved Objects API and may be removed in a future version of Kibana. + + Retrieve multiple Kibana saved objects by ID, using any legacy URL aliases if they exist. + + Under certain circumstances, when Kibana is upgraded, saved object migrations may necessitate regenerating some object IDs to enable new features. When an object's ID is regenerated, a legacy URL alias is created for that object, preserving its old ID. In such a scenario, that object can be retrieved with the bulk resolve API using either its new ID or its old ID. + operationId: post-saved-objects-bulk-resolve parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -34764,312 +50352,246 @@ paths: content: application/json: examples: - postDryRunPackagePoliciesRequestExample: - description: Dry run an upgrade of a package policy + bulkResolveRequest: + summary: Resolve multiple saved objects value: - packagePolicyIds: - - package-policy-id-1 + - id: example-dashboard-1 + type: dashboard + - id: legacy-id + type: dashboard schema: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_dry_run_package_policies_request + items: + additionalProperties: false + type: object + properties: + id: + type: string + type: + type: string + required: + - type + - id + maxItems: 10000 + type: array responses: '200': content: application/json: examples: - postDryRunPackagePoliciesExample: - description: Preview of the package policy upgrade diff - value: - - diff: - - id: package-policy-id-1 - name: nginx-1 - package: - name: nginx - version: 1.20.0 - - name: nginx-1 - package: - name: nginx - version: 1.21.0 - hasErrors: false - name: nginx-1 - schema: - items: - additionalProperties: false - type: object - properties: - agent_diff: - items: - items: - additionalProperties: true - type: object - properties: - data_stream: - additionalProperties: true - type: object - properties: - namespace: - type: string - required: - - namespace - id: - type: string - meta: - additionalProperties: true - type: object - properties: - package: - additionalProperties: true - type: object - properties: - name: - type: string - version: - type: string - required: - - name - - version - required: - - package - name: - type: string - package_policy_id: - type: string - processors: - items: - additionalProperties: true - type: object - properties: - add_fields: - additionalProperties: true - type: object - properties: - fields: - additionalProperties: - anyOf: - - type: string - - type: number - type: object - target: - type: string - required: - - target - - fields - required: - - add_fields - maxItems: 10000 - type: array - revision: - type: number - streams: - 
items: - additionalProperties: true - type: object - properties: - data_stream: - additionalProperties: true - type: object - properties: - dataset: - type: string - type: - type: string - required: - - dataset - id: - type: string - required: - - data_stream - maxItems: 10000 - type: array - type: - type: string - use_output: - type: string - required: - - id - - name - - revision - - type - - data_stream - - use_output - - package_policy_id - maxItems: 10000 - type: array - maxItems: 1 - type: array - body: - additionalProperties: false - type: object - properties: - message: - type: string - required: - - message - diff: - items: - anyOf: - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_package_policy_response - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_dry_run_package_policy - maxItems: 2 - type: array - hasErrors: - type: boolean - name: - type: string - statusCode: - type: number - required: - - hasErrors - maxItems: 10000 - type: array - description: Successful response + bulkResolveResponse: + summary: A bulk resolve response with an exact and alias match + value: + resolved_objects: + - outcome: exactMatch + saved_object: + attributes: + title: Example dashboard 1 + id: example-dashboard-1 + managed: false + namespaces: + - default + references: [] + type: dashboard + updated_at: '2026-04-17T12:00:00.000Z' + version: WzEsMV0= + - alias_target_id: example-dashboard-2 + outcome: aliasMatch + saved_object: + attributes: + title: Example dashboard 2 + id: example-dashboard-2 + managed: false + namespaces: + - default + references: [] + type: dashboard + updated_at: '2026-04-17T12:00:00.000Z' + version: WzEsMl0= + description: A bulk resolve response. 
'400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequestResponse: + summary: A bad request error value: error: Bad Request - message: An error message describing what went wrong + message: 'Unsupported saved object type(s): unknownType' statusCode: 400 - schema: + description: A bad request. + summary: Resolve saved objects + tags: + - saved objects + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/saved_objects/_bulk_resolve" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '[{"type":"dashboard","id":"example-dashboard-1"},{"type":"dashboard","id":"legacy-id"}]' + - lang: Console + source: | + POST kbn://api/saved_objects/_bulk_resolve + [{"type":"dashboard","id":"example-dashboard-1"},{"type":"dashboard","id":"legacy-id"}] + x-metaTags: + - content: Kibana + name: product_name + /api/saved_objects/_bulk_update: + put: + deprecated: true + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/saved_objects/_bulk_update
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + WARNING: This API is deprecated. This is a legacy Saved Objects API and may be removed in a future version of Kibana. + + Updates multiple Kibana saved objects in a single request. + + For transferring or backing up saved objects, prefer the import and export APIs (`POST /api/saved_objects/_import` and `POST /api/saved_objects/_export`). + operationId: put-saved-objects-bulk-update + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + bulkUpdateRequest: + summary: Update multiple saved objects (partial success) + value: + - attributes: + title: Updated dashboard title + id: example-dashboard-1 + references: [] + type: dashboard + - attributes: + title: Updated dashboard title + id: does-not-exist + type: dashboard + schema: + items: additionalProperties: false - description: Generic Error type: object properties: attributes: - nullable: true - error: - type: string - errorType: + additionalProperties: + nullable: true + type: object + id: type: string - message: + namespace: + minLength: 1 type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Dry run a package policy upgrade - tags: - - Fleet package policies - /api/fleet/proxies: - get: - description: >- - List all Fleet proxies.

[Required authorization] Route required - privileges: fleet-settings-read. - operationId: get-fleet-proxies - parameters: [] - responses: - '200': - content: - application/json: - examples: - getFleetProxiesExample: - description: List of Fleet proxies - value: - items: - - id: proxy-id-1 - is_preconfigured: false - name: My proxy - url: http://proxy.example.com:3128 - page: 1 - perPage: 20 - total: 1 - schema: - additionalProperties: false - type: object - properties: - items: + references: items: additionalProperties: false type: object properties: - certificate: - nullable: true - type: string - certificate_authorities: - nullable: true - type: string - certificate_key: - nullable: true - type: string id: type: string - is_preconfigured: - default: false - type: boolean name: type: string - proxy_headers: - additionalProperties: - anyOf: - - type: string - - type: boolean - - type: number - nullable: true - type: object - url: + type: type: string required: - - id - - url - name - maxItems: 10000 + - type + - id + maxItems: 1000 type: array - page: - type: number - perPage: - type: number - total: - type: number - required: - - items - - total - - page - - perPage - description: Successful response + type: + type: string + version: + type: string + required: + - type + - id + - attributes + maxItems: 10000 + type: array + responses: + '200': + content: + application/json: + examples: + bulkUpdateResponse: + summary: A bulk update response with one not found result + value: + saved_objects: + - attributes: + title: Updated dashboard title + id: example-dashboard-1 + managed: false + namespaces: + - default + references: [] + type: dashboard + updated_at: '2026-04-17T12:00:00.000Z' + version: WzIsMV0= + - error: + error: Not Found + message: Saved object [dashboard/does-not-exist] not found + statusCode: 404 + id: does-not-exist + type: dashboard + description: A bulk update response. 
'400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequestResponse: + summary: A bad request error value: error: Bad Request - message: An error message describing what went wrong + message: 'Unsupported saved object type(s): unknownType' statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get proxies + description: A bad request. + summary: Update saved objects tags: - - Fleet proxies + - saved objects + x-codeSamples: + - lang: curl + source: | + curl \ + -X PUT "${KIBANA_URL}/api/saved_objects/_bulk_update" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '[{"type":"dashboard","id":"example-dashboard-1","attributes":{"title":"Updated dashboard title"},"references":[]},{"type":"dashboard","id":"does-not-exist","attributes":{"title":"Updated dashboard title"}}]' + - lang: Console + source: | + PUT kbn://api/saved_objects/_bulk_update + [{"type":"dashboard","id":"example-dashboard-1","attributes":{"title":"Updated dashboard title"},"references":[]},{"type":"dashboard","id":"does-not-exist","attributes":{"title":"Updated dashboard title"}}] + x-metaTags: + - content: Kibana + name: product_name + /api/saved_objects/_export: post: - description: >- - Create a new Fleet proxy.

[Required authorization] Route - required privileges: fleet-settings-all. - operationId: post-fleet-proxies + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/saved_objects/_export
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve sets of saved objects that you want to import into Kibana. You must include `type` or `objects` in the request body. The output of exporting saved objects must be treated as opaque. Tampering with exported data risks introducing unspecified errors and data loss. + + Exported saved objects are not backwards compatible and cannot be imported into an older version of Kibana. + + NOTE: The exported saved objects include `coreMigrationVersion` and `typeMigrationVersion` metadata. If you store exported saved objects outside of Kibana (for example in NDJSON files) or generate them yourself, you must preserve or include these fields to retain forward compatibility across Kibana versions. + + NOTE: The `savedObjects.maxImportExportSize` configuration setting limits the number of saved objects which may be exported. + operationId: post-saved-objects-export parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -35082,325 +50604,681 @@ paths: content: application/json: examples: - postFleetProxyRequestExample: - description: Create a new Fleet proxy + exportSavedObjectsRequest: + summary: Export a specific saved object value: - name: My proxy - url: http://proxy.example.com:3128 + excludeExportDetails: true + includeReferencesDeep: false + objects: + - id: example-dashboard-1 + type: dashboard schema: additionalProperties: false type: object properties: - certificate: - nullable: true - type: string - certificate_authorities: - nullable: true - type: string - certificate_key: - nullable: true - type: string - id: - type: string - is_preconfigured: + excludeExportDetails: default: false + description: Do not add export details entry at the end of the stream. type: boolean - name: - type: string - proxy_headers: - additionalProperties: - anyOf: - - type: string - - type: boolean - - type: number - nullable: true - type: object - url: - type: string - required: - - url - - name - responses: - '200': - content: - application/json: - examples: - postFleetProxyExample: - description: The created Fleet proxy - value: - item: - id: proxy-id-2 - is_preconfigured: false - name: My proxy - url: http://proxy.example.com:3128 - schema: - additionalProperties: false - type: object - properties: - item: + hasReference: + anyOf: + - additionalProperties: false + type: object + properties: + id: + type: string + type: + type: string + required: + - type + - id + - items: + additionalProperties: false + type: object + properties: + id: + type: string + type: + type: string + required: + - type + - id + maxItems: 100 + type: array + includeReferencesDeep: + default: false + description: Includes all of the referenced objects in the exported objects. + type: boolean + objects: + description: 'A list of objects to export. 
NOTE: this optional parameter cannot be combined with the `types` option' + items: additionalProperties: false type: object properties: - certificate: - nullable: true - type: string - certificate_authorities: - nullable: true - type: string - certificate_key: - nullable: true - type: string id: type: string - is_preconfigured: - default: false - type: boolean - name: - type: string - proxy_headers: - additionalProperties: - anyOf: - - type: string - - type: boolean - - type: number - nullable: true - type: object - url: + type: type: string required: + - type - id - - url - - name - required: - - item - description: Successful response + maxItems: 10000 + type: array + search: + description: Search for documents to export using the Elasticsearch Simple Query String syntax. + type: string + type: + anyOf: + - type: string + - items: + type: string + maxItems: 100 + type: array + description: The saved object types to include in the export. Use `*` to export all the types. Valid options depend on enabled plugins, but may include `visualization`, `dashboard`, `search`, `index-pattern`, `tag`, `config`, `config-global`, `lens`, `map`, `event-annotation-group`, `query`, `url`, `action`, `alert`, `alerting_rule_template`, `apm-indices`, `cases-user-actions`, `cases`, `cases-comments`, `infrastructure-monitoring-log-view`, `ml-trained-model`, `osquery-saved-query`, `osquery-pack`, `osquery-pack-asset`. + responses: + '200': + content: + application/x-ndjson: + examples: + exportSavedObjectsResponse: + summary: The export response contains an NDJSON record for each exported object + value: | + {"id":"example-dashboard-1","type":"dashboard","attributes":{"title":"Example dashboard 1"},"references":[],"managed":false} + {"exportedCount":1,"missingRefCount":0,"missingReferences":[]} + schema: {} + description: Indicates a successfull call. 
'400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequestResponse: + summary: A bad request error value: error: Bad Request - message: An error message describing what went wrong + message: 'Either `type` or `objects` are required.: Bad Request' statusCode: 400 schema: additionalProperties: false - description: Generic Error + description: Indicates an unsuccessful response. type: object properties: - attributes: - nullable: true error: type: string - errorType: - type: string message: type: string statusCode: - type: number + enum: + - 400 + type: integer required: + - error - message - - attributes - description: Bad Request - summary: Create a proxy + - statusCode + description: Bad request. + summary: Export saved objects tags: - - Fleet proxies - /api/fleet/proxies/{itemId}: - delete: - description: >- - Delete a proxy by ID

[Required authorization] Route required - privileges: fleet-settings-all. - operationId: delete-fleet-proxies-itemid + - saved objects + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/saved_objects/_export" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{"objects":[{"type":"dashboard","id":"example-dashboard-1"}],"includeReferencesDeep":false,"excludeExportDetails":true}' + - lang: Console + source: | + POST kbn://api/saved_objects/_export + {"objects":[{"type":"dashboard","id":"example-dashboard-1"}],"includeReferencesDeep":false,"excludeExportDetails":true} + x-metaTags: + - content: Kibana + name: product_name + /api/saved_objects/_find: + get: + deprecated: true + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/saved_objects/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + WARNING: This API is deprecated. This is a legacy Saved Objects API and may be removed in a future version of Kibana. + + Searches for Kibana saved objects. + + For transferring or backing up saved objects, prefer the export API (`POST /api/saved_objects/_export`). + operationId: get-saved-objects-find parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf + - description: The number of items per page. + in: query + name: per_page + required: false + schema: + default: 20 + minimum: 0 + type: number + - description: The page index to return. + in: query + name: page + required: false + schema: + default: 1 + minimum: 0 + type: number + - description: The saved object type or types to search for. Use multiple `type` values to search across types. + in: query + name: type required: true schema: - example: 'true' + items: + type: string + maxItems: 100 + type: array + - description: A text search string. + in: query + name: search + required: false + schema: type: string - - description: The ID of the proxy - in: path - name: itemId - required: true + - description: The boolean operator to use when combining multiple values. + in: query + name: default_search_operator + required: false schema: + default: OR + enum: + - OR + - AND type: string - responses: - '200': - content: - application/json: - examples: - deleteFleetProxyExample: - description: The Fleet proxy was successfully deleted - value: - id: proxy-id-1 - schema: - additionalProperties: false + - description: The fields to search on. + in: query + name: search_fields + required: false + schema: + items: + type: string + maxItems: 100 + type: array + - description: The field to sort on. 
+ in: query + name: sort_field + required: false + schema: + type: string + - description: Return only saved objects that have a reference to the specified saved object(s). + in: query + name: has_reference + required: false + schema: + anyOf: + - additionalProperties: false type: object properties: id: type: string + type: + type: string required: + - type - id - description: Successful response - '400': - content: - application/json: - examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error + - items: + additionalProperties: false + type: object + properties: + id: + type: string + type: + type: string + required: + - type + - id + maxItems: 100 + type: array + - description: The boolean operator to use when combining multiple values. + in: query + name: has_reference_operator + required: false + schema: + default: OR + enum: + - OR + - AND + type: string + - description: Return only saved objects that do not have a reference to the specified saved object(s). + in: query + name: has_no_reference + required: false + schema: + anyOf: + - additionalProperties: false type: object properties: - attributes: - nullable: true - error: - type: string - errorType: + id: type: string - message: + type: type: string - statusCode: - type: number required: - - message - - attributes - description: Bad Request - '404': + - type + - id + - items: + additionalProperties: false + type: object + properties: + id: + type: string + type: + type: string + required: + - type + - id + maxItems: 100 + type: array + - description: The boolean operator to use when combining multiple values. + in: query + name: has_no_reference_operator + required: false + schema: + default: OR + enum: + - OR + - AND + type: string + - description: The fields to return for each saved object. 
+ in: query + name: fields + required: false + schema: + items: + type: string + maxItems: 100 + type: array + - description: A KQL filter to apply to the search. + in: query + name: filter + required: false + schema: + type: string + - description: Aggregations as a JSON string. + in: query + name: aggs + required: false + schema: + type: string + - description: The namespaces (spaces) to search in. + in: query + name: namespaces + required: false + schema: + items: + type: string + maxItems: 100 + type: array + responses: + '200': content: application/json: examples: - notFoundExample: - description: No proxy was found with the given ID + findSavedObjectsResponse: + summary: A page of saved objects value: - error: Not Found - message: Fleet proxy proxy-id-1 not found - statusCode: 404 - description: Not Found - summary: Delete a proxy + page: 1 + per_page: 20 + saved_objects: + - attributes: + title: Example dashboard 1 + id: example-dashboard-1 + managed: false + namespaces: + - default + references: [] + type: dashboard + updated_at: '2026-04-17T12:00:00.000Z' + version: WzEsMV0= + total: 1 + description: A search response. + '400': + content: + application/json: + examples: + badRequestResponse: + summary: A bad request error + value: + error: Bad Request + message: 'This type dashboard is not allowed: Bad Request' + statusCode: 400 + description: A bad request. + summary: Search for saved objects tags: - - Fleet proxies - get: - description: >- - Get a proxy by ID.

[Required authorization] Route required - privileges: fleet-settings-read. - operationId: get-fleet-proxies-itemid + - saved objects + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/saved_objects/_find?type=dashboard&fields=title&per_page=20&page=1" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/saved_objects/_find?type=dashboard&fields=title&per_page=20&page=1 + x-metaTags: + - content: Kibana + name: product_name + /api/saved_objects/_import: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/saved_objects/_import
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create sets of Kibana saved objects from a file created by the export API. Saved objects can only be imported into the same version, a newer minor on the same major, or the next major. Tampering with exported data risks introducing unspecified errors and data loss. + + Exported saved objects are not backwards compatible and cannot be imported into an older version of Kibana. + + NOTE: The exported saved objects include `coreMigrationVersion` and `typeMigrationVersion` metadata. If you store exported saved objects outside of Kibana (for example in NDJSON files) or generate them yourself, you must preserve or include these fields to retain forwards compatibility across Kibana versions. + operationId: post-saved-objects-import parameters: - - description: The ID of the proxy - in: path - name: itemId + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: + example: 'true' type: string + - description: 'Overwrites saved objects when they already exist. When used, potential conflict errors are automatically resolved by overwriting the destination object. NOTE: This option cannot be used with the `createNewCopies` option.' + in: query + name: overwrite + required: false + schema: + default: false + type: boolean + - description: 'Creates copies of saved objects, regenerates each object ID, and resets the origin. When used, potential conflict errors are avoided. NOTE: This option cannot be used with the `overwrite` and `compatibilityMode` options.' + in: query + name: createNewCopies + required: false + schema: + default: false + type: boolean + - description: 'Applies various adjustments to the saved objects that are being imported to maintain compatibility between different Kibana versions. Use this option only if you encounter issues with imported saved objects. 
NOTE: This option cannot be used with the `createNewCopies` option.' + in: query + name: compatibilityMode + required: false + schema: + default: false + type: boolean + requestBody: + content: + multipart/form-data: + examples: + importObjectsRequest: + summary: Import saved objects from an NDJSON file + value: + file: file.ndjson + schema: + additionalProperties: false + type: object + properties: + file: + description: 'A file exported using the export API. Changing the contents of the exported file in any way before importing it can cause errors, crashes or data loss. NOTE: The `savedObjects.maxImportExportSize` configuration setting limits the number of saved objects which may be included in this file. Similarly, the `savedObjects.maxImportPayloadBytes` setting limits the overall size of the file that can be imported.' + type: object + required: + - file responses: '200': content: application/json: examples: - getFleetProxyExample: - description: A Fleet proxy + importObjectsResponse: + summary: A successful import response value: - item: - id: proxy-id-1 - is_preconfigured: false - name: My proxy - url: http://proxy.example.com:3128 - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - certificate: - nullable: true - type: string - certificate_authorities: - nullable: true - type: string - certificate_key: - nullable: true - type: string - id: - type: string - is_preconfigured: - default: false - type: boolean - name: - type: string - proxy_headers: - additionalProperties: - anyOf: - - type: string - - type: boolean - - type: number - nullable: true - type: object - url: - type: string - required: - - id - - url - - name + errors: [] + success: true + successCount: 1 + successResults: + - destinationId: example-dashboard-1-copy + id: example-dashboard-1 + managed: false + type: dashboard + schema: + additionalProperties: false + type: object + properties: + errors: + 
description: |- + Indicates the import was unsuccessful and specifies the objects that failed to import. + + NOTE: One object may result in multiple errors, which requires separate steps to resolve. For instance, a `missing_references` error and conflict error. + items: + additionalProperties: true + type: object + properties: {} + type: array + success: + description: Indicates when the import was successfully completed. When set to false, some objects may not have been created. For additional information, refer to the `errors` and `successResults` properties. + type: boolean + successCount: + description: Indicates the number of successfully imported records. + type: number + successResults: + description: |- + Indicates the objects that are successfully imported, with any metadata if applicable. + + NOTE: Objects are created only when all resolvable errors are addressed, including conflicts and missing references. If objects are created as new copies, each entry in the `successResults` array includes a `destinationId` attribute. + items: + additionalProperties: true + type: object + properties: {} + type: array required: - - item - description: Successful response + - success + - successCount + - errors + - successResults + description: Indicates a successful call. '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + badRequestResponse: + summary: A bad request error value: error: Bad Request - message: An error message describing what went wrong + message: Invalid file extension .txt statusCode: 400 schema: additionalProperties: false - description: Generic Error + description: Indicates an unsuccessful response. 
type: object properties: - attributes: - nullable: true error: type: string - errorType: - type: string message: type: string statusCode: - type: number + enum: + - 400 + type: integer required: + - error - message - - attributes - description: Bad Request - '404': + - statusCode + description: Bad request. + summary: Import saved objects + tags: + - saved objects + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/saved_objects/_import?createNewCopies=true" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + --form file=@file.ndjson + - lang: Console + source: | + POST kbn://api/saved_objects/_import?createNewCopies=true + x-metaTags: + - content: Kibana + name: product_name + /api/saved_objects/_resolve_import_errors: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/saved_objects/_resolve_import_errors
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + To resolve errors from the import objects API, you can retry certain saved objects, overwrite specific saved objects, and change references to different saved objects + operationId: post-saved-objects-resolve-import-errors + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Creates copies of saved objects, regenerates each object ID, and resets the origin. + in: query + name: createNewCopies + required: false + schema: + default: false + type: boolean + - description: Applies adjustments to maintain compatibility between different Kibana versions. + in: query + name: compatibilityMode + required: false + schema: + default: false + type: boolean + requestBody: + content: + multipart/form-data: + examples: + resolveImportErrorsRequest: + summary: Resolve import errors by retrying objects + value: + file: file.ndjson + retries: + - id: example-dashboard-1 + overwrite: true + replaceReferences: [] + type: dashboard + schema: + additionalProperties: false + type: object + properties: + file: + type: object + retries: + items: + additionalProperties: false + type: object + properties: + createNewCopy: + type: boolean + destinationId: + type: string + id: + type: string + ignoreMissingReferences: + type: boolean + overwrite: + default: false + type: boolean + replaceReferences: + default: [] + items: + additionalProperties: false + type: object + properties: + from: + type: string + to: + type: string + type: + type: string + required: + - type + - from + - to + maxItems: 100 + type: array + type: + type: string + required: + - type + - id + maxItems: 10000 + type: array + required: + - file + - retries + responses: + '200': content: application/json: examples: - notFoundExample: - description: No proxy was found with the given ID + 
resolveImportErrorsResponse: + summary: A successful resolve import errors response value: - error: Not Found - message: Fleet proxy proxy-id-1 not found - statusCode: 404 - description: Not Found - summary: Get a proxy + errors: [] + success: true + successCount: 1 + successResults: + - id: example-dashboard-1 + managed: false + type: dashboard + description: A successful resolve import errors response. + '400': + content: + application/json: + examples: + badRequestResponse: + summary: A bad request error + value: + error: Bad Request + message: Invalid file extension .txt + statusCode: 400 + description: A bad request. + summary: Resolve import errors tags: - - Fleet proxies - put: - description: >- - Update a proxy by ID.

[Required authorization] Route required - privileges: fleet-settings-all. - operationId: put-fleet-proxies-itemid + - saved objects + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/saved_objects/_resolve_import_errors" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + --form file=@file.ndjson \ + --form retries='[{"type":"dashboard","id":"example-dashboard-1","overwrite":true,"replaceReferences":[]}]' + - lang: Console + source: | + POST kbn://api/saved_objects/_resolve_import_errors + x-metaTags: + - content: Kibana + name: product_name + /api/saved_objects/{type}: + post: + deprecated: true + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/saved_objects/{type}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + WARNING: This API is deprecated. This is a legacy Saved Objects API and may be removed in a future version of Kibana. + + Creates a Kibana saved object; if an ID is provided it is used, otherwise Kibana generates one. + + For transferring or backing up saved objects, prefer the import and export APIs (`POST /api/saved_objects/_import` and `POST /api/saved_objects/_export`). + operationId: post-saved-objects-type parameters: - description: A required header to protect against CSRF attacks in: header 
@@ -35409,158 +51287,222 @@ paths: schema: example: 'true' type: string - - description: The ID of the proxy + - description: The saved object type. in: path - name: itemId + name: type required: true schema: type: string + - description: Overwrite an existing saved object. + in: query + name: overwrite + required: false + schema: + default: false + type: boolean requestBody: content: application/json: examples: - putFleetProxyRequestExample: - description: Update a Fleet proxy + createDashboardRequest: + summary: Create a dashboard saved object value: - name: Updated proxy - url: http://updated-proxy.example.com:3128 + attributes: + title: Example dashboard + references: [] schema: additionalProperties: false type: object properties: - certificate: - nullable: true - type: string - certificate_authorities: - nullable: true - type: string - certificate_key: - nullable: true - type: string - name: - type: string - proxy_headers: + attributes: additionalProperties: - anyOf: - - type: string - - type: boolean - - type: number - nullable: true + nullable: true type: object - url: + coreMigrationVersion: type: string - required: - - certificate_authorities - - certificate - - certificate_key - responses: - '200': - content: - application/json: - examples: - putFleetProxyExample: - description: The updated Fleet proxy - value: - item: - id: proxy-id-1 - is_preconfigured: false - name: Updated proxy - url: http://updated-proxy.example.com:3128 - schema: - additionalProperties: false - type: object - properties: - item: + initialNamespaces: + items: + type: string + maxItems: 100 + minItems: 1 + type: array + migrationVersion: + additionalProperties: + type: string + type: object + references: + items: additionalProperties: false type: object properties: - certificate: - nullable: true - type: string - certificate_authorities: - nullable: true - type: string - certificate_key: - nullable: true - type: string id: type: string - is_preconfigured: - default: false - type: 
boolean name: type: string - proxy_headers: - additionalProperties: - anyOf: - - type: string - - type: boolean - - type: number - nullable: true - type: object - url: + type: type: string required: - - id - - url - name - required: - - item - description: Successful response - '400': + - type + - id + maxItems: 1000 + type: array + typeMigrationVersion: + type: string + required: + - attributes + responses: + '200': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + createDashboardResponse: + summary: A created saved object value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request + attributes: + title: Example dashboard + id: example-dashboard-id + managed: false + namespaces: + - default + references: [] + type: dashboard + updated_at: '2026-04-17T12:00:00.000Z' + version: WzEsMV0= + description: A successful create response. + '409': + content: + application/json: + examples: + conflictResponse: + summary: A conflict error + value: + error: Conflict + message: Saved object [dashboard/example-dashboard-id] conflict + statusCode: 409 + description: A conflict error. 
+ summary: Create a saved object + tags: + - saved objects + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/saved_objects/dashboard/example-dashboard-id?overwrite=false" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{"attributes":{"title":"Example dashboard"},"references":[]}' + - lang: Console + source: | + POST kbn://api/saved_objects/dashboard/example-dashboard-id?overwrite=false + {"attributes":{"title":"Example dashboard"},"references":[]} + x-metaTags: + - content: Kibana + name: product_name + /api/saved_objects/{type}/{id}: + delete: + deprecated: true + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/saved_objects/{type}/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + WARNING: This API is deprecated. This is a legacy Saved Objects API and may be removed in a future version of Kibana. + + Deletes a single Kibana saved object by type and ID. + + There is currently no complete replacement for deleting arbitrary saved objects via an HTTP API. + operationId: delete-saved-objects-type-id + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The saved object type. + in: path + name: type + required: true + schema: + type: string + - description: The saved object identifier. + in: path + name: id + required: true + schema: + type: string + - description: When true, force deletion of multi-namespace objects from all namespaces. + in: query + name: force + required: false + schema: + type: boolean + responses: + '200': + content: + application/json: + examples: + deleteSavedObjectResponse: + summary: Successful delete + value: {} + description: A successful delete response. '404': content: application/json: examples: - notFoundExample: - description: No proxy was found with the given ID + notFoundResponse: + summary: A not found error value: error: Not Found - message: Proxy proxy-id-1 not found + message: Saved object [dashboard/does-not-exist] not found statusCode: 404 - description: Not Found - summary: Update a proxy + description: Not found. 
+ summary: Delete a saved object tags: - - Fleet proxies - /api/fleet/remote_synced_integrations/{outputId}/remote_status: + - saved objects + x-codeSamples: + - lang: curl + source: | + curl \ + -X DELETE "${KIBANA_URL}/api/saved_objects/dashboard/example-dashboard-1?force=false" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" + - lang: Console + source: | + DELETE kbn://api/saved_objects/dashboard/example-dashboard-1?force=false + x-metaTags: + - content: Kibana + name: product_name get: - description: >- - Get the synchronization status of remote integrations for a specific - output by its ID.

[Required authorization] Route required - privileges: fleet-settings-read AND integrations-read. - operationId: get-fleet-remote-synced-integrations-outputid-remote-status + deprecated: true + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/saved_objects/{type}/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + WARNING: This API is deprecated. This is a legacy Saved Objects API and may be removed in a future version of Kibana. + + Retrieves a single Kibana saved object by type and ID. + + For transferring or backing up saved objects, prefer the export API (`POST /api/saved_objects/_export`). + operationId: get-saved-objects-type-id parameters: - - description: The ID of the output + - description: The saved object type. in: path - name: outputId + name: type + required: true + schema: + type: string + - description: The saved object identifier. + in: path + name: id required: true schema: type: string 
@@ -35569,3767 +51511,10428 @@ paths: content: application/json: examples: - getRemoteSyncedIntegrationsInfoExample: - description: >- - Synchronization status of remote integrations for a specific - output + getSavedObjectResponse: + summary: A saved object value: - integrations: - - id: nginx-remote - install_status: - main: installed - remote: installed - package_name: nginx - package_version: 1.20.0 - sync_status: COMPLETED - updated_at: '2024-01-01T00:00:00.000Z' - schema: - additionalProperties: false - type: object - properties: - custom_assets: - additionalProperties: - additionalProperties: false - type: object - properties: - error: - type: string - is_deleted: - type: boolean - name: - type: string - package_name: - type: string - package_version: - type: string - sync_status: - enum: - - completed - - synchronizing - - failed - - warning - type: string - type: - type: string - warning: - additionalProperties: false - type: object - properties: - message: - type: string - title: - type: string - required: - - title - required: - - type - - name - - package_name - - package_version - - sync_status - type: object - error: - type: string - integrations: - items: - additionalProperties: false - type: object - properties: - error: - type: string - id: - type: string - install_status: - additionalProperties: false - type: object - properties: - main: - type: string - remote: - type: string - required: - - main - package_name: - type: string - package_version: - type: string - sync_status: - enum: - - completed - - synchronizing - - failed - - warning - type: string - updated_at: - type: string - warning: - additionalProperties: false - type: object - properties: - message: - type: string - title: - type: string - required: - - title - required: - - sync_status - - install_status - maxItems: 10000 - type: array - warning: + attributes: + title: Example dashboard 1 + id: example-dashboard-1 + managed: false + namespaces: + - default + references: [] + type: 
dashboard + updated_at: '2026-04-17T12:00:00.000Z' + version: WzEsMV0= + description: A saved object. + '400': + content: + application/json: + examples: + badRequestResponse: + summary: A bad request error + value: + error: Bad Request + message: 'Unsupported saved object type(s): unknownType' + statusCode: 400 + description: A bad request. + summary: Get a saved object + tags: + - saved objects + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/saved_objects/dashboard/example-dashboard-1" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/saved_objects/dashboard/example-dashboard-1 + x-metaTags: + - content: Kibana + name: product_name + post: + deprecated: true + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/saved_objects/{type}/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + WARNING: This API is deprecated. This is a legacy Saved Objects API and may be removed in a future version of Kibana. + + Creates a Kibana saved object; if an ID is provided it is used, otherwise Kibana generates one. + + For transferring or backing up saved objects, prefer the import and export APIs (`POST /api/saved_objects/_import` and `POST /api/saved_objects/_export`). + operationId: post-saved-objects-type-id + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The saved object type. + in: path + name: type + required: true + schema: + type: string + - description: The saved object identifier. + in: path + name: id + required: true + schema: + type: string + - description: Overwrite an existing saved object. + in: query + name: overwrite + required: false + schema: + default: false + type: boolean + requestBody: + content: + application/json: + examples: + createDashboardRequest: + summary: Create a dashboard saved object + value: + attributes: + title: Example dashboard + references: [] + schema: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: + nullable: true + type: object + coreMigrationVersion: + type: string + initialNamespaces: + items: + type: string + maxItems: 100 + minItems: 1 + type: array + migrationVersion: + additionalProperties: + type: string + type: object + references: + items: additionalProperties: false type: object properties: - message: + id: type: string - title: + name: + type: string + type: type: string required: - - title - required: - - integrations - description: Successful response - '400': + - name + - type + - id + maxItems: 1000 + type: array + typeMigrationVersion: + type: string + required: + - attributes + responses: + '200': content: 
application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + createDashboardResponse: + summary: A created saved object value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get remote synced integrations status by outputId - tags: - - Fleet remote synced integrations - x-state: Generally available; added in 9.1.0 - /api/fleet/remote_synced_integrations/status: - get: - description: >- - Get the synchronization status of all remote integrations across - connected remote clusters.

[Required authorization] Route - required privileges: fleet-settings-read AND integrations-read. - operationId: get-fleet-remote-synced-integrations-status - parameters: [] - responses: - '200': + attributes: + title: Example dashboard + id: example-dashboard-id + managed: false + namespaces: + - default + references: [] + type: dashboard + updated_at: '2026-04-17T12:00:00.000Z' + version: WzEsMV0= + description: A successful create response. + '409': content: application/json: examples: - getRemoteSyncedIntegrationsStatusExample: - description: >- - Synchronization status of remote integrations across - connected remote clusters + conflictResponse: + summary: A conflict error value: - integrations: - - id: nginx-remote - install_status: - main: installed - remote: installed - package_name: nginx - package_version: 1.20.0 - sync_status: COMPLETED - updated_at: '2024-01-01T00:00:00.000Z' - - error: Failed to sync package to remote cluster - id: system-remote - install_status: - main: installed - remote: not_installed - package_name: system - package_version: 1.38.0 - sync_status: FAILED - updated_at: '2024-01-01T00:00:00.000Z' - schema: - additionalProperties: false - type: object - properties: - custom_assets: - additionalProperties: - additionalProperties: false - type: object - properties: - error: - type: string - is_deleted: - type: boolean - name: - type: string - package_name: - type: string - package_version: - type: string - sync_status: - enum: - - completed - - synchronizing - - failed - - warning - type: string - type: - type: string - warning: - additionalProperties: false - type: object - properties: - message: - type: string - title: - type: string - required: - - title - required: - - type - - name - - package_name - - package_version - - sync_status - type: object - error: - type: string - integrations: - items: - additionalProperties: false - type: object - properties: - error: - type: string - id: - type: string - install_status: - 
additionalProperties: false - type: object - properties: - main: - type: string - remote: - type: string - required: - - main - package_name: - type: string - package_version: - type: string - sync_status: - enum: - - completed - - synchronizing - - failed - - warning - type: string - updated_at: - type: string - warning: - additionalProperties: false - type: object - properties: - message: - type: string - title: - type: string - required: - - title - required: - - sync_status - - install_status - maxItems: 10000 - type: array - warning: + error: Conflict + message: Saved object [dashboard/example-dashboard-id] conflict + statusCode: 409 + description: A conflict error. + summary: Create a saved object + tags: + - saved objects + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/saved_objects/dashboard/example-dashboard-id?overwrite=false" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{"attributes":{"title":"Example dashboard"},"references":[]}' + - lang: Console + source: | + POST kbn://api/saved_objects/dashboard/example-dashboard-id?overwrite=false + {"attributes":{"title":"Example dashboard"},"references":[]} + x-metaTags: + - content: Kibana + name: product_name + put: + deprecated: true + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/saved_objects/{type}/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + WARNING: This API is deprecated. This is a legacy Saved Objects API and may be removed in a future version of Kibana. + + Updates a single Kibana saved object by type and ID. + + For transferring or backing up saved objects, prefer the import and export APIs (`POST /api/saved_objects/_import` and `POST /api/saved_objects/_export`). + operationId: put-saved-objects-type-id + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The saved object type. + in: path + name: type + required: true + schema: + type: string + - description: The saved object identifier. + in: path + name: id + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + updateDashboardRequest: + summary: Update a dashboard saved object + value: + attributes: + title: Updated dashboard title + references: [] + schema: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: + nullable: true + type: object + references: + items: additionalProperties: false type: object properties: - message: + id: type: string - title: + name: + type: string + type: type: string required: - - title - required: - - integrations - description: Successful response - '400': + - name + - type + - id + maxItems: 1000 + type: array + upsert: + additionalProperties: + nullable: true + type: object + version: + type: string + required: + - attributes + responses: + '200': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + updateDashboardResponse: + summary: An updated saved object value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 - schema: - additionalProperties: false - description: Generic 
Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - summary: Get remote synced integrations status + attributes: + title: Updated dashboard title + id: example-dashboard-1 + managed: false + namespaces: + - default + references: [] + type: dashboard + updated_at: '2026-04-17T12:00:00.000Z' + version: WzIsMV0= + description: A successful update response. + '404': + content: + application/json: + examples: + notFoundResponse: + summary: A not found error + value: + error: Not Found + message: Saved object [dashboard/does-not-exist] not found + statusCode: 404 + description: Not found. + '409': + content: + application/json: + examples: + conflictResponse: + summary: A conflict error + value: + error: Conflict + message: Saved object [dashboard/example-dashboard-1] conflict + statusCode: 409 + description: A conflict error. + summary: Update a saved object tags: - - Fleet remote synced integrations - x-state: Generally available; added in 9.1.0 - /api/fleet/service_tokens: - post: - description: >- - Create a Fleet Server service token. The token is used to enroll Fleet - Server instances with Kibana.

[Required authorization] Route - required privileges: fleet-agents-all. - operationId: post-fleet-service-tokens + - saved objects + x-codeSamples: + - lang: curl + source: | + curl \ + -X PUT "${KIBANA_URL}/api/saved_objects/dashboard/example-dashboard-1" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{"attributes":{"title":"Updated dashboard title"},"references":[]}' + - lang: Console + source: | + PUT kbn://api/saved_objects/dashboard/example-dashboard-1 + {"attributes":{"title":"Updated dashboard title"},"references":[]} + x-metaTags: + - content: Kibana + name: product_name + /api/saved_objects/resolve/{type}/{id}: + get: + deprecated: true + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/saved_objects/resolve/{type}/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + WARNING: This API is deprecated. This is a legacy Saved Objects API and may be removed in a future version of Kibana. + + Retrieve a single Kibana saved object by ID, using any legacy URL alias if it exists. + + Under certain circumstances, when Kibana is upgraded, saved object migrations may necessitate regenerating some object IDs to enable new features. When an object's ID is regenerated, a legacy URL alias is created for that object, preserving its old ID. In such a scenario, that object can be retrieved with the resolve API using either its new ID or its old ID. + operationId: get-saved-objects-resolve-type-id parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf + - description: The saved object type. + in: path + name: type + required: true + schema: + type: string + - description: The saved object identifier. + in: path + name: id required: true schema: - example: 'true' type: string + responses: + '200': + content: + application/json: + examples: + resolveSavedObjectResponse: + summary: A resolved saved object (alias match) + value: + alias_target_id: example-dashboard-2 + outcome: aliasMatch + saved_object: + attributes: + title: Example dashboard 2 + id: example-dashboard-2 + managed: false + namespaces: + - default + references: [] + type: dashboard + updated_at: '2026-04-17T12:00:00.000Z' + version: WzEsMl0= + description: A resolve response. + '400': + content: + application/json: + examples: + badRequestResponse: + summary: A bad request error + value: + error: Bad Request + message: 'Unsupported saved object type(s): unknownType' + statusCode: 400 + description: A bad request. 
+ summary: Resolve a saved object + tags: + - saved objects + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/saved_objects/resolve/dashboard/legacy-id" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/saved_objects/resolve/dashboard/legacy-id + x-metaTags: + - content: Kibana + name: product_name + /api/security_ai_assistant/anonymization_fields/_bulk_action: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/security_ai_assistant/anonymization_fields/_bulk_action
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Apply a bulk action to multiple anonymization fields. The bulk action is applied to all anonymization fields that match the filter or to the list of anonymization fields by their IDs. + operationId: PerformAnonymizationFieldsBulkAction requestBody: content: application/json: examples: - postGenerateServiceTokenRequestExample: - description: Generate a service token for a remote Fleet Server + PerformAnonymizationFieldsBulkActionRequest: value: - remote: true + create: + - allowed: true + anonymized: false + field: host.name + - allowed: false + anonymized: true + field: user.name + delete: + ids: + - field5 + - field6 + query: 'field: host.name' + update: + - allowed: true + anonymized: false + id: field8 + - allowed: false + anonymized: true + id: field9 schema: - additionalProperties: false - nullable: true + example: + create: + - allowed: true + anonymized: false + field: host.name + - allowed: false + anonymized: true + field: user.name + delete: + ids: + - field5 + - field6 + query: 'field: host.name' + update: + - allowed: true + anonymized: false + id: field8 + - allowed: false + anonymized: true + id: field9 type: object properties: - remote: - default: false - type: boolean + create: + description: Array of anonymization fields to create. + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldCreateProps' + type: array + delete: + description: Object containing the query to filter anonymization fields and/or an array of anonymization field IDs to delete. + type: object + properties: + ids: + description: Array of IDs to apply the action to. + example: + - '1234' + - '5678' + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter the bulk action. + example: 'status: ''inactive''' + type: string + update: + description: Array of anonymization fields to update. 
+ items: + $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldUpdateProps' + type: array responses: '200': content: application/json: examples: - postGenerateServiceTokenExample: - description: The generated Fleet Server service token - value: - name: elastic/fleet-server/token-1234567890 - value: >- - AAEAAWVsYXN0aWMvZmxlZXQtc2VydmVyL3Rva2VuLTEyMzQ1Njc4OTA6QUJDREVGR0hJSktMTU5P - schema: - additionalProperties: false - type: object - properties: - name: - type: string + PerformAnonymizationFieldsBulkActionResponse200Example: value: - type: string - required: - - name - - value - description: Successful response + anonymization_fields_count: 4 + attributes: + results: + created: + - allowed: false + anonymized: true + createdAt: '2023-10-31T12:00:00Z' + createdBy: user1 + field: host.name + id: field2 + namespace: default + timestamp: '2023-10-31T12:00:00Z' + updatedAt: '2023-10-31T12:00:00Z' + updatedBy: user1 + deleted: + - field3 + skipped: + - id: field4 + name: user.name + skip_reason: ANONYMIZATION_FIELD_NOT_MODIFIED + updated: + - allowed: true + anonymized: false + createdAt: '2023-10-31T12:00:00Z' + createdBy: user1 + field: url.domain + id: field8 + namespace: default + timestamp: '2023-10-31T12:00:00Z' + updatedAt: '2023-10-31T12:00:00Z' + updatedBy: user1 + summary: + failed: 0 + skipped: 1 + succeeded: 3 + total: 4 + message: Bulk action completed successfully + status_code: 200 + success: true + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResponse' + description: Indicates a successful call. 
'400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + PerformAnonymizationFieldsBulkActionResponse400Example: value: error: Bad Request - message: An error message describing what went wrong + message: Invalid request body statusCode: 400 schema: - additionalProperties: false - description: Generic Error type: object properties: - attributes: - nullable: true error: - type: string - errorType: + description: Error type or name. type: string message: + description: Detailed error message. type: string statusCode: + description: Status code of the response. type: number - required: - - message - - attributes - description: Bad Request - summary: Create a service token + description: Bad Request response. + summary: Apply a bulk action to anonymization fields tags: - - Fleet service tokens - /api/fleet/settings: + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request POST 'http://localhost:5601/api/security_ai_assistant/anonymization_fields/_bulk_action' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" \ + --data '{"create":[{"field":"host.name","allowed":true,"anonymized":false}]}' + x-metaTags: + - content: Kibana + name: product_name + /api/security_ai_assistant/anonymization_fields/_find: get: - description: >- - Get the global Fleet settings.

[Required authorization] Route - required privileges: fleet-settings-read. - operationId: get-fleet-settings - parameters: [] + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/security_ai_assistant/anonymization_fields/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all anonymization fields. + operationId: FindAnonymizationFields + parameters: + - description: Fields to return + example: + - id + - field + - anonymized + - allowed + in: query + name: fields + required: false + schema: + items: + type: string + type: array + - description: Search query + example: 'field: "user.name"' + in: query + name: filter + required: false + schema: + type: string + - description: Field to sort by + example: created_at + in: query + name: sort_field + required: false + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_FindAnonymizationFieldsSortField' + - description: Sort order + example: asc + in: query + name: sort_order + required: false + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' + - description: Page number + example: 1 + in: query + name: page + required: false + schema: + default: 1 + minimum: 1 + type: integer + - description: AnonymizationFields per page + example: 20 + in: query + name: per_page + required: false + schema: + default: 20 + minimum: 0 + type: integer + - description: If true, additionally fetch all anonymization fields, otherwise fetch only the provided page + in: query + name: all_data + required: false + schema: + type: boolean responses: '200': content: application/json: examples: - getSettingsExample: - description: The current Fleet settings + FindAnonymizationFieldsResponse200Example: value: - item: - delete_unenrolled_agents: - enabled: false - is_preconfigured: false - has_seen_add_data_notice: true - id: fleet-default-settings - output_secret_storage_requirements_met: true - prerelease_integrations_enabled: false - secret_storage_requirements_met: true - version: WzEsMV0= + aggregations: + field_status: + buckets: + allowed: + doc_count: 1 + anonymized: + doc_count: 1 + denied: + doc_count: 1 + all: + - allowed: true + anonymized: true + 
createdAt: '2023-10-31T12:00:00Z' + createdBy: user1 + field: user.name + id: '1' + namespace: default + timestamp: '2023-10-31T12:00:00Z' + updatedAt: '2023-10-31T12:00:00Z' + updatedBy: user1 + data: + - allowed: true + anonymized: true + createdAt: '2023-10-31T12:00:00Z' + createdBy: user1 + field: user.name + id: '1' + namespace: default + timestamp: '2023-10-31T12:00:00Z' + updatedAt: '2023-10-31T12:00:00Z' + updatedBy: user1 + page: 1 + perPage: 20 + total: 100 schema: - additionalProperties: false type: object properties: - item: - additionalProperties: false + aggregations: type: object properties: - action_secret_storage_requirements_met: - type: boolean - delete_unenrolled_agents: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - is_preconfigured: - type: boolean - required: - - enabled - - is_preconfigured - download_source_auth_secret_storage_requirements_met: - type: boolean - has_seen_add_data_notice: - type: boolean - id: - type: string - ilm_migration_status: - additionalProperties: false + field_status: type: object properties: - logs: - enum: - - success - nullable: true - type: string - metrics: - enum: - - success - nullable: true - type: string - synthetics: - enum: - - success - nullable: true - type: string - integration_knowledge_enabled: - type: boolean - output_secret_storage_requirements_met: - type: boolean - preconfigured_fields: - items: - enum: - - fleet_server_hosts - type: string - maxItems: 1 - type: array - prerelease_integrations_enabled: - type: boolean - secret_storage_requirements_met: - type: boolean - ssl_secret_storage_requirements_met: - type: boolean - use_space_awareness_migration_started_at: - nullable: true - type: string - use_space_awareness_migration_status: - enum: - - pending - - success - - error - type: string - version: - type: string + buckets: + type: object + properties: + allowed: + type: object + properties: + doc_count: + default: 0 + type: integer + anonymized: + 
type: object + properties: + doc_count: + default: 0 + type: integer + denied: + type: object + properties: + doc_count: + default: 0 + type: integer + all: + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse' + type: array + data: + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse' + type: array + page: + type: integer + perPage: + type: integer + total: + type: integer required: - - item - description: Successful response + - page + - perPage + - total + - data + description: Indicates a successful call. '400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + FindAnonymizationFieldsResponse400Example: value: error: Bad Request - message: An error message describing what went wrong + message: Invalid request parameters statusCode: 400 schema: - additionalProperties: false - description: Generic Error type: object properties: - attributes: - nullable: true error: type: string - errorType: - type: string message: type: string statusCode: type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: Fleet settings have not been initialized - value: - error: Not Found - message: Settings not found - statusCode: 404 - schema: - additionalProperties: false - type: object - properties: - message: - type: string - required: - - message - description: Not Found - summary: Get settings + description: Bad Request response. + summary: Get anonymization fields tags: - - Fleet internals - put: - description: >- - Update the global Fleet settings.

[Required authorization] - Route required privileges: fleet-settings-all. - operationId: put-fleet-settings + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request GET 'http://localhost:5601/api/security_ai_assistant/anonymization_fields/_find?page=1&per_page=20' \ + --header "Authorization: $API_KEY" + x-metaTags: + - content: Kibana + name: product_name + /api/security_ai_assistant/chat/complete: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/security_ai_assistant/chat/complete
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a model response for the given chat conversation. + operationId: ChatComplete parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true + - description: If true, the response will not include content references. + example: false + in: query + name: content_references_disabled + required: false schema: - example: 'true' - type: string + default: false + type: boolean requestBody: content: application/json: examples: - putSettingsRequestExample: - description: Update Fleet settings to enable pre-release integrations + ChatCompleteRequest: value: - prerelease_integrations_enabled: true + connectorId: conn-001 + conversationId: abc123 + isStream: true + langSmithApiKey: + langSmithProject: security_ai_project + messages: + - content: What are some common phishing techniques? + data: + user_id: user_789 + fields_to_anonymize: + - user.name + - source.ip + role: user + model: gpt-4 + persist: true + promptId: prompt_456 + responseLanguage: en schema: - additionalProperties: false - type: object - properties: - additional_yaml_config: - deprecated: true - type: string - delete_unenrolled_agents: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - is_preconfigured: - type: boolean - required: - - enabled - - is_preconfigured - has_seen_add_data_notice: - deprecated: true - type: boolean - integration_knowledge_enabled: - type: boolean - kibana_ca_sha256: - deprecated: true - type: string - kibana_urls: - deprecated: true - items: - format: uri - type: string - maxItems: 10 - type: array - prerelease_integrations_enabled: - type: boolean + $ref: '#/components/schemas/Security_AI_Assistant_API_ChatCompleteProps' + required: true responses: '200': content: - application/json: - examples: - putSettingsExample: - description: The updated Fleet settings - value: - 
item: - delete_unenrolled_agents: - enabled: false - is_preconfigured: false - has_seen_add_data_notice: true - id: fleet-default-settings - output_secret_storage_requirements_met: true - prerelease_integrations_enabled: true - secret_storage_requirements_met: true - version: WzIsMV0= - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - action_secret_storage_requirements_met: - type: boolean - delete_unenrolled_agents: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - is_preconfigured: - type: boolean - required: - - enabled - - is_preconfigured - download_source_auth_secret_storage_requirements_met: - type: boolean - has_seen_add_data_notice: - type: boolean - id: - type: string - ilm_migration_status: - additionalProperties: false - type: object - properties: - logs: - enum: - - success - nullable: true - type: string - metrics: - enum: - - success - nullable: true - type: string - synthetics: - enum: - - success - nullable: true - type: string - integration_knowledge_enabled: - type: boolean - output_secret_storage_requirements_met: - type: boolean - preconfigured_fields: - items: - enum: - - fleet_server_hosts - type: string - maxItems: 1 - type: array - prerelease_integrations_enabled: - type: boolean - secret_storage_requirements_met: - type: boolean - ssl_secret_storage_requirements_met: - type: boolean - use_space_awareness_migration_started_at: - nullable: true - type: string - use_space_awareness_migration_status: - enum: - - pending - - success - - error - type: string - version: - type: string - required: - - item - description: Successful response - '400': - content: - application/json: + application/octet-stream: examples: - genericErrorResponseExample: - description: Example of a generic error response - value: - error: Bad Request - message: An error message describing what went wrong - statusCode: 400 + 
ChatCompleteResponse200Example: + value: (streaming binary response) schema: - additionalProperties: false - description: Generic Error - type: object - properties: - attributes: - nullable: true - error: - type: string - errorType: - type: string - message: - type: string - statusCode: - type: number - required: - - message - - attributes - description: Bad Request - '404': + format: binary + type: string + description: Indicates a successful model response call. + '400': content: application/json: examples: - notFoundExample: - description: Fleet settings have not been initialized + ChatCompleteResponse400Example: value: - error: Not Found - message: Settings not found - statusCode: 404 + error: Bad Request + message: Invalid request payload. + statusCode: 400 schema: - additionalProperties: false type: object properties: + error: + description: Error type. + example: Bad Request + type: string message: + description: Human-readable error message. + example: Invalid request payload. type: string - required: - - message - description: Not Found - summary: Update settings + statusCode: + description: HTTP status code. + example: 400 + type: number + description: Bad Request response. + summary: Create a model response tags: - - Fleet internals - /api/fleet/setup: - post: - description: >- - Initialize Fleet and create the necessary Elasticsearch resources for - Fleet to operate. Safe to call multiple times (idempotent). Returns the - initialization status and any non-fatal errors encountered during - setup.

[Required authorization] Route required privileges: - fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR - fleet-setup. - operationId: post-fleet-setup - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request POST 'http://localhost:5601/api/security_ai_assistant/chat/complete' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" \ + --data '{"connectorId":"conn-001","persist":true,"messages":[{"role":"user","content":"What are common phishing techniques?"}]}' + x-metaTags: + - content: Kibana + name: product_name + /api/security_ai_assistant/current_user/conversations: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/security_ai_assistant/current_user/conversations
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + This endpoint allows users to permanently delete all conversations. + operationId: DeleteAllConversations + requestBody: + content: + application/json: + examples: + DeleteAllConversationsRequest: + value: + excludedIds: + - abc123 + - def456 + schema: + type: object + properties: + excludedIds: + description: Optional list of conversation IDs to delete. + example: + - abc123 + - def456 + items: + type: string + type: array + required: false responses: '200': content: application/json: examples: - fleetSetupSuccessExample: - description: Fleet initialized successfully with no non-fatal errors - value: - isInitialized: true - nonFatalErrors: [] - fleetSetupWithNonFatalErrorsExample: - description: >- - Fleet initialized but encountered non-fatal errors during - setup + DeleteAllConversationsResponse200Example: value: - isInitialized: true - nonFatalErrors: - - message: Package fleet_server not found in registry - name: PackageNotFoundError + failures: [] + success: true + totalDeleted: 10 schema: - additionalProperties: false - description: >- - A summary of the result of Fleet's `setup` lifecycle. If - `isInitialized` is true, Fleet is ready to accept agent - enrollment. `nonFatalErrors` may include useful insight into - non-blocking issues with Fleet setup. type: object properties: - isInitialized: - type: boolean - nonFatalErrors: + failures: items: - additionalProperties: false - type: object - properties: - message: - type: string - name: - type: string - required: - - name - - message - maxItems: 10000 + type: string type: array - required: - - isInitialized - - nonFatalErrors - description: Fleet setup completed + success: + example: true + type: boolean + totalDeleted: + example: 10 + type: number + description: Indicates a successful call. The conversations were deleted successfully. 
'400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + DeleteAllConversationsResponse400Example: value: error: Bad Request - message: An error message describing what went wrong + message: Invalid conversation ID statusCode: 400 schema: - additionalProperties: false - description: Generic Error type: object properties: - attributes: - nullable: true error: - type: string - errorType: + example: Bad Request type: string message: + example: Invalid conversation ID type: string statusCode: + example: 400 type: number - required: - - message - - attributes - description: Bad Request - '500': - content: - application/json: - examples: - internalErrorResponseExample: - description: Example of an internal server error response - value: - error: Internal Server Error - message: An error message describing what went wrong - statusCode: 500 - schema: - additionalProperties: false - description: Internal Server Error - type: object - properties: - message: - type: string - required: - - message - description: Internal Server Error - summary: Initiate Fleet setup + description: Bad Request response. + summary: Delete conversations tags: - - Fleet internals - /api/fleet/space_settings: - get: - description: Get the Fleet settings for the current Kibana space. 
- operationId: get-fleet-space-settings - parameters: [] - responses: - '200': - content: - application/json: - examples: - getSpaceSettingsExample: - description: The Fleet settings for the current Kibana space - value: - item: - allowed_namespace_prefixes: - - team-a - - team-b - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - allowed_namespace_prefixes: - items: - type: string - maxItems: 100 - type: array - managed_by: - type: string - required: - - allowed_namespace_prefixes - required: - - item - description: Successful response - summary: Get space settings - tags: [] - x-state: Generally available; added in 9.1.0 - put: - description: >- - Create or update Fleet settings for the current Kibana - space.

[Required authorization] Route required privileges: - fleet-settings-all. - operationId: put-fleet-space-settings - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request DELETE 'http://localhost:5601/api/security_ai_assistant/current_user/conversations' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" \ + --data '{"excludedIds":["abc123"]}' + x-metaTags: + - content: Kibana + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/security_ai_assistant/current_user/conversations
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new Security AI Assistant conversation. This endpoint allows the user to initiate a conversation with the Security AI Assistant by providing the required parameters. + operationId: CreateConversation requestBody: content: application/json: examples: - putSpaceSettingsRequestExample: - description: Update allowed namespace prefixes for the current Kibana space + CreateConversationRequest: value: - allowed_namespace_prefixes: - - team-a - - team-b + apiConfig: + actionTypeId: '67890' + connectorId: '12345' + category: assistant + excludeFromLastConversationStorage: false + messages: + - content: Hello, how can I assist you today? + role: system + timestamp: '2023-10-31T12:00:00Z' + replacements: {} + title: Security Discussion schema: - additionalProperties: false - type: object - properties: - allowed_namespace_prefixes: - items: - type: string - maxItems: 10 - type: array - responses: - '200': - content: - application/json: - examples: - putSpaceSettingsExample: - description: The updated Fleet settings for the current Kibana space - value: - item: - allowed_namespace_prefixes: - - team-a - - team-b - schema: - additionalProperties: false - type: object - properties: - item: - additionalProperties: false - type: object - properties: - allowed_namespace_prefixes: - items: - type: string - maxItems: 100 - type: array - managed_by: - type: string - required: - - allowed_namespace_prefixes - required: - - item - description: Successful response - summary: Create space settings - tags: [] - x-state: Generally available; added in 9.1.0 - /api/fleet/uninstall_tokens: - get: - description: >- - List the metadata for the latest uninstall tokens per agent - policy.

[Required authorization] Route required privileges: - fleet-agents-all. - operationId: get-fleet-uninstall-tokens - parameters: - - description: Partial match filtering for policy IDs - in: query - name: policyId - required: false - schema: - maxLength: 50 - type: string - - description: Partial match filtering for uninstall token values - in: query - name: search - required: false - schema: - maxLength: 50 - type: string - - description: The number of items to return - in: query - name: perPage - required: false - schema: - minimum: 5 - type: number - - description: Page number - in: query - name: page - required: false - schema: - minimum: 1 - type: number + $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationCreateProps' + required: true responses: '200': content: application/json: examples: - getUninstallTokensExample: - description: List of uninstall token metadata for agent policies + CreateConversationResponse200Example: value: - items: - - created_at: '2024-01-01T00:00:00.000Z' - id: token-id-1 - namespaces: - - default - policy_id: policy-id-1 - policy_name: Default policy - - created_at: '2024-01-02T00:00:00.000Z' - id: token-id-2 - namespaces: - - production - policy_id: policy-id-2 - policy_name: Production policy - page: 1 - perPage: 20 - total: 2 + apiConfig: + actionTypeId: '67890' + connectorId: '12345' + category: assistant + createdAt: '2023-10-31T12:01:00Z' + createdBy: + id: user1 + name: John Doe + excludeFromLastConversationStorage: false + id: abc123 + messages: + - content: Hello, how can I assist you today? 
+ role: system + timestamp: '2023-10-31T12:00:00Z' + namespace: default + replacements: {} + title: Security Discussion + updatedAt: '2023-10-31T12:01:00Z' + users: + - id: user1 + name: John Doe schema: - additionalProperties: false - type: object - properties: - items: - items: - additionalProperties: false - type: object - properties: - created_at: - type: string - id: - type: string - namespaces: - items: - type: string - maxItems: 100 - type: array - policy_id: - type: string - policy_name: - nullable: true - type: string - required: - - id - - policy_id - - created_at - maxItems: 10000 - type: array - page: - type: number - perPage: - type: number - total: - type: number - required: - - items - - total - - page - - perPage - description: Successful response + $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse' + description: Indicates a successful call. The conversation was created successfully. '400': content: application/json: examples: - conflictingQueryParamsExample: - description: Both policyId and search query parameters were provided + CreateConversationResponse400Example: value: error: Bad Request - message: >- - Query parameters `policyId` and `search` cannot be used at - the same time. + message: 'Missing required parameter: title' statusCode: 400 schema: - additionalProperties: false - description: Generic Error type: object properties: - attributes: - nullable: true error: - type: string - errorType: + example: Bad Request type: string message: + example: 'Missing required parameter: title' type: string statusCode: + example: 400 type: number - required: - - message - - attributes - description: Bad Request - summary: Get metadata for latest uninstall tokens + description: Bad Request response. 
+ summary: Create a conversation tags: - - Fleet uninstall tokens - /api/fleet/uninstall_tokens/{uninstallTokenId}: + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request POST 'http://localhost:5601/api/security_ai_assistant/current_user/conversations' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" \ + --data '{"title":"Security Discussion","category":"assistant","messages":[{"content":"Hello","role":"system","timestamp":"2023-10-31T12:00:00Z"}],"apiConfig":{"connectorId":"12345","actionTypeId":"67890"},"replacements":{},"excludeFromLastConversationStorage":false}' + x-metaTags: + - content: Kibana + name: product_name + /api/security_ai_assistant/current_user/conversations/_find: get: - description: >- - Get one decrypted uninstall token by its ID.

[Required - authorization] Route required privileges: fleet-agents-all. - operationId: get-fleet-uninstall-tokens-uninstalltokenid + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/security_ai_assistant/current_user/conversations/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all conversations for the current user. This endpoint allows users to search, filter, sort, and paginate through their conversations. + operationId: FindConversations parameters: - - description: The ID of the uninstall token - in: path - name: uninstallTokenId - required: true + - description: A list of fields to include in the response. If omitted, all fields are returned. + in: query + name: fields + required: false + schema: + example: + - id + - title + - createdAt + items: + type: string + type: array + - description: A search query to filter the conversations. Can match against titles, messages, or other conversation attributes. + in: query + name: filter + required: false schema: + example: Security Issue type: string + - description: The field by which to sort the results. Valid fields are `created_at`, `title`, and `updated_at`. + in: query + name: sort_field + required: false + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_FindConversationsSortField' + example: created_at + - description: The order in which to sort the results. Can be either `asc` for ascending or `desc` for descending. + in: query + name: sort_order + required: false + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' + example: desc + - description: The page number of the results to retrieve. Default is 1. + in: query + name: page + required: false + schema: + default: 1 + example: 1 + minimum: 1 + type: integer + - description: The number of conversations to return per page. Default is 20. + in: query + name: per_page + required: false + schema: + default: 20 + example: 20 + minimum: 0 + type: integer + - description: Whether to return conversations that the current user owns. If true, only conversations owned by the user are returned. 
+ in: query + name: is_owner + required: false + schema: + default: false + example: true + type: boolean responses: '200': content: application/json: examples: - getUninstallTokenExample: - description: Decrypted uninstall token for an agent policy + FindConversationsResponse200Example: value: - item: - created_at: '2024-01-01T00:00:00.000Z' - id: token-id-1 - namespaces: - - default - policy_id: policy-id-1 - policy_name: Default policy - token: CKHJsJcBqNwIRcRBNDaE + data: + - category: assistant + createdAt: '2023-10-31T12:00:00Z' + createdBy: + id: user1 + name: John Doe + excludeFromLastConversationStorage: false + id: conv-abc123 + messages: [] + namespace: default + replacements: {} + title: Security Discussion + updatedAt: '2023-10-31T12:05:00Z' + users: + - id: user1 + name: John Doe + page: 1 + perPage: 20 + total: 5 schema: - additionalProperties: false type: object properties: - item: - additionalProperties: false - type: object - properties: - created_at: - type: string - id: - type: string - namespaces: - items: - type: string - maxItems: 100 - type: array - policy_id: - type: string - policy_name: - nullable: true - type: string - token: - type: string - required: - - id - - policy_id - - created_at - - token + data: + description: A list of conversations. + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse' + type: array + page: + description: The current page of the results. + example: 1 + type: integer + perPage: + description: The number of results returned per page. + example: 20 + type: integer + total: + description: The total number of conversations matching the filter criteria. + example: 100 + type: integer required: - - item - description: Successful response + - page + - perPage + - total + - data + description: Successful response, returns a paginated list of conversations matching the specified criteria. 
'400': content: application/json: examples: - genericErrorResponseExample: - description: Example of a generic error response + FindConversationsResponse400Example: value: error: Bad Request - message: An error message describing what went wrong + message: Invalid filter parameter. statusCode: 400 schema: - additionalProperties: false - description: Generic Error type: object properties: - attributes: - nullable: true error: - type: string - errorType: + example: Bad Request type: string message: + example: Invalid filter query parameter type: string statusCode: + example: 400 type: number - required: - - message - - attributes - description: Bad Request - '404': - content: - application/json: - examples: - notFoundExample: - description: No uninstall token was found with the given ID - value: - error: Not Found - message: Uninstall Token not found with ID token-id-1 - statusCode: 404 - description: Not Found - summary: Get a decrypted uninstall token + description: Bad Request response. + summary: Get conversations tags: - - Fleet uninstall tokens - /api/lists: + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request GET 'http://localhost:5601/api/security_ai_assistant/current_user/conversations/_find?page=1&per_page=20' \ + --header "Authorization: $API_KEY" + x-metaTags: + - content: Kibana + name: product_name + /api/security_ai_assistant/current_user/conversations/{id}: delete: - description: | - Delete a value list using the list ID. - > info - > When you delete a list, all of its list items are also deleted. - operationId: DeleteList + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/security_ai_assistant/current_user/conversations/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete an existing conversation using the conversation ID. This endpoint allows users to permanently delete a conversation. + operationId: DeleteConversation parameters: - - description: Value list identifier to delete, including all of its list items. - in: query + - description: The conversation's `id` value. + example: abc123 + in: path name: id required: true schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' - - description: >- - Determines whether exception items referencing this value list - should be deleted. - in: query - name: deleteReferences - required: false - schema: - default: false - example: false - type: boolean - - description: >- - Determines whether to delete value list without performing any - additional checks of where this list may be utilized. - in: query - name: ignoreReferences - required: false - schema: - default: false - example: false - type: boolean + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' responses: '200': content: application/json: examples: - ipList: + DeleteConversationResponse200Example: value: - _version: WzIsMV0= - '@timestamp': 2025-01-08T04:47:34.273Z - created_at: 2025-01-08T04:47:34.273Z - created_by: elastic - description: List of bad internet ips. - id: 21b01cfb-058d-44b9-838c-282be16c91cd - immutable: false - name: Bad ips - tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 - type: ip - updated_at: 2025-01-08T05:39:39.292Z - updated_by: elastic - version: 3 + apiConfig: + actionTypeId: '67890' + connectorId: '12345' + category: assistant + createdAt: '2023-10-31T12:01:00Z' + createdBy: + id: user1 + name: John Doe + excludeFromLastConversationStorage: false + id: abc123 + messages: + - content: The conversation has been deleted. 
+ role: system + timestamp: '2023-10-31T12:35:00Z' + namespace: default + replacements: {} + title: Deleted Security Discussion + updatedAt: '2023-10-31T12:01:00Z' + users: + - id: user1 + name: John Doe schema: - $ref: '#/components/schemas/Security_Lists_API_List' - description: Successful response + $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse' + description: Indicates a successful call. The conversation was deleted successfully. '400': content: application/json: examples: - badRequest: + DeleteConversationResponse400Example: value: error: Bad Request - message: '[request query]: id: Required' + message: Invalid conversation ID statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [DELETE /api/lists?id=ip_list] is unauthorized for - user, this action is granted by the Kibana privileges - [lists-all] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message: 'list id: \"ip_list\" was not found' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - 
description: List not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Delete a value list + type: object + properties: + error: + example: Bad Request + type: string + message: + example: Invalid conversation ID + type: string + statusCode: + example: 400 + type: number + description: Bad Request response. + summary: Delete a conversation tags: - - Security Lists API + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request DELETE 'http://localhost:5601/api/security_ai_assistant/current_user/conversations/abc123' \ + --header "Authorization: $API_KEY" + x-metaTags: + - content: Kibana + name: product_name get: - description: Get the details of a value list using the list ID. - operationId: ReadList + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/security_ai_assistant/current_user/conversations/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the details of an existing conversation using the conversation ID. This allows users to fetch the specific conversation data by its unique ID. + operationId: ReadConversation parameters: - - description: Value list identifier (`id`) returned when the list was created. - in: query + - description: The conversation's `id` value, a unique identifier for the conversation. + example: abc123 + in: path name: id required: true schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' responses: '200': content: application/json: examples: - ip: + ReadConversationResponse200Example: value: - _version: WzEsMV0= - '@timestamp': 2025-01-08T04:47:34.273Z - created_at: 2025-01-08T04:47:34.273Z - created_by: elastic - description: This list describes bad internet ip - id: ip_list - immutable: false - name: My bad ips - tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 - type: ip - updated_at: 2025-01-08T05:21:53.843Z - updated_by: elastic - version: 1 + apiConfig: + actionTypeId: '67890' + connectorId: '12345' + category: assistant + createdAt: '2023-10-31T12:01:00Z' + createdBy: + id: user1 + name: John Doe + excludeFromLastConversationStorage: false + id: abc123 + messages: + - content: Hello, how can I assist you today? + role: system + timestamp: '2023-10-31T12:00:00Z' + namespace: default + replacements: {} + title: Security Discussion + updatedAt: '2023-10-31T12:01:00Z' + users: + - id: user1 + name: John Doe schema: - $ref: '#/components/schemas/Security_Lists_API_List' - description: Successful response + $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse' + description: Indicates a successful call. The conversation details are returned. 
'400': content: application/json: examples: - badRequest: + ReadConversationResponse400Example: value: error: Bad Request - message: '[request query]: id: Required' + message: Invalid conversation ID statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [GET /api/lists?id=ip_list] is unauthorized for user, - this action is granted by the Kibana privileges - [lists-read] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message: 'list id: \"foo\" not found' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Get value list details + type: object + properties: + error: + example: Bad Request + type: string + message: + example: Invalid conversation ID + type: string + statusCode: + example: 400 + 
type: number + description: Bad Request response. + summary: Get a conversation tags: - - Security Lists API - patch: - description: Update specific fields of an existing list using the list `id`. - operationId: PatchList + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request GET 'http://localhost:5601/api/security_ai_assistant/current_user/conversations/abc123' \ + --header "Authorization: $API_KEY" + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/security_ai_assistant/current_user/conversations/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an existing conversation using the conversation ID. This endpoint allows users to modify the details of an existing conversation. + operationId: UpdateConversation + parameters: + - description: The conversation's `id` value. + example: abc123 + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' requestBody: content: application/json: examples: - patchName: + UpdateConversationRequest: value: - id: ip_list - name: Bad ips list - UPDATED + apiConfig: + actionTypeId: '09876' + connectorId: '54321' + category: insights + excludeFromLastConversationStorage: true + messages: + - content: The issue was resolved. + role: assistant + timestamp: '2023-10-31T12:30:00Z' + replacements: {} + title: Updated Security Discussion schema: - example: - id: ip_list - name: Bad ips list - UPDATED - type: object - properties: - _version: - $ref: '#/components/schemas/Security_Lists_API_ListVersionId' - description: - $ref: '#/components/schemas/Security_Lists_API_ListDescription' - id: - $ref: '#/components/schemas/Security_Lists_API_ListId' - meta: - $ref: '#/components/schemas/Security_Lists_API_ListMetadata' - name: - $ref: '#/components/schemas/Security_Lists_API_ListName' - version: - $ref: '#/components/schemas/Security_Lists_API_ListVersion' - required: - - id - description: Value list's properties + $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationUpdateProps' required: true responses: '200': content: application/json: examples: - ip: + UpdateConversationResponse200Example: value: - _version: WzEsMV0= - '@timestamp': 2025-01-08T04:47:34.273Z - created_at: 2025-01-08T04:47:34.273Z - created_by: elastic - description: This list describes bad internet ips - id: ip_list - immutable: false - name: Bad ips list - UPDATED - tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 - type: ip - 
updated_at: 2025-01-08T05:21:53.843Z - updated_by: elastic - version: 2 + apiConfig: + actionTypeId: '09876' + connectorId: '54321' + category: insights + createdAt: '2023-10-31T12:01:00Z' + createdBy: + id: user1 + name: John Doe + excludeFromLastConversationStorage: true + id: abc123 + messages: + - content: The issue was resolved. + role: assistant + timestamp: '2023-10-31T12:30:00Z' + namespace: default + replacements: {} + title: Updated Security Discussion + updatedAt: '2023-10-31T12:31:00Z' + users: + - id: user1 + name: John Doe schema: - $ref: '#/components/schemas/Security_Lists_API_List' - description: Successful response + $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse' + description: Indicates a successful call. The conversation was updated successfully. '400': content: application/json: examples: - badRequest: + UpdateConversationResponse400Example: value: error: Bad Request - message: '[request body]: name: Expected string, received number' + message: 'Missing required field: title' statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [PATCH /api/lists] is unauthorized for user, this - action is granted by the Kibana privileges [lists-all] - statusCode: 
403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': + type: object + properties: + error: + example: Bad Request + type: string + message: + example: 'Missing required field: title' + type: string + statusCode: + example: 400 + type: number + description: Bad Request response. + summary: Update a conversation + tags: + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request PUT 'http://localhost:5601/api/security_ai_assistant/current_user/conversations/abc123' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" \ + --data '{"title":"Updated Security Discussion","category":"insights","messages":[{"content":"Resolved.","role":"assistant","timestamp":"2023-10-31T12:30:00Z"}],"apiConfig":{"connectorId":"54321","actionTypeId":"09876"},"replacements":{},"excludeFromLastConversationStorage":true}' + x-metaTags: + - content: Kibana + name: product_name + /api/security_ai_assistant/knowledge_base: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/security_ai_assistant/knowledge_base
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Read a single KB + operationId: GetKnowledgeBase + responses: + '200': content: application/json: examples: - notFound: - value: - message: 'list id: \"foo\" not found' - status_code: 404 + KnowledgeBaseReadResponse200Example2: + summary: A response that returns information about the knowledge base. + value: + defend_insights_exists: true + elser_exists: false + is_setup_available: true + is_setup_in_progress: true + product_documentation_status: installed + security_labs_exists: false + user_data_exists: true schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List not found response - '500': + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseReadResponse200' + description: Indicates a successful call. + '400': content: application/json: examples: - serverError: + GetKnowledgeBaseResponse400Example: value: - message: Internal Server Error - status_code: 500 + error: Bad Request + message: Invalid resource ID provided. + statusCode: 400 schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Patch a value list + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400' + description: Bad Request response. + summary: Read a KnowledgeBase tags: - - Security Lists API + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request GET 'http://localhost:5601/api/security_ai_assistant/knowledge_base' \ + --header "Authorization: $API_KEY" + x-metaTags: + - content: Kibana + name: product_name post: - description: Create a new value list. 
- operationId: CreateList - requestBody: - content: - application/json: - examples: - ip: - value: - description: This list describes bad internet ips - id: ip_list - name: Simple list with ips - type: ip - ip_range: - value: - description: This list has ip ranges - id: ip_range_list - name: Simple list with ip ranges - type: ip_range - keyword: - value: - description: This list describes bad host names - id: keyword_list - name: Simple list with a keyword - type: keyword - keyword_custom_format: - value: - description: This parses the first found ipv4 only - id: keyword_custom_format_list - name: Simple list with a keyword using a custom format - type: keyword - schema: - type: object - properties: - description: - $ref: '#/components/schemas/Security_Lists_API_ListDescription' - id: - $ref: '#/components/schemas/Security_Lists_API_ListId' - meta: - $ref: '#/components/schemas/Security_Lists_API_ListMetadata' - name: - $ref: '#/components/schemas/Security_Lists_API_ListName' - type: - $ref: '#/components/schemas/Security_Lists_API_ListType' - version: - default: 1 - minimum: 1 - type: integer - required: - - name - - description - - type - description: Value list's properties - required: true + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/security_ai_assistant/knowledge_base
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a knowledge base. Use this endpoint when no specific resource identifier is needed. + operationId: PostKnowledgeBase + parameters: + - description: ELSER modelId to use when setting up the Knowledge Base. If not provided, a default model will be used. + example: elser-model-001 + in: query + name: modelId + required: false + schema: + type: string + - description: Indicates whether we should or should not install Security Labs docs when setting up the Knowledge Base. Defaults to `false`. + example: true + in: query + name: ignoreSecurityLabs + required: false + schema: + default: false + type: boolean responses: '200': content: application/json: examples: - ip: - value: - _version: WzAsMV0= - '@timestamp': 2025-01-08T04:47:34.273Z - created_at: 2025-01-08T04:47:34.273Z - created_by: elastic - description: This list describes bad internet ips - id: ip_list - immutable: false - name: Simple list with ips - tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 - type: ip - updated_at: 2025-01-08T04:47:34.273Z - updated_by: elastic - version: 1 - ip_range: - value: - _version: WzAsMV0= - '@timestamp': 2025-01-09T18:23:52.241Z - created_at: 2025-01-09T18:23:52.241Z - created_by: elastic - description: This list has ip ranges - id: ip_range_list - immutable: false - name: Simple list with ip ranges - tie_breaker_id: 74aebdaf-601f-4940-b351-155728ff7003 - type: ip_range - updated_at: 2025-01-09T18:23:52.241Z - updated_by: elastic - version: 1 - keyword: - value: - _version: WzEsMV0= - '@timestamp': 2025-01-09T18:24:55.786Z - created_at: 2025-01-09T18:24:55.786Z - created_by: elastic - description: This list describes bad host names - id: keyword_list - immutable: false - name: Simple list with a keyword - tie_breaker_id: f7e7dbaa-daf7-4c9a-a3dc-56643923ef68 - type: keyword - updated_at: 2025-01-09T18:24:55.786Z - updated_by: elastic - version: 1 - 
keyword_custom_format: + KnowledgeBaseResponse200Example2: + summary: A response that indicates that the request was successful. value: - _version: WzIsMV0= - '@timestamp': 2025-01-09T18:25:39.604Z - created_at: 2025-01-09T18:25:39.604Z - created_by: elastic - description: This parses the first found ipv4 only - id: keyword_custom_format_list - immutable: false - name: Simple list with a keyword using a custom format - tie_breaker_id: 8247ae63-b780-47b8-9a89-948b643e9ec2 - type: keyword - updated_at: 2025-01-09T18:25:39.604Z - updated_by: elastic - version: 1 + success: true schema: - $ref: '#/components/schemas/Security_Lists_API_List' - description: Successful response + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse' + description: Indicates a successful call. '400': content: application/json: examples: - notFound: - value: - message: >- - To create a list, the data stream must exist first. Data - stream \".lists-default\" does not exist - status_code: 400 + KnowledgeBaseResponse400Example2: + summary: A response for a request that failed due to an invalid query parameter value. + value: | + statusCode: 400 error: Bad Request message: "[request query]: ignoreSecurityLabs: Invalid enum value. Expected 'true' | 'false', received 'yes', ignoreSecurityLabs: Expected boolean, received string" schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400' + description: Bad Request response. 
+ summary: Create a KnowledgeBase + tags: + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request POST 'http://localhost:5601/api/security_ai_assistant/knowledge_base?ignoreSecurityLabs=false' \ + --header "Authorization: $API_KEY" + x-metaTags: + - content: Kibana + name: product_name + /api/security_ai_assistant/knowledge_base/{resource}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/security_ai_assistant/knowledge_base/{resource}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Read a knowledge base with a specific resource identifier. + operationId: ReadKnowledgeBase + parameters: + - description: The KnowledgeBase `resource` value. + example: kb12345 + in: path + name: resource + required: true + schema: + type: string + responses: + '200': content: application/json: examples: - unauthorized: + KnowledgeBaseReadResponse200Example1: + summary: A response that returns information about the knowledge base. value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 + defend_insights_exists: true + elser_exists: false + is_setup_available: true + is_setup_in_progress: true + product_documentation_status: installed + security_labs_exists: false + user_data_exists: true schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseReadResponse200' + description: Indicates a successful call. + '400': content: application/json: examples: - forbidden: + ReadKnowledgeBaseResponse400Example: value: - error: Forbidden - message: >- - API [POST /api/lists] is unauthorized for user, this - action is granted by the Kibana privileges [lists-all] - statusCode: 403 + error: Bad Request + message: Invalid resource ID provided. + statusCode: 400 schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '409': + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400' + description: Bad Request response. 
+ summary: Read a KnowledgeBase for a resource + tags: + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request GET 'http://localhost:5601/api/security_ai_assistant/knowledge_base/kb12345' \ + --header "Authorization: $API_KEY" + x-metaTags: + - content: Kibana + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/security_ai_assistant/knowledge_base/{resource}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a knowledge base with a specific resource identifier. + operationId: CreateKnowledgeBase + parameters: + - description: The KnowledgeBase `resource` value. + example: kb12345 + in: path + name: resource + required: true + schema: + type: string + - description: ELSER modelId to use when setting up the Knowledge Base. If not provided, a default model will be used. + example: elser-model-001 + in: query + name: modelId + required: false + schema: + type: string + - description: Indicates whether we should or should not install Security Labs docs when setting up the Knowledge Base. Defaults to `false`. + example: true + in: query + name: ignoreSecurityLabs + required: false + schema: + default: false + type: boolean + responses: + '200': content: application/json: examples: - alreadyExists: + KnowledgeBaseResponse200Example1: + summary: A response that indicates that the request was successful. value: - message: 'list id: "keyword_custom_format_list" already exists' - status_code: 409 + success: true schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List already exists response - '500': + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse' + description: Indicates a successful call. + '400': content: application/json: examples: - serverError: - value: - message: Internal Server Error - status_code: 500 + KnowledgeBaseResponse400Example1: + summary: A response for a request that failed due to an invalid query parameter value. + value: | + statusCode: 400 error: Bad Request message: "[request query]: ignoreSecurityLabs: Invalid enum value. 
Expected 'true' | 'false', received 'yes', ignoreSecurityLabs: Expected boolean, received string" schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Create a value list + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400' + description: Bad Request response. + summary: Create a KnowledgeBase for a resource tags: - - Security Lists API - put: - description: > - Update a value list using the list `id`. The original list is replaced, - and all unspecified fields are deleted. + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request POST 'http://localhost:5601/api/security_ai_assistant/knowledge_base/kb12345?ignoreSecurityLabs=false' \ + --header "Authorization: $API_KEY" + x-metaTags: + - content: Kibana + name: product_name + /api/security_ai_assistant/knowledge_base/entries: + post: + description: |- + **Spaces method and path for this operation:** - > info +
post /s/{space_id}/api/security_ai_assistant/knowledge_base/entries
- > You cannot modify the `id` value. - operationId: UpdateList + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a Knowledge Base Entry + operationId: CreateKnowledgeBaseEntry requestBody: content: application/json: examples: - replaceList: + CreateKnowledgeBaseEntryRequest: value: - description: Latest list of bad ips - id: ip_list - name: Bad ips - updated + kbResource: user + name: How to reset a password + source: manual + text: To reset your password, go to the settings page and click 'Reset Password'. + type: document schema: - example: - description: Latest list of bad ips - id: ip_list - name: Bad ips - updated - type: object - properties: - _version: - $ref: '#/components/schemas/Security_Lists_API_ListVersionId' - description: - $ref: '#/components/schemas/Security_Lists_API_ListDescription' - id: - $ref: '#/components/schemas/Security_Lists_API_ListId' - meta: - $ref: '#/components/schemas/Security_Lists_API_ListMetadata' - name: - $ref: '#/components/schemas/Security_Lists_API_ListName' - version: - $ref: '#/components/schemas/Security_Lists_API_ListVersion' - required: - - id - - name - - description - description: Value list's properties + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryCreateProps' required: true responses: '200': content: application/json: examples: - ip: + CreateKnowledgeBaseEntryResponse200Example: value: - _version: WzIsMV0= - '@timestamp': 2025-01-08T04:47:34.273Z - created_at: 2025-01-08T04:47:34.273Z - created_by: elastic - description: Latest list of bad ips - id: ip_list - immutable: false - name: Bad ips - updated - tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 - type: ip - updated_at: 2025-01-08T05:39:39.292Z - updated_by: elastic - version: 3 + createdAt: '2024-01-15T10:00:00.000Z' + createdBy: user@example.com + global: false + id: '12345' + kbResource: user + name: How to reset a password + namespace: default + source: manual + 
text: To reset your password, go to the settings page and click 'Reset Password'. + type: document + updatedAt: '2024-01-15T10:00:00.000Z' + updatedBy: user@example.com schema: - $ref: '#/components/schemas/Security_Lists_API_List' - description: Successful response + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse' + description: Successful request returning Knowledge Base Entries '400': content: application/json: examples: - badRequest: - value: - error: Bad Request - message: '[request body]: id: Expected string, received number' - statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: + CreateKnowledgeBaseEntryResponse400Example: value: - error: Forbidden - message: >- - API [PUT /api/lists] is unauthorized for user, this action - is granted by the Kibana privileges [lists-all] - statusCode: 403 + error: Invalid input + message: The 'name' field is required. schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema' + description: Bad Request response. 
+ summary: Create a Knowledge Base Entry + tags: + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request POST 'http://localhost:5601/api/security_ai_assistant/knowledge_base/entries' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" \ + --data '{"name":"How to reset a password","type":"document","kbResource":"user","source":"manual","text":"To reset your password, go to the settings page and click Reset Password."}' + x-metaTags: + - content: Kibana + name: product_name + /api/security_ai_assistant/knowledge_base/entries/_bulk_action: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/security_ai_assistant/knowledge_base/entries/_bulk_action
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + The bulk action is applied to all Knowledge Base Entries that match the filter or to the list of Knowledge Base Entries by their IDs. + operationId: PerformKnowledgeBaseEntryBulkAction + requestBody: + content: + application/json: + examples: + PerformKnowledgeBaseEntryBulkActionRequest: + value: + create: + - kbResource: user + name: New Entry + source: manual + text: This is the content of the new entry. + type: document + delete: + ids: + - '789' + update: + - id: '123' + kbResource: user + name: Updated Entry + source: manual + text: Updated content. + type: document + schema: + type: object + properties: + create: + description: List of Knowledge Base Entries to create. + example: + - kbResource: user + name: New Entry + source: manual + text: This is the content of the new entry. + type: document + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryCreateProps' + type: array + delete: + type: object + properties: + ids: + description: Array of Knowledge Base Entry IDs. + example: + - '123' + - '456' + - '789' + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter Knowledge Base Entries. + example: status:active AND category:technology + type: string + update: + description: List of Knowledge Base Entries to update. + example: + - id: '123' + kbResource: user + name: Updated Entry + source: manual + text: Updated content. 
+ type: document + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryUpdateProps' + type: array + responses: + '200': content: application/json: examples: - notFound: + PerformKnowledgeBaseEntryBulkActionResponse200Example: value: - message: 'list id: \"foo\" not found' - status_code: 404 + attributes: + results: + created: + - createdAt: '2024-01-15T10:00:00.000Z' + createdBy: user@example.com + global: false + id: '456' + kbResource: user + name: New Entry + namespace: default + source: manual + text: This is the content of the new entry. + type: document + updatedAt: '2024-01-15T10:00:00.000Z' + updatedBy: user@example.com + deleted: + - '789' + skipped: [] + updated: + - createdAt: '2024-01-14T09:00:00.000Z' + createdBy: user@example.com + global: false + id: '123' + kbResource: user + name: Updated Entry + namespace: default + source: manual + text: Updated content. + type: document + updatedAt: '2024-01-15T10:00:00.000Z' + updatedBy: user@example.com + summary: + failed: 0 + skipped: 0 + succeeded: 3 + total: 3 + knowledgeBaseEntriesCount: 3 + message: Bulk action completed successfully. + statusCode: 200 + success: true schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List not found response - '500': + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionResponse' + description: Successful bulk operation request + '400': content: application/json: examples: - serverError: + PerformKnowledgeBaseEntryBulkActionResponse400Example: value: - message: Internal Server Error - status_code: 500 + error: Bad Request + message: Invalid request body. + statusCode: 400 schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Update a value list + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema' + description: Bad Request response. 
+ summary: Applies a bulk action to multiple Knowledge Base Entries tags: - - Security Lists API - /api/lists/_find: + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request POST 'http://localhost:5601/api/security_ai_assistant/knowledge_base/entries/_bulk_action' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" \ + --data '{"create":[{"name":"Runbook","type":"document","kbResource":"user","source":"manual","text":"Steps to triage an alert."}]}' + x-metaTags: + - content: Kibana + name: product_name + /api/security_ai_assistant/knowledge_base/entries/_find: get: - description: >- - Get a paginated subset of value lists. By default, the first page is - returned, with 20 results per page. - operationId: FindLists + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/security_ai_assistant/knowledge_base/entries/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Finds Knowledge Base Entries that match the given query. + operationId: FindKnowledgeBaseEntries parameters: - - description: The page number to return. + - description: A list of fields to include in the response. If not provided, all fields will be included. in: query - name: page + name: fields required: false schema: - example: 1 - type: integer - - description: The number of value lists to return per page. + example: + - name + - created_at + items: + type: string + type: array + - description: Search query to filter Knowledge Base Entries by specific criteria. in: query - name: per_page + name: filter required: false schema: - example: 20 - type: integer - - description: Determines which field is used to sort the results. + example: error handling + type: string + - description: Field to sort the Knowledge Base Entries by. in: query name: sort_field required: false schema: - example: name - format: nonempty - minLength: 1 - type: string - - description: Determines the sort order, which can be `desc` or `asc` + $ref: '#/components/schemas/Security_AI_Assistant_API_FindKnowledgeBaseEntriesSortField' + example: created_at + - description: Sort order for the results, either asc or desc. in: query name: sort_order required: false schema: - enum: - - desc - - asc + $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' example: asc - type: string - - description: >- - Returns the lists that come after the last lists returned in the - previous call (use the `cursor` value returned in the previous - call). This parameter uses the `tie_breaker_id` field to ensure all - lists are sorted and returned correctly. + - description: Page number for paginated results. Defaults to 1. 
in: query - name: cursor + name: page required: false schema: - $ref: '#/components/schemas/Security_Lists_API_FindListsCursor' - - description: > - Filters the returned results according to the value of the specified - field, - - using the : syntax. + default: 1 + example: 2 + minimum: 1 + type: integer + - description: Number of Knowledge Base Entries to return per page. Defaults to 20. in: query - name: filter + name: per_page required: false schema: - $ref: '#/components/schemas/Security_Lists_API_FindListsFilter' + default: 20 + example: 10 + minimum: 0 + type: integer responses: '200': content: application/json: examples: - ipList: + FindKnowledgeBaseEntriesResponse200Example: value: - cursor: >- - WzIwLFsiZjU1MDgxODgtYjFlOS00ZTZlLTk2NjItZDAzOWE3ZDg5ODk5Il1d data: - - _version: WzAsMV0= - '@timestamp': | - 2025-01-08T04:47:34.273Z - created_at: | - 2025-01-08T04:47:34.273Z - created_by: elastic - description: This list describes bad internet ip - id: ip_list - immutable: false - name: Simple list with an ip - tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 - type: ip - updated_at: | - 2025-01-08T04:47:34.273Z - updated_by: elastic - version: 1 + - createdAt: '2024-01-15T10:00:00.000Z' + createdBy: user@example.com + global: false + id: '12345' + kbResource: user + name: How to reset a password + namespace: default + source: manual + text: To reset your password, go to the settings page and click 'Reset Password'. + type: document + updatedAt: '2024-01-15T10:00:00.000Z' + updatedBy: user@example.com page: 1 - per_page: 20 - total: 1 + perPage: 20 + total: 100 schema: type: object properties: - cursor: - $ref: '#/components/schemas/Security_Lists_API_FindListsCursor' data: + description: The list of Knowledge Base Entries for the current page. items: - $ref: '#/components/schemas/Security_Lists_API_List' + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse' type: array page: - minimum: 0 + description: The current page number. 
+ example: 1 type: integer - per_page: - minimum: 0 + perPage: + description: The number of Knowledge Base Entries returned per page. + example: 20 type: integer total: - minimum: 0 + description: The total number of Knowledge Base Entries available. + example: 100 type: integer required: - - data - page - - per_page + - perPage - total - - cursor - description: Successful response + - data + description: Successful response containing the paginated Knowledge Base Entries. '400': content: application/json: examples: - badRequest: + FindKnowledgeBaseEntriesResponse400Example: value: error: Bad Request - message: '[request query]: page: Expected number, received nan' + message: 'Invalid query parameter: sort_order' statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [GET /api/lists/_find?page=1&per_page=20] is - unauthorized for user, this action is granted by the - Kibana privileges [lists-read] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: 
'#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Get value lists + type: object + properties: + error: + description: A short description of the error. + example: Bad Request + type: string + message: + description: A detailed message explaining the error. + example: 'Invalid query parameter: sort_order' + type: string + statusCode: + description: The HTTP status code of the error. + example: 400 + type: number + description: Bad Request response. + summary: Finds Knowledge Base Entries that match the given query. tags: - - Security Lists API - /api/lists/index: + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request GET 'http://localhost:5601/api/security_ai_assistant/knowledge_base/entries/_find?page=1&per_page=20' \ + --header "Authorization: $API_KEY" + x-metaTags: + - content: Kibana + name: product_name + /api/security_ai_assistant/knowledge_base/entries/{id}: delete: - description: Delete the `.lists` and `.items` data streams. - operationId: DeleteListIndex + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/security_ai_assistant/knowledge_base/entries/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a Knowledge Base Entry by its unique `id`. + operationId: DeleteKnowledgeBaseEntry + parameters: + - description: The unique identifier (`id`) of the Knowledge Base Entry to delete. + example: '12345' + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' responses: '200': content: application/json: examples: - acknowledged: + DeleteKnowledgeBaseEntryResponse200Example: value: - acknowledged: true + id: '12345' + message: Knowledge Base Entry successfully deleted. schema: - type: object - properties: - acknowledged: - type: boolean - required: - - acknowledged - description: Successful response + $ref: '#/components/schemas/Security_AI_Assistant_API_DeleteResponseFields' + description: Successful request returning the `id` of the deleted Knowledge Base Entry. '400': content: application/json: examples: - badRequest: - value: - message: >- - Unable to delete value list data streams: invalid or - missing index metadata - status_code: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [DELETE /api/lists/index] is not authorized; 
lists-all - (or equivalent) is required to delete data streams - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message: The value list data stream was not found in this space - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List data stream not found response - '500': - content: - application/json: - examples: - serverError: + DeleteKnowledgeBaseEntryResponse400Example: value: - message: Internal Server Error - status_code: 500 + error: Not Found + message: No Knowledge Base Entry found with the provided `id`. schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Delete value list data streams + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema' + description: Bad Request response. + summary: Deletes a single Knowledge Base Entry using the `id` field tags: - - Security Lists API + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request DELETE 'http://localhost:5601/api/security_ai_assistant/knowledge_base/entries/12345' \ + --header "Authorization: $API_KEY" + x-metaTags: + - content: Kibana + name: product_name get: - description: Verify that `.lists` and `.items` data streams exist. - operationId: ReadListIndex + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/security_ai_assistant/knowledge_base/entries/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve a Knowledge Base Entry by its unique `id`. + operationId: ReadKnowledgeBaseEntry + parameters: + - description: The unique identifier (`id`) of the Knowledge Base Entry to retrieve. + example: '12345' + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' responses: '200': content: application/json: examples: - bothExist: + ReadKnowledgeBaseEntryResponse200Example: value: - list_index: true - list_item_index: true + createdAt: '2024-01-15T10:00:00.000Z' + createdBy: user@example.com + global: false + id: '12345' + kbResource: user + name: How to reset a password + namespace: default + source: manual + text: To reset your password, go to the settings page and click 'Reset Password'. + type: document + updatedAt: '2024-01-15T10:00:00.000Z' + updatedBy: user@example.com schema: - type: object - properties: - list_index: - type: boolean - list_item_index: - type: boolean - required: - - list_index - - list_item_index - description: Successful response + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse' + description: Successful request returning the requested Knowledge Base Entry. 
'400': content: application/json: examples: - badRequest: - value: - message: >- - Unable to read value list data stream status for this - space - status_code: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [GET /api/lists/index] is not authorized; list read - permissions are required - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message: Value list backing indices were not found for this space - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List data stream(s) not found response - '500': - content: - application/json: - examples: - serverError: + ReadKnowledgeBaseEntryResponse400Example: value: - message: Internal Server Error - status_code: 500 + error: Not Found + message: No Knowledge Base Entry found with the provided `id`. 
schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Get status of value list data streams + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema' + description: Bad Request response. + summary: Read a Knowledge Base Entry tags: - - Security Lists API - post: - deprecated: true - description: > - **DEPRECATED.** `deprecated: true` is set on this operation. Value list - backing data streams for the space - - are now created as part of supported workflows; calling this explicitly - is rarely required. - - **WARNING:** Do not use for new integrations. Prefer the UI or the list - and list-item APIs after confirming + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request GET 'http://localhost:5601/api/security_ai_assistant/knowledge_base/entries/12345' \ + --header "Authorization: $API_KEY" + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** - indices exist with `GET /api/lists/index`. +
put /s/{space_id}/api/security_ai_assistant/knowledge_base/entries/{id}
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Creates the `.lists` and `.items` data streams in the current Kibana - space. - operationId: CreateListIndex + Update an existing Knowledge Base Entry by its unique `id`. + operationId: UpdateKnowledgeBaseEntry + parameters: + - description: The unique identifier (`id`) of the Knowledge Base Entry to update. + example: '12345' + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + requestBody: + content: + application/json: + examples: + UpdateKnowledgeBaseEntryRequest: + value: + kbResource: user + name: How to reset a password (updated) + source: manual + text: 'Updated: go to settings and click Reset Password, then follow the on-screen instructions.' + type: document + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryUpdateRouteProps' + required: true responses: '200': content: application/json: examples: - acknowledged: + UpdateKnowledgeBaseEntryResponse200Example: value: - acknowledged: true + createdAt: '2024-01-15T10:00:00.000Z' + createdBy: user@example.com + global: false + id: '12345' + kbResource: user + name: How to reset a password (updated) + namespace: default + source: manual + text: 'Updated: go to settings and click Reset Password, then follow the on-screen instructions.' + type: document + updatedAt: '2024-01-15T10:05:00.000Z' + updatedBy: user@example.com schema: - type: object - properties: - acknowledged: - type: boolean - required: - - acknowledged - description: Successful response + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse' + description: Successful request returning the updated Knowledge Base Entry. '400': content: application/json: examples: - badRequest: - value: - message: >- - Indices exist but the request could not be completed for - the current space. 
Check that Elasticsearch and Kibana - privileges allow index creation for lists. - status_code: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: > - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: + UpdateKnowledgeBaseEntryResponse400Example: value: - error: Forbidden - message: >- - API [POST /api/lists/index] is unauthorized for user, this - action is granted by the Kibana privileges [lists-all] - statusCode: 403 + error: Invalid input + message: The 'text' field cannot be empty. schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '409': + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema' + description: Bad Request response. 
+ summary: Update a Knowledge Base Entry + tags: + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request PUT 'http://localhost:5601/api/security_ai_assistant/knowledge_base/entries/12345' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" \ + --data '{"name":"How to reset a password (updated)","type":"document","kbResource":"user","source":"manual","text":"Updated: go to settings and click Reset Password, then follow the on-screen instructions."}' + x-metaTags: + - content: Kibana + name: product_name + /api/security_ai_assistant/prompts/_bulk_action: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/security_ai_assistant/prompts/_bulk_action
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Apply a bulk action to multiple prompts. The bulk action is applied to all prompts that match the filter or to the list of prompts by their IDs. This action allows for bulk create, update, or delete operations. + operationId: PerformPromptsBulkAction + requestBody: + content: + application/json: + examples: + PerformPromptsBulkActionRequest: + value: + create: + - content: Please verify the security settings. + name: New Security Prompt + promptType: system + delete: + ids: + - prompt1 + - prompt2 + update: + - content: Updated content for security prompt. + id: prompt123 + schema: + type: object + properties: + create: + description: List of prompts to be created. + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_PromptCreateProps' + type: array + delete: + description: Criteria for deleting prompts in bulk. + type: object + properties: + ids: + description: Array of IDs to apply the action to. + example: + - '1234' + - '5678' + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter the bulk action. + example: 'status: ''inactive''' + type: string + update: + description: List of prompts to be updated. + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_PromptUpdateProps' + type: array + responses: + '200': content: application/json: examples: - alreadyExists: + success: value: - message: >- - data stream: \".lists-default\" and \".items-default\" - already exists - status_code: 409 + attributes: + errors: [] + results: + created: + - content: Please verify the security settings. 
+ id: prompt6 + name: New Security Prompt + promptType: system + deleted: + - prompt2 + - prompt3 + skipped: + - id: prompt4 + name: Security Prompt + skip_reason: PROMPT_FIELD_NOT_MODIFIED + updated: + - content: Updated security settings prompt + id: prompt1 + name: Security Prompt + promptType: system + summary: + failed: 0 + skipped: 1 + succeeded: 4 + total: 5 + message: Bulk action completed successfully. + prompts_count: 5 + status_code: 200 + success: true schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List data stream exists response - '500': + $ref: '#/components/schemas/Security_AI_Assistant_API_PromptsBulkCrudActionResponse' + description: Indicates a successful call with the results of the bulk action. + '400': content: application/json: examples: - serverError: + PerformPromptsBulkActionResponse400Example: value: - message: Internal Server Error - status_code: 500 + error: Bad Request + message: Invalid prompt ID or missing required fields. + statusCode: 400 schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Create list data streams + type: object + properties: + error: + description: A short error message. + example: Bad Request + type: string + message: + description: A detailed error message. + example: Invalid prompt ID or missing required fields. + type: string + statusCode: + description: The HTTP status code for the error. + example: 400 + type: number + description: Bad Request response. + summary: Apply a bulk action to prompts tags: - - Security Lists API - /api/lists/items: - delete: - description: >- - Delete a value list item using its `id`, or its `list_id` and `value` - fields. 
- operationId: DeleteListItem + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request POST 'http://localhost:5601/api/security_ai_assistant/prompts/_bulk_action' \ + --header "Authorization: $API_KEY" \ + --header "Content-Type: application/json" \ + --data '{"delete":{"query":"name: test","ids":[]}}' + x-metaTags: + - content: Kibana + name: product_name + /api/security_ai_assistant/prompts/_find: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/security_ai_assistant/prompts/_find
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all prompts based on optional filters, sorting, and pagination. + operationId: FindPrompts parameters: - - description: >- - Value list item's identifier. Required if `list_id` and `value` are - not specified. + - description: List of specific fields to include in each returned prompt. in: query - name: id + name: fields required: false schema: - $ref: '#/components/schemas/Security_Lists_API_ListItemId' - - description: Value list's identifier. Required if `id` is not specified. + example: + - id + - name + - content + items: + type: string + type: array + - description: Search query string to filter prompts by matching fields. in: query - name: list_id + name: filter required: false schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' - - description: >- - The value used to evaluate exceptions. Required if `id` is not - specified. + example: error handling + type: string + - description: Field to sort prompts by. in: query - name: value + name: sort_field required: false schema: - example: 255.255.255.255 - type: string - - description: >- - Determines when changes made by the request are made visible to - search. + $ref: '#/components/schemas/Security_AI_Assistant_API_FindPromptsSortField' + - description: Sort order, either asc or desc. in: query - name: refresh + name: sort_order required: false schema: - default: 'false' - enum: - - 'true' - - 'false' - - wait_for - example: false - type: string + $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' + - description: Page number for pagination. + in: query + name: page + required: false + schema: + default: 1 + example: 1 + minimum: 1 + type: integer + - description: Number of prompts per page. 
+ in: query + name: per_page + required: false + schema: + default: 20 + example: 20 + minimum: 0 + type: integer responses: '200': content: application/json: examples: - ip: + FindPromptsResponse200Example: value: - _version: WzIwLDFd - '@timestamp': 2025-01-08T05:15:05.159Z - created_at: 2025-01-08T05:15:05.159Z - created_by: elastic - id: pd1WRJQBs4HAK3VQeHFI - list_id: ip_list - tie_breaker_id: eee41dc7-1666-4876-982f-8b0f7b59eca3 - type: ip - updated_at: 2025-01-08T05:44:14.009Z - updated_by: elastic - value: 255.255.255.255 + data: + - categories: + - troubleshooting + - logging + color: '#FF5733' + consumer: security + content: If you encounter an error, check the logs and retry. + createdAt: '2025-04-20T21:00:00Z' + createdBy: jdoe + id: prompt-123 + isDefault: true + isNewConversationDefault: false + name: Error Troubleshooting Prompt + namespace: default + promptType: standard + timestamp: '2025-04-30T22:30:00Z' + updatedAt: '2025-04-30T22:45:00Z' + updatedBy: jdoe + users: + - full_name: John Doe + username: jdoe + page: 1 + perPage: 20 + total: 142 schema: - oneOf: - - $ref: '#/components/schemas/Security_Lists_API_ListItem' - - items: - $ref: '#/components/schemas/Security_Lists_API_ListItem' + example: + data: + - categories: + - troubleshooting + - logging + color: '#FF5733' + consumer: security + content: If you encounter an error, check the logs and retry. + createdAt: '2025-04-20T21:00:00Z' + createdBy: jdoe + id: prompt-123 + isDefault: true + isNewConversationDefault: false + name: Error Troubleshooting Prompt + namespace: default + promptType: standard + timestamp: '2025-04-30T22:30:00Z' + updatedAt: '2025-04-30T22:45:00Z' + updatedBy: jdoe + users: + - full_name: John Doe + username: jdoe + page: 1 + perPage: 20 + total: 142 + type: object + properties: + data: + description: The list of prompts returned based on the search query, sorting, and pagination. 
+ items: + $ref: '#/components/schemas/Security_AI_Assistant_API_PromptResponse' type: array - description: Successful response + page: + description: Current page number. + example: 1 + type: integer + perPage: + description: Number of prompts per page. + example: 20 + type: integer + total: + description: Total number of prompts matching the query. + example: 142 + type: integer + required: + - page + - perPage + - total + - data + description: Successful response containing a list of prompts. '400': content: application/json: examples: - badRequest: + FindPromptsResponse400Example: value: - message: >- - Either \"list_id\" or \"id\" needs to be defined in the - request - status_code: 400 + error: Bad Request + message: Invalid sort order value provided. + statusCode: 400 schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': + type: object + properties: + error: + description: Short error message. + example: Bad Request + type: string + message: + description: Detailed description of the error. + example: Invalid sort order value provided. + type: string + statusCode: + description: HTTP status code for the error. + example: 400 + type: number + description: Bad request due to invalid parameters or malformed query. + summary: Get prompts + tags: + - Security AI Assistant API + x-codeSamples: + - label: Example request + lang: curl + source: | + curl \ + --request GET 'http://localhost:5601/api/security_ai_assistant/prompts/_find?page=1&per_page=20' \ + --header "Authorization: $API_KEY" + x-metaTags: + - content: Kibana + name: product_name + /api/security/entity_store: + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/security/entity_store
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update the Entity Store log extraction configuration.

[Required authorization] Route required privileges: securitySolution. + operationId: put-security-entity-store + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + updateLogExtractionExample: + description: Update the log extraction configuration with a new lookback period and frequency. + summary: Update log extraction settings + value: + logExtraction: + fieldHistoryLength: 15 + frequency: 10m + lookbackPeriod: 6h + schema: + additionalProperties: false + type: object + properties: + logExtraction: + additionalProperties: false + type: object + properties: + additionalIndexPatterns: + items: + type: string + type: array + delay: + pattern: '[smdh]$' + type: string + docsLimit: + maximum: 9007199254740991 + minimum: 1 + type: integer + excludedIndexPatterns: + items: + type: string + type: array + fieldHistoryLength: + maximum: 9007199254740991 + minimum: -9007199254740991 + type: integer + frequency: + pattern: '[smdh]$' + type: string + lookbackPeriod: + pattern: '[smdh]$' + type: string + maxLogsPerPage: + maximum: 9007199254740991 + minimum: 1 + type: integer + maxLogsPerWindow: + maximum: 9007199254740991 + minimum: 0 + type: integer + maxLogsPerWindowCapBehavior: + enum: + - defer + - drop + type: string + maxTimeWindowSize: + pattern: '[smdh]$' + type: string + required: + - logExtraction + responses: + '200': content: application/json: examples: - unauthorized: + updateSuccessExample: + description: The Entity Store configuration was successfully updated. 
+ summary: Entity Store updated value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': + ok: true + description: Indicates a successful response. + '400': content: application/json: examples: - forbidden: + invalidDurationExample: + description: A log extraction parameter has an invalid duration format. + summary: Invalid duration parameter value: - error: Forbidden - message: >- - API [DELETE /api/lists/items?id=pd1WRJQBs4HAK3VQeHFI] is - unauthorized for user, this action is granted by the - Kibana privileges [lists-all] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response + error: Bad Request + message: '[request body]: logExtraction.frequency: must be a valid duration of at least 30 seconds (e.g. 1m, 30s)' + statusCode: 400 + description: Bad request. '404': content: application/json: examples: - notFound: - value: - message: 'list item with id: \"pd1WRJQBs4HAK3VQeHFI\" not found' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List item not found response - '500': - content: - application/json: - examples: - serverError: + notFoundExample: + description: The Entity Store has not been installed yet. 
+ summary: Entity Store not installed value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Delete a value list item + error: Not Found + message: Entity store is not installed + statusCode: 404 + description: Entity Store not found. + summary: Update the Entity Store tags: - - Security Lists API + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X PUT -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ + -H "Content-Type: application/json" \ + -d '{"logExtraction":{"lookbackPeriod":"6h","frequency":"10m","fieldHistoryLength":15}}' \ + "${KIBANA_URL}/api/security/entity_store" + - lang: Console + source: | + PUT kbn://api/security/entity_store + { + "logExtraction": { + "lookbackPeriod": "6h", + "frequency": "10m", + "fieldHistoryLength": 15 + } + } + x-metaTags: + - content: Kibana + name: product_name + /api/security/entity_store/entities: get: - description: Get the details of a value list item. - operationId: ReadListItem + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/security/entity_store/entities
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + List entity records from the Entity Store with paging, sorting, and filtering. Supports two modes: page-based pagination (page/per_page) and cursor-based pagination (searchAfter). The two modes cannot be combined.

[Required authorization] Route required privileges: securitySolution. + operationId: get-security-entity-store-entities parameters: - - description: >- - Value list item identifier. Required if `list_id` and `value` are - not specified. + - description: A Kibana Query Language (KQL) filter for the search-after mode. in: query - name: id + name: filter required: false schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' - - description: >- - Value list item list's `id` identfier. Required if `id` is not - specified. + type: string + - description: Number of entities to return in search-after mode. in: query - name: list_id + name: size required: false schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' - - description: >- - The value used to evaluate exceptions. Required if `id` is not - specified. + maximum: 9007199254740991 + minimum: 1 + type: integer + - description: JSON-encoded search_after value for cursor-based pagination. in: query - name: value + name: searchAfter + required: false + schema: + type: string + - description: Fields to include in the response source. + in: query + name: source + required: false + schema: + items: + type: string + type: array + - description: Fields to include in the response. + in: query + name: fields + required: false + schema: + items: + type: string + type: array + - description: Field to sort results by in page mode. + in: query + name: sort_field + required: false + schema: + type: string + - description: Sort order in page mode. + in: query + name: sort_order + required: false + schema: + enum: + - asc + - desc + type: string + - description: Page number to return (1-indexed) in page mode. + in: query + name: page + required: false + schema: + maximum: 9007199254740991 + minimum: 1 + type: integer + - description: Number of entities per page in page mode. 
+ in: query + name: per_page + required: false + schema: + maximum: 10000 + minimum: 1 + type: integer + - description: An Elasticsearch query string to filter entities in page mode. + in: query + name: filterQuery required: false schema: - example: 127.0.0.2 type: string + - description: Entity types to include in the results. + in: query + name: entity_types + required: false + schema: + items: + enum: + - user + - host + - service + - generic + type: string + type: array responses: '200': content: application/json: examples: - ip: - value: - _version: WzExLDFd - '@timestamp': 2025-01-08T05:16:25.882Z - created_at: 2025-01-08T05:16:25.882Z - created_by: elastic - id: qN1XRJQBs4HAK3VQs3Gc - list_id: ip_list - tie_breaker_id: a9a34c02-a385-436e-86a0-02a3942f3537 - type: ip - updated_at: 2025-01-08T05:16:25.882Z - updated_by: elastic - value: 127.0.0.2 - schema: - oneOf: - - $ref: '#/components/schemas/Security_Lists_API_ListItem' - - items: - $ref: '#/components/schemas/Security_Lists_API_ListItem' - type: array - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - message: >- - Either \"list_id\" or \"id\" needs to be defined in the - request - status_code: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - 
examples: - forbidden: + emptyResultExample: + description: No entities matched the query. + summary: Empty result value: - error: Forbidden - message: >- - API [GET /api/lists/items?id=qN1XRJQBs4HAK3VQs3Gc] is - unauthorized for user, this action is granted by the - Kibana privileges [lists-read] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': + page: 1 + per_page: 10 + records: [] + total: 0 + pageModeExample: + description: A paginated list of host entities sorted by timestamp in descending order, including query inspection data. + summary: Page mode response with host entities + value: + inspect: + dsl: + - '{"index":["entities-latest-default"],"body":{"terms":{"entity.EngineMetadata.Type":["host"]}}}' + response: + - '{"took":1,"timed_out":false,"hits":{"total":{"value":1,"relation":"eq"}}}' + page: 1 + per_page: 10 + records: + - '@timestamp': '2026-04-10T08:30:00.000Z' + asset: + criticality: high_impact + environment: production + entity: + attributes: + asset: true + managed: true + id: host:web-server-prod-01 + lifecycle: + first_seen: '2026-01-15T10:00:00.000Z' + last_activity: '2026-04-10T08:30:00.000Z' + name: web-server-prod-01 + risk: + calculated_level: Moderate + calculated_score: 47.5 + calculated_score_norm: 47.5 + source: + - logs + type: host + host: + hostname: + - web-server-prod-01.example.com + ip: + - 10.0.1.42 + name: web-server-prod-01 + os: + name: Ubuntu + type: linux + total: 1 + searchAfterModeExample: + description: A cursor-based response with entities and a search_after token for the next page. + summary: Search-after mode response + value: + entities: + - '@timestamp': '2026-04-10T08:30:00.000Z' + entity: + id: user:jane.doe@example.com + name: jane.doe + type: user + user: + email: + - jane.doe@example.com + name: jane.doe + nextSearchAfter: + - 1712736600000 + - 1 + description: Indicates a successful response. 
+ '400': content: application/json: examples: - notFound: + invalidFilterExample: + description: The provided Kibana Query Language filter could not be parsed. + summary: Invalid filter value: - message: 'list item id: \"foo\" not found' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List item not found response - '500': - content: - application/json: - examples: - serverError: + error: Bad Request + message: |- + Invalid filter: Expected "(", "{", value, whitespace but ":" found. + invalid :: query + ---------^ + statusCode: 400 + mixedModesExample: + description: Cannot combine page-based pagination with cursor-based pagination in the same request. + summary: Mixed pagination modes value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Get a value list item + error: Bad Request + message: '[request query]: Cannot combine page/per_page with searchAfter' + statusCode: 400 + description: Bad request. + summary: List entities tags: - - Security Lists API - patch: - description: >- - Update specific fields of an existing value list item using the item - `id`. - operationId: PatchListItem + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X GET -H "Authorization: ApiKey ${API_KEY}" \ + "${KIBANA_URL}/api/security/entity_store/entities?entity_types=host&page=1&per_page=10&sort_field=%40timestamp&sort_order=desc" + - lang: Console + source: | + GET kbn://api/security/entity_store/entities?entity_types=host&page=1&per_page=10&sort_field=@timestamp&sort_order=desc + x-metaTags: + - content: Kibana + name: product_name + /api/security/entity_store/entities/: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/security/entity_store/entities/
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a single entity record from the Entity Store. The entity is immediately removed from the latest index.

[Required authorization] Route required privileges: securitySolution. + operationId: delete-security-entity-store-entities + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: examples: - changeValue: + deleteEntityExample: + description: Delete a single entity from the Entity Store using its entity identifier. + summary: Delete an entity by identifier value: - id: pd1WRJQBs4HAK3VQeHFI - value: 255.255.255.255 + entityId: host:web-server-prod-01 schema: + additionalProperties: false type: object properties: - _version: - $ref: '#/components/schemas/Security_Lists_API_ListVersionId' - id: - $ref: '#/components/schemas/Security_Lists_API_ListItemId' - meta: - $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' - refresh: - description: >- - Determines when changes made by the request are made visible - to search. - enum: - - 'true' - - 'false' - - wait_for + entityId: + description: The identifier of the entity to delete. 
type: string - value: - $ref: '#/components/schemas/Security_Lists_API_ListItemValue' required: - - id - description: Value list item's properties - required: true + - entityId responses: '200': content: application/json: examples: - ipItem: - value: - _version: WzE5LDFd - '@timestamp': 2025-01-08T05:15:05.159Z - created_at: 2025-01-08T05:15:05.159Z - created_by: elastic - id: pd1WRJQBs4HAK3VQeHFI - list_id: ip_list - tie_breaker_id: eee41dc7-1666-4876-982f-8b0f7b59eca3 - type: ip - updated_at: 2025-01-08T05:23:37.602Z - updated_by: elastic - value: 255.255.255.255 - schema: - $ref: '#/components/schemas/Security_Lists_API_ListItem' - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - message: >- - {"took":15,"timed_out":false,"total":1,"updated":0,"deleted":0,"batches":1,"version_conflicts":0,"noops":0,"retries":{"bulk":0,"search":0},"throttled_millis":0,"requests_per_second":-1,"throttled_until_millis":0,"failures":[{"index":".ds-.items-default-2025.01.09-000001","id":"ip_item","cause":{"type":"document_parsing_exception","reason":"[1:107] - failed to parse field [ip] of type [ip] in document with - id ip_item. 
Preview of fields value: - 2","caused_by":{"type":"illegal_argument_exception","reason":"2 - is not an IP string literal."}},"status":400}]} - status_code: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: + deleteSuccessExample: + description: The entity was found and successfully removed from the latest index. + summary: Entity deleted value: - error: Forbidden - message: >- - API [PATCH /api/lists/items] is unauthorized for user, - this action is granted by the Kibana privileges - [lists-all] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response + deleted: true + description: Indicates the entity was successfully deleted. '404': content: application/json: examples: - notFound: - value: - message: 'list item id: \"foo\" not found' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List item not found response - '500': - content: - application/json: - examples: - serverError: + notFoundExample: + description: No entity with the specified identifier exists in the Entity Store. 
+ summary: Entity not found value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Patch a value list item + error: Not Found + message: Entity ID 'host:web-server-prod-01' not found + statusCode: 404 + description: Entity not found. + summary: Delete an entity tags: - - Security Lists API + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X DELETE -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ + -H "Content-Type: application/json" \ + -d '{"entityId":"host:web-server-prod-01"}' \ + "${KIBANA_URL}/api/security/entity_store/entities/" + - lang: Console + source: | + DELETE kbn://api/security/entity_store/entities/ + { + "entityId": "host:web-server-prod-01" + } + x-metaTags: + - content: Kibana + name: product_name + /api/security/entity_store/entities/{entityType}: post: - description: > - Create a value list item and associate it with the specified value list. + description: |- + **Spaces method and path for this operation:** +
post /s/{space_id}/api/security/entity_store/entities/{entityType}
- All value list items in the same list must be the same type. For - example, each list item in an `ip` list must define a specific IP - address. - - > info + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - > Before creating a list item, you must create a list. - operationId: CreateListItem + Create a new entity record in the Entity Store for the specified entity type.

[Required authorization] Route required privileges: securitySolution. + operationId: post-security-entity-store-entities-entitytype + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The entity type to create. + in: path + name: entityType + required: true + schema: + enum: + - user + - host + - service + - generic + type: string requestBody: content: application/json: examples: - ip: - value: - list_id: ip_list - value: 127.0.0.1 - ip_range: - value: - list_id: ip_range_list - value: 192.168.0.0/16 - keyword: + createHostEntityExample: + description: Create a new host entity record with basic host and entity fields. The entity identifier must match the auto-generated format for the entity type. + summary: Create a host entity value: - list_id: keyword_list - value: zeek + asset: + business_unit: Engineering + criticality: high_impact + environment: production + entity: + attributes: + asset: true + managed: true + id: host:web-server-prod-01 + name: web-server-prod-01 + source: + - manual + type: host + host: + hostname: + - web-server-prod-01.example.com + ip: + - 10.0.1.42 + name: web-server-prod-01 schema: - type: object - properties: - id: - $ref: '#/components/schemas/Security_Lists_API_ListItemId' - list_id: - $ref: '#/components/schemas/Security_Lists_API_ListId' - meta: - $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' - refresh: - description: >- - Determines when changes made by the request are made visible - to search. 
- enum: - - 'true' - - 'false' - - wait_for - example: wait_for - type: string - value: - $ref: '#/components/schemas/Security_Lists_API_ListItemValue' - required: - - list_id - - value - description: Value list item's properties - required: true + anyOf: + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: 
^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + 
user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + 
properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical 
+ type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + labels: + additionalProperties: {} + type: object + properties: {} + tags: + items: + type: string + type: array + user: + additionalProperties: false + type: object + properties: + domain: + items: + type: string + type: array + email: + items: + type: string + type: array + full_name: + items: + type: string + type: array + hash: + items: + type: string + type: array + id: + items: + type: string + type: array + name: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + roles: + items: + type: string + type: array + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - 
extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: 
^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: 
array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: 
string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + 
type: string + host: + additionalProperties: false + type: object + properties: + architecture: + items: + type: string + type: array + domain: + items: + type: string + type: array + hostname: + items: + type: string + type: array + id: + items: + type: string + type: array + ip: + items: + type: string + type: array + mac: + items: + type: string + type: array + name: + type: string + os: + additionalProperties: false + type: object + properties: + family: + type: string + full: + type: string + kernel: + type: string + name: + anyOf: + - type: string + - items: + type: string + type: array + platform: + type: string + type: + anyOf: + - type: string + - items: + type: string + type: array + version: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + type: + items: + type: string + type: array + labels: + additionalProperties: {} + type: object + properties: {} + tags: + items: + type: string + type: array + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + entity: + additionalProperties: false + 
type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + 
raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + 
type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate 
+ - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + labels: + additionalProperties: {} + type: object + properties: {} + service: + additionalProperties: false + type: object + properties: + address: + type: string + environment: + type: string + ephemeral_id: + type: string + id: + type: string + name: + type: string + node: + additionalProperties: false + type: object + properties: + name: + type: string + role: + type: string + roles: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: 
+ calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + state: + type: string + type: + type: string + version: + type: string + tags: + items: + type: string + type: array + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + cloud: + additionalProperties: false + type: object + properties: + account: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + availability_zone: + type: string + instance: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + machine: + additionalProperties: false + type: object + properties: + type: + type: string + project: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + provider: + type: string + region: + type: string + service: + additionalProperties: false + type: object + properties: + name: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: 
+ type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string 
+ type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + 
type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + 
additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + labels: + additionalProperties: {} + type: object + properties: {} + orchestrator: + additionalProperties: false + type: object + properties: + api_version: + type: string + cluster: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + url: + type: string + version: + type: string + namespace: + type: string + organization: + type: string + resource: + additionalProperties: false + type: object + properties: + annotation: + type: string + id: + type: string + ip: + type: string + label: + type: string + name: + type: string + parent: + additionalProperties: false + type: object + properties: 
+ type: + type: string + type: + type: string + type: + type: string + tags: + items: + type: string + type: array responses: '200': content: application/json: examples: - ip: - value: - _version: WzAsMV0= - '@timestamp': 2025-01-08T04:59:06.154Z - created_at: 2025-01-08T04:59:06.154Z - created_by: elastic - id: 21b01cfb-058d-44b9-838c-282be16c91cc - list_id: ip_list - tie_breaker_id: b57c762c-3036-465c-9bfb-7bfb5e6e515a - type: ip - updated_at: 2025-01-08T04:59:06.154Z - updated_by: elastic - value: 127.0.0.1 - ip_range: - value: - _version: WzEsMV0= - '@timestamp': 2025-01-09T18:33:08.202Z - created_at: 2025-01-09T18:33:08.202Z - created_by: elastic - id: ip_range_item - list_id: ip_range_list - tie_breaker_id: ea1b4189-efda-4637-b8f9-74655a5ebb61 - type: ip_range - updated_at: 2025-01-09T18:33:08.202Z - updated_by: elastic - value: 192.168.0.0/16 - keyword: + createSuccessExample: + description: The entity record was successfully created in the Entity Store. + summary: Entity created value: - _version: WzIsMV0= - '@timestamp': 2025-01-09T18:34:29.422Z - created_at: 2025-01-09T18:34:29.422Z - created_by: elastic - id: 7f24737d-1da8-4626-a568-33070591bb4e - list_id: keyword_list - tie_breaker_id: 2108ced2-5e5d-401e-a88e-4dd69fc5fa27 - type: keyword - updated_at: 2025-01-09T18:34:29.422Z - updated_by: elastic - value: zeek - schema: - $ref: '#/components/schemas/Security_Lists_API_ListItem' - description: Successful response + ok: true + description: Indicates the entity was successfully created. '400': content: application/json: examples: - badRequest: + euidMismatchExample: + description: The supplied entity identifier does not match the auto-generated identifier derived from the entity fields. 
+ summary: Entity identifier mismatch value: error: Bad Request - message: >- - uri [/api/lists/items] with method [post] exists but is - not available with the current configuration + message: 'Bad request: Supplied ID my-custom-id does not match generated EUID host:web-server-prod-01' statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [POST /api/lists/items] is unauthorized for user, this - action is granted by the Kibana privileges [lists-all] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - examples: - listNotFound: - value: - message: 'list id: \"ip_list\" does not exist' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response + description: Bad request. 
'409': content: application/json: examples: - alreadyExists: - value: - message: 'list item id: \"ip_item\" already exists' - status_code: 409 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List item already exists response - '500': - content: - application/json: - examples: - serverError: + conflictExample: + description: An entity with the specified identifier already exists. + summary: Entity already exists value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Create a value list item + error: Conflict + message: Entity ID 'host:web-server-prod-01' already exists + statusCode: 409 + description: Conflict. + summary: Create an entity tags: - - Security Lists API + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X POST -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ + -H "Content-Type: application/json" \ + -d '{"entity":{"id":"host:web-server-prod-01","name":"web-server-prod-01","type":"host","source":["manual"],"attributes":{"asset":true}},"host":{"name":"web-server-prod-01","ip":["10.0.1.42"]}}' \ + "${KIBANA_URL}/api/security/entity_store/entities/host" + - lang: Console + source: | + POST kbn://api/security/entity_store/entities/host + { + "entity": { + "id": "host:web-server-prod-01", + "name": "web-server-prod-01", + "type": "host", + "source": ["manual"], + "attributes": { "asset": true } + }, + "host": { + "name": "web-server-prod-01", + "ip": ["10.0.1.42"] + } + } + x-metaTags: + - content: Kibana + name: product_name put: - description: > - Update a value list item using the list item ID. The original list item - is replaced, and all unspecified fields are deleted. + description: |- + **Spaces method and path for this operation:** - > info +
put /s/{space_id}/api/security/entity_store/entities/{entityType}
- > You cannot modify the `id` value. - operationId: UpdateListItem + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an existing entity record in the Entity Store. By default only certain fields can be updated. Set the `force` query parameter to `true` to update protected fields.

[Required authorization] Route required privileges: securitySolution. + operationId: put-security-entity-store-entities-entitytype + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The entity type to update. + in: path + name: entityType + required: true + schema: + enum: + - user + - host + - service + - generic + type: string + - description: When true, allows updating protected fields. + in: query + name: force + required: false + schema: + anyOf: + - enum: + - 'true' + - 'false' + type: string + - type: boolean + default: false requestBody: content: application/json: examples: - fullReplace: + updateEntityAttributesExample: + description: Update the attributes of an existing user entity. Fields like entity.name and entity.type are protected and require the force query parameter. + summary: Update entity attributes value: - id: ip_item - value: 255.255.255.255 + entity: + attributes: + managed: true + mfa_enabled: true + id: user:jane.doe@example.com + lifecycle: + last_activity: '2026-04-10T14:30:00.000Z' + name: jane.doe + type: user + user: + email: + - jane.doe@example.com + name: jane.doe + roles: + - admin + - analyst schema: - example: - id: ip_item - value: 255.255.255.255 - type: object - properties: - _version: - $ref: '#/components/schemas/Security_Lists_API_ListVersionId' - id: - $ref: '#/components/schemas/Security_Lists_API_ListItemId' - meta: - $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' - value: - $ref: '#/components/schemas/Security_Lists_API_ListItemValue' - required: - - id - - value - description: Value list item's properties - required: true - responses: - '200': - content: - application/json: - examples: - ip: - value: - _version: WzIwLDFd - '@timestamp': 2025-01-08T05:15:05.159Z - created_at: 2025-01-08T05:15:05.159Z - created_by: elastic - id: pd1WRJQBs4HAK3VQeHFI - list_id: ip_list 
- tie_breaker_id: eee41dc7-1666-4876-982f-8b0f7b59eca3 - type: ip - updated_at: 2025-01-08T05:44:14.009Z - updated_by: elastic - value: 255.255.255.255 - schema: - $ref: '#/components/schemas/Security_Lists_API_ListItem' - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad Request - message: '[request body]: id: Expected string, received number' - statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [PATCH /api/lists/items] is unauthorized for user, - this action is granted by the Kibana privileges - [lists-all] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json: - examples: - notFound: - value: - message: 'list item id: \"foo\" not found' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List item not found response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - 
description: Internal server error response - summary: Update a value list item - tags: - - Security Lists API - /api/lists/items/_export: - post: - description: Export list item values from the specified value list. - operationId: ExportListItems - parameters: - - description: Value list's `id` to export. - in: query - name: list_id - required: true - schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' + anyOf: + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + 
lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: 
array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + 
ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + 
type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + labels: + additionalProperties: {} + type: object + properties: {} + tags: + items: + type: string + type: array + user: + additionalProperties: false + type: object + properties: + domain: + items: + type: string + type: array + email: + items: + type: string + type: array + full_name: + items: + type: string + type: array + hash: + items: + type: string + type: array + id: + items: + type: string + type: array + name: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + roles: + items: + type: string + type: array + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + 
type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: 
^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: 
array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: 
string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + 
type: string + host: + additionalProperties: false + type: object + properties: + architecture: + items: + type: string + type: array + domain: + items: + type: string + type: array + hostname: + items: + type: string + type: array + id: + items: + type: string + type: array + ip: + items: + type: string + type: array + mac: + items: + type: string + type: array + name: + type: string + os: + additionalProperties: false + type: object + properties: + family: + type: string + full: + type: string + kernel: + type: string + name: + anyOf: + - type: string + - items: + type: string + type: array + platform: + type: string + type: + anyOf: + - type: string + - items: + type: string + type: array + version: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + type: + items: + type: string + type: array + labels: + additionalProperties: {} + type: object + properties: {} + tags: + items: + type: string + type: array + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + entity: + additionalProperties: false + 
type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + 
raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + 
type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate 
+ - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + labels: + additionalProperties: {} + type: object + properties: {} + service: + additionalProperties: false + type: object + properties: + address: + type: string + environment: + type: string + ephemeral_id: + type: string + id: + type: string + name: + type: string + node: + additionalProperties: false + type: object + properties: + name: + type: string + role: + type: string + roles: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: 
+ calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + state: + type: string + type: + type: string + version: + type: string + tags: + items: + type: string + type: array + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + cloud: + additionalProperties: false + type: object + properties: + account: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + availability_zone: + type: string + instance: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + machine: + additionalProperties: false + type: object + properties: + type: + type: string + project: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + provider: + type: string + region: + type: string + service: + additionalProperties: false + type: object + properties: + name: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: 
+ type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string 
+ type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + 
type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + 
additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + labels: + additionalProperties: {} + type: object + properties: {} + orchestrator: + additionalProperties: false + type: object + properties: + api_version: + type: string + cluster: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + url: + type: string + version: + type: string + namespace: + type: string + organization: + type: string + resource: + additionalProperties: false + type: object + properties: + annotation: + type: string + id: + type: string + ip: + type: string + label: + type: string + name: + type: string + parent: + additionalProperties: false + type: object + properties: 
+ type: + type: string + type: + type: string + type: + type: string + tags: + items: + type: string + type: array responses: '200': - content: - application/ndjson: - examples: - ipLines: - value: | - 127.0.0.1 - 127.0.0.2 - 127.0.0.3 - schema: - description: A `.txt` file containing list items from the specified list - example: | - 127.0.0.1 - 127.0.0.2 - 127.0.0.3 - 127.0.0.4 - 127.0.0.5 - 127.0.0.6 - 127.0.0.7 - 127.0.0.8 - 127.0.0.9 - format: binary - type: string - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: 'Bad Request","message":"[request query]: list_id: Required' - statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': content: application/json: examples: - unauthorized: + updateSuccessExample: + description: The entity record was successfully updated. + summary: Entity updated value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': + ok: true + description: Indicates the entity was successfully updated. + '400': content: application/json: examples: - forbidden: + protectedFieldsExample: + description: The request attempts to update protected fields without the force query parameter. 
+ summary: Protected fields without force value: - error: Forbidden - message: >- - API [POST /api/lists/items/_export?list_id=ips.txt] is - unauthorized for user, this action is granted by the - Kibana privileges [lists-read] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response + error: Bad Request + message: 'Bad request: The following attributes are not allowed to be updated without forcing it (?force=true): entity.name, entity.type' + statusCode: 400 + description: Bad request. '404': content: application/json: examples: - notFound: - value: - message: 'list id: "unknown_list" not found' - status_code: 404 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List not found response - '500': - content: - application/json: - examples: - serverError: + notFoundExample: + description: No entity with the specified identifier exists. + summary: Entity not found value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Export value list items + error: Not Found + message: Entity ID 'user:jane.doe@example.com' not found + statusCode: 404 + description: Entity not found. + summary: Update an entity tags: - - Security Lists API - /api/lists/items/_find: - get: - description: Get all value list items in the specified list. 
- operationId: FindListItems + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X PUT -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ + -H "Content-Type: application/json" \ + -d '{"entity":{"id":"user:jane.doe@example.com","name":"jane.doe","type":"user","attributes":{"managed":true,"mfa_enabled":true}},"user":{"name":"jane.doe"}}' \ + "${KIBANA_URL}/api/security/entity_store/entities/user?force=true" + - lang: Console + source: | + PUT kbn://api/security/entity_store/entities/user?force=true + { + "entity": { + "id": "user:jane.doe@example.com", + "name": "jane.doe", + "type": "user", + "attributes": { "managed": true, "mfa_enabled": true } + }, + "user": { "name": "jane.doe" } + } + x-metaTags: + - content: Kibana + name: product_name + /api/security/entity_store/entities/bulk: + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/security/entity_store/entities/bulk
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update multiple entity records in the Entity Store in a single request.

[Required authorization] Route required privileges: securitySolution. + operationId: put-security-entity-store-entities-bulk parameters: - - description: Parent value list's `id` to page through items for. - in: query - name: list_id + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' - - description: The page number to return. - in: query - name: page - required: false - schema: - example: 1 - type: integer - - description: The number of list items to return per page. - in: query - name: per_page - required: false - schema: - example: 20 - type: integer - - description: Determines which field is used to sort the results. - in: query - name: sort_field - required: false - schema: - example: value - format: nonempty - minLength: 1 - type: string - - description: Determines the sort order, which can be `desc` or `asc` - in: query - name: sort_order - required: false - schema: - enum: - - desc - - asc - example: asc + example: 'true' type: string - - description: > - Opaque cursor returned in a previous response; pass it to continue - listing from the next page. Omit on the first request. - in: query - name: cursor - required: false - schema: - $ref: '#/components/schemas/Security_Lists_API_FindListItemsCursor' - - description: > - Filters the returned results according to the value of the specified - field, - - using the : syntax. + - description: When true, allows updating protected fields. in: query - name: filter + name: force required: false schema: - $ref: '#/components/schemas/Security_Lists_API_FindListItemsFilter' + anyOf: + - enum: + - 'true' + - 'false' + type: string + - type: boolean + default: false + requestBody: + content: + application/json: + examples: + bulkUpdateExample: + description: Update a host entity and a user entity in a single request. 
+ summary: Bulk update multiple entities + value: + entities: + - doc: + entity: + attributes: + asset: true + id: host:web-server-prod-01 + name: web-server-prod-01 + type: host + host: + name: web-server-prod-01 + type: host + - doc: + entity: + attributes: + managed: true + id: user:jane.doe@example.com + name: jane.doe + type: user + user: + name: jane.doe + type: user + schema: + additionalProperties: false + type: object + properties: + entities: + description: The entities to update. + items: + type: object + properties: + doc: + anyOf: + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + 
EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + 
type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array 
+ user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + 
type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + labels: + additionalProperties: {} + type: object + properties: {} + tags: + items: + type: string + type: array + user: + additionalProperties: false + type: object + properties: + domain: + items: + type: string + type: array + email: + items: + type: string + type: array + full_name: + items: + type: string + type: array + hash: + items: + type: string + type: array + id: + items: + type: string + type: array + name: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + roles: + items: + type: string + type: array + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: 
^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: 
^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: 
object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: 
+ items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + 
properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + host: + additionalProperties: false + type: object + properties: + architecture: + items: + type: string + type: array + domain: + items: + type: string + type: array + hostname: + items: + type: string + type: array + id: + items: + type: string + type: array + ip: + items: + type: string + type: array + mac: + items: + type: string + type: array + name: + type: string + os: + additionalProperties: false + type: object + properties: + family: + type: string + full: + type: string + kernel: + type: string + name: + anyOf: + - type: string + - items: + type: string + type: array + platform: + type: string + type: + anyOf: + - type: string + - items: + type: string + type: array + version: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + type: + items: + type: string + type: array + labels: + additionalProperties: {} + type: object + properties: {} + tags: + items: + type: string + type: array + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - 
low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: 
^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: 
array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: 
string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + 
type: string + labels: + additionalProperties: {} + type: object + properties: {} + service: + additionalProperties: false + type: object + properties: + address: + type: string + environment: + type: string + ephemeral_id: + type: string + id: + type: string + name: + type: string + node: + additionalProperties: false + type: object + properties: + name: + type: string + role: + type: string + roles: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + state: + type: string + type: + type: string + version: + type: string + tags: + items: + type: string + type: array + - additionalProperties: false + type: object + properties: + '@timestamp': + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + asset: + additionalProperties: false + type: object + properties: + business_unit: + type: string + criticality: + anyOf: + - enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + - nullable: true + environment: + type: string + id: + type: string + model: + type: string + name: + type: string + owner: + type: string + serial_number: + type: string + vendor: + type: string + cloud: + additionalProperties: false + type: object + properties: + account: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + availability_zone: + type: string + instance: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + machine: + additionalProperties: 
false + type: object + properties: + type: + type: string + project: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + provider: + type: string + region: + type: string + service: + additionalProperties: false + type: object + properties: + name: + type: string + entity: + additionalProperties: false + type: object + properties: + attributes: + additionalProperties: false + type: object + properties: + asset: + type: boolean + known_redirects: + items: + type: string + type: array + managed: + type: boolean + mfa_enabled: + type: boolean + oauth_consent_restriction: + type: string + permissions: + items: + type: string + type: array + storage_class: + type: string + watchlists: + items: + type: string + type: array + behaviors: + additionalProperties: false + type: object + properties: + anomaly_job_ids: + items: + type: string + type: array + rule_names: + items: + type: string + type: array + EngineMetadata: + additionalProperties: false + type: object + properties: + Type: + type: string + id: + type: string + lifecycle: + additionalProperties: false + type: object + properties: + first_seen: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_activity: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + last_seen: + format: date-time + pattern: 
^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + type: string + name: + type: string + relationships: + additionalProperties: false + type: object + properties: + accesses_frequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + accesses_infrequently: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + administers: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: 
array + user.name: + items: + type: string + type: array + communicates_with: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + depends_on: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + owns_inferred: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: 
string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + resolution: + additionalProperties: false + type: object + properties: + resolved_to: + type: string + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + supervises: + additionalProperties: false + type: object + properties: + ids: + items: + type: string + type: array + raw_identifiers: + additionalProperties: false + type: object + properties: + entity.id: + items: + type: string + type: array + host.id: + items: + type: string + type: array + host.name: + items: + type: string + type: array + service.name: + items: + type: string + type: array + user.email: + items: + type: string + type: array + user.id: + items: + type: string + type: array + user.name: + items: + type: string + type: array + risk: + additionalProperties: false + type: object + properties: + calculated_level: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + calculated_score: + type: number + calculated_score_norm: + maximum: 100 + minimum: 0 + type: number + schema_version: + type: string + source: + items: + type: string + type: array + sub_type: + type: string + type: + type: string + url: + type: string + event: + additionalProperties: false + type: object + properties: + ingested: + format: date-time + pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$ + 
type: string + labels: + additionalProperties: {} + type: object + properties: {} + orchestrator: + additionalProperties: false + type: object + properties: + api_version: + type: string + cluster: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + url: + type: string + version: + type: string + namespace: + type: string + organization: + type: string + resource: + additionalProperties: false + type: object + properties: + annotation: + type: string + id: + type: string + ip: + type: string + label: + type: string + name: + type: string + parent: + additionalProperties: false + type: object + properties: + type: + type: string + type: + type: string + type: + type: string + tags: + items: + type: string + type: array + type: + description: The entity type of this record. + enum: + - user + - host + - service + - generic + type: string + required: + - type + type: array + required: + - entities responses: '200': content: application/json: examples: - ip: - value: - cursor: >- - WzIwLFsiYjU3Yzc2MmMtMzAzNi00NjVjLTliZmItN2JmYjVlNmU1MTVhIl1d - data: - - _version: WzAsMV0= - '@timestamp': 2025-01-08T04:59:06.154Z - created_at: 2025-01-08T04:59:06.154Z - created_by: elastic - id: 21b01cfb-058d-44b9-838c-282be16c91cc - list_id: ip_list - tie_breaker_id: b57c762c-3036-465c-9bfb-7bfb5e6e515a - type: ip - updated_at: 2025-01-08T04:59:06.154Z - updated_by: elastic - value: 127.0.0.1 - page: 1 - per_page: 20 - total: 1 - schema: - type: object - properties: - cursor: - $ref: >- - #/components/schemas/Security_Lists_API_FindListItemsCursor - data: - items: - $ref: '#/components/schemas/Security_Lists_API_ListItem' - type: array - page: - minimum: 0 - type: integer - per_page: - minimum: 0 - type: integer - total: - minimum: 0 - type: integer - required: - - data - - page - - per_page - - total - - cursor - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - error: Bad 
Request, - message: '[request query]: list_id: Required' - statusCode: 400, - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: + bulkUpdatePartialExample: + description: Some entities were updated but others encountered Elasticsearch-level errors. + summary: Partial success with errors value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: + errors: + - _id: 5de9f93a68a72532e736bf5a6184b06300b9cabf + reason: '[5de9f93a68a72532e736bf5a6184b06300b9cabf]: document missing' + status: 404 + type: document_missing_exception + ok: true + bulkUpdateSuccessExample: + description: All entities were successfully updated with no errors. + summary: All entities updated value: - error: Forbidden - message: >- - API [GET - /api/lists/items/_find?list_id=ip_list&page=1&per_page=20] - is unauthorized for user, this action is granted by the - Kibana privileges [lists-read] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '500': + errors: [] + ok: true + description: Indicates a successful response. + '400': content: application/json: examples: - serverError: + protectedFieldsExample: + description: The request attempts to update protected fields without the force query parameter. 
+ summary: Protected fields without force value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Get value list items + error: Bad Request + message: 'Bad request: The following attributes are not allowed to be updated without forcing it (?force=true): entity.name, entity.type' + statusCode: 400 + description: Bad request. + summary: Bulk update entities tags: - - Security Lists API - /api/lists/items/_import: + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X PUT -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ + -H "Content-Type: application/json" \ + -d '{"entities":[{"type":"host","doc":{"entity":{"id":"host:web-server-prod-01","name":"web-server-prod-01","type":"host","attributes":{"asset":true}},"host":{"name":"web-server-prod-01"}}}]}' \ + "${KIBANA_URL}/api/security/entity_store/entities/bulk?force=true" + - lang: Console + source: | + PUT kbn://api/security/entity_store/entities/bulk?force=true + { + "entities": [ + { + "type": "host", + "doc": { + "entity": { + "id": "host:web-server-prod-01", + "name": "web-server-prod-01", + "type": "host", + "attributes": { "asset": true } + }, + "host": { "name": "web-server-prod-01" } + } + } + ] + } + x-metaTags: + - content: Kibana + name: product_name + /api/security/entity_store/install: post: - description: > - Import value list items from a TXT or CSV file. The maximum file size is - 9 million bytes. - + description: |- + **Spaces method and path for this operation:** - You can import items to a new or existing list. - operationId: ImportListItems - parameters: - - description: | - List's id. +
post /s/{space_id}/api/security/entity_store/install
- Required when importing to an existing list. - in: query - name: list_id - required: false - schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' - - description: | - Type of the importing list. + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Required when importing a new list whose list `id` is not specified. - examples: - ip: - value: ip - in: query - name: type - required: false - schema: - $ref: '#/components/schemas/Security_Lists_API_ListType' - - description: >- - Determines when changes made by the request are made visible to - search. - in: query - name: refresh - required: false + Install the Entity Store and create engines for the specified entity types. A single `logExtraction` configuration is shared across all entity types. Supply it once at install to customize settings; omit it (or send an empty object) to use defaults on first install or preserve the existing configuration on re-install. To change settings after install, use the update endpoint.

[Required authorization] Route required privileges: securitySolution. + operationId: post-security-entity-store-install + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - enum: - - 'true' - - 'false' - - wait_for - example: true + example: 'true' type: string requestBody: content: - multipart/form-data: + application/json: examples: - ipLinesFile: + installDefaultExample: + description: Install the Entity Store for all entity types with default log extraction settings. + summary: Install with default entity types value: - file: list_values.txt + entityTypes: + - user + - host + - service + - generic + logExtraction: {} + installWithCustomSettingsExample: + description: Install the Entity Store for host entities only with a custom lookback period and field history length. + summary: Install with custom log extraction + value: + entityTypes: + - host + logExtraction: + delay: 2m + fieldHistoryLength: 20 + frequency: 5m + lookbackPeriod: 12h schema: + additionalProperties: false type: object properties: - file: - description: >- - A `.txt` or `.csv` file containing newline separated list - items. 
- example: | - 127.0.0.1 - 127.0.0.2 - 127.0.0.3 - 127.0.0.4 - 127.0.0.5 - 127.0.0.6 - 127.0.0.7 - 127.0.0.8 - 127.0.0.9 - format: binary - type: string - required: true - responses: - '200': - content: - application/json: - examples: - ip: - value: - _version: WzAsMV0= - '@timestamp': 2025-01-08T04:47:34.273Z - created_at: 2025-01-08T04:47:34.273Z - created_by: elastic - description: This list describes bad internet ip - id: ip_list - immutable: false - name: Simple list with an ip - tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 - type: ip - updated_at: 2025-01-08T04:47:34.273Z - updated_by: elastic - version: 1 - schema: - $ref: '#/components/schemas/Security_Lists_API_List' - description: Successful response - '400': - content: - application/json: - examples: - badRequest: - value: - message: Either type or list_id need to be defined in the query - status_code: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json: - examples: - unauthorized: - value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json: - examples: - forbidden: - value: - error: Forbidden - message: >- - API [POST /api/lists/items/_import?list_id=ip_list] is - unauthorized for user, this action is granted by the - Kibana privileges [lists-all] - statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - 
'409': - content: - application/json: - examples: - conflict: - value: - message: >- - List with the specified list_id does not exist, create the - list or fix list_id to import to an existing one - status_code: 409 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List with specified list_id does not exist response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Import value list items - tags: - - Security Lists API - /api/lists/privileges: - get: - description: > - Returns the caller's authentication state and the Elasticsearch - `cluster`, `index`, and `application` - - privileges for `.lists` and `.items` data streams in the current Kibana - space. Use this to decide which list - - APIs (`read` vs `all` operations) are available before you create or - import lists. 
- operationId: ReadListPrivileges + entityTypes: + default: + - user + - host + - service + - generic + items: + enum: + - user + - host + - service + - generic + type: string + type: array + historySnapshot: + additionalProperties: false + type: object + properties: + frequency: + default: 24h + pattern: '[smdh]$' + type: string + logExtraction: + additionalProperties: false + type: object + properties: + additionalIndexPatterns: + default: [] + items: + type: string + type: array + delay: + default: 1m + pattern: '[smdh]$' + type: string + docsLimit: + default: 10000 + maximum: 9007199254740991 + minimum: 1 + type: integer + excludedIndexPatterns: + default: [] + items: + type: string + type: array + fieldHistoryLength: + default: 10 + maximum: 9007199254740991 + minimum: -9007199254740991 + type: integer + frequency: + default: 1m + pattern: '[smdh]$' + type: string + lookbackPeriod: + default: 3h + pattern: '[smdh]$' + type: string + maxLogsPerPage: + default: 50000 + maximum: 9007199254740991 + minimum: 1 + type: integer + maxLogsPerWindow: + default: 100000 + maximum: 9007199254740991 + minimum: 0 + type: integer + maxLogsPerWindowCapBehavior: + default: drop + enum: + - defer + - drop + type: string + maxTimeWindowSize: + default: 15m + pattern: '[smdh]$' + type: string responses: '200': content: application/json: examples: - privileges: - value: - is_authenticated: true - listItems: - application: {} - cluster: - all: true - manage: true - manage_api_key: true - manage_index_templates: true - manage_ml: true - manage_own_api_key: true - manage_pipeline: true - manage_security: true - manage_transform: true - monitor: true - monitor_ml: true - monitor_transform: true - has_all_requested: true - index: - .items-default: - all: true - create: true - create_doc: true - create_index: true - delete: true - delete_index: true - index: true - maintenance: true - manage: true - monitor: true - read: true - view_index_metadata: true - write: true - username: elastic 
- lists: - application: {} - cluster: - all: true - manage: true - manage_api_key: true - manage_index_templates: true - manage_ml: true - manage_own_api_key: true - manage_pipeline: true - manage_security: true - manage_transform: true - monitor: true - monitor_ml: true - monitor_transform: true - has_all_requested: true - index: - .lists-default: - all: true - create: true - create_doc: true - create_index: true - delete: true - delete_index: true - index: true - maintenance: true - manage: true - monitor: true - read: true - view_index_metadata: true - write: true - username: elastic - schema: - type: object - properties: - is_authenticated: - type: boolean - listItems: - $ref: '#/components/schemas/Security_Lists_API_ListItemPrivileges' - lists: - $ref: '#/components/schemas/Security_Lists_API_ListPrivileges' - required: - - lists - - listItems - - is_authenticated - description: Successful response - '400': - content: - application/json: - examples: - badRequest: + alreadyInstalledExample: + description: All requested entity types were already installed. + summary: Already installed value: - error: Bad Request - message: >- - Unable to resolve list privileges: invalid or missing - space context for this request - statusCode: 400 - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': + ok: true + description: Indicates all requested entity types are already installed. + '201': content: application/json: examples: - unauthorized: + installSuccessExample: + description: The Entity Store was installed and engines are being created. 
+ summary: Entity Store installed value: - error: Unauthorized - message: >- - [security_exception\n\tRoot - causes:\n\t\tsecurity_exception: unable to authenticate - user [elastic] for REST request - [/_security/_authenticate]]: unable to authenticate user - [elastic] for REST request [/_security/_authenticate] - statusCode: 401 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response + ok: true + description: Indicates the Entity Store was successfully installed. '403': content: application/json: examples: - forbidden: + forbiddenExample: + description: The user does not have the required Elasticsearch privileges. + summary: Insufficient privileges value: error: Forbidden - message: >- - API [GET /api/lists/privileges] is unauthorized for user, - this action is granted by the Kibana privileges - [lists-read] + message: User 'analyst' has insufficient privileges statusCode: 403 - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '500': - content: - application/json: - examples: - serverError: - value: - message: Internal Server Error - status_code: 500 - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Get value list privileges - tags: - - Security Lists API - /api/logstash/pipeline/{id}: - delete: - description: > - Delete a centrally-managed Logstash pipeline. - - If your Elasticsearch cluster is protected with basic authentication, - you must have either the `logstash_admin` built-in role or a customized - Logstash writer role. - externalDocs: - description: Secure your connection - url: https://www.elastic.co/docs/reference/logstash/secure-connection - operationId: delete-logstash-pipeline - parameters: - - description: An identifier for the pipeline. 
- in: path - name: id - required: true - schema: - type: string - responses: - '204': - description: Indicates a successful call - summary: Delete a Logstash pipeline + description: Insufficient privileges. + summary: Install the Entity Store tags: - - logstash - x-state: Technical Preview + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X POST -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ + -H "Content-Type: application/json" \ + -d '{"entityTypes":["user","host","service","generic"],"logExtraction":{}}' \ + "${KIBANA_URL}/api/security/entity_store/install" + - lang: Console + source: | + POST kbn://api/security/entity_store/install + { + "entityTypes": ["user", "host", "service", "generic"], + "logExtraction": {} + } + x-metaTags: + - content: Kibana + name: product_name + /api/security/entity_store/resolution/group: get: - description: > - Get information for a centrally-managed Logstash pipeline. + description: |- + **Spaces method and path for this operation:** - To use this API, you must have either the `logstash_admin` built-in role - or a customized Logstash reader role. - externalDocs: - description: Secure your connection - url: https://www.elastic.co/docs/reference/logstash/secure-connection - operationId: get-logstash-pipeline +
get /s/{space_id}/api/security/entity_store/resolution/group
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the resolution group for a given entity, returning all linked entities. Requires an enterprise license.

[Required authorization] Route required privileges: securitySolution AND securitySolution-entity-analytics. + operationId: get-security-entity-store-resolution-group parameters: - - description: An identifier for the pipeline. - in: path - name: id + - description: The entity identifier to look up the resolution group for. + in: query + name: entity_id required: true schema: type: string 
@@ -39338,3311 +61941,5069 @@ paths: content: application/json: examples: - getLogstashPipelineResponseExample1: - value: |- - { - "id": "hello-world", - "description": "Just a simple pipeline", - "username": "elastic", - "pipeline": "input { stdin {} } output { stdout {} }", - "settings": { - "queue.type": "persistent" - } - } - schema: - type: object - description: Indicates a successful call - summary: Get a Logstash pipeline + resolutionGroupExample: + description: Returns the resolution group for an entity, including the target entity, all aliases, and the group size. + summary: Resolution group with linked entities + value: + aliases: + - '@timestamp': '2026-04-10T08:25:00.000Z' + entity: + id: user:jdoe@example.com + name: jdoe + relationships: + resolution: + resolved_to: user:jane.doe@example.com + type: user + user: + name: jdoe + group_size: 2 + target: + '@timestamp': '2026-04-10T08:30:00.000Z' + entity: + id: user:jane.doe@example.com + name: jane.doe + type: user + user: + email: + - jane.doe@example.com + name: jane.doe + description: Indicates a successful response. + '400': + content: + application/json: + examples: + truncatedSearchExample: + description: The resolution search returned too many results and was truncated. + summary: Search results truncated + value: + error: Bad Request + message: Resolution search truncated + statusCode: 400 + description: Bad request. + '404': + content: + application/json: + examples: + notFoundExample: + description: The specified entity does not exist or has no resolution group. + summary: Entity not found + value: + error: Not Found + message: 'Entities not found: [user:nonexistent@example.com]' + statusCode: 404 + description: Entity not found. + summary: Get resolution group tags: - - logstash - x-state: Technical Preview - put: - description: > - Create a centrally-managed Logstash pipeline or update a pipeline. 
+ - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X GET -H "Authorization: ApiKey ${API_KEY}" \ + "${KIBANA_URL}/api/security/entity_store/resolution/group?entity_id=user%3Ajane.doe%40example.com" + - lang: Console + source: | + GET kbn://api/security/entity_store/resolution/group?entity_id=user:jane.doe@example.com + x-metaTags: + - content: Kibana + name: product_name + /api/security/entity_store/resolution/link: + post: + description: |- + **Spaces method and path for this operation:** - To use this API, you must have either the `logstash_admin` built-in role - or a customized Logstash writer role. - externalDocs: - description: Secure your connection - url: https://www.elastic.co/docs/reference/logstash/secure-connection - operationId: put-logstash-pipeline +
post /s/{space_id}/api/security/entity_store/resolution/link
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Link one or more entities to a target entity, creating a resolution group. Changes become visible on subsequent reads after the next index refresh (typically <1s). Requires an enterprise license.

[Required authorization] Route required privileges: securitySolution AND securitySolution-entity-analytics. + operationId: post-security-entity-store-resolution-link parameters: - - description: > - An identifier for the pipeline. Pipeline ID must begin with a letter - or underscore and can contain only letters, underscores, dashes, - hyphens, and numbers. - in: path - name: id + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: + example: 'true' type: string requestBody: content: application/json: examples: - putLogstashPipelineRequestExample1: - value: |- - { - "pipeline": "input { stdin {} } output { stdout {} }", - "settings": { - "queue.type": "persisted" - } - } + linkEntitiesExample: + description: Link two user entities to a target entity, creating a resolution group. + summary: Link entities to a target + value: + entity_ids: + - user:jdoe@example.com + - user:j.doe@example.com + target_id: user:jane.doe@example.com schema: + additionalProperties: false type: object properties: - description: - description: A description of the pipeline. - type: string - pipeline: - description: A definition for the pipeline. + entity_ids: + description: Entity identifiers to link to the target entity. Minimum 1, maximum 1000. + items: + type: string + maxItems: 1000 + minItems: 1 + type: array + target_id: + description: The entity identifier to resolve the linked entities to. 
type: string - settings: - description: > - Supported settings, represented as object keys, include the - following: - - - - `pipeline.workers` - - - `pipeline.batch.size` - - - `pipeline.batch.delay` - - - `pipeline.ecs_compatibility` - - - `pipeline.ordered` - - - `queue.type` - - - `queue.max_bytes` - - - `queue.checkpoint.writes` - type: object required: - - pipeline - responses: - '204': - description: Indicates a successful call - summary: Create or update a Logstash pipeline - tags: - - logstash - x-state: Technical Preview - /api/logstash/pipelines: - get: - description: > - Get a list of all centrally-managed Logstash pipelines. - - - To use this API, you must have either the `logstash_admin` built-in role - or a customized Logstash reader role. - - > info - - > Limit the number of pipelines to 10,000 or fewer. As the number of - pipelines nears and surpasses 10,000, you may see performance issues on - Kibana. - - - The `username` property appears in the response when security is enabled - and depends on when the pipeline was created or last updated. - externalDocs: - description: Secure your connection - url: https://www.elastic.co/docs/reference/logstash/secure-connection - operationId: get-logstash-pipelines + - target_id + - entity_ids responses: '200': content: application/json: examples: - getLogstashPipelinesResponseExample1: - value: |- - { - "pipelines": [ - { - "id": "hello-world", - "description": "Just a simple pipeline", - "last_modified": "2018-04-14T12:23:29.772Z", - "username": "elastic" - }, - { - "id": "sleepy-pipeline", - "description": "", - "last_modified": "2018-03-24T03:41:30.554Z" - } - ] - } - schema: - type: object - description: Indicates a successful call - summary: Get all Logstash pipelines - tags: - - logstash - x-state: Technical Preview - /api/ml/saved_objects/sync: - get: - description: > - Synchronizes Kibana saved objects for machine learning jobs and trained - models in the default space. 
You must have `all` privileges for the - **Machine Learning** feature in the **Analytics** section of the Kibana - feature privileges. This API runs automatically when you start Kibana - and periodically thereafter. - operationId: mlSync - parameters: - - $ref: '#/components/parameters/Machine_learning_APIs_simulateParam' - responses: - '200': + linkSuccessExample: + description: The entities were successfully linked to the target entity. + summary: Entities linked + value: + linked: + - user:jdoe@example.com + - user:j.doe@example.com + skipped: [] + target_id: user:jane.doe@example.com + description: Indicates a successful response. + '400': content: application/json: examples: - syncExample: - $ref: '#/components/examples/Machine_learning_APIs_mlSyncExample' - schema: - $ref: '#/components/schemas/Machine_learning_APIs_mlSync200Response' - description: Indicates a successful call - '401': + mixedTypesExample: + description: All entities in a resolution group must be of the same type. + summary: Mixed entity types + value: + error: Bad Request + message: Cannot link entities of different types + statusCode: 400 + selfLinkExample: + description: Cannot link an entity to itself. + summary: Self-link error + value: + error: Bad Request + message: Cannot link entity 'user:jane.doe@example.com' to itself. + statusCode: 400 + description: Bad request. + '404': content: application/json: examples: - syncExample: - $ref: '#/components/examples/Machine_learning_APIs_mlSync401Example' - schema: - $ref: '#/components/schemas/Machine_learning_APIs_mlSync4xxResponse' - description: Authorization information is missing or invalid. - summary: Sync saved objects in the default space + notFoundExample: + description: One or more of the specified entity identifiers were not found. 
+ summary: Entities not found + value: + error: Not Found + message: 'Entities not found: [user:nonexistent@example.com, user:also-nonexistent@example.com]' + statusCode: 404 + description: Entities not found. + summary: Link entities tags: - - ml - /api/ml/saved_objects/update_jobs_spaces: + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X POST -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ + -H "Content-Type: application/json" \ + -d '{"target_id":"user:jane.doe@example.com","entity_ids":["user:jdoe@example.com"]}' \ + "${KIBANA_URL}/api/security/entity_store/resolution/link" + - lang: Console + source: | + POST kbn://api/security/entity_store/resolution/link + { + "target_id": "user:jane.doe@example.com", + "entity_ids": ["user:jdoe@example.com"] + } + x-metaTags: + - content: Kibana + name: product_name + /api/security/entity_store/resolution/unlink: post: - description: Update a list of jobs to add and/or remove them from given spaces. - operationId: mlUpdateJobsSpaces + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/security/entity_store/resolution/unlink
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Remove one or more entities from their resolution group. Changes become visible on subsequent reads after the next index refresh (typically <1s). Requires an enterprise license.

[Required authorization] Route required privileges: securitySolution AND securitySolution-entity-analytics. + operationId: post-security-entity-store-resolution-unlink + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: examples: - updateADJobSpacesRequest: - value: - jobIds: - - test-job - jobType: anomaly-detector - spacesToAdd: - - default - spacesToRemove: - - '*' - updateDFAJobSpacesRequest: + unlinkEntitiesExample: + description: Remove entities from their resolution group, restoring them as standalone entities. + summary: Unlink entities from their resolution group value: - jobIds: - - test-job - jobType: data-frame-analytics - spacesToAdd: - - default - spacesToRemove: - - '*' + entity_ids: + - user:jdoe@example.com + - user:j.doe@example.com + schema: + additionalProperties: false + type: object + properties: + entity_ids: + description: Entity identifiers to unlink from their resolution group. Minimum 1, maximum 1000. + items: + type: string + maxItems: 1000 + minItems: 1 + type: array + required: + - entity_ids responses: '200': content: application/json: examples: - successADResponse: + unlinkSuccessExample: + description: The entities were successfully removed from their resolution group. + summary: Entities unlinked value: - test-job: - success: true - type: anomaly-detector - successDFAResponse: + skipped: [] + unlinked: + - user:jdoe@example.com + - user:j.doe@example.com + description: Indicates a successful response. + '404': + content: + application/json: + examples: + notFoundExample: + description: One or more of the specified entity identifiers were not found. 
+ summary: Entities not found value: - test-job: - success: true - type: data-frame-analytics - description: Indicates a successful call - summary: Update jobs spaces + error: Not Found + message: 'Entities not found: [user:nonexistent@example.com]' + statusCode: 404 + description: Entities not found. + summary: Unlink entities tags: - - ml - /api/ml/saved_objects/update_trained_models_spaces: - post: - description: >- - Update a list of trained models to add and/or remove them from given - spaces. - operationId: mlUpdateTrainedModelsSpaces + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X POST -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ + -H "Content-Type: application/json" \ + -d '{"entity_ids":["user:jdoe@example.com"]}' \ + "${KIBANA_URL}/api/security/entity_store/resolution/unlink" + - lang: Console + source: | + POST kbn://api/security/entity_store/resolution/unlink + { + "entity_ids": ["user:jdoe@example.com"] + } + x-metaTags: + - content: Kibana + name: product_name + /api/security/entity_store/start: + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/security/entity_store/start
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Start previously stopped entity engines, resuming data processing for the specified entity types.

[Required authorization] Route required privileges: securitySolution. + operationId: put-security-entity-store-start + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: examples: - updateTrainedModelsSpacesRequest: + startAllExample: + description: Start all stopped entity engines. + summary: Start all entity engines value: - modelIds: - - test-model - spacesToAdd: - - default - spacesToRemove: - - '*' + entityTypes: + - user + - host + - service + - generic + startSingleExample: + description: Start only the host entity engine. + summary: Start a single entity engine + value: + entityTypes: + - host + schema: + additionalProperties: false + type: object + properties: + entityTypes: + default: + - user + - host + - service + - generic + description: Entity types to start. Defaults to all installed types. + items: + enum: + - user + - host + - service + - generic + type: string + type: array responses: '200': content: application/json: examples: - successTMResponse: + startSuccessExample: + description: The specified entity engines were successfully started. + summary: Engines started value: - test-model: - success: true - type: trained-model" - description: Indicates a successful call - summary: Update trained models spaces + ok: true + description: Indicates a successful response. + summary: Start Entity Store engines tags: - - ml - /api/note: - delete: - description: > - Deletes notes by saved object ID. Send either `noteId` (single ID) or - `noteIds` (array of IDs) in the JSON body. 
+ - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X PUT -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ + -H "Content-Type: application/json" \ + -d '{"entityTypes":["user","host","service","generic"]}' \ + "${KIBANA_URL}/api/security/entity_store/start" + - lang: Console + source: | + PUT kbn://api/security/entity_store/start + { + "entityTypes": ["user", "host", "service", "generic"] + } + x-metaTags: + - content: Kibana + name: product_name + /api/security/entity_store/status: + get: + description: |- + **Spaces method and path for this operation:** +
get /s/{space_id}/api/security/entity_store/status
- The response has HTTP 200 with an empty body on success. + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the overall Entity Store status and per-engine statuses, optionally including component-level health details.

[Required authorization] Route required privileges: securitySolution. + operationId: get-security-entity-store-status + parameters: + - description: If true, returns a detailed status of each engine including all its components. + in: query + name: include_components + required: false + schema: + anyOf: + - enum: + - 'true' + - 'false' + type: string + - type: boolean + default: false + responses: + '200': + content: + application/json: + examples: + notInstalledExample: + description: The Entity Store has not been installed. + summary: Entity Store not installed + value: + engines: [] + status: not_installed + runningStatusExample: + description: The Entity Store is running with two started engines using default settings. + summary: Entity Store running + value: + engines: + - delay: 1m + docsPerSecond: -1 + enrichPolicyExecutionInterval: null + fieldHistoryLength: 10 + filter: '' + frequency: 30s + indexPattern: '' + lastExecutionTimestamp: '2026-04-10T08:30:00.000Z' + lookbackPeriod: 3h + maxLogsPerPage: 40000 + maxLogsPerWindow: 500000 + maxLogsPerWindowCapBehavior: defer + maxPageSearchSize: 10000 + maxTimeWindowSize: 15m + status: started + timeout: 25s + timestampField: '@timestamp' + type: host + - delay: 1m + docsPerSecond: -1 + enrichPolicyExecutionInterval: null + fieldHistoryLength: 10 + filter: '' + frequency: 30s + indexPattern: '' + lastExecutionTimestamp: '2026-04-10T08:30:00.000Z' + lookbackPeriod: 3h + maxLogsPerPage: 40000 + maxLogsPerWindow: 500000 + maxLogsPerWindowCapBehavior: defer + maxPageSearchSize: 10000 + maxTimeWindowSize: 15m + status: started + timeout: 25s + timestampField: '@timestamp' + type: user + status: running + description: Indicates a successful response. 
+ summary: Get Entity Store status + tags: + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X GET -H "Authorization: ApiKey ${API_KEY}" \ + "${KIBANA_URL}/api/security/entity_store/status?include_components=false" + - lang: Console + source: | + GET kbn://api/security/entity_store/status?include_components=false + x-metaTags: + - content: Kibana + name: product_name + /api/security/entity_store/stop: + put: + description: |- + **Spaces method and path for this operation:** +
put /s/{space_id}/api/security/entity_store/stop
- Requires the **Timeline and Notes** write privilege (`notes_write`). - operationId: DeleteNote + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Stop running entity engines, pausing data processing for the specified entity types.

[Required authorization] Route required privileges: securitySolution. + operationId: put-security-entity-store-stop + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: examples: - deleteOne: - summary: Delete a single note by id + stopAllExample: + description: Stop all running entity engines. + summary: Stop all entity engines value: - noteId: 709f99c6-89b6-4953-9160-35945c8e174e + entityTypes: + - user + - host + - service + - generic schema: - oneOf: - - nullable: true - type: object - properties: - noteId: - description: Saved object ID of the note to delete. - type: string - required: - - noteId - - nullable: true - type: object - properties: - noteIds: - description: Saved object IDs of the notes to delete. - items: - type: string - nullable: true - type: array - required: - - noteIds - description: > - Exactly one shape: `{ "noteId": "" }` for a single delete, or `{ - "noteIds": ["", ...] }` for bulk delete. - - `noteIds` may be null in some clients; prefer an empty array or omit - unused fields when possible. - required: true + additionalProperties: false + type: object + properties: + entityTypes: + default: + - user + - host + - service + - generic + description: Entity types to stop. Defaults to all running types. + items: + enum: + - user + - host + - service + - generic + type: string + type: array responses: '200': - description: The notes were deleted successfully. Response body is empty. - summary: Delete one or more notes + content: + application/json: + examples: + stopSuccessExample: + description: The specified entity engines were successfully stopped. + summary: Engines stopped + value: + ok: true + description: Indicates a successful response. 
+ summary: Stop Entity Store engines tags: - - Security Timeline API - - access:securitySolution - get: - description: > - Returns Security Timeline notes as saved objects. - - - **Query modes (mutually exclusive branches on the server):** - - - 1. **`documentIds` is set** — Returns notes whose `eventId` matches the - given Elasticsearch document `_id` (single string or array). Pagination - query parameters (`page`, `perPage`, etc.) are **not** applied; the - server uses a fixed page size (up to 10000 notes). - - - 2. **`savedObjectIds` is set** — Returns notes linked to the given - Timeline saved object id(s). Same fixed cap as above; list-mode query - parameters are **not** applied. - + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X PUT -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ + -H "Content-Type: application/json" \ + -d '{"entityTypes":["user","host","service","generic"]}' \ + "${KIBANA_URL}/api/security/entity_store/stop" + - lang: Console + source: | + PUT kbn://api/security/entity_store/stop + { + "entityTypes": ["user", "host", "service", "generic"] + } + x-metaTags: + - content: Kibana + name: product_name + /api/security/entity_store/uninstall: + post: + description: |- + **Spaces method and path for this operation:** - 3. **Neither `documentIds` nor `savedObjectIds`** — Lists notes using - saved-objects find semantics: `page` (default 1), `perPage` (default - 10), optional `search`, `sortField`, `sortOrder`, `filter`, - `createdByFilter`, and `associatedFilter`. +
post /s/{space_id}/api/security/entity_store/uninstall
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - Requires the **Timeline and Notes** read privilege (`notes_read`). - operationId: GetNotes + Uninstall the Entity Store, removing engines and associated resources for the specified entity types.

[Required authorization] Route required privileges: securitySolution. + operationId: post-security-entity-store-uninstall parameters: - - description: > - Event document `_id` values to match against each note's `eventId`. - When this parameter is present, the response is all matching notes - (up to the server's hard limit), not a paged list using - `page`/`perPage`. - examples: - multiple: - summary: Multiple document ids (array) - value: - - id-one - - id-two - single: - summary: Single document id - value: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b - in: query - name: documentIds + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - $ref: '#/components/schemas/Security_Timeline_API_DocumentIds' - - description: > - Timeline `savedObjectId` value(s). Returns notes that reference - those timelines. When present, list-mode pagination parameters are - not used; up to the server's hard limit of notes may be returned. - examples: - singleTimeline: - summary: Single timeline id - value: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + uninstallAllExample: + description: Uninstall all entity engines from the Entity Store. + summary: Uninstall all entity types + value: + entityTypes: + - user + - host + - service + - generic + uninstallSingleExample: + description: Uninstall only the host engine from the Entity Store. + summary: Uninstall a single entity type + value: + entityTypes: + - host + schema: + additionalProperties: false + type: object + properties: + entityTypes: + default: + - user + - host + - service + - generic + description: Entity types to uninstall. Defaults to all installed types. 
+ items: + enum: + - user + - host + - service + - generic + type: string + type: array + responses: + '200': + content: + application/json: + examples: + uninstallSuccessExample: + description: The specified entity engines were successfully uninstalled. + summary: Entity Store uninstalled + value: + ok: true + description: Indicates a successful response. + summary: Uninstall the Entity Store + tags: + - Security entity store + x-codeSamples: + - lang: curl + source: | + curl -X POST -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \ + -H "Content-Type: application/json" \ + -d '{"entityTypes":["user","host","service","generic"]}' \ + "${KIBANA_URL}/api/security/entity_store/uninstall" + - lang: Console + source: | + POST kbn://api/security/entity_store/uninstall + { + "entityTypes": ["user", "host", "service", "generic"] + } + x-metaTags: + - content: Kibana + name: product_name + /api/security/role: + get: + description: Retrieve all Kibana roles. + operationId: get-security-role + parameters: + - description: If `true` and the response contains any privileges that are associated with deprecated features, they are omitted in favor of details about the appropriate replacement feature privileges. in: query - name: savedObjectIds + name: replaceDeprecatedPrivileges + required: false schema: - $ref: '#/components/schemas/Security_Timeline_API_SavedObjectIds' - - description: > - Page number for list mode (when `documentIds` and `savedObjectIds` - are omitted). Passed as a string; default 1. - example: '1' - in: query - name: page + type: boolean + responses: + '200': + content: + application/json: + examples: + getAllRolesResponse: + value: + - _unrecognized_applications: [] + description: My custom Kibana role. 
+ elasticsearch: + cluster: + - monitor + indices: + - names: + - logs-* + privileges: + - read + run_as: [] + kibana: + - base: + - read + feature: {} + spaces: + - default + metadata: {} + name: my_kibana_role + transient_metadata: + enabled: true + getRolesResponse1: + $ref: '#/components/examples/get_roles_response1' + schema: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_response' + type: array + description: Indicates a successful call. + summary: Get all roles + tags: + - roles + x-metaTags: + - content: Kibana + name: product_name + /api/security/role/_query: + post: + description: Query Kibana roles with optional filters, paging, and sorting. + operationId: post-security-role-query + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - nullable: true + example: 'true' type: string - - description: > - Page size for list mode (when `documentIds` and `savedObjectIds` are - omitted). Passed as a string; default 10. - example: '20' - in: query - name: perPage + requestBody: + content: + application/json: + examples: + queryRolesRequest: + value: + from: 0 + query: kibana + size: 25 + sort: + direction: asc + field: name + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_security_query_roles_body' + responses: + '200': + content: + application/json: + examples: + queryRolesResponse: + value: + count: 1 + roles: + - _unrecognized_applications: [] + description: My custom Kibana role. + elasticsearch: + cluster: + - monitor + indices: + - names: + - logs-* + privileges: + - read + run_as: [] + kibana: + - base: + - read + feature: {} + spaces: + - default + metadata: {} + name: my_kibana_role + transient_metadata: + enabled: true + total: 1 + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_security_query_roles_response' + description: Indicates a successful call. 
+ summary: Query roles + tags: [] + x-metaTags: + - content: Kibana + name: product_name + /api/security/role/{name}: + delete: + description: Delete a Kibana role by its name. + operationId: delete-security-role-name + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - nullable: true + example: 'true' type: string - - description: Search string for saved-objects find (list mode only). - in: query - name: search + - description: The role name. + in: path + name: name + required: true schema: - nullable: true + minLength: 1 type: string - - description: Field to sort by for saved-objects find (list mode only). - in: query - name: sortField + responses: + '204': + description: Indicates a successful call. + summary: Delete a role + tags: + - roles + x-metaTags: + - content: Kibana + name: product_name + get: + description: Retrieve a Kibana role by its name. + operationId: get-security-role-name + parameters: + - description: The role name. + in: path + name: name + required: true schema: - nullable: true + minLength: 1 type: string - - description: >- - Sort order (`asc` or `desc`) for saved-objects find (list mode - only). - example: desc + - description: If `true` and the response contains any privileges that are associated with deprecated features, they are omitted in favor of details about the appropriate replacement feature privileges. in: query - name: sortOrder + name: replaceDeprecatedPrivileges + required: false schema: - nullable: true - type: string - - description: > - Kuery filter string combined with other list-mode filters (for - example `createdByFilter` or `associatedFilter`). Typed as a string - for API compatibility; interpreted by the saved-objects layer (list - mode only). 
- in: query - name: filter + type: boolean + responses: + '200': + content: + application/json: + examples: + getRoleResponse: + value: + _unrecognized_applications: [] + description: My custom Kibana role. + elasticsearch: + cluster: + - monitor + indices: + - names: + - logs-* + privileges: + - read + run_as: [] + kibana: + - base: + - read + feature: {} + spaces: + - default + metadata: {} + name: my_kibana_role + transient_metadata: + enabled: true + getRoleResponse1: + $ref: '#/components/examples/get_role_response1' + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_response' + description: Indicates a successful call. + summary: Get a role + tags: + - roles + x-metaTags: + - content: Kibana + name: product_name + put: + description: Create a new Kibana role or update the attributes of an existing role. Kibana roles are stored in the Elasticsearch native realm. + operationId: put-security-role-name + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - nullable: true + example: 'true' type: string - - description: > - Kibana user profile **UID** (UUID). The server resolves the user's - display identifiers and returns notes whose `createdBy` matches any - of them (list mode only). - example: f1c2d3e4-5b6a-7890-abcd-ef1234567890 - in: query - name: createdByFilter + - description: The role name. + in: path + name: name + required: true schema: - nullable: true + maxLength: 1024 + minLength: 1 type: string - - description: > - Restricts notes by how they relate to a Timeline and/or an event - document (list mode only). Some values apply extra filtering after - the query. Ignored when `documentIds` or `savedObjectIds` is used. + - description: When true, a role is not overwritten if it already exists. 
in: query - name: associatedFilter + name: createOnly + required: false schema: - $ref: '#/components/schemas/Security_Timeline_API_AssociatedFilterType' + default: false + type: boolean + requestBody: + content: + application/json: + examples: + createOrUpdateRoleRequest: + value: + description: My custom Kibana role. + elasticsearch: + cluster: + - monitor + indices: + - names: + - logs-* + privileges: + - read + kibana: + - base: + - read + feature: {} + spaces: + - default + createRoleRequest1: + $ref: '#/components/examples/create_role_request1' + createRoleRequest2: + $ref: '#/components/examples/create_role_request2' + createRoleRequest3: + $ref: '#/components/examples/create_role_request3' + createRoleRequest4: + $ref: '#/components/examples/create_role_request4' + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_put_payload' + responses: + '204': + description: Indicates a successful call. + summary: Create or update a role + tags: + - roles + x-metaTags: + - content: Kibana + name: product_name + /api/security/roles: + post: + description: Create or update multiple Kibana roles in a single request. 
+ operationId: post-security-roles + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: + bulkCreateOrUpdateRoles: + value: + roles: + my_kibana_role: + elasticsearch: + cluster: + - monitor + indices: + - names: + - logs-* + privileges: + - read + kibana: + - base: + - read + feature: {} + spaces: + - default + schema: + $ref: '#/components/schemas/Kibana_HTTP_APIs_security_roles_bulk_create_or_update_payload' responses: '200': content: application/json: examples: - notesPage: - summary: Paged notes for a timeline + bulkCreateOrUpdateRolesResponse: value: - notes: - - eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc - note: Escalated to tier-2 analyst - noteId: 709f99c6-89b6-4953-9160-35945c8e174e - timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - version: WzQ2LDFd - totalCount: 1 + created: + - my_kibana_role + noop: [] + updated: [] schema: - $ref: '#/components/schemas/Security_Timeline_API_GetNotesResult' - description: Notes and total count for the requested mode. - summary: Get notes + $ref: '#/components/schemas/Kibana_HTTP_APIs_security_bulk_create_or_update_roles_response' + description: Indicates a successful call. + summary: Create or update roles tags: - - Security Timeline API - - access:securitySolution - patch: - description: > - Creates a new note or updates an existing one. - - - **Create:** Send `note` and omit `noteId` to create a new saved object. - - - **Update:** Send `note` with the changed fields and set `noteId` to the - note's saved object ID. Optionally include `version` for optimistic - concurrency when the client has it from a prior read. - - - Requires the **Timeline and Notes** write privilege (`notes_write`). 
- externalDocs: - description: Add or update a note on a Timeline - url: >- - https://www.elastic.co/guide/en/security/current/timeline-api-update.html - operationId: PersistNoteRoute + - roles + x-metaTags: + - content: Kibana + name: product_name + /api/security/session/_invalidate: + post: + description: | + Invalidate user sessions that match a query. To use this API, you must be a superuser. + operationId: post-security-session-invalidate + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: examples: - addNote: - summary: Add a note on an event - value: - note: - eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc - note: Escalated to tier-2 analyst - timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + invalidateRequestExample1: + description: Run `POST api/security/session/_invalidate` to invalidate all existing sessions. + summary: Invalidate all sessions + value: |- + { + "match" : "all" + } + invalidateRequestExample2: + description: Run `POST api/security/session/_invalidate` to invalidate sessions that were created by any SAML authentication provider. + summary: Invalidate all SAML sessions + value: |- + { + "match" : "query", + "query": { + "provider" : { "type": "saml" } + } + } + invalidateRequestExample3: + description: Run `POST api/security/session/_invalidate` to invalidate sessions that were created by the SAML authentication provider named `saml1`. + summary: Invalidate sessions for a provider + value: |- + { + "match" : "query", + "query": { + "provider" : { "type": "saml", "name": "saml1" } + } + } + invalidateRequestExample4: + description: Run `POST api/security/session/_invalidate` to invalidate sessions that were created by any OpenID Connect authentication provider for the user with the username `user@my-oidc-sso.com`. 
+ summary: Invalidate sessions for a user + value: |- + { + "match" : "query", + "query": { + "provider" : { "type": "oidc" }, + "username": "user@my-oidc-sso.com" + } + } schema: type: object properties: - note: - $ref: '#/components/schemas/Security_Timeline_API_BareNote' - description: >- - Note payload (timeline, text, optional event linkage, - metadata). - noteId: - description: >- - The `savedObjectId` of the note to update. Omit when - creating a new note. - example: 709f99c6-89b6-4953-9160-35945c8e174e - nullable: true - type: string - version: - description: >- - Saved object version string from a previous read; optional - on update. - example: WzQ2LDFd - nullable: true + match: + description: | + The method Kibana uses to determine which sessions to invalidate. If it is `all`, all existing sessions will be invalidated. If it is `query`, only the sessions that match the query will be invalidated. + enum: + - all + - query type: string + query: + description: | + The query that Kibana uses to match the sessions to invalidate when the `match` parameter is set to `query`. + type: object + properties: + provider: + description: The authentication providers that will have their user sessions invalidated. + type: object + properties: + name: + description: The authentication provider name. + type: string + type: + description: | + The authentication provide type. For example: `basic`, `token`, `saml`, `oidc`, `kerberos`, or `pki`. + type: string + required: + - type + username: + description: The username that will have its sessions invalidated. + type: string + required: + - provider required: - - note - description: > - Body must include the `note` object. For updates, include `noteId` - (and optionally `version`). - - To attach a note to a specific event, set `note.eventId` to that - event's document `_id`; for a timeline-wide note, omit or clear - `eventId` per product rules. 
- required: true + - match responses: '200': content: application/json: - examples: - persisted: - summary: Persisted note wrapper - value: - note: - eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc - note: Escalated to tier-2 analyst - noteId: 709f99c6-89b6-4953-9160-35945c8e174e - timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - version: WzQ2LDFd schema: - $ref: '#/components/schemas/Security_Timeline_API_ResponseNote' - description: The persisted note, including `noteId` and `version`. - summary: Add or update a note + type: object + properties: + total: + description: The number of sessions that were successfully invalidated. + type: integer + description: Indicates a successful call + '403': + description: Indicates that the user may not be authorized to invalidate sessions for other users. + summary: Invalidate user sessions tags: - - Security Timeline API - - access:securitySolution - /api/observability_ai_assistant/chat/complete: + - user session + x-metaTags: + - content: Kibana + name: product_name + /api/short_url: post: - description: > - Create a new chat completion by using the Observability AI Assistant. - - - The API returns the model's response based on the current conversation - context. - - - It also handles any tool requests within the conversation, which may - trigger multiple calls to the underlying large language model (LLM). - - - This functionality is in technical preview and may be changed or removed - in a future release. Elastic will work to fix any issues, but features - in technical preview are not subject to the support SLA of official GA - features. - operationId: observability-ai-assistant-chat-complete + description: | + Kibana URLs may be long and cumbersome, short URLs are much easier to remember and share. + Short URLs are created by specifying the locator ID and locator parameters. When a short URL is resolved, the locator ID and locator parameters are used to redirect user to the right Kibana page. 
+ operationId: post-url requestBody: content: application/json: examples: - chatCompleteRequestExample: - $ref: >- - #/components/examples/Observability_AI_Assistant_API_ChatCompleteRequestExample + createShortUrlRequest: + description: Request a short URL that resolves to a dashboard with a preset time range. + summary: Create a short URL for a dashboard locator + value: + locatorId: DASHBOARD_APP_LOCATOR + params: + dashboardId: edf84fe0-e1a0-11e7-b6d5-4dc382ef7f5b + timeRange: + from: now-7d + to: now + slug: my-dashboard schema: type: object properties: - actions: - items: - $ref: >- - #/components/schemas/Observability_AI_Assistant_API_Function - type: array - connectorId: - description: A unique identifier for the connector. - type: string - conversationId: - description: >- - A unique identifier for the conversation if you are - continuing an existing conversation. - type: string - disableFunctions: - description: >- - Flag indicating whether all function calls should be - disabled for the conversation. If true, no calls to - functions will be made. - type: boolean - instructions: - description: >- - An array of instruction objects, which can be either simple - strings or detailed objects. - items: - $ref: >- - #/components/schemas/Observability_AI_Assistant_API_Instruction - type: array - messages: - description: >- - An array of message objects containing the conversation - history. - items: - $ref: >- - #/components/schemas/Observability_AI_Assistant_API_Message - type: array - persist: - description: >- - Indicates whether the conversation should be saved to - storage. If true, the conversation will be saved and will be - available in Kibana. + humanReadableSlug: + description: | + When the `slug` parameter is omitted, the API will generate a random human-readable slug if `humanReadableSlug` is set to true. type: boolean - title: - description: A title for the conversation. + locatorId: + description: The identifier for the locator. 
+ type: string + params: + description: | + An object which contains all necessary parameters for the given locator to resolve to a Kibana location. + > warn + > When you create a short URL, locator params are not validated, which allows you to pass arbitrary and ill-formed data into the API that can break Kibana. Make sure any data that you send to the API is properly formed. + type: object + slug: + description: | + A custom short URL slug. The slug is the part of the short URL that identifies it. You can provide a custom slug which consists of latin alphabet letters, numbers, and `-._` characters. The slug must be at least 3 characters long, but no longer than 255 characters. type: string required: - - messages - - connectorId - - persist + - locatorId + - params + required: true responses: '200': content: application/json: examples: - chatCompleteResponseExample: - $ref: >- - #/components/examples/Observability_AI_Assistant_API_ChatCompleteResponseExample + createShortUrlResponse: + description: The created short URL record. + summary: Short URL created + value: + accessCount: 0 + accessDate: 1767225600000 + createDate: 1767225600000 + id: c54b04f5d4b3aa3c + locator: + id: DASHBOARD_APP_LOCATOR + state: + dashboardId: edf84fe0-e1a0-11e7-b6d5-4dc382ef7f5b + timeRange: + from: now-7d + to: now + version: 9.4.0 + slug: my-dashboard schema: - type: object - description: Successful response - summary: Generate a chat completion + $ref: '#/components/schemas/Short_URL_APIs_urlResponse' + description: Indicates a successful call. 
+ summary: Create a short URL tags: - - observability_ai_assistant - x-codeSamples: - - lang: cURL - source: > - curl --request POST - 'localhost:5601/api/observability_ai_assistant/chat/complete' -u - : -H 'kbn-xsrf: true' -H "Content-Type: - application/json" --data ' - - { - - "connectorId": "", - - "disableFunctions": false, - "messages": [ - { - "@timestamp": "2025-06-25T23:45:00.000Z", - "message": { - "role": "user", - "content": "Is my Elasticsearch cluster healthy right now?" - } - } - ], - "persist": false, - - "actions": [ - { - "name": "get_cluster_health", - "description": "Fetch the current Elasticsearch cluster-health status and key metrics.", - "parameters": { - "type": "object", - "properties": { - "includeShardStats": { - "type": "boolean", - "default": false - } - } - } - } - ], - - "instructions": ["When the user asks about Elasticsearch cluster - health, use the get_cluster_health tool to retrieve cluster health, - then summarize the response in plain English."] - - }' + - short url x-state: Technical Preview - /api/osquery/history: + x-metaTags: + - content: Kibana + name: product_name + /api/short_url/_slug/{slug}: get: - description: > - Get a unified, time-sorted history of live, rule-triggered, and - scheduled osquery executions. The response uses cursor-based pagination. - operationId: OsqueryGetUnifiedHistory + description: | + Resolve a Kibana short URL by its slug. + operationId: resolve-url parameters: - - description: The number of results to return per page. - in: query - name: pageSize - required: false - schema: - default: 20 - description: The number of results to return per page. - maximum: 100 - minimum: 1 - type: integer - - description: >- - A base64-encoded cursor for pagination. Use the value from the - previous response to fetch the next page. - in: query - name: nextPage - required: false - schema: - description: >- - A base64-encoded cursor for pagination. 
Use the value from the - previous response to fetch the next page. - type: string - - description: >- - A search string to filter history entries by pack name, query text, - or query ID. - in: query - name: kuery - required: false - schema: - description: >- - A search string to filter history entries by pack name, query - text, or query ID. - type: string - - description: Comma-separated list of user IDs to filter live query history. - in: query - name: userIds - required: false - schema: - description: Comma-separated list of user IDs to filter live query history. - example: elastic,admin - type: string - - description: >- - Comma-separated list of source types to include. Valid values are - `live`, `rule`, and `scheduled`. - in: query - name: sourceFilters - required: false - schema: - description: >- - Comma-separated list of source types to include. Valid values are - `live`, `rule`, and `scheduled`. - example: live,scheduled - type: string - - description: The start of the time range filter (ISO 8601). - in: query - name: startDate - required: false - schema: - description: The start of the time range filter (ISO 8601). - example: '2024-01-01T00:00:00Z' - type: string - - description: The end of the time range filter (ISO 8601). - in: query - name: endDate - required: false + - description: The slug of the short URL. + in: path + name: slug + required: true schema: - description: The end of the time range filter (ISO 8601). - example: '2024-12-31T23:59:59Z' type: string responses: '200': content: application/json: examples: - unifiedHistoryExample: - summary: Example unified history response + resolveShortUrlResponse: + description: The short URL record matching the given slug. 
+ summary: Short URL resolved by slug value: - data: - - actionId: 609c4c66-ba3d-43fa-afdd-53e244577aa0 - agentCount: 5 - errorCount: 0 - id: 3c42c847-eb30-4452-80e0-728584042334 - queryName: uptime_query - queryText: select * from uptime; - source: Live - sourceType: live - successCount: 5 - timestamp: '2024-07-26T09:59:32.220Z' - totalRows: 42 - userId: elastic - - agentCount: 10 - errorCount: 1 - executionCount: 3 - id: pack_my_pack_uptime_3 - packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d - packName: My Pack - plannedTime: '2024-07-26T09:00:00.000Z' - queryName: uptime - queryText: select * from uptime; - scheduleId: pack_my_pack_uptime - source: Scheduled - sourceType: scheduled - successCount: 9 - timestamp: '2024-07-26T09:00:00.000Z' - totalRows: 100 - hasMore: true - nextPage: eyJhY3Rpb25TZWFyY2hBZnRlciI6WzE3... + accessCount: 12 + accessDate: 1767744000000 + createDate: 1767225600000 + id: c54b04f5d4b3aa3c + locator: + id: DASHBOARD_APP_LOCATOR + state: + dashboardId: edf84fe0-e1a0-11e7-b6d5-4dc382ef7f5b + timeRange: + from: now-7d + to: now + version: 9.4.0 + slug: my-dashboard schema: - $ref: >- - #/components/schemas/Security_Osquery_API_GetUnifiedHistoryResponse + $ref: '#/components/schemas/Short_URL_APIs_urlResponse' + description: Indicates a successful call. + summary: Resolve a short URL + tags: + - short url + x-state: Technical Preview + x-metaTags: + - content: Kibana + name: product_name + /api/short_url/{id}: + delete: + description: | + Delete a Kibana short URL. + operationId: delete-url + parameters: + - $ref: '#/components/parameters/Short_URL_APIs_idParam' + responses: + '200': description: Indicates a successful call. - summary: Get unified query history + summary: Delete a short URL tags: - - Security Osquery API - x-state: Generally available; Added in 9.4.0 - /api/osquery/live_queries: + - short url + x-state: Technical Preview + x-metaTags: + - content: Kibana + name: product_name get: - description: Get a list of all live queries. 
- operationId: OsqueryFindLiveQueries + description: | + Get a single Kibana short URL. + operationId: get-url parameters: - - description: A KQL search string to filter live queries. - in: query - name: kuery - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' - - description: The page number to return. - in: query - name: page - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' - - description: The number of results to return per page. - in: query - name: pageSize - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' - - description: The field to sort results by. - in: query - name: sort - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' - - description: The sort order. - in: query - name: sortOrder - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' + - $ref: '#/components/parameters/Short_URL_APIs_idParam' responses: '200': content: application/json: examples: - liveQueriesList: - summary: A list of recent live queries + getShortUrlResponse: + description: The short URL record matching the given identifier. 
+ summary: Short URL retrieved by ID value: - data: - items: - - _source: - '@timestamp': '2023-10-31T00:00:00Z' - action_id: 3c42c847-eb30-4452-80e0-728584042334 - agents: - - 16d7caf5-efd2-4212-9b62-73dafc91fa13 - expiration: '2023-10-31T00:00:00Z' - queries: - - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 - agents: - - 16d7caf5-efd2-4212-9b62-73dafc91fa13 - ecs_mapping: - host.uptime: - field: total_seconds - id: 6724a474-cbba-41ef-a1aa-66aebf0879e2 - query: select * from uptime; - saved_query_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d - user_id: elastic - total: 1 + accessCount: 12 + accessDate: 1767744000000 + createDate: 1767225600000 + id: c54b04f5d4b3aa3c + locator: + id: DASHBOARD_APP_LOCATOR + state: + dashboardId: edf84fe0-e1a0-11e7-b6d5-4dc382ef7f5b + timeRange: + from: now-7d + to: now + version: 9.4.0 + slug: my-dashboard schema: - $ref: >- - #/components/schemas/Security_Osquery_API_FindLiveQueryResponse + $ref: '#/components/schemas/Short_URL_APIs_urlResponse' description: Indicates a successful call. - summary: Get live queries + summary: Get a short URL tags: - - Security Osquery API + - short url + x-state: Technical Preview + x-metaTags: + - content: Kibana + name: product_name + /api/spaces/_copy_saved_objects: post: - description: Create and run a live query. - operationId: OsqueryCreateLiveQuery + description: 'It also allows you to automatically copy related objects, so when you copy a dashboard, this can automatically copy over the associated visualizations, data views, and saved Discover sessions, as required. You can request to overwrite any objects that already exist in the target space if they share an identifier or you can use the resolve copy saved objects conflicts API to do this on a per-object basis.

[Required authorization] Route required privileges: copySavedObjectsToSpaces.' + operationId: post-spaces-copy-saved-objects + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: - examples: - singleQueryAllAgents: - summary: Run a single query on all agents - value: - agent_all: true - ecs_mapping: - host.uptime: - field: total_seconds - query: select * from uptime; - targetedQuery: - summary: Run a query against specific agents - value: - agent_ids: - - 16d7caf5-efd2-4212-9b62-73dafc91fa13 - query: select * from processes; schema: - $ref: >- - #/components/schemas/Security_Osquery_API_CreateLiveQueryRequestBody - required: true + additionalProperties: false + type: object + properties: + compatibilityMode: + default: false + description: Apply various adjustments to the saved objects that are being copied to maintain compatibility between different Kibana versions. Use this option only if you encounter issues with copied saved objects. This option cannot be used with the `createNewCopies` option. + type: boolean + createNewCopies: + default: true + description: Create new copies of saved objects, regenerate each object identifier, and reset the origin. When used, potential conflict errors are avoided. This option cannot be used with the `overwrite` and `compatibilityMode` options. + type: boolean + includeReferences: + default: false + description: When set to true, all saved objects related to the specified saved objects will also be copied into the target spaces. + type: boolean + objects: + items: + additionalProperties: false + type: object + properties: + id: + description: The identifier of the saved object to copy. + type: string + type: + description: The type of the saved object to copy. 
+ type: string + required: + - type + - id + maxItems: 1000 + type: array + overwrite: + default: false + description: When set to true, all conflicts are automatically overridden. When a saved object with a matching type and identifier exists in the target space, that version is replaced with the version from the source space. This option cannot be used with the `createNewCopies` option. + type: boolean + spaces: + items: + description: The identifiers of the spaces where you want to copy the specified objects. + type: string + maxItems: 100 + type: array + required: + - spaces + - objects + examples: + copySavedObjectsRequestExample1: + $ref: '#/components/examples/copy_saved_objects_request1' + copySavedObjectsRequestExample2: + $ref: '#/components/examples/copy_saved_objects_request2' responses: '200': + description: 'OK: A successful request.' content: application/json: examples: - liveQueryCreated: - summary: Live query created - value: - data: - '@timestamp': '2022-07-26T09:59:32.220Z' - action_id: 3c42c847-eb30-4452-80e0-728584042334 - agent_all: true - agents: - - 16d7caf5-efd2-4212-9b62-73dafc91fa13 - expiration: '2022-07-26T10:04:32.220Z' - input_type: osquery - queries: - - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 - agents: - - 16d7caf5-efd2-4212-9b62-73dafc91fa13 - id: 6724a474-cbba-41ef-a1aa-66aebf0879e2 - query: select * from uptime; - timeout: 120 - type: INPUT_ACTION - user_id: elastic - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_CreateLiveQueryResponse + copySavedObjectsResponseExample1: + $ref: '#/components/examples/copy_saved_objects_response1' + copySavedObjectsResponseExample2: + $ref: '#/components/examples/copy_saved_objects_response2' + copySavedObjectsResponseExample3: + $ref: '#/components/examples/copy_saved_objects_response3' + copySavedObjectsResponseExample4: + $ref: '#/components/examples/copy_saved_objects_response4' + summary: Copy saved objects between spaces + tags: + - spaces + x-metaTags: + - 
content: Kibana + name: product_name + /api/spaces/_disable_legacy_url_aliases: + post: + description: Disable one or more legacy URL aliases so that they no longer resolve to their target saved objects. + operationId: post-spaces-disable-legacy-url-aliases + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + schema: + additionalProperties: false + type: object + properties: + aliases: + items: + additionalProperties: false + type: object + properties: + sourceId: + description: The alias source object identifier. This is the legacy object identifier. + type: string + targetSpace: + description: The space where the alias target object exists. + type: string + targetType: + description: 'The type of alias target object. ' + type: string + required: + - targetSpace + - targetType + - sourceId + maxItems: 1000 + type: array + required: + - aliases + examples: + disableLegacyURLRequestExample1: + $ref: '#/components/examples/disable_legacy_url_request1' + responses: + '204': description: Indicates a successful call. - summary: Create a live query + summary: Disable legacy URL aliases tags: - - Security Osquery API - /api/osquery/live_queries/{id}: - get: - description: Get the details of a live query using the query ID. - operationId: OsqueryGetLiveQueryDetails + - spaces + x-metaTags: + - content: Kibana + name: product_name + /api/spaces/_get_shareable_references: + post: + description: Collect references and space contexts for saved objects. + operationId: post-spaces-get-shareable-references parameters: - - description: The ID of the live query. - in: path - name: id + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: - description: The ID of the live query result you want to retrieve. 
- example: 3c42c847-eb30-4452-80e0-728584042334 + example: 'true' type: string + requestBody: + content: + application/json: + schema: + additionalProperties: false + type: object + properties: + objects: + items: + additionalProperties: false + type: object + properties: + id: + type: string + type: + type: string + required: + - type + - id + maxItems: 1000 + type: array + required: + - objects + examples: + getShareableReferencesRequestExample1: + $ref: '#/components/examples/get_shareable_references_request1' responses: '200': + description: Indicates a successful call. content: application/json: examples: - liveQueryDetails: - summary: Live query details with execution status - value: - data: - '@timestamp': '2022-07-26T09:59:32.220Z' - action_id: 3c42c847-eb30-4452-80e0-728584042334 - agents: - - 16d7caf5-efd2-4212-9b62-73dafc91fa13 - expiration: '2022-07-26T10:04:32.220Z' - queries: - - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 - agents: - - 16d7caf5-efd2-4212-9b62-73dafc91fa13 - docs: 1 - failed: 0 - id: 6724a474-cbba-41ef-a1aa-66aebf0879e2 - pending: 0 - query: select * from uptime; - responded: 1 - status: completed - successful: 1 - status: completed - user_id: elastic - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_FindLiveQueryDetailsResponse - description: Indicates a successful call. - summary: Get live query details + getShareableReferencesResponseExample1: + $ref: '#/components/examples/get_shareable_references_response1' + summary: Get shareable references tags: - - Security Osquery API - /api/osquery/live_queries/{id}/results/{actionId}: - get: - description: Get the results of a live query using the query action ID. - operationId: OsqueryGetLiveQueryResults + - spaces + x-metaTags: + - content: Kibana + name: product_name + /api/spaces/_resolve_copy_saved_objects_errors: + post: + description: 'Overwrite saved objects that are returned as errors from the copy saved objects to space API.

[Required authorization] Route required privileges: copySavedObjectsToSpaces.' + operationId: post-spaces-resolve-copy-saved-objects-errors parameters: - - description: The ID of the live query. - in: path - name: id + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: - description: The ID of the live query result you want to retrieve. - example: 3c42c847-eb30-4452-80e0-728584042334 + example: 'true' type: string - - description: The ID of the query action. - in: path - name: actionId + requestBody: + content: + application/json: + schema: + additionalProperties: false + type: object + properties: + compatibilityMode: + default: false + type: boolean + createNewCopies: + default: true + type: boolean + includeReferences: + default: false + type: boolean + objects: + items: + additionalProperties: false + type: object + properties: + id: + type: string + type: + type: string + required: + - type + - id + maxItems: 1000 + type: array + retries: + additionalProperties: + items: + additionalProperties: false + type: object + properties: + createNewCopy: + description: Creates new copies of the saved objects, regenerates each object ID, and resets the origin. + type: boolean + destinationId: + description: Specifies the destination identifier that the copied object should have, if different from the current identifier. + type: string + id: + description: The saved object identifier. + type: string + ignoreMissingReferences: + description: When set to true, any missing references errors are ignored. + type: boolean + overwrite: + default: false + description: When set to true, the saved object from the source space overwrites the conflicting object in the destination space. + type: boolean + type: + description: The saved object type. 
+ type: string + required: + - type + - id + maxItems: 1000 + type: array + type: object + required: + - retries + - objects + examples: + resolveCopySavedObjectsRequestExample1: + $ref: '#/components/examples/resolve_copy_saved_objects_request1' + resolveCopySavedObjectsRequestExample2: + $ref: '#/components/examples/resolve_copy_saved_objects_request2' + responses: + '200': + description: 'OK: A successful request.' + content: + application/json: + examples: + resolveCopySavedObjectsResponseExample1: + $ref: '#/components/examples/copy_saved_objects_response1' + resolveCopySavedObjectsResponseExample2: + $ref: '#/components/examples/copy_saved_objects_response2' + summary: Resolve conflicts copying saved objects + tags: [] + x-metaTags: + - content: Kibana + name: product_name + /api/spaces/_update_objects_spaces: + post: + description: Update one or more saved objects to add or remove them from some spaces. + operationId: post-spaces-update-objects-spaces + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: - description: The ID of the query action that generated the live query results. - example: 609c4c66-ba3d-43fa-afdd-53e244577aa0 + example: 'true' type: string - - description: A KQL search string to filter results. - in: query - name: kuery - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' - - description: The page number to return. - in: query - name: page - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' - - description: The number of results to return per page. - in: query - name: pageSize - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' - - description: The field to sort results by. - in: query - name: sort - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' - - description: The sort order. 
- in: query - name: sortOrder - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' + requestBody: + content: + application/json: + schema: + additionalProperties: false + type: object + properties: + objects: + items: + additionalProperties: false + type: object + properties: + id: + description: The identifier of the saved object to update. + type: string + type: + description: The type of the saved object to update. + type: string + required: + - type + - id + maxItems: 1000 + type: array + spacesToAdd: + items: + description: The identifiers of the spaces the saved objects should be added to or removed from. + type: string + maxItems: 1000 + type: array + spacesToRemove: + items: + description: The identifiers of the spaces the saved objects should be added to or removed from. + type: string + maxItems: 1000 + type: array + required: + - objects + - spacesToAdd + - spacesToRemove + examples: + updateObjectSpacesRequestExample1: + $ref: '#/components/examples/update_saved_objects_spaces_request1' responses: '200': + description: 'OK: A successful request.' content: application/json: examples: - liveQueryResults: - summary: Result rows from a live query execution - value: - data: - edges: - - _id: doc1 - _source: - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 - agent: - id: 16d7caf5-efd2-4212-9b62-73dafc91fa13 - osquery: - total_seconds: '12345' - - _id: doc2 - _source: - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 - agent: - id: 16d7caf5-efd2-4212-9b62-73dafc91fa13 - osquery: - total_seconds: '67890' - total: 2 - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_GetLiveQueryResultsResponse - description: Indicates a successful call. 
- summary: Get live query results + updateObjectSpacesResponseExample1: + $ref: '#/components/examples/update_saved_objects_spaces_response1' + summary: Update saved objects in spaces tags: - - Security Osquery API - /api/osquery/packs: + - spaces + x-metaTags: + - content: Kibana + name: product_name + /api/spaces/space: get: - description: Get a list of all query packs. - operationId: OsqueryFindPacks + description: Retrieve all available Kibana spaces. The list includes only the spaces that the user is authorized to access. + operationId: get-spaces-space parameters: - - description: The page number to return. - in: query - name: page - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' - - description: The number of results to return per page. - in: query - name: pageSize - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' - - description: The field to sort results by. + - description: Specifies which authorization checks are applied to the API call. The default value is `any`. in: query - name: sort + name: purpose required: false schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' - - description: The sort order. + enum: + - any + - copySavedObjectsIntoSpace + - shareSavedObjectsIntoSpace + type: string + - description: When enabled, the API returns any spaces the user is authorized to access in any capacity, each including the purposes for which the user is authorized. This is useful for identifying spaces the user can read but is not authorized for a given purpose. Without the security plugin, this parameter has no effect, because no authorization checks are performed. This parameter cannot be used together with the `purpose` parameter. 
in: query - name: sortOrder + name: include_authorized_purposes required: false schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' + type: boolean responses: '200': + description: Indicates a successful call. content: application/json: examples: - packsList: - summary: A list of query packs - value: - data: - - created_at: '2025-02-26T13:37:30.452Z' - created_by: elastic - description: My pack - enabled: true - name: my_pack - queries: - - id: ports - interval: 60 - query: SELECT * FROM listening_ports; - removed: false - snapshot: true - timeout: 120 - saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 - updated_at: '2025-02-26T13:37:30.452Z' - updated_by: elastic - version: 1 - page: 1 - per_page: 20 - total: 1 - schema: - $ref: '#/components/schemas/Security_Osquery_API_FindPacksResponse' - description: Indicates a successful call. - summary: Get packs + getSpacesResponseExample1: + $ref: '#/components/examples/get_spaces_response1' + getSpacesResponseExample2: + $ref: '#/components/examples/get_spaces_response2' + summary: Get all spaces tags: - - Security Osquery API + - spaces + x-metaTags: + - content: Kibana + name: product_name post: - description: Create a query pack. - operationId: OsqueryCreatePacks - requestBody: - content: - application/json: - examples: - createPack: - summary: Create a pack with a single query - value: - description: My pack - enabled: true - name: my_pack - policy_ids: - - my_policy_id - queries: - ports: - ecs_mapping: - client.port: - field: port - interval: 60 - query: SELECT * FROM listening_ports; - timeout: 120 + description: Create a new Kibana space. 
+ operationId: post-spaces-space + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: schema: - $ref: '#/components/schemas/Security_Osquery_API_CreatePacksRequestBody' - required: true + additionalProperties: false + type: object + properties: + _reserved: + type: boolean + color: + description: The hexadecimal color code used in the space avatar. By default, the color is automatically generated from the space name. + type: string + description: + description: A description for the space. + type: string + disabledFeatures: + default: [] + items: + description: The list of features that are turned off in the space. + type: string + maxItems: 100 + type: array + id: + description: The space ID that is part of the Kibana URL when inside the space. Space IDs are limited to lowercase alphanumeric, underscore, and hyphen characters (a-z, 0-9, _, and -). You are cannot change the ID with the update operation. + type: string + imageUrl: + description: The data-URL encoded image to display in the space avatar. If specified, initials will not be displayed and the color will be visible as the background color for transparent images. For best results, your image should be 64x64. Images will not be optimized by this API call, so care should be taken when using custom images. + type: string + initials: + description: One or two characters that are shown in the space avatar. By default, the initials are automatically generated from the space name. + maxLength: 2 + type: string + name: + description: 'The display name for the space. ' + minLength: 1 + type: string + projectRouting: + description: Cross-project search default routing configuration for this space. Controls whether searches are scoped to a single project or span multiple projects in serverless environments. 
+ type: string + solution: + enum: + - security + - oblt + - es + - classic + type: string + required: + - id + - name + examples: + createSpaceRequest: + $ref: '#/components/examples/create_space_request' responses: '200': content: application/json: - examples: - packCreated: - summary: Pack created - value: - data: - created_at: '2025-02-26T13:37:30.452Z' - created_by: elastic - description: My pack - enabled: true - name: my_pack - policy_ids: - - my_policy_id - queries: - ports: - interval: 60 - query: SELECT * FROM listening_ports; - removed: false - snapshot: true - timeout: 120 - saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 - shards: [] - updated_at: '2025-02-26T13:37:30.452Z' - updated_by: elastic - version: 1 schema: - $ref: '#/components/schemas/Security_Osquery_API_CreatePacksResponse' + additionalProperties: false + type: object + properties: + _reserved: + type: boolean + color: + description: The hexadecimal color code used in the space avatar. By default, the color is automatically generated from the space name. + type: string + description: + description: A description for the space. + type: string + disabledFeatures: + default: [] + items: + description: The list of features that are turned off in the space. + type: string + maxItems: 100 + type: array + id: + description: The space ID that is part of the Kibana URL when inside the space. Space IDs are limited to lowercase alphanumeric, underscore, and hyphen characters (a-z, 0-9, _, and -). You are cannot change the ID with the update operation. + type: string + imageUrl: + description: The data-URL encoded image to display in the space avatar. If specified, initials will not be displayed and the color will be visible as the background color for transparent images. For best results, your image should be 64x64. Images will not be optimized by this API call, so care should be taken when using custom images. 
+ type: string + initials: + description: One or two characters that are shown in the space avatar. By default, the initials are automatically generated from the space name. + maxLength: 2 + type: string + name: + description: 'The display name for the space. ' + minLength: 1 + type: string + projectRouting: + description: Cross-project search default routing configuration for this space. Controls whether searches are scoped to a single project or span multiple projects in serverless environments. + type: string + solution: + enum: + - security + - oblt + - es + - classic + type: string + required: + - id + - name + examples: + createSpaceResponseExample: + $ref: '#/components/examples/get_space_response' description: Indicates a successful call. - summary: Create a pack + summary: Create a space tags: - - Security Osquery API - /api/osquery/packs/{id}: + - spaces + x-metaTags: + - content: Kibana + name: product_name + /api/spaces/space/{id}: delete: - description: Delete a query pack using the pack ID. - operationId: OsqueryDeletePacks + description: When you delete a space, all saved objects that belong to the space are automatically deleted, which is permanent and cannot be undone. + operationId: delete-spaces-space-id parameters: - - description: The pack ID. + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The space identifier. in: path name: id required: true schema: - $ref: '#/components/schemas/Security_Osquery_API_PackId' + type: string responses: - '200': - content: - application/json: - examples: - packDeleted: - summary: Pack deleted (empty response body) - value: {} - schema: - type: object - properties: {} + '204': description: Indicates a successful call. - summary: Delete a pack + '404': + description: Indicates that the request failed. 
+ summary: Delete a space tags: - - Security Osquery API + - spaces + x-metaTags: + - content: Kibana + name: product_name get: - description: Get the details of a query pack using the pack ID. - operationId: OsqueryGetPacksDetails + description: Retrieve a single Kibana space by its identifier. + operationId: get-spaces-space-id parameters: - - description: The pack ID. + - description: The space identifier. in: path name: id required: true schema: - $ref: '#/components/schemas/Security_Osquery_API_PackId' + type: string responses: '200': content: application/json: examples: - packDetails: - summary: Pack details + getSpaceResponse: + description: A response that contains the full configuration for a single Kibana space. + summary: Get details about a marketing space value: - data: - created_at: '2025-02-26T13:37:30.452Z' - created_by: elastic - description: My pack - enabled: true - name: my_pack - policy_ids: - - my_policy_id - queries: - ports: - interval: 60 - query: SELECT * FROM listening_ports; - removed: false - snapshot: true - timeout: 120 - saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 - shards: {} - updated_at: '2025-02-26T13:37:30.452Z' - updated_by: elastic - version: 1 + color: '#aabbcc' + description: This is the Marketing Space + disabledFeatures: [] + id: marketing + imageUrl: '' + initials: MK + name: Marketing + solution: es schema: - $ref: '#/components/schemas/Security_Osquery_API_FindPackResponse' + additionalProperties: false + type: object + properties: + _reserved: + type: boolean + color: + description: The hexadecimal color code used in the space avatar. By default, the color is automatically generated from the space name. + type: string + description: + description: A description for the space. + type: string + disabledFeatures: + default: [] + items: + description: The list of features that are turned off in the space. 
+ type: string + maxItems: 100 + type: array + id: + description: The space ID that is part of the Kibana URL when inside the space. Space IDs are limited to lowercase alphanumeric, underscore, and hyphen characters (a-z, 0-9, _, and -). You are cannot change the ID with the update operation. + type: string + imageUrl: + description: The data-URL encoded image to display in the space avatar. If specified, initials will not be displayed and the color will be visible as the background color for transparent images. For best results, your image should be 64x64. Images will not be optimized by this API call, so care should be taken when using custom images. + type: string + initials: + description: One or two characters that are shown in the space avatar. By default, the initials are automatically generated from the space name. + maxLength: 2 + type: string + name: + description: 'The display name for the space. ' + minLength: 1 + type: string + projectRouting: + description: Cross-project search default routing configuration for this space. Controls whether searches are scoped to a single project or span multiple projects in serverless environments. + type: string + solution: + enum: + - security + - oblt + - es + - classic + type: string + required: + - id + - name description: Indicates a successful call. - summary: Get pack details + summary: Get a space tags: - - Security Osquery API + - spaces + x-metaTags: + - content: Kibana + name: product_name put: - description: | - Update a query pack using the pack ID. - > info - > You cannot update a prebuilt pack. - operationId: OsqueryUpdatePacks + description: Update an existing Kibana space. + operationId: put-spaces-space-id parameters: - - description: The pack ID. + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The space identifier. You are unable to change the ID with the update operation. 
in: path name: id required: true schema: - $ref: '#/components/schemas/Security_Osquery_API_PackId' + type: string requestBody: content: application/json: - examples: - renamePack: - summary: Rename a pack and update its description - value: - description: Updated pack description - enabled: true - name: my_pack_renamed schema: - $ref: '#/components/schemas/Security_Osquery_API_UpdatePacksRequestBody' - required: true - responses: - '200': - content: - application/json: - examples: - packUpdated: - summary: Pack updated - value: - data: - description: Updated pack description - enabled: true - name: my_pack_renamed - policy_ids: - - my_policy_id - queries: - ports: - interval: 60 - query: SELECT * FROM listening_ports; - removed: false - snapshot: true - timeout: 120 - saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 - shards: [] - updated_at: '2025-02-27T10:00:00.000Z' - updated_by: elastic - version: 2 - schema: - $ref: '#/components/schemas/Security_Osquery_API_UpdatePacksResponse' - description: Indicates a successful call. - summary: Update a pack - tags: - - Security Osquery API - /api/osquery/packs/{id}/copy: - post: - description: >- - Create a copy of a query pack with a unique name by appending a `_copy` - suffix. If the name already exists, a numeric suffix is added (e.g., - `_copy_2`). The copied pack is always created with `enabled` set to - `false`. - operationId: OsqueryCopyPacks - parameters: - - description: The ID of the pack to copy. - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Osquery_API_PackId' + additionalProperties: false + type: object + properties: + _reserved: + type: boolean + color: + description: The hexadecimal color code used in the space avatar. By default, the color is automatically generated from the space name. + type: string + description: + description: A description for the space. 
+ type: string + disabledFeatures: + default: [] + items: + description: The list of features that are turned off in the space. + type: string + maxItems: 100 + type: array + id: + description: The space ID that is part of the Kibana URL when inside the space. Space IDs are limited to lowercase alphanumeric, underscore, and hyphen characters (a-z, 0-9, _, and -). You are cannot change the ID with the update operation. + type: string + imageUrl: + description: The data-URL encoded image to display in the space avatar. If specified, initials will not be displayed and the color will be visible as the background color for transparent images. For best results, your image should be 64x64. Images will not be optimized by this API call, so care should be taken when using custom images. + type: string + initials: + description: One or two characters that are shown in the space avatar. By default, the initials are automatically generated from the space name. + maxLength: 2 + type: string + name: + description: 'The display name for the space. ' + minLength: 1 + type: string + projectRouting: + description: Cross-project search default routing configuration for this space. Controls whether searches are scoped to a single project or span multiple projects in serverless environments. + type: string + solution: + enum: + - security + - oblt + - es + - classic + type: string + required: + - id + - name + examples: + updateSpaceRequest: + $ref: '#/components/examples/update_space_request' responses: '200': content: application/json: examples: - copyPackExample: - summary: Example response for copying a pack + updateSpaceResponse: + description: A response that contains the updated configuration of the Kibana space. 
+ summary: Update the marketing space value: - data: - created_at: '2025-02-26T13:37:30.452Z' - created_by: elastic - description: My pack - enabled: false - name: my_pack_copy - policy_ids: [] - queries: - - ecs_mapping: - - key: client.port - value: - field: port - id: ports - interval: 60 - query: SELECT * FROM listening_ports; - removed: false - snapshot: true - timeout: 120 - saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 - shards: [] - updated_at: '2025-02-26T13:37:30.452Z' - updated_by: elastic + color: '#aabbcc' + description: An updated description for the Marketing Space + disabledFeatures: [] + id: marketing + imageUrl: '' + initials: MK + name: Marketing + solution: es schema: - $ref: '#/components/schemas/Security_Osquery_API_CopyPacksResponse' + additionalProperties: false + type: object + properties: + _reserved: + type: boolean + color: + description: The hexadecimal color code used in the space avatar. By default, the color is automatically generated from the space name. + type: string + description: + description: A description for the space. + type: string + disabledFeatures: + default: [] + items: + description: The list of features that are turned off in the space. + type: string + maxItems: 100 + type: array + id: + description: The space ID that is part of the Kibana URL when inside the space. Space IDs are limited to lowercase alphanumeric, underscore, and hyphen characters (a-z, 0-9, _, and -). You are cannot change the ID with the update operation. + type: string + imageUrl: + description: The data-URL encoded image to display in the space avatar. If specified, initials will not be displayed and the color will be visible as the background color for transparent images. For best results, your image should be 64x64. Images will not be optimized by this API call, so care should be taken when using custom images. + type: string + initials: + description: One or two characters that are shown in the space avatar. 
By default, the initials are automatically generated from the space name. + maxLength: 2 + type: string + name: + description: 'The display name for the space. ' + minLength: 1 + type: string + projectRouting: + description: Cross-project search default routing configuration for this space. Controls whether searches are scoped to a single project or span multiple projects in serverless environments. + type: string + solution: + enum: + - security + - oblt + - es + - classic + type: string + required: + - id + - name description: Indicates a successful call. - summary: Copy a pack + summary: Update a space tags: - - Security Osquery API - x-state: Generally available; Added in 9.4.0 - /api/osquery/saved_queries: + - spaces + x-metaTags: + - content: Kibana + name: product_name + /api/status: get: - description: Get a list of all saved queries. - operationId: OsqueryFindSavedQueries + description: Returns Kibana's overall operational status and a per-service breakdown for Elasticsearch, Saved Objects, and registered plugins. The endpoint is intended for liveness and readiness checks (for example, by Kubernetes probes) and for operators monitoring a Kibana deployment. Unauthenticated callers receive a redacted response that exposes only the overall status level. + operationId: get-status parameters: - - description: The page number to return. - in: query - name: page - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' - - description: The number of results to return per page. - in: query - name: pageSize - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' - - description: The field to sort results by. + - description: Set to "true" to get the response in v7 format. in: query - name: sort + name: v7format required: false schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' - - description: The sort order. 
+ type: boolean + - description: Set to "true" to get the response in v8 format. in: query - name: sortOrder + name: v8format required: false schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' + type: boolean responses: '200': content: application/json: examples: - savedQueriesList: - summary: A list of saved queries + statusAvailableResponse: + description: A successful response when Kibana and its core services are operating normally. + summary: Kibana is available value: - data: - - created_at: '2025-02-26T13:37:30.452Z' - created_by: elastic - description: Saved query description - ecs_mapping: - host.uptime: - field: total_seconds - id: my_saved_query - interval: '60' - platform: linux,darwin - query: select * from uptime; - saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c - timeout: 120 - updated_at: '2025-02-26T13:37:30.452Z' - updated_by: elastic - page: 1 - per_page: 20 - total: 1 + metrics: + collection_interval_in_millis: 5000 + elasticsearch_client: + totalActiveSockets: 4 + totalIdleSockets: 2 + totalQueuedRequests: 0 + last_updated: '2026-04-30T12:00:05.000Z' + name: kibana + status: + core: + elasticsearch: + level: available + summary: Elasticsearch is available + savedObjects: + level: available + summary: SavedObjects service has completed migrations and is available + overall: + level: available + summary: All services are available + plugins: {} + uuid: 5b2de169-2785-441b-ae8c-186a1936b17d + version: + build_date: '2026-04-30T12:00:00.000Z' + build_flavor: traditional + build_hash: ad8f0fa4d5022f56bbe2c4d51e9d0fcfa1ee67fc + build_number: 100200 + build_snapshot: false + number: 9.3.0 + statusRedactedResponse: + description: A redacted response returned when the caller is unauthenticated or lacks the `monitor` cluster privilege. 
+ summary: Kibana is available (redacted) + value: + status: + overall: + level: available schema: - $ref: >- - #/components/schemas/Security_Osquery_API_FindSavedQueryResponse - description: Indicates a successful call. - summary: Get saved queries + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_response' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_redactedResponse' + description: Kibana's operational status. A minimal response is sent for unauthorized users. + description: Overall status is OK and Kibana should be functioning normally. + '503': + content: + application/json: + examples: + statusUnavailableResponse: + description: A response when one or more core services are unavailable. + summary: Kibana is unavailable + value: + metrics: + collection_interval_in_millis: 5000 + elasticsearch_client: + totalActiveSockets: 0 + totalIdleSockets: 0 + totalQueuedRequests: 0 + last_updated: '2026-04-30T12:00:05.000Z' + name: kibana + status: + core: + elasticsearch: + level: unavailable + summary: Unable to connect to Elasticsearch + savedObjects: + level: unavailable + summary: SavedObjects service depends on Elasticsearch + overall: + level: unavailable + summary: Some services are unavailable + plugins: {} + uuid: 5b2de169-2785-441b-ae8c-186a1936b17d + version: + build_date: '2026-04-30T12:00:00.000Z' + build_flavor: traditional + build_hash: ad8f0fa4d5022f56bbe2c4d51e9d0fcfa1ee67fc + build_number: 100200 + build_snapshot: false + number: 9.3.0 + schema: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_response' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_redactedResponse' + description: Kibana's operational status. A minimal response is sent for unauthorized users. + description: Kibana or some of its essential services are unavailable. Kibana may be degraded or unavailable. 
+ summary: Get Kibana's current status tags: - - Security Osquery API - post: - description: Create and save a query for later use. - operationId: OsqueryCreateSavedQuery + - system + x-metaTags: + - content: Kibana + name: product_name + /api/streams: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/streams
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Fetches list of all streams

[Required authorization] Route required privileges: read_stream. + operationId: get-streams + parameters: [] requestBody: content: application/json: - examples: - createSavedQuery: - summary: Create a saved query - value: - description: Saved query description - ecs_mapping: - host.uptime: - field: total_seconds - id: my_saved_query - interval: '60' - platform: linux,darwin - query: select * from uptime; - timeout: 120 + examples: {} schema: - $ref: >- - #/components/schemas/Security_Osquery_API_CreateSavedQueryRequestBody - required: true + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} responses: '200': content: application/json: examples: - savedQueryCreated: - summary: Saved query created - value: - data: - created_at: '2025-02-26T13:37:30.452Z' - created_by: elastic - description: Saved query description - ecs_mapping: - host.uptime: - field: total_seconds - id: my_saved_query - interval: '60' - platform: linux,darwin - query: select * from uptime; - saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c - timeout: 120 - updated_at: '2025-02-26T13:37:30.452Z' - updated_by: elastic - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_CreateSavedQueryResponse - description: Indicates a successful call. 
- summary: Create a saved query + listStreams: + value: + streams: + - description: Root logs stream + ingest: + failure_store: + inherit: {} + lifecycle: + inherit: {} + processing: + steps: [] + updated_at: '2025-01-10T08:00:00.000Z' + settings: {} + wired: + fields: + '@timestamp': + type: date + log.level: + type: keyword + message: + type: match_only_text + routing: + - destination: logs.nginx + status: enabled + where: + eq: nginx + field: host.name + name: logs + type: wired + updated_at: '2025-01-10T08:00:00.000Z' + - description: Web server access logs, routed by severity + ingest: + failure_store: + inherit: {} + lifecycle: + inherit: {} + processing: + steps: [] + updated_at: '2025-01-15T10:30:00.000Z' + settings: {} + wired: + fields: + host.name: + type: keyword + http.response.status_code: + type: long + message: + type: match_only_text + routing: + - destination: logs.nginx.errors + status: enabled + where: + field: http.response.status_code + gte: 500 + name: logs.nginx + type: wired + updated_at: '2025-01-15T10:30:00.000Z' + - description: Legacy application logs + ingest: + classic: {} + failure_store: + disabled: {} + lifecycle: + dsl: + data_retention: 30d + processing: + steps: + - action: grok + from: message + ignore_missing: true + patterns: + - '%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:log.level} %{GREEDYDATA:message}' + updated_at: '2024-12-01T09:00:00.000Z' + settings: {} + name: logs-myapp-default + type: classic + updated_at: '2024-12-01T09:00:00.000Z' + - description: All error-level logs across every stream + name: logs.errors + query: + esql: FROM logs* | WHERE log.level == "error" + view: logs.errors-view + type: query + updated_at: '2025-01-20T14:00:00.000Z' + description: A list of all streams. 
+ summary: Get stream list tags: - - Security Osquery API - /api/osquery/saved_queries/{id}: + - streams + x-state: Experimental; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + /api/streams/_disable: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/streams/_disable
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Disables wired streams and deletes all existing stream definitions. The data of wired streams is deleted, but the data of classic streams is preserved.

[Required authorization] Route required privileges: manage_stream. + operationId: post-streams-disable + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: {} + schema: + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} + responses: + '200': + description: Streams were disabled successfully. + summary: Disable streams + tags: + - streams + x-state: Experimental; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + /api/streams/_enable: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/streams/_enable
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Enables wired streams

[Required authorization] Route required privileges: manage_stream. + operationId: post-streams-enable + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: {} + schema: + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} + responses: + '200': + description: Streams were enabled successfully. + summary: Enable streams + tags: + - streams + x-state: Experimental; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + /api/streams/_resync: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/streams/_resync
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Resyncs all streams, making sure that Elasticsearch assets are up to date

[Required authorization] Route required privileges: manage_stream. + operationId: post-streams-resync + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json: + examples: {} + schema: + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} + responses: + '200': + description: Streams were resynced successfully. + summary: Resync streams + tags: + - streams + x-state: Experimental; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + /api/streams/{name}: delete: - description: Delete a saved query using the query ID. - operationId: OsqueryDeleteSavedQuery + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/streams/{name}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Deletes a stream definition and the underlying data stream

[Required authorization] Route required privileges: manage_stream. + operationId: delete-streams-name parameters: - - description: The saved query ID. + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The name of the stream. in: path - name: id + name: name required: true schema: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + type: string + requestBody: + content: + application/json: + examples: {} + schema: + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} responses: '200': - content: - application/json: - examples: - savedQueryDeleted: - summary: Saved query deleted (empty response body) - value: {} - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_DefaultSuccessResponse - description: Indicates a successful call. - summary: Delete a saved query + description: The stream was deleted successfully. + summary: Delete a stream tags: - - Security Osquery API + - streams + x-state: Experimental; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name get: - description: Get the details of a saved query using the query ID. - operationId: OsqueryGetSavedQueryDetails + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/streams/{name}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Fetches a stream definition and associated dashboards

[Required authorization] Route required privileges: read_stream. + operationId: get-streams-name parameters: - - description: The saved query ID. + - description: The name of the stream. in: path - name: id + name: name required: true schema: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + type: string + requestBody: + content: + application/json: + examples: {} + schema: + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} responses: '200': content: application/json: examples: - savedQueryDetails: - summary: Saved query details + getWiredStream: value: - data: - created_at: '2025-02-26T13:37:30.452Z' - created_by: elastic - description: Saved query description - ecs_mapping: - host.uptime: - field: total_seconds - id: my_saved_query - interval: '60' - platform: linux,darwin - query: select * from uptime; - saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c - timeout: 120 - updated_at: '2025-02-26T13:37:30.452Z' - updated_by: elastic - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_FindSavedQueryDetailResponse - description: Indicates a successful call. 
- summary: Get saved query details + dashboards: [] + data_stream_exists: true + effective_failure_store: + disabled: {} + from: logs + effective_lifecycle: + dsl: + data_retention: 7d + from: logs + effective_settings: {} + inherited_fields: + '@timestamp': + from: logs + type: date + log.level: + from: logs + type: keyword + privileges: + create_snapshot_repository: false + lifecycle: true + manage: true + manage_failure_store: true + monitor: true + read_failure_store: true + simulate: true + text_structure: true + view_index_metadata: true + queries: [] + rules: [] + stream: + description: Web server access logs, routed by severity + ingest: + failure_store: + inherit: {} + lifecycle: + inherit: {} + processing: + steps: [] + updated_at: '2025-01-15T10:30:00.000Z' + settings: {} + wired: + fields: + host.name: + type: keyword + http.response.status_code: + type: long + message: + type: match_only_text + routing: + - destination: logs.nginx.errors + status: enabled + where: + field: http.response.status_code + gte: 500 + name: logs.nginx + type: wired + updated_at: '2025-01-15T10:30:00.000Z' + description: Stream definition and associated metadata. + summary: Get a stream tags: - - Security Osquery API + - streams + x-state: Experimental; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name put: - description: | - Update a saved query using the query ID. - > info - > You cannot update a prebuilt saved query. - operationId: OsqueryUpdateSavedQuery + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/streams/{name}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Creates or updates a stream definition. Classic streams can not be created through this API, only updated

[Required authorization] Route required privileges: manage_stream. + operationId: put-streams-name parameters: - - description: The saved query ID. + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The name of the stream. in: path - name: id + name: name required: true schema: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + type: string requestBody: content: application/json: examples: - updateSavedQuery: - summary: Update a saved query + createQueryStream: value: - description: Updated saved query description - id: my_saved_query - interval: '120' - platform: linux,darwin - query: select * from osquery_info; - timeout: 60 + dashboards: [] + queries: [] + rules: [] + stream: + description: All error-level logs across every stream + query: + esql: FROM logs* | WHERE log.level == "error" + view: logs.errors-view + type: query + createWiredStream: + value: + dashboards: [] + queries: [] + rules: [] + stream: + description: Web server access logs, routed by severity + ingest: + failure_store: + inherit: {} + lifecycle: + inherit: {} + processing: + steps: [] + settings: {} + wired: + fields: + host.name: + type: keyword + http.response.status_code: + type: long + message: + type: match_only_text + routing: + - destination: logs.nginx.errors + status: enabled + where: + field: http.response.status_code + gte: 500 + type: wired + updateClassicStream: + value: + dashboards: [] + queries: [] + rules: [] + stream: + description: Legacy application logs managed as a classic data stream + ingest: + classic: {} + failure_store: + disabled: {} + lifecycle: + dsl: + data_retention: 30d + processing: + steps: + - action: grok + from: message + ignore_missing: true + patterns: + - '%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:log.level} %{GREEDYDATA:message}' + settings: {} + type: classic schema: - $ref: >- - 
#/components/schemas/Security_Osquery_API_UpdateSavedQueryRequestBody - required: true + $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamUpsertRequest' responses: '200': - content: - application/json: - examples: - savedQueryUpdated: - summary: Saved query updated - value: - data: - description: Updated saved query description - id: my_saved_query - interval: '120' - platform: linux,darwin - query: select * from osquery_info; - saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c - timeout: 60 - updated_at: '2025-02-27T10:00:00.000Z' - updated_by: elastic - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_UpdateSavedQueryResponse - description: Indicates a successful call. - summary: Update a saved query + description: The stream was created or updated successfully. + summary: Create or update a stream tags: - - Security Osquery API - /api/osquery/saved_queries/{id}/copy: + - streams + x-state: Experimental; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + /api/streams/{name}/_fork: post: - description: >- - Create a copy of a saved query with a unique name by appending a `_copy` - suffix. If the name already exists, a numeric suffix is added (e.g., - `_copy_2`). - operationId: OsqueryCopySavedQuery + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/streams/{name}/_fork
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Forks a wired stream and creates a child stream

[Required authorization] Route required privileges: manage_stream. + operationId: post-streams-name-fork parameters: - - description: The ID of the saved query to copy. + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The name of the parent stream to fork from. in: path - name: id + name: name required: true schema: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + type: string + requestBody: + content: + application/json: + examples: + forkStream: + value: + status: enabled + stream: + name: logs.nginx.errors + where: + eq: '500' + field: http.response.status_code + schema: + additionalProperties: false + type: object + properties: + draft: + type: boolean + status: + enum: + - enabled + - disabled + type: string + stream: + additionalProperties: false + type: object + properties: + name: + type: string + required: + - name + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + required: + - stream + - where responses: '200': - content: - application/json: - examples: - copySavedQueryExample: - summary: Example response for copying a saved query - value: - data: - created_at: '2025-02-26T13:37:30.452Z' - created_by: elastic - description: Saved query description - ecs_mapping: - host.uptime: - field: total_seconds - id: my_saved_query_copy - interval: '60' - platform: linux,darwin - query: select * from uptime; - removed: false - saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c - snapshot: true - timeout: 120 - updated_at: '2025-02-26T13:37:30.452Z' - updated_by: elastic - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_CopySavedQueryResponse - description: Indicates a successful call. - summary: Copy a saved query + description: The stream was forked successfully. 
+ summary: Fork a stream tags: - - Security Osquery API - x-state: Generally available; Added in 9.4.0 - /api/osquery/scheduled_results/{scheduleId}/{executionCount}: + - streams + x-state: Experimental; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + /api/streams/{name}/_ingest: get: - description: > - Get paginated per-agent action results for a specific scheduled query - execution, with success/failure aggregation and execution metadata (pack - name, query name/text, timestamp). - operationId: OsqueryGetScheduledActionResults + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/streams/{name}/_ingest
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Fetches the ingest settings of an ingest stream definition

[Required authorization] Route required privileges: read_stream. + operationId: get-streams-name-ingest parameters: - - description: The schedule ID of the scheduled query. + - description: The name of the stream. in: path - name: scheduleId + name: name required: true schema: - description: The schedule ID of the scheduled query. - example: pack_my_pack_uptime type: string - - description: The execution count for this scheduled query run. - in: path - name: executionCount - required: true - schema: - description: The execution count for this scheduled query run. - example: 3 - type: integer - - description: The kuery to filter the results by. - in: query - name: kuery - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' - - description: The page number to return. The default is 1. - in: query - name: page - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' - - description: The number of results to return per page. The default is 20. - in: query - name: pageSize - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' - - description: The field that is used to sort the results. - in: query - name: sort - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' - - description: Specifies the sort order. 
- in: query - name: sortOrder - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' + requestBody: + content: + application/json: + examples: {} + schema: + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} responses: '200': content: application/json: examples: - scheduledActionResultsExample: - summary: Example scheduled action results response - value: - aggregations: - failed: 1 - pending: 0 - successful: 9 - totalResponded: 10 - totalRowCount: 42 - currentPage: 0 - edges: - - _id: result-001 + getWiredIngest: + value: + ingest: + failure_store: + inherit: {} + lifecycle: + inherit: {} + processing: + steps: + - action: grok + from: message + ignore_missing: false + patterns: + - '%{IPORHOST:client.ip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:@timestamp}\] "%{WORD:http.method} %{DATA:url.original} HTTP/%{NUMBER:http.version}" %{NUMBER:http.response.status_code:int} (?:%{NUMBER:http.response.body.bytes:int}|-)' + updated_at: '2025-01-15T10:30:00.000Z' + settings: {} + wired: fields: - agent_id: 16d7caf5-efd2-4212-9b62-73dafc91fa13 - rows_count: 5 - status: success - metadata: - executionCount: 3 - packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d - packName: My Pack - queryName: uptime - queryText: select * from uptime; - scheduleId: pack_my_pack_uptime - timestamp: '2024-07-26T09:00:00.000Z' - pageSize: 20 - total: 10 - totalPages: 1 - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_GetScheduledActionResultsResponse - description: Indicates a successful call. - summary: Get scheduled action results + client.ip: + type: ip + http.method: + type: keyword + http.response.body.bytes: + type: long + http.response.status_code: + type: long + url.original: + type: wildcard + routing: + - destination: logs.nginx.errors + status: enabled + where: + field: http.response.status_code + gte: 500 + description: Ingest settings for the stream. 
+ summary: Get ingest stream settings tags: - - Security Osquery API - x-state: Generally available; Added in 9.4.0 - /api/osquery/scheduled_results/{scheduleId}/{executionCount}/results: - get: - description: > - Get paginated query result rows (the actual osquery output data) for a - specific scheduled query execution. - operationId: OsqueryGetScheduledQueryResults + - streams + x-state: Experimental; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/streams/{name}/_ingest
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Upserts the ingest settings of an ingest stream definition

[Required authorization] Route required privileges: manage_stream. + operationId: put-streams-name-ingest parameters: - - description: The schedule ID of the scheduled query. - in: path - name: scheduleId + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: - description: The schedule ID of the scheduled query. - example: pack_my_pack_uptime + example: 'true' type: string - - description: The execution count for this scheduled query run. + - description: The name of the stream. in: path - name: executionCount + name: name required: true schema: - description: The execution count for this scheduled query run. - example: 3 - type: integer - - description: The kuery to filter the results by. - in: query - name: kuery - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' - - description: The page number to return. The default is 1. - in: query - name: page - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' - - description: The number of results to return per page. The default is 20. - in: query - name: pageSize - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' - - description: The field that is used to sort the results. 
- in: query - name: sort - required: false + type: string + requestBody: + content: + application/json: + examples: + upsertWiredIngest: + value: + ingest: + failure_store: + inherit: {} + lifecycle: + inherit: {} + processing: + steps: + - action: grok + from: message + ignore_missing: false + patterns: + - '%{IPORHOST:client.ip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:@timestamp}\] "%{WORD:http.method} %{DATA:url.original} HTTP/%{NUMBER:http.version}" %{NUMBER:http.response.status_code:int} (?:%{NUMBER:http.response.body.bytes:int}|-)' + settings: {} + wired: + fields: + client.ip: + type: ip + http.method: + type: keyword + http.response.body.bytes: + type: long + http.response.status_code: + type: long + url.original: + type: wildcard + routing: + - destination: logs.nginx.errors + status: enabled + where: + eq: '500' + field: http.response.status_code + schema: + additionalProperties: false + type: object + properties: + ingest: + anyOf: + - additionalProperties: false + type: object + properties: + failure_store: + $ref: '#/components/schemas/Kibana_HTTP_APIs_FailureStore' + lifecycle: + $ref: '#/components/schemas/Kibana_HTTP_APIs_IngestStreamLifecycle' + processing: + additionalProperties: false + type: object + properties: + steps: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamlangStep' + type: array + updated_at: {} + required: + - steps + settings: + additionalProperties: false + type: object + properties: + index.number_of_replicas: + additionalProperties: false + type: object + properties: + value: + type: number + required: + - value + index.number_of_shards: + additionalProperties: false + type: object + properties: + value: + type: number + required: + - value + index.refresh_interval: + additionalProperties: false + type: object + properties: + value: + anyOf: + - type: string + - enum: + - -1 + type: number + required: + - value + wired: + additionalProperties: false + type: object + properties: + draft: + type: boolean + fields: + 
$ref: '#/components/schemas/Kibana_HTTP_APIs_FieldDefinition' + routing: + items: + type: object + properties: + destination: + description: A non-empty string. + minLength: 1 + type: string + draft: + type: boolean + status: + enum: + - enabled + - disabled + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + required: + - destination + - where + type: array + required: + - fields + - routing + required: + - lifecycle + - processing + - settings + - failure_store + - wired + - additionalProperties: false + type: object + properties: + classic: + additionalProperties: false + type: object + properties: + field_overrides: + $ref: '#/components/schemas/Kibana_HTTP_APIs_ClassicFieldDefinition' + failure_store: + $ref: '#/components/schemas/Kibana_HTTP_APIs_FailureStore' + lifecycle: + $ref: '#/components/schemas/Kibana_HTTP_APIs_IngestStreamLifecycle' + processing: + additionalProperties: false + type: object + properties: + steps: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamlangStep' + type: array + updated_at: {} + required: + - steps + settings: + additionalProperties: false + type: object + properties: + index.number_of_replicas: + additionalProperties: false + type: object + properties: + value: + type: number + required: + - value + index.number_of_shards: + additionalProperties: false + type: object + properties: + value: + type: number + required: + - value + index.refresh_interval: + additionalProperties: false + type: object + properties: + value: + anyOf: + - type: string + - enum: + - -1 + type: number + required: + - value + required: + - lifecycle + - processing + - settings + - failure_store + - classic + required: + - ingest + responses: + '200': + description: The ingest settings were updated successfully. 
+ summary: Update ingest stream settings + tags: + - streams + x-state: Experimental; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + /api/streams/{name}/_query: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/streams/{name}/_query
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Fetches the query settings of a query stream definition

[Required authorization] Route required privileges: read_stream. + operationId: get-streams-name-query + parameters: + - description: The name of the query stream. + in: path + name: name + required: true schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' - - description: Specifies the sort order. - in: query - name: sortOrder - required: false + type: string + requestBody: + content: + application/json: + examples: {} + schema: + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} + responses: + '200': + description: Query settings for the stream. + summary: Get query stream settings + tags: + - streams + x-state: Experimental; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/streams/{name}/_query
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Upserts the query settings of a query stream definition

[Required authorization] Route required privileges: manage_stream. + operationId: put-streams-name-query + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' - - description: The start date filter (ISO 8601) to narrow down results. - in: query - name: startDate - required: false + example: 'true' + type: string + - description: The name of the query stream. + in: path + name: name + required: true schema: - description: The start date filter (ISO 8601) to narrow down results. - example: '2024-01-01T00:00:00Z' type: string + requestBody: + content: + application/json: + examples: + upsertQueryStream: + value: + query: + esql: FROM logs* | WHERE log.level == "error" | KEEP @timestamp, message, host.name, log.level + schema: + additionalProperties: false + type: object + properties: + field_descriptions: + additionalProperties: + type: string + type: object + query: + additionalProperties: false + type: object + properties: + esql: + type: string + required: + - esql + required: + - query responses: '200': - content: - application/json: - examples: - scheduledQueryResultsExample: - summary: Example scheduled query results response - value: - data: - edges: - - _id: row-001 - fields: - host.uptime: - - '12345' - - _id: row-002 - fields: - host.uptime: - - '67890' - total: 2 - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_GetScheduledQueryResultsResponse - description: Indicates a successful call. - summary: Get scheduled query results + description: The query stream settings were updated successfully. + summary: Upsert query stream settings tags: - - Security Osquery API - x-state: Generally available; Added in 9.4.0 - /api/pinned_event: - patch: - description: Pin/unpin an event to/from an existing Timeline. 
- operationId: PersistPinnedEventRoute + - streams + x-state: Experimental; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/streams/{name}/content/export: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/streams/{name}/content/export
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Exports the content associated to a stream.

[Required authorization] Route required privileges: manage_stream. + operationId: post-streams-name-content-export + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The name of the stream to export content from. + in: path + name: name + required: true + schema: + type: string requestBody: content: application/json: examples: - pinEvent: - summary: Pin an event + exportContent: value: - eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc - timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + description: Nginx stream content pack + include: + objects: + all: {} + name: nginx-pack + version: 1.0.0 schema: + additionalProperties: false type: object properties: - eventId: - description: The `_id` of the associated event for this pinned event. - example: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc + description: type: string - pinnedEventId: - description: The `savedObjectId` of the pinned event you want to unpin. - example: 10r1929b-0af7-42bd-85a8-56e234f98h2f3 - nullable: true + include: + $ref: '#/components/schemas/Kibana_HTTP_APIs_ContentPackIncludedObjects' + name: type: string - timelineId: - description: >- - The `savedObjectId` of the timeline that you want this - pinned event unpinned from. - example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + version: type: string required: - - eventId - - timelineId - description: The pinned event to add or unpin, along with additional metadata. 
- required: true + - name + - description + - version + - include responses: '200': - content: - application/json: - examples: - pinnedSaved: - summary: Pinned event saved object - value: - eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc - pinnedEventId: 10r1929b-0af7-42bd-85a8-56e234f98h2f3 - timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - version: WzQ2LDFe - unpinned: - summary: Unpin response - value: - unpinned: true - schema: - $ref: >- - #/components/schemas/Security_Timeline_API_PersistPinnedEventResponse - description: Indicates a successful call. - summary: Pin/unpin an event + description: Content pack archive for the stream. + summary: Export stream content tags: - - Security Timeline API - - access:securitySolution - /api/risk_score/engine/dangerously_delete_data: - delete: - description: >- - Cleaning up the the Risk Engine by removing the indices, mapping and - transforms - operationId: CleanUpRiskEngine + - streams + x-state: Experimental; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + /api/streams/{name}/content/import: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/streams/{name}/content/import
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Links content objects to a stream.

[Required authorization] Route required privileges: manage_stream. + operationId: post-streams-name-content-import + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The name of the stream to import content into. + in: path + name: name + required: true + schema: + type: string + requestBody: + content: + multipart/form-data: + examples: + importContent: + value: + content: + include: '{"objects":{"all":{}}}' + schema: + additionalProperties: false + type: object + properties: + content: {} + include: + type: string + required: + - include + - content + responses: + '200': + description: Content was imported into the stream successfully. + summary: Import content into a stream + tags: + - streams + x-state: Experimental; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + /api/streams/{name}/queries: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/streams/{name}/queries
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Fetches all queries linked to a stream that are visible to the current user in the current space.

[Required authorization] Route required privileges: read_stream. + operationId: get-streams-name-queries + parameters: + - description: The name of the stream. + in: path + name: name + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: {} + schema: + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} responses: '200': content: application/json: examples: - CleanUpRiskEngineResponse: - summary: Successful cleanup response - value: - cleanup_successful: true - schema: - type: object - properties: - cleanup_successful: - type: boolean - description: Successful response - '400': - content: - application/json: - examples: - taskManagerUnavailable: - summary: Task manager is unavailable - value: - message: >- - Task Manager is unavailable, but is required by the risk - engine. Please enable the taskManager plugin and try - again. - status_code: 400 - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse - description: Task manager is unavailable - default: - content: - application/json: - examples: - cleanupFailed: - summary: Cleanup failed + listQueries: value: - cleanup_successful: false - errors: - - error: Risk engine is disabled or deleted already. 
- seq: 1 - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_CleanUpRiskEngineErrorResponse - description: Unexpected error - summary: Cleanup the Risk Engine + queries: + - description: Count error-level log events grouped by host name + esql: + query: FROM logs.nginx | WHERE log.level == "error" | STATS count = COUNT(*) BY host.name + id: error-count-by-host + severity_score: 75 + title: Error count by host + type: match + - description: Requests with response time above 2 seconds + esql: + query: FROM logs.nginx | WHERE http.response_time > 2000 + id: high-latency-requests + severity_score: 50 + title: High latency requests + type: match + description: List of queries linked to the stream. + summary: Get stream queries tags: - - Security Entity Analytics API - /api/risk_score/engine/saved_object/configure: - patch: - description: Configuring the Risk Engine Saved Object - operationId: ConfigureRiskEngineSavedObject + - streams + x-state: Experimental; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + /api/streams/{name}/queries/_bulk: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/streams/{name}/queries/_bulk
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Bulk update queries of a stream. Can add new queries and delete existing ones.

[Required authorization] Route required privileges: manage_stream. + operationId: post-streams-name-queries-bulk + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The name of the stream. + in: path + name: name + required: true + schema: + type: string requestBody: content: application/json: examples: - ConfigureRiskEngineSavedObjectRequest: - summary: Configure the risk engine saved object + bulkQueries: value: - enable_reset_to_zero: false - exclude_alert_statuses: - - closed - exclude_alert_tags: - - low-priority - filters: - - entity_types: - - host - - user - filter: 'host.name: *' - range: - end: now - start: now-30d + operations: + - index: + description: Count error-level log events grouped by host name + esql: + query: FROM logs* | WHERE log.level == "error" | STATS count = COUNT(*) BY host.name + id: error-count-by-host + title: Error count by host + - delete: + id: old-query-id schema: + additionalProperties: false type: object properties: - enable_reset_to_zero: - type: boolean - exclude_alert_statuses: - items: - type: string - type: array - exclude_alert_tags: - items: - type: string - type: array - filters: + operations: items: - type: object - properties: - entity_types: - items: - enum: - - host - - user - - service - type: string - type: array - filter: - description: KQL filter string - type: string - required: - - entity_types - - filter + anyOf: + - type: object + properties: + index: + type: object + properties: + description: + default: '' + type: string + esql: + type: object + properties: + query: + type: string + required: + - query + evidence: + items: + type: string + type: array + id: + description: A non-empty string. + minLength: 1 + type: string + severity_score: + type: number + title: + description: A non-empty string. 
+ minLength: 1 + type: string + required: + - title + - esql + - id + required: + - index + - type: object + properties: + delete: + type: object + properties: + id: + type: string + required: + - id + required: + - delete type: array - page_size: - description: > - Number of entities to score per page. Higher values reduce - total scoring time by reducing the number of alert-index - scans, but cannot exceed the ES|QL result limit (10,000 by - default). - maximum: 10000 - minimum: 100 - type: integer - range: - type: object - properties: - end: - type: string - start: - type: string - required: true + required: + - operations responses: '200': - content: - application/json: - examples: - ConfigureRiskEngineSavedObjectResponse: - summary: Successful configuration response - value: - risk_engine_saved_object_configured: true - schema: - type: object - properties: - risk_engine_saved_object_configured: - type: boolean - description: Successful response - '400': - content: - application/json: - examples: - taskManagerUnavailable: - summary: Task manager is unavailable - value: - message: >- - Task Manager is unavailable, but is required by the risk - engine. Please enable the taskManager plugin and try - again. - status_code: 400 - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse - description: Task manager is unavailable - default: - content: - application/json: - examples: - configureError: - summary: Configure saved object failed - value: - errors: - - error: Internal server error - seq: 1 - risk_engine_saved_object_configured: false - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_ConfigureRiskEngineSavedObjectErrorResponse - description: Unexpected error - summary: Configure the Risk Engine Saved Object + description: Bulk operation completed successfully. 
+ summary: Bulk update queries tags: - - Security Entity Analytics API - /api/risk_score/engine/schedule_now: - post: - description: >- - Schedule the risk scoring engine to run as soon as possible. You can use - this to recalculate entity risk scores after updating their asset - criticality. - operationId: ScheduleRiskEngineNow + - streams + x-state: Experimental; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + /api/streams/{name}/queries/{queryId}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/streams/{name}/queries/{queryId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Remove a query from a stream. Noop if the query is not found on the stream.

[Required authorization] Route required privileges: manage_stream. + operationId: delete-streams-name-queries-queryid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The name of the stream. + in: path + name: name + required: true + schema: + type: string + - description: The identifier of the query to remove. + in: path + name: queryId + required: true + schema: + type: string requestBody: content: application/json: - examples: - emptyRequest: - summary: No request body - value: {} + examples: {} schema: - type: object + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} responses: '200': - content: - application/json: - examples: - ScheduleRiskEngineNowResponse: - summary: Successful schedule response - value: - success: true - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_RiskEngineScheduleNowResponse - description: Successful response - '400': - content: - application/json: - examples: - taskManagerUnavailable: - summary: Task manager is unavailable - value: - message: >- - Task Manager is unavailable, but is required by the risk - engine. Please enable the taskManager plugin and try - again. - status_code: 400 - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse - description: Task manager is unavailable - default: - content: - application/json: - examples: - scheduleNowError: - summary: Schedule now failed - value: - full_error: '{}' - message: Internal server error - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_RiskEngineScheduleNowErrorResponse - description: Unexpected error - summary: Run the risk scoring engine + description: The query was removed successfully. 
+ summary: Remove a query from a stream tags: - - Security Entity Analytics API - /api/security_ai_assistant/anonymization_fields/_bulk_action: - post: - description: >- - Apply a bulk action to multiple anonymization fields. The bulk action is - applied to all anonymization fields that match the filter or to the list - of anonymization fields by their IDs. - operationId: PerformAnonymizationFieldsBulkAction + - streams + x-state: Experimental; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/streams/{name}/queries/{queryId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Adds a query to a stream. Noop if the query is already present on the stream.

[Required authorization] Route required privileges: manage_stream. + operationId: put-streams-name-queries-queryid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The name of the stream. + in: path + name: name + required: true + schema: + type: string + - description: The identifier of the query. + in: path + name: queryId + required: true + schema: + type: string requestBody: content: application/json: examples: - PerformAnonymizationFieldsBulkActionRequest: + upsertQuery: value: - create: - - allowed: true - anonymized: false - field: host.name - - allowed: false - anonymized: true - field: user.name - delete: - ids: - - field5 - - field6 - query: 'field: host.name' - update: - - allowed: true - anonymized: false - id: field8 - - allowed: false - anonymized: true - id: field9 + description: Count error-level log events grouped by host name + esql: + query: FROM logs* | WHERE log.level == "error" | STATS count = COUNT(*) BY host.name + title: Error count by host schema: - example: - create: - - allowed: true - anonymized: false - field: host.name - - allowed: false - anonymized: true - field: user.name - delete: - ids: - - field5 - - field6 - query: 'field: host.name' - update: - - allowed: true - anonymized: false - id: field8 - - allowed: false - anonymized: true - id: field9 + additionalProperties: false type: object properties: - create: - description: Array of anonymization fields to create. - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldCreateProps - type: array - delete: - description: >- - Object containing the query to filter anonymization fields - and/or an array of anonymization field IDs to delete. + description: + default: '' + type: string + esql: + additionalProperties: false type: object properties: - ids: - description: Array of IDs to apply the action to. 
- example: - - '1234' - - '5678' - items: - type: string - minItems: 1 - type: array query: - description: Query to filter the bulk action. - example: 'status: ''inactive''' type: string - update: - description: Array of anonymization fields to update. + required: + - query + evidence: items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldUpdateProps - type: array - responses: - '200': - content: - application/json: - examples: - PerformAnonymizationFieldsBulkActionResponse200Example: - value: - anonymization_fields_count: 4 - attributes: - results: - created: - - allowed: false - anonymized: true - createdAt: '2023-10-31T12:00:00Z' - createdBy: user1 - field: host.name - id: field2 - namespace: default - timestamp: '2023-10-31T12:00:00Z' - updatedAt: '2023-10-31T12:00:00Z' - updatedBy: user1 - deleted: - - field3 - skipped: - - id: field4 - name: user.name - skip_reason: ANONYMIZATION_FIELD_NOT_MODIFIED - updated: - - allowed: true - anonymized: false - createdAt: '2023-10-31T12:00:00Z' - createdBy: user1 - field: url.domain - id: field8 - namespace: default - timestamp: '2023-10-31T12:00:00Z' - updatedAt: '2023-10-31T12:00:00Z' - updatedBy: user1 - summary: - failed: 0 - skipped: 1 - succeeded: 3 - total: 4 - message: Bulk action completed successfully - status_code: 200 - success: true - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResponse - description: Indicates a successful call. - '400': - content: - application/json: - examples: - PerformAnonymizationFieldsBulkActionResponse400Example: - value: - error: Bad Request - message: Invalid request body - statusCode: 400 - schema: - type: object - properties: - error: - description: Error type or name. - type: string - message: - description: Detailed error message. type: string - statusCode: - description: Status code of the response. - type: number - description: Bad Request response. 
- summary: Apply a bulk action to anonymization fields + type: array + severity_score: + type: number + title: + description: A non-empty string. + minLength: 1 + type: string + required: + - title + - esql + responses: + '200': + description: The query was added or updated successfully. + summary: Upsert a query to a stream tags: - - Security AI Assistant API - - Bulk API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request POST 'http://localhost:5601/api/security_ai_assistant/anonymization_fields/_bulk_action' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" \ - --data '{"create":[{"field":"host.name","allowed":true,"anonymized":false}]}' - /api/security_ai_assistant/anonymization_fields/_find: + - streams + x-state: Experimental; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + /api/streams/{name}/significant_events: get: - description: Get a list of all anonymization fields. - operationId: FindAnonymizationFields + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/streams/{name}/significant_events
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Read the significant events

[Required authorization] Route required privileges: read_stream. + operationId: get-streams-name-significant-events parameters: - - description: Fields to return - example: - - id - - field - - anonymized - - allowed - in: query - name: fields - required: false - schema: - items: - type: string - type: array - - description: Search query - example: 'field: "user.name"' - in: query - name: filter - required: false + - description: The name of the stream. + in: path + name: name + required: true schema: type: string - - description: Field to sort by - example: created_at + - description: Start of the time range as an ISO 8601 date string. in: query - name: sort_field - required: false + name: from + required: true schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_FindAnonymizationFieldsSortField - - description: Sort order - example: asc + type: string + - description: End of the time range as an ISO 8601 date string. in: query - name: sort_order - required: false + name: to + required: true schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' - - description: Page number - example: 1 + type: string + - description: The bucket size for aggregating events (e.g. "1m", "1h"). in: query - name: page - required: false + name: bucketSize + required: true schema: - default: 1 - minimum: 1 - type: integer - - description: AnonymizationFields per page - example: 20 + pattern: ^(\d+)([smhd])$ + type: string + - description: Query string to filter significant events on metadata fields in: query - name: per_page + name: query required: false schema: - default: 20 - minimum: 0 - type: integer - - description: >- - If true, additionally fetch all anonymization fields, otherwise - fetch only the provided page + type: string + - description: 'Search mode: keyword (BM25), semantic (vector), or hybrid (RRF). When omitted, defaults to hybrid with a silent keyword fallback on failure. When set explicitly, failures propagate as errors.' 
in: query - name: all_data + name: searchMode required: false schema: - type: boolean + enum: + - keyword + - semantic + - hybrid + type: string + requestBody: + content: + application/json: + examples: {} + schema: + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} responses: '200': content: application/json: examples: - FindAnonymizationFieldsResponse200Example: - value: - aggregations: - field_status: - buckets: - allowed: - doc_count: 1 - anonymized: - doc_count: 1 - denied: - doc_count: 1 - all: - - allowed: true - anonymized: true - createdAt: '2023-10-31T12:00:00Z' - createdBy: user1 - field: user.name - id: '1' - namespace: default - timestamp: '2023-10-31T12:00:00Z' - updatedAt: '2023-10-31T12:00:00Z' - updatedBy: user1 - data: - - allowed: true - anonymized: true - createdAt: '2023-10-31T12:00:00Z' - createdBy: user1 - field: user.name - id: '1' - namespace: default - timestamp: '2023-10-31T12:00:00Z' - updatedAt: '2023-10-31T12:00:00Z' - updatedBy: user1 - page: 1 - perPage: 20 - total: 100 - schema: - type: object - properties: - aggregations: - type: object - properties: - field_status: - type: object - properties: - buckets: - type: object - properties: - allowed: - type: object - properties: - doc_count: - default: 0 - type: integer - anonymized: - type: object - properties: - doc_count: - default: 0 - type: integer - denied: - type: object - properties: - doc_count: - default: 0 - type: integer - all: - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse - type: array - data: - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse - type: array - page: - type: integer - perPage: - type: integer - total: - type: integer - required: - - page - - perPage - - total - - data - description: Indicates a successful call. 
- '400': - content: - application/json: - examples: - FindAnonymizationFieldsResponse400Example: + significantEvents: value: - error: Bad Request - message: Invalid request parameters - statusCode: 400 - schema: - type: object - properties: - error: - type: string - message: - type: string - statusCode: - type: number - description: Bad Request response. - summary: Get anonymization fields + aggregated_occurrences: + - count: 42 + date: '2025-01-15T10:00:00.000Z' + - count: 18 + date: '2025-01-15T11:00:00.000Z' + - count: 7 + date: '2025-01-15T12:00:00.000Z' + significant_events: + - change_points: + type: + spike: + change_point: 1 + p_value: 0.002 + description: Count error-level log events grouped by host name + esql: + query: FROM logs.nginx | WHERE log.level == "error" | STATS count = COUNT(*) BY host.name + id: error-count-by-host + occurrences: + - count: 42 + date: '2025-01-15T10:00:00.000Z' + - count: 18 + date: '2025-01-15T11:00:00.000Z' + - count: 7 + date: '2025-01-15T12:00:00.000Z' + rule_backed: false + severity_score: 75 + stream_name: logs.nginx + title: Error count by host + type: match + description: Significant events for the stream. + summary: Read the significant events tags: - - Security AI Assistant API - - AnonymizationFields API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request GET 'http://localhost:5601/api/security_ai_assistant/anonymization_fields/_find?page=1&per_page=20' \ - --header "Authorization: $API_KEY" - /api/security_ai_assistant/chat/complete: + - streams + x-state: Experimental; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + /api/streams/{name}/significant_events/_generate: post: - description: Create a model response for the given chat conversation. - operationId: ChatComplete + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/streams/{name}/significant_events/_generate
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Generate significant events queries based on the stream data

[Required authorization] Route required privileges: read_stream. + operationId: post-streams-name-significant-events-generate parameters: - - description: If true, the response will not include content references. - example: false + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The name of the stream. + in: path + name: name + required: true + schema: + type: string + - description: Optional connector ID. If not provided, the default AI connector from settings will be used. in: query - name: content_references_disabled + name: connectorId required: false schema: - default: false - type: boolean + type: string + - description: Start of the time range as an ISO 8601 date string. + in: query + name: from + required: true + schema: + type: string + - description: End of the time range as an ISO 8601 date string. + in: query + name: to + required: true + schema: + type: string + - description: Number of sample documents to use for generation from the current data of stream + in: query + name: sampleDocsSize + required: false + schema: + type: number + requestBody: + content: + application/json: + examples: {} + schema: + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} + responses: + '200': + description: Generated significant event query definitions. + summary: Generate significant events + tags: + - streams + x-state: Experimental; added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + /api/streams/{name}/significant_events/_preview: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/streams/{name}/significant_events/_preview
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Preview significant event results based on a given query

[Required authorization] Route required privileges: read_stream. + operationId: post-streams-name-significant-events-preview + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The name of the stream. + in: path + name: name + required: true + schema: + type: string + - description: Start of the time range as an ISO 8601 date string. + in: query + name: from + required: true + schema: + type: string + - description: End of the time range as an ISO 8601 date string. + in: query + name: to + required: true + schema: + type: string + - description: The bucket size for aggregating events (e.g. "1m", "1h"). + in: query + name: bucketSize + required: true + schema: + pattern: ^(\d+)([smhd])$ + type: string requestBody: content: application/json: examples: - ChatCompleteRequest: + previewSignificantEvents: value: - connectorId: conn-001 - conversationId: abc123 - isStream: true - langSmithApiKey: - langSmithProject: security_ai_project - messages: - - content: What are some common phishing techniques? - data: - user_id: user_789 - fields_to_anonymize: - - user.name - - source.ip - role: user - model: gpt-4 - persist: true - promptId: prompt_456 - responseLanguage: en + query: + esql: + query: FROM logs.nginx | WHERE log.level == "error" | STATS count = COUNT(*) BY host.name schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_ChatCompleteProps' - required: true + additionalProperties: false + type: object + properties: + query: + additionalProperties: false + type: object + properties: + esql: + additionalProperties: false + type: object + properties: + query: + type: string + required: + - query + required: + - esql + required: + - query + responses: + '200': + description: Significant event preview results. 
+ summary: Preview significant events + tags: + - streams + x-state: Experimental; added in 9.1.0 + x-metaTags: + - content: Kibana + name: product_name + /api/streams/{streamName}/attachments: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/streams/{streamName}/attachments
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Fetches all attachments linked to a stream that are visible to the current user in the current space. Optionally filter by attachment types, search query, and tags.

[Required authorization] Route required privileges: read_stream. + operationId: get-streams-streamname-attachments + parameters: + - description: The name of the stream + in: path + name: streamName + required: true + schema: + type: string + - description: Search query to filter attachments by title + in: query + name: query + required: false + schema: + type: string + - description: Filter by attachment types (single value or array) + in: query + name: attachmentTypes + required: false + schema: + items: + enum: + - dashboard + - rule + - slo + type: string + type: array + - description: Filter by tags (single value or array) + in: query + name: tags + required: false + schema: + items: + type: string + type: array + requestBody: + content: + application/json: + examples: + listAttachmentsExample: + value: {} + schema: + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} responses: '200': - content: - application/octet-stream: - examples: - ChatCompleteResponse200Example: - value: (streaming binary response) - schema: - format: binary - type: string - description: Indicates a successful model response call. - '400': content: application/json: examples: - ChatCompleteResponse400Example: + listAttachmentsResponse: value: - error: Bad Request - message: Invalid request payload. - statusCode: 400 - schema: - type: object - properties: - error: - description: Error type. - example: Bad Request - type: string - message: - description: Human-readable error message. - example: Invalid request payload. - type: string - statusCode: - description: HTTP status code. - example: 400 - type: number - description: Bad Request response. 
- summary: Create a model response + attachments: + - createdAt: '2023-02-23T16:15:47.275Z' + description: Dashboard for monitoring production services + id: dashboard-123 + streamNames: + - logs.awsfirehose + - logs.nginx + tags: + - monitoring + - production + title: My Dashboard + type: dashboard + updatedAt: '2023-03-24T14:39:17.636Z' + description: Successfully retrieved attachments + summary: Get stream attachments tags: - - Security AI Assistant API - - Chat Complete API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request POST 'http://localhost:5601/api/security_ai_assistant/chat/complete' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" \ - --data '{"connectorId":"conn-001","persist":true,"messages":[{"role":"user","content":"What are common phishing techniques?"}]}' - /api/security_ai_assistant/current_user/conversations: - delete: - description: This endpoint allows users to permanently delete all conversations. - operationId: DeleteAllConversations + - streams + x-state: Experimental; added in 9.3.0 + x-metaTags: + - content: Kibana + name: product_name + /api/streams/{streamName}/attachments/_bulk: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/streams/{streamName}/attachments/_bulk
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Bulk update attachments linked to a stream. Can link new attachments and delete existing ones. Supports mixed attachment types in a single request.

[Required authorization] Route required privileges: manage_stream. + operationId: post-streams-streamname-attachments-bulk + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The name of the stream + in: path + name: streamName + required: true + schema: + type: string requestBody: content: application/json: examples: - DeleteAllConversationsRequest: + bulkAttachmentsExample: value: - excludedIds: - - abc123 - - def456 + operations: + - index: + id: dashboard-123 + type: dashboard + - delete: + id: rule-456 + type: rule schema: + additionalProperties: false type: object properties: - excludedIds: - description: Optional list of conversation IDs to delete. - example: - - abc123 - - def456 + operations: items: - type: string + anyOf: + - type: object + properties: + index: + type: object + properties: + id: + type: string + type: + enum: + - dashboard + - rule + - slo + type: string + required: + - id + - type + required: + - index + - type: object + properties: + delete: + type: object + properties: + id: + type: string + type: + enum: + - dashboard + - rule + - slo + type: string + required: + - id + - type + required: + - delete type: array - required: false + required: + - operations responses: '200': content: application/json: examples: - DeleteAllConversationsResponse200Example: + bulkAttachmentsResponse: value: - failures: [] - success: true - totalDeleted: 10 - schema: - type: object - properties: - failures: - items: - type: string - type: array - success: - example: true - type: boolean - totalDeleted: - example: 10 - type: number - description: >- - Indicates a successful call. The conversations were deleted - successfully. 
- '400': + acknowledged: true + description: Successfully performed bulk operations + summary: Bulk update attachments + tags: + - streams + x-state: Experimental; added in 9.3.0 + x-metaTags: + - content: Kibana + name: product_name + /api/streams/{streamName}/attachments/{attachmentType}/{attachmentId}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/streams/{streamName}/attachments/{attachmentType}/{attachmentId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Unlinks an attachment from a stream. Noop if the attachment is not linked to the stream.

[Required authorization] Route required privileges: manage_stream. + operationId: delete-streams-streamname-attachments-attachmenttype-attachmentid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The name of the stream + in: path + name: streamName + required: true + schema: + type: string + - description: The type of the attachment + in: path + name: attachmentType + required: true + schema: + enum: + - dashboard + - rule + - slo + type: string + - description: The ID of the attachment + in: path + name: attachmentId + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + unlinkAttachmentExample: + value: {} + schema: + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} + responses: + '200': content: application/json: examples: - DeleteAllConversationsResponse400Example: + unlinkAttachmentResponse: value: - error: Bad Request - message: Invalid conversation ID - statusCode: 400 - schema: - type: object - properties: - error: - example: Bad Request - type: string - message: - example: Invalid conversation ID - type: string - statusCode: - example: 400 - type: number - description: Bad Request response. - summary: Delete conversations + acknowledged: true + description: Successfully unlinked attachment + summary: Unlink an attachment from a stream tags: - - Security AI Assistant API - - Conversation API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request DELETE 'http://localhost:5601/api/security_ai_assistant/current_user/conversations' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" \ - --data '{"excludedIds":["abc123"]}' - post: - description: >- - Create a new Security AI Assistant conversation. 
This endpoint allows - the user to initiate a conversation with the Security AI Assistant by - providing the required parameters. - operationId: CreateConversation + - streams + x-state: Experimental; added in 9.3.0 + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/streams/{streamName}/attachments/{attachmentType}/{attachmentId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Links an attachment to a stream. Noop if the attachment is already linked to the stream.

[Required authorization] Route required privileges: manage_stream. + operationId: put-streams-streamname-attachments-attachmenttype-attachmentid + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The name of the stream + in: path + name: streamName + required: true + schema: + type: string + - description: The type of the attachment + in: path + name: attachmentType + required: true + schema: + enum: + - dashboard + - rule + - slo + type: string + - description: The ID of the attachment + in: path + name: attachmentId + required: true + schema: + type: string requestBody: content: application/json: examples: - CreateConversationRequest: - value: - apiConfig: - actionTypeId: '67890' - connectorId: '12345' - category: assistant - excludeFromLastConversationStorage: false - messages: - - content: Hello, how can I assist you today? - role: system - timestamp: '2023-10-31T12:00:00Z' - replacements: {} - title: Security Discussion + linkAttachmentExample: + value: {} schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_ConversationCreateProps - required: true + anyOf: + - additionalProperties: false + type: object + properties: {} + - nullable: true + - {} responses: '200': content: application/json: examples: - CreateConversationResponse200Example: + linkAttachmentResponse: value: - apiConfig: - actionTypeId: '67890' - connectorId: '12345' - category: assistant - createdAt: '2023-10-31T12:01:00Z' - createdBy: - id: user1 - name: John Doe - excludeFromLastConversationStorage: false - id: abc123 - messages: - - content: Hello, how can I assist you today? 
- role: system - timestamp: '2023-10-31T12:00:00Z' - namespace: default - replacements: {} - title: Security Discussion - updatedAt: '2023-10-31T12:01:00Z' - users: - - id: user1 - name: John Doe - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_ConversationResponse - description: >- - Indicates a successful call. The conversation was created - successfully. - '400': + acknowledged: true + description: Successfully linked attachment + summary: Link an attachment to a stream + tags: + - streams + x-state: Experimental; added in 9.3.0 + x-metaTags: + - content: Kibana + name: product_name + /api/synthetics/monitor/test/{monitorId}: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/synthetics/monitor/test/{monitorId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Trigger an immediate test execution for the specified monitor. The response includes the generated `testRunId`. If the test encounters issues in one or more service locations, an `errors` array is also returned with details about the failures. + operationId: post-synthetics-monitor-test + parameters: + - description: The ID (config_id) of the monitor to test. + in: path + name: monitorId + required: true + schema: + type: string + responses: + '200': content: application/json: examples: - CreateConversationResponse400Example: - value: - error: Bad Request - message: 'Missing required parameter: title' - statusCode: 400 + testNowMonitorResponseExample1: + value: |- + { + "testRunId": "2bd506e5-4f9a-4aa6-a019-7988500afba0", + "errors": [ + { + "locationId": "us_central_staging", + "error": { + "status": 401, + "reason": "no auth credentials provided", + "failed_monitors": null + } + } + ] + } schema: type: object properties: - error: - example: Bad Request - type: string - message: - example: 'Missing required parameter: title' + errors: + description: Array of errors encountered while triggering the test, one per service location. + items: + type: object + properties: + error: + type: object + properties: + failed_monitors: + description: Optional list of monitors that failed at the location. + items: + type: object + nullable: true + type: array + reason: + description: Human-readable explanation of the failure. + type: string + status: + description: HTTP status code returned by the agent. + type: integer + required: + - status + - reason + - failed_monitors + locationId: + description: Identifier of the service location where the error occurred. + type: string + required: + - locationId + - error + type: array + testRunId: + description: Unique identifier for the triggered test run. 
type: string - statusCode: - example: 400 - type: number - description: Bad Request response. - summary: Create a conversation + required: + - testRunId + description: Test run triggered successfully. + '404': + description: Monitor not found. + summary: Trigger an on-demand test run for a monitor tags: - - Security AI Assistant API - - Conversation API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request POST 'http://localhost:5601/api/security_ai_assistant/current_user/conversations' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" \ - --data '{"title":"Security Discussion","category":"assistant","messages":[{"content":"Hello","role":"system","timestamp":"2023-10-31T12:00:00Z"}],"apiConfig":{"connectorId":"12345","actionTypeId":"67890"},"replacements":{},"excludeFromLastConversationStorage":false}' - /api/security_ai_assistant/current_user/conversations/_find: + - synthetics + x-state: Generally available; added in 9.2.0 + x-metaTags: + - content: Kibana + name: product_name + /api/synthetics/monitors: get: - description: >- - Get a list of all conversations for the current user. This endpoint - allows users to search, filter, sort, and paginate through their - conversations. - operationId: FindConversations + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/synthetics/monitors
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of monitors. + You must have `read` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges. + operationId: get-synthetic-monitors parameters: - - description: >- - A list of fields to include in the response. If omitted, all fields - are returned. - in: query - name: fields - required: false - schema: - example: - - id - - title - - createdAt - items: - type: string - type: array - - description: >- - A search query to filter the conversations. Can match against - titles, messages, or other conversation attributes. + - description: Additional filtering criteria. in: query name: filter - required: false schema: - example: Security Issue type: string - - description: >- - The field by which to sort the results. Valid fields are - `created_at`, `title`, and `updated_at`. + - description: The locations to filter by. in: query - name: sort_field - required: false + name: locations schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_FindConversationsSortField - example: created_at - - description: >- - The order in which to sort the results. Can be either `asc` for - ascending or `desc` for descending. + oneOf: + - type: string + - items: + type: string + type: array + - description: The monitor types to filter. in: query - name: sort_order - required: false + name: monitorTypes schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' - example: desc - - description: The page number of the results to retrieve. Default is 1. + oneOf: + - enum: + - browser + - http + - icmp + - tcp + type: string + - items: + enum: + - browser + - http + - icmp + - tcp + type: string + type: array + - description: The page number for paginated results. 
in: query name: page - required: false schema: - default: 1 - example: 1 - minimum: 1 type: integer - - description: The number of conversations to return per page. Default is 20. + - description: The number of items to return per page. in: query name: per_page - required: false schema: - default: 20 - example: 20 - minimum: 0 type: integer - - description: >- - Whether to return conversations that the current user owns. If true, - only conversations owned by the user are returned. + - description: The projects to filter by. in: query - name: is_owner - required: false + name: projects schema: - default: false - example: true - type: boolean + oneOf: + - type: string + - items: + type: string + type: array + - description: A free-text query string. + in: query + name: query + schema: + type: string + - description: The schedules to filter by. + in: query + name: schedules + schema: + oneOf: + - items: + type: string + type: array + - type: string + - description: The field to sort the results by. + in: query + name: sortField + schema: + enum: + - name + - createdAt + - updatedAt + - status + type: string + - description: The sort order. + in: query + name: sortOrder + schema: + enum: + - asc + - desc + type: string + - description: The status to filter by. + in: query + name: status + schema: + oneOf: + - items: + type: string + type: array + - type: string + - description: Tags to filter monitors. + in: query + name: tags + schema: + oneOf: + - type: string + - items: + type: string + type: array + - description: | + Specifies whether to apply logical AND filtering for specific fields. Accepts either a string with values "tags" or "locations" or an array containing both. 
+ in: query + name: useLogicalAndFor + schema: + oneOf: + - enum: + - tags + - locations + type: string + - items: + enum: + - tags + - locations + type: string + type: array responses: '200': content: application/json: examples: - FindConversationsResponse200Example: - value: - data: - - category: assistant - createdAt: '2023-10-31T12:00:00Z' - createdBy: - id: user1 - name: John Doe - excludeFromLastConversationStorage: false - id: conv-abc123 - messages: [] - namespace: default - replacements: {} - title: Security Discussion - updatedAt: '2023-10-31T12:05:00Z' - users: - - id: user1 - name: John Doe - page: 1 - perPage: 20 - total: 5 + getSyntheticMonitorsResponseExample1: + description: A successful response from `GET /api/synthetics/monitors?tags=prod&monitorTypes=http&locations=us-east-1&projects=project1&status=up`. + value: |- + { + "page": 1, + "total": 24, + "monitors": [ + { + "type": "icmp", + "enabled": false, + "alert": { + "status": { + "enabled": true + }, + "tls": { + "enabled": true + } + }, + "schedule": { + "number": "3", + "unit": "m" + }, + "config_id": "e59142e5-1fe3-4aae-b0b0-19d6345e65a1", + "timeout": "16", + "name": "8.8.8.8:80", + "locations": [ + { + "id": "us_central", + "label": "North America - US Central", + "geo": { + "lat": 41.25, + "lon": -95.86 + }, + "isServiceManaged": true + } + ], + "namespace": "default", + "origin": "ui", + "id": "e59142e5-1fe3-4aae-b0b0-19d6345e65a1", + "max_attempts": 2, + "wait": "7", + "revision": 3, + "mode": "all", + "ipv4": true, + "ipv6": true, + "created_at": "2023-11-07T09:57:04.152Z", + "updated_at": "2023-12-04T19:19:34.039Z", + "host": "8.8.8.8:80" + } + ], + "absoluteTotal": 24, + "perPage": 10, + } schema: type: object - properties: - data: - description: A list of conversations. + description: A successful response. 
+ summary: Get monitors + tags: + - synthetics + x-metaTags: + - content: Kibana + name: product_name + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/synthetics/monitors
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new monitor with the specified attributes. A monitor can be one of the following types: HTTP, TCP, ICMP, or Browser. The required and default fields may vary based on the monitor type. + You must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges. + operationId: post-synthetic-monitors + requestBody: + content: + application/json: + examples: + postSyntheticMonitorsRequestExample1: + description: Create an HTTP monitor to check a website's availability. + summary: HTTP monitor + value: |- + { + "type": "http", + "name": "Website Availability", + "url": "https://example.com", + "tags": ["website", "availability"], + "locations": ["united_kingdom"] + } + postSyntheticMonitorsRequestExample2: + description: Create a TCP monitor to monitor a server's availability. + summary: TCP monitor + value: |- + { + "type": "tcp", + "name": "Server Availability", + "host": "example.com", + "private_locations": ["my_private_location"] + } + postSyntheticMonitorsRequestExample3: + description: Create an ICMP monitor to perform ping checks. + summary: ICMP monitor + value: |- + { + "type": "icmp", + "name": "Ping Test", + "host": "example.com", + "locations": ["united_kingdom"] + } + postSyntheticMonitorsRequestExample4: + description: Create a browser monitor to check a website. + summary: Browser monitor + value: |- + { + "type": "browser", + "name": "Example journey", + "inline_script": "step('Go to https://google.com.co', () => page.goto('https://www.google.com'))", + "locations": ["united_kingdom"] + } + schema: + description: | + The request body should contain the attributes of the monitor you want to create. The required and default fields differ depending on the monitor type. 
+ discriminator: + propertyName: type + oneOf: + - $ref: '#/components/schemas/Synthetics_browserMonitorFields' + - $ref: '#/components/schemas/Synthetics_httpMonitorFields' + - $ref: '#/components/schemas/Synthetics_icmpMonitorFields' + - $ref: '#/components/schemas/Synthetics_tcpMonitorFields' + required: true + responses: + '200': + content: + application/json: + examples: + postSyntheticMonitorsResponseWithWarning: + description: A response when a browser monitor specifies a timeout but has no private locations. + summary: Response with warning + value: |- + { + "type": "browser", + "name": "Example journey", + "enabled": true, + "warnings": [ + { + "id": "monitor-id", + "message": "For browser monitors, timeout is only supported on private locations. Browser monitor \"Example journey\" specifies a timeout and is running on public locations: \"public-1, public-2\". The timeout will have no effect on these locations.", + "publicLocationIds": ["public-1", "public-2"] + } + ] + } + schema: + type: object + properties: + warnings: + description: | + An optional array of warnings about the monitor configuration. items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_ConversationResponse + $ref: '#/components/schemas/Synthetics_monitorWarning' type: array - page: - description: The current page of the results. - example: 1 - type: integer - perPage: - description: The number of results returned per page. - example: 20 - type: integer - total: - description: >- - The total number of conversations matching the filter - criteria. - example: 100 - type: integer - required: - - page - - perPage - - total - - data - description: >- - Successful response, returns a paginated list of conversations - matching the specified criteria. + description: | + A successful response. The response may include a `warnings` array when the monitor configuration has non-critical issues. 
For example, if a browser monitor specifies a timeout but has no private locations configured, a warning is returned indicating the timeout will have no effect. '400': content: application/json: examples: - FindConversationsResponse400Example: - value: - error: Bad Request - message: Invalid filter parameter. - statusCode: 400 + invalidBrowserTimeout: + description: A 400 error when a browser monitor timeout is below 30 seconds. + summary: Invalid browser timeout + value: |- + { + "statusCode": 400, + "error": "Bad Request", + "message": "Browser Monitor timeout is invalid", + "attributes": { + "details": "Invalid timeout 20 seconds supplied. Minimum timeout for browser monitors is 30 seconds." + } + } schema: type: object properties: + attributes: + type: object + properties: + details: + example: Invalid timeout 20 seconds supplied. Minimum timeout for browser monitors is 30 seconds. + type: string error: example: Bad Request type: string message: - example: Invalid filter query parameter + example: Browser Monitor timeout is invalid type: string statusCode: example: 400 - type: number - description: Bad Request response. - summary: Get conversations + type: integer + description: | + Bad request. For browser monitors, a 400 error is returned if the timeout is less than 30 seconds. + summary: Create a monitor tags: - - Security AI Assistant API - - Conversations API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request GET 'http://localhost:5601/api/security_ai_assistant/current_user/conversations/_find?page=1&per_page=20' \ - --header "Authorization: $API_KEY" - /api/security_ai_assistant/current_user/conversations/{id}: + - synthetics + x-metaTags: + - content: Kibana + name: product_name + /api/synthetics/monitors/_bulk_delete: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/synthetics/monitors/_bulk_delete
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete multiple monitors by sending a list of config IDs. + operationId: delete-synthetic-monitors + requestBody: + content: + application/json: + examples: + bulkDeleteRequestExample1: + description: Run `POST /api/synthetics/monitors/_bulk_delete` to delete a list of monitors. + value: |- + { + "ids": [ + "monitor1-id", + "monitor2-id" + ] + } + schema: + type: object + properties: + ids: + description: An array of monitor IDs to delete. + items: + type: string + type: array + required: + - ids + required: true + responses: + '200': + content: + application/json: + examples: + deleteMonitorsResponseExample1: + description: A response from successfully deleting multiple monitors. + value: |- + [ + { + "id": "monitor1-id", + "deleted": true + }, + { + "id": "monitor2-id", + "deleted": true + } + ] + schema: + items: + description: The API response includes information about the deleted monitors. + type: object + properties: + deleted: + description: | + If it is `true`, the monitor was successfully deleted If it is `false`, the monitor was not deleted. + type: boolean + ids: + description: The unique identifier of the deleted monitor. + type: string + type: array + description: A successful response. + summary: Delete monitors + tags: + - synthetics + x-metaTags: + - content: Kibana + name: product_name + /api/synthetics/monitors/{id}: delete: - description: >- - Delete an existing conversation using the conversation ID. This endpoint - allows users to permanently delete a conversation. - operationId: DeleteConversation + description: | + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/synthetics/monitors/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a monitor from the Synthetics app. + You must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges. + operationId: delete-synthetic-monitor parameters: - - description: The conversation's `id` value. - example: abc123 + - description: The identifier for the monitor that you want to delete. in: path name: id required: true schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + type: string + responses: + '200': + description: OK + summary: Delete a monitor + tags: + - synthetics + x-metaTags: + - content: Kibana + name: product_name + get: + operationId: get-synthetic-monitor + parameters: + - description: The ID of the monitor. + in: path + name: id + required: true + schema: + type: string responses: '200': content: application/json: examples: - DeleteConversationResponse200Example: - value: - apiConfig: - actionTypeId: '67890' - connectorId: '12345' - category: assistant - createdAt: '2023-10-31T12:01:00Z' - createdBy: - id: user1 - name: John Doe - excludeFromLastConversationStorage: false - id: abc123 - messages: - - content: The conversation has been deleted. - role: system - timestamp: '2023-10-31T12:35:00Z' - namespace: default - replacements: {} - title: Deleted Security Discussion - updatedAt: '2023-10-31T12:01:00Z' - users: - - id: user1 - name: John Doe - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_ConversationResponse - description: >- - Indicates a successful call. The conversation was deleted - successfully. - '400': - content: - application/json: - examples: - DeleteConversationResponse400Example: - value: - error: Bad Request - message: Invalid conversation ID - statusCode: 400 + getSyntheticMonitorResponseExample1: + description: A successful response from `GET /api/synthetics/monitors/`. 
+ value: |- + { + "type": "http", + "enabled": true, + "alert": { + "status": { + "enabled": true + }, + "tls": { + "enabled": true + } + }, + "schedule": { + "number": "3", + "unit": "m" + }, + "config_id": "a8188705-d01e-4bb6-87a1-64fa5e4b07ec", + "timeout": "16", + "name": "am i something", + "locations": [ + { + "id": "us_central", + "label": "North America - US Central", + "geo": { + "lat": 41.25, + "lon": -95.86 + }, + "isServiceManaged": true + } + ], + "namespace": "default", + "origin": "ui", + "id": "a8188705-d01e-4bb6-87a1-64fa5e4b07ec", + "max_attempts": 2, + "__ui": { + "is_tls_enabled": false + }, + "max_redirects": "0", + "response.include_body": "on_error", + "response.include_headers": true, + "check.request.method": "GET", + "mode": "any", + "response.include_body_max_bytes": "1024", + "ipv4": true, + "ipv6": true, + "ssl.verification_mode": "full", + "ssl.supported_protocols": [ + "TLSv1.1", + "TLSv1.2", + "TLSv1.3" + ], + "revision": 13, + "created_at": "2023-11-08T08:45:29.334Z", + "updated_at": "2023-12-18T20:31:44.770Z", + "url": "https://fast.com" + } schema: type: object - properties: - error: - example: Bad Request - type: string - message: - example: Invalid conversation ID - type: string - statusCode: - example: 400 - type: number - description: Bad Request response. - summary: Delete a conversation + description: A successful response. + '404': + description: If the monitor is not found, the API returns a 404 error. + summary: Get a monitor tags: - - Security AI Assistant API - - Conversation API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request DELETE 'http://localhost:5601/api/security_ai_assistant/current_user/conversations/abc123' \ - --header "Authorization: $API_KEY" - get: - description: >- - Get the details of an existing conversation using the conversation ID. - This allows users to fetch the specific conversation data by its unique - ID. 
- operationId: ReadConversation + - synthetics + x-metaTags: + - content: Kibana + name: product_name + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/synthetics/monitors/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + put: + description: | + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/synthetics/monitors/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update a monitor with the specified attributes. The required and default fields may vary based on the monitor type. + You must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges. + You can also partially update a monitor. This will only update the fields that are specified in the request body. All other fields are left unchanged. The specified fields should conform to the monitor type. For example, you can't update the `inline_scipt` field of a HTTP monitor. + operationId: put-synthetic-monitor parameters: - - description: >- - The conversation's `id` value, a unique identifier for the - conversation. - example: abc123 + - description: The identifier for the monitor that you want to update. in: path name: id required: true schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + type: string + requestBody: + content: + application/json: + examples: + putSyntheticMonitorsRequestExample1: + description: Update an HTTP monitor that checks a website's availability. + summary: HTTP monitor + value: |- + { + "type": "http", + "name": "Website Availability", + "url": "https://example.com", + "tags": ["website", "availability"], + "locations": ["united_kingdom"] + } + putSyntheticMonitorsRequestExample2: + description: Update a TCP monitor that monitors a server's availability. + summary: TCP monitor + value: |- + { + "type": "tcp", + "name": "Server Availability", + "host": "example.com", + "private_locations": ["my_private_location"] + } + putSyntheticMonitorsRequestExample3: + description: Update an ICMP monitor that performs ping checks. + summary: ICMP monitor + value: |- + { + "type": "icmp", + "name": "Ping Test", + "host": "example.com", + "locations": ["united_kingdom"] + } + putSyntheticMonitorsRequestExample4: + description: Update a browser monitor that checks a website. 
+ summary: Browser monitor + value: |- + { + "type": "browser", + "name": "Example journey", + "inline_script": "step('Go to https://google.com.co', () => page.goto('https://www.google.com'))", + "locations": ["united_kingdom"] + } + schema: + description: | + The request body should contain the attributes of the monitor you want to update. The required and default fields differ depending on the monitor type. + discriminator: + propertyName: type + oneOf: + - $ref: '#/components/schemas/Synthetics_browserMonitorFields' + - $ref: '#/components/schemas/Synthetics_httpMonitorFields' + - $ref: '#/components/schemas/Synthetics_icmpMonitorFields' + - $ref: '#/components/schemas/Synthetics_tcpMonitorFields' + type: object + required: true responses: '200': content: application/json: examples: - ReadConversationResponse200Example: - value: - apiConfig: - actionTypeId: '67890' - connectorId: '12345' - category: assistant - createdAt: '2023-10-31T12:01:00Z' - createdBy: - id: user1 - name: John Doe - excludeFromLastConversationStorage: false - id: abc123 - messages: - - content: Hello, how can I assist you today? - role: system - timestamp: '2023-10-31T12:00:00Z' - namespace: default - replacements: {} - title: Security Discussion - updatedAt: '2023-10-31T12:01:00Z' - users: - - id: user1 - name: John Doe + putSyntheticMonitorResponseWithWarning: + description: A response when a browser monitor specifies a timeout but has no private locations. + summary: Response with warning + value: |- + { + "type": "browser", + "name": "Example journey", + "enabled": true, + "warnings": [ + { + "id": "monitor-id", + "message": "For browser monitors, timeout is only supported on private locations. Browser monitor \"Example journey\" specifies a timeout and is running on public locations: \"public-1, public-2\". 
The timeout will have no effect on these locations.", + "publicLocationIds": ["public-1", "public-2"] + } + ] + } schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_ConversationResponse - description: Indicates a successful call. The conversation details are returned. + type: object + properties: + warnings: + description: | + An optional array of warnings about the monitor configuration. + items: + $ref: '#/components/schemas/Synthetics_monitorWarning' + type: array + description: | + A successful response. The response may include a `warnings` array when the monitor configuration has non-critical issues. '400': + description: | + Bad request. For browser monitors, a 400 error is returned if the timeout is less than 30 seconds. + summary: Update a monitor + tags: + - synthetics + x-metaTags: + - content: Kibana + name: product_name + /api/synthetics/params: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/synthetics/params
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all parameters. You must have `read` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges. + operationId: get-parameters + responses: + '200': content: application/json: examples: - ReadConversationResponse400Example: - value: - error: Bad Request - message: Invalid conversation ID - statusCode: 400 + getParametersResponseExample1: + description: A successful response for a user with read-only permissions to get a list of parameters. + summary: Read access + value: |- + [ + { + "id": "param1-id", + "key": "param1", + "description": "Description for param1", + "tags": ["tag1", "tag2"], + "namespaces": ["namespace1"] + }, + { + "id": "param2-id", + "key": "param2", + "description": "Description for param2", + "tags": ["tag3"], + "namespaces": ["namespace2"] + } + ] + getParametersResponseExample2: + description: A successful response for a user with write permissions to get a list of parameters. + summary: Write access + value: |- + [ + { + "id": "param1-id", + "key": "param1", + "description": "Description for param1", + "tags": ["tag1", "tag2"], + "namespaces": ["namespace1"], + "value": "value1" + }, + { + "id": "param2-id", + "key": "param2", + "description": "Description for param2", + "tags": ["tag3"], + "namespaces": ["namespace2"], + "value": "value2" + } + ] schema: - type: object - properties: - error: - example: Bad Request - type: string - message: - example: Invalid conversation ID - type: string - statusCode: - example: 400 - type: number - description: Bad Request response. - summary: Get a conversation + items: + $ref: '#/components/schemas/Synthetics_getParameterResponse' + type: array + description: A successful response. 
+ summary: Get parameters tags: - - Security AI Assistant API - - Conversations API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request GET 'http://localhost:5601/api/security_ai_assistant/current_user/conversations/abc123' \ - --header "Authorization: $API_KEY" - put: - description: >- - Update an existing conversation using the conversation ID. This endpoint - allows users to modify the details of an existing conversation. - operationId: UpdateConversation - parameters: - - description: The conversation's `id` value. - example: abc123 - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + - synthetics + x-metaTags: + - content: Kibana + name: product_name + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/synthetics/params
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Add one or more parameters to the Synthetics app. + You must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges. + operationId: post-parameters requestBody: content: application/json: examples: - UpdateConversationRequest: - value: - apiConfig: - actionTypeId: '09876' - connectorId: '54321' - category: insights - excludeFromLastConversationStorage: true - messages: - - content: The issue was resolved. - role: assistant - timestamp: '2023-10-31T12:30:00Z' - replacements: {} - title: Updated Security Discussion + postParametersRequestExample1: + description: Add a single parameter. + summary: Single parameter + value: |- + { + "key": "your-key-name", + "value": "your-parameter-value", + "description": "Param to use in browser monitor", + "tags": ["authentication", "security"], + "share_across_spaces": true + } + postParametersRequestExample2: + description: Add multiple parameters. + summary: Multiple parameters + value: |- + [ + { + "key": "param1", + "value": "value1" + }, + { + "key": "param2", + "value": "value2" + } + ] schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_ConversationUpdateProps + oneOf: + - items: + $ref: '#/components/schemas/Synthetics_parameterRequest' + type: array + - $ref: '#/components/schemas/Synthetics_parameterRequest' + description: The request body can contain either a single parameter object or an array of parameter objects. required: true responses: '200': content: application/json: examples: - UpdateConversationResponse200Example: - value: - apiConfig: - actionTypeId: '09876' - connectorId: '54321' - category: insights - createdAt: '2023-10-31T12:01:00Z' - createdBy: - id: user1 - name: John Doe - excludeFromLastConversationStorage: true - id: abc123 - messages: - - content: The issue was resolved. 
- role: assistant - timestamp: '2023-10-31T12:30:00Z' - namespace: default - replacements: {} - title: Updated Security Discussion - updatedAt: '2023-10-31T12:31:00Z' - users: - - id: user1 - name: John Doe - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_ConversationResponse - description: >- - Indicates a successful call. The conversation was updated - successfully. - '400': - content: - application/json: - examples: - UpdateConversationResponse400Example: - value: - error: Bad Request - message: 'Missing required field: title' - statusCode: 400 + postParametersResponseExample1: + description: A successful response for a single added parameter. + summary: Single parameter + value: |- + { + "id": "unique-parameter-id", + "key": "your-key-name", + "value": "your-param-value", + "description": "Param to use in browser monitor", + "tags": ["authentication", "security"], + "share_across_spaces": true + } + postParametersResponseExample2: + description: A successful response for multiple added parameters. + summary: Multiple parameters + value: |- + [ + { + "id": "param1-id", + "key": "param1", + "value": "value1" + }, + { + "id": "param2-id", + "key": "param2", + "value": "value2" + } + ] schema: - type: object - properties: - error: - example: Bad Request - type: string - message: - example: 'Missing required field: title' - type: string - statusCode: - example: 400 - type: number - description: Bad Request response. - summary: Update a conversation + oneOf: + - items: + $ref: '#/components/schemas/Synthetics_postParameterResponse' + type: array + - $ref: '#/components/schemas/Synthetics_postParameterResponse' + description: A successful response. 
+ summary: Add parameters tags: - - Security AI Assistant API - - Conversation API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request PUT 'http://localhost:5601/api/security_ai_assistant/current_user/conversations/abc123' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" \ - --data '{"title":"Updated Security Discussion","category":"insights","messages":[{"content":"Resolved.","role":"assistant","timestamp":"2023-10-31T12:30:00Z"}],"apiConfig":{"connectorId":"54321","actionTypeId":"09876"},"replacements":{},"excludeFromLastConversationStorage":true}' - /api/security_ai_assistant/knowledge_base: - get: - description: Read a single KB - operationId: GetKnowledgeBase + - synthetics + x-metaTags: + - content: Kibana + name: product_name + /api/synthetics/params/_bulk_delete: + post: + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/synthetics/params/_bulk_delete
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete parameters from the Synthetics app. + You must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges. + operationId: delete-parameters + requestBody: + content: + application/json: + examples: + deleteParametersRequestExample1: + description: Run `POST /api/synthetics/params/_bulk_delete` to delete multiple parameters. + value: |- + { + "ids": ["param1-id", "param2-id"] + } + schema: + type: object + properties: + ids: + description: An array of parameter IDs to delete. + items: + type: string + type: array + required: true responses: '200': content: application/json: examples: - KnowledgeBaseReadResponse200Example2: - summary: >- - A response that returns information about the knowledge - base. - value: - defend_insights_exists: true - elser_exists: false - is_setup_available: true - is_setup_in_progress: true - product_documentation_status: installed - security_labs_exists: false - user_data_exists: true - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseReadResponse200 - description: Indicates a successful call. - '400': - content: - application/json: - examples: - GetKnowledgeBaseResponse400Example: - value: - error: Bad Request - message: Invalid resource ID provided. - statusCode: 400 + deleteParametersResponseExample1: + value: |- + [ + { + "id": "param1-id", + "deleted": true + } + ] schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400 - description: Bad Request response. - summary: Read a KnowledgeBase + items: + type: object + properties: + deleted: + description: | + Indicates whether the parameter was successfully deleted. It is `true` if it was deleted. It is `false` if it was not deleted. + type: boolean + id: + description: The unique identifier for the deleted parameter. 
+ type: string + type: array + description: A successful response. + summary: Delete parameters tags: - - Security AI Assistant API - - KnowledgeBase API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request GET 'http://localhost:5601/api/security_ai_assistant/knowledge_base' \ - --header "Authorization: $API_KEY" - post: - description: >- - Create a knowledge base. Use this endpoint when no specific resource - identifier is needed. - operationId: PostKnowledgeBase + - synthetics + x-metaTags: + - content: Kibana + name: product_name + /api/synthetics/params/{id}: + delete: + description: | + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/synthetics/params/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a parameter from the Synthetics app. + You must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges. + operationId: delete-parameter parameters: - - description: >- - ELSER modelId to use when setting up the Knowledge Base. If not - provided, a default model will be used. - example: elser-model-001 - in: query - name: modelId - required: false + - description: The ID for the parameter to delete. + in: path + name: id + required: true schema: type: string - - description: >- - Indicates whether we should or should not install Security Labs docs - when setting up the Knowledge Base. Defaults to `false`. - example: true - in: query - name: ignoreSecurityLabs - required: false - schema: - default: false - type: boolean responses: '200': - content: - application/json: - examples: - KnowledgeBaseResponse200Example2: - summary: A response that indicates that the request was successful. - value: - success: true - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse - description: Indicates a successful call. - '400': - content: - application/json: - examples: - KnowledgeBaseResponse400Example2: - summary: >- - A response for a request that failed due to an invalid query - parameter value. - value: > - statusCode: 400 error: Bad Request message: "[request - query]: ignoreSecurityLabs: Invalid enum value. Expected - 'true' | 'false', received 'yes', ignoreSecurityLabs: - Expected boolean, received string" - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400 - description: Bad Request response. 
- summary: Create a KnowledgeBase + description: OK + summary: Delete a parameter tags: - - Security AI Assistant API - - KnowledgeBase API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request POST 'http://localhost:5601/api/security_ai_assistant/knowledge_base?ignoreSecurityLabs=false' \ - --header "Authorization: $API_KEY" - /api/security_ai_assistant/knowledge_base/{resource}: + - synthetics + x-metaTags: + - content: Kibana + name: product_name get: - description: Read a knowledge base with a specific resource identifier. - operationId: ReadKnowledgeBase + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/synthetics/params/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a parameter from the Synthetics app. + You must have `read` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges. + operationId: get-parameter parameters: - - description: The KnowledgeBase `resource` value. - example: kb12345 + - description: The unique identifier for the parameter. in: path - name: resource + name: id required: true schema: type: string 
@@ -42651,1825 +67012,1313 @@ paths: content: application/json: examples: - KnowledgeBaseReadResponse200Example1: - summary: >- - A response that returns information about the knowledge - base. - value: - defend_insights_exists: true - elser_exists: false - is_setup_available: true - is_setup_in_progress: true - product_documentation_status: installed - security_labs_exists: false - user_data_exists: true - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseReadResponse200 - description: Indicates a successful call. - '400': - content: - application/json: - examples: - ReadKnowledgeBaseResponse400Example: - value: - error: Bad Request - message: Invalid resource ID provided. - statusCode: 400 + getParameterResponseExample1: + description: A successful response for a user with read-only permissions to get a single parameter. + summary: Read access + value: |- + { + "id": "unique-parameter-id", + "key": "your-api-key", + "description": "Param to use in browser monitor", + "tags": ["authentication", "security"], + "namespaces": ["namespace1", "namespace2"] + } + getParameterResponseExample2: + description: A successful response for a user with write permissions to get a single parameter. + summary: Write access + value: |- + { + "id": "unique-parameter-id", + "key": "your-param-key", + "description": "Param to use in browser monitor", + "tags": ["authentication", "security"], + "namespaces": ["namespace1", "namespace2"], + "value": "your-param-value" + } schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400 - description: Bad Request response. - summary: Read a KnowledgeBase for a resource + $ref: '#/components/schemas/Synthetics_getParameterResponse' + description: A successful response. 
+ summary: Get a parameter tags: - - Security AI Assistant API - - KnowledgeBase API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request GET 'http://localhost:5601/api/security_ai_assistant/knowledge_base/kb12345' \ - --header "Authorization: $API_KEY" - post: - description: Create a knowledge base with a specific resource identifier. - operationId: CreateKnowledgeBase + - synthetics + x-metaTags: + - content: Kibana + name: product_name + put: + description: | + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/synthetics/params/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update a parameter in the Synthetics app. + You must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges. + operationId: put-parameter parameters: - - description: The KnowledgeBase `resource` value. - example: kb12345 + - description: The unique identifier for the parameter. in: path - name: resource + name: id required: true schema: type: string - - description: >- - ELSER modelId to use when setting up the Knowledge Base. If not - provided, a default model will be used. - example: elser-model-001 - in: query - name: modelId - required: false - schema: - type: string - - description: >- - Indicates whether we should or should not install Security Labs docs - when setting up the Knowledge Base. Defaults to `false`. - example: true - in: query - name: ignoreSecurityLabs - required: false - schema: - default: false - type: boolean - responses: - '200': - content: - application/json: - examples: - KnowledgeBaseResponse200Example1: - summary: A response that indicates that the request was successful. - value: - success: true - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse - description: Indicates a successful call. - '400': - content: - application/json: - examples: - KnowledgeBaseResponse400Example1: - summary: >- - A response for a request that failed due to an invalid query - parameter value. - value: > - statusCode: 400 error: Bad Request message: "[request - query]: ignoreSecurityLabs: Invalid enum value. Expected - 'true' | 'false', received 'yes', ignoreSecurityLabs: - Expected boolean, received string" - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400 - description: Bad Request response. 
- summary: Create a KnowledgeBase for a resource - tags: - - Security AI Assistant API - - KnowledgeBase API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request POST 'http://localhost:5601/api/security_ai_assistant/knowledge_base/kb12345?ignoreSecurityLabs=false' \ - --header "Authorization: $API_KEY" - /api/security_ai_assistant/knowledge_base/entries: - post: - description: Create a Knowledge Base Entry - operationId: CreateKnowledgeBaseEntry requestBody: content: application/json: examples: - CreateKnowledgeBaseEntryRequest: - value: - kbResource: user - name: How to reset a password - source: manual - text: >- - To reset your password, go to the settings page and click - 'Reset Password'. - type: document + putParameterRequestExample1: + value: |- + { + "key": "updated_param_key", + "value": "updated-param-value", + "description": "Updated Param to be used in browser monitor", + "tags": ["authentication", "security", "updated"] + } schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryCreateProps + type: object + properties: + description: + description: The updated description of the parameter. + type: string + key: + description: The key of the parameter. + type: string + tags: + description: An array of updated tags to categorize the parameter. + items: + type: string + type: array + value: + description: The updated value associated with the parameter. + type: string + description: The request body cannot be empty; at least one attribute is required. required: true responses: '200': content: application/json: examples: - CreateKnowledgeBaseEntryResponse200Example: - value: - createdAt: '2024-01-15T10:00:00.000Z' - createdBy: user@example.com - global: false - id: '12345' - kbResource: user - name: How to reset a password - namespace: default - source: manual - text: >- - To reset your password, go to the settings page and click - 'Reset Password'. 
- type: document - updatedAt: '2024-01-15T10:00:00.000Z' - updatedBy: user@example.com + putParameterResponseExample1: + value: |- + { + "id": "param_id1", + "key": "updated_param_key", + "value": "updated-param-value", + "description": "Updated Param to be used in browser monitor", + "tags": ["authentication", "security", "updated"] + } schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse - description: Successful request returning Knowledge Base Entries - '400': + type: object + description: A successful response. + summary: Update a parameter + tags: + - synthetics + x-metaTags: + - content: Kibana + name: product_name + /api/synthetics/private_locations: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/synthetics/private_locations
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of private locations. + You must have `read` privileges for the Synthetics and Uptime feature in the Observability section of the Kibana feature privileges. + operationId: get-private-locations + responses: + '200': content: application/json: examples: - CreateKnowledgeBaseEntryResponse400Example: - value: - error: Invalid input - message: The 'name' field is required. + getPrivateLocationsResponseExample1: + value: |- + [ + { + "label": "Test private location", + "id": "fleet-server-policy", + "agentPolicyId": "fleet-server-policy", + "isInvalid": false, + "geo": { + "lat": 0, + "lon": 0 + }, + "namespace": "default" + }, + { + "label": "Test private location 2", + "id": "691225b0-6ced-11ee-8f5a-376306ee85ae", + "agentPolicyId": "691225b0-6ced-11ee-8f5a-376306ee85ae", + "isInvalid": false, + "geo": { + "lat": 0, + "lon": 0 + }, + "namespace": "test" + } + ] schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema - description: Bad Request response. - summary: Create a Knowledge Base Entry + items: + $ref: '#/components/schemas/Synthetics_getPrivateLocation' + type: array + description: A successful response. 
+ summary: Get private locations tags: - - Security AI Assistant API - - Knowledge Base Entries API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request POST 'http://localhost:5601/api/security_ai_assistant/knowledge_base/entries' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" \ - --data '{"name":"How to reset a password","type":"document","kbResource":"user","source":"manual","text":"To reset your password, go to the settings page and click Reset Password."}' - /api/security_ai_assistant/knowledge_base/entries/_bulk_action: + - synthetics + x-metaTags: + - content: Kibana + name: product_name post: - description: >- - The bulk action is applied to all Knowledge Base Entries that match the - filter or to the list of Knowledge Base Entries by their IDs. - operationId: PerformKnowledgeBaseEntryBulkAction + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/synthetics/private_locations
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + You must have `all` privileges for the Synthetics and Uptime feature in the Observability section of the Kibana feature privileges. + operationId: post-private-location requestBody: content: application/json: examples: - PerformKnowledgeBaseEntryBulkActionRequest: - value: - create: - - kbResource: user - name: New Entry - source: manual - text: This is the content of the new entry. - type: document - delete: - ids: - - '789' - update: - - id: '123' - kbResource: user - name: Updated Entry - source: manual - text: Updated content. - type: document + postPrivateLocationRequestExample1: + description: Run `POST /api/private_locations` to create a private location. + value: |- + { + "label": "Private Location 1", + "agentPolicyId": "abcd1234", + "tags": ["private", "testing"], + "geo": { + "lat": 40.7128, + "lon": -74.0060 + } + "spaces": ["default"] + } schema: type: object properties: - create: - description: List of Knowledge Base Entries to create. - example: - - kbResource: user - name: New Entry - source: manual - text: This is the content of the new entry. - type: document - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryCreateProps - type: array - delete: + agentPolicyId: + description: The ID of the agent policy associated with the private location. + type: string + geo: + description: Geographic coordinates (WGS84) for the location. type: object properties: - ids: - description: Array of Knowledge Base Entry IDs. - example: - - '123' - - '456' - - '789' - items: - type: string - minItems: 1 - type: array - query: - description: Query to filter Knowledge Base Entries. - example: status:active AND category:technology - type: string - update: - description: List of Knowledge Base Entries to update. - example: - - id: '123' - kbResource: user - name: Updated Entry - source: manual - text: Updated content. 
- type: document + lat: + description: The latitude of the location. + type: number + lon: + description: The longitude of the location. + type: number + required: + - lat + - lon + label: + description: A label for the private location. + type: string + spaces: + description: | + An array of space IDs where the private location is available. If it is not provided, the private location is available in all spaces. items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryUpdateProps + type: string + type: array + tags: + description: An array of tags to categorize the private location. + items: + type: string type: array + required: + - agentPolicyId + - label + required: true responses: '200': content: application/json: examples: - PerformKnowledgeBaseEntryBulkActionResponse200Example: - value: - attributes: - results: - created: - - createdAt: '2024-01-15T10:00:00.000Z' - createdBy: user@example.com - global: false - id: '456' - kbResource: user - name: New Entry - namespace: default - source: manual - text: This is the content of the new entry. - type: document - updatedAt: '2024-01-15T10:00:00.000Z' - updatedBy: user@example.com - deleted: - - '789' - skipped: [] - updated: - - createdAt: '2024-01-14T09:00:00.000Z' - createdBy: user@example.com - global: false - id: '123' - kbResource: user - name: Updated Entry - namespace: default - source: manual - text: Updated content. - type: document - updatedAt: '2024-01-15T10:00:00.000Z' - updatedBy: user@example.com - summary: - failed: 0 - skipped: 0 - succeeded: 3 - total: 3 - knowledgeBaseEntriesCount: 3 - message: Bulk action completed successfully. 
- statusCode: 200 - success: true + postPrivateLocationResponseExample1: + value: |- + { + "id": "abcd1234", + "label": "Private Location 1", + "agentPolicyId": "abcd1234", + "tags": ["private", "testing"], + "geo": { + "lat": 40.7128, + "lon": -74.0060 + } + } schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionResponse - description: Successful bulk operation request + type: object + description: A successful response. '400': - content: - application/json: - examples: - PerformKnowledgeBaseEntryBulkActionResponse400Example: - value: - error: Bad Request - message: Invalid request body. - statusCode: 400 - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema - description: Bad Request response. - summary: Applies a bulk action to multiple Knowledge Base Entries + description: If the `agentPolicyId` is already used by an existing private location or if the `label` already exists, the API will return a 400 Bad Request response with a corresponding error message. + summary: Create a private location tags: - - Security AI Assistant API - - Knowledge Base Entries Bulk API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request POST 'http://localhost:5601/api/security_ai_assistant/knowledge_base/entries/_bulk_action' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" \ - --data '{"create":[{"name":"Runbook","type":"document","kbResource":"user","source":"manual","text":"Steps to triage an alert."}]}' - /api/security_ai_assistant/knowledge_base/entries/_find: - get: - description: Finds Knowledge Base Entries that match the given query. - operationId: FindKnowledgeBaseEntries + - synthetics + x-metaTags: + - content: Kibana + name: product_name + /api/synthetics/private_locations/{id}: + delete: + description: | + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/synthetics/private_locations/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + You must have `all` privileges for the Synthetics and Uptime feature in the Observability section of the Kibana feature privileges. + The API does not return a response body for deletion, but it will return an appropriate status code upon successful deletion. + A location cannot be deleted if it has associated monitors in use. You must delete all monitors associated with the location before deleting the location. + operationId: delete-private-location parameters: - - description: >- - A list of fields to include in the response. If not provided, all - fields will be included. - in: query - name: fields - required: false - schema: - example: - - name - - created_at - items: - type: string - type: array - - description: Search query to filter Knowledge Base Entries by specific criteria. - in: query - name: filter - required: false + - description: The unique identifier of the private location to be deleted. + in: path + name: id + required: true schema: - example: error handling + maxLength: 1024 + minLength: 1 type: string - - description: Field to sort the Knowledge Base Entries by. - in: query - name: sort_field - required: false - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_FindKnowledgeBaseEntriesSortField - example: created_at - - description: Sort order for the results, either asc or desc. - in: query - name: sort_order - required: false - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' - example: asc - - description: Page number for paginated results. Defaults to 1. - in: query - name: page - required: false - schema: - default: 1 - example: 2 - minimum: 1 - type: integer - - description: Number of Knowledge Base Entries to return per page. Defaults to 20. 
- in: query - name: per_page - required: false - schema: - default: 20 - example: 10 - minimum: 0 - type: integer responses: '200': - content: - application/json: - examples: - FindKnowledgeBaseEntriesResponse200Example: - value: - data: - - createdAt: '2024-01-15T10:00:00.000Z' - createdBy: user@example.com - global: false - id: '12345' - kbResource: user - name: How to reset a password - namespace: default - source: manual - text: >- - To reset your password, go to the settings page and - click 'Reset Password'. - type: document - updatedAt: '2024-01-15T10:00:00.000Z' - updatedBy: user@example.com - page: 1 - perPage: 20 - total: 100 - schema: - type: object - properties: - data: - description: The list of Knowledge Base Entries for the current page. - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse - type: array - page: - description: The current page number. - example: 1 - type: integer - perPage: - description: The number of Knowledge Base Entries returned per page. - example: 20 - type: integer - total: - description: The total number of Knowledge Base Entries available. - example: 100 - type: integer - required: - - page - - perPage - - total - - data - description: Successful response containing the paginated Knowledge Base Entries. - '400': - content: - application/json: - examples: - FindKnowledgeBaseEntriesResponse400Example: - value: - error: Bad Request - message: 'Invalid query parameter: sort_order' - statusCode: 400 - schema: - type: object - properties: - error: - description: A short description of the error. - example: Bad Request - type: string - message: - description: A detailed message explaining the error. - example: 'Invalid query parameter: sort_order' - type: string - statusCode: - description: The HTTP status code of the error. - example: 400 - type: number - description: Bad Request response. - summary: Finds Knowledge Base Entries that match the given query. 
+ description: OK + summary: Delete a private location tags: - - Security AI Assistant API - - Knowledge Base Entries API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request GET 'http://localhost:5601/api/security_ai_assistant/knowledge_base/entries/_find?page=1&per_page=20' \ - --header "Authorization: $API_KEY" - /api/security_ai_assistant/knowledge_base/entries/{id}: - delete: - description: Delete a Knowledge Base Entry by its unique `id`. - operationId: DeleteKnowledgeBaseEntry + - synthetics + x-metaTags: + - content: Kibana + name: product_name + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/synthetics/private_locations/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + You must have `read` privileges for the Synthetics and Uptime feature in the Observability section of the Kibana feature privileges. + operationId: get-private-location parameters: - - description: The unique identifier (`id`) of the Knowledge Base Entry to delete. - example: '12345' + - description: A private location identifier or label. in: path name: id required: true schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + type: string responses: '200': content: application/json: examples: - DeleteKnowledgeBaseEntryResponse200Example: - value: - id: '12345' - message: Knowledge Base Entry successfully deleted. - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_DeleteResponseFields - description: >- - Successful request returning the `id` of the deleted Knowledge Base - Entry. - '400': - content: - application/json: - examples: - DeleteKnowledgeBaseEntryResponse400Example: - value: - error: Not Found - message: No Knowledge Base Entry found with the provided `id`. + getPrivateLocationResponseExample1: + value: |- + { + "label": "Test private location", + "id": "test-private-location-id", + "agentPolicyId": "test-private-location-id", + "isServiceManaged": false, + "isInvalid": false, + "geo": { + "lat": 0, + "lon": 0 + }, + "namespace": "default" + } schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema - description: Bad Request response. - summary: Deletes a single Knowledge Base Entry using the `id` field + $ref: '#/components/schemas/Synthetics_getPrivateLocation' + description: A successful response. 
+ summary: Get a private location tags: - - Security AI Assistant API - - Knowledge Base Entries API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request DELETE 'http://localhost:5601/api/security_ai_assistant/knowledge_base/entries/12345' \ - --header "Authorization: $API_KEY" - get: - description: Retrieve a Knowledge Base Entry by its unique `id`. - operationId: ReadKnowledgeBaseEntry + - synthetics + x-metaTags: + - content: Kibana + name: product_name + put: + description: | + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/synthetics/private_locations/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an existing private location's label. + You must have `all` privileges for the Synthetics and Uptime feature in the Observability section of the Kibana feature privileges. + When a private location's label is updated, all monitors using this location will also be updated to maintain data consistency. + operationId: put-private-location parameters: - - description: >- - The unique identifier (`id`) of the Knowledge Base Entry to - retrieve. - example: '12345' + - description: The unique identifier of the private location to be updated. in: path name: id required: true schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + type: string + requestBody: + content: + application/json: + examples: + putPrivateLocationRequestExample1: + description: Update a private location's label. + value: |- + { + "label": "Updated Private Location Name" + } + schema: + type: object + properties: + label: + description: A new label for the private location. Must be at least 1 character long. + minLength: 1 + type: string + required: + - label + required: true responses: '200': content: application/json: examples: - ReadKnowledgeBaseEntryResponse200Example: - value: - createdAt: '2024-01-15T10:00:00.000Z' - createdBy: user@example.com - global: false - id: '12345' - kbResource: user - name: How to reset a password - namespace: default - source: manual - text: >- - To reset your password, go to the settings page and click - 'Reset Password'. 
- type: document - updatedAt: '2024-01-15T10:00:00.000Z' - updatedBy: user@example.com + putPrivateLocationResponseExample1: + value: |- + { + "label": "Updated Private Location Name", + "id": "test-private-location-id", + "agentPolicyId": "test-private-location-id", + "isServiceManaged": false, + "isInvalid": false, + "tags": ["private", "testing", "updated"], + "geo": { + "lat": 37.7749, + "lon": -122.4194 + }, + "spaces": ["*"] + } schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse - description: Successful request returning the requested Knowledge Base Entry. + $ref: '#/components/schemas/Synthetics_getPrivateLocation' + description: A successful response. '400': + description: If the `label` is shorter than 1 character the API will return a 400 Bad Request response with a corresponding error message. + '404': + description: If the private location with the specified ID does not exist, the API will return a 404 Not Found response. + summary: Update a private location + tags: + - synthetics + x-metaTags: + - content: Kibana + name: product_name + /api/task_manager/_health: + get: + description: | + Get the health status of the Kibana task manager. + operationId: task-manager-health + responses: + '200': content: application/json: examples: - ReadKnowledgeBaseEntryResponse400Example: - value: - error: Not Found - message: No Knowledge Base Entry found with the provided `id`. + taskManagerHealthResponse1: + $ref: '#/components/examples/Task_manager_health_APIs_health_200response' schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema - description: Bad Request response. 
- summary: Read a Knowledge Base Entry + $ref: '#/components/schemas/Task_manager_health_APIs_health_response' + description: Indicates a successful call + summary: Get the task manager health tags: - - Security AI Assistant API - - Knowledge Base Entries API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request GET 'http://localhost:5601/api/security_ai_assistant/knowledge_base/entries/12345' \ - --header "Authorization: $API_KEY" - put: - description: Update an existing Knowledge Base Entry by its unique `id`. - operationId: UpdateKnowledgeBaseEntry - parameters: - - description: The unique identifier (`id`) of the Knowledge Base Entry to update. - example: '12345' - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + - task manager + x-metaTags: + - content: Kibana + name: product_name + /api/timeline: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/timeline
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete one or more Timelines or Timeline templates. + operationId: DeleteTimelines requestBody: content: application/json: examples: - UpdateKnowledgeBaseEntryRequest: + deleteByIds: + summary: Delete timelines by saved object id value: - kbResource: user - name: How to reset a password (updated) - source: manual - text: >- - Updated: go to settings and click Reset Password, then - follow the on-screen instructions. - type: document + savedObjectIds: + - 15c1929b-0af7-42bd-85a8-56e234cc7c4e + deleteWithSearches: + summary: Delete Timelines and their linked saved searches + value: + savedObjectIds: + - 15c1929b-0af7-42bd-85a8-56e234cc7c4e + - 6ce1b592-84e3-4b4a-9552-f189d4b82075 + searchIds: + - 2c1b8f02-9ad6-4e33-8f6a-2c6b7d0a1f11 schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryUpdateRouteProps + type: object + properties: + savedObjectIds: + description: The list of IDs of the Timelines or Timeline templates to delete + items: + type: string + maxItems: 100 + type: array + searchIds: + description: Saved search IDs that should be deleted alongside the timelines + items: + type: string + maxItems: 100 + type: array + required: + - savedObjectIds + description: The IDs of the Timelines or Timeline templates to delete. required: true responses: '200': content: application/json: examples: - UpdateKnowledgeBaseEntryResponse200Example: - value: - createdAt: '2024-01-15T10:00:00.000Z' - createdBy: user@example.com - global: false - id: '12345' - kbResource: user - name: How to reset a password (updated) - namespace: default - source: manual - text: >- - Updated: go to settings and click Reset Password, then - follow the on-screen instructions. 
- type: document - updatedAt: '2024-01-15T10:05:00.000Z' - updatedBy: user@example.com + success: + summary: Success + value: {} schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse - description: Successful request returning the updated Knowledge Base Entry. - '400': + additionalProperties: true + type: object + description: Indicates a successful call. + summary: Delete Timelines or Timeline templates + tags: + - Security Timeline API + x-metaTags: + - content: Kibana + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/timeline
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the details of an existing saved Timeline or Timeline template. + operationId: GetTimeline + parameters: + - description: The `savedObjectId` of the Timeline template to retrieve. + in: query + name: template_timeline_id + schema: + type: string + - description: The `savedObjectId` of the Timeline to retrieve. + in: query + name: id + schema: + type: string + responses: + '200': content: application/json: examples: - UpdateKnowledgeBaseEntryResponse400Example: + timelineDetail: + summary: Timeline detail value: - error: Invalid input - message: The 'text' field cannot be empty. + description: User-reported suspicious email + noteIds: [] + pinnedEventIds: [] + savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + status: active + timelineType: default + title: Phishing investigation + version: WzE0LDFd schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema - description: Bad Request response. - summary: Update a Knowledge Base Entry + $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' + description: Indicates a successful call. + summary: Get Timeline or Timeline template details tags: - - Security AI Assistant API - - Knowledge Base Entries API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request PUT 'http://localhost:5601/api/security_ai_assistant/knowledge_base/entries/12345' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" \ - --data '{"name":"How to reset a password (updated)","type":"document","kbResource":"user","source":"manual","text":"Updated: go to settings and click Reset Password, then follow the on-screen instructions."}' - /api/security_ai_assistant/prompts/_bulk_action: - post: - description: >- - Apply a bulk action to multiple prompts. 
The bulk action is applied to - all prompts that match the filter or to the list of prompts by their - IDs. This action allows for bulk create, update, or delete operations. - operationId: PerformPromptsBulkAction + - Security Timeline API + x-metaTags: + - content: Kibana + name: product_name + patch: + description: |- + **Spaces method and path for this operation:** + +
patch /s/{space_id}/api/timeline
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update an existing Timeline. You can update the title, description, date range, pinned events, pinned queries, and/or pinned saved queries of an existing Timeline. + operationId: PatchTimeline requestBody: content: application/json: examples: - PerformPromptsBulkActionRequest: + patchTitle: + summary: Update title value: - create: - - content: Please verify the security settings. - name: New Security Prompt - promptType: system - delete: - ids: - - prompt1 - - prompt2 - update: - - content: Updated content for security prompt. - id: prompt123 + timeline: + title: Escalated case review + timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + version: WzE0LDFd schema: type: object properties: - create: - description: List of prompts to be created. - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_PromptCreateProps - type: array - delete: - description: Criteria for deleting prompts in bulk. - type: object - properties: - ids: - description: Array of IDs to apply the action to. - example: - - '1234' - - '5678' - items: - type: string - minItems: 1 - type: array - query: - description: Query to filter the bulk action. - example: 'status: ''inactive''' - type: string - update: - description: List of prompts to be updated. - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_PromptUpdateProps - type: array + timeline: + $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' + description: The timeline object of the Timeline or Timeline template that you’re updating. + timelineId: + description: The `savedObjectId` of the Timeline or Timeline template that you’re updating. + example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + nullable: true + type: string + version: + description: The version of the Timeline or Timeline template that you’re updating. 
+ example: WzE0LDFd + nullable: true + type: string + required: + - timelineId + - version + - timeline + description: The Timeline updates, along with the Timeline ID and version. + required: true responses: '200': content: application/json: examples: - success: + patched: + summary: Updated timeline value: - attributes: - errors: [] - results: - created: - - content: Please verify the security settings. - id: prompt6 - name: New Security Prompt - promptType: system - deleted: - - prompt2 - - prompt3 - skipped: - - id: prompt4 - name: Security Prompt - skip_reason: PROMPT_FIELD_NOT_MODIFIED - updated: - - content: Updated security settings prompt - id: prompt1 - name: Security Prompt - promptType: system - summary: - failed: 0 - skipped: 1 - succeeded: 4 - total: 5 - message: Bulk action completed successfully. - prompts_count: 5 - status_code: 200 - success: true + savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + status: active + timelineType: default + title: Escalated case review + version: WzE1LDFd schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_PromptsBulkCrudActionResponse - description: Indicates a successful call with the results of the bulk action. - '400': + $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' + description: Indicates a successful call. + '405': content: application/json: examples: - PerformPromptsBulkActionResponse400Example: + error: + summary: Error body value: - error: Bad Request - message: Invalid prompt ID or missing required fields. - statusCode: 400 + body: update timeline error + statusCode: 405 schema: type: object properties: - error: - description: A short error message. - example: Bad Request - type: string - message: - description: A detailed error message. - example: Invalid prompt ID or missing required fields. + body: + description: The error message. + example: update timeline error type: string statusCode: - description: The HTTP status code for the error. 
- example: 400 + example: 405 type: number - description: Bad Request response. - summary: Apply a bulk action to prompts + description: Indicates that the user does not have the required access to create a Timeline. + summary: Update a Timeline tags: - - Security AI Assistant API - - Bulk API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request POST 'http://localhost:5601/api/security_ai_assistant/prompts/_bulk_action' \ - --header "Authorization: $API_KEY" \ - --header "Content-Type: application/json" \ - --data '{"delete":{"query":"name: test","ids":[]}}' - /api/security_ai_assistant/prompts/_find: - get: - description: >- - Get a list of all prompts based on optional filters, sorting, and - pagination. - operationId: FindPrompts - parameters: - - description: List of specific fields to include in each returned prompt. - in: query - name: fields - required: false - schema: - example: - - id - - name - - content - items: - type: string - type: array - - description: Search query string to filter prompts by matching fields. - in: query - name: filter - required: false - schema: - example: error handling - type: string - - description: Field to sort prompts by. - in: query - name: sort_field - required: false - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_FindPromptsSortField - - description: Sort order, either asc or desc. - in: query - name: sort_order - required: false - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' - - description: Page number for pagination. - in: query - name: page - required: false - schema: - default: 1 - example: 1 - minimum: 1 - type: integer - - description: Number of prompts per page. 
- in: query - name: per_page - required: false - schema: - default: 20 - example: 20 - minimum: 0 - type: integer + - Security Timeline API + x-metaTags: + - content: Kibana + name: product_name + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/timeline
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new Timeline or Timeline template. + operationId: CreateTimelines + requestBody: + content: + application/json: + examples: + createDefault: + summary: Create a default timeline + value: + timeline: + status: active + timelineType: default + title: Malware containment + schema: + type: object + properties: + status: + $ref: '#/components/schemas/Security_Timeline_API_TimelineStatus' + nullable: true + templateTimelineId: + description: A unique identifier for the Timeline template. + example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 + nullable: true + type: string + templateTimelineVersion: + description: Timeline template version number. + example: 12 + nullable: true + type: number + timeline: + $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' + timelineId: + description: A unique identifier for the Timeline. + example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 + nullable: true + type: string + timelineType: + $ref: '#/components/schemas/Security_Timeline_API_TimelineType' + nullable: true + version: + nullable: true + type: string + required: + - timeline + description: The required Timeline fields used to create a new Timeline, along with optional fields that will be created if not provided. + required: true responses: '200': content: application/json: examples: - FindPromptsResponse200Example: + created: + summary: Created timeline value: - data: - - categories: - - troubleshooting - - logging - color: '#FF5733' - consumer: security - content: If you encounter an error, check the logs and retry. 
- createdAt: '2025-04-20T21:00:00Z' - createdBy: jdoe - id: prompt-123 - isDefault: true - isNewConversationDefault: false - name: Error Troubleshooting Prompt - namespace: default - promptType: standard - timestamp: '2025-04-30T22:30:00Z' - updatedAt: '2025-04-30T22:45:00Z' - updatedBy: jdoe - users: - - full_name: John Doe - username: jdoe - page: 1 - perPage: 20 - total: 142 + savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + status: active + timelineType: default + title: Malware containment + version: WzE0LDFd schema: - example: - data: - - categories: - - troubleshooting - - logging - color: '#FF5733' - consumer: security - content: If you encounter an error, check the logs and retry. - createdAt: '2025-04-20T21:00:00Z' - createdBy: jdoe - id: prompt-123 - isDefault: true - isNewConversationDefault: false - name: Error Troubleshooting Prompt - namespace: default - promptType: standard - timestamp: '2025-04-30T22:30:00Z' - updatedAt: '2025-04-30T22:45:00Z' - updatedBy: jdoe - users: - - full_name: John Doe - username: jdoe - page: 1 - perPage: 20 - total: 142 - type: object - properties: - data: - description: >- - The list of prompts returned based on the search query, - sorting, and pagination. - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_PromptResponse - type: array - page: - description: Current page number. - example: 1 - type: integer - perPage: - description: Number of prompts per page. - example: 20 - type: integer - total: - description: Total number of prompts matching the query. - example: 142 - type: integer - required: - - page - - perPage - - total - - data - description: Successful response containing a list of prompts. - '400': + $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' + description: Indicates a successful call. 
+ '405': content: application/json: examples: - FindPromptsResponse400Example: + error: + summary: Error body value: - error: Bad Request - message: Invalid sort order value provided. - statusCode: 400 + body: update timeline error + statusCode: 405 schema: type: object properties: - error: - description: Short error message. - example: Bad Request - type: string - message: - description: Detailed description of the error. - example: Invalid sort order value provided. + body: + description: The error message + example: update timeline error type: string statusCode: - description: HTTP status code for the error. - example: 400 + example: 405 type: number - description: Bad request due to invalid parameters or malformed query. - summary: Get prompts + description: Indicates that there was an error in the Timeline creation. + summary: Create a Timeline or Timeline template tags: - - Security AI Assistant API - - Prompts API - x-codeSamples: - - label: Example request - lang: curl - source: | - curl \ - --request GET 'http://localhost:5601/api/security_ai_assistant/prompts/_find?page=1&per_page=20' \ - --header "Authorization: $API_KEY" - /api/security/session/_invalidate: + - Security Timeline API + x-metaTags: + - content: Kibana + name: product_name + /api/timeline/_copy: post: - description: > - Invalidate user sessions that match a query. To use this API, you must - be a superuser. - operationId: post-security-session-invalidate - parameters: - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string + description: | + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/timeline/_copy
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Copies and returns a timeline or timeline template. + operationId: CopyTimeline requestBody: content: application/json: examples: - invalidateRequestExample1: - description: >- - Run `POST api/security/session/_invalidate` to invalidate all - existing sessions. - summary: Invalidate all sessions - value: |- - { - "match" : "all" - } - invalidateRequestExample2: - description: >- - Run `POST api/security/session/_invalidate` to invalidate - sessions that were created by any SAML authentication - provider. - summary: Invalidate all SAML sessions - value: |- - { - "match" : "query", - "query": { - "provider" : { "type": "saml" } - } - } - invalidateRequestExample3: - description: >- - Run `POST api/security/session/_invalidate` to invalidate - sessions that were created by the SAML authentication provider - named `saml1`. - summary: Invalidate sessions for a provider - value: |- - { - "match" : "query", - "query": { - "provider" : { "type": "saml", "name": "saml1" } - } - } - invalidateRequestExample4: - description: >- - Run `POST api/security/session/_invalidate` to invalidate - sessions that were created by any OpenID Connect - authentication provider for the user with the username - `user@my-oidc-sso.com`. - summary: Invalidate sessions for a user - value: |- - { - "match" : "query", - "query": { - "provider" : { "type": "oidc" }, - "username": "user@my-oidc-sso.com" - } - } + copyWithTitle: + summary: Copy with a new title + value: + timeline: + timelineType: default + title: Copy of investigation + timelineIdToCopy: 15c1929b-0af7-42bd-85a8-56e234cc7c4e schema: type: object properties: - match: - description: > - The method Kibana uses to determine which sessions to - invalidate. If it is `all`, all existing sessions will be - invalidated. If it is `query`, only the sessions that match - the query will be invalidated. 
- enum: - - all - - query + timeline: + $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' + timelineIdToCopy: + description: The `savedObjectId` of the timeline or template to duplicate. type: string - query: - description: > - The query that Kibana uses to match the sessions to - invalidate when the `match` parameter is set to `query`. - type: object - properties: - provider: - description: >- - The authentication providers that will have their user - sessions invalidated. - type: object - properties: - name: - description: The authentication provider name. - type: string - type: - description: > - The authentication provide type. For example: - `basic`, `token`, `saml`, `oidc`, `kerberos`, or - `pki`. - type: string - required: - - type - username: - description: The username that will have its sessions invalidated. - type: string - required: - - provider required: - - match + - timeline + - timelineIdToCopy + description: Source timeline id to copy plus timeline fields for the new saved object. + required: true + responses: + '200': + content: + application/json: + examples: + copied: + summary: Newly saved timeline + value: + savedObjectId: 6ce1b592-84e3-4b4a-9552-f189d4b82075 + status: active + timelineType: default + title: Copy of investigation + version: WzE1LDFd + schema: + $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' + description: Indicates a successful call. + summary: Copies timeline or timeline template + tags: + - Security Timeline API + x-metaTags: + - content: Kibana + name: product_name + /api/timeline/_draft: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/timeline/_draft
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get the details of the draft Timeline or Timeline template for the current user. If the user doesn't have a draft Timeline, an empty Timeline is returned. + operationId: GetDraftTimelines + parameters: + - description: Which draft to load (`default` investigation timeline or `template` timeline template). + in: query + name: timelineType + required: true + schema: + $ref: '#/components/schemas/Security_Timeline_API_TimelineType' responses: '200': content: application/json: + examples: + draftPayload: + summary: Draft timeline payload + value: + savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + status: draft + timelineType: default + title: '' + version: WzE0LDFd + schema: + $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' + description: Indicates a successful call. + '403': + content: + application/json: + examples: + forbidden: + summary: Permission denied + value: + message: Forbidden + status_code: 403 + schema: + type: object + properties: + message: + type: string + status_code: + type: number + description: If a draft Timeline was not found and we attempted to create one, it indicates that the user does not have the required permissions to create a draft Timeline. + '409': + content: + application/json: + examples: + conflict: + summary: Draft conflict + value: + message: Conflict + status_code: 409 schema: type: object properties: - total: - description: The number of sessions that were successfully invalidated. - type: integer - description: Indicates a successful call - '403': - description: >- - Indicates that the user may not be authorized to invalidate sessions - for other users. 
- summary: Invalidate user sessions + message: + type: string + status_code: + type: number + description: This should never happen, but if a draft Timeline was not found and we attempted to create one, it indicates that there is already a draft Timeline with the given `timelineId`. + summary: Get draft Timeline or Timeline template details tags: - - user session - /api/short_url: + - Security Timeline API + x-metaTags: + - content: Kibana + name: product_name post: - description: > - Kibana URLs may be long and cumbersome, short URLs are much easier to - remember and share. + description: | + **Spaces method and path for this operation:** - Short URLs are created by specifying the locator ID and locator - parameters. When a short URL is resolved, the locator ID and locator - parameters are used to redirect user to the right Kibana page. - operationId: post-url +
post /s/{space_id}/api/timeline/_draft
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a clean draft Timeline or Timeline template for the current user. + > info + > If the user already has a draft Timeline, the existing draft Timeline is cleared and returned. + operationId: CleanDraftTimelines requestBody: content: application/json: examples: - createShortUrlRequest: - description: >- - Request a short URL that resolves to a dashboard with a preset - time range. - summary: Create a short URL for a dashboard locator + defaultDraft: + summary: Create a default draft timeline value: - locatorId: DASHBOARD_APP_LOCATOR - params: - dashboardId: edf84fe0-e1a0-11e7-b6d5-4dc382ef7f5b - timeRange: - from: now-7d - to: now - slug: my-dashboard + timelineType: default schema: type: object properties: - humanReadableSlug: - description: > - When the `slug` parameter is omitted, the API will generate - a random human-readable slug if `humanReadableSlug` is set - to true. - type: boolean - locatorId: - description: The identifier for the locator. - type: string - params: - description: > - An object which contains all necessary parameters for the - given locator to resolve to a Kibana location. - - > warn - - > When you create a short URL, locator params are not - validated, which allows you to pass arbitrary and ill-formed - data into the API that can break Kibana. Make sure any data - that you send to the API is properly formed. - type: object - slug: - description: > - A custom short URL slug. The slug is the part of the short - URL that identifies it. You can provide a custom slug which - consists of latin alphabet letters, numbers, and `-._` - characters. The slug must be at least 3 characters long, but - no longer than 255 characters. - type: string + timelineType: + $ref: '#/components/schemas/Security_Timeline_API_TimelineType' required: - - locatorId - - params + - timelineType + description: The type of Timeline to create. 
Valid values are `default` and `template`. required: true responses: '200': content: application/json: examples: - createShortUrlResponse: - description: The created short URL record. - summary: Short URL created + draftResponse: + summary: Draft after reset or creation value: - accessCount: 0 - accessDate: 1767225600000 - createDate: 1767225600000 - id: c54b04f5d4b3aa3c - locator: - id: DASHBOARD_APP_LOCATOR - state: - dashboardId: edf84fe0-e1a0-11e7-b6d5-4dc382ef7f5b - timeRange: - from: now-7d - to: now - version: 9.4.0 - slug: my-dashboard + savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + status: draft + templateTimelineId: null + templateTimelineVersion: null + timelineType: default + title: '' + version: WzE0LDFd schema: - $ref: '#/components/schemas/Short_URL_APIs_urlResponse' + $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' description: Indicates a successful call. - summary: Create a short URL - tags: - - short url - x-state: Technical Preview - /api/short_url/_slug/{slug}: - get: - description: | - Resolve a Kibana short URL by its slug. - operationId: resolve-url - parameters: - - description: The slug of the short URL. - in: path - name: slug - required: true - schema: - type: string - responses: - '200': + '403': content: application/json: examples: - resolveShortUrlResponse: - description: The short URL record matching the given slug. - summary: Short URL resolved by slug + forbidden: + summary: Permission denied value: - accessCount: 12 - accessDate: 1767744000000 - createDate: 1767225600000 - id: c54b04f5d4b3aa3c - locator: - id: DASHBOARD_APP_LOCATOR - state: - dashboardId: edf84fe0-e1a0-11e7-b6d5-4dc382ef7f5b - timeRange: - from: now-7d - to: now - version: 9.4.0 - slug: my-dashboard + message: Forbidden + status_code: 403 schema: - $ref: '#/components/schemas/Short_URL_APIs_urlResponse' - description: Indicates a successful call. 
- summary: Resolve a short URL - tags: - - short url - x-state: Technical Preview - /api/short_url/{id}: - delete: - description: | - Delete a Kibana short URL. - operationId: delete-url - parameters: - - $ref: '#/components/parameters/Short_URL_APIs_idParam' - responses: - '200': - description: Indicates a successful call. - summary: Delete a short URL - tags: - - short url - x-state: Technical Preview - get: - description: | - Get a single Kibana short URL. - operationId: get-url - parameters: - - $ref: '#/components/parameters/Short_URL_APIs_idParam' - responses: - '200': + type: object + properties: + message: + type: string + status_code: + type: number + description: Indicates that the user does not have the required permissions to create a draft Timeline. + '409': content: application/json: examples: - getShortUrlResponse: - description: The short URL record matching the given identifier. - summary: Short URL retrieved by ID + conflict: + summary: Draft conflict value: - accessCount: 12 - accessDate: 1767744000000 - createDate: 1767225600000 - id: c54b04f5d4b3aa3c - locator: - id: DASHBOARD_APP_LOCATOR - state: - dashboardId: edf84fe0-e1a0-11e7-b6d5-4dc382ef7f5b - timeRange: - from: now-7d - to: now - version: 9.4.0 - slug: my-dashboard + message: Conflict + status_code: 409 schema: - $ref: '#/components/schemas/Short_URL_APIs_urlResponse' - description: Indicates a successful call. - summary: Get a short URL + type: object + properties: + message: + type: string + status_code: + type: number + description: Indicates that there is already a draft Timeline with the given `timelineId`. + summary: Create a clean draft Timeline or Timeline template tags: - - short url - x-state: Technical Preview - /api/synthetics/monitor/test/{monitorId}: + - Security Timeline API + x-metaTags: + - content: Kibana + name: product_name + /api/timeline/_export: post: - description: > - Trigger an immediate test execution for the specified monitor. 
The - response includes the generated `testRunId`. If the test encounters - issues in one or more service locations, an `errors` array is also - returned with details about the failures. - operationId: post-synthetics-monitor-test + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/timeline/_export
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Export Timelines as an NDJSON file. + operationId: ExportTimelines parameters: - - description: The ID (config_id) of the monitor to test. - in: path - name: monitorId + - description: The name of the file to export + in: query + name: file_name required: true schema: type: string + requestBody: + content: + application/json: + examples: + exportIds: + summary: Export by timeline ids + value: + ids: + - 15c1929b-0af7-42bd-85a8-56e234cc7c4e + schema: + type: object + properties: + ids: + items: + type: string + maxItems: 1000 + minItems: 1 + nullable: true + type: array + description: The IDs of the Timelines to export. + required: true responses: '200': content: - application/json: + application/ndjson: examples: - testNowMonitorResponseExample1: - value: |- - { - "testRunId": "2bd506e5-4f9a-4aa6-a019-7988500afba0", - "errors": [ - { - "locationId": "us_central_staging", - "error": { - "status": 401, - "reason": "no auth credentials provided", - "failed_monitors": null - } - } - ] - } + ndjsonLine: + summary: Single NDJSON line + value: '{"savedObjectId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e","version":"WzE0LDFd","title":"Investigation","timelineType":"default"}' + schema: + description: NDJSON of the exported Timelines + type: string + description: Indicates a successful call. + '400': + content: + application/ndjson: + examples: + badRequest: + summary: Export error + value: + body: Export limit exceeded + statusCode: 400 schema: type: object properties: - errors: - description: >- - Array of errors encountered while triggering the test, one - per service location. - items: - type: object - properties: - error: - type: object - properties: - failed_monitors: - description: >- - Optional list of monitors that failed at the - location. - items: - type: object - nullable: true - type: array - reason: - description: Human-readable explanation of the failure. 
- type: string - status: - description: HTTP status code returned by the agent. - type: integer - required: - - status - - reason - - failed_monitors - locationId: - description: >- - Identifier of the service location where the error - occurred. - type: string - required: - - locationId - - error - type: array - testRunId: - description: Unique identifier for the triggered test run. + body: type: string - required: - - testRunId - description: Test run triggered successfully. - '404': - description: Monitor not found. - summary: Trigger an on-demand test run for a monitor + statusCode: + type: number + description: Bad Request response. + summary: Export Timelines tags: - - synthetics - x-state: Generally available; added in 9.2.0 - /api/synthetics/monitors: - get: - description: > - Get a list of monitors. + - Security Timeline API + x-metaTags: + - content: Kibana + name: product_name + /api/timeline/_favorite: + patch: + description: |- + **Spaces method and path for this operation:** - You must have `read` privileges for the Synthetics feature in the - Observability section of the Kibana feature privileges. - operationId: get-synthetic-monitors - parameters: - - description: Additional filtering criteria. - in: query - name: filter - schema: - type: string - - description: The locations to filter by. - in: query - name: locations - schema: - oneOf: - - type: string - - items: - type: string - type: array - - description: The monitor types to filter. - in: query - name: monitorTypes - schema: - oneOf: - - enum: - - browser - - http - - icmp - - tcp - type: string - - items: - enum: - - browser - - http - - icmp - - tcp - type: string - type: array - - description: The page number for paginated results. - in: query - name: page - schema: - type: integer - - description: The number of items to return per page. - in: query - name: per_page - schema: - type: integer - - description: The projects to filter by. 
- in: query - name: projects - schema: - oneOf: - - type: string - - items: - type: string - type: array - - description: A free-text query string. - in: query - name: query - schema: - type: string - - description: The schedules to filter by. - in: query - name: schedules - schema: - oneOf: - - items: - type: string - type: array - - type: string - - description: The field to sort the results by. - in: query - name: sortField - schema: - enum: - - name - - createdAt - - updatedAt - - status - type: string - - description: The sort order. - in: query - name: sortOrder - schema: - enum: - - asc - - desc - type: string - - description: The status to filter by. - in: query - name: status - schema: - oneOf: - - items: - type: string - type: array - - type: string - - description: Tags to filter monitors. - in: query - name: tags - schema: - oneOf: - - type: string - - items: +
patch /s/{space_id}/api/timeline/_favorite
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Favorite a Timeline or Timeline template for the current user. + operationId: PersistFavoriteRoute + requestBody: + content: + application/json: + examples: + favoriteDefault: + summary: Favorite a default timeline + value: + templateTimelineId: null + templateTimelineVersion: null + timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + timelineType: default + schema: + type: object + properties: + templateTimelineId: + nullable: true type: string - type: array - - description: > - Specifies whether to apply logical AND filtering for specific - fields. Accepts either a string with values "tags" or "locations" or - an array containing both. - in: query - name: useLogicalAndFor - schema: - oneOf: - - enum: - - tags - - locations - type: string - - items: - enum: - - tags - - locations + templateTimelineVersion: + nullable: true + type: number + timelineId: + nullable: true type: string - type: array + timelineType: + $ref: '#/components/schemas/Security_Timeline_API_TimelineType' + nullable: true + required: + - timelineId + - templateTimelineId + - templateTimelineVersion + - timelineType + description: The required fields used to favorite a (template) Timeline. + required: true responses: '200': content: application/json: examples: - getSyntheticMonitorsResponseExample1: - description: >- - A successful response from `GET - /api/synthetics/monitors?tags=prod&monitorTypes=http&locations=us-east-1&projects=project1&status=up`. 
- value: |- - { - "page": 1, - "total": 24, - "monitors": [ - { - "type": "icmp", - "enabled": false, - "alert": { - "status": { - "enabled": true - }, - "tls": { - "enabled": true - } - }, - "schedule": { - "number": "3", - "unit": "m" - }, - "config_id": "e59142e5-1fe3-4aae-b0b0-19d6345e65a1", - "timeout": "16", - "name": "8.8.8.8:80", - "locations": [ - { - "id": "us_central", - "label": "North America - US Central", - "geo": { - "lat": 41.25, - "lon": -95.86 - }, - "isServiceManaged": true - } - ], - "namespace": "default", - "origin": "ui", - "id": "e59142e5-1fe3-4aae-b0b0-19d6345e65a1", - "max_attempts": 2, - "wait": "7", - "revision": 3, - "mode": "all", - "ipv4": true, - "ipv6": true, - "created_at": "2023-11-07T09:57:04.152Z", - "updated_at": "2023-12-04T19:19:34.039Z", - "host": "8.8.8.8:80" - } - ], - "absoluteTotal": 24, - "perPage": 10, - } + favoriteResponse: + summary: Favorite metadata updated + value: + favorite: + - favoriteDate: 1741337636741 + userName: elastic + savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + timelineType: default + version: WzE2LDFd + schema: + $ref: '#/components/schemas/Security_Timeline_API_FavoriteTimelineResponse' + description: Indicates a successful call. + '403': + content: + application/json: + examples: + forbidden: + summary: Forbidden + value: + body: Forbidden + statusCode: 403 schema: type: object - description: A successful response. - summary: Get monitors + properties: + body: + type: string + statusCode: + type: number + description: Indicates the user does not have the required permissions to persist the favorite status. + summary: Favorite a Timeline or Timeline template tags: - - synthetics + - Security Timeline API + x-metaTags: + - content: Kibana + name: product_name + /api/timeline/_import: post: - description: > - Create a new monitor with the specified attributes. A monitor can be one - of the following types: HTTP, TCP, ICMP, or Browser. 
The required and - default fields may vary based on the monitor type. + description: |- + **Spaces method and path for this operation:** - You must have `all` privileges for the Synthetics feature in the - Observability section of the Kibana feature privileges. - operationId: post-synthetic-monitors +
post /s/{space_id}/api/timeline/_import
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Import Timelines. + operationId: ImportTimelines requestBody: content: application/json: examples: - postSyntheticMonitorsRequestExample1: - description: Create an HTTP monitor to check a website's availability. - summary: HTTP monitor - value: |- - { - "type": "http", - "name": "Website Availability", - "url": "https://example.com", - "tags": ["website", "availability"], - "locations": ["united_kingdom"] - } - postSyntheticMonitorsRequestExample2: - description: Create a TCP monitor to monitor a server's availability. - summary: TCP monitor - value: |- - { - "type": "tcp", - "name": "Server Availability", - "host": "example.com", - "private_locations": ["my_private_location"] - } - postSyntheticMonitorsRequestExample3: - description: Create an ICMP monitor to perform ping checks. - summary: ICMP monitor - value: |- - { - "type": "icmp", - "name": "Ping Test", - "host": "example.com", - "locations": ["united_kingdom"] - } - postSyntheticMonitorsRequestExample4: - description: Create a browser monitor to check a website. - summary: Browser monitor - value: |- - { - "type": "browser", - "name": "Example journey", - "inline_script": "step('Go to https://google.com.co', () => page.goto('https://www.google.com'))", - "locations": ["united_kingdom"] - } + multipartPlaceholder: + summary: Request shape (file is a stream of NDJSON lines at runtime) + value: + file: '{"savedObjectId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e","version":"WzE0LDFd"}\n' + isImmutable: 'false' schema: - description: > - The request body should contain the attributes of the monitor - you want to create. The required and default fields differ - depending on the monitor type. 
- discriminator: - propertyName: type - oneOf: - - $ref: '#/components/schemas/Synthetics_browserMonitorFields' - - $ref: '#/components/schemas/Synthetics_httpMonitorFields' - - $ref: '#/components/schemas/Synthetics_icmpMonitorFields' - - $ref: '#/components/schemas/Synthetics_tcpMonitorFields' + type: object + properties: + file: {} + isImmutable: + description: Whether the Timeline should be immutable + enum: + - 'true' + - 'false' + type: string + required: + - file + description: The Timelines to import as a readable stream. required: true responses: '200': content: application/json: examples: - postSyntheticMonitorsResponseWithWarning: - description: >- - A response when a browser monitor specifies a timeout but - has no private locations. - summary: Response with warning - value: |- - { - "type": "browser", - "name": "Example journey", - "enabled": true, - "warnings": [ - { - "id": "monitor-id", - "message": "For browser monitors, timeout is only supported on private locations. Browser monitor \"Example journey\" specifies a timeout and is running on public locations: \"public-1, public-2\". The timeout will have no effect on these locations.", - "publicLocationIds": ["public-1", "public-2"] - } - ] - } + importSummary: + summary: Import summary + value: + errors: [] + success: true + success_count: 5 + timelines_installed: 3 + timelines_updated: 2 + schema: + $ref: '#/components/schemas/Security_Timeline_API_ImportTimelineResult' + description: Indicates a successful call. + '400': + content: + application/json: + examples: + badRequest: + summary: Invalid import + value: + body: Invalid file extension + statusCode: 400 schema: type: object properties: - warnings: - description: > - An optional array of warnings about the monitor - configuration. - items: - $ref: '#/components/schemas/Synthetics_monitorWarning' - type: array - description: > - A successful response. 
The response may include a `warnings` array - when the monitor configuration has non-critical issues. For example, - if a browser monitor specifies a timeout but has no private - locations configured, a warning is returned indicating the timeout - will have no effect. - '400': + body: + description: The error message + example: Invalid file extension + type: string + statusCode: + example: 400 + type: number + description: Bad Request response. + '404': content: application/json: examples: - invalidBrowserTimeout: - description: >- - A 400 error when a browser monitor timeout is below 30 - seconds. - summary: Invalid browser timeout - value: |- - { - "statusCode": 400, - "error": "Bad Request", - "message": "Browser Monitor timeout is invalid", - "attributes": { - "details": "Invalid timeout 20 seconds supplied. Minimum timeout for browser monitors is 30 seconds." - } - } + notFound: + summary: Saved objects client missing + value: + body: Unable to find saved object client + statusCode: 404 schema: type: object properties: - attributes: - type: object - properties: - details: - example: >- - Invalid timeout 20 seconds supplied. Minimum timeout - for browser monitors is 30 seconds. - type: string - error: - example: Bad Request + body: + description: The error message + example: Unable to find saved object client type: string - message: - example: Browser Monitor timeout is invalid + statusCode: + example: 404 + type: number + description: Not found response. + '409': + content: + application/json: + examples: + conflict: + summary: Import conflict + value: + body: Could not import timelines + statusCode: 409 + schema: + type: object + properties: + body: + description: The error message + example: Could not import timelines type: string statusCode: - example: 400 - type: integer - description: > - Bad request. For browser monitors, a 400 error is returned if the - timeout is less than 30 seconds. 
- summary: Create a monitor + example: 409 + type: number + description: Indicates the import of Timelines was unsuccessful. + summary: Import Timelines tags: - - synthetics - /api/synthetics/monitors/_bulk_delete: + - Security Timeline API + x-metaTags: + - content: Kibana + name: product_name + /api/timeline/_prepackaged: post: - description: | - Delete multiple monitors by sending a list of config IDs. - operationId: delete-synthetic-monitors + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/timeline/_prepackaged
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Install or update prepackaged Timelines. + operationId: InstallPrepackedTimelines requestBody: content: application/json: examples: - bulkDeleteRequestExample1: - description: >- - Run `POST /api/synthetics/monitors/_bulk_delete` to delete a - list of monitors. - value: |- - { - "ids": [ - "monitor1-id", - "monitor2-id" - ] - } + emptyArrays: + summary: Installer payload shape + value: + prepackagedTimelines: [] + timelinesToInstall: [] + timelinesToUpdate: [] schema: type: object properties: - ids: - description: An array of monitor IDs to delete. + prepackagedTimelines: items: - type: string + $ref: '#/components/schemas/Security_Timeline_API_TimelineSavedToReturnObject' + nullable: true + type: array + timelinesToInstall: + items: + $ref: '#/components/schemas/Security_Timeline_API_ImportTimelines' + nullable: true + type: array + timelinesToUpdate: + items: + $ref: '#/components/schemas/Security_Timeline_API_ImportTimelines' + nullable: true type: array required: - - ids + - timelinesToInstall + - timelinesToUpdate + - prepackagedTimelines + description: The Timelines to install or update. required: true responses: '200': content: application/json: examples: - deleteMonitorsResponseExample1: - description: A response from successfully deleting multiple monitors. - value: |- - [ - { - "id": "monitor1-id", - "deleted": true - }, - { - "id": "monitor2-id", - "deleted": true - } - ] + installResult: + summary: Install result counts + value: + errors: [] + success: true + success_count: 10 + timelines_installed: 8 + timelines_updated: 2 schema: - items: - description: >- - The API response includes information about the deleted - monitors. - type: object - properties: - deleted: - description: > - If it is `true`, the monitor was successfully deleted If - it is `false`, the monitor was not deleted. 
- type: boolean - ids: - description: The unique identifier of the deleted monitor. - type: string - type: array - description: A successful response. - summary: Delete monitors + $ref: '#/components/schemas/Security_Timeline_API_ImportTimelineResult' + description: Indicates a successful call. + '500': + content: + application/json: + examples: + serverError: + summary: Server error + value: + body: Internal error + statusCode: 500 + schema: + type: object + properties: + body: + type: string + statusCode: + type: number + description: Indicates the installation of prepackaged Timelines was unsuccessful. + summary: Install prepackaged Timelines tags: - - synthetics - /api/synthetics/monitors/{id}: - delete: - description: > - Delete a monitor from the Synthetics app. + - Security Timeline API + x-metaTags: + - content: Kibana + name: product_name + /api/timeline/resolve: + get: + description: |- + **Spaces method and path for this operation:** - You must have `all` privileges for the Synthetics feature in the - Observability section of the Kibana feature privileges. - operationId: delete-synthetic-monitor +
get /s/{space_id}/api/timeline/resolve
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Resolve a Timeline or Timeline template, surfacing outcomes such as `exactMatch`, `aliasMatch`, or `conflict` when object IDs have been remapped during upgrades or imports. Provide **either** `id` for default Timelines or `template_timeline_id` for templates. + operationId: ResolveTimeline parameters: - - description: The identifier for the monitor that you want to delete. - in: path - name: id - required: true + - description: The ID of the template timeline to resolve + in: query + name: template_timeline_id schema: type: string - responses: - '200': - description: OK - summary: Delete a monitor - tags: - - synthetics - get: - operationId: get-synthetic-monitor - parameters: - - description: The ID of the monitor. - in: path + - description: The ID of the timeline to resolve + in: query name: id - required: true schema: type: string responses: 
@@ -44477,2063 +68326,2853 @@ paths: content: application/json: examples: - getSyntheticMonitorResponseExample1: - description: >- - A successful response from `GET - /api/synthetics/monitors/`. - value: |- - { - "type": "http", - "enabled": true, - "alert": { - "status": { - "enabled": true - }, - "tls": { - "enabled": true - } - }, - "schedule": { - "number": "3", - "unit": "m" - }, - "config_id": "a8188705-d01e-4bb6-87a1-64fa5e4b07ec", - "timeout": "16", - "name": "am i something", - "locations": [ - { - "id": "us_central", - "label": "North America - US Central", - "geo": { - "lat": 41.25, - "lon": -95.86 - }, - "isServiceManaged": true - } - ], - "namespace": "default", - "origin": "ui", - "id": "a8188705-d01e-4bb6-87a1-64fa5e4b07ec", - "max_attempts": 2, - "__ui": { - "is_tls_enabled": false - }, - "max_redirects": "0", - "response.include_body": "on_error", - "response.include_headers": true, - "check.request.method": "GET", - "mode": "any", - "response.include_body_max_bytes": "1024", - "ipv4": true, - "ipv6": true, - "ssl.verification_mode": "full", - "ssl.supported_protocols": [ - "TLSv1.1", - "TLSv1.2", - "TLSv1.3" - ], - "revision": 13, - "created_at": "2023-11-08T08:45:29.334Z", - "updated_at": "2023-12-18T20:31:44.770Z", - "url": "https://fast.com" - } + exactMatch: + description: Timeline resolved without alias or conflict + summary: Exact match outcome + value: + outcome: exactMatch + timeline: + savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + timelineType: default + title: Investigation + schema: + $ref: '#/components/schemas/Security_Timeline_API_ResolvedTimeline' + description: Indicates a successful call. + '400': + content: + application/json: + examples: + badRequest: + summary: Bad request + value: {} schema: + additionalProperties: true type: object - description: A successful response. + description: Bad Request response. '404': - description: If the monitor is not found, the API returns a 404 error. 
- summary: Get a monitor + content: + application/json: + examples: + notFound: + summary: Not found + value: {} + schema: + additionalProperties: true + type: object + description: The (template) Timeline was not found + summary: Resolve a Timeline or Timeline template tags: - - synthetics - put: - description: > - Update a monitor with the specified attributes. The required and default - fields may vary based on the monitor type. + - Security Timeline API + x-metaTags: + - content: Kibana + name: product_name + /api/timelines: + get: + description: |- + **Spaces method and path for this operation:** - You must have `all` privileges for the Synthetics feature in the - Observability section of the Kibana feature privileges. +
get /s/{space_id}/api/timelines
- You can also partially update a monitor. This will only update the - fields that are specified in the request body. All other fields are left - unchanged. The specified fields should conform to the monitor type. For - example, you can't update the `inline_scipt` field of a HTTP monitor. - operationId: put-synthetic-monitor + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a list of all saved Timelines or Timeline templates. + operationId: GetTimelines parameters: - - description: The identifier for the monitor that you want to update. - in: path - name: id - required: true + - description: If `true`, only Timelines that the current user has marked as favorite are returned. + in: query + name: only_user_favorite + schema: + enum: + - 'true' + - 'false' + nullable: true + type: string + - description: Restrict results to `default` investigation timelines or `template` timeline templates. + in: query + name: timeline_type + schema: + $ref: '#/components/schemas/Security_Timeline_API_TimelineType' + nullable: true + - description: Field used to sort the list (`title`, `description`, `updated`, or `created`). 
+ in: query + name: sort_field + schema: + $ref: '#/components/schemas/Security_Timeline_API_SortFieldTimeline' + - description: Whether to sort the results `ascending` or `descending` + in: query + name: sort_order + schema: + enum: + - asc + - desc + type: string + - description: How many results should returned at once + in: query + name: page_size + schema: + nullable: true + type: string + - description: How many pages should be skipped + in: query + name: page_index + schema: + nullable: true + type: string + - description: Allows to search for timelines by their title + in: query + name: search schema: + nullable: true type: string - requestBody: - content: - application/json: - examples: - putSyntheticMonitorsRequestExample1: - description: Update an HTTP monitor that checks a website's availability. - summary: HTTP monitor - value: |- - { - "type": "http", - "name": "Website Availability", - "url": "https://example.com", - "tags": ["website", "availability"], - "locations": ["united_kingdom"] - } - putSyntheticMonitorsRequestExample2: - description: Update a TCP monitor that monitors a server's availability. - summary: TCP monitor - value: |- - { - "type": "tcp", - "name": "Server Availability", - "host": "example.com", - "private_locations": ["my_private_location"] - } - putSyntheticMonitorsRequestExample3: - description: Update an ICMP monitor that performs ping checks. - summary: ICMP monitor - value: |- - { - "type": "icmp", - "name": "Ping Test", - "host": "example.com", - "locations": ["united_kingdom"] - } - putSyntheticMonitorsRequestExample4: - description: Update a browser monitor that checks a website. - summary: Browser monitor - value: |- - { - "type": "browser", - "name": "Example journey", - "inline_script": "step('Go to https://google.com.co', () => page.goto('https://www.google.com'))", - "locations": ["united_kingdom"] - } - schema: - description: > - The request body should contain the attributes of the monitor - you want to update. 
The required and default fields differ - depending on the monitor type. - discriminator: - propertyName: type - oneOf: - - $ref: '#/components/schemas/Synthetics_browserMonitorFields' - - $ref: '#/components/schemas/Synthetics_httpMonitorFields' - - $ref: '#/components/schemas/Synthetics_icmpMonitorFields' - - $ref: '#/components/schemas/Synthetics_tcpMonitorFields' - type: object - required: true + - description: Filter by timeline lifecycle state (`active`, `draft`, or `immutable`). + in: query + name: status + schema: + $ref: '#/components/schemas/Security_Timeline_API_TimelineStatus' + nullable: true responses: '200': content: application/json: examples: - putSyntheticMonitorResponseWithWarning: - description: >- - A response when a browser monitor specifies a timeout but - has no private locations. - summary: Response with warning - value: |- - { - "type": "browser", - "name": "Example journey", - "enabled": true, - "warnings": [ - { - "id": "monitor-id", - "message": "For browser monitors, timeout is only supported on private locations. Browser monitor \"Example journey\" specifies a timeout and is running on public locations: \"public-1, public-2\". The timeout will have no effect on these locations.", - "publicLocationIds": ["public-1", "public-2"] - } - ] - } + timelineList: + summary: Example list response + value: + customTemplateTimelineCount: 0 + defaultTimelineCount: 1 + elasticTemplateTimelineCount: 0 + favoriteCount: 0 + templateTimelineCount: 0 + timeline: + - savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + status: active + timelineType: default + title: Phishing investigation + updated: 1741344876825 + version: WzE0LDFd + totalCount: 1 schema: type: object properties: - warnings: - description: > - An optional array of warnings about the monitor - configuration. 
+ customTemplateTimelineCount: + description: The amount of custom Timeline templates in the results + example: 2 + type: number + defaultTimelineCount: + description: The amount of `default` type Timelines in the results + example: 90 + type: number + elasticTemplateTimelineCount: + description: The amount of Elastic's Timeline templates in the results + example: 8 + type: number + favoriteCount: + description: The amount of favorited Timelines + example: 5 + type: number + templateTimelineCount: + description: The amount of Timeline templates in the results + example: 10 + type: number + timeline: items: - $ref: '#/components/schemas/Synthetics_monitorWarning' + $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' type: array - description: > - A successful response. The response may include a `warnings` array - when the monitor configuration has non-critical issues. + totalCount: + description: The total amount of results + example: 100 + type: number + required: + - timeline + - totalCount + description: Indicates a successful call. '400': - description: > - Bad request. For browser monitors, a 400 error is returned if the - timeout is less than 30 seconds. - summary: Update a monitor + content: + application/json: + examples: + badRequest: + summary: Error response body + value: + body: get timeline error + statusCode: 400 + schema: + type: object + properties: + body: + description: The error message. + example: get timeline error + type: string + statusCode: + example: 400 + type: number + description: Bad Request response. + summary: Get Timelines or Timeline templates tags: - - synthetics - /api/synthetics/params: + - Security Timeline API + x-metaTags: + - content: Kibana + name: product_name + /api/upgrade_assistant/status: get: - description: > - Get a list of all parameters. You must have `read` privileges for the - Synthetics feature in the Observability section of the Kibana feature - privileges. 
- operationId: get-parameters + description: Check the status of your cluster. + operationId: get-upgrade-status responses: '200': content: application/json: examples: - getParametersResponseExample1: - description: >- - A successful response for a user with read-only permissions - to get a list of parameters. - summary: Read access - value: |- - [ - { - "id": "param1-id", - "key": "param1", - "description": "Description for param1", - "tags": ["tag1", "tag2"], - "namespaces": ["namespace1"] - }, - { - "id": "param2-id", - "key": "param2", - "description": "Description for param2", - "tags": ["tag3"], - "namespaces": ["namespace2"] - } - ] - getParametersResponseExample2: - description: >- - A successful response for a user with write permissions to - get a list of parameters. - summary: Write access + getUpgradeStatusResponseExample1: value: |- - [ - { - "id": "param1-id", - "key": "param1", - "description": "Description for param1", - "tags": ["tag1", "tag2"], - "namespaces": ["namespace1"], - "value": "value1" - }, - { - "id": "param2-id", - "key": "param2", - "description": "Description for param2", - "tags": ["tag3"], - "namespaces": ["namespace2"], - "value": "value2" - } - ] - schema: - items: - $ref: '#/components/schemas/Synthetics_getParameterResponse' - type: array - description: A successful response. - summary: Get parameters - tags: - - synthetics - post: - description: > - Add one or more parameters to the Synthetics app. - - You must have `all` privileges for the Synthetics feature in the - Observability section of the Kibana feature privileges. - operationId: post-parameters - requestBody: - content: - application/json: - examples: - postParametersRequestExample1: - description: Add a single parameter. 
- summary: Single parameter - value: |- - { - "key": "your-key-name", - "value": "your-parameter-value", - "description": "Param to use in browser monitor", - "tags": ["authentication", "security"], - "share_across_spaces": true - } - postParametersRequestExample2: - description: Add multiple parameters. - summary: Multiple parameters - value: |- - [ - { - "key": "param1", - "value": "value1" - }, { - "key": "param2", - "value": "value2" + "readyForUpgrade": false, + "cluster": [ + { + "message": "Cluster deprecated issue", + "details":"You have 2 system indices that must be migrated and 5 Elasticsearch deprecation issues and 0 Kibana deprecation issues that must be resolved before upgrading." + } + ] } - ] - schema: - oneOf: - - items: - $ref: '#/components/schemas/Synthetics_parameterRequest' - type: array - - $ref: '#/components/schemas/Synthetics_parameterRequest' - description: >- - The request body can contain either a single parameter object or an - array of parameter objects. - required: true + description: Indicates a successful call. + summary: Get the upgrade readiness status + tags: + - upgrade + x-state: Technical Preview + x-metaTags: + - content: Kibana + name: product_name + /api/uptime/settings: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/uptime/settings
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + You must have `read` privileges for the uptime feature in the Observability section of the Kibana feature privileges. + operationId: get-uptime-settings responses: '200': content: application/json: examples: - postParametersResponseExample1: - description: A successful response for a single added parameter. - summary: Single parameter + getUptimeSettingsResponseExample1: value: |- { - "id": "unique-parameter-id", - "key": "your-key-name", - "value": "your-param-value", - "description": "Param to use in browser monitor", - "tags": ["authentication", "security"], - "share_across_spaces": true - } - postParametersResponseExample2: - description: A successful response for multiple added parameters. - summary: Multiple parameters - value: |- - [ - { - "id": "param1-id", - "key": "param1", - "value": "value1" - }, - { - "id": "param2-id", - "key": "param2", - "value": "value2" + "heartbeatIndices": "heartbeat-8*", + "certExpirationThreshold": 30, + "certAgeThreshold": 730, + "defaultConnectors": [ + "08990f40-09c5-11ee-97ae-912b222b13d4", + "db25f830-2318-11ee-9391-6b0c030836d6" + ], + "defaultEmail": { + "to": [], + "cc": [], + "bcc": [] } - ] + } schema: - oneOf: - - items: - $ref: '#/components/schemas/Synthetics_postParameterResponse' - type: array - - $ref: '#/components/schemas/Synthetics_postParameterResponse' - description: A successful response. - summary: Add parameters + type: object + description: Indicates a successful call + summary: Get uptime settings tags: - - synthetics - /api/synthetics/params/_bulk_delete: - post: - description: > - Delete parameters from the Synthetics app. + - uptime + x-metaTags: + - content: Kibana + name: product_name + put: + description: | + **Spaces method and path for this operation:** - You must have `all` privileges for the Synthetics feature in the - Observability section of the Kibana feature privileges. 
- operationId: delete-parameters +
put /s/{space_id}/api/uptime/settings
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Update uptime setting attributes like `heartbeatIndices`, `certExpirationThreshold`, `certAgeThreshold`, `defaultConnectors`, or `defaultEmail`. You must have `all` privileges for the uptime feature in the Observability section of the Kibana feature privileges. A partial update is supported, provided settings keys will be merged with existing settings. + operationId: put-uptime-settings requestBody: content: application/json: examples: - deleteParametersRequestExample1: - description: >- - Run `POST /api/synthetics/params/_bulk_delete` to delete - multiple parameters. + putUptimeSettingsRequestExample1: + description: Run `PUT api/uptime/settings` to update multiple Uptime settings. + summary: Update multiple settings value: |- { - "ids": ["param1-id", "param2-id"] + "heartbeatIndices": "heartbeat-8*", + "certExpirationThreshold": 30, + "certAgeThreshold": 730, + "defaultConnectors": [ + "08990f40-09c5-11ee-97ae-912b222b13d4", + "db25f830-2318-11ee-9391-6b0c030836d6" + ], + "defaultEmail": { + "to": [], + "cc": [], + "bcc": [] + } + } + putUptimeSettingsRequestExample2: + description: Run `PUT api/uptime/settings` to update a single Uptime setting. + summary: Update a setting + value: |- + { + "heartbeatIndices": "heartbeat-8*", } schema: type: object properties: - ids: - description: An array of parameter IDs to delete. + certAgeThreshold: + default: 730 + description: The number of days after a certificate is created to trigger an alert. + type: number + certExpirationThreshold: + default: 30 + description: The number of days before a certificate expires to trigger an alert. + type: number + defaultConnectors: + default: [] + description: A list of connector IDs to be used as default connectors for new alerts. items: type: string type: array - required: true + defaultEmail: + description: | + The default email configuration for new alerts. 
+ type: object + properties: + bcc: + default: [] + items: + type: string + type: array + cc: + default: [] + items: + type: string + type: array + to: + default: [] + items: + type: string + type: array + heartbeatIndices: + default: heartbeat-* + description: | + An index pattern string to be used within the Uptime app and alerts to query Heartbeat data. + type: string responses: '200': content: application/json: examples: - deleteParametersResponseExample1: + putUptimeSettingsResponseExample1: + description: A successful response from `PUT api/uptime/settings`. value: |- - [ - { - "id": "param1-id", - "deleted": true - } - ] + { + "heartbeatIndices": "heartbeat-8*", + "certExpirationThreshold": 30, + "certAgeThreshold": 730, + "defaultConnectors": [ + "08990f40-09c5-11ee-97ae-912b222b13d4", + "db25f830-2318-11ee-9391-6b0c030836d6" + ], + "defaultEmail": { + "to": [], + "cc": [], + "bcc": [] + } + } schema: - items: - type: object - properties: - deleted: - description: > - Indicates whether the parameter was successfully - deleted. It is `true` if it was deleted. It is `false` - if it was not deleted. - type: boolean - id: - description: The unique identifier for the deleted parameter. - type: string - type: array - description: A successful response. - summary: Delete parameters + type: object + description: Indicates a successful call + summary: Update uptime settings tags: - - synthetics - /api/synthetics/params/{id}: - delete: - description: > - Delete a parameter from the Synthetics app. - - You must have `all` privileges for the Synthetics feature in the - Observability section of the Kibana feature privileges. - operationId: delete-parameter - parameters: - - description: The ID for the parameter to delete. 
- in: path - name: id - required: true - schema: - type: string + - uptime + x-metaTags: + - content: Kibana + name: product_name + /api/visualizations: + get: + tags: + - Visualizations + summary: Get visualizations + operationId: get-visualizations-redirect + description: | + > **Technical preview** — The Visualizations API is currently in technical preview and its full reference documentation is temporarily hosted at a separate location. + > + > **[View the full Visualizations API reference →](https://elastic.github.io/dashboards-api-spec/visualizations#tag/Visualizations)** responses: '200': - description: OK - summary: Delete a parameter + description: See the full Visualizations API reference for detailed response schemas. + post: tags: - - synthetics - get: - description: > - Get a parameter from the Synthetics app. - - You must have `read` privileges for the Synthetics feature in the - Observability section of the Kibana feature privileges. - operationId: get-parameter - parameters: - - description: The unique identifier for the parameter. - in: path - name: id - required: true - schema: - type: string + - Visualizations + summary: Create a visualization + operationId: create-visualization-redirect + description: | + > **Technical preview** — The Visualizations API is currently in technical preview and its full reference documentation is temporarily hosted at a separate location. + > + > **[View the full Visualizations API reference →](https://elastic.github.io/dashboards-api-spec/visualizations#tag/Visualizations)** responses: '200': - content: - application/json: - examples: - getParameterResponseExample1: - description: >- - A successful response for a user with read-only permissions - to get a single parameter. 
- summary: Read access - value: |- - { - "id": "unique-parameter-id", - "key": "your-api-key", - "description": "Param to use in browser monitor", - "tags": ["authentication", "security"], - "namespaces": ["namespace1", "namespace2"] - } - getParameterResponseExample2: - description: >- - A successful response for a user with write permissions to - get a single parameter. - summary: Write access - value: |- - { - "id": "unique-parameter-id", - "key": "your-param-key", - "description": "Param to use in browser monitor", - "tags": ["authentication", "security"], - "namespaces": ["namespace1", "namespace2"], - "value": "your-param-value" - } - schema: - $ref: '#/components/schemas/Synthetics_getParameterResponse' - description: A successful response. - summary: Get a parameter + description: See the full Visualizations API reference for detailed response schemas. + /api/visualizations/{id}: + get: tags: - - synthetics + - Visualizations + summary: Get a visualization + operationId: get-visualization-redirect + description: | + > **Technical preview** — The Visualizations API is currently in technical preview and its full reference documentation is temporarily hosted at a separate location. + > + > **[View the full Visualizations API reference →](https://elastic.github.io/dashboards-api-spec/visualizations#tag/Visualizations)** + responses: + '200': + description: See the full Visualizations API reference for detailed response schemas. put: - description: > - Update a parameter in the Synthetics app. + tags: + - Visualizations + summary: Update a visualization + operationId: update-visualization-redirect + description: | + > **Technical preview** — The Visualizations API is currently in technical preview and its full reference documentation is temporarily hosted at a separate location. 
+ > + > **[View the full Visualizations API reference →](https://elastic.github.io/dashboards-api-spec/visualizations#tag/Visualizations)** + responses: + '200': + description: See the full Visualizations API reference for detailed response schemas. + delete: + tags: + - Visualizations + summary: Delete a visualization + operationId: delete-visualization-redirect + description: | + > **Technical preview** — The Visualizations API is currently in technical preview and its full reference documentation is temporarily hosted at a separate location. + > + > **[View the full Visualizations API reference →](https://elastic.github.io/dashboards-api-spec/visualizations#tag/Visualizations)** + responses: + '200': + description: See the full Visualizations API reference for detailed response schemas. + /api/workflows: + delete: + description: |- + **Spaces method and path for this operation:** - You must have `all` privileges for the Synthetics feature in the - Observability section of the Kibana feature privileges. - operationId: put-parameter +
delete /s/{space_id}/api/workflows
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete multiple workflows by their IDs.

[Required authorization] Route required privileges: workflowsManagement:delete. + operationId: delete-workflows parameters: - - description: The unique identifier for the parameter. - in: path - name: id + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: + example: 'true' type: string + - description: When true, permanently deletes the workflows (hard delete) instead of soft-deleting them. The workflow IDs become available for reuse. + in: query + name: force + required: false + schema: + default: false + type: boolean requestBody: - content: - application/json: - examples: - putParameterRequestExample1: - value: |- - { - "key": "updated_param_key", - "value": "updated-param-value", - "description": "Updated Param to be used in browser monitor", - "tags": ["authentication", "security", "updated"] - } + content: + application/json: + examples: + bulkDeleteWorkflowsRequestExample: + description: Example request for deleting multiple workflows + value: + ids: + - workflow-c3d4e5f6-a7b8-9012-cdef-234567890123 + - workflow-d4e5f6a7-b8c9-0123-defa-345678901234 schema: + additionalProperties: false type: object properties: - description: - description: The updated description of the parameter. - type: string - key: - description: The key of the parameter. - type: string - tags: - description: An array of updated tags to categorize the parameter. + ids: + description: Array of workflow IDs to delete. items: + description: Workflow ID to delete. type: string + maxItems: 1000 type: array - value: - description: The updated value associated with the parameter. - type: string - description: The request body cannot be empty; at least one attribute is required. 
- required: true + required: + - ids responses: '200': content: application/json: examples: - putParameterResponseExample1: - value: |- - { - "id": "param_id1", - "key": "updated_param_key", - "value": "updated-param-value", - "description": "Updated Param to be used in browser monitor", - "tags": ["authentication", "security", "updated"] - } - schema: - type: object - description: A successful response. - summary: Update a parameter + bulkDeleteWorkflowsResponseExample: + description: Example response after deleting multiple workflows + value: + deleted: 2 + failures: [] + total: 2 + description: Indicates a successful response + summary: Bulk delete workflows tags: - - synthetics - /api/synthetics/private_locations: + - workflows + x-codeSamples: + - label: Soft delete (default) + lang: curl + source: | + curl \ + -X DELETE "${KIBANA_URL}/api/workflows" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "ids": ["workflow-c3d4e5f6-a7b8-9012-cdef-234567890123", "workflow-d4e5f6a7-b8c9-0123-defa-345678901234"] + }' + - label: Hard delete (permanent) + lang: curl + source: | + curl \ + -X DELETE "${KIBANA_URL}/api/workflows?force=true" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "ids": ["workflow-c3d4e5f6-a7b8-9012-cdef-234567890123", "workflow-d4e5f6a7-b8c9-0123-defa-345678901234"] + }' + - lang: Console + source: | + DELETE kbn://api/workflows + { + "ids": ["workflow-c3d4e5f6-a7b8-9012-cdef-234567890123", "workflow-d4e5f6a7-b8c9-0123-defa-345678901234"] + } + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name get: - description: > - Get a list of private locations. + description: |- + **Spaces method and path for this operation:** - You must have `read` privileges for the Synthetics and Uptime feature in - the Observability section of the Kibana feature privileges. 
- operationId: get-private-locations +
get /s/{space_id}/api/workflows
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve a paginated list of workflows with optional filtering.

[Required authorization] Route required privileges: workflowsManagement:read OR workflowsManagement:readExecution. + operationId: get-workflows + parameters: + - description: Free-text search query. + in: query + name: query + required: false + schema: + type: string + - description: Number of results per page. + in: query + name: size + required: false + schema: + minimum: 1 + type: number + - description: Page number. + in: query + name: page + required: false + schema: + minimum: 1 + type: number + - description: Filter by enabled state. + in: query + name: enabled + required: false + schema: + items: + type: boolean + maxItems: 2 + type: array + - description: Filter by creator. + in: query + name: createdBy + required: false + schema: + items: + type: string + maxItems: 1000 + type: array + - description: Filter by tags. + in: query + name: tags + required: false + schema: + items: + type: string + maxItems: 1000 + type: array + - description: Filter by managed status. Defaults to "unmanaged". + in: query + name: managed + required: false + schema: + enum: + - all + - managed + - unmanaged + type: string responses: '200': content: application/json: examples: - getPrivateLocationsResponseExample1: - value: |- - [ - { - "label": "Test private location", - "id": "fleet-server-policy", - "agentPolicyId": "fleet-server-policy", - "isInvalid": false, - "geo": { - "lat": 0, - "lon": 0 - }, - "namespace": "default" - }, - { - "label": "Test private location 2", - "id": "691225b0-6ced-11ee-8f5a-376306ee85ae", - "agentPolicyId": "691225b0-6ced-11ee-8f5a-376306ee85ae", - "isInvalid": false, - "geo": { - "lat": 0, - "lon": 0 - }, - "namespace": "test" - } - ] - schema: - items: - $ref: '#/components/schemas/Synthetics_getPrivateLocation' - type: array - description: A successful response. 
- summary: Get private locations + getWorkflowsResponseExample: + description: Example response returning a paginated list of workflows + value: + page: 1 + results: + - createdAt: '2025-11-20T10:30:00.000Z' + definition: + description: This is a workflow example + enabled: true + inputs: + - default: hello world + name: message + type: string + name: Example definition + steps: + - name: hello_world_step + type: console + with: + message: '{{ inputs.message }}' + triggers: + - type: manual + description: This is a workflow example + enabled: true + history: + - duration: 5000 + finishedAt: '2025-11-20T12:00:05.000Z' + id: exec-001 + startedAt: '2025-11-20T12:00:00.000Z' + status: completed + workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + workflowName: Example definition + id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + name: Example definition + tags: + - example + valid: true + size: 20 + total: 1 + description: Indicates a successful response + summary: Get workflows tags: - - synthetics + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/workflows?size=20&page=1" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/workflows?size=20&page=1 + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name post: - description: >- - You must have `all` privileges for the Synthetics and Uptime feature in - the Observability section of the Kibana feature privileges. - operationId: post-private-location + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/workflows
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create multiple workflows in a single request. Optionally overwrite existing workflows.

[Required authorization] Route required privileges: workflowsManagement:create AND workflowsManagement:update. + operationId: post-workflows + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Whether to overwrite existing workflows. + in: query + name: overwrite + required: false + schema: + default: false + type: boolean requestBody: content: application/json: examples: - postPrivateLocationRequestExample1: - description: >- - Run `POST /api/private_locations` to create a private - location. - value: |- - { - "label": "Private Location 1", - "agentPolicyId": "abcd1234", - "tags": ["private", "testing"], - "geo": { - "lat": 40.7128, - "lon": -74.0060 - } - "spaces": ["default"] - } + bulkCreateWorkflowsRequestExample: + description: Example request for creating multiple workflows at once + value: + workflows: + - yaml: | + name: Example definition + enabled: true + description: This is a workflow example + triggers: + - type: manual + inputs: + - name: message + type: string + default: "hello world" + steps: + - name: hello_world_step + type: console + with: + message: "{{ inputs.message }}" + - id: workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901 + yaml: | + name: Second workflow + enabled: false + description: Another workflow + triggers: + - type: manual + steps: + - name: log_step + type: console + with: + message: "Hello from second workflow" schema: + additionalProperties: false type: object properties: - agentPolicyId: - description: >- - The ID of the agent policy associated with the private - location. - type: string - geo: - description: Geographic coordinates (WGS84) for the location. - type: object - properties: - lat: - description: The latitude of the location. - type: number - lon: - description: The longitude of the location. 
- type: number - required: - - lat - - lon - label: - description: A label for the private location. - type: string - spaces: - description: > - An array of space IDs where the private location is - available. If it is not provided, the private location is - available in all spaces. - items: - type: string - type: array - tags: - description: An array of tags to categorize the private location. + workflows: items: - type: string + type: object + properties: + id: + maxLength: 255 + minLength: 3 + pattern: ^[a-z0-9]([a-z0-9-]*[a-z0-9])?$ + type: string + yaml: + maxLength: 1048576 + type: string + required: + - yaml + maxItems: 500 type: array required: - - agentPolicyId - - label - required: true + - workflows responses: '200': content: application/json: examples: - postPrivateLocationResponseExample1: - value: |- - { - "id": "abcd1234", - "label": "Private Location 1", - "agentPolicyId": "abcd1234", - "tags": ["private", "testing"], - "geo": { - "lat": 40.7128, - "lon": -74.0060 - } - } - schema: - type: object - description: A successful response. - '400': - description: >- - If the `agentPolicyId` is already used by an existing private - location or if the `label` already exists, the API will return a 400 - Bad Request response with a corresponding error message. - summary: Create a private location + bulkCreateWorkflowsResponseExample: + description: Example response after creating multiple workflows + value: + created: + - id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + name: Example definition + - id: workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901 + name: Second workflow + failures: [] + total: 2 + description: Indicates a successful response + summary: Bulk create workflows tags: - - synthetics - /api/synthetics/private_locations/{id}: - delete: - description: > - You must have `all` privileges for the Synthetics and Uptime feature in - the Observability section of the Kibana feature privileges. 
+ - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/workflows?overwrite=false" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "workflows": [ + { "yaml": "name: Example definition\nenabled: true\ndescription: This is a workflow example\ntriggers:\n - type: manual\ninputs:\n - name: message\n type: string\n default: \"hello world\"\nsteps:\n - name: hello_world_step\n type: console\n with:\n message: \"{{ inputs.message }}\"\n" }, + { "id": "workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901", "yaml": "name: Second workflow\nenabled: false\ndescription: Another workflow\ntriggers:\n - type: manual\nsteps:\n - name: log_step\n type: console\n with:\n message: \"Hello from second workflow\"\n" } + ] + }' + - lang: Console + source: | + POST kbn://api/workflows?overwrite=false + { + "workflows": [ + { "yaml": "name: Example definition\nenabled: true\ndescription: This is a workflow example\ntriggers:\n - type: manual\ninputs:\n - name: message\n type: string\n default: \"hello world\"\nsteps:\n - name: hello_world_step\n type: console\n with:\n message: \"{{ inputs.message }}\"\n" }, + { "id": "workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901", "yaml": "name: Second workflow\nenabled: false\ndescription: Another workflow\ntriggers:\n - type: manual\nsteps:\n - name: log_step\n type: console\n with:\n message: \"Hello from second workflow\"\n" } + ] + } + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/workflows/aggs: + get: + description: |- + **Spaces method and path for this operation:** - The API does not return a response body for deletion, but it will return - an appropriate status code upon successful deletion. +
get /s/{space_id}/api/workflows/aggs
- A location cannot be deleted if it has associated monitors in use. You - must delete all monitors associated with the location before deleting - the location. - operationId: delete-private-location + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve distinct values and their counts for the specified workflow fields. Useful for building filters such as lists of tags or creators.

[Required authorization] Route required privileges: workflowsManagement:read. + operationId: get-workflows-aggs parameters: - - description: The unique identifier of the private location to be deleted. - in: path - name: id + - description: Field or fields to aggregate on. + in: query + name: fields required: true schema: - maxLength: 1024 - minLength: 1 - type: string + description: Fields to aggregate on. + items: + description: Field name to aggregate. + type: string + maxItems: 25 + minItems: 1 + type: array responses: '200': - description: OK - summary: Delete a private location + content: + application/json: + examples: + getAggsResponseExample: + description: Example response with tag and createdBy aggregations + value: + createdBy: + - doc_count: 2 + key: elastic + tags: + - doc_count: 1 + key: reporting + - doc_count: 1 + key: security + - doc_count: 1 + key: triage + description: Indicates a successful response + summary: Get workflow aggregations tags: - - synthetics + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/workflows/aggs?fields=tags&fields=createdBy" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/workflows/aggs?fields=tags&fields=createdBy + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/workflows/connectors: get: - description: > - You must have `read` privileges for the Synthetics and Uptime feature in - the Observability section of the Kibana feature privileges. - operationId: get-private-location - parameters: - - description: A private location identifier or label. - in: path - name: id - required: true - schema: - type: string + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/workflows/connectors
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve the Kibana action connectors that can be used in workflow steps, grouped by connector type. Each type includes its configured instances and availability status.

[Required authorization] Route required privileges: workflowsManagement:read. + operationId: get-workflows-connectors + parameters: [] responses: '200': content: application/json: examples: - getPrivateLocationResponseExample1: - value: |- - { - "label": "Test private location", - "id": "test-private-location-id", - "agentPolicyId": "test-private-location-id", - "isServiceManaged": false, - "isInvalid": false, - "geo": { - "lat": 0, - "lon": 0 - }, - "namespace": "default" - } - schema: - $ref: '#/components/schemas/Synthetics_getPrivateLocation' - description: A successful response. - summary: Get a private location + getConnectorsResponseExample: + description: Example response with available connector types and their instances + value: + connectorTypes: + .email: + actionTypeId: .email + displayName: Email + enabled: true + enabledInConfig: true + enabledInLicense: true + instances: [] + minimumLicenseRequired: gold + subActions: + - displayName: Send + name: send + .slack_api: + actionTypeId: .slack_api + displayName: Slack + enabled: true + enabledInConfig: true + enabledInLicense: true + instances: + - id: slack-connector-1 + isDeprecated: false + isPreconfigured: false + name: Team Notifications + minimumLicenseRequired: gold + subActions: + - displayName: Post Message + name: postMessage + totalConnectors: 1 + description: Indicates a successful response + summary: Get available connectors tags: - - synthetics - put: - description: > - Update an existing private location's label. 
+ - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/workflows/connectors" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/workflows/connectors + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/workflows/executions/{executionId}: + get: + description: |- + **Spaces method and path for this operation:** - You must have `all` privileges for the Synthetics and Uptime feature in - the Observability section of the Kibana feature privileges. +
get /s/{space_id}/api/workflows/executions/{executionId}
- When a private location's label is updated, all monitors using this - location will also be updated to maintain data consistency. - operationId: put-private-location + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve details of a single workflow execution by its ID.

[Required authorization] Route required privileges: workflowsManagement:readExecution. + operationId: get-workflows-executions-executionid parameters: - - description: The unique identifier of the private location to be updated. + - description: Workflow execution ID in: path - name: id + name: executionId required: true schema: type: string - requestBody: - content: - application/json: - examples: - putPrivateLocationRequestExample1: - description: Update a private location's label. - value: |- - { - "label": "Updated Private Location Name" - } - schema: - type: object - properties: - label: - description: >- - A new label for the private location. Must be at least 1 - character long. - minLength: 1 - type: string - required: - - label - required: true + - description: Include execution input data. + in: query + name: includeInput + required: false + schema: + default: false + type: boolean + - description: Include execution output data. + in: query + name: includeOutput + required: false + schema: + default: false + type: boolean responses: '200': content: application/json: examples: - putPrivateLocationResponseExample1: - value: |- - { - "label": "Updated Private Location Name", - "id": "test-private-location-id", - "agentPolicyId": "test-private-location-id", - "isServiceManaged": false, - "isInvalid": false, - "tags": ["private", "testing", "updated"], - "geo": { - "lat": 37.7749, - "lon": -122.4194 - }, - "spaces": ["*"] - } - schema: - $ref: '#/components/schemas/Synthetics_getPrivateLocation' - description: A successful response. - '400': - description: >- - If the `label` is shorter than 1 character the API will return a 400 - Bad Request response with a corresponding error message. - '404': - description: >- - If the private location with the specified ID does not exist, the - API will return a 404 Not Found response. 
- summary: Update a private location + getExecutionResponseExample: + description: Example response returning a workflow execution with step details + value: + duration: 3000 + executedBy: elastic + finishedAt: '2025-11-20T12:00:03.000Z' + id: exec-a1b2c3d4-e5f6-7890 + input: + message: hello world + isTestRun: false + output: hello world + spaceId: default + startedAt: '2025-11-20T12:00:00.000Z' + status: completed + stepExecutions: + - executionTimeMs: 1000 + finishedAt: '2025-11-20T12:00:02.000Z' + globalExecutionIndex: 0 + id: step-exec-001 + isTestRun: false + scopeStack: [] + spaceId: default + startedAt: '2025-11-20T12:00:01.000Z' + status: completed + stepExecutionIndex: 0 + stepId: hello_world_step + stepType: console + topologicalIndex: 0 + workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + workflowRunId: exec-a1b2c3d4-e5f6-7890 + triggeredBy: manual + workflowDefinition: + description: This is a workflow example + enabled: true + inputs: + - default: hello world + name: message + type: string + name: Example definition + steps: + - name: hello_world_step + type: console + with: + message: '{{ inputs.message }}' + triggers: + - type: manual + workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + yaml: | + name: Example definition + enabled: true + description: This is a workflow example + triggers: + - type: manual + inputs: + - name: message + type: string + default: "hello world" + steps: + - name: hello_world_step + type: console + with: + message: "{{ inputs.message }}" + description: Indicates a successful response + summary: Get a workflow execution tags: - - synthetics - /api/task_manager/_health: - get: - description: | - Get the health status of the Kibana task manager. 
- operationId: task-manager-health + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/workflows/executions/{executionId}?includeInput=true&includeOutput=true" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/workflows/executions/{executionId}?includeInput=true&includeOutput=true + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/workflows/executions/{executionId}/cancel: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/workflows/executions/{executionId}/cancel
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Cancel a running workflow execution by its ID.

[Required authorization] Route required privileges: workflowsManagement:cancelExecution. + operationId: post-workflows-executions-executionid-cancel + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Workflow execution ID + in: path + name: executionId + required: true + schema: + type: string responses: '200': - content: - application/json: - examples: - taskManagerHealthResponse1: - $ref: >- - #/components/examples/Task_manager_health_APIs_health_200response - schema: - $ref: '#/components/schemas/Task_manager_health_APIs_health_response' - description: Indicates a successful call - summary: Get the task manager health + description: Indicates a successful response + summary: Cancel a workflow execution tags: - - task manager - /api/timeline: - delete: - description: Delete one or more Timelines or Timeline templates. - operationId: DeleteTimelines - requestBody: - content: - application/json: - examples: - deleteByIds: - summary: Delete timelines by saved object id - value: - savedObjectIds: - - 15c1929b-0af7-42bd-85a8-56e234cc7c4e - deleteWithSearches: - summary: Delete Timelines and their linked saved searches - value: - savedObjectIds: - - 15c1929b-0af7-42bd-85a8-56e234cc7c4e - - 6ce1b592-84e3-4b4a-9552-f189d4b82075 - searchIds: - - 2c1b8f02-9ad6-4e33-8f6a-2c6b7d0a1f11 - schema: - type: object - properties: - savedObjectIds: - description: >- - The list of IDs of the Timelines or Timeline templates to - delete - items: - type: string - maxItems: 100 - type: array - searchIds: - description: >- - Saved search IDs that should be deleted alongside the - timelines - items: - type: string - maxItems: 100 - type: array - required: - - savedObjectIds - description: The IDs of the Timelines or Timeline templates to delete. 
- required: true + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/workflows/executions/{executionId}/cancel" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" + - lang: Console + source: | + POST kbn://api/workflows/executions/{executionId}/cancel + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/workflows/executions/{executionId}/children: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/workflows/executions/{executionId}/children
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve child workflow executions spawned by sub-workflow steps within a parent execution.

[Required authorization] Route required privileges: workflowsManagement:readExecution. + operationId: get-workflows-executions-executionid-children + parameters: + - description: Workflow execution ID + in: path + name: executionId + required: true + schema: + type: string responses: '200': content: application/json: - examples: - success: - summary: Success - value: {} - schema: - additionalProperties: true - type: object - description: Indicates a successful call. - summary: Delete Timelines or Timeline templates + examples: + getChildrenExecutionsResponseExample: + description: Example response returning child workflow executions spawned by sub-workflow steps + value: + - executionId: child-exec-001 + parentStepExecutionId: step-exec-003 + status: completed + stepExecutions: + - executionTimeMs: 1000 + finishedAt: '2025-11-20T12:00:07.000Z' + globalExecutionIndex: 0 + id: child-step-001 + isTestRun: false + scopeStack: [] + startedAt: '2025-11-20T12:00:06.000Z' + status: completed + stepExecutionIndex: 0 + stepId: hello_world_step + stepType: console + topologicalIndex: 0 + workflowId: workflow-e5f6a7b8-c9d0-1234-efab-456789012345 + workflowRunId: child-exec-001 + workflowId: workflow-e5f6a7b8-c9d0-1234-efab-456789012345 + workflowName: Child Workflow + description: Indicates a successful response + summary: Get child executions tags: - - Security Timeline API - - access:securitySolution + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/workflows/executions/{executionId}/children" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/workflows/executions/{executionId}/children + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/workflows/executions/{executionId}/logs: get: - description: Get the details of an existing saved Timeline or Timeline template. 
- operationId: GetTimeline + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/workflows/executions/{executionId}/logs
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve paginated logs for a workflow execution. Optionally filter by a specific step execution.

[Required authorization] Route required privileges: workflowsManagement:readExecution. + operationId: get-workflows-executions-executionid-logs parameters: - - description: The `savedObjectId` of the Timeline template to retrieve. + - description: Workflow execution ID + in: path + name: executionId + required: true + schema: + type: string + - description: Filter logs by a specific step execution ID. in: query - name: template_timeline_id + name: stepExecutionId + required: false schema: type: string - - description: The `savedObjectId` of the Timeline to retrieve. + - description: Number of log entries per page. in: query - name: id + name: size + required: false + schema: + default: 100 + maximum: 100 + minimum: 1 + type: number + - description: Page number. + in: query + name: page + required: false + schema: + default: 1 + minimum: 1 + type: number + - description: Field to sort by. + in: query + name: sortField + required: false + schema: + type: string + - description: Sort order. + in: query + name: sortOrder + required: false schema: + enum: + - asc + - desc type: string responses: '200': content: application/json: examples: - timelineDetail: - summary: Timeline detail + getExecutionLogsResponseExample: + description: Example response returning paginated execution logs value: - description: User-reported suspicious email - noteIds: [] - pinnedEventIds: [] - savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - status: active - timelineType: default - title: Phishing investigation - version: WzE0LDFd - schema: - $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' - description: Indicates a successful call. 
- summary: Get Timeline or Timeline template details + logs: + - additionalData: + executionId: exec-a1b2c3d4-e5f6-7890 + workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + connectorType: console + duration: 150 + id: log-001 + level: info + message: Workflow execution started + stepId: hello_world_step + stepName: Hello World + timestamp: '2025-11-20T12:00:01.000Z' + - additionalData: + executionId: exec-a1b2c3d4-e5f6-7890 + workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + connectorType: console + duration: 200 + id: log-002 + level: info + message: Step completed successfully + stepId: hello_world_step + stepName: Hello World + timestamp: '2025-11-20T12:00:02.000Z' + page: 1 + size: 100 + total: 2 + description: Indicates a successful response + summary: Get execution logs tags: - - Security Timeline API - - access:securitySolution - patch: - description: >- - Update an existing Timeline. You can update the title, description, date - range, pinned events, pinned queries, and/or pinned saved queries of an - existing Timeline. - operationId: PatchTimeline + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/workflows/executions/{executionId}/logs?size=100&page=1" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/workflows/executions/{executionId}/logs?size=100&page=1 + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/workflows/executions/{executionId}/resume: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/workflows/executions/{executionId}/resume
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Resume a paused workflow execution with the provided input.

[Required authorization] Route required privileges: workflowsManagement:execute. + operationId: post-workflows-executions-executionid-resume + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Workflow execution ID + in: path + name: executionId + required: true + schema: + type: string requestBody: content: application/json: examples: - patchTitle: - summary: Update title + resumeExecutionRequestExample: + description: Example request to resume a paused workflow execution value: - timeline: - title: Escalated case review - timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - version: WzE0LDFd + input: + approved: true + comment: Approved by analyst schema: + additionalProperties: false type: object properties: - timeline: - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' - description: >- - The timeline object of the Timeline or Timeline template - that you’re updating. - timelineId: - description: >- - The `savedObjectId` of the Timeline or Timeline template - that you’re updating. - example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - nullable: true - type: string - version: - description: >- - The version of the Timeline or Timeline template that you’re - updating. - example: WzE0LDFd - nullable: true - type: string + input: + additionalProperties: + nullable: true + description: Input data to resume the execution with. + type: object required: - - timelineId - - version - - timeline - description: The Timeline updates, along with the Timeline ID and version. 
- required: true + - input responses: '200': content: application/json: examples: - patched: - summary: Updated timeline + resumeExecutionResponseExample: + description: Example response confirming the resume was scheduled value: - savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - status: active - timelineType: default - title: Escalated case review - version: WzE1LDFd - schema: - $ref: >- - #/components/schemas/Security_Timeline_API_PersistTimelineResponse - description: Indicates a successful call. - '405': + executionId: exec-a1b2c3d4-e5f6-7890 + message: Workflow resume scheduled + success: true + description: Indicates a successful response + summary: Resume a workflow execution + tags: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/workflows/executions/{executionId}/resume" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "input": { + "approved": true, + "comment": "Approved by analyst" + } + }' + - lang: Console + source: | + POST kbn://api/workflows/executions/{executionId}/resume + { + "input": { + "approved": true, + "comment": "Approved by analyst" + } + } + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/workflows/executions/{executionId}/step/{stepExecutionId}: + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/workflows/executions/{executionId}/step/{stepExecutionId}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve details of a single step execution within a workflow execution.

[Required authorization] Route required privileges: workflowsManagement:readExecution. + operationId: get-workflows-executions-executionid-step-stepexecutionid + parameters: + - description: Workflow execution ID. + in: path + name: executionId + required: true + schema: + type: string + - description: Step execution ID. + in: path + name: stepExecutionId + required: true + schema: + type: string + responses: + '200': content: application/json: examples: - error: - summary: Error body - value: - body: update timeline error - statusCode: 405 - schema: - type: object - properties: - body: - description: The error message. - example: update timeline error - type: string - statusCode: - example: 405 - type: number - description: >- - Indicates that the user does not have the required access to create - a Timeline. - summary: Update a Timeline + getStepExecutionResponseExample: + description: Example response returning a single step execution + value: + error: null + executionTimeMs: 1000 + finishedAt: '2025-11-20T12:00:02.000Z' + globalExecutionIndex: 0 + id: step-exec-001 + input: + message: hello world + isTestRun: false + output: hello world + scopeStack: [] + spaceId: default + startedAt: '2025-11-20T12:00:01.000Z' + state: null + status: completed + stepExecutionIndex: 0 + stepId: hello_world_step + stepType: console + topologicalIndex: 0 + workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + workflowRunId: exec-a1b2c3d4-e5f6-7890 + description: Indicates a successful response + summary: Get a step execution tags: - - Security Timeline API - - access:securitySolution + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/workflows/executions/{executionId}/step/{stepExecutionId}" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/workflows/executions/{executionId}/step/{stepExecutionId} + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: 
product_name + /api/workflows/export: post: - description: Create a new Timeline or Timeline template. - operationId: CreateTimelines + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/workflows/export
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Export one or more workflows as JSON with YAML content and metadata.

[Required authorization] Route required privileges: workflowsManagement:read. + operationId: post-workflows-export + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: examples: - createDefault: - summary: Create a default timeline + exportWorkflowsRequestExample: + description: Example request to export workflows value: - timeline: - status: active - timelineType: default - title: Malware containment + ids: + - workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + - workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901 schema: + additionalProperties: false type: object properties: - status: - $ref: '#/components/schemas/Security_Timeline_API_TimelineStatus' - nullable: true - templateTimelineId: - description: A unique identifier for the Timeline template. - example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 - nullable: true - type: string - templateTimelineVersion: - description: Timeline template version number. - example: 12 - nullable: true - type: number - timeline: - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' - timelineId: - description: A unique identifier for the Timeline. - example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 - nullable: true - type: string - timelineType: - $ref: '#/components/schemas/Security_Timeline_API_TimelineType' - nullable: true - version: - nullable: true - type: string + ids: + description: Array of workflow IDs to export. + items: + description: Workflow ID to export. + maxLength: 255 + type: string + maxItems: 500 + minItems: 1 + type: array required: - - timeline - description: >- - The required Timeline fields used to create a new Timeline, along with - optional fields that will be created if not provided. 
- required: true + - ids responses: '200': content: application/json: examples: - created: - summary: Created timeline - value: - savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - status: active - timelineType: default - title: Malware containment - version: WzE0LDFd - schema: - $ref: >- - #/components/schemas/Security_Timeline_API_PersistTimelineResponse - description: Indicates a successful call. - '405': - content: - application/json: - examples: - error: - summary: Error body + exportWorkflowsResponseExample: + description: Workflow entries with YAML content and export manifest value: - body: update timeline error - statusCode: 405 - schema: - type: object - properties: - body: - description: The error message - example: update timeline error - type: string - statusCode: - example: 405 - type: number - description: Indicates that there was an error in the Timeline creation. - summary: Create a Timeline or Timeline template + entries: + - id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + yaml: |- + name: My Workflow + steps: + - type: http.request + with: + url: https://example.com + - id: workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901 + yaml: |- + name: Another Workflow + steps: + - type: http.request + with: + url: https://example.com + manifest: + exportedAt: '2026-03-26T12:00:00.000Z' + exportedCount: 2 + version: '1' + description: JSON containing exported workflow YAML entries and manifest metadata + summary: Export workflows tags: - - Security Timeline API - - access:securitySolution - /api/timeline/_copy: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/workflows/export" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "ids": ["workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", "workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901"] + }' + - lang: Console + source: | + POST kbn://api/workflows/export + { + "ids": 
["workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", "workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901"] + } + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/workflows/mget: post: - description: | - Copies and returns a timeline or timeline template. - operationId: CopyTimeline + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/workflows/mget
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve multiple workflows by their IDs in a single request. Optionally use the `source` parameter to return only specific fields from each workflow document.

[Required authorization] Route required privileges: workflowsManagement:read. + operationId: post-workflows-mget + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: examples: - copyWithTitle: - summary: Copy with a new title + mgetWorkflowsRequestExample: + description: Example request to retrieve multiple workflows by their IDs value: - timeline: - timelineType: default - title: Copy of investigation - timelineIdToCopy: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + ids: + - workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + - workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901 + source: + - name + - enabled schema: + additionalProperties: false type: object properties: - timeline: - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' - timelineIdToCopy: - description: >- - The `savedObjectId` of the timeline or template to - duplicate. - type: string + ids: + description: Array of workflow IDs to look up. + items: + description: Workflow ID. + maxLength: 255 + type: string + maxItems: 500 + minItems: 1 + type: array + source: + description: Array of source fields to include. + items: + description: Source field. + maxLength: 255 + type: string + maxItems: 10 + minItems: 1 + type: array required: - - timeline - - timelineIdToCopy - description: >- - Source timeline id to copy plus timeline fields for the new saved - object. 
- required: true + - ids responses: '200': content: application/json: examples: - copied: - summary: Newly saved timeline + mgetWorkflowsResponseExample: + description: Example response returning the requested workflows with projected fields value: - savedObjectId: 6ce1b592-84e3-4b4a-9552-f189d4b82075 - status: active - timelineType: default - title: Copy of investigation - version: WzE1LDFd - schema: - $ref: >- - #/components/schemas/Security_Timeline_API_PersistTimelineResponse - description: Indicates a successful call. - summary: Copies timeline or timeline template + - enabled: true + id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + name: Example definition + - enabled: false + id: workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901 + name: Second workflow + description: Indicates a successful response + summary: Get workflows by IDs tags: - - Security Timeline API - - access:securitySolution - /api/timeline/_draft: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/workflows/mget" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "ids": ["workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", "workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901"], + "source": ["name", "enabled"] + }' + - lang: Console + source: | + POST kbn://api/workflows/mget + { + "ids": ["workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", "workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901"], + "source": ["name", "enabled"] + } + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/workflows/schema: get: - description: >- - Get the details of the draft Timeline or Timeline template for the - current user. If the user doesn't have a draft Timeline, an empty - Timeline is returned. - operationId: GetDraftTimelines + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/workflows/schema
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve the JSON schema used to validate workflow YAML definitions. The schema includes available step types based on the configured connectors in the current space.

[Required authorization] Route required privileges: workflowsManagement:read. + operationId: get-workflows-schema parameters: - - description: >- - Which draft to load (`default` investigation timeline or `template` - timeline template). + - description: When true, returns a permissive schema that allows additional properties. When false, returns a strict schema for full validation. in: query - name: timelineType + name: loose required: true schema: - $ref: '#/components/schemas/Security_Timeline_API_TimelineType' + type: boolean responses: '200': content: application/json: examples: - draftPayload: - summary: Draft timeline payload - value: - savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - status: draft - timelineType: default - title: '' - version: WzE0LDFd - schema: - $ref: >- - #/components/schemas/Security_Timeline_API_PersistTimelineResponse - description: Indicates a successful call. - '403': - content: - application/json: - examples: - forbidden: - summary: Permission denied - value: - message: Forbidden - status_code: 403 - schema: - type: object - properties: - message: - type: string - status_code: - type: number - description: >- - If a draft Timeline was not found and we attempted to create one, it - indicates that the user does not have the required permissions to - create a draft Timeline. - '409': - content: - application/json: - examples: - conflict: - summary: Draft conflict + getSchemaResponseExample: + description: Example response returning the workflow JSON schema (truncated) value: - message: Conflict - status_code: 409 - schema: - type: object - properties: - message: - type: string - status_code: - type: number - description: >- - This should never happen, but if a draft Timeline was not found and - we attempted to create one, it indicates that there is already a - draft Timeline with the given `timelineId`. 
- summary: Get draft Timeline or Timeline template details + $schema: http://json-schema.org/draft-07/schema# + type: object + properties: + description: + type: string + enabled: + default: true + type: boolean + name: + minLength: 1 + type: string + tags: + items: + type: string + type: array + version: + const: '1' + default: '1' + description: The version of the workflow schema + type: string + required: + - name + - triggers + - steps + description: Indicates a successful response + summary: Get workflow JSON schema tags: - - Security Timeline API - - access:securitySolution - post: - description: > - Create a clean draft Timeline or Timeline template for the current user. + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/workflows/schema?loose=false" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/workflows/schema?loose=false + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/workflows/stats: + get: + description: |- + **Spaces method and path for this operation:** - > info +
get /s/{space_id}/api/workflows/stats
- > If the user already has a draft Timeline, the existing draft Timeline - is cleared and returned. - operationId: CleanDraftTimelines - requestBody: - content: - application/json: - examples: - defaultDraft: - summary: Create a default draft timeline - value: - timelineType: default - schema: - type: object - properties: - timelineType: - $ref: '#/components/schemas/Security_Timeline_API_TimelineType' - required: - - timelineType - description: >- - The type of Timeline to create. Valid values are `default` and - `template`. - required: true - responses: - '200': - content: - application/json: - examples: - draftResponse: - summary: Draft after reset or creation - value: - savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - status: draft - templateTimelineId: null - templateTimelineVersion: null - timelineType: default - title: '' - version: WzE0LDFd - schema: - $ref: >- - #/components/schemas/Security_Timeline_API_PersistTimelineResponse - description: Indicates a successful call. - '403': - content: - application/json: - examples: - forbidden: - summary: Permission denied - value: - message: Forbidden - status_code: 403 - schema: - type: object - properties: - message: - type: string - status_code: - type: number - description: >- - Indicates that the user does not have the required permissions to - create a draft Timeline. - '409': - content: - application/json: - examples: - conflict: - summary: Draft conflict - value: - message: Conflict - status_code: 409 - schema: - type: object - properties: - message: - type: string - status_code: - type: number - description: >- - Indicates that there is already a draft Timeline with the given - `timelineId`. - summary: Create a clean draft Timeline or Timeline template + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. 
+ + Retrieve summary statistics about workflows, including total, enabled, and disabled counts; execution history metrics for the last 30 days are included only when the caller has execution read privilege.

[Required authorization] Route required privileges: workflowsManagement:read OR workflowsManagement:readExecution. + operationId: get-workflows-stats + parameters: [] + responses: + '200': + content: + application/json: + examples: + getStatsResponseExample: + description: Example response with workflow counts and 30-day execution history + value: + executions: + - cancelled: 1 + completed: 45 + date: '2025-11-20' + failed: 2 + timestamp: '2025-11-20T00:00:00.000Z' + - cancelled: 0 + completed: 50 + date: '2025-11-21' + failed: 0 + timestamp: '2025-11-21T00:00:00.000Z' + workflows: + disabled: 3 + enabled: 12 + description: Indicates a successful response + summary: Get workflow statistics tags: - - Security Timeline API - - access:securitySolution - /api/timeline/_export: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/workflows/stats" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/workflows/stats + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/workflows/step/test: post: - description: Export Timelines as an NDJSON file. - operationId: ExportTimelines + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/workflows/step/test
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Execute a single step from a workflow definition in test mode.

[Required authorization] Route required privileges: workflowsManagement:execute AND workflowsManagement:read. + operationId: post-workflows-step-test parameters: - - description: The name of the file to export - in: query - name: file_name + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf required: true schema: + example: 'true' type: string requestBody: content: application/json: examples: - exportIds: - summary: Export by timeline ids + testStepRequestExample: + description: Example request to test a single workflow step value: - ids: - - 15c1929b-0af7-42bd-85a8-56e234cc7c4e + contextOverride: + inputs: + message: override message + stepId: hello_world_step + workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + workflowYaml: | + name: Example definition + enabled: true + description: This is a workflow example + triggers: + - type: manual + inputs: + - name: message + type: string + default: "hello world" + steps: + - name: hello_world_step + type: console + with: + message: "{{ inputs.message }}" schema: + additionalProperties: false type: object properties: - ids: - items: - type: string - maxItems: 1000 - minItems: 1 - nullable: true - type: array - description: The IDs of the Timelines to export. - required: true + contextOverride: + additionalProperties: + nullable: true + description: Context overrides for the step execution. + type: object + executionContext: + additionalProperties: + nullable: true + description: Execution context for the step execution. + type: object + stepId: + description: ID of the step to test. + type: string + workflowId: + description: ID of the workflow containing the step. + type: string + workflowYaml: + description: YAML definition of the workflow containing the step. 
+ type: string + required: + - stepId + - contextOverride + - workflowYaml responses: '200': content: - application/ndjson: - examples: - ndjsonLine: - summary: Single NDJSON line - value: >- - {"savedObjectId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e","version":"WzE0LDFd","title":"Investigation","timelineType":"default"} - schema: - description: NDJSON of the exported Timelines - type: string - description: Indicates a successful call. - '400': - content: - application/ndjson: + application/json: examples: - badRequest: - summary: Export error + testStepResponseExample: + description: Example response returning the step test execution ID value: - body: Export limit exceeded - statusCode: 400 - schema: - type: object - properties: - body: - type: string - statusCode: - type: number - description: Bad Request response. - summary: Export Timelines + workflowExecutionId: step-test-exec-a1b2c3d4 + description: Indicates a successful response + summary: Test a workflow step tags: - - Security Timeline API - - access:securitySolution - /api/timeline/_favorite: - patch: - description: Favorite a Timeline or Timeline template for the current user. 
- operationId: PersistFavoriteRoute + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/workflows/step/test" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "stepId": "hello_world_step", + "workflowId": "workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", + "workflowYaml": "name: Example definition\nenabled: true\ntriggers:\n - type: manual\ninputs:\n - name: message\n type: string\n default: \"hello world\"\nsteps:\n - name: hello_world_step\n type: console\n with:\n message: \"{{ inputs.message }}\"", + "contextOverride": { "inputs": { "message": "override message" } } + }' + - lang: Console + source: | + POST kbn://api/workflows/step/test + { + "stepId": "hello_world_step", + "workflowId": "workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", + "workflowYaml": "name: Example definition\nenabled: true\ntriggers:\n - type: manual\ninputs:\n - name: message\n type: string\n default: \"hello world\"\nsteps:\n - name: hello_world_step\n type: console\n with:\n message: \"{{ inputs.message }}\"", + "contextOverride": { "inputs": { "message": "override message" } } + } + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/workflows/test: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/workflows/test
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Execute a workflow in test mode without requiring it to be saved or enabled. Provide either a workflow ID to test a saved workflow, a YAML definition to test an unsaved draft, or both to test a modified version of an existing workflow.

[Required authorization] Route required privileges: workflowsManagement:execute AND workflowsManagement:read. + operationId: post-workflows-test + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: examples: - favoriteDefault: - summary: Favorite a default timeline + testWorkflowByIdRequestExample: + description: Example request to test a saved workflow by its ID value: - templateTimelineId: null - templateTimelineVersion: null - timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - timelineType: default + inputs: + message: test message + workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + testWorkflowByYamlRequestExample: + description: Example request to test an unsaved workflow YAML draft + value: + inputs: + message: test message + workflowYaml: | + name: Example definition + enabled: true + description: This is a workflow example + triggers: + - type: manual + inputs: + - name: message + type: string + default: "hello world" + steps: + - name: hello_world_step + type: console + with: + message: "{{ inputs.message }}" schema: + additionalProperties: false type: object properties: - templateTimelineId: - nullable: true + inputs: + additionalProperties: + nullable: true + description: Key-value inputs for the test execution. + type: object + workflowId: + description: ID of an existing workflow to test. type: string - templateTimelineVersion: - nullable: true - type: number - timelineId: - nullable: true + workflowYaml: + description: YAML definition to test. type: string - timelineType: - $ref: '#/components/schemas/Security_Timeline_API_TimelineType' - nullable: true required: - - timelineId - - templateTimelineId - - templateTimelineVersion - - timelineType - description: The required fields used to favorite a (template) Timeline. 
- required: true + - inputs responses: '200': content: application/json: examples: - favoriteResponse: - summary: Favorite metadata updated - value: - favorite: - - favoriteDate: 1741337636741 - userName: elastic - savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - timelineType: default - version: WzE2LDFd - schema: - $ref: >- - #/components/schemas/Security_Timeline_API_FavoriteTimelineResponse - description: Indicates a successful call. - '403': - content: - application/json: - examples: - forbidden: - summary: Forbidden + testWorkflowResponseExample: + description: Example response returning the test execution ID value: - body: Forbidden - statusCode: 403 - schema: - type: object - properties: - body: - type: string - statusCode: - type: number - description: >- - Indicates the user does not have the required permissions to persist - the favorite status. - summary: Favorite a Timeline or Timeline template + workflowExecutionId: test-exec-a1b2c3d4-e5f6 + description: Indicates a successful response + summary: Test a workflow tags: - - Security Timeline API - - access:securitySolution - /api/timeline/_import: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/workflows/test" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "workflowId": "workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", + "inputs": { "message": "test message" } + }' + - lang: Console + source: | + POST kbn://api/workflows/test + { + "workflowId": "workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", + "inputs": { "message": "test message" } + } + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/workflows/workflow: post: - description: Import Timelines. - operationId: ImportTimelines + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/workflows/workflow
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a new workflow from a YAML definition. The YAML is validated and parsed before the workflow is saved. An optional custom ID can be provided.

[Required authorization] Route required privileges: workflowsManagement:create. + operationId: post-workflows-workflow + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string requestBody: content: application/json: examples: - multipartPlaceholder: - summary: Request shape (file is a stream of NDJSON lines at runtime) + createWorkflowRequestExample: + description: Example request for creating a workflow from a YAML definition value: - file: >- - {"savedObjectId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e","version":"WzE0LDFd"}\n - isImmutable: 'false' + yaml: | + name: Example definition + enabled: true + description: This is a workflow example + triggers: + - type: manual + inputs: + - name: message + type: string + default: "hello world" + steps: + - name: hello_world_step + type: console + with: + message: "{{ inputs.message }}" + createWorkflowWithIdRequestExample: + description: Example request for creating a workflow with a custom ID + value: + id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + yaml: | + name: Example definition + enabled: true + description: This is a workflow example + triggers: + - type: manual + inputs: + - name: message + type: string + default: "hello world" + steps: + - name: hello_world_step + type: console + with: + message: "{{ inputs.message }}" schema: + additionalProperties: false type: object properties: - file: {} - isImmutable: - description: Whether the Timeline should be immutable - enum: - - 'true' - - 'false' + id: + maxLength: 255 + minLength: 3 + pattern: ^[a-z0-9]([a-z0-9-]*[a-z0-9])?$ + type: string + yaml: + maxLength: 1048576 type: string required: - - file - description: The Timelines to import as a readable stream. 
- required: true + - yaml responses: '200': content: application/json: examples: - importSummary: - summary: Import summary + createWorkflowResponseExample: + description: Example response returning the created workflow value: - errors: [] - success: true - success_count: 5 - timelines_installed: 3 - timelines_updated: 2 - schema: - $ref: >- - #/components/schemas/Security_Timeline_API_ImportTimelineResult - description: Indicates a successful call. - '400': + createdAt: '2025-11-20T10:30:00.000Z' + createdBy: elastic + definition: + description: This is a workflow example + enabled: true + inputs: + - default: hello world + name: message + type: string + name: Example definition + steps: + - name: hello_world_step + type: console + with: + message: '{{ inputs.message }}' + triggers: + - type: manual + description: This is a workflow example + enabled: true + id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + lastUpdatedAt: '2025-11-20T10:30:00.000Z' + lastUpdatedBy: elastic + name: Example definition + valid: true + yaml: | + name: Example definition + enabled: true + description: This is a workflow example + triggers: + - type: manual + inputs: + - name: message + type: string + default: "hello world" + steps: + - name: hello_world_step + type: console + with: + message: "{{ inputs.message }}" + description: Indicates a successful response + summary: Create a workflow + tags: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/workflows/workflow" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "yaml": "name: Example definition\nenabled: true\ndescription: This is a workflow example\ntriggers:\n - type: manual\ninputs:\n - name: message\n type: string\n default: \"hello world\"\nsteps:\n - name: hello_world_step\n type: console\n with:\n message: \"{{ inputs.message }}\"\n" + }' + - lang: Console + source: | + POST kbn://api/workflows/workflow + { + 
"yaml": "name: Example definition\nenabled: true\ndescription: This is a workflow example\ntriggers:\n - type: manual\ninputs:\n - name: message\n type: string\n default: \"hello world\"\nsteps:\n - name: hello_world_step\n type: console\n with:\n message: \"{{ inputs.message }}\"\n" + } + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/workflows/workflow/{id}: + delete: + description: |- + **Spaces method and path for this operation:** + +
delete /s/{space_id}/api/workflows/workflow/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Delete a single workflow by its ID.

[Required authorization] Route required privileges: workflowsManagement:delete. + operationId: delete-workflows-workflow-id + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Workflow ID + in: path + name: id + required: true + schema: + type: string + - description: When true, permanently deletes the workflow (hard delete) instead of soft-deleting it. The workflow ID becomes available for reuse. + in: query + name: force + required: false + schema: + default: false + type: boolean + responses: + '200': + description: Indicates a successful response + summary: Delete a workflow + tags: + - workflows + x-codeSamples: + - label: Soft delete (default) + lang: curl + source: | + curl \ + -X DELETE "${KIBANA_URL}/api/workflows/workflow/{id}" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" + - label: Hard delete (permanent) + lang: curl + source: | + curl \ + -X DELETE "${KIBANA_URL}/api/workflows/workflow/{id}?force=true" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" + - lang: Console + source: | + DELETE kbn://api/workflows/workflow/{id} + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + get: + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/workflows/workflow/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve a single workflow by its ID.

[Required authorization] Route required privileges: workflowsManagement:read. + operationId: get-workflows-workflow-id + parameters: + - description: Workflow ID + in: path + name: id + required: true + schema: + type: string + responses: + '200': content: application/json: examples: - badRequest: - summary: Invalid import + getWorkflowResponseExample: + description: Example response returning a single workflow value: - body: Invalid file extension - statusCode: 400 - schema: - type: object - properties: - body: - description: The error message - example: Invalid file extension + createdAt: '2025-11-20T10:30:00.000Z' + createdBy: elastic + definition: + description: This is a workflow example + enabled: true + inputs: + - default: hello world + name: message + type: string + name: Example definition + steps: + - name: hello_world_step + type: console + with: + message: '{{ inputs.message }}' + triggers: + - type: manual + description: This is a workflow example + enabled: true + id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + lastUpdatedAt: '2025-11-21T14:00:00.000Z' + lastUpdatedBy: elastic + name: Example definition + valid: true + yaml: | + name: Example definition + enabled: true + description: This is a workflow example + triggers: + - type: manual + inputs: + - name: message + type: string + default: "hello world" + steps: + - name: hello_world_step + type: console + with: + message: "{{ inputs.message }}" + description: Indicates a successful response + summary: Get a workflow + tags: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/workflows/workflow/{id}" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/workflows/workflow/{id} + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + put: + description: |- + **Spaces method and path for this operation:** + +
put /s/{space_id}/api/workflows/workflow/{id}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Partially update an existing workflow. You can update individual fields such as name, description, enabled state, tags, or the YAML definition without providing all fields.

[Required authorization] Route required privileges: workflowsManagement:update. + operationId: put-workflows-workflow-id + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Workflow ID + in: path + name: id + required: true + schema: + type: string + requestBody: + content: + application/json: + examples: + updateWorkflowEnableExample: + description: Example request to enable a workflow and update its tags + value: + enabled: true + tags: + - production + updateWorkflowFullExample: + description: Example request to update multiple workflow fields + value: + description: Updated workflow description + enabled: true + name: Updated example + tags: + - example + - updated + yaml: | + name: Updated example + enabled: true + description: Updated workflow description + triggers: + - type: manual + inputs: + - name: message + type: string + default: "hello world" + steps: + - name: hello_world_step + type: console + with: + message: "{{ inputs.message }}" + schema: + additionalProperties: false + type: object + properties: + description: + type: string + enabled: + type: boolean + name: + type: string + tags: + items: type: string - statusCode: - example: 400 - type: number - description: Bad Request response. - '404': + type: array + yaml: + type: string + responses: + '200': content: application/json: examples: - notFound: - summary: Saved objects client missing + updateWorkflowResponseExample: + description: Example response returning the updated workflow value: - body: Unable to find saved object client - statusCode: 404 - schema: - type: object - properties: - body: - description: The error message - example: Unable to find saved object client - type: string - statusCode: - example: 404 - type: number - description: Not found response. 
- '409': + enabled: false + id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + lastUpdatedAt: '2026-03-23T13:38:59.568Z' + lastUpdatedBy: elastic + valid: true + validationErrors: [] + description: Indicates a successful response + summary: Update a workflow + tags: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X PUT "${KIBANA_URL}/api/workflows/workflow/{id}" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "enabled": true, + "tags": ["production"] + }' + - lang: Console + source: | + PUT kbn://api/workflows/workflow/{id} + { + "enabled": true, + "tags": ["production"] + } + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/workflows/workflow/{id}/clone: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/workflows/workflow/{id}/clone
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a copy of an existing workflow.

[Required authorization] Route required privileges: workflowsManagement:create AND workflowsManagement:read. + operationId: post-workflows-workflow-id-clone + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Workflow ID + in: path + name: id + required: true + schema: + type: string + responses: + '200': content: application/json: examples: - conflict: - summary: Import conflict + cloneWorkflowResponseExample: + description: Example response returning the cloned workflow with a new ID value: - body: Could not import timelines - statusCode: 409 - schema: - type: object - properties: - body: - description: The error message - example: Could not import timelines - type: string - statusCode: - example: 409 - type: number - description: Indicates the import of Timelines was unsuccessful. - summary: Import Timelines + createdAt: '2025-11-22T11:00:00.000Z' + createdBy: elastic + definition: + description: This is a workflow example + enabled: false + inputs: + - default: hello world + name: message + type: string + name: Example definition (copy) + steps: + - name: hello_world_step + type: console + with: + message: '{{ inputs.message }}' + triggers: + - type: manual + description: This is a workflow example + enabled: false + id: workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901 + lastUpdatedAt: '2025-11-22T11:00:00.000Z' + lastUpdatedBy: elastic + name: Example definition (copy) + valid: true + yaml: | + name: Example definition (copy) + enabled: false + description: This is a workflow example + triggers: + - type: manual + inputs: + - name: message + type: string + default: "hello world" + steps: + - name: hello_world_step + type: console + with: + message: "{{ inputs.message }}" + description: Indicates a successful response + summary: Clone a workflow tags: - - Security Timeline API - - access:securitySolution - 
/api/timeline/_prepackaged: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/workflows/workflow/{id}/clone" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" + - lang: Console + source: | + POST kbn://api/workflows/workflow/{id}/clone + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/workflows/workflow/{id}/run: post: - description: Install or update prepackaged Timelines. - operationId: InstallPrepackedTimelines + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/workflows/workflow/{id}/run
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Execute a workflow by its ID with the provided inputs. The workflow must be enabled and have a valid definition. Returns an execution ID that can be used to monitor progress.

[Required authorization] Route required privileges: workflowsManagement:execute AND workflowsManagement:read. + operationId: post-workflows-workflow-id-run + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Workflow ID + in: path + name: id + required: true + schema: + type: string requestBody: content: application/json: examples: - emptyArrays: - summary: Installer payload shape + runWorkflowRequestExample: + description: Example request to execute a workflow with inputs value: - prepackagedTimelines: [] - timelinesToInstall: [] - timelinesToUpdate: [] + inputs: + message: hello from the API schema: + additionalProperties: false type: object properties: - prepackagedTimelines: - items: - $ref: >- - #/components/schemas/Security_Timeline_API_TimelineSavedToReturnObject - nullable: true - type: array - timelinesToInstall: - items: - $ref: '#/components/schemas/Security_Timeline_API_ImportTimelines' + inputs: + additionalProperties: nullable: true - type: array - timelinesToUpdate: - items: - $ref: '#/components/schemas/Security_Timeline_API_ImportTimelines' + description: Key-value inputs for the workflow execution. + type: object + metadata: + additionalProperties: nullable: true - type: array + description: Optional metadata for the execution. + type: object required: - - timelinesToInstall - - timelinesToUpdate - - prepackagedTimelines - description: The Timelines to install or update. - required: true + - inputs responses: '200': content: application/json: examples: - installResult: - summary: Install result counts - value: - errors: [] - success: true - success_count: 10 - timelines_installed: 8 - timelines_updated: 2 - schema: - $ref: >- - #/components/schemas/Security_Timeline_API_ImportTimelineResult - description: Indicates a successful call. 
- '500': - content: - application/json: - examples: - serverError: - summary: Server error + runWorkflowResponseExample: + description: Example response returning the execution ID value: - body: Internal error - statusCode: 500 - schema: - type: object - properties: - body: - type: string - statusCode: - type: number - description: >- - Indicates the installation of prepackaged Timelines was - unsuccessful. - summary: Install prepackaged Timelines + workflowExecutionId: exec-a1b2c3d4-e5f6-7890 + description: Indicates a successful response + summary: Run a workflow tags: - - Security Timeline API - - access:securitySolution - /api/timeline/resolve: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/workflows/workflow/{id}/run" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" \ + -H "Content-Type: application/json" \ + -d '{ + "inputs": { + "message": "hello from the API" + } + }' + - lang: Console + source: | + POST kbn://api/workflows/workflow/{id}/run + { + "inputs": { + "message": "hello from the API" + } + } + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/workflows/workflow/{workflowId}/executions: get: - description: >- - Resolve a Timeline or Timeline template, surfacing outcomes such as - `exactMatch`, `aliasMatch`, or `conflict` when object IDs have been - remapped during upgrades or imports. Provide **either** `id` for default - Timelines or `template_timeline_id` for templates. - operationId: ResolveTimeline + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/workflows/workflow/{workflowId}/executions
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve a paginated list of executions for a specific workflow.

[Required authorization] Route required privileges: workflowsManagement:readExecution. + operationId: get-workflows-workflow-workflowid-executions parameters: - - description: The ID of the template timeline to resolve + - description: Workflow ID + in: path + name: workflowId + required: true + schema: + type: string + - description: Filter by execution status. in: query - name: template_timeline_id + name: statuses + required: false + schema: + items: + enum: + - pending + - waiting + - waiting_for_input + - waiting_for_child + - running + - completed + - failed + - cancelled + - timed_out + - skipped + type: string + maxItems: 10 + type: array + - description: Filter by execution type. + in: query + name: executionTypes + required: false + schema: + items: + enum: + - test + - production + type: string + maxItems: 2 + type: array + - description: Filter by the user who triggered the execution. + in: query + name: executedBy + required: false + schema: + items: + type: string + maxItems: 100 + type: array + - description: Filter by evaluated concurrency group key. + in: query + name: concurrencyGroupKey + required: false schema: type: string - - description: The ID of the timeline to resolve + - description: Whether to exclude step-level execution data. in: query - name: id + name: omitStepRuns + required: false + schema: + type: boolean + - description: Datemath lower bound for filtering executions by finishedAt (inclusive when parsed). + in: query + name: finishedAfter + required: false schema: type: string - responses: - '200': - content: - application/json: - examples: - exactMatch: - description: Timeline resolved without alias or conflict - summary: Exact match outcome - value: - outcome: exactMatch - timeline: - savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - timelineType: default - title: Investigation - schema: - $ref: '#/components/schemas/Security_Timeline_API_ResolvedTimeline' - description: Indicates a successful call. 
- '400': - content: - application/json: - examples: - badRequest: - summary: Bad request - value: {} - schema: - additionalProperties: true - type: object - description: Bad Request response. - '404': - content: - application/json: - examples: - notFound: - summary: Not found - value: {} - schema: - additionalProperties: true - type: object - description: The (template) Timeline was not found - summary: Resolve a Timeline or Timeline template - tags: - - Security Timeline API - - access:securitySolution - /api/timelines: - get: - description: Get a list of all saved Timelines or Timeline templates. - operationId: GetTimelines - parameters: - - description: >- - If `true`, only Timelines that the current user has marked as - favorite are returned. + - description: Datemath upper bound for filtering executions by finishedAt (inclusive when parsed with roundUp). in: query - name: only_user_favorite + name: finishedBefore + required: false schema: - enum: - - 'true' - - 'false' - nullable: true type: string - - description: >- - Restrict results to `default` investigation timelines or `template` - timeline templates. + - description: Field to collapse execution results by. in: query - name: timeline_type + name: collapse + required: false schema: - $ref: '#/components/schemas/Security_Timeline_API_TimelineType' - nullable: true - - description: >- - Field used to sort the list (`title`, `description`, `updated`, or - `created`). + enum: + - concurrencyGroupKey + - status + - executedBy + - triggeredBy + type: string + - description: Field to sort executions by. in: query - name: sort_field + name: sortField + required: false schema: - $ref: '#/components/schemas/Security_Timeline_API_SortFieldTimeline' - - description: Whether to sort the results `ascending` or `descending` + enum: + - createdAt + - finishedAt + type: string + - description: Sort order. 
in: query - name: sort_order + name: sortOrder + required: false schema: enum: - asc - desc type: string - - description: How many results should returned at once + - description: Page number. in: query - name: page_size + name: page + required: false schema: - nullable: true - type: string - - description: How many pages should be skipped + minimum: 1 + type: number + - description: Number of results per page. in: query - name: page_index + name: size + required: false schema: - nullable: true - type: string - - description: Allows to search for timelines by their title + maximum: 100 + minimum: 1 + type: number + - description: Datemath lower bound for filtering executions by startedAt (inclusive when parsed). in: query - name: search + name: startedAfter + required: false schema: - nullable: true type: string - - description: >- - Filter by timeline lifecycle state (`active`, `draft`, or - `immutable`). + - description: Datemath upper bound for filtering executions by startedAt (inclusive when parsed with roundUp). 
in: query - name: status + name: startedBefore + required: false schema: - $ref: '#/components/schemas/Security_Timeline_API_TimelineStatus' - nullable: true + type: string responses: '200': content: application/json: examples: - timelineList: - summary: Example list response - value: - customTemplateTimelineCount: 0 - defaultTimelineCount: 1 - elasticTemplateTimelineCount: 0 - favoriteCount: 0 - templateTimelineCount: 0 - timeline: - - savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - status: active - timelineType: default - title: Phishing investigation - updated: 1741344876825 - version: WzE0LDFd - totalCount: 1 - schema: - type: object - properties: - customTemplateTimelineCount: - description: The amount of custom Timeline templates in the results - example: 2 - type: number - defaultTimelineCount: - description: The amount of `default` type Timelines in the results - example: 90 - type: number - elasticTemplateTimelineCount: - description: The amount of Elastic's Timeline templates in the results - example: 8 - type: number - favoriteCount: - description: The amount of favorited Timelines - example: 5 - type: number - templateTimelineCount: - description: The amount of Timeline templates in the results - example: 10 - type: number - timeline: - items: - $ref: >- - #/components/schemas/Security_Timeline_API_TimelineResponse - type: array - totalCount: - description: The total amount of results - example: 100 - type: number - required: - - timeline - - totalCount - description: Indicates a successful call. - '400': - content: - application/json: - examples: - badRequest: - summary: Error response body + getWorkflowExecutionsResponseExample: + description: Example response returning a paginated list of executions for a workflow value: - body: get timeline error - statusCode: 400 - schema: - type: object - properties: - body: - description: The error message. 
- example: get timeline error - type: string - statusCode: - example: 400 - type: number - description: Bad Request response. - summary: Get Timelines or Timeline templates + page: 1 + results: + - duration: 3000 + error: null + executedBy: elastic + finishedAt: '2025-11-20T12:00:03.000Z' + id: exec-001 + isTestRun: false + spaceId: default + startedAt: '2025-11-20T12:00:00.000Z' + status: completed + triggeredBy: manual + workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + - duration: 2000 + error: + message: Step 'hello_world_step' failed + executedBy: elastic + finishedAt: '2025-11-20T13:00:02.000Z' + id: exec-002 + isTestRun: false + spaceId: default + startedAt: '2025-11-20T13:00:00.000Z' + status: failed + triggeredBy: manual + workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + size: 20 + total: 2 + description: Indicates a successful response + summary: Get workflow executions tags: - - Security Timeline API - - access:securitySolution - /api/upgrade_assistant/status: - get: - description: Check the status of your cluster. - operationId: get-upgrade-status + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/workflows/workflow/{workflowId}/executions?page=1&size=20" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/workflows/workflow/{workflowId}/executions?page=1&size=20&startedAfter=now-1d&startedBefore=now + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/workflows/workflow/{workflowId}/executions/cancel: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/workflows/workflow/{workflowId}/executions/cancel
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Request cancellation for all non-terminal executions of the given workflow in the current space.

[Required authorization] Route required privileges: workflowsManagement:cancelExecution. + operationId: post-workflows-workflow-workflowid-executions-cancel + parameters: + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: Workflow ID + in: path + name: workflowId + required: true + schema: + type: string responses: '200': - content: - application/json: - examples: - getUpgradeStatusResponseExample1: - value: |- - { - "readyForUpgrade": false, - "cluster": [ - { - "message": "Cluster deprecated issue", - "details":"You have 2 system indices that must be migrated and 5 Elasticsearch deprecation issues and 0 Kibana deprecation issues that must be resolved before upgrading." - } - ] - } - description: Indicates a successful call. - summary: Get the upgrade readiness status + description: Indicates a successful response + summary: Cancel all active workflow executions tags: - - upgrade - x-state: Technical Preview - /api/uptime/settings: + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X POST "${KIBANA_URL}/api/workflows/workflow/{workflowId}/executions/cancel" \ + -H "Authorization: ApiKey ${API_KEY}" \ + -H "kbn-xsrf: true" + - lang: Console + source: | + POST kbn://api/workflows/workflow/{workflowId}/executions/cancel + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name + /api/workflows/workflow/{workflowId}/executions/steps: get: - description: > - You must have `read` privileges for the uptime feature in the - Observability section of the Kibana feature privileges. 
- operationId: get-uptime-settings - responses: - '200': - content: - application/json: - examples: - getUptimeSettingsResponseExample1: - value: |- - { - "heartbeatIndices": "heartbeat-8*", - "certExpirationThreshold": 30, - "certAgeThreshold": 730, - "defaultConnectors": [ - "08990f40-09c5-11ee-97ae-912b222b13d4", - "db25f830-2318-11ee-9391-6b0c030836d6" - ], - "defaultEmail": { - "to": [], - "cc": [], - "bcc": [] - } - } - schema: - type: object - description: Indicates a successful call - summary: Get uptime settings - tags: - - uptime - put: - description: > - Update uptime setting attributes like `heartbeatIndices`, - `certExpirationThreshold`, `certAgeThreshold`, `defaultConnectors`, or - `defaultEmail`. You must have `all` privileges for the uptime feature in - the Observability section of the Kibana feature privileges. A partial - update is supported, provided settings keys will be merged with existing - settings. - operationId: put-uptime-settings - requestBody: - content: - application/json: - examples: - putUptimeSettingsRequestExample1: - description: >- - Run `PUT api/uptime/settings` to update multiple Uptime - settings. - summary: Update multiple settings - value: |- - { - "heartbeatIndices": "heartbeat-8*", - "certExpirationThreshold": 30, - "certAgeThreshold": 730, - "defaultConnectors": [ - "08990f40-09c5-11ee-97ae-912b222b13d4", - "db25f830-2318-11ee-9391-6b0c030836d6" - ], - "defaultEmail": { - "to": [], - "cc": [], - "bcc": [] - } - } - putUptimeSettingsRequestExample2: - description: >- - Run `PUT api/uptime/settings` to update a single Uptime - setting. - summary: Update a setting - value: |- - { - "heartbeatIndices": "heartbeat-8*", - } - schema: - type: object - properties: - certAgeThreshold: - default: 730 - description: >- - The number of days after a certificate is created to trigger - an alert. 
- type: number - certExpirationThreshold: - default: 30 - description: >- - The number of days before a certificate expires to trigger - an alert. - type: number - defaultConnectors: - default: [] - description: >- - A list of connector IDs to be used as default connectors for - new alerts. - items: - type: string - type: array - defaultEmail: - description: | - The default email configuration for new alerts. - type: object - properties: - bcc: - default: [] - items: - type: string - type: array - cc: - default: [] - items: - type: string - type: array - to: - default: [] - items: - type: string - type: array - heartbeatIndices: - default: heartbeat-* - description: > - An index pattern string to be used within the Uptime app and - alerts to query Heartbeat data. - type: string + description: |- + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/workflows/workflow/{workflowId}/executions/steps
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Retrieve a paginated list of step-level execution records for a specific workflow. Optionally filter by step ID and include input or output data.

[Required authorization] Route required privileges: workflowsManagement:readExecution. + operationId: get-workflows-workflow-workflowid-executions-steps + parameters: + - description: Workflow ID + in: path + name: workflowId + required: true + schema: + type: string + - description: Filter by step ID. + in: query + name: stepId + required: false + schema: + type: string + - description: Include step input data. + in: query + name: includeInput + required: false + schema: + type: boolean + - description: Include step output data. + in: query + name: includeOutput + required: false + schema: + type: boolean + - description: Page number for pagination. + in: query + name: page + required: false + schema: + minimum: 1 + type: number + - description: Number of results per page. + in: query + name: size + required: false + schema: + maximum: 100 + minimum: 1 + type: number + - description: Datemath lower bound for filtering step executions by startedAt (inclusive when parsed). + in: query + name: startedAfter + required: false + schema: + type: string + - description: Datemath upper bound for filtering step executions by startedAt (inclusive when parsed with roundUp). + in: query + name: startedBefore + required: false + schema: + type: string responses: '200': content: application/json: examples: - putUptimeSettingsResponseExample1: - description: A successful response from `PUT api/uptime/settings`. 
- value: |- - { - "heartbeatIndices": "heartbeat-8*", - "certExpirationThreshold": 30, - "certAgeThreshold": 730, - "defaultConnectors": [ - "08990f40-09c5-11ee-97ae-912b222b13d4", - "db25f830-2318-11ee-9391-6b0c030836d6" - ], - "defaultEmail": { - "to": [], - "cc": [], - "bcc": [] - } - } - schema: - type: object - description: Indicates a successful call - summary: Update uptime settings + getWorkflowStepExecutionsResponseExample: + description: Example response returning step execution records for a workflow + value: + results: + - executionTimeMs: 1000 + finishedAt: '2025-11-20T12:00:02.000Z' + globalExecutionIndex: 0 + id: step-exec-001 + input: + message: hello world + isTestRun: false + scopeStack: [] + spaceId: default + startedAt: '2025-11-20T12:00:01.000Z' + status: completed + stepExecutionIndex: 0 + stepId: hello_world_step + stepType: console + topologicalIndex: 0 + workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890 + workflowRunId: exec-001 + total: 1 + description: Indicates a successful response + summary: Get workflow step executions tags: - - uptime + - workflows + x-codeSamples: + - lang: curl + source: | + curl \ + -X GET "${KIBANA_URL}/api/workflows/workflow/{workflowId}/executions/steps?includeInput=true" \ + -H "Authorization: ApiKey ${API_KEY}" + - lang: Console + source: | + GET kbn://api/workflows/workflow/{workflowId}/executions/steps?includeInput=true + x-state: Generally available; added in 9.4.0 + x-metaTags: + - content: Kibana + name: product_name /s/{spaceId}/api/observability/slos: get: - description: > - You must have the `read` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. + description: | + You must have the `read` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. operationId: findSlosOp parameters: - $ref: '#/components/parameters/SLOs_kbn_xsrf' 
@@ -46544,18 +71183,14 @@ paths: name: kqlQuery schema: type: string - - description: >- - The page size to use for cursor-based pagination, must be greater or - equal than 1 + - description: The page size to use for cursor-based pagination, must be greater or equal than 1 example: 1 in: query name: size schema: default: 1 type: integer - - description: >- - The cursor to use for fetching the results from, when using a - cursor-base pagination. + - description: The cursor to use for fetching the results from, when using a cursor-base pagination. in: query name: searchAfter schema: @@ -46599,9 +71234,7 @@ paths: - asc - desc type: string - - description: >- - Hide stale SLOs from the list as defined by stale SLO threshold in - SLO settings + - description: Hide stale SLOs from the list as defined by stale SLO threshold in SLO settings in: query name: hideStale schema: @@ -46625,9 +71258,7 @@ paths: id: 8853df00-ae2e-11ed-90af-09bb6422b258 indicator: params: - filter: >- - field.environment : "production" and service.name - : "my-service" + filter: 'field.environment : "production" and service.name : "my-service"' good: 'request.status_code : "2xx"' index: logs-* timestampField: '@timestamp' @@ -46682,9 +71313,7 @@ paths: summary: Unauthorized value: error: Unauthorized - message: >- - security_exception: unable to authenticate user for REST - request [/api/observability/slos] + message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' statusCode: 401 schema: $ref: '#/components/schemas/SLOs_401_response' @@ -46697,9 +71326,7 @@ paths: summary: Forbidden value: error: Forbidden - message: >- - security_exception: action [slo_read] is unauthorized for - user + message: 'security_exception: action [slo_read] is unauthorized for user' statusCode: 403 schema: $ref: '#/components/schemas/SLOs_403_response' 
@@ -46720,10 +71347,12 @@ paths: summary: Get a paginated list of SLOs tags: - slo + x-metaTags: + - content: Kibana + name: product_name post: - description: > - You must have `all` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. + description: | + You must have `all` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. operationId: createSloOp parameters: - $ref: '#/components/parameters/SLOs_kbn_xsrf' @@ -46736,14 +71365,10 @@ paths: summary: Create an SLO with a KQL indicator value: budgetingMethod: occurrences - description: >- - Availability of my web service measured by successful HTTP - responses + description: Availability of my web service measured by successful HTTP responses indicator: params: - filter: >- - field.environment : "production" and service.name : - "my-service" + filter: 'field.environment : "production" and service.name : "my-service"' good: 'request.status_code : "2xx"' index: logs-* timestampField: '@timestamp' @@ -46797,9 +71422,7 @@ paths: summary: Unauthorized value: error: Unauthorized - message: >- - security_exception: unable to authenticate user for REST - request [/api/observability/slos] + message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' statusCode: 401 schema: $ref: '#/components/schemas/SLOs_401_response' @@ -46812,9 +71435,7 @@ paths: summary: Forbidden value: error: Forbidden - message: >- - security_exception: action [slo_write] is unauthorized for - user + message: 'security_exception: action [slo_write] is unauthorized for user' statusCode: 403 schema: $ref: '#/components/schemas/SLOs_403_response' 
@@ -46835,13 +71456,13 @@ paths: summary: Create an SLO tags: - slo + x-metaTags: + - content: Kibana + name: product_name /s/{spaceId}/api/observability/slos/_bulk_delete: post: - description: > - Bulk delete SLO definitions and their associated summary and rollup - data. This endpoint initiates a bulk deletion operation for SLOs, which - may take some time to complete. The status of the operation can be - checked using the `GET /api/slo/_bulk_delete/{taskId}` endpoint. + description: | + Bulk delete SLO definitions and their associated summary and rollup data. This endpoint initiates a bulk deletion operation for SLOs, which may take some time to complete. The status of the operation can be checked using the `GET /api/slo/_bulk_delete/{taskId}` endpoint. operationId: bulkDeleteOp parameters: - $ref: '#/components/parameters/SLOs_kbn_xsrf' @@ -46892,9 +71513,7 @@ paths: summary: Unauthorized value: error: Unauthorized - message: >- - security_exception: unable to authenticate user for REST - request [/api/observability/slos] + message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' statusCode: 401 schema: $ref: '#/components/schemas/SLOs_401_response' 
@@ -46907,24 +71526,21 @@ paths: summary: Forbidden value: error: Forbidden - message: >- - security_exception: action [slo_write] is unauthorized for - user + message: 'security_exception: action [slo_write] is unauthorized for user' statusCode: 403 schema: $ref: '#/components/schemas/SLOs_403_response' description: Forbidden response - summary: >- - Bulk delete SLO definitions and their associated summary and rollup - data. + summary: Bulk delete SLO definitions and their associated summary and rollup data. tags: - slo + x-metaTags: + - content: Kibana + name: product_name /s/{spaceId}/api/observability/slos/_bulk_delete/{taskId}: get: - description: > - Retrieve the status of the bulk deletion operation for SLOs. This - endpoint returns the status of the bulk deletion operation, including - whether it is completed and the results of the operation. + description: | + Retrieve the status of the bulk deletion operation for SLOs. This endpoint returns the status of the bulk deletion operation, including whether it is completed and the results of the operation. operationId: bulkDeleteStatusOp parameters: - $ref: '#/components/parameters/SLOs_kbn_xsrf' @@ -46984,9 +71600,7 @@ paths: summary: Unauthorized value: error: Unauthorized - message: >- - security_exception: unable to authenticate user for REST - request [/api/observability/slos] + message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' statusCode: 401 schema: $ref: '#/components/schemas/SLOs_401_response' @@ -46999,9 +71613,7 @@ paths: summary: Forbidden value: error: Forbidden - message: >- - security_exception: action [slo_write] is unauthorized for - user + message: 'security_exception: action [slo_write] is unauthorized for user' statusCode: 403 schema: $ref: '#/components/schemas/SLOs_403_response' 
@@ -47009,12 +71621,13 @@ paths: summary: Retrieve the status of the bulk deletion tags: - slo + x-metaTags: + - content: Kibana + name: product_name /s/{spaceId}/api/observability/slos/_bulk_purge_rollup: post: - description: > - The deletion occurs for the specified list of `sloId`. You must have - `all` privileges for the **SLOs** feature in the **Observability** - section of the Kibana feature privileges. + description: | + The deletion occurs for the specified list of `sloId`. You must have `all` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. operationId: deleteRollupDataOp parameters: - $ref: '#/components/parameters/SLOs_kbn_xsrf' @@ -47076,9 +71689,7 @@ paths: summary: Unauthorized value: error: Unauthorized - message: >- - security_exception: unable to authenticate user for REST - request [/api/observability/slos] + message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' statusCode: 401 schema: $ref: '#/components/schemas/SLOs_401_response' @@ -47091,9 +71702,7 @@ paths: summary: Forbidden value: error: Forbidden - message: >- - security_exception: action [slo_write] is unauthorized for - user + message: 'security_exception: action [slo_write] is unauthorized for user' statusCode: 403 schema: $ref: '#/components/schemas/SLOs_403_response' 
@@ -47101,12 +71710,13 @@ paths: summary: Batch delete rollup and summary data tags: - slo + x-metaTags: + - content: Kibana + name: product_name /s/{spaceId}/api/observability/slos/_delete_instances: post: - description: > - The deletion occurs for the specified list of `sloId` and `instanceId`. - You must have `all` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. + description: | + The deletion occurs for the specified list of `sloId` and `instanceId`. You must have `all` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. operationId: deleteSloInstancesOp parameters: - $ref: '#/components/parameters/SLOs_kbn_xsrf' @@ -47150,9 +71760,7 @@ paths: summary: Unauthorized value: error: Unauthorized - message: >- - security_exception: unable to authenticate user for REST - request [/api/observability/slos] + message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' statusCode: 401 schema: $ref: '#/components/schemas/SLOs_401_response' @@ -47165,9 +71773,7 @@ paths: summary: Forbidden value: error: Forbidden - message: >- - security_exception: action [slo_write] is unauthorized for - user + message: 'security_exception: action [slo_write] is unauthorized for user' statusCode: 403 schema: $ref: '#/components/schemas/SLOs_403_response' @@ -47175,11 +71781,13 @@ paths: summary: Batch delete rollup and summary data tags: - slo + x-metaTags: + - content: Kibana + name: product_name /s/{spaceId}/api/observability/slos/{sloId}: delete: - description: > - You must have the `write` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. + description: | + You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. operationId: deleteSloOp parameters: - $ref: '#/components/parameters/SLOs_kbn_xsrf' 
@@ -47209,9 +71817,7 @@ paths: summary: Unauthorized value: error: Unauthorized - message: >- - security_exception: unable to authenticate user for REST - request [/api/observability/slos] + message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' statusCode: 401 schema: $ref: '#/components/schemas/SLOs_401_response' @@ -47224,9 +71830,7 @@ paths: summary: Forbidden value: error: Forbidden - message: >- - security_exception: action [slo_write] is unauthorized for - user + message: 'security_exception: action [slo_write] is unauthorized for user' statusCode: 403 schema: $ref: '#/components/schemas/SLOs_403_response' @@ -47247,10 +71851,12 @@ paths: summary: Delete an SLO tags: - slo + x-metaTags: + - content: Kibana + name: product_name get: - description: > - You must have the `read` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. + description: | + You must have the `read` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. operationId: getSloOp parameters: - $ref: '#/components/parameters/SLOs_kbn_xsrf' @@ -47278,9 +71884,7 @@ paths: id: 8853df00-ae2e-11ed-90af-09bb6422b258 indicator: params: - filter: >- - field.environment : "production" and service.name : - "my-service" + filter: 'field.environment : "production" and service.name : "my-service"' good: 'request.status_code : "2xx"' index: logs-* timestampField: '@timestamp' @@ -47334,9 +71938,7 @@ paths: summary: Unauthorized value: error: Unauthorized - message: >- - security_exception: unable to authenticate user for REST - request [/api/observability/slos] + message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' statusCode: 401 schema: $ref: '#/components/schemas/SLOs_401_response' 
@@ -47349,9 +71951,7 @@ paths: summary: Forbidden value: error: Forbidden - message: >- - security_exception: action [slo_read] is unauthorized for - user + message: 'security_exception: action [slo_read] is unauthorized for user' statusCode: 403 schema: $ref: '#/components/schemas/SLOs_403_response' @@ -47372,10 +71972,12 @@ paths: summary: Get an SLO tags: - slo + x-metaTags: + - content: Kibana + name: product_name put: - description: > - You must have the `write` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. + description: | + You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. operationId: updateSloOp parameters: - $ref: '#/components/parameters/SLOs_kbn_xsrf' @@ -47416,9 +72018,7 @@ paths: id: 8853df00-ae2e-11ed-90af-09bb6422b258 indicator: params: - filter: >- - field.environment : "production" and service.name : - "my-service" + filter: 'field.environment : "production" and service.name : "my-service"' good: 'request.status_code : "2xx"' index: logs-* timestampField: '@timestamp' @@ -47463,9 +72063,7 @@ paths: summary: Unauthorized value: error: Unauthorized - message: >- - security_exception: unable to authenticate user for REST - request [/api/observability/slos] + message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' statusCode: 401 schema: $ref: '#/components/schemas/SLOs_401_response' @@ -47478,9 +72076,7 @@ paths: summary: Forbidden value: error: Forbidden - message: >- - security_exception: action [slo_write] is unauthorized for - user + message: 'security_exception: action [slo_write] is unauthorized for user' statusCode: 403 schema: $ref: '#/components/schemas/SLOs_403_response' 
@@ -47501,11 +72097,13 @@ paths: summary: Update an SLO tags: - slo + x-metaTags: + - content: Kibana + name: product_name /s/{spaceId}/api/observability/slos/{sloId}/_reset: post: - description: > - You must have the `write` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. + description: | + You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. operationId: resetSloOp parameters: - $ref: '#/components/parameters/SLOs_kbn_xsrf' @@ -47527,9 +72125,7 @@ paths: id: 8853df00-ae2e-11ed-90af-09bb6422b258 indicator: params: - filter: >- - field.environment : "production" and service.name : - "my-service" + filter: 'field.environment : "production" and service.name : "my-service"' good: 'request.status_code : "2xx"' index: logs-* timestampField: '@timestamp' @@ -47574,9 +72170,7 @@ paths: summary: Unauthorized value: error: Unauthorized - message: >- - security_exception: unable to authenticate user for REST - request [/api/observability/slos] + message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' statusCode: 401 schema: $ref: '#/components/schemas/SLOs_401_response' @@ -47589,9 +72183,7 @@ paths: summary: Forbidden value: error: Forbidden - message: >- - security_exception: action [slo_write] is unauthorized for - user + message: 'security_exception: action [slo_write] is unauthorized for user' statusCode: 403 schema: $ref: '#/components/schemas/SLOs_403_response' 
@@ -47612,11 +72204,13 @@ paths: summary: Reset an SLO tags: - slo + x-metaTags: + - content: Kibana + name: product_name /s/{spaceId}/api/observability/slos/{sloId}/disable: post: - description: > - You must have the `write` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. + description: | + You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. operationId: disableSloOp parameters: - $ref: '#/components/parameters/SLOs_kbn_xsrf' @@ -47646,9 +72240,7 @@ paths: summary: Unauthorized value: error: Unauthorized - message: >- - security_exception: unable to authenticate user for REST - request [/api/observability/slos] + message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' statusCode: 401 schema: $ref: '#/components/schemas/SLOs_401_response' @@ -47661,9 +72253,7 @@ paths: summary: Forbidden value: error: Forbidden - message: >- - security_exception: action [slo_write] is unauthorized for - user + message: 'security_exception: action [slo_write] is unauthorized for user' statusCode: 403 schema: $ref: '#/components/schemas/SLOs_403_response' @@ -47684,11 +72274,13 @@ paths: summary: Disable an SLO tags: - slo + x-metaTags: + - content: Kibana + name: product_name /s/{spaceId}/api/observability/slos/{sloId}/enable: post: - description: > - You must have the `write` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. + description: | + You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. operationId: enableSloOp parameters: - $ref: '#/components/parameters/SLOs_kbn_xsrf' 
@@ -47718,9 +72310,7 @@ paths: summary: Unauthorized value: error: Unauthorized - message: >- - security_exception: unable to authenticate user for REST - request [/api/observability/slos] + message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]' statusCode: 401 schema: $ref: '#/components/schemas/SLOs_401_response' @@ -47733,9 +72323,7 @@ paths: summary: Forbidden value: error: Forbidden - message: >- - security_exception: action [slo_write] is unauthorized for - user + message: 'security_exception: action [slo_write] is unauthorized for user' statusCode: 403 schema: $ref: '#/components/schemas/SLOs_403_response' @@ -47756,18 +72344,18 @@ paths: summary: Enable an SLO tags: - slo + x-metaTags: + - content: Kibana + name: product_name /s/{spaceId}/internal/observability/slos/_definitions: get: - description: > - You must have the `read` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. + description: | + You must have the `read` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. operationId: getDefinitionsOp parameters: - $ref: '#/components/parameters/SLOs_kbn_xsrf' - $ref: '#/components/parameters/SLOs_space_id' - - description: >- - Indicates if the API returns only outdated SLO or all SLO - definitions + - description: Indicates if the API returns only outdated SLO or all SLO definitions in: query name: includeOutdatedOnly schema: 
@@ -47831,23 +72419,22 @@ paths: summary: Get the SLO definitions tags: - slo + x-metaTags: + - content: Kibana + name: product_name components: examples: Alerting_401_health_response: summary: Unauthorized response for the get alerting health API. value: error: Unauthorized - message: >- - [security_exception] missing authentication credentials for REST - request + message: '[security_exception] missing authentication credentials for REST request' statusCode: 401 Alerting_401_rule_types_response: summary: Unauthorized response for the get rule types API. value: error: Unauthorized - message: >- - [security_exception] missing authentication credentials for REST - request + message: '[security_exception] missing authentication credentials for REST request' statusCode: 401 Alerting_get_health_response: summary: Retrieve information about the health of the alerting framework. @@ -48086,9 +72673,7 @@ components: name: Recovered rule_task_timeout: 5m APM_UI_agent_configuration_environments_200_response1: - description: >- - An example of a successful response from `GET - /api/apm/settings/agent-configuration/environments`. + description: An example of a successful response from `GET /api/apm/settings/agent-configuration/environments`. value: environments: - alreadyConfigured: true 
@@ -48098,23 +72683,17 @@ components: - alreadyConfigured: false name: ALL_OPTION_VALUE APM_UI_agent_configuration_intake_object_delete_200_response1: - description: >- - An example of a successful response from `DELETE - /api/apm/settings/agent-configuration`. + description: An example of a successful response from `DELETE /api/apm/settings/agent-configuration`. value: result: deleted APM_UI_agent_configuration_intake_object_delete_request1: - description: >- - Run `DELETE /api/apm/settings/agent-configuration` to delete a - configuration. + description: Run `DELETE /api/apm/settings/agent-configuration` to delete a configuration. value: service: environment: production name: frontend APM_UI_agent_configuration_intake_object_get_200_response1: - description: >- - An example of a successful response from `GET - /api/apm/settings/agent-configuration`. + description: An example of a successful response from `GET /api/apm/settings/agent-configuration`. value: - '@timestamp': 1581934104843 agent_name: go @@ -48146,15 +72725,10 @@ components: settings: transaction_sample_rate: '1' APM_UI_agent_configuration_intake_object_put_200_response1: - description: >- - An example of a successful response from `PUT - /api/apm/settings/agent-configuration`. The response body is - intentionally empty. + description: An example of a successful response from `PUT /api/apm/settings/agent-configuration`. The response body is intentionally empty. value: {} APM_UI_agent_configuration_intake_object_put_request1: - description: >- - Run `PUT /api/apm/settings/agent-configuration` to create or update - configuration details. + description: Run `PUT /api/apm/settings/agent-configuration` to create or update configuration details. value: agent_name: nodejs service: 
@@ -48165,9 +72739,7 @@ components: transaction_max_spans: '500' transaction_sample_rate: '0.4' APM_UI_agent_configuration_intake_object_search_200_response1: - description: >- - An example of a successful response from `POST - /api/apm/settings/agent-configuration/search`. + description: An example of a successful response from `POST /api/apm/settings/agent-configuration/search`. value: _id: CIaqXXABmQCdPphWj8EJ _index: .apm-agent-configuration @@ -48182,18 +72754,14 @@ components: settings: transaction_sample_rate: '1' APM_UI_agent_configuration_intake_object_search_request1: - description: >- - Run `POST /api/apm/settings/agent-configuration/search` to search - configuration details. + description: Run `POST /api/apm/settings/agent-configuration/search` to search configuration details. value: etag: 1e58c178efeebae15c25c539da740d21dee422fc service: environment: production name: frontend APM_UI_agent_configuration_intake_object_view_200_response1: - description: >- - An example of a successful response from `GET - /api/apm/settings/agent-configuration/view`. + description: An example of a successful response from `GET /api/apm/settings/agent-configuration/view`. value: '@timestamp': 1582031336265 agent_name: nodejs @@ -48208,9 +72776,7 @@ components: transaction_max_spans: '500' transaction_sample_rate: '0.4' APM_UI_agent_keys_object_post_200_response1: - description: >- - An example of a successful response from `POST /api/apm/agent_keys`, - which creates an APM agent API key. + description: An example of a successful response from `POST /api/apm/agent_keys`, which creates an APM agent API key. value: agentKey: api_key: PjGloCGOTzaZr8ilUPvkjA 
@@ -48218,19 +72784,14 @@ components: id: 3DCLmn0B3ZMhLUa7WBG9 name: apm-key APM_UI_agent_keys_object_post_request1: - description: >- - Run `POST /api/apm/agent_keys` to create an APM agent API key with the - specified privileges. + description: Run `POST /api/apm/agent_keys` to create an APM agent API key with the specified privileges. value: name: apm-key privileges: - event:write - config_agent:read APM_UI_annotation_object_post_200_response1: - description: >- - An example of a successful response from `POST - /api/apm/services/opbeans-java/annotation`, which creates an annotation - for a service named `opbeans-java`. + description: An example of a successful response from `POST /api/apm/services/opbeans-java/annotation`, which creates an annotation for a service named `opbeans-java`. value: _id: Lc9I93EBh6DbmkeV7nFX _index: observability-annotations @@ -48253,9 +72814,7 @@ components: _version: 1 found: true APM_UI_annotation_object_post_request1: - description: >- - Run `POST /api/apm/services/{serviceName}/annotation` to create a - deployment annotation for a service. + description: Run `POST /api/apm/services/{serviceName}/annotation` to create a deployment annotation for a service. value: '@timestamp': '2024-01-15T12:00:00.000Z' message: Deployment 1.2.0 @@ -48266,10 +72825,7 @@ components: - apm - deployment APM_UI_annotation_search_get_200_response1: - description: >- - An example of a successful response from `GET - /api/apm/services/{serviceName}/annotation/search`, which returns the - annotations associated with a service over the given time range. + description: An example of a successful response from `GET /api/apm/services/{serviceName}/annotation/search`, which returns the annotations associated with a service over the given time range. value: annotations: - '@timestamp': 1735689600000 
@@ -48281,77 +72837,50 @@ components: text: opbeans-node@2.1.0 type: version APM_UI_error_400_response: - description: >- - An example of a 400 Bad Request response, returned when the request - payload or query parameters fail validation. + description: An example of a 400 Bad Request response, returned when the request payload or query parameters fail validation. value: error: Bad Request message: '[request body]: expected value of type [string] but got [undefined]' statusCode: 400 APM_UI_error_401_response: - description: >- - An example of a 401 Unauthorized response, returned when the request is - missing valid authentication credentials. + description: An example of a 401 Unauthorized response, returned when the request is missing valid authentication credentials. value: error: Unauthorized - message: >- - [security_exception]: missing authentication credentials for REST - request + message: '[security_exception]: missing authentication credentials for REST request' statusCode: 401 APM_UI_error_403_response: - description: >- - An example of a 403 Forbidden response, returned when the authenticated - user lacks the required APM and User Experience privileges. + description: An example of a 403 Forbidden response, returned when the authenticated user lacks the required APM and User Experience privileges. value: error: Forbidden - message: >- - Insufficient privileges to perform this action. The APM and User - Experience feature requires `all` privileges. + message: Insufficient privileges to perform this action. The APM and User Experience feature requires `all` privileges. statusCode: 403 APM_UI_error_404_response: - description: >- - An example of a 404 Not Found response, returned when the requested - resource does not exist or the feature is not available on the current - deployment. + description: An example of a 404 Not Found response, returned when the requested resource does not exist or the feature is not available on the current deployment. 
value: error: Not Found message: Not Found statusCode: 404 APM_UI_error_500_response: - description: >- - An example of a 500 Internal Server Error response, returned when an - unexpected error occurs while processing the request. + description: An example of a 500 Internal Server Error response, returned when an unexpected error occurs while processing the request. value: error: Internal Server Error - message: >- - An internal server error occurred. Check the Kibana server logs for - details. + message: An internal server error occurred. Check the Kibana server logs for details. statusCode: 500 APM_UI_error_501_response: - description: >- - An example of a 501 Not Implemented response, returned when the source - map feature is not available on the current deployment. + description: An example of a 501 Not Implemented response, returned when the source map feature is not available on the current deployment. value: error: Not Implemented message: Not Implemented statusCode: 501 APM_UI_fleet_apm_server_schema_200_response1: - description: >- - An example of a successful response from `POST - /api/apm/fleet/apm_server_schema`. The response body is intentionally - empty. + description: An example of a successful response from `POST /api/apm/fleet/apm_server_schema`. The response body is intentionally empty. value: {} APM_UI_service_agent_name_get_200_response1: - description: >- - An example of a successful response from `GET - /api/apm/settings/agent-configuration/agent_name`, which returns the - detected APM agent name for a service. + description: An example of a successful response from `GET /api/apm/settings/agent-configuration/agent_name`, which returns the detected APM agent name for a service. value: agentName: nodejs APM_UI_source_maps_delete_200_response1: - description: >- - An example of a successful response from `DELETE - /api/apm/sourcemaps/{id}`. The response body is intentionally empty. 
+ description: An example of a successful response from `DELETE /api/apm/sourcemaps/{id}`. The response body is intentionally empty. value: {} APM_UI_source_maps_get_200_response1: description: A successful response from `GET /api/apm/sourcemaps`. @@ -48381,18 +72910,15 @@ components: encodedSha256: 024c72749c3e3dd411b103f7040ae62633558608f480bce4b108cf5b2275bd24 encodedSize: 237 encryptionAlgorithm: none - id: >- - apm:foo-1.0.0-644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 + id: apm:foo-1.0.0-644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 identifier: foo-1.0.0 packageName: apm - relative_url: >- - /api/fleet/artifacts/foo-1.0.0/644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 + relative_url: /api/fleet/artifacts/foo-1.0.0/644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 type: sourcemap APM_UI_source_maps_upload_200_response1: description: A successful response from `POST /api/apm/sourcemaps`. value: - body: >- - eJyFkL1OwzAUhd/Fc+MbYMuCEBIbHRjKgBgc96R16tiWr1OQqr47NwqJxEK3q/PzWccXxchnZ7E1A1SjuhjVZtF2yOxiEPlO17oWox3D3uPFeSRTjmJQARfCPeiAgGx8NTKsYdAc1T3rwaSJGcds8Sp3c1HnhfywUZ3QhMTFFGepZxqMC9oex3CS9tpk1XyozgOlmoVKuJX1DqEQZ0su7PGtLU+V/3JPKc3cL7TJ2FNDRPov4bFta3MDM4f7W69lpJjLO9qdK8bzVPhcJz3HUCQ4LbO/p5hCSC4cZPByrp/wFqOklbpefwAhzpqI + body: eJyFkL1OwzAUhd/Fc+MbYMuCEBIbHRjKgBgc96R16tiWr1OQqr47NwqJxEK3q/PzWccXxchnZ7E1A1SjuhjVZtF2yOxiEPlO17oWox3D3uPFeSRTjmJQARfCPeiAgGx8NTKsYdAc1T3rwaSJGcds8Sp3c1HnhfywUZ3QhMTFFGepZxqMC9oex3CS9tpk1XyozgOlmoVKuJX1DqEQZ0su7PGtLU+V/3JPKc3cL7TJ2FNDRPov4bFta3MDM4f7W69lpJjLO9qdK8bzVPhcJz3HUCQ4LbO/p5hCSC4cZPByrp/wFqOklbpefwAhzpqI compressionAlgorithm: zlib created: '2021-07-09T20:47:44.812Z' decodedSha256: 644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 
@@ -48400,26 +72926,20 @@ components: encodedSha256: 024c72749c3e3dd411b103f7040ae62633558608f480bce4b108cf5b2275bd24 encodedSize: 237 encryptionAlgorithm: none - id: >- - apm:foo-1.0.0-644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 + id: apm:foo-1.0.0-644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 identifier: foo-1.0.0 packageName: apm - relative_url: >- - /api/fleet/artifacts/foo-1.0.0/644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 + relative_url: /api/fleet/artifacts/foo-1.0.0/644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 type: sourcemap APM_UI_source_maps_upload_request1: - description: > - An example of a multipart/form-data request body for `POST - /api/apm/sourcemaps`. - - Each field is a separate form part; `sourcemap` is the source map file - content (typically uploaded as a file). + description: | + An example of a multipart/form-data request body for `POST /api/apm/sourcemaps`. + Each field is a separate form part; `sourcemap` is the source map file content (typically uploaded as a file). value: bundle_filepath: /test/e2e/general-usecase/bundle.js.map service_name: opbeans-node service_version: 1.0.0 - sourcemap: >- - {"version":3,"sources":["bundle.js"],"names":[],"mappings":"AAAA","file":"bundle.js","sourcesContent":["console.log('hello');"]} + sourcemap: '{"version":3,"sources":["bundle.js"],"names":[],"mappings":"AAAA","file":"bundle.js","sourcesContent":["console.log(''hello'');"]}' Cases_add_comment_request: summary: Adds a comment to a case. value: @@ -48427,9 +72947,7 @@ components: owner: cases type: user Cases_add_comment_response: - summary: >- - The add comment to case API returns a JSON object that contains details - about the case and its comments. + summary: The add comment to case API returns a JSON object that contains details about the case and its comments. value: assignees: [] category: null 
@@ -48517,9 +73035,7 @@ components: - tag-1 title: Case title 1 Cases_create_case_response: - summary: >- - The create case API returns a JSON object that contains details about - the case. + summary: The create case API returns a JSON object that contains details about the case. value: assignees: [] closed_at: null @@ -48665,9 +73181,7 @@ components: per_page: 20 total: 1 Cases_find_case_response: - summary: >- - Retrieve the first five cases with the `tag-1` tag, in ascending order - by last update time. + summary: Retrieve the first five cases with the `tag-1` tag, in ascending order by last update time. value: cases: - assignees: [] @@ -48798,9 +73312,7 @@ components: updated_by: null version: WzEyLDNd Cases_get_case_observability_response: - summary: >- - Get case response (Observability). Comments are not included; use the - find case comments API. totalComment reflects the actual count. + summary: Get case response (Observability). Comments are not included; use the find case comments API. totalComment reflects the actual count. value: assignees: - uid: u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0 @@ -48845,9 +73357,7 @@ components: username: elastic version: WzI0NywyXQ== Cases_get_case_response: - summary: >- - Get case response. Comments are not included; use the find case comments - API. totalComment reflects the actual count. + summary: Get case response. Comments are not included; use the find case comments API. totalComment reflects the actual count. value: assignees: - uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 @@ -48935,9 +73445,7 @@ components: - tag 1 - tag 2 Cases_push_case_response: - summary: >- - The push case API returns a JSON object with details about the case and - the external service. + summary: The push case API returns a JSON object with details about the case and the external service. value: assignees: [] category: null 
@@ -49001,9 +73509,7 @@ components: message: Unable to authenticate with the provided credentials. statusCode: 401 Cases_set_case_configuration_request: - summary: >- - Set the closure type, custom fields, and default connector for Stack - Management cases. + summary: Set the closure type, custom fields, and default connector for Stack Management cases. value: closure_type: close-by-user connector: @@ -49191,9 +73697,7 @@ components: - tag-1 version: WzIzLDFd Cases_update_case_response: - summary: >- - This is an example response when the case description, tags, and - connector were updated. + summary: This is an example response when the case description, tags, and connector were updated. value: - assignees: [] category: null @@ -49265,9 +73769,7 @@ components: type: user version: Wzk1LDFd Cases_update_comment_response: - summary: >- - The add comment to case API returns a JSON object that contains details - about the case and its comments. + summary: The add comment to case API returns a JSON object that contains details about the case and its comments. value: assignees: [] category: null @@ -49334,9 +73836,7 @@ components: username: elastic version: WzIwNjM2LDFd Data_views_create_data_view_request: - description: >- - Create a data view for logstash indices that includes a runtime field - which extracts the shape name from a source field. + description: Create a data view for logstash indices that includes a runtime field which extracts the shape name from a source field. summary: Create a data view with runtime fields. value: data_view: 
@@ -49348,12 +73848,8 @@ components: type: keyword title: logstash-* Data_views_create_data_view_response: - description: >- - The response includes the full data view specification, including - auto-generated fields such as the unique identifier and version. - summary: >- - The create data view API returns a JSON object that contains details - about the new data view. + description: The response includes the full data view specification, including auto-generated fields such as the unique identifier and version. + summary: The create data view API returns a JSON object that contains details about the new data view. value: data_view: allowNoIndex: false @@ -49391,9 +73887,7 @@ components: typeMeta: {} version: WzQ5LDJd Data_views_create_runtime_field_request: - description: >- - Create a long-type runtime field that emits a value derived from the foo - source field. + description: Create a long-type runtime field that emits a value derived from the foo source field. summary: Create a runtime field. value: name: runtimeFoo 
@@ -49402,46 +73896,30 @@ components: source: emit(doc["foo"].value) type: long Data_views_create_runtime_field_response: - description: >- - The response includes the newly created runtime field as an array and - the full updated data view object. - summary: >- - The API returns created runtime field object array and updated data view - object. + description: The response includes the newly created runtime field as an array and the full updated data view object. + summary: The API returns created runtime field object array and updated data view object. value: data_view: ...: null fields: - ... Data_views_error_400_response: - description: >- - The request was rejected because the payload or query parameters are - missing required fields or contain invalid values. + description: The request was rejected because the payload or query parameters are missing required fields or contain invalid values. summary: A bad request response. value: error: Bad Request - message: >- - [request body.data_view.title]: expected value of type [string] but - got [undefined] + message: '[request body.data_view.title]: expected value of type [string] but got [undefined]' statusCode: 400 Data_views_error_404_response: - description: >- - The requested data view or runtime field was not found in the current - Kibana space. + description: The requested data view or runtime field was not found in the current Kibana space. summary: A not found response. value: error: Not Found - message: >- - Saved object [index-pattern/caaad6d0-920c-11ed-b36a-874bd1548a00] not - found + message: Saved object [index-pattern/caaad6d0-920c-11ed-b36a-874bd1548a00] not found statusCode: 404 Data_views_get_data_view_response: - description: >- - A complete data view object including all fields, runtime fields, and - metadata. - summary: >- - The get data view API returns a JSON object that contains information - about the data view. 
+ description: A complete data view object including all fields, runtime fields, and metadata. + summary: The get data view API returns a JSON object that contains information about the data view. value: data_view: allowNoIndex: false @@ -50368,9 +74846,7 @@ components: typeMeta: {} version: WzUsMV0= Data_views_get_data_views_response: - description: >- - A list of available data views including their identifiers, names, and - index patterns. + description: A list of available data views including their identifiers, names, and index patterns. summary: The get all data views API returns a list of data views. value: data_view: @@ -50397,10 +74873,7 @@ components: data_view_id: ff959d40-b880-11e8-a6d9-e546fe2bba5f Data_views_get_runtime_field_response: description: The runtime field definition along with the parent data view. - summary: >- - The get runtime field API returns a JSON object that contains - information about the runtime field (`hour_of_day`) and the data view - (`d3d7af60-4c81-11e8-b3d7-01146121b73d`). + summary: The get runtime field API returns a JSON object that contains information about the runtime field (`hour_of_day`) and the data view (`d3d7af60-4c81-11e8-b3d7-01146121b73d`). value: data_view: allowNoIndex: false 
@@ -50899,17 +75372,13 @@ components: shortDotsEnable: false type: number Data_views_preview_swap_data_view_request: - description: >- - Preview the saved objects that would be affected by swapping references - from one data view to another. + description: Preview the saved objects that would be affected by swapping references from one data view to another. summary: Preview swapping references from data view ID "abcd-efg" to "xyz-123". value: fromId: abcd-efg toId: xyz-123 Data_views_preview_swap_data_view_response: - description: >- - The result array lists every saved object that references the source - data view. No saved objects are modified by the preview endpoint. + description: The result array lists every saved object that references the source data view. No saved objects are modified by the preview endpoint. summary: A preview of saved objects that would be affected by a data view swap. value: result: 
@@ -50918,35 +75387,25 @@ components: - id: edf84fe0-e1a0-11e7-b6d5-4dc382ef7f5b type: dashboard Data_views_set_default_data_view_request: - description: >- - Set the default data view, using the force flag to overwrite an existing - default. + description: Set the default data view, using the force flag to overwrite an existing default. summary: Set the default data view identifier. value: data_view_id: ff959d40-b880-11e8-a6d9-e546fe2bba5f force: true Data_views_set_default_data_view_response: - description: >- - The acknowledged flag confirms that the default data view for the - current Kibana space was updated. + description: The acknowledged flag confirms that the default data view for the current Kibana space was updated. summary: The default data view was set successfully. value: acknowledged: true Data_views_swap_data_view_request: - description: >- - Swap all saved object references from one data view to another and - delete the source data view afterward. - summary: >- - Swap references from data view ID "abcd-efg" to "xyz-123" and remove the - data view that is no longer referenced. + description: Swap all saved object references from one data view to another and delete the source data view afterward. + summary: Swap references from data view ID "abcd-efg" to "xyz-123" and remove the data view that is no longer referenced. value: delete: true fromId: abcd-efg toId: xyz-123 Data_views_swap_data_view_response: - description: >- - The list of saved objects whose references were updated, along with the - delete status of the source. + description: The list of saved objects whose references were updated, along with the delete status of the source. summary: The swap references API returns a list of the affected saved objects. value: deleteStatus: 
@@ -50956,9 +75415,7 @@ components: - id: '123' type: visualization Data_views_update_data_view_request: - description: >- - Update the title, time field, and other properties of an existing data - view. + description: Update the title, time field, and other properties of an existing data view. summary: Update some properties for a data view. value: data_view: @@ -50968,9 +75425,7 @@ components: title: kibana_sample_data_ecommerce refresh_fields: true Data_views_update_field_metadata_request: - description: >- - Update the popularity count, custom label, and custom description for - specific fields in a data view. + description: Update the popularity count, custom label, and custom description for specific fields in a data view. summary: Update metadata for multiple fields. value: fields: @@ -50981,9 +75436,7 @@ components: customDescription: Field 2 description customLabel: Field 2 label Data_views_update_field_metadata_response: - description: >- - The acknowledged flag confirms that the field metadata changes were - applied to the data view. + description: The acknowledged flag confirms that the field metadata changes were applied to the data view. summary: Field metadata was updated successfully. value: acknowledged: true 
@@ -51047,10 +75500,8 @@ components: } Observability_AI_Assistant_API_ChatCompleteResponseExample: summary: Get a chat completion from the Observability AI Assistant - value: > - data: - {"model":"unknown","choices":[{"delta":{"content":"","function_call":{"name":"get_cluster_health","arguments":"{\"includeShardStats\":true}"}},"finish_reason":null,"index":0}],"created":1750936626911,"id":"9c8eff9b-4fd4-4203-a4ab-2e364688deff","object":"chat.completion.chunk"} - + value: | + data: {"model":"unknown","choices":[{"delta":{"content":"","function_call":{"name":"get_cluster_health","arguments":"{\"includeShardStats\":true}"}},"finish_reason":null,"index":0}],"created":1750936626911,"id":"9c8eff9b-4fd4-4203-a4ab-2e364688deff","object":"chat.completion.chunk"} data: [DONE] Saved_objects_key_rotation_response: 
@@ -52290,6 +76741,893 @@ components: } } } + get_connector_types_generativeai_response: + summary: A list of connector types for the `generativeAI` feature. + value: + - id: .gen-ai + name: OpenAI + enabled: true + enabled_in_config: true + enabled_in_license: true + minimum_license_required: enterprise + supported_feature_ids: + - generativeAIForSecurity + - generativeAIForObservability + - generativeAIForSearchPlayground + is_system_action_type: false + - id: .bedrock + name: AWS Bedrock + enabled: true + enabled_in_config: true + enabled_in_license: true + minimum_license_required: enterprise + supported_feature_ids: + - generativeAIForSecurity + - generativeAIForObservability + - generativeAIForSearchPlayground + is_system_action_type: false + - id: .gemini + name: Google Gemini + enabled: true + enabled_in_config: true + enabled_in_license: true + minimum_license_required: enterprise + supported_feature_ids: + - generativeAIForSecurity + is_system_action_type: false + get_connector_response: + summary: Get connector details. + value: + id: df770e30-8b8b-11ed-a780-3b746c987a81 + name: my_server_log_connector + config: {} + connector_type_id: .server-log + is_preconfigured: false + is_deprecated: false + is_missing_secrets: false + is_system_action: false + update_index_connector_request: + summary: Update an index connector. + value: + name: updated-connector + config: + index: updated-index + create_email_connector_request: + summary: Create an email connector. + value: + name: email-connector-1 + connector_type_id: .email + config: + from: tester@example.com + hasAuth: true + host: https://example.com + port: 1025 + secure: false + service: other + secrets: + user: username + password: password + create_index_connector_request: + summary: Create an index connector. + value: + name: my-connector + connector_type_id: .index + config: + index: test-index + create_webhook_connector_request: + summary: Create a webhook connector with SSL authentication. 
+ value: + name: my-webhook-connector + connector_type_id: .webhook + config: + method: post + url: https://example.com + authType: webhook-authentication-ssl + certType: ssl-crt-key + secrets: + crt: QmFnIEF0dH... + key: LS0tLS1CRUdJ... + password: my-passphrase + create_xmatters_connector_request: + summary: Create an xMatters connector with URL authentication. + value: + name: my-xmatters-connector + connector_type_id: .xmatters + config: + usesBasic: false + secrets: + secretsUrl: https://example.com?apiKey=xxxxx + create_email_connector_response: + summary: A new email connector. + value: + id: 90a82c60-478f-11ee-a343-f98a117c727f + connector_type_id: .email + name: email-connector-1 + config: + from: tester@example.com + service: other + host: https://example.com + port: 1025 + secure: false + hasAuth: true + tenantId: null + clientId: null + oauthTokenUrl: null + is_preconfigured: false + is_deprecated: false + is_missing_secrets: false + is_system_action: false + create_index_connector_response: + summary: A new index connector. + value: + id: c55b6eb0-6bad-11eb-9f3b-611eebc6c3ad + connector_type_id: .index + name: my-connector + config: + index: test-index + refresh: false + executionTimeField: null + is_preconfigured: false + is_deprecated: false + is_missing_secrets: false + is_system_action: false + create_webhook_connector_response: + summary: A new webhook connector. + value: + id: 900eb010-3b9d-11ee-a642-8ffbb94e38bd + name: my-webhook-connector + config: + method: post + url: https://example.com + authType: webhook-authentication-ssl + certType: ssl-crt-key + verificationMode: full + headers: null + hasAuth: true + connector_type_id: .webhook + is_preconfigured: false + is_deprecated: false + is_missing_secrets: false + is_system_action: false + run_index_connector_request: + summary: Run an index connector. 
+ value: + params: + documents: + - id: my_doc_id + name: my_doc_name + message: hello, world + run_jira_connector_request: + summary: Run a Jira connector to retrieve the list of issue types. + value: + params: + subAction: issueTypes + run_servicenow_itom_connector_request: + summary: Run a ServiceNow ITOM connector to retrieve the list of choices. + value: + params: + subAction: getChoices + subActionParams: + fields: + - severity + - urgency + run_slack_api_connector_request: + summary: Run a Slack connector that uses the web API method to post a message on a channel. + value: + params: + subAction: postMessage + subActionParams: + channelIds: + - C123ABC456 + text: A test message. + run_swimlane_connector_request: + summary: Run a Swimlane connector to create an incident. + value: + params: + subAction: pushToService + subActionParams: + comments: + - commentId: 1 + comment: A comment about the incident. + incident: + caseId: '1000' + caseName: Case name + description: Description of the incident. + run_index_connector_response: + summary: Response from running an index connector. + value: + connector_id: fd38c600-96a5-11ed-bb79-353b74189cba + data: + errors: false + items: + - create: + _id: 4JtvwYUBrcyxt2NnfW3y + _index: my-index + _primary_term: 1 + _seq_no: 0 + _shards: + failed: 0 + successful: 1 + total: 2 + _version: 1 + result: created + status: 201 + took: 135 + status: ok + run_jira_connector_response: + summary: Response from retrieving the list of issue types for a Jira connector. + value: + connector_id: b3aad810-edbe-11ec-82d1-11348ecbf4a6 + data: + - id: 10024 + name: Improvement + - id: 10006 + name: Task + - id: 10007 + name: Sub-task + - id: 10025 + name: New Feature + - id: 10023 + name: Bug + - id: 10000 + name: Epic + status: ok + run_server_log_connector_response: + summary: Response from running a server log connector. 
+ value: + connector_id: 7fc7b9a0-ecc9-11ec-8736-e7d63118c907 + status: ok + run_servicenow_itom_connector_response: + summary: Response from retrieving the list of choices for a ServiceNow ITOM connector. + value: + connector_id: 9d9be270-2fd2-11ed-b0e0-87533c532698 + data: + - dependent_value: '' + element: severity + label: Critical + value: 1 + - dependent_value: '' + element: severity + label: Major + value: 2 + - dependent_value: '' + element: severity + label: Minor + value: 3 + - dependent_value: '' + element: severity + label: Warning + value: 4 + - dependent_value: '' + element: severity + label: OK + value: 5 + - dependent_value: '' + element: severity + label: Clear + value: 0 + - dependent_value: '' + element: urgency + label: 1 - High + value: 1 + - dependent_value: '' + element: urgency + label: 2 - Medium + value: 2 + - dependent_value: '' + element: urgency + label: 3 - Low + value: 3 + status: ok + run_slack_api_connector_response: + summary: Response from posting a message with a Slack connector. + value: + status: ok + data: + ok: true + channel: C123ABC456 + ts: '1234567890.123456' + message: + bot_id: B12BCDEFGHI + type: message + text: A test message + user: U12A345BC6D + ts: '1234567890.123456' + app_id: A01BC2D34EF + blocks: + - type: rich_text + block_id: /NXe + elements: + - type: rich_text_section + elements: + - type: text + text: A test message. + team: T01ABCDE2F + bot_profile: + id: B12BCDEFGHI + app_id: A01BC2D34EF + name: test + icons: + image_36: https://a.slack-edge.com/80588/img/plugins/app/bot_36.png + deleted: false + updated: 1672169705 + team_id: T01ABCDE2F + connector_id: .slack_api + run_swimlane_connector_response: + summary: Response from creating a Swimlane incident. 
+ value: + connector_id: a4746470-2f94-11ed-b0e0-87533c532698 + data: + id: aKPmBHWzmdRQtx6Mx + title: TEST-457 + url: https://elastic.swimlane.url.us/record/aNcL2xniGHGpa2AHb/aKPmBHWzmdRQtx6Mx + pushedDate: '2022-09-08T16:52:27.866Z' + comments: + - commentId: 1 + pushedDate: '2022-09-08T16:52:27.865Z' + status: ok + get_connectors_response: + summary: A list of connectors + value: + - id: preconfigured-email-connector + name: my-preconfigured-email-notification + connector_type_id: .email + is_preconfigured: true + is_deprecated: false + referenced_by_count: 0 + is_system_action: false + - id: e07d0c80-8b8b-11ed-a780-3b746c987a81 + name: my-index-connector + config: + index: test-index + refresh: false + executionTimeField: null + connector_type_id: .index + is_preconfigured: false + is_deprecated: false + referenced_by_count: 2 + is_missing_secrets: false + is_system_action: false + get_roles_response1: + summary: Get all role details + value: + - name: my_kibana_role + description: My kibana role description + metadata: + version: 1 + transient_metadata: + enabled: true + elasticsearch: + indices: [] + cluster: [] + run_as: [] + kibana: + - base: + - all + feature: {} + spaces: + - '*' + - name: my_admin_role + description: My admin role description + metadata: + version: 1 + transient_metadata: + enabled: true + elasticsearch: + cluster: + - all + indices: + - names: + - index1 + - index2 + privileges: + - all + field_security: + grant: + - title + - body + query: '{\"match\": {\"title\": \"foo\"}}' + kibana: [] + get_role_response1: + summary: Get role details + value: + name: my_kibana_role + description: Grants all cluster privileges and full access to index1 and index2. Grants full access to remote_index1 and remote_index2, and the monitor_enrich cluster privilege on remote_cluster1. Grants all Kibana privileges in the default space. 
+ metadata: + version: 1 + transient_metadata: + enabled: true + elasticsearch: + cluster: + - all + remote_cluster: + - privileges: + - monitor_enrich + clusters: + - remote_cluster1 + indices: + - names: + - index1 + - index2 + privileges: + - all + allow_restricted_indices: false + remote_indices: + - names: + - remote_index1 + - remote_index2 + privileges: + - all + allow_restricted_indices: false + clusters: + - remote_cluster1 + run_as: [] + kibana: + - base: + - all + feature: {} + spaces: + - default + _transform_error: [] + _unrecognized_applications: [] + create_role_request1: + summary: Feature privileges in multiple spaces + description: Grant access to various features in some spaces. + value: + description: Grant full access to discover and dashboard features in the default space. Grant read access in the marketing, and sales spaces. + metadata: + version: 1 + elasticsearch: + cluster: [] + indices: [] + kibana: + - base: [] + feature: + discover: + - all + dashboard: + - all + spaces: + - default + - base: + - read + spaces: + - marketing + - sales + create_role_request2: + summary: Dashboard privileges in a space + description: Grant access to dashboard features in a Marketing space. + value: + description: Grant dashboard access in the Marketing space. + metadata: + version: 1 + elasticsearch: + cluster: [] + indices: [] + kibana: + - base: [] + feature: + dashboard: + - read + spaces: + - marketing + create_role_request3: + summary: Feature privileges in a space + description: Grant full access to all features in the default space. + value: + metadata: + version: 1 + elasticsearch: + cluster: [] + indices: [] + kibana: + - base: + - all + feature: {} + spaces: + - default + create_role_request4: + summary: Elasticsearch and Kibana feature privileges + description: Grant Elasticsearch and Kibana feature privileges. + value: + description: Grant all cluster privileges and full access to index1 and index2. 
Grant full access to remote_index1 and remote_index2, and the monitor_enrich cluster privilege on remote_cluster1. Grant all Kibana privileges in the default space. + metadata: + version: 1 + elasticsearch: + cluster: + - all + indices: + - names: + - index1 + - index2 + privileges: + - all + remote_indices: + - clusters: + - remote_cluster1 + names: + - remote_index1 + - remote_index2 + privileges: + - all + remote_cluster: + - clusters: + - remote_cluster1 + privileges: + - monitor_enrich + kibana: + - base: + - all + feature: {} + spaces: + - default + copy_saved_objects_request1: + summary: Copy with createNewCopies + description: | + Copy a dashboard with the my-dashboard ID, including all references from the default space to the marketing space. In this example, the dashboard has a reference to a visualization and that has a reference to a data view. + value: + objects: + - type: dashboard + id: my-dashboard + spaces: + - marketing + includeReferences: true + copy_saved_objects_request2: + summary: Copy without createNewCopies + description: | + Copy a dashboard with the my-dashboard ID, including all references from the default space to the marketing space. In this example, the dashboard has a reference to a visualization and that has a reference to a data view. + value: + objects: + - type: dashboard + id: my-dashboard + spaces: + - marketing + includeReferences: true + createNewCopies: false + copy_saved_objects_response1: + summary: Copy with createNewCopies + description: | + The response for successfully copying a dashboard with the my-dashboard ID, including all references from the default space to the marketing space. The result indicates a successful copy and all three objects are created. Since these objects were created as new copies, each entry in the successResults array includes a destinationId attribute. 
+ value: + marketing: + success: true + successCount: 3 + successResults: + - id: my-dashboard + type: dashboard + destinationId: 1e127098-5b80-417f-b0f1-c60c8395358f + meta: + icon: dashboardApp + title: Look at my dashboard + - id: my-vis + type: visualization + destinationId: a610ed80-1c73-4507-9e13-d3af736c8e04 + meta: + icon: visualizeApp + title: Look at my visualization + - id: my-index-pattern + type: index-pattern + destinationId: bc3c9c70-bf6f-4bec-b4ce-f4189aa9e26b + meta: + icon: indexPatternApp + title: my-pattern-* + copy_saved_objects_response2: + summary: Copy without createNewCopies + description: | + The response for successfully copying a dashboard with the my-dashboard ID with createNewCopies turned off. The result indicates a successful copy and all three objects are created. + value: + marketing: + success: true + successCount: 3 + successResults: + - id: my-dashboard + type: dashboard + meta: + icon: dashboardApp + title: Look at my dashboard + - id: my-vis + type: visualization + meta: + icon: visualizeApp + title: Look at my visualization + - id: my-index-pattern + type: index-pattern + meta: + icon: indexPatternApp + title: my-pattern-* + copy_saved_objects_response3: + summary: Failed copy response with conflict errors + description: | + A response for a failed copy of a dashboard with the my-dashboard ID including all references from the default space to the marketing and sales spaces. In this example, the dashboard has a reference to a visualization and a Canvas workpad and the visualization has a reference to an index pattern. The result indicates a successful copy for the marketing space and an unsuccessful copy for the sales space because the data view, visualization, and Canvas workpad each resulted in a conflict error. Objects are created when the error is resolved using the resolve copy conflicts API. 
+ value: + marketing: + success: true + successCount: 4 + successResults: + - id: my-dashboard + type: dashboard + meta: + icon: dashboardApp + title: Look at my dashboard + - id: my-vis + type: visualization + meta: + icon: visualizeApp + title: Look at my visualization + - id: my-canvas + type: canvas-workpad + meta: + icon: canvasApp + title: Look at my canvas + - id: my-index-pattern + type: index-pattern + meta: + icon: indexPatternApp + title: my-pattern-* + sales: + success: false + successCount: 1, + errors: + - id: my-pattern + type: index-pattern + title: my-pattern-* + error: + type: conflict + meta: + icon: indexPatternApp + title: my-pattern-* + - id: my-visualization + type: my-vis + title: Look at my visualization + error: + type: conflict + destinationId: another-vis + meta: + icon: visualizeApp + title: Look at my visualization + - id: my-canvas + type: canvas-workpad + title: Look at my canvas + error: + type: ambiguous_conflict + destinations: + - id: another-canvas + title: Look at another canvas + updatedAt: '2020-07-08T16:36:32.377Z' + - id: yet-another-canvas + title: Look at yet another canvas + updatedAt: '2020-07-05T12:29:54.849Z' + meta: + icon: canvasApp + title: Look at my canvas + successResults": + - id: my-dashboard + type: dashboard + meta: + icon: dashboardApp + title: Look at my dashboard + copy_saved_objects_response4: + summary: Failed copy with missing reference errors + description: | + The response for successfully copying a dashboard with the my-dashboard ID, including all references from the default space to the marketing space. In this example, the dashboard has a reference to a visualization and a Canvas workpad and the visualization has a reference to a data view. The result indicates an unsuccessful copy because the visualization resulted in a missing references error. Objects are created when the errors are resolved using the resolve copy conflicts API. 
+ value: + marketing: + success: false + successCount: 2 + errors: + - id: my-vis + type: visualization + title: Look at my visualization + error: + type: missing_references + references: + - type: index-pattern + id: my-pattern-* + meta: + icon: visualizeApp + title: Look at my visualization + successResults: + - id: my-dashboard + type: dashboard + meta: + icon: dashboardApp + title: Look at my dashboard + - id: my-canvas + type: canvas-workpad + meta: + icon: canvasApp + title: Look at my canvas + disable_legacy_url_request1: + summary: Disable legacy URL aliases + description: | + This request leaves the alias intact but the legacy URL for this alias (http://localhost:5601/s/bills-space/app/dashboards#/view/123) will no longer function. The dashboard still exists and you can access it with the new URL. + value: + aliases: + - targetSpace: bills-space + targetType: dashboard + sourceId: 123 + get_shareable_references_request1: + summary: Get shareable references + description: | + Collect references and space contexts for a dashboard saved object. + value: + objects: + - type: dashboard + id: my-dashboard-id + get_shareable_references_response1: + summary: Get shareable references response + description: | + A response that includes the collected references and the spaces where the objects exist. + value: + objects: + - type: dashboard + id: my-dashboard-id + spaces: + - default + - marketing + inboundReferences: [] + resolve_copy_saved_objects_request1: + summary: Resolve conflict errors + description: | + Resolve conflict errors for a data view, visualization, and Canvas workpad by overwriting the existing saved objects. NOTE: If a prior copy attempt resulted in resolvable errors, you must include a retry for each object you want to copy, including any that were returned in the successResults array. In this example, we retried copying the dashboard accordingly. 
+ value: + objects: + - type: dashboard + id: my-dashboard + includeReferences: true + createNewCopies: false + retries: + sales: + - type: index-pattern + id: my-pattern + overwrite: true + - type: visualization + id: my-vis + overwrite: true, + destinationId: another-vis + - type: canvas + id: my-canvas + overwrite: true + destinationId: yet-another-canvas + - type: dashboard + id: my-dashboard + resolve_copy_saved_objects_request2: + summary: Resolve missing reference errors + description: | + Resolve missing reference errors for a visualization by ignoring the error. NOTE: If a prior copy attempt resulted in resolvable errors, you must include a retry for each object you want to copy, including any that were returned in the successResults array. In this example, we retried copying the dashboard and canvas accordingly. + value: + objects: + - type: dashboard + id: my-dashboard + includeReferences: true + createNewCopies: false + retries: + marketing: + - type: visualization + id: my-vis + ignoreMissingReferences: true + - type: canvas + id: my-canvas + - type: dashboard + id: my-dashboard + update_saved_objects_spaces_request1: + summary: Update saved object spaces + description: Update the spaces of each saved object and all its references. + value: + objects: + - type: index-pattern + id: 90943e30-9a47-11e8-b64d-95841ca0b247 + spacesToAdd: + - test + spacesToRemove: [] + update_saved_objects_spaces_response1: + summary: Update saved object spaces + description: | + The response from updating the spaces of saved objects. + value: + objects: + - type: index-pattern + id: 90943e30-9a47-11e8-b64d-95841ca0b247 + spaces: + - default + - test + get_spaces_response1: + summary: Get all spaces + description: Get all spaces without specifying any options. 
+ value: + - id: default + name: Default + description: This is the Default Space + disabledFeatures: [] + imageUrl: '' + _reserved: true + - id: marketing + name: Marketing + description: This is the Marketing Space + color: null + disabledFeatures: + - apm + initials: MK + imageUrl: data:image/png;base64,iVBORw0KGgoAAAANSU + - id: sales + name: Sales + initials: MK + disabledFeatures: + - discover + imageUr": '' + solution: oblt + get_spaces_response2: + summary: Get all spaces with custom options + description: | + The user has read-only access to the Sales space. Get all spaces with the following query parameters: "purpose=shareSavedObjectsIntoSpace&include_authorized_purposes=true" + value: + - id: default + name: Default + description: This is the Default Space + disabledFeatures: [] + imageUrl: '' + _reserved: true + authorizedPurposes: + any: true + copySavedObjectsIntoSpace: true + findSavedObjects: true + shareSavedObjectsIntoSpace: true + - id: marketing + name: Marketing + description: This is the Marketing Space + color: null + disabledFeatures: + - apm + initials: MK + imageUrl: data:image/png;base64,iVBORw0KGgoAAAANSU + authorizedPurposes: + any: true + copySavedObjectsIntoSpace: true + findSavedObjects: true + shareSavedObjectsIntoSpace: true + - id: sales + name: Sales + initials: MK + disabledFeatures: + - discover + imageUrl: '' + authorizedPurposes: + any: true + copySavedObjectsIntoSpace: false + findSavedObjects: true + shareSavedObjectsIntoSpace: false + create_space_request: + summary: Create a marketing space + value: + id: marketing + name: Marketing + description: This is the Marketing Space + color: null + initials: MK + disabledFeatures: [] + imageUrl: data:image/png;base64,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 + get_space_response: + summary: Get details about a marketing space + value: + id: marketing + name: Marketing + description: This is the Marketing Space + color: null + initials: MK + disabledFeatures: [] + 
imageUrl: '' + solution: es + update_space_request: + summary: Update a marketing space + description: Update the marketing space to remove the imageUrl. + value: + id: marketing + name: Marketing + description: This is the Marketing Space + color: null + initials: MK + disabledFeatures: [] + imageUrl: '' parameters: APM_UI_elastic_api_version: description: The version of the API to use @@ -52318,10 +77656,8 @@ components: example: 09f0c261e39e36351d75995b78bb83673774d1bc2cca9df2d15f0e5c0a99a540 type: string Cases_assignees_filter: - description: > - Filters the returned cases by assignees. Valid values are `none` or - unique identifiers for the user profiles. These identifiers can be found - by using the suggest user profile API. + description: | + Filters the returned cases by assignees. Valid values are `none` or unique identifiers for the user profiles. These identifiers can be found by using the suggest user profile API. in: query name: assignees schema: @@ -52329,9 +77665,7 @@ components: - $ref: '#/components/schemas/Cases_string' - $ref: '#/components/schemas/Cases_string_array' Cases_case_id: - description: >- - The identifier for the case. To retrieve case IDs, use the search cases - (`_find)` API. All non-ASCII characters must be URL encoded. + description: The identifier for the case. To retrieve case IDs, use the search cases (`_find)` API. All non-ASCII characters must be URL encoded. in: path name: caseId required: true @@ -52347,9 +77681,8 @@ components: - $ref: '#/components/schemas/Cases_case_category' - $ref: '#/components/schemas/Cases_case_categories' Cases_comment_id: - description: > - The identifier for the comment. To retrieve comment IDs, use the get - case or search cases (`_find`) APIs. + description: | + The identifier for the comment. To retrieve comment IDs, use the get case or search cases (`_find`) APIs. in: path name: commentId required: true 
@@ -52359,4794 +77692,29251 @@ components: Cases_configuration_id: description: An identifier for the configuration. in: path - name: configurationId + name: configurationId + required: true + schema: + example: 3297a0f0-b5ec-11ec-b141-0fdb20a7f9a9 + type: string + Cases_connector_id: + description: An identifier for the connector. To retrieve connector IDs, use the find connectors API. + in: path + name: connectorId + required: true + schema: + example: abed3a70-71bd-11ea-a0b2-c51ea50a58e2 + type: string + Cases_defaultSearchOperator: + description: he default operator to use for the simple_query_string. + example: OR + in: query + name: defaultSearchOperator + schema: + default: OR + type: string + Cases_from: + description: | + Returns only cases that were created after a specific date. The date must be specified as a KQL data range or date match expression. + in: query + name: from + schema: + example: now-1d + type: string + Cases_ids: + description: | + The cases that you want to removed. To get the case identifiers, use the search cases (`_find`) API. In the Dev Console, you can specify the array of cases in the following format: `ids=["e58e77e3-ef8e-4251-926f-efb115f3c4ec"]`. In `curl`, all non-ASCII characters must be URL encoded. For example: `ids=%5B%22e58e77e3-ef8e-4251-926f-efb115f3c4ec%22%5D` + in: query + name: ids + required: true + schema: + items: + example: d4e7abb0-b462-11ec-9a8d-698504725a43 + maxItems: 100 + minItems: 1 + type: string + type: array + Cases_kbn_xsrf: + description: Cross-site request forgery protection + in: header + name: kbn-xsrf + required: true + schema: + type: string + Cases_owner_filter: + description: | + A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read. 
+ example: cases + in: query + name: owner + schema: + oneOf: + - $ref: '#/components/schemas/Cases_owner' + - $ref: '#/components/schemas/Cases_owners' + Cases_page_index: + description: The page number to return. + example: 1 + in: query + name: page + required: false + schema: + default: 1 + type: integer + Cases_page_size: + description: The number of items to return. Limited to 100 items. + example: 20 + in: query + name: perPage + required: false + schema: + default: 20 + maximum: 100 + type: integer + Cases_reporters: + description: Filters the returned cases by the user name of the reporter. + example: elastic + in: query + name: reporters + schema: + oneOf: + - $ref: '#/components/schemas/Cases_string' + - $ref: '#/components/schemas/Cases_string_array' + Cases_search: + description: An Elasticsearch simple_query_string query that filters the objects in the response. + example: Case title 1 + in: query + name: search + schema: + type: string + Cases_searchFields: + description: The fields to perform the simple_query_string parsed query against. + in: query + name: searchFields + schema: + oneOf: + - $ref: '#/components/schemas/Cases_searchFieldsType' + - $ref: '#/components/schemas/Cases_searchFieldsTypeArray' + Cases_severity: + description: The severity of the case. + example: low + in: query + name: severity + schema: + enum: + - critical + - high + - low + - medium + type: string + Cases_sort_order: + description: Determines the sort order. + example: desc + in: query + name: sortOrder + required: false + schema: + default: desc + enum: + - asc + - desc + type: string + Cases_sortField: + description: Determines which field is used to sort the results. + example: updatedAt + in: query + name: sortField + schema: + default: createdAt + enum: + - createdAt + - updatedAt + - closedAt + - title + - category + - status + - severity + type: string + Cases_status: + description: Filters the returned cases by state. 
+ example: open + in: query + name: status + schema: + enum: + - closed + - in-progress + - open + type: string + Cases_tags: + description: Filters the returned cases by tags. + example: tag-1 + in: query + name: tags + schema: + oneOf: + - $ref: '#/components/schemas/Cases_string' + - $ref: '#/components/schemas/Cases_string_array' + Cases_to: + description: | + Returns only cases that were created before a specific date. The date must be specified as a KQL data range or date match expression. + example: now+1d + in: query + name: to + schema: + type: string + Cases_user_action_types: + description: Determines the types of user actions to return. + in: query + name: types + schema: + items: + enum: + - action + - alert + - assignees + - attachment + - comment + - connector + - create_case + - description + - pushed + - settings + - severity + - status + - tags + - title + - user + example: create_case + type: string + type: array + Data_views_field_name: + description: The name of the runtime field. + in: path + name: fieldName + required: true + schema: + example: hour_of_day + type: string + Data_views_kbn_xsrf: + description: Cross-site request forgery protection + in: header + name: kbn-xsrf + required: true + schema: + type: string + Data_views_view_id: + description: An identifier for the data view. + in: path + name: viewId + required: true + schema: + example: ff959d40-b880-11e8-a6d9-e546fe2bba5f + type: string + Machine_learning_APIs_simulateParam: + description: When true, simulates the synchronization by returning only the list of actions that would be performed. + example: 'true' + in: query + name: simulate + required: false + schema: + type: boolean + Short_URL_APIs_idParam: + description: The identifier for the short URL. 
+ in: path + name: id + required: true + schema: + type: string + SLOs_kbn_xsrf: + description: Cross-site request forgery protection + in: header + name: kbn-xsrf + required: true + schema: + type: string + SLOs_slo_id: + description: An identifier for the slo. + in: path + name: sloId required: true schema: - example: 3297a0f0-b5ec-11ec-b141-0fdb20a7f9a9 + example: 9c235211-6834-11ea-a78c-6feb38a34414 type: string - Cases_connector_id: - description: >- - An identifier for the connector. To retrieve connector IDs, use the find - connectors API. + SLOs_space_id: + description: An identifier for the space. If `/s/` and the identifier are omitted from the path, the default space is used. in: path - name: connectorId + name: spaceId required: true schema: - example: abed3a70-71bd-11ea-a0b2-c51ea50a58e2 + example: default + type: string + schemas: + Alerting_401_response: + properties: + error: + enum: + - Unauthorized + example: Unauthorized + type: string + message: + type: string + statusCode: + enum: + - 401 + example: 401 + type: integer + title: Unsuccessful rule API response + type: object + Alerting_fieldmap_properties: + title: Field map objects in the get rule types response + type: object + properties: + array: + description: Indicates whether the field is an array. + type: boolean + dynamic: + description: Indicates whether it is a dynamic field mapping. + type: boolean + format: + description: | + Indicates the format of the field. For example, if the `type` is `date_range`, the `format` can be `epoch_millis||strict_date_optional_time`. + type: string + ignore_above: + description: Specifies the maximum length of a string field. Longer strings are not indexed or stored. + type: integer + index: + description: Indicates whether field values are indexed. + type: boolean + path: + description: TBD + type: string + properties: + additionalProperties: + type: object + properties: + type: + description: The data type for each object property. 
+ type: string + description: | + Details about the object properties. This property is applicable when `type` is `object`. + type: object + required: + description: Indicates whether the field is required. + type: boolean + scaling_factor: + description: | + The scaling factor to use when encoding values. This property is applicable when `type` is `scaled_float`. Values will be multiplied by this factor at index time and rounded to the closest long value. + type: integer + type: + description: Specifies the data type for the field. + example: scaled_float + type: string + APM_UI_400_response: + type: object + properties: + error: + description: Error type + example: Not Found + type: string + message: + description: Error message + example: Not Found + type: string + statusCode: + description: Error status code + example: 400 + type: number + APM_UI_401_response: + type: object + properties: + error: + description: Error type + example: Unauthorized + type: string + message: + description: Error message + type: string + statusCode: + description: Error status code + example: 401 + type: number + APM_UI_403_response: + type: object + properties: + error: + description: Error type + example: Forbidden + type: string + message: + description: Error message + type: string + statusCode: + description: Error status code + example: 403 + type: number + APM_UI_404_response: + type: object + properties: + error: + description: Error type + example: Not Found + type: string + message: + description: Error message + example: Not Found + type: string + statusCode: + description: Error status code + example: 404 + type: number + APM_UI_500_response: + type: object + properties: + error: + description: Error type + example: Internal Server Error + type: string + message: + description: Error message + type: string + statusCode: + description: Error status code + example: 500 + type: number + APM_UI_501_response: + type: object + properties: + error: + description: Error type + 
example: Not Implemented + type: string + message: + description: Error message + example: Not Implemented + type: string + statusCode: + description: Error status code + example: 501 + type: number + APM_UI_agent_configuration_intake_object: + type: object + properties: + agent_name: + description: The agent name is used by the UI to determine which settings to display. + type: string + service: + $ref: '#/components/schemas/APM_UI_service_object' + settings: + $ref: '#/components/schemas/APM_UI_settings_object' + required: + - service + - settings + APM_UI_agent_configuration_object: + description: Agent configuration + type: object + properties: + '@timestamp': + description: Timestamp + example: 1730194190636 + type: number + agent_name: + description: Agent name + type: string + applied_by_agent: + description: Applied by agent + example: true + type: boolean + etag: + description: | + `etag` is sent by the APM agent to indicate the `etag` of the last successfully applied configuration. If the `etag` matches an existing configuration its `applied_by_agent` property will be set to `true`. Every time a configuration is edited `applied_by_agent` is reset to `false`. + example: 0bc3b5ebf18fba8163fe4c96f491e3767a358f85 + type: string + service: + $ref: '#/components/schemas/APM_UI_service_object' + settings: + $ref: '#/components/schemas/APM_UI_settings_object' + required: + - service + - settings + - '@timestamp' + - etag + APM_UI_agent_configurations_response: + type: object + properties: + configurations: + description: Agent configuration + items: + $ref: '#/components/schemas/APM_UI_agent_configuration_object' + type: array + APM_UI_agent_keys_object: + type: object + properties: + name: + description: The name of the APM agent key. + type: string + privileges: + description: | + The APM agent key privileges. It can take one or more of the following values: + * `event:write`, which is required for ingesting APM agent events. 
* `config_agent:read`, which is required for APM agents to read agent configuration remotely. + items: + enum: + - event:write + - config_agent:read + type: string + type: array + required: + - name + - privileges + APM_UI_agent_keys_response: + type: object + properties: + agentKey: + description: Agent key + type: object + properties: + api_key: + type: string + encoded: + type: string + expiration: + format: int64 + type: integer + id: + type: string + name: + type: string + required: + - id + - name + - api_key + - encoded + APM_UI_annotation_search_response: + type: object + properties: + annotations: + description: Annotations + items: + type: object + properties: + '@timestamp': + type: number + id: + type: string + text: + type: string + type: + enum: + - version + type: string + type: array + APM_UI_base_source_map_object: + type: object + properties: + compressionAlgorithm: + description: Compression Algorithm + type: string + created: + description: Created date + type: string + decodedSha256: + description: Decoded SHA-256 + type: string + decodedSize: + description: Decoded size + type: number + encodedSha256: + description: Encoded SHA-256 + type: string + encodedSize: + description: Encoded size + type: number + encryptionAlgorithm: + description: Encryption Algorithm + type: string + id: + description: Identifier + type: string + identifier: + description: Identifier + type: string + packageName: + description: Package name + type: string + relative_url: + description: Relative URL + type: string + type: + description: Type + type: string + APM_UI_create_annotation_object: + type: object + properties: + '@timestamp': + description: The date and time of the annotation. It must be in ISO 8601 format. + type: string + message: + description: The message displayed in the annotation. It defaults to `service.version`. + type: string + service: + description: The service that identifies the configuration to create or update. 
+ type: object + properties: + environment: + description: The environment of the service. + type: string + version: + description: The version of the service. + type: string + required: + - version + tags: + description: | + Tags are used by the Applications UI to distinguish APM annotations from other annotations. Tags may have additional functionality in future releases. It defaults to `[apm]`. While you can add additional tags, you cannot remove the `apm` tag. + items: + type: string + type: array + required: + - '@timestamp' + - service + APM_UI_create_annotation_response: + type: object + properties: + _id: + description: Identifier + type: string + _index: + description: Index + type: string + _source: + description: Response + type: object + properties: + '@timestamp': + type: string + annotation: + type: object + properties: + title: + type: string + type: + type: string + event: + type: object + properties: + created: + type: string + message: + type: string + service: + type: object + properties: + environment: + type: string + name: + type: string + version: + type: string + tags: + items: + type: string + type: array + APM_UI_delete_agent_configurations_response: + type: object + properties: + result: + description: Result + type: string + APM_UI_delete_service_object: + description: Service + type: object + properties: + service: + $ref: '#/components/schemas/APM_UI_service_object' + required: + - service + APM_UI_search_agent_configuration_object: + type: object + properties: + error: + description: | + If provided, the agent configuration will be marked as error and `applied_by_agent` will be set to `false`. + This is useful for cases where the agent configuration was not applied successfully. 
+ type: string + etag: + description: If etags match then `applied_by_agent` field will be set to `true` + example: 0bc3b5ebf18fba8163fe4c96f491e3767a358f85 + type: string + mark_as_applied_by_agent: + description: | + `markAsAppliedByAgent=true` means "force setting it to true regardless of etag". + This is needed for Jaeger agent that doesn't have etags + type: boolean + service: + $ref: '#/components/schemas/APM_UI_service_object' + required: + - service + APM_UI_search_agent_configuration_response: + type: object + properties: + _id: + description: Identifier + type: string + _index: + description: Index + type: string + _score: + description: Score + type: number + _source: + $ref: '#/components/schemas/APM_UI_agent_configuration_object' + APM_UI_service_agent_name_response: + type: object + properties: + agentName: + description: Agent name + example: nodejs + type: string + APM_UI_service_environment_object: + type: object + properties: + alreadyConfigured: + description: Already configured + type: boolean + name: + description: Service environment name + example: ALL_OPTION_VALUE + type: string + APM_UI_service_environments_response: + type: object + properties: + environments: + description: Service environment list + items: + $ref: '#/components/schemas/APM_UI_service_environment_object' + type: array + APM_UI_service_object: + description: Service + type: object + properties: + environment: + description: The environment of the service. + example: prod + type: string + name: + description: The name of the service. 
+ example: node + type: string + APM_UI_settings_object: + additionalProperties: + type: string + description: Agent configuration settings + type: object + APM_UI_single_agent_configuration_response: + allOf: + - type: object + properties: + id: + type: string + required: + - id + - $ref: '#/components/schemas/APM_UI_agent_configuration_object' + APM_UI_source_maps_response: + type: object + properties: + artifacts: + description: Artifacts + items: + allOf: + - type: object + properties: + body: + type: object + properties: + bundleFilepath: + type: string + serviceName: + type: string + serviceVersion: + type: string + sourceMap: + type: object + properties: + file: + type: string + mappings: + type: string + sourceRoot: + type: string + sources: + items: + type: string + type: array + sourcesContent: + items: + type: string + type: array + version: + type: number + - $ref: '#/components/schemas/APM_UI_base_source_map_object' + type: array + APM_UI_upload_source_map_object: + type: object + properties: + bundle_filepath: + description: The absolute path of the final bundle as used in the web application. + type: string + service_name: + description: The name of the service that the service map should apply to. + type: string + service_version: + description: The version of the service that the service map should apply to. + type: string + sourcemap: + description: | + The source map. It can be a string or file upload. It must follow the + [source map format specification](https://tc39.es/ecma426/). 
+ format: binary + type: string + required: + - service_name + - service_version + - bundle_filepath + - sourcemap + APM_UI_upload_source_maps_response: + allOf: + - type: object + properties: + body: + type: string + - $ref: '#/components/schemas/APM_UI_base_source_map_object' + Cases_actions: + enum: + - add + - create + - delete + - push_to_service + - update + example: create + type: string + Cases_add_alert_comment_request_properties: + description: Defines properties for case comment requests when type is alert. + type: object + properties: + alertId: + $ref: '#/components/schemas/Cases_alert_identifiers' + index: + $ref: '#/components/schemas/Cases_alert_indices' + owner: + $ref: '#/components/schemas/Cases_owner' + rule: + $ref: '#/components/schemas/Cases_rule' + type: + description: The type of comment. + enum: + - alert + example: alert + type: string + required: + - alertId + - index + - owner + - rule + - type + title: Add case comment request properties for alerts + Cases_add_case_comment_request: + description: The add comment to case API request body varies depending on whether you are adding an alert or a comment. + discriminator: + mapping: + alert: '#/components/schemas/Cases_add_alert_comment_request_properties' + user: '#/components/schemas/Cases_add_user_comment_request_properties' + propertyName: type + oneOf: + - $ref: '#/components/schemas/Cases_add_alert_comment_request_properties' + - $ref: '#/components/schemas/Cases_add_user_comment_request_properties' + title: Add case comment request + Cases_add_case_file_request: + description: Defines the file that will be attached to the case. Optional parameters will be generated automatically from the file metadata if not defined. + type: object + properties: + file: + description: The file being attached to the case. + format: binary + type: string + filename: + description: The desired name of the file being attached to the case, it can be different than the name of the file in the filesystem. 
**This should not include the file extension.** + type: string + required: + - file + title: Add case file request properties + Cases_add_user_comment_request_properties: + description: Defines properties for case comment requests when type is user. + properties: + comment: + description: The new comment. It is required only when `type` is `user`. + example: A new comment. + maxLength: 30000 + type: string + owner: + $ref: '#/components/schemas/Cases_owner' + type: + description: The type of comment. + enum: + - user + example: user + type: string + required: + - comment + - owner + - type + title: Add case comment request properties for user comments + type: object + Cases_alert_comment_response_properties: + title: Add case comment response properties for alerts + type: object + properties: + alertId: + items: + example: a6e12ac4-7bce-457b-84f6-d7ce8deb8446 + type: string + type: array + created_at: + example: '2023-11-06T19:29:38.424Z' + format: date-time + type: string + created_by: + type: object + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + required: + - email + - full_name + - username + id: + example: 73362370-ab1a-11ec-985f-97e55adae8b9 + type: string + index: + items: + example: .internal.alerts-security.alerts-default-000001 + type: string + type: array + owner: + $ref: '#/components/schemas/Cases_owner' + pushed_at: + example: null + format: date-time + nullable: true + type: string + pushed_by: + nullable: true + type: object + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + required: 
+ - email + - full_name + - username + rule: + type: object + properties: + id: + description: The rule identifier. + example: 94d80550-aaf4-11ec-985f-97e55adae8b9 + nullable: true + type: string + name: + description: The rule name. + example: security_rule + nullable: true + type: string + type: + enum: + - alert + example: alert + type: string + updated_at: + format: date-time + nullable: true + type: string + updated_by: + nullable: true + type: object + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + required: + - email + - full_name + - username + version: + example: WzMwNDgsMV0= + type: string + required: + - type + Cases_alert_identifiers: + description: | + The alert identifiers. It is required only when `type` is `alert`. You can use an array of strings to add multiple alerts to a case, provided that they all relate to the same rule; `index` must also be an array with the same length or number of elements. Adding multiple alerts in this manner is recommended rather than calling the API multiple times. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. + example: 6b24c4dc44bc720cfc92797f3d61fff952f2b2627db1fb4f8cc49f4530c4ff42 + oneOf: + - type: string + - items: + type: string + maxItems: 1000 + type: array + title: Alert identifiers + x-state: Technical preview + Cases_alert_indices: + description: | + The alert indices. It is required only when `type` is `alert`. 
If you are adding multiple alerts to a case, use an array of strings; the position of each index name in the array must match the position of the corresponding alert identifier in the `alertId` array. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. + oneOf: + - type: string + - items: + type: string + maxItems: 1000 + type: array + title: Alert indices + x-state: Technical preview + Cases_alert_response_properties: + type: object + properties: + attached_at: + format: date-time + type: string + id: + description: The alert identifier. + type: string + index: + description: The alert index. + type: string + Cases_assignees: + description: An array containing users that are assigned to the case. + items: + type: object + properties: + uid: + description: A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API. + example: u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0 + type: string + required: + - uid + maxItems: 10 + nullable: true + type: array + Cases_attachment_totals: + description: Counts of alerts, events, and user comments attached to a case. + properties: + alerts: + description: Number of alert attachments on the case. + type: integer + events: + description: Number of event attachments on the case. + type: integer + userComments: + description: Number of user comment attachments on the case. + type: integer + required: + - alerts + - events + - userComments + title: Attachment totals + type: object + Cases_case_categories: + items: + $ref: '#/components/schemas/Cases_case_category' + maxItems: 100 + type: array + Cases_case_category: + description: A word or phrase that categorizes the case. 
+ maxLength: 50 + type: string + Cases_case_close_sync_reason: + description: | + The close reason to sync to attached alerts when closing the case. Can be one of following predefined reasons: [false_positive, duplicate, true_positive, benign_positive, automated_closure, other] or a custom reason provided by the user. + oneOf: + - enum: + - false_positive + - duplicate + - true_positive + - benign_positive + - automated_closure + - other + type: string + - type: string + Cases_case_description: + description: The description for the case. + maxLength: 30000 + type: string + Cases_case_observable: + description: A single observable attached to a case. + properties: + createdAt: + description: When the observable was created. + example: '2024-11-14T10:00:00.000Z' + format: date-time + type: string + description: + description: An optional description for the observable. + example: Source IP + nullable: true + type: string + id: + description: The observable identifier. + example: df927ab8-54ed-47d6-be07-9948c255c097 + type: string + typeKey: + description: The observable type key. + example: observable-type-ipv4 + type: string + updatedAt: + description: When the observable was last updated. + example: '2024-11-14T10:00:00.000Z' + format: date-time + nullable: true + type: string + value: + description: The observable value. 
+ example: 10.0.0.8 + type: string + required: + - id + - typeKey + - value + - description + - createdAt + - updatedAt + title: Case observable + type: object + Cases_case_response_closed_by_properties: + nullable: true + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + required: + - email + - full_name + - username + title: Case response properties for closed_by + type: object + Cases_case_response_created_by_properties: + title: Case response properties for created_by + type: object + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + required: + - email + - full_name + - username + Cases_case_response_get_case: + description: | + Case details returned by the get case API. The comments property is not included in the response. Use the find case comments API to retrieve comments. totalComment reflects the actual number of user comments. + properties: + assignees: + $ref: '#/components/schemas/Cases_assignees' + category: + description: The case category. 
+ nullable: true + type: string + closed_at: + format: date-time + nullable: true + type: string + closed_by: + $ref: '#/components/schemas/Cases_case_response_closed_by_properties' + connector: + discriminator: + mapping: + .cases-webhook: '#/components/schemas/Cases_connector_properties_cases_webhook' + .jira: '#/components/schemas/Cases_connector_properties_jira' + .none: '#/components/schemas/Cases_connector_properties_none' + .resilient: '#/components/schemas/Cases_connector_properties_resilient' + .servicenow: '#/components/schemas/Cases_connector_properties_servicenow' + .servicenow-sir: '#/components/schemas/Cases_connector_properties_servicenow_sir' + .swimlane: '#/components/schemas/Cases_connector_properties_swimlane' + propertyName: type + oneOf: + - $ref: '#/components/schemas/Cases_connector_properties_none' + - $ref: '#/components/schemas/Cases_connector_properties_cases_webhook' + - $ref: '#/components/schemas/Cases_connector_properties_jira' + - $ref: '#/components/schemas/Cases_connector_properties_resilient' + - $ref: '#/components/schemas/Cases_connector_properties_servicenow' + - $ref: '#/components/schemas/Cases_connector_properties_servicenow_sir' + - $ref: '#/components/schemas/Cases_connector_properties_swimlane' + title: Case response properties for connectors + created_at: + example: '2022-05-13T09:16:17.416Z' + format: date-time + type: string + created_by: + $ref: '#/components/schemas/Cases_case_response_created_by_properties' + customFields: + description: Custom field values for the case. + items: + type: object + properties: + key: + description: | + The unique identifier for the custom field. The key value must exist in the case configuration settings. + type: string + type: + description: | + The custom field type. It must match the type specified in the case configuration settings. + enum: + - text + - toggle + type: string + value: + description: | + The custom field value. 
If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is `undefined`. The value returned in the API and user interface in this case is `null`. + oneOf: + - maxLength: 160 + minLength: 1 + nullable: true + type: string + - type: boolean + type: array + description: + example: A case description. + type: string + duration: + description: | + The elapsed time from the creation of the case to its closure (in seconds). If the case has not been closed, the duration is set to null. If the case was closed after less than half a second, the duration is rounded down to zero. + example: 120 + nullable: true + type: integer + external_service: + $ref: '#/components/schemas/Cases_external_service' + id: + example: 66b9aa00-94fa-11ea-9f74-e7e108796192 + type: string + incremental_id: + description: | + A monotonically increasing number assigned to each case, unique per space. This value is generated asynchronously after the case is created and may not be present immediately in the response. + example: 1 + nullable: true + type: integer + observables: + description: Observables attached to the case. + items: + $ref: '#/components/schemas/Cases_case_observable' + type: array + owner: + $ref: '#/components/schemas/Cases_owner' + settings: + $ref: '#/components/schemas/Cases_settings' + severity: + $ref: '#/components/schemas/Cases_case_severity' + status: + $ref: '#/components/schemas/Cases_case_status' + tags: + example: + - tag-1 + items: + type: string + type: array + title: + example: Case title 1 + type: string + total_observables: + description: The number of observables attached to the case. + example: 0 + nullable: true + type: integer + totalAlerts: + example: 0 + type: integer + totalComment: + description: The number of user comments on the case. Use the find case comments API to retrieve comment content. 
+ example: 1 + type: integer + totalEvents: + description: The number of events attached to the case. + example: 0 + type: integer + updated_at: + format: date-time + nullable: true + type: string + updated_by: + $ref: '#/components/schemas/Cases_case_response_updated_by_properties' + version: + example: WzUzMiwxXQ== + type: string + required: + - closed_at + - closed_by + - connector + - created_at + - created_by + - description + - duration + - external_service + - id + - observables + - owner + - settings + - severity + - status + - tags + - title + - totalAlerts + - totalComment + - total_observables + - updated_at + - updated_by + - version + title: Get case response + type: object + Cases_case_response_properties: + title: Case response properties + type: object + properties: + assignees: + $ref: '#/components/schemas/Cases_assignees' + category: + description: The case category. + nullable: true + type: string + closed_at: + format: date-time + nullable: true + type: string + closed_by: + $ref: '#/components/schemas/Cases_case_response_closed_by_properties' + comments: + description: An array of comment objects for the case. 
+ items: + discriminator: + mapping: + alert: '#/components/schemas/Cases_alert_comment_response_properties' + event: '#/components/schemas/Cases_event_comment_response_properties' + user: '#/components/schemas/Cases_user_comment_response_properties' + propertyName: type + oneOf: + - $ref: '#/components/schemas/Cases_alert_comment_response_properties' + - $ref: '#/components/schemas/Cases_event_comment_response_properties' + - $ref: '#/components/schemas/Cases_user_comment_response_properties' + maxItems: 10000 + title: Case response properties for comments + type: array + connector: + discriminator: + mapping: + .cases-webhook: '#/components/schemas/Cases_connector_properties_cases_webhook' + .jira: '#/components/schemas/Cases_connector_properties_jira' + .none: '#/components/schemas/Cases_connector_properties_none' + .resilient: '#/components/schemas/Cases_connector_properties_resilient' + .servicenow: '#/components/schemas/Cases_connector_properties_servicenow' + .servicenow-sir: '#/components/schemas/Cases_connector_properties_servicenow_sir' + .swimlane: '#/components/schemas/Cases_connector_properties_swimlane' + propertyName: type + oneOf: + - $ref: '#/components/schemas/Cases_connector_properties_none' + - $ref: '#/components/schemas/Cases_connector_properties_cases_webhook' + - $ref: '#/components/schemas/Cases_connector_properties_jira' + - $ref: '#/components/schemas/Cases_connector_properties_resilient' + - $ref: '#/components/schemas/Cases_connector_properties_servicenow' + - $ref: '#/components/schemas/Cases_connector_properties_servicenow_sir' + - $ref: '#/components/schemas/Cases_connector_properties_swimlane' + title: Case response properties for connectors + created_at: + example: '2022-05-13T09:16:17.416Z' + format: date-time + type: string + created_by: + $ref: '#/components/schemas/Cases_case_response_created_by_properties' + customFields: + description: Custom field values for the case. 
+ items: + type: object + properties: + key: + description: | + The unique identifier for the custom field. The key value must exist in the case configuration settings. + type: string + type: + description: | + The custom field type. It must match the type specified in the case configuration settings. + enum: + - text + - toggle + type: string + value: + description: | + The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is `undefined`. The value returned in the API and user interface in this case is `null`. + oneOf: + - maxLength: 160 + minLength: 1 + nullable: true + type: string + - type: boolean + type: array + description: + example: A case description. + type: string + duration: + description: | + The elapsed time from the creation of the case to its closure (in seconds). If the case has not been closed, the duration is set to null. If the case was closed after less than half a second, the duration is rounded down to zero. + example: 120 + nullable: true + type: integer + external_service: + $ref: '#/components/schemas/Cases_external_service' + id: + example: 66b9aa00-94fa-11ea-9f74-e7e108796192 + type: string + incremental_id: + description: | + A monotonically increasing number assigned to each case, unique per space. This value is generated asynchronously after the case is created and may not be present immediately in the response. + example: 1 + nullable: true + type: integer + observables: + description: Observables attached to the case. 
+ items: + $ref: '#/components/schemas/Cases_case_observable' + type: array + owner: + $ref: '#/components/schemas/Cases_owner' + settings: + $ref: '#/components/schemas/Cases_settings' + severity: + $ref: '#/components/schemas/Cases_case_severity' + status: + $ref: '#/components/schemas/Cases_case_status' + tags: + example: + - tag-1 + items: + type: string + type: array + title: + example: Case title 1 + type: string + total_observables: + description: The number of observables attached to the case. + example: 0 + nullable: true + type: integer + totalAlerts: + example: 0 + type: integer + totalComment: + example: 0 + type: integer + totalEvents: + description: The number of events attached to the case. + example: 0 + type: integer + updated_at: + format: date-time + nullable: true + type: string + updated_by: + $ref: '#/components/schemas/Cases_case_response_updated_by_properties' + version: + example: WzUzMiwxXQ== + type: string + required: + - closed_at + - closed_by + - comments + - connector + - created_at + - created_by + - description + - duration + - external_service + - id + - observables + - owner + - settings + - severity + - status + - tags + - title + - totalAlerts + - totalComment + - total_observables + - updated_at + - updated_by + - version + Cases_case_response_pushed_by_properties: + nullable: true + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + required: + - email + - full_name + - username + title: Case response properties for pushed_by + type: object + Cases_case_response_updated_by_properties: + nullable: true + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: 
u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + required: + - email + - full_name + - username + title: Case response properties for updated_by + type: object + Cases_case_severity: + description: The severity of the case. + enum: + - critical + - high + - low + - medium + type: string + Cases_case_status: + description: The status of the case. + enum: + - closed + - in-progress + - open + type: string + Cases_case_tags: + description: | + The words and phrases that help categorize cases. It can be an empty array. + items: + maxLength: 256 type: string - Cases_defaultSearchOperator: - description: he default operator to use for the simple_query_string. - example: OR - in: query - name: defaultSearchOperator - schema: - default: OR + maxItems: 200 + type: array + Cases_case_title: + description: A title for the case. + maxLength: 160 + type: string + Cases_closure_types: + description: Indicates whether a case is automatically closed when it is pushed to external systems (`close-by-pushing`) or not automatically closed (`close-by-user`). + enum: + - close-by-pushing + - close-by-user + example: close-by-user + type: string + Cases_connector_properties_cases_webhook: + description: Defines properties for connectors when type is `.cases-webhook`. + type: object + properties: + fields: + example: null + nullable: true + type: string + id: + description: The identifier for the connector. To retrieve connector IDs, use the find connectors API. + type: string + name: + description: The name of the connector. + type: string + type: + description: The type of connector. + enum: + - .cases-webhook + example: .cases-webhook + type: string + required: + - fields + - id + - name + - type + title: Create or upate case request properties for Cases Webhook connector + Cases_connector_properties_jira: + description: Defines properties for connectors when type is `.jira`. 
+ type: object + properties: + fields: + description: An object containing the connector fields. If you want to omit any individual field, specify null as its value. + type: object + properties: + issueType: + description: The type of issue. + nullable: true + type: string + parent: + description: The key of the parent issue, when the issue type is sub-task. + nullable: true + type: string + priority: + description: The priority of the issue. + nullable: true + type: string + required: + - issueType + - parent + - priority + id: + description: The identifier for the connector. To retrieve connector IDs, use the find connectors API. + type: string + name: + description: The name of the connector. + type: string + type: + description: The type of connector. + enum: + - .jira + example: .jira + type: string + required: + - fields + - id + - name + - type + title: Create or update case request properties for a Jira connector + Cases_connector_properties_none: + description: Defines properties for connectors when type is `.none`. + type: object + properties: + fields: + description: An object containing the connector fields. To create a case without a connector, specify null. To update a case to remove the connector, specify null. + example: null + nullable: true + type: string + id: + description: The identifier for the connector. To create a case without a connector, use `none`. To update a case to remove the connector, specify `none`. + example: none + type: string + name: + description: The name of the connector. To create a case without a connector, use `none`. To update a case to remove the connector, specify `none`. + example: none + type: string + type: + description: The type of connector. To create a case without a connector, use `.none`. To update a case to remove the connector, specify `.none`. 
+ enum: + - .none + example: .none + type: string + required: + - fields + - id + - name + - type + title: Create or update case request properties for no connector + Cases_connector_properties_resilient: + description: Defines properties for connectors when type is `.resilient`. + type: object + properties: + fields: + description: An object containing the connector fields. If you want to omit any individual field, specify null as its value. + nullable: true + type: object + properties: + issueTypes: + description: The type of incident. + items: + type: string + type: array + severityCode: + description: The severity code of the incident. + type: string + required: + - issueTypes + - severityCode + id: + description: The identifier for the connector. + type: string + name: + description: The name of the connector. + type: string + type: + description: The type of connector. + enum: + - .resilient + example: .resilient + type: string + required: + - fields + - id + - name + - type + title: Create case request properties for a IBM Resilient connector + Cases_connector_properties_servicenow: + description: Defines properties for connectors when type is `.servicenow`. + type: object + properties: + fields: + description: An object containing the connector fields. If you want to omit any individual field, specify null as its value. + type: object + properties: + category: + description: The category of the incident. + nullable: true + type: string + impact: + description: The effect an incident had on business. + nullable: true + type: string + severity: + description: The severity of the incident. + nullable: true + type: string + subcategory: + description: The subcategory of the incident. + nullable: true + type: string + urgency: + description: The extent to which the incident resolution can be delayed. + nullable: true + type: string + required: + - category + - impact + - severity + - subcategory + - urgency + id: + description: The identifier for the connector. 
To retrieve connector IDs, use the find connectors API. + type: string + name: + description: The name of the connector. + type: string + type: + description: The type of connector. + enum: + - .servicenow + example: .servicenow + type: string + required: + - fields + - id + - name + - type + title: Create case request properties for a ServiceNow ITSM connector + Cases_connector_properties_servicenow_sir: + description: Defines properties for connectors when type is `.servicenow-sir`. + type: object + properties: + fields: + description: An object containing the connector fields. If you want to omit any individual field, specify null as its value. + type: object + properties: + category: + description: The category of the incident. + nullable: true + type: string + destIp: + description: Indicates whether cases will send a comma-separated list of destination IPs. + nullable: true + type: boolean + malwareHash: + description: Indicates whether cases will send a comma-separated list of malware hashes. + nullable: true + type: boolean + malwareUrl: + description: Indicates whether cases will send a comma-separated list of malware URLs. + nullable: true + type: boolean + priority: + description: The priority of the issue. + nullable: true + type: string + sourceIp: + description: Indicates whether cases will send a comma-separated list of source IPs. + nullable: true + type: boolean + subcategory: + description: The subcategory of the incident. + nullable: true + type: string + required: + - category + - destIp + - malwareHash + - malwareUrl + - priority + - sourceIp + - subcategory + id: + description: The identifier for the connector. To retrieve connector IDs, use the find connectors API. + type: string + name: + description: The name of the connector. + type: string + type: + description: The type of connector. 
+ enum: + - .servicenow-sir + example: .servicenow-sir + type: string + required: + - fields + - id + - name + - type + title: Create case request properties for a ServiceNow SecOps connector + Cases_connector_properties_swimlane: + description: Defines properties for connectors when type is `.swimlane`. + type: object + properties: + fields: + description: An object containing the connector fields. If you want to omit any individual field, specify null as its value. + type: object + properties: + caseId: + description: The case identifier for Swimlane connectors. + nullable: true + type: string + required: + - caseId + id: + description: The identifier for the connector. To retrieve connector IDs, use the find connectors API. + type: string + name: + description: The name of the connector. + type: string + type: + description: The type of connector. + enum: + - .swimlane + example: .swimlane + type: string + required: + - fields + - id + - name + - type + title: Create case request properties for a Swimlane connector + Cases_connector_types: + description: The type of connector. + enum: + - .cases-webhook + - .jira + - .none + - .resilient + - .servicenow + - .servicenow-sir + - .swimlane + example: .none + type: string + Cases_create_case_request: + description: The create case API request body varies depending on the type of connector. 
+ properties: + assignees: + $ref: '#/components/schemas/Cases_assignees' + category: + $ref: '#/components/schemas/Cases_case_category' + connector: + oneOf: + - $ref: '#/components/schemas/Cases_connector_properties_none' + - $ref: '#/components/schemas/Cases_connector_properties_cases_webhook' + - $ref: '#/components/schemas/Cases_connector_properties_jira' + - $ref: '#/components/schemas/Cases_connector_properties_resilient' + - $ref: '#/components/schemas/Cases_connector_properties_servicenow' + - $ref: '#/components/schemas/Cases_connector_properties_servicenow_sir' + - $ref: '#/components/schemas/Cases_connector_properties_swimlane' + customFields: + description: | + Custom field values for a case. Any optional custom fields that are not specified in the request are set to null. + items: + type: object + properties: + key: + description: | + The unique identifier for the custom field. The key value must exist in the case configuration settings. + type: string + type: + description: | + The custom field type. It must match the type specified in the case configuration settings. + enum: + - text + - toggle + type: string + value: + description: | + The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is `undefined`. The value returned in the API and user interface in this case is `null`. 
+ oneOf: + - maxLength: 160 + minLength: 1 + nullable: true + type: string + - type: boolean + required: + - key + - type + - value + maxItems: 10 + minItems: 0 + type: array + description: + $ref: '#/components/schemas/Cases_case_description' + owner: + $ref: '#/components/schemas/Cases_owner' + settings: + $ref: '#/components/schemas/Cases_settings' + severity: + $ref: '#/components/schemas/Cases_case_severity' + tags: + $ref: '#/components/schemas/Cases_case_tags' + title: + $ref: '#/components/schemas/Cases_case_title' + required: + - connector + - description + - owner + - settings + - tags + - title + title: Create case request + type: object + Cases_event_comment_response_properties: + title: Case response properties for event comments + type: object + properties: + created_at: + example: '2022-05-13T09:16:17.416Z' + format: date-time + type: string + created_by: + $ref: '#/components/schemas/Cases_case_response_created_by_properties' + eventId: + items: + example: 7605e6a6f9f4f990ad9f8f6901e5f082f1f1f1665cbaf2f0f2c6f8f6b0d8a39f + type: string + type: array + id: + example: 8af6ac20-74f6-11ea-b83a-553aecdb28b6 + type: string + index: + items: + example: .internal.alerts-security.alerts-default-000001 + type: string + type: array + owner: + $ref: '#/components/schemas/Cases_owner' + pushed_at: + example: null + format: date-time + nullable: true + type: string + pushed_by: + $ref: '#/components/schemas/Cases_case_response_pushed_by_properties' + type: + enum: + - event + example: event + type: string + updated_at: + example: null + format: date-time + nullable: true + type: string + updated_by: + $ref: '#/components/schemas/Cases_case_response_updated_by_properties' + version: + example: WzIwNDMxLDFd + type: string + required: + - type + Cases_external_service: + nullable: true + type: object + properties: + connector_id: + type: string + connector_name: + type: string + external_id: + type: string + external_title: + type: string + external_url: + type: 
string + pushed_at: + format: date-time + type: string + pushed_by: + nullable: true + type: object + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + Cases_find_comments_response: + title: Find case comments response + type: object + properties: + comments: + description: Paginated list of user comments for the case. + items: + $ref: '#/components/schemas/Cases_user_comment_response_properties' + type: array + page: + description: The current page index. + type: integer + per_page: + description: The number of items per page. + type: integer + total: + description: The total number of comments. + type: integer + required: + - comments + - page + - per_page + - total + Cases_owner: + description: | + The application that owns the cases: Stack Management, Observability, or Elastic Security. + enum: + - cases + - observability + - securitySolution + example: cases + type: string + Cases_owners: + items: + $ref: '#/components/schemas/Cases_owner' + type: array + Cases_payload_alert_comment: + type: object + properties: + comment: + type: object + properties: + alertId: + oneOf: + - example: 1c0b056b-cc9f-4b61-b5c9-cb801abd5e1d + type: string + - items: + type: string + type: array + index: + oneOf: + - example: .alerts-observability.logs.alerts-default + type: string + - items: + type: string + type: array + owner: + $ref: '#/components/schemas/Cases_owner' + rule: + type: object + properties: + id: + description: The rule identifier. + example: 94d80550-aaf4-11ec-985f-97e55adae8b9 + nullable: true + type: string + name: + description: The rule name. 
+ example: security_rule + nullable: true + type: string + type: + enum: + - alert + type: string + Cases_payload_assignees: + type: object + properties: + assignees: + $ref: '#/components/schemas/Cases_assignees' + Cases_payload_connector: + type: object + properties: + connector: + type: object + properties: + fields: + description: An object containing the connector fields. To create a case without a connector, specify null. If you want to omit any individual field, specify null as its value. + example: null + nullable: true + type: object + properties: + caseId: + description: The case identifier for Swimlane connectors. + type: string + category: + description: The category of the incident for ServiceNow ITSM and ServiceNow SecOps connectors. + type: string + destIp: + description: Indicates whether cases will send a comma-separated list of destination IPs for ServiceNow SecOps connectors. + nullable: true + type: boolean + impact: + description: The effect an incident had on business for ServiceNow ITSM connectors. + type: string + issueType: + description: The type of issue for Jira connectors. + type: string + issueTypes: + description: The type of incident for IBM Resilient connectors. + items: + type: string + type: array + malwareHash: + description: Indicates whether cases will send a comma-separated list of malware hashes for ServiceNow SecOps connectors. + nullable: true + type: boolean + malwareUrl: + description: Indicates whether cases will send a comma-separated list of malware URLs for ServiceNow SecOps connectors. + nullable: true + type: boolean + parent: + description: The key of the parent issue, when the issue type is sub-task for Jira connectors. + type: string + priority: + description: The priority of the issue for Jira and ServiceNow SecOps connectors. + type: string + severity: + description: The severity of the incident for ServiceNow ITSM connectors. 
+ type: string + severityCode: + description: The severity code of the incident for IBM Resilient connectors. + type: string + sourceIp: + description: Indicates whether cases will send a comma-separated list of source IPs for ServiceNow SecOps connectors. + nullable: true + type: boolean + subcategory: + description: The subcategory of the incident for ServiceNow ITSM connectors. + type: string + urgency: + description: The extent to which the incident resolution can be delayed for ServiceNow ITSM connectors. + type: string + id: + description: The identifier for the connector. To create a case without a connector, use `none`. + example: none + type: string + name: + description: The name of the connector. To create a case without a connector, use `none`. + example: none + type: string + type: + $ref: '#/components/schemas/Cases_connector_types' + Cases_payload_create_case: + type: object + properties: + assignees: + $ref: '#/components/schemas/Cases_assignees' + connector: + type: object + properties: + fields: + description: An object containing the connector fields. To create a case without a connector, specify null. If you want to omit any individual field, specify null as its value. + example: null + nullable: true + type: object + properties: + caseId: + description: The case identifier for Swimlane connectors. + type: string + category: + description: The category of the incident for ServiceNow ITSM and ServiceNow SecOps connectors. + type: string + destIp: + description: Indicates whether cases will send a comma-separated list of destination IPs for ServiceNow SecOps connectors. + nullable: true + type: boolean + impact: + description: The effect an incident had on business for ServiceNow ITSM connectors. + type: string + issueType: + description: The type of issue for Jira connectors. + type: string + issueTypes: + description: The type of incident for IBM Resilient connectors. 
+ items: + type: string + type: array + malwareHash: + description: Indicates whether cases will send a comma-separated list of malware hashes for ServiceNow SecOps connectors. + nullable: true + type: boolean + malwareUrl: + description: Indicates whether cases will send a comma-separated list of malware URLs for ServiceNow SecOps connectors. + nullable: true + type: boolean + parent: + description: The key of the parent issue, when the issue type is sub-task for Jira connectors. + type: string + priority: + description: The priority of the issue for Jira and ServiceNow SecOps connectors. + type: string + severity: + description: The severity of the incident for ServiceNow ITSM connectors. + type: string + severityCode: + description: The severity code of the incident for IBM Resilient connectors. + type: string + sourceIp: + description: Indicates whether cases will send a comma-separated list of source IPs for ServiceNow SecOps connectors. + nullable: true + type: boolean + subcategory: + description: The subcategory of the incident for ServiceNow ITSM connectors. + type: string + urgency: + description: The extent to which the incident resolution can be delayed for ServiceNow ITSM connectors. + type: string + id: + description: The identifier for the connector. To create a case without a connector, use `none`. + example: none + type: string + name: + description: The name of the connector. To create a case without a connector, use `none`. 
+ example: none + type: string + type: + $ref: '#/components/schemas/Cases_connector_types' + description: + type: string + owner: + $ref: '#/components/schemas/Cases_owner' + settings: + $ref: '#/components/schemas/Cases_settings' + severity: + $ref: '#/components/schemas/Cases_case_severity' + status: + $ref: '#/components/schemas/Cases_case_status' + tags: + example: + - tag-1 + items: + type: string + type: array + title: + type: string + Cases_payload_delete: + description: If the `action` is `delete` and the `type` is `delete_case`, the payload is nullable. + nullable: true + type: object + Cases_payload_description: + type: object + properties: + description: + type: string + Cases_payload_pushed: + type: object + properties: + externalService: + $ref: '#/components/schemas/Cases_external_service' + Cases_payload_settings: + type: object + properties: + settings: + $ref: '#/components/schemas/Cases_settings' + Cases_payload_severity: + type: object + properties: + severity: + $ref: '#/components/schemas/Cases_case_severity' + Cases_payload_status: + type: object + properties: + status: + $ref: '#/components/schemas/Cases_case_status' + Cases_payload_tags: + type: object + properties: + tags: + example: + - tag-1 + items: + type: string + type: array + Cases_payload_title: + type: object + properties: + title: + type: string + Cases_payload_user_comment: + type: object + properties: + comment: + type: object + properties: + comment: + type: string + owner: + $ref: '#/components/schemas/Cases_owner' + type: + enum: + - user + type: string + Cases_related_case: + description: | + Summary of a case returned when listing cases that contain a given alert. This is a subset of the full case response. + properties: + createdAt: + description: When the case was created. + format: date-time + type: string + description: + description: The case description. + type: string + id: + description: The case identifier. 
+ type: string + status: + $ref: '#/components/schemas/Cases_case_status' + title: + description: The case title. + type: string + totals: + $ref: '#/components/schemas/Cases_attachment_totals' + required: + - id + - title + - description + - status + - createdAt + - totals + title: Related case + type: object + Cases_response_4xx: + properties: + error: + example: Unauthorized + type: string + message: + type: string + statusCode: + example: 401 + type: integer + title: Unsuccessful cases API response + type: object + Cases_rule: + description: | + The rule that is associated with the alerts. It is required only when `type` is `alert`. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. + title: Alerting rule + type: object + properties: + id: + description: The rule identifier. + example: 94d80550-aaf4-11ec-985f-97e55adae8b9 + type: string + name: + description: The rule name. + example: security_rule + type: string + x-state: Technical preview + Cases_searchFieldsType: + description: The fields to perform the `simple_query_string` parsed query against. + enum: + - description + - title + type: string + Cases_searchFieldsTypeArray: + items: + $ref: '#/components/schemas/Cases_searchFieldsType' + type: array + Cases_set_case_configuration_request: + description: External connection details, such as the closure type and default connector for cases. + properties: + closure_type: + $ref: '#/components/schemas/Cases_closure_types' + connector: + description: An object that contains the connector configuration. + type: object + properties: + fields: + description: The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to `null`. + nullable: true + type: object + id: + description: The identifier for the connector. 
If you do not want a default connector, use `none`. To retrieve connector IDs, use the find connectors API. + example: none + type: string + name: + description: The name of the connector. If you do not want a default connector, use `none`. To retrieve connector names, use the find connectors API. + example: none + type: string + type: + $ref: '#/components/schemas/Cases_connector_types' + required: + - fields + - id + - name + - type + customFields: + description: Custom fields case configuration. + items: + type: object + properties: + defaultValue: + description: | + A default value for the custom field. If the `type` is `text`, the default value must be a string. If the `type` is `toggle`, the default value must be boolean. + oneOf: + - type: string + - type: boolean + key: + description: | + A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field. + maxLength: 36 + minLength: 1 + type: string + label: + description: The custom field label that is displayed in the case. + maxLength: 50 + minLength: 1 + type: string + type: + description: The type of the custom field. + enum: + - text + - toggle + type: string + required: + description: | + Indicates whether the field is required. If `false`, the custom field can be set to null or omitted when a case is created or updated. + type: boolean + required: + - key + - label + - required + - type + maxItems: 10 + minItems: 0 + type: array + owner: + $ref: '#/components/schemas/Cases_owner' + templates: + $ref: '#/components/schemas/Cases_templates' + required: + - closure_type + - connector + - owner + title: Set case configuration request + type: object + Cases_settings: + description: An object that contains the case settings. + type: object + properties: + extractObservables: + description: | + When true, observables (e.g. IPs, hashes, URLs) are automatically extracted from case comments. 
Optional; defaults to false when omitted. + example: false + type: boolean + syncAlerts: + description: Turns alert syncing on or off. + example: true + type: boolean + required: + - syncAlerts + Cases_string: + type: string + Cases_string_array: + items: + $ref: '#/components/schemas/Cases_string' + maxItems: 100 + type: array + Cases_template_tags: + description: | + The words and phrases that help categorize templates. It can be an empty array. + items: + maxLength: 256 type: string - Cases_from: - description: > - Returns only cases that were created after a specific date. The date - must be specified as a KQL data range or date match expression. - in: query - name: from - schema: - example: now-1d + maxItems: 200 + type: array + Cases_templates: + items: + type: object + properties: + caseFields: + type: object + properties: + assignees: + $ref: '#/components/schemas/Cases_assignees' + category: + $ref: '#/components/schemas/Cases_case_category' + connector: + type: object + properties: + fields: + description: The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to `null`. + nullable: true + type: object + id: + description: The identifier for the connector. If you do not want a default connector, use `none`. To retrieve connector IDs, use the find connectors API. + example: none + type: string + name: + description: The name of the connector. If you do not want a default connector, use `none`. To retrieve connector names, use the find connectors API. + example: none + type: string + type: + $ref: '#/components/schemas/Cases_connector_types' + customFields: + description: Custom field values in the template. + items: + type: object + properties: + key: + description: The unique key for the custom field. + type: string + type: + description: The type of the custom field. 
+ enum: + - text + - toggle + type: string + value: + description: | + The default value for the custom field when a case uses the template. If the `type` is `text`, the default value must be a string. If the `type` is `toggle`, the default value must be boolean. + oneOf: + - type: string + - type: boolean + type: array + x-state: Technical preview + description: + $ref: '#/components/schemas/Cases_case_description' + settings: + $ref: '#/components/schemas/Cases_settings' + severity: + $ref: '#/components/schemas/Cases_case_severity' + tags: + $ref: '#/components/schemas/Cases_case_tags' + title: + $ref: '#/components/schemas/Cases_case_title' + description: + description: A description for the template. + type: string + key: + description: | + A unique key for the template. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific template. + type: string + name: + description: The name of the template. + type: string + tags: + $ref: '#/components/schemas/Cases_template_tags' + type: array + x-state: Technical preview + Cases_update_alert_comment_request_properties: + description: Defines properties for case comment requests when type is alert. + type: object + properties: + alertId: + $ref: '#/components/schemas/Cases_alert_identifiers' + id: + description: | + The identifier for the comment. To retrieve comment IDs, use the get comments API. + example: 8af6ac20-74f6-11ea-b83a-553aecdb28b6 + type: string + index: + $ref: '#/components/schemas/Cases_alert_indices' + owner: + $ref: '#/components/schemas/Cases_owner' + rule: + $ref: '#/components/schemas/Cases_rule' + type: + description: The type of comment. + enum: + - alert + example: alert + type: string + version: + description: | + The current comment version. To retrieve version values, use the get comments API. 
+ example: Wzk1LDFd + type: string + required: + - alertId + - id + - index + - owner + - rule + - type + - version + title: Update case comment request properties for alerts + Cases_update_case_comment_request: + description: The update case comment API request body varies depending on whether you are updating an alert or a comment. + discriminator: + mapping: + alert: '#/components/schemas/Cases_update_alert_comment_request_properties' + user: '#/components/schemas/Cases_update_user_comment_request_properties' + propertyName: type + oneOf: + - $ref: '#/components/schemas/Cases_update_alert_comment_request_properties' + - $ref: '#/components/schemas/Cases_update_user_comment_request_properties' + title: Update case comment request + Cases_update_case_configuration_request: + description: | + You can update settings such as the closure type, custom fields, templates, and the default connector for cases. + properties: + closure_type: + $ref: '#/components/schemas/Cases_closure_types' + connector: + description: An object that contains the connector configuration. + type: object + properties: + fields: + description: The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to `null`. + nullable: true + type: object + id: + description: The identifier for the connector. If you do not want a default connector, use `none`. To retrieve connector IDs, use the find connectors API. + example: none + type: string + name: + description: The name of the connector. If you do not want a default connector, use `none`. To retrieve connector names, use the find connectors API. + example: none + type: string + type: + $ref: '#/components/schemas/Cases_connector_types' + required: + - fields + - id + - name + - type + customFields: + description: Custom fields case configuration. + items: + type: object + properties: + defaultValue: + description: | + A default value for the custom field. 
If the `type` is `text`, the default value must be a string. If the `type` is `toggle`, the default value must be boolean. + oneOf: + - type: string + - type: boolean + key: + description: | + A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field. + maxLength: 36 + minLength: 1 + type: string + label: + description: The custom field label that is displayed in the case. + maxLength: 50 + minLength: 1 + type: string + type: + description: The type of the custom field. + enum: + - text + - toggle + type: string + required: + description: | + Indicates whether the field is required. If `false`, the custom field can be set to null or omitted when a case is created or updated. + type: boolean + required: + - key + - label + - required + - type + type: array + templates: + $ref: '#/components/schemas/Cases_templates' + version: + description: | + The version of the connector. To retrieve the version value, use the get configuration API. + example: WzIwMiwxXQ== + type: string + required: + - version + title: Update case configuration request + type: object + Cases_update_case_request: + description: The update case API request body varies depending on the type of connector. + properties: + cases: + description: An array containing one or more case objects. 
+ items: + type: object + properties: + assignees: + $ref: '#/components/schemas/Cases_assignees' + category: + $ref: '#/components/schemas/Cases_case_category' + closeReason: + $ref: '#/components/schemas/Cases_case_close_sync_reason' + connector: + oneOf: + - $ref: '#/components/schemas/Cases_connector_properties_none' + - $ref: '#/components/schemas/Cases_connector_properties_cases_webhook' + - $ref: '#/components/schemas/Cases_connector_properties_jira' + - $ref: '#/components/schemas/Cases_connector_properties_resilient' + - $ref: '#/components/schemas/Cases_connector_properties_servicenow' + - $ref: '#/components/schemas/Cases_connector_properties_servicenow_sir' + - $ref: '#/components/schemas/Cases_connector_properties_swimlane' + customFields: + description: | + Custom field values for a case. Any optional custom fields that are not specified in the request are set to null. + items: + type: object + properties: + key: + description: | + The unique identifier for the custom field. The key value must exist in the case configuration settings. + type: string + type: + description: | + The custom field type. It must match the type specified in the case configuration settings. + enum: + - text + - toggle + type: string + value: + description: | + The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is `undefined`. The value returned in the API and user interface in this case is `null`. + oneOf: + - maxLength: 160 + minLength: 1 + nullable: true + type: string + - type: boolean + required: + - key + - type + - value + maxItems: 10 + minItems: 0 + type: array + description: + $ref: '#/components/schemas/Cases_case_description' + id: + description: The identifier for the case. 
+ maxLength: 30000 + type: string + settings: + $ref: '#/components/schemas/Cases_settings' + severity: + $ref: '#/components/schemas/Cases_case_severity' + status: + $ref: '#/components/schemas/Cases_case_status' + tags: + $ref: '#/components/schemas/Cases_case_tags' + title: + $ref: '#/components/schemas/Cases_case_title' + version: + description: | + The current version of the case. To determine this value, use the get case or search cases (`_find`) APIs. + type: string + required: + - id + - version + maxItems: 100 + minItems: 1 + type: array + required: + - cases + title: Update case request + type: object + Cases_update_user_comment_request_properties: + description: Defines properties for case comment requests when type is user. + properties: + comment: + description: The new comment. It is required only when `type` is `user`. + example: A new comment. + maxLength: 30000 + type: string + id: + description: | + The identifier for the comment. To retrieve comment IDs, use the get comments API. + example: 8af6ac20-74f6-11ea-b83a-553aecdb28b6 + type: string + owner: + $ref: '#/components/schemas/Cases_owner' + type: + description: The type of comment. + enum: + - user + example: user + type: string + version: + description: | + The current comment version. To retrieve version values, use the get comments API. 
+ example: Wzk1LDFd + type: string + required: + - comment + - id + - owner + - type + - version + title: Update case comment request properties for user comments + type: object + Cases_user_actions_find_response_properties: + type: object + properties: + action: + $ref: '#/components/schemas/Cases_actions' + comment_id: + example: 578608d0-03b1-11ed-920c-974bfa104448 + nullable: true + type: string + created_at: + example: '2022-05-13T09:16:17.416Z' + format: date-time + type: string + created_by: + type: object + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + required: + - email + - full_name + - username + id: + example: 22fd3e30-03b1-11ed-920c-974bfa104448 + type: string + owner: + $ref: '#/components/schemas/Cases_owner' + payload: + oneOf: + - $ref: '#/components/schemas/Cases_payload_alert_comment' + - $ref: '#/components/schemas/Cases_payload_assignees' + - $ref: '#/components/schemas/Cases_payload_connector' + - $ref: '#/components/schemas/Cases_payload_create_case' + - $ref: '#/components/schemas/Cases_payload_delete' + - $ref: '#/components/schemas/Cases_payload_description' + - $ref: '#/components/schemas/Cases_payload_pushed' + - $ref: '#/components/schemas/Cases_payload_settings' + - $ref: '#/components/schemas/Cases_payload_severity' + - $ref: '#/components/schemas/Cases_payload_status' + - $ref: '#/components/schemas/Cases_payload_tags' + - $ref: '#/components/schemas/Cases_payload_title' + - $ref: '#/components/schemas/Cases_payload_user_comment' + type: + description: The type of action. 
+ enum: + - assignees + - category + - comment + - connector + - create_case + - customFields + - delete_case + - description + - extended_fields + - observables + - pushed + - settings + - severity + - status + - tags + - title + example: create_case + type: string + version: + example: WzM1ODg4LDFd + type: string + required: + - action + - comment_id + - created_at + - created_by + - id + - owner + - payload + - type + - version + Cases_user_comment_response_properties: + title: Case response properties for user comments + type: object + properties: + comment: + example: A new comment. + type: string + created_at: + example: '2022-05-13T09:16:17.416Z' + format: date-time + type: string + created_by: + $ref: '#/components/schemas/Cases_case_response_created_by_properties' + id: + example: 8af6ac20-74f6-11ea-b83a-553aecdb28b6 + type: string + owner: + $ref: '#/components/schemas/Cases_owner' + pushed_at: + example: null + format: date-time + nullable: true + type: string + pushed_by: + $ref: '#/components/schemas/Cases_case_response_pushed_by_properties' + type: + enum: + - user + example: user + type: string + updated_at: + example: null + format: date-time + nullable: true + type: string + updated_by: + $ref: '#/components/schemas/Cases_case_response_updated_by_properties' + version: + example: WzIwNDMxLDFd + type: string + required: + - type + Data_views_400_response: + title: Bad request + type: object + properties: + error: + example: Bad Request + type: string + message: + type: string + statusCode: + example: 400 + type: number + required: + - statusCode + - error + - message + Data_views_404_response: + type: object + properties: + error: + enum: + - Not Found + example: Not Found + type: string + message: + example: Saved object [index-pattern/caaad6d0-920c-11ed-b36a-874bd1548a00] not found + type: string + statusCode: + enum: + - 404 + example: 404 + type: integer + Data_views_allownoindex: + description: Allows the data view saved object to exist before 
the data is available. Defaults to `false`. + type: boolean + Data_views_create_data_view_request_object: + title: Create data view request + type: object + properties: + data_view: + description: The data view object. + type: object + properties: + allowNoIndex: + $ref: '#/components/schemas/Data_views_allownoindex' + fieldAttrs: + additionalProperties: + $ref: '#/components/schemas/Data_views_fieldattrs' + type: object + fieldFormats: + $ref: '#/components/schemas/Data_views_fieldformats' + fields: + type: object + id: + type: string + name: + description: The data view name. + type: string + namespaces: + $ref: '#/components/schemas/Data_views_namespaces' + runtimeFieldMap: + additionalProperties: + $ref: '#/components/schemas/Data_views_runtimefieldmap' + type: object + sourceFilters: + $ref: '#/components/schemas/Data_views_sourcefilters' + timeFieldName: + $ref: '#/components/schemas/Data_views_timefieldname' + title: + $ref: '#/components/schemas/Data_views_title' + type: + $ref: '#/components/schemas/Data_views_type' + typeMeta: + $ref: '#/components/schemas/Data_views_typemeta' + version: + type: string + required: + - title + override: + default: false + description: Override an existing data view if a data view with the provided title already exists. + type: boolean + required: + - data_view + Data_views_data_view_response_object: + title: Data view response properties + type: object + properties: + data_view: + type: object + properties: + allowNoIndex: + $ref: '#/components/schemas/Data_views_allownoindex' + fieldAttrs: + additionalProperties: + $ref: '#/components/schemas/Data_views_fieldattrs' + type: object + fieldFormats: + $ref: '#/components/schemas/Data_views_fieldformats' + fields: + type: object + id: + example: ff959d40-b880-11e8-a6d9-e546fe2bba5f + type: string + name: + description: The data view name. 
+ type: string + namespaces: + $ref: '#/components/schemas/Data_views_namespaces' + runtimeFieldMap: + additionalProperties: + $ref: '#/components/schemas/Data_views_runtimefieldmap' + type: object + sourceFilters: + $ref: '#/components/schemas/Data_views_sourcefilters' + timeFieldName: + $ref: '#/components/schemas/Data_views_timefieldname' + title: + $ref: '#/components/schemas/Data_views_title' + typeMeta: + $ref: '#/components/schemas/Data_views_typemeta_response' + version: + example: WzQ2LDJd + type: string + Data_views_fieldattrs: + description: A map of field attributes by field name. + type: object + properties: + count: + description: Popularity count for the field. + type: integer + customDescription: + description: Custom description for the field. + maxLength: 300 + type: string + customLabel: + description: Custom label for the field. + type: string + Data_views_fieldformats: + description: A map of field formats by field name. + type: object + Data_views_namespaces: + description: An array of space identifiers for sharing the data view between multiple spaces. + items: + default: default type: string - Cases_ids: - description: > - The cases that you want to removed. To get the case identifiers, use the - search cases (`_find`) API. In the Dev Console, you can specify the - array of cases in the following format: - `ids=["e58e77e3-ef8e-4251-926f-efb115f3c4ec"]`. In `curl`, all non-ASCII - characters must be URL encoded. For example: - `ids=%5B%22e58e77e3-ef8e-4251-926f-efb115f3c4ec%22%5D` - in: query - name: ids - required: true - schema: + type: array + Data_views_runtimefieldmap: + description: A map of runtime field definitions by field name. + type: object + properties: + script: + type: object + properties: + source: + description: Script for the runtime field. + type: string + type: + description: Mapping type of the runtime field. 
+ type: string + required: + - script + - type + Data_views_sourcefilters: + description: The array of field names you want to filter out in Discover. + items: + type: object + properties: + value: + type: string + required: + - value + type: array + Data_views_swap_data_view_request_object: + title: Data view reference swap request + type: object + properties: + delete: + description: Deletes referenced saved object if all references are removed. + type: boolean + forId: + description: Limit the affected saved objects to one or more by identifier. + oneOf: + - type: string + - items: + type: string + type: array + forType: + description: Limit the affected saved objects by type. + type: string + fromId: + description: The saved object reference to change. + type: string + fromType: + description: | + Specify the type of the saved object reference to alter. The default value is `index-pattern` for data views. + type: string + toId: + description: New saved object reference value to replace the old value. + type: string + required: + - fromId + - toId + Data_views_timefieldname: + description: The timestamp field name, which you use for time-based data views. + type: string + Data_views_title: + description: Comma-separated list of data streams, indices, and aliases that you want to search. Supports wildcards (`*`). + type: string + Data_views_type: + description: When set to `rollup`, identifies the rollup data views. + type: string + Data_views_typemeta: + description: When you use rollup indices, contains the field list for the rollup data view API endpoints. + type: object + properties: + aggs: + description: A map of rollup restrictions by aggregation type and field name. + type: object + params: + description: Properties for retrieving rollup fields. + type: object + required: + - aggs + - params + Data_views_typemeta_response: + description: When you use rollup indices, contains the field list for the rollup data view API endpoints. 
+ nullable: true + type: object + properties: + aggs: + description: A map of rollup restrictions by aggregation type and field name. + type: object + params: + description: Properties for retrieving rollup fields. + type: object + Data_views_update_data_view_request_object: + title: Update data view request + type: object + properties: + data_view: + description: | + The data view properties you want to update. Only the specified properties are updated in the data view. Unspecified fields stay as they are persisted. + type: object + properties: + allowNoIndex: + $ref: '#/components/schemas/Data_views_allownoindex' + fieldFormats: + $ref: '#/components/schemas/Data_views_fieldformats' + fields: + type: object + name: + type: string + runtimeFieldMap: + additionalProperties: + $ref: '#/components/schemas/Data_views_runtimefieldmap' + type: object + sourceFilters: + $ref: '#/components/schemas/Data_views_sourcefilters' + timeFieldName: + $ref: '#/components/schemas/Data_views_timefieldname' + title: + $ref: '#/components/schemas/Data_views_title' + type: + $ref: '#/components/schemas/Data_views_type' + typeMeta: + $ref: '#/components/schemas/Data_views_typemeta' + refresh_fields: + default: false + description: Reloads the data view fields after the data view is updated. 
+ type: boolean + required: + - data_view + Kibana_HTTP_APIs_action_id_response: + additionalProperties: false + properties: + actionId: + type: string + required: + - actionId + title: action_id_response + type: object + Kibana_HTTP_APIs_action_message_response: + additionalProperties: false + properties: + message: + type: string + required: + - message + title: action_message_response + type: object + Kibana_HTTP_APIs_agent_policy_response: + additionalProperties: false + properties: + advanced_settings: + additionalProperties: false + type: object + properties: + agent_download_target_directory: + nullable: true + agent_download_timeout: + nullable: true + agent_features_disable_policy_change_acks_enabled: + nullable: true + agent_internal: + nullable: true + agent_limits_go_max_procs: + nullable: true + agent_logging_files_interval: + nullable: true + agent_logging_files_keepfiles: + nullable: true + agent_logging_files_rotateeverybytes: + nullable: true + agent_logging_level: + nullable: true + agent_logging_metrics_period: + nullable: true + agent_logging_to_files: + nullable: true + agent_monitoring_runtime_experimental: + nullable: true + agent_features: + items: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + name: + type: string + required: + - name + - enabled + maxItems: 100 + type: array + agentless: + additionalProperties: false + type: object + properties: + cloud_connectors: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + target_csp: + enum: + - aws + - azure + - gcp + type: string + required: + - enabled + cluster_id: + type: string + resources: + additionalProperties: false + type: object + properties: + requests: + additionalProperties: false + type: object + properties: + cpu: + type: string + memory: + type: string + agents: + type: number + agents_per_version: + items: + additionalProperties: false + type: object + properties: + count: + type: number + version: + 
type: string + required: + - version + - count + maxItems: 1000 + type: array + created_at: + type: string + data_output_id: + nullable: true + type: string + description: + type: string + download_source_id: + nullable: true + type: string + fips_agents: + type: number + fleet_server_host_id: + nullable: true + type: string + global_data_tags: + description: User defined data tags that are added to all of the inputs. The values can be strings or numbers. + items: + additionalProperties: false + type: object + properties: + name: + type: string + value: + anyOf: + - type: string + - type: number + required: + - name + - value + maxItems: 100 + type: array + has_agent_version_conditions: + type: boolean + has_fleet_server: + type: boolean + id: + type: string + inactivity_timeout: + default: 1209600 + minimum: 0 + type: number + is_default: + type: boolean + is_default_fleet_server: + type: boolean + is_managed: + type: boolean + is_preconfigured: + type: boolean + is_protected: + description: Indicates whether the agent policy has tamper protection enabled. Defaults to `false`. 
+ type: boolean + is_verifier: + type: boolean + keep_monitoring_alive: + default: false + description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled + nullable: true + type: boolean + min_agent_version: + nullable: true + type: string + monitoring_diagnostics: + additionalProperties: false + type: object + properties: + limit: + additionalProperties: false + type: object + properties: + burst: + type: number + interval: + type: string + uploader: + additionalProperties: false + type: object + properties: + init_dur: + type: string + max_dur: + type: string + max_retries: + type: number + monitoring_enabled: + items: + enum: + - logs + - metrics + - traces + type: string + maxItems: 3 + type: array + monitoring_http: + additionalProperties: false + type: object + properties: + buffer: + additionalProperties: false + type: object + properties: + enabled: + default: false + type: boolean + enabled: + type: boolean + host: + type: string + port: + maximum: 65353 + minimum: 0 + type: number + monitoring_output_id: + nullable: true + type: string + monitoring_pprof_enabled: + type: boolean + name: + minLength: 1 + type: string + namespace: + minLength: 1 + type: string + overrides: + additionalProperties: + nullable: true + description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure. 
+ nullable: true + type: object + package_agent_version_conditions: + items: + additionalProperties: false + type: object + properties: + name: + type: string + title: + type: string + version_condition: + type: string + required: + - name + - title + - version_condition + maxItems: 1000 + nullable: true + type: array + package_policies: + anyOf: + - items: + type: string + maxItems: 10000 + type: array + - description: This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the `?full=true` parameter + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_response' + maxItems: 10000 + type: array + required_versions: + items: + additionalProperties: false + type: object + properties: + percentage: + description: Target percentage of agents to auto upgrade + maximum: 100 + minimum: 0 + type: number + version: + description: Target version for automatic agent upgrade + type: string + required: + - version + - percentage + maxItems: 100 + nullable: true + type: array + revision: + type: number + schema_version: + type: string + space_ids: + items: + type: string + maxItems: 100 + type: array + status: + enum: + - active + - inactive + type: string + supports_agentless: + default: false + description: Indicates whether the agent policy supports agentless integrations. + nullable: true + type: boolean + unenroll_timeout: + minimum: 0 + type: number + unprivileged_agents: + type: number + updated_at: + type: string + updated_by: + type: string + version: + type: string + required: + - id + - name + - namespace + - is_protected + - status + - updated_at + - updated_by + - revision + title: agent_policy_response + type: object + Kibana_HTTP_APIs_aiops_change_point_chart: + additionalProperties: false + description: Change point detection chart embeddable schema + properties: + aggregation_function: + default: avg + description: The aggregation function used to calculate the metric values. 
+ enum: + - avg + - sum + - min + - max + type: string + data_view_id: + description: The data view ID used to run change point detection. + minLength: 1 + type: string + description: + type: string + hide_border: + type: boolean + hide_title: + type: boolean + max_series_to_plot: + default: 6 + description: The maximum number of change points to visualize. Defaults to 6. + maximum: 50 + minimum: 1 + type: number + metric_field: + description: The metric field used by the aggregation function. + minLength: 1 + type: string + partitions: + description: Optional split field values to include in the panel. + items: + minLength: 1 + type: string + maxItems: 10000 + type: array + split_field: + description: The optional field used to split change point results. + minLength: 1 + type: string + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + view_type: + default: charts + description: The type of change point detection view to display. + enum: + - charts + - table + type: string + required: + - data_view_id + - metric_field + title: aiops_change_point_chart + type: object + Kibana_HTTP_APIs_alerts_filter_query: + additionalProperties: false + properties: + dsl: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL). + type: string + filters: + description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: A filter that can be applied to a specific application context or applied globally. 
+ enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: + description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value" + nullable: true + type: object + query: + additionalProperties: + description: A query for the filter. + nullable: true + type: object + required: + - meta + type: array + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + - filters + title: alerts_filter_query + type: object + Kibana_HTTP_APIs_apm-anomaly-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want the rule to run on an interval basis after it is created. 
+ type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how frequently rule actions are triggered. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the APM anomaly rule. These parameters are appropriate when `rule_type_id` is `apm.anomaly"`. + properties: + anomalyDetectorTypes: + description: The types of anomalies that are detected. For example, detect abnormal latency, throughput, or failed transaction rates. + items: + enum: + - txLatency + - txThroughput + - txFailureRate + type: string + minItems: 1 + type: array + anomalySeverityType: + description: 'The severity of anomalies that result in an alert: critical, major, minor, or warning.' + enum: + - critical + - major + - minor + - warning + type: string + environment: + description: The environment from APM. + type: string + serviceName: + description: The service name from APM. + type: string + transactionType: + description: The transaction type from APM. 
+ type: string + windowSize: + description: The size of the time window (in `windowUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection. + type: number + windowUnit: + description: 'The type of units for the time window: minutes, hours, or days.' + type: string + required: + - windowSize + - windowUnit + - environment + - anomalySeverityType + title: APM Anomaly Rule Params + type: object + rule_type_id: + enum: + - apm.anomaly + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how frequently rule actions are triggered. You cannot specify the throttle interval at both the rule and action level. If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: APM anomaly + type: object + Kibana_HTTP_APIs_apm-error-rate-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. 
+ type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want the rule to run on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how frequently rule actions are triggered. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the error count rule. 
These parameters are appropriate when `rule_type_id` is `apm.error_rate`. + properties: + environment: + description: Filter the errors coming from your application to apply the rule to a specific environment. + type: string + errorGroupingKey: + description: Filter the errors coming from your application to apply the rule to a specific error grouping key, which is a hash of the stack trace and other properties. + type: string + groupBy: + items: + description: Perform a composite aggregation against the selected fields. When any of these groups match the selected rule conditions, an alert is triggered per group. + type: string + type: array + searchConfiguration: + additionalProperties: false + type: object + properties: + query: + additionalProperties: false + type: object + properties: + language: + type: string + query: + anyOf: + - type: string + - additionalProperties: + nullable: true + type: object + required: + - query + - language + required: + - query + serviceName: + description: Filter the errors coming from your application to apply the rule to a specific service. + type: string + threshold: + description: The number of errors, which is the threshold for alerts. + type: number + useKqlFilter: + description: A filter in Kibana Query Language (KQL) that limits the scope of the rule. + type: boolean + windowSize: + description: The time frame in which the errors must occur (in `windowUnit` units). Generally it should be a value higher than the rule check interval to avoid gaps in detection. + type: number + windowUnit: + description: 'The type of units for the time window: minutes, hours, or days.' + type: string + required: + - windowSize + - windowUnit + - threshold + - environment + title: Error Count Rule Params + type: object + rule_type_id: + enum: + - apm.error_rate + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. 
+ type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how frequently rule actions are triggered. You cannot specify the throttle interval at both the rule and action level. If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Error rate + type: object + Kibana_HTTP_APIs_apm-service-map-embeddable: + additionalProperties: false + description: APM service map embeddable schema + properties: + description: + type: string + environment: + default: ENVIRONMENT_ALL + type: string + hide_border: + type: boolean + hide_title: + type: boolean + kuery: + type: string + service_group_id: + type: string + service_name: + type: string + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + title: apm-service-map-embeddable + type: object + Kibana_HTTP_APIs_apm-transaction-duration-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. 
+ type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want the rule to run on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how frequently rule actions are triggered. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the transaction duration rule. 
These parameters are appropriate when `rule_type_id` is `apm.transaction_duration`. + properties: + aggregationType: + description: The type of aggregation to perform. + enum: + - avg + - 95th + - 99th + type: string + environment: + description: Filter the rule to apply to a specific environment. + type: string + groupBy: + items: + description: Perform a composite aggregation against the selected fields. When any of these groups match the selected rule conditions, an alert is triggered per group. + type: string + type: array + searchConfiguration: + additionalProperties: false + type: object + properties: + query: + additionalProperties: false + type: object + properties: + language: + type: string + query: + anyOf: + - type: string + - additionalProperties: + nullable: true + type: object + required: + - query + - language + required: + - query + serviceName: + description: Filter the rule to apply to a specific service. + type: string + threshold: + description: The latency threshold value. + type: number + transactionName: + description: Filter the rule to apply to a specific transaction name. + type: string + transactionType: + description: Filter the rule to apply to a specific transaction type. + type: string + useKqlFilter: + description: A Kibana Query Language (KQL) expression thats limits the scope of alerts. + type: boolean + windowSize: + description: The size of the time window (in `windowUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection. + type: number + windowUnit: + description: 'The type of units for the time window. For example: minutes, hours, or days.' 
+ type: string + required: + - windowSize + - windowUnit + - threshold + - aggregationType + - environment + title: Transaction Duration Rule Params + type: object + rule_type_id: + enum: + - apm.transaction_duration + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how frequently rule actions are triggered. You cannot specify the throttle interval at both the rule and action level. If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Transaction duration + type: object + Kibana_HTTP_APIs_apm-transaction-error-rate-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. 
+ type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want the rule to run on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how frequently rule actions are triggered. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the transaction error rate rule. 
These parameters are appropriate when `rule_type_id` is `apm.transaction_error_rate`. + properties: + environment: + type: string + groupBy: + items: + type: string + type: array + searchConfiguration: + additionalProperties: false + type: object + properties: + query: + additionalProperties: false + type: object + properties: + language: + type: string + query: + anyOf: + - type: string + - additionalProperties: + nullable: true + type: object + required: + - query + - language + required: + - query + serviceName: + type: string + threshold: + type: number + transactionName: + type: string + transactionType: + type: string + useKqlFilter: + type: boolean + windowSize: + type: number + windowUnit: + type: string + required: + - windowSize + - windowUnit + - threshold + - environment + title: Transaction Error Rate Rule Params + type: object + rule_type_id: + enum: + - apm.transaction_error_rate + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how frequently rule actions are triggered. You cannot specify the throttle interval at both the rule and action level. If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. 
+ nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Transaction error rate + type: object + Kibana_HTTP_APIs_autoColor: + additionalProperties: false + description: Coloring determined at runtime based on chart defaults + properties: + type: + enum: + - auto + type: string + required: + - type + title: Auto Color + type: object + Kibana_HTTP_APIs_backfill_error_response: + additionalProperties: false + properties: + error: + additionalProperties: false + type: object + properties: + message: + type: string + rule: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + required: + - id + status: + type: number + required: + - message + - rule + required: + - error + title: backfill_error_response + type: object + Kibana_HTTP_APIs_backfill_response: + additionalProperties: false + properties: + created_at: + type: string + duration: + type: string + enabled: + type: boolean + end: + type: string + id: + type: string + initiator: + enum: + - user + - system + type: string + initiator_id: + type: string + rule: + additionalProperties: false + type: object + properties: + api_key_created_by_user: + nullable: true + type: boolean + api_key_owner: + nullable: true + type: string + consumer: + type: string + created_at: + type: string + created_by: + nullable: true + type: string + enabled: + type: boolean + id: + type: string + name: + type: string + params: + additionalProperties: + nullable: true + description: The parameters for the rule. 
+ type: object + revision: + type: number + rule_type_id: + type: string + schedule: + additionalProperties: false + type: object + properties: + interval: + type: string + required: + - interval + tags: + items: + type: string + type: array + updated_at: + type: string + updated_by: + nullable: true + type: string + required: + - id + - name + - tags + - rule_type_id + - params + - api_key_owner + - consumer + - enabled + - schedule + - created_by + - updated_by + - created_at + - updated_at + - revision + schedule: + items: + additionalProperties: false + type: object + properties: + interval: + type: string + run_at: + type: string + status: + enum: + - complete + - pending + - running + - error + - timeout + type: string + required: + - run_at + - status + - interval + type: array + space_id: + type: string + start: + type: string + status: + enum: + - complete + - pending + - running + - error + - timeout + type: string + required: + - id + - created_at + - duration + - enabled + - rule + - space_id + - initiator + - start + - status + - schedule + title: backfill_response + type: object + Kibana_HTTP_APIs_bulk_delete_enrollment_api_keys_request: + additionalProperties: false + properties: + forceDelete: + default: false + description: When false (default), invalidate the API key and mark the token as inactive. When true, also delete the token document. + type: boolean + includeHidden: + default: false + description: When true, allow deletion of hidden enrollment tokens (managed/agentless policies). Defaults to false. + type: boolean + kuery: + description: KQL query to select enrollment tokens to delete. + type: string + tokenIds: + description: List of enrollment token IDs to delete. 
+ items: + type: string + maxItems: 10000 + type: array + title: bulk_delete_enrollment_api_keys_request + type: object + Kibana_HTTP_APIs_bulk_delete_enrollment_api_keys_response: + additionalProperties: false + properties: + action: + type: string + count: + type: number + errorCount: + type: number + successCount: + type: number + required: + - action + - count + - successCount + - errorCount + title: bulk_delete_enrollment_api_keys_response + type: object + Kibana_HTTP_APIs_bulk_get_agent_policies_response: + additionalProperties: false + properties: + items: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_agent_policy_response' + maxItems: 10000 + type: array + required: + - items + title: bulk_get_agent_policies_response + type: object + Kibana_HTTP_APIs_bulk_get_package_policies_response: + additionalProperties: false + properties: + items: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_response' + maxItems: 10000 + type: array + required: + - items + title: bulk_get_package_policies_response + type: object + Kibana_HTTP_APIs_bulk_install_packages_from_registry_request: + additionalProperties: false + properties: + force: + default: false + type: boolean + packages: + items: + anyOf: + - type: string + - additionalProperties: false + type: object + properties: + name: + type: string + prerelease: + type: boolean + version: + type: string + required: + - name + - version + maxItems: 1000 + minItems: 1 + type: array + required: + - packages + title: bulk_install_packages_from_registry_request + type: object + Kibana_HTTP_APIs_bulk_install_packages_from_registry_response: + additionalProperties: false + properties: + items: + items: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_install_packages_response_item_success' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_bulk_install_packages_response_item_error' + maxItems: 10000 + type: array + required: + - items + title: bulk_install_packages_from_registry_response 
+ type: object + Kibana_HTTP_APIs_bulk_install_packages_response_item_error: + additionalProperties: false + properties: + error: + anyOf: + - type: string + - nullable: true + name: + type: string + statusCode: + type: number + required: + - name + - statusCode + title: bulk_install_packages_response_item_error + type: object + Kibana_HTTP_APIs_bulk_install_packages_response_item_success: + additionalProperties: false + properties: + name: + type: string + result: + additionalProperties: false + type: object + properties: + assets: + items: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kibana_asset_reference' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_es_asset_reference' + maxItems: 10000 + type: array + error: + nullable: true + installSource: + type: string + installType: + type: string + status: + enum: + - installed + - already_installed + type: string + required: + - error + - installType + version: + type: string + required: + - name + - version + - result + title: bulk_install_packages_response_item_success + type: object + Kibana_HTTP_APIs_bulk_namespace_customization_request: + additionalProperties: false + properties: + disable: + description: Namespaces to disable namespace-level customization for on each package. + items: + type: string + maxItems: 100 + type: array + enable: + description: Namespaces to enable namespace-level customization for on each package. + items: + type: string + maxItems: 100 + type: array + packages: + description: Package names to apply the customization changes to. 
+ items: + type: string + maxItems: 1000 + minItems: 1 + type: array + required: + - packages + title: bulk_namespace_customization_request + type: object + Kibana_HTTP_APIs_bulk_namespace_customization_response: + additionalProperties: false + properties: + items: + items: + additionalProperties: false + type: object + properties: + error: + type: string + name: + type: string + namespace_customization_enabled_for: + description: 'The opt-in list on the package. Returned whenever the package is installed: the new list on success, or the unchanged list when the request is rejected (for example, because of a namespace-prefix restriction).' + items: + type: string + maxItems: 100 + type: array + success: + type: boolean + required: + - name + - success + maxItems: 1000 + type: array + required: + - items + title: bulk_namespace_customization_response + type: object + Kibana_HTTP_APIs_bulk_rollback_packages_request: + additionalProperties: false + properties: + packages: + items: + additionalProperties: false + type: object + properties: + name: + description: Package name to rollback + type: string + required: + - name + maxItems: 1000 + minItems: 1 + type: array + required: + - packages + title: bulk_rollback_packages_request + type: object + Kibana_HTTP_APIs_bulk_rollback_packages_response: + additionalProperties: false + properties: + taskId: + type: string + required: + - taskId + title: bulk_rollback_packages_response + type: object + Kibana_HTTP_APIs_bulk_uninstall_packages_request: + additionalProperties: false + properties: + force: + default: false + type: boolean + packages: + items: + additionalProperties: false + type: object + properties: + name: + type: string + version: + type: string + required: + - name + - version + maxItems: 1000 + minItems: 1 + type: array + required: + - packages + title: bulk_uninstall_packages_request + type: object + Kibana_HTTP_APIs_bulk_upgrade_packages_request: + additionalProperties: false + properties: + force: + default: 
false + type: boolean + packages: + items: + additionalProperties: false + type: object + properties: + name: + type: string + version: + type: string + required: + - name + maxItems: 1000 + minItems: 1 + type: array + prerelease: + type: boolean + upgrade_package_policies: + default: false + type: boolean + required: + - packages + title: bulk_upgrade_packages_request + type: object + Kibana_HTTP_APIs_bulk_upgrade_packages_response: + additionalProperties: false + properties: + taskId: + type: string + required: + - taskId + title: bulk_upgrade_packages_response + type: object + Kibana_HTTP_APIs_byteFormat: + additionalProperties: false + description: Data size format in bits or bytes, with optional decimal places and suffix. + properties: + decimals: + default: 2 + description: Number of decimal places to display. + type: number + suffix: + description: Suffix appended to the formatted value. + type: string + type: + description: 'Data size unit: `bits` or `bytes`.' + enum: + - bits + - bytes + type: string + required: + - type + title: Byte Format + type: object + Kibana_HTTP_APIs_categoricalColorMapping: + additionalProperties: false + description: Palette color assignment for specific categorical values. Unmapped values receive the unassigned color. + properties: + mapping: + items: + additionalProperties: false + type: object + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorFromPalette' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_color_code' + values: + items: + anyOf: + - type: string + - type: number + - $ref: '#/components/schemas/Kibana_HTTP_APIs_range_key' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_multi_field_key' + maxItems: 1000 + type: array + required: + - values + - color + maxItems: 1000 + type: array + mode: + enum: + - categorical + type: string + palette: + description: 'Color palette name. 
Accepted values: ''default'', ''elastic_line_optimized'', ''severity'', ''eui_amsterdam'', ''kibana_v7_legacy'', ''elastic_brand_2023''. Defaults to `default`.' + type: string + unassigned: + $ref: '#/components/schemas/Kibana_HTTP_APIs_unassignedColorSchema' + required: + - mode + - palette + - mapping + title: Categorical Color Mapping + type: object + Kibana_HTTP_APIs_category_summary_item: + additionalProperties: false + properties: + count: + type: number + id: + type: string + parent_id: + type: string + parent_title: + type: string + title: + type: string + required: + - id + - title + - count + title: category_summary_item + type: object + Kibana_HTTP_APIs_ClassicFieldDefinition: + additionalProperties: + $ref: '#/components/schemas/Kibana_HTTP_APIs_ClassicFieldDefinitionConfig' + type: object + Kibana_HTTP_APIs_ClassicFieldDefinitionConfig: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_RecursiveRecord' + - anyOf: + - additionalProperties: false + type: object + properties: + description: + type: string + format: + description: A non-empty string. 
+ minLength: 1 + type: string + type: + enum: + - keyword + - match_only_text + - long + - double + - date + - boolean + - ip + - geo_point + - integer + - short + - byte + - float + - half_float + - text + - wildcard + - version + - unsigned_long + - date_nanos + type: string + required: + - type + - additionalProperties: false + type: object + properties: + description: + type: string + type: + enum: + - system + type: string + required: + - type + Kibana_HTTP_APIs_ClassicStreamUpsertRequest: + additionalProperties: false + type: object + properties: + dashboards: + items: + type: string + type: array + queries: + items: + type: object + properties: + description: + type: string + esql: + type: object + properties: + query: + type: string + required: + - query + evidence: + items: + type: string + type: array + features: + items: + type: object + properties: + id: + type: string + run_id: + type: string + required: + - id + type: array + id: + description: A non-empty string. + minLength: 1 + type: string + severity_score: + type: number + title: + description: A non-empty string. 
+ minLength: 1 + type: string + type: + default: match + enum: + - match + - stats + type: string + required: + - id + - title + - description + - esql + type: array + rules: + items: + type: string + type: array + stream: + additionalProperties: false + type: object + properties: + description: + type: string + ingest: + additionalProperties: false + type: object + properties: + classic: + additionalProperties: false + type: object + properties: + field_overrides: + $ref: '#/components/schemas/Kibana_HTTP_APIs_ClassicFieldDefinition' + failure_store: + $ref: '#/components/schemas/Kibana_HTTP_APIs_FailureStore' + lifecycle: + $ref: '#/components/schemas/Kibana_HTTP_APIs_IngestStreamLifecycle' + processing: + additionalProperties: false + type: object + properties: + steps: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamlangStep' + type: array + updated_at: {} + required: + - steps + settings: + additionalProperties: false + type: object + properties: + index.number_of_replicas: + additionalProperties: false + type: object + properties: + value: + type: number + required: + - value + index.number_of_shards: + additionalProperties: false + type: object + properties: + value: + type: number + required: + - value + index.refresh_interval: + additionalProperties: false + type: object + properties: + value: + anyOf: + - type: string + - enum: + - -1 + type: number + required: + - value + required: + - lifecycle + - processing + - settings + - failure_store + - classic + query_streams: + items: + type: object + properties: + name: + type: string + required: + - name + type: array + type: + enum: + - classic + type: string + required: + - description + - ingest + - type + required: + - dashboards + - rules + - queries + - stream + Kibana_HTTP_APIs_collapseBy: + description: Aggregation function used to collapse a breakdown dimension into a single value. 
+ enum: + - avg + - sum + - max + - min + title: collapseBy + type: string + Kibana_HTTP_APIs_color_code: + additionalProperties: false + description: A color specified as a hex or CSS color code string. + properties: + type: + enum: + - color_code + type: string + value: + description: The static color value to use. + type: string + required: + - type + - value + title: Color Code + type: object + Kibana_HTTP_APIs_colorByValue: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValueAbsolute' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValuePercentage' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyColorByValue' + description: Dynamic color mapping by numeric range, with support for absolute and percentage-based ranges. + title: Color By Value + Kibana_HTTP_APIs_colorByValueAbsolute: + additionalProperties: false + description: Color by absolute value configuration + properties: + range: + enum: + - absolute + type: string + steps: + description: Array of ordered color steps defining the range each color is applied. + items: + additionalProperties: false + type: object + properties: + color: + description: The color to use for this step. + type: string + gte: + description: The lower bound of range from which this color applies (inclusive). + nullable: true + type: number + lt: + description: The upper bound of range to which this color applies (exclusive). + nullable: true + type: number + lte: + description: The upper bound of range to which this color applies (inclusive). 
+ nullable: true + type: number + required: + - color + maxItems: 100 + minItems: 1 + type: array + type: + enum: + - dynamic + type: string + required: + - type + - range + - steps + title: Color By Value (Absolute) + type: object + Kibana_HTTP_APIs_colorByValuePercentage: + additionalProperties: false + description: Color by percentage value configuration + properties: + range: + enum: + - percentage + type: string + steps: + description: Array of ordered color steps defining the range each color is applied. + items: + additionalProperties: false + type: object + properties: + color: + description: The color to use for this step. + type: string + gte: + description: The lower bound of range from which this color applies (inclusive). + nullable: true + type: number + lt: + description: The upper bound of range to which this color applies (exclusive). + nullable: true + type: number + lte: + description: The upper bound of range to which this color applies (inclusive). + nullable: true + type: number + required: + - color + maxItems: 100 + minItems: 1 + type: array + type: + enum: + - dynamic + type: string + required: + - type + - range + - steps + title: Color By Value (Percentage) + type: object + Kibana_HTTP_APIs_colorFromPalette: + additionalProperties: false + description: Color at a fixed index position in a named palette. + properties: + index: + description: The index of the color in the palette. + type: number + palette: + description: 'Color palette name. Accepted values: ''default'', ''elastic_line_optimized'', ''severity'', ''eui_amsterdam'', ''kibana_v7_legacy'', ''elastic_brand_2023''. Defaults to `default`.' 
+ type: string + type: + enum: + - from_palette + type: string + required: + - type + - index + title: Color From Palette + type: object + Kibana_HTTP_APIs_colorMapping: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_categoricalColorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_gradientColorMapping' + description: Color mapping for dimension values, either categorical (for specific values) or as a gradient. + title: Color Mapping + Kibana_HTTP_APIs_Condition: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_FilterCondition' + - additionalProperties: false + description: A logical AND that groups multiple conditions. + type: object + properties: + and: + description: An array of conditions. All sub-conditions must be true for this condition to be true. + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + type: array + required: + - and + - additionalProperties: false + description: A logical OR that groups multiple conditions. + type: object + properties: + or: + description: An array of conditions. At least one sub-condition must be true for this condition to be true. + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + type: array + required: + - or + - additionalProperties: false + description: A logical NOT that negates a condition. + type: object + properties: + not: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: A condition that negates another condition. + required: + - not + - additionalProperties: false + description: A condition that always evaluates to false. + type: object + properties: + never: + additionalProperties: false + description: An empty object. This condition never matches. + type: object + properties: {} + required: + - never + - additionalProperties: false + description: A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered. 
+ type: object + properties: + always: + additionalProperties: false + description: An empty object. This condition always matches. + type: object + properties: {} + required: + - always + description: The root condition object. It can be a simple filter or a combination of other conditions. + Kibana_HTTP_APIs_ConditionWithSteps: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + - additionalProperties: false + type: object + properties: + else: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamlangStep' + type: array + steps: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamlangStep' + type: array + required: + - steps + Kibana_HTTP_APIs_ContentPackIncludedObjects: + anyOf: + - additionalProperties: false + type: object + properties: + objects: + additionalProperties: false + type: object + properties: + all: + additionalProperties: false + type: object + properties: {} + required: + - all + required: + - objects + - additionalProperties: false + type: object + properties: + objects: + additionalProperties: false + type: object + properties: + mappings: + type: boolean + queries: + items: + type: object + properties: + id: + type: string + required: + - id + type: array + routing: + items: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_ContentPackIncludedObjects' + - type: object + properties: + destination: + type: string + required: + - destination + type: array + required: + - mappings + - queries + - routing + required: + - objects + Kibana_HTTP_APIs_copy_agent_policy_request: + additionalProperties: false + properties: + description: + type: string + name: + minLength: 1 + type: string + required: + - name + title: copy_agent_policy_request + type: object + Kibana_HTTP_APIs_core_status_redactedResponse: + additionalProperties: false + description: A minimal representation of Kibana's operational status. Returned when the caller is unauthenticated or lacks the `monitor` cluster privilege. 
+ properties: + status: + additionalProperties: false + type: object + properties: + overall: + additionalProperties: false + type: object + properties: + level: + description: Service status levels as human and machine readable values. + enum: + - available + - degraded + - unavailable + - critical + type: string + required: + - level + required: + - overall + required: + - status + title: core_status_redactedResponse + type: object + Kibana_HTTP_APIs_core_status_response: + additionalProperties: false + description: Kibana's operational status as well as a detailed breakdown of plugin statuses indication of various loads (like event loop utilization and network traffic) at time of request. + properties: + metrics: + additionalProperties: false + description: Metric groups collected by Kibana. + type: object + properties: + collection_interval_in_millis: + description: The interval at which metrics should be collected. + type: number + elasticsearch_client: + additionalProperties: false + description: Current network metrics of Kibana's Elasticsearch client. + type: object + properties: + totalActiveSockets: + description: Count of network sockets currently in use. + type: number + totalIdleSockets: + description: Count of network sockets currently idle. + type: number + totalQueuedRequests: + description: Count of requests not yet assigned to sockets. + type: number + required: + - totalActiveSockets + - totalIdleSockets + - totalQueuedRequests + last_updated: + description: The time metrics were collected. + type: string + required: + - elasticsearch_client + - last_updated + - collection_interval_in_millis + name: + description: Kibana instance name. + type: string + status: + additionalProperties: false + type: object + properties: + core: + additionalProperties: false + description: Statuses of core Kibana services. 
+ type: object + properties: + elasticsearch: + additionalProperties: false + type: object + properties: + detail: + description: Human readable detail of the service status. + type: string + documentationUrl: + description: A URL to further documentation regarding this service. + type: string + level: + description: Service status levels as human and machine readable values. + enum: + - available + - degraded + - unavailable + - critical + type: string + meta: + additionalProperties: + nullable: true + description: An unstructured set of extra metadata about this service. + type: object + summary: + description: A human readable summary of the service status. + type: string + required: + - level + - summary + - meta + http: + additionalProperties: false + type: object + properties: + detail: + description: Human readable detail of the service status. + type: string + documentationUrl: + description: A URL to further documentation regarding this service. + type: string + level: + description: Service status levels as human and machine readable values. + enum: + - available + - degraded + - unavailable + - critical + type: string + meta: + additionalProperties: + nullable: true + description: An unstructured set of extra metadata about this service. + type: object + summary: + description: A human readable summary of the service status. + type: string + required: + - level + - summary + - meta + savedObjects: + additionalProperties: false + type: object + properties: + detail: + description: Human readable detail of the service status. + type: string + documentationUrl: + description: A URL to further documentation regarding this service. + type: string + level: + description: Service status levels as human and machine readable values. + enum: + - available + - degraded + - unavailable + - critical + type: string + meta: + additionalProperties: + nullable: true + description: An unstructured set of extra metadata about this service. 
+ type: object + summary: + description: A human readable summary of the service status. + type: string + required: + - level + - summary + - meta + required: + - elasticsearch + - savedObjects + overall: + additionalProperties: false + type: object + properties: + detail: + description: Human readable detail of the service status. + type: string + documentationUrl: + description: A URL to further documentation regarding this service. + type: string + level: + description: Service status levels as human and machine readable values. + enum: + - available + - degraded + - unavailable + - critical + type: string + meta: + additionalProperties: + nullable: true + description: An unstructured set of extra metadata about this service. + type: object + summary: + description: A human readable summary of the service status. + type: string + required: + - level + - summary + - meta + plugins: + additionalProperties: + additionalProperties: false + type: object + properties: + detail: + description: Human readable detail of the service status. + type: string + documentationUrl: + description: A URL to further documentation regarding this service. + type: string + level: + description: Service status levels as human and machine readable values. + enum: + - available + - degraded + - unavailable + - critical + type: string + meta: + additionalProperties: + nullable: true + description: An unstructured set of extra metadata about this service. + type: object + summary: + description: A human readable summary of the service status. + type: string + required: + - level + - summary + - meta + description: A dynamic mapping of plugin ID to plugin status. + type: object + required: + - overall + - core + - plugins + uuid: + description: Unique, generated Kibana instance UUID. This UUID should persist even if the Kibana process restarts. + type: string + version: + additionalProperties: false + type: object + properties: + build_date: + description: The date and time of this build. 
+ type: string + build_flavor: + description: The build flavour determines configuration and behavior of Kibana. On premise users will almost always run the "traditional" flavour, while other flavours are reserved for Elastic-specific use cases. + enum: + - serverless + - traditional + type: string + build_hash: + description: A unique hash value representing the git commit of this Kibana build. + type: string + build_number: + description: A monotonically increasing number, each subsequent build will have a higher number. + type: number + build_snapshot: + description: Whether this build is a snapshot build. + type: boolean + number: + description: A semantic version number. + type: string + required: + - number + - build_hash + - build_number + - build_snapshot + - build_flavor + - build_date + required: + - name + - uuid + - version + - status + - metrics + title: core_status_response + type: object + Kibana_HTTP_APIs_counterRateOperation: + additionalProperties: false + properties: + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - counter_rate + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Counter Rate Operation + type: object + Kibana_HTTP_APIs_countMetricOperation: + additionalProperties: false + properties: + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - operation + title: Count Metric Operation + type: object + Kibana_HTTP_APIs_create_custom_integration_request: + additionalProperties: false + properties: + datasets: + items: + additionalProperties: false + type: object + properties: + name: + type: string + type: + enum: + - logs + - metrics + - traces + - synthetics + - profiling + type: string + required: + - name + - type + maxItems: 10 + type: array + force: + type: boolean + integrationName: + type: string + required: + - integrationName + - datasets + title: create_custom_integration_request + type: object + Kibana_HTTP_APIs_create_package_policy_request: + additionalProperties: false + properties: + additional_datastreams_permissions: + description: Additional data stream permissions that will be added to the agent policy. + items: + type: string + maxItems: 1000 + nullable: true + type: array + cloud_connector_id: + description: ID of the cloud connector associated with this package policy. + nullable: true + type: string + cloud_connector_name: + description: Transient field for cloud connector name during creation. + maxLength: 255 + minLength: 1 + nullable: true + type: string + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this integration to its inputs.' 
+ type: string + description: + description: Package policy description + type: string + enabled: + type: boolean + force: + description: Force package policy creation even if the package is not verified, or if the agent policy is managed. + type: boolean + global_data_tags: + items: + additionalProperties: false + type: object + properties: + name: + description: The name of the custom field. Cannot contain spaces. + type: string + value: + anyOf: + - type: string + - type: number + description: The value of the custom field. + required: + - name + - value + maxItems: 100 + nullable: true + type: array + id: + description: Package policy unique identifier + type: string + inputs: + items: + additionalProperties: false + type: object + properties: + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' + type: string + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + name: + type: string + policy_template: + type: string + streams: + items: + additionalProperties: false + type: object + properties: + compiled_stream: + nullable: true + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' 
+ type: string + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + data_stream: + additionalProperties: false + type: object + properties: + dataset: + type: string + elasticsearch: + additionalProperties: false + type: object + properties: + dynamic_dataset: + type: boolean + dynamic_namespace: + type: boolean + privileges: + additionalProperties: false + type: object + properties: + indices: + items: + type: string + maxItems: 100 + type: array + type: + type: string + required: + - dataset + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + release: + enum: + - ga + - beta + - experimental + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - enabled + - data_stream + - compiled_stream + maxItems: 1000 + type: array + type: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. 
+ type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - type + - enabled + maxItems: 1000 + type: array + is_managed: + type: boolean + name: + description: Unique name for the package policy. + type: string + namespace: + description: The package policy namespace. Leave blank to inherit the agent policy's namespace. + type: string + output_id: + nullable: true + type: string + overrides: + additionalProperties: false + description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. + nullable: true + type: object + properties: + inputs: + additionalProperties: + nullable: true + type: object + package: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_package' + package_agent_version_condition: + type: string + policy_id: + deprecated: true + description: ID of the agent policy which the package policy will be added to. + nullable: true + type: string + policy_ids: + items: + description: IDs of the agent policies that the package policy will be added to. + type: string + maxItems: 1000 + type: array + spaceIds: + items: + type: string + maxItems: 100 + type: array + supports_agentless: + default: false + deprecated: true + description: Indicates whether the package policy belongs to an agentless agent policy. Deprecated in favor of the Fleet agentless policies API. + nullable: true + type: boolean + supports_cloud_connector: + default: false + description: Indicates whether the package policy supports cloud connectors. + nullable: true + type: boolean + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. 
Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - name + - inputs + title: create_package_policy_request + type: object + Kibana_HTTP_APIs_create_package_policy_response: + additionalProperties: false + properties: + item: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_response' + required: + - item + title: create_package_policy_response + type: object + Kibana_HTTP_APIs_cumulativeSumOperation: + additionalProperties: false + properties: + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - cumulative_sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Cumulative Sum Operation + type: object + Kibana_HTTP_APIs_customFormat: + additionalProperties: false + description: Custom format using a Kibana field format pattern string. + properties: + pattern: + description: Kibana field format pattern string. 
+ type: string + type: + enum: + - custom + type: string + required: + - type + - pattern + title: Custom Format + type: object + Kibana_HTTP_APIs_datasetquality-degradeddocs-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want the rule to run on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how frequently rule actions are triggered. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the degraded docs rule. These parameters are appropriate when `rule_type_id` is `datasetQuality.degradedDocs`. + properties: + comparator: + type: string + groupBy: + items: + type: string + type: array + searchConfiguration: + additionalProperties: false + type: object + properties: + index: + type: string + required: + - index + threshold: + items: + type: number + type: array + timeSize: + type: number + timeUnit: + type: string + required: + - timeUnit + - timeSize + - threshold + - comparator + - searchConfiguration + title: Degraded Docs Rule Params + type: object + rule_type_id: + enum: + - datasetQuality.degradedDocs + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: Use the `throttle` property in the action `frequency` object instead. 
The throttle interval, which defines how frequently rule actions are triggered. You cannot specify the throttle interval at both the rule and action level. If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Degraded docs + type: object + Kibana_HTTP_APIs_datatableDensity: + additionalProperties: false + description: Density configuration for the datatable. + properties: + height: + additionalProperties: false + type: object + properties: + header: + anyOf: + - additionalProperties: false + type: object + properties: + type: + enum: + - auto + type: string + required: + - type + - additionalProperties: false + type: object + properties: + max_lines: + default: 3 + maximum: 5 + minimum: 1 + type: number + type: + enum: + - custom + type: string + required: + - type + description: Number of lines before the header is truncated. + value: + anyOf: + - additionalProperties: false + type: object + properties: + type: + enum: + - auto + type: string + required: + - type + - additionalProperties: false + type: object + properties: + lines: + default: 1 + maximum: 20 + minimum: 1 + type: number + type: + enum: + - custom + type: string + required: + - type + description: Number of lines to display per table body cell. + mode: + description: Display density mode. 
+ enum: + - compact + - default + - expanded + type: string + title: datatableDensity + type: object + Kibana_HTTP_APIs_datatableESQL: + additionalProperties: false + description: Datatable state configuration for ES|QL queries + properties: + data_source: + $ref: '#/components/schemas/Kibana_HTTP_APIs_esqlDataSource' + description: + type: string + drilldowns: + items: + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. + type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. 
Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + hide_border: + type: boolean + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. + type: boolean + metrics: + description: Array of metrics to display as columns in the datatable + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableESQLMetric' + maxItems: 1000 + minItems: 1 + type: array + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + rows: + description: Array of operations to split the datatable rows by + items: + additionalProperties: false + type: object + properties: + alignment: + description: Alignment of the rows. + enum: + - left + - center + - right + type: string + apply_color_to: + description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' + enum: + - value + - background + - badge + type: string + click_filter: + description: When `true`, enables one-click filtering on cell values. + type: boolean + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for ESQL datatable rows. Use dynamic coloring for numeric data and categorical/gradient mode for categorical data. 
+ column: + description: Column to use + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + visible: + description: When `false`, hides the column from the datatable. + type: boolean + width: + description: Column width in pixels. + minimum: 0 + type: number + required: + - column + maxItems: 50 + minItems: 1 + type: array + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). + maximum: 1 + minimum: 0 + type: number + split_metrics_by: + description: Array of operations to split the metric columns by + items: + additionalProperties: false + type: object + properties: + column: + description: Column to use + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + required: + - column + maxItems: 20 + minItems: 1 + type: array + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableStyling' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + type: + enum: + - data_table + type: string + required: + - type + - data_source + title: Datatable (ES|QL) + type: object + Kibana_HTTP_APIs_datatableESQLMetric: + additionalProperties: false + properties: + alignment: + description: Alignment of the columns. + enum: + - left + - center + - right + type: string + apply_color_to: + description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' + enum: + - value + - background + - badge + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for datatable metrics. 
Use dynamic coloring for numeric data and categorical/gradient mode for categorical data. + column: + description: Column to use + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + summary: + additionalProperties: false + description: Summary row configuration + type: object + properties: + label: + description: Summary row label. + type: string + type: + description: Type of summary function to apply to the column. + enum: + - sum + - avg + - count + - min + - max + type: string + required: + - type + visible: + description: When `false`, hides the column from the datatable. + type: boolean + width: + description: Column width in pixels. + minimum: 0 + type: number + required: + - column + title: Datatable Metric (ES|QL) + type: object + Kibana_HTTP_APIs_datatableMetricCounterRate: + additionalProperties: false + properties: + alignment: + description: Alignment of the columns. + enum: + - left + - center + - right + type: string + apply_color_to: + description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' + enum: + - value + - background + - badge + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for datatable metrics. Use dynamic coloring for numeric data and categorical/gradient mode for categorical data. 
+ field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - counter_rate + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + summary: + additionalProperties: false + description: Summary row configuration + type: object + properties: + label: + description: Summary row label. + type: string + type: + description: Type of summary function to apply to the column. + enum: + - sum + - avg + - count + - min + - max + type: string + required: + - type + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + visible: + description: When `false`, hides the column from the datatable. + type: boolean + width: + description: Column width in pixels. + minimum: 0 + type: number + required: + - field + - operation + title: Counter Rate Operation + type: object + Kibana_HTTP_APIs_datatableMetricCountMetric: + additionalProperties: false + properties: + alignment: + description: Alignment of the columns. + enum: + - left + - center + - right + type: string + apply_color_to: + description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' + enum: + - value + - background + - badge + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for datatable metrics. Use dynamic coloring for numeric data and categorical/gradient mode for categorical data. 
+ empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. + type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + summary: + additionalProperties: false + description: Summary row configuration + type: object + properties: + label: + description: Summary row label. + type: string + type: + description: Type of summary function to apply to the column. + enum: + - sum + - avg + - count + - min + - max + type: string + required: + - type + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + visible: + description: When `false`, hides the column from the datatable. + type: boolean + width: + description: Column width in pixels. + minimum: 0 + type: number + required: + - operation + title: Count Metric Operation + type: object + Kibana_HTTP_APIs_datatableMetricCumulativeSum: + additionalProperties: false + properties: + alignment: + description: Alignment of the columns. + enum: + - left + - center + - right + type: string + apply_color_to: + description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' + enum: + - value + - background + - badge + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for datatable metrics. 
Use dynamic coloring for numeric data and categorical/gradient mode for categorical data. + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - cumulative_sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + summary: + additionalProperties: false + description: Summary row configuration + type: object + properties: + label: + description: Summary row label. + type: string + type: + description: Type of summary function to apply to the column. + enum: + - sum + - avg + - count + - min + - max + type: string + required: + - type + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + visible: + description: When `false`, hides the column from the datatable. + type: boolean + width: + description: Column width in pixels. + minimum: 0 + type: number + required: + - field + - operation + title: Cumulative Sum Operation + type: object + Kibana_HTTP_APIs_datatableMetricDifferences: + additionalProperties: false + properties: + alignment: + description: Alignment of the columns. + enum: + - left + - center + - right + type: string + apply_color_to: + description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' + enum: + - value + - background + - badge + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for datatable metrics. 
Use dynamic coloring for numeric data and categorical/gradient mode for categorical data. + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - differences + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + summary: + additionalProperties: false + description: Summary row configuration + type: object + properties: + label: + description: Summary row label. + type: string + type: + description: Type of summary function to apply to the column. + enum: + - sum + - avg + - count + - min + - max + type: string + required: + - type + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + visible: + description: When `false`, hides the column from the datatable. + type: boolean + width: + description: Column width in pixels. + minimum: 0 + type: number + required: + - operation + - of + title: Differences Operation + type: object + Kibana_HTTP_APIs_datatableMetricFormula: + additionalProperties: false + properties: + alignment: + description: Alignment of the columns. + enum: + - left + - center + - right + type: string + apply_color_to: + description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' + enum: + - value + - background + - badge + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for datatable metrics. 
Use dynamic coloring for numeric data and categorical/gradient mode for categorical data. + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + formula: + description: Formula + type: string + label: + description: Label for the operation + type: string + operation: + enum: + - formula + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + summary: + additionalProperties: false + description: Summary row configuration + type: object + properties: + label: + description: Summary row label. + type: string + type: + description: Type of summary function to apply to the column. + enum: + - sum + - avg + - count + - min + - max + type: string + required: + - type + time_scale: + description: Time scale + enum: + - s + - m + - h + - d + type: string + visible: + description: When `false`, hides the column from the datatable. + type: boolean + width: + description: Column width in pixels. + minimum: 0 + type: number + required: + - operation + - formula + title: Formula Operation + type: object + Kibana_HTTP_APIs_datatableMetricLastValue: + additionalProperties: false + properties: + alignment: + description: Alignment of the columns. + enum: + - left + - center + - right + type: string + apply_color_to: + description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' + enum: + - value + - background + - badge + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for datatable metrics. Use dynamic coloring for numeric data and categorical/gradient mode for categorical data. 
+ field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + multi_value: + default: false + description: Whether to return all values for multi-value fields. Only affects data table and metric charts; other charts use the last value from the array. + type: boolean + operation: + enum: + - last_value + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + summary: + additionalProperties: false + description: Summary row configuration + type: object + properties: + label: + description: Summary row label. + type: string + type: + description: Type of summary function to apply to the column. + enum: + - sum + - avg + - count + - min + - max + type: string + required: + - type + time_field: + description: Time field used to determine document recency + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + visible: + description: When `false`, hides the column from the datatable. + type: boolean + width: + description: Column width in pixels. + minimum: 0 + type: number + required: + - field + - operation + - time_field + title: Last Value Operation + type: object + Kibana_HTTP_APIs_datatableMetricMovingAverage: + additionalProperties: false + properties: + alignment: + description: Alignment of the columns. + enum: + - left + - center + - right + type: string + apply_color_to: + description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' 
+ enum: + - value + - background + - badge + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for datatable metrics. Use dynamic coloring for numeric data and categorical/gradient mode for categorical data. + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - moving_average + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + summary: + additionalProperties: false + description: Summary row configuration + type: object + properties: + label: + description: Summary row label. + type: string + type: + description: Type of summary function to apply to the column. + enum: + - sum + - avg + - count + - min + - max + type: string + required: + - type + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + visible: + description: When `false`, hides the column from the datatable. + type: boolean + width: + description: Column width in pixels. + minimum: 0 + type: number + window: + default: 5 + description: Window + type: number + required: + - operation + - of + title: Moving Average Operation + type: object + Kibana_HTTP_APIs_datatableMetricPercentile: + additionalProperties: false + properties: + alignment: + description: Alignment of the columns. 
+ enum: + - left + - center + - right + type: string + apply_color_to: + description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' + enum: + - value + - background + - badge + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for datatable metrics. Use dynamic coloring for numeric data and categorical/gradient mode for categorical data. + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - percentile + type: string + percentile: + default: 95 + description: Percentile + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + summary: + additionalProperties: false + description: Summary row configuration + type: object + properties: + label: + description: Summary row label. + type: string + type: + description: Type of summary function to apply to the column. + enum: + - sum + - avg + - count + - min + - max + type: string + required: + - type + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + visible: + description: When `false`, hides the column from the datatable. + type: boolean + width: + description: Column width in pixels. 
+ minimum: 0 + type: number + required: + - field + - operation + title: Percentile Operation + type: object + Kibana_HTTP_APIs_datatableMetricPercentileRanks: + additionalProperties: false + properties: + alignment: + description: Alignment of the columns. + enum: + - left + - center + - right + type: string + apply_color_to: + description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' + enum: + - value + - background + - badge + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for datatable metrics. Use dynamic coloring for numeric data and categorical/gradient mode for categorical data. + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - percentile_rank + type: string + rank: + default: 0 + description: Percentile Rank + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + summary: + additionalProperties: false + description: Summary row configuration + type: object + properties: + label: + description: Summary row label. + type: string + type: + description: Type of summary function to apply to the column. + enum: + - sum + - avg + - count + - min + - max + type: string + required: + - type + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + visible: + description: When `false`, hides the column from the datatable. 
+ type: boolean + width: + description: Column width in pixels. + minimum: 0 + type: number + required: + - field + - operation + title: Percentile Ranks Operation + type: object + Kibana_HTTP_APIs_datatableMetricStatsMetric: + additionalProperties: false + properties: + alignment: + description: Alignment of the columns. + enum: + - left + - center + - right + type: string + apply_color_to: + description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' + enum: + - value + - background + - badge + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for datatable metrics. Use dynamic coloring for numeric data and categorical/gradient mode for categorical data. + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - min + - max + - average + - median + - standard_deviation + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + summary: + additionalProperties: false + description: Summary row configuration + type: object + properties: + label: + description: Summary row label. + type: string + type: + description: Type of summary function to apply to the column. 
+ enum: + - sum + - avg + - count + - min + - max + type: string + required: + - type + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + visible: + description: When `false`, hides the column from the datatable. + type: boolean + width: + description: Column width in pixels. + minimum: 0 + type: number + required: + - field + - operation + title: Stats Metric Operation + type: object + Kibana_HTTP_APIs_datatableMetricSumMetric: + additionalProperties: false + properties: + alignment: + description: Alignment of the columns. + enum: + - left + - center + - right + type: string + apply_color_to: + description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' + enum: + - value + - background + - badge + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for datatable metrics. Use dynamic coloring for numeric data and categorical/gradient mode for categorical data. + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. + type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + summary: + additionalProperties: false + description: Summary row configuration + type: object + properties: + label: + description: Summary row label. 
+ type: string + type: + description: Type of summary function to apply to the column. + enum: + - sum + - avg + - count + - min + - max + type: string + required: + - type + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + visible: + description: When `false`, hides the column from the datatable. + type: boolean + width: + description: Column width in pixels. + minimum: 0 + type: number + required: + - field + - operation + title: Sum Metric Operation + type: object + Kibana_HTTP_APIs_datatableMetricUniqueCountMetric: + additionalProperties: false + properties: + alignment: + description: Alignment of the columns. + enum: + - left + - center + - right + type: string + apply_color_to: + description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' + enum: + - value + - background + - badge + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for datatable metrics. Use dynamic coloring for numeric data and categorical/gradient mode for categorical data. + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - unique_count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + summary: + additionalProperties: false + description: Summary row configuration + type: object + properties: + label: + description: Summary row label. + type: string + type: + description: Type of summary function to apply to the column. + enum: + - sum + - avg + - count + - min + - max + type: string + required: + - type + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + visible: + description: When `false`, hides the column from the datatable. + type: boolean + width: + description: Column width in pixels. + minimum: 0 + type: number + required: + - field + - operation + title: Unique Count Metric Operation + type: object + Kibana_HTTP_APIs_datatableNoESQL: + additionalProperties: false + description: Datatable state configuration for standard queries + properties: + data_source: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' + description: + type: string + drilldowns: + items: + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. 
+ type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. + type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + hide_border: + type: boolean + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. 
+ type: boolean + metrics: + description: Array of metrics to display as columns in the datatable + items: + anyOf: + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableMetricCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableMetricUniqueCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableMetricStatsMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableMetricSumMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableMetricLastValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableMetricPercentile' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableMetricPercentileRanks' + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableMetricDifferences' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableMetricMovingAverage' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableMetricCumulativeSum' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableMetricCounterRate' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableMetricFormula' + maxItems: 1000 + minItems: 1 + type: array + query: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + rows: + description: Array of operations to split the datatable rows by + items: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableRowDateHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableRowTerms' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableRowHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableRowRanges' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableRowFilters' + maxItems: 50 + minItems: 1 + type: array + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). 
+ maximum: 1 + minimum: 0 + type: number + split_metrics_by: + description: Array of operations to split the metric columns by + items: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_dateHistogramOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_histogramOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rangesOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_filtersOperation' + description: Breakdown dimension configuration using date histogram, terms, numeric histogram, value ranges, or custom filters. + title: Breakdown Operation + maxItems: 20 + minItems: 1 + type: array + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableStyling' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + type: + enum: + - data_table + type: string + required: + - type + - data_source + - metrics + title: Datatable (DSL) + type: object + Kibana_HTTP_APIs_datatableRowDateHistogram: + additionalProperties: false + properties: + alignment: + description: Alignment of the rows. + enum: + - left + - center + - right + type: string + apply_color_to: + description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' + enum: + - value + - background + - badge + type: string + click_filter: + description: When `true`, enables one-click filtering on cell values. + type: boolean + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + drop_partial_intervals: + description: When `true`, drops partial intervals from the results. + type: boolean + field: + description: Field to be used for the date histogram. 
+ type: string + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. + type: boolean + label: + description: Label for the operation + type: string + operation: + enum: + - date_histogram + type: string + suggested_interval: + default: auto + description: Suggested time interval. + type: string + use_original_time_range: + default: false + description: When `true`, uses the original time range instead of the current query time range. + type: boolean + visible: + description: When `false`, hides the column from the datatable. + type: boolean + width: + description: Column width in pixels. + minimum: 0 + type: number + required: + - operation + - field + title: Date Histogram Operation + type: object + Kibana_HTTP_APIs_datatableRowFilters: + additionalProperties: false + properties: + alignment: + description: Alignment of the rows. + enum: + - left + - center + - right + type: string + apply_color_to: + description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' + enum: + - value + - background + - badge + type: string + click_filter: + description: When `true`, enables one-click filtering on cell values. + type: boolean + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + filters: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterWithLabel' + maxItems: 100 + type: array + label: + description: Label for the operation + type: string + operation: + enum: + - filters + type: string + visible: + description: When `false`, hides the column from the datatable. + type: boolean + width: + description: Column width in pixels. 
+ minimum: 0 + type: number + required: + - operation + - filters + title: Filters Operation + type: object + Kibana_HTTP_APIs_datatableRowHistogram: + additionalProperties: false + properties: + alignment: + description: Alignment of the rows. + enum: + - left + - center + - right + type: string + apply_color_to: + description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' + enum: + - value + - background + - badge + type: string + click_filter: + description: When `true`, enables one-click filtering on cell values. + type: boolean + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the histogram. + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + granularity: + anyOf: + - description: Granularity of the histogram. + maximum: 7 + minimum: 1 + type: number + - enum: + - auto + type: string + default: auto + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. + type: boolean + label: + description: Label for the operation + type: string + operation: + enum: + - histogram + type: string + visible: + description: When `false`, hides the column from the datatable. + type: boolean + width: + description: Column width in pixels. + minimum: 0 + type: number + required: + - operation + - field + title: Histogram Operation + type: object + Kibana_HTTP_APIs_datatableRowRanges: + additionalProperties: false + properties: + alignment: + description: Alignment of the rows. + enum: + - left + - center + - right + type: string + apply_color_to: + description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' 
+ enum: + - value + - background + - badge + type: string + click_filter: + description: When `true`, enables one-click filtering on cell values. + type: boolean + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the range. + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - range + type: string + ranges: + items: + additionalProperties: false + type: object + properties: + gt: + description: Greater than. + type: number + label: + description: Label. + type: string + lte: + description: Less than or equal to. + type: number + maxItems: 100 + type: array + visible: + description: When `false`, hides the column from the datatable. + type: boolean + width: + description: Column width in pixels. + minimum: 0 + type: number + required: + - operation + - field + - ranges + title: Ranges Operation + type: object + Kibana_HTTP_APIs_datatableRowTerms: + additionalProperties: false + properties: + alignment: + description: Alignment of the rows. + enum: + - left + - center + - right + type: string + apply_color_to: + description: 'Column color target: `value` for cell text, `background` for cell background, or `badge` for a badge overlay.' + enum: + - value + - background + - badge + type: string + click_filter: + description: When `true`, enables one-click filtering on cell values. 
+ type: boolean + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + excludes: + additionalProperties: false + type: object + properties: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to exclude. + type: string + maxItems: 100 + type: array + required: + - values + fields: + items: + description: Fields to be used for the terms. + type: string + maxItems: 4 + minItems: 1 + type: array + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + includes: + additionalProperties: false + type: object + properties: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to include. + type: string + maxItems: 100 + type: array + required: + - values + increase_accuracy: + description: When `true`, increases accuracy at the cost of performance. + type: boolean + label: + description: Label for the operation + type: string + limit: + default: 5 + description: Number of terms to return. + type: number + operation: + enum: + - terms + type: string + other_bucket: + additionalProperties: false + type: object + properties: + include_documents_without_field: + description: When `true`, includes documents that do not have the specified field. 
+ type: boolean + required: + - include_documents_without_field + rank_by: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByAlphabetical' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByRare' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankBySignificant' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomCountOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileRankOperation' + visible: + description: When `false`, hides the column from the datatable. + type: boolean + width: + description: Column width in pixels. + minimum: 0 + type: number + required: + - operation + - fields + title: Terms Operation + type: object + Kibana_HTTP_APIs_datatableStyling: + additionalProperties: false + description: Visual chart styling options + properties: + density: + $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableDensity' + paging: + description: Rows per page. When set, pagination is enabled with the specified number of rows. + enum: + - 10 + - 20 + - 30 + - 50 + - 100 + type: integer + row_numbers: + additionalProperties: false + description: Configuration for row numbers + type: object + properties: + visible: + description: When `true`, displays row numbers. + type: boolean + required: + - visible + sort_by: + anyOf: + - additionalProperties: false + description: Sort by a metric or row column + type: object + properties: + column_type: + description: Type of column to sort by. + enum: + - metric + - row + type: string + direction: + $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_direction' + index: + description: Index of the column or row to sort by (0-based). 
+ minimum: 0 + type: number + required: + - column_type + - index + - direction + - additionalProperties: false + description: Sort by a pivoted metric column (created when metrics are pivoted by split_metrics_by) + type: object + properties: + column_type: + enum: + - pivoted_metric + type: string + direction: + $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_direction' + index: + description: 0-based index into the "metrics" array for the metric to sort; use "values" to identify the pivoted column + minimum: 0 + type: number + values: + description: Array of pivot values, one for each split_metrics_by column in order + items: + type: string + maxItems: 20 + minItems: 1 + type: array + required: + - column_type + - index + - values + - direction + description: Sorting configuration. Only one column can be sorted at a time. Use "column_type" to specify the column type. + title: Datatable styling + type: object + Kibana_HTTP_APIs_dateHistogramOperation: + additionalProperties: false + properties: + drop_partial_intervals: + description: When `true`, drops partial intervals from the results. + type: boolean + field: + description: Field to be used for the date histogram. + type: string + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. + type: boolean + label: + description: Label for the operation + type: string + operation: + enum: + - date_histogram + type: string + suggested_interval: + default: auto + description: Suggested time interval. + type: string + use_original_time_range: + default: false + description: When `true`, uses the original time range instead of the current query time range. 
+ type: boolean + required: + - operation + - field + title: Date Histogram Operation + type: object + Kibana_HTTP_APIs_delete_agent_policy_request: + additionalProperties: false + properties: + agentPolicyId: + description: The ID of the agent policy + type: string + force: + description: bypass validation checks that can prevent agent policy deletion + type: boolean + required: + - agentPolicyId + title: delete_agent_policy_request + type: object + Kibana_HTTP_APIs_delete_agent_policy_response: + additionalProperties: false + properties: + id: + type: string + name: + type: string + required: + - id + - name + title: delete_agent_policy_response + type: object + Kibana_HTTP_APIs_delete_enrollment_api_key_response: + additionalProperties: false + properties: + action: + enum: + - deleted + type: string + required: + - action + title: delete_enrollment_api_key_response + type: object + Kibana_HTTP_APIs_delete_one_package_policy_response: + additionalProperties: false + properties: + id: + type: string + required: + - id + title: delete_one_package_policy_response + type: object + Kibana_HTTP_APIs_delete_package_datastream_assets_response: + additionalProperties: false + properties: + success: + type: boolean + required: + - success + title: delete_package_datastream_assets_response + type: object + Kibana_HTTP_APIs_delete_package_policies_request: + additionalProperties: false + properties: + force: + type: boolean + packagePolicyIds: + items: + type: string + maxItems: 1000 + type: array + required: + - packagePolicyIds + title: delete_package_policies_request + type: object + Kibana_HTTP_APIs_delete_package_response: + additionalProperties: false + properties: + items: + items: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kibana_asset_reference' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_es_asset_reference' + maxItems: 10000 + type: array + required: + - items + title: delete_package_response + type: object + Kibana_HTTP_APIs_deprecation_info: 
+ additionalProperties: false + properties: + description: + type: string + replaced_by: + additionalProperties: + type: string + type: object + since: + type: string + required: + - description + title: deprecation_info + type: object + Kibana_HTTP_APIs_differencesOperation: + additionalProperties: false + properties: + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - differences + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - operation + - of + title: Differences Operation + type: object + Kibana_HTTP_APIs_dry_run_package_policies_request: + additionalProperties: false + properties: + packagePolicyIds: + items: + type: string + maxItems: 1000 + type: array + packageVersion: + type: string + required: + - packagePolicyIds + title: dry_run_package_policies_request + type: object + Kibana_HTTP_APIs_dry_run_package_policy: + additionalProperties: true + properties: + additional_datastreams_permissions: + description: Additional data stream permissions that will be added to the agent policy. + items: + type: string + maxItems: 1000 + nullable: true + type: array + cloud_connector_id: + description: ID of the cloud connector associated with this package policy. + nullable: true + type: string + cloud_connector_name: + description: Transient field for cloud connector name during creation. 
+ maxLength: 255 + minLength: 1 + nullable: true + type: string + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this integration to its inputs.' + type: string + created_at: + type: string + created_by: + type: string + description: + description: Package policy description + type: string + elasticsearch: + additionalProperties: true + type: object + properties: + privileges: + additionalProperties: true + type: object + properties: + cluster: + items: + type: string + maxItems: 100 + type: array + enabled: + type: boolean + errors: + items: + additionalProperties: false + type: object + properties: + key: + type: string + message: + type: string + required: + - message + maxItems: 10 + type: array + force: + type: boolean + global_data_tags: + items: + additionalProperties: false + type: object + properties: + name: + description: The name of the custom field. Cannot contain spaces. + type: string + value: + anyOf: + - type: string + - type: number + description: The value of the custom field. + required: + - name + - value + maxItems: 100 + nullable: true + type: array + id: + type: string + inputs: + items: + additionalProperties: false + type: object + properties: + compiled_input: + nullable: true + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' 
+ type: string + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + name: + type: string + policy_template: + type: string + streams: + items: + additionalProperties: false + type: object + properties: + compiled_stream: + nullable: true + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' + type: string + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + data_stream: + additionalProperties: false + type: object + properties: + dataset: + type: string + elasticsearch: + additionalProperties: false + type: object + properties: + dynamic_dataset: + type: boolean + dynamic_namespace: + type: boolean + privileges: + additionalProperties: false + type: object + properties: + indices: + items: + type: string + maxItems: 100 + type: array + type: + type: string + required: + - dataset + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + release: + enum: + - ga + - beta + - experimental + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. 
+ type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - enabled + - data_stream + - compiled_stream + maxItems: 1000 + type: array + type: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - type + - enabled + - streams + - compiled_input + maxItems: 100 + type: array + is_managed: + type: boolean + missingVars: + items: + type: string + maxItems: 100 + type: array + name: + description: Unique name for the package policy. + type: string + namespace: + description: The package policy namespace. Leave blank to inherit the agent policy's namespace. + type: string + output_id: + nullable: true + type: string + overrides: + additionalProperties: false + description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. + nullable: true + type: object + properties: + inputs: + additionalProperties: + nullable: true + type: object + package: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_package' + package_agent_version_condition: + type: string + policy_id: + deprecated: true + description: ID of the agent policy which the package policy will be added to. 
+ nullable: true + type: string + policy_ids: + items: + description: IDs of the agent policies that the package policy will be added to. + type: string + maxItems: 1000 + type: array + revision: + type: number + secret_references: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 1000 + type: array + supports_agentless: + default: false + description: Indicates whether the package policy belongs to an agentless agent policy. + nullable: true + type: boolean + supports_cloud_connector: + default: false + description: Indicates whether the package policy supports cloud connectors. + nullable: true + type: boolean + updated_at: + type: string + updated_by: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + version: + description: Package policy ES version. + type: string + required: + - name + - enabled + - inputs + title: dry_run_package_policy + type: object + Kibana_HTTP_APIs_durationFormat: + additionalProperties: false + description: Duration format between time units. + properties: + from: + description: Source time unit for conversion, for example `milliseconds`, `seconds`, `minutes`, `hours`, or `days`. + type: string + suffix: + description: Suffix appended to the formatted value. + type: string + to: + description: Display time unit after conversion, for example `seconds`, `minutes`, `hours`, or `days`. 
+ type: string + type: + enum: + - duration + type: string + required: + - type + - from + - to + title: Duration Format + type: object + Kibana_HTTP_APIs_enrollment_api_key: + additionalProperties: false + properties: + active: + description: When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents. + type: boolean + api_key: + description: The enrollment API key (token) used for enrolling Elastic Agents. + type: string + api_key_id: + description: The ID of the API key in the Security API. + type: string + created_at: + type: string + hidden: + type: boolean + id: + type: string + name: + description: The name of the enrollment API key. + type: string + policy_id: + description: The ID of the agent policy the Elastic Agent will be enrolled in. + type: string + required: + - id + - api_key_id + - api_key + - active + - created_at + title: enrollment_api_key + type: object + Kibana_HTTP_APIs_enrollment_api_key_response: + additionalProperties: false + properties: + action: + enum: + - created + type: string + item: + $ref: '#/components/schemas/Kibana_HTTP_APIs_enrollment_api_key' + required: + - item + - action + title: enrollment_api_key_response + type: object + Kibana_HTTP_APIs_es_asset_reference: + additionalProperties: false + properties: + deferred: + type: boolean + id: + type: string + type: + enum: + - index + - index_template + - component_template + - ingest_pipeline + - ilm_policy + - data_stream_ilm_policy + - transform + - ml_model + - knowledge_base + - esql_view + type: string + version: + type: string + required: + - id + - type + title: es_asset_reference + type: object + Kibana_HTTP_APIs_es-query-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of 
consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want the rule to run on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how frequently rule actions are triggered. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' 
+ enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the ES query rule. These parameters are appropriate when `rule_type_id` is `.es-query`. + properties: + aggField: + description: The name of the numeric field that is used in the aggregation. This property is required when `aggType` is `avg`, `max`, `min` or `sum`. + minLength: 1 + type: string + aggType: + default: count + description: The type of aggregation to perform. + type: string + esqlQuery: + anyOf: + - items: {} + type: array + - type: boolean + - type: number + - type: object + - type: string + description: The query definition in Elasticsearch Query Language. + nullable: true + oneOf: + - additionalProperties: false + type: object + properties: + esql: + minLength: 1 + type: string + required: + - esql + - not: {} + esQuery: + anyOf: + - items: {} + type: array + - type: boolean + - type: number + - type: object + - type: string + nullable: true + oneOf: + - minLength: 1 + type: string + - not: {} + excludeHitsFromPreviousRun: + default: true + description: Indicates whether to exclude matches from previous runs. If `true`, you can avoid alert duplication by excluding documents that have already been detected by the previous rule run. This option is not available when a grouping field is specified. + type: boolean + groupBy: + default: all + description: Indicates whether the aggregation is applied over all documents (`all`), grouped by row (`row`), or split into groups (`top`) using a grouping field (`termField`) where only the top groups (up to `termSize` number of groups) are checked. If grouping is used, an alert will be created for each group when it exceeds the threshold. + type: string + index: + anyOf: + - items: {} + type: array + - type: boolean + - type: number + - type: object + - type: string + description: The indices to query. 
+ nullable: true + oneOf: + - items: + minLength: 1 + type: string + minItems: 1 + type: array + - not: {} + searchConfiguration: + anyOf: + - items: {} + type: array + - type: boolean + - type: number + - type: object + - type: string + description: The query definition, which uses KQL or Lucene to fetch the documents from Elasticsearch. + nullable: true + oneOf: + - additionalProperties: true + type: object + properties: {} + - not: {} + searchType: + default: esQuery + description: 'The type of query For example: `esQuery` for Elasticsearch Query DSL or `esqlQuery` for Elasticsearch Query Language (ES|QL).' + enum: + - searchSource + - esQuery + - esqlQuery + type: string + size: + description: The number of documents to pass to the configured actions when the threshold condition is met. + maximum: 10000 + minimum: 0 + type: number + sourceFields: + description: The sourceFields param is ignored. + items: + additionalProperties: false + type: object + properties: + label: + type: string + searchPath: + type: string + required: + - label + - searchPath + maxItems: 5 + type: array + termField: + anyOf: + - minLength: 1 + type: string + - items: + type: string + maxItems: 4 + minItems: 2 + type: array + description: The names of up to four fields that are used for grouping the aggregation. This property is required when `groupBy` is `top`. + termSize: + description: This property is required when `groupBy` is `top`. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields. + minimum: 1 + type: number + threshold: + items: + description: The threshold value that is used with the `thresholdComparator`. If the `thresholdComparator` is `between` or `notBetween`, you must specify the boundary values. + type: number + maxItems: 2 + minItems: 1 + type: array + thresholdComparator: + description: 'The comparison function for the threshold. 
For example: greater than, less than, greater than or equal to, between, or not between.' + enum: + - '>' + - < + - '>=' + - <= + - between + - notBetween + type: string + timeField: + anyOf: + - items: {} + type: array + - type: boolean + - type: number + - type: object + - type: string + description: The field that is used to calculate the time window. + nullable: true + oneOf: + - minLength: 1 + type: string + - minLength: 1 + type: string + timeWindowSize: + description: The size of the time window (in `timeWindowUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection. + minimum: 1 + type: number + timeWindowUnit: + description: 'The type of units for the time window. For example: seconds, minutes, hours, or days.' + type: string + required: + - size + - timeWindowSize + - timeWindowUnit + - threshold + - thresholdComparator + - timeField + - searchConfiguration + - esQuery + - index + - esqlQuery + title: ES Query Rule Params + type: object + rule_type_id: + enum: + - .es-query + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how frequently rule actions are triggered. You cannot specify the throttle interval at both the rule and action level. If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. 
+ nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: ES query + type: object + Kibana_HTTP_APIs_esqlDataSource: + additionalProperties: false + description: Uses an ES|QL query as the data source. The query is executed at render time; resulting columns are available as fields. + properties: + query: + description: 'An ES|QL query that drives the data source. The query must produce a tabular result set; column names are used as field references. Example: "FROM logs-* | STATS count = COUNT(*) BY host.name".' + type: string + type: + enum: + - esql + type: string + required: + - type + - query + title: ES|QL Data Source + type: object + Kibana_HTTP_APIs_FailureStore: + anyOf: + - additionalProperties: false + type: object + properties: + inherit: + additionalProperties: false + type: object + properties: {} + required: + - inherit + - additionalProperties: false + type: object + properties: + disabled: + additionalProperties: false + type: object + properties: {} + required: + - disabled + - additionalProperties: false + type: object + properties: + lifecycle: + additionalProperties: false + type: object + properties: + enabled: + additionalProperties: false + type: object + properties: + data_retention: + description: A non-empty string. 
+ minLength: 1 + type: string + required: + - enabled + required: + - lifecycle + - additionalProperties: false + type: object + properties: + lifecycle: + additionalProperties: false + type: object + properties: + disabled: + additionalProperties: false + type: object + properties: {} + required: + - disabled + required: + - lifecycle + Kibana_HTTP_APIs_FieldDefinition: + additionalProperties: + $ref: '#/components/schemas/Kibana_HTTP_APIs_FieldDefinitionConfig' + type: object + Kibana_HTTP_APIs_FieldDefinitionConfig: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_RecursiveRecord' + - anyOf: + - additionalProperties: false + type: object + properties: + description: + type: string + format: + description: A non-empty string. + minLength: 1 + type: string + type: + enum: + - keyword + - match_only_text + - long + - double + - date + - boolean + - ip + - geo_point + - integer + - short + - byte + - float + - half_float + - text + - wildcard + - version + - unsigned_long + - date_nanos + type: string + required: + - type + - additionalProperties: false + type: object + properties: + description: + type: string + format: + not: {} + type: + not: {} + required: + - description + - additionalProperties: false + type: object + properties: + description: + type: string + type: + enum: + - system + type: string + required: + - type + Kibana_HTTP_APIs_fieldMetricOperations: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_countMetricOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_uniqueCountMetricOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_minMaxAvgMedianStdDevMetricOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_sumMetricOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_lastValueOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_percentileOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_percentileRanksOperation' + title: Field Metric Operations + Kibana_HTTP_APIs_FilterCondition: + 
anyOf: + - additionalProperties: false + description: A condition that compares a field to a value or range using an operator as the key. + type: object + properties: + contains: + anyOf: + - type: string + - type: number + - type: boolean + description: Contains comparison value. + endsWith: + anyOf: + - type: string + - type: number + - type: boolean + description: Ends-with comparison value. + eq: + anyOf: + - type: string + - type: number + - type: boolean + description: Equality comparison value. + field: + description: The document field to filter on. + minLength: 1 + type: string + gt: + anyOf: + - type: string + - type: number + - type: boolean + description: Greater-than comparison value. + gte: + anyOf: + - type: string + - type: number + - type: boolean + description: Greater-than-or-equal comparison value. + includes: + anyOf: + - type: string + - type: number + - type: boolean + description: Checks if multivalue field includes the value. + lt: + anyOf: + - type: string + - type: number + - type: boolean + description: Less-than comparison value. + lte: + anyOf: + - type: string + - type: number + - type: boolean + description: Less-than-or-equal comparison value. + neq: + anyOf: + - type: string + - type: number + - type: boolean + description: Inequality comparison value. + range: + additionalProperties: false + description: Range comparison values. + type: object + properties: + gt: + anyOf: + - type: string + - type: number + - type: boolean + description: A value that can be a string, number, or boolean. + gte: + anyOf: + - type: string + - type: number + - type: boolean + description: A value that can be a string, number, or boolean. + lt: + anyOf: + - type: string + - type: number + - type: boolean + description: A value that can be a string, number, or boolean. + lte: + anyOf: + - type: string + - type: number + - type: boolean + description: A value that can be a string, number, or boolean. 
+ startsWith: + anyOf: + - type: string + - type: number + - type: boolean + description: Starts-with comparison value. + required: + - field + - additionalProperties: false + description: A condition that checks for the existence or non-existence of a field. + type: object + properties: + exists: + description: Indicates whether the field exists or not. + type: boolean + field: + description: The document field to check. + minLength: 1 + type: string + required: + - field + description: A basic filter condition, either unary or binary. + Kibana_HTTP_APIs_filterSimple: + additionalProperties: false + description: A KQL or Lucene query that filters panel data. Applied on top of any dashboard-level filters. + properties: + expression: + description: A query expression in KQL or Lucene syntax + type: string + language: + default: kql + description: 'Query language: `kql` (Kibana Query Language) or `lucene`. Defaults to `kql`.' + enum: + - kql + - lucene + type: string + required: + - expression + title: Filter + type: object + Kibana_HTTP_APIs_filtersOperation: + additionalProperties: false + properties: + filters: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterWithLabel' + maxItems: 100 + type: array + label: + description: Label for the operation + type: string + operation: + enum: + - filters + type: string + required: + - operation + - filters + title: Filters Operation + type: object + Kibana_HTTP_APIs_filterWithLabel: + additionalProperties: false + description: A KQL or Lucene filter with an optional display label. 
+ properties: + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + label: + description: Label for the filter + type: string + required: + - filter + title: Filter with Label + type: object + Kibana_HTTP_APIs_find_backfill_response: + additionalProperties: false + properties: + data: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_backfill_response' + type: array + page: + type: number + per_page: + type: number + total: + type: number + required: + - page + - per_page + - total + - data + title: find_backfill_response + type: object + Kibana_HTTP_APIs_find_maintenance_windows_response: + additionalProperties: false + properties: + maintenanceWindows: + description: The list of maintenance windows. + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_maintenance_window_response' + type: array + page: + description: The current page number. + type: number + per_page: + description: The number of maintenance windows returned per page. + type: number + total: + description: The total number of maintenance windows that match the query. + type: number + required: + - page + - per_page + - total + - maintenanceWindows + title: find_maintenance_windows_response + type: object + Kibana_HTTP_APIs_formatType: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_numericFormat' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_byteFormat' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_durationFormat' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_customFormat' + description: Number display format for the dimension value. 
+ title: Format Type + Kibana_HTTP_APIs_formulaOperation: + additionalProperties: false + properties: + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + formula: + description: Formula + type: string + label: + description: Label for the operation + type: string + operation: + enum: + - formula + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + description: Time scale + enum: + - s + - m + - h + - d + type: string + required: + - operation + - formula + title: Formula Operation + type: object + Kibana_HTTP_APIs_full_agent_policy: + additionalProperties: false + properties: + agent: + additionalProperties: false + type: object + properties: + download: + additionalProperties: false + type: object + properties: + auth: + additionalProperties: false + type: object + properties: + api_key: + type: string + headers: + items: + additionalProperties: false + type: object + properties: + key: + type: string + value: + type: string + required: + - key + - value + maxItems: 100 + type: array + password: + type: string + username: + type: string + proxy_headers: + additionalProperties: + anyOf: + - type: string + - type: boolean + - type: number + nullable: true + type: object + proxy_url: + type: string + secrets: + additionalProperties: true + type: object + properties: + ssl: + additionalProperties: true + type: object + properties: + key: + additionalProperties: true + type: object + properties: + id: + type: string + required: + - key + sourceURI: + type: string + ssl: + additionalProperties: false + type: object + properties: + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + key: + type: string + renegotiation: + type: string + verification_mode: + type: string + target_directory: + type: string + timeout: + type: string + 
required: + - sourceURI + features: + additionalProperties: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + required: + - enabled + type: object + internal: + nullable: true + limits: + additionalProperties: false + type: object + properties: + go_max_procs: + type: number + logging: + additionalProperties: false + type: object + properties: + files: + additionalProperties: false + type: object + properties: + interval: + type: string + keepfiles: + type: number + rotateeverybytes: + type: number + level: + type: string + metrics: + additionalProperties: false + type: object + properties: + period: + type: string + to_files: + type: boolean + monitoring: + additionalProperties: false + type: object + properties: + _runtime_experimental: + type: string + apm: + nullable: true + diagnostics: + additionalProperties: false + type: object + properties: + limit: + additionalProperties: false + type: object + properties: + burst: + type: number + interval: + type: string + uploader: + additionalProperties: false + type: object + properties: + init_dur: + type: string + max_dur: + type: string + max_retries: + type: number + enabled: + type: boolean + http: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + host: + type: string + port: + type: number + logs: + type: boolean + metrics: + type: boolean + namespace: + type: string + pprof: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + required: + - enabled + traces: + type: boolean + use_output: + type: string + required: + - enabled + - metrics + - logs + - traces + - apm + protection: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + signing_key: + type: string + uninstall_token_hash: + type: string + required: + - enabled + - uninstall_token_hash + - signing_key + required: + - monitoring + - download + - features + - internal + connectors: + additionalProperties: + 
nullable: true + type: object + exporters: + additionalProperties: + nullable: true + type: object + extensions: + additionalProperties: + nullable: true + type: object + fleet: + anyOf: + - additionalProperties: false + type: object + properties: + hosts: + items: + type: string + maxItems: 100 + type: array + proxy_headers: + additionalProperties: + anyOf: + - type: string + - type: boolean + - type: number + nullable: true + type: object + proxy_url: + type: string + secrets: + additionalProperties: true + type: object + properties: + ssl: + additionalProperties: true + type: object + properties: + key: + additionalProperties: true + type: object + properties: + id: + type: string + required: + - key + ssl: + additionalProperties: false + type: object + properties: + certificate: + type: string + certificate_authorities: + items: + type: string + maxItems: 10 + type: array + key: + type: string + renegotiation: + type: string + verification_mode: + type: string + required: + - hosts + - additionalProperties: false + type: object + properties: + kibana: + additionalProperties: false + type: object + properties: + hosts: + items: + type: string + maxItems: 100 + type: array + path: + type: string + protocol: + type: string + required: + - hosts + - protocol + required: + - kibana + id: + type: string + inputs: + items: + additionalProperties: true + type: object + properties: + data_stream: + additionalProperties: true + type: object + properties: + namespace: + type: string + required: + - namespace + id: + type: string + meta: + additionalProperties: true + type: object + properties: + package: + additionalProperties: true + type: object + properties: + name: + type: string + version: + type: string + required: + - name + - version + name: + type: string + package_policy_id: + type: string + processors: + items: + additionalProperties: true + type: object + properties: + add_fields: + additionalProperties: true + type: object + properties: + fields: + 
additionalProperties: + anyOf: + - type: string + - type: number + type: object + target: + type: string + required: + - target + - fields + required: + - add_fields + maxItems: 10000 + type: array + revision: + type: number + streams: + items: + additionalProperties: true + type: object + properties: + data_stream: + additionalProperties: true + type: object + properties: + dataset: + type: string + type: + type: string + required: + - dataset + id: + type: string + required: + - id + - data_stream + maxItems: 10000 + type: array + type: + type: string + use_output: + type: string + required: + - id + - name + - revision + - type + - data_stream + - use_output + - package_policy_id + maxItems: 10000 + type: array + namespaces: + items: + type: string + maxItems: 100 + type: array + output_permissions: + additionalProperties: + additionalProperties: + nullable: true + type: object + type: object + outputs: + additionalProperties: + additionalProperties: true + type: object + properties: + ca_sha256: + nullable: true + type: string + hosts: + items: + type: string + maxItems: 100 + type: array + proxy_headers: + additionalProperties: + anyOf: + - type: string + - type: boolean + - type: number + nullable: true + type: object + proxy_url: + type: string + type: + type: string + required: + - type + type: object + processors: + additionalProperties: + nullable: true + type: object + receivers: + additionalProperties: + nullable: true + type: object + revision: + type: number + secret_references: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10000 + type: array + service: + additionalProperties: false + type: object + properties: + extensions: + items: + type: string + maxItems: 1000 + type: array + pipelines: + additionalProperties: + additionalProperties: false + type: object + properties: + exporters: + items: + type: string + maxItems: 1000 + type: array + processors: + items: + type: string 
+ maxItems: 1000 + type: array + receivers: + items: + type: string + maxItems: 1000 + type: array + type: object + signed: + additionalProperties: false + type: object + properties: + data: + type: string + signature: + type: string + required: + - data + - signature + required: + - id + - outputs + - inputs + title: full_agent_policy + type: object + Kibana_HTTP_APIs_gaugeESQL: + additionalProperties: false + description: Gauge configuration using an ES|QL query. + properties: + data_source: + $ref: '#/components/schemas/Kibana_HTTP_APIs_esqlDataSource' + description: + type: string + drilldowns: + items: + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. 
+ type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + hide_border: + type: boolean + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. + type: boolean + metric: + additionalProperties: false + type: object + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the gauge fill. 
+ column: + description: Column to use + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + goal: + additionalProperties: false + type: object + properties: + column: + description: Column to use + type: string + label: + description: Label for the operation + type: string + required: + - column + label: + description: Label for the operation + type: string + max: + additionalProperties: false + type: object + properties: + column: + description: Column to use + type: string + label: + description: Label for the operation + type: string + required: + - column + min: + additionalProperties: false + type: object + properties: + column: + description: Column to use + type: string + label: + description: Label for the operation + type: string + required: + - column + subtitle: + description: Subtitle below the gauge value. + type: string + ticks: + additionalProperties: false + description: Ticks configuration + type: object + properties: + mode: + description: Tick placement mode. + enum: + - auto + - bands + type: string + visible: + description: When `true`, displays tick marks on the gauge. + type: boolean + title: + additionalProperties: false + description: Title configuration + type: object + properties: + text: + description: Title text. + type: string + visible: + description: When `true`, displays the title. + type: boolean + required: + - column + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). 
+ maximum: 1 + minimum: 0 + type: number + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeStyling' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + type: + enum: + - gauge + type: string + required: + - type + - data_source + - metric + title: Gauge Chart (ES|QL) + type: object + Kibana_HTTP_APIs_gaugeMetricCountMetric: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the gauge fill. + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. + type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + goal: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + label: + description: Label for the operation + type: string + max: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. 
+ title: Field Metric, Static Value, or Formula Operation + min: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + operation: + enum: + - count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the gauge value. + type: string + ticks: + additionalProperties: false + description: Ticks configuration + type: object + properties: + mode: + description: Tick placement mode. + enum: + - auto + - bands + type: string + visible: + description: When `true`, displays tick marks on the gauge. + type: boolean + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + title: + additionalProperties: false + description: Title configuration + type: object + properties: + text: + description: Title text. + type: string + visible: + description: When `true`, displays the title. + type: boolean + required: + - operation + title: Count Metric Operation + type: object + Kibana_HTTP_APIs_gaugeMetricFormula: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the gauge fill. 
+ filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + formula: + description: Formula + type: string + goal: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + label: + description: Label for the operation + type: string + max: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + min: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + operation: + enum: + - formula + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the gauge value. + type: string + ticks: + additionalProperties: false + description: Ticks configuration + type: object + properties: + mode: + description: Tick placement mode. + enum: + - auto + - bands + type: string + visible: + description: When `true`, displays tick marks on the gauge. 
+ type: boolean + time_scale: + description: Time scale + enum: + - s + - m + - h + - d + type: string + title: + additionalProperties: false + description: Title configuration + type: object + properties: + text: + description: Title text. + type: string + visible: + description: When `true`, displays the title. + type: boolean + required: + - operation + - formula + title: Formula Operation + type: object + Kibana_HTTP_APIs_gaugeMetricLastValue: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the gauge fill. + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + goal: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + label: + description: Label for the operation + type: string + max: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. 
+ title: Field Metric, Static Value, or Formula Operation + min: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + multi_value: + default: false + description: Whether to return all values for multi-value fields. Only affects data table and metric charts; other charts use the last value from the array. + type: boolean + operation: + enum: + - last_value + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the gauge value. + type: string + ticks: + additionalProperties: false + description: Ticks configuration + type: object + properties: + mode: + description: Tick placement mode. + enum: + - auto + - bands + type: string + visible: + description: When `true`, displays tick marks on the gauge. + type: boolean + time_field: + description: Time field used to determine document recency + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + title: + additionalProperties: false + description: Title configuration + type: object + properties: + text: + description: Title text. + type: string + visible: + description: When `true`, displays the title. 
+ type: boolean + required: + - field + - operation + - time_field + title: Last Value Operation + type: object + Kibana_HTTP_APIs_gaugeMetricPercentile: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the gauge fill. + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + goal: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + label: + description: Label for the operation + type: string + max: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + min: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. 
+ title: Field Metric, Static Value, or Formula Operation + operation: + enum: + - percentile + type: string + percentile: + default: 95 + description: Percentile + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the gauge value. + type: string + ticks: + additionalProperties: false + description: Ticks configuration + type: object + properties: + mode: + description: Tick placement mode. + enum: + - auto + - bands + type: string + visible: + description: When `true`, displays tick marks on the gauge. + type: boolean + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + title: + additionalProperties: false + description: Title configuration + type: object + properties: + text: + description: Title text. + type: string + visible: + description: When `true`, displays the title. + type: boolean + required: + - field + - operation + title: Percentile Operation + type: object + Kibana_HTTP_APIs_gaugeMetricPercentileRanks: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the gauge fill. 
+ field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + goal: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + label: + description: Label for the operation + type: string + max: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + min: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + operation: + enum: + - percentile_rank + type: string + rank: + default: 0 + description: Percentile Rank + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the gauge value. + type: string + ticks: + additionalProperties: false + description: Ticks configuration + type: object + properties: + mode: + description: Tick placement mode. 
+ enum: + - auto + - bands + type: string + visible: + description: When `true`, displays tick marks on the gauge. + type: boolean + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + title: + additionalProperties: false + description: Title configuration + type: object + properties: + text: + description: Title text. + type: string + visible: + description: When `true`, displays the title. + type: boolean + required: + - field + - operation + title: Percentile Ranks Operation + type: object + Kibana_HTTP_APIs_gaugeMetricStatsMetric: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the gauge fill. + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + goal: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + label: + description: Label for the operation + type: string + max: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. 
+ title: Field Metric, Static Value, or Formula Operation + min: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + operation: + enum: + - min + - max + - average + - median + - standard_deviation + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the gauge value. + type: string + ticks: + additionalProperties: false + description: Ticks configuration + type: object + properties: + mode: + description: Tick placement mode. + enum: + - auto + - bands + type: string + visible: + description: When `true`, displays tick marks on the gauge. + type: boolean + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + title: + additionalProperties: false + description: Title configuration + type: object + properties: + text: + description: Title text. + type: string + visible: + description: When `true`, displays the title. + type: boolean + required: + - field + - operation + title: Stats Metric Operation + type: object + Kibana_HTTP_APIs_gaugeMetricSumMetric: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the gauge fill. + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + goal: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + label: + description: Label for the operation + type: string + max: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + min: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + operation: + enum: + - sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the gauge value. + type: string + ticks: + additionalProperties: false + description: Ticks configuration + type: object + properties: + mode: + description: Tick placement mode. + enum: + - auto + - bands + type: string + visible: + description: When `true`, displays tick marks on the gauge. 
+ type: boolean + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + title: + additionalProperties: false + description: Title configuration + type: object + properties: + text: + description: Title text. + type: string + visible: + description: When `true`, displays the title. + type: boolean + required: + - field + - operation + title: Sum Metric Operation + type: object + Kibana_HTTP_APIs_gaugeMetricUniqueCountMetric: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the gauge fill. + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. + type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + goal: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + label: + description: Label for the operation + type: string + max: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. 
+ title: Field Metric, Static Value, or Formula Operation + min: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation, a static value, or a mathematical formula. + title: Field Metric, Static Value, or Formula Operation + operation: + enum: + - unique_count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the gauge value. + type: string + ticks: + additionalProperties: false + description: Ticks configuration + type: object + properties: + mode: + description: Tick placement mode. + enum: + - auto + - bands + type: string + visible: + description: When `true`, displays tick marks on the gauge. + type: boolean + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + title: + additionalProperties: false + description: Title configuration + type: object + properties: + text: + description: Title text. + type: string + visible: + description: When `true`, displays the title. + type: boolean + required: + - field + - operation + title: Unique Count Metric Operation + type: object + Kibana_HTTP_APIs_gaugeNoESQL: + additionalProperties: false + description: Gauge configuration using a data view. 
+ properties: + data_source: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' + description: + type: string + drilldowns: + items: + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. + type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. 
Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + hide_border: + type: boolean + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. + type: boolean + metric: + anyOf: + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeMetricCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeMetricUniqueCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeMetricStatsMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeMetricSumMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeMetricLastValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeMetricPercentile' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeMetricPercentileRanks' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeMetricFormula' + query: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). + maximum: 1 + minimum: 0 + type: number + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeStyling' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + type: + enum: + - gauge + type: string + required: + - type + - data_source + - metric + title: Gauge Chart (DSL) + type: object + Kibana_HTTP_APIs_gaugeShapeBullet: + additionalProperties: false + description: Bullet gauge shape. 
+ properties: + orientation: + $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_simple_orientation' + type: + enum: + - bullet + type: string + required: + - type + title: Shape (Bullet) + type: object + Kibana_HTTP_APIs_gaugeShapeCircular: + additionalProperties: false + description: Circular gauge shape. + properties: + type: + enum: + - circle + - semi_circle + - arc + type: string + required: + - type + title: Shape (Circular) + type: object + Kibana_HTTP_APIs_gaugeStyling: + additionalProperties: false + description: Visual chart styling options + properties: + shape: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeShapeBullet' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeShapeCircular' + title: Gauge styling + type: object + Kibana_HTTP_APIs_geo-containment-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' 
+ type: string + enabled: + default: true + description: Indicates whether you want the rule to run on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how frequently rule actions are triggered. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the geo containment rule. These parameters are appropriate when `rule_type_id` is `.geo-containment`. 
+ properties: + boundaryGeoField: + minLength: 1 + type: string + boundaryIndexId: + minLength: 1 + type: string + boundaryIndexQuery: + nullable: true + boundaryIndexTitle: + minLength: 1 + type: string + boundaryNameField: + minLength: 1 + type: string + boundaryType: + minLength: 1 + type: string + dateField: + minLength: 1 + type: string + entity: + minLength: 1 + type: string + geoField: + minLength: 1 + type: string + index: + minLength: 1 + type: string + indexId: + minLength: 1 + type: string + indexQuery: + nullable: true + required: + - index + - indexId + - geoField + - entity + - dateField + - boundaryType + - boundaryIndexTitle + - boundaryIndexId + - boundaryGeoField + - indexQuery + - boundaryIndexQuery + title: Geo Containment Rule Params + type: object + rule_type_id: + enum: + - .geo-containment + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how frequently rule actions are triggered. You cannot specify the throttle interval at both the rule and action level. If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. 
+ nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Geo containment + type: object + Kibana_HTTP_APIs_get_agent_policy_outputs_response: + additionalProperties: false + properties: + item: + additionalProperties: false + type: object + properties: + agentPolicyId: + type: string + data: + additionalProperties: false + type: object + properties: + integrations: + items: + additionalProperties: false + type: object + properties: + id: + type: string + integrationPolicyName: + type: string + name: + type: string + pkgName: + type: string + maxItems: 1000 + type: array + output: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + required: + - id + - name + required: + - output + monitoring: + additionalProperties: false + type: object + properties: + output: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + required: + - id + - name + required: + - output + required: + - monitoring + - data + required: + - item + title: get_agent_policy_outputs_response + type: object + Kibana_HTTP_APIs_get_agent_policy_response: + additionalProperties: false + properties: + item: + $ref: '#/components/schemas/Kibana_HTTP_APIs_agent_policy_response' + required: + - item + title: get_agent_policy_response + type: object + Kibana_HTTP_APIs_get_bulk_assets_request: + additionalProperties: false + properties: + assetIds: + items: + additionalProperties: false + type: object + properties: + id: + type: string + type: + type: string + required: + - id + - type + maxItems: 10000 + type: array + required: + - assetIds + title: get_bulk_assets_request + type: object + Kibana_HTTP_APIs_get_bulk_assets_response: + additionalProperties: false + properties: + items: + items: + additionalProperties: false + type: object + properties: + appLink: + type: string + attributes: + additionalProperties: false + type: object + 
properties: + description: + type: string + service: + type: string + title: + type: string + id: + type: string + type: + type: string + updatedAt: + type: string + required: + - id + - type + - attributes + maxItems: 10000 + type: array + required: + - items + title: get_bulk_assets_response + type: object + Kibana_HTTP_APIs_get_categories_response: + additionalProperties: false + properties: + items: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_category_summary_item' + maxItems: 10000 + type: array + required: + - items + title: get_categories_response + type: object + Kibana_HTTP_APIs_get_data_streams_response: + additionalProperties: false + properties: + items: + items: + additionalProperties: false + type: object + properties: + name: + type: string + required: + - name + maxItems: 10000 + type: array + required: + - items + title: get_data_streams_response + type: object + Kibana_HTTP_APIs_get_dependencies_response: + additionalProperties: false + properties: + items: + items: + additionalProperties: false + type: object + properties: + name: + type: string + title: + type: string + version: + type: string + required: + - name + - version + - title + maxItems: 1000 + type: array + required: + - items + title: get_dependencies_response + type: object + Kibana_HTTP_APIs_get_full_agent_policy_response: + additionalProperties: false + properties: + item: + anyOf: + - type: string + - $ref: '#/components/schemas/Kibana_HTTP_APIs_full_agent_policy' + required: + - item + title: get_full_agent_policy_response + type: object + Kibana_HTTP_APIs_get_info_response: + additionalProperties: false + properties: + item: + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_package_info' + metadata: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_metadata' + required: + - item + title: get_info_response + type: object + Kibana_HTTP_APIs_get_inputs_response: + additionalProperties: false + properties: + connectors: + additionalProperties: + nullable: true + 
type: object + exporters: + additionalProperties: + nullable: true + type: object + extensions: + additionalProperties: + nullable: true + type: object + inputs: + items: + additionalProperties: false + type: object + properties: + id: + type: string + streams: + items: + additionalProperties: true + type: object + properties: + data_stream: + additionalProperties: true + type: object + properties: + dataset: + type: string + type: + type: string + required: + - dataset + id: + type: string + required: + - id + - data_stream + maxItems: 10000 + type: array + type: + type: string + required: + - id + - type + maxItems: 10000 + type: array + processors: + additionalProperties: + nullable: true + type: object + receivers: + additionalProperties: + nullable: true + type: object + service: + additionalProperties: false + type: object + properties: + extensions: + items: + type: string + maxItems: 1000 + type: array + pipelines: + additionalProperties: + additionalProperties: false + type: object + properties: + exporters: + items: + type: string + maxItems: 1000 + type: array + processors: + items: + type: string + maxItems: 1000 + type: array + receivers: + items: + type: string + maxItems: 1000 + type: array + type: object + required: + - inputs + title: get_inputs_response + type: object + Kibana_HTTP_APIs_get_installed_packages_response: + additionalProperties: false + properties: + items: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_installed_package' + maxItems: 10000 + type: array + searchAfter: + items: + anyOf: + - type: string + - type: number + - type: boolean + - nullable: true + nullable: true + maxItems: 2 + type: array + total: + type: number + required: + - items + - total + title: get_installed_packages_response + type: object + Kibana_HTTP_APIs_get_k8s_manifest_response: + additionalProperties: false + properties: + item: + type: string + required: + - item + title: get_k8s_manifest_response + type: object + 
Kibana_HTTP_APIs_get_limited_packages_response: + additionalProperties: false + properties: + items: + items: + type: string + maxItems: 10000 + type: array + required: + - items + title: get_limited_packages_response + type: object + Kibana_HTTP_APIs_get_list_agent_policy_outputs_request: + additionalProperties: false + properties: + ids: + description: list of package policy ids + items: + type: string + maxItems: 1000 + type: array + required: + - ids + title: get_list_agent_policy_outputs_request + type: object + Kibana_HTTP_APIs_get_list_agent_policy_outputs_response: + additionalProperties: false + properties: + items: + items: + additionalProperties: false + type: object + properties: + agentPolicyId: + type: string + data: + additionalProperties: false + type: object + properties: + integrations: + items: + additionalProperties: false + type: object + properties: + id: + type: string + integrationPolicyName: + type: string + name: + type: string + pkgName: + type: string + maxItems: 1000 + type: array + output: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + required: + - id + - name + required: + - output + monitoring: + additionalProperties: false + type: object + properties: + output: + additionalProperties: false + type: object + properties: + id: + type: string + name: + type: string + required: + - id + - name + required: + - output + required: + - monitoring + - data + maxItems: 10000 + type: array + required: + - items + title: get_list_agent_policy_outputs_response + type: object + Kibana_HTTP_APIs_get_one_bulk_operation_packages_response: + additionalProperties: false + properties: + error: + additionalProperties: false + type: object + properties: + message: + type: string + required: + - message + results: + items: + additionalProperties: false + type: object + properties: + error: + additionalProperties: false + type: object + properties: + message: + type: string + required: + - message 
+ name: + type: string + success: + type: boolean + required: + - name + - success + maxItems: 10000 + type: array + status: + type: string + required: + - status + title: get_one_bulk_operation_packages_response + type: object + Kibana_HTTP_APIs_get_package_info: + additionalProperties: true + properties: + agent: + additionalProperties: false + type: object + properties: + privileges: + additionalProperties: false + type: object + properties: + root: + type: boolean + asset_tags: + items: + additionalProperties: false + type: object + properties: + asset_ids: + items: + type: string + maxItems: 1000 + type: array + asset_types: + items: + type: string + maxItems: 100 + type: array + text: + type: string + required: + - text + maxItems: 1000 + type: array + assets: + additionalProperties: + nullable: true + type: object + categories: + items: + type: string + maxItems: 100 + type: array + conditions: + additionalProperties: true + type: object + properties: + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + elastic: + additionalProperties: true + type: object + properties: + capabilities: + items: + type: string + maxItems: 10 + type: array + subscription: + type: string + kibana: + additionalProperties: true + type: object + properties: + version: + type: string + data_streams: + items: + additionalProperties: + nullable: true + type: object + maxItems: 1000 + type: array + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + description: + type: string + discovery: + additionalProperties: true + type: object + properties: + datasets: + items: + additionalProperties: true + type: object + properties: + name: + type: string + required: + - name + maxItems: 100 + type: array + fields: + items: + additionalProperties: true + type: object + properties: + name: + type: string + required: + - name + maxItems: 100 + type: array + download: + type: string + elasticsearch: + additionalProperties: + nullable: true + 
type: object + format_version: + type: string + icons: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_icon' + maxItems: 100 + type: array + installationInfo: + $ref: '#/components/schemas/Kibana_HTTP_APIs_installation_info' + internal: + type: boolean + keepPoliciesUpToDate: + type: boolean + latestVersion: + type: string + license: + type: string + licensePath: + type: string + name: + type: string + notice: + type: string + owner: + additionalProperties: true + type: object + properties: + github: + type: string + type: + enum: + - elastic + - partner + - community + type: string + path: + type: string + policy_templates: + items: + additionalProperties: + nullable: true + type: object + maxItems: 1000 + type: array + readme: + type: string + release: + enum: + - ga + - beta + - experimental + type: string + screenshots: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_icon' + maxItems: 100 + type: array + signature_path: + type: string + source: + additionalProperties: true + type: object + properties: + license: + type: string + required: + - license + status: + type: string + title: + type: string + type: + anyOf: + - enum: + - integration + type: string + - enum: + - input + type: string + - enum: + - content + type: string + - type: string + var_groups: + items: + additionalProperties: true + type: object + properties: + description: + type: string + name: + type: string + options: + items: + additionalProperties: true + type: object + properties: + description: + type: string + hide_in_deployment_modes: + items: + enum: + - default + - agentless + type: string + maxItems: 2 + type: array + name: + type: string + title: + type: string + vars: + items: + type: string + maxItems: 100 + type: array + required: + - name + - title + - vars + maxItems: 100 + type: array + selector_title: + type: string + title: + type: string + required: + - name + - title + - selector_title + - options + maxItems: 100 + type: array + vars: + items: 
+ additionalProperties: + nullable: true + type: object + maxItems: 1000 + type: array + version: + type: string + required: + - name + - version + - title + - assets + title: get_package_info + type: object + Kibana_HTTP_APIs_get_packages_response: + additionalProperties: false + properties: + items: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_list_item' + maxItems: 10000 + type: array + required: + - items + title: get_packages_response + type: object + Kibana_HTTP_APIs_get_stats_response: + additionalProperties: false + properties: + response: + additionalProperties: false + type: object + properties: + agent_policy_count: + type: number + package_policy_count: + type: number + required: + - agent_policy_count + - package_policy_count + required: + - response + title: get_stats_response + type: object + Kibana_HTTP_APIs_get_verification_key_id_response: + additionalProperties: false + properties: + id: + nullable: true + type: string + required: + - id + title: get_verification_key_id_response + type: object + Kibana_HTTP_APIs_gradientColorMapping: + additionalProperties: false + description: Gradient color mapping across categorical values. + properties: + gradient: + items: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorFromPalette' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_color_code' + maxItems: 3 + type: array + mapping: + items: + additionalProperties: false + type: object + properties: + values: + items: + anyOf: + - type: string + - type: number + - $ref: '#/components/schemas/Kibana_HTTP_APIs_range_key' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_multi_field_key' + maxItems: 100 + type: array + required: + - values + maxItems: 100 + type: array + mode: + enum: + - gradient + type: string + palette: + description: 'Color palette name. Accepted values: ''default'', ''elastic_line_optimized'', ''severity'', ''eui_amsterdam'', ''kibana_v7_legacy'', ''elastic_brand_2023''. Defaults to `default`.' 
+ type: string + sort: + description: Sort direction + enum: + - asc + - desc + type: string + unassigned: + $ref: '#/components/schemas/Kibana_HTTP_APIs_unassignedColorSchema' + required: + - mode + - palette + title: Gradient Color Mapping + type: object + Kibana_HTTP_APIs_heatmapAxes: + additionalProperties: false + description: Axis configuration for X and Y axes + properties: + x: + $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapXAxis' + 'y': + $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapYAxis' + title: Axes + type: object + Kibana_HTTP_APIs_heatmapCells: + additionalProperties: false + description: Cells configuration + properties: + labels: + additionalProperties: false + type: object + properties: + visible: + description: Show cell labels + type: boolean + title: Cells + type: object + Kibana_HTTP_APIs_heatmapESQL: + additionalProperties: false + description: Heatmap configuration using an ES|QL query. + properties: + axis: + $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapAxes' + data_source: + $ref: '#/components/schemas/Kibana_HTTP_APIs_esqlDataSource' + description: + type: string + drilldowns: + items: + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. 
+ type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + hide_border: + type: boolean + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. + type: boolean + legend: + $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapLegend' + metric: + additionalProperties: false + type: object + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color scale configuration for the heatmap cells. 
+ column: + description: Column to use + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + required: + - column + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). + maximum: 1 + minimum: 0 + type: number + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapStyling' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + type: + enum: + - heatmap + type: string + x: + additionalProperties: false + type: object + properties: + column: + description: Column to use + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + required: + - column + 'y': + additionalProperties: false + type: object + properties: + column: + description: Column to use + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + required: + - column + required: + - type + - x + - data_source + - metric + title: Heatmap Chart (ES|QL) + type: object + Kibana_HTTP_APIs_heatmapLegend: + additionalProperties: false + description: Legend configuration + properties: + position: + enum: + - top + - bottom + - left + - right + type: string + size: + $ref: '#/components/schemas/Kibana_HTTP_APIs_legendSize' + truncate_after_lines: + description: Number of lines before legend items are truncated. + maximum: 10 + minimum: 1 + title: legendTruncateAfterLines + type: number + visibility: + description: Legend visibility. 
+ enum: + - visible + - hidden + type: string + title: Legend + type: object + Kibana_HTTP_APIs_heatmapMetricCounterRate: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color scale configuration for the heatmap cells. + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - counter_rate + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Counter Rate Operation + type: object + Kibana_HTTP_APIs_heatmapMetricCountMetric: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color scale configuration for the heatmap cells. + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - operation + title: Count Metric Operation + type: object + Kibana_HTTP_APIs_heatmapMetricCumulativeSum: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color scale configuration for the heatmap cells. 
+ field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - cumulative_sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Cumulative Sum Operation + type: object + Kibana_HTTP_APIs_heatmapMetricDifferences: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color scale configuration for the heatmap cells. 
+ filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - differences + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - operation + - of + title: Differences Operation + type: object + Kibana_HTTP_APIs_heatmapMetricFormula: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color scale configuration for the heatmap cells. + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + formula: + description: Formula + type: string + label: + description: Label for the operation + type: string + operation: + enum: + - formula + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + description: Time scale + enum: + - s + - m + - h + - d + type: string + required: + - operation + - formula + title: Formula Operation + type: object + Kibana_HTTP_APIs_heatmapMetricLastValue: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color scale configuration for the heatmap cells. 
+ field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + multi_value: + default: false + description: Whether to return all values for multi-value fields. Only affects data table and metric charts; other charts use the last value from the array. + type: boolean + operation: + enum: + - last_value + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_field: + description: Time field used to determine document recency + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + - time_field + title: Last Value Operation + type: object + Kibana_HTTP_APIs_heatmapMetricMovingAverage: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color scale configuration for the heatmap cells. 
+ filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - moving_average + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + window: + default: 5 + description: Window + type: number + required: + - operation + - of + title: Moving Average Operation + type: object + Kibana_HTTP_APIs_heatmapMetricPercentile: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color scale configuration for the heatmap cells. 
+ field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - percentile + type: string + percentile: + default: 95 + description: Percentile + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Percentile Operation + type: object + Kibana_HTTP_APIs_heatmapMetricPercentileRanks: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color scale configuration for the heatmap cells. 
+ field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - percentile_rank + type: string + rank: + default: 0 + description: Percentile Rank + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Percentile Ranks Operation + type: object + Kibana_HTTP_APIs_heatmapMetricStatsMetric: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color scale configuration for the heatmap cells. 
+ field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - min + - max + - average + - median + - standard_deviation + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Stats Metric Operation + type: object + Kibana_HTTP_APIs_heatmapMetricSumMetric: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color scale configuration for the heatmap cells. + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Sum Metric Operation + type: object + Kibana_HTTP_APIs_heatmapMetricUniqueCountMetric: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color scale configuration for the heatmap cells. + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. + type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - unique_count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Unique Count Metric Operation + type: object + Kibana_HTTP_APIs_heatmapNoESQL: + additionalProperties: false + description: Heatmap configuration using a data view. 
+ properties: + axis: + $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapAxes' + data_source: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' + description: + type: string + drilldowns: + items: + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. + type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. 
Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + hide_border: + type: boolean + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. + type: boolean + legend: + $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapLegend' + metric: + anyOf: + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapMetricCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapMetricUniqueCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapMetricStatsMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapMetricSumMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapMetricLastValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapMetricPercentile' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapMetricPercentileRanks' + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapMetricDifferences' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapMetricMovingAverage' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapMetricCumulativeSum' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapMetricCounterRate' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapMetricFormula' + query: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). 
+ maximum: 1 + minimum: 0 + type: number + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapStyling' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + type: + enum: + - heatmap + type: string + x: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_dateHistogramOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_histogramOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rangesOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_filtersOperation' + description: Breakdown dimension configuration using date histogram, terms, numeric histogram, value ranges, or custom filters. + title: Breakdown Operation + 'y': + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_dateHistogramOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_histogramOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rangesOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_filtersOperation' + description: Breakdown dimension configuration using date histogram, terms, numeric histogram, value ranges, or custom filters. 
+ title: Breakdown Operation + required: + - type + - x + - data_source + - metric + title: Heatmap Chart (DSL) + type: object + Kibana_HTTP_APIs_heatmapStyling: + additionalProperties: false + description: Visual chart styling options + properties: + cells: + $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapCells' + title: Heatmap styling + type: object + Kibana_HTTP_APIs_heatmapXAxis: + additionalProperties: false + description: X axis configuration + properties: + labels: + additionalProperties: false + type: object + properties: + orientation: + $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_orientation' + visible: + description: Show axis labels + type: boolean + scale: + description: X-axis scale type. Use 'temporal' for timestamp/date fields (for example, @timestamp or DATE_TRUNC results). Use 'ordinal' for categorical/text fields. Use 'linear' for numeric fields. + enum: + - ordinal + - temporal + - linear + type: string + sort: + description: Axis sort order; omit or use undefined for no sorting + enum: + - asc + - desc + type: string + title: + additionalProperties: false + type: object + properties: + text: + description: Axis title text. + type: string + visible: + description: When `true`, displays the title. + type: boolean + required: + - scale + title: X Axis + type: object + Kibana_HTTP_APIs_heatmapYAxis: + additionalProperties: false + description: Y axis configuration + properties: + labels: + additionalProperties: false + type: object + properties: + visible: + description: Show axis labels + type: boolean + sort: + description: Axis sort order; omit or use undefined for no sorting + enum: + - asc + - desc + type: string + title: + additionalProperties: false + type: object + properties: + text: + description: Axis title text. + type: string + visible: + description: When `true`, displays the title. 
+ type: boolean + title: Y Axis + type: object + Kibana_HTTP_APIs_histogramOperation: + additionalProperties: false + properties: + field: + description: Field to be used for the histogram. + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + granularity: + anyOf: + - description: Granularity of the histogram. + maximum: 7 + minimum: 1 + type: number + - enum: + - auto + type: string + default: auto + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. + type: boolean + label: + description: Label for the operation + type: string + operation: + enum: + - histogram + type: string + required: + - operation + - field + title: Histogram Operation + type: object + Kibana_HTTP_APIs_index-threshold-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' 
+ type: string + enabled: + default: true + description: Indicates whether you want the rule to run on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how frequently rule actions are triggered. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the index threshold rule. These parameters are appropriate when `rule_type_id` is `.index-threshold`. + properties: + aggField: + description: The name of the numeric field that is used in the aggregation. This property is required when `aggType` is `avg`, `max`, `min` or `sum`. + minLength: 1 + type: string + aggType: + default: count + description: The type of aggregation to perform. + type: string + filterKuery: + description: A Kibana Query Language (KQL) expression thats limits the scope of alerts. 
+ type: string + groupBy: + default: all + description: Indicates whether the aggregation is applied over all documents (`all`) or split into groups (`top`) using a grouping field (`termField`). If grouping is used, an alert will be created for each group when it exceeds the threshold; only the top groups (up to `termSize` number of groups) are checked. + type: string + index: + anyOf: + - minLength: 1 + type: string + - items: + minLength: 1 + type: string + minItems: 1 + type: array + description: The indices to query. + termField: + description: The names of up to four fields that are used for grouping the aggregation. This property is required when `groupBy` is `top`. + minLength: 1 + type: string + termSize: + description: This property is required when `groupBy` is `top`. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields. + minimum: 1 + type: number + threshold: + items: + type: number + maxItems: 2 + minItems: 1 + type: array + thresholdComparator: + description: 'The comparison function for the threshold. For example: greater than, less than, greater than or equal to, between, or not between.' + enum: + - '>' + - < + - '>=' + - <= + - between + - notBetween + type: string + timeField: + description: The field that is used to calculate the time window. + minLength: 1 + type: string + timeWindowSize: + description: The size of the time window (in `timeWindowUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection. + minimum: 1 + type: number + timeWindowUnit: + description: 'The type of units for the time window. For example: seconds, minutes, hours, or days.' 
+ type: string + required: + - index + - timeField + - timeWindowSize + - timeWindowUnit + - thresholdComparator + - threshold + title: Index Threshold Rule Params + type: object + rule_type_id: + enum: + - .index-threshold + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how frequently rule actions are triggered. You cannot specify the throttle interval at both the rule and action level. If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Index threshold + type: object + Kibana_HTTP_APIs_IngestStreamLifecycle: + anyOf: + - additionalProperties: false + type: object + properties: + dsl: + additionalProperties: false + type: object + properties: + data_retention: + description: A non-empty string. + minLength: 1 + type: string + downsample: + items: + type: object + properties: + after: + description: A non-empty string. + minLength: 1 + type: string + fixed_interval: + description: A non-empty string. + minLength: 1 + type: string + required: + - after + - fixed_interval + type: array + required: + - dsl + - additionalProperties: false + type: object + properties: + ilm: + additionalProperties: false + type: object + properties: + policy: + description: A non-empty string. 
+ minLength: 1 + type: string + required: + - policy + required: + - ilm + - additionalProperties: false + type: object + properties: + inherit: + additionalProperties: false + type: object + properties: {} + required: + - inherit + Kibana_HTTP_APIs_install_kibana_assets_request: + additionalProperties: false + properties: + force: + type: boolean + space_ids: + description: When provided, assets are installed in the specified spaces instead of the current space. + items: + type: string + maxItems: 100 + minItems: 1 + type: array + title: install_kibana_assets_request + type: object + Kibana_HTTP_APIs_install_kibana_assets_response: + additionalProperties: false + properties: + success: + type: boolean + required: + - success + title: install_kibana_assets_response + type: object + Kibana_HTTP_APIs_install_package_from_registry_request: + additionalProperties: false + properties: + force: + default: false + type: boolean + ignore_constraints: + default: false + type: boolean + title: install_package_from_registry_request + type: object + Kibana_HTTP_APIs_install_package_response: + additionalProperties: false + properties: + _meta: + additionalProperties: false + type: object + properties: + install_source: + type: string + name: + type: string + required: + - install_source + - name items: - example: d4e7abb0-b462-11ec-9a8d-698504725a43 + items: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kibana_asset_reference' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_es_asset_reference' + maxItems: 10000 + type: array + required: + - items + - _meta + title: install_package_response + type: object + Kibana_HTTP_APIs_install_rule_assets_request: + additionalProperties: false + properties: + force: + type: boolean + title: install_rule_assets_request + type: object + Kibana_HTTP_APIs_installation_info: + additionalProperties: true + properties: + additional_spaces_installed_kibana: + additionalProperties: + items: + $ref: 
'#/components/schemas/Kibana_HTTP_APIs_kibana_asset_reference' + maxItems: 100 + type: array + type: object + created_at: + type: string + experimental_data_stream_features: + items: + additionalProperties: true + type: object + properties: + data_stream: + type: string + features: + additionalProperties: true + type: object + properties: + doc_value_only_numeric: + type: boolean + doc_value_only_other: + type: boolean + synthetic_source: + type: boolean + tsdb: + type: boolean + required: + - data_stream + - features + maxItems: 100 + type: array + install_format_schema_version: + type: string + install_source: + enum: + - registry + - upload + - bundled + - custom + type: string + install_status: + enum: + - installed + - installing + - install_failed + type: string + installed_es: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_es_asset_reference' + maxItems: 10000 + type: array + installed_kibana: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kibana_asset_reference' + maxItems: 10000 + type: array + installed_kibana_space_id: + type: string + is_rollback_ttl_expired: + type: boolean + latest_executed_state: + additionalProperties: true + type: object + properties: + error: + type: string + name: + type: string + started_at: + type: string + latest_install_failed_attempts: + items: + additionalProperties: true + type: object + properties: + created_at: + type: string + error: + additionalProperties: true + type: object + properties: + message: + type: string + name: + type: string + stack: + type: string + required: + - name + - message + target_version: + type: string + required: + - created_at + - target_version + - error + maxItems: 10 + type: array + name: + type: string + namespaces: + items: + type: string + maxItems: 100 + type: array + previous_version: + nullable: true + type: string + rolled_back: + type: boolean + type: + type: string + updated_at: + type: string + verification_key_id: + nullable: true + type: string + 
verification_status: + enum: + - unverified + - verified + - unknown + type: string + version: + type: string + required: + - type + - installed_kibana + - installed_es + - name + - version + - install_status + - install_source + - verification_status + title: installation_info + type: object + Kibana_HTTP_APIs_installed_package: + additionalProperties: false + properties: + dataStreams: + items: + additionalProperties: false + type: object + properties: + name: + type: string + title: + type: string + required: + - name + - title + maxItems: 10000 + type: array + description: + type: string + icons: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_icon' + maxItems: 100 + type: array + name: + type: string + status: + type: string + title: + type: string + version: + type: string + required: + - name + - version + - status + - dataStreams + title: installed_package + type: object + Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeConditionFilterSchema: + additionalProperties: false + description: A filter that evaluates a single field condition such as equality, range, or existence. + properties: + condition: + description: A filter condition with strict operator/value type matching. 
+ discriminator: + mapping: + exists: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_exists' + is: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_is' + is_one_of: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_is_one_of' + range: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_range' + propertyName: operator + oneOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_is' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_is_one_of' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_range' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_exists' + controlled_by: + description: Identifier of the panel that manages this filter. When set, the filter is treated as owned by that panel. + type: string + data_view_id: + description: Identifier of the data view used as context for this filter. + type: string + disabled: + description: When `true`, the filter is inactive and does not affect query results. Defaults to `false`. + type: boolean + is_multi_index: + description: When `true`, the filter can be applied across multiple indices. Defaults to `false`. + type: boolean + label: + description: Human-readable label for the filter, used for display purposes. + type: string + negate: + description: When `true`, the filter is negated and matches documents that do NOT satisfy the condition. Defaults to `false`. 
+ type: boolean + type: + enum: + - condition + type: string + required: + - type + - condition + title: condition + type: object + Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeDSLFilterSchema: + additionalProperties: false + description: A filter expressed as a raw [Elasticsearch Query DSL](https://www.elastic.co/docs/reference/query-languages/querydsl) object, used for queries that cannot be represented by condition or group filters. + properties: + controlled_by: + description: Identifier of the panel that manages this filter. When set, the filter is treated as owned by that panel. + type: string + data_view_id: + description: Identifier of the data view used as context for this filter. + type: string + disabled: + description: When `true`, the filter is inactive and does not affect query results. Defaults to `false`. + type: boolean + dsl: + additionalProperties: + nullable: true + description: Elasticsearch Query DSL object passed directly to the query. + type: object + field: + description: Field name for scripted filters where the field cannot be extracted from the DSL query. + type: string + is_multi_index: + description: When `true`, the filter can be applied across multiple indices. Defaults to `false`. + type: boolean + label: + description: Human-readable label for the filter, used for display purposes. + type: string + negate: + description: When `true`, the filter is negated and matches documents that do NOT satisfy the condition. Defaults to `false`. + type: boolean + params: + description: Filter parameters metadata. May contain display values, formats, and parameters for scripted filters. + nullable: true + type: + enum: + - dsl + type: string + required: + - type + - dsl + - params + title: dsl + type: object + Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeGroupFilterSchema: + additionalProperties: false + description: A filter that combines multiple conditions or nested groups using a logical `and` or `or` operator. 
+ properties: + controlled_by: + description: Identifier of the panel that manages this filter. When set, the filter is treated as owned by that panel. + type: string + data_view_id: + description: Identifier of the data view used as context for this filter. + type: string + disabled: + description: When `true`, the filter is inactive and does not affect query results. Defaults to `false`. + type: boolean + group: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_groupFilter' + is_multi_index: + description: When `true`, the filter can be applied across multiple indices. Defaults to `false`. + type: boolean + label: + description: Human-readable label for the filter, used for display purposes. + type: string + negate: + description: When `true`, the filter is negated and matches documents that do NOT satisfy the condition. Defaults to `false`. + type: boolean + type: + enum: + - group + type: string + required: + - type + - group + title: group + type: object + Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeSpatialFilterSchema: + additionalProperties: false + description: A filter that applies an Elasticsearch geo query, used for geographic boundary and shape matching. + properties: + controlled_by: + description: Identifier of the panel that manages this filter. When set, the filter is treated as owned by that panel. + type: string + data_view_id: + description: Identifier of the data view used as context for this filter. + type: string + disabled: + description: When `true`, the filter is inactive and does not affect query results. Defaults to `false`. + type: boolean + dsl: + additionalProperties: + nullable: true + description: Elasticsearch geo query DSL object. + type: object + is_multi_index: + description: When `true`, the filter can be applied across multiple indices. Defaults to `false`. + type: boolean + label: + description: Human-readable label for the filter, used for display purposes. 
+ type: string + negate: + description: When `true`, the filter is negated and matches documents that do NOT satisfy the condition. Defaults to `false`. + type: boolean + type: + enum: + - spatial + type: string + required: + - type + - dsl + title: spatial + type: object + Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_exists: + additionalProperties: false + description: Matches documents where `field` exists and contains a non-null value. + properties: + field: + description: Name of the document field the condition evaluates. + type: string + negate: + description: When `true`, the filter is negated and matches documents that do NOT satisfy the condition. Defaults to `false`. + type: boolean + operator: + enum: + - exists + type: string + required: + - field + - operator + title: exists + type: object + Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_is: + additionalProperties: false + description: Matches documents where `field` equals a single specified value. + properties: + field: + description: Name of the document field the condition evaluates. + type: string + negate: + description: When `true`, the filter is negated and matches documents that do NOT satisfy the condition. Defaults to `false`. + type: boolean + operator: + enum: + - is + type: string + value: + anyOf: + - title: value + type: string + - title: value + type: number + - title: value + type: boolean + description: Single value to compare against the field. + required: + - field + - operator + - value + title: is + type: object + Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_is_one_of: + additionalProperties: false + description: Matches documents where `field` equals any value in a provided list. + properties: + field: + description: Name of the document field the condition evaluates. + type: string + negate: + description: When `true`, the filter is negated and matches documents that do NOT satisfy the condition. Defaults to `false`. 
+ type: boolean + operator: + enum: + - is_one_of + type: string + value: + anyOf: + - items: + type: string + maxItems: 10000 + type: array + - items: + type: number + maxItems: 10000 + type: array + - items: + type: boolean + maxItems: 10000 + type: array + description: Homogeneous array of values to match against the field. + required: + - field + - operator + - value + title: is_one_of + type: object + Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_range: + additionalProperties: false + description: Matches documents where `field` falls within a specified numeric or date range. + properties: + field: + description: Name of the document field the condition evaluates. + type: string + negate: + description: When `true`, the filter is negated and matches documents that do NOT satisfy the condition. Defaults to `false`. + type: boolean + operator: + enum: + - range + type: string + value: + additionalProperties: false + description: Boundary values for a range comparison. + type: object + properties: + format: + description: Elasticsearch [date format](https://www.elastic.co/docs/reference/elasticsearch/mapping-reference/mapping-date-format) string applied when parsing date boundary values. For example, `strict_date_optional_time` or `epoch_millis`. + type: string + gt: + anyOf: + - type: number + - type: string + description: Greater than. + gte: + anyOf: + - type: number + - type: string + description: Greater than or equal to. + lt: + anyOf: + - type: number + - type: string + description: Less than. + lte: + anyOf: + - type: number + - type: string + description: Less than or equal to. + required: + - field + - operator + - value + title: range + type: object + Kibana_HTTP_APIs_kbn-as-code-filters-schema_groupFilter: + additionalProperties: false + description: Logical group that combines one or more conditions or nested groups. + properties: + conditions: + description: Ordered list of conditions or nested groups combined by the group `operator`. 
+ items: + anyOf: + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_is' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_is_one_of' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_range' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_condition_exists' + description: A filter condition with strict operator/value type matching. + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_groupFilter' + type: array + operator: + description: Logical operator applied across all entries in `conditions`. Use `and` to require all conditions, or `or` to require at least one. + enum: + - and + - or + type: string + required: + - operator + - conditions + title: kbn-as-code-filters-schema_groupFilter + type: object + Kibana_HTTP_APIs_kbn-as-code-meta: + additionalProperties: false + properties: + created_at: + description: Timestamp when the object was created (ISO 8601). + type: string + created_by: + description: User profile ID of the user who created the object. + type: string + managed: + description: When `true`, the object is managed by Kibana and cannot be edited by users. + type: boolean + owner: + description: Identifier of the plugin or team that owns this object. + type: string + updated_at: + description: Timestamp when the object was last updated (ISO 8601). + type: string + updated_by: + description: User profile ID of the user who last updated the object. + type: string + version: + description: Internal version identifier for optimistic concurrency control. + type: string + title: kbn-as-code-meta + type: object + Kibana_HTTP_APIs_kbn-as-code-query: + additionalProperties: false + description: A search query consisting of an expression and its language. Supports KQL and Lucene syntax. + properties: + expression: + description: A query expression in KQL or Lucene syntax. 
+ type: string + language: + description: Query language. Use `kql` for Kibana Query Language (KQL) or `lucene` for Lucene query syntax. + enum: + - kql + - lucene + type: string + required: + - expression + - language + title: Query + type: object + Kibana_HTTP_APIs_kbn-composite-runtime-field-schema: + additionalProperties: false + properties: + fields: + additionalProperties: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-field-setting' + type: object + script: + description: The script that defines the runtime field. This should be a painless script that computes the field value at query time. Runtime fields without a script retrieve values from _source. If the field doesn't exist in _source, a search request returns no value. + minLength: 1 + title: Script + type: string + type: + enum: + - composite + type: string + required: + - type + - fields + title: Composite runtime field + type: object + Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema: + additionalProperties: false + properties: + id: + type: string + name: + type: string + type: + type: string + required: + - name + - type + - id + title: kbn-content-management-utils-referenceSchema + type: object + Kibana_HTTP_APIs_kbn-controls-schemas-controls-group-schema-esql-control: + additionalProperties: false + description: An ES|QL variable control whose selected value is injected into ES|QL visualizations using the `?variable_name` syntax. Options can come from a fixed list or an ES|QL query. Define the options source in `config`. 
+ properties: + config: + discriminator: + mapping: + STATIC_VALUES: '#/components/schemas/Kibana_HTTP_APIs_kbn-controls-schemas-options-list-esql-control-schema-static-values' + VALUES_FROM_QUERY: '#/components/schemas/Kibana_HTTP_APIs_kbn-controls-schemas-options-list-esql-control-schema-values-from-query' + propertyName: control_type + oneOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-controls-schemas-options-list-esql-control-schema-static-values' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-controls-schemas-options-list-esql-control-schema-values-from-query' + grow: + default: false + description: When `true`, the control expands to fill any available horizontal space. Defaults to `false`. + type: boolean + id: + description: The unique ID of the control + type: string + type: + enum: + - esql_control + type: string + width: + default: medium + description: Minimum width of the control panel. + enum: + - small + - medium + - large + type: string + required: + - type + - config + title: esql_control + type: object + Kibana_HTTP_APIs_kbn-controls-schemas-controls-group-schema-options-list-control: + additionalProperties: false + description: A dropdown control that filters data by selecting field values from a data view. Define the data view, field, and selection settings in `config`. + properties: + config: + additionalProperties: false + type: object + properties: + data_view_id: + description: The ID of the data view that provides field options for this control. + minLength: 1 + type: string + display_settings: + additionalProperties: false + type: object + properties: + hide_action_bar: + description: When `true`, the search bar, sorting options, and select all toggle are hidden from the control. + type: boolean + hide_exclude: + description: When `true`, the exclude mode toggle is hidden from the control. + type: boolean + hide_exists: + description: When `true`, the exists filter option is hidden from the control. 
+ type: boolean + hide_sort: + description: When `true`, the sort selector is hidden from the control. + type: boolean + placeholder: + description: Placeholder text displayed in the control input when no option is selected. + type: string + exclude: + default: false + description: When `true`, the control filters to documents that do NOT match the selected options. Defaults to `false`. + type: boolean + exists_selected: + default: false + description: When `true`, the control filters to documents where the field exists, regardless of the field's value. Defaults to `false`. + type: boolean + field_name: + description: The name of the field in the data view that this control filters on. + minLength: 1 + type: string + ignore_validations: + default: false + description: When `true`, the control skips selection validation and does not report which selections are responsible for returning zero results. Defaults to `false`. + type: boolean + run_past_timeout: + default: false + description: When `true`, the options list query continues running even if it exceeds the configured timeout threshold. Defaults to `false`. + type: boolean + search_technique: + default: wildcard + description: The matching technique used when searching available options. `prefix` matches values starting with the search term, `wildcard` matches values containing the search term, and `exact` requires a complete match. Only applies to string and IP fields. Defaults to `wildcard`. + enum: + - prefix + - wildcard + - exact + type: string + selected_options: + default: [] + description: The list of currently selected option values. + items: + anyOf: + - type: string + - type: number + description: A selected option value. Accepts a string or a number. + maxItems: 10000 + type: array + single_select: + default: false + description: When `true`, only one option can be selected at a time. Selecting a new option deselects any previously selected option. Defaults to `false`. 
+ type: boolean + sort: + additionalProperties: false + default: + by: _count + direction: desc + description: 'Defines how the available options are sorted in the control popover. Defaults to `{ by: "_count", direction: "desc" }`.' + type: object + properties: + by: + description: The field used to sort the available options list. `_count` sorts by document count and `_key` sorts alphabetically by option value. + enum: + - _count + - _key + type: string + direction: + description: The sort direction. `asc` sorts ascending and `desc` sorts descending. + enum: + - asc + - desc + type: string + required: + - by + - direction + title: + description: A human-readable title for the control. + type: string + use_global_filters: + default: true + description: When `true`, the control's available options are narrowed by the page's active filters. Defaults to `true`. + type: boolean + required: + - data_view_id + - field_name + grow: + default: false + description: When `true`, the control expands to fill any available horizontal space. Defaults to `false`. + type: boolean + id: + description: The unique ID of the control + type: string + type: + enum: + - options_list_control + type: string + width: + default: medium + description: Minimum width of the control panel. + enum: + - small + - medium + - large + type: string + required: + - type + - config + title: options_list_control + type: object + Kibana_HTTP_APIs_kbn-controls-schemas-controls-group-schema-range-slider-control: + additionalProperties: false + description: A slider control that filters data by selecting a numeric range for the configured field. Define the data view, field, and selection settings in `config`. + properties: + config: + additionalProperties: false + type: object + properties: + data_view_id: + description: The ID of the data view that provides field options for this control. 
+ minLength: 1 + type: string + field_name: + description: The name of the field in the data view that this control filters on. + minLength: 1 + type: string + ignore_validations: + default: false + description: When `true`, the control skips selection validation and does not report which selections are responsible for returning zero results. Defaults to `false`. + type: boolean + step: + default: 1 + description: The step size between selectable range values. + minimum: 0 + type: number + title: + description: A human-readable title for the control. + type: string + use_global_filters: + default: true + description: When `true`, the control's available options are narrowed by the page's active filters. Defaults to `true`. + type: boolean + value: + description: The selected range as a two-element array of strings representing the lower and upper bound values, for example `["10", "50"]`. + items: + type: string + maxItems: 2 + minItems: 2 + type: array + required: + - data_view_id + - field_name + grow: + default: false + description: When `true`, the control expands to fill any available horizontal space. Defaults to `false`. + type: boolean + id: + description: The unique ID of the control + type: string + type: + enum: + - range_slider_control + type: string + width: + default: medium + description: Minimum width of the control panel. + enum: + - small + - medium + - large + type: string + required: + - type + - config + title: range_slider_control + type: object + Kibana_HTTP_APIs_kbn-controls-schemas-controls-group-schema-time-slider-control: + additionalProperties: false + description: A control panel that filters a time field to a selected sub-range of the global time range. Define the start and end positions in `config` as fractions of the global range (0 to 1). 
+ properties: + config: + additionalProperties: false + type: object + properties: + end_percentage_of_time_range: + default: 1 + description: The end of the selected time window expressed as a fraction of the global time range, where `0` is the beginning and `1` is the end of the range. + maximum: 1 + minimum: 0 + type: number + is_anchored: + default: false + description: When `true`, the start of the time window is fixed at the beginning of the global time range. Only the end of the window can be adjusted. Defaults to `false`. + type: boolean + start_percentage_of_time_range: + default: 0 + description: The start of the selected time window expressed as a fraction of the global time range, where `0` is the beginning and `1` is the end of the range. + maximum: 1 + minimum: 0 + type: number + grow: + default: false + description: When `true`, the control expands to fill any available horizontal space. Defaults to `false`. + type: boolean + id: + description: The unique ID of the control + type: string + type: + enum: + - time_slider_control + type: string + width: + default: medium + description: Minimum width of the control panel. + enum: + - small + - medium + - large + type: string + required: + - type + - config + title: time_slider_control + type: object + Kibana_HTTP_APIs_kbn-controls-schemas-options-list-esql-control-schema-static-values: + additionalProperties: false + description: An ES|QL variable control with a fixed list of selectable options defined directly in `available_options`. + properties: + available_options: + description: A fixed list of option strings displayed in the control. + items: + type: string + maxItems: 1000 + type: array + control_type: + enum: + - STATIC_VALUES + type: string + display_settings: + additionalProperties: false + type: object + properties: + hide_action_bar: + description: When `true`, the search bar, sorting options, and select all toggle are hidden from the control. 
+ type: boolean + hide_exclude: + description: When `true`, the exclude mode toggle is hidden from the control. + type: boolean + hide_exists: + description: When `true`, the exists filter option is hidden from the control. + type: boolean + hide_sort: + description: When `true`, the sort selector is hidden from the control. + type: boolean + placeholder: + description: Placeholder text displayed in the control input when no option is selected. + type: string + selected_options: + description: The list of currently selected option values. + items: + type: string + maxItems: 10000 + type: array + single_select: + default: true + description: When `true`, only one option can be selected at a time. Selecting a new option deselects any previously selected option. Defaults to `true`. + type: boolean + title: + description: A human-readable title for the control. + type: string + variable_name: + description: The name of the ES|QL variable that this control populates. The variable is referenced in ES|QL queries using the `?variable_name` syntax. + type: string + variable_type: + description: The ES|QL variable type that determines how the selected value is substituted into the query. Accepts `fields`, `values`, `functions`, `time_literal`, or `multi_values`. + enum: + - fields + - values + - functions + - time_literal + - multi_values + type: string + required: + - selected_options + - variable_name + - variable_type + - control_type + - available_options + title: STATIC_VALUES + type: object + Kibana_HTTP_APIs_kbn-controls-schemas-options-list-esql-control-schema-values-from-query: + additionalProperties: false + description: An ES|QL variable control whose selectable options are dynamically retrieved by running an ES|QL query. 
+ properties: + control_type: + enum: + - VALUES_FROM_QUERY + type: string + display_settings: + additionalProperties: false + type: object + properties: + hide_action_bar: + description: When `true`, the search bar, sorting options, and select all toggle are hidden from the control. + type: boolean + hide_exclude: + description: When `true`, the exclude mode toggle is hidden from the control. + type: boolean + hide_exists: + description: When `true`, the exists filter option is hidden from the control. + type: boolean + hide_sort: + description: When `true`, the sort selector is hidden from the control. + type: boolean + placeholder: + description: Placeholder text displayed in the control input when no option is selected. + type: string + esql_query: + description: An ES|QL query whose results populate the list of available options in the control popover. + type: string + selected_options: + description: The list of currently selected option values. + items: + type: string + maxItems: 10000 + type: array + single_select: + default: true + description: When `true`, only one option can be selected at a time. Selecting a new option deselects any previously selected option. Defaults to `true`. + type: boolean + title: + description: A human-readable title for the control. + type: string + variable_name: + description: The name of the ES|QL variable that this control populates. The variable is referenced in ES|QL queries using the `?variable_name` syntax. + type: string + variable_type: + description: The ES|QL variable type that determines how the selected value is substituted into the query. Accepts `fields`, `values`, `functions`, `time_literal`, or `multi_values`. 
+ enum: + - fields + - values + - functions + - time_literal + - multi_values + type: string + required: + - selected_options + - variable_name + - variable_type + - control_type + - esql_query + title: VALUES_FROM_QUERY + type: object + Kibana_HTTP_APIs_kbn-dashboard-access-control: + additionalProperties: false + description: Access control settings for the dashboard. + properties: + access_mode: + description: Controls edit access to the dashboard. Set to `write_restricted` to prevent edits by users without explicit write permission. Defaults to `default` (all viewers can edit). + enum: + - write_restricted + - default + type: string + title: Access control + type: object + Kibana_HTTP_APIs_kbn-dashboard-data: + additionalProperties: false + properties: + access_control: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-access-control' + description: + description: A short description of the dashboard. + type: string + filters: + description: Filters applied across all panels, including pinned panels. + items: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeConditionFilterSchema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeGroupFilterSchema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeDSLFilterSchema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeSpatialFilterSchema' + description: A filter applied to query results. Can be a field condition (`condition`), a logical group of conditions (`group`), a raw Elasticsearch DSL query (`dsl`), or a geo spatial query (`spatial`). + maxItems: 500 + type: array + options: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-options' + panels: + default: [] + description: Panels and sections in the dashboard. Each entry is either a panel (with a `type` and `config`) or a collapsible section (with a `title`, `collapsed` state, and nested `panels`). 
+ items: + anyOf: + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-apm_service_map' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-aiops_change_point_chart' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-discover_session' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-esql_control' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-image' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-links' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-markdown' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-options_list_control' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-range_slider_control' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_alerts' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_burn_rate' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_error_budget' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_overview' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-synthetics_monitors' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-synthetics_stats_overview' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-time_slider_control' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-vis' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-section' + maxItems: 100 + type: array + pinned_panels: + default: [] + description: An array of control panels and their state in the control group. 
+ items: + discriminator: + mapping: + esql_control: '#/components/schemas/Kibana_HTTP_APIs_kbn-controls-schemas-controls-group-schema-esql-control' + options_list_control: '#/components/schemas/Kibana_HTTP_APIs_kbn-controls-schemas-controls-group-schema-options-list-control' + range_slider_control: '#/components/schemas/Kibana_HTTP_APIs_kbn-controls-schemas-controls-group-schema-range-slider-control' + time_slider_control: '#/components/schemas/Kibana_HTTP_APIs_kbn-controls-schemas-controls-group-schema-time-slider-control' + propertyName: type + oneOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-controls-schemas-controls-group-schema-esql-control' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-controls-schemas-controls-group-schema-options-list-control' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-controls-schemas-controls-group-schema-range-slider-control' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-controls-schemas-controls-group-schema-time-slider-control' + maxItems: 100 + type: array + project_routing: + description: Controls [cross-project search](https://www.elastic.co/docs/explore-analyze/cross-project-search/cross-project-search-project-routing) behavior for this dashboard (Serverless only). Set to `_alias:_origin` to scope data to the current project, or `_alias:*` to search across all projects. When omitted, the space default applies. + type: string + query: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-query' + refresh_interval: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-service-server-refreshIntervalSchema' + tags: + description: Tag IDs to associate with this dashboard. + items: + type: string + maxItems: 100 + type: array + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + description: A human-readable title for the dashboard. 
+ minLength: 1 + type: string + required: + - title + title: kbn-dashboard-data + type: object + Kibana_HTTP_APIs_kbn-dashboard-dropped-panel-warning: + additionalProperties: false + description: A panel that was excluded from the response because its type is not supported by the API. + properties: + message: + description: Human-readable explanation of why the panel was dropped. + type: string + panel_config: + additionalProperties: true + description: The original configuration of the dropped panel. + type: object + properties: {} + panel_references: + description: Saved object references used by the dropped panel. + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + maxItems: 100 + type: array + panel_type: + description: The type identifier of the dropped panel. + type: string + type: + enum: + - dropped_panel + type: string + required: + - type + - message + - panel_type + - panel_config + title: Dropped panel + type: object + Kibana_HTTP_APIs_kbn-dashboard-options: + additionalProperties: false + default: + auto_apply_filters: true + hide_panel_borders: false + hide_panel_titles: false + sync_colors: false + sync_cursor: true + sync_tooltips: false + use_margins: true + description: Display and behavior settings for the dashboard. + properties: + auto_apply_filters: + default: true + description: When `true`, control filter changes are applied automatically. When `false`, control filter changes are applied manually through the dashboard's search update button. Defaults to `true`. + type: boolean + hide_panel_borders: + default: false + description: When `true`, panel borders are hidden. Defaults to `false`. + type: boolean + hide_panel_titles: + default: false + description: When `true`, panel titles are hidden. Defaults to `false`. + type: boolean + sync_colors: + default: false + description: When `true`, colors are synchronized across panels that share a data source. Defaults to `false`. 
+ type: boolean + sync_cursor: + default: true + description: When `true`, the cursor position is synchronized across panels. Defaults to `true`. + type: boolean + sync_tooltips: + default: false + description: When `true`, tooltips are synchronized across panels. Defaults to `false`. + type: boolean + use_margins: + default: true + description: When `true`, panels are separated by a margin. Defaults to `true`. + type: boolean + title: Options + type: object + Kibana_HTTP_APIs_kbn-dashboard-panel-grid: + additionalProperties: false + description: The position and size of the panel on the dashboard grid. + properties: + h: + default: 15 + description: The height of the panel in grid units. Minimum `1`. Defaults to `15`. + minimum: 1 + type: number + w: + default: 24 + description: The width of the panel in grid units. Minimum `1`, maximum `48`. Defaults to `24`. + maximum: 48 + minimum: 1 + type: number + x: + description: The x coordinate of the panel in grid units. + type: number + 'y': + description: The y coordinate of the panel in grid units. + type: number + required: + - x + - 'y' + title: Panel grid + type: object + Kibana_HTTP_APIs_kbn-dashboard-panel-type-aiops_change_point_chart: + additionalProperties: false + properties: + config: + $ref: '#/components/schemas/Kibana_HTTP_APIs_aiops_change_point_chart' + grid: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' + id: + description: The unique ID of the panel. + type: string + type: + enum: + - aiops_change_point_chart + type: string + required: + - grid + - type + - config + title: Change point detection chart + type: object + Kibana_HTTP_APIs_kbn-dashboard-panel-type-apm_service_map: + additionalProperties: false + properties: + config: + $ref: '#/components/schemas/Kibana_HTTP_APIs_apm-service-map-embeddable' + grid: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' + id: + description: The unique ID of the panel. 
+ type: string + type: + enum: + - apm_service_map + type: string + required: + - grid + - type + - config + title: APM Service map + type: object + Kibana_HTTP_APIs_kbn-dashboard-panel-type-discover_session: + additionalProperties: false + properties: + config: + anyOf: + - additionalProperties: false + description: Panel configuration stored inline + properties: + description: + type: string + drilldowns: + items: + additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_open_panel_menu + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + hide_border: + type: boolean + hide_title: + type: boolean + tabs: + description: Inline tab configuration. Used when no `ref_id` is set. Currently supports one tab. + items: + anyOf: + - additionalProperties: false + type: object + properties: + column_order: + description: Ordered list of field names to display in the data table. If omitted, defaults to the advanced setting "defaultColumns" or the referenced saved object. + items: + description: Field name of a column in display order. + type: string + maxItems: 100 + type: array + column_settings: + additionalProperties: + additionalProperties: false + type: object + properties: + width: + description: Optional width of the column in pixels. + minimum: 0 + type: number + description: Per-column presentation settings keyed by field name (e.g. widths). Keys should correspond to entries in `column_order` when both are set. 
+ type: object + data_source: + discriminator: + mapping: + data_view_reference: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' + data_view_spec: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' + propertyName: type + oneOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' + density: + description: Data grid density. Choose "compact", "expanded", or "normal" for row spacing. If omitted, defaults to Discover or embeddable defaults (e.g. user preference / local storage). + enum: + - compact + - expanded + - normal + type: string + filters: + default: [] + description: List of filters to apply to the data in the tab. + items: + description: A filter applied to query results. Can be a field condition (`condition`), a logical group of conditions (`group`), a raw Elasticsearch DSL query (`dsl`), or a geo spatial query (`spatial`). + discriminator: + mapping: + condition: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeConditionFilterSchema' + dsl: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeDSLFilterSchema' + group: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeGroupFilterSchema' + spatial: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeSpatialFilterSchema' + propertyName: type + oneOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeConditionFilterSchema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeGroupFilterSchema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeDSLFilterSchema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeSpatialFilterSchema' + maxItems: 100 + type: array + header_row_height: + anyOf: + - maximum: 5 + minimum: 1 + type: number + - enum: + - auto + type: string + 
description: Header row height. Use a number (1–5) or "auto" to size based on content. If omitted, defaults to Discover or embeddable defaults (e.g. user preference / local storage). + query: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-query' + row_height: + anyOf: + - maximum: 20 + minimum: 1 + type: number + - enum: + - auto + type: string + description: Data row height. Use a number (1–20) or "auto" to size based on content. If omitted, defaults to the advanced setting "discover:rowHeightOption". + rows_per_page: + description: The number of rows to display per page in the data table. If omitted, defaults to the advanced setting "discover:sampleRowsPerPage". + maximum: 10000 + minimum: 1 + type: number + sample_size: + description: The number of documents to sample for the data table. If omitted, defaults to the advanced setting "discover:sampleSize". + maximum: 10000 + minimum: 10 + type: number + sort: + default: [] + description: Sort configuration for the data table (field and direction). + items: + additionalProperties: false + type: object + properties: + direction: + description: 'The direction to sort the field by: Use "asc" for ascending or "desc" for descending.' + enum: + - asc + - desc + type: string + name: + description: The name of the field to sort by. + type: string + required: + - name + - direction + maxItems: 100 + type: array + view_mode: + default: documents + description: Discover view mode. Choose "documents" (search hits), "patterns" (pattern analysis), or "aggregated" (field statistics). + enum: + - documents + - patterns + - aggregated + type: string + required: + - data_source + - additionalProperties: false + type: object + properties: + column_order: + description: Ordered list of field names to display in the data table. If omitted, defaults to the advanced setting "defaultColumns" or the referenced saved object. + items: + description: Field name of a column in display order. 
+ type: string + maxItems: 100 + type: array + column_settings: + additionalProperties: + additionalProperties: false + type: object + properties: + width: + description: Optional width of the column in pixels. + minimum: 0 + type: number + description: Per-column presentation settings keyed by field name (e.g. widths). Keys should correspond to entries in `column_order` when both are set. + type: object + data_source: + $ref: '#/components/schemas/Kibana_HTTP_APIs_esqlDataSource' + density: + description: Data grid density. Choose "compact", "expanded", or "normal" for row spacing. If omitted, defaults to Discover or embeddable defaults (e.g. user preference / local storage). + enum: + - compact + - expanded + - normal + type: string + header_row_height: + anyOf: + - maximum: 5 + minimum: 1 + type: number + - enum: + - auto + type: string + description: Header row height. Use a number (1–5) or "auto" to size based on content. If omitted, defaults to Discover or embeddable defaults (e.g. user preference / local storage). + row_height: + anyOf: + - maximum: 20 + minimum: 1 + type: number + - enum: + - auto + type: string + description: Data row height. Use a number (1–20) or "auto" to size based on content. If omitted, defaults to the advanced setting "discover:rowHeightOption". + sort: + default: [] + description: Sort configuration for the data table (field and direction). + items: + additionalProperties: false + type: object + properties: + direction: + description: 'The direction to sort the field by: Use "asc" for ascending or "desc" for descending.' + enum: + - asc + - desc + type: string + name: + description: The name of the field to sort by. 
+ type: string + required: + - name + - direction + maxItems: 100 + type: array + required: + - data_source + maxItems: 1 + minItems: 1 + type: array + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + required: + - tabs + title: By value + type: object + - additionalProperties: false + description: Panel configuration stored in a linked library item + properties: + description: + type: string + drilldowns: + items: + additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_open_panel_menu + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + hide_border: + type: boolean + hide_title: + type: boolean + overrides: + additionalProperties: false + default: {} + type: object + properties: + column_order: + description: When set, overrides column order for the data table relative to the referenced saved object (`ref_id`) or the inline tab in `tabs`. If omitted, the source configuration is used. + items: + description: Field name of a column in display order. + type: string + maxItems: 100 + type: array + column_settings: + additionalProperties: + additionalProperties: false + type: object + properties: + width: + description: Optional width of the column in pixels. + minimum: 0 + type: number + description: Per-column presentation overrides (e.g. widths) keyed by field name. When set, merges with the source configuration for the referenced session or inline tab. 
+ type: object + density: + description: 'Data grid row spacing: `compact`, `expanded`, or `normal`. When set, overrides the referenced saved object or the inline tab config in `tabs`. If omitted, the source configuration is used.' + enum: + - compact + - expanded + - normal + type: string + header_row_height: + anyOf: + - maximum: 5 + minimum: 1 + type: number + - enum: + - auto + type: string + description: 'Header row height: number (1–5) or `auto`. When set, overrides the referenced saved object or the inline tab config in `tabs`. If omitted, the source configuration is used.' + row_height: + anyOf: + - maximum: 20 + minimum: 1 + type: number + - enum: + - auto + type: string + description: 'Data row height: number (1–20) or `auto`. When set, overrides the referenced saved object or the inline tab config in `tabs`. If omitted, falls back to the source or to the advanced setting "discover:rowHeightOption".' + rows_per_page: + description: Number of rows per page. When set, overrides the referenced saved object or the inline tab config in `tabs`. If omitted, falls back to the source or to the advanced setting "discover:sampleRowsPerPage". + maximum: 10000 + minimum: 1 + type: number + sample_size: + description: Number of documents to sample. When set, overrides the referenced saved object or the inline tab config in `tabs`. If omitted, falls back to the source or to the advanced setting "discover:sampleSize". + maximum: 10000 + minimum: 10 + type: number + sort: + description: Sort configuration (field and direction) for the data table. When set, overrides the referenced saved object or the inline tab config in `tabs`. If omitted, the source configuration is used. + items: + additionalProperties: false + type: object + properties: + direction: + description: 'The direction to sort the field by: Use "asc" for ascending or "desc" for descending.' + enum: + - asc + - desc + type: string + name: + description: The name of the field to sort by. 
+ type: string + required: + - name + - direction + maxItems: 100 + type: array + ref_id: + type: string + selected_tab_id: + description: Tab to select from the referenced saved object. If omitted, defaults to the first tab. + type: string + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + required: + - ref_id + title: By reference + type: object + grid: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' + id: + description: The unique ID of the panel. + type: string + type: + enum: + - discover_session + type: string + required: + - grid + - type + - config + title: Discover session + type: object + Kibana_HTTP_APIs_kbn-dashboard-panel-type-esql_control: + additionalProperties: false + properties: + config: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-controls-schemas-options-list-esql-control-schema-static-values' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-controls-schemas-options-list-esql-control-schema-values-from-query' + grid: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' + id: + description: The unique ID of the panel. + type: string + type: + enum: + - esql_control + type: string + required: + - grid + - type + - config + title: ES|QL variable control + type: object + Kibana_HTTP_APIs_kbn-dashboard-panel-type-image: + additionalProperties: false + properties: + config: + additionalProperties: false + description: Image embeddable schema + type: object + properties: + description: + type: string + drilldowns: + items: + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. 
+ type: boolean + trigger: + enum: + - on_click_image + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. + type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_image + - on_open_panel_menu + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + hide_border: + type: boolean + hide_title: + type: boolean + image_config: + additionalProperties: false + type: object + properties: + alt_text: + type: string + background_color: + type: string + object_fit: + default: contain + description: How the image should be sized within its container + enum: + - fill + - contain + - cover + - none + type: string + src: + anyOf: + - additionalProperties: false + properties: + file_id: + type: string + type: + enum: + - file + type: string + required: + - type + - file_id + title: file + type: object + - additionalProperties: false + properties: + type: + enum: + - url + type: string + url: + description: URL of the image + type: string + required: + - type + - url + title: url + type: object + description: Image source + required: + - src + title: + type: string + required: + - image_config + grid: + $ref: 
'#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' + id: + description: The unique ID of the panel. + type: string + type: + enum: + - image + type: string + required: + - grid + - type + - config + title: Image + type: object + Kibana_HTTP_APIs_kbn-dashboard-panel-type-links: + additionalProperties: false + properties: + config: + anyOf: + - additionalProperties: false + description: Panel configuration stored inline + properties: + description: + type: string + hide_border: + type: boolean + hide_title: + type: boolean + layout: + description: Denote whether to display the links in a horizontal or vertical layout + enum: + - horizontal + - vertical + type: string + links: + description: The list of links to display + items: + discriminator: + mapping: + dashboardLink: '#/components/schemas/Kibana_HTTP_APIs_kbn-link-panel-type-dashboardLink' + externalLink: '#/components/schemas/Kibana_HTTP_APIs_kbn-link-type-externalLink' + propertyName: type + oneOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-link-panel-type-dashboardLink' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-link-type-externalLink' + maxItems: 100 + type: array + title: + type: string + required: + - links + title: By value + type: object + - additionalProperties: false + description: Panel configuration stored in a linked library item + properties: + description: + type: string + hide_border: + type: boolean + hide_title: + type: boolean + ref_id: + description: The unique identifier of the Links library item + title: Reference ID + type: string + title: + type: string + required: + - ref_id + title: By reference + type: object + description: Links embeddable schema + grid: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' + id: + description: The unique ID of the panel. 
+ type: string + type: + enum: + - links + type: string + required: + - grid + - type + - config + title: Links + type: object + Kibana_HTTP_APIs_kbn-dashboard-panel-type-markdown: + additionalProperties: false + properties: + config: + anyOf: + - additionalProperties: false + description: Panel configuration stored inline + properties: + content: + type: string + description: + type: string + hide_border: + type: boolean + hide_title: + type: boolean + settings: + additionalProperties: false + type: object + properties: + open_links_in_new_tab: + default: true + type: boolean + title: + type: string + required: + - content + - settings + title: By value + type: object + - additionalProperties: false + description: Panel configuration stored in a linked library item + properties: + description: + type: string + hide_border: + type: boolean + hide_title: + type: boolean + ref_id: + description: The unique identifier of the markdown library item. + type: string + title: + type: string + required: + - ref_id + title: By reference + type: object + description: Markdown panel config + grid: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' + id: + description: The unique ID of the panel. + type: string + type: + enum: + - markdown + type: string + required: + - grid + - type + - config + title: Markdown + type: object + Kibana_HTTP_APIs_kbn-dashboard-panel-type-options_list_control: + additionalProperties: false + properties: + config: + additionalProperties: false + type: object + properties: + data_view_id: + description: The ID of the data view that provides field options for this control. + minLength: 1 + type: string + display_settings: + additionalProperties: false + type: object + properties: + hide_action_bar: + description: When `true`, the search bar, sorting options, and select all toggle are hidden from the control. + type: boolean + hide_exclude: + description: When `true`, the exclude mode toggle is hidden from the control. 
+ type: boolean + hide_exists: + description: When `true`, the exists filter option is hidden from the control. + type: boolean + hide_sort: + description: When `true`, the sort selector is hidden from the control. + type: boolean + placeholder: + description: Placeholder text displayed in the control input when no option is selected. + type: string + exclude: + default: false + description: When `true`, the control filters to documents that do NOT match the selected options. Defaults to `false`. + type: boolean + exists_selected: + default: false + description: When `true`, the control filters to documents where the field exists, regardless of the field's value. Defaults to `false`. + type: boolean + field_name: + description: The name of the field in the data view that this control filters on. + minLength: 1 + type: string + ignore_validations: + default: false + description: When `true`, the control skips selection validation and does not report which selections are responsible for returning zero results. Defaults to `false`. + type: boolean + run_past_timeout: + default: false + description: When `true`, the options list query continues running even if it exceeds the configured timeout threshold. Defaults to `false`. + type: boolean + search_technique: + default: wildcard + description: The matching technique used when searching available options. `prefix` matches values starting with the search term, `wildcard` matches values containing the search term, and `exact` requires a complete match. Only applies to string and IP fields. Defaults to `wildcard`. + enum: + - prefix + - wildcard + - exact + type: string + selected_options: + default: [] + description: The list of currently selected option values. + items: + anyOf: + - type: string + - type: number + description: A selected option value. Accepts a string or a number. + maxItems: 10000 + type: array + single_select: + default: false + description: When `true`, only one option can be selected at a time. 
Selecting a new option deselects any previously selected option. Defaults to `false`. + type: boolean + sort: + additionalProperties: false + default: + by: _count + direction: desc + description: 'Defines how the available options are sorted in the control popover. Defaults to `{ by: "_count", direction: "desc" }`.' + type: object + properties: + by: + description: The field used to sort the available options list. `_count` sorts by document count and `_key` sorts alphabetically by option value. + enum: + - _count + - _key + type: string + direction: + description: The sort direction. `asc` sorts ascending and `desc` sorts descending. + enum: + - asc + - desc + type: string + required: + - by + - direction + title: + description: A human-readable title for the control. + type: string + use_global_filters: + default: true + description: When `true`, the control's available options are narrowed by the page's active filters. Defaults to `true`. + type: boolean + required: + - data_view_id + - field_name + grid: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' + id: + description: The unique ID of the panel. + type: string + type: + enum: + - options_list_control + type: string + required: + - grid + - type + - config + title: Options list control + type: object + Kibana_HTTP_APIs_kbn-dashboard-panel-type-range_slider_control: + additionalProperties: false + properties: + config: + additionalProperties: false + type: object + properties: + data_view_id: + description: The ID of the data view that provides field options for this control. + minLength: 1 + type: string + field_name: + description: The name of the field in the data view that this control filters on. + minLength: 1 + type: string + ignore_validations: + default: false + description: When `true`, the control skips selection validation and does not report which selections are responsible for returning zero results. Defaults to `false`. 
+ type: boolean + step: + default: 1 + description: The step size between selectable range values. + minimum: 0 + type: number + title: + description: A human-readable title for the control. + type: string + use_global_filters: + default: true + description: When `true`, the control's available options are narrowed by the page's active filters. Defaults to `true`. + type: boolean + value: + description: The selected range as a two-element array of strings representing the lower and upper bound values, for example `["10", "50"]`. + items: + type: string + maxItems: 2 + minItems: 2 + type: array + required: + - data_view_id + - field_name + grid: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' + id: + description: The unique ID of the panel. + type: string + type: + enum: + - range_slider_control + type: string + required: + - grid + - type + - config + title: Range slider control + type: object + Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_alerts: + additionalProperties: false + properties: + config: + $ref: '#/components/schemas/Kibana_HTTP_APIs_slo-alerts-embeddable' + grid: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' + id: + description: The unique ID of the panel. + type: string + type: + enum: + - slo_alerts + type: string + required: + - grid + - type + - config + title: SLO alerts + type: object + Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_burn_rate: + additionalProperties: false + properties: + config: + $ref: '#/components/schemas/Kibana_HTTP_APIs_slo-burn-rate-embeddable' + grid: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' + id: + description: The unique ID of the panel. 
+ type: string + type: + enum: + - slo_burn_rate + type: string + required: + - grid + - type + - config + title: SLO burn rate + type: object + Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_error_budget: + additionalProperties: false + properties: + config: + $ref: '#/components/schemas/Kibana_HTTP_APIs_slo-error-budget-embeddable' + grid: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' + id: + description: The unique ID of the panel. + type: string + type: + enum: + - slo_error_budget + type: string + required: + - grid + - type + - config + title: SLO error budget + type: object + Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_overview: + additionalProperties: false + properties: + config: + description: SLO Overview embeddable schema + discriminator: + mapping: + groups: '#/components/schemas/Kibana_HTTP_APIs_slo-group-overview-embeddable' + single: '#/components/schemas/Kibana_HTTP_APIs_slo-single-overview-embeddable' + propertyName: overview_mode + oneOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_slo-single-overview-embeddable' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_slo-group-overview-embeddable' + grid: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' + id: + description: The unique ID of the panel. 
+ type: string + type: + enum: + - slo_overview + type: string + required: + - grid + - type + - config + title: SLO overview + type: object + Kibana_HTTP_APIs_kbn-dashboard-panel-type-synthetics_monitors: + additionalProperties: false + properties: + config: + additionalProperties: false + description: Synthetics monitors embeddable schema + type: object + properties: + description: + type: string + filters: + additionalProperties: false + type: object + properties: + locations: + description: Filter by monitor locations + items: + additionalProperties: false + type: object + properties: + label: + description: Display label for the filter option + type: string + value: + description: Value for the filter option + type: string + required: + - label + - value + maxItems: 100 + type: array + monitor_ids: + description: Filter by monitor IDs + items: + additionalProperties: false + type: object + properties: + label: + description: Display label for the filter option + type: string + value: + description: Value for the filter option + type: string + required: + - label + - value + maxItems: 5000 + type: array + monitor_types: + description: Filter by monitor types + items: + additionalProperties: false + type: object + properties: + label: + description: Display label for the filter option + type: string + value: + description: Value for the filter option + type: string + required: + - label + - value + maxItems: 10 + type: array + projects: + description: Filter by project + items: + additionalProperties: false + type: object + properties: + label: + description: Display label for the filter option + type: string + value: + description: Value for the filter option + type: string + required: + - label + - value + maxItems: 100 + type: array + tags: + description: Filter by tags + items: + additionalProperties: false + type: object + properties: + label: + description: Display label for the filter option + type: string + value: + description: Value for the filter 
option + type: string + required: + - label + - value + maxItems: 100 + type: array + hide_border: + type: boolean + hide_title: + type: boolean + title: + type: string + view: + description: View mode for the monitors embeddable (defaults to cardView) + enum: + - cardView + - compactView + type: string + grid: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' + id: + description: The unique ID of the panel. + type: string + type: + enum: + - synthetics_monitors + type: string + required: + - grid + - type + - config + title: Synthetics monitors + type: object + Kibana_HTTP_APIs_kbn-dashboard-panel-type-synthetics_stats_overview: + additionalProperties: false + properties: + config: + additionalProperties: false + description: Synthetics stats overview embeddable schema + type: object + properties: + description: + type: string + drilldowns: + items: + additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_open_panel_menu + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. 
Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + additionalProperties: false + type: object + properties: + locations: + description: Filter by monitor locations + items: + additionalProperties: false + type: object + properties: + label: + description: Display label for the filter option + type: string + value: + description: Value for the filter option + type: string + required: + - label + - value + maxItems: 100 + type: array + monitor_ids: + description: Filter by monitor IDs + items: + additionalProperties: false + type: object + properties: + label: + description: Display label for the filter option + type: string + value: + description: Value for the filter option + type: string + required: + - label + - value + maxItems: 5000 + type: array + monitor_types: + description: Filter by monitor types + items: + additionalProperties: false + type: object + properties: + label: + description: Display label for the filter option + type: string + value: + description: Value for the filter option + type: string + required: + - label + - value + maxItems: 10 + type: array + projects: + description: Filter by project + items: + additionalProperties: false + type: object + properties: + label: + description: Display label for the filter option + type: string + value: + description: Value for the filter option + type: string + required: + - label + - value + maxItems: 100 + type: array + tags: + description: Filter by tags + items: + additionalProperties: false + type: object + properties: + label: + description: Display label for the filter option + type: string + value: + description: Value for the filter option + type: string + required: + - label + - value + maxItems: 100 + type: array + hide_border: + type: boolean + hide_title: + type: boolean + title: + 
type: string + grid: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' + id: + description: The unique ID of the panel. + type: string + type: + enum: + - synthetics_stats_overview + type: string + required: + - grid + - type + - config + title: Synthetics stats overview + type: object + Kibana_HTTP_APIs_kbn-dashboard-panel-type-time_slider_control: + additionalProperties: false + properties: + config: + additionalProperties: false + type: object + properties: + end_percentage_of_time_range: + default: 1 + description: The end of the selected time window expressed as a fraction of the global time range, where `0` is the beginning and `1` is the end of the range. + maximum: 1 + minimum: 0 + type: number + is_anchored: + default: false + description: When `true`, the start of the time window is fixed at the beginning of the global time range. Only the end of the window can be adjusted. Defaults to `false`. + type: boolean + start_percentage_of_time_range: + default: 0 + description: The start of the selected time window expressed as a fraction of the global time range, where `0` is the beginning and `1` is the end of the range. + maximum: 1 + minimum: 0 + type: number + grid: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' + id: + description: The unique ID of the panel. 
+ type: string + type: + enum: + - time_slider_control + type: string + required: + - grid + - type + - config + title: Time slider control + type: object + Kibana_HTTP_APIs_kbn-dashboard-panel-type-vis: + additionalProperties: false + properties: + config: + anyOf: + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyMetricNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyChartNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyChartESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_regionMapNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_regionMapESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleESQL' + description: Panel configuration stored inline + title: By value + - additionalProperties: false + description: Panel configuration stored in a linked library item + properties: + description: + type: string + drilldowns: + items: + anyOf: + - additionalProperties: false 
+ default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. + type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. 
Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + hide_border: + type: boolean + hide_title: + type: boolean + ref_id: + type: string + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + required: + - ref_id + title: By reference + type: object + description: Lens embeddable schema + grid: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-grid' + id: + description: The unique ID of the panel. + type: string + type: + enum: + - vis + type: string + required: + - grid + - type + - config + title: Visualization + type: object + Kibana_HTTP_APIs_kbn-dashboard-section: + additionalProperties: false + description: A collapsible group of panels. + properties: + collapsed: + default: false + description: When `true`, the section is collapsed and its panels are not rendered until expanded. Useful for improving initial load time on large dashboards. Defaults to `false`. + type: boolean + grid: + additionalProperties: false + type: object + properties: + 'y': + description: The y coordinate of the section in grid units. + type: number + required: + - 'y' + id: + description: The unique ID of the section. + type: string + panels: + default: [] + description: The panels that belong to the section. 
+ items: + discriminator: + mapping: + aiops_change_point_chart: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-aiops_change_point_chart' + apm_service_map: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-apm_service_map' + discover_session: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-discover_session' + esql_control: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-esql_control' + image: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-image' + links: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-links' + markdown: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-markdown' + options_list_control: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-options_list_control' + range_slider_control: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-range_slider_control' + slo_alerts: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_alerts' + slo_burn_rate: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_burn_rate' + slo_error_budget: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_error_budget' + slo_overview: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_overview' + synthetics_monitors: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-synthetics_monitors' + synthetics_stats_overview: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-synthetics_stats_overview' + time_slider_control: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-time_slider_control' + vis: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-vis' + propertyName: type + oneOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-apm_service_map' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-aiops_change_point_chart' + - $ref: 
'#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-discover_session' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-esql_control' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-image' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-links' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-markdown' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-options_list_control' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-range_slider_control' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_alerts' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_burn_rate' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_error_budget' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-slo_overview' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-synthetics_monitors' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-synthetics_stats_overview' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-time_slider_control' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-dashboard-panel-type-vis' + maxItems: 100 + type: array + title: + description: The title of the section. + type: string + required: + - title + - grid + title: Section + type: object + Kibana_HTTP_APIs_kbn-data-service-server-refreshIntervalSchema: + additionalProperties: false + description: Specifies the auto-refresh interval for the object. + properties: + pause: + description: When `true`, auto-refresh is paused. + type: boolean + value: + description: The refresh interval in milliseconds. 
+ type: number + required: + - pause + - value + title: Refresh interval + type: object + Kibana_HTTP_APIs_kbn-data-view-field-setting: + additionalProperties: false + description: Display overrides for a field. These settings can define a custom label, description, and format. + properties: + custom_description: + description: Add a description to the field. It's displayed next to the field on the Discover, Lens, and Data View Management pages. + minLength: 1 + title: Custom description + type: string + custom_label: + description: Create a label to display in place of the field name in Discover, Maps, Lens, Visualize, and TSVB. Useful for shortening a long field name. Queries and filters use the original field name. + minLength: 1 + title: Custom label + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-field-format' + title: Field settings + type: object + Kibana_HTTP_APIs_kbn-data-view-reference-schema: + additionalProperties: false + properties: + ref_id: + description: 'The id of the Kibana data view to use as the data source. Example: "my-data-view".' + type: string + type: + enum: + - data_view_reference + type: string + required: + - type + - ref_id + title: Data view reference + type: object + Kibana_HTTP_APIs_kbn-data-view-spec-schema: + additionalProperties: false + properties: + field_settings: + additionalProperties: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-field-settings-entry' + type: object + index_pattern: + description: 'The index pattern (Elasticsearch index expression) to use as the data source. Example: "my-index-*".' + title: Index pattern + type: string + time_field: + description: 'The name of the time field in the index. Used for time-based filtering. Example: "@timestamp".' 
+ title: Time field + type: string + type: + enum: + - data_view_spec + type: string + required: + - type + - index_pattern + title: Data view inline spec + type: object + Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema: + additionalProperties: false + description: Specifies the time range for a query. + properties: + from: + description: The start of the time range. Accepts Elasticsearch [date math](https://www.elastic.co/docs/reference/elasticsearch/rest-apis/common-options#date-math) expressions (for example, `now-7d`) or ISO 8601 timestamps. + type: string + mode: + description: The time range mode. Use `absolute` for fixed start and end timestamps. Use `relative` for [date math](https://www.elastic.co/docs/reference/elasticsearch/rest-apis/common-options#date-math) expressions that are re-evaluated at query time (for example, `now-7d`). + enum: + - absolute + - relative + type: string + to: + description: The end of the time range. Accepts Elasticsearch [date math](https://www.elastic.co/docs/reference/elasticsearch/rest-apis/common-options#date-math) expressions (for example, `now`) or ISO 8601 timestamps. + type: string + required: + - from + - to + title: Time range + type: object + Kibana_HTTP_APIs_kbn-field-format: + additionalProperties: false + description: Set your preferred format for displaying the value. Changing the format can affect the value and prevent highlighting in Discover. + properties: + params: + nullable: true + type: + type: string + required: + - type + - params + title: Format + type: object + Kibana_HTTP_APIs_kbn-field-settings-entry: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-composite-runtime-field-schema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-runtime-field-schema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-field-setting' + description: Display overrides for an indexed field, or a runtime field definition when `type` is set to a runtime field kind. 
+ title: Field settings or runtime field + Kibana_HTTP_APIs_kbn-link-panel-type-dashboardLink: + additionalProperties: false + properties: + destination: + description: Linked dashboard saved object id + type: string + label: + description: The label of the link to be displayed in the UI + type: string + options: + additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + type: object + properties: + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. + type: boolean + type: + enum: + - dashboardLink + type: string + required: + - type + - destination + title: kbn-link-panel-type-dashboardLink + type: object + Kibana_HTTP_APIs_kbn-link-type-externalLink: + additionalProperties: false + properties: + destination: + description: The external URL to link to + type: string + label: + description: The label of the link to be displayed in the UI + type: string + options: + additionalProperties: false + default: + encode_url: true + open_in_new_tab: true + type: object + properties: + encode_url: + default: true + description: Whether to escape the URL with percent encoding + type: boolean + open_in_new_tab: + default: true + description: Whether to open this link in a new tab when clicked + type: boolean + type: + enum: + - externalLink + type: string + required: + - type + - destination + title: kbn-link-type-externalLink + type: object + Kibana_HTTP_APIs_kbn-runtime-field-schema: + additionalProperties: false + properties: + custom_description: + description: Add a description to the field. It's displayed next to the field on the Discover, Lens, and Data View Management pages. 
+ minLength: 1 + title: Custom description + type: string + custom_label: + description: Create a label to display in place of the field name in Discover, Maps, Lens, Visualize, and TSVB. Useful for shortening a long field name. Queries and filters use the original field name. + minLength: 1 + title: Custom label + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-field-format' + script: + description: The script that defines the runtime field. This should be a painless script that computes the field value at query time. Runtime fields without a script retrieve values from _source. If the field doesn't exist in _source, a search request returns no value. + minLength: 1 + title: Script + type: string + type: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-runtime-field-type' + required: + - type + title: Runtime field + type: object + Kibana_HTTP_APIs_kbn-runtime-field-type: + description: The type of the runtime field (e.g., "keyword", "long", "date"). + enum: + - keyword + - long + - double + - date + - ip + - boolean + - geo_point + title: Type + type: string + Kibana_HTTP_APIs_kibana_asset_reference: + additionalProperties: false + properties: + deferred: + type: boolean + id: + type: string + originId: + type: string + type: + anyOf: + - enum: + - dashboard + - lens + - visualization + - search + - index-pattern + - map + - ml-module + - security-rule + - csp-rule-template + - osquery-pack-asset + - osquery-saved-query + - tag + type: string + - type: string + required: + - id + - type + title: kibana_asset_reference + type: object + Kibana_HTTP_APIs_lastValueOperation: + additionalProperties: false + properties: + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + multi_value: + default: false + description: 
Whether to return all values for multi-value fields. Only affects data table and metric charts; other charts use the last value from the array. + type: boolean + operation: + enum: + - last_value + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_field: + description: Time field used to determine document recency + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + - time_field + title: Last Value Operation + type: object + Kibana_HTTP_APIs_legacyColorByValue: + additionalProperties: false + deprecated: true + description: Legacy color by value configuration + properties: + palette: + description: The legacy palette name. + type: string + range: + description: Determines whether the range is interpreted as absolute or as a percentage of the data. + enum: + - absolute + - percentage + type: string + shift: + description: When `true`, shifts the palette colors so they start from a different offset. Defaults to `false`. + type: boolean + steps: + description: Array of ordered color steps defining the range each color is applied. + items: + additionalProperties: false + type: object + properties: + color: + description: The color to use for this step. + type: string + gte: + description: The lower bound of range from which this color applies (inclusive). + nullable: true + type: number + lt: + description: The upper bound of range to which this color applies (exclusive). + nullable: true + type: number + lte: + description: The upper bound of range to which this color applies (inclusive). 
+ nullable: true + type: number + required: + - color + maxItems: 100 + minItems: 1 + type: array + type: + enum: + - legacy_dynamic + type: string + required: + - type + - range + - steps + - palette + - shift + title: Legacy color by value + type: object + Kibana_HTTP_APIs_legacyColorByValueAbsolute: + additionalProperties: false + deprecated: true + description: Legacy color by absolute value configuration + properties: + palette: + description: The legacy palette name. + type: string + range: + enum: + - absolute + type: string + shift: + description: When `true`, shifts the palette colors so they start from a different offset. Defaults to `false`. + type: boolean + steps: + description: Array of ordered color steps defining the range each color is applied. + items: + additionalProperties: false + type: object + properties: + color: + description: The color to use for this step. + type: string + gte: + description: The lower bound of range from which this color applies (inclusive). + nullable: true + type: number + lt: + description: The upper bound of range to which this color applies (exclusive). + nullable: true + type: number + lte: + description: The upper bound of range to which this color applies (inclusive). + nullable: true + type: number + required: + - color + maxItems: 100 + minItems: 1 + type: array + type: + enum: + - legacy_dynamic + type: string + required: + - type + - range + - steps + - palette + - shift + title: Legacy color by value (absolute) + type: object + Kibana_HTTP_APIs_legacyMetricCountMetric: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' 
+ enum: + - value + - background + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValueAbsolute' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyColorByValueAbsolute' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration based on the metric value. + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. + type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + labels: + additionalProperties: false + description: Labels configuration + type: object + properties: + alignment: + default: top + description: Label alignment + enum: + - top + - bottom + type: string + operation: + enum: + - count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + size: + description: Font size for the label and value + enum: + - xs + - s + - m + - l + - xl + - xxl + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + values: + additionalProperties: false + description: Values configuration + type: object + properties: + alignment: + default: left + description: Value alignment + enum: + - left + - center + - right + type: string + required: + - operation + title: Count Metric Operation + type: object + Kibana_HTTP_APIs_legacyMetricFormula: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' 
+ enum: + - value + - background + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValueAbsolute' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyColorByValueAbsolute' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration based on the metric value. + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + formula: + description: Formula + type: string + label: + description: Label for the operation + type: string + labels: + additionalProperties: false + description: Labels configuration + type: object + properties: + alignment: + default: top + description: Label alignment + enum: + - top + - bottom + type: string + operation: + enum: + - formula + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + size: + description: Font size for the label and value + enum: + - xs + - s + - m + - l + - xl + - xxl + type: string + time_scale: + description: Time scale + enum: + - s + - m + - h + - d + type: string + values: + additionalProperties: false + description: Values configuration + type: object + properties: + alignment: + default: left + description: Value alignment + enum: + - left + - center + - right + type: string + required: + - operation + - formula + title: Formula Operation + type: object + Kibana_HTTP_APIs_legacyMetricLastValue: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' 
+ enum: + - value + - background + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValueAbsolute' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyColorByValueAbsolute' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration based on the metric value. + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + labels: + additionalProperties: false + description: Labels configuration + type: object + properties: + alignment: + default: top + description: Label alignment + enum: + - top + - bottom + type: string + multi_value: + default: false + description: Whether to return all values for multi-value fields. Only affects data table and metric charts; other charts use the last value from the array. 
+ type: boolean + operation: + enum: + - last_value + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + size: + description: Font size for the label and value + enum: + - xs + - s + - m + - l + - xl + - xxl + type: string + time_field: + description: Time field used to determine document recency + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + values: + additionalProperties: false + description: Values configuration + type: object + properties: + alignment: + default: left + description: Value alignment + enum: + - left + - center + - right + type: string + required: + - field + - operation + - time_field + title: Last Value Operation + type: object + Kibana_HTTP_APIs_legacyMetricNoESQL: + additionalProperties: false + description: Legacy Metric configuration using a data view. Superseded by the Metric chart type. + properties: + data_source: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' + description: + type: string + drilldowns: + items: + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. 
+ type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + hide_border: + type: boolean + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. 
+ type: boolean + metric: + anyOf: + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyMetricCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyMetricUniqueCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyMetricStatsMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyMetricSumMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyMetricLastValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyMetricPercentile' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyMetricPercentileRanks' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyMetricFormula' + query: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). + maximum: 1 + minimum: 0 + type: number + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + type: + enum: + - legacy_metric + type: string + required: + - type + - data_source + - metric + title: Legacy Metric Chart (DSL) + type: object + Kibana_HTTP_APIs_legacyMetricPercentile: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' + enum: + - value + - background + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValueAbsolute' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyColorByValueAbsolute' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration based on the metric value. 
+ field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + labels: + additionalProperties: false + description: Labels configuration + type: object + properties: + alignment: + default: top + description: Label alignment + enum: + - top + - bottom + type: string + operation: + enum: + - percentile + type: string + percentile: + default: 95 + description: Percentile + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + size: + description: Font size for the label and value + enum: + - xs + - s + - m + - l + - xl + - xxl + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + values: + additionalProperties: false + description: Values configuration + type: object + properties: + alignment: + default: left + description: Value alignment + enum: + - left + - center + - right + type: string + required: + - field + - operation + title: Percentile Operation + type: object + Kibana_HTTP_APIs_legacyMetricPercentileRanks: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' + enum: + - value + - background + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValueAbsolute' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyColorByValueAbsolute' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration based on the metric value. 
+ field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + labels: + additionalProperties: false + description: Labels configuration + type: object + properties: + alignment: + default: top + description: Label alignment + enum: + - top + - bottom + type: string + operation: + enum: + - percentile_rank + type: string + rank: + default: 0 + description: Percentile Rank + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + size: + description: Font size for the label and value + enum: + - xs + - s + - m + - l + - xl + - xxl + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + values: + additionalProperties: false + description: Values configuration + type: object + properties: + alignment: + default: left + description: Value alignment + enum: + - left + - center + - right + type: string + required: + - field + - operation + title: Percentile Ranks Operation + type: object + Kibana_HTTP_APIs_legacyMetricStatsMetric: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' + enum: + - value + - background + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValueAbsolute' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyColorByValueAbsolute' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration based on the metric value. 
+ field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + labels: + additionalProperties: false + description: Labels configuration + type: object + properties: + alignment: + default: top + description: Label alignment + enum: + - top + - bottom + type: string + operation: + enum: + - min + - max + - average + - median + - standard_deviation + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + size: + description: Font size for the label and value + enum: + - xs + - s + - m + - l + - xl + - xxl + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + values: + additionalProperties: false + description: Values configuration + type: object + properties: + alignment: + default: left + description: Value alignment + enum: + - left + - center + - right + type: string + required: + - field + - operation + title: Stats Metric Operation + type: object + Kibana_HTTP_APIs_legacyMetricSumMetric: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' + enum: + - value + - background + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValueAbsolute' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyColorByValueAbsolute' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration based on the metric value. + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + labels: + additionalProperties: false + description: Labels configuration + type: object + properties: + alignment: + default: top + description: Label alignment + enum: + - top + - bottom + type: string + operation: + enum: + - sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + size: + description: Font size for the label and value + enum: + - xs + - s + - m + - l + - xl + - xxl + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + values: + additionalProperties: false + description: Values configuration + type: object + properties: + alignment: + default: left + description: Value alignment + enum: + - left + - center + - right + type: string + required: + - field + - operation + title: Sum Metric Operation + type: object + Kibana_HTTP_APIs_legacyMetricUniqueCountMetric: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' + enum: + - value + - background + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValueAbsolute' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyColorByValueAbsolute' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration based on the metric value. + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + labels: + additionalProperties: false + description: Labels configuration + type: object + properties: + alignment: + default: top + description: Label alignment + enum: + - top + - bottom + type: string + operation: + enum: + - unique_count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + size: + description: Font size for the label and value + enum: + - xs + - s + - m + - l + - xl + - xxl + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + values: + additionalProperties: false + description: Values configuration + type: object + properties: + alignment: + default: left + description: Value alignment + enum: + - left + - center + - right + type: string + required: + - field + - operation + title: Unique Count Metric Operation + type: object + Kibana_HTTP_APIs_legendSize: + description: Legend size. 
+ enum: + - auto + - s + - m + - l + - xl + title: Legend Size + type: string + Kibana_HTTP_APIs_lensApiConfigNoESQL: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_legacyMetricNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyChartNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_gaugeNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_heatmapNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_regionMapNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_datatableNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleNoESQL' + title: Visualizations (DSL) + Kibana_HTTP_APIs_lensPanelFilters: + description: Filters applied to the panel + items: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeConditionFilterSchema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeGroupFilterSchema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeDSLFilterSchema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeSpatialFilterSchema' + description: A filter applied to query results. Can be a field condition (`condition`), a logical group of conditions (`group`), a raw Elasticsearch DSL query (`dsl`), or a geo spatial query (`spatial`). 
+ maxItems: 100 + title: lensPanelFilters + type: array + Kibana_HTTP_APIs_lensResponseItem: + additionalProperties: false + properties: + data: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensApiConfigNoESQL' + id: + type: string + meta: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-meta' + required: + - id + - data + - meta + title: Visualization Response + type: object + Kibana_HTTP_APIs_logs-alert-document-count-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want the rule to run on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. 
+ type: string + notify_when: + description: 'Indicates how frequently rule actions are triggered. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + anyOf: + - additionalProperties: false + type: object + properties: + count: + additionalProperties: false + type: object + properties: + comparator: + enum: + - more than + - more than or equals + - less than + - less than or equals + - equals + - does not equal + - matches + - does not match + - matches phrase + - does not match phrase + type: string + value: + type: number + required: + - comparator + - value + criteria: + items: + additionalProperties: false + type: object + properties: + comparator: + enum: + - more than + - more than or equals + - less than + - less than or equals + - equals + - does not equal + - matches + - does not match + - matches phrase + - does not match phrase + type: string + field: + type: string + value: + anyOf: + - type: string + - type: number + required: + - field + - comparator + - value + type: array + groupBy: + items: + type: string + type: array + logView: + additionalProperties: false + type: object + properties: + logViewId: + type: string + type: + enum: + - log-view-reference + type: string + required: + - logViewId + - type + timeSize: + type: number + timeUnit: + enum: + - s + - m + - h + 
- d + type: string + required: + - criteria + - count + - timeUnit + - timeSize + - logView + - additionalProperties: false + type: object + properties: + count: + additionalProperties: false + type: object + properties: + comparator: + enum: + - more than + - more than or equals + - less than + - less than or equals + - equals + - does not equal + - matches + - does not match + - matches phrase + - does not match phrase + type: string + value: + type: number + required: + - comparator + - value + criteria: + items: + items: + additionalProperties: false + type: object + properties: + comparator: + enum: + - more than + - more than or equals + - less than + - less than or equals + - equals + - does not equal + - matches + - does not match + - matches phrase + - does not match phrase + type: string + field: + type: string + value: + anyOf: + - type: string + - type: number + required: + - field + - comparator + - value + type: array + type: array + groupBy: + items: + type: string + type: array + logView: + additionalProperties: false + type: object + properties: + logViewId: + type: string + type: + enum: + - log-view-reference + type: string + required: + - logViewId + - type + timeSize: + type: number + timeUnit: + enum: + - s + - m + - h + - d + type: string + required: + - criteria + - count + - timeUnit + - timeSize + - logView + description: The parameters for the log threshold rule. These parameters are appropriate when `rule_type_id` is `logs.alert.document.count`. + title: Log Threshold Rule Params + rule_type_id: + enum: + - logs.alert.document.count + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. 
+ items: + type: string + type: array + throttle: + description: Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how frequently rule actions are triggered. You cannot specify the throttle interval at both the rule and action level. If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Log threshold + type: object + Kibana_HTTP_APIs_maintenance_window_response: + additionalProperties: false + properties: + created_at: + description: The date and time when the maintenance window was created. + type: string + created_by: + description: The identifier for the user that created the maintenance window. + nullable: true + type: string + enabled: + description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications. + type: boolean + id: + description: The identifier for the maintenance window. + type: string + schedule: + additionalProperties: false + type: object + properties: + custom: + $ref: '#/components/schemas/Kibana_HTTP_APIs_maintenance_window_schedule_response' + required: + - custom + scope: + $ref: '#/components/schemas/Kibana_HTTP_APIs_maintenance_window_scope' + status: + description: The current status of the maintenance window. + enum: + - running + - upcoming + - finished + - archived + - disabled + type: string + title: + description: The name of the maintenance window. + type: string + updated_at: + description: The date and time when the maintenance window was last updated. + type: string + updated_by: + description: The identifier for the user that last updated this maintenance window. 
+ nullable: true + type: string + required: + - id + - title + - enabled + - created_by + - updated_by + - created_at + - updated_at + - status + - schedule + title: maintenance_window_response + type: object + Kibana_HTTP_APIs_maintenance_window_schedule_recurring_request: + additionalProperties: false + properties: + end: + description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' + type: string + every: + description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' + type: string + occurrences: + description: The total number of recurrences of the schedule. + minimum: 1 + type: number + onMonth: + description: The specific months for a recurring schedule. Valid values are 1-12. + items: + maximum: 12 + minimum: 1 + type: number + minItems: 1 + type: array + onMonthDay: + description: The specific days of the month for a recurring schedule. Valid values are 1-31. + items: + maximum: 31 + minimum: 1 + type: number + minItems: 1 + type: array + onWeekDay: + description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. + items: + type: string + minItems: 1 + type: array + title: maintenance_window_schedule_recurring_request + type: object + Kibana_HTTP_APIs_maintenance_window_schedule_recurring_response: + additionalProperties: false + properties: + end: + description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' + type: string + every: + description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' 
+ type: string + occurrences: + description: The total number of recurrences of the schedule. + type: number + onMonth: + description: The specific months for a recurring schedule. Valid values are 1-12. + items: + type: number + type: array + onMonthDay: + description: The specific days of the month for a recurring schedule. Valid values are 1-31. + items: + type: number + type: array + onWeekDay: + description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. + items: + type: string + type: array + title: maintenance_window_schedule_recurring_response + type: object + Kibana_HTTP_APIs_maintenance_window_schedule_request: + additionalProperties: false + properties: + duration: + description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' + type: string + recurring: + $ref: '#/components/schemas/Kibana_HTTP_APIs_maintenance_window_schedule_recurring_request' + start: + description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' + type: string + timezone: + description: The timezone of the schedule. The default timezone is UTC. + type: string + required: + - start + - duration + title: maintenance_window_schedule_request + type: object + Kibana_HTTP_APIs_maintenance_window_schedule_response: + additionalProperties: false + properties: + duration: + description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' + type: string + recurring: + $ref: '#/components/schemas/Kibana_HTTP_APIs_maintenance_window_schedule_recurring_response' + start: + description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. 
For example: `2025-03-12T12:00:00.000Z`.' + type: string + timezone: + description: The timezone of the schedule. The default timezone is UTC. + type: string + required: + - start + - duration + title: maintenance_window_schedule_response + type: object + Kibana_HTTP_APIs_maintenance_window_scope: + additionalProperties: false + properties: + alerting: + additionalProperties: false + type: object + properties: + query: + additionalProperties: false + type: object + properties: + kql: + description: A filter written in Kibana Query Language (KQL). + type: string + required: + - kql + required: + - query + required: + - alerting + title: maintenance_window_scope + type: object + Kibana_HTTP_APIs_metricBarBackgroundChart: + additionalProperties: false + description: Bar chart shown as background context behind the primary metric value. + properties: + max_value: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticOperationDefinition' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_differencesOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_movingAverageOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_cumulativeSumOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_counterRateOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_countMetricOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_uniqueCountMetricOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_lastValueOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_percentileOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_percentileRanksOperation' + description: Metric dimension configuration, supporting field-based aggregations (count, sum, average, median, standard deviation, unique count, last value), percentile operations, time-series operations (differences, moving average, cumulative sum, 
counter rate), and mathematical formulas. + title: Metric Operation + orientation: + $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_simple_orientation' + type: + enum: + - bar + type: string + required: + - type + - max_value + title: Bar Background Chart + type: object + Kibana_HTTP_APIs_metricBreakdownDateHistogram: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + columns: + default: 3 + description: Number of columns. + type: number + drop_partial_intervals: + description: When `true`, drops partial intervals from the results. + type: boolean + field: + description: Field to be used for the date histogram. + type: string + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. + type: boolean + label: + description: Label for the operation + type: string + operation: + enum: + - date_histogram + type: string + suggested_interval: + default: auto + description: Suggested time interval. + type: string + use_original_time_range: + default: false + description: When `true`, uses the original time range instead of the current query time range. + type: boolean + required: + - operation + - field + title: Date Histogram Operation + type: object + Kibana_HTTP_APIs_metricBreakdownFilters: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + columns: + default: 3 + description: Number of columns. 
+ type: number + filters: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterWithLabel' + maxItems: 100 + type: array + label: + description: Label for the operation + type: string + operation: + enum: + - filters + type: string + required: + - operation + - filters + title: Filters Operation + type: object + Kibana_HTTP_APIs_metricBreakdownHistogram: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + columns: + default: 3 + description: Number of columns. + type: number + field: + description: Field to be used for the histogram. + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + granularity: + anyOf: + - description: Granularity of the histogram. + maximum: 7 + minimum: 1 + type: number + - enum: + - auto + type: string + default: auto + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. + type: boolean + label: + description: Label for the operation + type: string + operation: + enum: + - histogram + type: string + required: + - operation + - field + title: Histogram Operation + type: object + Kibana_HTTP_APIs_metricBreakdownRanges: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + columns: + default: 3 + description: Number of columns. + type: number + field: + description: Field to be used for the range. + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - range + type: string + ranges: + items: + additionalProperties: false + type: object + properties: + gt: + description: Greater than. + type: number + label: + description: Label. + type: string + lte: + description: Less than or equal to. 
+ type: number + maxItems: 100 + type: array + required: + - operation + - field + - ranges + title: Ranges Operation + type: object + Kibana_HTTP_APIs_metricBreakdownTerms: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + columns: + default: 3 + description: Number of columns. + type: number + excludes: + additionalProperties: false + type: object + properties: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to exclude. + type: string + maxItems: 100 + type: array + required: + - values + fields: + items: + description: Fields to be used for the terms. + type: string + maxItems: 4 + minItems: 1 + type: array + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + includes: + additionalProperties: false + type: object + properties: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to include. + type: string + maxItems: 100 + type: array + required: + - values + increase_accuracy: + description: When `true`, increases accuracy at the cost of performance. + type: boolean + label: + description: Label for the operation + type: string + limit: + default: 5 + description: Number of terms to return. + type: number + operation: + enum: + - terms + type: string + other_bucket: + additionalProperties: false + type: object + properties: + include_documents_without_field: + description: When `true`, includes documents that do not have the specified field. 
+ type: boolean + required: + - include_documents_without_field + rank_by: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByAlphabetical' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByRare' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankBySignificant' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomCountOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileRankOperation' + required: + - operation + - fields + title: Terms Operation + type: object + Kibana_HTTP_APIs_metricCompareToBaseline: + additionalProperties: false + properties: + baseline: + default: 0 + description: Baseline value. + type: number + icon: + description: When `true`, displays the icon for the secondary value. + type: boolean + palette: + description: 'Color palette name. Accepted values: ''default'', ''elastic_line_optimized'', ''severity'', ''eui_amsterdam'', ''kibana_v7_legacy'', ''elastic_brand_2023''. Defaults to `default`.' + type: string + to: + enum: + - baseline + type: string + value: + description: When `true`, displays the secondary value. + type: boolean + required: + - to + title: Compare To Baseline + type: object + Kibana_HTTP_APIs_metricCompareToPrimary: + additionalProperties: false + properties: + icon: + description: When `true`, displays the icon for the secondary value. + type: boolean + palette: + description: 'Color palette name. Accepted values: ''default'', ''elastic_line_optimized'', ''severity'', ''eui_amsterdam'', ''kibana_v7_legacy'', ''elastic_brand_2023''. Defaults to `default`.' + type: string + to: + enum: + - primary + type: string + value: + description: When `true`, displays the secondary value. 
+ type: boolean + required: + - to + title: Compare To Primary + type: object + Kibana_HTTP_APIs_metricComplementaryBar: + additionalProperties: false + properties: + max_value: + additionalProperties: false + type: object + properties: + column: + description: Column to use + type: string + label: + description: Label for the operation + type: string + required: + - column + orientation: + $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_simple_orientation' + type: + enum: + - bar + type: string + required: + - type + - max_value + title: Complementary Bar + type: object + Kibana_HTTP_APIs_metricComplementaryViz: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricBarBackgroundChart' + - additionalProperties: false + type: object + properties: + type: + enum: + - trend + type: string + required: + - type + description: Secondary visualization displayed behind the primary metric value, either a bar chart (with optional max value) or a trend line. + title: Complementary Visualization + Kibana_HTTP_APIs_metricESQL: + additionalProperties: false + description: Metric chart configuration for ES|QL queries + properties: + breakdown_by: + additionalProperties: false + type: object + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + column: + description: Column to use + type: string + columns: + default: 3 + description: Number of columns. 
+ type: number + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + required: + - column + data_source: + $ref: '#/components/schemas/Kibana_HTTP_APIs_esqlDataSource' + description: + type: string + drilldowns: + items: + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. + type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. 
Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + hide_border: + type: boolean + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. + type: boolean + metrics: + description: Metric dimensions to display. The first must be a primary metric; an optional second must be a secondary metric. + items: + anyOf: + - additionalProperties: false + type: object + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' + enum: + - value + - background + type: string + background_chart: + $ref: '#/components/schemas/Kibana_HTTP_APIs_metricComplementaryBar' + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the primary metric value or background. + column: + description: Column to use + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + subtitle: + description: Subtitle below the primary metric value. 
+ type: string + type: + enum: + - primary + type: string + required: + - column + - type + - additionalProperties: false + type: object + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + column: + description: Column to use + type: string + compare: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToBaseline' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToPrimary' + description: Compare the secondary metric to a baseline value or to the primary metric. + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + type: + enum: + - secondary + type: string + required: + - column + - type + maxItems: 2 + minItems: 1 + type: array + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). + maximum: 1 + minimum: 0 + type: number + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_metricStyling' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + type: + enum: + - metric + type: string + required: + - type + - data_source + - metrics + title: Metric Chart (ES|QL) + type: object + Kibana_HTTP_APIs_metricIconConfig: + additionalProperties: false + description: Icon configuration for the metric chart + properties: + alignment: + description: 'Icon alignment. Accepted values: `left`, `right`. Defaults to `right`.' 
+ enum: + - left + - right + type: string + name: + description: Icon name + enum: + - alert + - asterisk + - bell + - bolt + - bug + - compute + - editor_comment + - flag + - globe + - heart + - map_marker + - pin + - sort_down + - sort_up + - star_empty + - tag + - temperature + type: string + required: + - name + title: Icon Configuration + type: object + Kibana_HTTP_APIs_metricNoESQL: + additionalProperties: false + description: Metric chart configuration for standard queries + properties: + breakdown_by: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricBreakdownDateHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricBreakdownTerms' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricBreakdownHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricBreakdownRanges' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricBreakdownFilters' + data_source: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' + description: + type: string + drilldowns: + items: + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. 
+ type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + hide_border: + type: boolean + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. + type: boolean + metrics: + description: Metric dimensions to display. The first must be a primary metric; an optional second must be a secondary metric. 
+ items: + anyOf: + - anyOf: + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricPrimaryCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricPrimaryUniqueCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricPrimaryStatsMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricPrimarySumMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricPrimaryLastValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricPrimaryPercentile' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricPrimaryPercentileRanks' + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricPrimaryDifferences' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricPrimaryMovingAverage' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricPrimaryCumulativeSum' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricPrimaryCounterRate' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricPrimaryFormula' + - anyOf: + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricSecondaryCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricSecondaryUniqueCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricSecondaryStatsMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricSecondarySumMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricSecondaryLastValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricSecondaryPercentile' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricSecondaryPercentileRanks' + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricSecondaryDifferences' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricSecondaryMovingAverage' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricSecondaryCumulativeSum' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricSecondaryCounterRate' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricSecondaryFormula' + maxItems: 2 + minItems: 1 + type: array + query: + $ref: 
'#/components/schemas/Kibana_HTTP_APIs_filterSimple' + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). + maximum: 1 + minimum: 0 + type: number + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_metricStyling' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + type: + enum: + - metric + type: string + required: + - type + - data_source + - metrics + title: Metric Chart (DSL) + type: object + Kibana_HTTP_APIs_metricPrimaryCounterRate: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' + enum: + - value + - background + type: string + background_chart: + $ref: '#/components/schemas/Kibana_HTTP_APIs_metricComplementaryViz' + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the primary metric value or background. + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - counter_rate + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the primary metric value. 
+ type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - primary + type: string + required: + - field + - operation + - type + title: Counter Rate Operation + type: object + Kibana_HTTP_APIs_metricPrimaryCountMetric: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' + enum: + - value + - background + type: string + background_chart: + $ref: '#/components/schemas/Kibana_HTTP_APIs_metricComplementaryViz' + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the primary metric value or background. + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. + type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the primary metric value. 
+ type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - primary + type: string + required: + - operation + - type + title: Count Metric Operation + type: object + Kibana_HTTP_APIs_metricPrimaryCumulativeSum: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' + enum: + - value + - background + type: string + background_chart: + $ref: '#/components/schemas/Kibana_HTTP_APIs_metricComplementaryViz' + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the primary metric value or background. + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - cumulative_sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the primary metric value. 
+ type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - primary + type: string + required: + - field + - operation + - type + title: Cumulative Sum Operation + type: object + Kibana_HTTP_APIs_metricPrimaryDifferences: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' + enum: + - value + - background + type: string + background_chart: + $ref: '#/components/schemas/Kibana_HTTP_APIs_metricComplementaryViz' + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the primary metric value or background. + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - differences + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the primary metric value. 
+ type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - primary + type: string + required: + - operation + - of + - type + title: Differences Operation + type: object + Kibana_HTTP_APIs_metricPrimaryFormula: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' + enum: + - value + - background + type: string + background_chart: + $ref: '#/components/schemas/Kibana_HTTP_APIs_metricComplementaryViz' + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the primary metric value or background. + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + formula: + description: Formula + type: string + label: + description: Label for the operation + type: string + operation: + enum: + - formula + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the primary metric value. + type: string + time_scale: + description: Time scale + enum: + - s + - m + - h + - d + type: string + type: + enum: + - primary + type: string + required: + - operation + - formula + - type + title: Formula Operation + type: object + Kibana_HTTP_APIs_metricPrimaryLastValue: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' 
+ enum: + - value + - background + type: string + background_chart: + $ref: '#/components/schemas/Kibana_HTTP_APIs_metricComplementaryViz' + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the primary metric value or background. + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + multi_value: + default: false + description: Whether to return all values for multi-value fields. Only affects data table and metric charts; other charts use the last value from the array. + type: boolean + operation: + enum: + - last_value + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the primary metric value. + type: string + time_field: + description: Time field used to determine document recency + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - primary + type: string + required: + - field + - operation + - time_field + - type + title: Last Value Operation + type: object + Kibana_HTTP_APIs_metricPrimaryMovingAverage: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' 
+ enum: + - value + - background + type: string + background_chart: + $ref: '#/components/schemas/Kibana_HTTP_APIs_metricComplementaryViz' + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the primary metric value or background. + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - moving_average + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the primary metric value. + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - primary + type: string + window: + default: 5 + description: Window + type: number + required: + - operation + - of + - type + title: Moving Average Operation + type: object + Kibana_HTTP_APIs_metricPrimaryPercentile: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' + enum: + - value + - background + type: string + background_chart: + $ref: '#/components/schemas/Kibana_HTTP_APIs_metricComplementaryViz' + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the primary metric value or background. 
+ field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - percentile + type: string + percentile: + default: 95 + description: Percentile + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the primary metric value. + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - primary + type: string + required: + - field + - operation + - type + title: Percentile Operation + type: object + Kibana_HTTP_APIs_metricPrimaryPercentileRanks: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' + enum: + - value + - background + type: string + background_chart: + $ref: '#/components/schemas/Kibana_HTTP_APIs_metricComplementaryViz' + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the primary metric value or background. 
+ field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - percentile_rank + type: string + rank: + default: 0 + description: Percentile Rank + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the primary metric value. + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - primary + type: string + required: + - field + - operation + - type + title: Percentile Ranks Operation + type: object + Kibana_HTTP_APIs_metricPrimaryStatsMetric: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' + enum: + - value + - background + type: string + background_chart: + $ref: '#/components/schemas/Kibana_HTTP_APIs_metricComplementaryViz' + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the primary metric value or background. 
+ field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - min + - max + - average + - median + - standard_deviation + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the primary metric value. + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - primary + type: string + required: + - field + - operation + - type + title: Stats Metric Operation + type: object + Kibana_HTTP_APIs_metricPrimarySumMetric: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' + enum: + - value + - background + type: string + background_chart: + $ref: '#/components/schemas/Kibana_HTTP_APIs_metricComplementaryViz' + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the primary metric value or background. + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the primary metric value. + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - primary + type: string + required: + - field + - operation + - type + title: Sum Metric Operation + type: object + Kibana_HTTP_APIs_metricPrimaryUniqueCountMetric: + additionalProperties: false + properties: + apply_color_to: + description: 'Color target: `value` colors the metric text, `background` colors the cell or panel background.' + enum: + - value + - background + type: string + background_chart: + $ref: '#/components/schemas/Kibana_HTTP_APIs_metricComplementaryViz' + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorByValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + description: Color configuration for the primary metric value or background. + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - unique_count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + subtitle: + description: Subtitle below the primary metric value. + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - primary + type: string + required: + - field + - operation + - type + title: Unique Count Metric Operation + type: object + Kibana_HTTP_APIs_metrics-alert-inventory-threshold-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. 
For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want the rule to run on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how frequently rule actions are triggered. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the metric inventory threshold rule. These parameters are appropriate when `rule_type_id` is `metrics.alert.inventory.threshold`. 
+ properties: + alertOnNoData: + type: boolean + criteria: + items: + additionalProperties: false + type: object + properties: + comparator: + type: string + customMetric: + additionalProperties: false + type: object + properties: + aggregation: + type: string + field: + type: string + id: + type: string + label: + type: string + type: + enum: + - custom + type: string + required: + - type + - id + - field + - aggregation + metric: + type: string + threshold: + items: + type: number + type: array + timeSize: + type: number + timeUnit: + type: string + warningComparator: + type: string + warningThreshold: + items: + type: number + type: array + required: + - threshold + - comparator + - timeUnit + - timeSize + - metric + type: array + filterQuery: + type: string + nodeType: + type: string + schema: + type: string + sourceId: + type: string + required: + - criteria + - nodeType + - sourceId + title: Metric Inventory Threshold Rule Params + type: object + rule_type_id: + enum: + - metrics.alert.inventory.threshold + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how frequently rule actions are triggered. You cannot specify the throttle interval at both the rule and action level. If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. 
+ nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Metric inventory threshold + type: object + Kibana_HTTP_APIs_metrics-alert-threshold-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want the rule to run on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how frequently rule actions are triggered. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the metric threshold rule. These parameters are appropriate when `rule_type_id` is `metrics.alert.threshold`. + properties: + alertOnGroupDisappear: + description: If true, an alert occurs if a group that previously reported metrics does not report them again over the expected time period. This check is not recommended for dynamically scaling infrastructures that might rapidly start and stop nodes automatically. + type: boolean + alertOnNoData: + description: If true, an alert occurs if the metrics do not report any data over the expected period or if the query fails. + type: boolean + criteria: + items: + anyOf: + - additionalProperties: false + type: object + properties: + aggType: + enum: + - count + type: string + comparator: + type: string + threshold: + description: The threshold value that is used with the `comparator`. If the `comparator` is `between`, you must specify the boundary values. + items: + type: number + type: array + timeSize: + description: The size of the time window (in `timeUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection. 
+ type: number + timeUnit: + description: 'The type of units for the time window: seconds, minutes, hours, or days.' + type: string + warningComparator: + type: string + warningThreshold: + items: + description: The threshold value that is used with the `warningComparator`. If the `warningComparator` is `between`, you must specify the boundary values. + type: number + type: array + required: + - threshold + - comparator + - timeUnit + - timeSize + - aggType + - additionalProperties: false + type: object + properties: + aggType: + type: string + comparator: + type: string + metric: + type: string + threshold: + description: The threshold value that is used with the `comparator`. If the `comparator` is `between`, you must specify the boundary values. + items: + type: number + type: array + timeSize: + description: The size of the time window (in `timeUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection. + type: number + timeUnit: + description: 'The type of units for the time window: seconds, minutes, hours, or days.' + type: string + warningComparator: + type: string + warningThreshold: + items: + description: The threshold value that is used with the `warningComparator`. If the `warningComparator` is `between`, you must specify the boundary values. 
+ type: number + type: array + required: + - threshold + - comparator + - timeUnit + - timeSize + - metric + - aggType + - additionalProperties: false + type: object + properties: + aggType: + enum: + - custom + type: string + comparator: + type: string + customMetrics: + items: + anyOf: + - additionalProperties: false + type: object + properties: + aggType: + type: string + field: + type: string + name: + type: string + required: + - name + - aggType + - field + - additionalProperties: false + type: object + properties: + aggType: + enum: + - count + type: string + filter: + type: string + name: + type: string + required: + - name + - aggType + type: array + equation: + type: string + label: + type: string + threshold: + description: The threshold value that is used with the `comparator`. If the `comparator` is `between`, you must specify the boundary values. + items: + type: number + type: array + timeSize: + description: The size of the time window (in `timeUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection. + type: number + timeUnit: + description: 'The type of units for the time window: seconds, minutes, hours, or days.' + type: string + warningComparator: + type: string + warningThreshold: + items: + description: The threshold value that is used with the `warningComparator`. If the `warningComparator` is `between`, you must specify the boundary values. + type: number + type: array + required: + - threshold + - comparator + - timeUnit + - timeSize + - aggType + - customMetrics + type: array + filterQuery: + description: A query that limits the scope of the rule. The rule evaluates only metric data that matches the query. + type: string + groupBy: + anyOf: + - type: string + - items: + type: string + type: array + description: 'Create an alert for every unique value of the specified fields. 
For example, you can create a rule per host or every mount point of each host. IMPORTANT: If you include the same field in both the `filterQuery` and `groupBy`, you might receive fewer results than you expect. For example, if you filter by `cloud.region: us-east`, grouping by `cloud.region` will have no effect because the filter query can match only one region.' + sourceId: + type: string + required: + - criteria + - sourceId + title: Metric Threshold Rule Params + type: object + rule_type_id: + enum: + - metrics.alert.threshold + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how frequently rule actions are triggered. You cannot specify the throttle interval at both the rule and action level. If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Metric threshold + type: object + Kibana_HTTP_APIs_metricSecondaryCounterRate: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + compare: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToBaseline' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToPrimary' + description: Compare the secondary metric to a baseline value or to the primary metric. 
+ field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - counter_rate + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - secondary + type: string + required: + - field + - operation + - type + title: Counter Rate Operation + type: object + Kibana_HTTP_APIs_metricSecondaryCountMetric: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + compare: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToBaseline' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToPrimary' + description: Compare the secondary metric to a baseline value or to the primary metric. + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - secondary + type: string + required: + - operation + - type + title: Count Metric Operation + type: object + Kibana_HTTP_APIs_metricSecondaryCumulativeSum: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + compare: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToBaseline' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToPrimary' + description: Compare the secondary metric to a baseline value or to the primary metric. 
+ field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - cumulative_sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - secondary + type: string + required: + - field + - operation + - type + title: Cumulative Sum Operation + type: object + Kibana_HTTP_APIs_metricSecondaryDifferences: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + compare: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToBaseline' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToPrimary' + description: Compare the secondary metric to a baseline value or to the primary metric. 
+ filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - differences + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - secondary + type: string + required: + - operation + - of + - type + title: Differences Operation + type: object + Kibana_HTTP_APIs_metricSecondaryFormula: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + compare: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToBaseline' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToPrimary' + description: Compare the secondary metric to a baseline value or to the primary metric. 
+ filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + formula: + description: Formula + type: string + label: + description: Label for the operation + type: string + operation: + enum: + - formula + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + description: Time scale + enum: + - s + - m + - h + - d + type: string + type: + enum: + - secondary + type: string + required: + - operation + - formula + - type + title: Formula Operation + type: object + Kibana_HTTP_APIs_metricSecondaryLastValue: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + compare: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToBaseline' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToPrimary' + description: Compare the secondary metric to a baseline value or to the primary metric. + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + multi_value: + default: false + description: Whether to return all values for multi-value fields. Only affects data table and metric charts; other charts use the last value from the array. 
+ type: boolean + operation: + enum: + - last_value + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_field: + description: Time field used to determine document recency + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - secondary + type: string + required: + - field + - operation + - time_field + - type + title: Last Value Operation + type: object + Kibana_HTTP_APIs_metricSecondaryMovingAverage: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + compare: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToBaseline' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToPrimary' + description: Compare the secondary metric to a baseline value or to the primary metric. 
+ filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - moving_average + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - secondary + type: string + window: + default: 5 + description: Window + type: number + required: + - operation + - of + - type + title: Moving Average Operation + type: object + Kibana_HTTP_APIs_metricSecondaryPercentile: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + compare: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToBaseline' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToPrimary' + description: Compare the secondary metric to a baseline value or to the primary metric. 
+ field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - percentile + type: string + percentile: + default: 95 + description: Percentile + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - secondary + type: string + required: + - field + - operation + - type + title: Percentile Operation + type: object + Kibana_HTTP_APIs_metricSecondaryPercentileRanks: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + compare: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToBaseline' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToPrimary' + description: Compare the secondary metric to a baseline value or to the primary metric. 
+ field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - percentile_rank + type: string + rank: + default: 0 + description: Percentile Rank + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - secondary + type: string + required: + - field + - operation + - type + title: Percentile Ranks Operation + type: object + Kibana_HTTP_APIs_metricSecondaryStatsMetric: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + compare: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToBaseline' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToPrimary' + description: Compare the secondary metric to a baseline value or to the primary metric. 
+ field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - min + - max + - average + - median + - standard_deviation + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - secondary + type: string + required: + - field + - operation + - type + title: Stats Metric Operation + type: object + Kibana_HTTP_APIs_metricSecondarySumMetric: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + compare: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToBaseline' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToPrimary' + description: Compare the secondary metric to a baseline value or to the primary metric. + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - secondary + type: string + required: + - field + - operation + - type + title: Sum Metric Operation + type: object + Kibana_HTTP_APIs_metricSecondaryUniqueCountMetric: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_noColor' + compare: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToBaseline' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_metricCompareToPrimary' + description: Compare the secondary metric to a baseline value or to the primary metric. + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - unique_count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + type: + enum: + - secondary + type: string + required: + - field + - operation + - type + title: Unique Count Metric Operation + type: object + Kibana_HTTP_APIs_metricStyling: + additionalProperties: false + description: Visual chart styling options + properties: + icon: + $ref: '#/components/schemas/Kibana_HTTP_APIs_metricIconConfig' + primary: + additionalProperties: false + type: object + properties: + labels: + additionalProperties: false + description: Labels (title and subtitle) configuration + type: object + properties: + alignment: + description: 'Horizontal alignment for the title and subtitle text. Accepted values: `left`, `center`, `right`. Defaults to `left`.' + enum: + - left + - center + - right + type: string + position: + description: Position of the primary metric value (top, middle, or bottom). + enum: + - top + - middle + - bottom + type: string + value: + additionalProperties: false + description: Primary metric value configuration + type: object + properties: + alignment: + description: 'Alignment for the primary metric value. Accepted values: `left`, `center`, `right`. Defaults to `right`.' + enum: + - left + - center + - right + type: string + sizing: + description: Controls how the primary value text is sized within the panel. 
'auto' selects a font size from predefined breakpoints based on panel height, then shrinks if the text overflows horizontally. 'fill' scales the text to be as large as possible, filling all available space. + enum: + - auto + - fill + type: string + secondary: + additionalProperties: false + type: object + properties: + label: + additionalProperties: false + type: object + properties: + placement: + description: Label placement relative to the secondary metric value (before or after). + enum: + - before + - after + type: string + visible: + description: When `true`, displays the label. + type: boolean + value: + additionalProperties: false + description: Secondary metric value configuration + type: object + properties: + alignment: + description: 'Alignment for secondary values. Accepted values: `left`, `center`, `right`. Defaults to `right`.' + enum: + - left + - center + - right + type: string + title: metricStyling + type: object + Kibana_HTTP_APIs_minMaxAvgMedianStdDevMetricOperation: + additionalProperties: false + properties: + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - min + - max + - average + - median + - standard_deviation + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Stats Metric Operation + type: object + Kibana_HTTP_APIs_monitoring-alert-cluster-health-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: 
'#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want the rule to run on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how frequently rule actions are triggered. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. 
The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the cluster health rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_cluster_health`. + properties: + duration: + type: string + filterQuery: + type: string + filterQueryText: + type: string + limit: + type: string + threshold: + type: number + required: + - duration + title: Cluster Health Rule Params + type: object + rule_type_id: + enum: + - monitoring_alert_cluster_health + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how frequently rule actions are triggered. You cannot specify the throttle interval at both the rule and action level. If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. 
+ nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Cluster health + type: object + Kibana_HTTP_APIs_monitoring-alert-cpu-usage-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want the rule to run on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how frequently rule actions are triggered. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the CPU usage rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_cpu_usage`. + properties: + duration: + type: string + filterQuery: + type: string + filterQueryText: + type: string + limit: + type: string + threshold: + type: number + required: + - duration + title: CPU Usage Rule Params + type: object + rule_type_id: + enum: + - monitoring_alert_cpu_usage + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how frequently rule actions are triggered. You cannot specify the throttle interval at both the rule and action level. If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. 
+ nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: CPU usage + type: object + Kibana_HTTP_APIs_monitoring-alert-disk-usage-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want the rule to run on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how frequently rule actions are triggered. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the disk usage rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_disk_usage`. + properties: + duration: + type: string + filterQuery: + type: string + filterQueryText: + type: string + limit: + type: string + threshold: + type: number + required: + - duration + title: Disk Usage Rule Params + type: object + rule_type_id: + enum: + - monitoring_alert_disk_usage + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how frequently rule actions are triggered. You cannot specify the throttle interval at both the rule and action level. 
If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Disk usage + type: object + Kibana_HTTP_APIs_monitoring-alert-elasticsearch-version-mismatch-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want the rule to run on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how frequently rule actions are triggered. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the ES version mismatch rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_elasticsearch_version_mismatch`. + properties: + duration: + type: string + filterQuery: + type: string + filterQueryText: + type: string + limit: + type: string + threshold: + type: number + required: + - duration + title: ES Version Mismatch Rule Params + type: object + rule_type_id: + enum: + - monitoring_alert_elasticsearch_version_mismatch + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how frequently rule actions are triggered. You cannot specify the throttle interval at both the rule and action level. 
If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Elasticsearch version mismatch + type: object + Kibana_HTTP_APIs_monitoring-alert-jvm-memory-usage-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want the rule to run on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how frequently rule actions are triggered. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the memory usage rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_jvm_memory_usage`. + properties: + duration: + type: string + filterQuery: + type: string + filterQueryText: + type: string + limit: + type: string + threshold: + type: number + required: + - duration + title: Memory Usage Rule Params + type: object + rule_type_id: + enum: + - monitoring_alert_jvm_memory_usage + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how frequently rule actions are triggered. You cannot specify the throttle interval at both the rule and action level. 
If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: JVM memory usage + type: object + Kibana_HTTP_APIs_monitoring-alert-kibana-version-mismatch-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want the rule to run on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how frequently rule actions are triggered. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the Kibana version mismatch rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_kibana_version_mismatch`. + properties: + duration: + type: string + filterQuery: + type: string + filterQueryText: + type: string + limit: + type: string + threshold: + type: number + required: + - duration + title: Kibana Version Mismatch Rule Params + type: object + rule_type_id: + enum: + - monitoring_alert_kibana_version_mismatch + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how frequently rule actions are triggered. You cannot specify the throttle interval at both the rule and action level. 
If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Kibana version mismatch + type: object + Kibana_HTTP_APIs_monitoring-alert-license-expiration-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want the rule to run on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how frequently rule actions are triggered. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the license expiration rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_license_expiration`. + properties: + duration: + type: string + filterQuery: + type: string + filterQueryText: + type: string + limit: + type: string + threshold: + type: number + required: + - duration + title: License Expiration Rule Params + type: object + rule_type_id: + enum: + - monitoring_alert_license_expiration + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how frequently rule actions are triggered. You cannot specify the throttle interval at both the rule and action level. 
If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: License expiration + type: object + Kibana_HTTP_APIs_monitoring-alert-logstash-version-mismatch-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want the rule to run on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how frequently rule actions are triggered. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the logstash version mismatch rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_logstash_version_mismatch`. + properties: + duration: + type: string + filterQuery: + type: string + filterQueryText: + type: string + limit: + type: string + threshold: + type: number + required: + - duration + title: Logstash Version Mismatch Rule Params + type: object + rule_type_id: + enum: + - monitoring_alert_logstash_version_mismatch + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how frequently rule actions are triggered. You cannot specify the throttle interval at both the rule and action level. 
If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Logstash version mismatch + type: object + Kibana_HTTP_APIs_monitoring-alert-missing-monitoring-data-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want the rule to run on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how frequently rule actions are triggered. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the missing monitoring data rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_missing_monitoring_data`. + properties: + duration: + type: string + filterQuery: + type: string + filterQueryText: + type: string + limit: + type: string + threshold: + type: number + required: + - duration + title: Missing Monitoring Data Rule Params + type: object + rule_type_id: + enum: + - monitoring_alert_missing_monitoring_data + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how frequently rule actions are triggered. You cannot specify the throttle interval at both the rule and action level. 
If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Missing monitoring data + type: object + Kibana_HTTP_APIs_monitoring-alert-nodes-changed-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want the rule to run on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how frequently rule actions are triggered. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the nodes changed rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_nodes_changed`. + properties: + duration: + type: string + filterQuery: + type: string + filterQueryText: + type: string + limit: + type: string + threshold: + type: number + required: + - duration + title: Nodes Changed Rule Params + type: object + rule_type_id: + enum: + - monitoring_alert_nodes_changed + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how frequently rule actions are triggered. You cannot specify the throttle interval at both the rule and action level. 
If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Nodes changed + type: object + Kibana_HTTP_APIs_monitoring-alert-thread-pool-search-rejections-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want the rule to run on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how frequently rule actions are triggered. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the thread pool search rejections rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_thread_pool_search_rejections`. + properties: + duration: + type: string + filterQuery: + type: string + filterQueryText: + type: string + threshold: + type: number + required: + - duration + title: Thread Pool Search Rejections Rule Params + type: object + rule_type_id: + enum: + - monitoring_alert_thread_pool_search_rejections + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how frequently rule actions are triggered. You cannot specify the throttle interval at both the rule and action level. 
If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Thread pool search rejections + type: object + Kibana_HTTP_APIs_monitoring-alert-thread-pool-write-rejections-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want the rule to run on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how frequently rule actions are triggered. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the thread pool write rejections rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_thread_pool_write_rejections`. + properties: + duration: + type: string + filterQuery: + type: string + filterQueryText: + type: string + threshold: + type: number + required: + - duration + title: Thread Pool Write Rejections Rule Params + type: object + rule_type_id: + enum: + - monitoring_alert_thread_pool_write_rejections + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how frequently rule actions are triggered. You cannot specify the throttle interval at both the rule and action level. 
If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Thread pool write rejections + type: object + Kibana_HTTP_APIs_monitoring-ccr-read-exceptions-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want the rule to run on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how frequently rule actions are triggered. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the CCR read exceptions rule. These parameters are appropriate when `rule_type_id` is `monitoring_ccr_read_exceptions`. + properties: + duration: + type: string + filterQuery: + type: string + filterQueryText: + type: string + limit: + type: string + threshold: + type: number + required: + - duration + title: CCR Read Exceptions Rule Params + type: object + rule_type_id: + enum: + - monitoring_ccr_read_exceptions + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how frequently rule actions are triggered. You cannot specify the throttle interval at both the rule and action level. 
If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: CCR read exceptions + type: object + Kibana_HTTP_APIs_monitoring-shard-size-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want the rule to run on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how frequently rule actions are triggered. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: true + description: The parameters for the large shard size rule. These parameters are appropriate when `rule_type_id` is `monitoring_shard_size`. + properties: + duration: + type: string + filterQuery: + type: string + filterQueryText: + type: string + indexPattern: + type: string + limit: + type: string + threshold: + type: number + required: + - duration + - indexPattern + title: Large Shard Size Rule Params + type: object + rule_type_id: + enum: + - monitoring_shard_size + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how frequently rule actions are triggered. You cannot specify the throttle interval at both the rule and action level. 
If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Large shard size + type: object + Kibana_HTTP_APIs_mosaicESQL: + additionalProperties: false + description: Mosaic chart configuration schema for ES|QL queries, defining metrics and breakdown dimensions using column-based configuration + properties: + data_source: + $ref: '#/components/schemas/Kibana_HTTP_APIs_esqlDataSource' + description: + type: string + drilldowns: + items: + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. 
+ type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + group_breakdown_by: + description: Array of group breakdown dimensions (minimum 1) + items: + additionalProperties: false + type: object + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + column: + description: Column to use + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + required: + - column + maxItems: 100 + minItems: 1 + type: array + group_by: + description: Array of breakdown dimensions (minimum 1) + items: + additionalProperties: false + type: object + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: 
'#/components/schemas/Kibana_HTTP_APIs_colorMapping' + column: + description: Column to use + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + required: + - column + maxItems: 100 + minItems: 1 + type: array + hide_border: + type: boolean + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. + type: boolean + legend: + $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicLegend' + metric: + additionalProperties: false + description: Metric configuration for ES|QL mode, combining generic options, primary metric options, and column selection + type: object + properties: + column: + description: Column to use + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + required: + - column + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). + maximum: 1 + minimum: 0 + type: number + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicStyling' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + type: + enum: + - mosaic + type: string + required: + - type + - data_source + - metric + title: Mosaic Chart (ES|QL) + type: object + Kibana_HTTP_APIs_mosaicGroupBreakdownByDateHistogram: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + drop_partial_intervals: + description: When `true`, drops partial intervals from the results. + type: boolean + field: + description: Field to be used for the date histogram. 
+ type: string + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. + type: boolean + label: + description: Label for the operation + type: string + operation: + enum: + - date_histogram + type: string + suggested_interval: + default: auto + description: Suggested time interval. + type: string + use_original_time_range: + default: false + description: When `true`, uses the original time range instead of the current query time range. + type: boolean + required: + - operation + - field + title: Date Histogram Operation + type: object + Kibana_HTTP_APIs_mosaicGroupBreakdownByFilters: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + filters: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterWithLabel' + maxItems: 100 + type: array + label: + description: Label for the operation + type: string + operation: + enum: + - filters + type: string + required: + - operation + - filters + title: Filters Operation + type: object + Kibana_HTTP_APIs_mosaicGroupBreakdownByHistogram: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + field: + description: Field to be used for the histogram. + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + granularity: + anyOf: + - description: Granularity of the histogram. + maximum: 7 + minimum: 1 + type: number + - enum: + - auto + type: string + default: auto + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. 
+ type: boolean + label: + description: Label for the operation + type: string + operation: + enum: + - histogram + type: string + required: + - operation + - field + title: Histogram Operation + type: object + Kibana_HTTP_APIs_mosaicGroupBreakdownByRanges: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + field: + description: Field to be used for the range. + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - range + type: string + ranges: + items: + additionalProperties: false + type: object + properties: + gt: + description: Greater than. + type: number + label: + description: Label. + type: string + lte: + description: Less than or equal to. + type: number maxItems: 100 + type: array + required: + - operation + - field + - ranges + title: Ranges Operation + type: object + Kibana_HTTP_APIs_mosaicGroupBreakdownByTerms: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + excludes: + additionalProperties: false + type: object + properties: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to exclude. + type: string + maxItems: 100 + type: array + required: + - values + fields: + items: + description: Fields to be used for the terms. + type: string + maxItems: 4 minItems: 1 + type: array + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + includes: + additionalProperties: false + type: object + properties: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to include. 
+ type: string + maxItems: 100 + type: array + required: + - values + increase_accuracy: + description: When `true`, increases accuracy at the cost of performance. + type: boolean + label: + description: Label for the operation type: string - type: array - Cases_kbn_xsrf: - description: Cross-site request forgery protection - in: header - name: kbn-xsrf - required: true - schema: - type: string - Cases_owner_filter: - description: > - A filter to limit the response to a specific set of applications. If - this parameter is omitted, the response contains information about all - the cases that the user has access to read. - example: cases - in: query - name: owner - schema: - oneOf: - - $ref: '#/components/schemas/Cases_owner' - - $ref: '#/components/schemas/Cases_owners' - Cases_page_index: - description: The page number to return. - example: 1 - in: query - name: page - required: false - schema: - default: 1 - type: integer - Cases_page_size: - description: The number of items to return. Limited to 100 items. - example: 20 - in: query - name: perPage - required: false - schema: - default: 20 - maximum: 100 - type: integer - Cases_reporters: - description: Filters the returned cases by the user name of the reporter. - example: elastic - in: query - name: reporters - schema: - oneOf: - - $ref: '#/components/schemas/Cases_string' - - $ref: '#/components/schemas/Cases_string_array' - Cases_search: - description: >- - An Elasticsearch simple_query_string query that filters the objects in - the response. - example: Case title 1 - in: query - name: search - schema: - type: string - Cases_searchFields: - description: The fields to perform the simple_query_string parsed query against. - in: query - name: searchFields - schema: - oneOf: - - $ref: '#/components/schemas/Cases_searchFieldsType' - - $ref: '#/components/schemas/Cases_searchFieldsTypeArray' - Cases_severity: - description: The severity of the case. 
- example: low - in: query - name: severity - schema: - enum: - - critical - - high - - low - - medium - type: string - Cases_sort_order: - description: Determines the sort order. - example: desc - in: query - name: sortOrder - required: false - schema: - default: desc - enum: - - asc - - desc - type: string - Cases_sortField: - description: Determines which field is used to sort the results. - example: updatedAt - in: query - name: sortField - schema: - default: createdAt - enum: - - createdAt - - updatedAt - - closedAt - - title - - category - - status - - severity - type: string - Cases_status: - description: Filters the returned cases by state. - example: open - in: query - name: status - schema: - enum: - - closed - - in-progress - - open - type: string - Cases_tags: - description: Filters the returned cases by tags. - example: tag-1 - in: query - name: tags - schema: - oneOf: - - $ref: '#/components/schemas/Cases_string' - - $ref: '#/components/schemas/Cases_string_array' - Cases_to: - description: > - Returns only cases that were created before a specific date. The date - must be specified as a KQL data range or date match expression. - example: now+1d - in: query - name: to - schema: - type: string - Cases_user_action_types: - description: Determines the types of user actions to return. - in: query - name: types - schema: - items: + limit: + default: 5 + description: Number of terms to return. + type: number + operation: enum: - - action - - alert - - assignees - - attachment - - comment - - connector - - create_case - - description - - pushed - - settings - - severity - - status - - tags - - title - - user - example: create_case + - terms type: string - type: array - Data_views_field_name: - description: The name of the runtime field. 
- in: path - name: fieldName - required: true - schema: - example: hour_of_day - type: string - Data_views_kbn_xsrf: - description: Cross-site request forgery protection - in: header - name: kbn-xsrf - required: true - schema: - type: string - Data_views_view_id: - description: An identifier for the data view. - in: path - name: viewId - required: true - schema: - example: ff959d40-b880-11e8-a6d9-e546fe2bba5f - type: string - Machine_learning_APIs_simulateParam: - description: >- - When true, simulates the synchronization by returning only the list of - actions that would be performed. - example: 'true' - in: query - name: simulate - required: false - schema: - type: boolean - Short_URL_APIs_idParam: - description: The identifier for the short URL. - in: path - name: id - required: true - schema: - type: string - SLOs_kbn_xsrf: - description: Cross-site request forgery protection - in: header - name: kbn-xsrf - required: true - schema: - type: string - SLOs_slo_id: - description: An identifier for the slo. - in: path - name: sloId - required: true - schema: - example: 9c235211-6834-11ea-a78c-6feb38a34414 - type: string - SLOs_space_id: - description: >- - An identifier for the space. If `/s/` and the identifier are omitted - from the path, the default space is used. - in: path - name: spaceId - required: true - schema: - example: default - type: string - schemas: - Alerting_401_response: + other_bucket: + additionalProperties: false + type: object + properties: + include_documents_without_field: + description: When `true`, includes documents that do not have the specified field. 
+ type: boolean + required: + - include_documents_without_field + rank_by: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByAlphabetical' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByRare' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankBySignificant' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomCountOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileRankOperation' + required: + - operation + - fields + title: Terms Operation + type: object + Kibana_HTTP_APIs_mosaicGroupByDateHistogram: + additionalProperties: false properties: - error: - enum: - - Unauthorized - example: Unauthorized + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + drop_partial_intervals: + description: When `true`, drops partial intervals from the results. + type: boolean + field: + description: Field to be used for the date histogram. type: string - message: + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. + type: boolean + label: + description: Label for the operation type: string - statusCode: + operation: enum: - - 401 - example: 401 - type: integer - title: Unsuccessful rule API response + - date_histogram + type: string + suggested_interval: + default: auto + description: Suggested time interval. + type: string + use_original_time_range: + default: false + description: When `true`, uses the original time range instead of the current query time range. 
+ type: boolean + required: + - operation + - field + title: Date Histogram Operation type: object - Alerting_fieldmap_properties: - title: Field map objects in the get rule types response + Kibana_HTTP_APIs_mosaicGroupByFilters: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + filters: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterWithLabel' + maxItems: 100 + type: array + label: + description: Label for the operation + type: string + operation: + enum: + - filters + type: string + required: + - operation + - filters + title: Filters Operation type: object + Kibana_HTTP_APIs_mosaicGroupByHistogram: + additionalProperties: false properties: - array: - description: Indicates whether the field is an array. - type: boolean - dynamic: - description: Indicates whether it is a dynamic field mapping. + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + field: + description: Field to be used for the histogram. + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + granularity: + anyOf: + - description: Granularity of the histogram. + maximum: 7 + minimum: 1 + type: number + - enum: + - auto + type: string + default: auto + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. 
type: boolean + label: + description: Label for the operation + type: string + operation: + enum: + - histogram + type: string + required: + - operation + - field + title: Histogram Operation + type: object + Kibana_HTTP_APIs_mosaicGroupByRanges: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + field: + description: Field to be used for the range. + type: string format: - description: > - Indicates the format of the field. For example, if the `type` is - `date_range`, the `format` can be - `epoch_millis||strict_date_optional_time`. + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string - ignore_above: - description: >- - Specifies the maximum length of a string field. Longer strings are - not indexed or stored. - type: integer - index: - description: Indicates whether field values are indexed. - type: boolean - path: - description: TBD + operation: + enum: + - range type: string - properties: - additionalProperties: + ranges: + items: + additionalProperties: false type: object properties: - type: - description: The data type for each object property. + gt: + description: Greater than. + type: number + label: + description: Label. type: string - description: > - Details about the object properties. This property is applicable - when `type` is `object`. + lte: + description: Less than or equal to. 
+ type: number + maxItems: 100 + type: array + required: + - operation + - field + - ranges + title: Ranges Operation + type: object + Kibana_HTTP_APIs_mosaicGroupByTerms: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + excludes: + additionalProperties: false type: object - required: - description: Indicates whether the field is required. + properties: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to exclude. + type: string + maxItems: 100 + type: array + required: + - values + fields: + items: + description: Fields to be used for the terms. + type: string + maxItems: 4 + minItems: 1 + type: array + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + includes: + additionalProperties: false + type: object + properties: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to include. + type: string + maxItems: 100 + type: array + required: + - values + increase_accuracy: + description: When `true`, increases accuracy at the cost of performance. type: boolean - scaling_factor: - description: > - The scaling factor to use when encoding values. This property is - applicable when `type` is `scaled_float`. Values will be multiplied - by this factor at index time and rounded to the closest long value. - type: integer - type: - description: Specifies the data type for the field. - example: scaled_float + label: + description: Label for the operation type: string - APM_UI_400_response: + limit: + default: 5 + description: Number of terms to return. 
+ type: number + operation: + enum: + - terms + type: string + other_bucket: + additionalProperties: false + type: object + properties: + include_documents_without_field: + description: When `true`, includes documents that do not have the specified field. + type: boolean + required: + - include_documents_without_field + rank_by: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByAlphabetical' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByRare' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankBySignificant' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomCountOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileRankOperation' + required: + - operation + - fields + title: Terms Operation type: object + Kibana_HTTP_APIs_mosaicLegend: + additionalProperties: false + description: Legend configuration for mosaic chart appearance and behavior properties: - error: - description: Error type - example: Not Found + nested: + description: Show nested legend with hierarchical breakdown levels + type: boolean + size: + $ref: '#/components/schemas/Kibana_HTTP_APIs_legendSize' + truncate_after_lines: + description: Number of lines before legend items are truncated. + maximum: 10 + minimum: 1 + title: legendTruncateAfterLines + type: number + visibility: + description: Legend visibility. 
+ enum: + - auto + - visible + - hidden type: string - message: - description: Error message - example: Not Found + title: Legend + type: object + Kibana_HTTP_APIs_mosaicMetricCounterRate: + additionalProperties: false + properties: + field: + description: Field to be used for the metric type: string - statusCode: - description: Error status code - example: 400 - type: number - APM_UI_401_response: + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - counter_rate + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Counter Rate Operation type: object + Kibana_HTTP_APIs_mosaicMetricCountMetric: + additionalProperties: false properties: - error: - description: Error type - example: Unauthorized + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric type: string - message: - description: Error message + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string - statusCode: - description: Error status code - example: 401 + operation: + enum: + - count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - operation + title: Count Metric Operation + type: object + Kibana_HTTP_APIs_mosaicMetricCumulativeSum: + additionalProperties: false + properties: + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - cumulative_sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Cumulative Sum Operation + type: object + Kibana_HTTP_APIs_mosaicMetricDifferences: + additionalProperties: false + properties: + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - 
differences + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - operation + - of + title: Differences Operation + type: object + Kibana_HTTP_APIs_mosaicMetricFormula: + additionalProperties: false + properties: + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + formula: + description: Formula + type: string + label: + description: Label for the operation + type: string + operation: + enum: + - formula + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + description: Time scale + enum: + - s + - m + - h + - d + type: string + required: + - operation + - formula + title: Formula Operation + type: object + Kibana_HTTP_APIs_mosaicMetricLastValue: + additionalProperties: false + properties: + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + multi_value: + default: false + description: Whether to return all values for multi-value fields. Only affects data table and metric charts; other charts use the last value from the array. 
+ type: boolean + operation: + enum: + - last_value + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_field: + description: Time field used to determine document recency + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + - time_field + title: Last Value Operation + type: object + Kibana_HTTP_APIs_mosaicMetricMovingAverage: + additionalProperties: false + properties: + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - moving_average + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + window: + default: 5 + description: Window type: number - APM_UI_403_response: + required: + - operation + - of + title: Moving Average Operation type: object + Kibana_HTTP_APIs_mosaicMetricPercentile: + additionalProperties: false properties: - error: - description: Error type - example: Forbidden + field: + description: Field to be used for the metric type: string - message: - description: Error message + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string - statusCode: - description: Error status code - example: 403 + operation: + enum: + - percentile + type: string + 
percentile: + default: 95 + description: Percentile type: number - APM_UI_404_response: + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Percentile Operation type: object + Kibana_HTTP_APIs_mosaicMetricPercentileRanks: + additionalProperties: false properties: - error: - description: Error type - example: Not Found + field: + description: Field to be used for the metric type: string - message: - description: Error message - example: Not Found + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string - statusCode: - description: Error status code - example: 404 + operation: + enum: + - percentile_rank + type: string + rank: + default: 0 + description: Percentile Rank type: number - APM_UI_500_response: + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Percentile Ranks Operation type: object + Kibana_HTTP_APIs_mosaicMetricStatsMetric: + additionalProperties: false properties: - error: - description: Error type - example: Internal Server Error + field: + description: Field to be used for the metric type: string - message: - description: Error message + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string - 
statusCode: - description: Error status code - example: 500 - type: number - APM_UI_501_response: + operation: + enum: + - min + - max + - average + - median + - standard_deviation + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Stats Metric Operation type: object + Kibana_HTTP_APIs_mosaicMetricSumMetric: + additionalProperties: false properties: - error: - description: Error type - example: Not Implemented + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. + type: boolean + field: + description: Field to be used for the metric type: string - message: - description: Error message - example: Not Implemented + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string - statusCode: - description: Error status code - example: 501 - type: number - APM_UI_agent_configuration_intake_object: + operation: + enum: + - sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Sum Metric Operation type: object + Kibana_HTTP_APIs_mosaicMetricUniqueCountMetric: + additionalProperties: false properties: - agent_name: - description: >- - The agent name is used by the UI to determine which settings to - display. 
+ empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. + type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - unique_count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting type: string - service: - $ref: '#/components/schemas/APM_UI_service_object' - settings: - $ref: '#/components/schemas/APM_UI_settings_object' required: - - service - - settings - APM_UI_agent_configuration_object: - description: Agent configuration + - field + - operation + title: Unique Count Metric Operation type: object + Kibana_HTTP_APIs_mosaicNoESQL: + additionalProperties: false + description: Mosaic chart configuration schema for data source queries (non-ES|QL mode), defining metrics and breakdown dimensions properties: - '@timestamp': - description: Timestamp - example: 1730194190636 - type: number - agent_name: - description: Agent name + data_source: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' + description: type: string - applied_by_agent: - description: Applied by agent - example: true + drilldowns: + items: + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. 
+ type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. + type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. 
Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + group_breakdown_by: + description: Array of group breakdown dimensions (minimum 1) + items: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicGroupBreakdownByDateHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicGroupBreakdownByTerms' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicGroupBreakdownByHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicGroupBreakdownByRanges' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicGroupBreakdownByFilters' + maxItems: 100 + minItems: 1 + type: array + group_by: + description: Array of breakdown dimensions (minimum 1) + items: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicGroupByDateHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicGroupByTerms' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicGroupByHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicGroupByRanges' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicGroupByFilters' + maxItems: 100 + minItems: 1 + type: array + hide_border: type: boolean - etag: - description: > - `etag` is sent by the APM agent to indicate the `etag` of the last - successfully applied configuration. If the `etag` matches an - existing configuration its `applied_by_agent` property will be set - to `true`. Every time a configuration is edited `applied_by_agent` - is reset to `false`. - example: 0bc3b5ebf18fba8163fe4c96f491e3767a358f85 + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. 
+ type: boolean + legend: + $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicLegend' + metric: + anyOf: + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicMetricCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicMetricUniqueCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicMetricStatsMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicMetricSumMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicMetricLastValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicMetricPercentile' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicMetricPercentileRanks' + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicMetricDifferences' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicMetricMovingAverage' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicMetricCumulativeSum' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicMetricCounterRate' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicMetricFormula' + query: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). 
+ maximum: 1 + minimum: 0 + type: number + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_mosaicStyling' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + type: + enum: + - mosaic type: string - service: - $ref: '#/components/schemas/APM_UI_service_object' - settings: - $ref: '#/components/schemas/APM_UI_settings_object' required: - - service - - settings - - '@timestamp' - - etag - APM_UI_agent_configurations_response: + - type + - data_source + - metric + title: Mosaic Chart (DSL) type: object + Kibana_HTTP_APIs_mosaicStyling: + additionalProperties: false + description: Visual chart styling options properties: - configurations: - description: Agent configuration - items: - $ref: '#/components/schemas/APM_UI_agent_configuration_object' - type: array - APM_UI_agent_keys_object: + values: + $ref: '#/components/schemas/Kibana_HTTP_APIs_valueDisplay' + title: Mosaic styling type: object + Kibana_HTTP_APIs_movingAverageOperation: + additionalProperties: false properties: - name: - description: The name of the APM agent key. + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string - privileges: - description: > - The APM agent key privileges. It can take one or more of the - following values: - - * `event:write`, which is required for ingesting APM agent events. * - `config_agent:read`, which is required for APM agents to read agent - configuration remotely. 
+ of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - moving_average + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + window: + default: 5 + description: Window + type: number + required: + - operation + - of + title: Moving Average Operation + type: object + Kibana_HTTP_APIs_multi_field_key: + additionalProperties: false + properties: + keys: items: - enum: - - event:write - - config_agent:read type: string + maxItems: 100 type: array + type: + enum: + - multi_field_key + type: string required: - - name - - privileges - APM_UI_agent_keys_response: + - type + - keys + title: Multi Field Key type: object + Kibana_HTTP_APIs_new_agent_policy: + additionalProperties: false properties: - agentKey: - description: Agent key + advanced_settings: + additionalProperties: false type: object properties: - api_key: - type: string - encoded: - type: string - expiration: - format: int64 - type: integer - id: - type: string - name: - type: string - required: - - id - - name - - api_key - - encoded - APM_UI_annotation_search_response: - type: object - properties: - annotations: - description: Annotations + agent_download_target_directory: + nullable: true + agent_download_timeout: + nullable: true + agent_features_disable_policy_change_acks_enabled: + nullable: true + agent_internal: + nullable: true + agent_limits_go_max_procs: + nullable: true + agent_logging_files_interval: + nullable: true + agent_logging_files_keepfiles: + nullable: true + agent_logging_files_rotateeverybytes: + nullable: true + agent_logging_level: + nullable: true + agent_logging_metrics_period: + nullable: true + agent_logging_to_files: + nullable: true + agent_monitoring_runtime_experimental: + 
nullable: true + agent_features: items: + additionalProperties: false type: object properties: - '@timestamp': - type: number - id: - type: string - text: - type: string - type: - enum: - - version + enabled: + type: boolean + name: type: string + required: + - name + - enabled + maxItems: 100 type: array - APM_UI_base_source_map_object: - type: object - properties: - compressionAlgorithm: - description: Compression Algorithm - type: string - created: - description: Created date - type: string - decodedSha256: - description: Decoded SHA-256 - type: string - decodedSize: - description: Decoded size - type: number - encodedSha256: - description: Encoded SHA-256 - type: string - encodedSize: - description: Encoded size - type: number - encryptionAlgorithm: - description: Encryption Algorithm - type: string - id: - description: Identifier - type: string - identifier: - description: Identifier - type: string - packageName: - description: Package name - type: string - relative_url: - description: Relative URL + agentless: + additionalProperties: false + type: object + properties: + cloud_connectors: + additionalProperties: false + type: object + properties: + enabled: + type: boolean + target_csp: + enum: + - aws + - azure + - gcp + type: string + required: + - enabled + cluster_id: + type: string + resources: + additionalProperties: false + type: object + properties: + requests: + additionalProperties: false + type: object + properties: + cpu: + type: string + memory: + type: string + bumpRevision: + type: boolean + data_output_id: + nullable: true type: string - type: - description: Type + description: type: string - APM_UI_create_annotation_object: - type: object - properties: - '@timestamp': - description: The date and time of the annotation. It must be in ISO 8601 format. + download_source_id: + nullable: true type: string - message: - description: >- - The message displayed in the annotation. It defaults to - `service.version`. 
+ fleet_server_host_id: + nullable: true type: string - service: - description: The service that identifies the configuration to create or update. - type: object - properties: - environment: - description: The environment of the service. - type: string - version: - description: The version of the service. - type: string - required: - - version - tags: - description: > - Tags are used by the Applications UI to distinguish APM annotations - from other annotations. Tags may have additional functionality in - future releases. It defaults to `[apm]`. While you can add - additional tags, you cannot remove the `apm` tag. + force: + type: boolean + global_data_tags: + description: User defined data tags that are added to all of the inputs. The values can be strings or numbers. items: - type: string + additionalProperties: false + type: object + properties: + name: + type: string + value: + anyOf: + - type: string + - type: number + required: + - name + - value + maxItems: 100 type: array - required: - - '@timestamp' - - service - APM_UI_create_annotation_response: - type: object - properties: - _id: - description: Identifier + has_agent_version_conditions: + type: boolean + has_fleet_server: + type: boolean + id: type: string - _index: - description: Index + inactivity_timeout: + default: 1209600 + minimum: 0 + type: number + is_default: + type: boolean + is_default_fleet_server: + type: boolean + is_managed: + type: boolean + is_protected: + type: boolean + is_verifier: + type: boolean + keep_monitoring_alive: + default: false + description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled + nullable: true + type: boolean + min_agent_version: + nullable: true type: string - _source: - description: Response + monitoring_diagnostics: + additionalProperties: false type: object properties: - '@timestamp': - type: string - annotation: + limit: + additionalProperties: false type: object properties: - title: - type: string - type: + 
burst: + type: number + interval: type: string - event: + uploader: + additionalProperties: false type: object properties: - created: + init_dur: type: string - message: + max_dur: + type: string + max_retries: + type: number + monitoring_enabled: + items: + enum: + - logs + - metrics + - traces + type: string + maxItems: 3 + type: array + monitoring_http: + additionalProperties: false + type: object + properties: + buffer: + additionalProperties: false + type: object + properties: + enabled: + default: false + type: boolean + enabled: + type: boolean + host: type: string - service: - type: object - properties: - environment: - type: string - name: - type: string - version: - type: string - tags: - items: - type: string - type: array - APM_UI_delete_agent_configurations_response: - type: object - properties: - result: - description: Result + port: + maximum: 65353 + minimum: 0 + type: number + monitoring_output_id: + nullable: true type: string - APM_UI_delete_service_object: - description: Service - type: object - properties: - service: - $ref: '#/components/schemas/APM_UI_service_object' - required: - - service - APM_UI_search_agent_configuration_object: - type: object - properties: - error: - description: > - If provided, the agent configuration will be marked as error and - `applied_by_agent` will be set to `false`. - - This is useful for cases where the agent configuration was not - applied successfully. + monitoring_pprof_enabled: + type: boolean + name: + minLength: 1 type: string - etag: - description: If etags match then `applied_by_agent` field will be set to `true` - example: 0bc3b5ebf18fba8163fe4c96f491e3767a358f85 + namespace: + minLength: 1 type: string - mark_as_applied_by_agent: - description: > - `markAsAppliedByAgent=true` means "force setting it to true - regardless of etag". 
- - This is needed for Jaeger agent that doesn't have etags + overrides: + additionalProperties: + nullable: true + description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure. + nullable: true + type: object + package_agent_version_conditions: + items: + additionalProperties: false + type: object + properties: + name: + type: string + title: + type: string + version_condition: + type: string + required: + - name + - title + - version_condition + maxItems: 1000 + nullable: true + type: array + required_versions: + items: + additionalProperties: false + type: object + properties: + percentage: + description: Target percentage of agents to auto upgrade + maximum: 100 + minimum: 0 + type: number + version: + description: Target version for automatic agent upgrade + type: string + required: + - version + - percentage + maxItems: 100 + nullable: true + type: array + space_ids: + items: + type: string + maxItems: 100 + type: array + supports_agentless: + default: false + deprecated: true + description: Indicates whether the agent policy supports agentless integrations. Deprecated in favor of the Fleet agentless policies API. 
+ nullable: true type: boolean - service: - $ref: '#/components/schemas/APM_UI_service_object' + unenroll_timeout: + minimum: 0 + type: number required: - - service - APM_UI_search_agent_configuration_response: + - name + - namespace + title: new_agent_policy type: object + Kibana_HTTP_APIs_new_enrollment_api_key: + additionalProperties: false properties: - _id: - description: Identifier + expiration: type: string - _index: - description: Index + name: type: string - _score: - description: Score - type: number - _source: - $ref: '#/components/schemas/APM_UI_agent_configuration_object' - APM_UI_service_agent_name_response: - type: object - properties: - agentName: - description: Agent name - example: nodejs + policy_id: type: string - APM_UI_service_environment_object: + required: + - policy_id + title: new_enrollment_api_key type: object + Kibana_HTTP_APIs_new_maintenance_window: + additionalProperties: false properties: - alreadyConfigured: - description: Already configured + enabled: + description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications. type: boolean - name: - description: Service environment name - example: ALL_OPTION_VALUE + schedule: + additionalProperties: false + type: object + properties: + custom: + $ref: '#/components/schemas/Kibana_HTTP_APIs_maintenance_window_schedule_request' + required: + - custom + scope: + $ref: '#/components/schemas/Kibana_HTTP_APIs_maintenance_window_scope' + title: + description: The name of the maintenance window. While this name does not have to be unique, a distinctive name can help you identify a specific maintenance window. 
type: string - APM_UI_service_environments_response: + required: + - title + - schedule + title: new_maintenance_window type: object + Kibana_HTTP_APIs_new_output_elasticsearch: + additionalProperties: false properties: - environments: - description: Service environment list + allow_edit: items: - $ref: '#/components/schemas/APM_UI_service_environment_object' + type: string + maxItems: 1000 type: array - APM_UI_service_object: - description: Service - type: object - properties: - environment: - description: The environment of the service. - example: prod + ca_sha256: + nullable: true type: string - name: - description: The name of the service. - example: node + ca_trusted_fingerprint: + nullable: true type: string - APM_UI_settings_object: - additionalProperties: - type: string - description: Agent configuration settings - type: object - APM_UI_single_agent_configuration_response: - allOf: - - type: object - properties: - id: - type: string - required: - - id - - $ref: '#/components/schemas/APM_UI_agent_configuration_object' - APM_UI_source_maps_response: - type: object - properties: - artifacts: - description: Artifacts + config_yaml: + nullable: true + type: string + hosts: items: - allOf: - - type: object - properties: - body: - type: object - properties: - bundleFilepath: - type: string - serviceName: - type: string - serviceVersion: - type: string - sourceMap: - type: object - properties: - file: - type: string - mappings: - type: string - sourceRoot: - type: string - sources: - items: - type: string - type: array - sourcesContent: - items: - type: string - type: array - version: - type: number - - $ref: '#/components/schemas/APM_UI_base_source_map_object' + format: uri + type: string + maxItems: 10 + minItems: 1 type: array - APM_UI_upload_source_map_object: - type: object - properties: - bundle_filepath: - description: >- - The absolute path of the final bundle as used in the web - application. 
+ id: type: string - service_name: - description: The name of the service that the service map should apply to. + is_default: + default: false + type: boolean + is_default_monitoring: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + type: boolean + name: type: string - service_version: - description: The version of the service that the service map should apply to. + otel_disable_beatsauth: + nullable: true + type: boolean + otel_exporter_config_yaml: + nullable: true type: string - sourcemap: - description: > - The source map. It can be a string or file upload. It must follow - the - - [source map format specification](https://tc39.es/ecma426/). - format: binary + preset: + enum: + - balanced + - custom + - throughput + - scale + - latency type: string - required: - - service_name - - service_version - - bundle_filepath - - sourcemap - APM_UI_upload_source_maps_response: - allOf: - - type: object + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: false + type: object properties: - body: - type: string - - $ref: '#/components/schemas/APM_UI_base_source_map_object' - Cases_actions: - enum: - - add - - create - - delete - - push_to_service - - update - example: create - type: string - Cases_add_alert_comment_request_properties: - description: Defines properties for case comment requests when type is alert. 
- type: object - properties: - alertId: - $ref: '#/components/schemas/Cases_alert_identifiers' - index: - $ref: '#/components/schemas/Cases_alert_indices' - owner: - $ref: '#/components/schemas/Cases_owner' - rule: - $ref: '#/components/schemas/Cases_rule' + ssl: + additionalProperties: false + type: object + properties: + key: + anyOf: + - additionalProperties: false + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + shipper: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' + nullable: true + ssl: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + nullable: true type: - description: The type of comment. enum: - - alert - example: alert + - elasticsearch type: string + write_to_logs_streams: + nullable: true + type: boolean required: - - alertId - - index - - owner - - rule + - name - type - title: Add case comment request properties for alerts - Cases_add_case_comment_request: - description: >- - The add comment to case API request body varies depending on whether you - are adding an alert or a comment. - discriminator: - mapping: - alert: '#/components/schemas/Cases_add_alert_comment_request_properties' - user: '#/components/schemas/Cases_add_user_comment_request_properties' - propertyName: type - oneOf: - - $ref: '#/components/schemas/Cases_add_alert_comment_request_properties' - - $ref: '#/components/schemas/Cases_add_user_comment_request_properties' - title: Add case comment request - Cases_add_case_file_request: - description: >- - Defines the file that will be attached to the case. Optional parameters - will be generated automatically from the file metadata if not defined. + - hosts + title: new_output_elasticsearch type: object + Kibana_HTTP_APIs_new_output_kafka: + additionalProperties: false properties: - file: - description: The file being attached to the case. 
- format: binary + allow_edit: + items: + type: string + maxItems: 1000 + type: array + auth_type: + enum: + - none + - user_pass + - ssl + - kerberos type: string - filename: - description: >- - The desired name of the file being attached to the case, it can be - different than the name of the file in the filesystem. **This should - not include the file extension.** + broker_timeout: + type: number + ca_sha256: + nullable: true type: string - required: - - file - title: Add case file request properties - Cases_add_user_comment_request_properties: - description: Defines properties for case comment requests when type is user. - properties: - comment: - description: The new comment. It is required only when `type` is `user`. - example: A new comment. - maxLength: 30000 + ca_trusted_fingerprint: + nullable: true type: string - owner: - $ref: '#/components/schemas/Cases_owner' - type: - description: The type of comment. + client_id: + type: string + compression: enum: - - user - example: user + - gzip + - snappy + - lz4 + - none type: string - required: - - comment - - owner - - type - title: Add case comment request properties for user comments - type: object - Cases_alert_comment_response_properties: - title: Add case comment response properties for alerts - type: object - properties: - alertId: - items: - example: a6e12ac4-7bce-457b-84f6-d7ce8deb8446 - type: string - type: array - created_at: - example: '2023-11-06T19:29:38.424Z' - format: date-time + compression_level: + nullable: true + type: number + config_yaml: + nullable: true type: string - created_by: + connection_type: + enum: + - plaintext + - encryption + type: string + hash: + additionalProperties: false type: object properties: - email: - example: null - nullable: true - type: string - full_name: - example: null - nullable: true - type: string - profile_uid: - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - type: string - username: - example: elastic - nullable: true + hash: type: string - 
required: - - email - - full_name - - username - id: - example: 73362370-ab1a-11ec-985f-97e55adae8b9 - type: string - index: + random: + type: boolean + headers: + items: + additionalProperties: false + type: object + properties: + key: + type: string + value: + type: string + required: + - key + - value + maxItems: 100 + type: array + hosts: items: - example: .internal.alerts-security.alerts-default-000001 type: string + maxItems: 10 + minItems: 1 type: array - owner: - $ref: '#/components/schemas/Cases_owner' - pushed_at: - example: null - format: date-time + id: + type: string + is_default: + default: false + type: boolean + is_default_monitoring: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + type: boolean + key: + type: string + name: + type: string + otel_disable_beatsauth: + nullable: true + type: boolean + otel_exporter_config_yaml: + nullable: true + type: string + partition: + enum: + - random + - round_robin + - hash + type: string + password: + nullable: true + type: string + proxy_id: nullable: true type: string - pushed_by: + random: + additionalProperties: false + type: object + properties: + group_events: + type: number + required_acks: + enum: + - 1 + - 0 + - -1 + type: integer + round_robin: + additionalProperties: false + type: object + properties: + group_events: + type: number + sasl: + additionalProperties: false nullable: true type: object properties: - email: - example: null - nullable: true - type: string - full_name: - example: null - nullable: true - type: string - profile_uid: - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - type: string - username: - example: elastic - nullable: true + mechanism: + enum: + - PLAIN + - SCRAM-SHA-256 + - SCRAM-SHA-512 type: string - required: - - email - - full_name - - username - rule: + secrets: + additionalProperties: false type: object properties: - id: - description: The rule identifier. 
- example: 94d80550-aaf4-11ec-985f-97e55adae8b9 - nullable: true - type: string - name: - description: The rule name. - example: security_rule - nullable: true - type: string + password: + anyOf: + - additionalProperties: false + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + key: + anyOf: + - additionalProperties: false + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + required: + - key + shipper: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' + nullable: true + ssl: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + nullable: true + timeout: + type: number + topic: + type: string type: enum: - - alert - example: alert + - kafka type: string - updated_at: - format: date-time + username: nullable: true type: string - updated_by: - nullable: true - type: object - properties: - email: - example: null - nullable: true - type: string - full_name: - example: null - nullable: true - type: string - profile_uid: - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - type: string - username: - example: elastic - nullable: true - type: string - required: - - email - - full_name - - username version: - example: WzMwNDgsMV0= type: string required: + - name - type - Cases_alert_identifiers: - description: > - The alert identifiers. It is required only when `type` is `alert`. You - can use an array of strings to add multiple alerts to a case, provided - that they all relate to the same rule; `index` must also be an array - with the same length or number of elements. Adding multiple alerts in - this manner is recommended rather than calling the API multiple times. - This functionality is in technical preview and may be changed or removed - in a future release. 
Elastic will work to fix any issues, but features - in technical preview are not subject to the support SLA of official GA - features. - example: 6b24c4dc44bc720cfc92797f3d61fff952f2b2627db1fb4f8cc49f4530c4ff42 - oneOf: - - type: string - - items: - type: string - maxItems: 1000 - type: array - title: Alert identifiers - x-state: Technical preview - Cases_alert_indices: - description: > - The alert indices. It is required only when `type` is `alert`. If you - are adding multiple alerts to a case, use an array of strings; the - position of each index name in the array must match the position of the - corresponding alert identifier in the `alertId` array. This - functionality is in technical preview and may be changed or removed in a - future release. Elastic will work to fix any issues, but features in - technical preview are not subject to the support SLA of official GA - features. - oneOf: - - type: string - - items: + - hosts + - auth_type + title: new_output_kafka + type: object + Kibana_HTTP_APIs_new_output_logstash: + additionalProperties: false + properties: + allow_edit: + items: type: string maxItems: 1000 type: array - title: Alert indices - x-state: Technical preview - Cases_alert_response_properties: - type: object - properties: - attached_at: - format: date-time + ca_sha256: + nullable: true type: string - id: - description: The alert identifier. + ca_trusted_fingerprint: + nullable: true type: string - index: - description: The alert index. + config_yaml: + nullable: true type: string - Cases_assignees: - description: An array containing users that are assigned to the case. - items: - type: object - properties: - uid: - description: >- - A unique identifier for the user profile. These identifiers can be - found by using the suggest user profile API. 
- example: u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0 + hosts: + items: type: string - required: - - uid - maxItems: 10 - nullable: true - type: array - Cases_attachment_totals: - description: Counts of alerts, events, and user comments attached to a case. - properties: - alerts: - description: Number of alert attachments on the case. - type: integer - events: - description: Number of event attachments on the case. - type: integer - userComments: - description: Number of user comment attachments on the case. - type: integer - required: - - alerts - - events - - userComments - title: Attachment totals - type: object - Cases_case_categories: - items: - $ref: '#/components/schemas/Cases_case_category' - maxItems: 100 - type: array - Cases_case_category: - description: A word or phrase that categorizes the case. - maxLength: 50 - type: string - Cases_case_close_sync_reason: - description: > - The close reason to sync to attached alerts when closing the case. Can - be one of following predefined reasons: [false_positive, duplicate, - true_positive, benign_positive, automated_closure, other] or a custom - reason provided by the user. - oneOf: - - enum: - - false_positive - - duplicate - - true_positive - - benign_positive - - automated_closure - - other + maxItems: 10 + minItems: 1 + type: array + id: type: string - - type: string - Cases_case_description: - description: The description for the case. - maxLength: 30000 - type: string - Cases_case_observable: - description: A single observable attached to a case. - properties: - createdAt: - description: When the observable was created. - example: '2024-11-14T10:00:00.000Z' - format: date-time + is_default: + default: false + type: boolean + is_default_monitoring: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + type: boolean + name: type: string - description: - description: An optional description for the observable. 
- example: Source IP + otel_disable_beatsauth: + nullable: true + type: boolean + otel_exporter_config_yaml: nullable: true type: string - id: - description: The observable identifier. - example: df927ab8-54ed-47d6-be07-9948c255c097 - type: string - typeKey: - description: The observable type key. - example: observable-type-ipv4 - type: string - updatedAt: - description: When the observable was last updated. - example: '2024-11-14T10:00:00.000Z' - format: date-time + proxy_id: nullable: true type: string - value: - description: The observable value. - example: 10.0.0.8 + secrets: + additionalProperties: false + type: object + properties: + ssl: + additionalProperties: false + type: object + properties: + key: + anyOf: + - additionalProperties: false + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + shipper: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' + nullable: true + ssl: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + nullable: true + type: + enum: + - logstash type: string required: - - id - - typeKey - - value - - description - - createdAt - - updatedAt - title: Case observable + - name + - type + - hosts + title: new_output_logstash type: object - Cases_case_response_closed_by_properties: - nullable: true + Kibana_HTTP_APIs_new_output_remote_elasticsearch: + additionalProperties: false properties: - email: - example: null + allow_edit: + items: + type: string + maxItems: 1000 + type: array + ca_sha256: nullable: true type: string - full_name: - example: null + ca_trusted_fingerprint: nullable: true type: string - profile_uid: - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - type: string - username: - example: elastic + config_yaml: nullable: true type: string - required: - - email - - full_name - - username - title: Case response properties for closed_by - type: object - Cases_case_response_created_by_properties: - title: Case 
response properties for created_by - type: object - properties: - email: - example: null + hosts: + items: + format: uri + type: string + maxItems: 10 + minItems: 1 + type: array + id: + type: string + is_default: + default: false + type: boolean + is_default_monitoring: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + type: boolean + kibana_api_key: nullable: true type: string - full_name: - example: null + kibana_url: nullable: true type: string - profile_uid: - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + name: type: string - username: - example: elastic + otel_disable_beatsauth: + nullable: true + type: boolean + otel_exporter_config_yaml: nullable: true type: string - required: - - email - - full_name - - username - Cases_case_response_get_case: - description: > - Case details returned by the get case API. The comments property is not - included in the response. Use the find case comments API to retrieve - comments. totalComment reflects the actual number of user comments. - properties: - assignees: - $ref: '#/components/schemas/Cases_assignees' - category: - description: The case category. 
+ preset: + enum: + - balanced + - custom + - throughput + - scale + - latency + type: string + proxy_id: nullable: true type: string - closed_at: - format: date-time + secrets: + additionalProperties: false + type: object + properties: + service_token: + anyOf: + - additionalProperties: false + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: false + type: object + properties: + key: + anyOf: + - additionalProperties: false + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + service_token: nullable: true type: string - closed_by: - $ref: '#/components/schemas/Cases_case_response_closed_by_properties' - connector: - discriminator: - mapping: - .cases-webhook: '#/components/schemas/Cases_connector_properties_cases_webhook' - .jira: '#/components/schemas/Cases_connector_properties_jira' - .none: '#/components/schemas/Cases_connector_properties_none' - .resilient: '#/components/schemas/Cases_connector_properties_resilient' - .servicenow: '#/components/schemas/Cases_connector_properties_servicenow' - .servicenow-sir: '#/components/schemas/Cases_connector_properties_servicenow_sir' - .swimlane: '#/components/schemas/Cases_connector_properties_swimlane' - propertyName: type - oneOf: - - $ref: '#/components/schemas/Cases_connector_properties_none' - - $ref: '#/components/schemas/Cases_connector_properties_cases_webhook' - - $ref: '#/components/schemas/Cases_connector_properties_jira' - - $ref: '#/components/schemas/Cases_connector_properties_resilient' - - $ref: '#/components/schemas/Cases_connector_properties_servicenow' - - $ref: '#/components/schemas/Cases_connector_properties_servicenow_sir' - - $ref: '#/components/schemas/Cases_connector_properties_swimlane' - title: Case response properties for connectors - created_at: - example: '2022-05-13T09:16:17.416Z' - format: date-time + shipper: + allOf: + - $ref: 
'#/components/schemas/Kibana_HTTP_APIs_output_shipper' + nullable: true + ssl: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + nullable: true + sync_integrations: + type: boolean + sync_uninstalled_integrations: + type: boolean + type: + enum: + - remote_elasticsearch type: string - created_by: - $ref: '#/components/schemas/Cases_case_response_created_by_properties' - customFields: - description: Custom field values for the case. + write_to_logs_streams: + nullable: true + type: boolean + required: + - name + - type + - hosts + title: new_output_remote_elasticsearch + type: object + Kibana_HTTP_APIs_new_rule: + additionalProperties: false + properties: + actions: + default: [] items: - type: object - properties: - key: - description: > - The unique identifier for the custom field. The key value must - exist in the case configuration settings. - type: string - type: - description: > - The custom field type. It must match the type specified in the - case configuration settings. - enum: - - text - - toggle - type: string - value: - description: > - The custom field value. If the custom field is required, it - cannot be explicitly set to null. However, for cases that - existed when the required custom field was added, the default - value stored in Elasticsearch is `undefined`. The value - returned in the API and user interface in this case is `null`. - oneOf: - - maxLength: 160 - minLength: 1 - nullable: true + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. 
+ type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: type: string - - type: boolean - type: array - description: - example: A case description. + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string - duration: - description: > - The elapsed time from the creation of the case to its closure (in - seconds). If the case has not been closed, the duration is set to - null. If the case was closed after less than half a second, the - duration is rounded down to zero. - example: 120 + enabled: + default: true + description: Indicates whether you want the rule to run on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' nullable: true - type: integer - external_service: - $ref: '#/components/schemas/Cases_external_service' - id: - example: 66b9aa00-94fa-11ea-9f74-e7e108796192 + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. type: string - incremental_id: - description: > - A monotonically increasing number assigned to each case, unique per - space. This value is generated asynchronously after the case is - created and may not be present immediately in the response. - example: 1 + notify_when: + description: 'Indicates how frequently rule actions are triggered. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval nullable: true - type: integer - observables: - description: Observables attached to the case. - items: - $ref: '#/components/schemas/Cases_case_observable' - type: array - owner: - $ref: '#/components/schemas/Cases_owner' - settings: - $ref: '#/components/schemas/Cases_settings' - severity: - $ref: '#/components/schemas/Cases_case_severity' - status: - $ref: '#/components/schemas/Cases_case_status' + type: string + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the rule. + type: object + rule_type_id: + description: The rule type identifier. + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval tags: - example: - - tag-1 + default: [] + description: The tags for the rule. items: type: string type: array - title: - example: Case title 1 - type: string - total_observables: - description: The number of observables attached to the case. 
- example: 0 - nullable: true - type: integer - totalAlerts: - example: 0 - type: integer - totalComment: - description: >- - The number of user comments on the case. Use the find case comments - API to retrieve comment content. - example: 1 - type: integer - totalEvents: - description: The number of events attached to the case. - example: 0 - type: integer - updated_at: - format: date-time + throttle: + description: Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how frequently rule actions are triggered. You cannot specify the throttle interval at both the rule and action level. If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. nullable: true type: string - updated_by: - $ref: '#/components/schemas/Cases_case_response_updated_by_properties' - version: - example: WzUzMiwxXQ== + required: + - name + - consumer + - schedule + - rule_type_id + title: new_rule + type: object + Kibana_HTTP_APIs_new_rule_action: + additionalProperties: false + description: An action that runs under defined conditions. + properties: + alerts_filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action_alerts_filter' + frequency: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action_frequency' + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. 
+ type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. type: string required: - - closed_at - - closed_by - - connector - - created_at - - created_by - - description - - duration - - external_service - id - - observables - - owner - - settings - - severity - - status - - tags - - title - - totalAlerts - - totalComment - - total_observables - - updated_at - - updated_by - - version - title: Get case response + title: new_rule_action type: object - Cases_case_response_properties: - title: Case response properties + Kibana_HTTP_APIs_new_rule_action_alerts_filter: + additionalProperties: false + description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. + properties: + query: + $ref: '#/components/schemas/Kibana_HTTP_APIs_alerts_filter_query' + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. + type: object + properties: + end: + description: The end of the time frame, in 24-hour notation (`hh:mm`). + type: string + start: + description: The start of the time frame, in 24-hour notation (`hh:mm`). 
+ type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in support for daylight savings time and are not recommended. + type: string + required: + - days + - hours + - timezone + title: new_rule_action_alerts_filter type: object + Kibana_HTTP_APIs_new_rule_action_frequency: + additionalProperties: false properties: - assignees: - $ref: '#/components/schemas/Cases_assignees' - category: - description: The case category. + notify_when: + description: 'Indicates how frequently rule actions are triggered. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: The throttle interval defines how frequently rule actions are triggered. It is specified in seconds, minutes, hours, or days and only applies when `notify_when` is set to `onThrottleInterval`. You cannot set the throttle interval at both the rule and action level. The recommended approach is to set it for each action individually. If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. 
nullable: true type: string - closed_at: - format: date-time + required: + - summary + - notify_when + - throttle + title: new_rule_action_frequency + type: object + Kibana_HTTP_APIs_noColor: + additionalProperties: false + description: Explicitly disables coloring + properties: + type: + enum: + - none + type: string + required: + - type + title: No Color + type: object + Kibana_HTTP_APIs_numericFormat: + additionalProperties: false + description: Number or percentage format with optional decimal places, suffix, and compact notation. + properties: + compact: + default: false + description: When `true`, uses compact notation (for example, 1.2k instead of 1,200). Defaults to `false`. + type: boolean + decimals: + default: 2 + description: Number of decimal places to display. + type: number + suffix: + description: Suffix appended to the formatted value. + type: string + type: + description: 'Value format type: `number` for plain numbers, `percent` for percentages.' + enum: + - number + - percent + type: string + required: + - type + title: Numeric Format + type: object + Kibana_HTTP_APIs_observability-rules-custom-threshold-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. 
+ type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want the rule to run on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how frequently rule actions are triggered. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' 
+ enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval nullable: true type: string - closed_by: - $ref: '#/components/schemas/Cases_case_response_closed_by_properties' - comments: - description: An array of comment objects for the case. + params: + additionalProperties: true + description: The parameters for the custom threshold rule. These parameters are appropriate when `rule_type_id` is `observability.rules.custom_threshold`. + properties: + alertOnGroupDisappear: + type: boolean + alertOnNoData: + type: boolean + criteria: + items: + additionalProperties: false + type: object + properties: + aggType: + enum: + - custom + type: string + comparator: + type: string + equation: + type: string + label: + type: string + metrics: + items: + anyOf: + - additionalProperties: false + type: object + properties: + aggType: + type: string + field: + type: string + filter: + type: string + name: + type: string + required: + - name + - aggType + - field + - additionalProperties: false + type: object + properties: + aggType: + enum: + - count + type: string + filter: + type: string + name: + type: string + required: + - name + - aggType + type: array + threshold: + items: + type: number + type: array + timeSize: + type: number + timeUnit: + type: string + required: + - threshold + - comparator + - timeUnit + - timeSize + - metrics + type: array + groupBy: + anyOf: + - type: string + - items: + type: string + type: array + noDataBehavior: + enum: + - recover + - remainActive + - alertOnNoData + type: string + searchConfiguration: + additionalProperties: false + type: object + properties: + filter: + items: + additionalProperties: false + type: object + properties: + meta: + additionalProperties: + nullable: true + type: object + query: + additionalProperties: + nullable: true + type: object + required: + - meta + type: array + index: + anyOf: + - type: string + - additionalProperties: false + type: object + properties: + allowHidden: + type: boolean + 
allowNoIndex: + type: boolean + fieldAttrs: + additionalProperties: + additionalProperties: false + type: object + properties: + count: + type: number + customDescription: + maxLength: 300 + type: string + customLabel: + type: string + type: object + fieldFormats: + additionalProperties: + additionalProperties: false + type: object + properties: + id: + type: string + params: + nullable: true + required: + - params + type: object + fields: + additionalProperties: + additionalProperties: false + type: object + properties: + aggregatable: + type: boolean + count: + minimum: 0 + type: number + customDescription: + maxLength: 300 + type: string + customLabel: + type: string + esTypes: + items: + type: string + type: array + format: + additionalProperties: false + type: object + properties: + id: + type: string + params: + nullable: true + required: + - params + name: + maxLength: 1000 + type: string + readFromDocValues: + type: boolean + runtimeField: + anyOf: + - additionalProperties: false + type: object + properties: + customDescription: + maxLength: 300 + type: string + customLabel: + type: string + format: + additionalProperties: false + type: object + properties: + id: + type: string + params: + nullable: true + required: + - params + popularity: + minimum: 0 + type: number + script: + additionalProperties: false + type: object + properties: + source: + type: string + required: + - source + type: + enum: + - keyword + - long + - double + - date + - ip + - boolean + - geo_point + type: string + required: + - type + - additionalProperties: false + type: object + properties: + fields: + additionalProperties: + additionalProperties: false + type: object + properties: + customDescription: + maxLength: 300 + type: string + customLabel: + type: string + format: + additionalProperties: false + type: object + properties: + id: + type: string + params: + nullable: true + required: + - params + popularity: + minimum: 0 + type: number + type: + enum: + - keyword + - long + - 
double + - date + - ip + - boolean + - geo_point + type: string + required: + - type + type: object + script: + additionalProperties: false + type: object + properties: + source: + type: string + required: + - source + type: + enum: + - composite + type: string + required: + - type + script: + maxLength: 1000000 + type: string + scripted: + type: boolean + searchable: + type: boolean + shortDotsEnable: + type: boolean + subType: + additionalProperties: false + type: object + properties: + multi: + additionalProperties: false + type: object + properties: + parent: + type: string + required: + - parent + nested: + additionalProperties: false + type: object + properties: + path: + type: string + required: + - path + type: + default: string + maxLength: 1000 + type: string + required: + - name + type: object + id: + type: string + managed: + type: boolean + name: + type: string + namespaces: + items: + type: string + type: array + runtimeFieldMap: + additionalProperties: + anyOf: + - additionalProperties: false + type: object + properties: + customDescription: + maxLength: 300 + type: string + customLabel: + type: string + format: + additionalProperties: false + type: object + properties: + id: + type: string + params: + nullable: true + required: + - params + popularity: + minimum: 0 + type: number + script: + additionalProperties: false + type: object + properties: + source: + type: string + required: + - source + type: + enum: + - keyword + - long + - double + - date + - ip + - boolean + - geo_point + type: string + required: + - type + - additionalProperties: false + type: object + properties: + fields: + additionalProperties: + additionalProperties: false + type: object + properties: + customDescription: + maxLength: 300 + type: string + customLabel: + type: string + format: + additionalProperties: false + type: object + properties: + id: + type: string + params: + nullable: true + required: + - params + popularity: + minimum: 0 + type: number + type: + enum: + - 
keyword + - long + - double + - date + - ip + - boolean + - geo_point + type: string + required: + - type + type: object + script: + additionalProperties: false + type: object + properties: + source: + type: string + required: + - source + type: + enum: + - composite + type: string + required: + - type + type: object + sourceFilters: + items: + additionalProperties: false + type: object + properties: + clientId: + anyOf: + - type: string + - type: number + value: + type: string + required: + - value + type: array + timeFieldName: + type: string + title: + type: string + type: + type: string + typeMeta: + additionalProperties: true + type: object + properties: {} + version: + type: string + required: + - title + query: + additionalProperties: false + type: object + properties: + language: + type: string + query: + type: string + required: + - language + - query + required: + - index + - query + required: + - criteria + - searchConfiguration + title: Custom Threshold Rule Params + type: object + rule_type_id: + enum: + - observability.rules.custom_threshold + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. 
items: - discriminator: - mapping: - alert: '#/components/schemas/Cases_alert_comment_response_properties' - event: '#/components/schemas/Cases_event_comment_response_properties' - user: '#/components/schemas/Cases_user_comment_response_properties' - propertyName: type - oneOf: - - $ref: '#/components/schemas/Cases_alert_comment_response_properties' - - $ref: '#/components/schemas/Cases_event_comment_response_properties' - - $ref: '#/components/schemas/Cases_user_comment_response_properties' - maxItems: 10000 - title: Case response properties for comments + type: string type: array - connector: - discriminator: - mapping: - .cases-webhook: '#/components/schemas/Cases_connector_properties_cases_webhook' - .jira: '#/components/schemas/Cases_connector_properties_jira' - .none: '#/components/schemas/Cases_connector_properties_none' - .resilient: '#/components/schemas/Cases_connector_properties_resilient' - .servicenow: '#/components/schemas/Cases_connector_properties_servicenow' - .servicenow-sir: '#/components/schemas/Cases_connector_properties_servicenow_sir' - .swimlane: '#/components/schemas/Cases_connector_properties_swimlane' - propertyName: type - oneOf: - - $ref: '#/components/schemas/Cases_connector_properties_none' - - $ref: '#/components/schemas/Cases_connector_properties_cases_webhook' - - $ref: '#/components/schemas/Cases_connector_properties_jira' - - $ref: '#/components/schemas/Cases_connector_properties_resilient' - - $ref: '#/components/schemas/Cases_connector_properties_servicenow' - - $ref: '#/components/schemas/Cases_connector_properties_servicenow_sir' - - $ref: '#/components/schemas/Cases_connector_properties_swimlane' - title: Case response properties for connectors - created_at: - example: '2022-05-13T09:16:17.416Z' - format: date-time + throttle: + description: Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how frequently rule actions are triggered. 
You cannot specify the throttle interval at both the rule and action level. If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. + nullable: true type: string - created_by: - $ref: '#/components/schemas/Cases_case_response_created_by_properties' - customFields: - description: Custom field values for the case. + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Custom threshold + type: object + Kibana_HTTP_APIs_operationTimeScaleSetting: + description: Time scale + enum: + - s + - m + - h + - d + title: Operation Time Scale Setting + type: string + Kibana_HTTP_APIs_output_elasticsearch: + additionalProperties: true + properties: + allow_edit: items: - type: object - properties: - key: - description: > - The unique identifier for the custom field. The key value must - exist in the case configuration settings. - type: string - type: - description: > - The custom field type. It must match the type specified in the - case configuration settings. - enum: - - text - - toggle - type: string - value: - description: > - The custom field value. If the custom field is required, it - cannot be explicitly set to null. However, for cases that - existed when the required custom field was added, the default - value stored in Elasticsearch is `undefined`. The value - returned in the API and user interface in this case is `null`. - oneOf: - - maxLength: 160 - minLength: 1 - nullable: true - type: string - - type: boolean + type: string + maxItems: 1000 type: array - description: - example: A case description. + ca_sha256: + nullable: true type: string - duration: - description: > - The elapsed time from the creation of the case to its closure (in - seconds). If the case has not been closed, the duration is set to - null. If the case was closed after less than half a second, the - duration is rounded down to zero. 
- example: 120 + ca_trusted_fingerprint: nullable: true - type: integer - external_service: - $ref: '#/components/schemas/Cases_external_service' - id: - example: 66b9aa00-94fa-11ea-9f74-e7e108796192 type: string - incremental_id: - description: > - A monotonically increasing number assigned to each case, unique per - space. This value is generated asynchronously after the case is - created and may not be present immediately in the response. - example: 1 + config_yaml: nullable: true - type: integer - observables: - description: Observables attached to the case. - items: - $ref: '#/components/schemas/Cases_case_observable' - type: array - owner: - $ref: '#/components/schemas/Cases_owner' - settings: - $ref: '#/components/schemas/Cases_settings' - severity: - $ref: '#/components/schemas/Cases_case_severity' - status: - $ref: '#/components/schemas/Cases_case_status' - tags: - example: - - tag-1 + type: string + hosts: items: + format: uri type: string + maxItems: 10 + minItems: 1 type: array - title: - example: Case title 1 + id: type: string - total_observables: - description: The number of observables attached to the case. - example: 0 + is_default: + default: false + type: boolean + is_default_monitoring: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + type: boolean + name: + type: string + otel_disable_beatsauth: nullable: true - type: integer - totalAlerts: - example: 0 - type: integer - totalComment: - example: 0 - type: integer - totalEvents: - description: The number of events attached to the case. 
- example: 0 - type: integer - updated_at: - format: date-time + type: boolean + otel_exporter_config_yaml: nullable: true type: string - updated_by: - $ref: '#/components/schemas/Cases_case_response_updated_by_properties' - version: - example: WzUzMiwxXQ== + preset: + enum: + - balanced + - custom + - throughput + - scale + - latency type: string - required: - - closed_at - - closed_by - - comments - - connector - - created_at - - created_by - - description - - duration - - external_service - - id - - observables - - owner - - settings - - severity - - status - - tags - - title - - totalAlerts - - totalComment - - total_observables - - updated_at - - updated_by - - version - Cases_case_response_pushed_by_properties: - nullable: true - properties: - email: - example: null + proxy_id: nullable: true type: string - full_name: - example: null + secrets: + additionalProperties: true + type: object + properties: + ssl: + additionalProperties: true + type: object + properties: + key: + anyOf: + - additionalProperties: true + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + shipper: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' nullable: true - type: string - profile_uid: - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - type: string - username: - example: elastic + ssl: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' nullable: true + type: + enum: + - elasticsearch type: string + write_to_logs_streams: + nullable: true + type: boolean required: - - email - - full_name - - username - title: Case response properties for pushed_by + - name + - type + - hosts + title: output_elasticsearch type: object - Cases_case_response_updated_by_properties: - nullable: true + Kibana_HTTP_APIs_output_kafka: + additionalProperties: true properties: - email: - example: null + allow_edit: + items: + type: string + maxItems: 1000 + type: array + auth_type: + enum: + - none 
+ - user_pass + - ssl + - kerberos + type: string + broker_timeout: + type: number + ca_sha256: nullable: true type: string - full_name: - example: null + ca_trusted_fingerprint: nullable: true type: string - profile_uid: - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + client_id: type: string - username: - example: elastic - nullable: true + compression: + enum: + - gzip + - snappy + - lz4 + - none type: string - required: - - email - - full_name - - username - title: Case response properties for updated_by - type: object - Cases_case_severity: - description: The severity of the case. - enum: - - critical - - high - - low - - medium - type: string - Cases_case_status: - description: The status of the case. - enum: - - closed - - in-progress - - open - type: string - Cases_case_tags: - description: > - The words and phrases that help categorize cases. It can be an empty - array. - items: - maxLength: 256 - type: string - maxItems: 200 - type: array - Cases_case_title: - description: A title for the case. - maxLength: 160 - type: string - Cases_closure_types: - description: >- - Indicates whether a case is automatically closed when it is pushed to - external systems (`close-by-pushing`) or not automatically closed - (`close-by-user`). - enum: - - close-by-pushing - - close-by-user - example: close-by-user - type: string - Cases_connector_properties_cases_webhook: - description: Defines properties for connectors when type is `.cases-webhook`. 
- type: object - properties: - fields: - example: null + compression_level: + nullable: true + type: number + config_yaml: nullable: true type: string + connection_type: + enum: + - plaintext + - encryption + type: string + hash: + additionalProperties: true + type: object + properties: + hash: + type: string + random: + type: boolean + headers: + items: + additionalProperties: true + type: object + properties: + key: + type: string + value: + type: string + required: + - key + - value + maxItems: 100 + type: array + hosts: + items: + type: string + maxItems: 10 + minItems: 1 + type: array id: - description: >- - The identifier for the connector. To retrieve connector IDs, use the - find connectors API. + type: string + is_default: + default: false + type: boolean + is_default_monitoring: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + type: boolean + key: type: string name: - description: The name of the connector. type: string - type: - description: The type of connector. + otel_disable_beatsauth: + nullable: true + type: boolean + otel_exporter_config_yaml: + nullable: true + type: string + partition: enum: - - .cases-webhook - example: .cases-webhook + - random + - round_robin + - hash type: string - required: - - fields - - id - - name - - type - title: Create or upate case request properties for Cases Webhook connector - Cases_connector_properties_jira: - description: Defines properties for connectors when type is `.jira`. - type: object - properties: - fields: - description: >- - An object containing the connector fields. If you want to omit any - individual field, specify null as its value. + password: + nullable: true + type: string + proxy_id: + nullable: true + type: string + random: + additionalProperties: true type: object properties: - issueType: - description: The type of issue. - nullable: true - type: string - parent: - description: The key of the parent issue, when the issue type is sub-task. 
- nullable: true - type: string - priority: - description: The priority of the issue. - nullable: true + group_events: + type: number + required_acks: + enum: + - 1 + - 0 + - -1 + type: integer + round_robin: + additionalProperties: true + type: object + properties: + group_events: + type: number + sasl: + additionalProperties: true + nullable: true + type: object + properties: + mechanism: + enum: + - PLAIN + - SCRAM-SHA-256 + - SCRAM-SHA-512 type: string - required: - - issueType - - parent - - priority - id: - description: >- - The identifier for the connector. To retrieve connector IDs, use the - find connectors API. - type: string - name: - description: The name of the connector. + secrets: + additionalProperties: true + type: object + properties: + password: + anyOf: + - additionalProperties: true + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: true + type: object + properties: + key: + anyOf: + - additionalProperties: true + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + required: + - key + shipper: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' + nullable: true + ssl: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + nullable: true + timeout: + type: number + topic: type: string type: - description: The type of connector. enum: - - .jira - example: .jira + - kafka + type: string + username: + nullable: true + type: string + version: type: string required: - - fields - - id - name - type - title: Create or update case request properties for a Jira connector - Cases_connector_properties_none: - description: Defines properties for connectors when type is `.none`. 
+ - hosts + - auth_type + title: output_kafka type: object + Kibana_HTTP_APIs_output_logstash: + additionalProperties: true properties: - fields: - description: >- - An object containing the connector fields. To create a case without - a connector, specify null. To update a case to remove the connector, - specify null. - example: null + allow_edit: + items: + type: string + maxItems: 1000 + type: array + ca_sha256: + nullable: true + type: string + ca_trusted_fingerprint: + nullable: true + type: string + config_yaml: nullable: true type: string + hosts: + items: + type: string + maxItems: 10 + minItems: 1 + type: array id: - description: >- - The identifier for the connector. To create a case without a - connector, use `none`. To update a case to remove the connector, - specify `none`. - example: none type: string + is_default: + default: false + type: boolean + is_default_monitoring: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + type: boolean name: - description: >- - The name of the connector. To create a case without a connector, use - `none`. To update a case to remove the connector, specify `none`. - example: none type: string - type: - description: >- - The type of connector. To create a case without a connector, use - `.none`. To update a case to remove the connector, specify `.none`. - enum: - - .none - example: .none + otel_disable_beatsauth: + nullable: true + type: boolean + otel_exporter_config_yaml: + nullable: true type: string - required: - - fields - - id - - name - - type - title: Create or update case request properties for no connector - Cases_connector_properties_resilient: - description: Defines properties for connectors when type is `.resilient`. - type: object - properties: - fields: - description: >- - An object containing the connector fields. If you want to omit any - individual field, specify null as its value. 
+ proxy_id: nullable: true + type: string + secrets: + additionalProperties: true type: object properties: - issueTypes: - description: The type of incident. - items: - type: string - type: array - severityCode: - description: The severity code of the incident. - type: string - required: - - issueTypes - - severityCode - id: - description: The identifier for the connector. - type: string - name: - description: The name of the connector. - type: string + ssl: + additionalProperties: true + type: object + properties: + key: + anyOf: + - additionalProperties: true + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + shipper: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' + nullable: true + ssl: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + nullable: true type: - description: The type of connector. enum: - - .resilient - example: .resilient + - logstash type: string required: - - fields - - id - name - type - title: Create case request properties for a IBM Resilient connector - Cases_connector_properties_servicenow: - description: Defines properties for connectors when type is `.servicenow`. + - hosts + title: output_logstash type: object + Kibana_HTTP_APIs_output_remote_elasticsearch: + additionalProperties: true properties: - fields: - description: >- - An object containing the connector fields. If you want to omit any - individual field, specify null as its value. - type: object - properties: - category: - description: The category of the incident. - nullable: true - type: string - impact: - description: The effect an incident had on business. - nullable: true - type: string - severity: - description: The severity of the incident. - nullable: true - type: string - subcategory: - description: The subcategory of the incident. - nullable: true - type: string - urgency: - description: The extent to which the incident resolution can be delayed. 
- nullable: true - type: string - required: - - category - - impact - - severity - - subcategory - - urgency - id: - description: >- - The identifier for the connector. To retrieve connector IDs, use the - find connectors API. + allow_edit: + items: + type: string + maxItems: 1000 + type: array + ca_sha256: + nullable: true type: string - name: - description: The name of the connector. + ca_trusted_fingerprint: + nullable: true type: string - type: - description: The type of connector. - enum: - - .servicenow - example: .servicenow + config_yaml: + nullable: true type: string - required: - - fields - - id - - name - - type - title: Create case request properties for a ServiceNow ITSM connector - Cases_connector_properties_servicenow_sir: - description: Defines properties for connectors when type is `.servicenow-sir`. - type: object - properties: - fields: - description: >- - An object containing the connector fields. If you want to omit any - individual field, specify null as its value. - type: object - properties: - category: - description: The category of the incident. - nullable: true - type: string - destIp: - description: >- - Indicates whether cases will send a comma-separated list of - destination IPs. - nullable: true - type: boolean - malwareHash: - description: >- - Indicates whether cases will send a comma-separated list of - malware hashes. - nullable: true - type: boolean - malwareUrl: - description: >- - Indicates whether cases will send a comma-separated list of - malware URLs. - nullable: true - type: boolean - priority: - description: The priority of the issue. - nullable: true - type: string - sourceIp: - description: >- - Indicates whether cases will send a comma-separated list of - source IPs. - nullable: true - type: boolean - subcategory: - description: The subcategory of the incident. 
- nullable: true - type: string - required: - - category - - destIp - - malwareHash - - malwareUrl - - priority - - sourceIp - - subcategory + hosts: + items: + format: uri + type: string + maxItems: 10 + minItems: 1 + type: array id: - description: >- - The identifier for the connector. To retrieve connector IDs, use the - find connectors API. + type: string + is_default: + default: false + type: boolean + is_default_monitoring: + default: false + type: boolean + is_internal: + type: boolean + is_preconfigured: + type: boolean + kibana_api_key: + nullable: true + type: string + kibana_url: + nullable: true type: string name: - description: The name of the connector. type: string - type: - description: The type of connector. + otel_disable_beatsauth: + nullable: true + type: boolean + otel_exporter_config_yaml: + nullable: true + type: string + preset: enum: - - .servicenow-sir - example: .servicenow-sir + - balanced + - custom + - throughput + - scale + - latency type: string - required: - - fields - - id - - name - - type - title: Create case request properties for a ServiceNow SecOps connector - Cases_connector_properties_swimlane: - description: Defines properties for connectors when type is `.swimlane`. - type: object - properties: - fields: - description: >- - An object containing the connector fields. If you want to omit any - individual field, specify null as its value. + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: true type: object properties: - caseId: - description: The case identifier for Swimlane connectors. - nullable: true - type: string - required: - - caseId - id: - description: >- - The identifier for the connector. To retrieve connector IDs, use the - find connectors API. - type: string - name: - description: The name of the connector. 
+ service_token: + anyOf: + - additionalProperties: true + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + ssl: + additionalProperties: true + type: object + properties: + key: + anyOf: + - additionalProperties: true + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + service_token: + nullable: true type: string + shipper: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' + nullable: true + ssl: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + nullable: true + sync_integrations: + type: boolean + sync_uninstalled_integrations: + type: boolean type: - description: The type of connector. enum: - - .swimlane - example: .swimlane + - remote_elasticsearch type: string + write_to_logs_streams: + nullable: true + type: boolean required: - - fields - - id - name - type - title: Create case request properties for a Swimlane connector - Cases_connector_types: - description: The type of connector. - enum: - - .cases-webhook - - .jira - - .none - - .resilient - - .servicenow - - .servicenow-sir - - .swimlane - example: .none - type: string - Cases_create_case_request: - description: >- - The create case API request body varies depending on the type of - connector. 
+ - hosts + title: output_remote_elasticsearch + type: object + Kibana_HTTP_APIs_output_shipper: + additionalProperties: true properties: - assignees: - $ref: '#/components/schemas/Cases_assignees' - category: - $ref: '#/components/schemas/Cases_case_category' - connector: - oneOf: - - $ref: '#/components/schemas/Cases_connector_properties_none' - - $ref: '#/components/schemas/Cases_connector_properties_cases_webhook' - - $ref: '#/components/schemas/Cases_connector_properties_jira' - - $ref: '#/components/schemas/Cases_connector_properties_resilient' - - $ref: '#/components/schemas/Cases_connector_properties_servicenow' - - $ref: '#/components/schemas/Cases_connector_properties_servicenow_sir' - - $ref: '#/components/schemas/Cases_connector_properties_swimlane' - customFields: - description: > - Custom field values for a case. Any optional custom fields that are - not specified in the request are set to null. - items: - type: object - properties: - key: - description: > - The unique identifier for the custom field. The key value must - exist in the case configuration settings. - type: string - type: - description: > - The custom field type. It must match the type specified in the - case configuration settings. - enum: - - text - - toggle - type: string - value: - description: > - The custom field value. If the custom field is required, it - cannot be explicitly set to null. However, for cases that - existed when the required custom field was added, the default - value stored in Elasticsearch is `undefined`. The value - returned in the API and user interface in this case is `null`. 
- oneOf: - - maxLength: 160 - minLength: 1 - nullable: true - type: string - - type: boolean - required: - - key - - type - - value - maxItems: 10 - minItems: 0 - type: array - description: - $ref: '#/components/schemas/Cases_case_description' - owner: - $ref: '#/components/schemas/Cases_owner' - settings: - $ref: '#/components/schemas/Cases_settings' - severity: - $ref: '#/components/schemas/Cases_case_severity' - tags: - $ref: '#/components/schemas/Cases_case_tags' - title: - $ref: '#/components/schemas/Cases_case_title' + compression_level: + nullable: true + type: number + disk_queue_compression_enabled: + nullable: true + type: boolean + disk_queue_enabled: + default: false + nullable: true + type: boolean + disk_queue_encryption_enabled: + nullable: true + type: boolean + disk_queue_max_size: + nullable: true + type: number + disk_queue_path: + nullable: true + type: string + loadbalance: + nullable: true + type: boolean + max_batch_bytes: + nullable: true + type: number + mem_queue_events: + nullable: true + type: number + queue_flush_timeout: + nullable: true + type: number required: - - connector - - description - - owner - - settings - - tags - - title - title: Create case request - type: object - Cases_event_comment_response_properties: - title: Case response properties for event comments + - disk_queue_path + - disk_queue_max_size + - disk_queue_encryption_enabled + - disk_queue_compression_enabled + - compression_level + - loadbalance + - mem_queue_events + - queue_flush_timeout + - max_batch_bytes + title: output_shipper type: object + Kibana_HTTP_APIs_output_ssl: + additionalProperties: true properties: - created_at: - example: '2022-05-13T09:16:17.416Z' - format: date-time - type: string - created_by: - $ref: '#/components/schemas/Cases_case_response_created_by_properties' - eventId: - items: - example: 7605e6a6f9f4f990ad9f8f6901e5f082f1f1f1665cbaf2f0f2c6f8f6b0d8a39f - type: string - type: array - id: - example: 8af6ac20-74f6-11ea-b83a-553aecdb28b6 
+ certificate: type: string - index: + certificate_authorities: items: - example: .internal.alerts-security.alerts-default-000001 type: string + maxItems: 10 type: array - owner: - $ref: '#/components/schemas/Cases_owner' - pushed_at: - example: null - format: date-time - nullable: true + key: type: string - pushed_by: - $ref: '#/components/schemas/Cases_case_response_pushed_by_properties' - type: + verification_mode: enum: - - event - example: event - type: string - updated_at: - example: null - format: date-time - nullable: true - type: string - updated_by: - $ref: '#/components/schemas/Cases_case_response_updated_by_properties' - version: - example: WzIwNDMxLDFd + - full + - none + - certificate + - strict type: string - required: - - type - Cases_external_service: - nullable: true + title: output_ssl type: object + Kibana_HTTP_APIs_package_icon: + additionalProperties: false properties: - connector_id: - type: string - connector_name: + dark_mode: + type: boolean + path: type: string - external_id: + size: type: string - external_title: + src: type: string - external_url: + title: type: string - pushed_at: - format: date-time + type: type: string - pushed_by: - nullable: true - type: object - properties: - email: - example: null - nullable: true - type: string - full_name: - example: null - nullable: true - type: string - profile_uid: - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - type: string - username: - example: elastic - nullable: true - type: string - Cases_find_comments_response: - title: Find case comments response + required: + - src + title: package_icon type: object + Kibana_HTTP_APIs_package_list_item: + additionalProperties: true properties: - comments: - description: Paginated list of user comments for the case. + categories: items: - $ref: '#/components/schemas/Cases_user_comment_response_properties' + type: string + maxItems: 100 type: array - page: - description: The current page index. 
- type: integer - per_page: - description: The number of items per page. - type: integer - total: - description: The total number of comments. - type: integer - required: - - comments - - page - - per_page - - total - Cases_owner: - description: > - The application that owns the cases: Stack Management, Observability, or - Elastic Security. - enum: - - cases - - observability - - securitySolution - example: cases - type: string - Cases_owners: - items: - $ref: '#/components/schemas/Cases_owner' - type: array - Cases_payload_alert_comment: - type: object - properties: - comment: - type: object - properties: - alertId: - oneOf: - - example: 1c0b056b-cc9f-4b61-b5c9-cb801abd5e1d - type: string - - items: - type: string - type: array - index: - oneOf: - - example: .alerts-observability.logs.alerts-default - type: string - - items: - type: string - type: array - owner: - $ref: '#/components/schemas/Cases_owner' - rule: - type: object - properties: - id: - description: The rule identifier. - example: 94d80550-aaf4-11ec-985f-97e55adae8b9 - nullable: true - type: string - name: - description: The rule name. - example: security_rule - nullable: true - type: string - type: - enum: - - alert - type: string - Cases_payload_assignees: - type: object - properties: - assignees: - $ref: '#/components/schemas/Cases_assignees' - Cases_payload_connector: - type: object - properties: - connector: + conditions: + additionalProperties: true type: object properties: - fields: - description: >- - An object containing the connector fields. To create a case - without a connector, specify null. If you want to omit any - individual field, specify null as its value. - example: null - nullable: true + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + elastic: + additionalProperties: true type: object properties: - caseId: - description: The case identifier for Swimlane connectors. 
- type: string - category: - description: >- - The category of the incident for ServiceNow ITSM and - ServiceNow SecOps connectors. - type: string - destIp: - description: >- - Indicates whether cases will send a comma-separated list of - destination IPs for ServiceNow SecOps connectors. - nullable: true - type: boolean - impact: - description: >- - The effect an incident had on business for ServiceNow ITSM - connectors. - type: string - issueType: - description: The type of issue for Jira connectors. - type: string - issueTypes: - description: The type of incident for IBM Resilient connectors. + capabilities: items: type: string + maxItems: 10 type: array - malwareHash: - description: >- - Indicates whether cases will send a comma-separated list of - malware hashes for ServiceNow SecOps connectors. - nullable: true - type: boolean - malwareUrl: - description: >- - Indicates whether cases will send a comma-separated list of - malware URLs for ServiceNow SecOps connectors. - nullable: true - type: boolean - parent: - description: >- - The key of the parent issue, when the issue type is sub-task - for Jira connectors. - type: string - priority: - description: >- - The priority of the issue for Jira and ServiceNow SecOps - connectors. - type: string - severity: - description: The severity of the incident for ServiceNow ITSM connectors. - type: string - severityCode: - description: >- - The severity code of the incident for IBM Resilient - connectors. - type: string - sourceIp: - description: >- - Indicates whether cases will send a comma-separated list of - source IPs for ServiceNow SecOps connectors. - nullable: true - type: boolean - subcategory: - description: >- - The subcategory of the incident for ServiceNow ITSM - connectors. + subscription: type: string - urgency: - description: >- - The extent to which the incident resolution can be delayed - for ServiceNow ITSM connectors. 
+ kibana: + additionalProperties: true + type: object + properties: + version: type: string - id: - description: >- - The identifier for the connector. To create a case without a - connector, use `none`. - example: none - type: string - name: - description: >- - The name of the connector. To create a case without a connector, - use `none`. - example: none - type: string - type: - $ref: '#/components/schemas/Cases_connector_types' - Cases_payload_create_case: - type: object - properties: - assignees: - $ref: '#/components/schemas/Cases_assignees' - connector: + data_streams: + items: + additionalProperties: + nullable: true + type: object + maxItems: 1000 + type: array + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + description: + type: string + discovery: + additionalProperties: true type: object properties: + datasets: + items: + additionalProperties: true + type: object + properties: + name: + type: string + required: + - name + maxItems: 100 + type: array fields: - description: >- - An object containing the connector fields. To create a case - without a connector, specify null. If you want to omit any - individual field, specify null as its value. - example: null - nullable: true - type: object - properties: - caseId: - description: The case identifier for Swimlane connectors. - type: string - category: - description: >- - The category of the incident for ServiceNow ITSM and - ServiceNow SecOps connectors. - type: string - destIp: - description: >- - Indicates whether cases will send a comma-separated list of - destination IPs for ServiceNow SecOps connectors. - nullable: true - type: boolean - impact: - description: >- - The effect an incident had on business for ServiceNow ITSM - connectors. - type: string - issueType: - description: The type of issue for Jira connectors. - type: string - issueTypes: - description: The type of incident for IBM Resilient connectors. 
- items: + items: + additionalProperties: true + type: object + properties: + name: type: string - type: array - malwareHash: - description: >- - Indicates whether cases will send a comma-separated list of - malware hashes for ServiceNow SecOps connectors. - nullable: true - type: boolean - malwareUrl: - description: >- - Indicates whether cases will send a comma-separated list of - malware URLs for ServiceNow SecOps connectors. - nullable: true - type: boolean - parent: - description: >- - The key of the parent issue, when the issue type is sub-task - for Jira connectors. - type: string - priority: - description: >- - The priority of the issue for Jira and ServiceNow SecOps - connectors. - type: string - severity: - description: The severity of the incident for ServiceNow ITSM connectors. - type: string - severityCode: - description: >- - The severity code of the incident for IBM Resilient - connectors. - type: string - sourceIp: - description: >- - Indicates whether cases will send a comma-separated list of - source IPs for ServiceNow SecOps connectors. - nullable: true - type: boolean - subcategory: - description: >- - The subcategory of the incident for ServiceNow ITSM - connectors. - type: string - urgency: - description: >- - The extent to which the incident resolution can be delayed - for ServiceNow ITSM connectors. - type: string - id: - description: >- - The identifier for the connector. To create a case without a - connector, use `none`. - example: none - type: string - name: - description: >- - The name of the connector. To create a case without a connector, - use `none`. 
- example: none - type: string - type: - $ref: '#/components/schemas/Cases_connector_types' - description: + required: + - name + maxItems: 100 + type: array + download: type: string - owner: - $ref: '#/components/schemas/Cases_owner' - settings: - $ref: '#/components/schemas/Cases_settings' - severity: - $ref: '#/components/schemas/Cases_case_severity' - status: - $ref: '#/components/schemas/Cases_case_status' - tags: - example: - - tag-1 + format_version: + type: string + icons: items: - type: string + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_icon' + maxItems: 100 type: array - title: + id: type: string - Cases_payload_delete: - description: >- - If the `action` is `delete` and the `type` is `delete_case`, the payload - is nullable. - nullable: true - type: object - Cases_payload_description: - type: object - properties: - description: + installationInfo: + $ref: '#/components/schemas/Kibana_HTTP_APIs_installation_info' + integration: type: string - Cases_payload_pushed: - type: object - properties: - externalService: - $ref: '#/components/schemas/Cases_external_service' - Cases_payload_settings: - type: object - properties: - settings: - $ref: '#/components/schemas/Cases_settings' - Cases_payload_severity: - type: object - properties: - severity: - $ref: '#/components/schemas/Cases_case_severity' - Cases_payload_status: - type: object - properties: - status: - $ref: '#/components/schemas/Cases_case_status' - Cases_payload_tags: - type: object - properties: - tags: - example: - - tag-1 - items: - type: string - type: array - Cases_payload_title: - type: object - properties: - title: + internal: + type: boolean + latestVersion: type: string - Cases_payload_user_comment: - type: object - properties: - comment: + name: + type: string + owner: + additionalProperties: true type: object properties: - comment: + github: type: string - owner: - $ref: '#/components/schemas/Cases_owner' type: enum: - - user + - elastic + - partner + - community type: string - 
Cases_related_case: - description: > - Summary of a case returned when listing cases that contain a given - alert. This is a subset of the full case response. - properties: - createdAt: - description: When the case was created. - format: date-time + path: type: string - description: - description: The case description. + policy_templates: + items: + additionalProperties: + nullable: true + type: object + maxItems: 1000 + type: array + readme: type: string - id: - description: The case identifier. + release: + enum: + - ga + - beta + - experimental type: string + signature_path: + type: string + source: + additionalProperties: true + type: object + properties: + license: + type: string + required: + - license status: - $ref: '#/components/schemas/Cases_case_status' + type: string title: - description: The case title. type: string - totals: - $ref: '#/components/schemas/Cases_attachment_totals' + type: + anyOf: + - enum: + - integration + type: string + - enum: + - input + type: string + - enum: + - content + type: string + - type: string + var_groups: + items: + additionalProperties: true + type: object + properties: + description: + type: string + name: + type: string + options: + items: + additionalProperties: true + type: object + properties: + description: + type: string + hide_in_deployment_modes: + items: + enum: + - default + - agentless + type: string + maxItems: 2 + type: array + name: + type: string + title: + type: string + vars: + items: + type: string + maxItems: 100 + type: array + required: + - name + - title + - vars + maxItems: 100 + type: array + selector_title: + type: string + title: + type: string + required: + - name + - title + - selector_title + - options + maxItems: 100 + type: array + vars: + items: + additionalProperties: + nullable: true + type: object + maxItems: 1000 + type: array + version: + type: string + required: + - name + - version + - title + - id + title: package_list_item + type: object + Kibana_HTTP_APIs_package_metadata: + 
additionalProperties: false + properties: + has_policies: + type: boolean + required: + - has_policies + title: package_metadata + type: object + Kibana_HTTP_APIs_package_policy_package: + additionalProperties: false + properties: + experimental_data_stream_features: + items: + additionalProperties: false + type: object + properties: + data_stream: + type: string + features: + additionalProperties: false + type: object + properties: + doc_value_only_numeric: + type: boolean + doc_value_only_other: + type: boolean + synthetic_source: + type: boolean + tsdb: + type: boolean + required: + - data_stream + - features + maxItems: 100 + type: array + fips_compatible: + type: boolean + name: + description: Package name + type: string + requires_root: + type: boolean + title: + type: string + version: + description: Package version + type: string required: - - id - - title - - description - - status - - createdAt - - totals - title: Related case + - name + - version + title: package_policy_package type: object - Cases_response_4xx: + Kibana_HTTP_APIs_package_policy_response: + additionalProperties: false properties: - error: - example: Unauthorized + additional_datastreams_permissions: + description: Additional data stream permissions that will be added to the agent policy. + items: + type: string + maxItems: 1000 + nullable: true + type: array + agents: + type: number + cloud_connector_id: + description: ID of the cloud connector associated with this package policy. + nullable: true type: string - message: + cloud_connector_name: + description: Transient field for cloud connector name during creation. + maxLength: 255 + minLength: 1 + nullable: true type: string - statusCode: - example: 401 - type: integer - title: Unsuccessful cases API response - type: object - Cases_rule: - description: > - The rule that is associated with the alerts. It is required only when - `type` is `alert`. 
This functionality is in technical preview and may be - changed or removed in a future release. Elastic will work to fix any - issues, but features in technical preview are not subject to the support - SLA of official GA features. - title: Alerting rule - type: object - properties: - id: - description: The rule identifier. - example: 94d80550-aaf4-11ec-985f-97e55adae8b9 + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this integration to its inputs.' type: string - name: - description: The rule name. - example: security_rule + created_at: type: string - x-state: Technical preview - Cases_searchFieldsType: - description: The fields to perform the `simple_query_string` parsed query against. - enum: - - description - - title - type: string - Cases_searchFieldsTypeArray: - items: - $ref: '#/components/schemas/Cases_searchFieldsType' - type: array - Cases_set_case_configuration_request: - description: >- - External connection details, such as the closure type and default - connector for cases. - properties: - closure_type: - $ref: '#/components/schemas/Cases_closure_types' - connector: - description: An object that contains the connector configuration. + created_by: + type: string + description: + description: Package policy description + type: string + elasticsearch: + additionalProperties: true type: object properties: - fields: - description: >- - The fields specified in the case configuration are not used and - are not propagated to individual cases, therefore it is - recommended to set it to `null`. - nullable: true + privileges: + additionalProperties: true type: object - id: - description: >- - The identifier for the connector. If you do not want a default - connector, use `none`. To retrieve connector IDs, use the find - connectors API. - example: none - type: string - name: - description: >- - The name of the connector. If you do not want a default - connector, use `none`. 
To retrieve connector names, use the find - connectors API. - example: none - type: string - type: - $ref: '#/components/schemas/Cases_connector_types' - required: - - fields - - id - - name - - type - customFields: - description: Custom fields case configuration. + properties: + cluster: + items: + type: string + maxItems: 100 + type: array + enabled: + type: boolean + global_data_tags: items: + additionalProperties: false type: object properties: - defaultValue: - description: > - A default value for the custom field. If the `type` is `text`, - the default value must be a string. If the `type` is `toggle`, - the default value must be boolean. - oneOf: - - type: string - - type: boolean - key: - description: > - A unique key for the custom field. Must be lower case and - composed only of a-z, 0-9, '_', and '-' characters. It is used - in API calls to refer to a specific custom field. - maxLength: 36 - minLength: 1 - type: string - label: - description: The custom field label that is displayed in the case. - maxLength: 50 - minLength: 1 - type: string - type: - description: The type of the custom field. - enum: - - text - - toggle + name: + description: The name of the custom field. Cannot contain spaces. type: string - required: - description: > - Indicates whether the field is required. If `false`, the - custom field can be set to null or omitted when a case is - created or updated. - type: boolean + value: + anyOf: + - type: string + - type: number + description: The value of the custom field. required: - - key - - label - - required - - type - maxItems: 10 - minItems: 0 + - name + - value + maxItems: 100 + nullable: true type: array - owner: - $ref: '#/components/schemas/Cases_owner' - templates: - $ref: '#/components/schemas/Cases_templates' - required: - - closure_type - - connector - - owner - title: Set case configuration request - type: object - Cases_settings: - description: An object that contains the case settings. 
- type: object - properties: - extractObservables: - description: > - When true, observables (e.g. IPs, hashes, URLs) are automatically - extracted from case comments. Optional; defaults to false when - omitted. - example: false - type: boolean - syncAlerts: - description: Turns alert syncing on or off. - example: true - type: boolean - required: - - syncAlerts - Cases_string: - type: string - Cases_string_array: - items: - $ref: '#/components/schemas/Cases_string' - maxItems: 100 - type: array - Cases_template_tags: - description: > - The words and phrases that help categorize templates. It can be an empty - array. - items: - maxLength: 256 - type: string - maxItems: 200 - type: array - Cases_templates: - items: - type: object - properties: - caseFields: - type: object - properties: - assignees: - $ref: '#/components/schemas/Cases_assignees' - category: - $ref: '#/components/schemas/Cases_case_category' - connector: + id: + type: string + inputs: + anyOf: + - items: + additionalProperties: false type: object properties: - fields: - description: >- - The fields specified in the case configuration are not - used and are not propagated to individual cases, therefore - it is recommended to set it to `null`. + compiled_input: nullable: true + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' + type: string + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) type: object + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + type: boolean id: - description: >- - The identifier for the connector. If you do not want a - default connector, use `none`. To retrieve connector IDs, - use the find connectors API. 
- example: none + type: string + keep_enabled: + type: boolean + migrate_from: type: string name: - description: >- - The name of the connector. If you do not want a default - connector, use `none`. To retrieve connector names, use - the find connectors API. - example: none type: string + policy_template: + type: string + streams: + items: + additionalProperties: false + type: object + properties: + compiled_stream: + nullable: true + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' + type: string + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + data_stream: + additionalProperties: false + type: object + properties: + dataset: + type: string + elasticsearch: + additionalProperties: false + type: object + properties: + dynamic_dataset: + type: boolean + dynamic_namespace: + type: boolean + privileges: + additionalProperties: false + type: object + properties: + indices: + items: + type: string + maxItems: 100 + type: array + type: + type: string + required: + - dataset + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + release: + enum: + - ga + - beta + - experimental + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. 
+ type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - enabled + - data_stream + - compiled_stream + maxItems: 1000 + type: array type: - $ref: '#/components/schemas/Cases_connector_types' - customFields: - description: Custom field values in the template. - items: - type: object - properties: - key: - description: The unique key for the custom field. - type: string - type: - description: The type of the custom field. - enum: - - text - - toggle + type: string + var_group_selections: + additionalProperties: type: string - value: - description: > - The default value for the custom field when a case uses - the template. If the `type` is `text`, the default value - must be a string. If the `type` is `toggle`, the default - value must be boolean. - oneOf: + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - type + - enabled + - streams + - compiled_input + maxItems: 100 + type: array + - additionalProperties: + additionalProperties: false + type: object + properties: + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' + type: string + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + description: Enable or disable that input. Defaults to `true` (enabled). 
+ type: boolean + streams: + additionalProperties: + additionalProperties: false + type: object + properties: + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' + type: string + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + description: Enable or disable that stream. Defaults to `true` (enabled). + type: boolean + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Input streams. Refer to the integration documentation to know which streams are available. + type: object + vars: + additionalProperties: + anyOf: - type: string + - type: number - type: boolean - type: array - x-state: Technical preview - description: - $ref: '#/components/schemas/Cases_case_description' - settings: - $ref: '#/components/schemas/Cases_settings' - severity: - $ref: '#/components/schemas/Cases_case_severity' - tags: - $ref: '#/components/schemas/Cases_case_tags' - title: - $ref: '#/components/schemas/Cases_case_title' - description: - description: A description for the template. - type: string - key: - description: > - A unique key for the template. Must be lower case and composed - only of a-z, 0-9, '_', and '-' characters. It is used in API calls - to refer to a specific template. 
+ - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Package policy inputs. Refer to the integration documentation to know which inputs are available. + type: object + description: Package policy inputs. + is_managed: + type: boolean + name: + description: Unique name for the package policy. + type: string + namespace: + description: The package policy namespace. Leave blank to inherit the agent policy's namespace. + type: string + output_id: + nullable: true + type: string + overrides: + additionalProperties: false + description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. + nullable: true + type: object + properties: + inputs: + additionalProperties: + nullable: true + type: object + package: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_package' + package_agent_version_condition: + type: string + policy_id: + deprecated: true + description: ID of the agent policy which the package policy will be added to. + nullable: true + type: string + policy_ids: + items: + description: IDs of the agent policies that the package policy will be added to. type: string - name: - description: The name of the template. + maxItems: 1000 + type: array + revision: + description: Package policy revision. 
+ type: number + secret_references: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 1000 + type: array + spaceIds: + items: type: string - tags: - $ref: '#/components/schemas/Cases_template_tags' - type: array - x-state: Technical preview - Cases_update_alert_comment_request_properties: - description: Defines properties for case comment requests when type is alert. - type: object - properties: - alertId: - $ref: '#/components/schemas/Cases_alert_identifiers' - id: - description: > - The identifier for the comment. To retrieve comment IDs, use the get - comments API. - example: 8af6ac20-74f6-11ea-b83a-553aecdb28b6 + maxItems: 100 + type: array + supports_agentless: + default: false + description: Indicates whether the package policy belongs to an agentless agent policy. + nullable: true + type: boolean + supports_cloud_connector: + default: false + description: Indicates whether the package policy supports cloud connectors. + nullable: true + type: boolean + updated_at: type: string - index: - $ref: '#/components/schemas/Cases_alert_indices' - owner: - $ref: '#/components/schemas/Cases_owner' - rule: - $ref: '#/components/schemas/Cases_rule' - type: - description: The type of comment. - enum: - - alert - example: alert + updated_by: type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. 
+ type: object + vars: + anyOf: + - additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + - additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Package level variable. version: - description: > - The current comment version. To retrieve version values, use the get - comments API. - example: Wzk1LDFd + description: Package policy ES version. type: string required: - - alertId - - id - - index - - owner - - rule - - type - - version - title: Update case comment request properties for alerts - Cases_update_case_comment_request: - description: >- - The update case comment API request body varies depending on whether you - are updating an alert or a comment. - discriminator: - mapping: - alert: '#/components/schemas/Cases_update_alert_comment_request_properties' - user: '#/components/schemas/Cases_update_user_comment_request_properties' - propertyName: type - oneOf: - - $ref: '#/components/schemas/Cases_update_alert_comment_request_properties' - - $ref: '#/components/schemas/Cases_update_user_comment_request_properties' - title: Update case comment request - Cases_update_case_configuration_request: - description: > - You can update settings such as the closure type, custom fields, - templates, and the default connector for cases. 
+ - name + - enabled + - inputs + - revision + - updated_at + - updated_by + - created_at + - created_by + title: package_policy_response + type: object + Kibana_HTTP_APIs_package_policy_status_response: + additionalProperties: false properties: - closure_type: - $ref: '#/components/schemas/Cases_closure_types' - connector: - description: An object that contains the connector configuration. + body: + additionalProperties: false type: object properties: - fields: - description: >- - The fields specified in the case configuration are not used and - are not propagated to individual cases, therefore it is - recommended to set it to `null`. - nullable: true - type: object - id: - description: >- - The identifier for the connector. If you do not want a default - connector, use `none`. To retrieve connector IDs, use the find - connectors API. - example: none - type: string - name: - description: >- - The name of the connector. If you do not want a default - connector, use `none`. To retrieve connector names, use the find - connectors API. - example: none + message: type: string - type: - $ref: '#/components/schemas/Cases_connector_types' required: - - fields - - id - - name - - type - customFields: - description: Custom fields case configuration. 
+ - message + id: + type: string + name: + type: string + statusCode: + type: number + success: + type: boolean + required: + - id + - success + title: package_policy_status_response + type: object + Kibana_HTTP_APIs_percentileOperation: + additionalProperties: false + properties: + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - percentile + type: string + percentile: + default: 95 + description: Percentile + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Percentile Operation + type: object + Kibana_HTTP_APIs_percentileRanksOperation: + additionalProperties: false + properties: + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - percentile_rank + type: string + rank: + default: 0 + description: Percentile Rank + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Percentile Ranks Operation + type: object + Kibana_HTTP_APIs_pieESQL: + additionalProperties: false + description: 
Pie chart configuration for ES|QL queries + properties: + data_source: + $ref: '#/components/schemas/Kibana_HTTP_APIs_esqlDataSource' + description: + type: string + drilldowns: + items: + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. + type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. 
Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + group_by: + description: Array of breakdown dimensions (minimum 1) items: + additionalProperties: false type: object properties: - defaultValue: - description: > - A default value for the custom field. If the `type` is `text`, - the default value must be a string. If the `type` is `toggle`, - the default value must be boolean. - oneOf: - - type: string - - type: boolean - key: - description: > - A unique key for the custom field. Must be lower case and - composed only of a-z, 0-9, '_', and '-' characters. It is used - in API calls to refer to a specific custom field. - maxLength: 36 - minLength: 1 + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + column: + description: Column to use type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' label: - description: The custom field label that is displayed in the case. - maxLength: 50 - minLength: 1 + description: Label for the operation type: string - type: - description: The type of the custom field. - enum: - - text - - toggle - type: string - required: - description: > - Indicates whether the field is required. If `false`, the - custom field can be set to null or omitted when a case is - created or updated. - type: boolean required: - - key - - label - - required - - type + - column + maxItems: 100 + minItems: 1 type: array - templates: - $ref: '#/components/schemas/Cases_templates' - version: - description: > - The version of the connector. To retrieve the version value, use the - get configuration API. 
- example: WzIwMiwxXQ== - type: string - required: - - version - title: Update case configuration request - type: object - Cases_update_case_request: - description: >- - The update case API request body varies depending on the type of - connector. - properties: - cases: - description: An array containing one or more case objects. + hide_border: + type: boolean + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. + type: boolean + legend: + $ref: '#/components/schemas/Kibana_HTTP_APIs_pieLegend' + metrics: + description: Array of metric configurations (minimum 1) items: + additionalProperties: false + description: ES|QL column reference for primary metric type: object properties: - assignees: - $ref: '#/components/schemas/Cases_assignees' - category: - $ref: '#/components/schemas/Cases_case_category' - closeReason: - $ref: '#/components/schemas/Cases_case_close_sync_reason' - connector: - oneOf: - - $ref: '#/components/schemas/Cases_connector_properties_none' - - $ref: >- - #/components/schemas/Cases_connector_properties_cases_webhook - - $ref: '#/components/schemas/Cases_connector_properties_jira' - - $ref: '#/components/schemas/Cases_connector_properties_resilient' - - $ref: '#/components/schemas/Cases_connector_properties_servicenow' - - $ref: >- - #/components/schemas/Cases_connector_properties_servicenow_sir - - $ref: '#/components/schemas/Cases_connector_properties_swimlane' - customFields: - description: > - Custom field values for a case. Any optional custom fields - that are not specified in the request are set to null. - items: - type: object - properties: - key: - description: > - The unique identifier for the custom field. The key - value must exist in the case configuration settings. - type: string - type: - description: > - The custom field type. It must match the type specified - in the case configuration settings. 
- enum: - - text - - toggle - type: string - value: - description: > - The custom field value. If the custom field is required, - it cannot be explicitly set to null. However, for cases - that existed when the required custom field was added, - the default value stored in Elasticsearch is - `undefined`. The value returned in the API and user - interface in this case is `null`. - oneOf: - - maxLength: 160 - minLength: 1 - nullable: true - type: string - - type: boolean - required: - - key - - type - - value - maxItems: 10 - minItems: 0 - type: array - description: - $ref: '#/components/schemas/Cases_case_description' - id: - description: The identifier for the case. - maxLength: 30000 + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + column: + description: Column to use type: string - settings: - $ref: '#/components/schemas/Cases_settings' - severity: - $ref: '#/components/schemas/Cases_case_severity' - status: - $ref: '#/components/schemas/Cases_case_status' - tags: - $ref: '#/components/schemas/Cases_case_tags' - title: - $ref: '#/components/schemas/Cases_case_title' - version: - description: > - The current version of the case. To determine this value, use - the get case or search cases (`_find`) APIs. + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string required: - - id - - version + - column maxItems: 100 minItems: 1 type: array + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). 
+ maximum: 1 + minimum: 0 + type: number + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_pieStyling' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + type: + enum: + - pie + type: string required: - - cases - title: Update case request + - type + - data_source + - metrics + title: Pie Chart (ES|QL) type: object - Cases_update_user_comment_request_properties: - description: Defines properties for case comment requests when type is user. + Kibana_HTTP_APIs_pieGroupByDateHistogram: + additionalProperties: false properties: - comment: - description: The new comment. It is required only when `type` is `user`. - example: A new comment. - maxLength: 30000 + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + drop_partial_intervals: + description: When `true`, drops partial intervals from the results. + type: boolean + field: + description: Field to be used for the date histogram. type: string - id: - description: > - The identifier for the comment. To retrieve comment IDs, use the get - comments API. - example: 8af6ac20-74f6-11ea-b83a-553aecdb28b6 + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. + type: boolean + label: + description: Label for the operation type: string - owner: - $ref: '#/components/schemas/Cases_owner' - type: - description: The type of comment. + operation: enum: - - user - example: user + - date_histogram type: string - version: - description: > - The current comment version. To retrieve version values, use the get - comments API. - example: Wzk1LDFd + suggested_interval: + default: auto + description: Suggested time interval. type: string + use_original_time_range: + default: false + description: When `true`, uses the original time range instead of the current query time range. 
+ type: boolean required: - - comment - - id - - owner - - type - - version - title: Update case comment request properties for user comments + - operation + - field + title: Date Histogram Operation type: object - Cases_user_actions_find_response_properties: + Kibana_HTTP_APIs_pieGroupByFilters: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + filters: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterWithLabel' + maxItems: 100 + type: array + label: + description: Label for the operation + type: string + operation: + enum: + - filters + type: string + required: + - operation + - filters + title: Filters Operation type: object + Kibana_HTTP_APIs_pieGroupByHistogram: + additionalProperties: false properties: - action: - $ref: '#/components/schemas/Cases_actions' - comment_id: - example: 578608d0-03b1-11ed-920c-974bfa104448 - nullable: true + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + field: + description: Field to be used for the histogram. type: string - created_at: - example: '2022-05-13T09:16:17.416Z' - format: date-time + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + granularity: + anyOf: + - description: Granularity of the histogram. + maximum: 7 + minimum: 1 + type: number + - enum: + - auto + type: string + default: auto + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. 
+ type: boolean + label: + description: Label for the operation type: string - created_by: + operation: + enum: + - histogram + type: string + required: + - operation + - field + title: Histogram Operation + type: object + Kibana_HTTP_APIs_pieGroupByRanges: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + field: + description: Field to be used for the range. + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - range + type: string + ranges: + items: + additionalProperties: false + type: object + properties: + gt: + description: Greater than. + type: number + label: + description: Label. + type: string + lte: + description: Less than or equal to. + type: number + maxItems: 100 + type: array + required: + - operation + - field + - ranges + title: Ranges Operation + type: object + Kibana_HTTP_APIs_pieGroupByTerms: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + excludes: + additionalProperties: false type: object properties: - email: - example: null - nullable: true - type: string - full_name: - example: null - nullable: true - type: string - profile_uid: - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - type: string - username: - example: elastic - nullable: true - type: string + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to exclude. + type: string + maxItems: 100 + type: array required: - - email - - full_name - - username - id: - example: 22fd3e30-03b1-11ed-920c-974bfa104448 + - values + fields: + items: + description: Fields to be used for the terms. 
+ type: string + maxItems: 4 + minItems: 1 + type: array + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + includes: + additionalProperties: false + type: object + properties: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to include. + type: string + maxItems: 100 + type: array + required: + - values + increase_accuracy: + description: When `true`, increases accuracy at the cost of performance. + type: boolean + label: + description: Label for the operation type: string - owner: - $ref: '#/components/schemas/Cases_owner' - payload: - oneOf: - - $ref: '#/components/schemas/Cases_payload_alert_comment' - - $ref: '#/components/schemas/Cases_payload_assignees' - - $ref: '#/components/schemas/Cases_payload_connector' - - $ref: '#/components/schemas/Cases_payload_create_case' - - $ref: '#/components/schemas/Cases_payload_delete' - - $ref: '#/components/schemas/Cases_payload_description' - - $ref: '#/components/schemas/Cases_payload_pushed' - - $ref: '#/components/schemas/Cases_payload_settings' - - $ref: '#/components/schemas/Cases_payload_severity' - - $ref: '#/components/schemas/Cases_payload_status' - - $ref: '#/components/schemas/Cases_payload_tags' - - $ref: '#/components/schemas/Cases_payload_title' - - $ref: '#/components/schemas/Cases_payload_user_comment' - type: - description: The type of action. + limit: + default: 5 + description: Number of terms to return. + type: number + operation: + enum: + - terms + type: string + other_bucket: + additionalProperties: false + type: object + properties: + include_documents_without_field: + description: When `true`, includes documents that do not have the specified field. 
+ type: boolean + required: + - include_documents_without_field + rank_by: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByAlphabetical' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByRare' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankBySignificant' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomCountOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileRankOperation' + required: + - operation + - fields + title: Terms Operation + type: object + Kibana_HTTP_APIs_pieLegend: + additionalProperties: false + description: Legend configuration for pie chart + properties: + nested: + description: Show nested legend with hierarchical breakdown levels + type: boolean + size: + $ref: '#/components/schemas/Kibana_HTTP_APIs_legendSize' + truncate_after_lines: + description: Number of lines before legend items are truncated. + maximum: 10 + minimum: 1 + title: legendTruncateAfterLines + type: number + visibility: + description: Legend visibility. 
+ enum: + - auto + - visible + - hidden + type: string + title: Legend + type: object + Kibana_HTTP_APIs_pieMetricCounterRate: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: enum: - - assignees - - category - - comment - - connector - - create_case - - customFields - - delete_case - - description - - extended_fields - - observables - - pushed - - settings - - severity - - status - - tags - - title - example: create_case + - counter_rate type: string - version: - example: WzM1ODg4LDFd + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting type: string required: - - action - - comment_id - - created_at - - created_by - - id - - owner - - payload - - type - - version - Cases_user_comment_response_properties: - title: Case response properties for user comments + - field + - operation + title: Counter Rate Operation type: object + Kibana_HTTP_APIs_pieMetricCountMetric: + additionalProperties: false properties: - comment: - example: A new comment. + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric type: string - created_at: - example: '2022-05-13T09:16:17.416Z' - format: date-time + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string - created_by: - $ref: '#/components/schemas/Cases_case_response_created_by_properties' - id: - example: 8af6ac20-74f6-11ea-b83a-553aecdb28b6 + operation: + enum: + - count type: string - owner: - $ref: '#/components/schemas/Cases_owner' - pushed_at: - example: null - format: date-time - nullable: true + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting type: string - pushed_by: - $ref: '#/components/schemas/Cases_case_response_pushed_by_properties' - type: + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - operation + title: Count Metric Operation + type: object + Kibana_HTTP_APIs_pieMetricCumulativeSum: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: enum: - - user - example: user + - cumulative_sum type: string - updated_at: - example: null - format: date-time - nullable: true + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting type: string - updated_by: - $ref: '#/components/schemas/Cases_case_response_updated_by_properties' - version: - example: 
WzIwNDMxLDFd + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting type: string required: - - type - Data_views_400_response: - title: Bad request + - field + - operation + title: Cumulative Sum Operation type: object + Kibana_HTTP_APIs_pieMetricDifferences: + additionalProperties: false properties: - error: - example: Bad Request + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string - message: + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - differences + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting type: string - statusCode: - example: 400 - type: number required: - - statusCode - - error - - message - Data_views_404_response: + - operation + - of + title: Differences Operation type: object + Kibana_HTTP_APIs_pieMetricFormula: + additionalProperties: false properties: - error: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + formula: + description: Formula + type: string + label: + description: Label for the operation + type: string + operation: enum: - - Not Found - example: Not Found + - formula type: string - message: - example: >- - Saved 
object [index-pattern/caaad6d0-920c-11ed-b36a-874bd1548a00] - not found + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting type: string - statusCode: + time_scale: + description: Time scale enum: - - 404 - example: 404 - type: integer - Data_views_allownoindex: - description: >- - Allows the data view saved object to exist before the data is available. - Defaults to `false`. - type: boolean - Data_views_create_data_view_request_object: - title: Create data view request + - s + - m + - h + - d + type: string + required: + - operation + - formula + title: Formula Operation type: object + Kibana_HTTP_APIs_pieMetricLastValue: + additionalProperties: false properties: - data_view: - description: The data view object. - type: object - properties: - allowNoIndex: - $ref: '#/components/schemas/Data_views_allownoindex' - fieldAttrs: - additionalProperties: - $ref: '#/components/schemas/Data_views_fieldattrs' - type: object - fieldFormats: - $ref: '#/components/schemas/Data_views_fieldformats' - fields: - type: object - id: - type: string - name: - description: The data view name. 
- type: string - namespaces: - $ref: '#/components/schemas/Data_views_namespaces' - runtimeFieldMap: - additionalProperties: - $ref: '#/components/schemas/Data_views_runtimefieldmap' - type: object - sourceFilters: - $ref: '#/components/schemas/Data_views_sourcefilters' - timeFieldName: - $ref: '#/components/schemas/Data_views_timefieldname' - title: - $ref: '#/components/schemas/Data_views_title' - type: - $ref: '#/components/schemas/Data_views_type' - typeMeta: - $ref: '#/components/schemas/Data_views_typemeta' - version: - type: string - required: - - title - override: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + multi_value: default: false - description: >- - Override an existing data view if a data view with the provided - title already exists. + description: Whether to return all values for multi-value fields. Only affects data table and metric charts; other charts use the last value from the array. 
type: boolean + operation: + enum: + - last_value + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_field: + description: Time field used to determine document recency + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string required: - - data_view - Data_views_data_view_response_object: - title: Data view response properties - type: object - properties: - data_view: - type: object - properties: - allowNoIndex: - $ref: '#/components/schemas/Data_views_allownoindex' - fieldAttrs: - additionalProperties: - $ref: '#/components/schemas/Data_views_fieldattrs' - type: object - fieldFormats: - $ref: '#/components/schemas/Data_views_fieldformats' - fields: - type: object - id: - example: ff959d40-b880-11e8-a6d9-e546fe2bba5f - type: string - name: - description: The data view name. - type: string - namespaces: - $ref: '#/components/schemas/Data_views_namespaces' - runtimeFieldMap: - additionalProperties: - $ref: '#/components/schemas/Data_views_runtimefieldmap' - type: object - sourceFilters: - $ref: '#/components/schemas/Data_views_sourcefilters' - timeFieldName: - $ref: '#/components/schemas/Data_views_timefieldname' - title: - $ref: '#/components/schemas/Data_views_title' - typeMeta: - $ref: '#/components/schemas/Data_views_typemeta_response' - version: - example: WzQ2LDJd - type: string - Data_views_fieldattrs: - description: A map of field attributes by field name. + - field + - operation + - time_field + title: Last Value Operation type: object + Kibana_HTTP_APIs_pieMetricMovingAverage: + additionalProperties: false properties: - count: - description: Popularity count for the field. - type: integer - customDescription: - description: Custom description for the field. 
- maxLength: 300 + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string - customLabel: - description: Custom label for the field. + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - moving_average type: string - Data_views_fieldformats: - description: A map of field formats by field name. - type: object - Data_views_namespaces: - description: >- - An array of space identifiers for sharing the data view between multiple - spaces. - items: - default: default - type: string - type: array - Data_views_runtimefieldmap: - description: A map of runtime field definitions by field name. - type: object - properties: - script: - type: object - properties: - source: - description: Script for the runtime field. - type: string - type: - description: Mapping type of the runtime field. + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + window: + default: 5 + description: Window + type: number required: - - script - - type - Data_views_sourcefilters: - description: The array of field names you want to filter out in Discover. 
- items: - type: object - properties: - value: - type: string - required: - - value - type: array - Data_views_swap_data_view_request_object: - title: Data view reference swap request + - operation + - of + title: Moving Average Operation type: object + Kibana_HTTP_APIs_pieMetricPercentile: + additionalProperties: false properties: - delete: - description: Deletes referenced saved object if all references are removed. - type: boolean - forId: - description: Limit the affected saved objects to one or more by identifier. - oneOf: - - type: string - - items: - type: string - type: array - forType: - description: Limit the affected saved objects by type. + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric type: string - fromId: - description: The saved object reference to change. + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string - fromType: - description: > - Specify the type of the saved object reference to alter. The default - value is `index-pattern` for data views. + operation: + enum: + - percentile type: string - toId: - description: New saved object reference value to replace the old value. + percentile: + default: 95 + description: Percentile + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting type: string required: - - fromId - - toId - Data_views_timefieldname: - description: The timestamp field name, which you use for time-based data views. 
- type: string - Data_views_title: - description: >- - Comma-separated list of data streams, indices, and aliases that you want - to search. Supports wildcards (`*`). - type: string - Data_views_type: - description: When set to `rollup`, identifies the rollup data views. - type: string - Data_views_typemeta: - description: >- - When you use rollup indices, contains the field list for the rollup data - view API endpoints. + - field + - operation + title: Percentile Operation type: object + Kibana_HTTP_APIs_pieMetricPercentileRanks: + additionalProperties: false properties: - aggs: - description: A map of rollup restrictions by aggregation type and field name. - type: object - params: - description: Properties for retrieving rollup fields. - type: object + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - percentile_rank + type: string + rank: + default: 0 + description: Percentile Rank + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string required: - - aggs - - params - Data_views_typemeta_response: - description: >- - When you use rollup indices, contains the field list for the rollup data - view API endpoints. 
- nullable: true + - field + - operation + title: Percentile Ranks Operation type: object + Kibana_HTTP_APIs_pieMetricStatsMetric: + additionalProperties: false properties: - aggs: - description: A map of rollup restrictions by aggregation type and field name. - type: object - params: - description: Properties for retrieving rollup fields. - type: object - Data_views_update_data_view_request_object: - title: Update data view request + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - min + - max + - average + - median + - standard_deviation + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Stats Metric Operation type: object + Kibana_HTTP_APIs_pieMetricSumMetric: + additionalProperties: false properties: - data_view: - description: > - The data view properties you want to update. Only the specified - properties are updated in the data view. Unspecified fields stay as - they are persisted. 
- type: object - properties: - allowNoIndex: - $ref: '#/components/schemas/Data_views_allownoindex' - fieldFormats: - $ref: '#/components/schemas/Data_views_fieldformats' - fields: - type: object - name: - type: string - runtimeFieldMap: - additionalProperties: - $ref: '#/components/schemas/Data_views_runtimefieldmap' - type: object - sourceFilters: - $ref: '#/components/schemas/Data_views_sourcefilters' - timeFieldName: - $ref: '#/components/schemas/Data_views_timefieldname' - title: - $ref: '#/components/schemas/Data_views_title' - type: - $ref: '#/components/schemas/Data_views_type' - typeMeta: - $ref: '#/components/schemas/Data_views_typemeta' - refresh_fields: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + empty_as_null: default: false - description: Reloads the data view fields after the data view is updated. + description: When `true`, treats empty buckets as null instead of zero. type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string required: - - data_view - Kibana_HTTP_APIs_action_id_response: + - field + - operation + title: Sum Metric Operation + type: object + Kibana_HTTP_APIs_pieMetricUniqueCountMetric: additionalProperties: false properties: - actionId: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + 
empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. + type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - unique_count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting type: string required: - - actionId - title: action_id_response + - field + - operation + title: Unique Count Metric Operation type: object - Kibana_HTTP_APIs_action_message_response: + Kibana_HTTP_APIs_pieNoESQL: additionalProperties: false + description: Pie chart configuration for standard queries properties: - message: + data_source: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' + description: + type: string + drilldowns: + items: + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. 
+ type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + group_by: + description: Array of breakdown dimensions (minimum 1) + items: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieGroupByDateHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieGroupByTerms' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieGroupByHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieGroupByRanges' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieGroupByFilters' + maxItems: 100 + minItems: 1 + type: array + hide_border: + type: boolean + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. 
+ type: boolean + legend: + $ref: '#/components/schemas/Kibana_HTTP_APIs_pieLegend' + metrics: + description: Array of metric configurations (minimum 1) + items: + anyOf: + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieMetricCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieMetricUniqueCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieMetricStatsMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieMetricSumMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieMetricLastValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieMetricPercentile' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieMetricPercentileRanks' + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieMetricDifferences' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieMetricMovingAverage' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieMetricCumulativeSum' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieMetricCounterRate' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_pieMetricFormula' + maxItems: 100 + minItems: 1 + type: array + query: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). 
+ maximum: 1 + minimum: 0 + type: number + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_pieStyling' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + type: + enum: + - pie type: string required: - - message - title: action_message_response + - type + - data_source + - metrics + title: Pie Chart (DSL) type: object - Kibana_HTTP_APIs_agent_policy_response: + Kibana_HTTP_APIs_pieStyling: additionalProperties: false + description: Visual chart styling options properties: - advanced_settings: + donut_hole: + description: 'Donut hole size. Accepted values: `none` (full pie), `s`, `m`, `l`.' + enum: + - none + - s + - m + - l + type: string + labels: additionalProperties: false + description: Label configuration for pie chart slice labels inside or outside the pie type: object properties: - agent_download_target_directory: - nullable: true - agent_download_timeout: - nullable: true - agent_features_disable_policy_change_acks_enabled: - nullable: true - agent_internal: - nullable: true - agent_limits_go_max_procs: - nullable: true - agent_logging_files_interval: - nullable: true - agent_logging_files_keepfiles: - nullable: true - agent_logging_files_rotateeverybytes: - nullable: true - agent_logging_level: - nullable: true - agent_logging_metrics_period: - nullable: true - agent_logging_to_files: - nullable: true - agent_monitoring_runtime_experimental: - nullable: true - agent_features: + position: + description: 'Slice label position: `inside` or `outside`.' + enum: + - inside + - outside + type: string + visible: + description: When `true`, displays slice labels. 
+ type: boolean + values: + $ref: '#/components/schemas/Kibana_HTTP_APIs_valueDisplay' + title: Pie chart styling + type: object + Kibana_HTTP_APIs_QueryStreamUpsertRequest: + additionalProperties: false + type: object + properties: + dashboards: + items: + type: string + type: array + queries: items: - additionalProperties: false type: object properties: - enabled: - type: boolean - name: + description: + type: string + esql: + type: object + properties: + query: + type: string + required: + - query + evidence: + items: + type: string + type: array + features: + items: + type: object + properties: + id: + type: string + run_id: + type: string + required: + - id + type: array + id: + description: A non-empty string. + minLength: 1 + type: string + severity_score: + type: number + title: + description: A non-empty string. + minLength: 1 + type: string + type: + default: match + enum: + - match + - stats type: string required: - - name - - enabled - maxItems: 100 + - id + - title + - description + - esql type: array - agentless: + rules: + items: + type: string + type: array + stream: additionalProperties: false type: object properties: - cloud_connectors: + description: + type: string + field_descriptions: + additionalProperties: + type: string + type: object + query: additionalProperties: false type: object properties: - enabled: - type: boolean - target_csp: - enum: - - aws - - azure - - gcp + esql: + type: string + view: type: string required: - - enabled - cluster_id: + - view + - esql + query_streams: + items: + type: object + properties: + name: + type: string + required: + - name + type: array + type: + enum: + - query type: string - resources: - additionalProperties: false - type: object - properties: - requests: - additionalProperties: false - type: object - properties: - cpu: - type: string - memory: - type: string - agents: - type: number - agents_per_version: + required: + - description + - type + - query + required: + - dashboards + - rules + - queries 
+ - stream + Kibana_HTTP_APIs_range_key: + additionalProperties: false + properties: + from: + anyOf: + - type: string + - type: number + ranges: items: additionalProperties: false type: object properties: - count: - type: number - version: + from: + anyOf: + - type: string + - type: number + label: type: string + to: + anyOf: + - type: string + - type: number required: - - version - - count - maxItems: 1000 + - from + - to + - label + maxItems: 100 type: array - created_at: - type: string - data_output_id: - nullable: true + to: + anyOf: + - type: string + - type: number + type: + enum: + - range_key type: string - description: + required: + - type + - from + - to + - ranges + title: Range Key + type: object + Kibana_HTTP_APIs_rangesOperation: + additionalProperties: false + properties: + field: + description: Field to be used for the range. type: string - download_source_id: - nullable: true + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string - fips_agents: - type: number - fleet_server_host_id: - nullable: true + operation: + enum: + - range type: string - global_data_tags: - description: >- - User defined data tags that are added to all of the inputs. The - values can be strings or numbers. + ranges: items: additionalProperties: false type: object properties: - name: + gt: + description: Greater than. + type: number + label: + description: Label. type: string - value: - anyOf: - - type: string - - type: number - required: - - name - - value + lte: + description: Less than or equal to. 
+ type: number maxItems: 100 type: array - has_agent_version_conditions: - type: boolean - has_fleet_server: - type: boolean - id: + required: + - operation + - field + - ranges + title: Ranges Operation + type: object + Kibana_HTTP_APIs_reauthorize_transform_request: + additionalProperties: false + properties: + transforms: + items: + additionalProperties: false + type: object + properties: + transformId: + type: string + required: + - transformId + maxItems: 1000 + type: array + required: + - transforms + title: reauthorize_transform_request + type: object + Kibana_HTTP_APIs_RecursiveRecord: + additionalProperties: + anyOf: + - anyOf: + - type: string + - type: number + - type: boolean + - nullable: true + - {} + - items: + anyOf: + - type: string + - type: number + - type: boolean + - nullable: true + - {} + type: array + - items: {} + type: array + - $ref: '#/components/schemas/Kibana_HTTP_APIs_RecursiveRecord' + type: object + Kibana_HTTP_APIs_regionMapESQL: + additionalProperties: false + description: Region Map configuration using an ES|QL query, mapping metric values to geographic regions by color. + properties: + data_source: + $ref: '#/components/schemas/Kibana_HTTP_APIs_esqlDataSource' + description: type: string - inactivity_timeout: - default: 1209600 - minimum: 0 - type: number - is_default: - type: boolean - is_default_fleet_server: - type: boolean - is_managed: - type: boolean - is_preconfigured: - type: boolean - is_protected: - description: >- - Indicates whether the agent policy has tamper protection enabled. - Default false. + drilldowns: + items: + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. 
+ type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. + type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + hide_border: type: boolean - is_verifier: + hide_title: type: boolean - keep_monitoring_alive: + ignore_global_filters: default: false - description: >- - When set to true, monitoring will be enabled but logs/metrics - collection will be disabled - nullable: true + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. 
type: boolean - min_agent_version: - nullable: true - type: string - monitoring_diagnostics: + metric: additionalProperties: false type: object properties: - limit: - additionalProperties: false - type: object - properties: - burst: - type: number - interval: - type: string - uploader: - additionalProperties: false - type: object - properties: - init_dur: - type: string - max_dur: - type: string - max_retries: - type: number - monitoring_enabled: + column: + description: Column to use + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + required: + - column + references: items: - enum: - - logs - - metrics - - traces - type: string - maxItems: 3 + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' type: array - monitoring_http: + region: additionalProperties: false type: object properties: - buffer: + column: + description: Column to use + type: string + ems: additionalProperties: false type: object properties: - enabled: - default: false - type: boolean - enabled: - type: boolean - host: + boundaries: + description: EMS boundaries + type: string + join: + description: EMS join field + type: string + required: + - boundaries + - join + label: + description: Label for the operation type: string - port: - maximum: 65353 - minimum: 0 - type: number - monitoring_output_id: - nullable: true + required: + - column + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). 
+ maximum: 1 + minimum: 0 + type: number + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: type: string - monitoring_pprof_enabled: - type: boolean - name: - minLength: 1 + type: + enum: + - region_map type: string - namespace: - minLength: 1 + required: + - type + - data_source + - metric + - region + title: Region Map (ES|QL) + type: object + Kibana_HTTP_APIs_regionMapNoESQL: + additionalProperties: false + description: Region Map configuration using a data view, mapping metric values to geographic regions by color. + properties: + data_source: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' + description: type: string - overrides: - additionalProperties: - nullable: true - description: >- - Override settings that are defined in the agent policy. Input - settings cannot be overridden. The override option should be used - only in unusual circumstances and not as a routine procedure. - nullable: true - type: object - package_agent_version_conditions: + drilldowns: items: - additionalProperties: false - type: object - properties: - name: - type: string - title: - type: string - version_condition: - type: string - required: - - name - - title - - version_condition - maxItems: 1000 - nullable: true + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. 
+ type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. + type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 type: array - package_policies: + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + hide_border: + type: boolean + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. 
+ type: boolean + metric: anyOf: - - items: - type: string - maxItems: 10000 - type: array - - description: >- - This field is present only when retrieving a single agent - policy, or when retrieving a list of agent policies with the - ?full=true parameter - items: - $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_response' - maxItems: 10000 - type: array - required_versions: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_formulaOperation' + description: Metric dimension using a field-based aggregation or a mathematical formula. + title: Field Metric or Formula Operation + query: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + references: items: - additionalProperties: false - type: object - properties: - percentage: - description: Target percentage of agents to auto upgrade - maximum: 100 - minimum: 0 - type: number - version: - description: Target version for automatic agent upgrade - type: string - required: - - version - - percentage - maxItems: 100 - nullable: true + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' type: array - revision: + region: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_regionMapRegionDateHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_regionMapRegionTerms' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_regionMapRegionHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_regionMapRegionRanges' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_regionMapRegionFilters' + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). 
+ maximum: 1 + minimum: 0 type: number - schema_version: + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: type: string - space_ids: - items: - type: string - maxItems: 100 - type: array - status: + type: enum: - - active - - inactive + - region_map type: string - supports_agentless: - default: false - description: Indicates whether the agent policy supports agentless integrations. - nullable: true + required: + - type + - data_source + - metric + - region + title: Region Map (DSL) + type: object + Kibana_HTTP_APIs_regionMapRegionDateHistogram: + additionalProperties: false + properties: + drop_partial_intervals: + description: When `true`, drops partial intervals from the results. type: boolean - unenroll_timeout: - minimum: 0 - type: number - unprivileged_agents: - type: number - updated_at: + ems: + additionalProperties: false + type: object + properties: + boundaries: + description: EMS boundaries + type: string + join: + description: EMS join field + type: string + required: + - boundaries + - join + field: + description: Field to be used for the date histogram. + type: string + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. + type: boolean + label: + description: Label for the operation type: string - updated_by: + operation: + enum: + - date_histogram type: string - version: + suggested_interval: + default: auto + description: Suggested time interval. type: string + use_original_time_range: + default: false + description: When `true`, uses the original time range instead of the current query time range. 
+ type: boolean required: - - id - - name - - namespace - - is_protected - - status - - updated_at - - updated_by - - revision - title: agent_policy_response + - operation + - field + title: Date Histogram Operation type: object - Kibana_HTTP_APIs_bulk_delete_enrollment_api_keys_request: + Kibana_HTTP_APIs_regionMapRegionFilters: additionalProperties: false properties: - forceDelete: - default: false - description: >- - When false (default), invalidate the API key and mark the token as - inactive. When true, also delete the token document. - type: boolean - includeHidden: - default: false - description: >- - When true, allow deletion of hidden enrollment tokens - (managed/agentless policies). Defaults to false. - type: boolean - kuery: - description: KQL query to select enrollment tokens to delete. - type: string - tokenIds: - description: List of enrollment token IDs to delete. + ems: + additionalProperties: false + type: object + properties: + boundaries: + description: EMS boundaries + type: string + join: + description: EMS join field + type: string + required: + - boundaries + - join + filters: items: - type: string - maxItems: 10000 + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterWithLabel' + maxItems: 100 type: array - title: bulk_delete_enrollment_api_keys_request + label: + description: Label for the operation + type: string + operation: + enum: + - filters + type: string + required: + - operation + - filters + title: Filters Operation type: object - Kibana_HTTP_APIs_bulk_delete_enrollment_api_keys_response: + Kibana_HTTP_APIs_regionMapRegionHistogram: additionalProperties: false properties: - action: + ems: + additionalProperties: false + type: object + properties: + boundaries: + description: EMS boundaries + type: string + join: + description: EMS join field + type: string + required: + - boundaries + - join + field: + description: Field to be used for the histogram. 
+ type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + granularity: + anyOf: + - description: Granularity of the histogram. + maximum: 7 + minimum: 1 + type: number + - enum: + - auto + type: string + default: auto + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. + type: boolean + label: + description: Label for the operation + type: string + operation: + enum: + - histogram type: string - count: - type: number - errorCount: - type: number - successCount: - type: number required: - - action - - count - - successCount - - errorCount - title: bulk_delete_enrollment_api_keys_response + - operation + - field + title: Histogram Operation type: object - Kibana_HTTP_APIs_bulk_get_agent_policies_response: + Kibana_HTTP_APIs_regionMapRegionRanges: additionalProperties: false properties: - items: + ems: + additionalProperties: false + type: object + properties: + boundaries: + description: EMS boundaries + type: string + join: + description: EMS join field + type: string + required: + - boundaries + - join + field: + description: Field to be used for the range. + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - range + type: string + ranges: items: - $ref: '#/components/schemas/Kibana_HTTP_APIs_agent_policy_response' - maxItems: 10000 + additionalProperties: false + type: object + properties: + gt: + description: Greater than. + type: number + label: + description: Label. + type: string + lte: + description: Less than or equal to. 
+ type: number + maxItems: 100 type: array required: - - items - title: bulk_get_agent_policies_response + - operation + - field + - ranges + title: Ranges Operation type: object - Kibana_HTTP_APIs_bulk_get_package_policies_response: + Kibana_HTTP_APIs_regionMapRegionTerms: additionalProperties: false properties: - items: + ems: + additionalProperties: false + type: object + properties: + boundaries: + description: EMS boundaries + type: string + join: + description: EMS join field + type: string + required: + - boundaries + - join + excludes: + additionalProperties: false + type: object + properties: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to exclude. + type: string + maxItems: 100 + type: array + required: + - values + fields: items: - $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_response' - maxItems: 10000 + description: Fields to be used for the terms. + type: string + maxItems: 4 + minItems: 1 type: array + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + includes: + additionalProperties: false + type: object + properties: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to include. + type: string + maxItems: 100 + type: array + required: + - values + increase_accuracy: + description: When `true`, increases accuracy at the cost of performance. + type: boolean + label: + description: Label for the operation + type: string + limit: + default: 5 + description: Number of terms to return. + type: number + operation: + enum: + - terms + type: string + other_bucket: + additionalProperties: false + type: object + properties: + include_documents_without_field: + description: When `true`, includes documents that do not have the specified field. 
+ type: boolean + required: + - include_documents_without_field + rank_by: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByAlphabetical' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByRare' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankBySignificant' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomCountOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileRankOperation' required: - - items - title: bulk_get_package_policies_response + - operation + - fields + title: Terms Operation type: object - Kibana_HTTP_APIs_bulk_install_packages_from_registry_request: + Kibana_HTTP_APIs_review_upgrade_request: additionalProperties: false properties: - force: - default: false - type: boolean - packages: - items: - anyOf: - - type: string - - additionalProperties: false - type: object - properties: - name: - type: string - prerelease: - type: boolean - version: - type: string - required: - - name - - version - maxItems: 1000 - minItems: 1 - type: array + action: + enum: + - accept + - decline + - pending + type: string + target_version: + type: string required: - - packages - title: bulk_install_packages_from_registry_request + - action + - target_version + title: review_upgrade_request type: object - Kibana_HTTP_APIs_bulk_install_packages_from_registry_response: + Kibana_HTTP_APIs_review_upgrade_response: additionalProperties: false properties: - items: - items: - anyOf: - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_bulk_install_packages_response_item_success - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_bulk_install_packages_response_item_error - maxItems: 10000 - type: array + success: + type: boolean required: - - items - title: 
bulk_install_packages_from_registry_response + - success + title: review_upgrade_response type: object - Kibana_HTTP_APIs_bulk_install_packages_response_item_error: + Kibana_HTTP_APIs_rollback_package_response: additionalProperties: false properties: - error: - anyOf: - - type: string - - nullable: true - name: + success: + type: boolean + version: type: string - statusCode: + required: + - version + - success + title: rollback_package_response + type: object + Kibana_HTTP_APIs_rule_flapping: + additionalProperties: false + description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. + properties: + enabled: + description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state. + type: boolean + look_back_window: + description: The minimum number of runs in which the threshold must be met. + maximum: 20 + minimum: 2 + type: number + status_change_threshold: + description: The minimum number of times an alert must switch states within the defined look back window time. + maximum: 20 + minimum: 2 type: number required: - - name - - statusCode - title: bulk_install_packages_response_item_error + - look_back_window + - status_change_threshold + title: rule_flapping type: object - Kibana_HTTP_APIs_bulk_install_packages_response_item_success: + Kibana_HTTP_APIs_rule_response: additionalProperties: false properties: - name: + actions: + items: + additionalProperties: false + type: object + properties: + alerts_filter: + additionalProperties: false + description: Defines a period that limits whether the action runs. + type: object + properties: + query: + $ref: '#/components/schemas/Kibana_HTTP_APIs_alerts_filter_query' + timeframe: + additionalProperties: false + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. 
For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + type: object + properties: + end: + description: The end of the time frame, in 24-hour notation (`hh:mm`). + type: string + start: + description: The start of the time frame, in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in support for daylight savings time and are not recommended. + type: string + required: + - days + - hours + - timezone + connector_type_id: + description: The type of connector. This property appears in responses but cannot be set in requests. + type: string + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: 'Indicates how frequently rule actions are triggered. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: The throttle interval defines how frequently rule actions are triggered. 
It is specified in seconds, minutes, hours, or days and only applies when 'notify_when' is set to 'onThrottleInterval'. You cannot set the throttle interval at both the rule and action level. The recommended approach is to set it for each action individually. If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. + nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: + nullable: true + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + - connector_type_id + - params + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + api_key_created_by_user: + description: Indicates whether the API key that is associated with the rule was created by the user. + nullable: true + type: boolean + api_key_owner: + description: The owner of the API key that is associated with the rule and used to run background tasks. 
+ nullable: true type: string - result: + artifacts: additionalProperties: false type: object properties: - assets: + dashboards: items: - anyOf: - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_kibana_asset_reference - - $ref: '#/components/schemas/Kibana_HTTP_APIs_es_asset_reference' - maxItems: 10000 + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + description: User-created content that describes alert causes and remediation. + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + created_at: + description: The date and time that the rule was created. + type: string + created_by: + description: The identifier for the user that created the rule. + nullable: true + type: string + enabled: + description: Indicates whether you want the rule to run on an interval basis after it is created. + type: boolean + execution_status: + additionalProperties: false + type: object + properties: error: - nullable: true - installSource: - type: string - installType: + additionalProperties: false + type: object + properties: + message: + description: Error message. + type: string + reason: + description: Reason for error. + enum: + - read + - decrypt + - execute + - unknown + - license + - timeout + - disabled + - validate + type: string + required: + - reason + - message + last_duration: + description: Duration of last rule execution. + type: number + last_execution_date: + description: The date and time of the last rule execution. type: string status: + description: Status of rule execution. 
enum: - - installed - - already_installed + - ok + - active + - error + - warning + - pending + - unknown type: string + warning: + additionalProperties: false + type: object + properties: + message: + description: Warning message. + type: string + reason: + description: Reason for warning. + enum: + - maxExecutableActions + - maxAlerts + - maxQueuedActions + - ruleExecution + type: string + required: + - reason + - message required: - - error - - installType - version: + - status + - last_execution_date + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + id: + description: The identifier for the rule. type: string - required: - - name - - version - - result - title: bulk_install_packages_response_item_success - type: object - Kibana_HTTP_APIs_bulk_namespace_customization_request: - additionalProperties: false - properties: - disable: - description: >- - Namespaces to disable namespace-level customization for on each - package. - items: - type: string - maxItems: 100 - type: array - enable: - description: >- - Namespaces to enable namespace-level customization for on each - package. + last_run: + additionalProperties: false + nullable: true + type: object + properties: + alerts_count: + additionalProperties: false + type: object + properties: + active: + description: Number of active alerts during last run. + nullable: true + type: number + ignored: + description: Number of ignored alerts during last run. + nullable: true + type: number + new: + description: Number of new alerts during last run. + nullable: true + type: number + recovered: + description: Number of recovered alerts during last run. + nullable: true + type: number + outcome: + description: Outcome of the last rule run. Value can be succeeded, warning, or failed. + enum: + - succeeded + - warning + - failed + type: string + outcome_msg: + items: + description: Outcome message generated during last rule run. 
+ type: string + nullable: true + type: array + outcome_order: + description: Order of the outcome. + type: number + warning: + description: Warning of last rule execution. + enum: + - read + - decrypt + - execute + - unknown + - license + - timeout + - disabled + - validate + - maxExecutableActions + - maxAlerts + - maxQueuedActions + - ruleExecution + nullable: true + type: string + required: + - outcome + - alerts_count + mapped_params: + additionalProperties: + nullable: true + type: object + mute_all: + description: Indicates whether all alerts are muted. + type: boolean + muted_alert_ids: items: + description: 'List of identifiers of muted alerts. ' type: string - maxItems: 100 type: array - packages: - description: Package names to apply the customization changes to. + name: + description: ' The name of the rule.' + type: string + next_run: + description: Date and time of the next rule run. + nullable: true + type: string + notify_when: + description: 'Indicates how frequently rule actions are triggered. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: + nullable: true + description: The parameters for the rule. + type: object + revision: + description: The rule revision number. + type: number + rule_type_id: + description: The rule type identifier. 
+ type: string + running: + description: Indicates whether the rule is running. + nullable: true + type: boolean + schedule: + additionalProperties: false + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + scheduled_task_id: + description: Identifier of the scheduled task. + type: string + tags: items: + description: The tags for the rule. type: string - maxItems: 1000 - minItems: 1 - type: array - required: - - packages - title: bulk_namespace_customization_request - type: object - Kibana_HTTP_APIs_bulk_namespace_customization_response: - additionalProperties: false - properties: - items: - items: - additionalProperties: false - type: object - properties: - error: - type: string - name: - type: string - namespace_customization_enabled_for: - description: >- - The opt-in list on the package. Returned whenever the package - is installed: the new list on success, or the unchanged list - when the request is rejected (for example, because of a - namespace-prefix restriction). - items: - type: string - maxItems: 100 - type: array - success: - type: boolean - required: - - name - - success - maxItems: 1000 type: array + throttle: + deprecated: true + description: Deprecated in 8.13.0. Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how frequently rule actions are triggered. You cannot specify the throttle interval at both the rule and action level. If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. + nullable: true + type: string + updated_at: + description: The date and time of the latest updates to the rule. + type: string + updated_by: + description: The identifier for the user who was the last to update the rule. 
+ nullable: true + type: string required: - - items - title: bulk_namespace_customization_response + - id + - enabled + - name + - tags + - rule_type_id + - consumer + - schedule + - actions + - params + - created_by + - updated_by + - created_at + - updated_at + - api_key_owner + - mute_all + - muted_alert_ids + - execution_status + - revision + title: rule_response type: object - Kibana_HTTP_APIs_bulk_rollback_packages_request: + Kibana_HTTP_APIs_schedule_request: additionalProperties: false properties: - packages: - items: - additionalProperties: false - type: object - properties: - name: - description: Package name to rollback + duration: + description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' + type: string + recurring: + additionalProperties: false + type: object + properties: + end: + description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' + type: string + every: + description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' + type: string + occurrences: + description: The total number of recurrences of the schedule. + minimum: 1 + type: number + onMonth: + description: The specific months for a recurring schedule. Valid values are 1-12. + items: + maximum: 12 + minimum: 1 + type: number + minItems: 1 + type: array + onMonthDay: + description: The specific days of the month for a recurring schedule. Valid values are 1-31. + items: + maximum: 31 + minimum: 1 + type: number + minItems: 1 + type: array + onWeekDay: + description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. 
+ items: type: string - required: - - name - maxItems: 1000 - minItems: 1 - type: array - required: - - packages - title: bulk_rollback_packages_request - type: object - Kibana_HTTP_APIs_bulk_rollback_packages_response: - additionalProperties: false - properties: - taskId: + minItems: 1 + type: array + start: + description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' + type: string + timezone: + description: The timezone of the schedule. The default timezone is UTC. type: string required: - - taskId - title: bulk_rollback_packages_response + - start + - duration + title: schedule_request type: object - Kibana_HTTP_APIs_bulk_uninstall_packages_request: + Kibana_HTTP_APIs_security_bulk_create_or_update_roles_response: additionalProperties: false + description: The response payload for the bulk create-or-update roles API. properties: - force: - default: false - type: boolean - packages: + created: items: - additionalProperties: false - type: object - properties: - name: - type: string - version: - type: string - required: - - name - - version - maxItems: 1000 - minItems: 1 + description: The name of a role that was created. + type: string type: array - required: - - packages - title: bulk_uninstall_packages_request - type: object - Kibana_HTTP_APIs_bulk_upgrade_packages_request: - additionalProperties: false - properties: - force: - default: false - type: boolean - packages: + errors: + additionalProperties: + $ref: '#/components/schemas/Kibana_HTTP_APIs_security_bulk_roles_error_detail' + type: object + noop: items: - additionalProperties: false - type: object - properties: - name: - type: string - version: - type: string - required: - - name - maxItems: 1000 - minItems: 1 + description: The name of a role that was unchanged by the request. 
+ type: string type: array - prerelease: - type: boolean - upgrade_package_policies: - default: false - type: boolean - required: - - packages - title: bulk_upgrade_packages_request + updated: + items: + description: The name of a role that was updated. + type: string + type: array + title: security_bulk_create_or_update_roles_response type: object - Kibana_HTTP_APIs_bulk_upgrade_packages_response: + Kibana_HTTP_APIs_security_bulk_roles_error_detail: additionalProperties: false + description: Error information for a single role in a bulk create-or-update request. properties: - taskId: + reason: + description: A human readable error reason. + type: string + type: + description: The error type. type: string required: - - taskId - title: bulk_upgrade_packages_response + - type + - reason + title: security_bulk_roles_error_detail type: object - Kibana_HTTP_APIs_category_summary_item: + Kibana_HTTP_APIs_security_query_roles_body: additionalProperties: false + description: The request body for querying roles. properties: - count: + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_security_query_roles_filters' + from: type: number - id: - type: string - parent_id: - type: string - parent_title: - type: string - title: + query: type: string - required: - - id - - title - - count - title: category_summary_item + size: + type: number + sort: + $ref: '#/components/schemas/Kibana_HTTP_APIs_security_query_roles_sort' + title: security_query_roles_body type: object - Kibana_HTTP_APIs_copy_agent_policy_request: + Kibana_HTTP_APIs_security_query_roles_filters: additionalProperties: false + description: The filter criteria for the query. 
properties: - description: - type: string - name: - minLength: 1 - type: string - required: - - name - title: copy_agent_policy_request + showReservedRoles: + type: boolean + title: security_query_roles_filters type: object - Kibana_HTTP_APIs_create_custom_integration_request: + Kibana_HTTP_APIs_security_query_roles_response: additionalProperties: false + description: The response payload for a roles query. properties: - datasets: + count: + description: The number of roles returned in this response page. + type: number + roles: items: - additionalProperties: false - type: object - properties: - name: - type: string - type: - enum: - - logs - - metrics - - traces - - synthetics - - profiling - type: string - required: - - name - - type - maxItems: 10 + $ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_response' type: array - force: - type: boolean - integrationName: + total: + description: The total number of roles that match the query. + type: number + required: + - roles + - count + - total + title: security_query_roles_response + type: object + Kibana_HTTP_APIs_security_query_roles_sort: + additionalProperties: false + description: The sort criteria for the query. + properties: + direction: + enum: + - asc + - desc + type: string + field: type: string required: - - integrationName - - datasets - title: create_custom_integration_request + - field + - direction + title: security_query_roles_sort type: object - Kibana_HTTP_APIs_create_package_policy_request: + Kibana_HTTP_APIs_security_role_elasticsearch: additionalProperties: false + description: The Elasticsearch cluster, index, and remote cluster security privileges for the role. properties: - additional_datastreams_permissions: - description: >- - Additional datastream permissions, that will be added to the agent - policy. + cluster: items: + description: Cluster privileges that define the cluster level actions that users can perform. 
type: string + maxItems: 100 + type: array + indices: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_indices_privileges' maxItems: 1000 - nullable: true type: array - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. - nullable: true - type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. - maxLength: 255 - minLength: 1 - nullable: true - type: string - condition: - description: >- - **Experimental.** Agent condition expression to evaluate whether to - apply this integration to its inputs. - type: string - description: - description: Package policy description - type: string - enabled: - type: boolean - force: - description: >- - Force package policy creation even if the package is not verified, - or if the agent policy is managed. - type: boolean - global_data_tags: + remote_cluster: items: - additionalProperties: false - type: object - properties: - name: - description: The name of the custom field. Cannot contain spaces. - type: string - value: - anyOf: - - type: string - - type: number - description: The value of the custom field. - required: - - name - - value + $ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_remote_cluster_privileges' maxItems: 100 - nullable: true type: array - id: - description: Package policy unique identifier - type: string - inputs: + remote_indices: items: - additionalProperties: false - type: object - properties: - condition: - description: >- - **Experimental.** Agent condition expression to evaluate - whether to apply this input. 
- type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation for more - information) - type: object - deprecated: - $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - condition: - description: >- - **Experimental.** Agent condition expression to evaluate - whether to apply this stream. - type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation for more - information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: >- - Variable group selections. Maps var_group name to the - selected option name within that group. 
- type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation for more - information) - type: object - required: - - enabled - - data_stream - - compiled_stream - - deprecated - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: >- - Variable group selections. Maps var_group name to the selected - option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation for more - information) - type: object - required: - - type - - enabled - - deprecated + $ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_remote_indices_privileges' maxItems: 1000 type: array - is_managed: + run_as: + items: + description: A username that members of this role can impersonate. + type: string + maxItems: 100 + type: array + title: security_role_elasticsearch + type: object + Kibana_HTTP_APIs_security_role_indices_privileges: + additionalProperties: false + description: The indices privileges entry. + properties: + allow_restricted_indices: + description: Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. 
If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field covers the restricted indices too. type: boolean - name: - description: Unique name for the package policy. - type: string - namespace: - description: >- - The package policy namespace. Leave blank to inherit the agent - policy's namespace. - type: string - output_id: - nullable: true - type: string - overrides: - additionalProperties: false - description: >- - Override settings that are defined in the package policy. The - override option should be used only in unusual circumstances and not - as a routine procedure. - nullable: true + field_security: + additionalProperties: + items: + description: The document fields that the role members have read access to. + type: string + maxItems: 1000 + type: array type: object - properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_package' - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. - nullable: true - type: string - policy_ids: + names: items: - description: >- - IDs of the agent policies which that package policy will be added - to. + description: The data streams, indices, and aliases to which the permissions in this entry apply. It supports wildcards (*). type: string - maxItems: 1000 + maxItems: 100 + minItems: 1 type: array - spaceIds: + privileges: items: + description: The index level privileges that the role members have for the data streams and indices. type: string maxItems: 100 + minItems: 1 type: array - supports_agentless: - default: false - deprecated: true - description: >- - Indicates whether the package policy belongs to an agentless agent - policy. Deprecated in favor of the Fleet agentless policies API. 
- nullable: true - type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. - nullable: true - type: boolean - var_group_selections: - additionalProperties: - type: string - description: >- - Variable group selections. Maps var_group name to the selected - option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation for more - information) - type: object - required: - - name - - package - - inputs - title: create_package_policy_request - type: object - Kibana_HTTP_APIs_create_package_policy_response: - additionalProperties: false - properties: - item: - $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_response' - required: - - item - title: create_package_policy_response - type: object - Kibana_HTTP_APIs_delete_agent_policy_request: - additionalProperties: false - properties: - agentPolicyId: - description: The ID of the agent policy + query: + description: A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members. type: string - force: - description: bypass validation checks that can prevent agent policy deletion - type: boolean required: - - agentPolicyId - title: delete_agent_policy_request + - names + - privileges + title: security_role_indices_privileges type: object - Kibana_HTTP_APIs_delete_agent_policy_response: + Kibana_HTTP_APIs_security_role_kibana_application: additionalProperties: false + description: A raw Elasticsearch application privilege entry tied to Kibana. 
properties: - id: - type: string - name: + application: type: string + privileges: + items: + type: string + type: array + resources: + items: + type: string + type: array required: - - id - - name - title: delete_agent_policy_response + - application + - privileges + - resources + title: security_role_kibana_application type: object - Kibana_HTTP_APIs_delete_enrollment_api_key_response: + Kibana_HTTP_APIs_security_role_kibana_privilege: additionalProperties: false + description: The Kibana privilege entry for the role. properties: - action: - enum: - - deleted - type: string + base: + anyOf: + - items: {} + type: array + - type: boolean + - type: number + - type: object + - type: string + nullable: true + oneOf: + - items: + description: A base privilege that grants applies to all spaces. + type: string + maxItems: 50 + type: array + - items: + description: A base privilege that applies to specific spaces. + type: string + maxItems: 50 + type: array + feature: + additionalProperties: + items: + description: The privileges that the role member has for the feature. + type: string + maxItems: 100 + type: array + type: object + spaces: + anyOf: + - items: + enum: + - '*' + type: string + maxItems: 1 + minItems: 1 + type: array + - items: + description: A space that the privilege applies to. + type: string + maxItems: 1000 + type: array + default: + - '*' required: - - action - title: delete_enrollment_api_key_response + - base + title: security_role_kibana_privilege type: object - Kibana_HTTP_APIs_delete_one_package_policy_response: + Kibana_HTTP_APIs_security_role_kibana_privilege_response: additionalProperties: false + description: A Kibana privilege entry returned for a role. properties: - id: - type: string + _reserved: + items: + description: A reserved Kibana privilege granted globally. + type: string + type: array + base: + items: + description: A base Kibana privilege. 
+ type: string + type: array + feature: + additionalProperties: + items: + description: A privilege the role member has for the feature. + type: string + type: array + type: object + spaces: + items: + description: A space that the privilege applies to. The wildcard `*` indicates all spaces. + type: string + type: array required: - - id - title: delete_one_package_policy_response + - spaces + - base + - feature + title: security_role_kibana_privilege_response type: object - Kibana_HTTP_APIs_delete_package_datastream_assets_response: + Kibana_HTTP_APIs_security_role_put_payload: additionalProperties: false + description: The role definition to create or update. properties: - success: - type: boolean + description: + description: A description for the role. + maxLength: 2048 + type: string + elasticsearch: + $ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_elasticsearch' + kibana: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_kibana_privilege' + type: array + metadata: + additionalProperties: + nullable: true + type: object required: - - success - title: delete_package_datastream_assets_response + - elasticsearch + title: security_role_put_payload type: object - Kibana_HTTP_APIs_delete_package_policies_request: + Kibana_HTTP_APIs_security_role_remote_cluster_privileges: additionalProperties: false + description: The remote cluster privileges entry. properties: - force: - type: boolean - packagePolicyIds: + clusters: items: + description: A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions. type: string - maxItems: 1000 + maxItems: 100 + minItems: 1 + type: array + privileges: + items: + description: The cluster level privileges for the remote cluster. The allowed values are a subset of the cluster privileges. 
+ type: string + maxItems: 100 + minItems: 1 type: array required: - - packagePolicyIds - title: delete_package_policies_request + - privileges + - clusters + title: security_role_remote_cluster_privileges type: object - Kibana_HTTP_APIs_delete_package_response: + Kibana_HTTP_APIs_security_role_remote_indices_privileges: additionalProperties: false + description: The remote indices privileges entry. properties: - items: + allow_restricted_indices: + description: Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field will cover the restricted indices too. + type: boolean + clusters: items: - anyOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_kibana_asset_reference' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_es_asset_reference' - maxItems: 10000 + description: A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions. + type: string + maxItems: 100 + minItems: 1 type: array + field_security: + additionalProperties: + items: + description: The document fields that the role members have read access to. + type: string + maxItems: 1000 + type: array + type: object + names: + items: + description: A list of remote aliases, data streams, or indices to which the permissions apply. It supports wildcards (*). + type: string + maxItems: 100 + minItems: 1 + type: array + privileges: + items: + description: The index level privileges that role members have for the specified indices. 
+ type: string + maxItems: 100 + minItems: 1 + type: array + query: + description: 'A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members. ' + type: string required: - - items - title: delete_package_response + - clusters + - names + - privileges + title: security_role_remote_indices_privileges type: object - Kibana_HTTP_APIs_deprecation_info: + Kibana_HTTP_APIs_security_role_response: additionalProperties: false + description: A Kibana role definition returned by the Roles API. properties: + _transform_error: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_transform_error' + type: array + _unrecognized_applications: + items: + description: Application names found on the role that are not recognized by Kibana. + type: string + type: array description: + description: A description for the role. type: string - replaced_by: + elasticsearch: + $ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_elasticsearch' + kibana: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_kibana_privilege_response' + type: array + metadata: additionalProperties: - type: string + nullable: true type: object - since: + name: + description: The role name. type: string + transient_metadata: + additionalProperties: + nullable: true + type: object required: - - description - title: deprecation_info + - name + - elasticsearch + - kibana + title: security_role_response type: object - x-oas-optional: true - Kibana_HTTP_APIs_dry_run_package_policies_request: + Kibana_HTTP_APIs_security_role_transform_error: additionalProperties: false + description: Diagnostic information about a role whose Kibana privileges could not be transformed. properties: - packagePolicyIds: + reason: + description: The reason the role could not be fully transformed. 
+ type: string + state: items: - type: string - maxItems: 1000 + $ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_kibana_application' type: array - packageVersion: - type: string required: - - packagePolicyIds - title: dry_run_package_policies_request + - reason + title: security_role_transform_error type: object - Kibana_HTTP_APIs_dry_run_package_policy: - additionalProperties: true + Kibana_HTTP_APIs_security_roles_bulk_create_or_update_payload: + additionalProperties: false + description: The request body for bulk creating or updating roles. + properties: + roles: + additionalProperties: + $ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_put_payload' + type: object + required: + - roles + title: security_roles_bulk_create_or_update_payload + type: object + Kibana_HTTP_APIs_simplified_create_package_policy_request: + additionalProperties: false properties: additional_datastreams_permissions: - description: >- - Additional datastream permissions, that will be added to the agent - policy. + description: Additional data stream permissions that will be added to the agent policy. items: type: string - maxItems: 1000 + maxItems: 100 nullable: true type: array - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. - nullable: true - type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. - maxLength: 255 - minLength: 1 - nullable: true - type: string + cloud_connector: + additionalProperties: false + type: object + properties: + cloud_connector_id: + description: ID of an existing cloud connector to reuse. If not provided, a new connector will be created. + type: string + enabled: + default: false + description: Whether cloud connectors are enabled for this policy. + type: boolean + name: + description: Optional name for the cloud connector. If not provided, will be auto-generated from credentials. 
+ maxLength: 255 + minLength: 1 + type: string + target_csp: + description: Target cloud service provider. If not provided, will be auto-detected from inputs. + enum: + - aws + - azure + - gcp + type: string condition: - description: >- - **Experimental.** Agent condition expression to evaluate whether to - apply this integration to its inputs. - type: string - created_at: - type: string - created_by: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this integration to its inputs.' type: string description: - description: Package policy description + description: Policy description. type: string - elasticsearch: - additionalProperties: true - type: object - properties: - privileges: - additionalProperties: true - type: object - properties: - cluster: - items: - type: string - maxItems: 100 - type: array - enabled: - type: boolean - errors: - items: - additionalProperties: false - type: object - properties: - key: - type: string - message: - type: string - required: - - message - maxItems: 10 - type: array force: + description: Force package policy creation even if the package is not verified, or if the agent policy is managed. type: boolean global_data_tags: items: 
@@ -57165,2217 +106955,4668 @@ components: - name - value maxItems: 100 - nullable: true type: array id: + description: Policy unique identifier. type: string inputs: - items: + additionalProperties: additionalProperties: false type: object properties: - compiled_input: - nullable: true condition: - description: >- - **Experimental.** Agent condition expression to evaluate - whether to apply this input. + description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation for more - information) - type: object deprecated: $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' enabled: + description: Enable or disable that input. Defaults to `true` (enabled). type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string streams: - items: + additionalProperties: additionalProperties: false type: object properties: - compiled_stream: - nullable: true condition: - description: >- - **Experimental.** Agent condition expression to evaluate - whether to apply this stream. + description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' 
type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation for more - information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset deprecated: $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' enabled: + description: Enable or disable that stream. Defaults to `true` (enabled). type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - release: - enum: - - ga - - beta - - experimental - type: string var_group_selections: additionalProperties: type: string - description: >- - Variable group selections. Maps var_group name to the - selected option name within that group. + description: Variable group selections. Maps var_group name to the selected option name within that group. 
type: object vars: additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation for more - information) + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. type: object - required: - - enabled - - data_stream - - compiled_stream - - deprecated - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: >- - Variable group selections. Maps var_group name to the selected - option name within that group. + description: Input streams. Refer to the integration documentation to know which streams are available. type: object vars: additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation for more - information) + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false + type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + description: Package policy inputs. 
Refer to the integration documentation to know which inputs are available. + type: object + name: + description: Unique name for the policy. + type: string + namespace: + description: Policy namespace. When not specified, it inherits the agent policy namespace. + type: string + package: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_package' + policy_template: + description: The policy template to use for the agentless package policy. If not provided, the default policy template will be used. + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + anyOf: + - type: string + - type: number + - type: boolean + - items: + type: string + maxItems: 100 + type: array + - items: + type: number + maxItems: 100 + type: array + - additionalProperties: false type: object + properties: + id: + type: string + isSecretRef: + type: boolean + required: + - id + - isSecretRef + nullable: true + description: Input/stream level variable. Refer to the integration documentation for more information. + type: object + required: + - name + - package + title: simplified_create_package_policy_request + type: object + Kibana_HTTP_APIs_slo-alerts-embeddable: + additionalProperties: false + description: SLO Alerts embeddable schema + properties: + description: + type: string + drilldowns: + items: + additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_open_panel_menu + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. 
Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string required: + - url + - label + - trigger - type - - enabled - - streams - - deprecated - - compiled_input + title: url_drilldown + type: object maxItems: 100 type: array - is_managed: + hide_border: type: boolean - missingVars: + hide_title: + type: boolean + slos: + default: [] + description: List of SLOs to display alerts for items: - type: string + additionalProperties: false + type: object + properties: + slo_id: + description: SLO ID + type: string + slo_instance_id: + default: '*' + description: SLO instance ID + type: string + required: + - slo_id maxItems: 100 type: array - name: - description: Unique name for the package policy. + title: type: string - namespace: - description: >- - The package policy namespace. Leave blank to inherit the agent - policy's namespace. + title: slo-alerts-embeddable + type: object + Kibana_HTTP_APIs_slo-burn-rate-embeddable: + additionalProperties: false + description: SLO Burn Rate embeddable schema + properties: + description: + type: string + drilldowns: + items: + additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_open_panel_menu + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + duration: + description: Duration for the burn rate chart in the format [value][unit], e.g. 
5m, 3h, or 6d + type: string + hide_border: + type: boolean + hide_title: + type: boolean + slo_id: + description: The ID of the SLO to display the burn rate for + type: string + slo_instance_id: + default: '*' + description: ID of the SLO instance. Set when the SLO uses group_by; identifies which instance to show. Defaults to * (all instances). + type: string + title: + type: string + required: + - slo_id + - duration + title: slo-burn-rate-embeddable + type: object + Kibana_HTTP_APIs_slo-error-budget-embeddable: + additionalProperties: false + description: SLO Error Budget embeddable schema + properties: + description: + type: string + drilldowns: + items: + additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_open_panel_menu + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + hide_border: + type: boolean + hide_title: + type: boolean + slo_id: + description: The ID of the SLO to display the error budget for + type: string + slo_instance_id: + default: '*' + description: ID of the SLO instance. Set when the SLO uses group_by; identifies which instance to show. Defaults to * (all instances). 
+ type: string + title: + type: string + required: + - slo_id + title: slo-error-budget-embeddable + type: object + Kibana_HTTP_APIs_slo-group-overview-embeddable: + additionalProperties: false + description: SLO Group Overview embeddable schema + properties: + description: + type: string + drilldowns: + items: + additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_open_panel_menu + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + group_filters: + additionalProperties: false + default: + group_by: status + type: object + properties: + filters: + items: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeConditionFilterSchema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeGroupFilterSchema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeDSLFilterSchema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-as-code-filters-schema_asCodeSpatialFilterSchema' + description: A filter applied to query results. Can be a field condition (`condition`), a logical group of conditions (`group`), a raw Elasticsearch DSL query (`dsl`), or a geo spatial query (`spatial`). 
+ maxItems: 500 + type: array + group_by: + default: status + enum: + - slo.tags + - status + - slo.indicator.type + - _index + type: string + groups: + items: + type: string + maxItems: 100 + type: array + kql_query: + type: string + hide_border: + type: boolean + hide_title: + type: boolean + overview_mode: + enum: + - groups type: string - output_id: - nullable: true + title: type: string - overrides: + required: + - overview_mode + title: slo-group-overview-embeddable + type: object + Kibana_HTTP_APIs_slo-rules-burnrate-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: additionalProperties: false - description: >- - Override settings that are defined in the package policy. The - override option should be used only in unusual circumstances and not - as a routine procedure. - nullable: true + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. type: object properties: - inputs: - additionalProperties: - nullable: true + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false type: object - package: - $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_package' - package_agent_version_condition: + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. 
For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. + enabled: + default: true + description: Indicates whether you want the rule to run on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. type: string - policy_ids: + notify_when: + description: 'Indicates how frequently rule actions are triggered. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the slo burn rate rule. These parameters are appropriate when `rule_type_id` is `slo.rules.burnRate`. 
+ properties: + dependencies: + items: + additionalProperties: false + type: object + properties: + actionGroupsToSuppressOn: + items: + type: string + type: array + ruleId: + type: string + required: + - ruleId + - actionGroupsToSuppressOn + type: array + sloId: + type: string + windows: + items: + additionalProperties: false + type: object + properties: + actionGroup: + type: string + burnRateThreshold: + type: number + id: + type: string + longWindow: + additionalProperties: false + type: object + properties: + unit: + type: string + value: + type: number + required: + - value + - unit + maxBurnRateThreshold: + nullable: true + type: number + shortWindow: + additionalProperties: false + type: object + properties: + unit: + type: string + value: + type: number + required: + - value + - unit + required: + - id + - burnRateThreshold + - maxBurnRateThreshold + - longWindow + - shortWindow + - actionGroup + type: array + required: + - sloId + - windows + title: SLO Burn Rate Rule Params + type: object + rule_type_id: + enum: + - slo.rules.burnRate + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. items: - description: >- - IDs of the agent policies which that package policy will be added - to. type: string - maxItems: 1000 - type: array - revision: - type: number - secret_references: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 1000 type: array - supports_agentless: - default: false - description: >- - Indicates whether the package policy belongs to an agentless agent - policy. 
- nullable: true - type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. + throttle: + description: Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how frequently rule actions are triggered. You cannot specify the throttle interval at both the rule and action level. If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. nullable: true - type: boolean - updated_at: type: string - updated_by: + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: SLO burn rate + type: object + Kibana_HTTP_APIs_slo-single-overview-embeddable: + additionalProperties: false + description: SLO Single Overview embeddable schema + properties: + description: type: string - var_group_selections: - additionalProperties: - type: string - description: >- - Variable group selections. Maps var_group name to the selected - option name within that group. - type: object - vars: - additionalProperties: + drilldowns: + items: additionalProperties: false - type: object properties: - frozen: + encode_url: + default: true + description: When true, URL is escaped using percent encoding type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_open_panel_menu + type: string type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable type: string - value: - nullable: true required: - - value - description: >- - Package variable (see integration documentation for more - information) - type: object - version: - description: Package policy ES version. 
- type: string - required: - - name - - enabled - - package - - inputs - title: dry_run_package_policy - type: object - Kibana_HTTP_APIs_enrollment_api_key: - additionalProperties: false - properties: - active: - description: >- - When false, the enrollment API key is revoked and cannot be used for - enrolling Elastic Agents. + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + hide_border: type: boolean - api_key: - description: The enrollment API key (token) used for enrolling Elastic Agents. - type: string - api_key_id: - description: The ID of the API key in the Security API. + hide_title: + type: boolean + overview_mode: + enum: + - single type: string - created_at: + remote_name: + description: The name of the remote SLO type: string - hidden: - type: boolean - id: + slo_id: + description: The ID of the SLO type: string - name: - description: The name of the enrollment API key. + slo_instance_id: + default: '*' + description: ID of the SLO instance. Set when the SLO uses group_by; identifies which instance to show. Defaults to * (all instances). type: string - policy_id: - description: The ID of the agent policy the Elastic Agent will be enrolled in. + title: type: string required: - - id - - api_key_id - - api_key - - active - - created_at - title: enrollment_api_key + - slo_id + - overview_mode + title: slo-single-overview-embeddable type: object - Kibana_HTTP_APIs_enrollment_api_key_response: + Kibana_HTTP_APIs_staticColor: additionalProperties: false + description: Fixed color for all values in the dimension. properties: - action: + color: + description: The static color to be used for all values. 
+ type: string + type: enum: - - created + - static type: string - item: - $ref: '#/components/schemas/Kibana_HTTP_APIs_enrollment_api_key' required: - - item - - action - title: enrollment_api_key_response + - type + - color + title: Static Color type: object - Kibana_HTTP_APIs_es_asset_reference: + Kibana_HTTP_APIs_staticOperationDefinition: additionalProperties: false properties: - deferred: - type: boolean - id: + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string - type: + operation: enum: - - index - - index_template - - component_template - - ingest_pipeline - - ilm_policy - - data_stream_ilm_policy - - transform - - ml_model - - knowledge_base - - esql_view - type: string - version: + - static_value type: string + value: + default: 100 + description: Static value + type: number required: - - id - - type - title: es_asset_reference + - operation + title: Static Operation Definition type: object - Kibana_HTTP_APIs_full_agent_policy: + Kibana_HTTP_APIs_StreamlangConditionBlock: additionalProperties: false + type: object properties: - agent: - additionalProperties: false - type: object - properties: - download: - additionalProperties: false + condition: + $ref: '#/components/schemas/Kibana_HTTP_APIs_ConditionWithSteps' + customIdentifier: + type: string + required: + - condition + Kibana_HTTP_APIs_StreamlangStep: + anyOf: + - anyOf: + - additionalProperties: false + description: Grok processor - Extract fields from text using grok patterns type: object properties: - auth: - additionalProperties: false + action: + enum: + - grok + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + description: Source field to parse with grok patterns + minLength: 1 + type: string + ignore_failure: + description: 
Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + description: Skip processing when source field is missing + type: boolean + pattern_definitions: + additionalProperties: + type: string type: object - properties: - api_key: - type: string - headers: - items: - additionalProperties: false - type: object - properties: - key: - type: string - value: - type: string - required: - - key - - value - maxItems: 100 - type: array - password: - type: string - username: - type: string - proxy_headers: + patterns: + description: Grok patterns applied in order to extract fields + items: + description: A non-empty string. + minLength: 1 + type: string + minItems: 1 + type: array + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - patterns + - additionalProperties: false + description: Dissect processor - Extract fields from text using a lightweight, delimiter-based parser + type: object + properties: + action: + enum: + - dissect + type: string + append_separator: + description: Separator inserted when target fields are concatenated + minLength: 1 + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + description: Source field to parse with dissect pattern + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + description: Skip processing when source field is missing + type: boolean + pattern: + description: Dissect pattern describing field boundaries + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + 
- action + - from + - pattern + - additionalProperties: false + description: Date processor - Parse dates from strings using one or more expected formats + type: object + properties: + action: + enum: + - date + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + formats: + description: Accepted input date formats, tried in order + items: + description: A non-empty string. + minLength: 1 + type: string + type: array + from: + description: Source field containing the date/time text + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + locale: + description: Optional locale for date parsing + minLength: 1 + type: string + output_format: + description: Optional output format for storing the parsed date as text + minLength: 1 + type: string + timezone: + description: Optional timezone for date parsing + minLength: 1 + type: string + to: + description: Target field for the parsed date (defaults to source) + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - formats + - additionalProperties: false + type: object + properties: + action: + enum: + - drop_document + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - 
additionalProperties: false + type: object + properties: + action: + enum: + - math + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + expression: + description: A non-empty string. + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + type: boolean + to: + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - expression + - to + - additionalProperties: false + description: Rename processor - Change a field name and optionally its location + type: object + properties: + action: + enum: + - rename + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + description: Existing source field to rename or move + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + description: Skip when source field is missing + type: boolean + override: + description: Allow overwriting the target field if it already exists + type: boolean + to: + description: New field name or destination path + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - to + - additionalProperties: false + description: Set processor - Assign a literal or copied value to a field (mutually exclusive inputs) + type: object + properties: + action: + enum: + - set + 
type: string + copy_from: + description: Copy value from another field instead of providing a literal + minLength: 1 + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + override: + description: Allow overwriting an existing target field + type: boolean + to: + description: Target field to set or create + minLength: 1 + type: string + value: + description: Literal value to assign to the target field + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - to + - additionalProperties: false + description: Append processor - Append one or more values to an existing or new array field + type: object + properties: + action: + enum: + - append + type: string + allow_duplicates: + description: If true, do not deduplicate appended values + type: boolean + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + to: + description: Array field to append values to + minLength: 1 + type: string + value: + description: Values to append (must be literal, no templates) + items: {} + minItems: 1 + type: array + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - to + - value + - additionalProperties: false + description: Remove by prefix processor - Remove a field and all nested fields matching the prefix + type: 
object + properties: + action: + enum: + - remove_by_prefix + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + description: Field to remove along with all its nested fields + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + required: + - action + - from + - additionalProperties: false + description: Remove processor - Delete one or more fields from the document + type: object + properties: + action: + enum: + - remove + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + description: Field to remove from the document + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + description: Skip processing when source field is missing + type: boolean + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - additionalProperties: false + type: object + properties: + action: + enum: + - replace + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + type: boolean + pattern: + minLength: 1 + type: string + replacement: + type: string + to: + minLength: 1 + type: string + 
where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - pattern + - replacement + - additionalProperties: false + description: Redact processor - Mask sensitive data using Grok patterns + type: object + properties: + action: + enum: + - redact + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + description: Source field to redact sensitive data from + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + description: Skip processing when source field is missing (defaults to true) + type: boolean + pattern_definitions: additionalProperties: - anyOf: - - type: string - - type: boolean - - type: number - nullable: true + type: string + description: Custom pattern definitions to use in the patterns type: object - proxy_url: + patterns: + description: Grok patterns to match sensitive data (for example, "%{IP:client}", "%{EMAILADDRESS:email}") + items: + description: A non-empty string. 
+ minLength: 1 + type: string + minItems: 1 + type: array + prefix: + description: Prefix to prepend to the redacted pattern name (defaults to "<") type: string - secrets: - additionalProperties: true - type: object - properties: - ssl: - additionalProperties: true - type: object - properties: - key: - additionalProperties: true - type: object - properties: - id: - type: string - required: - - key - sourceURI: + suffix: + description: Suffix to append to the redacted pattern name (defaults to ">") type: string - ssl: - additionalProperties: false - type: object - properties: - certificate: - type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - key: - type: string - renegotiation: - type: string - verification_mode: - type: string - target_directory: + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - patterns + - additionalProperties: false + type: object + properties: + action: + enum: + - uppercase type: string - timeout: + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + minLength: 1 type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + type: boolean + to: + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs required: - - sourceURI - features: - additionalProperties: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - required: - - enabled + - action + - from + - additionalProperties: false type: object - internal: - nullable: true - limits: - additionalProperties: false + properties: + 
action: + enum: + - lowercase + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + type: boolean + to: + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - additionalProperties: false type: object properties: - go_max_procs: - type: number - logging: - additionalProperties: false + action: + enum: + - trim + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + type: boolean + to: + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - additionalProperties: false type: object properties: - files: - additionalProperties: false - type: object - properties: - interval: - type: string - keepfiles: - type: number - rotateeverybytes: - type: number - level: + action: + enum: + - join type: string - metrics: - additionalProperties: false - type: object - properties: - period: - type: string - to_files: + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + delimiter: + type: string + description: + description: Human-readable notes 
about this processor step + type: string + from: + items: + minLength: 1 + type: string + minItems: 1 + type: array + ignore_failure: + description: Continue pipeline execution if this processor fails type: boolean - monitoring: - additionalProperties: false + ignore_missing: + type: boolean + to: + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - delimiter + - to + - additionalProperties: false + description: Split processor - Split a field value into an array using a separator type: object properties: - _runtime_experimental: + action: + enum: + - split type: string - apm: - nullable: true - diagnostics: - additionalProperties: false - type: object - properties: - limit: - additionalProperties: false - type: object - properties: - burst: - type: number - interval: - type: string - uploader: - additionalProperties: false - type: object - properties: - init_dur: - type: string - max_dur: - type: string - max_retries: - type: number - enabled: + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + description: Source field to split into an array + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails type: boolean - http: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - host: - type: string - port: - type: number - logs: + ignore_missing: + description: Skip processing when source field is missing type: boolean - metrics: + preserve_trailing: + description: Preserve empty trailing fields in the split result type: boolean - namespace: + separator: + description: Regex separator used to split the field value into an array + minLength: 1 type: 
string - pprof: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - required: - - enabled - traces: + to: + description: Target field for the split array (defaults to source) + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - separator + - additionalProperties: false + type: object + properties: + action: + enum: + - sort + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + description: Array field to sort + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails type: boolean - use_output: + ignore_missing: + description: Skip processing when source field is missing + type: boolean + order: + description: Sort order - "asc" (ascending) or "desc" (descending). 
Defaults to "asc" + enum: + - asc + - desc + type: string + to: + description: Target field for the sorted array (defaults to source) + minLength: 1 type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs required: - - enabled - - metrics - - logs - - traces - - apm - protection: - additionalProperties: false + - action + - from + - additionalProperties: false + description: Convert processor - Change the data type of a field value (integer, long, double, boolean, or string) type: object properties: - enabled: + action: + enum: + - convert + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: + description: Source field to convert to a different data type + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails type: boolean - signing_key: + ignore_missing: + description: Skip processing when source field is missing + type: boolean + to: + description: Target field for the converted value (defaults to source) + minLength: 1 type: string - uninstall_token_hash: + type: + description: 'Target data type: integer, long, double, boolean, or string' + enum: + - integer + - long + - double + - boolean + - string type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs required: - - enabled - - uninstall_token_hash - - signing_key - required: - - monitoring - - download - - features - - internal - connectors: - additionalProperties: - nullable: true - type: object - exporters: - additionalProperties: - nullable: true - type: object - extensions: - additionalProperties: - nullable: true - type: object - fleet: - anyOf: + - action + - 
from + - type - additionalProperties: false type: object properties: - hosts: + action: + enum: + - concat + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + from: items: - type: string - maxItems: 100 - type: array - proxy_headers: - additionalProperties: anyOf: - - type: string - - type: boolean - - type: number - nullable: true - type: object - proxy_url: + - type: object + properties: + type: + enum: + - field + type: string + value: + minLength: 1 + type: string + required: + - type + - value + - type: object + properties: + type: + enum: + - literal + type: string + value: + type: string + required: + - type + - value + minItems: 1 + type: array + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + type: boolean + to: + minLength: 1 type: string - secrets: - additionalProperties: true - type: object - properties: - ssl: - additionalProperties: true - type: object - properties: - key: - additionalProperties: true - type: object - properties: - id: - type: string - required: - - key - ssl: - additionalProperties: false + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - from + - to + - allOf: + - additionalProperties: false type: object properties: - certificate: + action: + enum: + - network_direction type: string - certificate_authorities: - items: - type: string - maxItems: 10 - type: array - key: + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 type: string - renegotiation: + description: + description: Human-readable notes about this processor step type: string - verification_mode: + destination_ip: + minLength: 1 type: string - 
required: - - hosts + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + type: boolean + source_ip: + minLength: 1 + type: string + target_field: + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - source_ip + - destination_ip + - anyOf: + - additionalProperties: false + type: object + properties: + internal_networks: + items: + type: string + type: array + required: + - internal_networks + - additionalProperties: false + type: object + properties: + internal_networks_field: + minLength: 1 + type: string + required: + - internal_networks_field - additionalProperties: false + description: JsonExtract processor - Extract values from JSON strings using JSONPath-like selectors type: object properties: - kibana: - additionalProperties: false - type: object - properties: - hosts: - items: + action: + enum: + - json_extract + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + extractions: + description: List of extraction specifications + items: + description: A single extraction specification + type: object + properties: + selector: + description: JSONPath-like selector to extract value (e.g., "user.id", "$.metadata.client.ip", "items[0].name") + minLength: 1 type: string - maxItems: 100 - type: array - path: - type: string - protocol: - type: string - required: - - hosts - - protocol + target_field: + description: Target field to store the extracted value + minLength: 1 + type: string + type: + description: Data type for the extracted value. Defaults to "keyword". Ensures consistent types across transpilers. 
+ enum: + - keyword + - integer + - long + - double + - boolean + type: string + required: + - selector + - target_field + minItems: 1 + type: array + field: + description: Source field containing the JSON string to parse + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + description: Skip processing when source field is missing + type: boolean + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - field + - extractions + - additionalProperties: false + type: object + properties: + action: + enum: + - enrich + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + type: boolean + override: + type: boolean + policy_name: + description: A non-empty string. 
+ minLength: 1 + type: string + to: + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - policy_name + - to + - additionalProperties: false + description: Registered domain processor - extracts domain, registered_domain, top_level_domain, subdomain from a FQDN + type: object + properties: + action: + enum: + - registered_domain + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + expression: + description: The string expression containing the FQDN to parse + minLength: 1 + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + ignore_missing: + description: Skip processing when expression field is missing + type: boolean + prefix: + description: The prefix for the output columns. 
The extracted parts are available as prefix.part_name + minLength: 1 + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs + required: + - action + - expression + - prefix + - additionalProperties: false + description: Manual ingest pipeline wrapper around native Elasticsearch processors + type: object + properties: + action: + description: Manual ingest pipeline - executes raw Elasticsearch ingest processors + enum: + - manual_ingest_pipeline + type: string + customIdentifier: + description: Custom identifier to correlate this processor across outputs + minLength: 1 + type: string + description: + description: Human-readable notes about this processor step + type: string + ignore_failure: + description: Continue pipeline execution if this processor fails + type: boolean + on_failure: + description: Fallback processors to run when a processor fails + items: + additionalProperties: {} + type: object + type: array + processors: + description: List of raw Elasticsearch ingest processors to run + items: + additionalProperties: {} + type: object + type: array + tag: + description: Optional ingest processor tag for Elasticsearch + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + description: Conditional expression controlling whether this processor runs required: - - kibana - id: + - action + - processors + - $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamlangConditionBlock' + Kibana_HTTP_APIs_StreamUpsertRequest: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_WiredStreamUpsertRequest' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_ClassicStreamUpsertRequest' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_QueryStreamUpsertRequest' + Kibana_HTTP_APIs_sumMetricOperation: + additionalProperties: false + properties: + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of 
zero. + type: boolean + field: + description: Field to be used for the metric type: string - inputs: + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Sum Metric Operation + type: object + Kibana_HTTP_APIs_tagcloudESQL: + additionalProperties: false + description: Tag Cloud configuration using an ES|QL query. + properties: + data_source: + $ref: '#/components/schemas/Kibana_HTTP_APIs_esqlDataSource' + description: + type: string + drilldowns: items: - additionalProperties: true - type: object - properties: - data_stream: - additionalProperties: true + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. 
+ type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown type: object + - additionalProperties: false properties: - namespace: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown type: string required: - - namespace - id: - type: string - meta: - additionalProperties: true + - label + - trigger + - type + title: discover_drilldown type: object + - additionalProperties: false properties: - package: - additionalProperties: true - type: object - properties: - name: - type: string - version: - type: string - required: - - name - - version - name: - type: string - package_policy_id: - type: string - processors: - items: - additionalProperties: true - type: object - properties: - add_fields: - additionalProperties: true - type: object - properties: - fields: - additionalProperties: - anyOf: - - type: string - - type: number - type: object - target: - type: string - required: - - target - - fields - required: - - add_fields - maxItems: 10000 - type: array - revision: - type: number - streams: - items: - additionalProperties: true - type: object - properties: - data_stream: - additionalProperties: true - type: object - properties: - dataset: - type: string - type: - type: string - required: - - dataset - id: - type: string - required: - - id - - data_stream - maxItems: 10000 - type: array - type: - type: string - use_output: - type: string - required: - - id - - name - - revision - - type - - data_stream - - use_output - - package_policy_id - maxItems: 10000 - type: array - namespaces: - items: - type: string - maxItems: 100 - type: array - output_permissions: - additionalProperties: - additionalProperties: - nullable: true - type: object - type: object - outputs: - additionalProperties: - additionalProperties: true - type: object - properties: - ca_sha256: - nullable: true - type: string - hosts: - items: - 
type: string - maxItems: 100 - type: array - proxy_headers: - additionalProperties: - anyOf: - - type: string - - type: boolean - - type: number - nullable: true + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown type: object - proxy_url: - type: string - type: - type: string - required: - - type - type: object - processors: - additionalProperties: - nullable: true - type: object - receivers: - additionalProperties: - nullable: true - type: object - revision: - type: number - secret_references: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 10000 + maxItems: 100 type: array - service: + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + hide_border: + type: boolean + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. 
+ type: boolean + metric: additionalProperties: false type: object properties: - extensions: - items: - type: string - maxItems: 1000 - type: array - pipelines: - additionalProperties: - additionalProperties: false - type: object - properties: - exporters: - items: - type: string - maxItems: 1000 - type: array - processors: - items: - type: string - maxItems: 1000 - type: array - receivers: - items: - type: string - maxItems: 1000 - type: array - x-oas-optional: true - type: object - signed: + column: + description: Column to use + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + required: + - column + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). + maximum: 1 + minimum: 0 + type: number + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudStyling' + tag_by: additionalProperties: false type: object properties: - data: + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + column: + description: Column to use type: string - signature: + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string required: - - data - - signature + - column + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + type: + enum: + - tag_cloud + type: string required: - - id - - outputs - - inputs - title: full_agent_policy + - type + - data_source + - metric + - tag_by + title: Tag Cloud Chart (ES|QL) type: object - Kibana_HTTP_APIs_get_agent_policy_outputs_response: + Kibana_HTTP_APIs_tagcloudMetricCounterRate: additionalProperties: false properties: - item: - additionalProperties: false - type: object - properties: - agentPolicyId: - type: 
string - data: - additionalProperties: false - type: object - properties: - integrations: - items: - additionalProperties: false - type: object - properties: - id: - type: string - integrationPolicyName: - type: string - name: - type: string - pkgName: - type: string - maxItems: 1000 - type: array - output: - additionalProperties: false - type: object - properties: - id: - type: string - name: - type: string - required: - - id - - name - required: - - output - monitoring: - additionalProperties: false - type: object - properties: - output: - additionalProperties: false - type: object - properties: - id: - type: string - name: - type: string - required: - - id - - name - required: - - output - required: - - monitoring - - data + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - counter_rate + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string required: - - item - title: get_agent_policy_outputs_response + - field + - operation + title: Counter Rate Operation type: object - Kibana_HTTP_APIs_get_agent_policy_response: + Kibana_HTTP_APIs_tagcloudMetricCountMetric: additionalProperties: false properties: - item: - $ref: '#/components/schemas/Kibana_HTTP_APIs_agent_policy_response' + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string required: - - item - title: get_agent_policy_response + - operation + title: Count Metric Operation type: object - Kibana_HTTP_APIs_get_bulk_assets_request: + Kibana_HTTP_APIs_tagcloudMetricCumulativeSum: + additionalProperties: false + properties: + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - cumulative_sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Cumulative Sum Operation + type: object + Kibana_HTTP_APIs_tagcloudMetricDifferences: + additionalProperties: false + properties: + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - 
differences + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - operation + - of + title: Differences Operation + type: object + Kibana_HTTP_APIs_tagcloudMetricFormula: + additionalProperties: false + properties: + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + formula: + description: Formula + type: string + label: + description: Label for the operation + type: string + operation: + enum: + - formula + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + description: Time scale + enum: + - s + - m + - h + - d + type: string + required: + - operation + - formula + title: Formula Operation + type: object + Kibana_HTTP_APIs_tagcloudMetricLastValue: + additionalProperties: false + properties: + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + multi_value: + default: false + description: Whether to return all values for multi-value fields. Only affects data table and metric charts; other charts use the last value from the array. 
+ type: boolean + operation: + enum: + - last_value + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_field: + description: Time field used to determine document recency + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + - time_field + title: Last Value Operation + type: object + Kibana_HTTP_APIs_tagcloudMetricMovingAverage: + additionalProperties: false + properties: + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - moving_average + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + window: + default: 5 + description: Window + type: number + required: + - operation + - of + title: Moving Average Operation + type: object + Kibana_HTTP_APIs_tagcloudMetricPercentile: + additionalProperties: false + properties: + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - percentile + type: string + percentile: + default: 95 + description: Percentile + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range 
Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Percentile Operation + type: object + Kibana_HTTP_APIs_tagcloudMetricPercentileRanks: + additionalProperties: false + properties: + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - percentile_rank + type: string + rank: + default: 0 + description: Percentile Rank + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Percentile Ranks Operation + type: object + Kibana_HTTP_APIs_tagcloudMetricStatsMetric: + additionalProperties: false + properties: + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - min + - max + - average + - median + - standard_deviation + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Stats Metric Operation + type: 
object + Kibana_HTTP_APIs_tagcloudMetricSumMetric: + additionalProperties: false + properties: + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. + type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Sum Metric Operation + type: object + Kibana_HTTP_APIs_tagcloudMetricUniqueCountMetric: additionalProperties: false properties: - assetIds: - items: - additionalProperties: false - type: object - properties: - id: - type: string - type: - type: string - required: - - id - - type - maxItems: 10000 - type: array + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - unique_count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string required: - - assetIds - title: get_bulk_assets_request + - field + - operation + title: Unique Count Metric Operation type: object - Kibana_HTTP_APIs_get_bulk_assets_response: + Kibana_HTTP_APIs_tagcloudNoESQL: additionalProperties: false + description: Tag Cloud configuration using a data view. properties: - items: + data_source: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' + description: + type: string + drilldowns: items: - additionalProperties: false - type: object - properties: - appLink: - type: string - attributes: - additionalProperties: false + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. 
+ type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown type: object + - additionalProperties: false properties: - description: + label: type: string - service: + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter type: string - title: + type: + enum: + - discover_drilldown type: string - id: - type: string - type: - type: string - updatedAt: - type: string - required: - - id - - type - - attributes - maxItems: 10000 + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + hide_border: + type: boolean + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. 
+ type: boolean + metric: + anyOf: + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudMetricCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudMetricUniqueCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudMetricStatsMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudMetricSumMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudMetricLastValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudMetricPercentile' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudMetricPercentileRanks' + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudMetricDifferences' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudMetricMovingAverage' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudMetricCumulativeSum' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudMetricCounterRate' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudMetricFormula' + query: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' type: array + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). 
+ maximum: 1 + minimum: 0 + type: number + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudStyling' + tag_by: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudTagDateHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudTagTerms' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudTagHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudTagRanges' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_tagcloudTagFilters' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + type: + enum: + - tag_cloud + type: string required: - - items - title: get_bulk_assets_response + - type + - data_source + - metric + - tag_by + title: Tag Cloud Chart (DSL) type: object - Kibana_HTTP_APIs_get_categories_response: + Kibana_HTTP_APIs_tagcloudStyling: additionalProperties: false + description: Visual chart styling options properties: - items: - items: - $ref: '#/components/schemas/Kibana_HTTP_APIs_category_summary_item' - maxItems: 10000 - type: array - required: - - items - title: get_categories_response + caption: + additionalProperties: false + description: Caption configuration representing the metric and the tag_by operations labels + type: object + properties: + visible: + default: true + description: When `true`, displays the caption. + type: boolean + font_size: + additionalProperties: false + description: Font size range for tags. + type: object + properties: + max: + default: 72 + description: Maximum font size. + maximum: 120 + type: number + min: + default: 18 + description: Minimum font size. 
+ minimum: 1 + type: number + orientation: + $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_orientation' + title: Tag cloud styling type: object - Kibana_HTTP_APIs_get_data_streams_response: + Kibana_HTTP_APIs_tagcloudTagDateHistogram: additionalProperties: false properties: - items: - items: - additionalProperties: false - type: object - properties: - name: - type: string - required: - - name - maxItems: 10000 - type: array + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + drop_partial_intervals: + description: When `true`, drops partial intervals from the results. + type: boolean + field: + description: Field to be used for the date histogram. + type: string + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. + type: boolean + label: + description: Label for the operation + type: string + operation: + enum: + - date_histogram + type: string + suggested_interval: + default: auto + description: Suggested time interval. + type: string + use_original_time_range: + default: false + description: When `true`, uses the original time range instead of the current query time range. 
+ type: boolean required: - - items - title: get_data_streams_response + - operation + - field + title: Date Histogram Operation type: object - Kibana_HTTP_APIs_get_dependencies_response: + Kibana_HTTP_APIs_tagcloudTagFilters: additionalProperties: false properties: - items: + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + filters: items: - additionalProperties: false - type: object - properties: - name: - type: string - title: - type: string - version: - type: string - required: - - name - - version - - title - maxItems: 1000 + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterWithLabel' + maxItems: 100 type: array + label: + description: Label for the operation + type: string + operation: + enum: + - filters + type: string required: - - items - title: get_dependencies_response + - operation + - filters + title: Filters Operation type: object - Kibana_HTTP_APIs_get_full_agent_policy_response: + Kibana_HTTP_APIs_tagcloudTagHistogram: additionalProperties: false properties: - item: + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + field: + description: Field to be used for the histogram. + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + granularity: anyOf: - - type: string - - $ref: '#/components/schemas/Kibana_HTTP_APIs_full_agent_policy' - required: - - item - title: get_full_agent_policy_response - type: object - Kibana_HTTP_APIs_get_info_response: - additionalProperties: false - properties: - item: - $ref: '#/components/schemas/Kibana_HTTP_APIs_get_package_info' - metadata: - $ref: '#/components/schemas/Kibana_HTTP_APIs_package_metadata' + - description: Granularity of the histogram. + maximum: 7 + minimum: 1 + type: number + - enum: + - auto + type: string + default: auto + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. 
+ type: boolean + label: + description: Label for the operation + type: string + operation: + enum: + - histogram + type: string required: - - item - - metadata - title: get_info_response + - operation + - field + title: Histogram Operation type: object - Kibana_HTTP_APIs_get_inputs_response: + Kibana_HTTP_APIs_tagcloudTagRanges: additionalProperties: false properties: - connectors: - additionalProperties: - nullable: true - type: object - exporters: - additionalProperties: - nullable: true - type: object - extensions: - additionalProperties: - nullable: true - type: object - inputs: + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + field: + description: Field to be used for the range. + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - range + type: string + ranges: items: additionalProperties: false type: object properties: - id: - type: string - streams: - items: - additionalProperties: true - type: object - properties: - data_stream: - additionalProperties: true - type: object - properties: - dataset: - type: string - type: - type: string - required: - - dataset - id: - type: string - required: - - id - - data_stream - maxItems: 10000 - type: array - type: + gt: + description: Greater than. + type: number + label: + description: Label. type: string - required: - - id - - type - maxItems: 10000 + lte: + description: Less than or equal to. 
+ type: number + maxItems: 100 type: array - processors: - additionalProperties: - nullable: true - type: object - receivers: - additionalProperties: - nullable: true + required: + - operation + - field + - ranges + title: Ranges Operation + type: object + Kibana_HTTP_APIs_tagcloudTagTerms: + additionalProperties: false + properties: + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + excludes: + additionalProperties: false type: object - service: + properties: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to exclude. + type: string + maxItems: 100 + type: array + required: + - values + fields: + items: + description: Fields to be used for the terms. + type: string + maxItems: 4 + minItems: 1 + type: array + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + includes: additionalProperties: false type: object properties: - extensions: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: items: + description: Values to include. type: string - maxItems: 1000 + maxItems: 100 type: array - pipelines: - additionalProperties: - additionalProperties: false - type: object - properties: - exporters: - items: - type: string - maxItems: 1000 - type: array - processors: - items: - type: string - maxItems: 1000 - type: array - receivers: - items: - type: string - maxItems: 1000 - type: array - x-oas-optional: true - type: object + required: + - values + increase_accuracy: + description: When `true`, increases accuracy at the cost of performance. + type: boolean + label: + description: Label for the operation + type: string + limit: + default: 5 + description: Number of terms to return. 
+ type: number + operation: + enum: + - terms + type: string + other_bucket: + additionalProperties: false + type: object + properties: + include_documents_without_field: + description: When `true`, includes documents that do not have the specified field. + type: boolean + required: + - include_documents_without_field + rank_by: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByAlphabetical' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByRare' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankBySignificant' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomCountOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileRankOperation' required: - - inputs - title: get_inputs_response + - operation + - fields + title: Terms Operation type: object - Kibana_HTTP_APIs_get_installed_packages_response: + Kibana_HTTP_APIs_termsOperation: additionalProperties: false properties: - items: - items: - $ref: '#/components/schemas/Kibana_HTTP_APIs_installed_package' - maxItems: 10000 - type: array - searchAfter: + excludes: + additionalProperties: false + type: object + properties: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to exclude. + type: string + maxItems: 100 + type: array + required: + - values + fields: items: - anyOf: - - type: string - - type: number - - type: boolean - - nullable: true - nullable: true - maxItems: 2 + description: Fields to be used for the terms. 
+ type: string + maxItems: 4 + minItems: 1 type: array - total: + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + includes: + additionalProperties: false + type: object + properties: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to include. + type: string + maxItems: 100 + type: array + required: + - values + increase_accuracy: + description: When `true`, increases accuracy at the cost of performance. + type: boolean + label: + description: Label for the operation + type: string + limit: + default: 5 + description: Number of terms to return. type: number + operation: + enum: + - terms + type: string + other_bucket: + additionalProperties: false + type: object + properties: + include_documents_without_field: + description: When `true`, includes documents that do not have the specified field. + type: boolean + required: + - include_documents_without_field + rank_by: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByAlphabetical' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByRare' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankBySignificant' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomCountOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileRankOperation' required: - - items - - total - title: get_installed_packages_response + - operation + - fields + title: Terms Operation type: object - Kibana_HTTP_APIs_get_k8s_manifest_response: + Kibana_HTTP_APIs_termsRankByAlphabetical: additionalProperties: false + description: Terms ranked alphabetically. 
properties: - item: + direction: + $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByAlphabeticalDirection' + type: + enum: + - alphabetical type: string required: - - item - title: get_k8s_manifest_response + - type + - direction + title: Terms Rank By Alphabetical type: object - Kibana_HTTP_APIs_get_limited_packages_response: + Kibana_HTTP_APIs_termsRankByAlphabeticalDirection: + description: Sort direction for alphabetical ranking. + enum: + - asc + - desc + title: termsRankByAlphabeticalDirection + type: string + Kibana_HTTP_APIs_termsRankByCustomCountOperation: additionalProperties: false + description: Terms ranked by count, either of all documents or of a specific field. properties: - items: - items: - type: string - maxItems: 10000 - type: array + direction: + $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomDirection' + field: + description: Numeric field to be used for the custom operation. + type: string + operation: + enum: + - count + type: string + type: + enum: + - custom + type: string required: - - items - title: get_limited_packages_response + - type + - direction + - operation + title: Terms Rank By Custom Count Operation type: object - Kibana_HTTP_APIs_get_list_agent_policy_outputs_request: + Kibana_HTTP_APIs_termsRankByCustomDirection: + description: Sort direction for custom ranking. + enum: + - asc + - desc + title: termsRankByCustomDirection + type: string + Kibana_HTTP_APIs_termsRankByCustomOperation: additionalProperties: false + description: Terms ranked by custom operation. properties: - ids: - description: list of package policy ids - items: - type: string - maxItems: 1000 - type: array + direction: + $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomDirection' + field: + description: Numeric field to be used for the custom operation. 
+ type: string + operation: + enum: + - min + - max + - average + - median + - standard_deviation + - unique_count + - sum + - last_value + type: string + type: + enum: + - custom + type: string required: - - ids - title: get_list_agent_policy_outputs_request + - type + - field + - direction + - operation + title: Terms Rank By Custom Operation type: object - Kibana_HTTP_APIs_get_list_agent_policy_outputs_response: + Kibana_HTTP_APIs_termsRankByMetric: additionalProperties: false + description: Terms ranked by a linked metric. properties: - items: - items: - additionalProperties: false - type: object - properties: - agentPolicyId: - type: string - data: - additionalProperties: false - type: object - properties: - integrations: - items: - additionalProperties: false - type: object - properties: - id: - type: string - integrationPolicyName: - type: string - name: - type: string - pkgName: - type: string - maxItems: 1000 - type: array - output: - additionalProperties: false - type: object - properties: - id: - type: string - name: - type: string - required: - - id - - name - required: - - output - monitoring: - additionalProperties: false - type: object - properties: - output: - additionalProperties: false - type: object - properties: - id: - type: string - name: - type: string - required: - - id - - name - required: - - output - required: - - monitoring - - data - maxItems: 10000 - type: array + direction: + $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByMetricDirection' + metric_index: + default: 0 + description: Zero-based index into the metrics array identifying which metric to rank by. + minimum: 0 + type: number + type: + enum: + - metric + type: string required: - - items - title: get_list_agent_policy_outputs_response + - type + - direction + title: Terms Rank By Metric type: object - Kibana_HTTP_APIs_get_one_bulk_operation_packages_response: + Kibana_HTTP_APIs_termsRankByMetricDirection: + description: Sort direction for metric-based ranking. 
+ enum: + - asc + - desc + title: termsRankByMetricDirection + type: string + Kibana_HTTP_APIs_termsRankByPercentileOperation: additionalProperties: false + description: Terms ranked by a percentile of a numeric field, for example the 95th percentile of response time. properties: - error: + direction: + $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomDirection' + field: + description: Numeric field to be used for the custom operation. + type: string + operation: + enum: + - percentile + type: string + percentile: + default: 95 + description: The percentile threshold (0–100) at which to compute the field value used for ranking terms. + type: number + type: + enum: + - custom + type: string + required: + - type + - field + - direction + - operation + title: Terms Rank By Percentile Operation + type: object + Kibana_HTTP_APIs_termsRankByPercentileRankOperation: + additionalProperties: false + description: 'Terms ranked by the percentile rank of a single value: the proportion of field values at or below that value.' + properties: + direction: + $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomDirection' + field: + description: Numeric field to be used for the custom operation. + type: string + operation: + enum: + - percentile_rank + type: string + rank: + default: 0 + description: The numeric value for which to compute the percentile rank (the percentage of field values at or below this value). + type: number + type: + enum: + - custom + type: string + required: + - type + - field + - direction + - operation + title: Terms Rank By Percentile Rank Operation + type: object + Kibana_HTTP_APIs_termsRankByRare: + additionalProperties: false + description: Terms ranked by rarity. + properties: + max: + description: Maximum number of rare terms to include. 
+ type: number + type: + enum: + - rare + type: string + required: + - type + - max + title: Terms Rank By Rarity + type: object + Kibana_HTTP_APIs_termsRankBySignificant: + additionalProperties: false + description: Terms ranked by significance. + properties: + type: + enum: + - significant + type: string + required: + - type + title: Terms Rank By Significance + type: object + Kibana_HTTP_APIs_transform-health-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. type: object properties: - message: - type: string + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number required: - - message - results: - items: - additionalProperties: false - type: object - properties: - error: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: additionalProperties: false type: object properties: - message: + id: type: string required: - - message - name: - type: string - success: - type: boolean - required: - - name - - success - maxItems: 10000 - type: array - status: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' 
type: string - required: - - status - title: get_one_bulk_operation_packages_response - type: object - Kibana_HTTP_APIs_get_package_info: - additionalProperties: true - properties: - agent: + enabled: + default: true + description: Indicates whether you want the rule to run on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how frequently rule actions are triggered. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: additionalProperties: false - type: object + description: The parameters for the transform health rule. These parameters are appropriate when `rule_type_id` is `transform_health`. 
properties: - privileges: + excludeTransforms: + default: [] + items: + type: string + nullable: true + type: array + includeTransforms: + items: + type: string + type: array + testsConfig: additionalProperties: false + nullable: true type: object properties: - root: - type: boolean - asset_tags: - items: - additionalProperties: false - type: object - properties: - asset_ids: - items: - type: string - maxItems: 1000 - type: array - asset_types: - items: - type: string - maxItems: 100 - type: array - text: - type: string - required: - - text - maxItems: 1000 - type: array - assets: - additionalProperties: - nullable: true + errorMessages: + additionalProperties: false + nullable: true + type: object + properties: + enabled: + default: false + type: boolean + healthCheck: + additionalProperties: false + nullable: true + type: object + properties: + enabled: + default: true + type: boolean + notStarted: + additionalProperties: false + nullable: true + type: object + properties: + enabled: + default: true + type: boolean + required: + - notStarted + - errorMessages + - healthCheck + required: + - includeTransforms + - testsConfig + title: Transform Health Rule Params type: object - categories: - items: - type: string - maxItems: 100 - type: array - conditions: - additionalProperties: true + rule_type_id: + enum: + - transform_health + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. type: object properties: - deprecated: - $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' - elastic: - additionalProperties: true - type: object - properties: - capabilities: - items: - type: string - maxItems: 10 - type: array - subscription: - type: string - kibana: - additionalProperties: true - type: object - properties: - version: - type: string + interval: + description: The interval is specified in seconds, minutes, hours, or days. 
+ type: string required: - - deprecated - data_streams: + - interval + tags: + default: [] + description: The tags for the rule. items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 + type: string type: array - deprecated: - $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + throttle: + description: Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how frequently rule actions are triggered. You cannot specify the throttle interval at both the rule and action level. If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. + nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Transform health + type: object + Kibana_HTTP_APIs_treemapESQL: + additionalProperties: false + description: Treemap chart configuration schema for ES|QL queries, defining metrics and breakdown dimensions using column-based configuration + properties: + data_source: + $ref: '#/components/schemas/Kibana_HTTP_APIs_esqlDataSource' description: type: string - discovery: - additionalProperties: true - type: object - properties: - datasets: - items: - additionalProperties: true + drilldowns: + items: + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. 
+ type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown type: object + - additionalProperties: false properties: - name: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown type: string required: - - name - maxItems: 100 - type: array - fields: - items: - additionalProperties: true + - label + - trigger + - type + title: discover_drilldown type: object + - additionalProperties: false properties: - name: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable type: string required: - - name - maxItems: 100 - type: array - download: - type: string - elasticsearch: - additionalProperties: - nullable: true - type: object - format_version: - type: string - icons: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + group_by: + description: Array of breakdown dimensions (minimum 1) items: - $ref: '#/components/schemas/Kibana_HTTP_APIs_package_icon' + additionalProperties: false + type: object + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + column: + description: Column to use + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + required: + - 
column maxItems: 100 + minItems: 1 type: array - installationInfo: - $ref: '#/components/schemas/Kibana_HTTP_APIs_installation_info' - internal: + hide_border: type: boolean - keepPoliciesUpToDate: + hide_title: type: boolean - latestVersion: - type: string - license: - type: string - licensePath: - type: string - name: - type: string - notice: - type: string - owner: - additionalProperties: true - type: object - properties: - github: - type: string - type: - enum: - - elastic - - partner - - community - type: string - path: - type: string - policy_templates: + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. + type: boolean + legend: + $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapLegend' + metrics: + description: Array of metric configurations (minimum 1) items: - additionalProperties: - nullable: true + additionalProperties: false type: object - maxItems: 1000 + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + column: + description: Column to use + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + required: + - column + maxItems: 100 + minItems: 1 type: array - readme: + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). 
+ maximum: 1 + minimum: 0 + type: number + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapStyling' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: type: string - release: + type: enum: - - ga - - beta - - experimental + - treemap type: string - screenshots: + required: + - type + - data_source + - metrics + title: Treemap Chart (ES|QL) + type: object + Kibana_HTTP_APIs_treemapGroupByDateHistogram: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + drop_partial_intervals: + description: When `true`, drops partial intervals from the results. + type: boolean + field: + description: Field to be used for the date histogram. + type: string + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. + type: boolean + label: + description: Label for the operation + type: string + operation: + enum: + - date_histogram + type: string + suggested_interval: + default: auto + description: Suggested time interval. + type: string + use_original_time_range: + default: false + description: When `true`, uses the original time range instead of the current query time range. 
+ type: boolean + required: + - operation + - field + title: Date Histogram Operation + type: object + Kibana_HTTP_APIs_treemapGroupByFilters: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + filters: items: - $ref: '#/components/schemas/Kibana_HTTP_APIs_package_icon' + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterWithLabel' maxItems: 100 type: array - signature_path: + label: + description: Label for the operation type: string - source: - additionalProperties: true - type: object - properties: - license: - type: string - required: - - license - status: + operation: + enum: + - filters type: string - title: + required: + - operation + - filters + title: Filters Operation + type: object + Kibana_HTTP_APIs_treemapGroupByHistogram: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + field: + description: Field to be used for the histogram. type: string - type: + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + granularity: anyOf: + - description: Granularity of the histogram. 
+ maximum: 7 + minimum: 1 + type: number - enum: - - integration - type: string - - enum: - - input - type: string - - enum: - - content + - auto type: string - - type: string - var_groups: - items: - additionalProperties: true - type: object - properties: - description: - type: string - name: - type: string - options: - items: - additionalProperties: true - type: object - properties: - description: - type: string - hide_in_deployment_modes: - items: - enum: - - default - - agentless - type: string - maxItems: 2 - type: array - name: - type: string - title: - type: string - vars: - items: - type: string - maxItems: 100 - type: array - required: - - name - - title - - vars - maxItems: 100 - type: array - selector_title: - type: string - title: - type: string - required: - - name - - title - - selector_title - - options - maxItems: 100 - type: array - vars: - items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 - type: array - version: + default: auto + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. + type: boolean + label: + description: Label for the operation + type: string + operation: + enum: + - histogram type: string required: - - installationInfo - - name - - version - - title - - deprecated - - assets - title: get_package_info + - operation + - field + title: Histogram Operation type: object - Kibana_HTTP_APIs_get_packages_response: + Kibana_HTTP_APIs_treemapGroupByRanges: additionalProperties: false properties: - items: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + field: + description: Field to be used for the range. 
+ type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - range + type: string + ranges: items: - $ref: '#/components/schemas/Kibana_HTTP_APIs_package_list_item' - maxItems: 10000 + additionalProperties: false + type: object + properties: + gt: + description: Greater than. + type: number + label: + description: Label. + type: string + lte: + description: Less than or equal to. + type: number + maxItems: 100 type: array required: - - items - title: get_packages_response + - operation + - field + - ranges + title: Ranges Operation type: object - Kibana_HTTP_APIs_get_stats_response: + Kibana_HTTP_APIs_treemapGroupByTerms: additionalProperties: false properties: - response: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + excludes: additionalProperties: false type: object properties: - agent_policy_count: - type: number - package_policy_count: - type: number + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to exclude. + type: string + maxItems: 100 + type: array required: - - agent_policy_count - - package_policy_count + - values + fields: + items: + description: Fields to be used for the terms. + type: string + maxItems: 4 + minItems: 1 + type: array + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + includes: + additionalProperties: false + type: object + properties: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to include. + type: string + maxItems: 100 + type: array + required: + - values + increase_accuracy: + description: When `true`, increases accuracy at the cost of performance. 
+ type: boolean + label: + description: Label for the operation + type: string + limit: + default: 5 + description: Number of terms to return. + type: number + operation: + enum: + - terms + type: string + other_bucket: + additionalProperties: false + type: object + properties: + include_documents_without_field: + description: When `true`, includes documents that do not have the specified field. + type: boolean + required: + - include_documents_without_field + rank_by: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByAlphabetical' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByRare' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankBySignificant' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomCountOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileRankOperation' required: - - response - title: get_stats_response + - operation + - fields + title: Terms Operation type: object - Kibana_HTTP_APIs_get_verification_key_id_response: + Kibana_HTTP_APIs_treemapLegend: additionalProperties: false + description: Configuration for the treemap chart legend appearance and behavior properties: - id: - nullable: true + nested: + description: Show nested legend with hierarchical breakdown levels + type: boolean + size: + $ref: '#/components/schemas/Kibana_HTTP_APIs_legendSize' + truncate_after_lines: + description: Number of lines before legend items are truncated. + maximum: 10 + minimum: 1 + title: legendTruncateAfterLines + type: number + visibility: + description: Legend visibility. 
+ enum: + - auto + - visible + - hidden + type: string + title: Legend + type: object + Kibana_HTTP_APIs_treemapMetricCounterRate: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - counter_rate + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting type: string required: - - id - title: get_verification_key_id_response + - field + - operation + title: Counter Rate Operation type: object - Kibana_HTTP_APIs_install_kibana_assets_request: + Kibana_HTTP_APIs_treemapMetricCountMetric: additionalProperties: false properties: - force: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. type: boolean - space_ids: - description: >- - When provided install assets in the specified spaces instead of the - current space. 
- items: - type: string - maxItems: 100 - minItems: 1 - type: array - title: install_kibana_assets_request + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - operation + title: Count Metric Operation type: object - Kibana_HTTP_APIs_install_kibana_assets_response: + Kibana_HTTP_APIs_treemapMetricCumulativeSum: additionalProperties: false properties: - success: - type: boolean + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - cumulative_sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string required: - - success - title: install_kibana_assets_response + - field + - operation + title: Cumulative Sum Operation type: object - Kibana_HTTP_APIs_install_package_from_registry_request: + Kibana_HTTP_APIs_treemapMetricDifferences: additionalProperties: false 
properties: - force: - default: false - type: boolean - ignore_constraints: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - differences + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - operation + - of + title: Differences Operation + type: object + Kibana_HTTP_APIs_treemapMetricFormula: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + formula: + description: Formula + type: string + label: + description: Label for the operation + type: string + operation: + enum: + - formula + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + description: Time scale + enum: + - s + - m + - h + - d + type: string + required: + - operation + - formula + title: Formula Operation + type: object + Kibana_HTTP_APIs_treemapMetricLastValue: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be 
used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + multi_value: default: false + description: Whether to return all values for multi-value fields. Only affects data table and metric charts; other charts use the last value from the array. type: boolean - title: install_package_from_registry_request + operation: + enum: + - last_value + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_field: + description: Time field used to determine document recency + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + - time_field + title: Last Value Operation type: object - Kibana_HTTP_APIs_install_package_response: + Kibana_HTTP_APIs_treemapMetricMovingAverage: additionalProperties: false properties: - _meta: - additionalProperties: false - type: object - properties: - install_source: - type: string - name: - type: string - required: - - install_source - - name - items: - items: - anyOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_kibana_asset_reference' - - $ref: '#/components/schemas/Kibana_HTTP_APIs_es_asset_reference' - maxItems: 10000 - type: array + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - moving_average + type: string + 
reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + window: + default: 5 + description: Window + type: number required: - - items - - _meta - title: install_package_response + - operation + - of + title: Moving Average Operation type: object - Kibana_HTTP_APIs_install_rule_assets_request: + Kibana_HTTP_APIs_treemapMetricPercentile: additionalProperties: false properties: - force: - type: boolean - title: install_rule_assets_request + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - percentile + type: string + percentile: + default: 95 + description: Percentile + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Percentile Operation type: object - Kibana_HTTP_APIs_installation_info: - additionalProperties: true + Kibana_HTTP_APIs_treemapMetricPercentileRanks: + additionalProperties: false properties: - additional_spaces_installed_kibana: - additionalProperties: - items: - $ref: '#/components/schemas/Kibana_HTTP_APIs_kibana_asset_reference' - maxItems: 100 - type: array - type: object - created_at: + color: + anyOf: + - $ref: 
'#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric type: string - experimental_data_stream_features: - items: - additionalProperties: true - type: object - properties: - data_stream: - type: string - features: - additionalProperties: true - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 - type: array - install_format_schema_version: + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string - install_source: + operation: enum: - - registry - - upload - - bundled - - custom + - percentile_rank type: string - install_status: + rank: + default: 0 + description: Percentile Rank + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Percentile Ranks Operation + type: object + Kibana_HTTP_APIs_treemapMetricStatsMetric: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: enum: - - installed - - installing - - install_failed + - min + 
- max + - average + - median + - standard_deviation type: string - installed_es: - items: - $ref: '#/components/schemas/Kibana_HTTP_APIs_es_asset_reference' - maxItems: 10000 - type: array - installed_kibana: - items: - $ref: '#/components/schemas/Kibana_HTTP_APIs_kibana_asset_reference' - maxItems: 10000 - type: array - installed_kibana_space_id: + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting type: string - is_rollback_ttl_expired: + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Stats Metric Operation + type: object + Kibana_HTTP_APIs_treemapMetricSumMetric: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
type: boolean - latest_executed_state: - additionalProperties: true - type: object - properties: - error: - type: string - name: - type: string - started_at: - type: string - latest_install_failed_attempts: - items: - additionalProperties: true - type: object - properties: - created_at: - type: string - error: - additionalProperties: true - type: object - properties: - message: - type: string - name: - type: string - stack: - type: string - required: - - name - - message - target_version: - type: string - required: - - created_at - - target_version - - error - maxItems: 10 - type: array - name: + field: + description: Field to be used for the metric type: string - namespaces: - items: - type: string - maxItems: 100 - type: array - previous_version: - nullable: true + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string - rolled_back: - type: boolean - type: + operation: + enum: + - sum type: string - updated_at: + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting type: string - verification_key_id: - nullable: true + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting type: string - verification_status: + required: + - field + - operation + title: Sum Metric Operation + type: object + Kibana_HTTP_APIs_treemapMetricUniqueCountMetric: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: enum: - - unverified - - verified - - unknown + - unique_count type: string - version: + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting type: string required: - - type - - installed_kibana - - installed_es - - name - - version - - install_status - - install_source - - verification_status - title: installation_info + - field + - operation + title: Unique Count Metric Operation type: object - x-oas-optional: true - Kibana_HTTP_APIs_installed_package: + Kibana_HTTP_APIs_treemapNoESQL: additionalProperties: false + description: Treemap chart configuration schema for data source queries (non-ES|QL mode), defining metrics and breakdown dimensions properties: - dataStreams: - items: - additionalProperties: false - type: object - properties: - name: - type: string - title: - type: string - required: - - name - - title - maxItems: 10000 - type: array + data_source: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' description: type: string - icons: + drilldowns: items: - $ref: '#/components/schemas/Kibana_HTTP_APIs_package_icon' + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. 
+ type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. + type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. 
Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object maxItems: 100 type: array - name: - type: string - status: - type: string + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + group_by: + description: Array of breakdown dimensions (minimum 1) + items: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapGroupByDateHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapGroupByTerms' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapGroupByHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapGroupByRanges' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapGroupByFilters' + maxItems: 100 + minItems: 1 + type: array + hide_border: + type: boolean + hide_title: + type: boolean + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. 
+ type: boolean + legend: + $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapLegend' + metrics: + description: Array of metric configurations (minimum 1) + items: + anyOf: + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapMetricCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapMetricUniqueCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapMetricStatsMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapMetricSumMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapMetricLastValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapMetricPercentile' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapMetricPercentileRanks' + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapMetricDifferences' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapMetricMovingAverage' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapMetricCumulativeSum' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapMetricCounterRate' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapMetricFormula' + maxItems: 100 + minItems: 1 + type: array + query: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). 
+ maximum: 1 + minimum: 0 + type: number + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_treemapStyling' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' title: type: string - version: + type: + enum: + - treemap type: string required: - - name - - version - - status - - dataStreams - title: installed_package + - type + - data_source + - metrics + title: Treemap Chart (DSL) type: object - Kibana_HTTP_APIs_kibana_asset_reference: + Kibana_HTTP_APIs_treemapStyling: additionalProperties: false + description: Visual chart styling options properties: - deferred: + labels: + additionalProperties: false + description: Labels configuration + type: object + properties: + visible: + description: Show category labels + type: boolean + values: + $ref: '#/components/schemas/Kibana_HTTP_APIs_valueDisplay' + title: Treemap styling + type: object + Kibana_HTTP_APIs_unassignedColorSchema: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_colorFromPalette' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_color_code' + description: The color to use for unassigned values. + title: unassignedColorSchema + Kibana_HTTP_APIs_uniqueCountMetricOperation: + additionalProperties: false + properties: + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
type: boolean - id: + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string - originId: + operation: + enum: + - unique_count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting type: string - type: - anyOf: - - enum: - - dashboard - - lens - - visualization - - search - - index-pattern - - map - - ml-module - - security-rule - - csp-rule-template - - osquery-pack-asset - - osquery-saved-query - - tag - type: string - - type: string required: - - id - - type - title: kibana_asset_reference + - field + - operation + title: Unique Count Metric Operation type: object - Kibana_HTTP_APIs_new_agent_policy: + Kibana_HTTP_APIs_update_maintenance_window: additionalProperties: false properties: - advanced_settings: + enabled: + description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications. 
+ type: boolean + schedule: additionalProperties: false type: object properties: - agent_download_target_directory: - nullable: true - agent_download_timeout: - nullable: true - agent_features_disable_policy_change_acks_enabled: - nullable: true - agent_internal: - nullable: true - agent_limits_go_max_procs: - nullable: true - agent_logging_files_interval: - nullable: true - agent_logging_files_keepfiles: - nullable: true - agent_logging_files_rotateeverybytes: - nullable: true - agent_logging_level: - nullable: true - agent_logging_metrics_period: - nullable: true - agent_logging_to_files: - nullable: true - agent_monitoring_runtime_experimental: - nullable: true - agent_features: + custom: + $ref: '#/components/schemas/Kibana_HTTP_APIs_maintenance_window_schedule_request' + required: + - custom + scope: + $ref: '#/components/schemas/Kibana_HTTP_APIs_maintenance_window_scope' + title: + description: The name of the maintenance window. While this name does not have to be unique, a distinctive name can help you identify a specific maintenance window. 
+ type: string + title: update_maintenance_window + type: object + Kibana_HTTP_APIs_update_output_elasticsearch: + additionalProperties: false + properties: + allow_edit: items: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - name: - type: string - required: - - name - - enabled - maxItems: 100 + type: string + maxItems: 1000 type: array - agentless: + ca_sha256: + nullable: true + type: string + ca_trusted_fingerprint: + nullable: true + type: string + config_yaml: + nullable: true + type: string + hosts: + items: + format: uri + type: string + maxItems: 10 + minItems: 1 + type: array + id: + type: string + is_default: + type: boolean + is_default_monitoring: + type: boolean + is_internal: + type: boolean + is_preconfigured: + type: boolean + name: + type: string + otel_disable_beatsauth: + nullable: true + type: boolean + otel_exporter_config_yaml: + nullable: true + type: string + preset: + enum: + - balanced + - custom + - throughput + - scale + - latency + type: string + proxy_id: + nullable: true + type: string + secrets: additionalProperties: false type: object properties: - cloud_connectors: - additionalProperties: false - type: object - properties: - enabled: - type: boolean - target_csp: - enum: - - aws - - azure - - gcp - type: string - required: - - enabled - cluster_id: - type: string - resources: + ssl: additionalProperties: false type: object properties: - requests: - additionalProperties: false - type: object - properties: - cpu: - type: string - memory: - type: string - bumpRevision: - type: boolean - data_output_id: + key: + anyOf: + - additionalProperties: false + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + shipper: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' nullable: true + ssl: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + nullable: true + type: + enum: + - elasticsearch type: string - 
description: + write_to_logs_streams: + nullable: true + type: boolean + title: update_output_elasticsearch + type: object + Kibana_HTTP_APIs_update_output_kafka: + additionalProperties: false + properties: + allow_edit: + items: + type: string + maxItems: 1000 + type: array + auth_type: + enum: + - none + - user_pass + - ssl + - kerberos type: string - download_source_id: + broker_timeout: + type: number + ca_sha256: nullable: true type: string - fleet_server_host_id: + ca_trusted_fingerprint: nullable: true type: string - force: - type: boolean - global_data_tags: - description: >- - User defined data tags that are added to all of the inputs. The - values can be strings or numbers. + client_id: + type: string + compression: + enum: + - gzip + - snappy + - lz4 + - none + type: string + compression_level: + nullable: true + type: number + config_yaml: + nullable: true + type: string + connection_type: + enum: + - plaintext + - encryption + type: string + hash: + additionalProperties: false + type: object + properties: + hash: + type: string + random: + type: boolean + headers: items: additionalProperties: false type: object properties: - name: + key: type: string value: - anyOf: - - type: string - - type: number + type: string required: - - name + - key - value maxItems: 100 type: array - has_agent_version_conditions: - type: boolean - has_fleet_server: - type: boolean + hosts: + items: + type: string + maxItems: 10 + minItems: 1 + type: array id: type: string - inactivity_timeout: - default: 1209600 - minimum: 0 - type: number is_default: + default: false type: boolean - is_default_fleet_server: - type: boolean - is_managed: + is_default_monitoring: + default: false type: boolean - is_protected: + is_internal: type: boolean - is_verifier: + is_preconfigured: type: boolean - keep_monitoring_alive: - default: false - description: >- - When set to true, monitoring will be enabled but logs/metrics - collection will be disabled + key: + type: string + name: + type: 
string + otel_disable_beatsauth: nullable: true type: boolean - min_agent_version: + otel_exporter_config_yaml: nullable: true type: string - monitoring_diagnostics: + partition: + enum: + - random + - round_robin + - hash + type: string + password: + nullable: true + type: string + proxy_id: + nullable: true + type: string + random: additionalProperties: false type: object properties: - limit: - additionalProperties: false - type: object - properties: - burst: - type: number - interval: - type: string - uploader: - additionalProperties: false - type: object - properties: - init_dur: - type: string - max_dur: - type: string - max_retries: - type: number - monitoring_enabled: - items: - enum: - - logs - - metrics - - traces - type: string - maxItems: 3 - type: array - monitoring_http: + group_events: + type: number + required_acks: + enum: + - 1 + - 0 + - -1 + type: integer + round_robin: additionalProperties: false type: object properties: - buffer: + group_events: + type: number + sasl: + additionalProperties: false + nullable: true + type: object + properties: + mechanism: + enum: + - PLAIN + - SCRAM-SHA-256 + - SCRAM-SHA-512 + type: string + secrets: + additionalProperties: false + type: object + properties: + password: + anyOf: + - additionalProperties: false + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + ssl: additionalProperties: false type: object properties: - enabled: - default: false - type: boolean - enabled: - type: boolean - host: - type: string - port: - maximum: 65353 - minimum: 0 - type: number - monitoring_output_id: + key: + anyOf: + - additionalProperties: false + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + required: + - key + shipper: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' nullable: true + ssl: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + nullable: true + 
timeout: + type: number + topic: type: string - monitoring_pprof_enabled: - type: boolean - name: - minLength: 1 - type: string - namespace: - minLength: 1 + type: + enum: + - kafka type: string - overrides: - additionalProperties: - nullable: true - description: >- - Override settings that are defined in the agent policy. Input - settings cannot be overridden. The override option should be used - only in unusual circumstances and not as a routine procedure. + username: nullable: true - type: object - package_agent_version_conditions: + type: string + version: + type: string + required: + - name + title: update_output_kafka + type: object + Kibana_HTTP_APIs_update_output_logstash: + additionalProperties: false + properties: + allow_edit: items: - additionalProperties: false - type: object - properties: - name: - type: string - title: - type: string - version_condition: - type: string - required: - - name - - title - - version_condition + type: string maxItems: 1000 - nullable: true type: array - required_versions: - items: - additionalProperties: false - type: object - properties: - percentage: - description: Target percentage of agents to auto upgrade - maximum: 100 - minimum: 0 - type: number - version: - description: Target version for automatic agent upgrade - type: string - required: - - version - - percentage - maxItems: 100 + ca_sha256: nullable: true - type: array - space_ids: + type: string + ca_trusted_fingerprint: + nullable: true + type: string + config_yaml: + nullable: true + type: string + hosts: items: type: string - maxItems: 100 + maxItems: 10 + minItems: 1 type: array - supports_agentless: - default: false - deprecated: true - description: >- - Indicates whether the agent policy supports agentless integrations. - Deprecated in favor of the Fleet agentless policies API. 
+ id: + type: string + is_default: + type: boolean + is_default_monitoring: + type: boolean + is_internal: + type: boolean + is_preconfigured: + type: boolean + name: + type: string + otel_disable_beatsauth: + nullable: true + type: boolean + otel_exporter_config_yaml: + nullable: true + type: string + proxy_id: + nullable: true + type: string + secrets: + additionalProperties: false + type: object + properties: + ssl: + additionalProperties: false + type: object + properties: + key: + anyOf: + - additionalProperties: false + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string + shipper: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' nullable: true - type: boolean - unenroll_timeout: - minimum: 0 - type: number - required: - - name - - namespace - title: new_agent_policy - type: object - Kibana_HTTP_APIs_new_enrollment_api_key: - additionalProperties: false - properties: - expiration: - type: string - name: - type: string - policy_id: + ssl: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' + nullable: true + type: + enum: + - logstash type: string - required: - - policy_id - title: new_enrollment_api_key + title: update_output_logstash type: object - Kibana_HTTP_APIs_new_output_elasticsearch: + Kibana_HTTP_APIs_update_output_remote_elasticsearch: additionalProperties: false properties: allow_edit: @@ -59402,15 +111643,19 @@ components: id: type: string is_default: - default: false type: boolean is_default_monitoring: - default: false type: boolean is_internal: type: boolean is_preconfigured: type: boolean + kibana_api_key: + nullable: true + type: string + kibana_url: + nullable: true + type: string name: type: string otel_disable_beatsauth: 
@@ -59434,6 +111679,18 @@ components: additionalProperties: false type: object properties: + service_token: + anyOf: + - additionalProperties: false + type: object + properties: + hash: + type: string + id: + type: string + required: + - id + - type: string ssl: additionalProperties: false type: object @@ -59450,6 +111707,9 @@ components: required: - id - type: string + service_token: + nullable: true + type: string shipper: allOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' 
@@ -59458,2960 +111718,6157 @@ components: allOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' nullable: true + sync_integrations: + type: boolean + sync_uninstalled_integrations: + type: boolean type: enum: - - elasticsearch + - remote_elasticsearch type: string write_to_logs_streams: nullable: true type: boolean - required: - - name - - type - - hosts - title: new_output_elasticsearch + title: update_output_remote_elasticsearch type: object - Kibana_HTTP_APIs_new_output_kafka: + Kibana_HTTP_APIs_update_package_policy_request: additionalProperties: false properties: - allow_edit: + additional_datastreams_permissions: + description: Additional data stream permissions that will be added to the agent policy. items: type: string maxItems: 1000 + nullable: true type: array - auth_type: - enum: - - none - - user_pass - - ssl - - kerberos - type: string - broker_timeout: - type: number - ca_sha256: + cloud_connector_id: + description: ID of the cloud connector associated with this package policy. nullable: true type: string - ca_trusted_fingerprint: + cloud_connector_name: + description: Transient field for cloud connector name during creation. + maxLength: 255 + minLength: 1 nullable: true type: string - client_id: + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this integration to its inputs.' type: string - compression: - enum: - - gzip - - snappy - - lz4 - - none + description: + description: Package policy description type: string - compression_level: - nullable: true - type: number - config_yaml: + enabled: + type: boolean + force: + type: boolean + global_data_tags: + items: + additionalProperties: false + type: object + properties: + name: + description: The name of the custom field. Cannot contain spaces. + type: string + value: + anyOf: + - type: string + - type: number + description: The value of the custom field. 
+ required: + - name + - value + maxItems: 100 nullable: true + type: array + inputs: + items: + additionalProperties: false + type: object + properties: + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this input.' + type: string + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + name: + type: string + policy_template: + type: string + streams: + items: + additionalProperties: false + type: object + properties: + compiled_stream: + nullable: true + condition: + description: '**Experimental.** Agent condition expression to evaluate whether to apply this stream.' 
+ type: string + config: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + data_stream: + additionalProperties: false + type: object + properties: + dataset: + type: string + elasticsearch: + additionalProperties: false + type: object + properties: + dynamic_dataset: + type: boolean + dynamic_namespace: + type: boolean + privileges: + additionalProperties: false + type: object + properties: + indices: + items: + type: string + maxItems: 100 + type: array + type: + type: string + required: + - dataset + deprecated: + $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' + enabled: + type: boolean + id: + type: string + keep_enabled: + type: boolean + migrate_from: + type: string + release: + enum: + - ga + - beta + - experimental + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - enabled + - data_stream + - compiled_stream + maxItems: 1000 + type: array + type: + type: string + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. Maps var_group name to the selected option name within that group. 
+ type: object + vars: + additionalProperties: + additionalProperties: false + type: object + properties: + frozen: + type: boolean + type: + type: string + value: + nullable: true + required: + - value + description: Package variable (see integration documentation for more information) + type: object + required: + - type + - enabled + maxItems: 1000 + type: array + is_managed: + type: boolean + name: type: string - connection_type: - enum: - - plaintext - - encryption + namespace: + description: The package policy namespace. Leave blank to inherit the agent policy's namespace. type: string - hash: + output_id: + nullable: true + type: string + overrides: additionalProperties: false + description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. + nullable: true type: object properties: - hash: - type: string - random: - type: boolean - headers: + inputs: + additionalProperties: + nullable: true + type: object + package: + $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_package' + package_agent_version_condition: + type: string + policy_id: + deprecated: true + description: ID of the agent policy which the package policy will be added to. + nullable: true + type: string + policy_ids: + items: + description: IDs of the agent policies that the package policy will be added to. + type: string + maxItems: 1000 + type: array + spaceIds: items: + type: string + maxItems: 100 + type: array + supports_agentless: + default: false + description: Indicates whether the package policy belongs to an agentless agent policy. + nullable: true + type: boolean + supports_cloud_connector: + default: false + description: Indicates whether the package policy supports cloud connectors. + nullable: true + type: boolean + var_group_selections: + additionalProperties: + type: string + description: Variable group selections. 
Maps var_group name to the selected option name within that group. + type: object + vars: + additionalProperties: additionalProperties: false type: object properties: - key: + frozen: + type: boolean + type: type: string value: - type: string + nullable: true required: - - key - value + description: Package variable (see integration documentation for more information) + type: object + version: + type: string + title: update_package_policy_request + type: object + Kibana_HTTP_APIs_update_package_request: + additionalProperties: false + properties: + keepPoliciesUpToDate: + type: boolean + namespace_customization_enabled_for: + description: Namespaces for which namespace-level customization is enabled on this package. + items: + type: string maxItems: 100 type: array - hosts: + title: update_package_request + type: object + Kibana_HTTP_APIs_update_package_response: + additionalProperties: false + properties: + item: + $ref: '#/components/schemas/Kibana_HTTP_APIs_get_package_info' + required: + - item + title: update_package_response + type: object + Kibana_HTTP_APIs_update_rule: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_update_rule_action' + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. 
+ type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how frequently rule actions are triggered. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the rule. + type: object + schedule: + additionalProperties: false + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] items: + description: The tags for the rule. 
type: string - maxItems: 10 - minItems: 1 type: array + throttle: + description: Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how frequently rule actions are triggered. You cannot specify the throttle interval at both the rule and action level. If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. + nullable: true + type: string + required: + - name + - schedule + title: update_rule + type: object + Kibana_HTTP_APIs_update_rule_action: + additionalProperties: false + description: An action that runs under defined conditions. + properties: + alerts_filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_update_rule_action_alerts_filter' + frequency: + $ref: '#/components/schemas/Kibana_HTTP_APIs_update_rule_action_frequency' + group: + description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. + type: string id: + description: The identifier for the connector saved object. type: string - is_default: - default: false + params: + additionalProperties: + nullable: true + default: {} + description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. type: boolean - is_default_monitoring: - default: false + uuid: + description: A universally unique identifier (UUID) for the action. 
+ type: string + required: + - id + title: update_rule_action + type: object + Kibana_HTTP_APIs_update_rule_action_alerts_filter: + additionalProperties: false + properties: + query: + $ref: '#/components/schemas/Kibana_HTTP_APIs_alerts_filter_query' + timeframe: + additionalProperties: false + description: Defines a period that limits whether the action runs. + type: object + properties: + days: + description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. + type: object + properties: + end: + description: The end of the time frame, in 24-hour notation (`hh:mm`). + type: string + start: + description: The start of the time frame, in 24-hour notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in support for daylight savings time and are not recommended. + type: string + required: + - days + - hours + - timezone + title: update_rule_action_alerts_filter + type: object + Kibana_HTTP_APIs_update_rule_action_frequency: + additionalProperties: false + properties: + notify_when: + description: 'Indicates how frequently rule actions are triggered. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. type: boolean - is_internal: + throttle: + description: The throttle interval defines how frequently rule actions are triggered. It is specified in seconds, minutes, hours, or days and only applies when `notify_when` is set to `onThrottleInterval`. You cannot set the throttle interval at both the rule and action level. The recommended approach is to set it for each action individually. If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. + nullable: true + type: string + required: + - summary + - notify_when + - throttle + title: update_rule_action_frequency + type: object + Kibana_HTTP_APIs_upgrade_package_policies_request: + additionalProperties: false + properties: + packagePolicyIds: + items: + type: string + maxItems: 1000 + type: array + required: + - packagePolicyIds + title: upgrade_package_policies_request + type: object + Kibana_HTTP_APIs_valueDisplay: + additionalProperties: false + description: Configure the visibility and the format of the values rendered on each chart partition section + properties: + mode: + description: How to format values when visible. 
+ enum: + - absolute + - percentage + type: string + percent_decimals: + description: Decimal places for percentage display (0-10) + maximum: 10 + minimum: 0 + type: number + visible: + description: Show metric values on the chart type: boolean - is_preconfigured: + title: valueDisplay + type: object + Kibana_HTTP_APIs_vis_api_direction: + description: Sort direction. + enum: + - asc + - desc + title: vis_api_direction + type: string + Kibana_HTTP_APIs_vis_api_domain_custom: + additionalProperties: false + description: Uses explicitly provided domain bounds (min and max). + properties: + max: + description: Max domain value + type: number + min: + description: Min domain value + type: number + rounding: + description: Whether to round axis domain bounds outward to readable “nice” values (for example 1, 5, 10, 100) instead of exact data min/max. + title: vis_api_domain_rounding + type: boolean + type: + enum: + - custom + type: string + required: + - type + - min + - max + title: vis_api_domain_custom + type: object + Kibana_HTTP_APIs_vis_api_domain_fit: + additionalProperties: false + description: Uses tight domain bounds from the observed data minimum to maximum, without baseline expansion. + properties: + rounding: + description: Whether to round axis domain bounds outward to readable “nice” values (for example 1, 5, 10, 100) instead of exact data min/max. + title: vis_api_domain_rounding type: boolean - key: - type: string - name: + type: + enum: + - fit type: string - otel_disable_beatsauth: - nullable: true + required: + - type + title: vis_api_domain_fit + type: object + Kibana_HTTP_APIs_vis_api_domain_full: + additionalProperties: false + description: Uses the full chart domain, including baseline expansion when applicable (for example, includes zero for bar-like series). + properties: + rounding: + description: Whether to round axis domain bounds outward to readable “nice” values (for example 1, 5, 10, 100) instead of exact data min/max. 
+ title: vis_api_domain_rounding type: boolean - otel_exporter_config_yaml: - nullable: true - type: string - partition: + type: enum: - - random - - round_robin - - hash - type: string - password: - nullable: true - type: string - proxy_id: - nullable: true + - full type: string - random: - additionalProperties: false - type: object - properties: - group_events: - type: number - required_acks: - enum: - - 1 - - 0 - - -1 - type: integer - round_robin: + required: + - type + title: vis_api_domain_full + type: object + Kibana_HTTP_APIs_vis_api_orientation: + description: Orientation of the tagcloud. + enum: + - horizontal + - vertical + - angled + title: vis_api_orientation + type: string + Kibana_HTTP_APIs_vis_api_simple_orientation: + default: horizontal + description: Orientation + enum: + - horizontal + - vertical + title: vis_api_simple_orientation + type: string + Kibana_HTTP_APIs_vis_api_xy_axis_config: + additionalProperties: false + description: Axis configuration for X, Y, and Y2 axes. The Y axis is on the start (leading) side, the Y2 axis is on the end (trailing) side. + properties: + x: additionalProperties: false + description: X-axis configuration type: object properties: - group_events: - type: number - sasl: + domain: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_domain_fit' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_domain_custom' + description: X-axis domain configuration + grid: + additionalProperties: false + description: Axis grid lines configuration + type: object + properties: + visible: + description: Show grid lines for this axis + type: boolean + required: + - visible + labels: + additionalProperties: false + description: Label configuration + type: object + properties: + orientation: + $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_orientation' + scale: + description: X-axis scale type. Use 'temporal' for timestamp/date fields (for example, @timestamp or DATE_TRUNC results). 
Use 'ordinal' for categorical/text fields. Use 'linear' for numeric fields. + enum: + - ordinal + - temporal + - linear + type: string + ticks: + additionalProperties: false + description: Axis tick marks configuration + type: object + properties: + visible: + description: Show tick marks on the axis + type: boolean + required: + - visible + title: + additionalProperties: false + description: Axis title configuration + type: object + properties: + text: + description: Axis title text. + type: string + visible: + description: When `true`, displays the title. + type: boolean + 'y': additionalProperties: false - nullable: true + description: 'Y-axis configuration with scale and bounds. The axis position is determined by the key: y renders on the start side (left in vertical charts), y2 on the end side (right in vertical charts).' type: object properties: - mechanism: + domain: + description: Y-axis domain configuration + discriminator: + mapping: + custom: '#/components/schemas/Kibana_HTTP_APIs_vis_api_domain_custom' + fit: '#/components/schemas/Kibana_HTTP_APIs_vis_api_domain_fit' + full: '#/components/schemas/Kibana_HTTP_APIs_vis_api_domain_full' + propertyName: type + oneOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_domain_full' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_domain_fit' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_domain_custom' + grid: + additionalProperties: false + description: Axis grid lines configuration + type: object + properties: + visible: + description: Show grid lines for this axis + type: boolean + required: + - visible + labels: + additionalProperties: false + description: Label configuration + type: object + properties: + orientation: + $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_orientation' + scale: + description: Y-axis scale type for data transformation enum: - - PLAIN - - SCRAM-SHA-256 - - SCRAM-SHA-512 + - linear + - log + - sqrt type: string - secrets: + ticks: + 
additionalProperties: false + description: Axis tick marks configuration + type: object + properties: + visible: + description: Show tick marks on the axis + type: boolean + required: + - visible + title: + additionalProperties: false + description: Axis title configuration + type: object + properties: + text: + description: Axis title text. + type: string + visible: + description: When `true`, displays the title. + type: boolean + required: + - domain + y2: additionalProperties: false + description: 'Y-axis configuration with scale and bounds. The axis position is determined by the key: y renders on the start side (left in vertical charts), y2 on the end side (right in vertical charts).' type: object properties: - password: + domain: anyOf: - - additionalProperties: false - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - ssl: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_domain_full' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_domain_fit' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_domain_custom' + description: Y-axis domain configuration + grid: additionalProperties: false + description: Axis grid lines configuration type: object properties: - key: - anyOf: - - additionalProperties: false - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string + visible: + description: Show grid lines for this axis + type: boolean required: - - key - shipper: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' - nullable: true - ssl: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' - nullable: true - timeout: - type: number - topic: - type: string - type: - enum: - - kafka - type: string - username: - nullable: true - type: string - version: - type: string - required: - - name - - type - - hosts - - auth_type - title: new_output_kafka + - visible + labels: + additionalProperties: false + 
description: Label configuration + type: object + properties: + orientation: + $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_orientation' + scale: + description: Y-axis scale type for data transformation + enum: + - linear + - log + - sqrt + type: string + ticks: + additionalProperties: false + description: Axis tick marks configuration + type: object + properties: + visible: + description: Show tick marks on the axis + type: boolean + required: + - visible + title: + additionalProperties: false + description: Axis title configuration + type: object + properties: + text: + description: Axis title text. + type: string + visible: + description: When `true`, displays the title. + type: boolean + required: + - domain + title: Axis type: object - Kibana_HTTP_APIs_new_output_logstash: + Kibana_HTTP_APIs_waffleESQL: additionalProperties: false + description: Waffle chart configuration for ES|QL queries properties: - allow_edit: + data_source: + $ref: '#/components/schemas/Kibana_HTTP_APIs_esqlDataSource' + description: + type: string + drilldowns: items: - type: string - maxItems: 1000 + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. 
+ type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 type: array - ca_sha256: - nullable: true - type: string - ca_trusted_fingerprint: - nullable: true - type: string - config_yaml: - nullable: true - type: string - hosts: + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + group_by: + description: Array of ES|QL breakdown columns (minimum 1) items: - type: string - maxItems: 10 + additionalProperties: false + type: object + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + column: + description: Column to use + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + required: + - column + maxItems: 100 minItems: 1 type: array - id: - type: string - is_default: - default: false + hide_border: type: boolean - 
is_default_monitoring: - default: false - type: boolean - is_internal: + hide_title: type: boolean - is_preconfigured: - type: boolean - name: - type: string - otel_disable_beatsauth: - nullable: true + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. type: boolean - otel_exporter_config_yaml: - nullable: true - type: string - proxy_id: - nullable: true + legend: + $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleLegend' + metrics: + description: Array of metric configurations (minimum 1) + items: + additionalProperties: false + type: object + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + column: + description: Column to use + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + required: + - column + maxItems: 100 + minItems: 1 + type: array + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). 
+ maximum: 1 + minimum: 0 + type: number + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleStyling' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: type: string - secrets: - additionalProperties: false - type: object - properties: - ssl: - additionalProperties: false - type: object - properties: - key: - anyOf: - - additionalProperties: false - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - shipper: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' - nullable: true - ssl: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' - nullable: true type: enum: - - logstash + - waffle type: string required: - - name - type - - hosts - title: new_output_logstash + - data_source + - metrics + title: Waffle Chart (ES|QL) type: object - Kibana_HTTP_APIs_new_output_remote_elasticsearch: + Kibana_HTTP_APIs_waffleGroupByDateHistogram: additionalProperties: false properties: - allow_edit: - items: - type: string - maxItems: 1000 - type: array - ca_sha256: - nullable: true + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + drop_partial_intervals: + description: When `true`, drops partial intervals from the results. + type: boolean + field: + description: Field to be used for the date histogram. type: string - ca_trusted_fingerprint: - nullable: true + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. + type: boolean + label: + description: Label for the operation type: string - config_yaml: - nullable: true + operation: + enum: + - date_histogram type: string - hosts: - items: - format: uri - type: string - maxItems: 10 - minItems: 1 - type: array - id: + suggested_interval: + default: auto + description: Suggested time interval. 
type: string - is_default: - default: false - type: boolean - is_default_monitoring: + use_original_time_range: default: false + description: When `true`, uses the original time range instead of the current query time range. type: boolean - is_internal: - type: boolean - is_preconfigured: - type: boolean - kibana_api_key: - nullable: true + required: + - operation + - field + title: Date Histogram Operation + type: object + Kibana_HTTP_APIs_waffleGroupByFilters: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + filters: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterWithLabel' + maxItems: 100 + type: array + label: + description: Label for the operation type: string - kibana_url: - nullable: true + operation: + enum: + - filters type: string - name: + required: + - operation + - filters + title: Filters Operation + type: object + Kibana_HTTP_APIs_waffleGroupByHistogram: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + field: + description: Field to be used for the histogram. type: string - otel_disable_beatsauth: - nullable: true + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + granularity: + anyOf: + - description: Granularity of the histogram. + maximum: 7 + minimum: 1 + type: number + - enum: + - auto + type: string + default: auto + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. 
type: boolean - otel_exporter_config_yaml: - nullable: true + label: + description: Label for the operation type: string - preset: + operation: enum: - - balanced - - custom - - throughput - - scale - - latency + - histogram type: string - proxy_id: - nullable: true + required: + - operation + - field + title: Histogram Operation + type: object + Kibana_HTTP_APIs_waffleGroupByRanges: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + field: + description: Field to be used for the range. type: string - secrets: + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - range + type: string + ranges: + items: + additionalProperties: false + type: object + properties: + gt: + description: Greater than. + type: number + label: + description: Label. + type: string + lte: + description: Less than or equal to. 
+ type: number + maxItems: 100 + type: array + required: + - operation + - field + - ranges + title: Ranges Operation + type: object + Kibana_HTTP_APIs_waffleGroupByTerms: + additionalProperties: false + properties: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + excludes: additionalProperties: false type: object properties: - service_token: - anyOf: - - additionalProperties: false - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - key: - anyOf: - - additionalProperties: false - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - service_token: - nullable: true - type: string - shipper: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' - nullable: true - ssl: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' - nullable: true - sync_integrations: - type: boolean - sync_uninstalled_integrations: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to exclude. + type: string + maxItems: 100 + type: array + required: + - values + fields: + items: + description: Fields to be used for the terms. + type: string + maxItems: 4 + minItems: 1 + type: array + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + includes: + additionalProperties: false + type: object + properties: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to include. + type: string + maxItems: 100 + type: array + required: + - values + increase_accuracy: + description: When `true`, increases accuracy at the cost of performance. 
type: boolean - type: + label: + description: Label for the operation + type: string + limit: + default: 5 + description: Number of terms to return. + type: number + operation: enum: - - remote_elasticsearch + - terms type: string - write_to_logs_streams: - nullable: true - type: boolean + other_bucket: + additionalProperties: false + type: object + properties: + include_documents_without_field: + description: When `true`, includes documents that do not have the specified field. + type: boolean + required: + - include_documents_without_field + rank_by: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByAlphabetical' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByRare' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankBySignificant' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomCountOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileRankOperation' required: - - name - - type - - hosts - title: new_output_remote_elasticsearch + - operation + - fields + title: Terms Operation type: object - Kibana_HTTP_APIs_output_elasticsearch: - additionalProperties: true + Kibana_HTTP_APIs_waffleLegend: + additionalProperties: false + description: Legend configuration for waffle chart properties: - allow_edit: + size: + $ref: '#/components/schemas/Kibana_HTTP_APIs_legendSize' + truncate_after_lines: + description: Number of lines before legend items are truncated. 
+ maximum: 10 + minimum: 1 + title: legendTruncateAfterLines + type: number + values: items: + description: 'Legend value display mode: absolute (show raw metric values in legend)' + enum: + - absolute type: string - maxItems: 1000 + maxItems: 1 + minItems: 1 type: array - ca_sha256: - nullable: true + visibility: + description: Legend visibility. + enum: + - auto + - visible + - hidden type: string - ca_trusted_fingerprint: - nullable: true + title: Legend + type: object + Kibana_HTTP_APIs_waffleMetricCounterRate: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric type: string - config_yaml: - nullable: true + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string - hosts: - items: - format: uri - type: string - maxItems: 10 - minItems: 1 - type: array - id: + operation: + enum: + - counter_rate type: string - is_default: - default: false - type: boolean - is_default_monitoring: + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Counter Rate Operation + type: object + Kibana_HTTP_APIs_waffleMetricCountMetric: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + empty_as_null: default: false + description: When `true`, treats empty buckets as null instead of zero. 
type: boolean - is_internal: - type: boolean - is_preconfigured: - type: boolean - name: + field: + description: Field to be used for the metric type: string - otel_disable_beatsauth: - nullable: true - type: boolean - otel_exporter_config_yaml: - nullable: true + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string - preset: + operation: enum: - - balanced - - custom - - throughput - - scale - - latency + - count type: string - proxy_id: - nullable: true + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting type: string - secrets: - additionalProperties: true - type: object - properties: - ssl: - additionalProperties: true - type: object - properties: - key: - anyOf: - - additionalProperties: true - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - shipper: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' - nullable: true - ssl: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' - nullable: true - type: + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - operation + title: Count Metric Operation + type: object + Kibana_HTTP_APIs_waffleMetricCumulativeSum: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: enum: - - 
elasticsearch + - cumulative_sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting type: string - write_to_logs_streams: - nullable: true - type: boolean required: - - name - - type - - hosts - title: output_elasticsearch + - field + - operation + title: Cumulative Sum Operation type: object - Kibana_HTTP_APIs_output_kafka: - additionalProperties: true + Kibana_HTTP_APIs_waffleMetricDifferences: + additionalProperties: false properties: - allow_edit: - items: - type: string - maxItems: 1000 - type: array - auth_type: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: enum: - - none - - user_pass - - ssl - - kerberos + - differences type: string - broker_timeout: - type: number - ca_sha256: - nullable: true + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting type: string - ca_trusted_fingerprint: - nullable: true + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting type: string - client_id: + required: + - operation + - of + title: Differences Operation + type: object + Kibana_HTTP_APIs_waffleMetricFormula: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + 
filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + formula: + description: Formula type: string - compression: + label: + description: Label for the operation + type: string + operation: enum: - - gzip - - snappy - - lz4 - - none + - formula type: string - compression_level: - nullable: true - type: number - config_yaml: - nullable: true + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting type: string - connection_type: + time_scale: + description: Time scale enum: - - plaintext - - encryption + - s + - m + - h + - d type: string - hash: - additionalProperties: true - type: object - properties: - hash: - type: string - random: - type: boolean - headers: - items: - additionalProperties: true - type: object - properties: - key: - type: string - value: - type: string - required: - - key - - value - maxItems: 100 - type: array - hosts: - items: - type: string - maxItems: 10 - minItems: 1 - type: array - id: + required: + - operation + - formula + title: Formula Operation + type: object + Kibana_HTTP_APIs_waffleMetricLastValue: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric type: string - is_default: - default: false - type: boolean - is_default_monitoring: + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + multi_value: default: false + description: Whether to return all values for multi-value fields. Only affects data table and metric charts; other charts use the last value from the array. 
type: boolean - is_internal: - type: boolean - is_preconfigured: - type: boolean - key: + operation: + enum: + - last_value type: string - name: + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting type: string - otel_disable_beatsauth: - nullable: true - type: boolean - otel_exporter_config_yaml: - nullable: true + time_field: + description: Time field used to determine document recency type: string - partition: + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + - time_field + title: Last Value Operation + type: object + Kibana_HTTP_APIs_waffleMetricMovingAverage: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: enum: - - random - - round_robin - - hash + - moving_average type: string - password: - nullable: true + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting type: string - proxy_id: - nullable: true + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting type: string - random: - additionalProperties: true - type: object - properties: - group_events: - type: number - required_acks: + window: + default: 5 + description: Window + type: number + required: + - operation + - of + title: Moving Average Operation + type: object + Kibana_HTTP_APIs_waffleMetricPercentile: + 
additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: enum: - - 1 - - 0 - - -1 - type: integer - round_robin: - additionalProperties: true - type: object - properties: - group_events: - type: number - sasl: - additionalProperties: true - nullable: true - type: object - properties: - mechanism: - enum: - - PLAIN - - SCRAM-SHA-256 - - SCRAM-SHA-512 - type: string - secrets: - additionalProperties: true - type: object - properties: - password: - anyOf: - - additionalProperties: true - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: true - type: object - properties: - key: - anyOf: - - additionalProperties: true - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - required: - - key - shipper: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' - nullable: true - ssl: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' - nullable: true - timeout: + - percentile + type: string + percentile: + default: 95 + description: Percentile type: number - topic: + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting type: string - type: + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Percentile Operation + type: object + Kibana_HTTP_APIs_waffleMetricPercentileRanks: + 
additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: enum: - - kafka + - percentile_rank type: string - username: - nullable: true + rank: + default: 0 + description: Percentile Rank + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting type: string - version: + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting type: string required: - - name - - type - - hosts - - auth_type - title: output_kafka + - field + - operation + title: Percentile Ranks Operation type: object - Kibana_HTTP_APIs_output_logstash: - additionalProperties: true + Kibana_HTTP_APIs_waffleMetricStatsMetric: + additionalProperties: false properties: - allow_edit: - items: - type: string - maxItems: 1000 - type: array - ca_sha256: - nullable: true + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric type: string - ca_trusted_fingerprint: - nullable: true + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string - config_yaml: - nullable: true + operation: + enum: + - min + - max + - average + - median + - standard_deviation type: string - hosts: - items: - type: string - maxItems: 10 - minItems: 1 - type: array - id: + 
reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting type: string - is_default: + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Stats Metric Operation + type: object + Kibana_HTTP_APIs_waffleMetricSumMetric: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + empty_as_null: default: false + description: When `true`, treats empty buckets as null instead of zero. type: boolean - is_default_monitoring: + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Sum Metric Operation + type: object + Kibana_HTTP_APIs_waffleMetricUniqueCountMetric: + additionalProperties: false + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + empty_as_null: default: false + description: When `true`, treats empty buckets as null instead of zero. 
type: boolean - is_internal: + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - unique_count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Unique Count Metric Operation + type: object + Kibana_HTTP_APIs_waffleNoESQL: + additionalProperties: false + description: Waffle chart configuration for standard queries + properties: + data_source: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' + description: + type: string + drilldowns: + items: + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. 
+ type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + group_by: + description: Array of breakdown dimensions (minimum 1) + items: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleGroupByDateHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleGroupByTerms' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleGroupByHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleGroupByRanges' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleGroupByFilters' + maxItems: 100 + minItems: 1 + type: array + hide_border: type: boolean - is_preconfigured: + hide_title: type: boolean - name: - type: string - otel_disable_beatsauth: - nullable: true + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. 
type: boolean - otel_exporter_config_yaml: - nullable: true - type: string - proxy_id: - nullable: true + legend: + $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleLegend' + metrics: + description: Array of metric configurations (minimum 1) + items: + anyOf: + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleMetricCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleMetricUniqueCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleMetricStatsMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleMetricSumMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleMetricLastValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleMetricPercentile' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleMetricPercentileRanks' + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleMetricDifferences' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleMetricMovingAverage' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleMetricCumulativeSum' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleMetricCounterRate' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleMetricFormula' + maxItems: 100 + minItems: 1 + type: array + query: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). 
+ maximum: 1 + minimum: 0 + type: number + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_waffleStyling' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: type: string - secrets: - additionalProperties: true - type: object - properties: - ssl: - additionalProperties: true - type: object - properties: - key: - anyOf: - - additionalProperties: true - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - shipper: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' - nullable: true - ssl: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' - nullable: true type: enum: - - logstash + - waffle type: string required: - - name - type - - hosts - title: output_logstash + - data_source + - metrics + title: Waffle Chart (DSL) type: object - Kibana_HTTP_APIs_output_remote_elasticsearch: - additionalProperties: true + Kibana_HTTP_APIs_waffleStyling: + additionalProperties: false + description: Visual chart styling options properties: - allow_edit: + values: + $ref: '#/components/schemas/Kibana_HTTP_APIs_valueDisplay' + title: Waffle styling + type: object + Kibana_HTTP_APIs_WiredStreamUpsertRequest: + additionalProperties: false + type: object + properties: + dashboards: items: type: string - maxItems: 1000 type: array - ca_sha256: - nullable: true - type: string - ca_trusted_fingerprint: - nullable: true - type: string - config_yaml: - nullable: true - type: string - hosts: + queries: items: - format: uri - type: string - maxItems: 10 - minItems: 1 - type: array - id: - type: string - is_default: - default: false - type: boolean - is_default_monitoring: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: - type: boolean - kibana_api_key: - nullable: true - type: string - kibana_url: - nullable: true - type: string - name: - type: string - otel_disable_beatsauth: - nullable: true - type: 
boolean - otel_exporter_config_yaml: - nullable: true - type: string - preset: - enum: - - balanced - - custom - - throughput - - scale - - latency - type: string - proxy_id: - nullable: true - type: string - secrets: - additionalProperties: true - type: object - properties: - service_token: - anyOf: - - additionalProperties: true + type: object + properties: + description: + type: string + esql: + type: object + properties: + query: + type: string + required: + - query + evidence: + items: + type: string + type: array + features: + items: type: object properties: - hash: - type: string id: type: string + run_id: + type: string required: - id - - type: string - ssl: - additionalProperties: true + type: array + id: + description: A non-empty string. + minLength: 1 + type: string + severity_score: + type: number + title: + description: A non-empty string. + minLength: 1 + type: string + type: + default: match + enum: + - match + - stats + type: string + required: + - id + - title + - description + - esql + type: array + rules: + items: + type: string + type: array + stream: + additionalProperties: false + type: object + properties: + description: + type: string + ingest: + additionalProperties: false type: object properties: - key: - anyOf: - - additionalProperties: true + failure_store: + $ref: '#/components/schemas/Kibana_HTTP_APIs_FailureStore' + lifecycle: + $ref: '#/components/schemas/Kibana_HTTP_APIs_IngestStreamLifecycle' + processing: + additionalProperties: false + type: object + properties: + steps: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamlangStep' + type: array + updated_at: {} + required: + - steps + settings: + additionalProperties: false + type: object + properties: + index.number_of_replicas: + additionalProperties: false type: object properties: - hash: - type: string - id: - type: string + value: + type: number required: - - id - - type: string - service_token: - nullable: true - type: string - shipper: - allOf: - - $ref: 
'#/components/schemas/Kibana_HTTP_APIs_output_shipper' - nullable: true - ssl: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' - nullable: true - sync_integrations: - type: boolean - sync_uninstalled_integrations: - type: boolean - type: - enum: - - remote_elasticsearch - type: string - write_to_logs_streams: - nullable: true - type: boolean + - value + index.number_of_shards: + additionalProperties: false + type: object + properties: + value: + type: number + required: + - value + index.refresh_interval: + additionalProperties: false + type: object + properties: + value: + anyOf: + - type: string + - enum: + - -1 + type: number + required: + - value + wired: + additionalProperties: false + type: object + properties: + draft: + type: boolean + fields: + $ref: '#/components/schemas/Kibana_HTTP_APIs_FieldDefinition' + routing: + items: + type: object + properties: + destination: + description: A non-empty string. + minLength: 1 + type: string + draft: + type: boolean + status: + enum: + - enabled + - disabled + type: string + where: + $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition' + required: + - destination + - where + type: array + required: + - fields + - routing + required: + - lifecycle + - processing + - settings + - failure_store + - wired + query_streams: + items: + type: object + properties: + name: + type: string + required: + - name + type: array + type: + enum: + - wired + type: string + required: + - description + - ingest + - type required: - - name - - type - - hosts - title: output_remote_elasticsearch - type: object - Kibana_HTTP_APIs_output_shipper: - additionalProperties: true + - dashboards + - rules + - queries + - stream + Kibana_HTTP_APIs_xpack-ml-anomaly-detection-alert-create-rule-body-alerting: + additionalProperties: false properties: - compression_level: - nullable: true - type: number - disk_queue_compression_enabled: - nullable: true - type: boolean - disk_queue_enabled: - default: false - nullable: true - 
type: boolean - disk_queue_encryption_enabled: - nullable: true - type: boolean - disk_queue_max_size: - nullable: true - type: number - disk_queue_path: - nullable: true + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string - loadbalance: - nullable: true + enabled: + default: true + description: Indicates whether you want the rule to run on an interval basis after it is created. type: boolean - max_batch_bytes: - nullable: true - type: number - mem_queue_events: + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' nullable: true - type: number - queue_flush_timeout: + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how frequently rule actions are triggered. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval nullable: true - type: number - required: - - disk_queue_path - - disk_queue_max_size - - disk_queue_encryption_enabled - - disk_queue_compression_enabled - - compression_level - - loadbalance - - mem_queue_events - - queue_flush_timeout - - max_batch_bytes - title: output_shipper - type: object - Kibana_HTTP_APIs_output_ssl: - additionalProperties: true - properties: - certificate: type: string - certificate_authorities: + params: + additionalProperties: false + description: The parameters for the anomaly detection rule. These parameters are appropriate when `rule_type_id` is `xpack.ml.anomaly_detection_alert"`. 
+ properties: + includeInterim: + default: true + type: boolean + jobSelection: + additionalProperties: false + type: object + properties: + groupIds: + default: [] + items: + type: string + type: array + jobIds: + default: [] + items: + type: string + type: array + kqlQueryString: + nullable: true + type: string + lookbackInterval: + nullable: true + type: string + resultType: + enum: + - record + - bucket + - influencer + type: string + severity: + maximum: 100 + minimum: 0 + type: number + topNBuckets: + minimum: 1 + nullable: true + type: number + required: + - jobSelection + - severity + - resultType + - lookbackInterval + - topNBuckets + - kqlQueryString + title: Anomaly Detection Rule Params + type: object + rule_type_id: + enum: + - xpack.ml.anomaly_detection_alert + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. items: type: string - maxItems: 10 type: array - key: - type: string - verification_mode: - enum: - - full - - none - - certificate - - strict + throttle: + description: Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how frequently rule actions are triggered. You cannot specify the throttle interval at both the rule and action level. If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. 
+ nullable: true type: string - title: output_ssl + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Anomaly detection type: object - Kibana_HTTP_APIs_package_icon: + Kibana_HTTP_APIs_xpack-ml-anomaly-detection-jobs-health-create-rule-body-alerting: additionalProperties: false properties: - dark_mode: - type: boolean - path: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string - size: + enabled: + default: true + description: Indicates whether you want the rule to run on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. type: string - src: + notify_when: + description: 'Indicates how frequently rule actions are triggered. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true type: string - title: + params: + additionalProperties: false + description: The parameters for the anomaly detection jobs health rule. These parameters are appropriate when `rule_type_id` is `xpack.ml.anomaly_detection_jobs_health"`. + properties: + excludeJobs: + additionalProperties: false + nullable: true + type: object + properties: + groupIds: + default: [] + items: + type: string + type: array + jobIds: + default: [] + items: + type: string + type: array + includeJobs: + additionalProperties: false + type: object + properties: + groupIds: + default: [] + items: + type: string + type: array + jobIds: + default: [] + items: + type: string + type: array + testsConfig: + additionalProperties: false + nullable: true + type: object + properties: + behindRealtime: + additionalProperties: false + nullable: true + type: object + properties: + enabled: + default: true + type: boolean + timeInterval: + nullable: true + type: string + required: + - timeInterval + datafeed: + additionalProperties: false + nullable: true + type: object + properties: + enabled: + default: true + type: boolean + delayedData: + additionalProperties: false + nullable: true + type: object + properties: + docsCount: + minimum: 1 + nullable: true + type: number + enabled: + default: true + 
type: boolean + timeInterval: + nullable: true + type: string + required: + - docsCount + - timeInterval + errorMessages: + additionalProperties: false + nullable: true + type: object + properties: + enabled: + default: true + type: boolean + mml: + additionalProperties: false + nullable: true + type: object + properties: + enabled: + default: true + type: boolean + required: + - datafeed + - mml + - delayedData + - behindRealtime + - errorMessages + required: + - includeJobs + - excludeJobs + - testsConfig + title: Anomaly Detection Jobs Health Rule Params + type: object + rule_type_id: + enum: + - xpack.ml.anomaly_detection_jobs_health type: string - type: + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how frequently rule actions are triggered. You cannot specify the throttle interval at both the rule and action level. If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. 
+ nullable: true type: string required: - - src - title: package_icon + - name + - consumer + - schedule + - rule_type_id + - params + title: Anomaly detection jobs health type: object - Kibana_HTTP_APIs_package_list_item: - additionalProperties: true + Kibana_HTTP_APIs_xpack-synthetics-alerts-monitorstatus-create-rule-body-alerting: + additionalProperties: false properties: - categories: + actions: + default: [] items: - type: string - maxItems: 100 + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' type: array - conditions: - additionalProperties: true + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. type: object properties: - deprecated: - $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' - elastic: - additionalProperties: true + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false type: object properties: - capabilities: - items: - type: string - maxItems: 10 - type: array - subscription: + blob: + maxLength: 10000 type: string - kibana: - additionalProperties: true + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want the rule to run on an interval basis after it is created. 
+ type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how frequently rule actions are triggered. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the synthetics monitor status rule. These parameters are appropriate when `rule_type_id` is `xpack.synthetics.alerts.monitorStatus`. 
+ properties: + condition: + additionalProperties: false type: object properties: - version: + alertOnNoData: + type: boolean + downThreshold: + type: number + groupBy: + type: string + includeRetests: + type: boolean + locationsThreshold: + type: number + recoveryStrategy: + enum: + - firstUp + - conditionNotMet type: string + window: + anyOf: + - additionalProperties: false + type: object + properties: + time: + additionalProperties: false + type: object + properties: + size: + default: 5 + type: number + unit: + default: m + enum: + - s + - m + - h + - d + type: string + required: + - time + - additionalProperties: false + type: object + properties: + numberOfChecks: + default: 5 + maximum: 100 + minimum: 1 + type: number + required: + - window + kqlQuery: + type: string + locations: + items: + type: string + type: array + monitorIds: + items: + type: string + type: array + monitorTypes: + items: + type: string + type: array + projects: + items: + type: string + type: array + tags: + items: + type: string + type: array + title: Synthetics Monitor Status Rule Params + type: object + rule_type_id: + enum: + - xpack.synthetics.alerts.monitorStatus + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string required: - - deprecated - data_streams: + - interval + tags: + default: [] + description: The tags for the rule. items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 + type: string type: array - deprecated: - $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' - description: + throttle: + description: Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how frequently rule actions are triggered. 
You cannot specify the throttle interval at both the rule and action level. If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. + nullable: true type: string - discovery: - additionalProperties: true + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Synthetics monitor status + type: object + Kibana_HTTP_APIs_xpack-synthetics-alerts-tls-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. type: object properties: - datasets: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: items: - additionalProperties: true + additionalProperties: false type: object properties: - name: + id: type: string required: - - name - maxItems: 100 + - id + maxItems: 10 type: array - fields: + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want the rule to run on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. 
While this name does not have to be unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: 'Indicates how frequently rule actions are triggered. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the synthetics tls rule. These parameters are appropriate when `rule_type_id` is `xpack.synthetics.alerts.tls`. + properties: + certAgeThreshold: + type: number + certExpirationThreshold: + type: number + kqlQuery: + type: string + locations: items: - additionalProperties: true - type: object - properties: - name: - type: string - required: - - name - maxItems: 100 + type: string type: array - download: - type: string - format_version: + monitorIds: + items: + type: string + type: array + monitorTypes: + items: + type: string + type: array + projects: + items: + type: string + type: array + search: + type: string + tags: + items: + type: string + type: array + title: Synthetics TLS Rule Params + type: object + rule_type_id: + enum: + - xpack.synthetics.alerts.tls type: string - icons: + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. 
+ type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. items: - $ref: '#/components/schemas/Kibana_HTTP_APIs_package_icon' - maxItems: 100 + type: string type: array - id: + throttle: + description: Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how frequently rule actions are triggered. You cannot specify the throttle interval at both the rule and action level. If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. + nullable: true type: string - installationInfo: - $ref: '#/components/schemas/Kibana_HTTP_APIs_installation_info' - integration: + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Synthetics TLS + type: object + Kibana_HTTP_APIs_xpack-uptime-alerts-durationanomaly-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. 
For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string - internal: + enabled: + default: true + description: Indicates whether you want the rule to run on an interval basis after it is created. type: boolean - latestVersion: - type: string + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. type: string - owner: - additionalProperties: true - type: object + notify_when: + description: 'Indicates how frequently rule actions are triggered. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the uptime duration anomaly rule. These parameters are appropriate when `rule_type_id` is `xpack.uptime.alerts.durationAnomaly`. 
properties: - github: + monitorId: type: string - type: - enum: - - elastic - - partner - - community + severity: + type: number + stackVersion: type: string - path: + required: + - monitorId + - severity + title: Uptime Duration Anomaly Rule Params + type: object + rule_type_id: + enum: + - xpack.uptime.alerts.durationAnomaly type: string - policy_templates: + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 + type: string type: array - readme: - type: string - release: - enum: - - ga - - beta - - experimental - type: string - signature_path: + throttle: + description: Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how frequently rule actions are triggered. You cannot specify the throttle interval at both the rule and action level. If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. + nullable: true type: string - source: - additionalProperties: true + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Uptime duration anomaly + type: object + Kibana_HTTP_APIs_xpack-uptime-alerts-monitorstatus-create-rule-body-alerting: + additionalProperties: false + properties: + actions: + default: [] + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' + type: array + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. 
type: object properties: - license: - type: string + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number required: - - license - status: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: + additionalProperties: false + type: object + properties: + id: + type: string + required: + - id + maxItems: 10 + type: array + investigation_guide: + additionalProperties: false + type: object + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string - title: + enabled: + default: true + description: Indicates whether you want the rule to run on an interval basis after it is created. + type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true + name: + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. type: string - type: - anyOf: - - enum: - - integration - type: string - - enum: - - input - type: string - - enum: - - content - type: string - - type: string - var_groups: - items: - additionalProperties: true - type: object - properties: - description: - type: string - name: - type: string - options: - items: - additionalProperties: true + notify_when: + description: 'Indicates how frequently rule actions are triggered. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: false + description: The parameters for the uptime monitor status rule. These parameters are appropriate when `rule_type_id` is `xpack.uptime.alerts.monitorStatus`. + properties: + availability: + additionalProperties: false + type: object + properties: + range: + type: number + rangeUnit: + type: string + threshold: + type: string + required: + - range + - rangeUnit + - threshold + filters: + anyOf: + - additionalProperties: false type: object properties: - description: - type: string - hide_in_deployment_modes: + monitor.type: items: - enum: - - default - - agentless type: string - maxItems: 2 type: array - name: - type: string - title: - type: string - vars: + observer.geo.name: items: type: string - maxItems: 100 type: array - required: - - name - - title - - vars - maxItems: 100 - type: array - selector_title: - type: string - title: + tags: + items: + type: string + type: array + url.port: + items: + type: string + type: array + - type: string + isAutoGenerated: + type: boolean + locations: + items: type: string - required: - - name - - title - - selector_title - - options - maxItems: 100 - type: array - vars: - items: - additionalProperties: - nullable: true - type: object - maxItems: 1000 - type: array - 
version: - type: string - required: - - installationInfo - - name - - version - - title - - deprecated - - id - title: package_list_item - type: object - Kibana_HTTP_APIs_package_metadata: - additionalProperties: false - properties: - has_policies: - type: boolean - required: - - has_policies - title: package_metadata - type: object - x-oas-optional: true - Kibana_HTTP_APIs_package_policy_package: - additionalProperties: false - properties: - experimental_data_stream_features: + type: array + numTimes: + type: number + search: + type: string + shouldCheckAvailability: + type: boolean + shouldCheckStatus: + type: boolean + stackVersion: + type: string + timerange: + additionalProperties: false + type: object + properties: + from: + type: string + to: + type: string + required: + - from + - to + timerangeCount: + type: number + timerangeUnit: + type: string + version: + type: number + required: + - numTimes + - shouldCheckStatus + - shouldCheckAvailability + title: Uptime Monitor Status Rule Params + type: object + rule_type_id: + enum: + - xpack.uptime.alerts.monitorStatus + type: string + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. 
items: - additionalProperties: false - type: object - properties: - data_stream: - type: string - features: - additionalProperties: false - type: object - properties: - doc_value_only_numeric: - type: boolean - doc_value_only_other: - type: boolean - synthetic_source: - type: boolean - tsdb: - type: boolean - required: - - data_stream - - features - maxItems: 100 + type: string type: array - fips_compatible: - type: boolean - name: - description: Package name - type: string - requires_root: - type: boolean - title: - type: string - version: - description: Package version + throttle: + description: Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how frequently rule actions are triggered. You cannot specify the throttle interval at both the rule and action level. If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. + nullable: true type: string required: - name - - version - title: package_policy_package + - consumer + - schedule + - rule_type_id + - params + title: Uptime monitor status type: object - x-oas-optional: true - Kibana_HTTP_APIs_package_policy_response: + Kibana_HTTP_APIs_xpack-uptime-alerts-tlscertificate-create-rule-body-alerting: additionalProperties: false properties: - additional_datastreams_permissions: - description: >- - Additional datastream permissions, that will be added to the agent - policy. + actions: + default: [] items: - type: string - maxItems: 1000 - nullable: true + $ref: '#/components/schemas/Kibana_HTTP_APIs_new_rule_action' type: array - agents: - type: number - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. - nullable: true - type: string - cloud_connector_name: - description: Transient field for cloud connector name during creation. 
- maxLength: 255 - minLength: 1 - nullable: true - type: string - condition: - description: >- - **Experimental.** Agent condition expression to evaluate whether to - apply this integration to its inputs. - type: string - created_at: - type: string - created_by: - type: string - description: - description: Package policy description - type: string - elasticsearch: - additionalProperties: true + alert_delay: + additionalProperties: false + description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. type: object properties: - privileges: - additionalProperties: true - type: object - properties: - cluster: - items: - type: string - maxItems: 100 - type: array - enabled: - type: boolean - global_data_tags: - items: - additionalProperties: false - type: object - properties: - name: - description: The name of the custom field. Cannot contain spaces. - type: string - value: - anyOf: - - type: string - - type: number - description: The value of the custom field. - required: - - name - - value - maxItems: 100 - nullable: true - type: array - id: - type: string - inputs: - anyOf: - - items: + active: + description: The number of consecutive runs that must meet the rule conditions. + type: number + required: + - active + artifacts: + additionalProperties: false + type: object + properties: + dashboards: + items: additionalProperties: false type: object properties: - compiled_input: - nullable: true - condition: - description: >- - **Experimental.** Agent condition expression to evaluate - whether to apply this input. 
- type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation for more - information) - type: object - deprecated: - $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' - enabled: - type: boolean id: type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - condition: - description: >- - **Experimental.** Agent condition expression to - evaluate whether to apply this stream. - type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation for - more information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_deprecation_info - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: >- - Variable group selections. Maps var_group name to - the selected option name within that group. 
- type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation for - more information) - type: object - required: - - enabled - - data_stream - - compiled_stream - - deprecated - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: >- - Variable group selections. Maps var_group name to the - selected option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation for more - information) - type: object required: - - type - - enabled - - streams - - deprecated - - compiled_input - maxItems: 100 + - id + maxItems: 10 type: array - - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: >- - **Experimental.** Agent condition expression to evaluate - whether to apply this input. - type: string - deprecated: - $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' - enabled: - description: >- - Enable or disable that input. Defaults to `true` - (enabled). - type: boolean - streams: - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: >- - **Experimental.** Agent condition expression to - evaluate whether to apply this stream. - type: string - deprecated: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_deprecation_info - enabled: - description: >- - Enable or disable that stream. Defaults to `true` - (enabled). - type: boolean - var_group_selections: - additionalProperties: - type: string - description: >- - Variable group selections. 
Maps var_group name to - the selected option name within that group. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: >- - Input/stream level variable. Refer to the - integration documentation for more information. - type: object - required: - - deprecated - description: >- - Input streams. Refer to the integration documentation to - know which streams are available. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: >- - Input/stream level variable. Refer to the integration - documentation for more information. - type: object - required: - - deprecated - description: >- - Package policy inputs. Refer to the integration documentation to - know which inputs are available. + investigation_guide: + additionalProperties: false type: object - x-oas-optional: true - description: Package policy inputs. - is_managed: + properties: + blob: + maxLength: 10000 + type: string + required: + - blob + consumer: + description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' + type: string + enabled: + default: true + description: Indicates whether you want the rule to run on an interval basis after it is created. 
type: boolean + flapping: + allOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_rule_flapping' + nullable: true name: - description: Unique name for the package policy. + description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. type: string - namespace: - description: >- - The package policy namespace. Leave blank to inherit the agent - policy's namespace. - type: string - output_id: + notify_when: + description: 'Indicates how frequently rule actions are triggered. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. You cannot specify `notify_when` at both the rule and action level. The recommended approach is to set it for each action individually. If you set `notify_when` at the rule level and then edit the rule, it will automatically be converted to action-specific values.' + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval nullable: true type: string - overrides: + params: additionalProperties: false - description: >- - Override settings that are defined in the package policy. The - override option should be used only in unusual circumstances and not - as a routine procedure. - nullable: true - type: object + description: The parameters for the uptime tls rule. These parameters are appropriate when `rule_type_id` is `xpack.uptime.alerts.tlsCertificate`. 
properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_package' - package_agent_version_condition: - type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. - nullable: true + certAgeThreshold: + type: number + certExpirationThreshold: + type: number + search: + type: string + stackVersion: + type: string + title: Uptime TLS Rule Params + type: object + rule_type_id: + enum: + - xpack.uptime.alerts.tlsCertificate type: string - policy_ids: + schedule: + additionalProperties: false + description: The check interval, which specifies how frequently the rule conditions are checked. + type: object + properties: + interval: + description: The interval is specified in seconds, minutes, hours, or days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. items: - description: >- - IDs of the agent policies which that package policy will be added - to. type: string - maxItems: 1000 - type: array - revision: - description: Package policy revision. - type: number - secret_references: - items: - additionalProperties: false - type: object - properties: - id: - type: string - required: - - id - maxItems: 1000 type: array - spaceIds: + throttle: + description: Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how frequently rule actions are triggered. You cannot specify the throttle interval at both the rule and action level. If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values. 
+ nullable: true + type: string + required: + - name + - consumer + - schedule + - rule_type_id + - params + title: Uptime TLS certificate + type: object + Kibana_HTTP_APIs_xyAnnotationByRefLayer: + additionalProperties: false + description: Reference to a library annotation group + properties: + group_id: + description: ID of the linked annotation group from the library + type: string + type: + enum: + - annotation_group + type: string + required: + - type + - group_id + title: Annotation Layer (By Reference) + type: object + Kibana_HTTP_APIs_xyAnnotationLayerNoESQL: + additionalProperties: false + description: Layer containing annotations (query-based, points, and ranges) + properties: + data_source: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' + events: + description: Array of annotation configurations items: - type: string + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyAnnotationQuery' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyAnnotationManualEvent' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyAnnotationManualRange' maxItems: 100 + minItems: 1 type: array - supports_agentless: - default: false - description: >- - Indicates whether the package policy belongs to an agentless agent - policy. - nullable: true - type: boolean - supports_cloud_connector: + ignore_global_filters: default: false - description: Indicates whether the package policy supports cloud connectors. - nullable: true + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. type: boolean - updated_at: - type: string - updated_by: + type: + enum: + - annotations type: string - var_group_selections: - additionalProperties: - type: string - description: >- - Variable group selections. Maps var_group name to the selected - option name within that group. 
- type: object - vars: - anyOf: - - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation for more - information) - type: object - - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: >- - Input/stream level variable. Refer to the integration - documentation for more information. - type: object - x-oas-optional: true - description: Package level variable. - version: - description: Package policy ES version. + required: + - type + - data_source + - events + title: Annotation Layer (DSL) + type: object + Kibana_HTTP_APIs_xyAnnotationManualEvent: + additionalProperties: false + description: Manual point annotation at specific timestamp + properties: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + icon: + description: Icon to display at the annotation point + enum: + - asterisk + - alert + - bell + - bolt + - bug + - circle + - editor_comment + - flag + - heart + - map_marker + - pin_filled + - star_empty + - star_filled + - tag + - triangle + type: string + label: + description: Label text for the annotation + type: string + line: + additionalProperties: false + description: Vertical line configuration for point annotation + type: object + properties: + stroke_dash: + description: Vertical line style + enum: + - solid + - dashed + - dotted + type: string + stroke_width: + description: Vertical line width in pixels + maximum: 10 + minimum: 1 + type: number + required: + 
- stroke_width + - stroke_dash + text: + additionalProperties: false + description: Annotation text label visibility + type: object + properties: + visible: + description: Show text label on the annotation + type: boolean + required: + - visible + timestamp: + anyOf: + - description: Unix timestamp in milliseconds + type: number + - description: ISO date string + type: string + type: + enum: + - point type: string + visible: + description: Show the annotation + type: boolean required: - - name - - enabled - - package - - inputs - - revision - - updated_at - - updated_by - - created_at - - created_by - title: package_policy_response + - type + - timestamp + title: xyAnnotationManualEvent type: object - Kibana_HTTP_APIs_package_policy_status_response: + Kibana_HTTP_APIs_xyAnnotationManualRange: additionalProperties: false + description: Manual range annotation spanning time interval properties: - body: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + fill: + description: Fill direction for range + enum: + - inside + - outside + type: string + interval: additionalProperties: false + description: Time range for annotation type: object properties: - message: - type: string + from: + anyOf: + - description: Unix timestamp in milliseconds + type: number + - description: ISO date string + type: string + to: + anyOf: + - description: Unix timestamp in milliseconds + type: number + - description: ISO date string + type: string required: - - message - id: + - from + - to + label: + description: Label text for the annotation type: string - name: + type: + enum: + - range type: string - statusCode: - type: number - success: + visible: + description: Show the annotation type: boolean required: - - id - - success - title: package_policy_status_response + - type + - interval + title: xyAnnotationManualRange type: object - Kibana_HTTP_APIs_reauthorize_transform_request: + 
Kibana_HTTP_APIs_xyAnnotationQuery: additionalProperties: false + description: Annotation from query results matching a filter properties: - transforms: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + extra_fields: + description: Additional fields for annotation tooltip items: - additionalProperties: false - type: object - properties: - transformId: - type: string - required: - - transformId - maxItems: 1000 + description: Additional field to include in tooltip + type: string + maxItems: 100 type: array + icon: + description: Icon to display at the annotation point + enum: + - asterisk + - alert + - bell + - bolt + - bug + - circle + - editor_comment + - flag + - heart + - map_marker + - pin_filled + - star_empty + - star_filled + - tag + - triangle + type: string + label: + description: Label text for the annotation + type: string + line: + additionalProperties: false + description: Vertical line configuration for point annotation + type: object + properties: + stroke_dash: + description: Vertical line style + enum: + - solid + - dashed + - dotted + type: string + stroke_width: + description: Vertical line width in pixels + maximum: 10 + minimum: 1 + type: number + required: + - stroke_width + - stroke_dash + query: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + text: + additionalProperties: false + description: Annotation text label configuration + type: object + properties: + field: + description: Field name for text label source + type: string + visible: + description: Show text label on the annotation + type: boolean + required: + - visible + time_field: + description: Field containing the timestamp + type: string + type: + enum: + - query + type: string + visible: + description: Show the annotation + type: boolean required: - - transforms - title: reauthorize_transform_request + - type + - query + - time_field + title: xyAnnotationQuery type: object - 
Kibana_HTTP_APIs_review_upgrade_request: + Kibana_HTTP_APIs_xyBreakdownDateHistogram: additionalProperties: false properties: - action: + aggregate_first: + description: When `true`, aggregates data before splitting into series. Defaults to `false`. + type: boolean + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + drop_partial_intervals: + description: When `true`, drops partial intervals from the results. + type: boolean + field: + description: Field to be used for the date histogram. + type: string + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. + type: boolean + label: + description: Label for the operation + type: string + operation: enum: - - accept - - decline - - pending + - date_histogram type: string - target_version: + suggested_interval: + default: auto + description: Suggested time interval. type: string + use_original_time_range: + default: false + description: When `true`, uses the original time range instead of the current query time range. + type: boolean required: - - action - - target_version - title: review_upgrade_request + - operation + - field + title: Date Histogram Operation type: object - Kibana_HTTP_APIs_review_upgrade_response: + Kibana_HTTP_APIs_xyBreakdownFilters: additionalProperties: false properties: - success: + aggregate_first: + description: When `true`, aggregates data before splitting into series. Defaults to `false`. 
type: boolean + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + filters: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterWithLabel' + maxItems: 100 + type: array + label: + description: Label for the operation + type: string + operation: + enum: + - filters + type: string required: - - success - title: review_upgrade_response + - operation + - filters + title: Filters Operation type: object - Kibana_HTTP_APIs_rollback_package_response: + Kibana_HTTP_APIs_xyBreakdownHistogram: additionalProperties: false properties: - success: + aggregate_first: + description: When `true`, aggregates data before splitting into series. Defaults to `false`. type: boolean - version: + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + field: + description: Field to be used for the histogram. + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + granularity: + anyOf: + - description: Granularity of the histogram. + maximum: 7 + minimum: 1 + type: number + - enum: + - auto + type: string + default: auto + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. + type: boolean + label: + description: Label for the operation + type: string + operation: + enum: + - histogram type: string required: - - version - - success - title: rollback_package_response + - operation + - field + title: Histogram Operation type: object - Kibana_HTTP_APIs_simplified_create_package_policy_request: + Kibana_HTTP_APIs_xyBreakdownRanges: additionalProperties: false properties: - additional_datastreams_permissions: - description: >- - Additional datastream permissions, that will be added to the agent - policy. + aggregate_first: + description: When `true`, aggregates data before splitting into series. Defaults to `false`. 
+ type: boolean + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + field: + description: Field to be used for the range. + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - range + type: string + ranges: items: - type: string + additionalProperties: false + type: object + properties: + gt: + description: Greater than. + type: number + label: + description: Label. + type: string + lte: + description: Less than or equal to. + type: number maxItems: 100 - nullable: true type: array - cloud_connector: + required: + - operation + - field + - ranges + title: Ranges Operation + type: object + Kibana_HTTP_APIs_xyBreakdownTerms: + additionalProperties: false + properties: + aggregate_first: + description: When `true`, aggregates data before splitting into series. Defaults to `false`. + type: boolean + collapse_by: + $ref: '#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + excludes: additionalProperties: false type: object properties: - cloud_connector_id: - description: >- - ID of an existing cloud connector to reuse. If not provided, a - new connector will be created. - type: string - enabled: - default: false - description: Whether cloud connectors are enabled for this policy. + as_regex: + description: When `true`, treats the values as regular expressions. type: boolean - name: - description: >- - Optional name for the cloud connector. If not provided, will be - auto-generated from credentials. - maxLength: 255 - minLength: 1 - type: string - target_csp: - description: >- - Target cloud service provider. If not provided, will be - auto-detected from inputs. 
- enum: - - aws - - azure - - gcp - type: string - condition: - description: >- - **Experimental.** Agent condition expression to evaluate whether to - apply this integration to its inputs. + values: + items: + description: Values to exclude. + type: string + maxItems: 100 + type: array + required: + - values + fields: + items: + description: Fields to be used for the terms. + type: string + maxItems: 4 + minItems: 1 + type: array + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + includes: + additionalProperties: false + type: object + properties: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to include. + type: string + maxItems: 100 + type: array + required: + - values + increase_accuracy: + description: When `true`, increases accuracy at the cost of performance. + type: boolean + label: + description: Label for the operation type: string + limit: + default: 5 + description: Number of terms to return. + type: number + operation: + enum: + - terms + type: string + other_bucket: + additionalProperties: false + type: object + properties: + include_documents_without_field: + description: When `true`, includes documents that do not have the specified field. 
+ type: boolean + required: + - include_documents_without_field + rank_by: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByAlphabetical' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByRare' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankBySignificant' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomCountOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileRankOperation' + required: + - operation + - fields + title: Terms Operation + type: object + Kibana_HTTP_APIs_xyChartESQL: + additionalProperties: false + description: XY chart configuration for ES|QL queries + properties: + axis: + $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_xy_axis_config' description: - description: Policy description. type: string - force: - description: >- - Force package policy creation even if the package is not verified, - or if the agent policy is managed. + drilldowns: + items: + anyOf: + - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. 
+ type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown + type: object + - additionalProperties: false + properties: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string + required: + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + hide_border: type: boolean - global_data_tags: + hide_title: + type: boolean + layers: + description: ES|QL chart layers items: - additionalProperties: false - type: object - properties: - name: - description: The name of the custom field. Cannot contain spaces. - type: string - value: - anyOf: - - type: string - - type: number - description: The value of the custom field. - required: - - name - - value + $ref: '#/components/schemas/Kibana_HTTP_APIs_xyLayerESQL' maxItems: 100 + minItems: 1 type: array - id: - description: Policy unique identifier. - type: string - inputs: - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: >- - **Experimental.** Agent condition expression to evaluate - whether to apply this input. 
- type: string - deprecated: - $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' - enabled: - description: Enable or disable that input. Defaults to `true` (enabled). - type: boolean - streams: - additionalProperties: - additionalProperties: false - type: object - properties: - condition: - description: >- - **Experimental.** Agent condition expression to evaluate - whether to apply this stream. - type: string - deprecated: - $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' - enabled: - description: >- - Enable or disable that stream. Defaults to `true` - (enabled). - type: boolean - var_group_selections: - additionalProperties: - type: string - description: >- - Variable group selections. Maps var_group name to the - selected option name within that group. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: >- - Input/stream level variable. Refer to the integration - documentation for more information. - type: object - required: - - deprecated - description: >- - Input streams. Refer to the integration documentation to know - which streams are available. - type: object - vars: - additionalProperties: - anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - - additionalProperties: false - type: object - properties: - id: - type: string - isSecretRef: - type: boolean - required: - - id - - isSecretRef - nullable: true - description: >- - Input/stream level variable. Refer to the integration - documentation for more information. 
- type: object - required: - - deprecated - description: >- - Package policy inputs. Refer to the integration documentation to - know which inputs are available. - type: object - name: - description: Unique name for the policy. + legend: + $ref: '#/components/schemas/Kibana_HTTP_APIs_xyLegend' + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_xyStyling' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: type: string - namespace: - description: >- - Policy namespace. When not specified, it inherits the agent policy - namespace. + type: + enum: + - xy type: string - package: - $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_package' - policy_template: - description: >- - The policy template to use for the agentless package policy. If not - provided, the default policy template will be used. + required: + - type + - layers + title: XY Chart (ES|QL) + type: object + Kibana_HTTP_APIs_xyChartNoESQL: + additionalProperties: false + description: XY chart configuration for DSL queries + properties: + axis: + $ref: '#/components/schemas/Kibana_HTTP_APIs_vis_api_xy_axis_config' + description: type: string - var_group_selections: - additionalProperties: - type: string - description: >- - Variable group selections. Maps var_group name to the selected - option name within that group. 
- type: object - vars: - additionalProperties: + drilldowns: + items: anyOf: - - type: string - - type: number - - type: boolean - - items: - type: string - maxItems: 100 - type: array - - items: - type: number - maxItems: 100 - type: array - additionalProperties: false + default: + open_in_new_tab: false + use_filters: true + use_time_range: true + properties: + dashboard_id: + type: string + label: + type: string + open_in_new_tab: + default: false + description: When enabled, the dashboard opens in a new browser tab. + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - dashboard_drilldown + type: string + use_filters: + default: true + description: When enabled, filters are passed to the opening dashboard. + type: boolean + use_time_range: + default: true + description: When enabled, time range is passed to the opening dashboard. + type: boolean + required: + - dashboard_id + - label + - trigger + - type + title: dashboard_drilldown + type: object + - additionalProperties: false + properties: + label: + type: string + open_in_new_tab: + default: true + type: boolean + trigger: + enum: + - on_apply_filter + type: string + type: + enum: + - discover_drilldown + type: string + required: + - label + - trigger + - type + title: discover_drilldown type: object + - additionalProperties: false properties: - id: + encode_url: + default: true + description: When true, URL is escaped using percent encoding + type: boolean + label: type: string - isSecretRef: + open_in_new_tab: + default: true type: boolean + trigger: + enum: + - on_click_row + - on_click_value + - on_open_panel_menu + - on_select_range + type: string + type: + enum: + - url_drilldown + type: string + url: + description: Templated Url. Variables documented at https://www.elastic.co/docs/explore-analyze/dashboards/drilldowns#url-template-variable + type: string required: - - id - - isSecretRef - nullable: true - description: >- - Input/stream level variable. 
Refer to the integration documentation - for more information. + - url + - label + - trigger + - type + title: url_drilldown + type: object + maxItems: 100 + type: array + filters: + $ref: '#/components/schemas/Kibana_HTTP_APIs_lensPanelFilters' + hide_border: + type: boolean + hide_title: + type: boolean + layers: + description: Chart layers + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_xyLayersNoESQL' + maxItems: 100 + minItems: 1 + type: array + legend: + $ref: '#/components/schemas/Kibana_HTTP_APIs_xyLegend' + query: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + references: + items: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-content-management-utils-referenceSchema' + type: array + styling: + $ref: '#/components/schemas/Kibana_HTTP_APIs_xyStyling' + time_range: + $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-es-query-server-timeRangeSchema' + title: + type: string + type: + enum: + - xy + type: string + required: + - type + - layers + title: XY Chart (DSL) + type: object + Kibana_HTTP_APIs_xyFitting: + additionalProperties: false + description: Missing data interpolation configuration for line and area series + properties: + emphasize: + description: Visually distinguish fitted segments with a dashed line style and reduced area opacity + type: boolean + extend: + description: How to render line and area edges when data does not cover the full X domain + enum: + - none + - zero + - nearest + type: string + type: + description: Fitting function type for missing data + enum: + - none + - zero + - linear + - carry + - lookahead + - average + - nearest + type: string + required: + - type + title: xyFitting + type: object + Kibana_HTTP_APIs_xyLayerESQL: + additionalProperties: false + description: Data layer for ES|QL queries with column references + properties: + breakdown_by: + additionalProperties: false + description: ES|QL column for breakdown + type: object + properties: + collapse_by: + $ref: 
'#/components/schemas/Kibana_HTTP_APIs_collapseBy' + color: + $ref: '#/components/schemas/Kibana_HTTP_APIs_colorMapping' + column: + description: Column to use + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + required: + - column + data_source: + $ref: '#/components/schemas/Kibana_HTTP_APIs_esqlDataSource' + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. + type: boolean + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). + maximum: 1 + minimum: 0 + type: number + type: + description: Chart type for the data layer + enum: + - area + - area_percentage + - area_stacked + - bar + - bar_horizontal + - bar_horizontal_stacked + - bar_horizontal_percentage + - bar_percentage + - bar_stacked + - line + type: string + x: + additionalProperties: false type: object + properties: + column: + description: Column to use + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + required: + - column + 'y': + description: Array of ES|QL columns for Y-axis metrics + items: + additionalProperties: false + description: ES|QL column for Y-axis metric + type: object + properties: + axis: + description: The Y axis this metric is plotted on. Values match the root axis configuration keys (axis.y, axis.y2). If omitted, defaults to the Y axis start (leading) side. 
+ enum: + - 'y' + - y2 + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + column: + description: Column to use + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + required: + - column + maxItems: 100 + type: array required: - - name - - package - title: simplified_create_package_policy_request + - data_source + - type + - 'y' + title: Layer (ES|QL) type: object - Kibana_HTTP_APIs_update_output_elasticsearch: + Kibana_HTTP_APIs_xyLayerNoESQL: additionalProperties: false + description: Data layer for standard queries with metrics and buckets properties: - allow_edit: + breakdown_by: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyBreakdownDateHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyBreakdownTerms' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyBreakdownHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyBreakdownRanges' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyBreakdownFilters' + data_source: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. + type: boolean + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). 
+ maximum: 1 + minimum: 0 + type: number + type: + description: Chart type for the data layer + enum: + - area + - area_percentage + - area_stacked + - bar + - bar_horizontal + - bar_horizontal_stacked + - bar_horizontal_percentage + - bar_percentage + - bar_stacked + - line + type: string + x: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyXDateHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyXTerms' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyXHistogram' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyXRanges' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyXFilters' + 'y': + description: Array of metrics to display on Y-axis items: - type: string - maxItems: 1000 + anyOf: + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyYCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyYUniqueCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyYStatsMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyYSumMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyYLastValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyYPercentile' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyYPercentileRanks' + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyYDifferences' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyYMovingAverage' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyYCumulativeSum' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyYCounterRate' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyYFormula' + maxItems: 100 type: array - ca_sha256: - nullable: true - type: string - ca_trusted_fingerprint: - nullable: true - type: string - config_yaml: - nullable: true + required: + - type + - data_source + - 'y' + title: Layer (DSL) + type: object + Kibana_HTTP_APIs_xyLayersESQL: + $ref: '#/components/schemas/Kibana_HTTP_APIs_xyLayerESQL' + description: XY chart layer types for ES|QL queries + title: xyLayersESQL + Kibana_HTTP_APIs_xyLayersNoESQL: + anyOf: + - $ref: 
'#/components/schemas/Kibana_HTTP_APIs_xyLayerNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyReferenceLineLayerNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyAnnotationLayerNoESQL' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyAnnotationByRefLayer' + description: XY chart layer types for DSL queries + title: xyLayersNoESQL + Kibana_HTTP_APIs_xyLegend: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyLegendOutsideHorizontal' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyLegendOutsideVertical' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyLegendInside' + description: Legend configuration for XY chart + title: Legend + Kibana_HTTP_APIs_xyLegendInside: + additionalProperties: false + description: Inside legend + properties: + columns: + description: Number of legend columns + maximum: 5 + minimum: 1 + type: number + layout: + additionalProperties: false + type: object + properties: + truncate: + additionalProperties: false + type: object + properties: + enabled: + description: Enable truncation of legend items + type: boolean + max_lines: + description: Number of lines before legend items are truncated. 
+ maximum: 10 + minimum: 1 + title: legendTruncateAfterLines + type: number + type: + enum: + - grid + type: string + required: + - type + placement: + enum: + - inside type: string - hosts: + position: + description: Legend position inside the chart + enum: + - top_left + - top_right + - bottom_left + - bottom_right + type: string + series_header: + $ref: '#/components/schemas/Kibana_HTTP_APIs_xyLegendSeriesHeader' + statistics: + description: Statistics to display in legend items: - format: uri + description: Statistical functions that can be displayed in chart legend for data series + enum: + - min + - max + - avg + - median + - range + - last_value + - last_non_null_value + - first_value + - first_non_null_value + - difference + - difference_percentage + - count + - total + - standard_deviation + - variance + - distinct_count + - current_and_last_value type: string - maxItems: 10 - minItems: 1 + maxItems: 17 type: array - id: - type: string - is_default: - type: boolean - is_default_monitoring: - type: boolean - is_internal: - type: boolean - is_preconfigured: - type: boolean - name: + visibility: + description: Legend visibility. + enum: + - auto + - visible + - hidden type: string - otel_disable_beatsauth: - nullable: true - type: boolean - otel_exporter_config_yaml: - nullable: true + required: + - placement + title: Inside + type: object + Kibana_HTTP_APIs_xyLegendOutsideHorizontal: + additionalProperties: false + description: Outside legend positioned horizontal (top/bottom) of the chart + properties: + layout: + anyOf: + - additionalProperties: false + type: object + properties: + truncate: + additionalProperties: false + type: object + properties: + enabled: + description: Enable truncation of legend items + type: boolean + max_lines: + description: Number of lines before legend items are truncated. 
+ maximum: 10 + minimum: 1 + title: legendTruncateAfterLines + type: number + type: + enum: + - grid + type: string + required: + - type + - additionalProperties: false + type: object + properties: + type: + enum: + - list + type: string + required: + - type + placement: + enum: + - outside type: string - preset: + position: enum: - - balanced - - custom - - throughput - - scale - - latency + - top + - bottom type: string - proxy_id: - nullable: true + series_header: + $ref: '#/components/schemas/Kibana_HTTP_APIs_xyLegendSeriesHeader' + statistics: + description: Statistics to display in legend + items: + description: Statistical functions that can be displayed in chart legend for data series + enum: + - min + - max + - avg + - median + - range + - last_value + - last_non_null_value + - first_value + - first_non_null_value + - difference + - difference_percentage + - count + - total + - standard_deviation + - variance + - distinct_count + - current_and_last_value + type: string + maxItems: 17 + type: array + visibility: + description: Legend visibility. + enum: + - auto + - visible + - hidden type: string - secrets: + title: Outside horizontal + type: object + Kibana_HTTP_APIs_xyLegendOutsideVertical: + additionalProperties: false + description: Outside legend positioned vertical (left/right) of the chart + properties: + layout: additionalProperties: false type: object properties: - ssl: + truncate: additionalProperties: false type: object properties: - key: - anyOf: - - additionalProperties: false - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - shipper: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' - nullable: true - ssl: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' - nullable: true - type: + enabled: + description: Enable truncation of legend items + type: boolean + max_lines: + description: Number of lines before legend items are truncated. 
+ maximum: 10 + minimum: 1 + title: legendTruncateAfterLines + type: number + type: + enum: + - grid + type: string + required: + - type + placement: enum: - - elasticsearch + - outside type: string - write_to_logs_streams: - nullable: true + position: + enum: + - left + - right + type: string + series_header: + $ref: '#/components/schemas/Kibana_HTTP_APIs_xyLegendSeriesHeader' + size: + $ref: '#/components/schemas/Kibana_HTTP_APIs_legendSize' + statistics: + description: Statistics to display in legend + items: + description: Statistical functions that can be displayed in chart legend for data series + enum: + - min + - max + - avg + - median + - range + - last_value + - last_non_null_value + - first_value + - first_non_null_value + - difference + - difference_percentage + - count + - total + - standard_deviation + - variance + - distinct_count + - current_and_last_value + type: string + maxItems: 17 + type: array + visibility: + description: Legend visibility. + enum: + - auto + - visible + - hidden + type: string + title: Outside vertical + type: object + Kibana_HTTP_APIs_xyLegendSeriesHeader: + additionalProperties: false + description: Legend table series header configuration. + properties: + text: + description: Legend table series header text. + type: string + visible: + description: When true, shows the legend table series header. type: boolean - title: update_output_elasticsearch + title: xyLegendSeriesHeader type: object - Kibana_HTTP_APIs_update_output_kafka: + Kibana_HTTP_APIs_xyReferenceLineLayerNoESQL: additionalProperties: false + description: Reference line layer for standard queries properties: - allow_edit: + data_source: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-reference-schema' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_kbn-data-view-spec-schema' + ignore_global_filters: + default: false + description: When `true`, ignores global filters when fetching data for this layer. Defaults to `false`. 
+ type: boolean + sampling: + default: 1 + description: Sampling factor between 0 (no sampling) and 1 (full sampling). + maximum: 1 + minimum: 0 + type: number + thresholds: + description: Array of reference line thresholds items: - type: string - maxItems: 1000 + anyOf: + - anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyRefLineCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyRefLineUniqueCountMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyRefLineStatsMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyRefLineSumMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyRefLineLastValue' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyRefLinePercentile' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyRefLinePercentileRanks' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyRefLineStatic' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_xyRefLineFormula' + maxItems: 100 + minItems: 1 type: array - auth_type: + type: enum: - - none - - user_pass - - ssl - - kerberos + - reference_lines type: string - broker_timeout: - type: number - ca_sha256: - nullable: true + required: + - type + - data_source + - thresholds + title: Reference Line Layer (DSL) + type: object + Kibana_HTTP_APIs_xyRefLineCountMetric: + additionalProperties: false + properties: + axis: + description: The axis this reference line is drawn on. Values match the root axis configuration keys. If omitted, defaults to the primary Y axis. + enum: + - x + - 'y' + - y2 type: string - ca_trusted_fingerprint: - nullable: true + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric type: string - client_id: + fill: + description: Fill direction for reference line + enum: + - above + - below type: string - compression: + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + icon: + description: Icon to display on the reference line enum: - - gzip - - snappy - - lz4 - - none + - asterisk + - alert + - bell + - bolt + - bug + - circle + - editor_comment + - flag + - heart + - map_marker + - pin_filled + - star_empty + - star_filled + - tag + - triangle type: string - compression_level: - nullable: true - type: number - config_yaml: - nullable: true + label: + description: Label for the operation type: string - connection_type: + operation: enum: - - plaintext - - encryption + - count type: string - hash: + position: + description: Position of the icon and label relative to the reference line + enum: + - auto + - left + - right + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + stroke_dash: + description: Line style + enum: + - solid + - dashed + - dotted + type: string + stroke_width: + description: Line width in pixels + maximum: 10 + minimum: 1 + type: number + text: additionalProperties: false + description: Reference line text label configuration type: object properties: - hash: - type: string - random: + visible: + description: Show text label on the reference line type: boolean - headers: - items: - additionalProperties: false - type: object - properties: - key: - type: string - value: - type: string - required: - - key - - value - maxItems: 100 - type: array - hosts: - items: - type: string - maxItems: 10 - minItems: 1 - type: array - id: + required: + - visible + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: 
Operation Time Shift Setting type: string - is_default: - default: false - type: boolean - is_default_monitoring: - default: false - type: boolean - is_internal: - type: boolean - is_preconfigured: - type: boolean - key: + required: + - operation + title: Count Metric Operation + type: object + Kibana_HTTP_APIs_xyRefLineFormula: + additionalProperties: false + properties: + axis: + description: The axis this reference line is drawn on. Values match the root axis configuration keys. If omitted, defaults to the primary Y axis. + enum: + - x + - 'y' + - y2 type: string - name: + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + fill: + description: Fill direction for reference line + enum: + - above + - below type: string - otel_disable_beatsauth: - nullable: true - type: boolean - otel_exporter_config_yaml: - nullable: true + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + formula: + description: Formula type: string - partition: + icon: + description: Icon to display on the reference line enum: - - random - - round_robin - - hash + - asterisk + - alert + - bell + - bolt + - bug + - circle + - editor_comment + - flag + - heart + - map_marker + - pin_filled + - star_empty + - star_filled + - tag + - triangle type: string - password: - nullable: true + label: + description: Label for the operation type: string - proxy_id: - nullable: true + operation: + enum: + - formula type: string - random: + position: + description: Position of the icon and label relative to the reference line + enum: + - auto + - left + - right + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + stroke_dash: + description: Line style + enum: + - solid + - dashed + - dotted + type: string + stroke_width: + description: Line width in pixels 
+ maximum: 10 + minimum: 1 + type: number + text: additionalProperties: false + description: Reference line text label configuration type: object properties: - group_events: - type: number - required_acks: + visible: + description: Show text label on the reference line + type: boolean + required: + - visible + time_scale: + description: Time scale enum: - - 1 - - 0 - - -1 - type: integer - round_robin: + - s + - m + - h + - d + type: string + required: + - operation + - formula + title: Formula Operation + type: object + Kibana_HTTP_APIs_xyRefLineLastValue: + additionalProperties: false + properties: + axis: + description: The axis this reference line is drawn on. Values match the root axis configuration keys. If omitted, defaults to the primary Y axis. + enum: + - x + - 'y' + - y2 + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + fill: + description: Fill direction for reference line + enum: + - above + - below + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + icon: + description: Icon to display on the reference line + enum: + - asterisk + - alert + - bell + - bolt + - bug + - circle + - editor_comment + - flag + - heart + - map_marker + - pin_filled + - star_empty + - star_filled + - tag + - triangle + type: string + label: + description: Label for the operation + type: string + multi_value: + default: false + description: Whether to return all values for multi-value fields. Only affects data table and metric charts; other charts use the last value from the array. 
+ type: boolean + operation: + enum: + - last_value + type: string + position: + description: Position of the icon and label relative to the reference line + enum: + - auto + - left + - right + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + stroke_dash: + description: Line style + enum: + - solid + - dashed + - dotted + type: string + stroke_width: + description: Line width in pixels + maximum: 10 + minimum: 1 + type: number + text: additionalProperties: false + description: Reference line text label configuration type: object properties: - group_events: - type: number - sasl: + visible: + description: Show text label on the reference line + type: boolean + required: + - visible + time_field: + description: Time field used to determine document recency + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + - time_field + title: Last Value Operation + type: object + Kibana_HTTP_APIs_xyRefLinePercentile: + additionalProperties: false + properties: + axis: + description: The axis this reference line is drawn on. Values match the root axis configuration keys. If omitted, defaults to the primary Y axis. 
+ enum: + - x + - 'y' + - y2 + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + fill: + description: Fill direction for reference line + enum: + - above + - below + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + icon: + description: Icon to display on the reference line + enum: + - asterisk + - alert + - bell + - bolt + - bug + - circle + - editor_comment + - flag + - heart + - map_marker + - pin_filled + - star_empty + - star_filled + - tag + - triangle + type: string + label: + description: Label for the operation + type: string + operation: + enum: + - percentile + type: string + percentile: + default: 95 + description: Percentile + type: number + position: + description: Position of the icon and label relative to the reference line + enum: + - auto + - left + - right + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + stroke_dash: + description: Line style + enum: + - solid + - dashed + - dotted + type: string + stroke_width: + description: Line width in pixels + maximum: 10 + minimum: 1 + type: number + text: additionalProperties: false - nullable: true + description: Reference line text label configuration type: object properties: - mechanism: - enum: - - PLAIN - - SCRAM-SHA-256 - - SCRAM-SHA-512 - type: string - secrets: + visible: + description: Show text label on the reference line + type: boolean + required: + - visible + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Percentile Operation + type: object + 
Kibana_HTTP_APIs_xyRefLinePercentileRanks: + additionalProperties: false + properties: + axis: + description: The axis this reference line is drawn on. Values match the root axis configuration keys. If omitted, defaults to the primary Y axis. + enum: + - x + - 'y' + - y2 + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + fill: + description: Fill direction for reference line + enum: + - above + - below + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + icon: + description: Icon to display on the reference line + enum: + - asterisk + - alert + - bell + - bolt + - bug + - circle + - editor_comment + - flag + - heart + - map_marker + - pin_filled + - star_empty + - star_filled + - tag + - triangle + type: string + label: + description: Label for the operation + type: string + operation: + enum: + - percentile_rank + type: string + position: + description: Position of the icon and label relative to the reference line + enum: + - auto + - left + - right + type: string + rank: + default: 0 + description: Percentile Rank + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + stroke_dash: + description: Line style + enum: + - solid + - dashed + - dotted + type: string + stroke_width: + description: Line width in pixels + maximum: 10 + minimum: 1 + type: number + text: additionalProperties: false + description: Reference line text label configuration type: object properties: - password: - anyOf: - - additionalProperties: false - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - key: - anyOf: - - 
additionalProperties: false - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - required: - - key - shipper: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' - nullable: true - ssl: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' - nullable: true - timeout: - type: number - topic: + visible: + description: Show text label on the reference line + type: boolean + required: + - visible + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting type: string - type: + required: + - field + - operation + title: Percentile Ranks Operation + type: object + Kibana_HTTP_APIs_xyRefLineStatic: + additionalProperties: false + properties: + axis: + description: The axis this reference line is drawn on. Values match the root axis configuration keys. If omitted, defaults to the primary Y axis. 
enum: - - kafka + - x + - 'y' + - y2 type: string - username: - nullable: true + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + fill: + description: Fill direction for reference line + enum: + - above + - below type: string - version: + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + icon: + description: Icon to display on the reference line + enum: + - asterisk + - alert + - bell + - bolt + - bug + - circle + - editor_comment + - flag + - heart + - map_marker + - pin_filled + - star_empty + - star_filled + - tag + - triangle type: string + label: + description: Label for the operation + type: string + operation: + enum: + - static_value + type: string + position: + description: Position of the icon and label relative to the reference line + enum: + - auto + - left + - right + type: string + stroke_dash: + description: Line style + enum: + - solid + - dashed + - dotted + type: string + stroke_width: + description: Line width in pixels + maximum: 10 + minimum: 1 + type: number + text: + additionalProperties: false + description: Reference line text label configuration + type: object + properties: + visible: + description: Show text label on the reference line + type: boolean + required: + - visible + value: + default: 100 + description: Static value + type: number required: - - name - title: update_output_kafka + - operation + title: Static Operation Definition type: object - Kibana_HTTP_APIs_update_output_logstash: + Kibana_HTTP_APIs_xyRefLineStatsMetric: additionalProperties: false properties: - allow_edit: - items: - type: string - maxItems: 1000 - type: array - ca_sha256: - nullable: true + axis: + description: The axis this reference line is drawn on. Values match the root axis configuration keys. If omitted, defaults to the primary Y axis. 
+ enum: + - x + - 'y' + - y2 type: string - ca_trusted_fingerprint: - nullable: true + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric type: string - config_yaml: - nullable: true + fill: + description: Fill direction for reference line + enum: + - above + - below type: string - hosts: - items: - type: string - maxItems: 10 - minItems: 1 - type: array - id: + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + icon: + description: Icon to display on the reference line + enum: + - asterisk + - alert + - bell + - bolt + - bug + - circle + - editor_comment + - flag + - heart + - map_marker + - pin_filled + - star_empty + - star_filled + - tag + - triangle type: string - is_default: - type: boolean - is_default_monitoring: - type: boolean - is_internal: - type: boolean - is_preconfigured: - type: boolean - name: + label: + description: Label for the operation type: string - otel_disable_beatsauth: - nullable: true - type: boolean - otel_exporter_config_yaml: - nullable: true + operation: + enum: + - min + - max + - average + - median + - standard_deviation type: string - proxy_id: - nullable: true + position: + description: Position of the icon and label relative to the reference line + enum: + - auto + - left + - right type: string - secrets: + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + stroke_dash: + description: Line style + enum: + - solid + - dashed + - dotted + type: string + stroke_width: + description: Line width in pixels + maximum: 10 + minimum: 1 + type: number + text: additionalProperties: false + description: Reference line text label configuration type: object properties: - ssl: - additionalProperties: false - type: object - properties: - key: - anyOf: 
- - additionalProperties: false - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - shipper: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' - nullable: true - ssl: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' - nullable: true - type: - enum: - - logstash + visible: + description: Show text label on the reference line + type: boolean + required: + - visible + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting type: string - title: update_output_logstash + required: + - field + - operation + title: Stats Metric Operation type: object - Kibana_HTTP_APIs_update_output_remote_elasticsearch: + Kibana_HTTP_APIs_xyRefLineSumMetric: additionalProperties: false properties: - allow_edit: - items: - type: string - maxItems: 1000 - type: array - ca_sha256: - nullable: true + axis: + description: The axis this reference line is drawn on. Values match the root axis configuration keys. If omitted, defaults to the primary Y axis. + enum: + - x + - 'y' + - y2 type: string - ca_trusted_fingerprint: - nullable: true + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric type: string - config_yaml: - nullable: true + fill: + description: Fill direction for reference line + enum: + - above + - below type: string - hosts: - items: - format: uri - type: string - maxItems: 10 - minItems: 1 - type: array - id: + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + icon: + description: Icon to display on the reference line + enum: + - asterisk + - alert + - bell + - bolt + - bug + - circle + - editor_comment + - flag + - heart + - map_marker + - pin_filled + - star_empty + - star_filled + - tag + - triangle type: string - is_default: - type: boolean - is_default_monitoring: - type: boolean - is_internal: - type: boolean - is_preconfigured: - type: boolean - kibana_api_key: - nullable: true + label: + description: Label for the operation type: string - kibana_url: - nullable: true + operation: + enum: + - sum type: string - name: + position: + description: Position of the icon and label relative to the reference line + enum: + - auto + - left + - right type: string - otel_disable_beatsauth: - nullable: true + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + stroke_dash: + description: Line style + enum: + - solid + - dashed + - dotted + type: string + stroke_width: + description: Line width in pixels + maximum: 10 + minimum: 1 + type: number + text: + additionalProperties: false + description: Reference line text label configuration + type: object + properties: + visible: + description: Show text label on the reference line + type: boolean + required: + - visible + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Sum Metric Operation + type: 
object + Kibana_HTTP_APIs_xyRefLineUniqueCountMetric: + additionalProperties: false + properties: + axis: + description: The axis this reference line is drawn on. Values match the root axis configuration keys. If omitted, defaults to the primary Y axis. + enum: + - x + - 'y' + - y2 + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. type: boolean - otel_exporter_config_yaml: - nullable: true + field: + description: Field to be used for the metric type: string - preset: + fill: + description: Fill direction for reference line enum: - - balanced - - custom - - throughput - - scale - - latency + - above + - below type: string - proxy_id: - nullable: true + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + icon: + description: Icon to display on the reference line + enum: + - asterisk + - alert + - bell + - bolt + - bug + - circle + - editor_comment + - flag + - heart + - map_marker + - pin_filled + - star_empty + - star_filled + - tag + - triangle type: string - secrets: + label: + description: Label for the operation + type: string + operation: + enum: + - unique_count + type: string + position: + description: Position of the icon and label relative to the reference line + enum: + - auto + - left + - right + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + stroke_dash: + description: Line style + enum: + - solid + - dashed + - dotted + type: string + stroke_width: + description: Line width in pixels + maximum: 10 + minimum: 1 + type: number + text: additionalProperties: false + description: Reference line text label configuration type: object properties: - service_token: - anyOf: - - 
additionalProperties: false - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - ssl: - additionalProperties: false - type: object - properties: - key: - anyOf: - - additionalProperties: false - type: object - properties: - hash: - type: string - id: - type: string - required: - - id - - type: string - service_token: - nullable: true + visible: + description: Show text label on the reference line + type: boolean + required: + - visible + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting type: string - shipper: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper' - nullable: true - ssl: - allOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl' - nullable: true - sync_integrations: - type: boolean - sync_uninstalled_integrations: - type: boolean - type: + required: + - field + - operation + title: Unique Count Metric Operation + type: object + Kibana_HTTP_APIs_xyStyling: + additionalProperties: false + description: Visual styling options for the chart + properties: + areas: + $ref: '#/components/schemas/Kibana_HTTP_APIs_xyStylingAreas' + bars: + $ref: '#/components/schemas/Kibana_HTTP_APIs_xyStylingBars' + fitting: + $ref: '#/components/schemas/Kibana_HTTP_APIs_xyFitting' + interpolation: + description: Curve interpolation method for line and area series enum: - - remote_elasticsearch + - linear + - smooth + - stepped type: string - write_to_logs_streams: - nullable: true - type: boolean - title: update_output_remote_elasticsearch + overlays: + $ref: '#/components/schemas/Kibana_HTTP_APIs_xyStylingOverlays' + points: + $ref: '#/components/schemas/Kibana_HTTP_APIs_xyStylingPoints' + title: xyStyling type: object - Kibana_HTTP_APIs_update_package_policy_request: + Kibana_HTTP_APIs_xyStylingAreas: additionalProperties: false + description: Area-specific rendering 
settings properties: - additional_datastreams_permissions: - description: >- - Additional datastream permissions, that will be added to the agent - policy. - items: - type: string - maxItems: 1000 - nullable: true - type: array - cloud_connector_id: - description: ID of the cloud connector associated with this package policy. - nullable: true + fill_opacity: + description: Area fill opacity (0-1 typical, max 2 for legacy) + maximum: 2 + minimum: 0 + type: number + title: xyStylingAreas + type: object + Kibana_HTTP_APIs_xyStylingBars: + additionalProperties: false + description: Bar-specific rendering settings + properties: + data_labels: + additionalProperties: false + description: Data label configuration for bar series + type: object + properties: + visible: + default: false + description: Display value labels on bar data points + type: boolean + minimum_height: + description: Minimum bar height in pixels + minimum: 0 + type: number + title: xyStylingBars + type: object + Kibana_HTTP_APIs_xyStylingOverlays: + additionalProperties: false + description: Visual overlays drawn on top of the chart canvas + properties: + current_time_marker: + additionalProperties: false + description: Current time marker configuration + type: object + properties: + visible: + default: false + description: Show current time marker line + type: boolean + partial_buckets: + additionalProperties: false + description: Partial (incomplete) bucket indicator configuration + type: object + properties: + visible: + default: false + description: Show partial bucket indicators at time range edges + type: boolean + title: xyStylingOverlays + type: object + Kibana_HTTP_APIs_xyStylingPoints: + additionalProperties: false + description: Data point marker settings for line and area series + properties: + visibility: + description: Data point marker visibility on line and area series + enum: + - auto + - visible + - hidden type: string - cloud_connector_name: - description: Transient field for cloud 
connector name during creation. - maxLength: 255 - minLength: 1 - nullable: true + title: xyStylingPoints + type: object + Kibana_HTTP_APIs_xyXDateHistogram: + additionalProperties: false + properties: + drop_partial_intervals: + description: When `true`, drops partial intervals from the results. + type: boolean + field: + description: Field to be used for the date histogram. type: string - condition: - description: >- - **Experimental.** Agent condition expression to evaluate whether to - apply this integration to its inputs. + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. + type: boolean + label: + description: Label for the operation type: string - description: - description: Package policy description + operation: + enum: + - date_histogram type: string - enabled: - type: boolean - force: + suggested_interval: + default: auto + description: Suggested time interval. + type: string + use_original_time_range: + default: false + description: When `true`, uses the original time range instead of the current query time range. type: boolean - global_data_tags: + required: + - operation + - field + title: Date Histogram Operation + type: object + Kibana_HTTP_APIs_xyXFilters: + additionalProperties: false + properties: + filters: items: - additionalProperties: false - type: object - properties: - name: - description: The name of the custom field. Cannot contain spaces. - type: string - value: - anyOf: - - type: string - - type: number - description: The value of the custom field. - required: - - name - - value + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterWithLabel' maxItems: 100 - nullable: true - type: array - inputs: - items: - additionalProperties: false - type: object - properties: - condition: - description: >- - **Experimental.** Agent condition expression to evaluate - whether to apply this input. 
- type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation for more - information) - type: object - deprecated: - $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - name: - type: string - policy_template: - type: string - streams: - items: - additionalProperties: false - type: object - properties: - compiled_stream: - nullable: true - condition: - description: >- - **Experimental.** Agent condition expression to evaluate - whether to apply this stream. - type: string - config: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation for more - information) - type: object - data_stream: - additionalProperties: false - type: object - properties: - dataset: - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - dynamic_dataset: - type: boolean - dynamic_namespace: - type: boolean - privileges: - additionalProperties: false - type: object - properties: - indices: - items: - type: string - maxItems: 100 - type: array - type: - type: string - required: - - dataset - deprecated: - $ref: '#/components/schemas/Kibana_HTTP_APIs_deprecation_info' - enabled: - type: boolean - id: - type: string - keep_enabled: - type: boolean - migrate_from: - type: string - release: - enum: - - ga - - beta - - experimental - type: string - var_group_selections: - additionalProperties: - type: string - description: >- - Variable group selections. Maps var_group name to the - selected option name within that group. 
- type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation for more - information) - type: object - required: - - enabled - - data_stream - - compiled_stream - - deprecated - maxItems: 1000 - type: array - type: - type: string - var_group_selections: - additionalProperties: - type: string - description: >- - Variable group selections. Maps var_group name to the selected - option name within that group. - type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: - type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation for more - information) - type: object - required: - - type - - enabled - - deprecated - maxItems: 1000 type: array - is_managed: + label: + description: Label for the operation + type: string + operation: + enum: + - filters + type: string + required: + - operation + - filters + title: Filters Operation + type: object + Kibana_HTTP_APIs_xyXHistogram: + additionalProperties: false + properties: + field: + description: Field to be used for the histogram. + type: string + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + granularity: + anyOf: + - description: Granularity of the histogram. + maximum: 7 + minimum: 1 + type: number + - enum: + - auto + type: string + default: auto + include_empty_rows: + default: true + description: When `true`, includes empty rows in the results. type: boolean - name: + label: + description: Label for the operation type: string - namespace: - description: >- - The package policy namespace. Leave blank to inherit the agent - policy's namespace. 
+ operation: + enum: + - histogram type: string - output_id: - nullable: true + required: + - operation + - field + title: Histogram Operation + type: object + Kibana_HTTP_APIs_xyXRanges: + additionalProperties: false + properties: + field: + description: Field to be used for the range. type: string - overrides: - additionalProperties: false - description: >- - Override settings that are defined in the package policy. The - override option should be used only in unusual circumstances and not - as a routine procedure. - nullable: true - type: object - properties: - inputs: - additionalProperties: - nullable: true - type: object - package: - $ref: '#/components/schemas/Kibana_HTTP_APIs_package_policy_package' - package_agent_version_condition: + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation type: string - policy_id: - deprecated: true - description: ID of the agent policy which the package policy will be added to. - nullable: true + operation: + enum: + - range type: string - policy_ids: + ranges: items: - description: >- - IDs of the agent policies which that package policy will be added - to. - type: string - maxItems: 1000 + additionalProperties: false + type: object + properties: + gt: + description: Greater than. + type: number + label: + description: Label. + type: string + lte: + description: Less than or equal to. + type: number + maxItems: 100 type: array - spaceIds: + required: + - operation + - field + - ranges + title: Ranges Operation + type: object + Kibana_HTTP_APIs_xyXTerms: + additionalProperties: false + properties: + excludes: + additionalProperties: false + type: object + properties: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to exclude. + type: string + maxItems: 100 + type: array + required: + - values + fields: items: + description: Fields to be used for the terms. 
type: string - maxItems: 100 + maxItems: 4 + minItems: 1 type: array - supports_agentless: - default: false - description: >- - Indicates whether the package policy belongs to an agentless agent - policy. - nullable: true - type: boolean - supports_cloud_connector: - default: false - description: Indicates whether the package policy supports cloud connectors. - nullable: true - type: boolean - var_group_selections: - additionalProperties: - type: string - description: >- - Variable group selections. Maps var_group name to the selected - option name within that group. + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + includes: + additionalProperties: false type: object - vars: - additionalProperties: - additionalProperties: false - type: object - properties: - frozen: - type: boolean - type: + properties: + as_regex: + description: When `true`, treats the values as regular expressions. + type: boolean + values: + items: + description: Values to include. type: string - value: - nullable: true - required: - - value - description: >- - Package variable (see integration documentation for more - information) + maxItems: 100 + type: array + required: + - values + increase_accuracy: + description: When `true`, increases accuracy at the cost of performance. + type: boolean + label: + description: Label for the operation + type: string + limit: + default: 5 + description: Number of terms to return. + type: number + operation: + enum: + - terms + type: string + other_bucket: + additionalProperties: false type: object - version: + properties: + include_documents_without_field: + description: When `true`, includes documents that do not have the specified field. 
+ type: boolean + required: + - include_documents_without_field + rank_by: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByAlphabetical' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByRare' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankBySignificant' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByMetric' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByCustomCountOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileOperation' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_termsRankByPercentileRankOperation' + required: + - operation + - fields + title: Terms Operation + type: object + Kibana_HTTP_APIs_xyYCounterRate: + additionalProperties: false + properties: + axis: + description: The Y axis this metric is plotted on. Values match the root axis configuration keys (axis.y, axis.y2). If omitted, defaults to the Y axis start (leading) side. 
+ enum: + - 'y' + - y2 + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - counter_rate + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting type: string required: - - package - title: update_package_policy_request + - field + - operation + title: Counter Rate Operation type: object - Kibana_HTTP_APIs_update_package_request: + Kibana_HTTP_APIs_xyYCountMetric: additionalProperties: false properties: - keepPoliciesUpToDate: + axis: + description: The Y axis this metric is plotted on. Values match the root axis configuration keys (axis.y, axis.y2). If omitted, defaults to the Y axis start (leading) side. + enum: + - 'y' + - y2 + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. type: boolean - namespace_customization_enabled_for: - description: >- - Namespaces for which namespace-level customization is enabled on - this package. 
- items: - type: string - maxItems: 100 - type: array - title: update_package_request + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - operation + title: Count Metric Operation type: object - Kibana_HTTP_APIs_update_package_response: + Kibana_HTTP_APIs_xyYCumulativeSum: additionalProperties: false properties: - item: - $ref: '#/components/schemas/Kibana_HTTP_APIs_get_package_info' + axis: + description: The Y axis this metric is plotted on. Values match the root axis configuration keys (axis.y, axis.y2). If omitted, defaults to the Y axis start (leading) side. 
+ enum: + - 'y' + - y2 + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - cumulative_sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string required: - - item - title: update_package_response + - field + - operation + title: Cumulative Sum Operation type: object - Kibana_HTTP_APIs_upgrade_package_policies_request: + Kibana_HTTP_APIs_xyYDifferences: additionalProperties: false properties: - packagePolicyIds: - items: - type: string - maxItems: 1000 - type: array + axis: + description: The Y axis this metric is plotted on. Values match the root axis configuration keys (axis.y, axis.y2). If omitted, defaults to the Y axis start (leading) side. 
+ enum: + - 'y' + - y2 + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - differences + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string required: - - packagePolicyIds - title: upgrade_package_policies_request + - operation + - of + title: Differences Operation + type: object + Kibana_HTTP_APIs_xyYFormula: + additionalProperties: false + properties: + axis: + description: The Y axis this metric is plotted on. Values match the root axis configuration keys (axis.y, axis.y2). If omitted, defaults to the Y axis start (leading) side. 
+ enum: + - 'y' + - y2 + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + formula: + description: Formula + type: string + label: + description: Label for the operation + type: string + operation: + enum: + - formula + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + description: Time scale + enum: + - s + - m + - h + - d + type: string + required: + - operation + - formula + title: Formula Operation + type: object + Kibana_HTTP_APIs_xyYLastValue: + additionalProperties: false + properties: + axis: + description: The Y axis this metric is plotted on. Values match the root axis configuration keys (axis.y, axis.y2). If omitted, defaults to the Y axis start (leading) side. + enum: + - 'y' + - y2 + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + multi_value: + default: false + description: Whether to return all values for multi-value fields. Only affects data table and metric charts; other charts use the last value from the array. 
+ type: boolean + operation: + enum: + - last_value + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_field: + description: Time field used to determine document recency + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + - time_field + title: Last Value Operation + type: object + Kibana_HTTP_APIs_xyYMovingAverage: + additionalProperties: false + properties: + axis: + description: The Y axis this metric is plotted on. Values match the root axis configuration keys (axis.y, axis.y2). If omitted, defaults to the Y axis start (leading) side. + enum: + - 'y' + - y2 + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + of: + $ref: '#/components/schemas/Kibana_HTTP_APIs_fieldMetricOperations' + operation: + enum: + - moving_average + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + window: + default: 5 + description: Window + type: number + required: + - operation + - of + title: Moving Average Operation + type: object + Kibana_HTTP_APIs_xyYPercentile: + additionalProperties: false + properties: + axis: + description: The Y axis this metric is plotted on. Values match the root axis configuration keys (axis.y, axis.y2). 
If omitted, defaults to the Y axis start (leading) side. + enum: + - 'y' + - y2 + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - percentile + type: string + percentile: + default: 95 + description: Percentile + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Percentile Operation + type: object + Kibana_HTTP_APIs_xyYPercentileRanks: + additionalProperties: false + properties: + axis: + description: The Y axis this metric is plotted on. Values match the root axis configuration keys (axis.y, axis.y2). If omitted, defaults to the Y axis start (leading) side. 
+ enum: + - 'y' + - y2 + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - percentile_rank + type: string + rank: + default: 0 + description: Percentile Rank + type: number + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Percentile Ranks Operation + type: object + Kibana_HTTP_APIs_xyYStatsMetric: + additionalProperties: false + properties: + axis: + description: The Y axis this metric is plotted on. Values match the root axis configuration keys (axis.y, axis.y2). If omitted, defaults to the Y axis start (leading) side. 
+ enum: + - 'y' + - y2 + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - min + - max + - average + - median + - standard_deviation + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Stats Metric Operation + type: object + Kibana_HTTP_APIs_xyYSumMetric: + additionalProperties: false + properties: + axis: + description: The Y axis this metric is plotted on. Values match the root axis configuration keys (axis.y, axis.y2). If omitted, defaults to the Y axis start (leading) side. + enum: + - 'y' + - y2 + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - sum + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Sum Metric Operation + type: object + Kibana_HTTP_APIs_xyYUniqueCountMetric: + additionalProperties: false + properties: + axis: + description: The Y axis this metric is plotted on. Values match the root axis configuration keys (axis.y, axis.y2). If omitted, defaults to the Y axis start (leading) side. + enum: + - 'y' + - y2 + type: string + color: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_staticColor' + - $ref: '#/components/schemas/Kibana_HTTP_APIs_autoColor' + empty_as_null: + default: false + description: When `true`, treats empty buckets as null instead of zero. 
+ type: boolean + field: + description: Field to be used for the metric + type: string + filter: + $ref: '#/components/schemas/Kibana_HTTP_APIs_filterSimple' + format: + $ref: '#/components/schemas/Kibana_HTTP_APIs_formatType' + label: + description: Label for the operation + type: string + operation: + enum: + - unique_count + type: string + reduced_time_range: + description: Reduced time range + title: Operation Reduced Time Range Setting + type: string + time_scale: + $ref: '#/components/schemas/Kibana_HTTP_APIs_operationTimeScaleSetting' + time_shift: + description: Time shift + title: Operation Time Shift Setting + type: string + required: + - field + - operation + title: Unique Count Metric Operation type: object Machine_learning_APIs_mlSync200Response: properties: datafeedsAdded: additionalProperties: $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDatafeeds' - description: >- - If a saved object for an anomaly detection job is missing a datafeed - identifier, it is added when you run the sync machine learning saved - objects API. + description: If a saved object for an anomaly detection job is missing a datafeed identifier, it is added when you run the sync machine learning saved objects API. type: object datafeedsRemoved: additionalProperties: $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDatafeeds' - description: >- - If a saved object for an anomaly detection job references a datafeed - that no longer exists, it is deleted when you run the sync machine - learning saved objects API. + description: If a saved object for an anomaly detection job references a datafeed that no longer exists, it is deleted when you run the sync machine learning saved objects API. 
type: object savedObjectsCreated: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseSavedObjectsCreated + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSavedObjectsCreated' savedObjectsDeleted: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseSavedObjectsDeleted + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSavedObjectsDeleted' title: Successful sync API response type: object Machine_learning_APIs_mlSync4xxResponse: 
@@ -62427,97 +117884,63 @@ components: title: Unsuccessful sync API response type: object Machine_learning_APIs_mlSyncResponseAnomalyDetectors: - description: >- - The sync machine learning saved objects API response contains this - object when there are anomaly detection jobs affected by the - synchronization. There is an object for each relevant job, which - contains the synchronization status. + description: The sync machine learning saved objects API response contains this object when there are anomaly detection jobs affected by the synchronization. There is an object for each relevant job, which contains the synchronization status. properties: success: $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' title: Sync API response for anomaly detection jobs type: object Machine_learning_APIs_mlSyncResponseDatafeeds: - description: >- - The sync machine learning saved objects API response contains this - object when there are datafeeds affected by the synchronization. There - is an object for each relevant datafeed, which contains the - synchronization status. + description: The sync machine learning saved objects API response contains this object when there are datafeeds affected by the synchronization. There is an object for each relevant datafeed, which contains the synchronization status. properties: success: $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' title: Sync API response for datafeeds type: object Machine_learning_APIs_mlSyncResponseDataFrameAnalytics: - description: >- - The sync machine learning saved objects API response contains this - object when there are data frame analytics jobs affected by the - synchronization. There is an object for each relevant job, which - contains the synchronization status. + description: The sync machine learning saved objects API response contains this object when there are data frame analytics jobs affected by the synchronization. 
There is an object for each relevant job, which contains the synchronization status. properties: success: $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' title: Sync API response for data frame analytics jobs type: object Machine_learning_APIs_mlSyncResponseSavedObjectsCreated: - description: >- - If saved objects are missing for machine learning jobs or trained - models, they are created when you run the sync machine learning saved - objects API. + description: If saved objects are missing for machine learning jobs or trained models, they are created when you run the sync machine learning saved objects API. properties: anomaly-detector: additionalProperties: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseAnomalyDetectors - description: >- - If saved objects are missing for anomaly detection jobs, they are - created. + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseAnomalyDetectors' + description: If saved objects are missing for anomaly detection jobs, they are created. type: object data-frame-analytics: additionalProperties: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseDataFrameAnalytics - description: >- - If saved objects are missing for data frame analytics jobs, they are - created. + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDataFrameAnalytics' + description: If saved objects are missing for data frame analytics jobs, they are created. type: object trained-model: additionalProperties: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseTrainedModels + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseTrainedModels' description: If saved objects are missing for trained models, they are created. 
type: object title: Sync API response for created saved objects type: object Machine_learning_APIs_mlSyncResponseSavedObjectsDeleted: - description: >- - If saved objects exist for machine learning jobs or trained models that - no longer exist, they are deleted when you run the sync machine learning - saved objects API. + description: If saved objects exist for machine learning jobs or trained models that no longer exist, they are deleted when you run the sync machine learning saved objects API. properties: anomaly-detector: additionalProperties: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseAnomalyDetectors - description: >- - If there are saved objects exist for nonexistent anomaly detection - jobs, they are deleted. + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseAnomalyDetectors' + description: If there are saved objects exist for nonexistent anomaly detection jobs, they are deleted. type: object data-frame-analytics: additionalProperties: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseDataFrameAnalytics - description: >- - If there are saved objects exist for nonexistent data frame - analytics jobs, they are deleted. + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDataFrameAnalytics' + description: If there are saved objects exist for nonexistent data frame analytics jobs, they are deleted. type: object trained-model: additionalProperties: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseTrainedModels - description: >- - If there are saved objects exist for nonexistent trained models, - they are deleted. + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseTrainedModels' + description: If there are saved objects exist for nonexistent trained models, they are deleted. type: object title: Sync API response for deleted saved objects type: object 
@@ -62525,11 +117948,7 @@ components: description: The success or failure of the synchronization. type: boolean Machine_learning_APIs_mlSyncResponseTrainedModels: - description: >- - The sync machine learning saved objects API response contains this - object when there are trained models affected by the synchronization. - There is an object for each relevant trained model, which contains the - synchronization status. + description: The sync machine learning saved objects API response contains this object when there are trained models affected by the synchronization. There is an object for each relevant trained model, which contains the synchronization status. properties: success: $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' @@ -62609,8 +118028,7 @@ components: description: The name associated with the message. type: string role: - $ref: >- - #/components/schemas/Observability_AI_Assistant_API_MessageRoleEnum + $ref: '#/components/schemas/Observability_AI_Assistant_API_MessageRoleEnum' required: - role required: @@ -62734,8 +118152,7 @@ components: example: user.name type: string skip_reason: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipReason + $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipReason' description: Reason why the anonymization field was not modified. required: - id 
@@ -62753,15 +118170,12 @@ components: errors: description: List of errors that occurred during the bulk operation. items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_NormalizedAnonymizationFieldError + $ref: '#/components/schemas/Security_AI_Assistant_API_NormalizedAnonymizationFieldError' type: array results: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResults + $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResults' summary: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_BulkCrudActionSummary + $ref: '#/components/schemas/Security_AI_Assistant_API_BulkCrudActionSummary' required: - results - summary @@ -62785,8 +118199,7 @@ components: created: description: List of anonymization fields successfully created. items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse + $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse' type: array deleted: items: @@ -62797,14 +118210,12 @@ components: skipped: description: List of anonymization fields that were skipped during the operation. items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipResult + $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipResult' type: array updated: description: List of anonymization fields successfully updated. items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse + $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse' type: array required: - updated 
@@ -63000,9 +118411,7 @@ components: $ref: '#/components/schemas/Security_AI_Assistant_API_MessageData' description: Metadata to attach to the context of the message. fields_to_anonymize: - description: >- - List of field names within the data object that should be - anonymized. + description: List of field names within the data object that should be anonymized. example: - user.name - source.ip @@ -63025,18 +118434,12 @@ components: Security_AI_Assistant_API_ContentReferences: additionalProperties: oneOf: - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryContentReference - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_SecurityAlertContentReference - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_SecurityAlertsPageContentReference - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_ProductDocumentationContentReference - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_EsqlContentReference - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_HrefContentReference + - $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryContentReference' + - $ref: '#/components/schemas/Security_AI_Assistant_API_SecurityAlertContentReference' + - $ref: '#/components/schemas/Security_AI_Assistant_API_SecurityAlertsPageContentReference' + - $ref: '#/components/schemas/Security_AI_Assistant_API_ProductDocumentationContentReference' + - $ref: '#/components/schemas/Security_AI_Assistant_API_EsqlContentReference' + - $ref: '#/components/schemas/Security_AI_Assistant_API_HrefContentReference' additionalProperties: false description: A union of all content reference types type: object 
@@ -63188,9 +118591,7 @@ components: example: default type: string users: - description: >- - Users who have access to the Knowledge Base Entry, defaults to - current user. Empty array provides access to all users. + description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users. items: $ref: '#/components/schemas/Security_AI_Assistant_API_User' type: array @@ -63200,8 +118601,7 @@ components: - global - users - $ref: '#/components/schemas/Security_AI_Assistant_API_ResponseFields' - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_DocumentEntryResponseFields + - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryResponseFields' Security_AI_Assistant_API_DocumentEntryCreateFields: allOf: - type: object @@ -63219,18 +118619,14 @@ components: example: default type: string users: - description: >- - Users who have access to the Knowledge Base Entry, defaults to - current user. Empty array provides access to all users. + description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users. items: $ref: '#/components/schemas/Security_AI_Assistant_API_User' type: array required: - name - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_DocumentEntryRequiredFields - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_DocumentEntryOptionalFields + - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryRequiredFields' + - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryOptionalFields' Security_AI_Assistant_API_DocumentEntryOptionalFields: type: object properties: 
@@ -63266,10 +118662,8 @@ components: - text Security_AI_Assistant_API_DocumentEntryResponseFields: allOf: - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_DocumentEntryRequiredFields - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_DocumentEntryOptionalFields + - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryRequiredFields' + - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryOptionalFields' Security_AI_Assistant_API_DocumentEntryUpdateFields: allOf: - type: object @@ -63289,16 +118683,13 @@ components: example: default type: string users: - description: >- - Users who have access to the Knowledge Base Entry, defaults to - current user. Empty array provides access to all users. + description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users. items: $ref: '#/components/schemas/Security_AI_Assistant_API_User' type: array required: - id - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields + - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields' Security_AI_Assistant_API_EsqlContentReference: allOf: - $ref: '#/components/schemas/Security_AI_Assistant_API_BaseContentReference' @@ -63344,9 +118735,7 @@ components: - updated_at type: string Security_AI_Assistant_API_FindConversationsSortField: - description: >- - The field by which to sort the conversations. Possible values are - `created_at`, `title`, and `updated_at`. + description: The field by which to sort the conversations. Possible values are `created_at`, `title`, and `updated_at`. enum: - created_at - title 
@@ -63407,9 +118796,7 @@ components: example: default type: string users: - description: >- - Users who have access to the Knowledge Base Entry, defaults to - current user. Empty array provides access to all users. + description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users. items: $ref: '#/components/schemas/Security_AI_Assistant_API_User' type: array @@ -63419,8 +118806,7 @@ components: - global - users - $ref: '#/components/schemas/Security_AI_Assistant_API_ResponseFields' - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_IndexEntryResponseFields + - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryResponseFields' Security_AI_Assistant_API_IndexEntryCreateFields: allOf: - type: object @@ -63438,27 +118824,21 @@ components: example: default type: string users: - description: >- - Users who have access to the Knowledge Base Entry, defaults to - current user. Empty array provides access to all users. + description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users. items: $ref: '#/components/schemas/Security_AI_Assistant_API_User' type: array required: - name - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_IndexEntryRequiredFields - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_IndexEntryOptionalFields + - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryRequiredFields' + - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryOptionalFields' Security_AI_Assistant_API_IndexEntryOptionalFields: type: object properties: inputSchema: $ref: '#/components/schemas/Security_AI_Assistant_API_InputSchema' outputFields: - description: >- - Fields to extract from the query result, defaults to all fields if - not provided or empty. + description: Fields to extract from the query result, defaults to all fields if not provided or empty. example: - title - author 
@@ -63469,9 +118849,7 @@ components: type: object properties: description: - description: >- - Description for when this index or data stream should be queried for - Knowledge Base content. Passed to the LLM as a tool description. + description: Description for when this index or data stream should be queried for Knowledge Base content. Passed to the LLM as a tool description. example: Query this index for general knowledge base content. type: string field: @@ -63483,9 +118861,7 @@ components: example: knowledge_base_index type: string queryDescription: - description: >- - Description of query field used to fetch Knowledge Base content. - Passed to the LLM as part of the tool input schema. + description: Description of query field used to fetch Knowledge Base content. Passed to the LLM as part of the tool input schema. example: Search for documents containing the specified keywords. type: string type: @@ -63502,10 +118878,8 @@ components: - queryDescription Security_AI_Assistant_API_IndexEntryResponseFields: allOf: - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_IndexEntryRequiredFields - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_IndexEntryOptionalFields + - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryRequiredFields' + - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryOptionalFields' Security_AI_Assistant_API_IndexEntryUpdateFields: allOf: - type: object 
@@ -63525,20 +118899,15 @@ components: example: default type: string users: - description: >- - Users who have access to the Knowledge Base Entry, defaults to - current user. Empty array provides access to all users. + description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users. items: $ref: '#/components/schemas/Security_AI_Assistant_API_User' type: array required: - id - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields + - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields' Security_AI_Assistant_API_InputSchema: - description: >- - Array of objects defining the input schema, allowing the LLM to extract - structured data to be used in retrieval. + description: Array of objects defining the input schema, allowing the LLM to extract structured data to be used in retrieval. items: type: object properties: @@ -63561,8 +118930,7 @@ components: type: array Security_AI_Assistant_API_InputTextInterruptResumeValue: allOf: - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_BaseInterruptResumeValue + - $ref: '#/components/schemas/Security_AI_Assistant_API_BaseInterruptResumeValue' - type: object properties: type: @@ -63602,11 +118970,9 @@ components: Security_AI_Assistant_API_InterruptResumeValue: description: Union of the interrupt resume values oneOf: - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_SelectOptionInterruptResumeValue + - $ref: '#/components/schemas/Security_AI_Assistant_API_SelectOptionInterruptResumeValue' additionalProperties: false - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_InputTextInterruptResumeValue + - $ref: '#/components/schemas/Security_AI_Assistant_API_InputTextInterruptResumeValue' additionalProperties: false Security_AI_Assistant_API_InterruptType: description: The type of interrupt 
@@ -63617,11 +118983,9 @@ components: Security_AI_Assistant_API_InterruptValue: description: Union of the interrupt values oneOf: - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_SelectOptionInterruptValue + - $ref: '#/components/schemas/Security_AI_Assistant_API_SelectOptionInterruptValue' additionalProperties: false - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_InputTextInterruptValue + - $ref: '#/components/schemas/Security_AI_Assistant_API_InputTextInterruptValue' additionalProperties: false Security_AI_Assistant_API_KnowledgeBaseEntryBulkActionSkipReason: description: Reason why a Knowledge Base Entry was skipped during the bulk action. @@ -63640,8 +119004,7 @@ components: example: Skipped Entry type: string skip_reason: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkActionSkipReason + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkActionSkipReason' required: - id - skip_reason @@ -63661,15 +119024,12 @@ components: message: Failed to update entry. statusCode: 400 items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_NormalizedKnowledgeBaseEntryError + $ref: '#/components/schemas/Security_AI_Assistant_API_NormalizedKnowledgeBaseEntryError' type: array results: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionResults + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionResults' summary: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionSummary + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionSummary' required: - results - summary 
@@ -63704,29 +119064,23 @@ components: text: This is the content of the new entry. type: document items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse' type: array deleted: - description: >- - List of IDs of Knowledge Base Entries that were successfully - deleted. + description: List of IDs of Knowledge Base Entries that were successfully deleted. example: - '789' items: type: string type: array skipped: - description: >- - List of Knowledge Base Entries that were skipped during the bulk - action. + description: List of Knowledge Base Entries that were skipped during the bulk action. example: - id: '123' name: Skipped Entry skip_reason: KNOWLEDGE_BASE_ENTRY_NOT_MODIFIED items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkActionSkipResult + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkActionSkipResult' type: array updated: description: List of Knowledge Base Entries that were successfully updated. @@ -63738,8 +119092,7 @@ components: text: Updated content. type: document items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse' type: array required: - updated @@ -63754,15 +119107,11 @@ components: example: 2 type: integer skipped: - description: >- - Number of Knowledge Base Entries that were skipped during the bulk - action. + description: Number of Knowledge Base Entries that were skipped during the bulk action. example: 1 type: integer succeeded: - description: >- - Number of Knowledge Base Entries that were successfully processed - during the bulk action. + description: Number of Knowledge Base Entries that were successfully processed during the bulk action. example: 5 type: integer total: 
@@ -63799,16 +119148,12 @@ components: description: References a knowledge base entry Security_AI_Assistant_API_KnowledgeBaseEntryCreateProps: anyOf: - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields + - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields' + - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields' discriminator: mapping: - document: >- - #/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields - index: >- - #/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields + document: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields' + index: '#/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields' propertyName: type Security_AI_Assistant_API_KnowledgeBaseEntryDetailsInError: type: object 
@@ -63854,37 +119199,27 @@ components: propertyName: type Security_AI_Assistant_API_KnowledgeBaseEntryUpdateProps: anyOf: - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_DocumentEntryUpdateFields - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_IndexEntryUpdateFields + - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryUpdateFields' + - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryUpdateFields' discriminator: mapping: - document: >- - #/components/schemas/Security_AI_Assistant_API_DocumentEntryUpdateFields - index: >- - #/components/schemas/Security_AI_Assistant_API_IndexEntryUpdateFields + document: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryUpdateFields' + index: '#/components/schemas/Security_AI_Assistant_API_IndexEntryUpdateFields' propertyName: type Security_AI_Assistant_API_KnowledgeBaseEntryUpdateRouteProps: anyOf: - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields + - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields' + - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields' discriminator: mapping: - document: >- - #/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields - index: >- - #/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields + document: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields' + index: '#/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields' propertyName: type Security_AI_Assistant_API_KnowledgeBaseReadResponse200: type: object properties: defend_insights_exists: - description: >- - Indicates if Defend Insights documentation exists in the - KnowledgeBase. + description: Indicates if Defend Insights documentation exists in the KnowledgeBase. example: true type: boolean elser_exists: 
@@ -63904,9 +119239,7 @@ components: example: complete type: string security_labs_exists: - description: >- - Indicates if Security Labs documentation exists in the - KnowledgeBase. + description: Indicates if Security Labs documentation exists in the KnowledgeBase. example: true type: boolean user_data_exists: @@ -63914,9 +119247,7 @@ components: example: false type: boolean Security_AI_Assistant_API_KnowledgeBaseResource: - description: >- - Knowledge Base resource name for grouping entries, e.g. 'security_labs', - 'user', etc. + description: Knowledge Base resource name for grouping entries, e.g. 'security_labs', 'user', etc. enum: - security_labs - defend_insights @@ -64004,16 +119335,10 @@ components: description: Data referred to by the message content. interruptResumeValue: $ref: '#/components/schemas/Security_AI_Assistant_API_InterruptResumeValue' - description: >- - When the agent is resumed after an interrupt, this field is - populated with the details of the resume value. + description: When the agent is resumed after an interrupt, this field is populated with the details of the resume value. interruptValue: $ref: '#/components/schemas/Security_AI_Assistant_API_InterruptValue' - description: >- - When the agent is interrupted (for example, when user input is - required), this field is populated with the details of the - interrupt. Messages containing interruptValues in the metadata are - excluded from the LLM context. + description: When the agent is interrupted (for example, when user input is required), this field is populated with the details of the interrupt. Messages containing interruptValues in the metadata are excluded from the LLM context. Security_AI_Assistant_API_MessageRole: description: Message role. enum: 
@@ -64029,9 +119354,7 @@ components: minLength: 1 type: string Security_AI_Assistant_API_NonEmptyTimestamp: - description: >- - A string that represents a timestamp in ISO 8601 format and does not - contain only whitespace characters. + description: A string that represents a timestamp in ISO 8601 format and does not contain only whitespace characters. example: '2023-10-31T12:00:00Z' format: nonempty minLength: 1 @@ -64042,8 +119365,7 @@ components: anonymization_fields: description: Array of anonymization fields that caused the error. items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldDetailsInError + $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldDetailsInError' type: array err_code: description: Error code indicating the type of failure. @@ -64071,8 +119393,7 @@ components: knowledgeBaseEntries: description: List of Knowledge Base Entries that encountered the error. items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryDetailsInError + $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryDetailsInError' type: array message: description: Error message describing the issue. @@ -64098,8 +119419,7 @@ components: prompts: description: List of prompts that encountered errors. items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_PromptDetailsInError + $ref: '#/components/schemas/Security_AI_Assistant_API_PromptDetailsInError' type: array status_code: description: The HTTP status code associated with the error. @@ -64258,8 +119578,7 @@ components: description: The name of the prompt that was skipped. type: string skip_reason: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_PromptsBulkActionSkipReason + $ref: '#/components/schemas/Security_AI_Assistant_API_PromptsBulkActionSkipReason' description: The reason for skipping the prompt. required: - id 
@@ -64272,15 +119591,12 @@ components: properties: errors: items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_NormalizedPromptError + $ref: '#/components/schemas/Security_AI_Assistant_API_NormalizedPromptError' type: array results: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_PromptsBulkCrudActionResults + $ref: '#/components/schemas/Security_AI_Assistant_API_PromptsBulkCrudActionResults' summary: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_BulkCrudActionSummary + $ref: '#/components/schemas/Security_AI_Assistant_API_BulkCrudActionSummary' required: - results - summary @@ -64318,8 +119634,7 @@ components: skipped: description: List of prompts that were skipped. items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_PromptsBulkActionSkipResult + $ref: '#/components/schemas/Security_AI_Assistant_API_PromptsBulkActionSkipResult' type: array updated: description: List of prompts that were updated. @@ -64476,8 +119791,7 @@ components: - value Security_AI_Assistant_API_SelectOptionInterruptResumeValue: allOf: - - $ref: >- - #/components/schemas/Security_AI_Assistant_API_BaseInterruptResumeValue + - $ref: '#/components/schemas/Security_AI_Assistant_API_BaseInterruptResumeValue' - type: object properties: type: @@ -64486,9 +119800,7 @@ components: example: SELECT_OPTION type: string value: - description: >- - The value of the selected option to resume the graph execution - with + description: The value of the selected option to resume the graph execution with example: option_1 type: string required: @@ -64510,8 +119822,7 @@ components: - label: Option 1 - label: Option 2 items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_SelectOptionInterruptOption + $ref: '#/components/schemas/Security_AI_Assistant_API_SelectOptionInterruptOption' type: array type: enum: 
@@ -64555,9 +119866,7 @@ components: example: John Doe type: string Security_AI_Assistant_API_Vector: - description: >- - Object containing Knowledge Base Entry text embeddings and modelId used - to create the embeddings. + description: Object containing Knowledge Base Entry text embeddings and modelId used to create the embeddings. type: object properties: modelId: @@ -64655,9 +119964,7 @@ components: type: string type: array alert_rule_uuid: - description: >- - The optional kibana.alert.rule.uuid of the rule that generated this - attack discovery (not applicable to ad hock runs) + description: The optional kibana.alert.rule.uuid of the rule that generated this attack discovery (not applicable to ad hock runs) type: string alert_start: description: The optional time the attack discovery alert was created @@ -64666,22 +119973,16 @@ components: description: The optional time the attack discovery alert was last updated type: string alert_updated_by_user_id: - description: >- - The optional id of the user who last updated the attack discovery - alert + description: The optional id of the user who last updated the attack discovery alert type: string alert_updated_by_user_name: - description: >- - The optional username of the user who updated the attack discovery - alert + description: The optional username of the user who updated the attack discovery alert type: string alert_workflow_status: description: The optional kibana.alert.workflow_status of this attack discovery type: string alert_workflow_status_updated_at: - description: >- - The optional time the attack discovery alert workflow status was - last updated + description: The optional time the attack discovery alert workflow status was last updated type: string assignees: description: The optional array of user-IDs who have been assigned the attack 
@@ -64692,20 +119993,13 @@ components: description: The ID of the connector that generated the attack discovery type: string connector_name: - description: >- - The (human readable) name of the connector that generated the attack - discovery + description: The (human readable) name of the connector that generated the attack discovery type: string details_markdown: - description: >- - Details of the attack with bulleted markdown that always uses - special syntax for field names and values from the source data. + description: Details of the attack with bulleted markdown that always uses special syntax for field names and values from the source data. type: string entity_summary_markdown: - description: >- - An optional, short (no more than a sentence) summary of the attack - discovery featuring only the host.name and user.name fields (when - they are applicable), using the same syntax + description: An optional, short (no more than a sentence) summary of the attack discovery featuring only the host.name and user.name fields (when they are applicable), using the same syntax type: string generation_uuid: description: The generation ID of the run that created the attack discovery @@ -64714,9 +120008,7 @@ components: description: The unique ID of the attack discovery type: string index: - description: >- - The concrete Elasticsearch index where this attack discovery is - stored + description: The concrete Elasticsearch index where this attack discovery is stored type: string mitre_attack_tactics: description: An optional array of MITRE ATT&CK tactic for the attack discovery 
@@ -64725,13 +120017,9 @@ components: type: array replacements: $ref: '#/components/schemas/Security_Attack_discovery_API_Replacements' - description: >- - Key-value pairs that are used to replace placeholders in the - markdown fields + description: Key-value pairs that are used to replace placeholders in the markdown fields risk_score: - description: >- - The optional, (but typically populated after generation) risk score - of the alert + description: The optional, (but typically populated after generation) risk score of the alert type: integer summary_markdown: description: A markdown summary of attack discovery, using the same syntax @@ -64751,14 +120039,10 @@ components: description: The optional id of the user who generated the attack discovery type: string user_name: - description: >- - The optional username of the user who generated the attack - discovery, (not applicable to attack discoveries generated by rules) + description: The optional username of the user who generated the attack discovery, (not applicable to attack discoveries generated by rules) type: string users: - description: >- - The optional array of users who may view the attack discovery. When - empty, (or not present), all users may view the attack discovery. + description: The optional array of users who may view the attack discovery. When empty, (or not present), all users may view the attack discovery. items: $ref: '#/components/schemas/Security_Attack_discovery_API_User' type: array @@ -64779,8 +120063,7 @@ components: actions: description: The Attack Discovery schedule actions items: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction' type: array created_at: description: The date the schedule was created 
@@ -64796,19 +120079,16 @@ components: description: UUID of Attack Discovery schedule type: string last_execution: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleExecution + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleExecution' description: The Attack Discovery schedule last execution summary name: description: The name of the schedule type: string params: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleParams + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleParams' description: The Attack Discovery schedule configuration parameters schedule: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_IntervalApiSchedule + $ref: '#/components/schemas/Security_Attack_discovery_API_IntervalApiSchedule' description: The Attack Discovery schedule interval updated_at: description: The date the schedule was updated 
@@ -64830,30 +120110,22 @@ components: - actions Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction: oneOf: - - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleGeneralAction - - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleSystemAction + - $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleGeneralAction' + - $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleSystemAction' Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionAlertsFilter: additionalProperties: true type: object Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionFrequency: - description: >- - The action frequency defines when the action runs (for example, only on - schedule execution or at specific time intervals). + description: The action frequency defines when the action runs (for example, only on schedule execution or at specific time intervals). type: object properties: notify_when: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionNotifyWhen + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionNotifyWhen' summary: - description: >- - Action summary indicates whether we will send a summary notification - about all the generate alerts or notification per individual alert + description: Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert type: boolean throttle: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionThrottle + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionThrottle' nullable: true required: - summary 
@@ -64866,9 +120138,7 @@ components: description: The connector ID. type: string Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionNotifyWhen: - description: >- - The condition for throttling the notification: `onActionGroupChange`, - `onActiveAlert`, or `onThrottleInterval` + description: 'The condition for throttling the notification: `onActionGroupChange`, `onActiveAlert`, or `onThrottleInterval`' enum: - onActiveAlert - onThrottleInterval @@ -64876,14 +120146,10 @@ components: type: string Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionParams: additionalProperties: true - description: >- - Object containing the allowed connector fields, which varies according - to the connector type. + description: Object containing the allowed connector fields, which varies according to the connector type. type: object Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionThrottle: - description: >- - Defines how often schedule actions are taken. Time interval in seconds, - minutes, hours, or days. + description: Defines how often schedule actions are taken. Time interval in seconds, minutes, hours, or days. example: 1h pattern: ^[1-9]\d*[smhd]$ type: string @@ -64894,8 +120160,7 @@ components: actions: description: The Attack Discovery schedule actions items: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction' type: array enabled: description: Indicates whether the schedule is enabled 
@@ -64904,12 +120169,10 @@ components: description: The name of the schedule type: string params: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleParams + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleParams' description: The Attack Discovery schedule configuration parameters schedule: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_IntervalApiSchedule + $ref: '#/components/schemas/Security_Attack_discovery_API_IntervalApiSchedule' description: The Attack Discovery schedule interval required: - name @@ -64929,8 +120192,7 @@ components: message: type: string status: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleExecutionStatus + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleExecutionStatus' description: Status of the execution required: - date 
@@ -64952,20 +120214,15 @@ components: description: The action type used for sending notifications. type: string alerts_filter: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionAlertsFilter + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionAlertsFilter' frequency: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionFrequency + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionFrequency' group: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionGroup + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionGroup' id: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionId + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionId' params: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionParams + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionParams' uuid: $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' required: @@ -65015,11 +120272,9 @@ components: description: The action type used for sending notifications. type: string id: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionId + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionId' params: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionParams + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionParams' uuid: $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' required: 
@@ -65033,19 +120288,16 @@ components: actions: description: The Attack Discovery schedule actions items: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction' type: array name: description: The name of the schedule type: string params: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleParams + $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleParams' description: The Attack Discovery schedule configuration parameters schedule: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_IntervalApiSchedule + $ref: '#/components/schemas/Security_Attack_discovery_API_IntervalApiSchedule' description: The Attack Discovery schedule interval required: - name @@ -65053,9 +120305,7 @@ components: - schedule - actions Security_Attack_discovery_API_AttackDiscoveryFindSortField: - description: >- - Allowed field names to sort Attack Discovery results by. Clients should - only pass one of the listed values. + description: Allowed field names to sort Attack Discovery results by. Clients should only pass one of the listed values. enum: - '@timestamp' type: string @@ -65063,10 +120313,7 @@ components: type: object properties: alerts_context_count: - description: >- - The number of alerts sent as context (max - kibana.alert.rule.execution.metrics.alert_counts.active) to the LLM - for the generation + description: The number of alerts sent as context (max kibana.alert.rule.execution.metrics.alert_counts.active) to the LLM for the generation type: number connector_id: description: The connector id (event.dataset) for this generation 
@@ -65076,29 +120323,19 @@ components: type: object properties: average_successful_duration_nanoseconds: - description: >- - The average duration (avg event.duration) in nanoseconds of - successful generations for the same connector id, for the - current user + description: The average duration (avg event.duration) in nanoseconds of successful generations for the same connector id, for the current user type: number successful_generations: - description: >- - The number of successful generations for the same connector id, - for the current user + description: The number of successful generations for the same connector id, for the current user type: number discoveries: - description: >- - The number of new Attack discovery alerts (max - kibana.alert.rule.execution.metrics.alert_counts.new) for this - generation + description: The number of new Attack discovery alerts (max kibana.alert.rule.execution.metrics.alert_counts.new) for this generation type: number end: description: When generation ended (max event.end) type: string execution_uuid: - description: >- - The unique identifier (kibana.alert.rule.execution.uuid) for the - generation + description: The unique identifier (kibana.alert.rule.execution.uuid) for the generation type: string loading_message: description: Generation loading message (kibana.alert.rule.execution.status) 
@@ -65129,23 +120366,15 @@ components: type: object properties: alertsIndexPattern: - description: > - The (space specific) index pattern that contains the alerts to use - as - + description: | + The (space specific) index pattern that contains the alerts to use as context for the attack discovery. - Example: .alerts-security.alerts-default type: string anonymizationFields: - description: >- - The list of fields, and whether or not they are anonymized, allowed - to be sent to LLMs. Consider using the output of the - `/api/security_ai_assistant/anonymization_fields/_find` API (for a - specific Kibana space) to provide this value. + description: The list of fields, and whether or not they are anonymized, allowed to be sent to LLMs. Consider using the output of the `/api/security_ai_assistant/anonymization_fields/_find` API (for a specific Kibana space) to provide this value. items: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_AnonymizationFieldResponse + $ref: '#/components/schemas/Security_Attack_discovery_API_AnonymizationFieldResponse' type: array apiConfig: $ref: '#/components/schemas/Security_Attack_discovery_API_ApiConfig' @@ -65156,10 +120385,8 @@ components: type: string filter: additionalProperties: true - description: >- - An Elasticsearch-style query DSL object used to filter alerts. For - example: - + description: |- + An Elasticsearch-style query DSL object used to filter alerts. For example: ```json { "filter": { "bool": { 
@@ -65204,10 +120431,7 @@ components: - size - subAction Security_Attack_discovery_API_AttackDiscoveryGenericError: - description: >- - Error response for Attack discovery schedule operations when the request - is rejected. Uses `status_code` (snake_case), `error`, and `message` to - match the implementation. + description: Error response for Attack discovery schedule operations when the request is rejected. Uses `status_code` (snake_case), `error`, and `message` to match the implementation. type: object properties: error: @@ -65232,8 +120456,7 @@ components: type: object properties: id: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_NonEmptyString + $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' description: The unique identifier of the failed schedule. name: description: The name of the failed schedule. @@ -65263,13 +120486,10 @@ components: properties: errors: items: - $ref: >- - #/components/schemas/Security_Attack_discovery_API_BulkActionAttackDiscoverySchedulesError + $ref: '#/components/schemas/Security_Attack_discovery_API_BulkActionAttackDiscoverySchedulesError' type: array ids: - description: >- - The unique identifiers of the schedules successfully affected by the - bulk action. + description: The unique identifiers of the schedules successfully affected by the bulk action. items: $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString' type: array @@ -65281,9 +120501,7 @@ components: - errors - total Security_Attack_discovery_API_Filters: - description: >- - The filter array used to define the conditions for when alerts are - selected as an Attack Discovery context. Defaults to an empty array. + description: The filter array used to define the conditions for when alerts are selected as an Attack Discovery context. Defaults to an empty array. items: {} type: array Security_Attack_discovery_API_IntervalApiSchedule: 
@@ -65301,9 +120519,7 @@ components: minLength: 1 type: string Security_Attack_discovery_API_NonEmptyTimestamp: - description: >- - A string that represents a timestamp in ISO 8601 format and does not - contain only whitespace characters. + description: A string that represents a timestamp in ISO 8601 format and does not contain only whitespace characters. example: '2023-10-31T12:00:00Z' format: nonempty minLength: 1 @@ -65359,18 +120575,14 @@ components: properties: add: items: - description: >- - A list of user profile `uid`s to assign. Users need to activate - their user profile by logging into Kibana at least once. + description: A list of user profile `uid`s to assign. Users need to activate their user profile by logging into Kibana at least once. format: nonempty minLength: 1 type: string type: array remove: items: - description: >- - A list of user profile `uid`s to unassign. Users need to activate - their user profile by logging into Kibana at least once. + description: A list of user profile `uid`s to unassign. Users need to activate their user profile by logging into Kibana at least once. format: nonempty minLength: 1 type: string 
@@ -65428,29 +120640,22 @@ components: type: object properties: requests_per_second: - description: >- - The throttle for the migration task in sub-requests per second. - Corresponds to requests_per_second on the Reindex API. + description: The throttle for the migration task in sub-requests per second. Corresponds to requests_per_second on the Reindex API. minimum: 1 type: integer size: - description: >- - Number of alerts to migrate per batch. Corresponds to the - source.size option on the Reindex API. + description: Number of alerts to migrate per batch. Corresponds to the source.size option on the Reindex API. minimum: 1 type: integer slices: - description: >- - The number of subtasks for the migration task. Corresponds to slices - on the Reindex API. + description: The number of subtasks for the migration task. Corresponds to slices on the Reindex API. minimum: 1 type: integer Security_Detections_API_AlertsSort: oneOf: - $ref: '#/components/schemas/Security_Detections_API_AlertsSortCombinations' - items: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsSortCombinations + $ref: '#/components/schemas/Security_Detections_API_AlertsSortCombinations' type: array Security_Detections_API_AlertsSortCombinations: anyOf: @@ -65458,9 +120663,7 @@ components: - additionalProperties: true type: object Security_Detections_API_AlertStatusExceptClosed: - description: >- - The status of an alert, which can be `open`, `acknowledged`, - `in-progress`, or `closed`. + description: The status of an alert, which can be `open`, `acknowledged`, `in-progress`, or `closed`. enum: - open - acknowledged 
@@ -65471,21 +120674,18 @@ components: type: object properties: duration: - $ref: >- - #/components/schemas/Security_Detections_API_AlertSuppressionDuration + $ref: '#/components/schemas/Security_Detections_API_AlertSuppressionDuration' group_by: $ref: '#/components/schemas/Security_Detections_API_AlertSuppressionGroupBy' missing_fields_strategy: - $ref: >- - #/components/schemas/Security_Detections_API_AlertSuppressionMissingFieldsStrategy + $ref: '#/components/schemas/Security_Detections_API_AlertSuppressionMissingFieldsStrategy' required: - group_by Security_Detections_API_AlertSuppressionDuration: type: object properties: unit: - $ref: >- - #/components/schemas/Security_Detections_API_AlertSuppressionDurationUnit + $ref: '#/components/schemas/Security_Detections_API_AlertSuppressionDurationUnit' value: minimum: 1 type: integer @@ -65506,28 +120706,21 @@ components: minItems: 1 type: array Security_Detections_API_AlertSuppressionMissingFieldsStrategy: - description: >- - Describes how alerts will be generated for documents with missing - suppress by fields: - + description: |- + Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created - suppress - only alert will be created per suppress by bucket enum: - doNotSuppress - suppress type: string Security_Detections_API_AlertTag: - description: >- - Use alert tags to organize related alerts into categories that you can - filter and group. + description: Use alert tags to organize related alerts into categories that you can filter and group. format: nonempty minLength: 1 type: string Security_Detections_API_AlertTags: - description: >- - List of keywords to organize related alerts into categories that you can - filter and group. + description: List of keywords to organize related alerts into categories that you can filter and group. items: $ref: '#/components/schemas/Security_Detections_API_AlertTag' type: array 
@@ -65542,46 +120735,29 @@ components: - version - count Security_Detections_API_AnomalyThreshold: - description: >- - Anomaly score threshold above which the rule creates an alert. Valid - values are from 0 to 100. + description: Anomaly score threshold above which the rule creates an alert. Valid values are from 0 to 100. minimum: 0 type: integer Security_Detections_API_BuildingBlockType: - description: > - Determines if the rule acts as a building block. If yes, the value must - be `default`. - - By default, building-block alerts are not displayed in the UI. These - rules are used as a foundation for other rules that do generate alerts. - - For more information, refer to [About building block - rules](https://www.elastic.co/docs/solutions/security/detect-and-alert/about-building-block-rules). + description: | + Determines if the rule acts as a building block. If yes, the value must be `default`. + By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. + For more information, refer to [About building block rules](https://www.elastic.co/docs/solutions/security/detect-and-alert/about-building-block-rules). 
type: string Security_Detections_API_BulkActionEditPayload: anyOf: - - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionEditPayloadTags - - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionEditPayloadIndexPatterns - - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionEditPayloadInvestigationFields - - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionEditPayloadTimeline - - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionEditPayloadRuleActions - - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionEditPayloadSchedule - - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionEditPayloadAlertSuppression + - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadTags' + - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadIndexPatterns' + - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadInvestigationFields' + - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadTimeline' + - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadRuleActions' + - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadSchedule' + - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadAlertSuppression' Security_Detections_API_BulkActionEditPayloadAlertSuppression: anyOf: - - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionEditPayloadSetAlertSuppression - - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionEditPayloadSetAlertSuppressionForThreshold - - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionEditPayloadDeleteAlertSuppression + - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadSetAlertSuppression' + - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadSetAlertSuppressionForThreshold' + - $ref: 
'#/components/schemas/Security_Detections_API_BulkActionEditPayloadDeleteAlertSuppression' Security_Detections_API_BulkActionEditPayloadDeleteAlertSuppression: type: object properties: @@ -65592,19 +120768,12 @@ components: required: - type Security_Detections_API_BulkActionEditPayloadIndexPatterns: - description: > + description: | Edits index patterns of rulesClient. - - - `add_index_patterns` adds index patterns to rules. If an index pattern - already exists for a rule, no changes are made. - - - `delete_index_patterns` removes index patterns from rules. If an index - pattern does not exist for a rule, no changes are made. - - - `set_index_patterns` sets index patterns for rules, overwriting any - existing index patterns. If the set of index patterns is the same as the - existing index patterns, no changes are made. + - `add_index_patterns` adds index patterns to rules. If an index pattern already exists for a rule, no changes are made. + - `delete_index_patterns` removes index patterns from rules. If an index pattern does not exist for a rule, no changes are made. + - `set_index_patterns` sets index patterns for rules, overwriting any existing index patterns. If the set of index patterns is the same as the existing index patterns, no changes are made. type: object properties: overwrite_data_views: 
@@ -65622,20 +120791,12 @@ components: - type - value Security_Detections_API_BulkActionEditPayloadInvestigationFields: - description: > + description: | Edits investigation fields of rules. - - - `add_investigation_fields` adds investigation fields to rules. If an - investigation field already exists for a rule, no changes are made. - - - `delete_investigation_fields` removes investigation fields from rules. - If an investigation field does not exist for a rule, no changes are - made. - - - `set_investigation_fields` sets investigation fields for rules. If the - set of investigation fields is the same as the existing investigation - fields, no changes are made. + - `add_investigation_fields` adds investigation fields to rules. If an investigation field already exists for a rule, no changes are made. + - `delete_investigation_fields` removes investigation fields from rules. If an investigation field does not exist for a rule, no changes are made. + - `set_investigation_fields` sets investigation fields for rules. If the set of investigation fields is the same as the existing investigation fields, no changes are made. type: object properties: type: 
@@ -65650,18 +120811,11 @@ components: - type - value Security_Detections_API_BulkActionEditPayloadRuleActions: - description: > + description: | Edits rule actions of rules. - - - `add_rule_actions` adds rule actions to rules. This action is - non-idempotent, meaning that even if the same rule action already exists - for a rule, it will be added again with a new unique ID. - - - `set_rule_actions` sets rule actions for rules. This action is - non-idempotent, meaning that even if the same set of rule actions - already exists for a rule, it will be set again and the actions will - receive new unique IDs. + - `add_rule_actions` adds rule actions to rules. This action is non-idempotent, meaning that even if the same rule action already exists for a rule, it will be added again with a new unique ID. + - `set_rule_actions` sets rule actions for rules. This action is non-idempotent, meaning that even if the same set of rule actions already exists for a rule, it will be set again and the actions will receive new unique IDs. type: object properties: type: 
@@ -65674,30 +120828,22 @@ components: properties: actions: items: - $ref: >- - #/components/schemas/Security_Detections_API_NormalizedRuleAction + $ref: '#/components/schemas/Security_Detections_API_NormalizedRuleAction' type: array throttle: - $ref: >- - #/components/schemas/Security_Detections_API_ThrottleForBulkActions + $ref: '#/components/schemas/Security_Detections_API_ThrottleForBulkActions' required: - actions required: - type - value Security_Detections_API_BulkActionEditPayloadSchedule: - description: > + description: | Overwrites schedule of rules. + - `set_schedule` sets a schedule for rules. If the same schedule already exists for a rule, no changes are made. - - `set_schedule` sets a schedule for rules. If the same schedule already - exists for a rule, no changes are made. - - - Both `interval` and `lookback` have a format of "{integer}{time_unit}", - where accepted time units are `s` for seconds, `m` for minutes, and `h` - for hours. The integer must be positive and larger than 0. Examples: - "45s", "30m", "6h" + Both `interval` and `lookback` have a format of "{integer}{time_unit}", where accepted time units are `s` for seconds, `m` for minutes, and `h` for hours. The integer must be positive and larger than 0. Examples: "45s", "30m", "6h" type: object properties: type: 
@@ -65708,20 +120854,15 @@ components: type: object properties: interval: - description: >- - Interval in which the rule runs. For example, `"1h"` means the - rule runs every hour. + description: Interval in which the rule runs. For example, `"1h"` means the rule runs every hour. example: 1h pattern: ^[1-9]\d*[smh]$ type: string lookback: - description: > + description: | Lookback time for the rules. - - Additional look-back time that the rule analyzes. For example, - "10m" means the rule analyzes the last 10 minutes of data in - addition to the frequency interval. + Additional look-back time that the rule analyzes. For example, "10m" means the rule analyzes the last 10 minutes of data in addition to the frequency interval. example: 1h pattern: ^[1-9]\d*[smh]$ type: string @@ -65751,24 +120892,17 @@ components: - set_alert_suppression_for_threshold type: string value: - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdAlertSuppression + $ref: '#/components/schemas/Security_Detections_API_ThresholdAlertSuppression' required: - type - value Security_Detections_API_BulkActionEditPayloadTags: - description: > + description: | Edits tags of rules. - - - `add_tags` adds tags to rules. If a tag already exists for a rule, no - changes are made. - - - `delete_tags` removes tags from rules. If a tag does not exist for a - rule, no changes are made. - - - `set_tags` sets tags for rules, overwriting any existing tags. If the - set of tags is the same as the existing tags, no changes are made. + - `add_tags` adds tags to rules. If a tag already exists for a rule, no changes are made. + - `delete_tags` removes tags from rules. If a tag does not exist for a rule, no changes are made. + - `set_tags` sets tags for rules, overwriting any existing tags. If the set of tags is the same as the existing tags, no changes are made. type: object properties: type: 
@@ -65783,12 +120917,10 @@ components: - type - value Security_Detections_API_BulkActionEditPayloadTimeline: - description: > + description: | Edits timeline of rules. - - - `set_timeline` sets a timeline for rules. If the same timeline already - exists for a rule, no changes are made. + - `set_timeline` sets a timeline for rules. If the same timeline already exists for a rule, no changes are made. type: object properties: type: @@ -65801,8 +120933,7 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' required: - timeline_id - timeline_title @@ -65833,8 +120964,7 @@ components: skip_reason: oneOf: - $ref: '#/components/schemas/Security_Detections_API_BulkEditSkipReason' - - $ref: >- - #/components/schemas/Security_Detections_API_BulkGapsFillingSkipReason + - $ref: '#/components/schemas/Security_Detections_API_BulkGapsFillingSkipReason' required: - id - skip_reason @@ -65846,14 +120976,10 @@ components: - delete type: string gap_auto_fill_scheduler_id: - description: >- - Gap auto fill scheduler ID used to determine gap fill status for - rules + description: Gap auto fill scheduler ID used to determine gap fill status for rules type: string gap_fill_statuses: - description: >- - Gap fill statuses to filter rules with gaps by status (used together - with gaps_range_*). + description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*). items: $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' type: array 
@@ -65864,10 +120990,8 @@ components: description: Gaps range start, valid only when query is provided type: string ids: - description: > - Array of rule `id`s to which a bulk action will be applied. Do not - use rule's `rule_id` here. - + description: | + Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here. Only valid when query property is undefined. items: type: string @@ -65886,14 +121010,10 @@ components: - disable type: string gap_auto_fill_scheduler_id: - description: >- - Gap auto fill scheduler ID used to determine gap fill status for - rules + description: Gap auto fill scheduler ID used to determine gap fill status for rules type: string gap_fill_statuses: - description: >- - Gap fill statuses to filter rules with gaps by status (used together - with gaps_range_*). + description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*). items: $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' type: array @@ -65904,10 +121024,8 @@ components: description: Gaps range start, valid only when query is provided type: string ids: - description: > - Array of rule `id`s to which a bulk action will be applied. Do not - use rule's `rule_id` here. - + description: | + Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here. Only valid when query property is undefined. items: type: string 
@@ -65939,14 +121057,10 @@ components: - include_exceptions - include_expired_exceptions gap_auto_fill_scheduler_id: - description: >- - Gap auto fill scheduler ID used to determine gap fill status for - rules + description: Gap auto fill scheduler ID used to determine gap fill status for rules type: string gap_fill_statuses: - description: >- - Gap fill statuses to filter rules with gaps by status (used together - with gaps_range_*). + description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*). items: $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' type: array @@ -65957,10 +121071,8 @@ components: description: Gaps range start, valid only when query is provided type: string ids: - description: > - Array of rule `id`s to which a bulk action will be applied. Do not - use rule's `rule_id` here. - + description: | + Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here. Only valid when query property is undefined. items: type: string @@ -65979,15 +121091,12 @@ components: properties: errors: items: - $ref: >- - #/components/schemas/Security_Detections_API_NormalizedRuleError + $ref: '#/components/schemas/Security_Detections_API_NormalizedRuleError' type: array results: - $ref: >- - #/components/schemas/Security_Detections_API_BulkEditActionResults + $ref: '#/components/schemas/Security_Detections_API_BulkEditActionResults' summary: - $ref: >- - #/components/schemas/Security_Detections_API_BulkEditActionSummary + $ref: '#/components/schemas/Security_Detections_API_BulkEditActionSummary' required: - results - summary 
@@ -66026,13 +121135,7 @@ components: - deleted - skipped Security_Detections_API_BulkEditActionSummary: - description: >- - A rule can only be skipped when the bulk action to be performed on it - results in nothing being done. For example, if the `edit` action is used - to add a tag to a rule that already has that tag, or to delete an index - pattern that is not specified in a rule. Objects returned in - `attributes.results.skipped` will only include rules' `id`, `name`, and - `skip_reason`. + description: A rule can only be skipped when the bulk action to be performed on it results in nothing being done. For example, if the `edit` action is used to add a tag to a rule that already has that tag, or to delete an index pattern that is not specified in a rule. Objects returned in `attributes.results.skipped` will only include rules' `id`, `name`, and `skip_reason`. type: object properties: failed: @@ -66062,14 +121165,10 @@ components: minItems: 1 type: array gap_auto_fill_scheduler_id: - description: >- - Gap auto fill scheduler ID used to determine gap fill status for - rules + description: Gap auto fill scheduler ID used to determine gap fill status for rules type: string gap_fill_statuses: - description: >- - Gap fill statuses to filter rules with gaps by status (used together - with gaps_range_*). + description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*). items: $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' type: array @@ -66080,10 +121179,8 @@ components: description: Gaps range start, valid only when query is provided type: string ids: - description: > - Array of rule `id`s to which a bulk action will be applied. Do not - use rule's `rule_id` here. - + description: | + Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here. Only valid when query property is undefined. items: type: string 
@@ -66107,14 +121204,10 @@ components: - enable type: string gap_auto_fill_scheduler_id: - description: >- - Gap auto fill scheduler ID used to determine gap fill status for - rules + description: Gap auto fill scheduler ID used to determine gap fill status for rules type: string gap_fill_statuses: - description: >- - Gap fill statuses to filter rules with gaps by status (used together - with gaps_range_*). + description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*). items: $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' type: array @@ -66125,10 +121218,8 @@ components: description: Gaps range start, valid only when query is provided type: string ids: - description: > - Array of rule `id`s to which a bulk action will be applied. Do not - use rule's `rule_id` here. - + description: | + Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here. Only valid when query property is undefined. items: type: string @@ -66149,14 +121240,10 @@ components: - export type: string gap_auto_fill_scheduler_id: - description: >- - Gap auto fill scheduler ID used to determine gap fill status for - rules + description: Gap auto fill scheduler ID used to determine gap fill status for rules type: string gap_fill_statuses: - description: >- - Gap fill statuses to filter rules with gaps by status (used together - with gaps_range_*). + description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*). items: $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' type: array 
@@ -66167,10 +121254,8 @@ components: description: Gaps range start, valid only when query is provided type: string ids: - description: > - Array of rule `id`s to which a bulk action will be applied. Do not - use rule's `rule_id` here. - + description: | + Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here. Only valid when query property is undefined. items: type: string @@ -66193,9 +121278,7 @@ components: - fill_gaps type: string fill_gaps: - description: >- - Object that describes applying a manual gap fill action for the - specified time range. + description: Object that describes applying a manual gap fill action for the specified time range. type: object properties: end_date: @@ -66208,14 +121291,10 @@ components: - start_date - end_date gap_auto_fill_scheduler_id: - description: >- - Gap auto fill scheduler ID used to determine gap fill status for - rules + description: Gap auto fill scheduler ID used to determine gap fill status for rules type: string gap_fill_statuses: - description: >- - Gap fill statuses to filter rules with gaps by status (used together - with gaps_range_*). + description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*). items: $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' type: array @@ -66226,10 +121305,8 @@ components: description: Gaps range start, valid only when query is provided type: string ids: - description: > - Array of rule `id`s to which a bulk action will be applied. Do not - use rule's `rule_id` here. - + description: | + Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here. Only valid when query property is undefined. items: type: string 
@@ -66249,14 +121326,10 @@ components: - run type: string gap_auto_fill_scheduler_id: - description: >- - Gap auto fill scheduler ID used to determine gap fill status for - rules + description: Gap auto fill scheduler ID used to determine gap fill status for rules type: string gap_fill_statuses: - description: >- - Gap fill statuses to filter rules with gaps by status (used together - with gaps_range_*). + description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*). items: $ref: '#/components/schemas/Security_Detections_API_GapFillStatus' type: array @@ -66267,10 +121340,8 @@ components: description: Gaps range start, valid only when query is provided type: string ids: - description: > - Array of rule `id`s to which a bulk action will be applied. Do not - use rule's `rule_id` here. - + description: | + Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here. Only valid when query property is undefined. items: type: string @@ -66301,9 +121372,7 @@ components: reason: $ref: '#/components/schemas/Security_Detections_API_Reason' signal_ids: - description: >- - List of alert ids. Use field `_id` on alert document or - `kibana.alert.uuid`. Note: signals are a deprecated term for alerts. + description: 'List of alert ids. Use field `_id` on alert document or `kibana.alert.uuid`. Note: signals are a deprecated term for alerts.' items: format: nonempty minLength: 1 @@ -66366,9 +121435,7 @@ components: - items: type: string type: array - description: >- - Map Osquery results columns or static values to Elastic Common Schema - (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}} + description: 'Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}' type: object Security_Detections_API_EndpointResponseAction: type: object 
@@ -66428,18 +121495,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -66453,8 +121516,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -66470,35 +121532,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -66525,13 +121576,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -66570,18 +121619,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -66595,8 +121640,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -66612,35 +121656,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -66669,13 +121702,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -66706,18 +121737,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -66731,12 +121758,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
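Review bot: The `id` property's reference is changed from `Security_Detections_API_RuleObjectId` to `Security_Detections_API_UUID` in this hunk, and again in the hunks at L18075 and L18082, while everything else in these hunks is whitespace-only reflow of `>-` descriptions; that substitution is a semantic change to the published spec, not a formatting one, and it is easy to miss among the reflow noise. Replacing the rule-specific named schema with the generic UUID schema changes the schema name (and any description attached to `RuleObjectId`) that spec consumers and generated clients see for the rule `id`, and it is not visible here whether `RuleObjectId` is still defined elsewhere in the bundle or has been dropped. If this bundle is generated output, the substitution presumably comes from the id-based schema handling introduced by this series rather than from an intentional edit to the Security Detections schemas, so it should be confirmed as intended or the source schema adjusted; if intended, the three `id:` entries should keep `$ref: '#/components/schemas/Security_Detections_API_RuleObjectId'` unless that schema is being retired. The enclosing schema object (the `allOf` item whose `properties:` block these hunks sit in) starts before and ends after the hunk.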
@@ -66750,35 +121776,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -66807,13 +121822,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -66828,18 +121841,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -66853,12 +121862,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -66872,35 +121880,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -66929,13 +121926,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -66982,18 +121977,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -67007,8 +121998,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -67024,35 +122014,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -67079,13 +122058,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -67124,18 +122101,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -67149,8 +122122,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -67166,35 +122138,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -67223,13 +122184,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -67250,18 +122209,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -67275,12 +122230,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: @@ -67296,13 +122250,11 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' query: 
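Review bot: The `id` property's reference changes from `Security_Detections_API_RuleObjectId` to `Security_Detections_API_UUID` in this hunk (and again in hunks `@@ -67422,12 +122359,11 @@`, `@@ -68022,12 +122869,11 @@` and `@@ -68163,12 +122989,11 @@`), which is a schema-level change rather than the quoting and line-wrapping normalisation the rest of this regenerated bundle consists of. It does not appear related to adding `meta: { id }` to the Fleet schemas, so it is presumably picked up from a newer base when the bundle was regenerated; worth confirming that the target branch already carries this change and that `Security_Detections_API_UUID` is defined under `components.schemas` in this bundle, since an unresolved `$ref` breaks the generated API docs and clients. If it is not intentional, the bundle should be regenerated from a rebased branch so the diff only contains the formatting changes and the new Fleet schema ids. The enclosing rule-props schema definition starts outside this hunk.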
@@ -67310,23 +122262,14 @@ components: references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: @@ -67355,13 +122298,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' type: 
@@ -67397,18 +122338,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -67422,12 +122359,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -67441,35 +122377,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -67498,13 +122423,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -67530,9 +122453,7 @@ components: - endpoint_blocklists type: string Security_Detections_API_ExternalRuleCustomizedFields: - description: >- - An array of customized field names — that is, fields that the user has - modified from their base value. Defaults to an empty array. + description: An array of customized field names — that is, fields that the user has modified from their base value. Defaults to an empty array. items: type: object properties: 
@@ -67543,27 +122464,18 @@ components: - field_name type: array Security_Detections_API_ExternalRuleHasBaseVersion: - description: >- - Determines whether an external/prebuilt rule has its original, - unmodified version present when the calculation of its customization - status is performed (`rule_source.is_customized` and - `rule_source.customized_fields`). + description: Determines whether an external/prebuilt rule has its original, unmodified version present when the calculation of its customization status is performed (`rule_source.is_customized` and `rule_source.customized_fields`). type: boolean Security_Detections_API_ExternalRuleSource: - description: >- - Type of rule source for externally sourced rules, i.e. rules that have - an external source, such as the Elastic Prebuilt rules repo. + description: Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo. type: object properties: customized_fields: - $ref: >- - #/components/schemas/Security_Detections_API_ExternalRuleCustomizedFields + $ref: '#/components/schemas/Security_Detections_API_ExternalRuleCustomizedFields' has_base_version: - $ref: >- - #/components/schemas/Security_Detections_API_ExternalRuleHasBaseVersion + $ref: '#/components/schemas/Security_Detections_API_ExternalRuleHasBaseVersion' is_customized: - $ref: >- - #/components/schemas/Security_Detections_API_IsExternalRuleCustomized + $ref: '#/components/schemas/Security_Detections_API_IsExternalRuleCustomized' type: enum: - external 
@@ -67598,12 +122510,7 @@ components: - error type: string Security_Detections_API_HistoryWindowStart: - description: >- - Start date to use when checking if a term has been seen before. Supports - relative dates – for example, now-30d will search the last 30 days of - data when checking if a term is new. We do not recommend using absolute - dates, which can cause issues with rule performance due to querying - increasing amounts of data over time. + description: Start date to use when checking if a term has been seen before. Supports relative dates – for example, now-30d will search the last 30 days of data when checking if a term is new. We do not recommend using absolute dates, which can cause issues with rule performance due to querying increasing amounts of data over time. format: nonempty minLength: 1 type: string @@ -67631,21 +122538,15 @@ components: - migrations - is_outdated Security_Detections_API_IndexPatternArray: - description: > - Indices on which the rule functions. Defaults to the Security Solution - indices defined on the Kibana Advanced Settings page (Kibana → Stack - Management → Advanced Settings → `securitySolution:defaultIndex`). - + description: | + Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings → `securitySolution:defaultIndex`). > info - > This field is not supported for ES|QL rules. items: type: string type: array Security_Detections_API_InternalRuleSource: - description: >- - Type of rule source for internally sourced rules, i.e. created within - the Kibana apps. + description: Type of rule source for internally sourced rules, i.e. created within the Kibana apps. type: object properties: type: 
@@ -67655,12 +122556,9 @@ components: required: - type Security_Detections_API_InvestigationFields: - description: > - Schema for fields relating to investigation fields. These are user - defined fields we use to highlight - - in various features in the UI such as alert details flyout and - exceptions auto-population from alert. + description: | + Schema for fields relating to investigation fields. These are user defined fields we use to highlight + in various features in the UI such as alert details flyout and exceptions auto-population from alert. type: object properties: field_names: @@ -67674,19 +122572,14 @@ components: description: Notes to help investigate alerts produced by the rule. type: string Security_Detections_API_IsExternalRuleCustomized: - description: >- - Determines whether an external/prebuilt rule has been customized by the - user (i.e. any of its fields have been modified and diverged from the - base value). + description: Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value). type: boolean Security_Detections_API_IsRuleEnabled: description: Determines whether the rule is enabled. Defaults to true. type: boolean Security_Detections_API_IsRuleImmutable: deprecated: true - description: >- - This field determines whether the rule is a prebuilt Elastic rule. It - will be replaced with the `rule_source` field. + description: This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the `rule_source` field. type: boolean Security_Detections_API_ItemsPerSearch: minimum: 1 
@@ -67709,18 +122602,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -67734,8 +122623,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -67751,35 +122639,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -67806,13 +122683,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: 
@@ -67841,31 +122716,24 @@ components: - related_integrations - required_fields - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleResponseFields + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleResponseFields' Security_Detections_API_MachineLearningRuleCreateFields: allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleRequiredFields' + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields' Security_Detections_API_MachineLearningRuleCreateProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -67879,8 +122747,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -67896,35 +122763,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -67953,13 +122809,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -67969,8 +122823,7 @@ components: - description - risk_score - severity - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleCreateFields + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleCreateFields' Security_Detections_API_MachineLearningRuleOptionalFields: type: object properties: 
@@ -67983,32 +122836,26 @@ components: anomaly_threshold: $ref: '#/components/schemas/Security_Detections_API_AnomalyThreshold' machine_learning_job_id: - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningJobId + $ref: '#/components/schemas/Security_Detections_API_MachineLearningJobId' type: description: Rule type enum: - machine_learning type: string - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields' Security_Detections_API_MachineLearningRulePatchProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -68022,12 +122869,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -68041,35 +122887,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -68098,19 +122933,16 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRulePatchFields + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRulePatchFields' Security_Detections_API_MachineLearningRuleRequiredFields: type: object properties: 
@@ -68129,27 +122961,21 @@ components: - anomaly_threshold Security_Detections_API_MachineLearningRuleResponseFields: allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleRequiredFields' + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields' Security_Detections_API_MachineLearningRuleUpdateProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -68163,12 +122989,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -68182,35 +123007,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -68239,13 +123053,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: 
@@ -68255,25 +123067,13 @@ components: - description - risk_score - severity - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleCreateFields + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleCreateFields' Security_Detections_API_MaxSignals: default: 100 - description: > - Maximum number of alerts the rule can create during a single run (the - rule’s Max alerts per run [advanced - setting](https://www.elastic.co/docs/solutions/security/detect-and-alert/create-detection-rule#rule-ui-advanced-params) - value). - + description: | + Maximum number of alerts the rule can create during a single run (the rule’s Max alerts per run [advanced setting](https://www.elastic.co/docs/solutions/security/detect-and-alert/create-detection-rule#rule-ui-advanced-params) value). > info - - > This setting can be superseded by the [Kibana configuration - setting](https://www.elastic.co/docs/reference/kibana/configuration-reference/alerting-settings) - `xpack.alerting.rules.run.alerts.max`, which determines the maximum - alerts generated by any rule in the Kibana alerting framework. For - example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, the - rule can generate no more than 1000 alerts even if `max_signals` is set - higher. + > This setting can be superseded by the [Kibana configuration setting](https://www.elastic.co/docs/reference/kibana/configuration-reference/alerting-settings) `xpack.alerting.rules.run.alerts.max`, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, the rule can generate no more than 1000 alerts even if `max_signals` is set higher. minimum: 1 type: integer Security_Detections_API_MigrationCleanupResult: 
@@ -68386,18 +123186,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -68411,8 +123207,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -68428,35 +123223,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -68483,13 +123267,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: 
@@ -68518,33 +123300,25 @@ components: - related_integrations - required_fields - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleResponseFields + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleResponseFields' Security_Detections_API_NewTermsRuleCreateFields: allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleDefaultableFields + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleRequiredFields' + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields' + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleDefaultableFields' Security_Detections_API_NewTermsRuleCreateProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -68558,8 +123332,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -68575,35 +123348,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -68632,13 +123394,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -68648,8 +123408,7 @@ components: - description - risk_score - severity - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleCreateFields + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateFields' Security_Detections_API_NewTermsRuleDefaultableFields: type: object properties: 
@@ -68681,27 +123440,21 @@ components: enum: - new_terms type: string - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleDefaultableFields + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields' + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleDefaultableFields' Security_Detections_API_NewTermsRulePatchProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -68715,12 +123468,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -68734,35 +123486,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -68791,13 +123532,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -68824,10 +123563,8 @@ components: - history_window_start Security_Detections_API_NewTermsRuleResponseFields: allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleRequiredFields' + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields' - type: object properties: language: 
@@ -68839,18 +123576,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -68864,12 +123597,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -68883,35 +123615,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -68940,13 +123661,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -68956,8 +123675,7 @@ components: - description - risk_score - severity - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleCreateFields + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateFields' Security_Detections_API_NonEmptyString: description: A string that does not contain only whitespace characters format: nonempty @@ -68984,8 +123702,7 @@ components: type: object properties: err_code: - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionsDryRunErrCode + $ref: '#/components/schemas/Security_Detections_API_BulkActionsDryRunErrCode' message: type: string rules: 
@@ -69004,31 +123721,20 @@ components: ecs_mapping: $ref: '#/components/schemas/Security_Detections_API_EcsMapping' pack_id: - description: >- - To specify a query pack, use the packId field. Example: "packId": - "processes_elastic" + description: 'To specify a query pack, use the packId field. Example: "packId": "processes_elastic"' type: string queries: items: $ref: '#/components/schemas/Security_Detections_API_OsqueryQuery' type: array query: - description: >- - To run a single query, use the query field and enter a SQL query. - Example: "query": "SELECT * FROM processes;" + description: 'To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"' type: string saved_query_id: - description: >- - To run a saved query, use the saved_query_id field and specify the - saved query ID. Example: "saved_query_id": "processes_elastic" + description: 'To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"' type: string timeout: - description: >- - A timeout period, in seconds, after which the query will stop - running. Overwriting the default timeout allows you to support - queries that require more time to complete. The default and minimum - supported value is 60. The maximum supported value is 900. Example: - "timeout": 120. + description: 'A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.' type: number Security_Detections_API_OsqueryQuery: type: object 
@@ -69082,18 +123788,13 @@ components: type: object properties: command: - description: >- - To run an endpoint response action, specify a value for the command - field. Example: "command": "isolate" + description: 'To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"' enum: - kill-process - suspend-process type: string comment: - description: >- - Add a note that explains or describes the action. You can find your - comment in the response actions history log. Example: "comment": - "Check processes" + description: 'Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"' type: string config: type: object @@ -69145,18 +123846,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -69170,8 +123867,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -69187,35 +123883,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -69242,13 +123927,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -69282,25 +123965,20 @@ components: allOf: - $ref: '#/components/schemas/Security_Detections_API_QueryRuleRequiredFields' - $ref: '#/components/schemas/Security_Detections_API_QueryRuleOptionalFields' - - $ref: >- - #/components/schemas/Security_Detections_API_QueryRuleDefaultableFields + - $ref: '#/components/schemas/Security_Detections_API_QueryRuleDefaultableFields' Security_Detections_API_QueryRuleCreateProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -69314,8 +123992,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -69331,35 +124008,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -69388,13 +124054,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -69435,25 +124099,20 @@ components: - query type: string - $ref: '#/components/schemas/Security_Detections_API_QueryRuleOptionalFields' - - $ref: >- - #/components/schemas/Security_Detections_API_QueryRuleDefaultableFields + - $ref: '#/components/schemas/Security_Detections_API_QueryRuleDefaultableFields' Security_Detections_API_QueryRulePatchProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -69467,12 +124126,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -69486,35 +124144,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -69543,13 +124190,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -69583,18 +124228,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -69608,12 +124249,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -69627,35 +124267,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -69684,13 +124313,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -69702,11 +124329,7 @@ components: - severity - $ref: '#/components/schemas/Security_Detections_API_QueryRuleCreateFields' Security_Detections_API_Reason: - description: >- - The reason for closing the alerts. Can be one of following predefined - reasons: [false_positive, duplicate, true_positive, benign_positive, - automated_closure, other] or a custom reason provided by the user - through the advanced settings. + description: 'The reason for closing the alerts. Can be one of following predefined reasons: [false_positive, duplicate, true_positive, benign_positive, automated_closure, other] or a custom reason provided by the user through the advanced settings.' oneOf: - $ref: '#/components/schemas/Security_Detections_API_ReasonEnum' - type: string 
@@ -69720,45 +124343,23 @@ components: - other type: string Security_Detections_API_RelatedIntegration: - description: > - Related integration is a potential dependency of a rule. It's assumed - that if the user installs - - one of the related integrations of a rule, the rule might start to work - properly because it will - - have source events (generated by this integration) potentially matching - the rule's query. - - - NOTE: Proper work is not guaranteed, because a related integration, if - installed, can be - - configured differently or generate data that is not necessarily relevant - for this rule. - - - Related integration is a combination of a Fleet package and (optionally) - one of the + description: | + Related integration is a potential dependency of a rule. It's assumed that if the user installs + one of the related integrations of a rule, the rule might start to work properly because it will + have source events (generated by this integration) potentially matching the rule's query. - package's "integrations" that this package contains. It is represented - by 3 properties: + NOTE: Proper work is not guaranteed, because a related integration, if installed, can be + configured differently or generate data that is not necessarily relevant for this rule. + Related integration is a combination of a Fleet package and (optionally) one of the + package's "integrations" that this package contains. It is represented by 3 properties: - `package`: name of the package (required, unique id) - - `version`: version of the package (required, semver-compatible) + - `integration`: name of the integration of this package (optional, id within the package) - - `integration`: name of the integration of this package (optional, id - within the package) - - - There are Fleet packages like `windows` that contain only one - integration; in this case, - - `integration` should be unspecified. 
There are also packages like `aws` - and `azure` that contain - + There are Fleet packages like `windows` that contain only one integration; in this case, + `integration` should be unspecified. There are also packages like `aws` and `azure` that contain several integrations; in this case, `integration` should be specified. example: integration: activitylogs @@ -69780,35 +124381,23 @@ components: $ref: '#/components/schemas/Security_Detections_API_RelatedIntegration' type: array Security_Detections_API_RequiredField: - description: > - Describes an Elasticsearch field that is needed for the rule to - function. - - - Almost all types of Security rules check source event documents for a - match to some kind of - - query or filter. If a document has certain field with certain values, - then it's a match and + description: | + Describes an Elasticsearch field that is needed for the rule to function. + Almost all types of Security rules check source event documents for a match to some kind of + query or filter. If a document has certain field with certain values, then it's a match and the rule will generate an alert. - - Required field is an event field that must be present in the source - indices of a given rule. - + Required field is an event field that must be present in the source indices of a given rule. @example - const standardEcsField: RequiredField = { name: 'event.action', type: 'keyword', ecs: true, }; - @example - const nonEcsField: RequiredField = { name: 'winlog.event_data.AttributeLDAPDisplayName', type: 'keyword', 
@@ -69817,10 +124406,7 @@ components: type: object properties: ecs: - description: >- - Indicates whether the field is ECS-compliant. This property is only - present in responses. Its value is computed based on field’s name - and type. + description: Indicates whether the field is ECS-compliant. This property is only present in responses. Its value is computed based on field’s name and type. type: boolean name: description: Name of an Elasticsearch field @@ -69841,10 +124427,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RequiredField' type: array Security_Detections_API_RequiredFieldInput: - description: >- - Input parameters to create a RequiredField. Does not include the `ecs` - field, because `ecs` is calculated on the backend based on the field - name and type. + description: Input parameters to create a RequiredField. Does not include the `ecs` field, because `ecs` is calculated on the backend based on the field name and type. type: object properties: name: @@ -69880,7 +124463,7 @@ components: execution_summary: $ref: '#/components/schemas/Security_Detections_API_RuleExecutionSummary' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' immutable: $ref: '#/components/schemas/Security_Detections_API_IsRuleImmutable' required_fields: @@ -69919,9 +124502,7 @@ components: minimum: 0 type: integer Security_Detections_API_RiskScoreMapping: - description: >- - Overrides generated alerts' risk_score with a value from the source - event + description: Overrides generated alerts' risk_score with a value from the source event items: type: object properties: 
@@ -69984,34 +124565,27 @@ components: - params Security_Detections_API_RuleActionAlertsFilter: additionalProperties: true - description: > + description: | Object containing an action’s conditional filters. - - - `timeframe` (object, optional): Object containing the time frame for - when this action can be run. + - `timeframe` (object, optional): Object containing the time frame for when this action can be run. - `days` (array of integers, required): List of days of the week on which this action will be run. Days of the week are expressed as numbers between `1-7`, where `1` is Monday and `7` is Sunday. To select all days of the week, enter an empty array. - `hours` (object, required): The hours of the day during which this action will run. Hours of the day are expressed as two strings in the format `hh:mm` in `24` hour time. A start of `00:00` and an end of `24:00` means the action can run all day. - start (string, required): Start time in `hh:mm` format. - end (string, required): End time in `hh:mm` format. - `timezone` (string, required): An ISO timezone name, such as `Europe/Madrid` or `America/New_York`. Specific offsets such as `UTC` or `UTC+1` will also work, but lack built-in DST. - - `query` (object, optional): Object containing a query filter which - gets applied to an action and determines whether the action should run. + - `query` (object, optional): Object containing a query filter which gets applied to an action and determines whether the action should run. - `kql` (string, required): A KQL string. - `filters` (array of objects, required): Array of filter objects, as defined in the `kbn-es-query` package. type: object Security_Detections_API_RuleActionFrequency: - description: >- - The action frequency defines when the action runs (for example, only on - rule execution or at specific time intervals). + description: The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals). 
type: object properties: notifyWhen: $ref: '#/components/schemas/Security_Detections_API_RuleActionNotifyWhen' summary: - description: >- - Action summary indicates whether we will send a summary notification - about all the generate alerts or notification per individual alert + description: Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert type: boolean throttle: $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' @@ -70021,9 +124595,7 @@ components: - notifyWhen - throttle Security_Detections_API_RuleActionGroup: - description: >- - Optionally groups actions by use cases. Use `default` for alert - notifications. + description: Optionally groups actions by use cases. Use `default` for alert notifications. type: string Security_Detections_API_RuleActionId: description: The connector ID. @@ -70037,10 +124609,8 @@ components: type: string Security_Detections_API_RuleActionParams: additionalProperties: true - description: > - Object containing the allowed connector fields, which varies according - to the connector type. - + description: | + Object containing the allowed connector fields, which varies according to the connector type. For Slack: 
@@ -70088,30 +124658,22 @@ components: anyOf: - $ref: '#/components/schemas/Security_Detections_API_EqlRuleCreateProps' - $ref: '#/components/schemas/Security_Detections_API_QueryRuleCreateProps' - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleCreateProps + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleCreateProps' + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleCreateProps' + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleCreateProps' + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleCreateProps' - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateProps' - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleCreateProps' discriminator: mapping: eql: '#/components/schemas/Security_Detections_API_EqlRuleCreateProps' esql: '#/components/schemas/Security_Detections_API_EsqlRuleCreateProps' - machine_learning: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleCreateProps + machine_learning: '#/components/schemas/Security_Detections_API_MachineLearningRuleCreateProps' new_terms: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateProps' query: '#/components/schemas/Security_Detections_API_QueryRuleCreateProps' - saved_query: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleCreateProps - threat_match: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleCreateProps - threshold: >- - #/components/schemas/Security_Detections_API_ThresholdRuleCreateProps + saved_query: '#/components/schemas/Security_Detections_API_SavedQueryRuleCreateProps' + threat_match: 
'#/components/schemas/Security_Detections_API_ThreatMatchRuleCreateProps' + threshold: '#/components/schemas/Security_Detections_API_ThresholdRuleCreateProps' propertyName: type Security_Detections_API_RuleDescription: description: The rule’s description. @@ -70128,11 +124690,8 @@ components: required: - id Security_Detections_API_RuleExceptionList: - description: > - Array of [exception - containers](https://www.elastic.co/docs/solutions/security/detect-and-alert/detection-rule-concepts), - which define exceptions that prevent the rule from generating alerts - even when its other criteria are met. + description: | + Array of [exception containers](https://www.elastic.co/docs/solutions/security/detect-and-alert/detection-rule-concepts), which define exceptions that prevent the rule from generating alerts even when its other criteria are met. type: object properties: id: @@ -70166,10 +124725,7 @@ components: minimum: 0 type: integer frozen_indices_queried_count: - description: >- - Count of frozen indices queried during the rule execution. These - indices could not be entirely excluded after applying the time range - filter. + description: Count of frozen indices queried during the rule execution. These indices could not be entirely excluded after applying the time range filter. minimum: 0 type: integer gap_range: @@ -70190,9 +124746,7 @@ components: type: object properties: type: - description: >- - The type of reason for the gap (rule_disabled or - rule_did_not_run) + description: The type of reason for the gap (rule_disabled or rule_did_not_run) enum: - rule_disabled - rule_did_not_run 
@@ -70200,50 +124754,25 @@ components: required: - type total_enrichment_duration_ms: - description: >- - Total time spent enriching documents during current rule execution - cycle + description: Total time spent enriching documents during current rule execution cycle minimum: 0 type: integer total_indexing_duration_ms: - description: >- - Total time spent indexing documents during current rule execution - cycle + description: Total time spent indexing documents during current rule execution cycle minimum: 0 type: integer total_search_duration_ms: - description: >- - Total time spent performing ES searches as measured by Kibana; - includes network latency and time spent serializing/deserializing - request/response + description: Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response minimum: 0 type: integer Security_Detections_API_RuleExecutionStatus: - description: >- - Custom execution status of Security rules that is different from the - status used in the Alerting Framework. We merge our custom status with - the Framework's status to determine the resulting status of a rule. - - - going to run - @deprecated Replaced by the 'running' status but left - for backwards compatibility with rule execution events already written - to Event Log in the prior versions of Kibana. Don't use when writing - rule status changes. - - - running - Rule execution started but not reached any intermediate or - final status. - - - partial failure - Rule can partially fail for various reasons either - in the middle of an execution (in this case we update its status right - away) or in the end of it. So currently this status can be both - intermediate and final at the same time. A typical reason for a partial - failure: not all the indices that the rule searches over actually exist. 
- - - failed - Rule failed to execute due to unhandled exception or a reason - defined in the business logic of its executor function. - - - succeeded - Rule executed successfully without any issues. Note: this - status is just an indication of a rule's "health". The rule might or - might not generate any alerts despite of it. + description: |- + Custom execution status of Security rules that is different from the status used in the Alerting Framework. We merge our custom status with the Framework's status to determine the resulting status of a rule. + - going to run - @deprecated Replaced by the 'running' status but left for backwards compatibility with rule execution events already written to Event Log in the prior versions of Kibana. Don't use when writing rule status changes. + - running - Rule execution started but not reached any intermediate or final status. + - partial failure - Rule can partially fail for various reasons either in the middle of an execution (in this case we update its status right away) or in the end of it. So currently this status can be both intermediate and final at the same time. A typical reason for a partial failure: not all the indices that the rule searches over actually exist. + - failed - Rule failed to execute due to unhandled exception or a reason defined in the business logic of its executor function. + - succeeded - Rule executed successfully without any issues. Note: this status is just an indication of a rule's "health". The rule might or might not generate any alerts despite of it. enum: - going to run - running 
@@ -70270,14 +124799,12 @@ components: message: type: string metrics: - $ref: >- - #/components/schemas/Security_Detections_API_RuleExecutionMetrics + $ref: '#/components/schemas/Security_Detections_API_RuleExecutionMetrics' status: $ref: '#/components/schemas/Security_Detections_API_RuleExecutionStatus' description: Status of the last execution status_order: - $ref: >- - #/components/schemas/Security_Detections_API_RuleExecutionStatusOrder + $ref: '#/components/schemas/Security_Detections_API_RuleExecutionStatusOrder' required: - date - status 
@@ -70287,33 +124814,22 @@ components: required: - last_execution Security_Detections_API_RuleFalsePositiveArray: - description: >- - String array used to describe common reasons why the rule may issue - false-positive alerts. Defaults to an empty array. + description: String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array. items: type: string type: array Security_Detections_API_RuleFilterArray: - description: > - The query and filter context array used to define the conditions for - when alerts are created from events. Defaults to an empty array. - + description: | + The query and filter context array used to define the conditions for when alerts are created from events. Defaults to an empty array. > info - > This field is not supported for ES|QL rules. items: {} type: array Security_Detections_API_RuleInterval: - description: >- - Frequency of rule execution, using a date math range. For example, "1h" - means the rule runs every hour. Defaults to 5m (5 minutes). + description: Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes). type: string Security_Detections_API_RuleIntervalFrom: - description: >- - Time from which data is analyzed each time the rule runs, using a date - math range. For example, now-4200s means the rule analyzes data from 70 - minutes before its start time. Defaults to now-6m (analyzes data from 6 - minutes before the start time). + description: Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time). format: date-math type: string Security_Detections_API_RuleIntervalTo: 
@@ -70323,13 +124839,10 @@ components: type: string Security_Detections_API_RuleMetadata: additionalProperties: true - description: > + description: | Placeholder for metadata about the rule. - > info - - > This field is overwritten when you save changes to the rule’s - settings. + > This field is overwritten when you save changes to the rule’s settings. type: object Security_Detections_API_RuleName: description: A human-readable name for the rule. 
@@ -70337,31 +124850,19 @@ components: minLength: 1 type: string Security_Detections_API_RuleNameOverride: - description: >- - Sets which field in the source event is used to populate the alert's - `signal.rule.name` value (in the UI, this value is displayed on the - Rules page in the Rule column). When unspecified, the rule’s `name` - value is used. The source field must be a string data type. + description: Sets which field in the source event is used to populate the alert's `signal.rule.name` value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s `name` value is used. The source field must be a string data type. type: string Security_Detections_API_RuleObjectId: $ref: '#/components/schemas/Security_Detections_API_UUID' - description: >- - A dynamic unique identifier for the rule object. It is randomly - generated when a rule is created and cannot be changed after that. It is - always a UUID. It is unique within a given Kibana space. The same - prebuilt Elastic rule, when installed in two different Kibana spaces or - two different Elastic environments, will have different object `id`s. + description: A dynamic unique identifier for the rule object. It is randomly generated when a rule is created and cannot be changed after that. It is always a UUID. It is unique within a given Kibana space. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have different object `id`s. 
Security_Detections_API_RulePatchProps: anyOf: - $ref: '#/components/schemas/Security_Detections_API_EqlRulePatchProps' - $ref: '#/components/schemas/Security_Detections_API_QueryRulePatchProps' - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRulePatchProps + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRulePatchProps' - $ref: '#/components/schemas/Security_Detections_API_ThresholdRulePatchProps' - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRulePatchProps - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRulePatchProps + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRulePatchProps' + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRulePatchProps' - $ref: '#/components/schemas/Security_Detections_API_NewTermsRulePatchProps' - $ref: '#/components/schemas/Security_Detections_API_EsqlRulePatchProps' Security_Detections_API_RulePreviewLoggedRequest: @@ -70387,8 +124888,7 @@ components: type: array requests: items: - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewLoggedRequest + $ref: '#/components/schemas/Security_Detections_API_RulePreviewLoggedRequest' type: array startedAt: $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' 
@@ -70412,22 +124912,14 @@ components: - invocationCount - timeframeEnd Security_Detections_API_RuleQuery: - description: > - [Query](https://www.elastic.co/docs/explore-analyze/query-filter) used - by the rule to create alerts. - - - - For indicator match rules, only the query’s results are used to - determine whether an alert is generated. + description: | + [Query](https://www.elastic.co/docs/explore-analyze/query-filter) used by the rule to create alerts. - - ES|QL rules have additional query requirements. Refer to [Create - ES|QL](https://www.elastic.co/docs/solutions/security/detect-and-alert/create-detection-rule#create-esql-rule) - rules for more information. + - For indicator match rules, only the query’s results are used to determine whether an alert is generated. + - ES|QL rules have additional query requirements. Refer to [Create ES|QL](https://www.elastic.co/docs/solutions/security/detect-and-alert/create-detection-rule#create-esql-rule) rules for more information. type: string Security_Detections_API_RuleReferenceArray: - description: >- - Array containing notes about or references to relevant information about - the rule. Defaults to an empty array. + description: Array containing notes about or references to relevant information about the rule. Defaults to an empty array. items: type: string type: array 
@@ -70453,47 +124945,26 @@ components: threshold: '#/components/schemas/Security_Detections_API_ThresholdRule' propertyName: type Security_Detections_API_RuleRevision: - description: > + description: | The rule's revision number. - - It represents the version of rule's object in Kibana. It is set to `0` - when the rule is installed or created and then gets incremented on each - update. - + It represents the version of rule's object in Kibana. It is set to `0` when the rule is installed or created and then gets incremented on each update. > info - - > Not all updates to any rule fields will increment the revision. Only - those fields that are considered static `rule parameters` can trigger - revision increments. For example, an update to a rule's query or index - fields will increment the rule's revision by `1`. However, changes to - dynamic or technical fields like enabled or execution_summary will not - cause revision increments. + > Not all updates to any rule fields will increment the revision. Only those fields that are considered static `rule parameters` can trigger revision increments. For example, an update to a rule's query or index fields will increment the rule's revision by `1`. However, changes to dynamic or technical fields like enabled or execution_summary will not cause revision increments. minimum: 0 type: integer Security_Detections_API_RuleSignatureId: - description: >- - A stable unique identifier for the rule object. It can be assigned - during rule creation. It can be any string, but often is a UUID. It - should be unique not only within a given Kibana space, but also across - spaces and Elastic environments. The same prebuilt Elastic rule, when - installed in two different Kibana spaces or two different Elastic - environments, will have the same `rule_id`s. + description: A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. 
It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same `rule_id`s. type: string Security_Detections_API_RuleSource: - description: >- - Discriminated union that determines whether the rule is internally - sourced (created within the Kibana app) or has an external source, such - as the Elastic Prebuilt rules repo. + description: Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo. discriminator: propertyName: type oneOf: - $ref: '#/components/schemas/Security_Detections_API_ExternalRuleSource' - $ref: '#/components/schemas/Security_Detections_API_InternalRuleSource' Security_Detections_API_RuleTagArray: - description: >- - String array containing words and phrases to help categorize, filter, - and search rules. Defaults to an empty array. + description: String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array. items: type: string type: array 
@@ -70501,47 +124972,31 @@ components: anyOf: - $ref: '#/components/schemas/Security_Detections_API_EqlRuleUpdateProps' - $ref: '#/components/schemas/Security_Detections_API_QueryRuleUpdateProps' - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleUpdateProps - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleUpdateProps - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleUpdateProps - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleUpdateProps + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleUpdateProps' + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleUpdateProps' + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleUpdateProps' + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleUpdateProps' - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleUpdateProps' - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleUpdateProps' discriminator: mapping: eql: '#/components/schemas/Security_Detections_API_EqlRuleUpdateProps' esql: '#/components/schemas/Security_Detections_API_EsqlRuleUpdateProps' - machine_learning: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleUpdateProps + machine_learning: '#/components/schemas/Security_Detections_API_MachineLearningRuleUpdateProps' new_terms: '#/components/schemas/Security_Detections_API_NewTermsRuleUpdateProps' query: '#/components/schemas/Security_Detections_API_QueryRuleUpdateProps' - saved_query: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleUpdateProps - threat_match: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleUpdateProps - threshold: >- - #/components/schemas/Security_Detections_API_ThresholdRuleUpdateProps + saved_query: '#/components/schemas/Security_Detections_API_SavedQueryRuleUpdateProps' + threat_match: 
'#/components/schemas/Security_Detections_API_ThreatMatchRuleUpdateProps' + threshold: '#/components/schemas/Security_Detections_API_ThresholdRuleUpdateProps' propertyName: type Security_Detections_API_RuleVersion: - description: > + description: | The rule's version number. - - - For prebuilt rules it represents the version of the rule's content in - the source [detection-rules](https://github.com/elastic/detection-rules) - repository (and the corresponding `security_detection_engine` Fleet - package that is used for distributing prebuilt rules). - + - For prebuilt rules it represents the version of the rule's content in the source [detection-rules](https://github.com/elastic/detection-rules) repository (and the corresponding `security_detection_engine` Fleet package that is used for distributing prebuilt rules). - For custom rules it is set to `1` when the rule is created. - > info - - > It is not incremented on each update. Compare this to the `revision` - field. + > It is not incremented on each update. Compare this to the `revision` field. minimum: 1 type: integer Security_Detections_API_RunScriptOsConfigValues: 
@@ -70567,22 +125022,17 @@ components: - runscript type: string comment: - description: >- - Add a note that explains or describes the action. You can find your - comment in the response actions history log + description: Add a note that explains or describes the action. You can find your comment in the response actions history log type: string config: type: object properties: linux: - $ref: >- - #/components/schemas/Security_Detections_API_RunScriptOsConfigValues + $ref: '#/components/schemas/Security_Detections_API_RunScriptOsConfigValues' macos: - $ref: >- - #/components/schemas/Security_Detections_API_RunScriptOsConfigValues + $ref: '#/components/schemas/Security_Detections_API_RunScriptOsConfigValues' windows: - $ref: >- - #/components/schemas/Security_Detections_API_RunScriptOsConfigValues + $ref: '#/components/schemas/Security_Detections_API_RunScriptOsConfigValues' required: - command Security_Detections_API_SavedObjectResolveAliasPurpose: 
@@ -70599,28 +125049,21 @@ components: - conflict type: string Security_Detections_API_SavedQueryId: - description: >- - Kibana [saved - search](https://www.elastic.co/docs/explore-analyze/discover/search-sessions) - used by the rule to create alerts. + description: Kibana [saved search](https://www.elastic.co/docs/explore-analyze/discover/search-sessions) used by the rule to create alerts. type: string Security_Detections_API_SavedQueryRule: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -70634,8 +125077,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -70651,35 +125093,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -70706,13 +125137,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: 
@@ -70741,33 +125170,25 @@ components: - related_integrations - required_fields - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleResponseFields + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleResponseFields' Security_Detections_API_SavedQueryRuleCreateFields: allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleDefaultableFields + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleRequiredFields' + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields' + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleDefaultableFields' Security_Detections_API_SavedQueryRuleCreateProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -70781,8 +125202,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -70798,35 +125218,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -70855,13 +125264,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -70871,8 +125278,7 @@ components: - description - risk_score - severity - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleCreateFields + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleCreateFields' Security_Detections_API_SavedQueryRuleDefaultableFields: type: object properties: 
@@ -70902,27 +125308,21 @@ components: enum: - saved_query type: string - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleDefaultableFields + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields' + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleDefaultableFields' Security_Detections_API_SavedQueryRulePatchProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -70936,12 +125336,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
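Review bot: The `id` property of `Security_Detections_API_SavedQueryRulePatchProps` now resolves to `#/components/schemas/Security_Detections_API_UUID` instead of `Security_Detections_API_RuleObjectId`, which is a Detections API contract change that the Fleet-scoped commit message does not mention. `Security_Detections_API_UUID` is presumably a generic format schema, so the rule-specific description that `RuleObjectId` carried would no longer appear in the published docs for this field — confirm whether that is intended. This bundle looks generated, so the swap likely originates in the source schema it was regenerated from; if that upstream change belongs to another PR, regenerate from the intended base so the Fleet change ships on its own. The same `RuleObjectId` to `UUID` swap recurs in the later hunk covering the update props.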
@@ -70955,35 +125354,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -71012,19 +125400,16 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRulePatchFields + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRulePatchFields' Security_Detections_API_SavedQueryRuleRequiredFields: type: object properties: @@ -71040,10 +125425,8 @@ components: - saved_id Security_Detections_API_SavedQueryRuleResponseFields: allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleRequiredFields' + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields' - type: object properties: language: 
@@ -71055,18 +125438,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -71080,376 +125459,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - - > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. 
- items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - required: - - name - - description - - risk_score - - severity - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleCreateFields - Security_Detections_API_SetAlertAssigneesBody: - type: object - properties: - assignees: - $ref: '#/components/schemas/Security_Detections_API_AlertAssignees' - description: Details about the assignees to assign and unassign. 
- ids: - $ref: '#/components/schemas/Security_Detections_API_AlertIds' - required: - - assignees - - ids - Security_Detections_API_SetAlertsStatusByIds: - discriminator: - mapping: - closed: '#/components/schemas/Security_Detections_API_CloseAlertsByIds' - propertyName: status - oneOf: - - $ref: '#/components/schemas/Security_Detections_API_CloseAlertsByIds' - - $ref: >- - #/components/schemas/Security_Detections_API_SetAlertsStatusByIdsBase - Security_Detections_API_SetAlertsStatusByIdsBase: - type: object - properties: - signal_ids: - description: >- - List of alert ids. Use field `_id` on alert document or - `kibana.alert.uuid`. Note: signals are a deprecated term for alerts. - items: - format: nonempty - minLength: 1 - type: string - minItems: 1 - type: array - status: - $ref: '#/components/schemas/Security_Detections_API_AlertStatusExceptClosed' - required: - - signal_ids - - status - Security_Detections_API_SetAlertsStatusByQuery: - discriminator: - mapping: - closed: '#/components/schemas/Security_Detections_API_CloseAlertsByQuery' - propertyName: status - oneOf: - - $ref: '#/components/schemas/Security_Detections_API_CloseAlertsByQuery' - - $ref: >- - #/components/schemas/Security_Detections_API_SetAlertsStatusByQueryBase - Security_Detections_API_SetAlertsStatusByQueryBase: - type: object - properties: - conflicts: - default: abort - enum: - - abort - - proceed - type: string - query: - additionalProperties: true - type: object - status: - $ref: '#/components/schemas/Security_Detections_API_AlertStatusExceptClosed' - required: - - query - - status - Security_Detections_API_SetAlertTags: - description: Object with list of tags to add and remove. 
- type: object - properties: - tags_to_add: - $ref: '#/components/schemas/Security_Detections_API_AlertTags' - tags_to_remove: - $ref: '#/components/schemas/Security_Detections_API_AlertTags' - required: - - tags_to_add - - tags_to_remove - Security_Detections_API_SetAlertTagsBody: - type: object - properties: - ids: - $ref: '#/components/schemas/Security_Detections_API_AlertIds' - tags: - $ref: '#/components/schemas/Security_Detections_API_SetAlertTags' - required: - - ids - - tags - Security_Detections_API_SetupGuide: - description: >- - Populates the rule’s setup guide with instructions on rule prerequisites - such as required integrations, configuration steps, and anything else - needed for the rule to work correctly. - type: string - Security_Detections_API_Severity: - description: > - Severity level of alerts produced by the rule, which must be one of the - following: - - * `low`: Alerts that are of interest but generally not considered to be - security incidents - - * `medium`: Alerts that require investigation - - * `high`: Alerts that require immediate investigation - - * `critical`: Alerts that indicate it is highly likely a security - incident has occurred - enum: - - low - - medium - - high - - critical - type: string - Security_Detections_API_SeverityMapping: - description: Overrides generated alerts' severity with values from the source event - items: - type: object - properties: - field: - description: Source event field used to override the default `severity`. 
- type: string - operator: - enum: - - equals - type: string - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - value: - type: string - required: - - field - - operator - - severity - - value - type: array - Security_Detections_API_SiemErrorResponse: - type: object - properties: - message: - type: string - status_code: - type: integer - required: - - status_code - - message - Security_Detections_API_SkippedAlertsIndexMigration: - type: object - properties: - index: - type: string - required: - - index - Security_Detections_API_SortOrder: - enum: - - asc - - desc - type: string - Security_Detections_API_Threat: - description: > - > info - - > Currently, only threats described using the MITRE ATT&CK™ - framework are supported. - type: object - properties: - framework: - description: Relevant attack framework - type: string - tactic: - $ref: '#/components/schemas/Security_Detections_API_ThreatTactic' - technique: - description: Array containing information on the attack techniques (optional) - items: - $ref: '#/components/schemas/Security_Detections_API_ThreatTechnique' - type: array - required: - - framework - - tactic - Security_Detections_API_ThreatArray: - items: - $ref: '#/components/schemas/Security_Detections_API_Threat' - type: array - Security_Detections_API_ThreatFilters: - items: - description: >- - Query and filter context array used to filter documents from the - Elasticsearch index containing the threat values - type: array - Security_Detections_API_ThreatIndex: - description: Elasticsearch indices used to check which field values generate alerts. 
- items: - type: string - type: array - Security_Detections_API_ThreatIndicatorPath: - description: >- - Defines the path to the threat indicator in the indicator documents - (optional) - type: string - Security_Detections_API_ThreatMapping: - description: > - Array of entries objects that define mappings between the source event - fields and the values in the Elasticsearch threat index. Each entries - object must contain these fields: - - - - field: field from the event indices on which the rule runs - - - type: must be mapping - - - value: field from the Elasticsearch threat index - - You can use Boolean and and or logic to define the conditions for when - matching fields and values generate alerts. Sibling entries objects are - evaluated using or logic, whereas multiple entries in a single entries - object use and logic. See Example of Threat Match rule which uses both - `and` and `or` logic. - items: - type: object - properties: - entries: - items: - $ref: '#/components/schemas/Security_Detections_API_ThreatMappingEntry' - type: array - required: - - entries - minItems: 1 - type: array - Security_Detections_API_ThreatMappingEntry: - type: object - properties: - field: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - negate: - type: boolean - type: - enum: - - mapping - type: string - value: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - required: - - field - - type - - value - Security_Detections_API_ThreatMatchRule: - allOf: - - type: object - properties: - actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. 
- items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -71463,35 +125477,340 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. 
+ items: + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' + type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + required: + - name + - description + - risk_score + - severity + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleCreateFields' + Security_Detections_API_SetAlertAssigneesBody: + type: object + properties: + assignees: + $ref: '#/components/schemas/Security_Detections_API_AlertAssignees' + description: Details about the assignees to assign and unassign. 
+ ids: + $ref: '#/components/schemas/Security_Detections_API_AlertIds' + required: + - assignees + - ids + Security_Detections_API_SetAlertsStatusByIds: + discriminator: + mapping: + closed: '#/components/schemas/Security_Detections_API_CloseAlertsByIds' + propertyName: status + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_CloseAlertsByIds' + - $ref: '#/components/schemas/Security_Detections_API_SetAlertsStatusByIdsBase' + Security_Detections_API_SetAlertsStatusByIdsBase: + type: object + properties: + signal_ids: + description: 'List of alert ids. Use field `_id` on alert document or `kibana.alert.uuid`. Note: signals are a deprecated term for alerts.' + items: + format: nonempty + minLength: 1 + type: string + minItems: 1 + type: array + status: + $ref: '#/components/schemas/Security_Detections_API_AlertStatusExceptClosed' + required: + - signal_ids + - status + Security_Detections_API_SetAlertsStatusByQuery: + discriminator: + mapping: + closed: '#/components/schemas/Security_Detections_API_CloseAlertsByQuery' + propertyName: status + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_CloseAlertsByQuery' + - $ref: '#/components/schemas/Security_Detections_API_SetAlertsStatusByQueryBase' + Security_Detections_API_SetAlertsStatusByQueryBase: + type: object + properties: + conflicts: + default: abort + enum: + - abort + - proceed + type: string + query: + additionalProperties: true + type: object + status: + $ref: '#/components/schemas/Security_Detections_API_AlertStatusExceptClosed' + required: + - query + - status + Security_Detections_API_SetAlertTags: + description: Object with list of tags to add and remove. 
+ type: object + properties: + tags_to_add: + $ref: '#/components/schemas/Security_Detections_API_AlertTags' + tags_to_remove: + $ref: '#/components/schemas/Security_Detections_API_AlertTags' + required: + - tags_to_add + - tags_to_remove + Security_Detections_API_SetAlertTagsBody: + type: object + properties: + ids: + $ref: '#/components/schemas/Security_Detections_API_AlertIds' + tags: + $ref: '#/components/schemas/Security_Detections_API_SetAlertTags' + required: + - ids + - tags + Security_Detections_API_SetupGuide: + description: Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly. + type: string + Security_Detections_API_Severity: + description: | + Severity level of alerts produced by the rule, which must be one of the following: + * `low`: Alerts that are of interest but generally not considered to be security incidents + * `medium`: Alerts that require investigation + * `high`: Alerts that require immediate investigation + * `critical`: Alerts that indicate it is highly likely a security incident has occurred + enum: + - low + - medium + - high + - critical + type: string + Security_Detections_API_SeverityMapping: + description: Overrides generated alerts' severity with values from the source event + items: + type: object + properties: + field: + description: Source event field used to override the default `severity`. 
+ type: string + operator: + enum: + - equals + type: string + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + value: + type: string + required: + - field + - operator + - severity + - value + type: array + Security_Detections_API_SiemErrorResponse: + type: object + properties: + message: + type: string + status_code: + type: integer + required: + - status_code + - message + Security_Detections_API_SkippedAlertsIndexMigration: + type: object + properties: + index: + type: string + required: + - index + Security_Detections_API_SortOrder: + enum: + - asc + - desc + type: string + Security_Detections_API_Threat: + description: | + > info + > Currently, only threats described using the MITRE ATT&CK™ framework are supported. + type: object + properties: + framework: + description: Relevant attack framework + type: string + tactic: + $ref: '#/components/schemas/Security_Detections_API_ThreatTactic' + technique: + description: Array containing information on the attack techniques (optional) + items: + $ref: '#/components/schemas/Security_Detections_API_ThreatTechnique' + type: array + required: + - framework + - tactic + Security_Detections_API_ThreatArray: + items: + $ref: '#/components/schemas/Security_Detections_API_Threat' + type: array + Security_Detections_API_ThreatFilters: + items: + description: Query and filter context array used to filter documents from the Elasticsearch index containing the threat values + type: array + Security_Detections_API_ThreatIndex: + description: Elasticsearch indices used to check which field values generate alerts. + items: + type: string + type: array + Security_Detections_API_ThreatIndicatorPath: + description: Defines the path to the threat indicator in the indicator documents (optional) + type: string + Security_Detections_API_ThreatMapping: + description: | + Array of entries objects that define mappings between the source event fields and the values in the Elasticsearch threat index. 
Each entries object must contain these fields: - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + - field: field from the event indices on which the rule runs + - type: must be mapping + - value: field from the Elasticsearch threat index + + You can use Boolean and and or logic to define the conditions for when matching fields and values generate alerts. Sibling entries objects are evaluated using or logic, whereas multiple entries in a single entries object use and logic. See Example of Threat Match rule which uses both `and` and `or` logic. + items: + type: object + properties: + entries: + items: + $ref: '#/components/schemas/Security_Detections_API_ThreatMappingEntry' + type: array + required: + - entries + minItems: 1 + type: array + Security_Detections_API_ThreatMappingEntry: + type: object + properties: + field: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + negate: + type: boolean + type: + enum: + - mapping + type: string + value: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + required: + - field + - type + - value + Security_Detections_API_ThreatMatchRule: + allOf: + - type: object + properties: + actions: + description: Array defining the automated actions (notifications) taken when alerts are generated. 
items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' + alias_target_id: + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: 
'#/components/schemas/Security_Detections_API_RelatedIntegrationArray' + required_fields: + description: | + Elasticsearch fields and their types that need to be present for the rule to function. + > info + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. + items: + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: @@ -71518,13 +125837,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: 
@@ -71553,33 +125870,25 @@ components: - related_integrations - required_fields - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleResponseFields + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleResponseFields' Security_Detections_API_ThreatMatchRuleCreateFields: allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleDefaultableFields + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleRequiredFields' + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields' + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleDefaultableFields' Security_Detections_API_ThreatMatchRuleCreateProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -71593,8 +125902,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -71610,35 +125918,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -71667,13 +125964,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -71683,8 +125978,7 @@ components: - description - risk_score - severity - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleCreateFields + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleCreateFields' Security_Detections_API_ThreatMatchRuleDefaultableFields: type: object properties: 
@@ -71730,27 +126024,21 @@ components: enum: - threat_match type: string - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleDefaultableFields + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields' + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleDefaultableFields' Security_Detections_API_ThreatMatchRulePatchProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -71764,12 +126052,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -71783,35 +126070,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -71840,19 +126116,16 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRulePatchFields + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRulePatchFields' Security_Detections_API_ThreatMatchRuleRequiredFields: type: object properties: @@ -71877,10 +126150,8 @@ components: - threat_index Security_Detections_API_ThreatMatchRuleResponseFields: allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleRequiredFields' + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields' - type: object properties: language: 
@@ -71892,18 +126163,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -71917,12 +126184,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -71936,35 +126202,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -71993,13 +126248,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -72009,12 +126262,9 @@ components: - description - risk_score - severity - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleCreateFields + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleCreateFields' Security_Detections_API_ThreatQuery: - description: >- - Query used to determine which fields in the Elasticsearch index are used - for generating alerts. + description: Query used to determine which fields in the Elasticsearch index are used for generating alerts. type: string Security_Detections_API_ThreatSubtechnique: type: object @@ -72089,8 +126339,7 @@ components: type: object properties: duration: - $ref: >- - #/components/schemas/Security_Detections_API_AlertSuppressionDuration + $ref: '#/components/schemas/Security_Detections_API_AlertSuppressionDuration' required: - duration Security_Detections_API_ThresholdCardinality: @@ -72102,9 +126351,7 @@ components: description: The field on which to calculate and compare the cardinality. type: string value: - description: >- - The threshold value from which an alert is generated based on - unique number of values of cardinality.field. + description: The threshold value from which an alert is generated based on unique number of values of cardinality.field. minimum: 0 type: integer required: 
@@ -72112,10 +126359,7 @@ components: - value type: array Security_Detections_API_ThresholdField: - description: >- - The field on which the threshold is applied. If you specify an empty - array ([]), alerts are generated when the query returns at least the - number of results specified in the value field. + description: The field on which the threshold is applied. If you specify an empty array ([]), alerts are generated when the query returns at least the number of results specified in the value field. oneOf: - type: string - items: @@ -72128,18 +126372,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -72153,8 +126393,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -72170,35 +126409,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -72225,13 +126453,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: 
@@ -72260,33 +126486,25 @@ components: - related_integrations - required_fields - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleResponseFields + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleResponseFields' Security_Detections_API_ThresholdRuleCreateFields: allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleDefaultableFields + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleRequiredFields' + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields' + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleDefaultableFields' Security_Detections_API_ThresholdRuleCreateProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: 
@@ -72300,8 +126518,7 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: 
@@ -72317,35 +126534,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -72374,13 +126580,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: @@ -72390,8 +126594,7 @@ components: - description - risk_score - severity - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleCreateFields + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleCreateFields' Security_Detections_API_ThresholdRuleDefaultableFields: type: object properties: @@ -72401,8 +126604,7 @@ components: type: object properties: alert_suppression: - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdAlertSuppression + $ref: '#/components/schemas/Security_Detections_API_ThresholdAlertSuppression' data_view_id: $ref: '#/components/schemas/Security_Detections_API_DataViewId' filters: 
@@ -72424,27 +126626,21 @@ components: enum: - threshold type: string - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleDefaultableFields + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields' + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleDefaultableFields' Security_Detections_API_ThresholdRulePatchProps: allOf: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -72458,12 +126654,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
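Review bot: The `id` property of the ThresholdRulePatchProps object changes its `$ref` from `Security_Detections_API_RuleObjectId` to `Security_Detections_API_UUID` (hunk `@@ -72458,12 +126654,11 @@`), which is an API-contract change rather than the quoting/folding normalisation every other line in these hunks applies, and nothing in the commit subject ("Add meta:{id} to fleet schemas") accounts for a Security Detections schema edit. The same substitution appears in the ThresholdRuleUpdateProps hunk further down. The definitions of `RuleObjectId` and `UUID` are not visible here; if they carry different `format`/`pattern` constraints, clients that PATCH or PUT with a rule id that is not a UUID would start failing request validation, so the change should either be called out in the PR description or dropped by regenerating the bundle from a branch that does not carry it. If this file is generated output, the correct place to make or revert the change is the source schema, not this YAML.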
@@ -72477,35 +126672,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -72534,19 +126718,16 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRulePatchFields + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRulePatchFields' Security_Detections_API_ThresholdRuleRequiredFields: type: object properties: @@ -72565,10 +126746,8 @@ components: - threshold Security_Detections_API_ThresholdRuleResponseFields: allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleRequiredFields' + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields' - type: object properties: language: 
@@ -72580,18 +126759,14 @@ components: - type: object properties: actions: - description: >- - Array defining the automated actions (notifications) taken when - alerts are generated. + description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: @@ -72605,12 +126780,11 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + $ref: '#/components/schemas/Security_Detections_API_UUID' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: 
@@ -72624,35 +126798,24 @@ components: name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace + $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: - description: > - Elasticsearch fields and their types that need to be present for - the rule to function. - + description: | + Elasticsearch fields and their types that need to be present for the rule to function. > info - - > The value of `required_fields` does not affect the rule’s - behavior, and specifying it incorrectly won’t cause the rule to - fail. Use `required_fields` as an informational property to - document the fields that the rule expects to be present in the - data. + > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: 
@@ -72681,13 +126844,11 @@ components: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: 
@@ -72697,26 +126858,17 @@ components: - description - risk_score - severity - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleCreateFields + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleCreateFields' Security_Detections_API_ThresholdValue: description: The threshold value from which an alert is generated. minimum: 1 type: integer Security_Detections_API_ThrottleForBulkActions: - description: > + description: | Defines the maximum interval in which a rule’s actions are executed. - > info - - > The rule level `throttle` field is deprecated in Elastic Security 8.8 - and will remain active for at least the next 12 months. - - > In Elastic Security 8.8 and later, you can use the `frequency` field - to define frequencies for individual actions. Actions without - frequencies will acquire a converted version of the rule’s `throttle` - field. In the response, the converted `throttle` setting appears in the - individual actions' `frequency` field. + > The rule level `throttle` field is deprecated in Elastic Security 8.8 and will remain active for at least the next 12 months. + > In Elastic Security 8.8 and later, you can use the `frequency` field to define frequencies for individual actions. Actions without frequencies will acquire a converted version of the rule’s `throttle` field. In the response, the converted `throttle` setting appears in the individual actions' `frequency` field. enum: - rule - 1h 
@@ -72733,17 +126885,10 @@ components: description: Timeline template title type: string Security_Detections_API_TimestampField: - description: >- - Specifies the name of the event timestamp field used for sorting a - sequence of events. Not to be confused with `timestamp_override`, which - specifies the more general field used for querying events within a - range. Defaults to the @timestamp ECS field. + description: Specifies the name of the event timestamp field used for sorting a sequence of events. Not to be confused with `timestamp_override`, which specifies the more general field used for querying events within a range. Defaults to the @timestamp ECS field. type: string Security_Detections_API_TimestampOverride: - description: >- - Sets the time field used to query indices. When unspecified, rules query - the `@timestamp` field. The source field must be an Elasticsearch date - data type. + description: Sets the time field used to query indices. When unspecified, rules query the `@timestamp` field. The source field must be an Elasticsearch date data type. type: string Security_Detections_API_TimestampOverrideFallbackDisabled: description: Disables the fallback to the event's @timestamp field @@ -72778,10 +126923,7 @@ components: type: object properties: _version: - description: >- - The version id, normally returned by the API when the item was - retrieved. Use it ensure updates are done against the latest - version. + description: The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version. type: string created_at: description: Autogenerated date of object creation. 
@@ -72791,39 +126933,28 @@ components: description: Autogenerated value - user that created object. type: string description: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListDescription + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListDescription' id: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListId + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListId' immutable: type: boolean list_id: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListHumanId + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListHumanId' meta: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListMeta + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListMeta' name: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListName + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListName' namespace_type: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionNamespaceType + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionNamespaceType' os_types: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsTypeArray + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsTypeArray' tags: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListTags + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListTags' tie_breaker_id: - description: >- - Field used in search to ensure all containers are sorted and - returned correctly. + description: Field used in search to ensure all containers are sorted and returned correctly. 
type: string type: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListType + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListType' updated_at: description: Autogenerated date of last object update. format: date-time @@ -72832,8 +126963,7 @@ components: description: Autogenerated value - user that last updated object. type: string version: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListVersion + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListVersion' required: - id - list_id 
@@ -72853,30 +126983,17 @@ components: example: This list tracks allowlisted values. type: string Security_Endpoint_Exceptions_API_ExceptionListHumanId: - description: > + description: | The exception list's human-readable string identifier. - For endpoint artifacts, use one of the following values: - - * `endpoint_list`: [Elastic Endpoint exception - list](https://www.elastic.co/docs/solutions/security/detect-and-alert/add-manage-exceptions) - - * `endpoint_trusted_apps`: [Trusted applications - list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/trusted-applications) - - * `endpoint_trusted_devices`: [Trusted devices - list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/trusted-devices) - - * `endpoint_event_filters`: [Event filters - list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/event-filters) - - * `endpoint_host_isolation_exceptions`: [Host isolation exceptions - list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/host-isolation-exceptions) - - * `endpoint_blocklists`: [Blocklists - list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/blocklist) + * `endpoint_list`: [Elastic Endpoint exception list](https://www.elastic.co/docs/solutions/security/detect-and-alert/add-manage-exceptions) + * `endpoint_trusted_apps`: [Trusted applications list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/trusted-applications) + * `endpoint_trusted_devices`: [Trusted devices list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/trusted-devices) + * `endpoint_event_filters`: [Event filters list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/event-filters) + * `endpoint_host_isolation_exceptions`: [Host isolation exceptions list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/host-isolation-exceptions) + * `endpoint_blocklists`: [Blocklists 
list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/blocklist) example: simple_list format: nonempty minLength: 1 @@ -72891,14 +127008,10 @@ components: type: object properties: _version: - description: >- - The version id, normally returned by the API when the item was - retrieved. Use it ensure updates are done against the latest - version. + description: The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version. type: string comments: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray' created_at: description: Autogenerated date of object creation. format: date-time 
@@ -72907,46 +127020,32 @@ components: description: Autogenerated value - user that created object. type: string description: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription' entries: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray' expire_time: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemExpireTime + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemExpireTime' id: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId' item_id: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId' list_id: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListHumanId + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListHumanId' meta: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta' name: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName' namespace_type: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionNamespaceType + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionNamespaceType' os_types: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray + $ref: 
'#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray' tags: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags' tie_breaker_id: - description: >- - Field used in search to ensure all containers are sorted and - returned correctly. + description: Field used in search to ensure all containers are sorted and returned correctly. type: string type: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType' updated_at: description: Autogenerated date of last object update. format: date-time 
@@ -72999,32 +127098,24 @@ components: - comment (string): Comments about the exception item. items: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemComment + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemComment' type: array Security_Endpoint_Exceptions_API_ExceptionListItemDescription: description: Describes the exception list. type: string Security_Endpoint_Exceptions_API_ExceptionListItemEntry: anyOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryList - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryNested - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchWildcard + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryList' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryNested' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchWildcard' discriminator: propertyName: type Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray: items: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntry + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntry' type: array 
Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists: type: object @@ -73032,8 +127123,7 @@ components: field: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' operator: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator' type: enum: - exists @@ -73058,8 +127148,7 @@ components: - id - type operator: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator' type: enum: - list @@ -73075,8 +127164,7 @@ components: field: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' operator: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator' type: enum: - match @@ -73094,16 +127182,14 @@ components: field: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' operator: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator' type: enum: - match_any type: string value: items: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' minItems: 1 type: array required: @@ -73117,8 +127203,7 @@ components: field: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' operator: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator' type: enum: - wildcard 
@@ -73135,8 +127220,7 @@ components: properties: entries: items: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryNestedEntryItem + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryNestedEntryItem' minItems: 1 type: array field: @@ -73151,21 +127235,16 @@ components: - entries Security_Endpoint_Exceptions_API_ExceptionListItemEntryNestedEntryItem: oneOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny' + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists' Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator: enum: - excluded - included type: string Security_Endpoint_Exceptions_API_ExceptionListItemExpireTime: - description: >- - The exception item’s expiration date, in ISO format. This field is only - available for regular exception items, not endpoint exceptions. + description: The exception item’s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions. format: date-time type: string Security_Endpoint_Exceptions_API_ExceptionListItemHumanId: 
@@ -73190,14 +127269,11 @@ components: type: string Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray: items: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsType + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsType' type: array Security_Endpoint_Exceptions_API_ExceptionListItemTags: items: - description: >- - String array containing words and phrases to help categorize exception - items. + description: String array containing words and phrases to help categorize exception items. format: nonempty minLength: 1 type: string @@ -73224,20 +127300,15 @@ components: Security_Endpoint_Exceptions_API_ExceptionListOsTypeArray: description: Use this field to specify the operating system. Only enter one value. items: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsType + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsType' type: array Security_Endpoint_Exceptions_API_ExceptionListTags: - description: >- - String array containing words and phrases to help categorize exception - containers. + description: String array containing words and phrases to help categorize exception containers. items: type: string type: array Security_Endpoint_Exceptions_API_ExceptionListType: - description: >- - The type of exception list to be created. Different list types may - denote where they can be utilized. + description: The type of exception list to be created. Different list types may denote where they can be utilized. enum: - detection - rule_default 
@@ -73253,21 +127324,14 @@ components: minimum: 1 type: integer Security_Endpoint_Exceptions_API_ExceptionNamespaceType: - description: > - Determines whether the exception container is available in all Kibana - spaces or just the space - + description: | + Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where: - - `single`: Only available in the Kibana space in which it is created. - - `agnostic`: Available in all Kibana spaces. - - For endpoint artifacts, the `namespace_type` must always be `agnostic`. - Space awareness for endpoint artifacts is enforced based on Elastic - Defend policy assignments. + For endpoint artifacts, the `namespace_type` must always be `agnostic`. Space awareness for endpoint artifacts is enforced based on Elastic Defend policy assignments. enum: - agnostic - single @@ -73281,17 +127345,12 @@ components: minLength: 1 type: string Security_Endpoint_Exceptions_API_ListType: - description: > - Specifies the Elasticsearch data type of excludes the list container - holds. Some common examples: - + description: | + Specifies the Elasticsearch data type of excludes the list container holds. Some common examples: - `keyword`: Many ECS fields are Elasticsearch keywords - - `ip`: IP addresses - - - `ip_range`: Range of IP addresses (supports IPv4, IPv6, and CIDR - notation) + - `ip_range`: Range of IP addresses (supports IPv4, IPv6, and CIDR notation) enum: - binary - boolean 
@@ -73354,8 +127413,7 @@ components: isolate: '#/components/schemas/Security_Endpoint_Management_API_Isolate' kill-process: '#/components/schemas/Security_Endpoint_Management_API_KillProcess' memory-dump: '#/components/schemas/Security_Endpoint_Management_API_MemoryDump' - running-processes: >- - #/components/schemas/Security_Endpoint_Management_API_RunningProcesses + running-processes: '#/components/schemas/Security_Endpoint_Management_API_RunningProcesses' runscript: '#/components/schemas/Security_Endpoint_Management_API_Runscript' scan: '#/components/schemas/Security_Endpoint_Management_API_Scan' suspend-process: '#/components/schemas/Security_Endpoint_Management_API_SuspendProcess' @@ -73373,8 +127431,7 @@ components: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Isolate' - $ref: '#/components/schemas/Security_Endpoint_Management_API_Unisolate' - $ref: '#/components/schemas/Security_Endpoint_Management_API_SuspendProcess' - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_RunningProcesses + - $ref: '#/components/schemas/Security_Endpoint_Management_API_RunningProcesses' - $ref: '#/components/schemas/Security_Endpoint_Management_API_MemoryDump' Security_Endpoint_Management_API_ActionStateSuccessResponse: type: object @@ -73383,9 +127440,7 @@ components: type: object properties: canEncrypt: - description: >- - Whether the Kibana instance has encryption enabled for response - actions. + description: Whether the Kibana instance has encryption enabled for response actions. type: boolean required: - data @@ -73400,8 +127455,7 @@ components: agent_id: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentId' pending_actions: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionsSchema + $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionsSchema' required: - agent_id - pending_actions 
@@ -73454,17 +127508,12 @@ components: example: updatedAt type: string Security_Endpoint_Management_API_ArchivePathToExecutableSchema: - description: >- - Used only for when the uploaded script is an archive (.zip file for - example). This property defines the relative path to the file included - in the archive that should be executed once its contents are extracted. - The path should be relative to the root of the archive. + description: Used only for when the uploaded script is an archive (.zip file for example). This property defines the relative path to the file included in the archive that should be executed once its contents are extracted. The path should be relative to the root of the archive. example: ./bin/script.sh type: string Security_Endpoint_Management_API_Cancel: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - type: object properties: outputs: @@ -73490,10 +127539,7 @@ components: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: - description: >- - If this action is associated with any alerts, they can be - specified here. The action will be logged in any cases - associated with the specified alerts. Max of 50. + description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. example: - alert-id-1 - alert-id-2 @@ -73504,9 +127550,7 @@ components: minItems: 1 type: array case_ids: - description: >- - The IDs of cases where the action taken will be logged. Max of - 50. + description: The IDs of cases where the action taken will be logged. Max of 50. example: - case-id-1 - case-id-2 
@@ -73519,8 +127563,7 @@ components: comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: @@ -73600,24 +127643,19 @@ components: format: binary type: object fileType: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointScriptFileType + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointScriptFileType' instructions: - description: >- - Instructions for using the script, including details around its - supported input arguments + description: Instructions for using the script, including details around its supported input arguments type: string name: description: Name of the script type: string pathToExecutable: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ArchivePathToExecutableSchema + $ref: '#/components/schemas/Security_Endpoint_Management_API_ArchivePathToExecutableSchema' platform: description: Platforms supported by the the script items: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointScriptPlatform + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointScriptPlatform' type: array requiresInput: description: Whether the script requires input arguments @@ -73625,8 +127663,7 @@ components: tags: description: Tags to categorize the script items: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointScriptTags + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointScriptTags' type: array required: - name 
@@ -73637,10 +127674,8 @@ components: type: object properties: downloadUri: - description: > - The server relative URI to download the file associated with the - output of the response action. - + description: | + The server relative URI to download the file associated with the output of the response action. URI does **not** include the space prefix example: /api/endpoint/action/497f6eca-6276/file/35645-6276-4993/download format: uri-reference @@ -73668,9 +127703,7 @@ components: '@timestamp': '2023-07-04T15:48:57.3609346Z' agent: build: - original: >- - version: 7.16.0, compiled: Tue Nov 16 17:00:00 2021, branch: - 7.16, commit: 73a51033db85e0fb3be1c934697ef6a2b08979ab + original: 'version: 7.16.0, compiled: Tue Nov 16 17:00:00 2021, branch: 7.16, commit: 73a51033db85e0fb3be1c934697ef6a2b08979ab' id: abb8a826-6812-448c-a571-6d8269b51449 type: endpoint version: 7.16.0 @@ -73749,9 +127782,7 @@ components: type: object properties: {} Security_Endpoint_Management_API_EndpointRunScriptParameters: - description: >- - Parameters for Run Script response action against Elastic Defend agent - type. + description: Parameters for Run Script response action against Elastic Defend agent type. example: agent_type: endpoint endpoint_ids: @@ -73765,9 +127796,7 @@ components: minLength: 1 type: string scriptInput: - description: >- - The input parameter arguments (if any) for the script that will be - executed. + description: The input parameter arguments (if any) for the script that will be executed. minLength: 1 type: string required: 
@@ -73788,11 +127817,8 @@ components: example: Collects host data for investigation type: string downloadUri: - description: >- - URI to download the script file. Note that this is the relative path - and does not include the space (if applicable) - example: >- - /api/endpoint/scripts_library/123e4567-e89b-12d3-a456-426655440000/download + description: URI to download the script file. Note that this is the relative path and does not include the space (if applicable) + example: /api/endpoint/scripts_library/123e4567-e89b-12d3-a456-426655440000/download type: string example: type: string @@ -73813,31 +127839,25 @@ components: format: uuid type: string instructions: - description: >- - Instructions for using the script, including details around its - supported input arguments + description: Instructions for using the script, including details around its supported input arguments type: string name: example: Collect host data type: string pathToExecutable: - description: > - The relative path to the file included in the archive that should be - executed once its contents are extracted. Applicable only for - scripts uploaded as an archive (.zip file for example). + description: | + The relative path to the file included in the archive that should be executed once its contents are extracted. Applicable only for scripts uploaded as an archive (.zip file for example). type: string platform: items: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointScriptPlatform + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointScriptPlatform' type: array requiresInput: type: boolean tags: description: Tags that categorize the script items: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointScriptTags + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointScriptTags' type: array updatedAt: format: date-time 
@@ -73848,12 +127868,7 @@ components: version: type: string Security_Endpoint_Management_API_EndpointScriptFileType: - description: >- - The type of the uploaded file, which determines the expected value of - `pathToExecutable`. If `fileType` is "script", then `pathToExecutable` - should not be included. If `fileType` is "archive", then - `pathToExecutable` is required and should specify the path to the - executable file within the archive. + description: The type of the uploaded file, which determines the expected value of `pathToExecutable`. If `fileType` is "script", then `pathToExecutable` should not be included. If `fileType` is "archive", then `pathToExecutable` is required and should specify the path to the executable file within the archive. enum: - script - archive @@ -73880,8 +127895,7 @@ components: type: string Security_Endpoint_Management_API_Execute: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - type: object properties: outputs: @@ -73890,8 +127904,7 @@ components: properties: content: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_DownloadUri + - $ref: '#/components/schemas/Security_Endpoint_Management_API_DownloadUri' - type: object properties: code: @@ -73929,10 +127942,7 @@ components: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: - description: >- - If this action is associated with any alerts, they can be - specified here. The action will be logged in any cases - associated with the specified alerts. Max of 50. + description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. example: - alert-id-1 - alert-id-2 
@@ -73943,9 +127953,7 @@ components: minItems: 1 type: array case_ids: - description: >- - The IDs of cases where the action taken will be logged. Max of - 50. + description: The IDs of cases where the action taken will be logged. Max of 50. example: - case-id-1 - case-id-2 @@ -73958,8 +127966,7 @@ components: comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: @@ -73974,9 +127981,7 @@ components: minLength: 1 type: string timeout: - description: >- - The maximum timeout value in seconds before the command is - terminated. + description: The maximum timeout value in seconds before the command is terminated. minimum: 1 type: integer required: @@ -74054,8 +128059,7 @@ components: data: description: The list of response actions. items: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' type: array elasticAgentIds: description: The list of elastic agent IDs the query was filtered by. @@ -74089,8 +128093,7 @@ components: type: array Security_Endpoint_Management_API_GetFile: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - type: object properties: outputs: @@ -74099,8 +128102,7 @@ components: properties: content: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_DownloadUri + - $ref: '#/components/schemas/Security_Endpoint_Management_API_DownloadUri' - type: object properties: code: 
@@ -74135,10 +128137,7 @@ components: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: - description: >- - If this action is associated with any alerts, they can be - specified here. The action will be logged in any cases - associated with the specified alerts. Max of 50. + description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. example: - alert-id-1 - alert-id-2 @@ -74149,9 +128148,7 @@ components: minItems: 1 type: array case_ids: - description: >- - The IDs of cases where the action taken will be logged. Max of - 50. + description: The IDs of cases where the action taken will be logged. Max of 50. example: - case-id-1 - case-id-2 @@ -74164,8 +128161,7 @@ components: comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: @@ -74188,10 +128184,7 @@ components: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: - description: >- - If this action is associated with any alerts, they can be specified - here. The action will be logged in any cases associated with the - specified alerts. Max of 50. + description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. example: - alert-id-1 - alert-id-2 
@@ -74254,8 +128247,7 @@ components: type: array Security_Endpoint_Management_API_Isolate: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - description: Details of an isolate action response. type: object Security_Endpoint_Management_API_IsolateRouteResponse: @@ -74265,12 +128257,10 @@ components: description: The action ID (legacy field, same as `data.id`). type: string data: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' Security_Endpoint_Management_API_KillProcess: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - type: object properties: outputs: @@ -74321,9 +128311,7 @@ components: - type: object properties: process_name: - description: >- - The name of the process to terminate. Valid for - SentinelOne agent type only. + description: The name of the process to terminate. Valid for SentinelOne agent type only. type: string Security_Endpoint_Management_API_KillProcessRouteRequestBody: allOf: @@ -74332,10 +128320,7 @@ components: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: - description: >- - If this action is associated with any alerts, they can be - specified here. The action will be logged in any cases - associated with the specified alerts. Max of 50. + description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. example: - alert-id-1 - alert-id-2 
@@ -74346,9 +128331,7 @@ components: minItems: 1 type: array case_ids: - description: >- - The IDs of cases where the action taken will be logged. Max of - 50. + description: The IDs of cases where the action taken will be logged. Max of 50. example: - case-id-1 - case-id-2 @@ -74361,8 +128344,7 @@ components: comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: @@ -74388,9 +128370,7 @@ components: - type: object properties: process_name: - description: >- - The name of the process to terminate. Valid for - SentinelOne agent type only. + description: The name of the process to terminate. Valid for SentinelOne agent type only. example: Elastic minLength: 1 type: string @@ -74401,9 +128381,7 @@ components: example: 'united.endpoint.host.os.name : ''Windows''' type: string Security_Endpoint_Management_API_MDERunScriptParameters: - description: >- - Parameters for Run Script response action against Microsoft Defender - Endpoint agent type. + description: Parameters for Run Script response action against Microsoft Defender Endpoint agent type. example: agent_type: microsoft_defender_endpoint endpoint_ids: @@ -74426,8 +128404,7 @@ components: type: object Security_Endpoint_Management_API_MemoryDump: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - type: object properties: outputs: 
@@ -74439,17 +128416,13 @@ components: code: type: string disk_free_space: - description: >- - The free space on the host machine in bytes after the - memory dump is written to disk + description: The free space on the host machine in bytes after the memory dump is written to disk type: number file_size: description: The size of the memory dump compressed file in bytes type: string path: - description: >- - The path to the memory dump compressed file on the - host machine + description: The path to the memory dump compressed file on the host machine type: string title: Memory dump output type: object @@ -74503,10 +128476,7 @@ components: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: - description: >- - If this action is associated with any alerts, they can be - specified here. The action will be logged in any cases - associated with the specified alerts. Max of 50. + description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. example: - alert-id-1 - alert-id-2 @@ -74517,9 +128487,7 @@ components: minItems: 1 type: array case_ids: - description: >- - The IDs of cases where the action taken will be logged. Max of - 50. + description: The IDs of cases where the action taken will be logged. Max of 50. example: - case-id-1 - case-id-2 @@ -74532,8 +128500,7 @@ components: comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: 
@@ -74586,9 +128553,7 @@ components: '@timestamp': '2023-07-04T15:47:57.432173535Z' agent: build: - original: >- - version: 7.16.0, compiled: Tue Nov 16 16:00:00 2021, branch: - 7.16, commit: 73a51033db85e0fb3be1c934697ef6a2b08979ab + original: 'version: 7.16.0, compiled: Tue Nov 16 16:00:00 2021, branch: 7.16, commit: 73a51033db85e0fb3be1c934697ef6a2b08979ab' id: 285297c6-3bff-4b83-9a07-f3e749801123 type: endpoint version: 7.16.0 @@ -74647,9 +128612,7 @@ components: variant: Ubuntu family: ubuntu full: Ubuntu 20.04.2 - kernel: >- - 5.8.0-59-generic #66~20.04.1-Ubuntu SMP Thu Jun 17 11:14:10 - UTC 2021 + kernel: '5.8.0-59-generic #66~20.04.1-Ubuntu SMP Thu Jun 17 11:14:10 UTC 2021' name: Linux platform: ubuntu type: linux @@ -74672,9 +128635,7 @@ components: '@timestamp': '2023-07-04T15:44:31.4917849Z' agent: build: - original: >- - version: 7.16.0, compiled: Tue Nov 16 17:00:00 2021, branch: - 7.16, commit: 73a51033db85e0fb3be1c934697ef6a2b08979ab + original: 'version: 7.16.0, compiled: Tue Nov 16 17:00:00 2021, branch: 7.16, commit: 73a51033db85e0fb3be1c934697ef6a2b08979ab' id: abb8a826-6812-448c-a571-6d8269b51449 type: endpoint version: 7.16.0 @@ -74774,9 +128735,7 @@ components: description: Parameters object type: object Security_Endpoint_Management_API_PatchUpdateScriptRouteRequestBody: - description: >- - The script entry properties to be updated. At least one property must be - provided. + description: The script entry properties to be updated. At least one property must be provided. minProperties: 1 type: object properties: 
@@ -74791,24 +128750,19 @@ components: format: binary type: object fileType: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointScriptFileType + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointScriptFileType' instructions: - description: >- - Instructions for using the script, including details around its - supported input arguments + description: Instructions for using the script, including details around its supported input arguments type: string name: description: Name of the script type: string pathToExecutable: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ArchivePathToExecutableSchema + $ref: '#/components/schemas/Security_Endpoint_Management_API_ArchivePathToExecutableSchema' platform: description: Platforms supported by the the script items: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointScriptPlatform + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointScriptPlatform' type: array requiresInput: description: Whether the script requires input arguments @@ -74816,8 +128770,7 @@ components: tags: description: Tags to categorize the script items: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointScriptTags + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointScriptTags' type: array Security_Endpoint_Management_API_PendingActionDataType: description: Number of pending actions of this type. 
@@ -74827,40 +128780,31 @@ components: - type: object properties: execute: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType + $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' description: Number of pending execute actions. get-file: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType + $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' description: Number of pending get-file actions. isolate: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType + $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' description: Number of pending isolate actions. kill-process: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType + $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' description: Number of pending kill-process actions. running-processes: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType + $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' description: Number of pending running-processes (get processes) actions. scan: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType + $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' description: Number of pending scan actions. suspend-process: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType + $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' description: Number of pending suspend-process actions. unisolate: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType + $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' description: Number of pending unisolate (release) actions. 
upload: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType + $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' description: Number of pending upload actions. - additionalProperties: true type: object @@ -74868,9 +128812,7 @@ components: type: object properties: note: - description: >- - A note associated with the protection updates for the given package - policy. + description: A note associated with the protection updates for the given package policy. type: string Security_Endpoint_Management_API_RawScriptParameters: type: object @@ -74915,8 +128857,7 @@ components: type: object properties: data: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' Security_Endpoint_Management_API_ResponseActionDetails: type: object properties: @@ -74932,9 +128873,7 @@ components: type: object properties: completedAt: - description: >- - The date and time the response action was completed for the - agent ID + description: The date and time the response action was completed for the agent ID type: string isCompleted: description: Whether the response action is completed for the agent ID @@ -74942,9 +128881,7 @@ components: wasSuccessful: description: Whether the response action was successful for the agent ID type: boolean - description: >- - The state of the response action for each agent ID that it was sent - to + description: The state of the response action for each agent ID that it was sent to type: object agentType: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' 
@@ -74965,9 +128902,7 @@ components: name: description: The host name type: string - description: >- - An object containing the host names associated with the agent IDs - the response action was sent to + description: An object containing the host names associated with the agent IDs the response action was sent to type: object id: description: The response action ID @@ -74985,9 +128920,7 @@ components: format: uuid properties: content: - description: >- - The response action output content for the agent ID. Exact - format depends on the response action command. + description: The response action output content for the agent ID. Exact format depends on the response action command. oneOf: - type: object - type: string @@ -75001,17 +128934,12 @@ components: - content title: Agent ID type: object - description: > - The outputs of the response action for each agent ID that it was - sent to. Content different depending on the - - response action command and will only be present for agents that - have responded to the response action + description: | + The outputs of the response action for each agent ID that it was sent to. Content different depending on the + response action command and will only be present for agents that have responded to the response action type: object parameters: - description: >- - The parameters of the response action. Content different depending - on the response action command + description: The parameters of the response action. Content different depending on the response action command type: object startedAt: description: The response action start time @@ -75027,8 +128955,7 @@ components: - command Security_Endpoint_Management_API_RunningProcesses: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - type: object properties: outputs: 
@@ -75037,10 +128964,8 @@ components: properties: content: oneOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_RunningProcessesOutputEndpoint - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_RunningProcessesOutputSentinelOne + - $ref: '#/components/schemas/Security_Endpoint_Management_API_RunningProcessesOutputEndpoint' + - $ref: '#/components/schemas/Security_Endpoint_Management_API_RunningProcessesOutputSentinelOne' type: object Security_Endpoint_Management_API_RunningProcessesOutputEndpoint: description: Processes output for `agentType` of `endpoint` @@ -75071,8 +128996,7 @@ components: type: string Security_Endpoint_Management_API_Runscript: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - type: object properties: outputs: @@ -75081,8 +129005,7 @@ components: properties: content: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_DownloadUri + - $ref: '#/components/schemas/Security_Endpoint_Management_API_DownloadUri' - type: object properties: code: @@ -75094,12 +129017,9 @@ components: type: object parameters: oneOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_RunscriptParamsCrowdStrike - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_RunscriptParamsMicrosoft - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_RunscriptParamsSentinelOne + - $ref: '#/components/schemas/Security_Endpoint_Management_API_RunscriptParamsCrowdStrike' + - $ref: '#/components/schemas/Security_Endpoint_Management_API_RunscriptParamsMicrosoft' + - $ref: '#/components/schemas/Security_Endpoint_Management_API_RunscriptParamsSentinelOne' Security_Endpoint_Management_API_RunscriptParamsCrowdStrike: type: object properties: 
@@ -75134,10 +129054,7 @@ components: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: - description: >- - If this action is associated with any alerts, they can be - specified here. The action will be logged in any cases - associated with the specified alerts. Max of 50. + description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. example: - alert-id-1 - alert-id-2 @@ -75148,9 +129065,7 @@ components: minItems: 1 type: array case_ids: - description: >- - The IDs of cases where the action taken will be logged. Max of - 50. + description: The IDs of cases where the action taken will be logged. Max of 50. example: - case-id-1 - case-id-2 @@ -75163,8 +129078,7 @@ components: comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: 
@@ -75172,28 +129086,20 @@ components: - type: object properties: parameters: - description: > - One of the following set of parameters must be provided for the - `agentType` that is specified. + description: | + One of the following set of parameters must be provided for the `agentType` that is specified. oneOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointRunScriptParameters - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_RawScriptParameters - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_HostPathScriptParameters - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_CloudFileScriptParameters - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_SentinelOneRunScriptParameters - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_MDERunScriptParameters + - $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointRunScriptParameters' + - $ref: '#/components/schemas/Security_Endpoint_Management_API_RawScriptParameters' + - $ref: '#/components/schemas/Security_Endpoint_Management_API_HostPathScriptParameters' + - $ref: '#/components/schemas/Security_Endpoint_Management_API_CloudFileScriptParameters' + - $ref: '#/components/schemas/Security_Endpoint_Management_API_SentinelOneRunScriptParameters' + - $ref: '#/components/schemas/Security_Endpoint_Management_API_MDERunScriptParameters' required: - parameters Security_Endpoint_Management_API_Scan: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - type: object properties: outputs: 
@@ -75218,10 +129124,7 @@ components: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: - description: >- - If this action is associated with any alerts, they can be - specified here. The action will be logged in any cases - associated with the specified alerts. Max of 50. + description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. example: - alert-id-1 - alert-id-2 @@ -75232,9 +129135,7 @@ components: minItems: 1 type: array case_ids: - description: >- - The IDs of cases where the action taken will be logged. Max of - 50. + description: The IDs of cases where the action taken will be logged. Max of 50. example: - case-id-1 - case-id-2 @@ -75247,8 +129148,7 @@ components: comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: @@ -75270,8 +129170,7 @@ components: example: data: description: Collects host data for investigation - downloadUri: >- - /api/endpoint/scripts_library/123e4567-e89b-12d3-a456-426655440000/download + downloadUri: /api/endpoint/scripts_library/123e4567-e89b-12d3-a456-426655440000/download example: ./collect_host_data.sh --help fileHash: abf573681eb54aac5e05e35bf186d4d31abe45ecf242461490523f11d2a8fbb8 fileName: collect_host_data.sh 
@@ -75288,9 +129187,7 @@ components: data: $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointScript' Security_Endpoint_Management_API_SentinelOneRunScriptParameters: - description: >- - Parameters for Run Script response action against SentinelOne agent - type. + description: Parameters for Run Script response action against SentinelOne agent type. example: agent_type: sentinel_one endpoint_ids: @@ -75300,9 +129197,7 @@ components: scriptInput: '--delete --paths-to-delete /tmp/temp_file.txt,/tmp/random_file.txt' properties: scriptId: - description: >- - The script ID from SentinelOne scripts library that will be - executed. + description: The script ID from SentinelOne scripts library that will be executed. minLength: 1 type: string scriptInput: @@ -75343,8 +129238,7 @@ components: type: object Security_Endpoint_Management_API_SuspendProcess: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - type: object properties: outputs: @@ -75391,10 +129285,7 @@ components: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: - description: >- - If this action is associated with any alerts, they can be - specified here. The action will be logged in any cases - associated with the specified alerts. Max of 50. + description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. example: - alert-id-1 - alert-id-2 @@ -75405,9 +129296,7 @@ components: minItems: 1 type: array case_ids: - description: >- - The IDs of cases where the action taken will be logged. Max of - 50. + description: The IDs of cases where the action taken will be logged. Max of 50. example: - case-id-1 - case-id-2 
@@ -75420,8 +129309,7 @@ components: comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: @@ -75464,8 +129352,7 @@ components: type: array Security_Endpoint_Management_API_Unisolate: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - description: Details of an unisolate action response. type: object Security_Endpoint_Management_API_UnisolateRouteResponse: @@ -75475,12 +129362,10 @@ components: description: The action ID (legacy field, same as `data.id`). type: string data: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' Security_Endpoint_Management_API_Upload: allOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails + - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails' - type: object properties: outputs: @@ -75498,10 +129383,8 @@ components: type: string type: object parameters: - description: > - The parameters for upload returned on the details are derived - via the API from the file that - + description: | + The parameters for upload returned on the details are derived via the API from the file that was uploaded at the time that the response action was submitted type: object properties: 
@@ -75520,10 +129403,7 @@ components: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: - description: >- - If this action is associated with any alerts, they can be - specified here. The action will be logged in any cases - associated with the specified alerts. Max of 50. + description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50. example: - alert-id-1 - alert-id-2 @@ -75534,9 +129414,7 @@ components: minItems: 1 type: array case_ids: - description: >- - The IDs of cases where the action taken will be logged. Max of - 50. + description: The IDs of cases where the action taken will be logged. Max of 50. example: - case-id-1 - case-id-2 @@ -75549,8 +129427,7 @@ components: comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: @@ -75588,9 +129465,7 @@ components: - minLength: 1 type: string Security_Endpoint_Management_API_WithOutputs: - description: >- - A list of action IDs that should include the complete output of the - action. Max of 50. + description: A list of action IDs that should include the complete output of the action. Max of 50. example: - action-id-1 - action-id-2 @@ -75612,8 +129487,7 @@ components: description: Business unit the asset belongs to. type: string criticality: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' description: The criticality level assigned to this asset. nullable: true environment: 
@@ -75669,10 +129543,7 @@ components: - extreme_impact type: string Security_Entity_Analytics_API_AssetCriticalityLevelsForBulkUpload: - description: >- - The criticality level of the asset for bulk upload. The value - `unassigned` is used to indicate that the criticality level is not - assigned and is only used for bulk upload. + description: The criticality level of the asset for bulk upload. The value `unassigned` is used to indicate that the criticality level is not assigned and is only used for bulk upload. enum: - low_impact - medium_impact @@ -75682,10 +129553,8 @@ components: type: string Security_Entity_Analytics_API_AssetCriticalityRecord: allOf: - - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_CreateAssetCriticalityRecord - - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordEcsParts + - $ref: '#/components/schemas/Security_Entity_Analytics_API_CreateAssetCriticalityRecord' + - $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordEcsParts' - type: object properties: '@timestamp': @@ -75713,8 +129582,7 @@ components: type: object properties: criticality: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' required: - asset entity: @@ -75724,8 +129592,7 @@ components: type: object properties: criticality: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' required: - criticality id: @@ -75739,8 +129606,7 @@ components: type: object properties: criticality: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' required: - criticality name: 
@@ -75754,8 +129620,7 @@ components: type: object properties: criticality: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' required: - criticality name: @@ -75769,8 +129634,7 @@ components: type: object properties: criticality: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' required: - criticality name: @@ -75836,13 +129700,11 @@ components: - errors Security_Entity_Analytics_API_CreateAssetCriticalityRecord: allOf: - - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordIdParts + - $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordIdParts' - type: object properties: criticality_level: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' required: - criticality_level Security_Entity_Analytics_API_DateRange: @@ -75853,17 +129715,13 @@ components: description: End of the lookback period (date math or ISO string, e.g. "now") type: string start: - description: >- - Start of the lookback period (date math or ISO string, e.g. - "now-10d") + description: Start of the lookback period (date math or ISO string, e.g. "now-10d") type: string required: - start - end Security_Entity_Analytics_API_EngineComponentResource: - description: >- - The type of Elasticsearch or Kibana resource backing an engine - component. + description: The type of Elasticsearch or Kibana resource backing an engine component. enum: - entity_engine - entity_definition 
@@ -75878,9 +129736,7 @@ components: - ilm_policy type: string Security_Entity_Analytics_API_EngineComponentStatus: - description: >- - Status of an individual Elasticsearch or Kibana resource backing an - engine. + description: Status of an individual Elasticsearch or Kibana resource backing an engine. type: object properties: errors: @@ -75911,10 +129767,9 @@ components: description: Whether the component is currently installed. type: boolean metadata: - $ref: '#/components/schemas/Security_Entity_Analytics_API_Metadata' + $ref: '#/components/schemas/Security_Entity_Analytics_API_TransformStatsMetadata' resource: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EngineComponentResource + $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineComponentResource' required: - id - installed @@ -75938,23 +129793,17 @@ components: required: - type Security_Entity_Analytics_API_EngineDescriptor: - description: >- - Describes a single entity engine, including its configuration and - current status. + description: Describes a single entity engine, including its configuration and current status. type: object properties: delay: default: 1m - description: >- - The delay before the transform processes new data, allowing - late-arriving documents to be included. + description: The delay before the transform processes new data, allowing late-arriving documents to be included. example: 1m pattern: '[smdh]$' type: string docsPerSecond: - description: >- - Throttle value for the number of documents processed per second. Use - -1 for no throttle. + description: Throttle value for the number of documents processed per second. Use -1 for no throttle. type: integer error: description: Present when the engine status is `error`. Describes the failure. 
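Review bot: In the `Security_Entity_Analytics_API_EngineDescriptor` hunk the `delay` property keeps `pattern: '[smdh]$'`, which is only anchored at the end, so a value such as `-1h` or `abc d` satisfies the published contract even though the description says it is a transform delay. The `Security_Entity_Analytics_API_Interval` schema further down in this same file uses the fully anchored form, so the two are inconsistent; aligning `delay` to `pattern: ^[1-9]\d*[smdh]$` would make the spec reject malformed durations the same way. This is a pre-existing context line rather than something the commit introduces, and the bundle looks generated, so the change presumably belongs in the source OpenAPI/schema file it is bundled from rather than here; whether the server-side validator is stricter than the spec cannot be seen from this hunk.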
@@ -75976,9 +129825,7 @@ components: example: 10 type: integer filter: - description: >- - An optional Kibana Query Language (KQL) filter applied to source - documents before aggregation. + description: An optional Kibana Query Language (KQL) filter applied to source documents before aggregation. example: 'host.name: "my-host"' type: string frequency: @@ -76045,10 +129892,7 @@ components: required: - entities Security_Entity_Analytics_API_Entity: - description: >- - An entity record from the Entity Store. The `entity` namespace is a - root-level field in the latest index, unlike source logs where it is - nested under `host`, `user`, or `service`. + description: An entity record from the Entity Store. The `entity` namespace is a root-level field in the latest index, unlike source logs where it is nested under `host`, `user`, or `service`. oneOf: - $ref: '#/components/schemas/Security_Entity_Analytics_API_UserEntity' - $ref: '#/components/schemas/Security_Entity_Analytics_API_HostEntity' @@ -76103,9 +129947,7 @@ components: - record Security_Entity_Analytics_API_EntityField: additionalProperties: false - description: >- - Core entity fields shared across all entity types. The `entity` - namespace is a root-level field in the Entity Store latest index. + description: Core entity fields shared across all entity types. The `entity` namespace is a root-level field in the Entity Store latest index. type: object properties: attributes: @@ -76117,9 +129959,7 @@ components: description: Whether the entity is classified as an asset. type: boolean managed: - description: >- - Whether the entity is managed (for example, via a directory - service). + description: Whether the entity is managed (for example, via a directory service). type: boolean mfa_enabled: description: Whether multi-factor authentication is enabled for the entity. 
@@ -76229,8 +130069,7 @@ components: type: object properties: calculated_level: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EntityRiskLevels + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityRiskLevels' description: Lexical description of the entity's risk. example: Critical calculated_score: @@ -76238,9 +130077,7 @@ components: format: double type: number calculated_score_norm: - description: >- - The normalized numeric value of the given entity's risk score. - Useful for comparing with other entities. + description: The normalized numeric value of the given entity's risk score. Useful for comparing with other entities. format: double maximum: 100 minimum: 0 @@ -76282,9 +130119,7 @@ components: format: double type: number calculated_score_norm: - description: >- - The normalized numeric value of the given entity's risk score. - Useful for comparing with other entities. + description: The normalized numeric value of the given entity's risk score. Useful for comparing with other entities. format: double maximum: 100 minimum: 0 @@ -76293,14 +130128,10 @@ components: description: Unique identifier for the scoring run that produced this document. type: string category_1_count: - description: >- - The number of risk input documents that contributed to the Category - 1 score (`category_1_score`). + description: The number of risk input documents that contributed to the Category 1 score (`category_1_score`). type: integer category_1_score: - description: >- - The contribution of Category 1 to the overall risk score - (`calculated_score`). Category 1 contains Detection Engine Alerts. + description: The contribution of Category 1 to the overall risk score (`calculated_score`). Category 1 contains Detection Engine Alerts. format: double type: number category_2_count: 
@@ -76309,27 +130140,20 @@ components: format: double type: number criticality_level: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel + $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' criticality_modifier: format: double type: number id_field: - description: >- - The identifier field defining this risk score. Coupled with - `id_value`, uniquely identifies the entity being scored. + description: The identifier field defining this risk score. Coupled with `id_value`, uniquely identifies the entity being scored. example: host.name type: string id_value: - description: >- - The identifier value defining this risk score. Coupled with - `id_field`, uniquely identifies the entity being scored. + description: The identifier value defining this risk score. Coupled with `id_field`, uniquely identifies the entity being scored. example: example.host type: string inputs: - description: >- - A list of the highest-risk documents contributing to this risk - score. Useful for investigative purposes. + description: A list of the highest-risk documents contributing to this risk score. Useful for investigative purposes. items: $ref: '#/components/schemas/Security_Entity_Analytics_API_RiskScoreInput' type: array @@ -76409,9 +130233,7 @@ components: - type: object Security_Entity_Analytics_API_GenericEntity: additionalProperties: false - description: >- - A generic entity record. Maps only the `entity` and `asset` namespaces. - Add additional field mappings here as needed. + description: A generic entity record. Maps only the `entity` and `asset` namespaces. Add additional field mappings here as needed. type: object properties: '@timestamp': 
@@ -76427,9 +130249,7 @@ components: - entity Security_Entity_Analytics_API_HostEntity: additionalProperties: false - description: >- - An entity record representing a host, stored in the Entity Store latest - index. + description: An entity record representing a host, stored in the Entity Store latest index. type: object properties: '@timestamp': @@ -76491,9 +130311,7 @@ components: type: string os: additionalProperties: false - description: >- - Elastic Common Schema (ECS) host.os fields collected on the - entity latest index. + description: Elastic Common Schema (ECS) host.os fields collected on the entity latest index. type: object properties: family: @@ -76519,8 +130337,7 @@ components: version: type: string risk: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord' type: description: Observed host types. items: @@ -76538,10 +130355,7 @@ components: - entity.id type: string Security_Entity_Analytics_API_IndexPattern: - description: >- - An additional Elasticsearch index pattern to include as a source for - entity data. Merged with the default data view indices when the engine - runs. + description: An additional Elasticsearch index pattern to include as a source for entity data. Merged with the default data view indices when the engine runs. example: logs-* type: string Security_Entity_Analytics_API_InspectQuery: 
@@ -76580,10 +130394,7 @@ components: description: Index to read latest sync markers from type: string Security_Entity_Analytics_API_Interval: - description: >- - Interval in which enrich policy runs. For example, `"1h"` means the rule - runs every hour. Must be less than or equal to half the duration of the - lookback period, + description: Interval in which enrich policy runs. For example, `"1h"` means the rule runs every hour. Must be less than or equal to half the duration of the lookback period, example: 1h pattern: ^[1-9]\d*[smh]$ type: string @@ -76595,11 +130406,8 @@ components: type: string type: array values: - description: > - Matcher values. Must be either an array of strings (e.g. group or - role names) or an array of booleans (e.g. integration-derived flags - like privileged_group_member). Mixed types are intentionally not - supported for simplicity and predictability. + description: | + Matcher values. Must be either an array of strings (e.g. group or role names) or an array of booleans (e.g. integration-derived flags like privileged_group_member). Mixed types are intentionally not supported for simplicity and predictability. oneOf: - items: type: string @@ -76611,12 +130419,10 @@ components: - fields - values Security_Entity_Analytics_API_Metadata: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_TransformStatsMetadata + $ref: '#/components/schemas/Security_Entity_Analytics_API_TransformStatsMetadata' Security_Entity_Analytics_API_MonitoredUserDoc: allOf: - - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_MonitoredUserUpdateDoc + - $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoredUserUpdateDoc' - type: object properties: '@timestamp': @@ -76656,8 +130462,7 @@ components: properties: labels: items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_MonitoringLabel + $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoringLabel' type: array id: type: string 
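Review bot: The rewritten `Security_Entity_Analytics_API_Interval` description is an unfinished sentence: it ends with "Must be less than or equal to half the duration of the lookback period," and a trailing comma, so the published docs stop mid-clause. The folding change that this hunk makes carries the defect across verbatim; the text should end with a period, e.g. `description: Interval in which enrich policy runs. For example, "1h" means the rule runs every hour. Must be less than or equal to half the duration of the lookback period.` or, if a condition was meant to follow, that clause should be restored. Since this file appears to be a generated bundle, the fix presumably belongs in the source spec the bundler reads.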
@@ -76694,19 +130499,15 @@ components: type: object properties: message: - description: >- - Error message typically only present if the engine is in error - state + description: Error message typically only present if the engine is in error state type: string status: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_PrivilegeMonitoringEngineStatus + $ref: '#/components/schemas/Security_Entity_Analytics_API_PrivilegeMonitoringEngineStatus' required: - status Security_Entity_Analytics_API_MonitoringEntitySource: allOf: - - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_MonitoringEntitySourceProperties + - $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoringEntitySourceProperties' - type: object properties: id: @@ -76718,8 +130519,7 @@ components: - managed Security_Entity_Analytics_API_MonitoringEntitySourceProperties: allOf: - - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_UpdateableMonitoringEntitySourceProperties + - $ref: '#/components/schemas/Security_Entity_Analytics_API_UpdateableMonitoringEntitySourceProperties' - type: object properties: managed: @@ -76834,9 +130634,7 @@ components: - category Security_Entity_Analytics_API_ServiceEntity: additionalProperties: false - description: >- - An entity record representing a service, stored in the Entity Store - latest index. + description: An entity record representing a service, stored in the Entity Store latest index. type: object properties: '@timestamp': @@ -76867,8 +130665,7 @@ components: description: Primary service name. type: string risk: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord' required: - name required: 
@@ -76996,9 +130793,7 @@ components: $ref: '#/components/schemas/Security_Entity_Analytics_API_EntitySourceType' Security_Entity_Analytics_API_UserEntity: additionalProperties: false - description: >- - An entity record representing a user, stored in the Entity Store latest - index. + description: An entity record representing a user, stored in the Entity Store latest index. type: object properties: '@timestamp': @@ -77052,8 +130847,7 @@ components: description: Primary user name. type: string risk: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord' additionalProperties: false roles: description: Observed roles assigned to the user. @@ -77080,9 +130874,7 @@ components: description: The field name for the label type: string source: - description: >- - The source where this label was created (api, csv, or - index_sync) + description: The source where this label was created (api, csv, or index_sync) enum: - api - csv @@ -77259,8 +131051,7 @@ components: * Hash entries: up to 3 (one for each hash type: md5, sha1, sha256) * Path entry: only 1 allowed items: - $ref: >- - #/components/schemas/Security_Exceptions_API_BlocklistHashOrPathEntry + $ref: '#/components/schemas/Security_Exceptions_API_BlocklistHashOrPathEntry' minItems: 1 type: array list_id: @@ -77291,8 +131082,7 @@ components: * Hash entries: up to 3 (one for each hash type: md5, sha1, sha256) * Path entry: only 1 allowed items: - $ref: >- - #/components/schemas/Security_Exceptions_API_BlocklistHashOrPathEntry + $ref: '#/components/schemas/Security_Exceptions_API_BlocklistHashOrPathEntry' minItems: 1 type: array list_id: 
@@ -77379,10 +131169,8 @@ components: * Code signature entry: only 1 allowed items: oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_BlocklistHashOrPathEntry - - $ref: >- - #/components/schemas/Security_Exceptions_API_BlocklistWindowsCodeSignatureEntry + - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistHashOrPathEntry' + - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistWindowsCodeSignatureEntry' minItems: 1 type: array list_id: @@ -77407,18 +131195,14 @@ components: type: object properties: comments: - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemCommentArray + $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemCommentArray' default: [] description: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemDescription + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemDescription' expire_time: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemExpireTime + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemExpireTime' item_id: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId' meta: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta' name: 
@@ -77434,21 +131218,16 @@ components: - description Security_Exceptions_API_CreateExceptionListItemBlocklistLinux: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_BlocklistLinuxProperties + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistLinuxProperties' Security_Exceptions_API_CreateExceptionListItemBlocklistMac: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistMacProperties' Security_Exceptions_API_CreateExceptionListItemBlocklistWindows: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_BlocklistWindowsProperties + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistWindowsProperties' Security_Exceptions_API_CreateExceptionListItemComment: type: object properties: 
@@ -77458,23 +131237,19 @@ components: - comment Security_Exceptions_API_CreateExceptionListItemCommentArray: items: - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemComment + $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemComment' type: array Security_Exceptions_API_CreateExceptionListItemEndpointList: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' - $ref: '#/components/schemas/Security_Exceptions_API_EndpointListProperties' Security_Exceptions_API_CreateExceptionListItemEventFilters: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' - $ref: '#/components/schemas/Security_Exceptions_API_EventFiltersProperties' Security_Exceptions_API_CreateExceptionListItemGeneric: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' - example: description: This is a sample detection type exception item. entries: 
@@ -77499,63 +131274,46 @@ components: type: object properties: entries: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray' list_id: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListHumanId + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' os_types: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray' default: [] tags: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemTags + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemTags' default: [] required: - list_id - entries Security_Exceptions_API_CreateExceptionListItemHostIsolation: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' - $ref: '#/components/schemas/Security_Exceptions_API_HostIsolationProperties' Security_Exceptions_API_CreateExceptionListItemTrustedAppsLinux: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppsLinuxProperties + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppsLinuxProperties' Security_Exceptions_API_CreateExceptionListItemTrustedAppsMac: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppsMacProperties + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppsMacProperties' 
Security_Exceptions_API_CreateExceptionListItemTrustedAppsWindows: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppsWindowsProperties + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppsWindowsProperties' Security_Exceptions_API_CreateExceptionListItemTrustedDevicesMac: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedDevicesMacProperties + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedDevicesMacProperties' Security_Exceptions_API_CreateExceptionListItemTrustedDevicesWindows: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedDevicesWindowsProperties + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedDevicesWindowsProperties' Security_Exceptions_API_CreateExceptionListItemTrustedDevicesWindowsMac: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedDevicesWindowsMacProperties + - $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedDevicesWindowsMacProperties' Security_Exceptions_API_CreateRuleExceptionListItemComment: type: object properties: 
@@ -77565,28 +131323,23 @@ components: - comment Security_Exceptions_API_CreateRuleExceptionListItemCommentArray: items: - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemComment + $ref: '#/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemComment' type: array Security_Exceptions_API_CreateRuleExceptionListItemProps: type: object properties: comments: - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemCommentArray + $ref: '#/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemCommentArray' default: [] description: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemDescription + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemDescription' entries: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray' expire_time: format: date-time type: string item_id: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId' meta: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta' name: @@ -77595,8 +131348,7 @@ components: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' default: single os_types: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray' default: [] tags: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemTags' 
@@ -77610,15 +131362,10 @@ components: - entries Security_Exceptions_API_EndpointArtifactTags: default: [] - description: > + description: | Tags for categorization. Special tags for scope control: - - * `"policy:all"` - Global artifact (applies to all Elastic Defend - policies) - - * `"policy:"` - Private artifact (applies to specific Elastic - Defend policy only, where `` is the Elastic Defend - integration policy ID) + * `"policy:all"` - Global artifact (applies to all Elastic Defend policies) + * `"policy:"` - Private artifact (applies to specific Elastic Defend policy only, where `` is the Elastic Defend integration policy ID) items: type: string type: array @@ -77627,24 +131374,18 @@ components: type: object properties: entries: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray - description: > - Exception entries for endpoint security exceptions (used to prevent - detection rule alerts). - + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray' + description: | + Exception entries for endpoint security exceptions (used to prevent detection rule alerts). - **Fully flexible:** Supports any field name for maximum - compatibility with detection rules. No field restrictions are - enforced. + **Fully flexible:** Supports any field name for maximum compatibility with detection rules. No field restrictions are enforced. list_id: enum: - endpoint_list example: endpoint_list type: string os_types: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray' default: [] tags: $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' 
@@ -77655,16 +131396,11 @@ components: type: object properties: entries: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray - description: > + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray' + description: | Exception entries for the event filter. - - **Flexible field support:** Any event field name is allowed (e.g., - `process.name`, `file.path`, `event.action`, `dns.question.name`, - etc.) - + **Flexible field support:** Any event field name is allowed (e.g., `process.name`, `file.path`, `event.action`, `dns.question.name`, etc.) **Minimum requirement:** At least 1 entry required list_id: @@ -77673,8 +131409,7 @@ components: example: endpoint_event_filters type: string os_types: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray' default: [] tags: $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' @@ -77684,10 +131419,7 @@ components: type: object properties: _version: - description: >- - The version id, normally returned by the API when the item was - retrieved. Use it ensure updates are done against the latest - version. + description: The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version. type: string created_at: description: Autogenerated date of object creation. @@ -77697,8 +131429,7 @@ components: description: Autogenerated value - user that created object. type: string description: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListDescription + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListDescription' id: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' immutable: 
@@ -77712,14 +131443,11 @@ components: namespace_type: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' os_types: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray' tags: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListTags' tie_breaker_id: - description: >- - Field used in search to ensure all containers are sorted and - returned correctly. + description: Field used in search to ensure all containers are sorted and returned correctly. type: string type: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListType' 
@@ -77751,30 +131479,17 @@ components: example: This list tracks allowlisted values. type: string Security_Exceptions_API_ExceptionListHumanId: - description: > + description: | The exception list's human-readable string identifier. - For endpoint artifacts, use one of the following values: - - * `endpoint_list`: [Elastic Endpoint exception - list](https://www.elastic.co/docs/solutions/security/detect-and-alert/add-manage-exceptions) - - * `endpoint_trusted_apps`: [Trusted applications - list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/trusted-applications) - - * `endpoint_trusted_devices`: [Trusted devices - list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/trusted-devices) - - * `endpoint_event_filters`: [Event filters - list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/event-filters) - - * `endpoint_host_isolation_exceptions`: [Host isolation exceptions - list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/host-isolation-exceptions) - - * `endpoint_blocklists`: [Blocklists - list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/blocklist) + * `endpoint_list`: [Elastic Endpoint exception list](https://www.elastic.co/docs/solutions/security/detect-and-alert/add-manage-exceptions) + * `endpoint_trusted_apps`: [Trusted applications list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/trusted-applications) + * `endpoint_trusted_devices`: [Trusted devices list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/trusted-devices) + * `endpoint_event_filters`: [Event filters list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/event-filters) + * `endpoint_host_isolation_exceptions`: [Host isolation exceptions list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/host-isolation-exceptions) + * `endpoint_blocklists`: [Blocklists 
list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/blocklist) example: simple_list format: nonempty minLength: 1 @@ -77789,14 +131504,10 @@ components: type: object properties: _version: - description: >- - The version id, normally returned by the API when the item was - retrieved. Use it ensure updates are done against the latest - version. + description: The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version. type: string comments: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemCommentArray + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemCommentArray' created_at: description: Autogenerated date of object creation. format: date-time @@ -77805,19 +131516,15 @@ components: description: Autogenerated value - user that created object. type: string description: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemDescription + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemDescription' entries: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray' expire_time: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemExpireTime + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemExpireTime' id: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' item_id: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId' list_id: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' meta: 
@@ -77827,14 +131534,11 @@ components: namespace_type: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' os_types: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray' tags: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemTags' tie_breaker_id: - description: >- - Field used in search to ensure all containers are sorted and - returned correctly. + description: Field used in search to ensure all containers are sorted and returned correctly. type: string type: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemType' @@ -77897,18 +131601,12 @@ components: type: string Security_Exceptions_API_ExceptionListItemEntry: anyOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatch - - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchAny - - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryList - - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryExists - - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryNested - - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchWildcard + - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatch' + - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchAny' + - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryList' + - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryExists' + - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryNested' + - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchWildcard' discriminator: propertyName: type Security_Exceptions_API_ExceptionListItemEntryArray: 
@@ -77921,8 +131619,7 @@ components: field: $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' operator: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator' type: enum: - exists @@ -77947,8 +131644,7 @@ components: - id - type operator: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator' type: enum: - list @@ -77964,8 +131660,7 @@ components: field: $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' operator: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator' type: enum: - match @@ -77983,8 +131678,7 @@ components: field: $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' operator: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator' type: enum: - match_any @@ -78005,8 +131699,7 @@ components: field: $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' operator: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator' type: enum: - wildcard @@ -78023,8 +131716,7 @@ components: properties: entries: items: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryNestedEntryItem + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryNestedEntryItem' minItems: 1 type: array field: 
@@ -78039,21 +131731,16 @@ components: - entries Security_Exceptions_API_ExceptionListItemEntryNestedEntryItem: oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatch - - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchAny - - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryExists + - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatch' + - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchAny' + - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryExists' Security_Exceptions_API_ExceptionListItemEntryOperator: enum: - excluded - included type: string Security_Exceptions_API_ExceptionListItemExpireTime: - description: >- - The exception item’s expiration date, in ISO format. This field is only - available for regular exception items, not endpoint exceptions. + description: The exception item’s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions. format: date-time type: string Security_Exceptions_API_ExceptionListItemHumanId: @@ -78082,9 +131769,7 @@ components: type: array Security_Exceptions_API_ExceptionListItemTags: items: - description: >- - String array containing words and phrases to help categorize exception - items. + description: String array containing words and phrases to help categorize exception items. format: nonempty minLength: 1 type: string 
@@ -78129,28 +131814,22 @@ components: id: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' item_id: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId' list_id: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' required: - error Security_Exceptions_API_ExceptionListsImportBulkErrorArray: items: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListsImportBulkError + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListsImportBulkError' type: array Security_Exceptions_API_ExceptionListTags: - description: >- - String array containing words and phrases to help categorize exception - containers. + description: String array containing words and phrases to help categorize exception containers. items: type: string type: array Security_Exceptions_API_ExceptionListType: - description: >- - The type of exception list to be created. Different list types may - denote where they can be utilized. + description: The type of exception list to be created. Different list types may denote where they can be utilized. enum: - detection - rule_default 
@@ -78166,21 +131845,14 @@ components: minimum: 1 type: integer Security_Exceptions_API_ExceptionNamespaceType: - description: > - Determines whether the exception container is available in all Kibana - spaces or just the space - + description: | + Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where: - - `single`: Only available in the Kibana space in which it is created. - - `agnostic`: Available in all Kibana spaces. - - For endpoint artifacts, the `namespace_type` must always be `agnostic`. - Space awareness for endpoint artifacts is enforced based on Elastic - Defend policy assignments. + For endpoint artifacts, the `namespace_type` must always be `agnostic`. Space awareness for endpoint artifacts is enforced based on Elastic Defend policy assignments. enum: - agnostic - single 
@@ -78195,14 +131867,560 @@ components: type: object properties: entries: - description: Exactly one entry allowed for host isolation exceptions + description: Exactly one entry allowed for host isolation exceptions + items: + type: object + properties: + field: + description: Must be destination.ip + enum: + - destination.ip + type: string + operator: + description: Must be the value "included" + enum: + - included + type: string + type: + description: Must be match + enum: + - match + type: string + value: + description: Valid IPv4 address or CIDR notation (e.g., "192.168.1.1" or "10.0.0.0/8") + type: string + required: + - field + - type + - value + - operator + maxItems: 1 + minItems: 1 + type: array + list_id: + enum: + - endpoint_host_isolation_exceptions + example: endpoint_host_isolation_exceptions + type: string + os_types: + description: Must include all three operating systems (windows, linux, macos) + items: + enum: + - windows + - linux + - macos + type: string + maxItems: 3 + minItems: 3 + type: array + tags: + $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' + required: + - list_id + Security_Exceptions_API_ListId: + description: Value list's identifier. + example: 21b01cfb-058d-44b9-838c-282be16c91cd + format: nonempty + minLength: 1 + type: string + Security_Exceptions_API_ListType: + description: | + Specifies the Elasticsearch data type of excludes the list container holds. 
Some common examples: + + - `keyword`: Many ECS fields are Elasticsearch keywords + - `ip`: IP addresses + - `ip_range`: Range of IP addresses (supports IPv4, IPv6, and CIDR notation) + enum: + - binary + - boolean + - byte + - date + - date_nanos + - date_range + - double + - double_range + - float + - float_range + - geo_point + - geo_shape + - half_float + - integer + - integer_range + - ip + - ip_range + - keyword + - long + - long_range + - shape + - short + - text + type: string + Security_Exceptions_API_NonEmptyString: + description: A string that does not contain only whitespace characters + format: nonempty + minLength: 1 + type: string + Security_Exceptions_API_PlatformErrorResponse: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: integer + required: + - statusCode + - error + - message + Security_Exceptions_API_RuleId: + $ref: '#/components/schemas/Security_Exceptions_API_UUID' + Security_Exceptions_API_SiemErrorResponse: + type: object + properties: + message: + type: string + status_code: + type: integer + required: + - status_code + - message + Security_Exceptions_API_TrustedAppHashEntry: + type: object + properties: + field: + description: Process hash field + enum: + - process.hash.md5 + - process.hash.sha1 + - process.hash.sha256 + type: string + operator: + enum: + - included + type: string + type: + description: Hash entries only support match type + enum: + - match + type: string + value: + description: Hash value (MD5, SHA1, or SHA256) + type: string + required: + - field + - type + - value + - operator + Security_Exceptions_API_TrustedAppMacCodeSignatureEntry: + type: object + properties: + entries: + description: Must include exactly 2 entries - one for subject_name and one for trusted + items: + oneOf: + - type: object + properties: + field: + enum: + - subject_name + type: string + operator: + enum: + - included + type: string + type: + enum: + - match + type: string + value: + 
description: Certificate subject name + type: string + required: + - field + - type + - value + - operator + - type: object + properties: + field: + enum: + - trusted + type: string + operator: + enum: + - included + type: string + type: + enum: + - match + type: string + value: + description: Must be the string 'true' + enum: + - 'true' + type: string + required: + - field + - type + - value + - operator + maxItems: 2 + minItems: 2 + type: array + field: + description: macOS code signature field + enum: + - process.code_signature + type: string + type: + enum: + - nested + type: string + required: + - field + - type + - entries + Security_Exceptions_API_TrustedAppPathEntry: + type: object + properties: + field: + description: Process executable path field + enum: + - process.executable.caseless + type: string + operator: + enum: + - included + type: string + type: + description: Path supports both match and wildcard types + enum: + - match + - wildcard + type: string + value: + description: Executable path + type: string + required: + - field + - type + - value + - operator + Security_Exceptions_API_TrustedAppsLinuxProperties: + description: Trusted applications list item properties (Linux). + type: object + properties: + entries: + description: Process hash or executable path entries (code signature not supported on Linux) + items: + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppHashEntry' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppPathEntry' + minItems: 1 + type: array + list_id: + enum: + - endpoint_trusted_apps + example: endpoint_trusted_apps + type: string + os_types: + description: Must be Linux only + items: + enum: + - linux + type: string + maxItems: 1 + minItems: 1 + type: array + tags: + $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' + required: + - list_id + Security_Exceptions_API_TrustedAppsMacProperties: + description: Trusted applications list item properties (macOS). 
+ type: object + properties: + entries: + description: Process hash, executable path, or code signature entries + items: + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppHashEntry' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppPathEntry' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppMacCodeSignatureEntry' + minItems: 1 + type: array + list_id: + enum: + - endpoint_trusted_apps + example: endpoint_trusted_apps + type: string + os_types: + description: Must be macOS only + items: + enum: + - macos + type: string + maxItems: 1 + minItems: 1 + type: array + tags: + $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' + required: + - list_id + Security_Exceptions_API_TrustedAppsWindowsProperties: + description: Trusted applications list item properties (Windows). + type: object + properties: + entries: + description: Process hash, executable path, or code signature entries + items: + oneOf: + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppHashEntry' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppPathEntry' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppWindowsCodeSignatureEntry' + minItems: 1 + type: array + list_id: + enum: + - endpoint_trusted_apps + example: endpoint_trusted_apps + type: string + os_types: + description: Must be Windows only + items: + enum: + - windows + type: string + maxItems: 1 + minItems: 1 + type: array + tags: + $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' + required: + - list_id + Security_Exceptions_API_TrustedAppWindowsCodeSignatureEntry: + type: object + properties: + entries: + description: Must include exactly 2 entries - one for subject_name and one for trusted + items: + oneOf: + - type: object + properties: + field: + enum: + - subject_name + type: string + operator: + enum: + - included + type: string + type: + enum: + - match + type: string + value: + description: 
Certificate subject name + type: string + required: + - field + - type + - value + - operator + - type: object + properties: + field: + enum: + - trusted + type: string + operator: + enum: + - included + type: string + type: + enum: + - match + type: string + value: + description: Must be the string 'true' + enum: + - 'true' + type: string + required: + - field + - type + - value + - operator + maxItems: 2 + minItems: 2 + type: array + field: + description: Windows code signature field + enum: + - process.Ext.code_signature + type: string + type: + enum: + - nested + type: string + required: + - field + - type + - entries + Security_Exceptions_API_TrustedDevicesMacProperties: + description: Trusted devices list item properties (macOS-only, username not supported). + type: object + properties: + entries: + description: Exception entries for the trusted device (duplicate field entries are not allowed) + items: + type: object + properties: + field: + description: Device field to match against + enum: + - device.serial_number + - device.type + - host.name + - device.vendor.name + - device.vendor.id + - device.product.id + - device.product.name + type: string + operator: + description: Must be the value "included" + enum: + - included + type: string + type: + description: Entry match type + enum: + - match + - wildcard + - match_any + type: string + value: + oneOf: + - description: Single value (used with match or wildcard) + type: string + - description: Array of values (used with match_any) + items: + type: string + minItems: 1 + type: array + required: + - field + - type + - value + - operator + minItems: 1 + type: array + list_id: + enum: + - endpoint_trusted_devices + example: endpoint_trusted_devices + type: string + os_types: + description: macOS-only + items: + enum: + - macos + type: string + maxItems: 1 + minItems: 1 + type: array + tags: + $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' + required: + - list_id + 
Security_Exceptions_API_TrustedDevicesWindowsMacProperties: + description: Trusted devices list item properties (Windows + macOS, username not supported). + type: object + properties: + entries: + description: Exception entries for the trusted device (duplicate field entries are not allowed, username not available when targeting both OS) + items: + type: object + properties: + field: + description: Device field to match against (username not available for multi-OS) + enum: + - device.serial_number + - device.type + - host.name + - device.vendor.name + - device.vendor.id + - device.product.id + - device.product.name + type: string + operator: + description: Must be the value "included" + enum: + - included + type: string + type: + description: Entry match type + enum: + - match + - wildcard + - match_any + type: string + value: + oneOf: + - description: Single value (used with match or wildcard) + type: string + - description: Array of values (used with match_any) + items: + type: string + minItems: 1 + type: array + required: + - field + - type + - value + - operator + minItems: 1 + type: array + list_id: + enum: + - endpoint_trusted_devices + example: endpoint_trusted_devices + type: string + os_types: + description: Must include both Windows and macOS (username field not allowed) + items: + enum: + - windows + - macos + type: string + maxItems: 2 + minItems: 2 + type: array + tags: + $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' + required: + - list_id + Security_Exceptions_API_TrustedDevicesWindowsProperties: + description: Trusted devices list item properties (Windows-only, allows username field). 
+ type: object + properties: + entries: + description: Exception entries for the trusted device (duplicate field entries are not allowed) items: type: object properties: field: - description: Must be destination.ip + description: Device field to match against (user.name is Windows-only) enum: - - destination.ip + - device.serial_number + - device.type + - host.name + - device.vendor.name + - device.vendor.id + - device.product.id + - device.product.name + - user.name type: string operator: description: Must be the value "included" 
@@ -78210,61 +132428,394 @@ components: - included type: string type: - description: Must be match + description: Entry match type enum: - match + - wildcard + - match_any type: string value: - description: >- - Valid IPv4 address or CIDR notation (e.g., "192.168.1.1" or - "10.0.0.0/8") - type: string + oneOf: + - description: Single value (used with match or wildcard) + type: string + - description: Array of values (used with match_any) + items: + type: string + minItems: 1 + type: array required: - field - type - value - operator - maxItems: 1 minItems: 1 type: array list_id: enum: - - endpoint_host_isolation_exceptions - example: endpoint_host_isolation_exceptions + - endpoint_trusted_devices + example: endpoint_trusted_devices type: string os_types: - description: Must include all three operating systems (windows, linux, macos) + description: Must be Windows-only to allow username field items: enum: - windows - - linux - - macos type: string - maxItems: 3 - minItems: 3 + maxItems: 1 + minItems: 1 type: array tags: $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' required: - list_id - Security_Exceptions_API_ListId: + Security_Exceptions_API_UpdateExceptionListItemBase: + type: object + properties: + _version: + description: The version ID, normally returned by the API when the item is retrieved. Use it to ensure updates are made against the latest version. 
+ type: string + comments: + $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemCommentArray' + default: [] + description: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemDescription' + expire_time: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemExpireTime' + id: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' + description: Either `id` or `item_id` must be specified + item_id: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId' + description: Either `id` or `item_id` must be specified + meta: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta' + name: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemName' + namespace_type: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + default: single + type: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemType' + required: + - type + - name + - description + Security_Exceptions_API_UpdateExceptionListItemBlocklistLinux: + allOf: + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistLinuxProperties' + Security_Exceptions_API_UpdateExceptionListItemBlocklistMac: + allOf: + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistMacProperties' + Security_Exceptions_API_UpdateExceptionListItemBlocklistWindows: + allOf: + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistWindowsProperties' + Security_Exceptions_API_UpdateExceptionListItemComment: + type: object + properties: + comment: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + id: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' 
+ required: + - comment + Security_Exceptions_API_UpdateExceptionListItemCommentArray: + items: + $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemComment' + type: array + Security_Exceptions_API_UpdateExceptionListItemEndpointList: + allOf: + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_EndpointListProperties' + Security_Exceptions_API_UpdateExceptionListItemEventFilters: + allOf: + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_EventFiltersProperties' + Security_Exceptions_API_UpdateExceptionListItemGeneric: + allOf: + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' + - example: + comments: [] + description: Updated description + entries: + - field: host.name + operator: included + type: match + value: rock01 + item_id: simple_list_item + name: Updated name + namespace_type: single + tags: [] + type: simple + type: object + properties: + entries: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray' + list_id: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + os_types: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray' + default: [] + tags: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemTags' + required: + - entries + Security_Exceptions_API_UpdateExceptionListItemHostIsolation: + allOf: + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_HostIsolationProperties' + Security_Exceptions_API_UpdateExceptionListItemTrustedAppsLinux: + allOf: + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppsLinuxProperties' + 
Security_Exceptions_API_UpdateExceptionListItemTrustedAppsMac: + allOf: + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppsMacProperties' + Security_Exceptions_API_UpdateExceptionListItemTrustedAppsWindows: + allOf: + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppsWindowsProperties' + Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesMac: + allOf: + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedDevicesMacProperties' + Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesWindows: + allOf: + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedDevicesWindowsProperties' + Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesWindowsMac: + allOf: + - $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase' + - $ref: '#/components/schemas/Security_Exceptions_API_TrustedDevicesWindowsMacProperties' + Security_Exceptions_API_UUID: + description: A universally unique identifier + format: uuid + type: string + Security_Lists_API_FindListItemsCursor: + description: Returns the items that come after the last item returned in the previous call (use the `cursor` value returned in the previous call). This parameter uses the `tie_breaker_id` field to ensure all items are sorted and returned correctly. 
+ example: WzIwLFsiYjU3Yzc2MmMtMzAzNi00NjVjLTliZmItN2JmYjVlNmU1MTVhIl1d + format: nonempty + minLength: 1 + type: string + Security_Lists_API_FindListItemsFilter: + example: value:127.0.0.1 + type: string + Security_Lists_API_FindListsCursor: + example: WzIwLFsiYjU3Yzc2MmMtMzAzNi00NjVjLTliZmItN2JmYjVlNmU1MTVhIl1d + format: nonempty + minLength: 1 + type: string + Security_Lists_API_FindListsFilter: + example: value:127.0.0.1 + type: string + Security_Lists_API_List: + type: object + properties: + _version: + $ref: '#/components/schemas/Security_Lists_API_ListVersionId' + '@timestamp': + example: '2025-01-08T04:47:34.273Z' + format: date-time + type: string + created_at: + description: Autogenerated date of object creation. + example: '2025-01-08T04:47:34.273Z' + format: date-time + type: string + created_by: + description: Autogenerated value - user that created object. + example: elastic + type: string + description: + $ref: '#/components/schemas/Security_Lists_API_ListDescription' + id: + $ref: '#/components/schemas/Security_Lists_API_ListId' + immutable: + type: boolean + meta: + $ref: '#/components/schemas/Security_Lists_API_ListMetadata' + name: + $ref: '#/components/schemas/Security_Lists_API_ListName' + tie_breaker_id: + description: Field used in search to ensure all containers are sorted and returned correctly. + example: f5508188-b1e9-4e6e-9662-d039a7d89899 + type: string + type: + $ref: '#/components/schemas/Security_Lists_API_ListType' + updated_at: + description: Autogenerated date of last object update. + example: '2025-01-08T04:47:34.273Z' + format: date-time + type: string + updated_by: + description: Autogenerated value - user that last updated object. 
+ example: elastic + type: string + version: + $ref: '#/components/schemas/Security_Lists_API_ListVersion' + required: + - id + - type + - name + - description + - immutable + - version + - tie_breaker_id + - created_at + - created_by + - updated_at + - updated_by + Security_Lists_API_ListDescription: + description: Describes the value list. + format: nonempty + minLength: 1 + type: string + Security_Lists_API_ListId: description: Value list's identifier. example: 21b01cfb-058d-44b9-838c-282be16c91cd format: nonempty minLength: 1 type: string - Security_Exceptions_API_ListType: - description: > - Specifies the Elasticsearch data type of excludes the list container - holds. Some common examples: - + Security_Lists_API_ListItem: + type: object + properties: + _version: + $ref: '#/components/schemas/Security_Lists_API_ListVersionId' + '@timestamp': + example: '2025-01-08T04:47:34.273Z' + format: date-time + type: string + created_at: + description: Autogenerated date of object creation. + example: '2025-01-08T04:47:34.273Z' + format: date-time + type: string + created_by: + description: Autogenerated value - user that created object. + example: elastic + type: string + id: + $ref: '#/components/schemas/Security_Lists_API_ListItemId' + list_id: + $ref: '#/components/schemas/Security_Lists_API_ListId' + meta: + $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' + tie_breaker_id: + description: Field used in search to ensure all containers are sorted and returned correctly. + example: f5508188-b1e9-4e6e-9662-d039a7d89899 + type: string + type: + $ref: '#/components/schemas/Security_Lists_API_ListType' + updated_at: + description: Autogenerated date of last object update. + example: '2025-01-08T04:47:34.273Z' + format: date-time + type: string + updated_by: + description: Autogenerated value - user that last updated object. 
+ example: elastic + type: string + value: + $ref: '#/components/schemas/Security_Lists_API_ListItemValue' + required: + - id + - type + - list_id + - value + - tie_breaker_id + - created_at + - created_by + - updated_at + - updated_by + Security_Lists_API_ListItemId: + description: Value list item's identifier. + example: 54b01cfb-058d-44b9-838c-282be16c91cd + format: nonempty + minLength: 1 + type: string + Security_Lists_API_ListItemMetadata: + additionalProperties: true + description: Placeholder for metadata about the value list item. + type: object + Security_Lists_API_ListItemPrivileges: + type: object + properties: + application: + additionalProperties: + type: boolean + type: object + cluster: + additionalProperties: + type: boolean + type: object + has_all_requested: + type: boolean + index: + additionalProperties: + additionalProperties: + type: boolean + type: object + type: object + username: + type: string + required: + - username + - has_all_requested + - cluster + - index + - application + Security_Lists_API_ListItemValue: + description: The value used to evaluate exceptions. + format: nonempty + minLength: 1 + type: string + Security_Lists_API_ListMetadata: + additionalProperties: true + description: Placeholder for metadata about the value list. + type: object + Security_Lists_API_ListName: + description: Value list's name. 
+ example: List of bad IPs + format: nonempty + minLength: 1 + type: string + Security_Lists_API_ListPrivileges: + type: object + properties: + application: + additionalProperties: + type: boolean + type: object + cluster: + additionalProperties: + type: boolean + type: object + has_all_requested: + type: boolean + index: + additionalProperties: + additionalProperties: + type: boolean + type: object + type: object + username: + type: string + required: + - username + - has_all_requested + - cluster + - index + - application + Security_Lists_API_ListType: + description: | + Specifies the Elasticsearch data type of excludes the list container holds. Some common examples: - `keyword`: Many ECS fields are Elasticsearch keywords - - `ip`: IP addresses - - - `ip_range`: Range of IP addresses (supports IPv4, IPv6, and CIDR - notation) + - `ip_range`: Range of IP addresses (supports IPv4, IPv6, and CIDR notation) enum: - binary - boolean @@ -78290,12 +132841,17 @@ components: - short - text type: string - Security_Exceptions_API_NonEmptyString: - description: A string that does not contain only whitespace characters - format: nonempty - minLength: 1 + Security_Lists_API_ListVersion: + description: The document version number. + example: 1 + minimum: 1 + type: integer + Security_Lists_API_ListVersionId: + description: | + The version id, normally returned by the API when the document is retrieved. Use it ensure updates are done against the latest version. + example: WzIsMV0= type: string - Security_Exceptions_API_PlatformErrorResponse: + Security_Lists_API_PlatformErrorResponse: type: object properties: error: @@ -78308,9 +132864,7 @@ components: - statusCode - error - message - Security_Exceptions_API_RuleId: - $ref: '#/components/schemas/Security_Exceptions_API_UUID' - Security_Exceptions_API_SiemErrorResponse: + Security_Lists_API_SiemErrorResponse: type: object properties: message: 
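Review bot: In `Security_Exceptions_API_TrustedDevicesWindowsProperties` the `value` schema is a free `oneOf` of string and string-array, so the pairing the descriptions promise ("used with match or wildcard" / "used with match_any") is not expressed by the schema: an entry with `type: match_any` and a scalar `value`, or `type: match` with an array, validates against this spec even if the server rejects it. If the endpoint enforces the pairing, state it in the `entries` description (e.g. `description: Exception entries for the trusted device (duplicate field entries are not allowed; value must be a string for match/wildcard and an array for match_any)`), or model the entry as a `oneOf` of two entry objects discriminated by `type`; the `WindowsMac` variant in the preceding hunk has the same shape. Separately, the re-flowed `Security_Lists_API_ListType` description carries forward the garbled sentence `Specifies the Elasticsearch data type of excludes the list container holds.`; `Specifies the Elasticsearch data type of the values the list container holds.` reads as intended. If this bundle is generated from the per-domain schema files, both fixes belong in the source schemas rather than in this output.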
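Review bot: The new `Security_Lists_API_ListVersionId` description drops a word: `Use it ensure updates are done against the latest version.` should read `Use it to ensure updates are done against the latest version.`. If this bundle is generated from the per-domain schema files, the fix belongs in the source schema rather than in this output.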
@@ -78318,1019 +132872,1738 @@ components: status_code: type: integer required: - - status_code - - message - Security_Exceptions_API_TrustedAppHashEntry: + - status_code + - message + Security_Osquery_API_ArrayQueries: + description: An array of queries to run. + items: + $ref: '#/components/schemas/Security_Osquery_API_ArrayQueriesItem' + type: array + Security_Osquery_API_ArrayQueriesItem: + type: object + properties: + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' + id: + $ref: '#/components/schemas/Security_Osquery_API_QueryId' + platform: + $ref: '#/components/schemas/Security_Osquery_API_Platform' + query: + $ref: '#/components/schemas/Security_Osquery_API_Query' + removed: + $ref: '#/components/schemas/Security_Osquery_API_Removed' + snapshot: + $ref: '#/components/schemas/Security_Osquery_API_Snapshot' + version: + $ref: '#/components/schemas/Security_Osquery_API_Version' + Security_Osquery_API_CopyPacksResponse: + description: The response for copying a pack. 
+ example: + data: + created_at: '2025-02-26T13:37:30.452Z' + created_by: elastic + description: My pack + enabled: false + name: my_pack_copy + policy_ids: [] + queries: + - ecs_mapping: + - key: client.port + value: + field: port + id: ports + interval: 60 + query: SELECT * FROM listening_ports; + removed: false + snapshot: true + timeout: 120 + saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 + shards: [] + updated_at: '2025-02-26T13:37:30.452Z' + updated_by: elastic + type: object + properties: + data: + type: object + properties: + created_at: + format: date-time + type: string + created_by: + nullable: true + type: string + created_by_profile_uid: + type: string + description: + $ref: '#/components/schemas/Security_Osquery_API_PackDescription' + enabled: + $ref: '#/components/schemas/Security_Osquery_API_Enabled' + name: + $ref: '#/components/schemas/Security_Osquery_API_PackName' + policy_ids: + $ref: '#/components/schemas/Security_Osquery_API_PolicyIds' + queries: + description: 'Pack queries in saved-object storage format (array). Note: the read endpoint returns object format.' + items: + type: object + properties: + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMappingArray' + id: + type: string + interval: + type: integer + platform: + type: string + query: + type: string + removed: + type: boolean + snapshot: + type: boolean + timeout: + type: integer + version: + type: string + type: array + saved_object_id: + description: The saved object ID of the copied pack. + type: string + shards: + description: Shard configuration as an array of key-value pairs. + items: + type: object + properties: + key: + type: string + value: + type: number + type: array + updated_at: + format: date-time + type: string + updated_by: + nullable: true + type: string + updated_by_profile_uid: + type: string + version: + description: The pack version number. 
+ type: integer + required: + - saved_object_id + - name + required: + - data + Security_Osquery_API_CopySavedQueryResponse: + description: The response for copying a saved query. + example: + data: + created_at: '2025-02-26T13:37:30.452Z' + created_by: elastic + description: Saved query description + ecs_mapping: + host.uptime: + field: total_seconds + id: my_saved_query_copy + interval: '60' + platform: linux,darwin + query: select * from uptime; + removed: false + saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c + snapshot: true + timeout: 120 + updated_at: '2025-02-26T13:37:30.452Z' + updated_by: elastic type: object properties: - field: - description: Process hash field - enum: - - process.hash.md5 - - process.hash.sha1 - - process.hash.sha256 - type: string - operator: - enum: - - included - type: string - type: - description: Hash entries only support match type - enum: - - match - type: string - value: - description: Hash value (MD5, SHA1, or SHA256) - type: string + data: + type: object + properties: + created_at: + format: date-time + type: string + created_by: + nullable: true + type: string + created_by_profile_uid: + type: string + description: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription' + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' + id: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + interval: + oneOf: + - type: integer + - type: string + platform: + $ref: '#/components/schemas/Security_Osquery_API_Platform' + query: + $ref: '#/components/schemas/Security_Osquery_API_Query' + removed: + $ref: '#/components/schemas/Security_Osquery_API_Removed' + saved_object_id: + type: string + snapshot: + $ref: '#/components/schemas/Security_Osquery_API_Snapshot' + timeout: + type: integer + updated_at: + format: date-time + type: string + updated_by: + nullable: true + type: string + updated_by_profile_uid: + type: string + required: + - saved_object_id + - id required: - - field 
- - type - - value - - operator - Security_Exceptions_API_TrustedAppMacCodeSignatureEntry: + - data + Security_Osquery_API_CreateLiveQueryRequestBody: + example: + agent_all: true + ecs_mapping: + host.uptime: + field: total_seconds + query: select * from uptime; type: object properties: - entries: - description: >- - Must include exactly 2 entries - one for subject_name and one for - trusted + agent_all: + description: When `true`, the query runs on all agents. + type: boolean + agent_ids: + description: A list of agent IDs to run the query on. items: - oneOf: - - type: object + type: string + type: array + agent_platforms: + description: A list of agent platforms to run the query on. + items: + type: string + type: array + agent_policy_ids: + description: A list of agent policy IDs to run the query on. + items: + type: string + type: array + alert_ids: + description: A list of alert IDs associated with the live query. + items: + type: string + type: array + case_ids: + description: A list of case IDs associated with the live query. + items: + type: string + type: array + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' + event_ids: + description: A list of event IDs associated with the live query. + items: + type: string + type: array + metadata: + description: Custom metadata object associated with the live query. + nullable: true + type: object + pack_id: + $ref: '#/components/schemas/Security_Osquery_API_PackId' + queries: + $ref: '#/components/schemas/Security_Osquery_API_ArrayQueries' + query: + $ref: '#/components/schemas/Security_Osquery_API_Query' + saved_query_id: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + Security_Osquery_API_CreateLiveQueryResponse: + description: The response for creating a live query. 
+ example: + data: + '@timestamp': '2022-07-26T09:59:32.220Z' + action_id: 3c42c847-eb30-4452-80e0-728584042334 + agent_all: true + agent_ids: [] + agent_platforms: [] + agent_policy_ids: [] + agents: + - 16d7caf5-efd2-4212-9b62-73dafc91fa13 + expiration: '2022-07-26T10:04:32.220Z' + input_type: osquery + metadata: + execution_context: + name: osquery + url: /app/osquery/live_queries/new + queries: + - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 + agents: + - 16d7caf5-efd2-4212-9b62-73dafc91fa13 + ecs_mapping: + host.uptime: + field: total_seconds + id: 6724a474-cbba-41ef-a1aa-66aebf0879e2 + query: select * from uptime; + timeout: 120 + type: INPUT_ACTION + user_id: elastic + type: object + properties: + data: + type: object + properties: + '@timestamp': + description: The timestamp when the action was created. + format: date-time + type: string + action_id: + description: The ID of the action. + type: string + agent_all: + description: Whether the query targets all agents. + type: boolean + agent_ids: + description: The agent IDs targeted by the action. + items: + type: string + type: array + agent_platforms: + description: The agent platforms targeted. + items: + type: string + type: array + agent_policy_ids: + description: The agent policy IDs targeted. + items: + type: string + type: array + agents: + description: The resolved list of agent IDs. + items: + type: string + type: array + expiration: + description: The expiration date of the action. + format: date-time + type: string + input_type: + description: The input type. + type: string + metadata: + description: Custom metadata associated with the action. + type: object + pack_id: + description: The pack ID if the query was run from a pack. + type: string + queries: + description: The queries in this action. 
+ items: + type: object properties: - field: - enum: - - subject_name + action_id: type: string - operator: - enum: - - included + agents: + items: + type: string + type: array + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' + id: type: string - type: - enum: - - match + platform: type: string - value: - description: Certificate subject name + query: type: string - required: - - field - - type - - value - - operator - - type: object - properties: - field: - enum: - - trusted + saved_query_id: type: string - operator: - enum: - - included + timeout: + type: integer + version: type: string - type: - enum: - - match + type: array + type: + description: The action type. + type: string + user_id: + description: The user who created the action. + type: string + required: + - action_id + required: + - data + Security_Osquery_API_CreatePacksRequestBody: + example: + description: My pack + enabled: true + name: my_pack + policy_ids: + - my_policy_id + - fleet-server-policy + queries: + my_query: + ecs_mapping: + client.port: + field: port + tags: + value: + - tag1 + - tag2 + interval: 60 + query: SELECT * FROM listening_ports; + timeout: 120 + shards: + fleet-server-policy: 58 + my_policy_id: 35 + type: object + properties: + description: + $ref: '#/components/schemas/Security_Osquery_API_PackDescription' + enabled: + $ref: '#/components/schemas/Security_Osquery_API_Enabled' + name: + $ref: '#/components/schemas/Security_Osquery_API_PackName' + policy_ids: + $ref: '#/components/schemas/Security_Osquery_API_PolicyIds' + queries: + $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries' + shards: + $ref: '#/components/schemas/Security_Osquery_API_Shards' + Security_Osquery_API_CreatePacksResponse: + description: The response for creating a pack. 
+ example: + data: + created_at: '2025-02-26T13:37:30.452Z' + created_by: elastic + description: My pack + enabled: true + name: my_pack + policy_ids: + - my_policy_id + queries: + ports: + ecs_mapping: + client.port: + field: port + interval: 60 + query: SELECT * FROM listening_ports; + removed: false + snapshot: true + timeout: 120 + saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 + shards: + 47638692-7c4c-4053-aa3e-7186f28df349: 35 + 5e267651-fe50-443e-8d3f-3bbc9171b618: 58 + updated_at: '2025-02-26T13:37:30.452Z' + updated_by: elastic + version: 1 + type: object + properties: + data: + type: object + properties: + created_at: + description: The date and time the pack was created. + format: date-time + type: string + created_by: + description: The user who created the pack. + nullable: true + type: string + created_by_profile_uid: + description: The profile UID of the user who created the pack. + type: string + description: + $ref: '#/components/schemas/Security_Osquery_API_PackDescription' + enabled: + $ref: '#/components/schemas/Security_Osquery_API_Enabled' + name: + $ref: '#/components/schemas/Security_Osquery_API_PackName' + policy_ids: + $ref: '#/components/schemas/Security_Osquery_API_PolicyIds' + queries: + $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries' + saved_object_id: + description: The saved object ID of the pack. + type: string + shards: + description: Shard configuration as an array of key-value pairs. + items: + type: object + properties: + key: type: string value: - description: Must be the string 'true' - enum: - - 'true' - type: string - required: - - field - - type - - value - - operator - maxItems: 2 - minItems: 2 - type: array - field: - description: macOS code signature field - enum: - - process.code_signature - type: string - type: - enum: - - nested - type: string + type: number + type: array + updated_at: + description: The date and time the pack was last updated. 
+ format: date-time + type: string + updated_by: + description: The user who last updated the pack. + nullable: true + type: string + updated_by_profile_uid: + description: The profile UID of the user who last updated the pack. + type: string + version: + description: The pack version number. + type: integer + required: + - saved_object_id + - name required: - - field - - type - - entries - Security_Exceptions_API_TrustedAppPathEntry: + - data + Security_Osquery_API_CreateSavedQueryRequestBody: + example: + description: Saved query description + ecs_mapping: + host.uptime: + field: total_seconds + id: saved_query_id + interval: '60' + platform: linux,darwin + query: select * from uptime; + timeout: 120 + version: 2.8.0 type: object properties: - field: - description: Process executable path field - enum: - - process.executable.caseless - type: string - operator: - enum: - - included - type: string - type: - description: Path supports both match and wildcard types - enum: - - match - - wildcard - type: string - value: - description: Executable path - type: string + description: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription' + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' + id: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + interval: + $ref: '#/components/schemas/Security_Osquery_API_Interval' + platform: + $ref: '#/components/schemas/Security_Osquery_API_Platform' + query: + $ref: '#/components/schemas/Security_Osquery_API_Query' + removed: + $ref: '#/components/schemas/Security_Osquery_API_Removed' + snapshot: + $ref: '#/components/schemas/Security_Osquery_API_Snapshot' + version: + $ref: '#/components/schemas/Security_Osquery_API_Version' + Security_Osquery_API_CreateSavedQueryResponse: + description: The response for creating a saved query. 
+ example: + data: + created_at: '2025-02-26T13:37:30.452Z' + created_by: elastic + description: Saved query description + ecs_mapping: + host.uptime: + field: total_seconds + id: saved_query_id + interval: '60' + platform: linux,darwin + prebuilt: false + query: select * from uptime; + saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c + timeout: 120 + updated_at: '2025-02-26T13:37:30.452Z' + updated_by: elastic + version: 2.8.0 + type: object + properties: + data: + type: object + properties: + created_at: + format: date-time + type: string + created_by: + nullable: true + type: string + created_by_profile_uid: + type: string + description: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription' + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' + id: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + interval: + description: An interval, in seconds, on which to run the query. May be returned as number or string. + oneOf: + - type: integer + - type: string + platform: + $ref: '#/components/schemas/Security_Osquery_API_Platform' + prebuilt: + description: Whether the saved query is prebuilt. + type: boolean + query: + $ref: '#/components/schemas/Security_Osquery_API_Query' + removed: + $ref: '#/components/schemas/Security_Osquery_API_Removed' + saved_object_id: + description: The saved object ID of the saved query. + type: string + snapshot: + $ref: '#/components/schemas/Security_Osquery_API_Snapshot' + timeout: + description: The query timeout in seconds. + type: integer + updated_at: + format: date-time + type: string + updated_by: + nullable: true + type: string + updated_by_profile_uid: + type: string + version: + description: The saved query version. 
+ oneOf: + - type: integer + - type: string + required: + - saved_object_id + - id required: - - field - - type - - value - - operator - Security_Exceptions_API_TrustedAppsLinuxProperties: - description: Trusted applications list item properties (Linux). + - data + Security_Osquery_API_DefaultSuccessResponse: + example: {} type: object - properties: - entries: - description: >- - Process hash or executable path entries (code signature not - supported on Linux) - items: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppHashEntry - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppPathEntry - minItems: 1 - type: array - list_id: - enum: - - endpoint_trusted_apps - example: endpoint_trusted_apps - type: string - os_types: - description: Must be Linux only - items: - enum: - - linux - type: string - maxItems: 1 - minItems: 1 - type: array - tags: - $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' - required: - - list_id - Security_Exceptions_API_TrustedAppsMacProperties: - description: Trusted applications list item properties (macOS). + properties: {} + Security_Osquery_API_ECSMapping: + additionalProperties: + $ref: '#/components/schemas/Security_Osquery_API_ECSMappingItem' + description: Map osquery results columns or static values to Elastic Common Schema (ECS) fields + example: + host.uptime: + field: total_seconds + type: object + Security_Osquery_API_ECSMappingArray: + description: ECS mapping in saved-object storage format (array of key-value pairs). The find and copy pack endpoints return this format. The read endpoint returns object format (ECSMapping). + items: + $ref: '#/components/schemas/Security_Osquery_API_ECSMappingArrayItem' + type: array + Security_Osquery_API_ECSMappingArrayItem: + description: ECS mapping item in saved-object storage format (key-value pair). 
type: object properties: - entries: - description: Process hash, executable path, or code signature entries - items: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppHashEntry - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppPathEntry - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppMacCodeSignatureEntry - minItems: 1 - type: array - list_id: - enum: - - endpoint_trusted_apps - example: endpoint_trusted_apps + key: + description: The ECS field name. type: string - os_types: - description: Must be macOS only - items: - enum: - - macos - type: string - maxItems: 1 - minItems: 1 - type: array - tags: - $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' - required: - - list_id - Security_Exceptions_API_TrustedAppsWindowsProperties: - description: Trusted applications list item properties (Windows). + value: + $ref: '#/components/schemas/Security_Osquery_API_ECSMappingItem' + Security_Osquery_API_ECSMappingArrayOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_ECSMappingArray' + nullable: true + Security_Osquery_API_ECSMappingItem: type: object properties: - entries: - description: Process hash, executable path, or code signature entries - items: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppHashEntry - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppPathEntry - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppWindowsCodeSignatureEntry - minItems: 1 - type: array - list_id: - enum: - - endpoint_trusted_apps - example: endpoint_trusted_apps + field: + description: The ECS field to map to. 
+ example: host.uptime type: string - os_types: - description: Must be Windows only - items: - enum: - - windows - type: string - maxItems: 1 - minItems: 1 - type: array - tags: - $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' - required: - - list_id - Security_Exceptions_API_TrustedAppWindowsCodeSignatureEntry: + value: + description: The value to map to the ECS field. + example: total_seconds + oneOf: + - type: string + - items: + type: string + type: array + Security_Osquery_API_ECSMappingOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' + nullable: true + Security_Osquery_API_Enabled: + description: Enables the pack. + example: true + type: boolean + Security_Osquery_API_EnabledOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_Enabled' + nullable: true + Security_Osquery_API_FindLiveQueryDetailsResponse: + example: + data: + '@timestamp': '2022-07-26T09:59:32.220Z' + action_id: 3c42c847-eb30-4452-80e0-728584042334 + agents: + - 16d7caf5-efd2-4212-9b62-73dafc91fa13 + expiration: '2022-07-26T10:04:32.220Z' + queries: + - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 + agents: + - 16d7caf5-efd2-4212-9b62-73dafc91fa13 + docs: 0 + ecs_mapping: + host.uptime: + field: total_seconds + failed: 1 + id: 6724a474-cbba-41ef-a1aa-66aebf0879e2 + pending: 0 + query: select * from uptime; + responded: 1 + saved_query_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d + status: completed + successful: 0 + status: completed + user_id: elastic type: object properties: - entries: - description: >- - Must include exactly 2 entries - one for subject_name and one for - trusted - items: - oneOf: - - type: object + data: + type: object + properties: + '@timestamp': + format: date-time + type: string + action_id: + type: string + agents: + items: + type: string + type: array + expiration: + format: date-time + type: string + pack_id: + type: string + pack_name: + type: string + prebuilt_pack: + type: boolean + queries: + 
description: The queries with their execution status. + items: + type: object properties: - field: - enum: - - subject_name - type: string - operator: - enum: - - included - type: string - type: - enum: - - match - type: string - value: - description: Certificate subject name + action_id: type: string - required: - - field - - type - - value - - operator - - type: object - properties: - field: - enum: - - trusted + agents: + items: + type: string + type: array + docs: + description: Number of result documents. + type: integer + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' + failed: + description: Number of failed queries. + type: integer + id: type: string - operator: - enum: - - included + pending: + description: Number of pending agents. + type: integer + query: type: string - type: - enum: - - match + responded: + description: Total responded agents. + type: integer + saved_query_id: type: string - value: - description: Must be the string 'true' + status: + description: Status of this individual query. enum: - - 'true' + - completed + - running type: string - required: - - field - - type - - value - - operator - maxItems: 2 - minItems: 2 - type: array - field: - description: Windows code signature field - enum: - - process.Ext.code_signature - type: string - type: - enum: - - nested - type: string - required: - - field - - type - - entries - Security_Exceptions_API_TrustedDevicesMacProperties: - description: >- - Trusted devices list item properties (macOS-only, username not - supported). + successful: + description: Number of successful agents. + type: integer + type: array + status: + description: Global status of the live query (completed, running). 
+ enum: + - completed + - running + type: string + tags: + items: + type: string + type: array + user_id: + type: string + user_profile_uid: + type: string + Security_Osquery_API_FindLiveQueryResponse: + example: + data: + items: + - _source: + '@timestamp': '2023-10-31T00:00:00Z' + action_id: 3c42c847-eb30-4452-80e0-728584042334 + agents: + - 16d7caf5-efd2-4212-9b62-73dafc91fa13 + expiration: '2023-10-31T00:00:00Z' + queries: + - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 + agents: + - 16d7caf5-efd2-4212-9b62-73dafc91fa13 + ecs_mapping: + host.uptime: + field: total_seconds + id: 6724a474-cbba-41ef-a1aa-66aebf0879e2 + query: select * from uptime; + saved_query_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d + result_counts: + error_agents: 0 + responded_agents: 1 + successful_agents: 1 + total_rows: 42 + user_id: elastic + total: 1 type: object properties: - entries: - description: >- - Exception entries for the trusted device (duplicate field entries - are not allowed) - items: - type: object - properties: - field: - description: Device field to match against - enum: - - device.serial_number - - device.type - - host.name - - device.vendor.name - - device.vendor.id - - device.product.id - - device.product.name - type: string - operator: - description: Must be the value "included" - enum: - - included - type: string - type: - description: Entry match type - enum: - - match - - wildcard - - match_any + data: + type: object + properties: + items: + description: An array of live query action items. 
+ items: + type: object + properties: + _source: + type: object + properties: + '@timestamp': + format: date-time + type: string + action_id: + type: string + agents: + items: + type: string + type: array + expiration: + format: date-time + type: string + pack_id: + type: string + queries: + items: + type: object + properties: + action_id: + type: string + agents: + items: + type: string + type: array + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' + id: + type: string + query: + type: string + saved_query_id: + type: string + type: array + result_counts: + description: Result count statistics (present when withResultCounts is true). + type: object + properties: + error_agents: + type: integer + responded_agents: + type: integer + successful_agents: + type: integer + total_rows: + type: integer + user_id: + type: string + type: array + total: + description: The total number of live queries. + type: integer + Security_Osquery_API_FindPackResponse: + description: The details of a single query pack. + example: + data: + created_at: '2022-07-25T19:41:10.263Z' + created_by: elastic + description: '' + enabled: true + name: test_pack + namespaces: + - default + policy_ids: [] + queries: + uptime: + ecs_mapping: + message: + field: days + interval: 3600 + query: select * from uptime + read_only: false + saved_object_id: 3c42c847-eb30-4452-80e0-728584042334 + shards: {} + type: osquery-pack + updated_at: '2022-07-25T20:12:01.455Z' + updated_by: elastic + version: 1 + type: object + properties: + data: + description: The pack details. 
+ type: object + properties: + created_at: + format: date-time + type: string + created_by: + nullable: true + type: string + created_by_profile_uid: + type: string + description: + $ref: '#/components/schemas/Security_Osquery_API_PackDescription' + enabled: + $ref: '#/components/schemas/Security_Osquery_API_Enabled' + name: + $ref: '#/components/schemas/Security_Osquery_API_PackName' + namespaces: + description: The namespaces the pack belongs to. + items: type: string - value: - oneOf: - - description: Single value (used with match or wildcard) - type: string - - description: Array of values (used with match_any) - items: - type: string - minItems: 1 - type: array - required: - - field - - type - - value - - operator - minItems: 1 - type: array - list_id: - enum: - - endpoint_trusted_devices - example: endpoint_trusted_devices - type: string - os_types: - description: macOS-only - items: - enum: - - macos - type: string - maxItems: 1 - minItems: 1 - type: array - tags: - $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' + type: array + policy_ids: + $ref: '#/components/schemas/Security_Osquery_API_PolicyIds' + queries: + $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries' + read_only: + description: Whether the pack is read-only (true for prebuilt packs). + type: boolean + saved_object_id: + description: The saved object ID of the pack. + type: string + shards: + $ref: '#/components/schemas/Security_Osquery_API_Shards' + type: + description: The saved object type. + type: string + updated_at: + format: date-time + type: string + updated_by: + nullable: true + type: string + updated_by_profile_uid: + type: string + version: + description: The pack version number. + type: integer + required: + - saved_object_id + - name required: - - list_id - Security_Exceptions_API_TrustedDevicesWindowsMacProperties: - description: >- - Trusted devices list item properties (Windows + macOS, username not - supported). 
+ - data + Security_Osquery_API_FindPacksResponse: + description: A paginated list of query packs. + example: + data: + - created_at: '2023-10-31T00:00:00Z' + created_by: elastic + created_by_profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + description: My pack description + enabled: true + name: My Pack + policy_ids: [] + queries: + - ecs_mapping: + - key: host.uptime + value: + field: total_seconds + id: uptime + interval: 3600 + query: select * from uptime; + read_only: false + saved_object_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d + updated_at: '2023-10-31T00:00:00Z' + updated_by: elastic + updated_by_profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + page: 1 + per_page: 10 + total: 1 type: object properties: - entries: - description: >- - Exception entries for the trusted device (duplicate field entries - are not allowed, username not available when targeting both OS) + data: + description: An array of pack objects. items: type: object properties: - field: - description: >- - Device field to match against (username not available for - multi-OS) - enum: - - device.serial_number - - device.type - - host.name - - device.vendor.name - - device.vendor.id - - device.product.id - - device.product.name + created_at: + format: date-time type: string - operator: - description: Must be the value "included" - enum: - - included + created_by: + nullable: true type: string - type: - description: Entry match type - enum: - - match - - wildcard - - match_any + created_by_profile_uid: type: string - value: - oneOf: - - description: Single value (used with match or wildcard) - type: string - - description: Array of values (used with match_any) - items: + description: + $ref: '#/components/schemas/Security_Osquery_API_PackDescription' + enabled: + $ref: '#/components/schemas/Security_Osquery_API_Enabled' + name: + $ref: '#/components/schemas/Security_Osquery_API_PackName' + policy_ids: + $ref: '#/components/schemas/Security_Osquery_API_PolicyIds' + 
queries: + description: 'Pack queries in saved-object storage format (array). Note: the read endpoint returns object format.' + items: + type: object + properties: + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMappingArray' + id: type: string - minItems: 1 - type: array + interval: + type: integer + platform: + type: string + query: + type: string + removed: + type: boolean + snapshot: + type: boolean + timeout: + type: integer + version: + type: string + type: array + read_only: + description: Whether the pack is read-only (true for prebuilt packs). + type: boolean + saved_object_id: + description: The saved object ID of the pack. + type: string + updated_at: + format: date-time + type: string + updated_by: + nullable: true + type: string + updated_by_profile_uid: + type: string + version: + description: The pack version number. + type: integer required: - - field - - type - - value - - operator - minItems: 1 - type: array - list_id: - enum: - - endpoint_trusted_devices - example: endpoint_trusted_devices - type: string - os_types: - description: Must include both Windows and macOS (username field not allowed) - items: - enum: - - windows - - macos - type: string - maxItems: 2 - minItems: 2 + - saved_object_id + - name type: array - tags: - $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' + page: + description: The current page number. + type: integer + per_page: + description: The number of results per page. + type: integer + total: + description: The total number of packs. + type: integer required: - - list_id - Security_Exceptions_API_TrustedDevicesWindowsProperties: - description: >- - Trusted devices list item properties (Windows-only, allows username - field). + - page + - per_page + - total + - data + Security_Osquery_API_FindSavedQueryDetailResponse: + description: The details of a single saved query. 
+ example: + data: + created_at: '2022-07-26T09:28:08.597Z' + created_by: elastic + description: Saved query description + ecs_mapping: + host.uptime: + field: total_seconds + id: saved_query_id + interval: '60' + platform: linux,darwin + prebuilt: false + query: select * from uptime; + saved_object_id: 3c42c847-eb30-4452-80e0-728584042334 + updated_at: '2022-07-26T09:28:08.597Z' + updated_by: elastic + version: 2.8.0 type: object properties: - entries: - description: >- - Exception entries for the trusted device (duplicate field entries - are not allowed) + data: + type: object + properties: + created_at: + format: date-time + type: string + created_by: + nullable: true + type: string + created_by_profile_uid: + type: string + description: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription' + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' + id: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + interval: + oneOf: + - type: integer + - type: string + platform: + $ref: '#/components/schemas/Security_Osquery_API_Platform' + prebuilt: + type: boolean + query: + $ref: '#/components/schemas/Security_Osquery_API_Query' + removed: + $ref: '#/components/schemas/Security_Osquery_API_Removed' + saved_object_id: + type: string + snapshot: + $ref: '#/components/schemas/Security_Osquery_API_Snapshot' + timeout: + type: integer + updated_at: + format: date-time + type: string + updated_by: + nullable: true + type: string + updated_by_profile_uid: + type: string + version: + oneOf: + - type: integer + - type: string + required: + - saved_object_id + - id + required: + - data + Security_Osquery_API_FindSavedQueryResponse: + description: A paginated list of saved queries. 
+ example: + data: + - created_at: '2022-07-26T09:28:08.597Z' + created_by: elastic + created_by_profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + description: Saved query description + ecs_mapping: + host.uptime: + field: total_seconds + id: saved_query_id + interval: '60' + platform: linux,darwin + prebuilt: false + query: select * from uptime; + saved_object_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d + updated_at: '2022-07-26T09:28:08.597Z' + updated_by: elastic + updated_by_profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + version: 2.8.0 + page: 1 + per_page: 100 + total: 11 + type: object + properties: + data: + description: An array of saved query objects. items: type: object properties: - field: - description: Device field to match against (user.name is Windows-only) - enum: - - device.serial_number - - device.type - - host.name - - device.vendor.name - - device.vendor.id - - device.product.id - - device.product.name - - user.name + created_at: + format: date-time type: string - operator: - description: Must be the value "included" - enum: - - included + created_by: + nullable: true type: string - type: - description: Entry match type - enum: - - match - - wildcard - - match_any + created_by_profile_uid: type: string - value: + description: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription' + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' + id: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + interval: oneOf: - - description: Single value (used with match or wildcard) - type: string - - description: Array of values (used with match_any) - items: - type: string - minItems: 1 - type: array + - type: integer + - type: string + platform: + $ref: '#/components/schemas/Security_Osquery_API_Platform' + prebuilt: + type: boolean + query: + $ref: '#/components/schemas/Security_Osquery_API_Query' + removed: + $ref: '#/components/schemas/Security_Osquery_API_Removed' + 
saved_object_id: + type: string + snapshot: + $ref: '#/components/schemas/Security_Osquery_API_Snapshot' + timeout: + type: integer + updated_at: + format: date-time + type: string + updated_by: + nullable: true + type: string + updated_by_profile_uid: + type: string + version: + oneOf: + - type: integer + - type: string required: - - field - - type - - value - - operator - minItems: 1 + - saved_object_id + - id type: array - list_id: - enum: - - endpoint_trusted_devices - example: endpoint_trusted_devices - type: string - os_types: - description: Must be Windows-only to allow username field + page: + description: The current page number. + type: integer + per_page: + description: The number of results per page. + type: integer + total: + description: The total number of saved queries. + type: integer + required: + - page + - per_page + - total + - data + Security_Osquery_API_GetLiveQueryResultsResponse: + description: The response for getting live query results. + example: + data: + edges: + - _id: doc1 + _source: {} + - _id: doc2 + _source: {} + total: 2 + type: object + properties: + data: + type: object + properties: + edges: + description: The result rows from the query execution. + items: + type: object + properties: + _id: + type: string + _source: + description: The Elasticsearch document source containing query results. + type: object + type: array + total: + description: The total number of result rows. 
+ type: integer + Security_Osquery_API_GetScheduledActionResultsResponse: + example: + aggregations: + failed: 1 + pending: 0 + successful: 9 + totalResponded: 10 + totalRowCount: 42 + currentPage: 0 + edges: + - _id: result-001 + fields: + agent_id: 16d7caf5-efd2-4212-9b62-73dafc91fa13 + rows_count: 5 + status: success + metadata: + executionCount: 3 + packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d + packName: My Pack + queryName: uptime + queryText: select * from uptime; + scheduleId: pack_my_pack_uptime + timestamp: '2024-07-26T09:00:00.000Z' + pageSize: 20 + total: 10 + totalPages: 1 + type: object + properties: + aggregations: + $ref: '#/components/schemas/Security_Osquery_API_ScheduledActionResultsAggregations' + currentPage: + description: The current page number (zero-based). + type: integer + edges: + description: The paginated list of per-agent action results. items: - enum: - - windows - type: string - maxItems: 1 - minItems: 1 + type: object type: array - tags: - $ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags' - required: - - list_id - Security_Exceptions_API_UpdateExceptionListItemBase: + inspect: + description: Debug/inspection data for the search query. + type: object + metadata: + $ref: '#/components/schemas/Security_Osquery_API_ScheduledExecutionMetadata' + pageSize: + description: The number of results per page. + type: integer + total: + description: The total number of action results. + type: integer + totalPages: + description: The total number of pages. + type: integer + Security_Osquery_API_GetScheduledQueryResultsResponse: + description: The response for getting scheduled query results. + example: + data: + edges: + - _id: row-001 + fields: + host.uptime: + - '12345' + - _id: row-002 + fields: + host.uptime: + - '67890' + total: 2 type: object properties: - _version: - description: >- - The version ID, normally returned by the API when the item is - retrieved. 
Use it to ensure updates are made against the latest - version. - type: string - comments: - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemCommentArray - default: [] - description: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemDescription - expire_time: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemExpireTime - id: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' - description: Either `id` or `item_id` must be specified - item_id: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId - description: Either `id` or `item_id` must be specified - meta: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta' - name: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemName' - namespace_type: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' - default: single - type: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemType' - required: - - type - - name - - description - Security_Exceptions_API_UpdateExceptionListItemBlocklistLinux: - allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_BlocklistLinuxProperties - Security_Exceptions_API_UpdateExceptionListItemBlocklistMac: - allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase - - $ref: '#/components/schemas/Security_Exceptions_API_BlocklistMacProperties' - Security_Exceptions_API_UpdateExceptionListItemBlocklistWindows: - allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_BlocklistWindowsProperties - Security_Exceptions_API_UpdateExceptionListItemComment: + data: + description: The query results data wrapper. 
+ type: object + properties: + edges: + description: The paginated list of query result rows. + items: + type: object + type: array + inspect: + description: Debug/inspection data for the search query. + type: object + total: + description: The total number of result rows. + type: integer + Security_Osquery_API_GetUnifiedHistoryResponse: + example: + data: + - actionId: 609c4c66-ba3d-43fa-afdd-53e244577aa0 + agentCount: 5 + errorCount: 0 + id: 3c42c847-eb30-4452-80e0-728584042334 + queryName: uptime_query + queryText: select * from uptime; + source: Live + sourceType: live + successCount: 5 + timestamp: '2024-07-26T09:59:32.220Z' + totalRows: 42 + userId: elastic + - agentCount: 10 + errorCount: 1 + executionCount: 3 + id: pack_my_pack_uptime_3 + packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d + packName: My Pack + plannedTime: '2024-07-26T09:00:00.000Z' + queryName: uptime + queryText: select * from uptime; + scheduleId: pack_my_pack_uptime + source: Scheduled + sourceType: scheduled + successCount: 9 + timestamp: '2024-07-26T09:00:00.000Z' + totalRows: 100 + hasMore: true + nextPage: eyJhY3Rpb25TZWFyY2hBZnRlciI6WzE3... type: object properties: - comment: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - id: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + data: + description: The list of unified history rows for the current page. + items: + $ref: '#/components/schemas/Security_Osquery_API_UnifiedHistoryRow' + type: array + hasMore: + description: Whether there are more results beyond the current page. + type: boolean + nextPage: + description: A base64-encoded cursor to fetch the next page. Absent when there are no more results. 
+ type: string required: - - comment - Security_Exceptions_API_UpdateExceptionListItemCommentArray: - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemComment - type: array - Security_Exceptions_API_UpdateExceptionListItemEndpointList: - allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase - - $ref: '#/components/schemas/Security_Exceptions_API_EndpointListProperties' - Security_Exceptions_API_UpdateExceptionListItemEventFilters: - allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase - - $ref: '#/components/schemas/Security_Exceptions_API_EventFiltersProperties' - Security_Exceptions_API_UpdateExceptionListItemGeneric: + - data + - hasMore + Security_Osquery_API_Interval: + description: An interval, in seconds, on which to run the query. + example: '60' + type: string + Security_Osquery_API_IntervalOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_Interval' + nullable: true + Security_Osquery_API_KueryOrUndefined: + description: The kuery to filter the results by. 
+ example: 'agent.id: 16d7caf5-efd2-4212-9b62-73dafc91fa13' + nullable: true + type: string + Security_Osquery_API_LiveHistoryRow: allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase - - example: - comments: [] - description: Updated description - entries: - - field: host.name - operator: included - type: match - value: rock01 - item_id: simple_list_item - name: Updated name - namespace_type: single - tags: [] - type: simple - type: object + - $ref: '#/components/schemas/Security_Osquery_API_UnifiedHistoryRowBase' + - type: object properties: - entries: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray - list_id: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListHumanId - os_types: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray - default: [] - tags: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemTags + actionId: + description: The Fleet action ID for the live query. + type: string + agentAll: + description: Whether the query targeted all agents. + type: boolean + agentIds: + description: List of targeted agent IDs. + items: + type: string + type: array + agentPlatforms: + description: List of targeted agent platforms. + items: + type: string + type: array + agentPolicyIds: + description: List of targeted agent policy IDs. + items: + type: string + type: array + ecsMapping: + additionalProperties: true + description: ECS mapping configuration used for the query. + type: object + queriesTotal: + description: The total number of sub-queries in the live action. + type: integer + queriesWithResults: + description: The number of sub-queries that returned results. + type: integer + savedQueryId: + description: The saved query ID, if the live query was based on a saved query. + type: string + source: + description: Whether this was a manually run live query or triggered by a rule. 
+ enum: + - Live + - Rule + type: string + sourceType: + description: Identifies this as a live query history row. + enum: + - live + type: string + timeout: + description: The query timeout in seconds. + type: integer + userId: + description: The ID of the user who ran the query. + type: string + userProfileUid: + description: The user profile UID of the user who ran the query. + type: string required: - - entries - Security_Exceptions_API_UpdateExceptionListItemHostIsolation: - allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase - - $ref: '#/components/schemas/Security_Exceptions_API_HostIsolationProperties' - Security_Exceptions_API_UpdateExceptionListItemTrustedAppsLinux: - allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppsLinuxProperties - Security_Exceptions_API_UpdateExceptionListItemTrustedAppsMac: - allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppsMacProperties - Security_Exceptions_API_UpdateExceptionListItemTrustedAppsWindows: - allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedAppsWindowsProperties - Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesMac: - allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedDevicesMacProperties - Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesWindows: - allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedDevicesWindowsProperties - 
Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesWindowsMac: - allOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase - - $ref: >- - #/components/schemas/Security_Exceptions_API_TrustedDevicesWindowsMacProperties - Security_Exceptions_API_UUID: - description: A universally unique identifier - format: uuid + - sourceType + - source + Security_Osquery_API_ObjectQueries: + additionalProperties: + $ref: '#/components/schemas/Security_Osquery_API_ObjectQueriesItem' + description: An object of queries. + type: object + Security_Osquery_API_ObjectQueriesItem: + type: object + properties: + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' + id: + $ref: '#/components/schemas/Security_Osquery_API_QueryId' + platform: + $ref: '#/components/schemas/Security_Osquery_API_Platform' + query: + $ref: '#/components/schemas/Security_Osquery_API_Query' + removed: + $ref: '#/components/schemas/Security_Osquery_API_Removed' + saved_query_id: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + snapshot: + $ref: '#/components/schemas/Security_Osquery_API_Snapshot' + version: + $ref: '#/components/schemas/Security_Osquery_API_Version' + Security_Osquery_API_PackDescription: + description: The pack description. + example: Pack description type: string - Security_Lists_API_FindListItemsCursor: - description: >- - Returns the items that come after the last item returned in the previous - call (use the `cursor` value returned in the previous call). This - parameter uses the `tie_breaker_id` field to ensure all items are sorted - and returned correctly. - example: WzIwLFsiYjU3Yzc2MmMtMzAzNi00NjVjLTliZmItN2JmYjVlNmU1MTVhIl1d - format: nonempty - minLength: 1 + Security_Osquery_API_PackDescriptionOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_PackDescription' + nullable: true + Security_Osquery_API_PackId: + description: The ID of the pack. 
+ example: 3c42c847-eb30-4452-80e0-728584042334 type: string - Security_Lists_API_FindListItemsFilter: - example: value:127.0.0.1 + Security_Osquery_API_PackIdOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_PackId' + nullable: true + Security_Osquery_API_PackName: + description: The pack name. + example: my_pack type: string - Security_Lists_API_FindListsCursor: - example: WzIwLFsiYjU3Yzc2MmMtMzAzNi00NjVjLTliZmItN2JmYjVlNmU1MTVhIl1d - format: nonempty - minLength: 1 + Security_Osquery_API_PageOrUndefined: + description: The page number to return. The default is 1. + example: 1 + nullable: true + type: integer + Security_Osquery_API_PageSizeOrUndefined: + description: The number of results to return per page. The default is 20. + example: 20 + nullable: true + type: integer + Security_Osquery_API_Platform: + description: Restricts the query to a specified platform. The default is all platforms. To specify multiple platforms, use commas. For example, `linux,darwin`. + example: linux,darwin type: string - Security_Lists_API_FindListsFilter: - example: value:127.0.0.1 + Security_Osquery_API_PlatformOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_Platform' + nullable: true + Security_Osquery_API_PolicyIds: + description: A list of agents policy IDs. + example: + - policyId1 + - policyId2 + items: + type: string + type: array + Security_Osquery_API_PolicyIdsOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_PolicyIds' + nullable: true + Security_Osquery_API_Query: + description: The SQL query you want to run. + example: select * from uptime; type: string - Security_Lists_API_List: - type: object - properties: - _version: - $ref: '#/components/schemas/Security_Lists_API_ListVersionId' - '@timestamp': - example: 2025-01-08T04:47:34.273Z - format: date-time - type: string - created_at: - description: Autogenerated date of object creation. 
- example: 2025-01-08T04:47:34.273Z - format: date-time - type: string - created_by: - description: Autogenerated value - user that created object. - example: elastic - type: string - description: - $ref: '#/components/schemas/Security_Lists_API_ListDescription' - id: - $ref: '#/components/schemas/Security_Lists_API_ListId' - immutable: - type: boolean - meta: - $ref: '#/components/schemas/Security_Lists_API_ListMetadata' - name: - $ref: '#/components/schemas/Security_Lists_API_ListName' - tie_breaker_id: - description: >- - Field used in search to ensure all containers are sorted and - returned correctly. - example: f5508188-b1e9-4e6e-9662-d039a7d89899 - type: string - type: - $ref: '#/components/schemas/Security_Lists_API_ListType' - updated_at: - description: Autogenerated date of last object update. - example: 2025-01-08T04:47:34.273Z - format: date-time - type: string - updated_by: - description: Autogenerated value - user that last updated object. - example: elastic - type: string - version: - $ref: '#/components/schemas/Security_Lists_API_ListVersion' - required: - - id - - type - - name - - description - - immutable - - version - - tie_breaker_id - - created_at - - created_by - - updated_at - - updated_by - Security_Lists_API_ListDescription: - description: Describes the value list. - format: nonempty - minLength: 1 + Security_Osquery_API_QueryId: + description: The ID of the query. + example: 3c42c847-eb30-4452-80e0-728584042334 type: string - Security_Lists_API_ListId: - description: Value list's identifier. - example: 21b01cfb-058d-44b9-838c-282be16c91cd - format: nonempty - minLength: 1 + Security_Osquery_API_QueryOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_Query' + nullable: true + Security_Osquery_API_Removed: + description: Indicates whether the query is removed. 
+ example: false + type: boolean + Security_Osquery_API_RemovedOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_Removed' + nullable: true + Security_Osquery_API_SavedQueryDescription: + description: The saved query description. + example: Saved query description type: string - Security_Lists_API_ListItem: + Security_Osquery_API_SavedQueryDescriptionOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription' + nullable: true + Security_Osquery_API_SavedQueryId: + description: The ID of a saved query. + example: 3c42c847-eb30-4452-80e0-728584042334 + type: string + Security_Osquery_API_SavedQueryIdOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + nullable: true + Security_Osquery_API_ScheduledActionResultsAggregations: type: object properties: - _version: - $ref: '#/components/schemas/Security_Lists_API_ListVersionId' - '@timestamp': - example: 2025-01-08T04:47:34.273Z - format: date-time - type: string - created_at: - description: Autogenerated date of object creation. - example: 2025-01-08T04:47:34.273Z - format: date-time - type: string - created_by: - description: Autogenerated value - user that created object. - example: elastic + failed: + description: The number of agents that returned errors. + type: integer + pending: + description: The number of agents with pending responses. + type: integer + successful: + description: The number of agents that completed successfully. + type: integer + totalResponded: + description: The total number of agents that responded. + type: integer + totalRowCount: + description: The total number of result rows across all agents. + type: integer + Security_Osquery_API_ScheduledExecutionMetadata: + description: Execution metadata resolved from the pack saved object. + type: object + properties: + executionCount: + description: The execution count for this scheduled query run. + type: integer + packId: + description: The ID of the pack containing the query. 
type: string - id: - $ref: '#/components/schemas/Security_Lists_API_ListItemId' - list_id: - $ref: '#/components/schemas/Security_Lists_API_ListId' - meta: - $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' - tie_breaker_id: - description: >- - Field used in search to ensure all containers are sorted and - returned correctly. - example: f5508188-b1e9-4e6e-9662-d039a7d89899 + packName: + description: The name of the pack containing the query. type: string - type: - $ref: '#/components/schemas/Security_Lists_API_ListType' - updated_at: - description: Autogenerated date of last object update. - example: 2025-01-08T04:47:34.273Z - format: date-time + queryName: + description: The name of the query within the pack. type: string - updated_by: - description: Autogenerated value - user that last updated object. - example: elastic + queryText: + description: The SQL query that was executed. type: string - value: - $ref: '#/components/schemas/Security_Lists_API_ListItemValue' - required: - - id - - type - - list_id - - value - - tie_breaker_id - - created_at - - created_by - - updated_at - - updated_by - Security_Lists_API_ListItemId: - description: Value list item's identifier. - example: 54b01cfb-058d-44b9-838c-282be16c91cd - format: nonempty - minLength: 1 - type: string - Security_Lists_API_ListItemMetadata: - additionalProperties: true - description: Placeholder for metadata about the value list item. - type: object - Security_Lists_API_ListItemPrivileges: - type: object - properties: - application: - additionalProperties: - type: boolean - type: object - cluster: - additionalProperties: - type: boolean - type: object - has_all_requested: - type: boolean - index: - additionalProperties: - additionalProperties: - type: boolean - type: object - type: object - username: + scheduleId: + description: The schedule ID for the scheduled query. 
type: string - required: - - username - - has_all_requested - - cluster - - index - - application - Security_Lists_API_ListItemValue: - description: The value used to evaluate exceptions. - format: nonempty - minLength: 1 - type: string - Security_Lists_API_ListMetadata: - additionalProperties: true - description: Placeholder for metadata about the value list. - type: object - Security_Lists_API_ListName: - description: Value list's name. - example: List of bad IPs - format: nonempty - minLength: 1 - type: string - Security_Lists_API_ListPrivileges: - type: object - properties: - application: - additionalProperties: - type: boolean - type: object - cluster: - additionalProperties: - type: boolean - type: object - has_all_requested: - type: boolean - index: - additionalProperties: - additionalProperties: - type: boolean - type: object - type: object - username: + timestamp: + description: The timestamp of the most recent response for this execution. type: string - required: - - username - - has_all_requested - - cluster - - index - - application - Security_Lists_API_ListType: - description: > - Specifies the Elasticsearch data type of excludes the list container - holds. Some common examples: - - - - `keyword`: Many ECS fields are Elasticsearch keywords - - - `ip`: IP addresses - - - `ip_range`: Range of IP addresses (supports IPv4, IPv6, and CIDR - notation) - enum: - - binary - - boolean - - byte - - date - - date_nanos - - date_range - - double - - double_range - - float - - float_range - - geo_point - - geo_shape - - half_float - - integer - - integer_range - - ip - - ip_range - - keyword - - long - - long_range - - shape - - short - - text + Security_Osquery_API_ScheduledHistoryRow: + allOf: + - $ref: '#/components/schemas/Security_Osquery_API_UnifiedHistoryRowBase' + - type: object + properties: + executionCount: + description: The execution count for this scheduled query run. 
+ type: integer + plannedTime: + description: The planned execution time for the scheduled query. + type: string + scheduleId: + description: The schedule ID for the scheduled query. + type: string + source: + description: Indicates this is a scheduled query execution. + enum: + - Scheduled + type: string + sourceType: + description: Identifies this as a scheduled query history row. + enum: + - scheduled + type: string + required: + - sourceType + - source + Security_Osquery_API_Shards: + additionalProperties: + type: number + description: An object with shard configuration for policies included in the pack. For each policy, set the shard configuration to a percentage (1–100) of target hosts. + example: + policy_id: 50 + type: object + Security_Osquery_API_Snapshot: + description: Indicates whether the query is a snapshot. + example: true + type: boolean + Security_Osquery_API_SnapshotOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_Snapshot' + nullable: true + Security_Osquery_API_SortOrderOrUndefined: + description: Specifies the sort order. + enum: + - asc + - desc + example: desc type: string - Security_Lists_API_ListVersion: - description: The document version number. - example: 1 - minimum: 1 - type: integer - Security_Lists_API_ListVersionId: - description: > - The version id, normally returned by the API when the document is - retrieved. Use it ensure updates are done against the latest version. - example: WzIsMV0= + Security_Osquery_API_SortOrUndefined: + default: createdAt + description: The field that is used to sort the results. 
+ example: createdAt + nullable: true type: string - Security_Lists_API_PlatformErrorResponse: + Security_Osquery_API_UnifiedHistoryRow: + discriminator: + mapping: + live: '#/components/schemas/Security_Osquery_API_LiveHistoryRow' + scheduled: '#/components/schemas/Security_Osquery_API_ScheduledHistoryRow' + propertyName: sourceType + oneOf: + - $ref: '#/components/schemas/Security_Osquery_API_LiveHistoryRow' + - $ref: '#/components/schemas/Security_Osquery_API_ScheduledHistoryRow' + Security_Osquery_API_UnifiedHistoryRowBase: type: object properties: - error: + agentCount: + description: The number of agents targeted by the query. + type: integer + errorCount: + description: The number of agent responses with errors. + nullable: true + type: integer + id: + description: Unique identifier for the history row. type: string - message: + packId: + description: The ID of the pack containing the query. type: string - statusCode: + packName: + description: The name of the pack containing the query. + type: string + queryName: + description: The name of the query, if available. + type: string + queryText: + description: The SQL query that was executed. + type: string + spaceId: + description: The Kibana space ID where the query was executed. + type: string + successCount: + description: The number of successful agent responses. + nullable: true type: integer - required: - - statusCode - - error - - message - Security_Lists_API_SiemErrorResponse: - type: object - properties: - message: + timestamp: + description: The timestamp of the query execution. type: string - status_code: + totalRows: + description: The total number of result rows returned across all agents. + nullable: true type: integer required: - - status_code - - message - Security_Osquery_API_ArrayQueries: - description: An array of queries to run. 
- items: - $ref: '#/components/schemas/Security_Osquery_API_ArrayQueriesItem' - type: array - Security_Osquery_API_ArrayQueriesItem: + - id + - timestamp + - queryText + - agentCount + Security_Osquery_API_UpdatePacksRequestBody: + example: + name: updated_my_pack_name type: object properties: - ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' - id: - $ref: '#/components/schemas/Security_Osquery_API_QueryId' - platform: - $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' - query: - $ref: '#/components/schemas/Security_Osquery_API_Query' - removed: - $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' - snapshot: - $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' - version: - $ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined' - Security_Osquery_API_CopyPacksResponse: - description: The response for copying a pack. + description: + $ref: '#/components/schemas/Security_Osquery_API_PackDescription' + enabled: + $ref: '#/components/schemas/Security_Osquery_API_Enabled' + name: + $ref: '#/components/schemas/Security_Osquery_API_PackName' + policy_ids: + $ref: '#/components/schemas/Security_Osquery_API_PolicyIds' + queries: + $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries' + shards: + $ref: '#/components/schemas/Security_Osquery_API_Shards' + Security_Osquery_API_UpdatePacksResponse: + description: The response for updating a pack. 
example: data: created_at: '2025-02-26T13:37:30.452Z' created_by: elastic description: My pack - enabled: false - name: my_pack_copy - policy_ids: [] + enabled: true + name: updated_my_pack_name + policy_ids: + - my_policy_id queries: - - ecs_mapping: - - key: client.port - value: - field: port - id: ports + ports: + ecs_mapping: + client.port: + field: port interval: 60 query: SELECT * FROM listening_ports; removed: false snapshot: true timeout: 120 saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 - shards: [] - updated_at: '2025-02-26T13:37:30.452Z' + shards: + 47638692-7c4c-4053-aa3e-7186f28df349: 35 + 5e267651-fe50-443e-8d3f-3bbc9171b618: 58 + updated_at: '2025-02-26T13:40:16.297Z' updated_by: elastic + version: 1 type: object properties: data: 
@@ -79345,54 +134618,20 @@ components: created_by_profile_uid: type: string description: - $ref: >- - #/components/schemas/Security_Osquery_API_PackDescriptionOrUndefined + $ref: '#/components/schemas/Security_Osquery_API_PackDescription' enabled: - $ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Enabled' name: $ref: '#/components/schemas/Security_Osquery_API_PackName' policy_ids: - $ref: '#/components/schemas/Security_Osquery_API_PolicyIdsOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_PolicyIds' queries: - description: >- - Pack queries in saved-object storage format (array). Note: the - read endpoint returns object format. - items: - type: object - properties: - ecs_mapping: - $ref: >- - #/components/schemas/Security_Osquery_API_ECSMappingArrayOrUndefined - id: - type: string - interval: - type: integer - platform: - type: string - query: - type: string - removed: - type: boolean - snapshot: - type: boolean - timeout: - type: integer - version: - type: string - type: array + $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries' saved_object_id: - description: The saved object ID of the copied pack. + description: The saved object ID of the pack. type: string shards: - description: Shard configuration as an array of key-value pairs. - items: - type: object - properties: - key: - type: string - value: - type: number - type: array + $ref: '#/components/schemas/Security_Osquery_API_Shards' updated_at: format: date-time type: string 
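Review bot: Swapping the inline `queries` array schema for `$ref: '#/components/schemas/Security_Osquery_API_ObjectQueries'` drops `interval` and `timeout` from the documented response shape: the removed inline item declared both, the example for this response (just above the hunk) still shows `interval: 60` and `timeout: 120` under `queries.ports`, and `Security_Osquery_API_ObjectQueriesItem` as defined earlier in this file lists only `ecs_mapping`, `id`, `platform`, `query`, `removed`, `saved_query_id`, `snapshot` and `version`. Object schemas allow additional properties by default, so the example still validates, but a client reading the spec will not learn that those two fields are returned. Adding `interval: $ref: '#/components/schemas/Security_Osquery_API_Interval'` and `timeout: type: integer` to `Security_Osquery_API_ObjectQueriesItem` would close the gap. If this bundled YAML is generated from the plugin's source OAS, the change presumably belongs in the source schema rather than in this output file.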
@@ -79404,31 +134643,43 @@ components: version: description: The pack version number. type: integer - required: - - saved_object_id - - name - required: - - data - Security_Osquery_API_CopySavedQueryResponse: - description: The response for copying a saved query. + Security_Osquery_API_UpdateSavedQueryRequestBody: + example: + id: updated_my_saved_query_name + type: object + properties: + description: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription' + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' + id: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + interval: + $ref: '#/components/schemas/Security_Osquery_API_Interval' + platform: + $ref: '#/components/schemas/Security_Osquery_API_Platform' + query: + $ref: '#/components/schemas/Security_Osquery_API_Query' + removed: + $ref: '#/components/schemas/Security_Osquery_API_Removed' + snapshot: + $ref: '#/components/schemas/Security_Osquery_API_Snapshot' + version: + $ref: '#/components/schemas/Security_Osquery_API_Version' + Security_Osquery_API_UpdateSavedQueryResponse: + description: The response for updating a saved query. example: data: created_at: '2025-02-26T13:37:30.452Z' created_by: elastic description: Saved query description - ecs_mapping: - host.uptime: - field: total_seconds - id: my_saved_query_copy + id: updated_my_saved_query_name interval: '60' - platform: linux,darwin query: select * from uptime; - removed: false saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c - snapshot: true - timeout: 120 - updated_at: '2025-02-26T13:37:30.452Z' + updated_at: '2025-02-26T13:40:16.297Z' updated_by: elastic + version: WzQzMTcsMV0= type: object properties: data: 
@@ -79443,10 +134694,9 @@ components: created_by_profile_uid: type: string description: - $ref: >- - #/components/schemas/Security_Osquery_API_SavedQueryDescriptionOrUndefined + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription' ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' id: $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' interval: @@ -79454,15 +134704,17 @@ components: - type: integer - type: string platform: - $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Platform' + prebuilt: + type: boolean query: $ref: '#/components/schemas/Security_Osquery_API_Query' removed: - $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Removed' saved_object_id: type: string snapshot: - $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' + $ref: '#/components/schemas/Security_Osquery_API_Snapshot' timeout: type: integer updated_at: 
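Review bot: The new `prebuilt` property added to the saved query response in the second hunk has only `type: boolean` and no `description`, while every neighbouring field either references a described component schema or, like `version` in the following hunk, gets its own description. A one-line `description: Indicates whether the saved query is prebuilt.` (sharpened with who provides prebuilt queries, which this diff does not show) would keep the schema self-explanatory. If this file is generated from the plugin's source OAS, the description should be added there.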
@@ -79473,5003 +134725,4643 @@ components: type: string updated_by_profile_uid: type: string + version: + description: The saved query version. + type: string required: - saved_object_id - id required: - data - Security_Osquery_API_CreateLiveQueryRequestBody: - example: - agent_all: true - ecs_mapping: - host.uptime: - field: total_seconds - query: select * from uptime; + Security_Osquery_API_Version: + description: Uses the Osquery versions greater than or equal to the specified version string. + example: 1.0.0 + type: string + Security_Osquery_API_VersionOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_Version' + nullable: true + Security_Timeline_API_AssociatedFilterType: + description: | + How the note is associated with a Timeline saved object and/or an event (`eventId`). `all`: no association-based restriction from this parameter. `document_only`: document-linked notes (non-empty `eventId`) without timeline association in the API's internal sense; post-filtering drops notes without a usable `eventId`. `saved_object_only`: timeline notes with no linked event (`eventId` empty or absent); post-filtering keeps timeline-only notes. `document_and_saved_object`: notes on a timeline and linked to an event; post-filtering enforces a real `eventId`. `orphan`: not on a timeline and `eventId` is empty (stricter than missing `eventId` in some cases). + enum: + - all + - document_only + - saved_object_only + - document_and_saved_object + - orphan + type: string + Security_Timeline_API_BareNote: + allOf: + - $ref: '#/components/schemas/Security_Timeline_API_NoteCreatedAndUpdatedMetadata' + - type: object + properties: + eventId: + description: | + Elasticsearch document `_id` for the event or alert this note refers to. Same value as the `documentIds` query parameter when fetching notes via GET /api/note. 
+ example: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc + nullable: true + type: string + note: + description: The text of the note + example: This is an example text + nullable: true + type: string + timelineId: + description: The `savedObjectId` of the Timeline this note belongs to (not the note's own ID). + example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + type: string + required: + - timelineId + Security_Timeline_API_BarePinnedEvent: + allOf: + - $ref: '#/components/schemas/Security_Timeline_API_PinnedEventCreatedAndUpdatedMetadata' + - type: object + properties: + eventId: + description: The `_id` of the associated event for this pinned event. + example: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc + type: string + timelineId: + description: The `savedObjectId` of the timeline that this pinned event is associated with + example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + type: string + required: + - eventId + - timelineId + Security_Timeline_API_ColumnHeaderResult: type: object properties: - agent_all: - description: When `true`, the query runs on all agents. + aggregatable: + nullable: true type: boolean - agent_ids: - description: A list of agent IDs to run the query on. - items: - type: string - type: array - agent_platforms: - description: A list of agent platforms to run the query on. - items: - type: string - type: array - agent_policy_ids: - description: A list of agent policy IDs to run the query on. - items: - type: string - type: array - alert_ids: - description: A list of alert IDs associated with the live query. - items: - type: string - type: array - case_ids: - description: A list of case IDs associated with the live query. - items: - type: string - type: array - ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' - event_ids: - description: A list of event IDs associated with the live query. 
+ category: + nullable: true + type: string + columnHeaderType: + nullable: true + type: string + description: + nullable: true + type: string + example: + nullable: true + type: string + id: + nullable: true + type: string + indexes: items: type: string + nullable: true type: array - metadata: - description: Custom metadata object associated with the live query. + name: nullable: true - type: object - pack_id: - $ref: '#/components/schemas/Security_Osquery_API_PackIdOrUndefined' - queries: - $ref: '#/components/schemas/Security_Osquery_API_ArrayQueries' - query: - $ref: '#/components/schemas/Security_Osquery_API_QueryOrUndefined' - saved_query_id: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryIdOrUndefined' - Security_Osquery_API_CreateLiveQueryResponse: - description: The response for creating a live query. - example: - data: - '@timestamp': '2022-07-26T09:59:32.220Z' - action_id: 3c42c847-eb30-4452-80e0-728584042334 - agent_all: true - agent_ids: [] - agent_platforms: [] - agent_policy_ids: [] - agents: - - 16d7caf5-efd2-4212-9b62-73dafc91fa13 - expiration: '2022-07-26T10:04:32.220Z' - input_type: osquery - metadata: - execution_context: - name: osquery - url: /app/osquery/live_queries/new - queries: - - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 - agents: - - 16d7caf5-efd2-4212-9b62-73dafc91fa13 - ecs_mapping: - host.uptime: - field: total_seconds - id: 6724a474-cbba-41ef-a1aa-66aebf0879e2 - query: select * from uptime; - timeout: 120 - type: INPUT_ACTION - user_id: elastic + type: string + placeholder: + nullable: true + type: string + searchable: + nullable: true + type: boolean + type: + nullable: true + type: string + Security_Timeline_API_DataProviderQueryMatch: type: object properties: - data: - type: object - properties: - '@timestamp': - description: The timestamp when the action was created. - format: date-time - type: string - action_id: - description: The ID of the action. 
- type: string - agent_all: - description: Whether the query targets all agents. - type: boolean - agent_ids: - description: The agent IDs targeted by the action. - items: - type: string - type: array - agent_platforms: - description: The agent platforms targeted. - items: - type: string - type: array - agent_policy_ids: - description: The agent policy IDs targeted. - items: - type: string - type: array - agents: - description: The resolved list of agent IDs. - items: - type: string - type: array - expiration: - description: The expiration date of the action. - format: date-time - type: string - input_type: - description: The input type. - type: string - metadata: - description: Custom metadata associated with the action. - type: object - pack_id: - description: The pack ID if the query was run from a pack. - type: string - queries: - description: The queries in this action. - items: - type: object - properties: - action_id: - type: string - agents: - items: - type: string - type: array - ecs_mapping: - $ref: >- - #/components/schemas/Security_Osquery_API_ECSMappingOrUndefined - id: - type: string - platform: - type: string - query: - type: string - saved_query_id: - type: string - timeout: - type: integer - version: - type: string - type: array - type: - description: The action type. - type: string - user_id: - description: The user who created the action. 
- type: string - required: - - action_id + enabled: + nullable: true + type: boolean + excluded: + nullable: true + type: boolean + id: + nullable: true + type: string + kqlQuery: + nullable: true + type: string + name: + nullable: true + type: string + queryMatch: + $ref: '#/components/schemas/Security_Timeline_API_QueryMatchResult' + nullable: true + type: + $ref: '#/components/schemas/Security_Timeline_API_DataProviderType' + nullable: true + Security_Timeline_API_DataProviderResult: + type: object + properties: + and: + items: + $ref: '#/components/schemas/Security_Timeline_API_DataProviderQueryMatch' + nullable: true + type: array + enabled: + nullable: true + type: boolean + excluded: + nullable: true + type: boolean + id: + nullable: true + type: string + kqlQuery: + nullable: true + type: string + name: + nullable: true + type: string + queryMatch: + $ref: '#/components/schemas/Security_Timeline_API_QueryMatchResult' + nullable: true + type: + $ref: '#/components/schemas/Security_Timeline_API_DataProviderType' + nullable: true + Security_Timeline_API_DataProviderType: + description: The type of data provider. + enum: + - default + - template + type: string + Security_Timeline_API_DocumentIds: + description: One document ID or an array of IDs (Elasticsearch `_id` of the event). 
+ oneOf: + - items: + type: string + type: array + - type: string + Security_Timeline_API_FavoriteTimelineResponse: + type: object + properties: + favorite: + items: + $ref: '#/components/schemas/Security_Timeline_API_FavoriteTimelineResult' + type: array + savedObjectId: + type: string + templateTimelineId: + nullable: true + type: string + templateTimelineVersion: + nullable: true + type: number + timelineType: + $ref: '#/components/schemas/Security_Timeline_API_TimelineType' + version: + type: string required: - - data - Security_Osquery_API_CreatePacksRequestBody: + - savedObjectId + - version + Security_Timeline_API_FavoriteTimelineResult: + description: Indicates when and who marked a Timeline as a favorite. example: - description: My pack - enabled: true - name: my_pack - policy_ids: - - my_policy_id - - fleet-server-policy - queries: - my_query: - ecs_mapping: - client.port: - field: port - tags: - value: - - tag1 - - tag2 - interval: 60 - query: SELECT * FROM listening_ports; - timeout: 120 - shards: - fleet-server-policy: 58 - my_policy_id: 35 + favoriteDate: 1741337636741 + userName: elastic type: object properties: - description: - $ref: '#/components/schemas/Security_Osquery_API_PackDescriptionOrUndefined' - enabled: - $ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined' - name: - $ref: '#/components/schemas/Security_Osquery_API_PackName' - policy_ids: - $ref: '#/components/schemas/Security_Osquery_API_PolicyIdsOrUndefined' - queries: - $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries' - shards: - $ref: '#/components/schemas/Security_Osquery_API_Shards' - Security_Osquery_API_CreatePacksResponse: - description: The response for creating a pack. 
+ favoriteDate: + nullable: true + type: number + fullName: + nullable: true + type: string + userName: + nullable: true + type: string + Security_Timeline_API_FilterTimelineResult: example: - data: - created_at: '2025-02-26T13:37:30.452Z' - created_by: elastic - description: My pack - enabled: true - name: my_pack - policy_ids: - - my_policy_id - queries: - ports: - ecs_mapping: - client.port: - field: port - interval: 60 - query: SELECT * FROM listening_ports; - removed: false - snapshot: true - timeout: 120 - saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 - shards: - 47638692-7c4c-4053-aa3e-7186f28df349: 35 - 5e267651-fe50-443e-8d3f-3bbc9171b618: 58 - updated_at: '2025-02-26T13:37:30.452Z' - updated_by: elastic - version: 1 + meta: + alias: Custom filter name + disabled: false + index: .alerts-security.alerts-default,logs-* + key: '@timestamp' + negate: false, + type: exists + value: exists + query: '{"exists":{"field":"@timestamp"}}' type: object properties: - data: + exists: + nullable: true + type: string + match_all: + nullable: true + type: string + meta: + nullable: true type: object properties: - created_at: - description: The date and time the pack was created. - format: date-time + alias: + nullable: true type: string - created_by: - description: The user who created the pack. + controlledBy: nullable: true type: string - created_by_profile_uid: - description: The profile UID of the user who created the pack. 
+ disabled: + nullable: true + type: boolean + field: + nullable: true type: string - description: - $ref: >- - #/components/schemas/Security_Osquery_API_PackDescriptionOrUndefined - enabled: - $ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined' - name: - $ref: '#/components/schemas/Security_Osquery_API_PackName' - policy_ids: - $ref: '#/components/schemas/Security_Osquery_API_PolicyIdsOrUndefined' - queries: - $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries' - saved_object_id: - description: The saved object ID of the pack. + formattedValue: + nullable: true type: string - shards: - description: Shard configuration as an array of key-value pairs. - items: + index: + nullable: true + type: string + key: + nullable: true + type: string + negate: + nullable: true + type: boolean + params: + nullable: true + type: string + type: + nullable: true + type: string + value: + nullable: true + type: string + missing: + nullable: true + type: string + query: + nullable: true + type: string + range: + nullable: true + type: string + script: + nullable: true + type: string + Security_Timeline_API_GetNotesResult: + type: object + properties: + notes: + items: + $ref: '#/components/schemas/Security_Timeline_API_Note' + type: array + totalCount: + description: Number of notes returned (may be adjusted after the query when `associatedFilter` applies post-filtering). 
+ type: number + required: + - totalCount + - notes + Security_Timeline_API_ImportTimelineResult: + type: object + properties: + errors: + description: The list of failed Timeline imports + items: + type: object + properties: + error: + description: The error containing the reason why the timeline could not be imported type: object properties: - key: + message: + description: The reason why the timeline could not be imported + example: Malformed JSON type: string - value: + status_code: + description: The HTTP status code of the error + example: 400 type: number + id: + description: The ID of the timeline that failed to import + example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 + type: string + type: array + success: + description: Indicates whether any of the Timelines were successfully imports + type: boolean + success_count: + description: The amount of successfully imported/updated Timelines + example: 99 + type: number + timelines_installed: + description: The amount of successfully installed Timelines + example: 80 + type: number + timelines_updated: + description: The amount of successfully updated Timelines + example: 19 + type: number + Security_Timeline_API_ImportTimelines: + allOf: + - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' + - type: object + properties: + eventNotes: + items: + $ref: '#/components/schemas/Security_Timeline_API_BareNote' + nullable: true type: array - updated_at: - description: The date and time the pack was last updated. - format: date-time + globalNotes: + items: + $ref: '#/components/schemas/Security_Timeline_API_BareNote' + nullable: true + type: array + pinnedEventIds: + items: + type: string + nullable: true + type: array + savedObjectId: + nullable: true type: string - updated_by: - description: The user who last updated the pack. + version: nullable: true type: string - updated_by_profile_uid: - description: The profile UID of the user who last updated the pack. 
+ required: + - savedObjectId + - version + - pinnedEventIds + - eventNotes + - globalNotes + Security_Timeline_API_Note: + allOf: + - $ref: '#/components/schemas/Security_Timeline_API_BareNote' + - type: object + properties: + noteId: + description: The `savedObjectId` of the note + example: 709f99c6-89b6-4953-9160-35945c8e174e type: string version: - description: The pack version number. - type: integer + description: The version of the note + example: WzQ2LDFd + type: string required: - - saved_object_id - - name + - noteId + - version + Security_Timeline_API_NoteCreatedAndUpdatedMetadata: + type: object + properties: + created: + description: The time the note was created, using a 13-digit Epoch timestamp. + example: 1587468588922 + nullable: true + type: number + createdBy: + description: The user who created the note. + example: casetester + nullable: true + type: string + updated: + description: The last time the note was updated, using a 13-digit Epoch timestamp + example: 1741344876825 + nullable: true + type: number + updatedBy: + description: The user who last updated the note + example: casetester + nullable: true + type: string + Security_Timeline_API_PersistPinnedEventResponse: + oneOf: + - $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent' + - type: object + properties: + unpinned: + description: Indicates whether the event was successfully unpinned + type: boolean + required: + - unpinned + Security_Timeline_API_PersistTimelineResponse: + $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' + Security_Timeline_API_PinnedEvent: + allOf: + - $ref: '#/components/schemas/Security_Timeline_API_BarePinnedEvent' + - type: object + properties: + pinnedEventId: + description: The `savedObjectId` of this pinned event + example: 10r1929b-0af7-42bd-85a8-56e234f98h2f3 + type: string + version: + description: The version of this pinned event + example: WzQ2LDFe + type: string + required: + - pinnedEventId + - version + 
Security_Timeline_API_PinnedEventCreatedAndUpdatedMetadata: + type: object + properties: + created: + description: The time the pinned event was created, using a 13-digit Epoch timestamp. + example: 1587468588922 + nullable: true + type: number + createdBy: + description: The user who created the pinned event. + example: casetester + nullable: true + type: string + updated: + description: The last time the pinned event was updated, using a 13-digit Epoch timestamp + example: 1741344876825 + nullable: true + type: number + updatedBy: + description: The user who last updated the pinned event + example: casetester + nullable: true + type: string + Security_Timeline_API_QueryMatchResult: + type: object + properties: + displayField: + nullable: true + type: string + displayValue: + nullable: true + type: string + field: + nullable: true + type: string + operator: + nullable: true + type: string + value: + oneOf: + - nullable: true + type: string + - items: + type: string + nullable: true + type: array + Security_Timeline_API_ResolvedTimeline: + type: object + properties: + alias_purpose: + $ref: '#/components/schemas/Security_Timeline_API_SavedObjectResolveAliasPurpose' + alias_target_id: + type: string + outcome: + $ref: '#/components/schemas/Security_Timeline_API_SavedObjectResolveOutcome' + timeline: + $ref: '#/components/schemas/Security_Timeline_API_TimelineSavedToReturnObject' required: - - data - Security_Osquery_API_CreateSavedQueryRequestBody: - example: - description: Saved query description - ecs_mapping: - host.uptime: - field: total_seconds - id: saved_query_id - interval: '60' - platform: linux,darwin - query: select * from uptime; - timeout: 120 - version: 2.8.0 + - timeline + - outcome + Security_Timeline_API_ResponseNote: type: object properties: - description: - $ref: >- - #/components/schemas/Security_Osquery_API_SavedQueryDescriptionOrUndefined - ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' - id: - $ref: 
'#/components/schemas/Security_Osquery_API_SavedQueryId' - interval: - $ref: '#/components/schemas/Security_Osquery_API_Interval' - platform: - $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' - query: - $ref: '#/components/schemas/Security_Osquery_API_QueryOrUndefined' - removed: - $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' - snapshot: - $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' - version: - $ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined' - Security_Osquery_API_CreateSavedQueryResponse: - description: The response for creating a saved query. - example: - data: - created_at: '2025-02-26T13:37:30.452Z' - created_by: elastic - description: Saved query description - ecs_mapping: - host.uptime: - field: total_seconds - id: saved_query_id - interval: '60' - platform: linux,darwin - prebuilt: false - query: select * from uptime; - saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c - timeout: 120 - updated_at: '2025-02-26T13:37:30.452Z' - updated_by: elastic - version: 2.8.0 + note: + $ref: '#/components/schemas/Security_Timeline_API_Note' + required: + - note + Security_Timeline_API_RowRendererId: + description: Identifies the available row renderers + enum: + - alert + - alerts + - auditd + - auditd_file + - library + - netflow + - plain + - registry + - suricata + - system + - system_dns + - system_endgame_process + - system_file + - system_fim + - system_security_event + - system_socket + - threat_match + - zeek + type: string + Security_Timeline_API_SavedObjectIds: + description: One Timeline saved object ID or an array of IDs. 
+ oneOf: + - items: + type: string + type: array + - type: string + Security_Timeline_API_SavedObjectResolveAliasPurpose: + enum: + - savedObjectConversion + - savedObjectImport + type: string + Security_Timeline_API_SavedObjectResolveOutcome: + enum: + - exactMatch + - aliasMatch + - conflict + type: string + Security_Timeline_API_SavedTimeline: type: object properties: - data: + columns: + description: The Timeline's columns + example: + - columnHeaderType: not-filtered + id: '@timestamp' + - columnHeaderType: not-filtered + id: event.category + items: + $ref: '#/components/schemas/Security_Timeline_API_ColumnHeaderResult' + nullable: true + type: array + created: + description: The time the Timeline was created, using a 13-digit Epoch timestamp. + example: 1587468588922 + nullable: true + type: number + createdBy: + description: The user who created the Timeline. + example: casetester + nullable: true + type: string + dataProviders: + description: Object containing query clauses + example: + - enabled: true + excluded: false + id: id-d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b + name: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b + queryMatch: + field: _id, + operator: ':' + value: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b, + items: + $ref: '#/components/schemas/Security_Timeline_API_DataProviderResult' + nullable: true + type: array + dataViewId: + description: ID of the Timeline's Data View + example: security-solution-default + nullable: true + type: string + dateRange: + description: The Timeline's search period. 
+ example: + end: 1587456479201 + start: 1587370079200 + nullable: true type: object properties: - created_at: - format: date-time - type: string - created_by: + end: + oneOf: + - nullable: true + type: string + - nullable: true + type: number + start: + oneOf: + - nullable: true + type: string + - nullable: true + type: number + description: + description: The Timeline's description + example: Investigating exposure of CVE XYZ + nullable: true + type: string + eqlOptions: + description: EQL query that is used in the correlation tab + example: + eventCategoryField: event.category + query: sequence\n[process where process.name == "sudo"]\n[any where true] + size: 100 + timestampField: '@timestamp' + nullable: true + type: object + properties: + eventCategoryField: nullable: true type: string - created_by_profile_uid: - type: string - description: - $ref: >- - #/components/schemas/Security_Osquery_API_SavedQueryDescriptionOrUndefined - ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' - id: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' - interval: - description: >- - An interval, in seconds, on which to run the query. May be - returned as number or string. - oneOf: - - type: integer - - type: string - platform: - $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' - prebuilt: - description: Whether the saved query is prebuilt. - type: boolean query: - $ref: '#/components/schemas/Security_Osquery_API_Query' - removed: - $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' - saved_object_id: - description: The saved object ID of the saved query. + nullable: true type: string - snapshot: - $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' - timeout: - description: The query timeout in seconds. 
- type: integer - updated_at: - format: date-time + size: + oneOf: + - nullable: true + type: string + - nullable: true + type: number + tiebreakerField: + nullable: true type: string - updated_by: + timestampField: nullable: true type: string - updated_by_profile_uid: + eventType: + deprecated: true + description: Event types displayed in the Timeline + example: all + nullable: true + type: string + excludedRowRendererIds: + description: A list of row renderers that should not be used when in `Event renderers` mode + items: + $ref: '#/components/schemas/Security_Timeline_API_RowRendererId' + nullable: true + type: array + favorite: + items: + $ref: '#/components/schemas/Security_Timeline_API_FavoriteTimelineResult' + nullable: true + type: array + filters: + description: A list of filters that should be applied to the query + items: + $ref: '#/components/schemas/Security_Timeline_API_FilterTimelineResult' + nullable: true + type: array + indexNames: + description: A list of index names to use in the query (e.g. 
when the default data view has been modified) + example: + - .logs* + items: + type: string + nullable: true + type: array + kqlMode: + description: |- + Indicates whether the KQL bar filters the query results or searches for additional results, where: + * `filter`: filters query results + * `search`: displays additional search results + example: search + nullable: true + type: string + kqlQuery: + $ref: '#/components/schemas/Security_Timeline_API_SerializedFilterQueryResult' + nullable: true + savedQueryId: + description: The ID of the saved query that might be used in the Query tab + example: c7b16904-02d7-4f32-b8f2-cc20f9625d6e + nullable: true + type: string + savedSearchId: + description: The ID of the saved search that is used in the ES|QL tab + example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 + nullable: true + type: string + sort: + $ref: '#/components/schemas/Security_Timeline_API_Sort' + nullable: true + status: + $ref: '#/components/schemas/Security_Timeline_API_TimelineStatus' + nullable: true + templateTimelineId: + description: A unique ID (UUID) for Timeline templates. For Timelines, the value is `null`. + example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 + nullable: true + type: string + templateTimelineVersion: + description: Timeline template version number. For Timelines, the value is `null`. + example: 12 + nullable: true + type: number + timelineType: + $ref: '#/components/schemas/Security_Timeline_API_TimelineType' + nullable: true + title: + description: The Timeline's title. 
+ example: CVE XYZ investigation + nullable: true + type: string + updated: + description: The last time the Timeline was updated, using a 13-digit Epoch timestamp + example: 1741344876825 + nullable: true + type: number + updatedBy: + description: The user who last updated the Timeline + example: casetester + nullable: true + type: string + Security_Timeline_API_SavedTimelineWithSavedObjectId: + allOf: + - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' + - type: object + properties: + savedObjectId: + description: The `savedObjectId` of the Timeline or Timeline template + example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e type: string version: - description: The saved query version. - oneOf: - - type: integer - - type: string + description: The version of the Timeline or Timeline template + example: WzE0LDFd + type: string required: - - saved_object_id - - id - required: - - data - Security_Osquery_API_DefaultSuccessResponse: - example: {} - type: object - properties: {} - Security_Osquery_API_ECSMapping: - additionalProperties: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingItem' - description: >- - Map osquery results columns or static values to Elastic Common Schema - (ECS) fields + - savedObjectId + - version + Security_Timeline_API_SerializedFilterQueryResult: + description: KQL bar query. example: - host.uptime: - field: total_seconds - type: object - Security_Osquery_API_ECSMappingArray: - description: >- - ECS mapping in saved-object storage format (array of key-value pairs). - The find and copy pack endpoints return this format. The read endpoint - returns object format (ECSMapping). - items: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingArrayItem' - type: array - Security_Osquery_API_ECSMappingArrayItem: - description: ECS mapping item in saved-object storage format (key-value pair). - type: object - properties: - key: - description: The ECS field name. 
- type: string - value: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingItem' - Security_Osquery_API_ECSMappingArrayOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingArray' - nullable: true - Security_Osquery_API_ECSMappingItem: + filterQuery: null + kuery: + expression: '_id : *' + kind: kuery + serializedQuery: '{"bool":{"should":[{"exists":{"field":"_id"}}],"minimum_should_match":1}}' type: object properties: - field: - description: The ECS field to map to. - example: host.uptime - type: string - value: - description: The value to map to the ECS field. - example: total_seconds - oneOf: - - type: string - - items: - type: string - type: array - Security_Osquery_API_ECSMappingOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' - nullable: true - Security_Osquery_API_Enabled: - description: Enables the pack. - example: true - type: boolean - Security_Osquery_API_EnabledOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_Enabled' - nullable: true - Security_Osquery_API_FindLiveQueryDetailsResponse: + filterQuery: + nullable: true + type: object + properties: + kuery: + nullable: true + type: object + properties: + expression: + nullable: true + type: string + kind: + nullable: true + type: string + serializedQuery: + nullable: true + type: string + Security_Timeline_API_Sort: + oneOf: + - $ref: '#/components/schemas/Security_Timeline_API_SortObject' + - items: + $ref: '#/components/schemas/Security_Timeline_API_SortObject' + type: array + Security_Timeline_API_SortFieldTimeline: + description: The field to sort the timelines by. 
+ enum: + - title + - description + - updated + - created + type: string + Security_Timeline_API_SortObject: + description: Object indicating how rows are sorted in the Timeline's grid example: - data: - '@timestamp': '2022-07-26T09:59:32.220Z' - action_id: 3c42c847-eb30-4452-80e0-728584042334 - agents: - - 16d7caf5-efd2-4212-9b62-73dafc91fa13 - expiration: '2022-07-26T10:04:32.220Z' - queries: - - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 - agents: - - 16d7caf5-efd2-4212-9b62-73dafc91fa13 - docs: 0 - ecs_mapping: - host.uptime: - field: total_seconds - failed: 1 - id: 6724a474-cbba-41ef-a1aa-66aebf0879e2 - pending: 0 - query: select * from uptime; - responded: 1 - saved_query_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d - status: completed - successful: 0 - status: completed - user_id: elastic + columnId: '@timestamp' + sortDirection: desc type: object properties: - data: - type: object + columnId: + nullable: true + type: string + columnType: + nullable: true + type: string + sortDirection: + nullable: true + type: string + Security_Timeline_API_TimelineResponse: + allOf: + - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' + - $ref: '#/components/schemas/Security_Timeline_API_SavedTimelineWithSavedObjectId' + - type: object properties: - '@timestamp': - format: date-time - type: string - action_id: - type: string - agents: - items: - type: string - type: array - expiration: - format: date-time - type: string - pack_id: - type: string - pack_name: - type: string - prebuilt_pack: - type: boolean - queries: - description: The queries with their execution status. + eventIdToNoteIds: + description: A list of all the notes that are associated to this Timeline. items: - type: object - properties: - action_id: - type: string - agents: - items: - type: string - type: array - docs: - description: Number of result documents. 
- type: integer - ecs_mapping: - $ref: >- - #/components/schemas/Security_Osquery_API_ECSMappingOrUndefined - failed: - description: Number of failed queries. - type: integer - id: - type: string - pending: - description: Number of pending agents. - type: integer - query: - type: string - responded: - description: Total responded agents. - type: integer - saved_query_id: - type: string - status: - description: Status of this individual query. - enum: - - completed - - running - type: string - successful: - description: Number of successful agents. - type: integer + $ref: '#/components/schemas/Security_Timeline_API_Note' + nullable: true type: array - status: - description: Global status of the live query (completed, running). - enum: - - completed - - running - type: string - tags: + noteIds: + description: A list of all the ids of notes that are associated to this Timeline. + example: + - 709f99c6-89b6-4953-9160-35945c8e174e items: type: string + nullable: true type: array - user_id: - type: string - user_profile_uid: - type: string - Security_Osquery_API_FindLiveQueryResponse: - example: - data: - items: - - _source: - '@timestamp': '2023-10-31T00:00:00Z' - action_id: 3c42c847-eb30-4452-80e0-728584042334 - agents: - - 16d7caf5-efd2-4212-9b62-73dafc91fa13 - expiration: '2023-10-31T00:00:00Z' - queries: - - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 - agents: - - 16d7caf5-efd2-4212-9b62-73dafc91fa13 - ecs_mapping: - host.uptime: - field: total_seconds - id: 6724a474-cbba-41ef-a1aa-66aebf0879e2 - query: select * from uptime; - saved_query_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d - result_counts: - error_agents: 0 - responded_agents: 1 - successful_agents: 1 - total_rows: 42 - user_id: elastic - total: 1 - type: object - properties: - data: - type: object - properties: - items: - description: An array of live query action items. + notes: + description: A list of all the notes that are associated to this Timeline. 
items: - type: object - properties: - _source: - type: object - properties: - '@timestamp': - format: date-time - type: string - action_id: - type: string - agents: - items: - type: string - type: array - expiration: - format: date-time - type: string - pack_id: - type: string - queries: - items: - type: object - properties: - action_id: - type: string - agents: - items: - type: string - type: array - ecs_mapping: - $ref: >- - #/components/schemas/Security_Osquery_API_ECSMappingOrUndefined - id: - type: string - query: - type: string - saved_query_id: - type: string - type: array - result_counts: - description: >- - Result count statistics (present when withResultCounts - is true). - type: object - properties: - error_agents: - type: integer - responded_agents: - type: integer - successful_agents: - type: integer - total_rows: - type: integer - user_id: - type: string + $ref: '#/components/schemas/Security_Timeline_API_Note' + nullable: true type: array - total: - description: The total number of live queries. - type: integer - Security_Osquery_API_FindPackResponse: - description: The details of a single query pack. - example: - data: - created_at: '2022-07-25T19:41:10.263Z' - created_by: elastic - description: '' - enabled: true - name: test_pack - namespaces: - - default - policy_ids: [] - queries: - uptime: - ecs_mapping: - message: - field: days - interval: 3600 - query: select * from uptime - read_only: false - saved_object_id: 3c42c847-eb30-4452-80e0-728584042334 - shards: {} - type: osquery-pack - updated_at: '2022-07-25T20:12:01.455Z' - updated_by: elastic - version: 1 - type: object - properties: - data: - description: The pack details. - type: object + pinnedEventIds: + description: A list of all the ids of pinned events that are associated to this Timeline. 
+ example: + - 983f99c6-89b6-4953-9160-35945c8a194f + items: + type: string + nullable: true + type: array + pinnedEventsSaveObject: + description: A list of all the pinned events that are associated to this Timeline. + items: + $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent' + nullable: true + type: array + Security_Timeline_API_TimelineSavedToReturnObject: + allOf: + - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' + - type: object properties: - created_at: - format: date-time - type: string - created_by: + eventIdToNoteIds: + items: + $ref: '#/components/schemas/Security_Timeline_API_Note' nullable: true - type: string - created_by_profile_uid: - type: string - description: - $ref: >- - #/components/schemas/Security_Osquery_API_PackDescriptionOrUndefined - enabled: - $ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined' - name: - $ref: '#/components/schemas/Security_Osquery_API_PackName' - namespaces: - description: The namespaces the pack belongs to. + type: array + noteIds: items: type: string + nullable: true type: array - policy_ids: - $ref: '#/components/schemas/Security_Osquery_API_PolicyIdsOrUndefined' - queries: - $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries' - read_only: - description: Whether the pack is read-only (true for prebuilt packs). - type: boolean - saved_object_id: - description: The saved object ID of the pack. - type: string - shards: - $ref: '#/components/schemas/Security_Osquery_API_Shards' - type: - description: The saved object type. 
- type: string - updated_at: - format: date-time - type: string - updated_by: + notes: + items: + $ref: '#/components/schemas/Security_Timeline_API_Note' nullable: true - type: string - updated_by_profile_uid: + type: array + pinnedEventIds: + items: + type: string + nullable: true + type: array + pinnedEventsSaveObject: + items: + $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent' + nullable: true + type: array + savedObjectId: type: string version: - description: The pack version number. - type: integer + type: string required: - - saved_object_id - - name - required: - - data - Security_Osquery_API_FindPacksResponse: - description: A paginated list of query packs. - example: - data: - - created_at: '2023-10-31T00:00:00Z' - created_by: elastic - created_by_profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - description: My pack description - enabled: true - name: My Pack - policy_ids: [] - queries: - - ecs_mapping: - - key: host.uptime - value: - field: total_seconds - id: uptime - interval: 3600 - query: select * from uptime; - read_only: false - saved_object_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d - updated_at: '2023-10-31T00:00:00Z' - updated_by: elastic - updated_by_profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - page: 1 - per_page: 10 - total: 1 + - savedObjectId + - version + Security_Timeline_API_TimelineStatus: + description: The status of the Timeline. + enum: + - active + - draft + - immutable + type: string + Security_Timeline_API_TimelineType: + description: The type of Timeline. + enum: + - default + - template + type: string + Short_URL_APIs_urlResponse: type: object properties: - data: - description: An array of pack objects. 
- items: - type: object - properties: - created_at: - format: date-time - type: string - created_by: - nullable: true - type: string - created_by_profile_uid: - type: string - description: - $ref: >- - #/components/schemas/Security_Osquery_API_PackDescriptionOrUndefined - enabled: - $ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined' - name: - $ref: '#/components/schemas/Security_Osquery_API_PackName' - policy_ids: - $ref: '#/components/schemas/Security_Osquery_API_PolicyIdsOrUndefined' - queries: - description: >- - Pack queries in saved-object storage format (array). Note: the - read endpoint returns object format. - items: - type: object - properties: - ecs_mapping: - $ref: >- - #/components/schemas/Security_Osquery_API_ECSMappingArrayOrUndefined - id: - type: string - interval: - type: integer - platform: - type: string - query: - type: string - removed: - type: boolean - snapshot: - type: boolean - timeout: - type: integer - version: - type: string - type: array - read_only: - description: Whether the pack is read-only (true for prebuilt packs). - type: boolean - saved_object_id: - description: The saved object ID of the pack. - type: string - updated_at: - format: date-time - type: string - updated_by: - nullable: true - type: string - updated_by_profile_uid: - type: string - version: - description: The pack version number. - type: integer - required: - - saved_object_id - - name - type: array - page: - description: The current page number. + accessCount: + description: Number of times the short URL has been resolved. type: integer - per_page: - description: The number of results per page. + accessDate: + description: Unix epoch (milliseconds) of the last time the short URL was resolved. Set to the creation time when the URL has never been accessed. + format: int64 type: integer - total: - description: The total number of packs. + createDate: + description: Unix epoch (milliseconds) when the short URL was created. 
+ format: int64 type: integer - required: - - page - - per_page - - total - - data - Security_Osquery_API_FindSavedQueryDetailResponse: - description: The details of a single saved query. - example: - data: - created_at: '2022-07-26T09:28:08.597Z' - created_by: elastic - description: Saved query description - ecs_mapping: - host.uptime: - field: total_seconds - id: saved_query_id - interval: '60' - platform: linux,darwin - prebuilt: false - query: select * from uptime; - saved_object_id: 3c42c847-eb30-4452-80e0-728584042334 - updated_at: '2022-07-26T09:28:08.597Z' - updated_by: elastic - version: 2.8.0 - type: object - properties: - data: + id: + description: The identifier for the short URL. + type: string + locator: type: object properties: - created_at: - format: date-time - type: string - created_by: - nullable: true - type: string - created_by_profile_uid: - type: string - description: - $ref: >- - #/components/schemas/Security_Osquery_API_SavedQueryDescriptionOrUndefined - ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' id: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' - interval: - oneOf: - - type: integer - - type: string - platform: - $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' - prebuilt: - type: boolean - query: - $ref: '#/components/schemas/Security_Osquery_API_Query' - removed: - $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' - saved_object_id: - type: string - snapshot: - $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' - timeout: - type: integer - updated_at: - format: date-time - type: string - updated_by: - nullable: true - type: string - updated_by_profile_uid: + description: The identifier for the locator. type: string + state: + description: The locator parameters. 
+ type: object version: - oneOf: - - type: integer - - type: string - required: - - saved_object_id - - id + description: The version of Kibana when the short URL was created. + type: string + slug: + description: | + A random human-readable slug is automatically generated if the `humanReadableSlug` parameter is set to `true`. If it is set to `false`, a random short string is generated. + type: string + SLOs_400_response: + title: Bad request + type: object + properties: + error: + example: Bad Request + type: string + message: + example: 'Invalid value ''foo'' supplied to: [...]' + type: string + statusCode: + example: 400 + type: number required: - - data - Security_Osquery_API_FindSavedQueryResponse: - description: A paginated list of saved queries. - example: - data: - - created_at: '2022-07-26T09:28:08.597Z' - created_by: elastic - created_by_profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - description: Saved query description - ecs_mapping: - host.uptime: - field: total_seconds - id: saved_query_id - interval: '60' - platform: linux,darwin - prebuilt: false - query: select * from uptime; - saved_object_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d - updated_at: '2022-07-26T09:28:08.597Z' - updated_by: elastic - updated_by_profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - version: 2.8.0 - page: 1 - per_page: 100 - total: 11 + - statusCode + - error + - message + SLOs_401_response: + title: Unauthorized type: object properties: - data: - description: An array of saved query objects. 
+ error: + example: Unauthorized + type: string + message: + example: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastics] for REST request [/_security/_authenticate]]: unable to authenticate user [elastics] for REST request [/_security/_authenticate]" + type: string + statusCode: + example: 401 + type: number + required: + - statusCode + - error + - message + SLOs_403_response: + title: Forbidden + type: object + properties: + error: + example: Forbidden + type: string + message: + example: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: action [slo_write] is unauthorized for user [limited_user] for REST request [/api/observability/slos]]: action [slo_write] is unauthorized for user [limited_user]" + type: string + statusCode: + example: 403 + type: number + required: + - statusCode + - error + - message + SLOs_404_response: + title: Not found + type: object + properties: + error: + example: Not Found + type: string + message: + example: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found + type: string + statusCode: + example: 404 + type: number + required: + - statusCode + - error + - message + SLOs_409_response: + title: Conflict + type: object + properties: + error: + example: Conflict + type: string + message: + example: SLO [d077e940-1515-11ee-9c50-9d096392f520] already exists + type: string + statusCode: + example: 409 + type: number + required: + - statusCode + - error + - message + SLOs_artifacts: + description: Links to related assets for the SLO + properties: + dashboards: + description: Array of dashboard references items: type: object properties: - created_at: - format: date-time - type: string - created_by: - nullable: true - type: string - created_by_profile_uid: - type: string - description: - $ref: >- - #/components/schemas/Security_Osquery_API_SavedQueryDescriptionOrUndefined - ecs_mapping: - $ref: >- - #/components/schemas/Security_Osquery_API_ECSMappingOrUndefined id: - $ref: 
'#/components/schemas/Security_Osquery_API_SavedQueryId' - interval: - oneOf: - - type: integer - - type: string - platform: - $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' - prebuilt: - type: boolean - query: - $ref: '#/components/schemas/Security_Osquery_API_Query' - removed: - $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' - saved_object_id: - type: string - snapshot: - $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' - timeout: - type: integer - updated_at: - format: date-time - type: string - updated_by: - nullable: true - type: string - updated_by_profile_uid: + description: Dashboard saved-object id type: string - version: - oneOf: - - type: integer - - type: string required: - - saved_object_id - id type: array - page: - description: The current page number. - type: integer - per_page: - description: The number of results per page. - type: integer - total: - description: The total number of saved queries. - type: integer + title: Artifacts + type: object + SLOs_budgeting_method: + description: The budgeting method to use when computing the rollup data. + enum: + - occurrences + - timeslices + example: occurrences + title: Budgeting method + type: string + SLOs_bulk_delete_request: + description: | + The bulk delete SLO request takes a list of SLOs Definition id to delete. + properties: + list: + description: An array of SLO Definition id + items: + description: The SLO Definition id + example: 8853df00-ae2e-11ed-90af-09bb6422b258 + type: string + type: array required: - - page - - per_page - - total - - data - Security_Osquery_API_GetLiveQueryResultsResponse: - description: The response for getting live query results. 
- example: - data: - edges: - - _id: doc1 - _source: {} - - _id: doc2 - _source: {} - total: 2 + - list + title: Bulk delete SLO request type: object + SLOs_bulk_delete_response: + description: | + The bulk delete SLO response returns a taskId that can be used to poll for its status properties: - data: - type: object - properties: - edges: - description: The result rows from the query execution. - items: - type: object - properties: - _id: - type: string - _source: - description: >- - The Elasticsearch document source containing query - results. - type: object - type: array - total: - description: The total number of result rows. - type: integer - Security_Osquery_API_GetScheduledActionResultsResponse: - example: - aggregations: - failed: 1 - pending: 0 - successful: 9 - totalResponded: 10 - totalRowCount: 42 - currentPage: 0 - edges: - - _id: result-001 - fields: - agent_id: 16d7caf5-efd2-4212-9b62-73dafc91fa13 - rows_count: 5 - status: success - metadata: - executionCount: 3 - packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d - packName: My Pack - queryName: uptime - queryText: select * from uptime; - scheduleId: pack_my_pack_uptime - timestamp: '2024-07-26T09:00:00.000Z' - pageSize: 20 - total: 10 - totalPages: 1 + taskId: + description: The taskId of the bulk delete operation + example: d08506b7-f0e8-4f8b-a06a-a83940f4db91 + type: string + title: Bulk delete SLO response type: object + SLOs_bulk_delete_status_response: + description: Indicates if the bulk deletion is completed, with the detailed results of the operation. properties: - aggregations: - $ref: >- - #/components/schemas/Security_Osquery_API_ScheduledActionResultsAggregations - currentPage: - description: The current page number (zero-based). - type: integer - edges: - description: The paginated list of per-agent action results. 
+ error: + description: The error message if the bulk deletion operation failed + example: Task not found + type: string + isDone: + description: Indicates if the bulk deletion operation is completed + example: true + type: boolean + results: + description: The results of the bulk deletion operation, including the success status and any errors for each SLO items: type: object + properties: + error: + description: The error message if the deletion operation failed for this SLO + example: SLO [d08506b7-f0e8-4f8b-a06a-a83940f4db91] not found + type: string + id: + description: The ID of the SLO that was deleted + example: d08506b7-f0e8-4f8b-a06a-a83940f4db91 + type: string + success: + description: The result of the deletion operation for this SLO + example: true + type: boolean type: array - inspect: - description: Debug/inspection data for the search query. - type: object - metadata: - $ref: '#/components/schemas/Security_Osquery_API_ScheduledExecutionMetadata' - pageSize: - description: The number of results per page. - type: integer - total: - description: The total number of action results. - type: integer - totalPages: - description: The total number of pages. - type: integer - Security_Osquery_API_GetScheduledQueryResultsResponse: - description: The response for getting scheduled query results. - example: - data: - edges: - - _id: row-001 - fields: - host.uptime: - - '12345' - - _id: row-002 - fields: - host.uptime: - - '67890' - total: 2 + title: The status of the bulk deletion type: object + SLOs_bulk_purge_rollup_request: + description: | + The bulk purge rollup data request takes a list of SLO ids and a purge policy, then deletes the rollup data according to the purge policy. This API can be used to remove the staled data of an instance SLO that no longer get updated. properties: - data: - description: The query results data wrapper. 
+ list: + description: An array of slo ids + items: + description: The SLO Definition id + example: 8853df00-ae2e-11ed-90af-09bb6422b258 + type: string + type: array + purgePolicy: + description: Policy that dictates which SLI documents to purge based on age + oneOf: + - type: object + properties: + age: + description: The duration to determine which documents to purge, formatted as {duration}{unit}. This value should be greater than or equal to the time window of every SLO provided. + example: 7d + type: string + purgeType: + description: Specifies whether documents will be purged based on a specific age or on a timestamp + enum: + - fixed-age + type: string + - type: object + properties: + purgeType: + description: Specifies whether documents will be purged based on a specific age or on a timestamp + enum: + - fixed-time + type: string + timestamp: + description: The timestamp to determine which documents to purge, formatted in ISO. This value should be older than the applicable time window of every SLO provided. + example: '2024-12-31T00:00:00.000Z' + type: string type: object - properties: - edges: - description: The paginated list of query result rows. - items: - type: object - type: array - inspect: - description: Debug/inspection data for the search query. - type: object - total: - description: The total number of result rows. 
- type: integer - Security_Osquery_API_GetUnifiedHistoryResponse: - example: - data: - - actionId: 609c4c66-ba3d-43fa-afdd-53e244577aa0 - agentCount: 5 - errorCount: 0 - id: 3c42c847-eb30-4452-80e0-728584042334 - queryName: uptime_query - queryText: select * from uptime; - source: Live - sourceType: live - successCount: 5 - timestamp: '2024-07-26T09:59:32.220Z' - totalRows: 42 - userId: elastic - - agentCount: 10 - errorCount: 1 - executionCount: 3 - id: pack_my_pack_uptime_3 - packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d - packName: My Pack - plannedTime: '2024-07-26T09:00:00.000Z' - queryName: uptime - queryText: select * from uptime; - scheduleId: pack_my_pack_uptime - source: Scheduled - sourceType: scheduled - successCount: 9 - timestamp: '2024-07-26T09:00:00.000Z' - totalRows: 100 - hasMore: true - nextPage: eyJhY3Rpb25TZWFyY2hBZnRlciI6WzE3... + required: + - list + - purgePolicy + title: Bulk Purge Rollup data request + type: object + SLOs_bulk_purge_rollup_response: + description: | + The bulk purge rollup data response returns a task id from the elasticsearch deleteByQuery response. + properties: + taskId: + description: The task id of the purge operation + example: 8853df00-ae2e-11ed-90af-09bb6422b258 + type: string + title: Bulk Purge Rollup data response type: object + SLOs_create_slo_request: + description: | + The create SLO API request body varies depending on the type of indicator, time window and budgeting method. properties: - data: - description: The list of unified history rows for the current page. + artifacts: + $ref: '#/components/schemas/SLOs_artifacts' + budgetingMethod: + $ref: '#/components/schemas/SLOs_budgeting_method' + description: + description: A description for the SLO. + type: string + groupBy: + $ref: '#/components/schemas/SLOs_group_by' + id: + description: A optional and unique identifier for the SLO. 
Must be between 8 and 36 chars + example: my-super-slo-id + type: string + indicator: + oneOf: + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' + - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' + - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' + name: + description: A name for the SLO. + type: string + objective: + $ref: '#/components/schemas/SLOs_objective' + settings: + $ref: '#/components/schemas/SLOs_settings' + tags: + description: List of tags items: - $ref: '#/components/schemas/Security_Osquery_API_UnifiedHistoryRow' + type: string type: array - hasMore: - description: Whether there are more results beyond the current page. - type: boolean - nextPage: - description: >- - A base64-encoded cursor to fetch the next page. Absent when there - are no more results. - type: string + timeWindow: + $ref: '#/components/schemas/SLOs_time_window' required: - - data - - hasMore - Security_Osquery_API_Interval: - description: An interval, in seconds, on which to run the query. - example: '60' - type: string - Security_Osquery_API_IntervalOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_Interval' - nullable: true - Security_Osquery_API_KueryOrUndefined: - description: The kuery to filter the results by. - example: 'agent.id: 16d7caf5-efd2-4212-9b62-73dafc91fa13' - nullable: true - type: string - Security_Osquery_API_LiveHistoryRow: - allOf: - - $ref: '#/components/schemas/Security_Osquery_API_UnifiedHistoryRowBase' - - type: object - properties: - actionId: - description: The Fleet action ID for the live query. - type: string - agentAll: - description: Whether the query targeted all agents. - type: boolean - agentIds: - description: List of targeted agent IDs. 
- items: - type: string - type: array - agentPlatforms: - description: List of targeted agent platforms. - items: - type: string - type: array - agentPolicyIds: - description: List of targeted agent policy IDs. - items: - type: string - type: array - ecsMapping: - additionalProperties: true - description: ECS mapping configuration used for the query. - type: object - queriesTotal: - description: The total number of sub-queries in the live action. - type: integer - queriesWithResults: - description: The number of sub-queries that returned results. - type: integer - savedQueryId: - description: >- - The saved query ID, if the live query was based on a saved - query. - type: string - source: - description: >- - Whether this was a manually run live query or triggered by a - rule. - enum: - - Live - - Rule - type: string - sourceType: - description: Identifies this as a live query history row. - enum: - - live - type: string - timeout: - description: The query timeout in seconds. - type: integer - userId: - description: The ID of the user who ran the query. - type: string - userProfileUid: - description: The user profile UID of the user who ran the query. - type: string - required: - - sourceType - - source - Security_Osquery_API_ObjectQueries: - additionalProperties: - $ref: '#/components/schemas/Security_Osquery_API_ObjectQueriesItem' - description: An object of queries. 
+ - name + - description + - indicator + - timeWindow + - budgetingMethod + - objective + title: Create SLO request type: object - Security_Osquery_API_ObjectQueriesItem: + SLOs_create_slo_response: + title: Create SLO response type: object properties: - ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' id: - $ref: '#/components/schemas/Security_Osquery_API_QueryId' - platform: - $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' - query: - $ref: '#/components/schemas/Security_Osquery_API_Query' - removed: - $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' - saved_query_id: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryIdOrUndefined' - snapshot: - $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' - version: - $ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined' - Security_Osquery_API_PackDescription: - description: The pack description. - example: Pack description - type: string - Security_Osquery_API_PackDescriptionOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_PackDescription' - nullable: true - Security_Osquery_API_PackId: - description: The ID of the pack. - example: 3c42c847-eb30-4452-80e0-728584042334 - type: string - Security_Osquery_API_PackIdOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_PackId' - nullable: true - Security_Osquery_API_PackName: - description: The pack name. - example: my_pack - type: string - Security_Osquery_API_PageOrUndefined: - description: The page number to return. The default is 1. - example: 1 - nullable: true - type: integer - Security_Osquery_API_PageSizeOrUndefined: - description: The number of results to return per page. The default is 20. - example: 20 - nullable: true - type: integer - Security_Osquery_API_Platform: - description: >- - Restricts the query to a specified platform. The default is all - platforms. To specify multiple platforms, use commas. 
For example, - `linux,darwin`. - example: linux,darwin - type: string - Security_Osquery_API_PlatformOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_Platform' - nullable: true - Security_Osquery_API_PolicyIds: - description: A list of agents policy IDs. - example: - - policyId1 - - policyId2 - items: - type: string - type: array - Security_Osquery_API_PolicyIdsOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_PolicyIds' - nullable: true - Security_Osquery_API_Query: - description: The SQL query you want to run. - example: select * from uptime; - type: string - Security_Osquery_API_QueryId: - description: The ID of the query. - example: 3c42c847-eb30-4452-80e0-728584042334 - type: string - Security_Osquery_API_QueryOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_Query' - nullable: true - Security_Osquery_API_Removed: - description: Indicates whether the query is removed. - example: false - type: boolean - Security_Osquery_API_RemovedOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_Removed' - nullable: true - Security_Osquery_API_SavedQueryDescription: - description: The saved query description. - example: Saved query description - type: string - Security_Osquery_API_SavedQueryDescriptionOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription' - nullable: true - Security_Osquery_API_SavedQueryId: - description: The ID of a saved query. - example: 3c42c847-eb30-4452-80e0-728584042334 - type: string - Security_Osquery_API_SavedQueryIdOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' - nullable: true - Security_Osquery_API_ScheduledActionResultsAggregations: - type: object + example: 8853df00-ae2e-11ed-90af-09bb6422b258 + type: string + required: + - id + SLOs_delete_slo_instances_request: + description: | + The delete SLO instances request takes a list of SLO id and instance id, then delete the rollup and summary data. 
This API can be used to remove the staled data of an instance SLO that no longer get updated. properties: - failed: - description: The number of agents that returned errors. - type: integer - pending: - description: The number of agents with pending responses. - type: integer - successful: - description: The number of agents that completed successfully. - type: integer - totalResponded: - description: The total number of agents that responded. - type: integer - totalRowCount: - description: The total number of result rows across all agents. - type: integer - Security_Osquery_API_ScheduledExecutionMetadata: - description: Execution metadata resolved from the pack saved object. + list: + description: An array of slo id and instance id + items: + type: object + properties: + instanceId: + description: The SLO instance identifier + example: 8853df00-ae2e-11ed-90af-09bb6422b258 + type: string + sloId: + description: The SLO unique identifier + example: 8853df00-ae2e-11ed-90af-09bb6422b258 + type: string + required: + - sloId + - instanceId + type: array + required: + - list + title: Delete SLO instances request type: object - properties: - executionCount: - description: The execution count for this scheduled query run. - type: integer - packId: - description: The ID of the pack containing the query. - type: string - packName: - description: The name of the pack containing the query. - type: string - queryName: - description: The name of the query within the pack. - type: string - queryText: - description: The SQL query that was executed. - type: string - scheduleId: - description: The schedule ID for the scheduled query. - type: string - timestamp: - description: The timestamp of the most recent response for this execution. 
- type: string - Security_Osquery_API_ScheduledHistoryRow: - allOf: - - $ref: '#/components/schemas/Security_Osquery_API_UnifiedHistoryRowBase' - - type: object - properties: - executionCount: - description: The execution count for this scheduled query run. - type: integer - plannedTime: - description: The planned execution time for the scheduled query. - type: string - scheduleId: - description: The schedule ID for the scheduled query. - type: string - source: - description: Indicates this is a scheduled query execution. - enum: - - Scheduled - type: string - sourceType: - description: Identifies this as a scheduled query history row. - enum: - - scheduled - type: string - required: - - sourceType - - source - Security_Osquery_API_Shards: - additionalProperties: - type: number - description: >- - An object with shard configuration for policies included in the pack. - For each policy, set the shard configuration to a percentage (1–100) of - target hosts. - example: - policy_id: 50 + SLOs_error_budget: + title: Error budget type: object - Security_Osquery_API_Snapshot: - description: Indicates whether the query is a snapshot. - example: true - type: boolean - Security_Osquery_API_SnapshotOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_Snapshot' - nullable: true - Security_Osquery_API_SortOrderOrUndefined: - description: Specifies the sort order. - enum: - - asc - - desc - example: desc - type: string - Security_Osquery_API_SortOrUndefined: - default: createdAt - description: The field that is used to sort the results. 
- example: createdAt - nullable: true - type: string - Security_Osquery_API_UnifiedHistoryRow: - discriminator: - mapping: - live: '#/components/schemas/Security_Osquery_API_LiveHistoryRow' - scheduled: '#/components/schemas/Security_Osquery_API_ScheduledHistoryRow' - propertyName: sourceType - oneOf: - - $ref: '#/components/schemas/Security_Osquery_API_LiveHistoryRow' - - $ref: '#/components/schemas/Security_Osquery_API_ScheduledHistoryRow' - Security_Osquery_API_UnifiedHistoryRowBase: + properties: + consumed: + description: The error budget consummed, as a percentage of the initial value. + example: 0.8 + type: number + initial: + description: The initial error budget, as 1 - objective + example: 0.02 + type: number + isEstimated: + description: Only for SLO defined with occurrences budgeting method and calendar aligned time window. + example: true + type: boolean + remaining: + description: The error budget remaining, as a percentage of the initial value. + example: 0.2 + type: number + required: + - initial + - consumed + - remaining + - isEstimated + SLOs_filter: + description: Defines properties for a filter + properties: + meta: + $ref: '#/components/schemas/SLOs_filter_meta' + query: + type: object + title: Filter type: object + SLOs_filter_meta: + description: Defines properties for a filter properties: - agentCount: - description: The number of agents targeted by the query. - type: integer - errorCount: - description: The number of agent responses with errors. + alias: nullable: true - type: integer - id: - description: Unique identifier for the history row. type: string - packId: - description: The ID of the pack containing the query. + controlledBy: type: string - packName: - description: The name of the pack containing the query. + disabled: + type: boolean + field: type: string - queryName: - description: The name of the query, if available. + group: type: string - queryText: - description: The SQL query that was executed. 
+ index: type: string - spaceId: - description: The Kibana space ID where the query was executed. + isMultiIndex: + type: boolean + key: type: string - successCount: - description: The number of successful agent responses. - nullable: true - type: integer - timestamp: - description: The timestamp of the query execution. + negate: + type: boolean + params: + type: object + type: type: string - totalRows: - description: The total number of result rows returned across all agents. - nullable: true - type: integer - required: - - id - - timestamp - - queryText - - agentCount - Security_Osquery_API_UpdatePacksRequestBody: - example: - name: updated_my_pack_name + value: + type: string + title: FilterMeta + type: object + SLOs_find_slo_definitions_response: + description: | + A paginated response of SLO definitions matching the query. + oneOf: + - type: object + properties: + page: + example: 1 + type: number + perPage: + example: 25 + type: number + results: + items: + $ref: '#/components/schemas/SLOs_slo_with_summary_response' + type: array + total: + example: 34 + type: number + - type: object + properties: + page: + default: 1 + description: for backward compability + type: number + perPage: + description: for backward compability + example: 25 + type: number + results: + items: + $ref: '#/components/schemas/SLOs_slo_with_summary_response' + type: array + searchAfter: + description: the cursor to provide to get the next paged results + example: + - some-slo-id + - other-cursor-id + items: + type: string + type: array + size: + example: 25 + type: number + total: + example: 34 + type: number + title: Find SLO definitions response type: object + SLOs_find_slo_response: + description: | + A paginated response of SLOs matching the query. 
properties: - description: - $ref: '#/components/schemas/Security_Osquery_API_PackDescriptionOrUndefined' - enabled: - $ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined' - name: - $ref: '#/components/schemas/Security_Osquery_API_PackName' - policy_ids: - $ref: '#/components/schemas/Security_Osquery_API_PolicyIdsOrUndefined' - queries: - $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries' - shards: - $ref: '#/components/schemas/Security_Osquery_API_Shards' - Security_Osquery_API_UpdatePacksResponse: - description: The response for updating a pack. + page: + example: 1 + type: number + perPage: + example: 25 + type: number + results: + items: + $ref: '#/components/schemas/SLOs_slo_with_summary_response' + type: array + searchAfter: + type: string + size: + description: Size provided for cursor based pagination + example: 25 + type: number + total: + example: 34 + type: number + title: Find SLO response + type: object + SLOs_group_by: + description: optional group by field or fields to use to generate an SLO per distinct value example: - data: - created_at: '2025-02-26T13:37:30.452Z' - created_by: elastic - description: My pack - enabled: true - name: updated_my_pack_name - policy_ids: - - my_policy_id - queries: - ports: - ecs_mapping: - client.port: - field: port - interval: 60 - query: SELECT * FROM listening_ports; - removed: false - snapshot: true - timeout: 120 - saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 - shards: - 47638692-7c4c-4053-aa3e-7186f28df349: 35 - 5e267651-fe50-443e-8d3f-3bbc9171b618: 58 - updated_at: '2025-02-26T13:40:16.297Z' - updated_by: elastic - version: 1 + - - service.name + - service.name + - - service.name + - service.environment + oneOf: + - type: string + - items: + type: string + type: array + title: Group by + SLOs_indicator_properties_apm_availability: + description: Defines properties for the APM availability indicator type type: object properties: - data: + params: + description: An object 
containing the indicator parameters. + nullable: false type: object properties: - created_at: - format: date-time + environment: + description: The APM service environment or "*" + example: production type: string - created_by: - nullable: true + filter: + description: KQL query used for filtering the data + example: 'service.foo : "bar"' type: string - created_by_profile_uid: + index: + description: The index used by APM metrics + example: metrics-apm*,apm* type: string - description: - $ref: >- - #/components/schemas/Security_Osquery_API_PackDescriptionOrUndefined - enabled: - $ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined' - name: - $ref: '#/components/schemas/Security_Osquery_API_PackName' - policy_ids: - $ref: '#/components/schemas/Security_Osquery_API_PolicyIdsOrUndefined' - queries: - $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries' - saved_object_id: - description: The saved object ID of the pack. + service: + description: The APM service name + example: o11y-app type: string - shards: - $ref: '#/components/schemas/Security_Osquery_API_Shards' - updated_at: - format: date-time + transactionName: + description: The APM transaction name or "*" + example: GET /my/api type: string - updated_by: - nullable: true + transactionType: + description: The APM transaction type or "*" + example: request type: string - updated_by_profile_uid: + required: + - service + - environment + - transactionType + - transactionName + - index + type: + description: The type of indicator. + example: sli.apm.transactionDuration + type: string + required: + - type + - params + title: APM availability + SLOs_indicator_properties_apm_latency: + description: Defines properties for the APM latency indicator type + type: object + properties: + params: + description: An object containing the indicator parameters. 
+ nullable: false + type: object + properties: + environment: + description: The APM service environment or "*" + example: production type: string - version: - description: The pack version number. - type: integer - Security_Osquery_API_UpdateSavedQueryRequestBody: - example: - id: updated_my_saved_query_name + filter: + description: KQL query used for filtering the data + example: 'service.foo : "bar"' + type: string + index: + description: The index used by APM metrics + example: metrics-apm*,apm* + type: string + service: + description: The APM service name + example: o11y-app + type: string + threshold: + description: The latency threshold in milliseconds + example: 250 + type: number + transactionName: + description: The APM transaction name or "*" + example: GET /my/api + type: string + transactionType: + description: The APM transaction type or "*" + example: request + type: string + required: + - service + - environment + - transactionType + - transactionName + - index + - threshold + type: + description: The type of indicator. 
+ example: sli.apm.transactionDuration + type: string + required: + - type + - params + title: APM latency + SLOs_indicator_properties_custom_kql: + description: Defines properties for a custom query indicator type type: object properties: - description: - $ref: >- - #/components/schemas/Security_Osquery_API_SavedQueryDescriptionOrUndefined - ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' - id: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' - interval: - $ref: '#/components/schemas/Security_Osquery_API_IntervalOrUndefined' - platform: - $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' - query: - $ref: '#/components/schemas/Security_Osquery_API_QueryOrUndefined' - removed: - $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' - snapshot: - $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' - version: - $ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined' - Security_Osquery_API_UpdateSavedQueryResponse: - description: The response for updating a saved query. - example: - data: - created_at: '2025-02-26T13:37:30.452Z' - created_by: elastic - description: Saved query description - id: updated_my_saved_query_name - interval: '60' - query: select * from uptime; - saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c - updated_at: '2025-02-26T13:40:16.297Z' - updated_by: elastic - version: WzQzMTcsMV0= + params: + description: An object containing the indicator parameters. + nullable: false + type: object + properties: + dataViewId: + description: The kibana data view id to use, primarily used to include data view runtime mappings. Make sure to save SLO again if you add/update run time fields to the data view and if those fields are being used in slo queries. 
+ example: 03b80ab3-003d-498b-881c-3beedbaf1162 + type: string + filter: + $ref: '#/components/schemas/SLOs_kql_with_filters' + good: + $ref: '#/components/schemas/SLOs_kql_with_filters_good' + index: + description: The index or index pattern to use + example: my-service-* + type: string + timestampField: + description: | + The timestamp field used in the source indice. + example: timestamp + type: string + total: + $ref: '#/components/schemas/SLOs_kql_with_filters_total' + required: + - index + - timestampField + - good + - total + type: + description: The type of indicator. + example: sli.kql.custom + type: string + required: + - type + - params + title: Custom Query + SLOs_indicator_properties_custom_metric: + description: Defines properties for a custom metric indicator type + type: object + properties: + params: + description: An object containing the indicator parameters. + nullable: false + type: object + properties: + dataViewId: + description: The kibana data view id to use, primarily used to include data view runtime mappings. Make sure to save SLO again if you add/update run time fields to the data view and if those fields are being used in slo queries. + example: 03b80ab3-003d-498b-881c-3beedbaf1162 + type: string + filter: + description: the KQL query to filter the documents with. + example: 'field.environment : "production" and service.name : "my-service"' + type: string + good: + description: | + An object defining the "good" metrics and equation + type: object + properties: + equation: + description: The equation to calculate the "good" metric. + example: A + type: string + metrics: + description: List of metrics with their name, aggregation type, and field. + items: + oneOf: + - type: object + properties: + aggregation: + description: The aggregation type of the metric. + enum: + - sum + example: sum + type: string + field: + description: The field of the metric. 
+ example: processor.processed + type: string + filter: + description: The filter to apply to the metric. + example: 'processor.outcome: *' + type: string + name: + description: The name of the metric. Only valid options are A-Z + example: A + pattern: ^[A-Z]$ + type: string + required: + - name + - aggregation + - field + - type: object + properties: + aggregation: + description: The aggregation type of the metric. + enum: + - doc_count + example: doc_count + type: string + filter: + description: The filter to apply to the metric. + example: 'processor.outcome: *' + type: string + name: + description: The name of the metric. Only valid options are A-Z + example: A + pattern: ^[A-Z]$ + type: string + required: + - name + - aggregation + type: array + required: + - metrics + - equation + index: + description: The index or index pattern to use + example: my-service-* + type: string + timestampField: + description: | + The timestamp field used in the source indice. + example: timestamp + type: string + total: + description: | + An object defining the "total" metrics and equation + type: object + properties: + equation: + description: The equation to calculate the "total" metric. + example: A + type: string + metrics: + description: List of metrics with their name, aggregation type, and field. + items: + oneOf: + - type: object + properties: + aggregation: + description: The aggregation type of the metric. + enum: + - sum + example: sum + type: string + field: + description: The field of the metric. + example: processor.processed + type: string + filter: + description: The filter to apply to the metric. + example: 'processor.outcome: *' + type: string + name: + description: The name of the metric. Only valid options are A-Z + example: A + pattern: ^[A-Z]$ + type: string + required: + - name + - aggregation + - field + - type: object + properties: + aggregation: + description: The aggregation type of the metric. 
+ enum: + - doc_count + example: doc_count + type: string + filter: + description: The filter to apply to the metric. + example: 'processor.outcome: *' + type: string + name: + description: The name of the metric. Only valid options are A-Z + example: A + pattern: ^[A-Z]$ + type: string + required: + - name + - aggregation + type: array + required: + - metrics + - equation + required: + - index + - timestampField + - good + - total + type: + description: The type of indicator. + example: sli.metric.custom + type: string + required: + - type + - params + title: Custom metric + SLOs_indicator_properties_histogram: + description: Defines properties for a histogram indicator type type: object properties: - data: + params: + description: An object containing the indicator parameters. + nullable: false type: object properties: - created_at: - format: date-time - type: string - created_by: - nullable: true - type: string - created_by_profile_uid: - type: string - description: - $ref: >- - #/components/schemas/Security_Osquery_API_SavedQueryDescriptionOrUndefined - ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' - id: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' - interval: - oneOf: - - type: integer - - type: string - platform: - $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' - prebuilt: - type: boolean - query: - $ref: '#/components/schemas/Security_Osquery_API_Query' - removed: - $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' - saved_object_id: - type: string - snapshot: - $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' - timeout: - type: integer - updated_at: - format: date-time - type: string - updated_by: - nullable: true - type: string - updated_by_profile_uid: - type: string - version: - description: The saved query version. 
- type: string - required: - - saved_object_id - - id - required: - - data - Security_Osquery_API_Version: - description: >- - Uses the Osquery versions greater than or equal to the specified version - string. - example: 1.0.0 - type: string - Security_Osquery_API_VersionOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_Version' - nullable: true - Security_Timeline_API_AssociatedFilterType: - description: > - How the note is associated with a Timeline saved object and/or an event - (`eventId`). `all`: no association-based restriction from this - parameter. `document_only`: document-linked notes (non-empty `eventId`) - without timeline association in the API's internal sense; post-filtering - drops notes without a usable `eventId`. `saved_object_only`: timeline - notes with no linked event (`eventId` empty or absent); post-filtering - keeps timeline-only notes. `document_and_saved_object`: notes on a - timeline and linked to an event; post-filtering enforces a real - `eventId`. `orphan`: not on a timeline and `eventId` is empty (stricter - than missing `eventId` in some cases). - enum: - - all - - document_only - - saved_object_only - - document_and_saved_object - - orphan - type: string - Security_Timeline_API_BareNote: - allOf: - - $ref: >- - #/components/schemas/Security_Timeline_API_NoteCreatedAndUpdatedMetadata - - type: object - properties: - eventId: - description: > - Elasticsearch document `_id` for the event or alert this note - refers to. Same value as the `documentIds` query parameter when - fetching notes via GET /api/note. - example: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc - nullable: true - type: string - note: - description: The text of the note - example: This is an example text - nullable: true + dataViewId: + description: The kibana data view id to use, primarily used to include data view runtime mappings. 
Make sure to save SLO again if you add/update run time fields to the data view and if those fields are being used in slo queries. + example: 03b80ab3-003d-498b-881c-3beedbaf1162 type: string - timelineId: - description: >- - The `savedObjectId` of the Timeline this note belongs to (not - the note's own ID). - example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + filter: + description: the KQL query to filter the documents with. + example: 'field.environment : "production" and service.name : "my-service"' type: string - required: - - timelineId - Security_Timeline_API_BarePinnedEvent: - allOf: - - $ref: >- - #/components/schemas/Security_Timeline_API_PinnedEventCreatedAndUpdatedMetadata - - type: object - properties: - eventId: - description: The `_id` of the associated event for this pinned event. - example: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc + good: + description: | + An object defining the "good" events + type: object + properties: + aggregation: + description: The type of aggregation to use. + enum: + - value_count + - range + example: value_count + type: string + field: + description: The field use to aggregate the good events. + example: processor.latency + type: string + filter: + description: The filter for good events. + example: 'processor.outcome: "success"' + type: string + from: + description: The starting value of the range. Only required for "range" aggregations. + example: 0 + type: number + to: + description: The ending value of the range. Only required for "range" aggregations. + example: 100 + type: number + required: + - aggregation + - field + index: + description: The index or index pattern to use + example: my-service-* type: string - timelineId: - description: >- - The `savedObjectId` of the timeline that this pinned event is - associated with - example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e + timestampField: + description: | + The timestamp field used in the source indice. 
+ example: timestamp type: string + total: + description: | + An object defining the "total" events + type: object + properties: + aggregation: + description: The type of aggregation to use. + enum: + - value_count + - range + example: value_count + type: string + field: + description: The field use to aggregate the good events. + example: processor.latency + type: string + filter: + description: The filter for total events. + example: 'processor.outcome : *' + type: string + from: + description: The starting value of the range. Only required for "range" aggregations. + example: 0 + type: number + to: + description: The ending value of the range. Only required for "range" aggregations. + example: 100 + type: number + required: + - aggregation + - field required: - - eventId - - timelineId - Security_Timeline_API_ColumnHeaderResult: - type: object - properties: - aggregatable: - nullable: true - type: boolean - category: - nullable: true - type: string - columnHeaderType: - nullable: true - type: string - description: - nullable: true - type: string - example: - nullable: true - type: string - id: - nullable: true - type: string - indexes: - items: - type: string - nullable: true - type: array - name: - nullable: true - type: string - placeholder: - nullable: true - type: string - searchable: - nullable: true - type: boolean - type: - nullable: true - type: string - Security_Timeline_API_DataProviderQueryMatch: - type: object - properties: - enabled: - nullable: true - type: boolean - excluded: - nullable: true - type: boolean - id: - nullable: true - type: string - kqlQuery: - nullable: true - type: string - name: - nullable: true - type: string - queryMatch: - $ref: '#/components/schemas/Security_Timeline_API_QueryMatchResult' - nullable: true - type: - $ref: '#/components/schemas/Security_Timeline_API_DataProviderType' - nullable: true - Security_Timeline_API_DataProviderResult: - type: object - properties: - and: - items: - $ref: 
'#/components/schemas/Security_Timeline_API_DataProviderQueryMatch' - nullable: true - type: array - enabled: - nullable: true - type: boolean - excluded: - nullable: true - type: boolean - id: - nullable: true - type: string - kqlQuery: - nullable: true - type: string - name: - nullable: true - type: string - queryMatch: - $ref: '#/components/schemas/Security_Timeline_API_QueryMatchResult' - nullable: true + - index + - timestampField + - good + - total type: - $ref: '#/components/schemas/Security_Timeline_API_DataProviderType' - nullable: true - Security_Timeline_API_DataProviderType: - description: The type of data provider. - enum: - - default - - template - type: string - Security_Timeline_API_DocumentIds: - description: One document ID or an array of IDs (Elasticsearch `_id` of the event). - oneOf: - - items: - type: string - type: array - - type: string - Security_Timeline_API_FavoriteTimelineResponse: - type: object - properties: - favorite: - items: - $ref: '#/components/schemas/Security_Timeline_API_FavoriteTimelineResult' - type: array - savedObjectId: - type: string - templateTimelineId: - nullable: true - type: string - templateTimelineVersion: - nullable: true - type: number - timelineType: - $ref: '#/components/schemas/Security_Timeline_API_TimelineType' - version: + description: The type of indicator. + example: sli.histogram.custom type: string required: - - savedObjectId - - version - Security_Timeline_API_FavoriteTimelineResult: - description: Indicates when and who marked a Timeline as a favorite. 
- example: - favoriteDate: 1741337636741 - userName: elastic - type: object - properties: - favoriteDate: - nullable: true - type: number - fullName: - nullable: true - type: string - userName: - nullable: true - type: string - Security_Timeline_API_FilterTimelineResult: - example: - meta: - alias: Custom filter name - disabled: false - index: .alerts-security.alerts-default,logs-* - key: '@timestamp' - negate: false, - type: exists - value: exists - query: '{"exists":{"field":"@timestamp"}}' + - type + - params + title: Histogram indicator + SLOs_indicator_properties_timeslice_metric: + description: Defines properties for a timeslice metric indicator type type: object properties: - exists: - nullable: true - type: string - match_all: - nullable: true - type: string - meta: - nullable: true + params: + description: An object containing the indicator parameters. + nullable: false type: object properties: - alias: - nullable: true - type: string - controlledBy: - nullable: true - type: string - disabled: - nullable: true - type: boolean - field: - nullable: true + dataViewId: + description: The kibana data view id to use, primarily used to include data view runtime mappings. Make sure to save SLO again if you add/update run time fields to the data view and if those fields are being used in slo queries. + example: 03b80ab3-003d-498b-881c-3beedbaf1162 type: string - formattedValue: - nullable: true + filter: + description: the KQL query to filter the documents with. 
+ example: 'field.environment : "production" and service.name : "my-service"' type: string index: - nullable: true - type: string - key: - nullable: true - type: string - negate: - nullable: true - type: boolean - params: - nullable: true - type: string - type: - nullable: true + description: The index or index pattern to use + example: my-service-* type: string - value: - nullable: true + metric: + description: | + An object defining the metrics, equation, and threshold to determine if it's a good slice or not + type: object + properties: + comparator: + description: The comparator to use to compare the equation to the threshold. + enum: + - GT + - GTE + - LT + - LTE + example: GT + type: string + equation: + description: The equation to calculate the metric. + example: A + type: string + metrics: + description: List of metrics with their name, aggregation type, and field. + items: + anyOf: + - $ref: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field' + - $ref: '#/components/schemas/SLOs_timeslice_metric_percentile_metric' + - $ref: '#/components/schemas/SLOs_timeslice_metric_doc_count_metric' + discriminator: + mapping: + avg: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field' + cardinality: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field' + doc_count: '#/components/schemas/SLOs_timeslice_metric_doc_count_metric' + last_value: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field' + max: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field' + min: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field' + percentile: '#/components/schemas/SLOs_timeslice_metric_percentile_metric' + std_deviation: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field' + sum: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field' + propertyName: aggregation + type: array + threshold: + description: The threshold used to determine if the metric is a good slice 
or not. + example: 100 + type: number + required: + - metrics + - equation + - comparator + - threshold + timestampField: + description: | + The timestamp field used in the source indice. + example: timestamp type: string - missing: - nullable: true - type: string - query: - nullable: true + required: + - index + - timestampField + - metric + type: + description: The type of indicator. + example: sli.metric.timeslice type: string - range: - nullable: true + required: + - type + - params + title: Timeslice metric + SLOs_kql_with_filters: + description: Defines properties for a filter + oneOf: + - description: the KQL query to filter the documents with. + example: 'field.environment : "production" and service.name : "my-service"' type: string - script: - nullable: true + - type: object + properties: + filters: + items: + $ref: '#/components/schemas/SLOs_filter' + type: array + kqlQuery: + type: string + title: KQL with filters + SLOs_kql_with_filters_good: + description: The KQL query used to define the good events. + oneOf: + - description: the KQL query to filter the documents with. + example: 'request.latency <= 150 and request.status_code : "2xx"' type: string - Security_Timeline_API_GetNotesResult: - type: object - properties: - notes: - items: - $ref: '#/components/schemas/Security_Timeline_API_Note' - type: array - totalCount: - description: >- - Number of notes returned (may be adjusted after the query when - `associatedFilter` applies post-filtering). 
- type: number - required: - - totalCount - - notes - Security_Timeline_API_ImportTimelineResult: - type: object - properties: - errors: - description: The list of failed Timeline imports - items: - type: object - properties: - error: - description: >- - The error containing the reason why the timeline could not be - imported - type: object - properties: - message: - description: The reason why the timeline could not be imported - example: Malformed JSON - type: string - status_code: - description: The HTTP status code of the error - example: 400 - type: number - id: - description: The ID of the timeline that failed to import - example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 - type: string - type: array - success: - description: Indicates whether any of the Timelines were successfully imports - type: boolean - success_count: - description: The amount of successfully imported/updated Timelines - example: 99 - type: number - timelines_installed: - description: The amount of successfully installed Timelines - example: 80 - type: number - timelines_updated: - description: The amount of successfully updated Timelines - example: 19 - type: number - Security_Timeline_API_ImportTimelines: - allOf: - - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' - type: object properties: - eventNotes: - items: - $ref: '#/components/schemas/Security_Timeline_API_BareNote' - nullable: true - type: array - globalNotes: - items: - $ref: '#/components/schemas/Security_Timeline_API_BareNote' - nullable: true - type: array - pinnedEventIds: + filters: items: - type: string - nullable: true + $ref: '#/components/schemas/SLOs_filter' type: array - savedObjectId: - nullable: true - type: string - version: - nullable: true + kqlQuery: type: string - required: - - savedObjectId - - version - - pinnedEventIds - - eventNotes - - globalNotes - Security_Timeline_API_Note: - allOf: - - $ref: '#/components/schemas/Security_Timeline_API_BareNote' + title: KQL query for good events + 
SLOs_kql_with_filters_total: + description: The KQL query used to define all events. + oneOf: + - description: the KQL query to filter the documents with. + example: 'field.environment : "production" and service.name : "my-service"' + type: string - type: object properties: - noteId: - description: The `savedObjectId` of the note - example: 709f99c6-89b6-4953-9160-35945c8e174e - type: string - version: - description: The version of the note - example: WzQ2LDFd + filters: + items: + $ref: '#/components/schemas/SLOs_filter' + type: array + kqlQuery: type: string - required: - - noteId - - version - Security_Timeline_API_NoteCreatedAndUpdatedMetadata: + title: KQL query for all events + SLOs_objective: + description: Defines properties for the SLO objective type: object properties: - created: - description: The time the note was created, using a 13-digit Epoch timestamp. - example: 1587468588922 - nullable: true + target: + description: the target objective between 0 and 1 excluded + example: 0.99 + exclusiveMaximum: true + exclusiveMinimum: true + maximum: 100 + minimum: 0 type: number - createdBy: - description: The user who created the note. 
- example: casetester - nullable: true - type: string - updated: - description: The last time the note was updated, using a 13-digit Epoch timestamp - example: 1741344876825 - nullable: true + timesliceTarget: + description: the target objective for each slice when using a timeslices budgeting method + example: 0.995 + maximum: 100 + minimum: 0 type: number - updatedBy: - description: The user who last updated the note - example: casetester - nullable: true + timesliceWindow: + description: the duration of each slice when using a timeslices budgeting method, as {duraton}{unit} + example: 5m type: string - Security_Timeline_API_PersistPinnedEventResponse: - oneOf: - - $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent' - - type: object - properties: - unpinned: - description: Indicates whether the event was successfully unpinned - type: boolean - required: - - unpinned - Security_Timeline_API_PersistTimelineResponse: - $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' - Security_Timeline_API_PinnedEvent: - allOf: - - $ref: '#/components/schemas/Security_Timeline_API_BarePinnedEvent' - - type: object - properties: - pinnedEventId: - description: The `savedObjectId` of this pinned event - example: 10r1929b-0af7-42bd-85a8-56e234f98h2f3 - type: string - version: - description: The version of this pinned event - example: WzQ2LDFe - type: string - required: - - pinnedEventId - - version - Security_Timeline_API_PinnedEventCreatedAndUpdatedMetadata: + required: + - target + title: Objective + SLOs_settings: + description: Defines properties for SLO settings. + properties: + frequency: + default: 1m + description: The interval between checks for changes in the source data. The minimum value is 1m and the maximum is 59m. The default value is 1 minute. 
+ example: 5m + type: string + preventInitialBackfill: + default: false + description: Start aggregating data from the time the SLO is created, instead of backfilling data from the beginning of the time window. + example: true + type: boolean + syncDelay: + default: 1m + description: The time delay in minutes between the current time and the latest source data time. Increasing the value will delay any alerting. The default value is 1 minute. The minimum value is 1m and the maximum is 359m. It should always be greater then source index refresh interval. + example: 5m + type: string + syncField: + description: The date field that is used to identify new documents in the source. It is strongly recommended to use a field that contains the ingest timestamp. If you use a different field, you might need to set the delay such that it accounts for data transmission delays. When unspecified, we use the indicator timestamp field. + example: event.ingested + type: string + title: Settings + type: object + SLOs_slo_definition_response: + title: SLO definition response type: object properties: - created: - description: >- - The time the pinned event was created, using a 13-digit Epoch - timestamp. - example: 1587468588922 - nullable: true - type: number - createdBy: - description: The user who created the pinned event. - example: casetester - nullable: true + artifacts: + $ref: '#/components/schemas/SLOs_artifacts' + budgetingMethod: + $ref: '#/components/schemas/SLOs_budgeting_method' + createdAt: + description: The creation date + example: '2023-01-12T10:03:19.000Z' type: string - updated: - description: >- - The last time the pinned event was updated, using a 13-digit Epoch - timestamp - example: 1741344876825 - nullable: true + description: + description: The description of the SLO. 
+ example: My SLO description + type: string + enabled: + description: Indicate if the SLO is enabled + example: true + type: boolean + groupBy: + $ref: '#/components/schemas/SLOs_group_by' + id: + description: The identifier of the SLO. + example: 8853df00-ae2e-11ed-90af-09bb6422b258 + type: string + indicator: + discriminator: + mapping: + sli.apm.transactionDuration: '#/components/schemas/SLOs_indicator_properties_apm_latency' + sli.apm.transactionErrorRate: '#/components/schemas/SLOs_indicator_properties_apm_availability' + sli.histogram.custom: '#/components/schemas/SLOs_indicator_properties_histogram' + sli.kql.custom: '#/components/schemas/SLOs_indicator_properties_custom_kql' + sli.metric.custom: '#/components/schemas/SLOs_indicator_properties_custom_metric' + sli.metric.timeslice: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' + propertyName: type + oneOf: + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' + - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' + - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' + name: + description: The name of the SLO. 
+ example: My Service SLO + type: string + objective: + $ref: '#/components/schemas/SLOs_objective' + revision: + description: The SLO revision + example: 2 type: number - updatedBy: - description: The user who last updated the pinned event - example: casetester - nullable: true + settings: + $ref: '#/components/schemas/SLOs_settings' + tags: + description: List of tags + items: + type: string + type: array + timeWindow: + $ref: '#/components/schemas/SLOs_time_window' + updatedAt: + description: The last update date + example: '2023-01-12T10:03:19.000Z' type: string - Security_Timeline_API_QueryMatchResult: + version: + description: The internal SLO version + example: 2 + type: number + required: + - id + - name + - description + - indicator + - timeWindow + - budgetingMethod + - objective + - settings + - revision + - enabled + - groupBy + - tags + - createdAt + - updatedAt + - version + SLOs_slo_with_summary_response: + title: SLO response type: object properties: - displayField: - nullable: true - type: string - displayValue: - nullable: true + budgetingMethod: + $ref: '#/components/schemas/SLOs_budgeting_method' + createdAt: + description: The creation date + example: '2023-01-12T10:03:19.000Z' type: string - field: - nullable: true + description: + description: The description of the SLO. + example: My SLO description type: string - operator: - nullable: true + enabled: + description: Indicate if the SLO is enabled + example: true + type: boolean + groupBy: + $ref: '#/components/schemas/SLOs_group_by' + id: + description: The identifier of the SLO. 
+ example: 8853df00-ae2e-11ed-90af-09bb6422b258 type: string - value: + indicator: + discriminator: + mapping: + sli.apm.transactionDuration: '#/components/schemas/SLOs_indicator_properties_apm_latency' + sli.apm.transactionErrorRate: '#/components/schemas/SLOs_indicator_properties_apm_availability' + sli.histogram.custom: '#/components/schemas/SLOs_indicator_properties_histogram' + sli.kql.custom: '#/components/schemas/SLOs_indicator_properties_custom_kql' + sli.metric.custom: '#/components/schemas/SLOs_indicator_properties_custom_metric' + sli.metric.timeslice: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' + propertyName: type oneOf: - - nullable: true - type: string - - items: - type: string - nullable: true - type: array - Security_Timeline_API_ResolvedTimeline: + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' + - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' + - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' + instanceId: + description: the value derived from the groupBy field, if present, otherwise '*' + example: host-abcde + type: string + name: + description: The name of the SLO. 
+ example: My Service SLO + type: string + objective: + $ref: '#/components/schemas/SLOs_objective' + revision: + description: The SLO revision + example: 2 + type: number + settings: + $ref: '#/components/schemas/SLOs_settings' + summary: + $ref: '#/components/schemas/SLOs_summary' + tags: + description: List of tags + items: + type: string + type: array + timeWindow: + $ref: '#/components/schemas/SLOs_time_window' + updatedAt: + description: The last update date + example: '2023-01-12T10:03:19.000Z' + type: string + version: + description: The internal SLO version + example: 2 + type: number + required: + - id + - name + - description + - indicator + - timeWindow + - budgetingMethod + - objective + - settings + - revision + - summary + - enabled + - groupBy + - instanceId + - tags + - createdAt + - updatedAt + - version + SLOs_summary: + description: The SLO computed data + properties: + errorBudget: + $ref: '#/components/schemas/SLOs_error_budget' + sliValue: + example: 0.9836 + type: number + status: + $ref: '#/components/schemas/SLOs_summary_status' + required: + - status + - sliValue + - errorBudget + title: Summary + type: object + SLOs_summary_status: + enum: + - NO_DATA + - HEALTHY + - DEGRADING + - VIOLATED + example: HEALTHY + title: summary status + type: string + SLOs_time_window: + description: Defines properties for the SLO time window type: object properties: - alias_purpose: - $ref: >- - #/components/schemas/Security_Timeline_API_SavedObjectResolveAliasPurpose - alias_target_id: + duration: + description: 'the duration formatted as {duration}{unit}. Accepted values for rolling: 7d, 30d, 90d. Accepted values for calendar aligned: 1w (weekly) or 1M (monthly)' + example: 30d + type: string + type: + description: Indicates weither the time window is a rolling or a calendar aligned time window. 
+ enum: + - rolling + - calendarAligned + example: rolling type: string - outcome: - $ref: '#/components/schemas/Security_Timeline_API_SavedObjectResolveOutcome' - timeline: - $ref: >- - #/components/schemas/Security_Timeline_API_TimelineSavedToReturnObject required: - - timeline - - outcome - Security_Timeline_API_ResponseNote: + - duration + - type + title: Time window + SLOs_timeslice_metric_basic_metric_with_field: type: object properties: - note: - $ref: '#/components/schemas/Security_Timeline_API_Note' + aggregation: + description: The aggregation type of the metric. + enum: + - sum + - avg + - min + - max + - std_deviation + - last_value + - cardinality + example: sum + type: string + field: + description: The field of the metric. + example: processor.processed + type: string + filter: + description: The filter to apply to the metric. + example: 'processor.outcome: "success"' + type: string + name: + description: The name of the metric. Only valid options are A-Z + example: A + pattern: ^[A-Z]$ + type: string required: - - note - Security_Timeline_API_RowRendererId: - description: Identifies the available row renderers - enum: - - alert - - alerts - - auditd - - auditd_file - - library - - netflow - - plain - - registry - - suricata - - system - - system_dns - - system_endgame_process - - system_file - - system_fim - - system_security_event - - system_socket - - threat_match - - zeek - type: string - Security_Timeline_API_SavedObjectIds: - description: One Timeline saved object ID or an array of IDs. 
- oneOf: - - items: - type: string - type: array - - type: string - Security_Timeline_API_SavedObjectResolveAliasPurpose: - enum: - - savedObjectConversion - - savedObjectImport - type: string - Security_Timeline_API_SavedObjectResolveOutcome: - enum: - - exactMatch - - aliasMatch - - conflict - type: string - Security_Timeline_API_SavedTimeline: + - name + - aggregation + - field + title: Timeslice Metric Basic Metric with Field + SLOs_timeslice_metric_doc_count_metric: type: object properties: - columns: - description: The Timeline's columns - example: - - columnHeaderType: not-filtered - id: '@timestamp' - - columnHeaderType: not-filtered - id: event.category - items: - $ref: '#/components/schemas/Security_Timeline_API_ColumnHeaderResult' - nullable: true - type: array - created: - description: The time the Timeline was created, using a 13-digit Epoch timestamp. - example: 1587468588922 - nullable: true - type: number - createdBy: - description: The user who created the Timeline. - example: casetester - nullable: true + aggregation: + description: The aggregation type of the metric. Only valid option is "doc_count" + enum: + - doc_count + example: doc_count + type: string + filter: + description: The filter to apply to the metric. + example: 'processor.outcome: "success"' + type: string + name: + description: The name of the metric. Only valid options are A-Z + example: A + pattern: ^[A-Z]$ + type: string + required: + - name + - aggregation + title: Timeslice Metric Doc Count Metric + SLOs_timeslice_metric_percentile_metric: + type: object + properties: + aggregation: + description: The aggregation type of the metric. Only valid option is "percentile" + enum: + - percentile + example: percentile + type: string + field: + description: The field of the metric. + example: processor.processed + type: string + filter: + description: The filter to apply to the metric. 
+ example: 'processor.outcome: "success"' type: string - dataProviders: - description: Object containing query clauses - example: - - enabled: true - excluded: false - id: >- - id-d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b - name: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b - queryMatch: - field: _id, - operator: ':' - value: >- - d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b, - items: - $ref: '#/components/schemas/Security_Timeline_API_DataProviderResult' - nullable: true - type: array - dataViewId: - description: ID of the Timeline's Data View - example: security-solution-default - nullable: true + name: + description: The name of the metric. Only valid options are A-Z + example: A + pattern: ^[A-Z]$ type: string - dateRange: - description: The Timeline's search period. - example: - end: 1587456479201 - start: 1587370079200 - nullable: true - type: object - properties: - end: - oneOf: - - nullable: true - type: string - - nullable: true - type: number - start: - oneOf: - - nullable: true - type: string - - nullable: true - type: number + percentile: + description: The percentile value. + example: 95 + type: number + required: + - name + - aggregation + - field + - percentile + title: Timeslice Metric Percentile Metric + SLOs_update_slo_request: + description: | + The update SLO API request body varies depending on the type of indicator, time window and budgeting method. Partial update is handled. + properties: + artifacts: + $ref: '#/components/schemas/SLOs_artifacts' + budgetingMethod: + $ref: '#/components/schemas/SLOs_budgeting_method' description: - description: The Timeline's description - example: Investigating exposure of CVE XYZ - nullable: true + description: A description for the SLO. 
type: string - eqlOptions: - description: EQL query that is used in the correlation tab - example: - eventCategoryField: event.category - query: sequence\n[process where process.name == "sudo"]\n[any where true] - size: 100 - timestampField: '@timestamp' - nullable: true + groupBy: + $ref: '#/components/schemas/SLOs_group_by' + indicator: + oneOf: + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' + - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' + - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' + name: + description: A name for the SLO. + type: string + objective: + $ref: '#/components/schemas/SLOs_objective' + settings: + $ref: '#/components/schemas/SLOs_settings' + tags: + description: List of tags + items: + type: string + type: array + timeWindow: + $ref: '#/components/schemas/SLOs_time_window' + title: Update SLO request + type: object + Synthetics_browserMonitorFields: + allOf: + - $ref: '#/components/schemas/Synthetics_commonMonitorFields' + - additionalProperties: true type: object properties: - eventCategoryField: - nullable: true - type: string - query: - nullable: true + ignore_https_errors: + default: false + description: Ignore HTTPS errors. + type: boolean + inline_script: + description: The inline script. type: string - size: - oneOf: - - nullable: true - type: string - - nullable: true - type: number - tiebreakerField: - nullable: true + playwright_options: + description: Playwright options. + type: object + screenshots: + default: 'on' + description: The screenshot option. + enum: + - 'on' + - 'off' + - only-on-failure type: string - timestampField: - nullable: true + synthetics_args: + description: Synthetics agent CLI arguments. 
+ items: + type: string + type: array + type: + description: The monitor type. + enum: + - browser type: string - eventType: - deprecated: true - description: Event types displayed in the Timeline - example: all - nullable: true + required: + - inline_script + - type + title: Browser monitor fields + Synthetics_commonMonitorFields: + title: Common monitor fields + type: object + properties: + alert: + description: | + The alert configuration. The default is `{ status: { enabled: true }, tls: { enabled: true } }`. + type: object + enabled: + default: true + description: Specify whether the monitor is enabled. + type: boolean + labels: + additionalProperties: + type: string + description: | + Key-value pairs of labels to associate with the monitor. Labels can be used for filtering and grouping monitors. + type: object + locations: + description: | + The location to deploy the monitor. + Monitors can be deployed in multiple locations so that you can detect differences in availability and response times across those locations. + To list available locations you can: + + - Run the `elastic-synthetics locations` command with the deployment's Kibana URL. + - Go to *Synthetics > Management* and click *Create monitor*. Locations will be listed in *Locations*. + externalDocs: + url: https://github.com/elastic/synthetics/blob/main/src/locations/public-locations.ts + items: + type: string + type: array + name: + description: The monitor name. type: string - excludedRowRendererIds: - description: >- - A list of row renderers that should not be used when in `Event - renderers` mode + namespace: + default: default + description: | + The namespace field should be lowercase and not contain spaces. The namespace must not include any of the following characters: `*`, `\`, `/`, `?`, `"`, `<`, `>`, `|`, whitespace, `,`, `#`, `:`, or `-`. + type: string + params: + description: The monitor parameters. 
+ type: string + private_locations: + description: | + The private locations to which the monitors will be deployed. + These private locations refer to locations hosted and managed by you, whereas `locations` are hosted by Elastic. + You can specify a private location using the location's name. + To list available private locations you can: + + - Run the `elastic-synthetics locations` command with the deployment's Kibana URL. + - Go to *Synthetics > Settings* and click *Private locationsr*. Private locations will be listed in the table. + + > info + > You can provide `locations` or `private_locations` or both. At least one is required. items: - $ref: '#/components/schemas/Security_Timeline_API_RowRendererId' - nullable: true + type: string type: array - favorite: + retest_on_failure: + default: true + description: | + Turn retesting for when a monitor fails on or off. By default, monitors are automatically retested if the monitor goes from "up" to "down". If the result of the retest is also "down", an error will be created and if configured, an alert sent. The monitor will then resume running according to the defined schedule. Using `retest_on_failure` can reduce noise related to transient problems. + type: boolean + schedule: + description: | + The monitor's schedule in minutes. Supported values are `1`, `3`, `5`, `10`, `15`, `30`, `60`, `120`, and `240`. The default value is `3` minutes for HTTP, TCP, and ICMP monitors. The default value is `10` minutes for Browser monitors. + type: number + service.name: + description: The APM service name. + type: string + tags: + description: An array of tags. items: - $ref: '#/components/schemas/Security_Timeline_API_FavoriteTimelineResult' - nullable: true + type: string type: array - filters: - description: A list of filters that should be applied to the query + timeout: + default: 16 + description: | + The monitor timeout in seconds. The monitor will fail if it doesn't complete within this time. 
+ + For browser monitors, the minimum timeout is 30 seconds. Browser monitor timeouts are only applied when the monitor runs on private locations. If a browser monitor specifies a timeout but has no private locations configured, the timeout will have no effect and a warning will be returned in the response. + type: number + required: + - name + Synthetics_getParameterResponse: + title: Get parameter response + type: object + properties: + description: + description: | + The description of the parameter. It is included in the response if the user has read-only permissions to the Synthetics app. + type: string + id: + description: The unique identifier of the parameter. + type: string + key: + description: The key of the parameter. + type: string + namespaces: + description: | + The namespaces associated with the parameter. It is included in the response if the user has read-only permissions to the Synthetics app. items: - $ref: '#/components/schemas/Security_Timeline_API_FilterTimelineResult' - nullable: true + type: string type: array - indexNames: - description: >- - A list of index names to use in the query (e.g. when the default - data view has been modified) - example: - - .logs* + tags: + description: | + An array of tags associated with the parameter. It is included in the response if the user has read-only permissions to the Synthetics app. 
items: type: string - nullable: true type: array - kqlMode: - description: >- - Indicates whether the KQL bar filters the query results or searches - for additional results, where: - * `filter`: filters query results - * `search`: displays additional search results - example: search - nullable: true - type: string - kqlQuery: - $ref: >- - #/components/schemas/Security_Timeline_API_SerializedFilterQueryResult - nullable: true - savedQueryId: - description: The ID of the saved query that might be used in the Query tab - example: c7b16904-02d7-4f32-b8f2-cc20f9625d6e - nullable: true + value: + description: | + The value associated with the parameter. It will be included in the response if the user has write permissions. type: string - savedSearchId: - description: The ID of the saved search that is used in the ES|QL tab - example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 - nullable: true + Synthetics_getPrivateLocation: + additionalProperties: true + properties: + agentPolicyId: + description: The ID of the agent policy associated with the private location. type: string - sort: - $ref: '#/components/schemas/Security_Timeline_API_Sort' - nullable: true - status: - $ref: '#/components/schemas/Security_Timeline_API_TimelineStatus' - nullable: true - templateTimelineId: - description: >- - A unique ID (UUID) for Timeline templates. For Timelines, the value - is `null`. - example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 - nullable: true + geo: + description: Geographic coordinates (WGS84) for the location. + type: object + properties: + lat: + description: The latitude of the location. + type: number + lon: + description: The longitude of the location. + type: number + required: + - lat + - lon + id: + description: The unique identifier of the private location. type: string - templateTimelineVersion: - description: >- - Timeline template version number. For Timelines, the value is - `null`. 
- example: 12 - nullable: true - type: number - timelineType: - $ref: '#/components/schemas/Security_Timeline_API_TimelineType' - nullable: true - title: - description: The Timeline's title. - example: CVE XYZ investigation - nullable: true + isInvalid: + description: | + Indicates whether the location is invalid. If `true`, the location is invalid, which means the agent policy associated with the location is deleted. + type: boolean + label: + description: A label for the private location. type: string - updated: - description: >- - The last time the Timeline was updated, using a 13-digit Epoch - timestamp - example: 1741344876825 - nullable: true - type: number - updatedBy: - description: The user who last updated the Timeline - example: casetester - nullable: true + namespace: + description: The namespace of the location, which is the same as the namespace of the agent policy associated with the location. type: string - Security_Timeline_API_SavedTimelineWithSavedObjectId: - allOf: - - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' - - type: object - properties: - savedObjectId: - description: The `savedObjectId` of the Timeline or Timeline template - example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e - type: string - version: - description: The version of the Timeline or Timeline template - example: WzE0LDFd - type: string - required: - - savedObjectId - - version - Security_Timeline_API_SerializedFilterQueryResult: - description: KQL bar query. - example: - filterQuery: null - kuery: - expression: '_id : *' - kind: kuery - serializedQuery: >- - {"bool":{"should":[{"exists":{"field":"_id"}}],"minimum_should_match":1}} + title: Post a private location type: object - properties: - filterQuery: - nullable: true + Synthetics_httpMonitorFields: + allOf: + - $ref: '#/components/schemas/Synthetics_commonMonitorFields' + - additionalProperties: true type: object properties: - kuery: - nullable: true + check: + description: The check request settings. 
type: object properties: - expression: - nullable: true - type: string - kind: - nullable: true - type: string - serializedQuery: - nullable: true + request: + description: An optional request to send to the remote host. + type: object + properties: + body: + description: Optional request body content. + type: string + headers: + description: | + A dictionary of additional HTTP headers to send. By default, Synthetics will set the User-Agent header to identify itself. + type: object + method: + description: The HTTP method to use. + enum: + - HEAD + - GET + - POST + - OPTIONS + type: string + response: + additionalProperties: true + description: The expected response. + type: object + properties: + body: + type: object + headers: + description: A dictionary of expected HTTP headers. If the header is not found, the check fails. + type: object + ipv4: + default: true + description: If `true`, ping using the ipv4 protocol. + type: boolean + ipv6: + default: true + description: If `true`, ping using the ipv6 protocol. + type: boolean + max_redirects: + default: 0 + description: The maximum number of redirects to follow. + type: number + mode: + default: any + description: | + The mode of the monitor. If it is `all`, the monitor pings all resolvable IPs for a hostname. If it is `any`, the monitor pings only one IP address for a hostname. If you're using a DNS-load balancer and want to ping every IP address for the specified hostname, you should use `all`. + enum: + - all + - any type: string - Security_Timeline_API_Sort: - oneOf: - - $ref: '#/components/schemas/Security_Timeline_API_SortObject' - - items: - $ref: '#/components/schemas/Security_Timeline_API_SortObject' - type: array - Security_Timeline_API_SortFieldTimeline: - description: The field to sort the timelines by. 
- enum: - - title - - description - - updated - - created - type: string - Security_Timeline_API_SortObject: - description: Object indicating how rows are sorted in the Timeline's grid - example: - columnId: '@timestamp' - sortDirection: desc - type: object - properties: - columnId: - nullable: true - type: string - columnType: - nullable: true - type: string - sortDirection: - nullable: true - type: string - Security_Timeline_API_TimelineResponse: - allOf: - - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' - - $ref: >- - #/components/schemas/Security_Timeline_API_SavedTimelineWithSavedObjectId - - type: object - properties: - eventIdToNoteIds: - description: A list of all the notes that are associated to this Timeline. - items: - $ref: '#/components/schemas/Security_Timeline_API_Note' - nullable: true - type: array - noteIds: - description: >- - A list of all the ids of notes that are associated to this - Timeline. - example: - - 709f99c6-89b6-4953-9160-35945c8e174e - items: - type: string - nullable: true - type: array - notes: - description: A list of all the notes that are associated to this Timeline. - items: - $ref: '#/components/schemas/Security_Timeline_API_Note' - nullable: true - type: array - pinnedEventIds: - description: >- - A list of all the ids of pinned events that are associated to - this Timeline. - example: - - 983f99c6-89b6-4953-9160-35945c8a194f - items: - type: string - nullable: true - type: array - pinnedEventsSaveObject: - description: >- - A list of all the pinned events that are associated to this - Timeline. 
- items: - $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent' - nullable: true - type: array - Security_Timeline_API_TimelineSavedToReturnObject: - allOf: - - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' - - type: object - properties: - eventIdToNoteIds: - items: - $ref: '#/components/schemas/Security_Timeline_API_Note' - nullable: true - type: array - noteIds: - items: - type: string - nullable: true - type: array - notes: - items: - $ref: '#/components/schemas/Security_Timeline_API_Note' - nullable: true - type: array - pinnedEventIds: - items: - type: string - nullable: true - type: array - pinnedEventsSaveObject: - items: - $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent' - nullable: true - type: array - savedObjectId: + password: + description: | + The password for authenticating with the server. The credentials are passed with the request. + type: string + proxy_headers: + description: Additional headers to send to proxies during CONNECT requests. + type: object + proxy_url: + description: The URL of the proxy to use for this monitor. + type: string + response: + description: Controls the indexing of the HTTP response body contents to the `http.response.body.contents field`. + type: object + ssl: + description: | + The TLS/SSL connection settings for use with the HTTPS endpoint. If you don't specify settings, the system defaults are used. + type: object + type: + description: The monitor type. + enum: + - http type: string - version: + url: + description: The URL to monitor. + type: string + username: + description: | + The username for authenticating with the server. The credentials are passed with the request. type: string required: - - savedObjectId - - version - Security_Timeline_API_TimelineStatus: - description: The status of the Timeline. - enum: - - active - - draft - - immutable - type: string - Security_Timeline_API_TimelineType: - description: The type of Timeline. 
- enum: - - default - - template - type: string - Short_URL_APIs_urlResponse: - type: object - properties: - accessCount: - description: Number of times the short URL has been resolved. - type: integer - accessDate: - description: >- - Unix epoch (milliseconds) of the last time the short URL was - resolved. Set to the creation time when the URL has never been - accessed. - format: int64 - type: integer - createDate: - description: Unix epoch (milliseconds) when the short URL was created. - format: int64 - type: integer - id: - description: The identifier for the short URL. - type: string - locator: + - type + - url + title: HTTP monitor fields + Synthetics_icmpMonitorFields: + allOf: + - $ref: '#/components/schemas/Synthetics_commonMonitorFields' + - additionalProperties: true type: object properties: - id: - description: The identifier for the locator. + host: + description: The host to ping. type: string - state: - description: The locator parameters. - type: object - version: - description: The version of Kibana when the short URL was created. + type: + description: The monitor type. + enum: + - icmp type: string - slug: - description: > - A random human-readable slug is automatically generated if the - `humanReadableSlug` parameter is set to `true`. If it is set to - `false`, a random short string is generated. - type: string - SLOs_400_response: - title: Bad request + wait: + default: 1 + description: The wait time in seconds. + type: number + required: + - host + - type + title: ICMP monitor fields + Synthetics_monitorWarning: + title: Monitor warning type: object properties: - error: - example: Bad Request - type: string message: - example: 'Invalid value ''foo'' supplied to: [...]' + description: A human-readable warning message. type: string - statusCode: - example: 400 - type: number - required: - - statusCode - - error - - message - SLOs_401_response: - title: Unauthorized + monitorId: + description: The monitor ID associated with the warning. 
+ type: string + publicLocationIds: + description: The public location IDs associated with the warning. + items: + type: string + type: array + Synthetics_parameterRequest: + title: Parameter request type: object properties: - error: - example: Unauthorized + description: + description: A description of the parameter. type: string - message: - example: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastics] for REST request [/_security/_authenticate]]: unable to authenticate user [elastics] for REST request [/_security/_authenticate]" + key: + description: The key of the parameter. + type: string + share_across_spaces: + description: Specify whether the parameter should be shared across spaces. + type: boolean + tags: + description: An array of tags to categorize the parameter. + items: + type: string + type: array + value: + description: The value associated with the parameter. type: string - statusCode: - example: 401 - type: number required: - - statusCode - - error - - message - SLOs_403_response: - title: Forbidden + - key + - value + Synthetics_postParameterResponse: + title: Post parameter response type: object properties: - error: - example: Forbidden + description: + description: A description of the parameter. type: string - message: - example: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: action [slo_write] is unauthorized for user [limited_user] for REST request [/api/observability/slos]]: action [slo_write] is unauthorized for user [limited_user]" + id: + description: The unique identifier for the parameter. type: string - statusCode: - example: 403 - type: number - required: - - statusCode - - error - - message - SLOs_404_response: - title: Not found + key: + description: The parameter key. + type: string + share_across_spaces: + description: Indicates whether the parameter is shared across spaces. + type: boolean + tags: + description: An array of tags associated with the parameter. 
+ items: + type: string + type: array + value: + description: The value associated with the parameter. + type: string + Synthetics_tcpMonitorFields: + allOf: + - $ref: '#/components/schemas/Synthetics_commonMonitorFields' + - additionalProperties: true + type: object + properties: + host: + description: | + The host to monitor; it can be an IP address or a hostname. The host can include the port using a colon, for example "example.com:9200". + type: string + proxy_url: + description: | + The URL of the SOCKS5 proxy to use when connecting to the server. The value must be a URL with a scheme of `socks5://`. If the SOCKS5 proxy server requires client authentication, then a username and password can be embedded in the URL. When using a proxy, hostnames are resolved on the proxy server instead of on the client. You can change this behavior by setting the `proxy_use_local_resolver` option. + type: string + proxy_use_local_resolver: + default: false + description: | + Specify that hostnames are resolved locally instead of being resolved on the proxy server. If `false`, name resolution occurs on the proxy server. + type: boolean + ssl: + description: | + The TLS/SSL connection settings for use with the HTTPS endpoint. If you don't specify settings, the system defaults are used. + type: object + type: + description: The monitor type. + enum: + - tcp + type: string + required: + - host + - type + title: TCP monitor fields + Task_manager_health_APIs_configuration: + description: | + This object summarizes the current configuration of Task Manager. This includes dynamic configurations that change over time, such as `poll_interval` and `max_workers`, which can adjust in reaction to changing load on the system. 
+ type: object + Task_manager_health_APIs_health_response: + title: Task health response properties type: object properties: - error: - example: Not Found + id: type: string - message: - example: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found + last_update: type: string - statusCode: - example: 404 - type: number - required: - - statusCode - - error - - message - SLOs_409_response: - title: Conflict + stats: + type: object + properties: + capacity_estimation: + description: | + This object provides a rough estimate about the sufficiency of its capacity. These are estimates based on historical data and should not be used as predictions. + type: object + configuration: + $ref: '#/components/schemas/Task_manager_health_APIs_configuration' + runtime: + description: | + This object tracks runtime performance of Task Manager, tracking task drift, worker load, and stats broken down by type, including duration and run results. + type: object + workload: + $ref: '#/components/schemas/Task_manager_health_APIs_workload' + status: + type: string + timestamp: + type: string + Task_manager_health_APIs_workload: + description: | + This object summarizes the work load across the cluster, including the tasks in the system, their types, and current status. type: object + bedrock_config: + title: Connector request properties for an Amazon Bedrock connector + description: Defines properties for connectors when type is `.bedrock`. + type: object + required: + - apiUrl properties: - error: - example: Conflict + apiUrl: type: string - message: - example: SLO [d077e940-1515-11ee-9c50-9d096392f520] already exists + description: The Amazon Bedrock request URL. + region: type: string - statusCode: - example: 409 - type: number + description: | + Optional AWS region for request signing. Required when using a custom endpoint URL that does not include the region in the hostname (for example, `us-west-1`). 
+ defaultModel: + type: string + description: | + The generative artificial intelligence model for Amazon Bedrock to use. Current support is for the Anthropic Claude models. + default: us.anthropic.claude-sonnet-4-5-20250929-v1:0 + crowdstrike_config: + title: Connector request config properties for a Crowdstrike connector required: - - statusCode - - error - - message - SLOs_artifacts: - description: Links to related assets for the SLO - properties: - dashboards: - description: Array of dashboard references - items: - type: object - properties: - id: - description: Dashboard saved-object id - type: string - required: - - id - type: array - title: Artifacts + - url + description: Defines config properties for connectors when type is `.crowdstrike`. type: object - SLOs_budgeting_method: - description: The budgeting method to use when computing the rollup data. - enum: - - occurrences - - timeslices - example: occurrences - title: Budgeting method - type: string - SLOs_bulk_delete_request: - description: > - The bulk delete SLO request takes a list of SLOs Definition id to - delete. properties: - list: - description: An array of SLO Definition id - items: - description: The SLO Definition id - example: 8853df00-ae2e-11ed-90af-09bb6422b258 - type: string - type: array - required: - - list - title: Bulk delete SLO request + url: + description: | + The CrowdStrike tenant URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. + type: string + d3security_config: + title: Connector request properties for a D3 Security connector + description: Defines properties for connectors when type is `.d3security`. 
type: object - SLOs_bulk_delete_response: - description: > - The bulk delete SLO response returns a taskId that can be used to poll - for its status + required: + - url properties: - taskId: - description: The taskId of the bulk delete operation - example: d08506b7-f0e8-4f8b-a06a-a83940f4db91 + url: type: string - title: Bulk delete SLO response + description: | + The D3 Security API request URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. + email_config: + title: Connector request properties for an email connector + description: Defines properties for connectors when type is `.email`. + required: + - from type: object - SLOs_bulk_delete_status_response: - description: >- - Indicates if the bulk deletion is completed, with the detailed results - of the operation. properties: - error: - description: The error message if the bulk deletion operation failed - example: Task not found + clientId: + description: | + The client identifier, which is a part of OAuth 2.0 client credentials authentication, in GUID format. If `service` is `exchange_server`, this property is required. type: string - isDone: - description: Indicates if the bulk deletion operation is completed - example: true + nullable: true + from: + description: | + The from address for all emails sent by the connector. It must be specified in `user@host-name` format. + type: string + hasAuth: + description: | + Specifies whether a user and password are required inside the secrets configuration. 
+ default: true type: boolean - results: - description: >- - The results of the bulk deletion operation, including the success - status and any errors for each SLO - items: - type: object - properties: - error: - description: >- - The error message if the deletion operation failed for this - SLO - example: SLO [d08506b7-f0e8-4f8b-a06a-a83940f4db91] not found - type: string - id: - description: The ID of the SLO that was deleted - example: d08506b7-f0e8-4f8b-a06a-a83940f4db91 - type: string - success: - description: The result of the deletion operation for this SLO - example: true - type: boolean - type: array - title: The status of the bulk deletion + host: + description: | + The host name of the service provider. If the `service` is `elastic_cloud` (for Elastic Cloud notifications) or one of Nodemailer's well-known email service providers, this property is ignored. If `service` is `other`, this property must be defined. + type: string + oauthTokenUrl: + type: string + nullable: true + port: + description: | + The port to connect to on the service provider. If the `service` is `elastic_cloud` (for Elastic Cloud notifications) or one of Nodemailer's well-known email service providers, this property is ignored. If `service` is `other`, this property must be defined. + type: integer + secure: + description: | + Specifies whether the connection to the service provider will use TLS. If the `service` is `elastic_cloud` (for Elastic Cloud notifications) or one of Nodemailer's well-known email service providers, this property is ignored. + type: boolean + service: + description: | + The name of the email service. + type: string + enum: + - elastic_cloud + - exchange_server + - gmail + - other + - outlook365 + - ses + tenantId: + description: | + The tenant identifier, which is part of OAuth 2.0 client credentials authentication, in GUID format. If `service` is `exchange_server`, this property is required. 
+ type: string + nullable: true + gemini_config: + title: Connector request properties for an Google Gemini connector + description: Defines properties for connectors when type is `.gemini`. type: object - SLOs_bulk_purge_rollup_request: - description: > - The bulk purge rollup data request takes a list of SLO ids and a purge - policy, then deletes the rollup data according to the purge policy. This - API can be used to remove the staled data of an instance SLO that no - longer get updated. - properties: - list: - description: An array of slo ids - items: - description: The SLO Definition id - example: 8853df00-ae2e-11ed-90af-09bb6422b258 - type: string - type: array - purgePolicy: - description: Policy that dictates which SLI documents to purge based on age - oneOf: - - type: object - properties: - age: - description: >- - The duration to determine which documents to purge, - formatted as {duration}{unit}. This value should be greater - than or equal to the time window of every SLO provided. - example: 7d - type: string - purgeType: - description: >- - Specifies whether documents will be purged based on a - specific age or on a timestamp - enum: - - fixed-age - type: string - - type: object - properties: - purgeType: - description: >- - Specifies whether documents will be purged based on a - specific age or on a timestamp - enum: - - fixed-time - type: string - timestamp: - description: >- - The timestamp to determine which documents to purge, - formatted in ISO. This value should be older than the - applicable time window of every SLO provided. - example: '2024-12-31T00:00:00.000Z' - type: string - type: object required: - - list - - purgePolicy - title: Bulk Purge Rollup data request - type: object - SLOs_bulk_purge_rollup_response: - description: > - The bulk purge rollup data response returns a task id from the - elasticsearch deleteByQuery response. 
+ - apiUrl + - gcpRegion + - gcpProjectID properties: - taskId: - description: The task id of the purge operation - example: 8853df00-ae2e-11ed-90af-09bb6422b258 + apiUrl: type: string - title: Bulk Purge Rollup data response - type: object - SLOs_create_slo_request: - description: > - The create SLO API request body varies depending on the type of - indicator, time window and budgeting method. - properties: - artifacts: - $ref: '#/components/schemas/SLOs_artifacts' - budgetingMethod: - $ref: '#/components/schemas/SLOs_budgeting_method' - description: - description: A description for the SLO. + description: The Google Gemini request URL. + defaultModel: type: string - groupBy: - $ref: '#/components/schemas/SLOs_group_by' - id: - description: >- - A optional and unique identifier for the SLO. Must be between 8 and - 36 chars - example: my-super-slo-id + description: The generative artificial intelligence model for Google Gemini to use. + default: gemini-2.5-pro + gcpRegion: type: string - indicator: - oneOf: - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' - - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' - - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' - name: - description: A name for the SLO. + description: The GCP region where the Vertex AI endpoint enabled. + gcpProjectID: type: string - objective: - $ref: '#/components/schemas/SLOs_objective' - settings: - $ref: '#/components/schemas/SLOs_settings' - tags: - description: List of tags - items: - type: string - type: array - timeWindow: - $ref: '#/components/schemas/SLOs_time_window' + description: The Google ProjectID that has Vertex AI endpoint enabled. 
+ resilient_config: + title: Connector request properties for a IBM Resilient connector required: - - name - - description - - indicator - - timeWindow - - budgetingMethod - - objective - title: Create SLO request - type: object - SLOs_create_slo_response: - title: Create SLO response + - apiUrl + - orgId + description: Defines properties for connectors when type is `.resilient`. type: object properties: - id: - example: 8853df00-ae2e-11ed-90af-09bb6422b258 + apiUrl: + description: The IBM Resilient instance URL. type: string + orgId: + description: The IBM Resilient organization ID. + type: string + index_config: + title: Connector request properties for an index connector required: - - id - SLOs_delete_slo_instances_request: - description: > - The delete SLO instances request takes a list of SLO id and instance id, - then delete the rollup and summary data. This API can be used to remove - the staled data of an instance SLO that no longer get updated. - properties: - list: - description: An array of slo id and instance id - items: - type: object - properties: - instanceId: - description: The SLO instance identifier - example: 8853df00-ae2e-11ed-90af-09bb6422b258 - type: string - sloId: - description: The SLO unique identifier - example: 8853df00-ae2e-11ed-90af-09bb6422b258 - type: string - required: - - sloId - - instanceId - type: array - required: - - list - title: Delete SLO instances request - type: object - SLOs_error_budget: - title: Error budget + - index + description: Defines properties for connectors when type is `.index`. type: object properties: - consumed: - description: The error budget consummed, as a percentage of the initial value. - example: 0.8 - type: number - initial: - description: The initial error budget, as 1 - objective - example: 0.02 - type: number - isEstimated: - description: >- - Only for SLO defined with occurrences budgeting method and calendar - aligned time window. 
- example: true + executionTimeField: + description: A field that indicates when the document was indexed. + default: null + type: string + nullable: true + index: + description: The Elasticsearch index to be written to. + type: string + refresh: + description: | + The refresh policy for the write request, which affects when changes are made visible to search. Refer to the refresh setting for Elasticsearch document APIs. + default: false type: boolean - remaining: - description: The error budget remaining, as a percentage of the initial value. - example: 0.2 - type: number + jira_config: + title: Connector request properties for a Jira connector required: - - initial - - consumed - - remaining - - isEstimated - SLOs_filter: - description: Defines properties for a filter - properties: - meta: - $ref: '#/components/schemas/SLOs_filter_meta' - query: - type: object - title: Filter + - apiUrl + - projectKey + description: Defines properties for connectors when type is `.jira`. type: object - SLOs_filter_meta: - description: Defines properties for a filter properties: - alias: - nullable: true + apiUrl: + description: The Jira instance URL. type: string - controlledBy: + projectKey: + description: The Jira project key. type: string - disabled: - type: boolean - field: + defender_config: + title: Connector request properties for a Microsoft Defender for Endpoint connector + required: + - apiUrl + - projectKey + description: Defines properties for connectors when type is `.microsoft_defender_endpoint`. + type: object + properties: + apiUrl: type: string - group: + description: | + The URL of the Microsoft Defender for Endpoint API. If you are using the `xpack.actions.allowedHosts` setting, make sure the hostname is added to the allowed hosts. + clientId: type: string - index: + description: The application (client) identifier for your app in the Azure portal. 
+ oAuthScope: type: string - isMultiIndex: - type: boolean - key: + description: The OAuth scopes or permission sets for the Microsoft Defender for Endpoint API. + oAuthServerUrl: type: string - negate: - type: boolean - params: - type: object - type: + description: The OAuth server URL where authentication is sent and received for the Microsoft Defender for Endpoint API. + tenantId: + description: The tenant identifier for your app in the Azure portal. + type: string + genai_azure_config: + title: Connector request properties for an OpenAI connector that uses Azure OpenAI + description: | + Defines properties for connectors when type is `.gen-ai` and the API provider is `Azure OpenAI`. + type: object + required: + - apiProvider + - apiUrl + properties: + apiProvider: type: string - value: + description: The OpenAI API provider. + enum: + - Azure OpenAI + apiUrl: type: string - title: FilterMeta - type: object - SLOs_find_slo_definitions_response: + description: The OpenAI API endpoint. + genai_openai_config: + title: Connector request properties for an OpenAI connector description: | - A paginated response of SLO definitions matching the query. 
- oneOf: - - type: object - properties: - page: - example: 1 - type: number - perPage: - example: 25 - type: number - results: - items: - $ref: '#/components/schemas/SLOs_slo_with_summary_response' - type: array - total: - example: 34 - type: number - - type: object - properties: - page: - default: 1 - description: for backward compability - type: number - perPage: - description: for backward compability - example: 25 - type: number - results: - items: - $ref: '#/components/schemas/SLOs_slo_with_summary_response' - type: array - searchAfter: - description: the cursor to provide to get the next paged results - example: - - some-slo-id - - other-cursor-id - items: - type: string - type: array - size: - example: 25 - type: number - total: - example: 34 - type: number - title: Find SLO definitions response + Defines properties for connectors when type is `.gen-ai` and the API provider is `OpenAI`. type: object - SLOs_find_slo_response: - description: | - A paginated response of SLOs matching the query. + required: + - apiProvider + - apiUrl properties: - page: - example: 1 - type: number - perPage: - example: 25 - type: number - results: - items: - $ref: '#/components/schemas/SLOs_slo_with_summary_response' - type: array - searchAfter: + apiProvider: type: string - size: - description: Size provided for cursor based pagination - example: 25 - type: number - total: - example: 34 - type: number - title: Find SLO response + description: The OpenAI API provider. + enum: + - OpenAI + apiUrl: + type: string + description: The OpenAI API endpoint. + defaultModel: + type: string + description: The default model to use for requests. + opsgenie_config: + title: Connector request properties for an Opsgenie connector + required: + - apiUrl + description: Defines properties for connectors when type is `.opsgenie`. 
type: object - SLOs_group_by: - description: >- - optional group by field or fields to use to generate an SLO per distinct - value - example: - - - service.name - - service.name - - - service.name - - service.environment - oneOf: - - type: string - - items: - type: string - type: array - title: Group by - SLOs_indicator_properties_apm_availability: - description: Defines properties for the APM availability indicator type + properties: + apiUrl: + description: | + The Opsgenie URL. For example, `https://api.opsgenie.com` or `https://api.eu.opsgenie.com`. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. + type: string + pagerduty_config: + title: Connector request properties for a PagerDuty connector + description: Defines properties for connectors when type is `.pagerduty`. type: object properties: - params: - description: An object containing the indicator parameters. - nullable: false - type: object - properties: - environment: - description: The APM service environment or "*" - example: production - type: string - filter: - description: KQL query used for filtering the data - example: 'service.foo : "bar"' - type: string - index: - description: The index used by APM metrics - example: metrics-apm*,apm* - type: string - service: - description: The APM service name - example: o11y-app - type: string - transactionName: - description: The APM transaction name or "*" - example: GET /my/api - type: string - transactionType: - description: The APM transaction type or "*" - example: request - type: string - required: - - service - - environment - - transactionType - - transactionName - - index - type: - description: The type of indicator. - example: sli.apm.transactionDuration + apiUrl: + description: The PagerDuty event URL. 
type: string + nullable: true + example: https://events.pagerduty.com/v2/enqueue + sentinelone_config: + title: Connector request properties for a SentinelOne connector required: - - type - - params - title: APM availability - SLOs_indicator_properties_apm_latency: - description: Defines properties for the APM latency indicator type + - url + description: Defines properties for connectors when type is `.sentinelone`. type: object properties: - params: - description: An object containing the indicator parameters. - nullable: false - type: object - properties: - environment: - description: The APM service environment or "*" - example: production - type: string - filter: - description: KQL query used for filtering the data - example: 'service.foo : "bar"' - type: string - index: - description: The index used by APM metrics - example: metrics-apm*,apm* - type: string - service: - description: The APM service name - example: o11y-app - type: string - threshold: - description: The latency threshold in milliseconds - example: 250 - type: number - transactionName: - description: The APM transaction name or "*" - example: GET /my/api - type: string - transactionType: - description: The APM transaction type or "*" - example: request - type: string - required: - - service - - environment - - transactionType - - transactionName - - index - - threshold - type: - description: The type of indicator. - example: sli.apm.transactionDuration + url: + description: | + The SentinelOne tenant URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. type: string + servicenow_config: + title: Connector request properties for a ServiceNow ITSM connector required: - - type - - params - title: APM latency - SLOs_indicator_properties_custom_kql: - description: Defines properties for a custom query indicator type + - apiUrl + description: Defines properties for connectors when type is `.servicenow`. 
type: object properties: - params: - description: An object containing the indicator parameters. - nullable: false - type: object - properties: - dataViewId: - description: >- - The kibana data view id to use, primarily used to include data - view runtime mappings. Make sure to save SLO again if you - add/update run time fields to the data view and if those fields - are being used in slo queries. - example: 03b80ab3-003d-498b-881c-3beedbaf1162 - type: string - filter: - $ref: '#/components/schemas/SLOs_kql_with_filters' - good: - $ref: '#/components/schemas/SLOs_kql_with_filters_good' - index: - description: The index or index pattern to use - example: my-service-* - type: string - timestampField: - description: | - The timestamp field used in the source indice. - example: timestamp - type: string - total: - $ref: '#/components/schemas/SLOs_kql_with_filters_total' - required: - - index - - timestampField - - good - - total - type: - description: The type of indicator. - example: sli.kql.custom + apiUrl: + type: string + description: The ServiceNow instance URL. + clientId: + description: | + The client ID assigned to your OAuth application. This property is required when `isOAuth` is `true`. + type: string + isOAuth: + description: | + The type of authentication to use. The default value is false, which means basic authentication is used instead of open authorization (OAuth). + default: false + type: boolean + jwtKeyId: + description: | + The key identifier assigned to the JWT verifier map of your OAuth application. This property is required when `isOAuth` is `true`. type: string + userIdentifierValue: + description: | + The identifier to use for OAuth authentication. This identifier should be the user field you selected when you created an OAuth JWT API endpoint for external clients in your ServiceNow instance. For example, if the selected user field is `Email`, the user identifier should be the user's email address. 
This property is required when `isOAuth` is `true`. + type: string + usesTableApi: + description: | + Determines whether the connector uses the Table API or the Import Set API. This property is supported only for ServiceNow ITSM and ServiceNow SecOps connectors. NOTE: If this property is set to `false`, the Elastic application should be installed in ServiceNow. + default: true + type: boolean + servicenow_itom_config: + title: Connector request properties for a ServiceNow ITOM connector required: - - type - - params - title: Custom Query - SLOs_indicator_properties_custom_metric: - description: Defines properties for a custom metric indicator type + - apiUrl + description: Defines properties for connectors when type is `.servicenow-itom`. type: object properties: - params: - description: An object containing the indicator parameters. - nullable: false + apiUrl: + type: string + description: The ServiceNow instance URL. + clientId: + description: | + The client ID assigned to your OAuth application. This property is required when `isOAuth` is `true`. + type: string + isOAuth: + description: | + The type of authentication to use. The default value is false, which means basic authentication is used instead of open authorization (OAuth). + default: false + type: boolean + jwtKeyId: + description: | + The key identifier assigned to the JWT verifier map of your OAuth application. This property is required when `isOAuth` is `true`. + type: string + userIdentifierValue: + description: | + The identifier to use for OAuth authentication. This identifier should be the user field you selected when you created an OAuth JWT API endpoint for external clients in your ServiceNow instance. For example, if the selected user field is `Email`, the user identifier should be the user's email address. This property is required when `isOAuth` is `true`. 
+ type: string + slack_api_config: + title: Connector request properties for a Slack connector + description: Defines properties for connectors when type is `.slack_api`. + type: object + properties: + allowedChannels: + type: array + description: A list of valid Slack channels. + items: + type: object + required: + - id + - name + maxItems: 25 + properties: + id: + type: string + description: The Slack channel ID. + example: C123ABC456 + minLength: 1 + name: + type: string + description: The Slack channel name. + minLength: 1 + swimlane_config: + title: Connector request properties for a Swimlane connector + required: + - apiUrl + - appId + - connectorType + description: Defines properties for connectors when type is `.swimlane`. + type: object + properties: + apiUrl: + description: The Swimlane instance URL. + type: string + appId: + description: The Swimlane application ID. + type: string + connectorType: + description: The type of connector. Valid values are `all`, `alerts`, and `cases`. + type: string + enum: + - all + - alerts + - cases + mappings: + title: Connector mappings properties for a Swimlane connector + description: The field mapping. type: object properties: - dataViewId: - description: >- - The kibana data view id to use, primarily used to include data - view runtime mappings. Make sure to save SLO again if you - add/update run time fields to the data view and if those fields - are being used in slo queries. - example: 03b80ab3-003d-498b-881c-3beedbaf1162 - type: string - filter: - description: the KQL query to filter the documents with. - example: 'field.environment : "production" and service.name : "my-service"' - type: string - good: - description: | - An object defining the "good" metrics and equation + alertIdConfig: + title: Alert identifier mapping + description: Mapping for the alert ID. type: object + required: + - fieldType + - id + - key + - name properties: - equation: - description: The equation to calculate the "good" metric. 
- example: A + fieldType: type: string - metrics: - description: >- - List of metrics with their name, aggregation type, and - field. - items: - oneOf: - - type: object - properties: - aggregation: - description: The aggregation type of the metric. - enum: - - sum - example: sum - type: string - field: - description: The field of the metric. - example: processor.processed - type: string - filter: - description: The filter to apply to the metric. - example: 'processor.outcome: *' - type: string - name: - description: The name of the metric. Only valid options are A-Z - example: A - pattern: ^[A-Z]$ - type: string - required: - - name - - aggregation - - field - - type: object - properties: - aggregation: - description: The aggregation type of the metric. - enum: - - doc_count - example: doc_count - type: string - filter: - description: The filter to apply to the metric. - example: 'processor.outcome: *' - type: string - name: - description: The name of the metric. Only valid options are A-Z - example: A - pattern: ^[A-Z]$ - type: string - required: - - name - - aggregation - type: array - required: - - metrics - - equation - index: - description: The index or index pattern to use - example: my-service-* - type: string - timestampField: - description: | - The timestamp field used in the source indice. - example: timestamp - type: string - total: - description: | - An object defining the "total" metrics and equation + description: The type of field in Swimlane. + id: + type: string + description: The identifier for the field in Swimlane. + key: + type: string + description: The key for the field in Swimlane. + name: + type: string + description: The name of the field in Swimlane. + caseIdConfig: + title: Case identifier mapping + description: Mapping for the case ID. type: object + required: + - fieldType + - id + - key + - name properties: - equation: - description: The equation to calculate the "total" metric. 
- example: A + fieldType: type: string - metrics: - description: >- - List of metrics with their name, aggregation type, and - field. - items: - oneOf: - - type: object - properties: - aggregation: - description: The aggregation type of the metric. - enum: - - sum - example: sum - type: string - field: - description: The field of the metric. - example: processor.processed - type: string - filter: - description: The filter to apply to the metric. - example: 'processor.outcome: *' - type: string - name: - description: The name of the metric. Only valid options are A-Z - example: A - pattern: ^[A-Z]$ - type: string - required: - - name - - aggregation - - field - - type: object - properties: - aggregation: - description: The aggregation type of the metric. - enum: - - doc_count - example: doc_count - type: string - filter: - description: The filter to apply to the metric. - example: 'processor.outcome: *' - type: string - name: - description: The name of the metric. Only valid options are A-Z - example: A - pattern: ^[A-Z]$ - type: string - required: - - name - - aggregation - type: array + description: The type of field in Swimlane. + id: + type: string + description: The identifier for the field in Swimlane. + key: + type: string + description: The key for the field in Swimlane. + name: + type: string + description: The name of the field in Swimlane. + caseNameConfig: + title: Case name mapping + description: Mapping for the case name. + type: object required: - - metrics - - equation - required: - - index - - timestampField - - good - - total - type: - description: The type of indicator. - example: sli.metric.custom - type: string - required: - - type - - params - title: Custom metric - SLOs_indicator_properties_histogram: - description: Defines properties for a histogram indicator type - type: object - properties: - params: - description: An object containing the indicator parameters. 
- nullable: false - type: object - properties: - dataViewId: - description: >- - The kibana data view id to use, primarily used to include data - view runtime mappings. Make sure to save SLO again if you - add/update run time fields to the data view and if those fields - are being used in slo queries. - example: 03b80ab3-003d-498b-881c-3beedbaf1162 - type: string - filter: - description: the KQL query to filter the documents with. - example: 'field.environment : "production" and service.name : "my-service"' - type: string - good: - description: | - An object defining the "good" events + - fieldType + - id + - key + - name + properties: + fieldType: + type: string + description: The type of field in Swimlane. + id: + type: string + description: The identifier for the field in Swimlane. + key: + type: string + description: The key for the field in Swimlane. + name: + type: string + description: The name of the field in Swimlane. + commentsConfig: + title: Case comment mapping + description: Mapping for the case comments. type: object + required: + - fieldType + - id + - key + - name properties: - aggregation: - description: The type of aggregation to use. - enum: - - value_count - - range - example: value_count + fieldType: type: string - field: - description: The field use to aggregate the good events. - example: processor.latency + description: The type of field in Swimlane. + id: type: string - filter: - description: The filter for good events. - example: 'processor.outcome: "success"' + description: The identifier for the field in Swimlane. + key: type: string - from: - description: >- - The starting value of the range. Only required for "range" - aggregations. - example: 0 - type: number - to: - description: >- - The ending value of the range. Only required for "range" - aggregations. - example: 100 - type: number + description: The key for the field in Swimlane. + name: + type: string + description: The name of the field in Swimlane. 
+ descriptionConfig: + title: Case description mapping + description: Mapping for the case description. + type: object required: - - aggregation - - field - index: - description: The index or index pattern to use - example: my-service-* - type: string - timestampField: - description: | - The timestamp field used in the source indice. - example: timestamp - type: string - total: - description: | - An object defining the "total" events + - fieldType + - id + - key + - name + properties: + fieldType: + type: string + description: The type of field in Swimlane. + id: + type: string + description: The identifier for the field in Swimlane. + key: + type: string + description: The key for the field in Swimlane. + name: + type: string + description: The name of the field in Swimlane. + ruleNameConfig: + title: Rule name mapping + description: Mapping for the name of the alert's rule. type: object + required: + - fieldType + - id + - key + - name properties: - aggregation: - description: The type of aggregation to use. - enum: - - value_count - - range - example: value_count + fieldType: type: string - field: - description: The field use to aggregate the good events. - example: processor.latency + description: The type of field in Swimlane. + id: type: string - filter: - description: The filter for total events. - example: 'processor.outcome : *' + description: The identifier for the field in Swimlane. + key: type: string - from: - description: >- - The starting value of the range. Only required for "range" - aggregations. - example: 0 - type: number - to: - description: >- - The ending value of the range. Only required for "range" - aggregations. - example: 100 - type: number + description: The key for the field in Swimlane. + name: + type: string + description: The name of the field in Swimlane. + severityConfig: + title: Severity mapping + description: Mapping for the severity. 
+ type: object required: - - aggregation - - field - required: - - index - - timestampField - - good - - total - type: - description: The type of indicator. - example: sli.histogram.custom + - fieldType + - id + - key + - name + properties: + fieldType: + type: string + description: The type of field in Swimlane. + id: + type: string + description: The identifier for the field in Swimlane. + key: + type: string + description: The key for the field in Swimlane. + name: + type: string + description: The name of the field in Swimlane. + thehive_config: + title: Connector request properties for a TheHive connector + description: Defines configuration properties for connectors when type is `.thehive`. + type: object + required: + - url + properties: + organisation: + type: string + description: | + The organisation in TheHive that will contain the alerts or cases. By default, the connector uses the default organisation of the user account that created the API key. + url: type: string + description: | + The instance URL in TheHive. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. + tines_config: + title: Connector request properties for a Tines connector + description: Defines properties for connectors when type is `.tines`. + type: object required: - - type - - params - title: Histogram indicator - SLOs_indicator_properties_timeslice_metric: - description: Defines properties for a timeslice metric indicator type + - url + properties: + url: + description: | + The Tines tenant URL. If you are using the `xpack.actions.allowedHosts` setting, make sure this hostname is added to the allowed hosts. + type: string + torq_config: + title: Connector request properties for a Torq connector + description: Defines properties for connectors when type is `.torq`. type: object + required: + - webhookIntegrationUrl properties: - params: - description: An object containing the indicator parameters. 
- nullable: false + webhookIntegrationUrl: + description: The endpoint URL of the Elastic Security integration in Torq. + type: string + auth_type: + title: Authentication type + type: string + nullable: true + enum: + - webhook-authentication-basic + - webhook-authentication-ssl + description: | + The type of authentication to use: basic, SSL, or none. + ca: + title: Certificate authority + type: string + description: | + A base64 encoded version of the certificate authority file that the connector can trust to sign and validate certificates. This option is available for all authentication types. + cert_type: + title: Certificate type + type: string + description: | + If the `authType` is `webhook-authentication-ssl`, specifies whether the certificate authentication data is in a CRT and key file format or a PFX file format. + enum: + - ssl-crt-key + - ssl-pfx + has_auth: + title: Has authentication + type: boolean + description: If true, a username and password for login type authentication must be provided. + default: true + verification_mode: + title: Verification mode + type: string + enum: + - certificate + - full + - none + default: full + description: | + Controls the verification of certificates. Use `full` to validate that the certificate has an issue date within the `not_before` and `not_after` dates, chains to a trusted certificate authority (CA), and has a hostname or IP address that matches the names within the certificate. Use `certificate` to validate the certificate and verify that it is signed by a trusted authority; this option does not check the certificate hostname. Use `none` to skip certificate validation. + webhook_config: + title: Connector request properties for a Webhook connector + description: Defines properties for connectors when type is `.webhook`. 
+ type: object + properties: + authType: + $ref: '#/components/schemas/auth_type' + ca: + $ref: '#/components/schemas/ca' + certType: + $ref: '#/components/schemas/cert_type' + hasAuth: + $ref: '#/components/schemas/has_auth' + headers: type: object - properties: - dataViewId: - description: >- - The kibana data view id to use, primarily used to include data - view runtime mappings. Make sure to save SLO again if you - add/update run time fields to the data view and if those fields - are being used in slo queries. - example: 03b80ab3-003d-498b-881c-3beedbaf1162 - type: string - filter: - description: the KQL query to filter the documents with. - example: 'field.environment : "production" and service.name : "my-service"' - type: string - index: - description: The index or index pattern to use - example: my-service-* - type: string - metric: - description: > - An object defining the metrics, equation, and threshold to - determine if it's a good slice or not - type: object - properties: - comparator: - description: >- - The comparator to use to compare the equation to the - threshold. - enum: - - GT - - GTE - - LT - - LTE - example: GT - type: string - equation: - description: The equation to calculate the metric. - example: A - type: string - metrics: - description: >- - List of metrics with their name, aggregation type, and - field. 
- items: - anyOf: - - $ref: >- - #/components/schemas/SLOs_timeslice_metric_basic_metric_with_field - - $ref: >- - #/components/schemas/SLOs_timeslice_metric_percentile_metric - - $ref: >- - #/components/schemas/SLOs_timeslice_metric_doc_count_metric - discriminator: - mapping: - avg: >- - #/components/schemas/SLOs_timeslice_metric_basic_metric_with_field - cardinality: >- - #/components/schemas/SLOs_timeslice_metric_basic_metric_with_field - doc_count: >- - #/components/schemas/SLOs_timeslice_metric_doc_count_metric - last_value: >- - #/components/schemas/SLOs_timeslice_metric_basic_metric_with_field - max: >- - #/components/schemas/SLOs_timeslice_metric_basic_metric_with_field - min: >- - #/components/schemas/SLOs_timeslice_metric_basic_metric_with_field - percentile: >- - #/components/schemas/SLOs_timeslice_metric_percentile_metric - std_deviation: >- - #/components/schemas/SLOs_timeslice_metric_basic_metric_with_field - sum: >- - #/components/schemas/SLOs_timeslice_metric_basic_metric_with_field - propertyName: aggregation - type: array - threshold: - description: >- - The threshold used to determine if the metric is a good - slice or not. - example: 100 - type: number - required: - - metrics - - equation - - comparator - - threshold - timestampField: - description: | - The timestamp field used in the source indice. - example: timestamp - type: string - required: - - index - - timestampField - - metric - type: - description: The type of indicator. - example: sli.metric.timeslice + nullable: true + description: A set of key-value pairs sent as headers with the request. + method: + type: string + default: post + enum: + - post + - put + description: | + The HTTP request method, either `post` or `put`. + url: type: string + description: | + The request URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. 
+ verificationMode: + $ref: '#/components/schemas/verification_mode' + cases_webhook_config: + title: Connector request properties for Webhook - Case Management connector required: - - type - - params - title: Timeslice metric - SLOs_kql_with_filters: - description: Defines properties for a filter - oneOf: - - description: the KQL query to filter the documents with. - example: 'field.environment : "production" and service.name : "my-service"' + - createIncidentJson + - createIncidentResponseKey + - createIncidentUrl + - getIncidentResponseExternalTitleKey + - getIncidentUrl + - updateIncidentJson + - updateIncidentUrl + - viewIncidentUrl + description: Defines properties for connectors when type is `.cases-webhook`. + type: object + properties: + authType: + $ref: '#/components/schemas/auth_type' + ca: + $ref: '#/components/schemas/ca' + certType: + $ref: '#/components/schemas/cert_type' + createCommentJson: type: string - - type: object - properties: - filters: - items: - $ref: '#/components/schemas/SLOs_filter' - type: array - kqlQuery: - type: string - title: KQL with filters - SLOs_kql_with_filters_good: - description: The KQL query used to define the good events. - oneOf: - - description: the KQL query to filter the documents with. - example: 'request.latency <= 150 and request.status_code : "2xx"' + description: | + A JSON payload sent to the create comment URL to create a case comment. You can use variables to add Kibana Cases data to the payload. The required variable is `case.comment`. Due to Mustache template variables (the text enclosed in triple braces, for example, `{{{case.title}}}`), the JSON is not validated when you create the connector. The JSON is validated once the Mustache variables have been placed when the REST method runs. Manually ensure that the JSON is valid, disregarding the Mustache variables, so the later validation will pass. 
+ example: '{"body": {{{case.comment}}}}' + createCommentMethod: type: string - - type: object - properties: - filters: - items: - $ref: '#/components/schemas/SLOs_filter' - type: array - kqlQuery: - type: string - title: KQL query for good events - SLOs_kql_with_filters_total: - description: The KQL query used to define all events. - oneOf: - - description: the KQL query to filter the documents with. - example: 'field.environment : "production" and service.name : "my-service"' + description: | + The REST API HTTP request method to create a case comment in the third-party system. Valid values are `patch`, `post`, and `put`. + default: put + enum: + - patch + - post + - put + createCommentUrl: type: string - - type: object - properties: - filters: - items: - $ref: '#/components/schemas/SLOs_filter' - type: array - kqlQuery: - type: string - title: KQL query for all events - SLOs_objective: - description: Defines properties for the SLO objective + description: | + The REST API URL to create a case comment by ID in the third-party system. You can use a variable to add the external system ID to the URL. If you are using the `xpack.actions.allowedHosts setting`, add the hostname to the allowed hosts. + example: https://example.com/issue/{{{external.system.id}}}/comment + createIncidentJson: + type: string + description: | + A JSON payload sent to the create case URL to create a case. You can use variables to add case data to the payload. Required variables are `case.title` and `case.description`. Due to Mustache template variables (which is the text enclosed in triple braces, for example, `{{{case.title}}}`), the JSON is not validated when you create the connector. The JSON is validated after the Mustache variables have been placed when REST method runs. Manually ensure that the JSON is valid to avoid future validation errors; disregard Mustache variables during your review. 
+ example: '{"fields": {"summary": {{{case.title}}},"description": {{{case.description}}},"labels": {{{case.tags}}}}}' + createIncidentMethod: + type: string + description: | + The REST API HTTP request method to create a case in the third-party system. Valid values are `patch`, `post`, and `put`. + enum: + - patch + - post + - put + default: post + createIncidentResponseKey: + type: string + description: The JSON key in the create external case response that contains the case ID. + createIncidentUrl: + type: string + description: | + The REST API URL to create a case in the third-party system. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. + getIncidentResponseExternalTitleKey: + type: string + description: The JSON key in get external case response that contains the case title. + getIncidentUrl: + type: string + description: | + The REST API URL to get the case by ID from the third-party system. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. You can use a variable to add the external system ID to the URL. Due to Mustache template variables (the text enclosed in triple braces, for example, `{{{case.title}}}`), the JSON is not validated when you create the connector. The JSON is validated after the Mustache variables have been placed when REST method runs. Manually ensure that the JSON is valid, disregarding the Mustache variables, so the later validation will pass. + example: https://example.com/issue/{{{external.system.id}}} + hasAuth: + $ref: '#/components/schemas/has_auth' + headers: + type: string + description: | + A set of key-value pairs sent as headers with the request URLs for the create case, update case, get case, and create comment methods. + updateIncidentJson: + type: string + description: | + The JSON payload sent to the update case URL to update the case. You can use variables to add Kibana Cases data to the payload. 
Required variables are `case.title` and `case.description`. Due to Mustache template variables (which is the text enclosed in triple braces, for example, `{{{case.title}}}`), the JSON is not validated when you create the connector. The JSON is validated after the Mustache variables have been placed when REST method runs. Manually ensure that the JSON is valid to avoid future validation errors; disregard Mustache variables during your review. + example: '{"fields": {"summary": {{{case.title}}},"description": {{{case.description}}},"labels": {{{case.tags}}}}}' + updateIncidentMethod: + type: string + description: | + The REST API HTTP request method to update the case in the third-party system. Valid values are `patch`, `post`, and `put`. + default: put + enum: + - patch + - post + - put + updateIncidentUrl: + type: string + description: | + The REST API URL to update the case by ID in the third-party system. You can use a variable to add the external system ID to the URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. + example: https://example.com/issue/{{{external.system.ID}}} + verificationMode: + $ref: '#/components/schemas/verification_mode' + viewIncidentUrl: + type: string + description: | + The URL to view the case in the external system. You can use variables to add the external system ID or external system title to the URL. + example: https://testing-jira.atlassian.net/browse/{{{external.system.title}}} + xmatters_config: + title: Connector request properties for an xMatters connector + description: Defines properties for connectors when type is `.xmatters`. 
type: object properties: - target: - description: the target objective between 0 and 1 excluded - example: 0.99 - exclusiveMaximum: true - exclusiveMinimum: true - maximum: 100 - minimum: 0 - type: number - timesliceTarget: - description: >- - the target objective for each slice when using a timeslices - budgeting method - example: 0.995 - maximum: 100 - minimum: 0 - type: number - timesliceWindow: - description: >- - the duration of each slice when using a timeslices budgeting method, - as {duraton}{unit} - example: 5m + configUrl: + description: | + The request URL for the Elastic Alerts trigger in xMatters. It is applicable only when `usesBasic` is `true`. type: string + nullable: true + usesBasic: + description: Specifies whether the connector uses HTTP basic authentication (`true`) or URL authentication (`false`). + type: boolean + default: true + bedrock_secrets: + title: Connector secrets properties for an Amazon Bedrock connector + description: Defines secrets for connectors when type is `.bedrock`. + type: object required: - - target - title: Objective - SLOs_settings: - description: Defines properties for SLO settings. + - accessKey + - secret properties: - frequency: - default: 1m - description: >- - The interval between checks for changes in the source data. The - minimum value is 1m and the maximum is 59m. The default value is 1 - minute. - example: 5m + accessKey: type: string - preventInitialBackfill: - default: false - description: >- - Start aggregating data from the time the SLO is created, instead of - backfilling data from the beginning of the time window. - example: true - type: boolean - syncDelay: - default: 1m - description: >- - The time delay in minutes between the current time and the latest - source data time. Increasing the value will delay any alerting. The - default value is 1 minute. The minimum value is 1m and the maximum - is 359m. It should always be greater then source index refresh - interval. 
- example: 5m + description: The AWS access key for authentication. + secret: type: string - syncField: - description: >- - The date field that is used to identify new documents in the source. - It is strongly recommended to use a field that contains the ingest - timestamp. If you use a different field, you might need to set the - delay such that it accounts for data transmission delays. When - unspecified, we use the indicator timestamp field. - example: event.ingested + description: The AWS secret for authentication. + crowdstrike_secrets: + title: Connector secrets properties for a Crowdstrike connector + description: Defines secrets for connectors when type is `.crowdstrike`. + type: object + required: + - clientId + - clientSecret + properties: + clientId: + description: The CrowdStrike API client identifier. type: string - title: Settings + clientSecret: + description: The CrowdStrike API client secret to authenticate the `clientId`. + type: string + d3security_secrets: + title: Connector secrets properties for a D3 Security connector + description: Defines secrets for connectors when type is `.d3security`. + required: + - token type: object - SLOs_slo_definition_response: - title: SLO definition response + properties: + token: + type: string + description: The D3 Security token. + email_secrets: + title: Connector secrets properties for an email connector + description: Defines secrets for connectors when type is `.email`. type: object properties: - artifacts: - $ref: '#/components/schemas/SLOs_artifacts' - budgetingMethod: - $ref: '#/components/schemas/SLOs_budgeting_method' - createdAt: - description: The creation date - example: '2023-01-12T10:03:19.000Z' + clientSecret: type: string - description: - description: The description of the SLO. - example: My SLO description + description: | + The Microsoft Exchange Client secret for OAuth 2.0 client credentials authentication. It must be URL-encoded. 
If `service` is `exchange_server`, this property is required. + password: type: string - enabled: - description: Indicate if the SLO is enabled - example: true - type: boolean - groupBy: - $ref: '#/components/schemas/SLOs_group_by' - id: - description: The identifier of the SLO. - example: 8853df00-ae2e-11ed-90af-09bb6422b258 + description: | + The password for HTTP basic authentication. If `hasAuth` is set to `true`, this property is required. + user: type: string - indicator: - discriminator: - mapping: - sli.apm.transactionDuration: '#/components/schemas/SLOs_indicator_properties_apm_latency' - sli.apm.transactionErrorRate: '#/components/schemas/SLOs_indicator_properties_apm_availability' - sli.histogram.custom: '#/components/schemas/SLOs_indicator_properties_histogram' - sli.kql.custom: '#/components/schemas/SLOs_indicator_properties_custom_kql' - sli.metric.custom: '#/components/schemas/SLOs_indicator_properties_custom_metric' - sli.metric.timeslice: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' - propertyName: type - oneOf: - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' - - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' - - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' - name: - description: The name of the SLO. - example: My Service SLO + description: | + The username for HTTP basic authentication. If `hasAuth` is set to `true`, this property is required. + gemini_secrets: + title: Connector secrets properties for a Google Gemini connector + description: Defines secrets for connectors when type is `.gemini`. 
+ type: object + required: + - credentialsJson + properties: + credentialsJson: type: string - objective: - $ref: '#/components/schemas/SLOs_objective' - revision: - description: The SLO revision - example: 2 - type: number - settings: - $ref: '#/components/schemas/SLOs_settings' - tags: - description: List of tags - items: - type: string - type: array - timeWindow: - $ref: '#/components/schemas/SLOs_time_window' - updatedAt: - description: The last update date - example: '2023-01-12T10:03:19.000Z' + description: The service account credentials JSON file. The service account should have Vertex AI user IAM role assigned to it. + resilient_secrets: + title: Connector secrets properties for IBM Resilient connector + required: + - apiKeyId + - apiKeySecret + description: Defines secrets for connectors when type is `.resilient`. + type: object + properties: + apiKeyId: type: string - version: - description: The internal SLO version - example: 2 - type: number + description: The authentication key ID for HTTP Basic authentication. + apiKeySecret: + type: string + description: The authentication key secret for HTTP Basic authentication. + jira_secrets: + title: Connector secrets properties for a Jira connector required: - - id - - name - - description - - indicator - - timeWindow - - budgetingMethod - - objective - - settings - - revision - - enabled - - groupBy - - tags - - createdAt - - updatedAt - - version - SLOs_slo_with_summary_response: - title: SLO response + - apiToken + - email + description: Defines secrets for connectors when type is `.jira`. type: object properties: - budgetingMethod: - $ref: '#/components/schemas/SLOs_budgeting_method' - createdAt: - description: The creation date - example: '2023-01-12T10:03:19.000Z' + apiToken: + description: The Jira API authentication token for HTTP basic authentication. type: string - description: - description: The description of the SLO. 
- example: My SLO description + email: + description: The account email for HTTP Basic authentication. type: string - enabled: - description: Indicate if the SLO is enabled - example: true - type: boolean - groupBy: - $ref: '#/components/schemas/SLOs_group_by' - id: - description: The identifier of the SLO. - example: 8853df00-ae2e-11ed-90af-09bb6422b258 + teams_secrets: + title: Connector secrets properties for a Microsoft Teams connector + description: Defines secrets for connectors when type is `.teams`. + type: object + required: + - webhookUrl + properties: + webhookUrl: type: string - indicator: - discriminator: - mapping: - sli.apm.transactionDuration: '#/components/schemas/SLOs_indicator_properties_apm_latency' - sli.apm.transactionErrorRate: '#/components/schemas/SLOs_indicator_properties_apm_availability' - sli.histogram.custom: '#/components/schemas/SLOs_indicator_properties_histogram' - sli.kql.custom: '#/components/schemas/SLOs_indicator_properties_custom_kql' - sli.metric.custom: '#/components/schemas/SLOs_indicator_properties_custom_metric' - sli.metric.timeslice: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' - propertyName: type - oneOf: - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' - - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' - - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' - instanceId: - description: the value derived from the groupBy field, if present, otherwise '*' - example: host-abcde + description: | + The URL of the incoming webhook. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. 
+ genai_secrets: + title: Connector secrets properties for an OpenAI connector + description: | + Defines secrets for connectors when type is `.gen-ai`. Supports both API key authentication (OpenAI, Azure OpenAI, and `Other`) and PKI authentication (`Other` provider only). PKI fields must be base64-encoded PEM content. + type: object + properties: + apiKey: type: string - name: - description: The name of the SLO. - example: My Service SLO + description: | + The API key for authentication. For OpenAI and Azure OpenAI providers, it is required. For the `Other` provider, it is required if you do not use PKI authentication. With PKI, you can also optionally include an API key if the OpenAI-compatible service supports or requires one. + certificateData: type: string - objective: - $ref: '#/components/schemas/SLOs_objective' - revision: - description: The SLO revision - example: 2 - type: number - settings: - $ref: '#/components/schemas/SLOs_settings' - summary: - $ref: '#/components/schemas/SLOs_summary' - tags: - description: List of tags - items: - type: string - type: array - timeWindow: - $ref: '#/components/schemas/SLOs_time_window' - updatedAt: - description: The last update date - example: '2023-01-12T10:03:19.000Z' + description: | + Base64-encoded PEM certificate content for PKI authentication (Other provider only). Required for PKI. + minLength: 1 + privateKeyData: type: string - version: - description: The internal SLO version - example: 2 - type: number + description: | + Base64-encoded PEM private key content for PKI authentication (Other provider only). Required for PKI. + minLength: 1 + caData: + type: string + description: | + Base64-encoded PEM CA certificate content for PKI authentication (Other provider only). Optional. 
+ minLength: 1 + opsgenie_secrets: + title: Connector secrets properties for an Opsgenie connector required: - - id - - name - - description - - indicator - - timeWindow - - budgetingMethod - - objective - - settings - - revision - - summary - - enabled - - groupBy - - instanceId - - tags - - createdAt - - updatedAt - - version - SLOs_summary: - description: The SLO computed data + - apiKey + description: Defines secrets for connectors when type is `.opsgenie`. + type: object properties: - errorBudget: - $ref: '#/components/schemas/SLOs_error_budget' - sliValue: - example: 0.9836 - type: number - status: - $ref: '#/components/schemas/SLOs_summary_status' + apiKey: + description: The Opsgenie API authentication key for HTTP Basic authentication. + type: string + pagerduty_secrets: + title: Connector secrets properties for a PagerDuty connector + description: Defines secrets for connectors when type is `.pagerduty`. + type: object required: - - status - - sliValue - - errorBudget - title: Summary + - routingKey + properties: + routingKey: + description: | + A 32 character PagerDuty Integration Key for an integration on a service. + type: string + sentinelone_secrets: + title: Connector secrets properties for a SentinelOne connector + description: Defines secrets for connectors when type is `.sentinelone`. type: object - SLOs_summary_status: - enum: - - NO_DATA - - HEALTHY - - DEGRADING - - VIOLATED - example: HEALTHY - title: summary status - type: string - SLOs_time_window: - description: Defines properties for the SLO time window + required: + - token + properties: + token: + description: The A SentinelOne API token. + type: string + servicenow_secrets: + title: Connector secrets properties for ServiceNow ITOM, ServiceNow ITSM, and ServiceNow SecOps connectors + description: Defines secrets for connectors when type is `.servicenow`, `.servicenow-sir`, or `.servicenow-itom`. 
+ type: object + properties: + clientSecret: + type: string + description: The client secret assigned to your OAuth application. This property is required when `isOAuth` is `true`. + password: + type: string + description: The password for HTTP basic authentication. This property is required when `isOAuth` is `false`. + privateKey: + type: string + description: The RSA private key that you created for use in ServiceNow. This property is required when `isOAuth` is `true`. + privateKeyPassword: + type: string + description: The password for the RSA private key. This property is required when `isOAuth` is `true` and you set a password on your private key. + username: + type: string + description: The username for HTTP basic authentication. This property is required when `isOAuth` is `false`. + slack_api_secrets: + title: Connector secrets properties for a Web API Slack connector + description: Defines secrets for connectors when type is `.slack`. + required: + - token + type: object + properties: + token: + type: string + description: Slack bot user OAuth token. + swimlane_secrets: + title: Connector secrets properties for a Swimlane connector + description: Defines secrets for connectors when type is `.swimlane`. + type: object + properties: + apiToken: + description: Swimlane API authentication token. + type: string + thehive_secrets: + title: Connector secrets properties for a TheHive connector + description: Defines secrets for connectors when type is `.thehive`. + required: + - apiKey type: object properties: - duration: - description: >- - the duration formatted as {duration}{unit}. Accepted values for - rolling: 7d, 30d, 90d. Accepted values for calendar aligned: 1w - (weekly) or 1M (monthly) - example: 30d + apiKey: type: string - type: - description: >- - Indicates weither the time window is a rolling or a calendar aligned - time window. - enum: - - rolling - - calendarAligned - example: rolling + description: The API key for authentication in TheHive. 
+ tines_secrets: + title: Connector secrets properties for a Tines connector + description: Defines secrets for connectors when type is `.tines`. + type: object + required: + - email + - token + properties: + email: + description: The email used to sign in to Tines. type: string + token: + description: The Tines API token. + type: string + torq_secrets: + title: Connector secrets properties for a Torq connector + description: Defines secrets for connectors when type is `.torq`. + type: object required: - - duration - - type - title: Time window - SLOs_timeslice_metric_basic_metric_with_field: + - token + properties: + token: + description: The secret of the webhook authentication header. + type: string + crt: + title: Certificate + type: string + description: If `authType` is `webhook-authentication-ssl` and `certType` is `ssl-crt-key`, it is a base64 encoded version of the CRT or CERT file. + key: + title: Certificate key + type: string + description: If `authType` is `webhook-authentication-ssl` and `certType` is `ssl-crt-key`, it is a base64 encoded version of the KEY file. + pfx: + title: Personal information exchange + type: string + description: If `authType` is `webhook-authentication-ssl` and `certType` is `ssl-pfx`, it is a base64 encoded version of the PFX or P12 file. + webhook_secrets: + title: Connector secrets properties for a Webhook connector + description: Defines secrets for connectors when type is `.webhook`. type: object properties: - aggregation: - description: The aggregation type of the metric. - enum: - - sum - - avg - - min - - max - - std_deviation - - last_value - - cardinality - example: sum + crt: + $ref: '#/components/schemas/crt' + key: + $ref: '#/components/schemas/key' + pfx: + $ref: '#/components/schemas/pfx' + password: type: string - field: - description: The field of the metric. - example: processor.processed + description: | + The password for HTTP basic authentication or the passphrase for the SSL certificate files. 
If `hasAuth` is set to `true` and `authType` is `webhook-authentication-basic`, this property is required. + user: type: string - filter: - description: The filter to apply to the metric. - example: 'processor.outcome: "success"' + description: | + The username for HTTP basic authentication. If `hasAuth` is set to `true` and `authType` is `webhook-authentication-basic`, this property is required. + cases_webhook_secrets: + title: Connector secrets properties for Webhook - Case Management connector + type: object + properties: + crt: + $ref: '#/components/schemas/crt' + key: + $ref: '#/components/schemas/key' + pfx: + $ref: '#/components/schemas/pfx' + password: type: string - name: - description: The name of the metric. Only valid options are A-Z - example: A - pattern: ^[A-Z]$ + description: | + The password for HTTP basic authentication. If `hasAuth` is set to `true` and and `authType` is `webhook-authentication-basic`, this property is required. + user: type: string - required: - - name - - aggregation - - field - title: Timeslice Metric Basic Metric with Field - SLOs_timeslice_metric_doc_count_metric: + description: | + The username for HTTP basic authentication. If `hasAuth` is set to `true` and `authType` is `webhook-authentication-basic`, this property is required. + xmatters_secrets: + title: Connector secrets properties for an xMatters connector + description: Defines secrets for connectors when type is `.xmatters`. type: object properties: - aggregation: - description: The aggregation type of the metric. Only valid option is "doc_count" - enum: - - doc_count - example: doc_count + password: + description: | + A user name for HTTP basic authentication. It is applicable only when `usesBasic` is `true`. type: string - filter: - description: The filter to apply to the metric. - example: 'processor.outcome: "success"' + secretsUrl: + description: | + The request URL for the Elastic Alerts trigger in xMatters with the API key included in the URL. 
It is applicable only when `usesBasic` is `false`. type: string - name: - description: The name of the metric. Only valid options are A-Z - example: A - pattern: ^[A-Z]$ + user: + description: | + A password for HTTP basic authentication. It is applicable only when `usesBasic` is `true`. type: string - required: - - name - - aggregation - title: Timeslice Metric Doc Count Metric - SLOs_timeslice_metric_percentile_metric: + genai_openai_other_config: + title: Connector request properties for an OpenAI connector with Other provider + description: | + Defines properties for connectors when type is `.gen-ai` and the API provider is `Other` (OpenAI-compatible service), including optional PKI authentication. type: object + required: + - apiProvider + - apiUrl + - defaultModel properties: - aggregation: - description: >- - The aggregation type of the metric. Only valid option is - "percentile" + apiProvider: + type: string + description: The OpenAI API provider. enum: - - percentile - example: percentile + - Other + apiUrl: type: string - field: - description: The field of the metric. - example: processor.processed + description: The OpenAI-compatible API endpoint. + defaultModel: type: string - filter: - description: The filter to apply to the metric. - example: 'processor.outcome: "success"' + description: The default model to use for requests. + certificateData: type: string - name: - description: The name of the metric. Only valid options are A-Z - example: A - pattern: ^[A-Z]$ + description: PEM-encoded certificate content. + minLength: 1 + privateKeyData: type: string - percentile: - description: The percentile value. - example: 95 - type: number + description: PEM-encoded private key content. + minLength: 1 + caData: + type: string + description: PEM-encoded CA certificate content. + minLength: 1 + verificationMode: + type: string + description: SSL verification mode for PKI authentication. 
+ enum: + - full + - certificate + - none + default: full + headers: + type: object + description: Custom headers to include in requests. + additionalProperties: + type: string + defender_secrets: + title: Connector secrets properties for a Microsoft Defender for Endpoint connector required: - - name - - aggregation - - field - - percentile - title: Timeslice Metric Percentile Metric - SLOs_update_slo_request: - description: > - The update SLO API request body varies depending on the type of - indicator, time window and budgeting method. Partial update is handled. + - clientSecret + description: Defines secrets for connectors when type is `..microsoft_defender_endpoint`. + type: object properties: - artifacts: - $ref: '#/components/schemas/SLOs_artifacts' - budgetingMethod: - $ref: '#/components/schemas/SLOs_budgeting_method' - description: - description: A description for the SLO. + clientSecret: + description: The client secret for your app in the Azure portal. type: string - groupBy: - $ref: '#/components/schemas/SLOs_group_by' - indicator: - oneOf: - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' - - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' - - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' - name: - description: A name for the SLO. + run_acknowledge_resolve_pagerduty: + title: PagerDuty connector parameters + description: Test an action that acknowledges or resolves a PagerDuty alert. + type: object + required: + - dedupKey + - eventAction + properties: + dedupKey: + description: The deduplication key for the PagerDuty alert. 
type: string - objective: - $ref: '#/components/schemas/SLOs_objective' - settings: - $ref: '#/components/schemas/SLOs_settings' - tags: - description: List of tags - items: - type: string - type: array - timeWindow: - $ref: '#/components/schemas/SLOs_time_window' - title: Update SLO request + maxLength: 255 + eventAction: + description: The type of event. + type: string + enum: + - acknowledge + - resolve + run_documents: + title: Index connector parameters + description: Test an action that indexes a document into Elasticsearch. type: object - Synthetics_browserMonitorFields: - allOf: - - $ref: '#/components/schemas/Synthetics_commonMonitorFields' - - additionalProperties: true - type: object - properties: - ignore_https_errors: - default: false - description: Ignore HTTPS errors. - type: boolean - inline_script: - description: The inline script. - type: string - playwright_options: - description: Playwright options. - type: object - screenshots: - default: 'on' - description: The screenshot option. - enum: - - 'on' - - 'off' - - only-on-failure - type: string - synthetics_args: - description: Synthetics agent CLI arguments. - items: - type: string - type: array - type: - description: The monitor type. - enum: - - browser - type: string - required: - - inline_script - - type - title: Browser monitor fields - Synthetics_commonMonitorFields: - title: Common monitor fields + required: + - documents + properties: + documents: + type: array + description: The documents in JSON format for index connectors. + items: + type: object + additionalProperties: true + run_message_email: + title: Email connector parameters + description: | + Test an action that sends an email message. There must be at least one recipient in `to`, `cc`, or `bcc`. type: object + required: + - message + - subject properties: - alert: - description: > - The alert configuration. The default is `{ status: { enabled: true - }, tls: { enabled: true } }`. 
- type: object - enabled: - default: true - description: Specify whether the monitor is enabled. - type: boolean - labels: - additionalProperties: - type: string - description: > - Key-value pairs of labels to associate with the monitor. Labels can - be used for filtering and grouping monitors. - type: object - locations: - description: > - The location to deploy the monitor. - - Monitors can be deployed in multiple locations so that you can - detect differences in availability and response times across those - locations. - - To list available locations you can: - - - - Run the `elastic-synthetics locations` command with the - deployment's Kibana URL. - - - Go to *Synthetics > Management* and click *Create monitor*. - Locations will be listed in *Locations*. - externalDocs: - url: >- - https://github.com/elastic/synthetics/blob/main/src/locations/public-locations.ts + bcc: + type: array items: type: string + description: | + A list of "blind carbon copy" email addresses. Addresses can be specified in `user@host-name` format or in name `` format + cc: type: array - name: - description: The monitor name. - type: string - namespace: - default: default - description: > - The namespace field should be lowercase and not contain spaces. The - namespace must not include any of the following characters: `*`, - `\`, `/`, `?`, `"`, `<`, `>`, `|`, whitespace, `,`, `#`, `:`, or - `-`. - type: string - params: - description: The monitor parameters. - type: string - private_locations: - description: > - The private locations to which the monitors will be deployed. - - These private locations refer to locations hosted and managed by - you, whereas `locations` are hosted by Elastic. - - You can specify a private location using the location's name. - - To list available private locations you can: - - - - Run the `elastic-synthetics locations` command with the - deployment's Kibana URL. - - - Go to *Synthetics > Settings* and click *Private locationsr*. 
- Private locations will be listed in the table. - - - > info - - > You can provide `locations` or `private_locations` or both. At - least one is required. items: type: string - type: array - retest_on_failure: - default: true - description: > - Turn retesting for when a monitor fails on or off. By default, - monitors are automatically retested if the monitor goes from "up" to - "down". If the result of the retest is also "down", an error will be - created and if configured, an alert sent. The monitor will then - resume running according to the defined schedule. Using - `retest_on_failure` can reduce noise related to transient problems. - type: boolean - schedule: - description: > - The monitor's schedule in minutes. Supported values are `1`, `3`, - `5`, `10`, `15`, `30`, `60`, `120`, and `240`. The default value is - `3` minutes for HTTP, TCP, and ICMP monitors. The default value is - `10` minutes for Browser monitors. - type: number - service.name: - description: The APM service name. + description: | + A list of "carbon copy" email addresses. Addresses can be specified in `user@host-name` format or in name `` format + message: type: string - tags: - description: An array of tags. + description: The email message text. Markdown format is supported. + subject: + type: string + description: The subject line of the email. + to: + type: array + description: | + A list of email addresses. Addresses can be specified in `user@host-name` format or in name `` format. items: type: string - type: array - timeout: - default: 16 - description: > - The monitor timeout in seconds. The monitor will fail if it doesn't - complete within this time. - - - For browser monitors, the minimum timeout is 30 seconds. Browser - monitor timeouts are only applied when the monitor runs on private - locations. If a browser monitor specifies a timeout but has no - private locations configured, the timeout will have no effect and a - warning will be returned in the response. 
- type: number + run_message_serverlog: + title: Server log connector parameters + description: Test an action that writes an entry to the Kibana server log. + type: object required: - - name - Synthetics_getParameterResponse: - title: Get parameter response + - message + properties: + level: + type: string + description: The log level of the message for server log connectors. + enum: + - debug + - error + - fatal + - info + - trace + - warn + default: info + message: + type: string + description: The message for server log connectors. + run_message_slack: + title: Slack connector parameters + description: | + Test an action that sends a message to Slack. It is applicable only when the connector type is `.slack`. + type: object + required: + - message + properties: + message: + type: string + description: The Slack message text, which cannot contain Markdown, images, or other advanced formatting. + run_trigger_pagerduty: + title: PagerDuty connector parameters + description: Test an action that triggers a PagerDuty alert. type: object + required: + - eventAction properties: - description: - description: > - The description of the parameter. It is included in the response if - the user has read-only permissions to the Synthetics app. + class: + description: The class or type of the event. type: string - id: - description: The unique identifier of the parameter. + example: cpu load + component: + description: The component of the source machine that is responsible for the event. type: string - key: - description: The key of the parameter. + example: eth0 + customDetails: + description: Additional details to add to the event. + type: object + dedupKey: + description: | + All actions sharing this key will be associated with the same PagerDuty alert. This value is used to correlate trigger and resolution. type: string - namespaces: - description: > - The namespaces associated with the parameter. 
It is included in the - response if the user has read-only permissions to the Synthetics - app. - items: - type: string + maxLength: 255 + eventAction: + description: The type of event. + type: string + enum: + - trigger + group: + description: The logical grouping of components of a service. + type: string + example: app-stack + links: + description: A list of links to add to the event. type: array - tags: - description: > - An array of tags associated with the parameter. It is included in - the response if the user has read-only permissions to the Synthetics - app. items: - type: string - type: array - value: - description: > - The value associated with the parameter. It will be included in the - response if the user has write permissions. + type: object + properties: + href: + description: The URL for the link. + type: string + text: + description: A plain text description of the purpose of the link. + type: string + severity: + description: The severity of the event on the affected system. type: string - Synthetics_getPrivateLocation: - additionalProperties: true + enum: + - critical + - error + - info + - warning + default: info + source: + description: | + The affected system, such as a hostname or fully qualified domain name. Defaults to the Kibana saved object id of the action. + type: string + summary: + description: A summery of the event. + type: string + maxLength: 1024 + timestamp: + description: An ISO-8601 timestamp that indicates when the event was detected or generated. + type: string + format: date-time + run_addevent: + title: The addEvent subaction + type: object + required: + - subAction + description: The `addEvent` subaction for ServiceNow ITOM connectors. properties: - agentPolicyId: - description: The ID of the agent policy associated with the private location. + subAction: type: string - geo: - description: Geographic coordinates (WGS84) for the location. + description: The action to test. 
+ enum: + - addEvent + subActionParams: type: object + description: The set of configuration properties for the action. properties: - lat: - description: The latitude of the location. - type: number - lon: - description: The longitude of the location. - type: number - required: - - lat - - lon - id: - description: The unique identifier of the private location. - type: string - isInvalid: - description: > - Indicates whether the location is invalid. If `true`, the location - is invalid, which means the agent policy associated with the - location is deleted. - type: boolean - label: - description: A label for the private location. - type: string - namespace: - description: >- - The namespace of the location, which is the same as the namespace of - the agent policy associated with the location. + additional_info: + type: string + description: Additional information about the event. + description: + type: string + description: The details about the event. + event_class: + type: string + description: A specific instance of the source. + message_key: + type: string + description: All actions sharing this key are associated with the same ServiceNow alert. The default value is `:`. + metric_name: + type: string + description: The name of the metric. + node: + type: string + description: The host that the event was triggered for. + resource: + type: string + description: The name of the resource. + severity: + type: string + description: The severity of the event. + source: + type: string + description: The name of the event source type. + time_of_event: + type: string + description: The time of the event. + type: + type: string + description: The type of event. + run_closealert: + title: The closeAlert subaction + type: object + required: + - subAction + - subActionParams + description: The `closeAlert` subaction for Opsgenie connectors. + properties: + subAction: type: string - title: Post a private location + description: The action to test. 
+ enum: + - closeAlert + subActionParams: + type: object + required: + - alias + properties: + alias: + type: string + description: The unique identifier used for alert deduplication in Opsgenie. The alias must match the value used when creating the alert. + note: + type: string + description: Additional information for the alert. + source: + type: string + description: The display name for the source of the alert. + user: + type: string + description: The display name for the owner. + run_closeincident: + title: The closeIncident subaction type: object - Synthetics_httpMonitorFields: - allOf: - - $ref: '#/components/schemas/Synthetics_commonMonitorFields' - - additionalProperties: true + required: + - subAction + - subActionParams + description: The `closeIncident` subaction for ServiceNow ITSM connectors. + properties: + subAction: + type: string + description: The action to test. + enum: + - closeIncident + subActionParams: type: object + required: + - incident properties: - check: - description: The check request settings. + incident: type: object + anyOf: + - required: + - correlation_id + - required: + - externalId properties: - request: - description: An optional request to send to the remote host. - type: object - properties: - body: - description: Optional request body content. - type: string - headers: - description: > - A dictionary of additional HTTP headers to send. By - default, Synthetics will set the User-Agent header to - identify itself. - type: object - method: - description: The HTTP method to use. - enum: - - HEAD - - GET - - POST - - OPTIONS - type: string - response: - additionalProperties: true - description: The expected response. - type: object - properties: - body: - type: object - headers: - description: >- - A dictionary of expected HTTP headers. If the header is - not found, the check fails. - type: object - ipv4: - default: true - description: If `true`, ping using the ipv4 protocol. 
- type: boolean - ipv6: - default: true - description: If `true`, ping using the ipv6 protocol. - type: boolean - max_redirects: - default: 0 - description: The maximum number of redirects to follow. - type: number - mode: - default: any - description: > - The mode of the monitor. If it is `all`, the monitor pings all - resolvable IPs for a hostname. If it is `any`, the monitor pings - only one IP address for a hostname. If you're using a DNS-load - balancer and want to ping every IP address for the specified - hostname, you should use `all`. - enum: - - all - - any + correlation_id: + type: string + nullable: true + description: | + An identifier that is assigned to the incident when it is created by the connector. NOTE: If you use the default value and the rule generates multiple alerts that use the same alert IDs, the latest open incident for this correlation ID is closed unless you specify the external ID. + maxLength: 100 + default: '{{rule.id}}:{{alert.id}}' + externalId: + type: string + nullable: true + description: The unique identifier (`incidentId`) for the incident in ServiceNow. + run_createalert: + title: The createAlert subaction + type: object + required: + - subAction + - subActionParams + description: The `createAlert` subaction for Opsgenie and TheHive connectors. + properties: + subAction: + type: string + description: The action to test. + enum: + - createAlert + subActionParams: + type: object + properties: + actions: + type: array + description: The custom actions available to the alert in Opsgenie connectors. + items: + type: string + alias: type: string - password: - description: > - The password for authenticating with the server. The credentials - are passed with the request. + description: The unique identifier used for alert deduplication in Opsgenie. + description: type: string - proxy_headers: - description: Additional headers to send to proxies during CONNECT requests. 
+ description: A description that provides detailed information about the alert. + details: type: object - proxy_url: - description: The URL of the proxy to use for this monitor. + description: The custom properties of the alert in Opsgenie connectors. + additionalProperties: true + example: + key1: value1 + key2: value2 + entity: type: string - response: - description: >- - Controls the indexing of the HTTP response body contents to the - `http.response.body.contents field`. - type: object - ssl: - description: > - The TLS/SSL connection settings for use with the HTTPS endpoint. - If you don't specify settings, the system defaults are used. - type: object - type: - description: The monitor type. + description: The domain of the alert in Opsgenie connectors. For example, the application or server name. + message: + type: string + description: The alert message in Opsgenie connectors. + note: + type: string + description: Additional information for the alert in Opsgenie connectors. + priority: + type: string + description: The priority level for the alert in Opsgenie connectors. enum: - - http + - P1 + - P2 + - P3 + - P4 + - P5 + responders: + type: array + description: | + The entities to receive notifications about the alert in Opsgenie connectors. If `type` is `user`, either `id` or `username` is required. If `type` is `team`, either `id` or `name` is required. + items: + type: object + properties: + id: + type: string + description: The identifier for the entity. + name: + type: string + description: The name of the entity. + type: + type: string + description: The type of responders, in this case `escalation`. + enum: + - escalation + - schedule + - team + - user + username: + type: string + description: A valid email address for the user. + severity: + type: integer + minimum: 1 + maximum: 4 + description: | + The severity of the incident for TheHive connectors. The value ranges from 1 (low) to 4 (critical) with a default value of 2 (medium). 
+ source: + type: string + description: The display name for the source of the alert in Opsgenie and TheHive connectors. + sourceRef: + type: string + description: A source reference for the alert in TheHive connectors. + tags: + type: array + description: The tags for the alert in Opsgenie and TheHive connectors. + items: + type: string + title: type: string - url: - description: The URL to monitor. + description: | + A title for the incident for TheHive connectors. It is used for searching the contents of the knowledge base. + tlp: + type: integer + minimum: 0 + maximum: 4 + default: 2 + description: | + The traffic light protocol designation for the incident in TheHive connectors. Valid values include: 0 (clear), 1 (green), 2 (amber), 3 (amber and strict), and 4 (red). + type: type: string - username: - description: > - The username for authenticating with the server. The credentials - are passed with the request. + description: The type of alert in TheHive connectors. + user: type: string - required: - - type - - url - title: HTTP monitor fields - Synthetics_icmpMonitorFields: - allOf: - - $ref: '#/components/schemas/Synthetics_commonMonitorFields' - - additionalProperties: true + description: The display name for the owner. + visibleTo: + type: array + description: The teams and users that the alert will be visible to without sending a notification. Only one of `id`, `name`, or `username` is required. + items: + type: object + required: + - type + properties: + id: + type: string + description: The identifier for the entity. + name: + type: string + description: The name of the entity. + type: + type: string + description: Valid values are `team` and `user`. + enum: + - team + - user + username: + type: string + description: The user name. This property is required only when the `type` is `user`. 
+ run_fieldsbyissuetype: + title: The fieldsByIssueType subaction + type: object + required: + - subAction + - subActionParams + description: The `fieldsByIssueType` subaction for Jira connectors. + properties: + subAction: + type: string + description: The action to test. + enum: + - fieldsByIssueType + subActionParams: type: object + required: + - id properties: - host: - description: The host to ping. - type: string - type: - description: The monitor type. - enum: - - icmp + id: type: string - wait: - default: 1 - description: The wait time in seconds. - type: number - required: - - host - - type - title: ICMP monitor fields - Synthetics_monitorWarning: - title: Monitor warning + description: The Jira issue type identifier. + example: 10024 + run_getagentdetails: + title: The getAgentDetails subaction type: object + required: + - subAction + - subActionParams + description: The `getAgentDetails` subaction for CrowdStrike connectors. properties: - message: - description: A human-readable warning message. - type: string - monitorId: - description: The monitor ID associated with the warning. + subAction: type: string - publicLocationIds: - description: The public location IDs associated with the warning. - items: - type: string - type: array - Synthetics_parameterRequest: - title: Parameter request + description: The action to test. + enum: + - getAgentDetails + subActionParams: + type: object + description: The set of configuration properties for the action. + required: + - ids + properties: + ids: + type: array + description: An array of CrowdStrike agent identifiers. + items: + type: string + run_getagents: + title: The getAgents subaction type: object + required: + - subAction + description: The `getAgents` subaction for SentinelOne connectors. properties: - description: - description: A description of the parameter. - type: string - key: - description: The key of the parameter. 
- type: string - share_across_spaces: - description: Specify whether the parameter should be shared across spaces. - type: boolean - tags: - description: An array of tags to categorize the parameter. - items: - type: string - type: array - value: - description: The value associated with the parameter. + subAction: type: string - required: - - key - - value - Synthetics_postParameterResponse: - title: Post parameter response + description: The action to test. + enum: + - getAgents + run_getchoices: + title: The getChoices subaction type: object + required: + - subAction + - subActionParams + description: The `getChoices` subaction for ServiceNow ITOM, ServiceNow ITSM, and ServiceNow SecOps connectors. properties: - description: - description: A description of the parameter. - type: string - id: - description: The unique identifier for the parameter. + subAction: type: string - key: - description: The parameter key. + description: The action to test. + enum: + - getChoices + subActionParams: + type: object + description: The set of configuration properties for the action. + required: + - fields + properties: + fields: + type: array + description: An array of fields. + items: + type: string + run_getfields: + title: The getFields subaction + type: object + required: + - subAction + description: The `getFields` subaction for Jira, ServiceNow ITSM, and ServiceNow SecOps connectors. + properties: + subAction: type: string - share_across_spaces: - description: Indicates whether the parameter is shared across spaces. - type: boolean - tags: - description: An array of tags associated with the parameter. - items: - type: string - type: array - value: - description: The value associated with the parameter. + description: The action to test. + enum: + - getFields + run_getincident: + title: The getIncident subaction + type: object + description: The `getIncident` subaction for Jira, ServiceNow ITSM, and ServiceNow SecOps connectors. 
+ required: + - subAction + - subActionParams + properties: + subAction: type: string - Synthetics_tcpMonitorFields: - allOf: - - $ref: '#/components/schemas/Synthetics_commonMonitorFields' - - additionalProperties: true + description: The action to test. + enum: + - getIncident + subActionParams: type: object + required: + - externalId properties: - host: - description: > - The host to monitor; it can be an IP address or a hostname. The - host can include the port using a colon, for example - "example.com:9200". - type: string - proxy_url: - description: > - The URL of the SOCKS5 proxy to use when connecting to the - server. The value must be a URL with a scheme of `socks5://`. If - the SOCKS5 proxy server requires client authentication, then a - username and password can be embedded in the URL. When using a - proxy, hostnames are resolved on the proxy server instead of on - the client. You can change this behavior by setting the - `proxy_use_local_resolver` option. + externalId: type: string - proxy_use_local_resolver: - default: false - description: > - Specify that hostnames are resolved locally instead of being - resolved on the proxy server. If `false`, name resolution occurs - on the proxy server. - type: boolean - ssl: - description: > - The TLS/SSL connection settings for use with the HTTPS endpoint. - If you don't specify settings, the system defaults are used. - type: object - type: - description: The monitor type. - enum: - - tcp + description: The Jira, ServiceNow ITSM, or ServiceNow SecOps issue identifier. + example: 71778 + run_issue: + title: The issue subaction + type: object + required: + - subAction + description: The `issue` subaction for Jira connectors. + properties: + subAction: + type: string + description: The action to test. + enum: + - issue + subActionParams: + type: object + required: + - id + properties: + id: type: string + description: The Jira issue identifier. 
+ example: 71778 + run_issues: + title: The issues subaction + type: object + required: + - subAction + - subActionParams + description: The `issues` subaction for Jira connectors. + properties: + subAction: + type: string + description: The action to test. + enum: + - issues + subActionParams: + type: object required: - - host - - type - title: TCP monitor fields - Task_manager_health_APIs_configuration: - description: > - This object summarizes the current configuration of Task Manager. This - includes dynamic configurations that change over time, such as - `poll_interval` and `max_workers`, which can adjust in reaction to - changing load on the system. + - title + properties: + title: + type: string + description: The title of the Jira issue. + run_issuetypes: + title: The issueTypes subaction type: object - Task_manager_health_APIs_health_response: - title: Task health response properties + required: + - subAction + description: The `issueTypes` subaction for Jira connectors. + properties: + subAction: + type: string + description: The action to test. + enum: + - issueTypes + run_postmessage: + title: The postMessage subaction type: object + description: | + Test an action that sends a message to Slack. It is applicable only when the connector type is `.slack_api`. + required: + - subAction + - subActionParams properties: - id: + subAction: type: string - last_update: + description: The action to test. + enum: + - postMessage + subActionParams: + type: object + description: The set of configuration properties for the action. + properties: + channelIds: + type: array + maxItems: 1 + description: | + The Slack channel identifier, which must be one of the `allowedChannels` in the connector configuration. + items: + type: string + channels: + type: array + deprecated: true + description: | + The name of a channel that your Slack app has access to. + maxItems: 1 + items: + type: string + text: + type: string + description: | + The Slack message text. 
If it is a Slack webhook connector, the text cannot contain Markdown, images, or other advanced formatting. If it is a Slack web API connector, it can contain either plain text or block kit messages. + minLength: 1 + run_pushtoservice: + title: The pushToService subaction + type: object + required: + - subAction + - subActionParams + description: The `pushToService` subaction for Jira, ServiceNow ITSM, ServiceNow SecOps, Swimlane, TheHive, and Webhook - Case Management connectors. + properties: + subAction: type: string - stats: + description: The action to test. + enum: + - pushToService + subActionParams: type: object + description: The set of configuration properties for the action. properties: - capacity_estimation: - description: > - This object provides a rough estimate about the sufficiency of - its capacity. These are estimates based on historical data and - should not be used as predictions. - type: object - configuration: - $ref: '#/components/schemas/Task_manager_health_APIs_configuration' - runtime: - description: > - This object tracks runtime performance of Task Manager, tracking - task drift, worker load, and stats broken down by type, - including duration and run results. + comments: + type: array + description: Additional information that is sent to Jira, ServiceNow ITSM, ServiceNow SecOps, Swimlane, or TheHive. + items: + type: object + properties: + comment: + type: string + description: A comment related to the incident. For example, describe how to troubleshoot the issue. + commentId: + type: integer + description: A unique identifier for the comment. + incident: type: object - workload: - $ref: '#/components/schemas/Task_manager_health_APIs_workload' - status: - type: string - timestamp: - type: string - Task_manager_health_APIs_workload: - description: > - This object summarizes the work load across the cluster, including the - tasks in the system, their types, and current status. 
+ description: Information necessary to create or update a Jira, ServiceNow ITSM, ServiveNow SecOps, Swimlane, or TheHive incident. + properties: + additional_fields: + type: string + nullable: true + maxLength: 20 + description: | + Additional fields for ServiceNow ITSM and ServiveNow SecOps connectors. The fields must exist in the Elastic ServiceNow application and must be specified in JSON format. + alertId: + type: string + description: The alert identifier for Swimlane connectors. + caseId: + type: string + description: The case identifier for the incident for Swimlane connectors. + caseName: + type: string + description: The case name for the incident for Swimlane connectors. + category: + type: string + description: The category of the incident for ServiceNow ITSM and ServiceNow SecOps connectors. + correlation_display: + type: string + description: A descriptive label of the alert for correlation purposes for ServiceNow ITSM and ServiceNow SecOps connectors. + correlation_id: + type: string + description: | + The correlation identifier for the security incident for ServiceNow ITSM and ServiveNow SecOps connectors. Connectors using the same correlation ID are associated with the same ServiceNow incident. This value determines whether a new ServiceNow incident is created or an existing one is updated. Modifying this value is optional; if not modified, the rule ID and alert ID are combined as `{{ruleID}}:{{alert ID}}` to form the correlation ID value in ServiceNow. The maximum character length for this value is 100 characters. NOTE: Using the default configuration of `{{ruleID}}:{{alert ID}}` ensures that ServiceNow creates a separate incident record for every generated alert that uses a unique alert ID. If the rule generates multiple alerts that use the same alert IDs, ServiceNow creates and continually updates a single incident record for the alert. 
+ description: + type: string + description: The description of the incident for Jira, ServiceNow ITSM, ServiceNow SecOps, Swimlane, TheHive, and Webhook - Case Management connectors. + dest_ip: + description: | + A list of destination IP addresses related to the security incident for ServiceNow SecOps connectors. The IPs are added as observables to the security incident. + oneOf: + - type: string + - type: array + items: + type: string + externalId: + type: string + description: | + The Jira, ServiceNow ITSM, or ServiceNow SecOps issue identifier. If present, the incident is updated. Otherwise, a new incident is created. + id: + type: string + description: The external case identifier for Webhook - Case Management connectors. + impact: + type: string + description: The impact of the incident for ServiceNow ITSM connectors. + issueType: + type: integer + description: The type of incident for Jira connectors. For example, 10006. To obtain the list of valid values, set `subAction` to `issueTypes`. + labels: + type: array + items: + type: string + description: | + The labels for the incident for Jira connectors. NOTE: Labels cannot contain spaces. + malware_hash: + description: A list of malware hashes related to the security incident for ServiceNow SecOps connectors. The hashes are added as observables to the security incident. + oneOf: + - type: string + - type: array + items: + type: string + malware_url: + type: string + description: A list of malware URLs related to the security incident for ServiceNow SecOps connectors. The URLs are added as observables to the security incident. + oneOf: + - type: string + - type: array + items: + type: string + otherFields: + type: object + additionalProperties: true + maxProperties: 20 + description: | + Custom field identifiers and their values for Jira connectors. + parent: + type: string + description: The ID or key of the parent issue for Jira connectors. Applies only to `Sub-task` types of issues. 
+ priority: + type: string + description: The priority of the incident in Jira and ServiceNow SecOps connectors. + ruleName: + type: string + description: The rule name for Swimlane connectors. + severity: + type: integer + description: | + The severity of the incident for ServiceNow ITSM, Swimlane, and TheHive connectors. In TheHive connectors, the severity value ranges from 1 (low) to 4 (critical) with a default value of 2 (medium). + short_description: + type: string + description: | + A short description of the incident for ServiceNow ITSM and ServiceNow SecOps connectors. It is used for searching the contents of the knowledge base. + source_ip: + description: A list of source IP addresses related to the security incident for ServiceNow SecOps connectors. The IPs are added as observables to the security incident. + oneOf: + - type: string + - type: array + items: + type: string + status: + type: string + description: The status of the incident for Webhook - Case Management connectors. + subcategory: + type: string + description: The subcategory of the incident for ServiceNow ITSM and ServiceNow SecOps connectors. + summary: + type: string + description: A summary of the incident for Jira connectors. + tags: + type: array + items: + type: string + description: A list of tags for TheHive and Webhook - Case Management connectors. + title: + type: string + description: | + A title for the incident for Jira, TheHive, and Webhook - Case Management connectors. It is used for searching the contents of the knowledge base. + tlp: + type: integer + minimum: 0 + maximum: 4 + default: 2 + description: | + The traffic light protocol designation for the incident in TheHive connectors. Valid values include: 0 (clear), 1 (green), 2 (amber), 3 (amber and strict), and 4 (red). + urgency: + type: string + description: The urgency of the incident for ServiceNow ITSM connectors. 
+ run_validchannelid: + title: The validChannelId subaction type: object + description: | + Retrieves information about a valid Slack channel identifier. It is applicable only when the connector type is `.slack_api`. + required: + - subAction + - subActionParams + properties: + subAction: + type: string + description: The action to test. + enum: + - validChannelId + subActionParams: + type: object + required: + - channelId + properties: + channelId: + type: string + description: The Slack channel identifier. + example: C123ABC456 securitySchemes: apiKeyAuth: - description: > - These APIs use key-based authentication. You must create an API key and - use the encoded value in the request header. For example: - `Authorization: ApiKey base64AccessApiKey` + description: | + These APIs use key-based authentication. You must create an API key and use the encoded value in the request header. For example: `Authorization: ApiKey base64AccessApiKey` in: header name: Authorization type: apiKey basicAuth: scheme: basic type: http -security: - - apiKeyAuth: [] - - basicAuth: [] -tags: - - description: | - Adjust APM agent configuration without need to redeploy your application. - name: APM agent configuration - - description: > - Configure APM agent keys to authorize requests from APM agents to the APM - Server. - name: APM agent keys - - description: > - Annotate visualizations in the APM app with significant events. - Annotations enable you to easily see how events are impacting the - performance of your applications. - name: APM annotations - - description: Create APM fleet server schema. - name: APM server schema - - description: > - Configure APM source maps. A source map allows minified files to be mapped - back to original source code--allowing you to maintain the speed advantage - of minified code, without losing the ability to quickly and easily debug - your application. 
- - For best results, uploading source maps should become a part of your - deployment procedure, and not something you only do when you see unhelpful - errors. That's because uploading source maps after errors happen won't - make old errors magically readable--errors must occur again for source - mapping to occur. - name: APM sourcemaps - - description: Case APIs enable you to open and track issues. - name: cases - - name: Data streams - - description: >- - Data view APIs enable you to manage data views, formerly known as Kibana - index patterns. - name: data views - - name: Elastic Agent actions - - name: Elastic Agent binary download sources - - name: Elastic Agent policies - - name: Elastic Agent status - - name: Elastic Agents - - name: Elastic Package Manager (EPM) - - name: Fleet agentless policies - - name: Fleet cloud connectors - - name: Fleet enrollment API keys - - name: Fleet internals - - name: Fleet outputs - - name: Fleet package policies - - name: Fleet proxies - - name: Fleet remote synced integrations - - name: Fleet Server hosts - - name: Fleet service tokens - - name: Fleet uninstall tokens - - description: > - Programmatically integrate with Logstash configuration management. - - > warn - - > Do not directly access the `.logstash` index. The structure of the - `.logstash` index is subject to change, which could cause your integration - to break. Instead, use the Logstash configuration management APIs. - externalDocs: - description: Centralized pipeline management - url: >- - https://www.elastic.co/docs/reference/logstash/logstash-centralized-pipeline-management - name: logstash - x-displayName: Logstash configuration management - - name: Message Signing Service - - description: Machine learning - name: ml - - description: Interact with the Observability AI Assistant resources. 
- externalDocs: - description: Observability AI Assistant - url: >- - https://www.elastic.co/docs/solutions/observability/observability-ai-assistant - name: observability_ai_assistant - x-displayName: Observability AI Assistant - - description: Manage and interact with Security Assistant resources. - name: Security AI Assistant API - x-displayName: Security AI assistant - - description: >- - Use the Attack discovery APIs to generate and manage Attack discoveries. - Attack Discovery leverages large language models (LLMs) to analyze alerts - in your environment and identify threats. Each "discovery" represents a - potential attack and describes relationships among multiple alerts to tell - you which users and hosts are involved, how alerts correspond to the MITRE - ATT&CK matrix, and which threat actor might be responsible. - name: Security Attack discovery API - x-displayName: Security Attack discovery - - description: > - Use the detections APIs to create and manage detection rules. Detection - rules search events and external alerts sent to Elastic Security and - generate detection alerts from any hits. Alerts are displayed on the - **Alerts** page and can be assigned and triaged, using the alert status to - mark them as open, closed, or acknowledged. - - - This API supports both key-based authentication and basic authentication. - - - To use key-based authentication, create an API key, then specify the key - in the header of your API calls. - - - To use basic authentication, provide a username and password; this - automatically creates an API key that matches the current user’s - privileges. - - - In both cases, the API key is subsequently used for authorization when the - rule runs. - - > warn - - > If the API key used for authorization has different privileges than the - key that created or most recently updated a rule, the rule behavior might - change. 
- - - > If the API key that created a rule is deleted, or the user that created - the rule becomes inactive, the rule will stop running. - - - To create and run rules, the user must meet specific requirements for the - Kibana space. Refer to the [Detections - requirements](https://www.elastic.co/guide/en/security/current/detections-permissions-section.html) - for a complete list of requirements. - name: Security Detections API - x-displayName: Security detections - - description: >- - Endpoint Exceptions API allows you to manage detection rule endpoint - exceptions to prevent a rule from generating an alert from incoming events - even when the rule's other criteria are met. - name: Security Endpoint Exceptions API - x-displayName: Security Elastic Endpoint exceptions - - description: Interact with and manage endpoints running the Elastic Defend integration. - name: Security Endpoint Management API - x-displayName: Security endpoint management - - description: '' - name: Security Entity Analytics API - x-displayName: Security entity analytics - - description: > - Exceptions are associated with detection and endpoint rules, and are used - to prevent a rule from generating an alert from incoming events, even when - the rule's other criteria are met. They can help reduce the number of - false positives and prevent trusted processes and network activity from - generating unnecessary alerts. - - - Exceptions are made up of: - - - * **Exception containers**: A container for related exceptions. Generally, - a single exception container contains all the exception items relevant for - a subset of rules. For example, a container can be used to group together - network-related exceptions that are relevant for a large number of network - rules. The container can then be associated with all the relevant rules. - - * **Exception items**: The query (fields, values, and logic) used to - prevent rules from generating alerts. 
When an exception item's query - evaluates to `true`, the rule does not generate an alert. - - - For detection rules, you can also use lists to define rule exceptions. A - list holds multiple values of the same Elasticsearch data type, such as IP - addresses. These values are used to determine when an exception prevents - an alert from being generated. - - > info - - > You cannot use lists with endpoint rule exceptions. - - - > info - - > Only exception containers can be associated with rules. You cannot - directly associate an exception item or a list container with a rule. To - use list exceptions, create an exception item that references the relevant - list container. - - - ## Exceptions requirements - - - Before you can start working with exceptions that use value lists, you - must create the `.lists` and `.items` data streams for the relevant Kibana - space. To do this, use the [Create list data - streams](../operation/operation-createlistindex) endpoint. Once these data - streams are created, your role needs privileges to manage rules. For a - complete list of requirements, refer to [Enable and access - detections](https://www.elastic.co/guide/en/security/current/detections-permissions-section.html#enable-detections-ui). - name: Security Exceptions API - x-displayName: Security exceptions - - description: > - Lists can be used with detection rule exceptions to define values that - prevent a rule from generating alerts. - - - Lists are made up of: - - - * **List containers**: A container for values of the same Elasticsearch - data type. The following data types can be used: - * `boolean` - * `byte` - * `date` - * `date_nanos` - * `date_range` - * `double` - * `double_range` - * `float` - * `float_range` - * `half_float` - * `integer` - * `integer_range` - * `ip` - * `ip_range` - * `keyword` - * `long` - * `long_range` - * `short` - * `text` - * **List items**: The values used to determine whether the exception - prevents an alert from being generated. 
- - - All list items in the same list container must be of the same data type, - and each item defines a single value. For example, an IP list container - named `internal-ip-addresses-southport` contains five items, where each - item defines one internal IP address: - - 1. `192.168.1.1` - - 2. `192.168.1.3` - - 3. `192.168.1.18` - - 4. `192.168.1.12` - - 5. `192.168.1.7` - - - To use these IP addresses as values for defining rule exceptions, use the - Security exceptions API to [create an exception list - item](../operation/operation-createexceptionlistitem) that references the - `internal-ip-addresses-southport` list. - - > info - - > Lists cannot be added directly to rules, nor do they define the - operators used to determine when exceptions are applied (`is in list`, `is - not in list`). Use an exception item to define the operator and associate - it with an [exception - container](../operation/operation-createexceptionlist). You can then add - the exception container to a rule's `exceptions_list` object. - - - ## Lists requirements - - - Before you can start using lists, you must create the `.lists` and - `.items` data streams for the relevant Kibana space. To do this, use the - [Create list data streams](../operation/operation-createlistindex) - endpoint. Once these data streams are created, your role needs privileges - to manage rules. Refer to [Enable and access - detections](https://www.elastic.co/guide/en/security/current/detections-permissions-section.html#enable-detections-ui) - for a complete list of requirements. - name: Security Lists API - x-displayName: Security lists - - description: Run live queries, manage packs and saved queries. - name: Security Osquery API - x-displayName: Security Osquery - - description: >- - You can create Timelines and Timeline templates via the API, as well as - import new Timelines from an ndjson file. - name: Security Timeline API - x-displayName: Security timeline - - description: Manage Kibana short URLs. 
- name: short url - x-displayName: Short URLs - - description: SLO APIs enable you to define, manage and track service-level objectives - name: slo - - name: synthetics - - description: System - name: system - - description: >- - Task manager APIs enable you to check the health of the Kibana task - manager, which is used by features such as alerting, actions, and - reporting to run mission critical work as persistent background tasks. - externalDocs: - description: Task manager - url: >- - https://www.elastic.co/docs/deploy-manage/distributed-architecture/kibana-tasks-management - name: task manager - x-displayName: Task manager - - description: > - The Kibana Upgrade Assistant API helps you prepare for the next major - Elasticsearch release. +x-topics: + - title: Kibana spaces + content: | + Spaces enable you to organize your dashboards and other saved objects into meaningful categories. + You can use the default space or create your own spaces. - > warn + To run APIs in non-default spaces, you must add `s/{space_id}/` to the path. + For example: - > This is a Kibana REST API (not an Elasticsearch API) and requests must - target your Kibana URL: + ```bash + curl -X GET "http://${KIBANA_URL}/s/marketing/api/data_views" \ + -H "Authorization: ApiKey ${API_KEY}" + ``` - > * Self-managed URL pattern: `https://localhost:5601` + If you use the Kibana console to send API requests, it automatically adds the appropriate space identifier. - > * Elastic Cloud URL pattern: - `https://your-deployment.kb.us-east-1.aws.elastic.cloud:9243` - name: upgrade - x-displayName: Upgrade assistant - - description: Uptime APIs enable you to view and update uptime monitoring settings. - externalDocs: - description: Uptime monitoring - url: https://www.elastic.co/docs/solutions/observability/uptime - name: uptime - x-displayName: Uptime - - name: user session - x-displayName: User session management + To learn more, check out [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces).